SARG04

SARG04 (named after Valerio Scarani, Antonio Acin, Gregoire Ribordy, and Nicolas Gisin) is a 2004 quantum cryptography protocol derived from the first protocol of that kind, BB84.

Origin

Researchers built SARG04 when they noticed that by using the four states of BB84 with a different information encoding they could develop a new protocol which would be more robust, especially against the photon-number-splitting attack, when attenuated laser pulses are used instead of single-photon sources. SARG04 was defined by Scarani et al. in 2004 in Physical Review Letters as a prepare and measure version (in which it is equivalent to BB84 when viewed at the level of quantum processing).

An entanglement-based version has been defined as well.

Description

In the SARG04 scheme, Alice wishes to send a private key to Bob. She begins with two strings of bits, $a$ and $b$, each $n$ bits long. She then encodes these two strings as a string of $n$ qubits,

$, \psi\rangle = \bigotimes_^, \psi_\rangle.$

$a_i$ and $b_i$ are the $i^\mathrm$ bits of $a$ and $b$, respectively. Together, $a_ib_i$ give us an index into the following four qubit states:

$, \psi_\rangle = , 0\rangle$

$, \psi_\rangle = , 1\rangle$

$, \psi_\rangle = , +\rangle = \frac, 0\rangle + \frac, 1\rangle$

$, \psi_\rangle = , -\rangle = \frac, 0\rangle - \frac, 1\rangle.$

Note that the bit $b_i$ is what decides which basis $a_i$ is encoded in (either in the computational basis or the Hadamard basis). The qubits are now in states which are not mutually orthogonal, and thus it is impossible to distinguish all of them with certainty without knowing $b$.

Alice sends $, \psi\rangle$ over a public quantum channel to Bob. Bob receives a state $\varepsilon\rho = \varepsilon, \psi\rangle\langle\psi,$, where $\varepsilon$ represents the effects of noise in the channel as well as eavesdropping by a third party we'll call Eve. After Bob receives the string of qubits, all three parties, namely Alice, Bob and Eve, have their own states. However, since only Alice knows $b$, it makes it virtually impossible for either Bob or Eve to distinguish the states of the qubits.

Bob proceeds to generate a string of random bits $b'$ of the same length as $b$, and uses those bits for his choice of basis when measuring the qubits transmitted by Alice. At this point, Bob announces publicly that he has received Alice's transmission. For each qubit sent, Alice chooses one computational basis state and one Hadamard basis state such that the state of the qubit is one of these two states. Alice then announces those two states. Alice will note whether the state is the computational basis state or the Hadamard basis state; that piece of information makes up the secret bit that Alice wishes to communicate to Bob. Bob now knows that the state of his qubit was one of the two states indicated by Alice. To determine the secret bit, Bob must distinguish between the two candidate states. For each qubit, Bob can check to see whether his measurement is consistent with either possible state. If it is consistent with either state, Bob announces that the bit is invalid, since he cannot distinguish which state was transmitted based on the measurement. If on the other hand, one of the two candidate states was inconsistent with the observed measurement, Bob announces that the bit is valid since he can deduce the state (and therefore the secret bit).

Consider for example the scenario that Alice transmits $, \psi_\rangle$ and announces the two states $, \psi_\rangle$ and $, \psi_\rangle$. If Bob measures in the computational basis, his only possible measurement is $, \psi_\rangle$. This outcome is clearly consistent with the state having been $, \psi_\rangle$, but it would also be a possible outcome if the state had been $, \psi_\rangle$. If Bob measures in the Hadamard basis, either $, \psi_\rangle$ or $, \psi_\rangle$ could be measured, each with probability ½. If the outcome is $, \psi_\rangle$ then again this state is consistent with either starting state. On the other hand, an outcome of $, \psi_\rangle$ cannot possibly be observed from a qubit in state $, \psi_\rangle$. Thus in the case that Bob measures in the Hadamard basis and observes state $, \psi_\rangle$ (and only in that case), Bob can deduce which state he was sent and therefore what the secret bit is.

From the remaining $k$ bits where both Bob's measurement was conclusive, Alice randomly chooses $k/2$ bits and discloses her choices over the public channel. Both Alice and Bob announce these bits publicly and run a check to see if more than a certain number of them agree. If this check passes, Alice and Bob proceed to use privacy amplification and information reconciliation techniques to create some number of shared secret keys. Otherwise, they cancel and start over.

The advantage of this scheme relative to the simpler BB84 protocol is that Alice never announces the basis of her bit. As a result, Eve needs to store more copies of the qubit in order to be able to eventually determine the state than she would if the basis were directly announced.

Intended use

The intended use of SARG04 is in situations where the information is originated by a Poissonian source producing weak pulses (this means: mean number of photons < 1) and received by an imperfect detector, which is when attenuated laser pulses are used instead of single photons. Such a SARG04 system can be reliable up to a distance of about 10 km.

Modus operandi

The modus operandi of SARG04 is based on the principle that the hardware must remain the same (as prior protocols) and the only change must be in the protocol itself.

In the original "prepare and measure" version, SARG04's two conjugated bases are chosen with equal probability.

Double clicks (when both detectors click) are important for comprehending SARG04: double clicks work differently in BB84 and SARG04. In BB84, their item is discarded because there is no way to tell what bit Alice has sent. In SARG04, they are also discarded, "for simplicity", but their occurrence is monitored to prevent eavesdropping. See the paper for a full quantum analysis of the various cases.

Security

Kiyoshi Tamaki and Hoi-Kwong Lo were successful in proving security for one and two-photon pulses using SARG04.

It has been confirmed that SARG04 is more robust than BB84 against incoherent PNS attacks.

Unfortunately an incoherent attack has been identified which performs better than a simple phase-covariant cloning machine, and SARG04 has been found to be particularly vulnerable in single-photon implementations when Q >= 14.9%.

Comparison with BB84

In single-photon implementations, SARG04 was theorised to be equal with BB84, but experiments have shown that it is inferior.

References

Bibliography

*
*
*

See also

*Quantum cryptography
*BB84 protocol

{{quantum_computing

Quantum cryptography
Quantum cryptography protocols