Memory Cost of an Anti-malware Quantum Network Design

A significant number of servers that constitute the Internet are to provide private data via private communication channels to mutually anonymous registered users. Such are the server of banks, hospitals, that providing cloud storage and many others. Replacing communication channels by maximally entangled states is a promising idea for the Quantum-secured Internet (QI). While it is an important idea for large distances secure communication, for the case of the mentioned class of servers pure entanglement based solution is not only unnecessary but also opens a threat. A crack stimulating a node to generate secure connections {via entanglement swapping} between two hackers can cause uncontrolled consumption of resources. Turning into positive a recently proven no-go result by M. Christandl et al. [1] we propose a natural countermeasure to this threat. The solution bases on connections between hub-nodes and end-users realized with states that contain secure key but do not allow for swapping of this key. We then focus on the study of the quantum memory cost of such a scheme and prove a fundamental lower bound on memory overhead. In particular, we show that to avoid possibility of entanglement swapping, it is necessary to store at least twice as much of memory than it is the case in standard quantum-repeater-based network design. For schemes employing either states with positive partial transposition that approximates certain privates states or private states hardly distinguishable from their attacked versions, we derive much tighter lower bounds on required memory. Our considerations yield upper bounds on a two-way repeater rate for states with positive partial transposition (PPT), which approximates strictly irreducible private states. As a byproduct, we provide a lower bound on trace distance between PPT and private states, shown previously only for private bits.


I. INTRODUCTION
The domain of quantum information processing, which shows how the rules of quantum mechanics can meet the needs of information society [2,3], has reached its maturity in recent years. We are about to enter the NISQ era of quantum computing with the Noisy Intermediate Scale Quantum (NISQ) devices ahead of us [4]. In parallel, a huge effort has been done towards building the Quantum Internet (QI) [5][6][7], which is predicted to be built within several years [8]. It is viewed as a network of NISQ devices with their memory and the central processing unit (CPU), which exchange qubits rather than classical bits between each other.
The main welcome feature of the Quantum Internet in comparison with the traditional Internet is its, speaking of theory, the inherent security of sent signals. The 1st generation QI [6] bases on the quantum correlations called entanglement and its amazing property of transitivity. In theory, a two otherwise disconnected nodes can obtain mutual unconditionally secure connection if only they share maximally entangled state (singlet) with a common node, via the entanglement swapping protocol [9,10]. Due to the high attenuation of quantum signals in optical fiber and impossibility of their amplification by cloning [11], the number of intermediate nodes which perform entanglement swapping (quantum repeaters [5]), needs to be large, and function in high coordination. Let us note here that the quantum repeaters protect sent qubits against eavesdropping because entanglement swapping uses, in fact, quantum teleportation [10], allowing a transfer of data without any intermediate point in space-time, where it could be attacked.
The greatness of mankind, demonstrated among others via ability to develop information-based society, is accompanied by the weakness of its individuals due to abuses of inventions of the latter. While the QI is about to come, a number of serious attacks on the traditional Internet which is working already for about a halve a century is being more and more often reported in accordance with growing interest in network cyber-security. One of the simplest attack on the network is the hijacking of a node, via malware -a malicious piece of software which changes its functioning at a wish of a hacker. Possible attacks on future Quantum Internet has been recently considered [12,13]: a piece of software infects the CPU of a quantum device of the node of quantum repeater, leading e.g., to local change of topology of the network. While proposals for overcoming the implications of such an attack are developed, we focus on a solution which to some extent, prevents it due to laws of physics.
Hybrid Quantum Network: As it is common in quantum information theory, a no-go (impossibility) in processing of quantum data can be exploited as its potential: quantum no-cloning led to the seminal ideas of quantum money and quantum cryptography protocols [2,3] while impossibility of prediction of measurement outcomes (attributing the so-called hidden variable model) led further arXiv:1912.07548v2 [quant-ph] 18 Dec 2019 to the device independent quantum security [14,15]. Our countermeasure to hijacking is also based on a recently found no-go, which can be stated as follows: • There exist quantum states which allow for pointto-point security of classical data against quantum adversary, and in spite of this fact can not be effectively used in quantum key repeaters [16].
The above result shows that quantum security is not always transitive: for certain states (call them nonrepeatable secure states σ), conversely to entanglement swapping, when A has secure link (possessing σ) with B and B with C, there is no possibility for B to help A and C, via a 3-partite local quantum operations and classical communication , to share a secure link, protected against B as well. Certain bound entangled states [17] (from which no pure entanglement can be distilled by local operations and communication [18]) and highly noisy private states [19], has been recently shown, to fit the scheme in case of arbitrary 3-way and one-way classical communication (from the node B to A and C) respectively [16,20].

A. Main results
In this manuscript, we propose a general idea of physical protection against malware by presenting a flip side of the presented limitation on quantum repeaters. It amounts to deliberate use of the quantum states which disallow for repeating of secure key, in order to protect against any unauthorized network user who wants to perform it for his own purposes.
In the language of Computer Science, we propose an architecture and model of the physical layer of the quantum network to exclude the possibility that its local topology is changed via attacking the network at the application layer.
We show that specially designed hybrid quantum network i.e. based on both repeaters and special relays, is more robust against special kind of attacks than original repeaters. We put forward a particular example of an attack and study properties of its countermeasure. To show the idea, we focus on a sub-network of the hybrid quantum network, whose graph is a star, i.e. with a central hub-node and a bunch of ∆ connected end-nodes (see Figure 1).
Our approach suits the scenario in which: 1. The hub-node can be connected by a quantum repeater with other hub nodes 2. Only classical data need to be sent between the hub node and the end-nodes.
3. The distance between the hub-node and the endnodes is maximally of metropolitan scale (up to 200km [21,22] 4. Only disconnected hub-nodes and their two adjacent end-nodes are attacked at a time.
5. The Attack is honest-but curious: functioning of the quantum CPU only is changed by malware, while classical data at the node remain unread.
The hybrid network is shown in Fig. 3. The above example fits the real use case, as in the network of the traditional Internet. Indeed, there is quite a number of nodes representing servers that deliver certain utilities in the form of classical data, access to which is charged, and limited to a group of registered users. Moreover, the task of these nodes is not to connect the users, that are usually anonymous but to provide them an access to data via private link. Servers for online banking, access to medical data, online shops, and last but not least, providers of the data-clouds form far from a complete list of examples of the latter. In some of these cases, the users are local so that the assumptions about the distance between end-nodes is satisfied. We focus on the on-line medical laboratory connected to its clients. In this case, the data is generated in classical form (literature). The distance between the users is usually not too big. It is also, needless to say, that security is vital since it is important for the authors of books, articles, etc. or the owner of the server. We also focus on the case when two dishonest users of the network hijack a single node. Their task is to obtain a free secure connection. The main feature of our solution is that the topology of the network is naturally, physically protected against modification.
As it is usual, any good comes at a price. In the above case, the price will come out in the number of qubits needed to be stored (or processed) in quantum memory of a node. We provide lower bounds on the cost of our anti-malware solution, which is related to the density of the secure key in quantum states -a natural quantity that, implicitly used [16,23,24]. To our knowledge, this quantity has not been explicitly studied on its own so far. More precisely, we introduce a memory overhead as a measure of the cost. For a scheme S (that assures security of the hub-node), its overhead is defined as where D is the density of the key i.e. ratio of the key to the dimension of the state, M (S) is the total memory of the scheme. This intuitive quantity is 0 for maximally entangled states, as their whole memory has a form of the key. However, in general case of mixed quantum states V (S) is strictly larger than zero. We then represent each link in the network by the same state ρ and study its usefulness in the context of hacking. The quality of a given scheme we quantify by the difference between the key that can be repeated R and the initial key of the link K D . We then say that a scheme is (θ, η)-good when K D ≥ θ but R ≤ η. This means that the link provides security and because it is not realized by pure state, one can not abuse the link to connect with someone else in the network.
We prove the general lower bound showing that for any state serving as reasonable anti-malware scheme at least half of the memory qubits (approximately) shall not be used for key distillation, i.e. V (S) ≥ 1 2 M (ρ). Different, however asymptotically equivalent bound we obtain for the so-called private states [19,23]. These are states that have two parts: the key part from which the key can be obtained via direct von-Neumann measurement and the shield, which just assures security of the key. For these specific states, we prove that the shield must be at least the size of the key part to assure the security of the scheme. We do so by finding explicit formula for the coherent information of a private state [25,26].
Aiming at set of states for which there are known examples that assure an ≈ (0, 1)-good scheme, we consider states that have positive partial transposition (PPT states), and approximate some private states. More precisely, we provide lower bounds for anti-malware schemes employing PPT states approximating strictly irreducible private states [27]. As a related problem being of independent interest, we give upper bound on two-way repeater rate for PPT states (whose attacked version is separable) approximating strictly irreducible pdits for any dimension of the key part d k . As a byproduct, we prove a lower bound for the trace norm distance between private states and PPT states approximating them. So far, only d k = 2 case was known, which we also tighten. For the considered class of states, the overhead approaches 1 in the limit of large dimensions. However, the speed of this convergence is rather modest. It is easy to conclude from the formulas, that e.g., for a scheme with 80% gap i.e., where θ − η ≥ 8 10 , it suffices to spend 8 qubits on Shield for one qubits in key part. States realizing such schemes are known [23].
The paper is organized as follows. In the next Section II, we specify and describe an example of the proposed anti-malware scheme. In Section III, we introduce the memory overhead of the scheme and the density of key. In subsequent Section IV, we provide lower bound on overhead for irreducible privates states and also a general lower. In Section V, we quantify the scheme that uses private states hardly distinguishable from their attacked versions, whereas in Section VI, we concentrate on bounds for certain PPT states. Section VII is left for discussion.

II. ON-LINE MEDICAL LABORATORY -THE CASE STUDY OF THE ATTACK AND COUNTERMEASURE
In this section we describe in detail the scenario for which, given Quantum Internet happens to be realized in a form suggested nowadays, an attack via malware could be done. We then describe countermeasure invoking recent results on limitations on quantum key repeaters A.
Attack on the star-shaped, pure entanglement based quantum network.
We focus the following specific example of the aboveexplained scenario. The laboratory shares secure links with many clients S i with i ∈ {1, ..., n}, in particular with Adam and Eve (see Fig. 2 a)). The natural topology of the network of secure links is the star one (see Fig.  1), so that each client is connected with the medical laboratory. The laboratory network node is assumed to be a unit with classical and quantum computer inside. The crucial observation is that if the links are quantum, and based on pure entanglement, they allow via entanglement swapping for the change of topology of the network. Indeed, it can change from star to a disconnected graph of at least two components: star without some nodes and a pair of clients having a secure connection between them and sharing no more the connection with the medical laboratory.
For the above reason, setting up a star network based on pure entanglement, the laboratory opens a possibility to provide security to pairs of clients (see Fig 2 b)). On the other hand, states allowing quantum rather than classical secret communication seem to be an overkill in case where the node exchanges with subnodes inherently classical information like in this example. Such an additional side-effect possibility should be under control of the medical laboratory who owns the network. A solution would be to designate a person who sells the connections. In case of no solution, there opens a possibility of two dangers: first, the workers of the laboratory can sell the secure links by themselves and earn illegally without notice of the laboratory. Second, more important, two clients Adam and Eve can hack the system installing a trojan quantum software, which serves them as a source of cheap security. Even more importantly, in this way energy consumed for performing quantum operations would be stolen, again, without notice of the medical laboratory. Let us note that the same holds if the laboratory is one of a number of repeater stations [5], and the links are improved via entanglement distillation 1 [10].
We will distinguish here two kinds of attacks: a general one where the hacked node can perform any 3-party classical communication with two other nodes and oneway attack where only the central node can communicate classical information to the hackers. Remark 1. We focus on a form of honest but curious attack aimed at misusing the power of the node. This situation differs from an attack in which classical data of the node are compromised.

B. Countermeasure via noisy entangled states.
In what follows we observe, that using appropriate noisy entangled states solves the mentioned problem in cases of general (two-way) and one-way attack (see Fig.  3). 1 Note that there are other services that has the same feature, yet we focus on the case of medical laboratory. Another one could be a clinic performing blood tests shares the same properties: the user is an end-user, the data are classical, and should be kept private.
Recently a fundamental result has been shown in this context, indicating that for some states (having at least one separable key attacked state) the rate R of repeated secure key is strongly related to the so called distillable entanglement [10,18,20] by the following result: (2) where → stands for the classical communication restricted to one-way from the intermediate node H ≡ H 1 H 2 to nodes A and E, and γ AHi denotes a private state [19] -a state possessing ideal security directly accessible via measuring its subsystem called key part. Notation 1. Private state with d k dimensional key part, and d s dimensional shield part per one party, shared between A or B and H is denoted γ d k ,ds .
We present the following countermeasure: instead of having a star network with the clients, which is pure entanglement based, the medical laboratory can set a starshaped network of point-to-point links based on bound entangled states which are approximate private states (see Fig 3). Let us note that this is legitimate when the laboratory needs to encrypt only classical data. Furthermore, if clients had a quantum connection with the medical laboratory, then we could have a case of laboratory's network abuse. Due to the fact that these bound entangled states are not transitive there simply does not exist a quantum software, or even a quantum tripartite LOCC protocol between Adam, Eve and the quantum computer of the laboratory which manages secure communication with it to achieve this task. The no-go is hence turned into a success. The medical laboratory employing the bound entanglement based quantum links keeps secure communication but needs not to control the setup. There is simply no possibility for the setup to be forced to create a secure link with a non-negligible amount of secrecy.
Let us note that although we talk here about entanglement swapping, in [1] it is shown that even if the links with the medical laboratory are provided in the form of γ ⊗n AHi , the rate of the output secure key for Adam and Eve is negligible as a function of dimension of the bound entangled approximate private states. By negligible amount, we mean the rate which goes to zero with growing dimension of the shield system of the private state γ AHi . Hence the countermeasure works in the asymptotic regime up to the fact that some small rate of key can be obtained by Adam and Eve. Yet, the key is only classical, it is clearly not in the form of pure entanglement, as the initial states shared by Adam with the laboratory and Eve with the laboratory were bound entangled and had to remain so after any LOCC implementable quantum malware.

III. MEMORY OVERHEAD OF THE COUNTERMEASURE
We now focus on the quantum memory cost of implementation of the proposed countermeasure. We recall first the definition of the key repeater rate. Let us stress here that according to our approach, the lower it is, the better for the security of the node.
We further focus on the scheme represented by a private state with d k dimensional key-part and d s dimensional shield. This state reads a form [19] Definition 1. Private quantum state where X ij = U i σU † j for some state σ of C ds ⊗ C ds and U i are some unitary transformations.
Notation 3. We follow the notation in which, Additionally we skip the subscript, as it doesn't lead to any ambiguity.

Remark 2.
Through the rest of the paper, we assume that each considered quantum state ρ acts on H H ⊗ H N being tensor product of subspaces associated with the hub and a node, and dimH H = dimH N < ∞. What is more, both subspaces are assumed to be partitioned into key and shield parts (of dimensions d k and d s respectively) in the same way at both sides.
Notation 4. Here we adapt shortened notation in which X ij ≡ X ii,jj . In calculations we mainly incorporate full notation, which doesn't lead to any ambiguities. Additionally for i = j we define X ij,ij ≡ 0, as they do not enter to definition of a private state.
Note that X ii are, in fact, subnormalized states, obtained on the shield system upon observing key |i on the key part. We call them conditional states. According to definition, K D (γ d k ,ds ) ≥ log d k , while in case of equality, a private state is called irreducible: its whole secure content is available from the key part via direct measurement. In the case in which X ii are additionally separable, we call these states strictly irreducible private states. In fact, it is conjectured that all irreducible private states are of the form of strictly irreducible ones [27], it is so if there do not exist entangled but key undistillable states.
Definition 2. The distillable key rate with respect to arbitrary LOCC operations is defined as: where ρ is a bipartite state shared by the parties. Λ is a LOCC protocol with two-way classical communication.
Definition 3. The quantum key repeater rate with respect to arbitrary LOCC operations among A, E and H is defined as: where Adam and Hub share state ρ while Hub and Eve share ρ . Λ := Λ LOCC n are tripartite LOCC protocols with two-way classical communication. In the case in which communication between central node and A, E systems is restricted to one-way from H to A and E, we denote this rate with R A←H→E D . Notation 5. For the repeater rate in the case in which ρ = ρ , we introduce simplified notation R →(↔) (ρ).
An ultimate goal would be to provide a non-repeatable key with the smallest possible memory cost. Our solution to the problem is represented by a bipartite quantum state ρ shared between the central node H and one of the clients (Adam), however, its specific parameters are important enough to write them out explicitly. The scheme will be represented by the following tuple: The arrow(s) in the superscript are dropped if the results hold for both cases. The state ρ HA is shared between the central node H and a single client (Adam). ∆(S) is the degree of the node (number of connections).
Definition 4. We say that the scheme is one-way (two- In our approach, we are interested in possibly large gap between K D and R →(↔) , while keeping memory overhead considerably small at the same time. We quantify this gap by its lower bound defined as η − θ.
Definition 5. By an overhead of the scheme we mean the following quantity: Where ρ is a bipartite state shared between the hub and a client.
The overhead is the difference between the qubits of memory at the node: ρ ⊗∆(S) has of qubits of subsystem H, and the number of bits of security which the node shares with the other part of the Quantum Internet.
Definition 6. For an antimalware scheme that is (θ, η)good, we call the difference η − θ the gap of the scheme.
We note here that such defined overhead bares strong connection with the other, to our knowledge not explicitly studied notion, which is that of density of private key.
Definition 7. For a quantum state ρ shared between the hub H and Adam A or Eve E, we define density of the private key D as: We then have the dependence: From the above form it is clear to see that the overhead is a non-negative number, as the density is a quantity less than or equal to 1. In what follows we provide several lower bounds on the overhead V of the countermeasure, that satisfies The above inequality follows from the fact that secure key K D (ρ), can not be larger than memory size log dim H (ρ), and hence ∆(S) is non-negative.

IV. LOWER BOUNDS ON THE OVERHEAD OF THE ANTI-MALWARE SCHEME
Let us first focus on the class of one-way attacks: the attacked hub node can send data to two receiver nodes owned by malicious parties that can communicate freely. We begin with preliminary definitions and facts.
Definition 8. The coherent information of a quantum state ρ AB where S(B) is the Von Neumann entropy of state ρ B = Tr A (ρ AB ) and S(AB) is that of state the ρ AB .
It is clear, that the key repeater rate is an upper bound on distillable entanglement. We therefore provide a lower bound on one-way distillable entanglement of a private state, via the Devetak-Winter hashing protocol [28].
where I coh is the coherent information [18], and σ i are the conditional states of a private state. We have then the following observation Observation 1. For any private state γ d k ,ds , one-way distillable entanglement is lower bounded.
Let us note that the above bound is achievable given a choice ∀ i σ i = I ds , i.e. for pdits with twisted-in maximally mixed state.
Since coherent information can not be smaller than − log d for a d dimensional state, we have the following general result. Corollary 1. For any private state γ d k ,ds one-way distillable entanglement is lower bounded by the following expression.
where d k and d s , are dimensions of the key part and shield part respectively.
Proof. It follows from the fact that for any state σ i of dimension d 2 s there is: Following the fact that one-way distillable entanglement constitutes a lower bound for both one-way and two-way repeater rates, we conclude that in schemes incorporating privates states, it is reasonable to assume d s ≥ d k . This assumption is a necessary condition for having low repeater rates.
As we have discussed, we obtain the following lower bound on overhead of schemes based on irreducible private states: , then its overhead satisfies a lower bound: Proof can be found in appendix.
The above theorem shows that memory used by a private state which allows only for θ of repeated key must have at least as big shield system as its key part. The technique used for proving Theorem 1 inspires to find a general lower bound on the overhead of any scheme, which is presented below. Theorem 2. Any state ρ that serves as (θ, η)-good antimalware scheme, satisfies The proof is left for the appendix. The above theorem is based on observation that distillable key is upper bounded by S(A)/2 if only coherent information is nonpositive. As we will show below on Fig. 5, this bound is the only bound on key repeater rate for certain amount of one-way distillable entanglement, as we comment below.
The inequality in Eq. (23) is a known fact, since one-way communication from the hub H to hosts A and E can not allow to repeat more key than in two-way communication setup. The second inequality comes from the fact that it is not possible to have more of a repeatable key than a distillable key. On the other hand, it is possible that the quantum key repeater rate is smaller than the distillable key of a particular state ρ. The third inequality is true because squashed entanglement is an upper bound on distillable key [29]. Finally, the last inequality is the upper bound on R → observed in this work, which is a direct consequence from the proof of lemma 18 in [16]. Similar results on private capacity for quantum channels were obtained in [30]. We find our approach and definitions simplified, as they consider only channels. The green line segment is the upper bound on quantum key repeater rate derived in [20]: Here the hub can send messages to Adam and Eve, but not receive from them. Adam and Eve can communicate in both ways freely. The violet line segment is the upper bound introduced in [16]: In this case only the communication from Hub to Adam is one-way and between Hub and Eve the communication is two-way, no other data transfer is allowed. The orange line segment is the upper bound for states that have I coh = 0. These states do not have more of distillable key than E C /2 or S(A)/2.
Even though green and violet bounds intersect in E → D = E c /3, they are different scenarios in which the classical communication is not in the same direction. Therefore, they are incomparable. It is the same for blue and violet bounds. On the other hand, the directions of classical communication for green and blue bounds are the same, so it is possible to compare them. The upper bound introduced in this work is more accurate than the bound derived in [20] starting from E → D = S(A)/3.

V. LOWER BOUND ON OVERHEAD FOR PRIVATE STATES HARDLY DISTINGUISHABLE FROM THEIR ATTACKED VERSIONS
In this Section, we derive lower bounds for the memory overhead for schemes utilizing private states hardly distinguishable from their attacked versions. We first briefly explain the approach and then formalize the presented idea.
Let us note, that to assure η > 0 in antimalware scheme, we need to know how much a given state of it has distillable key. A good choice is then a strictly irreducible private state, as for it, we know that K D (γ d k ,ds ) = log d k , however, such γ d k ,ds should not be too much distillable, as R ↔ ≥ E D (ρ). Thus to also have that scheme is (θ, η)-good for small θ, we need to assure E D (γ d k ,ds ) ≤ θ. This can be done in various ways, including bound E D (ρ) ≤ − log ρ Γ [31]. From [20] it follows, that with a factor 2, this will imply that R → is small since it is upper bounded by 2E → D . The next theorem encapsulates this approach and proves the lower bound of the memory cost of such a solution.
We first use the bound that employs measure called log-negativity [32,33].
Observation 2. For a private state such that X ii ∈ P P T , and at least one from its conditional key attacked states is separable there hold the following bounds on the one-way quantum key repeater rate: whereγ d k ,ds = i 1 d k |ii ii| ⊗ X ii is an irreducible private state after measurement on the key part (attaacked), and Γ is an operation of partial transposition.
Proof can be found in appendix.
For technical reasons, we deal more specifically with the right-hand side of the above inequality, as encapsulated in the following observation. Observation 3. The following identity holds.
ii is the private state after measurement on the key part and Γ is the partial transpose operation.
Proof can be found in appendix.
In the next lemma, we argue, that some private states, that are hardily distinguishable from their attacked versions, have large dimension of the shield in relation to the dimension of the key part.
Lemma 1. For a special private state γ d k ,ds , which satisfies condition X Γ ii ≥ 0, and ||γ Γ d k ,ds −γ Γ d k ,ds || ≤ there is: Proof can be found in appendix. The above technical lemmas and observations lead us to the main result of this section. It states, that the overhead in case of private states that are hardly distinguishable from their attacked versions.

Example of the gap for low dimensional state
In general, one would like to diminish the repeater rate of the scheme as much as possible. Unfortunately, in Theorem 3, the parameter appears both in formula for the repeater rate and the overhead. This is the reason why one can not reduce repeater rate to zero keeping the overhead smaller than total memory cost. In this situation, one should decide on an acceptable level of repeater rate, for which the overhead is still reasonable. A small dimensional example of a pbit state which allows for such a control is known [19,34]. Block matrix representation of such a pbit is: where F is a matrix of swap quantum logic gate of dimension d 2 s implying Ω Γ ds −Ω Γ ds = 1 ds . We estimate now the size of the gap for a scheme using this state. Let us assume a scheme with minimal amount of memory by setting = 1 ds (see that conditions of Lemma 1 and Theorem 3 are satisfied). We obtain a lower bound ds , for scheme being 2 ln 2 1 ds , 1 -good. For d s = 2 it saturates also the general lower bound on overhead from Theorem 2 with value of 1 2 , although in this case the rate of repeater R → is upper bounded with 1 ln 2 ≈ 1.44, what is an unsatisfying result. The first nontrivial case, in that antimalware scheme has an advantage over malicious parties, appears for d s = 3, in which repeatable rate drops to R → ≤ 2 3 ln 2 ≈ 0.96 being strictly smaller than key rate K = 1, what follows from its irreducibly.

VI. LOWER BOUNDS ON OVERHEAD FOR PPT STATES
As was argued in [16] (see supplemental material note 6) the states which are PPT and approximate private bits are of rather high dimension. This fact can be found as a result of the following earlier statement [24] (see also [35]): We conclude that a quantum PPT state close by in trace norm to strictly irreducible private state γ d k ,ds has dimension of the shield at least d s ≥ 1−2 2 . We know that for two-way repeater rate to be zero, the state has to be bound entangled (R ↔ (ρ) ≥ E D (ρ)) [19]. Thus, in this Section, we investigate the overhead using such schemes. Notation 6. We adopt a notation in which PPT state ρ has the following form: Where A ij,kl are blocks of dimension d 2 s . Proposition 1. If ρ is a state with positive partial transpose, that approximates a strictly irreducible private bit ||ρ − γ 2,ds || ≤ for ≥ 1 2(ds+1) , A Γ 01,10 ≤ ,and its conditional shield states are separable, then its two-way repeater rate R ↔ (ρ) is upper bounded.
Proof can be found in appendix. Indeed PPT states from Proposition 1 above do exist. One example can be states for which A 01,10 = A Γ 00, 11 . Theorem 4. If a state with positive partial transpose ρ approximates strictly irreducible private bit ||ρ − γ 2,ds || ≤ for 1 2(ds+1) ≤ < 1 2 , A Γ 01,10 ≤ , and its conditional shield states are separable, then it serves as a two-way (θ, η)-good anti-malware scheme S ρ with degree ∆(S ρ ), then its overhead satisfies a lower bound: is the binary Shannon entropy), and θ = 2 ). Proof can be found in appendix. From inequality (32)   we obtain We then see that focusing on states which have positive partial transposition and approximate private bits is quite costly: the overhead approximates the whole memory of the scheme for small . In particular, obtaining a reasonable amount of key in links ≈ 1 bits for each of ∆ links implies that the whole memory cost is that of an overhead. However, an advantage of this scheme is that it is no longer limited to one-way communication. In this case, there does not exist any 3-partite LOCC protocol which can break the scheme.
We now generalize the above result for larger dimensions of the key part than qubit, and study it in case of private state. Ideas for proving both are similar and quite clear in case of private states instead of their approximations, so we begin describing the latter result.
We define the cost of the countermeasure as lower bound on the number of qubits necessary for the shield part d s of the private state used in the protection scheme.
We will need a numer of technical observations and lemmas, which we present below.
Observation 4. Denoting with A ij,kl matrices some of them (A ii,jj ) being unnormalized conditional states of the shield of a state ρ = ijkl |ij kl| ⊗ A ij,kl , we prove the following relations: and In the following lemma and subsequent corollary, we prove a general lower bound on the distance between private states (of any dimension of the key part) from PPT states [24].
Lemma 2. For any state ρ ∈ P P T , there is where γ is a private state with d 2 k dimensional key part and d 2 s dimensional shield subsystem. Corollary 2. For any state ρ ∈ P P T approximating private state, the following lower bound holds .
The important properties of lower bound presented in Corollary 2 are the fact that it is not trivial for values of d k but also that it yields tighter bound for d k = 2 known form [24] (see eqn. 32). Concluding as a byproduct, we have found a non-trivial (non-zero) lower bound on the distance between any private state and a PPT state in any dimension [24,34].
Corollary 3. For any state ρ ∈ P P T of dimension 2d s approximating private bit there is: The upper bound on norm in Corollary 3 is tighter than the one in [24]. This is due to slightly different proving technique. This motivates us to assume i =j A Γ ij,ji ≤ , instead of 2 i =j A Γ ij,ji ≤ what would be analogous to assumption in Proposition 1.

Proposition 2.
If ρ is a state with positive partial transpose approximates a strictly irreducible private dit (pdit) ||ρ−γ d k ,ds || ≤ for ij,ji ≤ , and conditional shield states of ρ are separable, then its two-way repeater rate R ↔ (ρ) is upper bounded as follows Proof can be found in appendix. It is easy to notice that the upper bound in Proposition 2 evaluated for pbits is tighter than the corresponding one from Proposition 1. This is because with slightly different assumption for A ij,ji blocks.
Theorem 5. If a state with positive partial transpose ρ approximates strictly irreducible private dit (pdit) ||ρ − γ d k ,ds || ≤ for ij,ji ≤ , and its conditional shield states are separable, then it serves as a two-way (θ, η)-good anti-malware scheme S ρ with degree ∆(S ρ ), and its overhead is lower bounded with with η = log d k −8 log d k −4h( ) (where h(.) is the binary Shannon entropy), and We leave the proof for the appendix.

VII. CONCLUSIONS
In this manuscript, we have observed a particular attack on quantum network, and studied the quantum memory cost of its remedy -the hybrid quantum network. A common approach in designing Quantum-secured Internet is to connect its nodes via pure entangled states or channels that distribute such entanglement. In this article, we observe that this practice is not needed for a number of nodes of the Internet, and moreover, would open a threat.
As a case study of such a threat, we consider the possibility of performing entanglement swapping between the data basis of the medical laboratory and its two clients Adam and Eve. We imagine here that in future quantum technologies the link between each of them and the medical laboratory would be quantum one. As a countermeasure, we propose to replace these links into those sharing/distributing bound entangled states which approximate private states. As for clients being the endusers, it is enough to communicate only classical information (blood tests etc.) with the medical laboratory; a functionality to pass a quantum state seems not only to be a redundant feature but also opens a gateway for possible abuse.
While in the case of a maximally entangled state, one can generate 1 bit of key per 1 qubit of local memory, this is not the case for mixed entangled quantum states. We, therefore, study the memory cost of the proposed solution. We have introduced two notions: (i) that of a scheme (a choice of states shared by the node and users), and (ii) that of the memory overhead. The latter quantity reports how many qubits of the memory are not directly used up to generate key, but only assures security of its generation. We then focus on schemes that are represented by a single quantum state distributed in all the links. As the quality of the scheme, we propose the gap between the key from the state and the upper bound on the key that can be obtained via hacking. We called it a gap of the scheme.
We first focus on what is more or less straightforward to obtain from the well-established facts in entanglementbased approach to quantum cryptography. This leads us to two different but asymptotically equivalent lower bounds for the memory overhead of the scheme. One is for private states, and the other for all quantum states. It implies that at least half of the memory of the scheme need to assist security of the scheme rather than can be turned to security itself.
We then consider particular bound entangled states as well as private states for which we know the construction of our proposal can be based. These are PPT sates that approximate private states and that are at the same time highly indistinguishable by PPT operations from their attacked versions, which are separable. Although, in general, the overhead, in that case, is asymptotically 1, the convergence to 1 is modest. The presented results allow to tune the exemplary states to the size of the gap of the scheme. As a byproduct, we have both sharpen the lower bounds on the distance between PPT and private bits and gave the first lower bound on this distance between PPT states and private dits for arbitrary d. It would be then interesting to find the schemes based on private dits, rather than those that are based on tensor products of private bits.
Let us note here that we consider the attack to be honest-but curious i.e., we haven't discussed so far the security of the data at the node. Both in the case of quantum repeater and the proposed hybrid repeater, the nodes can be hijacked, and in principle, the data can be traded via blackmail, and therefore, should be kept e.g., post-quantumly encrypted. However, in the hybrid repeater, an honest but curious attack using the power of the node for free quantum Internet can not be anymore used.
Finally, we admit, that another simple to consider solution for the considered threat, is to live with the fact of possibility of a malware and let every registered user of a node be connected with any other by quantum switch (no matter what is the type of the node) and sold e.g. utility. This, however, would need to be done at a certain price, in similarity to a utility that any smartphone can be turned into a network router within the price of the subscription. In general, one can ask for any other nontransitive property (non-hackable), that can be incorporated to provide security. That will be studied elsewhere [36].
While large effort to make QI happen is begin taken [8], it is also important to know a novel, inherently quantum threats That can come from the new quantum network design. To our knowledge this direction of research needs separate attention, as has not been studied in deep so far [12,13].
where σ iB = Tr A U i ρ A B U † i . The first inequality is due to the fact that one-way distillable entanglement is lower bounded by the coherent information. The first equality follows from direct calculation, and the fact that S( i . Equality S(AA BB ) = S(ρ A B ) comes from the construction: the private state is unitarily equivalent to ψ ⊗ ρ (where ψ is maximally entangled state of dimension d 2 k ), and the entropy is invariant under unitary transformation, additive and zero for pure states. In the equality (50) we add the unitary transformations to ρ A B which is assured by mentioned property of entropy: We then finally observe that the averaged is the coherent information, yet evaluated on a state σ i ≡ U i ρ A B U † i .
Proof of Theorem 1. Below we present a sequence of inequalities, that altogether allow to prove the theorem.
The first inequality comes from our assumption that γ d k ,ds is an (θ, log d k )-good one-way anti-malware scheme. The second inequality is supported by the fact, that one can distill R → (ρ) singlets and use them for teleportation. One of methods to repeat key is to distill E → D of pure entanglement between H and A and H and B respectively. This is followed by entanglement swapping [37]. The third inequality comes from Eq. (18). The final inequality is due to Corollary 1. Thanks to the above inequality we can upper bound the density of private key as follows: (56) From Eq. (15) we have what ends the proof.
, and it has non-positive coherent information I coh ( H A) [28], thus distillable key has to fulfill: where E sq (ρ A,B ) = inf ρ ABE ∈SExt 1 2 I(A; B|E) is the squashed entanglement [38], and the next inequality is by the definition of E sq . Owing to the fact that K D (ρ) ≥ η, we obtain: Proof of Observation 2. The first inequality comes from the result of Christandl and Ferrara [20] there is: The distillable entanglement is upper bounded by the log-negativity: where equality comes from the additivity of the lognegativity. We upper bound log-negativity as follows.
The last equality is obtained via X ii ∈ P P T . Finally, because logarithm is strictly increasing, we have 2 log γ Γ ≤ 2 log 1 + γ Γ −γ Γ , and hence: What implies in the virtue of equation (63): Proof of Observation 3. By direct calculations we have: Proof of Lemma 1. A pdit γ d k ,ds has d 2 k − d k offdiagonal block elements X ij , and X ij ≥ 0. From Observation 3 we have that Then among those block elements there clearly has to be one such that 1 d k X Γ i0,j0 ≤ d 2 k −d k as a property of mean value, hence: We know from [39], that X ij ≤ d s X Γ ij . Hence, for arbitrary (i, j) we have: In particular 1 ≤ d s X Γ i0,j0 . Then 1 ≤ d s d k −1 and finally d s ≥ d k −1 Proof of Theorem 3. From Observation 2: R → (γ d k ,ds ) ≤ 2 log (1 + ), from irreducability of γ d k ,ds we have that K D (γ d k ,ds ) = log d k , and the lower bound for V (S) we obtain in the following way: Thus where the first inequality is a consequence of Lemma 1.
Proof of Proposition 1. In this proof partial transposition Γ and the operation of diag are assumed to be evaluated in computational basis. Futhermore we assume A Γ 01,10 ≤ . Using the results in Ref. [24], we know: We define a projection.
Notice that Πγ 2,ds Π = γ 2,ds , and let us define subnormalized state From one of assumptions we have: Where diag(·) refers to blocks with respect to key part. We define a CPTP φ and corresponding Kraus operators.
We anticipate now and use equations (86-89) to lower bound the following quantity.
As a byproduct notice that: We employ now the "gentle measurement lemma" [40][41][42], saying that for all positive semidefinite operators σ, and 0 ≤ H ≤ 1 one has: Since Π is a projector, and ρ Γ is normalized, from equations (90-91,93) we find where we used cyclic property of trace. Using triangle inequality twice, the fact that ρ Γ Π ≡ diag ρ Γ Π , and inequalities in (82,92,94): From the Ref. [16] and [23] two-way repeater rate is upper bounded in the following way.
While employing asymptotic continuity of the relative entropy of entanglement E r [43,44], in the form: where ξ = 2 √ + 3 2 . We have now from equation (100) Blocks of diag ρ Γ are separable by assumption. Since non-zero blocks of diag ρ Γ Π are identical to corresponding blocks of diag ρ Γ they are also separable. This implies that the relative entropy of entanglement of , from its definition reads 0. Knowing that d k = 2 and that dimension of matrix is invariant under partial transpose we obtain an upper bound.
Then we make use of asymptotic continuity of quantum relative entropy [43,44].
Now we have to place an appropriate lower bound on K D . Following arguments of Ref. [45] the operation of privacy squeezing does not increase the trace distance ρ ps − γ ps 2,ds ≤ . Moreover after this operation private state (strictly irreducible in that case) turns into one of the two Bell states γ ps 2,ds ≡ ψ. In general the following inequalities hold On the other hand due to Lemma V.3. in Ref. [46], both one-way and two-way keys are lower bounded with: From equations (116), (117), and the fact dim H (ρ ps ) = 2, we obtain: Form the Proposition 1 the rate of the repeater is upper bounded with: Notation 7. We denote Projectors P i,j and P i for i = j The following identities hold.
Fact 1. We have the following identities: and also Notation 8. For the proves of Observations 4 and 4 we abuse the notation denoting 1 d k X ii,jj → X ii,jj , P i,j ⊗I → P i,j and P i ⊗ I → P i for conciseness.
Proof of Observation 4. We start with proving first inequality (38). Using the contractivity of the trace norm we have Using again the norm contractivity property and projector P i we have Now we want to prove that Let us express the matrix from LHS of (131) as follows where M is a matrix, D are diagonal elements andÂ are anti-diagonal elements. Note that ||D|| ≤ as ||M || ≤ . We get then We note then, that Â = 0Â ii,jĵ A † ii,jj 0 = 2 Â ii,jj , hence Â = 2 A ii,jj − X ii,jj ≤ 2 , A ii,jj − X ii,jj ≤ .
Finally, applying the reverse triangle inequality to equation (139), and having X ii,jj = 1 d k .
Now we prove the second inequality (39). Consider an incomplete von Neumann measurement Using ρ − γ ≤ and contractivity of norm we obtain Employing aforementioned condition that X ij,ij vanish, and non-negativity of trace norm we obtain.
Proof of Lemma 2. We know that ρ Γ ≥ 0. Firstly we construct, a projector on certain 2 × d s dimensional subspace of ρ Γ ≥ 0.
Having in mind that ρ = ijjkl |ij kl| ⊗ A ij,kl we perform the projection and obtain where we used that A Γ jj,ii = A Γ ii,jj † , what is a consequence of ρ Γ being hermitean. Indeed Π 0 ρ Γ Π 0 is positive semidefinite since Π 0 is a Kraus operator. In what follows we construct a unitary transformation based on singular value decomposition of A Γ ii,jj = SΣV .
Note that TrΣ = A Γ ii,jj . In the next step we perform specific privacy squeezing operation on ρ Γ .
What yields following form of a squeezed matrix, that is positive semidefinite.
Where we used a property of diagonal blocks ||A ij,ij || = TrA ij,ij = TrA Γ ij,ij = ||A Γ ij,ij ||. Using a basic fact known for positive matrices we have the following dependence between its entries: Now we are going to use Observation 4. The smallest component of the sum is always smaller than an average we have: Since equation (153) is true for all i = j, we use the smallest element denoted with i 0 = j 0 . Hence form (153): By Observation 4, ∀ i =j we have A ii,jj ≥ 1 Owing to the fact that under partial transposition the trace norm can not increase by more than the dimension of the matrix (here d s ) [24], we have: thus: and finally: Proof of Corollary 2. The proof is straightforward consequence of Lemma 2. Since the implication stated in Lemma 2 is true for any that ≥ ρ − γ , we denote with 0 the one that saturates it. We have the following implication.
We immediately obtain the following lower bound: .
Proof of Corollary 3. We notice that equation (157) is true also for d k = 2. Since in this dimension there is only a single choice of i 0 = j 0 (up to hermitean conjugate), we have: Proof of Proposition 2. This proof follows the same steps as proof of Proposition 1. Partial transposition Γ and the operation of diag(·) are assumed to be evaluated in computational basis. Futhermore we assume that i =j A Γ ij,ji ≤ . We work under an assumption that We define a projection, and subnormalized state ρ Γ Π , We notice then that: where diag(·) refers to blocks with respect to key part.
We anticipate now and calculate the following quantity using equation (147) again: K D (ρ) ≤ log d k + 2 log dim H ρ + (1 + 2 )h( 2 1 + 2 ). (187) From Lemma 2, we know that d s ≥ d k −1 (1 − d k ), we assume RHS to be positive, what together with the initial condition yields: The overhead of the scheme is then lower bounded