Quantum direct communication protocols using discrete-time quantum walk
QQuantum direct communication protocols using discrete-time quantum walk
Srikara S and C. M. Chandrashekar
2, 3, ∗ Indian Institute of Science Education and Research, Pune-411008, India The Institute of Mathematical Sciences, C. I. T. Campus, Taramani, Chennai 600113, India Homi Bhabha National Institute, Training School Complex, Anushakti Nagar, Mumbai 400094, India
Quantum walk spread in superposition of position space and entangles walker with the positionspace providing an inherent quantum advantage for communication protocols. Here we proposetwo quantum direct communication protocols, a Quantum Secure Direct Communication (QSDC)protocol and a Controlled Quantum Dialogue (CQD) protocol using discrete-time quantum walkon a cycle. The proposed protocols have been shown to be unconditionally secure against variousattacks such as the intercept-resend attack, the denial of service attack and the man-in-the-middleattack. Additionally, the proposed CQD protocol is shown to be unconditionally secure againstan untrusted service provider and both the protocols are shown more secure against the interceptresend attack as compared to the qubit based LM05 protocol.
I. INTRODUCTION
The research in quantum cryptography, which first started off with the BB84 quantum key distribution (QKD)protocol [1] was later followed up with the design and the study of various different novel QKD schemes [2–4]. Theseprotocols were designed to securely generate a secret key between two parties, which would then be used to encodethe message via a one-time pad. Most of the research in quantum cryptography was concentrated on QKD, untilduring 2003-05, when two new protocols were introduced [5, 6]. In these protocols, the message was directly encodedinto the quantum resources without the requirement of a key. These protocols were called Quantum Secure DirectCommunication (QSDC) protocols. In 2004, a two-way quantum direct communication protocol was introduced, calledthe quantum dialogue(QD) [7]. Unlike QSDC protocols where the communication is just one way, in QD protocolsboth the parties interact with each other i.e., the communication is two way. This quantum dialogue protocol wasextended to a controlled quantum dialogue protocol (CQD), in which a third party provides the quantum servicesfor communication [8]. The QSDC, QD and the CQD protocols have shown that an unconditionally secure quantumcommunication can be achieved even without a key.In 1993, the concept of quantum walks was introduced [9]. Quantum walks are the quantum analogues of classicalrandom walks. Unlike classical random walks where the walker is at just one deterministic position at a given time,in quantum walks, the walker can be at multiple positions at the same time, i.e., in superposition of position space.The tossed quantum coin that decides the movement of the walker, can also be at a superposition of head andtails. These unique features of quantum walks can help traverse multiple positions faster, a feature which has beenexploited in the design of various quantum search algorithms [10]. Quantum walks have also been used for studyingand describing various quantum phenomena [11, 12] and also in the study and design of quantum networks [13].surprisingly, the usage of quantum walks for the purposes of cryptography and secure communication has largely beenunexplored, except for a few designs of QKD protocols [14] and public key cryptosystems [15]. In this work, we delveinto an unexplored cryptographic potential of quantum walks, which is the quantum direct communication. Using thediscrete-time quantum walk on a cycle, we propose two new protocols for QSDC and CQD and show the unconditionalsecurity they provide against various attacks such as the intercept-resend attack, the denial of service attack and theman-in-the-middle attack. We also show that the proposed CQD protocol provides unconditional security against anuntrusted service provider and both the protocols are more secure against the intercept resend attack as compared tothe qubit based LM05 protocol.This paper is structured as follows: In section II, we introduce the preliminary concepts of discrete-time quantumwalk on a cycle required to understand the protocols proposed in section III. In section IV, we discuss the securityof the proposed protocols against various attacks. In section V, we conclude with our remarks. In the Appendix, weprovide relevant background details that can be referred to if required. ∗ Electronic address: [email protected] a r X i v : . [ qu a n t - ph ] A p r II. DISCRETE-TIME QUANTUM WALK ON A CYCLE - PRELIMINARIES
Quantum walks are a quantum analogue of the classical random walks. In discrete-time quantum walk on an N -cycle, the walker moves along N discrete points on a cycle [16], which are represented by N dimensional quantumstates | x (cid:105) , orthogonal to each other and belonging to the Hilbert space H p where H p = span {| x (cid:105) , x ∈ { , , , ..., N − }} . .During each step of the discrete-time quantum walk, the walker moves one position either to his left or to his rightbased on the result ( | (cid:105) or | (cid:105) ) of the quantum coin, which is given by a two dimensional quantum state | c (cid:105) belongingto the Hilbert space H c where H c = span {| (cid:105) , | (cid:105)} . If the walker is in superposition of the coin sate, it will move to both, left and right simultaneously, creating a statewhich is in superposition in position space. Thus, the initial state of the walker starting at position x in and with aninitial coin state | c in (cid:105) can be considered to be in superposition of the two allowed basis states given by | Ψ in (cid:105) = | x in (cid:105) ⊗ | c in (cid:105) = | x in (cid:105)| c in (cid:105) ; | x in (cid:105) ∈ H p ; | c in (cid:105) ∈ H c . (1)The dynamics of the walker during each step of the walk is governed by the action of the unitary operator, acomposition of a quantum coin operation on the coin space followed by a conditioned position shift operation on thecomplete Hilbert space [17–19], U = U ( θ, ξ, ζ ) = S ( I p ⊗ R c ) . (2)Here I p is the identity operator on position space and the quantum coin operation, R c = R c ( θ, ξ, ζ ) = (cid:20) e iξ cos θ e iζ sin θe − iζ sin θ e − iξ cos θ (cid:21) . (3)In simpler cases, when ζ = ξ = 0 or fixed to a specific value, R c ( θ, ξ, ζ ) = R c ( θ ) is the coin operator on the coin space.The shift operator on H = H p ⊗ H c , which shifts the position of the walker in the direction which is determined bythe coin state is given by S = N − Σ x =0 ( | x −
1( mod N ) (cid:105)(cid:104) x | ⊗ | (cid:105)(cid:104) | + | x + 1( mod N ) (cid:105)(cid:104) x | ⊗ | (cid:105)(cid:104) | ) . (4)The state after t steps of the walk on an N − cycle in general will be in the form, | Ψ t (cid:105) = U t | Ψ in (cid:105) = N (cid:88) x =1 (cid:16) α x,t | (cid:105) + β x,t | (cid:105) (cid:17) ⊗ | x (cid:105) (5)and the probability of finding the walker at any position x after t steps of walk will be P ( x, t ) = | α x,t | + | β x,t | .In addition to the quantum walk evolution operator, we will also define the translation operator and measurementoperator which will be needed for QSCD and CQD protocols. The translation operator is defined on the space H p inthe form given by T ( y ) = N − Σ x =0 | x + y ( mod N ) (cid:105)(cid:104) x | (6)and the measurement operator M is defined on the entire space H in the form given by M = M p ⊗ M c where M p = N − Σ x =0 | x (cid:105)(cid:104) x | and M c = Σ c =0 | c (cid:105)(cid:104) c | . (7)Note that [ T ( y ) , U ] = 0 i.e., T ( y ) and U commute with each other [15]. III. THE PROTOCOLS
The extent of spread of the discrete-time quantum walk in position space is mainly governed by the parameter θ in the quantum coin operation [18, 19]. Therefore, in this paper we will keep only the coin parameter θ as a variableparameter while keeping the parameters ξ and ζ constant throughout the protocols. Here we first present the encodingscheme, and then we present the protocols for QSDC and CQD. Schematic representation of the protocols for QSDCand and CQD are presented in Fig. 1 and Fig. 2, respectively. In both the figures, the “random path switcher” is adevice that switches the path of the quantum channel so as to move a particular state into encoding the message orinto checking eavesdropping, similar to using a physical lever that is used for changing the railway tracks. A. Encoding of the message
The message m (or a part m of the total message) is encoded on a discrete-time quantum walk state | φ (cid:105) = (cid:80) i | x i (cid:105)| c i (cid:105) by applying the translation operator T ( m ) on | φ (cid:105) , resulting in the state T ( m ) ⊗ I c | φ (cid:105) = (cid:80) i | x i + m (cid:105)| c i (cid:105) . B. Discrete-time quantum walk based QSDC protocol
1. Alice prepares n discrete-time quantum walk states. To prepare n quantum walk states, Alice randomly chooses3 n integers { t , t , ..., t n } , { x , x , ..., x n } and { c , c , ..., c n } such that x i ∈ { , , , ..., N − } , c i ∈ { , } and t i ∈ N ∪{ } ∀ i ∈ { , , ..., n } and n random real numbers { θ , θ , ..., θ n } such that θ i ∈ [0 , π ]. Thus, she prepares n discrete-time quantum walk states [ U ( θ i )] t i | x i (cid:105)| c i (cid:105) = U t i | x i (cid:105)| c i (cid:105) ∀ i ∈ { , , ..., n } and sends these states toBob. (In the rest of this and the next protocol, we will refer to [ U ( θ i )] as U ).2. On receiving the walk states from Alice, Bob randomly chooses n/ i to Alice. Alice classically sends to Bob the correspondingvalues of t i , x i , c i , and θ i . Bob applies the corresponding operation U − t i on those states, measures them andchecks the measurement result with the value of x i and c i . If the error is within a tolerable limit, he continuesto step 3. Otherwise, the protocol is aborted and they will start the protocol all over again.3. Out of the remaining n/ n/ n/ m i by applying the translation operator T ( m i ) ⊗ I c . He does nothingto the other n/ n/ U − t i on the decoy states and checks for eavesdropping just likehow Bob does it in step 2.5. Once no eavesdropping is confirmed, Alice then applies U − t i on the remaining n/ FIG. 1: Schematic diagram of the discrete-time quantum walk based QSDC protocol. The bold arrow lines represent quantumchannels whereas the dotted arrow lines represent classical channels
C. Discrete-time quantum walk based CQD protocol
1. Charlie prepares n discrete-time quantum walk states. To prepare n quantum walk states, Charlie randomlychooses 3 n integers { t , t , ..., t n } , { x , x , ..., x n } and { c , c , ..., c n } such that x i ∈ { , , , ..., N − } , c i ∈ { , } and t i ∈ N ∪ { } ∀ i ∈ { , , ..., n } and n random real numbers { θ , θ , ..., θ n } such that θ i ∈ [0 , π ]. He prepares n quantum walk states [ U ( θ i )] t i | x i (cid:105)| c i (cid:105) = U t i | x i (cid:105)| c i (cid:105) ∀ i ∈ { , , ..., n } and sends these states to Alice.2. On receiving the walk states, Alice randomly chooses n/ i to Charlie. Charlie classically sends to Alice the corresponding values of t i , x i , c i , and θ i . Alice applies the operation U − t i on those states and measures them and checks the measurementresult with the value of x i and c i . If the error is within a tolerable limit, Alice continues to step 3. Otherwise,the protocol is aborted and they restart the protocol from the beginning.3. Out of the remaining n/ n/ n/ a i by applying the translation operator T ( a i ). She does nothingto the other n/ k and coin parameter θ r , applies [ U ( θ r )] k on all the n/ θ r and k and the coordinatesof the decoy states. Charlie, upon receiving the announcement, sends the t i , x i , c i , and θ i values of the decoystates to Bob. Bob then applies the corresponding operator U − t i [ U ( θ r )] − k on the decoy states and checks forthe presence of Eve just like how Alice does it in step 2.5. Meanwhile, Bob encodes his message b i on the remaining message states by applying the translation operator T ( b i ). Once he confirms the absence of eavesdropping, Charlie sends the t i , x i , θ i and c i values of the messagestates to Bob. Bob applies the operator U − t i on the message states, measures them and publicly announcesthe measurement results a i + b i . Alice and Bob subtract a i and b i respectively from their results to obtain eachothers’ messages. FIG. 2: Schematic diagram of the discrete-time quantum walk based CQD protocol. The bold arrow lines represent quantumchannels whereas the dotted arrow lines represent classical channels.
IV. SECURITY
In this section, we analyse the security of our protocol against various attacks, namely the intercept-resend attack,the denial of service attack, man-in-the-middle attack, and the attack by an untrusted Charlie.
A. Intercept-and-resend attack
In this attack, Eve intercepts the quantum channel and tries to extract information from the incoming state bymeasuring it. Then, she re-prepares the appropriate state (based on the information she receives) and sends it to thereceiver. Our protocols are robust against this attack. This is due to the fact that the discrete-time quantum walkstates are usually superposition states where the position and the coin Hilbert spaces are usually entangled. Hence,Eve can’t determine the incoming state by measurement alone. Instead of directly measuring the state, Eve can apply U − t i and then measure the state. But this attack also cannot be performed by Eve because the value of t i will beonly known to Alice at the time of attack. If Eve attempts to perform this attack, she will raise the error during theeavesdropping checking of the control mode states, and hence will be caught.
1. Mutual Information between Alice and Eve
In practical scenarios, Alice can choose her parameters t i , x i , c i , and θ i only from a finite set or a finite range ofvalues. Hence, the amount of mutual information I AE gained between Alice and Eve during the intercept-resendattack is dependent upon the size of these sets and ranges. The higher the mutual information, the more will beknown by Eve about the state sent by Alice, thus making the protocol less secure. Let us consider a practical scenariowhere Alice can choose: • t i from the set T containing n ( T ) integers (from 0 to n ( T ) − • x i from the set X = { , , , ..., N − } (set of N values), N being the dimension of the position space • c i from the set C = { , } (set of 2 values) • θ i from the range R θ = [ θ min , θ max ]Let us say, that for a particular round of transmission, Alice chooses the values t A ∈ T , x A ∈ X , c A ∈ C , and θ A ∈ R θ and prepares the state | ψ A (cid:105) = [ U ( θ A )] t A | x A (cid:105)| c A (cid:105) . Now Eve can perform the intercept-resend attack in two ways,1. directly measure the incoming state to obtain the position and coin values x E and c E respectively (Let us callthis strategy IR1) , or2. randomly choose the values t E ∈ T , x E ∈ X , c E ∈ C , and θ E ∈ R θ and perform the operation [ U ( θ E )] − t E | ψ A (cid:105) and then measure the position and coin values of the resulting state in order to obtain the values x E and c E respectively (let us call this strategy IR2).Let us now examine IR2. We can consider t A , x A , c A , t E , x E , c E , θ A , and θ E as uniformly distributed random vari-ables, where t A , x A , c A , t E , x E , c E are discrete and θ A and θ E are continuous. Now, for IR2, the mutual information I AE between Alice and Eve is given by, I AE = (cid:88) t E ∈ T (cid:88) x E ∈ X (cid:88) c E ∈ C (cid:88) t A ∈ T (cid:88) x A ∈ X (cid:88) c A ∈ C θ max (cid:90) θ A = θ min θ max (cid:90) θ E = θ min p ( t A , x A , c A , t E , x E , c E , θ A , θ E ) log p ( t A , x A , c A , t E , x E , c E , θ A , θ E ) p ( t A ) p ( x A ) p ( c A ) p ( t E ) p ( x E ) p ( c E ) p ( θ A ) p ( θ E ) dθ A dθ E , (8)where p ( a , a , ..., a n ) is the joint probability distribution-mass function of the random variables a , a , ..., a n where a i ∈ { t A , x A , c A , t E , x E , c E , θ A , θ E } .For IR1, the mutual information I AE between Alice and Eve is given by, I AE = (cid:88) x E ∈ X (cid:88) c E ∈ C (cid:88) t A ∈ T (cid:88) x A ∈ X (cid:88) c A ∈ C θ max (cid:90) θ A = θ min p ( t A , x A , c A , x E , c E , θ A ) log p ( t A , x A , c A , x E , c E , θ A ) p ( t A ) p ( x A ) p ( c A ) p ( x E ) p ( c E ) p ( θ A ) dθ A . (9)The above formulas of I AE and I AE contain 1 and 2 integrals respectively. Due to lack of access to good computingpower to calculate I AE and I AE , we modify the protocol for the purpose of analysis of this attack, by keeping allthe coin parameters, including θ constant and publicly known throughout the protocol, thus reducing the number ofsecret parameters and avoiding the integrals. Now, the revised formulas for I AE and I AE will be I AE = (cid:88) t E ∈ T (cid:88) x E ∈ X (cid:88) c E ∈ C (cid:88) t A ∈ T (cid:88) x A ∈ X (cid:88) c A ∈ C p ( t A , x A , c A , t E , x E , c E ) log p ( t A , x A , c A , t E , x E , c E ) p ( t A ) p ( x A ) p ( c A ) p ( t E ) p ( x E ) p ( c E ) (10)and I AE = (cid:88) x E ∈ X (cid:88) c E ∈ C (cid:88) t A ∈ T (cid:88) x A ∈ X (cid:88) c A ∈ C p ( t A , x A , c A , x E , c E ) log p ( t A , x A , c A , x E , c E ) p ( t A ) p ( x A ) p ( c A ) p ( x E ) p ( c E ) (11)where p ( t A , x A , c A , t E , x E , c E ) = ‘12 N [ n ( T )] ( (cid:104) x E |(cid:104) c E | U − t E U t A | x A (cid:105)| c A (cid:105) ) , (12) p ( t A , x A , c A , x E , c E ) = ‘12 N [ n ( T )] ( (cid:104) x E |(cid:104) c E | U t A | x A (cid:105)| c A (cid:105) ) (13)and p ( a i ) = (cid:88) a , ,a ,...,a i − ,a i +1 ,...,a n p ( a , a , ..., a n ) (14)where a j ∈ { t A , x A , c A , t E , x E , c E } and U = U ( θ ) where θ is the publicly known coin parameter throughout theprotocol. We can see that I AE and I AE are a function of n ( T ) and N , and also depend on the fixed coin parameter θ . FIG. 3: (a) Mutual Information I AE vs coin parameter θ for N = 3 , n ( T ) = 7. (b) Mutual Information I AE vs the cycle length N for n ( T ) = 7 , θ = π . The variation of I AE with θ is periodic with period π with the peaks at even multiples of π andminimum at odd multiples of π . The variation of I AE with N is fluctuating in the beginning, but later steadily increases. Forboth the plots, the coin parameters ζ and ξ were set to a fixed value π . In Fig. 3(a), we can see that I AE is at its lowest when θ is an odd multiple of π and is at its highest ( I AE = 1) when θ is an even multiple of π . Hence, for θ equal to even multiples of π , the security of the protocol will be compromised.This is consistent with the discrete-time quantum walk dynamics, for θ being even multiples of π , the walk will eitherbe localized around the origin or will be ballistic without being in superposition of more than two position space ata time [18, 19]. We can infer that the degree of spread of the walker in position space gives an enhanced security tothe protocol. In Fig. 3(b), we can see that for odd N , I AE increases with increase in N , whereas for even N , I AE initially decreases with N , but then increases. In Fig. 4, we see that I AE decreases with n ( T ) and its value is greaterfor even N than for odd N . In fact, for odd N , the I AE drops much below 0.5 (which is the I AE value for the LM05protocol (see appendix)) for large n ( T ), and in fact is less than 0.25 for n ( T ) >
25. From Fig. 4(b) and Fig. 3, wecan see that I AE > I AE , implying that that IR2 is a better strategy for Eve than IR1 for odd N . This shows that,for an odd, low value of N , and a high value of n ( T ), and θ being an odd multiple of π , our discrete-time quantumwalk protocols are more secure against the intercept-resend attack than the LM05 protocol (whose I AE = 0 . B. Denial of Service attack
Instead of trying to extract information from the incoming state, Eve can rather perform a denial-of-service attacki.e., she can just stop the incoming state from going forward and can instead prepare and send a random discrete-timequantum walk state. This attack also cannot be performed by Eve because if she does so, she introduces an addederror and noise into the channel and hence the eavesdropping checking performed by the sender and the receiver ateach quantum channel will detect Eve.
FIG. 4: Mutual Information I AE vs n ( T ) for (a) N = 4 and (b) N = 3. The dash-dotted line (magenta coloured in online andcolour-printed versions) represents the I AE for one channel of the LM05 protocol, which is the same as the I AE for the BB84protocol. In both the figures, I AE decreases with n ( T ), thus increasing security of the protocol with increase in n ( T ). For boththe plots, the coin parameters θ, ζ and ξ were set to a fixed value π . C. Man-in-the-middle attack
Let’s consider the QSDC protocol. In this attack, Eve initially puts the incoming state from Alice into her quantummemory. Then, she sends her own walk state to Bob. Bob, assuming that Alice may have sent this state, encodeshis message on this state and sends it back to Alice. Eve intercepts that channel also and reads the message. Shethen encodes the message onto the Alice’s state which she had earlier stored in her quantum memory and sends itback to Alice, thus being able to read the message. Eve can perform a similar kind of attack in the CQD protocol toobtain the message of one of the two communicating parties. In both cases of this attack, Eve will be detected by thecommunicating parties during eavesdropping checking. Hence both our protocols are unconditionally secure againstthis attack.
D. Attack by an untrusted Charlie
Let us consider the QDC protocol. In this attack, Charlie intercepts the Alice-Bob channel, applies U − t i on theincoming state and obtains Alice’s message by measuring the state. Then, he re-prepares the state and sends it toBob. Then when Bob encodes his message b i and announces the value a i + b i , Charlie can then get Bob’s messageas well. But our QDC protocol is robust against this attack because as Alice applies an additional [ U ( θ r )] k to thestates, Charlie will not know the value of θ r or k and hence he cannot apply [ U ( θ r )] − k to retrieve the state. V. CONCLUSION
The unique features of discrete-time quantum walks such as spreading the quantum state in superposition of positionspace and entanglement generation between the position and the coin states has an immense unexplored potentialfor quantum security for communication and cryptographic protocols. In this work, we have explored its potentialfor providing cryptographic security by proposing two new protocols, a one-way two-party Quantum Secure DirectCommunication (QSDC) protocol and a two-way three-party Controlled Quantum Dialogue (CQD) protocol. We haveshown that the proposed protocols are unconditionally secure against various attacks, such as the intercept-resendattack, the denial of service attack and the man-in-the-middle attack. The CQD protocol, in particular, is shown tobe secure against an attack by an untrusted Charlie. Also, for the intercept-resend attack, the mutual informationgained between Alice and Eve is shown to be much lower for the proposed protocols as compared to the qubit basedprotocols such as the LM05 protocol [6], thus making the proposed protocols more secure than LM05 against thisattack. Also, unlike the qubit based protocols which transfer just one bit per state, the proposed protocols cantransfer multiple bits per state [20], which can possibly lead to advantages such as faster transmission of messages anda lower requirement of resources (both subject to practical/experimental conditions). These direct communicationschemes could potentially lead to secure feasible solutions for many social and economic problems such as the socialistmillionaire problem [21], quantum E-commerce [22], quantum voting [23] and the work towards finding these potentialsolutions is to be attempted in the future.
Acknowledgments
SS and CMC would like to thank Department of Science and Technology, Government of India for theRamanujan Fellowship grant No.:SB/S2/RJN-192/2014. We also acknowledge the support from Interdisci-plinary Cyber Physical Systems (ICPS) programme of the Department of Science and Technology, India, GrantNo.:DST/ICPS/QuST/Theme-1/2019/1.
AppendixLM05 Protocol
This qubit based protocol was introduced in [6]. In this protocol, the encoding rules for the message sender is asfollows:To encode the bit 0, do nothing to the incoming qubit.To encode the bit 1, apply the operator iY = ZX on the incoming qubit. The transformations are as follows: iY | (cid:105) = −| (cid:105) iY | (cid:105) = | (cid:105) iY |±(cid:105) = ±|∓(cid:105) The protocol is as follows:1. Alice chooses n random qubits from the set {| (cid:105) , | (cid:105) , | + (cid:105) , |−(cid:105)} and sends them to Bob.2. Out of these n qubits received from Alice, Bob randomly chooses n/ n/ n/ n/ n/ n/ n/ n/ Mutual Information
Let us take two random variables, say x and y . The mutual information I XY between two random variables x and y is the decrease in uncertainty of one random variable when the value of the other random variable is observed,measured or determined. If x and y are discrete, the formula for I XY is given by [24] I XY = (cid:88) x (cid:88) y p ( x, y ) log p ( x, y ) p ( x ) p ( y ) (15)0where p ( x, y ) is the joint probability mass function and p ( x ) and p ( y ) are the individual probability mass functions.If x and y are continuous, then the formula for I XY is given by I XY = (cid:90) x (cid:90) y p ( x, y ) log p ( x, y ) p ( x ) p ( y ) dxdy (16)Where p ( x, y ) is the joint probability density function and p ( x ) and p ( y ) are the individual probability densityfunctions.There can also be a case where one of the random variables is discrete and the other is continuous. For example, if x is discrete and y is continuous, then the formula for I XY becomes I XY = (cid:88) x (cid:90) y p ( x, y ) log p ( x, y ) p ( x ) p ( y ) dy (17)where p ( x ) is the probability mass function of x , p ( y ) is the probability density function of y and p ( x, y ) is a functionthat is a probability density-mass function that is discrete in x and continuous in y .This concept of mutual information can also be generalized to r = mn > { x , x , ..., x m } and { y , y , ..., y n } where x i are discrete and y i are continuous. The generalised mutual information I mutual is given by[24] I mutual = (cid:88) x ,x ,...,x n (cid:90) y ,...,y n p ( x , x , ..., x m , y , y , ..., y n ) log p ( x , x , ..., x m , y , y , ..., y n ) p ( x ) p ( x ) ...p ( x m ) p ( y ) p ( y ) ...p ( y n ) dy dy ...dy n . (18) Mutual Information for the intercept-resend attack for the LM05 protocol:
Let us consider the first transmission from Alice to Bob. In this transmission, Alice first selects either of the fourstates and prepares them and sends them to Bob. Eve intercepts this channel before the state reaches Bob andrandomly chooses a basis for each incoming state and measures the state in that basis. Let a, e ∈ { , , + , −} . Letthe probability of Alice sending the qubit a and Eve receiving the qubit e be p ( a, e ). For example, the probability p (0 ,
0) is p (0 ,
0) = probability of Alice choosing × probability of Eve choosing the computational Z basis × probability of Eve getting . (19)Similarly, p (0 ,
1) = 14 × × , (20) p (0 , +) = 14 × ×
12 = 116 , (21) p (0 , − ) = 14 × ×
12 = 116 , (22)and similar probabilities for p (1 , e ) , p (+ , e ), and p ( − , e ) , where e ∈ { , , + , −} Hence, the mutual information I AE for the LM05 protocol is given by I AE = (cid:88) a (cid:88) e p ( a, e ) log p ( a, e ) p ( a ) p ( e ) (23)1= 4( log + log + log ) = 0 . a and e , p ( a ) = p ( e ) = . Hence, p ( a ) p ( e ) = ))