Quantum entropic security and approximate quantum encryption
Abstract
An encryption scheme is said to be entropically secure if an adversary whose minentropy on the message is upper bounded cannot guess any function of the message. Similarly, an encryption scheme is entropically indistinguishable if the encrypted version of a message whose minentropy is high enough is statistically indistinguishable from a fixed distribution. We present full generalizations of these two concepts to the encryption of quantum states in which the quantum conditional minentropy, as introduced by Renner, is used to bound the adversary’s prior information on the message. A proof of the equivalence between quantum entropic security and quantum entropic indistinguishability is presented. We also provide proofs of security for two different ciphers in this model and a proof for a lower bound on the key length required by any such cipher. These ciphers generalize existing schemes for approximate quantum encryption to the entropic security model.
quantum information, cryptography, entropic security
I Introduction
\PARstartSemantic security, whether it is computational, as introduced in [1], information theoretic in a classical setting, as introduced in [2] and [3], or information theoretic in a limited quantum setting, as introduced in [4], contrasts the capabilities of two adversaries: one () that has access to an encrypted version of the message, and another () that does not. Their abilities to predict a function on the initial message are compared. Of course seems to be at a tremendous disadvantage: it has access to nothing but the prior distribution of the plain text, whereas also has access to an encrypted version of the plain text and could potentially use imperfections in the encryption scheme to gain an advantage. However, this can become a way to bound these imperfections: an encryption scheme is considered semantically secure if, for every adversary , there exists an that can predict every function on the plaintext almost as well as without even having access to the encrypted message. This is a very strong security criterion, especially in the information theoretic setting.
Perhaps surprisingly, it is possible to construct semantically secure encryption schemes which, depending on their setting, make very few assumptions on and yet do not require keys to be as long as the message. In the computational setting, Goldwasser and Micali [1] had as a constraint that both and were probabilistic polynomialtime machines. In their model, they could construct encryption schemes which, on all message distributions, would render as useless as . In the information theoretic setting, introduced by Russell and Wang [2] and expanded upon by Dodis and Smith [3], no computational limitation is imposed on or . In order to achieve significant key size reduction, a limit on the prior knowledge of on the plain text space is assumed. In fact, a lower bound on the minentropy of the message space is assumed: the most probable message is not too probable. For this reason, this concept is called entropic security in the context of informationtheoretic security. In the quantum information theoretic setting, as introduced by Desrosiers [4], the exact same restriction on the minentropy is imposed on , except that this time messages are quantum states which are further assumed to be unentangled with any quantum system that the adversary might possess. If these two restrictions are satisfied, one can construct encryption schemes for the quantum setting which have exactly the same key size as in the classical setting: for an qubit message which is assumed to have a minentropy of at least , then we need bits of key to encrypt it securely (where is a security parameter).
In this paper we remove one of those two restrictions. Of course, the limit on the minentropy of the adversary on the message space is hard to remove: it is the essence of entropic security. However, it has to be modified in order to get robust definitions of security in the presence of entanglement between the sender and the adversary. The notion of quantum conditional minentropy as introduced by Renner in [5] will be used to bound the prior “knowledge” of the adversary. This new notion of minentropy allows us to remove the noentanglement restriction and replace it by something more general. Indeed, if a state is not entangled, we have an implicit lower bound of zero on the conditional minentropy, whereas in the general case, the conditional minentropy of the adversary on an qubit system held by the sender ranges between and . It turns out that the key size remains the same in this model: for an qubit message about which the eavesdropper has a minentropy of at least , we still need a key of bits. In the extreme case where we have no bound at all on the minentropy, this reduces to , which is in total agreement with the standard result of Ambainis, Mosca, Tapp and de Wolf [6].
Note that this generalizes the existing literature on approximate quantum encryption. In [7], Hayden, Leung, Shor and Winter considered the task of approximately encrypting quantum states assuming that the adversary is not entangled with the sender. They showed, using a randomized argument, that, while we need bits of key to perfectly encrypt an qubit quantum message, there exists a scheme requiring bits of key. Ambainis and Smith [8] then gave two explicit constructions of an approximate quantum encryption scheme under the same assumption requiring and bits of key respectively. Here we recover and generalize these results.
More recently, Fehr and Schaffner [9] gave a classical encryption scheme which is entropically secure against an adversary that has access to quantum information about the classical message. Our work also generalizes this result: when our encryption schemes are applied to a classical message, the resulting ciphertext remains classical, and the proof of security still works against quantum adversaries.
We introduce our model and definitions in section III and show in section IV that the two security definitions we give are equivalent. We also prove, in section V, that two encryption schemes introduced by Ambainis and Smith [8] and by Dodis and Smith [3] (and generalized to the quantum world by Desrosiers [4]) are still secure using this new definition and require the same amount of key as in the limited quantum model of [4]. Finally, in section VI, we generalize a proof of Dodis and Smith to show that an entropic scheme that can encrypt any qubit state having a conditional minentropy of at least requires at least bits of uniform key.
Ii Notation and preliminaries
A quantum state is defined as a positive semidefinite operator of trace equal to 1 over some Hilbert space . By the spectral decomposition theorem, , where the form a basis for the space in which the quantum state lives and the are nonnegative real numbers that sum up to one. This can be interpreted this way: if is measured in the basis , then it behaves as a source that will output with probability the state .^{1}^{1}1For a thorough introduction to quantum information theory, see [10]
The partial trace can be seen as a kind of inverse to the tensor product operation. For any bipartite state , we have that ; the normal interpretation for such an operator is that if a physical state lives in the space but one only has access to the system to measure the state, then the statistics obtained are in agreement with . The partial trace can be defined as:
(1) 
where the vectors form any orthonormal basis for the subspace . In fact, this is equivalent to doing a complete measurement of the subsystem followed by a loss of the result and of the subsystem; what is left in our hands is .
Throughout this paper, we will use superscripts for density matrices to indicate on which subsystems they are defined; for example, is a density operator on the Hilbert space . By convention, when we omit certain subsystems from the superscript, we mean that we take the partial trace over the subsystems that are absent; i.e. . We will refer to the dimension of the Hilbert space by .
We will use as our main distance measure the trace distance which is defined as
(2) 
where is defined as , which is simply for a Hermitian operator . As [11] and chapter 9 in [10] tell us, for any two states and there exists an optimal adversary which can distinguish between them with probability ; no adversary can do better.
Another useful distance measure is known as the fidelity: given two density operators and , their fidelity is defined as . If is a pure state , this is equal to .
We will also frequently make use of operator inequalities: given two Hermitian operators and , we will say that iff is positive semidefinite.
Also, we denote by the concatenation of the bit strings and . , where is an bit string, means . We shall also write for the space of linear operators on the Hilbert space . Finally, we denote by the inner product modulo of the strings and : .
Iii Model and definitions
Entropic security as introduced by Russell and Wang [2] and generalized by Dodis and Smith [3] uses the definition of classical minentropy to represent the adversary’s knowledge on the sender’s message space. Let be a random variable over the message space and let take value with probability . Then the minentropy of , written is defined to be .
Desrosiers introduced in [4] a quantum version of these security definitions for the case where the eavesdropper and the sender are neither entangled nor correlated. In this setting, a message is chosen at random with probability in a valid interpretation of a state . Here the adversary’s a priori uncertainty is quantified by the quantum minentropy, where is the spectral decomposition of . The joint system of the sender and the adversary was considered to contain no correlations: i.e. , where represents the eavesdropper’s system.
In this paper, we shall show that we can fully generalize these security definitions to the quantum setting, where no assumption on the entanglement between the sender and the adversary is made. The only restriction on the adversary will be quantified by the following definition introduced by Renner (see [5]) in his proof that the BB84 scheme, the original quantum key distribution protocol, is secure in the most general setting. We shall make no other assumption on the sendereavesdropper system than the eavesdropper’s conditional minentropy.
Definition 1 (Quantum conditional minentropy).
For any quantum state shared between the eavesdropper and the sender, we define the conditional minentropy of given as
where ranges over all normalized density operators over .
According to [12], we can express the quantum conditional minentropy as
where the maximization is taken over all CPTP maps and where .
One can prove a few properties about conditional minentropy which will be handy later on. First, this lemma:
Lemma 1.
Let the joint state of the sender and the adversary be , then .
Proof.
Since the first and last lines are the same, the two inequalities are, in fact, equalities, and hence . ∎
We can conclude from this lemma that if the sender and the adversary are not correlated, then the earlier results of [4] can be used.
Furthermore, König, Renner and Schaffner [12] show that for a state of the form (i.e. holds classical information and holds a quantum state containing partial information on ), the quantum conditional minentropy characterizes Eve’s optimal probability of guessing by measuring :
Note also that if the and systems are in a maximally entangled state , where , then
(3) 
Hence, the quantum conditional minentropy ranges from to for an qubits system and, as is the case with the von Neumann conditional entropy, negative values arise from purely quantum effects.
In our model, we will consider a protocol to be secure if the adversary is incapable of obtaining classical information about the message encoded in any basis. We will therefore model the adversary as a POVM on the encrypted message together with the adversary’s side information. Since entropic security, even in the classical case (see [3]), does not have good composability properties (i.e. the security of the scheme does not necessarily imply that it can be securely embedded in a larger cryptographic protocol), we will not consider adversaries that keep quantum information without measuring it in the hopes of mounting a more effective attack later after having received more information. We are interested in the predictive capabilities of an adversary that was given — see below for the formal definition of a cipher — compared to those of an adversary that was not given such a state in predicting a function of . Since our adversary is a POVM, we take its output to be a prediction of the function . We shall denote the random variable that is the output of on any given state by ; that is, if is the set of POVM elements associated with , then is a random variable which takes the value with probability .
An encryption scheme is a set of superoperators indexed by a uniformly distributed key such that for each there exists an inverting operator such that for all , with probability one we have
(4) 
The view of the adversary is then . To simplify the notation, we will write instead of from now on. Note that in general, maps systems on space to systems on space ; the dimension of could be larger than the dimension of .
Both [3] and [4] presented security definitions equivalent in their respective models to the following two security definitions.
Note that throughout this paper, we shall be mostly concerned with encryption schemes where the message to be sent consists of qubits; therefore from now on.
Definition 2 (Entropic Security).
An encryption system is entropically secure if for all states such that , all interpretations , all adversaries and all functions , there exists an such that we have: ^{2}^{2}2One can also get an equivalent definition by using functions on the states rather than on the indices .
(5) 
Note that everywhere, we take probabilities over all and all randomness used by the adversaries and the cipher.
Definition 3 (Entropic Indistinguishability).
An encryption system is indistinguishable if there exists a state such that for all states such that we have that:
(6) 
Iv Equivalence between the two security definitions
This section will show that an encryption scheme which is entropically secure is entropically indistinguishable, and viceversa, up to small variations in the and parameters. Before presenting these proofs, however, we will need an additional definition and a technical lemma. The following variation on entropic security will prove to be useful in the sequel:
Definition 4 (Strong entropic security).
An encryption system is strongly entropically secure if for all states such that , all interpretations , all adversaries , and all functions , we have
(7) 
Note that in this case both uses of are independent. Strong entropic security clearly implies regular entropic security, since used on and an encrypted message independent of (which can be prepared by Eve in her lab) is a valid choice for .
The following lemma says that one does not need to consider all possible functions, but one can restrict the analysis to predicates:
Lemma 2.
Let be a state, be an interpretation, be a cipher, be a function and be an adversary such that
then there exist an adversary and a predicate such that
Proof.
Let our predicate be a GoldreichLevin predicate [13], that is . Let and . Then we know that . Let us compute
(8) 
where the expectation is taken over all of adequate size. We need two observations. First, when predicts correctly, then . Second, when does not predict correctly, the probability that is exactly one half. Hence Equation (8) reduces to
(9) 
Thus there exists at least one value such that the following is true:
The lemma is proven if adversary is defined, using this appropriate , as . ∎
Theorem 1.
entropic indistinguishability implies strong entropic security for all functions.
Proof.
We shall prove the contrapositive. Suppose there exists an adversary , a state such that , an interpretation for and a function such that
(10) 
Then we know from Lemma 2 that there exists another adversary and a predicate such that strong entropic security is violated. Let’s call this adversary and let us define the sets and as follows:
(11)  
(12) 
Define the following:
Note that . Now, define the following states:
(13)  
(14) 
where, as usual, . We need the following lemma to finish the proof.
Lemma 3.
Assuming , we then have that both and are at least .
Proof.
We have that
(15) 
We now bound the second term using the original definition of the conditional minentropy:
(16) 
Substituting this into the last line of (15) yields . Of course, an identical calculation yields the same result for . ∎
To finish the proof of Theorem 1 , we want to show that can distinguish from with probability strictly better than . Let’s denote by the probability that will correctly distinguish from in an mixture, and by the probability that will correctly distinguish from in an , mixture. Also assume without loss of generality that (otherwise consider an adversary identical to but which returns the opposite answer). Now assume that we feed it with probability and with probability . Observe that this is exactly as if we gave it an mixture of and with probability and an mixture of and with probability . We then have that the probability of distinguishing from using is
since the correct answer is reversed for and .
But by the assumption that violates entropic security, we know that
Hence, the probability of distinguishing from is at least , which implies that for all we have:
and therefore either or , which is a violation of indistinguishability.
∎
Theorem 2.
entropic security implies indistinguishability as long as .
Proof.
We will prove the contrapositive. Let and let be a state such that and . Consider the following state
.
We show that :
Since , we know that there exists an adversary that can distinguish from with probability at least . Let’s call this adversary , and let’s assume that it gives the right answer with probability when it is given and with probability when it is given . We then have .
Now, consider the following interpretation of :
(17) 
where and . We shall show that violates entropic security for , with this interpretation and the function .
First of all, it is clear that by having access only to Eve’s system, no adversary can guess the value of with a probability greater than . Let us now determine what can do by having access to the encrypted version of . One possible strategy for is to try to distinguish between and and return 1 when it gets and randomly return either 2 or 3 when it gets . We then have:
Finally we get that for all adversaries ,
a violation of entropic security. ∎
V Two encryption schemes
Before presenting the ciphers, we will give some definitions and technical lemmas which will be used in the presentation of both encryption schemes.
First, we define the following shortcut for any matrix :
(18) 
We also define
(19) 
for any state , where is a state such that .
Lemma 4.
For every density matrix , we have that .
Proof.
Let be an orthonormal basis for . Since Pauli matrices form an orthonormal basis for , we have
(20)  
(21)  
(22)  
(23) 
∎
We will also make use of the following lemma (Lemma 5.1.3 in [5]):
Lemma 5.
Let S be a Hermitian operator and let be any positive definite operator. Then
Va A scheme based on biased sets
In [8], Ambainis and Smith introduced an approximate quantum encryption scheme based on biased sets. Here, we shall show that if , then the AmbainisSmith scheme is secure using bits of key, where is the logarithm of as usual.
Definition 5 (biased set).
A set is said to be biased if and only if for every , we have that .
There exist several efficient constructions of biased sets ([14, 15, 16]); following [3], we will use the one from [16], which yields sets of size (note that Dickinson and Nayak [17] improve this to ).
The AmbainisSmith scheme consists of applying an operator at random from the set
where is a biased set containing strings of length . The shared private key is used to index one of the operators. In other words, the encryption operator is
We shall now prove that this scheme is secure in our framework. The following lemma contains most of the proof, and the main theorem follows:
Lemma 6.
For any state with , we have that
(24) 
Proof.
Let be a state such that and write
(25) 
This is due to Lemma 5, with ; without loss of generality, we can assume that has full rank by considering to be the support of . We continue by applying Lemma 4 on :
(26) 
and therefore
(27)  
(28) 
where , and since , we can neglect the term , and hence .
We now compute the trace in (25) as follows:
(29) 
where

comes from the fact that is Hermitian, hence taking its adjoint leaves it unchanged;

is true because terms in which the pairs are not the same in both sums disappear when we take the trace;

because and every term in the sum has a nonnegative trace since .

is justified below;

is due to Lemma 4; and

comes from the fact that .
To justify , we first observe that , where . Hence,
(30) 
Step then follows when we combine this with the observation that , if , and : the first sum is what we want to bound; the two sums in the middle evaluate to the zero matrix; and in the last sum, only the 00 term remains, which clearly has a positive trace.
The main theorem now easily follows:
Theorem 3.
If , then the AmbainisSmith scheme is secure using bits of key, where .
VB A scheme based on XORuniversal functions
Our second scheme based on XORuniversal functions can be considered as a quantum version of the scheme given in [3]. This scheme can also be viewed as a generalization of the second scheme of [8].
Definition 6.
Let be a finite family of functions from bit strings to bit strings. We say the family is stronglyXORuniversal if for all bit strings , , and such that we have
where is distributed uniformly over . The family proposed in [3] naturally possesses this property if one allows to be zero.
We define our second cipher as follows. Let be a stronglyXORuniversal family of functions. The encryption operator for the key is defined as
(32) 
where , , and is the secret key selected uniformly at random from a set . The overall cipher can be described by the superoperator
(33) 
The structure of is irrelevant; only its cardinality matters for the security of the scheme. Not that this scheme is not length preserving since the ancillary system