Secure sequential transmission of quantum information

We propose a quantum communication protocol that can be used to transmit any quantum state, one party to another via several intermediate nodes, securely on quantum communication network. The scheme makes use of the sequentially chained and approximate version of private quantum channels satisfying certain commutation relation of n-qubit Pauli operations. In this paper, we study the sequential structure, security analysis, and efficiency of the quantum sequential transmission protocol in depth.


I. INTRODUCTION
One of the most popular quantum cryptographic primitives, except quantum key distribution, is the quantum secret sharing (QSS) protocols [1,2].The primitive known as QSS is a process of splitting a piece of quantum information into several parts, and then securely reconstructing the information, but certain subparts are not enough to restore the original quantum information.(In a strict sense, the secret sharing is different from the state sharing on its goal [3], but we treat the protocols as in the same category.)There are huge number of theoretical studies on QSS protocols, and also exist experimental demonstrations on QSS schemes in continuous-variable regime, e.g., Ref. [4,5].
Transmission or distribution of quantum information over several authorized nodes is essential for future applications in quantum communications.We here review the original QSS scheme from the point of view of (approximate) private quantum channels (PQC), and then propose an information transmission method, namely, εsecure quantum sequential transmission (QST) protocol.This protocol uses a concept of private quantum channel and aims to secure sequential transmission, where arbitrary quantum states pass through several authorized intermediate nodes (or participants).In the transmission process, all nodes must collaborate to reveal the original quantum information.In the sequentially chained scheme, we exploit the Pauli commutation relations on n-qubit quantum states, and derive the mathematical structure of multi-node ε-randomizing maps.
Using a toy model, we first analyze three-party QSS protocol, and we describe the task as an information splitting-reconstructing (ISR) protocol under the security parameter ε.Second, we construct our main protocol.The parameter ε implies that security and efficiency of the protocols are dealt with an asymptotic consideration.Shortly speaking, the quantum sequential transmission protocol can transmit any quantum states from one party to another under the consent of all authorized participants with classical secret bits.Note that any input quantum states into a quantum channel are arbitrary quantum information with a given dimension, and we ex-clude classical information.Thus we expect that the protocol, QST, can be applied to certain applications such as quantum repeater [6], quantum key repeater [7], quantum sealed-bid auction [8] or probably quantum email protocol, since only authorized users can send, confirm, and read the quantum message.Furthermore, with the proposed schemes, we study the key question of finding minimal resources required to split and reconstruct a quantum state, and to transfer arbitrary quantum information sequentially.
Let us briefly review the quantum one-time pad or private quantum channel (PQC).Ambainis et al. [9] first proposed a quantum primitive known as a private quantum channel for secure transmission of quantum states, and already proved its security including the optimality [10,11].The complete randomization method naturally gave births to approximate approaches for randomizing quantum states [12][13][14].We here adopt an approximate version of the Dickinson and Nayak's PQC [14], which has relatively few Pauli operations on multi-qubit encodings.Using conventions and definitions in Sec.I A, we construct two kinds of quantum communication protocols that are efficient and secure with a small information leakages (ε 1) notwithstanding minimal use of resources.But, in this paper, we mainly focus our attention on constructing the ε-secure quantum sequential transmission scheme (QST), not on ISR.
Before finishing the section, we introduce the mathematical structure of (approximate) PQC or εrandomizing map (or also known as random unitary channel).Moreover we comment on security analysis from Holevo bound.In Section II, we introduce a modified QSS in terms of information splitting-reconstructing scenario on three-party system.In Section III, we focus on our main construction of quantum sequential transmission protocol, which is one step more advanced form of the QSS or ISR protocol, on multi-party system.In Section IV, we summarize and conclude our work.

arXiv:1501.04452v1 [quant-ph] 19 Jan 2015
A. Background For a given d-dimensional Hilbert space C d , B(C d ) denotes the space of bounded linear operators on the space C d , and U (d) ⊂ B(C d ) the unitary group on the space.We make use of a quantum map from B(C d ) to itself generally known as a quantum channel.Then we can define a private quantum channel: For any ε ≥ 0, a completely positive and trace preserving (CPTP) map R : B(C d ) → B(C d ) is said to be ε-randomizing with respect to the trace norm if, for all quantum state ρ ∈ B(C d ), where 1 d denotes the identity matrix of a given dimension d.The input quantum source ρ is a d-dimensional density matrix.The map R satisfying Eq. ( 1) is the approximate private quantum channel (APQC), and M 1 := tr √ M † M denotes the trace norm for any matrix M .Note that the mapping R is perfect (or complete) randomizing map if ε = 0.
A simple way to create such an invertible encoding map is to choose a certain sequence of unitary operators U 1 , . . ., U s≤d 2 ∈ U (d) and define the encoding map as The index i corresponds to the number of shared secret bits that all communicating parties share.We here assume that the secret bits are unknown to any eavesdroppers or unauthorized parties.With a suitable choice of s unitary operators not more than d 2 , the mapping R satisfies to be an approximate private quantum channel.
In fact, any orthogonal set of d 2 unitary operations form a perfect private quantum channel.Notice that the dimension d of our case is fixed to 2 n to accommodate the Hilbert space of n qubits.
If that is the case, how can we analyze the security of approximate private quantum channels?Roughly speaking, the accessible information to any attackers, for any quantum states ρ = i p i ρ i supported on C d and dε < 1, is bounded above by Holevo information [15] where {p i , R(ρ i )} represents an ensemble of ρ i 's with probability p i 's through the quantum channel R, and S(ρ) := −trρ log ρ, the von Neumann entropy.The above inequality is true because the definition of the ε-randomizing map with respect to the trace norm in Eq. ( 1) implies that the eigenvalues of the channel-output are almost uniformly distributed such that R(ρ i ) (1 + dε)1 d /d.This also means that attackers cannot obtain any information about the information of the ensemble {p i , R(ρ i )} under the condition dε < 1.

II. THREE-PARTY INFORMATION SPLITTING/RECONSTRUCTING PROTOCOL
In this section we study the quantum state sharing protocol in three-party scheme.We describe the structure of the classical key relation in terms of private quantum channel, and explain the security analysis under a restriction of holding secure key bits notwithstanding the small size.Especially we call the scheme not as quantum state sharing but as (quantum) information splitting and reconstructing (ISR), because we mainly focus on PQC based protocols.Note that we have already studied similar case on approximate QSS by using bilateral private quantum channels [16].By excluding entanglement, these schemes can be compared to another protocol proposed by Sun at al.'s construction [17].
Suppose that Alice wants to transmit an n-qubit quantum state to Bob and Charlie in such a way that they must cooperate in order to extract the quantum information, and no one obtain any information for the state that Alice sends to Bob and Charlie.As usual quantum secret sharing protocols our information splitting and reconstructing scheme is based on PQCs, and receivers also collaborate with each other to retrieve the sender's original message.The quantum message is divided by Alice and sent to Bob and Charlie.Then we pursue an approximate information splitting-reconstructing (ISR) protocol with the security parameter ε < 1. Assume that all participants have no shared entanglement with each other, e.g., Greenberger-Horne-Zeilinger states, unlike the usual scheme in Ref. [1].In such a protocol, what would be the minimum number of secret classical key bits, that Alice, Bob and Charlie have to share to achieve the quantum state sharing?
Suppose that 2n-bit string K = k 1 . . .k 2n and we denote Alice, Bob and Charlie's key as K A , K B and K C , respectively.Now assume that K A , K B and K C satisfy the following relation where α i = 0 or 1 (i = 1, . . ., 2n).For convenience, we fix α i = 0.A relation between keys and Pauli operators is crucial in the proof of following protocols, so we carefully investigate the key correspondence.An explicit construction for Eq. ( 2) depends on unitary operators chosen at random from the set of n-qubit Pauli matrices.For two n-bit strings a and b, let a * b = n j=1 a j b j mod 2 denotes the standard inner product on Z n 2 .We represent a tensor product of n single qubit Pauli operators by a string of 2n-bit K, (a, b) ∈ {0, 1} 2n , by using the following correspondence where and Z = 1 0 0 −1 , and ι = √ −1 the imaginary number.Now, we define a set P n as for all tensor products of n single qubit Pauli operators.
Then the set P n forms a basis for the 2 n × 2 n complex matrices.(Note that the set P 1 = {1 2 , X, ιXZ, Z} is the usual Pauli operators on single qubit.)For convenience we substitute P n to P K under the correspondence in Eq. ( 4) to emphasize a classical key K.As we mentioned above, n-qubit Pauli operators form a basis for the set of all 2 n × 2 n matrices.So, for a given density matrix ρ, we can construct that where c a,b is an element of a vector (c a,b ) in 2 ≤ 2 n , and X 2 := √ trX † X is the Frobenius (or Hilbert-Schmidt) norm on the space.
Suppose that a pure state |Φ ∈ B(C 2 n ) is Alice's secret n-qubit fixed message.(Consideration of only pure states is enough since the convexity of trace norm ensures the previous statement.)Alice applies a unitary operator P K A corresponding to K A on |Φ , and sends the encoding state to Bob and Charlie.Then Bob and Charlie have to collaborate with each other to get the Alice's secret n-qubit message.Also Alice must use at least 2n-bit key not to leak any information [9].We believe that these three-party protocol can be extended to multi-party schemes (m ≥ 3) in natural ways since there is no restriction on the pre-shared key extension on m users.Now we briefly consider the security of ISR depending on ε and a minimum amount of secure key consuming.As mentioned above, if the quantum channel R is an ε-randomizing map, information leakage with ε < 1 is sufficiently small by the definition of Eq. ( 1).Furthermore, for sufficiently large n and any ε > 0, if we use ε-randomizing map, the amount of key required can be reduced to n + 2 log 1 ε + 4 in the trace norm case [14].This size of key is about one-half required for the complete PQC with 2n-secret bits.We move on to the next step on further generalized version of the ISR protocol.

III. QUANTUM SEQUENTIAL TRANSMISSION SCHEME
With additional modification of QSS or ISR schemes and approximate private quantum channels, we now propose a quantum transmission protocol of so-called εsecure quantum sequential transmission (QST) scheme.The main objective of our task is to send a unknown quantum information from a sender to a receiver when several authorized intermediate nodes exist.Although the quantum information is transmitted sequential ways on concatenated quantum channels, the crucial advantage of this protocol is to preserving its explicit security 1: Approximate m-party quantum sequential transmission protocol: By using a secret classical information K, a sender transmits any quantum state ρ securely to final node through the m − 1 and ε-randomizing maps RE j for all j.Boxes with PK represent the n-qubit Pauli operations corresponding a key K. and efficiency.In the sequential structure, we take the generalized n-qubit Pauli commutation relations on any input quantum signal, and prove the mathematical consistency and security of the chained ε-randomizing maps.
As in the above ISR protocol, suppose that, for all i-th position, Alice, Bob and Charlie share a correlation key such that k A i ⊕k B i ⊕k C i = α i , where α i is fixed to 0 under the mod 2 operation.The main purpose of this protocol is to securely transmit a quantum state from Alice to Charlie through a middle party Bob.The transmitted state between Alice and Charlie is asymptotically secure since the 2n-bit-key-based PQC makes arbitrary n-qubit state into a near maximally mixed state (in three-party scenario).Extending the idea of three-party protocol, we can directly generalize it to an m-party concatenatedtransmission protocol within n-qubit Pauli commutation relations.
First, we simply take account of three-party protocol for sequential quantum state transmission.Alice prepares an n-qubit quantum state |Φ and encodes the state to P K A |Φ which will be transmitted to Bob. Bob also encodes the state, by using the correlation key K B , to P K B • P K A |Φ where • denotes a composition of two Pauli sets, and sends the state to the third party Charlie.Remember that so the receiver Charlie efficiently decodes the state to original quantum information In Eq. ( 6), we use the following identity, for any Pauli operators, (7) This condition for (complete) private quantum channel needs exactly 2n secret bits.But if we use the approximate case of PQC, then we need about half-size (≈ n-bit) keys only instead of 2n-bit keys [12,14], i.e., for sufficiently large d it satisfies our security level with small ε.
As shown in Fig. 1, m-party extension (m ≥ 3) of QST scheme is simple and natural, but we need some technical calculations as shown below.We note that every intermediate user also accomplishes the role of sender and receiver.Before describing the m-party scenario, we define a bias of a set of 2n-bit strings.For a given subset of E ⊂ {0, 1} 2n , if then we call the set E is biased with respect to a string (a, b) ∈ {0, 1} 2n [14,18], where E is an expectation value for some variable in E. Note that * is also the inner product, and the bias is equal to 2E E [x * (a, b)] − 1 under the modulo 2 operations.When, for all (a, b) = 0 2n , Bias(E, (a, b)) ≤ β, we call the subset E ⊂ {0, 1} 2n to be β-biased.
A subset E ⊂ {0, 1} 2n defines a CPTP map on n-qubit as follows, where a real number |β a,b | is equal to the Bias(E, (a, b)) in Eq. ( 8).The modulus of E, |E|, corresponds to some number s(≤ 2 2n ) of n-qubit Pauli operations used in the map R E .By using commutation relations on Pauli matrices, above equations can be derived from If we choose E = {0, 1} 2n , then we have a completely randomizing map.It is known that there exists a map R E an ε-randomizing map with respect to the trace norm for n-qubit states, when the subset E ⊂ {0, 1} 2n be a set with bias at most ε • 2 −n/2 .(See also the proof in Ref. [13].) From the existence of small β-bised subset E, the Frobenius norm of the randomized state is almost concentrated at the maximally mixed state, that is, This inequality can be directly calculated from the Eq. ( 9) of ε•2 −n/2 -biasedness and the bound c a,b 2 2 ≤ 2 n .Moreover, for any density matrix N ∈ B(C 2 n ), the inequalities 2 − 1 always hold.(See proof details in the appendix A of Ref. [14].)Thus we obtain the following chain bounds Thus, if we can choose a suitable subset E with βbiasedness, then we can always create ε-randomizing map or APQC in trace norm.The above equation, Eq. ( 12), is intrinsically identical to the Eq. ( 1), therefore the security is well preserved.Finally we show that multi-party approximate private quantum channel and multi-party quantum sequential transmission protocol is secure and efficient, i.e., we claim that n DN := n + 2 log 1 ε + 4 classical keys are sufficient for the m-party QST scheme.By choosing a dense subset E, we can initialize a subset E j ⊂ {0, 1} 2n to be a set with bias at most ε 1/m • 2 −n/2m for each j [19].Then we assert that there exists an m-party ε-randomizing map with respect to the trace norm for n-qubit states: For any density matrix ρ ∈ B(C 2 n ), we have We here denote that R Since the m-user encoding and transmitting for a quantum state under m-APQC form an m-party QST protocol, and it can be directly derived from the following commutation relation This equation is just a generalization of Eq. (10).Suppose that, for every quantum state ρ ∈ B(C 2 n ), each ε-randomizing map between two nodes (j, j + 1) satisfies then we can always construct multi-user QST protocol via approximate private quantum channels with and consume about n bits of secret classical keys satisfying m i=1 K Ai = 0.The estimation of Eq. ( 16) for every ε promises to use the classical key of n+2 log 1 ε +4 bits [14].Notice that Dickinson and Nayak's efficient construction for the approximate PQC on n-qubit situation relies on McDiarmid's inequality in probability analysis and a net argument on discretizing pure quantum states.Strict security analysis for the approximate private quantum channel in security parameter ε are reported at Ref. [11], and see also Ref. [20].

IV. CONCLUSION
In summary, we constructed a quantum communication protocol for quantum sequential and ε-secure transmission scheme via the extension of three-party information splitting/reconstructing task.This scheme makes use of a relatively small (correlated) classical secret information of about n DN n bits, just half of the size or the perfect private quantum channel of 2n-bit, and transmit any n-qubit states securely, so we say that the protocol is efficient.The security argument only depends on the small security parameter ε in which an approximate private quantum channel guarantee its security.In fact, it is a small value (ε < 1) for sufficiently large d-dimension of Hilbert space C d .
Beyond the mathematical construction of the quantum sequential transmission scheme, we need to exploit this type of communication protocols for potential future applications such as quantum (key) repeater, auction, and email scheme and so on.So, the analysis of these protocols in quantum regime is significant and necessary.We finally point out that the security of the QST protocol must be systematically analyzed for several cases of attackers, and further study is needed for mathematical generalization in p-norm cases (for all p ≥ 1).We hope that the quantum sequential transmission, QST, can be used for the realization of practical quantum communication networks.
V. ACKNOWLEDGEMENT