
Cryptography from Noisy Storage

2008, Physical Review Letters

Stephanie Wehner,1,∗ Christian Schaffner,2,† and Barbara M. Terhal3,‡

1 Institute for Quantum Information, Caltech, 1200 E California Blvd, Pasadena, CA 91125, USA
2 CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
3 IBM, Watson Research Center, P.O. Box 218, Yorktown Heights, NY, USA

arXiv:0711.2895v3 [quant-ph] 20 Jun 2008 (Dated: February 11, 2013)

We show how to implement cryptographic primitives based on the realistic assumption that quantum storage of qubits is noisy. We thereby consider individual-storage attacks, i.e. the dishonest party attempts to store each incoming qubit separately. Our model is similar to the model of bounded-quantum storage; however, we consider an explicit noise model inspired by present-day technology. To illustrate the power of this new model, we show that a protocol for oblivious transfer (OT) is secure for any amount of quantum-storage noise, as long as honest players can perform perfect quantum operations. Our model also allows us to prove the security of protocols that cope with noise in the operations of the honest players and achieve more advanced tasks such as secure identification.

Traditional cryptography is concerned with the secure and reliable transmission of messages. With the advent of widespread electronic communication new cryptographic tasks have become increasingly important. Examples of such tasks are secure identification, electronic voting, online auctions, contract signing and other applications where the protocol participants do not necessarily trust each other. It is well known that almost all these interesting tasks are impossible to realize without any restrictions on the participating players, neither classically nor with the help of quantum communication [8]. It is therefore an important task to come up with a cryptographic model which restricts the capabilities of adversarial players and in which these tasks become feasible.
It turns out that all such two-party protocols can be based on a simple primitive called 1-2 Oblivious Transfer [1] (1-2 OT), first introduced in [3, 4, 5]. Hence, 1-2 OT is commonly used to provide a "proof of concept" for the universal power of a new model. In 1-2 OT, the sender Alice starts off with two bit strings $S_0$ and $S_1$, and the receiver Bob holds a choice bit $C$. The protocol allows Bob to retrieve $S_C$ in such a way that Alice does not learn any information about $C$ (thus, Bob cannot simply ask for $S_C$). At the same time, Alice must be ensured that Bob only learns $S_C$, and no information about the other string $S_{1-C}$ (thus, Alice cannot simply send him both $S_0$ and $S_1$). A 1-2 OT protocol is called unconditionally secure when neither Alice nor Bob can break these conditions, even when given unlimited resources. In this letter, we propose a cryptographic model based on current practical and near-future technical limitations, namely that quantum storage is noisy. Thus the presence of noise, the very problem that makes it so hard to implement a quantum computer, can actually be turned to our advantage. Recently it was shown that secure OT is possible when the receiver Bob has a limited amount of quantum memory [13, 14] at his disposal. Within this 'bounded-quantum-storage model' OT can be implemented securely as long as a dishonest receiver Bob can store at most $n/4 - O(1)$ qubits coherently, where $n$ is the number of qubits transmitted from Alice to Bob. This approach assumes an explicit limit on the physical number of qubits (or more precisely, on the rank of the adversary's quantum state). However, at present we do not know of any practical physical situation which enforces such a limit for quantum information.

∗ wehner@caltech.edu; † c.schaffner@cwi.nl; ‡ bterhal@gmail.com
We therefore propose an alternative model of noisy quantum storage inspired by present-day physical implementations: we require no explicit memory bound, but we assume that any qubit that is placed into quantum storage undergoes a certain amount of noise. The advantage of our model is that we can evaluate the security parameters of a protocol explicitly in terms of the noise. In this letter, we show that the OT protocol from [14] is secure in our new model. This simple OT protocol could be implemented using photonic qubits (using polarization or phase encoding) with standard BB84 quantum key distribution [15, 16] hardware, only with different classical post-processing. We analyze the case where the adversary performs individual-storage attacks. More precisely, Bob may choose to (partially) measure (a subset of) his qubits immediately upon reception using an error-free product measurement. In addition he can store each incoming qubit, or the post-measurement state from a prior partial measurement, separately and wait until he gets additional information from Alice (at Step 3 in Protocol 1). Once he has obtained the additional information he may perform an arbitrary coherent measurement on his stored qubits using the stored classical data. We thereby assume that qubit $q_i$ undergoes some noise while in storage, and we also assume that the noise acts independently on each qubit. In the following, we use the super-operator $\mathcal{S}_i$ to denote the combined channel given by Bob's initial (partial) measurement and the noise. Practically, noise can arise as a result of transferring the qubit onto a different physical carrier, such as an atomic ensemble or atomic state for example, or into an error-correcting code with fidelity less than 1. In addition, the (encoded) qubit will undergo noise once it has been transferred into 'storage'. Hence, the quantum operation $\mathcal{S}_i$ in any real-world setting necessarily includes some form of noise.
First, we show that for any initial measurement and any noisy superoperator $\mathcal{S}_i$, the 1-2 OT protocol is secure if the honest participants can perform perfect noise-free quantum operations. As an explicit example we consider the case of depolarizing noise during storage. In particular, we can show the following all-or-nothing result: if Bob's storage noise is above a certain threshold, his optimal cheating strategy is to perform a measurement in the so-called Breidbart basis. On the other hand, if the noise level is below the threshold, he is best off storing each qubit as is. Second, we consider a more practical setting using photonic qubits where the honest participants experience noise themselves: their quantum operations may be inaccurate or noisy, they may use weak laser pulses instead of single-photon sources, and qubits may undergo decoherence during transmission. Note, however, that unlike in QKD, we typically want to execute such protocols over very short distances (for example in banking applications) where the depolarization rate during transmission is very low. We give a practical OT protocol that is a small modification of the perfect protocol. It allows us to deal with erasure errors (i.e. photon loss) separately. We show how to derive trade-offs between the amount of storage noise, the amount of noise for the operations performed by the honest participants, and the security of the protocol. Finally, we briefly discuss the security of our protocol from the future perspective of fault-tolerant quantum computation with photonic qubits. We also discuss the issue of analyzing fully coherent attacks for our protocol. Indeed, there is a close relation between the OT protocol and BB84 quantum key distribution. Our security analysis can in principle be carried over to obtain a secure identification scheme in the noisy-quantum-storage model analogous to [17].
This scheme achieves password-based identification and is of particular practical relevance as it can be used for banking applications.

A. Related work

Precursors of the idea of basing cryptographic security on storage noise are already present in [7], but no rigorous analysis was carried through in that paper. Furthermore, it was pointed out in [18, 19] how the original bounded-quantum-storage analysis applies in the case of noise levels which are so large that the rank of a dishonest player's quantum storage is reduced to $n/4$. In contrast, we are able to give an explicit security trade-off even for small amounts of noise. We note that our security proof does not exploit the noise in the communication channel (which has been done in the classical setting to achieve cryptographic tasks, see e.g. [20, 21]), but is solely based on the fact that the dishonest receiver's quantum storage is noisy. A model based on classical noisy storage is akin to the setting of a classical noisy channel, if the operations are noisy, or the classical bounded-storage model, both of which are difficult to enforce in practice. Another technical limitation has been considered in [22], where a bit-commitment scheme was shown secure under the assumption that the dishonest committer can only measure a limited amount of qubits coherently. Our analysis differs in that we can in fact allow any coherent destructive measurement at the end of the protocol.

I. DEFINITIONS AND TOOLS

We start by introducing some tools, definitions and technical lemmas. To define the security of OT we need to express what it means for a dishonest quantum player not to gain any information. Let $\rho_{XE}$ be a state that is part classical, part quantum, i.e. a cq-state $\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x$. Here, $X$ is a classical random variable distributed over the finite set $\mathcal{X}$ according to distribution $P_X$.
The non-uniformity of $X$ given $\rho_E = \sum_x P_X(x)\rho_E^x$ is defined as

$$d(X|\rho_E) := \tfrac{1}{2}\Big\| I/|\mathcal{X}| \otimes \rho_E - \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x \Big\|_{\mathrm{tr}}, \qquad (1)$$

where $\|A\|_{\mathrm{tr}} = \mathrm{Tr}\sqrt{A^\dagger A}$. Intuitively, if $d(X|\rho_E) \le \varepsilon$ the distribution of $X$ is $\varepsilon$-close to uniform even given $\rho_E$, i.e., $\rho_E$ gives hardly any information about $X$. A simple property of the non-uniformity which follows from its definition is that

$$d(X|\rho_{ED}) = d(X|\rho_E) \qquad (2)$$

for any cq-state of the form $\rho_{XED} = \rho_{XE} \otimes \rho_D$.

We prove the security of a randomized version of OT. In such a protocol, Alice does not choose her input strings herself, but instead receives two strings $S_0, S_1 \in \{0,1\}^\ell$ chosen uniformly at random by the protocol. Randomized OT (ROT) can easily be converted into OT: after the ROT protocol is completed, Alice uses her strings $S_0, S_1$ obtained from ROT as one-time pads to encrypt her original inputs $\hat S_0$ and $\hat S_1$, i.e. she sends an additional classical message consisting of $\hat S_0 \oplus S_0$ and $\hat S_1 \oplus S_1$ to Bob. Bob can retrieve the message of his choice by computing $S_C \oplus (\hat S_C \oplus S_C) = \hat S_C$. He stays completely ignorant about the other message $\hat S_{1-C}$ since he is ignorant about $S_{1-C}$. The security of a quantum protocol implementing ROT is formally defined in [13, 14]:

Definition 1 An $\varepsilon$-secure 1-2 ROT$^\ell$ is a protocol between Alice and Bob, where Bob has input $C \in \{0,1\}$, and Alice has no input. For any distribution of $C$:
• (Correctness) If both parties are honest, Alice gets output $S_0, S_1 \in \{0,1\}^\ell$ and Bob learns $Y = S_C$ except with probability $\varepsilon$.
• (Receiver-security) If Bob is honest and obtains output $Y$, then for any cheating strategy of Alice resulting in her state $\rho_A$, there exist random variables $S'_0$ and $S'_1$ such that $\Pr[Y = S'_C] \ge 1 - \varepsilon$ and $C$ is independent of $S'_0$, $S'_1$ and $\rho_A$.
• (Sender-security) If Alice is honest, then for any cheating strategy of Bob resulting in his state $\rho_B$, there exists a random variable $C' \in \{0,1\}$ such that $d(S_{1-C'}\,|\,S_{C'} C' \rho_B) \le \varepsilon$.

The OT protocol makes use of two-universal hash functions. These hash functions are used for privacy amplification, similar as in quantum key distribution. A class $\mathcal{F}$ of functions $f: \{0,1\}^n \to \{0,1\}^\ell$ is called two-universal if for all $x \ne y \in \{0,1\}^n$ and $f \in \mathcal{F}$ chosen uniformly at random from $\mathcal{F}$, we have $\Pr[f(x) = f(y)] \le 2^{-\ell}$. For example, the set of all affine functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ is two-universal [23]. The following theorem expresses how hash functions can increase the privacy of a random variable $X$ given a quantum adversary holding $\rho_E$ and the function $F$:

Theorem 1 (Th. 5.5.1 in [24] (see also [25])) Let $\mathcal{F}$ be a class of two-universal hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$. Let $F$ be a random variable that is uniformly and independently distributed over $\mathcal{F}$, and let $\rho_{XE}$ be a cq-state. Then,

$$d(F(X)\,|\,F, \rho_E) \le 2^{-\frac{1}{2}(H_2(X|\rho_E) - \ell) - 2},$$

where $H_2(\cdot|\cdot)$ denotes the conditional collision entropy defined in [24] as $H_2(X|\rho_E) := -\log \mathrm{Tr}\big((I \otimes \rho_E^{-1/2})\,\rho_{XE}\big)^2$ of the cq-state $\rho_{XE}$.

In our application we will make use of a simplified form of this theorem which follows directly from [26, Lemma 1]. The non-uniformity in the theorem above is bounded by the average success probability of guessing $x$ given the state $\rho_E$:

Lemma 1 For a measurement $\mathcal{M}$ with POVM elements $\{M_x\}_{x \in \mathcal{X}}$ let $p^{\mathcal{M}}_{y|x} = \mathrm{Tr}\, M_y \rho_E^x$ be the probability of outputting guess $y$ given $\rho_E^x$. Then $P_g(X|\rho_E) = \sup_{\mathcal{M}} \sum_x P_X(x)\, p^{\mathcal{M}}_{x|x}$ is the maximal average success probability of guessing $x \in \mathcal{X}$ given the reduced state $\rho_E$ of the cq-state $\rho_{XE}$. We have

$$d(F(X)\,|\,F, \rho_E) \le 2^{\frac{\ell}{2} - 1}\sqrt{P_g(X|\rho_E)}.$$

If we have an additional $k$ bits of classical information $D$ about $X$, we can bound

$$d(F(X)\,|\,F, D, \rho_E) \le 2^{\frac{\ell + k}{2} - 1}\sqrt{P_g(X|\rho_E)}. \qquad (3)$$

The following lemma is proven in the Appendix and states that the optimal strategy to guess $X = x \in \{0,1\}^n$ given individual quantum information about the bits of $X$ is to measure each register individually.

Lemma 2 Let $\rho_{XE}$ be a cq-state with uniformly distributed $X = x \in \{0,1\}^n$ and $\rho_E^x = \rho_{E_1}^{x_1} \otimes \ldots \otimes \rho_{E_n}^{x_n}$. Then the maximum probability of guessing $x$ given state $\rho_E$ is $P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by measuring each register separately.

The last tool we need is an uncertainty relation for noisy channels and measurements. Let $\sigma_{0,+} = |0\rangle\langle 0|$, $\sigma_{1,+} = |1\rangle\langle 1|$, $\sigma_{0,\times} = |+\rangle\langle +|$ and $\sigma_{1,\times} = |-\rangle\langle -|$ denote the BB84 states corresponding to the encoding of a bit $z \in \{0,1\}$ into basis $b \in \{+, \times\}$ (computational resp. Hadamard basis). Let $\sigma_+ = (\sigma_{0,+} + \sigma_{1,+})/2$ and $\sigma_\times = (\sigma_{0,\times} + \sigma_{1,\times})/2$. Consider the state $\mathcal{S}(\sigma_{z,b})$ for some super-operator $\mathcal{S}$. Note that $P_g(X|\mathcal{S}(\sigma_b))$ (see Lemma 2) denotes the maximal average success probability for guessing a uniformly distributed $X$ when $b = +$ or $b = \times$. An uncertainty relation for such success probabilities can be stated as

$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) \le \Delta(\mathcal{S})^2, \qquad (4)$$

where $\Delta$ is a function from the set of superoperators to the real numbers. For example, when $\mathcal{S}$ is a quantum measurement $\mathcal{M}$ mapping the state $\sigma_{z,b}$ onto purely classical information it can be argued (e.g. by using a purification argument and Corollary 4.15 in [18]) that $\Delta(\mathcal{M}) \equiv \tfrac{1}{2}(1 + 2^{-1/2})$, which can be achieved by a measurement in the so-called Breidbart basis $\{|0\rangle_B, |1\rangle_B\}$ with $|0\rangle_B = \cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle$ and $|1\rangle_B = \sin(\pi/8)|0\rangle - \cos(\pi/8)|1\rangle$. It is clear that for a unitary superoperator $\mathcal{U}$ we have $\Delta(\mathcal{U})^2 = 1$, which can be achieved. It is not hard to show that (see the proof in the Appendix)

Lemma 3 The only superoperators $\mathcal{S}: \mathbb{C}^2 \to \mathbb{C}^k$ for which

$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) = 1 \qquad (5)$$

are reversible operations.

II. PROTOCOL AND ANALYSIS

We use $\in_R$ to denote the uniform choice of an element from a set. We further use $x|_T$ to denote the string $x = x_1, \ldots, x_n$ restricted to the bits indexed by the set $T \subseteq \{1, \ldots, n\}$. For convenience, we take $\{+, \times\}$ instead of $\{0,1\}$ as the domain of Bob's choice bit $C$ and denote by $\bar{C}$ the bit different from $C$.

Protocol 1 ([14]) 1-2 ROT$^\ell$($C$, $T$)
1. Alice picks $X \in_R \{0,1\}^n$ and $\Theta \in_R \{+, \times\}^n$. Let $I_b = \{i \mid \Theta_i = b\}$ for $b \in \{+, \times\}$. At time $t = 0$, she sends $\sigma_{X_1,\Theta_1} \otimes \ldots \otimes \sigma_{X_n,\Theta_n}$ to Bob.
2. Bob measures all qubits in the basis corresponding to his choice bit $C \in \{+, \times\}$. This yields outcome $X' \in \{0,1\}^n$.
3. Alice picks two hash functions $F_+, F_\times \in_R \mathcal{F}$, where $\mathcal{F}$ is a class of two-universal hash functions. At time $t = T$, she sends $I_+, I_\times, F_+, F_\times$ to Bob. Alice outputs $S_+ = F_+(X|_{I_+})$ and $S_\times = F_\times(X|_{I_\times})$ [40].
4. Bob outputs $S_C = F_C(X'|_{I_C})$.

A. Analysis

We first show that this protocol is secure according to Definition 1.

(i) correctness: It is clear that the protocol is correct. Bob can determine the string $X|_{I_C}$ (the set $I_C$ is non-empty except with negligible probability $2^{-n}$) and hence obtains $S_C$.

(ii) security against dishonest Alice: this holds in the same way as shown in [14]. As the protocol is non-interactive, Alice never receives any information from Bob at all, and Alice's input strings can be extracted by letting her interact with an unbounded receiver.

(iii) security against dishonest Bob: Our goal is to show that there exists a $C' \in \{+, \times\}$ such that Bob is completely ignorant about $S_{\bar{C}'}$. In our model Bob's collective storage cheating strategy can be described by some super-operator $\mathcal{S} = \bigotimes_{i=1}^n \mathcal{S}_i$ that is applied to the qubits between the time they arrive at Bob's and the time $T$ at which Alice sends the classical information. We define the choice bit $C'$ as a fixed function of $\mathcal{S}$. Formally, we set $C' \equiv +$ if $\prod_{i=1}^n P_g(X_i|\mathcal{S}_i(\sigma_+)) \ge \prod_{i=1}^n P_g(X_i|\mathcal{S}_i(\sigma_\times))$ and $C' \equiv \times$ otherwise. Due to the uncertainty relation for each $\mathcal{S}_i$ (from Eq. (4)) it then holds that $\prod_i P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'})) \le \prod_i \Delta(\mathcal{S}_i) \le (\Delta_{\max})^n$, where $\Delta_{\max} := \max_i \Delta(\mathcal{S}_i)$. This will be used in the proof below.

In the remainder of this section, we show that the non-uniformity $\delta_{sec} := d(S_{\bar{C}'}\,|\,S_{C'} C' \rho_B)$ is negligible in $n$ for collective attacks. Here $\rho_B$ is the complete quantum state of Bob's lab at the end of the protocol, including the classical information $I_+, I_\times, F_+, F_\times$ he got from Alice and his quantum information $\bigotimes_{i=1}^n \mathcal{S}_i(\sigma_{X_i,\Theta_i})$. Expressing the non-uniformity in terms of the trace distance allows us to observe that $\delta_{sec} = 2^{-n}\sum_{\theta \in \{+,\times\}^n} d(S_{\bar{C}'}\,|\,\Theta = \theta, S_{C'} C' \rho_B)$. Now, for fixed $\Theta = \theta$, it is clear from the construction that $S_{C'}$, $C'$, $F_{C'}$ and $\bigotimes_{i \in I_{C'}} \mathcal{S}_i(\sigma_{X_i,C'})$ are independent of $S_{\bar{C}'} = F_{\bar{C}'}(X|_{I_{\bar{C}'}})$ and we can use Eq. (2). Hence, one can bound the non-uniformity as in Lemma 1, i.e. by the square root of the probability of correctly guessing $X|_{I_{\bar{C}'}}$ given the state $\bigotimes_{i \in I_{\bar{C}'}} \mathcal{S}_i(\sigma_{X_i,\bar{C}'})$. Lemma 2 tells us that to guess $X$, Bob can measure each remaining qubit individually and hence we obtain

$$\delta_{sec} \le 2^{\frac{\ell}{2}-1} \cdot 2^{-n} \sum_{\theta \in \{+,\times\}^n} \sqrt{\prod_{i \in I_{\bar{C}'}} P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'}))}$$
$$\le 2^{\frac{\ell}{2}-1} \sqrt{2^{-n} \sum_{\theta \in \{+,\times\}^n} \prod_{i \in I_{\bar{C}'}} P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'}))}$$
$$= 2^{\frac{\ell}{2}-1} \sqrt{2^{-n} \prod_{i=1}^n \big(1 + P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'}))\big)},$$

where we used the concavity of the square-root function in the last inequality. Lemma 4 together with the bound $\prod_i P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'})) \le (\Delta_{\max})^n$ lets us conclude that

$$\delta_{sec} \le 2^{\frac{\ell}{2}-1} \cdot (\Delta_{\max})^{\frac{\log(4/3)\, n}{2}}.$$

Lemma 3 shows that for essentially any noisy superoperator $\Delta(\mathcal{S}) < 1$. This shows that for any collective attack there exists an $n$ which yields arbitrarily high security.

B. Example

Let us now consider the security in an explicit example: a noisy depolarizing channel. In order to explicitly bound $\Delta(\mathcal{S}_i)$ we should allow for intermediate strategies of Bob in which he partially measures the incoming qubits, leaving some quantum information undergoing depolarizing noise. To model this noise we let $\mathcal{S}_i = \mathcal{N} \circ \mathcal{P}_i$, where $\mathcal{P}_i$ is any noiseless quantum operation of Bob's choosing from one qubit to one qubit that generates some classical output. For example, $\mathcal{P}_i$ could be a partial measurement providing Bob with some classical information and a slightly disturbed quantum state, or just a unitary operation. Let $\mathcal{N}(\rho) := r\rho + (1 - r)\,\tfrac{I}{2}$ be the fixed depolarizing 'quantum storage' channel that Bob cannot influence.
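The classical post-processing of Protocol 1 and the ROT-to-OT conversion from Section I, as an added Python illustration (this is not code from the paper). The quantum channel is replaced by the statistics of an honest Bob measuring BB84 states (the matching basis returns the encoded bit, the other basis a uniformly random bit); the hash family is the affine one the text cites [23]; the names `AffineHash`, `rot_protocol`, `ot_from_rot` and the seed are this example's own.

```python
"""Protocol 1 (1-2 ROT^l) classical side, plus the ROT -> OT conversion.

Added illustration, not code from the paper. Honest Bob's quantum step is
simulated by its ideal statistics: measuring a BB84 state in the basis it was
prepared in returns the encoded bit, in the other basis a coin flip.
"""
import random

BASES = ("+", "x")  # '+' = computational, 'x' = Hadamard basis


class AffineHash:
    """f(x) = A x + b over GF(2): the two-universal family mentioned in the text.

    For x != y, f(x) xor f(y) = A (x xor y) is uniform on {0,1}^ell when A is a
    uniformly random ell x n matrix, so Pr[f(x) = f(y)] = 2^-ell.
    """

    def __init__(self, n, ell, rng):
        self.n, self.ell = n, ell
        self.A = [[rng.randrange(2) for _ in range(n)] for _ in range(ell)]
        self.b = [rng.randrange(2) for _ in range(ell)]

    def __call__(self, x):
        assert len(x) == self.n
        return [(sum(a & xi for a, xi in zip(row, x)) + bj) & 1
                for row, bj in zip(self.A, self.b)]


def honest_bob_measures(X, Theta, C, rng):
    """Step 2: Bob measures every qubit in basis C."""
    return [x if t == C else rng.randrange(2) for x, t in zip(X, Theta)]


def rot_protocol(n, ell, C, rng):
    """Run Protocol 1; returns (Alice's {S_+, S_x}, Bob's S_C, Bob's raw X')."""
    # Step 1: Alice picks X and Theta (the BB84 states are implied by them).
    X = [rng.randrange(2) for _ in range(n)]
    Theta = [rng.choice(BASES) for _ in range(n)]
    # Step 2: Bob measures in his basis C.
    Xprime = honest_bob_measures(X, Theta, C, rng)
    # Step 3: after the waiting time T, Alice reveals I_+, I_x, F_+, F_x.
    I = {b: [i for i, t in enumerate(Theta) if t == b] for b in BASES}
    F = {b: AffineHash(len(I[b]), ell, rng) for b in BASES}
    alice_out = {b: F[b]([X[i] for i in I[b]]) for b in BASES}
    # Step 4: Bob hashes his outcomes on the positions I_C.
    bob_SC = F[C]([Xprime[i] for i in I[C]])
    return alice_out, bob_SC, Xprime


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def ot_from_rot(n, msg0, msg1, C, rng):
    """1-2 OT from ROT: Alice one-time-pads her real inputs with S_+ and S_x.

    msg0 is delivered for C == '+', msg1 for C == 'x'."""
    ell = len(msg0)
    alice_out, bob_SC, _ = rot_protocol(n, ell, C, rng)
    padded = {"+": xor(msg0, alice_out["+"]), "x": xor(msg1, alice_out["x"])}
    # Bob strips the one pad he knows; the other pad is independent of his view.
    return xor(padded[C], bob_SC)


if __name__ == "__main__":
    rng = random.Random(2008)
    alice_out, bob_SC, _ = rot_protocol(64, 16, "x", rng)
    print("honest Bob got S_C:", alice_out["x"] == bob_SC)
    print("OT delivered:", ot_from_rot(64, [1, 0, 1, 1], [0, 0, 0, 1], "+", rng))
```

With $n$ qubits the sets $I_+$ and $I_\times$ have about $n/2$ elements each; an honest Bob always recovers $S_C$, while his outcomes on $I_{\bar C}$ are independent of $X$, which is exactly what the hashing in Step 3 turns into ignorance of $S_{\bar C}$.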
(see Figure 1). To determine $\delta_{sec}$, we have to find an uncertainty relation similar to Eq. (4) by optimizing over all possible partial measurements $\mathcal{P}_i$:

$$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i)^2 = \max_{\mathcal{P}_i} P_g(X|\mathcal{S}_i(\sigma_+)) \cdot P_g(X|\mathcal{S}_i(\sigma_\times)).$$

We solve this problem for depolarizing noise using the symmetries inherent in our problem. In Appendix B we prove the following.

Theorem 2 Let $\mathcal{N}$ be the depolarizing channel and let $\max_{\mathcal{S}_i}\Delta(\mathcal{S}_i)$ be defined as above. Then

$$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i) = \begin{cases} \frac{1+r}{2} & \text{for } r \ge \frac{1}{\sqrt{2}} \\[4pt] \frac{1}{2} + \frac{1}{2\sqrt{2}} & \text{for } r < \frac{1}{\sqrt{2}} \end{cases}$$

FIG. 1: Bob performs a partial measurement $\mathcal{P}_i$, followed by noise $\mathcal{N}$, and outputs a guess bit $x_g$ depending on his classical measurement outcome, the remaining quantum state, and the additional basis information.

Our result shows that for $r < 1/\sqrt{2}$ a direct measurement $\mathcal{M}$ in the Breidbart basis is the best attack Bob can perform. For this measurement, we have $\Delta(\mathcal{M}) = 1/2 + 1/(2\sqrt{2})$. If the depolarizing noise is low ($r \ge 1/\sqrt{2}$), then our result states that the best strategy for Bob is to simply store the qubit as is.

III. PRACTICAL OBLIVIOUS TRANSFER

In this section, we prove the security of a ROT protocol that is robust against noise for the honest parties. Our protocol is thereby a small modification of the protocol considered in [18]. Note that for our analysis, we have to assume a worst-case scenario where a dishonest receiver Bob has access to a perfect noise-free quantum channel and only experiences noise during storage. First, we consider erasure noise (in practice corresponding to photon loss) during preparation, transmission and measurement of the qubits by the honest parties. Let $1 - p_{erase}$ be the total probability for an honest Bob to measure and detect a photon in the $\{+, \times\}$ basis given that an honest Alice prepares a weak pulse in her lab and sends it to him. The probability $p_{erase}$ is determined among others by the mean photon number in the pulse, the loss on the channel and the quantum efficiency of the detector.
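The two strategies compared in Theorem 2 above, evaluated numerically as an added example (not the paper's code, and not its Appendix B proof, which optimises over all partial measurements $\mathcal{P}_i$). It computes $P_g(X|\mathcal{S}(\sigma_b))$ for "store the qubit through $\mathcal{N}$, then measure optimally" and for "measure at once in the Breidbart basis", using the Helstrom bound for two equiprobable states, $P_g = \tfrac12 + \tfrac14\|\rho_0 - \rho_1\|_{\mathrm{tr}}$, a standard result not stated on the page, and reports which attack maximises $\Delta$ for a given $r$. Function names are this example's own; the 2x2 matrices are handled by hand so nothing beyond the standard library is needed.

```python
"""Guessing probabilities behind the uncertainty relation (4) and Theorem 2.

Added illustration, not code from the paper. Single-qubit density matrices
are nested 2x2 lists of floats; kets are length-2 lists.
"""
import math


def ket_to_rho(psi):
    return [[psi[i] * psi[j] for j in range(2)] for i in range(2)]  # real amplitudes


KET0, KET1 = [1.0, 0.0], [0.0, 1.0]
KETP = [1 / math.sqrt(2), 1 / math.sqrt(2)]
KETM = [1 / math.sqrt(2), -1 / math.sqrt(2)]
# BB84 states sigma_{0,b}, sigma_{1,b} for b = '+' (computational) and 'x' (Hadamard).
BB84 = {"+": (ket_to_rho(KET0), ket_to_rho(KET1)),
        "x": (ket_to_rho(KETP), ket_to_rho(KETM))}


def depolarize(rho, r):
    """N(rho) = r rho + (1 - r) I/2, the storage channel of Section II.B."""
    return [[r * rho[i][j] + (1 - r) * (0.5 if i == j else 0.0)
             for j in range(2)] for i in range(2)]


def helstrom_guess_prob(rho0, rho1):
    """Optimal success probability for distinguishing rho0 from rho1 at equal priors:
    1/2 + ||rho0 - rho1||_tr / 4. For the traceless Hermitian 2x2 difference
    [[a, c], [c, -a]] the eigenvalues are +-sqrt(a^2 + c^2), so the trace norm is
    2 sqrt(a^2 + c^2)."""
    a = rho0[0][0] - rho1[0][0]
    c = rho0[0][1] - rho1[0][1]
    return 0.5 + math.sqrt(a * a + c * c) / 2


def guess_prob_store(r, basis):
    """Bob keeps the qubit; it depolarizes in storage; he measures optimally at time T."""
    rho0, rho1 = (depolarize(rho, r) for rho in BB84[basis])
    return helstrom_guess_prob(rho0, rho1)


def guess_prob_breidbart(basis):
    """Bob measures immediately in the Breidbart basis and keeps only the outcome."""
    t = math.pi / 8
    outcomes = ([math.cos(t), math.sin(t)], [math.sin(t), -math.cos(t)])
    total = 0.0
    for ket in outcomes:
        # P(outcome | x) = <ket| sigma_{x,b} |ket>; the best guess is the likelier x.
        probs = [sum(ket[i] * rho[i][j] * ket[j] for i in range(2) for j in range(2))
                 for rho in BB84[basis]]
        total += max(probs) / 2  # X is uniform, so each x has prior 1/2
    return total


def delta_store(r):
    """Delta(S) = sqrt(P_g(+) P_g(x)) for the storage strategy; equals (1 + r)/2."""
    return math.sqrt(guess_prob_store(r, "+") * guess_prob_store(r, "x"))


def delta_breidbart():
    """Delta(M) for the Breidbart measurement; equals 1/2 + 1/(2 sqrt 2)."""
    return math.sqrt(guess_prob_breidbart("+") * guess_prob_breidbart("x"))


def best_strategy(r):
    """Theorem 2: storing wins iff r >= 1/sqrt(2). Returns (name, Delta)."""
    ds, db = delta_store(r), delta_breidbart()
    return ("store", ds) if ds >= db else ("breidbart", db)


if __name__ == "__main__":
    for r in (0.5, 1 / math.sqrt(2), 0.9):
        print(f"r = {r:.4f}: {best_strategy(r)}")
```

Restricting to these two candidates is the simplification made here; Theorem 2 states that no partial measurement $\mathcal{P}_i$ does better than the winner of the two.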
In our protocol we assume that the (honest) erasure rate $p_{erase}$ is independent of whether qubits were encoded or measured in the $+$- or $\times$-basis. This assumption is necessary to guarantee the correctness and the security against a cheating Alice only. Fortunately, this assumption is well matched with physical capabilities. Any other noise source during preparation, transmission and measurement can be characterized as an effective classical noisy channel resulting in the output bits $X'$ that Bob obtains at Step 3 of Protocol 2. For simplicity, we model this compound noise source as a classical binary symmetric channel acting independently on each bit of $X$. Typical noise sources for polarization-encoded qubits are depolarization during transmission, dark counts in Bob's detector and misaligned polarizing beam-splitters. Let the effective bit-error probability of this binary symmetric channel be $p_{error} < 1/2$. Before engaging in the actual protocol, Alice and Bob agree on the system parameters $p_{erase}$ and $p_{error}$, similarly to Step 1 of the protocol in [7]. Furthermore, they agree on a family $\{C_n\}$ of linear error-correcting codes of length $n$ capable of efficiently correcting $n \cdot p_{error}$ errors. For any string $x \in \{0,1\}^n$, error correction is done by sending the syndrome information $\mathrm{syn}(x)$ to Bob, from which he can correctly recover $x$ if he holds an output $x' \in \{0,1\}^n$ obtained by flipping each bit of $x$ independently with probability $p_{error}$. It is known that for large enough $n$, the code $C_n$ can be chosen such that its rate is arbitrarily close to $1 - h(p_{error})$ and the syndrome length (the number of parity-check bits) is asymptotically bounded by $|\mathrm{syn}(x)| < h(p_{error})\,n$ [27], where $h(p_{error})$ is the binary Shannon entropy. We assume the players have synchronized clocks. In each time slot, Alice sends one qubit (laser pulse) to Bob.

Protocol 2 Noise-Protected Photonic 1-2 ROT$^\ell$($C$, $T$)
1. Alice picks $X \in_R \{0,1\}^n$ and $\Theta \in_R \{+, \times\}^n$.
2. For $i = 1, \ldots, n$: In time slot $t = i$, Alice sends $\sigma_{X_i,\Theta_i}$ as a phase- or polarization-encoded weak pulse of light to Bob.
3. In each time slot, Bob measures the incoming qubit in the basis corresponding to his choice bit $C \in \{+, \times\}$ and records whether he detects a photon or not. He obtains some bit-string $X' \in \{0,1\}^m$ with $m \le n$.
4. Bob reports back to Alice in which time slots he received a qubit. Alice restricts herself to the set of $m < n$ bits that Bob did not report as missing. Let this set of qubits be $S_{remain}$ with $|S_{remain}| = m$.
5. Let $I_b = \{i \in S_{remain} \mid \Theta_i = b\}$ for $b \in \{+, \times\}$ and let $m_b = |I_b|$. Alice aborts the protocol if either $m_+$ or $m_\times \le (1 - p_{erase})\,n/2 - O(\sqrt{n})$. If this is not the case, Alice picks two two-universal hash functions $F_+, F_\times \in_R \mathcal{F}$. At time $t = n + T$, Alice sends $I_+, I_\times, F_+, F_\times$, and the syndromes $\mathrm{syn}(X|_{I_+})$ and $\mathrm{syn}(X|_{I_\times})$ according to codes of appropriate length $m_b$ to Bob. Alice outputs $S_+ = F_+(X|_{I_+})$ and $S_\times = F_\times(X|_{I_\times})$.
6. Bob uses $\mathrm{syn}(X|_{I_C})$ to correct the errors on his output $X'|_{I_C}$. He obtains the corrected bit-string $X'_{cor}$ and outputs $S_C = F_C(X'_{cor})$.

Let us consider the security and correctness of this modified protocol.

(i) correctness: By assumption, $p_{erase}$ is independent of the basis in which Alice sent the qubits. Thus, $S_{remain}$ is with high probability a random subset of $m \approx (1 - p_{erase})\,n \pm O(\sqrt{n})$ qubits, independent of the value of $\Theta$. This implies that in Step 5 the protocol is aborted with a probability exponentially small in $m$, and hence in $n$. The codes are chosen such that Bob can decode except with negligible probability. These facts imply that if both parties are honest the protocol is correct (i.e. $S'_C = S_C$) except with exponentially small probability of error.

(ii) security against dishonest Alice: Even though in this scenario Bob does communicate to Alice, the information stating which qubits were erased is (by assumption) independent of the basis in which he measured and thus of his choice bit $C$.
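The classical bookkeeping of Protocol 2 above (erasure reporting in Step 4, the abort test of Step 5 and syndrome-based correction in Step 6), as an added Python example that is not code from the paper. The code family $\{C_n\}$ is replaced by a Hamming [7,4] code used blockwise, which corrects one error per 7-bit block and is far from the rate $1 - h(p_{error})$ the text assumes, but it shows the mechanism: Alice sends $\mathrm{syn}(x) = Hx$, Bob computes $Hx'$ and decodes $H(x \oplus x')$ into an error pattern. The detected slots and flipped positions are constructed inputs, the $O(\sqrt n)$ abort slack is a constant chosen here, and the hashing of Step 5 is as in Protocol 1 and omitted.

```python
"""Protocol 2, Steps 4-6 without the hashing: sifting on reported clicks,
abort test, and syndrome decoding with a blockwise Hamming [7,4] code.

Added illustration, not code from the paper.
"""
import math

BASES = ("+", "x")

# Parity-check matrix of the Hamming [7,4] code: column j is the binary
# representation of j+1, so the syndrome of a single flipped bit names it.
H = [[((j + 1) >> k) & 1 for j in range(7)] for k in range(3)]


def syndrome7(block):
    """H x over GF(2) for one 7-bit block."""
    return [sum(h * b for h, b in zip(row, block)) & 1 for row in H]


def blocks(x):
    """Split x into fresh 7-bit blocks, zero-padding the last one."""
    return [x[i:i + 7] + [0] * (7 - len(x[i:i + 7])) for i in range(0, len(x), 7)]


def syn(x):
    """Syndrome information Alice sends for the string x (3 bits per block)."""
    return [syndrome7(b) for b in blocks(x)]


def correct(xprime, syndromes):
    """Recover x from Bob's noisy x' and Alice's syn(x).

    Works while each block carries at most one flipped bit: H(x xor x') is then
    the column of H at the error position, or zero when the block is clean."""
    out = []
    for block, s_alice in zip(blocks(xprime), syndromes):
        diff = [a ^ b for a, b in zip(s_alice, syndrome7(block))]
        pos = sum(bit << k for k, bit in enumerate(diff))  # 0 = no error
        if pos:
            block[pos - 1] ^= 1
        out.extend(block)
    return out[:len(xprime)]


def protocol2_sift_and_correct(X, Theta, C, detected, flips, p_erase, slack=2.0):
    """Steps 4-6 for honest parties.

    detected: time slots in which Bob reports a click (constructed input).
    flips: positions where the binary symmetric channel flipped Bob's outcome.
    slack: the O(sqrt n) term of the abort test; the constant is chosen here.
    Returns (aborted, X|I_C held by Alice, corrected X'|I_C held by Bob).
    """
    n = len(X)
    S_remain = sorted(detected)
    I = {b: [i for i in S_remain if Theta[i] == b] for b in BASES}
    # Step 5: abort if either basis kept too few qubits.
    threshold = (1 - p_erase) * n / 2 - slack * math.sqrt(n)
    if min(len(I[b]) for b in BASES) <= threshold:
        return True, None, None
    # Honest Bob's outcomes on I_C agree with X up to the channel's flips.
    x_alice = [X[i] for i in I[C]]
    x_bob = [X[i] ^ (1 if i in flips else 0) for i in I[C]]
    # Step 6: Alice sends syn(X|I_C); Bob corrects his copy before hashing.
    return False, x_alice, correct(x_bob, syn(x_alice))
```

A dishonest Bob who reports too few clicks trips the Step 5 test; the syndrome he receives leaks $3$ bits per $7$ (here) or $h(p_{error})$ per bit (asymptotically), which is exactly the $k$ of Eq. (3) that reappears in the exponent of Eq. (6).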
Hence Alice does not learn anything about his choice bit $C$. Her input strings can be extracted as in Protocol 1.

(iii) security against dishonest Bob: First of all, we note that Bob can always make Alice abort the protocol by reporting back an insufficient number of received qubits. If this is not the case, then we define $C'$ as in the analysis of Protocol 1 and we need to bound the non-uniformity $\delta_{sec}$ as before. Let us for simplicity assume that $m_b = m/2$ (this is true with high probability, modulo $O(\sqrt{n})$ factors which become negligible in the security for large $n$) with $m \approx (1 - p_{erase})\,n$. We now follow through the same analysis, where we restrict ourselves to the set of remaining qubits. We first follow through the same steps simplifying the non-uniformity using that the total attack superoperator $\mathcal{S}$ is a product of superoperators. Then we use the bound in Lemma 1 for each $\theta \in \{+,\times\}^n$, where we now have to condition on the additional information $\mathrm{syn}(X|_{I_{\bar{C}'}})$, which is $m\,h(p_{error})/2$ bits long. Using Eq. (3) and following identical steps in the remainder of the proof implies

$$\delta_{sec} \le 2^{\frac{\ell}{2} - 1 + h(p_{error})\frac{m}{4}} \cdot (\Delta_{\max})^{\frac{\log(4/3)\, m}{2}}. \qquad (6)$$

From this expression it is clear that the security depends crucially on the value of $\Delta_{\max}$ versus the binary entropy $h(p_{error})$. The trade-off in our bound is not extremely favorable for security, as we will see.

A. Depolarizing noise

We first consider again the security trade-off when Bob's storage is affected by depolarizing noise, and additionally the channel itself is subject to depolarizing noise. Let us assume that $r < 1/\sqrt{2}$ for the storage noise. According to Theorem 2, Bob's optimal attack is to measure each qubit individually in the Breidbart basis. In this case, our protocol is secure as long as $h(p_{error}) < 2\log\big(\tfrac{1}{2} + \tfrac{1}{2\sqrt{2}}\big)\log(3/4)$. Hence, we require that $p_{error} \lesssim 0.029$. This puts a strong restriction on the noise rate of the honest protocol. Yet, since our protocols are particularly interesting at short distances (e.g. in the case of secure identification), we can imagine very short free-space implementations such that depolarization noise during transmission is negligible and the main depolarization noise source is due to Bob's honest measurements.

In the near future we may anticipate that storage is better than direct measurement when good photonic memories become available [28, 29, 30, 31, 32, 33]. However, we are free in our protocol to stretch the waiting time $T$ between Bob's reception of the qubits and his reception of the classical basis information, say, to seconds, which means that one has to consider the overall noise rate on a qubit that is stored for seconds. Clearly, there is a strict trade-off between the noise $p_{error}$ on the channel experienced by the honest parties, and the noise experienced by dishonest Bob. For $r \ge 1/\sqrt{2}$ (when storage is better than the Breidbart attack) we also obtain a trade-off involving $r$. Suppose that the qubits in the honest protocol are also subjected to depolarizing noise at rate $1 - r_{honest}$. The effective classical error rate for a depolarizing channel is then simply $p_{error} = (1 - r_{honest})/2$. Thus we can consider when the function $h(p_{error})/4 + \log\big(\tfrac{1+r}{2}\big)\log(4/3)/2$ goes below 0. If we assume that $r_{honest} = ar \le 1$, for some scaling factor $1 \le a \le 1/r$ (i.e., the honest party never has more noise than the dishonest party), we obtain a clear trade-off between $a$ and $r$ depicted in Figure 2.

FIG. 2: $h((1-ar)/2)/4 + \log\big(\tfrac{1+r}{2}\big)\log(4/3)/2$, where we only show the region below 0, i.e., where security can be attained.

B. Other Attacks

In a practical setting, other attacks may be possible which are not captured by the model we used when analyzing depolarizing noise. For example, attacks that relate to the protocol being implemented with weak coherent states. We discuss the effect of such practical problems in this section, but do not claim to prove security of the practical protocol in full generality.
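The trade-off of Eq. (6) and the function plotted in Figure 2 of Section III.A, evaluated numerically as an added example (not code from the paper). $\Delta_{\max}$ is taken from Theorem 2; the threshold $p_{error} \lesssim 0.029$ quoted above is recovered by bisection on the binary entropy, and `qubits_for_security` turns the bound into a required number $m$ of surviving qubits for a target security level, a step the text does not carry out. Function names and the $2^{-20}$ target are this example's own.

```python
"""Security trade-off of Eq. (6): for which honest error rate p_error does the
bound on delta_sec still shrink with the number m of surviving qubits?

Added illustration, not code from the paper. All logarithms are base 2, as in
the paper's entropy and in Eq. (6).
"""
import math

LOG43 = math.log2(4 / 3)


def h(p):
    """Binary Shannon entropy, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def delta_max(r):
    """Theorem 2: best single-qubit attack against depolarizing storage noise r."""
    breidbart = 0.5 + 1 / (2 * math.sqrt(2))
    return max((1 + r) / 2, breidbart)


def exponent_per_qubit(p_error, r):
    """Coefficient of m in log2 of the right-hand side of Eq. (6); security needs it < 0."""
    return h(p_error) / 4 + LOG43 / 2 * math.log2(delta_max(r))


def log2_delta_sec_bound(ell, m, p_error, r):
    """log2 of the bound in Eq. (6) for output length ell and m surviving qubits."""
    return ell / 2 - 1 + m * exponent_per_qubit(p_error, r)


def max_tolerable_perror(r, tol=1e-9):
    """Largest p_error < 1/2 for which the bound still decays, by bisection.

    The condition is h(p) < -2 log2(4/3) log2(Delta_max), i.e. the paper's
    2 log(1/2 + 1/(2 sqrt 2)) log(3/4) when the Breidbart attack is optimal;
    h is increasing on [0, 1/2], so bisection is valid."""
    target = -2 * LOG43 * math.log2(delta_max(r))
    if target <= 0:
        return 0.0
    if h(0.5) <= target:
        return 0.5
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if h(mid) < target:
            lo = mid
        else:
            hi = mid
    return lo


def figure2_function(a, r):
    """h((1 - a r)/2)/4 + log2((1 + r)/2) log2(4/3)/2, the quantity plotted in Fig. 2."""
    return h((1 - a * r) / 2) / 4 + math.log2((1 + r) / 2) * LOG43 / 2


def qubits_for_security(ell, p_error, r, target_log2=-20):
    """Smallest m making the bound (6) at most 2^target_log2, or None if no m works."""
    e = exponent_per_qubit(p_error, r)
    if e >= 0:
        return None
    return math.ceil((target_log2 - ell / 2 + 1) / e)


if __name__ == "__main__":
    for r in (0.5, 0.8, 0.95):
        print(f"r = {r}: Delta_max = {delta_max(r):.4f}, "
              f"p_error must be below {max_tolerable_perror(r):.4f}")
    print("qubits for ell = 64, p_error = 0.01, r = 0.5, delta <= 2^-20:",
          qubits_for_security(64, 0.01, 0.5))
```

For $r < 1/\sqrt 2$ the threshold is independent of $r$ (the Breidbart attack wins regardless); once $r \ge 1/\sqrt 2$ it shrinks quickly, which is the steep trade-off the text warns about.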
Instead, we merely discuss several practical attacks that a dishonest Bob may mount. Let us consider the security threat that comes from using coherent weak laser pulses. For a mean photon number µ, the probability to have more than one photon in the beam is P (k > 1) ≈ µ/2 [16], where k is the number of photons and P (k) is the probability of k photons in the beam with mean photon number µ. In prin- 7 ciple, this implies that Bob can measure in both bases with probability µ/2 (and he knows when this occurs). If with remaining probability 1 − µ/2 he is able to do a measurement in the Breidbart basis, then for such √ attack we have ∆ = µ/2 + (1 − µ/2)(1/2 + 1/(2 2)) = bm √ √ 1/2 + 1/(2 2) + µ(1 − 1/ 2)/4. Another attack is the following. Upon reception of his qubits Bob tries to beam-split each incoming pulse and measure the outgoing modes in both bases. In case he does not succeed he would like to declare erasures. In Step 5 of the protocol Alice aborts the protocol when Bob declares too many erasures: in principle, this can prevent Bob from making the protocol completely unsafe with this attack. Such a beam-splitting attack does however put another constraint on the region of error rates where one can have security using Eq. (6). Let us sketch the security bound for this particular attack. Among the m = (1 − perase )n remaining time slots, Bob will have P (k > 1)pbeamsplit n ≈ nµ/4 slots where he gets two or more photons and measures them successfully in both bases (assuming perfect detector efficiency), where pbeamsplit = 1/2. For these slots, ∆ = 1 so they do not enter the security bound. For the n(1 − perase − µ/4) remaining time slots, he is in a situation similar to before. Let us assume that the erasure rate perase ≈ P (k = 0) + P (k ≥ 1)pnodetect where pnodetect is the probability that Bob does not detect a photon with his devices. 
Since the probability of emitting a very large number of photons is small, we approximate the true value by letting $p_{\rm nodetect}$ be independent of $k$. We have $P(0) = e^{-\mu} \approx 1 - \mu$ for small $\mu$ and thus $n((1 - p_{\rm erase}) - \mu/4) = n\mu(p_{\rm detect} - 1/4)$. In principle, this leads to a bound as in Eq. (6). However, security remains to be analyzed rigorously, and one needs to determine Bob's optimal cheating strategy. If single photon sources were used, such attacks could be excluded.

In our analysis, we assumed that Alice and Bob can reliably establish a bound on $p_{\rm erase}$. However $p_{\rm erase}$ may contain a sizable contribution from the quantum efficiency of the detectors used by Bob, and a dishonest receiver may cheat by using better detectors than the ones he tells Alice about during the error estimation process. For example, in the extreme case he could convince Alice that his devices are so bad that of the $n$ inputs he can detect a photon only in $\mu n/4$ cases. If instead he has perfect devices and measures two photons successfully in both bases $\mu n/4$ times, he has made the protocol completely insecure. Thus we assume in our protocol that Alice can establish a reliable and reasonable lower bound on $p_{\rm erase}$.

For current and near-future implementations we note that an important practical limitation on Bob's attacks is the following. Since a photon measurement is destructive with current technology, Bob cannot store his qubits while at the same time reporting correctly which ones were erased. So if Bob wants to store his qubits, he has to guess which qubits were erased. This implies that among the qubits in the set $I_b$ approximately $p_{\rm erase}\, m_b$ are in fact erased. For an erasure channel with rate $p_{\rm erase}$ it is simple to show that $\Delta(S_{\rm erase}) = 1 - p_{\rm erase}/2$. Since erasure rates can easily be high (due to small $\mu$ and other sources of photon loss), say of $O(10^{-1})$, this limits the threat of a storage attack within the current technology setting.

C. Fault-tolerant computation

Let us discuss the long-term security when fault-tolerant photonic computation would become available (with the KLM scheme [34] for example). In such a scenario dishonest Bob can encode the incoming quantum information into a fault-tolerant quantum memory. This implies that in storage, the effective noise rate can be made arbitrarily small. However, the encoding of a single unknown state is not a fault-tolerant quantum operation: already the encoding process introduces errors whose rates cannot be made arbitrarily small with increasing effort. Hence, even in the presence of a quantum computer, there is a residual storage noise rate due to the unprotected encoding operation. The question of security then becomes a question of a trade-off between this residual noise rate versus the intrinsic noise rate. Our current security bound is too weak, though, to show security in such a scenario.

IV. CONCLUSION

We have determined security bounds for a perfect and a practical ROT protocol given collective storage attacks by Bob. Ideally, we would like to be able to show security against general coherent noisy attacks. The problem with analyzing a coherent attack of Bob described by some super-operator $S$ affecting all his incoming qubits is not merely a technical one: one first needs to determine a realistic noise model in this setting. It may be possible, using de Finetti theorems as in the proof of QKD [24], to prove for a symmetrized version of our protocol that any coherent attack by Bob is equivalent to a collective attack. One can in fact analyze a specific type of coherent noise, one that essentially corresponds to an eavesdropping attack in QKD. Note that the 1-2 OT protocol can be seen as two runs of QKD interleaved with each other. The strings $f(x|_{I_+})$ and $f(x|_{I_\times})$ are then the two keys generated. The noise must be such that it leaves Bob with exactly the same information as the eavesdropper Eve in QKD.
In this case, it follows from the security of QKD that the dishonest Bob (learning exactly the same information as the eavesdropper Eve) does not learn anything about the two keys. It is an important open question whether it is possible to derive security bounds (or find a better OT protocol) which give better trade-offs between noise in the honest protocol and noise induced by dishonest Bob. Finally, it remains to address composability of the protocol within our model, which has already been considered for the bounded-quantum-storage model [35].

Acknowledgments

We thank Charles Bennett, David DiVincenzo, Renato Renner and Falk Unger for interesting discussions and Ronald de Wolf for suggestions regarding Lemma 4. We are especially grateful to Hoi-Kwong Lo for bringing up attacks that relate to the use of weak laser pulses in the practical OT protocol. This work was completed while SW was a PhD student at CWI, Amsterdam, Netherlands. CS and SW were supported by EU fifth framework project QAP IST 015848 and the NWO VICI project 2004-2009. BMT acknowledges support by DTO through ARO contract number W911NF-04-C-0098. SW thanks IBM Watson and BMT thanks the Instituut Lorentz in Leiden for their kind hospitality. At both locations part of this work was completed.

[1] J. Kilian, in Proceedings of 20th ACM STOC (1988), pp. 20–31.
[2] C. Crépeau, J. van de Graaf, and A. Tapp, in CRYPTO '95: Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology (Springer-Verlag, 1995), pp. 110–123.
[3] S. Wiesner, Sigact News 15 (1983).
[4] M. Rabin, Tech. Rep., Aiken Computer Laboratory, Harvard University (1981), Technical Report TR-81.
[5] S. Even, O. Goldreich, and A. Lempel, Communications of the ACM 28, 637 (1985).
[6] C. Crépeau, Journal of Modern Optics 41, 2455 (1994).
[7] C. H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska, in CRYPTO '91: Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology (Springer-Verlag, 1992), pp. 351–366.
[8] H.-K. Lo, Physical Review A 56, 1154 (1997), quant-ph/9611031.
[9] D. Mayers (1996), quant-ph/9603015.
[10] H.-K. Lo and H. F. Chau, Physical Review Letters 78, 3410 (1997), quant-ph/9603004.
[11] D. Mayers, Physical Review Letters 78, 3414 (1997), quant-ph/9605044.
[12] H.-K. Lo and H. Chau, in Proceedings of PhysComp96 (1996), quant-ph/9605026.
[13] I. Damgaard, S. Fehr, L. Salvail, and C. Schaffner, in Proceedings of 46th IEEE FOCS (2005), pp. 449–458.
[14] I. B. Damgård, S. Fehr, R. Renner, L. Salvail, and C. Schaffner, in Advances in Cryptology—CRYPTO '07 (Springer-Verlag, 2007), vol. 4622 of Lecture Notes in Computer Science, pp. 360–378, quant-ph/0612014.
[15] C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (1984), pp. 175–179.
[16] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Reviews of Modern Physics 74, 145 (2002).
[17] I. Damgaard, S. Fehr, L. Salvail, and C. Schaffner, LNCS 4622, 342 (2007), arXiv:0708.2557.
[18] C. Schaffner, Ph.D. thesis, University of Aarhus (2007), http://arxiv.org/abs/0709.0289.
[19] I. B. Damgård, S. Fehr, L. Salvail, and C. Schaffner, special issue of SIAM Journal of Computing (2008), to appear.
[20] C. Crépeau and J. Kilian, in Proceedings of 29th IEEE FOCS (1988).
[21] C. Crépeau, K. Morozov, and S. Wolf, in International Conference on Security in Communication Networks (SCN) (2004), vol. 4 of Lecture Notes in Computer Science.
[22] L. Salvail, in Proceedings of CRYPTO '98 (1998), vol. 1462 of Lecture Notes in Computer Science, pp. 338–353.
[23] J. L. Carter and M. N. Wegman, Journal of Computer and System Sciences 18, 143 (1979).
[24] R. Renner, Ph.D. thesis, ETH Zurich (2005), quant-ph/0512258.
[25] R. Renner and R. König, in Proceedings of TCC 2005 (Springer, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 407–425.
[26] H. Buhrman, M. Christandl, P. Hayden, H.-K. Lo, and S. Wehner, Physical Review Letters 97, 250501 (2006), quant-ph/0609237.
[27] C. Crépeau, in Advances in Cryptology – Proceedings of EUROCRYPT '97 (1997).
[28] B. Julsgaard, J. Sherson, J. I. Cirac, J. Fiurasek, and E. S. Polzik, Nature 432, 482 (2004).
[29] A. D. Boozer, A. Boca, R. Miller, T. E. Northup, and H. J. Kimble, Reversible state transfer between light and a single trapped atom (2007), quant-ph/0702248.
[30] T. Chanelière, D. Matsukevich, S. Jenkins, S.-Y. Lan, T. Kennedy, and A. Kuzmich, Nature 438, 833 (2005).
[31] M. Eisaman, A. André, F. Massou, M. Fleischauer, A. Zibrov, and M. D. Lukin, Nature 438, 837 (2005).
[32] W. Rosenfeld, S. Berner, J. Volz, M. Weber, and H. Weinfurter, Physical Review Letters 98, 0505004 (2007).
[33] T. B. Pittman and J. D. Franson, Phys. Rev. A 66, 062302 (2002).
[34] E. Knill, R. Laflamme, and G. Milburn, Nature 409, 46 (2001), http://arxiv.org/abs/quant-ph/0006088.
[35] S. Wehner and J. Wullschleger (2007), arXiv:0709.0492.
[36] L. Vandenberghe and S. Boyd, SIAM Review 38, 49 (1996).
[37] C. W. Helstrom, Information and Control 10, 254 (1967).
[38] M. Hayashi, Quantum Information - An Introduction (Springer, 2006).
[39] R. A. Horn and C. R. Johnson, Matrix Analysis (Cambridge University Press, 1985).
[40] If $X|_{I_b}$ is less than $n$ bits long Alice pads the string $X|_{I_b}$ with 0's to get an $n$-bit string in order to apply the hash function to $n$ bits.

APPENDIX A: TOOLS

In this appendix, we prove the lemmas used in the main text. The statements are reproduced for convenience.

Lemma 2 Let $\rho_{XE}$ be a cq-state with uniformly distributed $X \in \{0,1\}^n$ and $\rho^x_E = \rho^{x_1}_{E_1} \otimes \ldots \otimes \rho^{x_n}_{E_n}$. Then the maximum probability of guessing $x$ given state $\rho_E$ is $P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by measuring each register separately.

Proof. For simplicity, we will assume that each bit is encoded using the same states $\rho_0 = \rho^0_{E_i}$ and $\rho_1 = \rho^1_{E_i}$. The argument for different encodings is analogous, but harder to read.
First of all, note that we can phrase the problem of finding the optimal probability of distinguishing two states as a semi-definite program (SDP)

\[ \text{maximize } \tfrac12\left({\rm Tr}(M_0\rho_0) + {\rm Tr}(M_1\rho_1)\right) \quad \text{subject to } M_0, M_1 \geq 0,\; M_0 + M_1 = I \]

with the dual program

\[ \text{minimize } \tfrac12 {\rm Tr}(Q) \quad \text{subject to } Q \geq \rho_0,\; Q \geq \rho_1. \]

Let $p^*$ and $d^*$ denote the optimal values of the primal and dual respectively. From the weak duality of SDPs, we have $p^* \leq d^*$. Indeed, since $M_0, M_1 = I/2$ are feasible solutions, we even have strong duality: $p^* = d^*$ [36]. Of course, the problem of determining the entire string $x$ from $\hat\rho^x := \rho^x_E$ can also be phrased as an SDP:

\[ \text{maximize } \frac{1}{2^n}\sum_{x\in\{0,1\}^n} {\rm Tr}(M_x\hat\rho^x) \quad \text{subject to } \forall x,\; M_x \geq 0,\; \sum_{x\in\{0,1\}^n} M_x = I \]

with the corresponding dual

\[ \text{minimize } \frac{1}{2^n}{\rm Tr}(\hat Q) \quad \text{subject to } \forall x,\; \hat Q \geq \hat\rho^x. \quad (A2) \]

Let $\hat p^*$ and $\hat d^*$ denote the optimal values of this new primal and dual respectively. Again, $\hat p^* = \hat d^*$. Note that when trying to learn the entire string $x$, we are of course free to measure each register individually and thus $(p^*)^n \leq \hat p^*$. We now show that $\hat d^* \leq (d^*)^n$ by constructing a dual solution $\hat Q$ from the optimal solution to the dual of the single-register case, $Q^*$: Take $\hat Q = Q_*^{\otimes n}$. Since $Q^* \geq \rho_0$ and $Q^* \geq \r
\rho_1$ it follows that $\forall x$, $Q_*^{\otimes n} \geq \hat\rho^x$. Thus $\hat Q$ satisfies the dual constraints. Clearly, $2^{-n}{\rm Tr}(\hat Q) = (2^{-1}{\rm Tr}(Q^*))^n$ and thus we have $\hat d^* \leq (d^*)^n$ as promised. But from $(p^*)^n \leq \hat p^*$, $\hat p^* = \hat d^*$, and $p^* = d^*$ we immediately have $\hat p^* = (p^*)^n$. ✷

Lemma 3 The only superoperators $S : \mathbb{C}^2 \to \mathbb{C}^k$ for which

\[ P_g(X|S(\sigma_+)) \cdot P_g(X|S(\sigma_\times)) = 1, \quad (A1) \]

are reversible.

Proof. Using Helstrom's formula [37] we have that $P_g(X|S(\sigma_b)) = \frac12\left[1 + \|S(\sigma_{0,b}) - S(\sigma_{1,b})\|_{tr}/2\right]$ and thus for $\Delta(S) = 1$ we need that for both $b \in \{\times, +\}$, $\|S(\sigma_{0,b}) - S(\sigma_{1,b})\|_{tr}/2 = 1$. This implies that $S(\sigma_{0,b})$ and $S(\sigma_{1,b})$ are states which have support on orthogonal sub-spaces for both $b$. Let $S(\sigma_{0,+}) = \sum_k p_k |\psi_k\rangle\langle\psi_k|$ and $S(\sigma_{1,+}) = \sum_k q_k |\psi_k^\perp\rangle\langle\psi_k^\perp|$ where for all $k, l$, $\langle\psi_k^\perp|\psi_l\rangle = 0$. Consider the purification of $S(\sigma_{i,b})$ using an ancillary system, i.e. $|\phi_{i,b}\rangle = U_S|i\rangle_b|0\rangle$. We can write $|\phi_{0,+}\rangle = \sum_k \sqrt{p_k}\,|\psi_k, k\rangle$ and $|\phi_{1,+}\rangle = \sum_k \sqrt{q_k}\,|\psi_k^\perp, k\rangle$. Hence $U_S|0\rangle_\times|0\rangle = \frac{1}{\sqrt2}(|\phi_{0,+}\rangle + |\phi_{1,+}\rangle)$ and similar for $U_S|1\rangle_\times|0\rangle$. So we can write

\[ \|S(\sigma_{0,\times}) - S(\sigma_{1,\times})\|_{tr} = \Big\|\sum_k \sqrt{p_k q_k}\,\big(|\psi_k\rangle\langle\psi_k^\perp| + |\psi_k^\perp\rangle\langle\psi_k|\big)\Big\|_{tr} \leq 2\sum_k \sqrt{p_k q_k}. \]

For this quantity to be equal to 2 we observe that it is necessary that $p_k = q_k$. Thus we set $p_k = q_k$. Then we observe that if any of the states $|\psi_k\rangle$ (or $|\psi_k^\perp\rangle$) are non-orthogonal, i.e. $|\langle\psi_k|\psi_l\rangle| > 0$, then the quantity $\|\sum_k p_k(|\psi_k\rangle\langle\psi_k^\perp| + |\psi_k^\perp\rangle\langle\psi_k|)\|_{tr} < 2$. Let $S_k$ be the two-dimensional subspace spanned by the orthogonal vectors $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$. By the arguments above, the spaces $S_k$ are mutually orthogonal. We can reverse the super-operator $S$ by first projecting the output into one of the orthogonal subspaces $S_k$ and then applying a unitary operator $U_k$ that maps $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$ onto the states $|0\rangle$ and $|1\rangle$. ✷

Lemma 4 For any $1/2 \leq p_i \leq 1$ with $\prod_{i=1}^n p_i \leq p^n$, we have

\[ \frac{1}{2^n}\prod_{i=1}^n (1 + p_i) \leq p^{\log(4/3)\,n}. \]

Proof. With $\lambda := \log(4/3)$, it is easy to verify that $p_i^{-\lambda} + p_i^{1-\lambda} \leq 2$ for $1/2 \leq p_i \leq 1$ and therefore,

\[ \frac{1}{2^n}\prod_{i=1}^n (1 + p_i) = \frac{1}{2^n}\prod_{i=1}^n p_i^{\lambda}\left(p_i^{-\lambda} + p_i^{1-\lambda}\right) \leq \frac{1}{2^n}\cdot p^{\lambda n}\cdot 2^n. \]

✷

APPENDIX B: DEPOLARIZING NOISE

We now evaluate $\max_S \Delta(S)^2$ for depolarizing noise. Recall that to determine this quantity, we have to find an uncertainty relation, Eq. (4), by optimizing over all possible partial measurements $P$ as depicted in Figure 1:

\[ \Delta^2 := \max_S \Delta(S)^2 = \max_P P_g(X|S(\sigma_+)) \cdot P_g(X|S(\sigma_\times)), \]

where $S$ acts on a single qubit, but we drop the index $i$ to improve readability. For our analysis, it is convenient to think of $P$ as a partial measurement of the incoming qubit. Note that this corresponds to letting Bob perform an arbitrary CPTP map from the space of the incoming qubit to the space carrying the stored qubit.
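Before continuing, here is an added numerical illustration of the duality argument in the proof of Lemma 2 in Appendix A (example code written for this page, not code from the paper). It builds the single-register dual optimum $Q^* = (\rho_0+\rho_1)/2 + |\rho_0-\rho_1|/2$ explicitly, checks that its tensor power satisfies every constraint $\hat Q \geq \hat\rho^x$ of (A2), and compares $2^{-n}{\rm Tr}(\hat Q)$ with the Helstrom value of the product measurement. The two states are constructed here as depolarised copies of $|0\rangle$ and $|+\rangle$, which is Bob's situation once a basis has been announced; all matrices are real, so only the standard library is used.

```python
"""Numerical check of the SDP-duality step in the proof of Lemma 2.

Added example, not code from the paper.  The single-register states rho0,
rho1 are constructed below; they are real 2x2 matrices held as nested lists.
"""
from itertools import combinations, product
from math import sqrt

I2 = [[1.0, 0.0], [0.0, 1.0]]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def add(A, B, s=1.0):
    """Return A + s*B for equally sized square matrices."""
    return [[A[i][j] + s * B[i][j] for j in range(len(A))] for i in range(len(A))]


def kron(A, B):
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)] for i in range(n * m)]


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def det(A):
    """Laplace expansion; adequate for the small matrices used here."""
    if len(A) == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det([row[:j] + row[j + 1:] for row in A[1:]])
               for j in range(len(A)))


def is_psd(A, tol=1e-9):
    """A real symmetric matrix is PSD iff all of its principal minors are >= 0."""
    n = len(A)
    return all(det([[A[i][j] for j in idx] for i in idx]) >= -tol
               for size in range(1, n + 1) for idx in combinations(range(n), size))


def bloch(x, z):
    """Qubit state (I + xX + zZ)/2; e.g. bloch(0, r) and bloch(r, 0) are depolarised |0> and |+>."""
    return [[(1 + z) / 2, x / 2], [x / 2, (1 - z) / 2]]


def helstrom(rho0, rho1):
    """Helstrom [37] for a uniform prior: 1/2 (1 + ||rho0 - rho1||_tr / 2).
    D = rho0 - rho1 is traceless 2x2, so its eigenvalues are +-sqrt(-det D)."""
    D = add(rho0, rho1, -1.0)
    return 0.5 * (1 + sqrt(max(0.0, -det(D))))


def dual_certificate(rho0, rho1):
    """Optimal dual solution Q* = (rho0 + rho1)/2 + |D|/2 with |D| = sqrt(-det D) I.
    Then Q* - rho0 = (|D| - D)/2 >= 0 and Q* - rho1 = (|D| + D)/2 >= 0."""
    D = add(rho0, rho1, -1.0)
    s = sqrt(max(0.0, -det(D)))
    return add([[0.5 * v for v in row] for row in add(rho0, rho1)], I2, s / 2)


def check_lemma2(rho0, rho1, n):
    """Return (p*, d*, d_hat, feasible): primal value of the Helstrom measurement on one
    register, dual value Tr(Q*)/2, the n-register dual value 2^-n Tr(Q*^{(x)n}), and
    whether Q*^{(x)n} >= rho_x holds for every string x in {0,1}^n (constraint (A2))."""
    D = add(rho0, rho1, -1.0)
    s = sqrt(max(0.0, -det(D)))
    # Helstrom measurement: project onto the positive eigenspace of D (I/2 if D = 0).
    P_plus = [[0.5 * v for v in row] for row in (add(I2, D, 1.0 / s) if s > 0 else I2)]
    P_minus = add(I2, P_plus, -1.0)
    p_star = 0.5 * (trace(matmul(P_plus, rho0)) + trace(matmul(P_minus, rho1)))
    Q = dual_certificate(rho0, rho1)
    d_star = 0.5 * trace(Q)
    Q_hat = Q
    for _ in range(n - 1):
        Q_hat = kron(Q_hat, Q)
    feasible = True
    for regs in product((rho0, rho1), repeat=n):
        rho_x = regs[0]
        for reg in regs[1:]:
            rho_x = kron(rho_x, reg)
        feasible = feasible and is_psd(add(Q_hat, rho_x, -1.0))
    return p_star, d_star, trace(Q_hat) / 2 ** n, feasible


if __name__ == "__main__":
    for r in (1.0, 0.9):
        p, d, d_hat, ok = check_lemma2(bloch(0.0, r), bloch(r, 0.0), 2)
        print(f"r={r}: p*={p:.6f} d*={d:.6f} 2^-n Tr(Q_hat)={d_hat:.6f} (p*)^n={p**2:.6f} feasible={ok}")
```

For pure $|0\rangle$ and $|+\rangle$ the single-register value is $1/2 + 1/(2\sqrt2) \approx 0.8536$, and the two-register dual certificate lands exactly on its square, which is the equality $\hat p^* = (p^*)^n$ the lemma asserts.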
Furthermore, it is convenient to consider maximizing the sum instead of the product of guessing probabilities

\[ \Gamma = \max_P P_g(X|S(\sigma_+)) + P_g(X|S(\sigma_\times)). \]

This immediately gives us the bound $\Delta \leq \Gamma/2$. In the following, we will use the shorthand $p_+ = P_g(X|S(\sigma_+))$, $p_\times = P_g(X|S(\sigma_\times))$ for the probabilities that Bob correctly decodes the bit after Alice has announced the basis information. Any intermediate measurement $P$ that Bob may perform can be characterized by a set of measurement operators $\{F_k\}$ such that $\sum_k F_k^\dagger F_k = I$. Let the post-measurement state when Bob measures $\sigma_{i,b}$, and obtained outcome $k$, be $\tilde\sigma^k_{i,b}$. The probability that Bob succeeds in decoding the bit after the announcement of the basis is given by the average of probabilities (over all outcomes $k$) that conditioned on the fact that he obtained outcome $k$ he correctly decodes the bit. That is, for $b \in \{+, \times\}$

\[ p_b = \sum_k p_{k|b}\left[\frac12 + \frac14\left\|p_{0|kb}N(\tilde\sigma^k_{0,b}) - p_{1|kb}N(\tilde\sigma^k_{1,b})\right\|_{tr}\right] = \frac12 + \frac14\sum_k p_{k|b}\left\|r\left(p_{0|kb}\tilde\sigma^k_{0,b} - p_{1|kb}\tilde\sigma^k_{1,b}\right) + (1-r)(p_{0|kb} - p_{1|kb})\frac{I}{2}\right\|_{tr}, \quad (B1) \]

where

\[ p_{k|b} = {\rm Tr}\left(F_k(\sigma_{0,b} + \sigma_{1,b})F_k^\dagger\right)/2 = {\rm Tr}\left(F_k\frac{\sigma_{0,b} + \sigma_{1,b}}{2}F_k^\dagger\right) = \frac12{\rm Tr}(F_kF_k^\dagger) \]

is the probability of obtaining measurement outcome $k$ conditioned on the fact that the basis was $b$ (and we even see from the above that it is actually independent of $b$), $\tilde\sigma^k_{0,b} = F_k\sigma_{0,b}F_k^\dagger/p_{k|0b}$ is the post-measurement state for outcome $k$, and $p_{0|kb}$ is the probability that we are given this state. Definitions are analogous for the bit 1.

We now show that Bob's optimal strategy is to measure in the Breidbart basis for $r < 1/\sqrt2$, and to simply store the qubit for $r \geq 1/\sqrt2$. This then immediately allows us to evaluate $\Delta$. To prove our result, we proceed in three steps: First, we will simplify our problem considerably until we are left with a single Hermitian measurement operator over which we need to maximize. Second, we show that the optimal measurement operator is diagonal in the Breidbart basis. And finally, we show that depending on the amount of noise, this measurement operator is either proportional to the identity, or proportional to a rank one projector. Our individual claims are indeed very intuitive.

For any measurement $M = \{F_k\}$, let $B(M) = p^M_+ + p^M_\times$ for the measurement $M$, where $p^M_+$ and $p^M_\times$ are the success probabilities similar to Eq. (B1), but restricted to using the measurement $M$. First of all, note that we can easily combine two measurements. Intuitively, the following statement says that if we choose one measurement with probability $\alpha$, and the other with probability $\beta$, our average success probability will be the average of the success probabilities obtained via the individual measurements:

Claim 1 Let $M_1 = \{F^1_k\}$ and $M_2 = \{F^2_k\}$ be two measurements. Then $B(\alpha M_1 + \beta M_2) = \alpha B(M_1) + \beta B(M_2)$, where $\alpha M_1 + \beta M_2 := \{\sqrt\alpha F^1_k\} \cup \{\sqrt\beta F^2_k\}$ for $\alpha, \beta \geq 0$ and $\alpha + \beta = 1$.

Proof. Let $F = \{F_k\}_{k=1}^f$ and $G = \{G_k\}_{k=1}^g$ be measurements, $0 \leq \alpha \leq 1$ and $M := \{\sqrt\alpha F_k\}_{k=1}^f \cup \{\sqrt{1-\alpha}\,G_k\}_{k=f+1}^{f+g}$ be the measurement $F$ with probability $\alpha$ and measurement $G$ with probability $1 - \alpha$. We denote by $p^F_\cdot$, $p^G_\cdot$, $p^M_\cdot$ the probabilities corresponding to measurements $F$, $G$, $M$ respectively. Observe that for $1 \leq k \leq f$, $p^M_{k|b} = \frac12{\rm Tr}(\alpha F_kF_k^\dagger) = \alpha p^F_{k|b}$ and analogously for $f+1 \leq k \leq f+g$, we have $p^M_{k|b} = (1-\alpha)p^G_{k|b}$. We observe furthermore that for $1 \leq k \leq f$ and $x \in \{0,1\}$, $\alpha$ cancels out by the normalization,

\[ \tilde\sigma^{k,M}_{x,b} = \frac{\alpha F_k\sigma_{x,b}F_k^\dagger}{p^M_{k|xb}} = \frac{F_k\sigma_{x,b}F_k^\dagger}{p^F_{k|xb}} = \tilde\sigma^{k,F}_{x,b} \]

and similarly for $f+1 \leq k \leq f+g$. Finally, we can convince ourselves that $p^M_{x|kb} = p^F_{x|kb} = p^G_{x|(k-f)b}$, as the probability to be given state $\tilde\sigma^k_{0,b}$ is the same when the measurement outcome and the basis is fixed.
Putting everything together, we obtain

\[ p^M_b = \sum_{k=1}^{f+g} p^M_{k|b}\left[\frac12 + \frac14\left\|p^M_{0|kb}N(\tilde\sigma^{k,M}_{0,b}) - p^M_{1|kb}N(\tilde\sigma^{k,M}_{1,b})\right\|_{tr}\right] \]
\[ = \sum_{k=1}^{f}\alpha p^F_{k|b}\left[\frac12 + \frac14\left\|p^F_{0|kb}N(\tilde\sigma^{k,F}_{0,b}) - p^F_{1|kb}N(\tilde\sigma^{k,F}_{1,b})\right\|_{tr}\right] + \sum_{k=f+1}^{f+g}(1-\alpha)p^G_{k|b}\left[\frac12 + \frac14\left\|p^G_{0|kb}N(\tilde\sigma^{k,G}_{0,b}) - p^G_{1|kb}N(\tilde\sigma^{k,G}_{1,b})\right\|_{tr}\right] \]
\[ = \alpha p^F_b + (1-\alpha)p^G_b. \]

✷

We can now make a series of observations.

Claim 2 Let $M = \{F_k\}$ and $G = \{I, X, Z, XZ\}$. Then for all $g \in G$ we have $B(M) = B(gMg^\dagger)$.

Proof. This claim follows immediately from the fact that for the trace norm we have $\|UAU^\dagger\|_{tr} = \|A\|_{tr}$ for all unitaries $U$, and by noting that for all $g \in G$, $g$ can at most exchange the roles of 0 and 1. That is, we can perform a bit flip before the measurement which we can correct for afterwards by applying classical post-processing: we have for all $g \in G$ that

\[ p_{k|b}\left\|p_{0|kb}N\!\left(\frac{F_k g\sigma_{0,b}g^\dagger F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}N\!\left(\frac{F_k g\sigma_{1,b}g^\dagger F_k^\dagger}{p_{k|1b}}\right)\right\|_{tr} = p_{k'|b}\left\|p_{0|kb}N\!\left(\frac{F_k\sigma_{0,b}F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}N\!\left(\frac{F_k\sigma_{1,b}F_k^\dagger}{p_{k|1b}}\right)\right\|_{tr}. \]

✷

It also follows that

Corollary 1 For all $k$ we have for all $b \in \{+, \times\}$ and $g \in G$ that

\[ \left\|p_{0|kb}N\!\left(\frac{F_k\sigma_{0,b}F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}N\!\left(\frac{F_k\sigma_{1,b}F_k^\dagger}{p_{k|1b}}\right)\right\|_{tr} = \left\|p_{0|kb}N\!\left(\frac{F_k g\sigma_{0,b}g^\dagger F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}N\!\left(\frac{F_k g\sigma_{1,b}g^\dagger F_k^\dagger}{p_{k|1b}}\right)\right\|_{tr}. \]

Proof. This follows from the proof of Claim 2. ✷

Claim 3 Let $G = \{I, X, Z, XZ\}$. There exists a measurement operator $F$ such that the maximum of $B(M)$ over all measurements $M$ is achieved by a measurement proportional to $\{gFg^\dagger \mid g \in G\}$.

Proof. Let $M = \{F_k\}$ be a measurement. Let $K = |M|$ be the number of measurement operators. Clearly, $\hat M = \{\hat F_{g,k}\}$ with

\[ \hat F_{g,k} = \frac12\, gF_kg^\dagger, \]

is also a quantum measurement since $\sum_{g,k}\hat F_{g,k}^\dagger\hat F_{g,k} = I$. It follows from Claims 1 and 2 that $B(M) = B(\hat M)$. Define operators

\[ N_{g,k} = \frac{1}{\sqrt{2{\rm Tr}(F_k^\dagger F_k)}}\, gF_kg^\dagger. \]

Note that

\[ \sum_{g\in G} N_{g,k}^\dagger N_{g,k} = \frac{1}{2{\rm Tr}(F_k^\dagger F_k)}\sum_{u,v\in\{0,1\}} X^uZ^vF_k^\dagger F_kZ^vX^u = I \]

(see for example Hayashi [38]). Hence $M_k = \{N_{g,k}\}$ is a valid quantum measurement. Now, note that $\hat M$ can be obtained from $M_1, \ldots, M_K$ by averaging. Hence, by Claim 1 we have

\[ B(M) = B(\hat M) \leq \max_k B(M_k). \]

Let $M^*$ be the optimal measurement. Clearly, $m = B(M^*) \leq \max_k B(M_k^*) \leq m$ by the above and Corollary 1, from which our claim follows. ✷

Note that Claim 3 also gives us that we have at most 4 measurement operators. Wlog, we will take the measurement outcomes to be labeled 1, 2, 3, 4. Finally, we note that we can restrict ourselves to optimizing over positive-semidefinite (and hence Hermitian) matrices only.

Claim 4 Let $F$ be a measurement operator, and let $g(F) := 1 + \sum_{b,k} p_{k|b}\|p_{0|b}N(\tilde\sigma_{0,b}) - p_{1|b}N(\tilde\sigma_{1,b})\|_{tr}$ with $\tilde\sigma_{0,b} = F\sigma_{0,b}F^\dagger/{\rm Tr}(F\sigma_{0,b}F^\dagger)$ and $\tilde\sigma_{1,b} = F\sigma_{1,b}F^\dagger/{\rm Tr}(F\sigma_{1,b}F^\dagger)$. Then there exists a Hermitian operator $\hat F$, such that $g(F) = g(\hat F)$.

Proof. Let $F^\dagger = \hat F U$ be the polar decomposition of $F^\dagger$, where $\hat F$ is positive semidefinite and $U$ is unitary [39, Corollary 7.3.3]. Evidently, since the trace is cyclic, all probabilities remain the same. It follows immediately from the definition of the trace-norm that $\|UAU^\dagger\|_{tr} = \|A\|_{tr}$ for all unitaries $U$, which completes our proof. ✷

To summarize, our optimization problem can now be simplified to

\[ \max_M B(M) = \max_M p^M_+ + p^M_\times \leq \max_F\; 1 + \sum_{b,k} p_{k|b}\|p_{0|b}N(\tilde\sigma_{0,b}) - p_{1|b}N(\tilde\sigma_{1,b})\|_{tr} = 1 + 2\sum_b\left\|r\left(F(\sigma_{0,b} - \sigma_{1,b})F\right) + (1-r){\rm Tr}\left(F(\sigma_{0,b} - \sigma_{1,b})F\right)\frac{I}{2}\right\|_{tr}, \]

where the maximization is now taken over a single operator $F$, and we have used the fact that we can write $p_{0|kb} = p_{k|0b}/(2p_{k|b})$ and we have 4 measurement operators.

1. F is diagonal in the Breidbart basis

Now that we have simplified our problem already considerably, we are ready to perform the actual optimization. Since we are in $d = 2$ and $F$ is Hermitian, we may express $F$ as

\[ F = \alpha|\phi\rangle\langle\phi| + \beta|\phi^\perp\rangle\langle\phi^\perp|, \]

for some state $|\phi\rangle$ and real numbers $\alpha, \beta$. We first of all note that from $\sum_k F_kF_k^\dagger = I$, we obtain that

\[ {\rm Tr}\Big(\sum_k F_kF_k^\dagger\Big) = \sum_k {\rm Tr}(F_kF_k^\dagger) = \sum_{g\in\{I,X,Z,XZ\}} {\rm Tr}(gFg^\dagger gFg^\dagger) = 4{\rm Tr}(FF) = {\rm Tr}(I) = 2, \]

and hence ${\rm Tr}(FF) = \alpha^2 + \beta^2 = 1/2$. Furthermore, using that $|\phi\rangle\langle\phi| + |\phi^\perp\rangle\langle\phi^\perp| = I$ we then have

\[ F = \beta I + (\alpha - \beta)|\phi\rangle\langle\phi|, \quad (B2) \]

with $\beta = \sqrt{1/2 - \alpha^2}$. Our first goal is now to show that $|\phi\rangle$ is a Breidbart vector (or the bit-flipped version thereof). To this end, we first formalize our intuition that we may take $|\phi\rangle$ to lie in the XZ plane of the Bloch sphere only. Since we are only interested in the trace-distance term of $B(M)$, we restrict ourselves to considering

\[ C(F) := \sum_b\left\|r\left(F(\sigma_{0,b} - \sigma_{1,b})F\right) + (1-r){\rm Tr}\left(F(\sigma_{0,b} - \sigma_{1,b})F\right)\frac{I}{2}\right\|_{tr}. \]

Claim 5 Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (B2). Then $|\phi\rangle$ lies in the XZ plane in the Bloch sphere (i.e. ${\rm Tr}(FY) = 0$).

Proof. We first parametrize the state in terms of its Bloch vector:

\[ |\phi\rangle\langle\phi| = \frac{I + xX + yY + zZ}{2}. \]

Since $|\phi\rangle$ is pure we can write $y = \sqrt{1 - x^2 - z^2}$. Hence, we can express $F$ as

\[ F = \frac12\left((\alpha + \beta)I + (\alpha - \beta)(xX + yY + zZ)\right). \]

Noting that $\sigma_{0,+} - \sigma_{1,+} = Z$ and $\sigma_{0,\times} - \sigma_{1,\times} = X$ we can compute for the computational basis

\[ P := r(FZF) + (1-r){\rm Tr}(FZF)\frac{I}{2} = \frac12\left[\left(2\alpha^2 - \frac12\right)zI + r\left((\alpha-\beta)^2 xz\,X + (\alpha-\beta)^2 yz\,Y + \left((\alpha-\beta)^2 z^2 + 2\alpha\beta\right)Z\right)\right], \]

and for the Hadamard basis:

\[ T := r(FXF) + (1-r){\rm Tr}(FXF)\frac{I}{2} = \frac12\left[\left(2\alpha^2 - \frac12\right)xI + r\left(\left((\alpha-\beta)^2 x^2 + 2\alpha\beta\right)X + (\alpha-\beta)^2 xy\,Y + (\alpha-\beta)^2 xz\,Z\right)\right]. \]

Note that $\|P\|_{tr} = \sum_j |\lambda_j(P)|$, where $\lambda_j$ is the $j$-th eigenvalue of $P$. A lengthy computation (using Mathematica), and plugging in $\beta = \sqrt{1/2 - \alpha^2}$ and $y = \sqrt{1 - x^2 - z^2}$ shows that we have

\[ \lambda_1(P) = \frac14\left[(4\alpha^2 - 1)z - r\sqrt{z^2 + 8\alpha^2(2\alpha^2 - 1)(z^2 - 1)}\right], \quad \lambda_2(P) = \frac14\left[(4\alpha^2 - 1)z + r\sqrt{z^2 + 8\alpha^2(2\alpha^2 - 1)(z^2 - 1)}\right]. \]

Similarly, we obtain for the Hadamard basis that

\[ \lambda_1(T) = \frac14\left[(4\alpha^2 - 1)x - r\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}\right], \quad \lambda_2(T) = \frac14\left[(4\alpha^2 - 1)x + r\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}\right]. \]

We define

\[ f(\alpha, x) := \left(\alpha^2 - \frac14\right)x, \quad g(\alpha, x) := \frac14\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}, \]
\[ h(\alpha, x, r) := |f(\alpha, x) + r g(\alpha, x)| + |f(\alpha, x) - r g(\alpha, x)|. \]

Note that our optimization problem now takes the form

\[ \text{maximize } h(\alpha, x, r) + h(\alpha, z, r) \quad \text{subject to } x^2 + z^2 \leq 1,\; 0 \leq x \leq 1,\; 0 \leq z \leq 1, \]

where we can introduce the last two inequality constraints without loss of generality, since the remaining three measurement operators will be given by $XFX$, $ZFZ$, and $XZFZX$. To show that we can let $y = 0$ for the optimal solution, we have to show that for all $\alpha$ and all $r$, the function $h(\alpha, x, r)$ is increasing on the interval $0 \leq x \leq 1$ (and indeed Mathematica will convince you in an instant that this is the case). Our analysis is further complicated by the absolute values. We therefore first consider

\[ h(\alpha, x, r)^2 = 2\left(f(\alpha, x)^2 + r^2 g(\alpha, x)^2 + |f(\alpha, x)^2 - r^2 g(\alpha, x)^2|\right), \]

where we have used the fact that $f$ and $g$ are real valued functions. In principle, we can now analyze

\[ h_+(\alpha, x, r)^2 = 2\left(f(\alpha, x)^2 + r^2 g(\alpha, x)^2 + f(\alpha, x)^2 - r^2 g(\alpha, x)^2\right) \]

and

\[ h_-(\alpha, x, r)^2 = 2\left(f(\alpha, x)^2 + r^2 g(\alpha, x)^2 - f(\alpha, x)^2 + r^2 g(\alpha, x)^2\right) \]

separately on their respective domains. By rewriting, we obtain

\[ h_+(\alpha, x, r)^2 = \frac14 r^2\left(x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)\right), \]

and

\[ h_-(\alpha, x, r)^2 = 4\left(\alpha^2 - \frac14\right)^2 x^2. \]

Luckily, the first derivatives of $h_+$ and $h_-$ turn out to be positive everywhere for our choice of parameters $0 \leq \alpha \leq 1/\sqrt2$, and $0 \leq r, z \leq 1$. Hence, by further inspection at the transitional points we can conclude that $h$ is an increasing function of $x$. But this means that to maximize our target expression, we must choose $x$ and $z$ as large as possible. Hence, choosing $y = 0$ is the best choice and our claim follows. ✷

We can now immediately extend this analysis to find

Claim 6 Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (B2). Then $|\phi\rangle = g(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle)$, for some $g \in \{I, X, Z, XZ\}$.

Proof. Extending our analysis from the previous proof, we can compute the second derivative of both functions. It turns out that also the second derivatives are positive, and hence $h$ is convex in $x$. By Claim 5, we can rewrite our optimization problem as

\[ \text{maximize } h(\alpha, x, r) + h(\alpha, z, r) \quad \text{subject to } x^2 + z^2 = 1,\; 0 \leq x \leq 1,\; 0 \leq z \leq 1. \]

It now follows from the fact that $h$ is convex in $x$ and the constraint $x^2 + z^2 = 1$ (by computing the Lagrangian of the above optimization problem), that for the optimal solution we must have $x = z$, and our claim follows. ✷

2. Optimality of the trivial strategies

Now that we have shown that $F$ is in fact diagonal in the Breidbart basis (or the bit flipped version thereof) we have only a single parameter left in our optimization problem. We must now optimize over all operators $F$ of the form

\[ F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2 - \alpha^2}\,|\phi^\perp\rangle\langle\phi^\perp|, \]

where we may take $|\phi\rangle$ to be $|0\rangle_B$ or $|1\rangle_B$. Our aim is now to show that either $F$ is the identity, or $F = |\phi\rangle\langle\phi|$ depending on the value of $r$.

Claim 7 Let $F$ be the operator that maximizes $C(F)$. Then $F = cI$ (for some $c \in \mathbb{R}$) for $r \geq 1/\sqrt2$, and $F = |\phi\rangle\langle\phi|$ for $r < 1/\sqrt2$, where $|\phi\rangle = g(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle)$, for some $g \in \{I, X, Z, XZ\}$.

Proof. We can now plug in $x = z = 1/\sqrt2$ in the expressions for the eigenvalues in our previous proof. Ignoring the constant factors which do not contribute to our argument, we can then write

\[ \lambda_1(P) = (4\alpha^2 - 1) - r\sqrt{1 - 16\alpha^4 + 8\alpha^2}, \quad \lambda_2(P) = (4\alpha^2 - 1) + r\sqrt{1 - 16\alpha^4 + 8\alpha^2}, \]

and similarly for the Hadamard basis. We again define functions

\[ f(\alpha) := 4\alpha^2 - 1, \quad g(\alpha) := \sqrt{1 - 16\alpha^4 + 8\alpha^2}, \quad h(\alpha, r) := |f(\alpha) + r g(\alpha)| + |f(\alpha) - r g(\alpha)|. \]

Note that our optimization problem now takes the form

\[ \text{maximize } 2h(\alpha, r) \quad \text{subject to } 0 \leq \alpha \leq \frac{1}{\sqrt2}. \]

Since we are maximizing, we might as well consider the square of our target function and ignore the leading constant as it is irrelevant for our argument:

\[ h(\alpha, r)^2 = 2\left(f(\alpha)^2 + r^2 g(\alpha)^2 + |f(\alpha)^2 - r^2 g(\alpha)^2|\right). \]

To deal with the absolute value, we now perform a case analysis similar to the one above.
Computing the zero crossings of the function $f(\alpha)^2 - r^2 g(\alpha)^2$, we analyze each interval separately. Computing the first and second derivatives on the intervals we find that $h(\alpha, r)^2$ has exactly two peaks: the first at $\alpha = 0$, and the second at $\alpha = 1/2$. We have that $h(0, r)^2 = 2$ for all $r$, and $h(1/2, r)^2 = 4r^2$. Hence, we immediately see that the maximum is located at $\alpha = 0$ for $r \leq 1/\sqrt2$, and at $\alpha = 1/2$ for $r \geq 1/\sqrt2$. ✷

Hence, we may conclude that Bob either measures in the Breidbart basis, or stores the qubit as is, and Theorem 2 follows. We believe that a similar analysis can be done for the dephasing channel, by first symmetrizing the noise by applying a rotation over $\pi/4$ to our input states.
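The optimisation in this appendix can be reproduced numerically for the depolarising channel $N_r(\rho) = r\rho + (1-r)I/2$, as an added example (code written for this page, not the paper's own). It evaluates $p_+$ and $p_\times$ with Helstrom's formula for the symmetric four-outcome measurement $\{gFg^\dagger \mid g \in \{I, X, Z, XZ\}\}$ built from an $F$ of the form (B2), $F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2 - \alpha^2}\,|\phi^\perp\rangle\langle\phi^\perp|$, then scans $\alpha$ over $[0, 1/\sqrt2]$ to locate the two end points of Claim 7: $\alpha = 0$ (rank-one $F$, measure in the Breidbart basis) when $r < 1/\sqrt2$ and $\alpha = 1/2$ ($F = I/2$, store the qubit) when $r > 1/\sqrt2$. The angle $\theta$ of $|\phi\rangle = \cos\theta|0\rangle + \sin\theta|1\rangle$ is a parameter so that a non-Breidbart measurement ($\theta = 0$) can be compared as well; all matrices are real 2x2 and only the standard library is used.

```python
"""Bob's store-versus-measure trade-off under depolarising noise (Appendix B).

Added example, not code from the paper.  States, measurement operators and
the noise channel are constructed here as real 2x2 matrices (nested lists).
"""
from math import cos, pi, sin, sqrt

I2 = [[1.0, 0.0], [0.0, 1.0]]
X = [[0.0, 1.0], [1.0, 0.0]]
Z = [[1.0, 0.0], [0.0, -1.0]]
PAULI_GROUP = [I2, X, Z, [[0.0, -1.0], [1.0, 0.0]]]  # I, X, Z, XZ


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def transpose(A):
    return [[A[j][i] for j in range(2)] for i in range(2)]


def lin(a, A, b, B):
    """a*A + b*B for 2x2 matrices."""
    return [[a * A[i][j] + b * B[i][j] for j in range(2)] for i in range(2)]


def trace(A):
    return A[0][0] + A[1][1]


def trace_norm(A):
    """||A||_tr for a real symmetric 2x2 matrix: sum of the absolute eigenvalues."""
    t, d = trace(A), A[0][0] * A[1][1] - A[0][1] * A[1][0]
    disc = sqrt(max(0.0, t * t - 4.0 * d))
    return abs((t + disc) / 2.0) + abs((t - disc) / 2.0)


def depolarise(A, r):
    """N_r(A) = r A + (1 - r) Tr(A) I/2, the depolarising channel on an operator A."""
    return lin(r, A, (1.0 - r) * trace(A) / 2.0, I2)


def projector(theta):
    """|phi><phi| for |phi> = cos(theta)|0> + sin(theta)|1>; theta = pi/8 is the Breidbart vector."""
    c, s = cos(theta), sin(theta)
    return [[c * c, c * s], [c * s, s * s]]


def measurement_operator(alpha, theta):
    """F = alpha |phi><phi| + beta |phi_perp><phi_perp| with beta = sqrt(1/2 - alpha^2),
    i.e. Eq. (B2) normalised so that sum_g g F^2 g^dagger = 2 Tr(F^2) I = I."""
    beta = sqrt(max(0.0, 0.5 - alpha * alpha))
    P = projector(theta)
    return lin(alpha, P, beta, lin(1.0, I2, -1.0, P))


def guess_prob(F, diff, r):
    """p_b for the basis b with sigma_{0,b} - sigma_{1,b} = diff (Z for +, X for x).

    Given outcome k Bob holds p_{x|kb} N_r(sigma~^k_{x,b}) and, by Helstrom, guesses
    the bit with probability 1/2 (1 + ||p_{0|kb} rho_0 - p_{1|kb} rho_1||_tr).  Since
    p_{k|b} p_{x|kb} sigma~^k_{x,b} = F_k sigma_{x,b} F_k^dagger / 2, averaging over the
    four outcomes F_k = g F g^dagger gives
        p_b = 1/2 + 1/4 sum_k ||N_r(F_k diff F_k^dagger)||_tr.
    """
    total = 0.0
    for g in PAULI_GROUP:
        Fk = matmul(matmul(g, F), transpose(g))
        total += trace_norm(depolarise(matmul(matmul(Fk, diff), transpose(Fk)), r))
    return 0.5 + total / 4.0


def strategy_value(alpha, theta, r):
    """Return (p_+, p_x, Delta) with Delta = sqrt(p_+ p_x) for the measurement (alpha, theta)."""
    F = measurement_operator(alpha, theta)
    p_plus, p_cross = guess_prob(F, Z, r), guess_prob(F, X, r)
    return p_plus, p_cross, sqrt(p_plus * p_cross)


def best_alpha(theta, r, steps=100):
    """Grid search over alpha in [0, 1/sqrt(2)] (the grid contains 0 and 1/2 exactly);
    returns (alpha, B) for the first grid point attaining the largest B = p_+ + p_x."""
    best_a, best_b = 0.0, -1.0
    for i in range(int(steps * sqrt(2)) + 1):
        a = i / (2.0 * steps)
        p_plus, p_cross, _ = strategy_value(a, theta, r)
        if p_plus + p_cross > best_b + 1e-9:
            best_a, best_b = a, p_plus + p_cross
    return best_a, best_b


if __name__ == "__main__":
    for r in (0.5, 1 / sqrt(2), 0.9):
        a, b = best_alpha(pi / 8, r)
        kind = "measure (rank-one F)" if a == 0.0 else "store (F = I/2)"
        print(f"r={r:.3f}: best alpha={a:.2f} -> {kind}, B={b:.4f}, Delta <= B/2 = {b / 2:.4f}")
```

With $\alpha = 0$ and $\theta = \pi/8$ both guessing probabilities equal $1/2 + 1/(2\sqrt2)$ regardless of $r$, because the classical outcome is all that survives; with $\alpha = 1/2$ they equal $(1+r)/2$, so the two curves cross exactly at $r = 1/\sqrt2$. Setting $\theta = 0$ instead yields $p_+ = 1$ but $p_\times = 1/2$, i.e. $B = 1.5 < 1 + 1/\sqrt2$, which is why the Breidbart direction is the right one to measure in.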