We consider the problem of semantic security via classical-quantum and quantum wiretap channels and use explicit constructions to transform a non-secure code into a semantically secure code, achieving capacity by means of biregular irreducible functions. Explicit parameters in finite regimes can be extracted from theorems. We also generalize the semantic security capacity theorem, which shows that a strongly secure code guarantees a semantically secure code with the same secrecy rate, to any quantum channel, including the infinite-dimensional and non-Gaussian ones.

## I. INTRODUCTION

We investigate the transmission of messages from a sending party to a receiving party through a wiretap channel. In this model, there is a third party called an eavesdropper who must not be allowed to know the information sent from the sender to the intended receiver. The wiretap channel was first introduced by Wyner in Ref. 1. A classical-quantum channel with an eavesdropper is called a classical-quantum wiretap channel.

The secrecy capacity of the classical-quantum wiretap channel subject to the strong security criterion was determined in Refs. 2 and 3. Strong security means that given a uniformly distributed message sent through the channel, the eavesdropper shall obtain no information about it. This criterion goes back to Refs. 4 and 5, and it is the most common secrecy criterion in classical and quantum information theory.

In the present paper, however, a stronger security requirement will be applied, called semantic security (and defined in Sec. III). With this, the eavesdropper gains no information regardless of the message distribution. This criterion was introduced to information theory from cryptography^{6} and also used earlier in Quantum Key Distribution (QKD) in Ref. 7, Theorem 2, motivated by the analogous security criterion of the same name. It is equivalent to message indistinguishability, where the eavesdropper cannot distinguish whether the given cipher text is an encryption of any two messages (which can even be chosen by the eavesdropper). Aside from being the minimum security requirement in practical applications, semantic security is also necessary in the security of identification codes.^{8} Because in identification pairs of messages are compared to each other, to make the code secure, any two messages must be indistinguishable at the eavesdropper.^{9} Message indistinguishability is, thus, necessary to construct secure identification codes, and the semantic security achieved in this paper can, thus, be used to construct secure identification codes via classical-quantum channels.^{10} At the same time but on a different note, bounds on identification find application on transmission via the wiretap channel.^{11} Further results and references can be found in Ref. 12.

In Sec. IV, we prove the well-known semantic-secrecy capacity formula, which is equal to the capacity formula under the strong security criterion, for the most general case of arbitrary, including the infinite-dimensional channel, under the most stringent semantic security criterion (in terms of mutual information). This can be easily shown by slightly modifying the expurgation method,^{12} whereby a code that has a small leakage with respect to the strong security criterion is converted into a code that has a small leakage with respect to the semantic security leakage, making the strong and semantic secrecy capacities equal. This statement was at first proven for classical wiretap channels in Ref. 14 and for finite-dimensional classical-quantum channels in Ref. 15 and with security measured in the trace norm in Ref. 16. Note that that the expurgation technique given in Ref. 12 works for any channels, including the infinite-dimensional channel and even non-Gaussian ones. The results for the classical-quantum channel extend to quantum channels where the environment, which is completely under the control of a constant eavesdropper, can be entangled with the quantum system.

The proofs applying the expurgation technique are merely existence statements and give no clue as to how to find the large message subset, which provides semantic security. In Sec. V, we show how the capacity can be achieved by modularly correcting transmission error and amplifying privacy in separate components of the code as for the case of strong secrecy.^{17} While we make the proof for finite-dimensional channels, the codes also automatically achieve capacity for quantum Gaussian wiretap channels since the capacity is achieved as the limit of the capacities on finite-dimensional subspaces of the increasing dimension.^{18} These modular codes for the classical-quantum wiretap channel are constructed, concatenating an ordinary transmission code for the channel from the sender to the intended receiver with an additional security component. Furthermore, the additional security component is independent of the channel (sometimes called channel universality^{15}) as for the case of explicit strong-secrecy constructions. The first such security components used in the literature were universal hash functions,^{17,19} used to achieve strong secrecy. The specific security components we use, called biregular irreducible (BRI) functions, were introduced in Ref. 14 in the context of classical wiretap channels. A modular code for the classical-quantum wiretap channel is illustrated in Fig. 1.

If a transmission code from the sender to the intended receiver with input/output set $C$ is given, then a BRI function that is to be used with this transmission code has the form $f:S\xd7C\u2192N$. Here, $S$ is a seed set, and the set $M$ of messages of the modular wiretap code is an explicitly given subset of $N$. To use this modular code, the sender and the intended receiver have to share a seed $s\u2208S$, chosen uniformly at random from $S$. Given any message $m\u2208M$ and seed *s*, the sender randomly chooses a preimage $c\u2208C$, satisfying *f*_{s}(*c*) = *m*. Since the intended receiver knows *s*, the receiver can recover *m* if no transmission error occurs. Thus, the task of establishing reliable transmission is entirely due to the transmission code, while the BRI function’s responsibility is to ensure semantic security. The above modular construction was already shown to achieve the secrecy capacity of classical wiretap channels with semantic security in Ref. 14. An alternative to BRI functions was proposed by Hayashi and Matsumoto.^{15} Their example, however, requires a seed, which is longer than that which is necessary for the best-known BRI function. The length of the seed is relevant for the efficiency of the derandomized codes at finite regimes.

We emphasize that the seed is not a secret key since we do not require it to be unknown to the eavesdropper. The main part of the analysis of the above modular codes assumes that the seed is given (non-securely) to the sender and the intended receiver by common randomness. However, it is a general result for codes with common randomness that if the error probability and security leakage decrease sufficiently fast in block length, the seed can be reused a small number of times. Modular codes constructed using BRI functions show this behavior. Therefore, no more than a negligible amount of rate is lost if the sender generates the seed and transmits it to the intended receiver and, then, reuses the seed a small number of times. In particular, any rate that is achievable with a seed given by common randomness is also achievable with a sender-generated seed.

Moreover, we would like to emphasize that the semantic secrecy for classical-quantum channels is much harder than for classical channels. Roughly speaking, two different inputs not only result in two different random variables, but the outputs also have different eigenspaces, so it is more difficult to make them indistinguishable. For instance, Corollary 5.10 delivers a bound that is technically weaker than the classical version of Ref. 14 (see below).

## II. BASIC NOTATIONS AND DEFINITIONS

*H*, we denote the set of linear operators on

*H*with $L(H)$. Let $\rho ,\sigma \u2208L(H)$ be Hermitian operators in $L(H)$. We say

*ρ*≥

*σ*, or, equivalently,

*σ*≤

*ρ*, if

*ρ*−

*σ*is positive-semidefinite. The (convex) space of density operators on

*H*is defined as

_{H}is the null matrix on

*H*. Note that any operator in $S(H)$ is bounded. A POVM (positive-operator valued measure) over a finite set $M$ is a collection of positive-semidefinite operators $Dm:m\u2208M$ on

*H*, which is a partition of the identity, i.e., $\u2211m\u2208MDm=idH$. The POVM describes a measurement that maps quantum states

*ρ*to classical values $m\u2208M$ by assigning them the probability tr[

*ρD*

_{m}]. If $\u2211m\u2208MDm\u2264idH$, then we call $Dm:m\u2208M$ a sub-POVM. More generally, a measurement operator will be any positive semi-definite operator

*D*satisfying 0 ≤

*D*≤ id

_{H}.

*X*, on a finite set $X$, we denote the Shannon entropy of

*X*by

*h*(

*ν*) ≔ −

*ν*log

*ν*− (1 −

*ν*)log(1 −

*ν*) for

*ν*∈ [0, 1] the binary entropy.

*ρ*and

*σ*be two positive semi-definite operators not necessarily in $S(H)$. The quantum relative entropy between

*ρ*and

*σ*is defined as

*supp*(

*ρ*) ⊂

*supp*(

*σ*) and

*D*(

*ρ*‖

*σ*) ≔ ∞ otherwise. For

*α*∈ (0, 1) ∪ (1, ∞), the Rényi relative entropy

^{23}between

*ρ*and

*σ*is defined as

*supp*(

*ρ*) ⊂

*supp*(

*σ*) and

*D*

_{α}(

*ρ*‖

*σ*) ≔ ∞ otherwise. The Rényi relative entropy satisfies the ordering relation or parameter monotonicity,

*ρ*and

*σ*and any

*α*≤

*α*′.

^{24,25}Furthermore, it holds

^{23}that

*α*≤ 2,

^{25–27}namely, under completely positive trace preserving linear maps Λ,

*H*and

*H*′, a

**quantum channel**

*N*(

*ρ*) is represented by a completely positive trace-preserving linear map $N:L(H)\u2192L(H\u2032)$, which accepts input quantum states in $S(H)$ and produces output quantum states in $S(H\u2032)$. Quantum channels will be treated in Sec. III D, building on the results for classical-quantum channels. The case of classical-quantum channels will be treated in Secs. III–V. For a finite-dimensional complex Hilbert space

*H*, a

**classical-quantum channel**is a map $V:X\u2192S(H)$,

*x*↦

*V*(

*x*). In order to use the same notation common in classical information theory, for a measurement operator 0 ≤

*D*≤ id

_{H}, we define the following notation:

*C** algebra literature, where quantum states are considered functionals on Hermitian operators.

*P*and a classical-quantum channel

*V*on $X$, the Holevo

*χ*quantity, or Holevo information, is defined as

*X*be the random variable on $X$ with distribution

*P*; then, the Holevo information is the quantum mutual information

*I*(

*X*∧

*V*(

*X*)) for the state

## III. STRONG AND SEMANTIC SECURITY

In this section, we introduce the channels, codes, and capacities, which we will study, as well as the definitions for strong secrecy and semantic security with and without common randomness. In Sec. V, we will show how to explicitly build such codes using modular coding schemes, which require common randomness. For now, let us define the channels of interest.

*Let* $X$ *be a finite set and* *H* *and* *H*′ *be finite-dimensional complex Hilbert spaces. Let* $W:X\u2192S(H)$ *and* $V:X\u2192S(H\u2032)$ *be classical-quantum channels. We call the pair* (*W*, *V*) *a* *classical-quantum wiretap**channel**.*

The intended receiver accesses the output of the first channel *W*, and the eavesdropper observes the output of the second channel *V* in the pair.

### A. Codes

*H*and

*H*′, and a classical-quantum wiretap channel (

*W*,

*V*) from $X$ to

*H*and

*H*′. Just like for the notation

*PV*for a channel $V:X\u2192S(H)$ and a probability distribution

*P*over $X$, we define

*EV*for a classical channel $E:M\u2192P(X)$,

*m*↦

*E*

_{m}≡

*E*(·|

*m*) as

*D*, we have two ways of writing the output probability, given

*m*, namely,

*E*

_{m}

*V*(

*D*) and

*EV*(

*D*|

*m*).

*(code, error, and leakage). An*$(n,|M|)$

*code for*(

*W*,

*V*)

*is a finite set*

*where the stochastic encoder*$E:M\u2192P(Xn)$

*is a classical channel and the decoder operators*$Dm:m\u2208M$

*form a sub-POVM on*

*H*

^{⨂n}.

*We assume that the POVM is completed by associating the measurement operator*$idH\u2212\u2211m\u2208MDm$

*with the error/abortion symbol of the decoder.*

*The (maximum) error (probability) of*$C$

*is defined as*

*where*$Dmc\u2254idH\u2a02n\u2212Dm$

*. For any random variable*

*M*

*over the messages*$M$

*, the leakage of*$C$

*with respect to*

*M*

*is defined as*

Note that we have chosen maximum rather than average transmission error; the reason is that as we allow the probability distribution to be arbitrary, the correctness and not just the secrecy of the message should also be guaranteed independently of the input distribution. Maximum error is the counterpart to measuring the leakage via maximum indistinguishability between the messages [generally via the trace distance (Ref. 12, Sec. II-E) or statistical distance for classical channels].

Observe that we consider codes with stochastic encoders as opposed to deterministic codes. In a deterministic code, the encoder is deterministic, namely, in Definition 3.2 instead of a family of probability distributions ${Em}m\u2208M$, the encoder consists of a family of *n*-length strings of symbols $cmm\u2208M\u2286Xn$.The deterministic encoder can be obtained as a special case of the stochastic encoder by imposing that every probability distribution *E*_{m} is deterministic. For message transmission over an ordinary classical-quantum channel and even for the most general case of robust message transmission over an arbitrarily varying classical-quantum channel, it is enough to use deterministic encoders.^{28,29} However, for secret message transmission over wiretap channels, we need to use stochastic encoders.^{2,3}

Now, we will define the coding scheme where both the sender and the receiver have access to common randomness. We do not require this common randomness to be secure against eavesdropping. Effectively, the common randomness simply decides which among a set of classical-quantum codes from Definition 3.2 will be used.

*(common-randomness code, error, and leakage). An*$(n,|S|,|M|)$

*common-randomness code for*(

*W*,

*V*)

*is a finite subset*

*of the set of*$(n,|M|)$

*codes from Definition*3.2

*, labeled by a finite set*$S$

*.*

*Let*

*S*

*, the seed, be a uniform random variable over*$S$

*. The (expected) error of*$Cs:s\u2208S$

*is defined as*

*For any random variable*

*M*

*over the messages independent of*

*S*

*, the leakage of*$Cs$

*with respect to*

*M*

*is defined as*

*S*and

*M*, the leakage can be written as conditional mutual (or Holevo) information between the message

*M*and the output conditioned on the seed

*S*,

The random seed should not be confused with the randomness of the stochastic encoder. In the stochastic encoder, only the sender, but not the receiver, randomly chooses a code word to encode a message *m* according to the probability distribution *E*_{m}. In the subsequent definitions of achievable rates, the receiver should be able to decode *m* even when the receiver only knows *E*_{m}, but not which code word is actually chosen by the sender. In contrast, a randomly chosen seed *s* determines a stochastic encoder *E*^{s} for the sender and a set of decoder operators ${Dms:m\u2208M}$ for the receiver. Correctness is required only for the case that *s* is known to both the sender and the receiver and that they use the encoder and decoder prescribed by *s*.

### B. Capacities

Next, we define the strong and semantic secrecy rates, which can be achieved by the codes introduced in Subsection III A. A good code reliably conveys private information to the intended receiver such that the wiretapper’s knowledge of the transmitted information can be kept arbitrarily small in terms of the corresponding secrecy criterion.

*(strong secrecy). A code*$C=(Em,Dm):m\u2208M$

*is an*(

*n*,

*R*,

*ϵ*)

*strong secrecy code for*(

*W*,

*V*)

*if*

*where*

*U*

*is the uniform distribution on*$M$

*.*

*R* *is an achievable strong secrecy rate if for every* *ϵ* > 0 *and sufficiently large* *n**, there exists an* (*n*, *R* − *ϵ*, *ϵ*) *strong secrecy code. The strong secrecy capacity* *C*_{strong}(*W*, *V*) *is the supremum of all achievable strong secrecy rates of* (*W*, *V*)*.*

*(common-randomness strong secrecy). A common-randomness code*$Cs=(Ems,Dms):m\u2208M:s\u2208S$

*is an*(

*n*,

*R*,

*ϵ*)

*common-randomness strong secrecy code for*(

*W*,

*V*)

*if*

*where*

*U*

*is the uniform distribution on*$M$

*.*

*R* *is an achievable common-randomness strong secrecy rate if for every* *ϵ* > 0 *and sufficiently large* *n**, there exists a* (*n*, *R* − *ϵ*, *ϵ*) *common-randomness strong secrecy code. The common-randomness strong secrecy capacity* *C*_{strong}(*W*, *V*; *cr*) *is the least upper bound of all achievable common-randomness strong secrecy rates of* (*W*, *V*)*.*

Strong secrecy, i.e., the requirements of Eqs. (7) and (10), is the secrecy criterion, which has been used mostly in information-theoretic security until the introduction of semantic security in Ref. 6. It provides secrecy if the message random variable is uniformly distributed. Inspired by cryptography, the authors of Ref. 6 introduced semantic security, where the eavesdropper shall not obtain any information regardless of the probability distribution of the message. This is also the reason why we use the maximum instead of the average transmission error. Semantic security and indistinguishability for the classical-quantum channels were first considered in Ref. 12. Here, we state the semantic security definitions.

*(semantic secrecy). A code*$C=(Em,Dm):m\u2208M$

*is an*(

*n*,

*R*,

*ϵ*)

*semantic secrecy code for*(

*W*,

*V*)

*if*

*where*

*M*

*is any random variable over the messages*$M$

*.*

*R* *is an achievable semantic secrecy rate if for every* *ϵ* > 0 *and sufficiently large* *n**, there exists a* (*n*, *R* − *ϵ*, *ϵ*) *semantic secrecy code. The semantic secrecy capacity* *C*_{sem}(*W*, *V*) *is the supremum of all achievable semantic secrecy rates of* (*W*, *V*)*.*

*(common-randomness semantic secrecy). A common-randomness code*$Cs=(Ems,Dms):m\u2208M:s\u2208S$

*is an*(

*n*,

*R*,

*ϵ*)

*common-randomness semantic secrecy code for*(

*W*,

*V*)

*if*

*where*

*M*

*is any random variable over the messages*$M$

*.*

*R* *is an achievable common-randomness semantic secrecy rate if for every* *ϵ* > 0 *and sufficiently large* *n**, there exists a* (*n*, *R* − *ϵ*, *ϵ*) *common-randomness semantic secrecy code. The common-randomness semantic secrecy capacity* *C*_{sem}(*W*, *V*; *cr*) *is the supremum of all achievable common-randomness semantic secrecy rates of* (*W*, *V*)*.*

Note that since the leakage of the common-randomness codes in Eq. (3) is computed against the state at the wiretap and the seed, bounding the leakage in the common-randomness capacities implies bounding the information about the key carried by the seed. Thus, the common randomness is not required to be secure against eavesdropping since Eqs. (10) and (16) impose that the seed carries no information, and thus, it is considered to be public.

### C. Derandomization

Derandomization is a standard and widely used technique in information theory, already used by Ahlswede in Ref. 30. As a final result, in this section, we apply the derandomization technique to good common-randomness semantic-security codes, namely, we construct a semantic-security code without common randomness using a transmission code and a common-randomness semantic-security code with appropriate error scaling. These derandomized codes will essentially be able to produce the common randomness needed to run the common-randomness codes using an asymptotically small number of copies of the channel. The proof mimics the classical case showed in Ref. 14.

A simple idea that uses too many channels to generate the seed, however, is to alternate transmission codes and common-randomness semantic-secrecy codes, use the transmission code to generate the seed, and use it only once in the common randomness semantic-security code. Depending on the size of the required seed, this may result in too many channels used just for the seed. The solution is to simply reuse the seed, thus reducing the total size of $|S|$ by sharing the same $s\u2208S$ for *N* common-randomness codes. We, thus, need to build (*N* + 1)-tuple of codewords as the new codewords. Each tuple is a composition of a first codeword that generates the common-randomness and *N* common randomness-assisted codewords to transmit the messages to the intended receiver. We start by defining such codes.

*(derandomizing codes). Let* $n,n\u2032,N\u2208N$*.*

Let $Es\u2032,Ds\u2032s\u2208S$

*be an*$(n\u2032,|S|)$*code.*- Let $Ems,Dms:m\u2208M:s\u2208S$
*be an*$(n,|S|,|M|)$*common-randomness code, and define*$M\u0304\u2254MN$,*and for any*$m\u0304\u2208M\u0304$,$Em\u0304s\u2254Em1s\u22c5\cdots \u22c5EmNsDm\u0304s\u2254Dm1s\u2a02\cdots \u2a02DmNs.$*We define their*$(n\u2032+nN,|M|N)$*derandomized code*$C\u0304$*to be the code (without common randomness) such that for any message*$m\u0304\u2208M\u0304$,*we have the following.* *The encoder samples from a uniform seed**S**and, then, conditioned on the values**s**use the Kronecker product encoder*$Es\u2032\u22c5Em\u0304s$*. Thus,*$E\u0304m\u0304\u2254ESES\u2032\u22c5Em\u0304S.$*The decoder for the message is the coarse graining of decoders over**s*,$D\u0304m\u0304\u2254\u2211s\u2208SDs\u2032\u2a02Dm\u0304s.$

Note that the random seed in the derandomizing code becomes part of the stochastic encoding process of the code. As we expect, the error and the leakage of the derandomizing code are not worse than the sum of the errors and leakage of all the codes used in the process. This can be easily proved by simply applying the standard techniques (cf. Refs. 31 and 32) for derandomization with uniform distributed inputs on derandomization with arbitrary distributed inputs. Note that the standard proof of security (cf. Ref. 32) is nothing more than applying the quantum data processing inequality (cf. Ref. 22) when we consider the derandomizing code as a function of its first part. Thus, this argument works for any input distribution. Nevertheless, we give a proof for the sake of completeness.

*Let* $C\u2032$ *be an* $(n\u2032,1n\u2032log|S|,\u03f5\u2032)$ *transmission code, and let* $Css\u2208S$ *be an* (*n*, *R*, *ϵ*) *common-randomness semantic-secrecy code. Let* $n\u0304\u2254n\u2032+nN$*; then, the* *N**-derandomized code* $C\u0304$ *is an* $(n\u0304,nNn\u0304R,\u03f5\u2032+\u03f5N)$ *semantic-secrecy code.*

The *N*-derandomized code has size $|M|N$; thus, the rate is $N\u2061log|M|/n\u0304\u2265nR/n\u0304$. We just need to bound the error and leakage of the new code.

*H*(

*XY*) ≤

*H*(

*X*) +

*H*(

*Y*) applied to $HEM\u0304EM\u0304SV\u2a02nN$ gives

Note that the argument works for any distribution of $M\u0304$; the single uses of the semantic-secrecy code do not need to have independent messages. This is usually a point of difference with the derandomization techniques used for strong secrecy. In strong secrecy, $M\u0304$ is only required to be uniformly distributed, which makes each *M*_{i} already independent and also uniformly distributed. This allows for an easier but not fully general argument since the leakage of the derandomized code is actually equal to the sum of the leakages of the single internal codes.

We will use the above in Sec. V to derandomize the explicit constructions of semantic secrecy codes.

### D. Quantum channels

The results from classical secret message transmission over classical-quantum channels can usually be carried over to fully quantum channels. Moreover, this is optimal in the sense that it is usually enough to just prepend a classical-quantum preprocessing channel to many copies of the quantum channel and, then, use the coding for the resulting classical-quantum channel. The extension to quantum channels reduces to simply proving Corollary 4.2, which is straightforward and uses quite general arguments. More precisely, since the encoding of classical messages for any quantum channel will need to map the classical messages to quantum states, the resulting effect at the sender is again a classical-quantum channel, and thus, we can reduce the analysis to what we have done so far for classical-quantum channels.

For classical and classical-quantum channels, the wiretap channel must be given in the sense that an assumption must be made about the output seen at the eavesdropper simply because the worst case scenario that the eavesdropper receives a noiseless copy of the input is always physically possible. This is not the case for quantum channels, where one of the aspects of no-cloning implies that a copy of the input quantum state cannot be made, and the worst case interaction with the environment can be deduced from the noise in the channel. Since there is a limit to the information that it is leaked to the environment, there is, thus, also a limit to the information of the eavesdropper, and we can then remove any assumption in that respect and identify the eavesdropper with the environment.^{3,33}

Let now $P$ and $Q$ be quantum systems, and let *W* be a quantum channel. We assume, as usual in the quantum setting, the worst case scenario, namely, that the environment $E$ is completely under the control of the eavesdropper, which is in contrast with the classical and classical-quantum setting where this worst case scenario does not allow for secrecy. This automatically defines the wiretap channel(*W*, *V*) for any given quantum channel *W* to the intended receiver. However, the results below work, in general, for any allowed pair of quantum channels (*W*, *V*) on the same input.

*A quantum wiretap channel from a sender* $P$ *to a receiver* $Q$ *with eavesdropper* $E$ *is a pair of complementary channels* (*W*, *V*)*, where* $W:S(HP)\u2192S(HQ)$ *and* $V:S(HP)\u2192S(HE)$ *are defined as* $W(\rho )=trEU\rho U*$ *and* $V(\rho )=trQU\rho U*$ *for some isometry* $U:HP\u2192HQ\u2a02HE$*.*

*Without the assumption that the eavesdropper might have full access to the environment, the treatment of the semantic secrecy capacity is still the same. In this case, the wiretap channel must be specified explicitly as* (*W*, *V*)*, where both* *W* *and* *V* *are quantum channels. However, not all pairs are allowed as* *V* *must be a channel that can be recovered from the environment. The generalization is that* *W* *and* *V* *must be of the form* $W=trERU\rho U*$ *and* $V=trQRU\rho U*$*, where now the isometry* $U:HP\u2192HQ\u2a02HE\u2a02HR$ *maps to three systems, the intended receiver, the eavesdropper, and an environment not in possession of the eavesdropper.*

We can transmit both classical and quantum information over quantum channels. For the transmission of classical information via a quantum channel, we first have to convert a classical message into a quantum state. We assume that the states produced in the input system are constructed depending on the value of $x\u2208X$, where $X$ is a finite set of letters. Let, thus, $F:X\u2192S(HP)$ be this classical-quantum channel. The composition with a quantum channel *W* defines the classical-quantum channel $W\u25e6F:X\u2192S(HQ)$; to keep a consistent notation, we define *FW* ≡ *W*◦*F*. With this notation, the definitions present only minimal changes in comparison to the classical-quantum wiretap channels above. A code for the quantum channels now simply needs to input quantum states instead of classical values.

*An* $(n,|M|)$ *quantum code for a quantum channel* *W* *consists of a finite set* $C=Em,Dm:m\u2208M$*, where the stochastic encoder* $E:M\u2192S(HP\u2a02n)$ *is a classical-quantum channel, and the decoders* $Dm:m\u2208M$ *form a sub-POVM.*

*The error of*$C$

*is defined as*

*The leakage of a message random variable*

*M*

*over*$M$

*is defined as*

*where*

*V*

*is the complementary channel to the environment.*

The rates and capacities can, then, be defined exactly as is done for classical-quantum channels. Since we will use these definitions only briefly in Corollary 4.2, we limit ourselves to directly defining the capacities.

*The strong secrecy capacity*

*C*

_{strong}(

*W*)

*is the largest real number such that for every*

*ϵ*> 0

*and sufficiently large*

*n*,

*there exists a finite set*$X$

*and an*$(n,|M|)$

*code*$C=Em,Dm:m\u2208M$

*such that*

*where*

*U*

*is the uniform random variable over*$M$

*.*

*The semantic secrecy capacity of*

*W*

*, denoted by*

*C*

_{sem}(

*W*),

*is the largest real number such that for every*

*ϵ*> 0

*and*

*sufficiently large*

*n*,

*there exists an*$(n,|M|)$

*code*$C={Em,Dm:m\u2208M}$

*such that for any random variable*

*M*

*with arbitrary distribution on*$M$,

Note that the choice of the environment channel does not affect the definitions of capacity. Let *V* and *V*′ be two distinct complementary channels to *W*; then, *V*′ and *V* are equivalent in the sense that there is a partial isometry *U* such that for all input states $\rho \u2208S(HP)$, we have *V*′(*ρ*) = *U*^{*}*V*(*ρ*)*U*.^{34,35} The action of the partial isometry is reversible, and thus, the leakage is the same (being a mutual information, which is non-increasing under local operations). Therefore, the security criteria in Definitions 3.13 and 3.14 do not depend on the choice of the complementary channel.

With the definitions in place, we prove in Sec. IV that we can change any strong secrecy capacity achieving codes into semantic secrecy capacity achieving codes. However, the result is non-constructive, which is why in Sec. V we provide a semi-constructive proof where we concatenate functions to suitable transmission codes to convert them into semantic secrecy capacity achieving codes. Section VI provides perspectives on the extension of our results to more general channel models.

## IV. SEMANTIC SECRECY CAPACITY

*P*on $M$, and classical channels $E:M\u2192P(Xn)$.

*C*

_{w}(

*W*,

*V*) was first proven in Ref. 3 to equal the strong secrecy capacity of the classical-quantum wiretap channel. The result was extended in Ref. 36 to the common-randomness strong secrecy capacity as a particular case of arbitrarily varying classical-quantum wiretap channels. Namely, we have

*C*

_{w}. Since a semantically secure code is also always strongly secure, the converse theorems for strong secrecy are also strong converses for semantic secrecy, as displayed schematically in Fig. 2.

*C*

_{sem}(

*W*,

*V*) ≥

*C*

_{strong}(

*W*,

*V*) when we apply the standard expurgation technique given in Ref. 12 to our channel to convert a strong secrecy code into a semantic secrecy code without asymptotic rate loss (see also Ref. 15 for the classical finite case): For any

*ϵ*> 0, by the definition of

*C*

_{strong}(

*W*,

*V*), there exists

*δ*> 0 such that for all sufficiently large

*n*, there exists an $(n,|Mn|)$ strong secrecy code $Cn$ satisfying $|Mn|\u22652n(Cstrong(W,V)\u2212\u03f5)$, $e(Cn,n)\u22642\u2212n\delta $, and

*χ*(

*U*

_{n};

*EV*

^{⨂n}) ≤ 2

^{−nδ}, where

*U*

_{n}is the uniform distribution over $Mn$ and

*E*is the encoder of the code. We have $\chi (Un;EV\u2a02n)=1|Mn|\u2211m\u2208MnD(EmV\u2a02n\Vert UnEV\u2a02n)$. Thus, as per expurgation in Ref. 12, there is a subcode $Cn\u2032$ of size $Mn\u2032\u2265Mn/2$ such that we can choose 0 <

*δ*′ <

*δ*such that for any $m\u2208Mn\u2032$ and sufficiently large

*n*, we have

*D*(

*E*

_{m}

*V*

^{⨂n}‖

*U*

_{n}

*EV*

^{⨂n}) ≤ 2 · 2

^{−nδ}< 2

^{−nδ}′. Note that the encoder is the same; we are just restricting the set of messages. Then, for any probability distribution

*P*on the new message set $Mn\u2032$, by Ref. 37, Eq. (4.7), we have

*Let*(

*W*,

*V*)

*be a classical-quantum wiretap channel. With the same notation as in*Eq.

*(25)*

*, we have*

Note that the expurgation technique given in Ref. 12 makes no assumption on the dimension of the quantum systems, namely, the outputs of the wiretap channels considered below can be infinite dimensional.

### A. Quantum channels

Let *W* now be a quantum channel, thus defining the quantum wiretap channel to be the complementary channel to the environment. Just like the case of the classical-quantum channel, the strong and semantic secrecy capacities are equal. This time, rather than transforming a strong secrecy code into a semantic secrecy code, we simply generalize the result from classical-quantum channels to quantum channels in the same way as was done for strong secrecy in Ref. 3.

*C*

_{strong}(

*W*) can be computed using the following multi-letter formula:

*V*is the channel to the environment defined by

*W*. The supremum is taken over all chosen finite sets $X$, classical/quantum channels $F:X\u2192S(HP\u2a02n)$, and probability distributions

*P*on $X$. Note how the classical-quantum channel is allowed to output entangled states between the inputs of the channels.

Just like for classical-quantum channels, any semantic secrecy code is also a strong secrecy code, and the strong secrecy capacity is a converse on the semantic secrecy capacity. Again, we only need the achievability proof. The achievability of this rate follows directly from the achievability of the wiretap capacity for classical-quantum channels. Since the proof is actually independent of the structure of the secrecy criterion, the same proof for strong secrecy also works for semantic secrecy.

*Let*

*W*

*be a quantum channel. We have*

*n*, $X$,

*P*, and

*F*, namely, that

Note that *χ*(*P*, *FW*^{⨂n}) − *χ*(*P*, *FV*^{⨂n}) is already an achievable rate for the classical-quantum channel (*FW*^{⨂n}, *FV*^{⨂n}), and thus, for all *ϵ* > 0 and all *n*′, there exist an [*n*′, *χ*(*P*, *FW*^{⨂n}) − *χ*(*P*, *FV*^{⨂n}) − *ϵ*, *ϵ*] code $Em,Dm$ for (*FW*^{⨂n}, *FV*^{⨂n}) as stated in Theorem 4.1. It follows by construction and definition that $EmF\u2a02n\u2032,Dm$ is a [*n*′*n*, *χ*(*P*, *FW*^{⨂n}) − *χ*(*P*, *FV*^{⨂n}) − *ϵ*, *ϵ*] code for *W* with rate divided by *n*.

Since we can reduce the classical semantic secrecy capacity of quantum channels to the one of classical-quantum wiretap channels, we can restrict ourselves to the latter in our analysis.

We have proven that whenever strong secrecy is achievable, then semantic security is also achievable. However, the proof technique does not tell us how to practically construct such codes, and the subset of semantically secure messages chosen in Theorem 4.1 will, in general, depend on the channel and the code. In Sec. V, we will address this issue and show how to construct such codes, similar to how hash functions are used to achieve strong secrecy.

## V. SEMANTIC SECURITY WITH BRI FUNCTIONS

However, the expurgation technique gives us only an existence statement and does not answer the question of how to choose the semantically secure message subsets. In this section, we introduce BRI functions and use them to construct semantic secrecy capacity achieving BRI modular codes in Theorem 5.12, thus also providing an alternative to the achievability Proof of Theorem 4.1 in Sec. IV. We will construct such codes requiring common randomness and will at first only show achievability via common-randomness BRI modular codes. An additional derandomization step will be required to construct codes without common randomness. The idea behind the construction of semantic-secrecy BRI modular codes is similar to the way in which strong secrecy codes are constructed using first a transmission code to correct all the errors, but substituting the use of strongly universal hash functions with the use of BRI functions to erase the information held by the eavesdropper. Just like hash functions, BRI functions require a random seed known to the sender and receiver, which is why we provide it as common randomness. Providing the seed via common randomness makes construction easier and the proof conceptually clear. However, the assumption of common randomness as an additional resource is quite strong. In the end of this section, we prove that the random seed can be generated by the sender and be made known to the receiver using the channel without sacrificing capacity, a process known as derandomization.

An approach achieving the semantic secrecy rate using “standard” secure codes was delivered in Ref. 17, where the result of Ref. 3 was extended. In Ref. 17, it has been demonstrated how to obtain a semantic secure code from a “standard” secure code by using a hash function when the “standard” secure code is a linear code and the channel is an additive channel. References 17 and 38 extended this technique to deliver an explicit construction of a secrecy transmission code with strong secrecy for a general classical channel. In addition, this method also works for a continuous input alphabet. The same technique can be easily extended to a classical-quantum code (cf. Ref. 39). This technique has been also applied in Ref. 12 for additive fully quantum channels when the eavesdropper has access to the whole environment. Together with the expurgation technique (cf. Sec. IV), these results deliver an extend proof for Theorem 4.1.

Our results, both for classical-quantum channels and for fully quantum channels with eavesdropper having access to the whole environment, are more general since our techniques deliver an explicit construction of a secrecy transmission code with semantic secrecy using **any code,** ensuring strong security on any wiretap channel.

To our knowledge, we are the first to show that **every** code with or without common randomness that achieves strong secrecy has a subcode with the same asymptotic rate, which achieves semantic secrecy measured in terms of Holevo information. Thus, the passing from the strongly secret code to the semantically secret subcode is highly nonconstructive. An important aspect of THIS modular construction using BRI functions is that there is hope that it can be implemented in practice.

### A. BRI functions

We will define what biregular irreducible (BRI) functions are in this subsection and prove the key properties that we will use to achieve semantic security. The properties we will prove are independent of communication problems such as the classical-quantum wiretap channels we consider. They are simply related to the structure of BRI functions and how they are used as an input to classical-quantum channels. Thus, the channels and the input spaces in this subsection are not to be confused with the actual wiretap channel and its inputs, as will be made clearer below.

*f*

_{s}(

*x*), namely, functions of two inputs $f:S\xd7X\u2192N$, and at their preimages in $X$,

*(biregular functions). Let* $S$*,* $X$*,* $N$ *be finite sets. A function* $f:S\xd7X\u2192N$ *is called biregular if there exists a regularity set* $M\u2286N$ *such that for every* $m\u2208M$*, the following holds:*

$dS\u2254|{x:fs(x)=m}|=|fs\u22121(m)|$

*is non-zero and independent of**s**;*$dX\u2254|{s:fs(x)=m}|$

*is non-zero and independent of**x**.*

*P*

_{f,m}

^{14}with coefficients defined as

*P*

_{f,m}(

*x*,

*x*′) is the normalized number of seeds $s\u2208S$ such that both

*x*and

*x*′ are in the preimage $fs\u22121(m)$. Since

*P*

_{f,m}is stochastic, its largest eigenvalue is 1 and we define

*λ*

_{2}(

*f*,

*m*) to be the second largest singular value of

*P*

_{f,m}.

*(BRI functions). Let* $S$*,* $X$*,* $N$ *be finite sets. A biregular function* $f:S\xd7X\u2192N$ *is called irreducible if 1 is a simple eigenvalue of* *P*_{f,m}*, namely, if* *λ*_{2}(*f*, *m*) < 1*, for every* $m\u2208M$*.*

Note that $dS$ and $dX$ might depend on *m*. However, for the known BRI function construction, these are, indeed, a constant parameter.^{14}

*m*is a possible output of any

*s*or

*x*with the right (

*s*,

*x*) pair. If for a fixed

*m*, we consider the incidence matrix $Isx=\delta m,fs(x)$, which we can think of it as representing the

*m*section of the graph of

*f*

_{s}(

*x*), then we can visualize items (a) and (b) as

*I*

_{sx}having the same number of 1’s in each row, and similarly in each column. For example, ignoring Definition 5.2 and omitting the zeros, a possible

*I*

_{sx}for a given

*m*might look like

*d*≥ 3 and $k\u2208N$, there exists a BRI function $f:S\xd7S\u2192M$, satisfying $|S|=2kd$, $|M|=2k$, and

*H*; a classical-quantum channel

*V*is not necessarily a wiretap; and the random variables

*V*will actually be the composition of the encoder of the transmission code with the actual wiretap; thus, $X$ will be the message space of the transmission code. The space $M$ will be the message space of the wiretap code, and $S$ will be the space of the common randomness. Given a seed

*s*, the encoding of a message

*m*happens by picking an uniformly random element of the preimage $fs\u22121(m)$. The definition of BRI functions and these conditions, then, are such that fixing the message and choosing the seed at random produce a uniformly random encoding, as will be explained now more precisely. For this purpose, with some abuse of notation, we will allow classical-quantum channels to take subsets as inputs, with the convention that the resulting state is the uniform mixture over the outputs of the elements in the set. Namely, for $D\u2286X$, we will define

We can now start bounding the information at the output of the channel *V* and ultimately will need to be able to show the semantic secrecy conditions. As said, we focus for now on the common-randomness semantic security, Eq. (16) of Definition 3.7, which means bounding the leakage defined in Eq. (3) of Definition 3.3. We do this, in general, for the output of any channel, irrespective of actual encodings, and, therefore, will upper bound a general leakage $\chi M;S,V\u25e6fS\u22121$. We begin by converting the leakage from a Holevo quantity to a relative entropy.

*For any random variable*

*M*

*over*$M$

*independent of the uniform seed*

*S*

*, it holds that*

For the next step, we will define subnormalized classical-quantum channels. Later, we will project onto the typical subspace and discard the rest.

*Let*

*ϵ*≥ 0

*. An*

*ϵ*

*-subnormalized classical-quantum channel*$V\u2032:X\u2192L(H)$

*is a map satisfying*

*V*′(

*x*) ≥ 0

*and*1 −

*ϵ*≤ tr

*V*′(

*x*) ≤ 1

*for all*$x\u2208X$

*. Since for*

*ϵ*>

*ϵ*′

*, an*

*ϵ*

*-subnormalized channel is also*

*ϵ*′

*-subnormal, we call all 0-subnormalized classical-quantum channels simply subnormal. Now, let*$V:X\u2192S(H)$

*be a classical-quantum channel. Let*$V\u2032:X\u2192L(H)$

*be a subnormalized classical-quantum channel. We say that*

*if*

*V*′(

*x*) ≤

*V*(

*x*)

*for all*$x\u2208X$

*.*

The ordering definition reflects what we obtain when we project a channel on a subspace, and we obtain a subnormalized channel that is less than the original channel in an operator ordering sense. When we project onto the typical subspace, we only change the channel a little, and we want to make sure that our upper bound only changes a little. This is the statement of the next lemma.

*Let*

*V*

*:*$X\u2192S(H)$

*be a classical-quantum channel. Let*

*ϵ*> 0

*. Let*$V\u2032:X\u2192L(H)$

*be an*

*ϵ*

*-subnormalized classical-quantum channel such that*

*V*′ ≤

*V*

*. Then, for any fixed*$m\u2208M$

*, it holds that*

*ρ*,

*ρ*′,

*σ*, and

*σ*′ be subnormalized quantum states on the same system such that the sum is a normalized state, namely, so that tr(

*ρ*+

*ρ*′) = tr(

*σ*+

*σ*′) = 1. Consider classical-quantum states of the form $00\u2a02\rho +11\u2a02\rho \u2032$ and $00\u2a02\sigma +11\u2a02\sigma \u2032$. By monotonicity of the relative entropy (cf. Sec. II) under the trace, we note that

*V*

^{Δ}≔

*V*−

*V*′ and apply the above equation to

*Let*

*ϵ*> 0,

*and let*$V\u2032:X\u2192S(H)$

*be an*

*ϵ*

*-subnormalized classical-quantum channel. For any fixed*$m\u2208M$

*, it holds that*

Lemma 5.6 is just the quantum version of Lemma 23 in Ref. 14 and can be shown by similar techniques. For the sake of completeness, we deliver a proof here.

*α*-Rényi relative entropy for quantum states we mentioned in Sec. II, it holds that

*D*(

*ρ*‖

*σ*) ≤

*D*

_{2}(

*ρ*‖

*σ*), and thus, we can bound any relative entropy term

*D*(

*pρ*‖

*qσ*), where

*p*and

*q*are probabilities and

*ρ*and

*σ*are states such that

*supp*(

*ρ*) ⊂

*supp*(

*σ*) with the 2-Rényi relative entropy as follows [note that Eq. (38) holds trivially if

*supp*(

*ρ*) is not in

*supp*(

*σ*)]:

*p*log

*p*≤ 1 −

*p*.

*Let*$V\u2032:X\u2192L(H)$

*be a subnormalized classical-quantum channel. For every*

*m*∈

*M*,

*we have*

*where*

*λ*

_{2}(

*f*,

*m*)

*is the second largest singular value of*

*P*

_{f,m}

*defined in*

*Eq. (32)*

*, and the expectation value is over uniformly random*$s\u2208S$

*.*

Lemma 5.7 is a form of leftover hash lemma for classical-quantum channels.

*supp*(

*ρ*) ⊂

*supp*(

*σ*), then $expD2\rho \Vert \sigma =tr\rho 2\sigma \u22121$, where

*σ*

^{−1}is the pseudo-inverse. By linearity, the definition of the BRI function and by expanding the mixtures for every

*m*, we obtain

*P*

_{f,m}from Definition 5.2 and, then, Eq. (33).

*ρ*and

*σ*be two states with

*supp*(

*ρ*) ⊂

*supp*(

*σ*). Let ${vi}$ be an orthonormal basis of eigenvectors to the non-zero eigenvalues of

*σ*, and let $\rho ij=vi\rho vj$. Then,

*x*, so we can apply this to the above. Let {

*λ*

_{i}:

*i*} be the non-zero eigenvalues of $V(X)$ with a set of orthonormal eigenvectors {|

*v*

_{i}⟩ :

*i*}. We now use the notation $V\u2032ij$ for the functions $V\u2032ij(x)=viV\u2032(x)vj$. Because

*V*′(

*x*) are Hermitian, we have $V\u2032ij=V\u2032ji*$, and thus, we can write

*P*

_{f,m}is a symmetric stochastic matrix in an $|X|$-dimensional real space with

*λ*

_{2}(

*f*,

*m*) < 1 denoting the second-largest eigenvalue. By construction and assumption, 1 is the largest eigenvalue, and it is simple (non-degenerate). Then, for any two vectors in

*ω*and

*ω*′ in this space, it holds that

*AB*≤ ‖

*A*‖

_{∞}tr|

*B*|, together with the positivity of the states, to obtain the following:

Note that the bound in Lemma 5.7 is technically different from the classical version in Ref. 14, Lemma 26, which bounds the leakage in terms of a max mutual information. As for now, we are only able to prove the lemma for finite-dimensional quantum systems, while the classical version is also valid for infinite classical systems.

*Using different types of functions instead of BRI functions, Hayashi and Matsumoto showed Ref.* *15 **, Theorem 17 and Lemma 21, which is a result similar to Lemma* 5.7 *in the case of a single message [i.e., for resolvability (Ref.* *15 **, Theorem 17)] and for ordinary classical channels. It is straightforward to extend this to the case of several messages and subnormalized channels. The function class of Hayashi and Matsumoto is defined via the function inverses in terms of group homomorphisms. The example given in Ref.* *41 * *uses a short seed for strong security. It is still open whether the seed required in Ref.* *15 * *for semantic secrecy can be as short as for the BRI security functions in this work. The size of the seed is a part of the complexity of the code once it is derandomized; it may partially influence the efficiency of the code and the finite rates achieved for a finite number of channel uses. During the completion of this work, new efficient functions with an efficient randomness size were proven to achieve semantic security in the classical setting.*^{42} *We also expect these functions to provide semantic security for quantum channels.*

For completeness, the proof of Eq. (41) follows here. Afterward, we will continue the chain of inequalities and bound the *V* dependent term of Lemma 5.7.

*Let*

*P*

*be a symmetric stochastic real matrix in a*$|X|$-

*dimensional complex space, and let eigenvalue 1 be simple. Denote the second-largest eigenvalue modulus*

*P*

*by*

*λ*

_{2}

*. For every vector*$\omega $

*in this space, it holds that*

*where*$1$

*is the normalized all-one vector, namely,*$1=1|X|(1,\u2026,1)$

*.*

*λ*

_{2}. Since

*λ*

_{2}is positive for such a matrix,

^{40}we have

Putting all the results above together, we obtain the following single statement for BRI functions.

*Let*

*ϵ*> 0,

*and let*$V\u2032:X\u2192L(H)$

*be an*

*ϵ*

*-subnormalized classical-quantum channel such that*

*V*′ ≤

*V*

*. For any random variable*

*M*

*over*$M$

*independent of the uniform seed*

*S*

*, it holds that*

*x*) ≤

*x*/ln 2.□

In Sec. V B, we will finally define what a code using BRI functions looks like. The chain of lemmas above will allow us to prove that we can achieve capacity with such codes. There, the classical-quantum channels of the lemmas above will be the classical-quantum channel generated by a transmission code around the actual wiretap channel. Hence, *V* above should not be confused with the actual wiretap, but instead, it will be the composition of the wiretap *V*^{⨂n} and the encoder. This is why all the lemmas above are single letter.

### B. BRI modular codes

We can now prove the final statements. As will be noted in the next proof, BRI functions are not used to upgrade the strong secrecy achieved by, e.g., a hash function or any strong-secrecy capacity-achieving code. Instead, the BRI functions replace hash functions and directly produce a semantic-secrecy capacity-achieving code out of a capacity-achieving error-correction code.

Let us now fix an actual wiretap channel. We fix a finite space $X$, two finite quantum systems *H* and *H*′, and a classical-quantum wiretap channel (*W*, *V*) defined as the classical-quantum channels $W:X\u2192S(H)$ and $V:X\u2192S(H\u2032)$. For reference, recall that an $(n,|S|,|M|)$ common-randomness code is a finite subset $Cs={(Ems,Dms):m\u2208M}:s\u2208S$ of the set of $(n,|M|)$ codes, labeled by a finite set $S$, the common randomness. We, then, define BRI modular codes as follows:

*Let* $S$ *and* $M$ *be the finite sets for the space of the seeds, messages, and encodings. Let* $xcn,Dcc\u2208C$ *be an* $(n,|C|)$ *code for* *W**, and let* $f:S\xd7C\u2192M$ *be a BRI function. We define their BRI modular code to be the common-randomness code such that for every seed* $s\u2208S$ *and message* $m\u2208M$*, we have the following:*

*The encoder*$Ems$*is the uniform distribution over*$xcn:c\u2208fs\u22121(m)$.*The decoder is*$Dms=\u2211c\u2208fs\u22121(m)Dc$*.*

Note that, in practice, for the decoder, it will be more straightforward to simply decode *c* and, then, compute directly *f*_{s}(*c*) instead of implementing the coarse grained decoding operators.

*For any probability distribution* *P* *over* $X$*, we have the following:*

*There exist BRI modular codes achieving the semantic secrecy rate**χ*(*P*;*W*) −*χ*(*P*;*V*)*using codes achieving the transmission rate**χ*(*P*;*W*).*The same rate is achievable with their derandomized codes.*

*P*, we can also directly achieve the supremum. This single letter formula, then, implies the multi-letter formula by standard argument. More precisely, we can write the classical-quantum wiretap capacity as

*C*

_{w}is also achievable.

Finally, the finite block length results can be extracted by looking at Eqs. (47) and (51) in the proof, and they depend on the finite-block length parameters of the chosen transmission code. Similar finite-block length results for derandomized codes are found in Eq. (53).

Fix the arbitrary distribution *P* and fix any *ϵ* > 0, and let *δ* be a positive number, which will later be chosen as a function of *ϵ*. By Refs. 43–45, there exists *γ* > 0 such that for sufficiently large *n*, there exists an $(n,|X\u2032|)$ transmission code ${Ex\u2032\u2032,Dx\u2032\u2032:x\u2032\u2208X\u2032}$ for *W* whose rate is at least *χ*(*P*; *W*) − *ϵ*/2, whose maximal error probability is at most 2^{−nγ}, and whose codewords, moreover, are all *δ*-typical, namely, the encoders satisfy $E(TP,\delta n|x\u2032)=1$ for all messages $x\u2032\u2208X\u2032$. (For the definition of $TP,\delta n$, see the Appendix. For an explicit proof that the error can be made to decrease exponentially, see, e.g., Ref. 37, Lemma 4.1).

*n*if necessary, we have enough flexibility to choose integers

*k*and

*d*satisfying

*f*. Its rate clearly satisfies

^{−nγ}. In order to evaluate the security of the BRI modular code, we define the classical-quantum channel

*U*=

*E*′

*V*

^{⨂n}and upper-bound

*M*on $M$ independent of the uniform seed

*S*.

*V*′ is a 2

^{−nη(δ)}subnormalized classical-quantum channel satisfying

*V*′(

*x*

^{n}) ≤

*V*

^{⨂n}(

*x*

^{n}) for all $xn\u2208TP,\delta n$. Since all codewords are contained in $TP,\delta n$,

^{−nη(δ)}subnormalized classical-quantum channel satisfying

*U*′ ≤

*U*, and Corollary 5.10 and Eq. (46) imply

*k*is

*n*times the rate of our common-randomness code, thus by Theorem 4.1, it cannot grow faster than

*nC*

_{w}(

*W*,

*V*), and thus,

*δ*small enough for

*γ*″(

*δ*) <

*ϵ*/4 to hold. Then, this upper bound tends to zero at exponential speed with

*n*. Hence, as the block length

*n*increases, our BRI modular code ${Cs:s\u2208S}$ achieves the rate

*χ*(

*P*;

*W*) −

*χ*(

*P*;

*V*) with the exponentially decreasing error probability and leakage.

As previously mentioned, the codes we constructed use common randomness. This allows us to simply provide the seed needed by the BRI modular code and keep the proof focused on the properties of the BRI function. We now derandomize these codes. Note, however, that this is a standard procedure and does not really depend on the structure of the BRI modular codes, but simply in the scaling of its size and errors.

*n*′ =

*n*and share the seed with the same transmission code $C\u2032$ used to construct the BRI modular code. For the number of reuses of the seed, we need to choose a sequence $(N(n))n\u2208N$ such that 1 ≪

*N*(

*n*) ≪ 2

^{nγ}, $N(n)\u226a2n(\u03f5/4\u2212\gamma \u2032\u2032(\delta ))$, and $N(n)\u226a(nCw(W,V)+\u03f5\u2032+1)\u221212n\gamma $. For simplicity, it suffices to choose

*N*(

*n*) =

*n*− 1, and thus, we define $C\u0304$ as the

*n*− 1-derandomized code constructed from $C\u2032$ and $Cs:s\u2208S$. The total number of channels used is, then,

*n*

^{2}. By Lemma 3.9, we have an $(n2,n2\u2212nn2R,2\u2212n\gamma n)$ semantic-secrecy code. Since now we have $|Mn\u22121|=2(n\u22121)k$, similar to (47), we have

*δ*was chosen to satisfy

*γ*″(

*δ*) <

*ϵ*/4, this upper bound still tends to zero with

*n*, and our derandomized BRI modular code achieves the rate

*χ*(

*P*;

*W*) −

*χ*(

*P*;

*V*).□

The following is the standard statement that any single letter achievable rate implies a multi-letter achievable rate. We give a proof for completeness.

*If*

*C*

^{1}(

*W*,

*V*)

*is an achievable rate, then*

*where the maximum is over finite sets*$A$

*and stochastic mappings*$E:A\u2192Xn$

*, is also an achievable rate.*

In order to show that *C*_{sem}(*W*, *V*) is also achievable, given that *C*^{1}(*W*, *V*) is achievable, we pick any *n* and *E*. We obtain a new classical-quantum wiretap channel (*EW*^{⨂n}, *EV*^{⨂n}) for which we know that the rate *C*^{1}(*EW*^{⨂n}, *EV*^{⨂n}) is achievable. Specifically, for any *ɛ* > 0 and sufficiently large *n*′, there exists an [*n*′, *C*^{1}(*EW*^{⨂n}, *EV*^{⨂n}) − *ϵ*, *ϵ*] code $Em\u2032,Dm\u2032:m\u2208M$ for (*EW*^{⨂n}, *EV*^{⨂n}). The error and leakage only directly depend on the encoder and channels compositions $E(EW\u2a02n)\u2a02n\u2032$ and $E(EV\u2a02n)\u2a02n\u2032$; thus, they do not change, and thus, the code $Em\u2032En\u2032,Dm\u2032:m\u2208M$ is a [*nn*′, (*C*^{1}(*EW*^{⨂n}, *EV*^{⨂n}) − *ϵ*)/*n*, *ϵ*] code for (*W*, *V*). Therefore, *C*^{1}(*EW*^{⨂n}, *EV*^{⨂n})/*n* is achievable for (*W*, *V*). Since the above holds for all *n* and *E*, taking the supremum concludes the proof.□

In this section, we showed that there exist modular coding schemes constructed from suitable transmission codes and BRI functions, which achieve the security capacity of the classical-quantum wiretap channel and provide semantic security. Compared to the results of Sec. IV, the message sets of these modular codes are given explicitly via the BRI function. In particular, they do not depend on the wiretap channel.

## VI. FURTHER PERSPECTIVES

In classical information, not only discrete channels but also continuous channels are important subjects of study. In Ref. 14, semantic security was demonstrated for both discrete channels and continuous channels. Thus, it will be very interesting to analyze if we can extend these results to continuous quantum channels. As mentioned above, the results of Ref. 14 show how a non-secure code can be transformed into a semantic secure code. Thus, it will be a promising next step to analyze if these results can be extended to a non-secure code for continuous quantum channels, e.g., classical-quantum Gaussian channels, which are continuous-variable classical-quantum channels undergoing a Gaussian-distributed thermal noise.^{46} Furthermore, similar to the discrete channels, one can consider that the eavesdropper will have access to the environment’s final state^{47} for continuous quantum channels as well. Thus, it will be an interesting further step to analyze if the results of Sec. III D can be extended to continuous quantum channels. Further discussions will be the extension of these techniques on more complicated networks, e.g., arbitrarily varying wiretap channels. This is also currently still open for classical networks.

## ACKNOWLEDGMENTS

Holger Boche, Minglai Cai, Christian Deppe, and Roberto Ferrara were supported by the German Federal Ministry of Education and Research (BMBF) through Grant Nos. 16KISQ028 (C.D., R.F.), 16KISQ020 (H.B.), 16KIS0948 (H.B., M.W.), and 16KISQ038 (C.D., R.F.). We acknowledge the Research Hub 6G-life under Grant No. 16KISK002 for their support to Holger Boche and Christian Deppe. Holger Boche and Moritz Wiese were supported by the German Research Foundation (DFG) within Germany’s Excellence Strategy—Grant No. EXC 2092 CASA-390781972.

## AUTHOR DECLARATIONS

### Conflict of Interest

The authors have no conflicts to disclose.

### Author Contributions

**Holger Boche**: Writing – original draft (supporting); Writing – review & editing (supporting). **Minglai Cai**: Writing – original draft (equal); Writing – review & editing (equal). **Christian Deppe**: Writing – original draft (equal); Writing – review & editing (equal). **Roberto Ferrara**: Writing – original draft (equal); Writing – review & editing (equal). **Moritz Wiese**: Writing – original draft (equal); Writing – review & editing (equal).

## DATA AVAILABILITY

Data sharing is not applicable to this article as no new data were created or analyzed in this study.

### APPENDIX: TECHNICAL LEMMAS

We now bound the *V* dependent term of Lemma 5.7. Before stating the actual lemma, we need to recall some facts about typical sequences and typical operators as can be found, e.g., in Ref. 22.

Let $X$ be a finite set. Let *P* be a probability function on $X$. Let *δ* > 0 and $n\u2208N$. The set $TP,\delta n$ of typical sequences of *P* consists of those $xn\u2208Xn$ satisfying the following.

$1nN(a\u2223xn)\u2212P(x\u2032)\u2264\delta |X|$ for all $a\u2208X$.

*N*(*a*|*x*^{n}) = 0 if*P*(*a*) = 0 for all*a*in $X$,

where *N*(*a*∣*x*^{n}) is the number of occurrences of the symbol $a\u2208X$ in the sequence *x*^{n}.

*H*be a finite-dimensional complex Hilbert space. Let $\rho \u2208S(H)$ be a state with spectral decomposition $\rho =\u2211xP(x)xx$. For any other basis of eigenvectors, the same statements will be valid. The

*δ*-typical subspace is defined as the subspace spanned by $xn:xn\u2208TP,\delta n$, where $xn\u2254\u2a02i=1nxi$. The orthogonal projector onto the

*δ*-typical subspace is given by

*α*(

*δ*),

*β*(

*δ*), and

*γ*(

*δ*) depending on

*δ*such that for large enough

*n*,

*H*be a finite-dimensional complex Hilbert space. Let $V:X\u2192S(H)$ be a classical-quantum channel. For $a\u2208X$, suppose that

*V*(

*a*) has the spectral decomposition

*V*(

*a*) = ∑

_{j}

*V*(

*j*|

*a*)|

*j*⟩⟨

*j*| for a stochastic matrix

*V*(·|·). The

*α*-conditional typical subspace of

*V*for a typical sequence

*a*

^{n}is the subspace spanned by $\u2a02a\u2208XjIa,jIa\u2208TV(\u22c5|a),\delta Ia$. Here, $Ia\u2254{i\u2208{1,\u2026,n}:ai=a}$ is an indicator set that selects the indices

*i*in the sequence

*a*

^{n}= (

*a*

_{1}, …,

*a*

_{n}) for which the

*i*th symbol

*a*

_{i}is equal to $a\u2208X$. The subspace is often referred to as the

*α*-conditional typical subspace of the state

*V*

^{⨂n}(

*a*

^{n}). The orthogonal subspace projector that projects onto it is defined as

*β*(

*α*)′,

*γ*(

*α*)′, and

*δ*(

*α*)′ depending on

*α*such that

*P*on $X$, we define a quantum state

*PV*≔ ∑

_{a}

*P*(

*a*)

*V*(

*a*) on $S(H)$. Clearly, one can then speak of the orthogonal subspace projector Π

_{PV,δ}, fulfilling Eqs. (A1)–(A3). For Π

_{PV,δ}, there is a positive constant

*α*(

*δ*)″ such that for every $xn\u2208TP,\delta n$, the following inequality holds:

*Let*$V:X\u2192S(H)$

*be a classical-quantum channel. For any*

*δ*> 0

*and probability distribution*

*P*

*over*$X$

*, define the subnormalized classical-quantum channel*$V\u2032:TP,\delta n\u2192L(Hn)$

*by*

*We assume that the inputs are chosen from a set of typical sequence*$TP,\delta n$

*with a probability distribution*

*P*

*and a positive*

*δ*

*. Then,*

*V*′ ≤

*V*

^{⨂n}

*. Moreover, there exist positive*

*η*(

*δ*)

*and*

*γ*″(

*δ*)

*such that if*

*n*

*is sufficiently large,*

*V*′

*is a*2

^{−nη(δ)}

*-subnormalized classical-quantum channel and*

*V*′ ≤

*V*

^{⨂n}. To check that the trace of

*V*′ is close to 1, let $xn\u2208TP,\delta n$ and define

*V*″(

*x*

^{n})) ≥ 1 − 2

^{−nα}′

^{(δ)}. In addition, it is clear that

*V*

^{⨂n}(

*x*

^{n}) commutes with $\Pi V,\delta n(xn)$ and that

*V*″(

*x*

^{n}) ≤

*V*

^{⨂n}(

*x*

^{n}). Therefore,

*V*′ is a 2

^{−nη(δ)}-subnormalized version of

*V*

^{⨂n}.

## REFERENCES

*Communications and Cryptography: Two Sides of One Tapestry*

*Advances in Cryptology – CRYPTO 2012*

*Quantum Computation and Quantum Information*

*Quantum Information Theory*

*α*-

*z*-Rényi relative entropies

*Completely Bounded Maps and Operator Algebras*

*Quantum Information Theory*

*Markov Chains, Gibbs Fields, Monte Carlo Simulation, and Queues*