Entanglementassisted private communication over quantum broadcast channels
Abstract
We consider entanglementassisted (EA) private communication over a quantum broadcast channel, in which there is a single sender and multiple receivers. We divide the receivers into two sets: the decoding set and the malicious set. The decoding set and the malicious set can either be disjoint or can have a finite intersection. For simplicity, we say that a single party Bob has access to the decoding set and another party Eve has access to the malicious set, and both Eve and Bob have access to the preshared entanglement with Alice. The goal of the task is for Alice to communicate classical information reliably to Bob and securely against Eve, and Bob can take advantage of preshared entanglement with Alice. In this framework, we establish a lower bound on the oneshot EA private capacity. When there exists a quantum channel mapping the state of the decoding set to the state of the malicious set, such a broadcast channel is said to be degraded. We establish an upper bound on the oneshot EA private capacity in terms of smoothed min and maxentropies for such channels. In the limit of a large number of independent channel uses, we prove that the EA private capacity of a degraded quantum broadcast channel is given by a singleletter formula. Finally, we consider two specific examples of degraded broadcast channels and find their capacities. In the first example, we consider the scenario in which one part of Bob’s laboratory is compromised by Eve. We show that the capacity for this protocol is given by the conditional quantum mutual information of a quantum broadcast channel, and so we thus provide an operational interpretation to the dynamic counterpart of the conditional quantum mutual information. In the second example, Eve and Bob have access to mutually exclusive sets of outputs of a broadcast channel.
1 Introduction
Among the many results of classical information theory, transmitting private information over wiretap channels is of both conceptual profoundness and practical relevance [Wyn75]. A wiretap channel is modeled as a conditional probability distribution , in which models the information a sender Alice intends to transmit, models the outcome obtained by a receiver Bob, and models what a malicious thirdparty Eve holds. The goal of private communication is for Alice to reliably transmit a given message to Bob, while Eve gets negligible information about the transmitted message.
Private communication in quantum information theory is naturally defined by allowing each party to possess a quantum system, as well as a quantum channel to connect Alice to Bob and Eve. However, in the quantum setting, it is typical to give Eve full control of the environment of the channel from Alice to Bob [Dev05]. This strongest form of security in the quantum setting is guaranteed by the peculiar nature of quantum mechanics, in the form of the nocloning theorem and the observer effect. Actually, it is the wellknown BB84 quantum key distribution protocol [BB84], a particular kind of private communication protocol, that played a role in the unification of quantum mechanics and classical Shannon theory, which eventually resulted in the birth of what we call quantum Shannon theory today.
The possibility of exploiting shared quantum entanglement prior to communication has been considered extensively in quantum Shannon theory. The superdense coding protocol [BW92] was the first example to reveal the power of entanglement in the context of communication, in which, by using one ebit and a noiseless quantum channel, one can transmit two bits of classical information. Entanglementassisted (EA) classical communication over a quantum channel was thereafter one of the problems considered and solved early on [BSST99, BSST02, Hol02]. Surprisingly, the use of preshared entanglement simplifies the problem of determining capacity, in the sense that the optimal rate is given by a singleletter formula: the quantum mutual information of a quantum channel [BSST99, BSST02, Hol02]. Later on, various EA protocols have been studied, including quantum communication [DHW04, DHW08] and classical communication over quantum broadcast [YHD11, DHL10, WDW17] and multipleaccess channels [HDW08, QWW17]. However, EA private communication has not been considered to the best of our knowledge, although it is practically meaningful and mathematically welldefined. In this work, we consider a general EA private communication protocol over a singlesender multiplereceiver quantum broadcast channel.
The capacity of a channel is an asymptotic concept, defined in the limit of a large number of channel uses. This notion, which in many cases is given by a simple formula and invokes powerful tools such as typicality, is one of Shannon’s great contributions [Sha48]. In an effort to bring this notion closer to practice, recently many works have been devoted to the socalled oneshot theory [Ren08, DRRW13, DH13, MW14a], which studies the maximum amount of information that can be transmitted over a single use of a quantum channel, subject to the error probability being below a certain threshold. Results in oneshot theory typically not only reduce to correct bounds on the capacity in the independent and identically distributed (i.i.d.) limit, but they are also the foundation for further study of correlated quantum channels [BD06, CGLM14] and secondorder asymptotics [TH13, Li14, TT15, DL15, LD16, DTW16, BDL16, TBR16, DPR16, WTB17, Led16].
In this work, we consider a general setting for EA private communication, in which a sender and receivers are connected by a quantum broadcast channel . Here , called the decoding set, includes the systems that Bob holds, and , called the malicious set, includes all the systems held by Eve. The sets and need not be disjoint in our model. An EA private code is then defined as a set of encoding and decoding channels, such that transmitted messages can be decoded by Bob with an error probability no more than , and meanwhile the leakage of information to Eve (defined in what follows) is no more than . The oneshot EA private capacity, denoted as , is the largest number such that there exists an code for the channel .
Our first result in Theorem 2 is the following lower bound on the oneshot EA private capacity for :
(1) 
where is an arbitrary quantum state and . The first two terms in the above expression are the difference of the hypothesistesting and smoothedmaxmutual information, which we formally define in Section 2.
To establish the lower bound in (1), we use two recently developed techniques: positionbased coding [AJW17] and convex splitting [ADJ17]. Positionbased coding relates the decoding procedure of the receiver to quantum hypothesis testing, while convex splitting works like a oneshot version of the covering lemma (see, e.g., [Wil17b, Chapter 17] for a discussion of the covering lemma). Also, see [QWW17] for further developments on the connection between decoding and hypothesis testing in network quantum information theory. These two techniques have been applied in various settings, including EA classical communication over pointtopoint quantum channels and broadcast channels [AJW17], private communication [Wil17a], classical communication over quantum multipleaccess channels [QWW17], state redistribution [ADJ17], and the quantum SlepianWolf problem [AJW18]. From oneshot lower bounds, it is straightforward to obtain a lower bound on the secondorder coding rate by applying secondorder expansions of the hypothesis testing relative entropy [TH13, Li14, DPR16], as done, e.g., in [Wil17a, QWW17].
Our second result in Theorem 3 is the following upper bound on the oneshot EA private capacity of a quantum broadcast channel:
(2) 
where is classical on and quantum on , and . The definition of smoothed min and maxconditional entropies are given in Section 2. Theorem 4 presents a different oneshot bound in the case that the broadcast channel is degraded (see Definition 1).
Next, we define the EA private information of a quantum broadcast channel (see (73)), and we prove that it is additive if the quantum broadcast channel is degraded. Finally, we prove that the EA private capacity of a degraded broadcast channel is given by the EA private information of the channel.
We also consider two special cases of degraded quantum broadcast channels. We briefly summarize our results on the first one here, since it gives an operational meaning to the conditional mutual information (CMI) of a quantum broadcast channel, extending the recent development in [SWW17]. The first scenario consists of one part of Bob’s laboratory being compromised by Eve, which can be modeled by a broadcast channel in which Bob’s laboratory consists of systems . Bob has access to both systems while Eve has access to system . In this case, the broadcast channel is degraded since , where and is a bipartite state. We prove a singleletter capacity formula for this task, which is given by the CMI of the broadcast channel:
(3) 
Table 1 summarizes how our result on the CMI of a broadcast channel fits into the larger context of prior results in quantum Shannon theory. Optimal rates of communication protocols in quantum Shannon theory are often given by entropic quantities. Or put in another way, different communication protocols give operational meanings to different information quantities. An initial resource can either be static or dynamic. A protocol involving a static resource starts with some initial quantum state and realizes some target state at the end, without using a noisy quantum channel as a resource. On the other hand, a protocol involving a dynamic resource, such as a noisy quantum channel, involves the corruption of information when it is transmitted via this channel. For protocols involving a dynamic resource, the optimal rate is given by an information function of a quantum channel, which usually involves an optimization over states that are fed into the channel.
The rest of our paper is organized as follows. In Section 2, we summarize definitions and lemmas relevant to our proofs. We consider bounds on the oneshot EA private capacity in Section 3. There we establish both lower and upper bounds on the oneshot EA private capacity of an arbitrary quantum broadcast channel. By combining these results, we arrive at a singleletter formula for the EA private capacity of a degraded quantum broadcast channel in the asymptotic setting. In Section 4, we consider two special cases of a tworeceiver broadcast channel. As corollaries of our main theorem, we establish EA private capacities for both cases. In the first scenario, we prove that the of a quantum broadcast channel is the optimal rate. Finally, we summarize our main results and discuss future directions in Section 5.
2 Preliminaries
We use notation and concepts that are standard in quantum information theory and point readers to [Wil17b] for background. In the rest of this section, we review concepts that are less standard and set some notation that will be used later in the paper.
Trace distance, fidelity, and purified distance. Let denote the set of density operators acting on a Hilbert space and the set of subnormalized density operators (with trace not exceeding one) acting on . The trace distance between two quantum states is equal to , where for any operator . It has a direct operational interpretation in terms of the distinguishability of these states. The fidelity between two quantum states is defined as [Uhl76], which is invariant with respect to isometries and monotone nondecreasing with respect to channels. The sine distance or distance between two quantum states is defined as
(4) 
and it was proven to be a metric in [Ras02, Ras03, Ras06, GLN05]. It was later [TCR09] (under the name “purified distance”) shown to be a metric on subnormalized states via the embedding
(5) 
The following inequality relates trace distance and purified distance:
(6) 
For a state , we define the ball of close subnormalized states around as
(7) 
Relative entropies and variances. The quantum relative entropy of two states and is defined as [Ume62]
(8) 
whenever , and it is equal to otherwise.
The hypothesis testing relative entropy [BD10, WR12] of states and is defined as
(9) 
The max and minrelative entropy for states and are defined as [Dat09, KRS09]
(10)  
(11) 
The following relation between the min and maxrelative entropies holds [MLDS13, Theorem 7]
(12) 
The smoothed max and minrelative entropy for states and , and a parameter are defined as [Dat09, KRS09]
(13)  
(14) 
Conditional entropies and mutual informations. Conditional entropies play an important role in our converse proof. The max and minconditional entropies are defined as [Ren08]
(15)  
(16) 
along with their smoothed versions:
(17)  
(18) 
If the system is trivial, the conditional entropies reduce to max and minentropies:
(19)  
(20) 
We can define different oneshot mutual informations by using different relative entropies. It turns out that the maxmutual information often appears in oneshot bounds of various protocols. There are several different ways to define maxmutual information in general [BCR11, CBR14], but what we employ in the convexsplit lemma below is the following variation [AJW17]:
(21) 
The hypothesistestingmutual information is defined here as
(22) 
Hayashi–Nagaoka operator inequality. A key tool in analyzing error probabilities in communication protocols is the Hayashi–Nagaoka operator inequality [HN04]: given operators and such that and , the following inequality holds for all :
(23) 
Convexsplit lemma. The convexsplit lemma from [ADJ17] has been a key tool used in recent developments in quantum information theory [ADJ17, AJW17]. Here, we state a slight variant of the convexsplit lemma from [Wil17a], which can be helpful for obtaining oneshot bounds for privacy and ensuing bounds on secondorder coding rates.
Let be a state, and let be the following state:
(24) 
Let and . If
(25) 
then
(26) 
for some state such that .
3 Oneshot bounds for EA private communication over a quantum broadcast channel
We consider a quantum broadcast channel , for which is the set of systems held by Bob, while is the set of systems held by Eve. We call the decoding set and the malicious set. Notice that we do not assume any relationship between the two sets and . For instance, it is possible that or . It is this freedom that gives our model some generality.
In a protocol for EA private communication, a sender Alice would like to transmit a classical message , chosen from a set where , to Bob via the quantum broadcast channel . She and the receivers also preshare entanglement to assist their communication, represented by some bipartite state . Moreover, we also allow Eve to have access to this preshared entanglement. The goal of EA private communication is for Bob, who holds systems , to reliably decode Alice’s transmitted message, while Eve, who holds systems , can only get negligible information about Alice’s message. Fix , , and . We define a code to be a set of encoding channels and a decoding positive operatorvalued measure (POVM) , such that

the classical messages can be reliably decoded by Bob:
(27) where and , and

each classical message is secure:
(28) where is a fixed state.
In the above, is some constant state that does not contain any information about Alice’s message (one can show that (28) guarantees that the mutual information is small [Wil17b, Section 23.1.1]). For fixed , let denote the oneshot EA private capacity, i.e., the largest value of for which there exists a code. The EA private capacity of the quantum broadcast channel is defined as
(29) 
In our paper, we focus our attention mostly on degraded quantum broadcast channels, which are defined as follows:
Definition 1 (Degraded broadcast channel)
Let be a quantum broadcast channel with a decoding set and a malicious set . The channel is degraded if there exists a quantum channel such that
(30) 
for all states . Here includes all the systems in except those in .
3.1 Lower bound on the oneshot EA private capacity
In this section, we construct a code for EA private communication based on the techniques of positionbased coding [AJW17] and convex splitting [ADJ17].
Theorem 2
Let be a quantum broadcast channel with decoding set and malicious set . For fixed and , the oneshot EA private capacity is bounded from below as
(31) 
In the above, is an arbitrary quantum state and .
Proof. The proof is related to the approach given in [Wil17a], which more generally is inspired by the well known approach from [Wyn75].
Encoding: Alice and Bob prepare blocks of entangled states, each of which is the tensorproduct of bipartite states . That is, we take the preshared entangled state before the communication begins to be
(32) 
To send message , Alice first chooses a local key variable uniformly at random and then sends the th system through the quantum channel . Therefore, after the transmission, the state for Bob and Eve is as follows:
(33) 
where .
Reliable decoding: From previous work [AJW17, Wil17a, QWW17], we know that as long as
(34) 
where and , we have the following bound
(35) 
where is a POVM built from the test operator for the hypothesis testing relative entropy that optimally distinguishes between and . In particular, see [QWW17, Theorem 8] for more details.
Security: Since for each message , the local key is chosen uniformly at random, the state held by the malicious party is as follows:
(36) 
Now invoking the convexsplit lemma (recalled at the end of Section 2), as long as
(37) 
where , we have the following bound for the trace distance:
(38)  
(39)  
(40) 
where is a state such that , and . The first equality follows from the property . The first inequality follows from the definition of purified distance. The last inequality is due to the convexsplit lemma and the choice in (37).
Therefore, by combining (34) and (37), we have an code with
(41)  
(42) 
The last equality follows because the first equality holds for any input state , and for any value of and . Since the oneshot capacity is defined to be the largest value of for which there exists a code, the desired result follows.
Lower bound on the secondorder coding rate. Defining the relative entropy variance of two states and as [TH13, Li14]
(43) 
and the inverse cumulative Gaussian distribution function as , where
(44) 
we can obtain a lower bound on the secondorder coding rate for EA private communication, in a way similar to what was reported in [Wil17a]. Indeed, recall the following secondorder expansions [TH13, Li14, DPR16]:
(45)  
(46) 
Let us define the mutual information variance of a bipartite state as
(47) 
Then by taking , and applying the above expansions, as well as [Wil17a, Lemma 1], we find the following lower bound on the secondorder coding rate for EA private communication over the broadcast channel :
(48) 
for and for some state .
3.2 Upper bound on the oneshot EA private capacity
In the proof of Theorem 3 below, we derive an upper bound on the oneshot EA private capacity of a quantum broadcast channel. This upper bound coincides with the lower bound from Theorem 2 in the asymptotic, i.i.d. limit.
Theorem 3
Let be a quantum broadcast channel with a decoding set and a malicious set , and let , . Then the oneshot EA private capacity is bounded from above as
(49) 
where is classical on and quantum on and .
Proof. We begin by establishing an upper bound on for an arbitrary EA private communication code (with the state defined in what follows), essentially by following an approach similar to that in [RR11]. To establish the upper bound, we consider the task of EA secret key distribution, which in turn gives an upper bound on the oneshot EA private capacity. In this task, Alice picks a classical message uniformly at random, places it in a system , and makes a copy of it in a system . The goal at the end is to produce a secure and perfectly correlated key between her and Bob, such that Bob has a copy of Alice’s message. Therefore, the initial state of Alice’s systems is as follows:
(50) 
For an arbitrary code, the combined state of Bob and Eve’s systems after one use of the broadcast channel is as follows:
(51) 
where . After the decoding procedure, Alice and Bob end up with imperfect shared randomness, represented by the following state:
(52) 
Here, is the probability of Bob decoding when the message transmitted by Alice is .
Next, we find an upper bound on the trace distance between and . Consider the following chain of inequalities:
(53)  
(54)  
(55)  
(56) 
The first equality follows from the directsum property of trace norm. The second equality follows from the triangle inequality. To obtain the last inequality, we apply the reliable decoding condition of a code.
We now show that . Consider the following chain of inequalities:
(57) 
The first inequality follows from the data processing inequality for the smoothed maxconditional entropy (see, e.g., [Tom12]). The second inequality follows from the definition of smoothedmaxconditional entropy.
Next, we show that , by invoking the security condition of the code. From the security condition, we know that for all messages , and we thus have
(58) 
Therefore, by using the definition of purified distance and the PowersStormer inequality [PS70], we find that . The rest is straightforward:
(59) 
Using (57) and (59), we establish the following upper bound on the amount of transmitted information:
(60)  
(61) 
Since these inequalities hold for any value of , the desired result in (49) follows.
Theorem 4
If is a degraded quantum broadcast channel, then the oneshot EA private capacity is bounded from above as
(62) 
where the optimization is over all bipartite states . Here, , , , and .
Proof. Suppose that the quantum broadcast channel is degraded. In what follows, we apply the following chain rules to (60) for ([VDTR13, Theorem 13] and its dual):
(63)  
(64) 
where and for small . We then have that
(65)  
(66) 
for .
To proceed from here, we invoke Lemma 9 from [MW14b]:
(67) 
for , and . Substituting (67) into (66), we find that
(68) 
We now fix . By using the dataprocessing inequality of smoothedmaxconditional entropy (see, e.g., [Tom12]) under the action of a degrading channel , we get
(69) 
Therefore, we can discard the terms inside of the square bracket in (66), and by choosing , , , we find
(70)  
(71) 
where , and thus we need to impose the constraints and . The last step follows since systems and extend the input of channel . Since these inequalities hold for any value of , the desired result in (62) follows.
Remark 5
The optimization in Theorem 4 is with respect to mixedstate inputs with a potentially unbounded reference system . This could be viewed as undesirable. To get around this problem, we consider a purifying system for the input state , iterate once more with the chain rules in (63) and (64), and arrive at the following upper bound:
(72) 
where the optimization is over all pure bipartite states and . (Note that, in the above expression, we have consolidated the systems external to the channel as a single system .) The bound above is not as tight as that stated in Theorem 4, but it has the advantage that the reference system