Quantum entropic security and approximate quantum encryption

# Quantum entropic security and approximate quantum encryption

Simon Pierre Desrosiers and Frédéric Dupuis F. Dupuis is with the Université de Montréal and McGill University. email: dupuisf@iro.umontreal.caS. P. Desrosiers is with McGill University, email: simonpie@cs.mcgill.ca
###### Abstract

An encryption scheme is said to be entropically secure if an adversary whose min-entropy on the message is upper bounded cannot guess any function of the message. Similarly, an encryption scheme is entropically indistinguishable if the encrypted version of a message whose min-entropy is high enough is statistically indistinguishable from a fixed distribution. We present full generalizations of these two concepts to the encryption of quantum states in which the quantum conditional min-entropy, as introduced by Renner, is used to bound the adversary’s prior information on the message. A proof of the equivalence between quantum entropic security and quantum entropic indistinguishability is presented. We also provide proofs of security for two different ciphers in this model and a proof for a lower bound on the key length required by any such cipher. These ciphers generalize existing schemes for approximate quantum encryption to the entropic security model.

{keywords}

quantum information, cryptography, entropic security

## I Introduction

\PARstart

Perhaps surprisingly, it is possible to construct semantically secure encryption schemes which, depending on their setting, make very few assumptions on and yet do not require keys to be as long as the message. In the computational setting, Goldwasser and Micali [1] had as a constraint that both and were probabilistic polynomial-time machines. In their model, they could construct encryption schemes which, on all message distributions, would render as useless as . In the information theoretic setting, introduced by Russell and Wang [2] and expanded upon by Dodis and Smith [3], no computational limitation is imposed on or . In order to achieve significant key size reduction, a limit on the prior knowledge of on the plain text space is assumed. In fact, a lower bound on the min-entropy of the message space is assumed: the most probable message is not too probable. For this reason, this concept is called entropic security in the context of information-theoretic security. In the quantum information theoretic setting, as introduced by Desrosiers [4], the exact same restriction on the min-entropy is imposed on , except that this time messages are quantum states which are further assumed to be unentangled with any quantum system that the adversary might possess. If these two restrictions are satisfied, one can construct encryption schemes for the quantum setting which have exactly the same key size as in the classical setting: for an -qubit message which is assumed to have a min-entropy of at least , then we need bits of key to encrypt it securely (where is a security parameter).

In this paper we remove one of those two restrictions. Of course, the limit on the min-entropy of the adversary on the message space is hard to remove: it is the essence of entropic security. However, it has to be modified in order to get robust definitions of security in the presence of entanglement between the sender and the adversary. The notion of quantum conditional min-entropy as introduced by Renner in [5] will be used to bound the prior “knowledge” of the adversary. This new notion of min-entropy allows us to remove the no-entanglement restriction and replace it by something more general. Indeed, if a state is not entangled, we have an implicit lower bound of zero on the conditional min-entropy, whereas in the general case, the conditional min-entropy of the adversary on an -qubit system held by the sender ranges between and . It turns out that the key size remains the same in this model: for an -qubit message about which the eavesdropper has a min-entropy of at least , we still need a key of bits. In the extreme case where we have no bound at all on the min-entropy, this reduces to , which is in total agreement with the standard result of Ambainis, Mosca, Tapp and de Wolf [6].

Note that this generalizes the existing literature on approximate quantum encryption. In [7], Hayden, Leung, Shor and Winter considered the task of approximately encrypting quantum states assuming that the adversary is not entangled with the sender. They showed, using a randomized argument, that, while we need bits of key to perfectly encrypt an -qubit quantum message, there exists a scheme requiring bits of key. Ambainis and Smith [8] then gave two explicit constructions of an approximate quantum encryption scheme under the same assumption requiring and bits of key respectively. Here we recover and generalize these results.

More recently, Fehr and Schaffner [9] gave a classical encryption scheme which is entropically secure against an adversary that has access to quantum information about the classical message. Our work also generalizes this result: when our encryption schemes are applied to a classical message, the resulting ciphertext remains classical, and the proof of security still works against quantum adversaries.

We introduce our model and definitions in section III and show in section IV that the two security definitions we give are equivalent. We also prove, in section V, that two encryption schemes introduced by Ambainis and Smith [8] and by Dodis and Smith [3] (and generalized to the quantum world by Desrosiers [4]) are still secure using this new definition and require the same amount of key as in the limited quantum model of [4]. Finally, in section VI, we generalize a proof of Dodis and Smith to show that an entropic scheme that can encrypt any -qubit state having a conditional min-entropy of at least requires at least bits of uniform key.

## Ii Notation and preliminaries

A quantum state is defined as a positive semidefinite operator of trace equal to 1 over some Hilbert space . By the spectral decomposition theorem, , where the form a basis for the space in which the quantum state lives and the are non-negative real numbers that sum up to one. This can be interpreted this way: if is measured in the basis , then it behaves as a source that will output with probability the state .111For a thorough introduction to quantum information theory, see [10]

The partial trace can be seen as a kind of inverse to the tensor product operation. For any bipartite state , we have that ; the normal interpretation for such an operator is that if a physical state lives in the space but one only has access to the system to measure the state, then the statistics obtained are in agreement with . The partial trace can be defined as:

 TrA(ρAB)≜∑i(⟨ri|A⊗IB)ρAB(|ri⟩A⊗IB) (1)

where the vectors form any orthonormal basis for the subspace . In fact, this is equivalent to doing a complete measurement of the subsystem followed by a loss of the result and of the subsystem; what is left in our hands is .

Throughout this paper, we will use superscripts for density matrices to indicate on which subsystems they are defined; for example, is a density operator on the Hilbert space . By convention, when we omit certain subsystems from the superscript, we mean that we take the partial trace over the subsystems that are absent; i.e. . We will refer to the dimension of the Hilbert space by .

We will use as our main distance measure the trace distance which is defined as

 ∥ρ−σ∥1≜Tr(|ρ−σ|), (2)

where is defined as , which is simply for a Hermitian operator . As [11] and chapter 9 in [10] tell us, for any two states and there exists an optimal adversary which can distinguish between them with probability ; no adversary can do better.

Another useful distance measure is known as the fidelity: given two density operators and , their fidelity is defined as . If is a pure state , this is equal to .

We will also frequently make use of operator inequalities: given two Hermitian operators and , we will say that iff is positive semidefinite.

Also, we denote by the concatenation of the bit strings and . , where is an -bit string, means . We shall also write for the space of linear operators on the Hilbert space . Finally, we denote by the inner product modulo of the strings and : .

## Iii Model and definitions

Entropic security as introduced by Russell and Wang [2] and generalized by Dodis and Smith [3] uses the definition of classical min-entropy to represent the adversary’s knowledge on the sender’s message space. Let be a random variable over the message space and let take value with probability . Then the min-entropy of , written is defined to be .

Desrosiers introduced in [4] a quantum version of these security definitions for the case where the eavesdropper and the sender are neither entangled nor correlated. In this setting, a message is chosen at random with probability in a valid interpretation of a state . Here the adversary’s a priori uncertainty is quantified by the quantum min-entropy, where is the spectral decomposition of . The joint system of the sender and the adversary was considered to contain no correlations: i.e. , where represents the eavesdropper’s system.

In this paper, we shall show that we can fully generalize these security definitions to the quantum setting, where no assumption on the entanglement between the sender and the adversary is made. The only restriction on the adversary will be quantified by the following definition introduced by Renner (see [5]) in his proof that the BB84 scheme, the original quantum key distribution protocol, is secure in the most general setting. We shall make no other assumption on the sender-eavesdropper system than the eavesdropper’s conditional min-entropy.

###### Definition 1 (Quantum conditional min-entropy).

For any quantum state shared between the eavesdropper and the sender, we define the conditional min-entropy of given as

where ranges over all normalized density operators over .

According to [12], we can express the quantum conditional min-entropy as

 2−H∞(A|E)ρ=dAmaxE⟨Φ|E(ρAE)|Φ⟩

where the maximization is taken over all CPTP maps and where .

One can prove a few properties about conditional min-entropy which will be handy later on. First, this lemma:

###### Lemma 1.

Let the joint state of the sender and the adversary be , then .

###### Proof.
 2−H∞(A|E)ρ =minσEmin{λ:λIA⊗σE⩾ρA⊗ρE} ⩾min{λ:λIA⩾ρA} =min{λ:λIA⊗ρE⩾ρA⊗ρE} ⩾minσEmin{λ:λIA⊗σE⩾ρA⊗ρE}.

Since the first and last lines are the same, the two inequalities are, in fact, equalities, and hence . ∎

We can conclude from this lemma that if the sender and the adversary are not correlated, then the earlier results of [4] can be used.

Furthermore, König, Renner and Schaffner [12] show that for a state of the form (i.e. holds classical information and holds a quantum state containing partial information on ), the quantum conditional min-entropy characterizes Eve’s optimal probability of guessing by measuring :

 pguess=2−H∞(A|E)ρ

Note also that if the and systems are in a maximally entangled state , where , then

 H∞(A|E)ρ=−n. (3)

Hence, the quantum conditional min-entropy ranges from to for an -qubits system and, as is the case with the von Neumann conditional entropy, negative values arise from purely quantum effects.

An encryption scheme is a set of superoperators indexed by a uniformly distributed key such that for each there exists an inverting operator such that for all , with probability one we have

 (Dk⊗I)((Ek⊗I)(ρ))=ρ. (4)

The view of the adversary is then . To simplify the notation, we will write instead of from now on. Note that in general, maps systems on space to systems on space ; the dimension of could be larger than the dimension of .

Both [3] and [4] presented security definitions equivalent in their respective models to the following two security definitions.

Note that throughout this paper, we shall be mostly concerned with encryption schemes where the message to be sent consists of qubits; therefore from now on.

###### Definition 2 (Entropic Security).

An encryption system is -entropically secure if for all states such that , all interpretations , all adversaries and all functions , there exists an such that we have: 222One can also get an equivalent definition by using functions on the states rather than on the indices .

 ∣∣Pr[A(E(σAEi))=f(i)]−Pr[A′(σEi)=f(i)]∣∣⩽ε. (5)

Note that everywhere, we take probabilities over all and all randomness used by the adversaries and the cipher.

###### Definition 3 (Entropic Indistinguishability).

An encryption system is -indistinguishable if there exists a state such that for all states such that we have that:

 ∥∥E(ρAE)−ΩA′⊗ρE∥∥1<ε. (6)

## Iv Equivalence between the two security definitions

This section will show that an encryption scheme which is entropically secure is entropically indistinguishable, and vice-versa, up to small variations in the and parameters. Before presenting these proofs, however, we will need an additional definition and a technical lemma. The following variation on entropic security will prove to be useful in the sequel:

###### Definition 4 (Strong entropic security).

An encryption system is strongly -entropically secure if for all states such that , all interpretations , all adversaries , and all functions , we have

 (7)

Note that in this case both uses of are independent. Strong -entropic security clearly implies regular -entropic security, since used on and an encrypted message independent of (which can be prepared by Eve in her lab) is a valid choice for .

The following lemma says that one does not need to consider all possible functions, but one can restrict the analysis to predicates:

###### Lemma 2.

Let be a state, be an interpretation, be a cipher, be a function and be an adversary such that

then there exist an adversary and a predicate such that

###### Proof.

Let our predicate be a Goldreich-Levin predicate [13], that is . Let and . Then we know that . Let us compute

 E=∣∣Er[Pr[r⊙A(E(σi))=hr(i)]−Pr[r⊙A(E(ρA)⊗σEi)=hr(i)]]∣∣, (8)

where the expectation is taken over all of adequate size. We need two observations. First, when predicts correctly, then . Second, when does not predict correctly, the probability that is exactly one half. Hence Equation (8) reduces to

 E=∣∣∣1⋅p+12⋅(1−p)−(1⋅q+12⋅(1−q))∣∣∣=∣∣∣p−q2∣∣∣>ε2. (9)

Thus there exists at least one value such that the following is true:

The lemma is proven if adversary is defined, using this appropriate , as . ∎

###### Theorem 1.

-entropic indistinguishability implies strong -entropic security for all functions.

###### Proof.

We shall prove the contrapositive. Suppose there exists an adversary , a state such that , an interpretation for and a function such that

 (10)

Then we know from Lemma 2 that there exists another adversary and a predicate such that strong -entropic security is violated. Let’s call this adversary and let us define the sets and as follows:

 E0 = {i|h(i)=0} (11) E1 = {i|h(i)=1}. (12)

Define the following:

 r0 = ∑i∈E0pi, r1 = ∑i∈E1pi, τAE0 = 1r0⎛⎝∑i∈E0piσAEi⎞⎠ τAE1 = 1r1⎛⎝∑i∈E1piσAEi⎞⎠.

Note that . Now, define the following states:

 ~τAE0 = r0τAE0+r1ρA⊗τE1 (13) ~τAE1 = r1τAE1+r0ρA⊗τE0, (14)

where, as usual, . We need the following lemma to finish the proof.

###### Lemma 3.

Assuming , we then have that both and are at least .

###### Proof.

We have that

 dAmaxE⟨Φ|E(~τAE0)|Φ⟩⩽r0dAmaxE⟨Φ|E(τAE0)|Φ⟩+r1dAmaxE⟨Φ|ρA⊗E(τE1)|Φ⟩⩽dAmaxE⟨Φ|E(ρAE)|Φ⟩+dAmaxE⟨Φ|ρA⊗E(ρE)|Φ⟩⩽2−t+dAmaxE⟨Φ|ρA⊗E(ρE)|Φ⟩ (15)

We now bound the second term using the original definition of the conditional min-entropy:

 (16)

Substituting this into the last line of (15) yields . Of course, an identical calculation yields the same result for . ∎

To finish the proof of Theorem 1 , we want to show that can distinguish from with probability strictly better than . Let’s denote by the probability that will correctly distinguish from in an mixture, and by the probability that will correctly distinguish from in an , mixture. Also assume without loss of generality that (otherwise consider an adversary identical to but which returns the opposite answer). Now assume that we feed it with probability and with probability . Observe that this is exactly as if we gave it an mixture of and with probability and an mixture of and with probability . We then have that the probability of distinguishing from using is

 12η+12(1−α)=12+12(η−α)

since the correct answer is reversed for and .

But by the assumption that violates entropic security, we know that

Hence, the probability of distinguishing from is at least , which implies that for all we have:

 ε <∥∥E(~τAE0)−E(~τAE1)∥∥1 =∥∥(E(~τAE0)−ΩA′⊗ρE)−(E(~τAE1)−ΩA′⊗ρE)∥∥1 ⩽∥∥E(~τAE0)−ΩA′⊗ρE∥∥1+∥∥E(~τAE1)−ΩA′⊗ρE∥∥1

and therefore either or , which is a violation of -indistinguishability.

###### Theorem 2.

-entropic security implies -indistinguishability as long as .

###### Proof.

We will prove the contrapositive. Let and let be a state such that and . Consider the following state

 ˆρAE=13ρAE+23IdA⊗ρE.

.

We show that :

Since , we know that there exists an adversary that can distinguish from with probability at least . Let’s call this adversary , and let’s assume that it gives the right answer with probability when it is given and with probability when it is given . We then have .

Now, consider the following interpretation of :

 ˆρAE=13σAE1+13σAE2+13σAE3 (17)

where and . We shall show that violates entropic security for , with this interpretation and the function .

First of all, it is clear that by having access only to Eve’s system, no adversary can guess the value of with a probability greater than . Let us now determine what can do by having access to the encrypted version of . One possible strategy for is to try to distinguish between and and return 1 when it gets and randomly return either 2 or 3 when it gets . We then have:

 Pr[A(E(σAEi))=h(i)] = 13η1+23η22 = 13(η1+η2) > 13(1+3ε) = 13+ε.

Finally we get that for all adversaries ,

a violation of entropic security. ∎

## V Two encryption schemes

Before presenting the ciphers, we will give some definitions and technical lemmas which will be used in the presentation of both encryption schemes.

First, we define the following shortcut for any matrix :

 Mσuv:=TrA[(ZvXu√dA⊗I)σAE]. (18)

We also define

 ~ρAE:=ρAE−IdA⊗ρE. (19)

for any state , where is a state such that .

###### Lemma 4.

For every density matrix , we have that .

###### Proof.

Let be an orthonormal basis for . Since Pauli matrices form an orthonormal basis for , we have

 σAE =∑uvjXuZv√dA⊗EjTr[(ZvXu√dA⊗E†j)σAE] (20) =∑uvjXuZv√dA⊗EjTr[E†jMσuv] (21) =∑uvXuZv√dA⊗{∑jEjTr[E†jMσuv]} (22) =∑uvXuZv√dA⊗Mσuv. (23)

We will also make use of the following lemma (Lemma 5.1.3 in [5]):

###### Lemma 5.

Let S be a Hermitian operator and let be any positive definite operator. Then

 ∥S∥1⩽√Tr(σ)Tr(Sσ−1/2Sσ−1/2).

### V-a A scheme based on δ-biased sets

In [8], Ambainis and Smith introduced an approximate quantum encryption scheme based on -biased sets. Here, we shall show that if , then the Ambainis-Smith scheme is -secure using bits of key, where is the logarithm of as usual.

###### Definition 5 (δ-biased set).

A set is said to be -biased if and only if for every , we have that .

There exist several efficient constructions of -biased sets ([14, 15, 16]); following [3], we will use the one from [16], which yields sets of size (note that Dickinson and Nayak [17] improve this to ).

The Ambainis-Smith scheme consists of applying an operator at random from the set

 {XaZb:a∥b∈S and |a|=|b|=n}

where is a -biased set containing strings of length . The shared private key is used to index one of the operators. In other words, the encryption operator is

 E(ρAE)=1|S|∑a∥b∈S(XaZb⊗I)ρAE(ZbXa⊗I)

We shall now prove that this scheme is secure in our framework. The following lemma contains most of the proof, and the main theorem follows:

###### Lemma 6.

For any state with , we have that

 ∥∥∥E(ρAE)−IdA⊗ρE∥∥∥1⩽δ√dA2−t (24)
###### Proof.

Let be a state such that and write

 ∥∥∥E(ρAE)−IdA⊗ρE∥∥∥1⩽ ⎷dATr[E(~ρAE)(I⊗σE−12)E(~ρAE)(I⊗σE−12)] (25)

This is due to Lemma 5, with ; without loss of generality, we can assume that has full rank by considering to be the support of . We continue by applying Lemma 4 on :

 ~ρAE=∑uvXuZv√dA⊗M~ρuv (26)

and therefore

 E(~ρAE) =∑uvE(XuZv√dA)⊗M~ρuv (27) =∑uvαuvXuZv√dA⊗M~ρuv (28)

where , and since , we can neglect the term , and hence .

We now compute the trace in (25) as follows:

 (29)

where

• comes from the fact that is Hermitian, hence taking its adjoint leaves it unchanged;

• is true because terms in which the pairs are not the same in both sums disappear when we take the trace;

• because and every term in the sum has a nonnegative trace since .

• is justified below;

• is due to Lemma 4; and

• comes from the fact that .

To justify , we first observe that , where . Hence,

Step then follows when we combine this with the observation that , if , and : the first sum is what we want to bound; the two sums in the middle evaluate to the zero matrix; and in the last sum, only the 00 term remains, which clearly has a positive trace.

Substituting the end result of (29) in (25), we obtain:

 ∥∥∥E(ρAE)−IdA⊗ρE∥∥∥1⩽δ√dA2−t. (31)

The main theorem now easily follows:

###### Theorem 3.

If , then the Ambainis-Smith scheme is -secure using bits of key, where .

###### Proof.

If we choose and construct using the method of [16] such that , by Lemma 6 we obtain using bits of key. ∎

### V-B A scheme based on XOR-universal functions

Our second scheme based on XOR-universal functions can be considered as a quantum version of the scheme given in [3]. This scheme can also be viewed as a generalization of the second scheme of [8].

###### Definition 6.

Let be a finite family of functions from -bit strings to -bit strings. We say the family is strongly-XOR-universal if for all -bit strings , , and such that we have

 Pri[hi(x)⊕hi(y)=a]=12n.

where is distributed uniformly over . The family proposed in [3] naturally possesses this property if one allows to be zero.

We define our second cipher as follows. Let be a strongly-XOR-universal family of functions. The encryption operator for the key is defined as

 Ek(ρ)=1|I|∑i∈I|i⟩⟨i|A′⊗(XaZb⊗IE)ρAE(ZbXa⊗IE) (32)

where , , and is the secret key selected uniformly at random from a set . The overall cipher can be described by the superoperator

 E(ρ)=1|I||K|∑i∈I,k∈K|i⟩⟨i|A′⊗(XaZb⊗IE)ρAE(ZbXa⊗IE). (33)

The structure of is irrelevant; only its cardinality matters fo