Quantum enigma machines and the locking capacity of a quantum channel

The locking effect is a phenomenon which is unique to quantum information theory and represents one of the strongest separations between the classical and quantum theories of information. The Fawzi-Hayden-Sen (FHS) locking protocol harnesses this effect in a cryptographic context, whereby one party can encode n bits into n qubits while using only a constant-size secret key. The encoded message is then secure against any measurement that an eavesdropper could perform in an attempt to recover the message, but the protocol does not necessarily meet the composability requirements needed in quantum key distribution applications. In any case, the locking effect represents an extreme violation of Shannon's classical theorem, which states that information-theoretic security holds in the classical case if and only if the secret key is the same size as the message. Given this intriguing phenomenon, it is of practical interest to study the effect in the presence of noise, which can occur in the systems of both the legitimate receiver and the eavesdropper. This paper formally defines the locking capacity of a quantum channel as the maximum amount of locked information that can be reliably transmitted to a legitimate receiver by exploiting many independent uses of a quantum channel and an amount of secret key sublinear in the number of channel uses. We provide general operational bounds on the locking capacity in terms of other well-known capacities from quantum Shannon theory. We also study the important case of bosonic channels, finding limitations on these channels' locking capacity when coherent-state encodings are employed and particular locking protocols for these channels that might be physically implementable.


Introduction
The security of a cryptographic primitive can be assessed according to different security criteria.Most modern cryptosystems are computationally secure-that is, their security relies on the difficulty of breaking them in a reasonable amount of time given available technologies.This is also the case for the enigma machines, a family of historical polyalphabetic ciphers in use during the earlier half of the previous century-their security relied on the difficulty of uncovering patterns hidden in pseudorandom sequences [8].
A stronger security criterion requires that an encrypted message is close to being statistically independent of the corresponding unencrypted message, in which case one speaks of informationtheoretic security.For the case of classical systems, a good measure of correlation is the mutual information between the unencrypted and encrypted message.If the mutual information vanishes, the chance of successfully decrypting the message is exponentially small in the length of the message.Any encryption scheme with such a property cannot perform any better than one-time pad encryption, where a truly random key is used to encrypt (and decrypt) the message [44].The one-time pad guarantees information-theoretic security as long as the key is kept secret, it has the same length as the message, and can be used only once.However, the fact that the secret key should be the same length as the message imposes severe practical limitations on the use of the one-time pad protocol.
On the other hand, it is now known that quantum mechanics gives a way around these limitations.The locking effect is a phenomenon which is unique to quantum information theory [14] and represents one of the most striking separations between the classical and quantum theories of information.It is responsible for important revisions to security definitions for quantum key distribution [32] and might even help to explain how both unitarity could be preserved and most of the information leaking from an evaporating black hole could be inaccessible until the final stages of evaporation [49,15].Quantum data locking occurs when the accessible information about a classical message encoded into a quantum state decreases by an amount that is much larger than the number of qubits of a small subsystem that is discarded [14].A device that realizes a quantum data locking protocol is called a quantum enigma machine [37].
Impressive locking schemes exist [23,15,18].Suppose that a sender and receiver share a constant number of secret key bits.Using these secret key bits, they can then encode an n-bit classical message into n qubits such that an adversary who gains access to these n qubits, but who does not know the secret key, cannot do much better than to randomly guess the message after performing an arbitrary measurement on these n qubits.
However, the cryptographic applications of quantum data locking have to be "taken with a grain of salt," as they are only applicable if the distribution of the message is completely random from the perspective of the adversary.Otherwise, the key size should increase by an amount necessary to ensure that the distribution of the message becomes uniform.Moreover, one might say that the strength of quantum data locking also exposes a weakness.Indeed, as a small key is sufficient for encrypting a long message, the leakage of a small part of the secret key may allow an adversary to uncover a disproportionate amount of information.For this reason, any cryptographic primitive based on the locking effect (called a locking scheme), does not necessarily guarantee composable security [32].This also implies that quantum data locking cannot necessarily be used for secure key distribution.The only exception is if the adversary has no option other than to perform a collective measurement on the qubits in her possession just after she receives them.
As stated above, Shannon proved that such a locking effect is impossible classically [44].That is, when using only classical resources, a sender and receiver require a secret key whose size is proportional to the size of the message in order for the eavesdropper to have a negligible amount of information about the encrypted message.Thus, after Shannon's result, information scientists looked in a different direction in order to determine ways for communication systems to provide secrecy in addition to reliable transmission.In reality, all communication systems suffer from physical-layer noise, and one might be able to determine the characteristics of the noise to a legitimate receiver and to an untrusted eavesdropper.Such a model is known as the wiretap channel [55], and it is well known now that if the noise to the eavesdropper is stronger than the noise to the legitimate receiver, then it is possible to communicate error-free at a positive rate such that the eavesdropper obtains a negligible amount of information about the messages being transmitted.

Summary of results
In this paper, we consider the performance of locking protocols in the presence of noise, and as an important application, we consider locking protocols for bosonic channels.There are two types of noise to consider in any realistic locking protocol: that which affects the transmission to a legitimate receiver and that which affects the eavesdropper's system.Both are important to consider in any realization of a quantum enigma machine.
We begin in Section 4 by reviewing the locking effect and a recently introduced quantum enigma machine (QEM) from Ref. [37].This QEM encodes a classical message into a single-photon state spread over a collection of discrete modes and then decodes it by direct photodetection.The encryption and decryption are realized by applying and inverting, respectively, a single multi-mode passive linear-optical unitary transformation, selected uniformly at random from a set of such transformations.Similar to historical enigma machines, QEMs can encrypt a long message using an exponentially shorter secret key.However, unlike historical enigma machines which were only computationally secure, quantum data locking implies security in the sense that the outcomes of any eavesdropper measurement will be essentially independent of the message.
After the review, Section 5 provides a formal definition of the locking capacity of a quantum channel.In short, a locking protocol uses a quantum channel n times (for some arbitrarily large integer n) and has three requirements: 1.The receiver should be able to decode the transmitted message with an arbitrarily small error probability.
2. The eavesdropper can recover only an arbitrarily small number of the message bits after performing a quantum measurement on her systems.
3. The secret key rate is no more than sublinear in the number n of channel uses (for example, logarithmic in n).
We define the locking capacity of a quantum channel to be the maximum rate at which it is possible to lock classical information according to the above requirements.Changing the systems to which the adversary has access leads to different notions of locking capacity, and we distinguish the notions by naming them the weak locking capacity and the strong locking capacity.The difference between the two is that, in the weak notion, the adversary is assumed to have access to only the channel environment, while, in the strong case, we allow her access to the channel input.We emphasize that when we use the term (weak or strong) "locking capacity" without any other modifiers, we refer to the locking capacity of a quantum channel without additional resources such as classical feedback.Most of the results reported here correspond to such a forward locking capacity.The locking capacity of channels with additional resources such as classical feedback remains largely open.However, at the very least, we can already say that quantum key distribution protocols provide lower bounds on the locking capacity in this setting.
We then find operational bounds on the locking capacity in terms of other well known capacities studied in quantum Shannon theory, and we find other information-theoretic upper bounds on the locking capacity.We prove that the locking capacity of an entanglement-breaking channel is equal to zero, which demonstrates that a quantum channel should have some ability to preserve entanglement in order for it to be able to lock information according to the above requirements.We also show that any achievable locking rate is equal to zero whenever a given locking protocol has a classical simulation.Furthermore, we find a class of channels for which the weak locking capacity is equal to both the private capacity and quantum capacity.Finally, we discuss locking protocols for some simple exemplary channels.
Section 6 establishes several important upper bounds on the locking capacity of channels when restricting to coherent-state encodings.If it were possible to exploit coherent-state encodings to perform locking at high rates, then this would certainly turn the locking effect from an interesting theoretical phenomenon into one with practical utility.However, we are able to show that there are fundamental limitations on the locking capacity when restricting to coherent-state encodings.In particular, we prove that the "strong" locking capacity of any channel is no larger than log 2 (e) locked bits per channel use whenever the encoding consists of coherent states (where e is the base for the natural logarithm).We also prove that the "weak" locking capacity of a pure-loss bosonic channel is no larger than the sum of its private capacity and log 2 (e).
In Section 7, we discuss an explicit protocol that uses a pulse position modulation encoding of coherent states.We derive bounds on the security and key efficiency of this coherent-state locking protocol and find that it has qualitative features analogous to the single-mode quantum enigma machine in the presence of linear loss.
Finally, Section 8 presents our conclusions, a discussion of the scaling of the required physical resources, and open questions for future research.

Notation
We briefly review some notation that we use in the rest of the paper.Let B(H) denote the algebra of bounded linear operators acting on a Hilbert space H.The 1-norm of an operator X is defined as Let B(H) + denote the subset of positive semidefinite operators (we often simply say that an operator is "positive" if it is positive semidefinite).We also write Let id A denote the identity map acting on B(H A ).A linear map N A→B is completely positive if the map id R ⊗ N A→B is positive for a reference system R of arbitrary size.A linear map N A→B is trace-preserving if Tr{N A→B (τ A )} = Tr{τ A } for all input operators τ A ∈ B(H A ).If a linear map is completely positive and trace-preserving, we say that it is a quantum channel or quantum operation.For simplicity, we denote a quantum channel N : B(H A ) → B(H B ) simply as N A→B .Similarly, we denote an isometry U : The variational distance between two probability distributions p(x) and q(x) is defined as The trace distance between two quantum states ρ and σ is defined as follows: and it is a conventional measure used in quantum information theory to quantify the distinguishability of two quantum states.Clearly, when the two states are commuting, the trace distance is equal to the variational distance between the two probability distributions corresponding to the eigenvalues of ρ and σ.
The von Neumann entropy of a state ρ ∈ D(H A ) is given by H(A) ρ := −Tr{ρ log ρ}.Throughout this paper we take the logarithm base 2. For a tripartite state ρ ABC ∈ D(H ABC ), the quantum mutual information and the conditional quantum mutual information are respectively given by: where H(A) ρ denotes the von Neumann entropy of the reduced state ρ A , for example.

Review of quantum data locking
A quantum data locking scheme can be implemented by a set of |K| unitary transformations {U k } k∈K acting on a Hilbert space H M of finite dimension |M| [14,23,15,18].(For the moment, we restrict ourselves to finite-dimensional Hilbert spaces, but Definitions 1 and 2 appearing later on allow for encoding information into infinite-dimensional Hilbert spaces.)Alice encodes |M| equiprobable messages by means of a set of orthonormal states {|m } m∈M defining a standard basis in H M .The encryption is then made by applying a particular unitary U k with k chosen uniformly at random from K, and this unitary maps a standard basis state |m into a state U k |m .The label k identifies the choice of the basis and plays the role of a secret key.
It is helpful to consider a particular classical-quantum state when reasoning about a quantum data locking protocol.For such a state, we have two classical systems, the first associated with Alice's message and the second associated with the secret key, and a quantum system Q of dimension |M| corresponding to the quantum-encoded message of Alice.This classical-quantum state is given by the following density matrix: where the sets {|m } and {|k } are comprised of orthonormal states representing the message and the secret key, respectively.The receiver Bob has access to the quantum system Q and the key system K.We assume that an eavesdropper Eve only has access to the quantum system Q (for example, before it gets passed along to the receiver Bob).The classical correlations between Alice's message M and Bob's systems K and Q can be quantified by the accessible information [40].This is defined as the maximum classical mutual information that can be extracted by performing local measurements on the bipartite state: where the maximization is taken over local measurement maps M KQ→Y and I(X; Y ) = H(X) + H(Y )−H(XY ) is the mutual information, with H(Z) denoting the Shannon entropy of the random variable Z [12].The accessible information in (2) can never be larger than log 2 |M|, due to the bound I(M ; Y ) ≤ log 2 |M| which holds for any random variable Y .A particular strategy for achieving this upper bound is for Bob first to perform the controlled unitary He then simply measures in the basis {|m } to recover the message m perfectly, so that his accessible information is maximal, equal to log 2 |M|.
To assess the security of the communication, let us consider the accessible information for a party Eve who does not have access to the secret key.We consider the following reduced state: obtained by taking the partial trace over the key system in (1).The aim of Eve is to find an optimal positive operator-valued measure (POVM) to maximize the classical mutual information.
It is sufficient to consider a POVM M Q→Y with rank-one measurement operators, i.e., where each |φ y is a normalized vector and µ y > 0 (the sufficiency of rank-one POVMs follows by a data processing argument).We then find the following expression for Eve's accessible information about Alice's message [14]: where the probability distributions q yk have components Notice that Eve's accessible information is written in terms of the minimum of the Shannon entropies H(q yk ) = − m q m yk log 2 q m yk averaged over y and k.While finding Eve's optimal POVM is generally a difficult problem, one can obtain a good upper bound by a convexity argument [14].Furthermore, one can choose the encoding unitaries uniformly at random according to the Haar measure [23,18,9,15], and if one also adjoins to the message a small ancilla system in a maximally mixed state [18], then it is possible to reduce the adversary's accessible information to become arbitrarily small.These latter results show that for large enough |M| there exist data locking schemes with log 2 |K| negligibly small in comparison to log 2 |M| and for which That means that a relatively short secret key can be used to encrypt an exponentially longer message.To be more precise, consider the results of [18], according to which for |M| large enough there exist choices of |K| unitaries, with such that for any ε > 0.Moreover, if one randomly chooses the |K| unitaries according to the Haar distribution on the unitary group, the probability of picking up a set with this property approaches one exponentially fast in the limit as |M| → ∞.
In quantum data locking, the removal of a subsystem reduces the accessible information by an amount larger than the number of qubits removed.This is a purely quantum feature which has no classical analog.For comparison, consider a classical counterpart of the quantum data locking setting, in which Alice has access to a message variable M , Bob to an output random variable Y and key variable K, while Eve has access only to Y .In the classical framework, the following inequality holds This inequality shows that in the classical framework, removal of the key variable K reduces the mutual information by no more than log 2 |K|.
In the quantum case as discussed above, this inequality can be violated by an arbitrarily large amount by replacing the classical mutual information with the accessible information.A violation of the classical inequality in (8) can be quantified in terms of the following ratios [14,23]: The first is the ratio of the accessible information without the secret key to that with the secret key.The second is the ratio of the key length to the amount of information that Bob can unlock by having access to the key.For a good locking scheme, both of these quantities should be small, and the quantum data locking schemes discussed above are such that both r 1 and r 2 can be made arbitrarily small.On the other hand, the inequality in (8) implies that r 2 ≥ 1 for any locking scheme that uses classical resources only.Notice that the one-time pad protocol has r 2 = 1 because the number of bits in the key is equal to the amount of unlocked information for Bob.

Quantum enigma machine
A particular example of a QEM was proposed in Ref. [37].This QEM implements an optical realization of quantum data locking, in which Alice exploits a pulse position modulation (PPM) encoding using single-photon states over n optical modes [37].The message states |m = a † m |0 represent the states of a single photon occupying one out of a set of n bosonic modes with canonical operators {a m , a † m } m∈{1,...,n} .Thus, for this case, we have n = |M|.The unitaries {U k } k∈K are realized as passive linear-optical transformations acting on n modes.The encryption through a passive linear-optical unitary U k transforms the message states into where U k is the corresponding n × n unitary matrix acting on the mode labels.The effect of the encryption is to spread a single photon coherently over n modes.
Let us first assume that Alice and Bob communicate via a noiseless quantum channel.Then Bob receives the state prepared by Alice unperturbed.He decrypts the message by first applying the inverse transformation U † k and then by performing photodetection on the modes {a m }.We assume that Eve may intercept the signal but she does not know which unitary has been used for encryption.Then, a direct application of the results of [18] shows that Eve's accessible information can be made arbitrary small using a pre-shared secret key of length logarithmic in the length of the message.
One natural application of a QEM is in synergy with standard quantum key distribution (QKD) [5,39]-that is, a relatively short secret key can be first established by QKD and then used to encrypt a much (exponentially) longer message through the QEM.This combination of QKD and QEM in an all-quantum-optical cryptosystem could possibly overcome the bit-rate limitations of standard QKD, but more work is necessary to determine if this is the case.
Let us now suppose that Alice and Bob communicate through a pure-loss bosonic channel with transmissivity η ∈ (0, 1) and Eve makes a passive wiretap attack on the communication line, hence getting the photon lost in the channel with probability no larger than 1 − η.A simple feedbackassisted strategy allows for Alice and Bob to use the same scheme even for transmissivity values below 50%.Notice that the only effect of the pure-loss channel is to induce a probabilistic leakage of the photon.Hence, each time Bob detects a photon (which happens with probability η) he can be sure that he has correctly decrypted Alice's message.On the other hand, if Bob's photodetectors do not produce a click (which happens with probability 1 − η) he can request for Alice to resend.This shows that with the help of a classical feedback channel Alice and Bob can attain the accessible information Although reduced, this value of the accessible information equals the maximum value achievable through a pure-loss bosonic channel with a mean value of n −1 photons per mode [37,19].
Lloyd argues that such a scheme should be secure in principle [37].However, a critical assumption for this security to hold is that Eve should attack each block that she receives independently, in which case her accessible information is reduced by a factor 1 − η when compared to the lossless case.Indeed, an important assumption for the security of any locking protocol is that the distribution of the message is uniform from the perspective of the adversary.If this is not the case (as for repeated transmission of the same message when it does not show up at the receiver's end), then the secret key needs to be large enough so that the distribution of the message becomes uniform (see Proposition 4.16 in Ref. [17]).
Concerning the key efficiency of the protocol, we can estimate the key efficiency ratio as This expression implies that, although r 2 can be made arbitrarily small by increasing n, the number of bosonic modes needed to fulfill the key efficiency condition r 2 < 1 grows exponentially with decreasing r 2 and η.This feature is first of all a consequence of the fact that the quantum data locking scheme in [18] (similar conclusions are also obtained using the results of [23,15]) requires a high-dimensional Hilbert space.On top of that, there is the fact that the PPM encoding, as remarked above, is highly inefficient as it encodes log 2 n qubits into n optical modes.
According to Definition 1 below, this QEM is an instance of an (n, R, ε) weak locking protocol (assisted by classical feedback) for the pure-loss bosonic channel with transmissivity η, with a locking rate R = [η log 2 n]/n.It is worthwhile to notice that, due to the inefficiency of PPM encoding, the rate of this QEM approachs zero as n increases.

The locking capacity of a quantum channel
In this section, we take a more general approach to quantum data locking than that pursued in prior work by defining the locking capacity of a quantum channel.Our goal is to understand the locking effect in the setting of quantum Shannon theory, where a sender and receiver are given access to n independent uses of a noisy quantum channel (where n is an arbitrarily large integer).Their aim is to exploit some sublinear (in n) amount of secret key in order to lock classical messages from an adversary, in the sense that this adversary will not be able to do much better than random guessing when performing a quantum measurement to learn about the transmitted message.Also, we demand that the legitimate receiver (who knows the value of the secret key) be able to recover the classical message with an arbitrarily small probability of error.This leads us naturally to the following formal definition of a locking protocol for a noisy channel: Definition 1 (Weak locking protocol).An (n, R, ε) weak locking protocol for a channel N A→B consists of encoding and decoding maps E M K→A n and D B n K→ M , respectively.The encoding E M K→A n acts on a message system M and a key system K and outputs the system A n for input to n uses of the channel.The decoding map D B n K→ M acts on the output systems B n and the key system K to produce a classical system M containing the receiver's estimate of the message.Without loss of generality, the encoding consists of |M||K| quantum states ρ m,k , where |M| is the number of messages and |K| is the number of key values.Furthermore, the decoding consists of |K| POVMs {Λ (k) m } m∈M .The rate R = log 2 |M|/n and the parameter ε > 0. The protocol should satisfy the following requirements: 1. Given the key, the receiver can decode the transmitted message well on average: 2. Let {Γ y } be a POVM that Eve can perform in an attempt to learn about the message M .After she performs this measurement, the joint classical-classical state of the message and her measurement outcome is as follows: where N A→E is the channel complementary to N A→B .Equivalently, the joint probability Our security criterion (see also Ref. [18]) is that, for any measurement outcome y of Eve, the variational distance between the message distribution p M (m) and the distribution p M |Y (m|y) for the message conditioned on any particular measurement outcome should be no larger than ε: The interpretation here is that Eve cannot do much better than to randomly guess the message if all of the conditional distributions p M |Y (m|y) are indistinguishable from the message distribution.
3. The secret key consumption grows sublinearly in the number n of channel uses.
In a weak locking protocol, it is assumed that the eavesdropper has access to the channel environment only.A stronger locking protocol is obtained if we allow for the eavesdropper to have access to the channel input (or, equivalently, to both the channel output and environment): Definition 2 (Strong locking protocol).An (n, R, ε) strong locking protocol is similar to a weak locking protocol, except that we allow for Eve to have access to the A n systems, so that she can perform a measurement on the A n systems of the following state: We then demand that the variational distance as in ( 14) can be made less than an arbitrarily small positive constant ε.
Remark 3. One could alternatively allow for the adversary to have access to the output of the channel, but we do not explore such a possibility in this paper.
Remark 4. The Fannes-Audenaert inequality [16,2] for continuity of entropy implies that if (14) holds, then we get the following bound on Eve's accessible information: where h 2 is the binary entropy and n and R are as in Definition 1.In more detail, recall the Fannes-Audenaert inequality for continuity of entropy: , where h 2 is the binary entropy and d is the dimension of the states.Applying this to the condition in (14) gives Since the above inequality holds for any measurement of Eve, averaging it with respect to the distribution p Y (y) gives the inequality in (15).
Remark 5.If desired, one can demand further for the secret key rate of an (n, R, ε) weak or strong locking protocol to be consumed at a particular sublinear rate (for example, a logarithmic number of secret key bits or perhaps √ n secret key bits for n channel uses).However, the present paper establishes several upper bounds on locking capacity in an IID setting, and these bounds converge to the same quantity in the large n limit regardless of which sublinear rate is chosen.Also, the FHS protocol [18] is very strong, in the sense that it uses such a small amount of secret key.Thus, in light of these two observations it seems reasonable to define locking capacity in such a coarsegrained manner.However, other characterizations of locking capacity in a finite blocklength setting or in a one-shot setting might change depending on the amount of secret key allowed (so it would be necessary to specify in more detail the amount of secret key allowed).Remark 6. Observe that an (n, R, ε) strong locking protocol is also an (n, R, ε) weak locking protocol, but the other implication is not necessarily true.
Remark 7. The security and key efficiency ratios become arbitrarily small for a strong locking protocol.Indeed, from the fact that I acc (M ; A n ) ≤ h 2 (ε/2) + εnR/2 and the fact that the receiver can decode with the key, so that I acc (M ; B n K) ≈ log 2 |M|, it follows that the security ratio r 1 ≤ h 2 (ε/2)/(nR) + ε/2.Also, since we require the key to be sublinear in the message length, it follows that the key efficiency ratio r 2 = o(n)/O(n), which vanishes in the limit as n → ∞.
In what follows, we use the modifier "weak" or "strong" only when we need to distinguish between them.

Definition 8 (Achievable rate for locking).
A rate R is achievable if ∀ δ, ε > 0 and sufficiently large n, there exists an (n, R − δ, ε) locking protocol.Definition 9 (Locking capacity).The locking capacity L(N ) of a quantum channel is the supremum of all achievable rates: Let L W (N ) and L S (N ) denote the weak and strong locking capacity, respectively.

Relation of the locking capacity to other capacities
Let Q(N ), P (N ), and C(N ) denote the quantum [41,42,4,3,36,45,13], private [13,10], and classical [26,43] capacities of a quantum channel N , respectively.By employing operational arguments, we can determine that the following bounds hold Indeed, for any channel, its quantum capacity is less than the private classical capacity because any scheme for quantum communication can be used for private classical communication such that the classical information is protected from the environment of the channel.Furthermore, the inequality P (N ) ≤ L W (N ) holds because any (n, R, ε) private classical communication protocol satisfies the three requirements of a weak locking protocol [13,10].Finally, the requirements of a weak locking protocol are more restrictive than those for classical communication, so that L W (N ) ≤ C(N ).Operational arguments and the existence of the Fawzi-Hayden-Sen (FHS) locking protocol [18] also lead to the following bounds on the strong locking capacity: We first justify the bound Q(N ) ≤ L S (N ), already observed in some sense in Ref. [17].The strong locking capacity of the noiseless qubit channel is equal to one, due to the existence of the FHS locking protocol (see Example 23 below).By concatenating the FHS locking protocol with a family of capacity-achieving quantum error correcting codes, we obtain a family of strong locking protocols that achieve a strong locking rate equal to the quantum capacity of the channel.The bound L S (N ) ≤ L W (N ) follows because a strong locking protocol always meets the demands of a weak locking protocol (recall Remark 6).The relationship between the private capacity and the strong locking capacity is less clear.Indeed, a private communication protocol for a quantum channel protects information only from the environment of the channel (which we think of as the eavesdropper's system).For this reason, it does not meet the demands of a strong locking protocol.However, we could consider a "strong privacy" protocol in which the goal is to protect a message from both the environment and output of the channel, under the assumption that the party controlling these systems does not have access to the shared key.In this case, the "strong private capacity" would always be equal to zero because a sublinear amount of secret key is insufficient to get any "strong private capacity" out of the channel.For this reason, the bounds in ( 18)-( 19) are the best simple ones that we can derive from operational considerations.We can also consider the case in which a classical feedback channel is available for free from the receiver to the sender.In this case, we denote the resulting capacities with a superscript (←) .By employing the same operational arguments as above, we find that the following inequalities hold Capacities assisted by classical feedback need not be equal to the unassisted capacities.For example, it is known that the quantum and private capacities assisted by classical feedback can be strictly larger than the corresponding unassisted capacities [33], and this is true even for the classical capacity [47].The locking capacity of quantum channels with classical feedback remains largely an open question.

Upper bounds on the locking capacity
Let us define the information quantity L (u) W (N ) as follows: where the above information quantities are evaluated with respect to a state of the following form: U N A→BE is an isometric extension of the channel N , and the superscript (u) indicates that this quantity will function as an upper bound on the locking capacity.The following theorem establishes that the regularization of L (u) W (N ) provides an upper bound on the weak locking capacity of a quantum channel.This bound is nontrivial given that the regularization of L Proof.The proof below places an upper bound on the weak locking capacity of a quantum channel by considering the most general protocol for this task.Suppose that the task is to generate shared, locked randomness rather than to send a locked message (placing an upper bound on achievable rates for this task gives an upper bound on achievable rates for the latter task, since a protocol for the latter task can be used to accomplish the former task).The most general protocol has Alice input her share of the key K and her variable M into an encoder that outputs some systems A n to be fed into the inputs of the channels.She then transmits these systems A n over the channel, so that Bob receives the output systems B n .Let the following state describe all systems at this point in the protocol: Bob inputs his share of the key K and the systems B n into a decoder D KB n → M to recover M , which is his estimate of Alice's variable M .The final state of the protocol is given by If the protocol is any good for locking the message M , then the ideal distribution of M and M deviates from the actual distribution of these variables by no more than ε, in the sense that The above condition is equivalent to the condition that Pr{ Also, from Remark 4, Eve's accessible information I acc (M ; E n ) about the variable M is bounded from above by ε ′′ n, where ε ′′ ≡ h 2 (ε/2)/n + εR/2, whenever ( 14) is satisfied.We can now proceed with bounding achievable rates for any locking protocol: The first equality follows from the assumption that the random variable M is a uniform random variable.The second equality is an identity because H(M | M ) = 0 for the ideal distribution on M and M .The first inequality follows from an application of the Alicki-Fannes-Audenart inequality (continuity of entropy) [1,2], where ε ′ is a function of ε that approaches zero as ε → 0. The second inequality follows from an application of quantum data processing (both B n and K are fed into the decoder to produce M ).The third equality follows from an application of the chain rule for mutual information.The third inequality follows from the upper bound (the assumption that the secret key rate is sublinear) and from the accessible information bound The final inequality follows from optimizing over all distributions, so that we have in the limit as n becomes large and as ε → 0.
Theorem 11.The strong locking capacity L S (N ) of a quantum channel N is upper bounded as where and the information quantities are with respect to the state in (23).
Proof.The proof of this theorem is nearly identical to the proof of the one above.However, we employ the bound on the accessible information I acc (M ; A n ) = I acc (M ; B n E n ) from Definition 2 and Remark 4 instead.
Remark 12. Observe that the bounds in the above theorem hold even if the key is allowed to be a sublinear size quantum system, as in the locking schemes discussed in [15].
It is an interesting and important open question to determine if the upper bounds given in the above theorems are achievable.

Entanglement-breaking channels have zero locking capacity
The above theorems and a further analysis allow us to determine that both the strong and weak locking capacities of an entanglement-breaking channel are equal to zero.
Definition 13 (Entanglement-breaking channel [29]).A channel N EB is entanglement-breaking if the output state is separable whenever it acts on one share of an entangled state: where p X (x) is a probability distribution, each σ x R is a state on the reference system R, and each ω x B is a state on the channel output system B.
Theorem 14.Both the strong and weak locking capacities of an entanglement-breaking channel N EB are equal to zero: Proof.The proof of this theorem exploits the upper bound derived in Theorem 10 and the fact that L W (N EB ) ≥ L S (N EB ).We know from Ref. [29] that any entanglement-breaking channel has a representation with rank-one Kraus operators, so that its action on an input density operator is given by for some set of vectors {|ψ y A } such that y |ψ y ψ y | A = I A and a set of states {|φ y B }.An isometric extension of the channel is then given by with {|y E } an orthonormal basis for the environment.From this representation, it is clear that the channel to the environment is of the form: and the environment can simulate the channel to the receiver by first performing a von Neumann measurement in the basis {|y } followed by a preparation of the state |φ y B conditioned on the measurement outcome being y.Now consider the information quantity L (u) W (N EB ) defined in (22).Theorem 10 states that the regularization of this quantity is an upper bound on the weak locking capacity.For any finite n, we can always pick the measurement to be a tensor-product von Neumann measurement of the form mentioned above, giving that where Y n is the random variable corresponding to the measurement outcomes.Due to the structural relationship given above (the fact that the environment can simulate the channel to the receiver by preparing n quantum states |φ y 1 ⊗ • • • ⊗ |φ yn from the measurement outcomes y n ), we find that by an application of the quantum data processing inequality.This is equivalent to W N ⊗n EB = 0 and thus that the weak locking capacity vanishes for any entanglement-breaking channel.
Remark 15.The importance of the above theorem is the conclusion that a channel should be able to preserve entanglement between a purification of the channel input and its output in order for it to be able to lock information.If it is not able to (i.e., if it is entanglement-breaking), then the locking capacity is equal to zero.Ref. [6] suggested that entanglement does not play a role in quantum data locking, but this theorem shows that it does in any realistic implementation of a locking protocol.
Remark 16.It should be possible to provide a rigorous generalization of this result to entanglementbreaking channels defined over general infinite-dimensional spaces using the techniques from Ref. [27].For example, it is known that a lossy bosonic channel becomes entanglement-breaking when the environment injects a thermal state with sufficiently high photon number [27].However, we leave this question open for future work.

Protocols with classical simulations have zero strong locking rate
It is important to determine the conditions for when the locking rate of a given protocol is zero, so that we can distinguish between the classical and quantum regimes for locking.In this regard, we can exclude all protocols that have a classical simulation in the following sense: Definition 17 (Classical simulation).We say that a locking protocol has a classical simulation if the receiver's decoding consists of performing a measurement on the output of the channel that is independent of the key K, followed by a classical post-processing of the measurement output and the key to produce an estimate of the transmitted message.
Theorem 18.The strong locking rate of any locking protocol with a classical simulation is equal to zero.
Proof.The fact that this theorem should hold might be obvious, but nevertheless we provide a proof.The setup for this proof is similar to that in the proof of Theorems 10 and 11, with the exception that the decoder first performs a key-independent measurement of the channel output to produce a random variable Y .The decoder then processes the random variable Y and the key K to produce an estimate M of the sender's message.We can bound the rate R of this protocol as follows: The first three lines above are exactly the same as those in the proof of Theorem 10.The second inequality follows from quantum data processing.The third equality is the chain rule.The third inequality follows from the condition I acc (M ; 14) is satisfied, which should hold for any strong locking protocol.Also, it follows because I(M ; K|Y ) ω ≤ H(K) ≤ o(n).Finally, the adversary can choose her processing of the B n E n systems to be a discarding of E n followed by whatever key-independent measurement of B n that the receiver is performing to produce Y .Thus, it follows that I acc (M ; B n E n ) ω ≥ I(M ; Y ).The statement that the strong locking rate is equal to zero follows by taking the limit as n → ∞ and ε → 0.
As a corollary of the above theorem, we find the following: Corollary 19.If a protocol does not consume any secret key at all, then the strong locking rate is equal to zero.
Proof.This follows simply because the receiver's measurement on the channel outputs does not depend on a key for a scheme that does not use any key at all.

5.2.3
The private and quantum capacity are equal to the weak locking capacity for particular Hadamard channels In this section, we prove that if the channel is such that the map from the input to the environment is a quantum-to-classical channel, i.e., of the following form: for some orthonormal basis {|x } and where x A † x A x = I, then the weak locking capacity of such a channel is equal to its private and quantum capacity.This result follows simply because the systems received by the environment are already classical, so that the best measurement for the adversary to perform is given by {|x x|} on each channel use.Any measurement other than this one will have a mutual information with the message lower than this measurement's mutual information by a simple data processing argument.Furthermore, since the systems given to the environment are classical, the Holevo information of the environment with the input is equal to the accessible information of the environment with the input for such channels.
For such channels, the map from the input to the output is of the following form: because the operator x A x (•)⊗|x ⊗|x is an isometric extension of the channel in (24).A notable example of such a channel is the "photon detected-jump" channel, described in Ref. [20].Channels of the form in (25) are examples of Hadamard channels, which are generally defined as channels complementary to entanglement-breaking ones [30,31].We state the above result as the following theorem: Theorem 20.The weak locking capacity of a channel of the form in ( 25) is equal to its private and quantum capacity and is given by the following expression: where the information quantities are evaluated with respect to the following state: with U N A→BE an isometric extension of the channel N .
Proof.A proof of this theorem follows the intuition mentioned above.In particular, we know from Refs.[13,10] that the following formula is equal to the private capacity of any channel: Now, since we are assuming the channel to the environment to have the form given in (24), the systems given to the environment are classical so that the accessible information I acc (X; E n ) is equal to the Holevo information I(X; E n ) for any finite n.Thus, our upper bound from Theorem 10 on the weak locking capacity of such a channel is equal to the expression given above for its private capacity.Furthermore, all Hadamard channels are degradable [7], meaning that the receiver can simulate the map from the input to the environment by acting with a degrading map on his system.Finally, it is known that the expression for the private capacity "single-letterizes" to the form in the statement of the theorem for degradable channels and that the quantum capacity is equal to the private capacity for such channels [46].
Remark 21.Theorem 20 demonstrates that it suffices to use a private capacity achieving code for channels of the form in (25), with the benefit that these private communication codes do not require the consumption of any secret key.That is, there is no need to devise an exotic information locking protocol for such channels in order to achieve their weak locking capacity.

Quantum discord-based upper bound on the gap between weak locking capacity and private capacity
The quantum discord is an asymmetric measure that quantifies the quantum correlation in a bipartite quantum state [38].For a given bipartite quantum state ρ AB , the quantum mutual information I(A; B) ρ quantifies all of the bipartite correlations in ρ AB , while max Λ A→X I(X; B) is meant to capture the classical correlations in the state that are recoverable by performing a local measurement on the A system [25].Thus, the idea behind the quantum discord D(A, B) ρ is to quantify the quantum correlations in a state by subtracting out the classical correlation from the total correlation: Ollivier and Zurek originally described the quantum discord as the correlations lost during a measurement process [38].
Our upper bound on the weak locking capacity from Theorem 10 appears similar to the above formula for quantum discord.Indeed, we can place an upper bound on the gap between the weak locking capacity and the private capacity of a quantum channel in terms of the discord between the environment of the channel and the classical variable sent into the channel.We can also interpret this merely as the gap between the Holevo information of the environment and its accessible information.It is clear why this gap is related to quantum discord.In a private communication protocol, the security guarantee is with respect to the Holevo information, while in a locking protocol, the guarantee is with respect to the accessible information.Thus, the gap between the two capacities should be related to the correlations lost during Eve's measurement.
Proposition 22.The gap between the weak locking capacity and the private capacity of a quantum channel is no larger than where the entropies for any finite n are with respect to a state of the following form: and N A→E is the channel complementary to N A→B = N .
Proof.Consider that for any finite n, we have the bound Then by using the bound from Theorem 10, the inequality above, and the characterization of the private capacity as the bound in the statement of the theorem follows.

Examples
Example 23 (Noiseless qudit channel) The noiseless qudit channel trivially has weak locking capacity equal to log 2 d, where d is the dimension of the input and output for the channel.The reason for this is that an isometric extension of this channel has the following form: In this case, Eve's state is independent of the input, so that her accessible information is always equal to zero (even without coding in any way).
However, the noiseless qudit channel nontrivially has strong locking capacity also equal to log 2 d.This follows from the results of Fawzi et al. [18], in which they demonstrated the existence of a locking protocol that locks n dits using 4 log 2 (1/ε) + O(log 2 log 2 (1/ε)) bits of key while having the variational distance in (14) for any eavesdropper measurement no larger than ε, for an eavesdropper who obtains the full output of the noiseless channel.Thus, this scheme is an (n, log 2 d, ε) locking protocol that consumes secret key at a rate equal to So, for any fixed ε > 0, we can take n large so that the secret key rate vanishes in this limit, while the eavesdropper will not be able to do much better than to randomly guess the message.Thus, this construction gives a scheme to achieve the rate log 2 d.Since the strong locking capacity of the noiseless qudit channel cannot be any larger than log 2 d, this proves that it is equal to log 2 d for this channel.
In reality, one does not ever have access to perfectly independent uses of a quantum channel, as this is just an idealization.As such, it can be helpful to define the "one-shot" locking capacity for a single use of a quantum channel.We provide such a definition below: Definition 24 (One-shot locking capacity).The ε-one-shot locking capacity of a quantum channel is the maximum number of locked bits that a sender can transmit to a receiver such that the receiver can recover the message with average error probability less than ε > 0 and such that the total variational distance of the message distribution conditioned on the eavesdropper's measurement outcome x with the unconditioned message distribution p M is no larger than ε: We also demand that the number of secret key bits used is O(log 2 log 2 |M|).Similar to the IID case, we can distinguish between weak and strong locking capacities.
Example 25 (Depolarizing channel) Recall that the quantum depolarizing channel is defined as where p ∈ [0, 1] characterizes the noisiness of the channel and d is its dimension.For sufficiently large d, the ε-one-shot strong locking capacity of the depolarizing channel is equal to its ε-one-shot classical capacity (defined similarly as above-see Ref. [50], for example).This result follows simply because any unitary encoding commutes with the action of the depolarizing channel on the input state, and we can employ the FHS protocol combined with an ε-one-shot classical capacity achieving code, in order to achieve the same ε-one-shot strong locking capacity of the depolarizing channel.
While easy to prove, this example illustrates the subtle interplay between locking, entanglement and classical communication.The fact that the depolarizing channel's one-shot strong locking and classical capacities match regardless of the strength of the noise would seem to leave little room for quantum correlations to play any role.Indeed, it seems hard to square this result with Theorem 14's statement that entanglement-breaking channels have zero strong locking capacity, which is easily adapted to the one-shot setting.The resolution is that for any fixed but arbitrarily large amount of noise p, the depolarizing channel eventually ceases to be entanglement breaking for some sufficiently large d = poly(1/p) [21].
Our best known characterization of the locking capacity of the IID memoryless depolarizing channel is in terms of the operational inequalities given in ( 18)- (19).
Example 26 (Erasure channel) Consider a d-dimensional quantum erasure channel defined as where |e is an erasure flag state that is orthogonal to the d-dimensional input state.For this channel, a unitary acting on the input commutes with the action of the channel, so that the same argument as above demonstrates that the ε-one-shot strong locking capacity of this channel is equal to its ε-one-shot classical capacity for sufficiently large d.
The feedback-assisted weak and strong locking capacities of the memoryless erasure channel are at least (1 − p) 2 for p ≤ 1/2 and (1 − p)/(1 + 2p) for p ≥ 1/2.Furthemore, they are no larger than 1 − p.These results follow from the best known lower bounds on the quantum capacity of the erasure channel assisted by classical feedback [33], the fact that the feedback-assisted classical capacity of the erasure channel cannot exceed 1 − p, and the operational inequalities in (21).
Example 27 (Parallelized locking protocols) A simple parallelized protocol (as mentioned in Ref. [37]) is to employ the FHS protocol for each use of a memoryless depolarizing or erasure channel.However, the best known statement regarding the parallel composition of locking protocols is given by Proposition 2.4 of Ref. [18].That is, if one locking protocol guarantees that the total variational distance of a message distribution conditioned on the eavesdropper's measurement outcome x 1 with the unconditioned message distribution p M is no larger than ε 1 : and another guarantees it is no larger than ε 2 : then the parallel composition of these protocols guarantees a total variational distance no larger than ε 1 + ε 2 : Then consider a simple parallelized protocol consisting of n uses of a d-dimensional channel, where we suppose that each channel use has a guarantee that the variational distance (as above) is no larger than γ > 0. Parallel composition of the locking protocols guarantees that the variational distance for the n channel uses is no larger than γn.By applying the Fannes-Audenaert inequality [16,2] as in Proposition 3.2 of Ref. [18], one finds the following bound on the accessible information of the adversary: (γn) log d n E + h 2 (γn), where d E is the dimension of the environment for a single channel use.Thus, the number of secret key bits needed to guarantee that Eve's accessible information is no larger than nε is equal to O(n log 2 (1/ε)), so that the rate of key used in this scheme grows linearly with the number of channel uses.Clearly, this approach is less desirable than simply using a one-time pad combined with a classical capacity achieving code.For this latter protocol, the rate of key is a fixed constant independent of the number of channel uses and the protocol guarantees perfect secrecy from an adversary with access to a quantum memory.
In information theory, results for memoryless channels usually follow straightforwardly from their one-shot counterparts.The linear key growth incurred when parallelizing locking protocols prevents us from quickly concluding that the non-one-shot strong locking capacities of the depolarizing and erasure channels match their classical capacities.Moreover, the covariance argument used to draw that conclusion does not translate directly to the setting of many channel uses.We therefore leave it as an open question to determine whether the equivalence persists beyond the one-shot setting.

Upper bounds on the locking capacity when restricting to coherentstate encodings
In this section, we prove that there are fundamental limitations on the locking capacity of channels when we restrict ourselves to coherent-state encodings.In particular, we prove that the strong locking capacity of any quantum channel cannot be any larger than where g(x) ≡ (x + 1) log 2 (x + 1) − x log 2 x, when restricting to coherent-state encodings with mean input photon number N S .Observe that g(N S ) − log 2 (1 + N S ) ≤ log 2 (e), and this latter bound is independent of the photon number used for the coherent-state codewords.An intuitive (yet not fully rigorous) reason for why we obtain this bound is that log 2 (1 + N S ) is the rate of information that an adversary can recover about the message simply by performing heterodyne detection on each input to the channel, while g(N S ) is an upper bound on the classical capacity of any channel with mean input photon number N S .Thus, the difference of these two quantities should be a bound on the strong locking capacity.We also prove that the weak locking capacity of a pure-loss bosonic channel cannot be any larger than the sum of its private capacity and when restricting to coherent-state encodings with mean photon number N S , where η ∈ [0, 1] is the transmissivity of the channel.As before, g(( , which is independent of the photon number. We consider a coherent-state locking protocol in which the encrypted states {U k |m } are generalized to a set of n-mode coherent states {|α n (m, k) } m∈M,k∈K , where |α n (m, k) is an n-fold tensor product of coherent states: Definition 28 (Coherent-state locking protocol).A coherent-state locking protocol consists of coherent-state codewords {|α n (m, k) } m∈M,k∈K depending upon the message m and the key value k.These codewords are then transmitted over a quantum channel to be decoded by a receiver.
Theorem 29.The strong locking capacity of any channel when restricting to coherent-state encodings with mean photon number N S is upper bounded by g(N S ) − log 2 (1 + N S ).
Proof.As described in Definition 28, the encoder for such a scheme prepares a coherent-state codeword |α n (m, k) at the input of n uses of a quantum channel N , depending upon the message m and the key value k.It is useful for us to consider the following classical-quantum state, which describes the state of the message, key, and input to many uses of the channel: The state after the isometric extension of the channel (unique up to unitaries acting on the environment) acts is then as follows: where U N A n →B n E n is the isometry corresponding to n uses of the given channel.Recall from the proof of Theorem 11 that we obtain the following upper bound on the strong locking capacity of N : (Recall that this bound holds for any (n, R, ε) strong locking protocol, with ε ′ a function of ε that vanishes as ε → 0.) Consider that the information quantity I(M ; B n ) is upper bounded as follows: where the first inequality follows from quantum data processing, and the equality follows from the chain rule for quantum mutual information.We then find that where the second equality follows because the state on A n is a pure coherent state when conditioned on systems M and K.
On the other hand, we obtain a lower bound on the accessible information I acc (M ; B n E n ) = I acc (M ; A n ) by having the adversary perform heterodyne detection (a particular measurement that is not necessarily the optimal one) on each of the systems A n , giving where in the second line we again apply the chain rule for mutual information.An ideal n-mode heterodyne measurement is described by a POVM { d 2n β n π n |β n β n |}, where β n is the amplitude of the n-mode coherent state |β n ≡ |β 1 • • • |β n and d 2n β n denotes the Lebesgue measure on C n .We can then compute the heterodyne mutual information I het (M K; A n ) ρ as denotes the Wehrl entropy for a state σ defined on system Q [51] and its conditional version follows in the natural way.It is easy to see that the Wehrl entropy of an n-mode coherent state is equal to n log 2 (e), so we find that We are now in a position to derive an upper bound on (27).Observe that our development above implies that The second inequality follows from data processing: I(K; A n |M ) ρ ≥ I het (K; A n |M ) ρ (the system M is classical, and performing heterodyne detection on A n can only reduce the mutual information).The third inequality follows by taking a maximization over all distributions p X (x) where ω XA n is a state of the following form: such that the mean input photon number to the channel for each x is N S .The fourth inequality follows by realizing that the difference between the mutual information and the heterodyne information is equal to the private information of a quantum wiretap channel in which the state |α n x is prepared for the receiver while the heterodyned version of this state (a classical variable) is prepared for the eavesdropper.Such a quantum wiretap channel has pure product input states (they are coherent states) and it is degraded.Thus, we can apply Theorem 35 from the appendix to show that this private information is subadditive, in the sense that max where we define the state σ XA as follows: The last equality follows from the observation in (32) and because I(X; A) σ = H(A) σ −H(A|X) σ = H(A) σ (since the states are pure when conditioned on X).
We now show that the maximizing distribution for max p X (x) [H(A) σ − W (A) σ ] is given by a circularly-symmetric Gaussian distribution with variance N S , so that the optimal ensemble is a Gaussian ensemble of coherent states.Indeed, let ̺ be a single-mode quantum state with Tr[a̺] = 0 and Tr[a † a̺] = N S where a † and a are creation and annihilation operators, respectively.The von Neumann entropy is given by H is maximized when ̺ is a thermal state.Our approach is based on a technique used in the appendix of Ref. [28], which in turn is based on classical approaches to this problem [12].Let be a thermal state with mean photon number N S .We will show that holds for any ̺ with Tr[a̺] = 0 and Tr[a † a̺] = N S .Putting the left hand side of ( 36) is equal to where D(̺|| ̺) and D(Q ̺ ||Q ̺ ) are quantum and classical relative entropies, respectively.We can easily show that their difference is positive by the monotonicity property of the relative entropy.The third term is Similarly, the fourth term is and we used the fact that if Tr[a † a̺] = Tr[a † aτ ] then As a consequence, we have which completes the proof that max p X (x) [H(A) σ − W (A) σ ] is optimized by a circularly symmetric complex Gaussian distribution with variance N S .
Finally, we can rewrite log 2 (e) + max p X (x) [H(A) σ − W (A) σ ] as I(X; A) σ − I het (X; A) σ for X complex Gaussian, and these information quantities evaluate to g(N S ) − log 2 (1 + N S ) in such a case.By combining the bounds in (27) and (33), we deduce the following upper bound on the rate R of any strong locking protocol that employs coherent-state codewords with mean photon number N S : which converges to g(N S ) − log 2 (1 + N S ) in the limit as n → ∞ and ε → 0.
Theorem 30.The weak locking capacity of a pure-loss bosonic channel with transmissivity η ∈ [0, 1] when restricting to coherent-state encodings with mean input photon number N S is upper bounded by max{0, g(ηN The term max{0, g(ηN S ) − g((1 − η)N S )} is equal to the private capacity of the pure-loss bosonic channel, while the second term is limited by the bound Proof.The proof of this theorem is somewhat similar to the proof of the previous theorem.Nevertheless, there are some important differences, and so we give the full proof for completeness.
In the proof of Theorem 10, we obtained the following upper bound on the weak locking capacity: (Recall that this bound holds for any (n, R, ε) strong locking protocol, with ε ′ a function of ε that vanishes when ε → 0.) We begin by bounding the quantity I(M ; B n ) − I acc (M ; E n ): The first inequality follows from data processing I(M ; B n ) ≤ I(M K; B n ), the fact that I acc (M ; E n ) ≥ I het (M K; E n ), and the identity The first equality follows from the fact that I(M K; B n ) = H(B n ) for the pure-loss bosonic channel and from the fact that The second equality is a simple identity.The final inequality follows because the entropy difference H(B n ) − H(E n ) is equal to a coherent information of the n-use pure-loss bosonic channel.The only relevant property of the input state for which the coherent information is evaluated is that it has a mean photon number N S , and so the coherent information is always lower than n max{0, g(ηN S ) − g((1 − η)N S )}, which is equal to n times the quantum and private capacity of this channel [54,52].We also employ an argument similar to that in the previous theorem to bound . Finally, by combining the above bound with the bound in (43), we deduce the following upper bound on the rate R of any weak locking protocol that employs coherent-state codewords for transmission over a pure-loss bosonic channel: ] in the limit as n → ∞ and ε → 0.
Remark 31.Given that the private capacity of a pure-loss bosonic channel with mean input photon number N S is equal to max{0, g(ηN S ) − g((1 − η)N S )}, the above theorem implies a strong limitation on the weak locking capacity of a pure-loss bosonic channel when restricting to coherent-state encodings with mean input photon number N S .That is, the weak locking capacity when restricting to coherent-state encodings cannot be more than 1.45 bits larger than the channel's private capacity.
Remark 32.These bounds apply in particular to channels that use a coherent-state locking protocol in which there is a fixed codebook {|α n (m) } and the coherent states are encrypted according to passive mode transformations U k that transform n-mode coherent states as |α n → | U k α n , where U k α n is understood to be a label for a coherent state vector with the following complex amplitudes: Remark 33.If the coherent-state locking protocol consists of passive mode transformations (as defined above) for the encryption and the receiver performs heterodyne detection to recover the message after decrypting with a passive mode transformation, then the strong locking capacity of a channel using such a scheme is equal to zero.This result follows because such a scheme has a classical simulation-passive mode transformations commute with heterodyne detection in such a way that heterodyne detection can be performed first followed by a classical postprocessing of the measurement data with a matrix multiplication as in (44).That is, the decoding in such a scheme is equivalent to first performing key-independent heterodyne detection measurements followed by classical post-processing of the key and the measurement results.Thus, Theorem 18 applies so that the strong locking capacity of a channel using such a scheme is equal to zero.However, this theorem does not apply if the receiver performs photodetection because passive mode transformations do not commute with such a measurement.
From our upper bounds on the locking capacity of channels restricted to coherent-state encodings, it is clear that there are strong limitations on the rates that are achievable when employing bright coherent states.That is, it clearly would not be worthwhile to invest a large mean input photon number per transmission given the above limitations on locking capacity that are independent of the photon number.In spite of this result, it might be possible to achieve interesting locking rates with weak coherent states, but we should keep in mind that the above bounds were derived by considering the information that an adversary can gain by performing heterodyne detection-the information of the adversary can only increase if she performs a better measurement.Nevertheless, we can determine values of the mean input photon number N S such that the difference where the optimization is over the POVM M (1) E defined on the single-photon subspace, with elements {µ y |U k |m | 2 .The expression in square brackets in (54) is formally the same as that in (5).We can hence bound I num (M ; Q) ρ using the results of Ref. [18].It follows that there exist choices of |K| n-mode passive linear-optical unitaries with such that with ε arbitrarily small if n is large enough.
Clearly, the security condition r 1 ≪ 1 can be satisfied only if which can be fulfilled in the case of weak coherent states, where N tot ≪ 1.In this regime, the key-efficiency condition r 2 < 1 can be satisfied only if This implies that the value of N tot has to be in the range In conclusion, this weak coherent state PPM protocol is analogous to the single-photon one in the presence of linear loss.In principle the condition in (59) can always be fulfilled for n large enough, yet the minimum value of n increases exponentially with decreasing key-efficiency ratio r 2 and with decreasing N tot .

Conclusion
In this paper, we formally defined the locking capacity of a quantum channel in order to establish a framework for understanding the locking effect in the presence of noise.We can distinguish between a weak locking capacity and a strong one, the difference being whether the adversary has access to the environment of the channel or to its input.We related these locking capacities to other well known capacities from quantum Shannon theory such as the quantum, private, and classical capacity.The existence of the FHS locking protocol [18] establishes that both the weak and strong capacity locking capacities are not smaller than the quantum capacity, while the weak locking capacity is not smaller than the private capacity because a private communication protocol always satisfies the demands of a weak locking protocol.Furthermore, the classical capacity is a trivial upper bound on both locking capacities.We also proved that the strong locking capacity is equal to zero whenever a locking protocol has a classical simulation and that both locking capacities are equal to zero for an entanglement-breaking channel.This latter result demonstrates that a channel should have some ability to preserve entanglement in order for non-zero locking rates to be achievable.Moreover, we found a class of channels for which the weak locking capacity is equal to both the private capacity and the quantum capacity.
As an important application, we considered the case of the pure-loss bosonic channel and the locking capacities for channels restricted to coherent-state encodings.We note that a particular example of such a protocol is the αη protocol (also known as Y 00) [56].We found limitations of the locking capacity for these coherent-state schemes: the strong locking capacity of any channel is not larger than log 2 (e) locked bits per channel use while the weak locking capacity of the pureloss bosonic channel is not larger than the sum of its private capacity and log 2 (e) locked bits per channel use.If the scheme exploits passive mode transformations and the receiver uses heterodyne detection, the restrictions are as severe as they can be: the strong locking capacity is equal to zero because there is a classical simulation of such a protocol.
As a final contribution, we discussed locking schemes that exploit weak coherent states and that might be physically implementable.They are similar to the single-photon quantum enigma machine (QEM) of Ref. [37], with the exception that information is encoded by pulse position modulation (PPM) of a coherent state of a given amplitude α, with |α| 2 ≪ 1, over n modes.The necessary conditions for security and key efficiency of this scheme are qualitatively equivalent to that of the single-photon QEM.
The realization of a proof of principle demonstration of a quantum enigma machine is a tremendous experimental challenge.The main difficulty to overcome concerns the scaling of the physical resources required for key efficient encryption.Notice that for single-photon PPM encoding, n optical modes are needed to encode log 2 n bits, while the required secret key has length of the order of log 2 log 2 n.As a consequence, the number of modes increases very quickly if one requires small values of the key efficiency ratio r 2 , as defined in (10).Although keeping the same scaling law, the resources required for a key efficient single-photon QEM become even more demanding when one introduces loss in the single-photon scheme and when one moves from the single-photon PPM to the weak coherent-state PPM.On the other hand, in the case of a weak coherent-state QEM, one can trade off the increase in the number of modes (and/or the reduction in the key efficiency level) with the fact that coherent states can be prepared deterministically and are much easier to handle than single-photon states.However, it seems that one has to go beyond PPM encoding to overcome the key efficiency limitations.
There are many open questions to consider going forward from here.Perhaps the most pressing question is to determine a formula that serves as a good lower bound on the locking capacities (that is, one would need to demonstrate locking protocols with nontrivial achievable rates according to the requirements stated in Definitions 1, 2, and 8).One might suspect that the formulas given in Theorems 10 and 11 are in fact achievable, but it is not clear to us if this is true.Furthermore, it is important to determine if there is an example of channel (perhaps many?) for which its weak locking capacity is strictly larger than its private classical capacity, and similarly, if there is a channel for which its strong locking capacity is strictly larger than its quantum capacity.We also suspect that the locking capacity is non-additive, as is the case for other capacities in quantum Shannon theory [48,34,47].If it is the case that the 50% quantum erasure channel has a weak locking capacity equal to zero, then it immediately follows from the results of Ref. [47] and our operational bounds in (18) and ( 19) that both the weak and strong locking capacities are non-additive.
Another intriguing question is the relationship between the strong locking and quantum identification capacities [53] of a quantum channel.Both seem to involve a weak form of coherent data transmission from a sender to receiver.FHS even established an explicit connection between locking using unitary encodings and quantum identification over a channel built out of the inverses of those unitaries [18].It is tempting to speculate that the single-letter formula for the amortized quantum indentification capacity found in Ref. [24] could thereby be recruited as a tool to study the locking capacity.
Proof.This result follows by exploiting the counterexample of Hastings [22] for the Holevo information formula.Let M 1 and M 2 be the channels from Hastings' counterexample, i.e., they satisfy χ(M 1 ⊗ M 2 ) > χ(M 1 ) + χ(M 2 ), ( where χ(N ) is the Holevo information of a channel N .We then construct our quantum wiretap channels M 1 and M 2 as N 1 (ρ) = M 1 (ρ) ⊗ σ E and N 2 (ρ) = M 2 (ρ) ⊗ σ E .Both channels are obviously degraded wiretap channels because the channel to the environment simply prepares a constant state σ E .Also, there is no dependence of the environment's output on the input state, so that the private informations of these channels reduce to Holevo informations: Thus, the inequality in the statement of the theorem follows from (62).
Theorem 35.The private information of a degraded quantum wiretap channel is additive when restricted to product state encodings.
Proof.First, consider that we can always restrict the optimization in the private information formula to be taken over pure input states whenever the quantum wiretap channel N A→BE is degraded.Indeed, consider the extension state where we are using a spectral decomposition for each state ρ x : The first equality is from the chain rule for mutual information.The first inequality follows by exploiting the degrading condition and from the fact that X is classical.The final inequality follows by considering XY as a joint classical system, so that the private information of the channel can only be larger than I(XY ; B) − I(XY ; E).Now consider an isometric extension U A→BEF of a quantum wiretap channel N A→BE .By using the fact that the private information is optimized for pure state ensembles, we can always rewrite it as where in the second line we used the fact that H(E|X) = H(BF |X) for pure-state ensembles.Now we show the additivity property for product-state ensembles.Consider the following state on which we evaluate information quantities: where we are restricting the signaling states to be product and without loss of generality we can take them to be pure as shown above.Consider that The first equality follows from the identity in (64).The second equality follows from entropy identities.The first inequality follows from the degraded wiretap channel assumption, so that I(B 1 ; B 2 ) σ − I(E 1 ; E 2 ) σ ≥ 0 and by applying strong subadditivity of entropy [35] three times to get that H(F 1 F 2 |B 1 B 2 X) ≤ H(F 1 |B 1 X) + H(F 2 |B 2 X).The last equality follows from the identity in (64) and the fact that we are restricting to product-state signaling ensembles.

W
(N )  does not depend on the secret key used in a given locking protocol.Theorem 10.The weak locking capacity L W (N ) of a quantum channel N is upper bounded by the regularization of L (u)