Quantum entropic security and approximate quantum encryption

Simon Pierre Desrosiers and Frédéric Dupuis

arXiv:0707.0691v1 [quant-ph] 5 Jul 2007

School of Computer Science, McGill University, Montréal, Québec, [email protected]

Département d'informatique et de recherche opérationnelle, Université de Montréal, Montréal, Québec, [email protected]

October 17, 2007

Abstract We present full generalisations of entropic security and entropic indistinguishability to the quantum world where no assumption but a limit on the knowledge of the adversary is made. This limit is quantified using the quantum conditional min-entropy as introduced by Renato Renner. A proof of the equivalence between the two security definitions is presented. We also provide proofs of security for two different cyphers in this model and a proof for a lower bound on the key length required by any such cypher. These cyphers generalise existing schemes for approximate quantum encryption to the entropic security model.

1 Introduction

Semantic security, whether it is computational, as introduced in [1], information theoretic in a classical setting, as introduced in [2] and [3], or information theoretic in a limited quantum setting, as introduced in [4], compares the capabilities of two adversaries: one (A) that has access to an encrypted version of the message, and one (A′) that does not. Their abilities to predict a function of the initial message are compared. Of course A′ seems to be at a tremendous disadvantage: it has access to nothing but the prior distribution of the plaintext, whereas A has access to an encrypted version of the plaintext and could potentially use imperfections in the encryption scheme to gain an advantage. However, this can become a way to bound these imperfections: an encryption scheme is considered semantically secure if, for every adversary A, there exists an A′ that can predict every function of the plaintext almost as well as A without even having access to the encrypted message. This is a very strong security criterion, especially in the information theoretic setting. Perhaps surprisingly, it is possible to construct semantically secure encryption schemes which, depending on their setting, make very few assumptions on A. In the computational setting, Goldwasser and Micali [1] had as a constraint that both A and A′ were probabilistic polynomial-time machines. In their setting, they could construct encryption schemes which, on all message distributions, would render A as useless as A′. In the information theoretic setting, introduced by Russell and Wang [2] and expanded upon by Dodis and Smith [3], no computing limits are imposed on A or A′. In order to achieve a significant key size reduction, a limit on the prior knowledge of A about the plaintext space is assumed. In fact, a lower bound on the min-entropy of the message space is assumed: the most probable message is not too probable. For this reason, this concept is called entropic security in the context of information-theoretic security. In the quantum information theoretic setting, as introduced by Desrosiers [4], the exact same restriction on the min-entropy is imposed on A, except that this time messages are quantum states, and we impose the further condition that the adversary A must not be entangled with the sender's message. If these two restrictions are satisfied, one can construct encryption schemes for the quantum setting which have exactly the same key size as in the classical setting.

In this article we remove one of those two restrictions. Of course, the limit on the min-entropy of the adversary on the message space cannot be removed; it is the essence of entropic security. However, it has to be modified in order to get a robust definition of security in the presence of entanglement between the sender and the adversary A. The notion of quantum conditional min-entropy introduced by Renato Renner in [5] will be used to bound the prior "knowledge" of the adversary. This new notion of min-entropy allows us to remove the no-entanglement restriction. An intuitive reason for this is that the conditional min-entropy of the adversary on an n-qubit system held by the sender ranges between −n and n. Since in previous works the key size needed was $n - t + \log(1/\varepsilon)$, where t is the min-entropy bound and ε is a security parameter, the key size needed for a fully entangled state jumps to $2n + \log(1/\varepsilon)$, which is in total accordance with the standard result of [6]. Note that this generalises the existing literature on approximate quantum encryption.
In [7], Hayden, Leung, Shor and Winter considered the task of approximately encrypting quantum states assuming no entanglement between the message and the eavesdropper's system. While 2n bits of key are needed to perfectly encrypt an n-qubit quantum message, they showed, using a randomised argument, the existence of a scheme requiring only $n + \log n + 2\log(1/\varepsilon) + O(1)$ bits of key. Ambainis and Smith [8] then gave two explicit constructions of an approximate quantum encryption scheme under the same assumption, requiring $n + 2\log n + 2\log(1/\varepsilon)$ and $n + 2\log(1/\varepsilon)$ bits of key respectively. Here we recover and generalise these results, and the no-entanglement restriction becomes a lower bound of 0 on the conditional min-entropy. More recently, Fehr and Schaffner [9] gave a classical encryption scheme which is entropically secure against an adversary that has access to quantum information about the classical message. Our work also generalises this result: when our encryption schemes are applied to a classical message, the resulting cyphertext remains classical, and the proof of security still works against quantum adversaries. We introduce our model and definitions in Section 3 and show in Section 4 that the two security definitions we give are equivalent. We also prove, in Section 5, that two encryption schemes introduced by Ambainis and Smith [8] and by Dodis and Smith [3] (and generalised to the quantum world by Desrosiers) are still secure under this new definition and in fact require exactly the same amount of key as in the limited quantum model of Desrosiers. Finally, in Section 6, we generalise a proof of Dodis and Smith to show that any entropic scheme that can encrypt an n-qubit state having a conditional min-entropy of at least t requires at least n − t − 1 bits of uniform key.

2 Notation and preliminaries

A quantum state ρ is axiomatically defined as a non-negative complex operator of trace equal to 1 over some Hilbert space $\mathcal{H}$. By the spectral decomposition theorem, $\rho = \sum_i \gamma_i |r_i\rangle\langle r_i|$, where the $|r_i\rangle$ form a basis for the space in which the quantum state lives and the $\gamma_i$ are non-negative real numbers that sum to one. This can be interpreted as saying that ρ is a source that will output with probability $\gamma_i$ the state $|r_i\rangle$ if it is measured in the basis $\{|r_i\rangle\}$.¹ If we take two quantum states $\sigma^A$ and $\tau^B$ and want to describe them as a single system, the result is a state $\rho^{AB} \in \mathcal{H}_A \otimes \mathcal{H}_B$ which is equal to $\sigma^A \otimes \tau^B$. Note that for most states $\rho^{AB}$, one cannot factor them into two sub-systems such that $\rho^{AB} = \sigma^A \otimes \tau^B$, or even express $\rho^{AB}$ as a convex sum of such tensor products. The partial trace is a kind of inverse to the tensor product operation. For any bipartite state $\rho^{AB}$, we have that $\rho^B = \mathrm{Tr}_A\,\rho^{AB}$; the usual interpretation of such an operator is that if a physical state $\rho^{AB}$ lives in the space AB but one only has access to the space B to measure the state, then the statistics obtained can be explained using $\rho^B$. The partial trace can be defined as
$$\mathrm{Tr}_A(\rho^{AB}) \triangleq \sum_i (\langle r_i|_A \otimes I_B)\,\rho^{AB}\,(|r_i\rangle_A \otimes I_B), \qquad (1)$$
where the vectors $\{|r_i\rangle\}$ form any orthonormal basis for the subspace A. In fact, this is equivalent to performing a complete measurement of the A subspace and then discarding that subspace; what is left in our hands is $\mathrm{Tr}_A(\rho^{AB})$.

¹ For a thorough introduction to quantum information theory, see [10].

Throughout this paper, we will use superscripts on density matrices to indicate which subsystems they are defined on; for example, $\rho^{AB}$ is a density operator on the Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_B$. By convention, when we omit certain subsystems from the superscript, we mean that we take the partial trace over the subsystems that are absent, i.e. $\rho^B = \mathrm{Tr}_A\,\rho^{AB}$. We will refer to the dimension of the Hilbert space $\mathcal{H}_A$ by $d_A$. We will use as our main distance measure the trace distance, which is defined as
$$\|\rho - \sigma\|_1 \triangleq \mathrm{Tr}(|\rho - \sigma|), \qquad (2)$$
where $|A|$ is defined as $\sqrt{A^\dagger A}$, which is, for a Hermitian operator $A = \sum_i \alpha_i |a_i\rangle\langle a_i|$, simply $\sum_i |\alpha_i|\,|a_i\rangle\langle a_i|$. We will also make extensive use of operator inequalities: given two Hermitian operators A and B, we will say that $A \ge B$ iff $A - B$ is positive semi-definite. Finally, we denote by $a\|b$ the concatenation of the bitstrings a and b. $X^a$, where $a = a_1 \cdots a_n$ is an n-bit string, means $X^a = X^{a_1} \otimes X^{a_2} \otimes \cdots \otimes X^{a_n}$. We shall also write $\mathcal{L}(\mathcal{H})$ for the space of linear operators on the Hilbert space $\mathcal{H}$.

3 Model and definitions

Entropic security as introduced by Russell and Wang [2] and generalised by Dodis and Smith [3] uses the definition of classical min-entropy to represent the adversary's knowledge of the sender's message space. Let M be a random variable that represents the message space and let M take value m with probability $p_m$. Then the min-entropy of M, written $H_\infty(M)$, is defined to be $-\log \max_m (p_m)$.

Simon Pierre Desrosiers introduced in [4] quantum versions of these security definitions for the case where the eavesdropper and the sender are not entangled. The adversary's knowledge is represented by the quantum min-entropy of the adversary on the sender's state. The message space in this case is considered to be a valid interpretation $\{(p_i, \sigma_i)\}$ of a state $\rho^A = \sum_j \gamma_j |j\rangle\langle j| = \sum_i p_i \sigma_i$, where $H_\infty(\rho^A) = -\log \max_j \gamma_j$ and where $\sum_j \gamma_j |j\rangle\langle j|$ is the spectral decomposition of $\rho^A$. The joint system of the sender and the adversary was considered to contain no correlations, i.e. $\rho^{AE} = \sigma^A \otimes \tau^E$, where E represents the adversary's system.

In this paper, we will show that we can fully generalise these security definitions in the quantum setting, where no assumption on the entanglement between the sender and the adversary is made. The only restriction on the adversary will be quantified by the following definition, introduced by Renato Renner (see [5]) in his proof that the BB84 scheme is secure in the most general setting. We shall make no other assumption on the sender-eavesdropper system than a bound on the eavesdropper's conditional min-entropy.

Definition 1 (Quantum conditional min-entropy). For any quantum state $\rho^{AE}$ shared between the sender and the eavesdropper, we define the conditional min-entropy of $\rho^{AE}$ given $\rho^E$ as
$$H_\infty(\rho^{AE}|\rho^E) = -\log \lambda,$$
where λ is the minimum real number such that the Hermitian operator $\lambda I_A \otimes \rho^E - \rho^{AE}$ is positive semi-definite.

Observe that the last operator is defined using the identity matrix on the A space and not the perfectly mixed state. We will on occasion use the alternate notation $H_\infty(A|E)_\rho \triangleq H_\infty(\rho^{AE}|\rho^E)$ for quantum conditional min-entropy; the subscript indicates the state with respect to which the min-entropy is calculated. Observe also that we can obtain an equivalent definition for λ using the following:
$$\begin{aligned}
H_\infty(\rho^{AE}|\rho^E) &= -\log \min\{\lambda : \lambda I_A \otimes \rho^E - \rho^{AE} \ge 0\}\\
&= -\log \min\{\lambda : \forall |\psi\rangle,\ \langle\psi|\lambda I_A \otimes \rho^E|\psi\rangle \ge \langle\psi|\rho^{AE}|\psi\rangle\}\\
&= -\log \min\left\{\lambda : \forall |\psi\rangle,\ \lambda \ge \frac{\langle\psi|\rho^{AE}|\psi\rangle}{\langle\psi|I_A \otimes \rho^E|\psi\rangle}\right\}\\
&= -\log \max_{|\psi\rangle} \frac{\langle\psi|\rho^{AE}|\psi\rangle}{\langle\psi|I_A \otimes \rho^E|\psi\rangle}.
\end{aligned}$$
This last expression is reminiscent of the definition of classical conditional min-entropy, which we reproduce here:
$$H_\infty(X|Y) = -\log \max_{x,y} \frac{p(x,y)}{p(y)}. \qquad (3)$$
One can prove a few properties of conditional min-entropy which will be handy later on. First, this lemma:

Lemma 1. Let the joint state of the sender and the adversary be $\rho^{AE} = \rho^A \otimes \rho^E$; then $H_\infty(\rho^{AE}|\rho^E) = H_\infty(\rho^A)$.

Proof. The structure of $\rho^{AE}$ lets us write the equality $\lambda I \otimes \rho^E - \rho^{AE} = (\lambda I - \rho^A) \otimes \rho^E$. We know that $\rho^E$ is positive, since it is a valid density operator, hence if we want this quantity to be positive we need $\lambda I - \rho^A$ to be positive. This implies, since I commutes with everything, that the minimum λ is $\gamma_{\max}$, the largest eigenvalue of $\rho^A$. □

We can conclude from this lemma that if the sender and the adversary are not correlated, then the standard results of [4] can be used. But there is a case which is still more general and yet implies no quantum correlation (i.e. entanglement). We say a state $\rho^{AB}$ is separable if it can be written as $\rho^{AB} = \sum_z p_z \sigma_z^A \otimes \tau_z^B$, where $\sum_z p_z = 1$ and the $p_z$ are positive real numbers. In this case, Lemma 3.1.8 of Renato Renner's Ph.D. thesis [5] lets us conclude something interesting. Using Renner's notation, we say that a state $\rho^{ABZ}$ is classical with respect to the space Z if there exists an orthonormal basis $\{|z\rangle\}$ for the Z subspace such that $\rho^{ABZ} = \sum_z p_z \rho_z^{AB} \otimes |z\rangle\langle z|$. Therefore, for any separable state $\rho^{AB}$ there exist a space Z and an orthonormal basis of it such that $\mathrm{Tr}_Z\,\rho^{ABZ} = \rho^{AB}$, namely $\rho^{ABZ} = \sum_z p_z \sigma_z^A \otimes \tau_z^B \otimes |z\rangle\langle z|$. Lemma 3.1.8 in Renner's thesis states that
$$H_\infty(\rho^{ABZ}|\rho^{BZ}) = \inf_z H_\infty(\rho_z^{AB}|\rho_z^B). \qquad (4)$$
Note that this quantity for separable states is very classical and contains no perverse quantum effects: by Lemma 1 we can conclude $H_\infty(\rho_z^{AB}|\rho_z^B) = H_\infty(\sigma_z^A \otimes \tau_z^B|\tau_z^B) = H_\infty(\sigma_z^A)$. Lemma 3.1.7 of the same thesis also tells us that for any system C, $H_\infty(\rho^{ABC}|\rho^{BC}) \le H_\infty(\rho^{AB}|\rho^B)$. Hence, putting all this together, we get for separable states that
$$H_\infty(\rho^{AB}|\rho^B) \ge \inf_z H_\infty(\sigma_z^A) \ge 0. \qquad (5)$$
Sadly, as far as we know, no better expression is known for the min-entropy of separable states. Hence, when one deals with separable states, the results contained in [4] hold and are perfectly satisfactory. Note also that if the A and E spaces are in a fully entangled state $\sum_{i=1}^{d} \frac{1}{\sqrt{d}} |i\rangle^A |i\rangle^E$, where $n = \log d$, then
$$H_\infty(\rho^{AE}|\rho^E) = -n. \qquad (6)$$
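To make Definition 1 and the properties just listed concrete, here is an added Python example (it is not code from the paper, and it assumes numpy is installed) that evaluates $H_\infty(\rho^{AE}|\rho^E)$ directly from the operator inequality on small constructed states: a product state (Lemma 1 gives $H_\infty(\rho^A)$), a classically correlated separable state (eq. (5) gives a value of at least 0), the maximally entangled state (eq. (6) gives −n), and a message that is maximally mixed and independent of E (the maximum, n). The closed form used, the largest eigenvalue of $(I\otimes\rho^E)^{-1/2}\rho^{AE}(I\otimes\rho^E)^{-1/2}$ on the support of $\rho^E$, is just the maximum of the Rayleigh quotient in the rewriting of Definition 1.

```python
"""Quantum conditional min-entropy (Definition 1) evaluated on small states.

Added example; it is not code from the paper.  Assumes numpy.  A and E are
one qubit each in the sample states, so d_A = d_E = 2 and n = 1.
"""
import numpy as np


def partial_trace_a(rho_ae: np.ndarray, d_a: int) -> np.ndarray:
    """Tr_A rho^AE, eq. (1), summing over the computational basis of A."""
    d_e = rho_ae.shape[0] // d_a
    r = rho_ae.reshape(d_a, d_e, d_a, d_e)
    return np.trace(r, axis1=0, axis2=2)


def conditional_min_entropy(rho_ae: np.ndarray, d_a: int) -> float:
    """H_inf(rho^AE | rho^E) = -log2(lambda) in bits, with lambda the least real
    number such that lambda * I_A (x) rho^E - rho^AE is positive semidefinite.

    With S = I_A (x) rho^E, the operator lambda*S - rho^AE is PSD exactly when
    lambda >= lambda_max(S^{-1/2} rho^AE S^{-1/2}), S^{-1/2} taken on the support
    of rho^E (the support of rho^AE lies inside it).  That largest eigenvalue is
    the maximum over |psi> of <psi|rho^AE|psi> / <psi|I (x) rho^E|psi> from the
    rewriting of Definition 1, i.e. the same quantity as a generalised Rayleigh
    quotient.
    """
    rho_e = partial_trace_a(rho_ae, d_a)
    evals, evecs = np.linalg.eigh(rho_e)
    inv_sqrt_e = np.zeros_like(rho_e)
    for val, vec in zip(evals, evecs.T):
        if val > 1e-12:  # pseudo-inverse: skip the kernel of rho^E
            inv_sqrt_e += np.outer(vec, vec.conj()) / np.sqrt(val)
    s_inv_sqrt = np.kron(np.eye(d_a), inv_sqrt_e)
    lam = np.linalg.eigvalsh(s_inv_sqrt @ rho_ae @ s_inv_sqrt).max()
    return float(-np.log2(lam))


def ket(*bits: int) -> np.ndarray:
    """Computational-basis vector |b1 b2 ...>."""
    v = np.array([1.0])
    for b in bits:
        v = np.kron(v, np.array([1.0 - b, float(b)]))
    return v


def density(vec: np.ndarray) -> np.ndarray:
    """Normalised projector |v><v| / <v|v>."""
    return np.outer(vec, vec) / np.dot(vec, vec)


# Constructed sample states on A (x) E, one qubit each.
PRODUCT = np.kron(np.diag([0.75, 0.25]), density(ket(0)))        # rho^A (x) rho^E, Lemma 1
CLASSICAL = 0.5 * density(ket(0, 0)) + 0.5 * density(ket(1, 1))  # separable, eq. (5)
BELL = density(ket(0, 0) + ket(1, 1))                             # maximally entangled, eq. (6)
MIXED_A = np.kron(np.eye(2) / 2, density(ket(0)))                 # A uniform: the maximum, n

if __name__ == "__main__":
    for name, state in [("product", PRODUCT), ("classical", CLASSICAL),
                        ("bell", BELL), ("mixed_a", MIXED_A)]:
        print(f"{name:10s} H_inf(A|E) = {conditional_min_entropy(state, 2):+.4f} bits")
```

The product state returns $-\log_2 0.75 \approx 0.415$, the classically correlated state 0, the Bell state −1 and the maximally mixed message +1, so the whole range [−n, n] from the introduction is visited with n = 1; the product case also exercises the pseudo-inverse branch, since its $\rho^E$ is rank one.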


Our model is as simple and yet as general as possible according to quantum mechanics. The adversary is considered to be a POVM, that is, the most general measurement allowed by quantum mechanics. A POVM is a set of positive operators $\{E_i\}$ such that $\sum_i E_i = I$. This can represent any circuit or combination of circuits possible as long as one only looks at the classical output of such an adversary. We do not take into consideration the remaining quantum state of the adversary. Note that if such a quantum output could be useful, then one could process it further and then output something: this is just another POVM. We are interested in the predictive capabilities of an adversary that was given $\mathcal{E}(\sigma_i)$ (see below for the formal definition of a cypher $\mathcal{E}$) compared to those of an adversary that was not given such a state, in predicting a function of $\sigma_i$. Note that this $\sigma_i$ was chosen by the sender according to the interpretation $\{(p_i, \sigma_i)\}$ of $\rho = \sum_i p_i \sigma_i$. A function of $\sigma_i$ is a function that maps the bit string that represents the operator $\sigma_i$ to another bit string, which is the output of the function. See [4] for further discussion of this model. Since our adversary is a POVM, we take its output to be a prediction of the function f.

An encryption scheme $\mathcal{E}$ is a set of superoperators $\{\mathcal{E}_k\}$ indexed by a uniformly distributed key $k \in \{1, \ldots, K\}$ such that for each k there exists an inverting operator $\mathcal{D}_k$ such that for all $\rho^{AE}$, with probability one, we have
$$(\mathcal{D}_k \otimes I)((\mathcal{E}_k \otimes I)(\rho^{AE})) = \rho^{AE}. \qquad (7)$$
The view of the adversary is then $(\mathcal{E} \otimes I)(\rho^{AE}) \triangleq \frac{1}{K}\sum_{k=1}^{K} (\mathcal{E}_k \otimes I)(\rho^{AE})$. To simplify the notation, we will write $\mathcal{E}(\rho^{AE})$ instead of $(\mathcal{E} \otimes I)(\rho^{AE})$ from now on. Both [3] and [4] presented security definitions equivalent, in their respective models, to the following two.

Definition 2 (Entropic Security). An encryption system $\mathcal{E}$ is (t, ε)-entropically secure if for all states $\rho^{AE}$ such that $H_\infty(\rho^{AE}|\rho^E) \ge t$, all interpretations $\{(p_j, \sigma_j^{AE})\}$ and all adversaries A, there exists an A′ such that for all functions f² we have
$$\left|\Pr[A(\mathcal{E}(\sigma_i^{AE})) = f(i)] - \Pr[A'(\sigma_i^E) = f(i)]\right| \le \varepsilon. \qquad (8)$$

Definition 3 (Entropic Indistinguishability). An encryption system $\mathcal{E}$ is (t, ε)-indistinguishable if for all states $\rho^{AE}$ such that $H_\infty(\rho^{AE}|\rho^E) \ge t$ we have
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 < \varepsilon. \qquad (9)$$

Note that throughout this paper we shall be mostly concerned with encryption schemes where the message to be sent consists of n qubits; therefore $n = \log d_A$ from now on.

4 Equivalence between the two security definitions

Theorem 1. (t − 1, ε/2)-indistinguishability implies (t, ε)-entropic security for all functions.

Proof. We shall prove the contrapositive. Suppose there exists an adversary B, a state $\rho^{AE}$ such that $H_\infty(\rho^{AE}|\rho^E) \ge t$, an interpretation $\{(p_j, \sigma_j^{AE})\}$ of $\rho^{AE}$ and a function f such that
$$\left|\Pr[B(\mathcal{E}(\sigma_i^{AE})) = f(i)] - \Pr[B'(\sigma_i^E) = f(i)]\right| > \varepsilon \qquad (10)$$
for all adversaries B′. Then we know (see the first lemma of [4]) that there exists another adversary and a predicate h such that (t, ε/2)-entropic security is violated. Let us call this adversary A and define the sets $E_0$ and $E_1$ as follows:
$$E_0 = \{i \mid h(i) = 0\}, \qquad (11)$$
$$E_1 = \{i \mid h(i) = 1\}. \qquad (12)$$

² One can also get an equivalent definition by using functions on the states $\sigma_i^{AE}$ rather than on the indices i.


Define the following:
$$r_0 = \sum_{i \in E_0} p_i, \qquad r_1 = \sum_{i \in E_1} p_i,$$
$$\tau_0^{AE} = \frac{1}{r_0}\sum_{i \in E_0} p_i \sigma_i^{AE}, \qquad \tau_1^{AE} = \frac{1}{r_1}\sum_{i \in E_1} p_i \sigma_i^{AE}.$$
Note that $\rho^{AE} = r_0 \tau_0^{AE} + r_1 \tau_1^{AE}$. Now, define the following states:
$$\tilde\tau_0^{AE} = r_0 \tau_0^{AE} + r_1 \frac{I}{d_A} \otimes \tau_1^E, \qquad (13)$$
$$\tilde\tau_1^{AE} = r_1 \tau_1^{AE} + r_0 \frac{I}{d_A} \otimes \tau_0^E, \qquad (14)$$
where, as usual, $\tau_i^E = \mathrm{Tr}_A[\tau_i^{AE}]$. We need the following lemma to finish the proof.

Lemma 2. $H_\infty(\tilde\tau_0^{AE}|\tilde\tau_0^E) \ge t - 1$ and $H_\infty(\tilde\tau_1^{AE}|\tilde\tau_1^E) \ge t - 1$.

Proof. First, it is clear that $\tilde\tau_0^E = \tilde\tau_1^E = \rho^E$. We then have
$$\max_{|\psi\rangle} \frac{\langle\psi|\tilde\tau_0^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} \le r_0 \max_{|\psi\rangle} \frac{\langle\psi|\tau_0^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} + r_1 \max_{|\psi\rangle} \frac{\langle\psi|\frac{I}{d_A} \otimes \tau_1^E|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle}.$$
First observe that
$$\max_{|\psi\rangle} \frac{\langle\psi|\tau_0^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} \le \max_{|\psi\rangle} \frac{\langle\psi|\tau_0^{AE} + \frac{r_1}{r_0}\tau_1^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} \le \frac{1}{r_0} 2^{-t},$$
since $\tau_0^{AE} + \frac{r_1}{r_0}\tau_1^{AE} = \rho^{AE}/r_0$. Second, using Theorem 3.1.12 from [5] and the previous observation, we get
$$\max_{|\psi\rangle} \frac{\langle\psi|\frac{I}{d_A} \otimes \tau_1^E|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} \le \max_{|\psi\rangle} \frac{\langle\psi|\tau_1^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} \le \frac{1}{r_1} 2^{-t}.$$
Combining these two results, we obtain
$$\max_{|\psi\rangle} \frac{\langle\psi|\tilde\tau_0^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} \le 2 \times 2^{-t} = 2^{-(t-1)}.$$
Of course, an identical calculation yields the same result for $\tilde\tau_1^{AE}$. □

To finish the proof of Theorem 1, we need to show that A can distinguish $\mathcal{E}(\tilde\tau_0^{AE})$ from $\mathcal{E}(\tilde\tau_1^{AE})$ with an advantage strictly better than ε/2. Assume that A can distinguish $\mathcal{E}(\tau_0^{AE})$ from $\mathcal{E}(\tau_1^{AE})$ in an $r_0, r_1$ mixture with probability η. Now assume that we feed it $\mathcal{E}(\tilde\tau_0^{AE})$ with probability 1/2 and $\mathcal{E}(\tilde\tau_1^{AE})$ with probability 1/2. Observe that this is exactly as if we gave it an $r_0, r_1$ mixture of $\mathcal{E}(\tau_0^{AE})$ and $\mathcal{E}(\tau_1^{AE})$ with probability 1/2, and an $r_0, r_1$ mixture of $\frac{I}{d_A} \otimes \tau_0^E$ and $\frac{I}{d_A} \otimes \tau_1^E$ with probability 1/2. Let us denote by α the optimal probability of distinguishing $\frac{I}{d_A} \otimes \tau_0^E$ from $\frac{I}{d_A} \otimes \tau_1^E$ in an $r_0, r_1$ mixture. We then have that the probability of distinguishing $\mathcal{E}(\tilde\tau_0^{AE})$ from $\mathcal{E}(\tilde\tau_1^{AE})$ using A is at least
$$\frac{1}{2}\eta + \frac{1}{2}(1 - \alpha) = \frac{1}{2} + \frac{1}{2}(\eta - \alpha),$$
since the worst case behaviour for A is to optimally distinguish $\frac{I}{d_A} \otimes \tau_0^E$ from $\frac{I}{d_A} \otimes \tau_1^E$ and then return the wrong answer. But by the assumption that A violates entropic security, we know that
$$\eta - \alpha = \Pr[A(\mathcal{E}(\tau_i^{AE})) = i] - \max_{A'} \Pr[A'(\tau_i^E) = i] > \varepsilon/2.$$
Hence, the probability of distinguishing $\mathcal{E}(\tilde\tau_0^{AE})$ from $\mathcal{E}(\tilde\tau_1^{AE})$ is strictly greater than 1/2 + ε/4, which implies that
$$\begin{aligned}
\varepsilon &< \left\|\mathcal{E}(\tilde\tau_0^{AE}) - \mathcal{E}(\tilde\tau_1^{AE})\right\|_1\\
&= \left\|\left(\mathcal{E}(\tilde\tau_0^{AE}) - \frac{I}{d_A} \otimes \rho^E\right) - \left(\mathcal{E}(\tilde\tau_1^{AE}) - \frac{I}{d_A} \otimes \rho^E\right)\right\|_1\\
&\le \left\|\mathcal{E}(\tilde\tau_0^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 + \left\|\mathcal{E}(\tilde\tau_1^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1,
\end{aligned}$$
and therefore either $\left\|\mathcal{E}(\tilde\tau_0^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 \ge \varepsilon/2$ or $\left\|\mathcal{E}(\tilde\tau_1^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 \ge \varepsilon/2$, which by Lemma 2 violates (t − 1, ε/2)-indistinguishability. □

Theorem 2. (t, ε)-entropic security implies (t − 1, 6ε)-indistinguishability as long as $t \le n - 1$.

Proof. We will prove the contrapositive. Let $\rho^{AE}$ be a state such that $H_\infty(\rho^{AE}|\rho^E) \ge t - 1$ and
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 > 6\varepsilon.$$
Consider the following state:
$$\tilde\rho^{AE} = \frac{1}{3}\rho^{AE} + \frac{2}{3}\frac{I}{d_A} \otimes \rho^E.$$
We can easily show that $H_\infty(\tilde\rho^{AE}|\tilde\rho^E) = H_\infty(\tilde\rho^{AE}|\rho^E) \ge t$, using $1/d_A = 2^{-n} \le 2^{-t}/2$ in the second inequality:
$$\begin{aligned}
\frac{\langle\psi|\tilde\rho^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} &= \frac{1}{3}\frac{\langle\psi|\rho^{AE}|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle} + \frac{2}{3}\frac{\langle\psi|\frac{I}{d_A} \otimes \rho^E|\psi\rangle}{\langle\psi|I \otimes \rho^E|\psi\rangle}\\
&\le \frac{1}{3} 2^{-(t-1)} + \frac{2}{3}\frac{1}{d_A}\\
&= \frac{2}{3}\left(2^{-t} + \frac{1}{d_A}\right)\\
&\le \frac{2}{3}\left(2^{-t} + \frac{2^{-t}}{2}\right)\\
&= 2^{-t}.
\end{aligned}$$
Since $\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 > 6\varepsilon$, we know that there exists an adversary that can distinguish $\mathcal{E}(\rho^{AE})$ from $\frac{I}{d_A} \otimes \rho^E$ with probability greater than $\frac{1}{2} + \frac{3}{2}\varepsilon$. Let us call this adversary A, and let us assume that it gives the right answer with probability $\eta_1$ when it is given $\mathcal{E}(\rho^{AE})$ and with probability $\eta_2$ when it is given $\frac{I}{d_A} \otimes \rho^E$. We then have $\frac{1}{2}(\eta_1 + \eta_2) > \frac{1}{2} + \frac{3}{2}\varepsilon$. Now, consider the following interpretation of $\tilde\rho^{AE}$:
$$\tilde\rho^{AE} = \frac{1}{3}\sigma_1^{AE} + \frac{1}{3}\sigma_2^{AE} + \frac{1}{3}\sigma_3^{AE}, \qquad (15)$$
where $\sigma_1^{AE} = \rho^{AE}$ and $\sigma_2^{AE} = \sigma_3^{AE} = \frac{I}{d_A} \otimes \rho^E$. We will show that A violates entropic security on $\tilde\rho^{AE}$, this interpretation and the function h(i) = i.

First of all, it is clear that by having access only to Eve's system, no adversary can guess the value of h with probability greater than 1/3, since all three $\sigma_i^E$ are equal to $\rho^E$. Let us now determine what A can do by having access to the encrypted version of $\tilde\rho^{AE}$. It is clear that A's best strategy is to try to distinguish between $\mathcal{E}(\rho^{AE})$ and $\frac{I}{d_A} \otimes \rho^E$, returning 1 when it gets $\mathcal{E}(\rho^{AE})$ and randomly returning either 2 or 3 when it gets $\frac{I}{d_A} \otimes \rho^E$. We then have
$$\Pr[A(\mathcal{E}(\sigma_i)) = h(i)] = \frac{1}{3}\eta_1 + \frac{2}{3}\cdot\frac{\eta_2}{2} = \frac{1}{3}(\eta_1 + \eta_2) > \frac{1}{3}(1 + 3\varepsilon) = \frac{1}{3} + \varepsilon.$$
We then finally get
$$\Pr[A(\mathcal{E}(\sigma_i)) = h(i)] - \frac{1}{3} > \varepsilon,$$
which violates entropic security. □

5 Two encryption schemes

We shall first show two technical lemmas which will be useful as an intermediate step for both encryption schemes.

Lemma 3. For any bipartite state $\rho^{AE}$ we have
$$H_\infty(\rho^{AE}|\rho^E) \ge t \implies \mathrm{Tr}_A\big[(\rho^{AE})^2\big] \le 2^{-t}(\rho^E)^2.$$

Proof.
$$H_\infty(\rho^{AE}|\rho^E) \ge t \;\Rightarrow\; \rho^{AE} \le 2^{-t} I \otimes \rho^E \;\Rightarrow\; \mathrm{Tr}_A\big[(\rho^{AE})^2\big] \le 2^{-t}\,\mathrm{Tr}_A\big[\rho^{AE}(I \otimes \rho^E)\big] \overset{(a)}{=} 2^{-t}(\rho^E)^2,$$
where (a) follows from the fact that
$$\mathrm{Tr}_A\big[\rho^{AE}(I \otimes \rho^E)\big] = \sum_i (\langle i| \otimes I)\rho^{AE}(I \otimes \rho^E)(|i\rangle \otimes I) = \sum_i (\langle i| \otimes I)\rho^{AE}(|i\rangle \otimes I)\,\rho^E = (\rho^E)^2. \qquad (16)$$
□

Lemma 4. For any valid bipartite state $\rho^{AE}$, where $\mathrm{Tr}_A[\rho^{AE}] = \rho^E$, we have
$$\mathrm{Tr}_A\left[\left(\rho^{AE} - \frac{I_A}{d_A} \otimes \rho^E\right)^2\right] = \mathrm{Tr}_A\big[(\rho^{AE})^2\big] - \frac{1}{d_A}(\rho^E)^2,$$
where $d_A$ is the dimension of the A space.

Proof. By definition we have
$$\mathrm{Tr}_A\left[\left(\rho^{AE} - \frac{I}{d_A} \otimes \rho^E\right)^2\right] = \mathrm{Tr}_A\big[(\rho^{AE})^2\big] - \frac{2}{d_A}\mathrm{Tr}_A\big[\rho^{AE}(I \otimes \rho^E)\big] + \frac{1}{d_A^2}\mathrm{Tr}_A\big[I \otimes (\rho^E)^2\big]. \qquad (17)$$
Note that the middle term on the right-hand side is simply $-\frac{2}{d_A}(\rho^E)^2$ as calculated in (16), while the last term equals $\frac{1}{d_A}(\rho^E)^2$ since $\mathrm{Tr}_A[I_A] = d_A$. □

5.1 A scheme based on δ-biased sets

In [8], Ambainis and Smith introduced an approximate quantum encryption scheme based on δ-biased sets. Here, we shall show that if $H_\infty(\rho^{AE}|\rho^E) \ge t$, then the Ambainis-Smith scheme is ε-secure using $n - t + 2\log n + 2\log(1/\varepsilon) + 2$ bits of key, where n is the logarithm of $d_A$ as usual.

Definition 4 (δ-biased set). A set $S \subseteq \{0,1\}^n$ is said to be δ-biased if and only if for every $s' \in \{0,1\}^n$, $s' \ne 0^n$, we have that
$$\left|\frac{1}{|S|}\sum_{s \in S} (-1)^{s \odot s'}\right| \le \delta,$$
where $s \odot s'$ denotes the inner product of the two strings modulo 2.

There exist several efficient constructions of δ-biased sets ([11, 12, 13]); the one most appropriate for our purposes [13] yields sets of size $n^2/\delta^2$. The Ambainis-Smith scheme consists of applying at random an operator from the set $\{X^a Z^b : a\|b \in S\}$, where S is a δ-biased set containing strings of length 2n. The shared private key is used to index one of the operators. In other words, the encryption operator is
$$\mathcal{E}(\rho^{AE}) = \frac{1}{|S|}\sum_{a\|b \in S} (X^a Z^b \otimes I)\,\rho^{AE}\,(Z^b X^a \otimes I).$$

To prove this scheme secure in our framework, we first need to prove a few technical lemmas. The following is a generalisation of a lemma contained in [8]:

Lemma 5. $\big|\mathrm{Tr}_A[(X^c Z^d \otimes I)\mathcal{E}(\rho^{AE})]\big| \le \delta\,\big|\mathrm{Tr}_A[(X^c Z^d \otimes I)\rho^{AE}]\big|$ for all c, d such that $c\|d \ne 0^{2n}$.

Proof.
$$\begin{aligned}
\mathrm{Tr}_A[(X^c Z^d \otimes I)\mathcal{E}(\rho^{AE})] &= \frac{1}{|S|}\sum_{a\|b \in S} \mathrm{Tr}_A[(X^c Z^d \otimes I)(X^a Z^b \otimes I)\rho^{AE}(Z^b X^a \otimes I)]\\
&= \frac{1}{|S|}\sum_{a\|b \in S} \mathrm{Tr}_A[(Z^b X^a X^c Z^d X^a Z^b \otimes I)\rho^{AE}]\\
&= \frac{1}{|S|}\sum_{a\|b \in S} (-1)^{a \odot d + b \odot c}\,\mathrm{Tr}_A[(X^c Z^d \otimes I)\rho^{AE}]\\
&= \left(\frac{1}{|S|}\sum_{a\|b \in S} (-1)^{(a\|b) \odot (d\|c)}\right)\mathrm{Tr}_A[(X^c Z^d \otimes I)\rho^{AE}],
\end{aligned}$$
where the second line uses the cyclicity of the partial trace over A and the third line commutes $X^a$ past $Z^d$ and $Z^b$ past $X^c$. The lemma follows from the definition of δ-biased sets applied to the string $d\|c$, which is nonzero exactly when $c\|d$ is. □

Lemma 6. $\mathrm{Tr}_A\sqrt{\rho^{AE}} \le \sqrt{d_A}\,\sqrt{\mathrm{Tr}_A\,\rho^{AE}}$.

Proof. Since the square root function is operator concave (see, for instance, [14]), it can be shown that $P\sqrt{\rho^{AE}}P \le \sqrt{P\rho^{AE}P}$ for any projector P. Hence,
$$\begin{aligned}
\mathrm{Tr}_A\sqrt{\rho^{AE}} &= \sum_{i=1}^{d_A} (\langle i| \otimes I)\sqrt{\rho^{AE}}(|i\rangle \otimes I)\\
&\le \sum_{i=1}^{d_A} \sqrt{(\langle i| \otimes I)\rho^{AE}(|i\rangle \otimes I)}\\
&= d_A \sum_{i=1}^{d_A} \frac{1}{d_A}\sqrt{(\langle i| \otimes I)\rho^{AE}(|i\rangle \otimes I)}\\
&\le d_A \sqrt{\sum_{i=1}^{d_A} \frac{1}{d_A}(\langle i| \otimes I)\rho^{AE}(|i\rangle \otimes I)}\\
&= \sqrt{d_A}\,\sqrt{\mathrm{Tr}_A\,\rho^{AE}},
\end{aligned}$$
where the second inequality is again operator concavity of the square root. □

Lemma 7. For every Hermitian matrix M on $\mathcal{H}_A \otimes \mathcal{H}_E$, where $d_A = 2^n$, we have
$$\mathrm{Tr}_A[M^2] = \frac{1}{d_A}\sum_{u,v} \mathrm{Tr}_A[(X^u Z^v \otimes I)M]^2.$$

Proof. A matrix M on $\mathcal{H}_A \otimes \mathcal{H}_E$ in the computational basis consists of a square array of $d_A \times d_A$ blocks of $d_E \times d_E$ entries each. For the purposes of this proof, we will find it convenient to stack these blocks in a single column: let $\mathrm{vec}_A(M)$ be the $d_A^2 d_E \times d_E$ matrix whose m-th block is the block in row i, column j of M, where $i = \lfloor m/d_A \rfloor$ and $j = m \bmod d_A$. It is easy to verify that
$$\mathrm{Tr}_A[A^\dagger B] = \mathrm{vec}_A(A)^\dagger \mathrm{vec}_A(B) \qquad (18)$$
for any matrices A and B in $\mathcal{L}(\mathcal{H}_A \otimes \mathcal{H}_E)$. Now, it is well known that the Pauli matrices $\{\frac{1}{\sqrt{d_A}} X^u Z^v \mid u, v \in \{0,1\}^n\}$ form an orthonormal basis for $\mathcal{L}(\mathcal{H}_A)$ with respect to the Hilbert-Schmidt inner product. Hence, we have that
$$\sum_{u,v} \mathrm{vec}_A\!\left(\tfrac{1}{\sqrt{d_A}}(X^u Z^v \otimes I)\right)\mathrm{vec}_A\!\left(\tfrac{1}{\sqrt{d_A}}(X^u Z^v \otimes I)\right)^\dagger = I \qquad (19)$$
and therefore that
$$\begin{aligned}
\mathrm{Tr}_A[M^2] &= \mathrm{vec}_A(M)^\dagger \mathrm{vec}_A(M)\\
&= \mathrm{vec}_A(M)^\dagger \left(\sum_{u,v} \mathrm{vec}_A\!\left(\tfrac{1}{\sqrt{d_A}}(X^u Z^v \otimes I)\right)\mathrm{vec}_A\!\left(\tfrac{1}{\sqrt{d_A}}(X^u Z^v \otimes I)\right)^\dagger\right)\mathrm{vec}_A(M)\\
&= \frac{1}{d_A}\sum_{u,v} \mathrm{Tr}_A[M^\dagger (X^u Z^v \otimes I)]\,\mathrm{Tr}_A[(X^u Z^v \otimes I)^\dagger M]\\
&= \frac{1}{d_A}\sum_{u,v} \mathrm{Tr}_A[(X^u Z^v \otimes I)M]^2.
\end{aligned}$$
□

Lemma 8.
$$\mathrm{Tr}_A\left[\left(\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right)^2\right] \le \delta^2\,\mathrm{Tr}_A\big[(\rho^{AE})^2\big].$$

Proof.
$$\begin{aligned}
\mathrm{Tr}_A\left[\left(\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right)^2\right] &\overset{(a)}{=} \mathrm{Tr}_A\big[\mathcal{E}(\rho^{AE})^2\big] - \frac{1}{d_A}(\rho^E)^2\\
&= \frac{1}{d_A}\sum_{u,v} \mathrm{Tr}_A[(X^u Z^v \otimes I)\mathcal{E}(\rho^{AE})]^2 - \frac{1}{d_A}(\rho^E)^2\\
&= \frac{1}{d_A}\sum_{u\|v \ne 0^{2n}} \mathrm{Tr}_A[(X^u Z^v \otimes I)\mathcal{E}(\rho^{AE})]^2\\
&\overset{(b)}{\le} \frac{\delta^2}{d_A}\sum_{u\|v \ne 0^{2n}} \mathrm{Tr}_A[(X^u Z^v \otimes I)\rho^{AE}]^2\\
&\le \frac{\delta^2}{d_A}\sum_{u,v} \mathrm{Tr}_A[(X^u Z^v \otimes I)\rho^{AE}]^2\\
&= \delta^2\,\mathrm{Tr}_A\big[(\rho^{AE})^2\big],
\end{aligned}$$
where (a) follows by Lemma 4 (applicable since $\mathrm{Tr}_A\,\mathcal{E}(\rho^{AE}) = \rho^E$), the second and last lines by Lemma 7, the third line because the $u\|v = 0^{2n}$ term of the sum is exactly $\frac{1}{d_A}\mathrm{Tr}_A[\mathcal{E}(\rho^{AE})]^2 = \frac{1}{d_A}(\rho^E)^2$, and (b) by Lemma 5. □

Lemma 9. $\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 \le \delta\sqrt{d_A 2^{-t}}$.

Proof. By Lemma 6 (second line) and Lemma 8 (third line),
$$\begin{aligned}
\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 &= \mathrm{Tr}\left[\mathrm{Tr}_A\sqrt{\left(\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right)^2}\right]\\
&\le \mathrm{Tr}\left[\sqrt{d_A\,\mathrm{Tr}_A\left[\left(\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right)^2\right]}\right]\\
&\le \mathrm{Tr}\left[\sqrt{d_A \delta^2\,\mathrm{Tr}_A\big[(\rho^{AE})^2\big]}\right]\\
&= \delta\sqrt{d_A}\,\mathrm{Tr}\left[\sqrt{\mathrm{Tr}_A\big[(\rho^{AE})^2\big]}\right].
\end{aligned}$$
Using Lemma 3 we continue as follows:
$$\begin{aligned}
\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 &\le \delta\sqrt{d_A}\,\mathrm{Tr}\left[\sqrt{2^{-t}(\rho^E)^2}\right]\\
&= \delta\sqrt{d_A 2^{-t}}\,\mathrm{Tr}[\rho^E]\\
&= \delta\sqrt{d_A 2^{-t}}.
\end{aligned}$$
□

We are now ready to prove the main theorem.

Theorem 3. If $H_\infty(\rho^{AE}|\rho^E) \ge t$, then the Ambainis-Smith scheme is ε-secure using $n - t + 2\log n + 2\log(1/\varepsilon) + 2$ bits of key, where $n = \log d_A$.

Proof. If we choose $\delta = \varepsilon / 2^{(n-t)/2}$ and construct S using the method of [13] such that $|S| = (2n)^2/\delta^2$, by Lemma 9 we obtain $\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A} \otimes \rho^E\right\|_1 \le \varepsilon$, and the key indexing S has $\log|S| = 2\log(2n) + 2\log(1/\delta) = n - t + 2\log n + 2\log(1/\varepsilon) + 2$ bits. □
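As an added illustration of Section 5.1 (example code, not from the paper; numpy is assumed), the following script implements the Ambainis-Smith encryption for a small key set S, computes the bias δ of S directly from Definition 4, and compares $\left\|\mathcal{E}(\rho^{AE}) - \frac{I}{d_A}\otimes\rho^E\right\|_1$ with the Lemma 9 guarantee $\delta\sqrt{d_A 2^{-t}}$. The key sets and input states are constructed for the example; the weight-at-most-one set is chosen by hand for its small size and is not one of the constructions of [11, 12, 13].

```python
"""Ambainis-Smith encryption with a delta-biased key set, checked against Lemma 9.

Added example, not the paper's code.  Assumes numpy.  The key set S, the
message states and the environment are constructed here for illustration.
"""
import numpy as np

X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)


def pauli(a: int, b: int, n: int) -> np.ndarray:
    """X^a Z^b on n qubits, a and b read as n-bit strings (Section 2 notation)."""
    op = np.array([[1.0 + 0j]])
    for j in range(n - 1, -1, -1):  # most significant bit = first qubit
        op = np.kron(op, np.linalg.matrix_power(X, (a >> j) & 1)
                     @ np.linalg.matrix_power(Z, (b >> j) & 1))
    return op


def bias(S, m: int) -> float:
    """delta of a set S of m-bit strings (Definition 4): the largest value of
    |(1/|S|) sum_{s in S} (-1)^{s . s'}| over nonzero s'."""
    return max(abs(sum((-1) ** bin(s & sp).count("1") for s in S)) / len(S)
               for sp in range(1, 2 ** m))


def encrypt(rho_ae: np.ndarray, n: int, S) -> np.ndarray:
    """E(rho^AE) = (1/|S|) sum_{a||b in S} (X^a Z^b (x) I) rho^AE (Z^b X^a (x) I);
    the key indexes one 2n-bit string a||b of S, a being the first n bits."""
    d_a = 2 ** n
    d_e = rho_ae.shape[0] // d_a
    out = np.zeros(rho_ae.shape, dtype=complex)
    for s in S:
        a, b = s >> n, s & (d_a - 1)
        u = np.kron(pauli(a, b, n), np.eye(d_e))
        out += u @ rho_ae @ u.conj().T
    return out / len(S)


def trace_distance(p: np.ndarray, q: np.ndarray) -> float:
    """||p - q||_1 = Tr|p - q|, eq. (2)."""
    return float(np.abs(np.linalg.eigvalsh(p - q)).sum())


def distance_from_random(rho_ae: np.ndarray, n: int, S) -> float:
    """Left-hand side of Definition 3: || E(rho^AE) - I_A/d_A (x) rho^E ||_1."""
    d_a = 2 ** n
    d_e = rho_ae.shape[0] // d_a
    rho_e = np.trace(rho_ae.reshape(d_a, d_e, d_a, d_e), axis1=0, axis2=2)
    return trace_distance(encrypt(rho_ae, n, S), np.kron(np.eye(d_a) / d_a, rho_e))


def lemma9_bound(delta: float, n: int, t: float) -> float:
    """delta * sqrt(d_A 2^{-t}) with d_A = 2^n, the guarantee of Lemma 9."""
    return float(delta * np.sqrt(2.0 ** (n - t)))


def ket(*bits: int) -> np.ndarray:
    v = np.array([1.0])
    for b in bits:
        v = np.kron(v, np.array([1.0 - b, float(b)]))
    return v


def density(vec: np.ndarray) -> np.ndarray:
    return np.outer(vec, vec) / np.dot(vec, vec)


# Constructed inputs.  PURE_2Q: 2-qubit message |00> with an uncorrelated environment
# qubit, so t = H_inf(rho^A) = 0 by Lemma 1.  BELL_1Q: 1-qubit message maximally
# entangled with the eavesdropper, so t = -1 by eq. (6).
PURE_2Q = np.kron(density(ket(0, 0)), density(ket(0)))
BELL_1Q = density(ket(0, 0) + ket(1, 1))
# Key sets of 4-bit strings a||b for the 2-qubit message: weight <= 1 (delta = 3/5,
# log2(5) bits of key) and the full set of 16 Pauli labels (delta = 0, 2n = 4 bits).
S_WEIGHT_LE_1 = [0b0000, 0b0001, 0b0010, 0b0100, 0b1000]
S_ALL_4BIT = list(range(16))

if __name__ == "__main__":
    delta = bias(S_WEIGHT_LE_1, 4)
    print("delta =", delta,
          "distance =", distance_from_random(PURE_2Q, 2, S_WEIGHT_LE_1),
          "Lemma 9 bound =", lemma9_bound(delta, 2, 0.0))
    print("full Pauli set on Bell input:", distance_from_random(BELL_1Q, 1, [0, 1, 2, 3]))
```

For the pure 2-qubit message and the weight-at-most-one set, the view is $\frac{3}{5}|00\rangle\langle 00| + \frac{1}{5}|01\rangle\langle 01| + \frac{1}{5}|10\rangle\langle 10|$ on A, at trace distance 0.7 from $I/4$, inside the Lemma 9 bound of $0.6\cdot\sqrt{4} = 1.2$. The full set of 16 Pauli labels (2n key bits) drives the distance to zero even for the Bell-state input with t = −1, which is the perfect-encryption case of [6]; dropping half of that set, e.g. keeping only $\{I, Z\}$ for n = 1, leaves the entangled input at distance 1.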

5.2 A scheme based on XOR-universal functions

Our second scheme, based on XOR-universal functions, can be considered a quantum version of the scheme given in [3]; it can also be viewed as a generalisation of the second scheme given in [8].

Definition 5. Let $H_n = \{h_i\}_{i \in I}$ be a family of functions from n-bit strings to n-bit strings. We say the family $H_n$ is strongly XOR-universal if for all n-bit strings a, x and y such that $x \ne y$ we have
$$\Pr_{i \leftarrow I}[h_i(x) \oplus h_i(y) = a] = \frac{1}{2^n},$$
where i is distributed uniformly over I. The family proposed in [3] naturally possesses this property.

Theorem 4. Let $H_{2n}$ be a strongly XOR-universal family of functions. Consider the superoperator
$$\mathcal{E}_k(\rho^{AE}) = \frac{1}{|I|}\sum_{i \in I} |i\rangle\langle i|^{A'} \otimes (X^a Z^b \otimes I^E)\,\rho^{AE}\,(Z^b X^a \otimes I^E), \qquad \text{where } a\|b = h_i(k),\ h_i \in H_{2n},$$
and k is the secret key, selected uniformly at random from a set $K \subseteq \{0,1\}^{2n}$. Then $\mathcal{E}$ is (t, ε)-indistinguishable if $\log|K| \ge n - t + 2\log(1/\varepsilon)$.

We will need the following lemma to complete the proof.

Lemma 10. For the cypher defined in Theorem 4, we have
$$\mathrm{Tr}_{AA'}\left[\left(\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right)^2\right] \le \frac{1}{|I||K|}\mathrm{Tr}_A\big[(\rho^{AE})^2\big]. \qquad (20)$$

Proof. By Lemma 4,
$$\mathrm{Tr}_{AA'}\left[\left(\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right)^2\right] = \mathrm{Tr}_{AA'}\big[\mathcal{E}(\rho^{AE})^2\big] - \frac{(\rho^E)^2}{|I| d_A}, \qquad (21)$$
so we only have to calculate $\mathrm{Tr}_{AA'}[\mathcal{E}(\rho^{AE})^2]$. Now, the adversary's view can be written this way: $\mathcal{E}(\rho^{AE}) = \mathbb{E}_{k,i}\big[|i\rangle\langle i|^{A'} \otimes (X^a Z^b \otimes I)\rho^{AE}(Z^b X^a \otimes I)\big]$. Let k and k′ be independent instances of the key, i and j two independent choices of the hash function, and $a\|b = h_i(k)$ and $c\|d = h_j(k')$. Note that throughout the following calculation we will omit the subsystem superscripts and the $I^E$ to simplify the notation.
$$\begin{aligned}
\mathrm{Tr}_{AA'}[\mathcal{E}(\rho)^2] &= \mathrm{Tr}_{AA'}\Big[\mathbb{E}_{k,k',i,j}\big[(|i\rangle\langle i| \otimes X^a Z^b \rho Z^b X^a)(|j\rangle\langle j| \otimes X^c Z^d \rho Z^d X^c)\big]\Big]\\
&= \mathrm{Tr}_{AA'}\Big[\mathbb{E}_{k,k',i,j}\big[|i\rangle\langle i|j\rangle\langle j| \otimes X^a Z^b \rho Z^b X^a X^c Z^d \rho Z^d X^c\big]\Big]\\
&= \frac{1}{|I|}\mathrm{Tr}_A\Big[\mathbb{E}_{k,k',i}\big[X^a Z^b \rho Z^b X^a X^c Z^d \rho Z^d X^c\big]\Big]\\
&= \frac{1}{|I|}\mathrm{Tr}_A\Big[\mathbb{E}_{k,k',i}\big[Z^d X^c X^a Z^b \rho Z^b X^a X^c Z^d \rho\big]\Big]\\
&= \frac{1}{|I|}\mathrm{Tr}_A\Big[\mathbb{E}_{k,k',i}\big[(-1)^{d \odot c}(-1)^{d \odot a} X^{a \oplus c} Z^{b \oplus d} \rho Z^b X^a X^c Z^d \rho\big]\Big]\\
&= \frac{1}{|I|}\mathrm{Tr}_A\Big[\mathbb{E}_{k,k',i}\big[((-1)^{d \odot c})^2((-1)^{d \odot a})^2 X^{a \oplus c} Z^{b \oplus d} \rho Z^{b \oplus d} X^{a \oplus c} \rho\big]\Big]\\
&= \frac{1}{|I|}\mathrm{Tr}_A\Big[\mathbb{E}_{k,k',i}\big[X^e Z^f \rho Z^f X^e\big]\,\rho\Big]\\
&= \frac{1}{|I|}\mathrm{Tr}_A\Big[\mathbb{E}_{k,k',i}\big[(X^e Z^f \otimes I)\rho^{AE}(Z^f X^e \otimes I)\big]\,\rho^{AE}\Big],
\end{aligned}$$
where the third line uses $\langle i|j\rangle = \delta_{ij}$, so that only $j = i$ survives and $c\|d = h_i(k')$, and where $e\|f = (a \oplus c)\|(b \oplus d) = (a\|b) \oplus (c\|d) = h_i(k) \oplus h_i(k')$. We can now split the expression into two cases: one where $k = k'$, which occurs with probability $1/|K|$, and one where $k \ne k'$. In the first case, we always get $e\|f = 0^{2n}$ regardless of what i is, whereas in the second case $e\|f$ is uniformly distributed over all 2n-bit strings regardless of what k and k′ are, and the A subsystem becomes the completely mixed state. Hence,
$$\mathrm{Tr}_{AA'}[\mathcal{E}(\rho)^2] = \frac{1}{|I|}\left(\frac{1}{|K|}\mathrm{Tr}_A\big[(\rho^{AE})^2\big] + \left(1 - \frac{1}{|K|}\right)\mathrm{Tr}_A\left[\left(\frac{I}{d_A} \otimes \rho^E\right)\rho^{AE}\right]\right). \qquad (22)$$
Finally, since $\mathrm{Tr}_A\big[(\frac{I}{d_A} \otimes \rho^E)\rho^{AE}\big] = \frac{1}{d_A}(\rho^E)^2$ (see the proof of Lemma 4), we can rewrite equation (22) this way:
$$\mathrm{Tr}_{AA'}[\mathcal{E}(\rho)^2] \le \frac{1}{|I|}\left(\frac{1}{|K|}\mathrm{Tr}_A\big[(\rho^{AE})^2\big] + \frac{1}{d_A}(\rho^E)^2\right), \qquad (23)$$
which, after substitution into equation (21), is equivalent to the lemma statement. □

And finally we can prove Theorem 4.

Proof. To show that the cypher is (t, ε)-indistinguishable, we must show that for all states $\rho^{AE}$ such that $H_\infty(\rho^{AE}|\rho^E) \ge t$,
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right\|_1 \le \varepsilon.$$
Applying Lemma 6 to the AA′ system, of dimension $d_A|I|$ (second line), and then Lemma 10 (third line), we have
$$\begin{aligned}
\left\|\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right\|_1 &= \mathrm{Tr}\left[\mathrm{Tr}_{AA'}\sqrt{\left(\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right)^2}\right]\\
&\le \mathrm{Tr}\left[\sqrt{d_A|I|\,\mathrm{Tr}_{AA'}\left[\left(\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right)^2\right]}\right]\\
&\le \mathrm{Tr}\left[\sqrt{\frac{d_A}{|K|}\mathrm{Tr}_A\big[(\rho^{AE})^2\big]}\right]\\
&= \sqrt{\frac{d_A}{|K|}}\,\mathrm{Tr}\left[\sqrt{\mathrm{Tr}_A\big[(\rho^{AE})^2\big]}\right].
\end{aligned}$$
Using Lemma 3 we continue as follows:
$$\begin{aligned}
\left\|\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right\|_1 &\le \sqrt{\frac{d_A}{|K|}}\,\mathrm{Tr}\left[\sqrt{2^{-t}(\rho^E)^2}\right]\\
&= \sqrt{\frac{d_A 2^{-t}}{|K|}}\,\mathrm{Tr}[\rho^E]\\
&= \sqrt{\frac{d_A 2^{-t}}{|K|}}.
\end{aligned}$$
Now, by hypothesis, we have $\log|K| \ge n - t + 2\log(1/\varepsilon)$, which can be transformed into $\log d_A - \log|K| - t \le \log \varepsilon^2$. Getting rid of the logs gives us $\frac{d_A 2^{-t}}{|K|} \le \varepsilon^2$. This in turn implies that
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{I^{AA'}}{|I| d_A} \otimes \rho^E\right\|_1 \le \sqrt{\frac{d_A 2^{-t}}{|K|}} \le \varepsilon,$$
which is the desired result. □
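To see Theorem 4 in action, here is an added example (not from the paper; numpy is assumed) with a 2-qubit message and the strongly XOR-universal family $h_i(k) = i \cdot k$ over GF(2⁴), a standard choice made here for illustration rather than the specific family of [3]. It checks Definition 5 exhaustively, builds the adversary's view including the public register A′ that carries the hash index, and compares the trace distance to $\frac{I^{AA'}}{|I|d_A}\otimes\rho^E$ with $\sqrt{d_A 2^{-t}/|K|}$ for a full 4-bit key set and for a constructed 2-bit key set.

```python
"""The XOR-universal cypher of Theorem 4 on a 2-qubit message, checked against its bound.

Added example, not the paper's code.  Assumes numpy.  The hash family is
h_i(k) = i * k in GF(2^4), a standard strongly XOR-universal family chosen for
the example (not claimed to be the family of [3]).  Key sets and states are
constructed inline.
"""
import numpy as np

N = 2               # message qubits; a||b is a 2N-bit string
M = 2 * N           # hash input/output length in bits
GF_POLY = 0b10011   # x^4 + x + 1, irreducible over GF(2): defines GF(2^M) for M = 4

X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)


def gf_mul(x: int, y: int) -> int:
    """Carry-less multiplication of M-bit field elements modulo GF_POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= GF_POLY
    return r


def h(i: int, k: int) -> int:
    """h_i(k) = i * k.  For x != y, h_i(x) xor h_i(y) = i * (x xor y) runs over all of
    GF(2^M) as i does, so Pr_i[h_i(x) xor h_i(y) = a] = 2^-M for every a (Definition 5)."""
    return gf_mul(i, k)


def is_strongly_xor_universal() -> bool:
    """Exhaustive check of Definition 5 for {h_i}: exactly one i per (x, y, a) with x != y."""
    size = 2 ** M
    return all(sum(1 for i in range(size) if h(i, x) ^ h(i, y) == a) == 1
               for x in range(size) for y in range(size) if x != y
               for a in range(size))


def pauli(a: int, b: int) -> np.ndarray:
    """X^a Z^b on N qubits, a and b read as N-bit strings (first bit = first qubit)."""
    op = np.array([[1.0 + 0j]])
    for j in range(N - 1, -1, -1):
        op = np.kron(op, np.linalg.matrix_power(X, (a >> j) & 1)
                     @ np.linalg.matrix_power(Z, (b >> j) & 1))
    return op


def view(rho_ae: np.ndarray, keys) -> np.ndarray:
    """E(rho^AE) of Theorem 4: register A' holds the public hash index |i><i|, the
    secret key k is uniform over `keys`, and a||b = h_i(k) selects the Pauli on A."""
    d_a = 2 ** N
    d_e = rho_ae.shape[0] // d_a
    n_hash = 2 ** M
    out = np.zeros((n_hash * rho_ae.shape[0],) * 2, dtype=complex)
    for i in range(n_hash):
        proj_i = np.zeros((n_hash, n_hash))
        proj_i[i, i] = 1.0
        acc = np.zeros(rho_ae.shape, dtype=complex)
        for k in keys:
            ab = h(i, k)
            u = np.kron(pauli(ab >> N, ab & (d_a - 1)), np.eye(d_e))
            acc += u @ rho_ae @ u.conj().T
        out += np.kron(proj_i, acc / len(keys))
    return out / n_hash


def distance_from_random(rho_ae: np.ndarray, keys) -> float:
    """|| E(rho^AE) - I^{AA'}/(|I| d_A) (x) rho^E ||_1, the quantity bounded in Theorem 4."""
    d_a = 2 ** N
    d_e = rho_ae.shape[0] // d_a
    rho_e = np.trace(rho_ae.reshape(d_a, d_e, d_a, d_e), axis1=0, axis2=2)
    ideal = np.kron(np.eye(2 ** M * d_a) / (2 ** M * d_a), rho_e)
    return float(np.abs(np.linalg.eigvalsh(view(rho_ae, keys) - ideal)).sum())


def theorem4_bound(t: float, n_keys: int) -> float:
    """sqrt(d_A 2^{-t} / |K|); it is <= eps exactly when log|K| >= n - t + 2 log(1/eps)."""
    return float(np.sqrt(2.0 ** (N - t) / n_keys))


def ket(*bits: int) -> np.ndarray:
    v = np.array([1.0])
    for b in bits:
        v = np.kron(v, np.array([1.0 - b, float(b)]))
    return v


# Constructed input: message |00> with an uncorrelated environment qubit |0>, so
# t = H_inf(rho^A) = 0 by Lemma 1.  K_FULL uses all 2n = 4 key bits; K_2BIT only 2.
PURE = np.kron(np.outer(ket(0, 0), ket(0, 0)), np.outer(ket(0), ket(0)))
K_FULL = list(range(16))
K_2BIT = [0b0000, 0b0101, 0b1010, 0b1111]

if __name__ == "__main__":
    print("strongly XOR-universal:", is_strongly_xor_universal())
    for name, keys in [("4-bit key", K_FULL), ("2-bit key", K_2BIT)]:
        print(name, "distance =", round(distance_from_random(PURE, keys), 5),
              "bound =", theorem4_bound(0.0, len(keys)))
```

With the full 16-element key set every nonzero hash index applies a perfect Pauli twirl, and only the index i = 0 (whose $h_0$ is identically zero, yet is needed for the family to be strongly XOR-universal in the sense of Definition 5) leaks the message, so the distance is exactly $\frac{1}{16}\left\||00\rangle\langle 00| - \frac{I}{4}\right\|_1 = 0.09375$, well inside the bound $\sqrt{4/16} = 0.5$. With the 2-bit key set the bound is $\sqrt{4/4} = 1$, which matches $\log|K| = 2 = n - t + 2\log(1/\varepsilon)$ for ε = 1.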

6 Minimum requirement for the key length

We can generalise the proof of the lower bound on the key length found in [3] to the quantum world and the conditional min-entropy definition.

Theorem 5. Any quantum encryption scheme which is (t, ε)-indistinguishable for inputs of n qubits requires a key of length at least n − t − 1 as long as $\varepsilon \le 1/2$.

Proof. We prove this by constructing a state with conditional min-entropy t which provably requires at least n − t − 1 bits of key to be securely encrypted. Consider the state $\rho^{A\hat{A}E} = |\Phi^+\rangle\langle\Phi^+|^{AE} \otimes \frac{I^{\hat{A}}}{d_{\hat{A}}}$, where $|\Phi^+\rangle^{AE} = \frac{1}{\sqrt{d_A}}\sum_{i=1}^{d_A} |i\rangle^A |i\rangle^E$ is a maximally entangled state; Alice wants to send both A and $\hat{A}$ to Bob securely. Furthermore, let $d_A = d_E = 2^{(n-t)/2}$ and $d_{\hat{A}} = 2^{(n+t)/2}$, hence $d_{A\hat{A}} = 2^n$. It is easy to compute the conditional min-entropy of this state:
$$H_\infty(A\hat{A}|E)_\rho = H_\infty(A|E)_{|\Phi^+\rangle\langle\Phi^+|} + H_\infty(\hat{A})_{I^{\hat{A}}/d_{\hat{A}}} = -(n-t)/2 + (n+t)/2 = t.$$
Now, it is clear that this state requires at least as much key to encrypt as $|\Phi^+\rangle\langle\Phi^+|^{AE}$ alone, since one could securely encrypt $|\Phi^+\rangle\langle\Phi^+|^{AE}$ using a protocol to encrypt $\rho^{A\hat{A}E}$ by adding (n + t)/2 random qubits to the input state. However, as the following theorem proves, $|\Phi^+\rangle\langle\Phi^+|^{AE}$ requires at least (n − t) − 1 bits of key to encrypt. □

˜

Theorem 6. Let E A→A be a cypher such that for all states ρAE , there exists some state ΩA such that

˜



(24)

(E ⊗ IE )(ρAE ) − ΩA ⊗ ρE < ǫ, 1

then E requires at least 2 log(dA˜ ) − 1 bits of key, or 2n − 1 bits of key of an n-qubit system, whenever ε 6 1/2. ˜

Proof. Let $\sigma_m = \sigma_m^{AE} = U_m|\Phi^+\rangle\langle\Phi^+|^{AE}U_m^\dagger$, where $\{U_m\}$ is a set of $d_{\tilde{A}}^2$ unitary matrices that operate on the $\tilde{A}$ space such that $\mathrm{Tr}(U_i^\dagger U_j) = 0$ if $i \ne j$ (such a set can easily be constructed from generalised Pauli matrices, for instance, which would yield all Bell states). To simplify notation we will write $\mathcal{E}(\rho)$ instead of $(\mathcal{E}^{\tilde{A}}\otimes I^E)(\rho^{AE})$ and $\Omega'$ instead of $\Omega^{\tilde{A}}\otimes\rho^E$; note that for all $m$ and $m'$ we have $\sigma_m^E = \sigma_{m'}^E$. By hypothesis we deduce that $\|\mathcal{E}(\sigma_m) - \Omega'\|_1 \le \varepsilon$ for all $m$, $1 \le m \le d_{\tilde{A}}^2$. Furthermore, assume that this scheme uses $K$ possible keys, and that $\mathcal{E}_k$ is the operation performed when the key is $k$ (hence $\mathcal{E}(\rho) = \frac{1}{K}\sum_{k=1}^{K}\mathcal{E}_k(\rho)$). Since one must be able to decode without error given the key, $\mathcal{E}_k(\sigma_m)$ and $\mathcal{E}_k(\sigma_{m'})$ must have disjoint support for all $k$, $m$ and $m'$ such that $m \ne m'$. Define $\omega_{mki}$ as the $i$th eigenvalue of $\mathcal{E}_k(\sigma_m)$, and $|\psi_{mki}\rangle$ as the corresponding eigenvector.

By the last comment of the previous paragraph, if we define $\Pi_{mk} = \sum_i |\psi_{mki}\rangle\langle\psi_{mki}|$, which is a projector on the support of $\mathcal{E}_k(\sigma_m)$, then we conclude that for all $m$ and $m'$, where $m \ne m'$, $\Pi_{mk}$ is orthogonal to $\Pi_{m'k}$ and $\sum_m \Pi_{mk} \le I$. Also, let $\Pi_m$ be the projector onto the support of $\mathcal{E}(\sigma_m)$. We can now prove a lower bound on $K$:

$$
\begin{aligned}
\mathbb{E}_m\|\mathcal{E}(\sigma_m) - \Omega'\|_1
&\ge \frac{1}{d_{\tilde{A}}^2}\sum_m \mathrm{Tr}\left[\mathcal{E}(\sigma_m) - \Pi_m\Omega'\Pi_m\right] \\
&\ge \frac{1}{d_{\tilde{A}}^2}\sum_{mki}\left[\frac{\omega_{mki}}{K} - \langle\psi_{mki}|\Omega'|\psi_{mki}\rangle\right] \\
&= \frac{1}{d_{\tilde{A}}^2}\sum_k\left[\left(\sum_{mi}\frac{\omega_{mki}}{K}\right) - \left(\sum_{mi}\langle\psi_{mki}|\Omega'|\psi_{mki}\rangle\right)\right] \\
&\ge \frac{1}{d_{\tilde{A}}^2}\sum_k\left[\frac{d_{\tilde{A}}^2}{K} - 1\right] \\
&= 1 - \frac{K}{d_{\tilde{A}}^2}.
\end{aligned}
$$

Hence, we now have

$$
\varepsilon \ge \mathbb{E}_m\|\mathcal{E}(\sigma_m) - \Omega'\|_1 \ge 1 - \frac{K}{d_{\tilde{A}}^2},
$$

therefore $K \ge (1-\varepsilon)d_{\tilde{A}}^2$ and

$$
\log K \ge 2\log(d_{\tilde{A}}) - t + \log(1-\varepsilon) \ge 2\log(d_{\tilde{A}}) - t - 1
$$

as long as $\varepsilon \le 1/2$.
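As an added illustration of the proof above (not code from the paper), the following Python builds the generalised Pauli set {U_m} the proof mentions, checks Tr(U_i†U_j) = 0 for i ≠ j, and computes E_m‖E(σ_m) − Ω′‖_1 exactly for the cypher that applies a uniformly random X^aZ^b from a key set of size K to one half of |Φ⁺⟩. The choice Ω′ = I/d² and the key sets are assumptions; the value 2(1 − K/d²) it returns sits above the bound 1 − K/d² established above, so this cypher needs K ≥ (1 − ε/2)d² keys, consistent with the theorem's K ≥ (1 − ε)d².

```python
import cmath
from fractions import Fraction
from itertools import product

def gen_pauli(d, a, b):
    """d x d matrix of X^a Z^b, with X|j> = |j+1 mod d> and Z|j> = w^j |j>."""
    w = cmath.exp(2j * cmath.pi / d)
    m = [[0j] * d for _ in range(d)]
    for j in range(d):
        m[(j + a) % d][j] = w ** (b * j)
    return m

def hs_inner(u, v):
    """Hilbert-Schmidt inner product Tr(U^dagger V)."""
    d = len(u)
    return sum(u[i][j].conjugate() * v[i][j] for i in range(d) for j in range(d))

def paulis_are_orthogonal(d):
    """Tr(U_i^dagger U_j) = 0 for i != j over all d^2 generalised Paulis: the
    property the proof of Theorem 6 needs from the set {U_m}."""
    ops = [gen_pauli(d, a, b) for a, b in product(range(d), repeat=2)]
    return all(abs(hs_inner(u, v) - (d if i == j else 0)) < 1e-9
               for i, u in enumerate(ops) for j, v in enumerate(ops))

def avg_trace_distance(d, keys):
    """E_m ||E(sigma_m) - Omega'||_1 for the cypher applying X^a Z^b, (a, b)
    uniform over `keys`, to the A half of |Phi+>, with Omega' = I/d^2 (assumed).
    sigma_m = (X^a Z^b (x) I)|Phi+><Phi+|(X^a Z^b (x) I)^dagger, m = (a, b), are
    the d^2 orthonormal Bell states, and X^a Z^b X^a' Z^b' equals X^(a+a') Z^(b+b')
    up to a phase, so E_k(sigma_m) = sigma_(m+k): E(sigma_m) is diagonal in the
    Bell basis with weight 1/K on the K reachable Bell states. Exact arithmetic."""
    K = len(keys)
    bell = list(product(range(d), repeat=2))
    total = Fraction(0)
    for m in bell:
        reached = {((m[0] + a) % d, (m[1] + b) % d) for a, b in keys}
        weights = [Fraction(1, K) if s in reached else Fraction(0) for s in bell]
        total += sum(abs(p - Fraction(1, d * d)) for p in weights)
    return total / len(bell)

def theorem6_bound(d, K):
    """Right-hand side 1 - K/d^2 of the inequality proved above; an eps-secure
    cypher's average distance is at least this, hence K >= (1 - eps) d^2."""
    return 1 - Fraction(K, d * d)
```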

Sadly, the tighter bound of [3] for schemes using public coins, given there as Proposition 3.8, cannot be similarly generalised.


7 Conclusion

Using a different information limitation for the adversary, we were able to show how to fully generalise the notions of entropic security and entropic indistinguishability without any assumption on the entanglement between the sender and the adversary. These notions of security are similar in flavor to the one defined in [4]. Furthermore, the cyphers presented in this paper were already shown to be entropically secure in [4] and to use exactly the same amount of key. We have thus strengthened the security definition without increasing the number of key bits required. Is this true for every encryption scheme? As noted in [4], our new security definitions do not seem to require more key bits than their classical counterparts. We still wonder whether that is the case and leave it as an open problem.

Acknowledgments The authors would like to thank the following people for enlightening discussions and/or useful comments on the draft of this paper: Geneviève Arboit, Gilles Brassard, Claude Crépeau, Patrick Hayden, Debbie Leung, Jean-Raymond Simard and Adam Smith.

References

[1] S. Goldwasser and S. Micali, "Probabilistic encryption & how to play mental poker keeping secret all partial information," in STOC '82: Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing. New York, NY, USA: ACM Press, 1982, pp. 365–377.

[2] A. Russell and H. Wang, "How to fool an unbounded adversary with a short key," in EUROCRYPT '02: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques. London, UK: Springer-Verlag, 2002, pp. 133–148.

[3] Y. Dodis and A. Smith, "Entropic security and the encryption of high entropy messages," Cryptology ePrint Archive, Report 2004/219, 2004.

[4] S. P. Desrosiers, "Entropic security in quantum cryptography," 2007. [Online]. Available: quant-ph/0703046

[5] R. Renner, "Security of quantum key distribution," Ph.D. dissertation, Swiss Federal Institute of Technology, 2005. [Online]. Available: quant-ph/0512258

[6] A. Ambainis, M. Mosca, A. Tapp, and R. de Wolf, "Private quantum channels," in IEEE Symposium on Foundations of Computer Science, 2000, pp. 547–553. [Online]. Available: citeseer.nj.nec.com/article/ambainis00private.html

[7] P. Hayden, D. Leung, P. Shor, and A. Winter, "Randomizing quantum states: Constructions and applications," Comm. Math. Phys., vol. 250(2), pp. 371–391, 2004. [Online]. Available: quant-ph/0307104

[8] A. Ambainis and A. Smith, "Small pseudo-random families of matrices: Derandomizing approximate quantum encryption," in APPROX-RANDOM, ser. Lecture Notes in Computer Science, K. Jansen, S. Khanna, J. D. P. Rolim, and D. Ron, Eds., vol. 3122. Springer, 2004, pp. 249–260. [Online]. Available: quant-ph/0404075

[9] S. Fehr and C. Schaffner, "Randomness extraction via delta-biased masking in the presence of a quantum attacker," 2007. [Online]. Available: arXiv:0706.2606

[10] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information. New York, NY, USA: Cambridge University Press, 2000.

[11] J. Naor and M. Naor, "Small-bias probability spaces: Efficient constructions and applications," SIAM J. Comput., vol. 22(4), pp. 838–856, 1993.

[12] N. Alon, J. Bruck, J. Naor, M. Naor, and R. Roth, "Constructions of asymptotically good low-rate error-correcting codes through pseudo-random graphs," IEEE Transactions on Information Theory, vol. 38, pp. 509–516, 1992.


[13] N. Alon, O. Goldreich, J. Håstad, and R. Peralta, "Simple constructions of almost k-wise independent random variables," Random Structures and Algorithms, vol. 3(3), pp. 289–304, 1992.

[14] R. Bhatia, Matrix Analysis. Springer-Verlag, 1996.
