Entanglement Enhances Security in Secret Sharing
Rafal Demkowicz-Dobrzanski, Aditi Sen De, Ujjwal Sen, Maciej Lewenstein
arXiv [quant-ph], Feb
Institute of Physics, Nicolaus Copernicus University, ul. Grudziadzka 5, 87-100 Toruń, Poland
ICREA and ICFO-Institut de Ciències Fotòniques, E-08860 Castelldefels (Barcelona), Spain
We analyze tolerable quantum bit error rates in secret sharing protocols, and show that using entangled encoding states is advantageous in the case when the eavesdropping attacks are local. We also provide a criterion for security in secret sharing – a parallel of the Csiszár-Körner criterion in single-receiver cryptography.
In the last few years, the role of entanglement in different branches of physics has been studied extensively, ranging from many-body physics [1, 2] to quantum information processing [3]. In particular, the qualities and thresholds of entanglement for optimal quantum communication performance have been found, e.g. with regard to teleportation [4], dense coding [5], and cryptography [6]. The necessity of entanglement in quantum computation is still under investigation (see e.g. [7]). In a different context, there is ongoing research on the behavior of entanglement in e.g. quantum phase transitions [2], local cloning [8], and local state distinguishing [9].

In this paper, we will investigate the advantage of entanglement in the security of a quantum communication task, known as secret sharing [10, 11], which is a communication scenario in which a sender Alice ( A ) wants to provide a (classical) message to two recipients (Bobs – B , B ), in a way that each of the Bobs individually knows nothing about the message, but they can recover its content once they cooperate. In order to transmit a binary message string { a i }, Alice can then take a sequence of completely random bits { b ,i }, send it to B , and at the same time send a sequence { b ,i } = { a i ⊕ b ,i } to B , where ⊕ denotes addition modulo 2. Thus a i = b ,i ⊕ b ,i , assuring that the Bobs can recover the message if they cooperate, and yet neither of them can learn anything about the message of Alice on his own, since the sequences { b ,i }, { b ,i } are completely random.

An important issue is of course security, i.e. distributing the message in a way that no third (actually fourth!) party learns about it. This can be achieved using quantum cryptography (e.g. by the BB84 scheme [12]). Alice simply has to establish secret random keys, independently, with both Bobs, and use them as one-time pads to securely send bits in the way required by secret sharing. We call this the BB84 ⊗ protocol.
It has been argued [10] that a more natural way of using quantum states in secret sharing is to send entangled states to the Bobs, and as a result, avoid establishing random keys with each of the Bobs separately, by combining the quantum and classical parts of secret sharing in a single protocol. We call the protocol in [10, 11] E4 (since it uses four entangled states).

In this paper, we consider security thresholds for both E4 and BB84 ⊗ , i.e. the highest quantum bit error rates (QBERs) below which one-way distillation of secret key is possible. There are three main results proven in the paper. First, we provide a criterion for security of secret sharing, for which one-way classical distillation of secret key is possible between the sender and the receivers: the parallel of the Csiszár-Körner criterion in (single-receiver, classical) cryptography [13].
Secondly, we find the optimal quantum eavesdropping attacks on both E4 and BB84 ⊗ , that are individual, without quantum memory, and most importantly, local. Note that an attack which acts by local operations and classical communication (LOCC) on the particles sent through the two channels ( A → B and A → B ) is physically more relevant in this distributed receivers case. We show that the threshold QBER for E4 is about 18.2 % higher than that of BB84 ⊗ . This shows, to our knowledge for the first time, that it is more secure to use entangled encoding states in secret sharing. Thirdly, we provide an interesting general method for dealing with local eavesdropping attacks.
The protocols.
In our setting, a secret sharing protocol can be characterized by { | ψ j, ⟩ , | ψ j, ⟩ , σ j,k ⊗ σ j,k }, where j labels the different encoding “bases” used, | ψ j,a ⟩ are two-qubit states sent by Alice to the Bobs if she uses basis j and wants to communicate the logical value a , while σ j,k ⊗ σ j,k is a set of observables compatible with basis j (so that if the corresponding measurement is performed by the Bobs, it allows them to recover a proper logical bit of Alice). In practice, B ( B ) randomly measures the observables σ j,k ( σ j,k ) on states received from Alice in each round. After the transmission is completed, the Bobs announce the observables they have used in each round to Alice, who, judging on whether this combination of observables is present in σ j,k ⊗ σ j,k for the particular j she had used in that round, tells the Bobs whether to keep or reject their measured results for that round – this is called the sifting phase. The BB84 ⊗ protocol is defined as

  j    | ψ j, ⟩                   | ψ j, ⟩                   σ j,k ⊗ σ j,k
       |x+⟩|x+⟩ , |x−⟩|x−⟩        |x+⟩|x−⟩ , |x−⟩|x+⟩        σ x ⊗ σ x
       |x+⟩|y+⟩ , |x−⟩|y−⟩        |x+⟩|y−⟩ , |x−⟩|y+⟩        σ x ⊗ σ y
       |y+⟩|x+⟩ , |y−⟩|x−⟩        |y+⟩|x−⟩ , |y−⟩|x+⟩        σ y ⊗ σ x
       |y+⟩|y+⟩ , |y−⟩|y−⟩        |y+⟩|y−⟩ , |y−⟩|y+⟩        σ y ⊗ σ y

where |x±⟩ ( |y±⟩ ) are eigenstates of the Pauli σ x ( σ y ) matrix. The fact that there are two states corresponding to a given | ψ j,a ⟩ simply means that each of them is sent randomly with probability 1/2. The E4 protocol [10] (see also [15]), on the other hand, is defined as

  j    | ψ j, ⟩       | ψ j, ⟩       σ j,k ⊗ σ j,k
       | ψ + ⟩        | ψ − ⟩        σ x ⊗ σ x , − σ y ⊗ σ y
       | ψ i + ⟩      | ψ i − ⟩      σ x ⊗ σ y , σ y ⊗ σ x

where | ψ ± ⟩ = ( | ⟩ ± | ⟩ ) / √ , | ψ i ± ⟩ = ( | ⟩ ± i | ⟩ ) / √ , and | ⟩ , | ⟩ are eigenstates of the Pauli σ z operator. The question is which of these protocols tolerates a higher QBER. After the sifting phase, let the bits of Alice and the Bobs, obtained in a given set of rounds, be described by the probability distribution p AB B ( a, b , b ). The corresponding QBER is

QBER = Σ a,b ,b  p AB B ( a, b , b ) [1 − δ a,b ⊕ b ].

Error correction and privacy amplification.
Knowing the QBER, we want to perform a one-way error correction procedure, such that all errors are corrected with arbitrarily high probability. In standard (single-receiver) cryptography, error correction can be performed either from the sender to the receiver, or vice-versa. In secret sharing, there are two separated receivers, and each of them individually has bits that are completely random. So there is no way for Alice to perform one-way error correction to the Bobs – whatever she sends to each of them individually, it will not be enough for them to correct errors, unless she sends the total information, which is of course not the solution we are after.

The only remaining option is that each of the Bobs sends some information to Alice, judging on which she is able to correct her bits { a i } in a way that for every i : a i = b ,i ⊕ b ,i . Fortunately, this is indeed possible. We present here an idea of how this can be achieved. We will adapt for our needs a standard method in classical communication theory – namely, that of random coding (see e.g. [16–18]). Let each of the three parties have n bits after the sifting phase. The error correction procedure uses a random coding function f : { , }^n → { , }^m , known to all three parties (and the rest of the world), where m ≤ n will be chosen later. This function assigns a random m-bit codeword to each of the 2^n possible n-bit strings. Error correction goes as follows: B and B calculate f ( { b ,i } ) and f ( { b ,i } ) respectively, and send their m-bit codewords to Alice. After this, Alice looks for all n-bit sequences { b ′ ,i } , { b ′ ,i } such that f ( { b ′ ,i } ) = f ( { b ,i } ), f ( { b ′ ,i } ) = f ( { b ,i } ), and chooses a pair { b ′ ,i } , { b ′ ,i } for which the Hamming distance dist( { a i } , { b ′ ,i ⊕ b ′ ,i } ) is minimal.
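The random-coding procedure described above can be run by brute force on short strings. The following is an added example, not code from the paper: the names b1, b2 for the two receivers' strings, the seeds and the sample sizes are constructed here, and the per-receiver codeword length is taken as half of the n·h(QBER) + n bits that the text goes on to say the two Bobs must supply together (with h in bits).

```python
import math
import random
from itertools import product


def h(p):
    """Binary entropy in bits; h(0) = h(1) = 0 by continuity."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def min_codeword_len(n, qber):
    """Per-receiver length: half of the n*h(QBER) + n bits needed in total."""
    return math.ceil(n * (1 + h(qber)) / 2)


def random_code(n, m, seed):
    """Public random coding function f: n-bit tuple -> m-bit integer codeword."""
    rng = random.Random(seed)
    return {s: rng.getrandbits(m) for s in product((0, 1), repeat=n)}


def xor(u, v):
    return tuple(x ^ y for x, y in zip(u, v))


def hamming(u, v):
    return sum(x != y for x, y in zip(u, v))


def alice_decode(f, a, c1, c2):
    """Among all (b1', b2') with f(b1') = c1 and f(b2') = c2, return the pair
    whose XOR is closest to Alice's string a in Hamming distance."""
    pre1 = [s for s, c in f.items() if c == c1]
    pre2 = [s for s, c in f.items() if c == c2]
    return min(((s1, s2) for s1 in pre1 for s2 in pre2),
               key=lambda pair: hamming(a, xor(*pair)))


def run_round(n, m, flips, seed):
    """One constructed instance: random strings b1, b2 and Alice's string a,
    equal to b1 xor b2 except in `flips` positions (the channel errors)."""
    rng = random.Random(seed)
    f = random_code(n, m, seed + 1)
    b1 = tuple(rng.getrandbits(1) for _ in range(n))
    b2 = tuple(rng.getrandbits(1) for _ in range(n))
    a = list(xor(b1, b2))
    for i in rng.sample(range(n), flips):
        a[i] ^= 1
    g1, g2 = alice_decode(f, tuple(a), f[b1], f[b2])
    return tuple(a), b1, b2, g1, g2, f


def success_rate(n, m, flips, trials=50):
    """Fraction of rounds in which Alice's corrected string equals b1 xor b2."""
    ok = 0
    for t in range(trials):
        _, b1, b2, g1, g2, _ = run_round(n, m, flips, seed=1000 + 2 * t)
        ok += xor(g1, g2) == xor(b1, b2)
    return ok / trials


if __name__ == "__main__":
    n, flips = 10, 1
    m_min = min_codeword_len(n, flips / n)
    for m in (m_min - 4, m_min, n):
        print(f"m={m:2d}  success rate={success_rate(n, m, flips):.2f}")
```

The bound on m is asymptotic in n, so at n = 10 decoding can still fail at the computed length; the script prints the empirical success rate for a few values of m so the dependence on codeword length can be seen directly.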
It can be shown that in the limit n → ∞, this strategy is successful with arbitrarily high probability, provided

m ≥ n [1 + h (QBER)] / ,   (1)

where h ( p ) = − p log p − (1 − p ) log (1 − p ) is the binary entropy function. This result is quite intuitive, since in a standard bipartite error correction, the length of a codeword has to fulfill m ≥ n h (QBER). In secret sharing however, the two Bobs together have to provide Alice with n h (QBER) + n bits. These additional n bits are needed, since a sequence of one of the Bobs taken separately is completely random for Alice. As a result each of the Bobs has to send a code of length given by Eq. (1).

After the error correction stage is completed, Alice and the Bobs need to perform privacy amplification, in order to obtain a possibly shortened, but completely secure key, on which an eavesdropper has no information. Privacy amplification presents no additional difficulty in a secret sharing scenario, as compared to standard bipartite cryptography, since its performance, in principle, requires no additional communication between Alice and the Bobs. It is enough that all parties apply the same hashing function [14] for shortening the key, and if there were no errors, in the sense that for all i , a i = b ,i ⊕ b ,i , then there will be no errors in the shortened key.

LOCC attacks.
We will analyze the security of the protocols with the following restrictions imposed on an eavesdropper: (i) The eavesdropper can perform only individual attacks; (ii) Individual attacks are LOCC operations with respect to the partition of the encoding states between B and B ; (iii) The eavesdropper is not allowed any kind of quantum memory. Restriction (i) means that an eavesdropper can interact, in a given round, with only the quantum state sent by Alice to the Bobs in that round. Restriction (ii) is at the heart of the problem we analyze, and is natural in the distributed receivers scenario. Note here that if no LOCC condition is imposed, then the security analyses of the two-receiver E4 and single-receiver BB84 protocols are isomorphic. The justification of (iii) is based on current technology limitations – no long-lasting quantum memory has been developed so far.

Let the probability distribution p ABE ( a, b, e ) describe single-round bit values, a of Alice, b = b ⊕ b of the Bobs, and e of an eavesdropper, after the eavesdropper's attack and after the sifting stage is completed. In single-receiver cryptography, the maximal one-way secret key distillation rate K is given by the Csiszár-Körner criterion [13]: K = I ( A : B ) − min( I ( A : E ) , I ( B : E )), where I ( : ) is the mutual information between the corresponding parties. As discussed in previous paragraphs, error correction in secret sharing can be performed only in one direction (from the Bobs to Alice). Thus the secret key distillation rate in the case of secret sharing is K = I ( A : B ) − I ( B : E ), which is therefore the parallel of the Csiszár-Körner criterion in (single-receiver) cryptography [13].

In order to analyze eavesdropping attacks, consider the state | ψ j,a ⟩ being sent from Alice to the Bobs.
Collaborating eavesdroppers E , E , acting on the channels connecting A with B and B respectively, can perform an arbitrary LOCC operation E (completely positive trace-preserving LOCC map) to create ρ j,a B B E E = E ( | ψ j,a ⟩⟨ ψ j,a | ). The operation is LOCC with respect to the partition B , E | B , E . Subsequently, E , E perform an LOCC measurement on their subsystems in order to obtain information about the bit shared by Alice with the Bobs, while sending possibly-perturbed subsystems B , B to their legitimate recipients. Without losing generality, we can restrict this measurement to have only two possible outcomes (0 or 1), since only the value of a transmitted bit is of interest to the eavesdroppers. Hence we model the measurement by a two-element positive operator valued measurement (POVM): Π E E (0), Π E E (1). Obviously Π E E ( e ) ≥ 0, and Π E E (0) + Π E E (1) = E E , but here we additionally impose the constraint that the measurements are LOCC-based.

The probability distribution p ABE ( a, b, e ) is given by Σ j p ( j, a ) Tr[ E ( | ψ j,a ⟩⟨ ψ j,a | ) Π B B ( j, b ) ⊗ Π E E ( e ) ], where p ( j, a ) is the probability that A sends the state | ψ j,a ⟩ in a given round, whereas { Π B B ( j, b ) } is a POVM corresponding to the Bobs' measurement in basis j (compatible with the state sent by Alice), where the sum of their individual measured values, modulo 2, is equal to b : b = b ⊕ b . The probability normalization condition reads Π B B ( j, 0) + Π B B ( j, 1) = B B . We assume the convention that if one of the Bobs (locally) performs a measurement characterized by a Pauli matrix σ i , then he ascribes the bit value 0 or 1, once in a measurement he projects on an eigenvector with eigenvalue − p ABE ( a, b, e ) more revealing, we introduce non-trace-preserving completely positive operations E , E : H in B ⊗ H in B ↦ H out B ⊗ H out B acting on the input and output Hilbert spaces of the Bobs, and defined as E e ( ϱ B B ) = Tr E E [ E ( ϱ B B ) Π E E ( e ) ]. E e represents the disturbance experienced by a state transmitted to the Bobs, once the eavesdroppers have obtained a particular value e in their measurement. Notice that even though each operation E e is not trace-preserving, the operation E + E is – it corresponds to a situation when one averages over the results of the eavesdroppers' measurement. We can now write p ABE ( a, b, e ) = Σ j p ( j, a ) Tr[ E e ( | ψ j,a ⟩⟨ ψ j,a | ) Π B B ( j, b ) ]. It is now clear that the eavesdropping strategy is completely defined by specifying the two operations E , E , and for a given protocol yields a joint probability distribution p ABE ( a, b, e ).

To calculate the QBER threshold, one should now look for the highest value of QBER, for which it is still possible to find eavesdropping LOCC operations E e , so that the resulting probability distribution p ABE enjoys the property I ( A : B ) = I ( B : E ). Forgetting for the moment about the LOCC constraint, the problem of finding the QBER threshold is a semi-definite program. To see this, let us denote H out = H out B ⊗ H out B , H in = H in B ⊗ H in B and recall the Jamiołkowski isomorphism [19] between completely positive maps E e and positive semi-definite operators P E e ∈ L ( H out ⊗ H in ): P E e = E e ⊗ I ( | Ψ + ⟩⟨ Ψ + | ), where | Ψ + ⟩ = Σ_{i=1}^{dim H in} | i ⟩ ⊗ | i ⟩ is an unnormalized maximally entangled state in the space H in ⊗ H in , and I is an identity operation on H in . Hence our problem variables are entries of two 16 × 16 matrices, which are required to be positive semi-definite. The trace-preservation condition of E + E translates to a condition on positive operators: Tr H out ( P E + P E ) = H in . This condition is obviously linear in the matrix elements of P E e . Similarly, p ABE is also linear, and hence the security condition is linear. Finally, the QBER, which we want to maximize, is linear.

In order to deal with an LOCC constraint, we will impose the weaker “PPT constraint”: positivity after partial transposition of the P E e operators – we transpose subsystem H out B ⊗ H in B . This is a strictly necessary condition for LOCC [20]. However, we will show that the optimal PPT maps are also LOCC.

Entangled vs. product encoding.
We now present the solutions for the maximal tolerable QBER for the BB84 ⊗ and E4 protocols found by solving the corresponding semi-definite programs, using the SeDuMi package. Although solving a semi-definite program provided us only with numerical solutions, we were able to recognize their analytical form, and hence all results presented are analytical.

For the BB84 ⊗ protocol, the optimal P E BB84 ⊗ , in the computational basis, = diag[4 , , , , , , , , , , , , , , , 4] + the 16x16 matrix ( α i,j ) whose only nonzero elements are α , = α , = α , = α , = α , = α ∗ , = α ∗ , = α ∗ , = α ∗ , = α ∗ , = α ∗ , = α ∗ , = i/ α , = α , = 2 / α , = α , = α , = α , = α , = α , = α , = α , = 1 / α , = − α , = 1 / 18, and hermitian conjugates. The optimal P E BB84 ⊗ has the same entries on the diagonal, and the anti-diagonal, while the remaining ones are multiplied by − 1. These optimal PPT maps will later on be proven to be LOCC. The optimal QBER(BB84 ⊗ ) = 5 / ≈ . P_{E^{E4}_0} = diag[ a, b, b, d, b, a, d, b, b, d, a, b, d, b, b, a ] + the 16x16 matrix ( β i,j ) whose only nonzero entries are β , = β ∗ , = β ∗ , = β , = c , β , = a , β , = f ∗ , and the hermitian conjugates, where a = 3 − √ b = a/ √ c = b exp( iπ/ d = a/ f = id . The optimal P_{E^{E4}_1} is the same as P_{E^{E4}_0} , but with c replaced by − c . Again these optimal PPT maps will later on be proven to be LOCC. The optimal QBER(E4) = 2( √ − / ≈ . ⊗ ), which indicates that indeed the protocol using entangled states is more secure, in the case of LOCC eavesdropping. In Fig. 1, we show the maximum achievable secret-key rates for the two protocols as a function of measured QBER. It is clear that E4 is better not only because of its higher QBER threshold, but because of its higher key rate for all QBER (see Fig. 1, more details will be presented elsewhere [21]).

Explicit LOCC forms of the optimal attacks.
We now show that the optimal attacks are separable. We will subsequently show that the attacks are actually LOCC.

FIG. 1: Maximal achievable secret-key rates K = I ( A : B ) − I ( B : E ) for E4 and BB84 ⊗ , against local attacks.

Separability of the optimal attack for the BB84 ⊗ case is evident once we write it in the form (the procedure leading to this form will be presented elsewhere [21])

E BB84 ⊗ e ( ρ ) = Σ φ ,φ ∈{ ,π } K φ ,φ e,B K φ ,φ e,B ρ K φ ,φ † e,B K φ ,φ † e,B ,

where the local Kraus operators K φ ,φ e,B , K φ ,φ e,B are

1 √ " ( − e √ i ( φ − π/ i ( φ + π/ − e √ i ( φ + φ )] , √ " √ − i ( φ + π/ − i ( φ − π/ √ i ( φ + φ )]

respectively. Since K e,B does not depend on e (equivalently, K e,B can also be chosen to be so), we write it as K B . The full operation E BB84 ⊗ = E BB84 ⊗ + E BB84 ⊗ can be written as

= Σ φ ,φ ∈{ ,π } ⊗ K φ ,φ B ( Σ e =0 K φ ,φ e,B ⊗ ρ K φ ,φ † e,B ⊗ ⊗ K φ ,φ † B ,

which shows that it is indeed LOCC, since it can be realized as follows. First an operation given by the four Kraus operators K φ ,φ B is performed on the second subsystem, and the measurement result ( φ , φ ) is transmitted to the first subsystem. For given values of ( φ , φ ) received by the first subsystem, an operation using the two Kraus operators K φ ,φ ,B , K φ ,φ ,B is performed on the first subsystem. This is a legitimate deterministic LOCC operation since Σ φ ,φ ∈{ ,π } K φ ,φ † B K φ ,φ B = 1, and for every ( φ , φ ), Σ e =0 K φ ,φ † e,B K φ ,φ e,B = 1. Note that it requires only one-way classical communication. Summing up, E BB84 ⊗ e are separable trace-decreasing operations, such that when added together, they form a trace-preserving LOCC operation E BB84 ⊗ , and hence they can both be realized via LOCC.

In a similar way, we can show that the optimal PPT attacks on the E4 protocol are also LOCC. Separable Kraus decompositions of E E4 e read

E E4 e ( ρ ) = Σ K φ ,φ ,φ e,B K φ ,φ ,φ B ρ K φ ,φ ,φ † e,B K φ ,φ ,φ † B ,

where the sum runs over φ , φ , φ ∈ { , π/ , π/ } , and K φ ,φ ,φ e,B , K φ ,φ ,φ e,B are respectively

s √ " ( − e / exp( iφ )exp( iφ ) ( − e / exp( iφ ) , q √ " / exp[ − i ( φ + π/ − i ( φ − π/ / exp( − iφ ) .

Again we can write the full operation E E4 = E^{E4}_0 + E^{E4}_1 as

Σ φ ,φ ,φ ∈{ , π/ , π/ } ⊗ K φ ,φ ,φ B ( Σ e =0 K φ ,φ ,φ e,B ⊗ ρ K φ ,φ ,φ † e,B ⊗ ) ⊗ K φ ,φ ,φ † B ,

which shows that it is LOCC, since it can be realized by performing an operation on the second subsystem using the 27 Kraus operators K φ ,φ ,φ † B , communicating the measurement result ( φ , φ , φ ) to the first subsystem, on which an appropriate operation using the two Kraus operators K φ ,φ ,φ e,B ( e = 0 , 1) is performed. Note that Σ φ ,φ ,φ ∈{ , π/ , π/ } K φ ,φ ,φ † B K φ ,φ ,φ B = 1, and for every ( φ , φ , φ ), Σ e =0 K φ ,φ ,φ † e,B K φ ,φ ,φ e,B =

Typical noise.
Judging the usefulness of the two protocols by comparing their QBER thresholds may a priori not be sensible from an experimental point of view, as in an experiment we face noise caused by natural factors, as well as by the eavesdropper. Hence a relevant question is: Which protocol allows a secure key transmission in the presence of a higher level of noise, of the type present in an experiment? Consider a typical situation when we send the qubits via two fibers. A usual model of noise here would be that each channel (fiber) is an isotropically depolarizing channel – and they are independent. Given a channel with a fixed level of depolarization, we ask: Can we securely extract some secret key using either the E4 or the BB84 ⊗ protocol? This may not be equivalent to comparing QBER thresholds, because different states are used in the two protocols, which under the same noise level may behave differently, and result in different QBERs – in particular it could happen that in such a situation it might be advantageous to apply a protocol with a lower QBER threshold. In this environment, however, the QBERs for E4 and BB84 ⊗ depend in the same way on the depolarization parameter. If an isotropically depolarizing qubit channel acts as D ( ρ ) = (1 − p ) ρ + p / 2, then the QBER caused by the D ⊗ channel is QBER = p (1 − p/ 2) for both the protocols. Comparing protocols using QBER thresholds as a figure of merit is legitimate both from a theoretical and a practical point of view.
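The claim that both protocols see QBER = p(1 − p/2) under independent depolarizing noise can be checked numerically from the protocol tables. The following is an added example, not code from the paper; it assumes that the E4 encoding states are (|00⟩ ± |11⟩)/√2 and (|00⟩ ± i|11⟩)/√2 (the extracted text has lost the ket labels; these are ±1 eigenstates of the listed observables), that the channel is D applied independently to each qubit with the maximally mixed state as the noise term, and that all states and compatible observables are used with equal probability.

```python
import math

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
R = 1 / math.sqrt(2)

def kron(a, b):
    """Kronecker product of two matrices given as lists of rows."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def mul(a, b):
    n = len(b)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(len(b[0]))]
            for i in range(len(a))]

def expect(rho, obs):
    """Tr(rho * obs), real for a Hermitian observable."""
    n = len(rho)
    return sum(rho[i][k] * obs[k][i] for i in range(n) for k in range(n)).real

def projector(v):
    return [[x * complex(y).conjugate() for y in v] for x in v]

def depolarize_both(rho, p):
    """D applied to each of the two qubits, with D(r) = (1-p) r + p*1/2 in its
    equivalent Pauli form (1 - 3p/4) r + (p/4)(X r X + Y r Y + Z r Z)."""
    terms = [(I2, 1 - 3 * p / 4), (X, p / 4), (Y, p / 4), (Z, p / 4)]
    out = [[0j] * 4 for _ in range(4)]
    for s1, w1 in terms:
        for s2, w2 in terms:
            k = kron(s1, s2)          # Hermitian and unitary, so k = k^dagger
            t = mul(mul(k, rho), k)
            for i in range(4):
                for j in range(4):
                    out[i][j] += w1 * w2 * t[i][j]
    return out

def tensor(u, v):
    return [x * y for x in u for y in v]

def neg(m):
    return [[-x for x in row] for row in m]

# Pauli matrix with its +1 and -1 eigenvectors: |x+>, |x-> and |y+>, |y->.
EIG = {"x": (X, [R, R], [R, -R]), "y": (Y, [R, 1j * R], [R, -1j * R])}
# Product-state table: every product of eigenstates, measured in its own bases.
BB84 = [(tensor(u, v), [kron(EIG[s][0], EIG[t][0])])
        for s in "xy" for t in "xy"
        for u in EIG[s][1:] for v in EIG[t][1:]]
# E4 table. ASSUMPTION (see lead-in): (|00> +- |11>)/sqrt2 measured with XX and
# -YY, and (|00> +- i|11>)/sqrt2 measured with XY and YX.
E4 = [([R, 0, 0, sign * phase * R], obs)
      for phase, obs in ((1, [kron(X, X), neg(kron(Y, Y))]),
                         (1j, [kron(X, Y), kron(Y, X)]))
      for sign in (1, -1)]

def qber(protocol, p):
    """Average probability that the Bobs' joint outcome differs from the
    parity encoded by Alice, over all states and compatible observables."""
    errors = []
    for psi, observables in protocol:
        rho = projector(psi)
        noisy = depolarize_both(rho, p)
        for obs in observables:
            ideal = expect(rho, obs)            # +1 or -1 without noise
            errors.append((1 - ideal * expect(noisy, obs)) / 2)
    return sum(errors) / len(errors)

if __name__ == "__main__":
    for p in (0.0, 0.1, 0.2, 0.5):
        print(p, round(qber(BB84, p), 6), round(qber(E4, p), 6), p * (1 - p / 2))
```

Each two-qubit correlator is scaled by (1 − p)² under the product channel, which is why product and entangled encodings give the same error rate (1 − (1 − p)²)/2 = p(1 − p/2).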
Summary.
We have for the first time shown that entanglement in the encoding states provides better security in secret sharing. The security was judged by calculating the QBER threshold for secure communication, under the assumption of local individual quantum attacks without quantum memory. We have found the optimal attacks in such a scenario for the two paradigmatic protocols: one using product states and the other using entangled ones for encoding. Further results include the parallel of the Csiszár-Körner criterion for security in (single-receiver) cryptography in the distributed-receivers case, and usefulness of the protocols in the presence of a depolarizing environment.

We acknowledge support from the Spanish MEC (FIS-2005-04627, Consolider QOIT, Acciones Integradas, & Ramón y Cajal), ESF Program QUDEDIS, Euroquam FERMIX, Polish Ministry of Science and Higher Education grant no. 1 P03B 011 29, EU IP SCALA, EU IP QAP.

[1] M. Lewenstein et al., Adv. Phys. , 243 (2007).
[2] L. Amico et al., to appear in Rev. Mod. Phys. (quant-ph/0703044).
[3] R. Horodecki et al., to appear in Rev. Mod. Phys. (quant-ph/0702225).
[4] See e.g. C.H. Bennett et al., Phys. Rev. Lett. , 1895 (1993); P. Horodecki, M. Horodecki, and R. Horodecki, Phys. Rev. A , 1888 (1999).
[5] C.H. Bennett and S.J. Wiesner, Phys. Rev. Lett. , 2881 (1992).
[6] See e.g. A.K. Ekert, Phys. Rev. Lett. , 661 (1991); N. Gisin et al., Rev. Mod. Phys. , 145 (2002); K. Horodecki et al., ibid. , 160502 (2005).
[7] A. Datta and G. Vidal, Phys. Rev. A , 042310 (2007).
[8] See e.g. R. Demkowicz-Dobrzański et al., Phys. Rev. A , 032313 (2006).
[9] See e.g. M. Hayashi et al., Phys. Rev. Lett. , 040501 (2006).
[10] M. Żukowski, A. Zeilinger, M. Horne, and H. Weinfurter, Acta Phys. Pol. , 187 (1998); M. Hillery, V. Bužek, and A. Berthiaume, Phys. Rev. A , 1829 (1999).
[11] R. Cleve, D. Gottesman, and H.-K. Lo, Phys. Rev. Lett. , 648 (1999); A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A , 162 (1999).
[12] C.H. Bennett and G. Brassard, in Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, NY (1984)).
[13] I. Csiszár and J. Körner, IEEE Trans. Inf. Th. IT-24, 339 (1978).
[14] C.H. Bennett, G. Brassard, C. Crépeau, and U. Maurer, IEEE Trans. Inf. Theory, , 1915 (1995).
[15] V. Scarani and N. Gisin, Phys. Rev. Lett. , 117901 (2001); Phys. Rev. A , 012311 (2002); A. Sen(De), U. Sen, and M. Żukowski, Phys. Rev. A , 032309 (2003); C. Schmid et al., Phys. Rev. Lett. , 230505 (2005).
[16] T.M. Cover and J.A. Thomas, Elements of Information Theory (Wiley, NJ (1991)).
[17] G. Brassard and L. Salvail, Adv. Cryptol. , 410 (1994).
[18] M.A. Nielsen and I.L. Chuang, Quantum Computing and Quantum Information (CUP, Cambridge (2000)).
[19] A. Jamiołkowski, Rep. Math. Phys. , 275 (1972).
[20] P. Horodecki, Phys. Lett. A , 333 (1997); M. Horodecki, P. Horodecki, and R. Horodecki, Phys. Rev. Lett. , 5239 (1998); C.H. Bennett et al., Phys. Rev. A59