Onthe equivalence between sharing quantum andclassicalsecrets, and error correction Anne Marin∗ and Damian Markham† CNRS LTCI, De´partement Informatique et Re´seaux, Telecom ParisTech, 23 avenue d’Italie, CS 51327, 75214 Paris CEDEX 13, France. Wepresentageneralschemeforsharingquantumsecrets,andanextensiontosharingclassicalsecrets,which containallknownquantumsecretsharingschemes. Inthisframeworkweshowtheequivalenceofexistenceof bothschemes,thatis,theexistenceofaschemesharingaquantumsecretimpliestheextendedclassicalsecret sharingschemeworks,andviceversa. Asaconsequenceofthiswefindnewschemessharingclassicalsecrets forarbitraryaccessstructures. Wethenclarifytherelationshiptoquantumerrorcorrectionandobserveseveral restrictionstherebyimposed,whichforexampleindicatesthatforpurestatethresholdschemesthesharesizeq mustscalewiththenumberofplayersnasq √n. ≥ Secretsharingisanimportantprimitiveininformationnet- playerssuchthatonlyauthorizedplayerscanaccessthe key. works, forexample in online auctions, electronic voting, se- We refer to this family of protocols as CQ (again following 2 cure multiparty function evaluation, first introduced in the the notationof [10]). The only knownexisting CQ schemes 1 classical setting in [1]. The problem setting is that a dealer arethresholdwithparameters (n,n)[2], (2,3)[11]and(3,5) 0 2 d wishes to distribute a secret (we will considerboth classi- [10]. calandquantumsecrets)toasetofnplayers,suchthatonly In[10]alinkwaspresentedbetweenQQandCQprotocols y certainsetsofplayerscanaccessthesecret(wecallthesethe where it was shown that in some instances the same frame- a M authorizedplayers),andcertainsetsofplayerscannotaccess workcouldbeusedforbothusinggraphstates(firstforqubits, thesecret(wecallthesetheunauthorizedsetsofplayers). The then for qudits in [11]). The usefulness of this connection 8 assignment of authorizedand unauthorizedsets is called the is many fold. On a practical level sharing the same frame- 1 access structure. Any such scheme can be loosely described workisadvantageoussinceanyimplementationforonecanbe asa‘ramp’scheme,describedbythreeparameters,(k,k′,n), adaptedtoperformtheother. Onthetheoreticallevelthead- ] whereanysetofplayersB suchthat B k canaccessthe vantagesareveryrich.OntheonehanditallowsnewCQpro- h p secret,whereasanysetsuchthat B | k|′≥cannotgetanyin- tocolstobefoundviatranslationfromQQ,asin[10],[11]. In | | ≤ - formation at all. Clearly this description does not cover the the other direction, techniques for constructing CQ schemes nt fullaccessstructureinbetweenkandk′. Whenk′ =k 1,it (which can often on the face of it appearmuch simpler) can − a doeshowever,andthisiscalleda‘threshold’scheme,denoted beusedtoconstructQQschemes.Furthermorethereisadeep u (k,n). Often it suffices to considerthreshold schemes since relationshipbetweenQQandquantumerrorcorrection. This q allaccessstructurescanbebuiltfromthem. opens up the door to the possibility of using powerful tools [ We considertwo quantumextensionsofthesecretsharing fromerrorcorrectiontheorytoinvestigatesecertsharing,and 1 problem,firstputforwardin[2][3],whichhavefoundapplica- newtechniquesfromsecretsharingtofindnewerrorcorrect- v tion, forexample in secure multipartyquantumcomputation ing schemes. Graph state methods for finding CQ schemes 2 [4]. The first is the sharing of a quantum secret [3], that is have recentlyyieldedmany results in this direction[25, 27]. 8 thedealerwishestodistributeaquantumstatesuchthatonly The generalrelationshipbetweenQQ and CQ secret sharing 1 authorizedplayerscanaccessit,andunauthorizedcannot. We istodateunclearhowever,andwecanonlyexpectmoreuse- 4 . refertothisprotocolfamilyasQQ(followingthenotationof fulnesstobegained. 5 [10]). It was shown in [3] that in principle all access struc- WepresentthemostgeneralQQsecretsharingschemefor 0 turesnotcontradictingno-cloningcanbeachieved. Thesec- sharing a quantum secret and its extension to a CQ scheme, 2 1 ondquantumversionweconsideristhesharingofaclassical whichformallyencompassallquantumexistingsecretsharing : secretusingquantumchannels,introducedin[2]. Itisknown schemes.WeshowthattheexistenceofsuchaQQimpliesthe v that there exist informationally theoretically secure schemes extensiontoCQcasehasthesameaccessstructureandsecu- i X toshareaclassicalsecret[1],however,theseschemesrequire rityismaintained,andsimilarly,ifthereexistsaCQschemeof r asecurechannelbetweenthedealerandeachplayer.Oneway thistype,thequantumversionalsoisavalidQQsecretshar- a ofresolvingthisissuewouldbetouse nquantumkeydistri- ingscheme. Thisallowsusto use theQQ schemesfrom[3] bution (QKD) channels from the dealer, one to each player, fortheextendedCQscheme,allowingallaccessstructuresfor and then use the Shamirscheme. Anotherway, presentedin thefirsttime. WethendrawanequivalencebetweenQQand [2]combinestheideaofQKDwithsecretsharingdirectly,this quantumerrorcorrection,showingthatallrampschemesare canbe moreefficientthanthedirectuse ofQKD. By choos- errorcorrectingschemesand vice versa. Severalrestrictions ing a suitable entangled state shared between the dealer and are thus imposed, notably, that for pure state QQ threshold the players, the dealer is able to share a secret key with the schemes,thesizeofthesharemustscalewiththesizeofthe network (something which is also true in the fully classical setting). ∗[email protected] ThemostgeneralQQquantumsecretsharingprotocolcan †[email protected] be understood as a map from a quantum secret state ζ = | i 2 α i to a multipartite state ζ = α i 2. Thedealersendsquditℓoftheresultantstatetoplayer i i| i | Li1...n i i| Li1...n Psharedbetweenthe players 1...n, encodedontoPsomelogical ℓ. basis i , whichisdesignedsuchthatauthorizedsets L 1...n {| i } 3. Playersinauthorizedset B followaprescribeddecod- ofplayerscanaccessthesecretandunauthorizedsetsofplay- ing operation Γ (involving syndrome measurements ers cannot. Without loss of generality we take i to be B L {| i} andcorrection). anorthonormalbasis. Anencodingontoanon-orthogonalba- sis canbeunderstoodas somepreprocessingtakingthestate Theprotocolisthendefinedbyencodingbasis i ,and input ζ to a state ζ′ correspondingto the non-orthogonal {| Li1...n} encod|inig, and then|folilowingthe map above. A mixedstate decodingoperationsΓB foreachauthorizedsetB. Attheend theauthorizedsetB havethequantumsecret. encodingcanalwaysbepurifiedintoamapasabove,followed CQProtocol:TheCQprotocoldoesnotdirectlydistribute bytracingoutofsomesystems(inwhichcasethenumberof asecretclassicalmessagefromthedealertotheplayers,rather active playerswould be less than n). In this way this repre- it is a protocol to establish a secure key between the dealer sentsthemostgeneralscheme. andtheplayers,suchthatonlyauthorizedsetsofplayerscan Foranysuchscheme,weextendtosharingclassicalsecrets accessthekey. Inthissenseitmaybeconsideredmoreaccu- byintroducingwhatwecallachannelstatebetweensystemd ratelyassecretkeysharing. Thiskeycanthenbeusedbythe heldbythedealerandtheplayers’systems1...n, dealertoshareasecretmessagesuchthatitcanonlyberead byauthorizedsetsofplayers.TheCQprotocolisanextension q−1 1 ofthosepresentedin[2,10,11],tothemoregeneralcasenot CS := i i . (1) d,1...n d L 1...n | i √q | i | i usinggraphstates. Wenowoutlinetheprotocol. Xi=0 This is a maximallyentangledstate between d and the play- 1. Thedealerpreparesachannelstate(1)andsendsqudit ers,andcanbeunderstoodasachannelfromthedealertothe ℓtoplayerℓ. players. InthecaseofQQthischannelisusedtoteleportthe 2. The dealer randomly measures his qudit d among the secret from the dealer’s qubit to the players (that is, it acts bases: XtZ q−1. Wedenotetheresultr(t). Thestate simplyasanencodingprocessforthemostgeneralscheme). { }t=0 oftheplayersisthenprojectedto In the case of CQ this channel is used to establish a secure randomkeybetweenthedealerandtheplayers(aspertheEk- r(t) . (3) ertprotocol[8]). In bothcases it is the choiceof the logical | Li1...n basis i givesrisetotheaccessstructure.Thisexten- L 1...n {| i } 3. An authorised set B randomly measures in one of the sioncoversallknownCQschemes[2,10,11](uptopossible reoFrodrertihnegCofQpuebxltiecncsioomnmitunwiiclaltbioenussteepfusl,eto.g.d[e?fin])e.general- nporetsecdrisb(etd′).measurements {MBt′}tq′−=10, with result de- ized Pauli operators, X i = i + 1 , Z i = ωi i , where | i | i | i | i 4. Repeat step 1. 2. 3. m times. The list of mea- ω = ei2π/q,whereq isthedimensionofthesecret. Forsim- surementresults r(t) an→ds(∞t′)are the raw keysof the plicity we consider prime dimension q. We further denote dealerandplayersB respectively. i(t) as the eigenstatesof XtZ. The channelstate can then | i beexpandedas 5. SECURITY TEST: FollowstandardQKDsecuritysteps. Through public discussion first sift the key such that 1 q−1 theonlyremainingresultsaresuchthatt=t′. Second, CS = i(t) i(t) , | id,1...n √q | id| Li1...n verify for a random subset that s(t) = r(t). If this is Xi=0 notthecase,abort,ifitis,keeptheremainingresultsas thesharedrandomkey. where the bases i(t) are also orthonormaland comple- L mentary,thatis {i|(t) ji(}t′) 2 =1/qwhent=t′. |h L| Li| 6 At the end, if the protocol is not aborted, the dealer and Wewillfirstdescribetheprotocols,thenmakeprecisewhat the authorised set share a secure key which can be used to wemeanexactlybyauthorisedandunauthorisedsetsforboth distributeaclassicalsecretsecurely. QQandCQ,andsecurityfortheCQprotocol. QQProtocol:Let|ζid′ = iq=−01αi|iid′ ∈Cqbethesecret Wenowdefinewhatitmeanstosaysetsofplayersareau- stateinpossessionofthedealPer. thorisedorunauthorisedforbothCQ andQQprotocols. For later proofscomparingthe two protocolsit will be useful to 1. Thedealerpreparesachannelstate(1),thendoesanex- also talk about equivalent information theoretic conditions. tendedBellmeasurementoverdandd′andappropriate For this we define the channel Λ from system d′ to subset corrections,leavingthestateofthenquditsas ofplayersBastheencodingprocedureinQQgivingstate(2) followedbytracingoutallbuttheplayersB. q−1 WefirstlookattheQQcase. αi iL 1...n. (2) QQAuthorisedsetsWesayasetofplayersB isauthorised | i Xi=0 iftheycanperfectlyaccessthequantumsecret,thatis,ifthere 3 existsadecodingprocedureΓ actingonlyonthoseplayers, ourprotocolsastheystanddonotguaranteecompletesecurity B whichcanperfectlyrecoverthesecretinputstate ζ . against arbitrary attacks, but rather, against only intercept | i If the quantum information is accessible through the resend,andarenottoleranttonoise. Weshouldmentionthat channel Λ, then the quantum mutual information be- itis expectedthatsecurityproofsexistingforstandardQKD tween two halves of a maximally mixed state after may be extended to these protocols also. Security against one half has been sent down the channel is maxi- intercept resend attacks is guaranteed if any purification mal [12]. That is to say I(τ;Λ) = 2log q, where ψ compatible with the results of the security test 2 | id,B,E I(τ;Λ) = S(τ) + S(Λ(τ)) S((id Λ)(Φ Φ )), has the property that the reduced density matrix ρ is not q q dE − ⊗ | ih | τ = 1 q−1 i i is a maximally mixed state, correlatedacrossdandE, q i=0 | ih | Φ = 1 Pq−1 ii is a maximally entangled state and | qi q i=0 | i ρdE =ρd ρE. (4) S istheVonPNeumanentropy(S(ρ)= tr(ρlog(ρ))). ⊗ − This ensures that the dealer’s results are independentof any QQ Unauthorised sets We say a set of players B is measurementsanyeavesdropperE mightmake. unauthorisedif it has no access to the quantumsecret what- soever,thatis, the reduceddensitymatrix ρ is independent B We now explorethe relationship between the existence of of the quantum input ζ . Information theoretically, if the protocolsforCQ andQQ asdescribedabove. We will show | i quantum information is completely denied through the thefactthatforgivenlogicalencodingbasis i ,theexis- L channel Λ, (the output of the channel can only guess the {| i} tenceofaQQprotocolandCQprotocolarerelated. secretwithequalprobability),thenI(τ;Λ)=0. FortheQQandCQschemesdefinedasabovefromachan- nel state CS , with logicalbasis i , the followingrela- L | i {| i} WenowlookattheCQprotocol. tionshipshold: CQAuthorisedsetsWesayasetofplayersBisauthorisedif itcanaccessthesecret,thatis,ifthereexistsa(possiblyjoint) Proposition1. measurementontheirsystemswhichallowsthemtodiscover 1. AQQauthorisedset,isaCQauthorisedset. thedealersmeasurementresultr(t)foreachsettingt. 2. AQQunauthorisedsetisaCQunauthorisedset. Torewritethisininformationtheoreticlanguage,itsuffices 3. ACQauthorisedsetisaQQauthorisedset. toconsiderthechannelfromthedealertotheplayersB,where foreacht,thedealersendsaspecificchosenstate r(t) Proof: 1 and 2 are clear since the access of the classical L 1...n | i totheplayersencodingtheclassicalinformationr(t),chosen informationisaspecialcaseofthequantuminformation. We accordingtoauniformdistribution.Theability,ornot,ofaset directlydeduce3fromthelemma1of[13]. Thislemmasays ofplayerstoaccessthisclassicalinformationisequivalentto that thembeingabletodiscoverthedealer’smeasurementresultin theCQprotocol.IntermsoftheactionofthechannelΛabove, χ(Λ( ))+χ(Λ( )) I(τ :Λ) (5) 0 1 thiscorrespondstoasetofinputs Ut i q−1,whereUisthe E E ≤ cfoourrreiesrpotrnadnssftoormanoifnprauntkstqa,tetU∈t[qr]{.dT′.h|Tathi}uisis,=te0oacvher|irf(yt)thLait1.t.h.nis, wfohrmereoEf0di=me{nq1s,io|ini}q,,EΛ1a=C{Pq1T,PUm|iaip},,χwitthheUHaolfeovuoriienrfotrramnas-- | i channelworksperfectlyforeachsuchmessage,weareinter- tion. ested in the classical informationthat can be transmitted for IfasetBcanaccessintheCQprotocol,aftergoingthrough a random distribution overthe alphabetfor a given t, which we denote = 1,Ut i q−1. We use Holevo information the associated quantum channel Λ, the classical information Et {q | i}i=0 is accessible in atleast two mutualunbiasedbases i and for characterizing the amount of classical informationtrans- {| i} U i , this means that χ(Λ( )) = χ(Λ( )) = log(q), mittablethroughaquantumchannelΛ,definedby: { | i} E0 E1 hence I(τ : Λ) 2log(q) Moreoverfrom its definition we ≥ χ(Λ(Et))=S(cid:16)1q XΛ(Ut|iihi|Ut†)(cid:17)−1q XS(Λ(Ut|iihi|Ut†)). hmaevaenIs(tτha:tΛth)e≤inf2olromga(tqio).nHiseqnuceanIt(uτm:lyΛa)cc=es2silbolge(.q(cid:3)),which i i We note that it is not true that a CQ unauthorised set is If the classical information is accessible through the automaticallyQQunauthorised. However,aswewillseead- quantum channel Λ perfectly, then the Holevo information ditionalmixingcanaddressthisandfurther,forpurestateQQ χ( t(Λ))=logq. the unauthorised sets exactly determined by the authorised E sets,sothattheconnectionbetweenQQandCQisexact. CQ Unauthorised sets We say a set of players B is In addition, we will now show that a valid access struc- unauthorised if the dealer’s result r(t) is completely denied tureforaCQprotocolimpliesasecurekeydistribution,inthe to them, thatis, if the reducedstate ρB ofthose systemshas sensewhereiftheProtocolgothroughtheSecuritytest(Step no dependence on r(t). In information theoretic terms, for 6), then we show that for any state ρ outside the encoded E the channel Λ and the set of inputs above, this is equal to state (which could be an eavesdropper as the environment), sayingthatχ(Λ(Et))=0. wehaveρdE = I/q⊗ρE whereρd isthedealer’sstate,and so,ρ isindependentofthedealer’smeasurement. E CQ Security For CQ protocols there is the additional conditionofsecurity. AsinallpreviousCQwork[2,10,11], Proposition2. ACQauthorisedsetisaCQsecureset. 4 Proof:Seeappendix. pointedoutin[3],itispossibletogofrom(n,k = n+1/2) Fromtheseresultswecanimmediatelyseethattheschemes to(n l,k)thresholdschemesbythrowingaway l systems. presentedin[3]allowingforallQQaccessstructurescanbe Clearl−y these mixed schemes to not satisfy k′ = n k. − used to givenew CQ protocolsallowingforall accessstruc- Such schemes were used in [3] to show that all QQ thresh- tures. Furthermorethis can be done using high dimensional old schemes can be achieved using quantum Reed Solomon graphstates[30]. codes. It is these schemes which when translated to CQ schemes (through our general relationship above) show all We nowclarifytherelationshipbetweenQQandquantum threshold schemes are possible for CQ also. Note that this errorcorrectingcodes(QECC).AQECCencodesaspaceof approachofdiscardingsharesclearlyholdsin theCQ exten- dimension κ onto n systems (or shares), such that errors on sionspresentedinthiswork,henceaQQ(k,k′,n)mixedstate some subsets of systems can be tolerated. For a distance d, schemeimpliesaCQ(k,k′,n)mixedstatescheme. Another andsharesofdimensionqwedenoteaQECCas((n,κ,d)) , set of schemes which have been developed recently which q whichmeansthatthecodecantoleratethelossofd 1shares do not satisfy (6) [16–19]. The idea of these schemes is to − (systems).ClearlyonecanusesuchanencodingasaQQ,and takepurestateerrorcorrectingschemes,whicharenecessarily inthelanguageoframpschemes,ifeachshareisaplayer,this (k,k′ =n k,n)rampschemes,thusguaranteedquantumac- meansthatk=n d+1. Whichplayersareunauthorisedis cesstoatle−astk,andaddclassicalmixingontoptoincreasek′ − apriorinotgivenforacodeandmustbechecked.Similarlyit arbitrarily(whereclassicalinformationisdistributedviaclas- isclearthatanyQQschemeisaQECCwithd=n k+1. sicalsecretsharingprotocolsoversecurechannels).Sincethe − Itwasnoticedin[3]thatforthecaseoferrorcorrectingpro- originalquantumcodesarenolongerthresholdschemes,they tocolsencodingontopurestates,thesituationbecomesmuch donothavetosaturatetheSingletonbound,andhencedonot simpler. It turns out that in this case it can be seen that the havetosatisfy(6). However,eveninthiscaseitseemsthere toleranceofacodeto thelossofa setofshares B isexactly are some restrictionson share size [17]. Note also that both equivalenttothesamesetBnotgettinganyinformationwhat- thesessetsofschemescanbepurified,andtheirpurifications soeverabouttheencodedinformation.WhenusedforQQthis clearlyfallintoourgeneralizedschemesandmustsatisfythe meansits rampschemeparameteris k′ n k. Butbyno abovestill. Althoughsuchpurificationsareimpractical,these cloningk′ n k.ThusforallQQwith≤pure−stateencodings schemes still fit into our framework, and this fact may well k′ =n k≥. Th−isextendstherestrictionofk =(n+1)/2for imposerestrictionsonthemixedprotocolsalso. − thresholdschemesnoticedin[3]. Furthermore, it gives a general relationship: a pure state Ontheonehand,theseresultsmeanthatallquantumerror QECC protocol ((n,κ,d))q is equivalent to a QQ ramp correctioncanthenbeusedforbothCQandQQsecretshar- scheme where all shares are considered as players with pa- ing.Intheotherdirection,theseresultsgiveanewmethodfor rameters (k,k′ = n k,n). Thatisall suchQECC areQQ searchingfornewerrorcorrectingschemesstartingfromCQ − rampschemeswiththoseparameters,andviceversa. schemes. In particular for graph state schemes, many tools We can then ask what else is imposed by the relationship haverecentlybeendevelopedtophrasetheconditionsforCQ witherrorcorrection. Oneimportantquestionisthatofshare secret sharing in soley graphical language, which have been size. It can easily be seen that the Singleton bound implies used to search for new CQ schemes [24–26, 30] which are that for threshold schemes with pure state encoding κ q. thereforevalidQQandQECCschemes. Throughthegeneral ≤ Hence for κ = q (as is the case for many codes, including connection shown in this work, such techniques can also be all stabilisercodes)all purestate thresholdschemesmust be usedtosearchfornewquantumerrorcorrectingcodes,inpar- MDScodes. Thisimpliessomethingthathasbeenshownfor ticularforhigherdimensionalcodeswhichareseentobenec- smallncasesin[10],whichisthat,forallpurestatethreshold essary for the most efficient codes and general access struc- QQsecretsharingschemesencodingasecretequaltothesize tures. ofeachshare,thedimensionofeachsharemustscalewithn, n+2 q . (6) I. ACKNOWLEDGEMENTS ≥r 2 This bound follows from the fact that the code saturates the We gratefully acknowledge discussions on the topics of Singleton bound, as shown in [14]. Indeed the MDS con- this research with Simon Perdrix, Gilles Zemor. We partic- jecture for such codes states that it would scale as badly as ularly thank Francesco Buscemi for discussions and point- q √n 1. ing out reference [13]. We acknowledge financial support ≥ − Wenotethattheaboveresultsneedonlyholdforpurestate from ANR project FREQUENCY (ANR-09-BLAN=0410- errorcorrectingschemes. Mixedstateschemescanofcourse 03) and ANR Des program under contract ANR-08-EMER- exist,whichdonotneedtosatisfytheseproperties.Indeed,as 003(COCQproject). [1] A.Shamir,Commun.ACM22,612(1979). [2] M.Hillery,V.Buzˇek,andA.Berthiaume,Phys.Rev.A59,1829 5 (1999). [18] B.FortescueandG.Gour,arXiv:1108.5541(2011). [3] R.Cleve,D.Gottesman,andH-K.Lo,Phys.Rev.Lett.83,648 [19] V.Gheorghiu,arXiv:1204.1072(2012). (1999). [20] M.Hein, W.Du¨r, J.Eisert,R.Raussendorf, M.vandenNest, [4] M.Ben-Or,C.Cre´peau,D.Gottesman,A.Hassidim,A.Smith, andH.-J.Briegel. 2005. SubmittedtotheInternationalSchool Proc. 47th Annual IEEE Symposium on the Foundations of of Physics on Quantum Computers, Algorithms and Chaos, ComputerScience(FOCS’06),pp.249-260.IEEEPress,2006. Varenna,Italy. [5] C.H.BennettandG.Brassard,inProc.IEEEInternationalCon- [21] M.BahramgiriandS.Beigi. arXiv:quant-ph/0610267(2006). ferenceonComputers,Systems,andSignalProcessing,Banga- [22] A.Cross,G.Smith,J.SmolinandB.Zeng,IEEETrans.Info. lore,India(IEEE,NewYork,1984),175. Theory55,1,433-438(2009). [6] K.ChenandH-K.Lo,Quant.Info.Comp.7,689(2007). [23] M.VandenNest,J.DehaeneJ,B.DeMoor,Phys.Rev.A69, [7] D.Gottesman,Phys.Rev.A61,042311(2000). 022316(2004). [8] A.Ekert,Phys.Rev.Lett.67,661(1991). [24] E.Kashefi,D.Markham,M.Mhalla,andS.Perdrix.Electronic [9] D.Schlingemann and R.F.Werner, Phys.Rev. A 65, 012308 ProceedingsinTheoreticalComputerScience,9:87–97(2009). (2001). [25] S. Gravier, J. Javelle, M. Mhalla and S. Perdrix, [10] D.MarkhamandB.C.Sanders,PhysicalReviewA,78,(2008). arXiv:1112.2495(2011). [11] A.Keet, B.Fortescue, D.Markham andB.C.Sanders, Phys. [26] S. Gravier, J. Javelle, M. Mhalla and S. Perdrix, Rev.A82,062315(2010). arXiv:1109.6181(2011). [12] M.SchumacherandM.Nielsen,Phys.Rev.A54,2629(1999). [27] Je´roˆme Javelle, Mehdi Mhalla, Simon Perdrix, [13] M.ChristandlandA.Winter,IEEETransInfTheory,vol51,no arXiv:1204.4564(2012). 9,pp3159-3165(2005). [28] S. Wicker, V. Bhargava, An introduction to Reed Solomon [14] A. Ketkar, A. Klappenecker, S. Kumar and P. K. Sarvepalli, codes, Reed-Solomon Codes and Their Applications, Wiley- quant-ph/0508070(2005). IEEEPress(1999). [15] M.Grassl,T.Beth,M.Roetteler,InternationalJournalofQuan- [29] F.J.MacWilliams,N.J.A.Sloane,Thetheoryoferrorcorrecting tumInformation,Vol2,No.1,55-64(2004). codes(2006). [16] A.BroadbentandA.Tapp,(ICQNM2009),pp.59-62,(2009). [30] A.MarinandD.Markham,inpreparation. [17] J.Javelle,M.MhallaandS.Perdrix,arXiv:1109.1487(2011). AppendixA:ProofofProposition2 ForanymeasurementsMt,onecanalwaysdefineaunitaryoverapurificationofthemeasurementVt (whereB′represents B B′ the total purification space with possibly additional ancillas) , such that the outcome of a results matching the measurement XtZ asperthesecuritytest,implyforanypurificationofthetotalstatetoincludeapossibleeavesdropperE,that d XdtZd⊗VBt′ ⊗IE|ϕidB′E =|ϕidB′E (A1) Inparticularthisistruefort=0andt=1,sothat(Zd V0B′ IE)ϕ dB′E = ϕ dB′E and(XdZd V1B′ IE)ϕ dB′E = ⊗ ⊗ | i | i ⊗ ⊗ | i (|ϕXidndBZ′dmE.⊗MWme,ndBe′d⊗ucIeE)th|ϕenidBth′Eat=fo|ϕr iadlBl′Em.,n ∈ {0,..,q − 1} there exists a unitary operator Mm,nB′ such that ρdE = TrB′(ϕ dB′E ϕ) | i h | 1 = TrB′( q2(XdnZdm⊗Mm,nB′ ⊗IE)|ϕidB′Ehϕ|(XdnZdm⊗Mm,nB′ ⊗IE)†) Xm,n 1 = q2(XdnZdm⊗IE)TrB′(|ϕidB′Ehϕ|)(XdnZdm⊗IE)† Xm,n = ( I )(ρ ) d E dE E ⊗ = ( I )( p i j k l ) d E ijkl d E d E E ⊗ | i | i h | h | Xijkl = p (i k ) j l , ijkl d d d E E E | i h | ⊗| i h | Xijkl where we define (N) := XdnZdmN(XdnZdm)−1. So (I) = I and i,j (ZiXj) = 0, so for all matrix E m,n q2 E ∀ E M in the operator space, MP= q−1 α ZiXj, we have (M) = Tr(M)I. Hence (i k ) = δ I and i,j=0 i,j E q Ed | idh |d ikq ρ = p δ Id j l =PId ( q−1p )j l = Id ρ . (cid:3) dE ijkl ijkl ik q ⊗| iEh |E q jl i=0 ijil | iEh |E q ⊗ E P P P 6 Fromthisitfollowsthatanysetauthorizedintwomutualunbiasedbasescanshareasecretkeywiththedealer. Thus,with an(n,k,k′)CQscheme,anysetofsizegreaterthank canshareasecretkeywith D. Anysetofsizelessthank′ cannot. But in between, there is some particularsets that potentially can. In other words, by checking the k-accessibility for two mutual unbiasedbases,weguaranteethatanysubsetofkplayersandmorecanshareasecretkeywithDinanytwooftheq+1mutual unbiasedbases. Nevertheless,thek′-privacyparametermaynotbethesameforeachbases. Andcheckingitfortwodoesnot implyanythingforthe others. Note thatif the k′ parametersare equalforanybases, than the graphstate is (n,k,k′) forQQ (andk′ =n k). Therelevanceofk′willbeestablishedaccordingtothesituation. −