Uncloneable Cryptographic Primitives with Interaction
Anne Broadbent
University of Ottawa, Department of Mathematics and Statistics
Eric Culf
University of Waterloo, Institute for Quantum Computing and Faculty of Mathematics
Abstract
Much of the strength of quantum cryptography may be attributed to the no-cloning property of quantum information. We construct three new cryptographic primitives whose security is based on uncloneability, and that have in common that their security can be established via a novel monogamy-of-entanglement (MoE) property:
- We define interactive uncloneable encryption, a version of the uncloneable encryption defined by Broadbent and Lord [TQC 2020] where the receiver must partake in an interaction with the sender in order to decrypt the ciphertext. We provide a one-round construction that is secure in the information-theoretic setting, in the sense that no other receiver may learn the message even if she eavesdrops on all the interactions.
- We provide a way to make a bit string commitment scheme uncloneable. The scheme is augmented with a check step chronologically in between the commit and open steps, where an honest sender verifies that the commitment may not be opened by an eavesdropper, even if the receiver is malicious. Our construction preserves the assumptions of the original commitment while requiring only a polynomial decrease in the length of the committed string.
- We construct a receiver-independent quantum key distribution (QKD) scheme, which strengthens the notion of one-sided device independent QKD of Tomamichel, Fehr, Kaniewski, and Wehner (TFKW) [NJP 2013] by also permitting the receiver’s classical device to be untrusted. Explicitly, the sender remains fully trusted while only the receiver’s communication is trusted. We provide a construction that achieves the same asymptotic error tolerance as the scheme of TFKW.
To show security, we prove an extension of the MoE property of coset states introduced by Coladangelo, Liu, Liu, and Zhandry [Crypto 2021]. In our stronger version, the player Charlie also receives Bob’s answer prior to making his guess, thus simulating a party who eavesdrops on an interaction. To make use of this property, we express it as a new type of entropic uncertainty relation which arises naturally from the structure of the underlying MoE game.
1 Introduction
An important feature of quantum information is the no-cloning principle — the property that an arbitrary quantum state cannot be perfectly copied, unlike a classical string [Par70, WZ82, Die82]. This idea underpins many of the unique constructions in quantum cryptography [BS16], beginning with quantum money [Wie83] and quantum key distribution (QKD) [BB84]. In this work, we give three new constructions of cryptographic primitives that, at the intuitive level, make use of uncloneability: uncloneable encryption with interactive decryption, uncloneable bit commitment, and receiver-independent QKD. An important consequence of the uncloneability is that none of these primitives can be secure classically — in fact, as classical information can always be copied, the security is clearly unachievable.
In order to prove security of these primitives and formally reason about their “uncloneability,” we show a strengthened form of the subspace coset state monogamy-of-entanglement (MoE) property [CLLZ21, CV22], which is a bound on the winning probability of an MoE game built using subspace coset states. MoE games are used to quantify the strength of quantum tripartite correlations. They belong to the family of extended nonlocal games [JMRW16], which generalise nonlocal games, but are highly distinct from them. The MoE game paradigm, introduced in [TFKW13], has recently been used in various uncloneability-related cryptographic constructions [BL20, BC23, CLLZ21]. An MoE game is played between two cooperating players, Bob and Charlie, and an honest referee, Alice, all of whom may hold a quantum system. The subspace coset MoE game (called the strong monogamy game in [CLLZ21]), proceeds as follows. First, Alice samples a subspace of dimension of the space of -bit strings , and strings uniformly at random, and prepares the coset state (we use lowercase rather than uppercase letters for subspaces as we aim to reserve the uppercase letters for registers and random variables)
[TABLE]
She sends this state to Bob and Charlie, who may do arbitrary actions to split the state between their two systems, after which they are isolated. (Note that the splitting operation is represented by an arbitrary quantum channel, chosen by Bob and Charlie. It is not necessarily something simple like a bipartition of the qubits.) Next, Alice provides them with a description of . In order to win, Bob must provide a vector from the coset and Charlie must provide one from , where is the orthogonal complement of . This game was shown in [CV22] to have an exponentially small winning probability in . We strengthen the relation by showing that the same bound holds on a version of the game that is easier to win — Bob’s answer, whether or not it is correct, leaks to Charlie before he makes his guess. In this way, we are able to see the information that Charlie gets as messages sent during an interaction between Alice and Bob, on which he eavesdrops. We refer to this bound on the winning probability as the *leaky* monogamy-of-entanglement property.
1.1 Uncloneable encryption with interactive decryption
We introduce, study, and construct a variant of uncloneable encryption that allows for an interaction during the decryption process. Uncloneable encryption as is currently understood was introduced in [BL20], building on earlier concepts such as the tamper-evident encryption of [Got03] and the MoE games of [TFKW13]. In its most general form, an uncloneable encryption scheme provides a way to encrypt messages in such a way that they cannot be simultaneously read by two malicious parties, Bob and Charlie, under the assumption that they are isolated once the encryption key is released. To the best of our knowledge, it is unknown whether this is achievable in the plain model, even if we allow computational assumptions. Uncloneable encryption schemes in the quantum random oracle model (QROM) have been studied [BL20] and provide nearly optimal security. Other computational assumptions have been considered: under the assumption of post-quantum one-way functions, [AK21] show that it is possible to turn an uncloneable encryption scheme into one with semantic security; and under the assumption of a post-quantum public key encryption scheme, they show how to turn the scheme into a public-key uncloneable encryption scheme. Since all these rely on the existence of uncloneable encryption, a key open question remains concerning the existence of an “uncloneable bit” — an optimal uncloneable encryption scheme in the plain model that encrypts one-bit message. This is a fundamental object as any uncloneable encryption scheme implies an uncloneable bit [BL20, Theorem 9]. We work with a simple communication assumption rather than a computational assumption in order to instantiate a new form of uncloneable encryption.
Originally, the encryption was represented by a quantum encryption of classical messages (QECM), a protocol that encrypts classical messages as quantum ciphertexts, which can be decrypted using only the classical encryption key [BL20]. A QECM scheme is uncloneable if two receivers receive a ciphertext, split it arbitrarily, and only get the key once they are isolated, then they can simultaneously learn the message with at best near-trivial probability. We extend the original non-interactive setting of [BL20] by allowing interaction in the decryption phase. We call this model quantum encryption of classical messages with interactive decryption (QECM-ID). To adapt uncloneability to a QECM-ID scheme, we again have two receivers, whom we call Bob and Eve, who split a ciphertext. To decrypt, Bob initiates an interaction with Alice. Only after this point does Bob need to be seen as the intended recipient of the message. To avoid the trivial attack where Bob simply gives the decrypted message to Eve, they may not communicate directly during the interaction step — nevertheless, Eve may eavesdrop on the communication between Alice and Bob. We therefore say that the encryption is uncloneable if, for any actions Bob and Eve take, the probability that Eve guesses the message correctly once the interaction finishes and the decryption protocol does not abort is near-trivial.
We also adapt uncloneable-indistinguishable security, which is meant to represent an uncloneability version of chosen-plaintext attack (CPA) security. For a QECM, this is the property that Bob and Eve cannot simultaneously distinguish the encryption of a chosen message distribution from a fixed message [BL20]. To adapt this to a QECM-ID, we say that it is uncloneable-indistinguishable secure if, after the decryption interaction, the probability that, simultaneously, Alice accepts the decryption and Eve distinguishes a chosen message distribution from a fixed message is near trivial, i.e. half the probability of accepting. Intuitively, the condition that Bob guesses correctly is replaced with the condition that Alice accepts the decryption in order to adapt the definition to a QECM-ID.
Finally, we show that there is an equivalence between uncloneable and uncloneable-indistinguishable security for QECM-IDs. This extends the result, shown in [BL20], that uncloneable security implies uncloneable-indistinguishable security for QECMs. Further, the equivalence generalises an important property of classical encryption. To the best of our knowledge, it is unknown whether both implications hold for QECMs.
Proof technique.
To instantiate an uncloneable QECM-ID, we make use of the leaky MoE property. Alice, to encrypt her message , uses as a key a subspace , strings and , and a key for a quantum-proof strong extractor . She sends the pair as the ciphertext. The MoE property implies that, if Bob is able to provide to Alice, then with high probability Eve is unable to guess correctly, even if she learns . Hence, Alice can use the interaction to check whether Bob knows . If this succeeds, then is secure against Eve with high probability, so Alice sends the remainder of the key to Bob. With this, our construction satisfies both forms of uncloneable security, with tighter bounds than the equivalence between the properties implies.
1.2 Uncloneable bit commitment
In bit string commitment, a sender Alice commits to a string that a receiver Bob can only access when she chooses. Ideally, the commitment should be hiding, in the sense that Bob cannot learn the string Alice has committed until she chooses to reveal, and binding, in the sense that Alice must reveal the same string to which she had committed. Without additional assumptions, bit commitment is impossible [May96, LC97, BS16], but there are a variety of models in which it was shown to exist. For example, under classical computational assumptions [Cha87, Nao91] (see also [Cré11]) or in the noisy quantum storage model [KWW12]. However, a problem underlying many classically-defined cryptographic primitives is that they are inherently cloneable; if an eavesdropper Eve is able to eavesdrop on the communications between Alice and Bob, she may be able to produce a transcript of their interactions and hence learn the final string whenever it is revealed. This is the case for bit commitment: in fact, the reveal step is usually represented as a public broadcast with no indication of security against an eavesdropper. We remedy this with a method to make a bit string commitment scheme uncloneable.
We define an uncloneable bit string commitment scheme as a commitment scheme with an additional check step in between the commit and reveal steps, where Alice verifies whether an eavesdropper has attempted to clone the commitment. If the commitment passes this check, then an honest Alice can be sure that only Bob will be able to open it during the reveal phase, despite a lack of prior agreement between them. Bob may even be malicious: the only restriction needed on him is that he does not communicate directly to Eve after the check. With this in mind, the point in time when Alice chooses to undertake the check allows it to be run under varying assumptions. In particular, Alice may check immediately after committing, which means that no honest party needs to store any quantum information, but Alice needs to be sure that Bob does not communicate privately with Eve at any point after committing. This is more feasible for near-term quantum devices, but requires that Bob not communicate information to Eve for a period of time between steps. On the other hand, if Alice waits until immediately before revealing to do the check, she may assume that Bob and Eve have arbitrary communication after committing. The drawback is that Bob must store a quantum state even if he is honest.
Proof technique.
We use the leaky MoE property to provide a way to turn a commitment scheme into an uncloneable commitment of the above form, which works under the same assumptions as the original commitment. We assume that this is a randomised commitment scheme, where Alice commits to a uniformly random string; this form of commitment is equivalent to the standard one where Alice chooses the string to commit [KWW12]. In order to commit to the random string , where is a quantum-proof strong extractor, Alice commits to using the original commitment and sends a coset state to Bob. Because Bob does not know , he has no information about and has not been revealed, so the commitment is hiding. Next, to check for cloning, Alice sends to Bob and verifies that he can measure . Due to the leaky MoE property, this implies that Eve is only able to guess with low probability. Finally, to reveal, Alice reveals and Bob queries Alice for some information about to make sure that their values are consistent, making the scheme binding. With a good choice of strong extractor, this causes only a polynomial decrease in the length of the committed string and an exponentially small change in the binding parameter.
1.3 Receiver-independent QKD
Quantum key distribution (QKD), introduced by Bennett and Brassard [BB84], is a foundationally important quantum cryptographic primitive. In its most basic form, it allows an honest sender, Alice, to share a secret key with an honest receiver, Bob, over a public channel without an eavesdropper Eve learning the key. Many variants of QKD that require only weaker assumptions on the honest parties have been proposed. In particular, device-independent protocols, initiated by Ekert [Eke91], seek to allow QKD with few, if any, assumptions on the behaviour of Alice and Bob’s devices. One-sided device-independent QKD, shown to be secure against any eavesdropper in [TFKW13], allows Bob’s quantum device to be fully untrusted, relying on a monogamy-of-entanglement game winning probability bound for security; and fully device-independent QKD, shown by Vazirani and Vidick [VV14], allows both Alice and Bob’s quantum devices to be untrusted, with security coming from the rigidity of a nonlocal game. These varying assumptions allow implementations of QKD to balance practicality and security, depending on available resources.
We show security of QKD in a model extending the one-sided device-independent model, which we call receiver-independent QKD. In this model, Alice’s quantum device remains fully trusted, but neither Bob’s quantum nor his classical device is trusted. However, we require that Bob’s communication be trusted: if Bob’s communication were not trusted, any QKD scheme would be susceptible to the trivial attack where Bob sends his final key to Eve. In this way, this model can be seen as the minimal assumption on the receiver, hence warranting the name “receiver-independent”.
Receiver-independent QKD schemes are distinct in a number of ways. First, since any computation Bob might want to make is inherently untrusted, he cannot be trusted to check any property of the shared state. As such, only Alice may be given the power to abort the protocol. In this way, the interactions between Alice and Bob take the form of a sequence of challenges and responses. Also, the idea of correctness must be altered to account for the fact that Bob’s classical computations are untrusted. This is because it is not possible to be certain that Bob has access to the final key, but it is possible to be sure that his device can compute it.
Proof technique.
We construct a receiver-independent QKD scheme using coset states, and show its security using an error-robust generalisation of the leaky MoE property. Alice sends a coset state to Bob. To verify that Eve does not have , Alice asks Bob to provide , acting as the parameter estimation step. If he is able to, with only small error, then Alice issues challenges to Bob that allow her to correct her to match the guess Bob’s device claims to have, and then verify this match, which act as the error correction and information reconciliation steps, respectively. Finally, for privacy amplification, Alice acts on her corrected raw key with a quantum-proof strong extractor and instructs Bob to do the same. It is worth noting that our use of an entropic uncertainty relation, as introduced in Section 1.4 below, brings the security proof intuitively closer to earlier proofs of QKD security, as in [Ren05], than the proof of [TFKW13], which works more directly with an MoE game.
1.4 Main technique: MoE entropic uncertainty relations
Entropic uncertainty relations, and earlier uncertainty relations beginning with [Hei27], have played a foundational role in quantum information [WW10]. Tomamichel, Fehr, Kaniewski, and Wehner show an entropic uncertainty relation in the same scenario as their MoE game [TFKW13]. We provide an entropic uncertainty relation that arises naturally from the scenario of the leaky subspace coset MoE game, allowing us to work with the full strength of the MoE property in an entropy setting.
To show our relation, we generalise the min-entropy of guessing to a novel property that we refer to as the sequential min-entropy, , which represents the uncertainty of guessing knowing , followed by guessing knowing , on the same state. For any measurement on used to guess , this decomposes as the entropic uncertainty relation
[TABLE]
where is the state conditioned on the guess of being correct. A notable distinction between such an entropic uncertainty and a more standard relation is that the states on the two terms are different, although closely related. The winning probability of the leaky MoE game can directly be expressed using a sequential entropy as , where is the state such that and hold two copies of the subspace , and hold the coset representatives , and and hold Bob and Charlie’s quantum systems once they are isolated. Hence, the leaky MoE property provides the entropic uncertainty relation
[TABLE]
This may be compared to the MoE game-based entropic uncertainty relation that was studied in [TFKW13], , where is any quantum state with , is the result of measuring in a uniformly random Wiesner basis of states , and is the description of the basis. The relation is found in the same way as their bound on the winning probability of their MoE game, but is strictly weaker than that bound, since it only considers entropies with respect to the same state. This makes it too weak to provide security of cryptographic primitives such as QKD. In fact, even in the case of the subspace coset MoE game, we similarly have
[TABLE]
using the same simple attack: half the time, Bob takes the whole state, and the other half of the time, Charlie takes the whole state.
In order to extend the use of the leaky MoE property and associated entropic uncertainty relation to scenarios where errors should be accounted for, such as QKD, we adapt the MoE game to allow for errors. That is, we show a bound on the winning probability of a robust generalisation of the leaky MoE game where Bob and Charlie’s answers are considered to be correct even if some small number of bits are wrong. The important case for QKD is where Bob is allowed to guess incorrectly up to relative error but Charlie, who represents the eavesdropper, must still answer perfectly. For small enough error, the winning probability remains exponentially small in . We can also handle this probability of approximate guessing as an entropic uncertainty relation, by representing the “entropy of approximate guessing” as an entropy of exact guessing on a modified state. Explicitly, the relation takes the now-familiar form
[TABLE]
where is the state modified to account for the error bit flips $\sigma=\mathbb{E}_{|u|\leq\gamma n/2}\,X_{T}^{u}\rho X_{T}^{u}$.
1.5 Further related work
The no-cloning property is found in a wide and growing range of cryptographic applications, such as tamper-detection [Got03], copy-protection [Aar09, CMP20], certified deletion [BI20], secure software leasing [ALP21, BJL+21], and uncloneable decryption [CLLZ21].
The coset states we study act as a generalisation of subspace states — uniform superpositions of the elements of a subspace — introduced in the context of quantum money by Aaronson and Christiano [AC12]. Rather than using the properties of subspaces, it is possible to see the generalisation to coset states as subspace states encrypted with a quantum one time pad . Coset states under this definition have been studied in the context of proofs of knowledge by Vidick and Zhang [VZ21].
Though inspired by uncloneable encryption of [BL20], uncloneable encryption using a QECM-ID also bears comparison to tamper-evident encryption, introduced by Gottesman [Got03] (under the name uncloneable encryption). This is a scheme where an honest receiver can verify, during decryption, whether an eavesdropper had attempted to clone an encrypted message. We emphasize that [Got03] requires both an honest sender and receiver and that our techniques are fundamentally different since they are resilient to a dishonest receiver.
Finally, the recent work of Kundu and Tan [KT22] provides an alternate extension of the uncloneable encryption paradigm. They consider the case where, for each encryption key, there are multiple decryption keys. They give a construction of an encryption scheme that is uncloneable as long as the attackers receive independently generated keys. Similarly to the interaction in our model, an assumption on the communication during the decryption is used to guarantee uncloneability. Also, their results consider noise on the devices, similarly to what we are concerned with in the robust version of the game used for receiver-independent QKD; arbitrary small leakage of information between Bob and Charlie’s devices, contrasting with our fixed but large leakage of Bob’s measurement result; and full device-independence, which requires an interactive encryption
1.6 Acknowledgements
This work was supported by the Air Force Office of Scientific Research under award number FA9550-20-1-0375, Canada’s NSERC, and the University of Ottawa’s Research Chairs program.
1.7 Outline
In Section 2, we introduce our notation and the relevant basic technical facts. In Section 3, we introduce and analyse the monogamy-of-entanglement game we study, as well as the related entropic uncertainty relation. In Sections 4, 5 and 6 we define and study the primitives of interactive uncloneable encryption, uncloneable bit commitment, and receiver-independent QKD, respectively. In Section 6, we also study the robust version of the MoE game. The MoE properties are given as Theorem 3.2 and Theorem 6.2, and their expressions as entropic uncertainty relations as Corollary 3.7 and Corollary 6.5.
2 Preliminaries
In this section, we introduce the notation and recall the technical facts we use in this paper. In Section 2.1, we go over the basics of quantum information and probability that we need; in Section 2.2, we discuss subspaces of vector spaces of bit strings and recall the definition of subspace coset states; and in Section 2.3, we note the definitions of conditional min-entropy and strong extractors.
2.1 Registers and states
A register is a set that represents the classical states of a physical system. Note that we may have distinct registers with the same underlying set of states. We represent registers by uppercase Latin letters and classical states from the register by the corresponding lowercase letter. For registers and , write the compound register , representing the states of both systems. A register is a subregister of if is a compound register with as a factor. For a register , define the Hilbert space as the -dimensional space spanned by the orthonormal basis called the register basis. The pure quantum states on are given by the unit vectors of , up to phase. We implicitly make use of the isomorphism .
We write the set of linear operators as , and if as ; the set of positive semidefinite operators on as , and when is evident, write for ; and the set of density operators , representing the mixed quantum states. An operator is a subnormalised state if . The definitions below for mixed states extend directly to subnormalised states. Write for the identity operator, and for the identity channel. For , write . A state is classical if it is diagonal in the register basis: it corresponds to a probability distribution on . As a shorthand, write to represent the density operator of a deterministic classical state. A state is called classical-quantum (cq) or classical on if it can be written for some and . By extension, we say a state is if it is classical on each . We say a register is classical to assume that every state we work with is classical on it. We say that a state is supported on if is a subregister of .
We represent a probability distribution on a register by a function such that . When the probability distribution is implicit, we write the probability of an event as . For any -vector space , we write the expectation value with respect to the distribution as $\mathbb{E}_{x\leftarrow\pi}f(x):=\sum_{x\in X}\pi(x)f(x)$. The classical state corresponding to is written $\mu_{\pi}=\mathbb{E}_{x\leftarrow\pi}[x]\in\mathcal{D}(X)$.
For the uniform distribution, we write the expectation simply $\mathbb{E}_{x\in X}$ and the state . Abusing notation a bit, when we consider a random variable with values in a register , we often refer to the variable as as well.
A linear map is called completely positive if for any register and , . It is trace-preserving if for any , ; and trace non-increasing if . The quantum channels are the completely positive trace-preserving (CPTP) maps — they represent the most general quantum operations. A positive operator-valued measurement (POVM) is a map , where and are registers, such that ; we write . A POVM is a projector-valued measurement (PVM) if for all . We can associate various channels to a measurement. For a POVM , the destructive measurement channel is defined as
[TABLE]
representing the classical outcome of a measurement; and the nondestructive measurement channel defined as
[TABLE]
which represents both the classical outcome and the perturbed quantum state after the measurement. Evidently, . For a state , write . Similarly, if is classical on , for any function , we write . For any cq state and any event — which may be phrased as either a subset or as a relation — write the partial state
[TABLE]
and the conditional state . If the event makes reference to a measurement, e.g. , or a function evaluation, we assume that the measurement or evaluation is undertaken by the nondestructive channel, used to come up with the partial or conditional state, and then the result is forgotten by tracing out. This may perturb registers on which the state is non-classical, so we have to in particular assure ourselves that any two measurements in the same event are compatible.
2.2 Finite vector spaces and subspace coset states
Consider the vector space of bit strings over the finite field . The canonical basis of is the set , where is the string that is at position and [math] elsewhere. For any , we expand in the basis as . The inner product on is defined as . For any subspace , the orthogonal subspace
[TABLE]
This satisfies and , but in general , for example .
A subspace is called a register subspace if it may be expressed as for some [JNV*+*21]. For a register subspace, we have that , and therefore that . In this case, we get the canonical isomorphisms and . We can easily express any register subspace by an indicator vector defined by if and only if .
The space can be seen as a register, giving the Hilbert space .
**Definition 2.1** ([CLLZ21, VZ21]).
Let be a subspace. Given , the subspace coset state
[TABLE]
If and , we have that is equal to up to global phase. To make use of this, for any subspace , we fix a linear map , such that is an isomorphism , and then take, for and , . Then, the coset states are all distinct and form an orthonormal basis of .
If is a register subspace, there is a particularly good choice of map. For with , we take . This allows us to write the subspace coset state in this case as a Wiesner state , where and .
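As an added worked example (not code from the paper), the following Python builds coset states of a register subspace directly from the definition and checks two facts of this section: that, with the canonical labelling (s off the support S, s' on S), they coincide with Wiesner states in the bases given by the indicator vector, and that they form an orthonormal basis. The coset-state definition and the labelling are assumptions stated in the docstring; the brute-force orthogonal complement illustrates that a non-register subspace can meet its own complement.

```python
"""Subspace coset states of F_2^n (Section 2.2) and the Wiesner-state form
they take for register subspaces.  Added example, not code from the paper.
Assumed (standard) definition: |A_{s,s'}> = |A|^{-1/2} sum_{a in A}
(-1)^{<a,s'>} |a+s>; a register subspace A = span{e_i : i in S} is given
by its indicator vector theta (theta_i = 1 iff i in S).  Pure Python."""
from itertools import product
from math import sqrt

def inner(x, y):
    """Inner product <x,y> = sum_i x_i y_i over F_2 on bit tuples."""
    return sum(a & b for a, b in zip(x, y)) % 2

def add(x, y):
    """Vector addition in F_2^n, i.e. bitwise XOR."""
    return tuple(a ^ b for a, b in zip(x, y))

def index(x):
    """Computational-basis index of |x>, first bit most significant."""
    i = 0
    for b in x:
        i = (i << 1) | b
    return i

def register_subspace(theta):
    """All 2^|S| vectors of span{e_i : theta_i = 1}."""
    pos = [i for i, t in enumerate(theta) if t]
    vecs = []
    for bits in product((0, 1), repeat=len(pos)):
        v = [0] * len(theta)
        for i, b in zip(pos, bits):
            v[i] = b
        vecs.append(tuple(v))
    return vecs

def orthogonal_complement(subspace, n):
    """A^perp = {y : <a,y> = 0 for all a in A}, found by brute force."""
    return [y for y in product((0, 1), repeat=n)
            if all(inner(a, y) == 0 for a in subspace)]

def coset_state(subspace, s, s_prime):
    """Amplitudes of |A_{s,s'}>, built directly from the definition."""
    amp = [0.0] * (1 << len(s))
    norm = 1.0 / sqrt(len(subspace))
    for a in subspace:
        amp[index(add(a, s))] += (-1) ** inner(a, s_prime) * norm
    return amp

def wiesner_state(x, theta):
    """|x> in bases theta: qubit i is |x_i> if theta_i = 0, else H|x_i>."""
    amp = [1.0]
    for xi, ti in zip(x, theta):
        if ti:
            q = [1 / sqrt(2), (-1) ** xi / sqrt(2)]
        else:
            q = [1.0, 0.0] if xi == 0 else [0.0, 1.0]
        amp = [a * b for a in amp for b in q]  # Kronecker product
    return amp

def split_by_indicator(x, theta):
    """Canonical coset labels: s carries x off S, s' carries x on S."""
    s = tuple(0 if t else b for b, t in zip(x, theta))
    s_prime = tuple(b if t else 0 for b, t in zip(x, theta))
    return s, s_prime

def coset_basis(theta):
    """The 2^n coset states of the register subspace given by theta."""
    subspace = register_subspace(theta)
    return [coset_state(subspace, *split_by_indicator(x, theta))
            for x in product((0, 1), repeat=len(theta))]

def is_orthonormal(states, tol=1e-9):
    """True iff the (real) Gram matrix of the states is the identity."""
    for i, u in enumerate(states):
        for j, v in enumerate(states):
            ip = sum(a * b for a, b in zip(u, v))
            if abs(ip - (1.0 if i == j else 0.0)) > tol:
                return False
    return True

def coset_states_are_wiesner(theta, tol=1e-9):
    """Check |A_{s,s'}> equals the Wiesner state of the merged string x."""
    subspace = register_subspace(theta)
    for x in product((0, 1), repeat=len(theta)):
        u = coset_state(subspace, *split_by_indicator(x, theta))
        v = wiesner_state(x, theta)
        if any(abs(a - b) > tol for a, b in zip(u, v)):
            return False
    return True

if __name__ == "__main__":
    theta = (1, 0, 1, 0)  # constructed example: n = 4, A of dimension 2
    print(coset_states_are_wiesner(theta))     # True
    print(is_orthonormal(coset_basis(theta)))  # True
    # span{(1,1)} in F_2^2 is its own orthogonal complement, so A meets A^perp
    print(orthogonal_complement([(0, 0), (1, 1)], 2))  # [(0, 0), (1, 1)]
```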
2.3 Entropy and extractors
Given a state , the conditional min-entropy of given is defined as
[TABLE]
where is the base-two logarithm [Ren05, Tom16]. Qualitatively, this represents the uncertainty on , knowing . If is classical on , this takes on a quantitative meaning: is the maximal probability of guessing when given the register . In the absence of side information, the conditional min-entropy becomes the min-entropy , where the norm here is the operator norm.
We will use strong extractors to go from a condition on the entropy to a near-independence of registers.
**Definition 2.2** ([KT08]).
Let be classical registers. A quantum-proof -strong extractor is a function that satisfies the following property. Let be a subnormalised state, where is a quantum register. If , then
[TABLE]
where .
Here, the norm is the trace norm . Due to [DPVR12], many constructions of extractors exist. Though we will tend to stay general, we give an example of their construction that is useful to keep in mind. For any and , there exists a quantum-proof -strong extractor , where . Of course, for this to be useful, we need that . Nevertheless, it is possible to achieve an exponentially small error for any output length by taking , though this requires the key length to be polynomial in . This example defeats the original purpose of strong extractors, namely to extract a large amount of near-uniform randomness using a small seed, but it is of great use in our cryptographic applications.
3 Novel Coset State Monogamy-of-Entanglement Property
In this section, we introduce and prove the MoE property that we make use of throughout the paper. In Section 3.1, we recall the MoE properties of coset states that are already known. In Section 3.2, we show our new leaky MoE property: the result is given in Theorem 3.2. Finally, in Section 3.3, we show that this MoE property is equivalent to an entropic uncertainty relation, given as Corollary 3.7.
3.1 Weak and strong MoE properties
Let the register and be a set of subspaces of of dimension : we take to either be the set of all register subspaces of dimension or all subspaces of dimension . We consider the following monogamy-of-entanglement game, played between a referee Alice, who holds , and two cooperating players, Bob and Charlie.
1. Alice samples a uniformly random and . She prepares the state and sends it to Bob and Charlie.
2. They act by an arbitrary channel and then are isolated, so that Bob holds and Charlie holds .
3. Alice shares with Bob and Charlie, and they each make guesses of the pair .
4. Bob and Charlie win if their guesses are both correct.
It was shown in [CLLZ21] that the winning probability of this game is sub-exponentially small in . This is called the weak monogamy-of-entanglement property of subspace coset states.
There is also a strong monogamy-of-entanglement property, conjectured in the same work, which constrains the winning probability of a related game. The difference here is that the winning condition is slackened: Bob needs only guess and Charlie needs only guess correctly to win. It was shown in [CV22] that the winning probability of this game is upper-bounded by .
3.2 The leaky MoE property
We exhibit an even stronger version of the MoE properties by showing that the same bound holds on a family of games that can only be easier to win. In the same setting as above, the game proceeds as follows:
1. Alice samples a uniformly random and . She prepares the state and sends it to Bob and Charlie.
2. They act by an arbitrary channel and then are isolated, so that Bob holds and Charlie holds .
3. Alice shares with Bob and Charlie.
4. Bob makes a guess of , which is then given to Charlie; Charlie makes a guess of .
5. Bob and Charlie win if their guesses are both correct.
We call this the -leaky monogamy-of-entanglement game. The scenario is illustrated in Fig. 1. An alternate but equivalent way to play the game, in order to bring it closer to the original form of an MoE game, is to have Alice provide Charlie with the correct value of rather than Bob’s guess. The equivalence can be seen by noting that, in the original interpretation, only the cases when Bob’s guess is correct are relevant to the computation of the winning probability. Next, we formalise the strategies and winning probability of this game.
**Definition 3.1.**
A quantum strategy for the -leaky MoE game is a tuple of the form , where
- and are the registers representing Bob and Charlie's systems, respectively;
- and are POVMs, representing Bob and Charlie's measurements;
- is a quantum channel, representing the splitting operation.
The winning probability of a strategy S is
[TABLE]
The optimal winning probability of the -leaky MoE game is the supremum over all quantum strategies .
Now, we can formally express the leaky MoE property.
**Theorem 3.2.**
Let and be either the collection of register subspaces or the collection of all subspaces of dimension of . Then,
[TABLE]
First, we note that, as in [TFKW13], we need only consider strategies for the -strong MoE game where the measurements and are projective, as any measurement may be made projective by dilating using Naimark’s theorem. Next, we need an important lemma.
**Lemma 3.3** (Lemma 2 in [TFKW13]).
Let for be a collection of positive operators. For any set of mutually orthogonal permutations (permutations such that has a fixed point iff ), we have
[TABLE]
The following technical lemma is the final step of the proof of the theorem.
**Lemma 3.4.**
For any , where .
Proof.
First, note that and
[TABLE]
where is the projector onto . Then,
[TABLE]
since the are orthogonal projectors. Next, by the identity,
[TABLE]
Now, the terms in this sum are Hermitian with orthogonal supports, because provides the orthogonality for different values of , and equal values of , provides it for different values of . Therefore, we can again decompose this norm as the maximum of the norms of each term. Putting this together, we get
[TABLE]
and we complete the proof by noting that
[TABLE]
∎
Now, we can proceed to the proof of Theorem 3.2, which follows the method of the analogous proof in [CV22].
Proof of Theorem 3.2.
First, for any strategy, we upper bound the winning probability by the norm of a related operator. Using the Choi-Jamiołkowski representation of , we see that
[TABLE]
Using the notation of the previous lemma, this is $\mathfrak{w}_{n,A}(\texttt{S})\leq\left\|\mathbb{E}_{a}P^{a}\right\|$. In the case that is the set of all subspaces of dimension , we split the expectation into two: first we take the average over the bases of , and then over the subspaces that can be spanned by that basis, that is
[TABLE]
If A is the set of register subspaces, we don't need this step, as we have $\mathfrak{w}_{n,A}(\texttt{S})\leq\|\mathbb{E}_{\gamma\subseteq E,|\gamma|=n/2}P^{\operatorname{span}\gamma}\|$. In either case, we complete the proof by fixing and showing that $\|\mathbb{E}_{\gamma\subseteq\beta,|\gamma|=n/2}P^{\operatorname{span}\gamma}\|\leq\sqrt{e}(\cos\tfrac{\pi}{8})^{n}$. Let be the set of subsets of of cardinality . There exists a family of orthogonal permutations such that for each , the number of permutations such that for each is .
Using Lemma 3.3 and then Lemma 3.4, we have, since is a projector,
[TABLE]
Using a result of [CV22], this is upper-bounded by , finishing the proof. ∎
3.3 A new type of entropic uncertainty relation
We define a generalisation of the min-entropy that can be used to express MoE properties.
**Definition 3.5.**
Let be a state supported on not necessarily distinct classical registers and quantum registers . For POVMs , write
[TABLE]
Then, we define the sequential min-entropy of knowing as
[TABLE]
Note that the sequential min-entropy is a generalisation of the conditional min-entropy in the sense that they are the same for .
The winning probability of the -leaky MoE game may be phrased using this entropy. First, for registers and representing either the register subspaces or all subspaces of of dimension , Alice prepares , and then copies and prepares coset states on accordingly to get
[TABLE]
Bob and Charlie act with a channel , giving . In terms of the sequential min-entropy, the leaky MoE property is the statement that
[TABLE]
This expression follows directly from the definition. The only snarl is that, in general in the definition of the sequential min-entropy, Bob’s measurement may not preserve ; and similarly Charlie’s measurement may not preserve . However, since these classical registers are not reused, only the diagonal blocks have any effect, and therefore, we may assume that the measurements are diagonal on the classical registers. As such, the infimum over the measurements is attained by those measurements that correspond to strategies. Note that any MoE game admits an entropic expression of this form.
To close off this section, we present a way to expand the sequential min-entropy as an entropic uncertainty relation.
**Proposition 3.6.**
Let be a state supported on classical registers and quantum registers . Then,
[TABLE]
Note the contrast between this entropic uncertainty relation and that found in [TFKW13]. Most importantly, their relation considers the min-entropy of the same state on both terms, whereas ours uses different, albeit closely related, states. This avoids the shortcoming of their entropic uncertainty relation — that the entropy can remain bounded for any dimension of Alice’s space — and thus allows us to make use of the full power of the MoE property in terms of an entropy.
Proof.
This follows immediately from the definition. We have
[TABLE]
Using the above proposition, we may express the leaky MoE property as an entropic uncertainty relation.
**Corollary 3.7** (Leaky MoE entropic uncertainty relation).
For any measurement Bob makes in the leaky MoE game, we have
[TABLE]
This follows immediately by combining Theorem 3.2 with Proposition 3.6 via Eq. 26. This is the form of the bound that we make use of throughout the remainder of the paper.
4 Interactive Uncloneable Encryption
In this section, we discuss our first application, introduced in Section 1.1. In Section 4.1, we introduce the formalism used for interactive uncloneable encryption and discuss its security. In Section 4.3, we give a construction, given as Protocol 4.5, and prove its security using the leaky MoE property of the previous section.
4.1 QECMs with interactive decryption and their security
We construct an uncloneable encryption scheme which requires only a communication assumption. That is, in order to decrypt a message, the sender Alice is required to have a short interaction with the receiver Bob. Note that, like uncloneable encryption, interactive uncloneable encryption does not assume an intended recipient, but once the interaction is started, only the party that initiated the interaction will be able to decrypt the message with high probability. First, in order to make sense of this interactive decryption, we extend the idea of a quantum encryption of classical messages of [BL20], by allowing the decryption to contain an interaction between the sender Alice and the receiver Bob. This allows for uncloneability via the leaky MoE property, as it will permit Alice to check whether an eavesdropper has the ciphertext by checking whether Bob holds an uncorrelated piece of information. We present this formally.
**Definition 4.1.**
A quantum encryption of classical messages with interactive decryption (QECM-ID) is a tuple .
- is the quantum channel representing the key-generation algorithm, where is the classical key register.
- is the quantum channel representing the encryption algorithm, where is the classical message register and is the quantum ciphertext register. Enc preserves , i.e. , where is the quantum ciphertext.
- The decryption algorithm Dec is an interaction between Alice and Bob that takes a state to , where Alice holds , , and (a classical register that indicates whether Alice aborts (0) or accepts the decryption (1)); and Bob holds (a classical register holding Bob's decryption of the message), and and (additional quantum registers).
The scheme is -correct if, for any classical state , when Alice and Bob run Dec as intended on for , they get such that (footnote 5: we use this definition as it presents an operational way to simultaneously lower bound the probabilities of aborting and decrypting the correct message)
[TABLE]
Note that this reduces to the original definition of a QECM if the decryption is a simple one-round interaction: Alice sends the key to Bob, who uses it to decrypt the ciphertext, and Alice always accepts the decryption. We extend the security properties of indistinguishable, uncloneable, and uncloneable-indistinguishable security of a QECM to this setting as well. Intuitively, the definitions are meant to replace the condition of Bob guessing correctly with Alice accepting the decryption.
First, we can describe the security properties by means of security games. The indistinguishable security game is played by an adversary Bob against a challenger Alice.
1. Bob prepares a cq state and sends register to Alice, keeping hold of the side-information.
2. Alice samples a bit uniformly at random. If she replaces with a fixed message ; else she preserves .
3. Alice samples a key using Key and encrypts the message. She then sends the ciphertext to Bob.
4. Bob attempts to guess . He wins if he guesses correctly.
Indistinguishable security is achieved if the winning probability of this game is only slightly above . This is a standard property of encryption schemes.
Uncloneable security guarantees that, even if a colluding party decrypts, an eavesdropper can only guess the message as well as her side information allows. The uncloneable security game is played by two cooperating adversaries Bob and Eve against a challenger Alice.
1. Alice samples a message uniformly at random. She samples a key and encrypts the message. She sends the ciphertext to the adversaries.
2. The adversaries split the state between them using a quantum channel, and then may no longer communicate.
3. Alice and Bob decrypt with the interaction Dec, and Eve eavesdrops on their interactions.
4. Eve attempts to guess the message. The adversaries win if Alice accepts the decryption () and Eve guesses correctly.
Uncloneable security is achieved if the winning probability is only slightly above the probability of Alice accepting and Eve guessing the message given no information .
Finally, uncloneable-indistinguishable security combines uncloneable and indistinguishable security: it guarantees that, even if a colluding party decrypts, an eavesdropper cannot distinguish between the encryptions of an intended message and a fixed message. The uncloneable-indistinguishable security game is also played by two cooperating adversaries against a challenger.
1. The adversaries prepare a cq state and send register to Alice.
2. Alice samples a bit uniformly at random. If she replaces with a fixed message ; else she preserves .
3. Alice samples a key and encrypts the message. She sends the ciphertext to the adversaries.
4. The adversaries split the state between them using a quantum channel, and then may no longer communicate.
5. Alice and Bob decrypt with the interaction Dec, and Eve eavesdrops on their interactions.
6. Eve tries to guess . The adversaries win if Alice accepts the decryption and Eve guesses correctly.
Uncloneable-indistinguishable security is achieved if the winning probability is only slightly above , half the probability of accepting.
We now formalise the intuition of these security games in a way that is amenable to security proofs in the information-theoretic setting.
**Definition 4.2.**
Let be a QECM-ID. We say the scheme satisfies
-indistinguishable security
if
[TABLE]
for prepared as follows. Fix , and let and be any cq state. Alice prepares the state , then encrypts to get .
-uncloneable security
if
[TABLE]
for prepared as follows. Let be the maximally mixed state. Alice then encrypts and an eavesdropper Eve acts with a quantum channel to get . Then, after eavesdropping on all the interactions during Dec, Eve produces a guess of .
-uncloneable-indistinguishable security
if
[TABLE]
for prepared as follows. Fix , and let and be any cq state. Alice prepares the state , then encrypts to get . Next, an eavesdropper Eve acts with a quantum channel to get and after eavesdropping on all the interactions during Dec, Eve holds a register .
The security definitions are illustrated in Fig. 2.
4.2 General properties
In this section, we show some relations between the uncloneable security properties of QECM-IDs, with the aim of generalising properties of classical encryption schemes. These extend and strengthen results known for QECMs.
First, we see that uncloneable security holds for non-uniform message distributions, generalising a property shown in [BL20].
**Lemma 4.3.**
Let Q be an -uncloneable QECM-ID. Then, if the uncloneable security game is played with a classical state not necessarily uniform, the winning probability
[TABLE]
Proof.
We relate this to the winning probability with . In fact,
[TABLE]
∎
Next, we find an equivalence, up to scalar multiple of the parameters, between the uncloneable and uncloneable-indistinguishable security properties. One direction, uncloneable security implying uncloneable-indistinguishable security, generalises a similar property shown for QECMs in [BL20], while the other direction is new, and remains an open question for QECMs in the information-theoretic setting. The equivalence of these security properties is similar to the equivalence of semantic security and indistinguishability in classical encryption.
**Theorem 4.4.**
Let Q be a perfectly indistinguishable QECM-ID.
- If Q is -uncloneable secure then it is -uncloneable-indistinguishable secure.
- If Q is -uncloneable-indistinguishable secure then it is -uncloneable secure.
Note that this theorem means that, outside of some pathological cases, it is only necessary to show either uncloneable or uncloneable-indistinguishable security for QECM-IDs, not both. However, we nevertheless show both in the following section, as this allows us to work out better parameters.
Proof.
- We proceed by contrapositive. Suppose there exists an attack for the uncloneable-indistinguishable security game that wins with advantage greater than . An important observation we make to help simplify the proof is that we may always assume that for some message [KT22]. This is because the trace norm is convex, so
[TABLE]
and thus we can take to be the value whose term in this convex combination is maximal. Finally, we can remove the side information by redefining the splitting channel .
With such an attack, we construct an attack against the uncloneable security game. The splitting operation and Bob act in the same way. To attempt to guess the message, Charlie makes the measurement that optimally distinguishes the cases and , and guesses or , respectively. Then, the guessing probability
[TABLE]
Since is the probability of distinguishing messages and , we have by hypothesis that this is greater than . Finally, as Q is perfectly indistinguishable, — otherwise Bob could distinguish the messages without access to the key. Putting this together,
[TABLE]
- Let $\rho_{ME^{\prime}\land(F=1)}=\mathbb{E}_{m\in M}[m]\otimes\rho^{m}_{E^{\prime}\land(F=1)}$ be the final state in the uncloneable security game. Since we have by hypothesis that Q is uncloneable-indistinguishable secure, for all . Setting the state , we have that
[TABLE]
Because the registers and are independent on , the guessing probability . Finally, because is only away from in trace norm and by perfect indistinguishability, we get that . ∎
4.3 Instantiation and security proofs
Now, we give a construction of a QECM-ID. Let be a quantum-proof -strong extractor and let be the set of all subspaces of of dimension .
**Protocol 4.5** (Coset state QECM-ID).
Key generation
Let and and take . The channel
$\texttt{Key}([0])=\mathbb{E}_{a,t,t^{\prime},r,h}[att^{\prime}rh].$
(40)
Encryption
Let and . Take
(41)
Decryption
Dec proceeds as follows. First, Alice sends to Bob. Then, Bob measures in the coset state basis to get measurements of . Bob sends to Alice: if , Alice sets , else she sets and aborts. Alice sends and to Bob. Bob computes .
**Proposition 4.6.**
Protocol 4.5 is perfectly correct, i.e. [math]-correct.
Proof.
First, writing ,
[TABLE]
To begin the decryption, Bob measures in the coset state basis and gets
[TABLE]
Sending to Alice, she always sets , and then gives and to Bob. Then, the state becomes
[TABLE]
Finally, Bob computes , getting
[TABLE]
Thus, . ∎
**Proposition 4.7.**
Protocol 4.5 is perfectly indistinguishable.
Proof.
Writing , we see that
[TABLE]
Hence,
[TABLE]
Thus, . ∎
**Theorem 4.8.**
Suppose . Then, Protocol 4.5 is -uncloneable.
Proof.
We have the state before decryption
[TABLE]
To begin the decryption, Alice shares , and Bob makes a measurement on to determine a guess of . Fix . Then, taking to be the cloning channel in the leaky MoE game, we get by the leaky MoE property that , where is a copy of . Thus, we must have either or . In the former case, as is the register Bob has access to by that point, we have
[TABLE]
In the latter case, we have by hypothesis and the strong extractor property,
[TABLE]
where is the register containing . Combining the two cases,
[TABLE]
where we set . This implies that, as and are uniformly distributed and independent,
[TABLE]
hence . Supposing , the decryption continues and Eve also gets and tries to guess . As classical computations are CPTP maps, we see that
[TABLE]
where , so
[TABLE]
During the decryption, all the information Eve receives is contained in . Let the subnormalised state . By the above, we have that . As such, if the shared state were , is independent from , and therefore . This implies that the probability of guessing given of is at most
[TABLE]
as wanted. ∎
**Theorem 4.9.**
Suppose . Then, Protocol 4.5 is -uncloneable-indistinguishable.
Proof.
With , we have again
[TABLE]
so given the cloning attack , the state before decryption is
[TABLE]
On , the cloning attack is , so we have
[TABLE]
where is a copy of , and hence as above
[TABLE]
and then, in order to include and ,
[TABLE]
As , this gives that
[TABLE]
In the same way, we get that on , the cloning attack is , so the entropy , and hence as above
[TABLE]
To include and ,
[TABLE]
This gives that, again using ,
[TABLE]
As , this implies that
[TABLE]
To finish the proof, we study the state . The cloning attack and the first decryption step takes to via a trace non-increasing channel. Therefore, if we have , then . To that end,
[TABLE]
so , giving the result. ∎
5 Uncloneable Bit Commitment
In this section, we discuss our second application, introduced in Section 1.2. In Section 5.1, we define uncloneable commitments and provide a construction, given as Protocol 5.3. Finally, in Section 5.2, we prove security of our construction.
5.1 Motivation and definitions
We want to extend bit commitment protocols to make them uncloneable — that is that only the intended recipient can successfully reveal a commitment. First, we recall a usual definition of bit commitment, as in [KWW12]. The form of commitment we use allows for strings, not just single bits, to be committed. Also, it supposes that, in the honest case, a uniformly random string is chosen to be committed; this however is not a restriction on the general case.
**Definition 5.1.**
A -randomised bit string commitment (RBC) scheme is a pair of interactive protocols between two parties Alice and Bob: a protocol commit that creates a state , and a protocol reveal that creates a state . Here is a classical register holding the committed string; is a classical register holding the revealed string; is a classical register that indicates whether Bob accepts (1) or rejects (0) the reveal; and and are additional quantum registers that Alice and Bob hold, respectively. The scheme additionally satisfies
-correctness
If Alice and Bob are honest, then , for .
-hiding
If Alice is honest, then after commit, .
-binding
If Bob is honest, there exists a state such that , and if reveal is run to get , .
Bit commitment is impossible without additional assumptions [BS16], so we need a model with, e.g., computational or storage assumptions in order for this definition not to be vacuous. Notwithstanding, we can extend the definition to handle uncloneability as well. We do so by adding an eavesdropper Eve, from whom Alice wishes to hide her commitment. In order to check for cloning, the protocol has an additional check step, which is used to verify whether it is in fact Bob who received the commitment. The separation of the check step also allows us to consider various models: Eve can be allowed to freely communicate with Bob prior to that step, but not afterwards, as Bob could in that case simply hand her the register that passed the check.
**Definition 5.2.**
A -uncloneable randomised bit string commitment (URBC) scheme is a triple of protocols between two parties Alice and Bob, eavesdropped by an eavesdropper Eve: a protocol commit that creates a state , a protocol check that creates a state , and a protocol reveal that creates a state . Here, is a classical register holding the committed string; is a classical register holding the revealed string; is a classical register that indicates whether Alice accepts (1) or rejects (0) the check; is a classical register that indicates whether Bob accepts (1) or rejects (0) the reveal; and , , and are additional quantum registers that Alice, Bob, and Eve hold, respectively. The scheme additionally satisfies
-correctness
If Alice and Bob are honest, and Eve does not act, then , where .
-hiding
If Alice is honest, then after commit, , and after check, .
-binding
If Bob is honest, there exists a state such that and .
-uncloneability
If Alice is honest, .
From this definition, we see that uncloneability holds for any malicious Bob, even one who colludes with Eve, as long as they do not communicate after the check. Similarly to interactive uncloneable encryption, the commitment can be seen as not having an intended recipient prior to the check step — in particular, Bob and Eve may have arbitrary communication before then. This illustrates an important aspect of the uncloneability, as only Bob will be able to open despite a lack of any agreement between him and Alice, such as a pre-shared secret key.
Remark.
Note that the above definitions do not hold as given in the computational setting. However, it is straightforward to adapt them by replacing the supremum in the trace norm with the distinguishing advantage corresponding to a computationally-bounded guessing strategy. This allows adaptation to a wide range of computational settings where different computational assumptions that give rise to commitments can be considered. For simplicity, we use the trace norm definition to prove security of our URBC construction, but the proofs work as well in such computational settings simply because the trace norm upper bounds any seminorm given as a supremum over fewer operators. Nevertheless, in our instantiation, the information-theoretic nature of the uncloneability property may be preserved as this does not depend on the choice of commitment assumption.
Now, we can define a candidate URBC scheme. We do so by taking an RBC scheme and turning it into an uncloneable one on polynomially shorter bit strings using the leaky MoE property, implicitly working under the assumptions that are required for the commitment.
Let be a -RBC scheme, let be the set of all subspaces of of dimension , let be a quantum-proof -strong extractor, and let be an -linear error-correcting code with syndrome .
Protocol 5.3 (Uncloneable bit string commitment).
Commit
Let , , and . Alice and Bob commit to using . Then, Alice samples , , and uniformly at random, after which she prepares the state and sends it to Bob. Alice stores and Bob stores , and they both store what is needed to reveal the commitment of .
Check
Alice sends Bob and he measures in the coset state basis to get measurements of , then sends to Alice. If , Alice sets , else she sets . Alice stores and Bob stores , and they both store what is needed to reveal the commitment of .
Reveal
Bob selects a random subset of cardinality and sends it to Alice. She replies with and . Then, they reveal the commitment to get . If , , and accepts (), Bob sets ; else he sets . Alice’s output is and Bob’s output is .
This protocol is illustrated in Fig. 3.
5.2 Security proofs
Proposition 5.4.
Protocol 5.3 is -correct.
Proof.
We suppose Alice and Bob are honest, and Eve does not act. First, Alice and Bob run to get . Then, in the commit and check phases, Alice sends and to Bob, and he is able to measure exactly, so and . Bob sends to Alice, and she sets . At that point, the shared state has the form for . Next, in the reveal phase, we have that and , so Bob’s flag . When Alice and Bob run , the shared state becomes , where we know by correctness of that for . Thus, for , we see that
[TABLE]
We see that , as is hashed. Then, as classical computations are quantum channels,
[TABLE]
∎
Proposition 5.5.
Protocol 5.3 is -hiding.
Proof.
As Alice is honest, the commitment is hiding in the sense that . Consider the state . As is uniformly random, for each and , is uniformly random. Hence,
[TABLE]
As Bob and Eve’s registers after commit and check are given by quantum channels acting on , we get, noting that
[TABLE]
In the same way . ∎
Proposition 5.6.
Protocol 5.3 is -binding.
Proof.
Since is -binding, we consider the state such that . As all the actions undertaken are quantum channels, we know that at the end of the commit phase, . Now, we continue the argument, implicitly assuming that the state is . In the reveal phase, Bob sets if and only if , , and . Thus,
[TABLE]
First, as is binding, . Next, suppose that but . Then as the code has distance , the Hamming distance . But, as is a subset of indices chosen uniformly at random, the probability that is no more than . Simplifying,
[TABLE]
which gives the result. ∎
Theorem 5.7.
Suppose . Then, Protocol 5.3 is -uncloneable.
Proof.
Due to the leaky MoE property, we must have when Bob guesses during the check phase. This implies that, for any measurement Bob might have made to get , either or . In the former case, the probability that , and hence that , is at most . In the latter case, the additional information that Eve gets about during the reveal phase is and , so knowing that her final register ,
[TABLE]
Then, by hypothesis on the extractor, . Thus, combining the two cases and noting that the events and are equivalent,
[TABLE]
∎
6 Receiver-Independent Quantum Key Distribution
In this section, we discuss our final application, introduced in Section 1.3. In Section 6.1, we prove a version of the leaky MoE property that is robust against errors, given as Theorem 6.2, and discuss its expression as an entropic uncertainty relation, given as Corollary 6.5. In Section 6.2, we present receiver-independent QKD and provide a construction, given as Protocol 6.7. Finally, in Section 6.3, we recall the QKD security definitions and prove security for our construction.
6.1 Robust leaky MoE property
We first need a robust version of the leaky MoE property, analogous to the game with imperfect guessing in [TFKW13]. To do so, we fix to be neighbourhoods of [math], and modify the leaky MoE game winning condition by saying that Alice accepts if Bob’s answer is in and Charlie’s is in . To warrant the name “leaky”, we suppose that Charlie gets Bob’s potentially erroneous guess of — but never the actual value of chosen by Alice — before making his guess. In the case of , this reduces to the original leaky MoE game. We formalise this.
Definition 6.1.
Let be a set of subspaces of of dimension , and be neighbourhoods of [math]. A strategy S for the -robust leaky monogamy-of-entanglement game is simply a strategy for the -leaky MoE game. The winning probability of S is
[TABLE]
The optimal winning probability of G is .
We show an upper bound in a context relevant to QKD, where the errors correspond to independent bit flip errors. We define some standard objects: the Hamming norm of is the number of non-zero terms, written , and the corresponding metric, the Hamming distance, is written ; the unit ball in of radius in is ; and the binary entropy function is defined as . We have the very useful bound on the volume of this ball: if , .
Theorem 6.2.
Let be the set of register subspaces of of dimension . Then, for
[TABLE]
Note that this bound is not particularly tight. We try to stick with the tightest possible expression throughout the proof before passing to this simple closed-form expression at the very end.
The proof proceeds similarly to Theorem 3.2. First, we need a robust generalisation of Lemma 3.4.
Lemma 6.3.
Let be subspaces of dimension , and be neighbourhoods of [math]. Then,
[TABLE]
where and for as defined in Section 2.2.
Proof.
Since for any , we get the bound
[TABLE]
Since the right hand side is a projector, we have by monotonicity of the square root that it is also a bound on . We also bound
[TABLE]
Using these,
[TABLE]
Next, using the triangle inequality,
[TABLE]
Now, as the terms of the sum are Hermitian operators with orthogonal supports, we can bound
[TABLE]
For each of these terms,
[TABLE]
The cardinality of the intersection may be written as
[TABLE]
This gives the wanted bound
[TABLE]
∎
Now, we proceed to the proof of the theorem.
Proof of Theorem 6.2.
Write and . First, we bound the winning probability by an operator norm
[TABLE]
so that we can apply Lemma 3.3 using the same permutations as in Theorem 3.2, giving
[TABLE]
We use Lemma 6.3 to write the overlap in terms . Suppose and . Then . Thus, as , for any ,
[TABLE]
To maximise the cardinality of this set, we take , so
[TABLE]
This gives . Putting this into the bound on the winning probability,
[TABLE]
We can bound and therefore
[TABLE]
Using the bound on the volume of a ball gives the result. ∎
It will prove useful to express the winning probability of this game as a sequential min-entropy as well.
Corollary 6.4.
Fix a strategy for the -robust leaky monogamy game with and . Let the state
[TABLE]
Then, the sequential min-entropy
[TABLE]
Note that we pack the approximate guessing into the state, so we can derive a result on the sequential min-entropy of that state.
Proof.
First, the winning probability may be rewritten as
[TABLE]
Thus, using the bound of Theorem 6.2 with , $\mathbb{E}_{a,t,t'}\operatorname{Tr}\left[(B^{a}_{t}\otimes C^{a,t}_{t'})\sigma^{a,t,t'}_{BC}\right]\le\sqrt{e}\left(\cos\tfrac{\pi}{8}\right)^{n}$. Since this takes a similar form to the winning probability of the original leaky MoE game, we can apply the definition of sequential min-entropy to get the wanted result
[TABLE]
∎
Finally, we get an entropic uncertainty relation.
Corollary 6.5 (Robust leaky MoE entropic uncertainty relation).
For any measurement made by Bob in the robust leaky MoE game, we have
[TABLE]
6.2 Motivation and construction
We consider QKD in a model where neither Bob's classical nor his quantum devices are trusted, and may even have been provided by the eavesdropper, but his communication is trusted. This is a stronger model than the one-sided device-independent model considered in [TFKW13]. To illustrate this, we first give an attack on that scheme in this model which lets the eavesdropper learn the secret key.
First, we recall the one-sided device-independent QKD protocol given as Figure 1 of [TFKW13], with one small difference: they considered an entanglement-based model whereas we will work directly in the usual and more practical prepare-and-measure model, knowing that security in the former model implies security in the latter.
Protocol 6.6 (one-sided device-independent QKD of [TFKW13]).
State preparation
Alice samples and uniformly at random and sends the state to Bob.
Measurement
Bob confirms receipt of the state, then Alice sends to Bob. He measures to get a string .
Parameter estimation
Alice samples a random subset of size and sends to Bob. If the Hamming distance , Bob aborts.
Error correction
Alice sends an error-correction syndrome and a random hash function to Bob. Bob corrects using the syndrome to get
Privacy amplification
Alice computes the output and Bob computes .
In our model, the security of this QKD scheme can be broken, because we cannot trust Bob's classical device to perform parameter estimation honestly. Bob simply relays the communication to and from the device, and receives either the key or an abort message once the protocol finishes. Consider the following attack, using a malicious device provided by an eavesdropper Eve. When Alice sends the state , Eve intercepts it and holds on to it, and sends Bob's device instead. Then, Eve intercepts every message Alice sends and is able to compute Bob's intended output , while Bob's device simply outputs a uniformly random string to him. Neither Alice nor Bob has learned that an attack has happened. In this way, Eve completely breaks the security of the one-sided device-independent QKD protocol in the receiver-independent model.
To avoid this sort of attack, we need a QKD protocol where only Bob’s communication is trusted but none of his devices are. We present the protocol. Let be a quantum-proof -strong extractor and be a -linear error correcting code with syndrome .
Protocol 6.7 (receiver-independent QKD).
State preparation
Alice chooses , and uniformly at random, then sends the state to Bob.
Parameter estimation
Alice sends , and Bob replies with a measurement of . If the distance , Alice aborts the protocol.
Error correction
Bob makes a measurement of , and sends to Alice. She uses it to correct and get . (The correction here is not simply the natural one of the error-correcting code. Rather, Alice sets to be the string that corrects to the same point in as but has syndrome .)
Information reconciliation
Alice sends of cardinality to Bob, and he replies with . If , Alice aborts.
Privacy amplification
Alice sends uniformly random to Bob. Alice outputs and Bob outputs .
We note that, unlike usual QKD, Alice has full control over whether to abort the protocol. This allows us to consider the case where the checks that Bob makes are untrusted.
Since Bob’s classical computations are untrusted, the idea of correctness must also be altered. Neither Alice nor Bob can in general check that Bob’s final key matches Alice’s, since Bob’s device can always, once all the checks have been passed, output a uniformly random string to Bob. As such, all Alice can assure herself of is that Bob’s device has all the necessary information allowing it to compute the key. So, we only require correctness to hold for the device’s computed key, though Bob may not actually receive it.
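The intercept-and-hold attack on Protocol 6.6 and the reason it fails against Protocol 6.7, as an added simulation that is not part of the paper. It assumes a classical stand-in for BB84-type states (a register of (bit, basis) pairs that can be measured exactly once, so that Eve and Bob's device cannot both hold the data), a noiseless channel (so the error-correction step is the identity and no syndrome needs to be modelled), the register-subspace split modelled as a public choice of check positions versus key positions, a random Toeplitz-type hash as the strong extractor, and that Bob's device has no channel to Eve during the run, which is what "trusted communication" buys. The function names, the 25% check fraction and the 15% tolerance are choices of this example, not the paper's parameters.

```python
import random

# Classical stand-in (assumption of this example) for BB84-type states: a qubit
# is (bit, basis). Measuring in the preparation basis returns the bit; measuring
# in the other basis returns a fresh random bit. A register can be measured only
# once, which is the toy version of "the state cannot be cloned".
class Register:
    def __init__(self, bits, bases):
        self.bits, self.bases, self.used = list(bits), list(bases), False

    def measure(self, bases, rng):
        if self.used:
            raise RuntimeError("register already measured (no cloning)")
        self.used = True
        return [b if pb == mb else rng.randrange(2)
                for b, pb, mb in zip(self.bits, self.bases, bases)]


def random_bits(n, rng):
    return [rng.randrange(2) for _ in range(n)]


def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))


def toeplitz_hash(seed, x, m):
    """Privacy amplification with a random Toeplitz-type matrix over GF(2)
    (a 2-universal hash, hence a strong extractor). seed has len(x)+m-1 bits."""
    return [sum(s & xj for s, xj in zip(seed[i:], x)) & 1 for i in range(m)]


def attack_protocol_6_6(n, m, rng):
    """Eve keeps Alice's state, hands Bob's (Eve-built) device a junk register,
    and the device 'passes' parameter estimation by itself (nobody else checks)."""
    x, theta = random_bits(n, rng), random_bits(n, rng)
    eve_reg = Register(x, theta)                                  # intercepted
    dev_reg = Register(random_bits(n, rng), random_bits(n, rng))  # junk for Bob
    x_eve = eve_reg.measure(theta, rng)   # Alice announces theta publicly
    dev_reg.measure(theta, rng)           # device's result is meaningless
    # Parameter estimation: Alice sends T and x_T, but only the device checks
    # them, and a malicious device simply never aborts.
    # Error correction: noiseless channel here, so x_eve == x and the syndrome
    # changes nothing.  Privacy amplification: seed is public.
    seed = random_bits(n + m - 1, rng)
    k_alice = toeplitz_hash(seed, x, m)
    k_eve = toeplitz_hash(seed, x_eve, m)
    k_bob = random_bits(m, rng)           # device hands Bob a random string
    return {"eve_has_key": k_eve == k_alice, "bob_has_key": k_bob == k_alice}


def run_protocol_6_7(n, m, rng, eve_intercepts, check_frac=0.25, tol=0.15):
    """Receiver-independent QKD: Alice performs every check, and Bob's device must
    answer over Bob's trusted channel from whatever register it really holds."""
    x, theta = random_bits(n, rng), random_bits(n, rng)
    state = Register(x, theta)
    if eve_intercepts:
        eve_reg, dev_reg = state, Register(random_bits(n, rng), random_bits(n, rng))
    else:
        eve_reg, dev_reg = None, state
    check = sorted(rng.sample(range(n), int(check_frac * n)))   # public
    key = [i for i in range(n) if i not in set(check)]
    x_eve = eve_reg.measure(theta, rng) if eve_reg else None     # Eve sees theta
    # Parameter estimation: the device answers on the check positions and Alice,
    # not the device, decides whether to abort.
    x_dev = dev_reg.measure(theta, rng)
    errors = hamming([x[i] for i in check], [x_dev[i] for i in check])
    if errors > tol * len(check):
        return {"abort": True, "reason": "parameter estimation", "errors": errors}
    # Error correction is the identity on a noiseless channel; information
    # reconciliation spot-checks key positions the device must echo exactly.
    probe = rng.sample(key, max(1, len(key) // 8))
    if any(x[i] != x_dev[i] for i in probe):
        return {"abort": True, "reason": "information reconciliation"}
    seed = random_bits(len(key) + m - 1, rng)                    # public
    k_alice = toeplitz_hash(seed, [x[i] for i in key], m)
    k_dev = toeplitz_hash(seed, [x_dev[i] for i in key], m)
    k_eve = toeplitz_hash(seed, [x_eve[i] for i in key], m) if x_eve else None
    return {"abort": False, "alice_key": k_alice, "device_key": k_dev, "eve_key": k_eve}


def demo(seed=2024):
    rng = random.Random(seed)
    return (attack_protocol_6_6(256, 32, rng),
            run_protocol_6_7(256, 32, rng, eve_intercepts=True),
            run_protocol_6_7(256, 32, rng, eve_intercepts=False))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Against Protocol 6.6 the attack yields Eve the key while Bob gets junk and nobody aborts; against Protocol 6.7 the same device, holding no state, answers the check positions with coin flips and Alice aborts at parameter estimation, while an honest device that holds the state passes and ends with Alice's key.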
6.3 QKD security
First, following [MR22, Ren05], we give the security definition of QKD.
Definition 6.8.
A receiver-independent QKD protocol is an interaction between Alice, who is trusted, and Bob, who has trusted communication but untrusted quantum and classical devices, and which is eavesdropped by an eavesdropper Eve. The interaction produces the state where holds a flag set to if the protocol accepts and [math] otherwise, holds Alice's output key, holds Bob's device's key, and is Eve's side information. The protocol is
- -correct if .
- -secret if .
- -complete if, when Eve acts as the channel and Bob's device works as intended, .
A subtle but important difference between this and the usual QKD definition is in Bob’s key . Here, the key is produced by Bob’s device, but as the device is untrusted, Alice cannot be sure that the key is actually given to Bob at the end of the protocol.
We now show that Protocol 6.7 satisfies these security properties under some conditions on the parameters.
Proposition 6.9.
Protocol 6.7 is -correct.
Note that, in our protocol, in order for Bob to actually receive the key, Bob’s classical device is only required to do one computation honestly: the final privacy amplification step.
Proof.
First, the event that is equivalent to . Then,
[TABLE]
We claim that the event implies the event . To see this, (writing for , the correction from the error-correcting code, i.e. the nearest point in to ) first note that if , then . Then, as the code distance is , . Since , .
Thus, as is sampled uniformly at random among the substrings of length ,
[TABLE]
∎
Theorem 6.10.
Suppose . Then, Protocol 6.7 is -complete, where is any iid noise channel such that , , , and .
In particular, note that this gives an exponentially small abort rate if the error . We make use of Hoeffding’s inequality in the proof: for independent random variables with support in , their sum has the property that, for any ,
[TABLE]
Proof.
First, recall that Alice sends states of the form , for and , the indicator vector. Thus, the conditions on are simply that there is an independent probability at most of a bit flip on any of the bits of the measured strings. Next, since implies that , we have that
[TABLE]
First, the probability of more than bit flips occurring on is
[TABLE]
where the binomial random variable . Consider the independent identically distributed Bernoulli random variables . Since we know and , Hoeffding’s inequality provides
[TABLE]
To proceed similarly for the second term, first note that, in the same way as in Proposition 6.9, implies . Thus, as before . ∎
Lemma 6.11.
Let and be registers, be a cq state, and be a ball. For $\sigma=\mathbb{E}_{u\in U}X_{X}^{u}\rho_{XA}X_{X}^{u}$, where is the Pauli operator, and any POVM , we have
[TABLE]
Proof.
First, writing , we see that
[TABLE]
and so
[TABLE]
On the other hand, , so
[TABLE]
which completes the proof. ∎
Lemma 6.12.
Let be registers and be a ccq state. Then, for any ,
[TABLE]
Proof.
We interpret this in terms of the guessing probability. Writing , the probability of guessing given is
[TABLE]
as . ∎
Theorem 6.13.
Suppose that . Then, the QKD protocol Protocol 6.7 is -secret.
Asymptotically, in order for the QKD protocol to produce a secure key, we require only
[TABLE]
as we can make arbitrarily small by enlarging the key. These provide the asymptotic noise tolerance. First and we can choose small enough to have while preserving subexponential correctness (for example ), so we don’t need to worry about those terms. Also, the Shannon limit provides the minimum value . Therefore, the inequalities reduce to asymptotically, so approximately ; thus the asymptotic noise tolerance is . Note that this is the same tolerance as in [TFKW13].
Proof.
At the start of the protocol, Alice prepares the state $\rho_{ATT'V}=\mathbb{E}_{a,t,t'}[att']\otimes\left\lvert a_{t,t'}\right\rangle\!\left\langle a_{t,t'}\right\rvert$, where she holds onto and sends . Eve acts with some channel and sends the register to Bob. Bob sends to Alice, which Eve may intercept and copy. We work first with the state $\sigma_{ATT'BE}=\mathbb{E}_{u\in U}X_{T}^{u}\rho X_{T}^{u}$, and then exchange it for later, using Lemma 6.11.
At the parameter estimation step, the robust leaky MoE property implies , where is a copy of . Let be the measurement Bob’s device uses to get the guess of . Then, by the entropic uncertainty relation, we must have either
[TABLE]
In the former case, we have
[TABLE]
as . In the latter case, by the error correction step, Eve holds and thus, making use of Lemma 6.12
[TABLE]
Next, as Eve has access to the syndrome , her probability of guessing is equal to that of guessing , giving . By hypothesis on the strong extractor, we have that
[TABLE]
where the register . Before passing to the information reconciliation step, we combine the two cases. Writing $\varepsilon^{\ast}=\max\left\{\varepsilon,\ 2^{-\left(-\lg\cos\frac{\pi}{8}-\frac{1}{(2\ln 2)n}\right)\frac{n}{2}}\right\}$, we get
[TABLE]
Now, we can pass to the real state . Using Lemma 6.11 with ,
[TABLE]
As the event is equivalent to , this means
[TABLE]
Finally, as Eve’s register at the end of the privacy amplification step is , we get the wanted result . ∎
References
- [Aar09] S. Aaronson. Quantum copy-protection and quantum money. In 24th Annual Conference on Computational Complexity (CCC 2009), pages 229–242, 2009. DOI: 10.1109/CCC.2009.42.
- [AC12] S. Aaronson and P. Christiano. Quantum money from hidden subspaces. In 44th Annual ACM Symposium on Theory of Computing (STOC 2012), pages 41–60, 2012. DOI: 10.1145/2213977.2213983.
- [AK21] P. Ananth and F. Kaleoglu. Unclonable encryption, revisited. In 18th Theory of Cryptography Conference (TCC 2021), pages 299–329, 2021. DOI: 10.1007/978-3-030-90459-3_11.
- [ALP21] P. Ananth and R. L. La Placa. Secure software leasing. In Advances in Cryptology (EUROCRYPT 2021), pages 501–530, 2021. DOI: 10.1007/978-3-030-77886-6_17.
- [BB84] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In International Conference on Computers, Systems and Signal Processing, pages 175–179, 1984.
- [BC23] A. Broadbent and E. Culf. Rigidity for monogamy-of-entanglement games. In 14th Conference on Innovations in Theoretical Computer Science (ITCS 2023), pages 28:1–28:29, 2023. DOI: 10.4230/LIPIcs.ITCS.2023.28.
- [BI20] A. Broadbent and R. Islam. Quantum encryption with certified deletion. In 17th Theory of Cryptography Conference (TCC 2020), pages 92–122, 2020. DOI: 10.1007/978-3-030-64381-2_4.
- [BJL+21] A. Broadbent, S. Jeffery, S. Lord, S. Podder, and A. Sundaram. Secure software leasing without assumptions. In 18th Theory of Cryptography Conference (TCC 2021), pages 90–120, 2021. DOI: 10.1007/978-3-030-90459-3_4.
