Entanglement Sharing Protocol via Quantum Error Correcting Codes
We introduce a new multiparty cryptographic protocol, which we call ‘entanglement sharing schemes’, wherein a dealer retains half of a maximally-entangled bipartite state and encodes the other half into a multipartite state that is distributed among multiple players. In a close analogue to quantum secret sharing, some subsets of players can recover maximal entanglement with the dealer whereas other subsets can recover no entanglement (though they may retain classical correlations with the dealer). We find a lower bound on the share size for such schemes and construct two non-trivial examples based on Shor’s and the stabilizer code; we further demonstrate how other examples may be obtained from quantum error correcting codes through classical encryption. Finally, we demonstrate that entanglement sharing schemes can be applied to characterize leaked information in quantum ramp secret sharing.
pacs:03.67. Pp,03.67.Dd, 03.67.Hk, 03.67.Mn
Secret sharing is a well-studied multi-party cryptographic protocol in the classical regime Shamir (1979); Blakley (1979) and the quantum regime, which can correspond to either sharing classical messages via quantum channels Hillery et al. (1999) or sharing arbitrary quantum states Cleve et al. (1999) known as CQ and QQ versions, respectively Markham and Sanders (2008); we focus on QQ secret sharing here. Multi-party cryptographic protocols typically are described as involving one party (the dealer) possessing some information (the secret) which they distribute among the other parties (the players) in such a way that some subsets of players can completely recover the secret, whereas other subsets of players are denied any knowledge of the secret. Secret sharing has numerous applications in cryptography including secure multi-party computation, effecting the Byzantine agreement. threshold cryptography, access control, and generalized oblivious transfer Beimel (2011). In the quantum regime, where the secret can be quantum information, quantum secret sharing (QSS) could be applied to quantum generalizations of applications for secret sharing, such as distributed quantum computation Nascimento et al. (2001) or authorizing one party to access encrypted quantum communication.
Here we develop a theory of entanglement sharing schemes (ESS), which is based on QSS including one dealer and multiple players, but we are concerned not with recovery of classical or quantum information but rather with recovering shared entanglement between the dealer and the players. This secure protocol for sharing entanglement is important as entanglement is a valuable communication resource when only classical or degraded quantum channels are available between dealer and players after the initial sharing stage. Entanglement is a crucial consumable resource for quantum communication tasks such as quantum teleportation Bennett et al. (1993), super-dense coding Bennett and Wiesner (1992) and device-independent quantum key distribution Acín et al. (2007); Masanes et al. (2011).
In entanglement sharing, the dealer, rather than encoding an arbitrary quantum state as in QSS, encodes half of a bipartite maximally-entangled state (MES), which is then distributed to multiple players. This distribution meets the requirement that the entanglement can be perfectly recovered between the dealer and certain “authorized” subsets of players (the resultant shared entanglement being then usable as a resource). Futhermore no entanglement can be obtained between the dealer and other “unauthorized” subsets of players. The “access structure” is the collection of all authorized subsets, and the “adversary structure” is the collection of all unauthorized subsets.
The ESS, QSS and quantum error correcting coding (QECC) are interrelated as we shall discover in this paper. Any QSS scheme can be modified to serve as an ESS, and all ESSs can be derived from quantum error correcting codes. In symbolic language we can write QSS. Moreover quantum ramp secret sharing protocols (QRSSs) contain ESSs and are contained in protocols corresponding to quantum error correcting codes. Symbolically we can write
for the symbol denoting that the indicated scheme is actually its adaptation to ESS.
Entanglement sharing can be implemented using any QSS scheme: the dealer simply chooses the shared information to be half of an MES and proceeds as normal; the requirement for unauthorized subsets of the QSS scheme to have no information about the secret will ensure no shared entanglement with the dealer. However, as we find, the differing requirements for ESSs (in particular the ability for unauthorized subsets to share classical correlations with the dealer) allow for distinct schemes to be constructed. We present examples of such schemes in later sections, and discuss how the use of classical encryption allows them to be constructed from error-correcting codes which may not naturally allow for such schemes.
Finally we discuss the conceptual use of ESSs in the context of sharing arbitrary quantum states at a lower cost. In QSS
possessing perfect secrecy against information leakage, the size of shares allocated to each player must be at as large as the size of the secret Cleve et al. (1999); Gottesman (2000).
This limitation on the size of shares can impose large communication and storage costs.
QRSS is cheaper in the size of shares than quantum secret sharing, but it leaks some information to unauthorized sets of players, which are denoted as intermediate sets Ogawa et al. (2005). As the information leakage can compromise the secrecy of protocols, it is important to characterize the leaked information
and prevent the intermediate structure from learning any valuable information.
Ii Entanglement Sharing Schemes
Our general form of an ESS is as follows:
suppose that a dealer D initially prepares a quantum system
in an MES .
She retains half of the system, and encodes the other half into the shares of
players . Every subset of players must be either an authorized set or an
unauthorized set. We denote as the recoverability condition that any authorized set of players can reconstruct fully using
local operations (with respect to the player/dealer divide; they may perform joint quantum operations within their subset), and as the secrecy condition that any unauthorized set cannot share any entanglement with the dealer.
We note that in this scheme every access structure is monotone i.e. any set of shares including an authorized set is also authorized. Also the complement of any authorized set must be unauthorized, due to monogamy of entanglement Coffman et al. (2000); Osborne and Verstraete (2006), which states that if two systems are maximally entangled they cannot be entangled with any third system. This can be expressed, for example, via the inequality
for any composite system of , and . This inequality holds for some entanglement measures such as the one-way distillable
entanglement and the squashed entanglement Koashi and Winter (2004); Kim et al. (2012).
Let be the dealer, be an authorized set and be the complement of . As can be transformed into by LOCC (local operations and classical communication) with respect to the dealer/player divide, and vice versa, must have the same amount of entanglement with respect to this divide as . Therefore, the complement of any authorized set is an unauthorized set, i.e., . It similarly follows that, due to the monogamy of entanglement, an access structure in an ESS cannot have two disjoint subsets, since both such subsets could simultaneously recover maximal entanglement with the dealer. This is analogous to quantum secret sharing not allowing an access structure to have two disjoint subsets due to the no-cloning theorem.
We derive the upper bound of the recoverable entanglement using the non-lockability of the relative entropy of entanglement Horodecki et al. (2005); Plenio and Virmani (2007) to obtain Theorem 1. Let the share of a player be an “important” share if there is an unauthorized set such that is authorized.
Every ESS satisfies
where is the relative entropy of entanglement, is any state shared between a dealer D and a set of players P, and is the size of the smallest important share (i.e. is the number of qubits in that share).
Let be an unauthorized set satisfying where is an authorized set and is the player who possesses the smallest important share, and let be the reduced density matrix of joint system of and the dealer. Assume that the total dephasing (i.e., twirling) is performed on the smallest important share. That is, the unitary operators are applied to with equal probabilities. Then relative entropy of entanglement satisfies
and . Due to total dephasing, we have
Hence, the player does not now contribute to the entanglement with the dealer because it is independent of the other players and the dealer. Thus,
As the relative entropy of entanglement is invariant under local unitary transformations, we also have
Using the above equations we can rewrite (II.1) as
As is an unauthorized set, its reduced density matrix is not entangled with the dealer; i.e., . On the other hand, has the same amount of entanglement as because can be transformed into by LOCC and vice versa. Therefore, we have . ∎
Let a player possess a one-qubit important share, where is an unauthorized set and is authorized. As the set can recover the entangled state initially shared between a dealer D and a set of players P, the state has the same amount of entanglement as , but the amount of entanglement must go to zero by discarding the share . According to Horodecki et al. (2005), the amount of entanglement can decrease at most by two upon discarding one qubit with respect to the relative entropy of entanglement.
Any bipartite entanglement measure has the same value for an MES Plenio and Virmani (2007). Therefore, if a dealer D shares an MES with a set of players P, we have . This leads to the following corollary to Theorem 1.
For any entanglement measure ,
where is an initial MES and is the size of the smallest important share.
We note here a distinct difference between an ESS and a QSS, despite the close analogies of the two processes; in QSS the size of the secret can be no larger than that of the smallest share Gottesman (2000), whereas in an ESS (for which we find protocols that saturate this bound) one can share twice as much entanglement as the size of the smallest share.
Just as in QSS, a natural starting point for constructing an ESS is to use an existing QECC,
as the recovery operation in an ESS is a form of correction of erasure errors (the missing shares of the players which are not part of the subset performing the recovery). Thus, a given QECC naturally satisfies the necessary recovery condition for some ESS.
However, the secrecy condition for an ESS may be violated if the code
space yields unauthorized sets that share partially entangled states (i.e., neither maximally entangled nor separable) with the dealer.
As stabilizer codes are simple well-understood codes, we focus on using such codes as the basis for seeking ESSs. A dealer encodes a MES
via the mapping
where the code space of the stabilizer code is spanned by
with each a codeword of .
Each qubit of the code is taken as a share (i.e., where is the Hilbert space of the share).
In this scheme, an access structure is determined from the stabilizer of the stabilizer code. Such a code can detect all errors that are either in or anti-commute with any element of Gottesman (1997). If the stabilizer code can correct erasure errors on the set of shares, the complement of would be an authorized set that can reconstruct through the recovery operation of the code. In this way we can determine an access structure as well as an adversary structure.
In order to satisfy the secrecy condition of ESSs, we require that the reduced density matrix of every unauthorized set is separable with the dealer, which will not automatically be the case for a given QECC. We find, for example, that ESSs can be constructed from Shor’s nine-qubit code Shor (1995) (i.e., a stabilizer code) and from a stabilizer code Gottesman (1997). In both these schemes the reduced density matrix of every unauthorized set is straightforward to write in a separable form with the dealer. In general determining whether or not a bipartite density matrix is entangled is NP-Hard Gurvits (2003) so verifying the secrecy of an ESS is typically hard.
ii.2 Entanglement sharing using the [[4,2,2]] code
We now give an explicit example of an ESS. As shown below, the [[4,2,2]] stabilizer code leads to a threshold ESS (i.e., a scheme in which the access structure is determined solely by the number of players in each subset) due to the permutation invariance of the elements of its stabilizer. Moreover, this scheme saturates the bound of Eq. (2) as the size of shares is half of the size of initial entanglement.
We consider the case that a dealer D holds half of and encodes the other half into four shares according to
the set of Bell states, where D denotes the dealer’s qubit and the index of refers to the and shares.
As the stabilizer code can correct any single erasure error, can be recovered from any three or more shares. Thus, any single share cannot be entangled with the dealer, and we can show explicitly that any single share is in a product state with the dealer, of the form
with the identity matrix of a single share .
The subsets and each have a separable state with the dealer as is clear from Eq. (12). The following analysis shows that all other sets of two shares are also separable with the dealer. Note that, as found in Gour and Wallach (2010), the indices of qubits in the state can be re-ordered as
where is a permutation of . By tracing out two arbitrary players , one obtains the separable state
ii.3 Entanglement sharing using Shor’s code
An ESS with a general (not threshold) access structure can be constructed from Shor’s nine-qubit code. In this scheme, half of is encoded into nine shares of 1 qubit, producing the joint state of dealer and players of
We note that the encoding is not fully symmetric between shares, but divides the players into three “triplets” .
The nine-qubit Shor code Shor (1995) can correct erasure errors on any of those subsets which consist of
any one or two qubits,
two qubits in one triplet and a single qubit in another triplet (e.g., ), or
two qubits in one triplet and two qubits in another triplet (e.g., ).
Therefore, the complement of can recover using error correction for the 9-qubit code, and cannot be entangled with the dealer due to monogamy.
The remaining subsets of players , consisting neither of subsets nor their complements, are separable with the dealer. For example, the reduced density matrix of can be written as
In a similar way the other subsets in are also separable with the dealer, as shown in the Appendix A.
ii.4 Non-perfect entanglement sharing
As shown below, not all stabilizer codes satisfy the secrecy condition for standard entanglement sharing, although we can also consider them as a “non-perfect” case, in which we allow some partial entanglement between unauthorized subsets and the dealer. For example, a [[6,4,2]] stabilizer code Gottesman (1997) yields a non-perfect ESS. Suppose that a dealer encodes an MES of four ebits by the code such that
where and are the Bell states.
Any five players can recover the original entanglement as this stabilizer code can correct erasure errors on a single qubit. However, any four players have some entanglement with the dealer even though they are an unauthorized set, as can be seen in two ways. First the reduced density matrix of four players violates the positive partial transpose criterion Peres (1996); Horodecki et al. (1996), which provides one useful way to check state separability in ESSs when separability is not obvious from the density matrices. Second, the amount of initially shared entanglement is too large to satisfy Theorem 1 (i.e., and ). Therefore, some entanglement must remain even after one player is excluded from an authorized set.
Iii Hybrid Entanglement Sharing
A QECC that does not already satisfy the secrecy condition can potentially be made to do so through hybridization with classical information. Similarly to hybrid QSS Nascimento et al. (2001); Fortescue and Gour (2012),
hybrid ESSs can be implemented from any QECC combined with classical secret sharing, by “locking” any leaked entanglement from recovery by first encrypting the dealer’s MES using classical keys (i.e., bit strings) and then distributing the keys among a set of players in such a way that unauthorized sets are totally denied any access to entanglement.
The principle of encrypting quantum information with classical keys is shown in quantum teleportation Bennett et al. (1993). Alice generates two classical bits by performing a joint measurement on a quantum state that she intends to teleport to Bob and half of a previously shared MES. In the absence of Alice’s classical bits, Bob’s qubit is left in a maximally mixed state,
However, with the knowledge of the classical bits, Bob can recover by determining which state of the above mixture his qubit is in. In a similar sense we can encrypt and decrypt entanglement using classical keys.
Let us consider an MES
in a bipartite system of two -dimensional Hilbert spaces. We can partially encrypt by a unitary mapping
randomly chosen. Note that the phase information for the encrypted state is totally randomized for any party without knowledge of the classical key , and thus the randomized state can be written in terms of separable states as follows:
Hybrid ESSs can be implemented by the following procedure: Suppose that a dealer encodes an MES into the code space of a QECC and thereby obtains
The access structure for the corresponding ESS is determined by the code’s ability to recover from erasure errors (for example an stabilizer code corresponds to an access structure consisting of any or more shares). The dealer additionally performs the following steps:
Performs on using a randomly chosen classical key .
Encodes in classical shares and distributes using a classical secret sharing scheme with an access structure .
We thus have a scheme with both classical and quantum shares, which are separately distributed among the players. If a set of players is an element of , it can recover with the classical key . Otherwise they are left in a separable state with a dealer because they cannot acquire any information about . We note that suitable classical secret sharing schemes can be easily devised by using polynomial functions Shamir (1979); Blakley (1979).
Iv Describing partial information in QRSS
As described earlier, we can consider both the “perfect” ESS where unauthorized sets are denied all entanglement and the “imperfect” case where this secrecy condition is relaxed and some entanglement is leaked. A similar framework applies to leaked information in imperfect QSS, known as quantum ramp secret sharing (QRSS). In QRSS, one considers three types of player structures: access, forbidden and intermediate structures. The forbidden structure is the collection of unauthorized sets that are completely denied any information about the secret, and the intermediate structure is the collection of unauthorized sets that obtain some information about a secret.
As QRSS allows for smaller player shares than perfect QSS, this information leakage could be an acceptable sacrifice, but, for a given secret sharing scenario, what constitutes acceptable leakage likely depends on the nature of the information that is accessible to the intermediate subsets. One method to characterize information leakage requires stabilizer encoding and therefore requires precise details of encoding operation (e.g., stabilizers) to generate the information group Gheorghiu et al. (2010) so is not of direct use here.
Entanglement sharing gives us an alternative way to characterise this information, which may be useful in many circumstances. In a perfect ESS, we can similarly consider three structures of players with respect to correlations with the dealer, by dividing the adversary structure into a forbidden structure and an intermediate structure. Whereas all members of the adversary structure recover no entanglement with the dealer, we can distinguish between forbidden subsets (who can recover only product states with the dealer) and intermediate subsets, who can recover non-product mixed states with the dealer; i.e., they and the dealer can share classical correlations (but no entanglement). Thus player subsets can be divided into those recovering “quantum correlations” (entanglement), classical correlations, or no correlations with the dealer. This can be a useful qualitative description of leaked information.
One can characterise the qualitative difference by considering, for example, a circuit implementing quantum teleportation Bennett et al. (1993), which outputs a density matrix associated with an input state. Given an MES as a resource, this circuit can be successfully operated and thus the output density matrix is identical to the input state. However, if a product state is instead used as the resource, the circuit outputs the identity matrix. If a separable state is used as a resource, quantum teleportation cannot be perfectly achieved but will output a density matrix with some correlation with the input state.
For example, suppose that an arbitrary quantum state is the input state of the quantum teleportation circuit, and a separable state
is used as its resource. Then the circuit outputs
The output density matrix of this “classical teleportation” contains some information about the diagonal elements of the density matrix but nothing about its off-diagonal elements. In this context we can characterize leaked information about the secret in a QRSS scheme as “quantum” or “classical” in the sense of requiring a quantum or only a classical channel to transmit.
By considering QRSS schemes as ESSs (applying the scheme to a secret of half of an MES, with the other half retained by the dealer), we therefore have a means of characterizing this information: a unauthorized subset of players who can recover a partially-entangled state with the dealer have some leaked quantum information, whereas those recovering a separable state only have leaked classical information. This method of classifying information in the context of quantum teleportation provides one unambiguous definition of leakage of specifically quantum information, as it relies only on the clear definitions of entangled and separable states. Since quantum correlations are useful resources in many contexts, a QRSS scheme may be acceptable if, for example, the only information leaked is classical.
Now let us revisit the stabilizer code. The stabilizer code is not only used to devise an ESS but also for a QRSS scheme Gheorghiu et al. (2010) (where denotes a four-player scheme in which 3-player subsets are authorized, whereas player subsets receive no information about the secret, and two-player subsets receive partial information). Suppose that the ESS using the stabilizer code is applied to supply an MES required for quantum teleportation. If an arbitrary quantum state is transmitted to four players, any three or more players can receive the state perfectly with the recovered MES, and any single player can acquire no information. However, any two players can have a separable state with the dealer and learn the information about diagonal elements of . Therefore, the stabilizer code yields a QRSS scheme that leaks only classical information to unauthorized sets, which corresponds to the result of Gheorghiu et al. (2010).
Formally, we propose a secrecy condition for QRSS in terms of entanglement sharing as follows.
Given an encoding operation mapping
a QRSS scheme described by is secure from the leakage of quantum information if the reduced density matrix for every intermediate set ,
is separable with the system D for the complement of .
We have introduced a new protocol for entanglement sharing, which allows a dealer to distribute half of a MES with a set of players in such a way that some collaborating groups of players can recover the entangled state fully, but other groups cannot share any entanglement with the dealer. While closely related to QSS (every perfect QSS scheme will also be an entanglement sharing scheme) the entanglement sharing conditions result in different properties for these schemes (for example share size of each player need only be at least half the amount of initial entanglement). We have demonstrated examples of construction of entanglement sharing schemes from stabilizer codes, both directly and through hybridization with classical encryption. We note that the general relationship between QECCs and entanglement sharing (i.e., whether or not schemes can be directly constructed from a given QECC) is still not evident, and therefore is a promising avenue for further investigation.
Finally, we have shown that the entanglement sharing paradigm provides a useful characterization of information leakage in QRSS schemes, wherein any QECC suitable for perfect entanglement sharing can be used to construct a QRSS in which only classical information is leaked to unauthorized player subsets. As with sharing quantum secrets, entanglement sharing would be especially convenient if one could choose the access, intermediate, and adversary structure first and then find a corresponding code, but in practice the codes are chosen first and the structures are consequential. Given the many contexts in which entanglement is a crucial resource for performing quantum information protocols, this characterization, and entanglement sharing schemes in general, have the potential for a wide range of applications.
Acknowledgements.We appreciate valuable discussions with Vlad Gheorghiu and Yun-jiang Wang. This project has been supported by Alberta Innovates Technology Futures, AITF, CIFAR and NSERC.
Appendix A Investigation of Shor’s code
In this appendix, we supplement Sec. II.3 by investigating other sets in . As is in a separable state with a dealer, and are also separable with the dealer as shown by permutation of the triplets. Similarly the complement of , namely , is in a separable state
and thus and are also separable with the dealer. We regard these six subsets as a class of .
Every set in is classified into four classes: , , and . For each class, it is enough to demonstrate whether or not the reduced density matrices of a small subset (e.g., ) and a big subset (e.g., ) are separable with the dealer.
Let us look at the class of . The complement of has a separable state written as
If we discard three more qubits from the state in Eq. (32), the resulting density matrix is a reduced density matrix of in this class and still has a separable form with the dealer.
Next we consider the class of . The reduced density matrix for (the complement of ) is given by
In this case, the subset is independent of the other qubits so the reduced density matrix for (a small set in the class of ) is separable with the dealer after tracing out player 5.
Finally we consider the class of . By tracing out and from the state of Eq. (32), clearly and in this class are separable with the dealer. We therefore conclude that any subset of players in is in a separable state with the dealer.
- Shamir (1979) A. Shamir, Commun. ACM 22, 612 (1979).
- Blakley (1979) G. R. Blakley, in Proceedings of the National Computer Conference (AFIPS, Montvale, NJ, 1979), vol. 48, pp. 313–317.
- Hillery et al. (1999) M. Hillery, V. Bužek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).
- Cleve et al. (1999) R. Cleve, D. Gottesman, and H.-K. Lo, Phys. Rev. Lett. 83, 648 (1999).
- Markham and Sanders (2008) D. Markham and B. C. Sanders, Phys. Rev. A 78, 042309 (2008).
- Beimel (2011) A. Beimel, in Coding and Cryptology, edited by Y. Chee, Z. Guo, S. Ling, F. Shao, Y. Tang, H. Wang, and C. Xing (Springer Berlin Heidelberg, 2011), vol. 6639 of Lecture Notes in Computer Science, pp. 11–46, ISBN 978-3-642-20900-0, URL http://dx.doi.org/10.1007/978-3-642-20901-7_2.
- Nascimento et al. (2001) A. C. A. Nascimento, J. Mueller-Quade, and H. Imai, Phys. Rev. A 64, 042311 (2001).
- Bennett et al. (1993) C. H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres, and W. K. Wootters, Phys. Rev. Lett. 70, 1895 (1993).
- Bennett and Wiesner (1992) C. H. Bennett and S. J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992).
- Acín et al. (2007) A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, Phys. Rev. Lett. 98, 230501 (2007).
- Masanes et al. (2011) L. Masanes, S. Pironio, and A. Acín, Nat. Commun. 2, 238 (2011).
- Gottesman (2000) D. Gottesman, Phys. Rev. A 61, 042311 (2000).
- Ogawa et al. (2005) T. Ogawa, A. Sasaki, M. Iwamoto, and H. Yamamoto, Phys. Rev. A 72, 032318 (2005).
- Coffman et al. (2000) V. Coffman, J. Kundu, and W. K. Wootters, Phys. Rev. A 61, 052306 (2000).
- Osborne and Verstraete (2006) T. J. Osborne and F. Verstraete, Phys. Rev. Lett. 96, 220503 (2006), URL http://link.aps.org/doi/10.1103/PhysRevLett.96.220503.
- Koashi and Winter (2004) M. Koashi and A. Winter, Phys. Rev. A 69, 022309 (2004).
- Kim et al. (2012) J. S. Kim, G. Gour, and B. C. Sanders, Contemporary Physics 53, 417 (2012).
- Horodecki et al. (2005) K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, Phys. Rev. Lett. 94, 200501 (2005).
- Plenio and Virmani (2007) M. B. Plenio and S. Virmani, Quantum Inf. Comput. 7, 1 (2007).
- Gottesman (1997) D. Gottesman, Caltech Ph.D. thesis (1997).
- Shor (1995) P. W. Shor, Phys. Rev. A 52, R2493 (1995).
- Gurvits (2003) L. Gurvits, in Proceedings of the 35th annual ACM symposium on Theory of computing (ACM, New York, NY, 2003), STOC ’03, pp. 10–19.
- Gour and Wallach (2010) G. Gour and N. R. Wallach, J. Math. Phys. 51 (2010).
- Peres (1996) A. Peres, Phys. Rev. Lett. 77, 1413 (1996).
- Horodecki et al. (1996) M. Horodecki, P. Horodecki, and R. Horodecki, Physics Letters A 223, 1 (1996).
- Fortescue and Gour (2012) B. Fortescue and G. Gour, IEEE Trans. Inf. Th. 58, 6659 (2012).
- Gheorghiu et al. (2010) V. Gheorghiu, S. Y. Looi, and R. B. Griffiths, Phys. Rev. A 81, 032326 (2010).