
In this chapter I have discussed two protocols that demonstrate the entangling power of a beamsplitter. In each of them, entanglement has been created by mixing two uncorrelated classical beams on a beamsplitter, with entanglement emerging between at least one of the output modes and the remaining two. For the scheme to work, the state before the beamsplitter must have some global nonclassicality, quantified by global squeezing, and it must also possess quantum discord between the modes, while remaining fully separable. This shows the importance of each of these classifications of nonclassicality. Although it is global squeezing that is converted into entanglement, discord has to be there to ensure that the state possesses some correlations before the entangling beamsplitter. Interestingly, I have shown that there are some common classes of two-mode states that are never nonclassical and separable at the same time. However, it seems likely that for states that are more mixed, the window in which states can be both nonclassical and separable is bigger. I also discussed how the beamsplitter is used in these protocols to transform between the different classes of three-mode entanglement.

Finally, I have demonstrated an application for these protocols in the form of collaborative dense coding. To use the three-mode entanglement for dense coding, all three parties must work together. To do this, the power of a beamsplitter is further demonstrated, as it is used to localise the three-mode entanglement into two-mode entanglement that can be used for dense coding.

5 Quantum Digital Signatures

A signature provides a method that ensures the authorship of a message and guarantees the integrity of its content. There have been many examples throughout history, from the wax seal of the Middle Ages to the chip-and-pin system today. One obvious example of a signature is the one on the back of your credit card or in your chequebook. Ideally this can only be produced by you, so anything bearing this signature must have originated from you. However, the obvious problem with this is that anyone can observe the exact signature, and so a skilled forger can recreate it almost exactly. Therefore the importance of securing signatures against forgery is clear to see.

Recently, as more and more communication occurs online, digital signatures have become prevalent. These are based on the same principle as other signatures but can be transmitted through the use of computers. However, currently used classical digital signature schemes are only secure if one assumes that an adversary has limited computational power. At the moment, this assumption is probably safe, but with the advent of quantum computers many currently used schemes would become immediately insecure. This leads to the requirement for signature schemes that are unconditionally secure, and one possibility for this is a quantum digital signature (QDS). The security of QDS schemes is based on the fundamental principles of quantum mechanics and therefore provides unconditional security. The security of QDS is based on the same principles as security in quantum key distribution (QKD), in particular the non-orthogonality of quantum states.

In this chapter I introduce the properties of a signature scheme and briefly describe currently used classical digital signatures. I give an overview of work done so far on quantum digital signatures, focussing on the differences between schemes. I then introduce a protocol that provides a secure quantum digital signature through the use of homodyne detection, and describe its experimental implementation. Finally, I compare the performance of this scheme with previous work that uses discrete measurement techniques, showing that homodyne detection provides an advantage.

5.1 Introduction to signatures

Digital signature protocols, introduced by Diffie and Hellman in 1976 [58], aim to guarantee the author of a message and also its content. In addition, if one party accepts a signed message, he must be sure that a future party will also accept the message. To be considered secure a signature scheme must satisfy three properties [200]:

1. Unforgeability: Only the creator of the signature can send a message and have it successfully accepted as being genuine.

2. Non-repudiation: Once a message is signed, the signer cannot deny that the message originated from them.

3. Transferability: If someone accepts a signature, he must be confident that any future recipients will also accept the message. He must be sure of this without the need to interact with any other party.

In what follows, I restrict to the simplest case with three parties involved in the signature scheme: a distributor, Alice, and two recipients, Bob and Charlie. Alice will send a signed message first to Bob, who then forwards the signed message to Charlie. In the three-party setting, the notions of non-repudiation and transferability are equivalent. In contrast to the case for QKD, where Alice and Bob are assumed to be honest, in a signature protocol any of the involved parties could be dishonest. In analogy to a signature on a cheque, Alice is the owner of the cheque and wishes to pay Bob, who wants to bring the cheque to Charlie, the bank. When Bob receives the cheque he must be sure that the bank will also accept it; this is transferability. When Charlie (the bank) receives the cheque from Bob, he must be sure that the cheque was signed by Alice; this is unforgeability. Recent work has begun to extend QDS to more than three parties [12], but this adds additional complications, e.g. how to deal with colluding adversaries and dispute resolution.

In the case of a conventional handwritten signature, Alice has previously distributed her signature to the other parties before sending the message some time in the future. In both classical and quantum digital signature schemes, there are also two stages: a distribution stage and a messaging stage. In both cases the distribution stage will often be in the form of public key distribution, where all parties are assumed to have access to the public key. In the messaging stage Alice sends her message along with a signature, or private key. All other parties can compare the private key to the public key to verify the signature, but it is impossible to determine the private key from the public key, so only Alice could have signed the message with the private key. Security of this form is often based on a one-way function that converts a private key to a public key. From the private key, the function can easily be used to calculate the public key; however, given the public key, it is almost impossible to determine the private key.
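The two stages described above can be made concrete with a Lamport-style one-time signature, shown here as an added example that is not part of the original chapter. It assumes SHA-256 as the one-way function and uses a constructed sample message; each key pair may sign only one message, and the security is computational, which is the assumption quantum schemes aim to remove.

```python
import hashlib
import secrets

BITS = 256  # length of the message digest that gets signed

def one_way(data: bytes) -> bytes:
    """One-way function: easy to compute, infeasible to invert (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()

def keygen():
    """Distribution stage: Alice draws a private key and derives the public key."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(one_way(a), one_way(b)) for a, b in private]
    return private, public

def digest_bits(message: bytes):
    """Bits of the message digest; bit i selects which half of pair i is used."""
    d = int.from_bytes(one_way(message), "big")
    return [(d >> i) & 1 for i in range(BITS)]

def sign(private, message: bytes):
    """Messaging stage: reveal one private-key element per digest bit."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(public, message: bytes, signature) -> bool:
    """Any recipient holding the public key checks the signature on their own."""
    if len(signature) != BITS:
        return False
    return all(
        one_way(sig) == public[i][bit]
        for i, (sig, bit) in enumerate(zip(signature, digest_bits(message)))
    )

def demo():
    private, public = keygen()            # public key is distributed to Bob and Charlie
    message = b"pay Bob 10"               # constructed sample message
    signature = sign(private, message)
    bob_accepts = verify(public, message, signature)
    charlie_accepts = verify(public, message, signature)  # after Bob forwards it
    altered = verify(public, b"pay Bob 1000", signature)  # message changed in transit
    return bob_accepts, charlie_accepts, altered

if __name__ == "__main__":
    print(demo())
```

Bob and Charlie run the same check against the same public key without contacting each other, which is the transferability property; the altered message fails because its digest selects private-key elements that were never revealed.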