Security Significance of the Trace Distance Criterion in Quantum Key Distribution
aa r X i v : . [ qu a n t - ph ] N ov SECURITY SIGNIFICANCE OF THE TRACE DISTANCECRITERION IN QUANTUM KEY DISTRIBUTION
Horace P. Yuen ∗ Department of Electrical Engineering and Computer Science andDepartment of Physics and Astronomy,Northwestern University, Evanston, IL 60208
Abstract
The security significance of the trace distance security criterion d is analyzed in terms of oper-ational probabilities of an attacker’s success in identifying different subsets of the generated key,both during the key generation process and when the key is used in one-time pad data encryptionunder known-plaintext attacks. The difference between Eve’s sequence error rate and bit error rateis brought out. It is shown with counter-examples that the strong security claim maintained in theliterature is incorrect. Other than the whole key error rates that can be quantified at the levels d / and d / which are much worse than d itself, the attacker’s success probabilities in estimating vari-ous subsets of the key and in known-plaintext attacks are yet to be quantified from d if possible. Itis demonstrated in realistic numerical examples of concrete protocols that drastic breach of securitycannot yet be ruled out. ∗ Electronic address: [email protected] . INTRODUCTION In quantum key distribution (QKD) there have been many proofs offered on the “uncondi-tional security” of various protocols of the BB84 variety. For a recent review see [1]. Securityis a serious matter which cannot be established experimentally in contrast to most problemsin science and technology, if only because the possible different attacks are unlimited. Asystematic examination of fundamental security analysis, as opposed to practical imperfec-tions, will be offered of which this paper constitutes the first and is concerned with securitycriteria, their empirical meanings and the quantitative levels needed for meaningful security.Without them the term “unconditional” or whatever security would be empty and in factmisleading. It will be shown that, in contrast to the prevalent claims in the literature, QKDsecurity has not yet been properly quantified.Until 2004-2005 and often till recently, the security criterion adopted is the attacker Eve’squantum accessible information ( I ac ) on the generated key K , which is the maximum mutualinformation Eve has on K from a measurement on her probe she may set on the quantumsignals transmitted during the key generation process. Security of K during key generationbefore it is actually used is called “raw security” [2], to distinguish it from “compositionsecurity” when K is actually used in an application for which Eve may possess additionalinformation related to K . In particular, when K is used for data encryption, part of K may be known to Eve in a known-plaintext attack (KPA) to help her get at the rest of K and thus the rest of the encrypted data. KPA can be simply represented when K isused in the one-time pad format, in which some bits among the n -bit K are known to Eve.KPA security is necessary for security because that is the major weakness of conventionalsymmetric-key ciphers QKD purports to overcome. Indeed, there is otherwise no need for2KD since its achievable raw security is worse in a precise sense [2] than that of conventionalciphers in which the key is typically totally hidden by uniform random data. The securityunder discussion is information theoretic and symmetric key cipher, not RSA, is the propercomparison with QKD since a shared secret key is needed for both in an information theoreticcontext.It was claimed in [3] that an exponentially small (in n ) I ac would guarantee universal com-position security and that such is the case obtained in prior security proofs, while suggestingalso a trace distance criterion, often denoted by “ d ” which we adopt, is a better criterion towork with. In [4] it was shown from quantum information locking that mere exponentiallysmall I ac does not imply KPA security. The small leak in [4] is enlarged to a “spectacularfailure” of the I ac criterion in [5]. At present, d is the only basis of QKD unconditionalsecurity claim including the use of privacy amplification [1, 6, 7].However, the precise security claim associated with d has not been quantitatively spelledout while various paraphrases in words without mathematical expression are given for verystrong security claims on behalf of d . In [2] the errors of some such interpretations arepointed out, but there are other possible interpretations that appear to support such claimswhich still persist. To settle this fundamental security issue, in the following we will exam-ine all such interpretations one may infer from the various wordings in the literature andgive them precise mathematical expressions. They are found to be either incorrect or tooweak to support the claimed security. Generally, Eve’s optimal sequence error rate on K is only bounded by d / and her bit error rate is bounded from by d / , while her errorrates on subsets of K are not quantified. In the process, we also identify the empiricallymeaningful criteria of security that guarantee fundamental security. It will be demonstrated3hat disastrous breach of security is not ruled out with practically achievable levels of d fromconcrete protocols, even though that is very unlikely with probability bounded by d underthe prevalent incorrect interpretation. II. THE CRITERION d AND ITS INTERPRETATIONS
During key generation Eve sets her probe and the protocol goes forward. After privacyamplification the final key K is generated with corresponding “prior probability" p ( k ) andprobe state ρ kE on each k . Let ρ = X k p ( k ) | k i h k | (1)for N orthonormal | k i ’s in space H K , N = 2 n . Let ρ E = X k p ( k ) ρ kE (2) ρ KE = X k p ( k ) | k i h k | ⊗ ρ kE (3)The criterion d is defined to be d ≡ k ρ KE − ρ U ⊗ ρ E k (4)where ρ U is given by (1) with p ( k ) = U ( k ) for the uniform random variable U . It can be4eadily shown (similar to Lemma 2 in [6]) that d = 12 X k k p ( k ) ρ kE − N ρ E k (5)A key K with d ≤ ǫ is called “ ǫ -secure”, as it has been forced by privacy amplification to be ǫ -close to U . But what is the operational meaning of d ≤ ǫ ?The major interpretation that has been given to d ≤ ǫ which has lent it a strong securityinterpretation has two slightly different versions, to be called (i) and (ii) in the following:(i) “The real and the ideal setting can be considered to be identical with probability atleast 1- ǫ ." [4, 6](ii) The parameter ǫ can be understood as the “maximum failure probability” [1, 8, 9] ofthe real protocol, “where ‘failure’ means that ‘something went wrong’, e.g., that anadversary might have gained some information on K ” [8].In [2] the interpretation (i) is shown to be incorrect in that the real and the ideal settingare actually different with probability from the given mathematical representation. Wenow give a precise mathematical representation of (ii), namely, Eve’s real performance P r (the bigger the better for her) in an attack of any kind can be better than that of P i , theperformance of the ideal uniform K case, by a probability no more than ǫ , i.e., Pr[ P r > P i ] ≤ ǫ (6)The probability in this case is obtained when Eve makes a measurement, as opposed to (i)which involves the setting before any measurement. This intended probability interpretationof ǫ is also utilized explicitly in [9] to derive composition security under d .5he justification for (ii) is the same as for (i), namely the interpretation of Lemma 1 in[6] that the variational distance v ( P, Q ) , ≤ v ≤ , between two distributions P and Q onthe same sample space “can be interpreted as the probability that two random experimentsdescribed by P and Q , respectively, are different”. This interpretation is derived from Lemma1 that asserts the existence of a joint distribution which gives marginals P and Q and forwhich the results of the two random experiments differ with just probability v ( P, Q ) . It waspointed out [2, 10] that there is no reason to expect there is such a joint distribution in force.However, the contrary belief is still widespread.Thus, two more reasons why this would not work are now given, to be followed by specificcounter-examples. First, even if such joint distribution is in force it is not represented inthe mathematical formulation, which just treats P and Q as independent. Furthermore,if it is introduced explicitly then whether the measurement result is close to that from U is irrelevant since Eve can learn about K through the joint distribution, i.e., the claimedconclusion still does not follow. In fact counter-example would result, classically or quantummechanically, whenever knowing parts of K reveals the rest for certainty such as in the caseof information locking.For an explicit simple example, consider a two-bit K with k = k k for two bits k and k with uniform a priori probability. Let | i i , i ∈ − be the four BB84 states on a qubitwith h | i = h | i = 0 . Let the states be ρ E = | i | i , ρ E = | i | i ρ E = | i | i , ρ E = | i | i (7)Thus, k is locked into the second qubit through k and is unlocked by measuring on the 1-36r 2-4 basis given the knowledge of k . The protocol then fails for sure but d is not given by1, which never happens in any protocol since that requires ρ kE and ρ E to be orthogonal.To give a raw security example with large “failure probability”, consider the distributionupon a measurement result with P i = ǫN for i ∈ − N and P i = − ǫN for i ∈ ( N + 1) − N sothat v ( P, U ) = ǫ . Then Eve gains “information” compared to the ideal case with probability , not ǫ . What happens, of course, is that no “joint distribution” other than the product oneis included in the mathematical formulation, and conceptually ǫ is not an event probabilitythough it may be the difference of two event probabilities. Although the information gained inthis counter-example is small, it clearly shows that variational distance is not the probabilitythat information is leaked.There is another interpretation:(iii) “Distinguishability advantage” between the real and the ideal protocols is bounded by ǫ [3].The distinguishability advantage that is referred to here is the trace distance (4) between the“real” and the “ideal” situations. From binary quantum decision [11] the optimum probabilityof success is P c = 12 + || p o ρ o − p ρ || (8)for two states ρ and ρ with a priori probability p , p = 1 − p . Clearly, Eve does not makesuch binary decision if only because H K is not accessible to her. Indeed if it is, she can justmeasure on it to identify K . The entanglement form (4) is misleading even in the classicallimit, and the form (5) on Eve’s probe alone is appropriate for interpretation.Equ (5) shows that each unnormalized trace distance is bounded by ǫ and thus the trace7istance between two different ρ kE is bounded by ǫ from the triangular inequality, k p ( k ) ρ kE − p ( k ′ ) ρ k ′ E k ≤ ǫ (9)Since p ( k ) is the distribution of K after privacy amplification, it is generally nonuniform withcorrelation between bits. It is not possible to draw the conclusion from (8)-(9) that k and k ′ cannot be distinguished with probability better than P c = + 2 ǫ even after renormalizationof p ( k ) and p ( k ′ ) . Also it is only possible to conclude from (5) that k p ( k ) ρ kE − N ρ E k ≤ ǫ (10)and not the “distinguishability advantage” interpretation k ρ kE − ρ E k ≤ ǫ . This is so evenafter the application of Markov Inequality to obtain an individual guarantee at a level ǫ ′ > ǫ .Interpretation (iii) is not relevant, certainly not sufficient, for general security whichinvolves M -ary decisions by Eve for M = 2 to M = 2 n . Note that even classically, the M -ary performance could only improve for Eve with decreasing M , on the absolute levelat least. A level ǫ may appear adequate for bit decision compared to , but is in fact veryinadequate for M -ary decision as compared to M . In the information security literaturea “semantic security" binary decision condition similar to (7) has been obtained for the“bounded storage model" [12] for “message” security, with K and any ˜ K ⊂ K being possiblemessages for comparison with QKD. Such condition is not strong enough for just raw securityas just indicated, apart from KPA security. However, in [12] the security guarantee is muchstronger than (9) from d because it is valid for every pair of k and k ′ as well as any ˜ k and ˜ k ′ , while no Markov Inequality is needed for its application. Most significantly, the security8s controlled by a security parameter that can make the quantitative level arbitrarily small.There is no such security parameter in QKD. Thus, d ≤ ǫ does not offer the equivalent ofsuch “semantic security" in QKD.Composition security of the “expansion” kind under d follows from the the fact that k ρ i − σ i k ≤ ǫ i , i ∈ − m , implies k ρ ⊗ · · · ⊗ ρ m − σ ⊗ · · · ⊗ σ m k ≤ m X i =1 ǫ i (11)In contrast to the case of interpretation (i) or (ii), this (11) does not guarantee KPA securitywhich is a “contraction". Furthermore, there are problems in adopting (11) to the form (4)or (5), which is overcome [9] by the incorrect interpretation (ii).We have gone through all the security significance of d that can be drawn from theliterature, correct and incorrect ones. We will next derive valid operational guarantee fromthe security condition d ≤ ǫ . III. SEQUENCE ERROR PROBABILITY GUARANTEE FROM d Theoretical quantities such as I ac and d have no direct operational or empirical meaningin information theory already [13]. They surely do not in cryptography, and the translationof d into operational probability guarantee is a central issue in the foundation of information-theoretic cryptography. A generalization of interpretation (iii) is P r ≤ P i + ǫ ′ ( ǫ ) (12)where ǫ ′ is some function of ǫ for d ≤ ǫ . Note that although (6) is a stronger security claim9han (12), it does not imply it became (12) holds with certainty. Under (12), empiricalmeanings of d are obtained when the performance P r ’s are Eve’s success probabilities ofvarious kinds. Generally the probabilities we are concerned with are Eve’s optimal proba-bilities p ( ˜ K ) of successfully estimating ˜ K , which is any possible subset of K including K itself, during key generation and in a KPA when K is used. We may want to bound suchprobabilities to some acceptable level ǫ ( ˜ K ) which, ideally, should be close to −| ˜ K | where | ˜ K | is the bit length of ˜ K , p ( ˜ K ) ≤ ǫ ( ˜ K ) (13)When ˜ K consists of m bits, m ≤ n , the problems involved are M -ary decisions, M = 2 m ,classically or quantum mechanically. Eve is going to utilize all her side information andmeasures on her probe to best estimate ˜ K . The usual optimal detection theory [11,14]concerns the ˜ K -averaged optimal probability only.Such averaged performance seems hard to avoid and we would need Markov Inequality(MAI) for a random variable X to convert it to an individual guarantee [15], P r [ | X | ≥ δ ] ≤ E [ | X | ] δ (14)For the application at hand, MAI needs to be used twice to get ǫ ′ from ǫ , from averages overprivacy amplification codes and either measurement result y or individual k . Such individualguarantee is needed to rule out with a high probability any disastrous breach of security.It is evident that the trace distance or variational distance corresponding to a small p ( k ) or p ( y ) can be large for any given d level. (In contrast, under interpretation (i) or (ii) oneonly needs MAI once for privacy amplification.) Since typically ǫ ≫ N , one can treat ǫ as10 probability and minimizes the total failure probability, the probability that the specifiedsecurity level is not guaranteed. This is important especially in crypto security because oneneeds to take the users’ worst care performance to guarantee a minimum security level.Thus, given E [ | X | ] = ǫ one can guarantee from (14) the level | X | < σ with a probability ≥ − ǫ/σ . This gives the failure probability (failure to guarantee | X | < σ ) of probability < ǫ/σ . The “<” or “ ≤ ” is not significant here because the bounds may be approachedarbitrarily closely. When σ itself is a similar failure probability the total failure probability P f , assuming independence of the two failure events, satisfies P f ≤ − (1 − σ )(1 − ǫ/σ ) = σ + ǫ/σ − ǫ . The best guarantee is these obtained at σ = ǫ / with resulting P f ∼ ǫ / for ǫ ≪ . Similarly, if there are two random parameters so that MAI needs to be sued twice,the total failure probability is minimized at σ = σ = ǫ / with resulting P f ∼ ǫ / .When Eve makes a measurement on her probe with result Y , from Bayes rule d ≤ ǫ becomes [16] X y p ( y ) v ( p ( k | y ) , U ( k )) ≤ ǫ (15)In lieu of applying MAI to K -average, one may apply it to the Y -average form (15). The firstmajor problem in raw security is the optimal probability that Eve can estimate the whole K correctly. This problem is more than the guarantee from a single distribution which wouldbe offered by a single variational distance. It is readily shown[16] through bounding on eachmeasured result y in (15) that the K -averaged optimum error probability ¯ p ( k ) is boundedas in (12), ¯ p ( k ) ≤ N + ǫ ′ ( ǫ ) (16)with ǫ ′ ( ǫ ) = 3 ǫ / for two uses of MAI. 11imilarly, Eve’s optimal subset ˜ K probabilities averaged over ˜ K , ¯ p ( ˜ K ) , are to be deter-mined from | ˜ K | -ary optimum quantum decision. For some ǫ ′ ( ǫ ) , one needs to show from d ≤ ǫ ¯ p ( ˜ K ) ≤ −| ˜ K | + ǫ ′ ( ǫ ) (17)For KPA, one needs to show for possibly another ǫ ′ ( ǫ ) , ¯ p ( ˜ K | K = k ) ≤ −| ˜ K | + ǫ ′ ( ǫ ) (18)when a portion K of K is known to be k and a subset ˜ K of the rest K is to be estimated.It appears difficult if not impossible to obtain (17)-(18) in general [16], with or without theuse of MAI. This is not surprising, since some ˜ K may be poorly protected under just acondition d ≤ ǫ on the overall K . The average performance overt the rest of K is hard toquantify with or without MAI, especially for a KPA. (The proper subset probabilities givenin [2, 10] are not Eve’s optimal.) Thus, Eve’s sequence success probabilities on ˜ K ⊂ K inboth raw and KPA security are not quantified (yet at least) under the security condition d ≤ ǫ . Of course, (17)-(18) follow with a high probability under interpretation (i) or (ii).Note that a quantitative statement together with a general proof is lacking on whatsecurity guarantee is obtained from d against information locking leaks. IV. BIT ERROR RATE GUARANTEE FROM d It is possible that in a wrong sequence decision on ˜ K for any ˜ K < K , Eve may neverthelessget more than half of the bits in K correctly even if the “a priori" p (˜ k ) as derived from p ( k ) is uniform. This is the bit error rate (BER) vs sequence error probability issue in12ommunications. Thus, in addition to the sequence error probability Eve’s typically betterBER needs to be bounded also from d ≤ ǫ . Eve’s BER, to be denoted by p b , is clearly onefundamental operational criterion when K is used in one-time pad format. The sequenceerror probability (rate) is needed if K is used as the seed key of a conventional cipher,which however has no KPA security independently of Eve’s quantum probe. Note that p b isdifferent from a single-bit ˜ K success probability and is not known to be determined by d .Under interpretation (i) or (ii), p b = the ideal value with probability ≥ − ǫ .The only known general low error bound on p b is Fano Inequality which can be applied toboth sequence error rate [15] and BER [17]. For d ≤ ǫ its use for sequence error rate yieldsa bound less good than (16) for typical parameters [16]. The BER is defined to be the perbit error probability p b ≡ P b ( K ) = 1 n n X i =1 P e ( i ) (19)where P e ( i ) is the probability that the i th bit in K is incorrectly obtained from Eve’s estimateof K . Fano Inequality gives in this case n H ( p b ) ≥ H ( K ) − I ac (20)where H ( · ) is the binary entropy function, H ( K ) the entropy of K from p ( k ) . We can bound H ( K ) in bits from d ≤ ǫ using [15, theorem 17.3.3] H ( K ) ≥ n − ǫ ( n + log 1 ǫ ) ∼ n (1 − ǫ ) (21)13n (21) the term log ǫ is usually small compared with n while I ac is typically ≪ and canbe neglected in (20). Thus (20)-(21) yields, for p b = − ǫ ′ and small ǫ ′ , ǫ ′ ≤ ( ǫ/ e ) / .Since MAI needs to be used twice before this ǫ ′ is applied, it is similar to the case of usingit three times and the final ǫ ′ is therefore ǫ ′ ≤ ǫ / p log e (22)As expected, the BER guarantee (22) in the form (12) is worse than that of the correspondingsequence error.Similar to the case of sequence error rate, it does not appear there is any readily derived p b ( ˜ K ) from (20) for raw and KPA security if Eve attacks proper subsets ˜ K ⊂ K via optimal | ˜ K | -ary quantum detection. From her specific attack and knowledge of the error correctionand privacy amplification codes, Eve can estimate p ( k ) and attack ˜ K from such “a priori”information apart from her probe measurement. As also in the case of her sequence errorprobability, the best subset performance can be very good for her and it is difficult to boundher average subset performance. V. QUANTITATIVE GUARANTEE FROM d There has been the persistent "intuition" that a criterion should be fine if the level isbrought down to a sufficiently small level, assuming the value zero in the ideal case. Thatseems to be true, but the whole question is how small is sufficiently small. It is a quantitative issue relative to the situation at hand. Even I ac gives security if it is smaller than − n for ann-bit K [16], which also follows from the O (log n/ǫ ) bits of K needed in a KPA [5] for largeleak of deterministic bits. 14quality in (16) may be achieved [10]. Since ǫ ′ gives the probability level that the entire K can be found by Eve in raw security, it must be very small even if not close to − n . Similar p ∼ ǫ ′ is obtained for I ac /n ≤ ǫ [10]. In this regard, the necessity of using Markov Inequalityfor individual guarantee to eliminate disastrous security breach causes great difficulty inpractice, from (22) and ǫ ′ = ǫ in (16). The problem then is that it is very hard to get a lowenough level of d or I ac in practice.It is rare to find an experimental QKD system with quantified security, but the one in [18]gives I ac ∼ − for n ∼ . Similar to (16), after two applications of MAI, the p level of − becomes ∼ − , a drop over four orders of magnitude. For the six-state BB84 protocoltheoretically analyzed recently [19] with d ≤ ǫ = 10 − (and key rate . bps ), ¯ p from (16)becomes − , a drop of six orders of magnitude from fairly secure to not at all secure. ForBER, ǫ ′ ∼ − and thus on average one more bit out of 500 bits of K may turn out correct toEve in addition to half of K . This can be compared to the binomial fluctuation level of onein − bits for the n in [19]. For the system of [18] it is possible to bound d via p [16]and ǫ ′ in (22) may get up to 25%, though for such large value the approximation of H ( p b ) leading to (21) may not be accurate. However, it is clear that drastic breach of security isnot adequately ruled out with the above numerical values. No subset ˜ K or KPA probabilitiesof the form (17)-(18) can be numerically estimated, since it is not known whether they holdfor what ǫ ′ ( ǫ ) . VI. CONCLUSION
We have shown that the QKD strong security claim (i) or (ii) fails to obtain under thesecurity guarantee d ≤ ǫ while (iii) does not address the operational security levels. We15rovide operational security meaning to d via bounds on Eve’s sequence error probabilityand bit error rate when she attacks the whole key K , the guaranteed levels are far worsethan d itself and no result can yet be obtained on her optimal attacks on subsets of K or onher known-plaintext attacks. This also causes fundamental problem on the final key rate,because better general security cannot be obtained by further privacy amplification withoutsettling these security criteria issues first.Similar to I ac the criterion d gives some measure of security to a QKD protocol . How-ever, it does not rule out huge leakage with appreciable probability, especially when theachievable level is inadequate for the necessary individual guarantee which seems to be thecase in current as well as future practice. Indeed, even the formulation of an operationallymeaningful security criterion for known-plaintext attacks does not yet exist. In a futurepaper, we will show the actual security level cannot even be quantified due to other factorsnot properly taken into account in the security analysis thus far. It appears that eitherQKD should be treated like any other existing cryptosystem with unknown fundamental se-curity, or new approaches and especially new protocols need to be developed for fundamentalsecurity guarantee. 16 II. ACKNOWLEDGMENT
I would like to thank S. Abruzzo, G. Kanter, C. Portmann, and M. Raginsky for usefulinputs. This work was supported by the Air Force Office of Scientific Research. [1] V. Scarani, H. Bechmann-Pasquinucci, N.J. Cerf, M. Pusek, N. Lukenhaus, and M. Peev, Rev.Mod. Phys. 81, 1301 (2009).[2] H.P. Yuen, Phys. Rev. A 82, 062304 (2010).[3] M. Ben-Or, M. Horodecki, D.W. Leung, D. Mayers, and J. Oppenheim, Second Theory ofCryptography Conference (TCC), Lecture Notes in Comnputer Science, vol. 3378, Springer,New York, pp.386-406 (2005); also quant-ph 0409078.[4] R. Konig, R. Renner, A. Bariska, and U. Maurer, Phys. Rev. Lett. 98, 140502 (2007).[5] F. Dupuis, Florjanczyk, P. Hayden, and D. Leung, arxiv: quant-ph 1011.1612v1, 2010.[6] R. Renner and R. Konig, Second Theory of Cryptography Conference (TCC), Lecture Notesin Computer Science, vol. 3378, Springer, New York, pp. 407-425 (2005).[7] R. Renner, J. Quant.Inf. 6, 1 (2008); same as Ph.D thesis in quant-ph 0512258.[8] V.Scarani and R.Renner, Phys. Rev. Letter.100, 200501 (2008).[9] J. Muller-Quade and R. Renner, New J. Phys. 11, 085006 (2009).[10] H.P. Yuen, IEEE J. Selected Topics in Quantum Electronics, 15, 1630 (2009).[11] C.W. Helstrom,
Quantum Detection and Estimation Theory , Academic Press, 1976[12] Y. Aumann, Y. Ding, and M. Rabini, IEEE Trans. Inf. Theory 48, 1668 (2002)[13] T.S. Han,
Information Spectrum Methods in Information Theory , Springer, New York, 2003,p. XI.
14] H.P. Yuen, R. Kennedy, and M. Lax, IEEE Trans, Inf. Theory, 21, 125 (1975).[15] T.M. Cover and J.A. Thomas,
Elements of Information Theory , 2nd ed, Wiley, 2006.[16] H.P. Yuen, quant-ph. 1109.1051 v.3 .[17] R.G. Gallager,
Information Theory and Reliable Communication , Wiley, 1968.[18] J. Hasegawa, M. Hayashi, T. Hiroshima, and A. Tomita, Asian Conference on Quantum Infor-mation Science, Kyoto, 2007; quant-ph 0705.3081[19] S. Abruzzo, H. Kampermann, D. Brub, S.Bratzik, M. Mertz, and H. Heine, paper presentedat the SPIE meeting in Prague, September, 2011, Wiley, 1968.[18] J. Hasegawa, M. Hayashi, T. Hiroshima, and A. Tomita, Asian Conference on Quantum Infor-mation Science, Kyoto, 2007; quant-ph 0705.3081[19] S. Abruzzo, H. Kampermann, D. Brub, S.Bratzik, M. Mertz, and H. Heine, paper presentedat the SPIE meeting in Prague, September, 2011