Table Of ContentOnthe equivalence between sharing quantum andclassicalsecrets, and error correction
Anne Marin∗ and Damian Markham†
CNRS LTCI, De´partement Informatique et Re´seaux, Telecom ParisTech,
23 avenue d’Italie, CS 51327, 75214 Paris CEDEX 13, France.
Wepresentageneralschemeforsharingquantumsecrets,andanextensiontosharingclassicalsecrets,which
containallknownquantumsecretsharingschemes. Inthisframeworkweshowtheequivalenceofexistenceof
bothschemes,thatis,theexistenceofaschemesharingaquantumsecretimpliestheextendedclassicalsecret
sharingschemeworks,andviceversa. Asaconsequenceofthiswefindnewschemessharingclassicalsecrets
forarbitraryaccessstructures. Wethenclarifytherelationshiptoquantumerrorcorrectionandobserveseveral
restrictionstherebyimposed,whichforexampleindicatesthatforpurestatethresholdschemesthesharesizeq
mustscalewiththenumberofplayersnasq √n.
≥
Secretsharingisanimportantprimitiveininformationnet- playerssuchthatonlyauthorizedplayerscanaccessthe key.
works, forexample in online auctions, electronic voting, se- We refer to this family of protocols as CQ (again following
2
cure multiparty function evaluation, first introduced in the the notationof [10]). The only knownexisting CQ schemes
1
classical setting in [1]. The problem setting is that a dealer arethresholdwithparameters (n,n)[2], (2,3)[11]and(3,5)
0
2 d wishes to distribute a secret (we will considerboth classi- [10].
calandquantumsecrets)toasetofnplayers,suchthatonly In[10]alinkwaspresentedbetweenQQandCQprotocols
y
certainsetsofplayerscanaccessthesecret(wecallthesethe where it was shown that in some instances the same frame-
a
M authorizedplayers),andcertainsetsofplayerscannotaccess workcouldbeusedforbothusinggraphstates(firstforqubits,
thesecret(wecallthesetheunauthorizedsetsofplayers). The then for qudits in [11]). The usefulness of this connection
8 assignment of authorizedand unauthorizedsets is called the is many fold. On a practical level sharing the same frame-
1 access structure. Any such scheme can be loosely described workisadvantageoussinceanyimplementationforonecanbe
asa‘ramp’scheme,describedbythreeparameters,(k,k′,n), adaptedtoperformtheother. Onthetheoreticallevelthead-
] whereanysetofplayersB suchthat B k canaccessthe vantagesareveryrich.OntheonehanditallowsnewCQpro-
h
p secret,whereasanysetsuchthat B | k|′≥cannotgetanyin- tocolstobefoundviatranslationfromQQ,asin[10],[11]. In
| | ≤
- formation at all. Clearly this description does not cover the the other direction, techniques for constructing CQ schemes
nt fullaccessstructureinbetweenkandk′. Whenk′ =k 1,it (which can often on the face of it appearmuch simpler) can
−
a doeshowever,andthisiscalleda‘threshold’scheme,denoted beusedtoconstructQQschemes.Furthermorethereisadeep
u (k,n). Often it suffices to considerthreshold schemes since relationshipbetweenQQandquantumerrorcorrection. This
q
allaccessstructurescanbebuiltfromthem. opens up the door to the possibility of using powerful tools
[
We considertwo quantumextensionsofthesecretsharing fromerrorcorrectiontheorytoinvestigatesecertsharing,and
1 problem,firstputforwardin[2][3],whichhavefoundapplica- newtechniquesfromsecretsharingtofindnewerrorcorrect-
v tion, forexample in secure multipartyquantumcomputation ing schemes. Graph state methods for finding CQ schemes
2 [4]. The first is the sharing of a quantum secret [3], that is have recentlyyieldedmany results in this direction[25, 27].
8
thedealerwishestodistributeaquantumstatesuchthatonly The generalrelationshipbetweenQQ and CQ secret sharing
1
authorizedplayerscanaccessit,andunauthorizedcannot. We istodateunclearhowever,andwecanonlyexpectmoreuse-
4
. refertothisprotocolfamilyasQQ(followingthenotationof fulnesstobegained.
5
[10]). It was shown in [3] that in principle all access struc- WepresentthemostgeneralQQsecretsharingschemefor
0
turesnotcontradictingno-cloningcanbeachieved. Thesec- sharing a quantum secret and its extension to a CQ scheme,
2
1 ondquantumversionweconsideristhesharingofaclassical whichformallyencompassallquantumexistingsecretsharing
: secretusingquantumchannels,introducedin[2]. Itisknown schemes.WeshowthattheexistenceofsuchaQQimpliesthe
v
that there exist informationally theoretically secure schemes extensiontoCQcasehasthesameaccessstructureandsecu-
i
X toshareaclassicalsecret[1],however,theseschemesrequire rityismaintained,andsimilarly,ifthereexistsaCQschemeof
r asecurechannelbetweenthedealerandeachplayer.Oneway thistype,thequantumversionalsoisavalidQQsecretshar-
a ofresolvingthisissuewouldbetouse nquantumkeydistri- ingscheme. Thisallowsusto use theQQ schemesfrom[3]
bution (QKD) channels from the dealer, one to each player, fortheextendedCQscheme,allowingallaccessstructuresfor
and then use the Shamirscheme. Anotherway, presentedin thefirsttime. WethendrawanequivalencebetweenQQand
[2]combinestheideaofQKDwithsecretsharingdirectly,this quantumerrorcorrection,showingthatallrampschemesare
canbe moreefficientthanthedirectuse ofQKD. By choos- errorcorrectingschemesand vice versa. Severalrestrictions
ing a suitable entangled state shared between the dealer and are thus imposed, notably, that for pure state QQ threshold
the players, the dealer is able to share a secret key with the schemes,thesizeofthesharemustscalewiththesizeofthe
network (something which is also true in the fully classical
setting).
∗[email protected] ThemostgeneralQQquantumsecretsharingprotocolcan
†[email protected] be understood as a map from a quantum secret state ζ =
| i
2
α i to a multipartite state ζ = α i 2. Thedealersendsquditℓoftheresultantstatetoplayer
i i| i | Li1...n i i| Li1...n
Psharedbetweenthe players 1...n, encodedontoPsomelogical ℓ.
basis i , whichisdesignedsuchthatauthorizedsets
L 1...n
{| i } 3. Playersinauthorizedset B followaprescribeddecod-
ofplayerscanaccessthesecretandunauthorizedsetsofplay-
ing operation Γ (involving syndrome measurements
ers cannot. Without loss of generality we take i to be B
L
{| i} andcorrection).
anorthonormalbasis. Anencodingontoanon-orthogonalba-
sis canbeunderstoodas somepreprocessingtakingthestate
Theprotocolisthendefinedbyencodingbasis i ,and
input ζ to a state ζ′ correspondingto the non-orthogonal {| Li1...n}
encod|inig, and then|folilowingthe map above. A mixedstate decodingoperationsΓB foreachauthorizedsetB. Attheend
theauthorizedsetB havethequantumsecret.
encodingcanalwaysbepurifiedintoamapasabove,followed
CQProtocol:TheCQprotocoldoesnotdirectlydistribute
bytracingoutofsomesystems(inwhichcasethenumberof
asecretclassicalmessagefromthedealertotheplayers,rather
active playerswould be less than n). In this way this repre-
it is a protocol to establish a secure key between the dealer
sentsthemostgeneralscheme.
andtheplayers,suchthatonlyauthorizedsetsofplayerscan
Foranysuchscheme,weextendtosharingclassicalsecrets
accessthekey. Inthissenseitmaybeconsideredmoreaccu-
byintroducingwhatwecallachannelstatebetweensystemd
ratelyassecretkeysharing. Thiskeycanthenbeusedbythe
heldbythedealerandtheplayers’systems1...n,
dealertoshareasecretmessagesuchthatitcanonlyberead
byauthorizedsetsofplayers.TheCQprotocolisanextension
q−1
1
ofthosepresentedin[2,10,11],tothemoregeneralcasenot
CS := i i . (1)
d,1...n d L 1...n
| i √q | i | i usinggraphstates. Wenowoutlinetheprotocol.
Xi=0
This is a maximallyentangledstate between d and the play- 1. Thedealerpreparesachannelstate(1)andsendsqudit
ers,andcanbeunderstoodasachannelfromthedealertothe ℓtoplayerℓ.
players. InthecaseofQQthischannelisusedtoteleportthe
2. The dealer randomly measures his qudit d among the
secret from the dealer’s qubit to the players (that is, it acts
bases: XtZ q−1. Wedenotetheresultr(t). Thestate
simplyasanencodingprocessforthemostgeneralscheme). { }t=0
oftheplayersisthenprojectedto
In the case of CQ this channel is used to establish a secure
randomkeybetweenthedealerandtheplayers(aspertheEk-
r(t) . (3)
ertprotocol[8]). In bothcases it is the choiceof the logical | Li1...n
basis i givesrisetotheaccessstructure.Thisexten-
L 1...n
{| i } 3. An authorised set B randomly measures in one of the
sioncoversallknownCQschemes[2,10,11](uptopossible
reoFrodrertihnegCofQpuebxltiecncsioomnmitunwiiclaltbioenussteepfusl,eto.g.d[e?fin])e.general- nporetsecdrisb(etd′).measurements {MBt′}tq′−=10, with result de-
ized Pauli operators, X i = i + 1 , Z i = ωi i , where
| i | i | i | i 4. Repeat step 1. 2. 3. m times. The list of mea-
ω = ei2π/q,whereq isthedimensionofthesecret. Forsim- surementresults r(t) an→ds(∞t′)are the raw keysof the
plicity we consider prime dimension q. We further denote
dealerandplayersB respectively.
i(t) as the eigenstatesof XtZ. The channelstate can then
| i
beexpandedas 5. SECURITY TEST: FollowstandardQKDsecuritysteps.
Through public discussion first sift the key such that
1 q−1 theonlyremainingresultsaresuchthatt=t′. Second,
CS = i(t) i(t) ,
| id,1...n √q | id| Li1...n verify for a random subset that s(t) = r(t). If this is
Xi=0 notthecase,abort,ifitis,keeptheremainingresultsas
thesharedrandomkey.
where the bases i(t) are also orthonormaland comple-
L
mentary,thatis {i|(t) ji(}t′) 2 =1/qwhent=t′.
|h L| Li| 6 At the end, if the protocol is not aborted, the dealer and
Wewillfirstdescribetheprotocols,thenmakeprecisewhat
the authorised set share a secure key which can be used to
wemeanexactlybyauthorisedandunauthorisedsetsforboth
distributeaclassicalsecretsecurely.
QQandCQ,andsecurityfortheCQprotocol.
QQProtocol:Let|ζid′ = iq=−01αi|iid′ ∈Cqbethesecret Wenowdefinewhatitmeanstosaysetsofplayersareau-
stateinpossessionofthedealPer. thorisedorunauthorisedforbothCQ andQQprotocols. For
later proofscomparingthe two protocolsit will be useful to
1. Thedealerpreparesachannelstate(1),thendoesanex- also talk about equivalent information theoretic conditions.
tendedBellmeasurementoverdandd′andappropriate For this we define the channel Λ from system d′ to subset
corrections,leavingthestateofthenquditsas ofplayersBastheencodingprocedureinQQgivingstate(2)
followedbytracingoutallbuttheplayersB.
q−1 WefirstlookattheQQcase.
αi iL 1...n. (2) QQAuthorisedsetsWesayasetofplayersB isauthorised
| i
Xi=0 iftheycanperfectlyaccessthequantumsecret,thatis,ifthere
3
existsadecodingprocedureΓ actingonlyonthoseplayers, ourprotocolsastheystanddonotguaranteecompletesecurity
B
whichcanperfectlyrecoverthesecretinputstate ζ . against arbitrary attacks, but rather, against only intercept
| i
If the quantum information is accessible through the resend,andarenottoleranttonoise. Weshouldmentionthat
channel Λ, then the quantum mutual information be- itis expectedthatsecurityproofsexistingforstandardQKD
tween two halves of a maximally mixed state after may be extended to these protocols also. Security against
one half has been sent down the channel is maxi- intercept resend attacks is guaranteed if any purification
mal [12]. That is to say I(τ;Λ) = 2log q, where ψ compatible with the results of the security test
2 | id,B,E
I(τ;Λ) = S(τ) + S(Λ(τ)) S((id Λ)(Φ Φ )), has the property that the reduced density matrix ρ is not
q q dE
− ⊗ | ih |
τ = 1 q−1 i i is a maximally mixed state, correlatedacrossdandE,
q i=0 | ih |
Φ = 1 Pq−1 ii is a maximally entangled state and
| qi q i=0 | i ρdE =ρd ρE. (4)
S istheVonPNeumanentropy(S(ρ)= tr(ρlog(ρ))). ⊗
−
This ensures that the dealer’s results are independentof any
QQ Unauthorised sets We say a set of players B is measurementsanyeavesdropperE mightmake.
unauthorisedif it has no access to the quantumsecret what-
soever,thatis, the reduceddensitymatrix ρ is independent
B We now explorethe relationship between the existence of
of the quantum input ζ . Information theoretically, if the
protocolsforCQ andQQ asdescribedabove. We will show
| i
quantum information is completely denied through the
thefactthatforgivenlogicalencodingbasis i ,theexis-
L
channel Λ, (the output of the channel can only guess the {| i}
tenceofaQQprotocolandCQprotocolarerelated.
secretwithequalprobability),thenI(τ;Λ)=0.
FortheQQandCQschemesdefinedasabovefromachan-
nel state CS , with logicalbasis i , the followingrela-
L
| i {| i}
WenowlookattheCQprotocol. tionshipshold:
CQAuthorisedsetsWesayasetofplayersBisauthorisedif
itcanaccessthesecret,thatis,ifthereexistsa(possiblyjoint) Proposition1.
measurementontheirsystemswhichallowsthemtodiscover 1. AQQauthorisedset,isaCQauthorisedset.
thedealersmeasurementresultr(t)foreachsettingt. 2. AQQunauthorisedsetisaCQunauthorisedset.
Torewritethisininformationtheoreticlanguage,itsuffices 3. ACQauthorisedsetisaQQauthorisedset.
toconsiderthechannelfromthedealertotheplayersB,where
foreacht,thedealersendsaspecificchosenstate r(t) Proof: 1 and 2 are clear since the access of the classical
L 1...n
| i
totheplayersencodingtheclassicalinformationr(t),chosen informationisaspecialcaseofthequantuminformation. We
accordingtoauniformdistribution.Theability,ornot,ofaset directlydeduce3fromthelemma1of[13]. Thislemmasays
ofplayerstoaccessthisclassicalinformationisequivalentto that
thembeingabletodiscoverthedealer’smeasurementresultin
theCQprotocol.IntermsoftheactionofthechannelΛabove, χ(Λ( ))+χ(Λ( )) I(τ :Λ) (5)
0 1
thiscorrespondstoasetofinputs Ut i q−1,whereUisthe E E ≤
cfoourrreiesrpotrnadnssftoormanoifnprauntkstqa,tetU∈t[qr]{.dT′.h|Tathi}uisis,=te0oacvher|irf(yt)thLait1.t.h.nis, wfohrmereoEf0di=me{nq1s,io|ini}q,,EΛ1a=C{Pq1T,PUm|iaip},,χwitthheUHaolfeovuoriienrfotrramnas--
| i
channelworksperfectlyforeachsuchmessage,weareinter-
tion.
ested in the classical informationthat can be transmitted for
IfasetBcanaccessintheCQprotocol,aftergoingthrough
a random distribution overthe alphabetfor a given t, which
we denote = 1,Ut i q−1. We use Holevo information the associated quantum channel Λ, the classical information
Et {q | i}i=0 is accessible in atleast two mutualunbiasedbases i and
for characterizing the amount of classical informationtrans- {| i}
U i , this means that χ(Λ( )) = χ(Λ( )) = log(q),
mittablethroughaquantumchannelΛ,definedby: { | i} E0 E1
hence I(τ : Λ) 2log(q) Moreoverfrom its definition we
≥
χ(Λ(Et))=S(cid:16)1q XΛ(Ut|iihi|Ut†)(cid:17)−1q XS(Λ(Ut|iihi|Ut†)). hmaevaenIs(tτha:tΛth)e≤inf2olromga(tqio).nHiseqnuceanIt(uτm:lyΛa)cc=es2silbolge(.q(cid:3)),which
i i
We note that it is not true that a CQ unauthorised set is
If the classical information is accessible through the automaticallyQQunauthorised. However,aswewillseead-
quantum channel Λ perfectly, then the Holevo information ditionalmixingcanaddressthisandfurther,forpurestateQQ
χ( t(Λ))=logq. the unauthorised sets exactly determined by the authorised
E
sets,sothattheconnectionbetweenQQandCQisexact.
CQ Unauthorised sets We say a set of players B is In addition, we will now show that a valid access struc-
unauthorised if the dealer’s result r(t) is completely denied tureforaCQprotocolimpliesasecurekeydistribution,inthe
to them, thatis, if the reducedstate ρB ofthose systemshas sensewhereiftheProtocolgothroughtheSecuritytest(Step
no dependence on r(t). In information theoretic terms, for 6), then we show that for any state ρ outside the encoded
E
the channel Λ and the set of inputs above, this is equal to state (which could be an eavesdropper as the environment),
sayingthatχ(Λ(Et))=0. wehaveρdE = I/q⊗ρE whereρd isthedealer’sstate,and
so,ρ isindependentofthedealer’smeasurement.
E
CQ Security For CQ protocols there is the additional
conditionofsecurity. AsinallpreviousCQwork[2,10,11], Proposition2. ACQauthorisedsetisaCQsecureset.
4
Proof:Seeappendix. pointedoutin[3],itispossibletogofrom(n,k = n+1/2)
Fromtheseresultswecanimmediatelyseethattheschemes to(n l,k)thresholdschemesbythrowingaway l systems.
presentedin[3]allowingforallQQaccessstructurescanbe Clearl−y these mixed schemes to not satisfy k′ = n k.
−
used to givenew CQ protocolsallowingforall accessstruc- Such schemes were used in [3] to show that all QQ thresh-
tures. Furthermorethis can be done using high dimensional old schemes can be achieved using quantum Reed Solomon
graphstates[30]. codes. It is these schemes which when translated to CQ
schemes (through our general relationship above) show all
We nowclarifytherelationshipbetweenQQandquantum threshold schemes are possible for CQ also. Note that this
errorcorrectingcodes(QECC).AQECCencodesaspaceof approachofdiscardingsharesclearlyholdsin theCQ exten-
dimension κ onto n systems (or shares), such that errors on sionspresentedinthiswork,henceaQQ(k,k′,n)mixedstate
some subsets of systems can be tolerated. For a distance d, schemeimpliesaCQ(k,k′,n)mixedstatescheme. Another
andsharesofdimensionqwedenoteaQECCas((n,κ,d)) , set of schemes which have been developed recently which
q
whichmeansthatthecodecantoleratethelossofd 1shares do not satisfy (6) [16–19]. The idea of these schemes is to
−
(systems).ClearlyonecanusesuchanencodingasaQQ,and takepurestateerrorcorrectingschemes,whicharenecessarily
inthelanguageoframpschemes,ifeachshareisaplayer,this (k,k′ =n k,n)rampschemes,thusguaranteedquantumac-
meansthatk=n d+1. Whichplayersareunauthorisedis cesstoatle−astk,andaddclassicalmixingontoptoincreasek′
−
apriorinotgivenforacodeandmustbechecked.Similarlyit arbitrarily(whereclassicalinformationisdistributedviaclas-
isclearthatanyQQschemeisaQECCwithd=n k+1. sicalsecretsharingprotocolsoversecurechannels).Sincethe
−
Itwasnoticedin[3]thatforthecaseoferrorcorrectingpro- originalquantumcodesarenolongerthresholdschemes,they
tocolsencodingontopurestates,thesituationbecomesmuch donothavetosaturatetheSingletonbound,andhencedonot
simpler. It turns out that in this case it can be seen that the havetosatisfy(6). However,eveninthiscaseitseemsthere
toleranceofacodeto thelossofa setofshares B isexactly are some restrictionson share size [17]. Note also that both
equivalenttothesamesetBnotgettinganyinformationwhat- thesessetsofschemescanbepurified,andtheirpurifications
soeverabouttheencodedinformation.WhenusedforQQthis clearlyfallintoourgeneralizedschemesandmustsatisfythe
meansits rampschemeparameteris k′ n k. Butbyno abovestill. Althoughsuchpurificationsareimpractical,these
cloningk′ n k.ThusforallQQwith≤pure−stateencodings schemes still fit into our framework, and this fact may well
k′ =n k≥. Th−isextendstherestrictionofk =(n+1)/2for imposerestrictionsonthemixedprotocolsalso.
−
thresholdschemesnoticedin[3].
Furthermore, it gives a general relationship: a pure state
Ontheonehand,theseresultsmeanthatallquantumerror
QECC protocol ((n,κ,d))q is equivalent to a QQ ramp correctioncanthenbeusedforbothCQandQQsecretshar-
scheme where all shares are considered as players with pa-
ing.Intheotherdirection,theseresultsgiveanewmethodfor
rameters (k,k′ = n k,n). Thatisall suchQECC areQQ searchingfornewerrorcorrectingschemesstartingfromCQ
−
rampschemeswiththoseparameters,andviceversa.
schemes. In particular for graph state schemes, many tools
We can then ask what else is imposed by the relationship
haverecentlybeendevelopedtophrasetheconditionsforCQ
witherrorcorrection. Oneimportantquestionisthatofshare
secret sharing in soley graphical language, which have been
size. It can easily be seen that the Singleton bound implies
used to search for new CQ schemes [24–26, 30] which are
that for threshold schemes with pure state encoding κ q. thereforevalidQQandQECCschemes. Throughthegeneral
≤
Hence for κ = q (as is the case for many codes, including connection shown in this work, such techniques can also be
all stabilisercodes)all purestate thresholdschemesmust be
usedtosearchfornewquantumerrorcorrectingcodes,inpar-
MDScodes. Thisimpliessomethingthathasbeenshownfor
ticularforhigherdimensionalcodeswhichareseentobenec-
smallncasesin[10],whichisthat,forallpurestatethreshold essary for the most efficient codes and general access struc-
QQsecretsharingschemesencodingasecretequaltothesize
tures.
ofeachshare,thedimensionofeachsharemustscalewithn,
n+2
q . (6) I. ACKNOWLEDGEMENTS
≥r 2
This bound follows from the fact that the code saturates the We gratefully acknowledge discussions on the topics of
Singleton bound, as shown in [14]. Indeed the MDS con- this research with Simon Perdrix, Gilles Zemor. We partic-
jecture for such codes states that it would scale as badly as ularly thank Francesco Buscemi for discussions and point-
q √n 1. ing out reference [13]. We acknowledge financial support
≥ −
Wenotethattheaboveresultsneedonlyholdforpurestate from ANR project FREQUENCY (ANR-09-BLAN=0410-
errorcorrectingschemes. Mixedstateschemescanofcourse 03) and ANR Des program under contract ANR-08-EMER-
exist,whichdonotneedtosatisfytheseproperties.Indeed,as 003(COCQproject).
[1] A.Shamir,Commun.ACM22,612(1979). [2] M.Hillery,V.Buzˇek,andA.Berthiaume,Phys.Rev.A59,1829
5
(1999). [18] B.FortescueandG.Gour,arXiv:1108.5541(2011).
[3] R.Cleve,D.Gottesman,andH-K.Lo,Phys.Rev.Lett.83,648 [19] V.Gheorghiu,arXiv:1204.1072(2012).
(1999). [20] M.Hein, W.Du¨r, J.Eisert,R.Raussendorf, M.vandenNest,
[4] M.Ben-Or,C.Cre´peau,D.Gottesman,A.Hassidim,A.Smith, andH.-J.Briegel. 2005. SubmittedtotheInternationalSchool
Proc. 47th Annual IEEE Symposium on the Foundations of of Physics on Quantum Computers, Algorithms and Chaos,
ComputerScience(FOCS’06),pp.249-260.IEEEPress,2006. Varenna,Italy.
[5] C.H.BennettandG.Brassard,inProc.IEEEInternationalCon- [21] M.BahramgiriandS.Beigi. arXiv:quant-ph/0610267(2006).
ferenceonComputers,Systems,andSignalProcessing,Banga- [22] A.Cross,G.Smith,J.SmolinandB.Zeng,IEEETrans.Info.
lore,India(IEEE,NewYork,1984),175. Theory55,1,433-438(2009).
[6] K.ChenandH-K.Lo,Quant.Info.Comp.7,689(2007). [23] M.VandenNest,J.DehaeneJ,B.DeMoor,Phys.Rev.A69,
[7] D.Gottesman,Phys.Rev.A61,042311(2000). 022316(2004).
[8] A.Ekert,Phys.Rev.Lett.67,661(1991). [24] E.Kashefi,D.Markham,M.Mhalla,andS.Perdrix.Electronic
[9] D.Schlingemann and R.F.Werner, Phys.Rev. A 65, 012308 ProceedingsinTheoreticalComputerScience,9:87–97(2009).
(2001). [25] S. Gravier, J. Javelle, M. Mhalla and S. Perdrix,
[10] D.MarkhamandB.C.Sanders,PhysicalReviewA,78,(2008). arXiv:1112.2495(2011).
[11] A.Keet, B.Fortescue, D.Markham andB.C.Sanders, Phys. [26] S. Gravier, J. Javelle, M. Mhalla and S. Perdrix,
Rev.A82,062315(2010). arXiv:1109.6181(2011).
[12] M.SchumacherandM.Nielsen,Phys.Rev.A54,2629(1999). [27] Je´roˆme Javelle, Mehdi Mhalla, Simon Perdrix,
[13] M.ChristandlandA.Winter,IEEETransInfTheory,vol51,no arXiv:1204.4564(2012).
9,pp3159-3165(2005). [28] S. Wicker, V. Bhargava, An introduction to Reed Solomon
[14] A. Ketkar, A. Klappenecker, S. Kumar and P. K. Sarvepalli, codes, Reed-Solomon Codes and Their Applications, Wiley-
quant-ph/0508070(2005). IEEEPress(1999).
[15] M.Grassl,T.Beth,M.Roetteler,InternationalJournalofQuan- [29] F.J.MacWilliams,N.J.A.Sloane,Thetheoryoferrorcorrecting
tumInformation,Vol2,No.1,55-64(2004). codes(2006).
[16] A.BroadbentandA.Tapp,(ICQNM2009),pp.59-62,(2009). [30] A.MarinandD.Markham,inpreparation.
[17] J.Javelle,M.MhallaandS.Perdrix,arXiv:1109.1487(2011).
AppendixA:ProofofProposition2
ForanymeasurementsMt,onecanalwaysdefineaunitaryoverapurificationofthemeasurementVt (whereB′represents
B B′
the total purification space with possibly additional ancillas) , such that the outcome of a results matching the measurement
XtZ asperthesecuritytest,implyforanypurificationofthetotalstatetoincludeapossibleeavesdropperE,that
d
XdtZd⊗VBt′ ⊗IE|ϕidB′E =|ϕidB′E (A1)
Inparticularthisistruefort=0andt=1,sothat(Zd V0B′ IE)ϕ dB′E = ϕ dB′E and(XdZd V1B′ IE)ϕ dB′E =
⊗ ⊗ | i | i ⊗ ⊗ | i
(|ϕXidndBZ′dmE.⊗MWme,ndBe′d⊗ucIeE)th|ϕenidBth′Eat=fo|ϕr iadlBl′Em.,n ∈ {0,..,q − 1} there exists a unitary operator Mm,nB′ such that
ρdE = TrB′(ϕ dB′E ϕ)
| i h |
1
= TrB′( q2(XdnZdm⊗Mm,nB′ ⊗IE)|ϕidB′Ehϕ|(XdnZdm⊗Mm,nB′ ⊗IE)†)
Xm,n
1
= q2(XdnZdm⊗IE)TrB′(|ϕidB′Ehϕ|)(XdnZdm⊗IE)†
Xm,n
= ( I )(ρ )
d E dE
E ⊗
= ( I )( p i j k l )
d E ijkl d E d E
E ⊗ | i | i h | h |
Xijkl
= p (i k ) j l ,
ijkl d d d E E
E | i h | ⊗| i h |
Xijkl
where we define (N) := XdnZdmN(XdnZdm)−1. So (I) = I and i,j (ZiXj) = 0, so for all matrix
E m,n q2 E ∀ E
M in the operator space, MP= q−1 α ZiXj, we have (M) = Tr(M)I. Hence (i k ) = δ I and
i,j=0 i,j E q Ed | idh |d ikq
ρ = p δ Id j l =PId ( q−1p )j l = Id ρ . (cid:3)
dE ijkl ijkl ik q ⊗| iEh |E q jl i=0 ijil | iEh |E q ⊗ E
P P P
6
Fromthisitfollowsthatanysetauthorizedintwomutualunbiasedbasescanshareasecretkeywiththedealer. Thus,with
an(n,k,k′)CQscheme,anysetofsizegreaterthank canshareasecretkeywith D. Anysetofsizelessthank′ cannot. But
in between, there is some particularsets that potentially can. In other words, by checking the k-accessibility for two mutual
unbiasedbases,weguaranteethatanysubsetofkplayersandmorecanshareasecretkeywithDinanytwooftheq+1mutual
unbiasedbases. Nevertheless,thek′-privacyparametermaynotbethesameforeachbases. Andcheckingitfortwodoesnot
implyanythingforthe others. Note thatif the k′ parametersare equalforanybases, than the graphstate is (n,k,k′) forQQ
(andk′ =n k). Therelevanceofk′willbeestablishedaccordingtothesituation.
−
