arXiv:0801.2840v1 [quant-ph] 18 Jan 2008

Applications of single-qubit rotations in quantum public-key cryptography

Georgios M. Nikolopoulos
Institute of Electronic Structure and Laser, FORTH, P. O. Box 1527, Heraklion 711 10, Crete, Greece
(Dated: November 2, 2018)

We discuss cryptographic applications of single-qubit rotations from the perspective of trapdoor one-way functions and public-key encryption. In particular, we present an asymmetric cryptosystem whose security relies on fundamental principles of quantum physics. A quantum public key is used for the encryption of messages while decryption is possible by means of a classical private key only. The trapdoor one-way function underlying the proposed cryptosystem maps integer numbers to quantum states of a qubit and its inversion can be infeasible by virtue of Holevo's theorem.

PACS numbers: 03.67.Dd, 03.67.Hk

I. INTRODUCTION

Modern public-key (or else asymmetric) cryptography relies on numerical trapdoor one-way functions, i.e., functions that are "easy" to compute, but "hard" to invert without some additional information (the so-called trapdoor information) [1]. The main characteristic of these mathematical objects is that they provide the legitimate users with a tractable problem, while at the same time any unauthorized user (adversary) has to face a computationally infeasible problem. This barrier between legitimate users and adversaries, due to the complexity of effort, is the key idea behind most of the public-key cryptosystems. Each participant in such a cryptosystem has a personal key consisting of two parts, the public and the private (also known as secret) part. Messages are encrypted with the use of the public key, and decryption of the resulting ciphertext is possible by means of the private key.

The security of conventional public-key cryptography relies on the hardness of some computational problems (e.g., the integer factorization problem, the discrete logarithm problem, etc). These numerical problems are considered to be good candidates for one-way functions (OWFs), and this belief relies mainly on the large amount of resources (computing power and time) required for their solution using the best known algorithms. Nevertheless, the existence of OWFs has not been rigorously proved up to now, a fact that makes all of the numerical public-key cryptosystems vulnerable to any future advances in algorithms and hardware (e.g., the construction of a quantum computer). In contrast to the computational security offered by conventional public-key schemes, there exist symmetric schemes (e.g., the one-time pad) which offer provable security provided that a truly random secret key is shared between the entities who wish to communicate. Today, the establishment of such a key between two parties can be achieved by means of quantum key-distribution (QKD) protocols [2]. By virtue of fundamental principles of quantum mechanics that do not allow cloning and passive monitoring of unknown quantum states [3], QKD protocols provide a solution to the key-distribution problem even in the presence of the most powerful adversaries.

Nevertheless, key management remains one of the main drawbacks of symmetric encryption schemes [1]. In particular, the problem pertains to large networks where each entity needs a secret key with every other entity. Hence, the total number of secret keys scales quadratically with the number of users in the network. One solution to the key-management problem is the use of an unconditionally trusted third party which acts as the key distribution center (KDC), and is burdened with the key-management problem. The main problem with this solution, however, is that the KDC becomes an attractive target, while a compromised KDC immediately renders all communications insecure. An alternative solution to the key-management problem is provided by conventional public-key cryptosystems, which are very flexible but, as we discussed earlier, offer computational security only. Clearly, an ideal solution to both the key-distribution and the key-management problems is a quantum public-key (asymmetric) cryptosystem, which combines the provable security of QKD protocols with the flexibility of conventional public-key encryption schemes. The development of such a cryptosystem, however, requires the existence of quantum trapdoor OWFs. In particular, the one-way property of these functions has to rely on fundamental principles of quantum theory, rather than on unproven computational assumptions.

To the best of our knowledge, the number of related theoretical investigations is rather small, and all of them pertain to a futuristic scenario where all of the involved parties (legitimate users and adversaries) possess quantum computers. The concept of a quantum OWF was first introduced in [4, 5], where the authors demonstrated that such a function can be obtained by mapping bit-strings to quantum states of a collection of qubits. Nevertheless, these two papers do not pertain directly to public-key encryption, but rather to quantum fingerprinting [4] and quantum digital signatures [5, 6]. Later on, Kawachi et al. [7] investigated the cryptographic properties of the distinguishability problem between two random coset states with hidden permutation. This problem can be viewed as a quantum extension of the distinguishability problems between two probability distributions used in conventional cryptography [1]. Finally, besides quantum OWFs there have also been investigations on OWFs which rely on "hard" problems appearing in other areas of physics such as statistical physics [8], optics [9], and mesoscopic physics of disordered media [10].

In this paper we establish a theoretical framework for quantum public-key encryption based on qubit rotations. In particular, we explore the trapdoor and one-way properties of functions that map integer numbers onto single-qubit states. Moreover, we present an asymmetric cryptosystem which is provably secure even against powerful quantum eavesdropping strategies.

II. QUANTUM TRAPDOOR (ONE-WAY) FUNCTIONS

In this section we introduce the notion of the quantum trapdoor OWF, that maps integer numbers to quantum states of a physical system. The discussion involves a scenario where all of the parties (legitimate users and adversaries) possess quantum computers and are only limited by the laws of physics.

A. Definition and properties

Definition. Consider two sets $S$ and $Q$ which involve numbers and quantum states of a physical system, respectively. A quantum OWF is a map $M : S \mapsto Q$, which is "easy" to perform, but "hard" to invert. A quantum OWF whose inversion becomes feasible by means of some information (trapdoor information) is a quantum trapdoor OWF.

Throughout this work we will focus on quantum trapdoor OWFs whose input is an integer $s \in \mathbb{Z}_n := \{0, 1, \ldots, n-1 \,|\, n \in \mathbb{N}\}$, and whose output is the state of a quantum system, say $|\phi_s\rangle$. To elaborate further on the terms "easy" and "hard", consider a quantum system initially prepared in some state $|0\rangle$ and let $\mathcal{H}$ be the corresponding Hilbert space. For a randomly chosen $s \in \mathbb{Z}_n$ we apply an operation $\hat{O}(s) : \mathcal{H} \mapsto \mathcal{H}$ on the system, which changes the initial state $|0\rangle \to |\phi_s\rangle = \hat{O}(s)|0\rangle$. The set of all possible output states of the quantum OWF is $Q \equiv \{|\phi_s\rangle \,|\, s \in \mathbb{Z}_n\}$, and belongs to $\mathcal{H}$. If the map $M : \mathbb{Z}_n \mapsto Q$ is a bijection there is a unique $s \in \mathbb{Z}_n$ such that $|0\rangle \to |\phi_s\rangle$, i.e., $M$ is one-to-one and $|\mathbb{Z}_n| = |Q|$. The map $s \mapsto |\phi_s\rangle$ must be "easy" to compute in the sense that, for a given $s \in \mathbb{Z}_n$, the transformation on the system's state $|0\rangle \to |\phi_s\rangle$ can be performed efficiently on a quantum computer with polynomial resources. On the other hand, in order for the map $s \mapsto |\phi_s\rangle$ to serve as a quantum OWF, its inversion must be a "hard" problem by virtue of fundamental principles of quantum mechanics. In other words, given a state $|\phi_s\rangle$ chosen at random from $Q$, there is no efficient quantum algorithm that succeeds in performing the inverse map $|\phi_s\rangle \mapsto s$ (i.e., recovering the integer $s$ from the given state $|\phi_s\rangle$) with a non-negligible probability.

Actually, by definition the inversion of a quantum OWF is a hard problem for everyone (legitimate users and eavesdroppers). For cryptographic applications, however, authorized users should be able to identify the state of the quantum system, and thus invert the map $s \mapsto |\phi_s\rangle$, more efficiently than any unauthorized party. Hence, it is essential to introduce a trapdoor information which makes the inversion of the map computationally feasible for anyone who possesses it.

Having introduced the notion of quantum trapdoor OWFs in a rather general theoretical framework, in the following we specialize the present discussion to a particular family of such functions based on single-qubit rotations.

B. A quantum trapdoor OWF based on single-qubit rotations

For the sake of simplicity, we will present our quantum trapdoor OWF in the context of single-qubit states lying on the $x$-$z$ plane of the Bloch sphere. The main idea can be easily extended to qubit states that lie on the three-dimensional Bloch sphere.

Let us denote by $\{|0_z\rangle, |1_z\rangle\}$ the eigenstates of the Pauli operator $\hat{Z} = (|0_z\rangle\langle 0_z| - |1_z\rangle\langle 1_z|)$, which form an orthonormal basis in the Hilbert space of a qubit $\mathcal{H}_2$. A general qubit state lying on the $x$-$z$ plane can be written as $|\psi(\theta)\rangle = \cos(\theta/2)|0_z\rangle + \sin(\theta/2)|1_z\rangle$, where $0 \le \theta < 2\pi$. Hence, unlike the classical bit which can store a discrete variable taking only two real values (that is, "0" and "1"), a qubit may represent a continuum of states on the $x$-$z$ Bloch plane. Introducing the rotation operator about the $y$ axis, $\hat{R}(\theta) = e^{-i\theta\hat{Y}/2}$ with $\hat{Y} = i(|1_z\rangle\langle 0_z| - |0_z\rangle\langle 1_z|)$, we may alternatively write $|\psi(\theta)\rangle = \hat{R}(\theta)|0_z\rangle$.

The input of the proposed quantum trapdoor function is a random integer $s$ uniformly distributed over $\mathbb{Z}_{2^n}$ with $n \in \mathbb{N}$, and a qubit initially prepared in $|0_z\rangle$. Thus, $n$-bit strings suffice as labels to identify the input $s$ for fixed $n$. For given values of $n \in \mathbb{N}$ and $s \in \mathbb{Z}_{2^n}$, the qubit state is rotated by $s\theta_n$ around the $y$-axis with $\theta_n = \pi/2^{n-1}$. Hence, for some fixed $n \in \mathbb{N}$, the output of the OWF pertains to the class of states $Q_n = \{|\psi_s(\theta_n)\rangle \,|\, s \in \mathbb{Z}_{2^n}, \theta_n = \pi/2^{n-1}\}$, with

$$|\psi_s(\theta_n)\rangle \equiv \hat{R}(s\theta_n)|0_z\rangle = \cos\left(\frac{s\theta_n}{2}\right)|0_z\rangle + \sin\left(\frac{s\theta_n}{2}\right)|1_z\rangle. \tag{1}$$

Clearly, both the input and the output sets (i.e., $\mathbb{Z}_{2^n}$ and $Q_n$, respectively) remain unknown if $n$ is not revealed. For a given pair of integers $\{n, s\}$, the function $s \mapsto |\psi_s(\theta_n)\rangle$ is easy to compute since it involves single-qubit rotations only. In particular, it is known that any single-qubit operation can be simulated to an arbitrary accuracy $\epsilon > 0$ by a quantum algorithm involving a universal set of gates (i.e., Hadamard, phase, controlled-NOT, and $\pi/8$ gates) [3]. Moreover, this simulation is efficient since its implementation requires an overhead of resources that scales polynomially with $\log(\epsilon^{-1})$.

Inversion of the map $s \mapsto |\psi_s(\theta_n)\rangle$ means to recover $s$ from a given qubit state $|\psi_s(\theta_n)\rangle$ chosen at random from an unknown set $Q_n$. Nevertheless, let us consider for the time being that $n$ is known. In this case, the inversion of the map reduces to the problem of discrimination between various non-orthogonal states chosen at random from a known set $Q_n$. The number of non-orthogonal states increases as we increase $n$, whereas for $n \gg 1$ we have for the nearest-neighbor overlap $\langle\psi_s(\theta_n)|\psi_{s+1}(\theta_n)\rangle = \cos(\theta_n/2) \to 1$. Hence, a projective von Neumann measurement cannot distinguish between all of the states for $n \gg 1$, since the number of possible outcomes in such a measurement is restricted by the dimension of the state space of the system (i.e., a qubit in our case).

One has therefore to resort to more general measurements, which can always be described formally by a positive operator-valued measure (POVM) involving a number of non-negative operators [3]. In the theoretical framework of POVMs, an input state is associated with a particular outcome of the measurement, while optimization is typically performed with respect to various quantities (e.g., probability of inconclusive results, mutual information, conditional probabilities, etc). It is worth noting, however, that some of these strategies are not applicable for the states of the set $Q_n$, since they are not linearly independent when $n > 2$ (e.g., see Ref. [11]). In any case, according to Holevo's theorem [3], the classical information that can be extracted from a single qubit by means of a POVM is at most 1 bit, whereas $n$ bits are required to identify the randomly chosen $s \in \mathbb{Z}_{2^n}$ for fixed $n$. Hence, we see that for a given $n \gg 1$ the map $s \mapsto |\psi_s(\theta_n)\rangle$ acts as a quantum OWF that is "easy" to perform but hard to invert. Actually, the inversion may become even harder if $n$ is not publicly announced, thus rendering the sets from which $s$ and $|\psi_s(\theta_n)\rangle$ are chosen (that is, $\mathbb{Z}_{2^n}$ and $Q_n$, respectively) practically unknown (see also the discussion in Sec. IV).

The map $s \mapsto |\psi_s(\theta_n)\rangle$ may also act as a trapdoor OWF when it involves two consecutive rotations. To demonstrate this fact, let us assume that after $\hat{R}(s\theta_n)$, a second rotation $\hat{R}(m\theta_n)$ is applied to the same qubit, with a randomly chosen integer $m \in \mathbb{Z}_{2^n}$ such that $s + m = c \bmod 2^n$. The state of the qubit after the second rotation becomes $|\psi_c(\theta_n)\rangle = \hat{R}(c\theta_n)|0_z\rangle = \hat{R}(m\theta_n)\hat{R}(s\theta_n)|0_z\rangle$. Having access to the qubit before and after the second rotation (i.e., given the qubit states $|\psi_s(\theta_n)\rangle$ and $|\psi_c(\theta_n)\rangle$), we are interested in deducing $m$. This task, however, requires substantial information on both of the numbers $s$ and $c$, which is not possible for $n \gg 1$. More precisely, as discussed earlier, in this case only negligible information can be extracted from the state $|\psi_s(\theta_n)\rangle$ about the randomly chosen $s$, which thus remains practically unknown. Hence, irrespective of the amount of information one may have on $c$, the number $m$ will also remain unknown. The one-way and trapdoor properties of the map $s \mapsto |\psi_s(\theta_n)\rangle$ will become clearer in the following, through the security analysis of an asymmetric quantum encryption scheme.

III. QUANTUM PUBLIC-KEY ENCRYPTION

In this section we introduce an asymmetric cryptosystem based on the quantum trapdoor OWF presented in Sec. II. In analogy to classical asymmetric cryptosystems, in the proposed protocol the encryption and the decryption keys are different. In the following we describe the three stages of the protocol.

Stage 1 — Key generation. Each user participating in the cryptosystem generates a key consisting of a private part $d$, and a public part $e$, as determined by the following steps.

1. Choose a random positive integer $n \gg 1$.

2. Choose a random integer string $\mathbf{s}$ of length $N$, i.e., $\mathbf{s} = (s_1, s_2, \ldots, s_N)$, with $s_j$ chosen independently from $\mathbb{Z}_{2^n}$.

3. Prepare $N$ qubits in the state $|0_z\rangle^{\otimes N}$.

4. Apply a rotation $\hat{R}^{(j)}(s_j\theta_n)$ on the $j$th qubit, with $\theta_n = \pi/2^{n-1}$. Thus, the state of the $j$th qubit becomes $|\psi_{s_j}(\theta_n)\rangle_j = \hat{R}^{(j)}(s_j\theta_n)|0_z\rangle$, and is of the form (1).

5. The private key is $d = \{n, \mathbf{s}\}$, while the public key is $e = \{N, |\Psi^{(pk)}_{\mathbf{s}}(\theta_n)\rangle\}$, with the $N$-qubit state $|\Psi^{(pk)}_{\mathbf{s}}(\theta_n)\rangle \equiv \bigotimes_{j=1}^{N} |\psi_{s_j}(\theta_n)\rangle_j$.

Clearly, in the proposed protocol the private key is classical whereas the public key is quantum, as it involves the state of $N$ qubits. Moreover, note that each user may produce multiple copies of his/her own public key as the quantum state is known to its owner, and thus its copying does not violate the no-cloning theorem.

Stage 2 — Encryption. Assume now that one of the users (Bob) wants to send Alice an $r$-bit message $\mathbf{m} = (m_1, m_2, \ldots, m_r)$, with $m_j \in \{0, 1\}$ and $r \le N$. To encrypt the message, he should do the following steps without altering the order of the public-key qubits:

1. Obtain Alice's authentic public key $e$. If $r > N$, he should ask Alice to increase the length of her public key.

2. Encrypt the $j$th bit of his message, say $m_j$, by applying the rotation $\hat{R}^{(j)}(m_j\pi)$ on the corresponding qubit of the public key, whose state becomes $|\psi_{s_j, m_j}(\theta_n)\rangle_j = \hat{R}^{(j)}(m_j\pi)|\psi_{s_j}(\theta_n)\rangle_j$.

3. The quantum ciphertext (or else cipher state) is the new state of the $N$ qubits, i.e., $|\Psi^{(c)}_{\mathbf{s},\mathbf{m}}(\theta_n)\rangle = \bigotimes_{j=1}^{N} |\psi_{s_j, m_j}(\theta_n)\rangle_j$, and is sent back to Alice.

Note that, at the end of the encryption stage, the message has been encoded in the first $r$ qubits of the cipher state. Thus, in the decryption stage Alice may focus on this part of the cipher state, discarding the remaining $N - r$ qubits, which do not carry any additional information.

Stage 3 — Decryption. To recover the message $\mathbf{m}$ from the cipher state $|\Psi^{(c)}_{\mathbf{s},\mathbf{m}}(\theta_n)\rangle$, Alice has to perform the following steps.

1. Undo her initial rotations, i.e., apply $\hat{R}^{(j)}(s_j\theta_n)^{-1}$ on the $j$th qubit of the ciphertext.

2. Measure each qubit of the ciphertext in the basis $\{|0_z\rangle, |1_z\rangle\}$.

In discussing the decryption stage, we would like to point out that the above two steps are basically equivalent to a von Neumann measurement which projects the $j$th qubit onto the basis $\{|\psi_{s_j}(\theta_n)\rangle, \hat{R}(\pi)|\psi_{s_j}(\theta_n)\rangle\}$. Moreover, it is worth recalling here that $\hat{R}^{(j)}(\alpha)^{-1} = \hat{R}^{(j)}(\alpha)^\dagger = \hat{R}^{(j)}(-\alpha)$, while different rotations around the same axis commute, i.e., $[\hat{R}^{(j)}(\alpha), \hat{R}^{(j)}(\beta)] = 0$.

IV. SECURITY

The primary objective of an adversary (eavesdropper) is to recover the plaintext from the cipher state intended for Alice. On the other hand, there is always a more ambitious objective pertaining to the recovery of the private key from Alice's public key. A cryptosystem is considered to be broken with the accomplishment of any of the two objectives, but in the latter case the adversary has access to all of the messages sent to Alice. In this section we discuss various security issues related to the encryption scheme of Sec. III.

A. Distribution of public keys

In contrast to symmetric cryptosystems, in an asymmetric cryptosystem a KDC is burdened with the distribution of public keys whose secrecy is not required. Nevertheless, the KDC still has to verify the public key of each entity participating in the cryptosystem. Typically, in conventional cryptography the outcome of this verification is a public certificate which consists of two parts: a data part which contains the public key as well as information about its owner, and the verification part with the signature of the KDC over the data part. Hence, such a certificate essentially guarantees the authenticity, or else integrity, of the public key of each entity.

Authentication is a crucial requirement for secure, classical or quantum, encryption schemes since without it any encryption scheme is vulnerable to an impersonation attack [1]. In modern cryptography, secrecy (confidentiality) and authenticity are treated as distinct and independent cryptographic goals [1]. In particular, public-key encryption aims at confidentiality, whereas other cryptographic goals (such as data integrity, authentication, and non-repudiation) are provided by other cryptographic primitives including message authentication codes, digital signatures, and fingerprints. Following the same attitude, throughout this section we focus on the security provided by the quantum encryption scheme under consideration.

To emphasize, however, the importance of authenticity, in the encryption stage of the protocol described in Sec. III it is explicitly stated that Bob should be able to obtain an authentic copy of Alice's public key. A quantum scheme for authentication purposes was proposed in [5], and relies on mapping classical bit-strings to multi-qubit states. We believe that the main results of [5] can also be adapted to the single-qubit OWF discussed here. Nevertheless, the creation of public certificates for quantum keys is not an easy task, since digitally signing an unknown qubit state is not possible [12]. In any case, authentication of quantum messages remains an interesting question in the field, but it is beyond the scope of this paper.

B. Secrecy of the private key

The private key of each entity consists of two parts, i.e., $d = \{n, \mathbf{s}\}$. The first part is a randomly chosen positive integer with the only constraint being $n \gg 1$. Nevertheless, to present quantitative estimates on the entropy of the private key, in the following we consider that $n$ is uniformly distributed over a finite interval $\tilde{N} = [n_l, n_u]$, with $n_l \gg 1$. Thus, the entropy of the first part of the private key is $H(n) = \log_2(|\tilde{N}|)$, where $|\tilde{N}|$ denotes the number of elements in $\tilde{N}$. The second part of the private key involves a random integer string $\mathbf{s}$, which is encoded on the state of the $N$ qubits of the public key. For a given value of $n$, say $n = \nu$, each random element of $\mathbf{s}$ is chosen independently and has a uniform distribution over $\mathbb{Z}_{2^\nu}$. Hence the string $\mathbf{s}$ is also uniformly distributed over $\mathbb{Z}^N_{2^\nu} \equiv \{(a_1, a_2, \ldots, a_N) \,|\, a_j \in \mathbb{Z}_{2^\nu}\}$, and its entropy is given by $H(\mathbf{s}|n = \nu) = N\nu$. The entropy of the entire private key is given by the joint entropy $H(n, \mathbf{s})$, i.e.,

$$H(d) = H(n) + H(\mathbf{s}|n) = \log_2(|\tilde{N}|) + \sum_{\nu \in \tilde{N}} p(\nu) H(\mathbf{s}|n = \nu) = \log_2(|\tilde{N}|) + N(n_u + n_l)/2.$$

Let us now estimate the classical information one may extract from the quantum public key. For a given value of $n = \nu$, the $j$th element of $\mathbf{s}$ is chosen at random from $\mathbb{Z}_{2^\nu}$, and the corresponding qubit of the public key is prepared in the pure state $|\psi_{s_j}(\theta_\nu)\rangle_j$. From the point of view of an adversary, however, who does not have access to $s_j$, the $j$th qubit of the public key is prepared in a pure state chosen at random from the set $Q_{n=\nu} = \{|\psi_{s_j}(\theta_\nu)\rangle \,|\, s_j \in \mathbb{Z}_{2^\nu};\ \theta_\nu = \pi/2^{\nu-1}\}$, with all the states being equally probable. Accordingly, one can easily show that for $\nu > 2$, the density operator for the $j$th qubit is of the form

$$\sigma^{(j)}_{pk}(\theta_{n=\nu}) = \frac{1}{2^\nu} \sum_{s_j = 0}^{2^\nu - 1} |\psi_{s_j}(\theta_\nu)\rangle_j\,{}_j\langle\psi_{s_j}(\theta_\nu)| = \frac{\mathbb{1}}{2}. \tag{2a}$$

Summing over all possible values of $n$ and taking into account its uniform distribution over $\tilde{N}$, we obtain $\rho^{(j)}_{pk} = |\tilde{N}|^{-1} \sum_n \sigma^{(j)}_{pk}(\theta_n) = \mathbb{1}/2$. Moreover, each qubit is prepared independently of the others, and thus the state of the entire public key reads

$$\rho_{pk} = \sum_{n \in \tilde{N}} \sum_{\mathbf{s} \in \mathbb{Z}^N_{2^n}} p(n, \mathbf{s})\, |\Psi^{(pk)}_{\mathbf{s}}(\theta_n)\rangle\langle\Psi^{(pk)}_{\mathbf{s}}(\theta_n)| = \frac{\mathbb{1}^{\otimes N}}{2^N}, \tag{2b}$$

while for the corresponding von Neumann entropy we obtain $S(e) = \sum_{j=1}^{N} S(\rho^{(j)}_{pk}) = N$.

The secrecy of the private key $d$ is guaranteed by Holevo's theorem. In particular, let us denote by $I(x, d)$ the mutual information between the private key and a variable containing the information an adversary (Eve) may have obtained by performing quantum measurements on the public key. Since the public-key qubits are prepared at random and independently in pure states, we have from Holevo's theorem $I(x, d) \le S(e) = N$. Hence, $I(x, d) \ll H(d)$ provided

$$\log_2(|\tilde{N}|) + N\bar{n} \gg N, \tag{3a}$$

where $\bar{n} = (n_u + n_l)/2$. Clearly, to satisfy condition (3a) it is sufficient to have either $\bar{n} \gg 1$ or $\log_2(|\tilde{N}|) \gg N$. In the protocol of the previous section, both of these requirements are fulfilled simultaneously since $n$ is chosen at random from the set of positive integers $\mathbb{N}$ with the constraint $n \gg 1$. Hence, the inequality $I(x, d) \ll H(d)$ also holds; that is, Eve's information gain is much smaller than the entropy of the private key $d$, which thus remains practically unknown to her. Accordingly, the conditional entropy $H(d|x)$ is given by $H(d|x) \equiv H(d) - I(x, d) \approx H(d)$, which establishes the uniformity of the private key over $D = \tilde{N} \times \mathbb{Z}^N_{2^n}$ after the measurements on the public-key state.

So, we have seen that by making the public key available to everyone, we do not compromise the security of the protocol for $n \gg 1$, i.e., the public key may reveal only negligible information about the private key. When multiple copies of the public key, say $k$, are simultaneously in circulation, Eve's mutual information with the key increases, but is again upper bounded as $I(x, d) \le Nk$. In this case, secrecy of the private key is always guaranteed if

$$\log_2(|\tilde{N}|) + N\bar{n} \gg Nk, \tag{3b}$$

which defines an upper bound on the number of copies of the public key that can be issued. This is in contrast to conventional public-key cryptosystems, where there are no such limitations.

To summarize, the secrecy of the private key is guaranteed by the fact that the public key is quantum and unknown to everyone except Alice. Moreover, the state of each public-key qubit is chosen at random and independently of the other qubit states. In other words, there is no redundancy or pattern in the public key that could be exploited by a potential adversary. Information gain on the state of the public key (and thus the private key) can be obtained only by performing measurements on the public-key qubits, at the expense of disturbing their state irreversibly. In any case, according to Holevo's theorem, this information gain cannot exceed one bit per qubit and thus, for $k$ copies of the public key simultaneously in circulation, the private key is secret as long as condition (3b) is satisfied. Furthermore, by virtue of the no-cloning theorem [3], Eve cannot create additional copies of Alice's quantum public key, besides the copies provided by Alice or the KDC. In particular, the fidelity of the clone for each public-key qubit is smaller than one [13] and thus the fidelity of the public-key clone drops exponentially with the key length $N$.

Finally, it is worth noting that according to the key-generation stage of Sec. III, there is a one-to-one correspondence between the private key and the public key. As a result, any information an adversary may obtain about the state of the $j$th public-key qubit $|\psi_{s_j}(\theta_n)\rangle_j$ is immediately associated with the $j$th element of the private string $\mathbf{s}$. One may alter this situation by applying a random permutation $\Pi$ on the public-key qubits before they become publicly available. In this case, the $j$th element of the private string $\mathbf{s}$ is mapped to the state of the $\Pi(j)$th qubit (i.e., $s_j \mapsto |\psi_{s_j}(\theta_n)\rangle_{\Pi(j)}$), which is unknown to Eve if $\Pi$ is unknown. Hence, even if Eve were able to know precisely the state of each public-key qubit, she would have to guess the right permutation in order to deduce the private string $\mathbf{s}$. From another point of view, permuting the public-key qubits for a given private key is equivalent to preparing the public-key qubits in states determined by a permutation of the private string $\Pi(\mathbf{s})$, which is unknown to Eve. In this case, the private key consists of three parts, i.e., $d' = (n, \mathbf{s}, \Pi)$. The corresponding joint entropy is given by $H(d') = H(d) + H(\Pi|\mathbf{s}, n)$, with $H(d)$ defined earlier. Accordingly, the left-hand side of Eqs. (3) increases by $H(\Pi|\mathbf{s}, n)$, whereas the maximum information gain for a potential adversary is determined by Holevo's bound and remains constant.

In the following we analyze the security of our encryption scheme against various types of attacks aiming at the recovery of the plaintext and/or the private key from the quantum ciphertext. These attacks are generalizations of the corresponding attacks on conventional asymmetric encryption schemes [1]. In contrast, however, to their classical counterparts, in the quantum attacks Eve does not know the state of the quantum public key, but is allowed to perform arbitrary operations and measurements on it. The only assumption in the following analysis is that Alice's decryption device is manufactured so that it is automatically deactivated when it performs $k$ consecutive decryptions on $N$-qubit states. In this way we guarantee that no more than $k$ copies of Alice's public key will be used. When these copies are exhausted, Alice must generate a new pair of keys $(e', d')$ and update her decryption device accordingly. To this end, the old private key may act as a quantum password, which ensures authorized access to the decryption device.

C. Chosen-plaintext attack

Typically, in a chosen-plaintext attack, Eve is allowed to obtain a number of plaintext-ciphertext pairs of her choice. More precisely, given $k$ copies of Alice's public-key state $\rho_{pk}$, and $k$ plaintexts in binary form $\{\mathbf{a}_1, \mathbf{a}_2, \ldots, \mathbf{a}_k\}$, with $\mathbf{a}_j \in \{0, 1\}^{r_j}$ and $r_j \le N$, she obtains a sequence of cipher states $\{\rho^{(1)}_e, \rho^{(2)}_e, \ldots, \rho^{(k)}_e\}$, where

$$\rho^{(j)}_e = \tilde{R}^{(r_j)}_{\mathbf{a}_j}(\pi)\, \rho_{pk}\, \tilde{R}^{(r_j)\dagger}_{\mathbf{a}_j}(\pi).$$

The collective rotation on $r_j$ qubits is defined as

$$\tilde{R}^{(r_j)}_{\mathbf{x}}(\varphi) \equiv \bigotimes_{i=1}^{r_j} \hat{R}^{(i)}(x_i\varphi). \tag{4}$$

Subsequently, Eve may explore her database in order to decrypt an unknown message encrypted with Alice's public key, or gain further information on Alice's private key. For the sake of simplicity, and without loss of generality, in the following we assume that $r_j = N$, $\forall j$.

Let us discuss first whether Eve can gain significant information by encrypting plaintexts (i.e., obtaining cipher states) of her choice. As discussed in the previous subsection, Eve can obtain only negligible information about the private key by performing measurements on the public-key qubits. Thus, for Eve the private key is unknown and uniformly distributed over $D$. Accordingly, the state of the public key $\rho_{pk}$ is chosen at random from the ensemble $\{p(d), |\Psi^{(pk)}_{\mathbf{s}}(\theta_n)\rangle\}$, and is thus given by Eq. (2b). Note now that this maximally mixed state remains invariant under Eve's rotations [16], and thus any plaintext $\mathbf{a}_j$ is mapped to the same cipher state, i.e., $\mathbf{a}_j \mapsto \rho_{pk}$. Hence, on average, there is no information gain for Eve. The same conclusion can be drawn on the basis of Holevo's theorem. In particular, since the state of the public key is unknown to Eve, the cipher state is also unknown to her. Hence, Eve can extract at most $Nk$ bits of information from measurements on all of the $k$ cipher states, which is negligible in view of condition (3b).

The remaining question is whether Eve can use her plaintext-ciphertext database in order to decrypt Bob's message, which has been encrypted with the same public key. First of all, recall that Bob encrypts his message $\mathbf{m} \in \{0, 1\}^r$ by transforming the state of the public key as follows

$$\rho_{pk} \xrightarrow{\ \mathbf{m}\ } \rho_c = \tilde{R}^{(r)}_{\mathbf{m}}(\pi)\, \rho_{pk}\, \tilde{R}^{(r)\dagger}_{\mathbf{m}}(\pi). \tag{5}$$

As mentioned above, the mixed state $\rho_{pk}$ remains invariant under these rotations, and thus all of the possible messages yield the same cipher state, i.e., $\rho_c = \rho_{pk}$. Hence, Eve cannot distinguish between distinct messages, and the encryption scheme under consideration is provably secure [14].

Finally, note that a protocol which is secure against chosen-plaintext attacks is also secure against less powerful attacks, such as the ciphertext-only and the known-plaintext attacks [1]. In the following, we analyze the forward-search attack, that is, a chosen-plaintext attack adapted to small message spaces.

D. Forward-search attack

The forward-search attack can be very efficient (at least for conventional cryptosystems) when the number of all possible messages is small. In this case, Eve may obtain multiple copies of Alice's public key and create the ciphertexts corresponding to each possible message. Subsequently, she may try to deduce the encrypted message by comparing the unknown ciphertext with the ciphertexts in her database.

For the encryption scheme under consideration, however, the crucial information is not the actual angle of the rotation, but rather whether a public-key qubit has been rotated or not (see stage 2 in Sec. III). Hence, instead of creating her own plaintext-ciphertext database, it is sufficient for Eve to compare the cipher state sent from Bob to Alice with a copy of Alice's public key.

To analyze this attack, let us focus on a 1-bit message $m \in \{0, 1\}$. Bob encodes his message by applying the rotation $\hat{R}(m\pi)$ on Alice's public-key qubit, which is prepared in a state $|\psi_s(\theta_n)\rangle$ chosen at random from $Q_n$, for some $n \gg 1$. To deduce Bob's message, Eve performs a SWAP test [4] between the cipher qubit sent from Bob to Alice and a copy of Alice's public-key qubit. In this way, she will learn whether the cipher-qubit state has been rotated with respect to the state of the public-key qubit. Such a test succeeds with average probability $p_{suc} = 3/4$. Moreover, at the end of the test the two qubits are entangled, and Eve cannot distinguish between them. Hence, she cannot compare Bob's cipher state with the public-key state more than once.

Alice and Bob can reduce $p_{suc}$ considerably by encoding the message on the state of two or more public-key qubits. For instance, using two public-key qubits in the state $|\psi_{s_1}(\theta_n)\rangle_1 \otimes |\psi_{s_2}(\theta_n)\rangle_2$, the message "0" is encoded by applying an operation randomly chosen from the set $\{\hat{R}^{(1)}(0)\hat{R}^{(2)}(0), \hat{R}^{(1)}(\pi)\hat{R}^{(2)}(\pi)\}$, whereas "1" is encoded using an operation from the set $\{\hat{R}^{(1)}(0)\hat{R}^{(2)}(\pi), \hat{R}^{(1)}(\pi)\hat{R}^{(2)}(0)\}$. Thus, to deduce Bob's message, Eve has to identify correctly the operations performed on both qubits. In this case, Eve succeeds with probability $p_{suc} = (3/4)^2 \approx 0.56$; that is, slightly better than random guessing. In general, when each bit of a message is encoded to $\alpha$ qubits, Eve has to perform $\alpha$ successive SWAP tests to deduce it, and the average success probability is $(3/4)^\alpha$; that is worse than random guessing for $\alpha > 3$.

In the forward-search attack discussed above, Eve performs independent (individual) SWAP tests between the corresponding qubits of the cipher state and a copy of the public key. The question that arises here is whether Eve may increase her probability of success by performing collective measurements on all the qubits of the cipher state and the public key. This issue deserves further investigation, and will be addressed elsewhere. Nevertheless, the mere fact that each public-key qubit is prepared at random and independently of the others suggests that the optimal attack (i.e., the attack that maximizes Eve's probability of success) involves only individual measure-

with the collective rotations given by Eq. (4). Eve learns only the outcomes of the projective measurements performed at the end of the decryption stage. According to Holevo's theorem, however, these outcomes cannot provide her with more than $N$ bits of classical information about the private key. Of course Eve has the chance to perform up to $k$ such decryptions, but as long as condition (3b) is satisfied, her information gain is not sufficient to determine the private key.

V. DISCUSSION

In conclusion, we have discussed cryptographic applications of single-qubit rotations in the framework of quantum trapdoor (one-way) functions. We also demonstrated how such a function can be used as a basis for a quantum public-key cryptosystem, whose security, in contrast to its classical counterparts, relies on fundamental principles of quantum mechanics.
More precisely, in ments on various qubit pairs, consisting of the corre- the proposed encryption scheme, each user creates a key sponding qubits of the cipher state and the public key. consisting of two parts: a private key, which is purely In particular, as discussed in Sec. IV B, there is no re- classical, and a public key, which involves a number of dundancy or pattern in the public key (and thus in the qubits prepared independently in states specified by the cipher state) which could be explored in a collective mea- private key. The sender encrypts his message on the re- surement. cipients public key by rotating the state of its qubits. A potential adversary cannot deduce the encrypted message without knowing the recipient’s private key. E. Chosen-ciphertext attack One might have noticed here external similarities of the proposed encryption scheme to the Y00 protocol [15]. To In this scenario, Eve has access to Alice’s decryp- avoid any misunderstandings, we would like to point out tion device, but not to the private key. Providing judi- some crucial differences between the two schemes. First ciously chosen cipher states, she receives the correspond- of all, the security of the Y00 protocol is claimed to rely ing plaintexts. The only restriction is that Alice’s device on quantum noise which renders the discrimination of does not allow more than k decryptions on N-qubit states closely spaced mesoscopic states impossible. On the con- with the same private key. As before, Eve’s objective is trary, the security of the proposed public-key encryption to deduce the private key, or decrypt Bob’s message at scheme relies on the Holevo’s bound and the no-cloning a later instant, when she does not have access to the theorem. Second, the Y00 is a symmetric encryption decryption device. scheme whereas the present work involves asymmetric cryptosystems (different keys are used for encryption and The chosen-ciphertext attack can be analyzed along decryption). 
Third, in the Y00 protocol the two legiti- the lines of the previous sections. Let us discuss briefly, mate users share a short secret key in advance, which is for instance, the security of the private key. In a chosen- expanded in the course of the protocol. No secret infor- ciphertext attack Eve can prepare arbitrary multi-qubit mation is necessary for the functionality of the present states, not necessarily related to the public key. For in- protocol. stance, Eve may ask for the decryption of an N-qubit Various security issues pertaining to the proposed state ρe, where the qubits are entangled among them- selves as well as with another ancillary system. Never- asymmetric encryption scheme, have been analyzed in theless, as soon as the qubits are input to the decryption the context of a futuristic scenario, where all of the en- device, Eve has no access to them. First, the decryption tities participating in the cryptosystem possess quantum device undoes the initial rotations on the qubits, as de- computers, and are connected via ideal quantum chan- termined by the private key d. For Eve, who does not nels. There are various questions yet to be explored, es- have access to the private key, the input state is trans- pecially in connection with the extension of the present formed to a state ρ′ randomly chosen from the ensemble ideas to more realistic scenarios, where the legitimate e users are limited by current technology. For instance, in ˜ˆ (r)† ˜ˆ (r) {p(d), Rs (θn)ρeRs (θn)}, i.e., the presence of a lossy quantum channel, quantum error- correction codes can be used to increase the robustness d ′ ˜ˆ (r)† ˜ˆ (r) of the protocol. We have already seen that by encoding ρe −→ ρe = p(d)Rs (θn)ρeRs (θn), (6) dX∈D 1 bit on two qubits we make the encryption more robust 8 against the forward-search attack. 
over, such investigations might lead to the development In any case, the purpose of the present work was to of practical public-key encryption schemes, or other prov- introduce certain basic ideas underlying quantum public- ably secure quantum cryptographic primitives (e.g., dig- key encryption, and set an appropriate theoretical frame- ital signatures, hash functions, etc). work. We also demonstrated how fundamental properties of quantum systems and certain theorems of quantum mechanics may provide a barrier, due to complexity of effort, between legitimate users and adversaries, which is VI. ACKNOWLEDGMENTS the cornerstone of quantum public-key encryption. We hope that our results and discussion will stimulate fur- I am grateful to S. J. van Enk and P. Lambropou- ther investigations on these topics, so that light is shed los for helpful comments and discussions. The work was on crucial questions, pertaining to the power and the supported in part by the EC RTN EMALI (contract No. limitations of asymmetric quantum cryptography. More- MRTN-CT-2006-035369).
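The two quantitative claims of Secs. IV C and IV D above, namely that the public-key ensemble averages to a maximally mixed state that Eve's rotations leave unchanged, and that the SWAP-test forward-search attack identifies all $\alpha$ rotations with probability $(3/4)^\alpha$, can be checked in a small simulation. The Python below is an added example, not code from the paper; it fixes conventions the text leaves open: $Q_n$ is taken to be the set of real states $\cos(s\theta_n/2)|0\rangle + \sin(s\theta_n/2)|1\rangle$ with $\theta_n = 2\pi/2^n$ and $s \in \{0,\ldots,2^n-1\}$, and $R(\varphi)$ is taken to be the rotation $R_y(\varphi)$ about the $y$ axis, so that $R(\pi)$ maps a public-key state to the orthogonal state on the same great circle. All function names are the example's own.

```python
"""Toy model of the rotation-based quantum public-key scheme (added example,
not the paper's code).  Assumed conventions, not fixed by the paper:
  Q_n   = { cos(s*theta_n/2)|0> + sin(s*theta_n/2)|1> : s = 0..2**n-1 },
          theta_n = 2*pi/2**n;
  R(phi) = R_y(phi), so R(pi) sends a public-key state to its orthogonal partner.
"""
import math
import random

State = tuple  # (amplitude of |0>, amplitude of |1>), both real


def psi(theta: float) -> State:
    """|psi(theta)> = cos(theta/2)|0> + sin(theta/2)|1>."""
    return (math.cos(theta / 2), math.sin(theta / 2))


def rotate(phi: float, st: State) -> State:
    """Apply R(phi) = R_y(phi) to a single-qubit state."""
    c, s = math.cos(phi / 2), math.sin(phi / 2)
    a, b = st
    return (c * a - s * b, s * a + c * b)


def overlap(x: State, y: State) -> float:
    """Real inner product <x|y>."""
    return x[0] * y[0] + x[1] * y[1]


def swap_test_p0(x: State, y: State) -> float:
    """Probability that a SWAP test on |x>,|y> yields outcome 0: (1 + |<x|y>|^2)/2."""
    return 0.5 * (1.0 + overlap(x, y) ** 2)


def average_public_key_state(n: int, phi: float = 0.0) -> list:
    """Density matrix of one public-key qubit averaged over s uniform in Q_n,
    after an arbitrary rotation R(phi) applied by Eve.  Returned as
    [[rho00, rho01], [rho10, rho11]]; it equals I/2 for every n >= 1 and phi."""
    theta_n = 2 * math.pi / 2 ** n
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for s in range(2 ** n):
        amps = rotate(phi, psi(s * theta_n))
        for i, u in enumerate(amps):
            for j, v in enumerate(amps):
                rho[i][j] += u * v / 2 ** n
    return rho


def max_mixed_distance(n: int, phi: float = 0.0) -> float:
    """Largest entry-wise deviation of the averaged (and rotated) state from I/2."""
    rho = average_public_key_state(n, phi)
    return max(abs(rho[0][0] - 0.5), abs(rho[1][1] - 0.5),
               abs(rho[0][1]), abs(rho[1][0]))


def encrypt_bit(m: int, pk: list, rng: random.Random) -> tuple:
    """Bob: spread bit m over alpha = len(pk) qubits.  Rotation bits x_i are random
    subject to parity(x) == m (alpha = 1 gives x = (m,)); qubit i gets R(x_i*pi).
    Returns (cipher qubits, x)."""
    x = [rng.randrange(2) for _ in range(len(pk) - 1)]
    x.append((m - sum(x)) % 2)
    return [rotate(xi * math.pi, q) for xi, q in zip(x, pk)], x


def eve_swap_attack(cipher: list, pk_copy: list, rng: random.Random) -> list:
    """Eve: one SWAP test per (cipher, public-key-copy) pair.  Outcome 1 cannot occur
    for an unrotated qubit, so she declares 'rotated' exactly when she sees 1."""
    return [0 if rng.random() < swap_test_p0(c, q) else 1
            for c, q in zip(cipher, pk_copy)]


def exact_success(alpha: int) -> float:
    """Probability that Eve identifies all alpha rotation bits (the paper's criterion).
    Per qubit: 1/2 * P(outcome 0 | unrotated) + 1/2 * P(outcome 1 | rotated) = 3/4."""
    q = psi(0.3)  # any state on the circle gives the same value
    per_qubit = (0.5 * swap_test_p0(q, q)
                 + 0.5 * (1.0 - swap_test_p0(rotate(math.pi, q), q)))
    return per_qubit ** alpha


def simulate_success(alpha: int, n: int = 8, trials: int = 20000,
                     seed: int = 7) -> float:
    """Monte Carlo estimate of exact_success(alpha) with freshly drawn keys and bits."""
    rng = random.Random(seed)
    theta_n = 2 * math.pi / 2 ** n
    wins = 0
    for _ in range(trials):
        pk = [psi(rng.randrange(2 ** n) * theta_n) for _ in range(alpha)]
        cipher, x = encrypt_bit(rng.randrange(2), pk, rng)
        wins += eve_swap_attack(cipher, pk, rng) == x
    return wins / trials


if __name__ == "__main__":
    print("averaged, rotated public-key qubit deviates from I/2 by",
          max_mixed_distance(6, phi=1.1))
    for alpha in (1, 2, 3, 4):
        print(f"alpha={alpha}: exact {exact_success(alpha):.4f}, "
              f"simulated {simulate_success(alpha):.4f}")
```

`max_mixed_distance` is the Sec. IV C argument in numbers: whatever rotation Eve applies, the averaged public-key qubit stays $I/2$, so her chosen plaintexts all map to the same cipher state. `exact_success` and `simulate_success` reproduce $p_{suc}=3/4$ for one qubit and $(3/4)^2 \approx 0.56$ for two, counting a success only when every rotation bit is identified, which is the criterion the text uses; the Monte Carlo run also shows that the per-qubit decision rule is optimal for the SWAP test, since outcome 1 is a certificate of rotation.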

[1] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography (CRC Press, 1996).
[2] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002).
[3] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information (Cambridge University Press, Cambridge, London, 2000).
[4] H. Buhrman, R. Cleve, J. Watrous, and R. de Wolf, Phys. Rev. Lett. 87, 167902 (2001).
[5] D. Gottesman and I. L. Chuang, e-print quant-ph/0105032.
[6] E. Andersson, M. Curty, and I. Jex, Phys. Rev. A 74, 022304 (2006).
[7] A. Kawachi, T. Koshiba, H. Nishimura, and T. Yamakami, Lect. Notes on Computer Science 3494, 268 (2005).
[8] Y. Kabashima, T. Murayama, and D. Saad, Phys. Rev. Lett. 84, 2030 (2000).
[9] X. Peng, H. Wei, and P. Zhang, Opt. Lett. 31, 3579 (2006).
[10] R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, Science 297, 2026 (2002).
[11] A. Chefles, Phys. Lett. A 239, 339 (1998).
[12] M. Curty, D. J. Santos, E. Perez, and P. Garcia-Fernandez, Phys. Rev. A 66, 022301 (2002).
[13] V. Scarani, S. Iblisdir, N. Gisin, and A. Acin, Rev. Mod. Phys. 77, 1225 (2005).
[14] P. O. Boykin and V. Roychowdhury, Phys. Rev. A 67, 042317 (2003).
[15] H. P. Yuen, e-print quant-ph/0311061; G. A. Barbosa, E. Corndorf, P. Kumar, and H. P. Yuen, Phys. Rev. Lett. 90, 227901 (2003).
[16] Actually, the state (2b) remains invariant even under a general quantum operation (completely positive map) $\mathcal{E}: \rho \to \mathcal{E}(\rho) = \sum_i \hat{E}_i \rho \hat{E}_i^\dagger$, with $\sum_i \hat{E}_i^\dagger \hat{E}_i = \mathbb{1}$.