Quantum cryptographic resource distillation and entanglement

We look into multipartite quantum states on which quantum cryptographic protocols including quantum key distribution and quantum secret sharing can be perfectly performed, and define the quantum cryptographic resource distillable rate as the asymptotic rate at which such multipartite state can be distilled from a given multipartite state. Investigating several relations between entanglement and the rate, we show that there exists a multipartite bound entangled state whose quantum cryptographic resource distillable rate is strictly positive, that is, there exists a multipartite entangled state which is not distillable, but can be useful for quantum cryptography such as quantum key distribution and quantum secret sharing.


Results
QCR states. Assume that there are one dealer and N players who participate in a quantum cryptographic protocol, and let D =D D be the dealer's quantum system with two subsystems D of d dimension and D of arbitrary dimension in the protocol. Similarly, for each 1 ≤ i ≤ N , let A i =Ā i A i be the i-th player's quantum system with subsystems Ā i of d dimension and A i of arbitrary dimension. Throughout this paper, we denote Ā 1 · · ·Ā N and A 1 · · · A N by Ā and A , respectively, and denote Ā A by A . The systems Ā and A are called the information part and the shield part, respectively.
In order to perform the quantum cryptographic protocol, the dealer's and players' information should satisfy the following cryptographic conditions: (i) The probability distributions of the dealer's and all players' information must be unbiased and perfectly correlated. (ii) An eavesdropper and dishonest players cannot get any information about the dealer's information.
(iii) The dealer and any subset of players can perform the same protocol with smaller number of parties after properly applying LOCC.
When N = 1 , if the dealer and the player share the private states [3][4][5] , or when N ≥ 2 , if the dealer and the players share the genuine secret sharing states 7 , then the above three conditions are surely satisfied. However, since any player can be a dealer in the private states and the (genuine) secret sharing states, considering the case where the dealer is predetermined is more general than those in the private states and the (genuine) secret sharing states, Thus, we introduce the class of quantum states suitable for the case where the dealer is determined in advance. Theorem 2 tells us that from a given QCR state, a QCR state on any smaller number of players and the dealer as well as a private state between any player and the dealer can be shared by LOCC, as seen in the Fig. 1. In other words, Theorem 2 implies that any QCR state satisfies the cryptographic condition (iii).
(1) By Theorem 3, we can see that a larger QCR state can be obtained from two different QCR states with the same dealer party as seen in the Fig. 2. Furthermore, we note that the private state is considered as a QCR state with one dealer and one player. Hence, by mathematical induction, we have the following corollary.   www.nature.com/scientificreports/ QCR distillable rate and bound entangled states. Before defining the QCR distillable rate, we look at the distillable entanglement and the distillable key rate. Let m AB and γ m ABA ′ B ′ be denoted by the maximally entangled state with m = log dim(A) = log dim(B) and the private state with m = log dim(A) = log dim(B) , respectively, where dim(·) is the dimension of the system. The distillable entanglement E D is defined as the rate at which maximally entangled states can be distilled under LOCC 10 , that is, where A:B is an LOCC protocol between Alice and Bob. Similarly, the distillable key rate K D is defined as the rate at which private states can be distilled under LOCC 3,5 , that is, Since we can define the QCR distillable rate for any state in a similar way to the above definitions, from the definition, we can know how many copies of the given state are required to asymptotically distill a QCR state through LOCC. The QCR distillable rate CR D of a given multipartite quantum state ρ DA is defined as where is the dealer's and all players' LOCC operation, and ϒ m DA denotes a QCR state whose information part Let us now investigate the connection between the distillable key rate and the QCR distillable rate. It follows from Theorem 2 that for any bipartite split {P 1 , P 2 } of the players A = P 1 P 2 . In addition, by Theorem 3, we have the following theorem.  Corollary 6 implies that if each ρ D i A i has a positive distillable key rate, then N i=1 ρ D i A i has a positive QCR distillable rate. We note that if each ρ D i A i is a bipartite state with positive partial transposition (PPT), then N i=1 ρ D i A i is also an (N + 1)-partite state with PPT, since it is a PPT state with respect to any bipartite split of DA with one dealer D = D 1 D 2 · · · D N and N players A = A 1 A 2 · · · A N . Hence, we can readily construct multipartite PPT bound entangled states with positive QCR distillable rate from bipartite PPT bound entangled states with positive distillable key rate, which are presented in References 5,9 . Therefore, we can finally present our theorem showing the existence of such states as follows.

Discussion
We have defined the QCR state with a dealer party, and have shown that a given multipartite quantum state is a QCR state if and only if the two cryptographic conditions on the state hold. We have also defined the QCR distillable rate of a given multipartite state, and have presented several important properties on the QCR distillable rate. In the sequel, we have presented how to construct a QCR distillable state with larger number of parties from several QCR distillable states. Moreover, we have proved that there exist multipartite bound entangled states which are QCR distillable. This result implies that there exists a multipartite quantum state on which a dealer and players can perform one of several kinds of quantum cryptographic protocols to some extent, and from which they cannot distill any bipartite nor multipartite entanglement by LOCC. Hence, we can conclude that any bipartite or multipartite distillable entanglement is not necessarily required for quantum cryptography.
The QCR states that we have dealt with in this paper have one specific dealer party. Thus several kinds of perfectly secure classical communication feasible on the quantum state can be performed between the dealer party and any number of players. Therefore, the QCR state can be considered as a resource unit in quantum www.nature.com/scientificreports/ cryptographic theory, and hence we could construct the quantum cryptographic network consisting of the QCR states instead of the bipartite maximally entangled states or the private states.

Methods
Proof of Theorem 1. This proof is almost the same as that of the theorem related to the genuine secret sharing state in Reference 7 . The details are as follows. Let us consider the state which is a purification of ρ DA . Assume that the dealer and players can have cryptographic information that satisfies the cryptographic condition (i) by measuring the information part of ρ DA . Then we have p I = 1/d N for I ∈ S 0 N+1 and p I = 0 for I / ∈ S 0 N+1 . Regarding the condition (ii), we first take account of the worst case that all players except one player, say A k , are dishonest. Then the subsystem Ā ′ =Ā 1 · · ·Ā k−1Āk+1 · · ·Ā N is the information part of the dishonest players.
Let i be the dealer's measurement outcome. Then the eavesdropper and dishonest players' state after measurement becomes if reordering the systems. From the cryptographic condition (ii), we have γ for any i, i ′ ∈ Z d . It follows from the Hughston-Jozsa-Wootters theorem 11 Let {P 1 , P 2 } be an arbitrary bipartite split of the players with P 1 consisting of at least one player and A = P 1 P 2 . Without loss of generality, we may assume that P 1 = A 1 · · · A M and P 2 = A M+1 · · · A N . Then by Eq. (13), it can be shown that if and j t ≡ i + i 1 + · · · + i t (mod d) . Let tr D A (|ψ 00···0 ��ψ 00···0 |) = x x |η x � E �η x | be its spectral decomposition. Then we have for some unitary operators U iI 1 and orthonormal set {|φ x �} for the system D A . Therefore, ρ DA is of the form in Eq. (1).
Conversely, assume that ρ DA has the form in Eq. (1). Then it can be readily shown that players have cryptographic information that obeys the cryptographic condition (i) after measuring their information parts in the computational basis.
We now show that players' cryptographic information satisfies the condition (ii). Suppose that {P 1 , P 2 } is a bipartite split of the players A = P 1 P 2 with P 1 consisting of at least one player and P 2 representing K dishonest players. Let σ D A = x κ x |µ x � D A �µ x | be a spectral decomposition of σ D A , and let where {|ν x �} forms an orthonormal set for the eavesdropper's system E. Then the state is a purification of ρ DA . If the dealer has the measurement outcome i after measuring the dealer's information part in the computational basis, then the quantum state of dishonest players and eavesdropper after the measurement becomes P 2 E for any i, j ∈ Z d , dishonest players and eavesdropper cannot get any information about the dealer's cryptographic information. www.nature.com/scientificreports/ Proof of Theorem 2. The proof of Theorem 2 is also similar to that of the theorem associated with the genuine secret sharing states in Reference 7 . However, we here present its simple proof compared to that in Reference 7 as follows. Without loss of generality, we may assume that P 1 = A 1 · · · A M and P 2 = A M+1 · · · A N . Let ϒ DA be an (N + 1) -party QCR state shared by a dealer and N players. Since ϒ DA has the form in Eq. (1), if let I 2 ∈ S β N−M be the measurement outcomes for some β when players P 2 measure their information parts in the computational basis, then the resulting state of the dealer D and the players P 1 after the measurement becomes where σ D P 1 = tr P 2Ṽ We note that unitary operators on the shield part of the state ϒ DA can be expressed as in Eq. (14), and it can be easily shown that WDϒ Therefore, if the players P 2 announces the value β , then the dealer D and the players P 1 can share the (M + 1)-party QCR state after applying the unitary operator W on the dealer's information part. We remark that if the dealer and all players measure their information part D AĀB in the computational basis, then they have cryptographic information that satisfies the cryptographic condition (i). In order to show that the cryptographic information obeys the cryptographic condition (ii), we consider the worst case as in the proof of Theorem 1. Let us assume that the dealer measures the information part D A , and let i be the dealer's measurement outcome. By tracing out the system D ADB D A D B of the resulting state, we have Let us now consider the situation where all players except the dealer and one player are dishonest as the worst case. Without loss of generality, we may assume that the honest player is A 1 , by symmetry. When N ≥ 2 , after tracing out the system A 1 , the dishonest players and eavesdropper's state becomes www.nature.com/scientificreports/ where Î = i 2 · · · i L ∈ Z L−1 d for I = i 1 i 2 · · · i L ∈ Z L d and Â =Ā 2 · · ·Ā L for Ā =Ā 1Ā2 · · ·Ā L . Since ϒ D A A is a QCR state, for any α, β ∈ Z d and Î ,Î ′ ∈ S α−β N−1 . Hence, the state in Eq. (27) can be rewritten as We can here see that the state in Eq. (29) is independent on the dealer's measurement outcome i. In other words, the dealer's cryptographic information is perfectly secure against the dishonest players and any exterior eavesdropper, which implies that the dealer's and all players' cryptographic information satisfies the cryptographic condition (ii). Now assume that N = 1 , that is, A = A 1 . Then the state of the dishonest players B and eavesdropper E A E B after the dealer's measurement is where the dealer's measurement outcome is i. Since for all α ∈ Z d , the state in Eq. (30) does not depend on the measurement outcome i, and hence the cryptographic information is perfectly secure against the dishonest players and any exterior eavesdropper.
Let |ϒ� DABE be the pure state in Eq. (25), which is the resulting state after the dealer applies the unitary operator cXD ADB on the system D ADB in the state |ϒ� D A AE A ⊗ |ϒ� D B BE B , where D = D A D B and E = E A E B . Then, for any cases, the cryptographic information from the state |ϒ� DABE obeys the cryptographic conditions (i) and (ii). Therefore, the state cXD ADB ϒ D A A ⊗ ϒ D B B cX † By the telescoping property of the trace distance 12,13 , that is, we can see that the lower bound on CR D ρ D A A ⊗ ρ D B B in Eq. (32) is also lower bounded by which is greater than or equal to both CR D ρ D A A and CR D ρ D B B . This completes the proof, that is,