The Private Classical Capacity With Symmetric Assistance

Graeme Smith IBM TJ Watson Research Center

QIP 2008 Based on arXiv:0705.3838

1 Goal: Private Classical communication over a quantum channel

A N B

Cp(N ): rate, in bits per channel use, at which A can send secret information to B, given N ⊗n. The information should be secret from Eve, who holds the purification of the channel. † N (ρ) = TrEUN ρUN , where UN : A → BE.

2 Outline

• Private classical capacity

• Symmetric side channel assisted capacity

• Degradable channels

• An (easily evaluated) upper bound for the private capacity

• Application: Separating individual and collective attacks on BB84

3 Private Classical Capacity of Classical Broadcast channel

Csiszar & Korner ’78

X → (Y,Z) ∼ p(y, z|x)

Receiver gets Y , eavesdropper gets Z.

Q: What is the optimal rate of private communication from sender to receiver?

A: maxX→T (I(T ; Y ) − I(T ; Z))

mutual information: I(T ; Y )= H(T )+ H(Y ) − H(TY )

4 Private Classical Capacity of a Quantum Channel

Devetak ’03

Sender has access to a channel UN : A → BE. Would like to send classical information to B, but keep it secret from E.

Q: What is the optimal rate of private communication from sender to reciever?

A:

1 n n Cp(N )= lim max I(T ; B ) − I(T ; E ) n→∞ n {px,|φxi n }X→T  A 

5 Symmetric side channels: A little extra help

d d Let Sd be the d(d+1)/2-dimensional space of symmetric states on C ⊗ C . d(d+1)/2 V : C → Sd. † Ad(ρ) = Tr2V ρV .

Note: Ad has zero private capacity.

6 The ss-assisted private capacity

Allow the sender to use n copies of N , together with Ad, for d as big as she likes.

The resulting optimal rate for private classical communication is given by

Cp,ss(N )= sup (I(T ; BF ) − I(T ; EG)) , {px,|ϕxiAF G}X→T

with |ϕxiAF G symmetric in F G, and mutual informations evaluated on † x,t px,t|tiht|⊗ UN ⊗ IF G|ϕxihϕx|UN ⊗ IF G . A similarP trick works for the quantum capacity (Smith, Smolin, Winter ’06).

7 The ss-assisted private capacity: properties

Cp,ss is

• Single letter. :)

• Additive: Cp,ss(N1 ⊗ N2)= Cp,ss(N1)+ Cp,ss(N2). :)

• Convex:Cp,ss(pN1 + (1 − p)N2) ≤ pCp,ss(N1)+(1 − p)Cp,ss(N2). :)

• Still not a finite optimization. :(

8 Degradable Channels: Definition

Devetak and Shor ’03

† Channel: N (ρ) = TrEUρU † Complementary Channel: N = TrBUρU . N is Eve’s view of things. b N called degradable if there is a channel D such that b D ◦ N = N . (1)

Bob can simulate whatb Eve gets. Based on classical notion of degraded broadcast channel.

9 Degradable Channels Are Great!

Examples include:

• generalized dephasing channels (Devetak & Shor ’03)

• amplitude damping (Giovannetti & Fazio ’04)

• half of the qubit channels with two Kraus operators (Wolf & Perez-Garcia ’06)

• more! (Cubitt, Ruskai, Smith ’07)

They satisfy:

coh • Q(N )= I (N ) = maxφ I(AiB)I⊗N (|φihφ|) (Devetak & Shor)

coh • Cp,ss = Cp(N )= I (N ) (this work)

10 Simple upper bound on private capacity

Suppose N = i piNi with Ni degradable. P Then

Cp(N ) ≤ Cp,ss(N )= Cp,ss piNi i ! X coh ≤ piCp,ss(Ni)= piI (Ni) i i X X coh We can easily calculate I (Ni) for degradable Ni.

11 BB84 with one-way post-processing

• Alice sends Bob random bits in either {|0i, |1i} basis or |±i basis.

• Bob measures in one of the two bases randomly.

• Announce which basis chosen, and keep bits only when chose same basis.

• process raw key (add noise, do privacy amplification, error correction)

Individual attack: Eve measures each qubit individually, uses her outcomes to learn about the key.

Optimal individual attack found by Fuchs, Gisin, Griffiths, Niu and Peres in 1997.

12 BB84: Collective Attacks

Collective attack: Eve interacts a different probe with each qubit, then performs global measurement after Alice and Bob have established key. Usually can show security against collective attack is equivalent to fully coherent attack (e.g., Gottesman-Lo, Renner).

Presumably collective attacks are stronger than individual attacks, but this has been difficult to show. Why? Because Alice and Bob are allowed to do arbitrary (joint) processing on their raw key. That’s a lot of different things to analyse.

How we get around it: For degradable channels, the best protocol is very simple.

13 BB84: Collective Attacks

Independent phase and amplitude errors:

BB84 2 2 Nq (ρ) = (1 − q) ρ + q(1 − q)XρX + q Y ρY + q(1 − q)ZρZ 1 1 = UN ad(U †ρU)U †+ UXN ad(XU †ρUX)XU †, 2 γq 2 γq

i π X where U = e 4 and γq = 4q(1 − q).

coh ad I (Nγ ) = maxt∈[0,1] (H(t(1 − γ)) − H(tγ)) := f(γ), so

→ BB84 BB84 K (Nq )= Cp(Nq ) ≤ f(4q(1 − q)).

14 BB84: Key Rates

1.2

1

0.8

0.6 R

0.4

0.2

0

−0.2 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 0.16 q

Upper curve: optimal individual attack. Lower curve: best known achievable key rate. Middle curve: new upper bound.

15 Summary

• Private classical capacity with a symmetric side channel—upper bound on private classical capacity.

• Cp,ss: convex, additive, single-letter

coh • for degradable N , Cp,ss(N )= I (N )

• Application to BB84 with one-way post-processing: separates individual and collective attacks

Questions:

• Can we bound the size of Ad?

• Are there channels with Cp(N ) < Cp,ss(N )?

16