Block encryption of quantum messages
Abstract
In modern cryptography, block encryption is a fundamental cryptographic primitive. However, it is impossible for block encryption to achieve the same security as the one-time pad. Quantum mechanics has changed modern cryptography, and much research has shown that quantum cryptography can overcome the limitations of traditional cryptography.
This article proposes a new constructive mode for private quantum encryption, named , which is a very simple method to construct quantum encryption from classical primitives. Based on mode, we construct a quantum block encryption (QBE) scheme from pseudorandom functions. If the pseudorandom functions are standard secure, our scheme is indistinguishable encryption under chosen plaintext attack. If the pseudorandom functions are permutations on the key space, our scheme can achieve perfect security. In our scheme, the key can be reused and the randomness cannot, so a bit key can be used in an exponential number of encryptions, where the randomness is refreshed in each encryption. Thus bit key can perfectly encrypt qubits, and the perfect secrecy would not be broken if the bit key is reused for only exponential times.
Compared with the quantum one-time pad (QOTP), our scheme can be as secure as QOTP, and the secret key can be reused (no matter whether eavesdropping exists or not). Thus, the limitation of perfectly secure encryption (Shannon’s theory) is broken in the quantum setting. Moreover, our scheme can be viewed as a positive answer to the open problem in quantum cryptography “how to unconditionally reuse or recycle the whole key of private-key quantum encryption”. In order to physically implement the QBE scheme, we only need to implement two kinds of single-qubit gates (Pauli gate and Hadamard gate), so it is within reach of current quantum technology.
I Introduction
The combination of quantum mechanics and information science forms a new science – quantum information science, in which information extends to quantum information. The need to process quantum information arises, and we have to develop quantum cryptographic technology for quantum information, e.g. encryption of quantum information. Since quantum information can be seen as an extension of classical information in complex Hilbert space, the cryptographic schemes for quantum information are suitable for classical information, but not vice versa.
Quantum information encryption is a kind of basic quantum cryptographic primitive, especially the quantum one-time pad (QOTP), which has been applied in various quantum cryptographic schemes. For example, the quantum message authentication (QMA) is applied in the constructions of secure multiparty quantum computation [1] and quantum interactive proof [2], and the authenticity of QMA can be guaranteed by quantum encryption [3].
QOTP (or private quantum channel) [4, 5, 6, 7] is the first kind of quantum information encryption scheme, which uses a pre-shared classical symmetric key and has perfect security. However, the secret key cannot be reused. The recycling of the QOTP key has been studied in the literature [8]. Zhou et al. propose another symmetric-key encryption algorithm [9], which uses quantum-classical hybrid keys.
Public-key encryption of quantum messages was first studied by Yang [10], in which both the public key and private key are classical. Because the scheme is constructed based on an NP-complete problem, it has computational security at most. Later, public-key encryption schemes with computational security were studied further [11, 12, 13]. In addition, public-key encryption with information-theoretic security has also been studied [14, 15].
Alagic et al. [16] propose a private-key scheme and a public-key encryption scheme for quantum data, both of which have computational security. The private-key scheme is constructed based on quantum pseudorandom function (PRF) and QOTP, but it is not indistinguishable against chosen ciphertext attack. The public-key scheme is constructed based on quantum trapdoor one-way permutation and QOTP.
There is some literature on QMA [3, 17, 18] or non-malleable quantum encryption [19, 20]. Because authenticity of QMA implies encryption [3], those secure quantum authentication schemes can also be used as quantum message encryption schemes; however, the secret key cannot be reused or can be recycled only partially.
I-A Our Results
We present a detailed description of encryption. In the notation “”, each represents a different quantum encryption operation, and represents a transversal Hadamard transformation. Actually, QOTP can be viewed as a special case of encryption, where each is implemented by encrypting quantum superpositions using classical one-time pad.
Based on two PRFs, we construct a secure quantum block encryption (QBE) scheme in the form of encryption. The idea is described in Fig. 1. and are two classical block encryption (BE) schemes that are constructed based on two PRFs and . and are insecure QBE schemes that are constructed using and . The whole procedure of quantum encryption can be finished in three steps: (1) the quantum message is encrypted using the first QBE scheme , and the obtained ciphertext is ; (2) perform transversal Hadamard transformation on , and obtain ; (3) If , then can be encrypted using the second QBE scheme , and the obtained ciphertext is .
We study the security of QBE scheme , and obtain the main results as follows.
Theorem 1 (informal)
If PRFs are chosen independently and have standard security in the quantum computation setting, then is an IND-CPA-secure QBE scheme.
Theorem 2 (informal)
are independent PRFs with standard security. If both and are permutations on the key space, then is a perfectly secure QBE scheme.
Theorem 1 states that our QBE scheme can be IND-CPA-secure. The plaintext block has the same length as the ciphertext block. Theorem 2 states that, in some particular case, the QBE scheme can have the same security as QOTP even if the keys are reused. Thus, our scheme can be viewed as a positive answer to an open problem in quantum cryptography “how to unconditionally reuse or recycle the whole key of private-key quantum encryption”, which has been studied in Refs. [8, 17, 18, 21, 22, 23].
QOTP has been widely applied in the theoretical design of various quantum encryption and authentication schemes [1, 2, 3, 14, 18]. Based on our results, we can consider modifying those QOTP-based schemes by replacing QOTP with perfectly secure QBE, and expect an obvious optimization, for example, recycling all the keys of the scheme in Ref. [18] or lifting weak authentication to total authentication [17].
I-B Related works
I-B1 How to construct quantum cryptographic primitives from classical ones
Based on quantum mechanics, information extends to quantum information, and computation extends to quantum computation. A natural question is whether or not modern cryptography based on information and computation could extend to quantum cryptography. Concretely, how can a classical cryptographic primitive be extended to a quantum one? Our results give an answer from the aspect of BE (or pseudorandom functions). In addition, there are also some other related works.
In Ref. [10], a quantum public-key encryption scheme is proposed based on the classical McEliece public-key cryptosystem. Later, more constructions are proposed [11]. In order to improve the security, Yang and Liang [13] propose the double-encryption technique, which is the origin of encryption.
Garg et al. [17] propose the “Auth-QFT-Auth” pattern used to construct QMA scheme (denoted as ), where are the classical Wegman-Carter MAC schemes and is the quantum Hadamard transform. Obviously, this pattern is very similar to encryption.
In fact, QOTP can be viewed as an like construction based on classical OTP: quantum states are encrypted using the classical one-time pad in the basis , and then using the classical one-time pad in the basis .
The most related work is Ref. [16], which proposes a computationally secure framework for quantum encryption. However, their construction uses “PRF+QOTP” mode, and our construction uses mode. In spirit, mode is a special combination of two insecure encryptions. This mode of combination can be extended to construct more quantum cryptographic schemes.
I-B2 Quantum encryption with key recycling
OTP is a perfectly secure encryption scheme, but the key cannot be reused; in a BE scheme, the key can be reused, but the security is weaker than OTP. In quantum cryptography, there exists the same problem: QOTP has the same security as OTP, but the key cannot be reused (though we can use a QOTP with quantum key distribution, this would need more rounds of interaction and more communication). In order to settle this problem, researchers began to consider how to recycle part of the keys or conditionally reuse the keys.
Damgard et al. [21, 22] show how to encrypt a classical message in a quantum state and recycle the key. Oppenheim and Horodecki [8] study how to encrypt a quantum message and recycle the key, and the key of QOTP can only be partially reused. Fehr and Salvail [23] propose a classical-message-oriented quantum authentication scheme with key recycling, in which the partial randomness can be extracted and be used as the OTP key or QOTP key. Then the combination of the authentication scheme and OTP (or QOTP) becomes a quantum encryption scheme with key recycling, and can be used to encrypt the classical or quantum information.
There is also some research on QMA with key recycling [17, 18]. The “Auth-QFT-Auth” authentication scheme [17] allows conditionally recycling part of the keys: the inner key can be recycled upon successful verification, and the outer key unfortunately cannot be. Because any scheme to authenticate quantum messages must also encrypt them [3], these authentication schemes can also be used as encryption schemes with key recycling.
In all these schemes, the keys cannot be totally reused, and we will solve this problem through QBE scheme.
I-C Organization
In Section II, we introduce some basic notations, and review three kinds of PRFs. In Section II-C, we describe the encryption technique. In Section III, we show how to construct an IND-CPA-secure QBE scheme, and prove the perfectly secure scheme is achievable. Finally, we conclude and discuss these results.
II Preliminaries
II-A Notations and definitions
denotes the set of all the functions that map bits to bits. Define as the set of functions , then , where .
Any classical computable function can be implemented by a quantum computer, or be implemented as an oracle which is queried on quantum superpositions.
(1) 
where and are the domain and range, respectively. can be briefly written as without leading to any misunderstanding. represents the quantum adversary can access to with quantum superposition queries. represents the (classical or quantum) adversary can access to classically
(2) 
PRF is the basic primitive in modern cryptography. A PRF is a polynomial-time computable function , where , and are the key space, the domain and range, respectively. Denote . are implicit functions of the security parameter . We write or .
Definition 1 (PRF)
A function is PRF, if for any probabilistic polynomial-time (PPT) adversary , the advantage of while distinguishing between a truly random function and the function for a uniformly chosen
is negligible. We write to represent the key is drawn from uniformly and randomly. represents the function is uniformly chosen from . The notations can be briefly written as and .
“ is negligible” means that, for any polynomial , there exists such that .
Pauli gate and gate can be represented as: , , and Hadamard gate is . Given any unitary matrix and a bit string ( is the th bit of the string ), we write to denote . Particularly, .
For two bit strings , define .
We write to represent a quantum message encryption scheme that performs encryption operator and decryption operator using the symmetric key , where is chosen with probability and cannot be reused. Then QOTP can be described by the notation .
II-B Quantum pseudorandom functions
Following the definitions in Ref. [24], there are two security notions of PRF under the quantum computation model. The first notion is standard security, where the quantum adversary can only access the function classically; we denote this kind of PRF as “sPRF”. The second one is quantum security, where the quantum adversary can access the function with quantum superposition queries; we denote this kind of PRF as “qPRF”.
Definition 2 (sPRF)
A PRF is standard secure, if no quantum polynomial-time (QPT) adversary making classical queries can distinguish between a truly random function and the function for a uniformly chosen . That is, for every such , there exists a negligible function such that
Definition 3 (qPRF)
A PRF is quantum secure, if no QPT adversary making quantum queries can distinguish between a truly random function and the function for a uniformly chosen . That is, for every such , there exists a negligible function such that
For sPRF , define . For qPRF , define , where is QPT adversary.
When quantum queries are allowed, QPT adversary has more advantage while distinguishing PRF and truly random function. That is . If , then , where is negligible. Thus, if a PRF is a qPRF, then it is also a sPRF.
How to directly construct a sPRF that is not a qPRF? In fact, the Even-Mansour block cipher is a sPRF [25], but it is not a qPRF [26]. In addition, CBC-MAC is also not quantum-secure as a PRF [27].
Lemma 1
Given a function , if is independent of PRF , then
where is any PPT adversary and is negligible.
Proof:
Define a new quantum adversary , where the adversary is allowed to access to the function classically. Because is independent of , we have
 is a PRF, so is negligible. This completes the proof.
There are two similar results for sPRF and qPRF, respectively.
Lemma 2
Given a function , if is independent of sPRF , then
where is any QPT adversary and is negligible.
Lemma 3
Given a function , if is independent of qPRF , then
where is any QPT adversary and is negligible.
Theorem 3 (Parallel Composition)
If and are two independent sPRFs, then is also a sPRF. That is, for any QPT adversary , there exists a negligible function such that
Proof:
According to Definition 2, if is a sPRF, then for any QPT adversary there exists a negligible function such that
If is a sPRF, then for any QPT adversary there exists a negligible function such that
Thus for any QPT adversary , we have the following deduction according to Lemma 2 and Remark 1.
Let , then is negligible. Let and . This completes the proof.
II-C encryption
In Ref. [13], Yang and Liang have improved the security of quantum McEliece PKE using double-encryption technology. Here, the “double-encryption” is named as “ encryption”. The new name “ encryption” can accurately reflect its structural characteristic.
Based on encryption, a secure quantum encryption scheme can be constructed by combining two insecure ones. is a universal technology for the construction of quantum cryptographic schemes. The basic framework can be summarized in the following three steps: (1) Encrypt using the first insecure quantum encryption scheme; (2) Perform transversal Hadamard transformation; (3) Encrypt again using the second insecure quantum encryption scheme.
Suppose are the two insecure quantum encryption schemes, where ,, represent the key generation, encryption and decryption algorithms, respectively. is the transversal Hadamard transformation being performed on all the input qubits. General framework of encryption is completely described in the following three algorithms.

: , output ;

: , output ;

: , output .
The two encryption schemes should satisfy the conditions ,. It is straightforward that
so the combined construction can decrypt the ciphertext correctly.
III Quantum block encryption
III-A Some definitions
 is a kind of symmetric-key quantum encryption scheme, where each key is chosen with probability and cannot be reused. In this section, we propose the QBE scheme, which is another kind of symmetric-key scheme, and its secret key can be reused many times.
Definition 4 (QBE)
QBE scheme is defined by a triplet , where are key generation, encryption and decryption algorithms, respectively. is the key space, and and are the quantum plaintext/ciphertext spaces. The randomness is optional.

: Given a security parameter , it generates a secret key ;

: Choose a random number and perform the encryption transformation with the key ;

: Perform the decryption transformation with the key .
These algorithms satisfy the condition
Similar to the security notions of classical encryption, we can define the quantum versions of indistinguishability (IND) and indistinguishability against chosen plaintext attack (IND-CPA). These definitions can also be found in Refs. [14], [16], [28]. Notice that indistinguishability for quantum encryption is originally defined in Ref. [28]. Later, Broadbent and Jeffery [33] present a definition of quantum IND-CPA with an interactive game, and give no explicit definition of IND. Following the definition in Ref. [33], Ref. [16] defines IND, IND-CPA and IND-CCA in an incremental way instead of an interactive game. The incremental definition is very brief and is adopted in our manuscript.
Definition 5 (IND)
A QBE scheme is IND-secure, if for any QPT adversary ,
where is negligible, are arbitrary quantum states chosen by the adversary from , , and the probability in these terms is taken over the internal randomness of the algorithms , and .
Next, we introduce another definition of IND.
Definition 6 (IND)
A QBE scheme is IND-secure, if for any QPT adversary ,
where is negligible, is arbitrary quantum state chosen by the adversary from , , and the probability in these terms is taken over the internal randomness of the algorithms , and .
Obviously, the two definitions of IND are equivalent. The reason is as follows: (1) if a QBE scheme satisfies Definition 5, let , then the QBE scheme satisfies Definition 6 too; (2) if a QBE scheme satisfies Definition 6, then and the QBE scheme satisfies Definition 5 too.
Definition 7 (IND-CPA)
A QBE scheme is IND-CPA-secure, if it is IND-secure when the QPT adversary is allowed to access the encryption oracle , where is the secret key.
IND and IND-CPA define the computational security. In addition, we can define information-theoretic security, e.g. perfect security. Actually, QOTP is a kind of perfectly secure quantum encryption. In quantum cryptography, there exist some other cryptographic schemes that can achieve perfect security.
Definition 8 (Perfect Security)
In QOTP , a secret key of bits is necessary for perfectly encrypting qubits. Suppose we set a restriction on and such that , then we get a new encryption scheme . The length of the key would decrease to , however, the security will also decrease.
Proposition 1
The quantum encryption scheme is not IND-secure.
Proof:
Suppose . Two quantum states and are chosen as the challenge messages. Consider the two messages are encrypted. The density matrices of the two messages are written as and , respectively.
The key is chosen with probability . Because the adversary does not know the value of , the ciphertexts corresponding to and should be represented as two mixed states , .
The trace distance of the two ciphertexts is , and the adversary can efficiently distinguish the ciphertexts of and . In fact, the adversary chooses as the measurement basis. If the adversary measures in the basis, he can obtain with probability ; if the adversary measures in the basis, he can obtain with probability , and obtain with probability . Thus, the adversary can efficiently distinguish and with successful probability .
For any value of , we choose the two states and as the challenge messages, and analyze the security in the same way. Then the adversary can efficiently distinguish their ciphertexts with successful probability . This completes the proof.
III-B An insecure construction from classical block encryption
Next, we introduce the PRF-based classical BE scheme , and construct a QBE scheme which is insecure.
Construction 1 (Construction 5.3.9 in Ref. [29]): Let be a PRF. Define classical BE scheme as follows.

: , output ;

: , output ;

: , output .
Based on the classical scheme , we can construct a QBE scheme for encrypting any qubit message.
Construction 2: Let be a classical BE scheme defined in Construction 1, define the QBE scheme as follows.

: , output ;

: , output ;

: , output .
Assume without loss of generality that the quantum message is a pure state , where . According to the encryption operator defined in Construction 2, the obtained ciphertext is also pure state, which can be written as .
Next we show that the QBE scheme in Construction 2 is insecure.
Theorem 4
The QBE scheme in Construction 2 is not IND-secure.
Proof:
Choose two quantum plaintexts and . Suppose the secret key is , the ciphertexts of and are
With respect to the adversary (who does not know the key ), the ciphertexts of and should be written in the mixed states as follows.
The adversary performs quantum measurement on the ciphertexts in the basis . Because , while measuring its ciphertext, the outcome would be with probability ; while measuring the ciphertext of , the outcome would be with probability at most . Thus, the adversary can successfully distinguish the two ciphertexts with probability at least . This completes the proof.
Theorem 4 can be extended to the case that replacing with any quasi-length-preserving encryption scheme. See the eprint version of Ref. [30] for the definition of quasi-length-preserving encryption.
Theorem 5
Given any quasi-length-preserving classical BE scheme, the QBE scheme constructed according to Construction 2 is not IND-secure.
Proof:
The proof is similar to Theorem 4.
From Theorems 4 and 5, it is insecure to use any quasi-length-preserving classical BE schemes in the following two cases. The first case is that the classical scheme is directly used to encrypt quantum superpositions on the quantum computer. The second case is that the classical scheme is embedded into the quantum cryptographic protocols.
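The single-layer weakness of Theorem 4 and the three-step framework of Section II-C (encrypt, transversal Hadamard, encrypt again) can be checked on a small state-vector simulation; this is an added example, not code from the paper. It assumes the pad layer acts as XOR on basis labels, uses HMAC-SHA256 as a stand-in PRF, and averages over uniform pads to model an adversary who lacks them; all function names are hypothetical.

```python
import hashlib, hmac, itertools, math, secrets

N_QUBITS = 3                      # small enough to enumerate every pad
DIM = 1 << N_QUBITS

def prf(key: bytes, r: bytes) -> int:
    """n-bit pad F_k(r). HMAC-SHA256 is an assumed stand-in for the PRF."""
    return int.from_bytes(hmac.new(key, r, hashlib.sha256).digest(), "big") % DIM

def xor_pad(state, pad):
    """Assumed pad layer: classical pad on basis labels, |x> -> |x XOR pad>."""
    out = [0j] * DIM
    for x, amp in enumerate(state):
        out[x ^ pad] = amp
    return out

def hadamard_all(state):
    """Transversal Hadamard on all qubits (fast Walsh-Hadamard transform)."""
    s, h = list(state), 1
    while h < DIM:
        for i in range(0, DIM, 2 * h):
            for j in range(i, i + h):
                s[j], s[j + h] = s[j] + s[j + h], s[j] - s[j + h]
        h *= 2
    return [a / math.sqrt(DIM) for a in s]

def three_step(state, pad1, pad2):
    """(1) pad layer, (2) transversal Hadamard, (3) second pad layer."""
    return xor_pad(hadamard_all(xor_pad(state, pad1)), pad2)

def three_step_inverse(state, pad1, pad2):
    """Undo the layers in reverse order; each layer is its own inverse."""
    return xor_pad(hadamard_all(xor_pad(state, pad2)), pad1)

def encrypt(k1, k2, state):
    """Keys are reusable; the randomness r1, r2 is drawn fresh on every call."""
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return (r1, r2), three_step(state, prf(k1, r1), prf(k2, r2))

def decrypt(k1, k2, rand, ciphertext):
    r1, r2 = rand
    return three_step_inverse(ciphertext, prf(k1, r1), prf(k2, r2))

def averaged_density(state, layers):
    """Ciphertext density matrix for someone without the pads (uniform pads)."""
    rho = [[0j] * DIM for _ in range(DIM)]
    pads = list(itertools.product(range(DIM), repeat=layers))
    for p in pads:
        ct = xor_pad(state, p[0]) if layers == 1 else three_step(state, *p)
        for i in range(DIM):
            for j in range(DIM):
                rho[i][j] += ct[i] * ct[j].conjugate() / len(pads)
    return rho

def prob_all_plus(rho):
    """Probability that a Hadamard-basis measurement returns all-plus."""
    return sum(sum(row) for row in rho).real / DIM

# Constructed sample plaintexts: |0...0> and the uniform superposition |+...+>.
ZERO = [1 + 0j] + [0j] * (DIM - 1)
PLUS = [1 / math.sqrt(DIM) + 0j] * DIM

def distinguishing_gap(layers):
    """Gap in the all-plus outcome probability between the two plaintexts."""
    return abs(prob_all_plus(averaged_density(PLUS, layers))
               - prob_all_plus(averaged_density(ZERO, layers)))

if __name__ == "__main__":
    print("single pad layer gap:", round(distinguishing_gap(1), 6))
    print("three-step gap      :", round(distinguishing_gap(2), 6))
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    rand, ct = encrypt(k1, k2, PLUS)
    back = decrypt(k1, k2, rand, ct)
    print("round trip ok:", all(abs(a - b) < 1e-12 for a, b in zip(back, PLUS)))
```

With a single pad layer the uniform superposition is left unchanged, so the Hadamard-basis measurement separates the two plaintexts; with the Hadamard layer between two pads both averaged ciphertexts are the maximally mixed state.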
III-C IND-CPA quantum block encryption
If and are PRFs, two insecure QBE schemes can be defined following the constructions in Section IIIB. Denote the two schemes as and , respectively. Next, we propose a secure QBE scheme following the framework of encryption.
Construction 3: Given two schemes and , define a new QBE scheme as follows.

: , , output ;

: ,, , output ;

: , , , output .
According to the QBE scheme defined in Construction 3, we encrypt qubits with the keys , and obtain
(3) 
where .
We decrypt the ciphertext with the keys , and obtain
(4) 
Notice that
(5) 
Then we can make a slight modification to the encryption/decryption operators (in Equations (3) and (4)) as follows.
(6)  
(7) 
It can be seen that, the only modification is that the quantum operator is discarded. Because the operator does not contain variable parameters, the modification would not affect its security essentially. However, there exists a slight disadvantage that is analyzed as follows.
Upon the modifications (defined by Equations (6) and (7)), if is encrypted with the keys and the randomness are , then the ciphertext would be (ignoring the global phase which depends on ); if the ciphertext is encrypted and the same randomness are used, then the original message would be restored. In the same way, we consider the original QBE scheme (defined by Equations (3) and (4)). If is encrypted twice in sequence using the same randomness, then we can obtain , instead of . For this tiny difference, we decide to choose the original scheme in Construction 3. That is, the Hadamard transformation is kept in the scheme.
It can be seen that the QBE scheme is very similar to QOTP. The difference is that the QOTP key is replaced with the pseudorandom numbers generated from the PRFs with the keys and randomness . According to Construction 3, the keys of the PRFs (or classical BE schemes) are used as the key of QBE scheme . Because the keys of the PRFs (or classical BE schemes) can be reused, the key of can also be reused. However, the randomness cannot be reused, or else the security would decrease. The proof is as follows.
Proposition 2
For the QBE scheme defined in Construction 3, if it is allowed to reuse the randomness , then the scheme is not IND-CPA-secure.
Proof:
Let be the secret key of QBE scheme, and choose the randomness . For the first time, the sender encrypts the quantum message , and obtains the ciphertext
In the CPA model, the adversary is allowed to access to the quantum encryption oracle. Given the input , the adversary can query the quantum encryption oracle . If the randomness are reused, then the adversary would obtain the new ciphertext