Quantum security and theory of decoherence

Quantum cryptography [1, 2] is one of the most spectacular successes of quantum information theory. It provides new means of detection of eavesdropping by observing a disturbance of intercepted quantum states [3] not possible in classical cryptography, and even allows to certify security when using cryptographical systems from untrusted vendors [4]. Quantum devices can be used for such applications as secure key distribution [5] or generation of private random number [6] based on elementary physical phenomena.

Still, humans can deal only with classical data, and thus at some stage, any quantum cryptographic device has to generate classical output data. This process is known as quantum measurement [7]. Even though the measurement is one of the most basic processes in quantum mechanics, it remains to be one of the most mysterious phenomena since the very beginning of the theory [8–10]. This so-called measurement problem still lacks a definitive solution, with the decoherence theory being one of the most popular approaches [11].

The trailblazing works of Żurek [12, 13] elucidated the problem in which basis the quantum measurement is actually being performed, by the introduction of the concept of the pointer basis, i.e. the eigenbasis of observables commuting with the Hamiltonian determining the interaction of the measuring apparatus with the environment; the fact that the interaction with the environment is the factor that determines the measurement basis is called environment-induced superselection, or einselection [13, 14]. This result accentuated the role of the external world in the process of measurement and revealed that without this interaction, only the premeasurement, i.e. the correlation of the apparatus with the observed system, can occur.

The idea developed into the quantum Darwinism theory [15] explaining that information that is being successfully proliferated and distributed in many copies in multiple parts of the environment becomes classical. Such a framework directly relates classical outcomes of quantum devices with information leakage beyond the scope of the control. The process of information propagation can be viewed as eavesdropping of the information about the system being measured by the environment [16].

The role of the exterior world in the working of quantum devices seemingly contradicts the natural and necessary assumption, that the cryptographic devices are located inside a shielded laboratory protecting against the outflowing of the private data. Indeed, a crucial condition for the privacy of numbers, constituting e.g. a secure key, is that they remain secret unless intentionally revealed. This is particularly important for providing the information-theoretic level of security [17, 18].

On the other hand, quantum Darwinism [15] suggests that without this information propagation or leakage, the decoherence will not occur, leading, in principle to Wigner's friend paradox [19, 20]. To our knowledge, the problem of this prominent role of the environment has not been investigated in the context of cryptographical applications. The most related considerations concerned only the role of noise in cryptography [21, 22]. This paper aims to provide an example, of how the direct connection between the low-level description of the measurement process, and the high-level specification of application protocols can be done.

We emphasize the role of quantum Darwinism theory in the proposed cryptographical examination. This goes beyond the classical analysis of quantum cryptographical devices that would take into account only the bounds of the correlations between the eavesdropper and the device. The undertaken survey scrutinizes the information transfer not directly to the eavesdropper, but a more subtle and general scenario of leakage outside the safe room, and the imminence that this can be further exploited by the eavesdropper.

The information broadcast elucidated by quantum Darwinism, up to our knowledge, has not been investigated in the cryptographical context before this work. The community working on the decoherence theory, in particular with quantum Darwinism, has been widely investigating the fact that the information widespread is present and necessary for the quantum-to-classical transition, but it has never been examined whether this widespread has any relevance to cryptography. The leakage is inevitable and beyond any control by the very fact that a quantum-to-classical transition has taken place.

Since the topic of this paper is highly interdisciplinary, integrating results of decoherence theory and quantum Darwinism, with attacks characteristic to classical devices in the framework of quantum communication protocols with an application for secure randomness generation, we decided to provide a relatively expanded introduction with an overview of basic concepts of each of these fields. In particular, we propose a quantity investigated in cryptography, viz. the guessing probability, and the closely related min-entropy, as a new figure of merit of investigation of the quantum Darwinism theory, that was till now concerned mainly with the mutual information.

In section 1 we overview the decoherence theory, with particular attention to information imprinting in the environment as analyzed by quantum Darwinism. Then, in section 2.1 we describe a particular form of attacks on classical devices called Van Eck phreaking and efforts to protect against it called emission security. Next, in section 2.2 we overview a particularly relevant type of attack on quantum protocols called intercept-and-resend attacks. In section 2.3 we argue that the topic of providing privacy for random numbers has many important applications and point out that the aspect of their security analyzed in this work has till now been neglected. We describe the formalism and methodology used in our security analysis of randomness generation using quantum measurements in shielded laboratories in section 3, and in section 4 apply these methods to cases of incoherent attacks in section 4.1 and coherent attacks in section 4.2. We conclude and pose some new open problems in section 5.

Decoherence is the process of losing the coherence between subsystems, where the coherence is a uniquely quantum type of correlation between separated objects, represented by off-diagonal terms of the density matrix. A perfectly isolated system remains coherent, whereas in open systems coherence is being gradually shared with the environment, ultimately leading to its decay. The notion of decoherence has first been used by Zeh in 1970 [23]. The review of the theory describing the decoherence process is given in [11, 24].

Suppose a quantum state is represented by a normalized positive semi-definite matrix $[\sigma_{i,j}]_{i,j}$. One often measures decoherence using the collective decoherence factor [25]:

$$\begin{align} \Gamma \equiv \sum_{i \neq j} \left| \sigma_{i,j} \, \right|. \end{align} \tag{ 1 }$$

Obviously, this quantity depends on the choice of the basis in which the quantum state representation is given, but for any practical application one considers the unique (up to permutations) classically meaningful basis of macroscopically observed quantities, viz. the pointer basis. For a decohered quantum state, we have $\Gamma \approx 0$.

The key element of decoherence is the following fact. Even though the evolution of every quantum system is given by unitary operators, and thus is reversible, when only one subsystem is considered and the rest is being ignored, or traced out, its evolution may not be unitary [26–28]. This allows for relieving the tension between the unitary character of quantum evolution and the irreversibility of quantum measurement. In particular, it can be shown that quantum randomness is a result of losing the coherence [29, 30]. The decoherence theory is used to model the collapse of the wave function, and transition to a mixed state in the eigenbasis of some local observable, while the quantum superposition of the state of the global wave function of the Universe undergoes the unitary evolution.

Important progress in the theory of decoherence was a series of works by Żurek in 1980s [12, 13] explaining that the basis in which the wave function collapse occurs, viz. the mentioned above pointer basis, is determined by the interaction with the exterior of the measured system and the measuring apparatus, i.e. with the environment, in the process called einselection. We elaborate on this idea more in section 3, when we adopt the formalism of these works. This approach allowed Żurek to compute the rate at which a pure state evolves into a mixed state via an interaction with the environment in a thermal equilibrium [31].

Another crucial progress made by Żurek was giving an even more important role in the quantum measurements to the environment. In [32] it was shown that the environment not only plays the passive role of a reservoir selectively destroying the coherence but also the environment selectively proliferates some part of the information about the system in multiple copies. It revealed that the pointer states are the ones that are able to leave a redundant and thus detectable imprint on the environment. In consequence, many observers by probing different parts of the environment can gain consistent information about the pointer basis, and this consent is the distinctive property of classical information that, in opposition to the quantum information [33], can be cloned [34].

The work [34] elucidated the nature of the existence of multiple copies of classical information by the introduction of the notion of the information plateau, as defined below. The whole considered Universe in this framework of quantum Darwinism consists of the system S and the environment E. The environment E is divided in arbitrary way into multiple subenvironments $\{E_i\}_{i = 1}^N$, in a sense $E = E_1~\otimes E_2~\otimes \cdots \otimes E_N$. A fragment, or macrofraction [25], is a grouping of several subenvironments, with notation $E_M = \bigotimes_{i \in M} E_i$ for $M \subseteq \{1, \cdots, N\}$. Each observer is assumed to capture a random fragment of the environment.

The maximum information that potentially can be accessed about the system S is its von Neumann entropy $H(S) = -\mathrm{Tr} \left[ S \log (S) \right]$. Quantum Darwinism consider the information about S contained in a fragment E_M , i.e. the mutual information $\mathcal{I}_{S:E_M} = H(S) + H(E_M) - H(S, E_M)$. If this information satisfies $(1 - \delta) H(S) = \mathcal{I}_{S:E_M}$ we say that δ is the information deficit of E_M . Define N_δ as the number of disjoint fragments E_M satisfying $\mathcal{I}_{S:E_M} \geqslant (1 - \delta) H(S)$, and for $\delta \ll 1$ this number is closely related the so-called redundancy of the information, with large N_δ being an indicator that indeed the information, called classical information, is present in multiple copies in different fragments of the environment; see section 2 of [34] for a detailed discussion.

Note that the maximal value of $\mathcal{I}_{S:E_M}$ is $2 H(S)$, not H(S), as it stems from a well-known fact that for pure ρ_SE it holds that $H(\rho_{SE}) = 0$ and $H(\rho_S) = H(\rho_E)$.

The average mutual information $\bar{\mathcal{I}}_m$ is the result of averaging over all fragments of size m. It was observed [34] that for relatively small values of m it holds

$$\begin{align} \bar{\mathcal{I}}_m \approx H(S), \end{align} \tag{ 2 }$$

and that only for m close to N it holds that $\bar{\mathcal{I}}_m \approx 2 H(S)$. The large region of values of m satisfying (2), that excludes only very small and very large m, is the information plateau; see [15] for a concise overview of the main properties of quantum Darwinism.

In this section, we provide a brief overview of selected topics and tasks from classical and quantum cryptography that are relevant to this work. In section 2.1 we describe a particular type of attack on classical devices with support of antennas, then in section 2.2 we discuss the intercept-and-resent type of attacks on quantum cryptography, being a quantum version of the classical man-in-the-middle attacks [35], and in section 2.3 we overview the problems of random number generation, classical and quantum, and its vital role for security.

2.1. Van Eck eavesdropping

2.2. Intercept and resend attacks in quantum cryptography

The first cryptographical protocol with security arising from the use of quantum resources is the well-known BB84 protocol [3] for quantum key distribution (QKD), where one of the communicating parties, Alice, transmits to the other party, Bob, a qubit either in the computational basis $\mathcal{B}_0~\equiv \{| \, 0~\rangle, | \, 1~\rangle\}$, or in the Hadamard (conjugate) basis $\mathcal{B}_1~\equiv \{| \, + \rangle, | \, - \rangle\}$ with $| \, + \rangle \equiv (1/\sqrt{2}) [| \, 0~\rangle + | \, 1~\rangle]$ and $| \, - \rangle \equiv (1/\sqrt{2}) [| \, 0~\rangle - | \, 1~\rangle]$, and afterward Bob performs his measurement also in one of these bases. The procedure is repeated multiple times for subsequent quantum systems. Finally, both parties reveal part of their results, use them to evaluate the reliability of their communication, which covers potential eavesdropping, and eventually perform some post-processing for error correction and privacy amplification [58]. This is paradigmatic for further developed protocols, see [1] for an overview.

A possible attack on a wide class of protocols is for the eavesdropper, Eve, to intercept some of the transmitted states, perform some action on them, and in place pass (resend) some quantum states to Bob. The passed state can either be transformed [59, 60], or Eve can measure the intercepted state and prepare a new one [61], or use some implementation-dependent attacks [62–66].

The former approach uses the concept of nondemolition measurement [67]. The idea is the following [59]. We assume that Eve knows that the intercepted state will be one of the non-orthogonal states $\{| \, \psi_i \rangle\}_i$, each occurring with probability p_i . This assumption is justified by the construction of the cryptographic scheme. Without measurement Eve's uncertainty regarding the transmitted subsystem is the ordinary Shannon entropy $-\sum_i p_i \log{p_i}$. The most general unitary transformation U possible to be performed by Eve on an intercepted qubit is [60]

$$\begin{align} U | \, 0~\rangle| \, 0~\rangle = \sqrt{F} | \, 0~\rangle| \, a \rangle + \sqrt{1 - F} | \, 1~\rangle| \, b \rangle, \end{align} \tag{ 3a }$$

$$\begin{align} U | \, 1~\rangle| \, 0~\rangle = \sqrt{1 - F} | \, 0~\rangle| \, c \rangle + \sqrt{F} | \, 1~\rangle| \, d \rangle, \end{align} \tag{ 3b }$$

where $| \, a \rangle$, $| \, b \rangle$, $| \, c \rangle$, and $| \, d \rangle$ are states of Eve's subsystem after the interaction, and F is the fidelity of Bob's subsystem. In [59, 60] a trade-off between the gain of information by Eve, and the disturbance caused to Bob, was investigated.

2.3. Private randomness generation

We concentrate on an elementary operation of a qubit measurement, as a basic operation for the majority of quantum devices. We follow [12] and call the observed qubit a system (S), the measuring device an apparatus (A); the third subsystem an environment (E).

We model the premeasurement upon rank-1 projectors $\{P_0^{(S)}, P_1^{(S)}\}$, with $P_0^{(S)}+P_1^{(S)} = {\unicode{x1D7D9}}^{(S)}$ by a $\mathrm{CNOT}$ operation conditioned on them, i.e. $U^{(SA)} = P_0^{(S)} \otimes {\unicode{x1D7D9}}^{(A)} + P_1^{(S)} \otimes \sigma_x^{(A)}$, where superscripts in parenthesis denote the subsystem. The interaction of the apparatus with the environment is given by the unitary transformation:

$$\begin{align} U^{(AE)} = | \, 0~\rangle \langle 0 \, |^{(A)} \otimes U_0^{(E)} + | \, 1~\rangle \langle 1 \, |^{(A)} \otimes U_1^{(E)}, \end{align} \tag{ 4 }$$

leading to the decoherence in the computational basis $\mathcal{B}_0$ of (A).

To illustrate a simple scenario of quantum randomness generation we consider the measurement of the state $| \, + \rangle^{(S)} = 1/\sqrt{2} (| \, 0~\rangle^{(S)}+| \, 1~\rangle^{(S)})$ in the computational basis, with projectors $P_i^{(S)} = | \, i \rangle \langle i \, |^{(S)}$, $i = 0,1$, and with subsystems (A) and (E) initially in 0th state leading to $\rho^{(SA)}(T) \equiv \mathrm{Tr}_{E} \left[ | \, \phi \rangle \langle \phi \, |^{(SAE)} \right]$, where

$$\begin{align} | \, \phi \rangle^{(SAE)} \equiv U^{(AE)} U^{(SA)} | \, + \rangle^{(S)} \otimes | \, 0~\rangle^{(A)} \otimes | \, 0~\rangle^{(E)}, \end{align} \tag{ 5 }$$

and where T is the time after which all the interactions occur. We get that $\Gamma = \left| \langle 0 \, |^{(E)} U_1^{(E) \dagger} U_0^{(E)} | \, 0~\rangle^{(E)} \, \right|$ is the collective decoherence factor, see (1), of the joint state $\rho^{(SA)}(T)$ equal to

$$\begin{align} \frac{1}{2} \begin{bmatrix} 1 & 0 & 0 & \langle 0 \, |^{(E)} U_1^{(E) \dagger} U_0^{(E)} | \, 0~\rangle^{(E)} \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ \langle 0 \, |^{(E)} U_0^{(E) \dagger} U_1^{(E)} | \, 0~\rangle^{(E)} & 0 & 0 & 1 \end{bmatrix}, \end{align} \tag{ 6 }$$

and the full orthogonalization of measurement results occur [25]. For the measurement to betide we need also the full decoherence, i.e. $\Gamma \ll 1$.

The above model refers to the simplest quantum randomness generation, where the measured state $| \, + \rangle^{(S)}$ is prepared in a basis that is unbiased [84] to the basis $\{P_i^{(S)} \}$ in which the premeasurement is performed, and the results are stored in the computational basis of the subsystem (A) that is initially preset to $| \, 0~\rangle^{(A)}$ to maximize its information capacity [85]. The interaction part $U^{(SA)}$ is designed by the user of the quantum device that calibrates the measuring device to measure in the selected basis, possibly taking into account the characteristics of his source of states; this part is also responsible for apparatus state orthogonalization.

The actual measurement is finalized by the interaction $U^{(AE)}$. $U^{(AE)}$ is partially engineered by the vendor of the measuring apparatus; the computational basis of (A) is actually the one that is being displayed to the user and the shape of $U^{(AE)}$ is determined by the device's case, like e.g. plastic housing of a USB stick, or metal frame of a rack-mounted multimeter together with the shielding of the laboratory, thus it also depends on the owner of the laboratory and should be considered as a part of the quantum device.

We consider a 4th subsystem, denoted (V) for Van Eck-type eavesdropper since our approach is a quantum analog of the Van Eck attack in classical cryptography, see section 2.1, where the electromagnetic radiation of classical devices is captured by antennas and used to intercept the private content.

In the attack, the eavesdropper intends to capture information regarding the measurement result stored in the apparatus. Since both the former and latter are classical data, we assume the result of wiretapping is stored in the computational basis. We consider a passive reception of the content of the environment, i.e. eavesdropper does not change it. This restricts his action to unitary operations conditioned on some projectors. Further in this text, we consider the particular case of the $\mathrm{CNOT}$ operation conditioned on a pair of orthogonal projectors $\{P_0^{(E)}, P_1^{(E)}\}$, with $P_0^{(E)}+P_1^{(E)} = {\unicode{x1D7D9}}^{(E)}$, i.e.

$$\begin{align} U^{(EV)} = P_0^{(E)} \otimes {\unicode{x1D7D9}}^{(V)} + P_1^{(E)} \otimes \sigma_x^{(V)}. \end{align} \tag{ 7 }$$

The eavesdropper's initial state is $| \, 0~\rangle^{(V)}$.

Direct calculations show the final state $| \, \psi \rangle^{(SAEV)}$ is

$$\begin{align} \begin{aligned} &(P_0^{(E)} U_0^{(E)} | \, 0000~\rangle^{(SAEV)} + P_1^{(E)} U_0^{(E)} | \, 0001~\rangle^{(SAEV)} \\ &\quad + P_0^{(E)} U_1^{(E)} | \, 1100~\rangle^{(SAEV)} + P_1^{(E)} U_1^{(E)} | \, 1101~\rangle^{(SAEV)})/\sqrt{2}, \end{aligned} \end{align} \tag{ 8 }$$

and thus the joint state of the user apparatus and the eavesdropper $\rho^{(AV)}(T) = \mathrm{Tr}_{SE} \left[ | \, \psi \rangle \langle \psi \, |^{(SAEV)} \right]$ is a state diagonal in the computational basis with coefficients: $\langle 0 \, | U_0^{\dagger} P_1~U_0 | \, 0~\rangle/2$, $\langle 0 \, | U_0^{\dagger} P_0~U_0 | \, 0~\rangle/2$, $\langle 0 \, | U_1^{\dagger} P_1~U_1 | \, 0~\rangle/2$, and $\langle 0 \, | U_1^{\dagger} P_0~U_1 | \, 0~\rangle/2$, where we omitted the superscript (E).

The figure of cryptographical merit we consider here is the probability that the eavesdropper correctly guesses the measurement result of the apparatus [86–89], denoted $\mathrm{P}_{\mathrm{guess}}$. This happens when both two-dimensional subsystems (A) and (V) indicate the same binary value, thus it is given by:

$$\begin{align} \begin{aligned} & \langle 00 \, |^{(AV)} \rho^{(AV)}(T) | \, 00~\rangle^{(AV)} + \langle 11 \, |^{(AV)} \rho^{(AV)}(T) | \, 11~\rangle^{(AV)} \\ &\quad \ = \frac{1}{2} \langle 0 \, |^{(E)} (U_0^{(E) \dagger} P_0^{(E)} U_0^{(E)} + U_1^{(E) \dagger} P_1^{(E)} U_1^{(E)}) | \, 0~\rangle^{(E)}. \end{aligned} \end{align} \tag{ 9 }$$

The environment (E) mediates between subsystems (A) and (V) and can be of a much larger dimension.

From (9) we see, that the guessing probability depends both on the ability of the environment to gather information regarding the apparatus, modeled by $\{U_0^{(E)}, U_1^{(E)}\}$, and on the possibility of collecting the signal from the environment through the Van Eck-type antenna, modeled by $\{P_0^{(E)}, P_1^{(E)}\}$. The shielded laboratory assumption refers to the case with $U_0^{(E)} = U_1^{(E)} = {\unicode{x1D7D9}}^{(E)}$; then the value of (9) is 0.5, so no information leaks outside the laboratory, and simultaneously $\Gamma = 1$, thus the measurement does not occur. Note that the guessing probability in (14) is the probability that the eavesdropper's subsystem (V) indicates the same state as the apparatus (A), and since we consider binary measurement, both subsystems are two-dimensional.

The antenna determines the evolution $U^{(EV)}$ and is possessed by the wiretapper, and its capabilities are limited by his resources, reflecting his control over the information scattering. The rest of this paper aims to model the dependence of the guessing probability (9) on the power of the eavesdropper.

The scheme for information retrieval by an eavesdropper we propose here can be compared to the intercept-and-resend attack on QKD protocols discussed in section 2.2. Even though we deal with a single honest party, Alice, and there is no intentionally communicated second party, Bob, we still can view the protocol of a measurement process as a state preparation of the environment, that is formally close to the state submission to another party. From this point of view, the subsystem of the environment (E) plays a partially analogous role to the prepared and transmitted state; thus the first subsystem in (3) refers to (E) and the second subsystem to (V) using the notation of this section. Nonetheless, the differences between both schemes are fundamental, and should not be neglected. We summarize them as follows:

• (a)  
  The essence of the security assured in QKD protocols against intercept-and-resend attack stem from the fact that the eavesdropper does not know the correct measurement basis. Thus, in the average case, the eavesdropper necessarily introduces some disturbance to the transferred quantum systems. Security is achieved as this disturbance can be further utilized by the users of the quantum protocol to detect the fact of wiretapping. In the attack proposed in this paper, any disturbance pertains to the environment external to the cryptographic system and has not been investigated as a potential diagnostic of aggression.
• (b)  
  In QKD protocols, the prepared and transmitted quantum state is intended to be further measured after being received. After the measurement, the information can be copied perfectly and under control without any disturbance. In the introduced attack, the preparation of the state of the environment is unintentional, and the environment is beyond the control of the users of the QKD protocol. Nonetheless, the eavesdropper can perform a measurement on part of the environment, that, as shown in this work, can influence security.
• (c)  
  In the proposed scheme the preparation of the state accessible to the eavesdropper is not intended to transmit information to other parts of the world; what is more, any information transfer is a kind of necessary evil needed for the local process of the measurement to betide, and the violated shielded laboratory assumption would demand this information be nullified if it were possible. On contrary, in ordinary quantum cryptographic protocols, the transmitted subsystem intentionally contains information, in fact as much information as it could accommodate.
• (d)  
  In the proposed scheme the eavesdropper has much more control over the 'transferred' subsystem, viz. the environment after the measurement process containing information on the measurement result, that is intended to be kept secret. In QKD protocols the integrity of the transmitted states is checked at the stage when parties publish parts of their data and use it to evaluate some certificate of their security. This aspect has not been to date considered from the point of view of necessary information wide spreading during the measurement process, and thus in all currently existing protocols, Alice overlooked an eavesdropping antenna potentially standing very next to her laboratory.

In other words, there is no other way to use any quantum device and perform a quantum measurement than to make the measurement result publicly accessible to the environment outside the shielding. This is an intrinsic property of any possible quantum protocol, not only the simplified randomness generation in the considered example. If one uses a perfectly shielded laboratory, then she or he cannot perform a quantum measurement; if one performs a quantum measurement, then her or his laboratory cannot be perfectly shielded—if it can be shielded at all.

In this section, we provide the results of applying the techniques of section 3 to two particular examples of the interaction of the measuring apparatus with the environment with the eavesdropper monitoring it with an antenna. In section 4.1 we provide an analytical study of a case with an environment consisting of multi two-level quantum system, and an eavesdropper accessing part of them in an incoherent way. In section 4.2 we present numerical results regarding a coherent attack on a part of a multi-level coherent environment.

4.1. Multi-qubit environment with incoherent eavesdropper

Now, let us use the above results to analyze a case of the environment consisting of N qubits. We follow the standard approach [16, 90] and model the $U^{(AE)}$ interaction as N independent imperfect $\mathrm{CNOT}$ defined as

$$\begin{align} U_{\oslash}(\theta) \equiv | \, 0~\rangle \langle 0 \, |^{(A)} \otimes {\unicode{x1D7D9}}_2^{(\cdot)} + | \, 1~\rangle \langle 1 \, |^{(A)} \otimes P_{\oslash}^{(\cdot)}, \end{align} \tag{ 10 }$$

with $P_{\oslash} \equiv \begin{pmatrix} \sin \theta & \cos \theta \\ \cos \theta & -\sin \theta \end{pmatrix}$, and θ fixed for the setup, i.e.

$$\begin{align} U_{\oslash}(\theta) = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & \sin \theta & \cos \theta \\ 0 & 0 & \cos \theta & -\sin \theta \end{bmatrix}. \end{align} \tag{ 11 }$$

Thus, we have $U_0^{(E)} = {\unicode{x1D7D9}}_{2^N}$ and $U_1^{(E)} = \bigotimes_{s = 1}^N P_{\oslash}^{(s)}$, where (s) denotes sth environmental qubit.

From this, it follows that the collective decoherence factor $\Gamma = \left| \sin \theta \, \right|^N$, or, that for a specific value of Γ an interaction with at least $N \geqslant \frac{-\ln \Gamma}{-\ln \left| \sin \theta \, \right|}$ environmental qubits is required. The factor dependent on θ is an engineering parameter, and Γ is a quantumness parameter, thus we may assume that the number $n \leqslant N$ of qubits accessible to the eavesdropper is $\frac{\mu(-\ln \Gamma)}{-\ln \left| \sin \theta \, \right|}$, for some function µ.

Let us consider the case when the eavesdropper is not able to perform a coherent measurement on multiple qubits and needs to perform the guess based on many separate single-qubit measurements. If he performs the Helstrom measurement [91], with one of the projectors given by $\begin{pmatrix} \cos^2(\theta/2) & -(\sin \theta) /2 \\ -(\sin \theta) /2 & \sin^2(\theta/2) \end{pmatrix}$, on a specific environmental qubit, the success probability of correct distinguishing its state is $p \equiv (1 + \left| \cos \theta \, \right|) / 2$.

Suppose that the guess is given as the majority of n single-qubit guesses, i.e. it succeeds when at least $n/2$ of these guesses is correct. Thus, the total success probability of the guess (9) is equal to $1-F(n/2;n,p)$, where $F(\cdot;n,p)$ is the cumulative distribution function of the binomial distribution with n Bernoulli trials with success probability p. Now, we ask, for what range of Γ, θ, and µ do we have $\mathrm{P}_{\mathrm{guess}} \gg 1/2$?

It can be shown [92, 93] that for $p \in (0,1)$ and a < p it holds $F(a n;n,p) \leqslant \exp \left( -n D \left( a || p \right) \right)$, where $D \left( a || p \right) \equiv a \ln{\frac{a}{p}} + (1-a) \ln{\frac{1-a}{1-p}}$ is the Kullback–Leibler divergence between Bernoulli random variables. Using the above formulae for n and p we directly get

$$\begin{align} D \left( 1/2 || (1 + \left| \cos \theta \, \right|) / 2~\right) = -\ln \left| \sin \theta \, \right|, \end{align} \tag{ 12 }$$

and thus

$$\begin{align} \mathrm{P}_{\mathrm{guess}} \geqslant 1 - \exp \left( - \mu(-\ln \Gamma)\right), \end{align} \tag{ 13 }$$

and the lower bound does not depend on θ. From these considerations it follows that taking any µ satisfying $\lim_{x \to \infty} \mu(x) = \infty$ and $\lim_{x \to \infty} \frac{\mu(x)}{x} = 0$ we have that in the classical limit an arbitrarily small fraction of all environmental qubits is enough to provide the eavesdropper full access to cryptographic data.

The fact expressed in (13), that the larger part of the environment is being observed, the more information about the system is gathered, complies with the information plateau observation of the quantum Darwinism [15, 34, 94], see section 1. We would like at this point to briefly discuss the relation between these two facts.

One of the central outcomes of quantum Darwinism is the result, that the mutual information between a measured (or observed) subsystem and a small fraction of the surrounding environment, is close to the von Neumann entropy of the former, H(S). In a sense, H(S) sets the limit on the classical information that the environment (E) can acquire about (S). It can also be observed, that when almost all the environment (E) is considered, it contains also the almost full quantum information about (S), as noted in section 1. It can be shown that the potential of acquisition of the quantum information is significantly diminished when any initial mixedness, or haziness, is present in the environment [94].

On the other hand, the quantity being paramount to our analysis is the guessing probability, directly related to min-entropy $H_\infty$ [88], viz. for a classical probability distribution we have $H_\infty = -\log_2~\mathrm{P}_{\mathrm{guess}}$. The conditional quantum min-entropy is a single-shot [95] version of the conditional quantum entropy, in a sense that the latter may be considered as a limit of the former when an infinite number of copies of the states are available, as stated by the quantum asymptotic equipartition property (QAEP) [96].

Thus, the approach to quantum Darwinism that we propose, employing the analysis of the guessing probability instead of the mutual information, supplies a related, but a new point of view on the concept of redundant imprinting of information in quantum Darwinism. Obviously, the larger the quantum mutual information the larger the classical guessing probability can be expected, and vice versa. However, a goal of quantum Darwinism, as a quantum-to-classical transition theory, is to elucidate the classical properties of quantum systems. Thus, a quantity that is classical in its nature, viz. the guessing probability, may be expected to provide new insight into the problem.

In quantum Darwinism, the fact that the classical information about (S) is present in the environment is expressed by the observation that multiple fragments of the environment (E) have large mutual information with (S). In contrast, in the view of QAEP, min-entropy and the guessing probability concern the situation when there exists at least one fragment of the environment with the classical information imprint. We leave a further investigation of the relation of these approaches to quantum Darwinism for future work.

We note that when the whole environment is accessible to the eavesdropper, even in an incoherent, semi-classical, manner, i.e. for $\mu(x) = x$, the relation (13) takes a simple trade-off form

$$\begin{align} \mathrm{P}_{\mathrm{guess}} + \Gamma \geqslant 1. \end{align} \tag{ 14 }$$

We see that the shielded laboratory assumption $\mathrm{P}_{\mathrm{guess}} \leqslant 1/2$ entails $\Gamma \geqslant 1/2$, viz. restricts the measurement to premeasurement. The trade-off (14) in particular states that the eavesdropper's ability to read out the information of the measurement limits the degree of decoherence.

The above model is exceedingly simplistic, covering only a particular form of potential attacks of Van Eck's type, and may not be the most efficient one. Yet, this restricted and fairly simple and natural form of gathering information from the surroundings is enough to compromise the security of a device producing private numbers showing that the discussed sort of attack is a serious threat.

Let us summarize the assumptions we make in the derivation of the lower bound (13). We assume a particular form of the interaction $U^{(SA)}$ justified by the functioning of a measuring device. The decomposition of the measurement process into parts $U^{(SA)}$ and $U^{(AE)}$ is justified by its logical order in the measurement, i.e. first occurs the premeasurement, and then occurs the decoherence. Thus, stating that the measuring device interacts with the environment via some interaction $U^{(AE)}$ is not restrictive. Next, we perform the calculations using a particular form of $U^{(AE)}$ used in [16, 90]; we leave considerations with more general $U^{(AE)}$ as an important new engineering task of designing cryptographical devices in a way more secure against Van Eck's attacks. The considered form of the interaction $U^{(EV)}$ does not restrict the generality of our results, as it is sufficient for the trade-off relation to occur. We show that such interaction exists, possibly there exists another interaction $U^{(EV)}$ for which the trade-off relation is even stronger; we also leave this for a further study of the interplay between designing devices with more suitable $U^{(AE)}$ and attacks with more efficient $U^{(EV)}$.

To see the consequences of the above analysis, we start with the simplest case with one environmental qubit interacting via a perfect CNOT, viz. N = 1 and θ = 0. We have the full decoherence with $\Gamma = 0$ but, if the only environmental qubit is intercepted by the eavesdropper, we also have $\mathrm{P}_{\mathrm{guess}} = 1$. For a toy model of decoherence with N = 20 and $\theta = \pi / 4$ we have $\Gamma \approx 0.001$; then for 1, 3, and 5 intercepted environmental qubits $\mathrm{P}_{\mathrm{guess}}$ is 0.85, 0.94, and 0.98, respectively. For the more realistic case with $\Gamma \approx 10^{-40}$ [97] if the van Eck's antenna observes $1\%$ or $5\%$ of the environment, then $\mathrm{P}_{\mathrm{guess}}$ is 0.6 or 0.99, respectively.

4.2. Coherent eavesdropping from moderate-size environment

To investigate how the privacy of quantum random numbers from the above model is compromised by a coherent Van Eck-type antenna we performed also numerical simulations. Let $D^{(E)}$ denote the dimension of the environment, and $k \in \{2, \cdots, D^{(E)}\}$ be the number of degrees of freedom of the environment the antenna can faithfully distinguish; the ratio $k/D^{(E)}$ can be considered as the measure of how much of the environment is monitored, or controlled, by the eavesdropper.

In the numerical calculations we consider Haar distributed [98] $\{U_0^{(E)}, U_1^{(E)}\}$. To simulate the limitations of Van Eck's antenna we now consider $P_0^{(E)}$ of the following form. We decompose the space of the environment $\mathcal{H}^{(E)}$ into two parts: $\mathcal{H}^{(\hat{E})}$, and $\mathcal{H}^{(\tilde{E})}$, with dimensions k and $D^{(E)} - k$, respectively; so that $\mathcal{H}^{(E)} = \mathcal{H}^{(\hat{E})} \oplus \mathcal{H}^{(\tilde{E})}$, where $\oplus$ denotes the direct sum of spaces. We take $P_0^{(E)} = P^{(\hat{E})} \oplus {\unicode{x1D7D9}}^{(\tilde{E})}$, where $P^{(\hat{E})}$ is an arbitrary projector on $\mathcal{H}^{(\hat{E})}$ with the rank $\lfloor{k/2}\rfloor$.

We executed the computation of (9) for $D^{(E)} = 20, 50, 100, 200$. To this end, for each instance, we parametrized the operator $P^{(\hat{E})}$ and performed a gradient search to maximize the value of the guessing probability. We averaged the results of several (15, 8, 11, and 4, respectively) instances with different $\{U_0^{(E)}, U_1^{(E)}\}$. The results are shown in figure 1.

Zoom In Zoom Out Reset image size

It can be observed that the guessing probability is more or less proportional to the observed part of the environment. We note that even when the eavesdropper possesses full access to the environment's information, she or he still may not be able to achieve the value 1 of guessing probability since not all information could have been propagated, especially when the value of $D^{(E)}$ is small. This relates to the situation with $\Gamma \gg 0$, so with no full measurement inside the laboratory.

Despite this work being embedded in the framework of einselection and quantum Darwinism, we do not consider here the usual scenario of information widespread in multiple copies of independent parts of the environment. We concentrate on the observation of a single observer, so, this cannot be understood as a model of objectivity [99] (or inter-subjectivity [25, 100]) as investigated in the recent works [16]. Yet, it is obvious, that after a measurement is performed, then knowing what has been measured (i.e. the basis), should imply the ability to copy and disseminate the result [33, 101].

We have seen that the shielded laboratory assumption prevents the occurrence of measurement; and that by relaxing this assumption, we open a way for attacks similar to the Van Eck phreaking. We note that although figure 1 shows cases with relatively small sizes of the environment compared to macroscopic objects, it suggests that the greater the dimension, the lower part of the laboratory's surroundings has to be under control for the significant potential for eavesdropping. Indeed, the relation (13) we derived for incoherent qubits phreaking clearly indicates that any sort of cryptographic protocol is prone to the discussed type of attacks.

We would like to stress that our topic is not the analysis of the case when the device that processes quantum information happens not to be perfectly shielded due to imperfections. We also do not consider the case when the eavesdropper is vetting any classical information encoded microscopically in the cryptographical equipment after potentially gaining access to it. On contrary, we show that for any quantum measuring-based device to function properly it is necessary to drop the perfect shielding assumption by the design, and adjust to the fact delivered from quantum Darwinism, that after the quantum-to-classical transition the uncontrolled information leakage is ineluctable.

In this preliminary study, we investigated only the simplest case where the quantum randomness is obtained from the measurement on a different basis than the prepared state. Although simple, this scenario is ubiquitous as an ingredient of more involved and complex quantum protocols.

This work intends to show that the quantitative investigation of the relation between two important, yet till now disjoint, areas of quantum information, viz. theory (quantum Darwinism) and application (quantum cryptography) of measurements are possible. Quantum cryptography is a wide field and is currently the only quantum information research area with serious commercial deployments [102, 103]. Our main premise is to change one of the essential parts of the paradigm of quantum cryptography that was based on neglecting, or abstracting from, the way the quantum measurement is performed in cryptographic devices. We also suggest that the guessing probability together with the related concept of min-entropy may be a relevant quantity to be investigated in quantum Darwinism in a way similar to the mutual information.

We expect the presented result will encourage researchers working on decoherence theory to contribute to the development of the design of cryptographic devices, similarly as they contribute to the area of quantum computation [104–106]. We consider it an interesting and vital problem, how such analysis can be extended to more complicated scenarios, and cover such problems as quantum communication [3] or QKD [107], not only in a device-dependent scenario, like in this work, but possibly in device-independent [108], or semi-device-independent [109] frameworks.

We close this work with the practical open question of whether it is possible to protect against the introduced type of attacks. We predict the general answer, with the eavesdropper with sufficient control over the environment, to be negative. Still, it is plausible that under some reasonable assumptions regarding the technology of the eavesdropper, one can engineer the shielding in such a way that the measurement does occur while the wiretapping task becomes burdensome. Another possible way of defense could potentially be to adopt the ordinary quantum cryptographical methods [3, 60] to somehow detect the action of a Van Eck-type eavesdropper on the environment.

The work is supported by the Foundation for Polish Science (IRAP project, ICTQT, Contract No. 2018/MAB/5, co-financed by EU within Smart Growth Operational Programme), NCBiR QUANTERA/2/2020 (www.quantera.eu), an ERA-Net cofund in Quantum Technologies, under the project eDICT, and NCN grant SHENG (Contract No. 2018/30/Q/ST2/00625). The numerical calculations we conducted using OCTAVE 6.1 [110], and packages QETLAB 0.9 [111] and Quantinf 0.5.1 [112].

The work does not involve any data not included in the text. The MATLAB source codes used to prepare figure 1 are available upon request from the author. All data that support the findings of this study are included within the article (and any supplementary files).

The author declare no conflict of interest.

The work is purely theoretical. No ethical issues were noted by the author.