Single-Shot Secure Quantum Network Coding for General Multiple Unicast Network with Free Public Communication

Abstract

Based on a secure classical network code, we propose a general method for constructing a secure quantum network code in the multiple unicast setting under restricted eavesdropper’s power. This protocol certainly transmits quantum states when there is no attack. We also show the secrecy with shared randomness as additional resource from the secrecy and the recoverability of the corresponding secure classical network code. Our protocol does not require verification process, which ensures single-shot security.

Appendices

Appendix

A  Security Proof Based on Computation Basis Security

To show the security theorem, we prepare an important result for the recovery of the maximally entangled state from evaluation of classical information. First, we consider a sufficient condition to approximately and locally generate the maximally entangled state \(|\varPhi \rangle :=\sum _{x=1}^d \frac{1}{\sqrt{d}} |x\rangle _A\otimes |x\rangle _{A'} \in {\mathcal {H}}_{A}\otimes {\mathcal {H}}_{A'}\) on the composite system \({\mathcal {H}}_A \otimes {\mathcal {H}}_{A'}\), where \(\{|x\rangle _A\}\) and \(\{|x\rangle _{A'}\}\) are the CONSs of \({\mathcal {H}}_{A}\) and \({\mathcal {H}}_{A'}\), respectively. For this purpose, we focus on the following two conditions for a pure state \(\rho \) on the composite system \({\mathcal {H}}_A \otimes {\mathcal {H}}_B\otimes {\mathcal {H}}_R\).

• \(\epsilon _1\)-classical secrecy:   Let \(\mathop {\text {id}}\nolimits _R\) be the identity operation, \(\rho _{\mathrm{mix},A} \) be the completely mixed state, \(\kappa _{A}\) be the pinching with respect to the computation basis of \({\mathcal {H}}_A\), i.e., \(\kappa _{A}(\sigma ):=\sum _{x=1}^d | x \rangle _A ~_A\langle x|\sigma | x \rangle _A ~_A \langle x|\). The relation \(F(\kappa _{A}\otimes \mathop {\text {id}}\nolimits _R(\rho _{AR}),\rho _{\mathrm{mix},A} \otimes \rho _R ) \ge 1- \epsilon _1\) holds.

• \(\epsilon _2\)-error classical recoverability:  There exists a POVM \({\varvec{M}}=\{M_x\}_{x=1}^d\) on \({\mathcal {H}}_B\) such that \(\sum _{x=1}^d \mathop {\text {Tr}}\nolimits \rho _{AB} |x \rangle _A ~_A \langle x|\otimes M_x \ge 1- \epsilon _2\).

The following proposition is known.

Proposition 1

(Renes[30]¹ ). Assume that a state \(\rho =|\varPsi \rangle \langle \varPsi |\) on the composite system \({\mathcal {H}}_A \otimes {\mathcal {H}}_B\otimes {\mathcal {H}}_R\) satisfies both of the above conditions. Then, there is a TP-CP map \(\kappa : {\mathcal {S}}({\mathcal {H}}_B) \rightarrow {\mathcal {S}}({\mathcal {H}}_{A'})\) such that

$$\begin{aligned} F(\mathop {\text {id}}\nolimits _A \otimes \kappa (\rho _{AB}),|\varPhi \rangle \langle \varPhi |) \ge 1- (\sqrt{\epsilon _2}+ \sqrt{\epsilon _1})^2. \end{aligned}$$

(18)

Proposition 1 guarantees that we can generate the maximally entangled state between systems \({\mathcal {H}}_A\) and \({\mathcal {H}}_B\) only by an operation on the system \({\mathcal {H}}_B\) if the bit information on the system \({\mathcal {H}}_A\) is a uniform random number almost independent of the environment system \({\mathcal {H}}_E\) and can be recovered in the system \({\mathcal {H}}_B\). In our situation, these two conditions can be checked by the secrecy and the recoverability.

Proof of Theorem

2:

Part 1: To show the theorem, we prove that an entangled state can be shared by sending entanglement halves from sink nodes by applying Proposition 1 to the state after Step 3-1. We prepare notations, while we employ the same notation as in the proof of Theorem 1. We introduce the quantum systems \({\mathcal {H}}_{n+1}, \ldots , {\mathcal {H}}_{n+l}\) to describe the shared-randomness edges \(\mathbf {e}(n+1), \ldots \mathbf {e}(n+l)\). Given a shared-randomness vertex \(r_k\), by using the notation \(|b\rangle _{r_k}:= |b,\ldots ,b\rangle _{ n+\sum _{j=1}^{k-1}l_{j}+1,\cdots , n+\sum _{j=1}^{k}l_{j}}\), the initial state on the composite system \({\mathcal {H}}_{n+\sum _{j=1}^{k-1}l_{j}+1} \otimes \cdots \otimes {\mathcal {H}}_{n+\sum _{j=1}^{k}l_{j}}\) connected to the shared-randomness vertex \(r_{k}\). can be regarded as the super position state \(|\varPhi \rangle _{r_k}:= \frac{1}{\sqrt{q}}\sum _{x \in \mathbb {F}_q} |b\rangle _{r_k}\). Hence, we denote the system span by \(|{\varvec{b}}\rangle _{SR}:= |b_1\rangle _{r_1}\cdots |b_{n'}\rangle _{r_{n'}}\) by \({\mathcal {H}}_{SR}\).

In this protocol, it is important to consider the path, in which the sequence of the messages is \({\varvec{a}}\in \mathbb {F}_q^{n}\), the sequence of the shared random numbers is \({\varvec{b}}\in \mathbb {F}_q^{n'}\), the sequence of Eve’s injections is \({\varvec{c}}\in \mathbb {F}_q^{h}\), the sequence of inputs of attacked edges is \( {\varvec{z}}\in \mathbb {F}_q^{h}\), and the sequence of outputs of all edges \(\tilde{E}\cup E_O\) is \({\varvec{y}}=(y_{n+l+1}, \ldots , y_{2n+l+N})\). Here, when e(j) is attacked, \(y_{j}\) expresses the information after the attack.

Depending on this path, the matrix component on Eve’s memory \({\mathcal {W}}\) is determined. For \(({\varvec{a}},{\varvec{b}},{\varvec{c}}) \in \mathbb {F}_q^{n+n'+h}\) and \({\varvec{y}}\in \mathbb {F}_q^{N+n}\), the matrix component \(V({\varvec{a}},{\varvec{b}},{\varvec{c}},{\varvec{y}})\) is given as

$$\begin{aligned} V({\varvec{a}},{\varvec{b}},{\varvec{c}},{\varvec{y}}):= \Big (\prod _{j=n+l+1}^{2n+l+N} \delta (y_j , (M' ({\varvec{a}},{\varvec{b}},{\varvec{c}})^T)_j) \Big ) \Big (\prod _{i=1}^{h} \langle c_i |V_i|(M_\zeta ({\varvec{a}},{\varvec{b}},{\varvec{c}})^T)_{i}\rangle \Big ). \end{aligned}$$

Since the information \({\varvec{c}}\in \mathbb {F}_q^{h}\) does not appear in the final state, we define the vector;

$$\begin{aligned} |\varPhi [{\varvec{a}},{\varvec{b}},{\varvec{y}}] \rangle := \sum _{{\varvec{c}}} V({\varvec{a}},{\varvec{b}},{\varvec{c}},{\varvec{y}}) |\phi _{ini}\rangle _W |{\varvec{a}}\rangle _I |{\varvec{b}}\rangle _{SR}|{\varvec{a}},{\varvec{y}}\rangle _{G}, \end{aligned}$$

(19)

Therefore, the state after Step 2 on the whole system is given as

$$\begin{aligned} q^{-(n+n')/2 } \sum _{{\varvec{a}},{\varvec{b}},{\varvec{y}}} |\varPhi [{\varvec{a}},{\varvec{b}},{\varvec{y}}] \rangle _{I,SR,G,W}. \end{aligned}$$

(20)

Now, for a sequence \({\varvec{y}}\in \mathbb {F}_q^{N+n}\), we introduce the sequence \({\varvec{y}}^c:=(y_j)_{j \in E_O\cup \tilde{E} \setminus E_P} \in \mathbb {F}_q^{N+n-h'}\), which expresses the information on the non-protected edges \(E_O\cup \tilde{E} \setminus E_P\). When we observe the measurement outcome \({\varvec{\beta }}=(\beta _j)_{j\in E \setminus E_P}\in \mathbb {F}_q^{N+n-h'}\) in Step 3-1, the resultant state is

$$\begin{aligned} |\varPsi _{{\varvec{\beta }}}\rangle := \sum _{{\varvec{a}},{\varvec{b}},{\varvec{y}}} \omega ^{-\mathop {\text {tr}}\nolimits {\varvec{\beta }}\cdot ({\varvec{a}},{\varvec{y}}^c )} q^{( N+n-h' -n-n')/2 } ~_{NP}\langle {\varvec{a}}, {\varvec{y}}^c |\varPhi [{\varvec{a}},{\varvec{b}},{\varvec{y}}] \rangle _{I,SR,G,W}, \end{aligned}$$

(21)

where \({\mathcal {H}}_{NP}:= (\otimes _{j=1}^{n}{\mathcal {H}}_j) \otimes (\otimes _{j \in E_O\cup \tilde{E} \setminus E_P} {\mathcal {H}}_j)\).

Now we set \({\mathcal {H}}_A:={\mathcal {H}}_{I}\), \({\mathcal {H}}_B:={\mathcal {H}}_{P}\otimes {\mathcal {H}}_{SR}\otimes \mathcal {V}'\), and \({\mathcal {H}}_R:=\mathcal {W}\otimes \mathcal {V}\), where \({\mathcal {H}}_P:=\otimes _{j:\mathbf {e}\left( \iota \left( j\right) \right) \in E_{P} }{\mathcal {H}}_{\iota \left( j\right) }\). and \(\mathcal {V}'\) expresses the Hilbert space of the measurement outcome possessed by the system \({\mathcal {H}}_B\). Then, the final state is pure on the composite system \({\mathcal {H}}_A \otimes {\mathcal {H}}_B\otimes {\mathcal {H}}_R\). Then, due to Proposition 1, it is enough to show the 0-bit secrecy and the 0-bit recoverability separately for the state \(|\varPsi _{{\varvec{\beta }}}\rangle \) with any measurement outcome \({\varvec{\beta }}\).

Part 2: Next, we discuss the 0-classical secrecy. Since \({\mathcal {H}}_B\) does not belong to Eve’s system, it is sufficient to prove the secrecy when we apply the Fourier basis measurement for shared-randomness edges and protected edges and send the measurement outcome \({\varvec{\alpha }}\) to Eve. That is, it is sufficient to show that the unnormalized state \(\sum _{ {\varvec{b}}, {\varvec{y}}_\iota } ~_{SR}\langle {\varvec{b}}| ~_{P}\langle {\varvec{y}}_\iota | \omega ^{-\mathop {\text {tr}}\nolimits {\varvec{\alpha }}\cdot ({\varvec{b}},{\varvec{y}}_\iota )} q^{n/2 }~_I\langle {\varvec{a}}|\varPsi _{{\varvec{\beta }}}\rangle \) does not depend on \({\varvec{a}}\) for each \(({\varvec{\alpha }},{\varvec{\beta }}) \in \mathbb {F}_q^{N+2n+n'}\). Based on Lemma 2, we choose \({\varvec{b}}({\varvec{a}})\in \mathbb {F}_q^{n'}\) for \({\varvec{a}}\in \mathbb {F}_q^{n}\). Since the vector \({\varvec{y}}({\varvec{a}}):=M'(-{\varvec{a}},{\varvec{b}}({\varvec{a}}),0)^T\) satisfies \(M'({\varvec{a}},{\varvec{b}},{\varvec{c}})^T+ {\varvec{y}}({\varvec{a}})= M'(0,{\varvec{b}}+{\varvec{b}}({\varvec{a}}),{\varvec{c}})^T\) and \(M_\varsigma ({\varvec{a}},{\varvec{b}},{\varvec{c}})=M_\varsigma (0,{\varvec{b}}+{\varvec{b}}({\varvec{a}}),{\varvec{c}})\), we have \( V({\varvec{a}},{\varvec{b}},{\varvec{c}},{\varvec{y}}) = V(0,{\varvec{b}}+{\varvec{b}}({\varvec{a}}),{\varvec{c}},{\varvec{y}}+ {\varvec{y}}({\varvec{a}})). \) Hence, we have

$$\begin{aligned}&q^{-( N-h' -n')/2 } \sum _{ {\varvec{b}}, {\varvec{y}}_\iota } ~_{SR}\langle {\varvec{b}}| ~_{P}\langle {\varvec{y}}_\iota | \omega ^{-\mathop {\text {tr}}\nolimits {\varvec{\alpha }}\cdot ({\varvec{b}},{\varvec{y}}_\iota )} q^{n/2 }~_I\langle {\varvec{a}}|\varPsi _{{\varvec{\beta }}}\rangle \\ =&\sum _{{\varvec{b}},{\varvec{y}}} \omega ^{-\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot ({\varvec{a}},{\varvec{b}},{\varvec{y}})} ~_{SR}\langle {\varvec{b}}|~_I\langle {\varvec{a}}|~_{G}\langle {\varvec{a}}, {\varvec{y}}|\varPhi [{\varvec{a}},{\varvec{b}},{\varvec{y}}] \rangle _{I,SR,G,W} \\ =&\sum _{{\varvec{b}},{\varvec{y}}} \omega ^{-\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot ({\varvec{a}},{\varvec{b}},{\varvec{y}})} \sum _{{\varvec{c}}} V({\varvec{a}},{\varvec{b}},{\varvec{c}},{\varvec{y}}) |\phi _{ini}\rangle _W \\ =&\omega ^{\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot ({\varvec{a}},{\varvec{b}}({\varvec{a}}),{\varvec{y}}({\varvec{a}}) )} \sum _{{\varvec{b}},{\varvec{y}}} \omega ^{-\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot (0,{\varvec{b}}+{\varvec{b}}({\varvec{a}}),{\varvec{y}}+{\varvec{y}}({\varvec{a}}))} \\&\sum _{{\varvec{c}}} V(0,{\varvec{b}}+{\varvec{b}}({\varvec{a}}),{\varvec{c}},{\varvec{y}}+ {\varvec{y}}({\varvec{a}})) |\phi _{ini}\rangle _W \\ =&\omega ^{\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot ({\varvec{a}},{\varvec{b}}({\varvec{a}}),{\varvec{y}}({\varvec{a}}) )} \sum _{{\varvec{b}}',{\varvec{y}}'} \omega ^{-\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot (0,{\varvec{b}}',{\varvec{y}}' )} \sum _{{\varvec{c}}} V(0,{\varvec{b}}',{\varvec{c}},{\varvec{y}}') |\phi _{ini}\rangle _W , \end{aligned}$$

where \({\varvec{b}}':= {\varvec{b}}+{\varvec{b}}({\varvec{a}})\) and \({\varvec{y}}':={\varvec{y}}+ {\varvec{y}}({\varvec{a}})\). Since \(\omega ^{\mathop {\text {tr}}\nolimits ({\varvec{\alpha }}, {\varvec{\beta }}) \cdot ({\varvec{a}},{\varvec{b}}({\varvec{a}}),{\varvec{y}}({\varvec{a}}) )} \) is the global phase factor, Eve’s information on \({\mathcal {W}}\otimes \mathcal {V}\) is independent of \({\varvec{a}}\). Thus, we obtain the 0-classical security.

Part 3: To show the 0-error classical recoverability, we give a POVM \(\{M_{{\varvec{a}}'}\}_{{\varvec{a}}' \in \mathbb {F}_q^n}\) on \({\mathcal {H}}_P\) to recover Alice’s message \({\varvec{a}}\), which does not use the outcome \({\varvec{\beta }}\) of the Fourier basis measurement on \(E\setminus E_P\). The condition is given as

$$\begin{aligned} \mathop {\text {Tr}}\nolimits (M_{{\varvec{a}}'} \otimes |{\varvec{a}}\rangle _I ~_I \langle {\varvec{a}}| \otimes I_{R} ) |\varPsi _{{\varvec{\beta }}}\rangle \langle \varPsi _{{\varvec{\beta }}}| = \frac{\delta ({\varvec{a}},{\varvec{a}}')}{q^{n}} . \end{aligned}$$

(22)

Now, using the function \(f_{{\varvec{b}}}\) given in Definition 2, we define the POVM \( M_{{\varvec{a}}'}:= \sum _{ {\varvec{b}}\in \mathbb {F}_q^{n'},{\varvec{y}}_\iota \in \mathbb {F}_q^{h'}: f_{{\varvec{b}}}({\varvec{y}}_\iota )={\varvec{a}}'} |{\varvec{b}}\rangle _{SR}~_{SR}\langle {\varvec{b}}| \otimes | {\varvec{y}}_\iota \rangle _P ~_P \langle {\varvec{y}}_\iota |\). When we make the measurement \(\{|{\varvec{b}}\rangle _{SR}~_{SR}\langle {\varvec{b}}| \otimes | {\varvec{y}}_\iota \rangle _P ~_P \langle {\varvec{y}}_\iota | \otimes |{\varvec{a}}\rangle _I ~_I \langle {\varvec{a}}| \otimes I_{R} \}_{{\varvec{b}}, {\varvec{y}}_\iota , {\varvec{a}}}\), for observed outcomes \( {\varvec{y}}_\iota , {\varvec{a}},{\varvec{b}}\), there exists a sequence \({\varvec{c}}\) such that \({\varvec{y}}_\iota = M_{\iota }'({\varvec{a}},{\varvec{b}},{\varvec{c}}) \). Since the relation (16) guarantees the relation \( f_{{\varvec{b}}}({\varvec{y}}_\iota )={\varvec{a}}\), we obtain the desired condition (22). \(\blacksquare \)

In summary, the above proof shows Theorem 2 via the 0-classical secrecy and the 0-error classical recoverability.

Remark 1

Here, we remark on the relation between our security proof and our protocol. Using Proposition 1, the security proof gives a protocol to transmit a quantum state to \({\mathcal {H}}_B\). Hence, one might consider that this protocol can be used for our purpose. However, this protocol cannot be used for three reasons. (i) Whereas our real setting is multiple-unicast, the protocol in the security proof assumes one receiver. (ii) The protocol in the security proof requires a measuring operation on the shared-randomness as a coherent superposition state across the sharing edges. In the real situation, each receiver possesses only a part of edges. (iii) To realize the protocol given in the security proof, we need to identify the edges attacked by Eve. However, the legitimate users know only the range of Eve’s possible attack. Hence, they cannot perform the decoding protocol. Due to three problems, we cannot apply the protocol given in the security proof in our multiple unicast setting.

Remark 2

One might consider that it is sufficient to apply Proposition 1 to the case when \({\mathcal {H}}_A:={\mathcal {H}}_{I}\), \({\mathcal {H}}_B:={\mathcal {H}}_{P}\otimes {\mathcal {H}}_{SR}\), and \({\mathcal {H}}_R:=\mathcal {W}\) for the respective measurement outcome \({\varvec{\beta }}\). However, this application only shows that the whole density on \(\mathcal {H}_{I}\otimes \mathcal {W}\otimes \mathcal {V}\) is written as

$$\begin{aligned} \sum _{{\varvec{\beta }}}p_{{\varvec{\beta }}} \rho _{I,{\varvec{\beta }}}\otimes \rho _{E,{\varvec{\beta }}} \otimes |{\varvec{\beta }}\rangle \langle {\varvec{\beta }}|. \end{aligned}$$

(23)

Hence, we need to apply Proposition 1 to the case when \({\mathcal {H}}_A:={\mathcal {H}}_{I}\), \({\mathcal {H}}_B:={\mathcal {H}}_{P}\otimes {\mathcal {H}}_{SR}\otimes \mathcal {V}'\), and \({\mathcal {H}}_R:=\mathcal {W}\otimes \mathcal {V}\).

Indeed, one might consider that the combination of form (23) and Part 3 of our proof shows the desired statement because Part 3 of our proof shows the independence of Eve’s state from \(\mathcal {H}_{I}\) when \(\mathcal {H}_{I}\) is measured in a computational basis. This fact only shows that the state \(\langle {\varvec{a}}| \rho _{I,{\varvec{\beta }}}|{\varvec{a}}\rangle \rho _{E,{\varvec{\beta }}} \) is independent of \({\varvec{a}}\). That is, the form (23) and Part 3 of our proof do not deny the possibility of the correlation between the resultant state on Eve’s system and \(\mathcal {H}_{I}\) when the state on \(\mathcal {H}_{I}\) is measured in another basis.

B  Constructions of Matrices Describing Network

In this appendix, we concretely construct the matrices describing the network structure.

1.1 B.1  Construction of \(M_0\)

The definition of input edges and shared-randomness edges determine the coefficients \(\left\{ m_0\left( i,k\right) \right\} _{i,k}\) for \(1\le i\le n+l\) as follows: For \(1\le i\le n\), \(\mathbf {e}\left( i\right) \) is an input edge, that is, \(\mathbf {e}\left( i\right) \in E_{I}\). Thus, the definition of input edges determines \(\left\{ m_0\left( i,k\right) \right\} _{k=1}^{n+n'}\) as

$$\begin{aligned} \left\{ m_0\left( i,k\right) \right\} _{k=1}^{n+n'}=(\overbrace{0,\cdots ,0}^{i-1},1,\overbrace{0,\cdots ,0}^{n'+n-i})\quad \text{ for } 1\le i\le n. \end{aligned}$$

(24)

For \(n+1\le i\le n+l\), \(\mathbf {e}\left( i\right) \) is a shared-randomness edge, that is, \(\mathbf {e}\left( i\right) \in E_{R}\). Hence, there uniquely exists an integer \(i' \in [1,m]\) such that \(n+\sum _{j=1}^{i'-1}l_{j}+1\le i\le n+\sum _{j=1}^{i'}l_{j}\). Thus, the definition of shared-randomness edges determines \(\left\{ m_0\left( i,k\right) \right\} _{k=1}^{n+n'}\) as

$$\begin{aligned} \left\{ m_0\left( i,k\right) \right\} _{k=1}^{n+n'}&=(\overbrace{0,\cdots ,0}^{n+i'-1},1,\overbrace{0,\cdots ,0}^{m-i'}). \end{aligned}$$

(25)

Using Eqs. (4) and (5), we derive the recurrence relation of \(m_0\left( i,k\right) \) as

$$\begin{aligned} m_0\left( i,k\right) =\sum _{j=1}^{i-1}\theta _{ij}m_0\left( j,k\right) . \end{aligned}$$

(26)

Thus, the coefficients \(\left\{ \theta _{ij}\right\} _{i\in \left\{ 1,\dots ,\left| E\right| \right\} ,j<i}\) completely determine all the coefficients \(\left\{ m_0\left( i,k\right) \right\} _{i,k}\) through Eqs. (24), (25), and (26).

1.2 B.2  Construction of M

Since

$$ Y_i =\sum _{j\in \mathop {\mathbf {I}}\nolimits \left( i\right) }\theta _{ij} Y_j', $$

Eqs. (10) and (7) lead

$$\begin{aligned} m\left( i,k\right) =\sum _{j\in \mathop {\mathbf {I}}\nolimits \left( i\right) }\theta _{ij}m'(j,k). \end{aligned}$$

(27)

Thus, from Eqs. (27) and (9), we derive the following recurrence relations for \(m\left( i,k\right) \):

$$\begin{aligned} m\left( i,k\right) =\sum _{j\in \mathop {\mathbf {I}}\nolimits \left( i\right) \setminus E_{A}} \theta _{ij}m\left( j,k\right) +\sum _{i'=1}^{h}\theta _{i\varsigma \left( i'\right) }\delta _{k,n+n'+i'}, \end{aligned}$$

(28)

where we define \(\theta _{i\varsigma \left( i'\right) }=0\) for \(i'\) such that \(\varsigma \left( i'\right) \not \in \mathop {\mathbf {I}}\nolimits \left( i\right) \).