ebook img

How to share a quantum secret PDF

5 Pages·0.13 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview How to share a quantum secret

How to share a quantum secret Richard Cleve1∗, Daniel Gottesman2†, Hoi-Kwong Lo3‡ 1 Department of Computer Science, University of Calgary, Calgary, Alberta, Canada T2N 1N4 2 T-6 Group, Los Alamos National Lab, Los Alamos, NM 87545 3 Hewlett-Packard Labs, Bristol, UK BS34 8QZ sical threshold schemes that uses quantum information We investigate the concept of quantumsecret sharing. In to transmit the shares securely in the presence of eaves- a ((k,n)) threshold scheme, a secret quantum state is di- droppers. vided into n shares such that any k of those shares can be Define a ((k,n)) threshold scheme, with k ≤ n, as a used to reconstruct the secret, but any set of k−1 or fewer method to encode and divide an arbitrary secret quan- shares contains absolutely no information about the secret. 9 tum state (which is given but not, in general, explicitly 9 We show that theonly constraint on theexistence of thresh- 9 old schemes comes from the quantum “no-cloning theorem”, known) into n shares with the following two properties. 1 whichrequiresthatn<2k, and,inallsuchcases, wegivean First,fromanykormoresharesthesecretquantumstate efficient construction of a ((k,n)) threshold scheme. We also can be perfectly reconstructed. Second, from any k−1 n explore similarities and differences between quantum secret or fewer shares, no information at all can be deduced a J sharing schemes and quantum error-correcting codes. One about the secret quantum state. Formally, this means 2 remarkable difference is that, while most existing quantum that the reduced density matrix of these k − 1 shares 1 codesencodepurestatesaspurestates,quantumsecretshar- (with the other shares traced out) is independent of the ing schemes must use mixed states in some cases. For exam- value of the secret. Each share can consist of any num- 1 ple,ifk≤n<2k−1thenany((k,n))thresholdschememust ber of qubits (or higher-dimensional states), and not all v distributeinformation that is globally in a mixed state. shares need to be of the same size. In this paper we do 5 2 not consider the problem of securely creating and dis- 0 tributing the shared secret, and simply assume that it 1 can be done when necessary. 0 Suppose that the president of a bank wants to give Quantum secret sharing schemes might be used in the 9 accessto avaultto three vice presidentswho arenoten- contextofsharingquantumkeys,suchasthoseproposed 9 / tirely trusted. Instead of giving the combination to any by Weisner [5] for uncounterfeitable “quantum money.” h oneindividual,itmaybedesirabletodistributeinforma- They canalsobe usedto provideinteresting waysof dis- p tion in such a way that no vice president alone has any tributingquantumentanglementandnonlocality. Forex- - t knowledge of the combination, but any two of them can ample, suppose that Alice has one qubit of an EPR pair n a jointly determine the combination. In 1979, Blakely [1] and a ((2,2)) threshold scheme is applied to the other u and Shamir [2] addressed a generalization of this prob- qubit to produce a share for Bob and a share for Carol. q lem, by showing how to construct schemes that divide a Then Alice and Bob together have a product state (i.e., : v secret into n shares such that any k of those shares can ρ = ρ ⊗ρ ), as do Alice and Carol; however, Bob AB A B i be used to reconstruct the secret, but any set of k −1 andCarolcanjointlyconstructaqubitfromtheir shares X orfewersharescontainsabsolutelynoinformationabout that is in an EPR state with Alice’s qubit. Also, for r a the secret. This is called a (k,n) threshold scheme, and quantum storageor quantum computations to be robust is a useful tool for designing cryptographic key manage- intheworst-casesituationwhereacomponentoragroup ment systems. of components fail (due to sabotage by malicious parties Now, consider a generalization of such schemes to the or due to defects), quantum secret sharing may prove settingofquantuminformation,wherethesecretisanar- to be a useful concept. Finally, by definition, quantum bitrary unknownquantum state. Salvail [3] (see also[4]) secret sharing distributes trust between various parties obtained a method to divide an unknown qubit into two and prevents a small coalition of malicious parties from shares, each of which individually contains no informa- learning a quantum secret. tion about the qubit, but which jointly can be used Let us begin with an example of a ((2,3)) threshold to reconstruct the qubit. Hillery, Buˇzek, and Berthi- scheme. Thesecrethereisanarbitrarythree-dimensional aume[4]proposedamethodforimplementingsomeclas- quantum state (a quantum trit or qutrit). The encoding maps the secret qutrit to three qutrits as α|0i+β|1i+γ|2i 7→α(|000i+|111i+|222i)+ (1) ∗Email: [email protected] β(|012i+|120i+|201i)+ †Email: [email protected] γ(|021i+|102i+|210i), ‡Email: [email protected] 1 and each resulting qutrit is taken as a share. Note that, procedure can be defined by the following linear map on from a single share, absolutely no information can be density matrices deduced about the secret, since each individual share is |0ih0| 7→|00ih00|+|11ih11|+|22ih22| always in the totally mixed state (an equal mixture of |0i, |1i, and |2i). On the other hand, the secret can be |1ih1| 7→|01ih01|+|12ih12|+|20ih20| (3) reconstructedfromanytwoofthethreesharesasfollows. |2ih2| 7→|02ih02|+|10ih10|+|21ih21|. Ifwearegiventhefirsttwoshares(forinstance),addthe Callaschemethatencodespurestatesecretsusingglobal valueofthefirstsharetothesecond(modulothree),and pure states a pure state scheme, and a scheme for which then add the value of the second share to the first, to the encodings of pure states are sometimes in global obtain the state mixed states a mixed state scheme. We shall show later (α|0i+β|1i+γ|2i)(|00i+|12i+|21i). (2) that there does not exist a pure state ((2,2)) threshold scheme. The firstqutritnowcontainsthe secret. The reconstruc- On the other hand, if we do not insist on protecting tion procedurefor the other casesis similar,by the sym- an arbitrary secret, we could use the encoding metryofmapping(1)withrespecttocyclicpermutations α|0i+β|1i7→α(|00i−|11i)+β(|01i+|10i). (4) of the three qutrits. Note that, because the data is quantum, one must be For the restricted set of secrets where α · β∗ is real- carefulnot to individually measure the shares while per- valued, it functions as a ((2,2)) threshold scheme. How- forming the reconstruction, since this will collapse any ever,without this restriction, this is not a secret sharing superposition of the basis states. The same considera- scheme, since (for example) it can be verified that a sin- tions arise with quantum error-correctingcodes [6,7]. In gle share can completely distinguish between the secrets fact, the above example is a three-qutrit quantum code |0i+i|1i and |0i−i|1i. Although such a scheme may that can correct one erasure error. Every quantum se- be useful in some contexts, we shall henceforth consider cret sharing scheme is, in some sense, a quantum error- only “unrestricted” secret sharing schemes. correctingcode;however,someerror-correctingcodesare Note that the previously mentioned technique of dis- not secret sharing schemes, since they may contain sets cardingasharefroma((2,3))thresholdschemetoobtain ofsharesfromwhichpartial informationaboutthesecret a((2,2))thresholdscheme(suggestedby[10]in the con- canbeobtained. Forexample,considerafour-qubitcode text of a different scheme) generalizes considerably: [8,9] that corrects one erasure by the encoding Theorem 1. From any ((k,n)) threshold scheme with n>k,a((k,n−1))thresholdschemecanbeconstructed α|0i+β|1i7−→α(|0000i+|1111i)+β(|0011i+|1100i) by discarding one share. (thecodecanactuallybeextendedtoencodetwoqubits, In the classical case, a (k,n) threshold scheme exists but we do not need this for our illustration). While it for every value of n ≥k. However, this does not hold in is true that any three qubits suffice to reconstruct the thequantumcase,duetothequantum“no-cloningtheo- secret, it is not true that two qubits provide no informa- rem”[11,12],whichstatesthatnooperationcanproduce tion. For instance, given the first and third qubits, one multiple copies of an unknown arbitrary quantum state. can distinguish between the secrets |0i and |1i. More Theorem2. Ifn≥2kthenno((k,n))thresholdscheme generally, from these two qubits, statistical information exists. about the relative values of |α| and |β| can be obtained. Proof. If a ((k,n)) threshold scheme exists with n≥2k Later, we shall show how to obtain a ((3,4)) threshold then the following procedure can be used to make two scheme with four qubits using a different approach. independent copies of an arbitrary quantum state (that Returning to the ((2,3)) threshold scheme using is,toclone). First,applythe((k,n))schemetothestate qutrits, note that it can be used to share a secret that to produce n shares. Then, taking two disjoint sets of k is a qubit by simply not using the third dimension of shares, reconstruct two independent copies of the state. the input space (though the resulting shares are still full This contradicts the “no-cloning theorem” [11,12]. 2 qutrits). It turns out that there does not exist a ((2,3)) threshold scheme for qubits in which each share is also The five-qubit quantum code proposed in [13,14] im- a qubit. This is because such a scheme would also be a mediately yields a ((3,5)) threshold scheme. First, since three-qubitcodethatcorrectssinglequbiterasureerrors, itcorrectsanytwoerasureerrors,itenablesthesecretto which has been shown not to exist [9]. be reconstructed from any three shares. Also, any pair The ((2,3)) qutrit threshold scheme can be used to of qubits provides no information about the data. This construct a ((2,2)) threshold scheme, by simply discard- is a consequence of the following more general theorem. ing (i.e., tracing out) one of the three shares. Note that Theorem 3. If a quantum code with codewords of the resulting ((2,2)) scheme produces a mixed state en- length2k−1correctsk−1erasureerrors(which,forsta- codingevenwhenthesecretisapurestate. Theencoding bilizer codes [15,16], is a [[2k−1,1,k]] code, where q is q 2 thedimensionalityofeachcoordinateandoftheencoded It now suffices to show that, given an encoding (5) of state) then it is also a ((k,2k−1)) threshold scheme. a quantum state, the state can be recovered from any k Proof. First,supposethatwearegivenasetofkshares. of the m coordinates. One way to show this is to apply Since this set excludes precisely k − 1 shares and the the theory of CSS codes [20,21], noting that this code is code corrects any k −1 erasures, the secret can be re- formed from the two classical codes constructed from these k shares. On the other hand, suppose that we are given a set of k −1 shares. This C1 =(cid:8)(pc(x0),...,pc(xm−1))|c∈Fk(cid:9) (6) subset excludes a set of k shares, from which we know C2 =(cid:8)(pc(x0),...,pc(xm−1))|c∈Fk,ck−1 =0(cid:9) (7) that the secret can be perfectly reconstructed. Now, in quantum mechanics, it is well-known that any informa- and that min(dist C1,dist C2⊥) = m−k+1. From this it follows that the code corrects m−k erasure errors. tiongainonanunknownquantumstatenecessarilyleads For completeness, we also give an explicit decoding to its disturbance [17]. Therefore, if a measurement on procedureforthe caseofinterest,wherem=2k−1. We the given k −1 shares provided any information about begin with some preliminary definitions. For an invert- the secret, then this measurement would disturb the in- ible d×d matrix M, define the operation apply M to a formationthat the remainingk qubits containaboutthe secret. This leads to a contradiction. 2 sequenceofdquantumregistersasapplyingthemapping Combining Theorem 3 with Theorem 1, we obtain |(y0,...,yd−1)i7→|(y0,...,yd−1)Mi (8) Corollary 4. From a [[2k − 1,1,k]] code, a ((k,n)) q threshold scheme can be constructed for any n<2k. (where we are equating |(y0,...,yd−1)i with |y0,...,yd−1i). For z0,...,zd−1 ∈ F, define the d×d Forexample,fromthe aforementionedfive-qubitcode, Vandermonde matrix a ((3,4)) threshold scheme and ((3,3)) thresholdscheme can be obtained (by discarding shares). [Vd(z0,...,zd−1)]ij =zji (9) Next, we prove the converse of Theorem 2. (fori,j ∈{0,...,d−1}). Thismatrixisinvertiblewhen- Theorem 5. Ifn<2k,thena((k,n))thresholdscheme exists. Moreover, the dimension of each share can be ever z0,...,zd−1 are distinct. Also, note that applying bounded above by 2max(2k − 1,s), where s is the di- Vd(z0,...,zd−1) to registers in state |c0,...,cd−1i yields mension of the quantum secret. the state |pc(z0),...,pc(zd−1)i, where c=(c0,...,cd−1). Thesecretcanberecoveredfromanyk coordinatesby Proof. The proof is based on a class of quantum poly- the following procedure. Call the m registers containing nomial codes, which are similar to those defined by the coordinates R0,...,Rm−1, and suppose that we are AharonovandBen-Or[18],whousedtheminthecontext given, say, the first k registers (that is, R0,...,Rk−1). of fault-tolerant quantum computation. We will show how to construct such a code of length m and degree 1. Apply Vk(x0,...,xk−1)−1 to R0,...,Rk−1. k−1wheneverm<2k,andthatthedatathatitencodes 2. Cyclically shift the first k registers by one canalwaysbe recoveredfromanyk ofits m coordinates. Then, considering the special case where m = 2k −1, to the right by setting (R0,R1...,Rk−1) to we obtain a [[2k−1,1,k]] code, for which Corollary 4 (Rk−1,R0,...,Rk−2). q applies to prove the theorem. 3. Apply Vk−1(xk,...,xm−1) to R1,...,Rk−1. Let k and m be given with m < 2k, and let s be the dimension of the quantum state to be encoded. Choose 4. Foralli∈{1,...,k−1},addR0·(xk+i−1)k−1 toRi. a prime q such that max(m,s) ≤ q ≤ 2max(m,s) Consider an execution of the above procedure on a (which is always possible [19]) and let F = Z . For q state resulting from the encoding (5) on a basis state c=(c0,c1,...,ck−1)∈Fk,definethepolynomialpc(t)= |si. After steps 1 and 2, the state of the n registers is c0+c1t+···+ck−1tk−1. Letx0,...,xm−1 be m distinct elements of F. Encode a q-ary quantum state by the X |ck−1,c0,...,ck−2i|pc(xk),...,pc(xm−1)i linear mapping which is defined on basis states |si (for c∈Fk s∈F) as ck−1=s =|si X |c0,...,ck−2i|pc(xk),...,pc(xm−1)i. (10) |si7→ X |pc(x0),...,pc(xm−1)i. (5) c∈Fk c∈Fk ck−1=s ck−1=s If the data is a basis state |si (for some s ∈ F) then, As an example, it turns out that mapping (1) (for the at this point, its recovery is complete. However, for a ((2,3)) threshold scheme given at the beginning of this generalsecret,whichis a superpositionof |sistates, reg- paper)isaquantumpolynomialcodewithk =2,m=3, ister R0 is entangled with the other registers. The en- and q =3. tanglement is due to the fact that, in (10), the value 3 of s can be determined by the value of any of the kets Notethatthesamefunctionc(E)appearsinconditions |c0,...,ck−2i|pc(xk),...,pc(xm−1)i. In fact, if we had (b) and (c), and that it is independent of |φi or |φii. m ≥ 2k then s could be determined from just the state Proof. a)⇔b)isessentiallythestandardquantumerror of the last m−k registers, so it would be impossible to correctionconditions[13,23]appliedtoerasureerrors[9]. performthe necessarydisentanglementbyaccessingonly b) ⇔ c) is straightforward. Alternately, a) ⇔ c) follows the firstk registers. Sincem=2k−1,thisisnotaprob- from the main theorem of [22]. 2 lem and the remaining steps correctly extract the data Equation (12) says that in correcting errors, we will in the following manner. never confuse two different basis vectors. Equation (13) After steps 3 and 4, the state is says that learning about the error will never give us any informationaboutwhichbasisvectorwehave. Thisisim- |si X |pc(xk),...,pc(xm−1)i|pc(xk),...,pc(xm−1)i portant, since that information would constitute a mea- ckc−∈F1=ks surement, collapsing a superposition of basis vectors. On the other hand, condition (14) simply says that =|si X |y1,...,yk−1i|y1,...,yk−1i, (11) the environment can never gain any information about y∈Fk−1 the state. In other words, the proposition tells us that where the last equality holds since, for any s ∈ F and protecting a state from noise is exactly the same as pre- y1,...,yk−1 ∈F, there is a unique c∈Fk with ck−1 =s venting the environment from learning about it. suchthatpc(xk+i−1)=yi,foralli∈{1,...,k−1}. Since Condition(14)isalsoveryconvenientforourpurposes, the state of R1,...,Rm−1 is now independent of s, the since the two constraints that arise on a quantum secret decoding procedure is now correct for arbitrary data. 2 sharingschemearetheabilitytocorrecterasuresandthe requirement that no information be gained by unautho- Although we have focused on threshold schemes, it rized sets of shares. is possible to consider more general access structures. In the theory of quantum error-correcting codes, we In a general quantum secret sharing scheme, from cer- usually consider shares of the same dimension. In con- tain authorized sets of shares, the secret can be recon- trast, in quantum secret sharing, we would like to allow structed, while, from all other sets of shares, no infor- shares to live in Hilbert spaces of different sizes. Never- mation can be obtained about the secret. Those other theless, it is still true that conditions a), b), and c) in sets are called unauthorized sets. For example, consider Proposition 6 are equivalent. a scenario with three shares, A, B, C, where the autho- rizedsets are{A,B}, {A,C}, andany superset ofone of Theorem 7. An encoding f : |ψi 7→ |φi is a pure state thesesets. Suchasecretsharingschemecanbeeasilyim- quantum secret sharing scheme iff plemented by starting with the ((3,4)) thresholdscheme hφ|E|φi=c(E) (15) and bundling the first two shares into the share A. We have already seen relationships between quan- (independent of |φi) whenever E is an operator acting tumsecretsharingschemesandquantumerror-correcting on the complement of an authorizedset or when E is an codes. We now explore this connection more deeply. operator acting on an unauthorized set. The following proposition follows naturally from the For instance, for the three-qutrit scheme (1) and usual formulation of the conditions for a quantum error- correcting code. Ej|y1,y2,y3i = ωyj|y1,y2,y3i, where ω = exp(2πi/3), wehavehφ|E |φi=0forallstates|φiusedinthescheme. Proposition 6. Let C be a subspace of a Hilbert space j Proof. Let C be the image of f. S is an authorized H. The following conditions are equivalent: set iff the subspace C can correct for erasures on K, the a) C corrects erasures on a set K of coordinates. complement of S. By Proposition 6, this means S is an authorized set iff (15) holds for all E acting on K. T is b) For any orthonormal basis {|φ i} of C, i anunauthorizedsetwheneverwecangainnoinformation aboutthestate|ψifromanymeasurementonT. Thatis, hφ |E|φ i=0 (i6=j) (12) i j the expectation value hφ|E|φi is independent of |φi ∈ C hφ |E|φ i=c(E) (13) i i for any operator E we could choose to measure, which means it must actonT. Again,this is condition(15). 2 for all operators E acting on K. Theorem 7 has at least one remarkable consequence: c) Forall(normalized)|φi∈C andallE actingonK, Corollary 8. For a pure state quantum secret sharing scheme, every unauthorized set of shares is the comple- hφ|E|φi=c(E). (14) ment of an authorized set and vice-versa. Proof. If the complement of an authorized set of shares S1 were another authorized set S2 then we could create 4 two copies of the secret from S1 and S2, violating the rection,” Phys. Rev. A 54, 3824–3851 (1996); quant- no-cloning theorem. Therefore, the complement of an ph/9604024. authorized set is always an unauthorized set. [14] R.Laflamme, C.Miquel,J.P.Paz, andW.Zurek,“Per- On the other hand, by Proposition6, if condition (15) fectquantumerrorcorrectioncode,”Phys.Rev.Lett.77, 198–201 (1996); quant-ph/9602019. holds on an unauthorized set T, we can correct erasures [15] D.Gottesman,“Class ofquantumerror-correctingcodes on T, and therefore reconstruct the secret on the com- saturatingthequantumHammingbound,”Phys.Rev.A plementofT. Therefore,thecomplementofanunautho- 54, 1862–1868 (1996); quant-ph/9604038. rized set is always an authorized set. 2 [16] A. R. Calderbank, E. M. Rains, P. W. Shor, and For a pure state ((k,n)) threshold scheme, this condi- N. J. A. Sloane, “Quantum error correction and orthog- tion implies that n−k =k−1. Therefore: onal geometry,” Phys. Rev. Lett. 78, 405–408 (1997); quant-ph/9605005. Corollary 9. Any ((k,n)) pure state threshold scheme [17] C. H. Bennett, G. Brassard and N. David Mer- satisfies n=2k−1. min,“QuantumCryptographywithoutBell’sTheorem,” Clearly, this corollary does not apply to mixed state Phys. Rev.Lett. 68, 557–559 (1992). schemes, since we have constructed ((k,n)) threshold [18] D. Aharonov and M. Ben-Or, “Fault-tolerant quantum schemes with n<2k−1. computationwithconstanterror,”Proc.29thAnn.ACM We would like to thank Dorit Aharonov, Alexei Symp.onTheoryofComputing,pp.176–188(ACM,New Ashikhmin, Charles Bennett, Andr´e Berthiaume, York, 1998); quant-ph/9611025. [19] M.Aigner,G.M.Ziegler,ProofsfromTheBook,pp.7–12 Vladimir Buˇzek, H. F. Chau, Mark Hillery, Brendan (Springer, Berlin, 1998). Lane, Debbie Leung, and Louis Salvail for helpful dis- See also S. Ramanujan, “A proof of Bertrand’s Postu- cussions. Part of this work was completed during the late,”J.oftheIndianMath.Soc.11,pp.181–182(1919). 1998 Elsag-Bailey – I.S.I. Foundation research meeting [20] A.R.CalderbankandP.W.Shor,“Goodquantumerror- on quantum computation, and the 1998 meeting at the correcting codes exist,” Phys. Rev. A 54, 1098–1105 Benasque Center for Physics. R.C. is supported in part (1996); quant-ph/9512032. by Canada’s NSERC. D.G. is supported by the Depart- [21] A. Steane, “Multiple particle interference and quantum ment of Energy under contract W-7405-ENG-36. error correction,” Proc. Roy. Soc. Lond. A 452, 2551– 2577 (1996); quant-ph/9601029. [22] M. A. Nielsen and C. M. Caves, “Reversible quantum operationsandtheirapplication toteleportation,” Phys. Rev. A 55, pp 2547–2556 (1997); quant-ph/9608001 [23] E. Knill and R. Laflamme, “A theory of quantum error- correcting codes,” Phys. Rev. A 55, 900–911 (1997); [1] G. Blakely, “Safeguarding cryptographic keys,” Proc. quant-ph/9604034. AFIPS 48, 313–317 (1979). [2] A.Shamir, “How to share a secret,” Communications of theACM, 22, 612–613 (1979). [3] L. Salvail, private communication. [4] M. Hillery, V. Buˇzek, and A. Berthiaume, “Quantum secret sharing,” quant-ph/9806063. [5] S.Wiesner,“ConjugateCoding,”SIGACTNews15,pp. 78–88 (1983). [6] P. Shor, “Scheme for reducing decoherence in quantum memory,” Phys.Rev.A 52, 2493–2496 (1995). [7] A. M. Steane, “Error correcting codes in quantum the- ory,” Phys.Rev.Lett. 77, 793–797 (1996). [8] L.Vaidman,L.Goldenberg,andS.Wiesner,“Errorpre- vention scheme with four particles,” Phys. Rev. A 54, 1745–1748 (1996); quant-ph/9603031. [9] M. Grassl, T. Beth, and T. Pellizzari, “Codes for the quantum erasure channel,” Phys. Rev. A 56, 33–38 (1997); quant-ph/9610042. [10] B. Lane, personal communication (1997). [11] W. K. Wootters and W. H. Zurek, “A single quantum cannot be cloned,” Nature299, 802–803 (1982). [12] D.Dieks,“CommunicationbyEPRdevices,”Phys.Lett. A 92, 271–272 (1982). [13] C. Bennett, D. DiVincenzo, J. Smolin, and W. Woot- ters,“Mixed state entanglementand quantumerrorcor- 5

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.