1 Introduction↩︎

Developments in the area of quantum computing in the last decades have put a spotlight on how vulnerable many state-of-the-art security techniques for communication networks are against attacks based on execution of quantum algorithms that exploit the laws of quantum physics [1]. Another aspect of the rapid development in experimental quantum physics, however, has received significantly less attention in communication engineering: Instead of simply performing quantum processing steps on an intercepted classical signal, an attacker can use quantum measurement devices to exploit the quantum nature of the signals themselves. For instance, radio waves as well as visible light that is used in optical fiber communications both consist of photons. This fact was exploited in [2] to introduce the so-called photonic side channels.

Any communication network that involves a vast number of interconnected network elements and systems communicating with each other, by its very nature exposes a large attack surface to potential adversaries. This is even exacerbated if many of the communication paths are wireless, as is the case in cellular networks such as 6G. Examples for possible attacks that can be carried out against various parts of such networks are algorithm implementation attacks, jamming attacks, side-channel attacks, and attacks on the physical layer of the communication system. This multi-faceted nature of the threat necessitates a diverse range of countermeasures. It has therefore been a longstanding expectation that established defenses based on cryptography will need to be complemented with defenses based on pls which is a promising approach to protect against lower-layer attacks. It can be used as an additional layer of security to either increase the overall system security or reduce the complexity of cryptographic algorithms and protocols running at higher layers of the protocol stack. We point out that complexity may be a key aspect in massive wireless networks of the future such as 6G, where many low-cost, resource and computationally constrained devices will be deployed, making it difficult to use advanced cryptographic techniques.

In cryptography, sequences of bits are protected against attacks. The main threat posed by the recent progress in the implementation of quantum computers and known quantum algorithms [1], [3] which directly affect the security of certain cryptographic schemes, therefore, is that an attacker may have the ability to process cipher texts with quantum computers. This has triggered significant research and development efforts in the field of post-quantum cryptography [4]. The goal in this field is to develop new cryptographic algorithms and protocols that are resistant to attacks by quantum computers. The threat for defense mechanisms based on pls, on the other hand, is of a different nature: Since there is no assumption regarding the computational capability of attackers needed to guarantee security, such techniques are inherently safe against attacks with quantum computers that process classically represented signals. But since pls seeks to protect the communication signals themselves against attacks, they are vulnerable to violations of system assumptions regarding what type of signal the attacker can intercept. Therefore, security is not guaranteed if an attack is carried out with quantum hardware such as optical quantum detectors and similar quantum measurement equipment. For example, the photon emission from integrated circuits has been exploited in [2], [5] to read out the secret keys used. The underlying physical process represents a quantum side channel since the properties of the emitted photons strongly depend on the operation that the involved device performs and the data being processed. This shortcoming of (classical) pls techniques can be addressed by establishing results for pls that take the quantum nature of wireless communication signals and side channels in transmitters and receivers into account. For example, the work [6] defined the notion of an exclusion region with the goal of guaranteeing information-theoretic security as long as no wiretapper can interact with signals inside the exclusion region.

Another important aspect is the availability of bounds for secure communication in the finite block length regime. These are important for many practical purposes, such as the construction of secrecy maps for indoor and outdoor wireless networks in [7]–[9] that we expect to be crucial for the integration of pls into mobile communication networks.

In this work, we prove direct coding results for wiretap channels that take both of these aspects into consideration. The channel models considered have a quantum output at the eavesdropper’s channel terminal, and the derived bounds can be numerically evaluated at finite block lengths. Besides this, we also discuss operational implications of the resulting security guarantees and compare them to other notions of security that are commonly used in the literature.

1.1 Prior work↩︎

The results we provide in this paper are rooted in and draw from several branches of research like classical pls and its connection to cryptography, channel resolvability, and quantum Shannon theory. For this reason, we give a short overview of existing literature in these fields which is closely related to this work.

1.1.0.1 Classical pls

An important branch of research with long history in pls addresses fundamental bounds to confidentiality of communication, which is traditionally based on the communication model of the wiretap channel [10]–[15].

It is important to emphasize that the measure of confidentiality itself has undergone a tremendous evolution. While the results of [10], [11] use equivocation as the underlying measure, [12]–[15] rely on strong secrecy or closely related measures as the security metric. The disadvantage of these security metrics is that they allow no or very limited operational interpretation, i.e., they do not provide a way to quantify leakage of information for specific types of eavesdropping attacks. A confidentiality measure that has been known in the cryptography community for a long time and allows a clear operational interpretation is semantic security [16]. It has been adopted in the pls community as a suitable measure of secrecy and used for wiretap channel coding problems in [17]–[20].

1.1.0.2 Achievability for wiretap channels with quantum outputs

A quantum version of the wiretap channel was first analyzed in [21] for a one-shot scenario. [22], [23] derive non-asymptotic results for general finite-dimensional wiretap channels with classical input and quantum outputs as well as in the case of quantum input and quantum outputs under the strong secrecy criterion, but due to the proof methods used, semantic security is implicitly established as well. In [24], error exponents and equivocation rates are established for the case that there is only randomness of limited quality available at the transmitter. [25] extends the result from [22] to pure-loss bosonic channels under the strong secrecy criterion. The series of works [26]–[29] explores a trade-off region between semantically secure communication, public communication and secret key generation which can be specialized to just semantically secure communication in a straightforward way. The channel models considered are the pure-loss bosonic channel, the thermal-noise bosonic channel, the quantum amplifier channel and general infinite-dimensional quantum channels. All achievability results are of asymptotic nature. In [30], a feedback scenario is considered under weak secrecy. One-shot achievability bounds for the finite-dimensional broadcast channel with private and confidential messages are given in [31]–[33]. In contrast to the prior works discussed, the present work derives achievability results for a general infinite-dimensional cq channels, providing bounds that can be numerically evaluated for finite block lengths.

1.1.0.3 Converse results for wiretap channels with quantum outputs

Multi-letter converse results for finite-dimensional channels appear in [22], [23]. One-shot converse results for finite-dimensional broadcast channels with private and confidential messages are proposed in [31], [32]. In [25], [27], single-letter converse results for pure-loss bosonic channels are given, but they rely on an unproven conjecture, the entropy photon number inequality. Converse results for general quantum channels and certain bosonic channels that do not rely on unproven conjectures are given in [24], [28], [29]. Single-letter versions are available only in the case of degradable channels, otherwise the converse results are multi-letter.

1.1.0.4 Semantic security for channels with quantum outputs

As mentioned above, many works have either given results that imply semantic security or established them implicitly in their proofs. The works [24], [34], however, have considered the question of security notion explicitly and established an interesting connection between strong secrecy and semantic security. [24] contains a construction that can transform any wiretap code which achieves strong secrecy over a cqq wiretap channel into a code that ensures semantic security and has (asymptotically) the same rate. As was observed in [34], this holds also in the infinite-dimensional case. For the finite-dimensional case, [34] gives an alternative construction for this transformation; the advantage here is that the construction is explicit so that it can be expected that if it is used on a practically feasible code that achieves strong secrecy, the transformation will result in a semantically secure wiretap code that retains the practical feasibility. The prior works study semantic security either implicitly or explicitly under one of multiple possible definitions. In this work, we connect these definitions with each other and with strong and weak secrecy by showing, similarly as was done before for classical channels [35], what implications hold between them. In doing so, we also pay special attention to the subtleties that arise in the infinite-dimensional case and make explicit which of these implications continue to hold.

1.1.0.5 Resolvability for cq channels

To the best of our knowledge, the first works that contain resolvability results for cq channels are [22], [23]. Further results appeared in [36] and a much more in-depth treatment with generalizations to the case of imperfect randomness at the transmitter can be found in [24]. All of these works are specific to the finite-dimensional case, while in this paper, we propose results that are valid for general infinite-dimensional cq channels.

1.2 Contribution and Outline↩︎

The contribution of this paper can be summarized as follows:

• We establish a semantic security based direct coding theorem for wiretap channels with infinite-dimensional quantum output observed by the eavesdropper (cf. Fig. 1). This result applies both to the case where the legitimate parties communicate over a (possibly) continuous-alphabet classical channel, and to the case in which they also use a channel with classical input and infinite-dimensional quantum output.

• We develop a new proof method for wiretap channels with the eavesdropper having access to a quantum version of the input signal. This method also establishes a resolvability result for cq channels with infinite-dimensional output. Our method is based on symmetrization arguments used to prove non-asymptotic versions of uniform laws of large numbers based on Rademacher complexity. One advantage of this new method, besides its amenability to infinite-dimensional channels, is that it naturally yields nonasymptotic results that are valid for any block length and not only asymptotically for block lengths tending to infinity.

• We state versions of our results that are amenable to numerical evaluations for finite block lengths. While it may not be possible from these results to obtain nontrivial bounds for very small block lengths, it is possible to numerically determine minimum block lengths for which our theorems guarantee certain performance metrics.

• We establish our results under additive cost constraints. These types of constraints specialize in particular to the case of average input energy constraints.

• We illustrate the finite-block length nature of our methods with numerical evaluations of the obtained error bounds in the special case where both the legitimate communication parties and the eavesdropper use Gaussian cq channels.

• We discuss various established secrecy metrics for quantum communication systems and show how they are related to each other.

In Section [sec:main-result], we introduce the wiretap channel models that are considered in this paper, and state the main results. In Section 3, we give the definitions of semantic security and other established secrecy metrics for quantum communication systems, and we discuss how they are related. In particular, we show how the results stated in Section [sec:main-result] imply a semantic security guarantee. To establish the main results, we need a theorem on cq channel resolvability and a coding theorem for the cq channel, which we state and briefly discuss in Section 4. Section 5 contains the proofs of the theorems in Sections [sec:main-result] and 4. Finally, in Section 6, we specialize our results to Gaussian cq channels. For the example of a set of system parameters that is plausible for a real-world optical communication system, we numerically evaluate and plot the bounds derived in this paper. A number of technical lemmas are relegated to the appendix.

2 Problem Statement and Main Result↩︎

In this section, we introduce the wiretap channel model and state our main results.

2.1 Notation and Conventions↩︎

Before we can make the formal problem statement, it is necessary to introduce some preliminaries. Let \(\mathcal{H}\) be a separable Hilbert space over \(\mathbb{C}\) and let \[\mathcal{B}({\mathcal{H}}):=\left\{A: \mathcal{H}\to \mathcal{H}: A\textrm{ is linear and } \sup_{h\in \mathcal{H}: || h||\le 1} || Ah||< \infty \right\}\] be the set of bounded linear operators on \(\mathcal{H}\) where \(|| \cdot ||\) denotes the norm on the Hilbert space \(\mathcal{H}\) induced by the inner product. The set \(\mathcal{T}({\mathcal{H}})\) of trace class operators [37] is defined by \[\mathcal{T}({\mathcal{H}}):=\left\{A\in \mathcal{B}({\mathcal{H}}): \mathrm{tr}(A^* A)^{\frac{1}{2}}< \infty \right\}.\] Endowed with the norm \(\left\lVert {\cdot} \right\rVert_\mathrm{tr}: \mathcal{T}({\mathcal{H}})\to \mathbb{R}_{+}\) defined by \[\left\lVert {A} \right\rVert_\mathrm{tr}:=\mathrm{tr}(A^* A)^{\frac{1}{2}},\] for \(A\in \mathcal{T}({\mathcal{H}})\), the pair \((\mathcal{T}({\mathcal{H}}), \left\lVert {\cdot} \right\rVert_\mathrm{tr})\) is a Banach space (cf. [37]) and is called the trace class on \(\mathcal{H}\).

The set of states or density operators \(\mathcal{S}({\mathcal{H}})\subset \mathcal{T}({\mathcal{H}})\) is given by \[\label{eq:def-state} \mathcal{S}({\mathcal{H}}) := \left\{ \rho\in \mathcal{T}({\mathcal{H}}):~ \rho\geq 0,~ \mathrm{tr}\rho= 1 \right\},\tag{1}\] where \(\geq\) denotes the positive semi-definite partial ordering of operators, and we follow the tradition of using lowercase Greek letters for states. We will also occasionally use the operator norm \(\left\lVert {\cdot} \right\rVert_\mathrm{op}\) on \(\mathcal{B}({\mathcal{H}})\) which is given by \[\left\lVert {A} \right\rVert_\mathrm{op}:= \sup_{h\in \mathcal{H}: || h||\le 1} || Ah||\] for \(A\in \mathcal{B}({\mathcal{H}})\), and for the reader’s convenience we summarize the specific properties of the operator and trace norms that we use in Lemma 15 in Appendix 6.6. Note that the pair \((\mathcal{B}({\mathcal{H}}), \left\lVert {\cdot} \right\rVert_\mathrm{op})\) is a Banach space as well (cf. [37]).

Given any finite set \(V\), a \(V\)-valued povm [38], [39] is a sequence \((F_v)_{v\in V}\) of operators on \(\mathcal{H}\) such that for all \(v\), \(F_v\geq 0\), and \[\label{eq:def-povm} \sum_{v\in V} F_v = \mathbf{1}.\tag{2}\] The povm \((F_v)_{v\in V}\) is a mathematical description of a measurement with the possible outcomes \(v\in V\). For a system in the state \(\rho\in \mathcal{S}({\mathcal{H}})\), the probability of the outcome \(v\in V\) when performing the measurement represented by the povm \((F_v)_{v\in V}\) is given by the Born rule as \[p(v):=\mathrm{tr}\left(\rho F_{v}\right).\] Since \(\rho\ge 0\) and \(F_{v}\ge 0\), we have \(p(v)\ge 0\). The defining relations (1 ), (2 ), and the linearity of the trace show that \[\sum_{v\in V}p(v)=1,\] so that, indeed, \(p\) is a pmf on \(V\).

Throughout the paper, we use the following abbreviations. For a Hilbert space \(\mathcal{H}\), \(A\in \mathcal{B}({\mathcal{H}})\), and \(n\in \mathbb{N}\), \(\mathcal{H}^{\otimes n}:=\mathcal{H}\otimes \ldots \otimes \mathcal{H}\) stands for \(n\)-fold tensor product of \(\mathcal{H}\) and \(A^{\otimes n}:= A\otimes\ldots \otimes A\) denotes the \(n\)-fold tensor power of \(A\). For a set \(\mathcal{X}\) and \(n\in \mathbb{N}\) we set \(\mathcal{X}^{n}:=\mathcal{X}\times \ldots \times \mathcal{X}\) for \(n\)-fold Cartesian product of the set \(\mathcal{X}\). Moreover, we use the abbreviation \(x^{n}:=(x_1, \ldots , x_{n})\in \mathcal{X}^{n}\).

Throughout this work, expectations and integrals of operator-valued random variables and functions will play an important role. Since we do not assume that the input alphabet \(\mathcal{X}\) is necessarily finite or discrete, we assume that \(\mathcal{X}\) is equipped with a \(\sigma\)-algebra \(\Sigma\) which represents a collection of measurable sets. This means in particular that the probability space underlying these expectations is possibly infinite as well. The expectations are therefore formally defined as Bochner integrals on the Banach space \((\mathcal{T}({\mathcal{H}}), \left\lVert {\cdot} \right\rVert_\mathrm{tr})\). The exact definitions and many important facts about Bochner integration can, e.g., be found in [40]. Therefore, many technical questions of measurability and integrability arise in our proofs. We summarize the preliminaries on measurability that we use in this paper in Lemma 18 and the necessary preliminaries on Bochner integration in Lemma 19 in Appendix 6.6. When referring to the notions of continuity (measurability) of functions, it is important to specify with respect to which topology (\(\sigma\)-algebra) the function in question is continuous (measurable). We therefore adopt the following conventions: When the domain or range of a function is given as \(\mathcal{X}\), measurability is with respect to \(\Sigma\). When the domain or range is given as \(\mathcal{B}({\mathcal{H}})\), the continuity (measurability) of the function is with respect to the topology (Borel \(\sigma\)-algebra) induced by the operator norm. When the domain or range is given as \(\mathcal{T}({\mathcal{H}})\) or \(\mathcal{S}({\mathcal{H}})\), the continuity (measurability) of the function is with respect to the topology (Borel \(\sigma\)-algebra) induced by the trace norm. When the domain or range is a subset of \(\mathbb{R}\) or \(\mathbb{C}\), we consider the topology (Borel \(\sigma\)-algebra) induced by the Euclidean norm.

2.2 System Model and Main Result↩︎

In this work, we study wiretap channels with ccq and wiretap channels with cqq. Formally, a ccq wiretap channel is a pair \((W, D_\mathfrak{E})\), where \(W\) is a stochastic kernel (i.e., a classical channel), \(D_\mathfrak{E}\) is a cq channel, and \(W\) and \(D_\mathfrak{E}\) share the same input alphabet. The idea behind this definition is that the eavesdropper observes a quantum system instead of a classical output while the legitimate receiver observes a classical output. A cqq wiretap channel is a pair \((D_\mathfrak{B},D_\mathfrak{E})\) where both \(D_\mathfrak{B}\) and \(D_\mathfrak{E}\) are cq channels.

In the following, we describe the system model (which is also depicted in Fig. 1) in more detail. The transmitter \(\mathfrak{A}\) transmits a channel input \(X\) which is a random variable ranging over a measurable space \((\mathcal{X},\Sigma)\), the input alphabet. The eavesdropper \(\mathfrak{E}\) observes the output of a cq channel which is described by a measurable map \(D_\mathfrak{E}: \mathcal{X}\rightarrow \mathcal{S}({\mathcal{H}_\mathfrak{E}})\) where \(\mathcal{H}_\mathfrak{E}\) is a separable Hilbert space. The measurability of \(D_\mathfrak{E}\) is with respect to \(\Sigma\) and the Borel \(\sigma\)-algebra induced by the trace norm. In the case of the cqq wiretap channel (Fig. 1 (b)), the legitimate receiver \(\mathfrak{B}\) also observes the output of a cq channel, described by a measurable map \(D_\mathfrak{B}: \mathcal{X}\rightarrow \mathcal{S}({\mathcal{H}_\mathfrak{B}})\), where \(\mathcal{H}_\mathfrak{B}\) is a separable Hilbert space. In the case of the ccq wiretap channel (Fig. 1 (a)), the legitimate receiver observes the output \(\hat{X}\) which is a random variable ranging over another measurable space \((\hat{\mathcal{X}},\hat{\Sigma})\) and its relationship with \(X\) is described by a stochastic kernel \(W: \hat{\Sigma}\times \mathcal{X}\to [0,1]\), the legitimate receiver’s (classical) channel.

For \(x^n:=(x_1, \ldots ,x_{n})\in \mathcal{X}^n\) and \(B_1,\ldots, B_n \in \hat{\Sigma}\), we set \[W^n(B_1\times \ldots \times B_n,x^n):= \prod_{i=1}^{n}W(B_i, x_i),\;\] for classical channels \(W\), and \[D^{n} (x^n) := \bigotimes_{i=1}^{n} D(x_i)= D(x_1)\otimes \dots \otimes D(x_{n}),\] for cq channels \(D\), i.e., we consider \(n\)-th memoryless extensions of the channels \(W\) and \(D\).

A wiretap code for the ccq channel \((W, D_\mathfrak{E})\) (for the cqq channel \((D_\mathfrak{B}, D_\mathfrak{E})\)) with message set size \(M\) and block length \(n\) is a pair \((\mathrm{Enc}, \mathrm{Dec})\) such that

• The encoder is a stochastic kernel mapping \(\mathrm{Enc}: \Sigma^{\otimes n} \times \{1, \dots, M\} \to [0,1]\), where \(\mathcal{X}\) is the common input alphabet of \(W\) and \(D_\mathfrak{E}\) (of \(D_\mathfrak{B}\) and \(D_\mathfrak{E}\)).

• In case of a classical channel \(W\) to the legitimate receiver, the decoder is a deterministic mapping \(\mathrm{Dec}: \hat{\mathcal{X}}^n\to \{1, \dots, M\}\), where \(\hat{\mathcal{X}}\) is the output alphabet of \(W\).

• In case of a cq channel \(D_\mathfrak{B}\) to the legitimate receiver, the decoder is a \(\{1, \dots, M\}\)-valued povm \((Y_m)_{m=1}^M\) on \(\mathcal{H}_\mathfrak{B}\).

The rate of a wiretap code is defined as \(\log (M) / n\). In this paper, we always use the logarithm (as well as the exponential function denoted \(\exp\)) with Euler’s number as a base and consequently, the rate is given in nats per channel use. For the ccq channel and \(\varepsilon\ge 0\), we say that the wiretap code has average error \(\varepsilon\) if \[\label{eq:def-average-error} \mathbb{E}_\mathfrak{M} \mathbb{P}\big( \mathrm{Dec}(\hat{X}^n) \neq \mathfrak{M} \big) \leq \varepsilon\tag{3}\] where \(\hat{X}^n\) is the random variable observed by the legitimate receiver, resulting from encoding and transmission of a uniformly distributed message \(\mathfrak{M}\) through the channel \(W^n\). For the cqq channel and \(\varepsilon\ge 0\), we say that the wiretap code has average error \(\varepsilon\) if \[\label{eq:def-average-error-cq} \mathbb{E}_\mathfrak{M} \mathrm{tr}\left( D_\mathfrak{B}^n\circ \mathrm{Enc}(\mathfrak{M}) (\mathbf{1}- Y_\mathfrak{M}) \right) \leq \varepsilon\tag{4}\] for a uniformly distributed message \(\mathfrak{M}\). The composition of the stochastic kernel mapping \(\mathrm{Enc}: \Sigma^{\otimes n} \times \{1, \dots, M\} \to [0,1]\) and the cq channel \(D_\mathfrak{B}^n:\mathcal{X}^n\to \mathcal{S}({\mathcal{H}_\mathfrak{B}^{\otimes n}})\) is given by \[\label{eq:def-channel-composition} D_\mathfrak{B}^n\circ \mathrm{Enc}(m) := \int_{\mathcal{X}^n} D_\mathfrak{B}^n(x^n)\mathrm{Enc}(d x^n, m),\tag{5}\] for \(m\in \{1, \dots, M\}\). Note that the integral is well-defined by the measurability of \(D_\mathfrak{B}\) and that the integral exists in Bochner sense by Lemma 19-[item:bochner-integral-basics-existence]. Moreover, \(D_\mathfrak{B}^n\circ \mathrm{Enc}(m)\in \mathcal{S}({\mathcal{H}_\mathfrak{B}^{\otimes n}})\) by Lemma 19-[item:bochner-integral-basics-trace] and Lemma 19-[item:bochner-integral-basics-bounded-functional].

For \(\delta\ge 0\), we say that the wiretap code \((\mathrm{Enc}, \mathrm{Dec})\) has distinguishing security level \(\delta\) if \[\label{eq:def-distinguishing-security} \forall m_1, m_2 \in \{1, \dots, M\} ~~ \left\lVert { D_\mathfrak{E}^n\circ \mathrm{Enc}(m_1) - D_\mathfrak{E}^n\circ \mathrm{Enc}(m_2) } \right\rVert_\mathrm{tr} \leq \delta,\tag{6}\] where \(D_\mathfrak{E}^n\circ \mathrm{Enc}\) is defined in an analogous way to (5 ).

The main results of this work state that wiretap codes for certain ccq and cqq channels exist that simultaneously achieve low average error and low distinguishing security level. Achievable secrecy rates are characterized by two information quantities. Information density and mutual information of the classical channel \(W\) associated with an input distribution \(P\) on \(\mathcal{X}\) are defined in the usual way as \[i_{P}({ x^n };{ \hat{x}^n }) := \log \frac{d{W^n(\cdot, x^n)}}{d{\hat{P}}} (\hat{x}^n) ,~~ I(P,W) := \mathbb{E} i_{P}({ X };{ \hat{X} })\] where \(\hat{P}\) is the distribution of the output of \(W\) under the input distribution \(P\), and \(\hat{X}\) is a random variable distributed according to \(\hat{P}\) (or \(\hat{X}\sim\hat{P}\) for short). For \(\rho\in \mathcal{S}({\mathcal{H}})\), we define the von Neumann entropy \[H\left(\rho\right) := - \mathrm{tr}( \rho\log \rho )\] with the convention \(H\left(\rho\right) = \infty\) if \(\rho\log \rho\notin \mathcal{T}({\mathcal{H}})\). For an input distribution \(P\), \(X\sim P\), and a cq channel \(D: \mathcal{X}\rightarrow \mathcal{S}({\mathcal{H}})\), we define \[D_P:= \mathbb{E}D(X)\] to be the density operator of the output of the channel under input distribution \(P\). Note that since \(\left\lVert {D(x)} \right\rVert_\mathrm{tr}=1\) for all \(x\in \mathcal{X}\), the expectation \(\mathbb{E}D(X)\) exists by Lemma 19-[item:bochner-integral-basics-existence]. Moreover, von Neumann entropy \(H\left(\cdot\right)\) is lower semi-continuous with respect to the topology induced by the trace norm \(\left\lVert {\cdot} \right\rVert_\mathrm{tr}\) (cf. [41]). Consequently, the map \(\mathcal{X}\ni x\mapsto H\left(D(x)\right)\) is measurable. Therefore, for a random variable \(X\sim P\), we can define the Holevo information as \[\chi(P;D) := \mathbb{E} \mathrm{tr}\big( D(X) \log D(X) \big) - \mathrm{tr}\big( D_P \log D_P \big) = H\left(D_P\right) - \mathbb{E} H\left(D(X)\right),\] where we adopt the convention that \(\chi(P;D)= \infty\) whenever \(H\left(D_P\right) = \infty\) or if the integral \(\mathbb{E} H\left(D(X)\right)\) does not exist. More information on definition, measurability, and structural properties of \(\chi(P;D)\) can be found in [42].

We have now introduced all necessary terminology to state the main result of this work. For better readability, we state the result for the ccq wiretap channel (Theorem 1) and for the cqq wiretap channel (Theorem 2) separately although the theorems are very similar. The proofs are deferred to Section 5.6.

2.3 Results Valid for Finite Block lengths↩︎

In this subsection, we state versions of Theorem 1 and Theorem 2 that can be evaluated at given, finite block lengths \(n\). While the expressions neither give closed-form expressions for the achievable average error and security level at a given \(n\) nor guarantee nontrivial bounds for these performance metrics at arbitrarily short block lengths, they do make it possible to numerically evaluate tradeoffs between \(n\), average error, and security level for given channels and communication rates. For instance, it is possible to numerically approximate the average error and security level for a given channel and a set communication rate and block length, or conversely, to determine a minimum block length at which a set combination of performance metrics can be achieved. We show examples for this in Section 6.

Before we can state these somewhat more involved versions of our main results, we need to make some more definitions. Given the classical channel \(W\) and input distribution \(P\), we define for \(\alpha\in [0,1) \cup (1,\infty)\) \[I_{\alpha}(P,W) := \frac{1}{1-\alpha} \log \mathbb{E}_{P\hat{P}}\left( \frac{d{W(\cdot, X)}}{d{\hat{P}}}(\hat{X}) \right)^\alpha\] to denote the Rényi divergence between the joint input-output distribution and the product of their marginals. As before, we use \(X,\hat{X}\) to denote the channel input and output, and we use \(\hat{P}\) to denote the marginal output distribution of \(W\) under the input distribution \(P\). It is well-known [44] that this definition can be continuously extended to \(\alpha\in [0,\infty]\) and with this extension, \(I_{1}(P,W)=I(P,W)\).

For every cq channel \(D\) and \(x\in \mathcal{X}\), we fix a spectral decomposition \[D(x) = \sum_{y\in \mathbb{N}} P_{D}( y| x) \left\lvert {e_{y| x}} \right\rangle\left\langle {e_{y| x}} \right\rvert,\] where \(\{e_{y| x}\}_{y\in \mathbb{N}}\) is an orthonormal basis of the output Hilbert space of \(D\) for every \(x\in \mathcal{X}\). Whenever the channel \(D\) is clear from context, we will drop the corresponding subscript. By Lemma 18-[item:spectral-decompositions-measurable-eigenvalues], for every \(\mathcal{Y}\subseteq \mathbb{N}\), the map \(x \mapsto \sum_{y\in \mathcal{Y}} P_{D}(y| x)\) is a pointwise limit of measurable maps and therefore measurable. Moreover, for all \(x\), we have \(\sum_{y\in \mathbb{N}} P_{D}(y| x) = \mathrm{tr}D(x) = 1\). Therefore, the eigenvalues \(P(y| x)\) induce a stochastic kernel from \(\mathcal{X}\) to \(\mathbb{N}\), and together with a probability distribution \(P\) on \(\mathcal{X}\), we obtain a joint probability distribution on \(\mathcal{X}\times \mathbb{N}\). In a slight abuse of notation, we will use the symbol \(P\) to denote this joint probability distribution as well as the marginal on \(\mathbb{N}\) and all corresponding pmfs. Let \((\Omega,\mathcal{F}, \mu)\) be a probability space and \(X: \Omega\rightarrow \mathcal{X}\) be a random variable distributed according to \(P\). We write the density operator of the channel output in terms of its spectral decomposition \[D_P := \mathbb{E}_XD(X) = \sum_{y\in \mathbb{N}} U_{D}(y) \left\lvert {e_y} \right\rangle\left\langle {e_y} \right\rvert.\] Clearly, \(U\) is a pmf on \(\mathbb{N}\) which we identify with the probability measure it induces. We define the entropies \[\begin{align} \tag{7} H_{P_{D}} &:= - \sum_{x\in \mathcal{X}} \sum_{y\in \mathbb{N}} P_{D}(x,y) \log P_{D}(y| x) = - \mathbb{E}_X \sum_{y\in \mathbb{N}} P_{D}(y| X) \log P_{D}(y| X) = - \mathbb{E}_X \mathrm{tr}( D(X) \log D(X) ) = \mathbb{E}_X H\left(D(X)\right) , \\ \tag{8} H_{U_{D}} &:= - \sum_{y\in \mathbb{N}} U_{D}(y) \log U_{D}(y) = - \mathrm{tr}( D_P \log D_P ) = H\left(D_P\right). \end{align}\] If \(\chi(P;D)< \infty\), then \(H_P\) and \(H_U\) are both finite, and we have \[\label{eq:quantum-information} \chi(P;D) = -H_P+ H_U.\tag{9}\]

Furthermore, we define for \(\alpha\in [\alpha_{\min},1) \cup (1,\infty)\) \[\begin{align} \tag{10} H_{P_{D},{\alpha}} &:= \frac{1}{1-\alpha} \log \mathbb{E}_{P_{D}}\left( P_{D}(Y| X)^{\alpha-1} \right) = \frac{1}{1-\alpha} \log \mathbb{E}_{P_{D}} \sum\limits_{y\in \mathbb{N}} P_{D}(y| X)^{\alpha} = \frac{1}{1-\alpha} \log\mathbb{E}_{P_{D}}\mathrm{tr}\left( D(X)^{\alpha} \right) \\ \tag{11} H_{U_{D},{\alpha}} &:= \frac{1}{1-\alpha} \log \mathbb{E}_{U_{D}}\left( U_{D}(Y)^{\alpha-1} \right) = \frac{1}{1-\alpha} \log \sum\limits_{y\in \mathbb{N}} U_{D}(y)^{\alpha} = \frac{1}{1-\alpha} \log\mathrm{tr}\left( D_P^{\alpha} \right). \end{align}\]

We will use properties of \(H_{P_{D},{\alpha}}\) and \(H_{U_{D},{\alpha}}\) which are stated and proved in Lemmas 20 and 21 in Appendix 6.6. Lemma 21 allows us to expand the definitions of \(H_{U_{D},{\alpha}}\) and \(H_{P_{D},{\alpha}}\) to the domain \([\alpha_{\min},\infty)\) and obtain continuous functions in \(\alpha\) with \(H_{U_{D},{1}} = H_{U_{D}}\) and \(H_{P_{D},{1}} = H_{P_{D}}\).

We define the following functions: \[\begin{align} \nonumber \mathcal{W}_\mathrm{class}^{W}(R,n) &:= \inf_{\substack{\varepsilon\in (0,\\ I(P,W)-R)}}\Bigg( \exp\left( - n \sup_{\alpha\in (1,\infty)}\left( (\alpha-1) \left( I(P,W) + \varepsilon - I_{\alpha}(P,W) \right) \right) \right) + \exp\left( - n (I(P,W)+\varepsilon-R) \right) \Bigg) \\ \tag{12} \mathcal{R}_1^D(\varepsilon, n) &:= \exp\left( -n \sup_{\alpha\in (1,\infty)} (\alpha-1)(H_{P_{D},{\alpha}} + \varepsilon- H_{P_{D}}) \right) \\ \tag{13} \mathcal{R}_2^D(\varepsilon, n) &:= \exp\left( -n \sup_{\alpha\in [\alpha_{\min},1)} (1-\alpha)(H_{P_{D}} + \varepsilon- H_{P_{D},{\alpha}}) \right) \\ \tag{14} \mathcal{R}_3^D(\varepsilon, n) &:= \exp\left( - n \sup_{\alpha\in (1,\infty)} (\alpha-1) ( H_{U_{D},{\alpha}} + \varepsilon - H_{U_{D}} ) \right) \\ \tag{15} \mathcal{R}_4^D(\varepsilon, n) &:= \exp\left( - n \sup_{\alpha\in [\alpha_{\min},1)} (1-\alpha) ( H_{U_{D}} + \varepsilon - H_{U_{D},{\alpha}} ) \right) \\ \tag{16} \mathcal{W}_\mathrm{coding}^D(R,n) &:= \inf_{\substack{\varepsilon\in (0,\\(\chi(P;D)-R)/2)}}\Big( 2 \mathcal{R}_1^D(\varepsilon,n) + 2 \mathcal{R}_2^D(\varepsilon,n) + 4 \mathcal{R}_3^D(\varepsilon,n) + 4 \mathcal{R}_4^D(\varepsilon,n) + 4 \exp\big( - n (\chi(P;D)- R- 2\varepsilon) \big) \Big) \\ \tag{17} \mathcal{W}_\mathrm{res}^D(R,n) &:=\inf_{\substack{\varepsilon\in (0,\\(R-\chi(P;D))/4)}}\left( 2\mathcal{R}_1^D(\varepsilon, n) + 2\mathcal{R}_2^D(\varepsilon, n) + 2\mathcal{R}_3^D(\varepsilon, n) + 2\mathcal{R}_4^D(\varepsilon, n) + 6\exp\left( - \frac{1}{2} n (R- \chi(P;D)- 4\varepsilon) \right) \right) \\ \tag{18} \mathcal{W}_\mathrm{cost}^{(c,C)}( \beta, R, n ) &:= \exp\Big( -2\exp(n(R-2\beta))\big(1-\exp(-n(\beta_1-\beta))\big)^2 \Big), \end{align}\] where \((c,C)\) is an additive cost constraint and \[\label{eq:mgf-parameter-choice} \beta_1 := \sup_{\hat{t} \in (0,\infty)} \left( - \log p(\hat{t}) \right),\tag{19}\] with \(p(t) := \mathbb{E}_P\exp(t(c(X)-C))\), the moment generating function of \(c(X)-C\).

With this, we are ready to state finite-block length versions of Theorem 1 and Theorem 2.

Let \((W, D)\) be a \(\gls{ccq}\) wiretap channel, let \(P\) be a probability distribution on the input alphabet \(\mathcal{X}\), and let \(X\sim P\) such that

• there is \(\alpha_{\min} < 1\) with \(D_\mathfrak{E}(x)^{\alpha_{\min}} \in \mathcal{T}({\mathcal{H}})\) for almost all \(x\), \(D_P^{\alpha_{\min}} \in \mathcal{T}({\mathcal{H}})\), and the Bochner integral \(\mathbb{E}D_\mathfrak{E}(X)^{\alpha_{\min}}\) exists;

• there is \(t> 0\) such that \(\mathbb{E}\exp(ti_{P}({X};{\hat{X}})) < \infty\).

Let \((c, C)\) be a cost constraint compatible with \(P\), let \(M, L\in \mathbb{N}\), and let \(R,\tilde{R},\hat{R}\in (0,\infty)\) with the properties \[\begin{align} \tag{20} M&\geq \exp(n\tilde{R}) \\ \tag{21} ML&\leq \exp(n\hat{R}) \\ \tag{22} L&\geq \exp(nR). \end{align}\]

Further assume that \[\begin{align} \tilde{R}&> \chi(P;D) \\ \hat{R}&< I(P,W). \end{align}\]

Let \(\beta_2 \in (0, \min(\beta_1,(R+L)/2)), \beta_3 \in (0,\infty), \beta_4 \in (0, \min(\beta_1,\tilde{R}/2)), \beta_5 \in (0, \tilde{R}/2)\), and \(n\in \mathbb{N}\), where \(\beta_1\) is defined in 19 , be chosen such that \[\begin{gather} \label{eq:wiretap-ccq-prob-one} \mathcal{W}_\mathrm{class}^W(\hat{R},n)\exp(n\beta_3) + \mathcal{W}_\mathrm{cost}^{(c,C)}(\beta_2,R+\tilde{R},n) \\+ \mathcal{W}_\mathrm{cost}^{(c,C)}( \beta_4, \tilde{R}, n ) \exp(n(\hat{R}-\tilde{R})) + \exp\left( -\frac{1}{2}\exp( n (\tilde{R}-2\beta_5) ) + n( \hat{R}-\tilde{R} ) \right) < 1. \end{gather}\tag{23}\]

Then there exists a wiretap code with the following properties:

1. The code has size \(L\).

2. The output of the encoder satisfies the cost constraint \((c,C)\) almost surely.

3. The code has an average error \[\varepsilon = \exp(-n\beta_2) + \exp(-n\beta_3)\] as defined in (3 ).

4. The code has distinguishing security level \[\delta = 2\mathcal{W}_\mathrm{res}^D(\tilde{R},n) + 4\exp(-\beta_4n) + 2\exp(-\beta_5n)\] as defined in (6 ).

Let \((D_\mathfrak{B},D_\mathfrak{E})\) be a cqq wiretap channel, and let \(P\) be a probability distribution on the input alphabet \(\mathcal{X}\) such that for both choices of \(D\in \{D_\mathfrak{E}, D_\mathfrak{B}\}\), there is \(\alpha_{\min} < 1\) with \(D(x)^{\alpha_{\min}} \in \mathcal{T}({\mathcal{H}})\) for almost all \(x\), \(D_P^{\alpha_{\min}} \in \mathcal{T}({\mathcal{H}})\), and the Bochner integral \(\mathbb{E}D(X)^{\alpha_{\min}}\) exists, where \(X\sim P\).

Let \((c, C)\) be a cost constraint compatible with \(P\), let \(M,L\in \mathbb{N}\) and \(R,\tilde{R},\hat{R}\in \mathbb{R}\) satisfying 20 , 21 , and 22 .

Further assume that \[\begin{align} \tilde{R}&> \chi(P;D_\mathfrak{E}) \\ \hat{R}&< \chi(P;W). \end{align}\]

Let \(\beta_2 \in (0, \min(\beta_1,(R+L)/2)), \beta_3 \in (0,\infty), \beta_4 \in (0, \min(\beta_1,\tilde{R}/2)), \beta_5 \in (0,R/2)\), and \(n\in \mathbb{N}\), where \(\beta_1\) is defined in 19 , be chosen such that \[\begin{gather} \label{eq:wiretap-cq-prob-one} \mathcal{W}_\mathrm{coding}^{D_\mathfrak{B}}(\hat{R},n)\exp(n\beta_2) + \mathcal{W}_\mathrm{cost}^{(c,C)}\left(\beta_3,R+\tilde{R},n\right) \\+ \mathcal{W}_\mathrm{cost}^{(c,C)}( \beta_4, \tilde{R}, n ) \exp(n(\hat{R}-\tilde{R})) + \exp\left( -\frac{1}{2}\exp( n (\tilde{R}-2\beta_5) ) + n( \hat{R}-\tilde{R} ) \right) < 1. \end{gather}\tag{24}\]

Then there exists a wiretap code with the following properties:

1. The code has size \(L\).

2. The output of the encoder satisfies the cost constraint \((c,C)\) almost surely.

3. The code has an average error \[\varepsilon = \exp(-n\beta_2) + 2\exp(-n\beta_3)\] as defined in (4 ).

4. The code has distinguishing security level \[\delta = 2\mathcal{W}_\mathrm{res}^{D_\mathfrak{E}}(n) + 4\exp(-\beta_4n) + 2\exp(-\beta_5n)\] as defined in (6 ).

3 Security Notions for Wiretap Channels with Quantum Outputs↩︎

The distinguishing security criterion provided by Theorems 1 and 2 implies security guarantees against eavesdropping attacks that extend beyond an attacker’s ability to reconstruct the entire transmitted message. In this section, we discuss various notions of security and their operational implications.

3.1 Semantic Security↩︎

In this subsection, we give a definition of semantic security that is analogous to the classical archetype in [17]. Formally, semantic security means that a large class of possible objectives (which includes the objective of reconstructing the entire transmitted message, but also many others) cannot be reached by the eavesdropper. To the best of our knowledge, this definition of semantic security has not appeared before in the literature for channels with quantum outputs.

The partition of \(\{1, \dots, M\}\) that corresponds to the reconstruction of the entire message consists of all singleton sets, i.e., \[\Pi= \big\{ \{1\}, \dots, \{M\} \big\}.\]

But also other possible objectives can be defined by a message space partition. For instance, the task of reconstructing the first bit of the transmitted message would be represented by \[\Pi= \big\{ \{ m:~ \textrm{The binary representation of m starts with 0} \}, \{ m:~ \textrm{The binary representation of m starts with 1} \} \big\}.\]

In this section, we assume that the eavesdropper has prior knowledge of the probability distribution \(P_\mathfrak{M}\) from which the transmitted message \(\mathfrak{M}\) is drawn. While this may not be realistic in some practical scenarios, it is certainly possible, for example when the eavesdropper knows that a protocol is executed in which only certain messages can be transmitted at certain time instances. In any case, this is not a restrictive assumption since it represents an additional advantage that the eavesdropper has compared to a case where no such prior knowledge is available.

We assume in this work that, after message \(\mathfrak{M}\) has been transmitted, the eavesdropper can perform any \(\Pi\)-valued povm on the output \(\rho_{\mathfrak{E}}^{n}(\mathfrak{M})\) of the channel \[\label{eq:eve-q-output-state} \rho_{\mathfrak{E}}^{n}:= D_\mathfrak{E}^n\circ \mathrm{Enc}.\tag{25}\] By the Born rule, a \(\Pi\)-valued povm \((F_\pi)_{\pi\in \Pi}\) and \(\rho_{\mathfrak{E}}^{n}(\mathfrak{M})\) induce a probability distribution on \(\Pi\), described by the pmf \[p(\pi) := \mathrm{tr}(F_\pi\rho_{\mathfrak{E}}^{n}(\mathfrak{M})).\] \(p\) describes the probability distribution of the eavesdropper’s conclusion of what the correct partition element \(\pi\) is under a fixed communication scheme, distribution of the message, and reconstruction strategy of the eavesdropper.

We define the eavesdropper’s maximum success probability when a quantum measurement is performed on a quantum state \(\rho_{\mathfrak{E}}^{n}(\mathfrak{M})\) as \[\label{eq:def-eavesdropper-success} \mathrm{Succ}(\Pi, P_\mathfrak{M}, \rho_{\mathfrak{E}}^{n}) := \sup\left\{ \mathbb{E}_\mathfrak{M}\sum_{\pi\in \Pi: \mathfrak{M}\in \pi} \mathrm{tr}(F_\pi\rho_{\mathfrak{E}}^{n}(\mathfrak{M})) :~ (F_\pi)_{\pi\in \Pi} \text{ is a \gls{povm}} \right\}.\tag{26}\] Note that since \(\Pi\) is a partition, the sum consists of only one summand for each fixed realization of \(\mathfrak{M}\).

It is important to emphasize at this point that it is not possible in general to guarantee a low eavesdropper’s success probability. For instance, \(\mathfrak{M}\) could be drawn from a distribution where the binary representation of \(\mathfrak{M}\) almost surely starts with \(0\). What we can control, however, is the advantage that the eavesdropper gains by observing \(\rho_{\mathfrak{E}}^{n}(\mathfrak{M})\) compared to the situation where it cannot observe any channel output. We denote the maximum achievable success probability in solving Problem 1 for partition \(\Pi\) and message distribution \(P_\mathfrak{M}\) without observing any quantum state (i.e., by pure guessing) by \[\mathrm{Guess}(\Pi, P_\mathfrak{M}) := \sup\left\{ \mathbb{P}(\mathfrak{M}\in \pi):~ \pi\text{ is a random variable ranging over \Pi} \right\}.\]

This leads us to the following definition of semantic security.

This is a straightforward quantum analog of the term semantic security which is already an established performance metric both in classical cryptography and information-theoretic secrecy [17].

3.2 Other Security Notions↩︎

There are alternative security definitions that are easier to analyze in proofs than semantic security in the sense of Definition 2. In this section, we introduce several of these alternative established notions of security. We point out that the terminology is not the same everywhere in the literature, neither for classical nor for quantum wiretap channels. Because both distinguishing security as defined in Definition 3-[item:distinguishing-security] and mutual information security as defined in Definition 3-[item:mutual-information-security] below imply semantic security in the sense of Definition 2 above, some papers use these alternative definitions directly for semantic security. In this section, we define these alternative notions and show some implications between them. This is very similar to the treatment of the classical case [17], [35].

In the remainder of this section, we follow the arguments in [35] for the classical case and prove that similar implications also hold in the quantum case between the different security notions of Definitions 2 and 3. For the implication from distinguishing security to mutual information security, we use a slightly more general approach that applies not only to finite-dimensional systems but also to some practically relevant infinite-dimensional systems.

For the bound of \(\mathrm{Adv}_\mathrm{inf}(\rho_{\mathfrak{E}}^{n})\) in terms of \(\mathrm{Adv}_\mathrm{dist}(\rho_{\mathfrak{E}}^{n})\), we introduce some technical terms first. A linear operator \(G\) on \(\mathcal{H}\) is called a Gibbs observable if it satisfies the following properties:

• It is of the form \[\label{eq:gibbs-eigenvalues} G\left\lvert {h} \right\rangle := \sum_{i\in \mathbb{N}} g_i \left\langle {e_i}, {h} \right\rangle\left\lvert {e_i} \right\rangle,\tag{30}\] defined on the dense domain \[\label{eq:gibbs-domain} \mathcal{D}(G):= \left\{ h\in \mathcal{H} : \sum_{i\in \mathbb{N}} \left \lvert g_i \right \rvert^2 \left \lvert \left\langle {e_i}, {h} \right\rangle \right \rvert^2 < \infty \right\},\tag{31}\] where \((g_i)_{i\in \mathbb{N}}\) is an unbounded sequence of nonnegative real numbers that includes \(0\) and \(\left\lvert {e_i} \right\rangle_{i\in \mathbb{N}}\) form an orthonormal basis in \(\mathcal{H}\) (cf. [41] and [47]). Note that \(G\) is an unbounded self-adjoint operator on the domain \(\mathcal{D}(G)\) (which is a simple consequence of [37]).

• For every \(\beta\in (0,\infty)\), it holds that \[\label{eq:gibbs-regularity} \exp(-\beta G) \in \mathcal{T}({\mathcal{H}}),\tag{32}\] with the definition \[\exp(-\beta G) \left\lvert {h} \right\rangle := \sum_{i\in \mathbb{N}} \exp(-\beta g_i) \left\langle {e_i}, {h} \right\rangle \left\lvert {e_i} \right\rangle,\] \(h\in \mathcal{H}\) (cf. [47]). Note that for (32 ) to hold, it is necessary that the spectrum of \(G\) given by the sequence \((g_i)_{i\in \mathbb{N}}\) is unbounded and every eigenvalue has finite multiplicity.

For a Gibbs observable \(G\) and \(\rho\in \mathcal{S}({\mathcal{H}})\), we adopt the convention (cf. [41]) \[\label{eq:gibbs-trace} \mathrm{tr}(\rho G) := \sum_{i\in \mathbb{N}} g_i \left\langle {e_i}, {\rho e_i} \right\rangle \in [0,\infty],\tag{33}\] and we define (see [47]) for \(E\in [0,\infty)\) \[\label{eq:gibbs-max-entropy-function} H_{G}(E) := \sup\left\{ H\left(\rho\right) : \rho\in \mathcal{S}({\mathcal{H}}),~ \mathrm{tr}(\rho G) \leq E \right\} \in [0,\infty).\tag{34}\] In [48], it is proven that this supremum is finite and is in fact realized by a state of maximum entropy.

It is not clear from Lemma 4 how \(\mathrm{Adv}_\mathrm{inf}(\rho_{\mathfrak{E}}^{n})\) behaves for \(n\rightarrow \infty\) since both \(\rho_{\mathfrak{E}}^{n}\) and the Gibbs observable \(\hat{G}\) depend on \(n\). In the following Lemmas 5 and 6, we derive a bound for \(\mathrm{Adv}_\mathrm{inf}(\rho_{\mathfrak{E}}^{n})\) that depends on \(n\) only explicitly and via \(\mathrm{Adv}_\mathrm{dist}(\rho_{\mathfrak{E}}^{n})\). To this end, we need a way to lift a Gibbs observable \(G\) on a Hilbert space \(\mathcal{H}\) to a Gibbs observable \(G^n\) on \(\mathcal{H}^{\otimes n}\), and a relation between \(H_{G}\) and \(H_{G^n}\). Let \((g_i)_{i\in \mathbb{N}}\) be the eigenvalues and \(\left\lvert {e_i} \right\rangle_{i\in \mathbb{N}}\) be the eigenvectors associated with \(G\), i.e., \(G\) can be written as in (30 ) and (31 ). Then \((\left\lvert {e_{i_{1}}} \right\rangle \otimes \dots \otimes \left\lvert {e_{i_{n}}} \right\rangle)_{i_{1}, \ldots ,i_{n} \in \mathbb{N}}\) is an orthonormal basis of \(\mathcal{H}^{\otimes n}\) and the operator \[\label{eq:n-block-gibbs} G^n := G\otimes \mathbf{1}\otimes \dots \otimes \mathbf{1} + \dots + \mathbf{1}\otimes \dots \otimes \mathbf{1}\otimes G\tag{36}\] is well-defined on the set of (finite) linear combinations of \((\left\lvert {e_{i_{1}}} \right\rangle \otimes \dots \otimes \left\lvert {e_{i_{n}}} \right\rangle)_{i_{1}, \ldots ,i_{n} \in \mathbb{N}}\). Moreover, for any \(i_{1}, \ldots ,i_{n} \in \mathbb{N}\), we have \[G^{n} \left\lvert {e_{i_{1}}} \right\rangle \otimes \dots \otimes \left\lvert {e_{i_{n}}} \right\rangle = (g_{i_{1}}+\dots + g_{i_{n}})\left\lvert {e_{i_{1}}} \right\rangle \otimes \dots \otimes \left\lvert {e_{i_{n}}} \right\rangle.\] Then on the dense domain \[\label{eq:n-block-gibbs-domain} \mathcal{D}(G^{n}):= \left\{ h\in \mathcal{H}^{\otimes n} : \sum_{i_1,\ldots , i_{n} \in \mathbb{N}} \left \lvert g_{i_{1}}+\dots + g_{i_{n}} \right \rvert^2 \left \lvert \left\langle { {e_{i_{1}}} \otimes \dots \otimes {e_{i_{n}}} }, {h} \right\rangle \right \rvert^2 < \infty \right\},\tag{37}\] we can write \[\label{eq:n-block-gibbs-alt} G^{n} \left\lvert {h} \right\rangle= \sum_{i_1,\ldots , i_{n} \in \mathbb{N}}(g_{i_{1}}+\dots + g_{i_{n}})\left\langle { {e_{i_{1}}} \otimes \dots \otimes {e_{i_{n}}} }, {h} \right\rangle \left\lvert {e_{i_{1}}} \right\rangle \otimes \dots \otimes \left\lvert {e_{i_{n}}} \right\rangle.\tag{38}\] It is easily shown using [37] that (37 ) and (38 ) define a self-adjoint operator on \(\mathcal{H}^{\otimes n}\). Additionally, for any \(\beta\in (0,\infty)\), we have \[\begin{align} \mathrm{tr}\big(\exp(-\beta G^n)\big) &= \sum_{i_1,\ldots , i_{n} \in \mathbb{N}} \left\langle { e_{i_{1}} \otimes \dots \otimes e_{i_{n}} }, {\exp(-\beta G^{n}) e_{i_{1}} \otimes \dots \otimes e_{i_{n}} } \right\rangle \\ &= \sum_{i_1,\ldots , i_{n} \in \mathbb{N}}\exp(-\beta( g_{i_{1}}+\dots + g_{i_{n}} )) \displaybreak[0] \\ \overset{(a)}&{=} \left( \sum_{i\in \mathbb{N}}\exp(-\beta g_{i})\right)^{n} \\ &< \infty, \end{align}\] where (a) is due to the theorem of Fubini-Tonelli applied to the \(n\)-fold product of the counting measure on \(\mathbb{N}\). Therefore, \[\label{eq:n-block-gibbs-regularity} \exp(-\beta G^{n}) \in \mathcal{T}({\mathcal{H}^{\otimes n}}),\tag{39}\] for all \(\beta\in (0,\infty)\). Consequently, (37 ), (38 ), and (39 ) show that \(G^{n}\) is a Gibbs observable on \(\mathcal{H}^{\otimes n}\).

It is known from [48] that \(\mathrm{Adv}_\mathrm{dist}(\rho_{\mathfrak{E}}^{n}) H_{G}\left( 2E/\mathrm{Adv}_\mathrm{dist}(\rho_{\mathfrak{E}}^{n}) \right)\) tends to \(0\) as \(\mathrm{Adv}_\mathrm{dist}(\rho_{\mathfrak{E}}^{n})\) tends to \(0\), and it is also clear that the binary entropy term vanishes in this case. However, in general, the presence of the extra factor \(n\) in the upper bound of Lemma 6 means that an additional argument is necessary to show that distinguishing security implies mutual information security. We do not have such an argument for the general case, but we show in the following lemma that the implication holds in important special cases. The first of these cases is that the eavesdropper’s output is finite-dimensional. The other cases are infinite dimensional and assume the existence of Gibbs observables for the eavesdropper’s output that are closely related to the Hamiltonian of harmonic oscillator of bounded energy. Therefore, they specialize to bosonic systems with either one or finitely many modes. In this case, the Hilbert space under consideration is \(\mathcal{H}_\mathfrak{E}=L^2(\mathbb{R})\) and the Gibbs observable is given by \[\label{eq:def-number-operator} G:=a^*a,\tag{46}\] defined, for the moment, on the domain \[\mathcal{D}(G)=\mathcal{S}(\mathbb{R})\] where \(a^*\) and \(a\) denote the creation resp. annihilation operators (cf. [41]) defined on \(\mathcal{S}(\mathbb{R})\) and where \(\mathcal{S}(\mathbb{R})\) is the Schwartz space of rapidly decreasing functions which is dense in \(L^2(\mathbb{R})\). It is well known that \(G:=a^* a\) is essentially self-adjoint on \(\mathcal{D}(G)\) (cf. [49] from which the claim follows by a slight modification of the argument). The operator \(G\) is, up to additive scalar multiple of \(\mathbf{1}\), the Hamiltonian of the quantum harmonic oscillator [41]. Moreover, the operator \(G\) has discrete spectrum with spectral decomposition (cf. [49], [41]) \[\label{eq:spec-decomp-number-operator} G=\sum_{i=0}^{\infty} i\left\lvert {e_{i}} \right\rangle\left\langle {e_{i}} \right\rvert,\tag{47}\] where \(\left\lvert {e_{i}} \right\rangle_{i\in \mathbb{N}_{0}}\) is an orthonormal basis of \(\mathcal{H}_\mathfrak{E}=L^2(\mathbb{R})\) consisting of so-called number state vectors. The final domain of the operator \(G\) is then given by \[\bar{\mathcal{D}}(G)=\left\{\left\lvert {h} \right\rangle\in L^2(\mathbb{R}): \sum_{i=0}^{\infty} i^2 \left \lvert \left\langle {e_{i}}, {h} \right\rangle \right \rvert^2<\infty \right\}.\] The operator \(G\) is self-adjoint on \(\bar{\mathcal{D}}(G)\).

For the case of \(s\) modes, we similarly define the operator \[\label{eq:def-s-mode-number-operator} G^{(s)} := \sum_{j=1}^s\mathbf{1}^{\otimes j-1} \otimes \omega_jG_j\otimes \mathbf{1}^{\otimes s- j},\tag{48}\] on \(\mathcal{D}(G^{s}):=\mathcal{S}(\mathbb{R})^{\otimes s} \subseteq (L^2(\mathbb{R}))^{\otimes s}\), where \(\omega_1,\ldots , \omega_s\in (0,\infty)\) denote the frequencies of the modes and the operators \(G_1, \ldots , G_s\) are given in (46 ) with the respective creation and annihilation operators of the modes. Using the spectral decomposition (47 ) for each of the modes, we obtain the spectral decomposition \[G^{(s)} = \sum_{i_1, \dots, i_s=0}^\infty\left( \sum_{j=1}^s \omega_j i_j \right) \left\lvert { e_{1,i_1} \otimes \dots \otimes e_{s,i_s} } \right\rangle\left\langle { e_{1,i_1} \otimes \dots \otimes e_{s,i_s} } \right\rvert,\] where \(( e_{1,i_1} \otimes \dots \otimes e_{s,i_s} )\) is the orthonormal basis of \((L^2(\mathbb{R}))^{\otimes s}\) composed of bases consisting of number state vectors of individual modes (47 ). Defining \[\bar{\mathcal{D}}\left(G^{(s)}\right):= \left\{ \left\lvert {h} \right\rangle\in (L^2(\mathbb{R}))^{\otimes s} : \sum_{i_1, \dots, i_s=0}^\infty \left( \sum_{j=1}^s \omega_j i_j \right)^2 \left \lvert \left\langle { e_{1,i_1} \otimes \dots \otimes e_{s,i_s} }, {h} \right\rangle \right \rvert^2 <\infty \right\},\] we note that the operator \(G^{(s)}\) is self-adjoint on the dense domain \(\bar{\mathcal{D}}(G^{(s)})\) [37].

In order to show that \(G\) and \(G^{(s)}\) are Gibbs observables, it remains to verify that for all \(\beta\in (0,\infty)\), we have \[\exp(-\beta G) \in \mathcal{T}({L^2(\mathbb{R})})\quad \textrm{ and } \quad \exp(-\beta G^{(s)})\in \mathcal{T}({(L^2(\mathbb{R}))^{\otimes s}}),\] which will be proven in the implications 3) and 4) of Lemma 7. An example of a cqq wiretap channel for which \(G\) is a Gibbs observable is given in Section 6.1, and a general account and further examples of energy-constrained quantum channels can be found in [41]. According to the following lemma, superlinear convergence of the distinguishing security level to \(0\) is sufficient to guarantee mutual information security in the finite-dimensional case. In the case that the eavesdropper’s channel has energy constraints described by Gibbs observables of the form (46 ), (48 ), superquadratic convergence is a sufficient condition. Therefore, mutual information security in these cases follows in particular from the exponential bounds on distinguishing security level that we obtain in this work.

Observing the trivial inequalities \[\mathrm{Adv}_\mathrm{weak}(\rho_{\mathfrak{E}}^{n}) \leq \mathrm{Adv}_\mathrm{str}(\rho_{\mathfrak{E}}^{n}) \leq \mathrm{Adv}_\mathrm{inf}(\rho_{\mathfrak{E}}^{n}),\] the preceding lemmas imply the following equivalences and implications for the asymptotic notions about sequences of codes in parallel to the classical case [35] \[\text{semantically secure} \Leftrightarrow \text{distinction secure} \Leftrightarrow \text{mutual information secure} \Rightarrow \text{strongly secure} \Rightarrow \text{weakly secure}.\] It should be noted that Lemma 7 shows \[\text{distinction secure} \Rightarrow \text{mutual information secure}\] only under additional assumptions which capture, however, some practically important cases. But even in the general case, both mutual information secure and distinction secure sequences of codes are also semantically secure according to Definition 2.

4 cq Channel Resolvability and Coding↩︎

Important prerequisites in proving achievability of rates for the wiretap channel will be results of achievability for the channel resolvability problem, depicted in Fig. 2 (a), and the channel coding problem, depicted in Fig. 2 (b).

Here, we just consider a point-to-point cq channel described by a measurable map \(D: \mathcal{X}\rightarrow \mathcal{S}({\mathcal{H}})\) with some separable Hilbert space \(\mathcal{H}\). We focus on two different problems: In channel resolvability, the question will be which transmit strategies (i.e., rules for generating \(X^n\)) the transmitter can employ to approximate the output state \(D_P^{\otimes n}\) by \(D^n(X^n)\) at the receiver. In channel coding, the task is to encode a given message for transmission through the channel in such a way that the receiver can with high probability decode the message. In the proof of Theorems 1 and 2, the security criterion can then be shown by applying the resolvability result to the channel \(D= D_\mathfrak{E}\), and for the case of a quantum output at the legitimate receiver, the average decoding error criterion can be shown by applying the channel coding result to the channel \(D= D_\mathfrak{B}\) (for the case of classical output at \(\mathfrak{B}\), we cite a classical channel coding result which is used instead).

In the solution to both of these problems, we use the same standard random codebook construction: The random codebook \(\mathcal{C}\) of block length \(n\) and size \(M\) is of the form \(\mathcal{C}:= (\mathcal{C}(m))_{m=1}^M\) where the codewords \(\mathcal{C}(m)\) are vectors with entries from \(\mathcal{X}\) and length \(n\) where all entries across all codewords are i.i.d. and follow the distribution \(P\).

Both theorems stated in this section use the technical assumption that there is some \(\alpha_{\min} \in (0,1)\) such that: \[\label{eq:technical-assumptions} \begin{align} &D_P^{\alpha_{\min}} \in \mathcal{T}({\mathcal{H}}), \\ &\text{for P-almost all } x:~ D(x)^{\alpha_{\min}} \in \mathcal{T}({\mathcal{H}}), \\ &\text{the Bochner integral } \mathbb{E}(D(X)^{\alpha_{\min}}) \in \mathcal{T}({\mathcal{H}}) \text{ exists}. \end{align}\tag{50}\] It is an immediate consequence of Lemmas 20 and 21 that \(\chi(P;D) < \infty\) whenever (50 ) holds, and we will implicitly use this fact in the following.

For channel resolvability, each fixed realization of \(\mathcal{C}\) defines an induced channel output density \[\label{eq:codebook-channel-output-definition} D_\mathcal{C} := \frac{1}{M} \sum\limits_{m=1}^M D^n(\mathcal{C}(m))\tag{51}\] which results if the transmitter chooses a codeword for transmission through the channel uniformly at random. With these definitions, we now have the necessary terminology to state our resolvability and coding results. The proofs are deferred to Sections 5.2 and 5.3, and in Sections 5.4 and  5.5, we analyze the concentration behavior of the errors and extend both results to the case of cost-constrained channel inputs.

For channel coding, given a fixed codebook \(\mathcal{C}\), the transmitter chooses the codeword \(\mathcal{C}(\mathfrak{M})\) to encode a message \(\mathfrak{M}\).

5 Proofs↩︎

In this section, we prove the theorems which are stated in the preceding sections. In Section 5.1, we introduce notions of typicality and state two lemmas around typicality that will be needed both for the resolvability and coding results. We then proceed to proving Theorem 3 on resolvability in Section 5.2 and Theorem 4 on coding in Section 5.3. In Section 5.4, we show that the error terms are very tightly concentrated around their expectations. Extensions that incorporate an additive input cost constraint can be found in Section 5.5. Finally, everything is put together in Section 5.6 where Theorems [theorem:wiretap-ccq-all-blocklengths], 1, [theorem:wiretap-cq-all-blocklengths], and 2 on coding for the wiretap channel are proved. The proofs of technical lemmas are relegated to Appendix 6.5.

5.1 Prerequisites on Typicality↩︎

In this section, we introduce typicality notions and related technical lemmas that are used in the proofs of Theorems 3 and 4.

For \(n\)-fold uses of the channel \(D\), we note that via the definitions \[\begin{align} e_{y^n| x^n} &:= \bigotimes\limits_{i=1}^n e_{y_i| x_i} \\ e_{y^n} &:= \bigotimes\limits_{i=1}^n e_{y_i} \\ P(x^n) &:= \prod\limits_{i=1}^n P(x_i) \\ P(y^n| x^n) &:= \prod\limits_{i=1}^n P(y_i| x_i) \\ U(y^n) &:= \prod\limits_{i=1}^n U(y_i), \end{align}\] we identify \(P\) and \(U\) with corresponding distributions on \(\mathcal{X}^n\times \mathbb{N}^n\) (and the resulting marginals) and \(\mathbb{N}^n\), and we have \[\begin{align} D^n(x^n) &= \sum_{y^n\in \mathbb{N}^n} P(y^n| x^n) \left\lvert {e_{y^n| x^n}} \right\rangle\left\langle {e_{y^n| x^n}} \right\rvert, \\ D_P^{\otimes n} &= \sum_{y^n\in \mathbb{N}^n} U(y^n) \left\lvert {e_{y^n}} \right\rangle\left\langle {e_{y^n}} \right\rvert. \end{align}\]

For any \(\varepsilon\in (0, \infty)\), we define \[\begin{align} \mathcal{P}_{\varepsilon,n} &:= \left\{ ( x^n, y^n ) \in \mathcal{X}^n \times \mathbb{N}^n :~ n(H_P- \varepsilon) < -\log P( y^n ~|~ x^n ) < n(H_P+ \varepsilon) \right\} \\ \mathcal{U}_{\varepsilon,n} &:= \left\{ y^n \in \mathbb{N}^n :~ n(H_U- \varepsilon) < -\log U( y^n ) < n(H_U+ \varepsilon) \right\} \end{align}\] and, based on these definitions, \[\begin{align} \label{eq:spectral-decomposition-joint-typicality-operator} \Psi_{\varepsilon,n} (x^n) &:= \sum\limits_{y^n\in \mathbb{N}^n} \mathbb{1}_{\mathcal{P}_{\varepsilon,n}} ( x^n, y^n ) \left\lvert {e_{ y^n | x^n }} \right\rangle\left\langle {e_{ y^n | x^n }} \right\rvert \displaybreak[0] \\ \nonumber \Theta_{\varepsilon,n} &:= \sum\limits_{y^n\in \mathbb{N}^n} \mathbb{1}_{\mathcal{U}_{\varepsilon,n}} (y^n) \left\lvert {e_{y^n}} \right\rangle\left\langle {e_{y^n}} \right\rvert. \end{align}\tag{52}\] While \(\Theta_{\varepsilon,n}\) is a fixed operator, \(\Psi_{\varepsilon,n}\) is an operator-valued function and its measurability is not immediately clear from the definition. Therefore, we note that it can also be written as \[\Psi_{\varepsilon,n} (x^n) = \mathbb{1}_{( \exp(-n(H_P+ \varepsilon)), \exp(-n(H_P- \varepsilon)) )} \big( D^n(x^n) \big)\] and is therefore a measurable map \(\mathcal{X}^n\rightarrow \mathcal{T}({\mathcal{H}^{\otimes n}})\) by Lemma 18-[item:spectral-decompositions-measurable-indicators]. We also note the following basic properties of these projections which are straightforward to verify from their definitions: \[\label{eq:typicality-operators-basic-properties} \Theta_{\varepsilon,n}^2 = \Theta_{\varepsilon,n} , ~~ \Psi_{\varepsilon,n} (x^n)^2 = \Psi_{\varepsilon,n} (x^n) , ~~ D^n(x^n) \Psi_{\varepsilon,n} (x^n) = \Psi_{\varepsilon,n} (x^n) D^n(x^n).\tag{53}\]

Finally, define \[\begin{align} \tag{54} \Gamma_{\varepsilon,n}:~ \mathcal{X}^n\rightarrow \mathcal{T}({\mathcal{H}^{\otimes n}}),~ x^n &\mapsto \Theta_{\varepsilon,n} \Psi_{\varepsilon,n} (x^n) \\ \tag{55} \Phi_{\varepsilon,n}:~ \mathcal{X}^n\rightarrow \mathcal{T}({\mathcal{H}^{\otimes n}}),~ x^n &\mapsto \Theta_{\varepsilon,n} \Psi_{\varepsilon,n}(x^n) \Theta_{\varepsilon,n}. \end{align}\] which clearly are also measurable.

These notions of typicality will allow us to split the error terms that appear in the proofs of Theorems 3 and 4 into a typical and an atypical part. These terms can be bounded separately with the help of the next two lemmas. These are fairly well-known facts in quantum information theory. For this reason, we omit the proofs here, but include them in Appendix 6.5 for sake of self-containedness of the paper.

5.2 Proof of Theorem 3 for cq Channel Resolvability↩︎

We start with a preliminary lemma which is used in the proof of Theorem 3 and encapsulates a symmetrization argument similar to the one used in [50].

5.3 Proof of Theorem 4 for cq Channel Coding↩︎

In this section, we follow the methodology in [52], making adaptations as needed to derive the exponential error bound as stated in Theorem 4. An essential ingredient will be the following lemma from [52]. In the statement of the lemma, we need the notion of Moore-Penrose pseudoinverse which assigns to any \(A\in\mathcal{B}({\mathcal{H}})\) an (unbounded) operator \(A^{-1}\) acting on \(\mathcal{H}\) [53]. Moreover, for \(A\in\mathcal{B}({\mathcal{H}})\), we use the notation \(\mathrm{im}(A):=\{h\in \mathcal{H}: \exists \tilde{h} \in \mathcal{H}\textrm{ such that }h= A\tilde{h} \}\). The following lemma is a well-established fact in quantum information theory, but some care needs to be taken in the infinite-dimensional case to ensure the Moore-Penrose pseudoinverse which appears is well-behaved. Therefore, we include a proof of this part of the lemma in Appendix 6.5.

For the proof of Theorem 4, we use the definitions from Section 5.1. For decoding, we choose the povm \((Y_m)_{m=1}^M\) defined as \[Y_m := \sqrt{ \sum_{\hat{m}=1}^M \Phi_{\varepsilon,n} (\mathcal{C}(\hat{m})) }^{-1} \Phi_{\varepsilon,n} (\mathcal{C}(m)) \sqrt{ \sum_{\hat{m}=1}^M \Phi_{\varepsilon,n} (\mathcal{C}(\hat{m})) }^{-1},\] where we use \(\Phi_{\varepsilon,n}\) defined in (55 ). We note that \[\dim \mathrm{im}\left(\sum_{\hat{m}=1}^M \Phi_{\varepsilon,n} (\mathcal{C}(\hat{m}))\right)< \infty,\] by Lemma 8-[item:q-resolvability-typical-terms-output-trace] which implies that \[\mathrm{im}\left(\sum_{\hat{m}=1}^M \Phi_{\varepsilon,n} (\mathcal{C}(\hat{m}))\right)\] is closed. Consequently, by the first statement of Lemma 11 we have \[\sqrt{ \sum_{\hat{m}=1}^M \Phi_{\varepsilon,n} (\mathcal{C}(\hat{m})) }^{-1} \in \mathcal{B}({\mathcal{H}}).\]

The first part of the statement of Theorem 4, namely that the \(Y_m\) are measurable functions of \(\mathcal{C}\), is proven in the next two lemmas. This measurability is also essential for the proof of the remainder of Theorem 4.

5.4 Concentration of Error↩︎

Theorems 3 and 4 are formulated in terms of expectation, but both the decoding error and the trace distance from the ideal output distribution are concentrated around their mean, as can be seen in the following corollaries.

The proof of Corollary 1 is essentially an application of the bounded differences inequality [55]. For the reader’s convenience, we reproduce the result here in the form that we will be using.

Condition (63 ) is called the bounded differences property which gives Theorem 5 its name.

5.5 Cost constraint↩︎

In this section, we extend Corollaries 1 and 2 to a cost-constrained version \(\mathcal{C}_{c,C}\) of the codebook \(\mathcal{C}\), where \((c,C)\) is an additive cost constraint compatible with the input distribution \(P\) chosen for the generation of \(\mathcal{C}\).

As long as there exists at least one \(x^n\in \mathcal{X}^n\) which satisfies the cost constraint (which is always the case if there is an input distribution compatible with the cost constraint), we can (given any codebook \(\mathcal{C}\)) define the cost-constrained codebook \(\mathcal{C}_{c,C}\) via \[\mathcal{C}_{c,C}(m) = \begin{cases} \mathcal{C}(m), &\mathcal{C}(m) \text{ satisfies the cost constraint } (c,C), \\ x^n, &\text{otherwise.} \end{cases}\]

We define a set of bad codeword indices \[\mathbb{B} := \left\{ m\in \{1, \dots, M\} :~~ \mathcal{C}(m) \neq \mathcal{C}_{c,C}(m) \right\}.\]

It is possible with methods similar to the ones used in [57] to bound the probability that the codebook contains a large number of bad code words as in the following lemma. For completeness, we give a full proof in Appendix 6.5.

5.6 Proof of the Main Theorems for Wiretap Coding↩︎

We now have everything needed to prove the main results of this paper.

6 Specialization to the Gaussian cq Wiretap Channel↩︎

In this section, we demonstrate the finite block length nature of our results on the example of the Gaussian cqq wiretap channel. We only give a sketch of the additional steps necessary to evaluate the bounds for this channel in the rest of this section, but the full annotated Python source code that reproduces the plots in Figures 4, 5 and 6 is available as an electronic supplement with this paper.

6.1 The Gaussian cq Channel↩︎

In the following, we introduce the Gaussian cq channel along with some properties that we need in this section. For more details, we refer the reader to [41].

Let \(\mathcal{H}:= L^2(\mathbb{R})\) be the complex Hilbert space of equivalence classes of complex-valued, square integrable functions on \(\mathbb{R}\). For \(k=0,1,\dots\), let \(\left\lvert {k} \right\rangle\) be the number state vector defined in [41]. Here, it will only be important that \(\left\lvert {0} \right\rangle, \left\lvert {1} \right\rangle, \dots\) form an orthonormal basis of \(\mathcal{H}\). For every \(\zeta\in \mathbb{C}\), we define a coherent state vector (see [41]) \[\label{eq:coherent-state-vector} \left\lvert {\zeta} \right\rangle := \exp\left( -\frac{\left \lvert \zeta \right \rvert^2}{2} \right) \sum_{k=0}^\infty \frac{\zeta^k}{\sqrt{k!}} \left\lvert {k} \right\rangle.\tag{69}\] The Gaussian cq channel is then defined (cf. [41]) as \[D^{(\eta,N)}:~ \mathbb{C}\rightarrow \mathcal{S}({\mathcal{H}}) ,~~ x \mapsto \frac{1}{\pi N} \int_\mathbb{C} \left\lvert {\zeta} \right\rangle\left\langle {\zeta} \right\rvert \exp\left( -\frac{\left \lvert \zeta-\sqrt{\eta}x \right \rvert^2}{N} \right) d\zeta.\] It is parametrized by the noise power \(N>0\), and the transmittivity \(\eta\in [0,1]\). With \(\eta=1\), this is the same definition as in  [41]. In the following, we summarize some properties of this channel that we need in this section. They are derived in [41] for the case \(\eta=1\), but they carry over because \(D^{(\eta,N)}(x) = D^{(1,N)}(\sqrt{\eta}x)\). For every \(x\in \mathbb{C}\), there is [41] a unitary displacement operator \(U_{x}\) such that \[D^{(1,N)}(x) = U_{x} D^{(1,N)}(0) U_{x}^*,\] and hence \[\label{eq:gaussian-cq-unitary} D^{(\eta,N)}(x) = D^{(1,N)}(\sqrt{\eta}x) = U_{\sqrt{\eta}x} D^{(1,N)}(0) U_{\sqrt{\eta}x}^* = U_{\sqrt{\eta}x} D^{(\eta,N)}(0) U_{\sqrt{\eta}x}^*.\tag{70}\] \(D^{(\eta,N)}(0)=D^{(1,N)}(0)\) can be written as [41] \[\label{eq:gaussian-cq-zero-decomposition} D^{(\eta,N)}(0) = \frac{1}{N+1} \sum_{k=0}^\infty \left( \frac{N}{N+1} \right)^k \left\lvert {k} \right\rangle\left\langle {k} \right\rvert.\tag{71}\] This state has the von Neumann entropy [41] \[\label{eq:gaussian-cq-entropy} H\left(D^{(\eta,N)}(0)\right) = g(N),\tag{72}\] where \[\label{eq:gordon} g:~ [0,\infty) \rightarrow [0,\infty),~~ t\mapsto \begin{cases} (t+1) \log(t+1) - t\log t, &t> 0, \\ 0, &t=0 \end{cases}\tag{73}\] is called the Gordon function.

A consequence of (70 ) and (71 ) is that for every \(f: \mathbb{R}\rightarrow \mathbb{R}\) and every \(x\in \mathbb{C}\), we have \[\begin{align} \nonumber \mathrm{tr} f\big( D^{(\eta,N)}(x) \big) \overset{(\ref{eq:gaussian-cq-unitary})}&{=} \mathrm{tr} f\big( U_{\sqrt{\eta}x} D^{(\eta,N)}(0) U_{\sqrt{\eta}x}^* \big) \\ \nonumber \overset{(\ref{eq:gaussian-cq-zero-decomposition})}&{=} \mathrm{tr} f\left( \frac{1}{N+1} \sum_{k=0}^\infty \left( \frac{N}{N+1} \right)^k U_{\sqrt{\eta}x} \left\lvert {k} \right\rangle\left\langle {k} \right\rvert U_{\sqrt{\eta}x}^* \right) \\ \nonumber \overset{(a)}&{=} \mathrm{tr} f\left( \frac{1}{N+1} \sum_{k=0}^\infty \left( \frac{N}{N+1} \right)^k \left\lvert {k} \right\rangle\left\langle {k} \right\rvert \right) \\ \label{eq:gaussian-cq-trace-function} \overset{(\ref{eq:gaussian-cq-zero-decomposition})}&{=} \mathrm{tr}f(D^{(\eta,N)}(0)), \end{align}\tag{74}\] where step (a) is due to the fact that both \(\left\lvert {0} \right\rangle, \left\lvert {1} \right\rangle, \dots\) and \(U_{\sqrt{\eta}x}\left\lvert {0} \right\rangle, U_{\sqrt{\eta}x}\left\lvert {1} \right\rangle, \dots\) are orthonormal bases of \(\mathcal{H}\).

As the input distribution \(P\), we choose a complex Gaussian distribution where real and imaginary part are independent with mean \(0\) and variance \(E/2\), and \(E\) is the average energy per channel use. In order to relate this to the case \(\eta=1\), we also define an auxiliary input distribution \(P_\eta\) which is complex Gaussian with mean \(0\) and variance \(\eta E/2\) per complex component. With this choice, we have [41] \[\label{eq:gaussian-cq-average} D^{(\eta,N)}_P = D^{(1,N)}_{P_\eta} = \frac{1}{N+\eta E+1} \sum_{k=1}^\infty \left( \frac{N+\eta E}{N+\eta E+1} \right)^k \left\lvert {k} \right\rangle\left\langle {k} \right\rvert.\tag{75}\]

In this section, we consider a cqq wiretap channel where \(D_\mathfrak{B}= D^{(\eta_\mathfrak{B}, N_\mathfrak{B})}\) and \(D_\mathfrak{E}= D^{(\eta_\mathfrak{E},N_\mathfrak{E})}\).

6.2 Physical Channel Model↩︎

In the following, we describe a commonly employed channel model of physical systems [25], [59] that is a special case of the Gaussian cqq wiretap channel \((D_\mathfrak{B},D_\mathfrak{E})\) introduced in Section 6.1. It uses a quantum channel \(\mathcal{V}_\eta\) called a beam splitter [60] with a parameter \(\eta\in [0,1]\) called transmittivity. Denoting by \(a^{\ast},b^\ast\) and \(a,b\) the creation, respectively annihilation operators on two copies \(\mathcal{H}_\mathfrak{A},\mathcal{H}'_\mathfrak{A}\) of the Hilbert space \(\mathcal{H}=L^2(\mathbb{R})\), \(\mathcal{V}_{\eta}: \mathcal{S}({\mathcal{H}_{\mathfrak{A}}\otimes \mathcal{H}'_{\mathfrak{A}}}) \to \mathcal{S}({\mathcal{H}_{\mathfrak{A}}\otimes \mathcal{H}'_{\mathfrak{A}}})\) is defined as \[\mathcal{V}_{\eta} (\rho) := B_{\theta} \rho B_{\theta}^*,\] where \(\theta\in[0,\pi/2]\) is such that \(\eta=\cos^2(\theta)\) and the unitary \(B_{\theta}: \mathcal{H}_{\mathfrak{A}}\otimes \mathcal{H}'_{\mathfrak{A}} \to\mathcal{H}_{\mathfrak{A}}\otimes \mathcal{H}'_{\mathfrak{A}}\) is given by [60] \[B_\theta= \exp\{\theta(a^\ast \otimes b-a\otimes b^\ast)\}.\] For every \(x,x'\in\mathbb{C}\) and corresponding coherent state vectors \(\left\lvert {x} \right\rangle\in\mathcal{H}_{\mathfrak{A}}\) and \(\left\lvert {x'} \right\rangle\in \mathcal{H}'_{\mathfrak{A}}\), we have [60] \[\label{eq:beam-splitter-key-property} \mathcal{V}_\eta\left( \left\lvert {x} \right\rangle\left\langle {x} \right\rvert \otimes \left\lvert {x'} \right\rangle\left\langle {x'} \right\rvert \right) = \left\lvert {\sqrt{\eta}x+\sqrt{\eta'}x'} \right\rangle\left\langle {\sqrt{\eta}x+\sqrt{\eta'}x'} \right\rvert \otimes \left\lvert {\sqrt{\eta'}x-\sqrt{\eta}x'} \right\rangle\left\langle {\sqrt{\eta'}x-\sqrt{\eta}x'} \right\rvert,\tag{76}\] where \(\eta':=1-\eta\). Moreover, we use an additive thermal noise channel \(\mathcal{N}_N(\rho)\) which is described [59] by \[\mathcal{N}_N(\rho) = \frac{1}{\pi N} \int_\mathbb{C} U_{\zeta} \rho U_{\zeta}^* \exp\left( - \frac{\left \lvert \zeta \right \rvert^2}{N} \right) d\zeta,\] where \(U_{\zeta}\) are displacement operators and \(\zeta\in\mathbb{C}\). For every coherent state \(\left\lvert {\zeta} \right\rangle\left\langle {\zeta} \right\rvert\) and \(N\in (0,\infty)\), it holds that \[\label{eq:additive-noise-channel-key-property} \mathcal{N}_{N}\left( \left\lvert {\zeta} \right\rangle\left\langle {\zeta} \right\rvert \right) = D^{(1,N)} (\zeta).\tag{77}\]

A bosonic wiretap model [25], [59] can be based on the assumption that every photon which is lost from the original signal can be detected by the eavesdropper. This is an extremely pessimistic model, not taking into account the photons which are detected neither by the legitimate receiver nor the eavesdropper due to channel loss. In contrast, we evaluate a channel model, depicted in Fig. 3, in which both the legitimate receiver and the eavesdropper are subject to channel loss. To this end, we consider Hilbert spaces \(\mathcal{H}_{\mathfrak{A},1}\), \(\mathcal{H}'_{\mathfrak{A},1}\), \(\mathcal{H}_{\mathfrak{A},2}\), \(\mathcal{H}'_{\mathfrak{A}, 2}\), \(\mathcal{H}_\mathfrak{B}\), \(\mathcal{H}_\mathfrak{E}\), and \(\mathcal{H}_{\mathrm{env}}\) all of which are copies of \(\mathcal{H}=L^2(\mathbb{R})\). Moreover, we choose transmittivity parameters \(\eta_1, \eta_2 \in [0,1]\).

In this model, the transmitter’s channel alphabet is given as \(\mathcal{X}:= \mathbb{C}\). The transmission symbol \(x\in \mathbb{C}\) is transformed into a coherent state \(\left\lvert {x} \right\rangle\left\langle {x} \right\rvert\) with \(\left\lvert {x} \right\rangle\in \mathcal{H}_{\mathfrak{A},1}\) defined in (69 ). This state \(\left\lvert {x} \right\rangle\left\langle {x} \right\rvert\) is passed to the first input of the beam splitter \(\mathcal{V}_{\eta_1}: \mathcal{S}({\mathcal{H}_{\mathfrak{A},1}\otimes \mathcal{H}'_{\mathfrak{A},1} }) \to \mathcal{S}({\mathcal{H}_{\mathfrak{A},1}\otimes \mathcal{H}_{\mathfrak{A},2}})\), where the second input of the beam splitter receives the vacuum state \(\left\lvert {0} \right\rangle\left\langle {0} \right\rvert\in \mathcal{S}({\mathcal{H}'_{\mathfrak{A},1}})\). The first output is passed through \(\mathcal{N}_{N_\mathfrak{B}}:\mathcal{S}({\mathcal{H}_{\mathfrak{A},1}})\to \mathcal{S}({\mathcal{H}_\mathfrak{B}})\) to model the thermal noise at the legitimate receiver. The second output is passed through another beam splitter \(\mathcal{V}_{\eta_2}: \mathcal{S}({\mathcal{H}_{\mathfrak{A},2}\otimes \mathcal{H}'_{\mathfrak{A},2} }) \to \mathcal{S}({\mathcal{H}_{\mathfrak{A},2}\otimes \mathcal{H}_{\mathrm{env}}})\), again with the vacuum state \(\left\lvert {0} \right\rangle\left\langle {0} \right\rvert\in \mathcal{S}({\mathcal{H}'_{\mathfrak{A},2}})\) at the second input. The eavesdropper receives a version of the first output of the beam splitter \(\mathcal{V}_{\eta_2}\) which is passed through \(\mathcal{N}_{N_\mathfrak{E}}: \mathcal{S}({ \mathcal{H}_{\mathfrak{A},2} })\to \mathcal{S}({\mathcal{H}_\mathfrak{E}})\) to model the eavesdropper’s thermal receiver noise. The remaining beam splitter output is considered an environment state which is received neither at the legitimate receiver nor at the eavesdropper. The joint quantum state at the legitimate receiver’s channel output, the eavesdropper’s channel output, and the environment channel output can thus be written as \[\begin{align} &\hphantom{{}={}} \left( \mathcal{N}_{N_\mathfrak{B}} \otimes \mathcal{N}_{N_\mathfrak{E}} \otimes \textrm{id}_{\mathcal{B}({\mathcal{H}'_{\mathfrak{A},2}})}\right) \circ \left(\textrm{id}_{\mathcal{B}({\mathcal{H}_{\mathfrak{A},1}})} \otimes \mathcal{V}_{\eta_2}\right) \Big( \mathcal{V}_{\eta_1}\big( \left\lvert {x} \right\rangle\left\langle {x} \right\rvert \otimes \left\lvert {0} \right\rangle\left\langle {0} \right\rvert \big) \otimes \left\lvert {0} \right\rangle\left\langle {0} \right\rvert \Big) \\ \overset{(\ref{eq:beam-splitter-key-property})}&{=} \left(\mathcal{N}_{N_\mathfrak{B}} \otimes \mathcal{N}_{N_\mathfrak{E}} \otimes \textrm{id}_{\mathcal{B}({\mathcal{H}'_{\mathfrak{A},2}})}\right) \circ \left(\textrm{id}_{\mathcal{B}({\mathcal{H}_{\mathfrak{A},1}})} \otimes \mathcal{V}_{\eta_2}\right) \Big( \left\lvert {\sqrt{\eta_1}x} \right\rangle\left\langle {\sqrt{\eta_1}x} \right\rvert \otimes \left\lvert {\sqrt{\eta'_1}x} \right\rangle\left\langle {\sqrt{\eta'_1}x} \right\rvert \otimes \left\lvert {0} \right\rangle\left\langle {0} \right\rvert \Big) \\ \overset{(\ref{eq:beam-splitter-key-property})}&{=} \left( \mathcal{N}_{N_\mathfrak{B}} \otimes \mathcal{N}_{N_\mathfrak{E}} \otimes \textrm{id}_{\mathcal{B}({\mathcal{H}'_{\mathfrak{A},2}})} \right) \Big( \left\lvert {\sqrt{\eta_1}x} \right\rangle\left\langle {\sqrt{\eta_1}x} \right\rvert \otimes \left\lvert {\sqrt{\eta_2\eta'_1}x} \right\rangle\left\langle {\sqrt{\eta_2\eta'_1}x} \right\rvert \otimes \left\lvert {\sqrt{\eta'_2\eta'_1}x} \right\rangle\left\langle {\sqrt{\eta'_2\eta'_1}x} \right\rvert \Big) \\ \overset{(\ref{eq:additive-noise-channel-key-property})}&{=} D^{(1,N_\mathfrak{B})} \left(\sqrt{\eta_1}x\right) \otimes D^{(1,N_\mathfrak{E})} \left(\sqrt{\eta_2\eta'_1}x\right) \otimes \left\lvert {\sqrt{\eta'_2\eta'_1}x} \right\rangle\left\langle {\sqrt{\eta'_2\eta'_1}x} \right\rvert \\ &= D^{(\eta_1,N_\mathfrak{B})} \left(x\right) \otimes D^{(\eta_2\eta'_1,N_\mathfrak{E})} \left(x\right) \otimes \left\lvert {\sqrt{\eta'_2\eta'_1}x} \right\rangle\left\langle {\sqrt{\eta'_2\eta'_1}x} \right\rvert, \end{align}\] where we have used \(\eta'_1 := 1-\eta_1\), \(\eta'_2 := 1-\eta_2\), and the identity maps \(\textrm{id}_{\mathcal{B}({\mathcal{H}_{\mathfrak{A},1}})}\) and \(\textrm{id}_{\mathcal{B}({\mathcal{H}'_{\mathfrak{A},2}})}\) on the spaces \(\mathcal{B}({\mathcal{H}_{\mathfrak{A},1}})\) and \(\mathcal{B}({\mathcal{H}'_{\mathfrak{A},2}})\).

Therefore, this system is a special case of the cqq wiretap channel \(D_\mathfrak{B}= D^{(\eta_\mathfrak{B}, N_\mathfrak{B})}\) and \(D_\mathfrak{E}= D^{(\eta_\mathfrak{E},N_\mathfrak{E})}\) described in Section 6.1 where \(\eta_\mathfrak{B}:= \eta_1\) and \(\eta_\mathfrak{E}:= \eta_2(1 - \eta_1)\).

6.3 Numerical Evaluation of the Error Bounds in Theorems 3 and 4↩︎

In this subsection, we fix a channel \(D^{(\eta,N)}\) and show how to compute the quantities \(H_P,H_U,H_{P,{\alpha}},H_{U,{\alpha}}\) and evaluate 12 to 18 for such a channel under a Gaussian input distribution with energy \(E\) as defined in Section 6.1.

The properties collected in Section 6.1 allow us to calculate the quantities defined in (7 ) and (8 ) as \[\begin{align} \tag{78} H_P \overset{(\ref{eq:joint-entropy})}&{=} -\mathbb{E}_X \mathrm{tr}\left( D^{(\eta,N)}(X) \log D^{(\eta,N)}(X) \right) \overset{(\ref{eq:gaussian-cq-trace-function})}{=} - \mathrm{tr}( D^{(\eta,N)}(0) \log D^{(\eta,N)}(0) ) \overset{(\ref{eq:gaussian-cq-entropy})}{=} g(N) \\ \tag{79} H_U \overset{(\ref{eq:output-entropy})}&{=} H\left(D^{(\eta,N)}_P\right) \overset{(\ref{eq:gaussian-cq-entropy}),(\ref{eq:gaussian-cq-average})}{=} g(N+\eta E). \end{align}\]

Next, we use the convergence behavior of the geometric series to argue that for \(\alpha\in (0,\infty)\), \[\label{eq:gaussian-cq-power} \mathrm{tr}\left(D^{(\eta,N)}(0)^\alpha\right) = \frac{1}{(N+1)^\alpha} \sum_{k=0}^\infty \left( \frac{N}{N+1} \right)^{\alpha k} = \frac{1}{(N+1)^\alpha(1-N^\alpha/(N+1)^\alpha)} = \frac{1}{(N+1)^\alpha-N^\alpha}\tag{80}\]

With this, we can calculate the quantities defined in (10 ) and (11 ) as \[\begin{align} H_{P,{\alpha}} \overset{(\ref{eq:conditional-renyi-entropy})}&{=} \frac{1}{1-\alpha} \log\mathbb{E}_X\left( \mathrm{tr}\left(D^{(\eta,N)}(X)^\alpha\right) \right) \overset{(\ref{eq:gaussian-cq-trace-function})}{=} \frac{1}{1-\alpha} \log \mathrm{tr}\left(D^{(\eta,N)}(0)^\alpha\right) \overset{(\ref{eq:gaussian-cq-power})}{=} \frac{1}{\alpha-1} \log( (N+1)^\alpha-N^\alpha ) = g_\alpha(N) \\ H_{U,{\alpha}} \overset{(\ref{eq:renyi-entropy})}&{=} \frac{1}{1-\alpha} \log \mathrm{tr}\left(\left(D^{(\eta,N)}_P\right)^\alpha\right) \overset{(\ref{eq:gaussian-cq-average}),(\ref{eq:gaussian-cq-power})}{=} g_\alpha(N+\eta E), \end{align}\] where we use a modified version of the Gordon function \[\label{eq:gordon-renyi} g_\alpha:~ [0,\infty) \rightarrow [0,\infty) ,~~ t \mapsto \frac{\log((t+1)^\alpha-t^\alpha)}{\alpha-1}.\tag{81}\] From the considerations in Section 5.1, we know that with the convention \(g_1 := g\), the map \((0,\infty) \rightarrow (0,\infty), \alpha\mapsto g_\alpha(t)\) is continuous. We can also calculate the derivative \[\label{eq:gordon-renyi-derivative} g_\alpha'(t) := \frac{\partial}{\partial\alpha} g_\alpha(t) = \frac{ \frac{ (t+1)^\alpha\log(t+1) - t^\alpha\log t }{ (t+1)^\alpha-t^\alpha} - g_\alpha(t) }{ \alpha-1 }.\tag{82}\] With this, it is possible to numerically evaluate the functions \(\mathcal{R}_1,\mathcal{R}_2,\mathcal{R}_3,\mathcal{R}_4\) defined in 12 to 15 for any given values of \(\varepsilon,n\). Consequently, the evaluation of \(\mathcal{W}_\mathrm{coding}\) defined in 16 and \(\mathcal{W}_\mathrm{res}\) defined in 17 requires only a one-dimensional optimization over all admissible values of the parameter \(\varepsilon\). The evaluation of the bounds of Theorem [theorem:wiretap-cq-all-blocklengths] also requires calculation of \(\mathcal{W}_\mathrm{cost}^{(c,C)}\) defined in 18 and another doubly exponential term that appears in 24 , however, we observe that in the regime in which we evaluate the bounds for the plots in the present paper, these terms are so small that they are negligible. This means that we can avoid a costly simultaneous optimization over the parameters \(\beta_2\), \(\beta_3\), \(\beta_4\), and \(\beta_5\) that appear in the statement of Theorem [theorem:wiretap-cq-all-blocklengths]. Instead, we only consider the terms that contain \(\mathcal{W}_\mathrm{res}\) or \(\mathcal{W}_\mathrm{coding}\) and only check that the remaining terms are indeed neglible. For details on how small we ensure these terms are, we refer the reader to Section 6.4. Full details and comments on how this is ensured can be found in the source code in the electronic supplement of this paper.

6.4 Plots↩︎

We plot various quantities of interest for a model of an optical communication system with a noiseless source as described in Section 6.2. In order to find reasonable system parameters, we make a series of rough estimates of what values these parameters may have in a realistic communication system. When a transmitter communicates a line of sight optical signal to a receiver, the transmittivity \(\eta\in [0,1]\) can be roughly estimated as \[\eta= c\cdot\left(\frac{L_\mathrm{diam}}{L_\mathrm{dist}}\right)^2\] where \(c\) is a system-dependent constant, \(L_\mathrm{diam}\) the receiver diameter and \(L_\mathrm{dist}\) the distance between transmitter and receiver [61]. In slightly non-optimal situations where fog disturbs the link, this transmittivity in a free-space optical system can easily be as low as \(\eta=10^{-5}\) already at distances \(\require{physics} L_\mathrm{dist}=\qty{1}{\km}\) [61]. For our plots, we choose \(\eta_1 := 10^{-5}\) and \(\eta_2 := 6 \cdot 10^{-6}\) to obtain a scenario in which the eavesdropper is at a slightly greater distance from the sender than the legitimate receiver (or equivalently, guaranteed to be unable to place its receive antenna close enough to the center of the optical beam, cf. [6]), and otherwise uses equivalent equipment. For the average transmit energy, we note that the number of photons per channel use can be estimated by considering a laser with \(\require{physics} \qty{1}{\W}\) output power at \(\require{physics} \qty{1550}{\nm}\). This system will emit in the order of \(10^{19}\) photons per second, and typically use a modulation format such that \(10^{10}\) pulses are emitted per second. Thus, \(E:= 10^9\) photons per channel use are a fair estimate. We assume that the number of noise photons per channel use is around \(10^{-5}\), which is at the lower end of the plausible range of values. At a wave length of \(\require{physics} \qty{1550}{\nm}\) and a baud rate of \(10^{10}\) pulses per second, this is equivalent to a background noise power of about \(\require{physics} \qty{1.5e-14}{\W}\). This means that in our example, we choose \(N_\mathfrak{A}:= N_\mathfrak{B}:= 10^{-5}\).

This yields the system parameters \(\eta_\mathfrak{B}= \eta_1 = 10^{-5}\), \(\eta_\mathfrak{E}= \eta_2(1-\eta_1) \approx 6 \cdot 10^{-6}\), \(N_\mathfrak{B}= N_\mathfrak{E}= 10^{-5}\). By Theorem 2 and (78 ), (79 ), we obtain a bound \[\chi(P;D_\mathfrak{B}) - \chi(P;D_\mathfrak{E}) = g(N_\mathfrak{B}+ \eta_\mathfrak{B}E) - g(N_\mathfrak{B}) - g(N_\mathfrak{E}+ \eta_\mathfrak{E}E) + g(N_\mathfrak{E}) \approx 0.5108\] on the achievable rates. When calculating the achievable bounds, we do not optimize over the doubly exponential terms that appear in 24 , but we make sure they do not exceed \(\exp(-100)\) in value. This threshold is chosen arbitrarily, but we believe it is small enough to convince the reader that neglecting this term does not have more severe effects than other limitations that are inherent in numerical evaluations such as the machine precision of the computer used. For the cost constraint and the concentration of the security level and decoding error around its expectation, we also need to allow for a little bit of slack due to the nature of the results we evaluate. We allow the security level and decoding error to differ by at most \(10^{-8}\) from the expected value and the individual code words to exceed the expected energy per code word by at most \(10\%\). Again, the choice of these threshold values is somewhat arbitrary, but we believe the values are small enough to convince the reader that the difference between expected and actual security level and decoding error does not significantly impact the accuracy of the plots given that we do not display values of security level and decoding error smaller than \(10^{-5}\) and the possible additional energy consumption of some of the code words is not so large that it would meaningfully impact the practicality of such a code. In Fig. 4 and 5, it can be seen how the security level and decoding error decay with increasing block length for various rates. As expected, the decay is always at least exponential, but the slope of the lines is steeper for larger gaps to the upper bound of achievable rates. In Fig. 6, we plot the block lengths necessary to achieve a few selected combinations of decoding error and security level in dependence of the rate. It can be seen that the necessary block length increases sharply when the rate gets close to the upper bound.

6.5 Proofs of Technical Lemmas↩︎

In this appendix, we give the proofs for the technical lemmas related to quantum information theory and stochastics that are omitted in the main part of the paper.

6.6 Preliminaries on Functional Analysis and Rényi Entropy↩︎

In this appendix, we collect technical facts on functional analysis and Rényi entropy that we need for the proofs in this paper.

Since these are well-known facts, we provide references to textbooks in lieu of a proof: [item:norm-basics-trace-norm-bound]) follows from [62], [item:norm-basics-trace-class-ideal]) follows from [62], [item:norm-basics-trace-norm-submultiplicative]) is immediate from [item:norm-basics-trace-norm-bound]) and [item:norm-basics-trace-class-ideal]), [item:norm-basics-trace-norm-duality] is [37], and [item:norm-basics-zero-trace-operators] is stated in [63] for the finite-dimensional case, however, the proof also works for infinite-dimensional spaces without modification.

References↩︎