Approximate quantum state sharing via two private quantum channels
aa r X i v : . [ qu a n t - ph ] N ov Approximate quantum state sharing via two private quantum channels
Dong Pyo Chi and Kabgyun Jeong Department of Mathematical Sciences, Seoul National University, Seoul 151-742, Korea Nano Systems Institute (NSI-NCRC), Seoul National University, Seoul 151-742, Korea (Dated: November 3, 2018)We investigate the approximate quantum state sharing protocol based on random unitary chan-nels, which is secure against any exterior or interior attackers in principle. Although the protocolleaks small information for a security parameter ε , the scheme still preserves its information-theoreticsecrecy, and reduces some pre-shared classical secret keys for a private quantum channel betweena sender and two receivers. The approximate private quantum channels constructed via randomunitary channels play a crucial role in the proposed quantum state sharing protocol. PACS numbers: 03.67.-a, 03.67.Dd
I. INTRODUCTION
Quantum physics allows us a perfect randomness, so most of all quantum information-theoretic primitives try tooffer an unconditional security under the randomness. For examples, quantum key distribution protocols such asBB84 [1] and B92 [2] highly depend on a random measurements for given classified non-orthogonal quantum states.Instead of the random measurement on non-orthogonal states, we can consider a direct randomization of quantumstates through a quantum channel. This randomizing procedures are efficiently accomplished via the private quantumchannels (PQC) or quantum one-time pads [3]. In the paper we are interest to some schemes for approximate encryptions (no perfect) and we make an attempt to reducing some classical communication resources. We wouldlike to call the randomizing procedures or maps as random unitary channels (RUC) in terms of quantum channels.There are several methods for the approximate randomizing quantum states, for examples, [4, 5, 8]: We here adaptthe procedure of Hayden et al. [4].Many applications of RUC in quantum protocols (See e.g., [4, 6, 7].) are started from the approximate version ofPQC. Here we will propose new approximate quantum state sharing (AQSS) scheme, which uses two approximatePQCs (APQC) and reduces the classical pre-shared secrets about one-half as compared with a perfect protocol.Actually our protocol could be including the (well-known) quantum secret sharing protocols [9, 10], because a quantumstate itself is able to operate special quantum tasks, though those are impossible in the classical power. Imagine thatif there is a quantum computer only activated under a bipartite quantum state (or quantum key ), then our AQSSprotocol will give a efficient and secure solution for the quantum key. These approximate quantum state sharingprotocols may offer us more opportunities as compared with the quantum secret sharing.Let’s take account of the pre-shared secrets for the approximate quantum state sharing protocols under RUC-basedPQC roughly. Assume that a sender Charlie prepares a quantum state ϕ AB (two-qudit) and transmits the statethrough two independent RUCs, then two distant agents Alice and Bob will receive some output state of includinghigh entropy. For the state ϕ AB the perfect randomization protocol will require exactly the amount of 4 log d -unitarymatrices (Pauli matrices). On the other hand, the construction of Hayden et al. [4] for our AQSS scheme implies thatonly 2 log d + o (log d )-unitaries sufficient. In other words, the perfect quantum state sharing protocol needs to 2 l bitsof pre-shared secret information, while the AQSS protocol demands about l bits of information. Note that the worksin [5, 8] will give a similar result for l bits bound.We will prove the information-theoretic security of the AQSS scheme in two kinds of eavesdropping: an interiorand exterior attackers. The proof of having higher entropy condition for the exterior attacks is not easy fact, so wesplit the input state ϕ AB to separable and entangled cases. As a result, the von Neumann entropy in both cases canbe chosen sufficiently larger, and a leakage information will be arbitrarily small. Finally the authors show that ourbipartite AQSS scheme naturally can be generalized to an one-sender and multiparty-receivers schemes.In section II we introduce the definition of random unitary channels, and briefly mention about special propertyknown as the destruction of quantum states on a product random unitary channel. We present our AQSS protocolbased on two approximate PQCs in section III, and investigate the security of AQSS of considering two attacks: anexterior and interior strategies. we finally conclude our results in section IV. i i U i U i j Alice Bob Bob
FIG. 1: Approximate private quantum channel: Alice applies some U i ’s and Bob decodes N ( ϕ ) with i of having pre-sharedlog n bits classical information. II. SOME PROPERTIES OF RANDOM UNITARY CHANNELS
Now let us define the random unitary channel, and then construct an approximate private quantum channels. Forall density matrices ϕ ∈ B ( C d ), a completely positive trace-preserving map N : B ( C d ) → B ( C d ) is the so-called ε -randomizing , if (cid:13)(cid:13)(cid:13)(cid:13) N ( ϕ ) − d (cid:13)(cid:13)(cid:13)(cid:13) ≤ ε, (1)where the trace norm is defined by k X k = √ X † X . This definition directly induces the notion of random unitarychannels. That is, for every ϕ , a quantum channel N : B ( C d ) → B ( C d ) is called the random unitary channel , if N ( ϕ ) = n X i =1 p i U i ϕU † i (2)is ε -randomizing, where the unitary operators U i ∈ U ( d ), and the probability p i ’s are all positives with P i p i = 1.(The notation B ( C d ) denotes the set of bounded linear operators from C d to itself and U ( d ) ⊂ B ( C d ) the unitarygroup on C d .) Note that the parameter n is the number of Kraus operation elements for RUC, so it corresponds tothe dimension of arbitrary environment.For the approximate constructions of RUC, it was known that for all ε > d , such that n can be taken to be O ( d log d/ε ) in [4] and O ( d/ε ) in [12] where U i ’s arechosen randomly according to the Haar measure. We here fix the number n of having exactly n = dε , the Theorem1 in [12].As mentioned in the Introduction, most intuitive application of the random unitary channel is the approximate private quantum channel [4], which is a modification of the perfect private quantum channel [3] via RUC. The RUC-based APQC is the main tool of constructing the proposed AQSS protocol.The security of PQC is preserved by the argument of the accessible information in which the leakage information isless than ε . Although small information is leaked to exterior attackers, Bob’s decoding state is almost equal to Alice’soriginal state ϕ . The FIG. 1 describes the total procedure of APQC.In the next section we use two one-way independent PQCs between a sender Charlie and a receiver Alice, and thesender Charlie and another receiver Bob. Let’s define two RUCs, from the definition of (Eq. (2)), such that N A ( ϕ ) : = 1 n A n A X i =1 U i ϕU † i and (3) N B ( ϕ ) : = 1 n B n B X j =1 U j ϕU † j , where we fix the probability as an equally weighted probabilities p i = n A and p j = n B for all i, j , and assume that thenumber of n A is equal to n B , i.e., n A = n B = 150 d/ε . For an approximate state sharing of any bipartite quantumstate, above two channels play an important role in the approximate quantum state sharing scheme. ii U U i Charlie o j j U j y j BobAlice U i y FIG. 2: Approximate QSS: If Charlie-Alice and Charlie-Bob have shared two independent PQCs each other, then the productchannel N A ⊗ N B preserves the security with high probability for any attacks. The arrow denotes that Alice must go to Bob’slocation to obtain the state. For given two RUCs N A and N B , and for all input ϕ AB , we must bound the trace norm for the difference betweenan output state of the product channel N A ⊗ N B and maximally mixed /d , such that (cid:13)(cid:13)(cid:13)(cid:13) ( N A ⊗ N B )( ϕ AB ) − A ⊗ B d (cid:13)(cid:13)(cid:13)(cid:13) ≤ ε, (4)where a security parameter ε be a positive less than 1. The relation above asserts that all encoding states areinformation-theoretically secure. Unfortunately, for any entangled states proving the bound is not a simple task.Note that the argument for the (efficient) randomization is related to a destruction of correlations in quantumstates [4, 11]. They pointed out that the unitary operations of the amount corresponding to the quantum mutualinformation I [ A : B ] = S [ ϕ A ] + S [ ϕ B ] − S [ ϕ AB ] efficiently destroy the total correlation of any quantum states [11],where S [ ̺ ] = − tr ̺ log ̺ the von Neumann entropy. For the maximally entangled state ϕ AB = d P i,j | ii ih jj | AB , I [ A : B ] = 2 log d , which might be related to the Eq. (5).The following section gives the AQSS protocol and the security of the protocol. The last of the section, we brieflydescribe a multiparty AQSS scheme. III. APPROXIMATE QUANTUM STATE SHARING PROTOCOL
Let us assume that Charlie-Alice and Charlie-Bob have independent two APQCs, and Charlie wants to sharing abipartite quantum state ϕ AB securely between Alice and Bob.The protocol for a bipartite quantum state sharing is simple (See FIG. 2):(i) The sender Charlie selects a quantum state ϕ AB and transmits the state through the channel N A ⊗ N B to thereceivers Alice and Bob.(ii) Distant two parties Alice and Bob just hold the state N A ⊗ N B ( ϕ AB ) they received.(iii) When Alice and Bob want to reveal the original state ϕ AB , they must cooperate in a single location. Theyperform the inverse unitary operations under the locally shared keys.The security of the AQSS protocol is divided two cases of an exterior and interior attacks. Actually the securityis based on information-theoretic assumption, which means that the intercepted states must have the higher vonNeumann entropy. Thus any attackers cannot obtain sufficient information for the original states.First, let us consider an attack accomplished by an exterior Eve. Assume that Eve intercepts the state N A ⊗N B ( ϕ AB ). We here claim that S [( N A ⊗ N B )( ϕ AB )] ∼ d → ∞ (5)as d goes to infinity. We don’t know the accurate description for the state N A ⊗ N B ( ϕ AB ) for all inputs, so we willdivide the state ϕ AB into the separable and entangled one and investigate the behavior each other.If product state is given, it is possible to infer the inequality Eq. (4) easily. By using the triangle inequal-ity with respect to the trace norm for the two RUCs, if (cid:13)(cid:13) N A ( ϕ A ) − A d (cid:13)(cid:13) ≤ ε and (cid:13)(cid:13) N B ( ϕ B ) − B d (cid:13)(cid:13) ≤ ε , then (cid:13)(cid:13) ( N A ⊗ N B )( ϕ AB ) − AB d (cid:13)(cid:13) ≤ ε for ϕ AB = ϕ A ⊗ ϕ B . More formally assume that ϕ AB = P i p i ϕ A,i ⊗ ϕ B,i such that P i p i = 1, i.e., a separable state is given, then (cid:13)(cid:13)(cid:13)(cid:13) ( N A ⊗ N B )( ϕ AB ) − AB d (cid:13)(cid:13)(cid:13)(cid:13) = (cid:13)(cid:13)(cid:13)(cid:13)(cid:13)X i p i N A ( ϕ A,i ) ⊗ N B ( ϕ B,i ) − AB d (cid:13)(cid:13)(cid:13)(cid:13)(cid:13) ≤ X i p i (cid:13)(cid:13)(cid:13)(cid:13) N A ( ϕ A,i ) ⊗ N B ( ϕ B,i ) − AB d (cid:13)(cid:13)(cid:13)(cid:13) (6)= X i p i (cid:13)(cid:13)(cid:13)(cid:13) N A ( ϕ A,i ) ⊗ N B ( ϕ B,i ) − N A ( ϕ A,i ) ⊗ B d + N A ( ϕ A,i ) ⊗ B d − AB d (cid:13)(cid:13)(cid:13)(cid:13) ≤ X i p i (cid:20)(cid:13)(cid:13)(cid:13)(cid:13) N A ( ϕ A,i ) − A d (cid:13)(cid:13)(cid:13)(cid:13) + (cid:13)(cid:13)(cid:13)(cid:13) N B ( ϕ B,i ) − B d (cid:13)(cid:13)(cid:13)(cid:13) (cid:21) (7) ≤ ε, where the inequalities Eq. (6) and Eq. (7) come from the norm convexity and the triangle inequality, respectively [4].Thus any separable inputs for the product channel are very close to the maximally mixed state d . This implies that S [( N A ⊗ N B )( ϕ AB )] is close to 2 log d .For the separable input cases, there is another bound that depends on the dimension parameter d and n : We canprove that the expectation value for the difference between the channel output and the maximally mixed state (withrespect to the trace norm) is very close, that is, E { U i,j } (cid:13)(cid:13)(cid:13)(cid:13) ( N A ⊗ N B )( ϕ AB ) − d (cid:13)(cid:13)(cid:13)(cid:13) ≤ s d n A n B , (8)where E { U i,j } denotes the total expectation value of { U i } n A i =1 and { U j } n B j =1 for the independent RUCs N A and N B ,respectively. The Appendix in this paper states that the inequality Eq. (8) is non-trivial and obtained preciselyby exploiting the relation between the trace norm and the Hilbert-Schmidt norm. As mentioned above, let’s take n A = dε and n B = dε , then d √ n A n B = ε < ε. (9)This implies that Eve’s attack is impossible in principle.What can we do for an entangled input state? Though a direct proof could be impossible, there is an evidence forthe statement, the Eq. (5). The Theorem III.3 in [4] states that, for a positive operator-valued measure (POVM) { L i } which is implemented using local operation and classical communication (LOCC), P i k p i − q i k ≤ ε , where p i := tr( L i ( N A ⊗ B )( ϕ AB )) and q i := tr( L i ( A d ⊗ ϕ B )) with a maximally entangled state s.t. ϕ AB = d P di,j | ii ih jj | AB and ϕ B = tr A ϕ AB . Natural extension is possible as adding the channel N B : Define p i = tr( L i ( N A ⊗ N B )( ϕ AB )) and q i = tr( L i ( AB d )), then also P i k p i − q i k ≤ ε . Therefore, we can conclude the state N A ⊗ N B ( ϕ AB ) is close to d under the LOCC-implemented POVM. In this reason any input state ϕ AB through the product channel N A ⊗ N B have high entropy for d ≫ or Bob is malicious. Assume that Bob intercepts the Alice’s state N A ( ϕ A ), Bob’s decoded state looks like( N A ⊗ N ∗ B )( N A ⊗ N B )( ϕ AB ) = ( N A ⊗ B )( ϕ AB ) , (10)where ∗ denotes the inverse operation for Bob’s RUC N B , but S [ N A ( ϕ A )] has still high entropy values. The interceptedstate tr B ( N A ⊗ B )( ϕ AB ) is still almost maximally mixed state by the definition of the RUC N A ( ϕ A ). As a result,Bob cannot obtain any information for ϕ A without Charlie-Alice’s key information. Symmetrically Alice’s attack isuseless. In other words, the Charlie’s aim of sharing a quantum state ϕ AB between Alice and Bob will be securelyaccomplished.At least above-mentioned two attacks (exterior and interior eavesdropping) cannot break the security of the proposedAQSS protocol. so the cooperation between Alice and Bob always restores the original state approximately.In the proposed scenarios, the perfect protocol for quantum state sharing requires exactly d unitary operators,while our protocol only needs to total 22500 d /ε unitaries for sufficiently larger d . This fact directly means thatsome pre-shared key bits are reduced by factor 2, since the AQSS is needed 2 log d − ε + O (1) secret bits, but theperfect QSS is required 4 log d bits. For any state ϕ AB ∈ B ( C d ), and for any channel N AB (for an ε > (cid:13)(cid:13)(cid:13)(cid:13) N AB ( ϕ AB ) − d (cid:13)(cid:13)(cid:13)(cid:13) ≤ ε. (11)Then, it is sufficient to construct the perfect QSS ( ε = 0) with d Pauli operators for the channel N AB in the sense ofPQC [4, 8]. In the case of our approximate QSS, the product channel of two RUCs ( N AB = N A ⊗ N B ) just consumeof half secret bits, so we say that it is efficient in weak sense (though small information is always leaking).Without loss of generality, a direct extension of the bipartite quantum state sharing protocol (Eq. (8)) gives thesecurity of a multiparty approximate quantum state sharing (MAQSS). Assume that a sender Charlie ( C ) preparesan m -qudit ϕ A A ··· A m . If they initially have shared PQCs between C - A , C - A and so on, then, for any ε > (cid:13)(cid:13)(cid:13)(cid:13) ( N A ⊗ · · · ⊗ N A m )( ϕ A A ··· A m ) − d m (cid:13)(cid:13)(cid:13)(cid:13) ≤ ε. (12)The above Eq. (12) implies that any exterior attacks will be failed. Furthermore all interior attacks (including groupconspiracy) will be frustrated to obtain the whole state without others secrets, it has similar reason to the two receiversprotocol. Let’s look at the cost of secret bits for the MAQSS scheme. Roughly speaking, the perfect scheme requires2 m log d secret bits, but MAQSS only m log d + o (log d )-bits sufficient. IV. CONCLUSIONS
We studied that the approximate quantum state sharing schemes are efficient from the classical information costof view and those are robust to the two kinds of attacks. The proposed AQSS protocol basically depends on anapproximate private quantum channel, which is constructed via two independent random unitary channels. Althoughthe protocol leaks small information corresponding to the security parameter ε , the scheme preserves its information-theoretic security, and so the AQSS and MAQSS schemes can be interpreted as some high-efficiency state sharingprotocols for any bipartite and multipartite quantum states. Acknowledgments
This work was supported by Basic Science Research Program through the National Research Foundation of Ko-rea (NRF) funded by the Ministry of Education, Science and Technology (Grant No. 2009-0072627).
Appendix
For given two random unitary channels N A ( ϕ ) and N B ( ϕ ) in Eq. (3), and for all pure-separable states ϕ AB ∈ B ( C d ), k ( N A ⊗ N B )( ϕ AB ) k = tr( N A ⊗ N B ) ( ϕ AB )= 1 n A n B n A X i =1 n B X j =1 tr (cid:16) U i ⊗ U j ϕ AB U † i ⊗ U † j (cid:17) + 1 n A n B n A X i = k n B X j = l tr (cid:16) U i ⊗ U j ϕ AB U † i ⊗ U † j (cid:17) (cid:16) U k ⊗ U l ϕ AB U † k ⊗ U † l (cid:17) , (13)where tr (cid:16) U i ⊗ U j ϕ AB U † i ⊗ U † j (cid:17) = 1 for any pure states ϕ AB . (Note that this method is just an extension of thestatement, the chapter 3 in [8].)Recall that the unitary operators are chosen randomly according to the Haar measure, and take expectation overthe random selection of unitaries: E { U i,j } (cid:2) tr( N A ⊗ N B ) ( ϕ AB ) (cid:3) = 1 n A n B + 1 n A n B X i = k X j = l E { U i,j } tr (cid:16) U i ⊗ U j ϕ AB U † i ⊗ U † j (cid:17) (cid:16) U k ⊗ U l ϕ AB U † k ⊗ U † l (cid:17) = 1 n A n B + tr h E { U i,j } (cid:16) U i ⊗ U j ϕ AB U † i ⊗ U † j (cid:17) E { U k,l } (cid:16) U k ⊗ U l ϕ AB U † k ⊗ U † l (cid:17)i (14)= 1 n A n B + tr d (15)= 1 n A n B + 1 d . (16)In Eq. (14), we have used that U i,j and U k,l are chosen independently, and Eq. (15) inherited from the definition of theHaar measure. (For any ϕ ∈ B ( C d ), a Haar-distributed set U := { U i } ni =1 satisfies that E U U ϕU † = R U ϕU † dU = d .)The Eq. (15) exploits the separable condition for ϕ AB . Note that for any rank d matrix X k X k ≤ √ d k X k . For anyrank d matrix X , a generalization of the Corollary A.2 in [8] directly show that (cid:13)(cid:13)(cid:13)(cid:13) X − A ⊗ B d (cid:13)(cid:13)(cid:13)(cid:13) ≤ d k X k − . (17)Then, from considering the random variable Y := (cid:13)(cid:13) ( N A ⊗ N B )( ϕ AB ) − d (cid:13)(cid:13) and Eq. (16), E Y ≤ √ E Y ≤ q d k Y k − s d n A n B . [1] C. H. Bennett and G. Brassard, Quantum cryptography: Public-key distribution and coin tossing , In
Proceedings of IEEEInternational Conference on Computers, Systems and Signal Processing , p. 175, (1984).[2] C. H. Bennett,
Quantum cryptography using any two nonorthogonal states , Phys. Rev. Lett. , 3121 (1992).[3] A. Ambainis, M. Mosca, A. Tapp, and R. de Wolf, Private quantum channels , In
IEEE Symposium on Foundations ofComputer Sciences (FOCS) , p. 547, (2000).[4] P. Hayden, D. Leung, P. W. Shor, and A. Winter,
Randomizing quantum states: Constructions and applications , Commun.Math. Phys. , 371 (2004).[5] A. Ambainis and A. Smith,
Small Pseudo-Random Families of Matrices: Derandomizing Approximate Quantum Encryp-tion , In
Proceedings of RANDOM . p. 249 (2004).[6] A. Harrow, P. Hayden, and D. Leung,
Superdense coding of quantum states , Phys. Rev. Lett. , 187901 (2004).[7] C. H. Bennett, P. Hayden, D. Leung, P. W. Shor, and A. Winter, Remote preparation of quantum states , IEEE Trans. Inf.Theory , 56 (2005).[8] P. A. Dickinson and A. Nayak, Approximate Randomization of Quantum States With Fewer Bits of Key , AIP ConferenceProceedings , 18 (2006).[9] M. Hillery, V. Buˇzek, and A. Berthiaume,
Quantum secret sharing , Phys. Rev. A. , 1829 (1999).[10] A. Karlsson, M. Koashi, and N. Imoto, Quantum entanglement for secret sharing and secret splitting , Phys. Rev. A. ,162 (1999).[11] B. Groisman, S. Popescu, and A. Winter, Quantum, clasical, and total amount of correlations in a quantum state , Phys.Rev. A. , 032317 (2005).[12] G. Aubrun, On Almost Randomizing Channels with a Short Kraus Decomposition , Commun. Math. Phys.288