Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Kazuo Iwama, Yasuhito Kawano, Mio Murao (Eds.)
Theory of Quantum Computation, Communication, and Cryptography
Volume Editors
Kazuo Iwama
Kyoto University
Yoshida-Honmachi, 606-8501 Kyoto, Japan
E-mail: iwama@kuis.kyoto-u.ac.jp
Yasuhito Kawano
NTT
3-1 Morinosato Wakamiya, 243-0198 Atsugi-shi, Kanagawa, Japan
E-mail: kawano.yasuhito@lab.ntt.co.jp
Mio Murao
University of Tokyo
7-3-1 Hongo, 113-0033 Bunkyo-ku, Tokyo, Japan
E-mail: murao@phys.s.u-tokyo.ac.jp
Program Committee
Patrick Hayden McGill University, Canada
Susana Huelga University of Ulm, Germany
Kazuo Iwama Kyoto University, Japan (Chair)
Masato Koashi University of Tokyo, Japan
Barbara Kraus University of Innsbruck, Austria
Francois Le Gall University of Tokyo, Japan
Serge Massar ULB, Belgium
Kae Nemoto NII, Japan
Harumichi Nishimura Osaka Prefecture University, Japan
Robert Raussendorf University of British Columbia, Canada
Renato Renner ETH, Switzerland
Barry Sanders University of Calgary, Canada
Mario Szegedy Rutgers University, USA
Yasuhiro Takahashi NTT, Japan
Andreas Winter University of Bristol, UK and
National University of Singapore, Singapore
Ronald de Wolf CWI, The Netherlands
Shengyu Zhang Chinese University of Hong Kong, Hong Kong
Organizing Committee
Yasuhito Kawano NTT, Japan (Co-chair)
Mio Murao University of Tokyo, Japan (Co-chair)
Table of Contents
New Protocols and Lower Bounds for Quantum Secret Sharing with Graph States (p. 1)
Jérôme Javelle, Mehdi Mhalla, and Simon Perdrix
A Quantum Protocol for Sampling Correlated Equilibria Unconditionally and without a Mediator (p. 13)
Iordanis Kerenidis and Shengyu Zhang
An All-But-One Entropic Uncertainty Relation, and Application to Password-Based Identification (p. 29)
Niek J. Bouman, Serge Fehr, Carlos González-Guillén, and Christian Schaffner
1 Introduction
Secret sharing schemes were independently introduced by Shamir [20] and Blakley [1] and extended to the quantum case by Hillery [10] and Gottesman [4,7]. A quantum secret sharing protocol consists in encoding a secret into a multipartite quantum state. Each player of the protocol holds a share, which consists of a subpart of the quantum system and/or classical bits. Authorized sets of players are those that can recover the secret collectively using classical and quantum communication. A set of players is forbidden if it has no information about the secret. The access structure is the description of the authorized and forbidden sets of players. The encrypted secret can be a classical bit-string or a quantum state.
A threshold ((k, n)) quantum secret sharing protocol [10,4,7] is a protocol by which a dealer distributes shares of a quantum secret to n players such that any
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 1–12, 2013.
© Springer-Verlag Berlin Heidelberg 2013
2 J. Javelle, M. Mhalla, and S. Perdrix
subset of at least k players is authorized, while any set of fewer than k players is forbidden. It is assumed that the dealer has only one copy of the quantum secret he wants to share. A direct consequence of the no-cloning theorem [22] is that no ((k, n)) quantum secret sharing protocol can exist when $k \le n/2$: otherwise two disjoint sets of players could each reconstruct the secret, implying a cloning of the quantum secret. On the other hand, for any $k > n/2$ a ((k, n)) protocol has been introduced in [4], in which the dimension of each share is proportional to the number of players. The unbounded size of the shares is a strong limitation of that protocol; as a consequence, several quantum secret sharing schemes using a bounded amount of resources for each player have been introduced [14,2,13]. In [14] a quantum secret sharing scheme using particular quantum states, called graph states, in which every player receives a single qubit, has been introduced. The graph-state-based protocols are also of interest because graph states are at the forefront in terms of implementation and have emerged as a powerful and elegant family of entangled states [9,21].
Only a few threshold quantum secret sharing schemes have been proved in the literature to be achievable using graph states: ((3, 5)) can be done using the C5 graph (the cycle on 5 vertices) [14], and for any n an ((n, n)) protocol using the complete graph can be done, up to some constraints on the quantum secret [15]. Independently, [2] introduced an ((n, n)) protocol for any n. This protocol is based on the GHZ state [8], which is locally equivalent to the complete graph state [9].
We introduce a new family of secret sharing protocols using graph states. As in [14], the quantum secret is encoded into a graph state shared between the players, but in order to obtain threshold protocols an additional round is added to the protocol. This round consists in encrypting the quantum secret with a classical key which is then shared between the players using a classical secret sharing protocol. This technique extends the one presented in [2], in which the secret is partially encrypted and then shared using a fixed quantum state, namely the GHZ state, which is equivalent to the complete graph state. The technique consisting in encrypting the quantum secret before encoding it into a larger state is also used in [16], in such a way that some players have a classical share but no quantum share.
The family of protocols we introduce in the present paper is parametrized by a pair (G, A) where G = (V, E) is a graph and A is a non empty set of vertices of the graph. We explore the possible values of k for which there exists a pair (G, A) leading to a ((k, n)) protocol. One of our main results is to introduce an infinite family of graphs which can realize any ((k, n)) protocol when $k > n - n^{0.68}$. This result proves that graph state secret sharing can be used not only for ((n, n)) protocols, but also for any threshold larger than $n - n^{0.68}$. The second main result of the paper is the proof that there is no graph G such that (G, V) realizes a ((k, n)) protocol when $k < \frac{79}{156}\,n$. This lower bound also applies to the protocol introduced by Markham and Sanders. Moreover, it suggests that secret sharing protocols with a threshold close to half of the players cannot be achieved with shares of bounded size.
where q(x) is the number of edges in the induced subgraph $G(x) = (\{v_i \in V \mid x_i = 1\}, \{(v_i, v_j) \in E \mid x_i = x_j = 1\})$.
Graph states have the following fundamental fixpoint property: given a graph G, for any set $D \subseteq V$ of vertices, where $N(u)$ denotes the neighbourhood of the vertex $u \in V$,
$$(-1)^{|D \cap \mathrm{Odd}(D)|}\, X_D Z_{\mathrm{Odd}(D)} |G\rangle = \prod_{u \in D} X_u Z_{N(u)} |G\rangle = |G\rangle \qquad (3)$$
Proof. For a given B ⊆ V, let $\Gamma_B$ be the cut matrix induced by B, i.e. the submatrix of the adjacency matrix Γ of G whose columns correspond to the vertices in B and whose rows correspond to the vertices in V \ B. $\Gamma_B$ is the matrix representation of the linear map which sends every X ⊆ B to $\Gamma_B \cdot X = \mathrm{Odd}(X) \cap (V \setminus B)$, where the set X is identified with its characteristic column vector. Similarly, for all Y ⊆ V \ B, $\Gamma_{V \setminus B} \cdot Y = \mathrm{Odd}(Y) \cap B$, where $\Gamma_{V \setminus B} = \Gamma_B^T$ since Γ
Corollary 1. Given a graph G = (V, E), the cQSS protocol (G, A) is perfect
and
B is authorized ⇔ ∃D ⊆ B, D ∪ Odd(D) ⊆ B and |D ∩ A| = 1 mod 2
B is forbidden ⇔ ∃C ⊆ V \ B, Odd(C) ∩ B = A ∩ B
Following [14], the cQSS protocols are extended to qQSS schemes for sharing a quantum secret $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$. Given a graph G and a non empty subset A of vertices, the dealer prepares the quantum state $|G_\phi\rangle = \alpha|G_0\rangle + \beta|G_1\rangle$. Notice that the transformation $|\phi\rangle \mapsto |G_\phi\rangle$ is a valid quantum evolution, i.e. an isometry, whenever $|G_0\rangle$ is orthogonal to $|G_1\rangle$, which is guaranteed by $A \ne \emptyset$. Then the dealer sends each player i the qubit $q_i$ of $|G_\phi\rangle$. Regarding the reconstruction of the secret, it has been proved in [14] that a set B of players can recover the quantum state $|\phi\rangle$ if and only if B can reconstruct a classical secret in the two cQSS protocols (G, A) and (GΔA, A), where $G\Delta A = (V, E\Delta(A \times A))$ and $X\Delta Y = (X \cup Y) \setminus (X \cap Y)$ is the symmetric difference. In other words, GΔA is obtained by complementing the edges of G incident to two vertices in A. We introduce an alternative characterization of authorized sets of players (those who are able to reconstruct a quantum secret) which does not involve the complemented graph GΔA:
Proof. First notice that for any X, if $|X \cap A| = 1 \bmod 2$ then $\mathrm{Odd}_{G\Delta A}(X) = \mathrm{Odd}_G(X)\Delta A$. Thus for any X, Y, if $|X \cap A| = 1 \bmod 2$,
$$\mathrm{Odd}_{G\Delta A}(X) \cap Y = \emptyset \iff (\mathrm{Odd}_G(X)\Delta A) \cap Y = \emptyset \iff (\mathrm{Odd}_G(X) \cap Y)\Delta(A \cap Y) = \emptyset \iff \mathrm{Odd}_G(X) \cap Y = A \cap Y.$$
(⇒) Assume that B can reconstruct the quantum secret, so B can reconstruct the classical secret in GΔA. Thus $\exists D \subseteq B$ s.t. $\mathrm{Odd}_{G\Delta A}(D) \cap (V \setminus B) = \emptyset$. According to the previous remark, this implies $\mathrm{Odd}_G(D) \cap (V \setminus B) = A \cap (V \setminus B)$, so $V \setminus B$ cannot reconstruct the secret.
(⇐) Assume $V \setminus B$ cannot recover the classical secret and B can. So $\exists C \subseteq B$ s.t. $\mathrm{Odd}_G(C) \cap (V \setminus B) = A \cap (V \setminus B)$. If $|C \cap A|$ is even, let $C' := C\Delta D$ where $|D \cap A|$ is odd and $\mathrm{Odd}_G(D) \cap (V \setminus B) = \emptyset$. Such a set D exists since B can reconstruct the classical secret in G. If $|C \cap A|$ is odd, then let $C' := C$. In both cases, $|C' \cap A| = 1 \bmod 2$ and $\mathrm{Odd}_G(C') \cap (V \setminus B) = A \cap (V \setminus B)$, so according to the previous remark $\mathrm{Odd}_{G\Delta A}(C') \cap (V \setminus B) = \emptyset$; as a consequence B is authorized in GΔA.
In any pure quantum secret sharing protocol a set of players can reconstruct a
quantum secret if and only if its complement set of players has no information
about the secret (see [7]). As a consequence:
Sets of players that can reconstruct the secret and those who have no information about the secret admit a simple graphical characterisation thanks to the simple reduction to the classical case. However, unlike the cQSS case, there is a third kind of set of players: those who have some information about the secret but not enough to reconstruct it perfectly. For instance, for any n > 1 consider the qQSS protocol $(K_n, \{v_1, \ldots, v_n\})$ where $K_n$ is the complete graph on the n vertices $v_1, \ldots, v_n$. For any set B of vertices s.t. $|B| \ne 0$ and $|B| \ne n$, neither B nor V \ B can reconstruct a classical secret in the corresponding cQSS protocol, so B cannot reconstruct the quantum secret perfectly but has some information about the secret.
Corollary 3. Given a graph G = (V, E), the qQSS protocols (G, A) and (GΔA, A) have the same access structure. In particular, the protocols (G, V) and $(\bar{G}, V)$ have the same access structure, where $\bar{G}$ is the complement graph of G.
motivate the analysis of the case where the secret is encoded on all the vertices
by giving a reduction from the general case where A is an arbitrary non empty
subset of vertices.
Definition 1. Given a graph G = (V, E) of order n and a non empty subset A ⊆ V of vertices, let κQ(G, A) be the minimal value such that for any B ⊆ V, if |B| is larger than this value then $\exists C_B, D_B \subseteq B$ such that: $|D_B \cap A| = 1 \bmod 2$, $\mathrm{Odd}(D_B) \subseteq B$ and $\mathrm{Odd}(C_B) \cap (V \setminus B) = A \cap (V \setminus B)$. We also define κQ(G, A) = n − κQ(G, A).
Theorem 3. Given a graph G over n vertices, a non empty subset of vertices A, and an integer k > κQ(G, A), there exists a ((k + c, n + c)) quantum secret sharing protocol for any c ≥ 0 in which the dealer sends one qubit to each of n players and uses a (k + c)-threshold classical secret sharing scheme on the n + c players.
The rest of the section is dedicated to defining a family of protocols called qQSS* satisfying the theorem.
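As an added example (not code from the paper), the following brute-force checker implements the Corollary 1 characterisation of authorized and forbidden sets, the quantum characterisation proved above (B recovers the quantum secret iff B is classically authorized and V \ B is classically forbidden, the complement being quantum-forbidden, and any other set holding partial information), and the κQ quantity of Definition 1 as the largest size of a set that lacks D_B or C_B. Graphs are assumed to be given as adjacency dicts; the C5 and K4 instances are constructed here, and `threshold` tests only the bare qQSS access structure, without the classical encryption layer that qQSS* adds.

```python
"""Brute-force checker for graph-based (c/q)QSS access structures (added example)."""
from itertools import combinations


def odd(graph, s):
    """Odd(s): vertices having an odd number of neighbours in the set s."""
    return frozenset(v for v in graph if len(graph[v] & s) % 2 == 1)


def subsets(vertices):
    """All subsets of a vertex set (or of a graph's vertices), as frozensets."""
    vs = sorted(vertices)
    for r in range(len(vs) + 1):
        for c in combinations(vs, r):
            yield frozenset(c)


def is_authorized(graph, a, b):
    """Corollary 1: exists D ⊆ B with D ∪ Odd(D) ⊆ B and |D ∩ A| odd."""
    b = frozenset(b)
    return any(len(d & a) % 2 == 1 and odd(graph, d) <= b for d in subsets(b))


def is_forbidden(graph, a, b):
    """Corollary 1: exists C ⊆ V \\ B with Odd(C) ∩ B = A ∩ B."""
    b = frozenset(b)
    return any(odd(graph, c) & b == a & b for c in subsets(frozenset(graph) - b))


def is_perfect(graph, a):
    """Perfect cQSS: every set is authorized or forbidden, never both, never neither."""
    return all(is_authorized(graph, a, b) != is_forbidden(graph, a, b)
               for b in subsets(graph))


def quantum_status(graph, a, b):
    """qQSS status of B: 'authorized' if B is classically authorized and V \\ B
    classically forbidden; 'forbidden' if V \\ B is quantum-authorized;
    'partial' otherwise (the page's third kind of set)."""
    b = frozenset(b)
    rest = frozenset(graph) - b
    if is_authorized(graph, a, b) and is_forbidden(graph, a, rest):
        return "authorized"
    if is_authorized(graph, a, rest) and is_forbidden(graph, a, b):
        return "forbidden"
    return "partial"


def kappa_q(graph, a):
    """Definition 1: largest |B| such that B lacks D_B or C_B, i.e. the minimal
    bound above which every set is quantum-authorized."""
    return max(len(b) for b in subsets(graph)
               if quantum_status(graph, a, b) != "authorized")


def threshold(graph, a):
    """Return k if the bare qQSS protocol (G, A) is a ((k, n)) threshold scheme,
    i.e. every set of size >= k is authorized and every smaller set forbidden;
    otherwise None."""
    k = kappa_q(graph, a) + 1
    ok = all((quantum_status(graph, a, b) == "authorized") == (len(b) >= k)
             and (quantum_status(graph, a, b) == "forbidden") == (len(b) < k)
             for b in subsets(graph))
    return k if ok else None


def cycle(n):
    """Cycle graph C_n on vertices 0..n-1 (constructed instance)."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}


def complete(n):
    """Complete graph K_n on vertices 0..n-1 (constructed instance)."""
    return {i: set(range(n)) - {i} for i in range(n)}


if __name__ == "__main__":
    c5, k4 = cycle(5), complete(4)
    v5, v4 = frozenset(c5), frozenset(k4)
    print("C5 perfect cQSS:", is_perfect(c5, v5))          # True
    print("kappa_Q(C5, V):", kappa_q(c5, v5))              # 2
    print("C5 threshold:", threshold(c5, v5))              # 3: the ((3, 5)) scheme of [14]
    print("K4 threshold:", threshold(k4, v4))              # None: proper subsets hold partial info
    print("K4, B={0,1}:", quantum_status(k4, v4, {0, 1}))  # partial
```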
Inspired by the work of Broadbent, Chouha and Tapp [2], we extend the qQSS scheme by adding a classical reconstruction part. In [2], a family of unanimity quantum secret sharing protocols (i.e. the threshold is the number of players) has been introduced. They use a GHZ state, which is equivalent to the graph state $|K_n\rangle$ where $K_n$ is the complete graph on n vertices. We extend this construction to any graph, and also use a more general initial encryption of the quantum secret.
Quantum Secret Sharing with Graph States and Classical Reconstruction (qQSS*). Given a graph G = (V, E), a non empty A ⊆ V, and k > κQ(G, A), suppose the dealer wishes to share the quantum secret $|\phi\rangle = \alpha|0\rangle + \beta|1\rangle$.
– Encryption. The dealer chooses uniformly at random $b_x, b_z \in \{0, 1\}$ and applies $X^{b_x} Z^{b_z}$ to $|\phi\rangle$. The resulting state is $|\phi'\rangle = \alpha|b_x\rangle + \beta(-1)^{b_z}|\bar{b}_x\rangle$.
– Graph State Embedding. The dealer embeds $|\phi'\rangle$ into the n-qubit state $\alpha|G_{b_x}\rangle + \beta(-1)^{b_z}|G_{\bar{b}_x}\rangle$.
– Distribution. The dealer sends each player i the qubit $q_i$. Moreover, using a classical secret sharing scheme with threshold k, the dealer shares the bits $b_x, b_z$.
– Reconstruction. The reconstruction of the secret by a set B of players with |B| ≥ k proceeds in 3 steps: first a set $D_B$ such that $D_B \cup \mathrm{Odd}(D_B) \subseteq B$ and $|D_B \cap A|$ is odd is used to add an ancillary qubit and put the overall system in an appropriate state; then a set $C_B$ such that $\mathrm{Odd}(C_B) \cap (V \setminus B) = A \cap (V \setminus B)$ is used to disentangle the ancillary qubit from the rest of the system; finally the classical bits $b_x$ and $b_z$ are used to recover the secret:
– (a) The players in B apply on their qubits the isometry $U_{D_B} := |0\rangle \otimes P_0 + |1\rangle \otimes P_1$, where the $P_i$ are the projectors associated with the observable $O_{D_B} = (-1)^{|D_B \cap \mathrm{Odd}(D_B)|} X_{D_B} Z_{\mathrm{Odd}(D_B)}$, i.e. $P_i := \frac{I + (-1)^i O_{D_B}}{2}$. The resulting state is $\alpha|b_x\rangle \otimes |G_{b_x}\rangle + \beta(-1)^{b_z}|\bar{b}_x\rangle \otimes |G_{\bar{b}_x}\rangle$.
– (b) The players in B apply the controlled unitary map $\Lambda V_{C_B} = |0\rangle\langle 0| \otimes I + |1\rangle\langle 1| \otimes V_{C_B}$, where $V_C := (-1)^{|C \cap \mathrm{Odd}(C)|} X_C Z_{\mathrm{Odd}(C)\Delta A}$. The resulting state is $\alpha|b_x\rangle \otimes |G\rangle + \beta(-1)^{b_z}|\bar{b}_x\rangle \otimes |G\rangle = (\alpha|b_x\rangle + \beta(-1)^{b_z}|\bar{b}_x\rangle) \otimes |G\rangle$.
– (c) Thanks to the classical secret sharing scheme, the players in B recover the bits $b_x$ and $b_z$. They apply $X^{b_x}$ and then $Z^{b_z}$ to reconstruct the quantum secret $\alpha|0\rangle + \beta|1\rangle$ on the ancillary qubit.
Note that this reconstruction method can be used for the qQSS protocols defined
in [12] and for which the reconstruction part was not explicitly defined.
Lemma 2. Given a graph G = (V, E), a non empty A ⊆ V, and k > κQ(G, A), the corresponding qQSS* protocol is a ((k, n)) secret sharing protocol, where n = |V|.
Proof. The classical encoding ensures that any set of size smaller than k is forbidden. $O_{D_B}$ acts on the qubits $D_B \cup \mathrm{Odd}(D_B) \subseteq B$. Moreover $P_i|G_s\rangle = |G_s\rangle$ if $i = s$ and $0$ otherwise, so the application of the isometry $U_{D_B}$ produces the state $\alpha|b_x\rangle \otimes |G_{b_x}\rangle + \beta(-1)^{b_z}|\bar{b}_x\rangle \otimes |G_{\bar{b}_x}\rangle$. Regarding step (b) of the reconstruction, since $\mathrm{Odd}(C) \cap (V \setminus B) = A \cap (V \setminus B)$, $C \cup (\mathrm{Odd}(C)\Delta A) \subseteq B$, so $V_C$ acts on the qubits in B. Moreover $V_C$ produces the state $(\alpha|b_x\rangle + \beta(-1)^{b_z}|\bar{b}_x\rangle) \otimes |G\rangle$. Finally, the classical secret sharing scheme guarantees that the players in B have access to $b_x$ and $b_z$, so that they reconstruct the secret.
Proof of Theorem 3. The correctness of the qQSS* protocol implies that
given a graph G = (V, E) of order n, a non empty A ⊆ V , and k > κQ (G, A),
the corresponding qQSS* protocol is a ((k, n)) secret sharing protocol. In order
to finish the proof of Theorem 3 this protocol is turned into a ((k + c, n + c))
protocol for any c ≥ 0. The qQSS* protocol is modified as follows, following the
technique used in [16]. During the distribution stage, the dealer shares bx and bz
with all the n + c players with a threshold k + c, but sends a qubit of the graph
state to only n players chosen at random among the n + c players. During the
reconstruction, a set of k + c players must contain at least k players having a
qubit. These k players use the reconstruction steps (a) and (b) and then the last
step (c) is done by all the k + c players.
In the next sections, we focus on the protocols of the form (G, V), where G = (V, E). This restriction is motivated by the fact that, for any (G, A), there exists a graph $G' = (V', E')$ such that $\kappa_Q(G', V') = \kappa_Q(G, A)$. In other words:
Theorem 4. If (G, A) realizes a ((k, n)) qQSS* protocol, then there exists $G' = (V', E')$ such that $(G', V')$ realizes a $((k + (2n - 2k + 1),\ n + (2n - 2k + 1)))$ qQSS* protocol.
Proof. Let $G' = (V', E')$ be the graph G = (V, E) augmented with an independent set X of size n − k and a clique Y of size n − k + 1, such that every vertex in Y is connected to all the vertices in $X \cup (V \setminus A)$.
In the following, for any G = (V, E), we consider protocols of the form (G, A)
where A = V , as a consequence A is omitted in the notations e.g., κQ (G) (resp.
κQ (G)) denotes κQ (G, V ) (resp. κQ (G, V )).
$|B_2(v_1)| > \kappa_Q(G_2)$ and thus there exists $D_2(v_1) \subseteq B_2(v_1)$ with $|D_2(v_1)| = 1 \bmod 2$ and $D_2(v_1) \cup \mathrm{Odd}(D_2(v_1)) \subseteq B_2(v_1)$, and there exists $C_2(v_1) \subseteq B_2(v_1)$ with $V_2 \setminus B_2(v_1) \subseteq \mathrm{Odd}(C_2(v_1))$. Let $C_2^0(v_1) = C_2(v_1)$ if $|C_2(v_1)| = 0 \bmod 2$ and $C_2(v_1)\Delta D_2(v_1)$ otherwise, and let $C_2^1(v_1) = C_2^0(v_1)\Delta D_2(v_1)$. We partition $V_1$ into 4 subsets and define for any vertex $v_1$ a set $S_2(v_1) \subseteq V_2$ as follows:
$$S_2(v_1) = \begin{cases} D_2(v_1) & \text{if } v_1 \in D_1 \cap (V_1 \setminus \mathrm{Odd}(D_1)) \\ C_2^1(v_1) & \text{if } v_1 \in D_1 \cap \mathrm{Odd}(D_1) \\ \emptyset & \text{if } v_1 \in (V_1 \setminus D_1) \cap (V_1 \setminus \mathrm{Odd}(D_1)) \\ C_2^0(v_1) & \text{if } v_1 \in (V_1 \setminus D_1) \cap \mathrm{Odd}(D_1) \end{cases}$$
Consider the set $D_B = \bigcup_{v_1 \in V_1} \{v_1\} \times S_2(v_1)$. Then $D_B \subseteq B$ and
$$|D_B| = \sum_{v_1 \in D_1 \cap (V_1 \setminus \mathrm{Odd}(D_1))} |D_2(v_1)| + \sum_{v_1 \in D_1 \cap \mathrm{Odd}(D_1)} |C_2^1(v_1)| + \sum_{v_1 \in (V_1 \setminus D_1) \cap \mathrm{Odd}(D_1)} |C_2^0(v_1)|.$$
Therefore $|D_B| = |D_1| = 1 \bmod 2$. For
[Figure: the graph $C_5^{\bullet(i+1)}$ is built from five copies of $C_5^{\bullet i}$.]
Proof. An induction from Lemma 3 gives $\kappa_Q(C_5^{\bullet i}) \ge \kappa_Q(C_5)^i$. Since $\kappa_Q(C_5) = 3$, $\kappa_Q(C_5^{\bullet i}) \ge 3^i$. We have $|C_5^{\bullet i}| = 5^i$, so, thanks to Theorem 3, the graph $C_5^{\bullet i}$ realizes a $((n - n^{\log(3)/\log(5)} + 1,\ n))$ protocol (with $n = 5^i$).
4 Lower Bound
By the no-cloning theorem, it is not possible to obtain two separate copies of the secret starting from only one copy. Thus, if we consider a quantum secret sharing protocol with parameters ((k, n)), we must have $k > n/2$. We derive here less trivial lower bounds for the qQSS* protocols and for the qQSS protocols defined in [14].
Lemma 4. If G = (V, E) realizes a qQSS* ((k, n)) protocol, then for any set B ⊆ V of size k, there exists a set X ⊆ B such that $|X| \le \frac{2}{3}(n - k + 1)$ and either ($X \cup \mathrm{Odd}(X) \subseteq B$ and $|X| = 1 \bmod 2$) or $V \setminus B \subseteq \mathrm{Odd}(X)$.
Proof. First, let $\Gamma_B \in M_{k,n-k}(\mathbb{F}_2)$ be a cut matrix of G corresponding to the cut (B, V \ B). We can see $\Gamma_B$ as the linear map that sends a set D ⊆ B to its odd neighborhood in V \ B. Consequently, any set D with $D \cup \mathrm{Odd}(D) \subseteq B$ corresponds to a linear combination of the columns of the matrix $\Gamma_B$ which equals the null vector. Therefore $\{D \subseteq B,\ D \cup \mathrm{Odd}(D) \subseteq B\} = \mathrm{Ker}(\Gamma_B)$, and $t = \dim(\mathrm{Ker}(\Gamma_B)) = k - \dim(\mathrm{Im}(\Gamma_B)) \ge 2k - n$. As $|X\Delta Y| = |X| + |Y| \bmod 2$, the sets $\mathcal{D}_1 = \{D \subseteq B,\ |D| = 1 \bmod 2 \text{ and } D \cup \mathrm{Odd}(D) \subseteq B\}$ and $\mathcal{C}_1 = \{C \subseteq B,\ C \cup (V \setminus \mathrm{Odd}(C)) \subseteq B\}$ are two affine subspaces having the same underlying vector subspace $\mathcal{D}_0 = \{D \subseteq B,\ |D| = 0 \bmod 2 \text{ and } D \cup \mathrm{Odd}(D) \subseteq B\}$. The dimension of $\mathcal{D}_0$ is t − 1; therefore, by Gaussian elimination there exists a set $X_0 \subseteq B$ with $|X_0| = t - 1$ such that there exist sets $C_1 \in \mathcal{C}_1$ and $D_1 \in \mathcal{D}_1$ satisfying $X_0 \cap C_1 = X_0 \cap D_1 = \emptyset$. Thus $|C_1 \cup D_1| \le k - t + 1 \le n - k + 1$. Therefore $2|D_1 \cup C_1| = |D_1| + |C_1| + |D_1\Delta C_1| \le 2(n - k + 1)$, which implies that one of the three sets has cardinality at most $2(n - k + 1)/3$. As $D_1 \cup \mathrm{Odd}(D_1) \subseteq B$ with $|D_1| = 1 \bmod 2$, $C_1 \cup (V \setminus \mathrm{Odd}(C_1)) \subseteq B$, and $(D_1\Delta C_1) \cup (V \setminus \mathrm{Odd}(D_1\Delta C_1)) \subseteq B$, at least one of them has cardinality at most $2(n - k + 1)/3$.
Using this lemma and a counting argument we prove the following lower bound:
Theorem 6. There exists no graph G that has a ((k, n)) qQSS* protocol with $k < \frac{n}{2} + \frac{n}{157}$.
Proof. We consider a graph G = (V, E) which realizes a ((k, n)) secret sharing protocol. Any set D ⊆ V with $|D| = 1 \bmod 2$ satisfies $|D \cup \mathrm{Odd}(D)| \ge n - k + 1$; otherwise $B = V \setminus (D \cup \mathrm{Odd}(D))$, of size greater than k, would not be authorized. Consequently, given a set D with $|D| = 1 \bmod 2$, there exist at most $\binom{n-(n-k+1)}{k-(n-k+1)} = \binom{k-1}{2k-n-1}$ sets B of size k containing $D \cup \mathrm{Odd}(D)$. Similarly, for any set C ⊆ V, $|C \cup (V \setminus \mathrm{Odd}(C))| \ge n - k + 1$; otherwise $B = \mathrm{Odd}(C) \setminus C$, of size greater than k, would not be authorized. Therefore, given a set C ⊆ V, the number of sets B of size k containing C and such that $C \cup (V \setminus \mathrm{Odd}(C)) \subseteq B$ is at most $\binom{k-1}{2k-n-1}$. By Lemma 4, each set B ⊆ V of size k contains either a set D of odd size with $D \cup \mathrm{Odd}(D) \subseteq B$ or a set C with $C \cup (V \setminus \mathrm{Odd}(C)) \subseteq B$, such that $|D| \le \frac{2}{3}(n - k + 1)$ or $|C| \le \frac{2}{3}(n - k + 1)$. Thus, by counting twice all the sets of cardinality at most $\frac{2}{3}(n - k + 1)$, we can upper bound the number of possible cuts of size k:
$$\binom{n}{k} \le 2 \sum_{i=1}^{\frac{2}{3}(n-k+1)} \binom{n}{i} \binom{k-1}{2k-n-1}.$$
The previous inequality implies that $k > \frac{n}{2} + \frac{n}{157}$ when $n \to \infty$.
The previous theorem directly implies that the protocols defined in [14] admit
no threshold k when the secret is encoded on all the qubits and the number of
players satisfies n > 79.
Corollary 4. For any graph G = (V, E) with |V | ≥ 79, (G, V ) is not a threshold
qQSS protocol.
References
1. Blakley, G.R.: Safeguarding cryptographic keys. In: AFIPS Conference Proceedings, vol. 48, pp. 313–317 (1979)
2. Broadbent, A., Chouha, P.R., Tapp, A.: The GHZ state in secret sharing and entanglement simulation. arXiv:0810.0259 (2008)
3. Browne, D.E., Kashefi, E., Mhalla, M., Perdrix, S.: Generalized flow and determinism in measurement-based quantum computation. New Journal of Physics 9, 250 (2007)
4. Cleve, R., Gottesman, D., Lo, H.-K.: How to Share a Quantum Secret. Phys. Rev. Lett. 83, 648–651 (1999)
5. Ekert, A.: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 611 (1991)
6. Fortescue, B., Gour, G.: Reducing the quantum communication cost of quantum secret sharing. arXiv:1108.5541 (2011)
7. Gottesman, D.: On the Theory of Quantum Secret Sharing. Phys. Rev. A 61, 04231 (2000); also quant-ph/9910067
8. Greenberger, D.M., Horne, M.A., Zeilinger, A.: Going beyond Bell's theorem. In: Bell's Theorem, Quantum Theory, and Conceptions of the Universe, pp. 69–72 (1989)
9. Hein, M., Eisert, J., Briegel, H.J.: Multi-party entanglement in graph states. Phys. Rev. A 69, 062311 (2004); quant-ph/0307130
10. Hillery, M., Buzek, V., Berthiaume, A.: Quantum Secret Sharing. Phys. Rev. A 59, 1829 (1999); arXiv/9806063
11. Javelle, J., Mhalla, M., Perdrix, S.: Classical versus Quantum Graph-based Secret Sharing. arXiv:1109.4731 (2011)
12. Kashefi, E., Markham, D., Mhalla, M., Perdrix, S.: Information Flow in Secret Sharing Protocols. In: DCM 2009: Elec. Proc. Theor. Comp. Sci., vol. 9, p. 87 (2009)
13. Keet, A., Fortescue, B., Markham, D., Sanders, B.C.: Quantum secret sharing with qudit graph states. Phys. Rev. A 82, 062315 (2010)
14. Markham, D., Sanders, B.C.: Graph states for quantum secret sharing. Phys. Rev. A 78, 042309 (2008)
15. Markham, D., Sanders, B.C.: Erratum: Graph states for quantum secret sharing. Phys. Rev. A 78, 042309 (2008); Phys. Rev. A 83, 019901(E) (2011)
16. Nascimento, A., Mueller-Quade, J., Imai, H.: Improving quantum secret-sharing schemes. Phys. Rev. A 64, 042311 (2001)
17. Ogawa, T., Sasaki, A., Imamoto, M., Yamamoto, H.: Reducing the quantum communication cost of quantum secret sharing. Phys. Rev. A 72, 032318 (2005)
18. Sarvepalli, P.: Bounds on the information rate of quantum secret sharing. Phys. Rev. A 83, 042324 (2011)
19. Sarvepalli, P., Raussendorf, R.: Matroids and Quantum Secret Sharing Schemes. Phys. Rev. A 81, 052333 (2010)
20. Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (1979)
21. Raussendorf, R., Briegel, H.: A one-way quantum computer. Phys. Rev. Lett. 86, 5188 (2001)
22. Wootters, W.K., Zurek, W.H.: A Single Quantum Cannot be Cloned. Nature 299, 802–803 (1982)
A Quantum Protocol for Sampling Correlated Equilibria Unconditionally and without a Mediator
Most of the work was done when the authors visited the Centre for Quantum Technologies (CQT), Singapore in early January 2011, under the support of CQT. I.K.'s research was also supported by French projects ANR-09-JCJC-0067-01, ANR-08-EMER-012 and the project QCS (grant 255961) of the E.U. S.Z.'s research was supported by China Basic Research Grant 2011CBA00300 (sub-project 2011CBA00301), Research Grants Council of Hong Kong (Project no. CUHK418710, CUHK419011), and benefited from research trips under the support of China Basic Research Grant 2007CB807900 (sub-project 2007CB807901).
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 13–28, 2013.
© Springer-Verlag Berlin Heidelberg 2013
14 I. Kerenidis and S. Zhang
1 Introduction
Game theory is a research area of great importance that studies the behavior of two or more players interacting with each other in order to achieve individual goals. It has found far-reaching applications in the fields of economics, biology, computer science, sociology, political science, the study of the Internet and stock markets, among others.
Most games fall into two broad categories: 1) Strategic games, where all players choose their strategies simultaneously or without knowing the other players' moves. The payoffs depend on the joint strategy performed by all players, and the game is usually described in matrix form when there are only two players. 2) Extensive games, where the players take turns in making moves. Examples of strategic games include the Battle of the Sexes, the Prisoner's Dilemma, the Vickrey auction, etc. Examples of extensive games include chess, the eBay auction system, etc.
In order to study stable behaviors in games, the concept of an equilibrium has been put forward [vNM44]. A Nash equilibrium, the most fundamental notion of an equilibrium, is a joint strategy of all players such that no player has any incentive to change her own strategy given that all other players retain theirs. One of the seminal results in this area is that every game with finitely many players and finitely many strategies has a mixed Nash equilibrium [vNM44, Nas51], i.e. one where the strategy of each player is a distribution over deterministic strategies. Note that these distributions are uncorrelated across different players and hence each player can sample her strategy independently.
Even though the importance of Nash equilibria is undisputed, there are some drawbacks. First, the recent breakthrough results of [DGP09, CDT09] have shown that finding a Nash equilibrium is a computationally hard problem. To make matters worse, in many games there is more than one Nash equilibrium and it is really unclear whether the players will end up in one of them, and if yes, which one and how. Note that in many cases these equilibria are not fair, and thus different players have a preference for a different equilibrium.
Let us see a simple example, the Battle of the Sexes. A couple needs to decide where to go for holidays. Partner A prefers Amsterdam to Barcelona, and Partner B prefers Barcelona to Amsterdam. But both players prefer going to the same place to ending up in different places; see the following payoff table, where
the pair of numbers in each entry represents the payoffs of the two partners in order (rows are Partner A's choice, columns Partner B's).

                Amsterdam    Barcelona
    Amsterdam   (4,2)        (0,0)
    Barcelona   (0,0)        (2,4)

So where should they go? There are two pure Nash equilibria in the above game. Either they both go to Amsterdam, and hence have payoffs 4 and 2 respectively, or they both go to Barcelona and have payoffs 2 and 4 respectively. Even though these are Nash equilibria, neither of them is fair, causing the battle of the sexes. There is actually a third Nash equilibrium, a mixed one, where each player independently flips a coin and decides to go to their preferred place with probability 2/3 and to the preferred place of the other player with probability 1/3. In this case, the expected payoff is the same for both players and equal to 4/3. Even though this is a fair equilibrium, it is pretty inefficient, since now both players have a payoff even lower than in the unfair pure equilibria. Moreover, there is a 5/9 chance that the couple ends up in different places, which they really do not want.
One simple way to rectify all of these problems is the introduction of the notion of a correlated (Nash) equilibrium [Aum74]. In such an equilibrium, we allow the strategies of the players to be drawn from a correlated distribution p, and, as for a Nash equilibrium, we require that each player has no incentive to deviate given the current sample of his strategy and knowledge of the distribution p (but not the sampled strategies of the other players). These equilibria have many nice properties. First, they form a superset of Nash equilibria and hence they always exist. Moreover, it is not hard to exhibit games with a correlated equilibrium which enjoys fairness and whose social welfare (i.e. the total payoff of the players) is arbitrarily better than that of any Nash equilibrium. Second, unlike Nash equilibria, it is computationally easy to compute an optimal correlated equilibrium by solving an LP, for many types of games, including constant-player, polymatrix, graphical, hypergraphical, congestion, local effect, scheduling, facility location, network design and symmetric games [PR08, VNRT07]. In our previous example, a correlated equilibrium is the strategy where with probability 1/2 the couple goes to Amsterdam and with probability 1/2 to Barcelona. The expected payoff for each player is then 3 and the couple is equally happy.
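An added example, not the authors' code: an exact checker for Aumann's correlated-equilibrium condition on the payoff table above, applied to the three distributions discussed (the two pure Nash equilibria mixed with probability 1/2 each, the mixed Nash equilibrium with probabilities 2/3 and 1/3, and, for contrast, a uniform distribution over all four cells, which is not an equilibrium because a player recommended the other partner's favourite would rather switch). The function and constant names are assumptions of this example.

```python
"""Correlated-equilibrium checker for the Battle of the Sexes (added example)."""
from fractions import Fraction as Fr
from itertools import product

STRATEGIES = ("Amsterdam", "Barcelona")

# Payoff table from the page: (Partner A's choice, Partner B's choice) -> (u_A, u_B)
PAYOFF = {
    ("Amsterdam", "Amsterdam"): (4, 2),
    ("Amsterdam", "Barcelona"): (0, 0),
    ("Barcelona", "Amsterdam"): (0, 0),
    ("Barcelona", "Barcelona"): (2, 4),
}


def expected_payoffs(p):
    """Expected payoff of (A, B) under a joint distribution p over strategy pairs."""
    ua = sum(p.get(s, 0) * PAYOFF[s][0] for s in PAYOFF)
    ub = sum(p.get(s, 0) * PAYOFF[s][1] for s in PAYOFF)
    return ua, ub


def is_correlated_equilibrium(p):
    """Aumann's condition: a player who knows p and her own recommendation r
    (but not the other's draw) cannot gain by playing t instead. For every
    player i, recommendation r and alternative t:
        sum over s_{-i} of p(r, s_{-i}) * (u_i(r, s_{-i}) - u_i(t, s_{-i})) >= 0."""
    for player in (0, 1):
        for r in STRATEGIES:
            for t in STRATEGIES:
                if t == r:
                    continue
                gain_from_staying = Fr(0)
                for other in STRATEGIES:
                    joint = (r, other) if player == 0 else (other, r)
                    deviated = (t, other) if player == 0 else (other, t)
                    gain_from_staying += p.get(joint, 0) * (
                        PAYOFF[joint][player] - PAYOFF[deviated][player])
                if gain_from_staying < 0:
                    return False
    return True


def product_distribution(pa, pb):
    """Joint distribution of two independent mixed strategies (a mixed profile)."""
    return {(sa, sb): pa[sa] * pb[sb] for sa, sb in product(STRATEGIES, repeat=2)}


def miscoordination(p):
    """Probability that the partners end up in different cities."""
    return sum(q for (sa, sb), q in p.items() if sa != sb)


# The distributions discussed on the page (constructed here with exact fractions).
PURE_NASH_MIX = {("Amsterdam", "Amsterdam"): Fr(1, 2), ("Barcelona", "Barcelona"): Fr(1, 2)}
MIXED_NASH = product_distribution({"Amsterdam": Fr(2, 3), "Barcelona": Fr(1, 3)},
                                  {"Amsterdam": Fr(1, 3), "Barcelona": Fr(2, 3)})
UNIFORM = {s: Fr(1, 4) for s in PAYOFF}

if __name__ == "__main__":
    for name, p in (("pure-NE mix", PURE_NASH_MIX), ("mixed NE", MIXED_NASH), ("uniform", UNIFORM)):
        print(name, expected_payoffs(p), "CE:", is_correlated_equilibrium(p),
              "miscoordination:", miscoordination(p))
    # pure-NE mix (3, 3) CE: True miscoordination: 0
    # mixed NE (4/3, 4/3) CE: True miscoordination: 5/9
    # uniform (3/2, 3/2) CE: False miscoordination: 1/2
```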
However, in general it is hard to sample from a correlated distribution. In fact, even for the case of two players and the distribution of the correlated equilibrium being just one fair coin, it is well known that without any computational assumptions it is impossible to achieve just that; actually, in any classical protocol one player has a strategy to get his/her desired outcome with probability 1. A canonical solution to this problem is to introduce a trusted mediator, who in this case flips the fair coin. However, for many real-life scenarios, trusted mediators are simply not available.
A computational solution to this problem was proposed by Dodis, Halevi and Rabin [DHR00], who showed that classical cryptographic protocols can provide an elegant way to achieve a correlated equilibrium under standard computational
honest strategy, then no matter how the other player plays, the bias of the coin cannot exceed an arbitrarily small ε.
Let us first focus on a subset of all correlated equilibria, which we call Nash-support correlated equilibria, where the distribution is over joint strategies that are pure Nash equilibria. Such correlated equilibria exist whenever the game has pure Nash equilibria and in many cases are optimal. For example, in the Battle of the Sexes, and more generally in all coordination games, the optimal correlated equilibrium is a uniform distribution over the two pure Nash equilibria.
As in Dodis et al., we construct an extended game in which the players first exchange messages, then play the original game by choosing strategies. A Nash equilibrium in the extended game is a sequence of moves of all players such that no unilateral deviation by one player can increase her payoff. At a high level, the new game we construct has the following stages: 1) Communication stage: the players use the quantum weak coin flipping protocol as a subroutine in order to sample a joint strategy from the distribution of the original Nash-support correlated equilibrium. 2) Game stage: the players play the original game and their payoff is the same as in the original game.
It is not hard to see that being honest during the communication stage and playing the strategy that corresponds to the sampled Nash equilibrium is an approximate Nash equilibrium, and it achieves payoff (almost) equal to that of the correlated equilibrium of the original game. Let us assume that one of the players is dishonest while the other plays the honest strategy. The cheating player can deviate during the coin flipping process, but this increases his payoff by at most ε by the security of the coin flipping protocol. Then, he can deviate by not playing the suggested strategy, but since the suggested strategy is a Nash equilibrium, he cannot increase his payoff.
Theorem 1. For any Nash-support correlated equilibrium $p$ of a game $G$ with at most $n$ strategies for each player, there exists an extended game $Q$ with an $\varepsilon$-Nash equilibrium $\sigma$ computable in time $\mathrm{poly}(n, 1/\delta, 1/\varepsilon)$, such that the expected payoffs for both players in $\sigma$ are at least as high as in $p$ minus $\delta$.
For general correlated equilibria, we further extend our game as follows. Since
we do not preserve privacy of the moves, it may be to someone’s advantage
to change their strategy instead of following the suggestion. We remedy this
situation by adding a final stage to the game and by using the usual “Punishment
for Deviation” method. Therefore, in 3) Checking stage: the players submit an
Accept/Reject move, where a player plays Reject if the strategy of the other
player during the second stage is not equal to the suggested one. The payoff of
the players is equal to the one in the original game if they both play Accept in
the last phase, and 0 otherwise. Note that we do not need the Accept/Reject
moves to be simultaneous and that without loss of generality we assume that all
payoffs are in [0, 1].
Again, it is not hard to see that being honest during the communication stage
and playing the suggested move is an approximate Nash equilibrium for this
game and it achieves payoff equal to the correlated equilibrium of the original
game. Let us assume that one of the players is dishonest while the other is
playing the honest strategy. The cheating player can deviate during the coin
flipping process but this will only increase his payoff by at most an ε fraction
by the security of the coin flipping protocol. Then, in the second stage, he can
deviate by not playing the suggested strategy, but then his payoff will be 0 since
the honest player will play Reject in the Checking stage. Hence, there is no
significant advantage for any player to deviate from the honest strategy.
Theorem 2. For any correlated equilibrium $p$ of a game $G$ with at most $n$ strategies for each player, there exists an extended game $Q$ with an $\varepsilon$-Nash equilibrium $\sigma$ computable in time $\mathrm{poly}(n, 1/\delta, 1/\varepsilon)$, such that the expected payoffs for both players in $\sigma$ are at least as high as in $p$ minus $\delta$.
Let us make a more detailed comparison with the results of Dodis, Halevi and
Rabin [DHR00]. They describe an extended game, first introduced by Barany
[Bár92], that involves a communication stage and then the game stage. In the
communication stage, they securely compute a functionality that they call Cor-
related Element Selection. This consists of two players sampling a joint strategy
from a correlated distribution, with the extra privacy property that at the end
each player knows only his/her own move. Then, in the second stage, the players
play the original game. If a player catches the other one cheating during the
communication stage, then he plays his minmax move in the second stage, i.e.
the move that minimizes the other players’ payoff.
On one hand, in our protocol, the communication stage achieves something
weaker. We sample from the correlated distribution in a way that at the end,
both players know the joint strategy. By removing the privacy constraint we are
able to achieve the sampling using the weaker primitive of Weak Coin Flipping.
A nice property of our procedure is that the honest player is guaranteed to
have an output, regardless of the dishonest player’s strategy. For the case of
the Nash-support correlated equilibria, we do not have to resort to the minmax
punishment, since even if the honest player catches the other player cheating, he
can still play the suggested move. In the case of general correlated equilibria, we
need to be more explicit in our punishment by adding the Accept/Reject stage,
in order to dissuade the players from deviating from the suggested move.
On the other hand, we achieve something much stronger than before, which
is that we do not make any assumptions about the computational power of
the players. Hence we are able to use quantum communication to achieve a
real correlated equilibrium for a large array of different types of games with
unconditionally powerful players and without a trusted mediator.
A few remarks are in order for this extra checking stage that we add in the
case where the correlated equilibrium has support on joint strategies that are
not Nash equilibria. First, note that all the equilibria remain unchanged, since
we specified the payoffs of any joint strategy with a Reject move as 0. Hence,
sampling a correlated equilibrium in the new game is equivalent to sampling
a correlated equilibrium in the original game. This means that the quantum
advantage comes from the sampling part and not due to the checking part.
For a fair comparison, we can also augment the classical game with the choice
A Quantum Protocol for Sampling Correlated Equilibria 19
of Accept/Reject. It is not hard to see that the players still cannot sample a
correlated equilibrium in this new game; otherwise they would have been able
to do a strong coin flipping which is impossible.
Second, in many practical situations, breaking preagreed rules is considered
losing (and thus given the least payoff) automatically. Many games in sports
are of this nature. For example, when the referee tosses a coin to decide the side of the court for each team, both teams know the outcome of this random process and are not allowed to disagree with it, whatever the outcome; otherwise the referee immediately declares that team the loser. Moreover, in extensive
games, the checking phase is already implicitly present. In the middle of a chess
game, only a subset of moves is compatible with the stage of the game and hence
if a player decides to play some other move, then the other player will Reject
either immediately or at the end of the game. Hence, adding an Accept/Reject
stage only makes explicit what is implicitly present in any game, that if a player
breaks the rules then the other one rejects the outcome of the game.
Third, our Accept/Reject stage is not simultaneous. One has to be very careful
with adding simultaneous moves to a game, since two players can flip a fair coin
with a simultaneous move where each plays one of two possible moves at random.
If the two moves are the same then the coin is Head and if different the coin is
Tail. Here, we do not add the ability to play simultaneously.
Fourth, one may wonder why the honest player would prefer to reject and
receive 0 payoff — she could instead choose to accept even though the other
player cheated and receive a possibly positive payoff. Note that this is not a defect
of our protocol, rather, it is an inherent property of Nash equilibria in extensive
games. As explained in Dodis et al. where there was again a punishment step,
the Nash equilibrium property requires merely local optimality by considering
the scenario where at most one player deviates from the protocol; nothing is
guaranteed if both players cheat. Moreover, the insistence of the honest player
to punish the cheater forces the other player not to cheat in the first place (or to
stop cheating if the game is repeated). One possible way to remedy the situation
would be to consider subgame perfect equilibria, however neither our protocol
nor the one in Dodis et al. has this property.
Note that our protocol does not provide a quantum algorithm to compute a
Nash equilibrium. However, it almost renders this question moot. Instead of a
quantum algorithm to compute a Nash equilibrium, there is a quantum protocol
where the players can generate a correlated equilibrium, which enjoys desirable
properties such as fairness and higher payoff.
Since our protocol uses quantum channels, one may wonder whether the power
of two-way quantum communication enables us to achieve any quantum equilib-
rium with payoff higher than any classical correlated equilibrium. This is actually
not possible: Any quantum protocol eventually generates a joint strategy s ac-
cording to some correlated distribution p. If the players’ behaviors in the protocol
form a Nash equilibrium, then the resulting distribution p is a quantum corre-
lated equilibrium of the quantized game, because otherwise the players would
2 Preliminaries
Game Theory. In a classical strategic game with n players, labeled by {1, 2, . . . , n},
each player i has a set Si of strategies. We use s = (s1 , . . . , sn ) to denote the
joint strategy selected by the players and S = S1 × . . . × Sn to denote the set
of all possible joint strategies. Each player i has a utility function ui : S → R,
specifying the payoff or utility ui (s) to player i on the joint strategy s. For
simplicity of notation, we use subscript −i to denote the set [n] − {i}, so s−i is
(s1 , . . . , si−1 , si+1 , . . . , sn ), and similarly for S−i , p−i , etc.
In a classical extensive game with perfect information, the players take moves
in turns and all players know the entire history of all players’ moves. An extensive
game can be transformed into strategic form by tabulating all deterministic
strategies of the players, which usually results in an exponential increase in size.
A game is [0, 1]-normalized if all utility functions are in [0, 1]. Any game can
be scaled to a normalized one. For a fair comparison, we assume that all games
in this paper are normalized.
A Nash equilibrium is a fundamental solution concept in game theory. Roughly,
it says that in a joint strategy, no player can gain more by changing her strategy,
provided that all other players keep their current strategies unchanged.
Definition 1. A pure Nash equilibrium is a joint strategy $s = (s_1, \ldots, s_n) \in S$ satisfying
In the following section we will use weak coin flipping as a subroutine for
the following cryptographic primitive, that enables two players to jointly sample
from a correlated distribution, in a way that no dishonest player can force a
distribution which is far from the honest one.
Definition 6. A Correlated Strategy Sampling protocol between two players $P_1$ and $P_2$ is an interactive protocol where the players receive as input a game $G$ with an efficiently computable correlated equilibrium $p$ and at the end, $P_1$ outputs a joint strategy $s = (s_1, s_2) \in S_1 \times S_2$ and $P_2$ outputs a joint strategy $s' = (s'_1, s'_2) \in S_1 \times S_2$. If $s = s'$, we say the protocol outputs $s = (s_1, s_2)$. If $s \ne s'$ then we say the protocol outputs $\bot$.
An $(\varepsilon, \delta)$-Correlated Strategy Sampling procedure satisfies the following properties:
1. If both players follow the honest strategy, then they both output the same joint strategy $s = (s_1, s_2)$, where $s \leftarrow p_h$ for some distribution $p_h$ such that, for both $i \in \{1, 2\}$,
$$E_{s \leftarrow p_h}[u_i(s)] \ge E_{s \leftarrow p}[u_i(s)] - \delta.$$
2. If Player 1 is dishonest and Player 2 is honest (similarly for the other case), then Player 2 outputs a joint strategy $s$ distributed according to some $q$ such that
$$E_{s \leftarrow q}[u_2(s)] \ge E_{s \leftarrow p_h}[u_2(s)] - \varepsilon, \qquad E_{s \leftarrow q}[u_1(s)] \le E_{s \leftarrow p_h}[u_1(s)] + \varepsilon.$$
Note again, that similar to the case of the weak coin flip, the players do not
abort, since a player that wants to abort can always choose the joint strategy
that is best for him rather than aborting without reducing the security of the
protocol.
Extended Game Q
Note that from the security of the Correlated Strategy Sampling procedure we
also have
Es←q [u2 (s)] ≥ Es←ph [u2 (s)] − ε. (2)
Hence, we have the following interesting corollary
Corollary 1. In the extended game Q, the expected payoff of the honest player
will not decrease by more than ε, no matter how the dishonest player deviates,
unless the dishonest player makes both players’ payoff equal to 0.
In other words, the honest strategy remains an equilibrium even if the objective
of a player is not to maximize his own payoff but rather maximize the difference
between the players’ payoffs.
Input: A game $G$ with at most $n$ strategies for each player, and an efficiently computable correlated equilibrium $p$.
1. Each Player $i$ computes locally the equilibrium $p$ and emulates $p$ by a uniform distribution $\bar p$ on a multiset of joint strategies (i.e. on $\{0,1\}^k$), with $k = O(\log n)$.
2. For $j = 1$ to $k$:
(a) Each Player $i$ computes and announces his preference
$$a_i^j = \operatorname{sign}\Big( E_{\bar s_{j+1} \cdots \bar s_k \leftarrow \bar p_h(\cdot \,|\, \bar s_1 \cdots \bar s_{j-1} 0)}[u_i(s)] - E_{\bar s_{j+1} \cdots \bar s_k \leftarrow \bar p_h(\cdot \,|\, \bar s_1 \cdots \bar s_{j-1} 1)}[u_i(s)] \Big).$$
(b) If $a_1^j a_2^j = -1$, run $\mathrm{WCF}(a_1^j, \varepsilon/k)$ and let the outcome of Player $i$ be $\bar s_i^j \in \{0,1\}$; else set $\bar s_1^j = \bar s_2^j$ to their commonly desirable value.
3. Each Player $i$ outputs $s$ according to the jointly flipped coins $\bar s = \bar s_i^1 \cdots \bar s_i^k$.
Analysis. First, if both players are honest then their expected utility is at least
as high as in the original CE, up to an additive error δ due to the precision of
using k bits to emulate p. If in all rounds they flip a fair coin then their expected
utility is exactly the same as in p. If at some round they both agree on a preferred
value then this increases both players expected utility.
We now prove that no dishonest player can increase his utility by much. Let
us assume without loss of generality that Player 1 is dishonest and Player 2 is
honest. We prove that, after round $m$, the following holds.
Claim. For any $m = 1, \ldots, k$, we have
$$\sum_{\bar s_1 \cdots \bar s_m} \big(\bar q(\bar s_1 \cdots \bar s_m) - \bar p_h(\bar s_1 \cdots \bar s_m)\big) \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_m)\, u_1(s)$$
$$\le \sum_{\bar s_1 \cdots \bar s_{m-1}} \big(\bar q(\bar s_1 \cdots \bar s_{m-1}) - \bar p_h(\bar s_1 \cdots \bar s_{m-1})\big) \sum_{\bar s_m \cdots \bar s_k} \bar p_h(\bar s_m \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1})\, u_1(s) + \frac{\varepsilon}{k}. \qquad (3)$$
The proof is in the Appendix. Adding the inequalities of the claim for all $m$ (for $m = 1$ the sum on the right-hand side runs over the empty prefix and vanishes), we have
$$\sum_{\bar s_1 \cdots \bar s_k} \big(\bar q(\bar s_1 \cdots \bar s_k) - \bar p_h(\bar s_1 \cdots \bar s_k)\big)\, u_1(s) \le \varepsilon.$$
By going back to the space of joint strategies we have $E_{s \leftarrow q}[u_1(s)] \le E_{s \leftarrow p_h}[u_1(s)] + \varepsilon$.
Moreover, for the honest player, by a similar argument (changing $u_1$ to $u_2$, $\varepsilon/k$ to $-\varepsilon/k$, and reversing the direction of the inequality in Claim 4) it is also easy to show the claimed Eq. (2).
The same analysis holds when Player 2 is dishonest. Also, it is easy to see that
the complexity of the protocol is polynomial in n/δ and 1/ε. This completes the
proof of our main theorem.
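As an added example (not the paper's own code), the following Python program carries out steps 1 to 3 of the protocol on a constructed $[0,1]$-normalized Chicken game with the correlated equilibrium $p = (1/4, 1/4, 1/2)$ on $(D,C), (C,D), (C,C)$, computing the exact distribution over coin strings instead of sampling. The weak coin flip is replaced by its security guarantee (a fair coin if both players are honest; a cheater shifts the probability of their preferred value by at most $\varepsilon/k$), so the result can be compared with the Claim: the cheater's expected payoff exceeds the honest one by less than $\varepsilon$, the honest player loses less than $\varepsilon$, and in a round where both announce the same preference the bit is fixed and both gain. The game, the two orderings of the multiset, the treatment of an indifferent player and all names (`emulate`, `preference`, `sampling_distribution`, `expected_payoff`) are assumptions of this example.

```python
"""Exact analysis of the bit-by-bit Correlated Strategy Sampling protocol (added example)."""
from fractions import Fraction
from typing import Dict, List, Optional, Sequence, Tuple

Strategy = Tuple[str, str]                              # a joint strategy (s1, s2)
Payoffs = Dict[Strategy, Tuple[Fraction, Fraction]]     # s -> (u1(s), u2(s)), both in [0, 1]
Prefix = Tuple[int, ...]                                # already fixed coins s_1 ... s_j

# Constructed, [0,1]-normalised Chicken game (D = dare, C = chicken); assumed for this example.
CHICKEN: Payoffs = {
    ("D", "D"): (Fraction(0), Fraction(0)),
    ("D", "C"): (Fraction(1), Fraction(1, 5)),
    ("C", "D"): (Fraction(1, 5), Fraction(1)),
    ("C", "C"): (Fraction(9, 10), Fraction(9, 10)),
}
# A correlated equilibrium of CHICKEN: told D, playing D is strictly better (1 > 9/10);
# told C, playing C or D both give 2/3.  Expected payoff 3/4 for each player.
CHICKEN_CE: Dict[Strategy, Fraction] = {
    ("D", "C"): Fraction(1, 4), ("C", "D"): Fraction(1, 4), ("C", "C"): Fraction(1, 2),
}
EPS = Fraction(1, 10)                                   # total bias budget of the coin flips
# Same multiset as emulate(CHICKEN_CE, 2) but ordered so that every round has opposite preferences.
ALL_DISAGREE: List[Strategy] = [("D", "C"), ("C", "C"), ("C", "D"), ("C", "C")]


def emulate(p: Dict[Strategy, Fraction], k: int) -> List[Strategy]:
    """Step 1: write a dyadic distribution p as the uniform distribution on a multiset of 2^k entries."""
    multiset: List[Strategy] = []
    for s, prob in p.items():
        copies = prob * 2 ** k
        assert copies.denominator == 1, "p must be a multiple of 2^-k (emulation error delta = 0)"
        multiset += [s] * int(copies)
    assert len(multiset) == 2 ** k
    return multiset


def _entries(multiset: Sequence[Strategy], prefix: Prefix) -> Sequence[Strategy]:
    """Multiset entries whose k-bit index starts with the given bits (most significant bit first)."""
    k = len(multiset).bit_length() - 1
    start = sum(b << (k - 1 - i) for i, b in enumerate(prefix))
    return multiset[start:start + (1 << (k - len(prefix)))]


def preference(multiset: Sequence[Strategy], payoffs: Payoffs, player: int, prefix: Prefix) -> int:
    """Step 2(a): sign(E[u_i | prefix 0] - E[u_i | prefix 1]); +1 prefers bit 0, -1 prefers 1, 0 indifferent."""
    def mean(bit: int) -> Fraction:
        entries = _entries(multiset, prefix + (bit,))
        return sum(payoffs[s][player] for s in entries) / len(entries)
    diff = mean(0) - mean(1)
    return (diff > 0) - (diff < 0)


def sampling_distribution(multiset: Sequence[Strategy], payoffs: Payoffs, eps: Fraction,
                          cheater: Optional[int] = None) -> Dict[Prefix, Fraction]:
    """Exact distribution over the k coin strings produced by steps 2-3.

    The weak coin flip is modelled only by its security guarantee: an honest run is a fair
    coin, and a cheating player (0 or 1) shifts the probability of their preferred value by
    at most eps/k.  When the announced preferences agree no coin is flipped.
    """
    k = len(multiset).bit_length() - 1
    dist: Dict[Prefix, Fraction]

    dist = {(): Fraction(1)}
    for _ in range(k):
        nxt: Dict[Prefix, Fraction] = {}
        for prefix, prob in dist.items():
            a1 = preference(multiset, payoffs, 0, prefix)
            a2 = preference(multiset, payoffs, 1, prefix)
            if a1 * a2 == -1:                                 # step 2(b): run WCF(a1, eps/k)
                p0 = Fraction(1, 2)
                if cheater is not None:
                    wants0 = (a1 if cheater == 0 else a2) == 1
                    p0 += eps / k if wants0 else -eps / k
                nxt[prefix + (0,)] = prob * p0
                nxt[prefix + (1,)] = prob * (1 - p0)
            else:                                             # commonly desirable value
                common = 0 if a1 + a2 >= 0 else 1             # an indifferent player defers (assumption)
                nxt[prefix + (common,)] = prob
        dist = nxt
    return dist


def expected_payoff(multiset: Sequence[Strategy], payoffs: Payoffs,
                    dist: Dict[Prefix, Fraction], player: int) -> Fraction:
    """E_{s <- dist}[u_player(s)], mapping each coin string back to its multiset entry."""
    k = len(multiset).bit_length() - 1
    total = Fraction(0)
    for bits, prob in dist.items():
        index = sum(b << (k - 1 - i) for i, b in enumerate(bits))
        total += prob * payoffs[multiset[index]][player]
    return total


if __name__ == "__main__":
    honest = sampling_distribution(ALL_DISAGREE, CHICKEN, EPS)
    cheat = sampling_distribution(ALL_DISAGREE, CHICKEN, EPS, cheater=0)
    print("honest  u1 =", expected_payoff(ALL_DISAGREE, CHICKEN, honest, 0))      # 3/4, exactly p
    print("cheater u1 =", expected_payoff(ALL_DISAGREE, CHICKEN, cheat, 0), "<= 3/4 + eps")
    print("victim  u2 =", expected_payoff(ALL_DISAGREE, CHICKEN, cheat, 1), ">= 3/4 - eps")
    agreed = emulate(CHICKEN_CE, 2)                      # round 1 has a common preference
    print("agreed  u1 =", expected_payoff(agreed, CHICKEN, sampling_distribution(agreed, CHICKEN, EPS), 0))
```

With the `ALL_DISAGREE` ordering every round is a coin flip, so the honest run reproduces $p$ exactly; a cheating Player 1 who biases each of the two flips by $\varepsilon/2$ moves from $3/4$ to $0.7885$, inside the $\varepsilon = 0.1$ bound, while the honest Player 2 drops to $0.7085$, also inside the bound. With the insertion-order multiset from `emulate` both players prefer bit 1 in round 1, the bit is fixed, and both get $9/10 > 3/4$.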
A final remark is that the same protocol can be used for general k-player games. In each round, some players prefer $\bar s_m$ to be 0 and some players prefer 1. We can then let two representatives, one from each group, do the weak coin flipping, at the end of which the representatives announce the bits. If one representative lies, then the others reject in the third stage. The previous analysis then easily applies to this scenario as well.
References
[ADGH06] Abraham, I., Dolev, D., Gonen, R., Halpern, J.: Distributed computing
meets game theory: robust mechanisms for rational secret sharing and multiparty
computation. In: Proceedings of the Twenty-fifth Annual ACM Symposium on
Principles of Distributed Computing, pp. 53–62 (2006)
[Aum74] Aumann, R.: Subjectivity and correlation in randomized strategies. Journal
of Mathematical Economics 1, 67–96 (1974)
[Bár92] Bárány, I.: Fair distribution protocols or how the players replace fortune. Math-
ematics of Operations Research 17, 327–340 (1992)
[CDT09] Chen, X., Deng, X., Teng, S.: Settling the complexity of computing two-player
nash equilibria. Journal of the ACM 56(3) (2009)
[CK09] Chailloux, A., Kerenidis, I.: Optimal quantum strong coin flipping. In: The
50th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp.
527–533 (2009)
[DGP09] Daskalakis, C., Goldberg, P., Papadimitriou, C.: Computing a nash equilib-
rium is PPAD-complete. SIAM Journal on Computing 39(1), 195–259 (2009)
[DHR00] Dodis, Y., Halevi, S., Rabin, T.: A Cryptographic Solution to a Game Theo-
retic Problem. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 112–130.
Springer, Heidelberg (2000)
[FS02] Feigenbaum, J., Shenker, S.: Distributed algorithmic mechanism design: recent
results and future directions. In: Proceedings of the 6th International Workshop
on Discrete Algorithms and Methods for Mobile Computing and Communications,
pp. 1–13 (2002)
[IML05] Izmalkov, S., Micali, S., Lepinski, M.: Rational secure computation and ideal
mechanism design. In: Proceedings of the 46th Annual IEEE Symposium on Foun-
dations of Computer Science, pp. 585–595 (2005)
[Kit03] Kitaev, A.: Quantum coin-flipping. Presentation at The 6th Workshop on
Quantum Information Processing, QIP 2003 (2003)
[LMPS04] Lepinski, M., Micali, S., Peikert, C., Shelat, A.: Completely fair SFE and
coalition-safe cheap talk. In: Proceedings of the Twenty-third Annual ACM Sym-
posium on Principles of Distributed Computing, pp. 1–10 (2004)
[Lo97] Lo, H.-K.: Insecurity of quantum secure computations. Physical Review A 56(2)
(1997)
[Moc07] Mochon, C.: Quantum weak coin flipping with arbitrarily small bias.
arXiv:0711.4114 (2007)
[Nas51] Nash, J.: Non-cooperative games. The Annals of Mathematics 54(2), 286–295
(1951)
[PR08] Papadimitriou, C.H., Roughgarden, T.: Computing correlated equilibria in
multi-player games. Journal of the ACM 55(3) (2008)
[vNM44] von Neumann, J., Morgenstern, O.: Theory of Games and Economic Behav-
ior. Princeton University Press (1944)
[VNRT07] Vazirani, V., Nisan, N., Roughgarden, T., Tardos, É.: Algorithmic Game
Theory. Cambridge University Press (2007)
[Zha12] Zhang, S.: Quantum strategic game theory. In: Proceedings of the 3rd
Innovations in Theoretical Computer Science, pp. 39–59 (2012); earlier at
arXiv:1012.5141 and QIP 2011
A Proof of Claim 4
For the convenience of notation, we sometimes write $u_1(\bar s)$ to mean $u_1(s)$ where $s$ corresponds to $\bar s$. First, by expanding the probability into marginal times conditional probabilities, we have
$$\sum_{\bar s_1 \cdots \bar s_m} \big(\bar q(\bar s_1 \cdots \bar s_m) - \bar p_h(\bar s_1 \cdots \bar s_m)\big) \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_m)\, u_1(s)$$
$$= \sum_{\bar s_1 \cdots \bar s_{m-1}} \sum_{\bar s_m} \Big( \bar q(\bar s_1 \cdots \bar s_{m-1})\, \bar q(\bar s_m \,|\, \bar s_1 \cdots \bar s_{m-1}) - \bar p_h(\bar s_1 \cdots \bar s_{m-1})\, \bar p_h(\bar s_m \,|\, \bar s_1 \cdots \bar s_{m-1}) \Big) \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_m)\, u_1(s).$$
For those $\bar s_1 \cdots \bar s_{m-1}$ for which the two players have the same preference on $\bar s_m$, the best Player 1 can do is to follow the honest protocol. Thus the corresponding part of the inequality in Claim 4 holds even without the $\varepsilon/k$ term. For the remaining $\bar s_1 \cdots \bar s_{m-1}$ the two players have different preferences; without loss of generality, assume that Player 1 prefers $\bar s_m$ to be 0. Then the best Player 1 can do to raise her utility is to bias $\bar s_m$ in the coin flipping towards 0 as much as possible. By the security of the weak coin flipping (which holds against a dishonest player that may possess a quantum auxiliary input, hence covers the situation where the dishonest player tries to entangle the different executions of the coin flips), the part of the above quantity coming from these $\bar s_1 \cdots \bar s_{m-1}$ is at most
$$\sum_{\bar s_1 \cdots \bar s_{m-1}} \bar q(\bar s_1 \cdots \bar s_{m-1}) \Big(\frac12 + \frac{\varepsilon}{k}\Big) \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1} 0)\, u_1(\bar s_1 \cdots \bar s_{m-1} 0 \bar s_{m+1} \cdots \bar s_k)$$
$$+ \sum_{\bar s_1 \cdots \bar s_{m-1}} \bar q(\bar s_1 \cdots \bar s_{m-1}) \Big(\frac12 - \frac{\varepsilon}{k}\Big) \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1} 1)\, u_1(\bar s_1 \cdots \bar s_{m-1} 1 \bar s_{m+1} \cdots \bar s_k)$$
$$- \sum_{\bar s_1 \cdots \bar s_{m-1}} \bar p_h(\bar s_1 \cdots \bar s_{m-1})\, \frac12 \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1} 0)\, u_1(\bar s_1 \cdots \bar s_{m-1} 0 \bar s_{m+1} \cdots \bar s_k)$$
$$- \sum_{\bar s_1 \cdots \bar s_{m-1}} \bar p_h(\bar s_1 \cdots \bar s_{m-1})\, \frac12 \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1} 1)\, u_1(\bar s_1 \cdots \bar s_{m-1} 1 \bar s_{m+1} \cdots \bar s_k)$$
$$= \sum_{\bar s_1 \cdots \bar s_{m-1}} \big(\bar q(\bar s_1 \cdots \bar s_{m-1}) - \bar p_h(\bar s_1 \cdots \bar s_{m-1})\big) \sum_{\bar s_m} \bar p_h(\bar s_m \,|\, \bar s_1 \cdots \bar s_{m-1}) \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_m)\, u_1(s)$$
$$\quad + \frac{\varepsilon}{k} \sum_{\bar s_1 \cdots \bar s_{m-1}} \bar q(\bar s_1 \cdots \bar s_{m-1}) \Big[ \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1} 0)\, u_1(\bar s_1 \cdots \bar s_{m-1} 0 \bar s_{m+1} \cdots \bar s_k) - \sum_{\bar s_{m+1} \cdots \bar s_k} \bar p_h(\bar s_{m+1} \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1} 1)\, u_1(\bar s_1 \cdots \bar s_{m-1} 1 \bar s_{m+1} \cdots \bar s_k) \Big]$$
$$\le \sum_{\bar s_1 \cdots \bar s_{m-1}} \big(\bar q(\bar s_1 \cdots \bar s_{m-1}) - \bar p_h(\bar s_1 \cdots \bar s_{m-1})\big) \sum_{\bar s_m \cdots \bar s_k} \bar p_h(\bar s_m \cdots \bar s_k \,|\, \bar s_1 \cdots \bar s_{m-1})\, u_1(s) + \frac{\varepsilon}{k},$$
where we used the fact that $\bar p_h(\bar s_m \,|\, \bar s_1 \cdots \bar s_{m-1}) = 1/2$ for these prefixes in the equality, and the fact that the game is $[0,1]$-normalized (so the bracket is at most 1 and $\sum \bar q(\bar s_1 \cdots \bar s_{m-1}) \le 1$) in the inequality.
An All-But-One Entropic Uncertainty Relation,
and Application to Password-Based Identification
1 Introduction
In this work, we propose and prove a new general entropic uncertainty relation.
Entropic uncertainty relations are quantitative characterizations of Heisenberg’s
uncertainty principle, which make use of an entropy measure (usually Shannon
entropy) to quantify uncertainty. Our new entropic uncertainty relation dis-
tinguishes itself from previously known uncertainty relations by the following
collection of features:
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 29–44, 2013.
© Springer-Verlag Berlin Heidelberg 2013
30 N.J. Bouman et al.
2. It lower bounds the uncertainty in the measurement outcome for all but one
choice for the measurement from an arbitrary, and in particular arbitrarily
large, family of possible measurements. This is clearly stronger than typical
entropic uncertainty relations that lower bound the uncertainty on average
(over the choice of the measurement).
3. The measurements can be chosen to be qubit-wise measurements, in the
computational or Hadamard basis, and thus the uncertainty relation is ap-
plicable to settings that can be implemented using current technology.
$$H_{\min}(X \,|\, J = j, J' = j') \gtrsim \frac{d}{2} \qquad \forall\, j \ne j' \in \{1, \ldots, m\},$$
no matter what the distribution of $J$ is.² Thus, unless the measurement $J$ coincides with $J'$, there are roughly $d/2$ bits of min-entropy in the outcome $X$.
² The approximate inequality will be made rigorous in the main body.
An All-But-One Entropic Uncertainty Relation, and Application 31
2 Preliminaries
We write D(H) for the set of all density matrices on Hilbert space H.
Definition 1 (Min-Entropy [10,7]). For any density matrix $\rho_{XE} \in \mathcal D(\mathcal H_{XE})$ with classical $X$, the min-entropy of $X$ when given $\mathcal H_E$ is defined as
$$H_{\min}(X|E) := -\log p_{\mathrm{guess}}(X|E),$$
where the guessing probability $p_{\mathrm{guess}}(X|E) := \max_{\{M_x\}} \sum_x P_X(x)\, \mathrm{tr}(M_x \rho_E^x)$ is the maximal success probability of guessing $X$ by a positive operator-valued measurement $\{M_x\}$ of $E$.
³ Actually, [4] proposed two such schemes: QID and QID⁺. QID offers security against impersonation attacks, and QID⁺ additionally offers security against man-in-the-middle attacks but is not truly password-based. In this work, we focus on impersonation attacks only (with truly password-based security).
If two states $\rho$ and $\sigma$ are $\varepsilon$-close in trace distance, i.e. $\frac12 \|\rho - \sigma\|_1 \le \varepsilon$, we use $\rho \approx_\varepsilon \sigma$ as shorthand.
where $\rho_U := \frac{1}{\dim(\mathcal H_X)} \mathbb I_X$.
was proven and used in the original paper about the BQSM [3]. The proof of Theorem 5 (Appendix A.2) goes along similar lines as the proof in the journal version of [3] for the special case outlined above. It is based on the norm inequality (see Appendix A.1)
$$\|A_1 + \ldots + A_m\| \le 1 + (m - 1) \cdot \max_{j \ne k \in [m]} \|A_j A_k\|$$
here; the other two cases are proved in Appendix A.4, by reducing them to the case $\alpha = 0$ by "inflating" and "deflating" the event $E$ appropriately. The approach for the case $\alpha = 0$ is to define $J'$ in such a way that $E \Leftrightarrow J \ne J'$, i.e., the event $J \ne J'$ coincides with the event $E$. The min-entropy bound from Corollary 6 then immediately translates to $H_{\min}(X \,|\, J = j, J' \ne J) \ge (\delta/2 - 2\varepsilon)n$, and to $H_{\min}(X \,|\, J = j, J' = j') \ge (\delta/2 - 2\varepsilon)n$ for $j \ne j'$ with $P_{JJ'}(j, j') > 0$, as we will show. What is not obvious about the approach is how to define $J'$ when it is supposed to be different from $J$, i.e., when the event $E$ occurs, so that in the end $J$ and $J'$ are independent.
Formally, we define $J'$ by means of the following conditional probability distributions:
$$P_{J'|JX\bar E}(j'|j, x) := \begin{cases} 1 & \text{if } j' = j \\ 0 & \text{if } j' \ne j \end{cases} \qquad\qquad P_{J'|JXE}(j'|j, x) := \begin{cases} 0 & \text{if } j' = j \\[4pt] \dfrac{\Pr[\bar E \,|\, J = j']}{\Pr[E \,|\, J = j]} & \text{if } j' \ne j \end{cases}$$
We assume for the moment that the denominator in the latter expression does not vanish for any $j$; we take care of the case where it does later. Trivially, $P_{J'|JX\bar E}$ is a proper distribution, with non-negative probabilities that add up to 1, and the same holds for $P_{J'|JXE}$:
$$\sum_{j' \in [m]} P_{J'|JXE}(j'|j, x) = \sum_{j' \in [m] \setminus \{j\}} P_{J'|JXE}(j'|j, x) = \frac{\sum_{j' \in [m] \setminus \{j\}} \Pr[\bar E \,|\, J = j']}{\Pr[E \,|\, J = j]} = 1,$$
where we used that $\sum_{j \in [m]} \Pr[\bar E \,|\, J = j] = 1$ (because $\alpha = 0$) in the last equality.
Furthermore, it follows immediately from the definition of $J'$ that $\bar E \Rightarrow J = J'$ and $E \Rightarrow J \ne J'$. Hence, $E \Leftrightarrow J \ne J'$, and thus the bound from Corollary 6 translates to $H_{\min}(X \,|\, J = j, J' \ne J) \ge (\delta/2 - 2\varepsilon)n$. It remains to argue that $J'$ is independent of $J$, and that the bound also holds for $H_{\min}(X \,|\, J = j, J' = j')$ whenever $j \ne j'$.
The latter follows immediately from the fact that conditioned on $J \ne J'$ (which is equivalent to $E$), $X$, $J$ and $J'$ form a Markov chain $X \leftrightarrow J \leftrightarrow J'$, and thus, given $J = j$, additionally conditioning on $J' = j'$ does not change the distribution of $X$. For the independence of $J$ and $J'$, consider the joint probability distribution of $J$ and $J'$, given by
$$P_{JJ'}(j, j') = P_{J'JE}(j', j) + P_{J'J\bar E}(j', j) = P_J(j) \Pr[E \,|\, J = j]\, P_{J'|JE}(j'|j) + P_J(j) \Pr[\bar E \,|\, J = j]\, P_{J'|J\bar E}(j'|j) = P_J(j) \Pr[\bar E \,|\, J = j'],$$
where the last equality follows by separately analyzing the cases $j = j'$ and $j \ne j'$. It follows immediately that the marginal distribution of $J'$ is $P_{J'}(j') = \sum_j P_{JJ'}(j, j') = \Pr[\bar E \,|\, J = j']$, and thus $P_{JJ'} = P_J \cdot P_{J'}$.
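The construction above can be checked mechanically. The following Python snippet is an added example, not from the paper: for a constructed instance with $m = 3$, values $P_J$ and $\Pr[E \,|\, J = j]$ satisfying $\sum_j \Pr[\bar E \,|\, J = j] = 1$ (the $\alpha = 0$ case) and $\Pr[E \,|\, J = j] > 0$ for all $j$, it builds the joint distribution of $(J, J', E)$ from the two conditional tables and verifies that $E \Leftrightarrow J \ne J'$, that the marginal of $J'$ is $\Pr[\bar E \,|\, J = j']$, and that $P_{JJ'} = P_J \cdot P_{J'}$. The instance and the names `build_joint`, `marginals`, `is_product`, `e_iff_mismatch` are this example's own.

```python
"""Checking the construction of J' for the case alpha = 0 (added example)."""
from fractions import Fraction
from typing import Dict, Tuple

Joint = Dict[Tuple[int, int, bool], Fraction]   # (j, j', e) -> probability; e is True iff E occurred

# Constructed instance with m = 3: P_J and Pr[E|J=j] chosen so that sum_j Pr[not E|J=j] = 1
# (the alpha = 0 case) and Pr[E|J=j] > 0 for every j.
EXAMPLE_PJ = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}
EXAMPLE_PR_E = {0: Fraction(1, 2), 1: Fraction(2, 3), 2: Fraction(5, 6)}


def build_joint(p_j: Dict[int, Fraction], pr_e: Dict[int, Fraction]) -> Joint:
    """Joint distribution of (J, J', E) induced by P_J, Pr[E|J=j] and the two conditional
    tables of the text: given not E, J' = J; given E, J' != J with
    P(J' = j' | J = j, E) = Pr[not E | J = j'] / Pr[E | J = j]."""
    assert sum(1 - pr_e[j] for j in p_j) == 1, "alpha must be 0"
    assert all(pr_e[j] > 0 for j in p_j), "Pr[E|J=j*] = 0 is handled separately in the text"
    joint: Joint = {}
    for j in p_j:
        for jp in p_j:
            joint[(j, jp, False)] = p_j[j] * (1 - pr_e[j]) * (1 if jp == j else 0)
            joint[(j, jp, True)] = p_j[j] * pr_e[j] * (0 if jp == j else (1 - pr_e[jp]) / pr_e[j])
    return joint


def marginals(joint: Joint) -> Tuple[Dict[int, Fraction], Dict[int, Fraction]]:
    """Marginal distributions P_J and P_J'."""
    p_j: Dict[int, Fraction] = {}
    p_jp: Dict[int, Fraction] = {}
    for (j, jp, _), prob in joint.items():
        p_j[j] = p_j.get(j, Fraction(0)) + prob
        p_jp[jp] = p_jp.get(jp, Fraction(0)) + prob
    return p_j, p_jp


def is_product(joint: Joint) -> bool:
    """Independence check: P_JJ'(j, j') = P_J(j) * P_J'(j') for all pairs."""
    p_j, p_jp = marginals(joint)
    return all(joint[(j, jp, False)] + joint[(j, jp, True)] == p_j[j] * p_jp[jp]
               for j in p_j for jp in p_jp)


def e_iff_mismatch(joint: Joint) -> bool:
    """E <=> J != J': no probability mass on (E and J = J') or on (not E and J != J')."""
    return all(prob == 0 for (j, jp, e), prob in joint.items() if e == (j == jp))


if __name__ == "__main__":
    joint = build_joint(EXAMPLE_PJ, EXAMPLE_PR_E)
    print("total mass      :", sum(joint.values()))
    print("E <=> J != J'   :", e_iff_mismatch(joint))
    print("J, J' independent:", is_product(joint))
    print("P_J' =", marginals(joint)[1])
```

Every arithmetic step uses exact rationals, so the independence test is an exact equality rather than a floating-point approximation; the two assertions at the top of `build_joint` are exactly the hypotheses the text makes before the construction.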
What is left to do for the case $\alpha = 0$ is to deal with the case where there exists $j^*$ with $\Pr[E \,|\, J = j^*] = 0$. Since $\sum_{j \in [m]} \Pr[\bar E \,|\, J = j] = 1$, it holds that
$$\rho_{WW'E \,|\, W \ne W'} \approx_\varepsilon \rho_{W \leftrightarrow W' \leftrightarrow E \,|\, W \ne W'}.$$
Protocol Q-ID
(1) $U$ picks $x \in \{0,1\}^n$ at random and sends $H^{c(w)}|x\rangle$ to $S$.
(2) $S$ measures in basis $c(w')$. Let $x'$ be the outcome.
(3) $U$ picks $f \in \mathcal F$ randomly and independently and sends it to $S$.
(4) $S$ picks $g \in \mathcal G$ randomly and independently and sends it to $U$.
(5) $U$ computes and sends $z := f(x) \oplus g(w)$ to $S$.
(6) $S$ accepts if and only if $z = z'$ where $z' := f(x') \oplus g(w')$.
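As an added example (not part of the paper and not the authors' code), the following Python simulation runs the six steps of Q-ID classically. It assumes $c(w) = w$ (the real scheme uses a code with relative minimum distance $\delta$), models the qubit-wise measurement of step (2) by the standard rule that a matching basis reproduces the bit and a mismatched basis yields a uniformly random bit, and takes $\mathcal F$ and $\mathcal G$ to be random binary linear maps to $\ell$ bits; the hash families and the names `random_linear_map`, `run_qid`, `accept_rate` are choices of this example. It shows completeness (a server holding the same password always accepts) and that a server holding a different password accepts with probability about $2^{-\ell}$. It does not model a dishonest server with bounded quantum memory, which is what Theorem 12 below is about.

```python
"""Classical simulation of the six-step Q-ID exchange (added example)."""
import random
from typing import List

Bits = List[int]


def random_bits(n: int, rng: random.Random) -> Bits:
    return [rng.getrandbits(1) for _ in range(n)]


def xor_bits(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def code(w: Bits) -> Bits:
    """Basis-choice code c.  ASSUMPTION of this example: c(w) = w.  The real scheme uses a
    binary code with relative minimum distance delta, so that two different passwords select
    bases that differ in at least delta*n positions."""
    return list(w)


def measure(x: Bits, send_basis: Bits, meas_basis: Bits, rng: random.Random) -> Bits:
    """Qubit-wise BB84 measurement: where the bases agree the outcome equals x_i, where they
    disagree (computational vs Hadamard) the outcome is a uniformly random bit."""
    return [xi if sb == mb else rng.getrandbits(1)
            for xi, sb, mb in zip(x, send_basis, meas_basis)]


def random_linear_map(n_in: int, n_out: int, rng: random.Random) -> List[Bits]:
    """Uniformly random n_out x n_in binary matrix M; x -> M x over GF(2) is the hash family
    assumed here for both F and G (the paper only requires suitable families)."""
    return [random_bits(n_in, rng) for _ in range(n_out)]


def apply_map(matrix: List[Bits], x: Bits) -> Bits:
    return [sum(m * xi for m, xi in zip(row, x)) & 1 for row in matrix]


def run_qid(w: Bits, w_prime: Bits, ell: int, rng: random.Random) -> bool:
    """One run of Q-ID between a user holding w and a server holding w_prime.
    Returns the server's accept decision of step (6)."""
    n = len(w)
    x = random_bits(n, rng)                                  # (1) U picks x, sends H^{c(w)}|x>
    x_prime = measure(x, code(w), code(w_prime), rng)         # (2) S measures in basis c(w')
    f = random_linear_map(n, ell, rng)                        # (3) U picks f in F
    g = random_linear_map(len(w), ell, rng)                   # (4) S picks g in G
    z = xor_bits(apply_map(f, x), apply_map(g, w))            # (5) U sends z = f(x) xor g(w)
    z_prime = xor_bits(apply_map(f, x_prime), apply_map(g, w_prime))
    return z == z_prime                                       # (6) accept iff z = z'


def accept_rate(w: Bits, w_prime: Bits, ell: int, trials: int, seed: int) -> float:
    """Fraction of `trials` independent runs (seeded, so reproducible) that the server accepts."""
    rng = random.Random(seed)
    return sum(run_qid(w, w_prime, ell, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    w = [1, 0] * 32                               # constructed 64-bit password
    wrong = [1 - w[0]] + w[1:]                    # differs from w in a single bit
    print("correct password accept rate:", accept_rate(w, w, 32, 100, 1))      # 1.0
    print("wrong password accept rate:  ", accept_rate(w, wrong, 32, 100, 1))  # ~2^-32 per run
```

With equal passwords the bases coincide, $x' = x$ and step (6) succeeds deterministically. With a different password the bases differ on the positions where $w$ and $w'$ differ, $x \oplus x'$ is uniform there, and since $f$ is linear the server's check reduces to $f(x \oplus x') = g(w) \oplus g(w')$, which a uniformly random $g$ satisfies with probability exactly $2^{-\ell}$.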
The proof of this claim can be found in the full version [2]. In the BQSM, we
achieve the following security for the user.
Theorem 12. Let $S^*$ be a dishonest server whose quantum memory is at most $q$ qubits at Step (3) of Q-ID. Then, for any $0 < \kappa < \delta/4$, Q-ID is $\varepsilon$-secure for the user with
$$\varepsilon = 2^{-\frac12\left((\delta/2 - 2\kappa)n - 1 - q - \ell\right)} + 4 \cdot 2^{-\kappa n}.$$
The proof follows quite easily from our new uncertainty relation and vitally
relies on its all-but-one feature. We show the first (and most important) part of
the proof below, the rest of the proof can be found in Appendix A.5. To prove
Theorem 12 we will use the following lemma.
Lemma 13. For any density matrix ρ on HXY E with classical X and Y and E
consisting of q qubits, it holds that
Hmin(X|Y E) ≥ Hmin(X|Y ) − q.
The proof of this lemma can be found in the full version [2].
Proof (of Theorem 12). We consider and analyze a purified version of Q-ID where in step (1), instead of sending $|X\rangle_c$ to $S^*$ for a uniformly distributed $X$, $U$ prepares a fully entangled state $2^{-n/2} \sum_x |x\rangle|x\rangle$ and sends the second register to $S^*$ while keeping the first. Then, in step (3), when the memory bound has applied, $U$ measures his register in the basis $c(W)$ in order to obtain $X$. Note that this procedure produces exactly the same common state as in the original (non-purified) version of Q-ID. Thus, we may just as well analyze this purified version.
The state of S∗ consists of his initial state and his part of the EPR pairs, and
may include an additional ancilla register. Before the memory bound applies,
S∗ may perform any unitary transformation on his composite system. When
the memory bound is applied (just before step (3) is executed in Q-ID), S∗ has
to measure all but q qubits of his system. Let the classical outcome of this
measurement be denoted by y, and let E be the remaining quantum state of
at most q qubits. The common state has collapsed to a (n + q)-qubit state and
depends on y; the analysis below holds for any y. Next, U measures his n-qubit
part of the common state in basis c(W ); let X denote the classical outcome of this
measurement. By our new uncertainty relation (Theorem 7) and subsequently
applying the min-entropy chain rule that is given in Lemma 13 (to take the q
stored qubits into account) it follows that there exists $W'$, independent of $W$, and an event $\Omega$ that occurs with probability at least $1 - 2 \cdot 2^{-\kappa n}$, such that
$$H_{\min}(X \,|\, E, W = w, W' = w', \Omega) \ge (\delta/2 - 2\kappa)n - 1 - q.$$
The proof is quite involved. Since the dishonest server can store all the qubits and
then decide in the end how to measure them, depending on all the information
obtained during the scheme, standard tools like privacy amplification are not
applicable. The proof, which relies on a certain minimum-distance property of
random binary matrices and makes use of Diaconis and Shahshahani’s XOR
inequality [5], can be found in the full version [2].
Acknowledgments. NJB is supported by an NWO Open Competition grant.
CGG is supported by Spanish Grants I-MATH, MTM2008-01366, QUITEMAD
and QUEVADIS. CS is supported by an NWO VENI grant.
References
1. Bhatia, R.: Matrix Analysis. Springer, New York (1997)
2. Bouman, N.J., Fehr, S., González-Guillén, C., Schaffner, C.: An all-but-one entropic
uncertainty relation, and application to password-based identification (2011), full
version http://arxiv.org/abs/1105.6212
3. Damgård, I., Fehr, S., Salvail, L., Schaffner, C.: Cryptography in the bounded
quantum-storage model. In: 46th Ann. IEEE FOCS, pp. 449–458 (2005); also in
SIAM Journal on Computing 37(6),1865–1890 (2008)
4. Damgård, I.B., Fehr, S., Salvail, L., Schaffner, C.: Secure Identification and QKD
in the Bounded-Quantum-Storage Model. In: Menezes, A. (ed.) CRYPTO 2007.
LNCS, vol. 4622, pp. 342–359. Springer, Heidelberg (2007)
5. Diaconis, P.: Group Representations in Probability and Statistics. Lecture Notes
— Monograph series, vol. 11. Inst. of Math. Stat., Hayward (1988)
6. Kittaneh, F.: Norm inequalities for certain operator sums. Journal of Functional
Analysis 143(2), 337–348 (1997)
7. König, R., Renner, R., Schaffner, C.: The operational meaning of min-and max-
entropy. IEEE Tran. Inf. Th. 55(9), 4337–4347 (2009)
8. Maassen, H., Uffink, J.B.M.: Generalized entropic uncertainty relations. Phys. Rev.
Lett. 60(12), 3 (1988)
9. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information,
1st edn. Cambridge University Press (2000)
10. Renner, R.: Security of Quantum Key Distribution. PhD thesis, ETH Zürich
(Switzerland) (September 2005), http://arxiv.org/abs/quant-ph/0512258
11. Renner, R., König, R.: Universally Composable Privacy Amplification Against
Quantum Adversaries. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 407–425.
Springer, Heidelberg (2005)
12. Schaffner, C.: Cryptography in the Bounded-Quantum-Storage Model. PhD thesis,
University of Aarhus (Denmark) (September 2007)
13. Wehner, S., Winter, A.: Entropic uncertainty relations—a survey. New J. of
Phys. 12(2) (2010)
A Proofs
A.1 A Useful Norm Inequality (Proposition 16)
Before stating the inequality, we recall some basic properties of the operator norm $\|A\| := \sup \|A|\psi\rangle\|$, where the supremum is over all norm-1 vectors $|\psi\rangle \in \mathcal H$. First of all, it is easy to see that
$$\left\| \begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix} \right\| = \max\{\|A\|, \|B\|\}.$$
Proof. For any two $n \times n$ matrices $X$ and $Y$, $XY$ and $YX$ have the same eigenvalues, see e.g. [1, Exercise I.3.7]. Therefore, $\|XY\| = \lambda_{\max}(XY) = \lambda_{\max}(YX) = \|YX\|$.
We are now ready to state and prove the norm inequality. We recall that an orthogonal projector $P$ satisfies $P^2 = P$ and $P^* = P$.
Proof. Defining
$$X := \begin{pmatrix} A_1 & A_2 & \cdots & A_m \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \quad\text{and}\quad Y := \begin{pmatrix} A_1 & 0 & \cdots & 0 \\ A_2 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ A_m & 0 & \cdots & 0 \end{pmatrix}$$
yields
$$XY = \begin{pmatrix} S & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix}, \quad\text{and}\quad YX = \begin{pmatrix} A_1A_1 & A_1A_2 & \cdots & A_1A_m \\ A_2A_1 & A_2A_2 & \cdots & A_2A_m \\ \vdots & \vdots & \ddots & \vdots \\ A_mA_1 & A_mA_2 & \cdots & A_mA_m \end{pmatrix}$$
$$YX = \begin{pmatrix} * & 0 & \cdots & 0 \\ 0 & * & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & * \end{pmatrix} + \begin{pmatrix} 0 & * & \cdots & 0 \\ \vdots & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & * \\ * & 0 & \cdots & 0 \end{pmatrix} + \cdots + \begin{pmatrix} 0 & \cdots & 0 & * \\ * & \ddots & & 0 \\ \vdots & \ddots & \ddots & \vdots \\ 0 & \cdots & * & 0 \end{pmatrix}$$
where the ∗ stand for entries of Y X and for i = 1, . . . , m the ith star-pattern
after the diagonal pattern is obtained by i cyclic shifts of the columns of the
diagonal pattern.
$XY$ and $YX$ are Hermitian and thus we can apply Lemma 15. Then, by applying the triangle inequality, the unitary invariance of the operator norm and the facts that for all $j \neq k$: $\|A_j\| = 1$, $\|A_jA_k\| = \|A_kA_j\|$, we obtain the desired statement.
An All-But-One Entropic Uncertainty Relation, and Application 41
w j∈[m] w j∈[m]
j j k
≤ A A A ,
≤ 1 + (m − 1) · j
=max
k∈[m]
j∈[m]
The third equality follows from Pythagoras, the first inequality holds by the triangle inequality, the second inequality by the bound on $|\langle x_j | y_k \rangle|$, and the last follows from Cauchy–Schwarz. This implies $\|A_jA_k\| \le c\,|L_j|\,|L_k|$ and finishes the proof.
$$= (m-1) - (m-1)2^{-n}.$$
⁷ Here's the mnemonic: S for the strings with Small probabilities, L for Large.
42 N.J. Bouman et al.
$$= (m - 1 - \alpha) + \alpha = m - 1.$$
We can now apply the analysis of the case $\alpha = 0$ to conclude the existence of $J'$, independent of $J$, such that $J = J' \iff E'$ and thus $(J = J') \wedge \bar{E}^\circ \iff E' \wedge \bar{E}^\circ \iff E$. Setting $\Omega := \bar{E}^\circ$, it follows that
Again, from the $\alpha = 0$ case we obtain $J'$, independent of $J$, such that the event $J = J'$ is equivalent to the event $E'$.
It follows that
where the second equality holds because $E' \Rightarrow E$, the first inequality holds because additionally conditioning on $E'$ increases the probabilities of $X$ conditioned on $J = j$ and $E$ by at most a factor $1/P[E' \mid E, J = j]$, and the last inequality holds by Corollary 6 and because $P[E' \mid E, J = j] = \frac{m-1-\alpha}{m-1} \ge \frac{1}{2}$, where the latter holds since $\alpha \ge -1$. Finally, using similar reasoning as in the previous cases, it follows that the same bound holds for $H_{\min}(X \mid J = j, J' = j')$ whenever $j \neq j'$. This concludes the proof.
δ(ρW W E|W
=W , ρW ↔W ↔E|W
=W )
= 12 ρW W E F GZ|W
=W − ρW ↔W ↔E F GZ|W
=W 1
≤ 12 ρW W E F GZ|W
=W − ρW W E F G|W
=W ⊗ 2− I1
+ 12 ρW W E F G|W
=W ⊗ 2− I − ρW ↔W ↔E F GZ|W
=W 1 (2)
where the equality follows by definition of trace distance (Definition 2) and the fact that the output state $E'$ is obtained by applying a unitary transformation to the set of registers $(E', F', G', W', Z)$. The inequality is the triangle inequality; in the remainder of the proof, we will show that both terms in (2) are upper bounded by $\varepsilon'$.
2 ρW W E F GZ|W
=W
1
− ρW W E F G|W
=W ⊗ 2− I1
= PW W |W
=W (w, w ) dunif (Z|E F G, W = w, W = w ) ≤ ε ,
w
=w
where the latter inequality follows from (1). For the other term, we reason as
follows:
2 ρW W E F G|W
=W
1
⊗ 2− I − ρW ↔W ↔E F GZ|W
=W 1
= 1
2 PW W |W
=W (w, w ) ρw,w −
E F G|W
=W ⊗ 2 I − ρE F GZ|W
=W 1
w
w
=w
= 1
2 PW W |W
=W (w, w ) ρw,w −
E F G|W
=W ⊗ 2 I
w
=w
− PW |W ,W
=W (w |w )ρw ,w
E F GZ|W
=W 1
w
s.t. w
=w
= 1
2 PW |W
=W (w ) PW |W ,W
=W (w|w )ρw,w −
E F G|W
=W ⊗ 2 I
w w
s.t. w
=w
− PW |W ,W
=W (w |w )ρw ,w
E F GZ|W
=W PW |W ,W
=W (w|w )1
w w
s.t. w
=w s.t. w
=w
= 1
2 PW W |W
=W (w, w ) ρw,w − w,w
E F G|W
=W ⊗ 2 I − ρE F GZ|W
=W 1
w
=w
= PW W |W
=W (w, w ) dunif (Z|E F G, W = w, W = w ) ≤ ε ,
w
=w
1 Introduction
Wiesner’s protocol for quantum money [36] was a formative idea in quantum
information processing. In this protocol, a bank generates a bank note composed
of n qubits: each qubit is initialized to a state chosen uniformly at random
from the set {|0⟩, |1⟩, |+⟩, |−⟩}, and this choice of states is kept secret by the
bank. The bank can later check the authenticity of a given note by performing a
measurement on each of its qubits, in accordance with its secret record of their
original states. (Each bank note is labeled with a unique serial number, so that all
of the bank notes in circulation may be treated independently.) The security of
Wiesner’s scheme rests on the principle that quantum states cannot be cloned—
that is, a malicious attacker, given access to a fixed supply of authentic bank
Supported by NSERC, MITACS, a Mike and Ophelia Lazaridis Graduate Fellow-
ship, and a David R. Cheriton Graduate Scholarship.
Supported by the National Science Foundation under Grant No. 0844626.
Supported by NSERC, CIFAR, and MITACS.
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 45–64, 2013.
© Springer-Verlag Berlin Heidelberg 2013
46 A. Molina, T. Vidick, and J. Watrous
notes, cannot generate a larger quantity of valid bank notes than those to which
he was initially given access.
Although Wiesner’s scheme was introduced almost three decades ago, to the
best of our knowledge no rigorous analysis with explicit bounds on the security
of the scheme exists in the literature. The intuition that the scheme’s security
follows from the no-cloning principle appears in [20], and quantitatively one
should be able to obtain exponential security guarantees from results such as
proofs of the security of the BB84 quantum key exchange protocol [6,30,24] or of
uncloneable encryption [17]. In this paper we prove tight bounds on the security
of Wiesner’s quantum money scheme, through a simple and easily extended
argument based on semidefinite programming.
We consider the specific situation in which a counterfeiter, given access to a
single authentic bank note, attempts to create two bank notes having the same
serial number that independently pass the bank’s test for validity. We will call
such attacks simple counterfeiting attacks. Our first main result is the following.
Other types of attacks are not analyzed in this paper, but we must note their
existence! For instance, a counterfeiter might use several distinct bank notes
in an attempt to copy one of them, or a counterfeiting attempt might involve
multiple interactions with the bank. By substituting one of two qubits of a Bell
state for each qubit of a bank note, for example, a counterfeiter can succeed in
passing the bank's test for validity with probability $2^{-n}$, and then conditioned
on having succeeded the counterfeiter will be guaranteed to hold a second valid
bank note.² One would therefore expect that the bank would charge a small
fee for testing validity, for otherwise counterfeiters have a positive incentive to
attack the protocol. Generally speaking, an analysis of attacks of this nature
would seem to require a limit on the number of verification attempts permitted,
or the specification of a utility function that weighs the potential gain from
counterfeiting against the costs for multiple verifications. We expect that the
semidefinite programming methods used to prove Theorem 1 would be useful for
analyzing such attacks, but we do not investigate this question further in this
paper.
We also consider simple counterfeiting strategies against quantum money
schemes that generalize Wiesner’s original scheme. These are the schemes ob-
tained by varying the set of possible states that a quantum bank note may store,
as well as the underlying probabilities for those states. We show that there is
¹ Wiesner [36] in fact arrived at a similar bound, but through a not-so-rigorous argument!
² Lutomirski [22] considered a related scenario where the bank kindly provides counterfeiters with access to a bank note's post-measurement qubits, regardless of whether validity was established. He proved that O(n) verification attempts are sufficient to break the protocol in this setting.
Optimal Counterfeiting Attacks and Generalizations 47
As for Theorem 1, our proof of Theorem 2 follows from the use of semidefinite
programming techniques. In addition we show that, contrary to the quantum-
verification setting, the classical-verification analogue of Wiesner’s scheme is
optimal as long as one considers only qubits: either changing the bases used to
encode each qubit or increasing the number of possible bases will not improve
the scheme's security against simple counterfeiting attacks. We also consider
a natural generalization of this scheme to bank notes made of d-dimensional
qudits, and prove that the optimal simple counterfeiting attack against it has
success probability exactly $(3/4 + 1/(4\sqrt{d}))^n$.
Related Work. The no-cloning theorem [37] states that there is no perfect quan-
tum cloning machine. This impossibility result relies on two assumptions: that
we are trying to clone all possible states (of a given dimension), and that we are
trying to do so perfectly. Relaxing either or both assumptions opens the way for
a fruitful exploration of the possibility of approximate cloning machines. Most
³ There has also been work in recent years on creating quantum money schemes that do not require any communication with the bank in order to verify a bank note, but this is only possible under computational assumptions [15,23,1].
⁴ In both cases, the specific distance measure used can also be varied. For instance, the trace distance and the Hilbert-Schmidt distance on density matrices have been considered.
⁵ Our analysis can also be extended to this setting; see Section 3.4 for more details.
Gavinsky [16] also considers more general attacks against his money scheme
with classical verification. Compared to his scheme, ours (like the one in [28]) is
somewhat simpler. For instance, Gavinsky’s protocol requires the user to perform
two-qubit measurements. We prove stronger security bounds, albeit against more
restricted kinds of attacks: Gavinsky obtains security bounds of the form 2−n
c
2 Preliminaries
We assume the reader is familiar with the basics of quantum information theory,
and suggest Nielsen and Chuang [27] to those who are not. The purpose of this
section is to summarize some of the notation and basic concepts we make use of,
and to highlight a couple of concepts that may be less familiar to some readers.
The lecture notes [34] may be helpful to readers interested in further details on
these topics.
Let $d = \dim(\mathcal{X})$ and assume a fixed orthonormal basis $\{|1\rangle, \ldots, |d\rangle\}$ of $\mathcal{X}$ has been selected. With respect to this basis, one defines the Choi-Jamiolkowski operator $J(\Phi) \in \mathrm{L}(\mathcal{Y} \otimes \mathcal{X})$ of a linear mapping $\Phi : \mathrm{L}(\mathcal{X}) \to \mathrm{L}(\mathcal{Y})$ as
$$J(\Phi) = \sum_{1 \le i, j \le d} \Phi(|i\rangle\langle j|) \otimes |i\rangle\langle j|.$$
The mapping J is a linear bijection from the space of mappings of the form
Φ : L(X ) → L(Y) to L(Y ⊗ X ). It is well-known that Φ is completely positive
if and only if J(Φ) ∈ Pos(Y ⊗ X ), and that Φ is trace-preserving if and only if
$\mathrm{Tr}_{\mathcal{Y}}(J(\Phi)) = \mathbb{1}_{\mathcal{X}}$ [11,19]. It is also well-known, and easy to verify, that
$$\langle \phi |\, \Phi(|\psi\rangle\langle\psi|)\, |\phi\rangle = \langle \phi \otimes \bar\psi |\, J(\Phi)\, |\phi \otimes \bar\psi \rangle \qquad (1)$$
for any choice of vectors $|\psi\rangle \in \mathcal{X}$ and $|\phi\rangle \in \mathcal{Y}$, with complex conjugation taken with respect to the standard basis.
$$\alpha = \sup\{\langle A, X \rangle : X \in \mathrm{Pos}(\mathcal{X}),\ \Phi(X) = B\},$$
$$\beta = \inf\{\langle B, Y \rangle : Y \in \mathrm{Herm}(\mathcal{Y}),\ \Phi^*(Y) \ge A\}.$$
(It is to be understood that the supremum over an empty set is −∞ and the
infimum over an empty set is ∞, so α and β are well-defined values in R ∪
{−∞, ∞}. In this paper, however, we will only consider semidefinite programs
for which α and β are finite.)
It always holds that α ≤ β, which is a fact known as weak duality. The
condition α = β, which is known as strong duality, does not hold for every
semidefinite program, but there are simple conditions known under which it
does hold. The following theorem provides one such condition (that has both a
primal and dual form).
In words, the first item of this theorem states that if the dual problem is feasible
and the primal problem is strictly feasible, then strong duality holds and the
optimal dual solution is achievable. The second item is similar, with the roles of
the primal and dual problems reversed.
Because the primal and dual problems are both strictly feasible (as follows
by taking X and Y to be appropriately chosen multiples of the identity, for
example), it follows from Theorem 3 that the optimal values for the primal and
dual problems are always equal, and are both achieved by feasible choices for X
and Y .
where
$$A_0 = \frac{1}{\sqrt{12}} \begin{pmatrix} 3 & 0 \\ 0 & 1 \\ 0 & 1 \\ 1 & 0 \end{pmatrix} \quad\text{and}\quad A_1 = \frac{1}{\sqrt{12}} \begin{pmatrix} 0 & 1 \\ 1 & 0 \\ 1 & 0 \\ 0 & 3 \end{pmatrix}.$$
For the dual problem, the value 3/4 is obtained by the solution $Y = \frac{3}{8}\mathbb{1}_{\mathcal{X}}$, whose feasibility may be verified by computing $\|Q\| = 3/8$.
where $\{|\tau_1\rangle, \ldots, |\tau_4\rangle\}$ are any four states forming a single qubit SIC-POVM [29].
The operator Q corresponding to any such ensemble is identical to the one (3)
from the six-state ensemble above, and therefore yields the same optimal value
for the semidefinite program.
The schemes just mentioned are the best possible single qubit schemes. To see this, one may simply consider the performance of $\Phi$ (i.e., the Bužek–Hillery cloner), for which it follows by a direct calculation that
$$\langle \psi \otimes \psi |\, \Phi(|\psi\rangle\langle\psi|)\, |\psi \otimes \psi \rangle = \frac{2}{3}$$
for every state $|\psi\rangle$. This shows that the optimal primal value, and therefore the optimal counterfeiting probability, is always at least 2/3.
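The following is an added example, not code from the paper, that checks the numbers above: it forms the operator Q of an ensemble (with the conjugation on the input register that equation (1) prescribes), obtains the dual value d‖Q‖ by power iteration, and evaluates the cloner given by A_0, A_1 on the BB84 states that Wiesner's scheme from the Introduction uses, so that the (3/4)^n bound for an n-qubit note follows from the parallel repetition property. The function names, the pure-Python power iteration and the labels BB84, SIX_STATE and WIESNER_CLONER are this example's own.

```python
"""Added example (not from the paper): the single-qubit counterfeiting SDP bound.

For an ensemble E = {p_k, |psi_k>} of d-dimensional states the operator
    Q = sum_k p_k |psi_k psi_k conj(psi_k)><psi_k psi_k conj(psi_k)|
(conjugation on the input register, as in equation (1)) defines the SDP; the dual
solution Y = ||Q|| * 1 has objective value d*||Q||, an upper bound on the success
probability of any simple counterfeiting attack on one note. Pure Python, no numpy;
||Q|| is obtained by power iteration, which is valid because Q is PSD."""
import math


def kron(u, v):
    """Tensor product of two vectors."""
    return [a * b for a in u for b in v]


def inner(u, v):
    """<u|v>, conjugating the first argument."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def normalize(v):
    n = math.sqrt(sum(abs(a) ** 2 for a in v))
    return [a / n for a in v]


def matvec(m, v):
    return [sum(row[j] * v[j] for j in range(len(v))) for row in m]


def build_q(states, probs):
    """Q = sum_k p_k |v_k><v_k| with v_k = psi_k (x) psi_k (x) conj(psi_k)."""
    dim = len(states[0]) ** 3
    q = [[0j] * dim for _ in range(dim)]
    for p, s in zip(probs, states):
        v = kron(kron(s, s), [a.conjugate() for a in s])
        for i in range(dim):
            for j in range(dim):
                q[i][j] += p * v[i] * v[j].conjugate()
    return q


def operator_norm_psd(q, iters=400):
    """Largest eigenvalue (= operator norm) of a PSD matrix by power iteration."""
    v = normalize([complex(i + 1) for i in range(len(q))])  # generic start vector
    lam = 0.0
    for _ in range(iters):
        w = matvec(q, v)
        lam = inner(v, w).real  # Rayleigh quotient <v|Q|v>
        v = normalize(w)
    return lam


def counterfeit_bound(states, probs):
    """Dual value Tr(||Q|| * 1_X) = d * ||Q||: no simple attack does better."""
    return len(states[0]) * operator_norm_psd(build_q(states, probs))


def note_bound(states, probs, n):
    """Bound for an n-fold repetition (each qubit attacked independently is optimal)."""
    return counterfeit_bound(states, probs) ** n


def cloner_success(kraus, psi):
    """<psi psi| Phi(|psi><psi|) |psi psi> for Phi(rho) = sum_k A_k rho A_k^*."""
    target = kron(psi, psi)
    return sum(abs(inner(target, matvec(a, psi))) ** 2 for a in kraus)


R = 1 / math.sqrt(2)
BB84 = [[1, 0], [0, 1], [R, R], [R, -R]]            # Wiesner's ensemble
SIX_STATE = BB84 + [[R, 1j * R], [R, -1j * R]]        # adds |+i>, |-i>
S = 1 / math.sqrt(12)
WIESNER_CLONER = [                                    # A0, A1 from the text above
    [[3 * S, 0], [0, S], [0, S], [S, 0]],
    [[0, S], [S, 0], [S, 0], [0, 3 * S]],
]

if __name__ == "__main__":
    print("BB84 bound      :", counterfeit_bound(BB84, [0.25] * 4))        # 0.75
    print("six-state bound :", counterfeit_bound(SIX_STATE, [1 / 6] * 6))  # 0.6667
    print("10-qubit note   :", note_bound(BB84, [0.25] * 4, 10))           # 0.75**10
    for psi in BB84:
        print("cloner on", psi, "->", cloner_success(WIESNER_CLONER, psi))  # 0.75
```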
single-qubit notes. The value of n plays the role of a security parameter, given
that it becomes increasingly hard to successfully counterfeit n single-qubit bank
notes in a row, without failure, as n grows large.
Now, there is nothing that forces a counterfeiter to attempt to counterfeit an
n-qubit bank note by treating each of its n qubits independently. However, it
is easily concluded from the semidefinite programming formulation above that
a counterfeiter gains no advantage whatsoever by correlating multiple qubits
during an attack. This, in fact, is true for arbitrary choices of the ensemble E,
as follows from a general result of Mittal and Szegedy [25] regarding product
properties of some semidefinite programs. (In our case, this property follows
from the fact that the operator Q defining the objective function in the primal
problem is always positive semidefinite.)
In greater detail, let us consider the n-fold repetition of a scheme, in which a
single repetition of the scheme gives rise to a semidefinite program determined
by Q ∈ Pos(Y ⊗ Z ⊗ X ). Let us write Xj , Yj , and Zj to denote copies of
the spaces X , Y, and Z that represent the j-th repetition of the scheme, for
$j = 1, \ldots, n$, and let us write $\mathcal{X}^{\otimes n} = \mathcal{X}_1 \otimes \cdots \otimes \mathcal{X}_n$, $\mathcal{Y}^{\otimes n} = \mathcal{Y}_1 \otimes \cdots \otimes \mathcal{Y}_n$, and $\mathcal{Z}^{\otimes n} = \mathcal{Z}_1 \otimes \cdots \otimes \mathcal{Z}_n$. The semidefinite program that describes the optimal
simple counterfeiting attack probability for the n-fold repetition is as follows:
Primal problem
$$\text{maximize: } \langle W Q^{\otimes n} W^*, X \rangle$$
$$\text{subject to: } \mathrm{Tr}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}}(X) = \mathbb{1}_{\mathcal{X}^{\otimes n}}, \quad X \in \mathrm{Pos}(\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n} \otimes \mathcal{X}^{\otimes n})$$
Dual problem
$$\text{minimize: } \mathrm{Tr}(Y)$$
$$\text{subject to: } \mathbb{1}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}} \otimes Y \ge W Q^{\otimes n} W^*, \quad Y \in \mathrm{Herm}(\mathcal{X}^{\otimes n})$$
In this semidefinite program, $W$ is a unitary operator representing a permutation of Hilbert spaces:
$$W\,|(y_1 \otimes z_1 \otimes x_1) \otimes \cdots \otimes (y_n \otimes z_n \otimes x_n)\rangle = |(y_1 \otimes \cdots \otimes y_n) \otimes (z_1 \otimes \cdots \otimes z_n) \otimes (x_1 \otimes \cdots \otimes x_n)\rangle,$$
for all choices of $|x_j\rangle \in \mathcal{X}_j$, $|y_j\rangle \in \mathcal{Y}_j$, and $|z_j\rangle \in \mathcal{Z}_j$, for $j = 1, \ldots, n$.
If the optimal value of the semidefinite program is $\alpha$ in the single-repetition case, then the optimal value of the semidefinite program for the n-fold repetition case is necessarily $\alpha^n$. This may be proved by considering the primal and dual solutions
$$X = W(X_1 \otimes \cdots \otimes X_n)W^* \quad\text{and}\quad Y = Y_1 \otimes \cdots \otimes Y_n,$$
for X1 , . . . , Xn being optimal primal solutions and Y1 , . . . , Yn being optimal dual
solutions for the single-repetition semidefinite program. The values obtained by
for such a scheme, for α being the optimal counterfeiting probability for a single
repetition. This is the probability of successful counterfeiting when each repe-
tition is attacked independently. In general, however, this bound may not be
correct: the main result of [26] demonstrates a related setting in which an anal-
ogous bound does not hold, and explains the obstacle to obtaining such a bound
in general.
However, for some schemes, including Wiesner’s original scheme and all of the
other specific schemes (including the classical verification ones in Section 4.2)
discussed in this paper, this bound will be correct. Letting d = dim(X ), the
specific assumptions that we require to obtain the bound (4) are that
$$\sum_{k=1}^{N} p_k |\psi_k\rangle\langle\psi_k| = \frac{1}{d}\mathbb{1}, \qquad (5)$$
Primal problem
$$\text{maximize: } \langle W R W^*, X \rangle$$
$$\text{subject to: } \mathrm{Tr}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}}(X) = \mathbb{1}_{\mathcal{X}^{\otimes n}}, \quad X \in \mathrm{Pos}(\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n} \otimes \mathcal{X}^{\otimes n})$$
Dual problem
$$\text{minimize: } \mathrm{Tr}(Y)$$
$$\text{subject to: } \mathbb{1}_{\mathcal{Y}^{\otimes n} \otimes \mathcal{Z}^{\otimes n}} \otimes Y \ge W R W^*, \quad Y \in \mathrm{Herm}(\mathcal{X}^{\otimes n})$$
where
$$R = \sum_{\substack{a_1, \ldots, a_n \in \{0,1\} \\ a_1 + \cdots + a_n \ge t}} Q_{a_1} \otimes \cdots \otimes Q_{a_n}.$$
To prove that the optimal value of this semidefinite program is given by the ex-
pression (4), it suffices to exhibit primal and dual feasible solutions achieving this
value. As for the standard n-fold repetition case described in the previous sub-
section, it holds that X = W (X1 ⊗ · · ·⊗ Xn )W ∗ is a primal feasible solution that
achieves the desired value, where again X1 , . . . , Xn are optimal primal solutions
to the single-repetition semidefinite program. (This solution simply corresponds
to an attacker operating independently and optimally in each repetition.) For
the dual problem, we take
$$Y = \|R\|\, \mathbb{1}_{\mathcal{X}^{\otimes n}},$$
which is clearly dual-feasible. The condition (5) implies that
$$Q_0 = \frac{1}{d} \mathbb{1}_{\mathcal{Y} \otimes \mathcal{Z} \otimes \mathcal{X}} - Q_1,$$
and a consideration of spectral decompositions of the commuting operators $Q_0$ and $Q_1$ reveals that
$$\|R\| = \frac{1}{d^n} \sum_{t \le j \le n} \binom{n}{j} \alpha^j (1 - \alpha)^{n-j},$$
The answer is that there are better schemes (provided n > 1). More generally,
for every d representing the dimension of the state stored by a quantum bank
note, there exist schemes whose optimal counterfeiting probability is equal to
2/(d + 1), which is the best that is possible: Werner’s quantum cloning map
[35] will always succeed in counterfeiting any quantum bank note of dimension
d with probability 2/(d + 1). The following proposition shows that there exists
a scheme that matches this bound in all dimensions d.
Proposition 1. Let $\mathcal{E} = \{p_k, |\psi_k\rangle\}$ be any ensemble of d-dimensional states for which the operator
$$Q = \sum_{k=1}^{N} p_k\, |\psi_k \otimes \psi_k \otimes \bar\psi_k\rangle\langle \psi_k \otimes \psi_k \otimes \bar\psi_k|$$
is given by
$$Q = \frac{1}{\mathrm{rank}(\Pi)}\, \big(\mathbb{1}_{\mathrm{L}(\mathbb{C}^d)} \otimes \mathbb{1}_{\mathrm{L}(\mathbb{C}^d)} \otimes T\big)(\Pi), \qquad (6)$$
where $T$ is the transposition mapping with respect to the standard basis of $\mathbb{C}^d$ and $\Pi$ is the orthogonal projector onto the symmetric subspace of $\mathbb{C}^d \otimes \mathbb{C}^d \otimes \mathbb{C}^d$. Then no simple counterfeiting strategy can succeed against the money scheme derived from $\mathcal{E}$ with probability greater than $2/(d+1)$.
Before proving the proposition, we note that any ensemble E obtained from a
complex projective (3, 3)-design (also known as a quantum 3-design [4]) satis-
fies (6), and thus leads to an optimal d-dimensional money scheme. This also
suggests that one might obtain more efficient schemes (i.e., involving less possi-
ble states for each part of the note) with security properties similar to the ones
described here if approximate designs are considered instead.
Proof (of Proposition 1). Because we are looking for an upper bound on the maximum counterfeiting probability, it suffices to construct a good feasible solution $Y$ to the dual SDP described in Section 3.1. We will choose $Y = \|Q\|\, \mathbb{1}_{\mathcal{X}}$, which is a feasible dual solution with corresponding objective value $\mathrm{Tr}(Y) = d\|Q\|$. We indicate how results from [13] may be used to show that $\|Q\| = 2/(d(d+1))$, proving the proposition.
The operator Q commutes with all operators of the form U ⊗ U ⊗ U , where
U is any unitary acting on Cd . In Section VI.A of [13] it is shown that any
such operator can be written as a linear combination of six conveniently chosen
Hermitian operators S+ , S− , S0 , S1 , S2 , S3 (for a definition see Eqs. (25a)–(25f)
of [13]). For our operator Q we obtain the decomposition
1 1 d + 2
Q = S+ + S0 + S1 , (7)
rank(Π) 3 6
where
$$S_+ = \frac{1+V}{2} - \frac{1}{2(d+1)}\big(X + XV + VX + VXV\big),$$
$$S_0 + S_1 = \frac{1}{d+1}\big(X + XV + VX + VXV\big),$$
$V$ is the operator that permutes the first two registers on which $Q$ acts, and $X$ the partial transpose of the operator permuting the last two registers. Moreover, as shown in [13], $S_+$ and $S_0$ are mutually orthogonal projections, $S_0 S_1 = S_1 S_0 = S_1$, $S_+ S_1 = S_1 S_+ = 0$, and $S_1^2 = S_0$. Hence, the decomposition (7) shows that the operator norm of $Q$ satisfies
$$\|Q\| = \frac{1}{\mathrm{rank}(\Pi)} \cdot \frac{d+2}{3} = \frac{2}{d(d+1)},$$
as $\mathrm{rank}(\Pi) = \binom{d+2}{3}$.
$$\frac{1}{|C|^2} \sum_{c_1, c_2} \sum_{k=1}^{N} p_k \sum_{\substack{(a_1, a_2):\\ (a_1, c_1, k) \in S \\ (a_2, c_2, k) \in S}} \langle \psi_k |\, A^{a_1 a_2}_{c_1 c_2}\, |\psi_k \rangle, \qquad (8)$$
⁶ As we will see, successful verification of a ticket necessarily entails its destruction. This is unavoidable, as shown in [16]. One may still concatenate together many tickets, each equipped with its own serial number, to create a single bank note. The bank note will then be able to go through as many verification attempts as it contains tickets.
⁷ For instance, the bank could accept all "plausible" answers, i.e., all $a$ such that $\langle \psi_k | \Pi^a_c | \psi_k \rangle > 0$. This condition ensures that honest users are always accepted.
and the SDP constraints are immediately seen to exactly enforce that $\{X^{a_1 a_2}_{c_1 c_2}\}_{a_1 a_2}$ is a POVM for every $(c_1, c_2)$.
We note that the problem faced by the counterfeiter can be cast as a special
instance of the more general state discrimination problem. Indeed, the counter-
feiter’s goal is to distinguish between the following: for every pair of possible
answers (a1 , a2 ), there is a mixed state corresponding to the mixture over all
states $|c_1\rangle|c_2\rangle|\Psi_k\rangle$ for which $(a_1, a_2)$ would be a valid answer. (Each state
is weighted proportionally to the probability of the pair (c1 , c2 ) of being chosen
as challenges by the bank, and of |Ψk being chosen as a bank note.) As such,
the fact that the optimal counterfeiting strategy can be cast as a semidefinite
program follows from similar formulations for the general state discrimination
problem (as the ones considered in e.g. [14]).
$$Q = \frac{1}{2d} \sum_{s,t=0}^{d-1} |s\rangle\langle s|_{\mathcal{Y}} \otimes |t\rangle\langle t|_{\mathcal{Z}} \otimes \Big( \overline{|e^0_s\rangle\langle e^0_s|}_{\mathcal{X}} + \overline{|e^1_t\rangle\langle e^1_t|}_{\mathcal{X}} \Big).$$
For $s, t \in \{0, \ldots, d-1\}$, let $V_{s,t} = \overline{|e^0_s\rangle\langle e^0_s|}_{\mathcal{X}} + \overline{|e^1_t\rangle\langle e^1_t|}_{\mathcal{X}}$. As $Q$ is block-diagonal, the dual SDP is
$$\text{minimize: } \mathrm{Tr}\, Y \quad \text{subject to: } Y \ge \frac{1}{2d} V_{s,t} \ \text{(for all } s, t), \quad Y \in \mathrm{Herm}(\mathbb{C}^d). \qquad (9)$$
$V_{s,t}$ is a rank-2 Hermitian matrix whose eigenvalues are $1 \pm |\langle e^0_s | e^1_t \rangle|$. Hence, $Y = \frac{1 + \sqrt{c}}{2d}\, \mathbb{1}$ is a feasible solution to the dual problem with objective value $(1 + \sqrt{c})/2$, leading to an upper bound on the best counterfeiting strategy with overall success probability at most $3/4 + \sqrt{c}/4$.
To finish the proof of the upper bound it suffices to note that the SDP has the same parallel repetition property as was described in Section 3.4.
Finally, we show the "moreover" part of the claim. Relabeling the vectors if necessary, assume $|\langle e^0_0 | e^1_0 \rangle| = \sqrt{c}$. Let $|u_0\rangle$ be the eigenvector of $V_{0,0}$ with largest eigenvalue $1 + \sqrt{c}$, and $|u_1\rangle$ the eigenvector with smallest eigenvalue. Using the observation that $|\langle e^0_1 | e^1_1 \rangle| = \sqrt{c}$, it may be checked that
$$X = |0,0\rangle\langle 0,0| \otimes |u_0\rangle\langle u_0| + |1,1\rangle\langle 1,1| \otimes |u_1\rangle\langle u_1|$$
is a feasible solution to the primal SDP corresponding to (9) (as expressed in Section 3.1) with objective value $(1 + \sqrt{c})/2$, proving that the optimum of (9) is exactly $(1 + \sqrt{c})/2$.
recovers the one that is derived from Wiesner's original quantum money. Let $X_d$ and $Z_d$ be the generalized Pauli matrices, acting as $X_d : |i\rangle \mapsto |(i+1) \bmod d\rangle$ and $Z_d : |i\rangle \mapsto \omega^i |i\rangle$, where $\omega = e^{2i\pi/d}$. Let $F$ be the quantum Fourier transform over $\mathbb{Z}_d$,
$$F : |i\rangle \mapsto \frac{1}{\sqrt{d}} \sum_j \omega^{ij} |j\rangle,$$
and consider the basis $\{e^0_t\}$ defined by $e^0_t = (X_d)^t |0\rangle = |t\rangle$, and the Fourier-transformed basis $\{e^1_t\}$, $e^1_t = F e^0_t = (Z_d)^t F |0\rangle$ for every $t$. Then
$$|\langle e^0_s | e^1_t \rangle| = |\langle s | F | t \rangle| = \frac{1}{\sqrt{d}}$$
for every $s, t$: the corresponding overlap is $c = 1/d$. Lemma 1 shows that the optimal cloner achieves success at most $3/4 + 1/(4\sqrt{d})$. The following lemma states a matching lower bound.
Lemma 2. There is a cloner for the n-qudit ticket scheme described above that successfully answers both challenges with success probability $\big(\frac{3}{4} + \frac{1}{4\sqrt{d}}\big)^n$.
Proof. We describe a cloner that acts independently on each qudit, succeeding with probability $\frac{3}{4} + \frac{1}{4\sqrt{d}}$ on each qudit.¹⁰ Let
$$|\psi\rangle = \big(2 + 2/\sqrt{d}\big)^{-1/2} \big(|0\rangle + F|0\rangle\big),$$
and for every $(s,t)$ let $P_{s,t}$ be the rank-1 projector on the unit vector $X_d^s Z_d^t |\psi\rangle$. As a consequence of Schur's lemma, $\sum_{s,t} \frac{1}{d} P_{s,t} = \mathbb{1}$, so that $\{P_{s,t}/d\}$ is a POVM. The cloner proceeds as follows: if the challenge is either 00 or 11, he measures in the corresponding basis and sends the resulting outcome as answer to both challenges. In this case he is always correct. In case the challenge is either 01 or 10, he measures the ticket using the POVM $\{P_{s,t}/d\}$, and uses $s$ as answer to the challenge "0" and $t$ as answer to the challenge "1". Because the two challenges are distinct, only one of them corresponds to the actual basis in which the ticket was encoded.
Without loss of generality assume this is the "0" basis, so that the ticket is $e^0_s = |s\rangle$. The probability that the cloner obtains the correct outcome $s$ is
$$\sum_t \frac{1}{d} \mathrm{Tr}\big(P_{s,t} |s\rangle\langle s|\big) = \frac{1}{d} \sum_t \big|\langle s | X_d^s Z_d^t | \psi \rangle\big|^2 = \frac{1}{d} \sum_t \big|\langle 0 | Z_d^t | \psi \rangle\big|^2 = \big|\langle 0 | \psi \rangle\big|^2.$$
To conclude, it suffices to compute
$$\big|\langle 0 | \psi \rangle\big|^2 = \frac{1}{2 + 2/\sqrt{d}} \Big| \langle 0 | 0 \rangle + \langle 0 | F | 0 \rangle \Big|^2 = \frac{1}{2}\Big(1 + \frac{1}{\sqrt{d}}\Big).$$
¹⁰ The analysis is very similar to one that was done in [33], in a different context but for essentially the same problem.
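The following added example, not code from the paper, carries the proof of Lemma 2 through numerically for several values of d: it builds |ψ⟩, checks the Schur's-lemma claim that {P_{s,t}/d} is a POVM, and computes the cloner's success probability on tickets from either basis, which must come out as 3/4 + 1/(4√d). It assumes, as the two halves of the proof imply, that the four challenge pairs 00, 01, 10, 11 are equally likely; the function names are this example's own.

```python
"""Added example (not from the paper): the per-qudit cloner of Lemma 2.

Builds |psi> = (2 + 2/sqrt d)^{-1/2}(|0> + F|0>), the projectors P_{s,t} onto
X_d^s Z_d^t |psi>, checks that {P_{s,t}/d} is a POVM, and evaluates the cloner's
success probability, which must equal 3/4 + 1/(4 sqrt d). Pure Python."""
import cmath
import math


def roots_of_unity(d):
    """omega^k for k = 0..d-1, with omega = exp(2 i pi / d)."""
    return [cmath.exp(2j * math.pi * k / d) for k in range(d)]


def fourier_zero(d):
    """F|0> = d^{-1/2} sum_j |j>."""
    return [1 / math.sqrt(d) + 0j] * d


def psi(d):
    """The cloner's fixed state |psi> = (2 + 2/sqrt d)^{-1/2} (|0> + F|0>)."""
    scale = (2 + 2 / math.sqrt(d)) ** -0.5
    f0 = fourier_zero(d)
    return [scale * ((1 if i == 0 else 0) + f0[i]) for i in range(d)]


def xz(d, s, t, v):
    """X_d^s Z_d^t v, with Z_d|i> = omega^i |i> and X_d|i> = |(i+1) mod d>."""
    w = roots_of_unity(d)
    zv = [w[(t * i) % d] * v[i] for i in range(d)]
    return [zv[(i - s) % d] for i in range(d)]  # X^s moves amplitude i -> i+s


def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))


def basis_vector(d, b, k):
    """e^0_k = (X_d)^k |0> = |k>;  e^1_k = F e^0_k = (Z_d)^k F|0>."""
    if b == 0:
        return [1 + 0j if i == k else 0j for i in range(d)]
    return xz(d, 0, k, fourier_zero(d))


def povm_defect(d):
    """Largest entry of |sum_{s,t} P_{s,t}/d - 1|; Schur's lemma says it is 0."""
    p = psi(d)
    total = [[0j] * d for _ in range(d)]
    for s in range(d):
        for t in range(d):
            v = xz(d, s, t, p)
            for i in range(d):
                for j in range(d):
                    total[i][j] += v[i] * v[j].conjugate() / d
    return max(abs(total[i][j] - (1 if i == j else 0))
               for i in range(d) for j in range(d))


def correct_answer_prob(d, b, k):
    """Ticket e^b_k, challenge pair 01 or 10: the cloner measures {P_{s,t}/d} and
    answers s to challenge 0 and t to challenge 1. Returns the probability that
    the answer for the basis b actually used is the right one, i.e. equals k."""
    ticket = basis_vector(d, b, k)
    p = psi(d)
    prob = 0.0
    for s in range(d):
        for t in range(d):
            if (s if b == 0 else t) == k:
                prob += abs(inner(ticket, xz(d, s, t, p))) ** 2 / d
    return prob


def cloner_success(d):
    """Challenges 00 and 11 (half the cases, assumed equiprobable) are answered by
    measuring in the right basis and always succeed; 01 and 10 succeed with
    probability |<0|psi>|^2."""
    return 0.5 * 1.0 + 0.5 * correct_answer_prob(d, 0, 0)


def predicted(d):
    return 0.75 + 1 / (4 * math.sqrt(d))


if __name__ == "__main__":
    for d in (2, 3, 5):
        print(d, cloner_success(d), predicted(d), povm_defect(d))
```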
1 Introduction
The issue of non-locality in quantum physics was raised in 1935 by Einstein,
Podolsky and Rosen [6]. Thirty years later, John Bell proved that quantum
physics yields correlations that cannot be reproduced by classical local hidden
variable theories [2]. This momentous discovery led to the more general question
of quantifying quantum non-locality. Not only is this question relevant for the
foundations of quantum physics, but it is directly related to our understanding
of the computational power of quantum resources.
A natural quantitative approach to non-locality is to study the amount of
resources required to reproduce probabilities obtained by measuring quantum
states. In this paper, we consider the simulation of these distributions using
classical communication. This approach was introduced independently by several
authors [9,4,11]. It led to a series of results, culminating with the protocol of
Toner and Bacon to simulate von Neumann measurements on Bell states with a
single bit of communication [12]. Later, Regev and Toner extended this result by
giving a simulation of binary von Neumann measurements on arbitrary bipartite
states using two classical bits [10].
We focus here on multipartite entanglement, and more specifically on GHZ
states [8]. Unlike the bipartite case, which has been the topic of intensive inves-
tigation, the simulation of multipartite entanglement is still teeming with major
open problems.
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 65–73, 2013.
© Springer-Verlag Berlin Heidelberg 2013
66 G. Brassard and M. Kaplan
Theorem 1. For any n, k ≥ 1, there exists a protocol for UVS(n, k) with ex-
pected communication cost at most n(n + k).
Sampling the angles $\theta_1$ and $\theta_2$ can be done with $O(n^2)$ expected bits of communication. Therefore, the whole protocol can be done with $O(n^2)$ expected bits of communication.
to the referee, who computes $\theta = \delta + t \frac{\pi}{2^{k-1}}$. The resulting angle $\theta$ is uniformly distributed on $[\alpha_1 - \frac{\pi}{2^k}, \alpha_1 + \frac{\pi}{2^k}]$. Notice that since $t \in [2^k - 1]$, the length of the message is at most $k$.
Proof. Denote $U_i^- = [0, 1/2^i]$ and $U_i^+ = [1 - 1/2^i, 1]$. We define the density functions associated to the distributions $D_i^+$ and $D_i^-$,
$$f_i^+(x) = \begin{cases} 2^i & \text{if } x \in U_i^+, \\ 0 & \text{otherwise,} \end{cases} \qquad f_i^-(x) = \begin{cases} 2^i & \text{if } x \in U_i^-, \\ 0 & \text{otherwise.} \end{cases}$$
By definition, the density $\rho_i$ of $t_1 + t_2$ for a fixed $i$ is
$$\rho_i = \frac{1}{2}\big(f_i^+ * f_i^+ + f_i^- * f_i^-\big),$$
where $*$ denotes the convolution product of two functions. By direct calculation, we have
$$(f_i^- * f_i^-)(x) = \begin{cases} 2^{2(i+1)}\, x & \text{if } x \in [0, 1/2^{i+1}], \\ 2^{i+2} - 2^{2(i+1)}\, x & \text{if } x \in [1/2^{i+1}, 1/2^i], \\ 0 & \text{otherwise,} \end{cases}$$
and
$$(f_i^+ * f_i^+)(x) = (f_i^- * f_i^-)(1 - x).$$
Let ρ denote the density of the distribution D. We now calculate ρ(x). Notice
that f0− = f0+ , and for i > 0, fi− and fi+ have disjoint supports. Assume that
Fig. 1. The density functions $f_i^+$ and $f_i^-$, for $i \le 3$ and $i \le 8$. Each density function is scaled down by the probability of sampling it in Lemma 1. $f_0^+$ and $f_0^-$ are equal. The dashed curves represent the sum of the represented density functions.
$x < 1/2$ (the other case is similar). In that case, $f_i^+(x) = 0$ for any $i > 0$. Let $j = \max\{j : x \in [0, 1/2^j]\}$ and notice that $f_i^-(x) = 0$ for any $i > j$. We have
$$\begin{aligned}
\rho(x) &= \sum_{i=0}^{\infty} \frac{1}{2^{i+1}} \rho_i(x) \\
&= \frac{1}{2} \cdot \frac{1}{2} (f_0^+ * f_0^+)(x) + \frac{1}{2} \sum_{i=0}^{j} \frac{1}{2^{i+1}} (f_i^- * f_i^-)(x) \\
&= x + \frac{1}{2}\Big[ \sum_{i=0}^{j-1} \frac{1}{2^{i+1}} 2^{2(i+1)}\, x + \frac{1}{2^{j+1}} \big(2^{j+2} - 2^{2(j+1)}\, x\big) \Big] \\
&= x + \Big[ \sum_{i=0}^{j-1} 2^i x + 1 - 2^j x \Big] \\
&= x + (2^j - 1)x + 1 - 2^j x \\
&= 1.
\end{aligned}$$
We now prove the induction step. The induction hypothesis is that for any $k \ge 1$, it is possible for $n-1$ players to each send a message to another party such that he outputs an angle $\theta$ uniformly distributed on $\big[\sum_{i=1}^{n-1} \alpha_i - \pi/2^k,\ \sum_{i=1}^{n-1} \alpha_i + \pi/2^k\big]$.
Before receiving their inputs, the players prepare the following random
elements:
$\theta_{1|j}$, that is, the random variable generated by UVS$(n-1, k+j+1)$ for a fixed value of $j$. The shifted random variable $T_{1,j} + b\frac{\pi}{2^{k+1}}\big(1 - \frac{1}{2^j}\big)$ is uniform
– either on $\big[\sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1},\ \sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1} + \pi/2^{k+j}\big]$ if $b = -1$,
– or on $\big[\sum_{i=1}^{n-1} \alpha_i + \pi/2^{k+1} - \pi/2^{k+j},\ \sum_{i=1}^{n-1} \alpha_i + \pi/2^{k+1}\big]$ if $b = +1$.
Using $v^+_{1,j}$ and $v^-_{1,j}$, we can rewrite
$$T_{1,j} + b\frac{\pi}{2^{k+1}}\Big(1 - \frac{1}{2^j}\Big) = \begin{cases} \sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1} + v^-_{1,j} \cdot \pi/2^k & \text{if } b = -1 \\[2pt] \sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1} + v^+_{1,j} \cdot \pi/2^k & \text{if } b = +1 \end{cases}$$
Similarly, let $T_{2,j}$ denote the random variable $\theta_{2|j}$. Using $v^-_{2,j}$ and $v^+_{2,j}$, it can be written
$$T_{2,j} + b\frac{\pi}{2^{k+1}}\Big(1 - \frac{1}{2^j}\Big) = \begin{cases} \alpha_n - \pi/2^{k+1} + v^-_{2,j} \cdot \pi/2^k & \text{if } b = -1 \\[2pt] \alpha_n - \pi/2^{k+1} + v^+_{2,j} \cdot \pi/2^k & \text{if } b = +1 \end{cases}$$
where $v_{j,b}$ is the sum of $v^+_{1,j}$ and $v^+_{2,j}$ if $b = +1$ and the sum of $v^-_{1,j}$ and $v^-_{2,j}$ if $b = -1$. According to Lemma 1, when taking the expectation over $j$ and $b$, $v_{j,b}$ is uniform on $[0, 1]$. In consequence, $\theta$ is uniform on the interval $\big[\sum_{i=1}^{n} \alpha_i - \pi/2^k,\ \sum_{i=1}^{n} \alpha_i + \pi/2^k\big]$.
It remains to bound the expected length of messages. Denote $l_{n,k}$ the expected sum of the message lengths. We already know that $l_{1,k} \le k$ for any $k$. Fix $n > 1$. Analyzing our protocol, we get the induction:
$$\begin{aligned}
l_{n,k} &= \sum_{j \ge 0} \frac{1}{2^{j+1}} \big(l_{n-1,k+j+1} + l_{1,k+j+1}\big), \\
&\le \sum_{j \ge 0} \frac{1}{2^{j+1}} l_{n-1,k+j+1} + \sum_{j \ge 0} \frac{k+j+1}{2^{j+1}}, \\
&\le \sum_{j \ge 0} \frac{1}{2^{j+1}} l_{n-1,k+j+1} + k.
\end{aligned}$$
4 Conclusion
We gave a protocol to simulate equatorial measurements on the n-partite GHZ
state, using O(n2 ) bits on average. Our protocol is in two parts. Firstly, we re-
duce the problem to sampling vectors on regions of $S^1$. Secondly, we give a
procedure called Uniform Vector Sampling to sample the vectors. This scheme
is inspired by the protocol of Toner and Bacon to simulate von Neumann mea-
surements on Bell States.
Our work leads to an obvious question. Is it possible to transform our protocol
into a protocol that is bounded in the worst case? To solve this question, it is
enough to give a protocol for UVS that uses bounded communication in the worst
case. Uniform Vector Sampling could also be considered as a task of independent
interest or be applied in other contexts.
Our work, like others on the same topic, considers only equatorial measure-
ments. The simulation of more general measurements is an intriguingly hard
question. The main difference is that they lead to non-uniform marginals. In
the bipartite case, an analogous problem arises when considering non-maximally
entangled states. It may seem that modifying local marginals is easy once the
correlation is simulated. Unfortunately, local transforms usually also modify the
full correlation.
Simulating Equatorial Measurements on GHZ States 73
References
1. Bancal, J.-D., Branciard, C., Gisin, N.: Simulation of equatorial von Neumann
measurements on GHZ states using nonlocal resources. Advances in Mathematical
Physics 2010, 293245 (2010)
2. Bell, J.S.: On the Einstein-Podolsky-Rosen paradox. Physics 1, 195–200 (1964)
3. Branciard, C., Gisin, N.: Quantifying the nonlocality of GHZ quantum correlations
by a bounded communication simulation protocol. Physical Review Letters 107,
020401 (2011)
4. Brassard, G., Cleve, R., Tapp, A.: Cost of exactly simulating quantum entangle-
ment with classical communication. Physical Review Letters 83, 1874–1877 (1999)
5. Broadbent, A., Chouha, P.R., Tapp, A.: The GHZ state in secret sharing and
entanglement simulation. In: Proceedings of the Third International Conference
on Quantum, Nano and Micro Technologies, pp. 59–62 (2009)
6. Einstein, A., Podolsky, B., Rosen, N.: Can quantum-mechanical description of
physical reality be considered complete? Physical Review 47, 777–780 (1935)
7. Gisin, N.: Personal communication (2010)
8. Greenberger, D.M., Horne, M.A., Zeilinger, A.: Going beyond Bell’s theorem. In:
Kafatos, M. (ed.) Bell’s Theorem, Quantum Theory and Conceptions of the Uni-
verse, pp. 69–72. Kluwer Academic, Dordrecht (1989)
9. Maudlin, T.: Bell’s inequality, information transmission, and prism models. In:
Biennial Meeting of the Philosophy of Science Association, pp. 404–417 (1992)
10. Regev, O., Toner, B.: Simulating quantum correlations with finite communication.
In: Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer
Science, pp. 384–394 (2007)
11. Steiner, M.: Towards quantifying non-local information transfer: finite-bit non-
locality. Physics Letters A 270, 239–244 (2000)
12. Toner, B., Bacon, D.: Communication cost of simulating Bell correlations. Physical
Review Letters 91, 187904 (2003)
Testing Quantum Circuits
and Detecting Insecure Encryption
Bill Rosgen
1 Introduction
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 74–86, 2013.
© Springer-Verlag Berlin Heidelberg 2013
as input, the problem is to decide if there is an input on which the circuit acts non-
trivially or if the circuit is close to the identity for all input states. The problem
of determining if a circuit is close to an isometry (i.e. a reversible transformation
that maps pure states to pure states) is also known to be QMA-complete [15].
In this paper we generalize the hardness proofs of [10,15] to show the QMA-
hardness of testing the properties of the outputs of quantum circuits. Specifically,
we define the circuit testing problem, which has as parameters two uniformly
generated families of quantum circuits C0 and C1 . The problem is to decide,
given an input circuit C, whether C acts like circuits from the family C0 on
a large input subspace, or whether C acts like circuits from C1 for all input
states. It is important to note that the circuit families C0 , C1 are part of the
problem definition: each choice of circuit families gives a different problem and
an algorithm for a specific one of these problems may depend on these families
in a non-uniform way. The main result of the paper is a proof that this circuit
testing problem is QMA-hard for any circuit families C0 , C1 for which the problem
is well-defined. Using this result we reprove the QMA-hardness of non-identity
check and non-isometry testing as well as proving the hardness of a few other
circuit problems. This is done by choosing specific families C0 and C1 for which
these problems reduce to the associated circuit testing problems.
We then apply the hardness result to the problem of detecting insecure quan-
tum encryption. This is the problem of deciding, given a quantum circuit that
takes as input a quantum state as well as a classical key, whether this circuit
is close to a perfect encryption scheme (i.e. a private quantum channel [2,4]),
or whether there is a large subspace of input states that the circuit does not
encrypt. To prove hardness, we argue that this problem contains as a special
case an instance of the circuit testing problem. Finally, we give a QMA verifier
for this problem to prove that it is QMA-complete.
2 Preliminaries
Throughout the paper the set of density matrices on a Hilbert space $H$ is denoted
$D(H)$, while $T(H, K)$ is the set of channels that map $D(H)$ to $D(K)$. To
measure the distance between states we will make extensive use of the trace
norm, $\|X\|_{tr}$, which for a linear operator $X$ is given by the sum of the absolute
values of the singular values of $X$. One important property of the trace distance
$\|\rho - \sigma\|_{tr}$ is that it does not increase under the application of quantum channels.
We will also need the intuitive property that two states that are close together
in the trace norm produce similar measurement outcomes: this follows from the
fact that an expression involving the trace norm gives the maximum probability
that states can be distinguished [9].
Lemma 1. Let $X \in L(H)$ satisfy $0 \le X \le 1$. Then $\mathrm{tr}(X\rho) \le \mathrm{tr}(X\sigma) + \|\rho - \sigma\|_{tr}$.
In addition to the trace norm, we will also need a distance measure on quantum
channels. Such a measure is given by the diamond norm, which for a linear map
2.1 QMA
A promise problem P = (Pyes , Pno ) ∈ QMA if there is a quantum poly-time
verifier V such that
1. if x ∈ Pyes , then there exists a witness ρ such that Pr[V accepts ρ] ≥ 1 − ε,
2. if x ∈ Pno , then for any state ρ, Pr[V accepts ρ] ≤ ε.
The exact value of ε is not significant: any ε < 1/2 that is at least an inverse
polynomial suffices [13].
Let P be an arbitrary promise problem in QMA, and let x be an arbitrary
input string. Our goal will be to encode the QMA-hard problem of deciding P
into the problem of detecting an insecure encryption circuit. To do this it will
be convenient to represent the verifier as a unitary circuit V , which represents
the algorithm of the verifier in a QMA protocol on some input x. We may “hard-code”
the input string x into the circuit for V, since the circuit V needs only to
be efficiently generated given x. The algorithm implemented by the verifier in
an arbitrary QMA protocol is as follows: the verifier receives a witness state |ψ⟩,
applies the unitary V on the witness state and any ancillary qubits needed, and
finally measures the first output qubit to decide whether or not to accept. Any
qubits not measured are traced out. One of the main results of this paper is a
reduction from an arbitrary QMA verifier to the problem of testing the behaviour
of quantum circuits.
also be viewed as encryption systems: the key is the environment, which, when
combined with the output state, allows the input to be recovered. We restrict
attention to the private channels that allow the input to be recovered not with
the quantum state of the environment but instead with a classical key that can
be pre-shared between two parties. These channels, called private channels, were
introduced and studied in [2,4].
An important example of a private quantum channel is the completely depo-
larizing channel. This is the channel Ω that maps any input to the completely
mixed state. This channel can be efficiently implemented by applying a ran-
dom Pauli operator to each qubit. In order to use the completely depolarizing
channel as a private channel we must add a key. This can be done by apply-
ing a key-selected Pauli operator to each of the input qubits. We will refer to
this channel as $\Omega_k$ when a specific key is used. Notice that if $\Omega_k \in T(H)$, then
$|k| = 2 \log \dim H$, i.e. we use two key bits for each encrypted qubit. In the case of
a perfect encryption channel this key rate is optimal [2,4,5]. When k is unknown
and uniformly distributed, the channel $\Omega_k$ is identical to $\Omega$, i.e. if the key k is
uniformly distributed in {1, . . . , K} we have $\sum_k \Omega_k / K = \Omega$.
We use the following definition of a private quantum channel (i.e. secure en-
cryption).
Definition 2. Let E be a channel that takes inputs k ∈ {1, . . . , K} and a state
in H and produces an output in K, where dim H ≤ dim K. For fixed k we write
$E_k(\cdot) = E(k, \cdot)$. E is ε-private if
1. There exists a polynomial-size circuit $D : \{1, \ldots, K\} \otimes D(K) \to D(H)$ such
that for all k, $\|D_k \circ E_k - 1_H\|_\diamond \le \varepsilon$.
2. Without k, the output of E is random, i.e. $\|\sum_k E_k / K - \Omega\|_\diamond \le \varepsilon$.
The use of the diamond norm in this definition is significant: we require that
both conditions hold even when the channel acts on part of an entangled state. Specifically, a
channel satisfying this definition both preserves any entanglement between the encrypted state
and other systems and remains secure even against an entangled eavesdropper. We use this strong
definition because one of the main results of the paper is a hardness result: distin-
guishing secure and insecure encryption is hard even when the secure encryption
is promised to be secure in this model. Our results are also true in the weaker
model using the trace norm.
This definition is a strengthened version of the model used by Ambainis and
Smith [3], who define security in a similar way, but only against adversaries
that are not entangled with the input state. The model considered by Hayden
et al. [8] uses a stronger bound involving the operator norm under which our
hardness result does not apply, as it is ultimately derived from the definition of
QMA, and the probability that the Verifier in a QMA protocol can be made to
accept is more naturally modelled by the trace norm.
3 Testing Circuits
The problem of testing the behaviour of a circuit can be informally stated as:
given a circuit C decide if the circuit acts like some known circuit C0 on a large
subspace of the input or if the circuit acts like some other known circuit C1
on the whole input space. We use uniform circuit families C0 and C1 as it is
important that the circuits C, C0, and C1 agree on input and output spaces.
Yes: There exists a subspace S of X with $\dim S \ge (\dim X)^{1-\delta}$ such that for
any reference space R and any ρ ∈ D(S ⊗ R),
When the values of ε, δ, C0, and C1 are important we will refer to this problem
as CT(ε, δ, C0 , C1 ).
This problem is well-defined only for families C0 and C1 that do not violate
the promise, i.e. any circuits whose output is not too close together. These are
the circuits C0 and C1 such that there does not exist a subspace T of X of
size $\dim T \ge (\dim X)^{\delta}$ such that for any input states ρ ∈ D(T ⊗ R) we have
$\|(C_0 \otimes 1_R)(\rho) - (C_1 \otimes 1_R)(\rho)\|_{tr} \le 2\varepsilon$, i.e. there does not exist a large subspace
of pure states on which C0 and C1 produce output that is close together. This
condition can be difficult to verify but for many families of circuits it is easy to
see that they are not too close together. As an example, the application of this
hardness result to detecting insecure encryption takes C0 as the identity and
C1 as the completely depolarizing channel, and these two circuits never agree
on pure states. We show that this problem is QMA-hard for any circuit families
that satisfy this condition.
Note the special case δ = 1: here the CT problem asks if there are any inputs
on which the circuit C behaves like C0 or if it behaves like C1 for all inputs. In
this case the problem is well-defined for any families C0 and C1 that do not agree
on the whole space (up to error 2ε).
Concerning the parameters ε and δ, we may choose $\varepsilon = 2^{-p}$ for any polynomial
p using an amplification result for QMA [13] and we may choose δ any constant
satisfying 0 < δ ≤ 1.
The key idea to the reduction is that we construct a circuit that takes an input
state and applies the unitary V to a portion of it, makes a ‘copy’ of the output
bit with a controlled-not gate, and then applies V ∗ . If the result of the QMA
protocol would have been the verifier accepting (i.e. the copy of the output qubit
is measured in the |1⟩ state), then we apply the circuit C0. On the other hand,
if the output qubit was in the |0⟩ state, we apply the circuit C1. The resulting
circuit applies C0 if and only if the input is a state the Verifier in the QMA proof
system accepts. In order to guarantee that the subspace of accepting states is
large enough, we add dummy input qubits that are ignored by the circuit V
but are acted on by either C0 or C1 . By adding enough of these qubits, we can
ensure that if V accepts at least one state then the result is a large subspace of
accepted states.
The full construction of the circuit produced by the reduction is shown in
Figure 1. Before describing the circuit, we fix notation: let C0 and C1 be circuits
drawn from C0 and C1 implementing transformations in T(X, Y), where X =
F ⊗ H and Y = F ⊗ K, using the spaces H, K from the QMA Verifier for P.
Further, we may let $\dim F = (\dim H)^{(1-\delta)/\delta}$, since we are free to take any
polynomial number of input qubits to C0 and C1. We also assume without loss
of generality that these circuits are implemented by circuits that apply unitary
circuits mapping X ⊗ A → Y ⊗ G, where the space A holds any ancillary qubits
needed by the circuit (initially in the |0⟩ state) and the space G represents the
qubits traced out at the end of the computation. Any mixed-state circuit can be
efficiently transformed into a circuit of this form by moving the introduction of
ancillary qubits to the start of the circuit and delaying any partial traces to the
end of the circuit. We may also assume that both the circuit V and the circuits
[Figure 1: circuit diagram showing V, the controlled-not copy of the output qubit, V^*, and the controlled application of U_0 or U_1, with ancillary qubits initialised to |0⟩.]
Fig. 1. Circuit output by the reduction. V is the unitary circuit applied by the original
QMA verifier and $U_i$ is the unitary circuit obtained from $C_i$ by removing the gates that
introduce ancillary qubits and trace out qubits.
C0 and C1 use ancillary spaces A, G of the same size, by simply padding the
circuits using a smaller space with unused ancillary qubits.
Let C be the circuit in Figure 1. This circuit takes as input a quantum state
ρ on the space X = F ⊗ H. This circuit first applies V to the portion of ρ
in H as well as any needed ancillary qubits in the space A. Next, the circuit
makes a classical copy of the ‘output bit’ of V , which is used as a control for
the application of the circuits C0 and C1. The circuit $V^*$ is then applied, so that
the result (provided that V accepts or rejects with high probability) is a state
that is close to the input state plus a qubit that indicates whether V accepts
or rejects the input state. The circuit then applies C0 if V accepts and C1 if V
rejects. These circuits use the same ancillary space A as the circuits V and $V^*$,
but as long as the Verifier V either accepts or rejects the input state with high
probability, these ancillary qubits will be returned to the |0⟩ state, up to trace
distance $2\sqrt{\varepsilon}$.
Before proving the correctness of the reduction, it will be convenient to write
down some of the states produced by running the constructed circuit C. Let ρ
be an arbitrary input state in D(H ⊗ F) and let |ψ⟩ ∈ H ⊗ F ⊗ R be a purification
of ρ. The order of the spaces H and F has been changed for notational
convenience. Applying the unitary V to the portion of |ψ⟩ in H results in the
state
$$|\phi\rangle = (V \otimes 1_F \otimes 1_R)(|\psi\rangle \otimes |0\rangle),$$
where the |0⟩ qubits are in the space A. Then, there exist states $|\phi_0\rangle, |\phi_1\rangle$ on all
but the first qubit of K ⊗ F ⊗ R such that
$$|\phi\rangle = \sqrt{1-p}\,|0\rangle \otimes |\phi_0\rangle + \sqrt{p}\,|1\rangle \otimes |\phi_1\rangle$$
where 0 ≤ p ≤ 1 is exactly the probability that the Verifier accepts in the original
protocol on input $\mathrm{tr}_F\,\rho$. Applying the controlled-not gate results in
$$|\phi'\rangle = \sqrt{1-p}\,|00\rangle \otimes |\phi_0\rangle + \sqrt{p}\,|11\rangle \otimes |\phi_1\rangle.$$
We then bound the trace distance of $|\phi'\rangle$ to |0⟩|ψ⟩ and |1⟩|ψ⟩. In the case of
|0⟩|ψ⟩ we have
$$
\left\| |\phi'\rangle\langle\phi'| - |0\rangle\langle 0| \otimes |\phi\rangle\langle\phi| \right\|_{tr}
= 2\sqrt{1 - \left|\langle\phi'|\,(|0\rangle \otimes |\phi\rangle)\right|^2}
= 2\sqrt{1 - (1-p)^2} < 3\sqrt{p}, \quad (1)
$$
These two equations show that, when p is close to 0 or 1, the fact that we make a
classical copy of the output qubit does not have a large effect on the state of the
system. (This fact can also be argued from the Gentle Measurement Lemma [18].)
The remainder of the circuit then applies V ∗ and, depending on the value of the
control qubit, one of C0 and C1 . We consider two cases, which are argued in two
separate propositions.
Proposition 4. If $x \in P_{yes}$, then there exists a subspace S of X with $\dim S \ge (\dim X)^{1-\delta}$ such that for any reference system R and any |ψ⟩ ∈ S ⊗ R
$$\|(C \otimes 1_R)(|\psi\rangle\langle\psi|) - (C_0 \otimes 1_R)(|\psi\rangle\langle\psi|)\|_{tr} \le 3\sqrt{\varepsilon}.$$
Proof. If $x \in P_{yes}$, then there is some input state |ψ⟩ on which the Verifier
accepts with probability p ≥ 1 − ε. Applying the remainder of the circuit, up to
the partial trace, to the state |1⟩|φ⟩ results in the state $|1\rangle \otimes (U_1 \otimes 1_R)(|\psi\rangle \otimes |0\rangle)$.
Tracing out the space G as well as the copy of the output qubit results in exactly
the state $\mathrm{tr}_G\,(U_1 \otimes 1_R)(|\psi\rangle\langle\psi| \otimes |0\rangle\langle 0|)(U_1^* \otimes 1_R) = (C_1 \otimes 1_R)(|\psi\rangle\langle\psi|)$. This is
not quite equal to the output of the constructed circuit C, however, as we have
replaced the state $|\phi'\rangle$ with the state |1⟩|φ⟩. However, using the monotonicity of
the trace norm under quantum operations, the remainder of the circuit cannot
increase the norm, and so by Equation (2) we have
$$\|(C \otimes 1_R)(|\psi\rangle\langle\psi|) - (C_0 \otimes 1_R)(|\psi\rangle\langle\psi|)\|_{tr} \le 3\sqrt{1-p} \le 3\sqrt{\varepsilon}. \quad (3)$$
which implies that $\dim F \ge (\dim X)^{1-\delta}$, as required. Thus, when $x \in P_{yes}$ the
Verifier V can be made to accept, and so the result is a yes instance of CT.
The remaining case is when x ∈ Pno , i.e. the Verifier V rejects every state with
high probability.
Proposition 5. If $x \in P_{no}$ then $\|C - C_1\|_\diamond \le 3\sqrt{\varepsilon}$.
Taken together, these two propositions prove the hardness of the CT problem.
Note once again that in order for the CT problem to be well defined (i.e. the
set of ‘yes’ instances does not intersect the set of ‘no’ instances) we require that
circuits from the two families are not too close together on any large subspaces
of pure inputs. See the discussion following Problem 3 for a technical condition
that is equivalent to this requirement. It is straightforward to verify that the
reduction is efficient.
Theorem 6. CT(ε, δ, C0, C1) is QMA-hard for any 0 < ε < 1 with $\varepsilon \ge 2^{-p}$ for
some polynomial p, any constant 0 < δ ≤ 1, and any uniform circuit families C0,
C1 for which the problem is well-defined.
3.2 Applications
In this section we apply Theorem 6 to prove the hardness of some new and old
problems.
The first problem we consider is a slightly generalized version of the problem
Non-identity Check [10], whose authors show that it is QMA-complete. Our version
of the problem differs in that we do not require that the input circuit C
is unitary. We do require, however, that if C deviates from the identity, then it
does so in a way similar to some efficient unitary circuit U . This restriction is
not needed for hardness but it is not clear that the problem is in QMA without
it.
Problem 7 (Mixed Non-identity Check [10]). Let 0 < ε < 1. On input
C ∈ T(X, X):
Yes: $\|C - 1\|_\diamond \ge 2 - \varepsilon$ and there exists an efficient unitary U such that on
some pure state |ψ⟩ ∈ X we have $\|C(|\psi\rangle\langle\psi|) - U|\psi\rangle\langle\psi|U^*\|_{tr} \le \varepsilon$ and
$\|U|\psi\rangle\langle\psi|U^* - |\psi\rangle\langle\psi|\|_{tr} \ge 2 - \varepsilon$.
No: $\|C - 1\|_\diamond \le \varepsilon$.
The QMA-hardness of this problem follows from Theorem 6 and the fact that
CT(ε, 1, U, 1) is a special case of the problem, where U is any uniform family of
quantum circuits that are not close to the identity (one example are the circuits
that apply Pauli X to the first qubit).
Theorem 11. $DI_{\varepsilon,\delta}$ is QMA-hard for all 0 < ε < 1/2 and all 0 < δ ≤ 1.
Proof. Let Ek = {Ωk,n } where Ωk,n is the n-qubit channel that applies the
kth Pauli operator to the input qubits. Averaging over all keys k results in
the completely depolarizing channel on n qubits. Then, Theorem 6 implies that
CT(ε, δ, 1k , Ek ) is hard for QMA, where 1k is the channel that discards the key
k and does nothing to the quantum input. The problem CT(ε, δ, 1k , Ek ) is a
modification of the problem CT to include both a quantum input as well as a
classical input k. This is done by including k as part of the quantum input that
is immediately measured in the computational basis. CT(ε, δ, 1k , Ek ) remains
hard after this modification.
The QMA-hardness of DIε,δ then follows from the fact that the problem of de-
tecting insecure encryption is CT(ε, δ, 1k , Ek ) with a weakened promise. Since the
sets of ‘yes’ instances of the two problems are identical, we need only verify the
‘no’ instances. Let the circuit C ∈ T(H, K) be a ‘no’ instance of $CT(\varepsilon, \delta, 1_k, E_k)$
and let $C_k(\cdot) = C(|k\rangle\langle k| \otimes \cdot)$ be the circuit defined by hardcoding the ‘key’
portion of the input space. Then, for any input ρ and any key k, we have
$\|C_k - \Omega_k\|_\diamond \le \varepsilon$, since this follows for the versions of these circuits without
a hardcoded key (which is just a restriction of the input space). The triangle
inequality then implies $\|\Omega - \sum_k C_k / 2^m\|_\diamond \le \sum_k \|\Omega_k - C_k\|_\diamond / 2^m \le \varepsilon$, which is
the property required by ‘no’ instances of DI. To see further that the output of
$C_k$ can be decrypted with knowledge of k, observe that $\Omega_k^{-1} \circ \Omega_k = 1$, and so
$$\|\Omega_k^{-1} \circ C_k - 1\|_\diamond = \|\Omega_k^{-1} \circ C_k - \Omega_k^{-1} \circ \Omega_k\|_\diamond \le \|C_k - \Omega_k\|_\diamond \le \varepsilon,$$
this proof state will cause the Verifier to obtain the symmetric outcome with
probability approaching 1.
If E represents a secure encryption system, then without knowledge of the key,
the output of E is close to the completely mixed state, regardless of the input
state. In this case the Verifier performs the swap test on two highly mixed states
and the result is antisymmetric with probability close to 1/2. This protocol can
be formalized as follows.
Protocol 12. On input a circuit E : {1, . . . , K} ⊗ D(H) → D(K), an instance of
$DI_{\varepsilon,\delta}$, as well as a quantum proof |φ⟩ in $D((H \otimes R)^{\otimes 2})$ (where dim R = dim H):
1. The Verifier generates random keys $k_1, k_2 \in \{1, \ldots, K\}$.
2. The Verifier applies $(E_{k_1} \otimes 1_R) \otimes (E_{k_2} \otimes 1_R)$ to the state |φ⟩.
3. The Verifier applies the swap test, accepting if the outcome is symmetric.
The space R appears in this protocol even though Problem 10 places no upper bound on
this space; by the properties of the diamond norm, we may take dim R = dim H
without loss of generality.
Proposition 13. For 0 < ε < 1/8, Protocol 12 is a QMA protocol for $DI_{\varepsilon,\delta}$.
regardless of the proof state |ψ⟩ the input to the swap test is within trace distance
2ε of the completely mixed state. On such a state, Lemma 1 implies
that the swap test returns the symmetric outcome with probability at most
$1/2 - \mathrm{tr}[(1_K / \dim K)^2]/2 + 2\varepsilon = 1/2 - 1/(2 \dim K) + 2\varepsilon$, and so the probability
the Verifier accepts is bounded above by 1/2 + 2ε. Thus, when ε < 1/8, there is
a constant gap between the acceptance probabilities in the two cases.
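The Pauli one-time pad $\Omega_k$ of Section 2 and the swap-test check of Protocol 12, as an added worked example (this is not code from the paper): the block builds $\Omega_k$ for n qubits from 2n key bits, checks both conditions of Definition 2 exactly (decrypting with the key recovers the input; averaging over all keys gives the completely depolarizing output $\Omega$), and then runs the Verifier's swap test on $E_{k_1}(\rho) \otimes E_{k_2}(\rho)$ averaged over the two random keys, using the standard swap-test fact that the symmetric outcome occurs with probability $(1 + \mathrm{tr}(\rho\sigma))/2$ [6,7]. Assumptions made here: the proof state is ρ ⊗ ρ for a pure ρ with no reference system R, the insecure ‘yes’ instance is the key-discarding identity circuit, and the one- and two-qubit sample states are constructed for illustration. Density matrices are nested Python lists, so no numpy is needed.

```python
"""Added example: the Pauli one-time pad Omega_k as a private quantum channel
(Definition 2) and the swap-test Verifier of Protocol 12 run on its output."""
import itertools

# One Pauli per 2-bit key chunk (I, X, Y, Z): an n-qubit key has 2n bits,
# the |k| = 2 log dim H key rate of the text.
PAULIS = {
    (0, 0): [[1, 0], [0, 1]],
    (0, 1): [[0, 1], [1, 0]],
    (1, 0): [[0, -1j], [1j, 0]],
    (1, 1): [[1, 0], [0, -1]],
}

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def dagger(a):
    return [[complex(a[j][i]).conjugate() for j in range(len(a))] for i in range(len(a[0]))]

def kron(a, b):
    m = len(b)
    size = len(a) * m
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(size)] for i in range(size)]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

def close(a, b, tol=1e-9):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(len(a)) for j in range(len(a)))

def pure_state(amplitudes):
    """Density matrix |psi><psi| of a normalised amplitude vector (constructed input)."""
    amps = [complex(x) for x in amplitudes]
    return [[x * y.conjugate() for y in amps] for x in amps]

def maximally_mixed(n):
    d = 2 ** n
    return [[1 / d if i == j else 0 for j in range(d)] for i in range(d)]

def all_keys(n):
    return list(itertools.product((0, 1), repeat=2 * n))

def pauli_for_key(key):
    """Tensor product of the Paulis selected by consecutive 2-bit key chunks."""
    op = [[1]]
    for i in range(0, len(key), 2):
        op = kron(op, PAULIS[(key[i], key[i + 1])])
    return op

def encrypt(rho, key):
    """Omega_k(rho) = P_k rho P_k^dagger: key-selected Pauli on each qubit."""
    p = pauli_for_key(key)
    return matmul(matmul(p, rho), dagger(p))

def decrypt(sigma, key):
    """D_k = Omega_k^{-1}; Paulis are self-inverse, so apply P_k^dagger . P_k."""
    p = pauli_for_key(key)
    return matmul(matmul(dagger(p), sigma), p)

def key_average(rho, n):
    """sum_k Omega_k(rho) / K: what an eavesdropper without k sees."""
    keys = all_keys(n)
    d = 2 ** n
    acc = [[0j] * d for _ in range(d)]
    for k in keys:
        e = encrypt(rho, k)
        acc = [[acc[i][j] + e[i][j] / len(keys) for j in range(d)] for i in range(d)]
    return acc

def swap_test_symmetric_prob(rho, sigma):
    """Swap test on rho (x) sigma: symmetric outcome with probability (1 + tr(rho sigma))/2."""
    return (1 + trace(matmul(rho, sigma)).real) / 2

def identity_circuit(rho, key):
    """Insecure 'encryption' that discards the key: a 'yes' instance of DI (assumption)."""
    return rho

def verifier_acceptance(channel, rho, n):
    """Protocol 12 with proof rho (x) rho and no reference system (assumption):
    swap-test acceptance averaged over the Verifier's two random keys."""
    keys = all_keys(n)
    total = 0.0
    for k1 in keys:
        for k2 in keys:
            total += swap_test_symmetric_prob(channel(rho, k1), channel(rho, k2))
    return total / len(keys) ** 2
```

With the key unknown the Verifier effectively sees the product of two maximally mixed states, so acceptance is $(1 + \mathrm{tr}[(1_K/\dim K)^2])/2$, i.e. 0.75 for one qubit and 0.625 for two; the key-discarding identity circuit is accepted with probability 1 on a symmetric proof, which is the gap Proposition 13 relies on.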
Combining the previous Proposition with Theorem 11 we obtain the main result.
Theorem 14. For 0 < ε < 1/8 and 0 < δ ≤ 1, the problem DIε,δ is QMA-
complete.
References
1. Aharonov, D., Kitaev, A., Nisan, N.: Quantum circuits with mixed states. In: Proc.
30th STOC, pp. 20–30 (1998)
2. Ambainis, A., Mosca, M., Tapp, A., de Wolf, R.: Private quantum channels. In:
Proc. 41st FOCS, pp. 547–553 (2000)
3. Ambainis, A., Smith, A.: Small Pseudo-random Families of Matrices: Derandomiz-
ing Approximate Quantum Encryption. In: Jansen, K., Khanna, S., Rolim, J.D.P.,
Ron, D. (eds.) RANDOM 2004 and APPROX 2004. LNCS, vol. 3122, pp. 249–260.
Springer, Heidelberg (2004)
4. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev.
A 67(4), 042317 (2003)
5. Braunstein, S., Lo, H.K., Spiller, T.: Forgetting qubits is hot to do (1999)
(unpublished manuscript)
6. Buhrman, H., Cleve, R., Watrous, J., de Wolf, R.: Quantum fingerprinting. Phys.
Rev. Lett. 87(16), 167902 (2001)
7. Ekert, A.K., Alves, C.M., Oi, D.K., Horodecki, M., Horodecki, P., Kwek, L.C.:
Direct estimations of linear and nonlinear functionals of a quantum state. Phys.
Rev. Lett. 88(21), 217901 (2002)
8. Hayden, P., Leung, D., Shor, P.W., Winter, A.: Randomizing quantum states: con-
structions and applications. Commun. Math. Phys. 250, 371–391 (2004)
9. Helstrom, C.W.: Detection theory and quantum mechanics. Inform. Control 10(3),
254–291 (1967)
10. Janzing, D., Wocjan, P., Beth, T.: “Non-identity-check” is QMA-complete. Int. J.
Quantum Inf. 3(3), 463–473 (2005)
11. Kempe, J., Kitaev, A., Regev, O.: The complexity of the local Hamiltonian problem.
SIAM J. Comput. 35(5), 1070–1097 (2006)
12. Liu, Y.-K.: Consistency of Local Density Matrices Is QMA-Complete. In: Díaz, J.,
Jansen, K., Rolim, J.D.P., Zwick, U. (eds.) APPROX 2006 and RANDOM 2006.
LNCS, vol. 4110, pp. 438–449. Springer, Heidelberg (2006)
13. Marriott, C., Watrous, J.: Quantum Arthur-Merlin games. Comp. Compl. 14(2),
122–152 (2005)
14. Rosgen, B., Watrous, J.: On the hardness of distinguishing mixed-state quantum
computations. In: Proc. 20th CCC, pp. 344–354 (2005)
15. Rosgen, B.: Testing Non-isometry Is QMA-Complete. In: van Dam, W., Kendon,
V.M., Severini, S. (eds.) TQC 2010. LNCS, vol. 6519, pp. 63–76. Springer,
Heidelberg (2011)
16. Schuch, N., Cirac, I., Verstraete, F.: Computational difficulty of finding matrix
product ground states. Phys. Rev. Lett. 100(25), 250501 (2008)
17. Schuch, N., Verstraete, F.: Computational complexity of interacting electrons and
fundamental limitations of density functional theory. Nat. Phys. 5(10), 732–735
(2009)
18. Winter, A.: Coding theorem and strong converse for quantum channels. IEEE T.
Inform. Theory 45(7), 2481–2485 (1999)
Search by Quantum Walks on Two-Dimensional
Grid without Amplitude Amplification
Faculty of Computing, University of Latvia, Raina bulv. 19, Riga, LV-1586, Latvia
1 Introduction
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 87–97, 2013.
© Springer-Verlag Berlin Heidelberg 2013
$$
|\psi(t)\rangle = \sum_{i,j}\left(\alpha_{i,j,\Uparrow}|i,j,\Uparrow\rangle + \alpha_{i,j,\Downarrow}|i,j,\Downarrow\rangle + \alpha_{i,j,\Leftarrow}|i,j,\Leftarrow\rangle + \alpha_{i,j,\Rightarrow}|i,j,\Rightarrow\rangle\right) \quad (1)
$$
$$
|i,j,\Uparrow\rangle \to |i,j-1,\Downarrow\rangle, \qquad
|i,j,\Downarrow\rangle \to |i,j+1,\Uparrow\rangle, \qquad
|i,j,\Leftarrow\rangle \to |i-1,j,\Rightarrow\rangle, \qquad
|i,j,\Rightarrow\rangle \to |i+1,j,\Leftarrow\rangle \quad (3)
$$
Notice that after moving to an adjacent location we change the value of the direc-
tion register to the opposite. This is necessary for the quantum walk algorithm
of [AKR05] to work.
We start the quantum walk in the state
$$
|\psi(0)\rangle = \frac{1}{2\sqrt{N}}\sum_{i,j}\left(|i,j,\Uparrow\rangle + |i,j,\Downarrow\rangle + |i,j,\Leftarrow\rangle + |i,j,\Rightarrow\rangle\right)
$$
It can be easily verified that the state of the walk stays unchanged, regardless of
the number of steps. To use the quantum walk as a tool for search, we “mark” some
locations. In unmarked locations, we apply the same transformations as above. In
marked locations, we apply −I instead of D as the coin flip transformation. The
shift transformation remains the same in both marked and unmarked locations.
If there are marked locations, the state of this process starts to deviate from
$|\psi(0)\rangle$. It has been shown [AKR05] that after $O(\sqrt{N \log N})$ steps the inner product
$\langle\psi(t)|\psi(0)\rangle$ becomes close to 0.
In the case of one or two marked locations the [AKR05] algorithm finds a marked
location with O(1/ log N) probability. For multiple marked locations this is not
always the case. There exist marked location configurations for which the quantum
walk fails to find any of the marked locations [AR08].
3 Results
In this paper we examine a single marked location case only. However, we note
that numerical experiments give very similar results in the case of multiple
marked locations.
Suppose we have a $\sqrt{N} \times \sqrt{N}$ grid with one marked location. The [AKR05] algorithm
takes $O(\sqrt{N \log N})$ steps and finds the marked location with O(1/ log N)
probability. The algorithm then uses amplitude amplification to get Θ(1) probability.
The amplitude amplification adds an additional $O(\sqrt{\log N})$ factor to the
number of steps, making it $O(\sqrt{N} \log N)$.
Performing numerical experiments with the [AKR05] algorithm, we have noticed
that the probability to be close to the marked location is much higher than the probability
to be far from the marked location. Figure 1 shows the probability distribution
by distance from the marked location for a 1024 × 1024 grid on a logarithmic scale.
We have measured the probability within an $O(\sqrt{N})$ neighbourhood of the
marked location (at $O(\sqrt[4]{N})$ distance)¹ for different grid sizes (figure 2) and
have made the following conjecture:
¹ Another logical choice of the size of the neighbourhood would be $O(\sqrt{N \log N})$, the
number of steps of the [AKR05] algorithm.
Fig. 1. Probability by distance, one marked location, grid size 1024 × 1024, logarithmic
scale
Hypothesis 1. The probability to be within an $O(\sqrt{N})$ neighbourhood, i.e. at
$O(\sqrt[4]{N})$ distance, of the marked location is Θ(1).
$$
Pr[R] \approx \frac{Pr[0]}{R^2}
$$
There are 4R points at the distance R from the marked location (we use Manhattan
or $L_1$ distance). Thus, the total probability to be within the $\sqrt{N}$ neighbourhood
of the marked location is:
Fig. 2. Probability to be within the $\sqrt{N}$ neighbourhood of the marked location
$$
S = \sum_{R=1}^{\sqrt[4]{N}} 4R \times O\!\left(\frac{Pr[0]}{R^2}\right)
= Pr[0] \times O\!\left(\sum_{R=1}^{\sqrt[4]{N}} \frac{1}{R}\right)
= Pr[0] \times O(\log N).
$$
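The walk of Section 2 and the neighbourhood measurement behind Hypothesis 1, as an added worked example (not code from this paper or from [AKR05]): the block simulates the coined walk on an n × n torus (N = n², real amplitudes), checks that the unmarked walk leaves $|\psi(0)\rangle$ unchanged and that a single step with a marked location lowers $\langle\psi(0)|\psi(t)\rangle$ to exactly 1 − 2/N, and then scans t up to $2\lceil\sqrt{N \ln N}\rceil$ for the largest probability of being within Manhattan distance $\sqrt[4]{N}$ of the marked location. Assumptions made here, since the page does not reproduce the coin (2): D is the 4-dimensional Grover diffusion $2|s\rangle\langle s| - I$ with $|s\rangle$ the uniform coin state, the step count uses constant 1 and the natural logarithm, and the 16 × 16 grid is a constructed sample size.

```python
"""Added example: coined quantum walk search on an n x n torus with one marked
location, without amplitude amplification, and the N^(1/4)-neighbourhood probability."""
import math

UP, DOWN, LEFT, RIGHT = 0, 1, 2, 3  # coin register: up, down, left, right

def initial_state(n):
    """|psi(0)>: amplitude 1/(2 sqrt N) on every |i, j, d>, N = n*n, so 2 sqrt N = 2n."""
    a = 1.0 / (2.0 * n)
    return [[[a] * 4 for _ in range(n)] for _ in range(n)]

def coin_step(state, marked):
    """Grover coin D (assumption) at unmarked locations, -I at the marked one, in place.
    D c = 2<s|c>|s> - c, and every entry of 2<s|c>|s> equals sum(c)/2."""
    for i, row in enumerate(state):
        for j, c in enumerate(row):
            if (i, j) == marked:
                row[j] = [-x for x in c]
            else:
                m = sum(c) / 2.0
                row[j] = [m - x for x in c]

def shift_step(state, n):
    """The shift (3): move to the adjacent location and reverse the direction (torus)."""
    new = [[[0.0] * 4 for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            c = state[i][j]
            new[i][(j - 1) % n][DOWN] += c[UP]
            new[i][(j + 1) % n][UP] += c[DOWN]
            new[(i - 1) % n][j][RIGHT] += c[LEFT]
            new[(i + 1) % n][j][LEFT] += c[RIGHT]
    return new

def walk(n, marked, steps):
    """Run `steps` coin+shift rounds from |psi(0)>; marked=None is the unmarked walk."""
    state = initial_state(n)
    for _ in range(steps):
        coin_step(state, marked)
        state = shift_step(state, n)
    return state

def overlap_with_start(state, n):
    """<psi(0)|psi(t)>; all amplitudes are real, so this is a plain sum."""
    return sum(x for row in state for c in row for x in c) / (2.0 * n)

def total_probability(state):
    return sum(x * x for row in state for c in row for x in c)

def torus_l1(i, j, marked, n):
    di, dj = abs(i - marked[0]), abs(j - marked[1])
    return min(di, n - di) + min(dj, n - dj)

def neighbourhood_probability(state, marked, n, radius):
    """Probability of being within Manhattan distance `radius` of the marked location."""
    return sum(x * x for i, row in enumerate(state) for j, c in enumerate(row)
               if torus_l1(i, j, marked, n) <= radius for x in c)

def akr_steps(N):
    """The O(sqrt(N log N)) step count of [AKR05], with constant 1 and ln (assumption)."""
    return math.ceil(math.sqrt(N * math.log(N)))

def best_neighbourhood_probability(n, marked, max_steps):
    """Scan t = 1..max_steps; return (largest probability within N^(1/4), the step t)."""
    N = n * n
    radius = int(round(N ** 0.25))
    state = initial_state(n)
    best, best_t = 0.0, 0
    for t in range(1, max_steps + 1):
        coin_step(state, marked)
        state = shift_step(state, n)
        p = neighbourhood_probability(state, marked, n, radius)
        if p > best:
            best, best_t = p, t
    return best, best_t

if __name__ == "__main__":
    n, marked = 16, (3, 5)          # constructed sample: 16 x 16 grid, N = 256
    t = akr_steps(n * n)
    s = walk(n, marked, t)
    print("t = %d, P(within N^(1/4)) = %.3f" % (t, neighbourhood_probability(s, marked, n, 4)))
    print("best over 2t steps:", best_neighbourhood_probability(n, marked, 2 * t))
```

The unmarked check is exact because the uniform coin state is a fixed point of D and the shift only permutes basis states; the 1 − 2/N value after one marked step follows because −I flips the four amplitudes at the marked location and the shift is a permutation that fixes $|\psi(0)\rangle$.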
4 Proofs
² Here, $|i - i'| \le N'$ and $|j - j'| \le N'$ should be interpreted “modulo N”: $|i - i'| \le N'$
if $(i - i') \bmod N \in \{-N', -N' + 1, \ldots, N'\}$.
Let
$$
|\psi\rangle = \sum_{j=0}^{\sqrt{N}-1} \sum_{j'=0}^{\sqrt{N}-1} \sum_{d} \alpha^t_{j,j',d}\,|j,j',d\rangle
$$
we have
$$
\sum_{(j,j') \in S} |\alpha^t_{j,j',\Uparrow}|^2 \ge C^2 \sum_{(j,j') \in S} \left(f(j,j') - f(j-1,j')\right)^2 + o(1)
$$
where
$$
f(j,j') = \sum_{(k,l) \ne (0,0)} \frac{\omega^{kj+lj'}}{2 - \cos\frac{2k\pi}{\sqrt{N}} - \cos\frac{2l\pi}{\sqrt{N}}},
$$
$\omega = e^{2\pi i/\sqrt{N}}$ and $C = \Theta\!\left(\frac{1}{\sqrt{N \log N}}\right)$.
1. $U_1 = I - 2|\psi_{good}\rangle\langle\psi_{good}|$ (in other words, $U_1|\psi_{good}\rangle = -|\psi_{good}\rangle$ and, if $|\psi\rangle$ is
orthogonal to $|\psi_{good}\rangle$, then $U_1|\psi\rangle = |\psi\rangle$);
2. $U_2|\psi_{start}\rangle = |\psi_{start}\rangle$ for some state $|\psi_{start}\rangle$ with real amplitudes and there
is no other eigenvector with eigenvalue 1;
3. $U_2$ is described by a real unitary matrix.
$$
|v^+_{k,l}\rangle = \frac{i}{2\sqrt{2}\sin\theta_{k,l}}
\begin{pmatrix} e^{-i\theta_{k,l}} - \omega^{k} \\ e^{-i\theta_{k,l}} - \omega^{-k} \\ e^{-i\theta_{k,l}} - \omega^{l} \\ e^{-i\theta_{k,l}} - \omega^{-l} \end{pmatrix},
\qquad
|v^-_{k,l}\rangle = \frac{i}{2\sqrt{2}\sin\theta_{k,l}}
\begin{pmatrix} \omega^{k} - e^{i\theta_{k,l}} \\ \omega^{-k} - e^{i\theta_{k,l}} \\ \omega^{l} - e^{i\theta_{k,l}} \\ \omega^{-l} - e^{i\theta_{k,l}} \end{pmatrix}.
$$
The order of directions for the coin register is: $|\Downarrow\rangle, |\Uparrow\rangle, |\Rightarrow\rangle, |\Leftarrow\rangle$. The sign of
$|v^-_{k,l}\rangle$ has been adjusted so that
$$
\frac{1}{\sqrt{2}}|\Phi^+_{k,l}\rangle + \frac{1}{\sqrt{2}}|\Phi^-_{k,l}\rangle = |\xi_k\rangle \otimes |\xi_l\rangle \otimes |\delta\rangle \quad (4)
$$
where $|\delta\rangle = \frac{1}{2}|\Downarrow\rangle + \frac{1}{2}|\Uparrow\rangle + \frac{1}{2}|\Rightarrow\rangle + \frac{1}{2}|\Leftarrow\rangle$.
We can assume that $|\psi_{good}\rangle = |0\rangle \otimes |0\rangle \otimes |\delta\rangle$. This gives us an expression of
$|\psi_{good}\rangle$ in terms of the eigenvectors of $U_2$:
$$
|\psi_{good}\rangle = \frac{1}{\sqrt{N}} \sum_{k,l} |\xi_k\rangle \otimes |\xi_l\rangle \otimes |\delta\rangle
= \frac{1}{\sqrt{N}}|\psi_{start}\rangle + \sum_{(k,l) \ne (0,0)} \left( \frac{1}{\sqrt{2N}}|\Phi^+_{k,l}\rangle + \frac{1}{\sqrt{2N}}|\Phi^-_{k,l}\rangle \right).
$$
Using the results from [AKR05], we can transform this into an expression for the
final state of our quantum search algorithm. According to the first big equation
in the proof of Lemma 5 in [AKR05], after $t = O(\sqrt{N \log N})$ steps, we get a
final state $|\psi\rangle$ such that $\| |\psi\rangle - |\phi_{final}\rangle \| = o(1)$, where $|\phi_{final}\rangle = \frac{|\phi'_{final}\rangle}{\|\phi'_{final}\|}$ and
$$
|\phi'_{final}\rangle = \frac{1}{\sqrt{N}}|\psi_{start}\rangle + \frac{1}{\sqrt{2N}} \sum_{(k,l) \ne (0,0)} \left( a_{k,l}|\Phi^+_{k,l}\rangle + b_{k,l}|\Phi^-_{k,l}\rangle \right) \quad (5)
$$
and
$$
a_{k,l} = 1 + \frac{i}{2}\cot\frac{\alpha + \theta_{k,l}}{2} + \frac{i}{2}\cot\frac{-\alpha + \theta_{k,l}}{2}, \qquad
b_{k,l} = 1 + \frac{i}{2}\cot\frac{\alpha - \theta_{k,l}}{2} + \frac{i}{2}\cot\frac{-\alpha - \theta_{k,l}}{2}.
$$
We now replace $\sum_{(j,j') \in S} |\alpha^t_{j,j',d}|^2$ by the corresponding sum of squares of amplitudes
for the state $|\phi_{final}\rangle$. By Lemma 2, this changes the sum by an amount
that is o(1).
From [AKR05], we have $\alpha = \Theta\!\left(\frac{1}{\sqrt{N \log N}}\right)$, $\min \theta_{k,l} = \Theta\!\left(\frac{1}{\sqrt{N}}\right)$ and $\max \theta_{k,l} = \pi - \Theta\!\left(\frac{1}{\sqrt{N}}\right)$. Hence, we have $\pm\alpha + \theta_{k,l} = (1 + o(1))\theta_{k,l}$ and we get
$$
|\phi'_{final}\rangle = \frac{1}{\sqrt{N}}|\psi_{start}\rangle
+ \frac{1}{\sqrt{2N}} \sum_{(k,l) \ne (0,0)} \left(1 + i(1 + o(1))\cot\frac{\theta_{k,l}}{2}\right)|\Phi^+_{k,l}\rangle
+ \frac{1}{\sqrt{2N}} \sum_{(k,l) \ne (0,0)} \left(1 - i(1 + o(1))\cot\frac{\theta_{k,l}}{2}\right)|\Phi^-_{k,l}\rangle. \quad (6)
$$
This means that $\| |\psi_{final}\rangle - |\phi_{final}\rangle \| = o(1)$ where $|\psi_{final}\rangle = \frac{|\psi'_{final}\rangle}{\|\psi'_{final}\|}$ and
$$
|\psi'_{final}\rangle = |\psi_{good}\rangle + \frac{1}{\sqrt{2N}} \sum_{(k,l) \ne (0,0)} i\cot\frac{\theta_{k,l}}{2}\left(|\Phi^+_{k,l}\rangle - |\Phi^-_{k,l}\rangle\right). \quad (7)
$$
Again, we can replace a sum of squares of amplitudes for the state $|\phi_{final}\rangle$ by
the corresponding sum for $|\psi_{final}\rangle$ and, by Lemma 2, the sum changes by an
amount that is o(1).
We now estimate the amplitude of $|j,j',\Uparrow\rangle$ in $|\psi_{final}\rangle$. We assume that $(j,j') \ne (0,0)$. Then, the amplitude of $|j,j',\Uparrow\rangle$ in $|\psi_{good}\rangle$ is 0. Hence, we can evaluate the
amplitude of $|j,j',\Uparrow\rangle$ in
$$
\frac{1}{\sqrt{2N}} \sum_{(k,l) \ne (0,0)} i\cot\frac{\theta_{k,l}}{2}\left(|\Phi^+_{k,l}\rangle - |\Phi^-_{k,l}\rangle\right) \quad (8)
$$
and then divide the result by $\Theta(\sqrt{\log N})$, because $\|\psi'_{final}\| = \Theta(\sqrt{\log N})$.
From the definitions of $|\Phi^\pm_{k,l}\rangle$ and $|v^\pm_{k,l}\rangle$,
$$
\frac{1}{\sqrt{2}}|v^+_{k,l}\rangle - \frac{1}{\sqrt{2}}|v^-_{k,l}\rangle = \frac{i}{4\sin\theta_{k,l}}
\begin{pmatrix} 2\cos\theta_{k,l} - 2\omega^{k} \\ 2\cos\theta_{k,l} - 2\omega^{-k} \\ 2\cos\theta_{k,l} - 2\omega^{l} \\ 2\cos\theta_{k,l} - 2\omega^{-l} \end{pmatrix}.
$$
The amplitude of $|\Uparrow\rangle$ in this state is $\frac{i}{2\sin\theta_{k,l}}(\cos\theta_{k,l} - \omega^{-k})$. The amplitude
of $|j\rangle$ in $|\xi_k\rangle$ is $\frac{1}{\sqrt[4]{N}}\omega^{kj}$. The amplitude of $|j'\rangle$ in $|\xi_l\rangle$ is $\frac{1}{\sqrt[4]{N}}\omega^{lj'}$. Therefore, the
amplitude of $|j,j',\Uparrow\rangle$ in $\frac{1}{\sqrt{2}}|\Phi^+_{k,l}\rangle - \frac{1}{\sqrt{2}}|\Phi^-_{k,l}\rangle$ is
$$
\frac{1}{\sqrt{N}}\,\frac{i}{2\sin\theta_{k,l}}\,\omega^{kj+lj'}(\cos\theta_{k,l} - \omega^{-k})
$$
and the amplitude of $|j,j',\Uparrow\rangle$ in (8) is
$$
\frac{1}{\sqrt{2N}} \sum_{(k,l) \ne (0,0)} i\cot\frac{\theta_{k,l}}{2} \cdot \frac{i}{2\sin\theta_{k,l}}(\cos\theta_{k,l} - \omega^{-k})\,\omega^{kj+lj'}.
$$
By using $\sin\theta_{k,l} = 2\sin\frac{\theta_{k,l}}{2}\cos\frac{\theta_{k,l}}{2}$, we get that the amplitude of $|j,j',\Uparrow\rangle$ is
$$
\frac{1}{\sqrt{2}} \sum_{(k,l) \ne (0,0)} \frac{1}{4N}\left[ -\frac{\cos\theta_{k,l}}{\sin^2\frac{\theta_{k,l}}{2}}\,\omega^{kj+lj'} + \frac{1}{\sin^2\frac{\theta_{k,l}}{2}}\,\omega^{k(j-1)+lj'} \right]
= \frac{1}{\sqrt{2}} \sum_{(k,l) \ne (0,0)} \frac{1}{4N}\left[ 2\omega^{kj+lj'} - \frac{1}{\sin^2\frac{\theta_{k,l}}{2}}\left(\omega^{kj+lj'} - \omega^{k(j-1)+lj'}\right) \right], \quad (9)
$$
To obtain the amplitude of $|j,j',\Uparrow\rangle$ in $|\psi_{final}\rangle$, this should be divided by $\|\psi'_{final}\|$
which is of the order $\Theta(\sqrt{\log N})$. This implies Lemma 1.
$$= \sum_{(k,l)\in S}\frac{\cos\frac{2(kj+lj')\pi}{n} + i\sin\frac{2(kj+lj')\pi}{n}}{2 - \cos\frac{2k\pi}{n} - \cos\frac{2l\pi}{n}}. \qquad (10)$$
96 A. Ambainis et al.
Since the cosine function is periodic with period $2\pi$, we have $\cos\frac{2l\pi}{n} = \cos\frac{2(l-N)\pi}{n}$. Hence, we can replace the summation over $S$ by the summation over
$$S' = \left\{(k,l)\;\middle|\;k,l\in\left\{-\left\lfloor\tfrac n2\right\rfloor,\,-\left\lfloor\tfrac n2\right\rfloor+1,\,\ldots,\,\left\lceil\tfrac n2\right\rceil-1\right\}\right\}\setminus\{(0,0)\}.$$
This implies that the imaginary part of (10) cancels out because terms in the sum can be paired up so that, in each pair, the imaginary part in both terms has the same absolute value but opposite sign. Namely:
– If none of $k$, $l$, $-k$ and $-l$ is equal to $\frac n2$, we pair up $(k,l)$ with $(-k,-l)$.
– If none of $k$ and $-k$ is equal to 0 or $\frac n2$, we pair up $(-\frac n2,k)$ with $(-\frac n2,-k)$ and $(k,-\frac n2)$ with $(-k,-\frac n2)$.
– The terms $(-\frac n2,0)$, $(0,-\frac n2)$ and $(-\frac n2,-\frac n2)$ are left without a pair. This does not affect the argument because the imaginary part is equal to 0 in those terms.
Hence, we have
$$f(j,j') = \sum_{(k,l)\in S'}\frac{\cos\frac{2(kj+lj')\pi}{n}}{2 - \cos\frac{2k\pi}{n} - \cos\frac{2l\pi}{n}}.$$
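The pairing argument can be checked numerically. The following is an added example, not part of the paper: it evaluates the summands of (10) over $S'$ for an even $n$, builds the pairs prescribed by the three cases above, and confirms that each pair's imaginary parts cancel while the three unpaired terms are real, so that the sum equals $f(j,j')$. The values of $n$, $j$ and $j'$ used are constructed.

```python
import cmath
import math


def index_set(n):
    """S' without the origin: (k, l) with k, l in {-floor(n/2), ..., ceil(n/2)-1}, (k, l) != (0, 0)."""
    rng = range(-(n // 2), (n + 1) // 2)
    return [(k, l) for k in rng for l in rng if (k, l) != (0, 0)]


def summand(n, k, l, j, jp):
    """One term of (10): (cos + i sin)(2(kj + lj')pi/n) / (2 - cos(2k pi/n) - cos(2l pi/n))."""
    numerator = cmath.exp(2j * math.pi * (k * j + l * jp) / n)
    denominator = 2 - math.cos(2 * math.pi * k / n) - math.cos(2 * math.pi * l / n)
    return numerator / denominator


def f_complex(n, j, jp):
    """Right-hand side of (10), summed over S'."""
    return sum(summand(n, k, l, j, jp) for (k, l) in index_set(n))


def f_real(n, j, jp):
    """f(j, j') as written after the pairing argument: cosine numerator only."""
    return sum(summand(n, k, l, j, jp).real for (k, l) in index_set(n))


def pair_up(n):
    """Partition S' into the pairs of the three cases; even n only, so that -n/2 lies in S'
    while +n/2 does not.  Returns (pairs, singletons)."""
    if n % 2:
        raise ValueError("the pairing as stated uses n/2; n must be even")
    h = n // 2
    pairs, singles, seen = [], [], set()
    for (k, l) in index_set(n):
        if (k, l) in seen:
            continue
        if k != -h and l != -h:
            partner = (-k, -l)          # case 1: neither -k nor -l equals n/2
        elif k == -h and l not in (0, -h):
            partner = (k, -l)           # case 2: (-n/2, l) paired with (-n/2, -l)
        elif l == -h and k not in (0, -h):
            partner = (-k, l)           # case 2: (k, -n/2) paired with (-k, -n/2)
        else:
            singles.append((k, l))      # case 3: (-n/2,0), (0,-n/2), (-n/2,-n/2)
            seen.add((k, l))
            continue
        pairs.append(((k, l), partner))
        seen.update([(k, l), partner])
    return pairs, singles


def imaginary_parts_cancel(n, j, jp, tol=1e-9):
    """True iff every pair has cancelling imaginary parts, every singleton is real,
    and pairs plus singletons exhaust the n^2 - 1 elements of S'."""
    pairs, singles = pair_up(n)
    for p, q in pairs:
        if abs((summand(n, *p, j, jp) + summand(n, *q, j, jp)).imag) > tol:
            return False
    for s in singles:
        if abs(summand(n, *s, j, jp).imag) > tol:
            return False
    return len(singles) == 3 and 2 * len(pairs) + len(singles) == n * n - 1


if __name__ == "__main__":
    n, j, jp = 8, 2, 3                      # constructed grid size and location
    total = f_complex(n, j, jp)
    print(f"Im part of (10): {total.imag:.2e}; f({j},{jp}) = {f_real(n, j, jp):.6f}")
    print("pairing verified:", imaginary_parts_cancel(n, j, jp))
```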
Lemma 3.
$$\sum_{0<j',j<M} g^2(j,j') = \Omega(n^2\ln M)$$
The proof of the lemma can be found in [AB+11]. Together with Lemma 1, this implies that the sum of amplitudes of $|j,j',\Uparrow\rangle$, $0<j',j<M$, is $\Omega\!\left(\frac{\log M}{\log n}\right) - o(1)$. Since $\log N = \Theta(\log M)$, this would complete the proof of Theorem 1.
References
[AA03] Aaronson, S., Ambainis, A.: Quantum search of spatial regions. In: Proc. 44th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pp. 200–209 (2003)
[AB+11] Ambainis, A., Backurs, A., Nahimovs, N., Ozols, R., Rivosh, A.: Search by quantum walks on two-dimensional grid without amplitude amplification. arXiv:quant-ph/1112.3337, 22 pages (2011)
[Amb03] Ambainis, A.: Quantum walks and their algorithmic applications. International Journal of Quantum Information 1, 507–518 (2003)
[Amb04] Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)
[AKR05] Ambainis, A., Kempe, J., Rivosh, A.: Coins make quantum walks faster. In: Proceedings of SODA 2005, pp. 1099–1108 (2005)
[AR08] Ambainis, A., Rivosh, A.: Quantum Walks with Multiple or Moving Marked Locations. In: Geffert, V., Karhumäki, J., Bertoni, A., Preneel, B., Návrat, P., Bieliková, M. (eds.) SOFSEM 2008. LNCS, vol. 4910, pp. 485–496. Springer, Heidelberg (2008)
[Ben02] Benioff, P.: Space searches with a quantum robot. In: Quantum Computation and Information, Washington, DC. Contemp. Math., vol. 305, pp. 1–12. Amer. Math. Soc., Providence (2002)
[BS06] Buhrman, H., Spalek, R.: Quantum Verification of Matrix Products. In: Proceedings of 17th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2006), Miami, Florida, pp. 880–889 (2006)
[BV] Bernstein, E., Vazirani, U.: Quantum complexity theory. SIAM Journal on Computing 26, 1411–1473 (1997)
[CC+03] Childs, A.M., Cleve, R., Deotto, E., Farhi, E., Gutmann, S., Spielman, D.A.: Exponential algorithmic speedup by a quantum walk. In: Proceedings of the 35th ACM STOC, pp. 59–68 (2003)
[CG04] Childs, A., Goldstone, J.: Spatial search and the Dirac equation. Physical Review A 70, 042312 (2004)
[Gro96] Grover, L.: A fast quantum mechanical algorithm for database search. In: Proceedings of the 28th ACM STOC, Philadelphia, Pennsylvania, pp. 212–219. ACM Press (1996)
[Kem03] Kempe, J.: Quantum random walks - an introductory overview. Contemporary Physics 44(4), 302–327 (2003)
[KM+10] Krovi, H., Magniez, F., Ozols, M., Roland, J.: Finding Is as Easy as Detecting for Quantum Walks. In: Abramsky, S., Gavoille, C., Kirchner, C., Meyer auf der Heide, F., Spirakis, P.G. (eds.) ICALP 2010. LNCS, vol. 6198, pp. 540–551. Springer, Heidelberg (2010)
[Mey96] Meyer, D.A.: From quantum cellular automata to quantum lattice gases. Journal of Statistical Physics 85, 551–574 (1996)
[MPA10] Marquezino, F.L., Portugal, R., Abal, G.: Mixing times in quantum walks on two-dimensional grids. arXiv:1006.4625
[MSS05] Magniez, F., Santha, M., Szegedy, M.: An $O(n^{1.3})$ quantum algorithm for the triangle problem. In: Proceedings of SODA 2005, pp. 1109–1117 (2005); SIAM J. Comput. 37(2), 413–424 (2007)
[SKW03] Shenvi, N., Kempe, J., Whaley, K.B.: A quantum random walk search algorithm. Physical Review A 67(5), 052307 (2003)
[Sze04] Szegedy, M.: Quantum speed-up of Markov Chain based algorithms. In: Proceedings of IEEE FOCS 2004, pp. 32–41 (2004)
[Tul08] Tulsi, A.: Faster quantum-walk algorithm for the two-dimensional spatial search. Phys. Rev. A 78, 012310 (2008)
The Effects of Free
Will on Randomness Expansion
1 Introduction
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 98–106, 2013.
c Springer-Verlag Berlin Heidelberg 2013
2 Overview
100 D.E. Koh et al.
We work in the simplest scenario of two parties with two inputs and two outputs each, characterized by the Clauser-Horne-Shimony-Holt (CHSH) inequality [8]. The devices that Alice and Bob use are treated as black boxes, potentially prepared by an adversary. The inputs are labelled $A_j$ and $B_k$ respectively, where $j,k\in\{0,1\}$, and the outputs are labelled $a,b\in\{0,1\}$. The CHSH test is repeated a large number of times, yielding a probability distribution of the outputs (O) $\{p_O(a,b|A_j,B_k)\}$, which we assume to be non-signalling. In terms of these probabilities, the CHSH correlation function $E$ can be defined as
$$E = \sum_{a,b,j,k\in\{0,1\}}(-1)^{a+b+jk}\,p_O(a,b|A_j,B_k). \qquad (1)$$
We impose the condition that the probabilities of the inputs (I), $p_I$, are uniform, i.e. $p_I(A_j,B_k) = \frac14$ for all $j,k\in\{0,1\}$, which means that unless one has knowledge of the underlying variables, one will be unable to detect any deviation of these probabilities from the uniform distribution $(\frac14,\frac14,\frac14,\frac14)$.
We describe the adversary's control over the inputs and outputs by an underlying variable $\lambda$, which could describe both classical and quantum states, and underlying conditional probability densities $p_O(a,b|A_j,B_k,\lambda)$ and $\rho(\lambda|A_j,B_k)$, which are related to $\{p_O(a,b|A_j,B_k)\}$ by Bayes' theorem: $p_O(a,b|A_j,B_k) = \int d\lambda\;p_O(a,b|A_j,B_k,\lambda)\,\rho(\lambda|A_j,B_k)$. By summing over $b$ and $a$ respectively, we obtain the marginals $p_O^{(A)}(a|A_j,\lambda)$ and $p_O^{(B)}(b|B_k,\lambda)$. Note that the marginal probability $p_O^{(A)}$ is independent of $B_k$ and $p_O^{(B)}$ is independent of $A_j$ because of the no-signalling assumption. The guessing probability $G(\lambda)$ for a given underlying variable $\lambda$ would then be the maximum over all these marginal probabilities. The guessing probability, for Alice, Bob or any observer without access to the underlying variables, is the weighted average of $G(\lambda)$ over $\lambda$, i.e.
$$G = \int d\lambda\;\rho(\lambda)\,G(\lambda), \qquad (2)$$
where $\rho(\lambda)$ is the probability distribution of the underlying variable $\lambda$. Note that $G$ takes values in the closed interval $[\frac12,1]$, where $G=\frac12$ ($G=1$) means that the underlying model is indeterministic (deterministic).
For a given Bell violation, tight bounds for $G$ have been calculated in the literature [9] for the case of complete free will. In order to formulate the relaxation of free will, we define a free will parameter, $P$, as the maximum probability that a particular pair of measurement settings is chosen, maximized over all control variables $\lambda$, i.e.
$$P = \max_{j,k,\lambda}\;p_I(A_j,B_k|\lambda). \qquad (3)$$
This quantifies the maximum deviation of $p_I(A_j,B_k|\lambda)$ from the uniform distribution. For a 2-party-2-setting protocol, $P$ takes values in the interval $[\frac14,1]$; $P=\frac14$ corresponds to the case of complete free will, while $P=1$ corresponds to the case of maximal measurement dependence, as in [10]. Any value of $P$ greater than $\frac14$ indicates that Alice's and Bob's choices of inputs are not completely random, even though they might think they are.
We choose this definition because it relates directly to the probabilities that a pair of inputs is chosen for a given underlying variable. While being more natural for our model, this differs from that given in [3], which involves conditional
[Fig. 1: $G_{S,P}$ (vertical axis, 0.6 to 1.0) plotted for $S$ = 2.0 ($a_i$), 2.8 ($b_i$), 3.3 ($c_i$) and 3.9 ($d_i$), for the general and the factorizable case]
As expected, this does not exceed the bound in the more general case. For an observed Bell violation $S^*$, we obtain
$$G_{fac} \le \min\left\{\frac12\left(1 + \frac{4-S^*}{4(1-2P)}\right),\;1\right\}, \qquad P<\frac12. \qquad (7)$$
It is seen (Fig. 1) that when $\frac14 < P < \frac13$, the bound for $G$ is less in the factorizable case than in the general case. Hence, unless non-factorizable distributions for the inputs are supplied, we can put lower bounds on the guessing probability. Also, it takes a larger value of $P$ in order to produce PR box, i.e. $S^*=4$ [11], correlations for the factorizable case.
Note that for $P=\frac14$, corresponding to the case of complete free will, the bounds for $G$ for both the general and factorizable cases, from Eq. (5) and (7), reduce to the result in [1]: $G \le \frac32 - \frac{S^*}{4}$.
For deterministic strategies, i.e. $G=1$, this gives $S(1,P) = \min\{24P-4,\,4\}$ and $S_{fac}(1,P) = \min\{8P,\,4\}$, representing a lower bound on any optimal indeterministic strategy (Fig. 2). Any point above the graph must correspond to a $G<1$ strategy. In other words, any adversary would be forced to introduce some indeterminism in the model, thus decreasing her guessing probability, if she wishes, for a given $P$, to violate the Bell inequality by more than $S(1,P)$ or $S_{fac}(1,P)$ respectively.
Fig. 2. Graph of maximal Bell violation $S(1,P)$ versus $P$ for no-signalling deterministic (i.e. $G=1$) models, showing both general (dashed) and factorizable (solid) cases, which are plots of Eq. (4) and (6). In the region $\frac14 < P < \frac13$, an adversary with access to only factorizable distributions cannot produce as large a Bell violation as one with access to general distributions. Any point above the graphs $S(1,P)$ must correspond to an indeterministic model.
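The quantities above can be exercised on concrete boxes. The following added example (not from the paper) evaluates the CHSH correlation (1) and the no-signalling condition on constructed PR-box, ideal quantum and local deterministic statistics, then applies the factorizable bound (7), its $P=\frac14$ reduction $G \le \frac32 - \frac{S^*}{4}$, and the deterministic curves $S(1,P)$ and $S_{fac}(1,P)$; the general bound (5) is not reproduced here.

```python
import itertools
import math

BITS = (0, 1)


def chsh_correlation(p):
    """E of Eq. (1): sum over a, b, j, k of (-1)^(a+b+jk) p(a, b | A_j, B_k).
    p maps (a, b, j, k) to the conditional output probability."""
    return sum((-1) ** (a + b + j * k) * p[(a, b, j, k)]
               for a, b, j, k in itertools.product(BITS, repeat=4))


def is_no_signalling(p, tol=1e-12):
    """Alice's marginal must not depend on Bob's setting k, and vice versa."""
    for j, a in itertools.product(BITS, repeat=2):
        margins = [sum(p[(a, b, j, k)] for b in BITS) for k in BITS]
        if abs(margins[0] - margins[1]) > tol:
            return False
    for k, b in itertools.product(BITS, repeat=2):
        margins = [sum(p[(a, b, j, k)] for a in BITS) for j in BITS]
        if abs(margins[0] - margins[1]) > tol:
            return False
    return True


def pr_box():
    """Constructed PR-box statistics [11]: a XOR b = j AND k with certainty, so E = 4."""
    return {(a, b, j, k): (0.5 if (a ^ b) == (j & k) else 0.0)
            for a, b, j, k in itertools.product(BITS, repeat=4)}


def quantum_box():
    """Constructed ideal quantum statistics at Tsirelson's bound, E = 2*sqrt(2)."""
    return {(a, b, j, k): (1 + (-1) ** (a + b + j * k) / math.sqrt(2)) / 4
            for a, b, j, k in itertools.product(BITS, repeat=4)}


def local_deterministic_box():
    """Constructed local deterministic box: both parties always output 0, giving E = 2."""
    return {(a, b, j, k): (1.0 if a == 0 and b == 0 else 0.0)
            for a, b, j, k in itertools.product(BITS, repeat=4)}


def g_fac_bound(s_star, P):
    """Eq. (7): G_fac <= min{ (1/2)(1 + (4 - S*)/(4(1 - 2P))), 1 }, for 1/4 <= P < 1/2."""
    if not 0.25 <= P < 0.5:
        raise ValueError("(7) is stated for P < 1/2, and P >= 1/4 by definition")
    return min(0.5 * (1 + (4 - s_star) / (4 * (1 - 2 * P))), 1.0)


def g_complete_free_will_bound(s_star):
    """The bound of [1] that (7) reduces to at P = 1/4: G <= 3/2 - S*/4."""
    return 1.5 - s_star / 4


def s_deterministic(P):
    """S(1, P) = min{24P - 4, 4}: largest violation of a general deterministic model."""
    return min(24 * P - 4, 4.0)


def s_fac_deterministic(P):
    """S_fac(1, P) = min{8P, 4}: largest violation of a factorizable deterministic model."""
    return min(8 * P, 4.0)


if __name__ == "__main__":
    boxes = (("local", local_deterministic_box()), ("quantum", quantum_box()), ("PR", pr_box()))
    for name, box in boxes:
        s = chsh_correlation(box)
        print(f"{name:8s} E = {s:.4f}  no-signalling: {is_no_signalling(box)}  "
              f"G_fac(P=1/4) <= {g_fac_bound(s, 0.25):.4f}  G_fac(P=0.3) <= {g_fac_bound(s, 0.3):.4f}")
```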
3 Concluding Remarks
We have shown that for no-signalling models, the bound for the guessing proba-
bility increases as the degree of free will of Alice and Bob decreases. This allows
us to put an upper bound on the guessing probability of an adversary given that
the amount of free will and Bell violation are known.
In the above work we have specified the maximum device-independent bound
on an eavesdropper Eve’s maximum guessing probability, assuming she has ac-
cess to devices that can produce any non-signalling distribution (including PR
boxes etc.). It is of course worth asking how these bounds would be reduced in
the more realistic setting where Eve has access only to quantum devices, and
what Eve’s optimal quantum strategy would be to achieve the new bounds.
A natural extension of this work is to ask whether the local strategies employed
here could be used to take advantage of a key distribution scheme, where an
eavesdropper fakes a Bell violation to undermine the security that Alice and
Bob believe is in their key. One could explicitly state a procedure that employs
a Bell test for a subset of the total runs in n experiments, yet generates a key
from a disjoint subset, akin to the Ekert protocol [12].
References
1. Pironio, S., et al.: Nature 464, 1021 (2010)
2. Bell, J.S.: Physics 1, 195 (1964)
3. Hall, M.J.W.: Phys. Rev. Lett. 105, 250404 (2010)
4. Barrett, J., Gisin, N.: arXiv:1008.3612v2 (2011)
5. Colbeck, R., Renner, R.: arXiv:1105.3195v2 (2011)
6. Kofler, J., Paterek, T., Brukner, C.: Phys. Rev. A 73, 022104 (2006)
7. Hall, M.J.W.: Phys. Rev. A. 84, 022102 (2011)
8. Clauser, J.F., et al.: Phys. Rev. Lett. 23, 880 (1969)
9. Masanes, L., Pironio, S., Acin, A.: Nature Commun. 2, 238 (2011)
10. Brans, C.: Int. J. Theoret. Phys. 27, 219 (1988)
11. Popescu, S., Rohrlich, D.: Found. Phys. 24, 379 (1994)
12. Ekert, A.: Phys. Rev. Lett. 67, 661 (1991)
Semi-device-independent QKD
Based on BB84 and a CHSH-Type Estimation
1 Introduction
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 107–115, 2013.
c Springer-Verlag Berlin Heidelberg 2013
108 E. Woodhead, C.C.W. Lim, and S. Pironio
$$S = \frac12\sum_{abxy}(-1)^{a+b+xy}\,P(b\,|\,axy). \qquad (1)$$
(As this is the only use of these cases, all results where measurement y = 0 or
y = 1 are performed should be used to estimate this correlator.)
We now proceed to describe how a characterization of Alice’s states can be
extracted from the correlator S, before deriving a lower bound on the secure
keyrate.
3 State Characterization
$$P(b\,|\,axy) = 2\,\big\langle\rho^{(x)}_a\otimes M^{(y)\mathrm T}_b\big\rangle_{\Phi^+}. \qquad (3)$$
Substituting (3) into (1), we find that we may express the correlator as

where
$$A_x = \rho^{(x)}_0 - \rho^{(x)}_1, \qquad (5)$$
$$B_y = M^{(y)}_0 - M^{(y)}_1. \qquad (6)$$
$$S^2 \le \langle O\rangle_{\Phi^+} + \big\langle [A_0,A_1]\otimes[B_0,B_1]^{\mathrm T}\big\rangle_{\Phi^+}, \qquad (7)$$
where
$$O = \left(A_0^2 + A_1^2\right)\otimes\left((B_0^{\mathrm T})^2 + (B_1^{\mathrm T})^2\right) + \left(A_0^2 - A_1^2\right)\otimes\{B_0,B_1\}^{\mathrm T} + \{A_0,A_1\}\otimes\left((B_0^{\mathrm T})^2 - (B_1^{\mathrm T})^2\right). \qquad (8)$$
Because the operators $A_0$ and $A_1$ are traceless, we can express them as linear combinations of the Pauli operators:
$$A_0 = \bar p\cdot\bar\sigma, \qquad (10)$$
$$A_1 = \bar q\cdot\bar\sigma, \qquad (11)$$
$$|\sin(\theta)| \ge S^2/4 - 1. \qquad (18)$$
$$2^{1-\lambda}\sigma_B = \tfrac12(\rho+\tau) + \tfrac12|\rho-\tau|. \qquad (25)$$
We determine $\lambda$ by taking the trace of both sides, which concludes the proof of (22).
$$\tfrac12\|A_{x,B}\|_1 \ge |1 - 2Q^{(x)}|. \qquad (26)$$
The following lemma will allow us to put an upper bound on $\frac12\|A_{E,x}\|_1$ given lower bounds on $\frac12\|A_{B,x}\|_1$, which will produce a lower bound on $H_{\min}(A|E)$.
Lemma 2. Let $X = \bar x\cdot\bar\sigma$ and $Z = \bar z\cdot\bar\sigma$ be two Pauli-type operators contained in the same two-dimensional Hilbert space $\mathcal H_2$, with $\mathcal H_2\subset\mathcal H_A\otimes\mathcal H_B$, where $\mathcal H_A$ and $\mathcal H_B$ are two arbitrary Hilbert spaces whose tensor product is of dimension at least two. In the case where $\bar x$ and $\bar z$ are unit vectors,
Adding these and applying the Cauchy-Schwarz inequality in the same manner as before we finally obtain
$$|\bar q\cdot\bar v| \le \sqrt{\langle P\otimes\mathbb 1_B\rangle_0 + \langle P_\perp\otimes\mathbb 1_B\rangle_1}\;\sqrt{\langle P_\perp\otimes\mathbb 1_B\rangle_0 + \langle P\otimes\mathbb 1_B\rangle_1} = \sqrt{(1+\bar p\cdot\bar u)(1-\bar p\cdot\bar u)} = \sqrt{1-(\bar p\cdot\bar u)^2}, \qquad (36)$$
or
$$(\bar p\cdot\bar u)^2 + (\bar q\cdot\bar v)^2 \le 1. \qquad (37)$$
This bound holds for all pairs $\bar u$, $\bar v$ of orthogonal unit vectors.
It is worth pointing out at this stage that, by identifying $X=\sigma_z$ and $Z=\sigma_x$ in the derivation of (37), we have already demonstrated the special case of (27) where $\cos(\theta)=0$:
$$\tfrac14\|X_A\|_1^2 + \tfrac14\|Z_B\|_1^2 \le 1. \qquad (38)$$
Note that the content of (38) is identical to that of results (23) and (24) of [13]. Indeed, it is easy to see that the information gain $G$ defined by (9) therein is bounded by the trace distance between the states received by Eve. We may express this as $G \le \frac12\|X_E\|_1$. Using this and the bound $|1-2Q| \le \frac12\|Z_B\|_1$ on the QBER in the $Z$ basis, we have
$$G^2 + (1-2Q)^2 \le 1, \qquad (39)$$
or
$$G \le 2\sqrt{Q(1-Q)}. \qquad (40)$$
Conversely, (40) is satisfied for all POVMs Bob and Eve could perform, including those which saturate the bounds on $Q$ and $G$.
We now show that the left hand side of (30) is bounded by $1 + |\cos(\theta)|$. This is accomplished by choosing two orthogonal unit vectors $\bar u$ and $\bar v$, such that

with
$$\lambda = \tfrac12\left(\sqrt{1+\cos(\theta)} + \sqrt{1-\cos(\theta)}\right), \qquad (43)$$
$$\mu = \tfrac12\left(\sqrt{1+\cos(\theta)} - \sqrt{1-\cos(\theta)}\right). \qquad (44)$$
With these definitions one may verify that $\|\bar x\| = \|\bar z\| = 1$ and $\bar x\cdot\bar z = \cos(\theta)$, as required. Then,
$$(\bar p\cdot\bar x)^2 + (\bar q\cdot\bar z)^2 = \lambda^2\left[(\bar p\cdot\bar u)^2 + (\bar q\cdot\bar v)^2\right] + \mu^2\left[(\bar q\cdot\bar u)^2 + (\bar p\cdot\bar v)^2\right] + 2\lambda\mu\left[(\bar p\cdot\bar u)(\bar p\cdot\bar v) + (\bar q\cdot\bar u)(\bar q\cdot\bar v)\right] \le \lambda^2 + \mu^2 + 2|\lambda\mu| = (\lambda + |\mu|)^2 = 1 + |\cos(\theta)|. \qquad (45)$$
Applying this result yields, for example,
$$\tfrac12\|A_{0,E}\|_1 \le \sqrt{|\cos(\theta)| + 4Q^{(1)}\left(1-Q^{(1)}\right)}. \qquad (46)$$
4.2 Result
We now have all the ingredients necessary to put a lower bound on the keyrate.
Combining the results of the previous subsection, and considering the keyrate
generated just from the basis x = 0 as an example, we obtain the bound
$$r^{(0)} \ge 1 - \log\Big(1 + \sqrt{|\cos(\theta)| + 4Q^{(1)}\left(1-Q^{(1)}\right)}\Big) - h(Q^{(0)}), \qquad (47)$$
where an upper bound on |cos(θ)| is obtained via (18), h(x) denotes the binary
entropy, and we have used that H(A|B) ≤ h(Q(0) ).
It should be noted that the asymptotic keyrate derived here is far from opti-
mal. The main reason for this is that we have opted to bound the min-entropy,
due to its simple expression (22) in terms of the trace distance between the
states it is defined on. Another limitation is that (27) is not a tight inequality,
except in the case where $\frac12\|X_A\|_1 = \frac12\|Z_B\|_1$. We believe it is possible to derive
significantly better bounds, more in line with those known for BB84 or based on
entropic uncertainty relations. This will form the subject of future work.
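The following added example (not the authors' code) evaluates the keyrate bound (47), bounding $|\cos(\theta)|$ through (18) and Eve's trace distance through (46), with $\log$ taken base 2. The BB84 prepare-and-measure statistics used to generate $S$, a depolarising channel of visibility $V$ and the resulting QBER $Q=(1-V)/2$ in the key basis, are a constructed illustration and not the paper's model.

```python
import math

SQRT2 = math.sqrt(2)


def binary_entropy(x):
    """h(x) in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def chsh_prepare_measure(visibility=1.0):
    """S of Eq. (1) for BB84 states with Bloch vectors +-z (x = 0) and +-x (x = 1), Bob measuring
    along (z + x)/sqrt2 (y = 0) and (z - x)/sqrt2 (y = 1).  A depolarising channel of the given
    visibility shrinks Alice's Bloch vectors.  Constructed illustration, not the paper's model."""
    states = {(0, 0): (0.0, 1.0), (1, 0): (0.0, -1.0),        # (a, x) -> Bloch vector (x, z)
              (0, 1): (1.0, 0.0), (1, 1): (-1.0, 0.0)}
    measurements = {0: (1 / SQRT2, 1 / SQRT2), 1: (-1 / SQRT2, 1 / SQRT2)}   # y -> Bloch axis
    s = 0.0
    for (a, x), r in states.items():
        for y, m in measurements.items():
            dot = visibility * (r[0] * m[0] + r[1] * m[1])
            for b in (0, 1):
                prob = 0.5 * (1 + (-1) ** b * dot)             # P(b | a x y), projective measurement
                s += 0.5 * (-1) ** (a + b + x * y) * prob
    return s


def abs_cos_theta_bound(S):
    """Largest |cos(theta)| compatible with (18), |sin(theta)| >= S^2/4 - 1, for 2 <= S <= 2 sqrt2."""
    if not 2.0 - 1e-12 <= S <= 2 * SQRT2 + 1e-12:
        raise ValueError("S outside [2, 2*sqrt(2)]")
    sin_lower = S * S / 4 - 1
    return math.sqrt(max(0.0, 1 - sin_lower * sin_lower))


def eve_trace_distance_bound(S, q1):
    """(46): (1/2)||A_{0,E}||_1 <= sqrt(|cos theta| + 4 Q^(1) (1 - Q^(1)))."""
    return math.sqrt(abs_cos_theta_bound(S) + 4 * q1 * (1 - q1))


def keyrate_bound(S, q0, q1):
    """(47): r^(0) >= 1 - log2(1 + sqrt(|cos theta| + 4 Q^(1)(1 - Q^(1)))) - h(Q^(0))."""
    return 1 - math.log2(1 + eve_trace_distance_bound(S, q1)) - binary_entropy(q0)


if __name__ == "__main__":
    for v in (1.0, 0.95, 0.9, 1 / SQRT2):
        S = chsh_prepare_measure(v)
        q = (1 - v) / 2                   # constructed: QBER of the depolarised states in the key basis
        print(f"V={v:.3f}  S={S:.4f}  Q={q:.4f}  r^(0) >= {keyrate_bound(S, q, q):+.4f}")
```

Without a CHSH violation ($S=2$) the bound gives no key even at zero error rate, since $|\cos(\theta)|$ may then be 1.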
References
1. Bennett, C.H., Brassard, G.: Quantum cryptography: Public key distribution and
coin tossing. In: Proceedings of IEEE International Conference on Computers,
Systems and Signal Processing, Bangalore, India, vol. 11, pp. 175–179 (1984)
2. Ekert, A.K.: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67,
661–663 (1991)
3. Mayers, D., Yao, A.: Self testing quantum apparatus. Quantum Info. Comput. 4,
273–286 (2004)
4. Barrett, J., Hardy, L., Kent, A.: No signaling and quantum key distribution. Phys.
Rev. Lett. 95, 010503 (2005)
5. Acín, A., Brunner, N., Gisin, N., Massar, S., Pironio, S., Scarani, V.: Device-
independent security of quantum cryptography against collective attacks. Phys.
Rev. Lett. 98, 230501 (2007)
6. Pironio, S., Acín, A., Brunner, N., Gisin, N., Massar, S., Scarani, V.: Device-
independent quantum key distribution secure against collective attacks. New Jour-
nal of Physics 11(4), 045021 (2009)
7. Masanes, L., Pironio, S., Acín, A.: Secure device-independent quantum key distri-
bution with causally independent measurement devices. Nature Communications 2,
283 (2011)
8. Hänggi, E., Renner, R.: Device-independent quantum key distribution with commuting measurements (September 2010)
9. Pawlowski, M., Brunner, N.: Semi-device-independent security of one-way quantum
key distribution. Phys. Rev. A 84, 010302 (2011)
10. Devetak, I., Winter, A.: Distillation of secret key and entanglement from quantum
states. Proceedings of the Royal Society A: Mathematical, Physical and Engineer-
ing Science 461(2053), 207–235 (2005)
11. König, R., Renner, R., Schaffner, C.: The operational meaning of min- and max-
entropy. IEEE Transactions on Information Theory 55(9), 4337–4347 (2009)
12. Helstrom, C.W.: Quantum Detection and Estimation Theory. Academic Press,
New York (1976)
13. Fuchs, C.A., Gisin, N., Griffiths, R.B., Niu, C.S., Peres, A.: Optimal eavesdropping
in quantum cryptography. I. Information bound and optimal strategy. Phys. Rev.
A 56(2), 1163–1172 (1997)
On Some Special Cases
of the Entropy Photon-Number Inequality
1 Introduction
The Entropy Photon-Number Inequality (EPnI) was conjectured by Guha et al. [1]. The EPnI has a classical analogue called the entropy power inequality, which is stated as follows. Let $X$ and $Y$ be independent random variables with densities and let $h(X)$ be the differential entropy of $X$; then

holds. It was first stated by Shannon in Ref. [2] and the proof was given by Stam and Blachman [3,4].
The EPnI has some important consequences in quantum information theory. In par-
ticular, if this conjecture is true, then one would be able to establish the classical ca-
pacity of certain bosonic channels [1,5]. EPnI is shown to imply two minimum output
entropy conjectures, which would suffice to prove the capacity of several other channels
such as the thermal noise channel [5] and the bosonic broadcast channel [6,7].
The statement of the inequality is as follows. Let $a$ and $b$ be the photon annihilation operators and let the joint state of the modes associated with $a$ and $b$ be the product state, i.e., $\rho_{AB} = \rho_A\otimes\rho_B$, where $\rho_A$ and $\rho_B$ are the density operators associated with the $a$ and $b$ modes respectively. For the beam-splitter with inputs $a$ and $b$ and output $c$ with transmissivity $\eta$ and reflectivity $1-\eta$ respectively, the annihilation operator evolution is given by
$$c = \sqrt{\eta}\,a + \sqrt{1-\eta}\,b, \qquad (2)$$
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 116–127, 2013.
c Springer-Verlag Berlin Heidelberg 2013
where
$$g(x) = (x+1)\log(x+1) - x\log(x) \qquad (4)$$
is the von Neumann entropy of the thermal state with mean photon-number $x$, and $S(\rho) = -\mathrm{Tr}(\rho\log\rho)$ is the von Neumann entropy.
In this paper, we prove the EPnI for the case where $\rho_B$ is the vacuum state and $\rho_A$ has the number states as its eigenvectors and either has two nonzero eigenvalues or has high von Neumann entropy with an arbitrary number of eigenvalues. There are other candidates as well for which special cases of the EPnI hold, and these are mentioned later.
where $[a,a^\dagger] = [b,b^\dagger] = [c,c^\dagger] = [d,d^\dagger] = I$ and $[a,b] = [a,c] = [a,d] = 0$ and so on. We assume that the input density operators are diagonal in the number state basis and hence,
$$\rho_{AB} = \sum_{i=0}^{\infty}\sum_{j=0}^{\infty} x_i y_j\,|i\rangle_A|j\rangle_B\langle i|_A\langle j|_B, \qquad (7)$$
where $x_i$ and $y_j$ are the $i$th and $j$th eigenvalues of $A$ and $B$ respectively, and $|i\rangle_A$ and $|j\rangle_B$ are the Fock number states for the systems $A$ and $B$ respectively. Any state $|i\rangle_A|j\rangle_B$ can be written as (see Ref. [8] for example)
$$|i\rangle_A|j\rangle_B = \frac{(a^\dagger)^i(b^\dagger)^j}{\sqrt{i!}\sqrt{j!}}\,|0\rangle_A|0\rangle_B. \qquad (8)$$
From (5) and (6), we get $a^\dagger = \sqrt\eta\,c^\dagger + \sqrt{1-\eta}\,e^{\iota\phi}d^\dagger$ and $b^\dagger = \sqrt{1-\eta}\,c^\dagger - \sqrt\eta\,e^{\iota\phi}d^\dagger$. Using these with (8), we get the transformation
$$|i\rangle_A|j\rangle_B \xrightarrow{\text{B.S.}} \frac{\left(\sqrt\eta\,c^\dagger + \sqrt{1-\eta}\,e^{\iota\phi}d^\dagger\right)^i\left(\sqrt{1-\eta}\,c^\dagger - \sqrt\eta\,e^{\iota\phi}d^\dagger\right)^j}{\sqrt{i!}\sqrt{j!}}\,|0\rangle_C|0\rangle_D, \qquad (9)$$
where B.S. indicates the action of the beam splitter. Using the fact that the operators $c^\dagger$ and $d^\dagger$ commute and the binomial expansion, we get
$$|i\rangle_A|j\rangle_B \xrightarrow{\text{B.S.}} \frac{1}{\sqrt{i!}\sqrt{j!}}\sum_{k=0}^{i}\sum_{l=0}^{j}\binom{i}{k}\binom{j}{l}\,e^{\iota(k+l)\phi}(-1)^l\,\eta^{\frac{i-k+l}{2}}(1-\eta)^{\frac{j-l+k}{2}}\,(c^\dagger)^{(i+j)-(k+l)}(d^\dagger)^{k+l}\,|0\rangle_C|0\rangle_D. \qquad (10)$$
118 S. Das, N. Sharma, and S. Muthukrishnan
$$|i\rangle_A|j\rangle_B \xrightarrow{\text{B.S.}} \frac{1}{\sqrt{i!}\sqrt{j!}}\sum_{k=0}^{i}\sum_{l=0}^{j}\binom{i}{k}\binom{j}{l}\,e^{\iota(k+l)\phi}(-1)^l\,\eta^{\frac{i-k+l}{2}}(1-\eta)^{\frac{j-l+k}{2}}\sqrt{[(i+j)-(k+l)]!\,(k+l)!}\;|(i+j)-(k+l)\rangle_C|k+l\rangle_D. \qquad (11)$$
$$\rho_{CD} = \sum_{i=0}^{\infty}\sum_{j=0}^{\infty} x_i y_j\,\frac{1}{i!\,j!}\sum_{k=0}^{i}\sum_{l=0}^{j}\sum_{k'=0}^{i}\sum_{l'=0}^{j} e^{\iota[(k+l)-(k'+l')]\phi}(-1)^{l+l'}\binom{i}{k}\binom{j}{l}\binom{i}{k'}\binom{j}{l'}\,\eta^{\,i-\frac{k+k'}{2}+\frac{l+l'}{2}}(1-\eta)^{\,j-\frac{l+l'}{2}+\frac{k+k'}{2}}\sqrt{[(i+j)-(k+l)]!\,(k+l)!}\,\sqrt{[(i+j)-(k'+l')]!\,(k'+l')!}\;|(i+j)-(k+l)\rangle_C|k+l\rangle_D\,\langle(i+j)-(k'+l')|_C\langle k'+l'|_D. \qquad (12)$$
$$\rho_C = \sum_{i=0}^{\infty}\sum_{j=0}^{\infty} x_i y_j\,\frac{1}{i!\,j!}\sum_{k=0}^{i}\sum_{l=0}^{j}\sum_{k'=0}^{i}\sum_{l'=0}^{j}(-1)^{l+l'}\binom{i}{k}\binom{j}{l}\binom{i}{k'}\binom{j}{l'}\,\eta^{\,i-\frac{k+k'}{2}+\frac{l+l'}{2}}(1-\eta)^{\,j-\frac{l+l'}{2}+\frac{k+k'}{2}}\,[(i+j)-(k+l)]!\,(k+l)!\;|(i+j)-(k+l)\rangle\langle(i+j)-(k+l)|\;\delta_{k+l,\,k'+l'}. \qquad (13)$$
We now consider the special case when $\rho_B$ is a vacuum state. Let the set of all probability vectors (with infinite length) be denoted by $\mathcal P$, and if $\mathbf x\in\mathcal P$, then $\sum_{i=0}^{\infty} x_i = 1$ and $x_i \ge 0\ \forall\, i\ge0$. Then (13) reduces to
$$\rho_C = \sum_{i=0}^{\infty} z_i\,|i\rangle_C\langle i|_C, \qquad (14)$$

$$g^{-1}\{H[M_\eta(\mathbf x)]\} \ge \eta\,g^{-1}[H(\mathbf x)]. \qquad (16)$$
Note that this equation is expected to hold for all $\mathbf x\in\mathcal P$ and $\eta\in[0,1]$. The inequality is trivially true for $\eta=0$ since $M_0(\mathbf x) = [1,0,\ldots]$, implying $H[M_0(\mathbf x)] = 0$, and for $\eta=1$ since $M_1(\mathbf x) = \mathbf x$.
Let
$$H_b(p) \triangleq -p\log(p) - (1-p)\log(1-p) \qquad (17)$$
Proof. One can see that $g^{-1}[H_b(\eta\alpha)] = \eta\,g^{-1}[H_b(\alpha)]$ if $\eta\in\{0,1\}$ or $\alpha=0$. In all other cases, we show that

Let $f(\beta) \triangleq g^{-1}[H_b(\beta)]$. The Lemma is equivalent to showing that $f(\beta)/\beta$ is a strictly decreasing function in $0<\beta\le1$. Note that since $g(\beta) = H_b(\beta) + 2\left[\log(2) - H_b(1/2+\beta/2)\right]$ and $\log(2) > H_b(1/2+\beta/2)$ for all $\beta\in(0,1)$, hence $g(\beta) > H_b(\beta)$ for all $0<\beta<1$. Since $g$ is one-to-one and increasing, we have $g^{-1}[H_b(\beta)] < \beta$ for all $0<\beta<1$, or $f(\beta) < \beta$ for all $0<\beta<1$.
It is not difficult to see that

and since, using $f(\beta)<\beta$ for all $0<\beta<1$, it follows that $(1-\beta)[1+f(\beta)] < 1$ for all $0<\beta<1$, hence $f(\beta)/\beta$ is a strictly decreasing function in $0<\beta\le1$.
$$= \sum_{k=i}^{\infty}\sum_{j=k}^{\infty}\binom{k}{i}\eta^i(1-\eta)^{k-i}\binom{j}{k}(\eta')^k(1-\eta')^{j-k}\,x_j \qquad (22)$$
$$= \sum_{j=i}^{\infty}\binom{j}{i}(\eta\eta')^i\,x_j\sum_{k-i=0}^{j-i}\binom{j-i}{k-i}(\eta'-\eta\eta')^{k-i}(1-\eta')^{j-k} \qquad (23)$$
$$= \sum_{j=i}^{\infty}\binom{j}{i}(\eta\eta')^i(1-\eta\eta')^{j-i}\,x_j \qquad (24)$$
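As an added example (not from the paper), the map $M_\eta$ with vacuum in the second port is implemented as the binomial thinning of the photon-number distribution that (13), (14) and (22) to (24) describe, and the conjectured inequality (16) is evaluated numerically: it holds with equality for a (truncated) thermal input, strictly for a two-eigenvalue input as in the lemma above and for a number state, and the composition identity (24) is checked. Entropies are in nats, $g$ is from (4), and the inputs are constructed.

```python
import math
from math import comb


def thin(x, eta):
    """M_eta(x) from (13)-(14) with vacuum in mode B: the photon-number distribution after a
    beam splitter of transmissivity eta, z_i = sum_{j>=i} C(j, i) eta^i (1 - eta)^(j - i) x_j.
    x is a finite probability vector over photon numbers 0..len(x)-1."""
    n = len(x)
    return [sum(comb(j, i) * eta ** i * (1 - eta) ** (j - i) * x[j] for j in range(i, n))
            for i in range(n)]


def entropy(x):
    """Shannon entropy H(x) in nats."""
    return -sum(p * math.log(p) for p in x if p > 0.0)


def g(x):
    """(4): von Neumann entropy of a thermal state with mean photon number x (nats)."""
    return (x + 1) * math.log(x + 1) - x * math.log(x) if x > 0.0 else 0.0


def g_inv(h, tol=1e-13):
    """Inverse of g on [0, inf), found by bisection (g is strictly increasing)."""
    lo, hi = 0.0, 1.0
    while g(hi) < h:
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) < h:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def epni_gap(x, eta):
    """Left minus right side of (16): g^{-1}{H[M_eta(x)]} - eta g^{-1}[H(x)].
    The conjecture asserts this is >= 0 for every x and eta in [0, 1]."""
    return g_inv(entropy(thin(x, eta))) - eta * g_inv(entropy(x))


def thermal(mean, cutoff):
    """Constructed input: truncated, renormalised thermal distribution x_j = (1 - t) t^j with
    t = mean/(1 + mean).  Thinning a thermal state of mean N gives a thermal state of mean eta N,
    so (16) holds with equality for it."""
    t = mean / (1.0 + mean)
    x = [(1.0 - t) * t ** j for j in range(cutoff)]
    total = sum(x)
    return [v / total for v in x]


def composition_error(x, eta1, eta2):
    """max_i | [M_eta1(M_eta2(x))]_i - [M_{eta1 eta2}(x)]_i |, which (22)-(24) show is zero."""
    composed = thin(thin(x, eta2), eta1)
    direct = thin(x, eta1 * eta2)
    return max(abs(u - v) for u, v in zip(composed, direct))


if __name__ == "__main__":
    print("thermal (mean 2), eta=0.5:  gap =", epni_gap(thermal(2.0, 200), 0.5))
    print("two eigenvalues [0.7, 0.3]: gap =", epni_gap([0.7, 0.3], 0.5))
    print("number state |3>, eta=0.4:  gap =", epni_gap([0.0, 0.0, 0.0, 1.0], 0.4))
    print("composition error:", composition_error([0.2, 0.3, 0.5], 0.6, 0.7))
```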
Proof. It is clear from (30) that (i) and (ii) are equivalent. Furthermore, (ii) implies (iii) since (iii) is a special case of (ii). We prove that (iii) implies (ii). Note that
$$\frac{d}{d\beta}\frac{h[\beta,M_\eta(\mathbf x)]}{\beta}\bigg|_{\beta=1} = \frac{d}{d\beta}\frac{h(\eta\beta,\mathbf x)}{\beta}\bigg|_{\beta=1} \qquad (35)$$
$$= \eta^2\,\frac{d}{d\theta}\frac{h(\theta,\mathbf x)}{\theta}\bigg|_{\theta=\eta}. \qquad (36)$$
$$\frac{d}{d\theta}\frac{h(\theta,\mathbf x)}{\theta}\bigg|_{\theta=\eta} \le 0 \qquad (37)$$
We now state EPnI in (16) in the form of an entropic inequality, i.e., an inequality involving the Shannon entropy of discrete probability distributions. By Lemma 3, (16) is equivalent to
$$\eta\,\frac{dH(\eta,\mathbf x)}{d\eta} - H(\eta,\mathbf x) + \log\left[1 + h(\eta,\mathbf x)\right] \le 0. \qquad (38)$$
Note that $g(1/\beta - 1) = H_b(\beta)/\beta\ \forall\,\beta\in[0,1]$ and hence, (16) is equivalent to showing that
$$H(\eta,\mathbf x) \le \frac{H_b\!\left(e^{-H(\eta,\mathbf x)+\eta\frac{dH(\eta,\mathbf x)}{d\eta}}\right)}{e^{-H(\eta,\mathbf x)+\eta\frac{dH(\eta,\mathbf x)}{d\eta}}}. \qquad (40)$$
For the two dimensional case with $\eta=1$, $\mathbf x = [\alpha,1-\alpha,0,\ldots]$, $\alpha\in[0,1]$, $H(\eta,\mathbf x) - \eta\,dH(\eta,\mathbf x)/d\eta = -\log(\alpha)$, $H(\mathbf x) = H_b(\alpha)$, and substituting this in (40), we get
$$H_b(\alpha) \le \frac{H_b(\alpha)}{\alpha}, \qquad (41)$$
which is true. This gives a short proof of (16) for this special case. Evaluating (40) at $\eta=1$ gives an interesting expression that depends only on the distribution $\mathbf x$. It is shown in (16) that
$$\Theta(\mathbf x) \triangleq \frac{dH(\eta,\mathbf x)}{d\eta}\bigg|_{\eta=1} = -\sum_{i=1}^{\infty} i\,x_i\log\frac{x_i}{x_{i-1}}, \qquad (42)$$
$$\eta\,\frac{dH(\eta,\mathbf x)}{d\eta} \le 1, \qquad (44)$$
$$\eta\,\frac{dH(\eta,\mathbf x)}{d\eta} \le H(\eta,\mathbf x). \qquad (45)$$
Note that $r(0)=0$ and $dr(x)/dx = -\log(1-x) \ge 0\ \forall\,x\in[0,1]$. Therefore, $r(x)\ge0\ \forall\,x\in[0,1]$ and (44) follows.
(44) and (45) are the necessary conditions for (16) to hold. We now show that they both hold under general conditions.
$$\eta\,\frac{dH(\eta,\mathbf x)}{d\eta} < 1, \qquad (48)$$
$$\eta\,\frac{dH(\eta,\mathbf x)}{d\eta} \le H(\eta,\mathbf x) \qquad (49)$$
with equality if and only if $M_\eta(\mathbf x) = [1,0,\ldots]$.
We now show that (16) holds if $H(\mathbf x)$ is sufficiently large.
Lemma 5. For a given $\eta\in(0,1)$, $\mathbf x\in\mathcal P$, (16) holds if $H(\mathbf x)$ is large enough.
We have
$$g\!\left(e^{H(\eta,\mathbf x)-\eta\,dH(\eta,\mathbf x)/d\eta} - 1\right) \overset{a}{>} H(\eta,\mathbf x) + \delta - e^{-H(\eta,\mathbf x)+\eta\,dH(\eta,\mathbf x)/d\eta} \qquad (51)$$
$$\overset{b}{>} H(\eta,\mathbf x) + \delta - e^{-H(\eta,\mathbf x)+1} \ge H(\eta,\mathbf x), \qquad (52)$$
where in $a$ we use the inequality $g(e^x-1) \ge x + 1 - e^{-x}$ together with Lemma 4, which gives $\eta\,dH(\eta,\mathbf x)/d\eta < 1-\delta$ for some $\delta>0$; in $b$ we use $\eta\,dH(\eta,\mathbf x)/d\eta < 1$; and the last inequality holds if $H(\eta,\mathbf x) \ge 1 - \log(\delta)$, i.e. if $H(\eta,\mathbf x)$ is large enough.
We now show that if $H(\mathbf x)$ is large, then so is $H(\eta,\mathbf x)$ for $\eta\in(0,1)$. Define
$$q(\eta,\mathbf x) \triangleq \frac{H(\eta,\mathbf x)}{\eta}. \qquad (53)$$
5 Discussion
The Entropy Photon-Number Inequality (EPnI) conjecture has been settled in the affirmative when one of the input states is the vacuum state and for several candidates for the other input state, including the cases where the state has the number states as eigenvectors and either has only two non-zero eigenvalues or has an arbitrary number of non-zero eigenvalues but is a high entropy state. Using Fannes' inequality [9,10], one can easily check that the EPnI still holds when the two input states, one in the vacuum state and the other having two non-zero eigenvalues in the number state basis, are perturbed by a small amount, as long as the dimension of the new states after perturbation remains finite.
References
1. Guha, S., Erkmen, B.I., Shapiro, J.H.: The Entropy Photon-Number Inequality and its Consequences. Open Problems Session, ITA, UCSD (2008)
2. Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27, 379–423,
623–655 (1948)
3. Stam, A.J.: Some inequalities satisfied by the quantities of information of Fisher and Shan-
non. Inf. Contr. 2, 101–112 (1959)
4. Blachman, N.M.: The convolution inequality for entropy powers. IEEE Trans. Inf. Theory 11,
267–271 (1965)
5. Giovannetti, V., Guha, S., Lloyd, S., Maccone, L., Shapiro, J.H., Yuen, H.P.: Classical capac-
ity of the lossy bosonic channel: The exact solution. Phys. Rev. Lett. 92, 027902 (2004)
6. Guha, S., Shapiro, J.H., Erkmen, B.I.: Classical capacity of bosonic broadcast communica-
tion and a minimum output entropy conjecture. Phys. Rev. A 76, 032303 (2007)
7. Guha, S., Shapiro, J.H., Erkmen, B.I.: Capacity of the bosonic wiretap channel and the en-
tropy photon-number inequality. In: Proceedings of IEEE International Symposium on In-
formation Theory, pp. 91–95 (2008)
8. Gerry, C., Knight, P.: Introductory Quantum Optics. Cambridge University Press (2004)
9. Fannes, M.: A continuity property of the entropy density for spin lattice systems. Commun.
Math. Phys. 31, 291–294 (1973)
10. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge
University Press (2000)
Note that $g$ is one-one and strictly increasing, therefore $g^{-1}$ is also strictly increasing. Therefore, it is enough to prove that

Note that
$$H(\mathbf z_{0,P}) = f\big(\alpha,(1-\eta)^P\big) + \alpha\,H[\mathrm{Bin}(P,\eta)], \qquad (60)$$
where
$$f(\alpha,x) = -\left[(1-\alpha)+\alpha x\right]\log\left[(1-\alpha)+\alpha x\right] - (1-x)\,\alpha\log(\alpha) + x\log(x)\,\alpha. \qquad (61)$$
It is not difficult to show that $f(\alpha,x)$ is a decreasing function of $x$. Note that $H[\mathrm{Bin}(P,\eta)]$ increases with $P$. Since $H(\mathbf x_{0,P})$ is a sum of two functions each of which increases with $P$, (59) follows.
Next, we show that for all $N,P\ge0$, we have
$$H(\mathbf z_{N+1,P+1}) \ge H(\mathbf z_{N,P}). \qquad (62)$$
Note first that $\mathrm{Bin}(N+1,\eta) = (1-\eta)\,\mathrm{Bin}(N,\eta) + \eta\,\mathrm{Bin}_{+1}(N,\eta)$, where if $X$ has distribution $\mathrm{Bin}_{+1}(N,\eta)$, then $\Pr\{X=k+1\} = \mathrm{Bin}(N,\eta,k)\ \forall\,k$. This implies that

$$\overset{a}{\ge} \sum_{i=1}^{\infty} i\,z_i\left(1 - \frac{z_{i-1}}{z_i}\right) \qquad (69)$$
$$= -1, \qquad (70)$$
where in $a$, we have used the inequality $\log(x) \ge 1 - 1/x$ for all $x\ge0$ with equality if and only if $x=1$. If $\mathbf z$ is such that $z_i\ne0\ \forall\,i$, then it is impossible to have an equality in $a$, since equality would imply $z_{i-1} = z_i\ \forall\,i$ and this would imply that $\sum_{i=0}^{\infty} z_i$ is unbounded.
If $\mathbf z$ has a finite number of nonzero values, say $\mathbf z = [z_0, z_1, \ldots, z_{L-1}, 0, \ldots]$, then (70) can be further tightened as
$$\eta\,\frac{dH(\eta,\mathbf x)}{d\eta} \le 1 - Lz_{L-1}. \qquad (71)$$
Let us define a sequence of probability distributions $\{\mathbf z^{(L)}\}$, $L = 0,1,\ldots$, where $\mathbf z^{(L)}$ has length $L+1$ and $\mathbf z^{(L)} = [(1-z_L)\,\mathbf z^{(L-1)}, z_L]$ and $\mathbf z^{(0)} = [1]$. It is easy to see that the following recurrence relations hold
$$\Theta(\mathbf z^{(L)}) = (1-z_L)\,\Theta(\mathbf z^{(L-1)}) + Lz_L\log\frac{(1-z_L)\,z_{L-1}}{z_L} \qquad (73)$$
$$H(\mathbf z^{(L)}) = (1-z_L)\,H(\mathbf z^{(L-1)}) + H_b(z_L). \qquad (74)$$
Define
$$\Xi(\mathbf z^{(L)}) \triangleq \Theta(\mathbf z^{(L)}) - H(\mathbf z^{(L)}). \qquad (75)$$
Using the recurrence relations in (73) and (74), we get
$$\Xi(\mathbf z^{(L)}) = (1-z_L)\,\Xi(\mathbf z^{(L-1)}) + Lz_L\log\frac{(1-z_L)\,z_{L-1}}{z_L} - H_b(z_L). \qquad (76)$$
where in $a$, we have used the induction hypothesis and the fact that $z_L\log(z_{L-1}) \le 0$, in $b$,
$$d(x,y) = x\log\frac{x}{y} + (1-x)\log\frac{1-x}{1-y} \qquad (82)$$
is the relative entropy between $[x,1-x]$ and $[y,1-y]$ and is always nonnegative. (49) now follows from (77) since $\log(1-z_L)\le0$. The equality condition follows straightforwardly.
Quantum Security Analysis
via Smoothing of Renyi Entropy of Order 2
Masahito Hayashi1,2
1
Graduate School of Mathematics, Nagoya University
2
Centre for Quantum Technologies, National University of Singapore
masahito@math.nagoya-u.ac.jp
http://www.math.nagoya-u.ac.jp/~masahito/index_e.html
1 Introduction
Evaluation of secrecy is one of the important topics in classical and quantum information theory. In order to increase the secrecy, we apply a hash function. Bennett et al. [4] and Håstad et al. [14] proposed to use universal₂ hash functions for privacy amplification and derived the two universal hashing lemma, which provides an upper bound for the universal composability based on the Rényi entropy of order 2. Renner [6] extended their idea to the quantum case and evaluated the secrecy with universal₂ hash functions based on a quantum version of the conditional Rényi entropy of order 2.
In order to apply Renner's two universal hashing lemma to a realistic setting, Renner [6] attached the smoothing to the min entropy, which is smaller than the above quantum version of the conditional Rényi entropy of order 2 in the classical case. That is, he proposed the application of the universal hashing lemma to a state approximating the true state. In this method, it is not easy to find a suitable approximating state. Hayashi [11] found such a suitable approximating state in the sense of the Rényi entropy of order 2. That is, he applied the smoothing to the Rényi entropy of order 2. Then, he evaluated the universal composability criterion after universal₂ hash functions based on the Rényi entropy of order $1+s$. Since the Rényi entropy of order 2 gives a tighter security bound than the min entropy, the smoothing for the Rényi entropy of order 2 yields a better security bound than the min entropy. Indeed, it has been shown that the method of [11] yields the optimal exponential decreasing rate in the $n$-fold independent and identical case.
However, in other cases (the quantum case and the classical case with the mutual information criterion), no study attached the smoothing to the quantum version
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 128–140, 2013.
© Springer-Verlag Berlin Heidelberg 2013
2 Preparation
2.1 Information Quantities for Single System
In order to discuss the quantum case, we prepare several useful properties of information quantities in a single quantum system. First, we define the following quantities:
For a proof for $\psi(s|\rho\sigma)$, see Hayashi [9, Exercise 2.24]. For $\underline{\psi}(s|\rho\sigma)$, see Hayashi [16].
Since $\lim_{s\to 0} \frac{1}{s}\psi(s|\rho\sigma) = D(\rho\sigma)$ and $\lim_{s\to 0} \frac{1}{s}\underline{\psi}(s|\rho\sigma) = D(\rho\sigma)$, we obtain the following lemma.
Lemma 2. $\frac{\psi(s|\rho\sigma)}{s}$ and $\frac{\underline{\psi}(s|\rho\sigma)}{s}$ are monotone increasing in $s \in \mathbb{R}$. In particular,
for s > 0.
For any quantum operation Λ, the following information processing inequalities hold for s ∈ (0, 1] [9, (5.30), (5.41)]. However, this kind of inequality does not hold for $\underline{\psi}(s|\rho\sigma)$ in general.
normalized. Then, the von Neumann entropies and Rényi entropies are given as
with $s \in \mathbb{R}$. When we focus on the total system of a given density $\rho^{A,E}$ and the density matrix ρ describes the state on the composite system $\mathcal{H}_A \otimes \mathcal{H}_E$, $H(A,E|\rho^{A,E})$ and $H_{1+s}(A,E|\rho)$ are simplified to $H(\rho)$ and $H_{1+s}(\rho)$.
A quantum version of the conditional entropy and two kinds of quantum versions of the conditional Rényi entropy are given for $s \in \mathbb{R}$:
$$H_{1+s}(A|E|\rho\sigma^E) := \log|A| - \frac{1}{s}\,\psi(s|\rho\,\rho^A_{\mathrm{mix}} \otimes \sigma^E),$$
$$\underline{H}_{1+s}(A|E|\rho\sigma^E) := \log|A| - \frac{1}{s}\,\underline{\psi}(s|\rho\,\rho^A_{\mathrm{mix}} \otimes \sigma^E).$$
Then, we obtain
and
for s > 0.
$$\frac{d\phi(s|A|E|\rho^{A,E})}{ds}\Big|_{s=0} = \lim_{s\to 0} \frac{\phi(s|A|E|\rho^{A,E})}{s} = H(E|A|\rho^{A,E}) - H(E|\rho^{A,E}) + H(A|\rho^{A,E}) = -H(A|E|\rho^{A,E}). \qquad (18)$$
Taking into account the randomness, Renner [6] defined the following criteria for the security of a secret random number:
$$\begin{aligned}
d_2(A:E|\rho\sigma) &:= \mathrm{Tr}\big((I \otimes \sigma^{-1/4})(\rho - \rho^A_{\mathrm{mix}} \otimes \rho^E)(I \otimes \sigma^{-1/4})\big)^2 \\
&= \mathrm{Tr}\big((I \otimes \sigma^{-1/4})\rho(I \otimes \sigma^{-1/4})\big)^2 - \frac{1}{|A|}\mathrm{Tr}\big(\sigma^{-1/4}\rho^E\sigma^{-1/4}\big)^2 \\
&= e^{-\underline{H}_2(A|E|\rho\sigma)} - \frac{1}{|A|}\mathrm{Tr}\big(\sigma^{-1/4}\rho^E\sigma^{-1/4}\big)^2.
\end{aligned}$$
Using this value, we can evaluate $d_1(A:E|\rho)$ as follows [6, Lemma 5.2.3] when the state σ is a normalized state on $\mathcal{H}_E$:
$$d_1(A:E|\rho) \le \sqrt{|A|}\,\sqrt{d_2(A:E|\rho|\sigma)}. \qquad (22)$$
We say that a function ensemble F is ε-almost universal2 [1,2,13] if, for any pair of different inputs $a_1, a_2$, the collision probability of their outputs is upper bounded as
$$\Pr[f_X(a_1) = f_X(a_2)] \le \frac{\varepsilon}{|B|}. \qquad (24)$$
The parameter ε appearing in (24) is shown to be confined to the region
$$\varepsilon \ge \frac{|A| - |B|}{|A| - 1}, \qquad (25)$$
and in particular, an ensemble $\{f_X\}$ with ε = 1 is simply called a universal2 function ensemble.
Two important examples of universal2 hash function ensembles are the Toeplitz matrices (see, e.g., [3]) and multiplication over a finite field (see, e.g., [1,4]). A modified form of the Toeplitz matrices is also shown to be universal2, which is given by a concatenation (X, I) of the Toeplitz matrix X and the identity matrix I [12]. The (modified) Toeplitz matrices are particularly useful in practice, because there exists an efficient multiplication algorithm using the fast Fourier transform with complexity O(n log n) (see, e.g., [5]).
The following lemma holds for any universal2 function ensemble.
Lemma 5 (Renner [6, Lemma 5.4.3]). Given any composite c-q sub-state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and any normalized state $\sigma^E$ on $\mathcal{H}_E$, any universal2 ensemble of hash functions $f_X$ from A to {1, ..., M} satisfies
$$f_C : \mathbb{F}_q^n \to \mathbb{F}_q^n / C \cong \mathbb{F}_q^{l}, \quad l \le m. \qquad (28)$$
That is, we can always identify a linear hash function $f_C$ with a code C. When $C_X = \mathrm{Ker}\, f_X$, the definition (24) of an ε-almost universal2 function ensemble takes the form
$$\forall x \in \mathbb{F}_q^n \setminus \{0\}, \quad \Pr[f_X(x) = 0] \le q^{-m}\varepsilon, \qquad (29)$$
which is equivalent to
This shows that the ensemble of kernels $\{C_X\}$ contains sufficient information for determining whether a function ensemble $\{f_X\}$ is ε-almost universal2 or not.
For a given ensemble of codes $\{C_X\}$, we define its minimum (respectively, maximum) dimension as $t_{\min} := \min_X \dim C_X$ (respectively, $t_{\max} := \max_X \dim C_X$). Then, we say that a linear code ensemble $\{C_X\}$ of minimum (or maximum) dimension t is an ε-almost universal2 code ensemble if the following condition is satisfied:
$$\forall x \in \mathbb{F}_q^n \setminus \{0\}, \quad \Pr[x \in C_X] \le q^{t-n}\varepsilon. \qquad (31)$$
In particular, if ε = 1, we call $\{C_X\}$ a universal2 code ensemble.
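The collision condition (24), its kernel form (29) and the two example families named above (plain Toeplitz matrices and the modified concatenation (X, I)) can be checked exhaustively for small parameters. The following Python is an added example and not code from the paper or its references. It fixes q = 2, n = 5, m = 3 (so |A| = 32 and |B| = 8), builds every member of each family, and computes the worst-case kernel probability of (29), the worst-case collision probability of (24) and the resulting ε; the lower bound (25) is computed alongside. The indexing convention for the Toeplitz matrix (entry (i, j) taken from bit i − j + n − 1 of the n + m − 1 random bits), the split of the modified matrix into an m × (n − m) Toeplitz block and an m × m identity, and all function names are the example's own choices.

```python
"""Exhaustive check of the universal_2 property for small Toeplitz hash families over F_2.

Added example (not from the paper). Conventions are the example's own: an m x n Toeplitz
matrix is determined by n + m - 1 uniformly random bits, entry (i, j) being bits[i - j + n - 1];
the modified family (X, I) uses an m x (n - m) Toeplitz block X followed by the m x m identity.
"""
from fractions import Fraction
from itertools import product


def toeplitz_matrix(bits, m, n):
    """m x n matrix over F_2 whose entry (i, j) depends only on i - j (constant diagonals)."""
    assert len(bits) == n + m - 1
    return [[bits[i - j + n - 1] for j in range(n)] for i in range(m)]


def modified_toeplitz_matrix(bits, m, n):
    """Concatenation (X, I) of an m x (n-m) Toeplitz block X and the m x m identity [12]."""
    x_block = toeplitz_matrix(bits, m, n - m)
    return [x_block[i] + [1 if i == j else 0 for j in range(m)] for i in range(m)]


def hash_apply(matrix, x):
    """f_X(x): matrix-vector product over F_2, returned as a tuple of m output bits."""
    return tuple(sum(row[j] & x[j] for j in range(len(x))) % 2 for row in matrix)


def toeplitz_family(m, n, modified=False):
    """All members f_X of the family, one per choice of the random bits X."""
    bits_needed = (n - m) + m - 1 if modified else n + m - 1
    build = modified_toeplitz_matrix if modified else toeplitz_matrix
    return [build(list(bits), m, n) for bits in product((0, 1), repeat=bits_needed)]


def max_kernel_probability(family, n):
    """Left-hand side of (29) with q = 2: max over nonzero x of Pr_X[f_X(x) = 0]."""
    zero = tuple([0] * len(family[0]))
    worst = Fraction(0)
    for x in product((0, 1), repeat=n):
        if not any(x):
            continue
        hits = sum(1 for f in family if hash_apply(f, x) == zero)
        worst = max(worst, Fraction(hits, len(family)))
    return worst


def max_collision_probability(family, n):
    """Left-hand side of (24): max over distinct a1, a2 of Pr_X[f_X(a1) = f_X(a2)].

    For linear f_X this equals Pr_X[f_X(a1 - a2) = 0], which is why (24) and (29) agree.
    """
    inputs = list(product((0, 1), repeat=n))
    worst = Fraction(0)
    for idx, a1 in enumerate(inputs):
        for a2 in inputs[idx + 1:]:
            hits = sum(1 for f in family if hash_apply(f, a1) == hash_apply(f, a2))
            worst = max(worst, Fraction(hits, len(family)))
    return worst


def epsilon_of_family(family, m, n):
    """Smallest eps for which (24) holds: |B| times the worst collision probability, |B| = 2^m."""
    return 2 ** m * max_collision_probability(family, n)


def epsilon_lower_bound(m, n):
    """The bound (25) for q = 2: (|A| - |B|) / (|A| - 1) with |A| = 2^n, |B| = 2^m."""
    return Fraction(2 ** n - 2 ** m, 2 ** n - 1)


if __name__ == "__main__":
    m, n = 3, 5
    print(f"lower bound (25) on epsilon: {epsilon_lower_bound(m, n)}")
    for modified in (False, True):
        fam = toeplitz_family(m, n, modified=modified)
        name = "modified Toeplitz (X, I)" if modified else "Toeplitz"
        print(f"{name}: {len(fam)} members, max Pr[f_X(x)=0] = {max_kernel_probability(fam, n)} "
              f"(bound 2^-m = {Fraction(1, 2 ** m)}), epsilon = {epsilon_of_family(fam, m, n)}")
```

Both families come out with ε = 1, i.e. they are universal2 in the sense of (24), and the kernel probability of (29) is exactly $2^{-m}$ for the plain Toeplitz family (every nonzero x is hashed to 0 by exactly a $2^{-m}$ fraction of the members) and at most $2^{-m}$ for the modified family, where inputs whose Toeplitz part is zero are never mapped to 0. The exact fractions are kept with `Fraction` so the comparison against the bound is not blurred by floating point.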
$$\varepsilon_p(C) := \frac{q^n\, \#\{x \in C \mid p_x = p\}}{|C|\, \#\{x \in \mathbb{F}_q^n \mid p_x = p\}} \qquad (32)$$
and
$$\varepsilon(C) := \max_{p \in T^+_{q,n}} \varepsilon_p(C). \qquad (33)$$
Lemma 7. For any t ≤ n, there exists a t-dimensional code $C \in \mathbb{F}_q^n$ such that
and thus
$$\Pr\{\exists p \in T^+_{q,n},\ \varepsilon_p(C_X) \ge |T_{q,n}|\} \le \frac{|T_{q,n}| - 1}{|T_{q,n}|}. \qquad (36)$$
Hence,
$$\Pr\{\forall p \in T^+_{q,n},\ \varepsilon_p(C_X) < |T_{q,n}|\} \ge \frac{1}{|T_{q,n}|}. \qquad (37)$$
Using the above relation, as is suggested in [7, Case 2], we obtain the following lemma.
Lemma 8. When the l-dimensional code ensemble $\{C_X\}$ is ε-almost dual universal, the ensemble of random variables $\{W_{C_X}\}$ on $\mathbb{F}_q^n$ is $\sqrt{\varepsilon q^{-m}}$-biased.
In the following, we treat the case of $A = \mathbb{F}_q^n$. Given a composite state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and a distribution $P_W$ on A, we define another composite state
$$\rho^{A,E} * P_W := \sum_w P_W(w) \sum_a P(a)\, |a + w\rangle\langle a + w| \otimes \rho^E_a.$$
Then, we obtain the following.
Lemma 9 ([8, Theorem 3.2]). For any c-q sub-state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and any normalized state $\sigma^E$ on $\mathcal{H}_E$, a δ-biased ensemble of random variables $\{W_X\}$ on A satisfies
More precisely,
$$\mathrm{E}_X\, d_2(A:E|\rho^{A,E} * P_{W_X}\sigma^E) \le \delta^2\Big(1 - \frac{1}{M}\Big) e^{-\underline{H}_2(A|E|\rho^{A,E}\sigma^E)}. \qquad (41)$$
More precisely,
For a proof for the binary case, see Tsurumaru and Hayashi [13], and for the general case, see Hayashi [16].
Lemma 10 essentially coincides with Lemma 9. However, the concept "δ-biased" does not concern a family of linear hash functions, while the concept "ε-almost dual universal2" does, because the former is defined for a family of random variables. That is, the latter is a generalization of universal2 linear hash functions while the former is not. Hence, Lemma 9 cannot directly provide the performance of linear hash functions. Lemma 10 gives how small the leaked information is after privacy amplification by linear hash functions. Therefore, in the following section, using Lemma 10, we treat the exponential decreasing rate when we apply privacy amplification by ε-almost dual universal2 linear hash functions.
Lemma 11. Given a normalized state σ on $\mathcal{H}_E$ and c-q sub-states $\rho^{A,E}$ and $\rho'^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$. When an ensemble of linear hash functions $\{f_X\}_X$ from A to {1, ..., M} is ε-almost dual universal2, we obtain
$$\mathrm{E}_X\, d_1(f_X(A):E|\rho^{A,E}) \le \sqrt{\varepsilon}\, M^{\frac{1}{2}}\, e^{-\frac{1}{2}\underline{H}_2(A|E|\rho^{A,E}\sigma^E)}, \qquad (44)$$
$$\mathrm{E}_X\, d_1(f_X(A):E|\rho^{A,E}) \le 2\|\rho - \rho'\|_1 + \sqrt{\varepsilon}\, M^{\frac{1}{2}}\, e^{-\frac{1}{2}\underline{H}_2(A|E|\rho'^{A,E}\sigma^E)}. \qquad (45)$$
For a proof, see Hayashi [16].
In order to obtain a better upper bound for $\mathrm{E}_X\, d_1(f_X(A):E|\rho^{A,E})$, we have to choose a suitable ρ' in (45). Choosing a suitable state ρ' with the condition $\|\rho - \rho'\|_1 \le c$ is called smoothing. Renner [6] applies smoothing to the min-entropy $H_{\min}(A|E|\rho^{A,E}\sigma^E) := -\log \big\|(I_A \otimes \sigma^E)^{-1/2}\rho^{A,E}(I_A \otimes \sigma^E)^{-1/2}\big\|$. However, $\underline{H}_2(A|E|\rho^{A,E}\sigma^E)$ is larger than $H_{\min}(A|E|\rho^{A,E}\sigma^E)$. Hence, the smoothing for $\underline{H}_2(A|E|\rho^{A,E}\sigma^E)$ yields a better bound for $\mathrm{E}_X\, d_1(f_X(A):E|\rho^{A,E})$ than the smooth min entropy. In fact, Hayashi [11] applies the smoothing to $\underline{H}_2(A|E|\rho^{A,E}\sigma^E)$ in the classical case. In the following, applying the same kind of smoothing to the quantum case, we obtain the following lemma.
Lemma 12. Given any c-q sub-state $\rho^{A,E}$ on A and $\mathcal{H}_E$ and any normalized state $\sigma^E$ on $\mathcal{H}_E$. When an ensemble of linear hash functions $\{f_X\}_X$ from A to {1, ..., M} is ε-almost dual universal2, we obtain
$$\mathrm{E}_X\, d_1(f_X(A):E|\rho^{A,E}) \le (4 + \sqrt{v}\sqrt{\varepsilon})\, M^{s/2}\, e^{-\frac{s}{2} H_{1+s}(A|E|\rho^{A,E}\sigma^E)} \qquad (46)$$
for s ∈ (0, 1], where v is the number of eigenvalues of σ.
Further, the inequalities with ε = 1 hold when the ensemble of linear hash functions $\{f_X\}_X$ is universal2.
The next step is the choice of a suitable $\sigma^E$. The optimal $\sigma^E$ is given in Lemma 4. Hence, the combination of Lemmas 4 and 12 yields the following lemma.
5 Asymptotic Evaluation
Next, we consider the case when our state is given by the n-fold independent and identical state of ρ, i.e., $\rho^{\otimes n}$. In this case, we focus on the optimal generation rate
$$G(\rho^{A,E}) := \sup_{\{(f_n, M_n)\}} \Big\{ \lim_{n\to\infty} \frac{\log M_n}{n} \ \Big|\ \lim_{n\to\infty} d_1\big(f_n(A_n):E_n|(\rho^{A,E})^{\otimes n}\big) = 0 \Big\}.$$
$$\liminf_{n\to\infty} \frac{-1}{n} \log \mathrm{E}_{X_n}\, d_1\big(f_{X_n}(A_n):E_n|(\rho^{A,E})^{\otimes n}\big) \ge e_{\phi,q}(\rho^{A,E}|R), \qquad (49)$$
where
$$e_{\phi,q}(\rho^{A,E}|R) := \max_{0 \le s \le 1} -\frac{1+s}{2}\,\phi\Big(\frac{s}{1+s}\Big|\rho^{A,E}\Big) - \frac{s}{2}R = \max_{0 \le t \le \frac{1}{2}} -\frac{1}{2(1-t)}\,\phi(t|\rho^{A,E}) - \frac{t}{2(1-t)}R.$$
6 Conclusion
We have derived an upper bound of the exponential decreasing rate for the leaked information in the mutual information criterion and the universal composability in the quantum case when we apply a family of ε-almost dual universal2 hash functions for privacy amplification. Although the class of families of ε-almost dual universal2 hash functions is larger than the class of families of universal2 linear hash functions, our bounds are quite similar to the known bounds [11,12]. Hence, the obtained result suggests the possibility of the existence of an effective privacy amplification protocol with a smaller complexity than known privacy amplification protocols.
References
1. Carter, J.L., Wegman, M.N.: Universal Classes of Hash Functions. J. Comput. System Sci. 18, 143–154 (1979)
2. Wegman, M.N., Carter, J.L.: New Hash Functions and Their Use in Authentication and Set Equality. J. Comput. System Sci. 22, 265–279 (1981)
3. Mansour, Y., Nisan, N., Tiwari, P.: The Computational Complexity of Universal Hashing. In: STOC 1990, Proceedings of the Twenty-second Annual ACM Symposium on Theory of Computing, pp. 235–243 (1990)
4. Bennett, C.H., Brassard, G., Crépeau, C., Maurer, U.M.: Generalized privacy amplification. IEEE Transactions on Information Theory 41, 1915–1923 (1995)
5. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The Johns Hopkins University Press (1996)
6. Renner, R.: Security of Quantum Key Distribution. PhD thesis, Dipl. Phys. ETH, Switzerland, 2005; arXiv:quant-ph/0512258 (2005)
7. Dodis, Y., Smith, A.: Correcting Errors Without Leaking Partial Information. In: STOC 2005, pp. 654–663 (2005)
8. Fehr, S., Schaffner, C.: Randomness Extraction Via δ-Biased Masking in the Presence of a Quantum Attacker. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 465–481. Springer, Heidelberg (2008)
9. Hayashi, M.: Quantum Information: An Introduction. Springer (2006)
10. Hayashi, M.: Upper bounds of eavesdropper's performances in finite-length code with the decoy method. Physical Review A 76, 012329 (2007); Physical Review A 79, 019901(E) (2009)
11. Hayashi, M.: Tight exponential evaluation for universal composability with privacy amplification and its applications. arXiv:1010.1358 (2010)
12. Hayashi, M.: Exponential decreasing rate of leaked information in universal random privacy amplification. IEEE Transactions on Information Theory 57(6), 3989–4001 (2011)
13. Tsurumaru, T., Hayashi, M.: Dual universality of hash functions and its applications to quantum cryptography. arXiv:1101.0064 (2011)
14. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A Pseudorandom Generator from any One-way Function. SIAM J. Comput. 28, 1364 (1999)
15. Devetak, I., Winter, A.: Distillation of secret key and entanglement from quantum states. Proc. R. Soc. Lond. A 461, 207–235 (2005)
16. Hayashi, M.: Classical and quantum security analysis via smoothing of Renyi entropy of order 2. arXiv:1202.0322 (2012)
Applying a Generalization of Schur-Weyl Duality to Problems in Quantum Information and Estimation
1 Introduction
Schur-Weyl duality is a very powerful tool in representation theory which has
many applications to quantum information and quantum algorithms (see [1]
and [2] for a review). Here, we present a novel generalization of Schur-Weyl
duality which has an interesting natural physical interpretation. Based on this
generalization, we develop a general framework for the study of a family of
quantum estimation problems. The proof of the results, more examples and
discussions of these results can be found in [3].
2 Preliminaries
Consider the following representation of the unitary group U(d) on $(\mathbb{C}^d)^{\otimes n}$:
$$\forall V \in U(d): \quad Q(V)\,|i_1\rangle \otimes \cdots \otimes |i_n\rangle = V|i_1\rangle \otimes \cdots \otimes V|i_n\rangle. \qquad (1)$$
For a subgroup H of U(d) we denote the group $\{Q(V) : V \in H\}$ by Q(H) and we call it the collective action of H on $(\mathbb{C}^d)^{\otimes n}$. Consider also the canonical representation of the symmetric group of degree n, $S_n$, on $(\mathbb{C}^d)^{\otimes n}$:
$$\forall s \in S_n: \quad P(s)\,|i_1\rangle \otimes \cdots \otimes |i_n\rangle = |i_{s^{-1}(1)}\rangle \otimes \cdots \otimes |i_{s^{-1}(n)}\rangle. \qquad (2)$$
We denote the group $\{P(s) : s \in S_n\}$ by $P(S_n)$.
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 141–152, 2013.
© Springer-Verlag Berlin Heidelberg 2013
142 I. Marvian and R.W. Spekkens
Using these notations we can express Schur-Weyl duality in the following form
$$\{e^{i\theta_0}|0\rangle\langle 0| + e^{i\theta_1}|1\rangle\langle 1| : \theta_0, \theta_1 \in (0, 2\pi]\}$$
with
$$\Phi_\pm(\cdot) \equiv \sum_\mu p^{-1}_{\mu,\pm}\, P_\mu\big[T^{\otimes n}_{G_{\mathcal{A}}}(\Pi_\pm(\cdot)\Pi_\pm)\big]P_\mu \qquad (4)$$
where μ labels all the irreps of $G_{\mathcal{A}}$ which show up in the representation $Q(G_{\mathcal{A}})$, $P_\mu$ is the projector onto the subspace of $(\mathbb{C}^d)^{\otimes n}$ associated to irrep μ, $p_{\mu,\pm} \equiv \mathrm{tr}\big(P_\mu T^{\otimes n}_{G_{\mathcal{A}}}(\Pi_\pm)\big)$, and the summation in Eq. (4) is over all the irreps μ for which $p_\mu$ is nonzero.
For an arbitrary operator $M \in \mathrm{End}(\mathbb{C}^d)^{\otimes n}$ we say that M has global symmetry with respect to the subgroup H of U(d) if it is invariant under the collective action of H, i.e.,
$$\forall V \in H: \quad V^{\otimes n} M V^{\dagger\otimes n} = M. \qquad (5)$$
In other words, M has global symmetry with respect to H iff $M \in \mathrm{Comm}\{Q(H)\}$. Similarly, we say that M has local symmetry with respect to H if it is invariant under the local action of H, i.e.,
$$\forall V \in H \text{ and } \forall k: 0 \le k \le n-1, \quad (I^{\otimes k} \otimes V \otimes I^{\otimes(n-k-1)})\, M\, (I^{\otimes k} \otimes V^\dagger \otimes I^{\otimes(n-k-1)}) = M. \qquad (6)$$
5.1 Example
A very simple example of a multi-copy estimation problem is the one considered
by Hayashi et al. [4]. A pure state in Cd is chosen uniformly according to the
Haar measure, and n copies of the state are prepared. The goal is to estimate the
expectation value of an observable A for the state. Hayashi et al. have shown
that for a squared-error figure of merit, the optimal estimation scheme is to
simply measure the observable A separately on each system and then perform a
classical processing on the data gathered in these measurements.
Our generalization of Schur-Weyl duality can be used to provide a very elementary proof of this result. It can also be used to simplify the solution of estimation problems that are much more complicated, as we shall show.
the state ρ ∈ supp(p) and has sent the state $\rho^{\otimes n}$ to Bob (here, supp(p) denotes the support of the distribution p).
This describes the most general figure of merit one can define for the multi-copy estimation problems we are considering here. However, in the particular cases where, for example, the goal is to estimate some parameter of ρ, say the expectation value of some observable for the state ρ, one might use a figure of merit which only depends on the conditional probability of outcomes for different values of that parameter. Here, we think of the parameter as a random variable defined as a function of the state Alice chooses each time (the state is random and so any function of the state can be thought of as a random variable). Let $s : \mathrm{supp}(p) \to \mathbb{R}$ be an arbitrary function from states in supp(p) to real numbers. Then this function will map the random state ρ chosen by Alice to a random real variable S = s(ρ). Then if Bob's goal is to estimate the value of the parameter s(ρ) for the state ρ which Alice has chosen each time (or to make a decision based on the value of this parameter), a reasonable family of figures of merit to evaluate Bob's performance can be expressed as functionals of
$$q_M(B|S \in \Delta),$$
where Δ is an interval of $\mathbb{R}$. This is the conditional probability that, using the strategy described by the POVM $M : \sigma(\Omega) \to \mathrm{End}((\mathbb{C}^d)^{\otimes n})$, event B happens given that the value of the random variable S is in Δ.
On the other hand, one can imagine situations where, for example, the cost of a wrong estimation of a parameter S not only depends on the estimated value of S and its actual value but also depends on the value of some other parameter, say S', where S' is the random variable induced by the function $s' : \mathrm{supp}(p) \to \mathbb{R}$ acting on the random state Alice chooses. For instance, one may imagine situations where the cost of a wrong estimation of a parameter S depends also on the energy of the state, tr(ρH), where H is the Hamiltonian. So in this case s'(X) = tr(XH) defines a relevant parameter to evaluate the performance of the estimation procedure.
In general, let $\vec{s}(\cdot) = \big(s^{(1)}(\cdot), \cdots, s^{(l)}(\cdot)\big)$ be a set of functions where each $s^{(i)}(\cdot)$ is a function from supp(p) to $\mathbb{R}$. Then based on the set of functions $\vec{s}(\cdot) = \big(s^{(1)}(\cdot), \cdots, s^{(l)}(\cdot)\big)$ we can define a set of random variables $S^{(1)}, \cdots, S^{(l)}$ where the random variable $S^{(i)}$ is $s^{(i)}(\rho)$ and ρ is the random state Alice has chosen at each round. So a general figure of merit can be expressed as a functional of
$$q_M(B|\vec{S} \in \vec{\Delta}),$$
where $\vec{\Delta}$ is an l-dimensional interval of $\mathbb{R}^l$. This is the conditional probability that with Bob's strategy described by the POVM $M : \sigma(\Omega) \to \mathrm{End}((\mathbb{C}^d)^{\otimes n})$ event B happens given that the values of the random variables $\vec{S}$ are in $\vec{\Delta}$.
The other reason to consider $q_M(B|\vec{S} \in \vec{\Delta})$ for more than one parameter $S^{(i)}$ is to study the cases where Bob is interested in estimating more than one parameter of the state.
Note that by having a larger number of parameters l we can describe more and more general types of figure of merit. In general, if d is the dimension of $\mathbb{C}^d$
for all B ∈ σ(Ω) and ρ ∈ supp(p) then they will have exactly the same performance in the estimation problem with respect to any figure of merit. On the other hand, $q_M(B|\vec{S} \in \vec{\Delta})$ has generally less information, i.e., it can be obtained by a coarse-graining of $q_M(B|\rho)$ but not typically vice versa. However, in many reasonable figures of merit one does not need to specify $q_M(B|\rho)$ to specify the figure of merit of the measurement M; it is sufficient to specify $q_M(B|\vec{S} \in \vec{\Delta})$. If this is the case, then even if Eq. (7) doesn't hold, as long as the weaker constraint
$$q_M\big(B \,\big|\, \vec{S} \in \vec{\Delta}\big) = q_{M'}\big(B \,\big|\, \vec{S} \in \vec{\Delta}\big) \qquad (8)$$
holds for all B ∈ σ(Ω) and for all l-dimensional intervals $\vec{\Delta}$ which are assigned nonzero probability, then the two strategies yield the same performance for the figure of merit of interest (see Fig. 1). Eq. (8) states that learning the outcome of measurement M' is precisely as informative about the parameter $\vec{S}$ as learning the outcome of measurement M.
We now present our main results (the proofs are presented in [3]).
Theorem 5. Let $\mathcal{A} \subseteq \mathrm{End}(\mathbb{C}^d)$ be a von Neumann algebra, and let $G_{\mathcal{A}}$ be the gauge group associated with it. Then assuming that:
then for any given measurement with POVM $M : \sigma(\Omega) \to \mathrm{End}((\mathbb{C}^d)^{\otimes n})$, there is another measurement with POVM $M' : \sigma(\Omega) \to \mathrm{End}((\mathbb{C}^d)^{\otimes n})$ whose image is entirely confined to $\mathcal{A}^{\otimes n}$ (i.e., $M' : \sigma(\Omega) \to \mathcal{A}^{\otimes n}$), such that M' is as informative about $\vec{S}$ as M is, i.e.,
$$q_{M'}\big(B \,\big|\, \vec{S} \in \vec{\Delta}\big) = q_M\big(B \,\big|\, \vec{S} \in \vec{\Delta}\big) \qquad (9)$$
for all B ∈ σ(Ω) and all l-dimensional intervals $\vec{\Delta}$ which are assigned nonzero probability.
An instance of the measurement described in Theorem 5 is $M' \equiv \mathcal{L}_+(M)$, where $\mathcal{L}_+$ is the unital super-operator defined in Theorem 4. In [3] we present a generalization of this result to a family of priors which are nonzero on mixed states.
We now make explicit what our main theorem implies for multi-copy estimation problems.
Corollary 2 implies that the optimal measurement has the gauge group $G_{\mathcal{A}}$ as a local symmetry. Then, in the special case wherein the algebra $\mathcal{A}$ is commutative, by Proposition 1, it follows that the optimal measurement can be implemented by measuring a set of observables which generates $\mathcal{A}$ separately on each of the n systems and then performing a classical processing on the outcomes.
This result can be applied to the example we considered in Section 5.1: the figure of merit of the problem, i.e., the mean squared error of the estimation of the value of tr(ρA), can be expressed as a functional of q(B|tr(ρA)) (see [3] for more discussion). So by defining the algebra $\mathcal{A}$ to be the algebra generated by the identity and the operator A, we can easily see that the prior which is uniform according to the Haar measure and the parameter s(ρ) ≡ tr(ρA) satisfy the conditions of Theorem 5. Therefore, from the above result we can immediately infer that the optimal estimation can be achieved by measuring the operator A individually on each system and then performing a classical processing on the outcomes of these measurements. But we also know that this is true under much more general conditions: the prior need not be the Haar measure and the figure of merit need not be the mean squared error, as long as they satisfy the conditions of Theorem 5. For example, the figure of merit could be the mutual information between the estimated values of the parameter and its actual values, or it could be the expected cost for an arbitrary cost function that depends only on A [3]. For all of these cases, the figure of merit for an estimation strategy M is a functional of $q_M(B|S \in \Delta)$ and so from the above results we know that the optimal estimation can be realized by measuring the observable A individually on each copy and then performing a classical processing on the outcomes of these measurements.
Given that the class of estimation problems to which our results apply is very large, they represent a dramatic expansion, relative to previously known results, in the scope of problems for which we can easily determine the optimal measurement. Furthermore, in previous results where independent measurements on each copy were shown to be optimal, such as Ref. [4], the reasoning was rather ad hoc. It was not clear what feature of the estimation problem implied the sufficiency of such measurements. By contrast, our approach follows a clear methodology: we are determining the consequences of the gauge symmetries of the estimation problem. Our results establish a sufficient condition for the optimality of independent measurements, i.e., the lack of any need for adaptive or entangled measurements. It is that the set of single-copy observables that are needed to define the estimation problem form a commutative set. In a slogan, the commutativity of the observables defining the estimation problem implies the adequacy of independent measurements.
$$s\big(|\psi(\theta, b)\rangle\langle\psi(\theta, b)|\big) = b.$$
Adopting the convention that $|0\rangle$ and $|1\rangle$ are eigenstates of the Pauli observable $\sigma_z$, it is clear that the prior p and the parameter to be estimated, s, are both invariant under unitaries of the form $e^{i\phi} e^{i\phi'\sigma_z}$ where $\phi, \phi' \in [0, 2\pi)$, which describe phase shifts or rotations about the axis $\hat{z}$. As we have seen in Section 3, this group is a gauge group. The algebra that corresponds to the commutant of this gauge group is $\mathcal{A} = \mathrm{Alg}\{\sigma_z, I\}$. Finally, since the figure of merit depends only on $q(B|b = b_0)$, the assumptions of Corollary 2 are satisfied (note that since $s(|\psi(\theta, b)\rangle\langle\psi(\theta, b)|) = b$, b can be thought of as the random variable defined by the parameter s acting on states). Therefore, we can infer that to achieve the optimal estimation, it suffices to consider POVMs inside the algebra $\mathcal{A}^{\otimes n}$ and, since $\mathcal{A}$ is commutative, it suffices to measure $\sigma_z$ on each system individually. In other words, all the information we can get from the state $|\psi(\theta, b)\rangle^{\otimes n}$ about the value of b we can also get from the mixed state $\big[\cos^2(\alpha_b)|0\rangle\langle 0| + \sin^2(\alpha_b)|1\rangle\langle 1|\big]^{\otimes n}$.
Note, however, that if one acquires some information about θ, then this information can be useful for estimating b: in the extreme case where we know the exact value of θ, we can perform the Helstrom measurement [11] for distinguishing the two pure states $|\psi(\theta, 0)\rangle^{\otimes n}$ and $|\psi(\theta, 1)\rangle^{\otimes n}$. So one estimation strategy is to use some of the qubits to estimate θ and then use this information to choose an optimal measurement for estimating b using the rest of the qubits. But our result shows that by this strategy one cannot get more information than what one gets by ignoring θ and measuring $\sigma_z$ on individual systems. [Note that this result also implies that to get information about θ from each system we necessarily disturb its information about b. This can be interpreted as an example of the information-disturbance tradeoff.]
6 Other Applications
This generalization of Schur-Weyl duality can have other applications in quantum information. Here, we just point out one of these applications: finding noiseless subsystems.
Suppose one is going to send quantum information through a noisy qubit channel, where the noise is described by a unitary that is sampled at random, but wherein the same unitary acts on each qubit. This happens when, for example, the noise varies slowly compared to the interval between the qubits as they pass down the channel (or varies little on the distance scale between the qubits in the case of a quantum memory), in which case one can assume that the same random unitary is applied to all n qubits. Then it turns out that, due to the symmetry of the noise, it is possible to encode classical and quantum information in the n-qubit system in such a way that it remains unaffected by the noise [8,9,10]. To see this, note that under these assumptions, the noise is described by the group Q(U(2)). Any state in the commutant of Q(U(2)) is invariant under the noise. Furthermore, any state in the span of $P(S_n)$ has this property as well. Now using Schur-Weyl duality one can conclude that the span of $P(S_n)$ is equal to the commutant of Q(U(2)) and therefore every state which is unaffected by this type of noise is in the span of $P(S_n)$.
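The invariance claim just made, together with the collective and local actions (1), (2), (5) and (6) of Section 2, can be checked numerically for n = 2 qubits. The following Python is an added example and not the authors' code. It builds the swap operator P(s) for the transposition in $S_2$, a sample single-qubit unitary V standing in for the randomly sampled noise (the example's own choice), and the singlet $\rho = (I - \mathrm{SWAP})/2$, which lies in the span of $P(S_2)$. It then confirms that P(s) commutes with Q(V) = V ⊗ V, that ρ is unchanged by the collective action, and that ρ is changed by the local action V ⊗ I, which shows that the protection comes from the collective symmetry of the noise rather than from any property of V alone. Matrices are plain Python lists of complex rows (no numpy), and all helper names are the example's own.

```python
"""Collective-noise invariance of a state in span P(S_n), checked for n = 2 qubits.

Added example (not the authors' code). Matrices are lists of rows of Python complex numbers;
the basis index of |i1 i2> is 2*i1 + i2. Conventions are the example's own.
"""
import cmath
import math
from itertools import product


def matmul(a, b):
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def dagger(a):
    """Conjugate transpose."""
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]


def kron(a, b):
    """Tensor (Kronecker) product, the first factor acting on the first qubit."""
    rb, cb = len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb]
             for j in range(len(a[0]) * cb)] for i in range(len(a) * rb)]


def identity(n):
    return [[1.0 + 0j if i == j else 0j for j in range(n)] for i in range(n)]


def close(a, b, tol=1e-9):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(len(a)) for j in range(len(a[0])))


def swap_operator():
    """P(s) for the transposition s in S_2, eq. (2): |i1 i2> -> |i2 i1>."""
    p = [[0j] * 4 for _ in range(4)]
    for i1, i2 in product(range(2), repeat=2):
        p[i2 * 2 + i1][i1 * 2 + i2] = 1.0 + 0j  # column = input basis index, row = output
    return p


def su2_rotation(theta, phi):
    """Single-qubit unitary exp(-i theta (cos(phi) X + sin(phi) Y) / 2), used as the noise V."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return [[c + 0j, -1j * s * cmath.exp(-1j * phi)],
            [-1j * s * cmath.exp(1j * phi), c + 0j]]


def collective_action(v):
    """Q(V) = V (x) V, eq. (1): the same unitary applied to every qubit."""
    return kron(v, v)


def local_action(v):
    """V (x) I, the local action of eq. (6) with k = 0."""
    return kron(v, identity(2))


def conjugate_by(u, m):
    """u m u^dagger."""
    return matmul(matmul(u, m), dagger(u))


def singlet_state():
    """rho = (I - SWAP)/2 = |psi-><psi-|, a density matrix in span P(S_2)."""
    i4, sw = identity(4), swap_operator()
    return [[(i4[r][c] - sw[r][c]) / 2 for c in range(4)] for r in range(4)]


def commutes_with_collective_action(v):
    """P(s) lies in the commutant of Q(U(2)), the Schur-Weyl ingredient used in Section 6."""
    q, p = collective_action(v), swap_operator()
    return close(matmul(q, p), matmul(p, q))


def invariant_under_collective_noise(rho, v):
    return close(conjugate_by(collective_action(v), rho), rho)


def invariant_under_local_noise(rho, v):
    return close(conjugate_by(local_action(v), rho), rho)


if __name__ == "__main__":
    v = su2_rotation(1.1, 0.4)  # arbitrary sample of the random noise unitary
    rho = singlet_state()
    print("P(s) commutes with V(x)V:", commutes_with_collective_action(v))
    print("singlet invariant under V(x)V:", invariant_under_collective_noise(rho, v))
    print("singlet invariant under V(x)I:", invariant_under_local_noise(rho, v))
```

Any other operator in the span of $P(S_2)$, for instance the symmetric projector $(I + \mathrm{SWAP})/2$ normalised by its trace, passes the same collective-noise check, since it is built from I and SWAP, both of which commute with V ⊗ V. The local-action check fails for the singlet because a maximally entangled state is only fixed by V ⊗ I when V is a global phase.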
In a more general model, the system sent through the channel may have other degrees of freedom which can potentially be used to send quantum information. In other words, the Hilbert space describing each particle sent through the channel is not $\mathbb{C}^2$ but $\mathbb{C}^2 \otimes \mathcal{H}$, where the finite-dimensional Hilbert space $\mathcal{H}$ describes another degree of freedom which is invariant under the noise in the channel. Clearly, in this case, one cannot use the usual form of Schur-Weyl duality to find the noiseless subsystems. But, as we have explained in [3], our generalization of Schur-Weyl duality can be used to specify these subsystems.
References
1. Goodman, R., Wallach, N.R.: Representations and Invariants of the Classical Groups. Cambridge University Press (1998)
2. Harrow, A.: Applications of coherent classical communication and the Schur transform to quantum information theory. PhD thesis, MIT, arXiv preprint arXiv:quant-ph/0512255 (2005)
3. Marvian, I., Spekkens, R.W.: A generalization of Schur-Weyl duality with applications in quantum estimation, arXiv:1112.0638
4. Hayashi, A., Horibe, M., Hashimoto, T.: Phys. Rev. A 73, 062322 (2006)
5. Holevo, A.: Probabilistic and Statistical Aspects of Quantum Theory. Scuola Normale Superiore, Monographs (2011)
6. Chiribella, G.: Optimal estimation of quantum signals in the presence of symmetry. PhD thesis, University of Pavia, Pavia, Italy (2006)
7. Zyczkowski, K., Sommers, H.J.: J. Phys. A 34, 7111–7125 (2001), quant-ph/0012101
8. Zanardi, P., Rasetti, M.: Phys. Rev. Lett. 79, 3306 (1997); Zanardi, P.: Phys. Rev. A 63, 012301 (2000)
9. Knill, E., et al.: Phys. Rev. Lett. 84, 2525 (2000); Kempe, J., et al.: Phys. Rev. A 63, 042307 (2001)
10. Bartlett, S.D., Rudolph, T., Spekkens, R.W.: Phys. Rev. Lett. 91, 027901 (2003)
11. Helstrom, C.W.: Quantum detection and estimation theory. Academic Press (1976)
Author Index
González-Guillén, Carlos 29
Hall, Michael J.W. 98
Hayashi, Masahito 128
Javelle, Jérôme 1
Kaplan, Marc 65
Kay, Alastair 98
Kerenidis, Iordanis 13
Koh, Dax Enshan 98
Rivosh, Alexander 87
Rosgen, Bill 74
Scarani, Valerio 98
Schaffner, Christian 29
Setiawan 98
Sharma, Naresh 116
Spekkens, Robert W. 141
Vidick, Thomas 45
Watrous, John 45
Woodhead, Erik 107