Comparison with the classical case

What about classical data structures for the set membership problem, how many bits are required to represent a set S ⊆ {0, 1}ⁿof at most k elements? The answer depends on what we expect from the data structure. Most reasonable seems to require the data structure to be a classical string (possibly generated according to some distribution depending on S) which we can store somewhere and afterwards use to determine whether y∈ S for any y of our choice. With this constraint, the classical data structure requires about log³Pk

i=0

¡_N

i

¢´≈ kn bits (the logarithm of the number of sets that we want to represent). Accordingly, in this case, quantum mechanics allows exponential space savings for small k: if k ∈ polylog(n) then the quantum data structure for S requires about k log(kn) ∈ polylog(n) qubits, which is exponentially less than the classical space of about kn bits.

There is, however, another way to view the classical data structure, a way which uses classical fingerprinting and requires only O(k log(kn)) bits to represent S. Suppose we choose a field F of, say, 100kn elements. For each x∈ S we choose a random z_x∈ F and we represent S by giving the pairs (zx, p_x(z_x)) for all x∈ S.

This takes k· 2 log(100kn) bits. If we now want to test whether some y is in S, then we can compare px(zx) with py(zx) for all k pairs. If y ∈ S then one of these k comparisons will give equality, and if y6∈ S then probably all comparisons give inequality, where the probability is taken over the random choices of zx. If this probabilistic result satisfies us, then we have a classical data structure which is as efficient as the quantum one given above. The problem with this approach is that once the randomness (the choices of zx) has been fixed, an adversary can find a y such that with certainty the data structure will give the wrong answer for the query ‘y∈ S?’. The quantum data structure does not suffer from this drawback.

In the quantum case there is no randomness that needs to be fixed, and every query is answered with high probability no matter which y the adversary chooses.

One way to express this is to say that the quantum superposition “postpones”

the randomness to the actual time at which the query is made.

The difference between the quantum and the classical case also shows up in the simultaneous message passing model mentioned in the first part of this paper.

Suppose Alice receives S⊆ {0, 1}ⁿof size|S| ≤ k, Bob receives some y ∈ {0, 1}ⁿ, and they each want to send one message to the referee to enable him to determine whether y∈ S. In the quantum case, Alice can send the quantum data structure for S to the referee (O(k log(kn)) qubits), Bob can send a fingerprint of y to the referee with error reduced to ≈ 1/k (O(log(kn)) qubits), and the referee can determine whether y ∈ S with small error probability. Note that the referee has to apply the test of Figure 8.2, he cannot apply the simpler test from this section, since he does not have the complete y. In the classical case, Alice and/or Bob need to send exponentially more bits to the referee (in particular, for k = 1 this is just the equality problem, for which the classical bound is Θ(√

n)).

8.8 Summary

In many contexts, testing the equality of n-bit strings x and y can be done by taking short fingerprints of x and y and comparing only those. If the two parties making the respective fingerprints share O(log n) bits of randomness, then the classical fingerprints need only be O(1) bits long. However, if the parties do not share randomness, then the fingerprints need Θ(√

n) bits. We gave a quantum fingerprinting scheme in which the fingerprints can be O(log n) qubits even if the parties share no randomness whatsoever. This implies an exponential quantum-classical gap for the equality problem in the simultaneous message passing variant of communication complexity: Alice and Bob are uncorrelated, they get inputs x and y, respectively, and should each send a message to a referee to enable him to decide whether x = y. Classically this takes Θ(√

n) bits of communication, quantumly it takes only O(log n) qubits. We analyzed the required size of the quantum fingerprints and the error probability of the referee’s equality test in detail, and also gave some other applications of quantum fingerprinting.

Chapter 9

Private Quantum Channels

This chapter is based on the paper

• A. Ambainis, M. Mosca, A. Tapp, and R. de Wolf. Private Quantum Chan-nels. In Proceedings of 41th IEEE FOCS, pages, 547–553, 2000.

9.1 Introduction

In the previous chapters we have discussed bounds on the amount of quantum communication that is needed for solving various tasks. Whenever two people communicate over some channel, they run the risk of being spied on: some eaves-dropper Eve may tap the channel and learn things about the conversation that Alice and Bob would rather she didn’t know. In this chapter we will investigate what resources are needed for Alice and Bob to make their quantum communi-cation secure, in the sense that Eve will get no information about the messages when she taps the channel.

Secure transmission of classical information is a well studied topic. Suppose Alice wants to send an n-bit message M to Bob over an insecure (i.e., spied-on) channel, in such a way that the eavesdropper Eve cannot obtain any information about M from tapping the channel. If Alice and Bob share some secret n-bit key K, then here is a simple way for them to achieve their goal: Alice exclusive-ors M with K and sends the result M^′ = M ⊕ K over the channel, Bob then xors M^′ again with K and obtains the original message M^′ ⊕ K = M. Eve may see the encoded message M^′, but if she does not know K then this will give her no information about the real message M , since for any M there is a key K^′ giving rise to the same encoding M^′. This scheme is known as the Vernam cipher or one-time pad (“one-time” because K can be used only once if we want information-theoretic security). It shows that n bits of shared secret key are sufficient to securely transmit n bits of information. Shannon [149, 150]

155

has shown that this scheme is optimal: n bits of shared key are also necessary in order to transmit an n-bit message in an information-theoretically secure way.

Now let us consider the analogous situation in the quantum world. Alice and Bob are connected by a one-way quantum channel, to which an eavesdropper Eve has complete access. Alice wants to transmit to Bob some n-qubit state ρ taken from some setS, without allowing Eve to obtain any information about ρ. (Here ρ is a mixed quantum state, a probability distribution on pure quantum states, to be defined in more detail in the next section.) Alice and Bob could easily achieve such security if they share n EPR-pairs or if they were able to establish EPR-pairs over a secure quantum channel, for then they can apply teleportation (Section 6.2) and transmit every qubit via 2 random classical bits, which will give Eve no information whatsoever. But now suppose Alice and Bob do not share EPR-pairs, but instead they only have the resource of shared randomness, which is weaker but easier to maintain.

A first question is: is it at all possible to send quantum information fully securely using only a finite amount of randomness? At first sight this may seem hard: Alice and Bob have to “hide” the amplitudes of a quantum state, which are infinitely precise complex numbers. Nevertheless, the question has a positive answer. More precisely, to privately send n qubits, a shared 2n-bit classical key is sufficient. The encryption technique is fairly natural. Alice applies to the state ρ that she wants to transmit a reversible quantum operation specified by the shared key K (basically, she applies a random Pauli matrix to each qubit), and she sends the result ρ^′ to Bob. In the most general setting this reversible operation can be represented as doing a unitary operation on the state ρ augmented with a known fixed ancilla state ρa. Knowing the key K that Alice used, Bob knows which operation Alice applied and he can reverse this, remove the ancilla, and retrieve ρ. In order for this scheme to be information-theoretically secure against the eavesdropper, we have to require that Eve always “sees” the same density matrix ρ₀ on the channel, no matter what ρ was. Because Eve does not know K, this condition can indeed be satisfied. Accordingly, an insecure quantum channel can be made secure (private) by means of shared classical randomness.

A second question is, then, how much key Alice and Bob need to share in order to be able to privately transmit any n-qubit state. A good way to measure key size is by the amount of entropy required to create it, that is, by the entropy of the probability distribution according to which Alice and Bob select their secret key. In the case of a uniform distribution, this is just the number of bits of the key. As one might imagine, showing that 2n bits of key are not only sufficient but also necessary, is the most intricate part of this chapter.¹ We prove this 2n-bit lower bound in Section 9.5, and show that it even holds for the simpler task of

1Note that if Alice and Bob share an insecure two-way channel, then they can do quantum key exchange [26] in order to establish a shared random key, so in this case no prior shared key (or only a very small one) is required.

9.2. Preliminaries 157