Quantum public-key algorithms to encrypt and authenticate quantum messages with information-theoretic security
Abstract
Public-key cryptosystems for quantum messages are considered from two aspects: public-key encryption and public-key authentication. Firstly, we propose a general construction of a quantum public-key encryption scheme, and then construct an information-theoretically secure instance. Then, we propose a quantum public-key authentication scheme, which protects the integrity of quantum messages. This scheme can both encrypt and authenticate quantum messages. It is information-theoretically secure with regard to encryption, and with regard to authentication the success probability of tampering decreases exponentially with the security parameter. Compared with classical public-key cryptosystems, one private-key in our schemes corresponds to an exponential number of public-keys, and every quantum public-key used by the sender is a quantum state unknown to the sender.
keywords:
Quantum cryptography, authentication, quantum public-key, private quantum channel
1 Introduction
There are three kinds of cryptosystems for quantum messages: the quantum no-key protocol yang02; yang11, the private quantum channel (or quantum one-time pad) boykin2000; boykin2002; ambainis2000, and the quantum public-key encryption protocol yang2003a.
The quantum one-time pad boykin2000; boykin2002 was proposed to encrypt qubits using a bit secret key. Pre-sharing a bit secret key is sufficient and necessary for encrypting qubit messages with perfect security. Ambainis et al. ambainis2000 defined the private quantum channel (PQC), which is actually the same as the quantum one-time pad. PQC (or the quantum one-time pad) is a symmetric-key encryption scheme for quantum messages and is considered to have perfect security. Later, others hayden2004; ambainis2004 relaxed the security requirement of PQC and proposed the approximate private quantum channel (APQC) (or approximate randomization of quantum states). This relaxation reduces the length of the pre-shared classical key.
Leung leung2001 proposed another kind of quantum one-time pad with pre-shared EPR pairs as the secret key. In that scheme, the secret key can be reused securely. In addition, zhou2005; zhou2006 studied realizable quantum block encryption algorithms based on simple bitwise quantum computation. All of these are quantum-message-oriented encryption schemes with a pre-shared secret key.
Yang yang2003a constructed the first quantum-message-oriented public-key encryption protocol with a classical private-key and a classical public-key. It is a computationally secure quantum public-key encryption protocol. Kawachi and Portmann kawachi2008 presented another kind of quantum-message-oriented public-key encryption protocol, where the public-key is a quantum state. By analyzing the protocol in terms of the message size and the number of copies of the quantum public-key, they showed that it is bounded information-theoretically secure.
In this paper, we propose a quantum-message-oriented public-key encryption protocol, where one private-key corresponds to an exponential number of quantum public-keys and any two public-keys are different. In this scheme, the quantum public-keys are unknown to the sender, who can only use them. The scheme is proved to be information-theoretically secure.
Quantum authentication scheme (QAS) was first defined by Barnum et al. barnum2002. They showed that any scheme that authenticates quantum messages must also encrypt them, and constructed a quantum-message-oriented symmetric-key authentication scheme with a pre-shared classical key. Their scheme can both encrypt and authenticate qubit messages. To encrypt and authenticate a qubit message into qubits, the sender and receiver need to pre-share a bit classical key, where is the security parameter. Later, yang2003b; yang2010a constructed a quantum-message-oriented public-key authentication scheme without a pre-shared classical key. However, its security is based on computational assumptions. Zhang zhang2009 proposed another type of QAS that authenticates the identity of the users, which is not studied in this paper.
We propose a quantum-message-oriented public-key authentication scheme whose public-keys are quantum states. It can both encrypt and authenticate quantum messages. It is information-theoretically secure with regard to encryption, and with regard to authentication the success probability of tampering decreases exponentially with the security parameter.
2 Preliminaries
2.1 Private quantum channel ambainis2000
Ambainis et al. ambainis2000 defined PQC with an ancillary quantum state. Here we use the PQC without ancillary qubits. The definition is as follows.
Definition 1: A PQC is a set , where , is the probability of using the classical key . The PQC is used in the following way: Alice and Bob pre-share a classical secret key ; then

Alice uses the unitary transformation to encrypt a qubit message , and obtains its quantum cipher . Alice sends to Bob.

Bob uses the unitary transformation to decrypt , and obtains the message .
In order to be secure, it is required that the following formula holds for any qubit state :
(1) 
where is a fixed state which is independent of (For example ).
PQC is a symmetric-key cryptosystem using a pre-shared classical key. Denote as using a bit classical key to encrypt a qubit message through PQC, and denote its quantum cipher as . For example, boykin2000; boykin2002 proposed a PQC . Its encryption transformation is
(2)  
The PQC decryption transformation is
(3)  
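The quantum one-time pad above, simulated as an added example (this is not code from the paper or from boykin2000; boykin2002): each qubit is encrypted with X^a Z^b chosen by two key bits, Eve's view is the cipher averaged over every key, and the check compares that average with the maximally mixed state, which plays the role of the fixed state in Eq.(1). For contrast it also averages over a deliberately short key space of one bit per qubit (an assumption made here for illustration, not a scheme from the paper) to show that such a key does not satisfy Eq.(1). The sample states, matrix helpers and function names are constructed for this example.

```python
"""Quantum one-time pad (a PQC as in Definition 1), simulated in pure Python.
Added example, not the paper's code: qubit i is encrypted with X^a_i Z^b_i
chosen by two key bits, so n qubits use a 2n-bit classical key."""
import itertools

X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
I2 = [[1, 0], [0, 1]]


def matmul(a, b):
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def dagger(a):
    """Conjugate transpose."""
    return [[complex(a[j][i]).conjugate() for j in range(len(a))] for i in range(len(a[0]))]


def kron(a, b):
    """Tensor (Kronecker) product."""
    rb, cb = len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb] for j in range(len(a[0]) * cb)]
            for i in range(len(a) * rb)]


def key_unitary(key):
    """Key bits (a1, b1, ..., an, bn) -> U = X^a1 Z^b1 (x) ... (x) X^an Z^bn."""
    u = [[1]]
    for a, b in zip(key[0::2], key[1::2]):
        # X^a Z^b for one qubit: XZ, X, Z or the identity
        single = matmul(X, Z) if (a and b) else X if a else Z if b else I2
        u = kron(u, single)
    return u


def encrypt(rho, key):
    """Alice: rho -> U rho U^dagger."""
    u = key_unitary(key)
    return matmul(matmul(u, rho), dagger(u))


def decrypt(cipher, key):
    """Bob: cipher -> U^dagger cipher U."""
    u = key_unitary(key)
    return matmul(matmul(dagger(u), cipher), u)


def all_keys(n_qubits):
    """The full 2n-bit key space of the quantum one-time pad."""
    return list(itertools.product((0, 1), repeat=2 * n_qubits))


def x_only_keys(n_qubits):
    """A deliberately short key space (assumption for illustration): n bits, bit flips only."""
    return [tuple(v for a in bits for v in (a, 0))
            for bits in itertools.product((0, 1), repeat=n_qubits)]


def eve_view(rho, keys):
    """Cipher seen without the key: uniform mixture of U_k rho U_k^dagger over the key space."""
    dim = len(rho)
    avg = [[0j] * dim for _ in range(dim)]
    for key in keys:
        c = encrypt(rho, key)
        for i in range(dim):
            for j in range(dim):
                avg[i][j] += c[i][j] / len(keys)
    return avg


def hs_distance(rho, sigma):
    """Hilbert-Schmidt distance; zero exactly when the trace distance is zero."""
    return sum(abs(rho[i][j] - sigma[i][j]) ** 2
               for i in range(len(rho)) for j in range(len(rho))) ** 0.5


def maximally_mixed(n_qubits):
    dim = 2 ** n_qubits
    return [[1 / dim if i == j else 0 for j in range(dim)] for i in range(dim)]


def pure_state(amplitudes):
    """Density matrix |psi><psi| from an amplitude vector."""
    return [[a * complex(b).conjugate() for b in amplitudes] for a in amplitudes]


def security_gap(rho, keys):
    """Distance of Eve's view from I/2^n, the fixed state of Eq. (1); a secure key space gives 0."""
    n_qubits = len(rho).bit_length() - 1
    return hs_distance(eve_view(rho, keys), maximally_mixed(n_qubits))


# Constructed sample messages: a two-qubit Bell pair and the single-qubit |+> state.
BELL = pure_state([2 ** -0.5, 0, 0, 2 ** -0.5])
PLUS = pure_state([2 ** -0.5, 2 ** -0.5])

if __name__ == "__main__":
    key = (1, 0, 0, 1)  # four key bits for the two-qubit message
    print("round trip ok:", hs_distance(decrypt(encrypt(BELL, key), key), BELL) < 1e-12)
    print("gap, full 2n-bit key, Bell pair:", security_gap(BELL, all_keys(2)))
    print("gap, n-bit X-only key, |+>:", security_gap(PLUS, x_only_keys(1)))
```

With the full 2n-bit key space the averaged cipher of any input coincides with I/2^n, which is the condition of Eq.(1); with only bit flips the |+> state is left unchanged by every key, so the gap is nonzero and the scheme leaks the message.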
Other researchers hayden2004; ambainis2004 studied approximate quantum encryption, or approximate PQC (APQC). In APQC, the security condition Eq.(1) is relaxed in order to shorten the pre-shared secret key. It is required that
(4) 
where is any qubit message, is the length of the pre-shared key, and . represents the trace distance of two density matrices and nielsen2000. is the security parameter, and APQC is a perfect PQC when .
We denote as using a bit pre-shared key to encrypt a qubit message through APQC. For example, we can adopt the last scheme (hybrid construction) in ambainis2004, described as follows. Let be a biased set on bits. For , define a unitary transformation as follows. Define , where is the usual (bitwise) inner product of and . Each and are selected with uniform probability. The APQC transformation can be described as follows:
(5) 
where represents using the pre-shared classical key to encrypt the quantum message (”” denotes the concatenation of two bit strings).
(6) 
where , and . The total length of and is . Because is a biased set on bits, bits of randomness are enough to generate any bit number in polynomial time ambainis2004. In other words, the set can be generated from the set using a polynomial-time algorithm. For convenience, each number can be seen as one element of the set . Thus, this APQC construction needs only bits of classical key, and .
2.2 Quantum authentication scheme barnum2002
Authentication of quantum messages was defined by Barnum et al. barnum2002. A sender Alice and a receiver Bob must pre-share a classical key . Alice and Bob use to authenticate the quantum message.
Definition 2: A QAS is defined by a triplet , where and are two polynomial-time quantum algorithms, and is a set of classical keys. satisfies:

Alice performs the quantum algorithm on a qubit message and a classical key , and outputs a qubit state . Alice sends to Bob.

Bob receives a quantum state , and then inputs and the classical key to the quantum algorithm . The output of has two parts: a qubit message and a single-qubit . Bob decides to accept or reject according to the single-qubit (accept if it is and reject if it is ).
By this definition, a QAS is a type of symmetric-key authentication for quantum messages. In this paper, however, we consider public-key authentication of quantum messages.
3 Security notion
In this section, information-theoretic security is defined for public-key encryption of quantum messages, and two sufficient conditions are presented.
Lemma 1: is a quantum state space. The following two statements are equivalent:
(1) There exists a fixed quantum state , such that .
(2) .
Proof: Firstly, the statement (2) can be deduced from (1). ,
Deducing (1) from (2) is straightforward: choose any fixed quantum state from ; then it satisfies the condition .
Definition 5.2.4 in goldreich2004 defines indistinguishability for public-key encryption of classical messages.
Definition 3: A public-key encryption scheme for classical messages has indistinguishable encryptions if for every classical polynomial-size circuit family , every positive polynomial , all sufficiently large , and every (i.e., ),
(7) 
where the algorithm is a classical encryption algorithm and is an algorithm for key generation.
From the discussion in Chapter 5.5.2 of goldreich2004, the security can be classified according to the size of the classical circuit family : (1) if is polynomial-size, the above definition gives computational security; (2) if there is no limitation on the size of , the above definition gives information-theoretic security.
Definition 3 in yang2010b defines information-theoretic security of quantum public-key encryption for classical messages. It naturally extends the information-theoretic security of classical public-key encryption, and it coincides with the notion of information-theoretic indistinguishability discussed by Hayashi et al. hayashi2008. Here, it is extended to information-theoretic security of quantum public-key encryption for quantum messages, and two sufficient conditions are presented.
Definition 4: A quantum public-key encryption scheme for quantum messages is information-theoretically secure if for every quantum circuit family , every positive polynomial , all sufficiently large , and any two quantum messages , it holds that
(8) 
where the algorithm is a quantum algorithm for encryption and is a quantum algorithm for generating public-keys.
It should be noted that both in Yang et al. yang2010b and in this paper, information-theoretic security is defined using a quantum circuit family with no limitation on its size. This means can be any quantum circuit family of arbitrary size. Here, the right side of Eq.(8) is , but this does not mean that the ciphers can be distinguished efficiently, because is not a particular polynomial but an arbitrary one. Thus the above definition means that, for any two quantum messages, their quantum ciphers cannot be distinguished by any quantum circuit family of any size.
Next, two sufficient conditions are presented. The sender Alice encrypts a quantum message using a quantum public-key . Its quantum cipher is denoted as . Suppose each quantum public-key is used with probability , and . The attacker Eve does not know the public-key used by Alice, so the quantum cipher (with respect to Eve) of can be represented by .
Theorem 1: A quantum public-key encryption scheme for quantum messages is information-theoretically secure if for every positive polynomial , all sufficiently large , and any two quantum messages ,
(9) 
where and are the quantum ciphers of and under the quantum encryption algorithm and public-key , respectively. We regard as the probability of generating public-key from the quantum algorithm , and .
Proof: In Definition 4, is a quantum encryption algorithm which acts on the quantum message , and is a quantum algorithm for generating public-keys, each public-key being generated with probability , so
where is a quantum state which acts as ancillary input to quantum circuit .
Similarly, the following formula can be deduced.
Any quantum circuit family built for distinguishing two density operators corresponds to a set of positive operator-valued measures (POVM) . We define and as the probabilities of the measurement result labeled by . In this case, we have
(10)  
The formula Eq.(10) is equal to
(11)  
Then,
Thus, the quantum public-key encryption scheme is information-theoretically secure.
From Lemma 1 and Theorem 1, the following corollary can be deduced directly.
Corollary 1: A quantum public-key encryption scheme for quantum messages is information-theoretically secure if for every positive polynomial and all sufficiently large , there exists a fixed quantum state such that
(12) 
where is the cipher of the quantum message under the quantum encryption algorithm and the public-key . Again, we regard as the probability of generating public-key from the quantum algorithm , and .
4 Public-key encryption of quantum information
4.1 A general construction
Firstly, we define a model for quantum public-key encryption of classical messages pan2010.
Definition 5: A public-key cryptosystem using quantum public-keys to encrypt classical messages is described by a quadruple pan2010:
where all components are defined as follows.

is a set of private-keys. Each is a polynomial-time computable function with bit input and bit output ().

is a set of quantum public-keys. Each pair is generated from a function , and their relation is . Given , the quantum state can be efficiently prepared.

is a quantum encryption transformation. Alice uses and the quantum public-key to encrypt the classical message , and obtains a quantum cipher . Alice sends to Bob.

is a quantum decryption transformation. After receiving from Alice, Bob computes using the private-key . Bob then uses and to decrypt the cipher , and obtains the classical message .
In this definition, the private-key is a function which can be computed efficiently. From the key , many different pairs can be generated such that , thereby allowing many different quantum public-keys to be prepared. Thus, the relation between private-keys and public-keys is one-to-many: a private-key corresponds to many quantum public-keys , where .
In the encryption schemes introduced in kawachi2005; kawachi2008, the relation between private-keys and public-keys is one-to-one (one private-key corresponds to one quantum public-key ). This kind of scheme is a special case of the public-key cryptosystem , for the following reason. In , let ; then , so is uniquely determined by . Then the public-key is uniquely determined by the private-key .
Remark 1: Because the attacker Eve does not know the function , she does not know the value of . Suppose each is used with probability ; then the cipher of the classical message (with respect to Eve) is .
PQC is a symmetric-key encryption scheme for quantum messages with a classical secret key, and is a public-key encryption scheme for classical messages with quantum public-keys. The two schemes are combined as in Figure 1 to form a public-key encryption scheme for quantum messages with quantum public-keys.
Next, we describe the scheme in detail. Bob generates a private-key and many quantum public-keys, then he sends all the quantum public-keys to his public-key register. The process is as follows.
[Key Generation]

Bob randomly selects a function ;

Bob randomly selects some , computes , and then prepares the quantum state according to ;

Bob uploads all to his public-key register. The function is Bob’s private-key.
Alice intends to send a qubit message to Bob. She first downloads quantum public-keys from Bob’s public-key register, then encrypts with the quantum public-keys. The process is as follows.
[Encryption]

Alice randomly selects a bit number , and then encrypts the quantum message by performing the PQC encryption transformation ;

Alice downloads the quantum public-key from Bob’s public-key register, then encrypts by performing the encryption transformation , and obtains ;

Alice sends and the quantum cipher to Bob.
Bob receives the cipher , and then decrypts it as follows.
[Decryption]

According to the value of , Bob uses his private-key to compute ;

According to the value of , Bob performs the decryption transformation on the quantum cipher , and obtains ;

According to the value of , Bob performs the PQC decryption transformation on the quantum cipher , and obtains the quantum message .
In this scheme, is a random number selected by Alice and unknown to Eve. From Remark 1, the cipher of the quantum message (with respect to Eve) can be represented as follows.
(13) 
This scheme is constructed by combining a public-key encryption scheme with a symmetric-key encryption scheme PQC (or APQC). The security of the combined scheme is determined by the security of and of PQC (or APQC). The analysis is as follows.
Lemma 2: In a quantum state space , if there exists a fixed state , such that , then , where and .
Proof: From , it can be deduced that
Theorem 2: If there exists a scheme and a PQC (APQC), which satisfy the following conditions:

For the scheme , there exists a fixed state , such that
; 
For the PQC (APQC), there exists a fixed state , such that
;
then there exists a fixed state , such that .
Proof: From condition 1,
According to Lemma 2, it can be deduced that
(14) 
Then there exists a state , such that
4.2 Quantum public-key encryption of classical information pan2010
In order to give a concrete example of the scheme described in Figure 1, we first introduce an example of the public-key encryption scheme . This example was proposed by Pan and Yang pan2010. Their scheme can be used to encrypt single-bit classical messages with information-theoretic security. Moreover, Yang et al. yang2011 proposed a classical-message-oriented quantum public-key scheme based on conjugate coding, which is another example of .
Denote . Define a qubit state , where , . Let ; then it is the identity transformation when , and the unitary transformation when . We define a transformation as follows:
(15) 
Denote , then . Because , it can be deduced that .
According to Lemma 3 and Lemma 4 in pan2010, if the values of and are unknown, and are information-theoretically indistinguishable (their trace distance is ).
However, given the value of , there exists a polynomial-time quantum algorithm which can distinguish and . Therefore, is a quantum trapdoor one-way transformation with trapdoor .
The key generation process is as follows.

Bob randomly selects an efficiently computable function ;

Bob randomly selects a number , and then computes a bit number . He continues to the next step if is an element of ; otherwise he randomly selects a new number ;

Bob randomly selects a number , and prepares a qubit state ;

Bob’s public-key is , and his private-key is .
Alice uses Bob’s public-key to encrypt one classical bit . The encryption transformation is as follows.
(16) 
That is, Alice performs a unitary transformation on Bob’s public-key , and then sends the result to Bob.
After receiving the cipher , Bob uses his private-key to decrypt it as follows. He first computes from the value of , and then decrypts with its trapdoor , and obtains the classical message .
4.3 Quantum public-key encryption of quantum information
According to the general construction in Section 4.1 and the example of introduced in Section 4.2, we can construct a concrete public-key encryption protocol for quantum messages. The encryption key of PQC has bits, and the scheme in Section 4.2 encrypts a single-bit classical message, so the bits are encrypted one by one.
Alice intends to encrypt a bit number , so she must get Bob’s quantum public-keys. There are two requirements on the quantum public-keys: (1) in order to protect , all the quantum public-keys must be different (see the proof of Proposition 1); (2) in order to encrypt bits, she needs quantum public-keys (from the scheme in Section 4.2, Alice stores a single-bit message in a quantum public-key, and then sends the quantum public-key to Bob; however, she does not know the state of the quantum public-key and cannot produce copies of it, by the quantum no-cloning theorem, so if she has only one copy of Bob’s public-key she can encrypt only one bit). From the two requirements, Alice must get different quantum public-keys published by Bob. We denote the quantum public-keys as , and the th bit () of as . Alice encrypts each bit , and obtains a quantum cipher .
If Alice intends to send a qubit message to Bob securely, she first downloads quantum public-keys: from Bob’s public-key register. Let . The encryption process is as follows.
[Encryption]

Alice randomly selects a bit number ;

Alice encrypts the quantum message with the PQC encryption transformation and the classical key , and obtains ;

Alice uses Bob’s public-key to encrypt each bit (), and obtains qubits

Alice sends all the strings and the quantum cipher to Bob.
Bob receives these classical numbers and the quantum cipher , and then performs the decryption process.
[Decryption]

According to , Bob uses his private-key to compute ;

Bob uses to decrypt the first qubit of the quantum cipher. He decrypts and obtains each bit of : ;

According to , Bob decrypts the quantum cipher by performing the PQC decryption transformation, and obtains the quantum message .
The attacker Eve does not know the random string or the quantum public-keys used by Alice. Thus, with respect to Eve, a qubit state is encrypted into a qubit state
(17)  
where , .
In the above scheme, PQC encryption needs a bit classical number . If PQC is replaced with APQC (replacing the transformation with in the above protocol), the length of can be reduced. This saves quantum resources when encrypting the classical string .
For example, consider the case where the PQC in Figure 1 is replaced with the APQC described in Eq.(6). Then , where is an bit string. Thus, encrypting a qubit message yields a qubit cipher. The cipher with respect to Eve is
(18)  
From , it can be inferred that . That is, the cipher of a qubit state is shortened.
4.4 Security analysis
The security of the quantum public-key encryption scheme proposed in Section 4.3 is analyzed from two aspects: (1) the security of the private-key; (2) the security of encryption.
Firstly, we consider the security of the private-key. In this scheme, is an important number because it can be directly used for decryption. According to the Holevo theorem nielsen2000, at most bit classical information can be obtained from a qubit public-key
If Eve receives enough copies of a public-key , she can obtain the bit information of , and then attack the communication between Alice and Bob. Thus, in order to protect the communication, the number of copies of each quantum public-key must be limited by an upper bound . That means Bob publishes at most copies of the quantum public-key corresponding to a pair , and then selects a new pair to produce a new quantum public-key. The following proposition shows that the upper bound is equal to .
Proposition 1: Given copies of a quantum public-key , the value of can be extracted successfully with probability at least .
Proof: For an arbitrary quantum public-key, suppose the qubit state is , where and . Suppose Eve has received sufficiently many copies of . First, she measures the first copy of in the basis , and gets a bit string . Then she measures the second copy of and gets a second string . If , she continues to measure the th () copy of , until the th string . At this point, she can conclude .
Let the random variable be the number of measurements until is determined. The probability that is determined at the th measurement is
Thus the expected value of is
That is, three measurements on average determine the value of . Moreover, , which means the success probability is when there are two copies of .
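The copy-count argument of Proposition 1, worked through as an added example that is not the paper's code. It assumes a simplified model consistent with the proof above: a computational-basis measurement of one copy of the public-key yields one of two distinct strings, each with probability 1/2, and the value in question is fixed only once both strings have been observed. The functions evaluate the distribution of the number of measurements exactly and by Monte Carlo, which is the quantity the copy bound for the public-key register is chosen from; the strings and function names are constructed placeholders.

```python
"""Copy-count analysis of Proposition 1 (added example, not the paper's code).
Assumed model: one computational-basis measurement of a copy of the public-key
returns one of two distinct strings with probability 1/2 each, and the secret
value is fixed only once both strings have been seen."""
import random


def prob_determined_at(i):
    """P(X = i): the i-th measurement is the first whose outcome differs from the first (i >= 2)."""
    return 0.5 ** (i - 1) if i >= 2 else 0.0


def expected_measurements(terms=200):
    """E[X] = sum i * P(X = i); the series converges to 3 (truncation error about 2^-terms)."""
    return sum(i * prob_determined_at(i) for i in range(2, terms))


def success_probability(copies):
    """P(X <= copies) = 1 - 2^-(copies - 1): the chance that `copies` copies reveal both strings."""
    return 1.0 - 0.5 ** (copies - 1) if copies >= 2 else 0.0


def simulate_extraction(copies, trials, seed=0):
    """Monte Carlo estimate of success_probability(copies), measuring copies one at a time."""
    rng = random.Random(seed)
    outcomes = ("0110", "1001")  # constructed placeholder strings; any two distinct strings behave alike
    successes = 0
    for _ in range(trials):
        seen = set()
        for _ in range(copies):
            seen.add(rng.choice(outcomes))  # one fresh copy measured in the computational basis
            if len(seen) == 2:              # both strings observed: the value is determined
                successes += 1
                break
    return successes / trials


def copies_table(max_copies):
    """(copies, exact success probability) pairs; the bound on published copies is read off this."""
    return [(m, success_probability(m)) for m in range(1, max_copies + 1)]


if __name__ == "__main__":
    print("expected measurements:", expected_measurements())
    for m, p in copies_table(5):
        print(f"{m} copies: exact {p:.3f}, simulated {simulate_extraction(m, 20000, seed=1):.3f}")
```

With a single copy the success probability is zero under this model, with two copies it is already 1/2, and the expectation of three measurements matches the proof; this is why the scheme restricts Bob to one copy per pair.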
According to Proposition 1, in order to protect , only one copy of each quantum public-key is permitted to be produced from a pair . Therefore, any two quantum public-keys published by Bob are different. The attacker Eve can obtain only one copy of . When she measures it, she gets or , each with probability , but cannot get the values of both and . Extracting the value of from or alone is the same as attacking the one-time pad in classical cryptography. Therefore, extracting the value of from only one copy of is information-theoretically impossible. Moreover, extracting the relation (the private-key ) between and is also information-theoretically impossible. There may exist different quantum public-keys corresponding to the same , such as