Clarification on the definition of cipherstate in the quantum one-time pad

Question

I was reading the paper “Optimal Encryption of Quantum Bits ” (quantum one-time pad) and came across the following paragraph:

The input state, $\rho$, is called the message state, and the output state, $\rho_c$, is called the cipherstate. The protocol is secure if for every input state, $\rho$, the output state, $\rho_c$, is the totally mixed state: $$\rho_c = \sum_k p(k) U_k \rho U^*_k = \frac{1}{1/2^n} \mathbb I$$

This is while, earlier in the paper it says

The key is chosen with some probability $p_k$ and the input quantum state is encrypted by applying the corresponding unitary operation $U_k$. In the decryption stage, $U^*_k$ is applied to the quantum state to retrieve the original state.

I am confused about whether the authors mean that the cipherstate is the encrypted state or the decrypted state. If I interpret cipherstate as the decryption of the encrypted message in this context, then everything makes sense to me; however, usually cipherstate (or ciphertext) is different from the decrypted message. The expression $\sum_k p(k) U_k \rho U^*_k = \frac{1}{1/2^n} \mathbb I$ looks like what the adversary would see if they try to decrypt the message on average.

Answer 1

usually cipherstate (or ciphertext) is different from the decrypted message

This is the case here too. A maximally mixed state is essentially of no use to the adversary: it can gain no information whatsoever whatever the unitary they apply, except for a random string. It's just like you give the adversary a random bitstring.

It's kind of similar to the classical case: for the adversary, the ciphertext should look totally random. In the quantum case, for a single copy of the state, "totally random" translates to the maximally mixed state.

Answer 2

I guess you're seeing the term $U_k\rho U_k^\star$ and are thinking "that's got both $U$ and $U^\star$ so there's both an encryption and a decryption going on". That's not the case. It's only an encryption.

This is the difference between pure states and mixed states. If you had an initial state $|\psi\rangle$, you would encrypt it as $U_k|\psi\rangle$. However, if you write this as a density matrix, you start with $\rho=|\psi\rangle\langle \psi|$ and end up with the encrypted state $U_k|\psi\rangle\langle \psi|U_k^\star$. So, why are we using the density matrix formalism rather than pure states? Because we have a bunch of things happening with classical probabilities $p_k$ which are unknown from the perspective of an eavesdropper. The best way that the state can be described from that state of knowledge requires use of a density matrix.