Abstract
We aim to quantify and mitigate quantum-information leakage in continuous-variable quantum secret sharing (CV QSS). Here we introduce a technique for certifying CV ramp quantum secret-sharing (RQSS) schemes in the framework of quantum interactive-proof systems. We devise pseudocodes in order to represent the sequence of steps taken to solve the certification problem. Furthermore, we derive the expression for quantum mutual information between the quantum secret extracted by any multi-player structure and the share held by the referee corresponding to the Tyc–Rowe–Sanders CV QSS scheme. We solve by converting the Tyc–Rowe–Sanders position representation for the state into a Wigner function from which the covariance matrix can be found, then insert the covariance matrix into the standard formula for CV quantum mutual information to obtain quantum mutual information in terms of squeezing. Our quantum mutual information result quantifies the leakage of the RQSS schemes.
Original content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
1. Introduction
Secret sharing (SS) is an information theoretically secure cryptographic protocol that is applicable to online auctions, electronic voting, shared electronic banking and cooperative activation in the classical domain [1], and distributed quantum computing in the quantum regime [2]. Ramp classical [3, 4] and quantum [5, 6] SS schemes were proposed to reduce the communication complexity by the sacrifice of security conditions. Continuous-variable quantum secret sharing (CV QSS) [7–9] has been formulated in the framework of discrete-variable quantum SS schemes [10], which does not accommodate the quantum-information leakage inherent in continuous representations of quantum information. Our aim is to formulate CV QSS as a continuous-variable (CV) ramp quantum secret sharing (RQSS) protocol and introduce a technique to certify the protocol.
In order to reach our aims, we introduce four advances in our work. We develop the quantum mutual-information approach to the CV regime for evaluating the security of CV QSS schemes. We derive quantum mutual information between referee and any multi-player structure corresponding to the Tyc–Rowe–Sanders (TRS03) CV QSS scheme [7]. Furthermore, we introduce a certification technique for CV QSS in the framework of quantum-interactive proofs [11–13] and demonstrate the necessity of it being an RQSS scheme. We also give an upper bound for the failure probability in terms of the number of experimental runs, from which the referee knows how many rounds are required to have sufficient information.
Two types of QSS are employed in the general literature: quantum-enhanced sharing of classical information [14] and SS as a special case of quantum error correction and used to distribute quantum information to untrusted parties [10]. Markham and Sanders explained classical SS with the nomenclature CC and these two types of QSS by CQ and QQ, respectively, with C indicating 'classical' and Q indicating 'quantum' [15]. QQ SS is needed, rather than CC SS, when the objects to be shared are quantum, rather than classical, information. Here we focus on QQ SS schemes [10] as the alternative CQ SS schemes [14, 16] can be simulated by QKD and classical SS [17] and thus CQ does not offer a compelling advantage whereas QQ is compelling.
QQ SS was extended to the CV regime [8] as a valuable tool for augmenting the CV toolkit with potential beneficial applications to (i) entanglement sharing, namely as a CV extension to QSS-based entanglement sharing [6], (ii) CV quantum key distribution [18] and (iii) quantum summoning [19–21]. CV QQ SS has been realized experimentally for three players, any two of whom are authorized to extract the secret quantum state [9, 22]. Importantly, TRS03 later showed that the CV quantum state sharing could be extended to a threshold scheme (a class of QSS schemes in which the authorized structure comprises all groups of k or more players while there are n players in total [10]), without a corresponding scale-up in quantum resources.
Whereas conditional entropy is employed for evaluating the security of CC schemes, quantum mutual information is needed for the quantum case [23]. Quantum mutual information has been used as a means to evaluate the secrecy condition of Cleve–Gottesman–Lo QSS in the case [23]. TRS03 characterized the quality of secret extraction for their scheme by calculating the fidelity in terms of squeezing parameter between the original and the extracted secret for an arbitrary coherent state as the secret. However, fidelity is not a distance measure [24].
Hence, we develop the alternative and more meaningful quantum mutual-information approach for evaluating the CV QSS security. Restricting to Gaussian states and operations allows all the calculation to be performed within the convenient framework of the semidirect product
which is the CV Clifford group, with the symplectic group and HW the Heisenberg–Weyl group for n modes [25]. This representation makes calculations tractable but ignores potentially powerful non-Gaussian operations [26].
Our paper is organized as follows. In section 2, we briefly review the theoretical background on CV quantum information with Gaussian states and Gaussian operations, mutual information and discrete-variable ramp quantum SS protocols. We detail our approach in section 3. The mathematical results are presented in section 4. We conclude with a discussion of our results in section 5.
2. Background
This section provides the context required to tackle the problem solved in this paper. We begin the section with theoretical background on CV quantum information with Gaussian states and Gaussian operations. Then we discuss quantum mutual information, which is a necessary tool for defining and evaluating quantum SS schemes. Finally, we discuss basic results of RQSS schemes.
2.1. CV quantum information with Gaussian states and Gaussian operations
In this section, we begin by introducing Gaussian states [27] and some of their important properties. Then we explain the Gaussian preserving maps, which preserve the Gaussian property of quantum states. Finally, we discuss CV QSS based on TRS03 CV QSS scheme.
2.1.1. Gaussian states
A CV quantum state is a continuously parameterized element of Hilbert space described by observables with continuous eigenspectra. Typically, a CV quantum state is described by n bosonic modes, associated with a tensor-product Hilbert space
i.e. square integrable complex-valued functions over and a vector of quadrature operators
for denoting transpose. The vector satisfies the commutation relation
known as the symplectic form.
An arbitrary CV quantum state is characterized by a density operator
where is the set of positive semidefinite trace-class operators. These positive trace-class operators can be represented by the Wigner function [28]
for
being the Wigner characteristic function and
being the Weyl operator. Thus far, we have the Wigner representation for any state; now we restrict to Gaussian states.
A Gaussian state is defined to be a state whose Wigner representation is Gaussian. A Gaussian state can be completely characterized by its first moment and covariance matrix . The covariance matrix entries are
with the anticommutator.
The symplectic manipulation of a Gaussian state's covariance matrix can be used to express its fundamental properties. By definition, a real-valued matrix is called symplectic if it preserves the symplectic form of equation (3); i.e.
According to Williamson's theorem [29], each covariance matrix has a corresponding symplectic transformation satisfying
with symplectic spectrum defined by the vector
unique to each and satisfying
As an example, a two-mode Gaussian state has covariance matrix
The symplectic spectrum is [30]
where
As Gaussian states are easy to describe mathematically, a large class of transformations acting on such states are easy to characterize as well. In the next section, we discuss this class of transformations called Gaussian preserving maps.
2.1.2. Gaussian-preserving maps
Gaussian (linear) unitary Bogoliubov transformations are interactions that preserve the Gaussian character of a quantum state. In terms of the quadrature operators, a Gaussian map is described by the affine map
for (9) a matrix representation of the symplectic group. The most general form of a Gaussian map in terms of its action on the statistical moments and is
A special class of Gaussian maps are linear canonical point transformations, for which the positions and momenta do not mix and transform separately [31].
For single-mode squeezing we have the infinite-dimensional unitary representation [32]
and for two-mode squeezing we have the infinite-dimensional unitary representation
where
A two-mode squeezed vacuum (TMSV) state is mathematically represented as [32]
In the next section, we explain TRS03 CV quantum SS scheme in which the Gaussian maps are used for encoding and decoding.
2.1.3. Continuous-variable quantum secret sharing
In this section, we explain the TRS03 CV QSS scheme. In a -threshold scheme, the dealer possesses a pure secret state and encodes the quantum secret into an entangled state of modes of the electromagnetic field by combining it with ancillary states. The dealer then distributes them among the n players, each of whom receives one share, and at least k players must combine their shares in an active interferometer to extract the secret state.
Let be the tensor product of copies of and each player owns one of these copies. Let us define as the real linear space of coordinate functions for . Then a system of Euclidean coordinates
is equivalent to choosing an orthonormal basis of coordinate functions
such that
with xi the coordinate of (23), and .
Initially, the dealer starts with an unentangled tensor product
where is the secret state and
Let us write this state as
where
The dealer then performs the encoding using a linear canonical point transformation
The corresponding unitary transformation then maps the state to
The dealer, however, has to choose such that any k players are able to disentangle the secret state but fewer than k players are unable to do so. For this purpose, in the case of sufficiently large a, only the orthogonal projection of each vector gi into the space spanned by the vectors is important. The vectors then must be chosen such that any k vectors from the set are linearly independent. This linear independence condition guarantees that any k players are able to extract the secret.
For convenience, let us express as a direct sum of three mutually orthogonal subspaces
where is the one-dimensional space spanned by f1 and and are -dimensional spaces spanned by and , respectively. Now let us relabel coordinates as coordinates with
The wavefunction Ψ is then
Without loss of generality, the first k players collaborate to retrieve the quantum secret. The players then make the linear coordinate transformation
assuming for all .
For convenience, let us define a decomposition for every vector as a sum of three mutually orthogonal vectors, each of which belongs to subspaces , and
Equivalently, we can write
In the case that the vectors gi are chosen in such a way that any k vectors from the set are linearly independent, the players can design the transformation such that
where . Then transformation (38) extracts the secret for sufficiently large values of parameter a.
2.2. Mutual information
Here we review the key notions of mutual information, which is the method for quantifying information security and defining QSS. We begin by presenting salient facts about Shannon and von Neumann entropy followed by requisite knowledge concerning classical and quantum mutual information. Finally, in this section, we discuss the security for discrete QSS as our aim is to analyze security for CV QSS.
2.2.1. Shannon and von Neumann entropy
Here we review Shannon and von Neumann entropy as these notions of entropy underpin the formulation of classical and quantum mutual information. This section also helps to elucidate the compact notation we use throughout this paper.
Shannon entropy. Let Z be a statistical ensemble defined by a classical random variable z and its associated probability distribution , which can be expressed as a probability vector . The logarithm of this vector (always using base 2 here) is
Using the Hadamard (elementwise) product [33] for vectors and the sum of such elements , the Shannon entropy is
Thus, yields the number of bits per letter needed to completely specify Z in the asymptotic limit of infinitely long strings [34]. Shannon entropy is thus a measure for the uncertainty of z or it indicates how much information each letter in the string that uses the alphabet Z carries.
Von Neumann entropy. In the same vein, the information content of a quantum state ρ (5) can be quantified by determining how many qubits are needed to represent state ρ in the asymptotic limit of an infinite ensemble of physical systems. This quantum-information content, known as the von Neumann entropy [35], amounts to computing a classical Shannon entropy (40)
for a vector comprising eigenvalues of the state ρ.
CV quantum entropy. For CV Gaussian states, we define the vectors
with the symplectic spectrum (12) and the vector with all entries being unity. Thus, the von Neumann entropy is [36]
These entropy expressions are used in the formulæ for mutual information.
Convenient notation for states in entropy formulæ. A convenient notation for entropy, which is independent of being classical or quantum, uses a label for the classical or quantum state. Rather than specify the state as classically or ρ quantumly, we label the state by a capital letter such as A and B, with these labels commensurate with the usual Alice-and-Bob nomenclature in cryptology [37].
Conditional entropy. Labelling the joint state held by A and B as , the conditional entropy is abstractly expressed as
for any valid formula for entropy, whether classical (40) or quantum (41).
Classical conditional entropy. The classical conditional entropy [38] is obtained from equation (44) by replacing
for the distribution held by A. Similarly, we replace
and
quantifies the correlation between and as the reduction of the number of bits per letter needed to specify given is known.
Quantum conditional entropy. The quantum conditional entropy [24] is obtained from equation (44) by replacing
for the quantum state held by A. Similarly, we replace
and
Although classical conditional entropy is always positive, for evaluating quantum conditional entropy can be negative [39].
2.2.2. Classical and quantum mutual information
We explain classical mutual information [38] and quantum mutual information [24], first as an abstract concept regardless of whether classical or quantum information is chosen. Then we explain each of classical and quantum mutual information. Quantum mutual information is vital for evaluating security for SS.
Mutual information. Labelling the joint state held by A and B as , mutual information is abstractly expressed as
for any valid formula for entropy, whether classical (40) or quantum (41). Classical mutual information [24] is obtained from equation (51) by replacing
with for and
as discussed in section 2.2.1. Classical mutual information quantifies the correlation between two statistical ensembles and as the reduction of the number of bits per letter needed to specify one of the variables given the other variable is known.
Quantum mutual information. The quantum mutual information [24] is obtained from equation (51) by replacing
for the quantum state held by A. Similarly, we replace
and
Quantum mutual information is always positive and quantifies the total correlations contained in the bipartite state . Quantum mutual information is employed to define and evaluate the security of QSS schemes.
Relation between conditional entropy and mutual information. The relation between conditional entropy and mutual information is
for any valid formula for entropy, whether classical (40) or quantum (41). The relation between classical mutual information and classical conditional entropy is obtained from equation (57) by replacing
with and
with as discussed in section 2.2.1.
The relation between quantum mutual information and quantum conditional entropy is obtained from equation (57) by replacing
with and
with as discussed in section 2.2.1.
2.2.3. Classical and QSS
In this section, we explain classical and QSS protocols. We begin by establishing the agents of the protocol namely dealer and players and the structures corresponding to the set of players. Afterwards, we explain classical secret-sharing schemes along with classical secrecy and recoverability conditions corresponding to them. Then we define QSS and provide the secrecy and recoverability conditions corresponding to them based on quantum mutual information.
Dealer and players. We establish the agents of the protocol and the structures corresponding to sets of players, who are one kind of agent. Specifically, SS comprises agents, namely one dealer and n players labelled
The power set of players is , which is the set of all subsets of the set of players (62).
The role of the dealer is to encode the secret message (classically) or (5) quantumly, into n shares and distribute them among players in such a way that specific elements of form the authorized structure to retrieve the secret message whereas other elements are denied any information about the secret whatsoever. The set of elements that are denied any information is known as the forbidden structure .
Access structure. Let
where is monotonically decreasing and is monotonically increasing, and
Then the set
is the access structure on . Quantumly, the no-cloning theorem implies that the existence of two disjoint authorized groups is forbidden [40].
Secret-sharing protocol. Let be a Hilbert space and let be all density operators on a Hilbert space . In a QSS scheme, the dealer's task is to encrypt a quantum secret into a composite system of Hilbert spaces
each of which is called a share labelled by . Let
be the entire set of shares and
be the corresponding Hilbert space. The dealer then distributes the shares among players (62). For a subset of shares
the QSS encoding is
which is a completely positive and trace preserving map [5].
The composition map of the encoder WN for a subset , and the partial trace of the complement is
A QSS scheme is then defined by the quantum operation WN (70) that is reversible with respect to . The set N is divided into two mutually disjoint structures and [5].
- (i) A set is authorized if WX is reversible with respect to .
- (ii) A set is forbidden if WX is vanishing with respect to .
The arguments so far are valid in the classical cases, which is verified by replacing the corresponding notions with the classical ones [5].
Classical secrecy and recoverability conditions. Classical secrecy is expressed in terms of conditional entropy but equivalently can be expressed in terms of mutual information. Strictly speaking, conditional entropy is between shares. However, for simplicity, in the literature there is a tendency to refer to conditional entropy between players. Π is a perfect SS scheme on Γ if
- .
Quantum secrecy and recoverability conditions. Here we discuss quantum secrecy conditions in terms of quantum mutual information. Strictly speaking, quantum mutual information is between shares. However, for simplicity, in the literature there is a tendency to refer to quantum mutual information between players. We can imagine that the system is part of a larger system and that this compound system is initially in a pure state . Therefore,
In a QSS, if a subset satisfies
then does not contain any information about [23]. On the other hand, if a subset X satisfies
then X contains full information about [23].
Access structure. Specific subsets of players form the authorized structure
to retrieve the message whereas the other subsets, i.e. the forbidden structure
are denied any information about the secret whatsoever. We define the QSS access structure as
Threshold SS. threshold QSS schemes are a class of QSS schemes in which the authorized structure comprises all groups of k or more players while there are n players in total (the use of double parentheses distinguishes it from a classical scheme). quantum threshold schemes exist provided the no-cloning theorem is satisfied [40]. Any QSS scheme can be reduced to threshold schemes [40]. In QSS schemes, the size of shares allocated to each player must be at least as large as the size of the secret [5, 40].
2.3. RQSS scheme
As an extension of (k, n)-threshold SS schemes discussed in section 2.2.3, ramp secret-sharing (RSS) schemes were proposed by Blakley–Meadows [3] and Yamamoto [4]. In RSS schemes, the dimension of each share is reduced compared to that of the original system by sacrificing security, admitting the intermediate property for some sets of shares, which are denoted as intermediate sets.
In a threshold RSS scheme, any k or more players are able to fully reconstruct the secret s, whereas any k − L or fewer players are denied any information about it. Furthermore, from arbitrary k − j shares for , some information of the secret leaks out with the size of in s.
A QSS scheme WN is called perfect if any set is either authorized or forbidden. Otherwise, WN is a RQSS scheme. The access structure of a RQSS scheme is the list of the forbidden, intermediate, and authorized sets. A set is called intermediate if WX is neither vanishing nor reversible with respect to [5]. Formally, the access structure of the set N is defined by a map
where and 2 represent , and , respectively. Now that we have the essential background, we proceed in the next section to explain our approach to CV RQSS.
3. Approach
In this section, we introduce a CV RQSS protocol and explain how to certify it. We discuss the success criterion of the certification protocol. Furthermore, we specify what the parties need to do to complete the certification.
3.1. CV RQSS protocol with Gaussian states and operations
Here we modify the discrete-variable RQSS protocol discussed in section 2.3 into a CV counterpart. We choose Gaussian states and operations, which are convenient mathematically due to the elegance of techniques based on the semidirect product of the symplectic group and the Heisenberg–Weyl group (1). However, the price paid for this convenience is discarding potentially powerful universal operations [26]. Whereas, in the discrete case, specification of number of players and threshold condition L suffices to determine the cardinality of the three structures, the CV case is more complicated due to squeezing limitations.
3.1.1. Quantum-optical resources
The optical realization comprises displacers that generate Heisenberg–Weyl group elements and single-mode squeezers, passive beam-splitters and phase-shifters that generate the semidirect product of the symplectic group (1). The inputs are vacuum states of light. For the closed disk
the dealer's and players' single-mode squeezers (19) have limited squeezing capability corresponding to , with for the dealer and for the player.
3.1.2. Dealer's task
Here we specify the dealer's task in the RQSS protocol. The dealer's tasks include preparing a quantum secret, choosing an access structure, encoding the quantum secret and distributing shares.
Two-mode squeezed-vacuum source. The dealer prepares a TMSV state (22) drawn randomly from the uncountable set
The dealer's task is to encode one mode of this quantum state into an n-mode entangled state by mixing it with ancillary states in an n-mode active interferometer. The dealer then sends one share to each of the players in such a way that the elements of power set of players are divided into three predetermined mutually disjoint sets known as authorized, intermediate and forbidden structures.
In order for the dealer to prepare the TMSV randomly, first, he needs to decide the complex two-mode squeezing parameter (21), where s is bounded by . The dealer generates two random numbers . Then the dealer assigns
Choosing a useful, feasible access structure. The dealer chooses an access structure Γ based on the desired application. The dealer then runs an algorithm that accepts Γ, covariance matrix of TMSV state , and as input and yields the encoding transformation or else null as the output. The dealer then performs the encoding transformation and distributes the shares among players.
3.1.3. Players' task
The players' task in any authorized set is to reconstruct the quantum secret. One player is assigned to hold the secret after reconstruction. This player forms a structure with the other players in the authorized set, who perform a Gaussian unitary operation on their shares such that the state of the share belonging to the assigned player becomes the same as the original secret state. The players in any intermediate set are allowed to partially reconstruct the secret state. Furthermore, the players in a forbidden structure should not gain any information about the quantum secret whatsoever.
3.2. Certification protocol
In this section we introduce a certification protocol that ascertains whether the RQSS protocol succeeds. The success criterion is discussed in this section. We specify what the parties need to do to complete the certification.
3.2.1. Agents and resources
In this section, we establish the agents of the certification protocol, namely, the dealer, the players and the referee who serves as skeptical certifier. Furthermore, we specify available resources for each party.
The dealer and players share trusted error-free classical and quantum communication channels between each other, and the referee also shares trusted error-free classical and quantum communication channels with each player and with the dealer. In our CV setting, the referee possesses single-mode homodyne detectors [27]. Henceforth, we only refer explicitly to homodyne measurement, without loss of generality. The dealer possesses a classical computer to choose the access structure Γ discussed in section 3.1.2, and the referee possesses a classical computer to run the certification algorithm.
3.2.2. Dealer's encoding and announcement
The dealer chooses an access structure Γ discussed in section 3.1.2 and announces Γ to the players and to the referee. The dealer encodes shares based on the choice of Γ and the quantum secret, such as a randomly chosen state in the parameter disk (80), and announces this encoding to the players.
3.2.3. Rounds
In this section, we define 'rounds', which are repetitions of the protocol between the dealer, players and referees. The concept for these rounds is depicted in figure 1. First the dealer prepares a suitable two-mode Gaussian state, which is the same two-mode Gaussian state for all rounds, and sends one mode to the referee and the other mode into an encoder, which is also unchanging over all rounds. This encoder creates shares that are sent to each player.
After the players receive shares, the referee requests a subset of players, who can be authorized, forbidden or intermediate, to try to reconstruct the quantum secret and then send their resultant shares to the referee. Depending on instructions to the referee as an input, the referee performs single-mode homodyne measurement on either the reconstructed secret state, the reference state or both. Furthermore the referee follows the instruction to choose the local-oscillator phase for each homodyne detection. After each round, she saves these measurement results for classical post processing. Rounds continue until the referee permits the dealer and players to stop.
3.2.4. Referee's certification strategy
The referee's task is to certify the protocol by ascertaining the dealer's announcement that the access structure is the announced Γ. The referee conducts tests by requiring many rounds per instance, with each instance corresponding to testing whether a fixed subset of players is in , or structures determined by Γ. Due to the statistical nature of the test, the referee cannot be 100% sure that the inference is correct; rather the referee makes a decision if the probability of being correct exceeds some threshold value, itself strictly greater than 1/2.
Sufficiency condition. When a sufficiency condition is met to ascertain whether the subset of players are determined to be in a structure compatible with the dealer's announced Γ, the referee instructs the players to stop. If that instance passes the test, the referee announces a new subset of players to test and the rounds repeat until the referee has enough data to pass the sufficiency test. If the instance results in the dealer and players failing, the procedure stops as the team of dealer and players has failed the test. The dealer and players pass only if every instance passes.
3.3. Summary of approach
In this section, we have introduced CV RQSS protocol for Gaussian states and operations. We specified the quantum optical resources available to agents of the CV RQSS protocol, namely dealer and players, and stated the resource limitations. Furthermore, we introduced a certification test for CV RQSS protocol, established the agents of the protocol along with their tasks, and discussed the success criterion.
4. Results
In this section we present our main results. Our first result is a CV version of quantum mutual information. This CV quantum mutual information is then used to quantify quantum-information leakage for Gaussian states and operations. Based on this leakage characterization, we introduce a certification test, in the framework of quantum-interactive proofs, and provide a practical test to implement this test.
4.1. CV quantum mutual information
In this section, we develop the quantum mutual information for the CV RQSS quantum access structures and employ it to quantify quantum-information leakage for Gaussian states and operations. We define corresponding to CV RQSS protocols based on quantum mutual information.
Let be a pure two-mode Gaussian state and let the quantum secret be (72). Then
and and are obtained from equations (75) and (76), respectively.
We now calculate mutual information between the referee and any multiplayer structure for TRS03. Specifically, we consider a two-mode entangled state (79) such that one mode is used for the secret and the other mode is used for the reference system. We choose this system because that way the referee can do a sensitive entanglement check to verify that the reconstructed state is entangled with a reference system as it should be. To simplify matters, without loss of generality, we investigate in particular a TMSV with one mode being the quantum secret and the other mode being the reference system.
We solve the quantum mutual information between an extracted secret obtained by any player structure with k elements and the reference system. In order to do so, by using equations (6)–(8), we transform the density function of the reference system and the extracted secret (A.5) into a Gaussian Wigner function represented by a mean vector and a covariance matrix from which the symplectic eigenvalues (12) are calculated.
The symplectic eigenvalues (12) are inserted into equation (43) in order to calculate the local and global von Neumann entropy of the extracted secret and reference system from which the quantum mutual information is solved (51). Figure 2 shows the resultant quantum mutual information versus squeezing parameter in the case of .
An equivalent alternative to our approach for deriving the covariance matrix of the extracted secret and reference system is to calculate the symplectic transformation (10) of the TRS03 protocol and insert it into equation (18). Our approach does not explicitly require a matrix representation of the symplectic transformation whereas this approach would require us to calculate this matrix which involves matrix inversion. In section 4.2 we employ the CV quantum mutual-information approach to introduce a certification technique for CV RQSS schemes.
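An added example, not code from the paper: the two-mode recipe described in this section (covariance matrix, then symplectic spectrum, then local and global von Neumann entropies, then quantum mutual information) written out in Python. It assumes the convention in which the vacuum covariance matrix is the identity and the quadrature ordering (x1, p1, x2, p2); the function names and the added-noise variant of the TMSV state are constructed for illustration and are not the TRS03 extracted-secret state.

```python
import math

TOL = 1e-5  # numerical slack when checking the physicality bound nu >= 1


def det(m):
    """Determinant by Laplace expansion; adequate for the 2x2 and 4x4 cases here."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j in range(len(m)))


def block(sigma, i, j):
    """2x2 block (i, j) of a 4x4 covariance matrix ordered (x1, p1, x2, p2)."""
    return [row[2 * j:2 * j + 2] for row in sigma[2 * i:2 * i + 2]]


def symplectic_spectrum(sigma):
    """Symplectic eigenvalues (nu_minus, nu_plus) of a two-mode covariance matrix,
    from the invariants Delta = det A + det B + 2 det C and det sigma."""
    a, b, c = block(sigma, 0, 0), block(sigma, 1, 1), block(sigma, 0, 1)
    delta = det(a) + det(b) + 2.0 * det(c)
    root = math.sqrt(max(delta * delta - 4.0 * det(sigma), 0.0))
    return math.sqrt((delta - root) / 2.0), math.sqrt((delta + root) / 2.0)


def g(nu):
    """Entropy in bits contributed by one symplectic eigenvalue (vacuum = 1)."""
    if nu < 1.0 - TOL:
        raise ValueError("unphysical covariance matrix: symplectic eigenvalue < 1")
    if nu <= 1.0:
        return 0.0  # pure mode; also absorbs rounding just below 1
    hi, lo = (nu + 1.0) / 2.0, (nu - 1.0) / 2.0
    return hi * math.log2(hi) - lo * math.log2(lo)


def mutual_information(sigma):
    """I(A:B) = S(A) + S(B) - S(AB) for a two-mode Gaussian state."""
    s_a = g(math.sqrt(det(block(sigma, 0, 0))))
    s_b = g(math.sqrt(det(block(sigma, 1, 1))))
    s_ab = sum(g(nu) for nu in symplectic_spectrum(sigma))
    return s_a + s_b - s_ab


def tmsv(r):
    """Covariance matrix of a two-mode squeezed vacuum with squeezing r."""
    c, s = math.cosh(2.0 * r), math.sinh(2.0 * r)
    return [[c, 0.0, s, 0.0],
            [0.0, c, 0.0, -s],
            [s, 0.0, c, 0.0],
            [0.0, -s, 0.0, c]]


def add_noise(sigma, mode, variance):
    """Constructed illustration: add classical Gaussian noise of the given
    variance to both quadratures of one mode (0 = reference, 1 = secret)."""
    out = [row[:] for row in sigma]
    for k in (2 * mode, 2 * mode + 1):
        out[k][k] += variance
    return out


if __name__ == "__main__":
    print(" r     I(pure)   I(noise 0.5 on secret mode)")
    for r in (0.0, 0.25, 0.5, 0.75, 1.0):
        pure = tmsv(r)
        noisy = add_noise(pure, 1, 0.5)
        print(f"{r:4.2f}  {mutual_information(pure):8.4f}  "
              f"{mutual_information(noisy):8.4f}")
```

For a pure TMSV the global entropy vanishes, so the mutual information is twice the local entropy and grows with squeezing; noise on the secret mode lowers it.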
4.2. Certification test for RQSS protocols
In this section, we establish our model for certification tests. Specifically, we introduce certification tests for , and , respectively. We introduce quantum information thresholds and as a means to quantify the security of RQSS protocols. Our approach for introducing these thresholds is based on the standard weak-membership certification method [41].
RQSS certification for . Let be a threshold quantum mutual information chosen by the referee. This quantum mutual information quantifies the minimum knowledge that players in an access structure are able to obtain about the secret. Let be a maximum failure probability. A test, which receives copies of some X as input, and yields accept or reject, is a test for certifying whether , if, with probability at least , it both rejects every for which
and accepts if
These conditions correspond to soundness (83) and completeness (84) [11–13].
RQSS certification for . Let be a threshold quantum mutual information chosen by the referee, which quantifies the maximum knowledge that players in the forbidden structure can obtain about the secret. A test, which receives as input copies of some , and yields accept or reject, is a certification test for certifying whether , if, with probability at least , it both accepts every X for which
and rejects a different for
These conditions are completeness (85) and soundness (86).
RQSS certification for . A test that receives copies of some X as input and yields accept or reject certifies whether if, with probability at least , it both rejects every X for
or
and accepts if
Conditions (87) and (88) are soundness and condition (89) is completeness. In the next section we employ our certification model to propose a practical test to ascertain RQSS protocols.
4.3. Practical realization of the certification test
In this section, we propose a practical algorithm for determining if X is in , or . We prove propositions that the algorithm is both sound and complete. Furthermore, we provide a sufficiency test for the referee to know how many runs are required for her to have sufficient information to check if a particular element is in , or .
4.3.1. Steps for certification
Below we provide the steps for certifying RQSS. Before commencing certification, the referee numerically labels each element of the power set and proceeds to test each labelled element of the power set in order according to this labelling. For simplicity, and without loss of generality, we assume that each player holds one share; thus, the number n of modes equals one more than the number of players, hence shares, in the given subset. This extra mode allows a single-mode reference field in addition to the modes held by the players.
The referee conducts a test that requires many rounds (3.2.3) for each power-set element. The test evaluates whether a fixed subset of players is in , or . In order to do so, the referee estimates the quantum mutual information between the reference state and the extracted secret state such that
with a failure probability . Algorithm 4 accepts as input and determines the structure of the power-set element. If the test result is consistent with the dealer's announcement that the access structure is the announced Γ, the referee announces a new subset of players to test; otherwise the procedure halts as the team of dealer and players has failed the certification test.
To estimate , the referee estimates the expectation values corresponding to each element of the matrices
and
with defined in equation (3). The first and second modes hold reference and reconstructed secret states, respectively. The referee's result is then used to estimate the covariance matrix (9) of according to [13]
This covariance matrix is used to calculate the entropies of and using algorithm 1. The resultant entropies are then inserted into the standard formula for quantum mutual information (57).
The expectation value of each element of (91) and (92) is calculated by performing multiple homodyne measurements on identical and independent copies of and taking the average of the measurement results. Using Chebyshev's inequality [13], the referee calculates an upper bound for the estimation error of each expectation value as a function of the number of rounds and β. This estimation error is then used to calculate the maximum estimation error of the covariance-matrix entries via the standard formula for error propagation. Afterwards she calculates the bound on the estimation error of the entropies following algorithm 2. The estimation error of is bounded by the sum of the entropies' estimation errors. The rounds continue until the estimation error of is below a prespecified acceptable error.
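The estimation chain described above, for the TMSV case of section 4.1, as an added Python example that is not code from the paper. Assumptions: the convention ħ = 1 with vacuum covariance I/2 and entropies in nats, the function names, and drawing samples directly from the Gaussian Wigner function as a stand-in for the 14 homodyne settings of algorithm 3.

```python
import math
import random

# Assumed convention: hbar = 1, vacuum covariance I/2, entropies in nats,
# quadrature order (x_ref, p_ref, x_sec, p_sec). All names are hypothetical.

def tmsv_cov(r):
    """Exact covariance matrix of a TMSV with squeezing parameter r."""
    c, s = math.cosh(2 * r) / 2, math.sinh(2 * r) / 2
    return [[c, 0, s, 0], [0, c, 0, -s], [s, 0, c, 0], [0, -s, 0, c]]

def det(m):
    """Determinant by Gaussian elimination with partial pivoting."""
    m, d, n = [row[:] for row in m], 1.0, len(m)
    for k in range(n):
        p = max(range(k, n), key=lambda i: abs(m[i][k]))
        if m[p][k] == 0:
            return 0.0
        if p != k:
            m[k], m[p], d = m[p], m[k], -d
        d *= m[k][k]
        for i in range(k + 1, n):
            f = m[i][k] / m[k][k]
            m[i] = [a - f * b for a, b in zip(m[i], m[k])]
    return d

def g(nu):
    """Entropy of one mode with symplectic eigenvalue nu (clamped to 1/2)."""
    a, b = max(nu, 0.5) + 0.5, max(nu, 0.5) - 0.5
    return a * math.log(a) - (b * math.log(b) if b > 0 else 0.0)

def qmi(sigma):
    """S(reference) + S(secret) - S(joint) for a two-mode Gaussian state."""
    blk = lambda i, j: [row[j:j + 2] for row in sigma[i:i + 2]]
    d_ref, d_sec, d_cross = det(blk(0, 0)), det(blk(2, 2)), det(blk(0, 2))
    delta = d_ref + d_sec + 2 * d_cross  # symplectic invariant of sigma
    disc = math.sqrt(max(delta ** 2 - 4 * det(sigma), 0.0))
    joint = sum(g(math.sqrt(max((delta + sg * disc) / 2, 0.0))) for sg in (1, -1))
    return g(math.sqrt(max(d_ref, 0.0))) + g(math.sqrt(max(d_sec, 0.0))) - joint

def estimate_cov(r, n_rounds, seed=1):
    """Covariance estimate from n_rounds simulated iid copies (constructed data)."""
    rng = random.Random(seed)
    big, small, h = math.exp(r) / math.sqrt(2), math.exp(-r) / math.sqrt(2), math.sqrt(2)
    mean, second = [0.0] * 4, [[0.0] * 4 for _ in range(4)]
    for _ in range(n_rounds):
        xp, xm = rng.gauss(0, big), rng.gauss(0, small)  # x_ref +/- x_sec
        pp, pm = rng.gauss(0, small), rng.gauss(0, big)  # p_ref +/- p_sec
        v = [(xp + xm) / h, (pp + pm) / h,
             (xp - xm) / h, (pp - pm) / h]
        for i in range(4):
            mean[i] += v[i] / n_rounds
            for j in range(4):
                second[i][j] += v[i] * v[j] / n_rounds
    return [[second[i][j] - mean[i] * mean[j] for j in range(4)] for i in range(4)]

def chebyshev_error(sigma_max, n_rounds, beta):
    """eps such that P(|sample mean - mean| >= eps) <= beta for iid rounds."""
    return sigma_max / math.sqrt(n_rounds * beta)

if __name__ == "__main__":
    for n in (1000, 10000, 100000):
        est = qmi(estimate_cov(1.0, n))
        print(n, round(est, 3), round(qmi(tmsv_cov(1.0)), 3), chebyshev_error(2.0, n, 0.01))
```

Estimated symplectic eigenvalues that fall below 1/2 because of sampling noise are clamped in `g`, which keeps the logarithms defined when the joint state is close to pure.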
Algorithm 1. Continuous-variable quantum entropy ().
Input:
▹ Number of modes
▹ Covariance matrix
(4)
Output:
▹ von Neumann entropy
function vonNeumannH
. ▹ Calculates positive eigenvalues.
.
return
end function
Algorithm 2. Upper bound of estimation error.
Input:
▹ Number of modes
▹ Covariance matrix
▹ Maximum estimation error of covariance matrix elements
Output:
▹ Upper bound of QMI estimation error
function
maximal singular value of .
minimal singular value of .
return ▹ is always finite.
end function
Algorithm 3. Estimation of QMI.
Input:
▹ Number of trials
▹ T copies of the joint state ρ for the reference and players' reconstructed state
▹ Error tolerance for estimated QMI
▹ Failure probability tolerance
▹ A uniform upper bound on the standard deviations of measurement results
▹ Homodyne measurement on mode MODE with respect to local-oscillator phase θ; replaces ρ by some with probability
Output:
▹ Estimated QMI
procedure EstimateQMI,Tol,
for i from 1 to 2 do
for j from 1 to 2 do
▹ Initialize covariance matrix for the players' reconstructed state including position-position, position-momentum, momentum-position and momentum-momentum
▹ Initialize covariance matrix for the reference state including position-position, position-momentum, momentum-position and momentum-momentum
end for
end for
for i from 1 to 4 do
▹ Initialize vector comprising sums of in-phase and out-of-phase homodyne measurements of modes 0 and 1
for j from 1 to 4 do
▹ Initialize joint reconstructed-reference covariance matrix including position-position, position-momentum, momentum-position and momentum-momentum
SecondMom ▹ Second-moment matrix defined in equation (91)
end for
end for
▹ Maximum estimation error of measurement results expectation values with a least probability
▹ Number of times that the referee performs the sufficiency test
▹ Initialize to the first of input
▹ Initialize to any value greater than
for r from 1 to T
while do
▹ Increment the sufficiency-test counter
if then ▹ Referee measures 14 copies before ascertaining sufficiency
return Fail
Exit ▹ Abort procedure if fewer than 14 copies remain
end if
if mod 14 = 0 ▹ Measure one of T copies of ρ
Call ▹ In-phase homodyne measurement of the reconstructed state
▹ Sum detection outcomes
else if mod 14 = 0 ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reconstructed state
▹ Sum detection outcomes
else if mod 14 = 0 ▹ Measure one of T copies of ρ
Call ▹ In-phase homodyne measurement of the reference state
▹ Sum detection outcomes
else if mod 14 = 0 ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reference state
▹ Sum detection outcomes
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ In-phase homodyne measurement of the reconstructed state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ In-phase homodyne measurement of the reconstructed state
Call HOMMEAS ▹ In-phase homodyne measurement of the reference state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ In-phase homodyne measurement of the reconstructed state
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reference state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reconstructed state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reconstructed state
Call HOMMEAS ▹ In-phase homodyne measurement of the reference state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reconstructed state
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reference state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ In-phase homodyne measurement of the reference state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Out-of-phase homodyne measurement of the reference state
else if mod 14 = 0 then ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Homodyne measurement of the reconstructed state with respect to local-oscillator phase
=
else mod 14 = 0 ▹ Measure one of T copies of ρ
Call HOMMEAS ▹ Homodyne measurement of the reference state with respect to local-oscillator phase
=
end if
for i from 1 to 4 do
for j from i to 4 do
end for
end for
for i from 1 to 2
for j from 1 to 2
end for
end for
▹ Via standard error propagation method
▹ See algorithm 2
end while
end for
return ▹ see algorithm 1
end procedure
Algorithm 4. Certification of RQSS protocols.
Input:
▹ Number of trials for each instance
▹ Threshold quantum mutual information for the forbidden structure
▹ Threshold quantum mutual information for all authorized structures
▹ Estimation error bound of estimated QMI
▹ Maximum failure probability
▹ Cardinality of the set of players
▹ Returns power set of players structure claimed by the dealer (78)
▹ is the joint state for the reference and players' reconstructed state for subset of players
▹ A uniform upper bound on the standard deviations of measurement results
▹ Homodyne measurement on mode MODE with respect to local-oscillator phase θ; replaces ρ by some with probability
Output:
▹ Certify (b = 1) or not certify (b = 0)
Procedure Certification
▹ initialize the structure of power-set elements based on referees' test to
▹ initialize the number of power-set elements that pass the test
for J from 1 to do
▹ see algorithm 3.
if
then
else if
else
end if
if then
else
Exit ▹ Halt
end if
end for
if then
.
else
.
end if
return b
end procedure
Proposition 1. Algorithm 3 ensures
and
for N the number of rounds.
Proof. Using Chebyshev's inequality [13],
Equations (102) and (103) equivalently are
Assigning
and assuming an independent identically distributed (iid) protocol delivers
Let be the maximum estimation error of estimated covariance matrix, which is calculated in terms of (106) via standard error propagation methods. In the following we give an upper bound on the estimation error of quantum mutual information in terms of . In order to do so, we introduce some helpful notation and theorems used in our proofs.
For any two Gaussian states with corresponding covariance matrices and , the entropy difference is bounded by [42]
for
Also
holds for any covariance matrix [43]. Hence,
By substituting equation (111) into (109), we obtain the perturbation bound
For any , let and be the estimated and real covariance matrices, respectively. Then
Also
Furthermore, let us define
and
Thus,
Due to the triangle inequality,
Each of the terms in the right-hand side of equation (118) is suitably achieved by using equation (112). Substituting equations (114) and (115) into the resultant equation delivers equation (100).
Now we show that scales properly with respect to number of rounds. Using the Weyl [44] perturbation bound for singular value decomposition, we conclude
Therefore, the error bound scales inversely with the square root of the number of rounds. Next we prove that algorithm 4 is both sound and complete.□
- (i)
- (ii) if then the algorithm fails with probability at least .
Proof. We show cases (i) and (ii) in sequence.
Case (i): We first recall that
Also
Therefore,
As , we conclude
Thus, algorithm 4 accepts with probability at least if .
Case (ii): We note that
Therefore, substituting equation (83) into (124) delivers
Thus, algorithm 4 rejects with probability at least if .□
- (i)
- (ii)
Proof. We show cases (i) and (ii) in sequence.
Case (i):
Also
Therefore,
Substituting equation (126) in (128) delivers
As , we conclude
Thus, algorithm 4 accepts with probability at least if .
Case (ii):
Substituting equation (86) into (128) delivers
Thus, algorithm 4 rejects with probability at least if .□
- (i)
- (ii)
Proof. We show cases (i) and (ii) in sequence.
Case (i):
Also
Therefore,
Substituting equation (133) into (135) delivers
Thus, algorithm 4 accepts with probability at least if .
Case (ii):
and
Substituting equations (87) and (88) into equations (137) and (138), respectively, delivers
and
As , we conclude
and
Thus, algorithm 4 rejects with probability at least if .□
5. Discussion
In this section we discuss our results. We have two main results. The first result is a security analysis, which assigns subsets of players to each of the three structures, namely, authorized, intermediate, and forbidden structures. The second result is certification, which is performed by a referee. In our security analysis, we not only determine structures for subsets of players, but we also quantify information leakage. For certification we introduce a referee who has limited resources such as a finite local-oscillator field. We now discuss these two results.
We base our approach on TRS03, which divides subsets of players into authorized and forbidden structures. TRS03 do not consider the intermediate structure because their security analysis is based on assuming infinite squeezing, but finite squeezing is responsible for information leakage, which leads us to introduce the intermediate structure based on ramp SS concepts. RQSS has been considered before in two cases: discrete-variable threshold RQSS [5] and entanglement sharing [45]. These analyses did not treat the CV case, however. In our case, for any amount of finite squeezing, we construct encoding and decoding procedures and thereby assign each subset to the correct structure.
Now we describe our result for certification. In our protocol, the dealer supplies the players with the encoded state, and in fact the state would be entangled with another share that goes directly to the referee. The referee identifies which subset of players is to transmit the decoded state to the referee, and the referee can combine this state with any shares that did not go through the players and then performs homodyne detection [13, 46]. The referee performs homodyne measurement, and, if the local oscillator strength is infinite, then standard homodyne theory suffices to describe the statistics. We study the particular case of the referee performing tests based on Gaussian states and repeated measurements to allow the referee to estimate accurately the mean and covariance of the resultant state. The referee's procedure is valid even in the case of limited local-oscillator strength.
As our procedure is rather complicated and involves multiple parties, we have augmented our analysis by including pseudocode to explain step-by-step instructions on how to complete the procedure. Our pseudocode analysis makes clear exactly what is required of each party in the procedure. This pseudocode description could be a useful approach for describing future CV quantum-information protocols.
6. Conclusions
We have developed CV quantum mutual information with an external reference system in order to quantify the leakage of information and evaluate the security of CV QSS protocols. Furthermore, we prove that information leakage arising in the TRS03 scheme monotonically decreases with reduced squeezing. In addition, we introduce a certification process for CV QSS in the framework of quantum-interactive proofs and RQSS schemes.
Pseudocodes have been introduced in order to represent clearly the sequence of steps taken to solve the certification problem. Subsequently, we provide a practical realization of the certification test using homodyne detection, including a sufficiency condition on the number of experimental runs the referee has to perform. We prove that the statistical error in the referee's estimated quantum mutual information scales with the inverse square root of the number of rounds.
Our certification procedure assumes the extracted secret states are iid. In reality, this iid property does not hold due to environmental noise. Furthermore, in QSS schemes, malicious parties might generate highly complicated entanglement among samples to fool the referee. As a future line of research, it is important to extend our certification procedure to the case of samples that are not independent and identically distributed.
Another useful avenue of research would be to analyze the effect of systematic errors in the referee's measurement procedure. As a final remark, we emphasize that our certification approach is applicable to certifying other quantum-information protocols such as summoning of quantum information in space time, quantum error correcting codes and quantum teleportation in the framework of quantum-interactive proof systems.
Acknowledgments
We acknowledge funding from the Government of Alberta and NSERC.
Appendix. Calculation of quantum mutual information
The total density operator of all shares and the reference system after the extraction procedure is
where
We let
and the states and be tensor products of position states with two degrees of freedom. The joint density function
of the extracted secret and the reference system is then obtained by tracing over shares . The resultant density matrix is
where for which (37). Also, where are the coefficients of the expansion for which Then, by employing equations (6)–(8), we transform this density matrix into a Wigner function representation (6), namely
Wigner functions are particularly useful for calculating expectation values of symmetrically ordered functions and denoted by , with S denoting symmetric ordering, and with expectation value
By inserting the Wigner function (A.6) in equation (A.7), we derive the generic elements of the covariance matrix corresponding to the joint reference and extracted-secret state. The elements of are
The covariance matrix of the extracted secret and reference system denoted by and are
Also the joint covariance matrix of the extracted secret and reference system is
For convenience, let us also define
Using equation (13), symplectic eigenvalues of and denoted by and are
for which and are defined in equation (A9). Symplectic eigenvalues of denoted by is calculated using equation (15), therefore
where .