Cryptography from Noisy Storage
Stephanie Wehner,1,∗ Christian Schaffner,2,† and Barbara M. Terhal3,‡
arXiv:0711.2895v3 [quant-ph] 20 Jun 2008
1 Institute for Quantum Information, Caltech, 1200 E California Blvd, Pasadena, CA 91125, USA
2 CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
3 IBM, Watson Research Center, P.O. Box 218, Yorktown Heights, NY, USA
(Dated: February 11, 2013)
We show how to implement cryptographic primitives based on the realistic assumption that quantum storage of qubits is noisy. We thereby consider individual-storage attacks, i.e. the dishonest
party attempts to store each incoming qubit separately. Our model is similar to the model of
bounded-quantum storage, however, we consider an explicit noise model inspired by present-day
technology. To illustrate the power of this new model, we show that a protocol for oblivious transfer
(OT) is secure for any amount of quantum-storage noise, as long as honest players can perform
perfect quantum operations. Our model also allows one to prove the security of protocols that cope with noise in
the operations of the honest players and that achieve more advanced tasks such as secure identification.
Traditional cryptography is concerned with the secure
and reliable transmission of messages. With the advent of
widespread electronic communication new cryptographic
tasks have become increasingly important. Examples
of such tasks are secure identification, electronic voting,
online auctions, contract signing and other applications
where the protocol participants do not necessarily trust
each other. It is well-known that almost all these interesting tasks are impossible to realize without any restrictions on the participating players, neither classically nor
with the help of quantum communication [8]. It is therefore an important task to come up with a cryptographic
model which restricts the capabilities of adversarial players and in which these tasks become feasible. It turns out
that all such two-party protocols can be based on a simple primitive called 1-2 Oblivious Transfer [1] (1-2 OT),
first introduced in [3, 4, 5]. Hence, 1-2 OT is commonly
used to provide a “proof of concept” for the universal
power of a new model. In 1-2 OT, the sender Alice starts
off with two bit strings S0 and S1 , and the receiver Bob
holds a choice bit C. The protocol allows Bob to retrieve SC in such a way that Alice does not learn any
information about C (thus, Bob cannot simply ask for
SC ). At the same time, Alice must be ensured that Bob
only learns SC , and no information about the other string
S1−C (thus, Alice cannot simply send him both S0 and
S1 ). A 1-2 OT protocol is called unconditionally secure
when neither Alice nor Bob can break these conditions,
even when given unlimited resources.
In this letter, we propose a cryptographic model based
on current practical and near-future technical limitations, namely that quantum storage is noisy. Thus the
presence of noise, the very problem that makes it so
hard to implement a quantum computer, can actually
be turned to our advantage. Recently it was shown that
secure OT is possible when the receiver Bob has a limited amount of quantum memory [13, 14] at his disposal.
∗ wehner@caltech.edu
† c.schaffner@cwi.nl
‡ bterhal@gmail.com
Within this ‘bounded-quantum-storage model’ OT can
be implemented securely as long as a dishonest receiver
Bob can store at most n/4−O(1) qubits coherently, where
n is the number of qubits transmitted from Alice to Bob.
This approach assumes an explicit limit on the physical
number of qubits (or more precisely, on the rank of the
adversary’s quantum state). However, at present we do
not know of any practical physical situation which enforces such a limit for quantum information. We therefore propose an alternative model of noisy quantum storage inspired by present-day physical implementations:
We require no explicit memory bound, but we assume
that any qubit that is placed into quantum storage undergoes a certain amount of noise. The advantage of our
model is that we can evaluate the security parameters of
a protocol explicitly in terms of the noise. In this letter, we show that the OT protocol from [14] is secure in
our new model. This simple OT protocol could be implemented using photonic qubits (using polarization or
phase-encoding) with standard BB84 quantum key distribution [15, 16] hardware, only with different classical
post-processing.
We analyze the case where the adversary performs
individual-storage attacks. More precisely, Bob may
choose to (partially) measure (a subset of) his qubits
immediately upon reception using an error-free product
measurement. In addition he can store each incoming
qubit, or post-measurement state from a prior partial
measurement, separately and wait until he gets additional information from Alice (at Step 3 in Protocol 1).
Once he obtained the additional information he may perform an arbitrary coherent measurement on his stored
qubits using the stored classical data. We thereby assume
that qubit qi undergoes some noise while in storage, and
we also assume that the noise acts independently on each
qubit. In the following, we use the super-operator Si to
denote the combined channel given by Bob’s initial (partial) measurement and the noise. Practically, noise can
arise as a result of transferring the qubit onto a different
physical carrier, such as an atomic ensemble or atomic
state for example, or into an error-correcting code with
fidelity less than 1. In addition, the (encoded) qubit will
undergo noise once it has been transferred into ‘storage’.
Hence, the quantum operation Si in any real world setting necessarily includes some form of noise.
First, we show that for any initial measurement, and
any noisy superoperator Si the 1-2 OT protocol is secure
if the honest participants can perform perfect noise-free
quantum operations. As an explicit example we consider
the case of depolarizing noise during storage. In particular, we can show the following all-or-nothing result: if
Bob’s storage noise is above a certain threshold, his optimal cheating strategy is to perform a measurement in
the so-called Breidbart basis. On the other hand, if the
noise level is below the threshold, he is best off storing
each qubit as is.
Second, we consider a more practical setting using photonic qubits where the honest participants experience
noise themselves: their quantum operations may be inaccurate or noisy, they may use weak laser pulses instead of single photon sources, and qubits may undergo
decoherence during transmission. Note, however, that
unlike in QKD, we typically want to execute such protocols over very short distances (for example in banking
applications) where the depolarization rate during transmission is very low. We give a practical OT-protocol that
is a small modification of the perfect protocol. It allows
us to deal with erasure errors (i.e. photon loss) separately. We show how to derive trade-offs between the
amount of storage noise, the amount of noise for the operations performed by the honest participants, and the
security of the protocol.
Finally, we briefly discuss the security of our protocol
from the future perspective of fault-tolerant quantum
computation with photonic qubits. We also discuss
the issue of analyzing fully coherent attacks for our
protocol. Indeed, there is a close relation between
the OT protocol and BB84 quantum key distribution. Our security analysis can in principle be carried
over to obtain a secure identification scheme in the
noisy-quantum-storage model analogous to [17]. This
scheme achieves password-based identification and is
of particular practical relevance as it can be used for
banking applications.
A. Related work
Precursors of the idea of basing cryptographic security
on storage-noise are already present in [7], but no rigorous analysis was carried through in that paper. Furthermore, it was pointed out in [18, 19] how the original
bounded-quantum-storage analysis applies in the case of
noise levels which are so large that the rank of a dishonest
player’s quantum storage is reduced to n/4. In contrast,
we are able to give an explicit security trade-off even for
small amounts of noise. We note that our security proof
does not exploit the noise in the communication channel
(which has been done in the classical setting to achieve
cryptographic tasks, see e.g. [20, 21]), but is solely based
on the fact that the dishonest receiver’s quantum storage
is noisy. A model based on classical noisy storage is akin
to the setting of a classical noisy channel, if the operations are noisy, or the classical bounded-storage model,
both of which are difficult to enforce in practice. Another
technical limitation has been considered in [22] where a
bit-commitment scheme was shown secure under the assumption that the dishonest committer can only measure
a limited amount of qubits coherently. Our analysis differs in that we can in fact allow any coherent destructive
measurement at the end of the protocol.
I. DEFINITIONS AND TOOLS
We start by introducing some tools, definitions and
technical lemmas. To define the security of OT we need
to express what it means for a dishonest quantum player
not to gain any information. Let ρ_XE be a state that is part classical, part quantum, i.e. a cq-state
$$\rho_{XE} = \sum_{x\in\mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x .$$
Here, X is a classical random variable distributed over the finite set $\mathcal{X}$ according to distribution P_X. The non-uniformity of X given $\rho_E = \sum_x P_X(x)\rho_E^x$ is defined as
$$d(X|\rho_E) := \tfrac{1}{2}\Big\| I/|\mathcal{X}| \otimes \rho_E - \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x \Big\|_{\mathrm{tr}} , \qquad (1)$$
where $\|A\|_{\mathrm{tr}} = \mathrm{Tr}\sqrt{A^\dagger A}$. Intuitively, if d(X|ρ_E) ≤ ε the distribution of X is ε-close to uniform even given ρ_E, i.e., ρ_E gives hardly any information about X. A simple property of the non-uniformity which follows from its definition is that
$$d(X|\rho_{ED}) = d(X|\rho_E) \qquad (2)$$
for any cq-state of the form ρ_XED = ρ_XE ⊗ ρ_D.
We prove the security of a randomized version of OT.
In such a protocol, Alice does not choose her input strings
herself, but instead receives two strings S0 , S1 ∈ {0, 1}ℓ
chosen uniformly at random by the protocol. Randomized OT (ROT) can easily be converted into OT: after
the ROT protocol is completed, Alice uses her strings
S0 , S1 obtained from ROT as one-time pads to encrypt
her original inputs Sˆ0 and Sˆ1 , i.e. she sends an additional
classical message consisting of Sˆ0 ⊕S0 and Sˆ1 ⊕S1 to Bob.
Bob can retrieve the message of his choice by computing
SC ⊕ (ŜC ⊕ SC ) = ŜC . He stays completely ignorant
about the other message Ŝ1−C since he is ignorant about
S1−C . The security of a quantum protocol implementing
ROT is formally defined in [13, 14]:
Definition 1 An ε-secure 1-2 ROT^ℓ is a protocol between Alice and Bob, where Bob has input C ∈ {0, 1}, and Alice has no input. For any distribution of C:
• (Correctness) If both parties are honest, Alice gets output S_0, S_1 ∈ {0, 1}^ℓ and Bob learns Y = S_C except with probability ε.
• (Receiver-security) If Bob is honest and obtains output Y, then for any cheating strategy of Alice resulting in her state ρ_A, there exist random variables S'_0 and S'_1 such that Pr[Y = S'_C] ≥ 1 − ε and C is independent of S'_0, S'_1 and ρ_A.
• (Sender-security) If Alice is honest, then for any cheating strategy of Bob resulting in his state ρ_B, there exists a random variable C' ∈ {0, 1} such that d(S_{1−C'}|S_{C'} C' ρ_B) ≤ ε.
The OT protocol makes use of two-universal hash functions. These hash functions are used for privacy amplification similar as in quantum key distribution. A class F of functions f : {0, 1}^n → {0, 1}^ℓ is called two-universal if for all x ≠ y ∈ {0, 1}^n and f ∈ F chosen uniformly at random from F, we have Pr[f(x) = f(y)] ≤ 2^{−ℓ}. For example, the set of all affine functions from {0, 1}^n to {0, 1}^ℓ is two-universal [23]. The following theorem expresses how hash functions can increase the privacy of a random variable X given a quantum adversary holding ρ_E and the function F:
Theorem 1 (Th. 5.5.1 in [24] (see also [25])) Let F be a class of two-universal hash functions from {0, 1}^n to {0, 1}^ℓ. Let F be a random variable that is uniformly and independently distributed over F, and let ρ_XE be a cq-state. Then,
$$d(F(X)|F,\rho_E) \le 2^{-\frac{1}{2}(H_2(X|\rho_E)-\ell)-2},$$
where H_2(·|·) denotes the conditional collision entropy defined in [24] as $H_2(X|\rho_E) := -\log \mathrm{Tr}\big((I\otimes\rho_E^{-1/2})\rho_{XE}\big)^2$ of the cq-state ρ_XE.
In our application we will make use of a simplified form of this theorem which follows directly from [26, Lemma 1]. The non-uniformity in the theorem above is bounded by the average success probability of guessing x given the state ρ_E:
Lemma 1 For a measurement M with POVM elements {M_x}_{x∈X} let $p^{\mathcal{M}}_{y|x} = \mathrm{Tr}\, M_y \rho_E^x$ be the probability of outputting guess y given ρ_E^x. Then $P_g(X|\rho_E) = \sup_{\mathcal{M}} \sum_x P_X(x)\, p^{\mathcal{M}}_{x|x}$ is the maximal average success probability of guessing x ∈ X given the reduced state ρ_E of the cq-state ρ_XE. We have
$$d(F(X)|F,\rho_E) \le 2^{\frac{\ell}{2}-1}\sqrt{P_g(X|\rho_E)} .$$
If we have an additional k bits of classical information D about X, we can bound
$$d(F(X)|F,D,\rho_E) \le 2^{\frac{\ell+k}{2}-1}\sqrt{P_g(X|\rho_E)} . \qquad (3)$$
The following lemma is proven in the Appendix and states that the optimal strategy to guess X = x ∈ {0, 1}^n given individual quantum information about the bits of X is to measure each register individually.
Lemma 2 Let ρ_XE be a cq-state with uniformly distributed X = x ∈ {0, 1}^n and $\rho_E^x = \rho_{E_1}^{x_1} \otimes \dots \otimes \rho_{E_n}^{x_n}$. Then the maximum probability of guessing x given state ρ_E is $P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by measuring each register separately.
The last tool we need is an uncertainty relation for noisy channels and measurements. Let σ_{0,+} = |0⟩⟨0|, σ_{1,+} = |1⟩⟨1|, σ_{0,×} = |+⟩⟨+| and σ_{1,×} = |−⟩⟨−| denote the BB84-states corresponding to the encoding of a bit z ∈ {0, 1} into basis b ∈ {+, ×} (computational resp. Hadamard basis). Let σ_+ = (σ_{0,+} + σ_{1,+})/2 and σ_× = (σ_{0,×} + σ_{1,×})/2. Consider the state S(σ_{z,b}) for some super-operator S. Note that P_g(X|S(σ_b)) (see Lemma 1) denotes the maximal average success probability for guessing a uniformly distributed X when b = + or b = ×. An uncertainty relation for such success probabilities can be stated as
$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) \le \Delta(\mathcal{S})^2 , \qquad (4)$$
where Δ is a function from the set of superoperators to the real numbers. For example, when S is a quantum measurement M mapping the state σ_{z,b} onto purely classical information it can be argued (e.g. by using a purification argument and Corollary 4.15 in [18]) that $\Delta(\mathcal{M}) \equiv \tfrac{1}{2}(1 + 2^{-1/2})$, which can be achieved by a measurement in the Breidbart basis, where the Breidbart basis is given by {|0⟩_B, |1⟩_B} with |0⟩_B = cos(π/8)|0⟩ + sin(π/8)|1⟩ and |1⟩_B = sin(π/8)|0⟩ − cos(π/8)|1⟩.
It is clear that for a unitary superoperator U we have Δ(U)^2 = 1 which can be achieved. It is not hard to show that (see the proof in the Appendix)
Lemma 3 The only superoperators S : C^2 → C^k for which
$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) = 1 , \qquad (5)$$
are reversible operations.
II. PROTOCOL AND ANALYSIS
We use ∈_R to denote the uniform choice of an element from a set. We further use x|_T to denote the string x = x_1, ..., x_n restricted to the bits indexed by the set T ⊆ {1, ..., n}. For convenience, we take {+, ×} instead of {0, 1} as domain of Bob's choice bit C and denote by C̄ the bit different from C.
Protocol 1 ([14]) 1-2 ROT^ℓ(C, T)
1. Alice picks X ∈_R {0, 1}^n and Θ ∈_R {+, ×}^n. Let I_b = {i | Θ_i = b} for b ∈ {+, ×}. At time t = 0, she sends σ_{X_1,Θ_1} ⊗ ... ⊗ σ_{X_n,Θ_n} to Bob.
2. Bob measures all qubits in the basis corresponding to his choice bit C ∈ {+, ×}. This yields outcome X' ∈ {0, 1}^n.
3. Alice picks two hash functions F_+, F_× ∈_R F, where F is a class of two-universal hash functions. At time t = T, she sends I_+, I_×, F_+, F_× to Bob. Alice outputs S_+ = F_+(X|_{I_+}) and S_× = F_×(X|_{I_×}) [40].
4. Bob outputs S_C = F_C(X'|_{I_C}).
A. Analysis
We first show that this protocol is secure according to Definition 1.
(i) correctness: It is clear that the protocol is correct. Bob can determine the string X|_{I_C} (the set I_C is non-empty except with negligible probability 2^{−n}) and hence obtains S_C.
(ii) security against dishonest Alice: this holds in the same way as shown in [14]. As the protocol is non-interactive, Alice never receives any information from Bob at all, and Alice's input strings can be extracted by letting her interact with an unbounded receiver.
(iii) security against dishonest Bob: Our goal is to show that there exists a C' ∈ {+, ×} such that Bob is completely ignorant about S_{C̄'}. In our model Bob's collective storage cheating strategy can be described by some super-operator $\mathcal{S} = \bigotimes_{i=1}^n \mathcal{S}_i$ that is applied on the qubits between the time they arrive at Bob's and the time T that Alice sends the classical information. We define the choice bit C' as a fixed function of S. Formally, we set C' ≡ + if $\prod_{i=1}^n P_g(X_i|\mathcal{S}_i(\sigma_+)) \ge \prod_{i=1}^n P_g(X_i|\mathcal{S}_i(\sigma_\times))$ and C' ≡ × otherwise. Due to the uncertainty relation for each S_i (from Eq. (4)) it then holds that
$$\prod_i P_g(X_i|\mathcal{S}_i(\sigma_{\bar C'})) \le \prod_i \Delta(\mathcal{S}_i) \le (\Delta_{\max})^n ,$$
where Δ_max := max_i Δ(S_i). This will be used in the proof below.
In the remainder of this section, we show that the non-uniformity δ_sec := d(S_{C̄'}|S_{C'} C' ρ_B) is negligible in n for collective attacks. Here ρ_B is the complete quantum state of Bob's lab at the end of the protocol including the classical information I_+, I_×, F_+, F_× he got from Alice and his quantum information $\bigotimes_{i=1}^n \mathcal{S}_i(\sigma_{X_i,\Theta_i})$. Expressing the non-uniformity in terms of the trace-distance allows us to observe that
$$\delta_{sec} = 2^{-n} \sum_{\theta\in\{+,\times\}^n} d(S_{\bar C'}|\Theta = \theta, S_{C'} C' \rho_B) .$$
Now, for fixed Θ = θ, it is clear from the construction that S_{C'}, C', F_{C'} and $\bigotimes_{i\in I_{C'}} \mathcal{S}_i(\sigma_{X_i,C'})$ are independent of S_{C̄'} = F_{C̄'}(X|_{I_{C̄'}}) and we can use Eq. (2). Hence, one can bound the non-uniformity as in Lemma 1, i.e. by the square-root of the probability of correctly guessing X|_{I_{C̄'}} given the state $\bigotimes_{i\in I_{\bar C'}} \mathcal{S}_i(\sigma_{X_i,\bar C'})$. Lemma 2 tells us that to guess X, Bob can measure each remaining qubit individually and hence we obtain
$$\begin{aligned}
\delta_{sec} &\le 2^{\frac{\ell}{2}-1} \cdot 2^{-n} \sum_{\theta\in\{+,\times\}^n} \sqrt{\prod_{i\in I_{\bar C'}} P_g(X_i|\mathcal{S}_i(\sigma_{\bar C'}))} \\
&\le 2^{\frac{\ell}{2}-1} \sqrt{2^{-n} \sum_{\theta\in\{+,\times\}^n} \prod_{i\in I_{\bar C'}} P_g(X_i|\mathcal{S}_i(\sigma_{\bar C'}))} \\
&= 2^{\frac{\ell}{2}-1} \sqrt{2^{-n} \prod_{i=1}^n \big(1 + P_g(X_i|\mathcal{S}_i(\sigma_{\bar C'}))\big)} ,
\end{aligned}$$
where we used the concavity of the square-root function in the last inequality. Lemma 4 together with the bound $\prod_i P_g(X_i|\mathcal{S}_i(\sigma_{\bar C'})) \le (\Delta_{\max})^n$ lets us conclude that
$$\delta_{sec} \le 2^{\frac{\ell}{2}-1} \cdot (\Delta_{\max})^{\frac{n \log(4/3)}{2}} .$$
Lemma 3 shows that for essentially any noisy superoperator Δ(S) < 1. This shows that for any collective attack there exists an n which yields arbitrarily high security.
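The following is an added example and not code from the paper: a classical simulation of Protocol 1 together with the ROT-to-OT one-time-pad conversion from Section I. It assumes that BB84 states and the Breidbart basis can be represented as real unit vectors (true for these four states), that Bob measures every qubit on arrival (so the storage channel is a measurement, the r < 1/√2 regime of the paper), and it instantiates the two-universal class F with random affine maps over GF(2) as the paper suggests. The seeded RNG is for reproducibility only.

```python
import math
import random

# BB84 states sigma_{z,b} as real unit vectors (assumption: real amplitudes suffice here)
INV_SQRT2 = 1 / math.sqrt(2)
STATES = {
    ('+', 0): (1.0, 0.0),                # |0>
    ('+', 1): (0.0, 1.0),                # |1>
    ('x', 0): (INV_SQRT2, INV_SQRT2),    # |+>
    ('x', 1): (INV_SQRT2, -INV_SQRT2),   # |->
}
C8, S8 = math.cos(math.pi / 8), math.sin(math.pi / 8)
BASES = {                                # measurement bases: (vector for outcome 0, vector for outcome 1)
    '+': ((1.0, 0.0), (0.0, 1.0)),
    'x': ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2)),
    'B': ((C8, S8), (S8, -C8)),          # Breidbart basis from Section I
}

def measure(state, basis, rng):
    """Born rule: outcome 0 with probability |<b0|state>|^2, else outcome 1."""
    b0 = BASES[basis][0]
    p0 = (state[0] * b0[0] + state[1] * b0[1]) ** 2
    return 0 if rng.random() < p0 else 1

def random_affine_hash(n, ell, rng):
    """Random affine map {0,1}^n -> {0,1}^ell over GF(2); this family is two-universal."""
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(ell)]
    b = [rng.randrange(2) for _ in range(ell)]
    def f(bits):
        assert len(bits) == n
        return [(sum(a & x for a, x in zip(row, bits)) + c) % 2 for row, c in zip(A, b)]
    return f

def run_rot(n, ell, choice, bob_basis, rng):
    """Protocol 1. bob_basis is the basis Bob measures every incoming qubit in:
    an honest Bob uses his choice bit, a cheating Bob may use 'B' (Breidbart)."""
    X = [rng.randrange(2) for _ in range(n)]                        # Step 1: Alice's bits ...
    Theta = [rng.choice('+x') for _ in range(n)]                    #         ... and bases
    Xprime = [measure(STATES[(Theta[i], X[i])], bob_basis, rng) for i in range(n)]  # Step 2
    I = {b: [i for i in range(n) if Theta[i] == b] for b in '+x'}   # Step 3: I_+, I_x
    F = {b: random_affine_hash(len(I[b]), ell, rng) for b in '+x'}  #         F_+, F_x
    S = {b: F[b]([X[i] for i in I[b]]) for b in '+x'}               #         S_+, S_x
    bob_out = F[choice]([Xprime[i] for i in I[choice]])             # Step 4: Bob's output
    return X, Xprime, S, bob_out

def rot_to_ot(S, real_inputs, choice, bob_key):
    """ROT -> OT: Alice sends real_b XOR S_b for both b; Bob unmasks only his choice."""
    masked = {b: [u ^ v for u, v in zip(real_inputs[b], S[b])] for b in '+x'}
    return [u ^ v for u, v in zip(masked[choice], bob_key)]

def honest_run(n=64, ell=16, seed=1):
    """Correctness: an honest Bob measuring in basis C obtains exactly S_C and decrypts his OT choice."""
    rng = random.Random(seed)
    X, Xprime, S, bob_out = run_rot(n, ell, 'x', 'x', rng)
    real = {b: [rng.randrange(2) for _ in range(ell)] for b in '+x'}   # Alice's true OT inputs
    return bob_out == S['x'] and rot_to_ot(S, real, 'x', bob_out) == real['x']

def breidbart_bit_agreement(n=4000, seed=2):
    """Fraction of Alice's bits that a Breidbart-measuring Bob guesses right, over both bases;
    per qubit this is cos^2(pi/8) = 1/2 + 1/(2 sqrt 2) ~ 0.854, the Delta(M) of Section I."""
    rng = random.Random(seed)
    X, Xprime, S, bob_out = run_rot(n, 8, '+', 'B', rng)
    return sum(x == xp for x, xp in zip(X, Xprime)) / n

if __name__ == "__main__":
    print("honest run correct:", honest_run())
    print("Breidbart per-bit guess rate:", round(breidbart_bit_agreement(), 3))
```

The simulation only shows the two end points of the analysis: the honest receiver recovers S_C with certainty, and a receiver who measures immediately in the Breidbart basis learns each of Alice's bits with probability about 0.854 in either basis, which is the quantity that enters Δ_max and hence the bound on δ_sec above.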
B. Example
Let us now consider the security in an explicit example:
a noisy depolarizing channel. In order to explicitly bound
∆(Si ) we should allow for intermediate strategies of Bob
in which he partially measures the incoming qubits leaving some quantum information undergoing depolarizing
noise. To model this noise we let Si = N ◦ Pi , where
Pi is any noiseless quantum operation of Bob’s choosing
from one qubit to one qubit that generates some classical output. For example, Pi could be a partial measurement providing Bob with some classical information
and a slightly disturbed quantum state, or just a unitary
operation. Let
$$\mathcal{N}(\rho) := r\rho + (1-r)\frac{I}{2}$$
be the fixed depolarizing 'quantum storage' channel that Bob cannot influence (see Figure 1).
To determine δ_sec, we have to find an uncertainty relation similar to Eq. (4) by optimizing over all possible partial measurements P_i:
$$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i)^2 = \max_{\mathcal{P}_i} P_g(X|\mathcal{S}_i(\sigma_+)) \cdot P_g(X|\mathcal{S}_i(\sigma_\times)) .$$
We solve this problem for depolarizing noise using the
symmetries inherent in our problem. In Appendix B we
prove the following.
Theorem 2 Let N be the depolarizing channel and let max_{S_i} Δ(S_i) be defined as above. Then
$$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i) = \begin{cases} \dfrac{1+r}{2} & \text{for } r \ge \tfrac{1}{\sqrt{2}}, \\[2mm] \dfrac{1}{2} + \dfrac{1}{2\sqrt{2}} & \text{for } r < \tfrac{1}{\sqrt{2}}. \end{cases}$$
FIG. 1: Bob performs a partial measurement P_i, followed by noise N, and outputs a guess bit x_g depending on his classical measurement outcome, the remaining quantum state, and the additional basis information.
Our result shows that for r < 1/√2 a direct measurement M in the Breidbart basis is the best attack Bob can perform. For this measurement, we have Δ(M) = 1/2 + 1/(2√2). If the depolarizing noise is low (r ≥ 1/√2), then our result states that the best strategy for Bob is to simply store the qubit as is.
III. PRACTICAL OBLIVIOUS TRANSFER
In this section, we prove the security of a ROT protocol
that is robust against noise for the honest parties. Our
protocol is thereby a small modification of the protocol
considered in [18]. Note that for our analysis, we have to
assume a worst-case scenario where a dishonest receiver
Bob has access to a perfect noise-free quantum channel
and only experiences noise during storage. First, we consider erasure noise (in practice corresponding to photon
loss) during preparation, transmission and measurement
of the qubits by the honest parties. Let 1 − perase be the
total probability for an honest Bob to measure and detect
a photon in the {+, ×} basis given that an honest Alice
prepares a weak pulse in her lab and sends it to him.
The probability perase is determined among others by the
mean photon number in the pulse, the loss on the channel and the quantum efficiency of the detector. In our
protocol we assume that the (honest) erasure rate perase
is independent of whether qubits were encoded or measured in the +- or ×-basis. This assumption is necessary
to guarantee the correctness and the security against a
cheating Alice only. Fortunately, this assumption is well
matched with physical capabilities.
Any other noise source during preparation, transmission and measurement can be characterized as an effective classical noisy channel resulting in the output bits
X ′ that Bob obtains at Step 3 of Protocol 2. For simplicity, we model this compound noise source as a classical binary symmetric channel acting independently on
each bit of X. Typical noise sources for polarization-encoded qubits are depolarization during transmission,
dark counts in Bob’s detector and misaligned polarizing
beam-splitters. Let the effective bit-error probability of
this binary symmetric channel be perror < 1/2.
Before engaging in the actual protocol, Alice and Bob
agree on the system parameters perase and perror similarly
to Step 1 of the protocol in [7]. Furthermore, they agree
on a family {Cn } of linear error correcting codes of length
n capable of efficiently correcting n·perror errors. For any
string x ∈ {0, 1}n , error correction is done by sending the
syndrome information syn(x) to Bob from which he can
correctly recover x if he holds an output x′ ∈ {0, 1}n
obtained by flipping each bit of x independently with
probability perror . It is known that for large enough n,
the code Cn can be chosen such that its rate is arbitrarily
close to 1 − h(perror ) and the syndrome length (the number of parity check bits) are asymptotically bounded by
|syn(x)| < h(perror )n [27], where h(perror ) is the binary
Shannon entropy. We assume the players have synchronized clocks. In each time slot, Alice sends one qubit
(laser pulse) to Bob.
Protocol 2 Noise-Protected Photonic 1-2 ROTℓ (C, T )
1. Alice picks X ∈R {0, 1}n and Θ ∈R {+, ×}n .
2. For i = 1, . . . , n: In time slot t = i, Alice sends
σXi ,Θi as a phase- or polarization-encoded weak
pulse of light to Bob.
3. In each time slot, Bob measures the incoming qubit
in the basis corresponding to his choice bit C ∈
{+, ×} and records whether he detects a photon or
not. He obtains some bit-string X ′ ∈ {0, 1}m with
m ≤ n.
4. Bob reports back to Alice in which time slots he
received a qubit. Alice restricts herself to the set of
m < n bits that Bob did not report as missing. Let
this set of qubits be Sremain with |Sremain | = m.
5. Let I_b = {i ∈ S_remain | Θ_i = b} for b ∈ {+, ×} and let m_b = |I_b|. Alice aborts the protocol if either m_+ or m_× ≤ (1 − p_erase)n/2 − O(√n). If this is not the case, Alice picks two two-universal hash functions F_+, F_× ∈_R F. At time t = n + T, Alice sends I_+, I_×, F_+, F_×, and the syndromes syn(X|_{I_+}) and syn(X|_{I_×}) according to codes of appropriate length m_b to Bob. Alice outputs S_+ = F_+(X|_{I_+}) and S_× = F_×(X|_{I_×}).
6. Bob uses syn(X|_{I_C}) to correct the errors on his output X'|_{I_C}. He obtains the corrected bit-string X_cor and outputs S'_C = F_C(X_cor).
Let us consider the security and correctness of this
modified protocol.
(i) correctness: By assumption, p_erase is independent of the basis in which Alice sent the qubits. Thus, S_remain is with high probability a random subset of m ≈ (1 − p_erase)n ± O(√n) qubits independent of the value of Θ. This implies that in Step 5 the protocol is aborted with a probability exponentially small in m, and hence in n. The codes are chosen such that Bob can decode except with negligible probability. These facts imply that if both parties are honest the protocol is correct (i.e. S_C = S'_C) with exponentially small probability of error.
(ii) security against dishonest Alice: Even though in this
scenario Bob does communicate to Alice, the information
stating which qubits were erased is (by assumption) independent of the basis in which he measured and thus of his
choice bit C. Hence Alice does not learn anything about
his choice bit C. Her input strings can be extracted as
in Protocol 1.
(iii) security against dishonest Bob: First of all, we note
that Bob can always make Alice abort the protocol by reporting back an insufficient number of received qubits. If
this is not the case, then we define C ′ as in the analysis of
Protocol 1 and we need to bound the non-uniformity δsec
as before. Let us for simplicity assume that m_b = m/2 (this is true with high probability, modulo O(√n) factors which become negligible in the security for large n) with m ≈ (1 − p_erase)n. We now follow through the same analysis, where we restrict ourselves to the set of remaining
qubits. We first follow through the same steps simplifying the non-uniformity using that the total attack superoperator S is a product of superoperators. Then we
use the bound in Lemma 1 for each θ ∈ {+, ×}n where
we now have to condition on the additional information
syn(X|IC ′ ) which is mh(perror )/2 bits long. Using Eq.
(3) and following identical steps in the remainder of the
proof implies
$$\delta_{sec} \le 2^{\frac{\ell}{2}-1+h(p_{error})\frac{m}{4}} \, (\Delta_{\max})^{\frac{m \log(4/3)}{2}} . \qquad (6)$$
From this expression it is clear that the security depends
crucially on the value of ∆max versus the binary entropy
h(perror ). The trade-off in our bound is not extremely
favorable for security as we will see.
A. Depolarizing noise
We first consider again the security tradeoff when Bob's storage is affected by depolarizing noise, and additionally the channel itself is subject to depolarizing noise. Let us assume that r < 1/√2 for the storage noise. According to Theorem 2, Bob's optimal attack is to measure each qubit individually in the Breidbart basis. In this case, our protocol is secure as long as
$$h(p_{error}) < 2 \log\Big(\frac{1}{2} + \frac{1}{2\sqrt{2}}\Big) \log(3/4) .$$
Hence, we require that p_error ≲ 0.029. This puts a strong restriction on the
noise rate of the honest protocol. Yet, since our protocols are particularly interesting at short distances (e.g.
in the case of secure identification), we can imagine very
short free-space implementations such that depolarization noise during transmission is negligible and the main
depolarization noise source is due to Bob’s honest measurements.
FIG. 2: h((1 − ar)/2)/4 + log((1 + r)/2) log(4/3)/2, where we only show the region below 0, i.e., where security can be attained.
In the near-future we may anticipate that storage is better than direct measurement when good photonic memories become available ([28, 29, 30, 31, 32, 33]).
However, we are free in our protocol to stretch the waiting time T between Bob’s reception of the qubits and his
reception of the classical basis information, say, to seconds, which means that one has to consider the overall
noise rate on a qubit that is stored for seconds. Clearly,
there is a strict tradeoff between the noise perror on the
channel experienced by the honest parties, and the noise
experienced by dishonest Bob.
For r ≥ 1/√2 (when storage is better than the Breidbart attack) we also obtain a tradeoff involving r. Suppose that the qubits in the honest protocol are also subjected to depolarizing noise at rate 1 − r_honest. The effective classical error rate for a depolarizing channel is then simply p_error = (1 − r_honest)/2. Thus we can consider when the function
$$h(p_{error})/4 + \log\Big(\frac{1+r}{2}\Big) \log(4/3)/2$$
goes below 0. If we assume that r_honest = ar ≤ 1, for some scaling factor 1 ≤ a ≤ 1/r (i.e., the honest party never has more noise than the dishonest party), we obtain a clear tradeoff between a and r depicted in Figure 2.
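As an added example (not code from the paper), the following Python evaluates the security bound of Eq. (6) explicitly in terms of the noise, which is the stated advantage of the noisy-storage model: Δ_max from Theorem 2, the per-qubit exponent, the threshold on p_error in the Breidbart regime, the number of remaining qubits m needed for a target δ_sec, and the Figure 2 quantity. It assumes that all logarithms in the bound, like the binary entropy h, are base 2, and that r is the depolarizing parameter of the storage channel N(ρ) = rρ + (1 − r)I/2; the sample parameter values in the usage lines are chosen for illustration only.

```python
import math

LOG43 = math.log2(4 / 3)                   # exponent factor appearing in Eq. (6)
BREIDBART = 0.5 + 1 / (2 * math.sqrt(2))   # Delta(M) of the Breidbart measurement
R_STAR = 1 / math.sqrt(2)                  # threshold of Theorem 2

def h(p):
    """Binary Shannon entropy (log base 2)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def delta_max(r):
    """Theorem 2: best per-qubit Delta against depolarizing storage N(rho) = r rho + (1-r) I/2.
    For r >= r* Bob stores the qubit as is, for r < r* he measures in the Breidbart basis."""
    return (1 + r) / 2 if r >= R_STAR else BREIDBART

def security_exponent(p_error, r):
    """Per-remaining-qubit exponent of Eq. (6); negative means delta_sec decays exponentially in m."""
    return h(p_error) / 4 + math.log2(delta_max(r)) * LOG43 / 2

def delta_sec_bound(ell, m, p_error, r):
    """Eq. (6): 2^{l/2 - 1 + h(p_error) m/4} * Delta_max^{m log(4/3)/2}, evaluated via log2."""
    return 2 ** (ell / 2 - 1 + security_exponent(p_error, r) * m)

def p_error_threshold(r, tol=1e-9):
    """Largest honest bit-error rate with a negative exponent (bisection; h is increasing on [0, 1/2])."""
    if security_exponent(0.0, r) >= 0:
        return 0.0
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if security_exponent(mid, r) < 0:
            lo = mid
        else:
            hi = mid
    return lo

def qubits_needed(ell, p_error, r, target):
    """Smallest number m of remaining qubits with delta_sec_bound <= target, or None if no m works."""
    e = security_exponent(p_error, r)
    if e >= 0:
        return None
    return math.ceil((math.log2(target) - ell / 2 + 1) / e)

def fig2_exponent(a, r):
    """Figure 2 quantity (for r >= r*): honest depolarizing r_honest = a r, so p_error = (1 - a r)/2."""
    return h((1 - a * r) / 2) / 4 + math.log2((1 + r) / 2) * LOG43 / 2

if __name__ == "__main__":
    print("Breidbart-regime threshold on p_error:", round(p_error_threshold(0.5), 4))
    print("remaining qubits for l=10, p_error=0, delta_sec<=2^-20:", qubits_needed(10, 0.0, 0.5, 2 ** -20))
    print("Fig. 2 exponent at a=1.0, r=0.9:", round(fig2_exponent(1.0, 0.9), 4))
    print("Fig. 2 exponent at a=1.1, r=0.9:", round(fig2_exponent(1.1, 0.9), 4))
```

Two things the numbers make visible: in the Breidbart regime the threshold on the honest error rate comes out at about 0.029 as stated above, and in the Figure 2 regime a dishonest Bob with r = 0.9 is only defeated if the honest parties' own depolarization is noticeably smaller than his (a > 1 by a margin), which is the "not extremely favorable" trade-off the text warns about.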
B. Other Attacks
In a practical setting, other attacks may be possible
which are not captured by the model we used when analyzing depolarizing noise. For example, attacks that
relate to the protocol being implemented with weak coherent states. We discuss the effect of such practical
problems in this section, but do not claim to prove security of the practical protocol in full generality. Instead,
we merely discuss several practical attacks that a dishonest Bob may mount.
Let us consider the security threat that comes from
using coherent weak laser pulses. For a mean photon
number µ, the probability to have more than one photon in the beam is P (k > 1) ≈ µ/2 [16], where k is the
number of photons and P(k) is the probability of k photons in the beam with mean photon number μ. In principle, this implies that Bob can measure in both bases with probability μ/2 (and he knows when this occurs). If with remaining probability 1 − μ/2 he is able to do a measurement in the Breidbart basis, then for such an attack we have
$$\Delta_{bm} = \frac{\mu}{2} + \Big(1 - \frac{\mu}{2}\Big)\Big(\frac{1}{2} + \frac{1}{2\sqrt{2}}\Big) = \frac{1}{2} + \frac{1}{2\sqrt{2}} + \frac{\mu\,(1 - 1/\sqrt{2})}{4} .$$
Another attack is the following. Upon reception of
his qubits Bob tries to beam-split each incoming pulse
and measure the outgoing modes in both bases. In
case he does not succeed he would like to declare erasures. In Step 5 of the protocol Alice aborts the protocol when Bob declares too many erasures: in principle, this can prevent Bob from making the protocol completely unsafe with this attack. Such a beam-splitting
attack does however put another constraint on the region of error rates where one can have security using
Eq. (6). Let us sketch the security bound for this particular attack. Among the m = (1 − perase )n remaining
time slots, Bob will have P (k > 1)pbeamsplit n ≈ nµ/4
slots where he gets two or more photons and measures
them successfully in both bases (assuming perfect detector efficiency), where pbeamsplit = 1/2. For these slots,
∆ = 1 so they do not enter the security bound. For
the n(1 − perase − µ/4) remaining time slots, he is in a
situation similar to before. Let us assume that the erasure rate perase ≈ P (k = 0) + P (k ≥ 1)pnodetect where
pnodetect is the probability that Bob does not detect a
photon with his devices. Since the probability of emitting a very large number of photons is small, we approximate the true value by letting pnodetect be independent
of k. We have P (0) = e−µ ≈ 1 − µ for small µ and thus
n((1 − perase ) − µ/4) = nµ(pdetect − 1/4). In principle,
this leads to a bound as in Eq. (6). However, security
remains to be analyzed rigorously, and one needs to determine Bob’s optimal cheating strategy. If single photon
sources were used, such attacks could be excluded.
In our analysis, we assumed that Alice and Bob can reliably establish a bound on $p_{\rm erase}$. However, $p_{\rm erase}$ may contain a sizable contribution from the quantum efficiency of the detectors used by Bob, and a dishonest receiver may cheat by using better detectors than he reports to Alice during the error estimation process. For example, in the extreme case he could convince Alice that his devices are so bad that of the $n$ inputs he can detect a photon only in $\mu n/4$ cases. If instead he has perfect devices and measures two photons successfully in both bases $\mu n/4$ times, he has made the protocol completely insecure. Thus we assume in our protocol that Alice can establish a reliable and reasonable lower bound on $p_{\rm erase}$.
For current and near-future implementations we note the following important practical limitation on Bob's attacks. Since a photon measurement is destructive with current technology, Bob cannot store his qubits while at the same time reporting correctly which ones were erased. So if Bob wants to store his qubits, he has to guess which qubits were erased. This implies that among the qubits in the set $I_b$ approximately $p_{\rm erase} m_b$ are in fact erased. For an erasure channel with rate $p_{\rm erase}$ it is simple to show that $\Delta(S_{\rm erase}) = 1 - p_{\rm erase}/2$. Since erasure rates can easily be high (due to small $\mu$ and other sources of photon loss), say of order $O(10^{-1})$, this limits the threat of a storage attack in the current technology setting.
C. Fault-tolerant computation
Let us discuss the long-term security when fault-tolerant photonic computation becomes available (with the KLM scheme [34], for example). In such a scenario dishonest Bob can encode the incoming quantum information into a fault-tolerant quantum memory. This implies that in storage, the effective noise rate can be made arbitrarily small. However, the encoding of a single unknown state is not a fault-tolerant quantum operation: already the encoding process introduces errors whose rates cannot be made arbitrarily small with increasing effort. Hence, even in the presence of a quantum computer, there is a residual storage noise rate due to the unprotected encoding operation. The question of security then becomes a question of the trade-off between this residual noise rate and the intrinsic noise rate. Our current security bound is, however, too weak to show security in such a scenario.
IV. CONCLUSION
We have determined security bounds for a perfect and a practical ROT protocol given collective storage attacks by Bob. Ideally, we would like to be able to show security against general coherent noisy attacks. The problem with analyzing a coherent attack by Bob, described by some super-operator $S$ affecting all his incoming qubits, is not merely a technical one: one first needs to determine a realistic noise model in this setting. It may be possible, using de Finetti theorems as in the proof of QKD [24], to prove for a symmetrized version of our protocol that any coherent attack by Bob is equivalent to a collective attack. One can in fact analyze a specific type of coherent noise, one that essentially corresponds to an eavesdropping attack in QKD. Note that the 1-2 OT protocol can be seen as two runs of QKD interleaved with each other. The strings $f(x|_{I_+})$ and $f(x|_{I_\times})$ are then the two keys generated. The noise must be such that it leaves Bob with exactly the same information as the eavesdropper Eve in QKD. In this case, it follows from the security of QKD that the dishonest Bob (learning exactly the same information as the eavesdropper Eve) does not learn anything about the two keys.
It is an important open question whether it is possible to derive security bounds (or find a better OT protocol) which give better trade-offs between noise in the honest protocol and noise induced by dishonest Bob. Finally, it remains to address composability of the protocol within our model, which has already been considered for the bounded-quantum-storage model [35].
Acknowledgments
We thank Charles Bennett, David DiVincenzo, Renato Renner and Falk Unger for interesting discussions and Ronald de Wolf for suggestions regarding Lemma 4. We are especially grateful to Hoi-Kwong Lo for bringing up attacks that relate to the use of weak laser pulses in the practical OT protocol. This work was completed while SW was a PhD student at CWI, Amsterdam, Netherlands. CS and SW were supported by EU fifth framework project QAP IST 015848 and the NWO VICI project 2004-2009. BMT acknowledges support by DTO through ARO contract number W911NF-04-C-0098. SW thanks IBM Watson and BMT thanks the Instituut Lorentz in Leiden for their kind hospitality. At both locations part of this work was completed.
[1] J. Kilian, in Proceedings of 20th ACM STOC (1988), pp. 20–31.
[2] C. Crépeau, J. van de Graaf, and A. Tapp, in CRYPTO '95: Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology (Springer-Verlag, 1995), pp. 110–123.
[3] S. Wiesner, Sigact News 15 (1983).
[4] M. Rabin, Tech. Rep. TR-81, Aiken Computer Laboratory, Harvard University (1981).
[5] S. Even, O. Goldreich, and A. Lempel, Communications of the ACM 28, 637 (1985).
[6] C. Crépeau, Journal of Modern Optics 41, 2455 (1994).
[7] C. H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska, in CRYPTO '91: Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology (Springer-Verlag, 1992), pp. 351–366.
[8] H.-K. Lo, Physical Review A 56, 1154 (1997), quant-ph/9611031.
[9] D. Mayers (1996), quant-ph/9603015.
[10] H.-K. Lo and H. F. Chau, Physical Review Letters 78, 3410 (1997), quant-ph/9603004.
[11] D. Mayers, Physical Review Letters 78, 3414 (1997), quant-ph/9605044.
[12] H.-K. Lo and H. Chau, in Proceedings of PhysComp96 (1996), quant-ph/9605026.
[13] I. Damgaard, S. Fehr, L. Salvail, and C. Schaffner, in Proceedings of 46th IEEE FOCS (2005), pp. 449–458.
[14] I. B. Damgård, S. Fehr, R. Renner, L. Salvail, and C. Schaffner, in Advances in Cryptology—CRYPTO '07 (Springer-Verlag, 2007), vol. 4622 of Lecture Notes in Computer Science, pp. 360–378, quant-ph/0612014.
[15] C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (1984), pp. 175–179.
[16] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Reviews of Modern Physics 74, 145 (2002).
[17] I. Damgaard, S. Fehr, L. Salvail, and C. Schaffner, LNCS 4622, 342 (2007), arXiv:0708.2557.
[18] C. Schaffner, Ph.D. thesis, University of Aarhus (2007), http://arxiv.org/abs/0709.0289.
[19] I. B. Damgård, S. Fehr, L. Salvail, and C. Schaffner, special issue of SIAM Journal of Computing (2008), to appear.
[20] C. Crépeau and J. Kilian, in Proceedings of 29th IEEE FOCS (1988).
[21] C. Crépeau, K. Morozov, and S. Wolf, in International Conference on Security in Communication Networks (SCN) (2004), vol. 4 of Lecture Notes in Computer Science.
[22] L. Salvail, in Proceedings of CRYPTO '98 (1998), vol. 1462 of Lecture Notes in Computer Science, pp. 338–353.
[23] J. L. Carter and M. N. Wegman, Journal of Computer and System Sciences 18, 143 (1979).
[24] R. Renner, Ph.D. thesis, ETH Zurich (2005), quant-ph/0512258.
[25] R. Renner and R. König, in Proceedings of TCC 2005 (Springer, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 407–425.
[26] H. Buhrman, M. Christandl, P. Hayden, H.-K. Lo, and S. Wehner, Physical Review Letters 97, 250501 (2006), quant-ph/0609237.
[27] C. Crépeau, in Advances in Cryptology – Proceedings of EUROCRYPT '97 (1997).
[28] B. Julsgaard, J. Sherson, J. I. Cirac, J. Fiurasek, and E. S. Polzik, Nature 432, 482 (2004).
[29] A. D. Boozer, A. Boca, R. Miller, T. E. Northup, and H. J. Kimble, Reversible state transfer between light and a single trapped atom (2007), quant-ph/0702248.
[30] T. Chanelière, D. Matsukevich, S. Jenkins, S.-Y. Lan, T. Kennedy, and A. Kuzmich, Nature 438, 833 (2005).
[31] M. Eisaman, A. André, F. Massou, M. Fleischauer, A. Zibrov, and M. D. Lukin, Nature 438, 837 (2005).
[32] W. Rosenfeld, S. Berner, J. Volz, M. Weber, and H. Weinfurter, Physical Review Letters 98, 0505004 (2007).
[33] T. B. Pittman and J. D. Franson, Phys. Rev. A 66, 062302 (2002).
[34] E. Knill, R. Laflamme, and G. Milburn, Nature 409, 46 (2001), http://arxiv.org/abs/quant-ph/0006088.
[35] S. Wehner and J. Wullschleger (2007), arXiv:0709.0492.
[36] L. Vandenberghe and S. Boyd, SIAM Review 38, 49 (1996).
[37] C. W. Helstrom, Information and Control 10, 254 (1967).
[38] M. Hayashi, Quantum Information - An Introduction (Springer, 2006).
[39] R. A. Horn and C. R. Johnson, Matrix Analysis (Cambridge University Press, 1985).
[40] If $X|_{I_b}$ is less than $n$ bits long, Alice pads the string $X|_{I_b}$ with 0's to get an $n$-bit string in order to apply the hash function to $n$ bits.
APPENDIX A: TOOLS
In this appendix, we prove the lemmas used in the main text. The statements are reproduced for convenience.

Lemma 2 Let $\rho_{XE}$ be a cq-state with uniformly distributed $X \in \{0,1\}^n$ and $\rho_E^x = \rho_{E_1}^{x_1} \otimes \ldots \otimes \rho_{E_n}^{x_n}$. Then the maximum probability of guessing $x$ given state $\rho_E$ is $P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by measuring each register separately.

Proof. For simplicity, we will assume that each bit is encoded using the same states $\rho_0 = \rho_{E_i}^0$ and $\rho_1 = \rho_{E_i}^1$. The argument for different encodings is analogous, but harder to read. First of all, note that we can phrase the problem of finding the optimal probability of distinguishing two states as a semi-definite program (SDP)
$$\begin{aligned} \text{maximize} \quad & \tfrac{1}{2}\left(\mathrm{Tr}(M_0 \rho_0) + \mathrm{Tr}(M_1 \rho_1)\right) \\ \text{subject to} \quad & M_0, M_1 \geq 0 \\ & M_0 + M_1 = I \end{aligned}$$
with the dual program
$$\begin{aligned} \text{minimize} \quad & \tfrac{1}{2}\mathrm{Tr}(Q) \\ \text{subject to} \quad & Q \geq \rho_0 \\ & Q \geq \rho_1. \end{aligned}$$
Let $p^*$ and $d^*$ denote the optimal values of the primal and dual respectively. From the weak duality of SDPs, we have $p^* \leq d^*$. Indeed, since $M_0 = M_1 = I/2$ are feasible solutions, we even have strong duality: $p^* = d^*$ [36]. Of course, the problem of determining the entire string $x$ from $\hat\rho_x := \rho_E^x$ can also be phrased as an SDP:
$$\begin{aligned} \text{maximize} \quad & \tfrac{1}{2^n}\sum_{x \in \{0,1\}^n} \mathrm{Tr}(M_x \hat\rho_x) \\ \text{subject to} \quad & \forall x,\ M_x \geq 0 \\ & \sum_{x \in \{0,1\}^n} M_x = I \end{aligned}$$
with the corresponding dual
$$\begin{aligned} \text{minimize} \quad & \tfrac{1}{2^n}\mathrm{Tr}(\hat Q) \\ \text{subject to} \quad & \forall x,\ \hat Q \geq \hat\rho_x. \end{aligned} \qquad (A2)$$
Let $\hat p^*$ and $\hat d^*$ denote the optimal values of this new primal and dual respectively. Again, $\hat p^* = \hat d^*$. Note that when trying to learn the entire string $x$, we are of course free to measure each register individually and thus $(p^*)^n \leq \hat p^*$. We now show that $\hat d^* \leq (d^*)^n$ by constructing a dual solution $\hat Q$ from the optimal solution to the dual of the single-register case, $Q_*$: take $\hat Q = Q_*^{\otimes n}$. Since $Q_* \geq \rho_0$ and $Q_* \geq \rho_1$ it follows that $\forall x,\ Q_*^{\otimes n} \geq \hat\rho_x$. Thus $\hat Q$ satisfies the dual constraints. Clearly, $2^{-n}\mathrm{Tr}(\hat Q) = (2^{-1}\mathrm{Tr}(Q_*))^n$ and thus we have $\hat d^* \leq (d^*)^n$ as promised. But from $(p^*)^n \leq \hat p^*$, $\hat p^* = \hat d^*$, and $p^* = d^*$ we immediately have $\hat p^* = (p^*)^n$. ✷

Lemma 3 The only superoperators $S : \mathbb{C}^2 \to \mathbb{C}^k$ for which
$$P_g(X|S(\sigma_+)) \cdot P_g(X|S(\sigma_\times)) = 1, \qquad (A1)$$
are reversible.

Proof. Using Helstrom's formula [37] we have that $P_g(Z|S(\sigma_b)) = \frac12\big[1 + \|S(\sigma_{0,b}) - S(\sigma_{1,b})\|_{\rm tr}/2\big]$ and thus for $\Delta(S) = 1$ we need that for both $b \in \{\times, +\}$, $\|S(\sigma_{0,b}) - S(\sigma_{1,b})\|_{\rm tr}/2 = 1$. This implies that $S(\sigma_{0,b})$ and $S(\sigma_{1,b})$ are states which have support on orthogonal subspaces for both $b$. Let $S(\sigma_{0,+}) = \sum_k p_k |\psi_k\rangle\langle\psi_k|$ and $S(\sigma_{1,+}) = \sum_k q_k |\psi_k^\perp\rangle\langle\psi_k^\perp|$, where for all $k, l$, $\langle\psi_k^\perp|\psi_l\rangle = 0$. Consider the purification of $S(\sigma_{i,b})$ using an ancillary system, i.e. $|\phi_{i,b}\rangle = U_S|i\rangle_b|0\rangle$. We can write
$$|\phi_{0,+}\rangle = \sum_k \sqrt{p_k}\,|\psi_k, k\rangle \quad\text{and}\quad |\phi_{1,+}\rangle = \sum_k \sqrt{q_k}\,|\psi_k^\perp, k\rangle.$$
Hence $U_S|0\rangle_\times|0\rangle = \frac{1}{\sqrt2}(|\phi_{0,+}\rangle + |\phi_{1,+}\rangle)$ and similarly for $U_S|1\rangle_\times|0\rangle$. So we can write
$$\|S(\sigma_{0,\times}) - S(\sigma_{1,\times})\|_{\rm tr} = \Big\|\sum_k \sqrt{p_k q_k}\,\big(|\psi_k\rangle\langle\psi_k^\perp| + |\psi_k^\perp\rangle\langle\psi_k|\big)\Big\|_{\rm tr} \leq 2\sum_k \sqrt{p_k q_k}.$$
For this quantity to be equal to 2 we observe that it is necessary that $p_k = q_k$. Thus we set $p_k = q_k$. Then we observe that if any of the states $|\psi_k\rangle$ (or $|\psi_k^\perp\rangle$) are non-orthogonal, i.e. $|\langle\psi_k|\psi_l\rangle| > 0$, then the quantity $\big\|\sum_k p_k(|\psi_k\rangle\langle\psi_k^\perp| + |\psi_k^\perp\rangle\langle\psi_k|)\big\|_{\rm tr} < 2$.

Let $S_k$ be the two-dimensional subspace spanned by the orthogonal vectors $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$. By the arguments above, the spaces $S_k$ are mutually orthogonal. We can reverse the super-operator $S$ by first projecting the output onto one of the orthogonal subspaces $S_k$ and then applying a unitary operator $U_k$ that maps $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$ onto the states $|0\rangle$ and $|1\rangle$. ✷

Lemma 4 For any $\tfrac12 \leq p_i \leq 1$ with $\prod_{i=1}^n p_i \leq p^n$, we have
$$\frac{1}{2^n}\prod_{i=1}^n (1 + p_i) \leq p^{\log(4/3)\, n}.$$

Proof. With $\lambda := \log(4/3)$, it is easy to verify that $p_i^{-\lambda} + p_i^{1-\lambda} \leq 2$ for $1/2 \leq p_i \leq 1$ and therefore,
$$\frac{1}{2^n}\prod_{i=1}^n (1 + p_i) = \frac{1}{2^n}\prod_{i=1}^n p_i^{\lambda}\left(p_i^{-\lambda} + p_i^{1-\lambda}\right) \leq \frac{1}{2^n}\cdot p^{\lambda n}\cdot 2^n.$$
✷

APPENDIX B: DEPOLARIZING NOISE
We now evaluate $\max_S \Delta(S)^2$ for depolarizing noise. Recall that to determine this quantity, we have to find an uncertainty relation, Eq. (4), by optimizing over all possible partial measurements $P$ as depicted in Figure 1:
$$\Delta^2 := \max_S \Delta(S)^2 = \max_P P_g(X|S(\sigma_+)) \cdot P_g(X|S(\sigma_\times)),$$
where $S$ acts on a single qubit, but we drop the index $i$ to improve readability. For our analysis, it is convenient to think of $P$ as a partial measurement of the incoming qubit. Note that this corresponds to letting Bob perform an arbitrary CPTP map from the space of the incoming qubit to the space carrying the stored qubit. Furthermore, it is convenient to consider maximizing the sum instead of the product of guessing probabilities
$$\Gamma = \max_P P_g(X|S(\sigma_+)) + P_g(X|S(\sigma_\times)).$$
This immediately gives us the bound $\Delta \leq \Gamma/2$. In the following, we will use the shorthand
$$p_+ = P_g(X|S(\sigma_+)), \qquad p_\times = P_g(X|S(\sigma_\times))$$
for the probabilities that Bob correctly decodes the bit after Alice has announced the basis information.

Any intermediate measurement $P$ that Bob may perform can be characterized by a set of measurement operators $\{F_k\}$ such that $\sum_k F_k^\dagger F_k = I$. Let the post-measurement state when Bob measures $\sigma_{i,b}$ and obtains outcome $k$ be $\tilde\sigma_{i,b}^k$.

The probability that Bob succeeds in decoding the bit after the announcement of the basis is given by the average of the probabilities (over all outcomes $k$) that, conditioned on having obtained outcome $k$, he correctly decodes the bit. That is, for $b \in \{+, \times\}$
$$\begin{aligned} p_b &= \sum_k p_{k|b}\left(\frac12 + \frac14\left\| p_{0|kb}\, N(\tilde\sigma_{0,b}^k) - p_{1|kb}\, N(\tilde\sigma_{1,b}^k)\right\|_{\rm tr}\right) \\ &= \frac12 + \frac14 \sum_k p_{k|b}\left\| r\left(p_{0|kb}\,\tilde\sigma_{0,b}^k - p_{1|kb}\,\tilde\sigma_{1,b}^k\right) + (1-r)\left(p_{0|kb} - p_{1|kb}\right) I/2 \right\|_{\rm tr}, \end{aligned} \qquad (B1)$$
where
$$p_{k|b} = \mathrm{Tr}\big(F_k(\sigma_{0,b} + \sigma_{1,b})F_k^\dagger\big)/2 = \mathrm{Tr}\Big(F_k \frac{\sigma_{0,b}+\sigma_{1,b}}{2} F_k^\dagger\Big) = \frac12 \mathrm{Tr}(F_k F_k^\dagger)$$
is the probability of obtaining measurement outcome $k$ conditioned on the basis being $b$ (and we even see from the above that it is actually independent of $b$), $\tilde\sigma_{0,b}^k = F_k \sigma_{0,b} F_k^\dagger / p_{k|0b}$ is the post-measurement state for outcome $k$, and $p_{0|kb}$ is the probability that we are given this state. Definitions are analogous for the bit 1.

We now show that Bob's optimal strategy is to measure in the Breidbart basis for $r < 1/\sqrt2$, and to simply store the qubit for $r \geq 1/\sqrt2$. This then immediately allows us to evaluate $\Delta$. To prove our result, we proceed in three steps: First, we simplify our problem considerably until we are left with a single Hermitian measurement operator over which we need to maximize. Second, we show that the optimal measurement operator is diagonal in the Breidbart basis. And finally, we show that depending on the amount of noise, this measurement operator is either proportional to the identity or proportional to a rank-one projector. Our individual claims are indeed very intuitive.
For any measurement $M = \{F_k\}$, let $B(M) = p_+^M + p_\times^M$ for the measurement $M$, where $p_+^M$ and $p_\times^M$ are the success probabilities as in Eq. (B1), but restricted to using the measurement $M$. First of all, note that we can easily combine two measurements. Intuitively, the following statement says that if we choose one measurement with probability $\alpha$ and the other with probability $\beta$, our average success probability will be the average of the success probabilities obtained via the individual measurements:

Claim 1 Let $M_1 = \{F_k^1\}$ and $M_2 = \{F_k^2\}$ be two measurements. Then $B(\alpha M_1 + \beta M_2) = \alpha B(M_1) + \beta B(M_2)$, where $\alpha M_1 + \beta M_2 := \{\sqrt\alpha\, F_k^1\} \cup \{\sqrt\beta\, F_k^2\}$ for $\alpha, \beta \geq 0$ and $\alpha + \beta = 1$.

Proof. Let $F = \{F_k\}_{k=1}^f$ and $G = \{G_k\}_{k=1}^g$ be measurements, $0 \leq \alpha \leq 1$ and $M := \{\sqrt\alpha\, F_k\}_{k=1}^f \cup \{\sqrt{1-\alpha}\, G_k\}_{k=f+1}^{f+g}$ be the measurement $F$ with probability $\alpha$ and measurement $G$ with probability $1-\alpha$. We denote by $p^F_\cdot, p^G_\cdot, p^M_\cdot$ the probabilities corresponding to measurements $F, G, M$ respectively. Observe that for $1 \leq k \leq f$, $p^M_{k|b} = \frac12\mathrm{Tr}(\alpha F_k F_k^\dagger) = \alpha p^F_{k|b}$ and analogously for $f+1 \leq k \leq f+g$, we have $p^M_{k|b} = (1-\alpha)p^G_{k|b}$. We observe furthermore that for $1 \leq k \leq f$ and $x \in \{0,1\}$, $\alpha$ cancels out by the normalization,
$$\tilde\sigma^{k,M}_{x,b} = \frac{\alpha F_k \sigma_{x,b} F_k^\dagger}{p^M_{k|xb}} = \frac{F_k \sigma_{x,b} F_k^\dagger}{p^F_{k|xb}} = \tilde\sigma^{k,F}_{x,b}$$
and similarly for $f+1 \leq k \leq f+g$. Finally, we can convince ourselves that $p^M_{x|kb} = p^F_{x|kb} = p^G_{x|(k-f)b}$, as the probability to be given state $\tilde\sigma^k_{0,b}$ is the same when the measurement outcome and the basis are fixed. Putting everything together, we obtain
$$\begin{aligned} p_b^M &= \sum_{k=1}^{f+g} p^M_{k|b}\left(\frac12 + \frac14\left\|p^M_{0|kb}N(\tilde\sigma^{k,M}_{0,b}) - p^M_{1|kb}N(\tilde\sigma^{k,M}_{1,b})\right\|_{\rm tr}\right) \\ &= \sum_{k=1}^{f} \alpha p^F_{k|b}\left(\frac12 + \frac14\left\|p^F_{0|kb}N(\tilde\sigma^{k,F}_{0,b}) - p^F_{1|kb}N(\tilde\sigma^{k,F}_{1,b})\right\|_{\rm tr}\right) \\ &\quad + \sum_{k=f+1}^{f+g} (1-\alpha)p^G_{k|b}\left(\frac12 + \frac14\left\|p^G_{0|kb}N(\tilde\sigma^{k,G}_{0,b}) - p^G_{1|kb}N(\tilde\sigma^{k,G}_{1,b})\right\|_{\rm tr}\right) \\ &= \alpha p^F_b + (1-\alpha)p^G_b. \end{aligned}$$
✷
We can now make a series of observations.

Claim 2 Let $M = \{F_k\}$ and $G = \{I, X, Z, XZ\}$. Then for all $g \in G$ we have $B(M) = B(gMg^\dagger)$.

Proof. This claim follows immediately from the fact that for the trace norm we have $\|UAU^\dagger\|_{\rm tr} = \|A\|_{\rm tr}$ for all unitaries $U$, and by noting that for all $g \in G$, $g$ can at most exchange the roles of 0 and 1. That is, we can perform a bit flip before the measurement which we can correct for afterwards by applying classical post-processing: we have for all $g \in G$ that
$$p_{k|b}\left\| p_{0|kb}\, N\!\left(\frac{F_k g\sigma_{0,b}g^\dagger F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\, N\!\left(\frac{F_k g\sigma_{1,b}g^\dagger F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr} = p_{k'|b}\left\| p_{0|kb}\, N\!\left(\frac{F_k \sigma_{0,b} F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\, N\!\left(\frac{F_k \sigma_{1,b} F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr}.$$
✷

It also follows that

Corollary 1 For all $k$ we have for all $b \in \{+,\times\}$ and $g \in G$ that
$$\left\| p_{0|kb}\, N\!\left(\frac{F_k\sigma_{0,b}F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\, N\!\left(\frac{F_k\sigma_{1,b}F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr} = \left\| p_{0|kb}\, N\!\left(\frac{F_k g\sigma_{0,b}g^\dagger F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\, N\!\left(\frac{F_k g\sigma_{1,b}g^\dagger F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr}.$$

Proof. This follows from the proof of Claim 2. ✷

Claim 3 Let $G = \{I, X, Z, XZ\}$. There exists a measurement operator $F$ such that the maximum of $B(M)$ over all measurements $M$ is achieved by a measurement proportional to $\{gFg^\dagger \mid g \in G\}$.

Proof. Let $M = \{F_k\}$ be a measurement. Let $K = |M|$ be the number of measurement operators. Clearly, $\hat M = \{\hat F_{g,k}\}$ with
$$\hat F_{g,k} = \frac{1}{2}\, g F_k g^\dagger,$$
is also a quantum measurement since $\sum_{g,k} \hat F_{g,k}^\dagger \hat F_{g,k} = I$. It follows from Claims 1 and 2 that $B(M) = B(\hat M)$. Define operators
$$N_{g,k} = \frac{1}{\sqrt{2\,\mathrm{Tr}(F_k^\dagger F_k)}}\, g F_k g^\dagger.$$
Note that
$$\sum_{g \in G} N_{g,k}^\dagger N_{g,k} = \frac{1}{2\,\mathrm{Tr}(F_k^\dagger F_k)} \sum_{u,v \in \{0,1\}} X^u Z^v F_k^\dagger F_k Z^v X^u = I$$
(see for example Hayashi [38]). Hence $M_k = \{N_{g,k}\}$ is a valid quantum measurement. Now, note that $\hat M$ can be obtained from $M_1, \ldots, M_K$ by averaging. Hence, by Claim 1 we have
$$B(M) = B(\hat M) \leq \max_k B(M_k).$$
Let $M^*$ be the optimal measurement. Clearly, $m = B(M^*) \leq \max_k B(M_k^*) \leq m$ by the above and Corollary 1, from which our claim follows. ✷

Note that Claim 3 also gives us that we have at most 4 measurement operators. Wlog, we will take the measurement outcomes to be labeled 1, 2, 3, 4. Finally, we note that we can restrict ourselves to optimizing over positive-semidefinite (and hence Hermitian) matrices only.

Claim 4 Let $F$ be a measurement operator, and let
$$g(F) := 1 + \sum_{b,k} p_{k|b}\left\|p_{0|b}\, N(\tilde\sigma_{0,b}) - p_{1|b}\, N(\tilde\sigma_{1,b})\right\|_{\rm tr}$$
with $\tilde\sigma_{0,b} = F\sigma_{0,b}F^\dagger/\mathrm{Tr}(F\sigma_{0,b}F^\dagger)$ and $\tilde\sigma_{1,b} = F\sigma_{1,b}F^\dagger/\mathrm{Tr}(F\sigma_{1,b}F^\dagger)$. Then there exists a Hermitian operator $\hat F$ such that $g(F) = g(\hat F)$.

Proof. Let $F^\dagger = \hat F U$ be the polar decomposition of $F^\dagger$, where $\hat F$ is positive semidefinite and $U$ is unitary [39, Corollary 7.3.3]. Evidently, since the trace is cyclic, all probabilities remain the same. It follows immediately from the definition of the trace norm that $\|UAU^\dagger\|_{\rm tr} = \|A\|_{\rm tr}$ for all unitaries $U$, which completes our proof. ✷

To summarize, our optimization problem can now be simplified to
$$\begin{aligned} \max_M B(M) = \max_M p_+^M + p_\times^M &\leq \max_F\ 1 + \sum_{b,k} p_{k|b}\left\|p_{0|b}\, N(\tilde\sigma_{0,b}) - p_{1|b}\, N(\tilde\sigma_{1,b})\right\|_{\rm tr} \\ &= \max_F\ 1 + 2\sum_b \left\| r\big(F(\sigma_{0,b} - \sigma_{1,b})F\big) + (1-r)\,\mathrm{Tr}\big(F(\sigma_{0,b}-\sigma_{1,b})F\big)\frac{I}{2}\right\|_{\rm tr}, \end{aligned}$$
where the maximization is now taken over a single operator $F$, and we have used the fact that we can write $p_{0|kb} = p_{k|0b}/(2p_{k|b})$ and we have 4 measurement operators.

1. F is diagonal in the Breidbart basis

Now that we have simplified our problem already considerably, we are ready to perform the actual optimization. Since we are in $d = 2$ and $F$ is Hermitian, we may express $F$ as
$$F = \alpha|\phi\rangle\langle\phi| + \beta|\phi^\perp\rangle\langle\phi^\perp|,$$
for some state $|\phi\rangle$ and real numbers $\alpha, \beta$. We first of all note that from $\sum_k F_k F_k^\dagger = I$, we obtain that
$$\mathrm{Tr}\Big(\sum_k F_k F_k^\dagger\Big) = \sum_k \mathrm{Tr}(F_k F_k^\dagger) = \sum_{g \in \{I,X,Z,XZ\}} \mathrm{Tr}(gFg^\dagger gFg^\dagger) = 4\,\mathrm{Tr}(FF) = \mathrm{Tr}(I) = 2,$$
and hence $\mathrm{Tr}(FF) = \alpha^2 + \beta^2 = 1/2$. Furthermore, using that $|\phi\rangle\langle\phi| + |\phi^\perp\rangle\langle\phi^\perp| = I$ we then have
$$F = \beta I + (\alpha - \beta)|\phi\rangle\langle\phi|, \qquad (B2)$$
with $\beta = \sqrt{1/2 - \alpha^2}$. Our first goal is now to show that $|\phi\rangle$ is a Breidbart vector (or the bit-flipped version thereof). To this end, we first formalize our intuition that we may take $|\phi\rangle$ to lie in the $XZ$ plane of the Bloch sphere only. Since we are only interested in the trace-distance term of $B(M)$, we restrict ourselves to considering
$$C(F) := \sum_b \left\| r\big(F(\sigma_{0,b} - \sigma_{1,b})F\big) + (1-r)\,\mathrm{Tr}\big(F(\sigma_{0,b} - \sigma_{1,b})F\big)\frac{I}{2}\right\|_{\rm tr}.$$

Claim 5 Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (B2). Then $|\phi\rangle$ lies in the $XZ$ plane of the Bloch sphere (i.e. $\mathrm{Tr}(FY) = 0$).

Proof. We first parametrize the state in terms of its Bloch vector:
$$|\phi\rangle\langle\phi| = \frac{I + xX + yY + zZ}{2}.$$
Since $|\phi\rangle$ is pure we can write $y = \sqrt{1 - x^2 - z^2}$. Hence, we can express $F$ as
$$F = \frac12\big((\alpha+\beta)I + (\alpha-\beta)(xX + yY + zZ)\big).$$
Noting that $\sigma_{0,+} - \sigma_{1,+} = Z$ and $\sigma_{0,\times} - \sigma_{1,\times} = X$ we can compute for the computational basis
$$\begin{aligned} P &:= r(FZF) + (1-r)\,\mathrm{Tr}(FZF)\frac{I}{2} \\ &= \frac12\Big(2\alpha^2 - \frac12\Big) z\, I + \frac{r}{2}\Big((\alpha-\beta)^2 xz\, X + (\alpha-\beta)^2 yz\, Y + \big((\alpha-\beta)^2 z^2 + 2\alpha\beta\big) Z\Big), \end{aligned}$$
and for the Hadamard basis:
$$\begin{aligned} T &:= r(FXF) + (1-r)\,\mathrm{Tr}(FXF)\frac{I}{2} \\ &= \frac12\Big(2\alpha^2 - \frac12\Big) x\, I + \frac{r}{2}\Big(\big((\alpha-\beta)^2 x^2 + 2\alpha\beta\big) X + (\alpha-\beta)^2 xy\, Y + (\alpha-\beta)^2 xz\, Z\Big). \end{aligned}$$
Note that $\|P\|_{\rm tr} = \sum_j |\lambda_j(P)|$, where $\lambda_j$ is the $j$-th eigenvalue of $P$. A lengthy computation (using Mathematica), plugging in $\beta = \sqrt{1/2 - \alpha^2}$ and $y = \sqrt{1 - x^2 - z^2}$, shows that we have
$$\begin{aligned} \lambda_1(P) &= \frac14\Big[(4\alpha^2 - 1)z - r\sqrt{z^2 + 8\alpha^2(2\alpha^2-1)(z^2-1)}\Big] \\ \lambda_2(P) &= \frac14\Big[(4\alpha^2 - 1)z + r\sqrt{z^2 + 8\alpha^2(2\alpha^2-1)(z^2-1)}\Big]. \end{aligned}$$
Similarly, we obtain for the Hadamard basis that
$$\begin{aligned} \lambda_1(T) &= \frac14\Big[(4\alpha^2 - 1)x - r\sqrt{x^2 + 8\alpha^2(2\alpha^2-1)(x^2-1)}\Big] \\ \lambda_2(T) &= \frac14\Big[(4\alpha^2 - 1)x + r\sqrt{x^2 + 8\alpha^2(2\alpha^2-1)(x^2-1)}\Big]. \end{aligned}$$
We define
$$\begin{aligned} f(\alpha, x) &:= \Big(\alpha^2 - \frac14\Big)x, \\ g(\alpha, x) &:= \frac14\sqrt{x^2 + 8\alpha^2(2\alpha^2-1)(x^2-1)}, \\ h(\alpha, x, r) &:= |f(\alpha,x) + r\, g(\alpha,x)| + |f(\alpha,x) - r\, g(\alpha,x)|. \end{aligned}$$
Note that our optimization problem now takes the form
$$\begin{aligned} \text{maximize} \quad & h(\alpha, x, r) + h(\alpha, z, r) \\ \text{subject to} \quad & x^2 + z^2 \leq 1 \\ & 0 \leq x \leq 1 \\ & 0 \leq z \leq 1, \end{aligned}$$
where we can introduce the last two inequality constraints without loss of generality, since the remaining three measurement operators will be given by $XFX$, $ZFZ$, and $XZFZX$.

To show that we can let $y = 0$ for the optimal solution, we have to show that for all $\alpha$ and all $r$, the function $h(\alpha, x, r)$ is increasing on the interval $0 \leq x \leq 1$ (and indeed Mathematica will convince you in an instant that this is the case). Our analysis is further complicated by the absolute values. We therefore first consider
$$h(\alpha,x,r)^2 = 2\big(f(\alpha,x)^2 + r^2 g(\alpha,x)^2 + |f(\alpha,x)^2 - r^2 g(\alpha,x)^2|\big),$$
where we have used the fact that $f$ and $g$ are real-valued functions. In principle, we can now analyze $h_+(\alpha,x,r)^2 = 2(f(\alpha,x)^2 + r^2 g(\alpha,x)^2 + f(\alpha,x)^2 - r^2 g(\alpha,x)^2)$ and $h_-(\alpha,x,r)^2 = 2(f(\alpha,x)^2 + r^2 g(\alpha,x)^2 - f(\alpha,x)^2 + r^2 g(\alpha,x)^2)$ separately on their respective domains. By rewriting, we obtain
$$h_+(\alpha,x,r)^2 = 4\Big(\alpha^2 - \frac14\Big)^2 x^2,$$
and
$$h_-(\alpha,x,r)^2 = \frac14 r^2\big(x^2 + 8\alpha^2(2\alpha^2-1)(x^2-1)\big).$$
Luckily, the first derivatives of $h_+$ and $h_-$ turn out to be positive everywhere for our choice of parameters $0 \leq \alpha \leq 1/\sqrt2$ and $0 \leq r, z \leq 1$. Hence, by further inspection at the transitional points we can conclude that $h$ is an increasing function of $x$. But this means that to maximize our target expression, we must choose $x$ and $z$ as large as possible. Hence, choosing $y = 0$ is the best choice and our claim follows. ✷

We can now immediately extend this analysis to find

Claim 6 Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (B2). Then
$$|\phi\rangle = g\big(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle\big),$$
for some $g \in \{I, X, Z, XZ\}$.

Proof. Extending our analysis from the previous proof, we can compute the second derivative of both functions. It turns out that also the second derivatives are positive, and hence $h$ is convex in $x$. By Claim 5, we can rewrite our optimization problem as
$$\begin{aligned} \text{maximize} \quad & h(\alpha, x, r) + h(\alpha, z, r) \\ \text{subject to} \quad & x^2 + z^2 = 1 \\ & 0 \leq x \leq 1 \\ & 0 \leq z \leq 1. \end{aligned}$$
It now follows from the fact that $h$ is convex in $x$ and the constraint $x^2 + z^2 = 1$ (by computing the Lagrangian of the above optimization problem), that for the optimal solution we must have $x = z$, and our claim follows. ✷

2. Optimality of the trivial strategies

Now that we have shown that $F$ is in fact diagonal in the Breidbart basis (or the bit-flipped version thereof) we have only a single parameter left in our optimization problem. We must now optimize over all operators $F$ of the form
$$F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2 - \alpha^2}\,|\phi^\perp\rangle\langle\phi^\perp|,$$
where we may take $|\phi\rangle$ to be $|0\rangle_B$ or $|1\rangle_B$. Our aim is now to show that either $F$ is the identity, or $F = |\phi\rangle\langle\phi|$, depending on the value of $r$.

Claim 7 Let $F$ be the operator that maximizes $C(F)$. Then $F = cI$ (for some $c \in \mathbb{R}$) for $r \geq 1/\sqrt2$, and $F = |\phi\rangle\langle\phi|$ for $r < 1/\sqrt2$, where
$$|\phi\rangle = g\big(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle\big),$$
for some $g \in \{I, X, Z, XZ\}$.

Proof. We can now plug in $x = z = 1/\sqrt2$ in the expressions for the eigenvalues in our previous proof. Ignoring the constant factors which do not contribute to our argument, we can then write
$$\begin{aligned} \lambda_1(P) &= 4\alpha^2 - 1 - r\sqrt{1 - 16\alpha^4 + 8\alpha^2} \\ \lambda_2(P) &= 4\alpha^2 - 1 + r\sqrt{1 - 16\alpha^4 + 8\alpha^2} \end{aligned}$$
and similarly for the Hadamard basis. We again define functions
$$\begin{aligned} f(\alpha) &:= 4\alpha^2 - 1, \\ g(\alpha) &:= \sqrt{1 - 16\alpha^4 + 8\alpha^2}, \\ h(\alpha, r) &:= |f(\alpha) + r\, g(\alpha)| + |f(\alpha) - r\, g(\alpha)|. \end{aligned}$$
Note that our optimization problem now takes the form
$$\begin{aligned} \text{maximize} \quad & 2h(\alpha, r) \\ \text{subject to} \quad & 0 \leq \alpha \leq \frac{1}{\sqrt2}. \end{aligned}$$
Since we are maximizing, we might as well consider the square of our target function and ignore the leading constant as it is irrelevant for our argument:
$$h(\alpha, r)^2 = 2\big(f(\alpha)^2 + r^2 g(\alpha)^2 + |f(\alpha)^2 - r^2 g(\alpha)^2|\big).$$
To deal with the absolute value, we now perform a case analysis similar to the one above. Computing the zero crossings of the function $f(\alpha)^2 - r^2 g(\alpha)^2$, we analyze each interval separately. Computing the first and second derivatives on the intervals we find that $h(\alpha, r)^2$ has exactly two peaks: the first at $\alpha = 0$, and the second at $\alpha = 1/2$. We have that $h(0,r)^2 = 2$ for all $r$, and $h(1/2,r)^2 = 4r^2$. Hence, we immediately see that the maximum is located at $\alpha = 0$ for $r \leq 1/\sqrt2$, and at $\alpha = 1/2$ for $r \geq 1/\sqrt2$. ✷

Hence, we may conclude that Bob either measures in the Breidbart basis or stores the qubit as is, and Theorem 2 follows.
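The conclusion of Claims 5 to 7 can be checked numerically without Mathematica. The following Python script is an added example and not code from the paper: it builds the single-qubit BB84 states $\sigma_{x,b}$, the depolarizing storage channel $N(\rho) = r\rho + (1-r)I/2$, and the one-parameter family of four-outcome measurements $\{gFg^\dagger : g \in G\}$ with $F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2-\alpha^2}\,|\phi^\perp\rangle\langle\phi^\perp|$ and $|\phi\rangle$ the Breidbart vector, and evaluates $p_+ + p_\times$ exactly for any "measure, keep the outcome, store the post-measurement qubit" strategy by applying Helstrom's formula $\frac12(1 + \|p_0\rho_0 - p_1\rho_1\|_{\rm tr})$ outcome by outcome (the same quantity as $\Gamma$ of Eq. (B1); the argmax does not depend on the normalisation constants). The helper names (`success_sum`, `breidbart_family`, `best_alpha`), the 0.01 grid step and the pure-Python 2x2 matrix helpers are this example's own choices; it assumes only the Python 3 standard library. Sweeping $\alpha$ reproduces Claim 7: the optimum sits at $\alpha = 0$ (a projective Breidbart measurement, $\Gamma = 1 + 1/\sqrt2$, independent of $r$) when $r < 1/\sqrt2$, and at $\alpha = 1/2$ ($F = I/2$, i.e. storing the qubit untouched, $\Gamma = 1 + r$) when $r > 1/\sqrt2$.

```python
import math

# Minimal 2x2 complex matrix helpers (pure Python, so the script runs without numpy).
def mm(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def dag(A):
    return [[A[j][i].conjugate() for j in range(2)] for i in range(2)]

def add(A, B):
    return [[A[i][j] + B[i][j] for j in range(2)] for i in range(2)]

def scale(c, A):
    return [[c * A[i][j] for j in range(2)] for i in range(2)]

def tr(A):
    return A[0][0] + A[1][1]

def trace_norm_hermitian(A):
    """||A||_tr = |lambda_1| + |lambda_2| for a 2x2 Hermitian matrix, via the closed-form eigenvalues."""
    t = tr(A).real
    d = (A[0][0] * A[1][1] - A[0][1] * A[1][0]).real
    disc = math.sqrt(max(t * t - 4.0 * d, 0.0))   # clamp tiny negative rounding errors
    return abs((t + disc) / 2) + abs((t - disc) / 2)

I = [[1.0, 0.0], [0.0, 1.0]]
X = [[0.0, 1.0], [1.0, 0.0]]
Z = [[1.0, 0.0], [0.0, -1.0]]
G = [I, X, Z, mm(X, Z)]          # the group {I, X, Z, XZ} of Claims 2 and 3

def proj(theta):
    """Projector onto cos(theta)|0> + sin(theta)|1>."""
    v = (math.cos(theta), math.sin(theta))
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]

# BB84 encodings sigma_{x,b}: bit x in the computational (+) and Hadamard (x) basis.
SIGMA = {'+': (proj(0.0), proj(math.pi / 2)),
         'x': (proj(math.pi / 4), proj(3 * math.pi / 4))}

def depolarize(rho, r):
    """Bob's noisy storage N(rho) = r*rho + (1-r)*Tr(rho)*I/2 (linear, so it also accepts unnormalised inputs)."""
    return add(scale(r, rho), scale((1.0 - r) * tr(rho).real / 2.0, I))

def is_measurement(kraus, tol=1e-9):
    """Check the completeness relation sum_k F_k^dag F_k = I."""
    S = [[0.0, 0.0], [0.0, 0.0]]
    for F in kraus:
        S = add(S, mm(dag(F), F))
    return all(abs(S[i][j] - I[i][j]) < tol for i in range(2) for j in range(2))

def success_sum(kraus, r):
    """Gamma = p_+ + p_x for the strategy: apply the measurement {F_k}, keep the outcome k, store the
    post-measurement qubit through N, then guess the bit once the basis b is announced.
    Helstrom: the optimal guess for outcome k succeeds with probability (p_k + ||A0 - A1||_tr)/2, where
    A_x = (1/2) N(F_k sigma_{x,b} F_k^dag) are the prior-weighted, unnormalised conditional states."""
    total = 0.0
    for b in ('+', 'x'):
        s0, s1 = SIGMA[b]
        acc = 0.0
        for F in kraus:
            Fd = dag(F)
            A0 = scale(0.5, depolarize(mm(mm(F, s0), Fd), r))
            A1 = scale(0.5, depolarize(mm(mm(F, s1), Fd), r))
            acc += trace_norm_hermitian(add(A0, scale(-1.0, A1)))
        total += 0.5 + 0.5 * acc    # the outcome probabilities p_k sum to 1
    return total

def breidbart_family(alpha):
    """The four-outcome measurement {g F g^dag : g in G} with
    F = alpha|phi><phi| + sqrt(1/2 - alpha^2)|phi_perp><phi_perp| and |phi> = cos(pi/8)|0> + sin(pi/8)|1>.
    alpha = 0 is a projective Breidbart-basis measurement; alpha = 1/2 gives F = I/2 (store the qubit as is)."""
    beta = math.sqrt(max(0.5 - alpha * alpha, 0.0))
    F = add(scale(alpha, proj(math.pi / 8)), scale(beta, proj(math.pi / 8 + math.pi / 2)))
    return [mm(mm(g, F), dag(g)) for g in G]

def gamma_store(r):
    return success_sum([I], r)                    # no measurement: expect 1 + r

def gamma_breidbart(r):
    return success_sum(breidbart_family(0.0), r)  # Breidbart measurement: expect 1 + 1/sqrt(2) for every r

def best_alpha(r):
    """Grid search over 0 <= alpha <= 1/sqrt(2); Claim 7 says the optimum is alpha = 0 or alpha = 1/2."""
    grid = [k / 100 for k in range(71)]
    return max(grid, key=lambda a: success_sum(breidbart_family(a), r))

if __name__ == "__main__":
    for r in (0.3, 0.6, 1 / math.sqrt(2), 0.8, 0.95):
        print(f"r={r:.3f}  store={gamma_store(r):.4f}  breidbart={gamma_breidbart(r):.4f}  best alpha={best_alpha(r)}")
```

Running the script prints, for each $r$, the two trivial strategies side by side and the grid optimum; the crossover of `gamma_store` and `gamma_breidbart` is exactly $r = 1/\sqrt2$, and `best_alpha` never lands strictly between 0 and 1/2, which is the content of Claim 7. Because `success_sum` takes an arbitrary Kraus set, the same function can be pointed at any other intermediate measurement one wants to compare against the two trivial ones.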
We believe that a similar analysis can be done for the
dephasing channel, by first symmetrizing the noise by
applying a rotation over π/4 to our input states.