0809.3019 quantum.pdf

8/16/2019 0809.3019 quantum.pdf

1/4

a r X i v : 0 8 0 9 . 3 0 1 9 v 1

[ q u a n t - p h ] 1 7 S e p 2 0 0 8

Post-selection technique for quantum channels with applications to quantum

cryptography

Matthias ChristandlFaculty of Physics, Ludwig-Maximilians-University Munich, 80333 Munich, Germany

Robert KönigInstitute for Quantum Information, California Institute of Technology, Pasadena, CA 91125, USA

Renato RennerInstitute for Theoretical Physics, ETH Zurich, 8093 Zurich, Switzerland

(Dated: September 17, 2008)

We propose a general method for studying properties of quantum channels acting on an n-partitesystem, whose action is invariant under permutations of the subsystems. Our main result is that,in order to prove that a certain property holds for any arbitrary input, it is sufficient to considerthe special case where the input is a particular de Finetti-type state , i.e., a state which consists of nidentical and independent copies of an (unknown) state on a single subsystem. A similar statementholds for more general channels which are covariant with respect to the action of an arbitrary finiteor locally compact group.

Our technique can be applied to the analysis of information-theoretic problems. For example,in quantum cryptography, we get a simple proof for the fact that security of a discrete-variablequantum key distribution protocol against collective attacks implies security of the protocol against

the most general attacks. The resulting security bounds are tighter than previously known boundsobtained by proofs relying on the exponential de Finetti theorem [1].

In quantum mechanics, the most general way of de-scribing the evolution of a subsystem A (A may be partof a larger system) at time t to a subsystem A′ at a laterpoint in time t′ is by application of a quantum channel .Mathematically, a quantum channel is a completely pos-itive trace-preserving (CPTP) map transforming the re-duced density matrix ρA of system A at time t to ρA′ , thereduced density matrix of system A′ at time t′. CPTPmaps are used in various areas of physics and information

theory. A CPTP map modeling a particular quantumcommunication channel, for instance, describes how thechannel output ρA′ depends on the input ρA.

A common method to characterize a given CPTP mapE is to compare it to an idealized CPTP map F that iswell understood, e.g., because it has a simple description.For instance, given a physical communication channelspecified by E , one may characterize its ability to reliablytransmit messages by showing its similarity to a perfectchannel F characterized by the identity mapping id. An-other example is the analysis of information-theoretic orcryptographic protocols (e.g., for quantum key distribu-tion). Here, E may be the action of the actual protocol while F is the ideal functionality the protocol is supposedto reproduce. We are then typically interested in provingthat E is almost equal to F (in quantum cryptography,this corresponds to proving security).

In order to compare two CPTP maps E and F , weneed a notion of distance. A natural choice is the metricinduced by the diamond norm · ⋄ [9] since it is directlyrelated to the maximum probability that a difference canbe observed between the processes described by E andF , respectively. More precisely, consider a hypotheticalgame where a player is asked to guess whether a given

physical process is described by E or F , which are bothequally likely to be the correct descriptions. If the playeris allowed to observe the process once (with an input of his choice, possibly correlated with a reference system)then the maximum probability p of a correct guess isgiven by p = 12 +

14E − F⋄ . In particular, if E and F

are identical, the distance equals zero and, hence, p = 12 ,corresponding to a random guess. On the other hand, if E and F are perfectly distinguishable, we have E−F⋄ = 2

and p = 1.Here, we present a general method for computing anupper bound on the distance E −F⋄ between two mapsE and F , provided they act symmetrically on an n-partitesystem with subsystems H of finite dimension. While, bydefinition, the diamond norm involves a maximizationover all possible inputs, we show that for calculating thebound it is sufficient to consider (relative to a referencesystem) the particular input

τ Hn =

σ⊗nH µ(σH) , (1)

where µ(·) is the measure on the space of density op-erators on a single subsystem induced by the Hilbert-Schmidt metric. States of the form (1) are also knownas de Finetti states . They describe the joint state of nsubsystems prepared as identical and independent copiesof an (unknown) density operator σH. Because of theirstructure, de Finetti states are usually easy to handle incalculations and proofs, as outlined below.

As an example, we apply this result to the securityanalysis of quantum key distribution (QKD) schemes [2,3]. Let E be the map describing a given QKD proto-col, which takes as input n predistributed particle pairs

http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1http://arxiv.org/abs/0809.3019v1

8/16/2019 0809.3019 quantum.pdf

2/4

(which may have been generated in a preliminary pro-tocol step). Security of the protocol (against the mostgeneral attacks) is then defined by the requirement thatthe protocol E is close to the ideal functionality F thatsimply outputs a perfect key , independently of the input(which may be arbitrarily compromised by the action of an adversary). Now, according to our main result, thisdistance is bounded by simply evaluating the map E for

an input of the form (1) and comparing the generatedkey with a perfect key. We further show that this resultis equivalent to proving security of the scheme against arestricted type of attacks, called collective attacks , wherethe adversary is assumed to attack each of the parti-cle pairs independently and identically. Our result thusgives a simple proof for the statement (proved originallyin [1, 4]) that security of a QKD protocol against col-lective attacks implies security against the most generalattacks. The resulting security bounds are tighter thanpreviously known bounds obtained by proofs relying onthe exponential de Finetti theorem [1].

Main Result. Let ∆ be a linear map from End(H⊗n)to End(H′). In particular, ∆ may be the difference be-tween two CPTP maps. End(L) denotes the space of all endomorphisms on L, which includes the density op-erators on L. We denote by π the map on End(H⊗n)that permutes the subsystems with permutation π [10].Our main result, the Post-Selection Theorem [11], givesan upper bound on the norm of a permutation-invariantmap in terms of the action of the map on a purifica-tion [12] τ HnR of the state τ Hn defined by (1).

Theorem 1. If for any permutation π there exists a CPTP map Kπ such that ∆ ◦ π = Kπ ◦ ∆, then

∆⋄ ≤ gn,d

(∆ ⊗ id)(τ HnR)1 .

id denotes the identity map on End(R) and gn,d =n+d2−1

n

≤ (n + 1)d

2−1, for d = dim H.

The proof of Theorem 1 uses the following lemmawhich relates arbitrary density operators ρHnKn on thesymmetric subspace Symn(H ⊗ K) ⊂ (H ⊗ K)⊗n, forK ∼= H, to a particular purification of τ Hn. We de-fine the state τ HnKn =

σ⊗nHKd(σHK) on Sym

n(H ⊗ K),where d(·) is the measure on the pure states inducedby the Haar measure on the unitary group acting onH ⊗ K. We note that τ HnKn extends the state τ Hn de-fined in (1), i.e., trKnτ HnKn = τ Hn ; the measure µ(·)furthermore is the one induced by the Hilbert-Schmidtmetric on End(H) [5]. Let now τ HnKn N be a purificationof τ HnKn .

Lemma 2. For ρHnKn a density operator supported on Sym n(H ⊗ K), with K ∼= H, there exists a trace-non-increasing map T from the purifying system End( N ) toC such that

ρHnKn = gn,d (id ⊗ T )(τ HnKn N ) , (2)

where id is the identity map on End((H ⊗ K)⊗n) and d = dim H.

Proof. Let N ∼= Symn(H ⊗ K) and let {|ν i}i be aneigenbasis of ρHnKn. Since, by Schur’s lemma, τ HnKn isthe state proportional to the identity on Symn(H ⊗ K),τ HnKn N := |ΨΨ|HnKn N is a purification of τ HnKn ,

where |ΨHnKn N := g− 1

2

n,d

i |ν i ⊗ |ν i, and gn,d is the

dimension of Symn(H ⊗ K). Furthermore, for any basisvector |ν i,

|ν iν i|HnKn = gn,d tr N (τ HnKn N · 11HnKn ⊗ |ν iν i| N ) ,

where 11HnKn ∈ End((H ⊗ K)⊗n) is the identity. Thisimplies (2) with T : σ → tr(σρ N ), since {|ν i}i is aneigenbasis of ρHnKn. Because T is clearly trace-non-increasing, this concludes the proof.

Proof of Theorem 1. We need to show that for any finite-dimensional space R′ and any density operator ρHnR′ ,(∆ ⊗ id)(ρHnR′)1 ≤ gn,d

(∆ ⊗ id)(τ HnR)1 , (3)for some purification τ HnR of τ Hn . In a first step, weshow that it is sufficient to prove (3) for density operators

ρHn

R′

with support on Symn

(H ⊗ K), where K ∼= H andR′ = K⊗n. To see this, let ρHnR′ be an arbitrary density

operator and define the density operator

ρ̄HnR′R′′ = 1

n!

π

(π ⊗ id)(ρHnR′) ⊗ |ππ|R′′ ,

where the sum ranges over all permutations π of the nsubsystems and where {|π}π is an orthonormal family of vectors on an auxiliary space R′′. Then, by construction,the reduced state ρ̄Hn = trR′R′′(ρ̄HnR′R′′) is permuta-tion invariant. Hence, according to [4, 6], there exists apurification ρ̄HnKn of ρ̄Hn supported on Sym

n(H ⊗ K).In particular, because all purifications are equivalent up

to isometries, there exists a CPTP map G from End(K⊗n)to End(R′ ⊗ R′′) such that ρ̄HnR′R′′ = (id ⊗ G )(ρ̄HnKn).Making use of the assumption on the permutation invari-ance of ∆, we thus find that

(∆ ⊗ id)(ρHnR′)1 equals1

n!

π

(∆ ◦ π) ⊗ id(ρHnR′)1 =(∆ ⊗ id)(ρ̄HnR′R′′)1

=(∆ ⊗ G )(ρ̄HnKn)1 ≤

(∆ ⊗ id)(ρ̄HnKn)1 ,where the last inequality holds because a CPTP mapcannot increase the norm. It thus remains to showthat (3) holds for states ρHnKn in Sym

n(H ⊗ K). ByLemma 2 there exists a map T such that ρHnKn =

gn,d (id ⊗ T )(τ HnKn N ). Then, by linearity, we have(∆ ⊗ id)(ρHnKn)1 = gn,d(∆ ⊗ T )(τ HnKn N )1 .

Inequality (3) then follows from the fact that T cannotincrease the norm and by setting R = K⊗n ⊗ N .

Application to Quantum Key Distribution. QKD is theart of generating a secret key known only to two distantparties, Alice and Bob, connected by an insecure quan-tum communication channel and an authentic classical

2

8/16/2019 0809.3019 quantum.pdf

3/4

channel [13]. Most QKD protocols can be subdividedinto two parts. In the first, Alice and Bob use the quan-tum channel to distribute n entangled particle pairs (thisphase may include advanced quantum protocols such asquantum repeaters). In the second part, they apply localmeasurements (we will restrict ourselves to the typicalcase of measurements that are independent and identicalon each of the n pairs) followed by a sequence of classical

post-processing steps (such as parameter estimation , er-ror correction , and privacy amplification ) to extract ℓ keybits [14]. It induces a map E from (HA ⊗ HB)⊗n (the nparticle pairs) to the set of pairs (S A, S B) of ℓ-bit strings(Alice and Bob’s final keys, respectively) and C , whereC is a transcript of the classical communication. Notethat ℓ may depend on the input; in particular, ℓ = 0 if the entanglement of the initial particle pairs is too smallfor key extraction.

A QKD protocol is said to be ε-secure (for some smallε ≥ 0) if, for any attack of an adversary, the final keys S Aand S B computed by Alice and Bob are identical, uni-formly distributed, and independent of the adversary’sknowledge, except with probability ε. This criterion canbe reformulated as a condition on the map E . Since anadversary may have full control over the quantum chan-nel connecting Alice and Bob, we require that, for any input to E , the output is a pair (S A, S B) of secure keysof length ℓ ≥ 0 [15]. To make this more precise, let S be the map that acts on the output (S A, S B , C ) of E by replacing (S A, S B) by a pair (S

′A, S

′B) of identical and

uniformly distributed keys of the same length, while leav-ing C unchanged. With this definition, the concatenatedmap F := S ◦ E describes an ideal key distillation schemewhich always outputs a perfect key pair. We then saythat E is ε-secure if E − F⋄ ≤ ε.

E is typically invariant under permutations of the in-

puts. However, if it is not, permutation invariance canbe enforced by prepending an additional symmetrization step where both Alice and Bob permute their inputs ac-cording to a permutation π̄ chosen at random by oneparty and communicated to the other using the classi-cal channel [16]. We can thus apply Theorem 1 with∆ := E − F , which implies that E is ε-secure whenever

(E − F ) ⊗ id(τ HnR)1 ≤ ε̄ := ε(n + 1)−(d2−1) , (4)where H := HA ⊗ HB, where d = dim(H), and whereτ HnR is a purification of the state τ Hn defined by (1).

We will now employ (4) to show that for proving se-

curity of a QKD protocol it suffices to consider collective attacks , where the adversary acts on each of the signalsindependently and identically. Using the above formal-ism, we say that E is ε̄-secure against collective attacks if

(E −F )⊗id

(σ⊗nHK)1 ≤ ε̄, for any (pure) σHK on H⊗K,where K ∼= H. This immediately implies that the same

bound holds for the extension τ HnKn =

σ⊗nHKd(σHK)of τ Hn ,

(E − F ) ⊗ idKn(τ HnKn)1

≤ maxσHK

(E − F ) ⊗ idKn(σ⊗nHK)1 ≤ ε̄ . (5)

To obtain criterion (4), we need to show that a similar

bound still holds if we consider a purification τ Hn

Kn

N of τ HnKn. For this, we think of N as an additional systemthat is available to an adversary. Because N can be cho-sen isomorphic to Symn(H⊗K), its dimension is bounded

by (n + 1)d2−1. The idea is then to compensate the extra

information available to the adversary by slightly reduc-ing the size of the final key. More precisely, according tothe privacy amplification theorem (Theorem 5.5.1 of [4]),the protocol E ′ obtained from E by shortening the outputof the hashing by 2 log2 dim N ≤ 2(d

2−1)log2(n+1) bitssatisfies

(E ′ − F ′) ⊗ idKn N (κ)1 ≤ (E − F ) ⊗ idKn ⊗ tr N (κ)1 .

Setting κ equal to τ HnKn N and using (5), we concludethat (E ′ − F ′) ⊗ idKn N (τ HnKn N )1 ≤ ε̄, which corre-sponds to (4). We have thus shown that ε̄-security of E against collective attacks implies ε-security of E ′ againstgeneral attacks.

In the security analysis against collective attacks, thesecurity parameter ε̄ can be chosen exponentially small,

i.e., ε̄ ≤ 2−cδ2n (for some c > 0), at the only cost of

reducing the key size by an (arbitrarily small) fraction δ compared to the asymptotically optimal rate. The cru-cial observation made in this paper is that the securityparameter ε for general attacks and ε̄ are polynomially re-

lated (see (4)). We thus find ε ≤ 2−cδ2n+(d2−1)log

2(n+1),

which shows that security under the assumption of col-lective attacks implies full security essentially withoutchanging the security parameter. This security estimateimproves on previous estimates based on the exponentialde Finetti theorem and has a direct impact on the secu-rity analysis of current experimental implementations.

Concluding remark. The technical results in this pa-per deal with quantum states and channels that commutewith the action of the symmetric group on H⊗n, but canbe easily generalized to the action of an arbitrary finiteor locally compact group G on a space V [17]. Seen inthe light of more general symmetry groups G, we thushope that our results will find fundamental applications

in quantum physics beyond their presented use in quan-tum information theory.Acknowledgments. RK acknowledges support by the

NSA under ARO contract no. W911NF-05-1-0294 and bythe NSF under contract no. PHY-0456720. RR receivedsupport from the EU project SECOQC.

[1] R. Renner, Nature Physics 3, 645 (2007). [2] C. H. Bennett and G. Brassard, in Proc. of IEEE Int.

3

8/16/2019 0809.3019 quantum.pdf

4/4

Conf. on Computers, Systems and Signal Processing (1984), pp. 175–179.

[3] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).[4] R. Renner, Ph.D. thesis, ETH Zurich (2005), quant-

ph/0512258.

[5] K. Życzkowski and H.-J. Sommers, J. Phys. A 34, 7111(2001).

[6] M. Christandl, R. König, G. Mitchison, and R. Renner,Comm. Math. Phys. 273, 473 (2007).

[7] A. Y. Kitaev, Russian Math. Surveys 52, 1191 (1997).[8] C. H. Bennett, G. Brassard, and N. D. Mermin, Phys.

Rev. Lett. 68, 557 (1992).[9] The diamond norm is given by E⋄ = supk∈N E ⊗ idk1

where F1 := supσ1≤1 F (σ)1 and σ1 := tr√

σ†σis the trace norm. idk denotes the identity map on statesof a k-dimensional quantum system. The suprema arereached for positive σ and k equal to the dimension of the input of E [7].

[10] The permutation π on n elements acts on Hn = H⊗nby permuting the tensor factors, i.e., π|i1 · · · in =|iπ−1(1) · · · iπ−1(n) for a basis {|i} of H. The spaceof vectors invariant under the action of all π is de-noted by Symn(H). As a map on End(H⊗n) we writeπ(ρ) = π ρπ

−1

.[11] The proof essentially relies on the fact that the state thatmaximizes the diamond norm can be post-selected by ameasurement as constructed in Lemma 2.

[12] A purification τ HnR of τ Hn is a pure state on Hn ⊗ Rsatisfying trRτ HnR = τ Hn

[13] Authenticity means that the communication cannot bealtered by an adversary. If only completely insecure chan-nels are available, authenticity may be simulated using ashort initial key shared between Alice and Bob.

[14] This describes an entanglement-based protocol. How-ever, our results immediately extend to prepare-and-measure schemes , because their security analysis can gen-erally be reduced to corresponding entanglement-basedschemes [8].

[15] Of course, any non-trivial protocol generates keys of pos-itive length ℓ > 0 for at least some inputs.

[16] It is easy to see that this symmetrized key distillationprotocol E satisfies Kπ ◦ E ◦ π = E for any permutationπ, where Kπ is the operation that acts on the output(S A, S B, C ) by replacing the communicated permutationπ̄ (in C ) by π̄◦π. Similarly, we have Kπ◦(S◦E )◦π = S◦E ,because Kπ acts like the identity on the key pair (S A, S B).

[17] The role of H⊗n is taken by the space V of a finite-dimensional unitary representation V of G. We denoteby g|v ≡ V (g)|v the action of g ∈ G on |v ∈ V andby g (ρ) = V (g)ρV (g−1) the action on End(V ). The spaceK⊗n is replaced by a space W ∼= V on which G acts withthe dual representation, g|w = V (g−1)T |w for |w ∈ W .The role of the symmetric subspace Symn(

H⊗K) is then

taken by (V ⊗W )G = {|x ∈ V ⊗W : g × g|x = |x∀g ∈G}, the invariant space of V ⊗ W . The constant gn,dbecomes dim(V ⊗ W )G and the state τ VW is the stateproportional to the identity on (V ⊗ W )G ⊂ V ⊗W .

4

0809.3019 quantum.pdf

Documents