Bidirectional quantum secure communication scheme based on Bell states and auxiliary particles

Bidirectional quantum secure communication scheme based on Bell states and auxiliary particles

Optics Communications 283 (2010) 5275–5278 Contents lists available at ScienceDirect Optics Communications j o u r n a l h o m e p a g e : w w w. e ...
Download PDF
168KB Sizes 0 Downloads 58 Views
Report

Optics Communications 283 (2010) 5275–5278

Contents lists available at ScienceDirect

Optics Communications j o u r n a l h o m e p a g e : w w w. e l s ev i e r. c o m / l o c a t e / o p t c o m

Bidirectional quantum secure communication scheme based on Bell states and auxiliary particles Guo-Fang Shi School of Science, Xi'an University of Posts and Telecommunications, Xi'an 710061, China

a r t i c l e

i n f o

Article history: Received 23 May 2010 Received in revised form 2 August 2010 Accepted 2 August 2010

a b s t r a c t A bidirectional quantum secure communication protocol is presented. By introducing the auxiliary particle and utilizing the special character of Bell state, “correlation extractability”, our scheme cannot only discard the drawback, “information leakage”, but also is easy to implement. © 2010 Elsevier B.V. All rights reserved.

Keywords: Quantum secure communication Bell state Auxiliary particle

1. Introduction Quantum key distribution (QKD) is an unconditionally secure method with which two remote legitimate users (say Alice and Bob) can establish a shared secret key. Since Bennett and Brassard presented the original QKD scheme [1] (BB84QKD), much attention has been focused on QKD [2–6]. Recently, a novel concept, quantum secure direct communication (QSDC) has been proposed and pursued [7–9]. QSDC can be used in some special environments as shown by Boström and Felbinger [8] and Deng et al. [9]. In QSDC scheme, Bob can decode Alice's encoded secret directly after his measurement without establishing a prior secret key. Based on the idea of QSDC, bidirectional quantum communication (or called quantum dialogue) is proposed [10–12]. However, Gao et al. [13] and Tan and Cai [14] independently proved that there exists a kind of insecurity, called “information leakage”, or “classical correlation” in bidirectional quantum communication, because the classical communication is erroneously used in those protocols [10–12]. That is, the dishonest eavesdropper can elicit half of the secret from the classical communication of the legitimate communicators. Fortunately, very recently, the authors proposed two schemes overcoming this insecurity by using a shared private Bell state [15] and utilizing the idea of BB84 [16]. In this paper, by introducing auxiliary particle and utilizing the “correlation extractability” of Bell state, we propose another bidirectional quantum communication protocol without information leakage. In our scheme, Bell states are used to encode the secret message

of two legitimate users, auxiliary particles and Bell measurements are used for two communicators to extract secret message respectively. As a result, less times of Bell measurements are required than [15], averagely once per three-bit secret message, which is the advantage of our protocol. Hence, our scheme is easier to realize than the scheme [15]. We present our scheme in section II, analyze the security in section III, and make conclusion and discussion in section IV. 2. Description of the protocol Before describing the scheme, let us consider the special property of GHZ state, called “correlation extractability” [17–19]. Consider any three-particle GHZ state, which is in the: jψ〉abc = 1 pffiffiffið j n1 ; n2 ; n3 〉 + jn1 ; n2 ; n3 〉Þabc . The subscripts denote the different 2

particles, ni = 0, 1, and ni = 1−ni ði = 1; 2; 3Þ. If one prepares an auxiliary particle in the state |0 〉 d, the whole state is as follows: 1

1

ψ = jψ〉abc j0〉d = pffiffiffi ð jn1 ; n2 ; n3 ; 0〉 + jn1 ; n2 ; n3 ; 0〉Þabcd 2

One performs controlled-not operations with b, c as control qubits and d as target qubit. According to the computational basis, double controlled-not operations are represented by the followings: |c1 〉 |c2 〉 |t 〉 → |c1 〉 |c2 〉 |t ⊕ c1 ⊕ c2 〉. The state of the whole system is as follows: 1

2

ψ →ψ =

1 pffiffiffi ðjn1 ; n2 ; n3 〉 2

+ jn1 ; n2 ; n3 〉Þabc jn1 ⊕ n2 〉d

= jψ〉abc jn1 ⊕ n2 〉d

E-mail address: [email protected]. 0030-4018/$ – see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.optcom.2010.08.006

Where ⊕ is the addition module 2 and the equation n1 ⊕ n2 = n1 ⊕ n1 is satisfied. As is shown, two operations (UC − Not)b, d and

5276

G.-F. Shi / Optics Communications 283 (2010) 5275–5278

(UC − Not)c, d make the GHZ state unchanged and the state |0 〉 d become |n1 ⊕ n2 〉 d. Anyone who owns |n1 ⊕ n2 〉 d can obtain the correlation between any two qubits in a GHZ state. It is a special property of GHZ state, called “correlation extractability” [17–19]. Similar property also exists for multipartite GHZ states. Being a special case of GHZ state, Bell state owns the above nature unexceptionally. In this paper, we shall utilize the “correlation extractability” of two Bell states |Φ+ 〉 and |Ψ− 〉

step (3). Otherwise, they terminate the process and discard their transmission, then start from the step 1). 2.3. Step 3: the second security check

ð3Þ

If they are certain that no eavesdropping exists, Alice sends Bob the remaining sequence A, of course, the samples δ1 that have been measured are dropped from this sequence. After confirming Bob's receiving the transmission of sequence A, Alice and Bob cooperate to make the second security check as follows: (a) Alice tells Bob the positions and the preparing state of sample EPR pairs δ2;(b)Bob takes these δ2 sample particles Pi(A), Pi(B) from sequence A and B, and performs Bell-basis measurement. He records the results of measurements; (c) Bob estimates the error rate of the transmission of sequence A by making a comparison between initial state and Bell measurement results of [Pi(A), Pi(B)]. If the error rate is zero, they continue the communication and go on to do the next step 4). Or else, they stop the process.

1 − − ðUC−Not Þa;c ðUC−Not Þb;c j Ψ 〉ab j 0〉c = pffiffiffi ð j 0; 1〉Þ−j 1; 0〉Þab j0〉c = j Ψ 〉a;b j1〉c 2

2.4. Step 4: controlled-not operations and preparing for the third security check

1 1 þ jΦ 〉ab = pffiffiffi ð j0; 0〉Þ + j1; 1〉Þab = pffiffiffi ð j + ; + 〉Þ+ j−; −〉Þab 2 2

ð1Þ

1 1 − jΨ 〉ab = pffiffiffi ð j0; 1〉Þ− j1; 0〉Þab = pffiffiffi ð j + ; −〉Þ− j−; + 〉Þab 2 2

ð2Þ

1 þ þ ðUC−Not Þa;c ðUC−Not Þb;c j Φ 〉ab j0〉c = pffiffiffi ð j 0; 0〉Þ + j 1; 1〉Þab j 0〉c = jΦ 〉a;b j 0〉c 2

ð4Þ In the following we focus on the description of this protocol in ideal condition (the quantum channel is noiseless and device is perfect.) and the case in practice will be briefly discussed later. Suppose Alice has secret message N bits {i1, i2, ⋯, in, ⋯, iN}, Bob has a secret message 2 N bits {(j1, k1), (j2, k2), ⋯, (jn, kn), ⋯ (jN, kN)}, where in, jn, kn ∈ {0, 1}, n ∈ {1, 2, ⋯, N} and N is a large integer. Alice and Bob want to exchange their message securely. In order to realize bidirectional communication, they agree that Alice transmits her 1-bit secret message by means of deterministic secure quantum communication, Bob can perform Ujn, kn, Ujn, kn ∈ {I, σx, iσy, σz} to encode his 2-bit secret information 00, 01, 10, 11 respectively.

Bob produces (N+ δ3 + δ4) single photons Cn, n ∈ {1, 2, ⋯, N + δ3 + δ4}, in initial state |0 〉 and performs (N+ δ3 + δ4) times double controllednot operations (UC − Not)An, Cn and (UC − Not)Bn, Cn on |0 〉 Cn. He asks Alice for the positions of the checking EPR pairs (δ3 + δ4), consequently he picks up (δ3 + δ4) entangled particles from sequence A and B. Thus, the remainders, consisting of Pn(A) and Pn(B), i.e., N message EPR pairs, are used to exchange secret message. To guarantee the secure communication, Bob mixes checking EPR pairs (δ3 + δ4) with N message EPR pairs again in a new order, thus, new sequences formed. For simplicity, we call them sequence A′ and B′ respectively. At the same time, Bob collects all single photons Cn in new order accordingly. Bob sends sequence A′ to Alice.

I = j0〉〈0j + j 1〉〈1 j; σx = j 0〉〈1j + j 1〉〈0j ; iσy = j0〉〈1j − j1〉〈0j ; σz = j0〉〈0j − j1〉〈1j

2.5. Step 5: The third security check

2.1. Step 1: The preparation process for the communication Alice produces N EPR pairs, called message pairs, randomly in one of two states |Φ+ 〉 or |Ψ− 〉. She also prepares (δ1 + δ2 + δ3 + δ4) EPR pairs for security check randomly in one of states |Φ+ 〉,|Ψ− 〉. She mixes them with N message pairs above. We denote the total EPR pairs as follows: [P1(A), P1(B)], [P2(A), P2(B)], ⋯, [PN + δ1 + δ2 + δ3 + δ4(A), PN + δ1 + δ2 + δ3 + δ4(B)], where subscripts indicate the order of EPR state in sequence, and A, B represent the different particles in one EPR pair respectively. Then Alice takes particles A from each EPR pair, consisting of the followings:[P1(A), P2(A), ⋯, PN + δ1 + δ2 + δ3 + δ4(A)], called sequence A, the remaining partner particles compose another particle sequence as follows:[P1(B), P2(B), ⋯, PN + δ1 + δ2 + δ3 + δ4(B)], and it is called sequence B. Alice sends sequence B to Bob.

Bob confirms that Alice has received the sequence A′, he informs the positions of checking particles δ3 to Alice. They analyze the security of transmission of sequence A′ similar to step (2). The initial states of these check EPR pairs δ3 are known to Bob as long as he measures his corresponding single photons. If the measurement result of Cn(n ∈ δ3) is |0 〉 (or|1 〉), the initial state must be |Φ+ 〉 (or|Ψ− 〉), and the deterministic correlations correspond to Eqs. (1)((2)). Only by the error rate is zero, do they continue to do the next step. Otherwise, they give up the communication. 2.6. Step 6: Bob's encoding and preparation for the fourth security check Bob encodes his 2-bit secret message (jn, kn) by applying UjMn, kn on Pn(B) of message pairs, and he also encodes checking message by operating UjCn, kn on Pn(B) of checking pairs δ4. Here UjMn, kn, UjCn, kn ∈ {I, σx, iσy, σz}. Bob sends sequence B′ to Alice.

2.2. Step 2: the first security check 2.7. Step 7: the fourth security check After receiving Bob's confirmation of receiving all the particles B, Alice and Bob collaborate to check eavesdropping with the following procedures: (a) Alice tells Bob the positions of checking particles δ1 in classical manner; (b) Bob chooses randomly one of the two sets of measuring basis, i.e., σz and σx to measure particles δ1, Bob tells Alice the chosen measurement basis and corresponding outcomes through classical channel; (c) Alice chooses the same measuring basis as Bob has used to measure corresponding particles whose partners have been measured by Bob. (d) They compare their outcomes publicly. If there are no attacks, their results should have deterministic correlations according to equations (1,2), in this case, the procedure goes to

After receiving the sequence B′, Alice informs Bob and they make security check as follows: (a) Bob informs the positions of checking pairs δ4, (b) Alice collects all checking EPR pairs and makes Bell measurements, then she announces the outcomes to Bob; (c) After receiving Alice's outcomes and measuring his single photons Cn(n ∈ δ4) (from the state of these single photons Bob knows the initial state of checking EPR pairs δ4), Bob can extract the checking message which Alice obtains. Here we only consider its corresponding transformations denoting as U'Cjn, kn. Then he estimates the error rate by comparing his unitary operation UjCn, kn with Uj'nC, kn, if UjCn, kn = U'Cjn, kn, they are sure that there is

G.-F. Shi / Optics Communications 283 (2010) 5275–5278

5277

not Eve in line and continue the next step, or else, they give up the communication.

also be detected with 1/2 probability in step 3) because the EPR pairs have collapsed once Eve measures the sequence A.

2.8. Step 8: bidirectional communication

  1  þ 1  þ − − j00〉 = pffiffiffi jΦ 〉 + jΦ 〉 ; j11〉 = pffiffiffi jΦ 〉−jΦ 〉 ; 2 2

ð5Þ

 1  þ 1 þ − − j + + 〉 = pffiffiffi jΦ 〉 + jΨ 〉 ; j + −〉 = pffiffiffi ð jΦ 〉−jΨ 〉Þ; 2 2

ð6Þ

If the quantum channel is secure, they intend to complete communication. Alice first sends N-bit classical information string to Bob according to her secret message and the initial state of quantum channel. If Alice's secret message is 0 (or 1), the initial Bell state is |Φ+ 〉, the transmitted bit is the same as the secret message bit. Otherwise if Alice's secret message is 0 (or 1), the initial Bell state is |Ψ− 〉, the not value of the secret message bit is sent. With this classical information, Bob can extract Alice's N-bit secret message as long as he performs single-particle measurements on all Cn(n ∈ {1, 2, ⋯, N}) and makes the addition module 2. Here they agree that |0 〉 Cn (|1 〉 Cn) corresponds to classical information bit “0” (“1”) respectively. On the other hand, owning sequence A′ and B′, Alice collects all EPR pairs [Pn (A), UM jn, kn Pn(B)], of course, the samples EPR pairs δ4 that have been measured are dropped from here. She can also obtain Bob's 2 N-bit secret message on condition that she makes Bell measurements on [Pn (A), UM jn, kn Pn(B)] and compares the measurement outcomes with her preparing initial state [Pn(A), Pn(B)]. For example, if the third secret message of Alice is 0, Bob's secret message is “01”. Suppose Alice produces the initial state |Ψ− 〉 A3, B3 as quantum channel. Bob prepares |0 〉 C3 and performs double controlled-not operations (UCNot)A3, C3(UCNot)B3, C3 on |Ψ− 〉 A3, B3|0 〉 3. −



ðUCNot ÞA3 ;C3 ðUCNot ÞB3 ;C3 jΨ 〉A3 ;B3 j0〉C3 = jΨ 〉A3 ;B3 j1〉C3 Since the entangled state of A3 and B3 keep unchanged, Bob encodes his secret message j3, k3 = 01 by applying UjM = σx on 3, k3 particle B3. When they are certain that all the above steps are secure, they can realize bidirectional communication as step (8). That is, Alice announces classical information “1” to Bob. Bob extracts Alice's 1-bit secret message by measuring single photon |1 〉 C3 and calculating 1 ⊕ 1 = 0. Alice obtains Bob's secret message 01 when she compares the initial state |Ψ− 〉 A3B3 and the measurement outcome |Φ− 〉 A3B3. 3. Security analysis Now we discuss the security of this bidirectional quantum communication protocol. One can see the security of the steps (4–7) is based on the transmission of sequence A′. The fourth security check about the transmission of sequence B′ is to judge whether the secret message of Bob have been disturbed. Once the transmission of sequence A′ is securely transmitted, Eve can only disturb the transmission of sequence B′ and cannot obtain any secret message because no one can distinguish EPR state by access to only one qubit. The reduced density matrix of particle 1 B is: ρB = trA f jΨF 〉〈ΨF j g = trA f jΦF 〉〈ΦF j g = I (here I is a 2× 2 2 identity matrix), which is a mixed state, the eavesdropping on this particle gives no useful information to Eve. The transmission and the third security check of sequence A′ is similar to the procedures in BBM92 QKD protocol. As is known to all, the security of BBM92 QKD is equivalent to that of BB84 protocol [3], which has been proven to be secure [20–22], so the security of the steps (4–7) can be guaranteed. On the other hand, the steps (1–3) is something like that of Long and Liu's QKD scheme [6], where EPR pair is in one of the four Bell states. Here the preparing of EPR pair at Alice's side is only in one of two states |Φ+ 〉 A, B or |Ψ− 〉 A, B. So we shall discuss some of possible attacks Eve adopts. (a) Measure-resend attack: In this case, Eve intercepts the sequence B, measures each particle and then she sends them to the receiver. Since the measurement basis Alice and Bob choose are not always consistent with that of Eve, this attack can be detected with 1/4 probability in step 2) (when Eve and legitimate users choose the same measurement basis, no error takes place, otherwise, error rate is 1/2. 1 1 1 1 The total error rate is × 0 + × = Þ. Of course, this attack can 2

2

2

4

1

1

Where jΦ− 〉 = pffiffiffi ð j00〉− j11〉Þ = pffiffiffið j + −〉+ j−+ 〉Þ, jΨþ 〉 = 1 pffiffiffi 2

ð j01〉 + j 10〉Þ =

2 1 pffiffiffið j 2

2

+ + 〉−j−−〉Þ. (b)Intercept-resend attack:

Eve intercepts the sequence B and substitutes them with her prepared qubits which belong to her own EPR pairs. However, this attack can be detected with 1/2 probability because the entanglement correlation in equations ((1)–(2)) is destroyed. (c) Entanglement-measure attack: Eve may steal partial information by performing unitary operations on Pi(B)(assumed to be in the state |i〉) and her auxiliary particle (prepared in state |χi 〉 e) when the sequence B passing by. U ˆji〉⊗jχi 〉e = αji〉jχi 〉e + βji⊕1〉jχi⊕1 〉e Obviously, with a probability |β|2 Eve will be detected when Alice and Bob make the security checking under measuring basis (|0〉,|1〉). (d)Double controlled-not operations attack: Eve prepares auxiliary particle in initial state |0〉 En, she wish to extract Alice's secret message beforehand by performing double controllednot operations (UC − not)An, En(UC − not)Bn, En on |0 〉 En as Eqs. ((3), (4)) when sequence A and B passing by. Whereas, this attack can also be detected in step 2). For instance, Alice produces |Φ+ 〉 An, Bn as initial state, Eve intercepts sequence B and performs controlled-not operation 1 (UC − not)Bn, En, that is as follows: ðUC−not ÞBn ;En jΦþ 〉An ;Bn j0 〉En = pffiffiffi 2 h 1 ð j000〉+j111〉ÞAn ;Bn ;En = ð j+ + 〉+ j−−〉ÞAn ;Bn j+ 〉En + ð j+ −〉+ 2

j− + 〉ÞAn Bn j−〉En , obviously, this attack can be detected in step 2) with probability

1 2

×0+

1 2

×

1 2

1 4

= . That is to say, the security check in

steps 2) and 3) are effective to detect the eavesdropper. We can ascertain whether the steps (1–3) are secure or not from the statistical probability result. In the following, we will discuss the problem, “information leakage”. Still taking |Φ+ 〉 A3, B3 and |0 〉 C3 as example, three particles can be used to exchange three-bit secret message, this fact obeys the highest capacity of Holevo limit. Bob extracts Alice's secret message with the help of Alice's bit string and measuring result of particle C3, anyone who hearing Alice's classical bit string cannot extract the secret message of Alice because he does not know the measuring result of particle C3. So Alice's secret message is completely secure. Alice decodes the secret message of Bob similar to the two-step QSDC scheme [9], where no classical communication exists, anyone has no chance to extract Bob's secret message. So “information leakage” does not exist. In all, our protocol is secure against typical attacks above. 4. Discussion and Conclusion In summary, we have proposed a bidirectional quantum secure communication based on Bell states and auxiliary particles, we have also analyzed the security of it. In our scheme, the auxiliary particle and special property of Bell state, called “correlation extractability” are utilized. These techniques enable this scheme to have some good features. First, comparing with the previous bidirectional quantum communication [10,11], our scheme overcomes the drawback “information leakage” as analyzed just now. Second, comparing with [15], where Bell measurement is needed averagely once per two-bit secret message, our scheme needs less number of Bell measurements, averagely once per three-bit secret message. This makes our scheme easy to implement in the experiment.

5278

G.-F. Shi / Optics Communications 283 (2010) 5275–5278

In the end, I want to say, the present scheme is suitable and convenient for the bidirectional quantum communication where the amounts of Bob's secret message are twice as many as that of Alice. The cases like this are very common. For instance, both sides exchange their secret message in the form of question and answer. If the secret information of Alice and Bob are equal, our scheme should be modified in three aspects: (1)in step 1), Alice produces N EPR pairs, called message pairs, randomly in one of four Bell states|Φ+ 〉 A, B, |Φ− 〉 A, B, |Ψ+ 〉 A, B, |Ψ− 〉 A, B. (2) in step 4), Bob introduces two auxiliary particles |0 〉 C1, |0 〉 C2 and adopts the circuit for the non-destructive Bell states discrimination as [23] where controlled-not operations and Hadamard operations are all used. (3) in step 8), Alice sends Bob the classical bit string with the length of 2 N. Thus, Alice and Bob can exchange secret information equally. Of course, the security of it is still identical to our present scheme. Surely, the explicit steps in our scheme and the security analysis above are all based on ideal condition. In practice, the transmission and detection always have finite efficiency, noise inevitable exists. Therefore, some of the EPR pairs that are being sent between two parties will be lost, and entanglement is not distributed faithfully. It is thus necessary for Alice and Bob to do quantum entanglement swapping [24,25] for the security of transmission similar to that in [9], and entanglement purification [26,27] and quantum error correction [28,29] for reducing the effect of noise. Acknowledgments We are very grateful to the anonymous referees for their valuable opinions. This work was supported by The Natural Science Foundation of Shaanxi Province of China under Grant Nos. 2009JQ8006, 2009JM6001, 2010JM1011, the Specialized Research Program of Education Bureau of

Shaanxi Province under Grant Nos. 2010JK828, 2010JK819, 2010JK843 and The Youth Foundation of Xi'an University of Posts and Telecommunications under Grant No. ZL2010-33.

References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29]

C.H. Bennett, G. Brassard, Bangalore, India, IEEE, New York, 1984 p175. A. Ekert, Phys. Rev. Lett. 67 (1991) 661. C.H. Bennett, G. Brassard, N.D. Mermin, Phys. Rev. Lett. 68 (1992) 557. C.H. Bennett, Phys. Rev. Lett. 68 (1992) 3121. A. Cabello, Phys. Rev. Lett. 85 (2000) 5635. G.L. Long, X.S. Liu, Phys. Rev. A 65 (2002) 032302. A. Beige, B.G. Englert, C. Kurtsiefer, et al., Acta Phys. Pol. A 101 (2002) 357. K. Boström, T. Felbinger, Phys. Rev. Lett. 89 (2002) 187902. F.G. Deng, G.L. Long, X.S. Liu, Phys. Rev. A 68 (2003) 042317. B.A. Nguyen, Phys. Lett. A 328 (2004) 6. Z.X. Man, Z.J. Zhang, Y. Li, Chin. Phys. Lett. 22 (2005) 22. X. Ji, S. Zhang, Chin. Phys. 15 (2006) 1418. F. Gao, F.Z. Guo, Q.Y. Wen, et al., Sci ChinaSer G 51 (2008) 559. Y.G. Tan, Q.Y. Cai, Int. J. QuantumInf. 6 (2008) 325. G.F. Shi, X.Q. Xi, X.L. Tian, et al., Opt. Commun. 282 (2009) 2460. G.F. Shi, X.Q. Xi, M.L. Hu, et al., Opt. Commun. 283 (2010) 1984. F. Gao, Q.Y. Wen, Phys. Lett. A 360 (2007) 748. F. Gao, S. Lin, Q.Y. Wen, et al., Chin. Phys. Lett. 25 (2008) 1561. F. Gao, S.J. Qin, Q.Y. Wen, F.C. Zhu, Opt. Commun. 283 (2010) 192. D. Mayers, J. ACM 48 (2001) 351406. H.K. Lo, H.F. Chau, Science 283 (1999) 2050. P.W. Shor, J. Preskill, Phys. Rev. Lett. 85 (2000) 441. M. Gupta, A. Pathak, R. Srikanth, P.K. Panigrah, arXiv quant-ph/0507096v1 M. Zukowski, A. Zeilinger, A. Horne, A.K. Ekert, Phys. Rev. Lett. 70 (26) (1993) 4287. J.W. Pan, D. Bouwmeester, H. Weinfurter, A. Zeilinger., Phys. Rev. Lett. 80 (18) (1998) 3891. C.H. Bennett, G. Brassard, S. Popescu, B. Schumacher, J.A. Smolin, W.K. Wootters, Phys. Rev. Lett. 76 (1996) 722. J.W. Pan, C. Simon, Phys. Rev. Lett. 89 (2002) 257901. M.A. Nielsen, I.L. Chuang, Cambridge University Press, Cambridge, 2000. P.W. Shor, Phys. Rev. A. 52 (1995) 2493.