This protocol [1]  implements the task of private quantum communication, also known as a private quantum channel. It allows a sender and a receiver who share a uniformly random classical secret key to transmit an arbitrary quantum state over an insecure quantum channel in such a way that an eavesdropper learns no information about the transmitted state.

Private Quantum Channels and the Cost of Randomizing Quantum Information

The quantum one-time pad is the quantum analogue of the classical one-time pad. Two parties, Alice and Bob, first share a uniformly random classical secret key. To send a quantum message, Alice uses this key to choose, independently for each qubit, whether to apply bit-flip and phase-flip operations before sending the state to Bob.

Because the key is random and unknown to an eavesdropper, the transmitted quantum system looks completely random to anyone who does not know the key. After receiving the encrypted state, Bob uses the same shared key to undo the applied operations and recover the original quantum message exactly.

The protocol is simple, information-theoretically secure, and is often used as a basic subroutine inside larger quantum cryptographic protocols.

• Alice and Bob share a secret uniformly random classical key of length $2n$ before the protocol starts.
• There is an insecure quantum channel from Alice to Bob.
• Alice and Bob know the ordering of the transmitted qubits.
• Alice and Bob can reliably apply single-qubit Pauli operations $X$ and $Z$.
• The secret key is used only once.

• Network stage: prepare-and-measure quantum communication.
• Shared resource: a pre-shared classical secret key of length $2n$ to encrypt an $n$-qubit state.
• Parties capabilities:
  • preparation of $n$-qubit states (not necessarily entangled),
  • application of single-qubit Pauli gates,
  • Storage of quantum states for the period of decoding.
• Benchmark values:
  • perfect encryption of $n$ qubits requires exactly $2n$ uniformly random secret bits,
  • One pair of classical key bits is consumed per transmitted qubit.
• Remarks: No entanglement, measurements, or classical interaction during the encryption/decryption stage are required.

$n$: number of qubits in the message.
$\\\rho$: the $n$-qubit input state to be encrypted.
$a,b \\\in {0,1}^n$: two $n$-bit strings forming the secret key.
$k=(a,b) \\\in {0,1}^{2n}$: the full secret key.
$a_i,b_i$: the two key bits associated with qubit $i$.
$X$ and $Z$: the standard Pauli operators.
$X^a Z^b$: shorthand for the tensor-product Pauli operator $X^a Z^b := \\\bigotimes^n_{i=1} X^{a_i} Z^{b_i}$
$\\\rho_k$: the encrypted state corresponding to key $k$.
$\\\mathbb{I}_{2^n}$: identity operator on $n$ qubits.

• Correctness: for every key $k=(a,b)$,
  $$
  \\\operatorname{Dec}_k(\\\operatorname{Enc}_k(\\\rho))=\\\rho.
  $$
• Perfect secrecy (information-theoretic): averaging over the uniform key makes the ciphertext independent of the input state,
  $$\\\frac{1}{4^n}\\\sum_{a,b \\\in \\\{0,1\\\}^n} X^a Z^b \\\rho Z^b X^a = \\\frac{I_{2^n}}{2^n}.$$
  Hence an adversary without the key obtains no information about $\\\rho$.
• Key length optimality: perfect encryption of an arbitrary $n$-qubit state requires $2n$ bits of shared secret key.
• Efficiency: the protocol uses only local single-qubit Pauli gates and one use of the quantum channel.

Input: an $n$-qubit state $\\\rho$ held by Alice, and a shared secret key $k=(a,b)\\\in\\\{0,1\\\}^{2n}$ shared by Alice and Bob.
Output: Bob recovers $\\\rho$.

1. Key sharing
   1. Alice and Bob share two uniformly random strings $a,b \\\in \\\{0,1\\\}^n$.
   2. For each qubit $i$, the pair $(a_i,b_i)$ determines which Pauli correction is used.
2. Encryption
   1. Alice encrypts the message state by applying $P_k$:
      $$\\\rho_k = P_k \\\rho P_k^\\\dagger.$$
      where the encryption unitary is:
      $$
      P_k = X^a Z^b = \\\bigotimes_{i=1}^n X^{a_i} Z^{b_i}.
      $$
   2. Alice sends the encrypted state $\\\rho_k$ to Bob over the quantum channel.
3. Decryption
   1. Bob receives $\\\rho_k$.
   2. Using the shared key $k=(a,b)$, Bob applies the inverse operator $P_k^\\\dagger$.
   3. Bob recovers the original state: $P_k^\\\dagger \\\rho_k P_k = \\\rho$

No standalone experimental implementation has been added here. In practice, the quantum one-time pad is most often used as a basic subroutine within larger protocols rather than as a standalone communication task.

• The quantum one-time pad is also commonly called a private quantum channel.
• It is the exact quantum analogue of the classical one-time pad, but encrypting one qubit requires two classical secret bits rather than one.
• Approximate variants of private quantum channels can reduce the key length if a small information leak is allowed.
• The protocol extends naturally to qudits by replacing Pauli operators with generalised Pauli operators.

1. Ambainis, Andris, Michele Mosca, Alain Tapp, and Ronald de Wolf. “Private Quantum Channels and the Cost of Randomizing Quantum Information.” arXiv preprint quant-ph/0003101 (2000).
2. Ambainis, Andris, and Adam Smith. “Small Pseudo-Random Families of Matrices: Derandomizing Approximate Quantum Encryption.” arXiv preprint quant-ph/0404075 (2004).