We consider the task of continuous variable (CV) private communication over a lossy bosonic channel with additive noise, with a quantum-limited adversary. We consider a forward wiretap channel from Alice to Bob with an eavesdropper Eve. There is also a backward public side channel from Bob to Alice. All parties, including Eve, have perfectly noiseless access to communication on this side channel. This immediately presents a problem. All communication channels in reality have a non-zero level of noise. With error-correction the noise can be reduced, but never completely removed. Therefore this model is clearly unphysical. Indeed, most of the information theoretic capacity analyses of private communication and secret-key generation have traditionally assumed such a zero-error feedback. Admittedly, the process of abstraction that allows a problem to be mathematically analyzed inevitably causes such unphysical features to emerge. However, we will find in this paper that this particular feature can be problematic in that ameliorating it can create a significant difference in achievable rates.
More explicitly, we propose a protocol over a lossy bosonic channel and consider an alteration of the feedback-assisted private communication model in which Eve’s copy of the public communication sent by Bob to Alice on just the initial round of the protocol is corrupted by a small amount of noise, a small step towards physical relevance. Eve obtains the remainder of the public communication noiselessly, and is otherwise quantum equipped, i.e., has perfect quantum memories and the ability to make arbitrary collective quantum measurements. We show that with such a seemingly inconsequential weakening of the eavesdropper, Alice and Bob can achieve a rate of secure bits per mode 111Throughout this paper, logarithms are base 2. using a simple laser-light modulation and homodyne detection, being the mean input photon number per mode. This is a loss unlimited rate, in sharp contrast to the loss limited upper bound known for the original model: [1, 2]. The exact same protocol also works if the channel has noise in addition to loss. We will argue that the noise can even be non-Gaussian.
A closely related classical result 222Note that in the classical case the feedback-assisted private capacity of the Gaussian wiretap channel also has a loss limited capacity. This can be seen for instance by upper bounding it by the secret key capacity and upper bounding that via Theorem 4 of . was proven in . However, their altered communication model assumes Eve’s copy of the feedback is corrupted by Gaussian additive noise and on every round. Thus this is a more specialized and significant departure from the usual model. They do consider more general correlated noise between the different channels involved, but this can be integrated into our model as well. In addition to the difference in model alteration, in the discussion section we will see that we can slightly strengthen Eve from what is discussed above, by giving her copies of the initial transmission and noise, and still obtain our main result with the same protocol. Note that our results trivially apply to a classical additive white Gaussian noise (AWGN) channel and since adding more noise to Eve’s feedback can only increase the achievable rate, implies the result in .
Ii Main Result
Alice is to send a message to Bob over a bosonic (quantum) wiretap channel , which is to be kept private from Eve, by transmitting bosonic states on the forward channel and using a backward noiseless classical feedback channel. Eve obtains the quantum output of the complement of the isometric extension of , and can eavesdrop on the feedback channel, but she obtains a noisy version of the classical feedback for the initial round. Denoting the classical feedback system as , for this round Eve obtains the output of a classical noisy channel . Furthermore, we assume that the capacity of the noisy channel from Bob to Eve, is finite for a finite input power, that is,
is finite for finite 333Note that the capacity is finite at all finite cost constraints iff it is finite at some finite cost constraint. The forward direction is trivial. For the reverse direction, assume for contradiction that there is some finite cost constraint at which the capacity is infinite. Then, by time-sharing we can conclude that is infinite at all finite cost constraints, a contradiction. . Note that this condition is very mild. For instance, if , with , is AWGN, can be arbitrarily small as long as it is nonzero. Hence, we only need an iota of noise. We shall refer to this setting as asymmetric feedback-assisted private communication. We say asymmetric because the feedback is noiseless to Alice but noisy to Eve on the initial round. A diagram of the communication model for the initial round is shown in fig. 1. is some leftover system that Bob keeps. For subsequent rounds no noise is applied to Eve’s copy of .
is uniformly distributed and require:
where is the number of rounds and is the aggregation of Eve’s systems after all rounds. Note that this is in general weaker than the privacy criterion used in quantum Shannon theory analyses, for instance , which requires the trace distance between Eve’s states and a constant state independent of the message to vanish. We leave open whether we can obtain our result with this stronger privacy criterion.
We will consider the case where the forward channel is a single mode thermal bosonic wiretap channel: denoting Alice’s, Bob’s and Eve’s optical modes as and , respectively, the channel is described by the Heisenberg evolutions:
where is the optical mode of the environment, which is in a thermal state with thermal number , and is the transmissivity. A thermal state is given by We enforce an average photon number constraint on Alice’s input over the rounds: . We now state our main theorem.
where , is achievable with mean photon per mode for asymmetric feedback-assisted private communication over the thermal bosonic wiretap channel, under the aforesaid model.
The rate is achieved by generalizing the Schalkwijk-Kailath protocol  to the quantum setting.
Codebook: Divide the interval into equal length intervals for some . Given a message , let be the midpoint of the -th interval. The codebook is then given by the coherent states .
Encoding and Decoding
: When we say Alice transmits a random variableon , we mean she sends the mixed state
where is a coherent state. Note that . Given message , on round , Alice sends the constant random variable which takes the value . Bob receives , and Eve receives . Bob then performs an homodyne measurement on his output, to obtain, with appropriate scaling, the output of an induced additive white Gaussian noise (AWGN) channel with input : . Now, on every round, Bob will simply send a copy of his measurement result through the feedback channel. Via the feedback channel Alice receives , while Eve receives .
Denote the random noise that is added in the -th induced AWGN channel from Alice to Bob by . Note that since Alice has access to both and , she can always explicitly compute . For round , Alice computes the conditional expectation , where , that is, is not included, and . She then transmits
where are chosen such that . Note that this guarantees that the photon number constraint is satisfied and with equality. Bob receives the state
on which he will do a homodyne measurement to obtain , while Eve receives
At the end of the protocol (), Bob computes
His guess of the message will then be , where is closest to .
Error Analysis: Note that this protocol is simply the Schalkwijk-Kailath protocol over an induced classical AWGN channel with noise . Therefore, by the analysis in [8, 9], the probability of error of this protocol is upper bounded by
Hence, if . For completeness, we reproduce this argument in Appendix A.
Privacy Analysis: For round , the message is no longer involved in the protocol as Alice is simply trying to transmit the noise , which is independent of the message , to Bob. Hence we can upper bound the mutual information between the message and Eve’s systems as follows:
The inequality follows from monotonicity of mutual information. The last equality follows from our observation that the subsequent transmissions are only about and independent of the message. We explicitly compute the state at the end of round . We start with a uniformly distributed message:
Alice encodes the message into a coherent state:
is then sent into the thermal bosonic wiretap channel:
Bob then does a homodyne measurement, which produces the system (None of the parties have posession of .):
Note that are classical states and are not coherent states. Bob sends a noisy copy to Eve to obtain the state:
is the probability distribution of the output of the noisy feedback channel given inputand we made the substitution .
Using (4), we can bound
where we used the facts that and are independent, ,
form a Markov chain, and thatsince the conditioned systems are classical. Now, the first term is simply the mutual information between the input and output of the noisy channel to Eve on the initial round. Hence, it is upper bounded by the capacity of feedback channel from Bob to Eve with cost constraint :
This capacity is finite by assumption. We can bound the second term in (5) by observing
Since both terms of independent of , we conclude
thereby establishing privacy. ∎
We have proven that with respect to the communication model of asymmetric feedback where Eve obtains a slightly noisy copy of the feedback on the initial round of the protocol, it is possible to achieve a much higher rate of private communication over a lossy thermal-noise bosonic wiretap channel, even one that is loss unlimited (2). It is worthwhile to make some observations about this result, as well as discuss its implications, limitations, and possible extensions.
Eq. (2) is achievable with a probability of decoding error that decays doubly exponentially with the number of channel uses. That is, the rate is achievable with an infinite error exponent. Indeed, this was the main thrust of the result in  for the setting of feedback-assisted classical communication. It was then extended by , where it was shown that we can actually achieve a probability of error that goes as an exponential tower with an order that increases linearly with the blocklength. This was shown to be optimal by a corresponding lower bound on the error probability. This lower bound would also apply in our case since it only concerns the part where Alice reliably sends a message to Bob. The only essential difference between the protocol in  and that of Schalkwijk and Kailath is that the former preserves the discrete structure of the message. In particular, in both, only the initial transmission contains information about the message. It is then straightforward to make the same extension to our setting. That is, we can achieve (2) with a block probability of error
for sufficiently large , where denotes the tetration operation,
Note that this expression has minor differences compared to the bound in  because we use bits instead of nats. Some simplifications were also made for presentation.
Another possible extension follows from observing that the achieved rate (2) is not optimal. This is because it is known that squeezed state encoding can achieve higher rates over the thermal noise lossy bosonic channel with a homodyne receiver . However, the induced classical channel with squeezed states encoding is AWGN, so our argument trivially applies to this case. With optimal squeezed-state encoding, we can achieve a rate :
When Bob uses a homodyne detection receiver, a squeezed state encoding is conjectured to be the optimal encoding for any Gaussian bosonic channel. If this conjecture is proven true, Eq. (7) would be optimal for asymmetric feedback-assisted private communication assuming that Bob makes a homodyne detection since the private capacity is trivially upper bounded by the classical capacity.
Iii-B Non-Gaussian Channels
An apparent limitation of our result is that it strongly relies on the induced classical channel from Alice to Bob being an AWGN channel. This fact was heavily used in for instance the error analysis of the Schalkwijk-Kailath protocol. However, as noted in Remark 17.3 of , this exact protocol, that is, the protocol with the conditional expectations realized in the AWGN case, can be applied for channels with non-Gaussian additive noise. In fact, it would work for any affine channel whose output is given by
where is the input, is some general additive noise independent of , and
is some scaling. The error analysis follows by observing that the estimateis linear in as shown in 
. Hence, in the affine channel case the variance ofhas the exact same expression in terms of as in the AWGN case, and so , where
is the capacity of the AWGN channel with the corresponding noise statistics. Then, by Chebyshev’s inequality,
This works for general affine channels, albeit at the cost of losing the doubly exponential decay. The privacy analysis can also be generalized since the argument did not make use of Gaussianity. Note that (9) is in general less than the actual capacity of the channel, but it is still loss unlimited. In particular, our result applies to a general lossy bosonic wiretap channel where the additive noise (state of the mode) can be any state, that is, it does not even need to be Gaussian. This is shown in fig. 2.
It is simple to see that the induced classical channel in this case is an affine channel. This subsumes a large class of physical optical channels.
However, it would be interesting to extend our result to a general quantum wiretap channel. Unfortunately, there are channels for which it is not possible to induce a classical affine channel via a particular encoding and decoding. A trivial example is the constant channel which outputs a state regardless of the input. Admittedly, such a channel is useless for communication, so it is not surprising that our protocol fails there. For the specific case of coherent encoding and homodyne detection, we can find explicit nontrivial channels for which we do not induce an affine channel. For instance, consider the channel, a unitary self-Kerr interaction, which maps a coherent state to a cat state: . It is not difficult to see that a homodyne measurement of a cat state will always have an expected value of zero. If the channel is affine: , then given , either or . If , then the measurement result is always zero, which is clearly wrong. The latter possibility is also impossible since additive noise must be independent of the message. The conclusion follows. Thus, it is not clear whether our protocol can be extended to general quantum channels.
Iii-C Communication Model
We assumed that Eve can eavesdrop on both the (noisy, quantum) forward and (classical) backward channels, but that her copy of the initial round of classical feedback has some noise. From a physical standpoint, this is a natural assumption since there is always some noise in the physical layer. It might appear unnatural that the feedback error happens on the initial round, but this could be realized by Alice and Bob somehow knowing the time window in which the feedback noise might occur and starting the protocol during that window. Our constraint on feedback noise is reasonable as well, that any physical Eve-to-Bob channel should not have infinite capacity.
One might say that in order to make the model more physically relevant, there should be noise in the feedback channel to Alice as well. Indeed, it is this very noiselessness that is key to the result that we obtain. The channel to Alice is a noiseless CV classical channel, which has an infinite capacity, while we constrained the channel to Eve to have finite capacity. It is this infinite difference that allows us to get a loss unlimited rate 444Note that this is an infinite difference in capacity between the channels from Bob to Alice and Eve, and we are trying to achieve forward private communication from Alice to Bob. Thus it is not clear a priori that this should be possible.. Hence, it is unlikely that we can achieve loss unlimited rates if we allow noise in the channel to Alice as well. Indeed, it is known that linear schemes such as Schalkwijk-Kailath cannot achieve any positive rates in this regime . However, this does not undermine our thesis that (2) indicates issues with the usual assumption of noiselessness of the public side channel. The fact that a classical noiseless CV channel has infinite capacity introduces significant unphysical features to the model and makes achievable rates strongly dependent on the model. For by just adding an infinitesimal amount of noise to the eavesdropper’s copy of the initial round, one single step towards physical relevance, we obtain a loss unlimited rate instead of a loss limited one.
Now, it is somewhat queer that we can achieve a markedly different rate even if we allow Eve to have noiseless access to the feedback after the initial round. For an intuition for why this works, we observe that the Schalkwijk-Kailath protocol can be summarized as follows: Bob on the initial round receives the message with additive noise and subsequently learns the value of to exquisite precision. Since Eve has additional noise to what Bob received on the initial round, even if Eve can also learn to exquisite precision, the accuracy with which she can recover the message is still limited by the additional noise. Indeed, we can even further alter our communication model so as to give Eve exactly as done by (3), thereby allowing her to completely simulate the protocol for rounds , and our result would still hold. We can also give her a copy of the quantum system 555Note that this is not the classical random variable that is encoded into the quantum system, but the encoded quantum system itself. that Alice sends on round . This would simply replace in the privacy analysis by , whose entropy we can again bound via subadditivity and then by bounds on photon number. Thus, we can alter our communication model so that Eve is strengthened, and our result still holds. This reflects again that our protocol essentially depends on that initial round of feedback where there is an infinite difference in capacities.
At first glance the fact that we only need noise on the initial round appears to have implausibly strong implications. One might think our result holds in the usual feedback-assisted private communication model but where Alice and Bob have a pre-shared secret key which they can use to simulate the noise. For instance, by performing bitwise addition with the pre-shared key, they can simulate an additive noise channel with noise on the initial round of feedback. However, since any reasonable pre-shared key has finite Shannon entropy, is discrete. Then, the capacity of the feedback channel would be infinite, which precludes us from bounding the information leaked to Eve. Hence it does not seem sufficient to have pre-shared secret key to obtain our result.
Lastly, it is worth looking at the closely related communication models of two way private communication, secret key agreement, and quantum key distribution. If we make the same alteration, that is, introduce noise in the classical feedback in the initial round, Bob can simply send an arbitrarily long locally generated random bit string to Alice during that round. Alice will then receive this key noiselessly, while Eve will only receive a noisy copy whose mutual information with the key is finite since the capacity of the noisy feedback channel is finite. Hence, in these models the infinite difference in capacities trivially leads to an infinite rate. This again shows the dependence of the rates to the model considered and suggests that in general we should more seriously address blatant unphysical features in the communication model.
Acknowledgements. DD is supported by the Stanford Graduate Fellowship and the National Defense Science and Engineering Graduate Fellowship. SG was supported by the Communications and Networking with Quantum Operationally-Secure Technology for Maritime Deployment (CONQUEST) program funded by the Office of Naval Research (ONR) under a Raytheon BBN Technologies prime contract # N00014-16-C-2069. We would like to thank Patrick Hayden and Tsachy Weissman for valuable discussions and feedback. DD would like to thank God for all of His provisions.
-  M. Takeoka, S. Guha, and M. M. Wilde, “Fundamental rate-loss tradeoff for optical quantum key distribution,” Nature communications, vol. 5, p. 5235, 2014.
-  S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nature Communications, vol. 8, 2017.
-  U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Transactions on Information Theory, vol. 39, no. 3, pp. 733–742, 1993.
-  D. Gunduz, D. R. Brown, and H. V. Poor, “Secret communication with feedback,” in Information Theory and Its Applications, 2008. ISITA 2008. International Symposium on. IEEE, 2008, pp. 1–6.
-  A. D. Wyner, “The wire-tap channel,” Bell Labs Technical Journal, vol. 54, no. 8, pp. 1355–1387, 1975.
-  I. Csiszár and J. Korner, “Broadcast channels with confidential messages,” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 339–348, 1978.
-  M. M. Wilde, Quantum information theory. Cambridge University Press, 2013.
-  J. Schalkwijk and T. Kailath, “A coding scheme for additive noise channels with feedback–i: No bandwidth constraint,” IEEE Transactions on Information Theory, vol. 12, no. 2, pp. 172–182, 1966.
-  A. El Gamal and Y.-H. Kim, Network information theory. Cambridge University Press, 2011.
-  C. M. Caves and P. D. Drummond, “Quantum limits on bosonic communication rates,” Reviews of Modern Physics, vol. 66, no. 2, p. 481, 1994.
-  J. D. Bekenstein, “Universal upper bound on the entropy-to-energy ratio for bounded systems,” Physical Review D, vol. 23, no. 2, p. 287, 1981.
-  R. G. Gallager and B. Nakiboglu, “Variations on a theme by schalkwijk and kailath,” IEEE Transactions on Information Theory, vol. 56, no. 1, pp. 6–17, 2010.
-  S. Guha, “Classical capacity of the free-space quantum-optical channel,” Master’s thesis, Massachusetts Institute of Technology, 2004.
-  Y.-H. Kim, A. Lapidoth, and T. Weissman, “The gaussian channel with noisy feedback,” in Information Theory, 2007. ISIT 2007. IEEE International Symposium on. IEEE, 2007, pp. 1416–1420.
-  R. Durrett, Probability: theory and examples. Cambridge University Press, 2010.
Appendix A Error Analysis of the Schalkwijk-Kailath Protocol
but with our notation. Consider the vector. This is clearly jointly Gaussian since are independent and Gaussian. We claim that is also jointly Gaussian where are mutually independent and .
We proceed by induction. For the base case, we first note that , so we obtain
by a linear transformation, so it’s jointly Gaussian with. Furthermore, since are independent.
Now we consider the inductive case. Assume is jointly Gaussian and are mutually independent and . Then, is jointly Gaussian, so , which is also the minimum mean squared error (MMSE) estimate, is affine in . Since and both have mean zero, it is actually linear. Thus, is linear in . Hence, is jointly Gaussian. By the orthogonality principle for linear MMSE estimates, is independent of for . Furthermore, is also independent of . Since are mutually independent, we conclude that is jointly Gaussian and uncorrelated. Thus, they are mutually independent. It is also clear that . Furthermore, since by construction and are independent. Finally, is jointly Gaussian, so we’re done. ∎
We next expand in two different ways. First,
where the third equality holds because are mutually independent and is a function of , , and . is the capacity of the AWGN channel with power and noise given in (2). The second way to calculate this gives
where the second equality follows from the fact that is Gaussian with variance independent of by the joint Gaussianity of . Note that is a random variable, but since it does not depend on , we can identify it with the value it takes on almost surely.
We conclude from the two ways to write the mutual information that . Now, is Gaussian since it’s linear in . Furthermore,
where the second equality follows by the law of iterated expectation. Thus, .
We make a decoding error only if . Hence, , where
Now, we know that for , , so if and is large enough,
Note that we used the channel times, so the rate we achieve is actually .