Private Quantum Channels
y z x Andris Ambainis � Michele Mosca Alain Tapp Ronald de Wolf
Abstract Now let us consider the analogous situation in the quan- tum world. Alice and Bob are connected by a one-way We investigate how a classical private key can be used quantum channel, to which an eavesdropper Eve has com-
by two players, connected by an insecure one-way quantum plete access. Alice wants to transmit to Bob some n-qubit S
channel, to perform private communication of quantum in- state � taken from some set , without allowing Eve to ob- �
formation. In particular we show that in order to transmit n tain any information about . Alice and Bob could eas-
n n qubits privately, � bits of shared private key are necessary ily achieve such security if they share EPR-pairs (or if and sufficient. This result may be viewed as the quantum they were able to establish EPR-pairs over a secure quan- analogue of the classical one-time pad encryption scheme. tum channel), for then they can apply teleportation [1] and transmit every qubit via 2 random classical bits, which will give Eve no information whatsoever. But now suppose Al- ice and Bob do not share EPR-pairs, but instead they only have the resource of shared randomness, which is weaker 1 Introduction but easier to maintain. A first question is: is it at all possible to send quantum Secure transmission of classical information is a well information fully securely using only a finite amount of ran- studied topic. Suppose Alice wants to send an n-bit mes- domness? At first sight this may seem hard: Alice and Bob sage M to Bob over an insecure (i.e. spied-on) channel, in have to “hide” the amplitudes of a quantum state, which are such a way that the eavesdropper Eve cannot obtain any in- infinitely precise complex numbers. Nevertheless, the ques-
formation about M from tapping the channel. If Alice and tion has a positive answer. More precisely, to send privately
n K
�n
Bob share some secret -bit key , then here is a simple n qubits, a -bit classical key is sufficient. The encryp- M
way for them to achieve their goal: Alice exclusive-ors tion technique is fairly natural. Alice applies to the state �
�
M � M � K
with K and sends the result over the chan- she wants to transmit a reversible quantum operation spec-
�
M K
nel, Bob then xors again with and obtains the original ified by the shared key K (basically, she applies a random
�
�
M � K � M
message . Eve may see the encoded message Pauli matrix to each qubit), and she sends the result � to
� K M , but if she does not know then this will give her no Bob. In the most general setting this reversible operation
information about the real message M , since for any mes- can be represented as doing a unitary operation on the state
�
M K � sage there is a key giving rise to the same encoding �
augmented with a known fixed ancilla state a . Know-
� M . This scheme is known as the Vernam cipher or one- ing the key K that Alice used, Bob knows which operation
time pad (“one-time” because K can be used only once if Alice applied and he can reverse this, remove the ancilla, n we want information-theoretic security). It shows that bits and retrieve �. In order for this scheme to be information- of shared secret key are sufficient to securely transmit n bits theoretically secure against the eavesdropper, we have to
of information. Shannon [7, 8] has shown that this scheme �
require that Eve always “sees” the same density matrix 0 n
is optimal: bits of shared key are also necessary in order on the channel, no matter what � was. Because Eve does n to transmit an -bit message in an information-theoretically not know K , this condition can indeed be satisfied. Ac- secure way. cordingly, an insecure quantum channel can be made secure (private) by means of shared classical randomness. � U.C. Berkeley, supported by U.C. Berkeley Graduate Fellowship and A second question is, then, how much key Alice and Bob NSF grant CCR-9800024, [email protected].
y University of Waterloo and St. Jerome’s University, partially sup- need to share in order to be able to privately transmit any 1 ported by NSERC, [email protected]. n-qubit state. A good way to measure key size is by the
z University of Waterloo, supported by NSERC Postdoctoral Fellow- ship, [email protected]. 1 If Alice and Bob share an insecure two-way channel, then they can do
x CWI and University of Amsterdam, partially supported by the EU fifth quantum key exchange [2] in order to establish a shared random key, so in framework project QAIP, IST–1999–11234, [email protected]. this case no prior shared key (or only a very small one) is required.
amount of entropy required to create it. As one might imag- are the 4 Pauli matrices:
� � � � n
ine, showing that � bits of key are also necessary is the
� � � �
�n
� � � � �
most challenging part of this article. We prove this -bit �
0 1
� � � �
� � �
lower bound in Section 5, and show that it even holds if the �
� �i � �
n qubits of the message are not entangled. Accordingly, in
� � � � � �
2 3
i � ��
analogy with the classical one-time pad, we have an opti- � n
mal quantum one-time pad which uses � classical bits to
�i � � � � � jM � �i M Let j denote the basis states of some -
completely “hide” n qubits from Eve. In particular, hiding a
n
H H 2
qubit is only twice as hard as hiding a classical bit, despite dimensional Hilbert space M . We use for the Hilbert
n n
the fact that in the qubit we now have to hide amplitudes space whose basis states are the � classical -bit strings. A
j�i H
coming from a continuous set. pure quantum state is a norm-1 vector in M . We treat
�i M h�j j as an -dimensional column vector and use for the The article is organized as follows. Section 2 introduces row vector that is its conjugate transpose. The inner product
some notation and some properties of Von Neumann en-
�i j� i h�j� i between pure states j and is . A mixed quantum tropy. In Section 3 we give a formal definition of a private
state or density matrix � is a non-negative Hermitian matrix
quantum channel (PQC). In Section 4 we give some exam-
r��� � � that has trace T . The density matrix corresponding
ples of PQCs. In particular we show that there is a PQC
�i j�i h�j �
to a pure state j is . Because a density matrix is
P
�n
that privately sends any n-qubit state using bits of ran-
N
p j� i h � j � �
i i
Hermitian, it has a diagonalization i ,
i=1
domness (shared key). We also exhibit a non-trivial set of P
p p � � p � �
i i
where the are its eigenvalues, , i , and i
n-qubit states, namely the tensor products of qubits with
j� i �
the i form an orthonormal set. Thus can be viewed as real amplitudes, for which there is PQC requiring only n describing a probability distribution over pure states. We
bits of randomness. The latter result includes the classical P
M
1 1
�
I � I � jii hij M
use M to denote the totally
i=1
M M n one-time pad. In Section 5 we show that � bits of random- mixed state, which represents the uniform distribution on
ness are necessary if we want to be able to send any n-qubit
�i
state privately. all basis states. If two systems are in pure states j and
� i
j , respectively, then their joint state is the tensor product
�i � j� i � j�i j� i
pure state j . If two systems are in mixed
� � 2
Remarks about related work. Several recent papers in- states 1 and , respectively, then their joint state is the
� � � �j �i � j� i��h �j � h� j� 2
dependently discussed issues similar to our work. In a tensor product 1 . Note that is
�i h�j � j� i h� j
related but slightly different setting, Braunstein, Lo, and the same as j .
j�i
Spiller [4, 5] have shown that 2 bits of entropy are neces- Applying a unitary transformation U to a pure state
j�i U �
sary and sufficient to “randomize” a qubit. Very recently, gives pure state U , applying to a mixed state gives
p
y
U �U E � f p U j � � i � N g
�n i
Boykin and Roychowdhury [3] exhibited the -bit Pauli- mixed state . We will use i U
matrix one-time pad. They also gave a general characteri- to denote the superoperator which applies i with proba-
P
p � � p i
bility i to its argument (we assume ). Thus
zation of all possible encryption schemes without ancilla, a i
P
y
p U �U ��� �
characterization which can also be derived from the simulta- E i
i . Quantum mechanics allows for more
i i
neous and independent work of Werner [10]. Furthermore, general superoperators, but this type suffices for our pur-
p
�n
� f p U j � � i � N g
Boykin and Roychowdhury proved a -bit lower bound for E i
poses. If two superoperators i
p
� � �
the case where the encryption scheme does not allow the use �
U j � � i � N g � f p E ��� �
and E are identical (
i i
of an ancilla state. In Section 5 we start with a simplified �
��� � E for all ), then they are unitarily related in the follow-
proof of the lower bound for the no-ancilla case and give a �
� N
ing way [6, Theorem 8.2] (where we assume N and
� �
different and more complicated proof for the lower bound �
� N E E E if N we pad with zero operators to make and
in the case where we do allow an ancilla.
� N A of equal size): there exists a unitary N matrix such
that for all i
N q
2 Preliminaries X
p
�
�
A U � p U � p
ij i i
j
j =1 2.1 States and operators j
2.2 Von Neumann entropy
v jj v A
We use jj for the Euclidean norm of vector . If is
y �
a matrix, then we use A for its conjugate transpose and Let density matrix have the diagonal-
P
N
� p j� i h � j
i i i
r�A�
T ization . The Von Neumann entropy of =1
for its trace (the sum of its diagonal entries). A i
P
N
y
A A � A S ��� � H �p � � � � � p � � � p log p H
N i i
square matrix is Hermitian if , and unitary if is 1 , where is
i=1
�1 y
� A S ��� A . Important examples of unitary transformations the classical entropy function. This can be interpreted as the minimal Shannon entropy of the measurement out- Note that by linearity, if the PQC works for all pure
come, minimized over all possible complete measurements. states in S , then it also works for density matrices over
��� � S S
Note that S only depends on the eigenvalues of . The : applying the PQC to a mixture of states from gives �
following properties of Von Neumann entropy will be use- the same 0 as when we apply it to a pure state. Accord-
p
p U j � � i � N g� � � � � �S � f
i a 0
ful later (for proofs see for instance [9]). ingly, if i is a PQC, then
H �p � � � � � p � N
1 bits of shared randomness are sufficient for
�j�i h �j� � � j�i
1. S , for every pure state . S Alice to send any mixture � of -states to Bob in a secure
way. Alice encodes � in a reversible way depending on her
S �� � � � � S �� � � S �� �
2 1 2
2. 1 . i
key i and Bob can decode because he knows the same and
y
S �U � U � � S ���
3. . U
hence can reverse Alice’s operation i . On the other hand,
Eve has no information about the key i apart from the dis-
S �� � � � � � � � � � � � � � � S �� � � � S �� � �
1 2 2 n n 1 1 2 2
4. 1
P p
tribution i , so from her point of view the channel is in state
� � � � � S �� � � � � � � �
n n i
if and i .
i
� � � � 0
E v e . This is independent of the that Alice wants to
P N
send, and hence gives Eve no information about �.
� � p j� i h � j j� i
i i i
5. If i with the not necessarily
i=1
S ��� � H �p � � � � � p � N orthogonal, then 1 . 4 Examples and properties of PQCs 3 Private Quantum Channels
In this section we exhibit some private quantum chan- n Let us sketch the scenario for a private quantum chan- nels. The first uses � bits of key to send privately any
n-qubit state. The idea is simply to apply a random Pauli nel. There are N possible keys, which we identify for
matrix to each bit individually. This takes 2 random bits
� � � � � N i convenience with the numbers � . The th key has
per qubit and it is well known that the resulting qubit is
p H �p � � � � � p �
1 N probability i , so the key has entropy when in the completely mixed state. For notational convenience
viewed as a random variable. Each key i corresponds to a
2n
�� � � � � � � �g
we identity the numbers f with the set U
unitary transformation i . Suppose Alice wants to send a
n n
f�� �� �� �g x � f�� �� �� �g x � f�� �� �� �g
. For we use i
�i S
pure state j from some set to Bob. She appends some
i � n
for its th entry, and we use x to denote the -qubit unitary
� j�i h�j U i
fixed ancilla qubits in state a to and then applies
� � � � � � � x
transformation x .
j�i h�j � � i
n 1 to a , where is her key. She sends the resulting
state to Bob. Bob, who shares the key i with Alice, applies
1
n
p
E � f � j x � f�� �� �� �g g
�1
Theorem 4.1 If x , then
2n
U j�i h�j � � �
2 a
to obtain a , removes the ancilla , and is
i
�
n n
� � E � I �H
j�i h �j 2 left with Alice’s message . One can verify that this is 2 is a PQC.
the most general setting allowed by quantum mechanics if �
we want Bob to be able to recover the state perfectly. Now Proof It is easily verified that applying each i with proba-
��
in order for this to be secure against an eavesdropper Eve, bility � to a qubit puts that qubit in the totally mixed state
� I
2 (no matter if it is entangled with other qubits). Operator
we have to require that if Eve does not know i, then the n
E just applies this treatment to each of the qubits, hence �
density matrix 0 that she gets from monitoring the channel
�
n n
E �j�i h�j � � I j�i � H 2 2
2 for every .
�i
is independent of j . This implies that she gets no infor-
�i
mation at all about j . Of course, Eve’s measuring the
2n �
channel might destroy the encoded message, but this is like Since the above E contains operations and they have n
classically jamming the channel and cannot be avoided. The uniform probability, it follows that � bits of private key
n H
point is that if Eve measures, then she receives no informa- suffice to privately send any state from 2 .
�i
tion about j . We formalize this scenario as follows. The next theorem shows that there is some nontrivial
n
H n
subspace of 2 where bits of private key suffice, namely
n
S � H n
Definition 3.1 Let 2 be a set of pure -qubit states, the set of all tensor products of real-amplitude qubits:
p
E � f p U j � � i � N g i
i be a superoperator where each
P
N
B � fcos�� � j �i � sin�� � j �i j � � � �
m
U H � � �
p Theorem 4.2 If
i 2 a
is a unitary mapping on , i , be an
i=1
1
�n n
p
�� g S � B E � f � j x � f�� �g g
�m � n� � m
, , and x , then n
-qubit density matrix, and 0 be an -qubit den-
2
�
�S � E � � � � �
a 0
sity matrix. Then is called a Private Quantum n
� �S � E � I
2 is a PQC.
�i � S
Channel (PQC) if and only if for all j we have
� � 2
Proof This is easily verified: applying 0 and , each
N
X B
y with probability 1/2, puts any qubit from in the totally
� � � p U �j�i h�j � � � U E �j�i h�j � � � �
0 i i a a
i n
mixed state. Operator E does this to each of the qubits
i=1
individually. 2
n � m �
If (i.e. no ancilla), then we omit a .
�
� � �E � E � � j�i h �j�
Note that if we restrict B to classical bits (i.e.
f�� � ��g � ) then the above PQC reduces to the classical �
one-time pad: flipping each bit with probability 1/2 gives X
� � � �
� A
� �E � E � � � jxi h x j � jy i hy j
0 0
xy y
information-theoretical security. Note also that this PQC x
0 0 �y
does not work for arbitrary entangled real-amplitude states; x�y �x
X
1
p
� � � �
j ��i � j ��i�
for instance the entangled state � is not
� � � E �jxi hx j� � E �jy i hy j�
0 0
2
xy
x y
n � �� �� �
0 0
�y mapped to the totally mixed state. For there ex- x�y �x X
ist PQCs that require exactly n bits of entropy and can pri-
(�)
� �
� � � E �jxi hxj � � E �jy i hy j�
xy xy
vately transmit any entangled real-amplitude n-qubit state.
x�y
� �
However, for n we can show that such a PQC requires
X
2 �
n
� � j � � �
entropy strictly more than bits. This marks a difference j
xy 0 0
between sending entangled and unentangled real-amplitude x�y
states. We omit the technical proofs for reasons of space. �
� � � � �
0 0 �
In the previous PQCs, 0 was the completely mixed state
�
�
n
I n � m
��� E �j xi hx j� � �
2 . This is no accident, and holds whenever and In the step marked by we used that
�
�
n
I
x � x 2
2 is one of the states that the PQC can send: unless (Lemma 4.4).
�
�n
n
I �S � E � � � 2
Theorem 4.3 If 0 is a PQC without ancilla and
� H
The above proof also shows that a PQC for S
2
�
n
S � � I 2 can be written as a mixture of -states, then 0 .
(the set of all unentangled n-qubit states) is automatically
n
S � H n
also a PQC for 2 (the set of all -qubit states).
�
n
I S Proof If 2 can be written as a mixture of -states, then Finally, the same technique shows that Alice can employ
a PQC to privately send part of an entangled state to Bob
N N
X X
y
� � �
� in a way that preserves the entanglement. The PQC puts
n n n n
I � I � p I U � p U � � E �I � �
2 2 i 2 i i 0 2
i �
this part of the state in the 0 -state, so Eve can obtain no
i=1 i=1 information from the channel. When Bob reconstructs the
2 original state, this will still be entangled with the part of the
state that Alice kept.
�
n
I � S � 2
In general 0 need not be . For instance, let
� �
p
p
� �
p
2
1
p p
E � f p fj�i � g �j �i � j�i�g �
I 5 Lower bound on the entropy of PQCs 2
, 1 with
2 2
� ��
� �
1 3
4 4
�n
� p � ��� � �
p Above we showed that bits of entropy suffice for a
1 2 0 1
, and 1 . Then it is easily
4 4
PQC that can send arbitrary n-qubit states. In this section
�S � E � � �
verified that 0 is a PQC. n we will show that � bits are also necessary for this. Very
Finally we prove that a PQC for n-qubit states and n recently and independently of our work, this � -bit lower
a PQC for m-qubit states can easily be combined to a bound was also proven by Boykin and Roychowdhury [3]
� m
PQC for n -qubit states: entanglement between the for the special case where the PQC is not allowed to use any m n-qubit and -qubit parts is dealt with automatically. If
q ancilla qubits. We will first give a shorter version of their
p
� �
�
g U E � f p U g E � f p i
i and are superoperators, then j j proof, basically by observing that a large part of it can be re-
q placed by a reference to the unitary equivalence of identical
� �
�
g U � U E � E � f p p i
we use i for their tensor product. j j superoperators stated at the end of Section 2.1.
We will need the following lemma, the technical proof of
p
�
n n
� f � �H p U j � � i � N g� I
i i 2
which is deferred to the appendix. Theorem 5.1 If 2 is a
H �p � � � � � p � � �n N
PQC, then 1 .
E �j�i h�j � � � � � 0
Lemma 4.4 Suppose that a whenever
p
1
�
p
E � f p E � f � j x � U g
x i i
�i n E �j xi hy j � � � � � j Proof Let ,
2n
is a tensor product of qubits. Then a
2
n
n
f�� �� �� �g g
� f�� �g x � y
whenever x� y and . be the superoperator of Theorem 4.1, and let
2n �
�
n
K � max�� � N � E ��� � E ��� � I n
. Since 2 for all -
� � �
�
n m
� E � � � � � � E � � � � � �H �H
� E E
a 0 a 0 2
Theorem 4.5 If 2 and are qubit states , we have that and are unitarily related
� � �
n+m
�H � E � E � � � � � � � � �
a a 0 0
PQCs, then 2 is a PQC. in the way mentioned in Section 2.1: there exists a unitary
� K A � � i � N
K matrix such that for all we have
� �
Proof For notational convenience we will assume a
X
�
p
�
n � m j�i � � � �
p
a
p U � A �
. Consider any -qubit pure state �
i i ix x
P
2n
�
n � jxi jy i
n m
xy
�f0�1�2�3g
. We have: x
x�f0�1g �y �f0�1g
n n 2n
� � � � � � � � � � � � �
x x
We view the set of all matrices as a -dimensional with x as in Theorem 4.1. Also define
n 1
� y � n � �
n
hM � M i � Tr�M M ��� U � �I � U �U E �jxi hxj � � i
vector space with inner product 2 . It remains to show that
i
p
�
n
2n
jjM jj � hM � M i jxi � C � � I
0 2
and induced norm (as done in [3]). for all 2 :
jjM jj � � M �
Note that if is unitary. The set of all x forms
�
�j xi h xj�
an orthonormal basis for this vector space, so: E
� � �
n
X
N 2 �1
p �
X 2 2 X
�
p
p � jj p U jj � jj � jj A
i i i x ix
n n
p
� U � � p �I � � � � I jy i j y i
2n
i i 2 x 2
�
n
x
�
y =0
i=1
X
� �
� � �
2
n
2 �1
� jA j � �
ix
X
2n 2n
�
� �
y y
x
n n
p
� U � �I � � � I hz j hz j �
i 2 x 2
n
�
z =0
2n
�
N � � H �p � � � � � p � � �n 2 N
Hence and 1 .
N
X
�
n n
� � � � � I � U � p �I
x 2 i i 2
n
� =1
However, even granted this result it is still conceivable i
� �
that a PQC might require less randomness if it can “spread �
X
y y
� A �
n n
� � � I jy i hz j � jy i hz j � � U � I
out” its encoding over many ancilla qubits — it is even con- �
x 2 i 2
n
�f0�2 �1g ceivable that those ancilla qubits can be used to establish y �z
privately shared randomness using some variant of quan- � X
tum key distribution. The general case with ancilla is not �
�
n
jy i hz j � � � � � � I
x 2
n
�n
addressed in [3], and proving that the -bit lower bound �
n
y �z �f0�2 �1g
�� extends to this case requires more work. The next few the- � N
orems will do this. These show that a PQC that can trans- X
y
y
n
� p U jy i hz j U � � � I
i i x 2
i
�n
mit any unentangled n-qubit state already requires bits
i=1 �
of randomness, no matter how many ancilla qubits it uses. � X
Thus Theorem 4.1 exhibits an optimal quantum one-time �
y
� �
n n
� � � � I � � I � � jy i h z j � E �j y i hz j� �
x 2 x 2
pad, analogous to the optimal classical one-time pad men- n
�
n
�f0�2 �1g
tioned in the introduction. y �z
� �
n
2 �1
C � fjii j � � i � k ��g X
We use the notation k for the set
�
(�)
y
n n
� � jy i hy j � E �j y i hy j� � � � � � I � � I
k 2 x 2
of the first classical states. The next theorem implies that x
n
�
y =0
a PQC that privately conveys n unentangled qubits using
i h
y m
bits of key, can be transformed into a PQC that privately �
n n n
� � � � � I � � I � � � � I
x 2 x 2 0 2
2n
jii � C m
conveys any 2 , still using only bits of key.
�
n
� � � � I
0 2
p
�n
�H � E � f p U j i
Theorem 5.2 If there exists a PQC i
2
�
��� E �jy i hz j� � �
2n
� � i � N g� � � � � �C � E � 0 a In the step marked by we used that unless
, then there exists a PQC 2
p
�
�
n y � z 2
� � � j � � i � N g� � � I p U f
0 a 2
i . (Lemma 4.4). i
Proof For ease of notation we assume without loss of gen-
m C
Privately sending any state from 2 corresponds to pri-
E � n erality that uses no ancilla, so we assume 0 is an -
vately sending any classical m-bit string. If communica- �
qubit state and omit a (this does not affect the proof in tion takes place through classical channels, then Shannon’s � any way). We will define E and show that it is a PQC. In-
theorem implies that m bits of shared key are required to
�
2n
E C tuitively, maps every state from 2 to a tensor product achieve such security. Shannon’s classical lower bound
of n Bell states by mapping pairs of bits to one of the four does not translate automatically to the quantum world (it 2 Bell states. The second bits of the pairs are then moved to is in fact violated if a two-way quantum channel is avail- the second half of the state and encrypted by applying E to able, see Footnote 1). Nevertheless, if Alice and Bob com-
them. Because of the entanglement between the two halves municate via a one-way quantum channel, then Shannon’s n
of each Bell state, the resulting � -qubit density matrix will theorem does generalize to the quantum world:
�
n
� � I 0
be 2 . More specifically, define
p
m
�C � f p U j � � i � N g� � � � �
n
2 i a 0
Theorem 5.3 If i is a
2 �1
X
�
H �p � � � � � p � � m N
PQC, then 1 .
n
p
jii jii � � U jxi � � � � I
x 2
n
�
P
i=0
r
� � q j� i h � j
j j j
Proof Diagonalize the ancilla as a ,
j =1
1 1
2
p p
(j00i � j11i ) (j01i � j10i )
�� � � H �q � � � � � q �
The 4 Bells states are and . S
1 r
so a . First note that the properties of
2 2
Von Neumann entropy (Section 2) imply: which conveys no information about � to the eavesdropper.
� � This is a simple scheme which works locally (i.e. deals with N
X each qubit separately) and uses no ancillary qubits. On the
y
p U �j�i h�j � � �U S �� � � S
i i a 0
i other hand, we showed that even if Alice and Bob are al-
i=1 �
� lowed to use any number of ancilla qubits, then they still
N r
X X n
require � bits of entropy.
y
A �
p q U �j�i h�j � j� i h � j�U � S
i j i j j
i
i=1 j =1
Acknowledgment
� H �p q � p q � � � � � p q � p q �
1 1 1 2 N r �1 N r
We thank Richard Cleve, Hoi-Kwong Lo, Michael Nielsen,
� H �p � � � � � p � � H �q � � � � � q ��
N 1 r 1 Harry Buhrman, Michel Boyer, and P. Oscar Boykin for
Secondly, note that useful discussions and comments.
� �
N
X y
� References
m
p U �I � � �U S �� � � S
i i 2 a 0
i
i=1
N
� �
X [1] C. Bennett, G. Brassard, C. Cr´epeau, R. Jozsa, A. Peres, and
�
m
p S � � I �
i a
2 W. Wootters. Teleporting an unknown quantum state via =1 i dual classical and Einstein-Podolsky-Rosen channels. Phys-
N ical Review Letters, 70:1895–1899, 1993.
X
p �m � S �� ��
� [2] C. H. Bennett and G. Brassard. Quantum cryptography:
i a
Public key distribution and coin tossing. In Proceedings of
i=1
the IEEE International Conference on Computers, Systems
� m � S �� �� a and Signal Processing, pages 175–179, 1984. [3] P. O. Boykin and V. Roychowdhury. Optimal encryption of Combining these two inequalities gives the theorem. 2 quantum bits. quant-ph/0003059, 16 Mar 2000.
[4] S. Braunstein, H.-K. Lo, and T. Spiller. Forgetting qubits is
2n C
In particular, for sending arbitrary states from 2 we
hot to do. Unpublished manuscript, 1999. n need entropy at least � . Combining Theorems 5.2 and 5.3 [5] H.-K. Lo. Classical communication cost in distributed quan- we thus obtain: tum information processing—a generalization of quantum
p communication complexity. Physical Review A, 62, 012313.
�n
�H p U j � � i � N g� � � � � � f
i a 0 Corollary 5.4 If i is a
2 [6] M. A. Nielsen and I. L. Chuang. Quantum Computation and
H �p � � � � � p � � �n N
PQC, then 1 (and hence in particular Quantum Information. Cambridge University Press, 2000.
2n
� � N ). [7] C. E. Shannon. A mathematical theory of communication.
Bell System Technical Journal, 27:379–423, 623–656, 1948.
�n
n
H � H
Since 2 , we have also proved the optimality 2 [8] C. E. Shannon. Communication theory of secrecy systems. of the PQC of Theorem 4.1: Bell System Technical Journal, 28:656–715, 1949.
p [9] A. Wehrl. General properties of entropy. Review of Modern
n
� f �H p U j � � i � N g� � � � �
i i a 0 Corollary 5.5 If 2 is a
Physics, 50(2):221–260, 1978.
H �p � � � � � p � � �n N PQC, then 1 .
[10] R. F. Werner. All teleportation and dense coding schemes. n
� quant-ph/0003070, 17 Mar 2000.
n
C � B
In relation to Theorem 4.2, note that 2 . Hence another corollary of Theorem 5.3 is the optimality of the
PQC of Theorem 4.2: A Proof of Lemma 4.4
p
�n
�B � f p U j � � i � N g� � � � �
i a 0
Corollary 5.6 If i is
E �j �i h �j � � � � � 0
Lemma 4.4 Suppose that a whenever
H �p � � � � � p � � n N
a PQC, then 1 (and hence in particular
j�i n E �jxi hy j � � � � � n
is a tensor product of qubits. Then a
� �
N ).
n
� f�� �g x � y whenever x� y and .
6 Summary
� � �
Proof For notational convenience we assume a . The
proof is by induction on the Hamming distance d between
The main result of this paper is an optimal quantum ver- y x and .
sion of the classical one-time pad. On the one hand, if Al- n
ice and Bob share � bits of key, Alice can send Bob any
1 1
p p
d � � �jxi � jy i� �jxi �
� n
n-qubit state , encoded in another -qubit state in a way Base case. If , then and
2 2
jy i�
i are tensor products, and we have:
� �
1
�jxi hxj � jy i hy j� � � E
0
2
1
�E �j xi h xj� � E �jy i hy j�� � �
2
� �
1 1
p p
� � E � �j xi � jy i��� �h xj � hy j��
0
2 2
1
�E �j xi h xj� � E �jy i hy j� � E �j xi hy j� � E �j y i h xj�� � �
2
� �
1 1
p p
�hxj � i hy j�� � � E � �j xi � i jy i���
0
2 2
1
� �E �j xi h xj� � E �jy i hy j� � iE �jxi hy j� � iE �jy i hxj�� � 2
The first and second equality imply
E �j xi h y j� � E �j y i h xj� � ��
the first and third equality imply
E �j xi h y j� � E �j y i h xj� � ��
�j xi hy j� � E �jy i hxj � � �
Hence E .
n
� f�� �g
Induction step. Let x� y have Hamming dis-
d
� � x � � z
tance d . Without loss of generality we assume
d n�d
� � z z � f�� �g
and y for some . We have to show
�jxi hy j� � �
E .
d
� f�� �g n
Let v . We consider the pure -qubit state
�
v v
1
d
p
j�i� � � � � � �j�i � i j�i� � jz i � �j�i � i j� i �
v
d
�
P
u v u � v � j
Let j denote the inner product of bitstrings
j
v u u
u and , and let denote the negation of (all bits flipped).
j� i
Since v is a tensor product, we have
� � E �j � i h� j�
0 v v
X
0
�
u�v u �v �
i ��i� E �j ui h u j � jz i h z j�� �
d
�
0 d
u�u �f0�1g
d �
u � u
Note that the � terms with in the latter expression �
sum to 0 . Furthermore, by the induction hypothesis we
�
�j ui hu j � jz i hz j� � �
have E whenever the Hamming dis-
�
u d � � tance between u and lies between 1 and . Thus the
only terms left in the above equation are the ones where u
� �
d u � u
and u have Hamming distance (i.e. ). Now, using
jv j u�v u�v u�v
� ��i� ���� ��i�
i , the equation reduces to:
X
�
u�v
� � uj � jz i hz j�� ���� E �jui h
d
�
d
u�f0�1g
P
u�v d
���� � �
Summing over all v and using that for
v
d d
� � u � �
u and 0 for , we obtain:
X X
�
u�v
� � uj � jz i h z j� ���� E �j ui h
d
�
d d
v �f0�1g u�f0�1g
� E �j� � � � �i h� � � � �j � j z i hz j��
� � � � �i h� � � � �j � jz i hz j � jxi hy j Since j , this concludes
the proof. 2