Abstract
In encryption, non-malleability is a highly desirable property: it ensures that adversaries cannot manipulate the plaintext by acting on the ciphertext. In [6], Ambainis et al. gave a definition of non-malleability for the encryption of quantum data. In this work, we show that this definition is too weak, as it allows adversaries to “inject” plaintexts of their choice into the ciphertext. We give a new definition of quantum non-malleability which resolves this problem. Our definition is expressed in terms of entropic quantities, considers stronger adversaries, and does not assume secrecy. Rather, we prove that quantum non-malleability implies secrecy; this is in stark contrast to the classical setting, where the two properties are completely independent. For unitary schemes, our notion of non-malleability is equivalent to encryption with a two-design (and hence also to the definition of [6]).
Our techniques also yield new results regarding the closely-related task of quantum authentication. We show that “total authentication” (a notion recently proposed by Garg et al. [18]) can be satisfied with two-designs, a significant improvement over the eight-design construction of [18]. We also show that, under a mild adaptation of the rejection procedure, both total authentication and our notion of non-malleability yield quantum authentication as defined by Dupuis et al. [16].
1 Introduction
Background. In its most basic form, encryption ensures secrecy in the presence of eavesdroppers. Besides secrecy, another desirable property is non-malleability, which guarantees that an active adversary cannot modify the plaintext by manipulating the ciphertext. In the classical setting, secrecy and non-malleability are independent: there are schemes which satisfy secrecy but are malleable, and schemes which are non-malleable but transmit the plaintext in the clear. If both secrecy and non-malleability are desired, then pairwise-independent permutations provide information-theoretically perfect (one-time) security [20]. In the computational security setting, non-malleability can be achieved by MACs, and ensures chosen-ciphertext security for authenticated encryption.
In the setting of quantum information, encryption is the task of transmitting quantum states over a completely insecure quantum channel. Information-theoretic secrecy for quantum encryption is well-understood. Non-malleability, on the other hand, has only been studied in one previous work, by Ambainis, Bouda and Winter [6]. Their definition (which we will call ABW-non-malleability, or ABW-NM) requires that the scheme satisfies secrecy, and that the “effective channel” \(\mathsf {Dec}\circ \varLambda \circ \mathsf {Enc}\) of any adversary \(\varLambda \) amounts to either the identity map or replacement by some fixed state. In the case of unitary schemes, ABW-NM is equivalent to encrypting with a unitary two-design. Unitary two-designs are a natural quantum analogue of pairwise-independent permutations, and can be efficiently constructed in a number of ways (see, e.g., [10, 14].)
While quantum non-malleability has only been considered by [6], the closely-related task of quantum authentication (where decryption is allowed to reject) has received significant attention (see, e.g., [2, 7, 11, 16, 18].) The widely-adopted definition of Dupuis, Nielsen and Salvail asks that the averaged effective channel of any adversary is close to a map which does not touch the plaintext [16]; we refer to this notion as DNS-authentication. Recent work by Garg, Yuen and Zhandry [18] established another notion of quantum authentication, which they call “total authentication.” The notion of total authentication has two major differences from previous definitions: (i) it asks for success with high probability over the choice of keys, rather than simply on average, and (ii) it makes no demands whatsoever in the case that decryption rejects. We refer to this notion of quantum authentication as GYZ-authentication. In [18], it is shown that GYZ-authentication can be satisfied with unitary eight-designs.
This Work. In this work, we devise a new definition of non-malleability (denoted NM) for quantum encryption, improving on ABW-NM in a number of ways. First, our definition is expressed in terms of entropic quantities, which allows us to bring several quantum-information-theoretic techniques to bear (such as decoupling.) Second, we consider more powerful adversaries, which can possess side information about the plaintext. Third, we remove the possibility of a “plaintext injection” attack, whereby an adversary against an ABW-NM scheme can send a plaintext of their choice to the receiver. Finally, our definition does not demand secrecy; instead, we show that quantum secrecy is a consequence of quantum non-malleability. This is a significant departure from the classical case, and is analogous to the fact that quantum authentication implies secrecy [7].
The primary consequence of our work is twofold: first, encryption with unitary two-designs satisfies all of the above notions of quantum non-malleability; second, when equipped with blank “tag” qubits, the same scheme also satisfies all of the above notions of quantum authentication. A more detailed summary of the results is as follows. For schemes which have unitary encryption maps, we prove that \(\textsf {NM}\) is equivalent to encryption with unitary two-designs, and hence also to ABW-NM. For non-unitary schemes, we prove a characterization theorem for \(\textsf {NM}\) schemes that shows that NM implies ABW-NM, and provide a strong separation example between \(\textsf {NM}\) and ABW-NM (the aforementioned plaintext injection attack). In the case of GYZ authentication, we prove that two-designs (with tags) are sufficient, a significant improvement over the state-of-the-art, which requires eight-designs [18]. Moreover, the simulation of adversaries in this proof is efficient, in the sense of Broadbent and Wainewright [11]. Finally, we show that GYZ-authentication implies DNS-authentication, and that equipping an arbitrary \(\textsf {NM}\) scheme with tags yields DNS-authentication.
We remark that, after the initial version of our results was submitted, an independent work of C. Portmann gave an alternative proof that GYZ-authentication can be satisfied by the 2-design scheme [26].
1.1 Summary of Contributions
In the following, all schemes are symmetric-key encryption schemes for quantum data, in the information-theoretic security setting.
Quantum Non-malleability. We begin with non-malleability, in both the perfect setting (Sect. 3) and the approximate setting (Sect. 4).
1. New definition of non-malleability. We give a new definition of quantum non-malleability (NM), in terms of the information gain of an adversary’s effective attack on the plaintext. The quantum registers are: plaintext A, ciphertext C, user’s reference R, and adversary’s side information B.
Definition 1.1
(\({{\mathbf {\mathsf{{NM}}}}}\), informal). A scheme is non-malleable (NM) if for any \(\varrho _{ABR}\) and any attack \(\varLambda _{CB \rightarrow C\tilde{B}}\), the effective attack \(\tilde{\varLambda }_{AB \rightarrow A\tilde{B}}\) satisfies
The binary entropy term is necessary because adversaries can always simply record whether they disturbed the ciphertext (see Definition 3.4).
2. Results on non-malleability. Our first result is an alternative characterization of \(\textsf {NM}\), in terms of the form of the effective map \(\tilde{\varLambda }\).
Theorem 1.2
(informal). A scheme is \(\textsf {NM}\) if and only if, for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), there exist maps \(\varLambda '_{B\rightarrow \tilde{B}}\), \(\varLambda ''_{B\rightarrow \tilde{B}}\) such that the effective attack satisfies
The fact that \(\textsf {NM}\) implies ABW-NM is an immediate corollary. The new definition is strictly stronger than ABW-NM: we give a scheme which is secure under ABW-NM but insecure under NM. This scheme is in fact susceptible to a powerful attack, whereby a simple adversary can replace the output of decryption with a plaintext of the adversary’s choice. On the other hand, if we restrict our attention to schemes where the encryption maps are unitary, then we are able to show the following.
Theorem 1.3
(informal). Let \(\varPi \) be a scheme such that encryption \(E_k\) is unitary for all keys k. Then \(\varPi \) is \(\textsf {NM}\) if and only if \(\{E_k\}_k\) is a two-design.
By the results of [6], we conclude that NM and ABW-NM are in fact equivalent for unitary schemes. Finally, we show that \(\textsf {NM}\) implies secrecy.
Theorem 1.4
(informal). Quantum non-malleability implies secrecy.
3. Authentication from non-malleability. Our final result in the setting of non-malleability shows that, by adding a “tag” space to the plaintext (as in the Clifford scheme [2]), we can turn an \(\textsf {NM}\) scheme into an authentication scheme as defined in [16]. More precisely, given an encryption scheme \(\varPi = \{E_k\}\), we define \(\varPi ^{{\text {tag}}}_t\) to be a new scheme whose encryption is , and whose decryption rejects unless B measures to \(| 0^t \rangle \).
Theorem 1.5
(informal). Let \(\varPi = \{E_k\}\) be an encryption scheme. If \(\varPi \) is \(\textsf {NM}\), then \(\varPi ^{{\text {tag}}}_t\) is \(2^{2-t}\)-DNS-authenticating.
Quantum Authentication. Our results on quantum authentication are summarized as follows. We note that, strictly speaking, our definitions of authentication deviate slightly from the original versions [16, 18], in that decryption outputs a reject symbol in place of the plaintext (rather than setting an auxiliary bit to “reject.”) This adaptation is convenient for reasons we will return to later.
1. \({{\mathbf {\mathsf{{GYZ}}}}}\) implies \({{\mathbf {\mathsf{{DNS}}}}}\). First, we show that GYZ-authentication implies DNS-authentication. We remark that this is not trivial: on one hand, GYZ strengthens DNS by requiring high probability of success (rather than success on-average); on the other hand, in the reject case GYZ requires nothing while DNS makes rather stringent demands. Nonetheless, we show the following.
Theorem 1.6
(informal). Let \(\varPi \) be an encryption scheme. If \(\varPi \) is \(\varepsilon \)-GYZ-authenticating, then it is also \(O(\sqrt{\varepsilon })\)-DNS-authenticating.
2. \({{\mathbf {\mathsf{{GYZ}}}}}\) is achievable with 2-designs. Next, we show that GYZ-authentication is achieved with a “tagged” two-design scheme. The analysis of [18] required eight-designs for the same construction.
Theorem 1.7
(informal). Let \(\varPi = \{ E_k \}_k\) be a \(2^{-t}\)-approximate 2-design scheme. Then \(\varPi ^{{\text {tag}}}_t\) is \(2^{-\varOmega (t)}\)-GYZ-authenticating.
3. \({{\mathbf {\mathsf{{GYZ}}}}}\) authentication from non-malleability. As a straightforward consequence of Theorems 1.3 and 1.7, we finally record that tagging a unitary non-malleable scheme results in a GYZ-authenticating scheme.
Corollary 1.8
(informal). There exists a constant \(r > 0\) such that the following holds. If \(\varPi \) is a unitary \(\varOmega (2^{-r n})\)-\(\textsf {NM}\) scheme for n-qubit messages, and \(t = {\text {poly}}(n)\), then \(\varPi ^{{\text {tag}}}_t\) is \(2^{-\varOmega ({\text {poly}}(n))}\)-GYZ-authenticating.
A sufficiently strong \(\textsf {NM}\) scheme can be constructed via the \(\varepsilon \)-approximate version of Theorem 1.3 (see Theorem 4.5 and Remark 2.3 below.)
The remainder of the paper is structured as follows. In Sect. 2, we review some basic facts regarding quantum states, registers, and channels, and recall several useful facts about unitary designs. In Sect. 3, we consider the exact setting, beginning with perfect secrecy and then continuing to perfect non-malleability (NM) and the relevant new results; we also discuss the relationship to ABW-NM in detail. We continue in Sect. 4 with the approximate setting, again beginning with secrecy and then continuing to approximate non-malleability. We end with the new results on quantum authentication, in Sect. 4.2.
2 Preliminaries
2.1 Quantum States, Registers, and Channels
We assume basic familiarity with the formalism of quantum states, operators, and channels. We denote quantum registers (i.e., systems and their subsystems) with capital Latin letters, e.g., A, B, C. The Hilbert space corresponding to system A is denoted by \(\mathcal {H}_A\). For a register A, we denote the dimension of \(\mathcal {H}_A\) by |A|. We emphasize that, in this work, all Hilbert spaces will be finite-dimensional.
The space of operators on \(\mathcal {H}_A\) is denoted \(\mathcal B(\mathcal {H}_A)\). We say that a quantum state is classical if it is diagonal in the standard (i.e., computational) basis. We denote the adjoint of an operator \(X \in \mathcal B(\mathcal {H})\) by \(X^\dagger \) and its transpose with respect to the computational basis by \(X^T\). Where necessary, we will write a quantum state \(\varrho \in \mathcal B(\mathcal {H}_A \otimes \mathcal {H}_B \otimes \mathcal {H}_C)\) as \(\varrho _{ABC}\) to emphasize that the state is a multipartite state over registers A, B, and C. When such a state has already been defined, we will write reduced states by omitting the traced-out registers, e.g., \(\varrho _A := \mathrm {Tr}_{BC} [\varrho _{ABC}]\). We single out some special states which will appear frequently. Fix two systems \(S, S'\) with \(|S| = |S'|\). We let
denote the maximally entangled state on the bipartite system \(SS'\) (expressed as a pure state on the left, and as a density operator on the right.) Furthermore, we let \(\varPi ^-_{SS'}=\mathbbm {1}_{SS'}-\phi ^+_{SS'}\) and \(\tau ^-_{SS'}=\varPi ^-_{SS'}/(|S|^2-1)\). We also set \(\tau _S=\mathbbm {1}_S/|S|\) to be the maximally mixed state on S.
We denote the von Neumann entropy of a state \(\varrho _A\) by \(H(A)_\varrho \), and the joint entropy of \(\varrho _{AB}\) by \(H(AB)_\varrho \). We recall that the quantum mutual information of \(\varrho _{AB}\) is defined by
The quantum conditional mutual information of \(\varrho _{ABC}\) is defined by
These quantities are nonnegative [21] and satisfy a chain rule:
We remark that the above also holds for trivial D. Together with the Stinespring dilation theorem [27], non-negativity [22] and the chain rule imply the data processing inequality
when \(\varLambda \) is a CPTP (completely-positive, trace-preserving) map from \(\mathcal B(\mathcal {H}_B)\) to \(\mathcal B(\mathcal {H}_{\tilde{B}})\). An important special case is where \(B=B_1B_2\) and \(\varLambda =\mathrm {Tr}_{B_2}\) discards the contents of \(B_2\).
We will refer to valid transformations between quantum states as channels, or CPTP maps. We will sometimes also consider trace-non-increasing completely-positive (CP) maps. When necessary, we will emphasize the input and output spaces of a map \( \varLambda : \mathcal B(\mathcal {H}_A\otimes \mathcal {H}_B) \rightarrow \mathcal B(\mathcal {H}_C) \) by writing \(\varLambda _{AB \rightarrow C}\). We denote the identity channel on, e.g., register A by \(\mathrm {id}_{A\rightarrow A}\) (or simply \(\mathrm {id}_A\)) and the channel from register A to \(A'\) with constant output \(\sigma _{A'}\) by \(\langle \sigma \rangle _{A\rightarrow A'}\). When composing operators on many registers, and if the context allows, we will elide tensor products with the identity operator. So, for example, with \(\varLambda \) as above we may write \(\tau _{CD} = \varLambda \, \varrho _{ABD}\) in place of \(\tau _{CD} = (\varLambda \otimes \mathrm {id}_D) \varrho _{ABD}\).
A standard tool in this setting is the Choi-Jamiołkowski (CJ) isomorphism [12, 19]. Let \(\varXi _{A\rightarrow B}: \mathcal B(\mathcal {H}_A)\rightarrow \mathcal B(\mathcal {H}_B)\) be a linear operator. Then its CJ matrix is defined as
The linear operator mapping \(\varXi \) to \(\eta _{\varXi }\) is an isomorphism of vector spaces and \(\eta _\varXi \) is positive semidefinite iff \(\varXi \) is CP. Moreover \(\varXi _{A\rightarrow B}\) is TP iff \(\left( \eta _{\varXi }\right) _{A'}=\tau _A\). The inverse of the CJ isomorphism is given by the equation
We denote the swap operator by \(F : | i \rangle \otimes | j \rangle \mapsto | j \rangle \otimes | i \rangle \).
Lemma 2.1
(Swap trick [17]). For matrices A and B, \(\mathrm {Tr}[AB]=\mathrm {Tr}[F A\otimes B]\).
We will make frequent use of the trace norm \(\Vert \cdot \Vert _1\), the operator norm \(\Vert \cdot \Vert _\infty \), and the diamond norm \(\Vert \varLambda _{A\rightarrow B}\Vert _\diamond :=\max _{\varrho _{AA'}}\Vert \varLambda _{A\rightarrow B}\otimes \mathrm {id}_{A'}(\varrho _{AA'})\Vert _1\); here the max is taken over all pure quantum states \(\varrho _{AA'}\) and \(\mathcal {H}_A\cong \mathcal {H}_{A'}\). Recall that the Hölder inequality for operators states that, for any two operators X and Y,
2.2 Unitary Designs
We now recall the definition of unitary t-design, and some relevant variants. We begin by considering three different types of “twirls.”
1. For a finite subset \(\mathrm D\subset \mathrm {U}(\mathcal {H})\) of the unitary group on some finite dimensional Hilbert space \(\mathcal {H}\), let
$$\begin{aligned} \mathcal T^{(t)}_{\mathrm D}(X)=\frac{1}{|\mathrm D|}\sum _{U\in \mathrm D}U^{\otimes t}X\left( U^\dagger \right) ^{\otimes t} \end{aligned}$$ (2.4)
be the associated t-twirling channel. If we take the entire unitary group (rather than just a finite subset), then we get the Haar t-twirling channel
$$\begin{aligned} \mathcal T^{(t)}_\mathsf {Haar}(X)=\int U^{\otimes t}X\left( U^\dagger \right) ^{\otimes t} \mathrm {d}U. \end{aligned}$$ (2.5)
2. We define the U-\(\overline{U}\) twirl with respect to finite \(\mathrm D\subset \mathrm {U}(\mathcal {H})\) by
$$\begin{aligned} \overline{\mathcal {T}}_{\mathrm D}(X) =\frac{1}{|\mathrm D|}\sum _{U\in \mathrm D}\left( U\otimes \overline{U} \right) X\left( U\otimes \overline{U}\right) ^\dagger . \end{aligned}$$ (2.6)
The analogous U-\(\overline{U}\) Haar twirling channel is denoted by \(\overline{\mathcal T}_{\mathsf {Haar}}\).
3. The third notion is called a channel twirl, and is defined in terms of U-\(\overline{U}\)-twirling. Given a channel \(\varLambda \), let \(\eta _\varLambda \) be the CJ state of \(\varLambda \). The channel twirl \(\mathcal T_{\mathrm {D}}^{ch}(\varLambda )\) of \(\varLambda \) is defined to be the channel whose CJ state is \(\overline{\mathcal {T}}_{\mathrm D}(\eta _\varLambda )\).
Next, we define the three corresponding notions of designs.
Definition 2.2
Let \(\mathrm D\subset \mathrm {U}(\mathcal {H})\) be a finite set. We define the following.
- If \(\bigl \Vert \mathcal T^{(t)}_{\mathrm D}-\mathcal T^{(t)}_\mathsf {Haar}\bigr \Vert _\diamond \le \delta \) holds, then \(\mathrm {D}\) is a \(\delta \)-approximate t-design.
- If \(\bigl \Vert \overline{\mathcal T}_{\mathrm D}-\overline{\mathcal T}_\mathsf {Haar}\bigr \Vert _\diamond \le \delta \) holds, then \(\mathrm {D}\) is a \(\delta \)-approximate U-\(\overline{U}\)-twirl design.
- If \(\left\| \mathcal T^{ch}_{\mathrm D}(\varLambda )-\mathcal T^{ch}_\mathsf {Haar}(\varLambda )\right\| _\diamond \le \delta \) holds for all CPTP maps \(\varLambda \), then \(\mathrm {D}\) is a \(\delta \)-approximate channel-twirl design.
For all three of the above, the case \(\delta = 0\) is called an “exact design” (or simply “design”.) All three notions of design are equivalent in the exact case. In the approximate case they are still connected, but there are some nontrivial costs in the approximation quality (See [23], Lemma 2.2.14, and an additional easy lemma proven in the full version [3]).
It is well-known that \(\varepsilon \)-approximate t-designs on n qubits can be generated by random quantum circuits of size polynomial in n, t and \(\log (1/\varepsilon )\) [10]. In particular, the size of these circuits is polynomial even for exponentially-small choices of \(\varepsilon \). We emphasize this observation as follows.
Remark 2.3
Fix a polynomial t in n. Then, for any \(\varepsilon > 0\), a random n-qubit quantum circuit consisting of \({\text {poly}}(n, \log (1/\varepsilon ))\) gates (from a universal set) satisfies every notion of \(\varepsilon \)-approximate t-design in Definition 2.2.
For exact designs, we point out two important constructions. First, the prototypical example of a unitary one-design on n qubits is the n-qubit Pauli group. For exact unitary two-designs, the standard example is the Clifford group, which is the normalizer of the n-qubit Pauli group. Alternatively, the Clifford group is generated by circuits from the gate set \(\{H, P, \text {CNOT}\}\). It is well-known that one can efficiently generate exact unitary two-designs on n-qubits by building appropriate circuits from this gate set, using \(O(n^2)\) random bits [1, 14].
3 The Zero-Error Setting
We begin with the zero-error setting. In the case of secrecy, zero-error means that schemes cannot leak any information whatsoever. In the case of non-malleability, zero-error means that the adversary cannot increase their correlations with the secret by even an infinitesimal amount (except by trivial means; see below).
3.1 Perfect Secrecy
We begin with a definition of symmetric-key quantum encryption. Our formulation treats rejection during decryption in a slightly different manner from previous literature.
Definition 3.1
(Encryption scheme). A symmetric-key quantum encryption scheme (QES) is a triple \((\tau _K,E,D)\) consisting of a classical state \(\tau _K\in \mathcal B(\mathcal {H}_K)\) and a pair of channels
satisfying \([D\circ E](\cdot \otimes |k\rangle \langle k|)= (\mathrm {id}_{A} \oplus 0_\bot ) \otimes |k\rangle \langle k|\) for all k.
The Hilbert spaces \(\mathcal {H}_A\), \(\mathcal {H}_C\) and \(\mathcal {H}_K\) are implicitly given by the triple \((\tau _K, E, D)\). The state \(| \bot \rangle \) is an error flag that allows the decryption map to report an error. For notational convenience when dealing with these schemes, we set
We will often slightly abuse notation by referring to decryption maps \(D_k\) as maps from C to A; in fact, the output space of \(D_k\) is really the slightly larger space \(\bar{A} := A \oplus \mathbb {C}| \bot \rangle \).
It is natural to define secrecy in the quantum world in terms of quantum mutual information. However, instead of asking for the ciphertext to be uncorrelated with the plaintext as in the classical case, we ask for the ciphertext to be uncorrelated from any reference system.
Definition 3.2
(Perfect secrecy). A QES \((\tau _K, E, D)\) satisfies information-theoretic secrecy (ITS) if, for any Hilbert space \(\mathcal {H}_B\) and any \(\varrho _{AB}\in \mathcal B(\mathcal {H}_A\otimes \mathcal {H}_B)\), setting \(\sigma _{CBK}=E(\varrho _{AB}\otimes \tau _K)\) implies \(I(C:B)_\sigma =0.\)
We note that, for perfect ITS, adding side information is unnecessary: the definition already implies that the ciphertext is in product with any other system. In particular, if the adversary has some auxiliary system E in their possession, then \(I(B:CE)_\sigma =I(B:E)_\sigma \). Several definitions of secrecy for symmetric-key quantum encryption have appeared in the literature, but the above formulation appears to be new. It can be shown that \(\textsf {ITS}\) is equivalent to perfect indistinguishability of ciphertexts (IND). The latter notion is a special case of an early indistinguishability-based definition of Ambainis et al. [5].
In many situations it makes sense to restrict ourselves to QES that have identical plaintext and ciphertext spaces; due to correctness, this is equivalent to unitarity.
Definition 3.3
(Unitary scheme). A QES \((\tau _K,E,D)\) is called unitary if the encryption and decryption maps are controlled unitaries, i.e., if there exists \(V = \sum _k U^{(k)}_A\otimes |k\rangle \langle k|_K\) such that \(E(X)=VXV^\dagger \).
It is straightforward to prove that, for unitary schemes, ITS is equivalent to the statement that the encryption maps \(\{E_k\}\) form a unitary 1-design. Note that unitarity of \(E_k\) and correctness imply unitarity of \(D_k\).
3.2 A New Notion of Non-malleability
Definition. We consider a scenario involving a user Alice and an adversary Mallory. The scenario begins with Mallory preparing a tripartite state \(\varrho _{ABR}\) over three registers: the plaintext A, the reference R, and the side-information B. The registers A and R are given to Alice, while Mallory keeps B. Alice then encrypts A into a ciphertext C and then transmits (or stores) it in the open. Mallory now applies an attack map
Mallory keeps the (transformed) side-information \(\tilde{B}\) and returns C to Alice. Finally, Alice decrypts C back to A, and the scenario ends. We are now interested in measuring the extent to which Mallory was able to increase her correlations with Alice’s systems A and R. This can be understood by analyzing the mutual information \(I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )}\) where \(\tilde{\varLambda }_{AB \rightarrow A\tilde{B}}\) is the effective channel corresponding to Mallory’s attack (Fig. 1):
We point out one way in which Mallory can always increase these correlations, regardless of the structure of the encryption scheme. First, she flips a coin b, and records the outcome in B. If \(b=1\), she replaces the contents of C with some fixed state \(\sigma _C\), and otherwise she leaves C untouched. One then sees that Mallory’s correlations have increased by \(h(p_{=}(\varLambda ,\varrho ))\), where h denotes binary entropy and \(p_{=}\) is defined as follows.
This quantity is the inner product between the identity map and the map \(\varLambda ((\,\cdot \,) \otimes \varrho _B)\), expressed in terms of CJ states. Intuitively, it measures the probability with which Mallory chooses to apply the identity map; taking the binary entropy then gives us the information gain resulting from recording this choice.
We are now ready to define information-theoretic quantum non-malleability. Stated informally, a scheme is non-malleable if Mallory can only implement the attacks described above.
Definition 3.4
(Non-malleability). A QES \((\tau _K,E, D)\) is non-malleable (NM) if for any state \(\varrho _{ABR}\) and any CPTP map \(\varLambda _{CB \rightarrow C{\tilde{B}}}\), we have
One might justifiably wonder if the term \(h(p_{=}(\varLambda , \varrho ))\) is too generous to the adversary. However, as we showed above, every scheme is vulnerable to an attack which gains this amount of information. This term also appears (somewhat disguised) in the classical setting. In fact, if a classical encryption scheme satisfies Definition 3.4 against classical adversaries, then it also satisfies classical information-theoretic non-malleability as defined in [20].
Definition 3.4 directly generalizes the classical information-theoretic definition from [20]. In some settings, it might be preferable to have a definition which characterizes the set of effective attack channels as was done in [6]. As it turns out, \(\textsf {NM}\) can be defined in this way.
Theorem 3.7 (Non-malleability, alternative form). A QES \((\tau , E, D)\) is \(\textsf {NM}\) if and only if for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map \(\tilde{\varLambda }_{AB\rightarrow A\tilde{B}}\) has the form
where \(\varLambda ' =\mathrm {Tr}_{CC'}[\phi ^+_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))]\) and \(\varLambda '' =\mathrm {Tr}_{CC'}[\varPi ^-_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))].\)
The proof of this theorem is postponed to the results section below (proof sketch) and the appendix.
Finally, as we will show in later sections, Definition 3.4 implies ABW-NM (see Definition 3.8), and schemes satisfying Definition 3.4 are sufficient for building quantum authentication under the strongest known definitions.
Non-malleability Implies Secrecy. In the classical case, non-malleability is independent from secrecy: the one-time pad is secret but malleable, and non-malleability is unaffected by appending the plaintext to each ciphertext. In the quantum case, on the other hand, we can show that \(\textsf {NM}\) implies secrecy. This is analogous to the fact that “quantum authentication implies encryption” [7].
Proposition 3.5
Let \((\tau _K,E, D)\) be an NM QES. Then \((\tau _K,E, D)\) is ITS.
Proof
Let B, \(\varrho _{AB}\), and \(\sigma _{CBK} = E(\varrho _{AB} \otimes \tau _K)\) be as in the definition of ITS (Definition 3.2). We first rename B to R. We then consider the non-malleability property in the following special-case scenario. The initial side-information register is empty, the final side-information register \(\tilde{B}\) satisfies \(\mathcal {H}_{\tilde{B}} \cong \mathcal {H}_C\), and the adversary map \(\varLambda _{C\rightarrow C\tilde{B}}\) is defined as follows. Note that the “ciphertext-extraction” map \(\varTheta _{C\rightarrow C\tilde{B}}=\mathrm {id}_{C\rightarrow \tilde{B}}(\cdot )\otimes \tau _C\) has CJ state \(\eta ^{\varTheta }_{CC'\tilde{B}}=\phi ^+_{C'\tilde{B}}\otimes \tau _C\). We choose \(\varLambda \) so that its CJ state satisfies
Applying the above projection to the CJ state of \(\varTheta \) ensures that \(\varLambda \) will have \(p_=({\varLambda })=0\) (note: \(p_=(\varTheta ) > 0\).)
Direct calculation of the \(C' \tilde{B}\) marginal of the CJ state of \(\varLambda \) yields
This implies that the output \(\sigma _{AR\tilde{B}}=\tilde{\varLambda }_{A\rightarrow A\tilde{B}}(\varrho _{AB})\) of the effective channel \(\tilde{\varLambda }\) will satisfy
where \(\gamma _{CR}=(E_K)_{A\rightarrow C}(\varrho _{AR})\) and we used the fact that \(\mathcal {H}_{\tilde{B}} \cong \mathcal {H}_C\). By non-malleability, we have
In particular, \(I(\tilde{B}:R)_{\sigma }=0\) and thus \(\sigma _{\tilde{B}R}=\sigma _{\tilde{B}}\otimes \varrho _R.\) It follows by Eq. (3.7) that
i.e., \(\gamma _{\tilde{B}R}\) is a product state. This is precisely the definition of information-theoretic secrecy. \(\square \)
Characterization of Non-malleable Schemes. Next, we provide a characterization of non-malleable schemes. First, we show that, for unitary schemes, \(\textsf {NM}\) is equivalent to encryption with a unitary 2-design.
Theorem 3.6
A unitary QES \((\tau _K, E, D)\) is NM if and only if \(\{E_k\}_{k\in K}\) is a unitary 2-design.
This fact is particularly intuitive when the 2-design is the Clifford group, a well-known exact 2-design. In that case, a Pauli operator acting on only one ciphertext qubit will be “propagated” (by the encryption circuit) to a completely random Pauli on all plaintext qubits. The plaintext is then maximally mixed, and the adversary gains no information. The Clifford group thus yields a perfectly non-malleable (and perfectly secret) encryption scheme using \(O(n^2)\) bits of key [1].
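As an added numerical illustration (not code from the paper), the following script checks the exact-design conditions of Definition 2.2 for t = 1, 2 on a single qubit and then replays the Pauli-propagation intuition above: under Pauli keys (the quantum one-time pad, a 1-design and hence ITS by the remark after Definition 3.3) an X attack on the ciphertext flips the plaintext, whereas under Clifford keys (a 2-design) the decrypted state is the same key-averaged mixture whichever non-identity Pauli Mallory applies. The closed form of the Haar twirl as the projection onto the commutant span{I, F} of U ⊗ U, the group-closure routine and all function names are this example's own assumptions.

```python
# Added example (not from the paper): single-qubit numerical check of the
# exact-design notions of Definition 2.2 and of the Pauli-propagation intuition.
# Assumption: the Haar t-twirl (t <= 2) is computed in closed form as the
# projection onto the commutant span{I, F} of U (x) U (Schur-Weyl duality).
import itertools
import numpy as np

I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Y = np.array([[0, -1j], [1j, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)
H = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)
S = np.array([[1, 0], [0, 1j]], dtype=complex)
PAULIS = [I2, X, Y, Z]  # quantum one-time pad keys: a unitary 1-design

def _canon(U):
    """Hashable key for U modulo global phase (twirls ignore phases)."""
    flat = U.flatten()
    k = np.flatnonzero(np.abs(flat) > 1e-9)[0]
    V = np.round(flat * (abs(flat[k]) / flat[k]), 6)
    return tuple(complex(z.real + 0.0, z.imag + 0.0) for z in V)

def generate_group(generators):
    """Close a finite set of unitaries under multiplication, modulo phase."""
    seen, frontier = {_canon(I2): I2}, [I2]
    while frontier:
        new = []
        for U, G in itertools.product(frontier, generators):
            W = G @ U
            key = _canon(W)
            if key not in seen:
                seen[key] = W
                new.append(W)
        frontier = new
    return list(seen.values())

CLIFFORD = generate_group([H, S])  # the 1-qubit Clifford group, 24 elements

def swap_op(d):
    """The swap operator F of Lemma 2.1, F |i>|j> = |j>|i>."""
    F = np.zeros((d * d, d * d), dtype=complex)
    for i, j in itertools.product(range(d), repeat=2):
        F[i * d + j, j * d + i] = 1
    return F

def twirl(D, X_op, t):
    """Eq. (2.4): the t-twirling channel of the finite set D applied to X_op."""
    acc = np.zeros_like(X_op)
    for U in D:
        Ut = U
        for _ in range(t - 1):
            Ut = np.kron(Ut, U)
        acc += Ut @ X_op @ Ut.conj().T
    return acc / len(D)

def haar_twirl(X_op, d, t):
    """Eq. (2.5) for t in {1, 2}: projection onto span{I}, resp. span{I, F}."""
    if t == 1:
        return np.trace(X_op) * np.eye(d) / d
    F = swap_op(d)
    tr_x, tr_fx = np.trace(X_op), np.trace(F @ X_op)
    alpha = (tr_x - tr_fx / d) / (d * d - 1)
    beta = (tr_fx - tr_x / d) / (d * d - 1)
    return alpha * np.eye(d * d) + beta * F

def is_exact_design(D, t, d=2):
    """Definition 2.2 with delta = 0, checked on the matrix-unit basis."""
    n = d ** t
    for i, j in itertools.product(range(n), repeat=2):
        E = np.zeros((n, n), dtype=complex)
        E[i, j] = 1
        if not np.allclose(twirl(D, E, t), haar_twirl(E, d, t), atol=1e-8):
            return False
    return True

def effective_channel(D, attack, rho):
    """Key average of D_k o attack o E_k for the unitary scheme E_k = U_k(.)U_k^+."""
    out = np.zeros_like(rho)
    for U in D:
        c = attack @ (U @ rho @ U.conj().T) @ attack.conj().T  # Mallory acts on C
        out += U.conj().T @ c @ U                              # Alice decrypts
    return out / len(D)

def malleability_demo(attack="X"):
    """Decrypted plaintext for |0><0| after Mallory applies the named Pauli to C."""
    P = {"X": X, "Y": Y, "Z": Z}[attack]
    rho0 = np.array([[1, 0], [0, 0]], dtype=complex)
    return (effective_channel(PAULIS, P, rho0),
            effective_channel(CLIFFORD, P, rho0))

if __name__ == "__main__":
    print("Pauli group: 1-design", is_exact_design(PAULIS, 1),
          "/ 2-design", is_exact_design(PAULIS, 2))
    print("Clifford group:", len(CLIFFORD), "elements, 2-design",
          is_exact_design(CLIFFORD, 2))
    for name in ("X", "Z"):
        otp, cliff = malleability_demo(name)
        print(name, "attack: one-time pad ->", np.round(otp.real, 3).tolist(),
              "| Clifford ->", np.round(cliff.real, 3).tolist())
```

Under Clifford keys both attacks decrypt to diag(1/3, 2/3) = (2·1 − |0⟩⟨0|)/3, the average of XρX, YρY and ZρZ, so the output no longer depends on which Pauli Mallory chose.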
It will be convenient to prove Theorem 3.6 as a consequence of our general characterization theorem, which is as follows.
Theorem 3.7
Let \((\tau , E, D)\) be a QES. Then \((\tau , E, D)\) is \(\textsf {NM}\) if and only if, for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map \(\tilde{\varLambda }_{AB\rightarrow A\tilde{B}}\) has the form
where \(\varLambda ' =\mathrm {Tr}_{CC'}[\phi ^+_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))]\) and \(\varLambda '' =\mathrm {Tr}_{CC'}[\varPi ^-_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))].\)
We remark that the forward direction holds even if \((\tau , E, D)\) only fulfills the \(\textsf {NM}\) condition (Eq. (3.3)) against adversaries with empty side-information B. The proof of Theorem 3.7 (with this strengthening) is sketched below. The full proof is somewhat technical and can be found in Appendix B. More precisely, we prove the stronger Theorem B.3, which implies the above by setting \(\varepsilon =0\).
Proof sketch. The first implication, i.e. \(\textsf {NM}\) implies Eq. (3.10), is best proven in the Choi-Jamiołkowski picture. Here, any \(\textsf {QES}\) defines a map
where the transpose \(E_k^T\) is the map whose Kraus operators are the transposes of the Kraus operators of \(E_k\) (in the standard basis). Our goal is to prove that this map essentially acts like the \(U\bar{U}\)-twirl. We decompose the space \(\mathcal {H}_C^{\otimes 2}\) as
which induces a decomposition of
On the first and last direct summands, the correct behavior of \(\mathcal E\) is easy to show: the first one corresponds to the identity, and the last one to the non-identity channels \(\varLambda \) with \(p_=(\varLambda )=0\). For the remaining two spaces, we employ Lemma A.3 which shows that the encryption map of any valid encryption scheme has the form of appending an ancillary mixed state and then applying an isometry. Evaluating for \(\left\langle \phi ^+ \mid v \right\rangle =0\) reduces to evaluating the adjoint of the average encryption map, \(E^\dagger _K\), on traceless matrices. It is, however, easy to verify that
for any \(\sigma _C\). This can be used to prove \(E_K=\langle \tau _C\rangle \) by observing that \(\langle \phi ^+ |_{CC'}\sigma _C\otimes \varrho _{C'}| \phi ^+ \rangle _{CC'}=\mathrm {Tr}(\sigma _C\varrho _{C})\), so for rank-deficient \(\varrho \) we can calculate \(\mathcal E_{CC'\rightarrow AA'}(\sigma _C\otimes (\cdot )_{C'})\) using what we have already proven.
The other direction is proven by a simple application of Lemma A.2. \(\square \)
The fact that \(\textsf {NM}\) is equivalent to 2-designs (for unitary schemes) is a straightforward consequence of the above.
Proof
(of Theorem 3.6) First, assume \((\tau _K, E, D)\) is a unitary \(\textsf {NM}\) \(\textsf {QES}\) with \(E_k=U_k(\cdot )U_k^\dagger \). Then it has \(|C|=|A|\), and \(D_K(\tau _C)=\tau _A\), so the conclusion of Theorem 3.7 in this case (i.e., Eq. (3.10)) is exactly the condition for \(\{U_k\}\) to be an exact channel twirl design and therefore an exact 2-design. If \((\tau _K, E, D)\), on the other hand, is a unitary \(\textsf {QES}\) and \(\{U_k\}\) is a 2-design, then Eq. (3.10) holds and the scheme is therefore \(\textsf {NM}\) according to Theorem 3.7.
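The following is an added numerical check of Theorem 3.6 and Eq. (3.10) for single-qubit unitary schemes with trivial side information B; it is example code written for this page, not code from the paper. It compares the Pauli one-time pad (a unitary 1-design: secret but malleable) with the single-qubit Clifford group (an exact 2-design), computing the effective plaintext map of Eq. (3.1) for two constructed attack channels and measuring its gap to the right-hand side of Eq. (3.10), where for trivial B the maps \(\varLambda '\) and \(\varLambda ''\) reduce to the scalars \(p_=\) and \(1-p_=\).

```python
"""Added example (not the paper's code): checking Theorem 3.6 / Eq. (3.10) for
single-qubit unitary schemes with trivial side information B."""
import numpy as np

I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Y = np.array([[0, -1j], [1j, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)
H = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)
S = np.array([[1, 0], [0, 1j]], dtype=complex)
KET0 = np.array([[1, 0], [0, 0]], dtype=complex)        # plaintext |0><0|

# Two constructed attack channels on the ciphertext C, given by Kraus operators.
ATTACK_X = [X]                                           # deterministic bit flip

def amplitude_damping(gamma):
    """Non-unitary attack: amplitude damping with decay probability gamma."""
    return [np.array([[1, 0], [0, np.sqrt(1 - gamma)]], dtype=complex),
            np.array([[0, np.sqrt(gamma)], [0, 0]], dtype=complex)]

def pauli_group():
    """Encryption unitaries of the Pauli one-time pad: a 1-design, not a 2-design."""
    return [I2, X, Y, Z]

def clifford_group():
    """The 24 single-qubit Cliffords (modulo global phase) as the closure of {H, S}."""
    def key(U):                                          # phase-invariant fingerprint
        first = U.ravel()[np.flatnonzero(np.abs(U.ravel()) > 1e-9)[0]]
        return (np.round(U * (abs(first) / first), 6) + 0.0).tobytes()
    group, queue = {key(I2): I2}, [I2]
    while queue:
        U = queue.pop()
        for g in (H, S):
            V = g @ U
            k = key(V)
            if k not in group:
                group[k] = V
                queue.append(V)
    return list(group.values())

def apply_kraus(kraus, rho):
    return sum(A @ rho @ A.conj().T for A in kraus)

def secrecy_deviation(unitaries, rho):
    """Distance of the average ciphertext E_K(rho) from the maximally mixed tau_C."""
    avg = sum(U @ rho @ U.conj().T for U in unitaries) / len(unitaries)
    return float(np.max(np.abs(avg - I2 / 2)))

def effective_map(unitaries, kraus):
    """Effective plaintext map of Eq. (3.1): encrypt, attack, decrypt, average over k."""
    def tilde(rho):
        out = sum(U.conj().T @ apply_kraus(kraus, U @ rho @ U.conj().T) @ U
                  for U in unitaries)
        return out / len(unitaries)
    return tilde

def p_equal(kraus, d=2):
    """p_=(Lambda) of Eq. (3.2) for trivial B: overlap of (Lambda x id)(phi+) with phi+."""
    v = np.eye(d, dtype=complex).ravel() / np.sqrt(d)    # |phi+> = sum_i |ii>/sqrt(d)
    phi = np.outer(v, v.conj())
    out = apply_kraus([np.kron(A, np.eye(d)) for A in kraus], phi)
    return float(np.real(np.trace(phi @ out)))

def theorem37_map(kraus, d=2):
    """Right-hand side of Eq. (3.10) for a unitary scheme (D_K(tau) = tau) and trivial B,
    where Lambda' = p_= and Lambda'' = 1 - p_= are scalars."""
    p, tau = p_equal(kraus, d), np.eye(d) / d
    return lambda rho: p * rho + (1 - p) * (d**2 * tau * np.trace(rho) - rho) / (d**2 - 1)

def superop(chan, d=2):
    """Matrix of a linear map on the operator basis {|i><j|}, for comparing maps."""
    cols = []
    for i in range(d):
        for j in range(d):
            E = np.zeros((d, d), dtype=complex)
            E[i, j] = 1
            cols.append(chan(E).ravel())
    return np.array(cols).T

def nm_deviation(unitaries, kraus):
    """Max entry-wise gap between the true effective map and the Eq. (3.10) form;
    it vanishes for every attack exactly when the unitaries form a 2-design."""
    return float(np.max(np.abs(superop(effective_map(unitaries, kraus))
                               - superop(theorem37_map(kraus)))))

if __name__ == "__main__":
    for name, group in (("Pauli OTP", pauli_group()), ("Clifford", clifford_group())):
        print(name, "secrecy gap:", secrecy_deviation(group, KET0))
        for label, attack in (("X flip", ATTACK_X), ("amp. damping", amplitude_damping(0.5))):
            print(f"  {label}: p_= = {p_equal(attack):.3f}, "
                  f"gap to Eq. (3.10) = {nm_deviation(group, attack):.3f}")
```

Both schemes are perfectly secret, but only the Clifford scheme reproduces Eq. (3.10) for every attack; under the Pauli one-time pad the bit-flip attack passes straight through to the plaintext.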
Relationship to ABW Non-malleability. Ambainis, Bouda and Winter give a different definition of non-malleability, expressed in terms of the effective maps that an adversary can apply to the plaintext by acting on the ciphertext produced from encrypting with a random key [6]. According to their definition, a scheme is non-malleable if the adversary can only apply maps from a very restricted class when averaging over the key, and without giving side information to the active adversary. Let us recall their definition here.
First, given a QES \((\tau _K, E,D)\), we define the set \(S := \{ D_K(\sigma _C) \,|\, \sigma _C \in \mathcal B(\mathcal {H}_C)\}\) consisting of all valid average decryptions. We then define the class \(C^S_A\) of all “replacement channels”. This is the set of CPTP maps belonging to the space
We then make the following definition, which first appeared in [6].
Definition 3.8
(ABW non-malleability). A QES \((\tau _K, E,D)\) is ABW-non-malleable (ABW-NM) if it is ITS, and for all channels \(\varLambda _{C\rightarrow C}\), we have
As indicated in [6], an approximate version of Eq. (3.15) is obtained by considering the diamond-norm distance between the effective channel and the set \(C_A^S\); this implies the possibility of an auxiliary reference system, which is denoted R in \(\textsf {NM}\). We emphasize that this reference system is not under the control of the adversary. In particular, ABW-NM does not allow for adversaries which maintain and actively use side information about the plaintext system.
Another notable distinction is that [6] includes a secrecy assumption in the definition of an encryption scheme; under this assumption, it is shown that a unitary QES is ABW-NM if and only if the encryption unitaries form a 2-design. By our Theorem 3.6, we see that NM and ABW-NM are equivalent in the case of unitary schemes. So, in that case, ABW-NM actually ensures a much stronger security notion than originally considered by the authors of [6].
In the general case, \(\textsf {NM}\) is strictly stronger than ABW-NM. First, by comparing the conditions of Definition 3.8 to Eq. (3.10), we immediately get the following corollary of Theorem 3.7.
Corollary 3.9
If a \(\textsf {QES}\) satisfies \(\textsf {NM}\), then it also satisfies ABW-NM.
Second, we give a separation example which shows that ABW-NM is highly insecure; in fact, it allows the adversary to “inject” a plaintext of their choice into the ciphertext. This is insecure even under the classical definition of information-theoretic non-malleability of [20]. We now describe the scheme and this attack.
Example 3.10
Suppose \((\tau _K, E, D)\) is a QES that is both \(\textsf {NM}\) and ABW-NM. Define a modified scheme \((\tau _K, E', D')\), with enlarged ciphertext space \(\mathcal {H}_{C'} = \mathcal {H}_{C}\oplus \mathcal {H}_{\hat{A}}\) (where \(\mathcal {H}_{\hat{A}}\cong \mathcal {H}_A\)) and encryption and decryption defined by
Then \((\tau _K, E', D')\) is ABW-NM but not NM.
While encryption ignores \(\mathcal {H}_{\hat{A}}\), decryption measures whether the ciphertext lies in C or in \(\hat{A}\) and then decrypts (in the first case) or simply outputs the contents (in the second case). This is a dramatic violation of \(\textsf {NM}\): set \(\mathcal {H}_{\tilde{B}}\cong \mathcal {H}_{A}\), trivial B and R, and
it follows that, for all \(\varrho \),
Now let us show that \((\tau , E', D')\) is still ABW-NM. Let \(\varLambda _{C'\rightarrow C'}\) be an attack, i.e., an arbitrary CPTP map. Then the effective plaintext map is
where \(\varLambda ^C(X_C)=\varPi _C\varLambda (X_C\oplus 0_{\hat{A}})\varPi _C\) and \(\varLambda ^{\hat{A}}(X_C)=\mathrm {id}_{\hat{A}\rightarrow A}(\varPi _{\hat{A}}\varLambda (X_C\oplus 0_{\hat{A}})\varPi _{\hat{A}})\). Since \((\tau , E, D)\) is \(\textsf {ITS}\) (Proposition 3.5), there exists a fixed state \(\varrho ^0_C\) such that \(E_K(\varrho _A)=\varrho ^0_C\) for all \(\varrho _A\). Since \((\tau , E, D)\) is ABW-NM, we also know that
with \(S=\{ D_K(\sigma _C)\,|\,\sigma _C \in \mathcal B(\mathcal {H}_C)\}\). We therefore get
with \(S'=\{ D'_K(\sigma _{C'})\,|\,\sigma _{C'} \in \mathcal B(\mathcal {H}_{C'})\}.\) This is true because \(S'\) contains all constant maps, as \(D'_K(0_{C}\oplus \varrho _{\hat{A}})=\varrho _A\).
4 The Approximate Setting
We now consider the case of approximate non-malleability. Approximate schemes are relevant for several reasons. First, an approximate scheme with negligible error can be more efficient than an exact one: the most efficient construction of an exact 2-design requires a quantum circuit of \(O(n\log n\log \log n)\) gates [13], whereas approximate 2-designs can be achieved with linear-length circuits [14]. Second, in practice, absolutely perfect implementation of all quantum gates is too much to expect, even with error correction. Third, when passing to authentication one must allow for errors, as it is always possible for the adversary to escape detection (with low probability) by guessing the secret key.
For all these reasons, it is important to understand what happens when the perfect secrecy and perfect non-malleability requirements are slightly relaxed. In this section, we show that our definitions and results are stable under such relaxations, and prove several additional results for quantum authentication. We begin with the approximate-case analogue of perfect secrecy.
Definition 4.1
(Approximate secrecy). Fix \(\varepsilon > 0\). A QES \((\tau _K, E, D)\) is \(\varepsilon \)-approximately secret (\(\varepsilon \)-ITS) if, for any \(\mathcal {H}_B\) and any \(\varrho _{AB}\), setting \(\sigma _{CBK}=E(\varrho _{AB}\otimes \tau _K)\) implies \(I(C:B)_\sigma \le \varepsilon .\)
Analogously to the exact case, unitary schemes satisfying approximate secrecy are equivalent to approximate one-designs (see the full version of this article [3]).
4.1 Approximate Non-malleability
Definition. We now define a natural approximate-case analogue of NM, i.e., Definition 3.4. Let us briefly recall the context. The malleability scenario is described by systems A, C, B and R (respectively, plaintext, ciphertext, side-information, and reference), an initial tripartite state \(\varrho _{ABR}\), and an attack channel \(\varLambda _{CB\rightarrow C\tilde{B}}\). Given this data, we have the effective channel \(\tilde{\varLambda }_{AB \rightarrow A\tilde{B}}\) defined in Eq. (3.1) and the “unavoidable attack” probability \(p_=(\varLambda , \varrho )\) defined in Eq. (3.2). The new definition now simply relaxes the requirement on the increase of the adversary’s mutual information.
Definition 4.2
(Approximate non-malleability). A QES \(\,(\tau _K,E, D)\) is \(\varepsilon \)-non-malleable (\(\varepsilon \)-NM) if for any state \(\varrho _{ABR}\) and any CPTP map \(\varLambda _{CB \rightarrow C\tilde{B}}\), we have
We record the approximate version of Proposition 3.5, i.e., non-malleability implies secrecy. The proof is a straightforward adaptation of the exact case.
Proposition 4.3
Let \((\tau _K,E, D)\) be an \(\varepsilon \)-NM QES. Then \((\tau _K,E, D)\) is \(2\varepsilon \)-ITS.
Non-malleability with Approximate Designs. Continuing as before, we now generalize the characterization theorems of non-malleability (Theorems 3.6 and 3.7) to the approximate case.
Theorem 4.4
Let \((\tau , E, D)\) be a QES with ciphertext dimension \(|C|=2^{m}\) and \(r>0\) a sufficiently large constant. Then the following holds:
1. If \((\tau , E, D)\) is \(2^{-r m}\)-\(\textsf {NM}\), then for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map \(\tilde{\varLambda }_{AB\rightarrow A\tilde{B}}\) is \(2^{-\varOmega (m)}\)-close (in diamond norm) to
$$\begin{aligned} \tilde{\varLambda }^{\mathrm {exact}}_{AB\rightarrow A\tilde{B}}=\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2\left\langle D_K(\tau )\right\rangle -\mathrm {id}\right) _A\otimes \varLambda ''_{B\rightarrow \tilde{B}}, \end{aligned}$$
with \(\varLambda '\), \(\varLambda ''\) as in Theorem 3.7.
2. Suppose that \(\log |R| = O(2^m)\), where R is the reference register in Definition 4.2. Then there exists a constant r, such that if every attack \(\varLambda _{CB\rightarrow C\tilde{B}}\) results in an effective map that is \(2^{-r m}\)-close to \(\tilde{\varLambda }^{\mathrm {exact}}\), then the scheme is \(2^{-\varOmega (m)}\)-NM.
This theorem is proven with explicit constants in Appendix B as Theorem B.3. The condition on R required for the second implication is necessary, as the relevant mutual information can at worst grow proportionally to the logarithm of the dimension, according to the Alicki-Fannes inequality. This is not a very strong requirement, as it should be relatively easy for the honest parties to put a bound on their total memory.
Next, we record the corollary which states that, for unitary schemes, approximate non-malleability is equivalent to encryption with an approximate 2-design. The proof proceeds as in the exact case, now starting from Theorem 4.4.
Theorem 4.5
Let \(\varPi = (\tau _K, E, D)\) be a unitary \(\textsf {QES}\) for n-qubit messages and \(f:\mathbb {N}\rightarrow \mathbb {N}\) a function that grows at most exponentially. Then there exists a constant \(r>0\) such that
1. If \(\{E_k\}\) is a \(\varOmega (2^{-rn})\)-approximate 2-design and \(\log |R|\le f(n)\), then \(\varPi \) is \(2^{-\varOmega (n)}\)-\(\textsf {NM}\).
2. If \(\varPi \) is \(\varOmega (2^{-rn})\)-\(\textsf {NM}\), then \(\{E_k\}_{k\in K}\) is a \(2^{-\varOmega (n)}\)-approximate 2-design.
Relationship to Approximate ABW. Recall that, in Sect. 3.2, we discussed the relationship between our notion of exact non-malleability and that of Ambainis et al. [6] (i.e., ABW-NM.) As we now briefly outline, our conclusions carry over to the approximate case without any significant changes.
As described in Eq. (3'') of [6], one first relaxes the notion of ABW-NM appropriately by requiring that the containment (3.15) in Definition 3.8 holds up to \(\varepsilon \) error in the diamond-norm distance. In the unitary case, both definitions are equivalent to approximate 2-designs (by the results of [6], and our Theorem 4.5). In the case of general schemes, the plaintext injection attack described in Example 3.10 again shows that approximate ABW-NM is insufficient, and that approximate \(\textsf {NM}\) is strictly stronger.
4.2 Authentication
Definitions. Our definitions of authentication will be faithful to the original versions in [16, 18], with one slight modification. When decryption rejects, our encryption schemes (Definition 3.1) output \(\bot \) in the plaintext space, rather than setting an auxiliary qubit to a “reject” state. These definitions are equivalent in the sense that one can always set an extra qubit to “reject” conditioned on the plaintext being \(\bot \) (or vice-versa). Nonetheless, as we will see below, this mild change has some interesting consequences.
We begin with the definition of Dupuis, Nielsen and Salvail [16], which demands that the effective average channel of the attacker ignores the plaintext.
Definition 4.6
(DNS Authentication [16]). A QES \((\tau _K, E, D)\) is called \(\varepsilon \)-DNS-authenticating if, for any CPTP map \(\varLambda _{CB\rightarrow CB'}\), there exist CP maps \(\varLambda ^\textsf {acc}_{B\rightarrow \tilde{B}}\) and \(\varLambda ^\textsf {rej}_{B\rightarrow \tilde{B}}\) such that \(\varLambda ^\textsf {acc}+ \varLambda ^\textsf {rej}\) is TP, and for all \(\varrho _{AB}\) we have
An alternative definition was recently given by Garg, Yuen and Zhandry [18]. It asks that, conditioned on acceptance, with high probability the effective channel is close to a channel which ignores the plaintext.
Definition 4.7
(GYZ Authentication [18]). A QES \((\tau _K, E, D)\) is called \(\varepsilon \)-GYZ-authenticating if, for any CPTP-map \(\varLambda _{CB\rightarrow CB'}\), there exists a CP-map \(\varLambda ^\textsf {acc}_{B\rightarrow \tilde{B}}\) such that for all \(\varrho _{AB}\)
Here \(\varPi _\textsf {acc}\) is the acceptance projector, i.e. projection onto \(\mathcal {H}_A\) in \(\mathcal {H}_A\oplus \mathbb {C}| \bot \rangle \).
A peculiar aspect of the original definition in [18] is that it does not specify the outcome in case of rejection, and is thus stated in terms of trace non-increasing maps. Of course, all realistic quantum maps must be CPTP; this means that the designer of the encryption scheme must still declare what to do with the contents of the plaintext register after decryption. Our notion of decryption makes one such choice (i.e., output \(\bot \)) which seems natural.
GYZ Authentication Implies DNS Authentication. A priori, the relationship between Definition 2.2 in [16] and Definition 8 in [18] is not completely clear. On one hand, the latter is stronger in the sense that it requires success with high probability (rather than simply on average). On the other hand, the former makes the additional demand that the ciphertext is untouched even if we reject. As we now show, GYZ-authentication in fact implies DNS-authentication.
Theorem 4.8
Let \((\tau , E,D)\) be \(\varepsilon \)-totally authenticating for sufficiently small \(\varepsilon \). Then it is \(O(\sqrt{\varepsilon })\)-DNS authenticating.
Proof
Let \(\varLambda _{CB\rightarrow C\tilde{B}}\) be a CPTP map and \(\varepsilon \le 62^{-2}\). By Definition 4.7 there exists a CP map \(\varLambda '_{B\rightarrow \tilde{B}}\) such that for all states \(\varrho _{AB}\),
Assume for simplicity that \(D=M_\bot \circ D\), where \(M_\bot \) measures the rejection symbol versus the rest (otherwise we can define a new decryption map that way). Define the CP maps
By Theorem 15 in [18] we have
which implies that
Note that
On the other hand, we also have that, by Eq. (4.4),
Combining Eqs. (4.6), (4.7) and (4.8), we get
Now observe that
for all CPTP maps \(\varXi _{A\rightarrow A}\). We define \(\varLambda '''_{B\rightarrow \tilde{B}}=\varLambda ^{(2)}(\tau _A\otimes (\cdot ))\) and calculate
by the triangle inequality for the diamond norm. Continuing with the calculation,
The first inequality above is Eq. (4.9). The first equality is just a rewriting of the definition of \(\varLambda '''\), and the second equality is Eq. (4.10). Finally, the last inequality is due to Eq. (4.9) and the fact that the diamond norm is submultiplicative.
We have almost proven security according to Definition 4.6, as we have shown \(\tilde{\varLambda }\) to be close in diamond norm to \(\mathrm {id}_A\otimes \varLambda '+\big \langle |\bot \rangle \langle \bot |\big \rangle \otimes \varLambda '''\). However, \(\varLambda '+\varLambda '''\) is only approximately TP; more precisely, we have that for all \(\varrho _{ABR}\),
by the triangle inequality. We therefore have to modify \(\varLambda ' + \varLambda '''\) so that it becomes TP, while keeping the structure required for DNS authentication. Let
$$\begin{aligned} M_B=(\varLambda '+\varLambda ''')^\dagger (\mathbbm {1}_{\tilde{B}}). \end{aligned}$$ (4.12)
Defining the CP map \(\mathcal {M}(X)=M^{-1/2}XM^{-1/2}\) and noting that it is well-behaved for small \(\varepsilon \), it follows from a straightforward calculation (see the full version [3] of this article for details) that
with \(\varLambda ^{\textsf {acc}}=\varLambda '\circ \mathcal M\) and \(\varLambda ^{\textsf {rej}}=\varLambda '''\circ \mathcal M\). \(\square \)
Achieving GYZ Authentication with Two-Designs. In [18], the authors provide a scheme for their notion of authentication based on unitary eight-designs. We now show that, in fact, an approximate 2-design suffices. This implies that the well-known Clifford scheme (see e.g. [11, 15]) satisfies the strong security of Definition 4.7. We remark that our proof is inspired by the reasoning based on Schur’s lemma used in results on decoupling [8, 9, 17, 24].
Theorem 4.9
Let \(\mathrm D=\left\{ U_k\right\} _k\) be a \(\delta \)-approximate unitary 2-design on \(\mathcal {H}_C\). Let \(\mathcal {H}_C=\mathcal {H}_{A}\otimes \mathcal {H}_T\) and define
Then the QES \((\tau _K, E, D)\) is \(4(1/|T| + 3\delta )^{1/3}\)-GYZ-authenticating.
Remark 4.10
The following proof uses the same simulator as the proof for the 8-design scheme in [18], called “oblivious adversary” there. The construction exhibited there is efficient given that the real adversary is efficient.
Proof
To improve readability, we will occasionally switch between adding subscripts to operators (indicating which spaces they act on) and omitting these subscripts. We begin by remarking that it is sufficient to prove the GYZ condition (specifically, Eq. 4.3) for pure input states and isometric adversary channels. Indeed, for a general state \(\varrho _{AB}\) and a general map \(\varLambda _{CB\rightarrow C\tilde{B}}\), we may let \(\varrho _{ABR}\) and \(V_{CB\rightarrow C\tilde{B}E}\) be the purification and Stinespring dilation, respectively. We then simply observe that the trace distance decreases under partial trace (see e.g. [25]). Let \(\varrho _{AB}\) be a pure input state and
an isometry. We define the corresponding “ideal” channel \(\varGamma _V\), and the corresponding “real, accept” channel \(\varPhi _k\), as follows:
Note that for any matrix M with \(\Vert M\Vert _\infty \le 1\), the map \(\varLambda _M(X)=M^\dagger XM\) is completely positive and trace non-increasing. We have
We start by bounding the expectation of \(\left\| (\left( \varGamma _V\right) _{B\rightarrow \tilde{B}}-\left( \varPhi _k\right) _{AB\rightarrow A\tilde{B}})| \varrho \rangle _{AB}\right\| _2^2\), as follows. To simplify notation, we set \(\sigma _{ABT} := |\varrho \rangle \langle \varrho |_{AB}\otimes |0\rangle \langle 0|_T\) to be the tagged state corresponding to plaintext (and side information) \(\varrho _{AB}\).
First we bound the second term, using the fact that \(\varGamma _V\) only acts on B.
In the above, the operator \(\varDelta \) is the “error” operator in the \(\delta \)-approximate 2-design. The second equality above follows from \(\Vert \varDelta \Vert _1 \le \delta \) and the fact that a 2-design is also a 1-design; the inequality follows by Hölder’s inequality, and the last step follows from Schur’s lemma.
The first term of the RHS of Eq. (4.16) can be simplified as follows. We will begin by applying the swap trick (Lemma 2.1) \(\mathrm {Tr}[XY]=\mathrm {Tr}[F X\otimes Y]\) in the second line below. The swap trick is applied to register \(CC'\), with the operators X and Y defined as indicated below.
The inequality above follows the same way as in Eq. 4.17. Let \(d=|C|\).
An easy representation-theoretic calculation (see the full version [3] for details) shows that
where we have set
Plugging (4.19) into (4.18) and using Lemma 2.1 again, we get
Now recall that \(d=|A||T|\). Using the fact that \((a-1)/(b-1)\le a/b\) for \(b \ge a\), we can give a bound as follows.
Putting everything together, we arrive at
By Markov’s inequality this implies
which is equivalent to
where the probability is taken over the uniform distribution on \(\mathrm {D}\). Choosing \(\alpha =(1/|T|+3\delta )^{-1/3}\) this yields
Let \(S\subset \mathrm D\) be such that \(|S|/|\mathrm D|\ge 1-(1/|T|+3\delta )^{1/3}\) and \(\left\| (\varGamma _V-\varPhi _k)| \varrho \rangle \right\| _2\le (1/|T|+3\delta )^{1/3}\) for all \(U_k\in S\). Using the easy-to-verify inequality \(\Vert |\psi \rangle \langle \psi |-|\phi \rangle \langle \phi |\Vert _1\le 2\Vert | \psi \rangle -| \phi \rangle \Vert _2\), we can bound
This completes the proof for pure states and isometric adversary channels. As noted above, the general case follows. \(\square \)
As an example, one may set \(|T|=2^{s}\) (i.e. s tag qubits) and take an approximate unitary 2-design of accuracy \(2^{-s}\). The resulting scheme would then be \(\varOmega (2^{-s/3})\)-GYZ-authenticating.
A straightforward corollary of the above result is that, in the case of unitary schemes, adding tags to non-malleable schemes results in GYZ authentication. We leave open the question of whether this is the case for general (not necessarily unitary) schemes.
Corollary 4.11
Let \((\tau , E, D)\) be a \(2^{-rn}\)-non-malleable unitary QES with plaintext space A. Define a new scheme \((\tau , E', D')\) with plaintext space \(A'\) where \(A = TA'\) and
Then there is a constant \(r>0\) such that \((\tau , E', D')\) is \(2^{-\varOmega (n)}\)-GYZ-authenticating if \(|T|=2^{\varOmega (n)}\).
The proof is a direct application of Theorem 4.5 (approximate non-malleability is equivalent to approximate 2-design) and Theorem 4.9 (approximate 2-designs suffice for GYZ authentication.) We emphasize that, by Remark 2.3, exponential accuracy requirements can be met with polynomial-size circuits.
DNS Authentication from Non-malleability. We end with a theorem concerning the case of general (i.e., not necessarily unitary) schemes. We show that adding tags to a non-malleable scheme results in a DNS-authenticating scheme. In this proof we will denote the output system of the decryption map by \(\overline{A}\) to emphasize that it is A enlarged by the reject symbol.
Theorem 4.12
Let r be a sufficiently large constant, let \((\tau , E, D)\) be a \(2^{-rn}\)-NM QES with n-qubit plaintext space A, and choose an integer d dividing |A|. Then there exists a decomposition \(A=TA'\) and a state \(| \psi \rangle _T\) such that \(|T| = d\) and the scheme \((\tau , E', D')\) defined by
is \((4/|T|)+2^{-\varOmega (n)}\)-DNS-authenticating.
Proof
We prove the statement for \(\varepsilon =0\) for simplicity; the general case follows easily by employing Theorem 4.4 instead of Theorem 3.7.
By Theorem 3.7, for any attack map \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map is equal to
for CP maps \(\varLambda '\) and \(\varLambda ''\) whose sum is TP. The effective map under the tagged scheme is therefore
with \(\beta = \mathrm {Tr}\left[ (\mathbbm {1}-\psi )_TD_K(\tau _C)\right] \). We would like to say that, unless the output is the reject symbol, the effective map on A is the identity. We do not know, however, what \(D_K(\tau _C)\) looks like. Therefore we apply a standard reasoning that if a quantity is small in expectation, then there exists at least one small instance. We calculate the expectation of \(\mathrm {Tr}\langle \psi |_TD_K(\tau _C)| \psi \rangle _T\) when the decomposition \(A=TA'\) is drawn at random according to the Haar measure,
Hence there exists at least one decomposition \(A=TA'\) and a state \(| \psi \rangle _T\) such that \(\hat{\gamma }:=\mathrm {Tr}\langle \psi |_TD_K(\tau _C)| \psi \rangle _T\le 1/|T|\). Define \(\gamma =\max (\hat{\gamma }, |C|^{-2})\). For the resulting primed scheme, let
We calculate the diamond norm difference between the real effective map and the ideal effective map,
as desired. \(\square \)
References
[1] Aaronson, S., Gottesman, D.: Improved simulation of stabilizer circuits. Phys. Rev. A 70, 052328 (2004). doi:10.1103/PhysRevA.70.052328
[2] Aharonov, D., Ben-Or, M., Eban, E.: Interactive proofs for quantum computations. In: Innovations in Computer Science - ICS 2010, Proceedings, Tsinghua University, Beijing, China, 5–7 January 2010, pp. 453–469 (2010)
[3] Alagic, G., Majenz, C.: Quantum non-malleability and authentication. CoRR, abs/1610.04214 (2016). http://arxiv.org/abs/1610.04214
[4] Alicki, R., Fannes, M.: Continuity of quantum conditional information. J. Phys. A: Math. Gen. 37(5), L55 (2004)
[5] Ambainis, A., Mosca, M., Tapp, A., De Wolf, R.: Private quantum channels. In: Proceedings of the FOCS 2000, pp. 547–553 (2000)
[6] Ambainis, A., Bouda, J., Winter, A.: Nonmalleable encryption of quantum information. J. Math. Phys. 50(4), 042106 (2009)
[7] Barnum, H., Crépeau, C., Gottesman, D., Smith, A., Tapp, A.: Authentication of quantum messages. In: The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002, Proceedings, pp. 449–458. IEEE (2002)
[8] Berta, M., Christandl, M., Renner, R.: The quantum reverse Shannon theorem based on one-shot information theory. Commun. Math. Phys. 306(3), 579–615 (2011)
[9] Berta, M., Brandao, F.G.S.L., Majenz, C., Wilde, M.M.: Deconstruction and conditional erasure of quantum correlations. arXiv preprint arXiv:1609.06994 (2016)
[10] Brandao, F.G.S.L., Harrow, A.W., Horodecki, M.: Local random quantum circuits are approximate polynomial-designs. arXiv preprint arXiv:1208.0692 (2012)
[11] Broadbent, A., Wainewright, E.: Efficient simulation for quantum message authentication. arXiv preprint arXiv:1607.03075 (2016)
[12] Choi, M.-D.: Completely positive linear maps on complex matrices. Linear Algebra Appl. 10(3), 285–290 (1975)
[13] Cleve, R., Leung, D., Liu, L., Wang, C.: Near-linear constructions of exact unitary 2-designs. Quantum Inf. Comput. 16(9&10), 0721–0756 (2016)
[14] Dankert, C., Cleve, R., Emerson, J., Livine, E.: Exact and approximate unitary 2-designs and their application to fidelity estimation. Phys. Rev. A 80(1), 012304 (2009)
[15] Dupuis, F., Nielsen, J.B., Salvail, L.: Secure two-party quantum evaluation of unitaries against specious adversaries. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 685–706. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_37
[16] Dupuis, F., Nielsen, J.B., Salvail, L.: Actively secure two-party evaluation of any quantum operation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 794–811. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_46
[17] Dupuis, F., Berta, M., Wullschleger, J., Renner, R.: One-shot decoupling. Commun. Math. Phys. 328(1), 251–284 (2014)
[18] Garg, S., Yuen, H., Zhandry, M.: New security notions and feasibility results for authentication of quantum data. arXiv preprint arXiv:1607.07759 (2016)
[19] Jamiołkowski, A.: Linear transformations which preserve trace and positive semidefiniteness of operators. Rep. Math. Phys. 3(4), 275–278 (1972)
[20] Kawachi, A., Portmann, C., Tanaka, K.: Characterization of the relations between information-theoretic non-malleability, secrecy, and authenticity. In: Fehr, S. (ed.) ICITS 2011. LNCS, vol. 6673, pp. 6–24. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20728-0_2
[21] Lieb, E.H., Ruskai, M.B.: A fundamental property of quantum-mechanical entropy. Phys. Rev. Lett. 30(10), 434 (1973a)
[22] Lieb, E.H., Ruskai, M.B.: Proof of the strong subadditivity of quantum-mechanical entropy. J. Math. Phys. 14(12), 1938–1941 (1973b)
[23] Low, R.A.: Pseudo-randomness and learning in quantum computation. arXiv preprint arXiv:1006.5227 (2010)
[24] Majenz, C., Berta, M., Dupuis, F., Renner, R., Christandl, M.: Catalytic decoupling of quantum information. arXiv preprint arXiv:1605.00514 (2016)
[25] Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, New York (2010)
[26] Portmann, C.: Quantum authentication with key recycling. ArXiv e-prints, October 2016
[27] Stinespring, W.F.: Positive functions on C*-algebras. Proc. Am. Math. Soc. 6(2), 211–216 (1955)
Acknowledgments
The authors would like to thank Anne Broadbent, Alexander Müller-Hermes, Frédéric Dupuis and Christopher Portmann for helpful discussions. G.A. and C.M. acknowledge financial support from the European Research Council (ERC Grant Agreement 337603), the Danish Council for Independent Research (Sapere Aude) and VILLUM FONDEN via the QMATH Centre of Excellence (Grant 10059).
Appendices
A Technical lemmas
In the following we state some technical lemmas that we need in this article. The proofs can be found in the full version [3].
Lemma A.1
Let \(X_{A\rightarrow B}\in L(\mathcal {H}_A,\mathcal {H}_B)\) be a linear operator from A to B. Then
The next group of lemmas is concerned with entropic quantities.
Lemma A.2
Let \(\varLambda _{A\rightarrow A'}^{(i)}\), \(i=1,\ldots,k\), be CPTP maps and \(\varLambda _{B\rightarrow B'}^{(i)}\), \(i=1,\ldots,k\), CP maps such that \(\sum _i\varLambda _{B\rightarrow B'}^{(i)}\) is trace preserving. Let \(\varLambda ^{(i)}_{AB\rightarrow A'B'}=\varLambda _{A\rightarrow A'}^{(i)}\otimes \varLambda _{B\rightarrow B'}^{(i)}\) and define the CPTP maps
Then
for any quantum state \(\varrho _{AB}\).
The final lemma characterizes CPTP maps that are invertible on their image such that the inverse is CPTP as well.
Lemma A.3
Let \((\tau _K,E, D)\) be a QES. Then the encryption maps have the structure
and the decryption maps hence must have the form
for some quantum states \(\sigma ^{(k)}_{\hat{C}}\), isometries \((V_k)_{C\rightarrow A\hat{C}}\), and some CPTP map \(\hat{D}_k\). Here, \(\varPi ^{\mathrm {valid}}_k=\left( V_k\right) _{A\hat{C}\rightarrow C}\varPi _{\mathrm {supp}\sigma ^{k}}\left( V_k\right) _{A\hat{C}\rightarrow C}^\dagger \) is the projector onto the space of valid ciphertexts.
B Proof of characterization theorem
This section is dedicated to proving the characterization theorem for non-malleable QES, i.e., Theorem 4.4. We begin with two preparatory lemmas.
Lemma B.1
For any \(\textsf {QES}\) \((\tau , E,D)\) the map \(\mathcal {E}:=|K|^{-1}\sum _{k}D_k\otimes E_{k}^T\) satisfies
This lemma is a consequence of the correctness condition and is proven in the full version [3] of this article.
Lemma B.2
Suppose \((\tau _K,E, D)\) satisfies Definition 4.2 for trivial B. Then \(\mathcal {E}:=|K|^{-1}\sum _{k}D_k\otimes E_{k}^T\) satisfies
Proof
It follows directly from the fact that \((\tau _K,E, D)\) is a QES together with Lemma A.1 that
Let \(\varLambda ^{(i)}_{C\rightarrow C\tilde{B}_1}\), \(i=0,1\) be two attack maps such that \(\eta _{\varLambda ^{(i)}}| \phi ^+ \rangle =0\) for \(i=0,1\) and define
The \(\varepsilon \)-\(\textsf {NM}\) property implies
and therefore, using Pinsker’s inequality,
Observe that
Setting \(\left( \eta _{\varLambda ^{(0)}}\right) _{CC'\tilde{B}_1}=\tau ^-_{CC'}\otimes \left( \eta _{\varLambda ^{(1)}}\right) _{\tilde{B}_1} \), we get
and therefore
for all \(\varLambda ^{(1)}\). For any state \(\varrho _{CC'\tilde{B}_1}\) with \(\varrho _{CC'\tilde{B}}| \phi ^+ \rangle _{CC'}=0\), we define the state
Here, V is a unitary such that \(\mathrm {Tr}(\mathbbm {1}_C-\varrho _C)V_C^T=0\). It is easy to see that such a unitary always exists; its existence is equivalent to the fact that any |C|-tuple of real numbers is the ordered list of side lengths of a polygon in the complex plane. Note that \(\varrho '_{CC'\tilde{B}_1\tilde{B}_2}| \phi ^+ \rangle _{CC'}=0\), and \(\varrho '_{C'}=\tau _{C'}\). Together with the triangle inequality, Eq. (B.6) therefore implies that
i.e. in particular
As \(\varrho \) was arbitrary we have proven that
The only fact left to show is that is small for all normalized \(| v \rangle \) such that \(\left\langle \phi ^+ \mid v \right\rangle =0\). To this end, observe that \(\mathrm {Tr}_{A}\circ \mathcal E(\sigma _C\otimes (\cdot )_{C'})=E_K^T\) for all quantum states \(\sigma _C\). Let \(\varrho _C\) be any quantum state that does not have full rank; note that such states span all of \(\mathcal B(\mathcal {H}_C)\), and for Hermitian operators there exists a decomposition into such operators that saturates the triangle inequality. Taking a quantum state \(\sigma _C\) such that \(\langle \phi ^+ |\varrho \otimes \sigma | \phi ^+ \rangle =\frac{1}{|C|}\mathrm {Tr}\varrho _C\sigma _C^T=0\) (the first equality is the mirror of Lemma A.1), we have
according to what we have already proven. Using inequality (B.8) we arrive at
For Hermitian matrices X and therefore
For arbitrary X. We can write \(| v \rangle _{CC'}=X_C| \phi ^+ \rangle _{CC'}\) for some traceless matrix \(X_C\). Now we calculate
The first equation is Lemma B.1, the second and third equations are easily verified, the first inequality is a standard norm inequality, the second inequality is Eq. (B.10), and the last inequality follows from the normalization of \(| v \rangle \). By the Schmidt decomposition, we get a stabilized version of this inequality,
for all \(| \alpha \rangle _{\tilde{B}_1}\) and all \(| v \rangle _{CC'\tilde{B}}\) such that \(\left\langle \phi ^+ \mid v \right\rangle =0\). Combining everything we arrive at
\(\square \)
We are now ready to prove the characterization theorem, Theorem 4.4, in the \(\varepsilon \)-approximate setting (including the exact case, Theorem 3.7, by setting \(\varepsilon =0\)).
Theorem B.3
(Precise version of Theorem 4.4). Let \(\varPi =(\tau , E,D)\) be a QES.
1. If \(\varPi \) is \(\varepsilon \)-NM, then any attack map \(\varLambda _{CB\rightarrow C\tilde{B}}\) results in an effective map \(\tilde{\varLambda }_{AB \rightarrow A{\tilde{B}}}\) fulfilling
(B.14)
where
$$\begin{aligned} \tilde{\varLambda }^{\mathrm {exact}}_{AB\rightarrow A\tilde{B}}=\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2\left\langle D_K(\tau )\right\rangle -\mathrm {id}\right) _A\otimes \varLambda ''_{B\rightarrow \tilde{B}}, \end{aligned}$$
with \(\varLambda ' =\mathrm {Tr}_{CC'}[\phi ^+_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))]\) and \(\varLambda '' =\mathrm {Tr}_{CC'}[\varPi ^-_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))].\)
2. Conversely, if for a scheme all effective maps fulfill Eq. (B.14) with the right hand side replaced by \(\varepsilon \), then it is \(5\varepsilon (\log (|A|)+r)+3h(\varepsilon )\)-NM, where r is a bound on the size of the honest user’s side information.
Proof
We start with 1. We want to bound the diamond norm distance between the effective map \(\tilde{\varLambda }\) resulting from an attack \(\varLambda \) and the idealized effective map \(\tilde{\varLambda }^{\mathrm {exact}}\). Let
be an arbitrary pure state given in its Schmidt decomposition across the bipartition \(AA'\) vs. \(BB'\). We can write \(| \alpha _i \rangle _{AA'}=X^{(i)}_{A'}| \phi ^+ \rangle \) for some matrices \(X^{(i)}\) satisfying \(\Vert X^{(i)}\Vert _\infty \le |A|\). We calculate the action of \(\tilde{\varLambda }\) on ,
In a similar way we get
Using Lemma B.2 we bound
The inequalities result from applying Hölder’s inequality twice, and Lemma B.2, respectively. Using the triangle inequality we get
As \(| \psi \rangle \) was arbitrary, we have proven
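The two facts about the maximally entangled state used in this proof and in the proof of Lemma B.2, namely that every vector on \(AA'\) can be written as \(X_{A'}| \phi ^+ \rangle \) with a bounded operator norm, and that \(\langle \phi ^+ |\varrho \otimes \sigma | \phi ^+ \rangle =\frac{1}{|C|}\mathrm {Tr}\varrho \sigma ^T\), follow from a short calculation in the computational basis. The derivation below is an added worked example and is not part of the original paper; it assumes the normalization \(| \phi ^+ \rangle _{AA'}=|A|^{-1/2}\sum _j| j \rangle _A| j \rangle _{A'}\), which is the normalization consistent with the factor \(1/|C|\) appearing above.

Write an arbitrary vector as \(| \alpha \rangle _{AA'}=\sum _{j,k}\alpha _{jk}| j \rangle _A| k \rangle _{A'}\) and define \(X_{A'}:=|A|^{1/2}\sum _{j,k}\alpha _{jk}| k \rangle \langle j |\). Then
$$\begin{aligned} (\mathbbm {1}_A\otimes X_{A'})| \phi ^+ \rangle &=|A|^{-1/2}\sum _{j'}| j' \rangle _A\otimes |A|^{1/2}\sum _{j,k}\alpha _{jk}| k \rangle \langle j \mid j' \rangle \\ &=\sum _{j,k}\alpha _{jk}| j \rangle _A| k \rangle _{A'}=| \alpha \rangle _{AA'}, \end{aligned}$$
and for a normalized \(| \alpha \rangle \) the operator norm is controlled by the Hilbert–Schmidt norm,
$$\begin{aligned} \Vert X\Vert _\infty \le \Vert X\Vert _2=|A|^{1/2}\Big (\sum _{j,k}|\alpha _{jk}|^2\Big )^{1/2}=|A|^{1/2}\le |A|, \end{aligned}$$
so the bound \(\Vert X^{(i)}\Vert _\infty \le |A|\) stated in the proof holds (with room to spare). The same computation gives the "mirror" identity \((M_A\otimes \mathbbm {1}_{A'})| \phi ^+ \rangle =(\mathbbm {1}_A\otimes M^T_{A'})| \phi ^+ \rangle \), since both sides equal \(|A|^{-1/2}\sum _{j,k}M_{kj}| k \rangle | j \rangle \) on one side and \(|A|^{-1/2}\sum _{j,k}(M^T)_{jk}| k \rangle | j \rangle \) on the other, with \((M^T)_{jk}=M_{kj}\). Finally, for operators \(\varrho ,\sigma \) on C,
$$\begin{aligned} \langle \phi ^+ |\varrho \otimes \sigma | \phi ^+ \rangle =\frac{1}{|C|}\sum _{j,j'}\langle j |\varrho | j' \rangle \langle j |\sigma | j' \rangle =\frac{1}{|C|}\sum _{j,j'}\varrho _{jj'}(\sigma ^T)_{j'j}=\frac{1}{|C|}\mathrm {Tr}\,\varrho \sigma ^T, \end{aligned}$$
which is the identity invoked when choosing \(\sigma _C\) with \(\mathrm {Tr}\varrho _C\sigma _C^T=0\): for a state \(\varrho _C\) without full rank such a \(\sigma _C\) exists, e.g. any state supported on the kernel of \(\varrho _C^T\).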
Now let us prove 2. Let \(\varLambda _{CB\rightarrow C\tilde{B}}\) again be an arbitrary attack map, and assume that the resulting effective map is \(\varepsilon \)-close to \(\tilde{\varLambda }^{\mathrm {exact}}_{AB\rightarrow A\tilde{B}}\). Observe that \(p^{=}(\varLambda ,\varrho )=\mathrm {Tr}\varLambda '(\varrho _B)\).
By the Alicki-Fannes inequality [4] and Lemma A.2, this implies
with the help of Lemma A.2. \(\square \)
Copyright information
© 2017 International Association for Cryptologic Research
Alagic, G., Majenz, C. (2017). Quantum Non-malleability and Authentication. In: Katz, J., Shacham, H. (eds) Advances in Cryptology – CRYPTO 2017. Lecture Notes in Computer Science, vol 10402. Springer, Cham. https://doi.org/10.1007/978-3-319-63715-0_11
DOI: https://doi.org/10.1007/978-3-319-63715-0_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-63714-3
Online ISBN: 978-3-319-63715-0