Quantum public-key algorithms to encrypt and authenticate quantum messages with information-theoretic security

# Quantum public-key algorithms to encrypt and authenticate quantum messages with information-theoretic security

Min Liang Li Yang Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China Graduate University of Chinese Academy of Sciences, Beijing, China
###### Abstract

Public-key cryptosystems for quantum messages are considered from two aspects: public-key encryption and public-key authentication. Firstly, we propose a general construction of quantum public-key encryption scheme, and then construct an information-theoretic secure instance. Then, we propose a quantum public-key authentication scheme, which can protect the integrity of quantum messages. This scheme can both encrypt and authenticate quantum messages. It is information-theoretic secure with regard to encryption, and the success probability of tampering decreases exponentially with the security parameter with regard to authentication. Compared with classical public-key cryptosystems, one private-key in our schemes corresponds to an exponential number of public-keys, and every quantum public-key used by the sender is an unknown quantum state to the sender.

###### keywords:
Quantum cryptography, authentication, quantum public-key, private quantum channel

## 1 Introduction

There are three kinds of cryptosystems for quantum messages, such as quantum no-key protocol yang02 ; yang11 , private quantum channel (or quantum one-time pad) boykin2000 ; boykin2002 ; ambainis2000 , and quantum public-key encryption protocol yang2003a .

Quantum one-time pad boykin2000 ; boykin2002 was proposed to encrypt qubits using -bit secret key. Presharing -bit secret key is sufficient and necessary for encrypting -qubit messages with perfect security. Ambainis et al. ambainis2000 defined private quantum channel (PQC), which is actually the same as quantum one-time pad. PQC (or quantum one-time pad) is a type of symmetric-key encryption scheme for quantum messages and it is considered to have perfect security. Later, others hayden2004 ; ambainis2004 relaxed the security requirement of PQC, and proposed approximate private quantum channel (APQC) (or approximate randomization of quantum state). This relaxation reduced the length of preshared classical key.

Leung leung2001 proposed another kind of quantum one-time pad with preshared EPR pairs as the secret key. In their scheme, the secret key can be reused securely. In addition, zhou2005 ; zhou2006 studied realizable quantum block encryption algorithm based on some simple bit-wise quantum computation. All these researches are quantum-message-oriented encryption schemes with preshared secret key.

Yang yang2003a constructed the first quantum-message-oriented public-key encryption protocol with classical private- key and classical public-key. It is a computationally secure quantum public-key encryption protocol. Kawachi and Portmann kawachi2008 presented another kind of quantum-message-oriented public-key encryption protocol, where the public-key is the quantum state. By analyzing the protocol from the message size and the number of copies of the quantum public-key, they showed that it is bounded information-theoretic secure.

In this paper, we propose a quantum-message-oriented public-key encryption protocol, where one private-key corresponds to an exponential number of quantum public-keys and any two public-keys are different. In this scheme, the quantum public-keys are unknown to the sender, and the sender can only use them. The scheme has been proved to be truly information-theoretic secure.

Quantum authentication scheme (QAS) was firstly defined by Barnum et al. barnum2002 . They showed that any scheme to authenticate quantum messages must also encrypt them, and constructed a quantum-message-oriented symmetric-key authentication scheme with preshared classical key. Their scheme can both encrypt and authenticate -qubit message. If encrypting and authenticating -qubit message into qubits, the sender and receiver need to preshare -bit classical key, where is the security parameter. Later, yang2003b ; yang2010a constructed a quantum-message-oriented public-key authentication scheme without a preshared classical key. However, its security is based on computational assumptions. Zhang zhang2009 proposed another type of QAS to authenticate the identity of the users, which will not be studied in this paper.

We propose a quantum-message-oriented public-key authentication scheme with the public-keys being quantum states. It can both encrypt and authenticate quantum messages. It is information-theoretic secure with regard to encryption, and the success probability of tampering decreases exponentially with the security parameter with regard to authentication.

## 2 Preliminaries

### 2.1 Private quantum channel ambainis2000

Ambainis et al. ambainis2000 defined PQC with an ancillary quantum state. Here we use the PQC without ancillary qubits. The definition is as follows.

Definition 1: PQC is a set , where , is the probability of using the classical key . The PQC is used in the following way: Alice and Bob preshare a classical secret key , then

1. Alice uses the unitary transformation to encrypt a -qubit message , and obtains its quantum cipher . Alice sends to Bob.

2. Bob uses the unitary transformation to decrypt , and obtains the message .

In order to be secure, it is required that the following formula holds for any -qubit state :

 ∑i∈{0,1}2npiUiσU†i=σ0,∀σ, (1)

where is a fixed state which is independent of (For example ).

PQC is a symmetric-key cryptosystem using a preshared classical key. Denote as using -bit classical key to encrypt -qubit message through PQC, and its quantum cipher is denoted as . For example, boykin2000 ; boykin2002 proposed a PQC . Its encryption transformation is

 l(σ) = PQCl(σ)=UlσU†l (2) = (⊗nj=1Xlj)⋅(⊗2nj=n+1Zlj)σ(⊗2nj=n+1Zlj)⋅(⊗nj=1Xlj).

The PQC decryption transformation is

 PQC−1l(σ)=U†lσUl (3) = (⊗2nj=n+1Zlj)⋅(⊗nj=1Xlj)σ(⊗nj=1Xlj)⋅(⊗2nj=n+1Zlj).

Other researchers hayden2004 ; ambainis2004 studied the approximate quantum encryption or approximate PQC (APQC). In APQC, the security condition Eq.(1) is relaxed in order to lessen the preshared secret key. It is required that

 (4)

where is any -qubit message, is the length of the preshared key, and . represents the trace distance of two density matrixes and nielsen2000 . is security parameter, and APQC is considered a perfect PQC when .

We denote as using -bit preshared key to encrypt -qubit message through APQC. For example, we can adopt the last scheme (hybrid construction) in ambainis2004 . That scheme is described as follows. Let be a -biased set on bits. For , define a unitary transformation as follows. Define , where is the usual (bitwise) inner product of and . Each and are selected with uniform probability. The APQC transformation can be described as follows:

 APQC(σ)=12n⋅1|B|∑a∈{0,1}n∑b∈BAPQCa,b(σ), (5)

where represents using the preshared classical key to encrypt quantum message (”” denotes an concatenation of two bit-strings).

 APQCa,b(σ)=XaZa2UbσU†bZ−a2X−a, (6)

where , and . The total length of and is . Because is a -biased set on bits, bits of randomness is enough to generate any -bit number in polynomial time ambainis2004 . In other words, the set can be generated from the set using a polynomial-time algorithm. For convenience, each number can be seen as one element of the set . Thus, this APQC construction needs only bits of the classical key, and .

### 2.2 Quantum authentication scheme barnum2002

Authentication of quantum messages was defined by Barnum et al. barnum2002 . A sender Alice and a receiver Bob must preshare a classical key . Alice and Bob use to authenticate the quantum message.

Definition 2: QAS is defined by a triplet , where and are two polynomial-time quantum algorithms, and is a set of classical keys. satisfies:

1. Alice performs quantum algorithm on a -qubit message and a classical key , and outputs a -qubit state . Alice sends to Bob.

2. Bob receives a quantum state , and then inputs and the classical key to quantum algorithm . The output of has two parts: a -qubit message , a single-qubit . Bob decides to accept or reject according to the single-qubit (accept if it is and reject if it is ).

From this definition, QAS is a type of symmetric-key authentication for quantum messages. However, we will consider public-key authentication of quantum messages in this paper.

## 3 Security notion

In this section, information-theoretic security is defined for public-key encryption of quantum messages, and two sufficient conditions are presented here.

Lemma 1: is a quantum state space. The following two statements are equivalent:

(1) There exists a fixed quantum state , such that .

(2) .

Proof: Firstly, the statement (2) can be deduced from (1). ,

 D(ρ1,ρ2) = 12tr|ρ1−ρ2| = 12tr|ρ1−τ+τ−ρ2| ≤ 12tr|ρ1−τ|+12tr|τ−ρ2| = D(ρ1,τ)+D(ρ2,τ) ≤ ϵ+ϵ=2ϵ.

It is straightforward to deduce (1) from (2). By randomly selecting a fixed quantum state from , then can satisfy the condition .

From Definition 5.2.4 in goldreich2004 , indistinguishability was defined for public-key encryption of the classical messages.

Definition 3: A public-key encryption scheme for the classical messages has indistinguishable encryptions, if for every classical polynomial-size circuit family , and every positive polynomial , all sufficiently large , and every (i.e.,),

 ∣∣Pr[Cn(G(1n),EG(1n)(x))=1]−Pr[Cn(G(1n),EG(1n)(y))=1]∣∣<1p(n), (7)

where the algorithm is a classical encryption algorithm and is a algorithm for key generation.

From the discussion in Chapter 5.5.2 in goldreich2004 , the security can be classified according to the size of classical circuit family : (1) if is polynomial-size, the above definition defines computational security; (2) if there are no limitations on the size of , the above definition defines information-theoretic security.

Definition 3 in yang2010b defines information-theoretic security of quantum public-key encryption for classical messages. It naturally extends the information-theoretic security of classical public-key encryption. It coincides with the notion of information-theoretically indistinguishable as discussed by Hayashi et al. hayashi2008 . Here, it is extended to information-theoretic security of quantum public-key encryption for quantum messages. Two sufficient conditions are presented here.

Definition 4: A quantum public-key encryption scheme for quantum messages is information-theoretic secure, if for every quantum circuit family , every positive polynomial , all sufficiently large , and any two quantum messages , it holds that

 ∣∣Pr[Cn(G(1n),EG(1n)(σ))=1]−Pr[Cn(G(1n),EG(1n)(σ′))=1]∣∣<1p(n), (8)

where the algorithm is a quantum algorithm for encryption and is a quantum algorithm for generating public-keys.

It should be noted that Yang et al. yang2010b and in this paper, information-theoretic security are all defined using quantum circuit family without limitations on its size. This means can be any quantum circuit family of arbitrary size. Here, the right side of Eq.(8) is , but it does not mean that the ciphers can be distinguished efficiently, because is not a particular polynomial but an arbitrary polynomial. Thus the above definition means, for any two quantum messages, their quantum ciphers cannot be distinguished by any quantum circuit family of any size.

Next, two sufficient conditions are presented. The sender Alice encrypts a quantum message using a quantum public-key . Its quantum cipher is denoted as . Suppose each quantum public-key is used with probability , and . The attacker Eve does not know the public-key used by Alice, so the quantum cipher (with respect to Eve) of can be represented by .

Theorem 1: A quantum public-key encryption scheme for quantum messages is information-theoretic secure, if for every positive polynomial , all sufficiently large , any two quantum messages ,

 D(∑kpkρ(σ)k,∑kpkρ(σ′)k)<1p(n), (9)

where and are quantum ciphers of and using quantum encryption algorithm and public-key , respectively. We consider as the probability of generating public-key from the quantum algorithm , and .

Proof: In Definition 4, is a quantum encryption algorithm which performs on quantum message , and is a quantum algorithm for generating public-keys, and each public-key is generated with a probability , so

 Pr[Cn(G(1n),EG(1n)(σ))=1] = ∑kpkPr[Cn(ρ(σ)k⊗σa)=1] = Pr[Cn(∑kpkρ(σ)k⊗σa)=1],

where is a quantum state which acts as ancillary input to quantum circuit .

Similarly, the following formula can be deduced.

 Pr[Cn(G(1n),EG(1n)(σ′))=1]=Pr[Cn(∑kpkρ(σ′)k⊗σa)=1].

Any quantum circuit family built for distinguishing two density operators corresponds to a set of positive operator-values measure (POVM) . We define and
as the probabilities of measurement result labeled by . In this case, we have

 ∣∣ ∣∣Pr[Cn(∑kpkρ(σ)k⊗σa)=1]−Pr[Cn(∑kpkρ(σ′)k⊗σa)=1]∣∣ ∣∣ (10) ≤ max{Em}12∑m∣∣ ∣∣tr[(Cn(∑kpkρ(σ)k⊗σa)−Cn(∑kpkρ(σ′)k⊗σa))Em]∣∣ ∣∣ = max{Em}D(pm,qm).

The formula Eq.(10) is equal to

 D(Cn(∑kpkρ(σ)k⊗σa),Cn(∑kpkρ(σ′)k⊗σa)) (11) ≤ D(∑kpkρ(σ)k⊗σa,∑kpkρ(σ′)k⊗σa) = D(∑kpkρ(σ)k,∑kpkρ(σ′)k)<1p(n).

Then,

 ∣∣Pr[Cn(G(1n),EG(1n)(σ))=1]−Pr[Cn(G(1n),EG(1n)(σ′))=1]∣∣<1p(n).

Thus, the quantum public-key encryption scheme is information-theoretic secure.

From Lemma 1 and Theorem 1, the following corollary can be deduced directly.

Corollary 1: A quantum public-key encryption scheme for quantum messages is information-theoretic secure, if for every positive polynomial , all sufficiently large , there exists a fixed quantum states such that

 D(∑kpkρ(σ)k,τ)<1p(n),∀σ∈HM, (12)

where is the cipher of quantum message using the quantum encryption algorithm and the public-key . Again, we consider as the probability of generating public-key from the quantum algorithm , and .

## 4 Public-key encryption of quantum information

### 4.1 A general construction

Firstly, we define a model for quantum public-key encryption of classical messages pan2010 .

Definition 5: A public-key cryptosystem using quantum public-key to encrypt classical messages is described by a quadruple pan2010 :

 Δ=({Fi}i∈I,{(s,ρk)}s∈{0,1}O(n),E,D),

where all components are defined as follows.

• is a set of private-keys. Each is a polynomial-time computable function with -bit input and -bit output. ().

• is a set of quantum public-keys. Each pair of is generated from a function , and their relation is . Given , quantum state can be efficiently prepared.

• is a quantum encryption transformation. Alice uses and quantum public-key to encrypt the classical message , and obtains a quantum cipher . Alice sends to Bob.

• is a quantum decryption transformation. After receiving from Alice, Bob computes by using private-key . Bob then uses and to decrypt the cipher , and obtains the classical message .

In this definition, the private-key is a function which can be computed efficiently. From the key , many different pairs of can be generated such that , thereby allowing many different quantum public-keys to be prepared. Thus, the relation between private-keys and public-keys is one-to-many. That means, a private-key corresponds to many quantum public-keys , where .

In the encryption schemes introduced in kawachi2005 ; kawachi2008 , the relation between private-keys and public-keys is one-to-one (One private-key corresponds to one quantum public-key ). This kind of schema is a special case of the public-key cryptosystem . The reason is as follows. In , let , then , so is uniquely determined by . Then the public-key is uniquely determined by private-key .

Remark 1: Because the attacker Eve does not know the function , she does not know the value of . Suppose each is used with probability , then the cipher of classical message (with respect to Eve) is .

PQC is a symmetric-key encryption scheme for quantum messages with classical secret key. is a public-key encryption scheme for classical messages with quantum public-keys. The two schemes are combined as Figure 1, and form a public-key encryption scheme for quantum messages with quantum public-keys.

Next, we describe the scheme in detail. Bob generates a private-key and many quantum public-keys, then he sends all quantum public-keys to his public-key register. The progress is as follows.

[Key Generation]

1. Bob randomly selects a function ;

2. Bob randomly selects some , and computes , and then prepares quantum state according to ;

3. Bob uploads all to his public-key register. The function is Bob’s private-key.

Alice intends to send a -qubit message to Bob. She firstly downloads quantum public-keys from Bob’s public-key register, then encrypts with quantum public-keys. The progress is as follows.

[Encryption]

1. Alice randomly selects a -bit number , and then encrypts the quantum message by performing PQC encryption transformation ;

2. Alice downloads quantum public-key from Bob’s public-key register, and then encrypts by performing encryption transformation , and obtains ;

3. Alice sends and the quantum cipher to Bob.

Bob receives the cipher , and then decrypts it as follows.

[Decryption]

1. According to the value of , Bob uses his private-key to compute ;

2. According to the value of , Bob performs decryption transformation on quantum cipher , and obtains ;

3. According to the value of , Bob performs PQC decryption transformation on quantum cipher , and obtains the quantum message .

In this scheme, is a random number selected by Alice, and is unknown by Eve. From Remark 1, the cipher of the quantum message (with respect to Eve) can be represented as follows.

 G(σ)=122n∑l∈{0,1}2n[∑kpkρ(l)k]⊗l(σ). (13)

This scheme is constructed by combining a public-key encryption scheme and a symmetric-key encryption scheme PQC (or APQC). The security of the combined scheme can be determined by the security of and PQC (or APQC). The analysis is as follows.

Lemma 2: In a quantum state space , if there exists a fixed state , such that , then , where and .

Proof: From , it can be deduced that

 D(∑kpkρk,τ) = 12tr∣∣ ∣∣∑kpkρk−τ∣∣ ∣∣=12tr∣∣ ∣∣∑kpk(ρk−τ)∣∣ ∣∣ ≤ 12tr∑kpk|ρk−τ|=∑kpkD(ρk,τ) ≤

Theorem 2: If there exists a scheme and a PQC (APQC), which satisfy the following conditions:

1. For the scheme , there exist a fixed state , such that
;

2. For the PQC (APQC), there exist a fixed state , such that
;

then there exists a fixed state , such that .

Proof: From the condition 1,

 D([∑kpkρ(l)k]⊗l(σ),τ1⊗l(σ))=D(∑kpkρ(l)k,τ1)≤ϵ1.

According to Lemma 2, it can be deduced that

 D⎛⎜⎝G(σ),122n∑l∈{0,1}2nτ1⊗l(σ)⎞⎟⎠≤ϵ1,∀σ. (14)

Then there exists a state , such that

 D(G(σ),τ)=D(G(σ),τ1⊗τ2) ≤ D(G(σ),122n∑lτ1⊗l(σ))+D(122n∑lτ1⊗l(σ),τ1⊗τ2) ≤ ϵ1+D(122n∑ll(σ),τ2) ≤

### 4.2 Quantum public-key encryption of classical informationpan2010

In order to give a concrete example for the scheme described in Figure 1, we firstly introduce an example for public-key encryption scheme . This example was proposed by Pan and Yang pan2010 . Their scheme can be used to encrypt single-bit classical message with information-theoretic security. Moreover, Yang et al. yang2011 proposed a classical message oriented quantum public-key scheme based on conjugate coding. This scheme is another example of .

Denote . Define a -qubit state , where , . Let , then it is the identity transformation while , and it is the unitary transformation while . We define a transformation as follows:

 T:l→Vlρk,iV†l, l∈{0,1}. (15)

Denote , then . Because , it can be deduced that .

According to Lemma 3 and Lemma 4 in pan2010 , if the values of and are unknown, it is information-theoretically indistinguishable between
and (the trace distance of them is ). However, given the value of , there exists a polynomial-time quantum algorithm which can distinguish and . Therefore, is a quantum trapdoor one-way transformation with trapdoor .

The key generation process is as follows.

1. Bob randomly selects an efficiently computable function ;

2. Bob randomly selects a number , and then computes a -bit number . Then he continues the next step if is an element of , otherwise he randomly selects a new number ;

3. Bob randomly selects a number , and prepares a -qubit state ;

4. Bob’s public-key is , and private-key is .

Alice uses Bob’s public-key to encrypt one classical bit . Its encryption transformation is as follows.

 ρ(l)k,i=E(ρk,i,l)=Vlρk,iV†l. (16)

That means, Alice performs a unitary transformation on Bob’s public-key , and then sends its result to Bob.

After receiving the cipher , Bob uses his private-key to decrypts as follows. He firstly computes from the value of , and then decrypts with its trapdoor , and obtains the classical message .

Remark 2: In this example, the public-key is . Compared with the encryption scheme defined in Section 4.1, here a random parameter is added into the public-key in order to protect (See the analysis in Section 4.4).

### 4.3 Quantum public-key encryption of quantum information

According to the general construction in Section 4.1, and the example of as introduced in Section 4.2, we can construct a concrete public-key encryption protocol for quantum message. The encryption key of PQC has bits, and the scheme in Section 4.2 is used to encrypt single-bit classical message, so that the bits should be encrypted one by one.

Alice intends to encrypt a -bit number , thus she must get Bob’s quantum public-keys. There are two requirements for the quantum public-keys: (1) In order to protect , all the quantum public-keys are different (See the proof of Proposition 1); (2) In order to encrypt bits, she needs to get quantum public-keys (From the scheme in Section 4.2, Alice stores single-bit message in a quantum public-key, and then sends the quantum public-key to Bob. However, she does not know the state of the quantum public-key, and cannot produce its copies according to quantum no-cloning theorem. Thus, if she has only one copy of Bob’s public-key, she can only encrypt one bit). From the two requirements, Alice must get different quantum public-keys published by Bob. We denote the quantum public-keys as , and the -th bit () of is . Alice encrypts each bit , and obtains a quantum cipher .

If Alice intends to send a -qubit message to Bob securely, she firstly downloads quantum public-keys: from Bob’s public-key register. Let . The encryption process is as follows.

[Encryption]

1. Alice randomly selects a -bit number ;

2. Alice encrypts the quantum message with PQC encryption transformation and the classical key , and obtains ;

3. Alice uses Bob’s public-key to encrypt each bit (), and obtains qubits

 ρ(l)ki=E′(ρki,l)≡⊗2nj=1E(ρkj,ij,lj)≡⊗2nj=1ρ(lj)kj,ij;
4. Alice sends all the strings and quantum cipher to Bob.

Bob receives these classical numbers and the quantum cipher , and then performs the decryption process.

[Decryption]

1. According to , Bob uses his private-key to compute ;

2. Bob uses to decrypt the first -qubit of the quantum cipher. He decrypts and obtains each bit of : ;

3. According to , Bob decrypts quantum cipher by performing PQC decryption transformation, and obtains the quantum message .

The attacker Eve does not know the random string and the quantum public-keys used by Alice. Thus, with respect to Eve, a -qubit state is encrypted into a -qubit state

 G(σ) = 122n∑l∈{0,1}2n⎡⎢ ⎢ ⎢⎣(122n−1)2n∑k1,⋯,k2n∈Ωn,i1,⋯,i2n∈{0,1}nE′(ρki,l)⎤⎥ ⎥ ⎥⎦⊗PQCl(σ) (17) = 122n∑l∈{0,1}2n⊗2nj=1⎡⎢⎣122n−1∑kj∈Ωn∑ij∈{0,1}nρ(lj)kj,ij⎤⎥⎦⊗PQCl(σ),

where , .

In the above scheme, PQC encryption needs -bit classical number . If we consider to replace PQC with APQC (replace the transformation with in the above protocol), the length of can be reduced. This method can save quantum resources while encrypting classical string .

For example, we consider the case that, the PQC in Figure 1 is replaced with the APQC which is described in Eq.(6). Then , where is an -bit string. Thus, encrypting a -qubit message can obtain a -qubit cipher. The cipher with respect to Eve is

 G′(σ) = 12m∑l∈{0,1}m⎡⎢ ⎢ ⎢⎣(122n−1)m∑k1,⋯,km∈Ωn,i1,⋯,im∈{0,1}n[⊗mj=1E(ρkj,ij,lj)]⎤⎥ ⎥ ⎥⎦⊗APQCl(σ) (18) = 12m∑l∈{0,1}m⊗mj=1⎡⎢⎣122n−1∑kj∈Ωn∑ij∈{0,1}nρ(lj)kj,ij⎤⎥⎦⊗APQCl(σ).

From , it can be infered that . That means the cipher of a -qubit state is shortened.

### 4.4 Security analysis

The security of the quantum public-key encryption scheme proposed in Section 4.3 is analyzed from two aspects: (1) the security of private-key; (2) the security of encryption.

Firstly, we consider the security of private-key. In this scheme, is an important number because it can be directly used for decryption. According to the Holevo theorem nielsen2000 , at most -bit classical information can be obtained from a -qubit public-key

 ρk,i=12(|i⟩+|i⊕k⟩)(⟨i|+⟨i⊕k|),∀i∈{0,1}n,k∈Ωn.

If Eve receives enough copies of a public-key , she can obtain the -bit information of , and then attack the communication between Alice and Bob. Thus, in order to protect the communication, the copies of each quantum public-key must be limited by an upper bound . That means Bob publishes at most copies of the quantum public-key according to a pair of , and then selects a new pair of to produce new quantum public-key. The following proposition proves that the upper bound is equal to .

Proposition 1: Given copies of a quantum public-key , the value of can be extracted successfully with probability at least .

Proof: For arbitrary quantum public-key, suppose the -qubit state is , where and . Suppose Eve has received sufficient copies of . Firstly, she measures the first copy of in the basis , and gets a -bit string . Then she measures the second copy of and gets the second string . If , she continues to measure the -th () copy of , until the -th string . At this time, she can conclude .

We denote random variable as the measurement times until being determined. The probability of the number being determined until the -th measurement is

 Pr(N=t)=12t−1,t≥2.

Thus expected value of is

 +∞∑t=2t⋅Pr(N=t)=+∞∑t=2t2t−1=3.

That means, measurement for three times in average can determine the value of . Moreover, , which means the successful probability is when there are two copies of .

According to Proposition 1, in order to protect , only one copy of each quantum public-key is permitted to be produced from a pair of . Therefore, any two quantum public-keys published by Bob are different. The attacker Eve can only obtain one copy of . When she measures it, she will get and both with probability , but cannot get both the values of and . Extracting the value of from or is the same as attacking one-time-pad in classical cryptography. Therefore, extracting the value of from only one copy of is information-theoretically impossible. Moreover, extracting the relation (the private-key ) between and is also information-theoretically impossible. There maybe exist some different quantum public-keys corresponding to the same , such as