Secrecy content of two-qubit states

We analyze the set of two-qubit states from which a secret key can be extracted by single-copy measurements plus classical processing of the outcomes. We introduce a key distillation protocol and give the corresponding necessary and sufficient condition for positive key extraction. Our results imply that the critical error rate derived by Chau, Phys. Rev. A {\bf 66}, 060302 (2002), for a secure key distribution using the six-state scheme is tight. Remarkably, an optimal eavesdropping attack against this protocol does not require any coherent quantum operation.


I. INTRODUCTION
It is known that all quantum correlations can be converted into secret ones, namely, into correlations that cannot be distributed by local operations and public communication [1]. However, the identification of the precise quantum correlations (entangled states) that can be converted into a secret key remains an open problem. This paper focuses on this problem: we wish to determine which two-qubit states contain distillable secret correlations. More precisely, we aim to characterize the set of two-qubit states from which a secret key can be extracted by SIngle-copy Measurements plus ClAssical Processing (SIMCAP) protocols.
As usual, Alice and Bob are the honest parties willing to communicate secretly and Eve is the adversary who tries to learn the secret messages. The scenario for key extraction that we consider is quite similar to that for entanglement distillation. The honest parties initially share a large number, N , of copies of a known two-qubit state ρ AB . Instead of distilling entangled bits, or singlets, Alice and Bob's task here consists in extracting secret bits. Pure secret and entangled bits are indeed two different information resources that can be extracted from quantum states. Notice that in contrast with general security proofs of quantum key distribution (QKD) protocols, it is assumed that Alice and Bob know they share N independent copies of the two-qubit state ρ AB . We restrict our considerations to SIMCAP protocols for several reasons. First, they do not require any coherent quantum operation, so they are experimentally feasible with present day technology. Second, it is interesting to compare these protocols with those employing coherent quantum operations performed by Alice and Bob. Finally, results obtained for quantum states in the SIM-CAP scenario can be applied to quantum channels and prepare and measure QKD schemes [2], such as BB84 [3].
In this paper, we consider a slightly improved version of the SIMCAP protocol with two-way communication introduced in [4]. We derive a necessary and sufficient condition any two-qubit state must satisfy for this pro-tocol to be secure. The sufficiency of this condition is proved by showing that, if it holds, our protocol enables extracting a key that is secure against any attack. The necessity follows from the existence of an explicit eavesdropping attack (given below), that breaks the protocol if the aforementioned condition is not satisfied. Remarkably enough, Eve can implement this attack without any coherent quantum operation. As far as we know, this is the first necessary and sufficient condition for key distillation from quantum states using a two-way communication SIMCAP protocol.

II. THE PROTOCOL
As mentioned above, Alice and Bob share N copies of a known bipartite state ρ AB . Given this assumption, the SIMCAP key distillation protocol consists of three steps: (i) local measurement on each qubit pair ρ AB , (ii) advantage distillation, and (iii) one-way key extraction. Measurements: Step (i) can be decomposed into the operations (a), (b), and (c) defined as follows. Operation (a) is a single-copy filtering operation that Alice and Bob perform in order to maximize the entanglement of formation of their state. The operators F A and F B that characterize this filtering, [5]. If the filtering fails, the qubit pair is rejected. If it succeeds, the resulting two-qubit state is diagonal in the Bell basis (defined in [6]): with λ i ≥ 0 and i λ i = 1. Throughout this paper square brackets denote one-dimensional projectors (not necessarily normalized); e.g., [ψ] = |ψ ψ|. If ρ AB is already diagonal in the Bell basis, this filtering leaves it unchanged. Operation (b) is a local unitary transformation that Alice and Bob apply to the state (1) to ensure that This is just a permutation of the coefficients λ i in (1), and any such permutation can be achieved using only local unitaries [7]. One can thus associate to any twoqubit state ρ AB the pair of coefficients (λ 1 , λ 2 ). The last operation, (c), consists in measuring each qubit in the computational basis {|0 , |1 }. These three operations can be seen as a single measurement performed by each of the honest parties, with outcomes: 0, 1 and reject. After discarding all the instances where the outcome reject is obtained, each of the honest parties has a list of partially correlated bits. These two lists do not constitute a shared secret key yet, because in general they are neither equal nor secret. Our goal is now to distill them to a secret key [steps (ii) and (iii) above].
Advantage distillation: Step (ii) is a reconciliation scheme introduced by Maurer in [8] that uses two-way communication. Within this scheme, each of the honest parties transforms blocks of M bits into a single bit. By doing that, Alice and Bob map their initial lists of bits into shorter, more secret and correlated ones. To achieve this goal, Alice randomly chooses M bits from her list of accepted outcomes, and Bob takes their M counterparts from his list: Next, Alice generates a secret random bit s A , computes the M numbers X i := (A i + s A ) mod 2, and sends the M -bit string through the insecure but authenticated public channel. Bob then adds bitwise (mod 2) this string to his list, B 1 , B 2 , . . . B M . If he obtains the same result s B for the M sums, i.e., if (B i + X i ) mod 2 = s B for i = 1, 2, . . . M , he keeps the bit s B and communicates its acceptance to Alice. Otherwise, the two parties reject the M bits. The bits s A and s B are the result of the advantage distillation process (ii). A large number of pairs (s A , s B ) constitute the input of (iii).
One-way key extraction: Step (iii) consists of the oneway communication procedure given by Devetak and Winter in [9]. It concerns the situation where Alice has a classical random variable correlated to Bob and Eve's quantum states, and it enables (when possible) transforming these classical-quantum-quantum (CQQ) correlations into a secret key with maximal rate. In our case, the honest parties have the classical random variables (s A , s B ) correlated with Eve's quantum states (CCQ correlations), this being a particular case of the scenario considered in [9]. Thus, their techniques immediately apply.
Having discussed the protocol with some detail, we now state our main result: A secret key can be extracted from a two-qubit state ρ AB by the protocol above if and only if its associated weights (λ 1 , λ 2 ) satisfy The sufficient and necessary statements of this result are proved in sections III and IV, respectively.

III. SECURITY PROOF
Let us first prove the security of this protocol. As usual, we conservatively assume that Eve has a large quantum system that is a purification of the whole state ρ ⊗N AB . Note that all purifications of Alice and Bob's state are equivalent, since they only differ by a local unitary operation on Eve's Hilbert space. Without any loss of generality, the state of the three parties can be taken to be |Ψ ABE ⊗N , where |Ψ ABE is a purification of ρ AB , i.e., ρ AB = tr E [Ψ ABE ]. After the filtering operation (a), the tripartite state is still pure, hence, Eve holds the system that purifies the Bell-diagonal state (1). The three parties thus share many copies of the state After step (i), Alice and Bob are left with classical data, whereas Eve could still hold a quantum system. The correlations they share are described by the state (up to normalization) where x = 00, 01, 10, 11, and |ψ 00/11 = λ 1 |1 ± λ 2 |2 , Notice that the above vectors are non-normalized. After step (ii), Eve has her M (four-dimensional) quantum systems as well as the information that the honest parties have exchanged through the public channel. In particular, Eve has the M -bit string (4). If she performs the unitary transformation to her i-th system (i = 1 . . . M ), up to normalization the tripartite state becomes After this transformation, the tripartite state (10) becomes completely uncorrelated to (4). The rest of the protocol is also independent of (4), and this information is no longer useful. Hence, all the correlations among Alice, Bob and Eve before step (iii) are described by the state (10). It was proven in [9], that the secret key rate one can achieve with one-way communication (K → ) when Alice holds a classical system satisfies: where I(X : Y ) is the mutual information referred to the state (10), and is defined in [11]. After some algebra, the following equality can be obtained where , and the subscript 'eq' ('dif') refers to the outcome A being equal to (different from) B. It can be checked that if condition (5) is satisfied, there exists a sufficiently large M such that the right-hand side of (11), i.e., Eq. (12), is positive. Thus, a secret key can be extracted from ρ AB with our SIMCAP protocol. This completes the security proof. In the next section we prove that condition (5) is tight.

IV. OPTIMAL EAVESDROPPING ATTACK
Let us present a particular eavesdropping attack that is optimal in the sense that it breaks our SIMCAP protocol if (5) is not satisfied. This attack is similar to that in [12].
Without loss of generality, we assume that in step (iii) the public communication is sent from Alice to Bob. In the attack, Eve makes a guess, s E , for Alice's outcome s A in such a way that s E and s B are independent when conditioned on s A . That is, the probability distribution for these random variables P (s A , s B , s E ) satisfies To accomplish this, she first waits until step (ii) is completed [recall that at this stage the three parties share the state (10)], and performs the two-outcome measurement defined by the projectors In order to learn s A , she must discriminate between the two pure states ψ 00 and ψ 11 . It was proved in [14] that the minimum error probability she can achieve is where c is the overlap between the states. Applying this formula to (16), we obtain the error probability in guessing s A Similarly, if Eve obtains instead the outcome corresponding to F dif , the error probability ǫ dif is given by (18) with the substitution Λ eq → Λ dif . At this point, Eve's information consists of s E (her guess for s A ) as well as the outcome of the measurement (15). To ensure (14), Eve proceeds as follows. From (2), it can be seen that Λ dif ≤ Λ eq , which implies that ǫ dif ≤ ǫ eq . Then, when she obtains the outcome corresponding to F dif , she increases her error until ǫ dif = ǫ eq . She achieves this by changing the value of s E with some probability. After this operation the tripartite probability distribution is of the form (14). Additionally we know that P (s B |s A ) and P (s E |s A ) are binary symmetric channels with error probability ǫ B in (13) and ǫ eq in (18), respectively. It is proven in [8] that in such situation the one-way key rate is which is non-positive if Let us finally prove that this inequality holds for all values of M if condition (5) is not satisfied. Define z = λ 1 + λ 2 . The range of interest is 1/2 ≤ z ≤ 1, since no secret key can be extracted from a separable state [13] and a two-qubit state is entangled iff λ 1 > 1/2. After some algebra, one can prove the inequality where M is any positive integer. The right-hand side of (21) is equal to ǫ B , whereas the left-hand side is an upper bound for ǫ eq . This bound follows from the inequality (λ 1 − λ 2 ) 2 /z 2 ≤ (1 − z)/z, which is the negation of (5). In summary, if condition (5) is not satisfied, no secret key can be distilled with the considered protocol.
Since we have previously proven the sufficiency of (5), the attack we have considered is optimal and the security bound (5) is tight for our SIMCAP protocol. It is worth analyzing the resources that this optimal eavesdropping attack requires. First of all, we note that Eve does not need to perform any coherent operation, i.e., she can make do with single-copy measurements. This follows from the fact that the minimum error probability (17) can be attained using an adaptive discrimination protocol consisting of projective measurements on each one of the M copies [15]. Therefore, in order to break our key distillation protocol, what Eve does need is the ability to store her quantum states until after listening to the (public) communication between the honest parties in step (ii). That is to say, she requires a quantum memory. If Eve can neither perform coherent operations nor have a quantum memory, the necessary and sufficient condition for the success of this protocol is λ 1 > 1/2 [4], which is the entanglement condition for two-qubit states.

V. FINAL REMARKS
In this paper, we have considered the problem of secret key extraction from two-qubit correlations. We have derived the necessary and sufficient condition for positive key rate using an improved version of the SIMCAP protocol of Ref. [4]. If this condition does not hold, we have shown that an optimal attack can be implemented without any coherent quantum operation. In this case, and contrary to what happens in [16], quantum memory gives a significant advantage to Eve. In view of the above, the first natural question one can ask concerns the optimality of the SIMCAP protocol discussed here. In other words, does condition (5) characterize the set of all distillable two-qubit states with SIM-CAP protocols? Let us argue that this could indeed be the case. Recall that our protocol consists of three steps: measurements followed by two-way and one-way reconciliation. Concerning the third step, we employ the optimal protocol [9]. Therefore, the weak part in the reconciliation process corresponds to the two-way communication step. Here, we have used the standard advantage distillation protocol. Notice that its coherent version, usually called recurrence, combined with one-way hashing techniques, enables the distillation of pure-state entanglement from any entangled two-qubit state [17]. As far as the measurement part is concerned, the single-copy filtering operation (a) is optimal in terms of entanglement enhancing [5]. Moreover, we have numerically checked that for Bell diagonal states of the form (2), measuring in the computational basis is optimal within our reconciliation scheme. All this suggests that the necessary and sufficient condition (5) could very well be completely general. If this were the case, there would exist some two-qubit entangled states for which extracting secret bits would require coherent operations (see Fig. 1). In other words, there would be quantum states whose secrecy content would not be distillable by SIMCAP protocols.
Since our protocol does not require any coherent quantum operation on Alice and Bob's side, our results can be related to the security of prepare and measure schemes, such as BB84 [3]. Indeed, every state can be associated to a channel, and then, the sequence of measurements defines a QKD prepare and measure protocol. Note however that in a fully general security proof for these schemes, one must not make any assumption on the global state shared by Alice and Bob. That is, one must consider the most general correlated state of N pairs of systems compatible with the single-pair description. In our analysis, however, it is assumed that Alice and Bob's state consists of N copies of the same two-qubit state. In the prepare and measure picture, this means that Eve interacts individually with the quantum states sent to Bob; they are the so-called collective attacks [10]. The recent results of [10] suggest that Eve gains no advantage by introducing correlations among the pairs of systems shared by Alice and Bob. If this were proved correct, our results would indeed provide a tight, general security proof for a whole family of schemes and channels. Note also that while the sufficient part of our security condition relies on the N copies hypothesis, the necessary part does not. It simply senses the existence of an attack that can be applied to any protocol equivalent to ours.
Finally, it is interesting to compare our results with previous security proofs using two-way communication for QKD schemes [18]. When the attack described above is applied to the six-state protocol, Eve prepares N independent copies of a two-qubit Werner state: Condition (5) shows that a secure key extraction is not possible with our protocol if the error rate is larger than This is precisely the same value as obtained by Chau in [18]. Indeed, his protocol is equivalent to ours. The attack we have presented proves that, unless another twoway reconciliation technique is employed, this critical error rate cannot be improved, i.e., is tight.

VI. ACKNOWLEDGEMENTS
This work is supported by the Spanish Ministry of Science and Technology project BFM2002-02588, "Ramón y Cajal", 2002FI-00373 and 2004FI-00068 grants, by CIRIT project SGR-00185, by the U.K. Engineering and Physical Sciences Research Council (IRC QIP), and by QUPRODIS working group EEC contract IST-2001-38877.