Relating Quantum Tamper-Evident Encryption to Other Cryptographic Notions

TL;DR

This paper explores the relationships between quantum tamper-evident encryption and other quantum cryptographic primitives, establishing formal implications, equivalences, and separations in an information-theoretic framework.

Contribution

It formally relates tamper-evident encryption to encryption with revocation and quantum money, clarifying their interconnections and distinctions.

Findings

Tamper evidence implies encryption.

Tamper-evident schemes can be constructed from encryption with revocation.

Tamper evidence does not imply authentication or uncloneable encryption.

Abstract

A quantum tamper-evident encryption scheme is a non-interactive symmetric-key encryption scheme mapping classical messages to quantum ciphertexts such that an honest recipient of a ciphertext can detect with high probability any meaningful eavesdropping. This quantum cryptographic primitive was first introduced by Gottesman in 2003. Beyond formally defining this security notion, Gottesman's work had three main contributions: showing that any quantum authentication scheme is also a tamper-evident scheme, noting that a quantum key distribution scheme can be constructed from any tamper-evident scheme, and constructing a prepare-and-measure tamper-evident scheme using only Wiesner states inspired by Shor and Preskill's proof of security for the BB84 quantum key distribution scheme. In this work, we further our understanding of tamper-evident encryption by formally relating it to other quantum cryptographic primitives in an information-theoretic setting. In particular, we show that tamper evidence implies encryption, answering a question left open by Gottesman, we show that it can be constructed from any encryption scheme with revocation and vice-versa, and we formalize an existing sketch of a construction of quantum money from any tamper-evident encryption scheme. These results also yield as a corollary that any scheme allowing the revocation of a message must be an encryption scheme. We also show separations between tamper evidence and other primitives, notably showing that tamper evidence does not imply authentication and does not imply uncloneable encryption.