Entanglement-secured single-qubit quantum secret-sharing
aa r X i v : . [ qu a n t - ph ] S e p Entanglement-Secured Single-Qubit Quantum Secret Sharing
P. Scherpelz, ∗ R. Resch, † D. Berryrieser, ‡ and T. W. Lynn § Department of Physics, Harvey Mudd College, 301 Platt Blvd., Claremont, CA, 91711. (Dated: November 5, 2018)In single-qubit quantum secret sharing, a secret is shared between N parties via manipulationand measurement of one qubit at a time. Each qubit is sent to all N parties in sequence; the secretis encoded in the first participant’s preparation of the qubit state and the subsequent participants’choices of state rotation or measurement basis. We present a protocol for single-qubit quantum secretsharing using polarization entanglement of photon pairs produced in type-I spontaneous parametricdownconversion. We investigate the protocol’s security against eavesdropping attack under commonexperimental conditions: a lossy channel for photon transmission, and imperfect preparation of theinitial qubit state. A protocol which exploits entanglement between photons, rather than simply po-larization correlation , is more robustly secure. We implement the entanglement-based secret-sharingprotocol with 87% secret-sharing fidelity, limited by the purity of the entangled state produced byour present apparatus. We demonstrate a photon-number splitting eavesdropping attack, whichachieves no success against the entanglement-based protocol while showing the predicted rate ofsuccess against a correlation-based protocol. PACS numbers: 03.67.Hk, 03.67.Dd
I. INTRODUCTION
Secret sharing is the general term for a communica-tion task in which one participant (the sender) wants toshare a message with multiple other participants (the re-cipients) in a way that forces the recipients to cooperatewith one another to reconstruct the message. The taskis relevant when recipients are considered more trustwor-thy as a group than individually. In the strongest versionof secret sharing, the message can be fully reconstructedby the full set of N − N − N − N − N − N − N − ∗ Current address: Department of Physics, University of Chicago,5720 S. Ellis Ave, Chicago, IL 60637. † Current address: SLAC National Accelerator Laboratory, 2575Sand Hill Road, Menlo Park, CA 94025-7015. ‡ Current address: Department of Applied Physics, 348 Via PuebloMall, Stanford University Stanford, CA 94305-4090. § Electronic address: [email protected] protocol; quantum-state resources enhance the sharing ofclassical bit-string sequences. Such quantum-mechanicalresources can be brought to the task of secret sharing inseveral distinct ways.The original quantum secret sharing protocol, pre-sented in 1999 [1], requires the use of a multipartite en-tangled state. Specifically, to share a single-bit secretbetween a sender and N − N -qubit en-tangled state √ [ | i | i . . . | i N + | i | i . . . | i N ] mustbe produced, and the individual qubits distributed be-tween the participants. This quantum secret sharing pro-tocol is in principle quite powerful. It allows participantsto share secrets composed not only of bit values (0 or1) but of complete qubits (quantum states of the form a | i + e iϕ b | i ). The production of multipartite entangledstates is unfortunately a technical challenge, requiring anexperimental tour de force at each realization [2–6].Single-qubit quantum secret sharing (SQQSS), by con-trast, was first proposed and demonstrated in 2005 [7, 8]using photon pairs produced by type-II spontaneousparametric downconversion (SPDC). The protocol in-volves the transmission of a single qubit a | i + e iϕ b | i through the entire sequence of participants. The senderprepares a state with a specific value of ϕ and each re-cipient performs a simple operation to alter ϕ . The finalparticipant performs a measurement on the qubit whoseoutcome depends on the final value of ϕ , and the secret– the initial ϕ value – can be reconstructed only whenall recipients reveal their individual operations. Such aprotocol uses quantum resources to allow secure shar-ing of a classical secret, but does not enable the morepowerful sharing of a full quantum-state secret. On theother hand, SQQSS relies on physical states which canbe easily produced and manipulated in the laboratory, al-lowing for the straightforward realization of the protocolsand demonstration of their successes and vulnerabilities.The original SQQSS protocol, with proposed precautionsand coding repetitions [9, 10], provides security againstnumerous cheating attacks by a subset of recipients.In this work, we experimentally implement two varia-tions on the protocol of [7, 8], adapted for use with type-ISPDC. One version, like the original, relies only on polar-ization correlation in photon pairs; the other directly ex-ploits the quantum entanglement between photons. Wenote the relative strengths and weaknesses of the twoversions. In particular, we develop and implement aphoton-number splitting (PNS) eavesdropping attack; inthe presence of a lossy transmission channel and imper-fect state preparation, this eavesdropping attack worksagainst the correlation-based protocol but fails againstthe entanglement-secured version. II. SINGLE-QUBIT QUANTUM SECRETSHARING SCHEMES USING TYPE-I SPDCA. Correlation-Based Protocol
The SQQSS protocol relies on the secure transmissionof one qubit to a number of participants sequentially.In order to prevent individual participants from cheat-ing, however, this signal qubit must be produced anddetected in correlation with a partner qubit, called the idler . In both the original version [7] and our own vari-ation, the qubits are encoded in the polarizations of apair of photons produced in SPDC. Thus henceforth wewill refer specifically to polarization states of photonsrather than to generic two-state quantum systems. Ourcorrelation-based protocol for type-I SPDC closely fol-lows the original treatment of [7] for the type-II case.The sharing of a secret begins with the creation of apair of photons in the polarization-entangled state | ψ i = 1 √ | HH i + | V V i ) (1)where H denotes horizontal polarization and V verticalpolarization of each photon. The idler photon passesthrough a polarizer oriented to transmit | H i , while thesignal photon passes through a chain of SQQSS partic-ipants. Taken on its own, the polarization state of thesignal photon as it enters the SQQSS chain is undefined.However, the final step in the protocol is the detectionof the signal and idler photons in coincidence with oneanother. This coincidence detection projects the signalphoton, at its entry into the SQQSS chain, into the state | H i .The SQQSS chain is shown conceptually in Fig. 1.It begins with the sender, who uses a combination ofwaveplates to transform the signal photon to one of the ( ) VHx +=+ ϕ ϕ − N ϕ N ϕ sender recipientswith coincident idler photon detection HWPPBSDetectors
Measurement in ( )
VHx ±=± basis FIG. 1: A schematic of the single qubit quantum secret shar-ing protocol. The qubit is initially in the state | + x i = √ ( | H i + | V i ), conditioned on coincident detection of the idlerphoton (gating). Each participant applies a relative phaseshift ϕ j ∈ { , π/ , π, π/ } to the | V i component. The half-wave plate (HWP) and polarizing beam splitter (PBS) allowfor measurement of the final state in the |± x i = √ ( | H i±| V i )basis. four states | + x i = 1 √ | H i + | V i ) , | + y i = 1 √ | H i + i | V i ) , | − x i = 1 √ | H i − | V i ) , (2) | − x i = 1 √ | H i − i | V i ) . This is equivalent to the preparation of | + x i followedby use of a tilt-adjustable phase plate to obtain one of | ± x i , | ± y i , as shown in Fig. 1. The signal photonthen passes to N − ϕ j ∈ { , π/ , π, π/ } so that after partici-pant k , the signal photon state is | χ k i = 1 √ | H i + exp( i k X j =1 ϕ j ) | V i ) . (3)Overall, j ranges from 1 to N to account for the sender( i = 1) and N − X ⇒ ϕ j ∈ { , π } Class Y ⇒ ϕ j ∈ { π/ , π/ } . (4)The sender’s choice of state preparation likewise falls intoeither Class X , for creation of | ± x i , or Class Y , forcreation of | ± y i .Thus each participant so far possesses a single ‘class’bit denoting which class they have chosen, but also asecond ‘secret’ bit consisting of their phase choice withinthat class. After N participants have applied their localoperations, the initial signal photon state | H i is trans-formed to the state | χ N i = 1 √ | H i + exp( i N X j =1 ϕ j ) | V i ) . (5)These phase changes are illustrated in Fig. 1.At this point, the final participant measures the polar-ization of the signal photon in the | ± x i = (1 / √ | H i ±| V i ) basis, conducting the measurement in coincidencewith the idler photon as specified earlier. The measurerrecords the measurement outcome, and the physical as-pect of the SQQSS is complete.Notice that if the final state is of the form | χ N i = 1 √ | H i ± | V i ) , (6)then the measurement outcome will be | + x i or | − x i ,each with probability 1. However, if | χ N i = 1 √ | H i ± i | V i ) , (7)the final measurement result will be random.Therefore, after the measurement is performed, the N participants publicly announce the class of the operationthey applied, and the total number of Class Y operationsis counted. If the number of Class Y operations waseven, the run is valid; the N − Y operations was odd, then the run is discarded;this happens half the time on average.For valid runs, the remaining ‘secret’ bit value retainedby each participant regarding their applied operationconstitutes that participant’s shadow (or the sender’s se-cret). The last participant also holds the record of themeasurement outcome. Only if the N − ϕ .Finally, to prevent cheating, a random subset of thebits must be checked. To do this, the first N participantsannounce in random order their actual phase changes ϕ j for a subset of runs randomly selected by the sender. Theexpected measurement result for each run is computedand compared to the measurement result announced bythe final participant. If any recipient attempts to cheatby measuring the single-photon state and sending a newlyprepared version along to subsequent participants, thebit error rate rises to at least 25%. Thus, if the protocolshows an error rate of less than 25%, cheating of thisform can be ruled out.Restrictions on the order of the class announcements,along with repetitions of the protocol with coding en-hancements, can be implemented to make the protocolmore secure, defending even against cheaters with theirown entangled-pair resources [10]. Alternately, the proto-col can defend against cheating by a subset of recipients(participants 2 through N ) via a simpler modification:instead of measuring the signal photon, participant N is required to transmit it back to the sender, participant1. The sender then measures the photon in either the | ± x i or | ± y i basis, but all recipients announce theirclass choices before the sender announces the sending andmeasurement classes. Runs with even numbers of Class X operations, including the measurement class , are con-sidered valid. This protocol defends against cheating,even with entangled-pair resources, by any subset of therecipients. It privileges the trusted sender of the mes-sage, but the sender already occupies a position of trustby knowing the original secret, in many if not all possibleapplications. B. Entanglement-Based Protocol
In both type-I protocols, the signal and idler photonsare first generated as the entangled pair of Eq. 1. In thecorrelation-based protocol, all measurements are done incoincidence with detection of the idler photon in the state | H i . Thus the signal photon is projected into the state | H i as well, and then rotated into | ± x i or | ± y i stateafterwards by means of phase-shifting optics. As pointedout in Refs. [7, 8], the polarization correlation betweenthe signal and idler photons is crucial for the security ofthe protocol; a cheater or eavesdropper, who does nothave access to the idler photon, therefore has no infor-mation on the initial polarization of the signal photon.Because the signal photon’s initial state is ill-defined,subsequent measurements by the cheater cannot revealinformation about the phase changes applied by senderor recipients.However, while the correlation-based protocol relies onthe polarization correlation between signal and idler, itdoes not rely explicitly on the quantum entanglementbetween them. This insensitivity to entanglement per se can be viewed as a strength of the protocol, giving robust-ness against imperfect entanglement in the form of a lackof coherence between the two terms in the superpositionof Eq. 1. However, by failing to fully exploit the quan-tum entanglement in the initial resource the correlation-based protocol passes up a chance for enhanced securityagainst eavesdropping attacks, as we demonstrate in thenext section.The entanglement-based protocol which follows makesfull and explicit use of the entanglement between signaland idler in order to prepare the signal photon in the state | + x i before it enters the chain of SQQSS participants.Unlike a classical mixture, the initial entangled state canbe rewritten as | ψ i = 1 √ | HH i + | V V i ) = 1 √ | + x, + x i + | − x, − x i ) . (8)Relying on this equality, we orient the idler polarizer totransmit only | + x i polarization. Detection of the signalphoton in coincidence with the idler then projects thesignal photon into the | + x i state as it enters the SQQSSchain. The sender and recipient roles remain the same asbefore, except that the measurement of the signal photonis now conducted in coincidence with the | + x i -selectedidler.The success of the entanglement-based protocol de-pends entirely on the presence of entanglement, ratherthan classical correlation, between the signal and idlerpolarizations. To the extent that the initial state is aclassical mixture of | HH i and | V V i , projection of theidler photon onto | + x i will leave the signal photon inan uncertain polarization state rather than projecting itonto | + x i . Thus the success rate, or fidelity, of the secret-sharing transmission is sensitive to the purity of entan-glement in this protocol. However, the explicit use ofentanglement makes this protocol robust against certaineavesdropping attacks and cheating strategies to whichthe correlation-based protocol is vulnerable. We presentone such attack, a photon-number splitting exploitationof experimental asymmetries, in the next section. III. PHOTON-NUMBER SPLITTINGEAVESDROPPING ATTACK
The correlation-based SQQSS protocol, in an ideal re-alization, provides security against eavesdropping. How-ever, the protocol remains vulnerable to attacks thatmay arise due to the imperfections of implementation.In quantum communication in general (for example, inquantum key distribution), these forms of attack havebeen some of the greatest obstacles to securely imple-menting protocols [11–13]. Such attacks include the pos-sibility of splitting off and measuring a fraction of thephotons in a pulse that is sent for each qubit (photon-number splitting), or adding photons to the channel andlater extracting them for measurement (Trojan-Horse at-tacks) [14]. Here we focus on robustness against a photonnumber-splitting, or PNS, attack.In a PNS attack, an eavesdropper takes advantage ofthe fact that implementations may involve transmissionof pulses with the possibility of multiple photons perqubit. The eavesdropper ‘splits’ off some of the photons,and measures the state of their polarization, while theremaining photons pass through to the intended receiveruntouched. Unless the intended receiver can detect thedecreased signal size, the eavesdropper gains informationabout the message without alerting the participants toher presence.There are many ways of avoiding PNS attacks in quan-tum key distribution, including decoy states, strong ref-erence pulses, and differential phase shifts [15, 16]. Thecorrelation-based protocol protects against PNS by ref-erencing the signal photon to the idler photon, whichis passed through a polarizer before being detected. APNS eavesdropper cannot discover whether her ’picked-off’ signal photons are coincident with the correct idlerphotons; thus she gains no information about the polar-ization state of the signal [8].However, this protection is only completely valid in the case for which the two photons are produced with perfectsymmetry in their polarization states, as in Eq. 1. Givencommon issues in the production of this entangled state,the photons may actually be in the state | ψ , asymm i = a | HH i + p − a | V V i (9)with a = 1 /
2. This state may be the overall two-photonstate produced, or the emitted state may be symmetricbut with correlations between polarization and other de-grees of freedom (such as energy or spatial mode) whichmake it possible for an eavesdropper to filter her detec-tion so she is dealing with an asymmetric state. In ei-ther case, the difference in the probability of detectingthe signal photon in its two polarization states can giveinformation to an eavesdropper. An eavesdropper, Eve,can gather this information by splitting off some photons,and using a beamsplitter to measure half of them in the | ± x i basis and the other half in the | ± y i basis. A. Attack on Correlation-Based Protocol
To quantify this attack, let us assume that Eve is eaves-dropping on the correlation-based protocol, just after thesender has applied a phase shift to the photon. We wantto find the probability that for a given a = 1 / n photons measured by Eve, Eve can distinguish whatstate the sender has prepared. If she can reliably deter-mine the qubit state, she has intercepted the secret. Evewill attempt to distinguish the qubit state by countingthe number of photons detected in each of her four de-tectors (corresponding to measured photon state | + x i , | − x i , | + y i and | − y i ). She will then guess the bit valueassociated with the detector which registered the greatestnumber of counts. This is not the only possible algorithmfor deciding which bit value Eve will guess; however, thisalgorithm does yield better-than-random results for Evewhenever the vulnerability a = 1 / | ψ i = a | + x, H i + p − a | − x, V i . (10)(If the sender applies a different phase shift, the polar-ization states will be different, but Eve’s success in iden-tifying the correct bit does not change.) Given that theidler photon remains unmeasured, we can then find theprobability that Eve measures the signal photon in either | + x i or | − x i , as well as in either | + y i or | − y i . If thephoton goes to the | ± x i -basis detectors, the probabilityof registering | + x i is p ( | + x i ) = h ψ | P + x,s ⊗ I i | ψ i . (11)This evaluates simply to a , and similarly the probabilityof registering | − x i is 1 − a . If the photon goes to the | ± y i -basis detectors, the probability of measuring | + y i is p ( | + y i ) = h ψ | P + y,s ⊗ I i | ψ i (12)= a + (1 − a )2=1 / , and the probability of measuring |− y i is likewise 1 /
2. Forthe eavesdropper, then, for any single intercepted photonthe probabilities of detection in | + x i , | − x i , | + y i , and | − y i are a /
2, (1 − a ) /
2, 1 /
4, and 1 /
4, respectively.Let us assume that n total photons can be diverted anddetected by Eve. The probability of registering i countsin the | + x i detector, j counts in the | − x i detector, k counts in the | + y i detector, and l counts in the | − y i detector is c i,j,k,l = n ! i ! j ! k ! l ! (cid:18) a (cid:19) i (cid:18) − a (cid:19) j (cid:18) (cid:19) k (cid:18) (cid:19) l . (13)Eve will successfully identify the secret if the | + x i detector registers the most counts ( i > j, k, l ), but also ifthe | + y i detector registers the most counts ( l > i, j, k ),since either + result maps to the same secret bit value.To exactly predict Eve’s success rate, however, we mustalso consider the possibility that two or more detectorstie for the most counts. In this case, we let Eve randomlyselect one of the tying detectors and base her bit-valueguess on that detector. With this strategy in mind, wecan assign to each outcome a probability of occurring,and a likelihood for Eve to succeed in that case.Thus we can calculate the probability p Eve ,n for Eve tosuccessfully identify a bit by intercepting n = i + j + k + l photons to be ( p i indicates the probability that i > j, k, l ,while p i = j indicates the probability that i = j > k, l , andso forth): p Eve ,n = 12 [1 + p i − p j + p i = k − p j = k ]+ 16 [ p i = k = l − p j = k = l ] ≈
12 [1 + p i − p j ] , for large n. (14)The final approximation simply neglects ties between thedetectors, which become rare in the limit of large n [17].Finally, we use Eq. 13 to evaluate the probabilities p i ,etc. in Eq. 14. A plot of Eve’s predicted success ratesas a function of a , for various numbers of ‘picked-off’photons per qubit, is shown in Fig. 2.We have focused on Eve’s success rate when a > / a < / | HH i vs. | V V i asymmetry exists in the initially pro-duced two-photon state and (ii) she is able to indepen-dently gauge the success of a small number of her guessesin order to decide whether or not to reverse her guessing E v e ' s s u cc e ss r a t e a correlation-basedprotocol: 10 25 50 100photons intercepted FIG. 2: Bitwise probability of successful secret identifica-tion by Eve, using a photon-number splitting attack on thecorrelation-based SQQSS protocol. Eve’s success rate isshown as a function of a , the probability of | HH i in theemitted entangled state (as filtered by Eve’s detection). Be-cause the calculation is symmetric in a and b = 1 − a , P (1 − a ) = P ( a ) can be used to give the probability ofsuccess for a < .
5. Eve’s success rates are shown for n = (10 , , , n is the number of photons de-tected in Eve’s apparatus for each qubit. An eavesdropperdetecting an asymmetric two-photon initial state with a goodsignal-to-noise ratio (points) achieves results in close agree-ment with theory (curves). strategy (a common tactic in codebreaking scenarios). IfEve can listen in on classical communications between thesecret-sharing participants, for instance, the runs usedfor checking error rate should allow her to determine thecorrect guessing strategy.It is clear that photon number splitting requires accessto many photons. For a = 0 .
6, measuring 100 photonsgives Eve a theoretical 78% success rate for determiningthe secret bit value. The attack is especially strong whena pulse of large, indefinite photon number must be sentfor each qubit.
B. Robustness of Entanglement-Based Protocol
The correlation-based protocol for type-I SPDC is par-ticularly vulnerable to our PNS attack because stateasymmetry of the type denoted by Eq. 9 with a = 1 / a =1 / | + x i and | − x i before the actions of the SQQSS partic-ipants. This can be seen quite simply by rewriting thestate in the {| + x i , | − x i} basis for each photon: | ψ , asymm i = a | HH i + p − a | V V i = 12 (cid:16) a + p − a (cid:17) ( | + x, + x i + | − x, − x i )(15)+ 12 (cid:16) a − p − a (cid:17) ( | + x, − x i + | − x, + x i ) . It can easily be seen from this expression that the signalphoton is found in | + x i
50% of the time and | − x i x basis, there would be a parallel PNS eavesdrop-ping attack, but asymmetries in the x basis are muchless likely simply because of the physical way in whichthe entangled pair is produced via SPDC. Therefore theentanglement-based protocol, while it makes the fidelityof the transmission more sensitive, also provides built-insecurity against common exploitations by an eavesdrop-per. IV. EXPERIMENTAL IMPLEMENTATIONA. Realization of Correlation-Based SQQSS
We now turn to implementations of both correlation-based and entanglement-based protocols with a secret
FIG. 3: (a) Experimental setup for the correlation-based pro-tocol. The sender is composed of the first 810-nm HWP alongwith the first YVO crystal. Additional YVO crystals are thephase-shifting recipients in the protocol. The idler polarizeris set to accept horizontal polarization, which projects thesignal photon into | H i at its entry into the SQQSS chain. (b)In the entanglement-based protocol, the idler polarizer is setto accept | + x i polarization, projecting the signal photon into | + x i at its entry into the SQQSS chain. The sender preparesthe state using just the first YVO crystal. sender and two recipients. An experimental schematicfor the correlation-based SQQSS is shown in Fig. 3. En-tangled photon pairs are produced via type-I degener-ate spontaneous parametric downconversion [26] in a pairof 0.5mm-thick BBO crystals pumped with a 50mW cwdiode laser at 405nm. A 405-nm half waveplate and atiltable quartz phase plate control the input pump beampolarization; these are set to prepare the initial entan-gled state of Eq. 1 for the signal and idler photons at810nm. The BBO crystals are cut at 29.15 ◦ for non-collinear downconversion, with the signal and idler at 3 ◦ from the pump beam path.A Glan-Thompson polarizer in the idler beam path al-lows selective detection of | H i for the idler photon. An810-nm half waveplate in the signal arm converts | H i to | + x i . Now the sender and two recipients apply phaseshifts ϕ j ∈ { , π/ , π, π/ } . Each phase shift is accom-plished using a 200-micron-thick uniaxial YVO crystal.The tilt of each crystal about a vertical axis is controlledto obtain the desired phase shift. A compensation YVO crystal corrects for time spreading between the polar-izations. The final recipient measures the signal photonpolarization in the | ± x i basis using an 810nm half wave-plate and a polarizing beamsplitter, sending signal pho-tons into one of two detectors. Signal and idler photonsare detected by coupling into multimode fibers en routeto single-photon counting modules and coincidence detec- A v e r age S e c r e t - S ha r i ng F i de li t y j j j FIG. 4: Experimentally observed fidelity, or probability of‘sharing’ the correct qubit, using the entanglement-based pro-tocol. Fidelity is displayed as a function of the phase-shiftingangle of each YVO phase plate, averaged over all settingsof the other YVO phase plates. The overall 13% qubit er-ror rate is well below the 25% rate for reliable detection ofcheaters. Variation of fidelity between phase plate settingsmatches predictions based on precision of phase plate tilting.The overall fidelity matches predictions based on phase spreadin the initial two-photon entangled state. tion with a time resolution of 4ns. The overall efficiencyof detection is approximately 2%. B. Realization of Entanglement-Based SQQSS
An experimental schematic for the entanglement-basedprotocol is shown in Fig. 3. The polarizer in the idlerarm is rotated to select | + x i idler polarization. The810nm half waveplate in the idler arm is no longer neces-sary, so the sender is realized entirely by the first tiltableYVO phase plate. All other aspects of the setup remainunchanged from the correlation-based experiment.To measure the rate of success in secret sharing, manyruns with different secret and shadow bits were car-ried out using automated experiment control and dataacquisition. For each run, secret and shadow bits, aswell as the auxiliary Class X/Y bits, were chosen ran-domly. The random number choices determined settingsfor the YVO crystals, which were tilted using software-controlled motorized rotation platforms. All measure-ments were done by counting coincidences between theidler channel and the two signal channels over a minimumtime interval of 0.1 s, limited by data acquisition tech-niques. Per-photon probabilities of detection were cal-culated, when necessary, from the observed coincidencerates.Observed success rates for the entanglement-based pro-tocol are shown in Fig. 4. The overall error rate of 13%is well below the 25% threshold for reliable detection ofcheaters, so secret-sharing has been realized in this im- c o i n c i den c e s / s e c ond idler pol. at: 0 o +45 o (b) FIG. 5: (a) Schematic for measuring purity (mixedness) oftwo-photon entangled state, due to uncompensated spread inphase φ of state √ ( | HH i + e iφ | V V i ). Coincidence countsbetween signal and idler photons are measured with the idlerlinear polarizer fixed at 0 ◦ or 45 ◦ ; a half waveplate in thesignal arm is rotated to change the linear polarization trans-mitted through the polarizing beamsplitter. (b) Coincidencecounts observed. Diminished fringe visibility with the idlerpolarizer at 45 ◦ gives a purity of 0.78 for the two-photon state,accounting for our observed secret-sharing error rate. plementation. Variations in success rate of 3-6% are ob-served from one set of phase plate settings to another.This variation is predicted from the limited precision oftilt angles for the YVO phase plate crystals.The imperfect 87% fidelity of secret sharing can be at-tributed to imperfect entanglement, or purity P <
1, ofour entangled state produced by SPDC. For our appa-ratus, the BBO crystal thickness and pump laser band-width produce a spread in phase between | HH i and | V V i components, so that our two-photon state is only par-tially entangled. Separate measurements of the entan-gled state (see Fig. 5) indicate a purity P = 0 .
78, orentangled-state fidelity F = 0 .
87 [27], consistent withthe 87% secret-sharing fidelity we measure in the exper-iment.
C. Eavesdropping
A maximal implementation of the photon numbersplitting attack is shown in Fig. 6. First, some fractionof the photons traveling through the apparatus would bepicked off through the use of a polarization-preservingbeamsplitter placed immediately after the first (sender)YVO phase plate. The picked-off photons would be di-rected into Eve’s polarization-analyzing detection appa-ratus. A 50-50 beam splitter (BS) sends half of the in-tercepted photons to be measured in the | ± x i basis andthe other half to be measured in the | ± y i basis. The FIG. 6: Ideal eavesdropping setup for photon number split-ting attack. Eve picks off a fraction of the transmitted pho-tons and measures half of them in the | ± x i basis, half ofthem in the | ± y i basis. If the correlation-based protocol isused, Eve can exploit an imperfectly prepared initial state todetermine the secret bit with better than random success. measurement in the | ± x i basis is done using a half-waveplate, polarizing beamsplitter, and two detectors. Themeasurement in the | ± y i basis is done using a quarter-wave plate, polarizing beamsplitter, and two detectors.Eve then counts the number of photons that entered eachdetector and guesses a secret bit based on the detectorregistering the most counts.To implement a photon number splitting attack exper-imentally, we simulated the success of the Fig. 6 eaves-dropper via a simplified experimental setup. Rather thanperforming SQQSS detection as well as simultaneous de-tection in two bases by Eve, we omitted the final SQQSSmeasurement and conducted measurements in each ofEve’s two bases at different times in the actual exper-iment.The modified eavesdropping schematic is shown inFig. 7. The 405-nm half waveplate was rotated to obtaindifferent values of a . The sender’s 810-nm half wave-plate was present for the correlation-based protocol only.Two of the three YVO crystals, left in place for con-venience, were held at a constant position to introducea phase shift of 0 ◦ . The first YVO crystal was tiltedto produce the four possible phase shifts introduced bythe sender. An 810-nm quarter waveplate at 45 ◦ allowedmeasurement in the | ± y i vs. | ± x i basis to be decidedby rotation of the final 810-nm half waveplate.To approximate an eavesdropper with perfect signal-to-noise on her polarization analysis, we measured thesignal photon in coincidence with the idler, but with noidler polarizer since the eavesdropper lacks access to theidler’s polarization information. Thus the coincidencedetection improved signal-to-noise problems due to back-ground light, but otherwise faithfully simulated an eaves-dropper’s action.A single run of the eavesdropping scheme consists of:tilting the sender phase plate, setting the eavesdropper FIG. 7: Experimental setup to simulate a photon numbersplitting eavesdropping attack on the correlation-based pro-tocol. The 405-nm HWP is rotated for different values of a in the initial state. The last two YVO crystals are heldat a constant position to give a phase shift of ϕ = 0. Foreavesdropping on the entanglement-based protocol, the first810-nm HWP is removed. Detection is carried out in coin-cidence with the idler photon to improve signal-to-noise, butno idler polarizer is used to simulate an eavesdropper with noaccess to idler state information. E v e ' s s u cc e ss r a t e entanglement-based protocol: 10 25 50 100photons intercepted FIG. 8: A plot of the success rate of an eavesdropper detecting n = 10, 25, 50, or 100 photons per qubit, for the entanglement-based protocol. Note the change of vertical scale from Fig. 2.Here the eavesdropper is no longer successful despite asymme-try in the initial two-photon state. The very small deviationsfrom 50% success can be attributed to imperfect alignment ofthe apparatus. half waveplate to collect count rates in |± x i for 50 s, andthen rotating the eavesdropper half waveplate to collectcount rates in | ± y i for 50 s. The observed count ratesfor each sender phase setting were then used as inputsto a Monte Carlo simulation of Eve’s success rate for asmall number of detected photons.Observed success rates for Eve are shown here for thecorrelation-based measurement (Fig. 2) and likewise forthe entanglement-based measurement (Fig. 8). The im-perfect entangled-state purity seen in Fig. 5 does notaffect eavesdropping success. Hence the experimentallyinferred success rates closely follow the theoretical pre-dictions discussed above. V. CONCLUSIONS
We have demonstrated two SQQSS protocols usingentangled photon pairs from type-I SPDC. A photon-number splitting attack on these protocols, exploitinglossy transmission and asymmetric state preparation, isdemonstrated. The entanglement-based scheme is robustagainst this attack while the correlation-based scheme isnot; this contrast illustrates the value of using quantumentanglement for security of communication.An imperfect entangled state (
P <
1) causes low-ered fidelity of secret-sharing for the entanglement-basedscheme. Specifically, in this work, P = 0 .
78, input statefidelity F = 0 .
87, leads to secret-sharing fidelity of 87%.Improved purity at the P ≈ .
95 level should be possi-ble in this apparatus with relatively minor modification,such as addition of a compensation BBO crystal in thepump beam to remove time/energy phase spread [28–30].Such an improvement should lead to a secret-sharing fi-delity of ≈ VI. ACKNOWLEDGMENTS
The authors thank M. Beck at Whitman College fordiscussions and much valuable information regardingexperimental apparatus, C. Schmid for correspondenceabout the correlation-based SQQSS scheme in type-IIdownconversion, and D.K. Koh for discussions of secret-sharing security. This work was supported by ResearchCorporation Cottrell College Science Grant No. 10598,and by the Beckman Foundation through Harvey MuddCollege. P.S. acknowledges support from the Fannie andJohn Hertz Foundation, R.R. acknowledges support fromthe Engman Foundation, and D.B. acknowledges supportfrom the R. C. Baker Foundation. [1] M. Hillery, V. Buˇzek, and A. Berthiaume, Phys. Rev. A , 1829 (1999).[2] D. Bouwmeester, J.-W. Pan, M. Daniell, H. Weinfurter,and A. Zeilinger, Phys. Rev. Lett. , 1345 (1999).[3] M. Eibl, N. Kiesel, M. Bourennane, C. Kurtsiefer, andH. Weinfurter, Phys. Rev. Lett. , 077901 (2004).[4] Z. Zhao, Y.-A. Chen, A.-N. Zhang, T. Yang, H. J.Briegel, and J.-W. Pan, Nature , 54 (2004).[5] H. H¨affner, W. H¨ansel, C. F. Roos, J. Benhelm, D. C.al kar, M. Chwalla, T. K¨orber, U. D. Rapol, M. Riebe,P. O. Schmidt, et al., Nature , 643 (2005).[6] C.-Y. Lu, X.-Q. Zhou, O. G¨uhne, W.-B. Gao, J. Zhang,Z.-S. Yuan, A. Goebel, T. Yang, and J.-W. Pan, NaturePhysics , 91 (2007).[7] C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer,M. ˙Zukowski, and H. Weinfurter, Phys. Rev. Lett. ,230505 (2005).[8] C. Schmid, P. Trojek, S. Gaertner, M. Bourennane,C. Kurtsiefer, M. ˙Zukowski, and H. Weinfurter, Fortschr.Phys. , 831 (2006).[9] C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer,M. ˙Zukowski, and H. Weinfurter, Phys. Rev. Lett. ,028902 (2007).[10] G. P. He and Z. D. Wang, Quantum Information andComputation , 28 (2010).[11] D. Mayers, J. ACM , 351 (2001).[12] G. Brassard, N. L¨utkenhaus, T. Mor, and B. C. Sanders,Phys. Rev. Lett. , 1330 (2000).[13] H.-K. Lo and N. L¨utkenhaus, quant-ph/0702202 (2007).[14] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy,Phys. Rev. A , 022320 (2006).[15] D. Rosenberg, J. W. Harrington, P. R. Rice, P. A.Hiskett, C. G. Peterson, R. J. Hughes, A. E. Lita, S. W.Nam, and J. E. Nordholt, Phys. Rev. Lett. , 010503 (2007).[16] T. Schmitt-Manderbach, H. Weier, M. F¨urst, R. Ursin,F. Tiefenbacher, T. Scheidl, J. Perdigues, Z. Sodnik,C. Kurtsiefer, J. G. Rarity, et al., Phys. Rev. Lett. ,010504 (2007).[17] Furthermore, this approximation always leads to a biasagainst Eve’s true chances of success, because ties be-tween | + x i and | + y i (which always result in the correctqubit) are more common than ties between | − x i and | − y i (which result in the incorrect qubit) as long as a > / , 908 (2005).[19] M. Avenhaus, M. V. Chekhova, L. A. Krivitsky,G. Leuchs, and C. Silberhorn, Phys. Rev. A , 043836(2009).[20] H. S. Poh, C. Y. Lum, I. Marcikic, A. Lamas-Linares,and C. Kurtsiefer, Phys. Rev. A , 043816 (2007).[21] Y. Kim and W. Grice, J. Mod. Opt. , 2309 (2002).[22] R. Erdmann, D. Branning, W. Grice, and I. A. Walmsley,Phys. Rev. A , 053810 (2000).[23] D. Branning, W. P. Grice, R. Erdmann, and I. A. Walm-sley, Phys. Rev. Lett. , 955 (1999).[24] H. S. Poh, J. Lim, I. Marcikic, A. Lamas-Linares, andC. Kurtsiefer, Phys. Rev. A , 043815 (2009).[25] J. F. Hodelin, G. Khoury, and D. Bouwmeester, Phys.Rev. A , 013802 (2006).[26] P. G. Kwiat, E. Waks, A. G. White, I. Appelbaum, andP. H. Eberhard, Phys. Rev. A , R773 (1999).[27] The fidelity of the experimental two-photon density ma-trix ρ with respect to the ideal two-photon pure state | Φ + i is defined as T r ( p √ ρ | Φ + ih Φ + |√ ρ ), and is analo-gous to the state overlap for the case of two pure states.[28] Y. Nambu, K. Usami, Y. Tsuda, K. Matsumoto, andK. Nakamura, Phys. Rev. A , 033816 (2002). [29] J. B. Altepeter, E. R. Jeffrey, and P. Kwiat, Optics Ex-press , 8951 (2005).[30] R. Rangarajan, M. Goggin, and P. Kwiat, Optics Express17