
1 Introduction

Public-key cryptography has proved to be an indispensable tool in the modern information security infrastructure. Most notably, digital signature schemes form the backbone of Internet commerce, allowing trust to be propagated across the network in an efficient fashion. In turn, public-key encryption allows the private communication of messages (or, more usually, the establishment of symmetric secret keys) among users who are authenticated via digital signatures. The security of these classical public-key cryptosystems relies on assumptions on the difficulty of certain mathematical problems [1]. Gottesman and Chuang [2] initiated the study of quantum-public-key cryptography, where the public keys are quantum systems, with the goal of obtaining the functionality and efficiency of public-key cryptosystems but with information-theoretic security. They presented a secure one-time digital signature scheme for signing classical messages, based on Lamport’s classical scheme [3].

In a public-key framework, Alice chooses a random private key, creates copies of the corresponding public key via some publicly-known algorithm, and distributes the copies in an authenticated fashion to all potential “Bobs”. In principle, this asymmetric setup allows, e.g., any Bob to send encrypted messages to Alice or to verify any signature for a message that Alice digitally signed. By eliminating the need for each Alice-Bob pair to establish a secret key (in large networks where there may be many “Alices” and “Bobs”), the framework vastly simplifies key distribution, which is often the most costly part of any cryptosystem, compared to a framework that uses only symmetric keys.

Some remarks about the quantum-public-key framework are in order. First, we address the issue of purity of the quantum public keys. In principle, the quantum public key can be either in a pure or mixed state from Alice’s point of view (a mixed state is a fixed probabilistic distribution of pure states). Gottesman and Chuang [2] assumed pure-state public keys. For digital signature schemes, this purity is crucial; for, otherwise, Alice could cheat by sending different public keys to different “Bobs”. Purity prevents Alice’s cheating in this case because different “Bobs” can compare their copies of the public key via a “distributed swap-test” [2] to check they are the same (with high probability), much like can be done in the case of classical public keys. But any scheme can benefit from an equality test, since an adversary who tries to substitute bad keys for legitimate ones could thus be caught. There is no known equality test guaranteed to recognize when two mixed states are equal. Thus, having mixed-state public keys seems to be at odds with what it means to be “public”, i.e., publicly verifiable (Footnote 1). Even though the scheme we present in this paper does not make explicit use of the “distributed swap-test” (because we assume the public keys have been securely distributed), it can do so in principle. We view this as analogous to how modern public-key protocols do not specify use of an equality test among unsure “Bobs”, but how such a test is supported by the framework to help thwart attempts to distribute fake keys.

Second, we address the issue of usability of quantum-public-key systems. The states of two quantum public keys corresponding to two different private keys always have overlap less than \((1-\delta )\), for some positive and publicly known \(\delta \). Thus, a striking aspect of the quantum-public-key framework is that the number of copies of the public key in circulation must be limited (if we want information-theoretic security). If this were not the case, then an adversary could collect an arbitrarily large number of copies, measure them all, and determine the private key. By adjusting protocol parameters, this limit on the number of copies of the quantum public key can be increased in order to accommodate more users (or uses; see next paragraph for a discussion on “reusability”). Thus, in practice, there is no restriction on the usability of a quantum-public-key system as long as an accurate estimate can be made of the maximum number of users/uses.

Presumably, adjusting the protocol parameters (as discussed above) in order to increase the maximum number of copies of the quantum public key in circulation would result in a less efficient protocol instance, and this is one kind of tradeoff between efficiency and usability in the quantum-public-key setting. Another kind concerns reusability. The abovementioned digital signature scheme is “one-time” because only one message may be signed under a particular key-value (even though many different users can verify that one signature). If a second message needs to be signed, the signer must choose a new private key and then distribute corresponding new public keys. One open problem is thus whether there exist reusable digital signature schemes, where either the same copy of the public key can be used to verify many different message-signature pairs securely, or where just the same key-values can be used to verify many different message-signature pairs securely (but a fresh copy of the public key is needed for each verification). The latter notion of “reusability” is what we adopt here.

In this paper, we consider an identification scheme, which, like a digital signature scheme, is a type of authentication scheme. Authentication schemes seek to ensure the integrity of information, rather than its privacy. While digital signature schemes ensure the integrity of origin of messages, identification schemes ensure the integrity of origin of communication in real time [1]. Identification protocols are said to ensure “aliveness”—that the entity proving its identity is active at the time the protocol is executed; we describe them in more detail in the next section.

We prove that an identification scheme based on the one in Ref. [6] is secure against a computationally-unbounded adversary (only restricted by finite cheating strategies), demonstrating for the first time that unconditionally-secure and reusable public-key authentication is possible in principle. We regard our result more as a proof of concept than a (potentially) practical scheme. Still, we are confident that an extension of the techniques used here may lead to more efficient protocols.

We now proceed with a description of the protocol (Sect. 2) and the security proof (Sect. 3).

2 Identification Protocol

In the following, Alice and Bob are always assumed to be honest players and Eve is always assumed to be the adversary. Suppose Alice generates a private key and authentically distributes copies of the corresponding public key to any potential users of the scheme, including Bob.

Here is a description (adapted from Sect. 4.7.5.1 in Ref. [7]) of how a secure public-key identification scheme works. When Alice wants to identify herself to Bob (i.e. prove that it is she with whom he is communicating), she invokes the identification protocol by first telling Bob that she is Alice, so that Bob knows he should use the public key corresponding to Alice. The ensuing protocol has the property that the prover Alice can convince the verifier Bob (except, possibly, with negligible probability) that she is indeed Alice, but an adversary Eve cannot fool Bob (except with negligible probability) into thinking that she is Alice, even after having listened in on the protocol between Alice and Bob or having participated as a (devious) verifier in the protocol with Alice several times. Public-key identification schemes are used in smart-card systems (e.g., inside an automated teller machine (ATM) for access to a bank account, or beside a doorway for access to a building); the smart card “proves” its identity to the card reader (Footnote 2).

Note that no identification protocol is secure against a relay (man-in-the-middle) attack, where Eve concurrently acts as a verifier with Alice and as a prover with Bob (but note also that, in such a case, the “aliveness” property is still guaranteed, since Alice must be answering in real time). Note also that, by our definition of “reusable,” an identification scheme is considered reusable if Alice can prove her identity many times using the same key-values but the verifier needs a fresh copy of the public key for each instance of the protocol.

Note also that public-key identification can be trivially achieved via a digital signature scheme (Alice signs a random message presented by Bob), but we do not know of an unconditionally-secure and reusable digital signature scheme (Footnote 3). Similarly, public-key identification can be achieved with a public-key encryption scheme (Bob sends an encrypted random challenge to Alice, who returns it decrypted), but we do not know of an unconditionally-secure and reusable public-key encryption scheme (that uses pure-state public keys; though, see Ref. [9] for a promising candidate).

2.1 Protocol Specification

The identification protocol takes the form of a typical “challenge-response” interactive proof system, consisting of a kernel (or subprotocol) that is repeated several times in order to amplify the security, i.e., reduce the probability that Eve can break the protocol. The following protocol is a simplification of the original protocol from Ref. [6] (but our security proof applies to both protocols, with only minor adjustments). We assume all quantum channels are perfect.

Parameters

  • The security parameter \(s \in \mathbf {Z}^{+}\)

    \(\diamond \) equals the number of kernel iterations;

    \(\diamond \) the probability that Eve can break the protocol is exponentially small in \(s\).

  • The reusability parameter \(r \in \mathbf {Z}^{+}\)

    \(\diamond \) equals the maximum number of copies of the quantum public key in circulation, and

    \(\diamond \) equals the maximum number of times the protocol may be executed by Alice before she needs to pick a new private key.

Keys

  • The private key is

    $$\begin{aligned} (x_1,x_2,\ldots ,x_s), \end{aligned}$$
    (1)

    where Alice chooses each \(x_j\), \(j=1,2,\ldots ,s\), independently and uniformly randomly from \(\{1,2,\ldots ,2r+1\}\).

    \(\diamond \) The value \(x_j\) is used only in the \(j\)th kernel-iteration.

  • One copy of the public key is an \(s\)-partite system in the state

    $$\begin{aligned} {\otimes _{j=1}^s |\psi _{x_j}\rangle }, \end{aligned}$$
    (2)

    where (omitting normalization factors)

    $$\begin{aligned} |\psi _{x_j}\rangle := | 0 \rangle + e^{2\pi i x_j /(2r+1)}| 1 \rangle . \end{aligned}$$
    (3)
    \(\diamond \) Alice authentically distributes (e.g. via trusted courier) at most \(r\) copies of the public key.

    \(\diamond \) The \(j\)th subsystem of the public key (which is in the state \({|\psi _{x_j}\rangle }\)) is only used in the \(j\)th kernel-iteration.

Actions

  • The kernel \(\mathcal {K}(x)\) of the protocol is the following three steps, where we use the shorthand

    $$\begin{aligned} \phi _x := 2 \pi x / (2r+1), \end{aligned}$$
    (4)

    and where we have dropped the subscript “\(j\)” from “\(x_j\)”:

    (1) Bob secretly chooses a uniformly random bit \(b\) and transforms the state of his authentic copy of \(|\psi _x\rangle \) into \(| 0 \rangle + (-1)^b e^{i\phi _x}| 1 \rangle \). Bob sends this qubit to Alice.

    (2) Alice performs the phase shift \(| 1 \rangle \mapsto e^{-i\phi _x}| 1 \rangle \) on the received qubit and then measures the qubit in the basis \(\{| 0 \rangle \pm | 1 \rangle \}\) (in order to determine Bob’s secret \(b\) above). If Alice gets the outcome corresponding to “+”, she sends 0 to Bob; otherwise, Alice sends 1.

    (3) Bob receives Alice’s bit as \(b'\) and tests whether \(b'\) equals \(b\).

  • When Alice wants to identify herself to Bob, they take the following actions:

    (i) Alice checks that she has not yet engaged in the protocol \(r\) times before with the current value of the private key; if she has, she aborts (and refreshes the private and public keys).

    (ii) Alice sends Bob her purported identity (“Alice”), so that Bob may retrieve the public keys corresponding to Alice.

    (iii) The kernel \(\mathcal {K}(x)\) is repeated \(s\) times, for \(x=x_1, x_2,\ldots , x_s\). Bob “accepts” if he found that \(b'\) equaled \(b\) in all the kernel iterations; otherwise, Bob “rejects”.

2.2 Completeness of the Protocol

It is clear that the protocol is correct for honest players: Bob always “accepts” when Alice is the prover (in each iteration, after Alice’s phase shift \(u_{-\phi _x}\) the qubit is exactly \(| 0 \rangle + (-1)^b | 1 \rangle \), so her measurement in the basis \(\{| 0 \rangle \pm | 1 \rangle \}\) returns \(b\) with certainty). In Sect. 3 (with details deferred to the Appendix), we prove that the protocol is also secure against any adversary (only restricted by finite cheating strategies): given \(r\) and \(\epsilon >0\), there exists a value of \(s = s(r,\epsilon )\) such that Bob “accepts” with probability at most \(\epsilon \) when Eve is the prover.
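The kernel of Sect. 2.1 is small enough to simulate exactly. The following Python script is an added example (not code from the paper or its authors): it models unnormalized single-qubit states as amplitude pairs, implements Bob’s preparation step and the prover’s phase shift plus \(\pm \) measurement, and computes (i) the honest acceptance probability, which is 1; (ii) the per-iteration success of a prover who does not know \(x\) and always applies a fixed guess \(u_{-\phi '}\), which averages to exactly \(1/2\) over Alice’s uniform choice of \(x\) (the per-iteration success is \(\cos ^2((\phi _x-\phi ')/2)\) and the cosines sum to zero over the \((2r+1)\)th roots of unity), giving acceptance probability \(2^{-s}\); and (iii) the gate identity \(X u_\phi X = e^{i\phi } u_{-\phi }\) on which the reduction in Sect. 3 relies. All function names, the fixed-seed sampler and the naive “fixed guess” adversary are constructions of this example; the adversary analysed in Sect. 3 is far stronger, since she may hold up to \(2r\) black boxes for \(u_{\phi _x}\).

```python
"""Exact toy simulation of the identification kernel K(x) (added example, not from the paper).

Unnormalized single-qubit states are pairs (a, b) meaning a|0> + b|1>.
"""
import cmath
import math
import random


def phi_of(x, r):
    """Alice's private phase angle phi_x = 2*pi*x/(2r+1) for x in {1, ..., 2r+1}."""
    return 2.0 * math.pi * x / (2 * r + 1)


def public_key_qubit(phi):
    """|psi_x> = |0> + e^{i phi}|1> (Eq. (3), normalization omitted)."""
    return (1.0, cmath.exp(1j * phi))


def phase_shift(state, phi):
    """The gate u_phi: |1> -> e^{i phi}|1>, |0> unchanged."""
    a, b = state
    return (a, b * cmath.exp(1j * phi))


def pauli_x(state):
    """Bit flip X: swaps the |0> and |1> amplitudes."""
    a, b = state
    return (b, a)


def prob_plus(state):
    """Probability of outcome '+' when measuring in the basis {|0> + |1>, |0> - |1>}."""
    a, b = state
    norm = abs(a) ** 2 + abs(b) ** 2
    return abs(a + b) ** 2 / (2.0 * norm)


def bob_prepare(phi, b):
    """Kernel step (1): Bob turns his copy of |psi_x> into |0> + (-1)^b e^{i phi}|1>."""
    return phase_shift(public_key_qubit(phi), math.pi * b)  # (-1)^b == e^{i pi b}


def prover_answer_prob(challenge, phi_prover):
    """Kernel step (2) as run by a prover who believes the phase is phi_prover:
    apply u_{-phi_prover}, then measure in the +/- basis.  Returns Pr[answer bit = 0]."""
    return prob_plus(phase_shift(challenge, -phi_prover))


def kernel_success_prob(phi_prover, phi_true, b):
    """Pr[Bob's check b' == b passes] in one iteration, for Bob's secret bit b."""
    p_zero = prover_answer_prob(bob_prepare(phi_true, b), phi_prover)
    return p_zero if b == 0 else 1.0 - p_zero


def honest_accept_prob(private_key, r):
    """Completeness (Sect. 2.2): Alice knows every x_j, so Bob accepts with probability 1.
    We take the worst case over Bob's bit in each iteration."""
    p = 1.0
    for x in private_key:
        phi = phi_of(x, r)
        p *= min(kernel_success_prob(phi, phi, b) for b in (0, 1))
    return p


def fixed_guess_iteration_success(phi_guess, r):
    """Average success of a prover who ignores the key and always applies u_{-phi_guess},
    over Alice's uniform x in {1..2r+1} and Bob's uniform b.  Equals exactly 1/2."""
    total = 0.0
    for x in range(1, 2 * r + 2):
        for b in (0, 1):
            total += kernel_success_prob(phi_guess, phi_of(x, r), b)
    return total / (2.0 * (2 * r + 1))


def fixed_guess_accept_prob(phi_guess, r, s):
    """The x_j are independent, so over s iterations this prover passes with (1/2)^s."""
    return fixed_guess_iteration_success(phi_guess, r) ** s


def x_conjugation_inverts_phase(state, phi):
    """Check of the reduction in Sect. 3: X u_phi X = e^{i phi} u_{-phi}, so sandwiching the
    honest party's gate between two bit flips yields the inverse gate up to global phase."""
    lhs = pauli_x(phase_shift(pauli_x(state), phi))
    a, b = phase_shift(state, -phi)
    rhs = (a * cmath.exp(1j * phi), b * cmath.exp(1j * phi))
    return all(abs(u - v) < 1e-12 for u, v in zip(lhs, rhs))


def keygen(s, r, rng=None):
    """Private key (x_1, ..., x_s), each uniform in {1, ..., 2r+1} (Eq. (1))."""
    rng = rng or random.Random()
    return [rng.randrange(1, 2 * r + 2) for _ in range(s)]


def run_protocol(private_key, prover_phases, r, rng=None):
    """Sample one full execution: Bob draws a bit per iteration, the prover answers using
    prover_phases, and Bob accepts iff all s answers match."""
    rng = rng or random.Random()
    for x, phi_prover in zip(private_key, prover_phases):
        b = rng.randrange(2)
        challenge = bob_prepare(phi_of(x, r), b)
        answer = 0 if rng.random() < prover_answer_prob(challenge, phi_prover) else 1
        if answer != b:
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed: a constructed demo run, not a security source
    r, s = 3, 20
    key = keygen(s, r, rng)
    print("honest Alice accepted:", run_protocol(key, [phi_of(x, r) for x in key], r, rng))
    print("naive Eve accepted:   ", run_protocol(key, [0.0] * s, r, rng))
    print("naive Eve's acceptance probability:", fixed_guess_accept_prob(0.0, r, s))
```

Running the script prints one honest execution (always accepted), one execution by the naive prover (almost always rejected for \(s=20\)) and the latter’s exact acceptance probability \(2^{-20}\).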

3 Security

Let us clearly define what Eve is allowed to do in our attack model. Eve can

  • passively monitor Alice’s and Bob’s interactions (which means that Eve can read the classical bits sent by Alice, and read the bit that indicates whether Bob “accepts” or “rejects”), and

  • participate as the verifier in one or more complete instances of the protocol, and

  • participate as the prover, impersonating Alice, in one or more complete instances of the protocol.

Eve is assumed not to be able to actively interfere with Alice’s and Bob’s communications during the protocol, as this would allow Eve to concurrently act as verifier with Alice and as prover with Bob (thus trivially breaking any such scheme; Footnote 4).

Evidently, Eve’s passive monitoring only gives her independent and random bits (and the bit corresponding to “accept”), thus giving her no useful information (in that she may as well generate random bits herself). So, we can ignore the effects of her passive monitoring.

With regard to Eve acting as verifier, we will give Eve potentially more power by assuming that Alice, instead of performing both the phase shift and the measurement in Step 2 of the kernel \(\mathcal {K}(x)\), only performs the phase shift (Eve could perform Alice’s measurement herself, if she desired). Furthermore, we will assume that the phase shift Alice performs is

$$\begin{aligned} u_{\phi _x} = \begin{bmatrix} 1&0 \\ 0&e^{i\phi _x}\end{bmatrix}. \end{aligned}$$
(5)

Even though Alice actually performs the inverse phase shift \(u_{- \phi _x}\), note that the two phase shifts are equivalent in the sense that \(X u_{\phi _x} X\) equals \(u_{-\phi _x}\) up to global phase (explicitly, \(X u_{\phi _x} X = \mathrm{diag}(e^{i\phi _x}, 1) = e^{i\phi _x} u_{-\phi _x}\)), where \(X\) is the bit flip

$$\begin{aligned} X = \begin{bmatrix} 0&1 \\ 1&0\end{bmatrix}. \end{aligned}$$
(6)

Thus the protocol is unchanged had we assumed that Alice, instead of performing \(u_{-\phi _x}\) in Step 2 of the kernel \(\mathcal {K}(x)\), performs \(X u_{\phi _x} X\). Since Eve can perform \(X\) gates on her qubit immediately before and after she gives it to Alice, our assumption indeed gives Eve at least as much power to cheat. Thus, Eve can effectively extract up to \(r\) black boxes for \(u_{\phi _x}\) from Alice (recall Alice only participates in the protocol \(r\) times before refreshing her keys).

We will also give Eve potentially more power by giving her a black box for \(u_{\phi _x}\) in place of every copy of \(| \psi _{x} \rangle \) that she obtained legitimately. For each \(x \in \{x_1,x_2,\ldots ,x_s\}\), let \(t\) be the total number of black boxes for \(u_{\phi _x}\) that Eve has in her possession; that is, for simplicity, and without loss of generality, we assume she has the same number of black boxes \(u_{\phi _x}\) for each value of \(x\). Note that \(t \le (2r-1)\), since we always assume that at least one copy of the public key is left for Bob, so that Eve can carry out the protocol with him.

Therefore, to prove security in our setting, it suffices to consider attacks where Eve first uses her \(st\) black boxes to create a reference system in some \((\phi _{x_1}, \phi _{x_2}, \ldots , \phi _{x_s})\)-dependent state, denoted \(| \varPsi _R(\phi _{x_1}, \phi _{x_2}, \ldots , \phi _{x_s}) \rangle \), and then she uses this system while she participates as a prover, impersonating Alice, in one or many instances of the protocol in order to try to cause Bob to “accept”. We use the following definition of “security”:

Definition 1

(Security). An identification protocol (for honest prover Alice and honest verifier Bob) is secure with error \(\epsilon \) if the probability that Bob “accepts” when any adversary Eve participates in the protocol as a prover is less than \(\epsilon \).

The only assumption we make on Eve is that her cheating strategy is finite in the sense that her quantum computations are restricted to a finite-dimensional complex vector space; the dimension itself, though, is unbounded.

We will assume that Eve has always extracted the \(r\) black boxes for \(u_{\phi _x}\) from Alice (for all \(x=x_1,x_2,\ldots ,x_s\)), and we define \(t'\) to be the number of black boxes that Eve obtained legitimately (via copies of the public key), so that

$$\begin{aligned} t = r + t'. \end{aligned}$$
(7)

Note that Eve can make at most \((r-t')\) attempts at fooling Bob, i.e., causing Bob to “accept”. Let \(E(a,b)\) denote the event that Eve fools Bob on her \(a\)th attempt using \(b\) black boxes for \(u_{\phi _x}\) for all \(x=x_1,x_2,\ldots ,x_s\). Most of the argument, beginning in Sect. 3.1, is devoted to showing that

$$\begin{aligned} \mathrm{Pr }[E(1,t)]&\le (1-c/(t+2)^2)^s, \end{aligned}$$
(8)

for some positive constant \(c\) defined at the end of Sect. 3. In general, Eve learns something from one attempt to the next; however, because Eve can simulate her interaction with Bob at the cost of using one copy of \(|\psi _x\rangle \) per simulated iteration of \(\mathcal {K}(x)\), we have, for \(\ell =2,3,\ldots ,(r-t')\),

$$\begin{aligned}&\mathrm{Pr }[E(\ell ,t)] \le \mathrm{Pr }[E(1,t+\ell -1)]. \end{aligned}$$
(9)

Given this, we use the union bound:

$$\begin{aligned}&\mathrm{Pr }[{\text {Eve fools Bob at least once, using}} \ t \ \mathrm{black~boxes~for }\,\, u_{\phi _x}, \forall x] \end{aligned}$$
(10)
$$\begin{aligned}&\le \sum _{\ell =1}^{r-t'} \mathrm{Pr }[E(\ell , t)] \end{aligned}$$
(11)
$$\begin{aligned}&\le \sum _{\ell =1}^{r-t'} \mathrm{Pr }[E(1,t+\ell -1)] \end{aligned}$$
(12)
$$\begin{aligned}&\le \sum _{\ell =1}^{r-t'} (1-c/(t+\ell +1)^2)^s \end{aligned}$$
(13)
$$\begin{aligned}&\le (r-t')(1-c/(2r+1)^2)^s, \end{aligned}$$
(14)

since \(t+\ell \le 2r\). It follows that the probability that Eve can fool Bob at least once, that is, break the protocol, is

$$\begin{aligned} P_\mathrm{break} \le r(1-c/(2r+1)^2)^s, \end{aligned}$$
(15)

which, for fixed \(r\), is exponentially small in \(s\). Note that this bound is likely not tight, since it ultimately assumes that all of Eve’s attempts are equally as powerful. In particular, this bound assumes that Eve’s state \(| \varPsi _R(\phi _{x_1}, \phi _{x_2}, \ldots , \phi _{x_s}) \rangle \) does not degrade with use. A more detailed analysis using results about degradation of quantum reference frames [11] may be possible.

From Eq. (15) follows our main theorem (see Appendix A.3 for the proof):

Theorem 1

(Security of the protocol). For any \(\epsilon >0\) and any \(r \in \mathbf {Z}^+\), the identification protocol specified in Sect. 2.1 is secure with error \(\epsilon \) according to Definition 1 if

$$\begin{aligned} s > (2r+1)^2\log (r/\epsilon )/c, \end{aligned}$$
(16)

for some positive constant \(c\).

The theorem shows how the efficiency of the protocol scales with its reusability: it suffices to have

$$\begin{aligned} s \in O(r^2 \log (r/\epsilon )). \end{aligned}$$
(17)

The remainder of the paper establishes the bound in Eq. (8).

3.1 Sufficiency of Individual Attacks

At each iteration, we may assume Eve performs some measurement, in order to get an answer to send back to Bob. Generally, Eve can mount a coherent attack, whereby her actions during iteration \(j\) may involve systems that she used or will use in previous or future iterations as well as systems created using black boxes for \(u_{\phi _{x_k}}\) for any \(k\)—not just for \(k = j\). Since each \(x_j\) is independently selected from the set \(\{1, 2, \ldots , 2r+1\}\), intuition suggests that Eve’s measurement at iteration \(j\) may be assumed to be independent of her measurement at any other iteration and in particular does not need to involve any black boxes other than ones for \(u_{\phi _{x_j}}\). In other words, it seems plausible that the optimal strategy for Eve can consist of the “product” of identical optimal strategies for each iteration individually. This intuition can indeed be shown to be correct by combining a technique from Ref. [12], for expressing the maximum output probability in a multiple-round quantum interactive protocol as a semidefinite program, with a result in Ref. [13], which implies that the semidefinite program satisfies the product rule that we need; see Appendix A.1 for a proof.

The remainder of Sect. 3 establishes the following proposition:

Proposition 2

The probability that Eve guesses correctly in any particular iteration \(j\), using \(t\) black boxes for \(u_{\phi _{x_j}}\), is at most \((1-c/(t+2)^2)\) for some positive constant \(c\).

Assuming Proposition 2, the result proved in Appendix A.1 implies that the probability of Eve’s guessing correctly in all \(s\) iterations, using \(t\) black boxes for \(u_{\phi _x}\), for \(x = x_1,x_2,\ldots ,x_s\), is at most \((1-c/(t+2)^2)^s\), establishing the bound in Eq. (8).

3.2 Equivalence of Discrete and Continuous Private Phases

To help us prove Proposition 2, we now show that, from Bob’s and Eve’s points of view, Alice’s choosing the private phase angle \(\phi _x\) from the discrete set \(\{2 \pi x/(2r+1): x=1,2,\ldots ,2r+1\}\) is equivalent to her choosing the phase angle from the continuous interval \([0,2\pi )\). We have argued that the only information that Eve or Bob—or anyone but Alice—has about \(\phi _x\) may be assumed to come from a number of black boxes for \(u_{\phi _x}\) that can be no greater than \(2r\) (there are \(r\) legitimate copies of the public key, and one can extract \(r\) more black boxes from Alice); let this number be \(d\), where \(1 \le d \le 2r\).

In order to access the information from the black boxes, they must, in general, be used in a quantum circuit in order to create some state. Using the \(d\) black boxes, the most general (purified) state that can be made is without loss of generality of the form

$$\begin{aligned} | \psi (\phi _x) \rangle = \sum _{k=0}^{N-1} \left( \sum _{j=0}^{d} \beta _{j,k} e^{i j \phi _x} \right) |a_k\rangle , \end{aligned}$$
(18)

where \(\{|a_k\rangle : k = 0,1,..., N-1\}\) is an orthonormal basis of arbitrary but finite size (the assumption of finite \(N\) comes from our restricting Eve to using only finite cheating strategies). In general, the numbers \(N\) and \(\beta _{j,k}\) may depend on \(d\). Here we have followed Ref. [14] by noting that each amplitude is a polynomial in \(e^{i \phi _x}\) of degree at most \(d\); this fact follows from an inductive proof just as in Ref. [15], where the polynomial method is applied to an oracle revealing one of many Boolean variables.

Averaging over Alice’s random choices of \(x\), one would describe the previous state by the density operator

$$\begin{aligned} \frac{1}{2r+1}\sum _{x = 1}^{2r+1} | \psi (\phi _x) \rangle \langle \psi (\phi _x) |, \end{aligned}$$
(19)

since \(x\) is chosen uniformly randomly from \(\{1,2,\ldots ,2r+1\}\). Had \(\phi _x\) been chosen uniformly from \(\{2 \pi x/(2r+1): x\in [0,2r+1)\} = [0,2\pi )\), one would describe the state by

$$\begin{aligned} \int _0^{2 \pi } \frac{d\phi }{2\pi } | \psi (\phi ) \rangle \langle \psi (\phi ) |. \end{aligned}$$
(20)

It is straightforward to show (Footnote 5) that the above two density operators are both equal to

$$\begin{aligned} \sum _{k, k' = 0}^{N-1} \sum _{j = 0}^{d} \beta _{j,k} \beta _{j, k'}^* | a_{k} \rangle \langle a_{k'} |. \end{aligned}$$
(23)
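As a worked check of this equality (an added derivation, not part of the original paper; the symbols are those of Eqs. (18)–(20)), substitute Eq. (18) into Eq. (19) and into Eq. (20):

$$\begin{aligned} \frac{1}{2r+1}\sum _{x = 1}^{2r+1} | \psi (\phi _x) \rangle \langle \psi (\phi _x) | &= \sum _{k, k' = 0}^{N-1} \sum _{j, j' = 0}^{d} \beta _{j,k} \beta _{j', k'}^* \left( \frac{1}{2r+1}\sum _{x = 1}^{2r+1} e^{i (j - j') \phi _x} \right) | a_{k} \rangle \langle a_{k'} | , \\ \int _0^{2 \pi } \frac{d\phi }{2\pi } | \psi (\phi ) \rangle \langle \psi (\phi ) | &= \sum _{k, k' = 0}^{N-1} \sum _{j, j' = 0}^{d} \beta _{j,k} \beta _{j', k'}^* \left( \int _0^{2 \pi } \frac{d\phi }{2\pi } e^{i (j - j') \phi } \right) | a_{k} \rangle \langle a_{k'} | . \end{aligned}$$

Both bracketed averages equal \(\delta _{j,j'}\). The integral vanishes for every nonzero integer \(j-j'\). For the discrete sum, write \(\omega = e^{2\pi i/(2r+1)}\), so that it reads \(\frac{1}{2r+1}\sum _{x=1}^{2r+1} \omega ^{(j-j')x}\), which is \(1\) when \(j - j' \equiv 0 \pmod {2r+1}\) and \(0\) otherwise; since \(0 \le j, j' \le d \le 2r\), we have \(|j-j'| \le 2r < 2r+1\), so only the terms with \(j = j'\) survive. Setting \(j = j'\) in either expression gives Eq. (23). The counting is tight: had Alice drawn \(x\) from a set of only \(m \le d\) equally spaced phases, the terms with \(|j-j'| = m\) would survive the discrete average but not the continuous one, and an adversary holding \(d \ge m\) black boxes could in principle exploit the difference; this is why the key alphabet has \(2r+1 > 2r \ge d\) elements.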

Thus, without loss of generality, we may drop the subscript “\(x\)” on “\(\phi _x\)”, write “\(\phi \)” for Alice’s private phase angle, and assume she did (somehow) choose \(\phi \) uniformly randomly from \([0,2\pi )\) (Footnote 6). We are now ready to prove Proposition 2.

3.3 Bound on Relative Phase Shift Estimation

Eve’s task of cheating in one iteration of the kernel may be phrased as follows. Eve is to decide the difference between the relative phases encoded in two subsystems \(R\) and \(S\), where \(S\) is a given one-qubit system and \(R\) is under her control. The given subsystem \(S\) is in the state

$$\begin{aligned} | \psi _S(\phi ,\theta ) \rangle = |0\rangle + e^{i(\phi + \theta )}|1\rangle , \end{aligned}$$
(24)

where \(\theta \) is unknown and uniformly random in \(\{0, \pi \}\), and \(\phi \) is unknown and uniformly random in \([0,2\pi ]\). Eve can make the state \(| \psi _R(\phi ) \rangle \) of subsystem \(R\) by using arbitrary operations interleaved with at most \(t\) black boxes for the one-qubit gate \(u_\phi \). Note that the problem is nontrivial because \(\phi \) is unknown and uniformly random and the qubit \(S\) is given to Eve after she has used all her black boxes. We seek the optimal success probability for Eve to guess \(\theta \) correctly.

Eve’s estimation problem can be treated within the framework of quantum estimation of group transformations [17]. As such, we regard her problem as finding the optimal measurement (probability) to correctly distinguish the states in the two-element orbit

$$\begin{aligned} \{V_\theta \rho V_\theta ^\dagger : \theta \in \{0,\pi \}\}, \end{aligned}$$
(25)

where \(V_\theta = I_R \otimes (| 0 \rangle \langle 0 |+e^{i \theta } | 1 \rangle \langle 1 |)\) and

$$\begin{aligned} \rho = \int \frac{d\phi }{2\pi } |\psi _R(\phi )\rangle \langle \psi _R(\phi ) |\otimes |\psi _S(\phi ,0)\rangle \langle \psi _S(\phi ,0) |. \end{aligned}$$
(26)

The probabilities of her estimation procedure can be assumed to be generated by a POVM \(\{E_0, E_\pi \}\). In general, it is known how to solve for the POVM that performs optimally on average when the unitarily-generated orbit consists of pure states, but not when the orbit is generated from a mixed state (\(\rho \), in our case). Thus, we now effectively reduce the problem to several instances of an estimation problem where the orbit is pure.

Indeed, suppose that \(| \psi _R(\phi ) \rangle \) were a state on \(q\) qubits that satisfied the property

$$\begin{aligned} |\psi _R(\phi )\rangle \langle \psi _R(\phi ) | = (u_\phi )^{\otimes q}|\psi _R(0)\rangle \langle \psi _R(0) |(u_\phi ^\dagger )^{\otimes q} \end{aligned}$$
(27)

for all \(\phi \in [0,2\pi ]\). Then, letting \(U_\phi \equiv (u_\phi )^{\otimes (q+1)}\) and \(| \psi _{RS}(\phi ,\theta ) \rangle \equiv |\psi _R(\phi )\rangle |\psi _S(\phi ,\theta )\rangle \), we would have that

$$\begin{aligned} \rho&= \int \frac{d\phi }{2\pi } U_\phi |\psi _{RS}(0,0)\rangle \langle \psi _{RS}(0,0) |U_\phi ^\dagger \end{aligned}$$
(28)
$$\begin{aligned}&= \sum _w P_w |\psi _{RS}(0,0)\rangle \langle \psi _{RS}(0,0) | P_w \end{aligned}$$
(29)
$$\begin{aligned}&= \sum _w P_w \rho P_w, \end{aligned}$$
(30)

where \(P_w\) is the projection onto the subspace of Hamming weight \(w = 0,1,\dots , q+1\), and we used the formulas \(U_\phi = \sum _w P_w e^{i w \phi }\) and \(\delta _{w,0}=\int (d\phi /2\pi )e^{i w \phi }\). In other words, the state \(\rho \) would be block diagonal with respect to the direct-sum decomposition of the total state space of \(RS\) (the \(q+1\) qubits on which \(U_\phi \) acts) into subspaces of constant Hamming weight \(w\). Then we would have that the probability that Eve guesses \(\theta = \theta '\) given that \(\theta = \theta ''\) is

$$\begin{aligned} \mathrm{Pr }[\mathrm{Eve \ guesses }\;\theta =\theta ' | \theta =\theta '']&= \text {Tr}\left[ E_{\theta '} \left( V_{\theta ''} \rho V_{\theta ''}^\dagger \right) \right] \end{aligned}$$
(31)
$$\begin{aligned}&= \text {Tr}\left[ E_{\theta '} V_{\theta ''} \sum _w P_w \rho P_w V_{\theta ''}^\dagger \right] \end{aligned}$$
(32)
$$\begin{aligned}&= \text {Tr}\left[ \left( \bigoplus _{w} E_{w, \theta '} \right) \left( V_{\theta ''} \rho V_{\theta ''}^\dagger \right) \right] , \end{aligned}$$
(33)

where \(E_{w,\theta '} \equiv P_w E_{\theta '} P_w\), and we used cyclicity of trace and the fact that \(V_\theta \) and \(P_w\) commute. Thus, the elements of Eve’s POVM \(\{E_0, E_\pi \}\) would without loss of generality have the same block diagonal structure as \(\rho \). In principle, this would allow Eve to measure first (just) the Hamming weight of \(\rho \) in order to find \(w\), and then deal with the group transformation estimation problem with respect to the pure orbit

$$\begin{aligned} \mathcal {O}_w \equiv \{V_\theta | \varPsi _w \rangle : \theta \in \{0,\pi \}\}, \end{aligned}$$
(34)

where \(| \varPsi _w \rangle \) is the state such that \(| \varPsi _w \rangle \propto P_w |\psi _{RS}(0,0)\rangle \); we note that \(| \varPsi _w \rangle \) is independent of \(\phi \) (and \(\theta \)). The following lemma shows that, without loss of generality, we may assume that the situation just described is indeed the case:

Lemma 1

Without loss of generality, Eve’s state \(|\psi _R(\phi )\rangle \), which she prepares with at most \(t\) black boxes for \(u_\phi \), may be assumed to be on \(q = (2t+1)\) qubits and satisfy

$$\begin{aligned} |\psi _R(\phi )\rangle \langle \psi _R(\phi ) | = (u_\phi )^{\otimes q}|\psi _R(0)\rangle \langle \psi _R(0) |(u_\phi ^\dagger )^{\otimes q} \end{aligned}$$
(35)

for all \(\phi \in [0,2\pi ]\) .

Proof

As noted in the previous section, using the \(t\) black boxes, the most general (purified) state of \(R\) that Eve can make is without loss of generality

$$\begin{aligned} \sum _{k=0}^{N-1} \left( \sum _{j=0}^{t} \beta _{j,k} e^{i j \phi } \right) |a_k\rangle _R, \end{aligned}$$
(36)

where, again, \(N\) is a priori unknown but finite (we use subscripts on the kets in this proof to indicate the physical systems). Note that we can rewrite the state in Eq. (36) by changing the order of the summations as

$$\begin{aligned} \sum _{j=0}^{t} \beta _j e^{i j \phi } |\tilde{g}_j\rangle _R, \end{aligned}$$
(37)

where we have defined the numbers \(\beta _j\) and the not-necessarily-orthogonal set of unit vectors \(\{ |\tilde{g}_j\rangle : j=0,1,...,t\}\) such that

$$\begin{aligned} \beta _j |\tilde{g}_j\rangle _R = \sum _{k=0}^{N-1} \beta _{j,k} |a_k\rangle _R . \end{aligned}$$
(38)

Using the Gram-Schmidt orthonormalization procedure on \(\{|\tilde{g}_j\rangle \}_j\) to get the orthonormal set \(\{|g_j\rangle \}_j\), we can write

$$\begin{aligned} |\tilde{g}_j\rangle _R = \sum _{h=0}^t \gamma _{j,h} |g_h\rangle _R. \end{aligned}$$
(39)

Introduce a new system \(R'\) consisting entirely of qubits and define \(U\) to be any unitary map acting on \(R \otimes R'\) that takes \(|0\rangle _R |c_h\rangle _{R'} \mapsto |g_h\rangle _R |0\rangle _{R'}\), where \(\{ |c_h\rangle _{R'} \}_{h=0,1,\ldots ,t}\) is an orthonormal set of size \(t+1\) with elements that are computational basis states whose labels have constant Hamming weight; note that \(R'\) needs only \(O(\log (t+1))\) qubits whereas \(R\) is of unknown (but finite) size (however, following this proof, we will construct \(R'\) using \(t+1\) qubits, as this makes things simpler). We first claim that, without loss of generality,

$$\begin{aligned} | \psi _R(\phi ) \rangle =\sum _{j,h} \beta _j \gamma _{j,h} e^{i j\phi }|S^t_j\rangle _{A} |c_h\rangle _{R'}, \end{aligned}$$
(40)

where \(A\) is a \(t\)-qubit ancilla, and \(|S^t_j\rangle _A\) is the symmetric state of weight \(j\).  To see this, note that Eve’s optimal measurement can include the following pre-processing operations (in sequence), so that she recovers the most general state in Eq. (36) (and Eq. (37)) on \(R\) but for a different random value of \(\phi \):

  • add an ancillary register \(R\) in state \(|0\rangle _{R}\) in between the two registers \(A\) and \(R'\) and perform \(U\) on \(R\otimes R'\) to get (after throwing out system \(R'\))

    $$\begin{aligned} \sum _j \beta _j \sum _h \gamma _{j,h} e^{i j\phi }|S^t_j\rangle _{A} |g_h\rangle _R = \sum _j \beta _j e^{i j\phi }|S^t_j\rangle _{A} |\tilde{g}_j\rangle _R \end{aligned}$$
    (41)
  • on \(A\), do the \((t+1)\)-dimensional inverse quantum Fourier transform in the symmetric basis on \(A\), i.e. mapping

    $$\begin{aligned} |S^t_j\rangle _A \mapsto \frac{1}{\sqrt{t+1}} \sum _y e^{- i 2 \pi y j/(t+1)}| S^t_y \rangle _A, \end{aligned}$$
    (42)

    to get

    $$\begin{aligned} \sum _j \sum _y \beta _j e^{i j(\phi - 2\pi y/(t+1))}|S^t_y\rangle _{A} |\tilde{g}_j\rangle _R \end{aligned}$$
    (43)

    and measure the Hamming weight of \(A\) to get result \(y_0\), which leaves the state (after throwing out system \(A\))

    $$\begin{aligned} \sum _j \beta _j e^{i j(\phi - 2\pi y_0/(t+1))} |\tilde{g}_j\rangle _R \end{aligned}$$
    (44)
  • correct the relative phase on qubit \(S\) by \(2 \pi y_0/(t+1)\).

Doing these operations does not change the estimation problem, since \(\phi \) is uniformly random anyway; these operations just change the unknown \(\phi \) to \(\phi ' = \phi - 2 \pi y_0 /(t+1)\).

Finally, note that Eq. (40) implies that \(| \psi _R(\phi ) \rangle \) can be made from \(| \psi _R(0) \rangle \) with at most \(t\) black boxes for \(u_\phi \), by applying \((u_\phi )^{\otimes t}\) on the \(t\) qubits of system \(A\), and note that \(| \psi _R(\phi ) \rangle \) satisfies Eq. (27), since the states \(|c_h\rangle \) are of constant Hamming weight.

Remark 1

(Quantum Fourier transform as analytical tool) Note that Eve’s optimal strategy is not necessarily to measure \(R\) to get an estimate \(\phi '\) of \(\phi \) first, then apply \(u_{-\phi '}\) on \(S\), and then measure \(S\) to estimate \(\theta \). However, the operation that is optimal for estimating \(\phi \) (see Ref. [14]), i.e. the inverse quantum Fourier transform applied above, is still useful as an analytical tool in order to derive (a convenient form of) an optimal state for her estimation of \(\theta \).

Thus, by Lemma 1, we assume Eq. (40) holds, which allows us to derive the following proposition. For convenience, we define

$$\begin{aligned} \alpha _{j,h}\equiv \beta _j \gamma _{j,h}. \end{aligned}$$
(45)

Proposition 3

The elements of the POVM \(\{E_0,E_\pi \}\) are without loss of generality defined as

$$\begin{aligned} E_0&= |\varXi _{0}\rangle | 0 \rangle \langle \varXi _0 |\langle 0 | +\sum _{w=2}^{t+1}| w,+ \rangle \langle w,+ | \end{aligned}$$
(46)
$$\begin{aligned} E_\pi&= \sum _{w=2}^{t+1}| w,- \rangle \langle w,- | +|\varXi _t\rangle | 1 \rangle \langle \varXi _t |\langle 1 | , \end{aligned}$$
(47)

where

$$\begin{aligned} |w,\pm \rangle \equiv \frac{1}{\sqrt{2}} (| \varXi _{w-1} \rangle | 0 \rangle \pm | \varXi _{w-2} \rangle | 1 \rangle ), \end{aligned}$$
(48)

and \(|\varXi _{w-1}\rangle \) and \(|\varXi _{w-2}\rangle \) are states such that, for \(j=0,1,\ldots ,t\),

$$\begin{aligned} |\varXi _{j}\rangle \propto \sum _h \frac{\alpha _{j,h}}{\sqrt{2}}|S^t_j\rangle |c_h\rangle . \end{aligned}$$
(49)

The proof of Proposition 3 is similar to the argument given in Ref. [11] and is given in Appendix A.2 . The total success probability of Eve’s strategy can now be computed as

$$\begin{aligned}&\quad \sum _{\theta ' \in \{0,\pi \}}\Pr [\text {Eve guesses }\theta =\theta ' \mid \theta =\theta ']\,\Pr [\theta =\theta '] \end{aligned}$$
(50)
$$\begin{aligned}&= \frac{1}{2} \sum _{\theta ' \in \{0,\pi \}} \text {Tr}(E_{\theta '} V_{\theta '} \rho V_{\theta '}^\dagger ) \end{aligned}$$
(51)
$$\begin{aligned}&= \frac{1}{2} \sum _{\theta ' \in \{0,\pi \}} \text {Tr}(E_{\theta '} V_{\theta '} |\psi _{RS}(0,0)\rangle \langle \psi _{RS}(0,0) | V_{\theta '}^\dagger ) \end{aligned}$$
(52)
$$\begin{aligned}&=\frac{1}{2} + \frac{1}{4}\langle \psi _R(0) |M_t |\psi _R(0)\rangle , \end{aligned}$$
(53)

where

$$\begin{aligned} M_t \equiv \sum _{j=0}^{t-1} |\varXi _{j+1}\rangle \langle \varXi _{j} | +|\varXi _{j}\rangle \langle \varXi _{j+1} |. \end{aligned}$$
(54)

As a last task, we now seek the value of \(|\psi _R(0)\rangle \)—i.e. the values of \(\alpha _{j,h}\)—such that \(\langle \psi _R(0) |M_t |\psi _R(0)\rangle \) is maximal. The proof of the following proposition is in Appendix A.4:

Proposition 4

The state \(|\psi _R(0)\rangle \propto \sum _{j=0}^t \sin \left[ \frac{(j+1)\pi }{t+2}\right] |\varXi _j\rangle \) achieves the maximum value in Eq. (53).

Thus (as in Ref. [11]—see Appendix A.4), we get a maximal success probability of

$$\begin{aligned}&\quad \frac{1}{2} + \frac{1}{2}\cos (\pi /(t+2)) \end{aligned}$$
(55)
$$\begin{aligned}&\le \frac{1}{2} + \frac{1}{2}\left( 1 -\frac{(\pi /(t+2))^2}{2!} + \frac{(\pi /(t+2))^4}{4!} \right) \end{aligned}$$
(56)
$$\begin{aligned}&= 1 - \frac{\pi ^2}{4}\frac{1}{(t+2)^2} + \frac{\pi ^4}{48}\frac{1}{(t+2)^4} \end{aligned}$$
(57)
$$\begin{aligned}&\le 1 - \left( \frac{\pi ^2}{4} -\frac{\pi ^4}{48}\right) \frac{1}{(t+2)^2} \end{aligned}$$
(58)
$$\begin{aligned}&= 1 - c/(t+2)^2, \end{aligned}$$
(59)

for the constant \(c = (\pi ^2/4 - \pi ^4/48) \doteq 0.438\) and all \(t\ge 1\). This completes the proof of Proposition 2 and thus the proof of Theorem 1.
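The chain from Eq. (53) to Eq. (59) can be checked numerically. The following is an added example (not part of the paper): it assumes \(M_t\) of Eq. (54) is written in the orthonormal basis \(\{|\varXi _0\rangle ,\ldots ,|\varXi _t\rangle \}\) as the \((t+1)\times (t+1)\) matrix with ones on both off-diagonals, takes the sine state of Proposition 4 as \(|\psi _R(0)\rangle \), and verifies that it is an eigenvector with eigenvalue \(2\cos (\pi /(t+2))\), so that Eq. (53) reproduces Eq. (55) and respects the bound of Eq. (59).

```python
"""Numerical check of Eqs. (53)-(59): added example, not the paper's code.

Assumption: M_t (Eq. 54) is represented in the orthonormal basis
{|Xi_0>, ..., |Xi_t>}, where it is the (t+1)x(t+1) matrix with 1 on the
two off-diagonals and 0 elsewhere.
"""
import math

# Constant c of Eq. (59): pi^2/4 - pi^4/48, approximately 0.438
C = math.pi ** 2 / 4 - math.pi ** 4 / 48


def sine_state(t):
    """Normalised amplitudes of Proposition 4's state in the |Xi_j> basis."""
    amps = [math.sin((j + 1) * math.pi / (t + 2)) for j in range(t + 1)]
    norm = math.sqrt(sum(a * a for a in amps))
    return [a / norm for a in amps]


def apply_m_t(psi):
    """Apply M_t (Eq. 54): (M psi)_j = psi_{j-1} + psi_{j+1}, zero-padded."""
    n = len(psi)
    return [(psi[j - 1] if j > 0 else 0.0) + (psi[j + 1] if j < n - 1 else 0.0)
            for j in range(n)]


def is_eigenvector(t, tol=1e-12):
    """True if M_t psi = 2 cos(pi/(t+2)) psi for the sine state."""
    psi = sine_state(t)
    lam = 2 * math.cos(math.pi / (t + 2))
    return all(abs(a - lam * b) < tol for a, b in zip(apply_m_t(psi), psi))


def success_probability(t):
    """Eq. (53): 1/2 + 1/4 <psi_R(0)| M_t |psi_R(0)> on the sine state."""
    psi = sine_state(t)
    expectation = sum(p * q for p, q in zip(psi, apply_m_t(psi)))
    return 0.5 + 0.25 * expectation


def upper_bound(t):
    """Eq. (59): 1 - c/(t+2)^2, valid for all t >= 1."""
    return 1 - C / (t + 2) ** 2


def check_chain(t, tol=1e-12):
    """Eq. (53) equals Eq. (55) and lies below Eq. (59) for this t."""
    p = success_probability(t)
    closed_form = 0.5 + 0.5 * math.cos(math.pi / (t + 2))  # Eq. (55)
    return abs(p - closed_form) < tol and p <= upper_bound(t)
```

For t = 1 the matrix is the Pauli X in the two-dimensional \(\{|\varXi _0\rangle ,|\varXi _1\rangle \}\) basis, so Eve's optimal success probability is exactly 3/4.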