A simple protocol for certifying graph states and applications in quantum networks
Damian Markham
Laboratoire d’Informatique de Paris 6, CNRS, UPMC-Sorbonne Universites, 4 place Jussieu, 75005 Paris, France
Alexandra Krause
Laboratoire d’Informatique de Paris 6, CNRS, UPMC-Sorbonne Universites, 4 place Jussieu, 75005 Paris, France and Freie Universität Berlin, 14195 Berlin, Germany
We present a simple protocol for certifying graph states in quantum networks using stabiliser measurements. The certification statements can easily be applied to different protocols using graph states. We see for example how it can be used for measurement based verified quantum computation, certified sampling of random unitaries, quantum metrology and sharing quantum secrets over untrusted channels.
INTRODUCTION
Graph states are a family of multipartite quantum states, defined in one-to-one correspondence with a simple graph [1]. They are incredibly useful resources across quantum information, acting as the key entanglement resource for error correction [2], measurement based quantum computation [3], quantum secret sharing [4] and more [1]. Furthermore, they can be implemented in many different ways, for example in optics [5–7], [8, 9] including on chip [10], in ion traps [11, 12], superconducting qubits [13] and NV centres [14].

Many methods exist for testing graph states, varying in the trust that must be assumed and the kind of statements that are made. With respect to trust assumptions, on the one hand techniques such as tomography [15] and entanglement witnesses [16] make assumptions about the source and measurements (essentially that they are honest but noisy). On the other hand, tests which require the least trust, where neither the source nor the measurement devices are trusted, such as self testing [17], are incredibly demanding to implement in a way that closes all loopholes (necessary for security).

In this work we explore the middle ground, where (local) measurement devices are trusted, but sources and channels are not [7, 18–20]. Our statements of confidence are tailored to this end, following the language of quantum authentication [21], particularly suited to applications for quantum networks. At the end of the protocol one gets a quantum output - the state we want to use - and a classical output - which tells us whether we accept or reject. A successful test for us is then one that always accepts an ideal source and outputs the ideal source state (completeness), and for which, if it accepts, the state is not too far from the ideal state (soundness - see below for technical definitions).
With this in hand, we see how it can be used for certification for various quantum network tasks, in particular for delegated computation, generation of randomness, quantum metrology and quantum secret sharing.

For a given graph $G$ with vertices $V$, and denoting $N(i)$ as the neighbours of $i \in V$, associating a qubit to each vertex, a graph state $|G\rangle$ on $|V| = n$ qubits is defined through the associated stabiliser equations

$$|G\rangle = S_i |G\rangle, \tag{1}$$

where $S_i$ are the graph stabiliser operators, with generators $S_i := X_i \bigotimes_{j \in N(i)} Z_j$ associated to each of the $N$ vertices, and $X_i$ and $Z_i$ are Pauli operators. We denote the full stabiliser group $S = \{S_i\} = \langle S_1, ..., S_n \rangle$, which has $2^N$ elements. We say that the graph state $|G\rangle$ is shared amongst $n$ players, who depending on the application may be in one physical location or distributed across a network.

The idea of the protocol is very straightforward. The players ask the source for $M$ copies of the graph state. They choose at random one of these to be used, and all the rest are tested by randomly choosing a stabiliser operator and checking it returns the value +1. Since the malicious parties (the source, channel... everything except the players) do not know beforehand which copy will be tested or used, the only way they will always pass all the tests is if the players receive the intended graph state all $M$ times.

PROTOCOL
Many variants of the protocol are possible, adapted in ways that may depend on the application or implementation at hand. For clarity we present one particularly simple variant of the protocol. Afterwards we will comment on other possibilities. We start from the standard assumption that the honest parties, the players, share a secret classical key $k = \{r, t\}$, composed of $r \in [1...M]$ and $t = \{t_i\}_{i \neq r}$, $t_i \in [1, ..., n]$, denoting $\mathcal{K}$ the set of all keys ($k \in \mathcal{K}$). The protocol follows the steps below.

1. The source distributes $M$ $n$-partite systems to the $n$ players. In the honest case, this will be $M$ copies of the graph state $|G\rangle$.
2. For copy $i \neq r$, each player performs their part of the measurement of stabiliser $S_{t_i}$. If all the stabilisers output value +1, Accept, otherwise Reject.
3. For copy $r$ the state is the quantum output of the protocol.

The variable $M$ plays the role of security parameter (see (9)). We briefly comment on some variants. Different parts of the protocol can be changed depending on the application. Indeed, even the way the secret keys are shared before the first step may vary, as we will see for the application to secret sharing. The way that the outcomes of the tests in step 2 are shared, and acceptance or rejection decided, may be important for different cases, for example if some players in the network are dishonest or not trusted. One may also want to lower the accept threshold in step 2 to allow for noisy resource states, for example accepting if something less than 100% of stabiliser tests give the correct output +1. We will come back to these variants at different points later, but for now we continue with the simplest version presented above.

SECURITY
We first formalise our notions of security. For simplicity we encode the classical output as orthogonal quantum states $|ACC\rangle_R$ for accept and $|REJ\rangle_R$ for reject. The output state will in general depend on the classical key $k = \{r, t\}$. For each key $k \in \mathcal{K}$, we denote the output state of the players plus classical reference system as $\rho_k$. We say the protocol is $\epsilon$-secure if it satisfies the following two properties.

• Completeness. If the players receive $M$ copies of the ideal resource state $|G\rangle$, then for all keys $k$

$$\rho_k = |G\rangle_P\langle G| \otimes |ACC\rangle_R\langle ACC|. \tag{2}$$

• Soundness. Denoting the expected output state over all key strings as $\rho_{out} := \frac{1}{|\mathcal{K}|} \sum_{k \in \mathcal{K}} \rho_k$, and denoting the projection $P_{fail} := (I - |G\rangle_P\langle G|) \otimes |ACC\rangle_R\langle ACC|$, then

$$\mathrm{Tr}(P_{fail}\, \rho_{out}) \leq \epsilon. \tag{3}$$

Completeness is trivially guaranteed since the test uses the stabilisers of the state itself, so it will always accept. Soundness follows through a similar reasoning to that in [20]. Let us denote by $\rho$ the state of all the $M \cdot n$ systems that the players receive in step 1 of the protocol. In order to bound (3) we only need to consider the output state conditioned on accept; let us denote it by $\rho_{ACC}$. To find this we start with the fact that for a given key $k = \{r, t\}$, the projection corresponding to accepting all $M - 1$ tests is

$$M^{r,t}_{accept} = \bigotimes_{i \neq r} \frac{(S_{t_i} + I_i)}{2} \otimes I_r. \tag{4}$$

From this we have that $\rho_{ACC}$ can be written as

$$\rho_{ACC} = \sum_{r=1}^{M} \sum_{t} \frac{1}{M |S|^{M-1}}\, \rho_{r,t}, \tag{5}$$

with

$$\rho_{r,t} = \frac{1}{\mathrm{Tr}(M^{r,t}_{accept}\, \rho)}\, \mathrm{Tr}_{r^c}(M^{r,t}_{accept}\, \rho), \tag{6}$$

where $A^c$ denotes the complement of set $A$. Putting this together, we obtain

$$\mathrm{Tr}(P_{fail}\, \rho_{out}) = \frac{1}{M} \mathrm{Tr}(Q \rho), \tag{7}$$

where

$$Q = \sum_{r=1}^{M} \sum_{t} \frac{1}{|S|^{M-1}} \bigotimes_{i \neq r} \frac{S_{t_i} + I_i}{2} \otimes (I_r - |G\rangle\langle G|) = \sum_{r=1}^{M} \bigotimes_{i \neq r} \frac{I_i + |G\rangle_i\langle G|}{2} \otimes (I_r - |G\rangle_r\langle G|), \tag{8}$$

since $\frac{1}{|S|} \sum_i S_i = |G\rangle\langle G|$. Note that $Q$ is hermitian and positive. It then remains to check that all eigenvalues of $Q$ are smaller than 1, for which a proof can be found in the appendix.
It then follows that

$$\mathrm{Tr}(P_{fail}\, \rho_{out}) \leq \frac{1}{M}, \tag{9}$$

for all source states $\rho$.

The protocol also has natural extensions for higher prime dimensional graph states, where proofs also follow straightforwardly.

We now present several applications, where the security follows directly as above with a simple application of our protocol, or slight variants of the security statement are made (verified t-designs), or some of the variants of the simplest protocol mentioned above give the utility required (quantum secret sharing).

APPLICATIONS
We focus on applications that can be considered as a completely positive trace preserving (CPTP) map $\Gamma$ acting on the quantum output. Since fidelity is monotonic under CPTP maps, the usefulness or soundness is preserved. This is the case, for example, when further interaction with the source is not required to run the protocol. Formally, with respect to the CPTP application $\Gamma$ one defines a new fail projector,

$$P_{Fail}(\Gamma) := (I - \Gamma(|G\rangle\langle G|)) \otimes |ACC\rangle\langle ACC|. \tag{10}$$

Due to the monotonicity of fidelity, (3) implies that

$$\mathrm{Tr}\left(P^{\Gamma(G)}_{fail}\, \Gamma(\rho_B)\right) \leq \frac{1}{M}. \tag{11}$$

We now go through some examples of applications.
Verified blind quantum computation
In verified blind quantum computation a technologically limited Alice wishes to delegate some quantum computational task to a server, Bob, in such a way that Bob does not get information about the computation (blind), and moreover, that she can be confident the computation has been carried out correctly (verified). There are many techniques to achieve this - see [22] for a very recent overview.

In our scenario Alice is limited to single qubit measurements. Clearly this, on its own, is not enough for universal quantum computation. However, in measurement based quantum computation (MBQC), universal quantum computation is achieved by single qubit measurements on a graph state, with feed forward [3]. Importantly, the measurements can be made one qubit at a time. Thus, if Alice asks Bob to provide her with a universal graph state, either cluster states [3] or brickwork states [23] for example, Alice can perform the computation she wants. Moreover this is blind to Bob - he gets only minimal information, an upper bound to the size of the computation (given by the size of the graph state Alice asks for). To verify the computation Alice can simply apply our protocol to test and use a universal graph state of her choice.

One has the same notions of completeness and soundness as those above, replacing the graph state by the ideal output of the computation. Completeness follows immediately from the universality of the chosen graph state. For soundness, we simply note that Alice’s measurement sequence, which affects the computation, can be understood entirely as a CPTP map on the quantum output of our protocol. In this way, the condition (11) ensures soundness also.
More specifically, if we denote the ideal output of a computation as $\rho^{comp}_{ideal}$, and the average output of a given computation as $\rho^{comp}_{out}$, the failing projector becomes $P^{comp}_{Fail} := (I - \rho^{comp}_{ideal}) \otimes |ACC\rangle\langle ACC|$, and we have from (11) a verification soundness condition (see e.g. [24]),

$$\mathrm{Tr}(P^{comp}_{Fail}\, \rho^{comp}_{out}) \leq \frac{1}{M}. \tag{12}$$

Note that, compared to [24], this scaling with resources is poor. We will talk about this in the conclusions.

We also note that the idea of testing graph states for MBQC computation has been presented before in several measurement based verification schemes, e.g. [25], [26]. Indeed, this application of our protocol is almost identical to the verified computation scheme in [26], the main differences being in the specifics of the test (we measure settings chosen from all stabilisers, they use a subset) and the figure of merit used (we use the correctness and soundness above, they use the language of hypothesis testing). We present it here simply as an alternative possible scheme, with similar characteristics. As pointed out in [26], this scenario is suited to performing fault tolerant computation, since Alice could equally ask Bob for a resource graph state for fault tolerant computation, for example the topological scheme in [27] using 3D cluster states. This was the idea of the fault tolerant verified computation presented in [28]; note however that this works only if the errors on Alice’s measurement device are assumed to be independent from anything happening on Bob’s side.
Verified t-designs
Graph states can also be used to sample from a random ensemble of unitaries - this is effectively MBQC without correction, where the measurement outcomes index which unitary is implemented. In particular, in [29] it was shown that ensembles with a particularly useful property of being $t$-designs can be efficiently sampled using graph states. A $t$-design is an ensemble of unitaries with the property that its statistical moments match those of a Haar ensemble up to order $t$, with applications across quantum information and physics, for example in estimating noise [30], private channels [31], modelling thermalisation [32], photonics [33], and even black hole physics [34]. Later in [35] this approach was developed to show that efficient $t$-designs can be generated using a regular lattice similar to the brickwork state. Both results rely heavily on the construction of [36, 37] using random circuits.

Our protocol can be used to certify the application of a $t$-design random unitary onto an input, where the source of the graph state is not trusted. For each set of measurement outcomes $\bar{m}$, we denote the applied CPTP map on the graph state as $\Gamma_{\bar{m}}$. For simplicity we consider the action of the induced unitary on the input vertices $I \subset V$ corresponding to inputs in the state $|+\rangle$. Then [29, 35] state that measurement result $\bar{m}$, occurring with probability $p_{\bar{m}}$, applies a unitary on the input $|+\rangle^{\otimes |I|}$,

$$\Gamma_{\bar{m}}(|G\rangle) = U_{\bar{m}} |+\rangle^{\otimes |I|}, \tag{13}$$

such that the ensemble $\{p_{\bar{m}}, U_{\bar{m}}\}$ is an approximate $t$-design (see [29] for detailed definitions).

For security of verified t-designs one can replace the graph state in the definitions (2), (3) by the output state (13). The soundness is then guaranteed for each $\bar{m}$ by (11). It can easily be seen that one can flip this around to give a statement on the fidelity,

$$F(U_{\bar{m}} |\psi\rangle, \Gamma_{\bar{m}}(\rho_{ACC})) \geq 1 - \frac{1}{P_{acc} M}, \tag{14}$$

where $P_{acc}$ is the probability of passing the tests and $\rho_{ACC}$ is the output of the protocol conditioned on accepting.
Quantum Metrology
In quantum metrology entangled states are used to measure with more precision than is possible with classical probes [38]. The general setting can be understood as an interferometer which imparts a phase $\psi$ on one arm, each time a system passes through it. The idea is to send in many probes $N$ in an entangled state $\rho$, whereafter measurements can reveal the phase with higher precision than is possible when sending in separable states.

How well this process allows the parameter $\psi$ to be estimated is quantified by the Quantum Fisher Information, $\mathcal{F}_Q(\rho)$. Note, as indicated by the notation, for a simple interferometer the quantum Fisher information is independent of the value of $\psi$ since it is unitarily encoded [39, 40]. In particular, for $\nu$ independent repetitions of the process, the precision is characterised by the mean squared error $\Delta\tilde{\psi}$ of a (consistent and unbiased) estimator $\tilde{\psi}$, which is lower bounded by the Quantum Cramér-Rao Bound [41],

$$\Delta\tilde{\psi} \geq \frac{1}{\nu \mathcal{F}_Q(\rho)}. \tag{15}$$

For the standard interferometer, the best possible scaling with $N$ is achieved by the $N$-party GHZ state $\frac{1}{\sqrt{2}}(|0\rangle^{\otimes N} + |1\rangle^{\otimes N})$. Denoting its density matrix $\rho_{GHZ}$ we have $\mathcal{F}_Q(\rho_{GHZ}) = N^2$. The GHZ state is locally equivalent to a graph state for the fully connected graph. Our certification protocol can easily be adapted using the same local unitaries to test $\rho_{GHZ}$ (simply by rotating the test measurements accordingly).

In [40] they show that the quantum Fisher information of two states differs by an amount bounded by their fidelity

|F Q ( ρ ) − F Q ( σ ) | ≤ p − F ( ρ, σ ) N , (16)

if $\rho$ or $\sigma$ are pure. That is, if two states are close, as measured by their fidelity, their usefulness for quantum metrology is close. Given the fidelity bound implied by our test (14), we see that the quantum Fisher information is also bounded. For the rotated protocol testing a GHZ state, given the output state conditioned on accepting $\rho_{ACC}$, we have,

F Q ( ρ ACC ) ≥ N (cid:18) − P ACC M (cid:19) . (17)

Secret sharing over untrusted channels
In quantum secret sharing a dealer wishes to distribute a secret quantum state amongst $N$ players such that only certain subsets of players can access the secret - the authorised sets. It was shown in [4, 42] that any secret sharing scheme can be implemented using graph states. However, these rely on the trusted sharing of the graph state. If we are careful, a variant of our protocol can be used to boost these protocols to one where the network of dealer and players does not need to trust the source of the graph state or the channels used to share them.

There are two important subtleties in the application of our protocol here, stemming from the fact that unauthorised sets of players should be treated as adversaries. Firstly, it makes their inclusion in the stabiliser tests not ideal. Secondly, if they also have access to the random key $k$ this could potentially allow attacks. In [20] a protocol was presented which can be understood as a variant of the application of our scheme where i) the stabiliser tests are restricted to an authorised set, and ii) the classical key $k$ is distributed by a classical secret sharing scheme, with the same access structure. A proof of principle example of this protocol was implemented in [7], demonstrating its simplicity.

CONCLUSIONS
In this work we have presented a protocol for certifying graph states and a few applications in quantum networks. There are clearly some applications that our protocol would not be suited for - namely ones where further interactions are required with Bob. Such interactions may allow Bob to correlate his strategy in cheating the ‘test’ part with the future applications, potentially threatening functionality (be it security or otherwise). Nevertheless its simplicity lends itself to many applications as we have seen, not only in the form of the protocol presented here, but also in its suitability to permit variants, as with secret sharing. A simple variant can also deal with noisy states, for example, where one would not expect even an honest noisy source to pass all the time. In such a case one can change the accept requirement to require some smaller portion of correct answers. One can adapt the security statements and proofs to this end without too much difficulty.

We end with a discussion on the scaling of the soundness condition with $S$. In the kind of protocol presented here, it is impossible to beat the $1/S$ scaling. This is clear simply because a malicious party can behave honestly for all but one requested state, and send one false/dishonest state. With probability $1/S$ the malicious party’s choice of when to be dishonest coincides with the user’s choice of which one would be used and not tested, so the strategy passes the test perfectly yet the state can be arbitrarily far from the ideal one and potentially ruin whatever application. Thus in order to beat the $1/S$ scaling one expects to need some more entanglement. This can be done, for example, by encoding the desired state on some randomly chosen error correcting code - the essential trick used in the original authentication paper by Barnum et al [21]. Such an approach can give an exponential scaling in security with the number of systems sent. The downside now is that the entanglement required scales with the security.
This then suggests a tradeoff between entanglement and scaling.

In this context, the advantage of our protocol is that, for many applications, the difficulty in implementing a certified version of an application becomes only the same difficulty as producing the same resource state many times, rather than asking for much more difficult larger, scaling, entanglement. In optics for example, this advantage makes certified secret sharing possible [7]; doing so with an entangled code version would require impractical scaling in entanglement.

ACKNOWLEDGEMENTS
We thank Elham Kashefi, Peter Turner and Gérard Duchamp for useful discussions. AK is grateful to the ERASMUS program which supported the visit resulting in this collaboration. DM is grateful for funding from ANR COMB.

[1] M. Hein, J. Eisert, and H. J. Briegel, Physical Review A, 062311 (2004).
[2] D. Schlingemann and R. F. Werner, Physical Review A, 012308 (2001).
[3] R. Raussendorf and H. J. Briegel, Physical Review Letters, 5188 (2001).
[4] D. Markham and B. C. Sanders, Physical Review A, 042309 (2008).
[5] X.-L. Wang, L.-K. Chen, W. Li, H.-L. Huang, C. Liu, C. Chen, Y.-H. Luo, Z.-E. Su, D. Wu, Z.-D. Li, et al., Physical Review Letters, 210502 (2016).
[6] S. Barz, E. Kashefi, A. Broadbent, J. F. Fitzsimons, A. Zeilinger, and P. Walther, Science, 303 (2012).
[7] B. Bell, D. Markham, D. Herrera-Martí, A. Marin, W. Wadsworth, J. Rarity, and M. Tame, arXiv preprint arXiv:1411.5827 (2014).
[8] Y. Cai, J. Roslund, G. Ferrini, F. Arzani, X. Xu, C. Fabre, and N. Treps, Nature Communications, 15645 (2017).
[9] S. Yokoyama, R. Ukai, S. C. Armstrong, C. Sornphiphatphong, T. Kaji, S. Suzuki, J.-i. Yoshikawa, H. Yonezawa, N. C. Menicucci, and A. Furusawa, Nature Photonics, 982 (2013).
[10] M. A. Ciampini, A. Orieux, S. Paesani, F. Sciarrino, G. Corrielli, A. Crespi, R. Ramponi, R. Osellame, and P. Mataloni, Light: Science & Applications, e16064 (2016).
[11] J. T. Barreiro, M. Müller, P. Schindler, D. Nigg, T. Monz, M. Chwalla, M. Hennrich, C. F. Roos, P. Zoller, and R. Blatt, Nature, 486 (2011).
[12] T. Monz, P. Schindler, J. T. Barreiro, M. Chwalla, D. Nigg, W. A. Coish, M. Harlander, W. Hänsel, M. Hennrich, and R. Blatt, Physical Review Letters, 130506 (2011).
[13] C. Song, K. Xu, W. Liu, C.-p. Yang, S.-B. Zheng, H. Deng, Q. Xie, K. Huang, Q. Guo, L. Zhang, et al., Physical Review Letters, 180511 (2017).
[14] J. Cramer, N. Kalb, M. A. Rol, B. Hensen, M. S. Blok, M. Markham, D. J. Twitchen, R. Hanson, and T. H. Taminiau, Nature Communications (2016).
[15] G. M. D’Ariano, M. G. Paris, and M. F. Sacchi, Advances in Imaging and Electron Physics, 206 (2003).
[16] B. Jungnitsch, T. Moroder, and O. Gühne, Physical Review A, 032310 (2011).
[17] M. McKague, in Conference on Quantum Computation, Communication, and Cryptography (Springer, 2011) pp. 104–120.
[18] A. Pappa, A. Chailloux, S. Wehner, E. Diamanti, and I. Kerenidis, Physical Review Letters, 260502 (2012).
[19] W. McCutcheon, A. Pappa, B. Bell, A. McMillan, A. Chailloux, T. Lawson, M. Mafu, D. Markham, E. Diamanti, I. Kerenidis, et al., Nature Communications, 13251 (2016).
[20] D. Markham and A. Marin, in International Conference on Information Theoretic Security (Springer, 2015) pp. 1–14.
[21] H. Barnum, C. Crépeau, D. Gottesman, A. Smith, and A. Tapp, in Foundations of Computer Science, 2002. Proceedings. The 43rd Annual IEEE Symposium on (IEEE, 2002) pp. 449–458.
[22] A. Gheorghiu, T. Kapourniotis, and E. Kashefi, arXiv preprint arXiv:1709.06984 (2017).
[23] A. Broadbent, J. Fitzsimons, and E. Kashefi, in Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on (IEEE, 2009) pp. 517–526.
[24] J. F. Fitzsimons and E. Kashefi, arXiv preprint arXiv:1203.5217 (2012).
[25] M. Hayashi and M. Hajdusek, arXiv preprint arXiv:1603.02195 (2016).
[26] M. Hayashi and T. Morimae, Physical Review Letters, 220502 (2015).
[27] R. Raussendorf, J. Harrington, and K. Goyal, New Journal of Physics, 199 (2007).
[28] K. Fujii and M. Hayashi, Physical Review A, 030301 (2017).
[29] P. S. Turner and D. Markham, Physical Review Letters, 200501 (2016).
[30] J. Emerson, Y. S. Weinstein, M. Saraceno, S. Lloyd, and D. G. Cory, Science, 2098 (2003).
[31] P. Hayden, D. Leung, P. W. Shor, and A. Winter, Communications in Mathematical Physics, 371 (2004).
[32] M. P. Müller, E. Adlam, L. Masanes, and N. Wiebe, Communications in Mathematical Physics, 499 (2015).
[33] J. C. Matthews, R. Whittaker, J. L. O’Brien, and P. S. Turner, Physical Review A, 020301 (2015).
[34] P. Hayden and J. Preskill, Journal of High Energy Physics, 120 (2007).
[35] R. Mezher, J. Ghalbouni, J. Dgheim, and D. Markham, arXiv preprint arXiv:1709.08091 (2017).
[36] F. G. Brandao, A. W. Harrow, and M. Horodecki, arXiv preprint arXiv:1208.0692 (2012).
[37] F. G. Brandão, A. W. Harrow, and M. Horodecki, Physical Review Letters, 170502 (2016).
[38] V. Giovannetti, S. Lloyd, and L. Maccone, Nature Photonics, 222 (2011).
[39] G. Tóth and I. Apellaniz, Journal of Physics A: Mathematical and Theoretical, 424006 (2014).
[40] R. Augusiak, J. Kołodyński, A. Streltsov, M. N. Bera, A. Acin, and M. Lewenstein, Physical Review A, 012339 (2016).
[41] S. L. Braunstein and C. M. Caves, Physical Review Letters, 3439 (1994).
[42] A. Keet, B. Fortescue, D. Markham, and B. C. Sanders, Physical Review A, 062315 (2010).

Appendix
We can write $Q$ (8) as

$$Q = \sum_{r=1}^{M} Q_r \tag{18}$$

with

$$Q_r = \bigotimes_{i \neq r} \frac{I_i + |G\rangle_i\langle G|}{2} \otimes (I_r - |G\rangle_r\langle G|). \tag{19}$$

Let's define $A$ as $\frac{I + |G\rangle\langle G|}{2}$ and $B$ as $I - |G\rangle\langle G|$. An eigenvector of $A$ with eigenvalue 1 is just given by $|G\rangle$. Denoting by $|G'\rangle$ an eigenvector of $B$ with eigenvalue 1, a complete eigenbasis for $Q$ is given by all possible combinations of tensor products of those vectors. $B$ acts on $|G\rangle$ as $B|G\rangle = |G\rangle - |G\rangle = 0$, while $A|G'\rangle = \frac{1}{2}(|G'\rangle + |G\rangle\langle G|G'\rangle) = \frac{1}{2}|G'\rangle$ as $\langle G|G'\rangle = 0$.

We can then write $Q_r = \bigotimes_{i=1}^{r-1} A_i \otimes B_r \otimes \bigotimes_{l=r+1}^{M} A_l$, where $r$ denotes the position of $B$ in the tensor product. We then denote the $k$-th family of eigenvectors, where $|G'\rangle$ appears $k$ times, as $|\mathrm{Eig}\rangle_k = \bigotimes^{j} |G\rangle \bigotimes^{k} |G'\rangle$ with $k + j = M$.

To determine the action of $Q_r$ on $|\mathrm{Eig}\rangle_k$, we have to distinguish the following cases. Let $r$ be in $[1, M - k]$. $|G\rangle$ will then be projected to the eigenvalue 0, so that these cases are trivial. Regarding $r$ in $[k, M]$ gives us $B|G'\rangle = |G'\rangle$. After that, $A$ acts on the remaining $k - 1$ copies of $|G'\rangle$, giving the eigenvalue $\frac{1}{2^{k-1}}$.

Putting this together, and regarding the symmetry of $Q$ with respect to permutations of $r$ within the sum, the distribution of $|G\rangle$ and $|G'\rangle$ in the eigenvectors does not matter. It suffices to know how often $|G'\rangle$ appears. The sum contains $M - k$ elements with eigenvalue 0 and the remaining $k$ elements with eigenvalue $\frac{1}{2^{k-1}}$. The summation then gives as eigenvalue $\frac{k}{2^{k-1}}$ for every $|\mathrm{Eig}\rangle_k$
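
The check below is an added example, not code from the paper: it enumerates every key $k = (r, t)$ for a 3-qubit path graph and computes $\mathrm{Tr}(P_{fail}\rho_{out})$ exactly, covering both the bound (9) and the appendix's eigenvalue argument for the dishonest-source strategy discussed in the conclusions. Assumptions: each test stabiliser is drawn uniformly from the full group $S$ (as in (5)), the source sends a product of real-amplitude states across the $M$ copies, and all function names are this example's own.

```python
# Added example (not from the paper): exact Tr(P_fail rho_out) for sources that
# send a product of M real-amplitude n-qubit states, checked against 1/M.
# Assumption: each test stabiliser is drawn uniformly from the full group S.
from itertools import product
from math import sqrt


def graph_state(n, edges):
    """|G> amplitudes: 2^(-n/2) * (-1)^(number of edges with both bits set)."""
    amp = 1 / sqrt(2 ** n)
    return [amp * (-1) ** sum(((x >> a) & 1) & ((x >> b) & 1) for a, b in edges)
            for x in range(2 ** n)]


def apply_generator(psi, i, nbrs):
    """Apply S_i = X_i prod_{j in N(i)} Z_j to the state vector psi."""
    return [(-1) ** sum((x >> j) & 1 for j in nbrs[i]) * psi[x ^ (1 << i)]
            for x in range(len(psi))]


def accept_probability(psi, subset, nbrs):
    """P(+1) when the group element prod_{i in subset} S_i is measured on psi."""
    phi = psi
    for i in subset:
        phi = apply_generator(phi, i, nbrs)
    return (1 + sum(a * b for a, b in zip(psi, phi))) / 2


def failure_probability(n, edges, copies):
    """Average over all keys (r, t) of P(accept) * (1 - fidelity of copy r)."""
    M = len(copies)
    nbrs = {v: [b if a == v else a for a, b in edges if v in (a, b)]
            for v in range(n)}
    g = graph_state(n, edges)
    # Every subset of generators gives one of the 2^n stabiliser group elements.
    group = [[i for i in range(n) if (mask >> i) & 1] for mask in range(2 ** n)]
    p_acc = [[accept_probability(psi, s, nbrs) for s in group] for psi in copies]
    total, keys = 0.0, 0
    for r in range(M):                      # r = index of the copy that is used
        infidelity = 1 - sum(a * b for a, b in zip(g, copies[r])) ** 2
        tested = [i for i in range(M) if i != r]
        for t in product(range(len(group)), repeat=M - 1):
            p = 1.0
            for i, s in zip(tested, t):     # all M-1 tests must return +1
                p *= p_acc[i][s]
            total += p * infidelity
            keys += 1
    return total / keys


def demo(n=3, edges=((0, 1), (1, 2))):
    """Failure probability when k of M copies are Z_0|G>, orthogonal to |G>."""
    g = graph_state(n, edges)
    bad = [(-1) ** (x & 1) * a for x, a in enumerate(g)]   # constructed input
    return {(M, k): failure_probability(n, edges, [bad] * k + [g] * (M - k))
            for M in (2, 3, 4) for k in range(M + 1)}


if __name__ == "__main__":
    for (M, k), p in sorted(demo().items()):
        print(f"M={M} bad copies={k}: Tr(P_fail rho_out)={p:.4f}  1/M={1/M:.4f}")
```

For $k \geq 1$ orthogonal copies the value returned is $\frac{1}{M}\cdot\frac{k}{2^{k-1}}$, so one or two dishonest copies reach $1/M$ exactly and any larger $k$ falls below it.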