SARG04 explained
SARG04 (named after Valerio Scarani, Antonio Acín, Gregoire Ribordy, and Nicolas Gisin) is a 2004 quantum cryptography protocol derived from the first protocol of that kind, BB84.
Origin
Researchers built SARG04 when they noticed that by using the four states of BB84 with a different information encoding they could develop a new protocol which would be more robust, especially against the photon-number-splitting attack, when attenuated laser pulses are used instead of single-photon sources. SARG04 was defined by Scarani et al. in 2004 in Physical Review Letters as a prepare and measure version (in which it is equivalent to BB84 when viewed at the level of quantum processing).[1]
An entanglement-based version has been defined as well.[1]
Description
In the SARG04 scheme, Alice wishes to send a private key to Bob. She begins with two strings of bits,
and
, each
bits long. She then encodes these two strings as a string of
qubits,
and
are the
bits of
and
, respectively. Together,
give us an index into the following four qubit states:
|\psi01\rangle=|+\rangle=
}|0\rangle + \frac|1\rangle
|\psi11\rangle=|-\rangle=
}|0\rangle - \frac|1\rangle.
Note that the bit
is what decides which basis
is encoded in (either in the computational basis or the Hadamard basis). The qubits are now in states which are not mutually orthogonal, and thus it is impossible to distinguish all of them with certainty without knowing
.
Alice sends
over a public
quantum channel to Bob. Bob receives a state
\varepsilon\rho=\varepsilon|\psi\rangle\langle\psi|
, where
represents the effects of noise in the channel as well as eavesdropping by a third party we'll call Eve. After Bob receives the string of qubits, all three parties, namely Alice, Bob and Eve, have their own states. However, since only Alice knows
, it makes it virtually impossible for either Bob or Eve to distinguish the states of the qubits.
Bob proceeds to generate a string of random bits
of the same length as
, and uses those bits for his choice of basis when measuring the qubits transmitted by Alice. At this point, Bob announces publicly that he has received Alice's transmission. For each qubit sent, Alice chooses one computational basis state and one Hadamard basis state such that the state of the qubit is one of these two states. Alice then announces those two states. Alice will note whether the state is the computational basis state or the Hadamard basis state; that piece of information makes up the secret bit that Alice wishes to communicate to Bob. Bob now knows that the state of his qubit was one of the two states indicated by Alice. To determine the secret bit, Bob must distinguish between the two candidate states. For each qubit, Bob can check to see whether his measurement is consistent with either possible state. If it is consistent with either state, Bob announces that the bit is invalid, since he cannot distinguish which state was transmitted based on the measurement. If on the other hand, one of the two candidate states was inconsistent with the observed measurement, Bob announces that the bit is valid since he can deduce the state (and therefore the secret bit).
Consider for example the scenario that Alice transmits
and announces the two states
and
. If Bob measures in the computational basis, his only possible measurement is
. This outcome is clearly consistent with the state having been
, but it would also be a possible outcome if the state had been
. If Bob measures in the Hadamard basis, either
or
could be measured, each with probability . If the outcome is
then again this state is consistent with either starting state. On the other hand, an outcome of
cannot possibly be observed from a qubit in state
. Thus in the case that Bob measures in the Hadamard basis and observes state
(and only in that case), Bob can deduce which state he was sent and therefore what the secret bit is.
From the remaining
bits where both Bob's measurement was conclusive, Alice randomly chooses
bits and discloses her choices over the public channel. Both Alice and Bob announce these bits publicly and run a check to see if more than a certain number of them agree. If this check passes, Alice and Bob proceed to use privacy amplification and information reconciliation techniques to create some number of shared secret keys. Otherwise, they cancel and start over.
The advantage of this scheme relative to the simpler BB84 protocol is that Alice never announces the basis of her bit. As a result, Eve needs to store more copies of the qubit in order to be able to eventually determine the state than she would if the basis were directly announced.
Intended use
The intended use of SARG04 is in situations where the information is originated by a Poissonian source producing weak pulses (this means: mean number of photons < 1) and received by an imperfect detector, which is when attenuated laser pulses are used instead of single photons. Such a SARG04 system can be reliable up to a distance of about 10 km.[1]
Modus operandi
The modus operandi of SARG04 is based on the principle that the hardware must remain the same (as prior protocols) and the only change must be in the protocol itself.[1]
In the original "prepare and measure" version, SARG04's two conjugated bases are chosen with equal probability.[1]
Double clicks (when both detectors click) are important for comprehending SARG04: double clicks work differently in BB84 and SARG04. In BB84, their item is discarded because there is no way to tell what bit Alice has sent. In SARG04, they are also discarded, "for simplicity", but their occurrence is monitored to prevent eavesdropping. See the paper for a full quantum analysis of the various cases.[1]
Security
Kiyoshi Tamaki and Hoi-Kwong Lo were successful in proving security for one and two-photon pulses using SARG04.[1]
It has been confirmed that SARG04 is more robust than BB84 against incoherent PNS attacks.[1]
Unfortunately an incoherent attack has been identified which performs better than a simple phase-covariant cloning machine, and SARG04 has been found to be particularly vulnerable in single-photon implementations when Q >= 14.9%.[1]
Comparison with BB84
In single-photon implementations, SARG04 was theorised to be equal with BB84, but experiments have shown that it is inferior.[1]
References
Bibliography
- Valerio Scarani . Antonio Acín . Grégoire Ribordy . Nicolas Gisin . 2004 . Quantum Cryptography Protocols Robust against Photon Number Splitting Attacks for Weak Laser Pulse Implementations . . 92 . 5 . 057901 . quant-ph/0211131 . 2004PhRvL..92e7901S . 10.1103/PhysRevLett.92.057901 . 14995344.
- Chi-Hang Fred Fung . Kiyoshi Tamaki . Hoi-Kwong Lo . 2006 . Performance of two quantum-key-distribution protocols. . 73 . 1 . 012337 . quant-ph/0510025. 2006PhRvA..73a2337F . 10.1103/PhysRevA.73.012337.
- Branciard, Cyril . Gisin, Nicolas . Kraus, Barbara . Scarani, Valerio . Security of two quantum cryptography protocols using the same four qubit states . . 72 . 32301 . 2005 . quant-ph/0505035. 2005PhRvA..72c2301B . 10.1103/physreva.72.032301.
See also
Notes and References
- Cyril Branciard . Nicolas Gisin . . Valerio Scarani . 2005 . Security of two quantum cryptography protocols using the same four qubit states . . 72 . 3 . 032301 . quant-ph/0505035 . 2005PhRvA..72c2301B. 10.1103/PhysRevA.72.032301.