Secrecy

Now, we are going to prove the secrecy of 5. First, we prove two lemmas.

Lemma 4.19. Suppose M is a full rank m-by-n matrix such that m < n and the entries of M are in{0, 1}. If s is chosen uniformly from {0, 1}ⁿat random, then, for all t ∈ {0, 1}^m, it holds that

s←{0,1}Pr ⁿ(M s = t) = 1 2^m.

Proof. First, we apply the Guassian elimination to M and have a decomposition M = LR, where L is an m-by-m lower trianguler matrix and R is an m-by-n matrix in row echelon form. Because M is full rank, each row of R has a pivot (a pivot element is the first non-zero element in a row such that all the elements below it are zero).

Then, suppose X, Y are two random variables take value in {0, 1}. If Y is uniformly distributed over {0, 1}, then no matter what distribution of X is, the random variable X⊕Y is uniformly distributed over {0, 1}. This is the core idea of one-time pad.

Generally, let X₁,· · · , Xl, Y1,· · · , Yl be random variables such that X_i, Yi ∈ {0, 1}

for all i. Suppose each Y_i is independently uniformly distributed over {0, 1} for all i and Xican be in arbitrary distribution for all i. Then, each X_i⊕ Yiis independently uniformly distributed over {0, 1} for all i.

Back to our lemma, suppose s^′ = Rs. Then, the i-bit of s^′, namely s^′[i], comes from the inner product of R[i] and s. Because s is chosen uniformly from {0, 1}ⁿat random, the product of the pivot element in R[i] and the corresponding bit in s is uniformly distributed over {0, 1}, which serves as the one-time pad for the i-bit of s^′. Thus, for all t ∈ {0, 1}^m, it holds that

s←{0,1}Pr ⁿ(Rs = t) = 1 2^m,

which implies Rs is uniformly distributed over {0, 1}^m. Next, because L represents the row operations of the Guassian elimination, the diagonal elements of L must all be 1.

These diagonal elements play the same roles as the pivots of R. Thus, for all t ∈ {0, 1}^m, it holds that

s←{0,1}Pr ⁿ(LRs = t) = 1 2^m.

Lemma4.19implies that if we have a secret key k and a full rank matrix H, then Hk is also secret.

Lemma 4.20. Suppose Alice measures register A in the X basis after the step IP4 of ₅ and gets the measurement outcome ξ. Then, if we choose mPA = nH2(δth+ ϵPE) + nϵPA,

it holds that

Pr (PE passes ∧ ξ = 0ⁿ)≤ e^−nϵ2PE+ 2· 2^−nϵPA.

Proof. From Corollary4.13, we know that if Alice measures A in the X basis after IP2 and gets the measurement outcome µ_A, Then,

Pr

<

PE passes ∧ 1n

i=1

(µ_A[i]̸= µ[i]) ≥ (δ^th+ ϵPE)n

=

≤ e^−nϵ2PE,

Let c_i be an all zero binary string except the i-th bit is one. Because {X^HPA[j]}i=1,··· ,mPA

and {X^ci}i=1,··· ,n commute, whether Alice measures A in the X basis after IP3 does not change the statistics of the measurement at IP4.

If H_PA^⊥ is decided by uniformly chosen code from Cn,n−mPA, we can directly apply the Proposition2.5. However, the choice of CPAis under the constraint CPA⊆ C^IRso that C_PA^⊥ is not chosen uniformly at random. In the following, we are going to show that we can still get a similar guarantee of the Proposition2.5even in this case.

Suppose HIR and H_PA^⊥ are the parity check matrices that Alice chooses at IP3 and IP4 whose corresponding linear code satisfy CPA ⊆ C^IR. Suppose we uniformly choose a permutation matrix² P at random. Let H_IR^′ = HIRP and H_PA^′⊥ = H_PA^⊥P . Then, the corresponding linear code C_IR^′ and C_PA^′⊥ also satisfy C_PA^′ ⊆ CIR^′ . Because both HIR and P are chosen uniformly at random, the distribution of HIRand H_PA^⊥ are the same as H_IR^′ and H_PA^′⊥.

In the proofs of the Proposition2.4and the Proposition2.5, the reason why we need a random code is to make the positions of errors uniformly distributed. However, because the distribution of HIR and H_PA^⊥ are the same as H_IR^′ and H_PA^′⊥, HIR and H_PA^⊥ are already equiped with a random permutation. The only problem is that HIRand H_PA^⊥ share the same permutation.

From the Proposition2.5, we know that the probability that Eve successfully finds a position of errors is upperbounded some value p. Then, for a fixed permutation, if Eve has two chances to guess the position, the probability that Eve succeed at least once is

2A permutation matrix is a matrix obtained by permuting the rows of an identity matrix.

upperbounded by 2p according to the union bound.

Consequently, we have

Pr (PE passes ∧ x^PA ̸= µA)≤ e^−nϵ2PE + 2· 2^−nϵPA.

Thus, after we apply the operation Z^xPA at IP4, the measurement outcome ξ will satisfy

Pr (PE passes ∧ ξ ̸= 0ⁿ)≤ e^−nϵ2PE + 2· 2^−nϵPA.

Now, we can prove the secrecy of 5.

Lemma 4.21. If we choose mPA = nH2(δth+ϵPE)+nϵPA, then ₅is 26

e^−nϵ2PE+ 2· 2^−nϵPA -secret.

Proof. Now we analyze the quantum state after IP5. Let τ_A^∧accbe the subnormalized state of register A such that we drop the portion of rejection. Thus, the probability pacc that Alice and Bob accept the protocol is pacc = Tr (τ_A^∧acc). From Lemma4.20, we know that if we measure A in the X basis, the measurement outcome ξ would satisfy

Pr (PE passes ∧ ξ ̸= 0ⁿ)≡ p^fail ≤ e^−nϵ2PE + 2· 2^−nϵPA.

Because ξ = 0ⁿcorresponds to the projector |+^⊗n⟩ ⟨+^⊗n|, we have

⟨+^⊗n|τA^∧acc|+^⊗n⟩ = p^acc− p^fail.

Let τ_A^|acc = _p¹_accτ_A^∧acc be the re-normalized state conditioned on Alice and Bob accept the protocol. We have

F (τ_A^|acc,|+^⊗n⟩ ⟨+^⊗n|) = ⟨+^⊗n|τA^|acc|+^⊗n⟩ = 1

pacc ⟨+^⊗n|τA^∧acc|+^⊗n⟩ = 1 − pfail

pacc. Now we analyze the measurement at IP6 and IP8. Because the observables in the set

{Z^HIR[j]}i=1,··· ,mIR and {Z^Hfin[i]}i=1,··· ,ℓfin consist of Pauli Z, the statistics of the measure-ment outcomes remain the same if Alice measures register A in the Z basis before IP6.

Thus, suppose Alice does an imaginary step before IP6:

• IP5.5 Alice measures A in the Z basis and gets a measurement outcome µ_Z.

Let τ_A^′|acc be the normalized state after IP5.5 conditioned on Alice and Bob accept the protocol. Because the measurement outcome of |+⟩ in the Z basis is uniformly at random, the state |+^⊗n⟩ ⟨+^⊗n| becomes ₂¹ⁿ/n

i=1|i⟩ ⟨i| after the step IP5.5. Because the fidelity is non-decreasing under quantum operation, we have

F

If Alice does the imaginary step IP5.5, measuring register A by observables {Z^HIR[j]}i=1,··· ,mIR

and {Z^Hfin[i]}^i=1,··· ,ℓfin are equivalent to calculates r = HIRµZ and kA = HfinµZ respec-tively. By Lemma4.19, we know that if the register A is in the state ₂¹n

/n

i=1|i⟩ ⟨i|, r and kAwill be uniformly distributed and independent to each other.

Suppose ρ_{KAKBF CE} = ( 5,A) is a normalized state given an adversary A and ρ^∧acc_{KAKBF CE}is the sub-normalized state that we drop the portion of rejection in ρ_{KAKBF CE}. Let ρ^|acc_{KAKBF CE} = _p¹_accρ^∧acc_{KAKBF CE} and ρ^|acc_A = TrBF CE

-ρ^|acc_{KAKBF CE}.

. Because the fidelity is non-decreasing after IP6, IP7 and IP8, we have

F

Now we consider Eve’s system. By Corollary2.2, there exists a state σ_{F CE} ∈ HF CE

such that

By the relation between the trace distance and the fidelity, we have

Because the argument above holds for any adversary A, we conclude that 5is 26

e^−nϵ2PE + 2· 2^−nϵPA -secret.

Combining Lemma4.14,4.15,4.16,4.17and4.21, we can conclude this section with the following corollary.