Authentication of continuous-variable quantum messages

Message authentication is a fundamental task in cryptography that enables a receiver to verify whether a message has been tampered with during transmission, and whether it originates from the claimed sender. By enabling tamper detection and origin verification, quantum authentication serves as a critical building block for advanced cryptographic protocols such as quantum one-time programs [15] and secure multiparty quantum computation [16‐18].

A quantum authentication scheme works with a classical symmetric key and consists of two keyed procedures: encoding (or encryption) and decoding (or decryption). The sender encodes the quantum message using the key. The recipient gets a quantum state and decodes it using the same key; attempts to forge or manipulate the quantum message are detected with high probability. The first Quantum Authentication Scheme (QAS) was introduced by Barnum et al. [12], where they also provided security definitions. One of the key results of their work was that any QAS must encrypt the quantum message. Their construction relied on purity-testing codes derived from quantum error-correcting codes (QECCs). It was later shown that such purity-testing codes can also satisfy universal composability [19].

The original security definition has since been strengthened by more robust proposals [19‐21]. It was shown that partial or even complete key reuse is possible, depending on the amount of key leakage [20, 22, 23]. A variety of QAS constructions have been proposed, based on polynomial codes [14, 16], Clifford codes [14], threshold codes [24], and trap codes [13, 15].

In this paper, we focus on trap code-based quantum authentication, first introduced in [15] and later refined with a more efficient security proof in [13]. The main idea behind trap codes is to insert dummy states—referred to as traps—into the quantum message (which has already been encoded using a QECC), and then apply a secret permutation and Quantum One-Time Pad encryption. The traps are used to detect any tampering by an adversary.

All of the quantum authentication schemes referred to above are designed for Discrete-Variable (DV) quantum states. In contrast, Continuous-Variable (CV) quantum message authentication remains relatively unexplored. CV systems are particularly attractive for practical implementations due to their compatibility with existing optical communication infrastructure.

In this work, we introduce the first quantum authentication scheme for CV quantum states. Our construction is an adaptation of the DV trap code-based QAS proposed by Broadbent, Gutoski, and Stebila [15]. Our security proof follows the proof technique of Broadbent and Wainewright [13]. While our construction and security proof contain no real surprises, the differences between DV and CV lead to several nontrivial features, e.g. the necessity to allow a small probability of error in the verification step; fine tuning scheme parameters in order to obtain properly matched step-like functions; a CV analogue of the Pauli twirl.

Our contributions are:

We use standard notation from quantum information theory. Quantum states are represented by density operators (positive semi-definite, trace-one operators) acting on Hilbert spaces, and we write them as \(\rho , \sigma \), etc., with subscripts indicating associated registers. The identity operator is denoted by \(\mathbbm {1}\), and the partial trace over a subsystem \(A\) is \(\textrm{Tr}\,_A\). We write \(\Vert A\Vert _1\) for the 1-norm, and \(\Vert \rho -\sigma \Vert _\textrm{tr}=\) \( \frac{1}{2}\Vert \rho - \sigma \Vert _1\) is the trace distance between two quantum states. Throughout, we consider bosonic modes with associated infinite-dimensional Hilbert spaces. Each mode is equipped with canonical quadrature operators \(\hat{x}, \hat{p}\) corresponding to position and momentum observables, satisfying the commutation relation \([\hat{x}, \hat{p}] = i\). The annihilation and creation operators are defined as \(\hat{a} = \tfrac{1}{\sqrt{2}}(\hat{x}+ i\hat{p}), \quad \hat{a}^\dagger = \tfrac{1}{\sqrt{2}}(\hat{x}- i\hat{p})\). The electromagnetic field in vacuum can be decomposed into plane waves. Plane waves with different parameters (direction, wavelength, polarization) are called modes. Each mode has its own creation/annihilation operators as defined above, which change the number of photons in the mode. The non-commuting observables \(\hat{x}\), \(\hat{p}\) represent the mode’s quadratures; a quadrature is a particular combination of the photon number n and the phase \(\varphi \) of the oscillation, such as \(x=\sqrt{n}\cos \varphi \) and \(p=\sqrt{n} \sin \varphi \). Quadratures are easy to measure experimentally with cheap hardware at room temperature.

The Wigner function provides a quasiprobability representation of a quantum state in phase space. For a single-mode density operator \(\hat{\rho }\), the Wigner function is given by \( W(x,p) = \frac{1}{\pi } \int _{-\infty }^{\infty } \langle x+y \vert \hat{\rho } \vert x-y \rangle \, e^{-2 i p y} \, \textrm{d}y \), where \(| x \rangle \) denotes the eigenstate of the quadrature operator \(\hat{x}\). The marginals of W(x, p) yield the probability distributions of quadrature measurements. For instance, for the vacuum state \(\rho = |0 \rangle \langle 0 |\), the Wigner function can be evaluated explicitly as \(W_{\textrm{vac}}(x,p) = \frac{1}{\pi } \exp \!\left( -x^{2}-p^{2}\right) \). This is a Gaussian centered at the origin, with variances \(\textrm{Var}(\hat{x}) = \textrm{Var}(\hat{p}) = \tfrac{1}{2}.\) The corresponding fluctuations represent the fundamental shot noise of the vacuum, which sets the baseline noise floor in continuous-variable systems. More generally, a single-mode Gaussian state has a Wigner function of the form \(W(x,p)= \frac{1}{2\pi \sqrt{\det K}}\exp -\frac{1}{2}(x-x_0,p-p_0)K^{-1}{x-x_0\atopwithdelims ()p-p_0}\), where K is the \(2\times 2\) covariance matrix. For N modes, this generalizes to quadrature values \((x_1,\ldots ,x_N)\), \((p_1,\ldots ,p_N)\), and the covariance is a \(2N\times 2N\) matrix.

A coherent state is a shifted version of the vacuum state. For \(z \in \mathbb {C}\), the coherent state \(| z \rangle \) is defined as the eigenstate of \(\hat{a}\) with eigenvalue z:   \(\hat{a} | z \rangle = z | z \rangle \). Coherent states have the minimum possible combined uncertainty in the quadratures \(\hat{x}\) and \(\hat{p}\) and their Wigner function is Gaussian centered at \((\textrm{Re}\,{z}, \textrm{Im}\,{z})\sqrt{2}\). The light produced by a laser is well described by a coherent state. Coherent states form an overcomplete basis of the Hilbert space, \(\int \textrm{d}^{2} z\; | z \rangle \langle z |=\pi \mathbbm {1}\). They can be represented as a displacement of th evacuum: \(| z \rangle = D(z)| 0 \rangle \). The displacement operator is given by \(D(\beta ) = \exp (\beta \hat{a}^\dagger - \bar{\beta } \hat{a})\). The set \(\{D(\beta )\}_{\beta \in \mathbb {C}}\) is a basis for the unitary operators [25] and forms a unitary representation of the Weyl-Heisenberg group. The displacement operators play the same role as Pauli operators in DV systems. Quantum One-Time Pad (QOTP) encryption for CV is achieved by applying a secret displacement, chosen from a very wide almost-uniform distribution [26].

The single-mode squeezing operator is given by \(S(r) = \exp \!\left[ -\tfrac{r}{2}(\hat{a}^{2} - \hat{a}^{\dagger 2})\right] \), \(r \in \mathbb {R}\). We define \(| X \rangle = S(r)| 0 \rangle \), which is squeezed in the x-quadrature, and \(| P \rangle = S(-r)| 0 \rangle \), which is squeezed in the p-quadrature. Their Wigner functions are elliptic Gaussians, with variances \(e^{-r}\) and \(e^{r}\) in the respective quadratures. As \(r \rightarrow \infty \), the states \(S(r)| 0 \rangle \) and \(S(-r)| 0 \rangle \) go to the quadrature eigenstates \(| x=0 \rangle \) and \(| p=0 \rangle \).

A two-mode maximally entangled state is created by mixing position and momentum eigenstates \(| p=p_0 \rangle \) and \(| x=x_0 \rangle \) together using a balanced beamsplitter. The two-mode state before the mixing is Gaussian with shift¹\(s_0=(0,p_0,x_0,0)^T\) and covariance matrix \(K=\textrm{Diag}(e^r, e^{-r},e^{-r},e^r)\), where it is understood that we are taking the limit \(r\rightarrow \infty \). The action of the beamsplitter is represented as \(B=\frac{1}{\sqrt{2}}{\phantom {-}1\; 1\atopwithdelims ()-1\; 1}\). After the mixing, the shift is \(Bs_0=\frac{1}{\sqrt{2}}(x_0, p_0, x_0, -p_0 )^{T}\) and the covariance is \(B K B^T= {\phantom {-s}\mathbbm {1}\cosh r\;\;\;\; -\sigma _z \sinh r \atopwithdelims ()-\sigma _z \sinh r\;\;\;\; \mathbbm {1}\cosh r}\). The single-mode marginals have thermal distribution, but the x-quadratures of the two modes are perfectly correlated and the p-quadrature are anti-correlated. We will denote the maximally entangled state with zero displacement (known as the ‘two-mode squeezed vacuum’) as \(| \mathrm EPR \rangle \).

In DV, the two-qubit Bell basis is generated from one Bell state by QOTP-ing one side, i.e. acting with Pauli matrices on one of the two qubits. In CV this structure is also present, albeit only in the limit \(r\rightarrow \infty \). If we act with displacement operator \(D(u+iv)\) on the first mode of the above-mentioned EPR state, the covariance is unaffected and the shift changes to \(\frac{1}{\sqrt{2}}(x_0+2u, p_0+2v, x_0, -p_0 )^T\). In the basis of the original ‘unmixed’ modes, this corresponds to \((u,p_0+v,x_0+u,v)^T\). In the \(r\rightarrow \infty \) limit, the x-displacement in the first unmixed mode (over u) is hardly noticeable because of the \(e^r\) width in that direction. Similarly the p-displacement in the 2nd unmixed mode is hardly noticeable. Effectively, \(| x=x_0 \rangle \) has been mapped to \(| x= x_0+u \rangle \) and \(| p=p_0 \rangle \) to \(| p=p_0+v \rangle \). Thus the whole x-basis is spanned in one of the modes and the whole p-basis in the other mode. From \(\int \!\textrm{d}x\; | x \rangle \langle x |=\mathbbm {1}\) and \(\int \!\textrm{d}p\; | p \rangle \langle p |=\mathbbm {1}\) it follows that \(\int \!\textrm{d}^2 z\; D(z)| \mathrm EPR \rangle \langle \mathrm EPR |D^{\dag }(z)=\mathbbm {1}\).

A CV Quantum Error Correcting Code (CV-QECC) is called an \([[n, 1, d]]\) code if it encodes one mode to n modes and is capable of correcting arbitrarily large displacements in up to \(t = \lfloor (d-1)/2 \rfloor \) out of n modes.

We use the definition of a quantum authentication scheme given by Broadbent et al.[13], but with a small modification: we allow for a small probability that a decoding error occurs.

We allow the message register M to be entangled with a reference system R that belongs to the adversary. The input to the scheme is expressed as a joint quantum state \(\rho _{MR}\).

The adversary applies a joint unitary \(U_{CR}\) on the encoded message and the reference system. For a fixed key k, the corresponding real-world quantum channel is defined asThe security definition relies on comparing this real-world channel with an idealized simulator which has access only to the ideal functionality. The ideal functionality either accepts the message by outputting message register M, or rejects it by outputting a fixed dummy state \(\Omega _M\). The simulator may also modify the reference system R. The idealized process can be expressed as ideal channel \(\mathcal {F}\),where for each attack \(U_{CR}\) there exists two CP maps \(\mathcal {U}_R^{\textrm{acc}}\) and \(\mathcal {U}_R^{\textrm{rej}}\) acting only on the reference system R, satisfying \(\mathcal {U}_R^{\textrm{acc}} + \mathcal {U}_R^{\textrm{rej}} = \mathbbm {1}_R\).

The statement (5) says that the real-world situation is indistinguishable from the ideal case (up to some probability \(\eta \)), as the trace norm is an upper bound on the probability of successfully distinguishing two states. Moreover, this definition provides composable security [13, 28, 29].

We briefly summarize how the main building blocks of DV authentication are replaced in the CV setting.

Qubit \(\rightarrow \) mode. Instead of working with a qubit spin state, CV systems encode information in the quadratures (\(\hat{x},\hat{p}\)) of a mode. Note that a quadrature measurement is always noisy due to the shot noise.

Bell state \(\rightarrow \) Two-mode squeezed vacuum (TMSV). The security proof in [13] uses Bell states to mimic the effect of ideal encryption. One half serves as the cipherstate, while the other half stays with the simulator for verification. We replace each Bell state by the TMSV.

Pauli basis \(\rightarrow \) displacements. In [13] the attack is written as a unitary acting on the encoded state and the attacker’s auxiliary state; this unitary is decomposed in the Pauli basis. Analogously, we use the displacement basis.

Spin traps \(\rightarrow \) squeezed states. In DV trap schemes, the traps are qubits prepared in a known state, and for verification they need to be measured in the correct basis. In CV, this becomes squeezed states. The verification is a homodyne measurement in the correct direction; the squeezing reduces the shot noise, so that the verification is more precise than for a coherent state.

The encoding process, denoted by \(\mathcal {E}^{M \rightarrow C}_{k}\), takes as input the single-mode message state \(\rho _{M}\). A CV QECC with parameters [[n, 1, d]] is applied to \(\rho _M\), encoding it to \(\textrm{Enc}(\rho _M)\) which consists of n modes. The QECC is able to correct displacements in \(\le t\) modes, where \(d = 2t +1\). After encoding, z states squeezed in the x-quadrature and z states squeezed in the p-quadrature are appended to the encoded message, forming a system of \(n + 2z\) modes. For proof-technical reasons we set \(2z>n\).These squeezed states are denoted as \(| X \rangle \) and \(| P \rangle \), respectively, and act as traps. They are centered on zero and have squeezing parameter r. The entire set of modes is then permuted according to a secret key \(k_1\). Finally, a QOTP is applied according to a secret key \(k_2\in {\mathbb C}^{n+2z}\) drawn from a Gaussian distribution with variance \(\Delta ^{2} \gg e^{r}\). The \(\Delta \) is a parameter of the scheme. We write \(k=(k_{1},k_{2})\). The output Hilbert space has \(n+2z\) modes.

The QAS encoding is expressed as:where \(\pi _{k_1}\) is the permutation and \(D_{k_2}\) is the QOTP displacement operator.

The decoding \(\mathcal {D}^{C \rightarrow MF}_{k}\) begins by applying the inverse displacement \(D_{k_2}^{\dagger }\) and inverse permutation \(\pi _{k_1}^{\dagger }\) to the received cipherstate. The last 2z modes, corresponding to appended squeezed trap states, are then measured using homodyne detection. The measurement outcomes are denoted as \((x_i)_{i=1}^z\) and \((p_i)_{i=1}^z\). Ideally we would like to verify if the displacement caused to a trap mode exceeds some parameter \(\varepsilon \). However, because of the finite width \(e^{-r/2}\) of the squeezed state we cannot do an exact verification. In order to obtain enough confidence that \(\varepsilon \) is not exceeded, we test with a threshold \(\varepsilon '\), where \(\varepsilon '<\varepsilon \). We define the following condition for acceptance:In order to keep the decoding error probability (see Eq.10 below) small, the values of r and \(\varepsilon '\) are tuned such that \(\varepsilon '> e^{-r/2}\).

In case of Accept, QECC-decoding Dec\(: \rho _C\rightarrow \rho _M\) is applied to the first n modes, and a flag \(| \text {acc} \rangle \langle \text {acc} |\) is appended. If any trap state fails the condition, the message system M is traced out, and a fixed dummy state \(\Omega _M\) is output instead. In this case, the flag \(| \text {rej} \rangle \langle \text {rej} |\) is appended.

We define a POVM V that acts on the trap space and has outcomes \(\{\text {acc}, \text {rej}\}\). The POVM elements are given bywhere \(| x \rangle \) is an x-quadrature eigenstate and \(| p \rangle \) is a p-quadrature eigenstate. The decoding process is expressed as follows,We briefly show that our scheme satisfies Def. 2.2 with a small decoding error probability \(\varepsilon _\textrm{dec}\). If there is no attack, each trap state has the following probability of passing the verification: \(\int _{-\varepsilon '}^{\varepsilon '} \! \textrm{d}x\; (2\pi e^{-r})^{-1/2} \exp (-\frac{x^2}{2e^{-r}})\) \(=\textrm{Erf}\frac{\varepsilon '}{e^{-r/2}\sqrt{2}}\). ThenWith the parameter tuning \(e^{-r/2}\ll \varepsilon '\), the above expression is close to 1. Using the inequalities \(\textrm{Erfc} (x)\le e^{-x^2}\) and \((1-x)^a \ge 1-ax\) we get \(\varepsilon _\textrm{dec} \le 2z \exp [-\frac{1}{2}\frac{(\varepsilon ')^2}{e^{-r}}]\).

We introduce shorthand notationUsing the POVM for the accept case, the real world channel can be expressed as follows:The attack is modeled as the unitary \(U_{CR}\). Analogous to the approach in [13], we expand the attack as \(U_{CR} = \sum _{\mathbf {\alpha }} \chi (\vec {\alpha }) \, D_C(\vec {\alpha }) \otimes U_{R}^{\vec {\alpha }}\) where \(\mathbf {\alpha }\) stands for \((\alpha _1,\ldots , \alpha _{n+2z})\), and it holds that \(\sum _{\mathbf {\alpha }} |\chi (\vec {\alpha })|^2 = 1\) and \(U_R^{\mathbf {\alpha }} (U_R^{\mathbf {\alpha }'})^\dagger =\mathbbm {1}_{R}\delta _{\mathbf {\alpha }'\mathbf {\alpha }}\).³ There is a natural ‘resolution’ or length scale for the displacement \(\mathbf {\alpha }\), namely the squeezing width \(e^{-r/2}\). Any \(\alpha _i'\) and \(\alpha _i\) that are much closer to each other than \(e^{-r/2}\) cannot be distinguished by Bob.

With this representation of the attack, the real world channel is given byHere we have used that the QECC decoding is a linear operation. The \({\mathbb E}_{k_2}\) expectation gives rise to a CV twirl, which we evaluate using Lemma 4.2. The resulting state is given byWe treat the factor \(e^{-2\Delta ^2|\mathbf {\alpha }'-\mathbf {\alpha }|^2}\) as the Kronecker delta \(\delta _{\mathbf {\alpha }'\mathbf {\alpha }}\) plus a correction term of order \(\mathcal{O}(e^{-2 \Delta ^2 e^{-r}})\). The correction term leads to the final term in (11), and below we will further ignore it. The Kronecker delta part yieldsNext we rewrite the permutation of the displacement \(D_C(\mathbf {\alpha })\) as a displacement over the permuted \(\mathbf {\alpha }\).We explicitly write out the POVM V as specified in (8). For the C register we use label ‘msg’ for the first n modes, the label ‘X’ for the z trap modes after that, and ‘P’ for the final z modes. For conciseness we write only the Accept part. The Reject part is analogous, and will be presented explicitly again at the end of the analysis.Next we evaluate the trace over all the trap modes. In each trap mode independently we get an x-integral or p-integral of a displaced squeezed state, with integration interval \((-\varepsilon ',\varepsilon ')\), i.e. an integral of the form \(\int _{-\varepsilon '}^{\varepsilon '} \! \textrm{d}x \, |\langle x | D(\beta ) | X \rangle |^2\) for some \(\beta \in {\mathbb C}\). It holds that \(|\langle x | D(\beta ) | X \rangle |^2 = (2\pi e^{-r})^{-1/2}\exp (-\frac{(x-\sqrt{2} \textrm{Re}\,\beta )^2}{2e^{-r}})\) and \(|\langle p | D(\beta ) | P \rangle |^2 = (2\pi e^{-r})^{-1/2}\exp (-\frac{(p-\sqrt{2} \textrm{Im}\,\beta )^2}{2e^{-r}})\). We getFor \(r\gg 1\) and properly tuned \(\varepsilon '\) (\(\varepsilon ' > e^{-r/2}\)), this combination of error functions acts as a selection function \(\tilde{s}\) that equals (almost) 1 if \(| b| \le \varepsilon '/\sqrt{2} \) and (almost) 0 otherwise. The product of all the contributions from the trap states yields an overall selection function \(\tilde{G}\),Finally, we can write the real-world channel as

We now specify the ideal channel (4) for our scheme, again closely following [13]. The register C contains one side of \(n+2z\) EPR pairs. (The other side is denoted as \(C'\).) We work with the two-mode squeezed vacuum as detailed in Section 2.1. We denote the squeezing parameter as s; we work in the limit \(s\rightarrow \infty \). Note that this limit is allowed since we are dealing with an idealized functionality rather than something that needs to be implemented. We use the notation \(| \mathrm TMSV \rangle \) to denote the normalised state, as opposed to the pseudo-normalised beamsplitter-mixture of \(| x=0 \rangle \) and \(| p=0 \rangle \), which we will denote as \(| \mathrm EPR \rangle \).

The attack is applied to the \(k_1\)-permuted modes; then the modes are unpermuted and finally it is verified if the EPR pairs are unmodified. Specifically, the simulator checks if more than t modes out of the first n have been noticeably displaced, and if any of the trap modes have been displaced by more than \(\delta \).

Next we look at the verification step. For displacement \(u\in {\mathbb C}^{n}\) we define a ‘Hamming weight’ \(w_\delta (\textbf{u}) = \#\{j|\;\; |u_j|>\delta \}\) which counts how many of the n modes have a noticeable displacement. The set of displacements that get accepted by the simulator is given byNote that the parameter \(\varepsilon \) is slightly larger than the \(\varepsilon '\) of the real-world channel. The simulator’s POVM for the verification is written as \((V^\textrm{acc}_\mathcal {F}, V^\textrm{rej}_\mathcal {F})\), with \(V^\textrm{rej}_\mathcal {F}=\mathbbm {1}-V^\textrm{acc}_\mathcal {F}\). We haveThe mapping that represents the ideal channel is given byHere \(\mathcal {S}_{n+2z}\) stands for the set of permutations of \(n+2z\) modes. Again we write \(U_{CR} = \sum _{\mathbf {\alpha }} \chi (\vec {\alpha }) \, D_C(\vec {\alpha }) \otimes U_{R}^{\vec {\alpha }}\) with normalisation \(\sum _{\mathbf {\alpha }} |\chi (\vec {\alpha })|^2 = 1\). Again we use \(\pi ^{\dag }D(\mathbf {\alpha })\pi =D(\pi ^{-1}\mathbf {\alpha })\). Furthermore we use cyclic property of the trace to rotate \(\sqrt{V_\mathcal {F}}\) so that the square roots combine into \(V_\mathcal {F}\); then we substitute the POVM (27) into (28). This givesHere all the displacements act on the C space; the \(I(\beta \in \mathcal {D}_\mathcal {F})\) is an indicator function that equals 1 when the condition is met; the abbreviation ‘same’ stands for the same state in \(MRCC'\) space as in the line above. Taking the trace \(\textrm{Tr}\,_{CC'}\) yields a factor \(\langle \mathrm TMSV | D_\beta ^{\dag }D_{\pi ^{-1}\alpha } | \mathrm EPR \rangle \langle \mathrm EPR | D_{\pi ^{-1}\alpha '}^{\dag }D_\beta | \mathrm TMSV \rangle \), which evaluates to \(\delta _{\mathbf {\alpha }' \mathbf {\alpha }}\delta (\beta -\pi ^{-1}\mathbf {\alpha })\) Carrying out the integral over \(\mathbf {\beta }\) and the sum over \(\mathbf {\alpha }'\) yields

Note that we can write \(I(\pi ^{-1}\mathbf {\alpha }\in \mathcal {D}_\mathcal {F})U_R^\alpha \rho _{MR}U_R^{\alpha \dagger }\) in the more complicated form \(I(\pi ^{-1}\mathbf {\alpha }\in \mathcal {D}_\mathcal {F}) \textrm{Dec}\Big ( [D_{\pi ^{-1}\mathbf {\alpha }}]_\textrm{msg}\otimes U_R^\alpha \;\; \textrm{Enc}\rho _{MR}\;\; [D_{\pi ^{-1}\mathbf {\alpha }}]_\textrm{msg}^{\dag }\otimes U_R^{\alpha \dagger }\Big )\). This equality holds because, under the condition on \(\mathbf {\alpha }\), the decoding is guaranteed to recover \(\rho _{MR}\). We use the more complicated form to express the difference \(\mathcal {C}-\mathcal {F}\) in a compact form,Next we use the triangle inequality to obtain the following boundIn the last step we used that the trace distance between two normalised states cannot exceed 1.

Note that the functions \(\tilde{G}\) and I are very similar. The indicator I exactly selects displacements \(\mathbf {\alpha }\in {\mathbb C}^{n+2z}\) such that in the traps part of \(\pi ^{-1}\mathbf {\alpha }\) the measured component is \(\frac{\varepsilon }{\sqrt{2}}\)-close to zero, and in the message part of \(\pi ^{-1}\mathbf {\alpha }\) the Hamming weight \(w_\delta \) is low.

The function \(\tilde{G}\) is not an exact indicator function, having continuous behaviour. However, for \(e^{-r/2}\ll \varepsilon '\) the \(\tilde{G}\) is extremely close to a step function which we will denote as \(G(\pi ,\mathbf {\alpha })= \prod _{j=1}^z \Theta (\varepsilon -\sqrt{2} |[\textrm{Re}\,\pi ^{-1}\alpha ]_{X_j}|) \Theta (\varepsilon -\sqrt{2} |[\textrm{Im}\,\pi ^{-1}\alpha ]_{P_j}|)\). (Note that we write \(\varepsilon \) instead of \(\varepsilon '\).) The G enforces the same conditions as I on the traps part of \(\pi ^{-1}\mathbf {\alpha }\), but ignores the message part. We write \(\tilde{G} = G + \Gamma \). The contribution from the imperfection \(\Gamma \) to (33) is given by \( \sum _{\mathbf {\alpha }} |\chi (\mathbf {\alpha })|^2 {\mathbb E}_{\pi \in \mathcal {S}_{n+2z}}\Gamma (\pi ,\mathbf {\alpha })\). We need to upperbound it. We observe that each of the factors \(\tilde{g}_1\), \(\tilde{g}_2\) in (24) lies in the interval [0, 1]. Consequently \(\tilde{G}\in [0,1]\). Hence, whenever \(G=1\) it must hold that \(\Gamma \le 0\). Next we consider the part of the \(\alpha \)-integral where \(G=0\); here we have \(\Gamma \ge 0\). The worst case (most positive \(\tilde{G}\) at \(G=0\)) occurs when the vector \(\mathbf {\alpha }\) consists of all zeros except for one entry which is infinitesimally larger than \(\varepsilon \) in either x or p direction and that component is moved into a trap mode by the permutation \(\pi ^{-1}\). This yields \(\Gamma =[\tilde{s}(0)]^{2z-1}\tilde{s}(\varepsilon /\sqrt{2}) < \tilde{s}(\varepsilon /\sqrt{2})\) \(< \frac{1}{2} - \frac{1}{2} \textrm{Erf}\frac{\varepsilon -\varepsilon '}{e^{-r/2}\sqrt{2}}\). Taking into account the probability \(\frac{2z}{n+2z}\) of getting permuted into a trap mode, we get the contribution \(\frac{z}{n+2z}\textrm{Erfc}\frac{\varepsilon -\varepsilon '}{e^{-r/2}\sqrt{2}}\) in (11).

The expression \(G(\pi ,\mathbf {\alpha })-I(\pi ^{-1}\mathbf {\alpha }\in \mathcal {D}_\mathcal {F})\) evaluates either to 0 or 1; it cannot become negative since I imposes more conditions than G. The value 1 occurs only if the traps are intact but the message has uncorrectable noise. (See Table 1).

For the final step in the proof we have to tune the parameter \(\delta \) to \(\delta =\frac{\epsilon }{\sqrt{2}}\) in order to obtain symmetry between all the modes. Let u be the number of modes in \(\mathbf {\alpha }\) that contain a large displacement. We consider only vectors \(\mathbf {\alpha }\) that can yield \(G-I=1\) for some permutation \(\pi \). Such a vector must have \(u\in \{t+1,\ldots ,n\}\). The expression \({\mathbb E}_{\pi \in \mathcal {S}_{n+2z}} (G-I)\) is the probability, given a random permutation of \(n+2z\) modes, of placing the u noisy ones precisely in the first n positions. This probability is given byAs P(u) is a decreasing function of u we can write \(P(u) \le P(t+1)\). Next we writeHere we have used the inequality \(\frac{n-j}{n+2z-j} \le \frac{n}{n+2z}\), which holds for \(2z> n\). Finally we use the normalisation of \(\chi \). This yields the term \((\frac{n}{n+2z})^{t+1}\) in (11).