Conditional quantum one-time pad
Kunal Sharma, Eyuri Wakakuwa, and Mark M. Wilde

TL;DR
This paper introduces the conditional quantum one-time pad, establishing the optimal secret communication rate as the conditional quantum mutual information, and explores its operational meaning and generalizations in quantum secret sharing.
Contribution
It defines the conditional quantum one-time pad, proves its optimal rate equals the conditional quantum mutual information, and generalizes the model to include negative tripartite interaction information.
Findings
Optimal secret communication rate is I(A;B|E).
Conditional quantum mutual information has a new operational interpretation.
Negative tripartite interaction information is achievable for secret sharing.
Abstract
Suppose that Alice and Bob are located in distant laboratories, which are connected by an ideal quantum channel. Suppose further that they share many copies of a quantum state , such that Alice possesses the systems and Bob the systems. In our model, there is an identifiable part of Bob's laboratory that is insecure: a third party named Eve has infiltrated Bob's laboratory and gained control of the systems. Alice, knowing this, would like use their shared state and the ideal quantum channel to communicate a message in such a way that Bob, who has access to the whole of his laboratory ( systems), can decode it, while Eve, who has access only to a sector of Bob's laboratory ( systems) and the ideal quantum channel connecting Alice to Bob, cannot learn anything about Alice's transmitted message. We call this task the conditional one-time pad, and in this…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Conditional quantum one-time pad
Kunal Sharma
Hearne Institute for Theoretical Physics, Department of Physics and Astronomy, and Center for Computation and Technology, Louisiana State University, Baton Rouge, Louisiana 70803, USA
Eyuri Wakakuwa
Graduate School of Informatics and Engineering, University of Electro-Communications, 1-5-1 Chofugaoka, Chofu-shi, Tokyo, 182-8585, Japan
Mark M. Wilde
Hearne Institute for Theoretical Physics, Department of Physics and Astronomy, and Center for Computation and Technology, Louisiana State University, Baton Rouge, Louisiana 70803, USA
Abstract
Suppose that Alice and Bob are located in distant laboratories, which are connected by an ideal quantum channel. Suppose further that they share many copies of a quantum state , such that Alice possesses the systems and Bob the systems. In our model, there is an identifiable part of Bob’s laboratory that is insecure: a third party named Eve has infiltrated Bob’s laboratory and gained control of the systems. Alice, knowing this, would like to use their shared state and the ideal quantum channel to communicate a message in such a way that Bob, who has access to the whole of his laboratory ( systems), can decode it, while Eve, who has access only to a sector of Bob’s laboratory ( systems) and the ideal quantum channel connecting Alice to Bob, cannot learn anything about Alice’s transmitted message. We call this task the conditional one-time pad, and in this paper, we prove that the optimal rate of secret communication for this task is equal to the conditional quantum mutual information of their shared state. We thus give the conditional quantum mutual information an operational meaning that is different from those given in prior works, via state redistribution, conditional erasure, or state deconstruction. We also generalize the model and method in several ways, one of which is a secret-sharing task, i.e., the case in which Alice’s message should be secure from someone possessing only the or systems but should be decodable by someone possessing all systems , , and .
conditional quantum one-time pad, conditional quantum mutual information
††preprint:
LABEL:FirstPage1 LABEL:LastPage#110
Introduction—This paper shows that the optimal rate of a communication task, which we call the conditional one-time pad, is equal to a fundamental information quantity called the conditional quantum mutual information. To prove this statement, we operate in the regime of quantum Shannon theory H06book ; H12 ; W15book , supposing that Alice and Bob possess a large number of copies of a quantum state . We suppose that one party Alice has access to all of the systems, and another party Bob has access to all of the systems. We suppose that Bob’s laboratory is divided into two parts, one of which is secure (the part) and the other which is insecure (the part) and accessible to an eavesdropper Eve. We also suppose that Alice and Bob are connected by an ideal quantum channel, but the eavesdropper Eve can observe any quantum system that is transmitted over the ideal channel if she so desires. The goal of a conditional quantum one-time pad protocol is for Alice to encode a message into her systems, in such a way that if she sends her systems over the ideal quantum channel, then
Bob can decode the message reliably by performing a measurement on all of the systems, while 2. 2.
an eavesdropper possessing the systems has essentially no chance of determining the message if she tried to figure it out.
We prove that the optimal asymptotic rate at which this task can be accomplished is equal to the conditional quantum mutual information of the state , defined as
[TABLE]
where the quantum mutual information of a state is defined as , with denoting the quantum entropy of the reduced state .
Our main result thus gives an operational meaning to the conditional quantum mutual information (CQMI) that is conceptually different from those appearing in prior works DY08 ; YD09 ; BBMW16a ; BBMW16 . CQMI has previously been interpreted as the optimal rate of quantum communication from a sender to a receiver to accomplish the task of state redistribution DY08 ; YD09 , in which the goal is for a sender to transmit one of her systems to a receiver who possesses a system correlated with the systems of the sender. CQMI has also been interpreted as the optimal rate of noise needed to accomplish the task of conditional erasure or state deconstruction BBMW16a ; BBMW16 , in which (briefly) the goal is to apply noise to the systems of such that the resulting systems are locally recoverable from the systems alone while the marginal state is negligibly disturbed. Recently, the dynamic counterpart of CQMI has been interpreted as the optimal rate of entanglement-assisted private communication over quantum broadcast channels QSW18 , which is inspired by the conditional one-time pad protocol presented in this work.
The conditional mutual information is an information quantity that plays a central role in quantum information theory. The fact that it is non-negative for any quantum state is non-trivial and known as the strong subadditivity of quantum entropy LR73 ; PhysRevLett.30.434 . The strong subadditivity inequality is at the core of nearly every coding theorem in quantum information theory (see, e.g., H12 ; H06book ; W15book ). The CQMI is also the information quantity underlying an entanglement measure called squashed entanglement Christandl2003 , a quantum correlation measure called quantum discord Z00 ; zurek01 (as shown in P12 ), and a steering quantifier called intrinsic steerability KWW16 . The CQMI is also a witness of Markovianity in the sense that if is small, then the correlations between systems and are mediated by the system via a recovery channel from to FR15 . Moreover, the CQMI of three regions with a non-trivial topology leads to the topological entanglement entropy of the system, which essentially characterizes irreducible many-body correlation KP06 ; LW06 ; K12 . The CQMI is thus an important information quantity to study quantum correlations in condensed matter systems (see, e.g., ZCZW15 ). Furthermore, in the context of thermodynamics, the CQMI has been used to establish that the free fermion non-equilibrium steady state is an approximate quantum Markov chain MFMTS16 . The CQMI also plays an important role in high energy physics CLMS15 ; Ding2016 ; PEW17 .
The basic intuition for the achievability of the conditional mutual information for the conditional one-time pad task is obtained by inspecting the expansion in (1) and is as follows: the authors of SW06 showed that the quantum mutual information of a bipartite state is equal to the optimal rate of a task they called the (unconditional) quantum one-time pad. In our setting, the result of SW06 implies that Alice can communicate a message secure against an eavesdropper, who can observe only the systems, such that Bob, in possession of the systems, can decode it reliably, as long as the number of messages is bits. Here, we show that the message of Alice can be secured against an eavesdropper having access to both the and systems if Alice sacrifices bits of the message, such that the total number of bits of the message is , where we have employed (1). The main idea for a code construction to accomplish the above task is the same as that for the classical wiretap channel W75 , which has been extended in a certain way to the quantum case in ieee2005dev ; 1050633 . To prove the achievability part of the main result of our paper, we use a coding technique developed in (itit2008hsieh, , Section III-A) and which was rediscovered shortly thereafter in SW06 and later used in DTW14 . We also employ tools known as the quantum packing and covering lemmas (see, e.g., W15book ). To establish optimality of the CQMI for the conditional one-time pad task, we employ entropy inequalities. We note that the aforementioned methods also lead to a proof of the main result of BO12 , which concerns a kind of quantum one-time pad protocol different from that developed in SW06 or the present paper.
A modification of the coding structure for the conditional one-time pad protocol allows us to establish that the following information quantity
[TABLE]
of a tripartite state is an optimal achievable rate for a particular secret-sharing task that we call information scrambling. In this modified task, we suppose that Alice, Bob, and Eve are three distinct parties. Alice’s laboratory is distant from Bob and Eve’s, but we imagine that Bob and Eve’s laboratories are close together, and an ideal quantum channel connects Alice’s laboratory to Bob and Eve’s. The goal of the information scrambling task is for Alice to communicate a message in such a way that it can be decoded only by someone who possesses all three ABE\systems. If someone possesses only the systems or only the systems, then such a person can figure out essentially nothing about the encoded message.
Our finding here shows that the quantity in (2) is an optimal achievable rate for information scrambling, such that the message is encoded in the non-local degrees of freedom of and cannot be decoded exclusively from the local degrees of freedom, which in this case are constituted by systems or systems .
The rest of our paper proceeds as follows. We first formally define the conditional one-time pad task. We then sketch a proof for the achievability part of our result. We finally discuss variations of the main task, such as the information scrambling task mentioned above and more general tasks, and then we conclude with a brief summary.
The supplementary material provides a detailed proof of the achievability part of our main result. It also establishes the optimality part of our main result: that Alice cannot communicate at a rate higher than the conditional mutual information while still satisfying the joint demands of reliable decoding for Bob (who gets the systems) and security against an eavesdropper who has access to the systems. The optimality proof is based on entropy inequalities and identities.
Conditional quantum one-time pad—We use notation and concepts standard in quantum information theory and point the reader to W15book for further background. Let and let . An conditional one-time pad protocol begins with Alice and Bob sharing copies of the state , so that their state is . As mentioned previously, Bob has access to the systems, but we consider the systems to be insecure and jointly accessible by an eavesdropper. Alice and Bob are connected by an ideal quantum channel, which Eve has access to as well (later we argue that it suffices for Alice and Bob to use only ideal qubit channels, but for now we suppose that the ideal quantum channel can transmit as many qubits as desired). At the beginning of the protocol, Alice picks a message and applies an encoding channel to the systems of , leading to the state . She transmits the system of over the ideal quantum channel. Bob applies a decoding positive operator-valued measure to the systems of in order to figure out which message was transmitted. The protocol is -reliable if Bob can determine the message with probability not smaller than :
[TABLE]
The protocol is -secure if the reduced state on systems is nearly indistinguishable from a constant state independent of the message :
[TABLE]
where we have employed the normalized trace distance.
We say that a rate is achievable for the conditional quantum one-time pad if for all , , and sufficiently large , there exists an conditional one-time pad protocol of the above form. The conditional one-time pad capacity of a state is equal to the supremum of all achievable rates.
Achievability of CQMI for conditional one-time pad—Here we mostly sketch an argument that the CQMI is a lower bound on the conditional one-time pad capacity of , while the supplementary material contains a detailed proof. First, consider the reduced state and a spectral decomposition for it as , where is a probability distribution and is an orthonormal basis. Let be a purification of . Let denote a purification of , with playing the role of a purifying system. Since all purifications are related by an isometry acting on the purifying system, there exists an isometry such that . Applying the isometry followed by a partial trace over can be thought of as a channel that realizes the state as . Similarly, if we apply the isometry and trace over , then this is a channel that realizes the reduced state as .
If we take copies of , then the state can be thought of as the following state . The pure state admits an information-theoretic type decomposition of the following form: where the label indicates a type class and is a maximally entangled state of Schmidt rank with support on the type class subspace labeled by . We can then consider forming encoding unitaries out of the generalized Pauli shift and phase-shift operators
[TABLE]
which act on a given type class subspace and where . The overall encoding unitary allows for an additional phase for and has the form
[TABLE]
where is a vector .
The coding scheme is based on random coding, as is usually the case in quantum Shannon theory, and works as follows. Let . Alice has a message variable and a local key variable . For each pair , Alice picks a vector , of the form described previously, uniformly at random and labels it as . The set constitutes the code, and observe that it is initially selected randomly. If Alice wishes to send message , then she picks uniformly at random from , applies the encoding unitary to the state and sends the systems to Bob. Bob’s goal is to decode both the message variable and the local key variable . Based on the packing lemma, it follows that if , then there is a decoding measurement for Bob, constructed from typical projectors and corresponding to a particular selected code , such that
[TABLE]
for all and sufficiently large , and where the expectation is with respect to the random choice of code . On the other hand, from the perspective of someone who does not know the choice of and who does not have access to the systems , the state has the following form:
[TABLE]
The quantum covering lemma and the properties of typical projectors guarantee that
[TABLE]
where is a parameter that is no more than exponential in , is a small constant, and
[TABLE]
Thus, as long as we pick , then there is an extremely good chance that the state will be nearly indistinguishable from the average state . Now, we can define the event to be the event that Bob’s measurement decodes with high average success probability and the event to be the event that is small. The union bound of probability theory then guarantees that there is a non-zero probability for there to be a code such that the average success probability of Bob’s decoder is arbitrarily high and is arbitrarily small for all , with these statements holding for sufficiently large . So this means that such a code exists. A final “expurgation” argument guarantees that Bob can decode each and with arbitrarily high probability and that is arbitrarily small for all . Therefore, the number of bits that Alice can communicate securely is thus
[TABLE]
so that is an achievable rate. This concludes the achievability proof sketch. As indicated previously, the optimality proof is given in the supplementary material.
We note that it actually suffices to use noiseless qubit channels for the communication of the systems, rather than noiseless qubit channels. This is because Alice can perform Schumacher compression PhysRevA.51.2738 of her systems before transmitting them, and the structure of the encoding unitaries is such that this can be done regardless of which message is being transmitted (see the discussion at the end of (W15book, , Section 22.3)). The Schumacher compression causes a negligible disturbance to each of the states that is transmitted.
Conditional one-time pad of a quantum message—We note that it is possible to define a conditional quantum one-time pad of a quantum message, in which the goal is to transmit one share of a quantum state securely in such a way that Bob, possessing systems , can decode the quantum message in , while someone possessing the systems cannot learn anything about the quantum system . Our result here is that is the optimal rate for this task of conditional one-time pad of a quantum message. The optimality proof is nearly identical to the optimality proof given previously, except that we start with the assumption that the initial state is a maximally entangled state , such that the quantum information in system can be decoded well. Then, the proof starts with the condition that and proceeds identically from there. For the achievability part, we perform a coherent version of the above protocol, as reviewed in (W15book, , Section 22.4), and we find that it generates coherent bits prl2004harrow , which are secure from someone possessing the systems, at a rate equal to . By the coherent communication identity from prl2004harrow , it follows that qubits can be transmitted securely at a rate equal to .
Generalizations—We note that the coding scheme outlined above in the achievability proof can be generalized in several interesting ways. Suppose that Alice shares a state with “many Bobs”, i.e., one of the form for some positive integer . Then Alice might wish to encode a message in her systems of in such a way that only someone possessing all of the systems would be able to decode it, but someone possessing system and some subset would not be able to determine anything about the message . Alice might wish to protect the message against several different subsets , for , as in secret sharing. Then we could structure a coding scheme similar to our achievability proof to have a message variable and a local key variable , such that
[TABLE]
Given that
[TABLE]
is always non-negative, the coding scheme guarantees that this information difference is an achievable rate that accomplishes the desired task. We note that the secret-sharing task discussed above is different from the previously considered protocols in HBB99 ; SS18 , and references therein.
A particular case of interest is the scenario mentioned earlier in the paper and which we called information scrambling. There, Alice, Bob, and Eve share a state , and the goal is for Alice to encode a message in the system such that someone possessing the systems can decode it, but someone possessing the systems or the systems cannot determine anything about the message (i.e., the message has been scrambled in the nonlocal degrees of freedom of the state and is not available in or ). According to the above reasoning, an achievable rate for this task is the information quantity . This rate is also optimal.
We note also that our methods give a concrete and transparent approach to prove the results of BO12 , as discussed in the supplementary material. In particular, we have established an information-theoretic converse of that result using entropy identities and inequalities along the lines presented previously, and the achievability part of that result can be accomplished by using the encoding unitaries discussed earlier, along with the quantum packing and covering lemmas.
Our operational interpretation of the conditional mutual information also leads to an interesting operational interpretation of the squashed entanglement of a bipartite state : we can consider squashed entanglement to be the optimal rate of secure communication in the conditional one-time pad if an eavesdropper has the system of the worst possible extension of the state , given that squashed entanglement is defined as Christandl2003 . This is analogous to the interpretations from O08 and the follow-up one in BBMW16 .
Conclusion—In this paper, we proved that the conditional mutual information of a tripartite state is equal to the optimal rate of secure communication for a task that we call the conditional one-time pad. This represents a fundamentally different operational interpretation of conditional mutual information that is conceptually simple at the same time. Furthermore, due to the fact that the optimal rate is given by conditional mutual information, the conditional one-time pad is an example of a communication task in which non-Markov quantum states are used as a resource HJPW04 ; EW18 . In the continuing quest to understand a refined generalization of conditional mutual information, as has been attempted previously in BSW14 ; DHO14 ; BCT16 ; ADJ17 , the protocol of conditional one-time pad might end up being helpful in this effort.
Acknowledgements.
We thank David Ding, Rahul Jain, and Andreas Winter for discussions related to the topic of this paper. MMW acknowledges support from the Office of Naval Research and the National Science Foundation. KS acknowledges support from the Department of Physics and Astronomy at LSU and the National Science Foundation under Grant No. 1714215.
Appendix A Preliminaries
We begin by reviewing some definitions and prior results relevant for the rest of the supplementary material. We point readers to [3, 2, 1] for background.
A.1 Quantum states, quantum fidelity, and trace distance
Throughout this work, we restrict ourselves to finite-dimensional Hilbert spaces. Let denote a Hilbert space. Let denote the set of density operators (positive semi-definite with unit trace) acting on . The Hilbert space for a composite system is denoted as where . The density operator corresponding to a state of a composite system is denoted as , and the reduced state , where . A purification of a density operator is a pure state such that , where is called the purifying system. All purifications of a density operator are related by an isometry acting on the purifying system. The maximally mixed state acting on the Hilbert space is denoted by .
The fidelity of two quantum states is defined as [43] , where denotes the trace norm. The trace distance between two density operators is equal to . The operational interpretation of trace distance is that it is linearly related to the maximum success probability in distinguishing two quantum states.
A.2 Typical set, strongly typicality, typical subspace, typical projector, properties of typical subspace
Suppose that a random variable takes values in an alphabet with cardinality . Consider an i.i.d. information source that samples independently from the distribution , corresponding to random variable , and emits realizations .
Let be the number of occurrences of the symbol in the sequence .
Definition 1** (Type)**
The type or empirical distribution of a sequence is a probability mass function whose elements are where
[TABLE]
Definition 2** (Type Class)**
Let denote the type class of a particular type . The type class is the set of all sequences with length and type :
[TABLE]
Definition 3** (Strongly Typical Set)**
The -strongly typical set is the set of all sequences with an empirical distribution that has maximum deviation from the true distribution . Furthermore, the empirical distribution of any sequence in vanishes for any letter for which :
[TABLE]
We now discuss the notion of a quantum information source and recall definitions of a typical subspace and typical projectors. Analogous to the notion of a classical information source, a quantum information source randomly emits pure qudit states in a finite-dimensional Hilbert space . Consider the following spectral decomposition of a density operator :
[TABLE]
Now suppose that the quantum information source emits a large number of random quantum states. The density operator corresponding to the emitted state is given by
[TABLE]
A spectral decomposition of the aforementioned state is as follows:
[TABLE]
where , and .
Definition 4** (Typical Subspace)**
The -typical subspace associated with many copies of a density operator, as defined in (18), is a subspace of the Hilbert space . It is spanned by states whose corresponding classical sequences are -typical, i.e.,
[TABLE]
Definition 5** (Typical Projector)**
The typical projector is a projector onto the typical subspace associated with a density operator, as defined in (18):
[TABLE]
Definition 6** (Type Class Subspace)**
The type class subspace associated to type is the subspace spanned by all states with the same type:
[TABLE]
Definition 7** (Type Class Projector)**
Let denote the type class subspace projector associated to type :
[TABLE]
Using the aforementioned definitions, we now state three useful properties of the strongly typical subspace . We point readers to [3] for a review of the proofs of these properties.
Property A.1** (Unit Probability)**
The probability that the quantum state is in the strongly typical subspace approaches one as becomes large, i.e.,
[TABLE]
for all , , and sufficiently large .
Property A.2** (Exponentially Smaller Dimension)**
The dimension of the strongly typical subspace () is exponentially smaller than the dimension of the entire space of quantum states when the output of the quantum information source is not maximally mixed. The mathematical form of this property is as follows:
[TABLE]
where is some positive constant.
Property A.3** (Equipartition)**
The action of the strongly typical projector on the density operator is to select out all the basis states of that are in the typical subspace and form a sliced operator. The following operator inequality holds for the sliced operator :
[TABLE]
A.3 Packing lemma
Definition 8** (Ensemble)**
Suppose that a random variable with probability density function takes values in an alphabet with cardinality . Consider an ensemble of quantum states where each realization x can be encoded into a quantum state . The expected density operator of the ensemble is
[TABLE]
For a reliable transmission of classical information, Alice can select a subset of for encoding, and Bob’s task is to distinguish this subset of states. The subset constitutes the code. We now recall the statement of the packing lemma.
Lemma 9** (Packing Lemma)**
Suppose that Alice has an ensemble , as in Definition 8. Suppose that codeword subspace projectors and a code subspace projector exist, and they project onto subspaces of the Hilbert space , and these projectors and ensemble satisfy the following conditions:
[TABLE]
where , , and . Suppose that is a message set of size with elements . Consider a set of random variables generated independently at random according to , so that each random variable takes a value in and corresponds to the message . However, its distribution is independent of the particular message , and therefore, the set constitutes a random code. Then there exists a corresponding POVM that reliably distinguishes the states , in the sense that the expectation of the average probability of detecting the correct state is high:
[TABLE]
when is large, , and is small.
We note that Bob can construct POVM by using the codeword subspace projectors and the code subspace projector . In particular, Bob can employ a square-root measurement or a sequential decoding strategy. We point readers to [3, Chapter 16] for a review of an explicit construction of POVM and a complete proof of the packing lemma.
A.4 Covering lemma
The goal of the covering lemma is to cover Eve’s space in such a way that Eve cannot distinguish different classical messages that Alice is sending to Bob. We start by defining two relevant ensembles for the covering lemma. We follow the convention from [3] and refer to the two different ensembles as the “true ensemble” and the “fake ensemble.”
Definition 10** (True Ensemble)**
For our discussion, the true ensemble is defined in the same way as in Definition 8.
Definition 11** (Fake Ensemble)**
Let be a set such that . The fake ensemble is defined as follows:
[TABLE]
Let denote the “fake expected density operator” of the fake ensemble:
[TABLE]
The goal for Alice is to generate a fake ensemble such that the trace distance between in (35) and in (28) is small. Moreover, in order to achieve a higher private communication rate, it is required to make the size of fake ensembles as small as possible while still having privacy from Eve. We call the trace distance between and the obfuscation error , i.e.,
[TABLE]
We now recall the statement of the covering lemma.
Lemma 12** (Covering Lemma)**
Let be an ensemble as in Definition 8. Suppose a total subspace projector and codeword subspace projectors are given, they project onto subspaces of , and these projectors and each state satisfy the following conditions:
[TABLE]
where , , and . Suppose that is a set of size with elements . Let a random covering code consist of random codewords where the codewords are chosen independently according to the distribution and give rise to a fake ensemble . Then the following bound exists on the probability of having a small obfuscation error of the random covering code:
[TABLE]
when is small and . Thus, it is highly likely that a given fake ensemble has its expected density operator indistinguishable from the expected density operator of the original ensemble .
We point readers to [3, Chapter 17] for a proof of the covering lemma.
A.5 Properties of encoding unitaries
Consider the reduced state and a spectral decomposition for it as , where is a probability distribution and is an orthonormal basis. Consider the following purification of :
[TABLE]
where for all , , and and are orthonormal bases for systems and , respectively. We now start with copies of the above state and write in terms of its type decomposition, as given in Definition 2:
[TABLE]
where is the size of the type class and
[TABLE]
We now consider a Heisenberg-Weyl set of operators that act on all the systems of . We denote one of these operators by where . Along with these operators, Alice applies a phase in each subspace. Therefore, the resulting unitary operator can be expressed as a direct sum of all these unitary operators:
[TABLE]
where is a vector containing all the indices needed to specify the unitary :
[TABLE]
We now recall that a transpose trick holds for such unitary operators. Consider the following chain of inequalities:
[TABLE]
where we have used the direct-sum property of the unitary operator (48) and a transpose trick associated with the maximally entangled state .
Let denote a purification of . Since all purifications are related by an isometry acting on the purifying system, there exists an isometry such that . Applying the isometry followed by a partial trace over can be thought of as a channel that realizes the state as . Moreover, the state can be thought of as the following state .
Appendix B Achievability of CQMI for conditional one-time pad
In this section, we provide a proof that the conditional quantum mutual information is a lower bound on the conditional one-time pad capacity of .
In the conditional one-time pad task, the goal for Alice is to encode information in her share of the state in such a way that Bob can reliably decode the information, while maintaining privacy from Eve. We now construct a coding scheme based on random coding for reliable communication between Alice and Bob. Let . Alice has message variable and a local key variable . If Alice wishes to send message , then she picks uniformly at random from . For each pair , the random code is selected in such a way that the vector , of the form described in (49), is chosen uniformly at random and then the encoding unitary acting on the state is associated to and . Therefore, the set constitutes a random code, given that the vectors are picked uniformly at random; i.e., the way that they are selected is independent of and , but after they are chosen, the association to and is made. Let denote the set of all possible vectors . To be clear, the ensemble from which Alice and Bob are selecting their code can be expressed as
[TABLE]
As described in Lemma 9, if the four inequalities corresponding to the codeword subspace projectors, the code subspace projector, and aforementioned ensemble are satisfied, then there exists a decoding POVM that can reliably decode Alice’s transmitted message. Consider the following respective codeword subspace projectors and a code subspace projector:
[TABLE]
where , , and are the typical projectors for copies of the states , , and , respectively.
Let denote the expected density operator of the ensemble in . We now state the four conditions corresponding to the packing lemma for our code:
[TABLE]
where is some constant, and is given by
[TABLE]
which approaches zero as and . In order to establish these inequalities, we use the properties of typical projectors described in Section A.2 and encoding unitaries described in Section A.5. We point readers to [3, Chapter 23] for a review of related proofs to establish these inequalities.
We now invoke Lemma 9 to demonstrate the existence of a reliable code. Since the four conditions (56)–(59) hold, there exists a POVM that can detect the transmitted states with an arbitrarily low expectation of the average probability of error, as described in Lemma 9. In particular, we get the following upper bound on the expectation of average probability of error:
[TABLE]
where we considered the size of the message set and the local key set combined to be
[TABLE]
Therefore, the number of bits per channel use encoded by and is
[TABLE]
Let and . If we pick large enough and small enough, we can have both and . Therefore, if , Alice can reliably communicate classical messages to Bob.
We now provide a proof for maintaining privacy from an eavesdropper in the conditional one-time pad task. Consider the following respective codeword subspace projectors and a code subspace projector.
[TABLE]
where , , and are the typical projectors for many copies of the states , , and , respectively.
Furthermore, consider the following ensemble derived from (53) by tracing over the systems:
[TABLE]
The ensemble average of this ensemble is given by
[TABLE]
Since for any message , Alice picks uniformly at random from , then from the perspective of an Eve who does not know the choice of , the state has the following form:
[TABLE]
As described in Lemma 12, if the four inequalities corresponding to the codeword subspace projectors, the code subspace projector, and the above mentioned ensemble are satisfied, then it is highly likely that in (70) is indistinguishable from in (69).
We now state the four conditions corresponding to the covering lemma for our code:
[TABLE]
where is some constant. Proofs of these properties are available in [3].
We now invoke Lemma 12 and arrive at the following inequality:
[TABLE]
Thus, if we choose the size of the key set to be , then is doubly exponentially decreasing in . Therefore, if , it is highly likely that the state will be nearly indistinguishable from the average state .
As described earlier, in the conditional one-time pad task, the goal for Alice is to encode information in her share of the state in such a way that Bob can reliably decode the information, while maintaining privacy from Eve. So far, we have shown that Alice can reliably communicate to Bob. Moreover, we have also discussed a strategy that Alice can implement to communicate a classical message to Bob, such that the quantum state that Eve can access has essentially no dependence on the message .
Next, we would like to show the existence of a code that is both reliable and secure. Using the union bound of probability theory, it can be shown that there is a non-zero probability for there to be a code such that the average success probability of Bob’s decoder is arbitrarily high and is arbitrarily small for all , with these statements holding for sufficiently large . Furthermore, a final “expurgation” argument can be applied to show that Bob can decode each and with arbitrarily high probability and that is arbitrarily small for all . These techniques have been used to establish a formula for the capacity of quantum channel for transmitting private classical information in [27, 28]. We point readers to [3, Chapter 23] for a review of a related proof to establish the desired result.
Therefore, the number of bits that Alice can communicate securely is
[TABLE]
and is an achievable rate. This concludes the achievability proof.
Appendix C Optimality of CQMI for conditional one-time pad
In this appendix, we establish that the conditional one-time pad capacity of cannot exceed . To see this, consider an arbitrary protocol of the above form, and suppose that the message is chosen uniformly at random. Then the overall state that describes all systems is
[TABLE]
where is an orthonormal basis and the state is defined in the main text. We can describe Bob’s decoding measurement as a measurement channel
[TABLE]
so that the final output state is
[TABLE]
By the condition in (3) and some further calculations, it follows that
[TABLE]
where is a maximally classically correlated state. A uniform bound for the continuity of mutual information [44] implies that
[TABLE]
where , with the property that . From the Holevo bound [45] or more generally quantum data processing (see, e.g., [3, Section 11.9.2]), it follows that
[TABLE]
By the condition in (4), it follows that
[TABLE]
which in turn implies from [44] that
[TABLE]
Putting everything together leads to the following bound:
[TABLE]
where we used that . Now by several applications of the chain rule for conditional mutual information, we find that
[TABLE]
The second inequality follows because we can consider the sequential action of 1) tensoring in the states and to the th copy of , 2) tensoring in the state , 3) applying the encoding conditioned on the value in , and 4) tracing over the systems all as a local channel acting on the system of , so that
[TABLE]
and the conditional mutual information does not increase under the action of a local channel on an unconditioned system [11]:
[TABLE]
Alternatively, the inequality resulting from (87)–(90) may be seen by the following steps:
[TABLE]
The first inequality follows from non-negativity of conditional mutual information [9, 10], and the second inequality follows from monotonicity of conditional mutual information [11] with respect to a local channel acting on one of the unconditioned systems [in this case, the local channel is the encoding channel that tensors in the maximally mixed state on system and applies the channel ].
Putting everything together, we find the following bound for any conditional one-time pad protocol:
[TABLE]
Taking the limit as and then as allows us to conclude that the conditional mutual information is an upper bound on the conditional one-time pad capacity of .
Appendix D A proof of the converse theorem for a secret-sharing task
In this section, we provide a proof of the converse theorem for a secret-sharing task that we call information scrambling. The goal of the information scrambling task is for Alice to communicate a message in such a way that it can be decoded only by someone who possesses all three systems. If someone possesses only the systems or only the systems, then such a person can figure out essentially nothing about the encoded message.
By using arguments similar to (80)–(86), we find the following two inequalities:
[TABLE]
Therefore, by combining (98) and (99), we arrive at the following bound for any secret-sharing protocol:
[TABLE]
Taking the limit as and then as allows us to conclude that is an upper bound on the information scrambling capacity of .
The proof for the achievability part follows similarly to the achievability part for the conditional one-time pad task, except that we have extra security conditions that should hold. To handle this, we just invoke the covering lemma again to be sure that the key variable is large enough to protect the message variable against local parties who do not have access to all systems of the full state.
Appendix E A proof of the converse theorem for the communication protocol in [31]
We begin by recalling the communication protocol described in [31]. Suppose that Alice, Bob, and Eve share copies of the quantum state , so that their state is . In this communication protocol, Alice, Bob, and Eve have access to the , , and systems, respectively. Alice and Bob are connected by an ideal quantum channel, which Eve has access to as well. The goal of this protocol is for Alice to encode a message into her systems, in such a way that if she sends her systems over the ideal quantum channel, then Bob can decode the message reliably by performing a measurement on all of the systems, while Eve, possessing the systems, has essentially no chance of determining the message if she tried to figure it out.
At the beginning of the protocol, Alice picks and applies an encoding channel to the systems of , leading to the state . She transmits the system of over the ideal quantum channel. Bob applies a decoding positive operator-valued measure to the systems of in order to figure out which message was transmitted. The protocol is -reliable if Bob can determine the message with probability not smaller than :
[TABLE]
The protocol is -secure if the reduced state on systems is nearly indistinguishable from a constant state independent of the message :
[TABLE]
Achievable rates and capacity are defined similarly to the previous cases.
We now provide a proof to establish an upper bound on the rate of communication for an arbitrary protocol of the above form, which is different from the proof given in [31]. Let the message be chosen uniformly at random, and the overall state that describes all systems is defined in the same way as in (77). We can describe Bob’s decoding measurement as a measurement channel similar to (78):
[TABLE]
so that the final output state is
[TABLE]
where
[TABLE]
By using arguments similar to (80)–(86), we find the following bound:
[TABLE]
Now by several applications of the chain rule for conditional mutual information, we find that
[TABLE]
where the first inequality follows because the action of 1) tensoring in the states and to the th copy of , 2) tensoring in the state , 3) applying the encoding conditioned on the value in , and 4) tracing over the systems and can be understood as a local channel acting on the system of . Relabeling system as and systems as , and defining
[TABLE]
we arrive at the inequality, following from the fact that the supremum is taken over quantum channels .
Putting everything together, we find the following bound on the number of bits that Alice can communicate securely:
[TABLE]
Taking the limit as and then as allows us to conclude that
[TABLE]
is an upper bound on the capacity of for this communication task.
Appendix F A proof of the direct coding theorem for the communication protocol in [31]
We now provide a proof of the direct coding theorem for the communication protocol described above, which follows from the coding scheme developed in Section B. Let . Alice has message variable and a local key variable . Before communicating to Bob, Alice can apply any local operation to the systems. Suppose that Alice applies a quantum channel to all copies of the state . Then the overall state that describes all systems is
[TABLE]
Similar to the coding scheme developed in Section B, if Alice wishes to send message , then she picks uniformly at random from . For each pair , the random code is selected in such a way that a vector , of the form described in (49), is chosen uniformly at random and associated with the pair . So if Alice wishes to send the pair , she applies the encoding unitary to the state and sends systems to Bob over the ideal quantum channel. Then we could structure a coding scheme similar to our achievability proof in Section B, such that
[TABLE]
Then if
[TABLE]
is strictly positive, the coding scheme guarantees that this information difference is an achievable rate. Moreover, Alice can further improve the achievable rate of secure communication by optimizing over quantum channels . Therefore, the following rate is an achievable rate:
[TABLE]
This concludes the achievability proof.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Masahito Hayashi. Quantum Information: An Introduction . Springer, 2006.
- 2[2] Alexander S. Holevo. Quantum Systems, Channels, Information . de Gruyter Studies in Mathematical Physics (Book 16). de Gruyter, November 2012.
- 3[3] Mark M. Wilde. Quantum Information Theory . Cambridge University Press, second edition, February 2017. ar Xiv:1106.1445 v 8.
- 4[4] Igor Devetak and Jon Yard. Exact cost of redistributing multipartite quantum states. Physical Review Letters , 100(23):230501, June 2008.
- 5[5] Jon Yard and Igor Devetak. Optimal quantum source coding with quantum side information at the encoder and decoder. IEEE Transactions on Information Theory , 55(11):5339–5351, November 2009. ar Xiv:0706.2907.
- 6[6] Mario Berta, Fernando G. S. L. Brandao, Christian Majenz, and Mark M. Wilde. Conditional decoupling of quantum information. Physical Review Letters , 121(4):040504, July 2018. ar Xiv:1808.00135.
- 7[7] Mario Berta, Fernando G. S. L. Brandao, Christian Majenz, and Mark M. Wilde. Deconstruction and conditional erasure of quantum correlations. Physical Review A , 98(4):042320, October 2018. ar Xiv:1609.06994.
- 8[8] Haoyu Qi, Kunal Sharma, and Mark M. Wilde. Entanglement-assisted private communication over quantum broadcast channels. Journal of Physics A , 51(37):374001, September 2018. ar Xiv:1803.03976.
