Authentication of Quantum Messages

Howard Barnum ∗, Claude Crepeau´ †, Daniel Gottesman ‡, Adam Smith §, and Alain Tapp ¶

Abstract 1. Introduction

Authentication is a well-studied area of classical cryp- Until recently, the expression “quantum cryptogra- tography: a sender and a receiver sharing a classi- A B phy” referred mostly to quantum key distribution pro- cal secret key want to exchange a classical message with tocols [3]. However, these words now refer to a larger the guarantee that the message has not been modified or set of problems. While QKD and many other quan- replaced by a dishonest party with control of the commu- tum protocols attempt to provide improved security for nication line. In this paper we study the authentication tasks involving classical information, an emerging area of messages composed of quantum states. of quantum cryptography attempts instead to create se- We give a formal definition of authentication in the cure protocols for tasks involving quantum information. quantum setting. Assuming and have access to an A B One standard cryptographic task is the authentication of insecure quantum channel and share a secret, classical messages: transmits some information to over an random key, we provide a non-interactive scheme that insecure channel,A and they wish to be sure thatB it has enables to both encrypt and authenticate an m qubit A not been tampered with en route. When the message is message by encoding it into m + s qubits, where the classical, and and share a random secret key, this error probability decreases exponentially in the security problem can beA solvedB by, for instance, the Wegman- parameter s. The scheme requires a secret key of size Carter scheme [7]. In this paper, we discuss the analo- 2m + O(s). To achieve this, we give a highly efficient gous question for quantum messages. protocol for testing the purity of shared EPR pairs. If we assume and share a secret quantum key in It has long been known that learning information the form of m EPRA pairs,B and a secret classical key, there about a general quantum state will necessarily disturb it. is a straightforward solution to the problem: teleports We refine this result to show that such a disturbance can her message to , authenticating the 2m classicalA bits be done with few side effects, allowing it to circumvent transmitted in theB quantum teleportation protocol [4]. If cryptographic protections. Consequently, any scheme to and initially share only a classical key, however, the authenticate quantum messages must also encrypt them. taskA isB more difficult. We start with a simple approach: In contrast, no such constraint exists classically. first distribute EPR pairs (which might get corrupted in This reasoning has two important consequences: It transit), and then use entanglement purification [5] to es- allows us to give a lower bound of 2m key bits for au- tablish clean pairs for teleportation. However, we do not thenticating m qubits, which makes our protocol asymp- need entanglement purification, which produces good totically optimal. Moreover, we use it to show that digi- EPR pairs even if the channel is noisy; instead we only tally signing quantum states is impossible. need a purity testing protocol, which checks that EPR Keywords. Authentication, quantum information. pairs are correct, but does not repair erroneous ones. Unfortunately, any such protocol will have to be interactive, since must first send some qubits to and ∗ CCS-3 Group, Los Alamos National Laboratories, Los Alamos, A B New Mexico 87554 USA. e-mail: [email protected]. then wait for confirmation of receipt before complet- † School of Computer Science, McGill University, Montreal´ (Qc), ing the transmission. This is unsuitable for situations Canada H3A 2A7. e-mail: [email protected]. in which a message is stored and must be checked for ‡ UC Berkeley, EECS: Computer Science Division, Berkeley, CA 94720, USA. e-mail: [email protected]. authenticity at a later time. Also, this interactive pro- Supported by the Clay Mathematics Institute. tocol achieves something stronger than what is required § M.I.T., Lab. for Computer Science, Cambridge MA 02139, USA. of a quantum authentication scheme: at the end of the e-mail: [email protected]. Supported in part by purity-testing based scheme, both and know that U.S. Army Research Office Grant DAAD19-00-1-0177. the transmission was successful, whereasA B for authenti- ¶ Departement´ IRO, Universite´ de Montreal,´ Montreal´ (Qc), Canada H3C 3J7. e-mail: [email protected]. cation, we only require that knows. B

1 Contributions In this paper we study non-interactive ble to create digital signature schemes for quantum mes- quantum authentication schemes with classical keys. sages: any protocol which allows one recipient to read a Our primary contributions are: message also allows him or her to modify it without risk of detection, and therefore all potential recipients of an Formal definition of authentication for quantum authenticated message must be trustworthy (section 7). states – In classical authentication, one simply limits the This conclusion holds true even if we require only com- probability that the adversary can make any change to putationally secure digital signatures. Note that this does the state without detection. This condition is too strin- not in any way preclude the possibility of signing clas- gent for quantum information, where we only require sical messages with or without quantum states [9]. high fidelity to the original state. We state our definition in terms of the transmission of pure states (section 3). In Why should we prefer a scheme with classical keys the full version, we also show that the same definition to a scheme with entangled quantum keys? The task of implies security for mixed or entangled states. authenticating quantum data is only useful in a scenario Construction of efficient purity testing protocols – We where quantum information can be reliably stored, ma- show how to create purity-testing protocols using fam- nipulated, and transmitted over communication lines, so ilies of quantum error-correcting codes with a particu- it would not be unreasonable to assume quantum keys. lar covering property, namely that any Pauli error is de- However, many manipulations are easier with classical tected by most of the codes in the family. We construct keys. Certainly, the technology for storing and manip- an efficient such family based on projective geometry, ulating them is already available, but there are addi- yielding a purity-testing protocol requiring only O(s) tional advantages. Consider, for example, public key (classical) bits of communication, where s is the secu- cryptography; it is possible to sign and encrypt classical rity parameter (section 4). key bits with public key systems, but signing a general Purity-testing codes have not explicitly appeared be- quantum state is impossible. Thus, quantum keys would fore in the literature, but have been present implicitly be unsuitable for an asymmetric quantum authentication in earlier work, for instance [10, 12]. To prove our scheme such as the one we describe in section 7.1. purity-testing protocols secure, we use a “quantum-to- classical” reduction, due to Lo and Chau [10]. Sub- 2. Preliminaries sequently to our work, Ambainis, Smith, and Yang [2] used our construction in a study of more general entan- Classical Authentication In the classical setting, an glement extraction procedures. authentication scheme is defined by a pair of functions Construction of non-interactive quantum authenti- A : M C and B : C M valid, invalid cation schemes (QAS)– We show that a secure non- suchK× that for→ any messageK×µ →M and×{ key k we} interactive QAS can be constructed from any purity- have completeness ∈ ∈ K testing protocol derived, as above, from QECCs (section 5). In particular, for our family of codes, we obtain Bk(Ak(µ)) = µ, valid an authentication scheme which requires sending m + s h i qubits, and consuming 2m + O(s) bits of classical key and that for any opponent O, we have soundness for a message of m qubits. The proof techniques in the Shor and Preskill paper [12] serve as inspiration for the Prob Bk(O(Ak(µ))) µ0, valid , µ0 = µ { ∈ {h i 6 Ω(}}t) transformation from an interactive purity-testing proto- 1 2− col to a non-interactive QAS. ≥ − A relation between encryption and authentication – where t = lg #C lg #M is the security parameter One feature of our authentication protocol is that it com- creating the tradeoff− between the expansion of the mes- pletely encrypts the quantum message being sent. We sages and the security level. Note that we only consider show that this is necessary in any QAS(section 6), in information-theoretically secure schemes, not schemes striking contrast to the situation for classical informa- that are based on computational assumptions. tion, where common authentication schemes leave the Wegman and Carter [7] introduced several construc- message completely intelligible. It therefore follows tions for such schemes; their most efficient uses keys that any authentication protocol for an m-qubit message of size only 4(t + lg lg m) lg m and achieves security t+2 must use nearly 2m bits of classical key, enough to en- 1 2− . This compares rather well to the known crypt the message. The protocol we present approaches lower− bound of t + lg m lg t for such a result [7]. this bound asymptotically. The same work also introduced− a technique to re-use an Impossibility of digitally signing quantum states – authentication function several times by using one-time- Since authentication requires encryption, it is impossi- pad encryption on the tag, so that an opponent cannot

2 learn anything about the particular key being used by Undetectable errors We can classify errors which lie and . Thus, at a marginal cost of only t secret key bitsA in E into three categories: The errors corresponding to per authentication,B the confidentiality of the authentica- elements of Q are not truly errors—they leave the code- tion function h is guaranteed and thus may be re-used (a words unchanged. Errors which fail to commute with polynomial number of times). some element of Q move codewords into a subspace orthogonal to the code, so can be detected by the QECC. For the remainder of this paper, we assume the reader The remaining errors, those which commute with all el- is familiar with the basic notions and notation of quan- ements in S but are not themselves in S, are the unde- tum computing (see textbooks such as [11]). tectable errors of the code. Thus, if Q⊥ is the space of vectors y for which B(x, y) = 0 for all x Q, the set ∈ Quantum Stabilizer Codes A quantum error- of undetectable errors is just Q⊥ Q. correcting code (QECC) is a way of encoding quantum − data (say m qubits) into n qubits (m < n). Usually the Purification and purity testing Quantum error- goal in the construction of codes is give it the ability to correcting codes may be used for entanglement purifica- correct errors on as many qubits as possible. However, tion ([5]). In this setting, and share some Bell states in this paper, we use the theory developed for those (say Φ+ = 00 + 11 )A whichB have been corrupted by purposes to construct families of codes with a slightly transmission| i | throughi | ai noisy quantum channel. They different type of property. For now, we review the want a protocol which processes these imperfect EPR necessary theory on a very general class of codes known pairs and produces a smaller number of higher-quality as stabilizer codes. pairs. We assume that and have access to an au- A basis for the set of all operators on a qubit is the A B a b thenticated, public classical channel. At the end of the “Pauli” error basis, defined via Eab = X Z , where i protocol, they either accept or reject based on any incon- i X j = δi,j+1, i Z j = ( 1) δi,j . We define the sistencies they have observed. As long as and have errorh | | groupi E to beh | the| i tensor− product of n copies of A B c a noticeable probability of accepting, then conditioned the single-qubit error group ( 1) Eab . Each element { − } on accepting, the state they share should have fidelity of E corresponds to a 2n-dimensional vector, and the + m almost 1 to the pure state Φ ⊗ . Moreover, small vectors x = (a b), y = (a0 b0) come from commuting amounts of noise in their initial| i shared state should not | | Z operators iff their symplectic inner product is 0 in 2: cause failure of the protocol. Stabilizer codes can be particularly useful for purifi- E E = E E B(x, y) = a b + a b = 0. x y y x 0 0 cation because of the following observation: for any sta- ⇐⇒ · · (1) bilizer code Q, if we measure the syndrome of one half + n of a set of Bell states Φ ⊗ and obtain the result y, A stabilizer code is a QECC given by an Abelian sub- | i + m then the result is the state Φ ⊗ , with each of its two group S of E which does not contain any multiples of | i the identity other than I itself. S can be described by halves encoded in the coset with syndrome y. (More- over, in this case the distribution on y is uniform.) If the set of 2n-dimensional vectors x such that Ex S. Z2n ∈ the original state is erroneous, and will likely find This will be a subspace of 2 . Moreover, it will be A B totally isotropic, i.e. B(x, y) = 0 for all x, y in the sub- different syndromes, which will differ by the syndrome space. If we take a set of generators for S, we can di- associated with the actual error. vide Hilbert space into a set of equidimensional orthog- Most purification protocols based on stabilizer codes onal subspaces. Each such space T consists of common require efficient error correction; we measure the syn- eigenvectors of all operators of S having a fixed pattern drome, and use that information to efficiently restore of eigenvalues, unique to T . The space with all eigen- the encoded state. However, one can imagine a weaker task in which and only want to test their EPR pairs values +1 is the “code space,” its elements are “code- A B words,” and the orthogonal spaces are labelled by “syn- for purity, i.e. they want a guarantee that if their pairs dromes.” pass the test, their shared state will probably be close to + m Φ ⊗ . In that case, we can use the code for error de- Note that one can also view B( , ) as a symplectic | i form over GF (22n), by choosing a· set· of generators for tection, not correction, and need only be able to encode 2n and decode efficiently from the space Q. GF (2 ) as a vector space over Z2. By choosing different sets of generators for GF (22n) as a vector space over Z2, we can get different symplectic forms B( , ) Encryption of Quantum Messages A useful ingredi- over this finite vector space. By judicious choice of· the· ent for much recent work in quantum cryptography is generators, one can make B( , ) correspond to any non- the concept of quantum teleportation, put forward by degenerate symplectic form over· · GF (22n). Bennett et al [4]. After and have shared a singlet A B

3 state, can later secretly send a single qubit in an ar- two systems: a m-qubit message state M, and a bitraryA quantum state ρ to by measuring her half of single qubit V which indicates acceptance or re- the singlet state together withB her state ρ in the Bell ba- jection. The classical basis states of V are called sis to get two classical bits b0, b1. As a result, ’s half ACC , REJ by convention. of the singlet state will become one of four possibilitiesB | i | i b0 b1 b1 b0 For any fixed key k, we denote the corresponding super- ρ0 := σz σx ρσx σz . If sends b0, b1, then can eas- ily recover ρ. A B operators by Ak and Bk. Now without the bits b , b , the state ρ reveals no 0 1 0 Note that may well have measured the qubit V to information about ρ. Thus, one can turn this into an en- see whether orB not the transmission was accepted or re- cryption scheme which uses only a classical key: after jected. Nonetheless, we think of V as a qubit rather than and have secretly shared two classical bits b , b , 0 1 a classical bit since it will allow us to describe the joint Acan laterB secretly send a single qubit in an arbitrary quan-A state of the two systems M,V with a density matrix. tum state ρ to by sending a qubit in state ρ0 as above. This is calledB a quantum one-time pad (QOTP). This There are two conditions which should be met by a scheme is optimal [1]: any quantum encryption must use quantum authentication protocol. On the one hand, in 2 bits of classical key for every transmitted qubit. the absence of intervention, the received state should be the same as the initial state and should accept. On the other hand, we wantB that when the adversary 3. Quantum Authentication does intervene, ’s output systems have high fidelity to the statement “eitherB rejects or his received state is the At an intuitive level, a quantum authentication same as that sent by B”. One difficulty with this is that scheme is a keyed system which allows to send a it is not clear what isA meant by “the same state” when state ρ to with a guarantee: if acceptsA the received B B ’s input is a mixed state. It turns out that it is sufficient state as “good”, the fidelity of that state to ρ is almost 1. toA define security in terms of pure states; one can deduce Moreover, if the adversary makes no changes, should an appropriate statement about fidelity of mixed states. always accept, and the fidelity should be exactlyB 1. Given a pure state ψ M , consider the following Of course, this informal definition is impossible to test on the joint system| iM,V ∈ H: output a 1 if the first m attain. The adversary might always replace ’s trans- A qubits are in state ψ or if the last qubit is in state REJ mitted message with a completely mixed state. There (otherwise, output| a 0).i The projectors corresponding| toi would be a small probability that would accept, and in this measurement are that case the fidelity of the receivedB state to ’s initial state would be very low. A ψ P1| i = ψ ψ IV + IM REJ REJ The problem comes from conditioning on ’s accep- | ih | ⊗ ⊗ | ih | B ψ ψ REJ REJ tance of the received state; this causes trouble if the − | ih | ⊗ | ih | ψ adversary’s a priori chances of cheating are high. A P | i = (IM ψ ψ ) ( ACC ACC ) 0 − | ih | ⊗ | ih | more reasonable definition requires a tradeoff between We want that for all possible input states ψ and for all ’s chances of accepting, and the expected fidelity of | i theB received system to ’s initial state given his accep- possible interventions by the adversary, the expected fi- ψ tance: as ’s chance ofA accepting increases, so should delity of ’s output to the space defined by P | i is high. B 1 the expectedB fidelity. This is captured in the following definition of security. There is no reason to use the languages of both prob- Definition 2 A QAS is secure with error for a state ψ ability and fidelity here: for classical tests, fidelity and | i probability of acceptance coincide. With this in mind if it satisfies: Completeness: For all keys k : we first define what constitutes a quantum authentica- ∈ K Bk(Ak( ψ ψ )) = ψ ψ ACC ACC tion scheme, and then give a definition of security: | ih | | ih | ⊗ | ih | Soundness: For all super-operators , let ρBob be Definition 1 A quantum authentication scheme (QAS) is the state output by when the adversary’sO intervention1 a pair of polynomial time quantum algorithms A and B is characterized byB , that is: together with a set of classical keys such that: O K A takes as input an m-qubit message system M and E ρBob = khBk( (Ak( ψ ψ )))i • a key k and outputs a transmitted system T of O | ih | ∈ K 1 m + t qubits. = Bk( (Ak( ψ ψ ))) X O | ih | B takes as input the (possibly altered) transmitted |K| k • 1 system T 0 and a classical key k and outputs We make no assumptions on the running time of the adversary. ∈ K

4 where “ Ek” means the expectation when k is chosen The obvious way of constructing a purity testing pro- uniformly at random from . The QAS has soundness tocol is to start with a purity testing code Qk . When error for ψ if: K andT are given the state ρ, chooses{ a} random | i Ak Band tells it to . They bothA measure the syn- ψ ∈ K B Tr P1| iρBob 1 drome of Q and compare. If the syndromes are the ≥ − k same, they accept and perform the decoding procedure QAS A is secure with error if it is secure with error for Q ; otherwise they reject. for all states ψ . k | i Proposition 1 If the purity testing code Qk has error Note that our definition of completeness assumes that { } the channel connecting to is noiseless in the absence , then is a purity testing protocol with error . A B T of the adversary’s intervention. This is in fact not a sig- Proof: If and are given n EPR pairs, this proce- nificant problem, as we can simulate a noiseless channel dure will alwaysA accept,B and the output will always be using standard quantum error correction. + m Φ ⊗ . Thus, satisfies the completeness condition. | i T Suppose for the moment that the input state is (Ex + n ⊗ Interactive protocols In the previous section, we I) Φ ⊗ , for Ex E, x = 0. Then when k is chosen | i ∈ 6 dealt only with non-interactive quantum authentication at random, there is only probability that x Q⊥ ∈ k − schemes, since that is both the most natural notion, and Qk. If x / Q⊥, then and will find different error ∈ k A B the one we achieve in this paper. However, there is no syndromes, and therefore reject the state. If x Q⊥, ∈ k reason to rule out interactive protocols. The definitions then and will accept the state, but if x Qk, then A B + m ∈ of completeness and soundness extend naturally: as be- the output state will be Φ ⊗ . Thus, the probability fore, ’s final output is a pair of systems M,V , where | i B that and accept an incorrect state is at most . the state space of V is spanned by ACC , REJ . In that A B | i | i To prove the soundness condition, we can use case ρBob is ’s density matrix at the end of the proto- this fact and a technique of Lo and Chau [10]. The B + n col, averaged over all possible choices of shared secret states (Ex I) Φ ⊗ form the Bell basis for the key and executions of the protocol. The soundness error Hilbert space⊗ of | andi . Suppose a nonlocal third ψ A B is , where Tr P1| iρBob 1 . party first measured the input state ρ in the Bell basis; ≥ − call this measurement B. Then the argument of the 4. Purity Testing Codes previous paragraph would apply to show the soundness condition. In fact, it would be sufficient if and used the nonlocal measurement Q Q whichA comparesB An important tool in our proof is the notion of a purity k k the Q -syndromes for and⊗ without measuring testing code, which is a way for and to ensure that k them precisely. This isA a submeasurementB of the they share (almost) perfect EPR pairs.A WeB shall concen- Bell measurement B — that is, it gives no additional trate on purity testing codes based on stabilizer QECCs. information about the state. Therefore it commutes with Definition 3 A stabilizer purity testing code (SPTC) B, so the sequence B followed by Qk Qk is the same ⊗ with error is a set of stabilizer codes Qk , for k , as Qk Qk followed by B, which gives probability at { } ∈ K ⊗ such that Ex E with x = 0, # k x Q⊥ Qk least 1 of success for general input states ρ. But if ∀ ∈ 6 { | ∈ k − } ≤ − (# ). the state after Qk Qk gives, from a Bell measurement, K + m ⊗ Φ ⊗ or REJ with probability 1 , then the state That is, for any error x in the error group, if k is cho- |itselfi must| havei fidelity 1 to− the projection P . sen later at random, the probability that the code Qk de- − Thus, the measurement Qk Qk without B satisfies tects x is at least 1 . the soundness condition. Moreover,⊗ and ’s actual − A B Definition 4 A purity testing protocol with error is procedure is a refinement of Qk Qk—that is, it T ⊗ a superoperator which can be implemented with lo- gathers strictly more information. Thus, it also satisfies cal operations andT classical communication, and which the soundness condition, and is a purity testing T maps 2n qubits (half held by and half held by ) to protocol with error . 2 2m+1 qubits and satisfies theA following two conditions:B + n + m Completeness: ( Φ ⊗ ) = Φ ⊗ ACC T | i | i ⊗ | i An Efficient Purity Testing Code Now we give an Soundness: Let P be the projection on the subspace example of a particularly efficient purity testing code. + m spanned by Φ ⊗ ACC and ψ REJ for To do so, we apply the techniques of stabilizer quantum | i ⊗ | i | i ⊗ | i all ψ . Then satisfies the soundness condition if error-correcting codes. We build a set of codes Qk each for| alliρ, Tr (PT (ρ)) 1 . encoding m = (r 1)s qubits in n = rs qubits, and T ≥ − −

5 s show that the Qk form a SPTC. (Note that the construc- among the q + 1 available s-dimensional spaces corre- tion below works for registers with dimension equal to sponding to points on Υ. Thus, the Qk form a purity any prime power.) Using qubits in groups of s allows testing code with error { } us to view our ﬁeld GF (22rs) as both a 2r-dimensional 2r vector space over GF (2s) and a 2rs-dimensional binary s . (4) vector space. We need a symplectic form that is compat- ≤ q + 1 ible with this decomposition. One possibility is We now show the claimed property of codes deﬁned rs by Υ. A set of points in a projective geometry of B(x, y) := Tr (xy2 ), (2) dimension d 1 are said to be in general position if − 2rs 1 2i any d (= dimension of the underlying vector space, where Tr(z) = − z is the standard trace func- i=0 when, as in our case, such exists) of them are linearly tion, which mapsPGF (22rs) onto GF (2). independent. The points on the normal rational curve We consider a normal rational curve in PG(2r Υ are in general position, and indeed a maximal set 1, 2s) (the projective geometry whose points are the 1-− of such points. (To verify that they are in general d subspaces of the 2r-dimensional vector space over position one shows that for any 2r points on the curve, GF (2s)). (See, e.g., the excellent introductory text [6].) the determinant of the matrix of their coordinates is Such a curve is given by: nonzero; these are Vandermonde determinants.) That 2 2r 1 s is, any 2r points on Υ are linearly independent. Each Υ = [1 : y : y : : y − ]: y GF (2 ) { ··· ∈ } point k on Υ corresponds to an s-dimensional code Qk, [0 : 0 : 0 : : 1] 2rs z ∪ { ··· } consisting of -dimensional vectors. Let be any nonzero element of Q . As α ranges over GF (qs), αz Thus, there are 2s + 1 points on the curve. k ranges over all vectors in Q . Thus, if any vector from Since each “point” of this curve is actually a one- k Q is a linear combination of vectors from other codes dimensional subspace over GF (2s), it can also be con- k Q , than all of Q is also a linear combination of sidered as an s-dimensional binary subspace Q in a j k k vectors{ } from Q , and k is linearly dependent on the vector space of dimension 2rs = 2n. We show that Q j k points j of{Υ.} So if we take any 2r codes Q , and is totally isotropic with respect to the symplectic inner k take s independent{ } vectors from each, the resulting set product (2), and encodes m = n s qubits in n qubits. − of 2rs vectors is linearly independent. 2

Theorem 2 The set of codes Qk form a SPTC with error Note that the above efﬁcient SPTC also yields a cor- 2r responding efﬁcient QKD protocol. = . (3) 2s + 1 5. Protocols Each Qk encodes m = (r 1)s qubits in n = rs qubits. −

Proof: We must show (a) that Qk is totally isotropic, and In this section we describe a secure non-interactive (b) that the error probability is at most . quantum authentication scheme (Protocol 5.2) which (a) Follows from a straightforward calculation. satisfies the definition of section 3. (b) We must find, for an arbitrary error Ex (which can In order to prove our scheme secure, we begin with a be described via a 2n-dimensional GF (q) vector x), an purity testing protocol as per Section 4 (summarized as upper bound on the number of Q⊥ Qk it can belong to. Protocol 5.1). The security of this protocol follows from k − It will be sufficient to bound the number of Qk⊥ the er- Prop. 1. We then perform several transformations to the ror can belong to, since Qk is small compared to Q⊥ protocol that strictly preserve its security and goals but | | | k | in our context. x Q⊥ means B(x, y) = 0 for all which remove the interaction, replacing it with a shared ∈ k y Qk. By choice of s linearly independent y Qk secret key. We thus obtain two less interactive interme- this∈ imposes s linearly independent linear equations∈ on diate protocols and a final protocol (Protocol 5.2), which x. We will show below that if we take any 2r codes Qk is completely non-interactive. The transformations are defined by points on Υ, and take s independent vectors similar in flavor to those of Shor and Preskill [12], who from each, the resulting set of 2rs vectors is linearly in- use the technique to obtain a simple proof of the secu- dependent. Thus if Ex is undetectable in 2r such codes, rity of a completely different task, namely the BB84 [3] this imposes the dimension’s worth (2rs) of linearly in- quantum key exchange scheme. dependent equations on x. Consequently, Ex must be Following the notation of Section 4, let P be the detectable in all the remaining codes, i.e., Ex can satisfy projector onto the subspace described by “either has + Bm x Q⊥ for at most 2r values of k, when Qk are chosen aborted or the joint state held by and is Φ ⊗ ”. ∈ k A B | i

6 Protocol 5.1 ( Purity Testing Based Protocol ) Proof: From Corollary 3 we have that Protocol 5.1 is a secure interactive authentication protocol. We show that 1: and agree on some SPTC Qk . A B { } Protocol 5.2 is equivalent to Protocol 5.1, in the sense + n 2: generates 2n qubits in state Φ ⊗ . sends that any attack on Protocol 5.2 implies an equally suc- A | i A the first half of each Φ+ state to . cessful attack on Protocol 5.1. To do so, we proceed by a | i B series of reductions through two intermediate protocols. 3: announces that he has received the n qubits. PROTOCOL 5.1 1st INT.PROTOCOL: We obtain B our first intermediate→ protocol by observing that in pro- 4: picks a random k , and announces it to . A ∈ K B tocol 5.1, can perform all of her operations (except for A 5: and measure the syndrome of the stabilizer the transmissions) before she actually sends anything to A B code Qk. announces her results to who com- , since these actions do not depend on ’s feedback. A B B B pares them to his own results. If any error is de- This will not change any of the states transmitted in the tected, aborts. protocol or computed by , and so both completeness B and soundness will remainB the same. 6: and decode their n-qubit words according 1st INT.PROTOCOL 2nd INT.PROTOCOL: There A B → to Qk. Each is left with m qubits, which together are two changes between the first and second intermedi- + m should be nearly in state Φ ⊗ . ate protocols. First, note that measuring the first qubit | i + + m of Φ and obtaining a random bit ci is equivalent 7: uses her half of Φ ⊗ to teleport an arbitrary | i A | i to choosing ci at random and preparing the pure state m-qubit state ρ to . + n B ci ci . Therefore, instead of preparing Φ ⊗ and| i ⊗measuring | i the syndrome of half of it, |mayi as Let ρAB be the joint density matrix of and ’s sys- A tems. Then Prop. 1 states that at theA end ofB step 6, well choose the syndromes s at random and encode both halves of Φ+ m using code Q and the syndrome s. Tr(P ρAB) is exponentially close to 1 in n. The sound- ⊗ k Second,| ratheri than teleporting state ρ to using the ness of our first protocol follows immediately: B EPR halves which were encoded in Qs1,s2 , encrypts ρ Corollary 3 If and are connected by an authenti- using a quantum one-time pad and sends it toA directly, cated classical channel,A B then Protocol 5.1 is a secure in- B further encoded in Qk. These behaviors are equivalent teractive quantum authentication protocol, with sound- ~ ~ ~ ~ since either way, the encoded state is σt1 σt2 ρσt2 σt1 , ness error exponentially small in n. x z z x where ~t1 and ~t2 are random n-bit vectors. Protocol 5.2 ( Non-interactive authentication ) 2nd INT.PROTOCOL PROTOCOL 5.2: In Protocol 5.2, all the random choices→ of are replaced with the 1: Preprocessing: and agree on some SPTC A A B bits taken from a secret random key shared only by her Qk and some secret and random binary strings { } and . This eliminates the need for an authenticated k, x, and y. classicalB channel, and for any interaction in the protocol. 2: q-encrypts ρ as τ using key x. encodes τ ac- This transformation can only increase the security of A A cording to Qk for the code Qk with syndrome y to the protocol as it removes the adversary’s ability to jam produce σ. sends the result to . the classical communication. 2 A B 3: receives the n qubits. Denote the received state B If the quantum channel is noisy we can modify our by σ0. measures the syndrome y0 of the code Qk B scheme to benefit from the error-correction capability of on his qubits. compares y to y0, and aborts if any B the quantum code. If rejects only when the number of error is detected. decodes his n-qubit word ac- B B observed errors is too large then error correction will fix cording to Qk, obtaining τ 0. q-decrypts τ 0 using B natural noise or tampering of small amplitude. x and obtains ρ0.

Theorem 4 When the purity testing code Qk has er- 6. Authentication Implies Encryption ror , the protocol 5.2 is a secure quantum{ authenti-} cation scheme with key length O(n + log2(# )) and One notable feature of any protocol derived using soundness error . In particular, for the purityK testing Theorem 4 is that the information being authenticated code described in section 4, the authentication scheme is also completely encrypted. For classical information, s has key length 2m + s + log2(2 + 1) 2n + 1 and authentication and encryption can be considered com- soundness error 2n/[s(2s + 1)], where m≤ is the length pletely separately, but in this section we will show that of the message in qubits, s is the security parameter, and quantum information is different. While quantum states sends a total of n = m + s qubits. can be encrypted without any form of authentication, the A

7 converse is not true: any scheme which guarantees au- However, in general, the adversary cannot exactly thenticity must also encrypt the quantum state almost distinguish two states, so we must allow some proba- perfectly. The difference can be understood as a com- bility of failure. Note that it is sufficient in general to plementarity feature of quantum mechanics: authenti- consider two encoded pure states, since any two mixed cating a message in one basis requires encrypting it in states can be written as ensembles of pure states, and the complementary Fourier-transformed basis. This is the mixed states are distinguishable only if some pair of essentially another realization of the principle that mea- pure states are. Furthermore, we might as well let the suring data in one basis disturbs it in any complemen- two pure states be orthogonal, since if two nonorthog- tary basis. For classical messages, therefore, encryption onal states ψ0 and ψ1 are distinguishable, two basis | i | i is not required: only one basis is relevant. In contrast, states 0 and 1 for the space spanned by ψ0 and ψ1 for quantum messages, we require authentication in all are at least| i as| distinguishable.i | i | i bases and therefore we must also require encryption in Due to space limitations, we outline the proof with all bases. a sequence of lemmas, only proving the last and most To show this, let us consider any fixed authentication difficult. scheme. Denote by ρ ψ the density matrix transmitted We first consider the case when 0 and 1 can al- | i | i | i in this scheme when ’s input is ψ . Let ρ(k) denote most perfectly be distinguished. In that case, the adver- A | i ψ the density matrix for key k. | i sary can change 0 + 1 to 0 1 with high (but not perfect) fidelity (stated| i | formallyi | i − in | Lemmai 8). When 0 Definition 5 An encryption scheme with error for and 1 are more similar, we first magnify the difference| i | i quantum states hides information so that if ρ0 and ρ1 between them by repeatedly encoding the same state in are any two distinct encrypted states, then the trace dis- multiple copies of the authentication scheme, then apply 1 tance D(ρ0, ρ1) = Tr ρ0 ρ1 . the above argument. 2 | − | ≤ We claim that any good QAS must necessarily also be Lemma 8 Suppose that there are two states 0 , 1 a good encryption scheme. That is: | i | i such that D(ρ 0 , ρ 1 ) 1 η. Then the scheme is not -secure for| iψ |=i 0≥+ 1− for any < 1 2η. Theorem 5 (Main Lower Bound) A QAS with error | i | i | i − is an encryption scheme with error at most 41/6. When two states can be distinguished, but only just Corollary 6 A QAS with error requires at least barely, the above lemma is not sufficient. Instead, we 2m(1 poly()) classical key bits. must magnify the distinguishability of the states 0 and − 1 by repeating them by considering the tensor product| i The proof of the corollary is quite similar to the proof of| i many copies of the same state. The probability of that 2m key bits are needed to perfectly encrypt a quan- distinguishing then goes to 1 exponentially fast in the tum message. Instead, we concentrate on Theorem 5. number of copies: The intuition behind the proof of this main theorem is that measurement disturbs quantum states, so if Lemma 9 Let ρ0, ρ1 be density matrices t t the adversary can learn information about the state, she with D(ρ0, ρ1) = δ. Then D(ρ0⊗ , ρ⊗1 ) can change the state. More precisely, if the adversary 1 2 exp( tδ2/2). ≥ can distinguish between two states 0 and 1 , she can − − change the state 0 + 1 to 0 1 .| Ani extreme| i version We create these repeated states by encoding them in | i | i | i−| i of this fact is contained in the following proposition: an iterated QAS consisting of t copies of the original QAS (with independent values of the key for each copy). Proposition 7 Suppose that there are two states 0 , 1 | i | i whose corresponding density matrices ρ 0 , ρ 1 are per- | i | i Lemma 10 Suppose we iterate the scheme t times. Let fectly distinguishable. Then the scheme is not an - ψ = 1 ( 000...0 + 111...1 ). If (A, B, ) is an - √2 secure QAS for any < 1. | i | i | i K secure QAS, then the iterated scheme is 10t3-secure for ψ Proof: Since ρ 0 , ρ 1 can be distinguished, they must the state . | i | i | i have orthogonal support, say on subspaces V0,V1. So consider an adversary who applies a phase shift of 1 Note that the proof of this lemma goes through the (k) − following crucial claim, which follows from a simple conditioned on being in V1. Then for all k, ρ 0 + 1 | i | i hybrid argument. becomes ρ(k) . Thus, will decode the (orthogonal) 0 1 B state 0 | 1i−|. i 2 Claim 11 (Product states) The iterated scheme is t- | i − | i secure for any product state.

8 1 Proof: For simplicity we prove the claim for the state Proof: Fix i. Note that ψ+ = ( ψi+1 + ψi ) is a | i √2 | i | i 000...0 . The same proof works for any product pure product state (with H 0 in one position), as is ψ = | i state (and in fact for separable states in general). 1 ( ψ ψ ). The| i image of ψ can be written| −i √2 i+1 i + Intuitively, an adversary who modifies the state | i − | i | i 000...0 must change some component of the state. We 1 | i 000...0 ( ψi+1 γi+1 + ψi γi ) ACC can formalize this by rewriting the projector P0| i in √2 | i| i | i| i | i 0 i terms of the individual projectors P | i . 0 + ( δi+1 + δi ) ACC + ( βi+1 + βi ) REJ For the case t = 2, accepts only if he finds the | i | i | i | i | i | i B 1 1 verification qubits for both schemes in the accept state. = ψ+ ( γi+1 + γi ) + ψ ( γi+1 γi ) | i2 | i | i | −i2 | i − | i 00 1 1 | i P0 + ( δi+1 + δi ) ACC + ( βi+1 + βi ) REJ √2 | i | i | i √2 | i | i | i = (Im1m2 00 00 ) ACC1 ACC1 − | ih | ⊗ | ih | Now we know that δ 2 t for all i (since γ is a ACC2 ACC2 i i ⊗| ih | product state). Thus,k| ik1 ( δ≤ + δ ) √2|t.i √2 i+1 i = (Im 0 0 ) Im + Im (Im 0 0 ) k | i | i k ≤ 1 2 1 2 Moreover, ψ+ is a product state and so we have − | ih | ⊗ ⊗ − | ih | | i 1 1 (Im1 0 0 ) (Im2 0 0 ) − − | ih | ⊗ − | ih | ψ ( γi+1 γi ) + ( δi+1 + δi ) √t k| −i2 | i − | i √2 | i | i k ≤ ACC1 ACC1 ACC2 ACC2 ⊗| ih | ⊗ | ih | 1 1 0 0 1 2 Thus, ψ 2 ( γi+1 γi ) = 2 ( γi+1 γi ) = P0| i ACC2 ACC2 + P0| i ACC1 ACC1 k| −i | i − | i k k | i − | i k ≤ ⊗ | ih | ⊗ | ih | (1 + √2)√t. 2 0 1 0 2 P0| i P0| i − ⊗ 1 Then by the triangle inequality, ( γt γ0 ) 0 1 0 2 2 Since P | i P | i is positive, for all ρ, we have 1 k | i − | i k ≤ 0 0 (1+√2)t√t. Let Ψ = ( ψt ψ0 ). The image ⊗ ± √2 1 | i | i±| i 00 0 0 1 2 of Ψ+ = √ ( 000...0 + 111...1 ) is: Tr(P0| iρ) Tr(P0| i ρ) + Tr(P0| i ρ) 2 | i 2 | i | i ≤ ≤ 1 1 Similarly, for larger values of t we have Ψ+ ( γt + γ0 ) + Ψ ( γt γ0 ) | i2 | i | i | −i2 | i − | i t 1 1 000...0 0 i + ( δt + δ0 ) ACC + ( βt + β0 ) REJ Tr(P | iρ) Tr(P | i ρ) t √2 | i | i | i √2 | i | i | i 0 ≤ X 0 ≤ i=1 Ψ+ Now the trace of this state with P0| i is the square of Thus the iterated scheme is t-secure for 000...0 (and | i 1 1 in fact for all product states). 2 Ψ ( γt γ0 ) + ( δt + δ0 ) k| −i2 | i − | i √2 | i | i k 1 1 Proof (of Lemma 10): Consider the net superoperator Ψ ( γt γ0 ) + ( δt + δ0 ) due to encoding, decoding, and the adversary’s interven- ≤ k| −i2 | i − | i k k√2 | i | i k 1 tion, i.e. net = k Bk advAk. By introducing an (1 + √2)t√t + √2t O |K| P O ≤ ancilla system R, we can extend this superoperator to a √10t3, linear transformation on the joint system M R V ≤ (where M is the message system and V is ’s⊗ verifica-⊗ where in the last line, we have assumed t 2. That is, B 3 ≥ tion qubit). For a pure state ψ , write its image as the iterated scheme is 10t -secure for Ψ+ . 2 | i | i

ψ γ ψ ACC + β ψ REJ + δ ψ ACC Putting the various lemmas together, we ﬁnd that, | i| | ii| i | | ii| i | | ii| i given two states 0 and 1 which are slightly distin- | i | i where δ ψ is a joint state of MR which is orthogonal guishable by the adversary, so D(ρ0, ρ1) δ, then in | | ii to the subspace ψ R. the iterated scheme, 000...0 and 111...1 are≥ more dis- | i ⊗ | i | i Now consider the family of states ψi = tinguishable: D(ρ 000...0 , ρ 111...1 ) 1 η, where | i 2 | i | i ≥ − 3 000...0 111...1 , and let γi = γ ψi and δi = η 2 exp( tδ /2). Since the iterated scheme is 10t - | i | i | | ii | i ≤ − 1 i t i secure for the state ψ = ( 000...0 + 111...1 ), then | {z } | {z− } | i √2 | i | i δ ψi . by Lemma 8, | | ii 3 2 1 10t > 1 2η 1 4 exp( tδ /2) Claim 12 For all i = 0, ..., t 1, we have 2 ( γi+1 − ≥ − − − k | i − 3 1/6 γi ) (1 + √2)√t Choosing t = 1/√20, we get δ 4 . | i k ≤ ≤

9 7. Quantum Signatures Acknowledgments

One consequence of the previous theorem is that dig- We would like to thank H. Bernstein, A. Blokhuis, itally signing quantum messages is impossible. One can H.F. Chau, D. DiVincenzo, M. Knill, D. Leung, imagine more than one way of defining this task, but M. Mosca, E. Rains, and R. de Wolf for helpful discus- any reasonable definition must allow a recipient—who sions or comments. should not be able to alter signed messages—to learn something about the contents of the message. However, References this is precisely what is forbidden by the previous theorem: in an information-theoretic setting, any adver- [1] A. Ambainis, M. Mosca, A. Tapp and R. de Wolf “Pri- sary who can gain a non-trivial amount of information vate quantum channels”, Proceedings of the 41st Annual must be able to modify the authenticated state with non- Symposium on Foundations of Computer Science, pp. negligible success. 547 – 553, IEEE Computer Society Press, 2000. If we consider computationally secure schemes, a [2] A. Ambainis, A. Smith and K. Yang, “Extracting Quan- somewhat narrower definition of digitally signing quantum Entanglement (General Entanglement Purification tum states remains impossible to realize. If we assume a Protocols)”, Proceedings of CCC 2002, May 2002. quantum digital signature protocol should allow any recipient to efficiently extract the original message, then [3] C. H. Bennett and G. Brassard. “Quantum cryptogra- a simple argument shows that he can also efficiently phy: Public-key distribution and coin-tossing.” In Proc. change it without being detected, contradicting the secu- of IEEE Conference on Computers, Systems and Signal Processing, 1984, pp. 175 – 179. rity of the scheme. Namely: Assume that there is transformation U with a small circuit which extracts the orig- [4] C. H. Bennett, G. Brassard, C. Crepeau,´ R. Jozsa, inal message ρ, leaving auxiliary state ϕ (which may A. Peres and W. Wootters, “Teleporting an unknown not all be held by ). In order to preserve| i any entan- quantum state via dual classical and EPR channels”, glement between ρ Band a reference system, the auxiliary Phys. Rev. Lett., pp. 1895 – 1899, March 1993. state ϕ must be independent of ρ. Therefore, can re- | i B [5] C. H. Bennett, G. Brassard, S. Popescu, B. Schumacher, place ρ with any other state ρ0 and then perform U † on J. A. Smolin, W. K. Wootters, “Purification of Noisy En- ρ0 and his portion of ϕ , producing a valid signature for tanglement and Faithful Teleportation via Noisy Chan- | i ρ0. This is an efficient procedure: the circuit for U † is nels”, Phys. Rev. Lett., vol. 76, 1996, pp. 722 – 725. just the circuit for U executed backwards. [6] A. Beutelspacher and U. Rosenbaum, Projective Geom- etry, Cambridge University Press, Cambridge, 1998. 7.1. Public Key Quantum Authentication [7] J. L. Carter and M. N. Wegman, “New hash functions As an alternative to digital signature we introduce the and their use in authentication and set equality”, Jour- nal of Computer and System Sciences, vol. 22, 1981, pp. weaker notion of public key quantum authentication. 265 – 279. Let Eb, Db be ’s public and private keyed algo- B rithms to a PKC and Sa, Va be ’s private and public [8] D. Gottesman, “Uncloneable Encryption with Quantum keyed algorithms to a digital signatureA scheme, both re- States”, to appear in Proceedings of QCMC ’02, Rinton sistant to quantum computers’ attacks. To perform au- Press, Dec. 2002. thentication, picks secret and random binary strings k, A [9] D. Gottesman and I. L. Chuang, “Quantum digital signa- x, and y, and uses them as keys to q-authenticate ρ as ρ0. tures”, to appear in Proceedings of QCMC ’02, Rinton encrypts and signs the key as σ := Sa(Eb(k x y)). Press, Dec. 2002. e-print quant-ph/0105032. A | | A sends ρ0, σ to . To verify a state, verifies ’s signa- h i B B A [10] H.-K. Lo and H. F. Chau, “Unconditional Security Of ture on σ using Va and then discovers the key k, x and y Quantum Key Distribution Over Arbitrarily Long Dis- using his private decryption function Db. checks that B tances”, Science, vol. 283, 1999, pp. 2050 – 2056. ρ0 is a valid q-authenticated message according to k, x, y, and recovers ρ. [11] M. A. Nielsen and I. L. Chuang, “Quantum Computa- Public Key Quantum Authentication is the basis of a tion and Quantum Information”, Cambridge University scheme for Uncloneable Encryption [8] allowing trans- Press, 676 pages, 2000. mission of quantum or classical messages in a way that [12] P.W. Shor and J. Preskill, “Simple Proof of Security of if the authentication succeeds then despite the computa- the BB84 Quantum Key Distribution Protocol”, Phys. tional assumption the confidentiality of the message is Rev. Lett., vol. 85, 2000, pp. 441 – 444. forever guaranteed unconditionally.