Block encryption of quantum messages
Min Liang, Li Yang

TL;DR
This paper introduces a quantum block encryption scheme built on a new construction mode, EHE (encrypt, transversal Hadamard, encrypt). The scheme allows the secret key to be reused and, in a special case, is claimed to achieve security comparable to the quantum one-time pad, which the authors present as overcoming a limitation of classical block encryption.
Contribution
The paper presents the EHE mode for quantum encryption and uses it to build a quantum block encryption scheme with a reusable key; in a special case the scheme is claimed to achieve perfect security, which classical block encryption cannot.
Findings
The scheme is IND-CPA-secure when built from pseudorandom functions with standard (classical-query) security.
A reusable 2n-bit key suffices for an exponential number of encryptions of n-qubit messages, provided fresh randomness is drawn for each encryption.
Implementation requires only single-qubit Pauli and Hadamard gates, which is within reach of current quantum technology.
Topics: Quantum Computing Algorithms and Architecture · Quantum Information and Cryptography · Cryptography and Data Security
Min Liang and Li Yang. Min Liang is with the Data Communication Science and Technology Research Institute, Beijing 100191, China. E-mail: [email protected]. Li Yang is with the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China, and the University of Chinese Academy of Sciences, Beijing 100049, China. E-mail: [email protected]
Abstract
In modern cryptography, block encryption is a fundamental cryptographic primitive. However, block encryption cannot achieve the same security as the one-time pad. Quantum mechanics has changed modern cryptography, and much research has shown that quantum cryptography can overcome limitations of traditional cryptography.
This article proposes a new constructive mode for private quantum encryption, named EHE, which is a very simple method of constructing quantum encryption from classical primitives. Based on the EHE mode, we construct a quantum block encryption (QBE) scheme from pseudorandom functions. If the pseudorandom functions are standard secure, our scheme is indistinguishable under chosen plaintext attack. If the pseudorandom functions are permutations on the key space, our scheme achieves perfect security. In our scheme the key can be reused but the randomness cannot, so a 2n-bit key can be used in an exponential number of encryptions, with the randomness refreshed in each encryption. Thus a 2n-bit key can perfectly encrypt n qubits, and perfect secrecy is not broken as long as the 2n-bit key is reused only an exponential number of times.
Compared with the quantum one-time pad (QOTP), our scheme can be as secure as QOTP while the secret key can be reused (whether or not eavesdropping occurs). Thus the limitation on perfectly secure encryption (Shannon's theory) is broken in the quantum setting. Moreover, our scheme can be viewed as a positive answer to the open problem in quantum cryptography of "how to unconditionally reuse or recycle the whole key of private-key quantum encryption". To physically implement the QBE scheme we only need two kinds of single-qubit gates (Pauli and Hadamard gates), so it is within reach of current quantum technology.
Index Terms:
Quantum cryptography, quantum encryption, block encryption, quantum pseudorandom functions, perfect security.
I Introduction
The combination of quantum mechanics and information science forms a new science, quantum information science, in which information extends to quantum information. Processing quantum information requires quantum cryptographic technology for quantum information, e.g. encryption of quantum information. Since quantum information can be seen as an extension of classical information in complex Hilbert space, cryptographic schemes for quantum information are also suitable for classical information, but not vice versa.
Quantum information encryption is a basic quantum cryptographic primitive; in particular the quantum one-time pad (QOTP) has been applied in various quantum cryptographic schemes. For example, quantum message authentication (QMA) is used in the constructions of secure multiparty quantum computation [1] and quantum interactive proofs [2], and any scheme that authenticates quantum messages must also encrypt them [3].
QOTP (or the private quantum channel) [4, 5, 6, 7] was the first quantum information encryption scheme; it uses a preshared classical symmetric key and has perfect security. However, the secret key cannot be reused. Recycling of the QOTP key has been studied in the literature [8]. Zhou et al. propose another symmetric-key encryption algorithm [9] that uses quantum-classical hybrid keys.
Public-key encryption of quantum messages was first studied by Yang [10], where both the public key and the private key are classical. Because the scheme is based on an NP-complete problem, it achieves at most computational security. Later, public-key encryption schemes with computational security were studied in further works [11, 12, 13], and public-key encryption with information-theoretic security has also been studied [14, 15].
Alagic et al. [16] propose a private-key scheme and a public-key encryption scheme for quantum data, both with computational security. The private-key scheme is built from a quantum pseudorandom function (PRF) and QOTP, but it is not indistinguishable under chosen ciphertext attack. The public-key scheme is built from a quantum trapdoor one-way permutation and QOTP.
There is also work on QMA [3, 17, 18] and on non-malleable quantum encryption [19, 20]. Because authentication of quantum messages implies encryption [3], secure quantum authentication schemes can also serve as quantum message encryption schemes; however, their secret keys cannot be reused, or can only be partially recycled.
I-A Our Results
We present a detailed description of EHE encryption. In the notation "EHE", each E represents a different quantum encryption operation and H represents a transversal Hadamard transformation. QOTP itself can be viewed as a special case of EHE encryption in which each E encrypts quantum superpositions using a classical one-time pad.
Based on two PRFs, we construct a secure quantum block encryption (QBE) scheme in the form of EHE encryption. The idea is described in Fig. 1. Two classical block encryption (BE) schemes are constructed from two PRFs, and from these two classical schemes two insecure QBE schemes are built. The whole quantum encryption is then completed in three steps: (1) the quantum message is encrypted using the first QBE scheme; (2) a transversal Hadamard transformation is performed on the result; (3) the resulting state is encrypted using the second QBE scheme, which yields the final ciphertext.
We study the security of the QBE scheme and obtain the following main results.
Theorem 1 (informal)
If the PRFs are chosen independently and have standard security in the quantum computation setting, then the scheme is an IND-CPA-secure QBE scheme.
Theorem 2 (informal)
If the two PRFs are independent and have standard security, and both are permutations on the key space, then the scheme is a perfectly secure QBE scheme.
Theorem 1 states that our QBE scheme is IND-CPA-secure, with plaintext blocks of the same length as ciphertext blocks. Theorem 2 states that, in a particular case, the QBE scheme has the same security as QOTP even though the keys are reused. Thus our scheme can be viewed as a positive answer to the open problem in quantum cryptography of "how to unconditionally reuse or recycle the whole key of private-key quantum encryption", which has been studied in Refs. [8, 17, 18, 21, 22, 23].
QOTP has been widely applied in the theoretical design of various quantum encryption and authentication schemes [1, 2, 3, 14, 18]. Based on our results, those QOTP-based schemes could be modified by replacing QOTP with the perfectly secure QBE scheme, with a clear improvement to be expected, for example recycling all the keys of the scheme in Ref. [18] or lifting weak authentication to total authentication [17].
I-B Related works
I-B1 How to construct quantum cryptographic primitives from classical ones
Based on quantum mechanics, information extends to quantum information and computation extends to quantum computation. A natural question is whether modern cryptography, which is based on classical information and computation, extends to quantum cryptography; concretely, how to extend a classical cryptographic primitive to a quantum one. Our results give an answer for BE (or pseudorandom functions). There are also other related works.
In Ref. [10], a quantum public-key encryption scheme is proposed based on the classical McEliece public-key cryptosystem. Later, more constructions were proposed [11]. To improve security, Yang and Liang [13] proposed the double-encryption technique, which is the origin of EHE encryption.
Garg et al. [17] propose the "Auth-QFT-Auth" pattern for constructing QMA schemes, in which the two Auth layers are classical Wegman-Carter MAC schemes and QFT is the quantum Hadamard transform. This pattern is clearly very similar to EHE encryption.
In fact, QOTP can be viewed as an EHE-like construction based on the classical OTP: quantum states are encrypted using a classical one-time pad in the computational basis, and then using a classical one-time pad in the conjugate (Hadamard) basis.
The most closely related work is Ref. [16], which proposes a computationally secure framework for quantum encryption. However, their construction uses a "PRF+QOTP" mode, while ours uses the EHE mode. In spirit, the EHE mode is a particular combination of two insecure encryptions, and this mode of combination can be extended to construct further quantum cryptographic schemes.
I-B2 Quantum encryption with key recycling
OTP is a perfectly secure encryption scheme, but its key cannot be reused; in a BE scheme the key can be reused, but the security is weaker than OTP. Quantum cryptography faces the same problem: QOTP has the same security as OTP, but its key cannot be reused (QOTP could be combined with quantum key distribution, but that needs more rounds of interaction and more communication). To address this problem, researchers have considered recycling part of the key or reusing the key conditionally.
Damgård et al. [21, 22] show how to encrypt a classical message in a quantum state and recycle the key. Oppenheim and Horodecki [8] study how to encrypt a quantum message and recycle the key; there the QOTP key can only be partially reused. Fehr and Salvail [23] propose a quantum authentication scheme for classical messages with key recycling, in which part of the randomness can be extracted and used as an OTP or QOTP key. Combining the authentication scheme with OTP (or QOTP) then gives a quantum encryption scheme with key recycling that can encrypt classical or quantum information.
There is also work on QMA with key recycling [17, 18]. The "Auth-QFT-Auth" authentication scheme [17] allows part of the key to be recycled conditionally: the inner key can be recycled upon successful verification, but the outer key cannot. Because any scheme that authenticates quantum messages must also encrypt them [3], these authentication schemes can also be used as encryption schemes with key recycling.
In all these schemes the keys cannot be fully reused; we solve this problem with the QBE scheme.
I-C Organization
In Section II, we introduce basic notation and review three kinds of PRFs. In Section II-C, we describe the EHE encryption technique. In Section III, we show how to construct an IND-CPA-secure QBE scheme and prove that a perfectly secure scheme is achievable. Finally, we conclude and discuss the results.
II Preliminaries
II-A Notations and definitions
denotes the set of all the functions that map bits to bits. Define as the set of functions , then , where .
Any classical computable function can be implemented by a quantum computer, or be implemented as an oracle which is queried on quantum superpositions.
[TABLE]
where the two sets are the domain and range, respectively. The function can be written briefly without ambiguity. The first oracle notation means that the quantum adversary can access the function with quantum superposition queries; the second means that the (classical or quantum) adversary can access the function only classically.
[TABLE]
PRFs are a basic primitive in modern cryptography. A PRF is a polynomial-time computable function whose three parameters are the key space, the domain and the range, respectively. These are implicit functions of the security parameter. We write the keyed function in either of the two usual notations.
Definition 1 (PRF)
A function is a PRF if, for any probabilistic polynomial-time (PPT) adversary, the advantage of the adversary in distinguishing a truly random function from the keyed function with a uniformly chosen key
[TABLE]
is negligible. We write to represent the key is drawn from uniformly and randomly. represents the function is uniformly chosen from . The notations can be briefly written as and .
“ is negligible” means that, for any polynomial , there exists such that .
The Pauli gates X and Z can be represented as $X=\begin{pmatrix}0&1\\1&0\end{pmatrix}$, $Z=\begin{pmatrix}1&0\\0&-1\end{pmatrix}$, and the Hadamard gate is $H=\frac{1}{\sqrt{2}}\begin{pmatrix}1&1\\1&-1\end{pmatrix}$. Given any unitary matrix and a -bit string ( is the -th bit of the string ), we write to denote . In particular, .
For two -bit strings , define .
We write the scheme as a triple to represent a quantum message encryption scheme that applies the encryption operator and the decryption operator using the symmetric key, where the key is chosen with the given probability and cannot be reused. QOTP is then described by this notation.
II-B Quantum pseudorandom functions
Following the definitions in Ref. [24], there are two security notions for PRFs in the quantum computation model. The first is standard security, where the quantum adversary can access the function only classically; we call such a PRF an "sPRF". The second is quantum security, where the quantum adversary may query the function on quantum superpositions; we call such a PRF a "qPRF".
Definition 2 (sPRF)
A PRF is standard secure if no quantum polynomial-time (QPT) adversary making classical queries can distinguish a truly random function from the keyed function with a uniformly chosen key. That is, for every such adversary there exists a negligible function such that
[TABLE]
Definition 3 (qPRF)
A PRF is quantum secure if no QPT adversary making quantum queries can distinguish a truly random function from the keyed function with a uniformly chosen key. That is, for every such adversary there exists a negligible function such that
[TABLE]
For an sPRF, define the standard advantage; for a qPRF, define the quantum advantage, where the adversary is QPT.
When quantum queries are allowed, a QPT adversary gains more advantage in distinguishing a PRF from a truly random function; that is, the quantum advantage is at least the standard advantage. If the quantum advantage is negligible, so is the standard advantage. Thus every qPRF is also an sPRF.
How can one directly construct an sPRF that is not a qPRF? In fact, the Even-Mansour block cipher is an sPRF [25] but not a qPRF [26]. In addition, CBC-MAC is also not quantum-secure as a PRF [27].
Lemma 1
Given a function , if is independent of PRF , then
[TABLE]
where is any PPT adversary and is negligible.
Proof:
Define a new quantum adversary that invokes the given adversary and is allowed to access the function classically. Because the function is independent of the PRF, we have
[TABLE]
Since the function is a PRF, this advantage is negligible. This completes the proof. ∎
Two similar results hold for sPRFs and qPRFs, respectively.
Lemma 2
Given a function , if is independent of sPRF , then
[TABLE]
where is any QPT adversary and is negligible.
Lemma 3
Given a function , if is independent of qPRF , then
[TABLE]
where is any QPT adversary and is negligible.
Remark 1
If is a PRF and is independent of , then the results in Lemmas 1,2 and 3 hold as well.
Theorem 3 (Parallel Composition)
If two functions are independent sPRFs, then their parallel composition is also an sPRF. That is, for any QPT adversary there exists a negligible function such that
[TABLE]
Proof:
According to Definition 2, if is a sPRF, then for any QPT adversary there exists a negligible function such that
[TABLE]
If is a sPRF, then for any QPT adversary there exists a negligible function such that
[TABLE]
Thus, for any QPT adversary, we obtain the following by Lemma 2 and Remark 1.
[TABLE]
Let the negligible function be the sum of the two; it is negligible. Choose the two intermediate adversaries accordingly. This completes the proof. ∎
II-C EHE encryption
In Ref. [13], Yang and Liang improved the security of the quantum McEliece PKE using a double-encryption technique. Here this "double encryption" is renamed "EHE encryption", a name that reflects its structure precisely.
Using EHE encryption, a secure quantum encryption scheme can be constructed by combining two insecure ones. EHE is a general technique for constructing quantum cryptographic schemes. The basic framework consists of three steps: (1) encrypt using the first insecure quantum encryption scheme; (2) perform a transversal Hadamard transformation; (3) encrypt again using the second insecure quantum encryption scheme.
Suppose we are given two insecure quantum encryption schemes, each consisting of key generation, encryption and decryption algorithms, and let H denote the transversal Hadamard transformation applied to all input qubits. The general framework of EHE encryption is described by the following three algorithms.
- Key generation: run the key generation algorithms of both schemes and output the pair of keys;
- Encryption: encrypt with the first scheme, apply the transversal Hadamard transformation, encrypt with the second scheme, and output the result;
- Decryption: decrypt with the second scheme, apply the transversal Hadamard transformation, decrypt with the first scheme, and output the result.
The two encryption schemes must satisfy the usual correctness conditions. It is then straightforward that
[TABLE]
so the combined construction decrypts the ciphertext correctly.
III Quantum block encryption
III-A Some definitions
QOTP is a symmetric-key quantum encryption scheme in which each key is chosen with the given probability and cannot be reused. In this section we propose the QBE scheme, another kind of symmetric-key scheme, whose secret key can be reused many times.
Definition 4 (QBE)
A QBE scheme is defined by a triplet of key generation, encryption and decryption algorithms, together with a key space and quantum plaintext and ciphertext spaces. The randomness is optional.
- Key generation: given a security parameter, generate a secret key;
- Encryption: choose a random number and perform the encryption transformation with the key;
- Decryption: perform the decryption transformation with the key.
These algorithms satisfy the condition
Analogously to the security notions of classical encryption, we define quantum versions of indistinguishability (IND) and indistinguishability under chosen plaintext attack (IND-CPA). See also Refs. [14], [16], [28]. Indistinguishability for quantum encryption was originally defined in Ref. [28]. Later, Broadbent and Jeffery [33] defined quantum IND-CPA through an interactive game, without an explicit definition of IND. Following Ref. [33], Ref. [16] defines IND, IND-CPA and IND-CCA incrementally instead of via an interactive game. The incremental definition is concise and is adopted in this paper.
Definition 5 (IND)
A QBE scheme is IND-secure if, for any QPT adversary,
[TABLE]
where is negligible, are arbitrary quantum states chosen by the adversary from , , and the probability in these terms is taken over the internal randomness of the algorithms , and .
Next, we introduce an alternative definition of IND.
Definition 6 (IND)
A QBE scheme is IND-secure if, for any QPT adversary,
[TABLE]
where is negligible, is arbitrary quantum state chosen by the adversary from , , and the probability in these terms is taken over the internal randomness of the algorithms , and .
The two definitions of IND are clearly equivalent: (1) if a QBE scheme satisfies Definition 5, take the second challenge state to be the fixed reference state, and the scheme satisfies Definition 6; (2) if a QBE scheme satisfies Definition 6, then by the triangle inequality the scheme satisfies Definition 5 as well.
Definition 7 (IND-CPA)
A QBE scheme is IND-CPA-secure if it is IND-secure when the QPT adversary is allowed to access the encryption oracle under the secret key.
IND and IND-CPA define computational security. In addition, one can define information-theoretic security, e.g. perfect security. QOTP is a perfectly secure quantum encryption scheme, and some other quantum cryptographic schemes also achieve perfect security.
Definition 8 (Perfect Security)
A QBE scheme is perfectly secure if Definition 5 (or Definition 6) holds with zero advantage when the adversary is a computationally unbounded quantum adversary.
In QOTP, a secret key of 2n bits is necessary to perfectly encrypt n qubits. Suppose we restrict the two halves of the key to be equal; then we obtain a new encryption scheme. The key length decreases to n bits, but the security decreases as well.
Proposition 1
The quantum encryption scheme is not IND-secure.
Proof:
Suppose a single qubit is encrypted. Two quantum states are chosen as the challenge messages and encrypted. Their density matrices are written as the two projectors, respectively.
The key is chosen with the given probability. Because the adversary does not know its value, the ciphertexts corresponding to the two messages are represented by two mixed states.
[TABLE]
[TABLE]
The trace distance between the two ciphertexts is non-zero, so the adversary can efficiently distinguish the ciphertexts of the two messages. Concretely, the adversary measures in the chosen basis: measuring the first ciphertext yields the distinguishing outcome with probability 1, while measuring the second ciphertext yields each outcome with probability 1/2. Thus the adversary distinguishes the two messages with success probability 3/4.
For any number of qubits, we choose the two corresponding product states as the challenge messages and analyze the security in the same way; the adversary again distinguishes their ciphertexts with the same success probability. This completes the proof. ∎
III-B An insecure construction from classical block encryption
Next, we introduce the PRF-based classical BE scheme and construct a QBE scheme from it, which turns out to be insecure.
Construction 1 (Construction 5.3.9 in Ref. [29]): Let the underlying function be a PRF. Define the classical BE scheme as follows.
- Key generation: choose a uniformly random PRF key and output it;
- Encryption: choose fresh randomness, and output the ciphertext computed from the PRF output and the plaintext;
- Decryption: recompute the PRF output from the randomness and recover the plaintext.
Based on the classical scheme of Construction 1, we construct a QBE scheme for encrypting any n-qubit message.
Construction 2: Let the classical BE scheme be as in Construction 1. Define the QBE scheme as follows.
- Key generation: output the key of the classical scheme;
- Encryption: apply the classical encryption, implemented as a unitary on the quantum message, and output the ciphertext;
- Decryption: apply the classical decryption, implemented as a unitary on the ciphertext, and output the plaintext.
Assume without loss of generality that the quantum message is a pure state. According to the encryption operator defined in Construction 2, the ciphertext is also a pure state, which can be written as
[TABLE]
Next we show that the QBE scheme of Construction 2 is insecure.
Theorem 4
The QBE scheme in Construction 2 is not IND-secure.
Proof:
Choose two quantum plaintexts, the computational-basis state and the Hadamard-basis state. For a given secret key, their ciphertexts are
[TABLE]
From the adversary's point of view (the adversary does not know the key), the ciphertexts of the two plaintexts are the following mixed states.
[TABLE]
The adversary measures the ciphertexts in the Hadamard basis. Because the Hadamard-basis plaintext is left unchanged by the encryption, measuring its ciphertext yields that state with probability 1, whereas measuring the ciphertext of the computational-basis plaintext yields it with probability at most 1/2. Thus the adversary distinguishes the two ciphertexts with probability at least 3/4. This completes the proof. ∎
Theorem 4 extends to the case where the scheme of Construction 1 is replaced by any quasi-length-preserving encryption scheme; see the ePrint version of Ref. [30] for the definition of quasi-length-preserving encryption.
Theorem 5
Given any quasi-length-preserving classical BE scheme, the QBE scheme obtained from it by Construction 2 is not IND-secure.
Proof:
The proof is similar to that of Theorem 4. ∎
By Theorems 4 and 5, using any quasi-length-preserving classical BE scheme is insecure in two cases: first, when the classical scheme is used directly to encrypt quantum superpositions on a quantum computer; second, when the classical scheme is embedded in a quantum cryptographic protocol.
III-C IND-CPA quantum block encryption
Given two PRFs, two insecure QBE schemes can be defined following the constructions in Section III-B; denote them the first and second QBE scheme. Next, we propose a secure QBE scheme following the EHE framework.
Construction 3: Given the two insecure QBE schemes, define a new QBE scheme as follows.
- Key generation: generate the keys of the two schemes and output the pair;
- Encryption: choose fresh randomness, encrypt with the first scheme, apply the transversal Hadamard transformation, encrypt with the second scheme, and output the ciphertext;
- Decryption: decrypt with the second scheme, apply the transversal Hadamard transformation, decrypt with the first scheme, and output the plaintext.
According to the QBE scheme of Construction 3, encrypting n qubits with the pair of keys gives
[TABLE]
where .
Decrypting the ciphertext with the pair of keys gives
[TABLE]
Notice that
[TABLE]
Then we can slightly modify the encryption and decryption operators (Equations (3) and (4)) as follows.
[TABLE]
The only modification is that the final Hadamard operator is discarded. Because this operator contains no variable parameters, the modification does not essentially affect security. However, there is a slight disadvantage, analyzed as follows.
With the modified operators (Equations (6) and (7)), if a message is encrypted with the keys and some randomness, the ciphertext is a Pauli-encrypted state (ignoring a global phase that depends on the pads); if that ciphertext is encrypted again with the same randomness, the original message is restored. For the original scheme (Equations (3) and (4)), encrypting twice in sequence with the same randomness yields a different state rather than the original message. Because of this small difference we keep the original scheme of Construction 3, i.e. the Hadamard transformation is retained.
The QBE scheme is very similar to QOTP: the QOTP key is replaced by pseudorandom strings generated by the PRFs from the keys and the randomness. By Construction 3, the PRF keys (the keys of the classical BE schemes) serve as the key of the QBE scheme. Because PRF keys can be reused, the QBE key can be reused as well. The randomness, however, cannot be reused, or security degrades, as shown next.
Proposition 2
For the QBE scheme of Construction 3, if the randomness may be reused, then the scheme is not IND-CPA-secure.
Proof:
Let the pair of keys be the secret key of the QBE scheme and fix the randomness. First, the sender encrypts the quantum message and obtains the ciphertext
[TABLE]
In the CPA model the adversary may access the quantum encryption oracle. The adversary queries the oracle on the ciphertext just obtained. If the randomness is reused, the adversary obtains the new ciphertext
[TABLE]
where the combined pad is the XOR of the two pads. The new ciphertext can be viewed as the output of the restricted quantum encryption scheme of Proposition 1 applied to the original message. By Proposition 1, the QBE scheme of Construction 3 is therefore not IND-CPA-secure if the randomness is reused. ∎
By Proposition 2, the randomness of the QBE scheme must not be reused; it must be chosen afresh in every execution of the encryption.
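The following simulation is an added example, not code from the paper. It checks, on one and two qubits, the three facts argued above for Constructions 2 and 3: the pad-in-one-basis scheme of Construction 2 is distinguishable by a Hadamard-basis measurement (Theorem 4); the EHE operator X^b H X^a equals Z^a H up to the second pad, so with uniformly random pads the averaged ciphertext is the maximally mixed state (the truly-random-function case in the proof of Theorem 6); and re-encrypting with the same pads collapses to the restricted QOTP of Proposition 1, which a Y-basis measurement breaks (Proposition 2). The PRF is a toy HMAC-SHA256 stand-in, the randomness is assumed to travel with the ciphertext, and the function names are this example's own; none of this is specified by the page.

```python
"""Pure-Python simulation of E-H-E quantum block encryption on a few qubits (no numpy)."""
import functools, hashlib, hmac, itertools, secrets

# Single-qubit gates as nested lists (entries may be int, float or complex).
I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]

def kron(A, B):
    return [[A[i // len(B)][j // len(B[0])] * B[i % len(B)][j % len(B[0])]
             for j in range(len(A[0]) * len(B[0]))] for i in range(len(A) * len(B))]

def pauli_string(P, bits):
    """P^{bits}: P on each qubit whose bit is 1, identity elsewhere (the paper's X^a, Z^a)."""
    return functools.reduce(kron, [P if b else I2 for b in bits], [[1]])

def hadamard_n(n):
    """Transversal Hadamard on n qubits."""
    return functools.reduce(kron, [H] * n, [[1]])

def density(amps):
    """|psi><psi| for the (unnormalised) amplitude vector amps."""
    v = [a / sum(abs(x) ** 2 for x in amps) ** 0.5 for a in amps]
    return [[x * y.conjugate() for y in v] for x in v]

def conjugate_by(U, rho):
    """U rho U^dagger."""
    return matmul(matmul(U, rho), [[U[j][i].conjugate() for j in range(len(U))] for i in range(len(U))])

def prob(rho, amps):
    """Probability that a projective measurement of rho yields the state |amps>."""
    return sum(matmul(density(amps), rho)[i][i] for i in range(len(rho))).real

def max_abs_diff(A, B):
    return max(abs(A[i][j] - B[i][j]) for i in range(len(A)) for j in range(len(A)))

def ehe_unitary(a, b):
    """Construction 3 encryption operator X^b H X^a: pad, transversal Hadamard, pad again."""
    return matmul(pauli_string(X, b), matmul(hadamard_n(len(a)), pauli_string(X, a)))

def enc_single(rho, a):
    """Construction 2: the classical pad applied in the computational basis only."""
    return conjugate_by(pauli_string(X, a), rho)

def enc_ehe(rho, a, b):
    return conjugate_by(ehe_unitary(a, b), rho)

def dec_ehe(rho, a, b):
    return conjugate_by(ehe_unitary(b, a), rho)   # inverse of X^b H X^a is X^a H X^b

def average_over_pads(encrypt, rho, n, n_pads):
    """Ciphertext as seen without the pads: every n-bit pad value is equally likely, which is the
    truly-random-function idealisation used in the proof of Theorem 6."""
    pads = list(itertools.product(itertools.product([0, 1], repeat=n), repeat=n_pads))
    cs = [encrypt(rho, *p) for p in pads]
    return [[sum(c[i][j] for c in cs) / len(cs) for j in range(len(rho))] for i in range(len(rho))]

def theorem4_success():
    """Theorem 4: X-only encryption fixes |+>. Measure in {|+>,|->}; guess |+> on outcome +."""
    c0 = average_over_pads(enc_single, density([1, 0]), 1, 1)   # I/2
    cp = average_over_pads(enc_single, density([1, 1]), 1, 1)   # still |+><+|
    return 0.5 * (1 - prob(c0, [1, 1])) + 0.5 * prob(cp, [1, 1])

def proposition2_success():
    """Proposition 2: re-encrypting with the same pads acts as X^(a^b) Z^(a^b) on the message, up to
    phase, i.e. the restricted QOTP of Proposition 1; |+i> is a fixed point of it, |0> is not."""
    def twice(rho, a, b):
        return enc_ehe(enc_ehe(rho, a, b), a, b)
    c0 = average_over_pads(twice, density([1, 0]), 1, 2)
    ci = average_over_pads(twice, density([1, 1j]), 1, 2)
    return 0.5 * (1 - prob(c0, [1, 1j])) + 0.5 * prob(ci, [1, 1j])

def ehe_leak(n, amps):
    """Distance between the averaged EHE ciphertext of |amps> and the maximally mixed state I/2^n."""
    mixed = [[1 / 2 ** n if i == j else 0 for j in range(2 ** n)] for i in range(2 ** n)]
    return max_abs_diff(average_over_pads(enc_ehe, density(amps), n, 2), mixed)

def prf(key, r, n):
    """Toy n-bit PRF F_k(r) from HMAC-SHA256, standing in for the paper's abstract sPRFs (assumption)."""
    d = hmac.new(key, r, hashlib.sha256).digest()
    return tuple((d[i // 8] >> (i % 8)) & 1 for i in range(n))

def qbe_encrypt(k1, k2, rho):
    """Keys k1, k2 are reused; r1, r2 are fresh per call and accompany the ciphertext (assumed format)."""
    n = len(rho).bit_length() - 1
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return (r1, r2), enc_ehe(rho, prf(k1, r1, n), prf(k2, r2, n))

def qbe_decrypt(k1, k2, rand, c):
    n = len(c).bit_length() - 1
    return dec_ehe(c, prf(k1, rand[0], n), prf(k2, rand[1], n))

def roundtrip_error(k1, k2, amps):
    """Encrypt then decrypt |amps> under reused keys; returns the largest entry-wise error."""
    rho = density(amps)
    rand, c = qbe_encrypt(k1, k2, rho)
    return max_abs_diff(qbe_decrypt(k1, k2, rand, c), rho)
```

`theorem4_success()` and `proposition2_success()` both return 3/4, the distinguishing probability the two proofs quote, while `ehe_leak` returns (up to floating point) 0 for any input state, the QOTP-like behaviour that the security proof relies on. The simulation averages over pad values, so it shows what the scheme looks like when the PRF outputs are uniform; it says nothing about the PRF itself, and the `hmac`-based `prf` here is only a placeholder for the sPRFs the paper assumes.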
Next we prove the security of the QBE scheme of Construction 3.
Theorem 6
If the two underlying functions are independent sPRFs, then the scheme of Construction 3 is an IND-CPA-secure QBE scheme.
Proof:
If the scheme of Construction 3 uses truly random functions instead of the PRFs, it is identical to QOTP and hence perfectly secure.
Next we show that the QBE scheme is IND-secure when the two sPRFs are used.
According to the QBE scheme, encrypting the totally mixed state yields the totally mixed state, whatever randomness is chosen. Given any QPT adversary, assume it can distinguish the ciphertexts of an arbitrary state and of the totally mixed state with advantage
[TABLE]
We now prove that this advantage is negligible. For the pair of sPRFs, we construct a distinguisher that invokes the QPT adversary. The distinguisher can classically query a pair of functions and must judge whether the queried functions are the pair of PRFs or a pair of truly random functions.
Construction of the distinguisher. The distinguisher is given an input and a pair of classical random oracles.
1. Choose a pair of random values;
2. Query the pair of classical random oracles on these values and obtain the outputs;
3. Randomly choose a plaintext; use the oracle outputs as the key to encrypt it, and denote the resulting ciphertext;
4. Invoke the QPT adversary on the ciphertext and output whatever the adversary outputs.
The distinguisher may be given either of two kinds of classical random oracle: truly random functions, or the PRFs. We discuss the two cases.
(a)
If the distinguisher accesses the truly random functions, then the derived key is a uniformly random element of the key set. In addition, the adversary inside the distinguisher has no access to the oracle outputs. From the adversary's point of view, the ciphertext is therefore a mixed state (the totally mixed state). Thus,
[TABLE]
where are chosen randomly and independently from the set .
(b)
If the distinguisher accesses the PRFs, the ciphertext is produced exactly as in the QBE scheme. From the adversary's point of view (not knowing the keys), the ciphertext is the corresponding mixed state, and it follows that
[TABLE]
where are chosen randomly and independently.
From Equations (8), (9) and (10), it follows that
[TABLE]
The adversary is a QPT algorithm, so the distinguisher invoking it is also a QPT algorithm. By Theorem 3, if the two functions are sPRFs, then the quantity in Equation (11) is negligible. From Equation (8) and Definition 6, the QBE scheme is IND-secure.
Consider now the case where the adversary may access the quantum encryption oracle
[TABLE]
If the randomness used by the oracle has also been used in the challenge query, the scheme is insecure (by Proposition 2, the adversary's advantage in distinguishing the challenge ciphertexts is non-negligible). However, the encryption oracle draws fresh randomness uniformly and independently, so the probability that it reuses the randomness of the challenge query is negligible. Hence giving the adversary access to the encryption oracle has negligible effect on the above proof of IND security, and the QBE scheme is IND-CPA-secure. ∎
Remark 2
In the proof of Theorem 6, the distinguisher accesses the oracles of the PRFs (or truly random functions) classically. The PRFs are therefore not required to have quantum security: PRFs with standard security suffice for the IND security of the QBE scheme.
Corollary 3.6.7 in Ref. [29] shows that the existence of one-way functions implies the existence of PRFs. Zhandry [24] proved that if PRFs exist then there exist sPRFs that are not qPRFs. Thus, by Theorem 6, IND-CPA-secure QBE reduces to the existence of one-way functions: if one-way functions exist, then IND-CPA-secure QBE schemes exist as well.
Definition 9
A function is a pairwise independent sPRF if the two probability distributions and are QPT-indistinguishable, where is uniformly distributed over and is a truly random function in . That is,
[TABLE]
where is negligible and is any QPT adversary. accesses the two functions with two independent inputs (the two inputs may be the same or different).
If is a pairwise independent PRF, let ; then a QBE scheme can be constructed via encryption.
Construction 4: Given a pairwise independent PRF , an insecure QBE scheme can be constructed following Constructions 1 and 2. Then a secure QBE scheme can be constructed as follows.
- : , , output ;
- : , , , output ;
- : , , , output .
Theorem 7
If is a pairwise independent PRF and has standard security, then in Construction 4 is an IND-CPA-secure QBE scheme.
Proof:
The proof is similar to Theorem 6. Definition 9 is used in the proof. The details are omitted. ∎
III-D Perfectly secure case
In Section III-C, the QBE scheme in Construction 3 has been proved to be IND-CPA-secure. Next we show the QBE scheme can achieve higher security in a particular case.
It is well known that BE cannot achieve the same security as OTP in classical cryptography. However, based on quantum mechanics, there may be an important breakthrough – QBE can achieve the same security as QOTP. Next we show that the QBE scheme can achieve perfect security in a certain special case.
Theorem 8
Given two independent sPRFs , where , if for any fixed both and are permutations, then in Construction 3 is a perfectly secure QBE scheme.
Notice that Theorem 10 proves a special case of the scheme in Theorem 6 with only one additional restriction on the functions , so the reusability of the key is not affected. We have presented a strict proof that, with this additional restriction, the security is enhanced and achieves the same level as QOTP.
Proof:
From Theorem 6, in Construction 3 is an IND-CPA-secure QBE scheme. Next we prove that it achieves perfect security if and are permutations.
Suppose a block of quantum plaintext has qubits, and its density operator can be written as a matrix with trace . The set of all matrices is an inner product space if we define the inner product as , where and are matrices. Then the set is a complete orthogonal basis. Thus the density operator can be expressed as , where . According to the QBE scheme , the quantum plaintext is encrypted with the keys as follows.
[TABLE]
The keys are unknown to the adversary, and every is used with identical probability. Thus, from the aspect of the adversary, the quantum ciphertext should be represented as an equal mixture of the quantum plaintext encrypted under all possible keys with uniform probability
[TABLE]
Using the following three equations
[TABLE]
one can conclude that
[TABLE]
If and are permutations, then
[TABLE]
where the function $\delta_{x,y}=\begin{cases}1,& x=y;\\ 0,& \text{otherwise.}\end{cases}$ Using Equations (16)(17), it can be deduced that
[TABLE]
The facts and are used in the above deduction. are randomly chosen and are independent of the plaintext. Then the adversary can obtain nothing from the quantum ciphertext . Thus the QBE scheme has perfect security. ∎
Because the perfectly secure QBE scheme is just a special case of the constructions in the previous sections, the related results and discussions in Section III-C also apply to the perfectly secure QBE scheme. So the keys are reusable, and reusing them does not decrease the security. If the randomness is reused, however, the security decreases.
Notice that the key can be reused but the randomness cannot. The randomness has exponentially many different choices, so a -bit key can be used in an exponential number of encryptions, with the randomness refreshed in each encryption. Thus a -bit key can perfectly encrypt qubits, and the perfect secrecy is not broken as long as the -bit key is reused only an exponential number of times.
Remark 3
In Theorem 8, the functions should satisfy two conditions: (1) they are independent sPRFs; (2) for any fixed , both and are permutations. We argue that cannot be a perfectly secure QBE scheme if condition (1) does not hold. For example, let and ; then both and are permutations, so . Because are public, the encryption is equivalent to . Thus the keys cannot be reused, and is not a QBE scheme.
Remark 4
In Theorem 8, the sPRF (or ) is required to satisfy that, for any fixed , the function (or ) is a permutation on the key space . In fact, a good candidate is the GGM-PRF [34] construction , where are pseudorandom permutations from to .
Next, we give a detailed comparison between our scheme and QOTP, especially their relations and differences.
- (1) For QOTP (see Ref.[4]), when encrypting qubits, an unused -bit key must be used in each encryption, and a used key may be chosen again with probability if the key is chosen at random. In our scheme the key can be reused, but a -bit randomness must be sampled, and a used randomness may be chosen again with probability .
- (2) In QOTP, the key can be used only once and no randomness is used. In our scheme, the key can be reused, and only a -bit randomness needs to be chosen in each encryption. Because the randomness can be chosen from exponentially many candidates, our scheme can be viewed as an exponential number of -qubit QOTP encryptions under the same key.
- (3) In the -qubit QOTP, the key has bits, where can be an arbitrary value; that is, the length of the key is variable. In our scheme, the randomness has bits, where the value depends on the length of the key.
- (4) In QOTP, a -bit key can perfectly encrypt qubits. In our scheme, a -bit key can perfectly encrypt qubits, since the scheme is not perfectly secure once the randomness is reused.
- (5) Our scheme can be implemented using Pauli and gates, numbering at most ( is the length of one block); QOTP can be implemented using the Pauli gate and gate, numbering at most . Thus the QBE scheme has nearly the same difficulty and complexity as QOTP from the aspect of physical implementation.
- (6) QOTP can be completely replaced with our scheme. Currently, QOTP is used as a basic quantum primitive in various cryptographic protocols and algorithms [1, 2, 3, 14, 18]. If the QOTP in these protocols or algorithms is replaced with the perfectly secure QBE scheme, optimized schemes could be obtained.
III-E Multiple-message encryption
Given a classical BE scheme, if it is IND-CPA-secure for single-message encryption, then it is also IND-CPA-secure for multiple-message encryption. However, this is not the case for a QBE scheme: a QBE scheme that is secure for single-message encryption may be insecure for multiple-message encryption.
In this section, we show that the perfectly secure QBE scheme is not perfectly secure in multiple-message encryption. However, the multiple-message encryption would be perfectly secure if the QBE scheme is applied in the operation mode “encrypt-decrypt-confirm”: Alice encrypts one block of message and sends it to Bob; after receiving Alice’s block of ciphertext, Bob decrypts it; next, Bob confirms publicly that he has decrypted the ciphertext; then Alice and Bob start the next round of encrypted communication.
Given blocks of messages , from the aspect of the adversary, the multiple-message encryption outputs
[TABLE]
where the randomness is used in the encryption of the th block of messages.
In general, Equation (19) is not equal to the following equation
[TABLE]
The result in the proof of Theorem 8 no longer holds. Thus, from the aspect of the adversary, the ciphertext of the blocks of messages is not equal to
[TABLE]
Thus, the perfectly secure QBE scheme is not perfectly secure in multiple-message encryption. If it works in the operation mode “encrypt-decrypt-confirm”, then the encryptions of the different blocks are independent, and it remains perfectly secure for every single-message encryption.
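Both arguments, the key-average step behind Theorem 8 in Section III-D and the loss of joint perfect secrecy across blocks in this section, can be checked numerically for a one-qubit block. The NumPy script below is an added example and not code from the paper. It assumes that the scheme's quantum layer is the X^a Z^b pad of Ref.[4], with the bits a and b derived from two independent keys through functions of the public randomness r; the functions f_perm, g_perm and f_const are constructed toy stand-ins for the sPRFs (small enough to enumerate every key), not the GGM-based candidate of Remark 4.

```python
import numpy as np

# Single-qubit Pauli layer. Assumption: the scheme's quantum layer is the
# X^a Z^b one-time pad of Ref.[4], with the bits a, b derived from the keys.
I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)


def pauli(a: int, b: int) -> np.ndarray:
    """Return X^a Z^b for a, b in {0, 1}."""
    return np.linalg.matrix_power(X, a) @ np.linalg.matrix_power(Z, b)


def encrypt_block(rho: np.ndarray, a: int, b: int) -> np.ndarray:
    """Encrypt a one-qubit block: rho -> P rho P^dagger with P = X^a Z^b."""
    P = pauli(a, b)
    return P @ rho @ P.conj().T


# Toy key-derivation functions (constructed stand-ins for the two sPRFs of
# Construction 3; they are NOT pseudorandom, only small enough to enumerate).
# Keys k1, k2 in {0, 1}; public randomness r in {0, 1, 2, 3}.
def f_perm(k: int, r: int) -> int:
    """k XOR h(r): for every fixed r a permutation of the key space (Theorem 8's condition)."""
    return k ^ ((r >> 1) & 1)


def g_perm(k: int, r: int) -> int:
    """Second, independent function with the same permutation property."""
    return k ^ (r & 1)


def f_const(k: int, r: int) -> int:
    """Ignores the key entirely, so for fixed r it is NOT a permutation of the key space."""
    return r & 1


def key_average(rho, f, g, r):
    """Ciphertext as seen by an adversary who knows r but not (k1, k2):
    the uniform mixture of the block encrypted under every key."""
    acc = np.zeros_like(rho)
    for k1 in (0, 1):
        for k2 in (0, 1):
            acc += encrypt_block(rho, f(k1, r), g(k2, r))
    return acc / 4


def joint_two_blocks(rho1, rho2, f, g, r1, r2):
    """Two blocks encrypted under the SAME keys with fresh randomness r1, r2
    (Section III-E): the key average is taken over the joint state, not per block."""
    acc = np.zeros((4, 4), dtype=complex)
    for k1 in (0, 1):
        for k2 in (0, 1):
            c1 = encrypt_block(rho1, f(k1, r1), g(k2, r1))
            c2 = encrypt_block(rho2, f(k1, r2), g(k2, r2))
            acc += np.kron(c1, c2)
    return acc / 4


def partial_trace_first(rho4):
    """Trace out the first qubit of a two-qubit density matrix."""
    return np.trace(rho4.reshape(2, 2, 2, 2), axis1=0, axis2=2)


def partial_trace_second(rho4):
    """Trace out the second qubit of a two-qubit density matrix."""
    return np.trace(rho4.reshape(2, 2, 2, 2), axis1=1, axis2=3)


def is_maximally_mixed(rho) -> bool:
    d = rho.shape[0]
    return bool(np.allclose(rho, np.eye(d) / d))


# Constructed sample plaintexts: |0> and |+>.
KET0 = np.array([[1], [0]], dtype=complex)
PLUS = np.array([[1], [1]], dtype=complex) / np.sqrt(2)
RHO0 = KET0 @ KET0.conj().T
RHO_PLUS = PLUS @ PLUS.conj().T

if __name__ == "__main__":
    for r in range(4):
        assert is_maximally_mixed(key_average(RHO_PLUS, f_perm, g_perm, r))
    print("permutation condition: single block averages to I/2 for every r")
    print("non-permutation f, |0> plaintext, I/2:",
          is_maximally_mixed(key_average(RHO0, f_const, g_perm, 0)))
    J = joint_two_blocks(RHO0, RHO0, f_perm, g_perm, 0, 2)
    print("joint state of two blocks is I/4:", is_maximally_mixed(J))
    print("each single-block marginal is I/2:",
          is_maximally_mixed(partial_trace_first(J)),
          is_maximally_mixed(partial_trace_second(J)))
```

With the permutation property, ranging over all keys makes (a, b) range uniformly over all four Paulis, so the key average is the maximally mixed state for any plaintext; with f_const the state |0> is returned unchanged, which is exactly the failure Theorem 8's extra condition rules out. For two blocks under the same keys the joint average is a classically correlated state rather than I/4, even though each marginal is I/2, matching the claim that single-message perfect secrecy survives while multiple-message perfect secrecy does not.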
IV Conclusions and discussions
The encryption has been described and used in the construction of the QBE scheme. Firstly, we showed how to construct an insecure QBE scheme based on a PRF. Then, we proposed a secure construction from two insecure QBE schemes according to encryption. It is shown that the QBE scheme is IND-CPA-secure if there exist PRFs with standard security. Finally, we showed that the QBE scheme can have the same security as QOTP when the PRFs satisfy an additional condition.
As is well known, “QKD+OTP” can perfectly encrypt classical messages in theory, and there are many applications in practice. However, a lot of interaction and communication is necessary, which decreases the efficiency. Actually, the QBE scheme can also be used to encrypt classical messages. For example, the classical message can be viewed as a quantum state , and each bit is encrypted to a qubit , which belongs to the set . Then, when encrypting classical messages, we can use a perfectly secure QBE scheme. Because no interaction is needed in the QBE scheme, it would be more efficient than “QKD+OTP”, and is a potential replacement for “QKD+OTP” in the future. Theoretically, a -bit key can perfectly encrypt classical bits.
For perfect secrecy, Ref.[31] gave a strict mathematical proof that the key must be at least as long as the plaintext. In Section III-D, we have shown that the BE scheme based on quantum mechanics can break this limitation of perfectly secure encryption. In QOTP, a -bit key is necessary to perfectly encrypt qubits. However, in the QBE scheme, the -bit key can be reused and fresh randomness is used to encrypt another qubits; thus a -bit key can be used to perfectly encrypt qubits.
encryption is a kind of generic transformation used for the construction of quantum encryption schemes. It can convert a classical encryption scheme or an insecure quantum encryption scheme into a secure quantum encryption scheme. The QBE scheme constructed based on encryption can be seen as an extension of the classical BE scheme, and it is also suitable for the encryption of classical messages. Thus, encryption has established a direct connection between the quantum and classical BE schemes.
Finally, two problems are left for future research.
- Construct more cryptographic schemes in the -like way. It is proved that the Wegman-Carter MAC is insecure when authenticating quantum messages [32]; however, it can be converted into a secure QMA scheme in the pattern [17]. In addition, our results show that encryption can convert an insecure QBE scheme into a secure QBE scheme. Is there any other quantum cryptographic scheme that can be constructed in the -like way?
- Replace the QOTP with the QBE in those QOTP-based (encryption, authentication or other) schemes. QOTP has been used as an important building block in many quantum schemes. Because the perfectly secure QBE scheme in Section III-D has many advantages, we could replace the QOTP with the QBE and expect an obvious optimization, for example, recycling all the keys of the scheme in Ref.[18] or lifting weak authentication to total authentication [17].
Acknowledgment
This work was supported by the National Natural Science Foundation of China (Grant No. 61672517), and National Cryptography Development Fund (Grant No. MMJJ20170108).
- [1] Dupuis, F., Nielsen, J.B., Salvail, L.: Actively secure two-party evaluation of any quantum operation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 794–811. Springer, Heidelberg (2012)
- [2] Aharonov, D., Ben-Or, M., Eban, E.: Interactive proofs for quantum computations. In: Proceedings of Innovations in Computer Science, ICS 2010, pp. 453–469. Tsinghua University Press (2010)
- [3] Barnum, H., Crepeau, C., Gottesman, D., Smith, A., Tapp, A.: Authentication of quantum messages. In: Proceedings of the 43rd Symposium on Foundations of Computer Science, FOCS 2002, pp. 449–458. IEEE (2002)
- [4] Boykin, P., Roychowdhury, V.: Optimal Encryption of Quantum Bits. Phys. Rev. A 67(4), 42317 (2003)
- [5] Boykin, P.: Information security and quantum mechanics: security of quantum protocols. Dissertation for the Doctoral Degree. University of California, Los Angeles (2002)
- [6] Ambainis, A., Mosca, M., Tapp, A., De Wolf, R.: Private quantum channels. In: 41st IEEE FOCS, pp. 547–553 (2000)
- [7] Leung, D.: Quantum Vernam cipher. Quantum Inf. Comput. 2(1), 14–34 (2002)
- [8] Oppenheim, J., Horodecki, M.: How to reuse a one-time pad and other notes on authentication, encryption, and protection of quantum information. Phys. Rev. A 72, 042309 (2005)
