arXiv:quant-ph/0610193v1 23 Oct 2006 en ehiusfrsaigasce e ewe remote between key QKD secret that a remark as we sharing data Here, for sequel. secret techniques the encrypt means in used directly elucidated be be that can will codes codes conjugate cryptographic that th imply as example, also one For [7] codes). merely in (CSS arguments as codes viewed the conjugate [7], be of in application can QKD scheme treated CSS- QKD have of CSS-code-based we discrete litera- reliability Although ideal the systems. and assuming quantum in rigorously security schemes exist the QKD quantified to code-based and proved [2], those ture outperforms that codes that with unfamiliar so those here to theorists’ coined theory. accessible coding information was more quantum the be term would in This quantum issue done pays fields. this about be and finite can forgets of decoding what universe one or to if encoding only attention codes for CSS operations mechanical for synonym a code error-correcting quantum protocol. of famous the fidelity the underlying particular, the of proved In evaluating security be could theory. the by protocol quantum that QKD in (BB84) for argued 1984 [6] least, Bennett-Brassard useful Preskill are at and codes Shor (QKD), symplectic distribution of key class this stabilizer that or codes symplectic [5]. called [4], class general [3], are more codes Calderbank- which a called to QECCs, then QECCs and of algebraic [2] soon of codes of was (CSS) theory code class Shor-Steane the first a The 1995, to rapidly. in extended developed [1] been Shor has by QECCs (QECC) code correcting pairs. code conjugate on cryptograph studies quantum motivate to th to applicable argued order are is pairs corresp It code the code. conjugate conjug of quantum The structure other. (CSS) essential the Calderbank-Shor-Steane of the dual represents the pair contains code one that such codes codes. eety h rsn uhr[]poe h xsec fCSS of existence the proved [7] author present the Recently, almost is title the in appearing codes’ ‘conjugate term The well-known is It codes. CSS on focus we paper, this In error- quantum algebraic first the of invention the Since Terms Index Abstract ojgt oepi sdfie sapi flinear of pair a as defined is pair code conjugate A — ojgt oe,qoin oe,cryptographic codes, quotient codes, conjugate — .I I. ojgt oe n Applications and Codes Conjugate NTRODUCTION -- aaaagke,Mcia oy 9-60 Japan 194-8610, Tokyo Machida, Tamagawa-gakuen, 6-1-1 eerhCne o unu nomto Science Information Quantum for Center Research RSO aa cec n ehooyAgency Technology and Science Japan PRESTO, -- oco aauh,Siaa Japan Saitama, Kawaguchi, Honcho, 4-1-8 aaaaUiest eerhInstitute Research University Tamagawa oCryptography to isr Hamada Mitsuru onding in y ate at e s o etr in vectors for endby defined 0 C pair n I epciey etosVIadVI,cnanremark contain VIII, respectively. summary, and a VII Section and Sections in respectively. explained sym- VI, are General codes, and cod quotient cryptography. conjugate and quantum that codes, to argued plectic is applicable codes it are quantum IV, CSS pairs Section III, In Section explained. in are and introduced, are codes eti odto,wihwl egvnsoty hra [7 where whereas case shortly, the given for be result the will describes which condition, certain a ato 7 huhordsrpini lgtymr eea i a pair general of code more general paraphrase slightly a a is treat nearly description explicitly is we our that paper though remark [7] this We of of emphasized. part portion large are a encryption, cryptog that direct to applications allow particular, In which codes. of class this refere and [8] suited (e.g., therein). be to computing to quantum notably said fault-tolerant are most for codes noise, CSS quantum QECCs, or Among decoherence. errors the to a to vulnerable states back quantum more since Turning computing deem wishes. quantum codes for one these indispensable mightier if QECCs, (algebraic) QKD is of as encryption motivation the original used direct decrypts be receiver the The the can key. using and and shared data receiver the secret the using to a data aft message it encrypts that sends secret is sender and scenario the the key typical key, not A the is send. to sharing itself wishes key sender the shared that the and parties, } eueafiiefield finite a use We . ewrite We hsppri raie sflos nScinI,conjugate II, Section In follows. as organized is paper This ema yan by mean We h i fti oki oehnemtvto ostudy to motivation enhance to is work this of aim The o subset a for rCScd arover pair code CSS or ( B x F 1 q n x , . . . , ≤ C elet We . C I C II. of [[ if F ,k n, n q n B ) ONJUGATE F . C · q ]] ( sasbru fa diiegroup additive an of subgroup a is ⊥ y F of ojgt cmlmnay code (complementary) conjugate 1 q denote y , . . . , q pair a lmns n h o product dot the and elements, C { n ( y ODES = ) C ∈ 1 C C , 1 F X i =1 ( n q n = 2 C ) ∀ | 1 x C ossigo an of consisting C , i 2 x y . i 2 ∈ ) ,x C, satisfying raphy, · nces y V s (1) ed = re er n e s 1 ] , 2

1 [n, k1] linear code C1 and an [n, k2] linear code C2 satisfying and n NJ = {Nx | x ∈ J}, J ⊆ X . C⊥ ≤ C , (2) 2 1 An obvious but important consequence of (5) is that XuZw ′ ′ ⊥ u w ′ ′ which condition is equivalent to C1 ≤ C2, and and X Z commute if and only if u · w − w · u =0. The map k = k1 + k2 − n. (3) ([u, w], [u′, w′]) 7→ u · w′ − w · u′ (6) ⊥ If C1 and C2 satisfy (2), the quotient codes C1/C2 and is a symplectic bilinear form, which we refer to as standard. ⊥ C2/C1 are said to be conjugate. The notion of quotient codes A CSS code is specified by two classical linear codes (i.e., was introduced in [9], and will be explained in Section VI. Fn 2 subspaces of q ) C1 and C2 with (2). Coset structures are The goal, in a long span, is to find a conjugate code exploited in construction of CSS codes. We fix some set of ⊥ ⊥ pair (C1, C2) such that both C1/C and C2/C have good Fn 2 1 coset representatives of the factor group q /C1, for which performance. If the linear codes C1 and C2 both have good the letter x is always used to refer to a coset representative in ⊥ ⊥ performance, so do C1/C and C2/C . Hence, a conjugate ⊥ 2 1 this section, that of C1/C2 , for which v is used, and that of code pair (C1, C2) with good (not necessarily a technical term) Fn q /C2, for which z is used. These may be written as C and C is also desirable. 1 2 Fn x ∈ q /C1, Fn III. CALDERBANK-SHOR-STEANE CODES z ∈ q /C2, ⊥ The complex linear space of operators on a Hilbert space v ∈ C1/C2 H L H is denoted by ( ). A quantum code usually means a where is in abuse as usual. Put , ⊗n ∈ k1 = dim C1 k2 = pair (Q, R) consisting of a subspace Q of H and a ⊥ dim C2, and assume g1,...,gn−k2 form a basis of C2 , and trace-preserving completely positive (TPCP) linear map R on ⊥ h1,...,hn−k form a basis of C . We assume k1 is larger L(H⊗n), called a recovery operator. The subspace Q alone 1 1 than n − k2. is also called a code. Symplectic codes have more structure: The operators They are simultaneous eigenspaces of commuting operators on h h − g g − H⊗n. Once a set of commuting operators is specified, we have Z 1 ,...,Z n k1 , X 1 ,...,X n k2 , (7) a collection of eigenspaces of them. A symplectic code refers which generate the so-called stabilizer of the CSS code, to either such an eigenspace or a collection of eigenspaces, commute with each other, so that we have simultaneous each possibly accompanied by a suitable recovery operator. In eigenspaces of these operators. Specifically, put this section and the next, we assume H is a Hilbert space of 1 dimension q, and q is a prime (but see Section VII-E). Then, |φ i = ωz·w|x + v + wi (8) q−1 xzv ⊥ X F Z Z H |C | ⊥ q = /q . We fix an orthonormal basis (|ii)i=0 of . p 2 w∈C In constructing symplectic codes, the following basis of 2 L(H⊗n) is used. Let unitary operators X,Z on H be defined for coset representatives x, z and v. Then, we have by hj x·hj Z |φxzvi = ω |φxzvi, j =1,...,n − k1 j X|ji = |j − 1i, Z|ji = ω |ji, j ∈ Fq (4) and with ω being a primitive q-th root of unity (e.g., ei2π/q). For gj z·gj Fn u u u1 X |φxzvi = ω |φxzvi, j =1,...,n − k2. u = (u1,...,un) ∈ q , let X and Z denote X ⊗···⊗ Xun and Zu1 ⊗···⊗Zun , respectively. The operators XuZw, Fn Fn It can be checked that |φxzvi, x ∈ q /C1, z ∈ q /C2, v ∈ u, w ∈ Fn, form a basis of L(H⊗n), which we call the Weyl ⊥ H⊗n q C1/C2 , form an orthonormal basis of . In words, we have (unitary) basis [15]. We have the commutation relation k1+k2−n q -dimensional subspaces Qxz such that Lx,z Qxz = ′ ′ ′ ′ ′ ′ ⊗n · − · H and is spanned by orthonormal vectors , (XuZw)(Xu Zw )= ωu w w u (Xu Zw )(XuZw), (5) Qxz |φxzvi ⊥ Fn Fn v ∈ C1/C2 , for each pair (x, z) ∈ ( q /C1) × ( q /C2). ′ ′ Fn Fn Fn for u,w,u , w ∈ q , which follows from XZ = ωZX. It The subspaces Qxz, (x, z) ∈ ( q /C1) × ( q /C2), are the is sometimes useful to rearrange the components of (u, w) simultaneous eigenspaces of the operators in (7), and form a appearing in the operators XuZw in the Weyl basis as follows: CSS code. Fn ⊥ For u = (u1,...,un) and w = (w1,...,wn) ∈ q , we denote In [7], we have treated the case when C1 = C2 = C with by [u, w] the rearranged one a code C. In this case, C is necessarily self-orthogonal3 by

n (2). We will consistently use k to denote the logarithm of the (u1, w1),..., (un, wn) ∈ X ,
dimension of Qxz, viz., where X = Fq × Fq. We occasionally use another symbol N k = k1 + k2 − n = log dimC Qxz. (9) for the Weyl basis: q 2 ⊥ Our code pair (C1, C2) often appears as (C1, C ) in the literature [2], u w 2 N[u,w] = X Z [6], [9]. Our choice would be more acceptable to coding theorists because good (not necessarily a technical term) codes C1 and C2 result in a good 1 n k ⊥ When the number of elements of a code C ⊆ Fq is q , it is called an [n,k] CSS code while the performance of C2 seemingly has no direct meaning. code. Readers unfamiliar with coding theory are referred to [9, Section 2] or 3A subspace C with C ≤ C⊥, which is equivalent to ∀x,y ∈ C, x·y = 0, standard textbooks such as [10], [11], [12], [13], [14]. is said to be self-orthogonal (with respect to the dot product). 3

Decoding or recovery operation for a CSS quantum code where E denotes the expectation operator with respect to can be done as follows. If we choose a set Γi of coset (X, Z). Hence, if 1 − EFXZ goes to zero faster than 1/n, then Fn V E XZ representatives of q /Ci (i = 1, 2), we can construct a I( ; | ) → 0 as n → ∞. We have seen in [7] that the recovery operator R for Qxz so that the code (Qxz, R) is convergence is, in fact, exponential for some good CSS codes, E −nE+o(n) NJ(Γ1,Γ2)-correcting in the sense of [16], where J(·, ·) is viz., 1 − FXZ ≤ q with some E > 0. This, together defined by with (14), implies

−nE+o(n) J(Γ1, Γ2)= {[x, z] | x ∈ Γ1 and z ∈ Γ2}. (10) I(V; E|XZ) ≤ 2q [n(E + R) − o(n)], (15) In fact, Q is N ′ ′ -correcting with xz J(Γ1,Γ2) where we used the upper bound −2t log t for h(t), 0 ≤ t ≤ ′ ⊥ ′ ⊥ 1/2, which can easily be shown by differentiating t log t (or Γ1 =Γ1 + C2 and Γ2 =Γ2 + C1 . (11) by Lemma 2.7 of [19]). Thus, we could safely send a secret This directly follows from the general theory of symplectic ⊥ data v+C2 provided we could send the entangled state |φxzvi codes [4], [5], [17, Proposition A.2] on noticing that the in (8) and the noise level of the quantum channel including operators in the Weyl basis that commute with all of those Eve’s action were tolerable by the quantum code. u w in (7) are X Z , u ∈ C1, w ∈ C2 (see also Sections V and In the above scheme, the legitimate sender, Alice, and VI). receiver, Bob, should share the random variables XZ, say, by sending them through a public channel that is free from IV. CSS CODES AS CRYPTOGRAPHIC CODES tampering of malicious parties (but see Section IV-C). In Schumacher [18, Section V-C], using the Holevo bound, particular, we assume Eve can possibly observe XZ without argued that if a good quantum channel code is used as a tampering them as in the literature on quantum key distribu- cryptographic code, the amount of information leakage to the tion. possible eavesdropper is small. In this section, we will apply Schumacher’s argument to CSS codes. B. Reduction to Cryptographic Code A. Quantum Codes and Quantum Cryptography In [7], borrowing the idea of [6], we have reduced the above V ⊥ cryptographic scheme to the BB84 protocol. We now explain Suppose we send a k-digit secret information + C2 ∈ ⊥ that this reduction argument also shows that conjugate code C1/C2 physically encoded into the state |φXZVi ∈ QXZ, where we regard X, Z as random variables, and assume (X, Z) pairs (CSS codes) can be used as cryptographic codes. 4 The above scheme is simply summarized as ‘choose XZ are randomly chosen according to some distribution PXZ. = Once the eavesdropper, Eve, has done an eavesdropping, xz randomly, and encode the secret data into the basis namely, a series of measurements, Eve’s measurement results (|φxzvi)v of the quantum code QXZ.’ We would encounter form another random variable, say, E. We use the standard several difficulties and drawbacks in implementing the above symbol I to denote the mutual information (in information scheme in this form. Among others, the state |φxzvi defined in theory). (8) is entangled in general, and therefore the above scheme is According to [18, Section V-C], hard to implement with the current technology. To overcome this problem, we use Shor and Preskill’s observation that the V E X Z (12) I( ; | = x, = z) ≤ Sxz probabilistic mixture of |φxzvi with x, v fixed and z chosen uniformly randomly over Fn/C⊥ is given as where Sxz is the entropy exchange after the system suffers a q 2 channel noise N , Eve’s attack E, another channel noise N ′, 1 and the recovery operation R = Rxz for Qxz at the receiver’s X |φxzvihφxzv | |C⊥| end. Let us denote by Fxz the fidelity of the code (Qxz, R) 2 z employing the entanglement fidelity Fe [18]. Specifically, 1 = ⊥ X |w + v + xihw + v + x|, (16) ′ |C | 2 ∈ ⊥ Fxz = FeπQxz , RN EN
w C2 where πQ denotes the normalized projection operator onto Q, which can be prepared as the mixture of states |w + v + xi 5 and BA(ρ)= BA(ρ)
for two CP maps A and B, etc. Then, with no entanglement. Then, clearly, if Alice sends the secret by the quantum Fano inequality [18, Section VI], we have data v encoded into the state in (16) with x chosen randomly according to PX (the marginal distribution of PXZ), the in- S ≤ h(F )+(1 − F )2nR (13) xz xz xz equalities deduced in the previous subsection, in particular, where h is the binary entropy function and R = the bound on the information leakage to Eve in (15), remain −1 n logq dim Qxz. Combining (12) and (13) and taking the true. Thus, we can send secret data safely by the following averages of the end sides, we obtain scheme. I(V; E|XZ) Conjugate-Code-Based Cryptographic Code. Alice sends a -digit secret information V ⊥ ⊥ physically E E k + C2 ∈ C1/C2 ≤ h(FXZ)+(1 − FXZ)2nR encoded into the state in (16) where X = x is chosen randomly ≤ h(EFXZ)+(1 − EFXZ)2nR, (14) according to some distribution PX.

4The probability distribution of a random variable Y is denoted by PY. 5A proof of (16) is given in Section VII-F. 4

In this case, Alice and Bob should share X = x. We remark The history of information theory suggests it would be the random variable Z, the states |φxzvi and the recovery reasonable to treat first the tractable case where E is known ⊗n operator Rxz are fictitious in that they do not appear in the to the legitimate participants (and A = E ) to pursue the above reduced cryptographic code, but they proved useful for fundamentals of the issue of transmitting private data (cf. demonstrating the security. These need only exist in theory, [20], [21]). Then, we can interpret the above argument as and need not be implemented in practice. indicating the existence of a good cryptographic code (a kind Up to now, we have fixed our attention on proving the of random coding proof). Namely, we can single out the best security. However, we should ensure reliable transmission. index x such that EZFxZ ≥ EXZFXZ, where EY denotes the Namely, the probability of disagreement between Alice’s data expectationb operator withb respect to a random variable Y. V and Bob’s data V′, which should be the result of decoding Replacing the original random variable X with that whose the cryptographic code, must be reasonably small. For the probability concentrates on x, we have a protocol that does conjugate-code-based (CSS-code-based) cryptographic code, not require transmission of informationb X through an auxiliary we employ the following decoding principle. The receiver public channel. performs a decoding algorithm for the coset code x + C1 that Still, it would be desirable to remove the assumption that Fn correct errors in Γ1, a set of coset representatives of q /C1. the legitimate participants know A. That is, universal codes The algorithm is the obvious modification of a decoding that do not depend on the channel characteristics are desir- algorithm for the linear code C1. In the next subsection, we able. Regarding this issue, we make a small step forward. will see that a CSS quantum code with high fidelity results It seems difficult to construct universal cryptographic codes in a secure and reliable cryptographic code, where a reliable without transmission of auxiliary information for the com- cryptographic code means that with small decoding error pletely general class of channels. However, this is possible probability. Note that if PX(x)=1 for some x, we do not with our conjugate-code-based cryptographic code if the class have to send X (see the next subsection). of A is restricted to those such that EZFxZ does not depend on x. This situation occurs if, e.g., A has the form A : u w u w † ρ 7→ Fn P (u, w)X Z ρ(X Z ) with a probability C. Evaluating Fidelity Pu,w∈ q Fn 2 distribution P on ( q ) . This condition is equivalent to that A Note that the underlying CSS codes (before the reduction) † is ‘Weyl-covariant’: NxA = ANx, where Nx : ρ 7→ NxρNx, has the fidelity EFXZ which is bounded by x ∈ X n (see, e.g., [17, Section 2.5]). More generally, the E ′ ′ c situation occurs if A has the property 1 − FXZ ≤ PA(J(Γ1, Γ2) ), (17) ′ ′ A(XuρX−u)= XuA(ρ)X−u where J, Γ1 and Γ2 are as in (10) and (11). The right-hand side ′ ′ of (17) can be written as Pr{ξ ∈/ Γ1 or ζ ∈/ Γ2}, and hence for any ρ ∈ L(H⊗n) and u ∈ Fn. This condition is equivalent E ′ ′ q we have 1− FXZ ≤ Pr{ξ ∈/ Γ1}+Pr{ζ ∈/ Γ2}, where ξ and to ζ are random variables such that the distribution of [ξ, ζ] is n−k1 given by PA. The equality holds in (17) if |Γ1| = q and hl − u|A(|i − uihj − u|)|m − ui = hl|A(|iihj|)|mi n−k2 |Γ2| = q (namely, if they are complete systems of coset Fn for any i,j,l,m,u ∈ q , which reads ‘the channel looks the representatives). This follows from that the code is NJ(Γ′ ,Γ′ )- 1 2 same if we translate the basis (|ii)i to (|i − ui)i.’ correcting and that the fidelity of an NJ -correcting symplectic ⊗n ⊗n code is 1 − PA(J) for a channel A : L(H ) → L(H ), V. GENERAL SYMPLECTIC CODES where the probability distribution PA is associated with A in the manner described in [7], [17] (see also Section V). In the In this and next sections, the order q of the finite field F present context, A = N ′EN . An important fact is that the q is not necessarily a prime. In this section, we digress ′ to explain how general symplectic codes are defined and right-hand side of (17) is smaller than Pr{ξ ∈/ Γ1}, which is ⊥ how CSS codes are obtained from the general definition. The the decoding error probability when the quotient code C1/C2 F2n F is used as a conjugate-code-based cryptographic code. Hence, 2n-dimensional linear space q over q equipped with the by bounding the fidelity of the underlying CSS quantum codes, standard symplectic form we automatically obtain bounds on the security and reliability ′ ′ ′ ′ fsp((x1,z1,...,xn,zn), (x ,z ,...,x ,z )) simultaneously. 1 1 n n ′ ′ There are subtleties on (17). This fidelity bound is true for a = X xizi − zixi ⊗ ⊗ general TPCP map A : L(H n) → L(H n) if PXZ is uniform. i This is because (17) is based on Corollary 4 to Theorem 3 in which has already appeared in (6), plays a crucial role in [17] or the alternative reasoning in [7, Appendix A] and any algebraic QECCs. We can define the dual L⊥sp of L by X Z ⊥sp F2n f of these assumes the distribution of the syndrome ( , ) is L = {y ∈ q | ∀x ∈ L, sp(x, y)=0}. Let us call ⊥sp uniform. A desirable situation in the reduced cryptographic a subspace L with L ≤ L an fsp-dual-containing code code is that the entropy of PX is small. In particular, if or a dual-containing code (with respect to the symplectic PX(x)=1 for some x, or (17) is true for such a random form fsp). Then, we have a quantum code whose performance variable X for other reasons, we do not need the public channel is closely related to that of the classical code L. The code to send X. This is possible if the map A = N ′EN is known to is called a symplectic (quantum) code with parity check set F2n the legitimate participants of the protocol as explained below. (y1,...,yn−k), where y1,...,yn−k ∈ q form a basis of 5

⊥sp ⊥sp L , or a symplectic code with stabilizer NL⊥sp . Here, as above with C1, C2, the quotient code L/L has the form F2n ⊥ ⊥ N : u 7→ Nu is Weyl’s projective representation [15] of q C1/C2 ⊕ C2/C1 . Thus, the CSS code Qxz in Section III is ′ ⊥ ′ ⊥ (the same as in Section III). ′ ′ -correcting with and . NJ(Γ1,Γ2) Γ1 =Γ1 + C2 Γ2 =Γ2 + C1 A f ⊥ Suppose n,k is the ensemble of [2n,n + k] sp-dual- In particular, the CSS code has large fidelity if both C1/C2 F ⊥ containing codes over q. We can regard them [n, (n + and C2/C1 have small decoding error probabilities. This is F2 k)/2] additive codes over X = q if we pair up the ground where the goal described in Section II stems from. the coordinates of any word (x1,z1,...,xn,zn) to have It might be said that the structure of quotient codes were n ((x1,z1),..., (xn,zn)) ∈ X . We can associate with an inherent in quantum error-correcting codes and CSS-code- k [n, (n+k)/2] fsp-dual-containing code a set of d -dimensional based cryptographic codes. subspaces of H⊗n, which can be used for quantum error correction [3], [4], [5]. Namely, we have the next lemma, VII. REMARKS which is a slight reformulation of the original one [3], [4]. A. Model of Eavesdropping A measurement is modeled as a completely positive (CP) Lemma 1: Suppose a subspace L ∈ An,k and a set J of F2n instrument whose measurement result belongs to a finite or representatives of cosets of L in q are given. Then, we have a qk-dimensional subspace of H⊗n that works as an N - countable set (e.g., [23], [24], [25], [26], [27]). The specific J model employed in this work is the same as in [7] and as correcting code with a suitable recovery operator, where J =e follows. J + L⊥sp = {x + y | x ∈ J, y ∈ L⊥sp }. e We assume a TPCP map L H⊗n L H⊗n represents For a proof, see [4] or, e.g., [22], [17]. Roughly speaking, A : ( ) → ( ) the whole action of Eve (plus the other environment). This given a set of operators F, a quantum code being F-correcting means that there exists a decomposition (CP instrument) {A } or a code corrects ‘errors’ in F means that it recovers any state i i such that A = A , where A are trace-nonincreasing CP in the code subspace perfectly after the state suffers ‘errors’ Pi i i maps, and when the initial state of the system of the whole belonging to F [16]. The precise definition of F-correcting is sent digits is , Eve obtains data E with probability not requisite for evaluating the performance of quantum codes. ρ = i leaving the system in state . Here, Indeed, the next fact is enough to treat symplectic codes [17]: Tr Ai(ρ) Ai(ρ)/Tr Ai(ρ) the decomposition may depend on the other random variables If we properly define the performance measure of symplectic available to Eve. codes, it equals the probability P (J). The performance A A minor comment follows. Let the random variable E′ measure is the entanglement fidelity averagede over the whole denotes Eve’s measurement result on the whole sent digits. syndromes, which was already used in Section IV. Then, the random variable E above mentioned has more A CSS code is a symplectic code with stabilizer N ⊥sp such L information than E′ since E includes the data relevant to the that L⊥sp has the form L⊥sp = {[u, w] | u ∈ C⊥, w ∈ C⊥} 2 1 other environment. However, there is no harm in considering with some C1 and C2. In this case, L = {[u, w] | u ∈ C1, w ∈ E ⊥sp ⊥ as Eve’s data for the purpose of proving the security. C2}, so that L ≤ L can be written as C2 ≤ C1, the requirement we have posed. B. Related Information Theoretic Problems

VI. QUOTIENT CODES In [20], [21], information theoretic problems related to ours are treated. These and the present work or [7] share the goal of Now, we turn to the realm of finite fields or algebraic coding secure transmission of private data, but their specific purpose theory. In [9], the notion of quotient codes was introduced to in [20], [21] is to establish coding theorems on the best explain QECCs. The aim of [9] was to exhibit the essence, asymptotically achievable rates. Our codes are linear codes at least, for algebraic coding theorists, of algebraic quantum while theirs lack such a helpful structure and are hard to F coding. A quotient code of length n over q is an additive conceive aimed at practical use. quotient group with Fn. In the scenario of C/B B ≤ C ≤ q The quantum theoretical models treated in the literature quotient codes in [9], the sender encodes a message into a above mentioned can be regarded as generalizations of that member c of C/B, chooses a word in c according to some of [28]. What are called conjugate-code-based cryptographic probability distribution on c, and then sends it through the codes in the present work essentially fall in the class of coding channel. Clearly, if C is a J-correcting in the ordinary sense, systems in [28]. C/B is (J + B)-correcting (since adding a word in B to a code-coset does not change it). A conjugate-code-based cryptographic code effectively means a quotient code in this C. Wiesner's Conjugate Coding scenario. A conjugate-code-based cryptographic code may be The term ‘conjugate coding’ appeared in the pioneering said to be an error-correcting code that can protect information work on quantum cryptography [29], where the idea of encod- from eavesdroppers, and hence may be called a cryptographic ing secret information into quantum states, more specifically, error-correcting code. into conjugate bases, was proposed. This idea is still alive Lemma 1 may read that if L is a dual-containing code in CSS-code-based cryptographic codes or QKD schemes. ⊥sp with respect to fsp, and the quotient code L/L is J- However, this is a problem of modulation in the language of correcting, then the corresponding symplectic quantum codee is communication engineers. Thus, our meaning of ‘conjugate’

NJ -correcting. Turning our attention to the CSS code specified is different from, though related to, that of [29]. e 6

D. QKD Protocol ACKNOWLEDGMENT The BB84 QKD protocol as treated in [30], [6] or its vari- The author wishes to thank O. Hirota, Professor of Tama- ants is, roughly speaking, the CSS-code-based cryptographic gawa University, for encouragement. code plus a scheme for estimating the noise level, where the noise includes the effect of eavesdropping. Mainly due to the scheme for noise estimation, the protocol needs public commu- REFERENCES nication. We have used the dichotomy of cryptographic codes [1] P. W. Shor, “Scheme for reducing decoherence in quantum computer and estimation schemes in analysis of the QKD protocol [7], memory,” Phys. Rev. A, vol. 52, pp. R2493–2496, 1995. and have focused more on cryptographic codes in the present [2] A. R. Calderbank and P. W. Shor, “Good quantum error correcting codes work. exist,” Phys. Rev. A, vol. 54, pp. 1098–1105, 1996. [3] A. R. Calderbank, E. M. Rains, P. W. Shor, and N. J. A. Sloane, “Quantum error correction and orthogonal geometry,” Phys. Rev. Lett., E. Non-prime Alphabet vol. 78, pp. 405–408, Jan. 1997. [4] A. R. Calderbank, E. M. Rains, P. W. Shor, and N. J. A. Sloane, Let q = pm with p prime. We have assumed m = 1 “Quantum error correction via codes over GF(4),” IEEE Trans. Inform. in Sections III and IV. When m > 1, a conjugate code Theory, vol. 44, pp. 1369–1387, July 1998. F [5] D. Gottesman, “Class of quantum error-correcting codes saturating the pair (C1, C2) over q is still useful for quantum coding and quantum Hamming bound,” Phys. Rev. A, vol. 54, pp. 1862–1868, Sept. cryptography. This is because elements of Fq can be expanded 1996. m into F using dual bases in such a way that TrF F xy = [6] P. Shor and J. Preskill, “Simple proof of security of the BB84 quantum p q / p key distribution protocol,” Phys. Rev. Lett., vol. 85, pp. 441–444, July Pi xiyi, where (x1,...,xm) is the representation of x with 2000. respect to one basis and (y1,...,ym) is that of y with respect [7] M. Hamada, “Reliability of Calderbank-Shor-Steane codes and security of quantum key distribution,” J. Phys. A: Math. Gen., vol. 37, pp. 8303– to the dual [31]. Applying these representations to (C1, C2), F 8328, 2004. E-Print, quant-ph/0308029, LANL, 2003. we obtain a conjugate code pair over p. This follows easily [8] A. M. Steane, “Efficient fault-tolerant quantum computing,” Nature, from [32, Theorem 1], or [33, Theorem 1]. vol. 399, pp. 124–126, 1999. [9] M. Hamada, “Quotient codes and their reliability,” IPSJ Digital Courier, vol. 1, pp. 450–460, Oct. 2005. Available at F. Proof of (16) http://www.jstage.jst.go.jp/article/ipsjdc/1/0/1 450/ article Also appeared in IPSJ Journal, vol. 46, pp. 2428–2438, no. 10, Oct., The left-hand side can be written as 2005. ′ [10] R. J. McEliece, The Theory of Information and Coding. London: 1 z·(w−w ) ′ X X ω |x + v + wihx + v + w | Addison-Wesley, 1977. |C⊥|2 2 w,w′∈C⊥ z [11] W. W. Peterson and E. J. Weldon, Jr., Error-Correcting Codes. MA: 2 MIT Press, 2nd ed., 1972. ′ and we see ωz·(w−w ) vanishes whenever w 6= w′.6 Hence, [12] J. H. van Lint, Introduction to Coding Theory. Berlin: Springer-Verlag, Pz 3rd ed., 1999. we have (16). [13] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. NY: North-Holland, 1977. [14] E. R. Berlekamp, ed., Key Papers in The Development of Coding Theory. G. Other Comments NY: IEEE Press, 1974. We take this opportunity to make corrections to related [15] H. Weyl, Gruppentheorie und Quantenmechanik. Leipzig: Verlag von S. Hirzel in Leipzig, 1928. English translation, The Theory of Groups and works of the present author [7], [34], [9]. (a) Ref. [7]: On Quantum Mechanics, of the second (1931) ed. was reprinted by Dover, n p. 8313, line 5, ‘Γn = Γn +1 ’ should read ‘Γn = Γn + 1950. {0n, 1n}’. (b) Ref.e [9]: On p. 453, right column,e 5th line [16] E. Knill and R. Laflamme, “Theory of quantum error-correcting codes,” Phys. Rev. A, vol. 55, pp. 900–911, Feb. 1997. ⊥sp from the bottom, ‘basis of L’ should read ‘basis of L ’. [17] M. Hamada, “Notes on the fidelity of symplectic quantum error- (c) Ref. [9]: On p. 453, right column, 4th line from the correcting codes,” International Journal of Quantum Information, vol. 1, no. 4, pp. 443–463, 2003. bottom, ‘NL’ should read ‘N ⊥sp ’. (d) Ref. [34]: On p. 6, right L [18] B. Schumacher, “Sending entanglement through noisy quantum chan- column, line 16, the period should be removed, and ‘With’ in nels,” Phys. Rev. A, vol. 54, pp. 2614–2628, Oct. 1996. the subsequent line should be decapitalized. [19] I. Csisz´ar and J. K¨orner, Information Theory: Coding Theorems for Discrete Memoryless Systems. NY: Academic, 1981. [20] I. Devetak, “The private classical information capacity and quantum VIII. SUMMARY AND CONCLUDING REMARKS information capacity of a quantum channel,” IEEE Trans. Information Conjugate codes were introduced without referring to Theory, vol. 51, pp. 44–55, Jan. 2005. [21] N. Cai, A. Winter, and R. W. Yeung, “Quantum privacy and quantum Hilbert spaces so as to be more accessible to algebraic coding wiretap channels,” Problems of Information Transmission, vol. 40, no. 4, theorists. The bridge between the coding theorists’ universe, pp. 318–336, 2004. the vector space over a finite field, and quantum mechanical [22] A. Ashikhmin and E. Knill, “Nonbinary quantum stabilizer codes,” IEEE Trans. Information Theory, vol. 47, pp. 3065–3072, Nov. 2001. worlds that are represented by Hilbert spaces is Weyl’s pro- [23] A. S. Holevo, Statistical Structure of Quantum Theory. Berlin: Springer, F2n n n jective representation N of q ≃ X , N : X ∋ x 7→ Nx. 2001. Applicability of conjugate codes to cryptography was argued. [24] K. Kraus, “General state changes in quantum theory,” Annals of Physics, vol. 64, pp. 311–335, 1971. A class of good conjugate code pairs will be given in future [25] K.-E. Hellwig, “General scheme of measurement processes,” Interna- works [33], [35], [36]. tional Journal of Theoretical Physics, vol. 34, pp. 1467–1479, 1995. Reprinted in Quantum Computation and Quantum Information Theory, 6This follows by an easy direct calculation, but may be seen as a basic ′ C. Macchiavello et al. eds., World Scientific, Singapore, 2000. property of characters (e.g., [12]): the map f : z 7→ ωz·(w−w ) is a character, [26] K. Kraus, States, Effects, and Operations. Berlin: Springer, 1983. and f(z) =6 1 for some z if w =6 w′. Lecture Notes in Physics, vol. 190. 7

[27] J. Preskill, Lecture Notes for Physics 229: Quantum Information and Computation. 1998. Available at http://www.theory.caltech.edu/people/ preskill/ph229. [28] A. D. Wyner, “The wire-tap channel,” The Bell System Technical Journal, vol. 54, pp. 1355–1387, Oct. 1975. [29] S. Wiesner, “Conjugate coding,” SIGACT News, vol. 15, no. 1, pp. 78– 88, 1983. [30] D. Mayers, “Unconditional security in quantum cryptography,” J. As- soc. Comp. Mach., vol. 48, pp. 351–406, 2001. [31] R. Lidl and H. Niederreiter, Finite Fields. Cambridge: Cambridge University Press, 2nd ed., 1997. [32] T. Kasami and S. Lin, “The binary weight distribution of the extended (2m, 2m − 4) code of the Reed-Solomon code over GF(2m) with generator polynomial (x−α)(x−α2)(x−α3),” Linear Algebra Appl., vol. 98, pp. 291–307, 1988. [33] M. Hamada, “Concatenated conjugate codes,” submitted to IEEE Trans. Information Theory, 2006. [34] M. Hamada, “Teleportation and entanglement distillation in the presence of correlation among bipartite mixed states,” Phys. Rev. A, vol. 68, pp. 012301–1–7, 2003. E-Print, quant-ph/0302054, LANL, 2003. [35] M. Hamada, “Minimum distance of concatenated conjugate codes for cryptography and quantum error correction,” to be submitted to IEEE Trans. Information Theory, 2006. [36] M. Hamada, “Conjugate codes for secure and reliable information transmission,” to appear in Proc. Information Theory Workshop 2006, Chengdu, China, 2006.