Quantum Unicity Distance [8440-32]

Quantum Unicity Distance

Chong Xiang and Li Yang* State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing 100195, China Graduate University of the Chinese Academy of Sciences, Beijing 100049, China

ABSTRACT We attempt to develop Shannon’s concept of the unicity distance into the quantum context. Based on the deﬁni- tion of information-theoretic security for quantum cryptography, we present a quantum probabilistic encryption algorithm with bounded information-theoretic security, and then work out its quantum unicity distances. The result shows that quantum unicity distance is much bigger than the unicity distance of classical cryptography. Keywords: unicity distance, quantum unicity distance, quantum private key encryption, quantum probabilistic encryption.

1. INTRODUCTION Shannon provided the concept of unicity distance in 19491 . He showed a way of calculating approximately how many ciphertexts were necessary to recovery the unique key for the classical encryption protocols, the length of ciphertexts needed was determined by the entropy of the key space and the redundance of the plaintext space. This parameter can be used to measure the number of times one key can be reused securely, while the length of ciphertexts encrypted by same key is not more than the unicity distance, this key can not be confirmed under the Known Ciphertext Attack(KCA). According to Deavours, the unicity distance of DES is worked out as 8.2 ASCII characters or 66 bits2, 3 . Mao and Wu4 used the unicity distance to analysis the security of hashing algorithms, Liu, Zhang and Li5 then develop it into multimedia hash scheme. The quantum key distribution has been proved to be unconditionally secure and applied in practice.6–10 Though it is seem that quantum one-time pad(which usually called private quantum channel11–13) can be achieved theoretically with the quantum key distribution, we still need to consider the repetition of key for the well- known low efficiency of the quantum key distribution. The quantum unicity distance represents the theoretical limitation of how many times a key can be reused in quantum context. The quantum unicity distance of a quantum cryptography protocol can be used to measure its efficiency and the security in practice. In the latter part of this paper we provide a definition of information-theoretic security for quantum cryptography based on the information-theoretic security of classical cryptography suggested by O. Goldrich. We present a quantum probabilistic encryption with bounded information-theoretic security, and then calculate its quantum unicity distance. This quantum unicity distance is proved to be much bigger than that of a classical encryption protocol introduced by Shannon.

2. PRELIMINARIES 2.1 Unicity distance Although Shannon has shown an expression of the unicity distance1 , people always use the following expression in order to express the unicity distance under multi-system (P, C, K, ε, D):

H(K) n0 = . RL log2 |P | *Corresponding author. Email: [email protected]

Proc. of SPIE Vol. 8440 84400T-1 The unicity distance has great significance for one cryptography protocol as the amount of unicity distance reflects the security of the protocol in one aspect. It must be noticed that unicity distance is a average value, so people always need more ciphertexts to get the unique key. It can be seen that if the ciphertext that eavesdropper E owned is longer than the unicity distance, it can be decrypted into a meaningful plaintext only with the unique key, and be decrypted into meaningless message with any other bit-strings. We can get the following figure:

Figure 1. While the length of the plaintext grows, the ciphertext sets encrypted from the same set of meaningful plaintexts with diﬀerent keys must be almost mutually disjoint sets.

Classical cryptography has a property that its decryption process is certain, which means every time we decrypt the same ciphertext with the same key will result the same plaintext; however, the quantum cryptography has a certain decryption result with the unique key but a uncertain decryption result with other bit-strings. It means that a quantum cryptography may not have unicity distance even if its ciphertext sets encrypted from the same set of meaningful plaintext with diﬀerent keys are almost mutually disjoint sets.

2.2 Information-theoretic security In classical cryptography, the information-theoretic security is suggested by O. Goldreich14 as follows:

Definition 2.1. An encryption is information-theoretically secure if for every circuit family {Cn}, every positive polynomial p(·), all suﬃciently large n’s, and every x, y in plaintext space: n n 1 Pr[Cn(G(1 ),EG(1n)(x)) = 1] − Pr[Cn(G(1 ),EG(1n)(y)) = 1] < , (1) p(n) where G is a key generation algorithm.

3. DEFINITIONS 3.1 Structure of quantum encryption transformation Quantum encryption protocols can be divided into four different kinds: 1. both the plaintext and the key are classical bits; 2. the key is quantum state, and the plaintext is classical bit; 3. the plaintext is quantum state, and the key is classical bit; 4. both the plaintext and the key are quantum states. Meanwhile the ciphertext is always quantum state. Different kinds of protocols may lead to different definition of quantum unicity distance, here we just discuss the first type of them as the Figure 2.

Proc. of SPIE Vol. 8440 84400T-2 Classical plaintext bit-string

Quantum Orthogonal state qubit-string Coding with orthogonal qubits ciphertext Qubit-string Encrypt with quantum operation

Figure 2. The plaintexts are classical bits. Firstly we encodes them with orthogonal quantum states, then we encrypt the quantum states with quantum operation which is determined by the classical key, at last the ciphertexts are also quantum states.

3.2 Quantum unicity distance There are many differences between the unicity distance for the classical cryptography and the quantum cryptography. Firstly we cannot measure one quantum state repeatedly, so while one classical ciphertext can be used to verify any bit-string to see if it is the key, one quantum ciphertext can only be used to verify one bit-string, the quantum unicity distance shall be much bigger than the classical one; secondly any bit-string may have nonzero probability to decrypt ciphertexts into meaningful plaintexts under quantum mechanical. If we define the quantum spurious key referring to Shannon’s unicity distance, we can get this result: the spurious key of a quantum ciphertext Y may be defined as the bit-strings with which decrypting Y can get a meaningful plaintext. But under quantum mechanical, if we decrypt Y with any bit-strings except the key, the result may also be a superposition state which has some meaningful components and others meaningless. So we need to give a new definition for quantum spurious. We define the spurious key as follow: Definition 3.1. The quantum spurious key of a ciphertext Y is the bit-string except the unique key with which decrypting Y may result a meaningful plaintext with probability more than 1 − δ. Let’s define set Z as the set of meaningful plaintexts, spurious key of Y can be represented as follow:

K(Y )={k ∈ K|P (Ek(Y ) ∈ Z) > 1 − δ}.

For a quantum encryption protocol, if there exists a N satisfying that while the length of ciphertext is bigger than N, the number of quantum spurious keys is 0, we will call N the quantum unicity distance of the quantum cryptography. Notice that a classical ciphertext can be used any times to verify any bit-string to see that if it is the unique key, but a quantum ciphertext can only be used once, so quantum unicity distance should contain two components: one is the length of ciphertext with which we can verify if a bit-string is a wrong key and the other is the size of the key space. This definition is suited for calculating the quantum unicity distance of a specific quantum cryptography, but it is difficult to calculate the quantum unicity distance of abstract model of quantum cryptography.

Proc. of SPIE Vol. 8440 84400T-3 3.3 Information-theoretic security of quantum cryptography15 We suggest here a definition of information-theoretic security of quantum encryption as follows: Definition 3.2. A quantum encryption is information-theoretically secure if for every quantum circuit family {Cn}, every positive polynomial p(·),allsufficientlylargen, and every x, y in plaintext space: n n 1 Pr[Cn(G(1 ),EG(1n)(x)) = 1] − Pr[Cn(G(1 ),EG(1n)(y)) = 1] < , (2) p(n) where the encryption algorithm E is a quantum algorithm, and the ciphertext E(x),E(y) are quantum states. Then we give the sufficient condition of the information-theoretic security which has been proved in paper.15 Theorem 3.3. For every plaintexts x and y, let the density operators of cipher states G(1n)(x) and G(1n)(y) are ρx and ρy, respectively. A quantum encryption protocol is said to be information-theoretically secure if for every positive polynomial p(·) and every sufficiently large n, 1 D(ρx,ρy) < . (3) p(n)

4. QUANTUM PROBABILISTIC ENCRYPTION PROTOCOL 4.1 Probabilistic encryption Probabilistic encryption16 is also called randomized encryption. A process of probabilistic encryption E can be shown as follow: E : Vn × K × R → Vm, where Vn and Vm are plaintext space and ciphertext space with m>n, K is the key space and R is a set of random numbers. The probabilistic cryptography maps one plaintext into diﬀerent ciphertexts with the same key, so it can resist the Chosen Plaintext Attack better, and increase the eﬀective size of the plaintext space.

4.2 The protocol We ﬁrst consider bit encryption. Using the following scheme to encrypt every bit with key k ∈{0, 1}l. Encryption: Alice chooses i ∈{0, 1}l randomly. A bit b is encrypted to be |i +(−1)b|i ⊕ k. Decryption: Suppose the key k = k(1)k(2) ···k(l), randomly choose one bit of k whose value is 1. Here we assume the jth bit of k is chosen. First we do controlled-NOT operation to each bit of ciphertext but the jth bit, the control bit of each operation is always the jth bit. Then we measure the jth bit with basis |±.Iftheresult is |+ we have b = 0, else b =1

Denote the density operator of the ciphertext is ρ(b,k),thenwehave: ρ 1 |i − b|i ⊕ k i| − bi ⊕ k| 1 − bθ|ii ⊕ θk|, (b,k) = · l ( +( 1) )( +( 1) )= l ( 1) (4) 2 2 i 2 i θ where θ ∈{0, 1}.

While we encrypt a bit string b1,b2, ···,bn, the density operator of the ciphertext for attacker who has no idea with k is shown as 1 ρ(b ,b ,···,b ) = ρ(b ,k) ⊗ ρ(b ,k) ⊗···⊗ρ(b ,k) (5) 1 2 n l − 1 2 n 2 1 k

Then we give that

Proc. of SPIE Vol. 8440 84400T-4 Theorem 4.1. l, n 1 < 1 While satisfy 2l−n p(n) , the trace distance between two density operators of the ciphertext which encrypted from x =(b1,b2, ···,bn) and x =(b1,b2, ···,bn) respectively is 1 D(ρ(x),ρ(x)) < . (6) p(n)

Thus, from the Theorem 3.3 this probabilistic protocol is bounded information-theoretically secure.

4.3 The quantum unicity distance of the protocol We assume the plaintext is the codewords being encoded with error correcting code(ECC) C,hereC is a (m, k)- ECC which can correct t-bit error. Then the minimum distance between each m-bit codewords is 2t +1. Let the length of key is m × l and use every l-bit of the key as a group to encrypt one bit plaintext, it can used to encrypt m-bits plaintext once. When the length of the plaintext more than m bits, we repeat this process and reuse the key. This encryption has a property as follow: Property: While the attacker decrypts with a random (m × l)-bit-string except the key , the result will be 1 0 or 1 both with probability 2 . This property means that once there exists any errors in one group, the decryption will result of 0 or 1 both with probability 50%, so we may just consider the number of groups with errors, named m0.Letpe is the probability of veriﬁcation of that if one (m × l)-bit-string is the key..

1. While m0 < 2t + 1, a random (m × l)-bit-string except the key can not be veriﬁed if and only if every group key with error results the right plaintext with probability 50%. So verifying this kind of bit-strings with ciphertext whose length is n × m, the probability

1 m0×n pe =1− ( ) . (7) 2

m 2t 2. While m0 ≥ 2t + 1, a random (m × l)-bit-string may result 2 0 diﬀerent ciphertexts, there are at least 2 invalid ciphertexts. When checking this kind of bit-strings, the probability

2t−m0 n pe > 1 − (1 − 2 ) . (8)

Let security parameter is p0 =1− δ, if we want to satisfy pe ≥ p0 with every m0:ifm0 < 2t + 1, it turns out ln(1−p0) ln(1−p0) n − n 2t−m = m0 ln 2 ; else it turns out = ln(1−2 0 ) . Note that the length of ciphertext enough to verifying each bit-string all must be the maximum n,so − p − p − p n {−ln(1 0), ln(1 0) } ln(1 0) . 0 =max 2t−m = 2t−m (9) m0 m0 ln 2 ln(1 − 2 0 ) ln(1 − 2 )

Then the quantum unicity distance for p0 is

NQ = n0 ×|K|, (10) here |K| =2m×l is the size of the key space.

5. DISCUSSIONS We showed the quantum unicity distance of the quantum protocol suggested here, this result has many constraints and is not suitable for a general quantum encryption protocol. So a universal way to work out the quantum unicity distance of a general quantum protocol and the formal expression of quantum unicity distance are still open problems.

Proc. of SPIE Vol. 8440 84400T-5 6. CONCLUSIONS In this paper we suggest a deﬁnition of quantum unicity distance for one kind of quantum cryptography, and give the quantum unicity distances of an bounded information-theoretic secure quantum encryption protocol. We show that while a classical key is reused to encrypt a classical plaintext with a quantum algorithm, there exists a theoretical limitation of the reused times beyond it the key should be unsafe. This quantum unicity distance is much bigger than Shannon’s unicity distance.

ACKNOWLEDGMENTS This work was supported by the National Natural Science Foundation of China under Grant No. 61173157, and Strategy Pilot Project of Chinese Academy of Sciences (sub-project XDA06010702).

REFERENCES [1] Shannon, C. E., “Communication theory of secrey systems”, Bell Systems Technical Journal 28, 656–715 (1949). [2] Deavours, C. A., “Unicity points in cryptanalysis”, Cryptologa 1(1), 46 (1977). [3] Schneier, B., [Applied Cryptography], John Wiley & Sons (1996). [4] Mao, Y. and Wu, M., “Unicity distance of robust image hashing”, IEEE Trans. on Information Forensics and Security 2(3), 462 (2007). [5] Liu, L., Zhang, Y., and Li, L. L., “On the secure model of multimedia hashing”, ICISE 2010 2nd Interna- tional conference on , 2212 (2010). [6] Ekert, A., “Quantum cryptography based on bell’s theorem”, Phys. Rev. Lett. 67, 661 (1991). [7] Lo, H. K. and Chau, H. F., “Quantum cryptography in noisy channels”, e-print arXiv: quant-ph/9511025 (1995). [8] Deutsch, D., Ekert, A., Jozsa, R., Macchiavello, C., Popescu, S., and Sanpera, A., “Quantum privacy ampliﬁcation and the security of quantum cryptography over noisy channels”, Phys. Rev. Lett. 77, 2818 (1996). [9] Mayers, D., “Quantum key distribution and string oblivious transfer in noisy channels”, Advances in Cryptology–Proceeding of CRYPTO’96 Springer-Verlag, New York , 343 (1996). [10] Mayers, D., “Unconditional security in quantum cryptography”, J. Assoc. Comput. Mach 48, 351 (2001). [11] Ambainis, A., Mosca, M., Tapp, A., and de Wolf, R., “Private quantum channel”, Proc. 41st FOCS , 547 (2000). [12] Ambainis, A. and Smith, A., “Small pseudo-random families of matrices: Derandomizing approximate quantum encryption”, Proc. RANDOM, LNCS 3122, Berlin-Heidelberg-NewYork: Springer , 249 (2004). [13] Boykin, P. and Roychowdhury, V., “Optimal encryption of quantum bits”, Phys. Rev. A 67(4), 42317 (2003). [14] Goldreich, O., [Foudations of Cryptography: Basic Applications], Cambridge University Press, Cambridge (2001). [15] Yang, L., Xiang, C., and Li, B., “Qubit-string-based bit commitment protocols with physical security”, e-print arXiv: 1011.5099v2 (2010). [16] Goldwasser, S. and Micali, S., “Probabilistic encryption”, Special issue of Journal of Computer and Systems Sciences 28(2), 270 (1984).

Proc. of SPIE Vol. 8440 84400T-6