A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.

A Few Simple Applications to Cryptography

Louis SalvailBRICS, Aarhus University

102344578911

QKD: An “Application” of Non-Cloning

• First, a digression:

Wiesner’s unforgeable quantum cash

0 0 1 1 1 1 0 0 1 1 0 1 0 1

102344578907 +x++xx+xx++x++ 10100010010110102344578908 x++x+x++x+x+xx 10010110001110102344578909 ++xx+xx+x+++x+ 11010111001010102344578910 x+xxx++x+x+++x 01101010011000102344578911 +x++xx+x+x+xx+ 00111100110101102344578912 x+xx++x+x++x++ 10101101110100102344578913 xx+x++x+x+++x+ 01010010011101102344578914 +x+x+++xx+x++x 01010111101000102344578915 x+++xx+x+x+++x 10110101010111

2nd attack:

1st attack:pick random bases, measure and store the outcome.

0 0 1 0 1 1 0 0 1 1 0 0 0 1 0 0 1 0 1 0 0 0 1 1 0 1 0 1

BB84

01101010

01111011

Quantum Channel

quantum

classical

OK

1,3,5,6,7-----((1,0),(7,1))

OK,f

Verify that not 2-many

errors occured.

If OK then choose f

randomly from U2 class.

K=f(110)K=f(110)

Return good positionsand a random sample.

error-correction

0*1*101*

0*1*101*

110

110

HardwareThis is how a QKD set-up looked like a few years ago.

photodetector:

photon sourceAnd now:

Purified BB84This EPR pair is a singlet:

11011100

11010100

Encrypting Qubits• Suppose we want to encrypt a qubit

under a classical secret-key K, such that:

• The cipher state alone does not reveal any information on the state of the qubit.

Using K, the qubit can be perfectly reconstructed from the cipher state.

Encryption/Decryption

• We suppose that encryption is performed by a family of unitary transforms {UK}K indexed by secret-key K.

• The simplest form is that upon qubit |φ>, the cipher state is generated as:

• |eK(φ)> = UK |φ>.

Decryption is performed by running UK backward (its complex conjugate transposed).

Privacy• Privacy means that given only the cipher

state |eK(φ)>, no information can be extracted about the state |φ>.

• This can be captured by enforcing that the quantum state produced by an encryption under a uniform and random choice for K is independent of |φ> .

This would mean that an eavesdropper ignorant of K always sees the same state. No measurement can therefore distinguish the encryptions of any 2 states.

The State Available to the

EavesdropperAs we have seen, the state available to the adversary when |φ> is encrypted is the mixed state corresponding to the encryption of |φ> over all keys:

An encryption scheme is therefore said to be private if:

Back to Teleportation

(x,z)

with prob. 1/4:(0,0)

with prob. 1/4:(0,1)

with prob. 1/4:(1,0)

with prob. 1/4:(1,1)

Encryption/DecryptionSuppose Alice and Bob share K ∈ {0,1}×{0,1}:

If K=(0,0)

If K=(0,1)

If K=(1,0)

If K=(1,1)

Since XX=ZZ=-YY=I, Bob decrypts by applying the same transform indicated by K:

In General• It can be shown that 2 classical bits are

necessary in order to encrypt with perfect privacy (and with perfect decryption) an arbitrary qubit.

• If the possible states of the qubit are restricted to some special sets then 1 classical could be sufficient.

For the encryption of qubits with only statistical privacy and almost perfect descryption, a single classical bit per qubit is asymptotically sufficient.

First Special CaseSuppose the possible states of the qubit are { |0>, |1> }. The situation is now classical and the one-time-pad (one bit per qubit) provides perfect privacy.

Notice that the encryption of these 2 states using X with probability 1/2 is exactly the same as the one-time-pad.

Second Special Case

Suppose the qubit to encrypt is of the form |φ> = a|0> + b|1> where a, b are real numbers.

Now, observe that:

So, only complex amplitude states require 2 bits of key.

Committing a Qubit

• Teleportation also allows to see how one can commit on a qubit given only a classical commitment scheme.

Suppose the scheme allows for committing on a pair of classical bits.

Encrypt |φ> using a

random key K.

classical commitment of K

Encrypting Classical Messages in Quantum

States• Consider the symmetric encryption of

classical messages in quantum states.

• We’ll get a simple encryption scheme that resists “better” to known plaintext attacks than any classical scheme.

It is based upon what is called an uncertainty relations.

Hadamard TransformRemember that:

Let’s define the following 2 Von Neumann measurements on n qubits (computational & diagonal basis):

Associated to |φ>, we can define the 2 probability distributions for the outcomes of M+ and Mx when applied to |φ>:

Uncertainty Relation

• The following uncertainty relation has been shown by Maassen and Uffink.

• We shall denote by H(pφ) and H(qφ) the Shannon entropy for distributions pφ(x) and qφ(x) respectively.

Theorem: For any n-qubit state |φ>, it is the case that

H(pφ) + H(qφ) ≥ n.

An equivalent uncertainty relation

• Suppose that a source S sends a quantum state chosen as follows:

• Pick x in {0,1}n at random,

• With prob. 1/2 send |x>,

• With prob. 1/2 send H⊗n|x>.Theorem: Let X be the random variable describing the choice made by S above. Let Y be the random variable for the outcome of an arbitrary measurement applied to the state sent by S. Then, for any outcome y:

H(X|Y=y) ≥ n/2.

Encryption Scheme• The key K=(p,h) where p ∈ {0,1}n and h

∈ {0,1}.

• The encryption of message m is done the following way:

• c := m ⊕ p

• If h=0 then send |c>

• Else send H⊗n|c>.Notice that the scheme is private since the message m is one-time-padded.

This is a (n,n+1)-encryption scheme: it encrypts n-bit messages using n+1 bit of keys.

This is called the Hn-cipher

Known Plaintext AttacksIn a known plaintext attack, the adversary gets the ciphertext(cipherstate), the plaintext and wants to extract as much information as possible on the secret-key.

Theorem: Any classical (n,n+1)-cipher is such that H(K| c,m) ≤1.Theorem: The (n,n+1)-quantum cipher Hn is such that

H((p,h) | (H⊗n)h | |m⊕p>,m)≥ n/2.Proof sketch: Given m and the situation is equivalent to distinguishing among {|p>,H⊗n|p>}p∈{0,1}

n . We have seen that the entropy on p is

at least n/2. In addition, it can be shown that the extra bit of key h is perfectly hidden. It follows that:

H((p,h) | View) ≥ n/2+1.

Secure Evaluation of an AND gate

AND

x ∈{0,1} y ∈{0,1}

a b

a⊕b = xyTheorem: Even with shared randomness, Alice and Bob cannot implement the AND gate without communication such that with probability better 3/4 Alice and Bob end up with a correct output for all possible inputs.

Quantum Crypto-AND gate

x y

B1(0)

B1(1)

A0(0)

A0(1) A1(0

)A1(1

)

B0(0)

B0(1)

The interpretation: Given x, Alice measures her half EPR-pair in

basis {Ax(0),Ax(1)},Given y, Bob measures his half EPR-pair in basis

{By(0),By(1)}.

Why it WorksLet p(x,y) be the error-probability when Alice inputs x and Bob inputs y:

Conclusion• With shared-EPR pairs, Alice and Bob can

end up with an additive sharing for the AND of their bits without communication and with probability cos2(π/8)≈0.85.

• This is significantly better than what is achievable by any classical strategy using shared randomness.

• Quantum entanglement is therefore more than classical shared randomness!!

This was originally shown by Bell using a different method called the Bell inequalities.