Entanglement-assisted private communication over quantum broadcast channels
We consider entanglement-assisted (EA) private communication over a quantum broadcast channel, in which there is a single sender and multiple receivers. We divide the receivers into two sets: the decoding set and the malicious set. The decoding set and the malicious set can either be disjoint or can have a finite intersection. For simplicity, we say that a single party Bob has access to the decoding set and another party Eve has access to the malicious set, and both Eve and Bob have access to the pre-shared entanglement with Alice. The goal of the task is for Alice to communicate classical information reliably to Bob and securely against Eve, and Bob can take advantage of pre-shared entanglement with Alice. In this framework, we establish a lower bound on the one-shot EA private capacity. When there exists a quantum channel mapping the state of the decoding set to the state of the malicious set, such a broadcast channel is said to be degraded. We establish an upper bound on the one-shot EA private capacity in terms of smoothed min- and max-entropies for such channels. In the limit of a large number of independent channel uses, we prove that the EA private capacity of a degraded quantum broadcast channel is given by a single-letter formula. Finally, we consider two specific examples of degraded broadcast channels and find their capacities. In the first example, we consider the scenario in which one part of Bob’s laboratory is compromised by Eve. We show that the capacity for this protocol is given by the conditional quantum mutual information of a quantum broadcast channel, and so we thus provide an operational interpretation to the dynamic counterpart of the conditional quantum mutual information. In the second example, Eve and Bob have access to mutually exclusive sets of outputs of a broadcast channel.
Among the many results of classical information theory, transmitting private information over wiretap channels is of both conceptual profoundness and practical relevance [Wyn75]. A wiretap channel is modeled as a conditional probability distribution , in which models the information a sender Alice intends to transmit, models the outcome obtained by a receiver Bob, and models what a malicious third-party Eve holds. The goal of private communication is for Alice to reliably transmit a given message to Bob, while Eve gets negligible information about the transmitted message.
Private communication in quantum information theory is naturally defined by allowing each party to possess a quantum system, as well as a quantum channel to connect Alice to Bob and Eve. However, in the quantum setting, it is typical to give Eve full control of the environment of the channel from Alice to Bob [Dev05]. This strongest form of security in the quantum setting is guaranteed by the peculiar nature of quantum mechanics, in the form of the no-cloning theorem and the observer effect. Actually, it is the well-known BB84 quantum key distribution protocol [BB84], a particular kind of private communication protocol, that played a role in the unification of quantum mechanics and classical Shannon theory, which eventually resulted in the birth of what we call quantum Shannon theory today.
The possibility of exploiting shared quantum entanglement prior to communication has been considered extensively in quantum Shannon theory. The superdense coding protocol [BW92] was the first example to reveal the power of entanglement in the context of communication, in which, by using one ebit and a noiseless quantum channel, one can transmit two bits of classical information. Entanglement-assisted (EA) classical communication over a quantum channel was thereafter one of the problems considered and solved early on [BSST99, BSST02, Hol02]. Surprisingly, the use of pre-shared entanglement simplifies the problem of determining capacity, in the sense that the optimal rate is given by a single-letter formula: the quantum mutual information of a quantum channel [BSST99, BSST02, Hol02]. Later on, various EA protocols have been studied, including quantum communication [DHW04, DHW08] and classical communication over quantum broadcast [YHD11, DHL10, WDW17] and multiple-access channels [HDW08, QWW17]. However, EA private communication has not been considered to the best of our knowledge, although it is practically meaningful and mathematically well-defined. In this work, we consider a general EA private communication protocol over a single-sender multiple-receiver quantum broadcast channel.
The capacity of a channel is an asymptotic concept, defined in the limit of a large number of channel uses. This notion, which in many cases is given by a simple formula and invokes powerful tools such as typicality, is one of Shannon’s great contributions [Sha48]. In an effort to bring this notion closer to practice, recently many works have been devoted to the so-called one-shot theory [Ren08, DRRW13, DH13, MW14a], which studies the maximum amount of information that can be transmitted over a single use of a quantum channel, subject to the error probability being below a certain threshold. Results in one-shot theory typically not only reduce to correct bounds on the capacity in the independent and identically distributed (i.i.d.) limit, but they are also the foundation for further study of correlated quantum channels [BD06, CGLM14] and second-order asymptotics [TH13, Li14, TT15, DL15, LD16, DTW16, BDL16, TBR16, DPR16, WTB17, Led16].
In this work, we consider a general setting for EA private communication, in which a sender and receivers are connected by a quantum broadcast channel . Here , called the decoding set, includes the systems that Bob holds, and , called the malicious set, includes all the systems held by Eve. The sets and need not be disjoint in our model. An EA private code is then defined as a set of encoding and decoding channels, such that transmitted messages can be decoded by Bob with an error probability no more than , and meanwhile the leakage of information to Eve (defined in what follows) is no more than . The --one-shot EA private capacity, denoted as , is the largest number such that there exists an code for the channel .
Our first result in Theorem 2 is the following lower bound on the one-shot EA private capacity for :
where is an arbitrary quantum state and . The first two terms in the above expression are the difference of the hypothesis-testing- and smoothed-max-mutual information, which we formally define in Section 2.
To establish the lower bound in (1), we use two recently developed techniques: position-based coding [AJW17] and convex splitting [ADJ17]. Position-based coding relates the decoding procedure of the receiver to quantum hypothesis testing, while convex splitting works like a one-shot version of the covering lemma (see, e.g., [Wil17b, Chapter 17] for a discussion of the covering lemma). Also, see [QWW17] for further developments on the connection between decoding and hypothesis testing in network quantum information theory. These two techniques have been applied in various settings, including EA classical communication over point-to-point quantum channels and broadcast channels [AJW17], private communication [Wil17a], classical communication over quantum multiple-access channels [QWW17], state redistribution [ADJ17], and the quantum Slepian-Wolf problem [AJW18]. From one-shot lower bounds, it is straightforward to obtain a lower bound on the second-order coding rate by applying second-order expansions of the hypothesis testing relative entropy [TH13, Li14, DPR16], as done, e.g., in [Wil17a, QWW17].
Our second result in Theorem 3 is the following upper bound on the one-shot EA private capacity of a quantum broadcast channel:
where is classical on and quantum on , and . The definition of smoothed min- and max-conditional entropies are given in Section 2. Theorem 4 presents a different one-shot bound in the case that the broadcast channel is degraded (see Definition 1).
Next, we define the EA private information of a quantum broadcast channel (see (73)), and we prove that it is additive if the quantum broadcast channel is degraded. Finally, we prove that the EA private capacity of a degraded broadcast channel is given by the EA private information of the channel.
We also consider two special cases of degraded quantum broadcast channels. We briefly summarize our results on the first one here, since it gives an operational meaning to the conditional mutual information (CMI) of a quantum broadcast channel, extending the recent development in [SWW17]. The first scenario consists of one part of Bob’s laboratory being compromised by Eve, which can be modeled by a broadcast channel in which Bob’s laboratory consists of systems . Bob has access to both systems while Eve has access to system . In this case, the broadcast channel is degraded since , where and is a bipartite state. We prove a single-letter capacity formula for this task, which is given by the CMI of the broadcast channel:
Table 1 summarizes how our result on the CMI of a broadcast channel fits into the larger context of prior results in quantum Shannon theory. Optimal rates of communication protocols in quantum Shannon theory are often given by entropic quantities. Or put in another way, different communication protocols give operational meanings to different information quantities. An initial resource can either be static or dynamic. A protocol involving a static resource starts with some initial quantum state and realizes some target state at the end, without using a noisy quantum channel as a resource. On the other hand, a protocol involving a dynamic resource, such as a noisy quantum channel, involves the corruption of information when it is transmitted via this channel. For protocols involving a dynamic resource, the optimal rate is given by an information function of a quantum channel, which usually involves an optimization over states that are fed into the channel.
The rest of our paper is organized as follows. In Section 2, we summarize definitions and lemmas relevant to our proofs. We consider bounds on the one-shot EA private capacity in Section 3. There we establish both lower and upper bounds on the one-shot EA private capacity of an arbitrary quantum broadcast channel. By combining these results, we arrive at a single-letter formula for the EA private capacity of a degraded quantum broadcast channel in the asymptotic setting. In Section 4, we consider two special cases of a two-receiver broadcast channel. As corollaries of our main theorem, we establish EA private capacities for both cases. In the first scenario, we prove that the of a quantum broadcast channel is the optimal rate. Finally, we summarize our main results and discuss future directions in Section 5.
We use notation and concepts that are standard in quantum information theory and point readers to [Wil17b] for background. In the rest of this section, we review concepts that are less standard and set some notation that will be used later in the paper.
Trace distance, fidelity, and purified distance. Let denote the set of density operators acting on a Hilbert space and the set of subnormalized density operators (with trace not exceeding one) acting on . The trace distance between two quantum states is equal to , where for any operator . It has a direct operational interpretation in terms of the distinguishability of these states. The fidelity between two quantum states is defined as [Uhl76], which is invariant with respect to isometries and monotone non-decreasing with respect to channels. The sine distance or -distance between two quantum states is defined as
The following inequality relates trace distance and purified distance:
For a state , we define the ball of -close subnormalized states around as
Relative entropies and variances. The quantum relative entropy of two states and is defined as [Ume62]
whenever , and it is equal to otherwise.
The following relation between the min- and max-relative entropies holds [MLDS13, Theorem 7]
Conditional entropies and mutual informations. Conditional entropies play an important role in our converse proof. The max- and min-conditional entropies are defined as [Ren08]
along with their smoothed versions:
If the system is trivial, the conditional entropies reduce to max- and min-entropies:
We can define different one-shot mutual informations by using different relative entropies. It turns out that the max-mutual information often appears in one-shot bounds of various protocols. There are several different ways to define max-mutual information in general [BCR11, CBR14], but what we employ in the convex-split lemma below is the following variation [AJW17]:
The -hypothesis-testing-mutual information is defined here as
Hayashi–Nagaoka operator inequality. A key tool in analyzing error probabilities in communication protocols is the Hayashi–Nagaoka operator inequality [HN04]: given operators and such that and , the following inequality holds for all :
Convex-split lemma. The convex-split lemma from [ADJ17] has been a key tool used in recent developments in quantum information theory [ADJ17, AJW17]. Here, we state a slight variant of the convex-split lemma from [Wil17a], which can be helpful for obtaining one-shot bounds for privacy and ensuing bounds on second-order coding rates.
Let be a state, and let be the following state:
Let and . If
for some state such that .
3 One-shot bounds for EA private communication over a quantum broadcast channel
We consider a quantum broadcast channel , for which is the set of systems held by Bob, while is the set of systems held by Eve. We call the decoding set and the malicious set. Notice that we do not assume any relationship between the two sets and . For instance, it is possible that or . It is this freedom that gives our model some generality.
In a protocol for EA private communication, a sender Alice would like to transmit a classical message , chosen from a set where , to Bob via the quantum broadcast channel . She and the receivers also pre-share entanglement to assist their communication, represented by some bipartite state . Moreover, we also allow Eve to have access to this pre-shared entanglement. The goal of EA private communication is for Bob, who holds systems , to reliably decode Alice’s transmitted message, while Eve, who holds systems , can only get negligible information about Alice’s message. Fix , , and . We define a code to be a set of encoding channels and a decoding positive operator-valued measure (POVM) , such that
the classical messages can be reliably decoded by Bob:
where and , and
each classical message is -secure:
where is a fixed state.
In the above, is some constant state that does not contain any information about Alice’s message (one can show that (28) guarantees that the mutual information is small [Wil17b, Section 23.1.1]). For fixed , let denote the one-shot EA private capacity, i.e., the largest value of for which there exists a code. The EA private capacity of the quantum broadcast channel is defined as
In our paper, we focus our attention mostly on degraded quantum broadcast channels, which are defined as follows:
Definition 1 (Degraded broadcast channel)
Let be a quantum broadcast channel with a decoding set and a malicious set . The channel is degraded if there exists a quantum channel such that
for all states . Here includes all the systems in except those in .
3.1 Lower bound on the one-shot EA private capacity
Let be a quantum broadcast channel with decoding set and malicious set . For fixed and , the one-shot EA private capacity is bounded from below as
In the above, is an arbitrary quantum state and .
Proof. The proof is related to the approach given in [Wil17a], which more generally is inspired by the well known approach from [Wyn75].
Encoding: Alice and Bob prepare blocks of entangled states, each of which is the tensor-product of bipartite states . That is, we take the pre-shared entangled state before the communication begins to be
To send message , Alice first chooses a local key variable uniformly at random and then sends the th system through the quantum channel . Therefore, after the transmission, the state for Bob and Eve is as follows:
where and , we have the following bound
where is a POVM built from the test operator for the hypothesis testing relative entropy that optimally distinguishes between and . In particular, see [QWW17, Theorem 8] for more details.
Security: Since for each message , the local key is chosen uniformly at random, the state held by the malicious party is as follows:
Now invoking the convex-split lemma (recalled at the end of Section 2), as long as
where , we have the following bound for the trace distance:
where is a state such that , and . The first equality follows from the property . The first inequality follows from the definition of purified distance. The last inequality is due to the convex-split lemma and the choice in (37).
The last equality follows because the first equality holds for any input state , and for any value of and . Since the one-shot capacity is defined to be the largest value of for which there exists a code, the desired result follows.
and the inverse cumulative Gaussian distribution function as , where
we can obtain a lower bound on the second-order coding rate for EA private communication, in a way similar to what was reported in [Wil17a]. Indeed, recall the following second-order expansions [TH13, Li14, DPR16]:
Let us define the mutual information variance of a bipartite state as
Then by taking , and applying the above expansions, as well as [Wil17a, Lemma 1], we find the following lower bound on the second-order coding rate for EA private communication over the broadcast channel :
for and for some state .
3.2 Upper bound on the one-shot EA private capacity
In the proof of Theorem 3 below, we derive an upper bound on the one-shot EA private capacity of a quantum broadcast channel. This upper bound coincides with the lower bound from Theorem 2 in the asymptotic, i.i.d. limit.
Let be a quantum broadcast channel with a decoding set and a malicious set , and let , . Then the one-shot EA private capacity is bounded from above as
where is classical on and quantum on and .
Proof. We begin by establishing an upper bound on for an arbitrary EA private communication code (with the state defined in what follows), essentially by following an approach similar to that in [RR11]. To establish the upper bound, we consider the task of EA secret key distribution, which in turn gives an upper bound on the one-shot EA private capacity. In this task, Alice picks a classical message uniformly at random, places it in a system , and makes a copy of it in a system . The goal at the end is to produce a secure and perfectly correlated key between her and Bob, such that Bob has a copy of Alice’s message. Therefore, the initial state of Alice’s systems is as follows:
For an arbitrary code, the combined state of Bob and Eve’s systems after one use of the broadcast channel is as follows:
where . After the decoding procedure, Alice and Bob end up with imperfect shared randomness, represented by the following state:
Here, is the probability of Bob decoding when the message transmitted by Alice is .
Next, we find an upper bound on the trace distance between and . Consider the following chain of inequalities:
The first equality follows from the direct-sum property of trace norm. The second equality follows from the triangle inequality. To obtain the last inequality, we apply the reliable decoding condition of a code.
We now show that . Consider the following chain of inequalities:
The first inequality follows from the data processing inequality for the smoothed max-conditional entropy (see, e.g., [Tom12]). The second inequality follows from the definition of smoothed-max-conditional entropy.
Next, we show that , by invoking the security condition of the code. From the security condition, we know that for all messages , and we thus have
Therefore, by using the definition of purified distance and the Powers-Stormer inequality [PS70], we find that . The rest is straightforward:
Since these inequalities hold for any value of , the desired result in (49) follows.
If is a degraded quantum broadcast channel, then the one-shot EA private capacity is bounded from above as
where the optimization is over all bipartite states . Here, , , , and .
where and for small . We then have that
To proceed from here, we invoke Lemma 9 from [MW14b]:
We now fix . By using the data-processing inequality of smoothed-max-conditional entropy (see, e.g., [Tom12]) under the action of a degrading channel , we get
Therefore, we can discard the terms inside of the square bracket in (66), and by choosing , , , we find
where , and thus we need to impose the constraints and . The last step follows since systems and extend the input of channel . Since these inequalities hold for any value of , the desired result in (62) follows.
The optimization in Theorem 4 is with respect to mixed-state inputs with a potentially unbounded reference system . This could be viewed as undesirable. To get around this problem, we consider a purifying system for the input state , iterate once more with the chain rules in (63) and (64), and arrive at the following upper bound:
where the optimization is over all pure bipartite states and . (Note that, in the above expression, we have consolidated the systems external to the channel as a single system .) The bound above is not as tight as that stated in Theorem 4, but it has the advantage that the reference system