7. one-time quantum pad and Quantum Vernam cipher (Slides)

© Claude Crépeau 2002-2009 2|Will you marry me ?〉|Divorce your wife first !〉|The papers are in the mail...〉|OK, I will !〉

© Claude Crépeau 2002-2009 3(3.1.2Q) One-time Q-pad8RdewtU5qkLa$es!T9@»I(D%eXhDqIiykl#2cV7dEwnMs»H&fs@tyHvFGhaOKpTrGbl.Z/rUih*B7B3tdsjUila

© Claude Crépeau 2002-2009 4symmetric encryptionof Quantum messagesencryption|P〉|K〉CdecryptionInformation Theoretical Security

© Claude Crépeau 2002-2009 5(3.1.2C) Vernam Q-cipher|8ΡδεωτΥ5θκΛα∃εσ!Τ9≅〉»|Ι(∆%εΞη∆θΙιψκλ#2χς7δΕωνΜσ〉»|Η&φσ≅τψϖΦηαΟΚπΤρΓβλ.Ζ/ρΥιη∗〉|Β7Β3τδσϕΥιλα〉

© Claude Crépeau 2002-2009 6symmetric encryptionof Quantum messagesencryption|P〉K|C〉decryptionInformation Theoretical Security

© Claude Crépeau 2002-2009 11|ψ〉Hx|0〉Hy|0〉|ψ〉|0〉|0〉H|ψ〉(|0〉+|1〉)|0〉|ψ〉(|0〉|0〉+|1〉|1〉)(α|0〉+β|1〉)(|00〉+|11〉)α|0〉|00〉+α|0〉|11〉+β|1〉|00〉+β|1〉|11〉α|0〉|00〉+α|0〉|11〉+β|1〉|10〉+β|1〉|01〉Hα(|0〉+|1〉)|00〉+α(|0〉+|1〉)|11〉+β(|0〉−|1〉)|10〉+β(|0〉−|1〉)|01〉|00〉(α|0〉+β|1〉)+|01〉(α|1〉+β|0〉)+|10〉(α|0〉−β|1〉)+|11〉(α|1〉−β|0〉)|xy〉(α|y〉+(−1) x β|¬y〉)

© Claude Crépeau 2002-2009 12H(3.1.2Q)One-time Q-padH»a b⎛σ = 0 1 ⎞ ⎛x ⎜ ⎟,σ = 1 0 ⎞⎝1 0⎠z ⎜ ⎟⎝0 −1⎠HH1⁄4 : |Ψ〉1⁄4 : σ x|Ψ〉1⁄4 : σ z|Ψ〉1⁄4 : σ xσ z|Ψ〉ab

© Claude Crépeau 2002-2009 13(3.1.2Q) One-time Q-pad»Quantum key : one-time Q-padClassical Ciphertexta btwo random bits|Ψ〉»»

© Claude Crépeau 2002-2009 14(3.1.2) One-time pad»Classical key : Vernam Q-cipher (various sources)Quantum Ciphertext»Quantum key : one-time Q-pad (BBCJPW)Classical Ciphertext

© Claude Crépeau 2002-2009 15symmetric encryptionof Quantum messagesencryption|P〉K|C〉decryptionInformation Theoretical Security

© Claude Crépeau 2002-2009 16(3.1.2C) Vernam Q-cipher»Classical key : Vernam Q-cipherQuantum CiphertextQuantum key : one-time Q-padClassical Ciphertext|Ψ'〉|Ψ〉»a,b random bit keyρ1⁄4 : |Ψ〉1⁄4 : σ x|Ψ〉1⁄4 : σ z|Ψ〉1⁄4 : σ xσ z|Ψ〉»a,b random bit key|Ψ'〉=(σx) a (σz) b |Ψ〉|Ψ〉=(σz) b (σx) a |Ψ'〉⎛σ = 0 1 ⎞ ⎛x ⎜ ⎟,σ = 1 0 ⎞⎝1 0⎠z ⎜ ⎟⎝0 −1⎠

© Claude Crépeau 2002-2009 17{1/4: (α|0〉+β|1〉)ρ= 1/4: (α|1〉+β|0〉)1/4: (α|0〉−β|1〉)1/4: (α|1〉−β|0〉)4ρ=(α|0〉+β|1〉)(α ∗ 〈0|+β ∗ 〈1|)+(α|1〉+β|0〉)(α ∗ 〈1|+β ∗ 〈0|)+(α|0〉−β|1〉)(α ∗ 〈0|−β ∗ 〈1|)+(α|1〉−β|0〉)(α ∗ 〈1|−β ∗ 〈0|)=(2|α| 2 +2|β| 2 )|0〉〈0|+(αβ ∗ +βα ∗ −αβ ∗ −βα ∗ )|0〉〈1|+(βα ∗ +αβ ∗ −βα ∗ −αβ ∗ )|1〉〈0|+(2|β| 2 +2|α| 2 )|1〉〈1|=2|0〉〈0|+2|1〉〈1|ρ=( 1 0 /2 1 0 /2 )=Ι/2

© Claude Crépeau 2002-2009 18Theorems[AMTW00] showeda QES (with error probability 0)—> 2n bits to encrypt n qubits

© Claude Crépeau 2002-2009 19One-time Q-encryptionwith error εCompleteness:|ψ〉k∈KED|ψ〉Secrecy:|ψ〉k∈ K REρD|ψ〉∀|ψ 0〉,|ψ 1〉D(ρ 0,ρ 1)=Tr(|ρ 0−ρ 1|)

© Claude Crépeau 2002-2009 20Theorems[AMTW00] showeda QES (with error probability 0)—> 2n bits to encrypt n qubitsa QES with error probability ε>0—> (2-poly(ε))n bitsto encrypt n qubits.

© Claude Crépeau 2002-2009 21Theoremsa CES (with error probability 0)—> n bits to encrypt n bitsa CES with error probability ε>0—> (1−poly(ε))n bitsto encrypt n bits.

© Claude Crépeau 2002-2009 22Theorems[AMTW00] showeda QES (with error probability 0)—> 2n bits to encrypt n qubitsa QES with error probability ε>0—> (2-poly(ε))n bitsto encrypt n Eve-entangled qubits[HLSW03] showeda QES with error probability ε>0—> n+o(n) bitsto encrypt n Eve-separated qubits.

© Claude Crépeau 2002-2009 23Small Pseudo-Random Families of Matrices:Derandomizing Approximate Quantum EncryptionAndris AmbainisAdam Smith

© Claude Crépeau 2002-2009 24Small-Bias Spaces The bias of a random variable in with respect to a stringdot product on :is the distance from uniform of the bit , where refers to the standardThe functionis the Fourier transform of the probability mass function of the distribution,taken over the group .The bias of a set with respect to is simply the bias of the uniformdistribution over that set. A setis called -biased if the absolute value of its bias is atmost for all .

© Claude Crépeau 2002-2009 25Small-bias sets of size polynomial in and were first constructed by Naor andNaor [10]. Alon, Bruck et al. (ABNNR , [1]) gave explicit (i.e. deterministic, polynomialtime)constructions of -biased sets in with size . Constructions withsizewere provided by Alon, Goldreich, et al. ( AGHP , [2]). The AGHP constructionis better when . In both cases, the string in a set can be constructedin roughly time (regardless of ).One can sample a random point from a -biased space over using eitherbits of randomness (using ABNNR) or usingbits (using AGHP ).

© Claude Crépeau 2002-2009 263 State Randomization and Approximate Encryption3.1 Encrypting with a Small-Bias SpaceThe ideal quantum one-time pad applies a random Pauli matrix to the input [3]. Considerinstead a scheme which first chooses a-bit string from some set with small bias(we will set later to be ). If the set of strings is we have:That is, we choose the key from the set , which consists of -bit strings. To encrypt,we view a -bit string as the concatenation of two strings of bits, and applythe corresponding Pauli matrix.Using the constructions of AGHP [2] for small-bias spaces, we get a polynomial-timescheme that usesbits of key.

© Claude Crépeau 2002-2009 27Fact 1. If is -dimensional quantum state and Tr , then .Main Theorem.TrTr

© Claude Crépeau 2002-2009 28

© Claude Crépeau 2002-2009 29