Quantum Information Science: Lecture Notes

Citation preview

Lecture # 2, Quantum Computation 2: QEC Criteria Lecture notes of Isaac Chuang, transcribed by Jennifer Novosad Outline: 0. Review 1. Classical Coding 2. Q. Coding 3. Operator Measurement and Error Syndromes 4. Shor 9 Qubit Code 5. Quantum Error correction Codes Criteria (QEC criteria)

2

0. Review �

χ ≡ χ∗

β(χ) =

�

k

Ek χEk† where

�

k

Ek Ek† = I

3 1.

CLASSICAL CODING

1-p

0

0

p p 1

1-p

1

FIG. 1: a binary symmetric channel

P = prob of error Definition: A Classical [n,k,d] code is a set of 2k n-bit strings which have a minimum Hamming distance d. Definition: A Hamming distance between two bit strings is d(x, y) = w(x ∃ y) where ∃ is the x-or operator, and w is an operation that counts the number of ones. Example: 0L(ogical) = 000, 1L = 111 is a [3,1,3] code could send

could receive

prob

decode

0L = 000

000

(1 − p)3

0

001

p(1 − p)2

0

010

p(1 − p)2

0

100

p(1 − p)2

0

011

p2 (1 − p)

1

p2 (1 − p)+

101

p2 (1 − p)

1

p2 (1 − p)+

110

p2 (1 − p)

1

p2 (1 − p)+

111

p3

1

p3

So, the total probability of error is 3p2 − 2p3 = O(p2 )

prob. of error

4 2.

QUANTUM CODING

1995: Thought error correction to be impossible! 1. States collapse on measurement 2. Classically error occurs or does not occur. In Q. M., errors are continuous: �|0→ + � |1→ ≡ (� + β)|0→ + ... 3. No cloning Thm prohibits copying, so cannot create �|0→ + �|1→ ≡ (�|0→ + � |1→)(�|0→ + � |1→)(�| 0→ + � |1→) The Solutions: 1. Measure only the effect of the environment, not the state (i.e. did an error occur?) 2. & 3. Orthogonalize errors using entanglement: the environment has done one thing, or another, in an entangled way. �| didsomething→ + � |didnothing→ Example: The Quantum Bit Flip Code:

|0L → = |000 → |1L → = |111→ |�L → = �|0L → + � |1L →

suppose β(χ) = (1 − P )χ + P XχX where P is the probability of error and X is the error

operator. �(�)

A≡ B Define: An [[n,k]] quantum code C is a k-qubit subspace of an n-qubit Hilbert space. So, for our example, k=3, n=1.

5 ��3

Input |�� = �|000� + � |111�

3.

� Output

prob

decode

prob. of error

�|000� + � |111�

(1 − p) 3

0

�|001� + � |110�

p(1 − p)2

0

�|010� + � |101�

p(1 − p)2

0

�|100� + � |011�

p(1 − p)2

0

�|011� + � |100�

p2 (1 − p)

1

p2 (1 − p)+

�|101� + � |010�

p2 (1 − p)

1

p2 (1 − p)+

�|110� + � |001�

p2 (1 − p)

1

p2 (1 − p)+

�|111� + � |000�

p3

1

p3

OPERATOR MEASUREMENT

Given U with eigenvalues ±1, eigenvectors |u± → Definition: Measuring U H

H

0

C0 u+

U

measurement result z

�

C1 u-

Initially, the state is |0→(C0 |u+ → + C1 |u− →)

�1 (|0→ + |1→)(C0 |u+ → + C1 |u− →) 2 Controlled-U gate, �12 (|0→(C0 |u+→ + C1 |u− →) + |1→(C0 |u+ → − C1 |u− →)) last Hadamard, �12 (|0→ + |1→)(C0 |u+ → + C1 |u− →) + (|0→ − |1→)(C0 |u+ → −

After the first Hadamard, After the After the

= |0→C0 |u+ → + |1→C1 |u− →

If the measurement is z = 0, then |P si→ = |u+→. (With prob C02 , z = 0)

If the measurement is z = 1, then |P si→ = |u− →. (With prob C12 , z = 1) 3.1.

U1 = δz1 δz2 = δz δz I U2 = δz2 δz3 = Iδz δz

Error Correction Syndrome Measurement

C1 |u− →)

6

state

U1

U2

�|000� + � |111�

0

0

�|001� + � |110�

0

1

�|010� + � |101�

1

1

�|100� + � |011�

1

0

TABLE I: 0 represents a +1 eigenstate of U i , and 1 represents a -1 eigenstate.

Steps to Error Correction: 1. measure syndrome operators (here, U1 & U2 2. Apply recovery operator R (here, 00 ≡ I, 01 ≡ δx3 , 11 ≡ δx2 , 10 ≡ δx1 To create the initial state |P siL →: � 0

+� 1 � 000

0

+ � 111

0

And then to error correct: 0

�

H

H αz

Ψ

αz

R

αz

αz 0

H

H

note: the double lines indicate classical information.

7 Claim:

This scheme also corrects for a small continuous rotation error!

We will do this on one bit to demonstrate.

β(χ) = eiεδx χeiεδx e−εδx = Rx (2ε) Rx1 (2ε)|�→ ∝ = |�→ − iεδx1 |P si→ ∈ |�∗ →

The fidelity is F = |√�|�∗ →|2 ∝ = 1−ε

Syndrome measurement collapses error into either I or δx1 F (R(β(χ)), |�→) ∝ =? ∝ = 1 − ε2 Example: The Phase Flip Code βphasef lip(χ) = (1 − P )χ + P δz χδz Recall Hδx H = δz , Hδz H = δx So, Hβphasef lip(HχH)H = βbitf lip Explicitly, � 0

+� 1

H

0

H

0

H

0L = |+++ 1L = | - - ­

Ψ

H

H

R

H

+

= 0 + 1 / sqrt(2)

_

= 0 - 1 / sqrt(2)

For the bit flip: Uo = δz δz I and U1 = Iδz δz For the phase flip: Uo = δx δx I and U1 = Iδx δx Claim: arbitrary errors can be described as δx , δz , and δx δz errors Proof Argument: � β(χ) = k Ek χEk†

where we are guaranteed

�

k

Ek Ek† = I

Recall pauli matrices δj = I, δx , δy , δz , and that δy = −iδx δz � Since δj is a basis for all 2x2 hermitian matrices, let Ek = j Ckj δj .

8 � Then, β(χ) = kjj � Ckj Ck�j � δj χδj � � β(χ) jj � �jj � δj χδj � is the “Chi representation or OSR”

Example: recall

∝ |P si→ − iεδx |P si → Rx (2ε)|�→ =

β(χ) = χ − iεδx χ − iεχδx + ε2 δx χδx

The −iεδx χ − iεχδx term disappears in the syndrome measurement, and the χ + ε2 δx χδx

term remains. The result is that the syndrome measurement projects the environment into a definite error state.

9 4.

SHOR 9 QUBIT CODE

⊕ |0L → = (|000→ + |111→)�3 / 8 ⊕ |1L → = (|000→ − |111→)�3 / 8 this code will correct ANY single qubit error. Syndrome Measurements: for a bit flip: δz1 δz2 , δz2 δz3 , δz4 δz5 , δz5 δz6 , δz7 δz8 , δz8 δz9 for a phase flip: δx1 δx2 , δx3 δx4 , δx4 δx5 , δx5 δx6 , δx6 δx7 , δx8 δx9 ,

10 5.

Channel: E(χ) =

�

k

QEC CRITERIA/CONDITIONS

Ek χEk†

Thm: Let C be a quantum Code defined by the orthonormal states { |�l → } � a quantum recovery operation R correction β on C iff: 1. Orthogonality: if I have 2 errors j and k, √�l |Ej† Ek | �l → = 0 2. Nondeformation criteria:

√�l |Ek† Ek |�l → = dk �l this is so you cannot distinguish shrinking on different code words, all shrinking is the same.

C

Ψ

C

C

C No Overlap or Unique Deformations

C

C

C

note that dk implies probability loss, but not information loss, �

† k Ek Ek

=1

�

k

dk = 1 since

Proof: (≡) � Let P = l |�l →√�l | (project onto C) note P Ej† Ek P = dk αjk P (*)

note by Polar decomposition (extracting rotation and shrinkage) Ek P = Uk ⊕ ⊕ dk Uk P where dk is the shrinkage and Uk P is the rotation. 1. Syndrome measurement:

�

P Ek† Ek P =

11 let Pk = Uk P Uk† =

Ek P Uk† � dk

=

Uk P Ek† � dk

By (*), the Pk s are orthogonal: �k ∼= j, Pk Pj ∀ Uk P Ek† Ej P Uj† = 0 measure Pk output k syndrome. 2. Apply Recovery R � R(χ) = k Uk† Pk χPk Uk note for |�→ � C , Uk† Pk Ej |�→ =

Uk† Uk P Ek† � Ej P |�→ dk

=

�jk dk P � |�→ dk

=

⊕

dk αjk |�→

Thus: R(β(|�→√�|) = R(

�

j

Ej |�→√�|EjT ) =

�

jk

Uk† Pk Ej† Pk Uk =

�

jk

dk αjk P = |�→√�|

MIT 6.443J / 8.371J / 18.409 / MAS.865 Quantum Information Science March 14, 2006

1

Adiabatic Quantum Computation

Adiabatic quantum computation is a Hamiltonian­Based model of quantum computation. In quantum odinger equation gives the time­evolution of a state |ψ� in terms of the Hamiltonian mechanics, the Schr¨ operator H, ∂ H |ψ� = i� |ψ�. ∂t Furthermore, if |ψ� is an energy eigenstate with energy E, then |ψ(t)� = e−iEt/� |ψ(0)�. The idea behind Hamiltonian­based QC is that finding the ground state of a Hamiltonian solves inter­ esting computational problems, including NP complete problems. Adiabatic Theorem The adiabatic theorem says that if we begin in the ground state and change the Hamiltonian slowly, be end in the ground state of the new Hamiltonian. Consider the Hamiltonian H(t) for 0 ≤ t ≤ 1. Where do we end up if we are in the ground state at s = 0 ? � � t HT (t) = H T ∂ HT |ψ� = i� |ψ� ∂t |ψt=0 � = |ground state� Theorem. As T → ∞, |ψt=τ � → |ground state�. How Slow Must the Hamiltonian Change? The time depends on the energy gap Δ between the ground state and the lowest excited state. “Theorem”. If T ∝ 1/Δ2 , we stay in the ground state (no rigorous proof known). Theorem. If T ∝ 1/Δ3 , we stay in the ground state. Theorem. If T ∝ 1/Δ2 and the Hamiltonian is smooth, we stay in the ground state. Example: Grover’s Algorithm Grover’s algorithm finds a unique goal state, H |goal� = H |s, s �= goal� =

0 1.

We begin with the state: �

�⊗n 1 √ (|0� + |1�) , 2 1

which is the ground state of the Hamiltonian, H = −σx(1) − σx(2) − . . . − σx(n) . To find the gap, let |goal� = |00. . .0�. Note that the beginning state is symmetric: exchanging any two qubits � yields the same Hamiltonian. The space of symmetric states has dimensionality n√+ 1n and basis states: 1 |sk �, where the sum is over all bit strings with k 0s. The smallest gap is O(1/ 2 ) so the running n

(k )

time is O(2n ). However, the gap over time looks like:

1st excited

ground

√ so by moving quickly when the gap is large, the time becomes O( 2n ). Example: 3­SAT 3­SAT may be expressed as finding the ground state of a Hamiltonian. Given n variables with possible values 0 and 1, and m clauses of the form xi ∨ x¯j ∨ xk (with any number of negations), can all clauses be satisfied for some assignment of the variables? The Hamiltonian that answers this question is: HC H

(1 + Zi )(1 − Zj )(1 + Zk ) m � = HC i

=

i=1

Note: the Hamiltonian is 3­local, which is desireable for physical implementations. What is the gap for random instances of 3­SAT? Nobody knows.

2

Universality of Adiabatic QC

Theorem. Any quantum computation is equivalent, up to polynomial factors to 5­local adiabatic quantum computation. Steps: 1. Find a ground state that accomplishes the computation. 2. Show that the gap is large. Encoding a Computation Given a computation on s qubits with t steps, step i is given by: Ui |ψi−1 � = |ψi � |ψ0 � = |00. . .0�

2

The first bit encodes the answer. We want the probability of of the first bit being 1 to be close to 1 or close to 0. There are two registers: computation and clock. The ground state that encodes the computation is given by: Wi

= Ui Ui−1 . . . U1 t � 1 |g.s.� = √ Wk |0�comp ⊗ |k�clock t + 1 k=0 Energy Penalties We want to assign energy penalties for: • having an incorrect initial state • incorrect evolution • bit 1 �= |0� in final state. For the initial state we use a term picking out |1�k |0�clock : E |1�k |0�clock �1|k �0|clock . A similar term can be used for the final state. When the clock goes from k − 1 to k, we need to apply Uk to the state. The penalty term to accomplish this is: I ⊗ |k��k| − Uk ⊗ |k��k − 1| − Uk† ⊗ |k − 1�|k� + I ⊗ |k − 1��k − 1|. The Hamiltonian’s ground state thus encodes the entire evolution. Modified 3­Local Hamiltonian To make the Hamiltonian 3­local, we represent the clock in unary: time k: |1�⊗k |0�⊗n−k . Not all clock states are valid in this representation. We need to ensure there are no |01� sequences in the clock states. We can now use 3­qubit clock terms in the penalty term for evolution. Energy Gap • Have: H |ψ� ≈ 0 if the computation answer is “yes”. • Need: H |ψ� > 1/nk if the answer is “no”. • Need: excited state H |ψ� > 1/nk if the answer is “yes”. We perform a change of basis: Wk |0�comp |k�clock → |0�comp |k�clock accomplished by applying the unitary: �

Wk† ⊗ |k��k|

k

to the original ground state. The effect on the Hamiltonian is: Uk ⊗ |k��k − 1| → I ⊗ |k��k − 1|, making the gap simple to calculate. 3

3

Fault Tolerance

Considering the final Hamiltonian, there may be an additional error term: Hfinal Hfinal + Herror

→ →

ground state |ψ� |ψ˜�

We encode each qubit {|0�, |1�} to {|0L �, |1L �}:

|0� |1�

1

(|0000� + i|0011� + i|1100� + |1111�) 2 1 → (−|0101� + i|0110� + |1001� − |1010�) . 2 →

These states are in a subspace stabilized by: XXXX ZZZZ XY ZI so we assign an energy penatly for not lying in the logical subspace: � � � (k) (k) (k) Hp = −Ep g1 + g2 + g3 . One­local errors take logical states outside the subspace. We want to put the Hamiltonian in terms of XL , YL , ZL : XL YL ZL

= Y IY I = −IXXI = ZZII

Note that this takes a k­local Hamiltonian to a 2k­local one. A 5 qubit code protects against 2­local noise implemented with 3­local ooperators. Condition. G = �g1 , g2 , . . . , gk � such that gi Gj = gj gi . When encoding 1 qubit, XL , YL , ZL are given by cosets of G in G⊥ . If wt(G⊥ ) > t we want XL , YL , ZL with wt(t + 1) in each of 3 cosets G⊥ /G.

4

Lecture 11 : Quantum Random Walks

Lecturer: Peter Shor Scribe: Isaac Kim

1

Quantum Random Walks • Exponential speedups on contrived problems → Childs et al. •

2

√

speedups on some applicable problems → Ambainis’s algorithm for element distinctness

Grover’s Algorithm • We have N elements – One of the are ‘marked’ → Find it! ∗ Classically : O(N )

√ ∗ Quantum Mechanically : O( N ) • Strategy – Use two operations ∗ G |i� = − |i� where i is the marked one, G |j� = |j� ∀i = � j �N 1 ∗ M : |ψ� = j=1 √N |j� → |ψ� (M = 2 |ψ� �ψ | − I) – Start in |ψ� √ – Perform (M G)t for t = π4 N

• Why does it work? – The state stays in a subspace generated by |ψ�, |i�.

2

Isaac Kim

3

Generalization • Suppose you have a

√

N×

√

N grid.

• We will use following operations 1. Move to adjacent vertex 2. Ask “Is this vertex marked?”

√ √ √ • For N × N grid, there is O( N log N ) quantum algorithm.

√ • For dim ≥ 3 grids, O( N ) quantum algorithm exists.

4

Element Distinctness • We have function f [N ] → [M ] – ∃i, j

s.t. f (i) = f (j), i = � j

– Assume i and j are unique. • Classically : Best way is to sort the elements, with time complexity O(N log N ), O(N ) queries. • Buhram O(N 3/4 ) queries • Ambainis O(N 2/3 ) queries → Proven to be the lower bound (Shi)

4.1

Several Definitions and Generic Settings

1. Define graph • S : Set of r elements • S � : Set of r+1 elements (if S ⊆ S � ) 2. Mark a set if f (i) = f (j), i, j ∈ S 3. Start in a superposition of all sets. Perform walk, search until you find a marked set. 2

• Probability of a set being marked is O( Nr 2 ).

Lecture 11: Quantum Random Walks

3 N2 r2

• Each takes time r to check a set. →

log r

4. Keep f (i) ∀i ∈ S

4.2

• A : |s� |y� → |s� (−1 +

2 N −r

• B : |s� |y� → |s� (−1 +

2 ) |y� r+1

|y� + +

2 N −r

�

2 r+1

�

y � ∈S,y � �=y

|y � �)

y � ∈S,y � = � y,S � =(S−{y})∪{y � }

|s� � |y � �

Algorithm

1. Start in a superposition

1 q

�

N r

( )(N −r)

|S |=r,y ∈S /

|S� |y�

• Number of elements in S : r = O(N 2/3 ) (Why? → Shown in the last part) 2. Query elements f (i), i ∈ S ∪ {y}. Get 3. Repeat

N r

�

|s� |y� ⊗i∈S f (i) × f (y)

times

• Apply phase (−1) to marked states. √ • Apply (AB)t , t = O( r) • Measure state. Find f (i) = f (j) with probability � > 0.

4.3

Proof

The walk stays in a 5­dim subspace. Since • • • • •

N −2 r

1 )(N −2−r)

�

|S, y� : S ∪ y contains no duplicated elements.

N −2 r

1 )(N −2−r)

�

|S, y� : S contains 1, y not duplicated

N −2 r

1 )(N −2−r)

�

|S, y� : S contains 2, y not duplicated

N −2 r

1 )(N −2−r)

�

|S, y� : S contains 0, y duplicated

N −2 r

1 )(N −2−r)

�

|S, y� : S contains 1, y duplicated

( ( ( ( (

Lemma : Suppose U1 , U2 are unitaries on some O(1)­dimensional subspace, where U1 is a reflection. U1 |ϕgood � = − |ϕgood � U1 |ϕ� = |ϕ� (�ψ |ϕgood � = 0)

4

Isaac Kim

U2 is real and U2 |ϕstart � = |ϕstart �. Other eigenvalues eiθ , e−iθ , where � < θ < 2π − �. Let �ϕgood | ϕstart � = α. Then, ∃t, t = O( α1 ), so after t, iterations | �ϕgood | (U1 U2 )t |ϕstart � | ≤ δ where δ > 0 depends on �, not α. √ BA has eigenvalue O( √1r and for eiθ , θ = O( √1r ). Therefore, (BA) r has eigenvalue eiθ , where θ > � > 0. Now we need to iterate O( √1α times, where α = �ϕgood |ϕstart �. • ϕstart : Superposition of all |S� • ϕgood : Superposition of all marked |S� Since | �ϕstart |ϕgood � = portions of marked |S�s and α = O(r +

� r2 /N 2 =

r , N

total time is

N√ N r) = O(r + √ ) r r

which is minimized by taking r = O(N 2/3 ). → Running time becomes O(N 2/3 ).

MIT 6.443J / 8.371J / 18.409 / MAS.865 Quantum Information Science April 27, 2006

Unconditional Security of QKD 1. Cryptography 2. Quantum Key Distribution: BB84 3. EPR Protocol 4. CSS Code Protocol 5. Secure BB84

1

Crytography

secret comm.

auth

PKC

DSS

In the Vernam Cipher (one­time pad), Alice and Bob share a secret key k.

key k A msg m m+k

B m' m'+k=m

Eve has m + k, but I(m + k, m) = H(m + k) − H(m + k/m) = H(m + k) − H(k) = 0 The key k is called a “pad.” It is referred to as “one­time” because k can’t be reused.

1

Distribution of k ⇒ “security criterion” I(Eve, key) = 2−l where resources required ∼ poly(l).

2

Quantum Key Distribution: BB84 rand b in {0,1} A

H

rand b' in {0,1}

channel

H

a'

Bob

a = |0�, |1� = �, ↔ Keep all bits for which b� = b. A and B hash obtain key k. Thm. Info gain ⇔ disturbance. In any attempt to distinguish non­orthogonal states |ψ� and |φ�, information gain is only possible at the expense of disturbing the states. Proof. WLOG assume |ψ�|u� |φ�|u� �φ|ψ� 1 |v�

→ → = = = contradiction

Problem: collective attacks

2

|ψ�|v� |φ�|u� � �φ|ψ��v|v � � �v|v � � |v � �

b rand H A Q meas

Eve

Bob

3

EPR Protocol

Perfect EPR Pair ⇒ good key. • A announces b b

• B does

H

• Random checks (test Bell’s inequalities) • Entaglement purification ⇒ m EPR pairs • Measure, get key Q: what is Eve’s mutual information with k? We want: I ∼ e−l ⇒ bound Eve’s errors Does classical statistics apply? The most general model for Eve is: A |00> + |11> B

Eve

Eve can be treated as an error on the state |00� + |11�:

|00� + |11� → |00� + |11� |00� + |11� → |00� − |11� |00� + |11� → |01� + |10� |00� + |11� → |01� − |10� 3

Error I Z X iY

Define: Πbf = |β01 ��β01 | + |β11 ��β11 | Πpf = |β10 ��β10 | + |β11 ��β11 | Claim: we can use classical statistics because [Πbf , Πpf ] = 0. Measure the following randomly on random pairs: Πbf , Πpf ,

I − Πbf I − Πpf

Theorem: Random Sampling. Consider 2n bits with 2µn ones. Measure n bits, obtaining 2 kn ones. Prob[|k − µ| > �] ∼ e−O(n �) as n → ∞ (Chernoff bound). ⇒ How to purify?

Let δn = n − nt, where t is the estimated number of errors. Let E, D be an encoder pair for

a [[n, δn ]] QECC. Result: QECC garantees:

A

dn E Bell n n

n Eve

U

dn D

Bob

F (ρ, |β00 �⊗δn )2 ≥ 1 − 2−l Goal: Bound I(Eve, key)

Lemma: High Fidelity ⇒ low entropy. If F (ρ, |ψ�)2 > 1 − 2−l , then S(ρ) < (n + l)2−l .

Proof. If �ψ |ρ|ψ� > 1 − 2−l , then the maximum eigenvalue of ρ is greater than 1 − 2−l . ⎛⎡ ⎤⎞ 1 − 2−l ⎜⎢ ⎥⎟ x ⎜⎢ ⎥⎟ S(ρ) < S(ρmax ) = S ⎜⎢ ⎥⎟ x ⎝ ⎣

⎦⎠ .. .

4

where x =

2−l . 2n −1

S(ρmax ) = −(1 − 2−l )log(1 − 2−l ) 2−l −l = −2 log n 2 −1 ∼ (n + l)2−l

Now Apply Holevo’s theorem. Alice Eve Bob

I(Eve, AandB) < S(ρ) < O(2−l ) Problems: 1. need efficient codes (CSS works) 2. need quantum memory 3. need quantum computer The last two are done away with by BB84.

4

CSS Code Protocol

Step 1: EPR → Random Codes The circuit is equivalent to: |k>

E Bell

Eve

U XZ

† |ψ� = DUxz EEve Uxz E |k�

5

D

Also equivalent to:

xz |k>

E

U XZ

Eve

U XZ

D

Step 2: Let C1 , C2 be classical [n, k1 ] and [n, k2 ] codes correcting up to t errors with C2 ⊂ C1 . CSS(C1, C2) is a [[n, k1 , k2 ]] quantum code with states: |ψk � =

1 � |vk + w�, |C2 | w∈C 2

where vk is a coset representative of C2 in C1 . C2

C1

I vk=1

Define: CSSzx (C1 , C2 ) |ψkzx � = �

1

�

|C2 | w∈C2

(−1)vk +w−z

CSS code protocol: zx

|k>

encode CSSxz

b

p

permute

|checkbit>

• Alice announces x, z, p, b 6

H

Eve

b check Q mem

H

sort decode CSSxz

• Bob does:

k

• If error rate > tn, abort

5

Secure BB84

1. Remove Quantum Computer Bob doesn’t care about z errors. ρ=

1 � |ψkxz ��ψkxz | 2n z

Alice need not reveal z! ρ =

1 � |vk + w + x��vk + w + x| |C2 | w∈C 2

= |random bit string� 2. Remove Quantum Memory Double number of qubits and bob measures random b� , keep if b� = b. Final Protocol b random bits

H

b' Eve

1. A and B discard if bi = � b�i 2. compare check bits, obtain A : x, B : x + � 3. A announces x − vk 4. B computes x + � − (x − vk ) = � + vk 5. correction in C1 → vk 6. Both compute coset index vk → k

7

H