Quantum data locking for high-rate private communication

We show that, if the accessible information is used as a security quantifier, quantum channels with a certain symmetry can convey private messages at a tremendously high rate, as high as less than one bit below the rate of non-private classical communication. This result is obtained by exploiting the quantum data locking effect. The price to pay to achieve such a high private communication rate is that accessible information security is in general not composable. However, composable security holds against an eavesdropper who is forced to measure her share of the quantum system within a finite time after she gets it.


I. INTRODUCTION
One of the most promising contemporary applications of quantum mechanics is within cryptography, where the laws of quantum physics certify the secrecy of a communication protocol. In quantum key distribution, the communication protocol aims at establishing a common key between two legitimate parties, Alice and Bob, in such a way that a third party, say Eve, eavesdropping and tampering with the communication line, obtains virtually no information about the key [1]. The key itself is generated randomly, possibly to serve as a one-time pad. On the other hand, in a private communication protocol, the sender, say Alice, aims at sending private messages to Bob [2]. In this case, the content of the messages is under the control of Alice and it is not random from her point of view. Clearly, any private communication protocol can also be used for key distribution.
In this paper we introduce a private communication protocol, based on the phenomenon of quantum data locking (QDL), that allows the highest rate of private communication: as high as less than one bit below the classical capacity for non-private communication (similar ideas were applied to quantum key distribution in [3]). Our protocol is secure according to the accessible information criterion, which is not the standard and widely accepted security criterion in quantum cryptography. For this reason, before proceeding with the description of the protocol, we make a brief detour to clarify in which context the accessible information yields reliable security, as well as to review the phenomenon of QDL [4].

A. Accessible information security
Let us recall that the accessible information is defined as the maximum classical mutual information between Alice's input and the result of any measurement performed by Eve on her share of the quantum system. Suppose that Alice's message $x$ is generated with probability $p_X(x)$ by a memoryless source described by the random variable $X$, and the conditional state obtained by Eve is $\rho_{E|x}$. The ensemble state of the joint system of Alice and Eve is hence described by the density matrix $\rho_{AE} = \sum_x p_X(x)\,|x\rangle_A\langle x| \otimes \rho_{E|x}$.
A local measurement by Eve is described by a map $M_E : E \to Y$ whose output is the classical variable $Y$. Then the accessible information of the state $\rho_{AE}$ reads where $I(X;Y) = H(X) + H(Y) - H(XY)$ is the classical mutual information, and $H$ denotes the Shannon entropy.
To assess the security of our protocol we show that $I_{\mathrm{acc}} \le \epsilon$, where $\epsilon$ is a security parameter that can be made arbitrarily small under certain conditions. This means that the output of any measurement by Eve is arbitrarily close to being uncorrelated with Alice's message. When used as a security quantifier, the accessible information suffers from a major problem: it does not guarantee composable security. Roughly speaking, composable security means that if two communication protocols are secure individually they remain secure when composed. The fact that the accessible information does not ensure composability is intimately related to the very effect of QDL [5]. However, as discussed in [3,6], the accessible information yields composable security conditioned on certain physical assumptions. For instance, one physical assumption that guarantees composable security is that the eavesdropper does not have access to a quantum memory, that is, she is forced to measure her share of the state as soon as she obtains it. This is a consequence of the fact that the accessible information concerns the output of Eve's measurement, and not the quantum state itself. A more realistic assumption is that Eve possesses a quantum memory with finite coherence time. In the simplest model, Eve either measures her share of the quantum system within a time $\tau$ or the quantum memory decoheres and becomes classical. Suppose the given communication protocol is used as a subroutine of a larger protocol. In this case composable security is granted if Alice and Bob know the coherence time of Eve's quantum memory and wait for a time sufficiently longer than $\tau$ before proceeding. Clearly, too large values of $\tau$ would make the protocol impractical. However, as discussed in [3], in a stationary regime the overall asymptotic communication rate may be independent of $\tau$ and remain finite even in the limit $\tau \to \infty$.

B. Quantum data locking
Below we introduce a private communication protocol that is secure according to the accessible information criterion. Such a protocol is a QDL protocol. In a typical QDL protocol, the legitimate parties, Alice and Bob, publicly agree on a set of $N = MK$ codewords in a high-dimensional quantum system. From this set, they then use a short shared secret key of $\log K$ bits to select a set of $M$ codewords that they will use for sending information. If an eavesdropper Eve does not know the secret key, then the number of bits, as quantified by the accessible information, that she can obtain about the message by measuring her share of the quantum system is essentially equal to zero for certain choices of codewords. In most of the known QDL protocols, including the protocol we discuss below, codewords are chosen from different bases, and the secret key identifies the basis to which the codewords belong.
However, only recently QDL has been considered in the presence of noise [3,6,13-15]. Following the idea of the "quantum enigma machine" [13] for applying QDL to cryptography, a formal definition of the locking capacity of a communication channel has been introduced in [6], as the maximum rate at which information can be reliably and securely transmitted through a (noisy) quantum channel $\mathcal{N}_{A\to B}$ from Alice to Bob, where the security is according to the accessible information criterion. Motivated by QDL protocols, we also allow the assistance of an initial secret key shared by Alice and Bob. In order for this key to be inexpensive in the asymptotic limit, we further require that the number of bits of secret key grows sublinearly with the number of channel uses.
Two notions of locking capacities were defined in [6]: the weak locking capacity and the strong locking capacity. The weak locking capacity is defined by requiring security against an eavesdropper who measures the output of the complementary channel (denoted as $\mathcal{N}_{A\to E} = \tilde{\mathcal{N}}_{A\to B}$) of the channel from Alice to Bob.
The strong locking capacity is instead defined by requiring that the eavesdropper is able to measure the very input of the channel. In general, the weak locking capacity is greater than or equal to the strong locking capacity, as any strong locking protocol also defines a weak locking one. It is natural to compare the weak locking capacity with the private capacity [2]. Since the private capacity is defined by a security criterion stronger than the accessible information, it follows that the weak locking capacity is always greater than or equal to the private capacity. Finally, both the weak and strong locking capacities cannot exceed the classical capacity, which is the maximum rate of reliable communication allowed by the channel (not requiring any secrecy) [16].
Our starting point is a QDL protocol for the $d$-dimensional noiseless channel. It applies to $n$ uses of the channel and locks classical information into codewords that are separable among different channel uses. The protocol allows QDL (in the strong sense) of the qudit noiseless channel at a rate of $\log d$ bits per channel use, equal to its classical capacity, and consumes secret key at an asymptotic rate of 1 bit per channel use.
The crucial property of this protocol is that it makes use of codewords that are separable among different channel uses. This property allows us to generalize the protocol to the case of a noisy memoryless channel.

II. A PROTOCOL FOR STRONG LOCKING OF A NOISELESS CHANNEL
In this section we define a protocol for the strong locking of the qudit noiseless channel. Later we will apply this protocol to the (weak and strong) locking of a noisy memoryless channel.
Let us consider a $d$-dimensional Hilbert space endowed with an orthonormal basis $\{|\omega\rangle\}_{\omega=0,\dots,d-1}$ and its Fourier-conjugate basis $\{|m\rangle\}_{m=0,\dots,d-1}$, To encode classical information in $n$ qudits, Alice uses a code According to this code, she prepares one of the $M$ $n$-qudit codewords Alice and Bob publicly agree on a set of $K$ $n$-qudit unitaries for $k = 1, 2, \dots, K$, where the single-qudit unitary acting on the $j$-th system is of the form According to the value of the secret key, Alice applies the unitary transformation $U_k$ on the $n$-qudit codeword, obtaining where $\omega = (\omega_1, \omega_2, \dots, \omega_n)$ and $|\omega\rangle = \otimes_{j=1}^{n} |\omega_j\rangle$. Since Bob knows the unitary $U_k$ chosen by Alice, he can simply apply the inverse transformation $U_k^{-1}$ and then perform an optimal measurement to discriminate between the codewords. We consider random codewords generated by choosing independently and identically each of the $m_c^j$ according to the uniform distribution over $\{0, 1, \dots, d-1\}$. It is well known that in such a setting Bob can decode reliably in the limit $n \to \infty$ if $M < \epsilon d^n$ and $\epsilon$ vanishes in the limit $n \to \infty$. For instance, one can take $\epsilon = 2^{-n^s}$ for $s < 1$ and obtain an asymptotic rate of communication of $\log d$ bits.
In the strong locking scenario, we assume that Eve intercepts the whole train of qudit systems and measures them. Since Eve does not have access to the secret key, we have to compute the accessible information of the ensemble of states , where $p_c$ is the probability of the codeword $|\psi_c\rangle$. For the sake of simplicity here we assume that all the messages have equal probability, that is, $p_c = 1/M$ (the case of non-uniform distribution has been considered in [11,12]). A straightforward calculation yields (see [14]) where , and the minimization is over all $n$-qudit unit vectors $|\phi\rangle$.
Below we show that for certain choices of the unitaries $\{U_k\}_{k=1,\dots,K}$, and with $\log K \simeq n$, Alice and Bob also have the guarantee that Eve's accessible information is exponentially small in $n$. To show that, we make use of a random coding argument based on random choices of both the codewords and the data locking unitaries. In particular, the set of unitaries $U_k^j$ is generated randomly by choosing each of the angular variables $\theta_k^j(\omega_j)$ independently and identically according to a distribution such that $E[e^{i\theta_k^j(\omega_j)}] = 0$. This is the only condition required; any distribution satisfying it will work. For instance, the angles $\theta_k^j(\omega)$ can be uniformly distributed in $[0, 2\pi)$, or assume the binary values $\{0, \pi\}$ with equal probabilities.
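The following numerical illustration is an added example, not code from the paper. It assumes the locking unitaries are diagonal in the $\{|\omega\rangle\}$ basis with independent phases in $\{0, \pi\}$ (one of the distributions allowed above), and uses small constructed values $d = 3$, $n = 2$; all function names are hypothetical. It shows Bob decoding with the key while, for one fixed test vector (the unlocked codeword), the key-averaged overlap drops from 1 to $1/d^n$; it checks a single vector, whereas the proof that follows covers all unit vectors.

```python
import cmath
import math
import random

def fourier_state(m, d):
    """Single-qudit Fourier vector |m> written in the |omega> basis."""
    return [cmath.exp(2j * math.pi * m * w / d) / math.sqrt(d) for w in range(d)]

def draw_key_phases(n, d, rng):
    """One key value k: phases e^{i theta} in {+1, -1}, i.e. theta in {0, pi}.
    Assumption of this example: the unitary is diagonal in the |omega> basis."""
    return [[rng.choice((1.0, -1.0)) for _ in range(d)] for _ in range(n)]

def lock(codeword, phases, d):
    """Apply the phase unitary to the product codeword, qudit by qudit."""
    return [[p * a for p, a in zip(ph, fourier_state(m, d))]
            for m, ph in zip(codeword, phases)]

def overlap_sq(a, b):
    """|<a|b>|^2 for two product states given as lists of single-qudit vectors."""
    amp = 1.0 + 0j
    for va, vb in zip(a, b):
        amp *= sum(x.conjugate() * y for x, y in zip(va, vb))
    return abs(amp) ** 2

def bob_decode(locked, phases, d):
    """Bob knows k: undo the phases, then take the most likely Fourier outcome."""
    decoded = []
    for state, ph in zip(locked, phases):
        unlocked = [a / p for a, p in zip(state, ph)]
        probs = [overlap_sq([fourier_state(m, d)], [unlocked]) for m in range(d)]
        decoded.append(max(range(d), key=probs.__getitem__))
    return decoded

def eve_mean_overlap(codeword, test_state, keys, d):
    """Average over key values of |<phi|U_k|psi_c>|^2 for one fixed vector phi."""
    total = sum(overlap_sq(test_state, lock(codeword, k, d)) for k in keys)
    return total / len(keys)

def run_demo(d=3, n=2, num_keys=20000, seed=7):
    rng = random.Random(seed)
    codeword = [rng.randrange(d) for _ in range(n)]   # constructed sample message
    keys = [draw_key_phases(n, d, rng) for _ in range(num_keys)]
    bob = bob_decode(lock(codeword, keys[0], d), keys[0], d)
    plain = [fourier_state(m, d) for m in codeword]   # phi = the unlocked codeword
    return {
        "codeword": codeword,
        "bob": bob,                                    # decoded with the key
        "eve_unlocked": overlap_sq(plain, plain),      # no locking applied
        "eve_locked": eve_mean_overlap(codeword, plain, keys, d),
        "uniform": d ** -n,                            # value for a maximally mixed state
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```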

A. Some preliminary results
To characterize our QDL protocol we will make use of two concentration inequalities. The first one is the tail bound [17]:
Theorem 1 Let $\{X_t\}_{t=1,\dots,T}$ be $T$ i.i.d. non-negative real-valued random variables, with $X_t \sim X$ and finite first and second moments, $E[X], E[X^2] < \infty$. Then, for any $\tau > 0$ we have that .
($\Pr\{x\}$ denotes the probability that the proposition $x$ is true.)
The second one is the operator Chernoff bound [18]:
Theorem 2 Let $\{X_t\}_{t=1,\dots,T}$ be $T$ i.i.d. random variables taking values in the algebra of hermitian operators in dimension $D$, with $0 \le X_t \le I$ and $E[X_t] = \mu I$ ($I$ is the identity operator). Then, for any $\tau > 0$ we have that
For any given $d^n$-dimensional unit vector $|\phi\rangle$ and codeword $|\psi_{ck}\rangle$, we define the quantity Clearly, the latter is a random variable if the unitary $U_k$ and/or the codeword $c$ are chosen randomly. Also, since $|\psi_{ck}\rangle$ and $|\psi_{ck'}\rangle$ are statistically independent, so are $q_{ck}(\phi)$ and $q_{ck'}(\phi)$. To apply Theorems 1 and 2, we compute the first and second moments of $q_{ck}(\phi)$, for given $|\phi\rangle$ and $c$, with respect to the i.i.d. random locking unitaries (the same results are obtained if also $c$ is chosen randomly). As shown in [3], we have and For any given $|\phi\rangle$ and $c$, we also consider the quantity We now derive several concentration inequalities by applying Theorems 1 and 2:
• Applying Maurer's tail bound (Theorem 1), we obtain that for any given $|\phi\rangle$ and $c$ We then use this inequality to bound the probability that there exist $\ell$ codewords such that Applying the union bound we obtain
• Let us consider the operators $|\psi_{ck}\rangle\langle\psi_{ck}|$ and apply the operator Chernoff bound (Theorem 2). Notice that Eq. (10) implies Putting $\mu = 1/d^n$ and $(1 + \tau)\mu = (1 - \delta)$, the operator Chernoff bound then yields that for any given This in turn implies that We bound the probability that there exists a codeword $c$ and a vector $|\phi\rangle$ such that Applying the union bound we obtain
• Finally, we consider random choices of the codewords $c$ and apply the Chernoff bound with $\tau = \epsilon$.
We then obtain

B. Eve's accessible information
Let Eve intercept and measure the train of $n$ qudits sent by Alice. To evaluate the security of the QDL protocol according to the accessible information criterion, we show that there exist choices of the scrambling unitaries $U_k^j$ that guarantee Eve's accessible information to be negligibly small. To prove that, we show that this property is true with an arbitrarily high probability for a random choice of the unitaries $U_k^j$ if $n$ is large enough.
We consider a random choice of the code $C$. From Eq. (26), we have that for all $|\phi\rangle$, $\sum_{c=1}^{M} Q_c(\phi)$ is smaller than $(1 + \epsilon)\frac{M}{d^n}$ up to a probability which is bounded away from one provided Assuming This in turn implies that, for $K$ large enough, Eq. (7) is equivalent, up to a negligibly small probability, to According to the latter expression, an upper bound on the accessible information follows from a lower bound on the minimum Shannon entropy, To do that, for any $\epsilon > 0$ and $d^n$ and $K$ large enough we bound the probability that This corresponds to bounding the probability that either Notice that for $d^n$ sufficiently large and/or $\epsilon$ sufficiently small we have First, we bound the probability that there exists a codeword $c$ and a vector $|\phi\rangle$ such that $Q_c(\phi) > \lambda_+$.
We apply Eq. (24) with δ = 2η 1−ε d n to obtain where we have also used the fact that 1 d n < η 1−ε d n for $n$ large enough. This probability vanishes exponentially with $d^n$ provided $K$ is not too small, that is, Second, we bound the probability that there exist $\ell \ll M$ codewords such that $Q_c(\phi) < \lambda_-$. We apply Eq. (17) and obtain Putting $\ell = \epsilon M$ we have Notice that this probability is also exponentially small in $M$, provided that $K > 2^{n+1} \epsilon^{-2} \ln M$.
Inequality (24) implies that, with probability at least equal to $1 - p_+$, all the $Q_c(\phi)$'s are larger than $\lambda_+$. Also, according to Eq. (39), for a given $|\phi\rangle$ there exist, with probability greater than $1 - p_-$ at least Putting these results together we have that for any given $|\phi\rangle$ that is, with a probability at least equal to $1 - p_- - p_+$, which is in turn larger than $1 - 2p_-$ for $M$ large enough.
To bound the right hand side of Eq. (31) we have to show that a relation similar to (44) holds for all vectors $|\phi\rangle$. To do that we introduce an $\epsilon$-net. Let us recall that an $\epsilon$-net is a finite set of unit vectors Hilbert space such that for any unit vector $|\phi\rangle$ there exists As discussed in [7] there exists an $\epsilon$-net such that $|N_\epsilon| \le (5/\epsilon)^{2D}$. Below, we first extend the bound (44) to the whole $\epsilon$-net, and then, for $\epsilon$ sufficiently small, to the whole manifold of unit vectors.
By applying the union bound we obtain: Finally, we have to replace the minimum over vectors in the $\epsilon$-net with a minimum over all unit vectors.
An application of the Fannes inequality [19] yields (see also [7]) which implies that is, Such a probability is bounded away from one (and goes to zero exponentially in $M$) provided If we put $\epsilon = 2^{-n^s}$, with $s \in (0, 1)$, Eve's accessible information will be exponentially small in $n$, with an asymptotic secret key consumption rate equal to By increasing $n$ we want Bob to be able to decode reliably. As noted above, for the case of a noiseless channel we can choose $M = \epsilon d^n$, which finally yields a secret key consumption rate of 1 bit per channel use.
In conclusion, we have proven that there exist QDL codes allowing Alice and Bob to data lock classical information through $n$ uses of a noiseless memoryless qudit channel in such a way that Eve's accessible , where $\epsilon$ can be taken to approach zero exponentially in $n$. The strong locking rate equals $\log d$ bits per channel use and requires the pre-shared secret key to be consumed at an asymptotic rate of 1 bit per channel use (independently of $d$).

III. STRONG LOCKING A QUDIT MEMORYLESS CHANNEL
The noiseless protocol can be applied for the strong locking of a noisy qudit channel $\mathcal{N}_{A\to B}$ connecting Alice to Bob. The point is that in a strong locking setting we require that the communication is secure against an eavesdropper having access to the very input of the channel. In other words, the security of the protocol is independent of how the channel acts on the input, and hence it applies to both the noiseless and noisy settings. That is, the bound on the accessible information in Eq. (51) and the condition on the number of key values in Eq. (52) apply for a generic qudit channel.
The crucial difference, however, is that the presence of noise reduces the rate at which Alice and Bob can communicate reliably. Let us suppose that, using the codewords described above, Alice and Bob can achieve a reliable communication rate of $R$ bits per channel use [20]. Then we can put, for $n$ large enough, $M = \epsilon 2^{nR}$, which yields the following condition on the key (from Eq. (52)): This condition implies an asymptotic key consumption rate of Since $R$ cannot exceed $\log d$, this implies an increase in the secret key consumption rate of $\log d - R$ bits with respect to the noiseless setting. We can say that the latter equation represents a trade-off between communication rate and secret key consumption. In order to achieve strong locking, the secret key consumption rate should increase to compensate for the reduced communication rate.

IV. WEAK LOCKING A QUDIT MEMORYLESS CHANNEL
Our analysis of the strong locking of a noisy channel showed that a longer secret key, which means more randomness, has to be employed to compensate for the reduction in the communication rate. On the other hand, in the weak locking scenario the eavesdropper has access to the output of the complementary channel, that is, the eavesdropper's signal is also distorted by noise. One can hence expect that the randomness introduced by the noise can produce a QDL effect. If this is true, then one can exploit the randomness due to the noise to reduce the length of the required secret key. Below we show that this intuition is true by examining a family of channels of a specific form. We define these channels through their conjugates, which are of the form where $p \in [0, 1]$ and $\sigma$ is a given density matrix (notable examples of channels belonging to this family are the erasure channel and the conjugate of the depolarizing channel).
The results on the noiseless case can be easily applied to these channels. To do that, it is sufficient to notice that, with probability $p$, the channel $\mathcal{N}_{A\to E}$ is noiseless. In other words, for $n$ uses of the channel, one expects that the channel $\mathcal{N}_{A\to E}$ will act as an effective noiseless channel over a fraction of about $pn$ qudits. It is sufficient to require that the protocol data locks the information contained in these qudits, since the remaining $(1 - p)n$ qudits do not convey any information at all about the message as the output is independent of the input.
More formally, upon $n$ uses of the channel Eve receives (with probability arbitrarily close to 1 for $n$ large enough) no more than $n(p + \delta)$ qudits without any distortion. Let us hence fix a subset of $n(p + \delta)$ qudits and apply the same reasoning as for the noiseless channel given above, with $d^n$ replaced by $d^{n(p+\delta)}$. This yields a bound on Eve's accessible information conditioned on the choice of the subset: Finally, we apply the union bound to account for all possible $\binom{n}{n(p+\delta)}$ choices of the subset of $n(p + \delta)$ qudits: This probability goes to zero exponentially in $M$ (we can always assume that $M = \epsilon 2^{nR}$, where $R$ is the communication rate) under the following condition on the secret key: which requires an asymptotic secret key consumption of (we can assume $\lim_{n\to\infty} \delta = 0$) This example shows that the presence of noise in the channel to Eve allows Alice and Bob to consume secret key at a reduced rate. We now compute a lower bound on the maximum achievable communication rate for the class of channels considered here. To compute $R$, we first write an isometric extension of the channel. We introduce four quantum systems: systems 1, 2 and 3 are qudits and system 4 is a qubit. In input, system 1 is assigned to Alice and systems 2, 3 and 4 to Eve. In output, system 1 is assigned to Eve and the others to Bob. We put where $S_{12}$ is the swap operation between qudits 1 and 2. As initial state of the environment we put where $\mathrm{Tr}_3(|\phi\rangle_{23}\langle\phi|) = \sigma_2$ (without loss of generality we can also assume $\mathrm{Tr}_3(|\phi\rangle_{23}\langle\phi|) = \sigma_3$).
One can easily check that Taking the trace over the output system 1 we obtain the output of the channel to Bob:

B. Conjugate of the depolarizing channel
If $\sigma = I/d$, the channel in Eq. (56) is a qudit depolarizing channel with depolarizing probability $1 - p$.
We can rewrite the action of the depolarizing channel as where $X = \sum_{j=0}^{d-1} |j \oplus 1\rangle\langle j|$ ($\oplus$ denotes summation modulo $d$) and $Z = \sum_{j=0}^{d-1} e^{ij2\pi/d} |j\rangle\langle j|$ are the $d$-dimensional generalizations of the Pauli matrices, and $\{|j\rangle\}_{j=0,\dots,d-1}$ is a qudit basis. This representation of the channel to Eve induces a representation for the isometric extension, which is given by the bipartite conditional unitary: where the first system, assigned to Eve's input, is represented by a $d^2$-dimensional Hilbert space (spanned by the basis vectors $\{|ab\rangle\}$), and the second is the input qudit system. As initial state of Eve's system we take where $q_{00} = p + (1 - p)/d^2$ and $q_{ab} = (1 - p)/d^2$ for $ab \neq 00$. Taking the partial trace over Eve's output system, we finally obtain the following expression for the channel to Bob: A straightforward calculation yields that the maximum achievable rate using our ensemble of input states is where As in the case of the erasure channel, this rate is independent of the choice of encoding basis.
In conclusion, Eq. (71 Figure 1 shows the weak locking rate compared with the classical capacity [16] and the private capacity [2] of the erasure channel. Figure 2 shows the weak locking rate for the conjugate of the depolarizing channel, compared with its classical capacity and the Hashing bound for private communication.
In conclusion, we have presented protocols that achieve a weak locking rate as high as less than one bit below the classical capacity. These results, together with [3,15], further deepen our understanding of the QDL effect as well as of the notion of locking capacities recently introduced in [6]. A few natural questions remain open. It is not clear whether our strong locking protocol for the noiseless channel is optimal in terms of secret key consumption. The secret key consumption rate of 1 bit per channel use could very well not be a fundamental limit, but just an artifact of our proof technique. Also, one would like to find good locking protocols for general channels beyond the restricted class considered here. Finally, since the most important realizations of quantum communication channels are infinite dimensional, it is urgent to discover QDL protocols that are not restricted to the finite dimensional setting.
− p) [Tr 1 (S 12 ρ 1 ⊗ |φ 23 φ|) ⊗ |1 4 0| + h.c.] . (66) We notice that the action of the channel from Alice to Bob depends on $\sigma$ through the last two terms proportional to $|0\rangle_4\langle 1|$ and $|1\rangle_4\langle 0|$. If we apply a completely dephasing channel on qubit 4 the channel to Bob becomes an erasure channel with erasure probability $p$ independently of $\sigma$. This implies that the classical capacity of the erasure channel is an achievable rate for classical communication, hence we can put $R = (1 - p) \log d$. Moreover, this bound holds for any choice of the locking unitary, since the erasure channel is covariant under unitary transformations.
probability $1 - p$, whose complement is an erasure channel with erasure probability $p$. In this case, the maximum communication rate equals the classical capacity of the erasure channel, $R = (1 - p) \log d$, and the secret key consumption rate is of $p - (1 - 2p) \log d$ bits if $p \ge 1/2$ and of $p$ bits if $p \le 1/2$.