Quantum security and theory of decoherence

We sketch a relation between two crucial, yet independent, fields in quantum information research, viz. quantum decoherence and quantum cryptography. We investigate here how the standard cryptographic assumption of shielded laboratory, stating that data generated by a secure quantum device remain private unless explicitly published, is disturbed by the einselection mechanism of quantum Darwinism explaining the measurement process by interaction with the external environment. We illustrate the idea with a paradigmatic example of a quantum random number generator compromised by an analog of the Van Eck phreaking. In particular, we derive a trade-off relation between eavesdropper's guessing probability $P_{guess}$ and the collective decoherence factor $\Gamma$ of the simple form $P_{guess} + \Gamma \geq 1$.

Quantum cryptography [1] is one of the most spectacular successes of the quantum information theory, providing security beyond the scale accessible using classical computation techniques. Quantum devices can be used for such applications as secure key distribution [2] or generation of private random number [3] based on elementary physical phenomena.
Still, humans can deal only with classical data, and thus at some stage, any quantum cryptographic device has to generate classical output data. This process is known as the quantum measurement [4]. Even though the measurement is one of the most basic processes in quantum mechanics, it remains to be one of the most mysterious phenomena since the very beginning of the theory [5][6][7]. This so-called measurement problem still lacks a definitive solution, with the decoherence theory being one of the most popular approaches [8].
The trailblazing works ofŻurek [9,10] elucidated the problem in which basis the quantum measurement is actually being performed, by the introduction of the concept of the pointer basis, i.e. the eigenbasis of observables commuting with the Hamiltonian determining the interaction of the measuring apparatus with the environment; the fact that the interaction with the environment is the factor that determines the measurement basis is called environment-induced superselection, or einselection [10,11]. This result accentuated the role of the external world in the process of measurement and revealed that without this interaction, only the premeasurement, i.e. the correlation of the apparatus with the observed system, can occur.
The role of the exterior world in the working of quantum devices seemingly contradicts the natural and necessary assumption, that the cryptographic devices are located inside a shielded laboratory protecting against outflowing of the private data. Indeed, a crucial condition for the privacy of numbers, constituting e.g. a secure key, is that they remain secret unless intentionally revealed. This is particularly important for providing the information-theoretic level of security [12,13].
On the other hand, quantum Darwinism [14] suggests that without this information propagation or leakage, the decoherence will not occur, leading, in principle to the Wigner's friend paradox [15,16]. Up to our knowledge, the problem of this prominent role of the environment has not been investigated in the context of cryptographical applications. The most related considerations concerned only the role of noise in cryptography [17,18]. This paper aims to provide an example, of how the direct connection between the low-level description of the measurement process, and the high-level specification of application protocols can be done.
Methods.-We concentrate on an elementary operation of a qubit measurement, as a basic operation for the majority of quantum devices. We follow [9] and call the observed qubit a system (S), the measuring device an apparatus (A); the third subsystem the environment (E).
We model the premeasurement upon rank-1 projectors {P x , where superscripts in parenthesis denote the subspace. The interaction of the apparatus with the environment is given by the unitary transformation: leading to the decoherence in the computational basis of (A).
To illustrate a simple scenario of quantum randomness generation we consider measurement of the state | + (S) = 1/ √ 2(| 0 (S) + | 1 (S) ) in the computational basis, P where T is the time after which all the interactions occur.

arXiv:2205.12927v1 [quant-ph] 25 May 2022
We get that Γ = 0 | (E) U (E) † 1 U (E) 0 | 0 (E) is the collective decoherence factor of the joint state ρ (SA) (T ) equal to (2) and the full orthogonalization of measurement results occur [34]. For the measurement to betide we need also the full decoherence, i.e. Γ 1. The above model refers to the simplest quantum randomness generation, where the measured state | + (S) is prepared in a basis that is unbiased [19] to the basis {P (S) i } in which the premeasurement is performed, and the results are stored in the computational basis of the subsystem (A) that is initially preset to | 0 (A) to maximize its information capacity [20]. The interaction part U (SA) is designed by the user of the quantum device that calibrates the measuring device to measure in the selected basis, possibly taking into account the characteristics of his source of states; this part is also responsible for apparatus state orthogonalization.
The actual measurement is finalized by the interaction U (AE) . That interaction is supposed to be engineered by the vendor of the measuring apparatus; the computational basis of (A) is actually the one that is being displayed to the user and the shape of U (AE) is determined by the device's case, like e.g. plastic housing of a USB stick, or metal shielding of a rack-mounted multimeter.
We consider a 4-th subspace, denoted (V ) for Van Ecktype eavesdropper since our approach is a quantum analog of the so-called Van Eck attack in classical cryptography [21], where the electromagnetic radiation of classical devices is captured by antennas and used to intercept the private content.
In the attack, the eavesdropper intends to capture information regarding the measurement result stored in the apparatus. Since both the former and latter are classical data, we assume the result of wiretapping is stored in the computational basis. We consider a passive reception of the content of the environment, i.e. eavesdropper doesn't change it. This restricts his action to a CNOT conditioned on some orthogonal projectors {P and thus the joint state of the user apparatus and the eavesdropper ρ (AV ) (T ) = Tr SE | ψ ψ | (SAEV ) is a state diagonal in the computational basis with coefficients: where we omitted the superscipt (E). The figure of cryptographical merit we consider here is the probability that the eavesdropper correctly guesses the measurement result of the apparatus [22][23][24][25], denoted P guess . This happens when both two-dimensional subsystems (A) and (V ) indicate the same binary value, thus it is given by: The environment (E) mediates between subsystems (A) and (V ), and can be of much larger dimension.
From (4) we see, that the guessing probability depends both on the ability of the environment to gather information regarding the apparatus, modeled by {U = 1 1 (E) ; then the value of (4) is 0.5, so no information leaks outside the laboratory, and simultaneously Γ = 1, thus the measurement does not occur.
The shielding determines U (AE) and is dependent on the owner of the laboratory (and the technology used) and should be considered as a part of the quantum device. The antenna determines U (EV ) and is possessed by the wiretapper, and its capabilities are limited by his resources, reflecting his control over the information scattering. The rest of this paper aims to model the dependence of the guessing probability (4) on the power of the eavesdropper.
Results.-Now, let us use the above results to analyse a case of the environment consisting of N qubits. We follow the standard approach [26,27] and model the U (AE) interaction as N independent imperfect CNOT defined as U (θ) ≡ | 0 0 | (A) ⊗ 1 1 (·) 2 + | 1 1 | (A) ⊗ P (·) , with P ≡ sin θ cos θ cos θ − sin θ , and θ fixed for the setup. Thus, denotes s-th environmental qubit. From this it follows that the collective decoherence factor Γ = |sin θ | N , or, that for a specific value of Γ an interaction with at least N ≥ − ln Γ − ln|sin θ | environmental qubits is required. The factor dependent on θ is an engineering parameter, and Γ is a quantumness parameter, thus we may assume that the number n ≤ N of qubits accessible to the eavesdropper is µ(− ln Γ) − ln|sin θ | , for some function µ. Let us consider the case when the eavesdropper is not able to perform a coherent measurement on multiple qubits, and needs to perform the guess basing on many separate single-qubit measurements. If he performs the Helstrom measurement [28], with one of the projectors given by cos 2 (θ/2) −(sin θ)/2 −(sin θ)/2 sin 2 (θ/2) , on a specific environmental qubit, the success probability of correct distiguishing its state is p ≡ (1 + |cos θ |)/2. Suppose that the guess is given as the majority of n single-qubit guesses, i.e. it succeeds when at least n/2 of these guesses is correct. Thus, the total success probability of the guess (4) is equal to 1 − F (n/2; n, p), where F (·; n, p) is the cumulative distribution function (CDF) of the binomial distribution with n Bernoulli trials with success probability p. Now, we ask, for what range of Γ, θ, and µ do we have P guess 1/2? It can be shown [29,30] that for p ∈ (0, 1) and a < p it holds F (an; n, p) ≤ exp (−nD (a||p)), where D (a||p) ≡ a ln a p + (1 − a) ln 1−a 1−p is the Kullback-Leibler divergence between Bernoulli random variables. Using the above formulae for p and n we directly get D (1/2||(1 + |cos θ |)/2) = − ln |sin θ |, and so and the lower bound doesn't depend on θ. From these considerations it follows that taking any µ satisfying lim x→∞ µ(x) = ∞ and lim x→∞ µ(x) x = 0 we have that in the classical limit an arbitrary small fraction of all environmental qubits is enough to provide the eavesdropper full access to cryptographic data.
This complies with the information plateau observation of the quantum Darwinism [14]. We also note when the whole environment is accessible to the eavesdropper, even in incoherent, semi-classical, manner, i.e. for µ(x) = x, the relation (5) takes a simple trade-off form P guess +Γ ≥ 1.
We see that the shielded laboratory assumption P guess ≤ 1/2 entails Γ ≥ 1/2, viz. restricts the measurement to premeasurement. The trade-off (6) in particular states that the eavesdropper's ability to read out the information of the measurement limits the degree of decoherence. We note that the above model is exceedingly simplistic, covering only a particular form of potential attacks of Van Eck's type, and may not be the most efficient one. Yet, this restricted and fairly simple and natural form of gathering information from the surroundings is enough to compromise the security of a device producing private numbers showing that the discussed sort of attacks is a serious threat.
Let us summarize the assumptions we make in the derivation of the trade-off (6). We assume a particular form of the interaction U (SA) justified by the functioning of a measuring device. The decomposition of the measurement process into parts U (SA) and U (AE) is justified by its logical order in the measurement, i.e. first occurs the premeasurement, and then occurs the decoherence. Thus, stating that the measuring device interacts with the environment via some interaction U (AE) is not restrictive. Next, we perform the calculations using a particular form of U (AE) used in [26,27]; we leave considerations with more general U (AE) as an important new engineering task of designing cryptographical devices in a way more secure against Van Eck's attacks. The considered form of the interaction U (EV ) doesn't restrict the generality of our results, as it is sufficient for the trade-off relation to occur. We show that such interaction exists, possibly there exists another interaction U (EV ) for which the trade-off relation is even tighter; we also leave this for a further study of the interplay between designing devices with more suitable U (AE) and attacks with more efficient To see consequences of the above analysis, we start with the simplest case with one environmental qubit interacting via a perfect CNOT, viz. N = 1 and θ = 0. We have the full decoherence with Γ = 0 but, if the only environmental qubit is intercepted by the eavesdropper, we also have P guess = 1. For a toy model of decoherence with N = 20 and θ = π/4 we have Γ ≈ 0.001; then for 1, 3, and 5 intercepted environmental qubits P guess is 0.85, 0.94, and 0.98, respectively. For the more realistic case with Γ ≈ 10 −40 [31] if the van Eck's antenna observes 1% or 5% of the environment, then P guess is 0.6 or 0.99, respectively.
To investigate how the privacy of quantum random numbers from the above model is compromised by a coherent Van Eck-type antenna we performed also numerical simulations. Let D (E) denote the dimension of the environment, and k ∈ {2, · · · , D (E) } be the number of degrees of freedom of the environment the antenna can faithfully distinguish; the ratio k/D (E) can be considered as the measure of how much of the environment is monitored, or controlled, by the eavesdropper.
In the numerical calculations we consider Haar distributed [32] {U We executed the computation of (4) for D (E) = 20, 50, 100, 200. To this end, for each instance we parametrized the operator P (Ê) and performed gradient search to maximize the value of the quessing probability. We averaged the results of several (15,8,11, and 4, respectively) instances with different {U It can be observed that the guessing probability is more or less proportional to the observed part of the environment. We note that even when the eavesdropper possesses full access to the environment's information, he still may not be able to achieve the value 1 of guessing probability since not all information could have been propagated, especially when the value of D (E) is small. This relates to the situation with Γ 0, so with no full measurement inside the laboratory.
Conclusions.-Despite this work being embedded in the framework of einselection and quantum Darwinism, we don't consider here the usual scenario of information widespread in multiple copies of independent parts of the environment. We concentrate on the observation of a single observer, so, this cannot be understood as a model of objectivity [33] (or inter-subjectivity [34,35]) as investigated in the recent works [26]. Yet, it is obvious, that after a measurement is performed, then knowing what has been measured (i.e. the basis), should imply the ability to copy and disseminate the result [36,37].
We have seen that the shielded laboratory assumption prevents the occurrence of measurement; and that by relaxing this assumption, we open a way for attacks similar to the Van Eck phreaking. We note that although Fig. 1 shows cases with relatively small sizes of the environment compared to macroscopic objects, it suggests that the greater the dimension, the lower part of the laboratory's surroundings has to be under control for the significant potential for eavesdropping. Indeed, the relation (6) we derived for incoherent qubits phreaking clearly indicates that any sort of cryptographic protocol is prone to the discussed type of attacks. We would like to stress that our topic is not an analysis of the case when the device that processes quantum information happens not to be perfectly shielded due to imperfections; on contrary, we show that for any quantum measuring-based device to function properly it is necessary to drop the perfect shielding assumption by the design.
In this preliminary study, we investigated only the simplest case where the quantum randomness is obtained from the measurement on a different basis than the pre-pared state. Although simple, this scenario is ubiquitous as an ingredient of more involved and complex quantum protocols.
This work intends to show that the quantitative investigation of the relation between two important, yet till now disjoint, areas of quantum information, viz. theory (quantum Darwinism) and application (quantum cryptography) of measurements, is possible. Quantum cryptography is a wide field and is currently the only quantum information research area with serious commercial deployments [38]. Our main premise is to change one of the essential parts of the paradigm of quantum cryptography that was based on neglecting, or abstracting from, the way the quantum measurement is performed in cryptographic devices.
We expect the presented result will encourage researchers working on decoherence theory to contribute to the development of the design of cryptographic devices, similarly as they contribute to the area of quantum computation [39,40]. We consider it an interesting and vital problem, how such analysis can be extended to more complicated scenarios, and cover such problems as quantum communication [2] or quantum key distribution [41], not only in a device-dependent scenario, like in this work, but possibly in device-independent [42], or semi-device-independent [43] frameworks.
We close this work with the practical open question of whether it is possible to protect against the introduced type of attacks? We predict the general answer, with the eavesdropper with sufficient control over the environment, to be negative. Still, it is plausible that under some reasonable assumptions regarding the technology of the eavesdropper, one can engineer the shielding in such a way that the measurement does occur while the wiretapping task becomes burdensome. Acknowledgments.-The work is supported by the Foundation for Polish Science (IRAP project, ICTQT, contract no. 2018/MAB/5, co-financed by EU within Smart Growth Operational Programme) and NCBiR QUAN-TERA/2/2020 (www.quantera.eu) under the project eDICT. The numerical calculations we conducted using OCTAVE 6.1 [44], and packages QETLAB 0.9 [45] and Quantinf 0.5.1 [46]