One-out-of-$m$ spacetime-constrained oblivious transfer
Dami\'an Pital\'ua-Garc\'ia

TL;DR
This paper introduces unconditionally secure protocols for one-out-of-m spacetime-constrained oblivious transfer, extending previous two-out-of-two protocols to arbitrary m, with applications in quantum cryptography and classical communication settings.
Contribution
It generalizes existing two-out-of-two SCOT protocols to one-out-of-m, introduces the concept of distributed quantum access with classical memory, and discusses potential extensions to k-out-of-m settings.
Findings
Protocols are unconditionally secure for any m â„ 2.
Introduces the task of one-out-of-m distributed quantum access with classical memory.
Extends SCOT to k-out-of-m and discusses classical communication protocols.
Abstract
In one-out-of- spacetime-constrained oblivious transfer (SCOT), Alice and Bob agree on pairwise spacelike separated output spacetime regions in an agreed reference frame in a spacetime that is Minkowski, or close to Minkowski; Alice inputs a message in the causal past of a spacetime point of , for ; Bob inputs in the intersection of the causal pasts of and outputs in ; Alice remains oblivious to anywhere in spacetime; and Bob is unable to obtain in and in for any pair of different numbers . We introduce unconditionally secure one-out-of- SCOT protocols extending the one-out-of-two SCOT protocols of Pital\'ua-Garc\'ia [Phy. Rev. A 93, 062346 (2016)] and Pital\'ua-Garc\'ia and Kerenidis [Phy. Rev. AâŠ
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
One-out-of- spacetime-constrained oblivious transfer
DamiĂĄn PitalĂșa-GarcĂa
Centre for Quantum Information and Foundations, DAMTP, Centre for Mathematical Sciences, University of Cambridge, Wilberforce Road, Cambridge, CB3 0WA, U.K.
Abstract
In one-out-of- spacetime-constrained oblivious transfer (SCOT), Alice and Bob agree on pairwise spacelike separated output spacetime regions in an agreed reference frame in a spacetime that is Minkowski, or close to Minkowski; Alice inputs a message in the causal past of a spacetime point of , for ; Bob inputs in the intersection of the causal pasts of and outputs in ; Alice remains oblivious to anywhere in spacetime; and Bob is unable to obtain in and in for any pair of different numbers . We introduce unconditionally secure one-out-of- SCOT protocols extending the one-out-of-two SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018), for arbitrary integers . We define the task of one-out-of- distributed quantum access with classical memory (DQACM), which works as a subroutine to implement a class of one-out-of- SCOT protocols where distant agents only need to communicate classically. We present unconditionally secure one-out-of- DQACM protocols and one-out-of- SCOT protocols of the class , for arbitrary integers . We discuss various generalizations of SCOT. In particular, we introduce a straightforward extension of SCOT to a -out-of- setting, and suggest protocols where distant agents only need to communicate classically, while we leave the investigation of their security as an open problem.
I Introduction
One-out-of- oblivious transfer is a fundamental cryptographic task that works as a primitive in secure computation Kilian (1988). Secure computation Yao (1982) is an area of cryptography in which two or more mistrustful parties compute a joint function of their private inputs in such a way that there is no information about their inputs, which does not follow from the output of the computation, revealed to the other parties. In an one-out-of- oblivious transfer protocol, Alice inputs messages , Bob inputs a number , and Bob outputs the message . An one-out-of- oblivious transfer protocol must satisfy two security conditions: 1) the condition of security for honest Alice, also denoted as security against dishonest Bob, according to which if Alice follows the protocol honestly but Bob does not, Bob cannot obtain more than one of Aliceâs messages; and 2) the condition of security for honest Bob, also denoted as security against dishonest Alice, according to which if Bob follows the protocol honestly but Alice does not, Alice remains oblivious to Bobâs input .
Protocols for one-out-of- oblivious transfer and more general secure computations have been proposed, with the security being based in computational or technological assumptions, for example, the assumed difficulty of finding the prime factors of large integers Yao (1986); Kilian (1988), or the assumption that quantum memories are bounded or noisy Wehner et al. (2008). However, one-out-of- oblivious transfer and more general secure computations cannot be implemented with unconditional security in the standard setting of non-relativistic quantum cryptography Lo (1997); Colbeck (2007); Buhrman et al. (2012), i.e. it is impossible to guarantee their security only from the laws of quantum physics. In particular, Loâs no-go theorem Lo (1997) states that if a protocol for one-out-of- oblivious transfer is unconditionally secure against dishonest Alice then, with sufficiently advanced quantum technology, Bob can obtain all messages .
One-out-of- oblivious transfer and more general secure computations cannot achieve unconditional security even in the more general setting of relativistic quantum cryptography, introduced by Kent Kent (1999a, 2012a), in which each party in the protocol has trusted agents performing quantum computations and communications at different spacetime points, some of which are spacelike separated. For example, in the case of one-out-of- oblivious transfer, if a quantum relativistic protocol taking place in a finite region of spacetime, in some reference frame , is unconditionally secure against Alice, then it follows from Loâs no-go theorem that Bob can perform the protocol honestly with an input and obtain in and then apply a unitary operation on his global quantum system, which is spread among various locations, and complete it within the spacetime region consisting in the intersection of the causal futures of all the spacetime points of â for example, Bob can simply send all his quantum systems to a common spacetime point within and then apply there â and then apply a quantum measurement to obtain and then proceed similarly to obtain and so on. This is in contrast to other tasks in mistrustful cryptography, like coin tossing and bit commitment, for which unconditionally secure protocols cannot exist in non-relativistic quantum cryptography Lo and Chau (1998, 1997); Mayers (1997), but for which there are unconditionally secure protocols in relativistic quantum cryptography Kent (1999b, a, 2005, 2011a, 2012b); Lunghi et al. (2015).
Nevertheless, two relativistic variations of one-out-of-two oblivious transfer have been recently proposed, denoted as location-oblivious data transfer (LODT) Kent (2011b) and spacetime-constrained oblivious transfer (SCOT) PitalĂșa-GarcĂa (2016), which have been shown to achieve unconditional security Kent (2011b); PitalĂșa-GarcĂa (2016). In LODT, Alice transfers a message to Bob at a random location in spacetime that neither Alice nor Bob can determine in advance, and Alice remains oblivious to the location where Bob received the message. In SCOT, according to a bit input by Bob, Bob either obtains a message of Alice in a spacetime region or a message of Alice in a spacetime region , where and are spacelike separated, and where Alice remains oblivious to Bobâs input . Interestingly, LODT and SCOT are the only known cryptographic tasks that necessitate both the no-superluminal principle of relativity theory and the properties of quantum information to achieve unconditional security Kent (2011b); PitalĂșa-GarcĂa (2016), in contrast to coin tossing and bit commitment, for example, for which there are unconditionally secure relativistic protocols that are purely classical Kent (1999b, a, 2005); Lunghi et al. (2015).
Two unconditionally secure protocols for SCOT have been presented in the academic literature PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018). The protocol of Ref. PitalĂșa-GarcĂa (2016) requires the preparation of random Bennett-Brassard 1984 (BB84) Bennett and Brassard (1984) states and their secure transmission to distant laboratories. The protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018) requires the preparation and transmission of quantum states between adjacent laboratories, and the transmission of classical information to distant laboratories. Here, we introduce unconditionally secure protocols that generalize those of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018) to the one-out-of- setting, in which Alice inputs messages , there are pairwise spacelike separated output spacetime regions , Bob inputs an integer and outputs in , Alice remains oblivious to anywhere in spacetime, and Bob cannot output in and also in for any pair of different numbers from the set .
Potential applications of one-out-of- SCOT include situations where Bob needs to access, at a specific location and within a short interval of time, one of various pieces of information input by Alice, and Bob requires his choice of accessed piece of information to remain secret to Alice. For example, potential applications of one-out-of- SCOT and generalizations are in high frequency trading strategies (HFT) in the stock market, where must transaction are completed within half a millisecond Wissner-Gross and Freer (2010). Consider for example in this case the following situation. Alice is a company that sells information about the stock market in real time in a set of different possible locations and Bob is a company that trades in the stock market using HFT strategies. Alice offers Bob one piece of her database , each being information on the stock market at the respective location at real time. Each could be the location of a stock market in some part of the world, for instance New York, Toronto, Paris, London, Tokyo, etc. Bob pays Alice a fixed amount of money to obtain an entry in the location in real time. Bob requires that his choice remains private from Alice, while Alice requires that Bob cannot access her entry in at real time, for more than one from the set . One-out-of- SCOT guarantees with unconditional security that Alice cannot learn Bobâs choice anywhere in spacetime and that within a time interval smaller than 0.5 ms, which is relevant for HFT strategies, Bob cannot obtain in and also in for any pair of different numbers from the set if the distance between any pair of locations from the set is at least 150 km, which is the maximum distance that light can travel in 0.5 ms in the approximately Minkowski spacetime near the Earth surface.
We mainly focus on a class of one-out-of- SCOT protocols extending those of Ref. PitalĂșa-GarcĂa and Kerenidis (2018), which require classical â but not quantum â communication among distant locations, and we show them unconditionally secure. We introduce a quantum-cryptography task denoted as one-out-of- distributed quantum access with classical memory (DQACM), which works as a fundamental primitive to construct the class of one-out-of- SCOT protocols.
Broadly speaking, a protocol for one-out-of- DQACM consists in the following steps. Alice encodes messages chosen randomly from predetermined sets in a quantum state , where , and where denotes a basis chosen randomly by Alice from a predetermined set of non-mutually orthogonal bases. Alice sends to Bob. Bob chooses a random number , applies a quantum measurement on , and obtains a classical measurement outcome . At a later time Alice gives to Bob, who then uses and to learn Aliceâs input . A one-out-of- DQACM protocol must satisfy a security condition against dishonest Bob, according to which, if Alice follows the protocol honestly and Bob follows a cheating strategy in which he applies an arbitrary quantum operation on that produces at least two quantum systems and , and then quantum measurements and are applied on and after receiving , giving classical outcomes and , respectively, then the probability that equals and equals is negligible for Aliceâs input messages of large size, and for any pair of different numbers from the set .
We introduce a class of one-out-of- DQACM protocols. We show that by satisfying a few properties the protocols of this class are unconditionally secure. We give specific examples of unconditionally secure one-out-of- DQACM protocols from the class .
We also briefly discuss various generalizations of one-out-of- SCOT. In particular, we suggest a definition for -out-of- SCOT, for arbitrary natural numbers and , according to which Alice and Bob agree on pairwise spacelike separated output spacetime regions , Alice inputs messages , Bob obtains Aliceâs input in the output spacetime region , for different numbers chosen by Bob, Bob cannot obtain in , for more than different elements from the set , and Alice remains oblivious to Bobâs inputs , anywhere in spacetime. We suggest protocols for -out-of- SCOT where communication between distant locations is only classical, based on the primitive of -out-of- DQACM, which is a natural generalization of one-out-of- DQACM into a -out-of- setting, but we leave as an open question to investigate whether they are unconditionally secure. In particular, we propose protocols for -out-of- DQACM extending the class of protocols for one-out-of- DQACM, and we leave as an open problem to show whether they are unconditionally secure.
This paper is organized as follows. In section II, we describe the setting of relativistic quantum cryptography, we provide some mathematical notation and we recall the SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018). We define one-out-of- SCOT in section III. In section IV, we introduce an unconditionally secure one-out-of- SCOT protocol that extends the one-out-of-two SCOT protocol of Ref. PitalĂșa-GarcĂa (2016), and which requires quantum communication between distant locations. We define the task of one-out-of- DQACM in section V. In section VI, we present a class of unconditionally secure protocols for one-out-of- DQACM, we show that this class of protocols are unconditionally secure from the satisfaction of a few properties, and we give specific examples of this class of protocols. In section VII, we introduce a class of one-out-of- SCOT protocols where communication between distant locations is only classical, and where one-out-of- DQACM acts as a subroutine; we show the class is unconditionally secure if the one-out-of- DQACM subroutine is unconditionally secure; and we discuss specific examples of protocols from the class where the one-out-of- DQACM subroutine belongs to the class . Section VIII discusses generalizations of one-out-of- SCOT; in particular, definitions of -out-of- SCOT and -out-of- DQACM are suggested; protocols for -out-of- DQACM and -out-of- SCOT are outlined, with the investigation of their security being left as an open problem. We conclude in section IX with a discussion of our results and of possible connections with other research problems in quantum information and relativistic quantum cryptography.
II Preliminaries
II.1 Relativistic quantum cryptography
In relativistic quantum cryptography, security is guaranteed from 1) the no-superluminal principle of relativity theory, stating that physical systems and information cannot travel faster than light, which is satisfied by quantum theory; and 2) the properties of quantum information, for example, the no-cloning theorem Dieks (1982); Wootters and Zurek (1982), the impossibility of perfectly distingushing non-orthogonal quantum states, the monogamy of quantum entanglement Terhal (2004), the existence of quantum correlations that violate Bell inequalities Bell (1964), etc.
Relativistic-quantum cryptography is usually considered for spacetimes that are Minkowski, or close to Minkowski, as near the Earth surface. But, relativistic quantum cryptography can also apply to arbitrary curved spacetimes with well defined causal structure, if the parties participating in the cryptographic tasks have a well description of the spacetime geometry, if they cannot substantially alter the geometry of spacetime, and if within the region of spacetime where the cryptographic tasks take place, there are not wormholes or other mechanisms allowing them to send signals faster than the speed of light Kent (1999a).
In the setting of relativistic quantum cryptography, the parties participating in the cryptographic tasks, e.g. Alice and Bob, consist of various agents who process and communicate classical and quantum information at various locations in spacetime. In general, in a protocol for relativistic quantum cryptography, the participating parties must agree on spacetime regions where they should communicate classical or quantum information to each other. For this reason, the parties agree on a reference frame with global spacetime coordinates , where the first entry is temporal and the others are spatial, and where without loss of generality we use units in which the speed of light is unity. In the case of mistrustful cryptography, which includes the task of SCOT considered in this paper, Aliceâs (Bobâs) agents work in collaboration and trust each other, but Aliceâs agents are mistrustful of Bobâs agents and vice versa.
II.2 Notation
We define the sets and for any integer numbers and . For a string of entries, we denote the th entry by , for . The Hamming distance between strings of bits and is denoted by . The Hamming weight of a string of bits is denoted by . When applied to bits (bit strings) denotes (bitwise) sum modulo 2. We denote the complement of a bit by , and of a bit by . The binary entropy of is given by , and of is defined as zero. We use the following notation for the BB84 states: , , , , where \lvert\pm\rangle=\frac{1}{\sqrt{2}}\bigl{(}\lvert 0\rangle\pm\lvert 1\rangle\bigr{)}. The computational and Hadamard bases are denoted by and , respectively.
II.3 The SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018)
It is useful to recall the SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018), because we will extend these in following sections. We describe the common setting of these protocols before presenting them.
In the SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018), Alice has three agents , , and ; and Bob has three agents , , and . Alice and Bob agree in a reference frame and in two spacelike separated output spacetime regions and . Each of Aliceâs (Bobâs) agents controls a secure laboratory. It is useful to consider that the agents and have adjacent laboratories, and that the agents and have adjacent laboratories, for . There is a quantum channel between and . There is a classical channel between and , for .
In the SCOT protocol of Ref. PitalĂșa-GarcĂa (2016), Aliceâs agents share secure and authenticated classical channels, and Bobâs agents share secure and authenticated quantum channels. On the other hand, in the SCOT protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018), Aliceâs agents share secure and authenticated classical channels, and Bobâs agents share secure and authenticated classical channels, but Bobâs agents do not need to share quantum channels; additionally, there is a classical channel, as well as a quantum channel, between and .
In both protocols, Alice and Bob agree on spacetime points in and in . We define as the intersection of the causal pasts of and . In the notation of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018), is the causal past of a spacetime point , which is in the causal past of a spacetime point of and a spacetime point of . Alice inputs a bit string in the causal past of , for . Bob inputs a bit in and outputs in . An example of a setting for the SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018) is given in Fig. 1.
As shown in Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018), both protocols are unconditionally secure. The protocols are trivially unconditionally secure against dishonest Alice, as Alice does not receive any information from Bob. The protocols are unconditionally secure against dishonest Bob: in any cheating strategy by Bob allowed by quantum theory and relativity, the probability that Bob outputs in and in decreases exponentially with , satisfying p_{n}\leq\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}^{n}. The protocols can be extended to allow a small fraction of errors in Bobâs output message, while still satisfying unconditional security for dishonest Bob.
II.3.1 The SCOT protocol of Ref. PitalĂșa-GarcĂa (2016)
Agent encodes a random bit string in a quantum state of BB84 states, where the bit string is random and denotes the bases. sends to , who receives it in . 2. 2.
obtains his input bit in and redirects the received state to his colleague , who receives it in the causal past of at least one spacetime point of . 3. 3.
For , sends copies of and to her colleague , who receives them in the causal past of . 4. 4.
For , obtains her input message in the causal past of . 5. 5.
For , gives and to at the spacetime point . 6. 6.
measures the quantum state in the basis labeled by and obtains the encoded string in . 7. 7.
computes the message and outputs it in .
II.3.2 The SCOT protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018)
This SCOT protocol consists of two main stages. Stage I includes quantum communication between agents and , which can take place within their adjacent laboratories, and which can take an arbitrarilly long time, but which must be completed within . For , stage II includes fast classical processing and communication between the agents and , which again can take place within their adjacent laboratories; it also includes classical communication between the â possibly distant â pairs of agents and , and and . Steps 1 to 6 take place within .
Stage I
For , generates random bit strings and sends copies to , who receives them in the causal past of . 2. 2.
prepares a system of qubit-pairs in the quantum state \lvert\psi_{\mathbb{r}_{0},\mathbb{r}_{1}}^{\mathbb{s}}\rangle=\bigotimes_{j\in[n]}\bigl{\lvert}\psi_{r_{0}^{j}r_{1}^{j}}^{s^{j}}\bigr{\rangle}_{A_{0}^{j}A_{1}^{j}}, where
[TABLE]
for . We note that indicates which qubit in the pair is prepared in the computational basis and which one in the Hadamard basis . For , the string is prepared in the basis . sends , i.e. the qubits with their labels , to , for and . 3. 3.
chooses a random bit , before receiving the qubits from . measures in the basis , obtaining the bit outcome , for and . The outcomes define , for . For , transmits , and to , who receives these in the causal past of .
Stage II
obtains his input and gives the bit to . 2. 5.
For , transmits to , with the transmission being completed in the causal past of . 3. 6.
For , transmits to , with the transmission being completed in the causal past of . 4. 7.
For , obtains in the causal past of , and transfers and to at . 5. 8.
Within , uses , , and to compute , which equals . Then, within , outputs , which equals .
II.4 Generalizing the SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018) to the one-out-of- setting
As described above, the SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018) consider the one-out-of-two setting in which Alice has two input messages and and there are two spacelike separated output spacetime regions and . In section III we generalize the definition of SCOT to the one-out-of- setting, where Alice has input messages , there are pair-wise spacelike separated output spacetime regions , Bob should obtain in for his chosen , Alice should not learn , and Bob should not get in for more than one from the set .
As discussed above, in the SCOT protocol of Ref. PitalĂșa-GarcĂa (2016), Alice encodes a message in a quantum state , which further encodes the messages and . In this protocol, Bob transmits the state received from Alice to his agent having access to , who is then able to decode , after receiving the basis label , and then uses and to decode in . As we detail in section IV, this protocol can be straightforwardly generalized to the one-out-of- setting because the message of the quantum state can be used to encode the messages with the messages , for .
On the other hand, generalizing the SCOT protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018) to the one-out-of- setting is more complicated and interesting. We note from the discussion above, that the SCOT protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018) works in two stages. Broadly, in the first stage, two messages and are encoded in a quantum state ; and, in the second stage, these messages are used to encode further messages and . Generalizing the first stage of this protocol to the one-out-of- setting requires to find a set of quantum states that encodes messages , while satisfying some security conditions. We have identified this stage with a task that we denote as one-out-of- distributed quantum access with classical memory, which we describe in section V, with a specific class of secure protocols for this task given in section VI. Generalizing the second stage of the protocol to the one-out-of- setting is straightforward, and is done explicitly in section VII.
Finally, further generalizations are discussed in section VIII. For example, we consider the case that the number of output spacetime regions can be different to the number of Aliceâs inputs, and we discuss protocols for -out-of- SCOT.
III One-out-of- spacetime-constrained oblivious transfer
We introduce a generalization of the definition of SCOT of Ref. PitalĂșa-GarcĂa (2016) to a one-out-of- setting, for any integer . Alice (Bob) has trusted agents who can process and communicate classical or quantum information at various locations in spacetime. But, Aliceâs agents do not trust Bobâs agents, and vice versa. We assume that spacetime is Minkowski, or very close to Minkowski, as near the Earthâs surface. Alice and Bob agree on a reference frame in spacetime, and on pairwise spacelike separated output spacetime regions ; they also agree on a spacetime point of , for . For , Alice inputs a message in the causal past of , chosen from a set of possible messages previously agreed with Bob. Bob inputs a number in the spacetime region , which is defined as the intersection of the causal pasts of the spacetime points , and he outputs in . We illustrate an example of a setting for one-out-of- SCOT in Fig. 2.
A one-out-of- SCOT protocol must satisfy correctness and security properties. Broadly speaking, the correctness property states that Bob obtains in , according to his input , if Alice and Bob follow the protocol honestly. The security properties state: that if Bob follows the protocol honestly and Alice follows any dishonest strategy, Alice cannot learn Bobâs input anywhere in spacetime; and that if Alice follows the protocol honestly and Bob follows any dishonest strategy, Bob cannot obtain in and in , for any pair of different numbers and from the set . We state these properties more precisely below in the ideal case in which Bobâs outputs do not have any errors, and then in a scenario in which Bobâs outputs have a small fraction of errors. We consider that is initially completely unknown to Alice, i.e. from her perspective, Bob chooses randomly from . Similarly, we consider that is initially completely unknown to Bob, i.e. from his perspective, Alice chooses randomly from the previously agreed set, for .
III.1 The ideal case of no errors
III.1.1 Correctness
For , we say a SCOT protocol is correct if, when Alice and Bob follow the protocol honestly, the probability that Bob outputs in satisfies , for any inputs by Alice from the agreed sets, and for any input by Bob. We say a SCOT protocol is perfectly correct if it is correct.
III.1.2 Security
For , we say a SCOT protocol is secure against dishonest Alice if, when Bob follows the protocol honestly and Alice follows any cheating strategy, the probability that Alice guesses Bobâs input anywhere in spacetime satisfies . We say a SCOT protocol is perfectly secure against dishonest Alice if it is secure against dishonest Alice. We say a SCOT protocol is unconditionally secure against dishonest Alice if it is secure against dishonest Alice with approaching zero by increasing some security parameter, for any cheating strategy by Alice that is allowed by quantum theory and relativity.
For , we say a SCOT protocol is secure against dishonest Bob if, when Alice follows the protocol honestly and Bob follows any cheating strategy, the probability that Bob outputs in and in satisfies , for any pair of different numbers from the set . Ideally, we would define a SCOT protocol to be unconditionally secure against dishonest Bob if it is secure against dishonest Bob with approaching by increasing some security parameter, for any cheating strategy by Bob that is allowed by quantum theory and relativity, where is the minimum of the number of possible values of , for . That is, ideally, we would like to guarantee that when a security parameter tends to infinity, Bob should not be able to do better than following the honest protocol to obtain some in and to make a random guess of some other in . However, here we can satisfy a weaker definition of security: we say a SCOT protocol is unconditionally secure against dishonest Bob if it is secure against dishonest Bob with approaching zero by increasing the size of Aliceâs input messages and possibly by increasing some other security parameters, for any cheating strategy by Bob that is allowed by quantum theory and relativity.
III.2 Tolerating a small fraction of errors
We generalize the previous definition of one-out-of- SCOT to allow a small fraction of errors in Bobâs output. We consider that Alice and Bob agree that Aliceâs inputs are of the form , for an agreed number , and for . Alice and Bob agree on parameters , for . In following sections we present protocols to implement one-out-of- SCOT considering the particular case and , for .
III.2.1 Correctness
For , we say a SCOT protocol is correct if, when Alice and Bob follow the protocol honestly, the probability that Bob outputs a message in satisfying satisfies , for any inputs by Alice from the agreed sets, and for any input by Bob. We say a SCOT protocol is perfectly correct if it is correct.
III.2.2 Security
For , we say a SCOT protocol is secure against dishonest Bob if, when Alice follows the protocol honestly and Bob follows any cheating strategy, the probability that Bob outputs messages in and in satisfying and satisfies , for any pair of different numbers and from the set . We say a SCOT protocol is unconditionally secure against dishonest Bob if it is secure against dishonest Bob with approaching zero by increasing the size of Aliceâs input messages and possibly some other security parameters, for any cheating strategy by Bob that is allowed by quantum theory and relativity. Security against dishonest Alice is defined as in the ideal case of no errors.
IV An unconditionally secure one-out-of- SCOT protocol with long-distance quantum communication
We introduce the protocol for one-out-of- SCOT, which extends straightforwardly the protocol for one-out-of-two SCOT of Ref. PitalĂșa-GarcĂa (2016). The label âQCâ stands for âquantum communicationâ, as the protocol requires quantum communication among Bobâs distant agents. The protocol uses a subroutine introduced below.
The setting is the following. Alice has trusted agents and , for . Bob has trusted agents and , for . Alice and Bob agree in a reference frame and in pairwise spacelike separated output spacetime regions . Each of Aliceâs (Bobâs) agents controls a secure laboratory. It is useful to consider that the agents and have adjacent laboratories, and that the agents and have adjacent laboratories, for . Aliceâs agents share secure and authenticated classical channels, and Bobâs agents share secure and authenticated quantum channels. There is a quantum channel between and . There is a classical channel between and , for .
IV.1 The subroutine
The following protocol was used as a subroutine in Ref. PitalĂșa-GarcĂa (2016) for the case . We extend this protocol here for the case and denote it as .
Aliceâs agent encodes a random bit string in a quantum state of BB84 states, where is a random bit string denoting the bases. sends to , who receives it in . 2. 2.
obtains his input number in and redirects the received state to his colleague , who receives it in the causal past of at least one spacetime point of . 3. 3.
For , sends a copy of to her colleague , who receives it in the causal past of . 4. 4.
For , gives to at the spacetime point . 5. 5.
measures the quantum state in the basis labeled by , and obtains a bit string in .
IV.1.1 Correctness
In the ideal case in which there are not any errors nor any losses, Bobâs output equals with unit probability.
IV.1.2 Security against dishonest Alice
Since Bob does not transmit any physical systems to Alice, Alice cannot obtain any information about Bobâs input . Thus, Alice cannot guess Bobâs input with probability greater than .
IV.1.3 Security against dishonest Bob
For the case , it was shown in Ref. PitalĂșa-GarcĂa (2016) that if Alice follows the protocol honestly and Bob follows an arbitrary cheating strategy allowed by quantum theory and relativity, the probability that Bob outputs bit strings in and in satisfies P_{\text{Bob}}\leq\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}^{n}. It was also shown that for a sufficiently small positive parameter , the probability that Bob outputs bit strings in and in satisfying and decreases exponentially with . In particular, we have , where q_{\gamma}=2^{2h(\gamma)}\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}<1, for , and where denotes the binary entropy of PitalĂșa-GarcĂa (2016). As we show below, these security properties hold for all .
Consider any pair of different numbers . In an arbitrary cheating strategy by Bob allowed by quantum theory and relativity in which he tries to output in and in , applies some quantum operation on the quantum state received from Alice and outputs two quantum systems and that he sends to his colleagues and , respectively. Then, after receiving form Aliceâs agents, and apply respective measurements and , and obtain respective measurement outcomes and . This cheating strategy is the same as for the case , where and . Thus, we see that the security conditions stated in the previous paragraph hold for any pair of different numbers , both in the case of perfect outcomes, for which we have P_{\text{Bob}}\leq\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}^{n}; and in the case in which a small fraction of errors is tolerated, in particular , where q_{\gamma}=2^{2h(\gamma)}\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}<1, for .
IV.2 The one-out-of- SCOT protocol
Alice and Bob implement the subroutine , where is the message encoded by in and is âs input in , and where is âs output in . 2. 2.
For , sends a copy of to , who receives it in the causal past of . 3. 3.
For , obtains her input message in the causal past of . 4. 4.
For , gives to at the spacetime point . 5. 5.
computes the message and outputs it in .
IV.2.1 Comments
Different variations of this protocol can be considered. For example, Bobâs agents having quantum memories have more freedom on the time at which they receive, process and transmit classical and quantum information. On the other hand, if Bob does not have any quantum memories, Bobâs agent must redirect the quantum states as soon as he receives them from Aliceâs agent ; and the transmission of the quantum state from to must be completed within a sufficiently short time interval so that Bobâs agent is able to complete the corresponding quantum measurement on it within the output spacetime region ; a physical implementation of this protocol seems plausible in some scenarios using photons as the physical systems encoding the quantum states, for example. Additionally, here we have considered that the subroutine is implemented with BB84 states, but generalizations with other sets of non-mutually orthogonal states can be devised. Furthermore, we note that Bobâs secure and authenticated quantum channels can be implemented via the teleportation Bennett et al. (1993) protocol if Bobâs agents share entangled states and authenticated classical channels, or via the quantum one-time pad Ambainis et al. (2000) if Bobâs agents share secret classical keys and authenticated quantum channels.
IV.2.2 Correctness
In the ideal case that there are not any errors nor any losses, Bob outputs in in the subroutine , hence, Bob outputs in in the protocol . In an implementation of in which Bob outputs in satisfying , Bobâs output in satisfies , for .
IV.2.3 Security against dishonest Alice
Like in the subroutine , Bob does not transmit any physical systems to Alice in the protocol , hence, Alice cannot obtain any information about Bobâs input . Thus, Alice cannot guess Bobâs input with probability greater than . Therefore the protocol is perfectly secure against dishonest Alice.
IV.2.4 Security against dishonest Bob
For any pair of different numbers , the probability that Bob outputs in and in in the protocol satisfying and is equal to the probability that Bob outputs in and in in the subroutine satisfying and . Thus, from the security properties of the subroutine , it follows straightforwardly that if errors are not tolerated, i.e. if , the protocol is secure against dishonest Bob, with \epsilon=\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}^{n}. Since decreases exponentially with , is unconditionally secure against dishonest Bob.
Similarly, if the protocol tolerates a fraction of errors , the protocol is secure against dishonest Bob, with , where q_{\gamma}=2^{2h(\gamma)}\bigl{(}\frac{1}{2}+\frac{1}{2\sqrt{2}}\bigr{)}<1, for . Since decreases exponentially with , for , is unconditionally secure against dishonest Bob in this case too.
V One-out-of- distributed quantum access with classical memory
In this section we introduce a task that we denote as one-out-of- distributed quantum access with classical memory (DQACM), which for simplicity of the exposition we often refer to simply as DQACM. This task works as a primitive to construct one-out-of- SCOT protocols in which Bobâs agents only need to communicate classical information.
We define one-out-of- DQACM as follows. Previous to implementing a DQACM protocol, Alice and Bob agree on the integer ; on finite sets of classical messages , , and ; and on a set of quantum states \Delta=\{\bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}\big{|}\mathbb{r}\in\Omega_{\text{outcome}},\mathbb{s}\in\Lambda_{\text{basis}}\}. In general, we may set , but here we consider . A DQACM protocol consists of two stages.
In stage I, Alice encodes a string of messages in a quantum state \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{A}\in\Delta of a quantum system , using the extra classical message . The message may indicate, for example, the basis used by Alice to prepare the state \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}, from a set of possibly non-mutually orthogonal bases. Alice gives the quantum state \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{A} to Bob. We consider that Aliceâs inputs are initially secret to Bob, i.e. from Bobâs perspective, Alice chooses randomly from , for , and randomly from . Bob inputs a number , initially secret to Alice, i.e. from Aliceâs perspective, Bob chooses randomly from . Bob applies a quantum measurement on the received quantum state \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{A} and obtains a classical measurement outcome .
Stage II consists of two steps. In the first step, Alice gives the classical message to Bob. In the second step, Bob applies a function on giving as output a classical message , i.e. .
Ideally, a protocol for one-out-of- DQACM should satisfy a correctness and a security condition. Broadly speaking, the correctness property says that if Alice and Bob follow the protocol honestly, Bobâs output is equal to Aliceâs input , or is sufficiently close to Aliceâs input , according to a predetermined threshold. The security condition states that in distributed cheating strategies by Bob involving two agents of Bob, and , who receive Aliceâs message , and who cannot communicate with each other after receiving , and cannot both output Aliceâs inputs and â or messages sufficiently close to and , according to a predetermined threshold â respectively, for any pair of different numbers . Fig. 3 illustrates the task of one-out-of- DQACM.
We see that by construction, in the defined task of one-out-of- DQACM, Alice remains oblivious to Bobâs input , as she does not receive any physical system from Bob. This obliviousness property, as well as the properties of correctness and security against dishonest Bob allow us to use one-out-of- DQACM to construct correct and secure one-out-of- SCOT.
We explain why we have denoted this task as âone-out-of- distributed quantum access with classical memoryâ. First, in the honest protocol Bob chooses to access one out of messages that Alice encodes in a quantum state. Second, in the honest protocol, we can consider that Bob has only classical memory, as he receives the quantum state from Alice and is forced to apply a quantum measurement and then apply further classical processing on his outcomes after receiving the classical message from Alice. Third, in a dishonest cheating strategy by Bob, we can consider that he outputs two quantum systems and and distributes them to his agents and , who without communicating â because they must obtain their outputs at spacelike separated spacetime regions, for instance â must respectively output Aliceâs inputs and after receiving Aliceâs classical message , for some pair of different numbers .
We define precisely the correctness and security conditions in two broad scenarios: an ideal scenario in which there are not errors in Bobâs output, and a more general scenario in which there is a small fraction of errors in Bobâs output.
V.1 The ideal case of no errors
V.1.1 Correctness
For , we say a protocol to implement one-out-of- DQACM is correct if, when Alice and Bob follow the protocol honestly, the probability that Bob outputs satisfies , for any input by Bob. We say a protocol to implement one-out-of- DQACM is perfectly correct if it is correct.
V.1.2 Security
For , we say a protocol to implement one-out-of- DQACM is secure against dishonest Bob if, when Alice follows the protocol honestly, for any pair of different numbers and from the set , for any quantum operation independent of and independent of applied by Bob on the quantum state that produces at least two quantum systems and , and for any sets of quantum measurements \bigl{\{}\tilde{\text{M}}_{0}^{\mathbb{s}}\bigr{\}}_{\mathbb{s}\in\Lambda_{\text{basis}}} and \bigl{\{}\tilde{\text{M}}_{1}^{\mathbb{s}}\bigr{\}}_{\mathbb{s}\in\Lambda_{\text{basis}}}, the probability to obtain respective outcomes and , by respectively applying on and on , is not greater than . We say a protocol to implement one-out-of- DQACM is unconditionally secure against dishonest Bob if it is secure against dishonest Bob with approaching zero by increasing the size of Aliceâs input messages and possibly some other security parameters.
V.2 Tolerating a small fraction of errors
We generalize the previous definition of one-out-of- DQACM to allow a small fraction of errors in Bobâs output. We consider that Alice and Bob agree that Aliceâs inputs are of the form , for an agreed number , and for . Alice and Bob agree on parameters , for .
V.2.1 Correctness
For , we say a protocol to implement one-out-of- DQACM is correct if, when Alice and Bob follow the protocol honestly, the probability that Bob outputs a message satisfying satisfies , for any input by Bob. We say a protocol to implement one-out-of- DQACM is perfectly correct if it is correct.
V.2.2 Security
For , we say a protocol to implement one-out-of- DQACM is secure against dishonest Bob if, when Alice follows the protocol honestly, for any pair of different numbers , for any quantum operation independent of and independent of applied by Bob on the quantum state that produces at least two quantum systems and , and for any sets of quantum measurements \bigl{\{}\tilde{\text{M}}_{0}^{\mathbb{s}}\bigr{\}}_{\mathbb{s}\in\Lambda_{\text{basis}}} and \bigl{\{}\tilde{\text{M}}_{1}^{\mathbb{s}}\bigr{\}}_{\mathbb{s}\in\Lambda_{\text{basis}}}, the probability to obtain respective outcomes and satisfying and , by respectively applying on and on , is not greater than . We say a protocol to implement one-out-of- DQACM is unconditionally secure against dishonest Bob if it is secure against dishonest Bob with approaching zero by increasing the size of Aliceâs input messages and possibly some other security parameters.
VI A class of unconditionally secure protocols for one-out-of- DQACM
We introduce a class of protocols to implement one-out-of- DQACM. We define a set with distinct elements, for some integer . We define , i.e. the set is in one-to-one correspondence with the set of permutations of distinct elements. We define and . This means that we consider strings , and , i.e. with and , for and . We note that the number of elements of the set is , hence, the number of elements of the set is . Similarly, as the number of elements of the set is , the number of elements of the set is .
Alice generates the quantum state encoded in a quantum system with Hilbert space , where the strings and are randomly generated by her, for . Alice gives the quantum state to Bob. The quantum state is of the form
[TABLE]
where denotes the string of messages encoded by Alice, and where the Hilbert space is a tensor product of Hilbert spaces , as follows,
[TABLE]
with the dimension of the Hilbert space being equal to for all and all , and where is an orthonormal basis of an -dimensional Hilbert space, for . We define
[TABLE]
where the maximum is taken over all and over all with .
Bob generates his input and applies a quantum measurement on the received quantum state . The quantum measurement consists in measuring the quantum subsystem of in the basis , whose classical measurement outcome is denoted by , for and . We denote , for , and Bobâs total classical measurement outcome by . We note that the outcomes satisfy , because the quantum system is prepared by Alice in the quantum state \bigl{\lvert}\alpha_{r_{c}^{j}}^{c}\bigr{\rangle}, i.e. in the basis encoding the classical outcome , for . Thus, for , following the protocol honestly and using , and , Bob can decode Aliceâs input , i.e. there exists a function that when applied on gives as output Aliceâs input . Therefore, in the ideal case that there are not errors nor losses, the protocols of this class are perfectly correct.
In order to guarantee security against dishonest Bob, the set of bases is chosen to satisfy the constraint
[TABLE]
For fixed values of and , the smaller the value of is, the greater the security that can be guaranteed. For this reason, it is preferable that the bases are mutually unbiased, i.e. that for all and all with , in which case . For example, in the case , we can set , and a pair of mutually unbiased bases can be given by the computational and Hadamard bases.
In order to quantitatively prove the security against dishonest Bob in the examples given in this section, we also require that the set of bases satisfies the constraint that there exists a maximally entangled state of two -dimensional quantum systems and such that can be expressed by
[TABLE]
for all .
From (2) â (6), we show below that if the protocols of the class defined above do not tolerate any errors in Bobâs output then they are secure against dishonest Bob, with
[TABLE]
Thus, since as given by (5), we have that exponentially with , meaning that the protocol is unconditionally secure against dishonest Bob.
We can straightforwardly extend the class of protocols above to tolerate a small fraction of errors. For example, consider protocols with , i.e. is a string of bits, for . Bobâs output may be considered correct if for some small allowed error rate , i.e. if the number of bit errors in with respect to is not greater than , for . In this case, we show below that the considered protocols are secure against dishonest Bob with
[TABLE]
for some , where is the smallest solution to the following equation
[TABLE]
which satisfies , where we recall that denotes the binary entropy of . We note from (9) that since , the term inside the brackets in (8) is smaller than unity, hence, given by (8) decreases exponentially with . Thus, the protocols are unconditionally secure against dishonest Bob.
We give two specific examples below of protocols for one-out-of- DQACM of the previous class that satisfy (2) â (6), from which the security bounds (7) and (8) follow.
VI.1 Example 1
We consider the case with . We set the state , where is the Bell state
[TABLE]
Since , and are qubit orthogonal bases, which without loss of generality we fix on the same plane of the Bloch sphere. Without loss of generality we set to be the computational basis, given by the states , for . The basis is defined by the states
[TABLE]
for and for some \theta\in\bigl{(}0,\pi\bigr{)}. In this example, we have
[TABLE]
Since \theta\in\bigl{(}0,\pi\bigr{)}, we have , hence, (5) holds. It is easy to see that for any , hence, by setting , (6) holds too. From (7), in this example we have that the DQACM protocol is secure against dishonest Bob, with
[TABLE]
where is given by (12). Since decreases exponentially with , the DQACM protocol is unconditionally secure against dishonest Bob, for .
In this example, in order to enhance the security, it is preferable to have , in which case and correspond respectively to the computational and Hadamard bases, which are mutually unbiased, giving from (12) the value . In this case, it follows from (13) that the DQACM protocol is secure against dishonest Bob, with
[TABLE]
VI.2 Example 2
We set arbitrary , with , hence . Since , are qubit orthogonal bases, for . We set the bases to lie on the same plane of the Bloch sphere. Without loss of generality we set this plane to be the - plane, and we set the basis to lie on the axis, i.e. is the computational basis, which is given by the states , for . The other bases can be expressed by the states
[TABLE]
for , for different parameters \theta_{i}\in\bigl{(}0,\pi\bigr{)}, for , which without loss of generality we order like . In this example, we can set
[TABLE]
for , which gives
[TABLE]
satisfying (5), for . As in the Example 1 above, we set , given by (10), which as above satisfies (6). From (7), in this example we have that the DQACM protocol is secure against dishonest Bob, with
[TABLE]
Since decreases exponentially with , the DQACM protocol is unconditionally secure against dishonest Bob, for .
VI.3 Security against dishonest Bob
We show below that the class of DQACM protocols described in this section satisfying (2) â (6) are secure against dishonest Bob in the case that errrors in Bobâs output are not tolerated, and secure against dishonest Bob in the case that a small fraction of errors is tolerated, with and given by (7) and (8), respectively.
By definition, security against dishonest Bob is analyzed with respect to cheating strategies of the following form. Bob receives the quantum state \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{A} from Alice in the quantum system . Bob then applies any quantum operation on the quantum state \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{A}, and possibly and ancillary quantum system or arbitrary finite Hilbert space dimension. Bob then partitions his total system into two quantum systems and . After receiving from Alice, Bob applies a quantum measurement on and a quantum measurement on , whose respective outcomes are denoted by and . We show below that the probability that Bobâs outputs satisfy and satisfies
[TABLE]
for any pair of different numbers . We also show that for Aliceâs inputs of the form , the probability that Bobâs outputs satisfiy and satisfies
[TABLE]
for any pair of different numbers , and for some , where is the smallest solution to the equation
[TABLE]
which satisfies . Thus, from (7) â (9), and from (19) â (21), it follows that the class of DQACM protocols described in this section satisfying (2) â (6) are secure against dishonest Bob in the case that errors in Bobâs output are not tolerated, and secure against dishonest Bob in the case that a small fraction of errors is tolerated, with and given by (7) and (8), respectively.
The most general quantum operation consists in performing some joint unitary operation , independent of and independent of , on the quantum state of the quantum system and a fixed quantum state of an ancillary system , which we assume to be of arbitrary finite Hilbert space dimension, to obtain the state
[TABLE]
where for simplifying notation we have written , where , and where the quantum systems and have arbitrary finite dimensions. Bob partitions the global system into two quantum systems and . Then, for , Bob applies a projective measurement on and obtains the outcome . Bobâs cheating probability is given by
[TABLE]
where denotes that for , as we have used the notation , and where we recall that with . Then, using (2) â (6), and in particular, using the property of non-perfect distinguishability of non-orthogonal quantum states exploited in Aliceâs quantum state preparation (2), as quantified by (4) and (5), we show the bound (19) below.
From (19) and (23), it is straightforward to derive (20). Consider a projective measurement on for any bit string in the case and , where we recall that ââ denotes bit-wise sum modulo 2. Extending (23), Bobâs cheating probability is given by
[TABLE]
where we recall that denotes the Hamming weight of the bit string , i.e. the number of bit entries of equal to â1â. The bound (19) applies for any pair of projective measurements on and , hence, in particular for the projective measurement on , for and . It follows from (19), (23) and (24) that
[TABLE]
where in the second line we have used that the number of bit strings with Hamming weight not greater than is upper bounded by , for , which is shown in section 1.4 of Ref. van Lint (1999), and where is the binary entropy of . The bound (20) follows.
VI.3.1 Proof of the bound (19)
We note that our protocol is mathematically equivalent to the following procedure. First, Alice takes the following actions. She prepares a pair of -dimensional quantum systems and in the state given by (6) , for and . More precisely, Alice prepares a global quantum system with Hilbert space , where is given by (3), and similarly is given by
[TABLE]
The quantum system is prepared in the quantum state
[TABLE]
Alice keeps the system and she sends the system to Bob. Then, Alice measures in the orthonormal basis \bigl{\{}\bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}\bigr{\}}_{\mathbb{r}\in\Omega^{nm}} according to her random value of , where means that , for . With probability , Alice measures \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{C} and projects into the state . Bobâs unitary operation in his cheating strategy commutes with Aliceâs measurements. Thus, we can consider that the global system , before Aliceâs and Bobâs measurement are implemented, is in the state
[TABLE]
where we recall that , is an ancilla, and and have arbitrary finite Hilbert space dimensions. Then, Alice measures in the orthonormal basis \bigl{\{}\bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}\bigr{\}}_{\mathbb{r}\in\Omega^{nm}} according to her random value of . With probability , Alice measures \bigl{\lvert}\Psi_{\mathbb{r}}^{\mathbb{s}}\bigr{\rangle}_{C} and projects into the state . After receiving , Bob applies the projective measurement on , for .
Thus, Bobâs cheating probability given by (23) equals
[TABLE]
where \Psi=\bigl{(}\lvert\Psi\rangle\langle\Psi\rvert\bigr{)}_{CB_{0}B_{1}} and
[TABLE]
where we recall that and .
We derive the bound (19) with the help of two lemmas of Ref. Tomamichel et al. (2013). Before stating these lemmas we provide some useful notation. We denote by the Hilbert space of the global system , which as said before is arbitrary but finite dimensional. We denote by and by the sets of linear operators and of positive semi-definite operators on , respectively. For , the expression means that . For , denotes the Schatten norm of , which gives the largest singular value of , and which coincides with its largest eigenvalue if .
Lemma 1**.**
*(Ref. Tomamichel et al. (2013))
Let such that . Then, it holds that .*
Lemma 2**.**
*(Ref. Tomamichel et al. (2013))
Let , and let be a set of mutually orthogonal permutations of . Then*
[TABLE]
It follows from Lemma 1 that for satisfying and , it holds that Tomamichel et al. (2013). Thus, if are projectors on satisfying and then . We use this property below.
To use Lemma 2, we consider the set of permutations of labeled by and given by with s_{\mathbb{v}}^{j}=\bigl{(}s_{v^{j},0}^{j},s_{v^{j},1}^{j},\ldots,s_{v^{j},m-1}^{j}\bigr{)} being a permutation of , for . This is a set of mutually orthogonal permutations, that is, if , for all . To see this, consider a pair of different elements from the set and any . Since , there exists at least a such that , hence, s_{\mathbb{v}}^{j^{\prime}}=\bigl{(}s_{v^{j^{\prime}},0}^{j^{\prime}},s_{v^{j^{\prime}},1}^{j^{\prime}},\ldots,s_{v^{j^{\prime}},m-1}^{j^{\prime}}\bigr{)} and s_{\mathbb{w}}^{j^{\prime}}=\bigl{(}s_{w^{j^{\prime}},0}^{j^{\prime}},s_{w^{j^{\prime}},1}^{j^{\prime}},\ldots,s_{w^{j^{\prime}},m-1}^{j^{\prime}}\bigr{)} are different permutations of , which means that and therefore that .
We have
[TABLE]
where in the first line we used the linearity of the trace, in the second line we used the definition of the Schatten norm, and in the last line we used Lemma 2 and the fact that and are projectors.
In the following we use the notation , where , for . We define the projectors
[TABLE]
for . We see that and satisfy and , for . Thus, we have from Lemma 1 that
[TABLE]
where the equality follows from the property for any Tomamichel et al. (2013) and from the fact that and are projectors. Then we show in the Appendix A that
[TABLE]
where \omega_{\mathbb{v}}=\bigl{\lvert}\{j\in[n]|s_{v^{j},l_{1}}^{j}=s_{l_{0}}^{j}\}\bigr{\rvert}, that is, is the number of entries of corresponding to a permutation that takes into , where is in the th entry, and where â?â denotes any allowed entry after the permutation. For example, in the case and , \omega_{\mathbb{v}}=\bigl{\lvert}\{j\in[n]|s_{v^{j},1}^{j}=s_{0}^{j}\}\bigr{\rvert} is the number of entries of corresponding to a permutation that takes into , where â?â denotes any allowed entry after the permutation. As explicitly stated by the notation, we see that only depends on , but not on . Thus, since for a fixed , the upper bound on given by (34) is the same for any , we have from (31), (33) and (34) that
[TABLE]
We also note that the value of does not depend on the values of , for any pair of different numbers ; hence, the bound (35) holds for any pair of different numbers .
We compute the sum in (35). There are exactly \bigl{(}\begin{smallmatrix}n\\ \omega\end{smallmatrix}\bigr{)}\bigl{(}(m-1)!\bigr{)}^{\omega}\bigl{(}m!-(m-1)!\bigr{)}^{n-\omega} values of satisfying . We can see this as follows. Consider a such that . For this , there are entries which are permutations of distinct elements that take into , where is in the th entry. There are possible permutations that take into , where is in the th entry, and that do not. Let us write a -bit string whose th entry is if is a permutation of the form , where is in the th entry, or [math] otherwise. Thus, the number of elements for which has entries equal to and the rest entries equal to [math] is \bigl{(}\begin{smallmatrix}n\\ \omega\end{smallmatrix}\bigr{)}\bigl{(}(m-1)!\bigr{)}^{\omega}\bigl{(}m!-(m-1)!\bigr{)}^{n-\omega}. Thus, from (35), we have
[TABLE]
which is the claimed bound (19).
VII A class of unconditionally secure one-out-of- SCOT protocols with long-distance classical communication
By implementing one-out-of- DQACM as a subroutine, the following class of one-out-of- SCOT protocols only requires classical communication among Bobâs distant agents. Alice and Bob agree on a reference frame in spacetime, on pairwise spacelike separated output spacetime regions , and on a spacetime point of , for ; they also agree on Aliceâs message in the causal past of being from the set , for some , and on a maximum allowed error rate on Bobâs outputs, for . We recall that is the spacetime region consisting in the intersection of the causal pasts of the spacetime points . We consider that from Bobâs perspective, Aliceâs inputs are random, for ; and that from Aliceâs perspective, Bobâs input is random.
Alice has trusted agents , and Bob has trusted agents . Each of Aliceâs (Bobâs) agents controls a secure laboratory. It is helpful to consider that and have adjacent laboratories, and that and have adjacent laboratories, for . Aliceâs (Bobâs) agents share secure and authenticated classical channels. There is a classical channel and a quantum channel between and , and there is a classical channel between and , for . It is possible that and ( and ) are the same agent, for some .
The class of one-out-of- SCOT protocols extends the one-out-of-two SCOT protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018). It consists of two stages. Stage I includes quantum communication between the agents and , which can take place within their adjacent laboratories, and which can take an arbitrarily long time, but which must be completed within . For , stage II includes fast classical processing and communication between the agents and , which can take place within their adjacent laboratories; it also includes classical communication between the â possibly distant â pairs of agents and , and and . The actions performed in the steps 1 to 6 take place within , unless otherwise stated. Fig. 4 illustrates the class of one-out-of- SCOT protocols.
VII.1 Stage I
Aliceâs agent and Bobâs agent implement the stage I of a one-out-of- DQACM protocol with random inputs and by Alice, and a random input by Bob, for . This consists in sending to a quantum state encoding in a basis labeled by , applying a quantum measurement on the received quantum state, and obtaining a classical measurement outcome . The stage I of the DQACM protocol is completed in the spacetime region . 2. 2.
sends copies of to , who receives them in the causal past of , for . 3. 3.
transmits and to , who receives these in the causal past of , for .
VII.2 Stage II
Within , generates his SCOT input , and transmits the number modulo to , who receives it within . 2. 5.
For , transmits to , who receives it in the causal past of . 3. 6.
For , transmits to , who receives it in the causal past of . 4. 7.
For , generates in the causal past of , and gives to at , where is modulo . 5. 8.
For , gives to at . This corresponds to the first step in stage II of the DQACM protocol. 6. 9.
Within the spacetime region , uses , and to obtain the output (or close to according to a predetermined threshold) of the DQACM protocol. This corresponds to the second step in stage II of the DQACM protocol. 7. 10.
Within , outputs (or , which is close to according to a predetermined threshold).
VII.3 Comments and variations
We note that the class of one-out-of- SCOT protocols shares various important properties with the one-out-of-two SCOT protocol of Ref. PitalĂșa-GarcĂa and Kerenidis (2018). First, has the freedom to choose after he has measured the quantum state received from . Thus, the quantum communication and quantum measurement steps can take an arbitrarily long time, but they must be completed within . Second, Alice has the freedom to choose her inputs , in real time, i.e. can generate anywhere in the causal past of , for . Third, different variations of the protocols can be considered. For example, if does not send to , can act assuming that , for . In particular, for , independently of whether sends to , can output a message that is equal to (or close to) Aliceâs input (see Fig. 4); although this does not allow to obtain (or a message close to , unless ) as shown below.
VII.4 Correctness
We assume that the DQACM subroutine is correct in the case that an error rate on Bobâs output is tolerated, for . This means that with probability not smaller than , for . Therefore, with probability not smaller than , for . It follows that the one-out-of- SCOT protocols from the class are correct in the case that an error rate on Bobâs output is tolerated, for .
VII.5 Security against dishonest Alice
Neither in the DQACM subroutine, nor in the whole one-out-of- SCOT protocol, Bob gives Alice any physical systems. Thus, Alice cannot obtain any information about Bobâs SCOT input . It follows that the SCOT protocol is perfectly secure against dishonest Alice.
VII.6 Security against dishonest Bob
We assume that the DQACM subroutine is secure against dishonest Bob. We show that the one-out-of- SCOT protocol from the class is secure against dishonest Bob. It follows that if the DQACM subroutine is unconditionally secure against dishonest Bob, i.e. if goes to zero by increasing the number of bits of Aliceâs input messages and possibly some other security parameters, then the SCOT protocol is unconditionally secure.
In order to show security against dishonest Bob, we assume that Alice follows the one-out-of- SCOT protocol honestly and Bob applies an arbitrary cheating strategy allowed by quantum theory and relativity. Consider a general cheating strategy by Bob in which he outputs a message in and a message in , which in a successful cheating strategy are equal to â or very close to â Aliceâs inputs and , respectively, for some pair of different numbers . Given that Aliceâs inputs are random, and that gives the message to at , and gives the message to at , the goal of Bobâs cheating strategy is that and obtain respective strings and , in and , that are equal to â or close to â and with high probability, so that outputs in and outputs in , which are equal to â or close to â and , respectively, with high probability.
Therefore, Bobâs general strategy consists of three main steps. In the first step, Bobâs agent receives the quantum state in a quantum system from Aliceâs agent and applies a quantum operation on and an extra ancillary system consisting in a unitary operation on , independent of and independent of , producing two quantum systems and , including also a measurement producing a classical outcome encoded in a system , where we define . then sends to (who sends to , for ) and he sends the classical message encoded in a classical system and the quantum system to Bobâs agent , and the classical message encoded in a classical system and the quantum system to Bobâs agent . Thus, sends to and to , while is held by , except for , which sends to .
In the second step, after reception of from , and after reception of the classical message and of the quantum system from , applies a quantum measurement â depending on both and â on and obtains the guess of . Similarly, after reception of from , and after reception of the classical message and of the quantum system from , applies a quantum measurement on and obtains the guess of .
As shown in the Appendix B, the two steps above are mathematically equivalent to the following situation. More precisely, for any pair of different numbers , we show that the joint probability that Bobâs agent obtains a particular outcome as his guess of and Bobâs agent obtains a particular outcome as his guess of in the procedure of the two steps above is the same in the procedure described in the paragraph below.
Bobâs agent applies a quantum operation on the received quantum state and an extra ancillary system , producing two quantum systems and . The operation consists in applying the unitary operation on of the quantum operation above, partitioning into two subsystems and , applying the quantum measurement on and preparing each of the quantum systems , and in a quantum state , conditioned on the outcome of being , for , where is an orthonormal basis of each of the quantum systems , and . Conditioned on the outcome of being , sends to Aliceâs agent in part of the system , and sends the joint system () to Bobâs agent (). A quantum measurement is applied on the joint system , with obtaining the outcome from , which is his guess of . Bobâs agent applies a quantum measurement on the joint system and obtains a classical outcome , which is his guess of .
Finally, in the third step, after reception of the message from , computes his guess of and outputs it in . Similarly, after reception of from , computes his guess of and outputs it in .
By assumption, the DQACM subroutine is secure against dishonest Bob. By definition, since we assume that Alice follows the protocol honestly, for any pair of different numbers and from the set , for any quantum operation independent of and independent of applied by Bob on the quantum state that produces at least two quantum systems and , and for any sets of quantum measurements \bigl{\{}\tilde{\text{M}}_{0}^{\mathbb{s}}\bigr{\}}_{\mathbb{s}\in\Lambda_{\text{basis}}} and \bigl{\{}\tilde{\text{M}}_{1}^{\mathbb{s}}\bigr{\}}_{\mathbb{s}\in\Lambda_{\text{basis}}}, the probability to obtain respective outcomes and satisfying and , by respectively applying on and on , is not greater than . Thus, by considering and , we see from the first and second steps of Bobâs general cheating strategy in the one-out-of- SCOT protocol, that the probability that Bobâs agents and output in and in satisfying and , respectively, is not greater than . Since in the third step of Bobâs cheating strategy outputs in and outputs in , and since and , it follows that the probability that Bobâs agents and output in and in satisfying and , respectively, is not greater than . This means, by definition, that the one-out-of- SCOT protocol is secure against dishonest Bob, as claimed.
VII.7 Examples
We consider that the DQACM subroutine belongs to the class introduced in section VI with , i.e. with inputs by Alice for . We consider separately the case where no errors in Bobâs output are tolerated and the case where a small fraction of errors is tolerated in Bobâs outputs.
We consider first the ideal case of no errors. In this case, the DQACM subroutine is perfectly correct, i.e correct. It follows that a one-out-of- SCOT protocol of the class using this DQACM subroutine is perfectly correct in the ideal case of no errors.
The class of DQACM protocols with is secure against dishonest Bob, with given by (7), hence, unconditionally secure against dishonest Bob, as decreases exponentially with . It follows that a one-out-of- SCOT protocol of the class using this DQACM subroutine is secure against dishonest Bob, with given by (7), hence, unconditionally secure against dishonest Bob. For example, consider that the DQACM subroutine is given by the protocol of Example 2 in section VI.2. In this case, the DQACM protocol is secure against dishonest Bob, with given by (18). Thus, from the arguments above, the one-out-of- SCOT protocol is secure against dishonest Bob, with given by (18). Since decreases exponentially with , the SCOT protocol is unconditionally secure against dishonest Bob.
Now we consider the case where a small fraction of errors is tolerated in Bobâs outputs. In the case that the fraction of bit errors in Bobâs output in the DQACM subroutine is below a threshold , the DQACM subroutine is perfectly correct by setting the allowed error rate equal or greater than . Thus, the SCOT protocol of the class using this DQACM subroutine is perfectly correct in the case that a maximum allowed error rate on Bobâs SCOT outputs is set to a value equal or greater than .
The class of DQACM protocols with is secure against dishonest Bob, with given by (8), hence, unconditionally secure against dishonest Bob, as decreases exponentially with , if , where is the smallest solution of the equation (9). It follows that a one-out-of- SCOT protocol of the class using this DQACM subroutine is secure against dishonest Bob, with given by (8), hence, unconditionally secure against dishonest Bob, if , where is the smallest solution of the equation (9).
VIII Generalizations
We note that the one-out-of- SCOT protocols of the class use one-out-of- DQACM protocols as a fundamental primtive. In the one-out-of- DQACM protocols, Aliceâs agent encodes random messages from the agreed sets in a quantum state that she gives to Bobâs agent in a spacetime region , in such a way that the probability that Bob obtains Aliceâs input â or a message very close to â in a spacetime region , and also Aliceâs input â or a message very close to â in a spacetime region that is spacelike separated from , is very small, for any pair of different numbers from the set . We can then use the one-out-of- DQACM primitive to consider more general SCOT schemes, as we illustrate below. We can also extend the definition of DQACM, which allows us to further generalize the definition of SCOT.
VIII.1 Using a one-out-of- DQACM subroutine to implement generalized versions of SCOT
Consider a more general setting for SCOT in a spacetime that is Minkowski or close to Minkowski. Alice and Bob agree on a reference frame in spacetime. Alice and Bob agree on pairwise spacelike separated output spacetime regions , and on a spacetime point of , for . Alice inputs messages in the causal past of , for , where the set and the number are previously agreed by Alice and Bob, for .
For some previously agreed integer , Alice and Bob perform a one-out-of- DQACM subroutine. Alice encodes random messages from sets previously agreed with Bob in a quantum state , where denotes a basis randomly chosen by Alice from a set of non-mutually orthogonal bases previously agreed with Bob, and where we denote . Bob receives the quantum state from Alice in the spacetime region , which is the intersection of the causal pasts of . Bob inputs a number in and obtains a message of his choice in any number of the output spacetime regions. Alice applies a classical encoding of using , with the encoding being previously agreed with Bob, for some , for and . For example, if for some , then we can set . Alice then gives to Bob in , for . Bob is then able to complete the DQACM protocol and obtain the message of his choice (or a message close to ) in any number of the output spacetime regions. Alice also gives the encoding message to Bob at , for and . Bob is then able to decode Aliceâs message (or a message close to ) in the output spacetime region via a decoding using and (or ) if . For example, if for some and then Bob computes (or ).
The security guarantee of the one-out-of- DQACM subroutine is that Bob cannot obtain with non-negligible probability Aliceâs input â or a message very close to â in one output spacetime region and also Aliceâs input â or a message very close to â in another output spacetime region, for any pair of different numbers from the set . Thus, with unconditional security, it is guaranteed in this generalized version of SCOT that Bob cannot obtain a message â or a message very close to â in the output spacetime region and a message â or a message very close to â in the output spacetime region , for any pair of different numbers from the set for which it holds that . Therefore, in order to satisfy specific security constraints, Alice and Bob must previously agree on the classical encodings and decodings , and particularly on the messages of these encodings in order to satisfy the desired security conditions.
VIII.2 -out-of- DQACM and SCOT
We can consider generalizations of one-out-of- DQACM to a -out-of- setting for arbitrary natural numbers and . Broadly speaking, a -out-of- DQACM protocol involves the following steps. Alice prepares a quantum state that she gives to Bob, where and are randomly chosen by Alice from predetermined sets and , respectively. Bob chooses different numbers from the set and applies a quantum measurement labeled by on the quantum state and obtains a classical measurement outcome . Alice then gives to Bob. Bob then uses , and to decode Aliceâs inputs . A -out-of- DQACM protocol must satisfy a security condition against dishonest Bob, according to which, for any subset of different elements from the set , for any quantum operation independent of and independent of applied by Bob on the received quantum state that produces at least quantum systems , and for any quantum measurement applied on depending on , the probability that the measurement outcome is equal to - or very close to according to a predetermined threshold â for all is not greater than a small security bound , which ideally decreases by increasing the size of Aliceâs input messages and possibly by increasing some other security parameters.
We can then use a -out-of- DQACM protocol as a fundamental primitive to implement more general SCOT protocols. For example, we may consider the following definition of -out-of- SCOT, for natural numbers and . We may consider that spacetime is Minkowski or close to Minkowski. Alice and Bob agree on a reference frame in spacetime. Alice and Bob agree on pairwise spacelike separated output spacetime regions , and on a spacetime point of , for . Alice inputs a message in the causal past of , where the set is previously agreed by Alice and Bob, for . Bob inputs different numbers from the set . In a correct -out-of- SCOT protocol Bob outputs â or a message very close to it according to a predetermined thresholdâ in , for . We may define security against dishonest Alice as the guarantee that Alice cannot obtain any information about Bobâs input anywhere in spacetime, when Bob follows the honest protocol and Alice implements an arbitrary cheating strategy allowed by quantum theory and relativity. We define a -out-of- SCOT protocol to be secure against dishonest Bob if, when Alice follows the protocol honestly and Bob implements an arbitrary cheating strategy allowed by quantum theory and relativity, the probability that Bob outputs â or a message very close to according to a predetermined threshold â in , for any different numbers from the set , is not greater than a small security bound , which ideally decreases by increasing the size of Aliceâs input messages and possibly by increasing some other security parameters.
We outline a way to construct -out-of- DQACM protocols by extending the one-out-of- DQACM protocols of the class given in section VI. In the one-out-of- DQACM protocols of the class , for , the quantum system encodes the th entries of the messages , in a quantum state , where , where the orthogonal bases are not mutually orthogonal, for , and where indicates which subsystem of encodes the number in the basis , for .
We suggest to extend the class to -out-of- DQACM protocols as follows. For , Alice and Bob perform the following actions. In the stage I, Alice randomly chooses and , for . Alice prepares copies of the quantum state . More precisely, Alice prepares a quantum system , with for , in the quantum state that she gives to Bob. Bob measures each subsystem of in the basis and obtains classical measurement outcomes , for , where are different numbers input by Bob from the set indicating that Bob wishes to learn Aliceâs inputs . In the stage II, Alice gives to Bob. Bob then uses , and his outcome to obtain , for . Thus, we see that Bob obtains , as required. We leave as an open problem to investigate whether the -out-of- DQACM protocols of this class are unconditionally secure against dishonest Bob.
VIII.3 Further generalizations of SCOT
More generally, we can consider SCOT settings in which Alice inputs some messages in specific regions of spacetime, Bob generates inputs in some regions of spacetime, and Bob obtains some outputs correlated to some of Aliceâs inputs in some specific regions of spacetime. Alice and Bob previously agree on spacetime constraints indicating regions of spacetime where Alice should be unable, or able, to obtain specific information about Bobâs inputs; and indicating also regions of spacetime where Bob should be able or unable to obtain specific information about Aliceâs inputs. The SCOT settings and protocols that we have discussed in this paper are particular examples within this general setting.
One could consider generalizations with more than two parties. Additionally, although we have focused here in output spacetime regions that are pairwise spacelike separated, one could also consider that some output spacetime regions are timelike separated. We expect that in the latter case the security guarantees would be softened.
IX Discussion
In addition to the LODT protocol of Ref. Kent (2011b) and the one-out-of-two SCOT protocols of Refs. PitalĂșa-GarcĂa (2016); PitalĂșa-GarcĂa and Kerenidis (2018), the one-out-of- SCOT protocols and generalizations presented here are further examples of unconditionally secure spacetime-constrained secure computations. Spacetime-constrained secure computation is a research problem initially outlined by Kent Kent (2011b), in which, in addition to the requirements of standard secure computations Yao (1982), the inputs and outputs of the computation are restricted to be within constrained regions of spacetime. By definition, in these tasks the inputs and outputs consist in classical information.
It would be interesting to investigate connections between SCOT and other quantum relativistic cryptographic tasks that have some intrinsically quantum inputs, for example, summoning Kent (2013), in its various versions Kent (2013); Hayden and May (2016); Adlam and Kent (2016); Kent (2018); Hayden and May (2018), where a given quantum state must be returned at specific regions of spacetime. In particular, in the localize-exclude task introduced in Ref. Hayden and May (2018), a quantum state must be localized to a collection of authorized spacetime regions while guaranteeing that the state cannot be localized to unauthorized spacetime regions. It would be interesting to investigate connections between SCOT and the localize-exclude task, or other versions of summoning. For example, can SCOT be used as a subroutine to implement a summoning task, or vice versa?
The defined task of one-out-of- DQACM allowed us to construct an unconditionally secure class of one-out-of- SCOT protocols that do not require to transmit quantum states between distant locations. We provided examples of unconditionally secure one-out-of- DQACM protocols, hence of unconditionally secure one-out-of- SCOT protocols. We believe that one-out-of- DQACM and one-out-of- SCOT, and generalizations (e.g. in the -out-of- setting), may be useful primitives to build other cryptographic tasks with no-communication constraints, due to spacelike separation or otherwise. For example, our proposed (or other) unconditionally secure protocols for one-out-of- DQACM can be used to implement the task of bit string coordination, which is a primitive to perform some supermoney schemes: virtual tokens that are capable to guarantee unconditional security based on the laws of quantum physics and relativity Kent (2019).
The tasks of one-out-of- and -out-of- distributed quantum access with classical memory (DQACM) introduced here seem related to quantum random access codes, with security conditions similar to those of one-out-of- and -out-of- oblivious transfer, hence the name we chose to denote these tasks. Broadly speaking, in a quantum random access code (QRAC) Wiesner (1983); Ambainis et al. (1999), Alice encodes various classical messages in a quantum state, and Bob decides which message to access. For example, a quantum random access code is a scheme in which Alice encodes bits into qubits in such a way that Bob can recover any bit of his choice with a probability , where in general one considers . The first motivation to study QRACs was given by Wiesner Wiesner (1983), who introduced the concept of QRACs with the name of âconjugate codingâ, in quantum cryptography: quantum money that is impossible to counterfeit. In the literature of QRACs, the questions that are mainly investigated relate to the efficiency of the encodings. For example, one investigates for which values of and with there exist QRACs with Ambainis et al. (1999, 2002); Hayashi et al. (2006), the maximum achievable values of given and , how extra resources like randomness Ambainis et al. (2009) and entanglement PawĆowski and ƻukowski (2010) improve the efficiency of the encodings, etc. Extensions in which Alice encodes dits in qudits, where Bob can retrieve any dit of his choice with probability , for , are considered in Ref. LiabĂžtrĂž (2017). Extensions of QRACs codes in which Alice encodes, and Bob decodes, intrinsically quantum information were introduced in Ref. PitalĂșa-GarcĂa (2013). In Ref. Spekkens et al. (2009), a variation of QRACs denoted as parity oblivious multiplexing was investigated within a framework of operational theories containing quantum theory as a particular case, and an experimental demonstration of QRACs was performed. It would be interesting to investigate these questions for DQACM, and to investigate further connections between QRACs and DQACM. In particular, can we use results, or intuitions, gained from QRACs to construct unconditionally secure DQACM protocols?
Our proposed protocols for one-out-of- DQACM and SCOT tolerate small error rates, but they do not consider losses. Although dealing with losses is standard in quantum cryptography, it would be interesting to investigate explicit protocols, as in the lines suggested in Ref. PitalĂșa-GarcĂa and Kerenidis (2018) for the one-out-of-two case, for instance. Obtaining unconditionally secure protocols with higher allowed error rated would be helpful too. Furthermore, it would be interesting to prove, or disprove, that our proposed -out-of- DQACM protocols are unconditionally secure. More generally, it would be interesting to find further unconditionally secure SCOT protocols, for example, for the generalized versions of SCOT suggested in section VIII.
Acknowledgements.
The author acknowledges financial support from the European Research Council project QCC and from the project SPACE17RPSMT-SATT1PITKER during his work at IRIF, Université Paris Diderot, and from the UK Quantum Communications Hub grant no. EP/M013472/1 during his work at the CQIF, DAMTP, University of Cambridge.
Appendix A Proof of the bound (34)
We show the bound (34) for the case and . The proof follows straightforwardly for the general case with .
For fixed and , we define the sets \tau=\bigl{\{}j\in[n]\big{|}s^{j}_{v^{j},1}=s^{j}_{0}\bigr{\}} and \tau_{c}=\bigl{\{}j\in[n]\big{|}s^{j}_{v^{j},1}\neq s^{j}_{0}\bigr{\}}. We define , that is, is the number of entries of corresponding to a permutation that takes to where â?â denotes any allowed entry after the permutation. As explicitly stated by the notation, we see that only depends on , but not on . Using the definitions (2) and (VI.3.1), we express and by
[TABLE]
Below we compute . We express the left hand operator in terms of the dummy variables and the right hand one in terms of . The operator is expressed in terms of . For this computation we use the following properties: 1) from the definitions of and , we have that for , and for ; 2) summing over we obtain because , since \bigl{\{}\Pi^{\mathbb{r}_{0}}_{0\mathbb{s}}\bigr{\}}_{\mathbb{r}_{0}\in\Omega^{n}} is a projective measurement; and 3) (the identity on a -dimensional Hilbert space) because is an orthonormal basis of a -dimensional Hilbert space, for . Thus, after summing over , for with and , we obtain
[TABLE]
where \text{I}_{v^{j}}=\bigl{\{}i\in[m-1]\big{|}s_{i}^{j}\neq s^{j}_{v^{j},1}\bigr{\}}.
Using \Bigl{\lvert}\Bigl{\langle}\alpha_{r_{0}^{j}}^{0}\Big{|}\alpha_{w_{1}^{j}}^{1}\Bigr{\rangle}\Bigr{\rvert}^{2}\leq\lambda from (4) and , we obtain
[TABLE]
Using that \bigl{\{}\Pi^{\mathbb{r}_{0}}_{0\mathbb{s}}\bigr{\}}_{\mathbb{r}_{0}\in\Omega^{n}} and \bigl{\{}\Pi^{\mathbb{w}_{1}}_{1\mathbb{s}_{\mathbb{v}}}\bigr{\}}_{\mathbb{w}_{1}\in\Omega^{n}} are projective measurements, it is straightforward to see that the right-hand term of (39) times is a projector. Thus, , which implies (34).
We have shown (34) for the particular case and . But, since from (4) we have \bigl{\lvert}\bigl{\langle}\alpha_{r}^{l_{0}}\big{|}\alpha_{w}^{l_{1}}\bigr{\rangle}\Bigr{\rvert}^{2}\leq\lambda for any pair of different numbers , and for any , it is straightforward to see from the derivation above that the bound (34) holds for any pair of different numbers .
Appendix B Details about the quantum measurements of Bobâs agents
Here we show that the following two procedures (1) and (2) described below are mathematically equivalent. More precisely, for any pair of different numbers , we show that the joint probability that Bobâs agent obtains a particular outcome as his guess of and Bobâs agent obtains a particular outcome as his guess of in procedure (1) is the same in procedure (2), for any , where it is assumed that is the set of possible values of , for .
In the procedure (1), Bobâs agent receives the quantum state in a quantum system from Aliceâs agent , he introduces an ancillary system and applies a unitary operation on , then he applies a quantum measurement on obtaining a classical outcome , with being recorded in systems , and , where . partitions the joint system into and . inspects from his system and then he sends to Aliceâs agent , and () and () to Bobâs agent (). Bobâs agent () obtains the value from the system () and then applies a projective measurement () on () and obtains a classical outcome () which is his guess of ().
In the procedure (2), applies the following quantum operation on , where : prepares the quantum system in a quantum state , he applies a unitary operation on , and then he applies a unitary operation on the total system , where the joint system is partitioned into the subsystems and (as in the procedure (1)). The unitary operation consists in applying the quantum measurement on and preparing each of the quantum systems , and in a quantum state , conditioned on the outcome of being , where is an orthonormal basis of each of the quantum systems , and , for . Conditioned on the outcome of being , sends to Aliceâs agent in part of the system , and sends the joint system () to Bobâs agent (). A quantum measurement is applied on the joint system , with obtaining the outcome from , which is his guess of . Bobâs agent applies a quantum measurement on the joint system and obtains a classical outcome , which is his guess of .
We give details of the procedures (1) and (2) described above. The quantum state is transmitted to Bobâs agent . Bobâs agent introduces an ancillary system , which includes a system of arbitrary finite Hilbert space dimension and extra ancillary systems , and , each one of Hilbert space dimension . The system is set initially to an arbitrary quantum state , and the systems , and are set initially to the state , where is an orthonormal basis of , and , and where . Bobâs agent applies an arbitrary unitary operation on the joint quantum system . The global state is transformed into the state , where
[TABLE]
and where the joint quantum system is partitioned into two subsystems and .
Consider the unitary operation applied on the whole system :
[TABLE]
where is a unitary operation acting on a Hilbert space of dimension satisfying , for ; and where is a projective measurement on . Consider the projective measurement on , for , and , where is the set of possible values of .
Consider the projectors
[TABLE]
acting on , and the projectors
[TABLE]
acting on , for and . It is straightforward to see that is a projective measurement acting on , for and .
It is straightforward to see that, for any pair of different numbers , the joint probability that obtains a particular outcome as his guess of and obtains a particular outcome as his guess of in procedure (1) is the same in procedure (2), for any , as claimed.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1PitalĂșa-GarcĂa (2016) D. PitalĂșa-GarcĂa, Phys. Rev. A 93 , 062346 (2016) . · doi â
- 2PitalĂșa-GarcĂa and Kerenidis (2018) D. PitalĂșa-GarcĂa and I. Kerenidis, Phys. Rev. A 98 , 032327 (2018) . · doi â
- 3Kilian (1988) J. Kilian, in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC â88 (ACM, New York, 1988) pp. 20â31.
- 4Yao (1982) A. C. Yao, in 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982) (IEEE, Chicago, IL, 1982) pp. 160â164.
- 5Yao (1986) A. C. Yao, in 27th Annual Symposium on Foundations of Computer Science (SFCS 1986) (IEEE, Toronto, ON, 1986) pp. 162â167.
- 6Wehner et al. (2008) S. Wehner, C. Schaffner, and B. M. Terhal, Phys. Rev. Lett. 100 , 220502 (2008) . · doi â
- 7Lo (1997) H.-K. Lo, Phys. Rev. A 56 , 1154 (1997) . · doi â
- 8Colbeck (2007) R. Colbeck, Phys. Rev. A 76 , 062308 (2007) . · doi â
