
9.5 Lower Bound on the Entropy of PQCs

Above we showed that 2n bits of entropy suffice for a PQC that can send arbitrary n-qubit states. In this section we will show that 2n bits are also necessary for this.

Independently of our work, this 2n-bit lower bound was also proven by Boykin and Roychowdhury [31] for the special case where the PQC is not allowed to use any ancilla qubits. We will first give a shorter version of their proof, basically by observing that a large part of it can be replaced by a reference to the unitary equivalence of identical superoperators stated at the end of Section 9.2.1.

9.5.1. Theorem (Boykin & Roychowdhury [31]; AMTW [10]).

If $[\mathcal{H}_{2^n}, \{\sqrt{p_i}\,U_i \mid 1 \le i \le N\}, \tilde{I}_{2^n}]$ is a PQC, then $H(p_1, \ldots, p_N) \ge 2n$.

Proof. Let $\mathcal{E} = \{\sqrt{p_i}\,U_i\}$, and let $\mathcal{E}' = \{\frac{1}{\sqrt{2^{2n}}}\,\sigma_x \mid x \in \{0, 1, 2, 3\}^n\}$ be the superoperator of Theorem 9.4.1, and let $K = \max(2^{2n}, N)$. Since $\mathcal{E}(\rho) = \mathcal{E}'(\rho) = \tilde{I}_{2^n}$ for all n-qubit states $\rho$, we have that $\mathcal{E}$ and $\mathcal{E}'$ are unitarily related in the way mentioned in Theorem 9.2.1: there exists a unitary $K \times K$ matrix $A$ such that for all $1 \le i \le N$ we have

We view the set of all $2^n \times 2^n$ matrices as a $2^{2n}$-dimensional vector space with inner product $\langle M, M' \rangle = \mathrm{Tr}(M^* M')/2^n$ and induced norm $\|M\| = \sqrt{\langle M, M \rangle}$ (as done in [31]). Note that $\|M\| = 1$ if $M$ is unitary. It is easy to see that the set of all $\sigma_x$ forms an orthonormal basis for this vector space, so:

pi =k√

However, even granted this result it is still conceivable that a PQC might require fewer than 2n bits of randomness if it can “spread out” its encoding over many ancilla qubits — it is even conceivable that those ancilla qubits can be used to establish privately shared randomness using some variant of quantum key distribution. The general case with ancilla is not addressed in [31], and proving that the 2n-bit lower bound extends to this case requires more work.

The next few theorems will do this. They will in fact show something slightly stronger, namely that a PQC that can transmit any unentangled n-qubit state already requires 2n bits of randomness, no matter how many ancilla qubits it uses. Thus Theorem 9.4.1 exhibits an optimal quantum one-time pad, analogous to the optimal classical one-time pad mentioned in the introduction.

We use the notation $\mathcal{C}_k = \{|i\rangle \mid 0 \le i \le k - 1\}$ for the set of the first $k$ classical states. The next theorem implies that a PQC that privately conveys n unentangled qubits using m bits of key can be transformed into a PQC that privately conveys any $|i\rangle \in \mathcal{C}_{2^{2n}}$, still using only m bits of key.

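9.5.2. Theorem (AMTW [10]). If there exists a PQC $[\mathcal{H}_2^{\otimes n}, \mathcal{E} = \{\sqrt{p_i}\,U_i \mid 1 \le i \le N\}, \rho_a, \rho_0]$, then there is a PQC $[\mathcal{C}_{2^{2n}}, \mathcal{E}' = \{\sqrt{p_i}\,U_i' \mid 1 \le i \le N\}, \rho_a, \tilde{I}_{2^n} \otimes \rho_0]$.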

Proof. For ease of notation we again assume $\mathcal{E}$ uses no ancilla. First note that it follows easily from Lemma 9.4.4 that the PQC $\mathcal{E}$ not only works for $\mathcal{H}_2^{\otimes n}$ (the set of all unentangled n-qubit states) but also for $\mathcal{H}_{2^n}$ (the set of all n-qubit states). We will first define $\mathcal{E}'$ and then show that it is a PQC.

Intuitively, $\mathcal{E}'$ maps every state from $\mathcal{C}_{2^{2n}}$ to a tensor product of n Bell states by mapping pairs of bits to one of the four Bell states (which are $\frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$ and $\frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$). The second bits of the pairs are then moved to the second half of the state and encrypted by applying $\mathcal{E}$ to them. Because of the entanglement between the two halves of each Bell state, the resulting 2n-qubit density matrix will be $\tilde{I}_{2^n} \otimes \rho_0$. More specifically, for $x \in \{0, 1, 2, 3\}^n$ and $\sigma_x = \sigma_{x_1} \otimes \cdots \otimes \sigma_{x_n}$ as in Theorem 9.4.1, define the following unitary transformation $U$:

U|xi = (σx⊗ I2n) 1

(∗)= (σx⊗ I2n) 1

Privately sending any state from $\mathcal{C}_{2^m}$ corresponds to privately sending any classical m-bit string. If communication takes place through classical channels, then Shannon’s theorem implies that m bits of shared key are required to achieve such security. Shannon’s classical lower bound does not translate automatically to the quantum world (it is in fact violated if a two-way quantum channel is available, see Footnote 1 on page 156). Nevertheless, if Alice and Bob communicate via a one-way quantum channel, then Shannon’s theorem does generalize to the quantum world:

9.5.3. Theorem (AMTW [10]). If $[\mathcal{C}_{2^m}, \{\sqrt{p_i}\,U_i \mid 1 \le i \le N\}, \rho_a, \rho_0]$ is a PQC, then $H(p_1, \ldots, p_N) \ge m$.

Proof. Diagonalize the ancilla: $\rho_a = \sum_{j=1}^{r} q_j |\psi_j\rangle\langle\psi_j|$, so $S(\rho_a) = H(q_1, \ldots, q_r)$.

Note that the 5th property of Von Neumann entropy (Section 9.2) implies:

S(ρ0) = S

Also, using properties 2, 3, and 4 of Von Neumann entropy:

S(ρ0) = S

Combining these two inequalities gives the theorem. □

In particular, for sending arbitrary states from $\mathcal{C}_{2^{2n}}$ we need entropy at least 2n. Combining Theorems 9.5.2 and 9.5.3 we thus obtain the main lower bound: any private quantum channel that can send every n-qubit state in a secure way needs at least 2n bits of secret key. This shows that Theorem 9.4.1 is optimal.

9.5.4. Corollary (AMTW [10]). If $[\mathcal{H}_2^{\otimes n}, \{\sqrt{p_i}\,U_i \mid 1 \le i \le N\}, \rho_a, \rho_0]$ is a PQC, then $H(p_1, \ldots, p_N) \ge 2n$ (and hence in particular $N \ge 2^{2n}$).

Since $\mathcal{H}_2^{\otimes n} \subseteq \mathcal{H}_{2^n}$, we have also proved the optimality of the PQC of Theorem 9.4.1:

9.5.5. Corollary (AMTW [10]). If $[\mathcal{H}_{2^n}, \{\sqrt{p_i}\,U_i \mid 1 \le i \le N\}, \rho_a, \rho_0]$ is a PQC, then $H(p_1, \ldots, p_N) \ge 2n$.

In relation to Theorem 9.4.2, note that $\mathcal{C}_{2^n} \subseteq \mathcal{B}^{\otimes n}$. Hence another corollary of Theorem 9.5.3 is the optimality of the PQC of Theorem 9.4.2:

9.5.6. Corollary (AMTW [10]). If $[\mathcal{B}^{\otimes n}, \{\sqrt{p_i}\,U_i \mid 1 \le i \le N\}, \rho_a, \rho_0]$ is a PQC, then $H(p_1, \ldots, p_N) \ge n$ (and hence in particular $N \ge 2^n$).

9.6 Summary

The main result of this chapter is an optimal quantum version of the classical one-time pad. On the one hand, if Alice and Bob share 2n bits of secret key, then Alice can send Bob any n-qubit state ρ, encoded in another n-qubit state in a way that conveys no information about ρ to the eavesdropper. This is a simple scheme which works locally (i.e., deals with each qubit separately) and uses no ancillary qubits. On the other hand, we showed that even if Alice and Bob are allowed to use and send any number of ancilla qubits, then they still require 2n bits of entropy. Thus 2n bits of shared randomness are necessary as well as sufficient for private communication of n qubits.
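The following added example (not from the thesis) checks the single-qubit case n = 1 numerically: the four Pauli matrices are orthonormal under the normalized inner product, and among uniform keys over subsets of the Paulis only the full set, with 2 bits of entropy, hides the constructed test states. Restricting to Pauli subsets with uniform probabilities is an assumption of the example; it illustrates the bound rather than proving it.

```python
import itertools, math

# Single-qubit Pauli matrices (n = 1), as tuples of rows.
PAULIS = {"I": ((1, 0), (0, 1)), "X": ((0, 1), (1, 0)),
          "Y": ((0, -1j), (1j, 0)), "Z": ((1, 0), (0, -1))}

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2))
                       for j in range(2)) for i in range(2))

def adj(a):  # conjugate transpose
    return tuple(tuple(complex(a[j][i]).conjugate() for j in range(2))
                 for i in range(2))

def inner(a, b):
    """Normalized inner product Tr(A^* B) / 2^n for n = 1."""
    m = mul(adj(a), b)
    return (m[0][0] + m[1][1]) / 2

def density(psi):
    """|psi><psi| for a 2-component state vector."""
    return tuple(tuple(psi[i] * complex(psi[j]).conjugate()
                       for j in range(2)) for i in range(2))

def encrypt(rho, ops):
    """Eavesdropper's view: uniform mixture of U rho U^* over the key set."""
    terms = [mul(mul(u, rho), adj(u)) for u in ops]
    return tuple(tuple(sum(t[i][j] for t in terms) / len(ops)
                       for j in range(2)) for i in range(2))

def close(a, b, eps=1e-12):
    return all(abs(a[i][j] - b[i][j]) < eps for i in range(2) for j in range(2))

S = 1 / math.sqrt(2)
# Constructed test states: |0>, |1>, |+>, |+i>
STATES = [density(v) for v in [(1, 0), (0, 1), (S, S), (S, 1j * S)]]

def hides_all(names):
    """True if every test state encrypts to the same density matrix."""
    outs = [encrypt(r, [PAULIS[k] for k in names]) for r in STATES]
    return all(close(outs[0], o) for o in outs[1:])

def secure_key_sets():
    """Subsets of the Paulis (uniform key) that hide all test states."""
    return [c for r in range(1, 5)
            for c in itertools.combinations("IXYZ", r) if hides_all(c)]

if __name__ == "__main__":
    print([(c, math.log2(len(c))) for c in secure_key_sets()])
```
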

Appendix A

Some Useful Linear Algebra

In this appendix we sketch some useful parts of linear algebra, most of which will be used somewhere or other in the thesis.

A.1 Some Terminology and Notation

We use $V = \mathbb{C}^d$ to denote the d-dimensional complex vector space, which is the set of all column vectors of d complex numbers. We assume familiarity with the basic rules of matrix addition and multiplication. A set of vectors $v_1, \ldots, v_m \in V$ is linearly independent if the only way to get $\sum_{i=1}^{m} a_i v_i$ equal to the zero-vector $\vec{0}$ is to set $a_1 = \cdots = a_m = 0$. A basis for $V$ is a set of vectors $v_1, \ldots, v_d$ such that every vector $v \in V$ can be written as a linear combination of those basis vectors $v = \sum_{i=1}^{d} a_i v_i$. One can show that a basis is linearly independent.

We use $A_{ij}$ for the $(i, j)$-entry of a matrix $A$ and $A^T$ for its transpose, which has $A^T_{ij} = A_{ji}$. $I_d$ denotes the $d \times d$ identity matrix, which has 1s on its diagonal and 0s elsewhere. We usually omit the subscript $d$ when the dimension is clear from context. If $A$ is square and there is a matrix $B$ such that $AB = BA = I$, then we use $A^{-1}$ to denote this $B$, which is called the inverse of $A$ (and is unique if it exists). Note that $(AB)^{-1} = B^{-1}A^{-1}$. If $A$ is a matrix (not necessarily square), then $A^*$ denotes its conjugate transpose: the matrix obtained by transposing $A$ and taking the complex conjugates of all entries. Note that $(AB)^* = B^*A^*$. Physicists often write $A^\dagger$ instead of $A^*$.

For vectors $v, w$, we use $\langle v|w\rangle = v^* w = \sum_i v_i^* w_i$ for their inner product. The combination of the vector space $V$ with this inner product is called a Hilbert space. Two vectors $v, w$ are orthogonal if $\langle v|w\rangle = 0$. The inner product induces a vector norm $\|v\| = \sqrt{\langle v|v\rangle} = \sqrt{\sum_i |v_i|^2}$. The Cauchy-Schwarz inequality gives $|\langle v|w\rangle| \le \|v\| \cdot \|w\|$. A set $\{v_i\}$ of vectors is called an orthogonal set if all vectors are pairwise orthogonal: $\langle v_i|v_j\rangle = 0$ if $i \ne j$. If additionally the vectors all have norm 1, then the set is called orthonormal. The outer product of $v$ and $w$ is the matrix $v w^*$. Below we will restrict attention to square matrices, unless explicitly mentioned otherwise. The complex number $\lambda$ is an eigenvalue of a square matrix $A$ if there is some eigenvector $v$ such that $Av = \lambda v$.