Approximate quantum state sharing via two private quantum channels

We investigate the approximate quantum state sharing protocol based on random unitary channels, which is secure against any exterior or interior attackers in principle. Although the protocol leaks small information for a security parameter $\epsilon$, the scheme still preserves its information-theoretic secrecy, and reduces some pre-shared classical secret keys for a private quantum channel between a sender and two receivers. The approximate private quantum channels constructed via random unitary channels play a crucial role in the proposed quantum state sharing protocol.


I. INTRODUCTION
Quantum physics allows us a perfect randomness, so most of all quantum information-theoretic primitives try to offer an unconditional security under the randomness. For examples, quantum key distribution protocols such as BB84 [1] and B92 [2] highly depend on a random measurements for given classified non-orthogonal quantum states.
Instead of the random measurement on non-orthogonal states, we can consider a direct randomization of quantum states through a quantum channel. This randomizing procedures are efficiently accomplished via the private quantum channels (PQC) or quantum one-time pads [3]. In the paper we are interest to some schemes for approximate encryptions (no perfect) and we make an attempt to reducing some classical communication resources. We would like to call the randomizing procedures or maps as random unitary channels (RUC) in terms of quantum channels. There are several methods for the approximate randomizing quantum states, for examples, [4,5,8]: We here adapt the procedure of Hayden et al. [4].
Many applications of RUC in quantum protocols (See e.g., [4,6,7].) are started from the approximate version of PQC. Here we will propose new approximate quantum state sharing (AQSS) scheme, which uses two approximate PQCs (APQC) and reduces the classical pre-shared secrets about one-half as compared with a perfect protocol. Actually our protocol could be including the (well-known) quantum secret sharing protocols [9,10], because a quantum state itself is able to operate special quantum tasks, though those are impossible in the classical power. Imagine that if there is a quantum computer only activated under a bipartite quantum state (or quantum key), then our AQSS protocol will give a efficient and secure solution for the quantum key. These approximate quantum state sharing protocols may offer us more opportunities as compared with the quantum secret sharing.
Let's take account of the pre-shared secrets for the approximate quantum state sharing protocols under RUC-based PQC roughly. Assume that a sender Charlie prepares a quantum state ϕ AB (two-qudit) and transmits the state through two independent RUCs, then two distant agents Alice and Bob will receive some output state of including high entropy. For the state ϕ AB the perfect randomization protocol will require exactly the amount of 4 log d-unitary matrices (Pauli matrices). On the other hand, the construction of Hayden et al. [4] for our AQSS scheme implies that only 2 log d + o(log d)-unitaries sufficient. In other words, the perfect quantum state sharing protocol needs to 2l bits of pre-shared secret information, while the AQSS protocol demands about l bits of information. Note that the works in [5,8] will give a similar result for l bits bound.
We will prove the information-theoretic security of the AQSS scheme in two kinds of eavesdropping: an interior and exterior attackers. The proof of having higher entropy condition for the exterior attacks is not easy fact, so we split the input state ϕ AB to separable and entangled cases. As a result, the von Neumann entropy in both cases can be chosen sufficiently larger, and a leakage information will be arbitrarily small. Finally the authors show that our bipartite AQSS scheme naturally can be generalized to an one-sender and multiparty-receivers schemes.
In section II we introduce the definition of random unitary channels, and briefly mention about special property known as the destruction of quantum states on a product random unitary channel. We present our AQSS protocol based on two approximate PQCs in section III, and investigate the security of AQSS of considering two attacks: an exterior and interior strategies. we finally conclude our results in section IV.

II. SOME PROPERTIES OF RANDOM UNITARY CHANNELS
Now let us define the random unitary channel, and then construct an approximate private quantum channels. For all density matrices ϕ ∈ B(C d ), a completely positive trace-preserving map N : where the trace norm is defined by X 1 = √ X † X. This definition directly induces the notion of random unitary channels. That is, for every ϕ, a quantum channel N : is ε-randomizing, where the unitary operators U i ∈ U(d), and the probability p i 's are all positives with i p i = 1. (The notation B(C d ) denotes the set of bounded linear operators from C d to itself and U(d) ⊂ B(C d ) the unitary group on C d .) Note that the parameter n is the number of Kraus operation elements for RUC, so it corresponds to the dimension of arbitrary environment.
For the approximate constructions of RUC, it was known that for all ε > 0 there exist random unitary channels in sufficiently larger dimension d, such that n can be taken to be O(d log d/ε 2 ) in [4] and O(d/ε 2 ) in [12] where U i 's are chosen randomly according to the Haar measure. We here fix the number n of having exactly n = 150d ε 2 , the Theorem 1 in [12].
As mentioned in the Introduction, most intuitive application of the random unitary channel is the approximate private quantum channel [4], which is a modification of the perfect private quantum channel [3] via RUC. The RUCbased APQC is the main tool of constructing the proposed AQSS protocol.
The security of PQC is preserved by the argument of the accessible information in which the leakage information is less than ε. Although small information is leaked to exterior attackers, Bob's decoding state is almost equal to Alice's original state ϕ. The FIG. 1 describes the total procedure of APQC.
In the next section we use two one-way independent PQCs between a sender Charlie and a receiver Alice, and the sender Charlie and another receiver Bob. Let's define two RUCs, from the definition of (Eq. (2)), such that where we fix the probability as an equally weighted probabilities p i = 1 nA and p j = 1 nB for all i, j, and assume that the number of n A is equal to n B , i.e., n A = n B = 150d/ε 2 . For an approximate state sharing of any bipartite quantum state, above two channels play an important role in the approximate quantum state sharing scheme. For given two RUCs N A and N B , and for all input ϕ AB , we must bound the trace norm for the difference between an output state of the product channel N A ⊗ N B and maximally mixed ½/d 2 , such that where a security parameter ε be a positive less than 1. The relation above asserts that all encoding states are information-theoretically secure. Unfortunately, for any entangled states proving the bound is not a simple task. Note that the argument for the (efficient) randomization is related to a destruction of correlations in quantum states [4,11]. The following section gives the AQSS protocol and the security of the protocol. The last of the section, we briefly describe a multiparty AQSS scheme.

III. APPROXIMATE QUANTUM STATE SHARING PROTOCOL
Let us assume that Charlie-Alice and Charlie-Bob have independent two APQCs, and Charlie wants to sharing a bipartite quantum state ϕ AB securely between Alice and Bob.
The protocol for a bipartite quantum state sharing is simple (See FIG. 2): (i) The sender Charlie selects a quantum state ϕ AB and transmits the state through the channel N A ⊗ N B to the receivers Alice and Bob.
(ii) Distant two parties Alice and Bob just hold the state N A ⊗ N B (ϕ AB ) they received.
(iii) When Alice and Bob want to reveal the original state ϕ AB , they must cooperate in a single location. They perform the inverse unitary operations under the locally shared keys.
The security of the AQSS protocol is divided two cases of an exterior and interior attacks. Actually the security is based on information-theoretic assumption, which means that the intercepted states must have the higher von Neumann entropy. Thus any attackers cannot obtain sufficient information for the original states.
First, let us consider an attack accomplished by an exterior Eve. Assume that Eve intercepts the state N A ⊗ N B (ϕ AB ). We here claim that as d goes to infinity. We don't know the accurate description for the state N A ⊗ N B (ϕ AB ) for all inputs, so we will divide the state ϕ AB into the separable and entangled one and investigate the behavior each other. If product state is given, it is possible to infer the inequality Eq. (4) easily. By using the triangle inequality with respect to the trace norm for the two RUCs, if More formally assume that ϕ AB = i p i ϕ A,i ⊗ ϕ B,i such that i p i = 1, i.e., a separable state is given, then where the inequalities Eq. (6) and Eq. (7) come from the norm convexity and the triangle inequality, respectively [4]. Thus any separable inputs for the product channel are very close to the maximally mixed state ½ d 2 . This implies that For the separable input cases, there is another bound that depends on the dimension parameter d and n: We can prove that the expectation value for the difference between the channel output and the maximally mixed state (with respect to the trace norm) is very close, that is, where E {Ui,j } denotes the total expectation value of {U i } nA i=1 and {U j } nB j=1 for the independent RUCs N A and N B , respectively. The Appendix in this paper states that the inequality Eq. (8) is non-trivial and obtained precisely by exploiting the relation between the trace norm and the Hilbert-Schmidt norm. As mentioned above, let's take n A = 150d ε 2 and n B = 150d ε 2 , then This implies that Eve's attack is impossible in principle. What can we do for an entangled input state? Though a direct proof could be impossible, there is an evidence for the statement, the Eq. (5). The Theorem III.3 in [4] states that, for a positive operator-valued measure (POVM) {L i } which is implemented using local operation and classical communication (LOCC), i p i − q i 1 ≤ ε, where p i := tr(L i (N A ⊗ ½ B )(ϕ AB )) and q i := tr(L i ( ½A d ⊗ ϕ B )) with a maximally entangled state s.t. ϕ AB = 1 d d i,j |ii jj| AB and ϕ B = tr A ϕ AB . Natural extension is possible as adding the channel N B : Define p i = tr(L i (N A ⊗ N B )(ϕ AB )) and q i = tr(L i ( ½AB d 2 )), then also i p i − q i 1 ≤ ε. Therefore, we can conclude the state under the LOCC-implemented POVM. In this reason any input state ϕ AB through the product channel N A ⊗ N B have high entropy for d ≫ 1. Second, we must consider a situation when Alice or Bob is malicious. Assume that Bob intercepts the Alice's state N A (ϕ A ), Bob's decoded state looks like where * denotes the inverse operation for Bob's RUC N B , but S[N A (ϕ A )] has still high entropy values. The intercepted state tr B (N A ⊗ ½ B )(ϕ AB ) is still almost maximally mixed state by the definition of the RUC N A (ϕ A ). As a result, Bob cannot obtain any information for ϕ A without Charlie-Alice's key information. Symmetrically Alice's attack is useless. In other words, the Charlie's aim of sharing a quantum state ϕ AB between Alice and Bob will be securely accomplished.
At least above-mentioned two attacks (exterior and interior eavesdropping) cannot break the security of the proposed AQSS protocol. so the cooperation between Alice and Bob always restores the original state approximately.
In the proposed scenarios, the perfect protocol for quantum state sharing requires exactly d 4 unitary operators, while our protocol only needs to total 22500d 2 /ε 4 unitaries for sufficiently larger d. This fact directly means that some pre-shared key bits are reduced by factor 2, since the AQSS is needed 2 log d − 4 log ε + O(1) secret bits, but the perfect QSS is required 4 log d bits. For any state ϕ AB ∈ B(C d 2 ), and for any channel N AB (for an ε > 0 is arbitrary), let's consider a relation like that Then, it is sufficient to construct the perfect QSS (ε = 0) with d 4 Pauli operators for the channel N AB in the sense of PQC [4,8]. In the case of our approximate QSS, the product channel of two RUCs (N AB = N A ⊗ N B ) just consume of half secret bits, so we say that it is efficient in weak sense (though small information is always leaking). Without loss of generality, a direct extension of the bipartite quantum state sharing protocol (Eq. (8)) gives the security of a multiparty approximate quantum state sharing (MAQSS). Assume that a sender Charlie (C) prepares an m-qudit ϕ A1A2···Am . If they initially have shared PQCs between C-A 1 , C-A 2 and so on, then, for any ε > 0, The above Eq. (12) implies that any exterior attacks will be failed. Furthermore all interior attacks (including group conspiracy) will be frustrated to obtain the whole state without others secrets, it has similar reason to the two receivers protocol. Let's look at the cost of secret bits for the MAQSS scheme. Roughly speaking, the perfect scheme requires 2m log d secret bits, but MAQSS only m log d + o(log d)-bits sufficient.

IV. CONCLUSIONS
We studied that the approximate quantum state sharing schemes are efficient from the classical information cost of view and those are robust to the two kinds of attacks. The proposed AQSS protocol basically depends on an approximate private quantum channel, which is constructed via two independent random unitary channels. Although the protocol leaks small information corresponding to the security parameter ε, the scheme preserves its informationtheoretic security, and so the AQSS and MAQSS schemes can be interpreted as some high-efficiency state sharing protocols for any bipartite and multipartite quantum states.