Applications of single-qubit rotations in quantum public-key cryptography Georgios M. Nikolopoulos Institute of Electronic Structure and Laser, FORTH, P. O. Box 1527, Heraklion 711 10, Crete, Greece (Dated: November 2, 2018) We discuss cryptographic applications of single-qubit rotations from the perspective of trapdoor one-way functions and public-key encryption. In particular, we present an asymmetric cryptosystem whose security relies on fundamental principles of quantum physics. A quantum public key is used for the encryption of messages while decryption is possible by means of a classical private key only. The trapdoor one-way function underlying the proposed cryptosystem maps integer numbers to quantum states of a qubit and its inversion can be infeasible by virtue of the Holevo’s theorem. PACS numbers: 03.67.Dd, 03.67.Hk I. INTRODUCTION lem even in the presence of the most powerful adversaries. Nevertheless, the key management remains one of the Modern public-key (or else asymmetric) cryptography main drawbacks of symmetric encryption schemes [1]. In relies on numerical trapdoor one-way functions, i.e., func- particular, the problem pertains to large networks where tions that are “easy” to compute, but “hard” to invert each entity needs a secret key with every other entity. without some additional information (the so-called trap- Hence, the total number of secret keys scales quadrati- door information) [1]. The main characteristic of these cally with the number of users in the network. mathematical objects is that they provide the legitimate One solution to the key-management problem is the users with a tractable problem, while at the same time use of an unconditionally trusted third party which is any unauthorized user (adversary) has to face a compu- burdened with the key management and acts as a key- tationally infeasible problem. This barrier between le- distribution center (KDC). The main problem with this gitimate users and adversaries, due to complexity of ef- solution, however, is that the KDC itself becomes an at- fort, is the key idea behind most of the known public-key tractive target, while a compromised KDC renters imme- cryptosystems. Each participant in such a cryptosystem diately all communications insecure. An alternative solu- has to have a personal key consisting of two parts, i.e., tion to the key-management problem is provided by con- the public and the secret (also known as private) part. ventional public-key cryptosystems which are very flex- Messages are encrypted with use of the public key and ible but, as we discussed earlier, offer computationally the decryption of the resulting ciphertext is possible by security only. means of the private key. Clearly, an ideal solution to both of the key- The security of conventional public-key cryptography distribution and management problems is a quantum relies on the hardness of some computational problems public-key (asymmetric) cryptosystem, which combines (e.g., integer factorization problem, discrete logarithm the provable security of QKD protocols with the flexibil- problem, etc). These numerical problems are considered ity of conventional public-key encryption schemes. The to be good candidates for one-way functions (OWFs), development of such a cryptosystem, however, requires and this belief relies mainly on the large amount of re- the existence of quantum trapdoor OWFs. In particular, sources (computing power and time) required for their the one-way property of these functions has to rely on solution using the best known algorithms. Nevertheless, fundamental principles of quantum theory, rather than arXiv:0801.2840v1 [quant-ph] 18 Jan 2008 the fact that the existence of numerical OWFs has not unproven computational assumptions. been proved rigorously up to now, makes all of the known To the best of our knowledge, the number of related public-key cryptosystems vulnerable to any future ad- theoretical investigations is rather small, and all of them vances in algorithms and hardware (e.g., the construction pertain to a futuristic scenario where all of the parties of a quantum computer). involved (legitimate users and adversaries) possess quan- In contrast to the computational security offered by tum computers. The concept of quantum OWF was first conventional public-key schemes, there exist symmetric introduced in [4, 5], where the authors demonstrated that cryptosystems (e.g., one-time pad) which offer provable such a function can be obtained by mapping classical security provided that a secret truly random key is shared bit-strings to quantum states of a collection of qubits. between the entities who wish to communicate. To- Nevertheless, these two papers do not pertain directly day, the establishment of such a key between two parties to public-key encryption, but rather to quantum fin- can be achieved by means of quantum key-distribution gerprinting [4], and digital signatures [5, 6]. Later on, (QKD) protocols [2]. By virtue of fundamental principles Kawachi et al. [7] investigated the cryptographic prop- of quantum mechanics that do not allow passive moni- erties of the distinguishability problem between two ran- toring and cloning of unknown quantum states [3], QKD dom coset states with hidden permutation. This prob- protocols provide a solution to the key-distribution prob- lem can be viewed as a quantum extension of the dis- 2 tinguishability problems between two probability distri- covering the integer s from the given state |φsi) with a butions used in conventional cryptography [1]. Finally, non-negligible probability. besides quantum OWFs there have been also investiga- Actually, by definition the inversion of a quantum tions on OWFs which rely on “hard” problems appearing OWF is a hard problem for everyone (legitimate users in other areas of physics such as statistical physics [8], op- and eavesdroppers). For cryptographic applications, tics [9], and mesoscopic physics of disordered media [10]. however, authorized users should be able to identify the In this paper we establish a theoretical framework for state of the quantum system, and thus inverse the map quantum public-key encryption based on qubit rotations. s 7→ |φsi, more efficiently than any unauthorized party. In particular, we explore the trapdoor and one-way prop- Hence, it is essential to introduce a trapdoor information erties of functions that map integer numbers onto single- which makes the inversion of the map computationally qubit states. Moreover, we present an asymmetric cryp- feasible for anyone who possesses it. tosystem which is provably secure even against powerful Having introduced the notion of quantum trapdoor quantum eavesdropping strategies. OWFs in a rather general theoretical framework, in the following we specialize the present discussion to a partic- ular family of such functions based on single-qubit rota- II. QUANTUM TRAPDOOR (ONE-WAY) tions. FUNCTIONS In this section we introduce the notion of the quantum B. A quantum trapdoor function based on trapdoor OWF, that maps integer numbers to quantum single-qubit rotations states of a physical system. The discussion involves a sce- nario where all of the parties (legitimate users and adver- For the sake of simplicity, we will present our quantum saries) possess quantum computers and are only limited trapdoor OWF in the context of single-qubit states lying by the laws of physics. on the x − z plane of the Bloch-sphere. The main idea can be easily extended to qubit states that lie on the three-dimensional Bloch sphere. A. Definition and properties Let us denote by { |0zi, |1zi} the eigenstates of the Pauli operator Zˆ = ( |0zih0z| − |1zih1z| ), which form Definition. Consider two sets S and Q which involve an orthonormal basis in the Hilbert space of a qubit H2. numbers and quantum states of a physical system, re- A general qubit state lying on the x − z plane can be spectively. A quantum OWF is a map M : S 7→ Q, which written as |ψ(θ)i = cos(θ/2) |0zi + sin (θ/2) |1zi, where is “easy” to perform, but “hard” to invert. A quantum 0 ≤ θ< 2π. Hence unlike the classical bit which can store OWF whose inversion becomes feasible by means of some a discrete variable taking only two real values (that is “0” information (trapdoor information) is a quantum trap- and “1”), a qubit may represent a continuum of states on door OWF. the x − z Bloch plane. Introducing the rotation operator ˆ −iθYˆ/2 ˆ Throughout this work we will focus on quantum trap- about the y axis, R(θ) = e with Y = i( |1zih0z| − door OWFs whose input is an integer s ∈ Zn := |0zih1z| ), we may alternatively write |ψ(θ)i = Rˆ(θ) |0zi. {0, 1,...,n − 1|n ∈ N}, and its output is the state of The input of the proposed quantum trapdoor function a quantum system, say |φsi. To elaborate further on the is a random integer s uniformly distributed over Z2n with terms “easy” and “hard”, consider a quantum system n ∈ N, and a qubit initially prepared in |0zi. Thus, n- initially prepared in some state |0i and let H be the cor- bit strings suffice as labels to identify the input s for responding Hilbert space. For a randomly chosen s ∈ Zn fixed n. For given values of n ∈ N and s ∈ Z2n , the we apply an operation Oˆ(s): H 7→ H on the system, qubit state is rotated by sθn around the y-axis with θn = n−1 which changes the initial state |0i → |φsi = Oˆ(s) |0i. π/2 . Hence, for some fixed n ∈ N, the output of the The set of all possible output states of the quantum OWF OWF pertains to the class of states Qn = { |ψs(θn)i|s ∈ n−1 is Q ≡ { |φsi|s ∈ Zn}, and belongs to H. If the map Z2n ,θn = π/2 }, with M : Z 7→ Q is a bijection there is a unique s ∈ Z such n n ˆ that |0i → |φsi, i.e., M is one-to-one and |Zn| = |Q|.