Lecture Notes

edX Quantum Cryptography: Week 3

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Licence.
 Contents

3.1 When are two quantum states almost the same? 3

3.1.1 Trace distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1.2 Fidelity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2 Measuring uncertainty: the min-entropy 6
3.2.1 The min-entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2.2 The conditional min-entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.3 What it means to be ignorant 9
3.4 Uncertainty principles: a bipartite guessing game 11
3.4.1 Analysis: winning probability of the guessing game . . . . . . . . . . . . . . . . . . . . . 13
3.5 Extended uncertainty relation principles: A tripartite guessing game 14
3.5.1 Analysis: winning probability of the tripartite guessing game . . . . . . . . . . . . . . 16
 3.1 When are two quantum states almost the same? 3

We have seen in Week 1 an example of communication between Alice and Bob, where the
transmitted message is hidden from any eavesdropper Eve. There, we have seen the importance
of using a large key K shared between Alice and Bob, but looks completely random from Eve’s
perspective. In the next few lectures, we will concern ourselves with how to establish such a key.
In this week, we will first learn about ways to quantify quantum information, which will be
crucial in formulating what does it mean to be secure in cryptographic protocols.

3.1 When are two quantum states almost the same?

It will be important for us to have some notion of what it means to approximately produce a
particular quantum state.

3.1.1 Trace distance

One measure of closeness that is of extreme importance in quantum cryptography, and also in the
design of quantum circuits is the trace distance. Let us suppose, we would like to implement a
protocol or algorithm that produces state ρideal . Unfortunately, due to imperfections, our protocol
produces the state ρreal . If we now use this protocol or algorithm as a subroutine in a much larger
protocol or computation, how is this larger protocol affected if we can only make ρreal instead of
ρideal ?
Intuitively, it is clear that if ρreal and ρideal are nearly impossible to distinguish, then it should
not matter much in the large protocol which one we use. We would thus like a distance measure
that is directly related to how well we can distinguish the two states. To this end, let us suppose
that we really don’t know whether we have the real or ideal state. Imagine that we are given ρreal
and ρideal each with probability 1/2, and we are challenged to distinguish them. To this end, we
can perform a measurement using some operators Mreal and Mideal = I − Mreal . The probability of
distinguishing the two states is then
1 1 1 1
psucc = tr [Mreal ρreal ] + tr [Mideal ρideal ] = + tr [Mreal (ρreal − ρideal )] . (3.1)
2 2 2 2
To find the best measurement, we can optimize the term Mreal above over all measurement operators.
We know (see Week 1 lecture notes, section on POVMs) that 0 ≤ Mreal ≤ I, i.e. Mreal ’s eigenvalues
all lie between 0 and 1. Thus the maximum success probability is given by
1 1
pmax
succ = + max tr [M (ρreal − ρideal )] . (3.2)
2 2 0≤M≤I
What is, then, the operator M that would maximize the trace quantity tr [M (ρreal − ρideal )]? This
question has been analyzed in [Hel76], and the optimal M is the projector onto the positive
eigenspace of ρreal − ρideal . More concretely, consider the diagonalized form of the linear operator
ρreal − ρideal , and denote this diagonal matrix as D = ∑i di |di ihdi |. Furthermore, denote the set
S+ = { j|d j > 0}. The optimal M is then given by

Mopt = ∑ |d j ihd j |. (3.3)

j∈S+

It turns out the the trace distance precisely captures this idea of distinguishing states.
Definition 3.1.1 — Trace distance. The trace distance between two quantum states ρreal and
ρideal is given by

D(ρreal , ρideal ) = max tr [M (ρreal − ρideal )] . (3.4)

0≤M≤I
4

The trace distance can also be written as

1 h√ i
D(ρreal , ρideal ) = tr A† A , (3.5)
2
where A = ρreal − ρideal .
In the literature, you will also see the trace distance written using the following notation
1 1
D(ρreal , ρideal ) = kρreal − ρideal ktr = kρreal − ρideal k1 . (3.6)
2 2
If two states are close in trace distance, then there exists no measurement - no process in the
universe - that can tell them apart very well. It also means that if we use a subroutine that makes
ρreal instead of ρideal and the two are close in trace distance, then we can safely conclude that also
the surrounding larger protocol cannot see much difference. Otherwise, we could use the large
protocol to tell the two states apart, but we know this cannot be.
Definition 3.1.2 — Closeness in terms of trace distance. Two quantum states ρ and σ are
ε-close, if D(ρ, σ ) ≤ ε. We also write this as ρ ≈ε σ .

Proposition 3.1.1 The trace distance is a metric, that is, a proper distance measure that corresponds
to our intuitive notions of distance. We have the following properties for all states ρ, σ , τ:
1. Non-negative: D(ρ, σ ) ≥ 0, where equality is achieved if and only if ρ = σ .
2. Symmetric: D(ρ, σ ) = D(σ , ρ).
3. Triangle inequality: D(ρ, σ ) ≤ D(ρ, τ) + D(τ, σ ).
4. Convexity: D(∑i pi ρi , σ ) ≤ ∑i pi D(ρi , σ ).
 Example 3.1.1 Consider ρ1 = |0ih0| and ρ2 = |+ih+|. Firstly, calculate
     
1 0 1 1 1 1 1 −1
ρ1 − ρ2 = − = . (3.7)
0 0 2 1 1 2 −1 −1
Therefore, the trace distance is equal to
s 2 s 
1 1 1 −1 1 1 2 0 1
D(ρ1 , ρ2 ) = · tr = · tr =√ . (3.8)
2 2 −1 −1 2 2 0 2 2
Another way to do so is to first consider the diagonalization of ρ1 − ρ2 , which can be done by first
calculating its eigenvalues, solving the following equation:
1
− 21

2 −λ
det = 0. (3.9)
− 12 − 12 − λ
The solutions are given by λ = ± √12 . One can also find the eigenvector |e+ i = (x y)T correspond-
ing to λ = √12 ,
    
1 1 −1 x 1 x x −1
=√ =⇒ =√ . (3.10)
2 −1 −1 y 2 y y 2−1
On the other hand, normalization condition gives x2 + y2 = 1, and the solution is found to be
π π
x = cos , y = sin . (3.11)
8 8
The optimal measurement operator that distinguishes ρ1 , ρ2 is then given by Mopt = |e+ ihe+ |, while

  1
tr Mopt (ρ1 − ρ2 ) = √ . (3.12)
2

 3.1 When are two quantum states almost the same? 5

Since states which are ε−close to each other cannot be distinguished well, it will later be
helpful to have the notion of a set of states which are all ε−close to a particular state ρ. This is
often called the ε−ball of ρ.
Definition 3.1.3 — ε−ball of ρ. Given any density matrix ρ, the ε−ball of ρ is defined as the
set of all states ρ 0 which are ε−close to ρ in terms of trace distance, i.e.

B ε (ρ) := {ρ 0 | ρ 0 ≥ 0, tr(ρ 0 ) = 1, D(ρ, ρ 0 ) ≤ ε}. (3.13)

3.1.2 Fidelity
Although we have not seen this in the lectures, there is another common measure for closeness
of states is known as the fidelity, which for pure states is directly related to their inner prod-
uct.
Definition 3.1.4 — Fidelity. Given density matrices ρ1 and ρ2 , the fidelity between ρ1 and ρ2 is
q 
√ √
F(ρ1 , ρ2 ) = tr ρ1 ρ2 ρ1 . (3.14)

For pure states ρ1 = |Ψ1 ihΨ1 | and ρ2 = |Ψ2 ihΨ2 | the fidelity takes on a simplified form:

F(ρ1 , ρ2 ) = |hΨ1 |Ψ2 i| . (3.15)

If only one of the states ρ1 = |Ψ1 ihΨ1 | is pure, we have

p
F(ρ1 , ρ2 ) = hΨ1 |ρ2 |Ψ1 i . (3.16)

Although the fidelity is not a metric (since F(ρ1 , ρ2 ) = 0 does not imply that ρ1 = ρ2 ), it does have
an intuitive interpretation, if we were to verify whether we managed to produce a desired target
state |Ψi. Suppose that we want to build a machine that produces |ΨihΨ|, yet we are only able to
produce some state ρ. Let us suppose we now measure ρ to check for success. We can do this
(theoretically) by measuring

Msucc = |ΨihΨ| , (3.17)

Mfail = I − |ΨihΨ| . (3.18)

The success probability is directly related to the fidelity between the true output ρ and the target
state |Ψi as

tr [Msucc ρ] = hΨ|ρ|Ψi = F(|Ψi, ρ)2 . (3.19)

It is interesting to note that another way to write the fidelity is as

max |hρAP |σAP i| , (3.20)

|ρAP i,|σAP i

where |ρAP i and |σAP i are purifications of the states ρA and σA using a purifying system P.
Proposition 3.1.2 For any two quantum states ρ, σ , the fidelity satisfies the following properties
1. Between 0 and 1: 0 ≤ F(ρ, σ ) ≤ 1.
2. Symmetric: F(ρ, σ ) = F(σ , ρ).
3. Multiplicative under tensor product: F(ρ1 ⊗ ρ2 , σ1 ⊗ σ2 ) = F(ρ1 , σ1 ) · F(ρ2 , σ2 ).
4. Invariant under unitary operations: F(ρ, σ ) = F(UρUp † ,UσU † ).

Relation to trace distance: 1 − F(ρ, 2

5. pσ ) ≤ D(ρ, σ ) ≤ 1 − F (ρ, σ ). Conversely, we also
2
have that 1 − D(ρ, σ ) ≤ F(ρ, σ ) ≤ 1 − D (ρ, σ ). This is known as the Fuchs-van de Graaf
inequality [FV99].
 6

3.2 Measuring uncertainty: the min-entropy

In many quantum protocols, we will be measuring quantum states and not get a key immediately.
Instead, we will create a cq-state

ρXE = ∑ px |xihx|X ⊗ ρxE , (3.21)

x∈{0,1}n

where we have used the shorthand px = Prob(X = x), and px is not uniform. Of course, we could
ideal , but it will typically be extremely large.
consider the distance of this state to an ideal state ρXE
Nevertheless, we could ask how useful the state ρXE for obtaining a key, for example, by performing
some computation on the string X. This motivates us to try and find a measure of uncertainty about
the classical string X.

3.2.1 The min-entropy

Let us first consider just the state

ρX = ∑ px |xihx|X . (3.22)
x

Note that this means that we are effectively considering the probability distribution px over strings
x. How could we measure the uncertainty inherent in ρX ? When talking about communication, one
very important measure is the von Neumann or Shannon entropy H(X) = − ∑x px log px . Is this
quantity also a useful measure in the context of cryptography?
To think about this question, let us consider the following scenario: Suppose we have purchased
a box (possibly from Eve!) which generates a string x = x1 , . . . , xn . If the string was uniformly
random, then px = 1/2n and H(X) = n. If x is uncorrelated from Eve, then we could hope to use the
string x as an encryption key for use in the one-time pad. Suppose now that while we are promised
that x is uncorrelated from Eve, the distribution px is not uniform. However, we are guaranteed that
the entropy is still H(X) ≈ n/2, and n is very large. We know nothing else about the box. Would
you still be willing to use x as an encryption key?
On first sight, the situation may not be so bad. After all, while the string does not have maximum
entropy H(X) = n, it still has half as much entropy, which for very large n is after all still extremely
large. Intuitively, this should mean that there is a lot of uncertainty for Eve, or does it?
Let us consider the following distribution:
1

2 for x = 11 . . . 1
px = 1 1 (3.23)
2 · 2n −1 otherwise .

Exercise 3.2.1 Show that the entropy for this distribution is H(X) ≈ n/2. 

But is there a lot of uncertainty for Eve? Note that the probability that the box generates the
string x = 11 . . . 1 is 1/2, independent of the length of the string! This means that whenever we
use x as an ecryption key, Eve will be able to guess the key, and thus decrypt the message with
probability 1/2. Eve’s probability of guessing is extremely large, even when we send a very large
message.
We thus see that the von Neumann/Shannon entropy is not a good measure for cryptography.
However, there exists an alternate entropy which is indeed useful for such purposes.
Definition 3.2.1 — Min-entropy. Given any probability distribution {px }x , the min-entropy
Hmin is defined as Hmin (X) = Hmin (ρX ) = − log maxx px .
 3.2 Measuring uncertainty: the min-entropy 7

In our example above, we see that Hmin (X) = − log 1/2 = 1. That is, the min-entropy is constant!
Note that the min-entropy precisely captures our intuitve idea of what it means for Eve to be
uncertain about x: Eve could guess the string with probability 1/2. In general, we would all guess
the most likely string, and the probability that we are correct is precisely Pguess (X) = maxx px . The
min-entropy thus has as very neat operational interpretation as
Hmin (X) = − log Pguess (X) . (3.24)

R We may wonder why this was not also the right measure of uncertainty in the communication
tasks we considered. Note that there we have always look at the case where we have states
of the form ρ ⊗n where n is reasonably large. Following Shannon’s line of thought and
thinking of i(x) := − log px as the surprisal, that is, the information gained when we observe
x, the Shannon entropy measured the average surprisal H(X) = ∑x px i(x). When doing
cryptography, however, we are always interested in the worst case, not the average case.
The min-entropy Hmin (X) = minx i(x) is precisely this smallest surprisal. Fig.3.1 shows the
difference between these quantities, for a binary random variable.

1.0
H(X)
0.8

0.6

0.4

0.2 Hmin(X)

0.0
0.0 0.2 0.4 0.6 0.8 1.0
p

Figure 3.1: For a binary random variable X = {0, 1}, the comparison between Shannon entropy
H(X) and its min-entropy Hmin (X).

Exercise 3.2.2 Show that the min-entropy satisfies the following bounds:

0 ≤ Hmin (X) ≤ H(X) ≤ log |X|. (3.25)

3.2.2 The conditional min-entropy

Can we also quantify the uncertainty about X given some extra quantum register E? It turns out
that just like for the von Neumann entropy, the min-entropy has a conditional variant Hmin (X|E)
developed in [Ren08]. The easiest way to think about the conditional min-entropy is in terms of the
probability that Eve manages to guess X given access to her quantum register E. Note that we see
from the cq-state in Eq. (3.21) that Eve has state ρxE with probability px and her goal is to guess x
by making a measurement on E. This is precisely the problem of distinguishing quantum states
that we considered earlier.
Definition 3.2.2 — Conditional min-entropy. Consider a bipartite cq-state ρXE where X is
classical. The conditional min-entropy Hmin (X|E) can be written as

Hmin (X|E)ρXE := − log Pguess (X|E) , (3.26)

8

where Pguess (X|E) is the probability that Eve guesses x, maximized over all possible measure-
ments

Pguess (X|E) := max ∑ px tr Mx ρxE ,

 
(3.27)
{Mx }x x

where the maximization is taken over all POVMS {Mx ≥ 0 | ∑x Mx = I}. In this context, E is
also called side information about X. When it is clear from context, we omit the subscript ρXE ,
i.e. we write Hmin (X|E)ρXE = Hmin (X|E).
How could we ever hope to compute this quantity? When x ∈ {0, 1} takes on only two values,
then it is easy to find the optimal measurement, and the guessing probability Pguess is directly related
to the distinguishability of reduced states ρ0E and ρ1E , i.e. the trace distance D(ρ0E , ρ1E ). We shall
see this in the following example.
 Example 3.2.1 Consider the state ρXE = 21 |0ih0|X ⊗ |0ih0|E + 12 |1ih1|X ⊗ |+ih+|E . Then the
conditional min-entropy Hmin (X|E) = − log Pguess (X|E) where
 
1 1
Pguess (X|E) = max tr (M0 |0ih0|E ) + tr (M1 |+ih+|E ) (3.28)
M1 , M2 ≥ 0 2 2
M1 + M2 = I
 
1 1 1
= max tr (M|0ih0|E ) + tr (|+ih+|E ) − tr (M|+ih+|E ) (3.29)
0≤M≤I 2 2 2
1 1
= + max tr[M(|0ih0|E − |+ih+|E )] (3.30)
2 2 0≤M≤I
1 1
= + D(|0ih0|E , |+ih+|E ). (3.31)
2 2


However, if x can take more than two possible values, then it is in general difficult to compute
Pguess (X|E) by hand. Nevertheless, finding the optimal success probability is a so-called semi-
definite program (SDP) and can be evaluate efficiently (in the dimension of the states ρxE ) using for
example Matlab or Julia.
For any cq-state ρXE we have

0 ≤ Hmin (X|E) ≤ log |X| . (3.32)

Note that the assumption that X is classical here is important: in particular, Hmin (X|E) can be
negative if X is a genuine quantum register. Furthermore, we have

Hmin (X|E) ≥ Hmin (X) − log |E| . (3.33)

A general quantum conditional min-entropy

In the fully general case, the system X as we have seen above is not necessarily classical, but can
also be quantum (to make explicitly this difference, we use A to label such a quantum system).
How should the conditional min-entropy Hmin (A|E) look like? To gain some intuition on how
such a quantity should be defined, think of the guessing probability as a way of quantifying how
close one may get classically maximally correlated with the classical system X, i.e. by guessing
it correctly. Therefore, a quantum extension of this concept would be to, when only allowing to
perform operations upon E, get as close as possible to the maximally entangled state between A
and E.
 3.3 What it means to be ignorant 9
Definition 3.2.3 — Quantum conditional min-entropy, [KRS09]. Given any bipartite density
matrix ρAE , with A having dimension |A|, the conditional min-entropy is

Hmin (A|E) := − log [|A| · Dec(A|E)], (3.34)

2
Dec(A|E) := max F((IA ⊗ ΛE→A0 )ρAE , |ΦihΦ|AA0 ) , (3.35)
ΛE→A0

|A|
where |ΦiAA0 := √1 ∑i=1 |ai iA ⊗ |ai iA0 is the maximally entangled state between A and A0 , and
|A|
the maximization is performed over all quantum channels Λ mapping system E to A0 . The
function F is the fidelity that we have seen in Def. 3.1.4.
An alternative way to express the conditional min-entropy is

Hmin (A|E) := max sup {λ ∈ R|ρAB ≤ 2−λ IA ⊗ σB }. (3.36)

σB

Smoothed min-entropy
As one has seen earlier in the discussion on trace distance, due to imperfections in a protocol or
algorithm we often do not excactly produce the state ρXE that we want, rather, we can only manage
0 , and we do not know the form of ρ 0 (other than the fact that
to produce a state which is close, ρXE XE
it is ε−close to ρXE ). For this reason, it is usually more physically relevant to look at the smoothed
min-entropy, which gives us the maximum value of Hmin (X|E) over all states ρAE 0 ∈ B ε (ρ ).
AE

Definition 3.2.4 — Smoothed conditional min-entropy. Consider a bipartite cq-state ρXE

where X is classical. The smoothed conditional min-entropy Hεmin (X|E) can be written as

Hεmin (X|E)ρ := max Hmin (X|E)ρ 0 . (3.37)

ρ 0 ∈B ε (ρ)

3.3 What it means to be ignorant

Before establishing keys, let us be precise about what we actually want to achieve. We have already
sketched before that we desire the keys to be picked from a uniformly random distribution, and Eve
to be uncorrelated. Classically, we could say that this should mean that the probability of selecting
any n-bit key k is Prob(K = k) = p(k) = 1/2n , and the key k is independent of some classical
information, denoted by e, that the eavesdropper may have gathered. That is, p(k) = p(k|e).
Clearly, it makes no sense to talk about some probability distribution over classical keys k
conditioned on classical strings e in the quantum case. After all, Eve may have gathered quantum
information about the key! That is, the state between the register holding the key, let us call it K,
and the register of Eve, let us call it E, is a cq-state
ρKE = ∑ pk |kihk| ⊗ ρkE . (3.38)
k

This implies that depending on the key k, Eve has a quantum state ρkE that she may measure to gain
some information about the key. Ideally, the fact that Eve knows nothing can be expressed in the
following definition, which we refer to as ignorance about the key.
To motivate the definition of ignorance, let us first consider a few examples, where for simplicity
we consider just a single bit of key. Our examples can however be easily extended to arbitrary many
keys, and you’re encouraged to check.
 Example 3.3.1 First, let us consider the state
1
ρKE = ∑ |kihk|K ⊗ |kihk|E .
2 k∈{0,1}
(3.39)
10

Clearly, we have ρK = trE (ρKE ) = IK /2. That is the key is uniform. But clearly Eve knows
everything about the key: whenever K is in the state |kihk|, then so is E! You may see the
information that Eve has as simply a classical piece of paper that has an exact copy of k. States of
the form above are also called classically maximally correlated states. Both systems are diagonal in
the standard basis, and the both systems are prepared precisely in the same state |kihk| with some
probability. 

 Example 3.3.2 Let us now consider the state ρKE = |0ih0|K ⊗ ρE . It sure appears Eve is
uncorrelated. However, ρK is certainly not uniform. In fact, the only possible key is k = 0, so it is
indeed easy to guess the key for anyone. 

 Example 3.3.3 Consider the maximally entangled state

ρKE = |ΨihΨ|KE
√
between K and E, that is, |ΨiKE = (|0iK |0iE + |1iK |1iE ) / 2. As you have calculated before, we
have ρK = trE (ρKE ) = I/2. That is, the key X is uniform. But is it uncorrelated? Clearly not, no
matter what basis we measure K in, there always exists a corresponding measurement on E that
yields the same outcome. This is because for all unitaries U, we have

UK ⊗UE∗ |ΨiKE = (UK ⊗ IE )(IK ⊗UE∗ )|ΨiKE (3.40)

= (UK ⊗ IE )((UK∗ )T ⊗ IE )|ΨiKE (3.41)
= (UK ⊗ IE )(UK† ⊗ IE )|ΨiKE (3.42)
= (UK UK† ⊗ IE )|ΨiKE (3.43)
= |ΨiKE , (3.44)

where in the second equality, we have made used of a special property that holds for |ΨiKE : for any
U, (IK ⊗UE )|ΨiKE = (UKT ⊗ IE )|ΨiKE . Therefore, the corresponding measurement on E is simply
to measure in the basis defined by UE∗ (i.e. the basis in which UE∗ is diagonalized). 

Therefore, we conclude that an eavesdropper Eve is ignorant of a key if and only if the following
conditions hold.
Definition 3.3.1 — Ignorant. Consider the joint cq-state ρKE of an n-bit key K and the eaves-
dropper Eve, E. Eve is ignorant about the key K if and only if
1
ρKE = IK ⊗ ρE . (3.45)
2n
That is, the key is uniform and uncorrelated from Eve.

In any actual implementation, we can never hope to attain the perfection as given by the state
in Eq. (3.45). However, we can hope to get close to such an ideal state, motivating the following
definition.
real of an n-bit key K and the
Definition 3.3.2 — Almost ignorant. Consider the joint cq-state ρKE
eavesdropper Eve, E. Eve is almost ignorant about the key K if and only if
real ideal


D ρKE , ρKE ≤ ε , (3.46)
ideal = 1
where ρKE 2n IK ⊗ ρE .

Why would this be a good definition? Recall that the trace distance measures exactly how well
we can distinguish two scenarios. We saw that if two states are ε-close in trace distance, then no
measurement can tell them apart with an advantage more than ε/2, i.e. if we were given one of the
 3.4 Uncertainty principles: a bipartite guessing game 11

two states with equal probability, any measurement allowed by quantum mechanics would only tell
them apart with probability 1/2 + ε/2. This is an advantage of at most ε/2 over a random guess,
which would be correct with probability 1/2.
This has important consequences if we want to later use the key in another protocol, for
example, in an an encryption protocol like the one-time pad. Recall from Week 2 lecture notes that
an encryption scheme is secret/secure if and only if for all prior distributions over the messages
p(m), and for all messages m, we should have p(m) = p(m|c), where c denotes the ciphertext. Such
a secrecy can be achieved using the one-time pad, if Eve is completely ignorant about the key. You
may think of the one-time pad scheme as a type of measurement to distinguish ρKE ideal and ρ real . If
KE
this protocol would behave very differently if we use the ρKE real instead of the ideal ρ ideal , then this
KE
would give us a means to distinguish the two states very well. But this is precisely ruled out if the
states are close in trace distance!

In conclusion, if D ρKE real , ρ ideal ≤ ε, while ρ ideal leads to the probabilty distribution p(m) =
KE KE
p(m|c), then we should also have that when using the real state ρKE real , p(m) ≈ p(m|c) should hold.
ε
This means that in the analysis of any subsequent protocol we can assume that we have the ideal
key, at the expense of only a very small error ε.

3.4 Uncertainty principles: a bipartite guessing game

In this section, we first see how to construct a simple guessing game that allows us to prove
security against an eavesdropper Eve who can prepare quantum states, but who otherwise stores
and processes only classical information. The crucial property of quantum mechanics which allows
us to make this security proof is called the uncertainty principle. Such a principle tells us how well
Eve can or cannot predict the outcomes of two incompatible measurements on Alice’s state.
As a warmup, let us first consider the case where Eve only has classical memory. That is,
she might make measurements on the qubits during the transmission, but she cannot keep any
entanglement herself. This is effectively equivalent to Eve actually preparing Alice’s qubits herself,
and can be analyzed in the form of a guessing game defined below:
Definition 3.4.1 — Guessing game - Alice and Eve. Suppose Alice and Eve play the fol-
lowing game:
1. Eve prepares a qubit ρA and sends it to Alice.
2. Alice chooses a random bit Θ ∈ {0, 1}.
3. If Θ = 0, then Alice measures ρA in the standard basis; if Θ = 1, then she measures in the
Hadamard basis.
4. Alice obtains and records a measurement outcome X ∈ {0, 1}.
5. Alice announces Θ.
6. Eve wins if she can guess the bit X.

How may we make sure that Eve cannot fully predict Alice’s measurement outcome X? As a
simple example, let us return to Example 3.3.2 where the joint state between Alice and Eve is

ρAE = |0ih0|A ⊗ ρE , (3.47)

where Alice measures system A either in the standard or Hadamard basis in order to obtain the key
K. If Alice measures in the standard basis, Eve can always predict the outcome perfectly. However,
if Alice measures in the Hadamard basis, Eve can only make a random guess, since by measuring
Alice obtains outcome |+i and |−i each with probability 12 !
12

Bipartite guessing game

Alice Eve

1. Prepares and sends ρA

2. Chooses a random basis
Θ ∈{0,1}

Θ=0 Θ=1

6. Eve wins if she can

Standard Hadamard guess X!
basis basis

3. Measures ρA according to Θ

4. Records outcome X

5. Announces Θ to Eve

Figure 3.2: The guessing game between Alice and Eve, where Eve prepares a quantum state and
sends it to Alice, who choses randomly to measure in the standard basis or in the Hadamard basis.
Eve then tries to guess Alice’s measurement outcome, given the basis she chosen.

To see why this captures the essence of the uncertainty principle, note that if the measurements
are incompatible, then there exists no state ρA that Eve can prepare, that would allow her to guess
the outcomes for both choices of measurements with certainty. Uncertainty can thus be quantified
by a bound on the average probability that Eve correctly guesses X:

Pguess (X|Θ) = p(Θ = 0) · Pguess (X|Θ = 0) + p(Θ = 1) · Pguess (X|Θ = 1) (3.48)

1  
= · Pguess (X|Θ = 0) + Pguess (X|Θ = 1) ≤ c, (3.49)
2

where the second equality holds if Alice chooses her measurement basis Θ at random, namely
with uniform probability 12 for each option. In the case where Eve holds no additional information
except for the basis where Alice has performed the measurement, the quantity c can be shown to be
strictly less than 1.
To see why this is the case, suppose that Eve aims to correctly guess X all of the time. In
particular, she wants to guess X correctly always, regardless of whether Θ = 0 or Θ = 1. This
means that she requires, in particular, that Pguess (X|Θ = 0) = 1, Eve should prepare a state that
will always produce a deterministic outcome when Alice measures in the standard basis. In earlier
weeks, we have seen that for this to happen, Eve can for example send the state |0ih0|A , where
Alice, upon measuring in the standard basis, will always produce X = 0. However, if Eve has used
the strategy of preparing |0ih0|A , what happens when Alice now measured in the Hadamard basis
 3.4 Uncertainty principles: a bipartite guessing game 13

instead? We can calculate the probability

Pguess (X|Θ = 1) = max [ p(X = 0|Θ = 1), p(X = 1|Θ = 1) ] (3.50)

1
= max [ tr (|+ih+||0ih0|) , tr (|−ih−||0ih0|) ] = . (3.51)
2
Therefore, if Eve uses this strategy of preparing ρA = |0ih0|A in order to guess Alice’s outcome X,
then whenever Θ = 1, this corresponds only to a random guess! What’s important in this protocol
is that since Eve does not know beforehand what basis Alice will choose to measure in, she has
to prepare a state that will maximize her guessing probability in both cases of Alice measuring in
the standard basis, and also the Hadamard basis. We have seen from the above example that this
guessing probability can never be equal to 1.
Note that in order for Eve to maximize the guessing probability Pguess (X|Θ) over ρA (without
loss of generality one can consider the outcome to be X = 0),
1
Pguess (X|Θ) = · [tr(ρA |0ih0| + tr(ρA |+ih+|))] (3.52)
2
1
= · tr [ρA (|0ih0| + |+ih+|)] . (3.53)
2
then she has to prepare ρA in the pure state corresponding to the eigenvector of |0ih0| + |+ih+|
with the largest eigenvalue. Check for yourselves that the largest eigenvalue of this matrix is
λmax = 1 + √12 . Therefore, we have that Pguess (X|Θ) = 12 + 2√1 2 < 1.

3.4.1 Analysis: winning probability of the guessing game

Let us first try to calculate Eve’s guessing probability for the protocol in Def. 3.4.1. We have seen
in previous lectures that any state can be written in its Bloch representation as ρA = 12 (I + vx X +
vyY + vz Z), where the vector ~v = (vx , vy , vz ) is a 3-dimensional real vector. Therefore, one may
calculate the following inner products using the Bloch representation:
1 1
tr(ρA |0ih0|) = (1 + vz ), tr(ρA |1ih1|) = (1 − vz ), (3.54)
2 2
1 1
tr(ρA |+ih+|) = (1 + vx ), tr(ρA |−ih−|) = (1 − vx ). (3.55)
2 2
On the other hand,
1 1
pguess (X|Θ) = max{tr(ρA |0ih0|), tr(ρA |1ih1|)} + max{tr(ρA |+ih+|), tr(ρA |−ih−|)}, (3.56)
2 2
where we want this value maximized over all possible states ρA , since Eve is allowed to pick any
arbitrary state. Since the maximizations of both expression are symmetric around vz = 0, vx = 0
respectively, we can without loss of generality consider only the case where vz , vx ≥ 0. The
expression in Eq. (3.56) then reduces to
1 1
pguess (X|Θ)ρA = tr [ρA (|0ih0| + |+ih+|)] = (2 + vz + vx ), v2z + v2x ≤ 1. (3.57)
2 4
To maximize this expression over all states ρA implies maximizing Eq. (3.57) over the constraint
v2z + v2x ≤ 1, and the maximum happens only when v2z + v2x = 1 (this implies that ρA is pure for Eve’s
optimal strategy). Using the parametrization vz = sint, vx = cost then gives us that
1
max (sint + cost), achieved when sint = cost = √ . (3.58)
t 2
 14
√
Therefore, the probability Eve wins this game is Pguess (X|Θ)ρA = 1/2 + 1/(2 2) ≈ 0.85.
In a more general scenario, Eve may even have classical information about ρA . This means that
she is able to create an arbitrary cq-state ρAC = ∑c pc ρcA ⊗ |cihc|C according to some distribution
{pc }c , and sends ρA = ∑c pc ρcA to Alice while keeping the classical label C. Let us further convince
ourselves that any further classical information Eve holds about ρA does not help. Suppose that Eve
can prepare any cq-state ρAC = ∑c pc ρcA ⊗ |cihc|C , and sends ρA to Alice. The guessing probability
further conditioned on C is given by

pguess (X|ΘC)ρAC = ∑ pc pguess (X|Θ)ρcA (3.59)

c

where we maximize over all possible {pc , ρcA }c . But we have previously already shown the
maximum possible value of pguess (X|Θ)ρcA , over all possible ρcA ! Therefore, Eq. (3.59) yields
 
1 1
pguess (X|ΘC)ρAC = 1+ √ ≈ 0.85. (3.60)
2 2
This quantity Pguess (X|ΘC) now directly tells us about the min-entropy about this bit, since
Hmin (X|ΘC) = − log Pguess (X|ΘC). That gives a value for min-entropy per bit, of Hmin (X|ΘC) =
− log Pguess (X|ΘC) ≈ 0.22.
Next, let us give Eve a little more power. Suppose that not only can Eve prepare a state ρA for
Alice to measure, she might create a larger state ρAE , possibly entangled, and send only ρA to Alice.
Note that since we always allow Eve maximum information about everything, ρAE is always pure:
Eve always holds the purification as well. We will thus simply assume that Eve can prepare pure
states ρAE of which she sends qubit A to Alice.

Exercise 3.4.1 Show that if Eve can keep entanglement, that is the can prepare an arbitrary
entangled state ρAE then she can guess X perfectly.
Hint: consider the case where Eve prepares the EPR pair. 

When you complete the exercise you will discover that if Eve can be entangled with Alice’s
qubit, then she can guess perfectly.
Is there any hope for security (i.e. keeping X secret from Eve) at all then? The answer to
this is yes: remember that entanglement is monogamous! In other words, if we want limit Eve’s
knowledge about Alice’s measurement outcomes, then we need to use two aspects of quantum
mechanics:
• Uncertainty: If Eve has no (or little) entanglement with Alice, then she cannot predict
the outcomes of two incompatible measurements (very well). In particular, this means
it is difficult for here to guess Alice’s measurement outcomes, i.e., Pguess (X|EΘ) < 1, or
equivalently, Hmin (X|EΘ) > 0.
• Entanglement: We need a means to ensure there actually is little entanglement between Alice
and Eve. For this we can use the fact that entanglement is monogamous, that is, if we find a
large amount of entanglement between Alice and Bob, then we know that Eve has very little
entanglement with either Alice or Bob, and therefore the min-entropy should be large!

3.5 Extended uncertainty relation principles: A tripartite guessing game

In this section, in order to make use of the monogamous property of entanglement, we consider a
direct extension of the guessing game as before, only this time we are given no guarantee about
the entanglement (or absence thereof) between Alice and Eve. Instead, we have a third party Bob,
whom Alice trusts. In particular, to show security against Eve, Alice and Bob may join forces
to make an estimate of Eve’s min-entropy. To do so, they need to perform an entanglement test
3.5 Extended uncertainty relation principles: A tripartite guessing game 15

between Alice and Bob to ensure that by the monogamy of quantum entanglement, the entanglement
between Alice and Eve is small. For this, let us consider the following tripartite guessing game.
Definition 3.5.1 — Tripartite guessing game - Alice, Bob and Eve. Suppose Alice plays
against Bob and Eve in the following way:
1. Eve prepares a global state ρABE , and sends qubits A and B to Alice and Bob respectively.
2. Alice chooses a random bit Θ ∈ {0, 1}.
3. If Θ = 0, then Alice measures ρA in the standard basis; if Θ = 1, then she measures in the
Hadamard basis.
4. Alice obtains a measurement outcome X ∈ {0, 1} and records it.
5. Alice announces Θ to both Bob and Eve.
6. Given Θ, Bob measures ρB and makes a guess X̃. Likewise, Eve measures ρE and makes
a guess XE .
7. Bob and Eve win the game if XE = X = X̃.

Tripartite guessing game

Eve
Alice Bob

ρA ρB
2. Chooses a random basis 1. Prepares ρABE
Θ ∈{0,1} 6. Measures ρB and makes a
6. Measures ρE and makes a ~
guess X
Θ=0 Θ=1 guess XE

Standard Hadamard
basis basis

3. Measures ρA according to Θ

7. Bob and Eve win if they

4. Records outcome X ~
can guess X, XE such that
5. Announces Θ to Eve and Bob ~
XE = X = X !

Figure 3.3: A tripartite guessing game where Eve gets to prepare the global state ρABE . She send
the qubits A and B to Alice and Bob respectively, where Alice measures randomly in either the
standard or Hadamard basis. Bob and Eve both provide guesses X̃, XE , and we say that they win
the game if XE = X = X̃.

Therefore, our goal will be to bound the probability that they all produce the same outcome,
 16

averaged over the choice of basis, that is, that Bob and Eve wins the guessing game.


pTripartite = p X = X̃ = XE = ∑ pΘ p(X = X̃ = XE |Θ) (3.61)
Θ∈{0,1}
" !#
1
= ∑ tr ρABE ∑ |xihx|Aθ ⊗ |xihx|Bθ ⊗ Mx|θ
E
, (3.62)
2 θ ∈{0,1} x∈{0,1}

where we used superscripts A, B and E to denote the systems on which we perform the mea-
surements, and |xiΘ to denote basis element x in the basis Θ. That is, |0i0 = |0i, |1i1 = |1i, and
|0i1 = |+i, |1i1 = |−i. The probability above is the probability that they all give the same outcome
x when measuring the state ρABE . Of course, we don’t know anything about the state ρABE or the
measurement {Mx|Θ E } with outcomes x that Eve will perform on E depending on the basis Θ. We
x
only know that this must be a quantum state, and Eve can only make measurements that are allowed
by the laws of quantum mechanics. Since it is known that all POVMs can be realized as projective
measurements using a potentially larger ancilla, and our all powerful Eve can hold the entire rest
of the universe except Alice and Bob’s labs, we can without loss of generality assume that Eve’s
measurements are projective. Given her access to a smaller space only makes things more difficult
for Eve and in a security analysis we are always allowed to make the adversary more (but not less!)
powerful.

3.5.1 Analysis: winning probability of the tripartite guessing game

How could we hope to analyze this situation? Previously when we considered a classical Eve, the
solution was given by a simple eigenvalue problem, and if we would fix Eve’s measurements then
again we obtain an eigenvalue problem
" !#
1
max tr ρABE , (3.63)
2∑
ΠΘ
ρABE
Θ

where
ΠΘ = ∑ |xihx|AΘ ⊗ |xihx|BΘ ⊗ Mx|Θ
E
. (3.64)
x∈{0,1}

E and malicious Eve

Now we are in some small amount of trouble given that we don’t know Mx|Θ
will of course use the best possible measurements.
Two tools from linear algebra
To get around this dificulty, we will use two little linear algebra tricks which are proven in [Tom+13].
To write them down, let us first introduce a shorthand for the maximization problem above. In
general, the operator norm of some operator O, can be written as
kOk∞ = max tr [ρO] , (3.65)
ρ

where the maximization is taken over all ρ such that tr[ρ] ≤ 1. When, O is Hermitian, then we just
maximize over all quantum states ρ, that is, ρ satisfying ρ ≥ 0 and tr[ρ] = 1. Note that this means
we can reduce the maximization problem above to studying

1
∑ Πθ , (3.66)
2 θ ∈{0,1}
∞
for of course still partially unknown Πθ . When talking about operators, people often omit the
subscript ∞ and simply write kOk = kOk∞ as is also done in [Tom+13], and we will use this simpler
notation from now on. Nevertheless, while cumbersome, one can establish the following two facts:
3.5 Extended uncertainty relation principles: A tripartite guessing game 17

1. For any two projectors Π0 and Π1 1 , we have

kΠ0 + Π1 k ≤ max{kΠ0 k, kΠ1 k} + kΠ0 Π1 k. (3.67)

([Tom+13, Lemma 2])

2. If Π0 ≤ P and Π1 ≤ Q 2 , then kΠ0 Π1 k ≤ kPQPk.

([Tom+13, Lemma 1])

Let us now use these two tricks to bound Eve’s probability of winning. Using trick 1, we have that

1 1
max ∑ Πθ = max ∑ Πθ (3.68)
ME 2 θ ∈{0,1} ME 2 θ ∈{0,1}
∞ ∞
 
1
≤ 1 + max kΠ0 Π1 k , (3.69)
2 ME

where we have used that kΠ0 k, kΠ1 k ≤ 1 for any measurements M E that Eve could make in
quantum mechanics (convince yourself that this is true!). It remains to analyze kΠ0 Π1 k for which
we will use trick number two, for some smart choice of P and Q. Note that since all measurement
E ≤ I and also |xihx| ≤ I, we have that
operators Mx|θ θ

Π0 ≤ ∑ |xihx|A0 ⊗ |xihx|B0 ⊗ IE =: P (3.70)

x∈{0,1}

Π1 ≤ ∑ |xihx|A1 ⊗ IB ⊗ Mx|1
E
=: Q (3.71)
x∈{0,1}

E = I for any quantum

Using the fact that hx|yi = 0 if x 6= y in the same basis, and that ∑y My|1
measurement Eve may make, we thus have

PQP = ∑ |xihx|A0 |yihy|A1 |zihz|A0 ⊗ |xihx|B0 |zihz|B0 ⊗ My|1

E
(3.72)
x,y,z
1
= ∑ |xihx|A0 ⊗ |xihx|B0 ⊗ My|1
E
(3.73)
x,y 2
1
= |xihx|A0 ⊗ |xihx|B0 ⊗ ∑ My|1
E
(3.74)
2∑x y
1
= |xihx|A0 ⊗ |xihx|B0 ⊗ IE . (3.75)
2∑x

This gives kPQPk ≤ 1/2. Using trick number two, and plugging into Eq. (3.69) we thus have that
 
1 1 1 1
pTripartite ≤ 1+ √ = + √ , (3.76)
2 2 2 2 2
which is again our familiar number from the much simpler guessing game, where Eve was all
classical! Moreover, it can be shown using messy but not not more advanced mathematical tools
that also when we consider collective attacks
 n
1 1
pnTripartite
rounds
≤ + √ , (3.77)
2 2 2
1 Recall that a projector Π is an operator such that Π2 = Π.
2 Recall that A ≤ B means that B − A ≥ 0.
18

and she can achieve this bound by playing the optimal one round strategy!
We thus know that if the error rate is low, and Bob can reproduce a significant fraction X = X̃,
then it is difficult for Eve to guess XE = X and hence her min-entropy must be large.

Acknowledgements
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
International Licence. The lecture notes are written by Stephanie Wehner, Nelly Ng, and Thomas
Vidick. We thank David Elkouss, Jonas Helsen, Jérémy Ribeiro and Kenneth Goodenough for
proofreading.
3.5 Extended uncertainty relation principles: A tripartite guessing game 19

Important identities for calculations

Trace distance

D(ρreal , ρideal ) := max tr [M (ρreal − ρideal )] (3.78)

0≤M≤I
1 h√ i
= tr A† A , A = ρreal − ρideal . (3.79)
2
Properties:
1. D(ρ, ρ 0 ) ≥ 0 with equality iff ρ = ρ 0 .
2. D(ρ, ρ 0 ) = D(ρ 0 , ρ).
3. D(ρ, ρ 0 ) + D(ρ 0 , ρ 00 ) ≥ D(ρ, ρ 00 ).
4. D(∑i pi ρi , σ ) ≤ ∑i pi D(ρi , σ ).

Fidelity
q 
0 √ 0√
F(ρ, ρ ) := tr ρρ ρ . (3.80)

If ρ = |ψihψ| and ρ 0 = |ψ 0 ihψ 0 |, then F(|ψihψ|, |ψ 0 ihψ 0 |) =

p
√ hΨ1 |ρ2 |Ψ1 i.
Relation to trace distance: 1 − F ≤ D ≤ 1 − F . 2

Min-entropy
Unconditional : Hmin (X) = Hmin (ρX ) = − log maxx px .
Conditional : For a cq-state ρXE , Hmin (X|E) := − log Pguess (X|E), where

Pguess (X|E) := max ∑ px tr Mx ρxE , {Mx ≥ 0 | ∑ Mx = I}.

 
{Mx }x x x

Properties:
1. 0 ≤ Hmin (X|E) ≤ Hmin (X) ≤ log |X|, but only for cq states! For quantum register X,
Hmin (X|E) can be negative.
2. Hmin (X|E) ≥ Hmin (X) − log |E|.

A secret key
A key K is secret from Eve iff it is uniform and uncorrelated from Eve, i.e. the joint state
ρKE is of the form

IK
ρKE = ⊗ ρE . (3.81)
dK
 Bibliography

[FV99] Christopher A Fuchs and Jeroen Van De Graaf. “Cryptographic distinguishability

measures for quantum-mechanical states”. In: IEEE Transactions on Information
Theory 45.4 (1999), pages 1216–1227 (cited on page 5).
[Hel76] Carl W. Helstrom. Quantum detection and estimation theory / Carl W. Helstrom.
English. Academic Press New York, 1976, ix, 309 p. : ISBN: 0123400503 (cited on
page 3).
[KRS09] Robert Konig, Renato Renner, and Christian Schaffner. “The operational meaning
of min-and max-entropy”. In: IEEE Transactions on Information theory 55.9 (2009),
pages 4337–4347 (cited on page 9).
[Ren08] Renato Renner. “Security of quantum key distribution”. In: International Journal of
Quantum Information 6.01 (2008), pages 1–127 (cited on page 7).
[Tom+13] M. Tomamichel et al. “A Monogamy-of-Entanglement Game With Applications to
Device-Independent Quantum Cryptography”. In: New Journal of Physics 15 (2013).
EUROCRYPT 2013, arXiv:1210.4359, page 103002 (cited on pages 16, 17).