Secure Quantum Network Coding Theory [1 ed.] 9811533857, 9789811533853

Table of contents :
Preface
Acknowledgements
Contents
Part I Quantum Network Coding
1 Introduction
1.1 Concept of Network Coding
1.2 Development of Quantum Network Coding
1.3 Classification of Quantum Network Coding
1.4 Future Direction
References
2 Preliminaries
2.1 Main Notions
2.1.1 Hilbert Space
2.1.2 Tensor Product
2.1.3 Quantum State
2.1.4 Density Operator
2.1.5 Quantum Operator
2.1.6 Quantum Measurement
2.1.7 Bloch Sphere
2.1.8 Fidelity
2.1.9 Trace Distance
2.2 Key Operations
2.2.1 Bell Measurement
2.2.2 Group Operation
2.2.3 Quantum Teleportation
References
3 Typical Quantum Network Coding Schemes
3.1 Non-additional Resource Scheme
3.1.1 XQQ
3.1.2 General Graph
3.2 Prior Entanglement Scheme
3.2.1 Prior Entanglement Between Senders
3.2.2 Sharing Non-maximally Entangled States
3.3 Quantum Register Scheme
3.3.1 Perfect Linear Quantum Network Coding
3.3.2 Perfect Nonlinear Quantum Network Coding
3.3.3 Perfect Quantum Network Coding for Multicast
3.4 Quantum Repeater Scheme
3.5 Quantum Cluster Scheme
3.6 Performance Analysis
3.6.1 Achievable Rate Region
3.6.2 With Free Classical Communication
3.6.3 With Free Entanglement
3.6.4 Comparison of Schemes
3.6.5 Comparison with Routing
References
4 Quantum Network Coding Based on Repeater
4.1 Quantum Network Coding for General Repeater Networks
4.1.1 Requirement of General Networks
4.1.2 Quantum Repeater Network
4.1.3 LOCC (Local Operations and Classical Communication)
4.1.4 Basic Operations
4.1.5 QNC Scheme for General Repeater Networks
4.1.6 Property of QNC Scheme
4.1.7 Performance Analysis
4.1.8 Discussion
4.2 Secure Quantum Network Coding for Controlled Repeater Networks
4.2.1 Consumption and Security of Quantum Repeater Networks
4.2.2 Quantum One-Time Pad
4.2.3 Network Model
4.2.4 Basic Operations
4.2.5 QNC Scheme for Controlled Repeater Networks
4.2.6 Performance Analysis
4.2.7 Security Analysis
4.2.8 Discussion
4.3 Summary
References
5 Quantum Network Coding Based on Controller
5.1 Quantum Network Coding Based on Controlled Teleportation
5.1.1 Requirement of a Trusted Third Party
5.1.2 Controlled Teleportation
5.1.3 QNC Scheme Based on XQQ
5.1.4 QNC Scheme Based on Prior Entanglement
5.1.5 Performance Analysis
5.1.6 Security Analysis
5.1.7 Discussion
5.2 Secure Quantum Network Coding with Identity Authentication
5.2.1 Requirement of Identity Authentication
5.2.2 Quantum Security Direct Communication
5.2.3 QNC Scheme with Identity Authentication
5.2.4 Performance Analysis
5.2.5 Security Analysis
5.3 Summary
References
6 Opportunistic Quantum Network Coding
6.1 Opportunistic Characteristic of Network Coding
6.2 Classical Opportunistic Coding
6.3 Quantum Channel Verification
6.4 Opportunistic QNC Scheme
6.5 Property of QNC Scheme
6.6 Performance Analysis
6.6.1 Network Throughput
6.6.2 Resource Consumption
6.7 Security Analysis
6.7.1 Classical Attack
6.7.2 Quantum Attack
6.8 Summary
References
7 Quantum Network Coding with Message Authentication
7.1 Quantum Homomorphic Signature for QNC
7.1.1 Signature for Quantum Networks
7.1.2 Homomorphic Signature
7.1.3 Entanglement Swapping
7.1.4 Quantum Homomorphic Signature Scheme
7.1.5 Property of Signature Scheme
7.1.6 Security Analysis
7.1.7 Discussion
7.2 Secure Quantum Network Coding with Message Authentication
7.2.1 Efficient Authentication of Homomorphic Signature
7.2.2 Problem of Quantum Homomorphic Signature Scheme
7.2.3 QNC Scheme with Message Authentication
7.2.4 Performance Analysis
7.2.5 Security Analysis
7.3 Summary
References
8 Continuous-Variable Quantum Network Coding
8.1 Continuous-Variable Quantum Network Coding Using Coherent States
8.1.1 Advantage of Continuous Variables
8.1.2 Continuous-Variable Quantum Cloning
8.1.3 Linear Optics for Continuous Variables
8.1.4 Continuous-Variable Quantum Teleportation
8.1.5 CVQNC Scheme Using Approximate Operations
8.1.6 CVQNC Scheme with Prior Entanglement
8.1.7 Performance Analysis
8.1.8 Discussion
8.2 Continuous-Variable Quantum Homomorphic Signature
8.2.1 Homomorphic Signature for CVQNC
8.2.2 Requirement of Quantum Homomorphic Signature
8.2.3 Continuous-Variable Entanglement Swapping
8.2.4 CVQHS Scheme
8.2.5 Property of CVQHS Scheme
8.2.6 Performance Analysis
8.2.7 Security Analysis
8.3 Secure CVQNC with Message Authentication
8.3.1 Message Authentication of CVQNC
8.3.2 Secure CVQNC Scheme
8.3.3 Performance Analysis
8.3.4 Security Analysis
8.4 Summary
References
Part II Security Analysis Method
9 Security Analysis of Quantum Cryptographic Protocols
9.1 Main Attacks
9.1.1 Intercept-and-Resend Attack
9.1.2 Teleportation Attack
9.1.3 Man-in-the-Middle Attack
9.1.4 Participant Attack
9.1.5 Implementation Attack
9.2 Security Analysis Methods
9.2.1 BAN Logic
9.2.2 Random Oracle Model
9.2.3 Quantum-Accessible Random Oracle Model
References
10 Security Analysis Based on BAN Logic
10.1 Formal Analysis
10.2 Quantum Identity Authentication
10.3 Representative QIA Protocol
10.4 Analysis Procedure
10.4.1 Description of Notions and Rules
10.4.2 Inference Based on BAN Logic
10.5 Summary
References
11 Security Analysis Based on Quantum Random Oracle Model
11.1 Quantum Random Oracle Model for Quantum Digital Signature
11.1.1 Development of Random Oracle
11.1.2 Quantum Digital Signature
11.1.3 Representative QDS Scheme
11.1.4 Security Analysis from RO to QRO
11.1.5 Quantum Random Oracle Model for QDS
11.1.6 Analysis Procedure
11.1.7 Discussion
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption
11.2.1 Instantiation of Quantum Random Oracle Model
11.2.2 Quantum Hash Function
11.2.3 Quantum Public-Key Encryption
11.2.4 QPKE in the QRO Model
11.2.5 Instantiation of QRO for a Bad and a Good Example
11.2.6 Numerical Simulation of Key-Collision Attack
11.3 Summary
References
12 Security Analysis of Quantum Obfuscation
12.1 Obfuscatability of Quantum Point Functions
12.1.1 Development of Obfuscation
12.1.2 Quantum Circuit
12.1.3 Quantum Obfuscation
12.1.4 Quantum-Accessible Random Oracle Model
12.1.5 Reduction for Quantum Obfuscation
12.1.6 Obfuscation of Combined Quantum Circuits
12.1.7 Quantum Point Function
12.1.8 Application to Quantum Zero-Knowledge
12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation
12.2.1 Requirement of Indistinguishability
12.2.2 Efficient Quantum Circuit and Quantum Computation
12.2.3 Quantum One-Time Pad
12.2.4 Quantum Symmetric Encryption and Its Security
12.2.5 Quantum Point Obfuscation
12.2.6 IND-Secure Quantum Symmetric Encryption Scheme
12.2.7 Security Analysis
12.3 Summary
References
13 Security Analysis of Measurement-Device Independency
13.1 Device Independency Analysis
13.2 Measurement-Device Independency
13.3 Continuous-Variable Quantum Homomorphic Signature
13.4 Analysis Procedure
13.4.1 Attack Model
13.4.2 Probability of a Forged Signature Passing Verification
13.4.3 Probability of a Legal Signature Being Denied
13.5 Discussion
13.6 Summary
References
Index

Citation preview

Tao Shang Jianwei Liu

Secure Quantum Network Coding Theory

Secure Quantum Network Coding Theory

Tao Shang Jianwei Liu •

Secure Quantum Network Coding Theory

123

Tao Shang School of Cyber Science and Technology Beihang University Beijing, China

Jianwei Liu School of Cyber Science and Technology Beihang University Beijing, China

ISBN 978-981-15-3385-3 ISBN 978-981-15-3386-0 https://doi.org/10.1007/978-981-15-3386-0

(eBook)

Jointly published with National Defense Industry Press The print edition is not for sale in China. Customers from China please order the print book from: National Defense Industry Press. © Springer Nature Singapore Pte Ltd. 2020 This work is subject to copyright. All rights are reserved by the Publishers, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publishers, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publishers nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publishers remain neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore

Preface

In 2009, after the author JianWei Liu visited the University of Florida as a senior visiting scholar, the author Tao Shang first learned about network coding from the received proceedings. In fact, the concept of network coding was first proposed in 2000 and has been always a hot topic of communication field till now. At that time, the authors became interested in network coding and attracted by the great charm of network coding. That is to say, encoding operation can greatly enhance the performance of network communication instead of pervasive routing technology, which will become a kind of overturning technology for network communication. Thus, the authors began to dedicate more efforts to network coding from principle to application. In 2013, the author Tao Shang learned about the importance of quantum communication in the near future. He thought that network coding was a new communication technology and wondered whether it was feasible to apply network coding to quantum communication or not. Meanwhile, he recognized that quantum communication is featured with security inherent in communication, which can be believed to be the perfect combination of communication and security. So he planned to solve the bottleneck problem of quantum network coding from the perspective of communication and security. As far as we know, quantum network coding was first proposed in 2006. Till 2013, there were few achievements and only several schemes were proposed. However, it aroused the authors’ immense interest, they attempted to combine coding theory with cryptography. From the viewpoints of the coding method, coding model, and coding security, the author designed a series of quantum network coding schemes by means of combining quantum cryptography into quantum communication. During the process of research, many students showed great enthusiasm in quantum network coding and provided many valuable achievements. Three representative schemes that not only influenced the authors greatly but also provided a deep insight into the subject and fueled their interests in network coding and quantum network coding are as follows: foremost is the classic “XQQ” scheme proposed by Masahito Hayashi, the second is “prior entanglement” also proposed by Masahito Hayashi, the third is quantum repeater scheme proposed by v

vi

Preface

Takahiko Satoh. Although many schemes have been proposed untilnow, theoretical knowledge on quantum network coding such as classification, performance analysis, security analysis, and future direction is still not clear. In recent years, network coding has been applied to classical communication, especially in wireless communication. Since quantum network coding was proposed for quantum communication, the advent of quantum network coding gave a new dimension to the use of network coding. The advent in the past few years of technology has given an added dimension to the network coding. A simple example is a scenario of quantum internet proposed in the 2017 Qcrypt conference. Persistent objective is to effectively combine cryptography into communication, especially quantum communication, even if quantum communication is thought to be unconditionally secure in the case of two-party communication. The authors believe that quantum communication needs cryptography and general security analysis methods can facilitate the design of quantum protocols. The authors expect the readers of this book to first learn about quantum network coding, its principle, classification, development, and main problems. The authors expect them to design secure quantum network coding and finally develop the theory of quantum network coding. What is the range of topics, innovative technologies for designing a secure quantum network coding scheme? This book will help the readers understand these with ease. What is an effective analysis method for quantum protocols? Exemplary protocols are shown such as quantum authentication, quantum signature, quantum encryption, and quantum network coding. So this book consists of two parts. Part I is quantum network coding from Chaps. 1 to 8 and Part II is security analysis method from Chaps. 9 to 13. The organization of the chapters is as follows: Chapter 1 gives a detailed introduction to quantum network coding. It emphasizes the basic concept of quantum network coding and introduces the development of quantum network coding from 2006. Chapter 2 explains the preliminaries of quantum network coding, including main notions and key operations. Classification is provided for the existing schemes of quantum network coding. Also, the main directions are discussed for the future research. Chapter 3 describes the paradigm schemes of quantum network coding. These schemes are divided from the viewpoints of non-additional resource, prior entanglement, quantum register, quantum repeater, quantum cluster, and performance analysis. Chapter 4 concentrates on quantum network coding based on the repeater. Quantum repeater is an important device of quantum networks. Firstly, quantum repeater is introduced into quantum network coding for a general network. Here LOCC operations and general graph are two basic points. Then secure quantum network coding scheme for controlled repeater networks is designed by considering node authentication and network model. Especially, LOCC is replaced by LOQC from the perspective of security. Chapter 5 explains quantum network coding based on controller. Quantum teleportation is a process by which quantum information can be transmitted from one location to another, with the help of classical communication and previously shared

Preface

vii

quantum entanglement between the sending and receiving location. It depends on classical communication. From the perspective of security, controlled teleportation is a good choice for quantum communication. A controller can be looked on as a trusted third party, which can introduce some classical secure mechanisms into quantum communication. Through identity authentication between a node and a controller, secure quantum network coding scheme is designed. Chapter 6 explains opportunistic quantum network coding. COPE is a classical opportunistic coding method. How to design a quantum network coding scheme with opportunistic characteristics like COPE is a key problem. Furthermore, the problem of how to distinguish between legal listener and illegal eavesdropper is needed to be solved. Opportunistic quantum network coding scheme is designed by means of combining quantum channel verification and opportunistic listening. Chapter 7 is for quantum network coding with message authentication. Digital signature is an effective method for message authentication, while quantum digital signature is an effective method for quantum message authentication. For quantum network coding, quantum homomorphic signature is a basic point. Quantum homomorphic signature is based on entanglement swapping. Then a quantum network coding scheme against pollution attacks is designed. Chapter 8 covers continuous-variable quantum network coding using coherent states. Continuous variable is the most feasible approach. From the perspective of continuous variable, two schemes based on coherent states are designed. Especially, for the practical performance, practical influence on network throughput and implementation scheme of nonideal amplifier are considered. In addition, continuousvariable quantum homomorphic signature is designed for continuous-variable quantum network coding based on continuous-variable entanglement swapping. Chapter 9 describes security analysis of quantum cryptographic protocols, including main attacks and analysis methods. Chapter 10 describes security analysis based on BAN logic. Quantum identity authentication protocol is taken for example. Chapter 11 describes security analysis based on quantum random oracle model. Quantum random oracle model is a new concept. Quantum digital signature protocol is taken for example. Analysis procedure based on quantum random oracle model is described in detail. Chapter 12 explains security analysis of quantum obfuscation. A series of new concepts of quantum obfuscation are defined. Quantum point function is taken for discussion. Analysis procedure based on quantum obfuscation is described in detail. Chapter 13 explains security analysis of measurement-device independency. Continuous-variable quantum homomorphic signature protocol is taken for example. Analysis procedure for measurement-device independency is described in detail. Beijing, China

Tao Shang Jianwei Liu

Acknowledgements

The author Tao Shang is grateful to his advisor, Prof. ShuoYu Wang at the Kochi University of Technology in Japan, an eminent scientist, and educationist. From this teacher, he learned about the great role of self-learning and interest arousing for understanding emerging technologies, and he developed passion and patience for knowledge acquirement. He also learned to keep abreast of the latest technology areas no matter whatever a young scholar could meet at the initial work phase. He has blessed the author all through his academic life since 2006. The author Tao Shang is grateful to Prof. JianWei Liu at the Beihang University, a distinguished scientist in the field of network security and cryptography. Prof. Liu guided him into the field of cryptography, gave him an opportunity to set up from scratch the quantum cryptography group, and cooperated on the writing of this book. The research group member, XiaoJie Zhao (2012–2015) at the Beihang University, Jiao Li and Zhuang Pei (2013–2016) at the Beihang University, Gang Du (2014–2017) at the Beihang University, Ke Li and Qi Lei (2015–2018) at the Beihang University, ChengRan Fang (2016–2019) at the Beihang University, RanYiLiu Chen and Zheng Zhao (2017–2020) at the Beihang University, Ran Liu and HaiZheng Sun (2018–2021) at the Beihang University. All members proofread the manuscript, particularly RanYiLiu Chen and Zheng Zhao provided many services for the editing of the book, such as checking and minutely tracing the errors in the book. The author Tao Shang is especially thankful to Prof. XiuBo Chen at the Beijing University of Posts and Telecommunications for the cooperation of quantum cryptography and quantum network coding and Prof. QianHong Wu, ChunDi Xiu, Jian Mao, ZhenYu Guan, and Zongyang Zhang at the Beihang University for the support during this process. Blessings of Prof. Zheng Zheng at the Beihang University, Head of Department of Optoelectronics and Information Engineering, and his continuous support in theory and experiment are also unforgettable. The help of his colleague, particularly Prof. Xin Zhao at various stages is gratefully acknowledged.

ix

x

Acknowledgements

The book is supported by the National Natural Science Foundation of China (No. 61571024 and No. 61971021), the National Key Research and Development Program of China (No. 2016YFC1000307), and Aeronautical Science Foundation of China (No. 2018ZC51016). The authors are thankful to Miss XingYue Chen for making the drawings and Miss Ran Liu for making the related translations. The authors are grateful to the editorial team for reviews and suggestions. Finally, the author Tao Shang is grateful to his understanding spouse, two lovely daughters, and his kind parents.

Contents

Part I

Quantum Network Coding

1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1 Concept of Network Coding . . . . . . . . . . . 1.2 Development of Quantum Network Coding 1.3 Classification of Quantum Network Coding 1.4 Future Direction . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

3 3 5 7 8 9

2

Preliminaries . . . . . . . . . . . . . . . . . . . 2.1 Main Notions . . . . . . . . . . . . . . 2.1.1 Hilbert Space . . . . . . . . 2.1.2 Tensor Product . . . . . . . 2.1.3 Quantum State . . . . . . . 2.1.4 Density Operator . . . . . 2.1.5 Quantum Operator . . . . 2.1.6 Quantum Measurement . 2.1.7 Bloch Sphere . . . . . . . . 2.1.8 Fidelity . . . . . . . . . . . . 2.1.9 Trace Distance . . . . . . . 2.2 Key Operations . . . . . . . . . . . . . 2.2.1 Bell Measurement . . . . 2.2.2 Group Operation . . . . . 2.2.3 Quantum Teleportation . References . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

11 11 11 13 14 16 17 17 20 22 22 23 23 23 24 25

3

Typical Quantum Network Coding Schemes . 3.1 Non-additional Resource Scheme . . . . . . 3.1.1 XQQ . . . . . . . . . . . . . . . . . . . . 3.1.2 General Graph . . . . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

27 27 27 30

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

xi

xii

Contents

3.2

Prior Entanglement Scheme . . . . . . . . . . . . . . . . . . . . . . 3.2.1 Prior Entanglement Between Senders . . . . . . . . . 3.2.2 Sharing Non-maximally Entangled States . . . . . . 3.3 Quantum Register Scheme . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 Perfect Linear Quantum Network Coding . . . . . 3.3.2 Perfect Nonlinear Quantum Network Coding . . . 3.3.3 Perfect Quantum Network Coding for Multicast . 3.4 Quantum Repeater Scheme . . . . . . . . . . . . . . . . . . . . . . 3.5 Quantum Cluster Scheme . . . . . . . . . . . . . . . . . . . . . . . 3.6 Performance Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6.1 Achievable Rate Region . . . . . . . . . . . . . . . . . . 3.6.2 With Free Classical Communication . . . . . . . . . 3.6.3 With Free Entanglement . . . . . . . . . . . . . . . . . . 3.6.4 Comparison of Schemes . . . . . . . . . . . . . . . . . . 3.6.5 Comparison with Routing . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

32 32 34 36 36 40 41 43 47 47 47 48 49 50 50 51

Quantum Network Coding Based on Repeater . . . . . . . . . . . . 4.1 Quantum Network Coding for General Repeater Networks 4.1.1 Requirement of General Networks . . . . . . . . . . . . 4.1.2 Quantum Repeater Network . . . . . . . . . . . . . . . . 4.1.3 LOCC (Local Operations and Classical Communication) . . . . . . . . . . . . . . . . . . . . . . . . . 4.1.4 Basic Operations . . . . . . . . . . . . . . . . . . . . . . . . 4.1.5 QNC Scheme for General Repeater Networks . . . 4.1.6 Property of QNC Scheme . . . . . . . . . . . . . . . . . . 4.1.7 Performance Analysis . . . . . . . . . . . . . . . . . . . . . 4.1.8 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Secure Quantum Network Coding for Controlled Repeater Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2.1 Consumption and Security of Quantum Repeater Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2.2 Quantum One-Time Pad . . . . . . . . . . . . . . . . . . . 4.2.3 Network Model . . . . . . . . . . . . . . . . . . . . . . . . . 4.2.4 Basic Operations . . . . . . . . . . . . . . . . . . . . . . . . 4.2.5 QNC Scheme for Controlled Repeater Networks . 4.2.6 Performance Analysis . . . . . . . . . . . . . . . . . . . . . 4.2.7 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . 4.2.8 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

53 53 53 54

. . . . . .

. . . . . .

. . . . . .

. . . . . .

56 57 59 68 70 71

....

72

. . . . . . . . . .

72 72 73 74 76 79 81 82 83 84

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

Contents

5

xiii

........

87

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

87 87 88 89 91 93 94 95

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

96 96 96 97 100 101 103 103

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

105 105 106 107 109 116 118 118 119 120 120 121 122 123

Quantum Network Coding with Message Authentication 7.1 Quantum Homomorphic Signature for QNC . . . . . . . 7.1.1 Signature for Quantum Networks . . . . . . . . 7.1.2 Homomorphic Signature . . . . . . . . . . . . . . . 7.1.3 Entanglement Swapping . . . . . . . . . . . . . . . 7.1.4 Quantum Homomorphic Signature Scheme . 7.1.5 Property of Signature Scheme . . . . . . . . . . . 7.1.6 Security Analysis . . . . . . . . . . . . . . . . . . . . 7.1.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

125 125 125 126 127 129 132 135 137

Quantum Network Coding Based on Controller . . . . . . . 5.1 Quantum Network Coding Based on Controlled Teleportation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.1 Requirement of a Trusted Third Party . . . . . 5.1.2 Controlled Teleportation . . . . . . . . . . . . . . . 5.1.3 QNC Scheme Based on XQQ . . . . . . . . . . . 5.1.4 QNC Scheme Based on Prior Entanglement . 5.1.5 Performance Analysis . . . . . . . . . . . . . . . . . 5.1.6 Security Analysis . . . . . . . . . . . . . . . . . . . . 5.1.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Secure Quantum Network Coding with Identity Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.1 Requirement of Identity Authentication . . . . 5.2.2 Quantum Security Direct Communication . . 5.2.3 QNC Scheme with Identity Authentication . . 5.2.4 Performance Analysis . . . . . . . . . . . . . . . . . 5.2.5 Security Analysis . . . . . . . . . . . . . . . . . . . . 5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6

Opportunistic Quantum Network Coding . . . . . . . . . 6.1 Opportunistic Characteristic of Network Coding . 6.2 Classical Opportunistic Coding . . . . . . . . . . . . . 6.3 Quantum Channel Verification . . . . . . . . . . . . . . 6.4 Opportunistic QNC Scheme . . . . . . . . . . . . . . . . 6.5 Property of QNC Scheme . . . . . . . . . . . . . . . . . 6.6 Performance Analysis . . . . . . . . . . . . . . . . . . . . 6.6.1 Network Throughput . . . . . . . . . . . . . . 6.6.2 Resource Consumption . . . . . . . . . . . . . 6.7 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . 6.7.1 Classical Attack . . . . . . . . . . . . . . . . . . 6.7.2 Quantum Attack . . . . . . . . . . . . . . . . . . 6.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

xiv

Contents

7.2

Secure Quantum Network Coding with Message Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 Efficient Authentication of Homomorphic Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.2 Problem of Quantum Homomorphic Signature Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.3 QNC Scheme with Message Authentication . . . 7.2.4 Performance Analysis . . . . . . . . . . . . . . . . . . . 7.2.5 Security Analysis . . . . . . . . . . . . . . . . . . . . . . 7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

8

. . . . . . 139 . . . . . . 139 . . . . . .

. . . . . .

. . . . . .

Continuous-Variable Quantum Network Coding . . . . . . . . . . . 8.1 Continuous-Variable Quantum Network Coding Using Coherent States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.1 Advantage of Continuous Variables . . . . . . . . . . . . 8.1.2 Continuous-Variable Quantum Cloning . . . . . . . . . 8.1.3 Linear Optics for Continuous Variables . . . . . . . . . 8.1.4 Continuous-Variable Quantum Teleportation . . . . . 8.1.5 CVQNC Scheme Using Approximate Operations . . 8.1.6 CVQNC Scheme with Prior Entanglement . . . . . . . 8.1.7 Performance Analysis . . . . . . . . . . . . . . . . . . . . . . 8.1.8 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.2 Continuous-Variable Quantum Homomorphic Signature . . . 8.2.1 Homomorphic Signature for CVQNC . . . . . . . . . . 8.2.2 Requirement of Quantum Homomorphic Signature . 8.2.3 Continuous-Variable Entanglement Swapping . . . . 8.2.4 CVQHS Scheme . . . . . . . . . . . . . . . . . . . . . . . . . 8.2.5 Property of CVQHS Scheme . . . . . . . . . . . . . . . . . 8.2.6 Performance Analysis . . . . . . . . . . . . . . . . . . . . . . 8.2.7 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 8.3 Secure CVQNC with Message Authentication . . . . . . . . . . 8.3.1 Message Authentication of CVQNC . . . . . . . . . . . 8.3.2 Secure CVQNC Scheme . . . . . . . . . . . . . . . . . . . . 8.3.3 Performance Analysis . . . . . . . . . . . . . . . . . . . . . . 8.3.4 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 8.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

140 141 143 144 145 146

. . . 147 . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . .

147 147 149 150 151 152 155 159 161 167 167 168 169 171 173 174 178 180 180 181 183 184 186 187

Contents

Part II 9

xv

Security Analysis Method

Security Analysis of Quantum Cryptographic Protocols . 9.1 Main Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.1.1 Intercept-and-Resend Attack . . . . . . . . . . . . 9.1.2 Teleportation Attack . . . . . . . . . . . . . . . . . . 9.1.3 Man-in-the-Middle Attack . . . . . . . . . . . . . . 9.1.4 Participant Attack . . . . . . . . . . . . . . . . . . . . 9.1.5 Implementation Attack . . . . . . . . . . . . . . . . 9.2 Security Analysis Methods . . . . . . . . . . . . . . . . . . . 9.2.1 BAN Logic . . . . . . . . . . . . . . . . . . . . . . . . 9.2.2 Random Oracle Model . . . . . . . . . . . . . . . . 9.2.3 Quantum-Accessible Random Oracle Model References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

10 Security Analysis Based on BAN Logic . . . . . . 10.1 Formal Analysis . . . . . . . . . . . . . . . . . . . 10.2 Quantum Identity Authentication . . . . . . . 10.3 Representative QIA Protocol . . . . . . . . . . 10.4 Analysis Procedure . . . . . . . . . . . . . . . . . 10.4.1 Description of Notions and Rules 10.4.2 Inference Based on BAN Logic . 10.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

. . . . . . . . . . . .

191 191 191 193 193 194 195 195 195 199 200 201

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

203 203 204 204 206 206 207 210 211

11 Security Analysis Based on Quantum Random Oracle Model . 11.1 Quantum Random Oracle Model for Quantum Digital Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.1.1 Development of Random Oracle . . . . . . . . . . . . . 11.1.2 Quantum Digital Signature . . . . . . . . . . . . . . . . . 11.1.3 Representative QDS Scheme . . . . . . . . . . . . . . . . 11.1.4 Security Analysis from RO to QRO . . . . . . . . . . 11.1.5 Quantum Random Oracle Model for QDS . . . . . . 11.1.6 Analysis Procedure . . . . . . . . . . . . . . . . . . . . . . . 11.1.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2.1 Instantiation of Quantum Random Oracle Model . 11.2.2 Quantum Hash Function . . . . . . . . . . . . . . . . . . . 11.2.3 Quantum Public-Key Encryption . . . . . . . . . . . . . 11.2.4 QPKE in the QRO Model . . . . . . . . . . . . . . . . . . 11.2.5 Instantiation of QRO for a Bad and a Good Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2.6 Numerical Simulation of Key-Collision Attack . . .

. . . . 213 . . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

213 213 214 215 216 218 220 224

. . . . .

. . . . .

. . . . .

. . . . .

225 225 226 227 229

. . . . 232 . . . . 236

xvi

Contents

11.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 12 Security Analysis of Quantum Obfuscation . . . . . . . . . . . . . . 12.1 Obfuscatability of Quantum Point Functions . . . . . . . . . . 12.1.1 Development of Obfuscation . . . . . . . . . . . . . . . 12.1.2 Quantum Circuit . . . . . . . . . . . . . . . . . . . . . . . . 12.1.3 Quantum Obfuscation . . . . . . . . . . . . . . . . . . . . 12.1.4 Quantum-Accessible Random Oracle Model . . . 12.1.5 Reduction for Quantum Obfuscation . . . . . . . . . 12.1.6 Obfuscation of Combined Quantum Circuits . . . 12.1.7 Quantum Point Function . . . . . . . . . . . . . . . . . . 12.1.8 Application to Quantum Zero-Knowledge . . . . . 12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.1 Requirement of Indistinguishability . . . . . . . . . . 12.2.2 Efficient Quantum Circuit and Quantum Computation . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.3 Quantum One-Time Pad . . . . . . . . . . . . . . . . . . 12.2.4 Quantum Symmetric Encryption and Its Security 12.2.5 Quantum Point Obfuscation . . . . . . . . . . . . . . . 12.2.6 IND-Secure Quantum Symmetric Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2.7 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . 12.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Security Analysis of Measurement-Device Independency . . 13.1 Device Independency Analysis . . . . . . . . . . . . . . . . . . 13.2 Measurement-Device Independency . . . . . . . . . . . . . . . 13.3 Continuous-Variable Quantum Homomorphic Signature 13.4 Analysis Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.4.1 Attack Model . . . . . . . . . . . . . . . . . . . . . . . . . 13.4.2 Probability of a Forged Signature Passing Verification . . . . . . . . . . . . . . . . . . . . . . . . . . 13.4.3 Probability of a Legal Signature Being Denied . 13.5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

241 241 241 243 243 244 245 247 249 253

. . . . . 255 . . . . . 255 . . . .

. . . .

. . . .

. . . .

. . . .

256 256 257 258

. . . .

. . . .

. . . .

. . . .

. . . .

260 262 264 265

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

267 267 268 269 270 270

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

272 273 274 275 276

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Part I

Quantum Network Coding

Chapter 1

Introduction

As quantum network coding is an important and potential research topic in quantum communication, in this chapter, we summarize the main research results of quantum network coding in recent years. Firstly, we briefly introduce the concept of quantum network coding. Then we introduce the development of quantum network coding schemes and classify the typical quantum network coding schemes from the viewpoint of additional resources. Finally, we point out the future research directions of quantum network coding.

1.1 Concept of Network Coding In 2000, Ahlswede, Cai, Li, and Yeung found a new way to implement better communication performance over a network than ever in the fundamental article of network coding (NC) [1]. The main idea of network coding is that we can encode information at intermediate nodes in a network, thus improving throughput, robustness, and security and reducing the complexity of a network. Figure 1.1 gives an example of network coding which realizes the improvement of network throughput. The example features multicast from two sources to two destinations (sinks or targets). The two sinks wish to receive the total messages sent by the two sources. The capacity of each directed link is one. As we can see, the node s0 performs a coding operation by taking the binary sum (XOR, exclusive OR), which allows the message to pass across over the bottleneck channel s0 t0 . In this way, the messages x, y can be received simultaneously at t1 and t2 , which is impossible for the traditional routing paradigm, where intermediate nodes are allowed only to make copies of received bits for output. Network coding has pointed out the fact that the information flow cannot be treated as the materials flow since the information can be encoded. Classical network coding has inspired the studies of quantum network coding (QNC) because quantum communication is expensive and the efficiency is an important topic of quantum communication. In 2006, Iwama, Hayashi, Nishimura, Raymond, and Yamashita [2] initiated the study of quantum network coding for © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_1

3

4 Fig. 1.1 Network coding on the butterfly network

1 Introduction

X

Y S1

X

S2

Y S0

X

X Y X Y

t2

Y X ( X Y ), X

t0

Y X Y t1

X ( X Y ) Y,Y

the butterfly network. They confirmed the feasibility of quantum network coding if approximation is allowed. In fact, it is impossible that without additional modification, perfect quantum network coding on the butterfly network transfers two quantum states crossly over bottleneck with high fidelity. The principal problems concerning quantum network coding are the exact copy of a quantum state and the operation of a qubit. The no-cloning theorem which states that it is impossible to create an identical copy of an arbitrary unknown quantum state prevents the exact copy of an unknown qubit. Consequently, we can only use approximated cloning such as the universal cloning proposed by Buzek and Hillery [3] or the probabilistic cloning proposed by Duan and Guo [4]. However, both of these cloning techniques are not able to realize the exact copy of a unknown quantum state. On this occasion, perfect quantum network coding seems to be impossible. With the development of quantum technology, more processing methods have been found. Researchers began to introduce additional resources into quantum networks and aimed to realize the perfect quantum network coding. Moreover, because of the no-cloning theorem, people believe that perfect quantum multicast cannot be achieved, therefore the vast majority of researchers pay their attention to the k-pair problem (or multi–unicast problem). In this case, the copy of quantum states is not needed. The aim is to transmit k quantum states across over a bottleneck network to k targets. It turns out that perfect quantum network coding for the k-pair problem with additional resources is possible and plenty of schemes with different resources appear. These schemes will be introduced in the following part.

1.2 Development of Quantum Network Coding

5

1.2 Development of Quantum Network Coding Before quantum network coding schemes are designed, several famous theorems have been proved in quantum communication. One of the most important is the nocloning theorem that forbids the copy of an unknown quantum state. Even though classical network coding can achieve multicasting tasks effectively, it seems that we cannot multicast a quantum state in a quantum network faithfully. As a result, researchers pay their attention to a subproblem of network coding, namely k-pair problem. In the k-pair problem, there are k source–target pairs. Each source wants to send a quantum state to a corresponding target and some bottleneck channels could appear between these source–target pairs. Until now, most quantum network coding schemes aim at the k-pair problem. Indeed, some researchers, like Shi and Soljanin [5] and Iwama [6], attempted to multicast quantum states by supposing that sources have many identical quantum states to send, but the price is that faithful communication will never be achieved. Since 2006, Hayashi et al. explored the possibility of quantum network coding [2] and proposed the first quantum network coding protocol XQQ [7]. They are the pioneers of this domain, so the first question they should resolve is whether quantum network coding is possible. By designing the XQQ protocol, they showed that one can design a quantum network coding protocol which transmits across two qubits for the butterfly network with the fidelity greater than 1/2. An upper bound of the fidelity which is less than 1 was also calculated. But this work still cannot fully answer the basic question, because a general form of network topology is not considered. As a successor of XQQ, Iwama et al. [6] extended network topology to the graph class G4 which allows some nonlinear operations over a four-letter alphabet to achieve classical network coding. We notice that each graph in G4 associates with a classical k-pair network coding protocol which is indispensable to design the quantum counterpart. The true problem for a general graph is the introduction of extra entanglement. It is difficult to get rid of extra entanglement after the transmission of a complex network. Therefore, they put forward the entanglement-free cloning to eliminate extra entanglement. The proposed protocol is a quantum simulation of classical network coding protocol. It turns out that for a given G in G4 and a corresponding classical network coding protocol, a quantum network coding protocol can send some arbitrary qubits with the fidelity greater than 1/2, perfect quantum state transmission cannot be achieved with the fidelity of 1. The first two works of quantum network coding, namely [7] and [6], inspired research interest for quantum network coding but negated the existence of perfect quantum network coding. However, [7] and [6] are both stuck in the quantum weirdness, like the no-cloning theorem, but do not take the advantage of quantum properties such as teleportation and dense coding. Consequently, it is not surprising that they cannot achieve perfect quantum network coding. Once some additional resources are added, some new inspiring results will come out. Hayashi [8] began to explore the effect of prior entanglement. He proposed a perfect quantum network coding protocol transmitting two non-entangled quantum

6

1 Introduction

states across over the butterfly network with prior entanglement sharing between two senders. Nevertheless, the particles shared by the two senders are maximally entangled in the state |+  which is not easy to obtain in the reality. Then Ma et al. [9] considered the non-maximally entangled case. They designed a QNC protocol that can perfectly transmit two 2-level states (possibly entangled) across over the butterfly network by sharing non-maximally entangled particles between two senders. The side effect of the non-maximal entanglement is that sometimes no information can be transmitted so that perfect transmission can be achieved only with certain probability less than 1. We should point out that with the development of quantum communication and quantum computation, the maximally entangled particles can be prepared by quantum circuit, entanglement distillation, quantum repeater, etc. Some other protocols of perfect transmission have also been proposed. Kobayashi et al. [10] considered another auxiliary resource, namely free classical communication. It was proved that perfect quantum network coding using free classical communication is possible over a general network with k source–target pairs if there exists a classical linear (or even vector linear) coding scheme over a finite ring. Furthermore, the nonlinear version was also be solved [11]. It was verified that the perfect quantum network coding protocol for any instance of the k-pair problem exists, if the corresponding classical version is solvable (classical version has a k-pair problem solution). Kobayashi et al. [12] slightly changed the hypotheses, i.e., we can design perfect k-pair quantum network coding using free classical communication over a general network if the corresponding classical graph has multicast problem solution. It seems that this protocol does not make use of any quantum property, but further studies show that many quantum computation methods have been used. Beaudrap et al. [13] proved that those protocols [10–12] can be regarded as one-way quantum computation. As for perfect quantum network coding using free classical communication, Satoh et al. [14] criticized that those protocols [10–12] focused on an abstract model, in which quantum registers can be freely introduced at each node and need to be transmitted between nodes. Especially, how to implement a quantum system is a crucial problem to the development of quantum communication so that it is difficult to realize a long-distance quantum communication. Quantum repeater is a potential approach to realizing long-distance quantum communication. Satoh et al. [14] explored quantum repeater and designed a quantum repeater network coding protocol for the butterfly network. In this protocol, adjacent nodes initially share one EPR (Einstein–Podolsky–Rosen)-pair and no additional register is needed. The main idea is to control the entanglement state of a quantum network thus forming the quantum channel (EPR-pair) between each source–target pair. The performance analysis of quantum repeater network coding protocol was executed in [15], which shows that quantum repeater network coding is more sensitive to entanglement errors (errors on the initial Bell pairs), Pauli errors and local gate errors than entanglement swapping. In brief, quantum repeater network coding is useful when quantum resources are limited or high communication speed is required. Similar to the idea of quantum repeater network coding which controls the entanglement state of a quantum network, cluster state is a type of highly entangled multi-

1.2 Development of Quantum Network Coding

7

particle quantum states and used as a universal resource for measurement-based quantum computation. Especially, it can be represented by mathematical graphs. The control of cluster state has been widely studied in quantum computation [16]. Li et al. [17] utilized 2D and 3D cluster state to solve the k-pair quantum network coding problem. They proposed three protocols to realize perfect quantum network coding for the butterfly network, grail network, and extended butterfly network. A method based on stabilizer was also presented to analyze the resolvability of a certain type of network. In recent years, some other additional resources have been explored in order to improve the performance of quantum network coding. For example, Shang et al. proposed continuous-variable quantum network coding [18] and opportunistic quantum network coding [19]. These protocols are quite different from previous schemes and give us a new viewpoint to treat the quantum network coding problem. The security analysis of quantum network coding is also a key point of recent researches. Owari et al. [20] proposed a secure quantum network coding on the butterfly network in the multi–unicast setting based on a secure classical network coding. Shang et al. introduced a controller to control the decoding process in order to improve the security of quantum communication in [21] and extended the idea of a controller to the quantum repeater network coding in [22]. To analyze the risk of pollution attacks on prior entanglement, they designed aquantum network coding protocol against pollution attacks by using quantum homomorphic signature [23]. Recently, Nguyen et al. explored a generalized quantum network coding protocol for large-scale quantum communication networks [24]. This work is a further work to analyze the performance of quantum repeater network coding for large-scale quantum communication networks under the Z-error perturbations. It extends the case to the large-scale quantum communication and finds the benefits brought by large-scale quantum communication networks. As we can see, many quantum network coding protocols are inspired by other quantum processing techniques. Vice versa, the application of quantum network coding for realizing other quantum processing techniques has attracted much attention. Epping et al. [25] proposed a scheme to verify that robust entanglement distribution can be realized via quantum network coding. Nguyen et al. [26] realized cooperative quantum key distribution over free-space optical channels aided by network coding. Soeda et al. [27] realized quantum computation over the butterfly network and Akibue et al. [28] proposed a scheme for distributed quantum computation over the cluster and butterfly network.

1.3 Classification of Quantum Network Coding Although many quantum network coding schemes have been proposed till now, quantum network coding is still not classified clearly. In fact, quantum network coding schemes can be classified in terms of network topology, node, channel, resource, security, etc. From the development that we have discussed above, we can see that

8

1 Introduction

quantum network coding schemes can be precisely classified according to what kind of additional resources are used. Different schemes have their own special properties characterized by the additional resources used. We will list the main classes of quantum network coding and emphasize their peculiarities. 1. Non-additional resource: XQQ [7], general graph [6]. • Capability of quantum multicasting for a general graph in the graph class G4 . • Impossibility of perfect QNC, i.e., fidelity is always less than 1. 2. Prior entangled state between sources: maximal entangled state [8], non-maximal entangled state [9]. • Capability of perfect QNC for the k-pair problem over the butterfly network, i.e., fidelity equals one. • Capability of transmitting an entangled state. 3. Free classical communication + quantum register: Perfect QNC [10–12]. • Capability of perfect QNC for the k-pair problem over a general network which has a classical solution. • Capability of transmitting an entangled state. 4. LOCC + quantum repeater network: repeater QNC [14]. • Capability of perfect QNC for the k-pair problem over the butterfly network. • Independence of classical network coding protocol. 5. Free classical communication + quantum cluster: cluster QNC [17]. • Capability of perfect QNC for the k-pair problem over the butterfly network, grail network and extended butterfly network. • Independence of classical network coding protocol. 6. Continuous variable + free classical communication: perfect CVQNC (continuous-variable quantum network coding) [18]. • Capability of perfect CVQNC for the k-pair problem over the butterfly network. • Capability of transmitting continuous-variable quantum states.

1.4 Future Direction According to the previous analysis, we point out that the design of quantum network coding concentrates on the additional resources used in each protocol. There are two choices in front of us. One is that we attempt to find more new quantum techniques and integrate them to quantum network coding thus proposing new theoretical schemes. Some ideas are, for example, quantum polar encoding, quantum superactivation,

1.4 Future Direction

9

dense coding, quantum wavelet transforms, probabilistic quantum clone, etc. The other is that we take realistic conditions into account and design more robust quantum network coding schemes. Performance analysis is also a key direction to study. Since the starting points of quantum network coding schemes are quite different, we cannot find a consistent standard to measure different schemes. For example, repeater network and cluster network can achieve almost the same task, but we cannot simply say which is better or worse. We cannot order the cost of different quantum resources which depends on real conditions. Furthermore, the security of quantum communication depends on the specific protocol or the realization. If we want to distinguish the pros and cons of different protocols, the realistic situation should be considered. So far the main purpose of quantum network coding is to improve the throughput of quantum networks which was inspired by the advantages of classical network coding. Apart from the improvement of network throughput, classical networks can also enhance the robustness and security and reduce the complexity. Few works have brought other benefits of classical network coding into quantum network coding. One example is that reference [15] shows that the repeater QNC scheme is more sensitive than the entanglement swapping scheme. As a result, some researches on improving the robustness of quantum network could be interesting. Some security analyses have been conducted with the help of secure quantum communication or quantum cryptography. However, classical network coding could provide some security on its own, exploring this property in quantum networks may save some quantum communication resources. The application of quantum network coding to other quantum techniques is also attractive. We have shown that quantum network coding can help realize entanglement distribution, distributed quantum computing, etc. More studies of application need to be explored in the near future.

References 1. Ahlswede, R., Cai, N., Li, S., et al.: Network information flow. IEEE Trans. Inf. Theory 46(4), 1204–1216 (2000) 2. Iwama, K.: Classic and quantum network coding. In: Scandinavian Symposium and Workshops on Algorithm Theory (SWAT). LNCS, vol. 4059, pp. 3–4 (2006) 3. Buzek, V., Hillery, M.: Quantum copying: beyond the no-cloning theorem. Phys. Rev. A 54(3), 1844–1852 (1996) 4. Duan, L.M., Guo, G.C.: Probabilistic cloning and identification of linearly independent quantum states. Phys. Rev. Lett. 80(22), 4999–5002 (1998) 5. Shi, Y., Soljanin, E.: On multicast in quantum networks. In: Conference on Information Sciences and Systems (CISS), pp. 871–876 (2006) 6. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs. Physics 52(3), 610–621 (2006) 7. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007) 8. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding with modification. Phys. Rev. A 76(4), 538 (2007)

10

1 Introduction

9. Ma, S.Y., Chen, X.B., Luo, M.X., et al.: Probabilistic quantum network coding of M-qudit states over the butterfly network. Opt. Commun. 283(3), 497–501 (2010) 10. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: General scheme for perfect quantum network coding with free classical communication. In: International Colloquium on Automata, Languages and Programming (ICALP), pp. 622–633 (2009) 11. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes from classical nonlinear protocols. In: IEEE International Symposium on Information Theory (ISIT), pp. 109–113 (2011) 12. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Perfect quantum network communication protocol based on classical network coding. In: IEEE International Symposium on Information Theory (ISIT), pp. 2686–2690 (2010) 13. de Beaudrap, N., Roetteler, M.: Quantum linear network coding as one-way quantum computation (2014). arXiv:1403.3533 14. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A 86(3), 9591–9598 (2012) 15. Satoh, T., Ishizaki, K., Nagayama, S., et al.: Analysis of quantum network coding for realistic repeater networks. Phys. Rev. A 93(3), 032302 (2016) 16. Briegel, H.J., Browne, D.E., Dur, W., et al.: Measurement-based quantum computation. Nat. Phys. 5(1), 19–26 (2009) 17. Li, J., Chen, X., Sun, X., et al.: Quantum network coding for multi-unicast problem based on 2D and 3D cluster states. Sci. China Inf. Sci. 59(4), 1–15 (2016) 18. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding for coherent states. Quantum Inf. Process. 16(4), 107 (2017) 19. Shang, T., Du, G., Liu, J.W.: Opportunistic quantum network coding based on quantum teleportation. Quantum Inf. Process. 15(4), 1–12 (2016) 20. Owari, M., Kato, G., Hayashi, M.: Secure quantum network coding on butterfly network (2017). arXiv:1705.01474 21. Shang, T., Zhao, X., Liu, J.W.: Quantum network coding based on controlled teleportation. IEEE Commun. Lett. 18(5), 865–868 (2014) 22. Shang, T., Li, J., Liu, J.W.: Secure quantum network coding for controlled repeater networks. Quantum Inf. Process. 15(7), 2937–2953 (2016) 23. Shang, T., Pei, Z., Zhao, X.J., et al.: Quantum network coding against pollution attacks. IEEE Commun. Lett. 20(7), 1369–1372 (2016) 24. Nguyen, H.V., Babar, Z., Alanis, D., et al.: Towards the quantum internet: generalised quantum network coding for large-scale quantum communication networks. IEEE Access 5, 17288– 17308 (2017) 25. Epping, M., Kampermann, H., Brub, D.: Robust entanglement distribution via quantum network coding. New J. Phys. 18(10), 103052 (2016) 26. Nguyen, H., Trinh, P., Pham, A., et al.: Network coding aided cooperative quantum key distribution over free-space optical channels. IEEE Access 5(99), 12301–12317 (2017) 27. Soeda, A., Kinjo, Y., Turner, P.S., et al.: Quantum computation over the butterfly network. Phys. Rev. A 84(1), 012333 (2011) 28. Akibue, S., Murao, M.: Network coding for distributed quantum computation over cluster and butterfly networks. IEEE Trans. Inf. Theory 62(11), 6620–6637 (2016)

Chapter 2

Preliminaries

Quantum communication is a new interdiscipline combining quantum mechanics and information theory which has the feature of unconditional security. Usually, the handling of quantum information is harder than that of the classical counterparts. Copying and coding are two typical operations of network coding. The question is whether or not quantum network coding is possible with the quantum counterpart of key operations. In this chapter, we introduce the preliminaries of quantum network coding, including main notions and key operations.

2.1 Main Notions 2.1.1 Hilbert Space The Hilbert space is a generalization of the Euclidean space. It extends a 2dimensional or 3-dimensional space to any number of dimensions space. That is to say, an infinite-dimensional space is also possible. First of all, the Hilbert space which we study in quantum mechanics is a vector space (also called a linear space) represented by (E H , C, +). E H is the vector space whose elements are called vectors (or states or state vectors). C is the filed of complex numbers whose elements are called scalars. The vector space E H over the field C possesses two operations: • the vector addition (or simply addition) +: E H2 −→ E H • the scalar multiplication ·: C × E H −→ E H For example, the addition takes two vectors (x, y) ∈ E H2 and assigns to them a third vector which is commonly written as x + y belonging to E H . And the scalar multiplication takes a scalar and a vector (α, x) ∈ C × E H and assigns to them a third vector which is commonly written as αx belonging to E H . We can notice that any superposition of two or more vectors is also a legitimate vector of the Hilbert space E. Namely, © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_2

11

12

2 Preliminaries

(α, β) ∈ C2 , (x, y) ∈ E H2 so that αx + β y ∈ E H . This property implies the linearity of a quantum system. The vector space E and the complex field C together with two operations above should respect many axioms such as the associativity of addition, the commutativity of addition, etc. Here we will not discuss these details. Another advantage of the Hilbert space is that we can define the notion of distance and angle between two vectors like the case of the Euclidean space. That is to say, we can define the Hermitian positive-definite inner product ·|· of two vectors. The inner product is defined by ·|· :

E H2 −→ C (x, y) −→ x| y

Some properties should be respected: • • • • •

x ∈ E H , x|x = 0 ⇒ x = 0 x ∈ E H , x = 0 ⇒ x|x ∈ R+∗ x, y, z ∈ E H and α ∈ C, αx + y|z = α∗ x|z +  y|z x, y, z ∈ E H and β ∈ C, x|β y + z = β x| y + x|z x, y ∈ E H , x| y =  y|x∗

Once we have defined the inner product, we can define the norm || · || associated with the inner product. For a vector in the Hilbert space x ∈ E H , the norm is defined by  ||x|| = x|x Since x|x ≥ 0 for an arbitrary vector x ∈ E H , the norm is well defined. The Hilbert space is an effective tool to describe the state of a quantum system. We usually use the Dirac notation ket, for example |ψ, to represent a vector in the Hilbert space. We also have the notation bra denoted by ψ| for representing the dual vector in the dual space. The bra is a linear form from the vector space to its field of scalars. Every |ψ corresponds to a specific ψ|, and the action of the ψ| over the ket |φ is related to the inner product of the two vectors. That is, ψ| (|φ) = ψ|φ Once we have defined the Hilbert space, we can pose the postulate of the superposition and the postulate of the evolution [1]. Postulate of the superposition: Associated to any isolated physical system is a complex vector space with inner product (that is, a Hilbert space) known as the state space of the system. The system is completely described by its state vector, which is a unit vector in the state space of the system. Postulate of the evolution: The time evolution of the state of a closed quantum system is described by the Schrodinger equation,

2.1 Main Notions

13 i

d |ψ = Hˆ |ψ dt

where  is the reduced Planck constant, Hˆ is a fixed Hermitian operator called the Hamiltonian of the closed system.

We can simplify the postulate of the evolution by considering only two different times t1 and t2 . This edition is used widely in the quantum mechanics. Postulate of the evolution 2: The evolution of a closed quantum system is described by a unitary That means the state |ψ of the system at time t1 is related to the  transformation.  state ψ  of the system at time t2 by a unitary operator U which depends only on the time t1 and t2 ,   ψ = U |ψ .

2.1.2 Tensor Product One example of the Hilbert space is the space L2 (R) which is the set of squareintegrable functions from R to C. All the Hermite functions {φn }n∈N form an orthonormal basis of L2 (R). The Hermite functions φn (x) are   √ − 1 x 2 √ − 1 x 2 d n −x 2 φn (x) = 2n n! π 2 e− 2 Hn (x) = (−1)n 2n n! π 2 e 2 e dxn For space L2 (R2 ) which is the set of square-integrable functions from R2 to C. One of the bases of the L2 (R2 ) is the set {φm φn , (m, n) ∈ N2 }. In other words, every function (x, y) in the space L2 (R2 ) can be decomposed into the form (x, y) =



Cm,n φm (x)φn (y)

m,n

Mathematically, we say that the space L2 (R2 ) is the tensor product of the two space L2 (R). Namely, L2 (R2 ) = L2 (R) ⊗ L2 (R) If we use the Dirac notation, that is,  | = Cm,n |φm  ⊗ |φn  m,n

where | is the ket related to the function (x, y) and |φm  ⊗ |φn  is the ket in the space L2 (R2 ) related to the function φm (x)φn (y). Definition of tensor product Given two Hilbert spaces E and F, we can associate a third Hilbert space G and a bilinear application T from the space E × F to the third space G, such that

14

2 Preliminaries

1. T (E × F) spans G, in other words, all the elements of the space G are the sum of the elements with the form T (|u , |v), where |u ∈ E and |v ∈ F. 2. Let {|em }m∈N is a basis of the space E and {| f n }n∈N is a basis of the space F. Then the set {T (|em  , | f n )}m,n is a basis of the space G. Here G is the tensor product of E and F, which is denoted by G = E ⊗ F. The elements of E ⊗ F is called the tensor and T (|u , |v) = |u ⊗ |v. For convenience, one usually writes |u ⊗ |v as |u |v or |u, v or |uv.

2.1.3 Quantum State In quantum physics, a quantum state refers to the state of an isolated quantum system. There are two main classes of quantum states, namely pure quantum state and mixed quantum state. Pure quantum state All the vectors in the Hilbert space describe the pure quantum states. A pure quantum state can be represented by a ray in a Hilbert space over the complex numbers. The ray is a set of nonzero vectors differing by just a complex scalar factor, any of them can be chosen as a state vector to represent the ray and the corresponding state. For example, |ψ ∈ E H or α |ψ, where α ∈ C, represents a pure quantum state. The superposition of some kets are also a ket that represents a pure quantum state, for instance, α |ψ + β |φ belongs to E H and is a pure quantum state. Entangled quantum state For the quantum system which has two or more degrees of freedom, the Hilbert space E describing the total system can be factorized to the tensor product of several subspaces. For example, we suppose that we only study the spin of two particles with spin 1/2. The Hilbert space E which describes the spin state of the total system, can be factorized. That is to say, E = E1 ⊗ E2 . The number of dimensions of Ei , i = 1, 2 is 2. So the dimension of E is 4 = 2 × 2. One example of the ket in the E is the |+ ⊗ |− or |+− which means the first particle has the spin up and the second particle has the spin down. This state is similar to the classical situation with two balls, one of the balls is white and the other is black. But the difference is that any superposition of the kets is also a legitimate 1 state in the Hilbert space. In other words, the state like | = √ (|+− + |−+) 2 can exist. This kind of quantum state which cannot be factorized to the tensor product of two kets is called entangled state. We would like to point out that if we consider the entangled state from the space E, it is still a pure quantum state for reason of | ∈ E. Mixed quantum state There exists another quantum state that cannot be represented by the vector in the Hilbert space. This state is called mixed quantum state which corresponds to a probabilistic mixture of pure states. The mixed quantum state usually arises from the lack of information. The state vector of a quantum system is unknown

2.1 Main Notions

15

at to the experimenter, but the appearance probability p j of a quantum state  least  ψ j is known. Thus, we cannot describe this quantum state by simply using the state vector of the Hilbert space. A mathematical tool called density operator discussed in the Sect. 2.1.4 will be used to represent this kind of quantum state. One famous example of the different quantum states is about the light polarization. Photons can have two helicities, which correspond to two orthogonal quantum states, |R (right circular polarization) and |L (left circular √ polarization). A Photon can |L) + also be in a superposition state, such as / 2 (vertical polarization) or (|R √ (|R − |L) / 2 (horizontal polarization). More generally, it can be in any state α |R + β |L (with |α|2 + |β|2 = 1). All these quantum states are the pure states that can be described by the vector of the Hilbert space. However, unpolarized light is different from any state like α |R + β |L. It can be described with ensemble averages, i.e., each photon is either |R with the probability of 50% or |L with the probability of 50%. The same behavior will occur if each photon is either vertically polarized with 50% probability or horizontally polarized with the probability of 50%. These two configurations give exactly the same results in the experiments. They are completely indistinguishable experimentally so that they are considered the same mixed state. Moreover, unpolarized light cannot be described by any pure state, but can be described as a statistical ensemble of pure states in at least two ways (the ensemble of half-left and half- right circularly polarized, or the ensemble of half vertically and half horizontally linearly polarized). There are many origins of the mixed quantum state. For the origins of the unpolarized light, we should consider the mechanism of the generation of the light. For the unpolarized light emitted by the incandescent light bulb, the polarization of the light is closely related to the thermal randomness. The filament is in the thermal equilibrium, a statistical mixture of enormous numbers of micro-states, each with a certain probability (the Boltzmann factor), switching rapidly from one to the next due to thermal fluctuations. Each micro-state emits a certain kind of polarized light. Thus, the global polarization of the light is a probabilistic mixture of some certain kind of polarized lights (pure states). A particular example of the mixed state is related to the entangled state. For √ example, two photons in the entangled state (|R, L + |L , R)/ 2. If we treat the two photons together, they are in the pure state since the total system can be described by a state vector, but if we only observe one of the photons and ignore the other, the photon behaves just like unpolarized light, the photon is in the mixed state. We can conclude some main reasons for the mixed state [2]: • • • • •

the system preparation is imperfect, like for a thermal state; through decoherence processes; after a measurement if the outcome is not revealed to the observer; observe an entangled state in a subsystem;   some other mechanism that produces quantum; states ψ j with probability p j .

16

2 Preliminaries

2.1.4 Density Operator The density operator is a mathematical tool to describe the quantum states, including the pure state and the mixed state. For a finite-dimensional function space, the most general density operator is described by ρ=



   p j ψ j ψ j 

j

where the coefficients p j are nonnegative and add up  to  one. This form represents a mixed quantum state that is in the quantum state ψ j with the probability of p j . Note that the density operator ρ pur e for a pure state |φ is a special case of the density operator with ρ pur e = |φ φ| We will list some important properties of the density operator: 1. The density operator ρ is a Hermitian operator with T r (ρ) = 1. All the coefficients of the probability p j respect 0 ≤ p j ≤ 1. ˆ 2. If we measure a physical quantity A, corresponding to the observable A, the probability to obtain the eigenvalue aα is P(aα ) = T r Pˆα ρ , where Pˆα is the projector over the sub-eigenspace of Aˆ corresponding to the eigenvalue aα . ˆ 3. If we measure a physical quantity A, corresponding to the

observable A, the ˆ . expectation value of the physical quantity is a = T r Aρ 4. Immediately after a measurement giving the result aα , the state of the system is   ψ =

Pˆα |ψ . || Pˆα |ψ ||

The density operator of this new state is ρ =

Pˆα ρ Pˆα P(aα )

5. The Schrodinger equation which describes the evolution of the quantum system is written as i

dρ  ˆ = H (t), ρ(t) dt

There is a practical method to distinguish the pure quantum state and the mixed quantum state using the density operator. If T r (ρ2 ) = T r (ρ) = 1, then the state is a pure quantum state. If T r (ρ2 ) < 1, then the state is a mixed state.

2.1 Main Notions

17

2.1.5 Quantum Operator Let A be a linear quantum operator on a Hilbert space E H . A : E H −→ E H ˆ Aˆ † : E H −→ E H is defined by The Hermitian conjugate or adjoint of A: (|v , Aˆ |w) = ( Aˆ † |v , |w) where |v and |w belong to E H , (·|·) is the inner product of quantum states. Once we defined the Hermitian conjugation, we can classify the quantum operators. ˆ • Normal operator: Aˆ is a normal operator if Aˆ Aˆ † = Aˆ † A. 1. Normal operator ⇔ diagonalizable operator (cf. theorem of spectral decomposition). 2. If all eigenvalues of a normal operator Aˆ are real, Aˆ is Hermitian. • Hermitian operator: Aˆ is a Hermitian operator if Aˆ = Aˆ † . 1. Hermitian operator ⇒ normal operator. 2. All eigenvalues of Hermitian operator are real. • Positive operator: Positive operators are a special subclass of Hermitian operators. Aˆ is a positive operator if (|v , Aˆ |v) is a real and nonnegative number for any vector |v. 1. If (|v , Aˆ |v) is strictly greater than zero for all |v = 0, Aˆ is positive definite. • Unitary operator: Aˆ is a unitary operator if Aˆ † Aˆ = Iˆ. 1. Aˆ Aˆ † = Aˆ † Aˆ = Iˆ, unitary operator ⇒ normal operator. 2. Unitary operator preserves the inner product, i.e., (U |v , U |w) = v|w.

2.1.6 Quantum Measurement To understand the issue of the quantum measurement, we should firstly give the postulate of the measurement [1]. Postulate of the measurement: Quantum measurements are described by a collection 

Mˆ m of measurement operators. These are operators acting on the state space of the system being measured. The index m refers to the measurement outcomes that may occur in the experiment. If the state of the quantum system is |ψ immediately before the measurement, then the probability that result m occurs is given by

18

2 Preliminaries ˆ m† Mˆ m |ψ P (m) = ψ| M and the state of the system after the measurement is Mˆ m |ψ  ψ| Mˆ m† Mˆ m |ψ The measurement operators satisfy the completeness equation,  Mˆ m† Mˆ m = Iˆ m

The first corollary of the completeness equation is the fact that probabilities sum to one.    ψ| Mˆ m† Mˆ m |ψ = ψ| P(m) = Mˆ m† Mˆ m |ψ = 1 m

m

m

The postulate of the measurement has pointed out two important things in quantum mechanics. The first is the statistic result of a series of measurements. One can know the probability that a certain result m occurs. The second is the quantum state of the measured system after the measurement. Projective measurement There exist a particular type of measurement in quantum mechanics, projective measurement. The projective measurement turns out to be equivalent to the general measurement defined in the postulate of the measurement if we can perform the unitary transformation as described in the postulate of the evolution. Firstly, let us look at the definition of the projective measurement according to the reference [1]. ˆ a Hermitian operA projective measurement is described by an observable M, ator on the state space of the system being observed. The observable has a spectral decomposition:  ˆ = m Pˆm M m

ˆ with eigenvalue m. The possible where Pˆm is the projector onto the eigenspace of M outcomes of the measurement correspond to the eigenvalues, m, of the observable. Upon measuring the state |ψ, the probability of getting result m is given by P(m) = ψ| Pˆm |ψ Given that outcome m occurred, the state of the quantum system immediately after the measurement is Pˆm |ψ  ψ| Pˆm |ψ

2.1 Main Notions

19

The projective measurement is a special case of the general measurement with Pˆm = Mˆ m , for all m, defined in the postulate of the measurement. However, the projective measurement is equivalent to the general measurement if we perform the unitary transformation. Furthermore, the observable has some good properties: 1. 2. 3. 4. 5.

Since Pˆm is Hermitian, we have Pˆm† = Pˆm , for all m. Since Pˆm is orthogonal projector, we have Pˆm Pˆm  = δm,m  Pˆm , for all m, m  . Pˆ † Pˆ = Pˆ Pˆm = Pˆm , because Pˆm is a projector, for all m. m m † m  ˆ ˆ ˆ ˆ m Pm Pm = m Pm = I . ˆ in measuring the quantum state |ψ The average value m of the observable M is   ˆ m = ψ|M|ψ

  ˆ in measuring the quantum 6. The average square value m 2 of the observable M state |ψ is   2  ˆ 2 |ψ m = ψ|M   7. The variance (m)2 = m 2 − m2 ˆ If {|m} is the set of normal eigenvectors of the non-degenerate observable M, then the set {|m} forms a basis of the corresponding Hilbert space and we have Pˆm = |m m|. The degenerate cases are somewhat different but keep the same idea. We say that “measure the |ψ in the basis |m” to describe this case. POVM Projective measurement is important and useful in the quantum measurement, but sometimes it is complicate to use. To have these good properties of the projective measurement, we also have many restrictions on the choice of the operators. What’s more, we usually have little interest about the quantum state after the measurement, but concern more about the probabilities of the respective measurement outcomes. The POVM (Positive Operator-Valued Measure) formalism is a well-adapted tool to analyze the result of the measurement. Certainly, we will lose some good properties such as the repeatability, but sometimes we cannot repeat the measurement, we can only measure a quantum state once. At the beginning, we put the definition of the POVM here.

 Conversely, suppose that we have a set of positive Hermitian operators Eˆ m  such that m Eˆ m = Iˆ. We can prove that there exists a set of measurement operators  Mˆ m defining a measurement described by the POVM Eˆ m . By defining Mˆ m ≡  

  Eˆ m , we obtain m Mˆ m† Mˆ m = m Eˆ m = Iˆ, and therefore the set Mˆ m describes

 a measurement with POVM Eˆ m .

 For this reason, we can simply define a POVM to be a set of operators Eˆ m satisfying

20

2 Preliminaries

•  Eˆ m is Hermitian and positive, for all m. • m Eˆ m = Iˆ. Example of comparison of two measurements This example is from the reference [1]. Suppose Alice wants √ to transmit one of the two non-orthogonal states, |ψ1  = |0 or |ψ2  = (|0 + |1)/ 2, to Bob. There is a theorem saying two non-orthogonal states cannot be reliably distinguished. But we will see the difference between two types of measurements. Suppose that Bob uses the projective measurement to determine what he received. The observable is ˆ = |0 0| + |1 1| M If Bob receives the state |ψ1 , then he will get 0 with the probability 1. If Bob receives the state |ψ2 , then he will get 0 with the probability 0.5 and 1 with the probability 0.5. That is to say, if Bob obtains 1, he certainly receives the state |ψ2 , but if he obtains 0, he cannot know exactly what Alice has transmitted. So Bob could make the error of misidentification. Now, consider a POVM containing three elements: √

2 √ |1 1| 1+ 2 √ 2 (|0 − |1)(0| − 1|) ˆ E2 = √ 2 1+ 2 ˆ ˆ ˆ ˆ E3 = I − E1 − E2 Eˆ 1 =

ˆ ˆ ˆ ˆ ˆ ˆ ˆ It

is clear that E 1 + E 2 + E 3 = I and E 1 , E 2 , E 3 are positive Hermitian operators. So ˆ ˆ ˆ E 1 , E 2 , E 3 forms a legitimate POVM. If Bob receives the state |ψ1 , he will never observe the result corresponding to Eˆ 1 . So, if he observes the result corresponding to Eˆ 1 , what he received is certainly |ψ2 . Similarly, if Bob receives the state |ψ2 , he will never observe the result corresponding to Eˆ 2 . So, if he observes the result corresponding to Eˆ 2 , what he received is certainly |ψ1 . Moreover, if he receives the result corresponding to Eˆ 3 , he cannot get any information. By using the POVM, we can avoid the error of misidentification, even if we cannot reliably distinguish two non-orthogonal states.

2.1.7 Bloch Sphere There are many quantum effects that could be used to represent a qubit, such as spin states (up and down) of an electron, charge states of the quantum dots and polarization states of photons [2]. Although we do not want to discuss physics details, the state vector is a useful abstract to describe these effects. In the classical information

2.1 Main Notions

21

system, the bit which is a two-state system is used to represent arbitrary information. Similarly, in a quantum information system, we study the system which has two degrees of freedom. The two kets |0 and |1 consist of the basis of a Hilbert space. |0 is just like the logical state 0 in the classical system, and |1 is like 1. But the difference is that any superposition state |ψ of |0 and |1 is also a possible state of the quantum system. That is to say, any state vector which has the form |ψ = α |0 + β |1 where α, β ∈ C is also a legitimate state of the quantum information system. The Bloch sphere is a useful mathematical tool to visualize the quantum state |ψ. Firstly, the quantum state should be normalized, in other words, |α|2 + |β|2 = 1. Secondly, the absolute phase of a quantum system is not measurable. Consequently, it has no physical significance, quantum state |ψ, and eiθ |ψ where θ is an arbitrary real number represent the same quantum state [3]. We should notice that the relative phase between two quantum states is important. For example, the state |φ1  and the state |φ2  = eiθ |φ1  where θ is an real number represent two different quantum states. This means we can choose α to be a real number, and a qubit could be represented by |ψ = cos(θ/2) |0 + eiφ sin(θ/2) |1 where 0 ≤ θ ≤ π and 0 ≤ φ ≤ 2π. Note that θ = 0 corresponds to |0, and θ = π corresponds to |1. It is clear that any |ψ can be related to a point of a sphere of radius 1 with latitude and azimuth angles θ and φ. The sphere is called Bloch sphere (cf. Fig. 2.1).

0

z

Fig. 2.1 Bloch sphere

|ψ θ y x

φ

z

1

22

2 Preliminaries

2.1.8 Fidelity The fidelity F is measure of distance between two density operators θ and ρ. The fidelity can be defined as

2  F(θ, ρ) = T r ρ1/2 θρ1/2 It is the largest fidelity between any two purifications of the given states. Fidelity as a distance measure between pure states used to be called transition probability. For two pure states given by unit vectors |ψ and |φ, fidelity between them is F(|ψ , |φ) = | ψ|φ |2 . For a pure state (unit vector |ψ) and a mixed state (density operator ρ), this generalizes to ψ|ρψ. Properties are listed as follows: 1. 2. 3. 4.

0 ≤ F(θ, ρ) ≤ 1. F(θ, ρ) = F(ρ, θ). F(ρ1 ⊗ ρ2 , θ 1 ⊗ θ 2 ) = F(ρ1 , θ 1 )F(ρ2 , θ 2 ). The fidelity is preserved by unitary evolution, i.e., F(ρ, θ) = F(U ρU † , U θU † )

. 5. F(ρ, αθ 1 + (1 − α)θ 2 ) ≥ αF(ρ, θ 1 ) + (1 − α)F(ρ, θ 2 ), α ∈ [0, 1].

2.1.9 Trace Distance The trace distance D between two density matrices θ, ρ is defined to be D(θ, ρ) =

1 tr (|θ − ρ|) 2

√ where we define |A| = A† A. We notice that the trace distance between two single qubits is equal to one half of the ordinary Euclidean distance between them on the Bloch sphere. Properties are listed as follows: 1. 2. 3. 4.

0 ≤ D(θ, ρ) with equality if and only if θ = ρ. D(θ, ρ) ≤ 1 with equality if and only if θ is orthogonal to ρ, i.e., tr (θρ) = 0. D(θ, ρ) = D(ρ, θ) D(ρ1 ⊗ ρ2 , θ 1 ⊗ θ 2 ) ≤ D(ρ1 , θ 1 ) + D(ρ2 , θ 2 ).

2.2 Key Operations

23

2.2 Key Operations 2.2.1 Bell Measurement We consider a system of two particles with spin 1/2. The general state of the system is given by | = α |00 + β |01 + γ |10 + δ |11 with |α|2 + |β|2 + |γ|2 + |δ|2 = 1. If we measure the spin of each particle over ordinary basis {|00 , |01 , |10 , |11}, we will obtain • • • •

(+/2, +/2) with probability of |α|2 . (+/2, −/2) with probability of |β|2 . (−/2, +/2) with probability of |γ|2 . (−/2, −/2) with probability of |δ|2 . Bell measurement is the measurement over the Bell basis:  +  |00 + |11  = , √ 2  +  |01 + |10  = , √ 2

 −  |00 − |11  = √ 2  −  |01 − |10  = √ 2

The Bell measurement which is denoted by μ(|) or μ(σ) will give us the result: • • • •

state |+  with probability of |α + β|2 /2. state |−  with probability of |α − β|2 /2. state |+  with probability of |γ + δ|2 /2. state |−  with probability of |γ − δ|2 /2.

The Bell measurement is a very useful measurement method in quantum mechanics [4]. One example will be given in the Sect. 2.2.3.

2.2.2 Group Operation We consider four operations, the bit-flip operation σ X or X = |0 1| + |1 0|, the phase-flip operation σ Z or Z = |0 0| − |1 1|, the bit+phase-flip operation σY or Y = − |0 1| + |1 0| and the identity operation σ I or I . The group operation under a two-bit string r1r2 is denoted by G R(ρ, r1r2 ).

24

2 Preliminaries

Fig. 2.2 Quantum teleportation

⎧ ρ, ⎪ ⎪ ⎪ ⎨ Z ρZ † , G R(ρ, r1r2 ) = ⎪ X ρX † , ⎪ ⎪ ⎩ Y ρY † ,

r1 r2 r1 r2 r1 r2 r1 r2

= 00 = 01 = 10 = 11

2.2.3 Quantum Teleportation In 1993, Bennett et al. [5] proposed the concept of quantum teleportation. Quantum teleportation is a method that allows us to transmit perfectly an unknown pure quantum state by using a pair of entangled particles. As shown in Fig. 2.2, Alice wants to transmit a particle A with spin 1/2 in an unknown pure quantum state |ψ = α |0 + β |1 with |α|2 + |β|2 = 1 to Bob. In order to realize the teleportation, Alice and Bob share two entangled particles B and √C with spin 1/2. The two particles are in the entangled state |s  = (|01 − |10)/ 2. Consequently, the three particles A, B and C form the state |: α β α β | = √ |001 + √ |101 − √ |010 − √ |110 2 2 2 2 We want to realize the Bell measurement to the pair of particles A and B. We can firstly write | under the Bell basis, i.e., 1 |+  ⊗ (α |1 − β |0) 2 1 + |−  ⊗ (α |1 + β |0) 2 1 − |+  ⊗ (α |0 − β |1) 2 1 − |−  ⊗ (α |0 + β |1)     2  par ticle C

| = +

par ticles AB

We can see that after the measurement of the particles A and B, we obtain that

2.2 Key Operations

25

• if we obtain |− , we can say for sure that the state of the particle C is exactly what we want to transmit |ψ. • if we obtain |+ , we act the phase-flip Z = |0 0| − |1 1| to the particle C, then we obtain the state |ψ. • if we obtain |− , we act the bit-flip X = |0 1| + |1 0| to the particle C, then we obtain the state |ψ. • if we obtain |+ , we act the bit+phase-flip Y = |0 1| − |1 0| to the particle C, then we obtain the state |ψ.

References 1. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2002) 2. Jones, J.A., Jaksch, D.: Quantum Information, Computation and Communication. Cambridge University Press, Cambridge (2012) 3. Basdevant, J.L., Dalibard, J., Joffre, M.: Mécanique quantique. Editions Ecole Polytechnique (2002) 4. Schwabl, F.: Quantum Mechanics. Springer Nature, Berlin (2002) 5. Bennett, C.H., Brassard, G., Crepeau, C.: Teleportation an unknown quantum state via dual classical and EPR channel. Phys. Rev. Lett. 70(13), 1895–1899 (1993)

Chapter 3

Typical Quantum Network Coding Schemes

Many quantum network coding schemes are different in terms of node, channel, resources, security, etc. Considering their own special properties characterized by the additional resources used, quantum network coding schemes can be precisely classified according to what kind of additional resources are used. In this chapter, we introduce several main classes of quantum network coding. Beside non-additional resource scheme, additional resource schemes include prior entanglement scheme, quantum register scheme, quantum repeater scheme, and quantum cluster scheme. Also, performance analysis approaches are summarized.

3.1 Non-additional Resource Scheme 3.1.1 XQQ Hayashi et al. [1] started the first study of quantum network coding. They verified the possibility of quantum network coding and proposed an approximated network coding protocol, namely crossing two qubits (XQQ). This protocol requires three basic operations. Universal cloning (UC) The universal cloning was proposed by Buzek and Hillery [2] as an approximated cloning method of an unknown qubit state. It is given by the TP-CP map U C. 1 2 |00 00| + |+  + | 3 3 √ √ 2 2 |+  11| + |00 + | U C(|0 1|) = 3 3 √ √ 2 2 |11 + | + |+  00| U C(|1 0|) = 3 3 U C(|0 0|) =

© Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_3

27

28

3 Typical Quantum Network Coding Schemes

U C(|1 1|) =

1 2 |11 11| + |+  + | 3 3

This map is intended to clone not only classical states |0 and |1 but also any superposition by mixing the symmetric state |+  with |00 and |11 as the output. Let ρ1 = Tr2 U C(|ψ) and ρ2 = Tr1 U C(|ψ), where Tri is the partial trace over the ith qubit. Then we obtain ρ1 = ρ2 = 23 |ψ ψ| + 13 2I as the universal cloning. We can prove that the universal cloning is 2/3-shrinking. Tetra measurement (TTR) There are the four states as follows: |χ(00) = cos θ˜ |0 + eiπ/4 sin θ˜ |1 |χ(01) = cos θ˜ |0 + e−3iπ/4 sin θ˜ |1 |χ(10) = sin θ˜ |0 + e−iπ/4 cos θ˜ |1 |χ(11) = sin θ˜ |0 + e3iπ/4 cos θ˜ |1 √ form a tetrahedron in the Bloch sphere reprewith cos2 θ˜ = 1/2 + 3/6, which  sentation. We can prove that χ(00), ˆ χ(01), ˆ χ(10), ˆ χ(11) ˆ , where χ ˆ = |χ χ| are linearly independent. The tetra measurement is defined by the   POV M χ(00), ˆ χ(01), ˆ χ(10), ˆ χ(11) ˆ We list some properties of the tetra measurement: • TTR on |χ(z1 z2 ) produces the two bits z1 z2 with probability 1/2, and other three bits with probability 1/6, respectively. Iˆ 1 • The TP-CP map induced by TTR, |ψ → χ(TTR(|ψ)) ˆ = |ψ ψ| + , is 1/33 3 shrinking. 3D Bell measurement(BM) 3D Bell measurement is based on the Bell measurement, denoted by BM (Q, Q ) or BM (σ). The input is the state σ of the two-qubit system Q ⊗ Q . The output belongs to the set |0 , |1 , |+ =

|0 + |1 |0 − |1    |0 + i |1    |0 − i |1 , |− = , + = , − = . √ √ √ √ 2 2 2 2

We apply the following three operations a, b, c with probability 1/3 for each.      |0 , if μ(σ) = + or −     a= |1 , if μ(σ) =  + or  −      |+ , if μ(σ) = + or  +     b= |− , if μ(σ) = − or  −

3.1 Non-additional Resource Scheme

29

Fig. 3.1 XQQ S1

S2

Q2

Q1

Q3

Q4

Q5

Q6 t2

Q7

t1

      + , if μ(σ) = + or  −     c =   − , if μ(σ) =  − or  + Figure 3.1 represents the network configuration. This protocol is described as follows. • • • • • •

Input: |ψ1  at s1 , and |ψ2  at s2 . Output: ρ1out at t1 , and ρ2out at t2 . Step 1: (Q1 , Q2 ) = U C(|ψ1 ) at s1 ; (Q3 , Q4 ) = U C(|ψ2 ) at s2 . Step 2: X = TTR(Q3 ), Q5 = GR(Q2 , X ) at s0 . Step 3: (Q6 , Q7 ) = U C(Q5 ) at t0 . Step 4: ρ1out = GR(Q7 , TTR(Q4 )) at t1 ; ρ2out = BM (Q1 , Q6 ) at t2 .

We observe that the two qubits pass across over the bottleneck channel s0 t0 . The main idea is that by using the tetra measurement, we discretize the qubit Q3 into two classical bits which are then used to encode the qubit Q2 by the Group operation. To recover the qubits at the two sinks, we use the Group operation and the 3D Bell measurement at t1 and t2 , respectively. Because the approximated cloning is used, we cannot get the exactly transmitted qubits at the two sinks. So the fidelity of quantum communication has to be considered. We calculate the fidelity Ft1 at t1 and Ft2 at t2 and obtain 2 1 + ≤ Ft1 ≤ 0.983 2 81√ 1 2 3 • + ≤ Ft2 ≤ 0.983 2 243 •

30

3 Typical Quantum Network Coding Schemes

We observe that the lower bound is strictly greater than 1/2, which means some quantum information has been successfully transferred via the quantum butterfly network by the XQQ protocol.

3.1.2 General Graph The first quantum network coding protocol XQQ [1] achieved the cross transmission of two qubits with fidelity greater than 1/2 for the butterfly network. Then Iwama et al. [3] attempted to extend the result to a larger class of general graph. This protocol requires two basic operations. Entanglement-free cloning The entanglement-free cloning (EFC) is defined as follows:   A TP-CP map f is an EFC for a set of quantum states Q = ρ1 , ..., ρm if there exist p, q > 0 I I such that, for any ρ ∈ Q, f (ρ) = (pρ + (1 − p) ) ⊗ (qρ + (1 − q) ). If such a map exists, 2 2 we say that Q admits an EFC.

Necessary Conditions for EFC   If a set Q = ρ1 , ..., ρm of quantum states admits an EFC, then ρ1 , ..., ρm are linearly independent (on the vector space M2×2 (C)).

Operation of EFCα

  ˆ • Input: ρα = αχ ˆ + (1 − α) 2I where χ ˆ ∈ χ(z ˆ 1 z2 )|z1 z2 ∈ F22 . • Step 1: Apply the tetra measurement on ρα , let X = TTR(ρα ) where X ∈ F22 . • Step 2: Produce the pairs of two bits (Z1 , Z2 ) from the measurement value X according to the following probability distribution: (X , X ) with probability 2 , each of the forms (X , Y ) or (Y , X ) (6 patterns) with probability p1 = 81+6α+α 432 (9−α)(15+α) p2 = where Y is two-bit information different from X, each of the 1296 forms (Y , Y  ) (6 patterns) with probability p3 = (9−α)(3+α) where Y  is two-bit 1296 information different from X and Y , and each of the forms (Y , Y ) (3 patterns) 2 . with probability p4 = 9−2α+α 432 • Step 3: Send |χ(Z1 ) and |χ(Z2 ) to the two outgoing edges. ˆ

For any α > 0, the output of EFCα on input ρα is ( α9 χ ˆ + (1 − α9 ) 2I )⊗2 which is entanglement-free defined above. Before introducing the protocol, we provide some important definitions and lemmas. Degree-3 graph A degree-3 (D3) graph has five different kinds of nodes, fork nodes, join nodes, transform nodes, source nodes, and sink nodes whose (indegree, outdegree) is (1, 2), (2, 1), (1, 1), (0, 1), and (1, 0), respectively.

3.1 Non-additional Resource Scheme

31

Simple classical protocol The classical protocol PC (G) for a D3 graph is called simple if the operation at each node is restricted as follows: 1. The input is sent to the outgoing edge without any change at each source node. 2. The incoming value is just copied and sent to the two outgoing edges at each fork node. 3. The operation of each transform node is constant, one-to-one, or two-to-one. 4. The operation of each join node is the addition (denoted by +) over F22 . 5. The sink node just receives the incoming value (no operation). Lemma For a given general graph G and a classical protocol PC (G), we can transform them to a D3 graph G  and a varying protocol PC (G  ) from which we can design our quantum counterpart PQ (G) by simulating PC (G  ). Protocol PQ (G) In this paragraph, we introduce the algorithm for designing PQ (G) based on all the preliminaries above. Q(v) is the operation at a node v, and α(v) is the shrinking factor at that node v. • • • •

Input: A pair of general graph and classical protocol (G, PC (G)). Output: A QNC protocol PC (G) which simulates PC (G). Step 1: Transform (G, PC (G)) to D3 graph and a simple protocol (G  , PC (G  )). Step 2: Determine a total order for the nodes of G  by their depth (= the length of the longest path from a source node). Break ties arbitrarily. Let v1 , ..., vr be their order. • Step 3: For each v = v1 , ..., vr , do the following work according to the type of a node: – source node: Let α(v) = 1 and let Q(v) = [apply TTR for the source, obtain the measurement value x1 x2 ∈ F22 and send χ(x ˆ 1 x2 ) to its child node]. – joint node: Let α(v) = 19 α(v1 )α(v2 ) where v1 and v2 are v’s parent nodes, and let Q(v) = [apply TTR for the two source states, obtain measurement value ˆ 1 x2 + y1 y2 ) to its child node]. x1 x2 ∈ F22 and y1 y2 ∈ F22 , and send χ(x – fork node: Let α(v) = 19 α(v1) for the parent node v1 , and Q(v) = [apply EFCα(v) for the incoming state and send the resulting two-qubit state to its child nodes]. – sink node: Q(v) = [Do nothing]. – transform node: Let g be the corresponding operation in PC (G  ). If g is a constant function, i.e., for a fixed x1 x2 ∈ F22 , g(.) = x1 x2 , then let α(v) = 1 and Q(v) = [send χ(x ˆ 1 x2 ) to its child node]. Else if g is a one-to-one function, then let α(v) = α(v1 )/3 for the parent node v1 , and Q(v) = [apply TTR for the source ˆ state, obtain the measurement value x1 x2 ∈ F22 and send χ(g(x 1 x2 )) to its child α(v1 ) nodes]. Else g is a two-to-one function, let α(v) = 6−α(v1 ) for the parent node v1 and Qv = [apply TTR for the source state, obtain the measurement value 3 ˆ ˆ 1 y2 ) x1 x2 ∈ F22 , send χ(g(x 1 x2 )) to its child with probability 6−α(v) and send χ(y 3−α(v) and χ(z ˆ 1 z2 ) to its child with probability 2(6−α(v)) for each, where {y1 y2 , z1 z2 } = 2 F2 \Im(g)].

32

3 Typical Quantum Network Coding Schemes

By applying the protocol above, Iwama et al. obtained several important results which lead to the approximate quantum network coding. First of all, for the node v ∈ V , suppose that PC (G  ) produces output values y ∈ F22 from input values (x1 , ..., xn ) ∈ F2n ˆ i ) are supplied to source node si for i = 1, ..., n, 2 . If input states χ(x ˆ ˆ + (1 − α(u)) 2I . Such result leads to the then PQ (G) produces the state α(u)χ(y) main conclusion: Suppose that PC (G) is a classical protocol for the graph G and we supply general input states |ψ1  , ..., |ψn . If PQ (G)   produces output states ρ1 , ..., ρm , the fidelity between ρi and corresponding initial state ψj is greater than 1/2.

This protocol is a quantum simulation of the classical network coding protocol. So the classical network coding protocol is indispensable. It can achieve the transmission of non-entangled states in a general graph G4 network with fidelity greater than 1/2. The key operation used is the EFCα which produces no entanglement thus allowing us to get rid of complicated entanglement situations after propagating in a complex network. By EFC, this protocol can achieve multicasting of quantum states with certain fidelity less than 1.

3.2 Prior Entanglement Scheme 3.2.1 Prior Entanglement Between Senders Entanglement provides some miracle performances in quantum information such as quantum teleportation and dense coding. Leung et al. [4] showed that the combination of quantum teleportation and dense coding enables perfect quantum transmission in the butterfly network. Furthermore, Hayashi [5] explored the effect of prior entanglement and reduced the number of players sharing the prior entanglement. Hayashi’s protocol ((here it is called PE)) [5] uses two pairs of the maximally entangled state + (one of the Bell bases) shared between two senders to transmit two non-entangled quantum states across in the butterfly network. Figure 3.2 shows the network configuration. • Input: |ψ1  at s1 , and |ψ2  at s2 . • Output: ρ1out at t1 , and ρ2out at t2 . • Preparation: s1 and s2 share two pairs of maximally entangled  sources   The two  qubits + A11 A21 , + A12 A22 . One of each maximally entangled particles belongs to the source s1 and the other  one belongs to the source s2 . So the state of the whole system at si is |ψi  ⊗ + A1i A2i , i = 1, 2.   • Step 1: the source si carries out the Bell measurement of the state |ψi  ⊗ + A1i A2i ,  +  −  +  − i = 1, 2. The result { ,  ,  ,  } corresponds to {00, 10, 01, 11}, respectively. For convenience, we denote Xi ∈ {00, 10, 01, 11} as the result of measurement at source si , i = 1, 2. In this case, the state on the remaining site A12

3.2 Prior Entanglement Scheme

33

Fig. 3.2 Sharing maximally entangled states

|ψ2 (UX−1 |ψ1 , respectively), where UX is the recovering (A21 , respectively) is UX−1 2 1 unitary operation for teleportation. (UX−1 , • Step 2: the source s1 (s2 , respectively) performs the unitary operation UX−1 1 2 respectively) to the remaining site A12 (A21 , respectively). |ψ2  and UX−1 |ψ1  at the source s1 and s2 . Hence, we obtain the state UX−1 1 ⊕X2 1 ⊕X2 Then we send the two states to the sinks. The sources also send the two bits strings X1 and X2 to the node s0 . • Step 3: the node s0 performs the XOR operation of X1 and X2 . After that, we send the result to the node t0 then to the sinks t1 and t2 . • Step 4: the sink ti performs the unitary operation UX1 ⊕X2 to the received state |ψi . The output is ρiout = UX1 ⊕X2 UX−1 |ψi  = |ψi . UX−1 1 ⊕X2 1 ⊕X2 The unitary operation UX used in the Step 2 is chosen from  U00 =

       10 1 0 01 0 1 , U10 = , U01 = , U11 = 01 0 −1 10 −1 0

In this protocol, either one-qubit quantum transmission or two-bit classical communication was allowed over the network. If the dense coding was used, one qubit can represent two classical bits.

34

3 Typical Quantum Network Coding Schemes

Fig. 3.3 Sharing non-maximally entangled states

3.2.2 Sharing Non-maximally Entangled States It is difficult to have a maximally entangled state at one’s disposal in real situation. As a successor of [5], Ma et al. [6] investigated quantum network coding via nonmaximally entangled pairs. Their protocol can transmit 2-level quantum states across over the butterfly network with two non-maximally entangled qubit pairs shared only between two senders. Figure 3.3 shows the network configuration. • Input: |ϕ1  = α1 |0 + β1 |1 at s1 , and |ϕ2  = α2 |0 + β2 |1 at s2 with αi2 + βi2 = 1, i = 1, 2. • Output: ρ1out at t1 , and ρ2out at t2 . • Preparation: two sources s1 and s2 share two pairs of non-maximally entangled qubits: |A11 A21 = (b0 |00 + b1 |11)A11 A21 , |A12 A22 = (b0 |00 + b1 |11)A12 A22 with b20 + b21 = 1 and |b0 | < |b1 |. One of each non-maximally entangled particles belongs to the source s1 and the other one belongs to the source s2 . So the state of the whole system at si is |φi  ⊗ |A1i A2i , i = 1, 2. of the state |φi  ⊗ |A1i A2i , • Step 1: the source si carries    out the Bell  measurement i = 1, 2. The result {+ , − ,  + and  − } corresponds to {00, 10, 01, 11}, respectively. For convenience, we denote Xi = ni mi ∈ {00, 10, 01, 11} as the result of measurement at source si , i = 1, 2. We denote also |ϕ1 (X1 ) (|ϕ2 (X2 ), respectively) as the state on the remaining site A21 (A12 , respectively) after the measurement.

3.2 Prior Entanglement Scheme

35

|ϕ2 (X2 ) (UX−1 |ϕ1 (X1 ), • Step 2: the source s1 (s2 , respectively) sends the state UX−1 1 2 respectively) to the sink t2 (t1 , respectively), and sends a classical two-bit string X1 (X2 , respectively) to the node s0 . • Step 3: the node s0 sends a classical three-bit string p1 p2 m1 to t0 . Then t0 sends the same bit string to t1 and t2 . Here p1 p2 = X1 ⊕ X2 . • Step 4: the sink t1 (t2 , respectively) performs the unitary operation Up1 p2 on the |ϕ1 (X1 ) (UX−1 |ϕ2 (X2 ), respectively). The outputs are ρ1out and received state UX−1 2 1 2 ρout . • Step 5: the sink si introduces an auxiliary qubit with the original state |0si . Every sink takes a collective unitary transformation depending on m1 and p2 . (i) the sink s1 takes the collective unitary transformation V0 if m1 = 0, otherwise takes V1 . (ii) the sink s2 takes the collective unitary transformation V0 if m1 = p2 , otherwise takes V1 . If the result is |0Bi , the transmission succeeds, otherwise the transmission fails. The collective unitary transformations are described as follows: ⎡

1

0

0 0

⎢ b0 ⎢ ⎢0 0 ⎢ b1 V0 = ⎢ ⎢0 −1 ⎢ 0 ⎢ 2 b ⎣ 0 1 − 02 0 b1 ⎡ b0 ⎢ 0 ⎢ b1 ⎢ ⎢ 1 0 V1 = ⎢ ⎢ 2 b ⎢ ⎢ 1 − 02 0 ⎣ b1 0 0



⎤

⎥ b20 ⎥ ⎥ b21 ⎥ ⎥ ⎥ 0 ⎥ ⎥ b0 ⎦ − b1

1−

⎤ b20 1− 2 0 ⎥ ⎥ b1 ⎥ 0 0⎥ ⎥ ⎥ b0 ⎥ − 0⎥ ⎦ b1 0 −1

This protocol can transmit entangled state across over the butterfly network. Some new technique such as entanglement distillation and quantum repeater can realize maximally entangled state efficiently. In this protocol, the state of non-maximally entangled particles is also difficult to determine, which means that the coefficients b0 and b1 can hardly be obtained.

36

3 Typical Quantum Network Coding Schemes

3.3 Quantum Register Scheme 3.3.1 Perfect Linear Quantum Network Coding Since it is impossible to achieve perfect quantum network coding without additional assumptions, Kobayashi et al. [7] studied the problem of transmitting quantum states efficiently through a network, which allows free classical communication between any pairs of network nodes. This protocol requires three basic operations. Unitary operator W Let φ be a group isomorphism from the additive group of R to  some abelian group A = Zr1 × · · · × Zrl with li=1 ri = |R| (but φ is not necessarily a ring isomorphism). There are many possibilities for the choice of A and φ. It is convenient to take Zr1 × · · · × Zrl to be the invariant factor decomposition of the additive group of R. For any x ∈ R and i ∈ {1, ..., l}, let φi (x) denote the ith coordinate of φ(x), i.e., an element of Zri . In the quantum setting, each register contains a quantum state over H = C|R| , and denote an orthonormal basis of H by {|z}z∈R . We define a unitary operator W over the Hilbert space H as follows: for any y ∈ R, the operator W maps the basis state |y to the state   l  φi (y)φi (z) 1  |z exp 2πi √ ri |R| z∈R i=1 Note that W is basically the quantum Fourier transform over the additive group of R. Operator Uf1 ,...,fn Let m and n be two positive integers and f1 , ..., fn be n functions from Rm to R. Let Uf1 ,...,fn be the unitary operator over the Hilbert space H⊗m ⊗ H⊗n defined as follows: for any m elements y1 , ..., ym and any n elements z1 , ..., zn of R, the operator Uf1 ,...,fn maps the basis state |y1 , ..., ym  |z1 , ..., zn  to the state |y1 , ..., ym  |z1 + f1 (y1 , ..., ym ), ..., zn + fn (y1 , ..., ym ) Encoding(f1 , ..., fn ) • • • • • •

Input: quantum registers Q1 , ..., Qm ∈ H; Output: quantum registers Q1 , ..., Qn ∈ H and elements a1 , ..., am ∈ R. Introduce n registers Q1 , ..., Qn , each is initialized to |0. Apply the operator Uf1 ,...,fn to (Q1 , ..., Qm , Q1 , ..., Qn ). For each i ∈ {1, ..., m}, apply W to Qi . Measure the first m registers Q1 , ..., Qm in the {|i}i∈R basis. Let a1 , ..., am ∈ R denote the outcomes of the measurements. • Output Q1 , ..., Qn and the m elements a1 , ..., am .

3.3 Quantum Register Scheme

37

Suppose that the contents of the registers Q1 , ..., Qm form the state |y1 , ..., ym (Q1 ,...,Qm ) for some elements y1 , ..., ym of R. Then the state in (Q1 , ..., Qn ) after applying Encoding(f1 , ..., fn ) is of the form exp (2πig(y1 , ..., ym )) |f1 (y1 , ..., ym ), ..., fn (y1 , ..., ym )Q1 ,...,Qn where g is an additive group homomorphism determined by the measurement outcomes a1 , ..., am : g : Rm −→ Q (y1 , ..., ym ) −→

l  m  φi (aj )φi (yj ) i=1 j=1

ri

Perfect quantum network coding using free classical communication is possible over a network with k source–target pairs if there exists a classical linear (or even vector linear) coding scheme over a finite ring. The strategy is to simulate the solution to the associated classical task node by node. More precisely, let v ∈ V be a node of graph G with fan-in m and fan-out n. The classical protocol performs fv,1 , ..., fv,n to the m inputs and produces n outputs, each fv,i corresponds to one output. The quantum simulation is designed as follows: the quantum procedure Encoding(fv,1 , ..., fv,n ) is used on the inputs of m quantum registers to v through its m incoming edges. The procedure outputs n registers and m elements a1 , ..., am of R. Then all the elements a1 , ..., am are sent to each target node (via free classical communication), and the n registers are sent along the n outgoing edges of v. Such a simulation is done for all the nodes in V . Finally, the phases are corrected at each target with the help of the elements transmitted by classical communication. The linearity of the function f makes phase correction possible. Here we will give an example of using this protocol to simulate the classical network coding with a little modification. Rather than the case of multicast, we study the k-pair problem sending a quantum state |ψs  (potentially entangled quantum state) from s1 and s2 to the target nodes t1 ans t2 . Figure 3.4 shows the network configuration. s0 , s1 , s2 , t0 , t1 , t2 are nodes of the network and S1 , S2 , T1 , T2 , R1 − R7 are single-qubit quantum registers. The space of the information forms a ring R, in this case R = F2 , possessing the operation of addition “+”. The Hilbert space H for a single qubit has consequently two dimensions. We denote {|z}z∈F2 as an orthonormal basis of H. By using the tensor product, we can construct the Hilbert space for any number of qubits. All the registers are supposed to be initialized to |0. According to the protocol, the measurement results at each node are sent to both t1 and t2 , and the measured registers are disregarded. First of all, we list the operators which will be used in the protocol. The copy procedure Encoding(fI , fI ) which is applied at nodes s1 , s2 , t0 is implemented by using the Hadamard operator W , here a unitary operator UfI ,fI maps the state |y |z1 , z2  to the

38

3 Typical Quantum Network Coding Schemes

Fig. 3.4 Perfect QNC

S1

S2 S1

S2

R2

R4 S0

R3

R5

R1 t0

R6

R7

t2

T2

t1

T1

state |y |y + z1 , y + z2  and “+” is the addition operation in the ring F2 . The addition procedure Encoding(f+ ) which is applied at nodes s0 , t1 , t2 is implemented by using the Hadamard operator H, here a unitary operator Uf+ mapping the state |y1 , y2  |z to |y1 , y2  |z + y1 + y2  and f+ is the addition in the ring F2 . All the operators UfI ,fI and Uf+ can be realized by using the controlled-NOT    operators. The controlled-NOT  operator defined in the ring F2 maps the state |z z  to the state |z z + z  . Suppose the quantum state is stored in the registers (S1 , S2 ), we want to transmit it in a general form. |ψs (S1 ,S2 ) = α00 |0S1 |0S2 + α01 |0S1 |1S2 + α10 |1S1 |0S2 + α11 |1S1 |1S2 •

Step 1: Implement UfI ,fI (S1 , R1 , R2 ) and UfI ,fI (S2 , R3 , R4 ), then obtain the state α00 |0S1 |0R1 |0R2 |0S2 |0R3 |0R4 +α01 |0S1 |0R1 |0R2 |1S2 |1R3 |1R4 +α10 |1S1 |1R1 |1R2 |0S2 |0R3 |0R4 +α11 |1S1 |1R1 |1R2 |1S2 |1R3 |1R4

• Step 2: Apply the operator W to each register S1 and S2 , then measure these two registers in the basis {|z}z∈F2 . Let a ∈ F2 and b ∈ F2 denote the measurement outcomes, then obtain the state

3.3 Quantum Register Scheme

39

α00 |0R1 |0R2 |0R3 |0R4 +(−1) α01 |0R1 |0R2 |1R3 |1R4 +(−1)a α10 |1R1 |1R2 |0R3 |0R4 b

+(−1)a+b α11 |1R1 |1R2 |1R3 |1R4 After that, send the registers R1 , R2 , R3 and R4 to t2 , s0 , t1 and s0 , respectively. a and b are sent to both target nodes, i.e., t1 and t2 , by classical communication. • Step 3: Prepare a new register R5 initiated to |0 on the node s0 , and implement Encoding(f+ ) by executing CNOT (R2 ,R5 ) and CNOT (R4 ,R5 ) . The quantum state becomes α00 |0R1 |0R2 |0R3 |0R4 |0R5 +(−1) α01 |0R1 |0R2 |1R3 |1R4 |1R5 +(−1)a α10 |1R1 |1R2 |0R3 |0R4 |1R5 b

+(−1)a+b α11 |1R1 |1R2 |1R3 |1R4 |0R5 • Step 4: Measure the registers R2 and R5 in the Hadamard basis. The measurement outcomes, denoted by c1 and c2 , are sent to both target nodes. The quantum state becomes α00 |0R1 |0R3 |0R5 +(−1) +(−1)

b+c2

a+c1

α01 |0R1 |1R3 |1R5 α10 |1R1 |0R3 |1R5

+(−1)a+b+c1 +c2 α11 |1R1 |1R3 |0R5 After that, send the register R5 to the node t0 . • Step 5: Prepare two registers R6 and R7 on the node t0 , implement UfI ,fI (R5 , R6 , R7 ) and measure register R5 in the Hadamard basis. The measurement outcome is denoted by d . The quantum state becomes α00 |0R1 |0R3 |0R6 |0R7 b+c2 +d

α01 |0R1 |1R3 |1R6 |1R7

a+c1 +d

α10 |1R1 |0R3 |1R6 |1R7

a+b+c1 +c2

α11 |1R1 |1R3 |0R6 |0R7

+(−1) +(−1) +(−1)

After that, send the register R6 and R7 to t2 and t1 , respectively. d is sent to t1 and t2 . • Step 6: Prepare two registers T1 and T2 on the node t1 and the node t2 , then apply CNOT (R3 ,T1 ) , CNOT (R7 ,T1 ) , CNOT (R1 ,T2 ) and CNOT (R6 ,T2 ) for Encoding(f+ ). The resulting state becomes

40

3 Typical Quantum Network Coding Schemes

α00 |0R1 |0R3 |0R6 |0R7 |0T1 |0T2 b+c2 +d

α01 |0R1 |1R3 |1R6 |1R7 |0T1 |1T2

a+c1 +d

α10 |1R1 |0R3 |1R6 |1R7 |1T1 |0T2

+(−1) +(−1)

+(−1)a+b+c1 +c2 α11 |1R1 |1R3 |0R6 |0R7 |1T1 |1T2 • Step 7: Measures R3 and R7 (R1 and R6 , respectively) in the Hadamard basis on the node t1 (t2 , respectively). Let e1 and e2 (f1 and f2 , respectively) be the outcomes of the measurement. The quantum state becomes α00 |0T1 |0T2 +(−1)b+c2 +d +e1 +e2 +f2 α01 |0T1 |1T2 +(−1)a+c1 +d +e2 +f1 +f2 α10 |1T1 |0T2 +(−1)a+b+c1 +c2 +e1 +f1 α11 |1T1 |1T2 • Step 8: On the node t1 (t2 , respectively), apply the quantum operation Y1 (Y2 , respectively) mapping, for any z ∈ F2 , the basis state |zT1 to the state (−1)(a+c1 +d +e2 +f1 +f2 )z · |zT1 (mapping |zT2 to the state (−1)(b+c2 +d +e1 +e2 +f2 )z |zT1 , respectively). The quantum state becomes |ψS (T1 ,T2 ) = α00 |0T1 |0T2 + α01 |0T1 |1T2 + α10 |1T1 |0T2 + α11 |1T1 |1T2 The input state of this protocol is generally entangled state between the sources. This protocol is a simulation of the classical linear network coding protocol for the k-pair problem. The linearity of the classical network coding protocol allows the phase correction at each target. This protocol realizes the propagation of entangled state over a network. Li et al. [8] proposed a more efficient protocol for the extended butterfly network and reduced communication cost by using a certain special type of quantum operations.

3.3.2 Perfect Nonlinear Quantum Network Coding The general scheme for perfect quantum network coding by simulating the classical linear network coding protocol for the k-pair problem has been proposed in [7]. In fact, there are some networks for which no linear solutions exist to the k-pair problem, whereas nonlinear solutions should exist. We wonder whether nonlinear classical network coding schemes can help design quantum network coding schemes. Kobayashi et al. [9] used the same quantum operators as the perfect linear protocol. All difficulties come from the non-linearity of classical protocols for which we cannot correct the phase errors at each target node. Consequently, we need to correct the phase errors locally. More precisely, we send the measurement outcomes to the nodes

3.3 Quantum Register Scheme

41

to which the current node has incoming edges and correct the phase introduced by the measurements. If these operations could be done in a proper order, the phase errors can be corrected perfectly. In reverse, the difficulty also provides convenience that only undirected classical communication between two adjacent nodes is needed. They proved that perfect quantum network coding is also possible for the graphs which only have nonlinear classical solutions [10]. By combining with the result obtained in [7], we can say that a quantum protocol solving any instance of the k-pair problem exists, if the corresponding classical version is solvable under any coding scheme (linear or nonlinear). This protocol is a simulation of the classical nonlinear quantum network coding protocol. Classical communication is needed, but is only used between two nodes linked by quantum channel.

3.3.3 Perfect Quantum Network Coding for Multicast Kobayashi et al. [7] has studied the case of perfect quantum network coding by simulating the classical linear network coding protocol for the k-pair problem. The hypotheses is that a classical network possesses a solution to the k-pair problem. Then they slightly changed the hypotheses in [10] which assumes that classical linear network coding over F2 is possible in the multicast model. Generally, we consider the qubits as the carrier of quantum information. The orthonormal basis of a qubit is {|i}i∈F2 , where F2 = Z/2Z. And the general state of a qubit is given by |ψ = α |0 + β |1, where |α|2 + |β|2 = 1 and α, β ∈ C. state of a quantum The Hilbert space EH of a qubit is two dimensional. A general register of n qubits is a normalized vector in EH⊗n , given by |ψ = x∈Fn2 αx |x, where  2 x∈Fn2 |αx | = 1 and αx ∈ C. This protocol requires some basic operations. Elementary clifford operation The following four operations are called elementary clifford operations: • σX = |0 1| + |1 0| • σZ = |0 0| − |1 1| |0 − |1 |0 + |1 0| + √ 1| = |+ 0| + |− 1| • Hadamard operator √ 2 2 • CNOT (A,B) = |0 0|A ⊗ (|0 0|B + |1 1|B ) + |1 1|A ⊗ (|1 0|B + |0 1|B ) Let us look closely at the functions of these four operations. Let |ψ = α |0 + β |1. For σX |ψ = β |0 + α |1, the operation σX changes the coefficients of |0 and |1. For σZ |ψ = α |0 − β |1, the operation σZ changes the sign of the coefficients of |1. The Hadamard operator is a linear operation mapping the |0 to the |+ and the |1 to the |−. For the CNOT operation or controlled-NOT operator, we list four elementary results:

42

3 Typical Quantum Network Coding Schemes

xi

x1

Fig. 3.5 A classical node with m inputs and n outputs

z1

...

...

...

... zj

xm

zn

|00 → |00 , |01 → |01 , |10 → |11 , |11 → |10 We can see that the state of the particle A is a controller. When the state of A is |0, we do nothing to the particle B. When the state of A is |1, we change the state of B.    Effect of measuring in the Hadamard basis For a joint state ψ(A,B) = x∈Fn2 αx   |f (x)A · |f (x)B , the state in A obtained from ψ(A,B) by measuring each qubit in B in  |B| the {|+ |−} basis has the form |ψA  = x∈Fn2 (−1)y0 .g(x) αx |f (x) where y0 ∈ F2 is a random vector of measurement results.  L(x) αx |x can be mapped to the state Phase error fixing The state x∈Fn2 (−1)  n αx |x. x∈F2 Quantum coding operation The quantum coding operation is a method of simulating the classical coding operation. For simplicity, we consider the case where each edge has the capacity one. Let us consider a node v ∈ V with m-fan-in and n-fan-out performing classical   linear coding. The node has m inputs {xi ∈ F2 }i∈{1..m} and n outputs zj ∈ F2 j∈{1..n} . This node can be represented by  Fig. 3.5. For each output zj ∈ F2 , zj = m i=1 γji xi , where j ∈ {1..n} and γji is a fixed coefficient in F2 . Now let us look at the quantum counterpart, quantum coding operations. For this   purpose, we should attach n new ancilla qubits zj , j ∈ {1..n} initialized to|0 for each output edge, as shown in the left sub-image of Fig. 3.6. Then for every zj , we execute the CNOT operation according to the value of γji . If γji = 0, we do nothing   zj . If γji = 1, we execute CNOT (|xi  , zj ). In the end, we can obtain to    the state   zj =  m γji xi . Furthermore, we can send the n ancillas zj , j ∈ {1..n} along on i=1 the n outgoing edges and all the incoming qubits are retained at the node. Thus we simulate the classical coding by means of qubits. Fan-out operation The operation is in fact the copy of the incoming quantum state. This operation does not violate the no-cloning theorem because we only use two orthogonal vectors |0 and |1. The operation is a special case of quantum coding operations such that only one input state |x , x ∈ F2 , and γj1 = 1. The procedure is represented by Fig. 3.7.

3.3 Quantum Register Scheme

x1

xi

...

43

xm

x1

... CNOT according to

... 0

...

...

...

...

z1

0

xm

ji

... 0

xi

zj

zn

Fig. 3.6 Quantum coding with m inputs and n outputs

x

x

CNOT

... 0

... 0

... 0

x

... x

x

Fig. 3.7 Fan-out operations

Measurement It is used to make the superfluous qubits (kept at each node) collapse, by measuring them in the Hadamard basis. Let G = (V, E) be a quantum network with a subset S ⊆ V of source nodes and an integral weight that describes its quantum capacity. Assume that classical network coding is possible in the multicast model from S to T . Then perfect quantum teleportation from S to any ordered subset T0 ⊆ T with |S| = |T0 | is possible. This protocol is a quantum simulation of classical network coding for the multicast problem. Non-entangled states can be transmitted through a network. This protocol realizes the construction of quantum channels (EPR-pairs) between a source and a target.

3.4 Quantum Repeater Scheme The perfect quantum network coding schemes proposed in [7, 9, 10] primarily focus on an abstract model, in which quantum registers can be freely introduced at each nodes. However, the implementation of a quantum system should be taken account of. One fact is that it is difficult to realize long-distance quantum communication

44

3 Typical Quantum Network Coding Schemes

Fig. 3.8 Quantum repeater network

EPR-pair

S

A

Quantum repeater B

r

C

D

t

Classical channel (free, undirected)

using quantum registers. In reverse, quantum repeater is a potential approach for dealing with this problem. Satoh et al. [11] aimed to explore the quantum repeater and design a quantum network coding protocol for quantum repeater networks. Quantum repeater network consists of a number of quantum repeaters, undirected classical channels, and EPR-pairs |+  (each pair of adjacent quantum repeaters shares one EPR-pair). Figure 3.8 is an example of a network with three quantum repeaters, two EPR-pair, and two undirected classical channels. This protocol requires some basic operations. Connection ConCR→T Connection is a non-unitary operation between two repeaters (u and v). Repeater u has Control and Resource qubits (C and R). Repeater v has a Target qubit (T ). Procedure: • Setup: C and R are 1-qubit registers owned by u. T is a 1-qubit register owned by v. R and T share an EPR-pair |+ . • Step 1: u applies CONT (C,R) . • Step 2: u measures R in the {|0 , |1} basis. Let a ∈ {0, 1} be the outcome. • Step 3: u sends a to v via a classical channel. • Step 4: If a = 1, then v applies σX to T . For an initial state |init = (α |ψ0  |0C + β |ψ1  |1C ) ⊗ |+ RT ⊗ |, the output of ConCR→T (|init ) is final = (α |ψ0  |00CT + β |ψ1  |11CT ) ⊗ |. Connection: Fanout FanoutRC1 →T1 ,R2 →T2 Connection: Fanout is a variant of the Connection operation. Fanout is a non-unitary operation between three repeaters (u, v, and w). Repeater u has Control and Resource qubits (C and R1 , R2 ), repeater v and w have target qubits T1 and T2 , respectively. R1 shares an EPR-pair |+  with T1 , and R2 with T2 . Procedure: • Setup: C, R1 and R2 are 1-qubit registers owned by u. T1 is a 1-qubit register owned by v. T2 is a 1-qubit register owned by w. • Step 1: u and v apply ConCR1 →T1 . • Step 2: u and w apply ConCR2 →T2 . For an initial state |init  = (α |ψ0  |0C + β |ψ  1  |1C ) ⊗ |+ R1 T1 |+ R2 T2 ⊗ |, the output of FanoutRC1 →T1 ,R2 →T2 (|init ) is final = (α |ψ0  |000CT1 T2 + β |ψ1  |111CT1 T2 ) ⊗ |.

3.4 Quantum Repeater Scheme

45

C1 ,C2 Connection: Add AddR→T Connection: Add is a variant of the Connection operation. Add is a non-unitary operation between two repeaters (u and v). Repeater u has Control and Resource qubits (C1 , C2 and R), repeater v has target qubit T . R shares a EPR-pair |+  with T. Procedure: • Setup: C1 , C2 and R are 1-qubit registers owned by u. T is a 1-qubit register owned by v. • Step 1: u applies CNOT (C1 ,R) . 2 . • Step 2: u and v apply ConCR→T For an initial state |init  = (α |ψ0  |0C1 + β |ψ1  |1C1 ) ⊗ (γ |φ0  |0C2 + δ   C1 ,C2 |φ1  |1C2 ) ⊗ |+ CD ⊗ |, then the output of AddR→T (|init ) is final = ((αγ |ψ0  |φ0  |00C1 C2 + βδ |ψ1  |φ1  |11C1 C2 ) |0T + (αδ |ψ0  |φ1  |01C1 C2 + βγ |ψ1  |φ0  |10C1 C2 ) |1T ) ⊗ |.

Removal RemR→T Removal is a non-unitary operation between two repeaters (u and v) which deletes a resource qubit R of a quantum state using measurement in the Hadamard basis and σZ . Repeater u has Resource qubit R, repeater v has target qubit T . R shares a EPR-pair |+  with T . Procedure: • Setup: R is a 1-qubit register owned by u. T is a 1-qubit register owned by v. • Step 1: u applies the Hadamard gate to R. • Step 2: u measures R in {|0 , |1} basis. Let a ∈ {0, 1} be the outcome. • Step 3: u sends a to v via a classical channel. • Step 4: If a = 1, then v applies σZ to T . For an initial state |init  = (α |00RT |ψ00  + β |11RT |ψ11 ) ⊗ |, then the output of RemR→T (|init ) is final = (α |0T |ψ00  + β |1T |ψ11 ) ⊗ |. Removal: Add RemAddR→T1 ,T2 Removal: Add is a variant of the removal operation. RemAdd is a non-unitary operation between three repeaters (u, v, and w) which deletes the target qubit used in Connection: Add operation. Repeater u has Resource qubit R, repeater v has target qubit T1 and w has T2 . R, T1 and T2 are entangled. Procedure: • Setup: R is a 1-qubit register owned by u. T1 is a 1-qubit register owned by v. T2 is a 1-qubit register owned by w. • Step 1: u applies the Hadamard gate to R. • Step 2: u measures R in {|0 , |1} basis. Let a ∈ {0, 1} be the outcome. • Step 3: u sends a to v and w via a classical channel. • Step 4: If a = 1, then v and w apply σZ to T1 and T2 .   1  ⊗ |, then the output For an initial state |init  = i,j=0 aij |ijAB |i ⊕ jC ψij     1  of RemAddR→T1 ,T2 (|init ) is final = ⊗ |. i,j=0 aij |ijAB ψij With the help of the above techniques, we can design a protocol without additional registers that creates two quantum channels (EPR-pairs) between s1 and t1 , s2 and t2 ,

46

3 Typical Quantum Network Coding Schemes s1

C

s2

G

A

s2

A

E D

s1 E

H s0

s0

I

J

t0

t0 K

M

B t2

B

F L

N

t1

t2

F t1

Fig. 3.9 Repeater QNC

and are then able to perform quantum teleportation. The butterfly repeater network as well as the execution result of the protocol is represented by Fig. 3.9. Procedure: • Setup: Described as Fig. 3.9. • Step 1: s1 and r1 apply ConAC→D ; s2 and r2 apply ConEG→H . • Step 2: r1 and r2 apply AddID,H →J . J • Step 3: r2 , t1 , and t2 apply FanoutK→L,M →N . (N ,F) • Step 4: t1 applies CNOT ; t2 applies CNOT (L,B) . • Step 5: t2 and r2 apply RemL→J ; t1 and r2 apply RemN →J . • Step 6: r2 and r1 apply RemAddJ →D,H . • Step 7: r1 and s1 apply RemD→A ; r1 and s2 apply RemH →E This protocol which creates two quantum channels from sources to sinks can transmit two non-entangled qubits across over the butterfly network. This protocol is independent of the classical network coding protocol. The Ref. [12] studied the performance of the repeater scheme under the conditions of noise, errors, and shortage of quantum resources. They have found that the repeater scheme is more sensitive to entanglement errors (errors on the initial Bell pairs), Pauli errors and local gate errors than entanglement swapping. In short, the repeater scheme is useful when the quantum resources are limited or high communication speed is required.

3.5 Quantum Cluster Scheme

47

3.5 Quantum Cluster Scheme Since it is impossible to achieve the perfect quantum network coding without additional assumptions, Li et al. [8] studied the solubility of perfect quantum network coding by taking advantage of global entanglement state (2D and 3D cluster states). The cluster state belongs to a family of highly entangled multi-particle quantum states, which can be efficiently parameterized by mathematical graphs [13]. The cluster state is generally considered as a communication resource. By exploring the properties of the cluster state, they proposed a perfect quantum network coding k-pair problem protocol for butterfly network, grail network, and extended butterfly network. They have also proposed a new approach based on stabilizer to analyze the resolvability of a certain quantum multi-unicast network. In this protocol, free classical communication is also needed. The bigraph property of a cluster allows parallel operations which give a constant-step scheme as the scale of a network increases.

3.6 Performance Analysis In 2011, Jain et al. [14] studied the non-additional resource schemes and the entanglement-supported schemes by information-theoretic and graph-theoretic approach. In 2014, Nishimura [15] summarized the known results of quantum network coding, mainly focusing on the multi-unicast networks. These two references are few achievements that study the quantum network coding schemes by theoretical approach. More study of quantum network coding needs to be developed. Especially, there are very few results on general networks for difficulties.

3.6.1 Achievable Rate Region The basic setting of the well-known butterfly network is the so-called one-shot, i.e., one qubit at each source node must be sent to the corresponding target node by a single use of the network. Leung et al. [16] extended this setting to the following asymptotic version. Achievable rate A rate (r1 , . . . , rk ) is achievable in a quantum network N if there is a choice of quantum operations such that by n uses of N , each si can send n(ri − δn ) qubits to with fidelity 1 − n , where δn , n → 0 as n → ∞. In this asymptotic setting, they investigated inner and outer bounds of the rates in several simple networks. In the butterfly network, it was proven that the rate region was bounded by r1 + r2 ≤ 1, which is trivially achievable by routing. In their proof, any protocol on the butterfly network was reduced to a quantum secret sharing protocol where the quantum secret is the two source qubits. Then they gave the

48

3 Typical Quantum Network Coding Schemes

above outer bound by applying a lower bound on the quantum secret sharing [17, 18]. Hayashi [5] also proved a similar impossibility result without reducing to the quantum secret sharing by using information-theoretic arguments more directly. He also improved the upper bound of the fidelity of the one-shot case to 0.951.

3.6.2 With Free Classical Communication In this section, we give the case where classical communication is available in addition to the basic quantum networks. This setting can be considered as the second-best when quantum network coding is impossible in the basic setting since the cost of classical communication is much cheaper than that of quantum communication. In the case where classical communication is freely available between any two nodes, Leung et al. [16] made an important observation: the underlying quantum network becomes undirected. In fact, we can send a qubit in the reverse direction of each directed edge by first preparing an EPR pair using the directed quantum channel corresponding to the edge, and then by applying quantum teleportation using two free classical bits and the EPR pair. For the butterfly network, this enables us to send two qubits from s1 to t1 by a single use of the network, and two qubits from s2 to t2 by another single use. Thus, the rate (r1 , r2 ) = (x, 2 − x) (where 0 ≤ x ≤ 2) becomes achievable by time sharing (and this is shown to be optimal by a simple min-cut argument). On the contrary, Kobayashi et al. [9, 10] showed the following relation between classical and quantum network coding in general multiple unicast networks. Theorem 3.1 If the rate (r1 , . . . , rk ) is achievable in a classical network, then the same rate is also achievable in the corresponding quantum network under free classical communication. Note that the converse of Theorem 3.1 is trivially false when the classical network is directed since the quantum network becomes undirected due to free classical communication. However, if the classical network is undirected, it is open to show whether the converse holds or not. In the case where classical one-way communication is freely available, Leung et al. [16] studied the case where classical communication is freely available according to the directed edges of the underlying graph. Although we cannot reverse the edges at will, we can increase the rates in some networks, compared to the case of no additional resources. For example, the rate (r1 , r2 ) = (0.5, 1) is achievable in the butterfly network as follows: (i) s1 sends the two subsystems of an EPR pair to s0 and t2 , respectively. (ii) s2 sends s0 a source qubit, and s0 teleports it to t2 by using the EPR pair and free two bits. (iii) s1 and s2 send their qubits by routing. This protocol uses the network twice while one qubit is sent from s1 to t1 , and two qubits are sent from s2 to t2 . A similar protocol with time sharing achieves the rate region {(r1 , r2 )|r1 , r2 ≤ 1, r1 + r2 ≤ 1.5}, which was proven to be optimal.

3.6 Performance Analysis

49

3.6.3 With Free Entanglement In this section, we give the case where entanglement is allowed as additional resources. While entanglement is not cheaper than classical communication, there is an advantage that we can prepare it offline, i.e., at any time. In the case where any two nodes in a quantum network share any entangled state at will, Leung et al. [16] observed two facts that can be immediately obtained from quantum teleportation and dense coding. The first fact is the exact relation between the amounts of quantum and classical communication that can be sent on a quantum network. Proposition 3.1 Under free entanglement, the achievable rate for “quantum communication” in a quantum network is exactly half of that for “classical communication” in the same network. Leung et al. gave the exact rate region {(r1 , r2 )|r1 , r2 ≤ 2} for classical communication in the butterfly network. By Proposition 1, this implies that the rate region for quantum communication is {(r1 , r2 )|r1 , r2 ≤ 1}. The second fact is a relation between the amount of quantum communication on a quantum network and the amount of classical communication on the corresponding classical network. Proposition 3.2 The achievable rate for quantum communication in a quantum network under free entanglement is at least that for classical communication in the corresponding classical network. The converse of Proposition 3.2 was conjectured, but it still remains an interesting open question. If the conjecture is true, it implies that by Proposition 1, the rates for classical communication in quantum networks (even with free entanglement) is at most twice as much as those in classical networks, which extends the known results for point-to-point communication channels to networks. In the case where any two neighboring nodes are allowed to share entanglement, the Hayashi’s impossibility proof [11] implies that the achievable rate region in the butterfly network is also the same as that for the case of no additional resources. Recently, motivated by quantum repeater networks [19], Satoh et al. [11] studied the setting where any two neighboring nodes share EPR pairs and free classical communication is allowed, but no quantum communication is available and any extra qubits other than receiving qubits are not allowed to use at each node (which make the physical implementation easier). In this setting, they gave a protocol for the butterfly network that can send two source qubits simultaneously by a single use of the network. In the case where any source nodes are allowed to share entanglement, Hayashi [5] introduced a bit flexible setting where each edge can choose sending one qubit or two bits. This was motivated by the equivalence between one qubit and two bits under shared entanglement via quantum teleportation and dense coding. Then he showed that two source qubits can be sent simultaneously by a single use of

50 Table 3.1 Performance

3 Typical Quantum Network Coding Schemes N C1 C2 E1 E2

{(r1 , r2 )|r1 + r2 ≤ 1} {(r1 , r2 )|r1 + r2 ≤ 2} {(r1 , r2 )|r1 , r2 ≤ 1, r1 + r2 ≤ 1.5} {(r1 , r2 )|r1 , r2 ≤ 1} {(r1 , r2 )|r1 + r2 ≤ 1}

thenetwork. This possibility result can be regarded as swapping two source qubits on the butterfly network. Under this viewpoint, Soeda et al. [20] investigated which two-qubit operations can be done on the butterfly network.

3.6.4 Comparison of Schemes We summarize the achievable rate region in the butterfly network for quantum communication in Table 3.1, where N , C1, C2, E1, and E2 represent the basic settings with no additional resources, with free classical communication among any nodes, with free classical communication according to the directed edges, with free entanglement among any two nodes, and with free entanglement between neighboring nodes, respectively.

3.6.5 Comparison with Routing One may wonder that the optimal rates in all quantum networks are achievable by network coding or routing. Jain et al. [14] observed that there exists a quantum network such that the achievable rate by network coding is k times the rate by routing, here k is the number of source-target pairs. This example was based on the classical example by using quantum teleportation and dense coding, which allow us to take advantage of directed edges that are trivially useless by any routing protocol [21]. The results are summarized below: 1. On the butterfly network, the total quantum information flow is bounded by what can be routed through the bottleneck channel. 2. For the k-pair multiple unicast problem and for all k ≥ 2, there exists a family of networks where quantum network coding achieves k times greater quantum information flow than what can be achieved by routing, with entanglement assistance that is intrinsic to the topology of a network. 3. Given a non-entanglement-supported k-pair multiple unicast problem on a network N , the 1-max-flow is bounded by the sparsest multi-cut capacity.

References

51

References 1. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007) 2. Buzek, V., Hillery, M.: Quantum copying: beyond the no-cloning theorem. Phys. Rev. A 54(3), 1844–1852 (1996) 3. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs. Physics 52(3), 610–621 (2006) 4. Leung, D., Oppenheim, J., Winter, A.: Quantum network communication-the butterfly and beyond. IEEE Trans. Inf. Theory 56(7), 3478–3490 (2010) 5. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding with modification. Phys. Rev. A 76(4), 538 (2007) 6. Ma, S.Y., Chen, X.B., Luo, M.X., et al.: Probabilistic quantum network coding of M-qudit states over the butterfly network. Opt. Commun. 283(3), 497–501 (2010) 7. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: General scheme for perfect quantum network coding with free classical communication. In: International Colloquium on Automata, Languages and Programming (ICALP), pp. 622–633 (2009) 8. Li, J., Chen, X., Sun, X., et al.: Quantum network coding for multi-unicast problem based on 2D and 3D cluster states. Sci. China Inf. Sci. 59(4), 1–15 (2016) 9. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes from classical nonlinear protocols. In: IEEE International Symposium on Information Theory (ISIT), pp. 109–113 (2011) 10. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Perfect quantum network communication protocol based on classical network coding. In: IEEE International Symposium on Information Theory, pp. 2686–2690 (2010) 11. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A 86(3), 9591–9598 (2012) 12. Satoh, T., Ishizaki, K., Nagayama, S., et al.: Analysis of quantum network coding for realistic repeater networks. Phys. Rev. A 93(3), 032302 (2016) 13. Briegel, H.J., Browne, D.E., Dur, W., et al.: Measurement-based quantum computation. Nat. Phys. 5(1), 19–26 (2009) 14. Jain, A., Franceschetti, M., Meyer, DA.: On quantum network coding. J. Math. Phys. 52(3), 032201 (2011) 15. Nishimura, H.: Quantum network coding—how can network coding be applied to quantum information? In: International Symposium on Network Coding (NetCod), pp. 1–5 (2013) 16. Leung, D., Oppenheim, J., Winter, A.: Quantum network communication: the butterfly and beyond. IEEE Trans. Inf. Theory 56(7), 3478–3490 (2010) 17. Gottesman, D.: On the theory of quantum secret sharing. Phys. Rev. A 61(4), 042311 (1999) 18. Imai, H., Muellerquade, J., Nascimento, A.C.A., et al.: A quantum information theoretical model for quantum secret sharing schemes. Quantum Inf. Comput. 5(1), 69–80 (2003) 19. Briegel, H.J., Dur, W., Cirac, J.I., et al.: Quantum repeaters: the role of imperfect local operations in quantum communication. Phys. Rev. Lett. 81(26), 5932–5935 (1998) 20. Soeda, A., Kinjo, Y., Turner, P.S., et al.: Quantum computation over the butterfly network. Phys. Rev. A 84(1), 012333 (2011) 21. Harvey, N.J., Kleinberg, R.D., Lehman, A.R.: Comparing network coding with multicommodity flow for the K-pairs communication problem. MIT LCS technical report 964 (2004)

Chapter 4

Quantum Network Coding Based on Repeater

How to design network coding beyond the butterfly network is desired to be resolved. Quantum repeaters are potential candidates to create nonlocal entanglement between distant particles and realize long-distance quantum communication. In this chapter, we introduce a quantum network coding scheme for general repeater networks with either maximally or non-maximally entangled EPR-pairs and apply it to complex network scenarios. Considering the resource consumption and security of quantum repeater network, we introduce a quantum network coding scheme with an EPR-pair distribution controller, which can realize long-distance quantum communication with minimal resource consumption.

4.1 Quantum Network Coding for General Repeater Networks 4.1.1 Requirement of General Networks Evidently, typical quantum network coding schemes were designed based on the butterfly network. It is more difficult and meaningful to design quantum network coding beyond the butterfly network. In 2009, Kobayashi et al. [1] pointed out that perfect quantum network coding is feasible for any graph. In 2013, Nishimura et al. [2] summarized the achievable rate region in the butterfly network for quantum communication, and pointed out that the future works of quantum network coding should be extended to general graphs. With the rapid development of quantum network, the complexity of actual network topology brings challenges to quantum network coding, i.e., it remains to be an open problem of how to realize quantum communication on general networks securely and efficiently. In order to design quantum network coding for general networks, a few valuable schemes have been proposed. Iwama et al. [3] proposed the quantum network coding scheme in general graph networks by using a new cloning method called EFC © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_4

53

54

4 Quantum Network Coding Based on Repeater

(entanglement-free cloning) which solves the problem of entanglement in quantum cloning, and adopting graph transformation which has extremely important significance in the complex algorithm design because of its nature. Although the existing quantum network coding scheme for general graphs can achieve fidelity larger than 1/2, the optimality of EFC and efficiency remain to be solved. As we know, repeaters are necessary for remote quantum communication in a general network. Yan et al. [4] proposed the scheme of quantum repeater, with which quantum communication systems can be used for long-distance quantum communication. Then they [5] further designed the scheme of long-distance quantum communication system with the source of entangled photon pairs, which transmits quantum information by the principle of simple entanglement swapping. Moreover, Satoh et al. [6] presented a quantum network coding scheme for quantum repeaters with certain quantum operations under weaker assumption that adjacent nodes initially share one maximally entangled EPR-pair but cannot add any quantum registers or send any quantum information. The feasibility of quantum network coding for quantum repeaters was verified. Hence, we can easily conclude that quantum repeaters are promising candidates for the implementation of general quantum networks. Currently, quantum repeaters are mainly used in the butterfly network, how to set the initial condition and ensure the feasibility of algorithms in networks with complex topology is remained to be solved. Moreover, the difficult preparation of maximally entangled EPR-pairs also brings challenges to quantum repeater networks.

4.1.2 Quantum Repeater Network In 2012, Satoh et al. [6] presented the protocol for quantum repeater networks, in which quantum repeaters were introduced into the butterfly network. Compared with the XQQ protocol, all nodes are quantum repeaters which are capable of sharing and conservation, and adjacent nodes initially share one EPR-pair. With the quantum circuits constructed by Hadamard gate and controlled-NOT (also CNOT) gate, nonunitary operations are applied to qubits between two repeaters to generate EPR-pairs between crossing source nodes and target nodes, remote quantum communication is realized by using quantum entanglement as a channel which can perform quantum teleportation. In the butterfly network of quantum repeaters, the setting is presented in Fig. 4.1. Source nodes s1 and s2 simultaneously send quantum information to target nodes t1 and t2 in the butterfly network. r1 and r2 are two intermediate nodes. Between  any  two adjacent nodes, one EPR-pair is initially shared, such as two EPR-pairs  + AB  and  + C D between s1 -t2 and s1 -r1 , et al. As a result, s1 and t2 (similarly, s2 and t2 ) share one EPR-pair. The quantum network coding scheme for quantum repeaters includes three core parts: Setup, Quantum channel generation, and Quantum information transmission. It is described in the following parts:

4.1 Quantum Network Coding for General Repeater Networks G

C

s1

55

A

s2 E

D

H

r1 I

J

r2 K

M F

B

t2

L

N

t1

Fig. 4.1 Quantum repeater network based on butterfly network

(1) Setup Encoding for quantum repeater network should be on the condition that any two adjacent nodes initially share an EPR-pair. The phase of setup is responsible for distributing EPR-pairs to all the legitimate nodes before encoding for generating quantum entanglement channel. (2) Quantum channel generation To construct a network which can perform teleportation, the sender and the receiver should share an EPR-pair, i.e., use quantum entanglement as a quantum channel. The phase of quantum channel generation is responsible for generating EPR-pairs between source nodes and target nodes by operating the EPR-pairs between any adjacent nodes with LOCC. (3) Quantum information transmission Quantum information transmission is responsible for transmitting quantum information by means of quantum teleportation through quantum entanglement channels. Obviously, in the above quantum repeater communication system, EPR-pairs shared by any two adjacent nodes are distributed firstly before quantum information transmission under the condition that the whole process of quantum channel generation is secure. However, if there exist active attacks during the process of quantum channel generation, the encoding process for quantum channel will not be completed properly. In this case, a trusted party, which can control the distribution of EPR-pairs, is very necessary for quantum repeater network. With the help of the trusted party, the process of quantum channel generation terminates once the active attack is found and EPR-pairs are no longer distributed, so that waste of particle consumption can be avoided.

56

4 Quantum Network Coding Based on Repeater

4.1.3 LOCC (Local Operations and Classical Communication) LOCC [6] are non-unitary operations between two repeaters with Hadamard gate, CNOT gate, Pauli operator, and transformation of measurement result in the {|0 , |1} basis over a classical channel. LOCC consists of Connection, Removal, and other algorithms, which are described as follows: (1) Connection The setting for Connection is shown in Fig. 4.2, in a network with quantum repeaters   + share EPRR R1 , R 2 , and 3 , R1 and R2 share one EPR-pair  AB , R2 and  R  one  3  pair  + C D . Let the input state |init  be a form |init  =  + AB ⊗  + C D . By   A applying Con C−>D , the state becomes  f inal = |G H Z  AB D . The procedure for Connection is listed in Table 4.1. (2) Removal The setting for Removal is shown in Fig. 4.3, in a network with three quantum repeaters R1 , R2 and R3 , which share one Greenberger–Horne–Zeilinger (GHZ) state. Let the input state |init  |init  = |G H Z  ABC . By applying   be a form Rem A−>B , the state becomes  f inal =  + BC . The procedure for Removal is listed in Table 4.2.

Fig. 4.2 The setting for connection

A Table 4.1 Con C−>D

Fig. 4.3 The setting for removal

Step 1. R2 applies C N O T (A,C) Step 2. R2 measures particle C in the {|0 , |1} basis Let a ∈ {0, 1} be the outcome Step 3. R2 sends a to R3 by a classical channel Step 4. If a = 1 then R3 applies σx to D

4.1 Quantum Network Coding for General Repeater Networks Table 4.2 Rem A−>B

57

Step 1. R2 applies the Hadamard gate to A Step 2. R2 measures particle A in the {|0 , |1} basis Let a ∈ {0, 1} be the outcome Step 3. R2 sends a to R1 by a classical channel Step 4. If a = 1 then R1 applies σz to B

(3) Other algorithms Other algorithms are Fanout, Add, Rem Add, etc., which also enable us to manipulate EPR-pairs and encode for the quantum repeater network. It is easy to find that all the above algorithms of LOCC need to measure particles in the {|0 , |1} basis and then transmit the measurement result by classical channels, which are liable to be attacked. To secure the LOCC operations, the transmission of measurement result in the {|0 , |1} basis can be realized by means of quantum information.

4.1.4 Basic Operations LOCC is the key technology for encoding in quantum repeater networks, which is constructed by Control-NOT gate, Hadamard operator and measurements in the {|0, |1} basis, by applying the non-unitary operations to qubits between two repeaters, entangled states can be generated between source nodes and corresponding target nodes, then remote quantum communication is realized by using quantum entanglement as quantum channels which can perform quantum teleportation. LOCC contains two basic algorithms “Connection” and “Removal”, which can manipulate entangled states and systematize the methods of encoding. The two specific algorithms on entangled states are defined as follows: (1) Connection with entangled states In a particle system with two entangled EPR-pairs | AB and |C D , where | AB = x1 |00 + y1 |11, |C D = x2 |00 + y2 |11, and x1 , y1 , x2 , y2 are positive real numbers satisfying x12 + y12 = 1, x22 + y22 = 1. That is, we can obtain |00 AB in a probability of x1 2 , and |11 AB in a probability of y1 2 . Similarly, for |C D , |00C D , |11C D can be obtained in probabilities of x2 2 and y2 2 , respectively. The circuit for A is shown in Fig. 4.4. Con C−>D Let |init  be a state of the form |init = | AB ⊗ |C D = (x1 |00 AB + y1 |11 AB ) ⊗ (x2 |00C D + y2 |11C D ),

58

4 Quantum Network Coding Based on Repeater

A Fig. 4.4 Con C−>D

A

Con C A

D

2

0

x1

1

y1

0

x2

2

1

y2

2

2

B C

a

Xa

D init

final

A then by applying Con C−>D to |init , we can obtain |000 AB D in a probability of 2 2 2 2 2 x1 x2 + x1 y2 = x1 , and |111 AB D in a probability of y1 2 x2 2 + y1 2 y2 2 = y1 2 , so the state becomes

| f inal = x1 |000 AB D + y1 |111 AB D = |G H Z  AB D . Thus, one entangled GHZ state |G H Z  AB D can be obtained. Especially, |G H Z  AB D is maximally entangled when x1 2 = y1 2 = 1/2. (2) Removal with entangled states In an entangled three-particle system with |G H Z  ABC , where |G H Z  ABC = x1 |000 ABC + y1 |111 ABC , and x1 , y1 are positive real numbers satisfying x12 + y12 = 1. That is, we can obtain |000 ABC and |111 ABC in probabilities of x1 2 and y1 2 , respectively. The circuit for Rem A−>B is shown in Fig. 4.5. Let |init  be a state of the form |init = |G H Z  ABC = x1 |000 ABC + y1 |111 ABC , then by applying Rem A−>B to |init , we can obtain |000 BC in a probability of 1/2x1 2 + 1/2x1 2 = x1 2 , and |11 BC in a probability of 1/2y1 2 + 1/2y1 2 = y1 2 , so the state becomes | f inal = x1 |00 BC + y1 |11 BC = | BC . Thus, one entangled EPR-pair | BC can be obtained. Especially, | BC is maximally entangled when x1 2 = y1 2 = 1/2.

4.1 Quantum Network Coding for General Repeater Networks

59

Re m A

Fig. 4.5 Rem A−>B

A

2

0

x1

1

y1

2

H

B

a Xa

B C

init

final

4.1.5 QNC Scheme for General Repeater Networks Inspired by the quantum repeater communication system which can realize longdistance quantum communication [5], a quantum network coding scheme for general repeater networks [7] was designed, which can realize long-distance quantum communication in repeater networks with complex topology. It introduces D3 graph transformation to establish a general transmission network model and uses arbitrary entangled EPR-pairs as a resource to build quantum entanglement channel. The quantum network coding scheme for general repeater networks includes three core parts: Graph transformation, Quantum channel generation, and Quantum information transmission, so this scheme is also called as “GQQ”. It is described in the following part: (1) Graph transformation To ensure the versatility of encoding algorithm, a general transmission model is established by graph transformation, i.e., for a graph with the degree being more than 3, we should firstly transform it into a D3 graph, whereas it is not necessary to transform a graph with degree being no more than 3. And the transformation schemes [3] of one-to-many, many-to-one and many-to-many are shown in Figs. 4.6, 4.7 and 4.8, respectively. (2) Quantum channel generation To construct a network which can perform quantum teleportation, the sender and the receiver should share an EPR-pair, i.e., use quantum entanglement as a quantum channel. The phase of quantum channel generation is responsible for generating EPRpairs between source nodes and target nodes in a D3 graph network by operating the EPR-pairs between any adjacent nodes with LOCC. Although Satoh et al. [6] proposed a protocol to generate quantum channels in the butterfly network, here the algorithms are further provided to generate quantum channels in a D3 graph network

60

4 Quantum Network Coding Based on Repeater

Fig. 4.6 (1, 3) transformation. For a node with one input X and three outputs Y1 , Y2 , Y3 , its (indegree, outdegree) is (1, 3). It can be transformed into a combination of nodes whose degrees are no more than 3 by means of the multilevel structure of a binary tree

Fig. 4.7 (3, 1) transformation. For a node with three inputs X 1 , X 2 , X 3 and one output Y , its (indegree, outdegree) is (3, 1). Compared with the node of (1, 3), it is a single-input and multioutput model, and can also be transformed into a combination of nodes whose degrees are no more than 3 by means of the multilevel structure of a binary tree

X1

Y1

X2

X3

Y2

X1

X2

Y1

X3

Y2

Fig. 4.8 (3, 2) transformation. For a node with three inputs X 1 , X 2 , X 3 and two outputs Y1 , Y2 , it is a multi-input and multi-output model whose (indegree, outdegree) is (3, 2). Assume that node operation is simple X O R without any superposition coefficient, the many-to-many node can be transformed into a combination of one-to-many nodes and many-to-one nodes

4.1 Quantum Network Coding for General Repeater Networks

61

1

C

A

A1

A2

B

B1

B1

1

E1

E F1 F G

D

H

1

2

I

J

2

3

Fig. 4.9 One-to-many network (Solid line denotes one-way connection between any two adjacent nodes, and dotted line denotes quantum entanglement channel)

which is transformed from a general graph with degree being more than 3. According to the network types of one-to-many, many-to-one, and many-to-many, the quantum channel generation schemes are described, respectively, as follows: (1) One-to-many network In a one-to-many network with quantum repeaters, the setting for this scheme is presented in Fig. 4.9. Between any two adjacent nodes, EPR-pairs are initially shared. The goal of this work is to simultaneously send quantum information between three pairs of quantum repeaters ((s1 , t1 ), (s1 , t2 ), and (s1 , t3 )). r1 and r2 are two intermediate nodes. To generate EPR-pairs between one source node and three target nodes, additional EPR-pairs should be needed, such as | A1 B1 , | A2 B2 between s1 -r1 , | E1 F1 between r1 -r2 . And all the EPR-pairs have coefficients xi and yi for |00 and |11 basis in turn, where 1 ≤ i ≤ 8, such as | AB is denoted as | AB = x1 |00 AB + y1 |11 AB , | A1 B1 = x2 |00 A1 B1 + y2 |11 A1 B1 , . . ., | I J = x8 |00 I J + y8 |11 I J . Let the input state of the one-to-many network |init  be a state of the form as follows: |init  = | AB | A1 B1 | A2 B2 |C D | E F | E1 F1 |G H | I J , and the algorithm of quantum channel generation is described as follows: A1 A , Con E−>F and Con EA12 −> F1 to |init , the state Step 1: By applying Con C−>D becomes

62

4 Quantum Network Coding Based on Repeater

|1  = |G H Z  AB D |G H Z  A1 B1 F |G H Z  A2 B2 F1 |G H | I J , where |G H Z  AB D = x1 |000 AB D + y1 |111 AB D , |G H Z  A1 B1 F = x2 |000 A1 B1 F + y2 |111 A1 B1 F , |G H Z  A2 B2 F1 = x3 |000 A2 B2 F1 + y3 |111 A2 B2 F1 . Step 2: By applying Rem B−>A , Rem B1 −> A1 and Rem B2 −> A2 to |1 , the state becomes |2  = | AD | A1 F | A2 F1 |G H | I J , where | AD = x1 |00 AD + y1 |11 AD , | A1 F = x2 |00 A1 F + y2 |11 A1 F , | A2 F1 = x3 |00 A2 F1 + y3 |11 A2 F1 . A1 2 , Con IA−>J to |2 , the state becomes Step 3: By applying Con G−>H |3  = | AD |G H Z  A1 F H |G H Z  A2 F1 J , where |G H Z  A1 F H = x2 |000 A1 F H + y2 |111 A1 F H , |G H Z  A2 F1 J = x3 |000 A2 F1 J + y3 |111 A2 F1 J . Step 4: By applying Rem F−>H , Rem F1 −>J to |3 , the state becomes   |4  = | AD ⊗ | A1 H ⊗ | A2 J =  f inal , where | A1 H = x2 |00 A1 H + y2 |11 A1 H , | A2 J = x3 |00 A2 J + y3 |11 A2 J . As a result, three EPR-pairs are obtained. The first one is owned by (s1 , t1 ), the second one is owned by (s1 , t2 ), and the third one is owned by (s1 , t3 ). That means that quantum channel is generated with quantum entanglement and then is able to perform quantum teleportation. The corresponding procedure is shown in Table 4.3. (2) Many-to-one network In a many-to-one network with quantum repeaters, the setting for this scheme is presented in Fig. 4.10. r1 and r2 are two intermediate nodes. In comparison with oneto-many network, additional EPR-pairs are needed between r1 -r2 , r2 -t1 to generate EPR-pairs between three source nodes and one target node. Similarly, all the EPRpairs have coefficients xi and yi for |00 and |11 basis in turn, where 1 ≤ i ≤ 8. Let the input state of the many-to-one network |init  be a state of the form as follows: Table 4.3 Encoding for a one-to-many network

A Step 1. r1 and t1 apply Con C−>D , A1 r1 and r2 apply Con E−>F and Con EA12 −>F1

Step 2. s1 and r1 apply Rem B−>A , Rem B1 −> A1 and Rem B2 −> A2 A1 Step 3. r2 and t2 apply Con G−>H , A2 r2 and t3 apply Con I −>J Step 4. r2 and t2 apply Rem F−>H , r2 and t3 apply Rem F1 −>J

4.1 Quantum Network Coding for General Repeater Networks

1

2

3

G

C

A

B

1

63

D E1

E F1 F

H

2

I

I1

I2

J

J1

J2

1

Fig. 4.10 Many-to-one network

|init  = | AB |C D | E F | E1 F1 |G H | I J | I1 J1 | I2 J2 , and the algorithm of quantum channel generation is described as follows: A , Con CE1 −> F1 and Con GI2 −> J2 to |init , the state Step 1: By applying Con E−>F becomes |1  = |G H Z  AB F |G H Z C D F 1 |G H Z G H J 2 | I J | I1 J1 , where |G H Z  AB F = x1 |000 AB F + y1 |111 AB F , |G H Z C D F1 = x2 |000C D F1 + y2 |111C D F1 , |G H Z G H J2 = x5 |000G H J2 + y5 |111G H J2 . Step 2: By applying Rem B−>A , Rem D−>C , and Rem H −>G to |1 , the state becomes |2  = | AF |C F 1 |G J 2 | I J | I1 J1 , where | AF = x1 |00 AF + y1 |11 AF , |C F1 = x2 |00C F1 + y2 |11C F1 , |G J2 = x5 |00G J2 + y5 |11G J2 . Step 3: By applying Con IA−>J , Con CI1 −> J1 to |2 , the state becomes |3  = |G H Z  AF J |G H Z C F 1 J1 |G J 2 , where |G H Z  AF J = x1 |000 AF J + y1 |111 AF J , |G H Z C F1 J1 = x2 |000C F1 J1 + y2 |111C F1 J1 .

64

4 Quantum Network Coding Based on Repeater

Table 4.4 Encoding for a many-to-one network

A Step 1. r1 and r2 apply Con E−>F and Con CE 1 −>F1 , G r2 and t1 apply Con I1 −>J1

Step 2. s1 and r1 apply Rem B−>A , s2 and r1 apply Rem D−>C , s3 and r2 apply Rem H −>G Step 3. r2 and t1 apply Con IA−>J and Con CI1 −>J1 Step 4. r2 and t1 apply Rem F−>J , Rem F1 −>J1

Step 4: By applying Rem F−>J , Rem F1 −>J1 to |3 , the state becomes   |4  = | A J ⊗ |C J 1 ⊗ |G J 2 =  f inal , where | A J = x1 |00 A J + y1 |11 A J , |C J1 = x2 |00C J1 + y2 |11C J1 . Similarly, three EPR-pairs owned by (s1 , t1 ), (s2 , t1 ), and (s3 , t1 ) are obtained, thus quantum channel is generated in the many-to-one network. The corresponding procedure is shown in Table 4.4. (3) Many-to-many network In a many-to-many network with quantum repeaters, the setting for this scheme is presented in Fig. 4.11. Note that here we adopt a network with three inputs and two outputs, which has more generality than the above two types of network. Source nodes s1 and s2 communicate with target node t1 , r1 , r2 , and r3 are three intermediate nodes, so additional EPR-pairs are needed between r1 -r2 , r2 -r3 and r3 -t1 . Similarly, all the EPR-pairs have coefficients xi and yi for |00 and |11 basis in turn, where 1 ≤ i ≤ 11. Let the input state of the many-to-many network |init  be a state of the form as follows: |init  = | AB |C D | E F | E1 F1 |G H | I J   | M N , ⊗ | |  + | I1 J1

I2 J2

KL

K1 L 1

and the algorithm of quantum channel generation is described as follows: A , Con CE1 −> F1 , and Con GI2 −> J2 to |init , the state Step 1: By applying Con E−>F becomes |1  = |G H Z  AB F |G H Z C D F 1 |G H Z G H J 2 | I J | I1 J1 | K L | K 1 L 1 | M N , where |G H Z  AB F = x1 |000 AB F + y1 |111 AB F , |G H Z C D F1 = x2 |000C D F1 + y2 |111C D F1 , |G H Z G H J2 = x5 |000G H J2 + y5 |111G H J2 . Step 2: By applying Rem B−>A , Rem D−>C , and Rem H −>G to |1 , the state becomes |2  = | AF |C F 1 |G J 2 | I J | I1 J1 | K L | K 1 L 1 | M N ,

4.1 Quantum Network Coding for General Repeater Networks

65

2

1

3

G

C

A

B

1

D E1

E F1 F

K

H

2

I

I1

I2

J

J1

J2

3

M

K1 L

N L1 1

2

Fig. 4.11 Many-to-many network

where | AF = x1 |00 AF + y1 |11 AF , |C F1 = x2 |00C F1 + y2 |11C F1 , |G J2 = x5 |00G J2 + y5 |11G J2 . Step 3: By applying Con IA−>J , Con CI1 −> J1 to |2 , the state becomes |3  = |G H Z  AF J |G H Z C F 1 J1 |G J 2 | K L | K 1 L 1 | M N , where |G H Z  AF J = x1 |000 AF J + y1 |111 AF J , |G H Z C F1 J1 = x2 |000C F1 J1 + y2 |111C F1 J1 . Step 4: By applying Rem F−>A , Rem F1 −>C to |3 , the state becomes |4  = | A J |C J 1 |G J 2 | K L | K 1 L 1 | M N , where | A J = x1 |00 A J + y1 |11 A J , |C J1 = x2 |00C J1 + y2 |11C J1 . Step 5: By applying Con KA −>L , Con CK 1 −> L 1 and Con GM−>N to |4 , the state becomes |5  = |G H Z  A J L ⊗ |G H Z C J 1 L 1 ⊗ |G H Z G J 2 N ,

66

4 Quantum Network Coding Based on Repeater

Table 4.5 Encoding for a many-to-many network

A Step 1. r1 and r2 apply Con E−>F and Con CE 1 −>F1 , G r2 and r3 apply Con I2 −>J2

Step 2. s1 and r1 apply Rem B−>A , s2 and r1 apply Rem D−>C , s3 and r2 apply Rem H −>G Step 3. r2 and r3 apply Con IA−>J and Con CI1 −>J1 Step 4. r2 and r3 apply Rem F−>J , Rem F1 −>J1 Step 5. r3 and t1 apply Con KA −>L and Con CK 1 −>L 1 , r3 and t2 apply Con G M−>N Step 6. r3 and t1 apply Rem J −>L , Rem J2 −>N , s3 and t2 apply Rem H −>G

where |G H Z  A J L = x1 |000 A J L + y1 |111 A J L , |G H Z C J1 L 1 = x2 |000C J1 L 1 + y2 |111C J1 L 1 , |G H Z G J2 N = x5 |000G J2 N + y5 |111G J2 N . Step 6: By applying Rem J −>A , Rem J1 −>C , and Rem J2 −>G to |5 , the state becomes   |6  = | AL ⊗ |C L 1 ⊗ |G N =  f inal , where | AL = x1 |00 AL + y1 |11 AL , |C L 1 = x2 |00C L 1 + y2 |11C L 1 , |G N = x5 |00G N + y5 |11G N . Thus, the expected EPR-pairs are obtained, so quantum channel is also generated in the many-to-many network. The corresponding procedure is shown in Table 4.5. In summary, we can see that additional EPR-pairs are essential in the networks for the quantum channel generation schemes according to different network conditions. The key is to firstly define the two sides of communication session, then add EPR-pairs to ensure that EPR-pairs can be generated between source nodes and corresponding target nodes. After the generation of quantum channel, we can then transmit quantum information. (3) Quantum information transmission In this scheme, quantum information is transmitted by means of quantum teleportation. Inspired by teleportation scheme of an unknown bipartite state [8], the quantum information transmission protocol is given. Without loss of generality, here we take many-to-many network as an example. Assume s1 wants to transmit single quantum state |ϕ1  to t1 , |ϕ1  is a state of the form |ϕ1  = α|01 + β|11 , where α and β are positive real number satisfying α 2 + β 2 = 1. The whole state is |ψ = | AL |ϕ1  = (x1 |00 + y1 |11) AL (α |0 + β |1)1 = x1 α|000 AL1 + x1 β|001 AL1 + y1 α|110 AL1 + y1 β|111 AL1 = x1 α|000 A1L + x1 β|010 A1L + y1 α|101 A1L + y1 β|111 A1L 1 1 = √ | +  A1 (x1 α|0 L + y1 β|1 L ) + √ | −  A1 (x1 α|0 L − y1 β|1 L ) 2 2

4.1 Quantum Network Coding for General Repeater Networks

67

1 1 + √ |+  A1 (x1 β|0 L + y1 α|1 L ) + √ |−  A1 (x1 β|0 L − y1 α|1 L ), 2 2 where | ±  A1 = √12 (|00 A1 ± |11 A1 ), |±  A1 = √12 (|01 A1 ± |10 A1 ). The algorithm of quantum state transmission is described as follows: Step 1: s1 measures particles A, 1 in a Bell basis, and the state of whole system will collapse into one of the following four states: 1 √ (x1 α|0 L 2 1 √ (x1 α|0 L 2 1 √ (x1 β|0 L 2 1 √ (x1 β|0 L 2

+ y1 β|1 L ), − y1 β|1 L ), + y1 α|1 L ), − y1 α|1 L ),

s1 turns Bell measurement results {| + , | − , |+ , |− } into corresponding classical bits {00, 01, 10, 11}, and notifies r1 the outcome of its measurement via a classical channel. Assume that the measurement result of particles A, 1 is 10, then the state of particle L is x1 β|0 L + y1 α|1 L . Step 2: r1 introduces an auxiliary two-state particle 2 with the initial state |02 and applies a unitary transformation U to particles L, 2 in the {|00 L2 , |01 L2 , |10 L2 , |11 L2 } basis, U is denoted as follows: ⎡  ⎤ y1 /x1 − 1 − y12 /x12 0 0 ⎢ ⎥ ⎢ ⎥ 2 2 ⎢ ⎥ /x y /x 0 0 1 − y 1 1 U =⎢ 1 1 ⎥ ⎣ 0 0 1 0⎦ 0 0 01 the state becomes  y1 (α|0 L + β|1 L ) ⊗ |02 + x1 β 1 − y12 /x12 |0 L ⊗ |12 . Step 3: r1 measures particle 2 in the {|0, |1} basis. If the measurement result is |12 , the teleportation fails. If the measurement result is |02 , the teleportation succeeds. The state will collapse into y1 (α|0 L + β|1 L ), i.e., s1 can transform an unknown qubit to r1 , we can realize quantum communication with quantum channel built by quantum entanglement in a D3 graph network.

68

4 Quantum Network Coding Based on Repeater

4.1.6 Property of QNC Scheme Quantum network coding scheme for general repeater networks can achieve quantum communication in a network with complex topology. Since it combines the generality of general graphs and the capacity of quantum repeaters, two properties can be obtained as follows: (1) From the viewpoint of network model, general graphs have more generalities than the butterfly network which is a special D3 graph, which are more widely used in practical applications. To realize quantum communication in any general network, the scheme adopts the technique of graph transformation, i.e., realize encoding for quantum entanglement channel by means of transforming a Dk (k > 3) graph to a D3 graph. Proposition 1 Graph transformation can realize encoding for quantum entanglement channel. Proof We compare the expected results of the three transformation schemes with the actual results. (a) One-to-many scheme As can be seen from Fig. 4.6, the expected result of communication is Y1 = Y2 = Y3 = X , i.e., receivers Y1 , Y2 , Y3 can receive information from sender X. In Fig. 4.9, we take the state |  AB ⊗ | C D as example, after encoding at interA and Rem B−>A , it becomes | AD . Simimediate node r1 by applying Con C−>D larly, the other EPR-pairs are encoded at intermediate nodes r1 and r2 . Thus after the quantum channel generation process, the actual result is that three EPR-pairs are generated, | AD is owned by (s1 , t1 ), |  A1 H is owned by (s1 , t2 ), and |  A2 J is owned by (s1 , t3 ), which means quantum channel between the source node s1 and the three target nodes t1 , t2 , t3 are generated to realize quantum communication. (b) Many-to-one scheme As can be seen from Fig. 4.7, the expected result of communication is Y = X 1 + X 2 + X 3 , i.e., receiver Y can receive information from senders X 1 , X 2 , X 3 . In Fig. 4.10, the two EPR-pairs |  AB ⊗ |  E F are converted to one EPR-pair | AF after encoding at intermediate node r1 . For the whole scheme, the actual result is that three EPR-pairs are generated, | AL is owned by (s1 , t1 ), | C J 1 is owned by (s2 , t1 ), and | G J 2 is owned by (s3 , t1 ), which means quantum channel between three source nodes s1 , s2 , s3 and the target node t1 are generated to realize quantum communication. (c) Many-to-many scheme As can be seen from Fig. 4.8, the expected result of communication is Y1 + Y2 = X 1 + X 2 + X 3 , i.e., receivers Y1 , Y2 can receive information from senders X 1 , X 2 , X 3. Here, X 1 , X 2 communicate with Y1 , X 3 communicates with Y2 . After encoding at intermediates r1 , r2 , r3 , the actual result is that three EPR-pairs are generated, | A J is owned by (s1 , t1 ), |C L 1 is owned by (s2 , t1 ), and |G N is owned by (s3 , t2 ),

4.1 Quantum Network Coding for General Repeater Networks

69

which means quantum channel between three source nodes s1 , s2 , s3 and two target node t1 , t2 are generated to realize quantum communication. All the above completes the proof. (2) From the viewpoint of transmission distance, Yan et al. [4] analyzed the feasibility of quantum repeaters that communication distance of quantum communication system is positively related to the series of repeater nodes. With the increasing complexity of a general network, the types of nodes also increase, such as the nodes with degrees being 4 or larger. The transformation of nodes will add the depth of graphs, and increase the series of repeater nodes, hence the communication distance of quantum communication system also increases. Thus we can get Proposition 2. Definition 1 For a general graph G = (V, E), where V is a set of all nodes and E is a set of all links, the complexity of a graph O(G) represents the number level of V and E. Proposition 2 The communication distance of quantum communication system is positively related to the complexity of general graphs. Proof Assume that there exists a general graph Dk , k ∈ N ∗ . When 1 ≤ k ≤ 3, the Dk graph can be encoded directly without graph transformation, the number of repeater nodes doesn’t change, and neither does communication distance. When k > 3, for a general graph with only a k-degree node, we can conclude from the three graph transformation schemes as follows: k = 4, the repeater series of the original graph is 3, and the repeater series increases by 1 after graph transformation. k = 5, compared with the original graph, the repeater series increases by 2 after graph transformation. k = m(m > 5), it can be inferred that compared with the original graph, the repeater series increases by (m − 3) after graph transformation. Thus, for a general graph which contains not only k-degree nodes but also nodes with smaller degrees, after the transformation into a D3 graph, let the increased series of intermediate repeater nodes be a variable , we can infer that must satisfy the following condition: k  Ni (i − 3), (k − 3) ≤ ≤ i=4

where Ni is the number of i-degree nodes contained by the general graph Dk . That means with the diversification of general networks, the complexity of a graph increases, repeater series increase after graph transformation, so does communication distance. This completes the proof.

70

4 Quantum Network Coding Based on Repeater

4.1.7 Performance Analysis This scheme will be analyzed from the aspects of success probability of teleportation, particle consumption, transmission rate, transmission distance, etc. (1) Success probability of teleportation Theorem 1 Suppose that |st = a|00st + b|11st (a, b ∈ R+, a 2 + b2 = 1 and a ≥ b) is the quantum entanglement channel generated by this scheme in a network with complex topology, and an unknown qubit |φm = x|0m + y|1m (x, y ∈ R+, x 2 + y 2 = 1) is transmitted via quantum entanglement channel. Then the success probability of teleportation via the quantum entanglement channel is 2b2 . Proof By teleporting the unknown qubit |φm via the quantum entanglement channel, √ 2 |φm can be obtained in a probability of (b/ 2) when introducing another auxiliary for any state of the four collapsed states, so the probability of successful teleportation p is √ 2 p = (b/ 2) × 4 = 2b2 √ If a = b = 1/ 2, |st works as a maximally entangled quantum channel, over which the successful probability of teleportation is strictly 1. Hence we can easily obtain Theorem 1. (2) Particle consumption Theorem 2 Let O(G) be the complexity of a general graph G. Suppose that E(G) is EPR particles consumed to encode for G, then E (G)O (G) ≥ 0, where E (G) and O (G) are differential coefficients of E(G) and O(G), respectively. Proof Assume that a Dk (k ∈ N ∗ ) graph G is given, and Ni (i ∈ N ∗ , 1 ≤ i ≤ k) is the number of i-degree nodes. For any i-degree (i > 3) nodes, we decompose them into (i − 2) 3-degree nodes. the total number of nodes k Then after the transformation, k k Ni + i=4 Ni (i − 3), where i=4 Ni (i − 3) is positive related to is Nsum = i=1 the complexity O(G). In this scheme, EPR-pairs should be initially shared between adjacent nodes only, so EPR particles consumed E(G) depend on Nsum . Apparently, as the complexity O(G) increases, node number increases and consequently EPR particle consumption E(G) increases, similarly, same change rule works when O(G) decreases, i.e., E(G) keeps the same change trend with O(G). This completes the proof. (3) Transmission rate Theorem 3 Let N S be the number of source nodes in a general graph G. Suppose that r b is the transmission rate between adjacent nodes and r bn is the transmission rate of this scheme, then r bn = N S × r b.

4.1 Quantum Network Coding for General Repeater Networks

71

Proof This scheme uses quantum entanglement as quantum channel, quantum information is transmitted between source nodes and target nodes directly by quantum teleportation which breaks through the limit of channel capacity. For example, we can analyze the transmission rate for the many-to-many network with N S = 3 source nodes. Clearly, if quantum information is transformed through non-entanglement quantum channel, to ensure target nodes t1 and t2 can decode, only one qubit is allowed to transmit at one time in a transmission rate of r b, so we should transmit three times to realize quantum communication in the many-to-many network. With quantum entanglement channel which is constructed by EPR-pairs, three qubits can be transmitted by quantum teleportation simultaneously, i.e., the transmission rate of this scheme is 3 × r b. The same conclusion can be easily drawn for one-to-many and many-to-one networks. Without loss of generality, for any network G with N S inputs, quantum entanglement channels can be generated between source nodes and corresponding target nodes, that means N S qubits can be transmitted by quantum teleportation simultaneously, the maximal transmission rate r bn is determined by N S . Hence we can obtain Theorem 3. (4) Transmission distance Theorem 4 Let R(G) be the actual repeater series participating in encoding after D3 graph transformation of a general graph G, and L be the transmission distance of this scheme, then the maximal transmission distance L max = 125 × R(G) + 125 (km). Proof Yan et al. [4] quantitatively analyzed the performance of quantum repeaters by giving the relationship curve between transmission distance and repeater series in the case of an ideal passivation, i.e., transmission distance L is positively related with repeater series R(G). Considering the distribution of actual network nodes, we can get the corresponding functional expression as follows: L max = 125 × R(G) + 125 (km).

4.1.8 Discussion According to the above analysis, we can conclude that this scheme can achieve remote quantum communication in a network with complex topology, at the expense of increase of particle consumption which is related to network complexity as described in Table 4.4. Compared with the XQQ protocol, this scheme weakens the claim to quantum channel, break through the limit of channel capacity, and makes a significant improvement in transmission rate. Moreover, according to the results of quantum channel generation, we can conclude that the entanglement degree of EPR-pairs between source nodes and corresponding target nodes only depends on that of EPRpairs initially distributed between source nodes and corresponding adjacent nodes.

72

4 Quantum Network Coding Based on Repeater

That is, as long as source nodes and the adjacent nodes are distributed maximally entangled EPR-pairs, regardless of the entanglement degree of EPR-pairs between the rest nodes, the scheme can also generate maximally entangled quantum channel and achieve high-reliability quantum communication with the fidelity of 1. If the consumed EPR pairs are all non-maximally entangled, the generated quantum channel will be of less entanglement, and success probability of teleportation will be lower accordingly. We have taken teleportation of a single unknown qubit over the quantum entanglement channel as an example, and actually the quantum entanglement channel can also teleport an unknown bipartite state. Apparently, there remains a lot of future works for communication capacity which is limited by the storage and operation performance of quantum repeaters.

4.2 Secure Quantum Network Coding for Controlled Repeater Networks 4.2.1 Consumption and Security of Quantum Repeater Networks In quantum repeater networks, quantum communication system consumes EPR-pairs as resources, which are hard to prepare and should be initially shared by legitimated nodes. Although the existing schemes can achieve high-reliability and high-rate quantum information transmission, the optimization of resource consumption is remained to be solved. Meanwhile, the rapid development of quantum repeater networks has also exposed some security issues. Security attacks can be usually divided into passive attacks and active attack. Although passive attacks such as eavesdropping can generally be detected in quantum communication, it is possible for a quantum repeater to be confronted with active attacks such as intercept-resend attack, impersonation attack, and relay attack. Figure 4.12 shows an example of intercept-resend attack in a quantum repeater network. As a typical active attack, it may occur during the process of encoding for quantum entanglement channel. In this section, considering the resource consumption and security of quantum repeater networks, a quantum network coding scheme with an EPR-pair distribution controller was proposed, which can realize long-distance quantum communication with minimal resource consumption [9].

4.2.2 Quantum One-Time Pad To realize secure point-to-point quantum communication, several approaches have been proposed, such as QSDC (quantum secure direct communication), quantum one-time pad [10], et al. Among these approaches, quantum one-time pad, which

4.2 Secure Quantum Network Coding for Controlled Repeater Networks

73

  Fig. 4.12 Intercept-resend attack in a quantum repeater network.  + AB is an EPR-pair shared by quantum repeaters R1 and R2 . Sender R1 measures particle A and sends the measurement result M1 to receiver R2 . Attacker intercepts M1 and sends another information M2 to R2

can realize optimal encryption of quantum bits, can be adopted to detect the realtime performance of quantum communication. It allows a user to encrypt its quantum bits using secret and random classical bits. The procedure of quantum one-time pad is described as follows: l Let a quantum message be the form |M = ⊗ | Mi , where | Mi  = αi |0 + i=1

βi |1, αi and βi are complex number satisfying |αi |2 + |βi |2 = 1, and l is the length of a quantum message. Sender and receiver share 2l random secret bits K = ( K 1 · · · K l K l+1 · · · K 2l ), satisfying K i ∈ {0, 1}, where K i is the ith bit of K . The encryption E K on |M for quantum one-time pad can be described as follows: l

l

i=1

i=1

|C = E K (|M) = ⊗ σx K 2i−1 σz K 2i |Mi  = ⊗ |Ci  , where σx and σz are Pauli operators, |Ci  is the ith qubit of |C. The corresponding decryption is l

D K (|C) = ⊗ σz K 2i σx K 2i−1 |Ci  . i=1

4.2.3 Network Model Figure 4.13 shows a network model with one controller and n quantum repeaters, where n is a positive integer, and n ≥ 3. The controller works as a trusted party which can control the distribution of EPR-pairs. So we call such network to be controlled repeater network. To transmit quantum information from source node R1 to target node Rn , we should generate quantum entanglement channel between R1 and Rn , here R2 , . . . , Rn−1 are intermediate nodes. For each node Ri (i ≤ n), we establish an identity I D i , which is only known to all legitimate nodes and the controller. Particularly, the identities are quantum bits. In this scheme, the controller controls the EPR-pair distribution by judging the

74

4 Quantum Network Coding Based on Repeater

Controller

Quantum channel A

R1

Rn

B

R3

R2

ID1

ID2

C

D

IDn

ID3

Fig. 4.13 Quantum repeater network with a controller

information received from the legitimate nodes. As a result, during encoding for quantum entanglement channel, particle consumption can be avoided being wasted in the presence of active attacks. The key operations of controlled repeater networks can be described as follows: (1) Node-to-node Communication. To extend quantum entanglement in the repeater network, any two adjacent nodes should operate on the distributed EPRpairs and transmit the corresponding {|0 , |1} measurement result. (2) Security Confirmation. Every receiver of node-to-node communication should judge the legitimacy and instantaneity of {|0 , |1} measurement result, then send corresponding message to the controller. (3) EPR-pair Distribution. By judging the message from any node of the repeater network, the controller determines whether the system distributes EPR-pairs or not. As a result, one EPR-pair between R1 and Rn is obtained, which means quantum entanglement channel is generated and then is able to perform quantum teleportation.

4.2.4 Basic Operations To realize node-to-node communication and secure confirmation between two specific legitimate nodes in controlled repeater networks, we introduce a new approach to transmitting measurement result in the {|0 , |1} basis, which is based on quantum one-time pad and used to improve the security problem of LOCC. In this approach, we give each node an identity for authentication. As shown in Fig. 4.14, in a network with quantum repeaters R1 , R2 , both repeaters have quantum identities I D 1 , I D 2 , which are known to each other, where I D i = id i1 id i2 · · · id li ∈ {|0, |1}l . Let M1

4.2 Secure Quantum Network Coding for Controlled Repeater Networks

75

measure in the { 0 , 1 } basis B

A

2

1

ID1

ID2

M1

Quantum channel

Encryption

Ek(M1 ID1)

Fig. 4.14 Quantum transmission for measurement result in the {|0 , |1} basis Table 4.6 LOQC Algorithms Items LOCC LOQC

Con QCon

Rem QRem

Fanout QFanout

Add QAdd

RemAdd QRemAdd

be the measurement result of particle A in the {|0 , |1} basis. The procedure for transmitting M1 to R2 is described as follows: Step 1: Key establishment. R1 , R2 agree the way to generate a 2(l + 1) bit random key K . Step 2: Particle measurement and state transition. R1 measures particle A in the {|0 , |1} basis, let {0, 1} be the outcome. Then it transforms the measurement result into quantum message M1 according to the rules 0 → |0, 1 → |1. Step 3: Encryption and transmission. R1 applies quantum one-time pad encryption E K on ( M1 , I D 1 ), and transmits quantum message E K ( M1 , I D 1 ) to R2 over the quantum channel. Step 4: Decryption and Pauli operation. R2 decrypts the received quantum message E K ( M1 , I D 1 ) and gains ( M1 , I D 1 ). With I D 1 , R2 can confirm that M1 is a real-time message from R1 . Then it can apply the corresponding Pauli operator to particle B. As we can see, the improved LOCC focus on transmitting measurement result in the {|0 , |1} basis by means of quantum information, so we rename the improved LOCC as LOQC, namely Local Operations and Quantum Communication. LOQC allow legitimate nodes to identify the source of received information and judge the freshness of received information in the presence of active attacks. Therefore, we can denote the algorithms of LOQC by renaming the algorithms of LOCC according to the rule of Table 4.6.

76

4 Quantum Network Coding Based on Repeater

4.2.5 QNC Scheme for Controlled Repeater Networks Inspired by the idea of quantum network coding scheme based on controlled teleportation [11], QNC can control the decoding process of two receivers on the butterfly network simultaneously by introducing a controller. By introducing the role of a controller as a trusted party to control the distribution of EPR-pairs for quantum repeater networks, a secure quantum network coding scheme for controlled repeater networks was proposed [9] and its objective is to reduce particle consumption during the encoding process in the presence of active attacks. Moreover, during the process of quantum channel generation, to verify secure communication between any two legitimate nodes, including the controller, we establish an identity for each legitimate node, with which communication party can be authenticated. In the butterfly network of quantum repeaters, the setting for this scheme is presented in Fig. 4.15. Source nodes s1 and s2 simultaneously send quantum information to target nodes t1 and t2 in the butterfly network by quantum entanglement channel. r1 and r2 are two intermediate nodes. The identity of any node is represented as I D x (x is the name of a node), e.g., I Ds 1 denotes the identity of source node s1 . Secure encoding (SE). For convenience, we define the secure encoding operation of repeaters rm , rn with a controller. Let |be  be the state before encoding, AlgoN be the algorithm name, and |a f  be the state after encoding. rm , rn apply AlgoN on |be , rn marks its state with qubit by judging the security of node-to-node communication, if rn receives a real-time message from rm , the state becomes |a f . Then rn marks its state Sym i as qubit |1, otherwise marks Sym i as |0. rn applies quantum one-time pad encryption on (Sym i , I Dr n ) and transmits E K (Sym i , I Dr n ) to the controller. The controller decrypts the received message. If the controller can obtain |1 from rn , it means that no attack happens, continue to next step, otherwise return to the beginning. Note that the function is used in the form of S E(AlgoN , Sym i , I Dr n ). The secure quantum network coding scheme for butterfly network can be described as follows:     Step 1: Distribute two EPR-pairs  + AB and  + C D to s1 − t2 and s1 − r1 , respectively. Let the input state |init  be a form as follows:     |init  =  + AB ⊗  + C D , A , Sym 1 , I Dr 1 ) on |1 , the state becomes s1 , r2 apply S E(QCon C−>D

|1  = |G H Z  AB D .     Step 2: Distribute two EPR-pairs  + E F and  + G H to s2 − t1 and s2 − r1 , respectively, the state becomes     |2  = |G H Z  AB D ⊗  + E F ⊗  + G H ,

4.2 Secure Quantum Network Coding for Controlled Repeater Networks

Quantum channel

77

Controller

IDs2

IDs1

1 10 A

11

1

C

2

IDr1 10

D

1

2

11

9

1

3

2

9 7

2 8 IDr2

B

4

7

2 6

5 8 IDt1

IDt2

1 6

Fig. 4.15 Butterfly network of quantum repeaters

E s2 , r1 apply S E(QCon G−>H , Sym 2 , I Dr 1 ) on |2 , the state becomes

|3  = |G H Z  AB D |G H Z  E F H .   Step 3: Distribute  + I J to r1 − r2 , the state becomes   |4  = |G H Z  AB D |G H Z  E F H ⊗  + I J , r1 , r2 apply S E(Q Add ID,H −>J , Sym 3 , I Dr 2 ) on |4 , the state becomes 1 (|000000 + |111111) AB D E F H |0 J 2 1 + (|000111 + |111000) AB D E F H |1 J . 2

|5  =

78

4 Quantum Network Coding Based on Repeater

  Step 4: Distribute  + K L to r2 − t2 , the state becomes   1 (|000000 + |111111) AB D E F H |0 J ⊗  + K L 2   1 + (|000111 + |111000) AB D E F H |1 J ⊗  + K L , 2

|6  =

r2 , t2 apply S E(QCon KJ −>L , Sym 4 , I Dt 2 ) on |6 , the state becomes 1 (|000000 + |111111) AB D E F H |00 J L 2 1 + (|000111 + |111000) AB D E F H |11 J L , 2   Step 5: Distribute  + M N to r2 − t1 , the state becomes |7  =

  1 (|000000 + |111111) AB D E F H |00 J L ⊗  + M N 2   1 + (|000111 + |111000) AB D E F H |11 J L ⊗  + M N , 2

|8  =

J , Sym 5 , I Dt 1 ) on |8 , the state becomes r2 , t1 apply S E(QCon M−>N

1 (|000000 + |111111) AB D E F H |000 J L N 2 1 + (|000111 + |111000) AB D E F H |111 J L N . 2

|9  =

Step 6: t1 applies C N O T (N ,F) , t2 applies C N O T (L ,B) , the state becomes 1 (|000000 + |111111) AB D E F H |000 J L N 2 1 + (|010101 + |101010) AB D E F H |111 J L N . 2

|10  =

Step 7: t2 , r2 apply S E(Q Rem L−>J , Sym 6 , I Dr 2 ) on |10 , the state becomes 1 (|000000 + |111111) AB D E F H |00 J N 2 1 + (|010101 + |101010) AB D E F H |11 J N . 2

|11  =

4.2 Secure Quantum Network Coding for Controlled Repeater Networks

79

Step 8: t1 , r2 apply S E(Q Rem N −>J , Sym 7 , I Dr 2 ) on |11 , the state becomes 1 (|000000 + |111111) AB D E F H |0 J 2 1 + (|010101 + |101010) AB D E F H |1 J . 2

|12  =

Step 9: r2 , r1 apply S E(Q Rem Add J −>D,H , Sym 8 , I Dr 1 ) on |12 , the state becomes 1 (|000000 + |111111) AB D E F H 2 1 + (|010101 + |101010) AB D E F H . 2

|13  =

Step 10: r1 , s1 apply S E(Q Rem D−>A , Sym 9 , I Ds 1 ) on |13 , the state becomes |14  =

1 (|00000 + |11111 + |01101 + |10010) AB E F H . 2

Step 11: r1 , s2 apply Q Rem H −>E , if s2 receives real-time message from r1 , the state becomes 1 (|0000 + |1111 + |0110 + |1001) AB E F 2  +     =  AF ⊗  + B E =  f inal .

|15  =

    As a result, two EPR-pairs are obtained,  + AF between s1 − t1 , and  + B E between s2 − t2 , which means quantum entanglement channel between source and target is generated and then is able to perform quantum teleportation.

4.2.6 Performance Analysis Theorem 5 The particle consumption for a controlled repeater network E q is positive to the total number of network nodes Nsum . Proof Suppose that a controlled repeater network has Nsum nodes, if no active attack happens during the encoding process, the minimum number of communications between adjacent nodes is (Nsum − 1), so is the number of communication between network nodes and the controller. In any communication of this scheme, a node should send a qubit ({|0 , |1} measurement result or state symbol of communication security) and a quantum information I D, the length of which is supposed to be l. Thus, the consumption of particles for a controlled quantum repeater network is Nq ≥ (l + 1) × 2 (Nsum − 1). Apparently, with the total number of nodes Nsum

80

4 Quantum Network Coding Based on Repeater

Table 4.7 Particle consumption in the case of no active attack Item Parameter Total number of nodes Total number of ID (l qubits) Minimum number of {|0 , |1} measurement result or state symbol Minimum particle consumption Min(E q )

Nsum l × 2 (Nsum − 1) 2 (Nsum − 1) (l + 1) × 2 (Nsum − 1)

increasing, the particle consumption E q will increase correspondingly. Thus we can prove Theorem 5, and the details are listed in Table 4.7. Theorem 6 Secure quantum network coding scheme for controlled repeater networks can reduce EPR-pair consumption in the presence of active attacks to a maximum extent. Proof As a trusted party, the controller regulates the process of EPR-pair distribution by judging the source and freshness of received information. With quantum one-time pad, the controller obtains (l + 1) qubits message (Mi , I D i ), where Mi and I D i represent the operating state and identity of node i, respectively. If the controller can receive real-time quantum information from legitimate nodes in the whole process of quantum channel generation, i.e., no attack happens, quantum repeater network can generate quantum entanglement channel with any adjacent nodes only should share one EPR-pair initially. If attack happens, quantum channel generation process is terminated to avoid waste of particle consumption, so that no more EPR-pairs will be distributed. In contrast to quantum repeater network without a controller, this scheme can reduce particle consumption in the presence of active attacks, and the earlier the attack is detected, the fewer particle will be wasted. Assume that secure encoding for a quantum repeater network needs n e EPRpairs by m s steps, x represents the xth step when the controller detects an attack, the particle consumption N P is positively related with x, and the corresponding functional expression is given as follows: N P = f (x, m s , n e ) , where the function f is monotone increased. Compared with a quantum repeater network without a controller, (n e − N P ) EPR-pairs can be saved when an attack happens. The comparison results between with-controller case and without-controller case over the butterfly network are listed in Table 4.8.

4.2 Secure Quantum Network Coding for Controlled Repeater Networks Table 4.8 EPR-pair consumption in the case of active attack Step of attack happening Step 1 Step 2 EPR-pairs consumed without a controller 7 EPR-pairs consumed with a controller 2 EPR-pairs saved 5

7 4 3

81

Step 3

Step 4

Step 5–11

7 5 2

7 6 1

7 7 0

4.2.7 Security Analysis   Theorem 7 Let  + AB be an EPR-pair shared by two legitimate nodes r1 and r2 in a quantum repeater network, where I D 1 and I D 2 are identities of r1 and r2 , and known to each other. Transmission of measurement result on particle A in the {|0 , |1} basis with quantum one-time pad can detect active attacks and generate entanglement channel securely. Proof Let M A be the {|0 , |1} basis measurement result of particle A in the legitimate node r1 . During the process of quantum channel generation, only when the current legitimate node r2 receives a real-time quantum message from the previous legitimate node r1 , does it apply Pauli operator on its own particle B. There will be four possible scenarios listed as follows: (a) No attack happens, r2 receives the encrypted quantum information and decrypts it to obtain (M A , I D 1 ), then applies a corresponding Pauli operator on particle B. (b) Attacker intercepts the encrypted quantum information and sends other information to r2 , r2 receives the information and decrypts with the correct secret key, only to find that decrypted information is not the identity of r1 , and it will do no operation on particle B. (c) Attacker impersonates r1 and sends information to r2 , r2 judges the received information as irrelevant information because r1 does not send request of key generation to r2 , so r2 will discard it and do no operation on particle B. (d) Attacker intercepts an encrypted quantum information and resends the same information to r2 in the latter communication, the first time r2 receives the information, it can decrypt and obtain the correct information, while it can tell out that the rest received information are not in real time. As we see from above analysis that a legitimate node can judge the source and freshness of received information with quantum one-time pad, so it will not apply wrong or redundant operation on its particle during quantum channel generation. Thus Theorem 7 is proved.

82

4 Quantum Network Coding Based on Repeater

Fig. 4.16 Many-to-many D3 repeater network

2

1 IDs1

3 IDs2

IDs3

1 IDr1 2 IDr2 Controller

IDr3

3

1

IDt1

2

IDt2

4.2.8 Discussion According to the above analysis, we can conclude that this scheme can not only achieve secure quantum channel generation for long-distance quantum communication, but also reduce particle consumption in the presence of active attacks. Beyond butterfly network, this scheme would also be applied to general scenarios, such as general quantum repeater networks. Consider that the key technique of general graph networks is to transform a general graph into a D3 (Degree 3) graph, Iwama et al. [3] gave the transformation schemes of one-to-many, many-to-one, and many-to-many. Here we give an example of manyto-many D3 repeater network with a controller shown as Fig. 4.16. Note that here we adopt a network with three inputs and two outputs, and assume that source nodes s1 and s2 communicate with target node t1 , source nodes s3 communicates with target node t2 , r1 , r2 , and r3 are three intermediate nodes. The identity of any node is represented as I D x (x is the name of a node). By applying the quantum repeater network coding scheme, three EPR-pairs are obtained by (s1 , t1 ), (s2 , t1 ), and (s3 , t2 ) finally, thus quantum entanglement channel is generated in the many-to-many network. During the process of quantum channel generation, the controller controls the distribution of EPR-pairs. In comparison with the setting of the butterfly network, additional EPR-pairs are needed between r1 − r2 , r2 − r3 , and r3 − t1 , if there exists an active attack, more particle resource could be

4.2 Secure Quantum Network Coding for Controlled Repeater Networks Fig. 4.17 Site selection of a controller for the butterfly network

r

83

r r Controller

r r

r 250km

saved. That means with the diversification of general graph network, the controller will play a more important role in the presence of active attacks. Obviously, there remains a lot of future works, such as site selection of a controller in the quantum repeater network with complex topology, which is limited by practical operability of EPR-pair distribution. If the controller was nearer to each node, it will save more resource. In this scheme, the controller needs to keep in touch with every network node, which severely restricts the size of a network. Yan et al. [4] have ever quantitatively analyzed the performance of quantum repeater that one repeater can support quantum communication for 125 km, i.e., the controller should be no more than 125 km away from each node. We give a simple model of site selection for the butterfly network with one controller (see Fig. 4.17). The controller is located at the center of a circle which contains all repeater nodes with diameter no more than 250 km. For a more complex network, one possible solution to site selection is dividing the network with (a + b + c + · · · ) nodes into a few groups by the principle of proximity and following the rule that each node is no more than 125 km away from a controller (see Fig. 4.18), we set one controller for the system and each group to control EPRpair distribution. The main idea is that the main controller communicates with the group controllers (Con 1 , Con 2 , Con 3 , . . .), while the group controllers communicate with the repeater nodes.

4.3 Summary The objective was to realize long-distance quantum communication over quantum repeater networks with complex topology. In this chapter, we introduced a quantum network coding scheme “GQQ” for general repeater networks. The detailed algo-

84

4 Quantum Network Coding Based on Repeater

Controller

Quantum channel

Con1

r11

Con2

r1a

r21

Con3

r2b

r31

r3c

Fig. 4.18 Quantum repeater network with hierarchical controllers

rithms of quantum channel generation scheme for the cases of one-to-many, manyto-one, and many-to-many were given to generate quantum entanglement channels in a D3 graph network. Then we introduced a new quantum repeater network adding a controller as a trusted party, which controls the EPR-pair distribution in the whole quantum channel generation process. Quantum one-time pad is utilized to improve the basic operations LOCC. With the improved algorithms LOQC, legitimate nodes can apply correct operation to the particles when encoding for quantum entanglement channel. Scheme analysis demonstrates that the scheme can realize secure long-distance quantum communication and achieve resource saving if there exist active attacks to a maximum extent.

References 1. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes from classical nonlinear protocols. In: IEEE International Symposium on Information Theory (ISIT), pp. 109–113 (2011) 2. Nishimura, H.: Quantum network coding - how can network coding be applied to quantum information? In: International Symposium on Network Coding (NetCod), 1–5 (2013) 3. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs. Physics 52(3), 610–621 (2006) 4. Yan, Y., Pei, C.X., Han, B.B., et al.: A quantum repeater for quantum communication systems. In: The First Chinese Conference on Communications Departments of Colleges and Universities, pp. 791–796 (2007) 5. Pei, C.X., Yan, Y., Liu, D., et al.: A quantum repeater communication system based on entanglement. Acta Photon. Sin. 37(12), 2422–2426 (2008) 6. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A 86(3), 9591–9598 (2012)

References

85

7. Shang, T., Li, J., Pei, Z., Liu, J.W.: Quantum network coding for general repeater networks. Quantum Inf. Process. 14(9), 3533–3552 (2015) 8. Cao, H.J., Guo, Y.Q., Song, H.S.: Teleportation of an unknown bipartite state via non-maximal entangled two-particle state. Chin. Phys. 15(5), 915–918 (2006) 9. Shang, T., Li, J., Pei, Z., Liu, J.W.: Secure quantum network coding for controlled repeater network. Quantum Inf. Process. 15(7), 2937–2953 (2016) 10. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67(4), 645–648 (2003) 11. Shang, T., Zhao, X., Liu, J.W.: Quantum network coding based on controlled teleportation. IEEE Commun. Lett. 18(5), 865–868 (2014)

Chapter 5

Quantum Network Coding Based on Controller

Controlled teleportation introduces the concept of a controller and can control the reconstruction process of a receiver by sharing a GHZ state between the sender and the receiver. In this chapter, we introduce quantum network coding schemes based on controlled teleportation to control the decoding process of receivers in a butterfly network. By introducing a third party, the schemes provide a model of three-party communication for each unicast stream in the butterfly network. Furthermore, by introducing an identity authentication mechanism into the quantum network coding scheme, the schemes will have good potential to enhance the security of communication in the quantum network.

5.1 Quantum Network Coding Based on Controlled Teleportation 5.1.1 Requirement of a Trusted Third Party With the rapid development of quantum network, the security of quantum information transmission has become a crucial issue. Researchers have explored to transmit information in quantum channels directly, namely, quantum security direct communication (QSDC) [1]. However, the QSDC schemes based on teleportation must send measurement results via classical channels to receivers, which will arouse hidden danger due to the unreliability of classical communication. Research achievements [2, 3] show that if the measurement results are governed by a trusted third party, the security of QSDC will be greatly enhanced. Following this idea, we focus on new quantum network coding schemes based on controlled teleportation [4]. By introducing a third party, namely, the controller, these schemes provide a model of three-party communication for each unicast stream in the butterfly network. Such schemes have good potential to enhance the security of communication in the quantum network. © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_5

87

88

5 Quantum Network Coding Based on Controller

5.1.2 Controlled Teleportation In 2007, Zhou et al. [5] proposed a controlled teleportation scheme. This scheme introduces the concept of a controller and can control the reconstruction process of a receiver by sharing a GHZ state between the sender and the receiver. Assume that the state of the particle to be sent is |ϕ D = α|0 D + β|1 D (where |α|2 + |β|2 = 1). The GHZ state shared by Alice, Bob and Charlie initially is: 1 |ϕ ABC = √ (|000 + |111) ABC . 2

(5.1)

The subscripts A, B, and C represent the three particles owned by the parties Alice, Bob, and Charlie, respectively. The whole state can be represented to be: |ψ = |ϕ ABC ⊗ |ϕ D . It can be rewritten as follows: |ψ =

1  +  φ (α|00 BC + β|11 BC )+ 2  AD φ− (α|00 BC − β|11 BC )+  + AD ψ (α|11 BC + β|00 BC )+  −  AD  ψ (α|11 BC − β|00 BC ) . AD

For convenience, four operators are defined as follows:  U0 = |0 0| + |1 1| = 

10 01



 1 0 0 −1   01 U2 = |1 0| + |0 1| = 10   0 1 . U3 = |0 1| − |1 0| = −1 0 U1 = |0 0| − |1 1| =

(5.2)

The Bell states are:    ± φ = √1 (|00 ± |11) , ψ ± = √1 (|01 ± |10) . 2 2 Let the classical bits correspond to the result of Bell-state measurement as follows:         00 → φ+ , 10 → φ− , 01 → ψ + , 11 → ψ − .

5.1 Quantum Network Coding Based on Controlled Teleportation

89

The controlled teleportation scheme is described as follows: (1) The sender Alice performs a Bell-state measurement on her particles A and D, then Alice can transmit the result to Bob by classical channel. Hence the particles   B and C collapse to a corresponding entangled state. We pick out the result φ+ AD as an example. Then |ψ BC = α|00 BC + β|11 BC . (2) If Charlie allows Bob to acquire the originally unknown state, he can perform a Hadamard operation on the particle C: 1 1 H |0C = √ (|0 + |1)C , H |1C = √ (|0 − |1)C . 2 2 Then the state of the particles B and C becomes:    ψ

BC

= (α|0 B + β|1 B )|0C + (α|0 B − β|1 B )|1C .

(3) After Charlie’s single-particle measurement (in the basis of |0 and |1) on C, Bob can obtain a state that can be transformed to the originally unknown state with or without a local unitary operation.

5.1.3 QNC Scheme Based on XQQ We describe a scheme with two controllers (Con1 and Con2 ) based on the XQQ protocol as shown in Fig. 5.1. In this scenario, there are two unicast streams, including two senders A1 and A2 , two receivers B1 and B2 . M1 and M2 are two intermediate nodes. The unknown quantum states to be sent by Ai is |ϕi  = αi |0 + βi |1 , i ∈ {1, 2}. More importantly, the controller Con(i⊕1) and the sender Ai share a GHZ state: 1 |ϕ Ai,3 Ai,4 Ci⊕1 = √ (|000 + |111) Ai,3 Ai,4 Ci⊕1 . 2 Where ⊕ denotes classical exclusive OR operation, Ai,3 Ai,4 are owned by Ai , and Ci⊕1 is owned by Con(i⊕1) . Considering the latter scheme, here we use Ai,3 and Ai,4 to denote the particles of GHZ states instead of Ai,1 and Ai,2 . The first scheme is described as follows: Step 1: At the sender A1 , (Q 1 , Q 2 ) = U C (|ϕ1 ); At the sender A2 , (Q 3 , Q 4 ) = U C (|ϕ2 ). Step 2: The sender A1 (A2 ) performs a Bell-state measurement on the particles Q 1 (Q 4 ) and A1,3 (A2,3 ), and obtains the classical bit strings (r1r2 )1 ((r1r2 )2 ) corresponding to the measurement result (see Eq. 5.2). Then the sender Ai transmits the result (r1r2 )i to the controller Con(i⊕1) , respectively. Step 3: The controller Con(i⊕1) performs a Hadamard operation on its particle Ci⊕1 and performs a single-particle measurement on Ci⊕1 to obtain a classical bit

90

5 Quantum Network Coding Based on Controller

Controller 2

1

A1

Con 2

Q2

Q1

Q4

M1

GHZ state

Q4

Q5

1

Con1

A2

Q3

Q1

GHZ state

Controller 1

2

M2

H1

H2

B2

Q6

2

Q7

B1

Fig. 5.1 Scheme based on the XQQ protocol

(r3 )i . Let the classical bit (r3 )i correspond to the measurement result: 0 → |0C , 1 → |1C . According to controlled teleportation, after this step the state of the particle Ai,4 becomes ρi = (Uxi )−1 · U C(|ϕi ), which can be denoted as Q 1  = ρ1 = (Ux1 )−1 · U C(|ϕ1 ), Q 4  = ρ2 = (Ux2 )−1 · U C(|ϕ2 ). Here Uxi is the unitary operator chosen to reconstruct |ϕi  according to (r1r2 r3 )i . Step 4: At the node M1 , Q 5 = G R (Q 2 , T T R(Q 3 )). Step 5: At the node M2 , (Q 6 , Q 7 ) = U C (Q 5 ). Step 6: If the controller Coni allows the receiver Bi to obtain the original state |ϕi , it can send the classical bits (r1r2 r3 )i⊕1 to the receiver Bi via the channel Hi . Thus the receiver Bi can obtain the operator Ux(i⊕1) according to (r1r2 r3 )i⊕1 . Then the decoding processes are described as follows: At the receiver B1 , the output state is

ρ1 out = G R Q 7 , T T R(Ux2 · Q 4  ) = G R(Q 7 , T T R(Q 4 )) = |ϕ1  . At the receiver B2 , the output state is ρ2 out = B M(Ux1 · Q 1  , Q 6 ) = B M(Q 1 , Q 6 ) = |ϕ2  . Here U C denotes the operation of universal cloning, T T R denotes the operation of tetra measurement, G R denotes the group operation, and B M denotes the operation of 3D Bell measurement. Note that U C(|ϕ1 ) can produce two quantum states which are approximate to |ϕ1 . T T R(Q 3 ) is to perform a tetra measurement on the quantum

5.1 Quantum Network Coding Based on Controlled Teleportation

91

Table 5.1 Measurement results of the particles and the corresponding Uxi operator |ϕ Ai,3 Si |ϕCi⊕1 Uxi (r1 r2 r3 )i  + φ |0Ci⊕1 000 U0 A S i,3 i

 − φ

|1Ci⊕1 |0Ci⊕1

001 010

U1 U1

Ai,3 Si

|1Ci⊕1 |0Ci⊕1

011 100

U0 U2

Ai,3 Si

|1Ci⊕1 |0Ci⊕1

101 110

U3 U3

|1Ci⊕1

111

U2

Ai,3 Si

 + ψ  − ψ

state Q 3 , which can produce two classical bits r1r2 . Then r1r2 can be used to select one operator of Pauli operators as GR operator (00 → I = U1 ,10 → σx = U2 ,01 → σz = U3 ,11 → iσY = U4 ). More details can be seen in Hayashi’s work [6]. In other cases, the state of the particles after the corresponding measurement and the unitary operator chosen to reconstruct the original states by the receivers are shown in Table 5.1 (See the Eq. 5.1 for Uxi ). The particles Q 1 (Q 4 ) sent by A1 (A2 ) is denoted as S1 (S2 ) for convenience.

5.1.4 QNC Scheme Based on Prior Entanglement Due to approximate cloning, the fidelity of the XQQ protocol is obviously smaller than 1. For this reason, another scheme for high fidelity was designed based on the perfect quantum network coding protocol with prior entanglement [7]. The scheme is shown in Fig. 5.2. Here we also use two controllers of Con1 and Con2 . The sender A1 (A2 ) can transmit classical bits to C  on1(Con2 ) freely. The two senders share two pairs of the maximally entangled state φ+ , where the first pair has two particles A1,1 and A2,1 , and the second pair has two particles A1,2 and A2,2 . Here A1,1 and A1,2 are owned by A1 . The sender Ai and the controller Coni (i ∈ {1, 2}) share a GHZ state as follows: 1 |ϕ Ai,3 Ai,4 Ci = √ (|000 + |111) Ai,3 Ai,4 Ci . 2 Here Ai,3 Ai,4 are owned by Ai , and Ci is owned by Coni . The unknown quantum states to be sent by Ai is |ϕi  = αi |0 + βi |1. The corresponding particle is denoted as Si . Then

92

5 Quantum Network Coding Based on Controller

Controller 1

1

A1

Con1

D1 : X1

GHZ state

E1 : U (X1

X2 )

D2 : X 2

A2

F : X1 X 2

4

H1

Con 2

GHZ state

M1

1

Controller 2

2

E2 : U (X1

G2 : X1

X 2 G1 : X1

1 3

H2

M2

B2

X2 )

X2

B1

Fig. 5.2 Scheme based on prior entanglement

|ϕ Ai,3 Ai,4 Ci ⊗ |ϕ Si 1   = [φ+ Ai,3 Si (αi |00 Ai,4 Ci + βi |11 Ai,4 Ci ) 2  + φ− Ai,3 Si (αi |00 Ai,4 Ci − βi |11 Ai,4 Ci )   + ψ + Ai,3 Si (αi |11 Ai,4 Ci + βi |00 Ai,4 Ci )   + ψ − Ai,3 Si (αi |11 Ai,4 Ci − βi |00 Ai,4 Ci )] . The second scheme is described as follows: Step 1: The sender Ai performs a Bell-state measurement on the particles Si (i = 1 or 2) and Ai,3 . Then he can obtain the classical bit string (r1r2 )i corresponding to the Bell-state measurement result. The sender Ai transmits the result (r1r2 )i to the controller Coni , respectively. Step 2: The controller Coni performs a Hadamard operation on its particle Ci and performs a single-particle measurement on Ci , and obtains the classical bit (r3 )i corresponding to the measurement result: 0 → |0C , 1 → |1C . According to controlled teleportation, after this step the state of the particle Ai,4 becomes |ϕi+2  = (Uxi )−1 · |ϕi , where Uxi is the unitary operator chosen to reconstruct |ϕi . The value of Uxi can be seen in Table 5.1 (Here we need to replace Ci⊕1 with Ci in Table 5.1). Step 3: The sender Ai performs a joint measurement on the particle Ai,4 and the particle Ai,i in the Bell basis, and he obtains the measurement result X i = n i m i .

5.1 Quantum Network Coding Based on Controlled Teleportation

93

  The state of Ai,i⊕1 after measurement is U (X i⊕1 )−1 · ϕ(i⊕1)+2 (Here U (00) → I U (10) → σ Z U (01) → σ X U (11) → iσY ). Step 4: The sender Ai performs the unitary operation U (X i )−1 to Ai,i⊕1  . Hence the −1 −1  ϕ(i⊕1)+2 = state of the particle Ai,i⊕1 becomes U (X ) · U (X ) · i i⊕1   c(X i , X i⊕1 ) · U (X 1 ⊕ X 2 )−1 · ϕ(i⊕1)+2 , where |c (X i , X i⊕1 )| = 1. Then the sender Ai sends the particle Ai,i⊕1 to Bi⊕1 via the channel E i . He also sends the classical bits X i to Mi . Step 5: The node M1 sends X 1 ⊕ X 2 to the node M2 . Also the node M2 sends X 1 ⊕ X 2 on the receivers B1 and B2 . Step 6: The receiver Bi performs the unitary operation U (X 1 ⊕ X 2 ) to the received state U (X 1 ⊕ X 2 )−1 · |ϕi+2 . He can obtain the state |ϕi+2 . Step 7: If the controller Coni allows the receiver Bi to obtain the original state |ϕi , he can send the classical bits (r1r2 r3 )i to the receiver Bi via the channel Hi . Then the receiver Bi can choose the suitable operator to recover the quantum state |ϕi  according to the classical bits (r1r2 r3 )i . This process can be written as follows: (Uxi ) · |ϕi+2  = (Uxi ) · (Uxi )−1 · |ϕi  = |ϕi  . If the controller Coni forbids the receiver Bi to obtain the original state, he would not transmit the classical bits (r1r2 r3 )i to the receiver Bi . Without the corresponding unitary operator, Bi would fail to recover the original state |ϕi  by |ϕi+2 .

5.1.5 Performance Analysis As we know, controlled teleportation can transmit a quantum state perfectly. All the operations of controlled teleportation have no effect on the fidelity. Hence we can easily obtain Theorem 1. Theorem 1 The fidelity of the scheme with two controllers based on the XQQ pro√ 2 , F2 ≥ 21 + 22433 . tocol is smaller than 1 and larger than 1/2, specially F1 ≥ 21 + 81 The fidelity of the scheme with two controllers based on the perfect quantum network coding protocol with prior entanglement is strictly 1. Definition 1 If a protocol uses the network n times along with other allowed resources, and communicates m 1 , m 2 of sizes n (r1 − δn ), n (r2 − δn ) bits/qubits with fidelity at least 1 − ξn for δn , ξn → 0. Then we say that the rate pair (r1 , r2 ) is achievable. The achievable rate region is the set of all achievable rate pairs [8]. In the schemes, each channel can optionally transmit one qubit or two bits as required. Note that it needs to transmit three bits (r1r2 r3 )i via the classical channel between the controllers and the receivers. Hence we can easily conclude that it totally needs to use the network

1.5 times to transmit two source qubits across in two schemes, i.e., (r1 , r2 ) = 23 , 23 . Obviously, the rate region of the schemes would be  (r1 , r2 ) r1 , r2 ≤ 23 .

94

5 Quantum Network Coding Based on Controller

Table 5.2 Performance comparison Fidelity X QQ Scheme1 PE Scheme2

Hx(p) . So when a classical message or signature is tampered or forged by an attacker or a dishonest intermediate node, Hx(p) is larger than the verification threshold.

8.2.7 Security Analysis We provide a lemma to prove the unforgeability of the CVQHS scheme in Propositions 3 and 4. Lemma 1 Secret keys cannot be calculated on the basis of the classical messages and quantum states transmitted in the channels. Proof Firstly, the link A → M is considered. Obviously, an attacker Eve cannot calculate the secret keys kA1 and kA2 on the basis of mA = a + ia and |α2 + mA + mkA1 + mkA2 . Similarly, for the link B → M , the secret keys kB1 and kB2 cannot be calculated. Secondly, the link M → V is considered. Eve can intercept the classical message mA + m∗B and the quantum states ⎧  |α 1  = | √12 α+  ⎪ ⎪ ⎪ ⎨ |α 2  = | √1 (α∗ + mA + mB + mk + mk + mk + mk ) A1 A2 B1 B2 + 2 .  √1 α−  |α  = | ⎪ 3 ⎪ 2 ⎪ ⎩ |α  = | √1 (α∗ + m − m + m + m − m − m ) 4 A B kA1 kA2 kB1 kB2 − 2 Owing to the famous uncertainty principle, two quadratures x and p cannot be precisely measured at the same time. To calculate as much information as possible,

8.2 Continuous-Variable Quantum Homomorphic Signature

179

Eve needs to measure the x quadrature of part of the quantum states and the p quadrature of the other part of the quantum states. Without loss of generality, we assume Eve measures the x quadrature of |α1  and |α2  and the p quadrature of |α3  and |α4 . Eve can only calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2 on the basis of the measurement results and mA + m∗B . So the secret keys kA1 , kA2 , kB1 , and kB2 cannot be calculated. Proposition 3 An attacker Eve cannot forge the signature of a legitimate signer. Proof In the verifying phase, the verifier V uses pre-shared secret keys to verify a signature. So Eve must obtain secret keys to forge a signature that can pass verification. According to Lemma 1, Eve cannot calculate secret keys on the basis of the classical messages and the quantum states transmitted in the channels. Assume the secret keys are distributed securely in the setup phase, then it is impossible for Eve to have the secret keys. So Eve cannot forge the signature of a legitimate signer. In fact, even if Eve obtains the secret keys in the setup phase, it cannot forge the signature of a legitimate signer because it does not share entangled states with M . Assume Eve has a quantum state |α0  = |x0 + ip0  and the secret keys of A, namely kA1 and kA2 . Eve signs a message e with secret keys kA1 and kA2 and generates the signature SkEA (e) = |α0 + mE + mkA1 + mkA2  = |αE , where mE = e + ie. Then it substitutes the classical message and the signature of A with mE and |αE , respectively. In the verifying phase, V calculates 

and

xV = x0 − x1 + e + kA1 + xkA2 + b + kB1 + xkB2 pV = p1 − p0 + e + kA1 + pkA2 − b − kB1 − pkB2 

x V = e + kA1 + xkA2 + b + kB1 + xkB2 . p V = e + kA1 + pkA2 − b − kB1 − pkB2

It is obvious that xV = xV and pV = pV . The verifier confirms the existence of an attacker or a dishonest intermediate node and denies the signatures. In conclusion, Eve cannot forge the signature of a legitimate signer. Proposition 4 Assume secret keys are distributed securely in the setup phase, then a dishonest intermediate node M cannot forge the signatures of legitimate signers. Proof According to Lemma 1 and the assumption that secret keys are distributed securely, M cannot obtain the secret keys kA1 , kA2 , kB1 and kB2 . Instead, M can only calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2 . Assume M substitutes mA+B with a fake message mM A+B . It needs to prepare M ∗ ∗ two quantum states |α2M  = | √12 (α+ + mM ) and |α  = | √12 (α− + mM 2 4 4 ) to sub  M stitute the original signatures |α2  and |α4 , respectively. Here, m2 and mM 4 are M M M M M = x + ip and m = x + ip . In the complex numbers and expressed as mM 2 2 2 4 4 4

180

8 Continuous-Variable Quantum Network Coding

verifying phase, V measures quantum states and calculates xV = x2M and pV = p4M . M       According to mM A+B , V calculates a and b that satisfy a + b + i(a − b ) = mA+B .    Then mkA = xkA + ipkA can be calculated according to the pre-shared secret 1(2)

1(2)

1(2)

M keys kA2 and kB2 . After that, V calculates xV = xA+B + kA1 + xk A + kB1 + xk B and 2 2 M + kA1 + pk A − kB1 − pk B . Finally, V calculates Hx = (xV − τ xV )2 and pV = pA+B 2 2 Hp = (pV − τ pV )2 . If Hx ≤ Hth and Hp ≤ Hth , V accepts the signatures. Otherwise, V denies the signatures. If imperfections of implementation are not considered, Hth = 0. M To make the fake signatures pass verification, M should choose mM 2 , m4 , and to satisfy mM A+B  M M x2 = xA+B + kA1 + x kA2 + kB1 + x kB2 . M M p4 = pA+B + kA1 + p kA − kB1 − p kB 2

2

Since M cannot obtain kA2 and kB2 , it cannot calculate the correct values for mkA 1 and mkA . So M cannot forge the signatures of legitimate signers. 2 Finally, we prove the non-repudiation of the CVQHS scheme in Propersition 5. Proposition 5 Assume secret keys are distributed securely in the setup phase, then a signer cannot repudiate its signature after it has passed verification. Proof According to Propersitions 3 and 4, a dishonest intermediate node M and an attacker cannot perform forgery, so the signatures generated only by legitimate signers with their own secret keys can pass verification. According to Lemma 1 and the assumption that secret keys are distributed securely, nobody but legitimate signers and the verifier can obtain the secret keys. Therefore, a signer cannot repudiate its signature after it has passed verification.

8.3 Secure CVQNC with Message Authentication 8.3.1 Message Authentication of CVQNC Like network coding, continuous-variable quantum network coding scheme could be confronted with pollution attacks, so we try to combine continuous-variable quantum homomorphic signature with continuous-variable quantum network coding [45]. The scheme is based on the CVQNC scheme with prior entanglement. A source node applies Bell detection to two of its quantum states and displaces another quantum state according to the measurement results. Then it sends the displaced quantum state to a target node and the measurement results to an intermediate node, respectively. For the purpose of message authentication, the source node generates a quantum signature of the measurement results and sends it to the intermediate node. Intermediate nodes will generate homomorphic quantum signatures. Before a target node decodes the quantum message, it must verify the received quantum signatures.

8.3 Secure CVQNC with Message Authentication

181

8.3.2 Secure CVQNC Scheme The network setting is presented in Fig. 8.6. s1 and s2 are source nodes and signers, r1 and r2 are intermediate nodes, and t1 and t2 are target nodes and verifiers. The scheme is described as follows: Step 1. Setup phase. s1 shares secret keys kA1 and kA2 with target nodes. s2 shares secret keys kB1 and kB2 with target nodes. s1 and s2 share two pairs of entangled states, namely (|α11 , |α12 ) and (|α21 , |α22 ), and si (i = 1, 2) holds the ith modes of the entangled states. r1 prepares two pairs of entangled states, namely (|α1 , |α2 ) and (|α3 , |α4 ). A pair of entangled states (|α1 , |α2 ) meet the following correlations ⎧ √ (0) xˆ 1 = (er xˆ 1(3) + e−r xˆ 2(0) )/ 2 ⎪ ⎪ ⎪ ⎨ pˆ = (e−r pˆ (0) + er pˆ (0) )/√2 1 2 1(3) √ , r (0) −r (0) ⎪ = (e x ˆ − e x ˆ )/ 2 x ˆ 2 ⎪ 1(3) 2) ⎪ √ ⎩ (0) − er pˆ 2(0) )/ 2 pˆ 2 = (e−r pˆ 1(3) 

(ˆx1 − xˆ 2 )2  = e−2r /2 , (ˆp1 + pˆ 2 )2  = e−2r /2

where xˆ k(0) and pˆ k(0) (k = 1, 2) are a conjugate pair of quadratures of a vacuum state |αk(0)  and |αk(0)  = |xk(0) + ipk(0) . Then r1 sends |α2  to s1 and |α4  to s2 . | | |

| | |

A

11 21

s1

S kB (b)

Sk A (a)

mA

B 12 22

s2

mB

r1 |

| |

11

1

3

| |

r2

t2

5 7

| |

|

4

mA mB* | |

mA mB*

2

6 8

mA mB* | |

1

3

| |

2 4

Fig. 8.6 CVQNC scheme against pollution attacks

t1

22

182

8 Continuous-Variable Quantum Network Coding

Step 2. Encoding phase. s1 applies Bell detection to |α21  and its signal mode |αA . Concretely, it mixes two modes at a 50:50 beam splitter (BS) and applies homodyne detection to the output states. Then it displaces the quadratures of |α11  according to the measurement results (xA1 , pA1 ), where xA1 is the measurement result of the x quadrature of |αA + α21  and pA1 the p quadrature of |αA − α21 . The displaced mode is denoted as |α 11 . Similarly, s2 applies Bell detection to |α12  and its signal mode |αB . Then it displaces the quadratures of |α22  according to the measurement results (xB2 , pB2 ). The displaced mode is denoted as |α 22 . Step 3. Signing phase. s1 generates a real number a from (xA1 , pA1 ) according to an encoding rule which is predetermined among all nodes. Then s1 uses secret keys ˆ a+ kA1 and kA2 to generate a signature of a, which is denoted by SkA (a). SkA (a) = D(m ˆ = exp(γ aˆ † − γ ∗ aˆ ) is the displacement operator. ma , mkA1 + mkA2 )|α, where D(γ) mkA1 and mkA2 are complex numbers, namely ma = a + ia, mkA1 = kA1 + ikA1 , mkA2 = xkA2 + ipkA2 , where xkA2 and pkA2 satisfy

xkA2 = kA2 , pkA2 = 0

if a + kA2 is odd

xkA2 = 0, pkA2 = kA2

if a + kA2 is even

.

s1 sends mA = a + ia and SkA (a) to r1 and |α 11  to t2 . Similarly, s2 generates a real number b from (xB2 , pB2 ) and generates its signature SkB (b). Then s2 sends mB = b + ib and SkB (b) to r1 and |α 22  to t1 . Step 4. Combining phase. r1 applies Bell detection to |α1  and |α3 , and denotes output states as |α 1  and |α 3 . Then r1 mixes SkA (a) and SkA (a) at a 50:50 BS and denotes output states as |α 2  and |α 4 . After that, r1 sends |α 1 , |α 3 , |α 2 , |α 4 , and mA + m∗B to r2 . Step 5. Copying phase. After applying homodyne detection to the received quantum states, r2 prepares quantum states |α5 , |α6 , |α7 , and |α8  according to measurement results, where x5 = x 1 , p6 = p 3 , x7 = x 2 , and p8 = p 4 . Then r2 sends |α 1 , |α 3 , |α 2 , and |α 4  to t1 , and sends |α5 , |α6 , |α7 , and |α8  to t2 . Step 6. Verifying phase. t1 applies homodyne detection to the received quantum states and calculates √ xV = 2(x 2 − τ x 1 ) and pV =

√  2(p 4 − τ p 3 )

according to measurement results. Then t1 calculates x V = a + kA1 + xkA2 + b + kB1 + xkB2 and p V = a + kA1 + pkA2 − b − kB1 − pkB2 according to the classical message and pre-shared secret keys. If Hx = (xV − τ x V )2 ≤ Hth and Hp = (pV − τ p V )2 ≤ Hth , t1 will confirm that the messages are from s1 and s2 . Otherwise, t1 will deny the signatures and abort the protocol. t2 verifies the signatures in a similar way.

8.3 Secure CVQNC with Message Authentication

183

Step 7. Decoding phase. t1 applies displacement operator to |α 22  so as to obtain |αA , which displaces the x quadrature by xA1 +xB2 and the p quadrature by pA1 +pB2 . Similarly, t2 obtains |αB .

8.3.3 Performance Analysis In this section, we will analyze the performance of the scheme from the perspectives of fidelity and network throughput. A. Fidelity Here we consider the quantum state at the target node t1 . The case of the target node t2 will be the same for the reason of symmetry. Assume the entangled states shared between two source nodes are ideal, i.e., perfectly correlated and maximally entangled, r → ∞.   + ip22  are After step 2, the two quadratures of |x22 

 = xˆ 22 − xˆ B + xˆ 12 xˆ 22 .  pˆ 22 = pˆ 22 − pˆ B − pˆ 12

 At t1 , xˆ 22 is displaced as    → xˆ 22 = xˆ 22 + xˆ 22

√ 2(ˆxA1 + xˆ B2 )

= xˆ A − xˆ 21 + xˆ 22 √ = xˆ A − 2e−r xˆ 2(0)

.

 Similarly, pˆ 22 is displaced as    → pˆ 22 = pˆ 22 + pˆ 22

√ 2(ˆpA1 + pˆ B2 )

= pˆ A + pˆ 21 + pˆ 22 √ = pˆ A + 2e−r pˆ 1(0)

.

When r increases to infinity, the final quantum state at t1 becomes |ˆxA + iˆpA , which is the same as the quantum state sent by s1 . As a result, we can conclude that our CVQNC scheme can successfully transmit two quantum states across perfectly by a single network use. The fidelity of the scheme is 1. B. Network throughput Assume that a coherent state |x + ip is modulated with classical characters, i.e., x, p ∈ {0, 1, ..., N − 1}. When the classical character set for modulation has N elements, each character contains log2 N bits of information. In the proposed CVQNC scheme, each target node receives one coherent state with a fidelity of 1. So each

184

8 Continuous-Variable Quantum Network Coding

target node can receive 2log2 N bits of classical information by a single network when applying the CVQNC scheme. As a matter of fact, coherent states are nonorthogonal, which means they cannot be perfectly distinguished to yield the ideal entropy calculated. The square of the inner product of two arbitrary coherent states |α and |β is |β|α|2 =e−|α−β| . 2

(8.18)

Equation 8.18 shows that coherent states |α and |β are approximately orthogonal when |α − β| 1 so they can be measured by heterodyne detection with high accuracy. The condition |α − β| 1 requires the elements of classical character set to have large values, which may be impractical for implementation.

8.3.4 Security Analysis The CVQNC scheme utilizes quantum homomorphic signature to resist pollution attacks. To successfully tamper or forge messages, an attacker Eve or dishonest intermediate nodes must forge a signature that can pass verification. Meanwhile, a legitimate source node may attempt to deny that it has sent a message to a target node. In this section, we will analyze the security of the scheme from the perspectives of unforgeability and non-repudiation. A. Unforgeability Firstly, we analyze whether secret keys can be calculated on the basis of the classical messages and quantum states transmitted in the channels. By eavesdropping the link s1 → r1 , an attacker Eve cannot calculate the secret keys kA1 and kA2 on the basis of mA = a + ia and |α2 + mA + mkA1 + mkA2 . Similarly, for the link B → r1 , the secret keys kB1 and kB2 cannot be calculated. By eavesdropping the link r1 → r2 → t1 , Eve can intercept the classical message mA + m∗B and the quantum states ⎧ 1 | √2 α+  ⎪ ⎪ ⎪ ⎨ | √1 (α∗ + mA + mB + mk + mk + mk + mk ) A1 A2 B1 B2 + 2 . √1 α−  | ⎪ ⎪ 2 ⎪ ⎩ | √1 (α∗ + m − m + m + m − m − m ) A B kA1 kA2 kB1 kB2 − 2 Owing to the famous uncertainty principle, two quadratures x and p cannot be precisely measured at the same time. To calculate as much information as possible, Eve needs to measure the x quadrature of part of the quantum states and the p quadrature of the other part of the quantum states. Without loss of generality, we assume Eve measures the x quadrature of |α1  and |α2  and the p quadrature of |α3  and |α4 . Eve can only calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2

8.3 Secure CVQNC with Message Authentication

185

on the basis of the measurement results and mA + m∗B . So the secret keys kA1 , kA2 , kB1 , and kB2 cannot be calculated. Secondly, we analyze whether an attacker Eve or a dishonest intermediate node r2 can forge the signature of a legitimate source node. In the verifying phase, t1 and t2 use pre-shared secret keys to verify a signature. So Eve and r2 must obtain secret keys to forge a signature that can pass verification. It has been proved that Eve and r2 cannot calculate secret keys on the basis of the classical messages and the quantum states transmitted in the channels. Assume the secret keys are distributed securely in the setup phase, then it is impossible for Eve and r2 to have the secret keys. So Eve and r2 cannot forge the signature of a legitimate signer. In fact, even if Eve and r2 obtain the secret keys in the setup phase, they cannot forge the signature of a legitimate signer because they do not share entangled states with r1 . Assume Eve or r2 has a quantum state |α0  = |x0 + ip0  and the secret keys of A, namely kA1 and kA2 . It signs a message e with secret keys kA1 and kA2 and generates the signature SkEA (e) = |α0 + mE + mkA1 + mkA2  = |αE , where mE = e + ie. Then it substitutes the classical message and the signature of A with mE and |αE , respectively. In the verifying phase, t1 calculates 

xV = x0 − x1 + e + kA1 + xkA2 + b + kB1 + xkB2 pV = p1 − p0 + e + kA1 + pkA2 − b − kB1 − pkB2 

and

x V = e + kA1 + xkA2 + b + kB1 + xkB2 . p V = e + kA1 + pkA2 − b − kB1 − pkB2

It is obvious that xV = xV and pV = pV . t1 confirms the existence of an attacker or a dishonest intermediate node and denies the signatures. The case of t2 will be the same for the reason of symmetry. In conclusion, Eve and t2 cannot forge the signature of a legitimate source node. Thirdly, we analyze whether a dishonest intermediate node r1 can forge the signatures of a legitimate source node under the assumption of secure secret key distribution. According to the assumption that secret keys are distributed securely, r1 cannot obtain the secret keys kA1 , kA2 , kB1 and kB2 . Instead, r1 can only calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2 . Assume r1 substitutes mA+B with a fake message mM A+B . It needs to prepare M ∗ ∗ two quantum states |α2M  = | √12 (α+ + mM ) and |α  = | √12 (α− + mM 2 4 4 ) to sub  M stitute the original signatures |α2  and |α4 , respectively. Here, m2 and mM 4 are M M M M M complex numbers and expressed as mM 2 = x2 + ip2 and m4 = x4 + ip4 . In the verifying phase, t1 measures quantum states and calculates xV = x2M and pV = p4M . M       According to mM A+B , t1 calculates a and b that satisfy a + b + i(a − b ) = mA+B .    Then mkA = xkA + ipkA can be calculated according to the pre-shared secret 1(2)

1(2)

1(2)

M keys kA2 and kB2 . After that, t1 calculates xV = xA+B + kA1 + xk A + kB1 + xk B and 2

2

186

8 Continuous-Variable Quantum Network Coding

M pV = pA+B + kA1 + pk A − kB1 − pk B . Finally, t1 calculates Hx = (xV − τ xV )2 and 2 2 Hp = (pV − τ pV )2 . If Hx ≤ Hth and Hp ≤ Hth , t1 accepts the signatures. Otherwise, t1 denies the signatures. M To make the fake signatures pass verification, r1 should choose mM 2 , m4 , and M mA+B to satisfy  M M x2 = xA+B + kA1 + x kA2 + kB1 + x kB2 . M M p4 = pA+B + kA1 + p kA − kB1 − p kB 2

2

Since r1 cannot obtain kA2 and kB2 , it cannot calculate the correct values for mkA 1 and mkA . So r1 cannot forge the signatures of a legitimate source node. 2

B. Non-repudiation Assume secret keys are distributed securely in the setup phase and the target nodes are honest. It has been proved that an attacker Eve and dishonest intermediate nodes cannot perform forgery, so only the signatures generated by pre-shared secret keys can pass verification. It has also been proved that secret keys cannot be calculated, so nobody but legitimate source nodes and target nodes can obtain the secret keys. Since the target nodes are honest, they always announce the correct verification results and will not forge signatures. Therefore, a source node cannot repudiate its signature after it has passed verification.

8.4 Summary In this chapter, we introduced two feasible CVQNC schemes. The first scheme uses the Gaussian cloning and ADD/SUB operators as the counterparts of key operations of quantum network coding. As quantum states cannot be cloned perfectly, the fidelity of this scheme is constrained to be 1/2, which is rather low compared with the existing DVQNC schemes. With the help of extra resources, i.e., pre-shared entanglement and classical communication, the second scheme can transmit quantum states with a fidelity of 1. By encoding classical information on quantum states, quantum network coding schemes can be utilized to transmit classical information. Scheme analysis shows that the CVQNC schemes have great advantage over discrete-variable paradigms in network throughput from the viewpoint of classical information transmission. Thus, CVQNC is a meaningful direction for quantum communication in the perspective of efficiency and practicability. Then we introduced a CVQHS scheme. The scheme is based on continuousvariable entanglement swapping and provides additive and subtractive homomorphism. The CVQHS scheme is a basic model for verifying two different data sources in a quantum network and future work is needed to extend it to multiple data sources. Furthermore, we introduced a continuous-variable quantum network coding scheme against pollution attacks. By combining continuous-variable quantum homomorphic signature, the scheme can verify the identity of different data sources. As long as

8.4 Summary

187

quantum signatures pass verification, target nodes can decode their quantum states and obtain the correct messages. Security analysis shows that the scheme is secure against forgery and repudiation.

References 1. Braunstein, S.L., Loock, P.V.: Quantum information with continuous variables. Rev. Mod. Phys. 77(2), 513–577 (2005) 2. Vaidman, L.: Teleportation of quantum states. Phys. Rev. A 49(2), 1473–1476 (1994) 3. Hillery, M.: Quantum cryptography with squeezed states. Phys. Rev. A 61(2), 022309 (1999) 4. Cerf, N.J., Levy, M., Assche, G.V.: Quantum distribution of gaussian keys using squeezed states. Phys. Rev. A 63(5), 535–540 (2001) 5. Frederic, G., Philippe, G.: Continuous variable quantum cryptography using coherent states. Phys. Rev. Lett. 88(5), 057902 (2002) 6. Bartlett, S.D., Sanders, B.C., Braunstein, S.L., et al.: Efficient classical simulation of continuous variable quantum information processes. Phys. Rev. Lett. 88(9), 47–55 (2001) 7. Miwa, Y., Yoshikawa, J.I., van Loock, P., et al.: Demonstration of a universal one-way quantum quadratic phase gate. Phys. Rev. A 80(5), 050303 (2009) 8. Cerf, N.J., Ipe, A., Rottenberg, X.: Cloning of continuous quantum variables. Phys. Rev. Lett. 85(8), 1754–1757 (2000) 9. Fiurasek, J.: Optical implementation of continuous-variable quantum cloning machines. Phys. Rev. Lett. 86(21), 4942 (2001) 10. Andersen, U.L., Josse, V., Leuchs, G.: Unconditional quantum cloning of coherent states with linear optics. Phys. Rev. Lett. 94(24), 240503 (2005) 11. Zeng, G., Lee, M., Guo, Y., et al.: Continuous variable quantum signature algorithm. Int. J. Quantum Inf. 5(4), 553–573 (2007) 12. Weedbrook, C., Lance, A.M., Bowen, W.P., et al.: Quantum cryptography without switching. Phys. Rev. Lett. 93(17), 170504-1–170504-4 (2004) 13. Zavatta, A., Fiurasek, J., Bellini, M.: A high-fidelity noiseless amplifier for quantum light states. Nat. Photonics 5(1), 52–60 (2011) 14. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding for coherent states. Quantum Inf. Process. 16(4), 107 (2017) 15. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007) 16. Grosshans, F., Grangier, P.: Quantum cloning and teleportation criteria for continuous quantum variables. Phys. Rev. A 64(1), 783–797 (2001) 17. Bernstein, H.J.: Must quantum theory assume unrestricted superposition? J. Math. Phys. 15(10), 1677–1679 (1974) 18. Braunstein, S.L., Kimble, H.J.: Teleportation of continuous quantum variables. Phys. Rev. Lett. 80(4), 869 (1998) 19. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding with modification. Phys. Rev. A 76(4), 538–538 (2007) 20. Braunstein, S.L., Fuchs, C.A., Kimble, H.J.: Criteria for continuous-variable quantum teleportation. J. Mod. Opt. 47(2–3), 267–278 (2000) 21. Banaszek, K.: Optimal receiver for quantum cryptography with two coherent states. Phys. Lett. A 253(1), 12–15 (1999) 22. van Enk, S.J.: Unambiguous state discrimination of coherent states with linear optics: application to quantum cryptography. Phys. Rev. A 66, 042313 (2002) 23. Muller, C., Usuga, M.A., Wittmann, C., et al.: Quadrature phase shift keying coherent state discrimination via a hybrid receiver. New J. Phys. 14(8), 83009–83021 (2012)

188

8 Continuous-Variable Quantum Network Coding

24. Becerra, F.E., Fan, J., Migdall, A.: Implementation of generalized quantum measurements for unambiguous discrimination of multiple non-orthogonal coherent states. Nat. Commun. 4(3), 131–140 (2013) 25. da Silva, M.P., Guha, S., Dutton, Z.: Optimal discrimination of M coherent states with a small quantum computer. In: International Conference on Quantum Communication, Measurement and Computation (QCMC), vol. 1633, no. 1, pp. 225–227 (2014) 26. Gottesman, D., Kitaev, A., Preskill, J.: Encoding a qubit in an oscillator. Phys. Rev. A 64(1), 012310 (2001) 27. Chuang, I.L., Leung, D.W., Yamamoto, Y.: Bosonic quantum codes for amplitude damping. Phys. Rev. A 56(2), 1114 (1997) 28. Holevo, A.S., Werner, R.F.: Evaluating capacities of bosonic Gaussian channels. Phys. Rev. A 63(3), 032312 (2001) 29. Holevo, A.S.: One-mode quantum Gaussian channels: structure and quantum capacity. Probl. Inf. Transm. 43(1), 1–11 (2007) 30. Weedbrook, C., Pirandola, S., Garcia-Patron, R., et al.: Gaussian quantum information. Rev. Mod. Phys. 84(2), 621 (2012) 31. Caruso, F., Giovannetti, V.: Degradability of bosonic Gaussian channels. Phys. Rev. A 74(6), 062307 (2006) 32. Cubitt, T., Elkouss, D., Matthews, W., et al.: Unbounded number of channel uses may be required to detect quantum capacity. Nat. Commun. 6, 6739 (2015) 33. Caves, C.M.: Quantum limits on noise in linear amplifiers. Phys. Rev. D 26(8), 1817 (1982) 34. Li, Q., Chan, W.H., Wu, C., Wen, Z.: On the existence of quantum signature for quantum messages. Int. J. Theor. Phys. 52(12), 4335–4341 (2013) 35. Clarke, P.J., Collins, R.J., Dunjko, V., et al.: Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light. Nat. Commun. 3, 1174 (2012) 36. Collins, R.J., Donaldson, R.J., Dunjko, V., et al.: Realization of quantum digital signatures without the requirement of quantum memory. Phys. Rev. Lett. 113(4), 040502 (2014) 37. Guo, Y., Feng, Y., Huang, D., et al.: Arbitrated quantum signature scheme with continuousvariable coherent states. Int. J. Theor. Phys. 55(4), 2290–2302 (2016) 38. Croal, C., Peuntinger, C., Heim, B., et al.: Free-space quantum signatures using heterodyne measurements. Phys. Rev. Lett. 117(10), 100503 (2016) 39. Donaldson, R.J., Collins, R.J., Kleczkowska, K., et al.: Experimental demonstration of kilometer-range quantum digital signatures. Phys. Rev. A 93(1), 012329 (2016) 40. Shang, T., Zhao, X.J., Wang, C., et al.: Quantum homomorphic signature. Quantum Inf. Process. 14(1), 393–410 (2015) 41. Luo, Q.B., Yang, G.W., She, K., et al.: Quantum homomorphic signature based on Bell-state measurement. Quantum Inf. Process. 15(12), 5051–5061 (2016) 42. Li, K., Shang, T., Liu, J.W.: Continuous-variable quantum homomorphic signature. Quantum Inf. Process. 16(10), 246 (2017) 43. Zukowski, M., Zeilinger, A., Horne, M.A., et al.: ‘Event-ready-detectors’ Bell experiment via entanglement swapping. Phys. Rev. Lett. 71(26), 4287 (1993) 44. Polkinghorne, R.E.S., Ralph, T.C.: Continuous variable entanglement swapping. Phys. Rev. Lett. 83(11), 2095 (1999) 45. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding against pollution attacks. In: 2018 IEEE Information Theory Workshop (ITW), 25–29 November 2018 (Submitted)

Part II

Security Analysis Method

Chapter 9

Security Analysis of Quantum Cryptographic Protocols

In this chapter, we review the principle of some common quantum attacks, such as intercept-and-resend attack, teleportation attack, man-in-the-middle attack, participant attack and implementation attack. Also, we introduce some general security analysis methods, such as BAN logic, random oracle model and quantum-accessible random oracle model. These methods for classical cryptographic protocols can provide effective tools for quantum cryptographic protocols.

9.1 Main Attacks In this section, we introduce the main attacks on quantum protocols. Indeed many attacks are contrived for particular protocols, while we still can conclude representative attack models against various quantum protocols, including quantum key distribution (QKD), quantum secure direct communication (QSDC) and quantum secret sharing (QSS).

9.1.1 Intercept-and-Resend Attack The intercept-and-resend attack is the most common type of attack used on quantum protocols. An eavesdropper interrupts quantum channel, measures each quantum signal received from a sender in one of measurement bases (according to the protocol), which it chooses randomly. Then the eavesdropper sends the quantum signal to a receiver, and will replace the compromised signal with other signals, without leaving traces of the attack. We present an example of intercept-and-resend attack on QKD. In naive interceptand-resend, Eve intercepts the light photons coming from the sender Alice with his own predefined basis. Since detectors are highly efficient in the ideal environment, Eve can get a hold on each photon. Eve follows a scheme which is shown in the © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_9

191

192

9 Security Analysis of Quantum Cryptographic Protocols

Fig. 9.1 Decision tree of Eve

form of the decision tree in Fig. 9.1. The scheme is shown for sending a bit value 0. Eve then sends the replacement photon to Bob as his predefined basis. Now, the intensity of the pulse to Bob is such adjusted that Bob will detect this pulse with the same rate. So, in a sense Eve is working like a median person and performing the detection of the photons from the Alice side the same √ as that of Bob. Eve’s efforts are said to be worth if he succeeds in getting the 1/ 2 of the Alice’s information. In the error correction and privacy amplification phase of the BB84 protocol, suppose t error bits are detected. By using this information, Alice and Bob get some estimation that lesser than e1 bits are subjected to intercept/resend√attack. Furthermore, the amount of information gained by Eve is not more than e1 / 2. In the naive interceptand-resend attack, the assumption is that Eve is not listening over public channel during the sifting phase of the BB84 protocol. This gives the information gain of approximately 0.2 bits out of every bit sent by Alice. Intercept-and-resend attack is also used against quantum protocols like Byzantine agreement [1] and QSDC [2]. Therefore, despite the intercept-and-resend attack is very simple in principle, enough attention should be paid carefully.

9.1 Main Attacks

193

9.1.2 Teleportation Attack Teleportation attack [3] was presented originally against a certain QSDC protocol [4]. However, it is demonstrated that quantum teleportation can be employed to weaken the role of the order-rearrangement encryption in certain protocols. With the help of this special attack, an eavesdropper can obtain half of the transmitted secret bits. To understand this attack, we introduce the basic idea of the QSDC protocol in [4]. At the beginning of the QSDC protocol, Alice’s sending qubits are in the states |φi1 = Uˆ y (θi )|0 = cos θi |0 − sin θi |1, which looks as if Alice puts a lock Uˆ y (θi ) on each carrier state |0. Similarly, Bob also puts another lock Uˆ y (φi ) on each of them. Because θi and φi are randomly selected by Alice and Bob, respectively, all locks can be removed only by the one who initially puts them on. Afterward, Alice opens her locks by the operations Uˆ y (−θi ) and encodes her secret bits by Uˆ y (± π4 ). Finally Bob removes his locks by Uˆ y (−φi ) and then obtains the secret bits by measurements. To extract the transmitted bits, from the perspective of Eve who has no keys to these locks, the only way is to acquire the qubits without any lock at a certain stage. However, Bob will disorder the sequence before sending it. In this condition, the simple attack would be invalid because Alice cannot remove her locks appropriately (the key and the lock for a certain qubit are not matched due to the order-restoring operation by Alice). To resolve this problem, Eve can employ the technique of quantum teleportation. When Eve sends the faked sequence S1E to Alice, the role of the orderrearrangement encryption would be weakened because Eve can also adjust the order of his corresponding sequence S2E according to Bob’s announcement. In the teleportation process, if Eve acquires one of the results {|+, |−, |+, |−}, she knows that the state of the corresponding qubit in Alice’s hand would be one of { Iˆ|φi1 , σˆ z |φi1 , σˆ x |φi1 , iσˆ y |φi1 }, respectively. At that time, if the sequence is in the control of Eve, she can change each qubit into the (preferred) state |φi1 by one of the above operations and subsequently eliminate the influence of the orderrearrangement encryption completely. Thus, Eve can extract secret information if he obtains {|+ or |−} in a certain teleportation process, because both Iˆ and iσˆ y commute with Alice’s operation Uˆ y (−θi ± π4 ).

9.1.3 Man-in-the-Middle Attack The man-in-the-middle (MITM) attack is a very common attack method in classical cryptography. Generally, the MITM attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. An MITM attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other. In quantum cryptography, there also exists the MITM

194

9 Security Analysis of Quantum Cryptographic Protocols

attack. For example, Zou and Qiu [5] considered the MITM attack on the QSDC protocol. We briefly explain why the MITM attack is feasible in QSDC. According to the request of QSDC and the QSDC scheme [6], we can learn that Alice and Bob do not share any secret key or quantum entanglement in the QSDC scheme. Therefore, when Alice receives the quantum information |ψ, she cannot confirm that it was sent by Bob. Similarly, Bob cannot determine that the received quantum information |ψ   came from Alice. Furthermore, we know that Alice and Bob do not discuss the measurement results in the classical communication channel. Thereby, at the end of the QSDC scheme, Alice cannot be sure that |ψ was sent by Bob, and Bob cannot be sure that |ψ   came from Alice. Accordingly, what quantum messages cannot be authenticated in the QSDC scheme provides the possibility of the MITM attacks. To deal with this problem, measuring partial quantum states and discussing the measurement results with Bob by the unblocked classical public communication channel must be undertaken before Alice encrypts the message p and sends it to Bob. MITM can also attack other quantum protocols. For example, Wang et al. [7] considered the MITM attack on the BB84 protocol.

9.1.4 Participant Attack In most multi-party quantum cryptographic protocols, participants tend to be more aggressive than external attackers. This is because participants can use their legal control of some carrier particles and participate in detecting eavesdropping processes to enhance their attacks. We call this attack a ‘participant attack’. Therefore, when analyzing the security of multi-party quantum cryptography protocols like QSS, we should prevent dishonest participants from eavesdropping more carefully. Generally speaking, if a multi-party protocol can resist participant attacks, then it can resist external attacks and therefore is secure. An example of participant attack against QSS is in [8]. In this attack, two dishonest agents together can illegally recover the secret quantum state without the help of any other controller, and it will not be detected by any other users. We describe how participants Bob and Charlie1 in QSS protocol [9] can illegally obtain the secret quantum state. After the secure distribution process of the particles, Alice performs Bell measurements on particles p, 1 and particles q, 3 and announces the measurement results via the classical channel. If Alice’s measurement results are in the states of |+ p1 and |+q3 , the state of other particles would be projected. At an appropriate time, if Charlie1 cooperates with Bob and sends the particle 4 to Bob, Bob just performs σx on the particle 4, and then the particles 2 and 4 would be in the state | pq . So Bob obtains the secret state in an illegal way. In the QSS protocol, the process of detection aims to detect whether the particles have securely arrived at each agent. This participant attack is performed after this process, so it

9.1 Main Attacks

195

cannot be detected by other users. Thus, this strategy can successfully attack the QSS protocol [9].

9.1.5 Implementation Attack The attack methods described above are all from the viewpoint of theoretical analysis. In the experimental implementation, the various devices are not as perfect as in the theoretical hypothesis. Therefore, in addition to the theoretical attacks, there are some attacks that are considered from an implementation perspective, such as faked state attack [10], Trojan horse attack [11], and photon number splitting attack [12].

9.2 Security Analysis Methods A variety of common attack methods in the quantum cryptographic protocol has been introduced above. When analyzing the security of a quantum cryptographic protocol, a good way is to consider all possible attacks. Of course, we would prefer more general security analysis. In classical cryptography, provably security is a way to generally analyze the security of protocols. Provably security refers to a reduction approach: firstly, determine the security objectives of a protocol; then build a form of adversary model based on the capabilities of the adversary; finally, reduce the protocol to a mathematical assumption. Here we introduce classical BAN logic model and random oracle model, and quantum-accessible random oracle model for post-quantum cryptosystems.

9.2.1 BAN Logic In 1989, Burrows, Abadi, and Needham [13] proposed a model logic based on knowledge and belief, namely BAN Logic. BAN logic can be used to describe and verify authentication protocols, the purpose of which is to analyze the security of authentication protocols in computer networks or distributed systems. After authentication, three principals (people, computers, or services) should be entitled to believe that they are communicating with each other and not with intruders. Applying the BAN logic for protocol analysis requires converting a protocol into formulas in the BAN logic, i.e., performing the “idealization step” of the protocol, and makes reasonable postulates according to specific situation. Then it uses logical rules to infer whether the protocol can achieve the desired goal based on idealized protocols and postulates. The simplicity and practicality of protocol analysis has made BAN logic widely used.

196

9 Security Analysis of Quantum Cryptographic Protocols

Basic notation The logic distinguishes several sorts of objects: principals, encryption keys, and formulas (also called statements). The symbols A, B, and S denote specific principals; K ab , K as , and K bs denote specific shared keys; K a , K b , and K s denote specific public keys, and K a−1 , K b−1 , and K s−1 denote corresponding secret keys; and Na , Nb , and Nc denote specific statements. The symbols P, Q, and R range over principals; X and Y range over statements; and K ranges over encryption keys. The logic uses the following notation [14]: P believes X : P believes X , or P would be entitled to believe X . P sees X : P sees X . Someone has sent a message containing X to P, who can read and repeat X (possibly after doing some decryption). P said X : P once said X . The principal P at some time sent a message including the statement X . It is not known whether the message was sent long ago or during the current run of the protocol, but it is known that P believed X then. P controls X : P has jurisdiction over X . The principal P is an authority on X and should be trusted on this matter. fresh (X ): The formula X is f r esh, i.e., X has not been sent in a message at any time before the current run of the protocol. K

P ↔ Q: P and Q may use the shar ed key K to communicate. The key K is good, in that it will never be discovered by any principal except P or Q, or a principal trusted by either P or Q. K

→ P: P has K as a public key. The matching secr et key (denoted K −1 ) will never be discovered by any principal except P or a principal trusted by P. X

P  Q: The formula X is a secr et known only to P and Q, and possibly to principals trusted by them. Only P and Q may use X to prove their identities to one another. {X } K : This represents the formula X encrypted under the key K . Formally, {X } K is a convenient abbreviation for an expression of the form {X } K from P. X Y : This represents X combined with the formula Y . It is intended that Y be a secret and that its presence proves the identity of whoever utters X Y . In implementations, X is simply concatenated with the password Y . Logical postulates BAN logic has 19 inference rules. Some representative rules are listed: (1) The message-meaning rules: the interpretation of messages. Two of the three concern the interpretation of encrypted messages, and the third concerns the interpretation of messages with secrets. They all explain how to derive beliefs about the origin of messages. For shared keys, we postulate K

P believes Q ↔ P, P sees {X } K P believes Q said X That is, if P believes that the key K is shared with Q and sees X encrypted under K , then P believes that Q once said X .

9.2 Security Analysis Methods

197

For public keys, we postulate K

P believes → Q, P sees {X } K −1 P believes Q said X That is, if P believes that K is the public key of Q, and K −1 is the secret key, the message is sent by Q when P sees the message encrypted with K −1 . For shared secrets, we postulate Y

P believes Q  P, P sees X Y P believes Q said X That is, if P believes that the secret Y is shared with Q and sees X Y , then P believes that Q once said X . (2) The nonce-verification rule: P believes fresh(X ), P believes Q said X P believes Q believes X That is, if P believes that X could have been uttered only recently (in the present) and that Q once said X (either in the past or in the present), then P believes that Q believes X . (3) The jurisdiction rule: P believes Q controls X, P believes Q believes X P believes X That is, if P believes that Q has jurisdiction over X then P trusts Q on the truth of X. (4) The seeing rules: K

P sees X Y P believes Q ↔ P, P sees {X } K P sees (X, Y ) , , P sees X P sees X P sees X K K P believes → P, P sees {X } K P believes → Q, P sees {X } K −1 , P sees X P sees X That is, if a principal sees a formula, then he also sees its components, and he knows the necessary keys. (5) The freshness rules: P believes fresh(X ) , P believes fresh(X, Y )

P believes fresh(X ) P believes fresh(α X )

That is, if one part of a formula is fresh, then the entire formula must also be fresh.

198

9 Security Analysis of Quantum Cryptographic Protocols

(6) The belief rules: P believes X, P believes Y , P believes (X, Y ) P believes Q believes (X, Y ) , P believes Q believes X

P believes (X, Y ) P believes X P believes Q said (X, Y ) P believes Q said X

(7) The key and secret rules: K

P believes R ↔ R 

K

K

,

X

,

P believes R  ↔ R X P believes R  R  P believes R   R

P believes Q believes R ↔ R  K

P believes Q believes R  ↔ R X P believes Q believes R  R  X

P believes Q believes R   R

(8)The session key rule: A believes fresh(K ), A believes B believes X K

A believes A ↔ B Idealized protocol Authentication protocols are described by listing their messages. Each message is typically written in the form P → Q : message. This denotes that the principal P sends a message to the principal Q. The message is presented in an informal notation designed to suggest the bit-string that a concrete implementation would use. This presentation is often ambiguous and not an appropriate basis for formal analysis. Therefore, we transform each protocol step into an idealized form. A message in the idealized protocol is a formula. For instance, the protocol step A → B : {A, K ab } K bs may tell B, who knows the key K bs , that K ab is a key to communicate with A. This step should then be idealized as K ab

A → B : {A ↔ B} K bs . Idealized protocols usually ignore certain unimportant messages and elements. The criterion for judging whether a message or element of the message is important is whether the message or element of the message can help the principal establish a new belief. In general, we omit cleartext communication simply because it can be forged,

9.2 Security Analysis Methods

199

and so its contribution to an authentication protocol is mostly one of providing hints as to what might be placed in encrypted messages. Protocol analysis BAN logic can solve four problems in the formal analysis of the protocol: (1) (2) (3) (4)

Does this protocol work? Can it be made to work? Exactly what does this protocol achieve? Does this protocol need more assumptions than another protocol? Does this protocol do anything unnecessary?

The analysis steps of the BAN logic are described as follows: (1) Describe the initial state of the system with a logical language and establish an initial set of postulates. (2) Establish an idealized protocol model and convert the actual message of the protocol into a formula that can be recognized by the BAN logic. (3) Transform the message (P → Q : X ) into a logical language (Q sees X ). (4) Apply inference rules to formally analyze the protocol and derive the analysis results. In order to analyze the idealized protocols, we annotate them with logical formulas. The main rules for deriving legal annotations are the following: (1) If X holds before the message P → Q : Y , then both X and Q sees Y hold afterward. (2) If Y can be derived from X by the logical postulates, then Y holds whenever X holds. Step by step, we can follow the evolution from the initial beliefs to the final ones, from the original assumptions to the conclusions.

9.2.2 Random Oracle Model The random oracle model is an important way to balance the provable security and practicality of a cryptographic scheme compared with standard model. The idea is to prove the scheme secure in a model in which every party, legitimate or malicious, has access to a public random function. The idea of a public random function was first introduced in 1986 by Fiat and Shamir [15]. They argued the security of a method to turn identification schemes into signature schemes by assuming every party has access to a public random function. This method was later used to provide a security argument for blind signatures and electronic cash. The random oracle model was formalized and popularized by Bellare and Rogaway [16]. In particular, they showed that many “tricks” that were used to construct cryptographic schemes could be proven secure in the random oracle model. Following this, the random oracle model was used to argue the security of many efficient cryptographic protocols.

200

9 Security Analysis of Quantum Cryptographic Protocols

The random oracle is a deterministic and publicly accessible random uniform distribution function. For any length of input, a deterministic length value is uniformly selected in the output field as the answer to the query. The random oracle model adds a publicly accessible random oracle to the standard model and idealizes a hash function as a random oracle. Bellare and Rogaway described the random oracle methodology as a paradigm. Suppose one has a protocol problem . In order to devise a good protocol P for : (1) Find a formal definition for  in the model of computation in which all parties (including the adversary) share a random oracle R. (2) Devise an efficient protocol P for  in this random oracle model. (3) Prove that P satisfies the definition for . (4) Replace oracle accesses to R by computation of a cryptographic hash function. In the random oracle model, the adversary can only obtain the required hash value by the random oracle. The simulator exploits the adversary in a number of steps to turn the adversary’s ability into an advantage that breaks a known difficult problem. A secure hash function (such as SHA-1, SHA-256, 384, etc.) is used in most practical applications instead of the random oracle. The security of a scheme is based on the provable security results and the distinguishability of the hash function from the random oracle. Compared with the provable security scheme in the standard model, the computational cost is also greatly reduced due to tight reduction in the random oracle model. Many widely used cryptographic schemes are based on the random oracle model, such as digital signature scheme PSS [17], public-key encryption scheme RSA-OAEP [18, 19], key exchange protocol [16], etc.

9.2.3 Quantum-Accessible Random Oracle Model The interest in post-quantum cryptosystems, namely systems that remain secure in the presence of a quantum adversary, has generated elegant proposals for new cryptography. A promising direction is lattice-based cryptography, where the underlying problems are related to finding short vectors in high- dimensional lattices. As it is often the case, lattice-based cryptosystems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. In this model, the adversary is given oracle access to a random hash function O : {0, 1}∗ → {0, 1}∗ and it can only “learn” a value O(x) by querying the oracle O at the classical bits x. However, to obtain a concrete system, the random oracle is eventually replaced by a concrete hash function thereby enabling a quantum attacker to evaluate this hash function on quantum states. To capture this issue in the model, an adversary should be allowed to evaluate the random oracle “in superposition”, i.e., the adversary can submit quantum states |φ = αx |x to the oracle O and receives back the evaluated state αx |O(x) (appropriately encoded to make the transformation unitary). This is called the quantum-accessible random oracle model. To prove

9.2 Security Analysis Methods

201

post-quantum security, one needs to prove security in the quantum-accessible random oracle model. Relative works of quantum-accessible random oracle are carried out by [20, 21]. The works of Boneh et al. [22] showed the separation of the classical and quantumaccessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. Then generic conditions are developed under which a classical random oracle proof implies security in the quantumaccessible random oracle model.

References 1. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Comment on experimental demonstration of a quantum protocol for byzantine agreement and liar detection. Phys. Rev. Lett. 101(20), 208901 (2008) 2. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Forcible measurement attack on quantum direct communication protocol with cluster state. Chin. Phys. Lett. 25(8), 2766–2769 (2008) 3. Gao, F., Wen, Q.Y., Zhu, F.C.: Teleportation attack on the QSDC protocol with a random basis and order. Chin. Phys. B 17(9), 3189–3193 (2008) 4. Song, J., Zhu, A.D., Zhang, T.: Quantum secure direct communication protocol with blind polarization bases and particles’ transmitting order. Chin. Phys. B 16(3), 621–623 (2007) 5. Zou, X.F., Qiu, D.W.: Attacks and improvements of QSDC schemes based on CSS codes. Int. Conf. Intell. Comput. (ICIC) 6840, 239–246 (2012) 6. Lu, X., Ma, Z., Feng, D.G.: Quantum secure direct communication using quantum calderbankshor-steane error correcting codes. J. Softw. 17(3), 509–515 (2006) 7. Wang, Y., Wang, H.D., Li, Z.H., et al.: Man-in-the-middle attack on BB84 protocol and its defence. In: IEEE International Conference on Computer Science and Information Technology (ICCSIT) pp. 438–439 (2009) 8. Song, T.T., Zhang, J., Gao, F., et al.: Participant attack on quantum secret sharing based on entanglement swapping. Chin. Phys. B 18(4), 1333–1337 (2009) 9. Zhang, Y.Q., Jin, X.R., Zhang, S.: Secret sharing of quantum information via entanglement swapping. China Phys. B 15(10), 2252–2255 (2006) 10. Makarov, V., Hjelme, D.R.: Faked states attack on quantum cryptosystems. J. Mod. Opt. 52(5), 691–705 (2005) 11. Vakhitov, A., Makarov, V., Hjelme, D.R.: Large pulse attack as a method of conventional optical eavesdropping in quantum cryptography. Opt. Acta Int. J. Opt. 48(13), 2023–2038 (2001) 12. Lutkenhaus, N.: Security against eavesdropping in quantum cryptography. Phys. Rev. A 54(1), 97 (1996) 13. Burrows, M., Abadi, M. and Needham, R:. A logic of authentication. ACM Trans. Comput. Syst. 8(1):18–36 (1990) 14. Dong, L., Chen, K.F.: Cryptographic Protocol. Springer Nature (2012) 15. Fiat, A., Shamir, A.: How to prove ourself: practical solutions to identification and signature problems. In: Annual International Cryptology Conference (CRYPTO’ 86), vol. 263, pp. 186– 194 (1987) 16. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73 (1993) 17. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’ 96), vol. 1070, pp. 399–416 (1996)

202

9 Security Analysis of Quantum Cryptographic Protocols

18. Bellare, M., Rogaway, P.: Optimal asymmetric encryption: how to encrypt with RSA. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’ 94), vol. 950, pp. 92–111 (1995) 19. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013) 20. Aaronson, S.: Quantum copy-protection and quantum money. In: Annual IEEE Conference on Computational Complexity (CCC), pp. 229–242 (2009) 21. Brassard, G., Hoyer, P., Kalach, K., et al.: Merkle puzzles in a quantum world. In: Annual International Cryptology Conference (CRYPTO 2011), vol. 6841, pp. 391–410 (2011) 22. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput. Sci. 7073(1), 41–69 (2010)

Chapter 10

Security Analysis Based on BAN Logic

Many quantum authentication schemes have been designed according to quantum key distribution. Scheme security is proved heuristically by employing attack strategies such as intercept-measure-resend attack, entanglement-measure attack, etc. In this chapter, we introduce security analysis based on BAN logic. In contrast to analyzing protocols with common quantum attacks, formal approach is a more universal tool which helps understand whether a quantum cryptographic protocol meets its security goal or not.

10.1 Formal Analysis Due to its capability to detect potential eavesdropper with high probability, quantum cryptography has been widely explored in many emerging cryptography and communication systems. Based on quantum mechanics, a variety of protocols have been proposed to support diverse systems, such as quantum key distribution (QKD) protocol, quantum signature (QS) protocol, quantum secure direct communication (QSDC) protocol, etc. So it is necessary to provide an efficient analysis tool for quantum cryptographic protocol, which will help analyze the correctness of quantum protocol in a simple and uniform way. Formal method is a combination of a mathematical or logic model of a system and its requirements, together with an effective procedure for determining whether a proof that a system satisfies its requirement is correct [1]. Since the first mention of formal methods, by Needham and Schroeder, was a possible tool for analysis [2], Dolev and Yao accomplished the first protocol analysis work by developing a formal model of an environment in 1981 [3]. Then a lot of research focused on the general use of model checker based on the Dolev–Yao model. These belong to the model checking approach. Given a system model and desired system properties, the model checker explores the full state space of the system model to check whether the given system properties are satisfied by the model [4]. Until the publication of BAN logic [5], formal methods became apprehensible to a larger research community and led to © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_10

203

204

10 Security Analysis Based on BAN Logic

a host of other logics to expand it such as GNY-logic, SVO-logic, etc. Featured with BAN logic, these techniques fall into the domain of logical inference, which is based on an agreed set of deduction rules for formally reasoning about the authentication protocols. In this chapter, we introduce BAN logic and expend it for quantum circumstance and present a detailed security analysis for quantum identity authentication protocols in BAN logic together with a brief discussion.

10.2 Quantum Identity Authentication One branch of these protocols is quantum identity authentication (QIA) protocol, which certifies the identity of the legitimate users of a communication line so that no third party can impersonate either of them. With the achievements of quantum key distribution, early authentication schemes were designed according to quantum key distribution. Dusek et al. [6] presented a proposal based on the combination of classical identification procedure and QKD. Zeng et al. [7] proposed a quantum key verification scheme, which can simultaneously distribute the quantum secret key and verify the communicator’s identity. Similarly, functions of QKD and QIA can also be implemented with Einstein–Podolsky–Rosen (EPR) pair in protocol [8]. Later, a one-way quantum identity authentication scheme [9] was proposed by employing mechanism of ping-pong protocol and property of quantum controlled-NOT gate. Obviously, no authentication is possible between two communicating parties without a previously shared secret including a message and entanglement states [10]. Even with the help of a third party called referee, who can prevent observers from masquerade, the shared secret is necessary in identity authentication. The referee needs to verify a shared entangled resource in a trust-free manner by using classical and quantum communication channels appropriately [11]. For these protocols, distinctive attack strategies have been put forward to analyze their security accordingly since the types of threats become more various in quantum fields. An eavesdropper may impersonate legitimate users, for instance, by intercepting the transmitting particle and resending a fake particle according to its measurement result, which is called intercept-measure-resend attack. To obtain more shared messages from the sending particle in a quantum channel, eavesdropper may send an ancillary particle to entangle with the message particle, which is called entanglement-measure attack. Any attempt to assure the correctness of cryptographic protocols must take all these new attack developments into account.

10.3 Representative QIA Protocol In 2000, Zeng et al. [7] claimed that it is necessary to verify the key in quantum key management while classical verification cannot simultaneously complete identity verification and quantum key distribution as in the literature [6], so they proposed

10.3 Representative QIA Protocol

205

a quantum key verification scheme in case that eavesdroppers avoid the identity verification procedure. EPR pair and Bell theorem were used in their two-phase protocol. In the initial phase, two communicators gain the shared message with the help of an information center which is neither responsible for identity verification nor for generating or distributing secret keys. After the legitimate users, Alice and Bob, obtain the sharing key K1 , no more communication is necessary with the center. Then two communicators execute the verification phase. (1) Alice and Bob convert the sharing key K1 into a series of measurement basis MK . If K1 = 1, MK corresponds to the rectilinear measurement basis. If K1 = 0, MK corresponds to the diagonal measurement basis. (2) Alice prepares the EPR pair. She measures one particle of each EPR pair in the string and sends the other to Bob. Alice chooses a random basis like in the EPR protocol [1] for measuring. (3) Bob randomly measures the received string of particles by using two measurement basis M , MK . Note that M is the measurement basis for the quantum key distribution and obtainment of a new identity sharing key. MK is the measurement basis for identity verification in the current communication. (4) Alice and Bob check the eavesdropper first. Bob randomly chooses some measurement results measured by the basis M to judge the eavesdroppers according to Bell theorem. (5) If there is no eavesdropper, Bob transforms the results measured by the basis MK into a binary bit string m according to the beforehand appointment. The corresponding sequence number is Ni in Alice’s whole qubits strings. Then Bob encrypts m and Ni with K1 . Bob obtains secret message y and sends it to Alice. (6) Alice decrypts y and gets m , Ni . Alice compares her results with m and gets the measurement basis MKt . If Kt = K1 , Bob’s identity is true. (7) Alice sends Bob the results m . If m = m, Alice’s identity is true. (8) If the communicators are legitimate, Alice and Bob distribute the quantum secret key using the remainder qubits as in the EPR protocols [12]. (9) Alice and Bob discard the sharing key K1 , and set up a new sharing key K2 from qubits measured by M or from taking portion bits of the final distributed quantum key. This verification protocol is featured in using the measurement basis to encode message and applying Bell theorem to guarantee unconditional security. The only pitfall is that the process is rather complicated with too much classical messages transmitted. Next, we will focus on a simpler protocol in which only quantum channel is needed. Compared with the shared information schemes [6, 7], the shared entangled states protocols provide further security since the “sharing keys” cannot be copied and spread according to non-cloning theorem. Although it is hard to distribute entangled states and store them, numerous protocols have been proposed considering the speeding progress will be made in technique. Here we consider a quantum identity protocol proposed by Shi et al. [8] for formal analysis. It can not only be used for

206

10 Security Analysis Based on BAN Logic

QKD and QIA, but also for QSDC since no qubit is discarded in the case of an error-free quantum channel. Suppose that Alice and Bob have previously shared pairs of entangled states, Bob performs randomly one of two local unitary operations I and X on his particle in each EPR pair, where     10 01 I= ,X = . 01 10 If Bob performs the unitary operation I on the particle belonging to him, the state ψ − holds unchanged. If the unitary operation performed by Bob is X , the state ψ − will be transformed into state φ− . Then Bob sends his particle back to Alice. Alice does a Bell state measurement on the particle from Bob and the particle from herself. Alice and Bob let state ψ − correspond to “1”, state φ− correspond to “0”. Then they get the sharing key. Moreover, when Alice gets the result of the other two Bell states ψ + , φ+ , there must be someone who impersonates Bob. In this way, every EPR pair is used to distribute a quantum key and verify the user’s identification simultaneously without transmission of any classical message.

10.4 Analysis Procedure 10.4.1 Description of Notions and Rules BAN logic is a formal method for verifying that three principals (including people, computer and services) are entitled to believe they are communicating with each other and not the intruders. It concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes. The procedure of BAN logic for analyzing the crypotographic protocol is described as follows: (1) (2) (3) (4)

Transform protocol into some “idealized” form; Identify the initial assumptions in the language of BAN logic; Use the postulates and rules of the logic to deduce new predicates; Interpret the statements proved by the process to check whether the protocol meets the goal.

In order to apply the same concept to analyze the QIA protocol, some expending work [13] has been made to adjust to quantum circumstance. The supplement notions and postulates we will rely on are summarized in (Tables 10.1 and 10.2), while the initial notions are the same as the literature [5]. Then we analyze a QIA protocol from an efficient perspective by using the BAN logic.

10.4 Analysis Procedure

207

Table 10.1 Supplement notions of BAN logic Supplement notions Lowercase (a, b) Capital letter (A, B) A_ > B :? A− > B :? A A ::! (y, Y  ) = Measure(Y /z)

Meaning Classical bit string Quantum bit string A sends B? through quantum channel A sends B? through classical channel The measured quantum bit string A have! Measure quantum string Y with basis z and gain classical string y and quantum string Y  Number of 1 in string x or X Number of bits in quantum string X

Number(x) or Number(X ) x = Count(X )

Table 10.2 Rules of BAN logic Rules Postulate

Meaning

K

Message-meaning rules

P≡P ↔ Q,P{X }K P≡Q|∼X

Jurisdiction rule

P≡Q⇒X ,P≡Q∼X P≡X

Nonce-verification rule

P≡Q∼X ,P≡#(X ) P≡Q≡X

Freshness rule

P|≡#(X ) P|≡#(X ,Y )

Belief rule

P|≡(X ,Y ) P|≡X ,P|≡Y P|≡X , P|≡(X ,Y )

If P believes that the key K is shared with Q and sees a message X encrypted under K, then P believes that Q once said X If P believes that Q has jurisdiction over X then P trusts Q on the truth of X If P believes that X could have been uttered only recently and that Q once said X, then P believes that Q believes X If P believes that Q has jurisdiction over X then P trusts Q on the truth of X P believes a collection of statements if and only if it believes each of the statements separately

10.4.2 Inference Based on BAN Logic For the QIA protocol proposed by Shi et al. [8], we divide it into two parts. The idealized version derived from the original is presented as follows together with the initial version as a reference. (1) Alice identifies Bob This verification process is shown in Fig. 10.1.

208 Fig. 10.1 Alice identifies Bob

Fig. 10.2 Bob identifies Alice

10 Security Analysis Based on BAN Logic S2′ (x)

Alice

Bob

1: S 2 (y)

Alice

Bob 2 : S1′ (m − y)

(2) Bob identifies Alice This verification process is shown in Fig. 10.2. To verify the security of the QIA protocols, we make a reasonable assumption that when Alice sends a bit string X in a quantum channel, ALL| ≡ Alice| ∼ X , ALL| ≡ #X . Then we use the rules of BAN logic to determine whether the goal of authentication is met or not. (1) Alice identifies Bob Bob sends S 2 (x) to Alice in a quantum channel, recall assumption, we get Alice| ≡ Bob ∼ S 2

(10.1)

Alice| ≡ (#S 2 ). According to Nonce-verification rule, Alice| ≡ Bob| ≡ S 2 ; Since Bob sends S 2 (x), Alice| ≡ Bob ⇒ S 2 . Together with Eq. 10.1, according to Jurisdiction rule, Alice| ≡ S 2

(10.2)

If Number(r a (x)) = 0, Alice| ≡ Number(ra (x)) = 0, ka (x) = Kab . Since ka (x) was the measurement result of S 2 , Alice| ≡ S2  ⇒ ka (x). Together with Eq. 10.2, according to Jurisdiction rule, Alice| ≡ ka (x), i.e., Alice| ≡ Kab . Kab So we derive that Alice| ≡ Alice ↔ Bob (Table 10.3). (2) Bob identifies Alice The steps are similar to (1). Bob sends S 2 (y) to Alice in a quantum channel, recall assumption, we get: Alice| ≡ Bob ∼ S 2 Alice| ≡ (#S 2 ),

(10.3)

10.4 Analysis Procedure

209

Table 10.3 Idealized version of Alice identifies Bob Idealized version Initial protocol Alice :: {S1 (m + n)}, Bob :: {S2 (m + n)}

There are m + n pair of EPR pair and m is public to every one. Alice has one string of qubits S1 , Bob has another S2

Bob :: (kb (x), S2  (x)) = . Note: base(m) is Measure(S2 (x))/base(m) the measurement basis, m = 0 corresponds to operation I , m = 1 corresponds to operation X Bob_ > Alice : S 2 (x) Alice :: (ra (x), ka (x)) = . Note: If the Measure(S1 (x), S2  (x))/BELL result measured by BELL basis is ⎧ − ⎪ φ , ra = 1, ka = 1 ⎪ ⎨ ψ − , ra = 1, ka = 0 ⎪ ⎪ ⎩ φ+ or ψ + , r = 0

Bob performs randomly one of two local unitary operations X and I on x of his qubits

Bob sends his measured qubits back to Alice Alice does a Bell state measurement on the particle from Bob and the particle from herself

a

Alice :: Number(ra (x)), If Number(ra (x)) > 0, Alice counts the number of 1 in ra to figures stop, discard ka (x); If Number(ra (x)) = 0, out whether there is impersonation Alice :: Kab = ka (x)

According to Nonce-verification rule, Alice| ≡ Bob| ≡ S 2 ; Since Bob sends S 2 (y), Alice| ≡ Bob ⇒ S 2 . Together with Eq. 10.3, according to Jurisdiction rule, Alice| ≡ S 2 . Since y is the number of S 2 (y), we obtain y ⊂ S 2 , according to belief rule, Alice| ≡ y, then Alice sends the next S 1  (m − y) to Bob; If b = m − y, Bob| ≡ Alice ∼ S 1 , Bob| ≡ (#S 1 ). According to Nonce-verification rule, we get Bob| ≡ Alice| ≡ S 1

(10.4)

Since Alice sends S 1 (m − y), Bob| ≡ Alice ⇒ S 1 . Together with Eq. 10.4, according to Jurisdiction rule, Bob| ≡ S 1

(10.5)

If Number(rb (x)) = 0, Bob| ≡ Number(rb (x)) = 0, kb (x) = Kab ; Since kb (x) was the measurement result of S 1 , Bob| ≡ Alice ⇒ S 1 . Together with Eq. 10.5, according to Jurisdiction rule, Bob| ≡ kb (x), i.e., Bob| ≡ Kab . Kab So we deduce that Bob| ≡ Alice ↔ Bob (Table 10.4). Through the analysis of this protocol, we obtain the outcome that the authentication between Alice and Bob is complete.

210

10 Security Analysis Based on BAN Logic

Table 10.4 Idealized version of Bob identifies Alice Idealized version Initial protocol Bob_ > Alice : S 2 (y), Alice :: y = Count(S2 (y)) Alice :: (S1  (m − y)) = Measure(S1 (m − y))/base(m) Alice_ > Bob : S 1 (m − y) Bob :: b = Count(S 1 (m − y)). If b = m − y, Stop; If b = m − y. Bob :: (rb (n)) = Measure (S1  (m − y), S2 (m − y))/BELL Bob :: Number(rb (n)); If Number(rb (n)) > 0, stop, discard kb (x); If Number(rb (n)) = 0, Bob :: Kab = kb (x)

Bob sends y number of qubits to Alice Alice performs randomly one of two local unitary operations X and Y on m − y of her qubits Bob sends his measured qubits back to Alice Bob counts the number of the received string to figure out whether Alice get the y qubits

Alice counts the number of 1 in to figures out whether there is impersonation

From above analysis, BAN logic is verified that it can help make the analysis of protocols more efficient by eliminating contents of message or encryptions of messages. In order to verify a protocol by using BAN logic, a set of hypotheses have been made to obtain the initial beliefs. Thus, in classical environment, some hypotheses make it problematic to distinguish between freshness of creation and freshness of receipt roles. On the contrary, in quantum environment, scarcely when the communicators operate on the qubits can the message be validated and this guarantees the freshness of creation as shown in our assumption. However, BAN logic also has its limitation. Since there is no systematic way for translating a protocol description into a BAN description, subjective factors may be introduced and cause a biased view of analysis.

10.5 Summary In this chapter, we applied BAN logic to the formal verification of QIA protocols. We gived the description of notions and rules, and analyzed the security of a representative QIA protocol. BAN logic provides a concise way of proving security of authentication protocols. Especially for quantum circumstances, ambiguity can be avoided in creating the freshness of a message. With finer modeling hypotheses or a finer level of description, more application of logic-based formal methods can be adopted to verify the security of quantum cryptographic protocols.

References

211

References 1. Meadows, C.: Formal methods for cryptographic protocol analysis: emerging issues and trends. IEEE J. Sel. Areas Commun. 21(1), 44–54 (2003) 2. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978) 3. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(20), 198–208 (1983) 4. Lal, S., Jain, M., Chaplot, V.: Approaches to formal verification of security protocols. arXiv:1101.1815 (2011) 5. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput. Syst. 8(1), 18–36 (1990) 6. Dusek, M., Haderka, O., Hendrych, M., et al.: Quantum identification system. Phys. Rev. A 60(1), 149–156 (1999) 7. Zeng, G., Zhang, W.: Identity verification in quantum key distribution. Phys. Rev. A 61(2), 022303 (2000) 8. Shi, B.S., Li, J., Liu, J.M., et al.: Quantum key distribution and quantum authentication based on entangled state. Phys. Lett. A 281(2), 83–87 (2001) 9. Zhang, Z., Zeng, G., Zhou, N., et al.: Quantum identity authentication based on ping-pong technique for photons. Phys. Lett. A 356(3), 199–205 (2006) 10. Curty, M., Santos, D.J., Perez, E., et al.: Qubit authentication. Phys. Rev. A 66(2), 022301 (2002) 11. Cavalcanti, E.G., Hall, M.J., Wiseman, H.M.: Entanglement verification and steering when Alice and Bob cannot be trusted. Phys. Rev. A 87(3), 032306 (2013) 12. Ekert, A.K.: Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67(6), 661 (1991) 13. Sheng, Z.: A Research on the formal analysis of quantum cryptography protocols. Dissertation thesis, National University of Defense Technology (2007)

Chapter 11

Security Analysis Based on Quantum Random Oracle Model

Random oracle model is a general security analysis tool for rigorous security proof and effective cryptographic protocol design. In the quantum world, the attempts of constructing a quantum random oracle (QRO) have been made, such as quantumaccessible random oracle for post-quantum cryptography and quantum random oracle for quantum cryptography. To facilitate the security analysis of quantum cryptographic protocols, we introduce quantum random oracle. As in the classical circumstance, it is crucial and challenging to design and instantiate the QRO model with an appropriate quantum hash function. As a result, we use the QRO model for the security analysis of quantum public-key encryption and quantum digital signature. This new tool can be a test-bed for the cryptanalysis of more quantum cryptographic protocols based on quantum one-way function.

11.1 Quantum Random Oracle Model for Quantum Digital Signature 11.1.1 Development of Random Oracle Random oracle (RO) has been used to design effective cryptographic protocols and give rigorous proofs of security for cryptographic protocols over 20 years [1–4]. RO is virtually a theoretical black box which outputs random bits in equal length when queried by all parties including an adversary. Queries to RO are standardly designed to model an adversary’s attack power [5]. The rapidly evolving quantum computation equips a quantum adversary with sufficient computational power. To analyze classical cryptographic protocols against quantum adversaries, Boneh et al. [6] started pioneering work of the quantum random oracle (QRO) model, more precisely, the quantum-accessible random oracle model, in which an adversary can make quantum superposition queries. Later, Zhandry [7, 8] upgraded the quantum-accessible random oracle with a semi-constant distribution to make it indistinguishable with iden© Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_11

213

214

11 Security Analysis Based on Quantum Random Oracle Model

tical uniform distribution under quantum algorithms. In 2013, Boneh and Zhandry [9] made a significant progress to initiate the study of quantum-secure digital signatures and quantum chosen ciphertext security. In the quantum-accessible random oracle model, an adversary can make quantum chosen message queries and quantum chosen ciphertext queries. Till now, most of the quantum-accessible random oracle model research has focused on classical cryptographic protocols against quantum adversaries. Furthermore, can we explore the construction of a new QRO model to effectively analyze quantum cryptographic protocols against quantum attacks? In this section, we introduce a new QRO model to analyze the security of QDS schemes based on quantum one-way function [10]. We start with the quantum random oracle modeling a collision-free quantum one-way function. Then we will give a general security analysis procedure in the QRO model. For convenient analysis, we choose the original QDS scheme [11]. It is very meaningful to endow new meaning and explanation to the QRO model for quantum cryptosystems.

11.1.2 Quantum Digital Signature Quantum digital signature (QDS) is an important direction of quantum cryptography, which can be used to prevent impersonation, tampering, and repudiation in an information-theoretically secure way. Comparatively, classical unconditionally secure signature schemes against quantum computing attacks have been proposed [12, 13], but the resource assumption of secure classical channels is practically impossible [14]. With the security verified by information-theoretical limits and quantum mechanics, QDS schemes have been applicable by just using existing mature quantum key distribution (QKD) equipment and the experimental transmission distance can achieve over 100 km [15, 16]. In 2001, Gottesman et al. [11] first proposed a QDS scheme, a quantum version of the Lamport public key based signature scheme [17], for certifying the origin and authenticity of a message. In this QDS scheme, public keys are produced through a quantum one-way function instead of the frequently used trapdoor one-way function in classical cryptography. A quantum one-way function transforms a classical bit-string into quantum states. To ensure the validity of transmitted messages, a sender transmits pairs of quantum signatures, consisting of classical secret keys and quantum public keys, to several recipients. The recipients store the signature pairs and verify the quantum signatures by nondestructive quantum state comparison, such as SWAP-test. As we know, general nondestructive quantum state comparison and quantum memory are two key constraints for the development of QDS. Over ten years later, in 2012, Clarke et al. [18] experimentally realized a QDS scheme based on coherent states, while the remaining challenge for QDS to be feasible in practice is quantum memory. The critical requirement of quantum memory was circumvented by Dunjko et al. [19, 20]. They put forward a practical QDS scheme without quantum memory and later implemented it. Obviously, the slow pacing of experimental realization hampered the progress of QDS and other quantum protocols. Alternatively, we can construct

11.1 Quantum Random Oracle Model for Quantum Digital Signature

215

a security model which can facilitate the exploration of a quantum one-way function to more scenarios and the security analysis of related quantum cryptographic protocols, such as quantum digital signature schemes [11, 15, 19] and quantum public-key encryption schemes [21, 22]. The desirable security model needs to provide participants with outputs of a quantum one-way function and results of quantum states comparison, and also, give the same response to an adversary to model possible quantum attacks. Then the security model can be instantiated with continuously developed techniques [18, 20]. In classical cryptography, similar efficient analysis model named random oracle (RO) was introduced in 1993 [1].

11.1.3 Representative QDS Scheme We briefly recall the representative QDS scheme proposed by Gottesman et al. [11]. The scheme assumes all participants will know how to implement the quantum oneway function, and it is based on perfect devices and channels. Notations are described as follows: b: 1-bit classical message. classical secret key. k bi : L-bit    f kbi : n-bit public keys of quantum states that a quantum one-way function generates.    kbi →  f kbi : quantum one-way function that maps a classical bit-string kbi to quan   tum states  f kbi . Initializing phase: Alice chooses a series of L-bit classical bit-strings {k0i , k1i }, 1 ≤ i ≤ M as secret keys for a single message b. k0 is used to sign the message b = 0, and k1 is used to sign the message b = 1. Note that k0 and k1 are chosen independently and randomly for each i. M is a security parameter and the scheme is exponentially secure in M when other parameters are fixed. Signing and verifying phase: (1) Alice chooses secret keys according to b. Then she sends public-keys to at most t recipients, t < L/n. The signed message (b, kb1 , kb2 . . . kbM ) are sent to recipients via insecure classical channel.    (2) Every recipient checks each of the revealed public-keys to verify kbi →  f kbi by quantum states comparison. Then each recipient j counts the number of incorrect keys as s j ; (3) According to s j , each recipient determines the message b as transferable, valid or invalid. Then all participants discard all used and unused keys. To prove the impossibility of forgery and repudiation, the original security model sets security parameters. In the forging scenario, an adversary wants to convince Bob that a faked message b is valid, i.e., b = b. Thus, the secret keys kbi not received by recipients can be modified by the adversary. Some public-keys will fail and the

216

11 Security Analysis Based on Quantum Random Oracle Model

number of incorrect keys s j will increase. The scheme defines the rejection parameter c2 so that when s j > c2 M, the recipients reject the signature. In Alice’s repudiation scenario, Alice wishes Bob (for instance) to accept a message and Charlie to reject it, so she may give completely different public keys to Bob and Charlie. To avoid this kind of cheating, Bob and Charlie will exchange quantum public keys to be compared with SWAP-test. So Alice’s goal is to pass all SWAP-tests and make her message to be intransferable. Analysis shows the possibility of passing SWAP-test is exponentially small in M. In participants’ reputation scenario, they can always deny the sender Alice’s message. Therefore, there must be at least two honest participants. Note that quantum states can store arbitrary amount of data and can be different for unequal messages, but the measurement procedure may lead to collision-type errors, i.e., different classical inputs may lead to equal quantum outputs. Gottesman et al. [11] assumed δ-orthogonal quantum states to limit the measurement errors of SWAP-test. Instead, to give an effective analysis of schemes based on quantum oneway function, we may reasonably use the QRO model to realize the collision-free property. So we assume that the quantum states generated by QRO are distinguishable by its measurement.

11.1.4 Security Analysis from RO to QRO Bellare and Rogaway [1] introduced random oracle (RO) model, which made it possible to give a rigorous proof of security for certain basic cryptographic protocols [23]. RO is used to model a hash function and output total random hash results. All parties, including legal communicators and an adversary, should query RO for the hash value. The security analysis procedure based on the RO model is summarized as follows: (1) Define a hard problem . (2) Redescribe a protocol for . (3) Define the specific security for the protocol. (4) Prove the security of the protocol by reduction. According to the methodology of the RO model, the QRO model for quantum cryptographic protocols can also conform to the above analysis procedure. Proving security in the QRO model presents many challenges. For each step of this analysis procedure, we can further explore the following problems (1) What is a feasible hard problem  in the QRO model? Hard problems for reduction vary among different RO models. In the RO model, Hwang et al. [24] put forward a new quantum primitive called “Unbiased Chosen Basis” (UCB) assumption based on no-cloning theorem, and use it as a hard problem for an adversary to prove the security of three-party quantum key distribution protocol. No-cloning theorem is the foundation of quantum cryptography, which indicates that one cannot copy a qubit if he/she does not know the polarization basis of the qubit. This physical property of quantum mechanics can provide an absolutely secure reduction for the QRO model.

11.1 Quantum Random Oracle Model for Quantum Digital Signature

217

In the quantum-accessible random oracle model for post-quantum cryptography, an adversary with the quantum end-user machine is allowed to issue random oracle quantum queries, i.e., exponential number of queries in superposition states. The difficult point for reduction lies in the fact that the reduction algorithm must evaluate RO at all points in the superposition. To provide an indistinguishable output under this powerful query, Boneh et al. [6] assumed there exists a quantum-secure pseudorandom function (QPRF) which ensures that random oracle queries are answered consistently across queries. Thus, cryptographic protocols can be proven secure by means of history-free reductions related to the existence of QPRF. Their work gives an important hint of construction of the QRO model considering quantum queries. Furthermore, Definitions 1 and 2 give the detailed description of related quantum query and quantum oracles [9]. Definition 1 Quantum chosen message query is the transformation  m

ψm |m →



ψm |m, S (k, m)

m

where S (k, m) is the signature on m using signing key k. An attacker can sample the response to such a query and obtain one valid messagesignature pair. After q such queries, it can obtain q valid message-signature pairs. Definition 2 An oracle O : X → Y is implemented by a unitary transformation O where O |x, y, z = |x, y + O(x), z where + : X × X → X is some group operation on X . Suppose there is a quantum algorithm that makes quantum queries to oracles O1 , . . . , Oq . Let |ψ0  be the input state of the algorithm, and let U0 , . . . , Uq be the unitary transformations applied between queries. Note that the transformations Ui are themselves possibly the products of many simpler unitary transformations. The final state of the algorithm will be Uq Oq · · · U1 O1 U0 |ψ0  We can also have an algorithm to make classical queries to Oi . In this case, the input to the oracle is measured before applying the transformation Oi . We call a quantum oracle algorithm efficient if the number of queries q is a polynomial in the size of its input, and each of the transformations Ui between queries can be written as the product of polynomially many unitary transformations from some fixed basis set. (2) How to redescribe a protocol for ? Redescribing a protocol means to formally define the parameters for the protocol and the queries for modeling an adversary’s

218

11 Security Analysis Based on Quantum Random Oracle Model

capability. A similar description has been given in the Refs. [5, 24]. In the RO model, an adversary interacts with players by making various queries to RO, such as “Send query” and “Hash query” [24]. Modifications of such queries can be made for the security proofs in the QRO model. (3) What is the specific security for quantum cryptographic protocols? For security definition of the signature scheme, existential forgery under chosen message attack is always considered [9, 25]. Chosen message attack means that an adversary cannot produce q + 1 valid message-signature pairs with q chosen message queries. (4) How to prove the security of quantum cryptographic protocols by reduction? Reduction means that if an adversary wants to break the security of a protocol, a challenger can take advantage of the adversary’s capability to solve the hard problem  by controlling the random oracle and providing indistinguishable output. Considering the superposition quantum query for reduction algorithm, Zhandry [7] provided the related definition and the lemma which allows for the efficient simulation of an exponentially-large list of samples given only a polynomial number of samples. Definition 3 Fix sets X and Y and a distribution D on Y. Fix an integer r. Let y = (y1 , y2 , . . . yr ) be a list of r samples from D and let P be a random function from X to [r ]. The distributions on y and P induce a distribution on functions H : X → Y defined by H (x) = y P(x) . This distribution is called a small-range distribution with r samples of D. Lemma 1 There is a universal constant C0 such that, for any sets X and Y, distribution D on Y, any integer , and any quantum algorithm F making q queries to an oracle H : X → Y, the following two cases are indistinguishable, except with probability less than C0 q 3 /l – H (x) = yx where y is a list of samples of D of size |X |. – H is drawn from the small-range distribution with  samples of D.

11.1.5 Quantum Random Oracle Model for QDS Different from classical RO model and prior QRO model (precisely, quantumaccessible random oracle model), our objective is to construct a new QRO model for quantum cryptographic protocols. Considering the possible quantum collision problem resulted from quantum measurement, we assume that there exists a collision-free quantum one-way function and use QRO to model it by requiring that different quantum states produced by QRO are distinguishable when QRO measures. Since an adversary may have access to all quantum states, we assume all parties, including sender Alice, recipient Bob and adversary A, query QRO for classical random bits, quantum one-way function outputs and quantum states comparison results. For a quantum adversary, this QRO can respond consistently to quantum superposition query like the quantum-accessible oracle [9]. We also assume that quantum states are transmitted without interference.

11.1 Quantum Random Oracle Model for Quantum Digital Signature

219

Definition 4 A quantum random oracle is a tuple of efficient algorithms   G, Hq , Measur e where: G: for any input of a classical bit-string m, it outputs a random bit-string k = {0, 1}k . Hψ : for any input of a classical bit-string k = {0, 1}k , it operates ψ : {0, 1}k → H⊗s , to generate distinguishable quantum states |ψk i , where H⊗s = H1 ⊗ · · · ⊗ Hs is a 2s -dimensional Hilbert space made up of s products of single-qubit spaces Hi2 . Measur e: any qubits |ψk i ,|ψk j  QRO generates are distinguishable when QRO measures, i.e., | ψk i |ψk j |2 = ε, where ε is negligible for i = j. We illustrate these three parts of QRO in Fig. 11.1. Proposition 1 Quantum random oracle can respond consistently to quantum queries  ψm |m by mapping X → Y m   O(m, k) : ψm |m → ψm |m, k, m

m

where k is a random bit-string on m. Then it samples r times from some distribution on X such that, for every m and k, O(m, k) is uniformly distributed on Y. Proof Let r be some integer to be chosen later. Replace X with small-range distributions of r samples on Y. Lemma 1 shows that an adversary can distinguish X with Y with probability less than C0 q 3 /r . Thus, we use r samples of a small-range Y to replace r samples of an exponentially-large range X with distinguishable probability less than C0 q 3 /r , which facilitates the quantum random oracle to respond to a quantum query with suitable r . Proposition 2 Quantum random oracle can accurately match classical secret keys with corresponding quantum public-keys. Proof A quantum one-way function transforms an input of classical bit-string to an output of quantum states. A forgery of signature can be made when an adversary finds out a collision error, i.e., different quantum states pass the test of equality by measurement. In case of possible quantum collision error, we use a quantum random oracle to generate collision-free quantum states |ψk i  as Definition 4:

220

11 Security Analysis Based on Quantum Random Oracle Model

| ψk i |ψk j |2 = ε,

(11.1)

where ε is negligible for i = j. Equation 11.1 implies that all quantum states generated by QRO vary with different classical inputs and can be measured by QRO accurately, so this quantum random oracle can accurately match classical secret keys with corresponding quantum public-keys. In order to prove whether a QDS scheme is resistant to a chosen message attack, even when an adversary submits quantum superpositions of messages, we need a suitable definition of QDS scheme in the QRO model. Definition 5 A quantum digital signature scheme is a tuple of (G, Sign, Verify) algorithms called generator, signing algorithm, and verifying algorithm, respectively. Generator G: On inputting a bit-string 1k , the generator randomly produces a classical secret key k. Signing algorithm Sign(m, k): To sign a message m, QRO operates | f k  ← H (m, k) to generate a public key of quantum state | f k . Verifying algorithm Verify (k, | f k ): To verify a signature pair (k, | f k ), QRO takes quantum measurement Verify (k, | f k ) ∈ {0, 1}. It must be the case for all | f k  ∈ H (m, k), Verify (k, | f k ) = 1. In contrast to core algorithms of classical digital signature scheme, QDS generates a public-key of quantum states in the Signing algorithm, and the verifying algorithm is measurement rather than computation.

11.1.6 Analysis Procedure As mentioned in Sec.II, the security analysis of quantum cryptographic protocols in QRO follows the procedure: (1) Define a hard problem , (2) Redescribe the quantum protocol for , (3) Define the specific security for the quantum protocol, (4) Prove the security of the quantum protocol by reduction. Phases (1) and (3) are related to specific quantum protocols. For example, the three-party quantum key distribution protocol [24] chooses UCB assumption as a hard problem for the authenticated quantum key distribution security. Here we use no-cloning theorem as a hard problem for the provable security of a QDS scheme. Phases (2) and (4) are common for all quantum cryptographic protocols, just as in classical cryptography [1, 5, 9]. Formal queries need to be defined in phase (2) for modeling an adversary’s capability and proving security. Here we take the QDS scheme [11] described in related works as an example for security analysis. A. Hard problem in the QRO model For quantum cryptographic protocols, we choose no-cloning theorem, one of the foundations of quantum cryptography, to be the hard problem  for reduction. Nocloning theorem indicates that it is impossible to create an identical copy of an

11.1 Quantum Random Oracle Model for Quantum Digital Signature

221

arbitrary unknown quantum state. Note that we carry out security reduction relative to quantum physical property instead of the existence of collision-free quantum oneway function. For example, consider a QDS scheme, we prove it to be unforgeable for quantum adversaries by a reduction to no-cloning theorem. We can claim that the QDS scheme is unforgeable as long as violating no-cloning theorem is infeasible even when an adversary has quantum access to random oracle. This technique works well whenever we can assure the success of the adversary A. B. Description of the QDS scheme Since an adversary interacts with players by making various queries to QRO, we formulate specific queries to describe the QDS scheme [11]. According to Proposition 2, QRO can correctly match secret keys and public keys. So the number of incorrect keys s j is equal to 0. Then we do not need the acceptable or transferable boundaries. Here we present the QDS scheme with a single key pair. (1) Message query qmessage {Alice}: All parties are allowed to know whether Alice has sent a message b to QRO or not. If Alice sends the message, QRO sends (b, kb ) back. Otherwise, it outputs (l + 1)-bit zeros (1-bit message and l-bit secret key). Since classical channel cannot guarantee message not being tapped, we use this query to model the process that A eavesdrops message and secret keys via classical channel. The worst case is that A fully accesses message and secret key, i.e., QRO directly returns b and kb . (2) Signing query qsign {b}: Anyone could ask QRO for quantum digital    signature for b. QRO operates quantum one-way function to output key pairs kb ,  f kb . This query models the process that a signer (Alice) generates secret keys of classical bits and public keys of quantum statesfor every message bit b.  (3) Sending query  q send {b, kb , f kb , Bob}: To transfer a signature to Bob, Alice  sends   qsend {b, kb , f kb , Bob} to QRO. QRO sends a secret key kb and a public key  f k to Bob. In this query, a signer can choose a secret key and a public key to a b recipient, which models an adversary’s forgery attack. Besides, A might practically intercept the key pair, measure it and resend the tampered keys to Bob. This scenario also changes the key pair and can be modeled by sending query.     (4) Verifying query qveri f y {kb ,  f kb }: Bob sends QRO the key pair kb ,  f kb he received to verify the signature. If the pair is validated by quantum states measurement, QRO returns 1. Otherwise it returns 0. QRO records the verifier’s identity and verification result. This query models the verifying phase that recipients compare the quantum states they received with the quantum states generated according to the secret key. (5) Accepting query qacc {Bob}: If the record value in verifying query is 1, i.e., the signature is valid, then QRO returns 1. Otherwise, it returns 0. Through this query, Alice can make sure whether her signature is accepted and adversary A can figure out whether his attack is successful. Different queries related to corresponding parts of QRO are shown in Fig. 11.1. Based on these specific queries, we present the execution of the QDS scheme [11]. (1) Alice sends 1-bit message  with qsign {b} query and gets corresponding  to QRO secret keys and public keys kb ,  f kb .

222

11 Security Analysis Based on Quantum Random Oracle Model

qmessage Eavesdropping

QRO

Alice

 b, k b 

b

k , b

H

qacc

{0,1} User



b, kb , f kb , Bob

kb , f kb

qverify

f kb

qsign

qsend

Forgery attack Intercept-resend attack

Measure

{0,1}

Fig. 11.1 QRO model

      f k , Bob}. q (2) Alice sends Bob the key pairs kb ,  f kb by {b, k , send b b   (3) Bob makes a query, namely qveri f y {kb , f kb } to verify the signature he received. Then QRO records measurement result for next Accepting query. C. Definition of security in the QRO model Definition 6 A quantum digital signature scheme (G, Sign, Verify) is existentially unforgeable under quantum chosen message attacks (QCMA-secure) if, for any efficient quantum algorithm F and any polynomial q (in the input of the quantum algorithm), F’s probability of success in the following game  is negligible  f k ← H (m, kb ) to generate G, then operates Key Gen. A challenger runs k b ← b    a public key of quantum states  f kb and gives  f kb to F. Signing Queries. An adversary makes a polynomial q chosen message queries. For each query, the challenger responds by signing each message in the query by mapping X → Y,   ψm |m → ψm |m, k O(m, k) : m

m

Forgeries. The adversary is required to produce q + 1 message-signature pairs. The challenger then measures that all signatures are valid and all message-signature pairs are distinct. If so, the challenger reports that the adversary wins. D. Proof of security in the QRO model Theorem 1 Assume an adversary A has algorithm F and queries QRO for quantum state signature. A breaks the QCMA-security if A inputs an inconsistent pair of secret

11.1 Quantum Random Oracle Model for Quantum Digital Signature

223

key and public key that QRO cannot distinguish with non-negligible probability. Then a challenger takes advantage of A to clone quantum states. If quantum states cannot be cloned perfectly, then the signature is QCMA-secure in the quantum random oracle model. Proof We can use QRO  to construct a signature on any given message b and output the signature kb ,  f kb . Then we prove this QRO can respond to a classical chosen message attack when A is only given a polynomial number of signatures on random messages. If A intends to forge a signature, A queries qmessage {Alice} to identify whether Alice has sent the message b to QRO. Then A gets the message and secret key q times queries of qmessage {Alice}, A gets q pairs of message and (b, kb ). Through   secret key bi , kbi , 1 < i < q. A runs the algorithm  F to produce a message b .  the secret key of A queries qsign {b } to get q + 1 key pairs kb ,  f kb . A sends     b and the public key  of b to Bob through qsend {b , kb , f kb , Bob} query. Then A sends qveri f y {kb ,  f kb } query to figure out whether his attack is successful. If QRO outputs 1, A successfully makes a forgery attack with non-negligible   probability ε. Therefore, a challenger could use kb to clone quantum states  f kb with probability ε, which violates quantum physical property. Furthermore, if the adversary is armed with a quantum computer and issues quantum chosen message queries, each of the exponentially many messages in the query superposition are to be signed. Therefore, using the above technique directly would require an exponential number of random values for quantum one-way function. To avoid exponential quantum states needed, we use the technique of small-range distributions and Lemma 1 to reduce the number of signed messages required to a polynomial. Let A be a quantum adversary breaking the QCMA-security of signature with non-negligible probability ε. The idea of security proof is a slight modification to Boneh’s work [9] that the contradiction lies in violating quantum physical property instead of hash collision-resistance property. The security of the scheme is proved through a sequence of games in QRO. Game 0. A issues qmessage {Alice} query and receives q pairs of message and  secret key b, kbi , 1 < i < q. A is allowed to make a polynomial number of quantum chosen message queries. For query i, the challenger runs random generator G, and responds to each message in the query superposition as follows: – Let kbi = G (i) (b).

   – Operate quantum one-way function  f kbi = Hψ (kbi ).  

 – Respond with the signature kbi ,  f kbi .

 

 In the end, A must produce q + 1 distinct pairs kbi  ,  f kbi such that verifying    query qveri f y {kbi  ,  f kbi }= 1. By definition, A wins with probability ε, which is nonnegligible. Therefore, there is some polynomial p = p(λ) such that p(λ) > 1/ε(λ) for infinitely-many λ. Here λ is the input of G.

224

11 Security Analysis Based on Quantum Random Oracle Model

  1. We modify the condition in which A wins by requiring that no two pairs  i Game k ,  f k i form a collision error for H in QRO. Then A succeeds in Game 1 with probability at least ε − negl. Game 2. Let  = 2C0 qp where C0 is a constant from Lemma 1. At the beginning   ˆ (i) = f and let of the game, for i = 1, . . . , q and j = 1, . . . , , sample values kˆ (i)  j k j

Hψ (kˆb(i) ). Also pick q random  functions   Oi to  map m to  according to Proposition 1. ˆ  (i) (i) ˆ Then let km = k Oi (m) and  f km(i) =  f k (i) . The difference between Game 1 and Oi (m)    Game 2 only lies in the generation of km(i) and  f km(i) by q small-range distributions on  samples. Each of the small-range distributions is only required once, so Lemma 1 implies that the success probability is still at least ε − negl − 1/2 p. ∗ ∗ If the adversary   wins in Game 2, it produces two secret keys kb , kb on a same  public-key  f kbi . Then a challenger could produce same quantum states with probability ε − negl − 1/2 p. The quantum states produced by QRO are distinguishable, which implies this quantity is negligible, thus ε − 1/2 p is negligible. Since ε > 1/ p infinitely often, 1/2 p < negl infinitely often, there exists a contradiction. So ε is negligible. In this section, we formulate Message query, Signing query, Sending query, and Verifying query, etc. These queries are used to model an adversary’s possible attack such as eavesdropping, forgery attack, and intercept-resend attack. Then we give a general definition of QCMA-security for the QDS scheme based on quantum one-way function. Through a series of games, we prove the QDS scheme is QCMA-secure even under quantum chosen message attack by a reliable reduction to no-cloning theorem.

11.1.7 Discussion In the original security model [11], the QDS scheme is proved informationtheoretically secure, which relies on significantly large security parameter. An adversary may use the collision-type error to easily pass the verifying phase, while the original security model does not provide the related analysis. Apart from informationtheoretical security, we can provide the provable security of quantum cryptographic protocols, e.g., the unforgeable security of QDS. In the new QRO model, we prove the QCMA-security of a QDS scheme via a series of indistinguishability games, even if an adversary has quantum access to QRO. We use different queries to model different attack scenarios, including the collision case. The QRO model can be used to simplify quantum cryptographic protocols based on quantum one-way function and testify its security on every step. When QRO is instantiated, we can analyze special attack scenarios and define the similar security parameter to protect its security.

11.1 Quantum Random Oracle Model for Quantum Digital Signature Table 11.1 Comparison with different RO models Comparison items RO model Quantum-accessible random oracle model

225

QRO model

Model

Hash function

Hash function

Assumption

PRF

QPRF

Response to quantum query Form of signature Reduction

No

Yes

Quantum one-way function Collision-free measurement Yes

Classical PRF etc.

Classical LWE, QPRF, etc.

Quantum No-cloning theorem

Furthermore, in contrast to the classical RO model, QRO is used to model quantum one-way function to analyze the provable security of QDS scheme. Considering the vague-defined and not yet implemented quantum hash [26], we select a broader concept, namely quantum one-way function, to be a modeling object. In the QRO model, collision-free measurement assumption replaces computational hardness assumption of pseudorandom function (PRF) in the RO model. A new function is added to QRO that it cannot only respond to the quantum state queries, but output signatures of quantum states. Unlike the prior quantum-accessible random oracle model [6] which relies on classical hard problems such as learning with errors (LWE) problem and the assumption of QPRF against quantum adversaries, we use no-cloning theorem as a hard problem for reduction. In addition, we use queries to QRO to model an adversary’s capability. Comparison among different RO models is summarized in Table 11.1.

11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption 11.2.1 Instantiation of Quantum Random Oracle Model Different from famous quantum key distribution (QKD) protocols [27], a new cryptographic primitive, namely quantum hash function, has been considered by researchers for cryptographic protocols with higher level of security. The quantum hash function maps a classical bit-string to a quantum state. Due to the accountability of unknown quantum states, quantum hash functions were first used to design unforgeable quantum digital signatures [28] and quantum fingerprints [29]. Then quantum public-key encryption (QPKE) schemes also made use of the uncloneablility [30, 31], regarding secret keys as the trapdoor information. In 2014, Ablayev et al. [32] for the first time gave a rigorous definition of quantum hash function. They subsequently discussed

226

11 Security Analysis Based on Quantum Random Oracle Model

several constructions of quantum hash function [33]. Recent works on quantum hash function include new ways of constructions [34] and its applications [35]. However, there are still some open problems in the field of quantum hash functions. In the previous researches, some of quantum hash functions are given concrete constructions of quantum circuits [29–31, 33], while others are only used as a black box [28]. For the existing and future protocols which use quantum hash functions as secure subprograms (and do not care about how exactly they are instantiated), we do lack an ideal model of such quantum hash function for further analysis and design. Previous security analyses of quantum cryptographic protocols mainly concentrate on scenario quantum attacks, i.e., only limited types of attack are analyzed [30, 31]. Such analysis of diverse quantum attacks is not general enough to prove the security of quantum cryptographic protocols, and a more precise and generic tool is needed for the protocols using quantum hash functions to perform provable security analysis. A new type of QRO which can model a quantum hash function is such an efficient tool to solve these problems. A well-defined QRO can reasonably simulate a quantum hash function in terms of protocol designing. The attempt of constructing a QRO model has been made in [36] for cryptanalysis of quantum digital signature (QDS). In this section, we generalize the construction and property of the QRO model, and redefine the QRO model to analyze the security of quantum hash based QPKE against key-collision attack [37]. Concretely, we introduce a paradigm of security analysis in the QRO model, and give the instantiation method of the QRO model for quantum cryptographic protocols, i.e., how to replace the QRO with an appropriate quantum hash function.

11.2.2 Quantum Hash Function Unlike classical cases where the security analysis relies on computational assumption, the security of quantum hash functions is guaranteed by quantum physical laws. A quantum hash function takes a classical bit-string as an input and outputs a quantum state of fixed length. It also has its one-wayness and collision-resistance. Similar to the classical case, the one-wayness of a quantum hash function requires that the input of a classical bit-string cannot be deduced from the output of quantum states [32, 33]. The no-cloning theorem avoids an adversary obtaining a large enough number of an unknown hash value. Thus, the one-wayness can be guaranteed by Holevo bound [38], i.e., no more than O(s) bits of information can be learned from s qubits. According to the Holevo bound, the one-wayness condition holds when the length of an input is much larger than that of an output. As for collision-resistance, a quantum hash function becomes more complicated and very different from its classical counterpart. Since the Hilbert space is an infinite field (while a set of bit-strings with fixed length is a finite one), we can easily design a quantum hash function that is mathematically an injective function, i.e., there is no collision according to its definition. However, when comparing two quantum states

11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption

227

or recovering classical information from a quantum state, one will introduce measurement operations, which could lead to collision-type errors. Now the ‘collision’ refers to the case where quantum hash values are measured to be identical while they are actually different. The probability of this collision is closely related to the inner product of two quantum states. Thus, for the collision-resistance condition, the outputs of a quantum hash function are required to be nearly orthogonal [32, 33]. Based on the above considerations, the quantum hash function is defined as follows: Definition 7 (quantum hash function [33]) Let  > 0 and δ > 0. We call the function ψ : {0, 1}n → (H2 )⊗s a (, δ)-quantum hash function if the following conditions hold •

One-wayness: for any quantum algorithm A, the probability of finding a preimage of ψ is bounded by : Pr[A(ψ(x)) = x] <  (11.2)

•

 Collision resistance: for any different √ pair (w, w ), the norm of the inner product of their hash value is bounded by δ, then the probability that two different hash values are measured to be identical is bounded by

Pr[Measur e(|ψ(w)) = Measur e(|ψ(w ))] =| ψ(w)|ψ(w )|2 < δ

(11.3)

11.2.3 Quantum Public-Key Encryption QPKE protocols can be qubit rotations-based [30, 31], knapsack-based [39] or fullyflipped-permutations-based [40]. Some of them [30, 31, 40] can be abstracted as ones that bases on a quantum hash function in which the secret key and the plaintext are classical, while the public key and the ciphertext are quantum states. This type of QPKE can be described as follows: Definition 8 The QPKE protocol based on a quantum hash function ψ consists of 3 steps •

Key-generation Gen: the key-generation Gen outputs the secret key sk ∈ {0, 1}n , then generates s-qubit public key | pk by using the quantum hash function ψ Gen(1n ) = sk, | pk = ψsk |0⊗s

•

(11.4)

Encryption Enc: for the plaintext m ∈ {0, 1}, Enc probabilistically encrypts m with the public key | pk and outputs s-qubit ciphertext |c |c = Encm | pk = Encm · ψsk |0⊗s

(11.5)

228

•

11 Security Analysis Based on Quantum Random Oracle Model

Decryption Dec: for the ciphertext |c ∈ (H2 )⊗s , Dec deterministically decrypts |c with the secret key sk  . Since the Dec is a quantum algorithm, we introduce a tracing-out operator of the Dec’s output to get 1-bit plaintext m  |m   = Tr s−1 [Decsk  |c] = Tr s−1 [Decsk  · Encm · ψsk |0⊗s ]

(11.6)

then the measurement on the base vector {|0, |1} can output a classical m  . The quantum algorithms Enc and Dec are designed based on the quantum hash function ψ, obeying the following rules •

Enc and ψ are commute, i. e., [Enc, ψ] = Encψ − ψ Enc = 0

(11.7)

•

When the public-key | pk = |0⊗s , the last qubit of the output of Enc becomes the base vector (11.8) Tr s−1 [Encm · |0⊗s ] = |m, m ∈ {0, 1}

•

Dec reverses ψ

−1 Decsk = ψsk

(11.9)

These three rules guarantee that decryption with the correct sk outputs the original m |m   = Tr s−1 [Decsk · Encm · ψsk |0⊗s ] = Tr s−1 [Decsk · ψsk · Encm |0⊗s ] = Tr s−1 [Encm |0⊗s ] = |m

(11.10)

Note that the probabilistic encryption algorithm Enc can be the one that randomly parity-codes the plaintext m then encrypts the codeword. This strategy was suggested against forward-search attack in [31]. The security notions defined in [41] can help with the cryptanalysis of the QPKE protocols. In the quantum chosen plaintext attack (qCPA) model, (constant) C copies of the public-key are fed to the adversary, so it can invoke the encryption oracle with | pk for at most C times. The security under qCPA is defined as follows: Definition 9 (indistinguishability under qCPA) A QPKE protocol is indistinguishable [41] under qCPA, if for any quantum adversary A, for every plaintext pair (m x , m y ), the following difference of probability |Pr[A(| pk ⊗C , Encm x | pk ) = 1] −Pr[A(| pk ⊗C , Encm y | pk ) = 1]| is negligible.

(11.11)

11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption

229

11.2.4 QPKE in the QRO Model In this section, we analyze the security of QPKE in the QRO model. We firstly, define the QRO so that it can simulate cryptographic procedures of QPKE. Then we describe the QPKE protocol in the QRO model by defining the adversary-challenger game with the random oracle. Finally, we give a paradigm of security proof for QPKE in the QRO model. Herein, we introduce a new type of attack, namely key-collision attack. Analysis demonstrates that the property of QRO must be satisfied to prevent from this attack. A. Re-definition of the QRO model We make reasonable adjustments to the first “classical-quantum” random oracle in Definition 4. Firstly, we remove the classical random number generator G in Definition 4. This part of QRO simulates the secret key generation step in a protocol, but the input of a message m is unnecessary. In fact, the secret key is generated locally in the QPKE or the QDS protocols, and this step will not be explored in any classical or quantum communication. Removing G does not violate the security proof in [36]. We mainly focus on the possible attacks to quantum hash functions. So the classical random number generator G is removed in our QRO model. Then we remove the decision part Measur e in Definition 4 and describe the distinguishability as the property of QRO instead. The expression is identical in security proof, while the re-description of the distinguishability is more natural and simplifies the QRO model. Finally, we add a C-restriction of the QRO, i.e., if the QRO is invoked by the challenger, it only generates at most C copies of the output. This restriction reflects the fact that the adversary can only intercept limited copies of the unknown public key due to the no-cloning theorem. According to the above considerations, we re-define the QRO as follows: Definition 10 (quantum random oracle) A quantum random oracle is an efficient algorithm Hq that satisfies the following properties • When queried with a classical bit-string k ∈ {0, 1}n , Hq randomly and consistently generates s-qubit quantum states |Hq (k) ∈ (H2 )⊗s . • Any pair of outputs of Hq with different inputs is nearly orthogonal | Hq (w)|Hq (w  )| < δ

(11.12)

where δ is negligible in n. • If Hq is invoked by the challenger with any input k, it responds for at most C times for the same input. In the next sections, the QRO in Definition 10 will be utilized for security analysis. We denote that the corollaries in [36] still hold in the adjusted QRO model.

230

11 Security Analysis Based on Quantum Random Oracle Model

B. Description of the QPKE protocol Here we present the QPKE protocol in the QRO model defined in definition 10. The adversary-challenger game is defined as follows: Definition 11 (the adversary-challenger game) The adversary-challenger game of the QPKE protocol in Definition 8 consists of the following three phases Phase 1. The Challenger runs Gen(1n ) to get secret key sk. Then it queries QRO Hq with sk. The QRO gives at most C copies of |Hq (sk) to the adversary. Phase 2. The adversary in this phase can query the challenger with message-key pairs (m i , |Hq (ki )). The challenger encrypts the messages with the corresponding public key and returns the ciphertext Encm i |Hq (ki ) to the adversary. The number of this query is denoted by qenc . The adversary can generate arbitrary many of its own public keys by querying QRO. So the public key it supplies to the challenger can be the limited ones it gets in Phase 1, or arbitrary many of its own keys generated in Phase 2. The number of the adversary querying QRO in this phase is denoted by qr o . Obviously, we have qenc ≤ qr o + C. Phase 3. The adversary chooses two distinct plaintexts (m 0 , m 1 ). The challenger encrypts one of them with its public key |Hq (sk) and returns Encm b |Hq (sk), b ∈ {0, 1}. Then the adversary outputs a single bit b ∈ {0, 1}. The advantage of the adversary is denoted by the probability that b = b : 

1 AdvqCPA (adver sar y) = 2 Pr[b = b ] − 2 

(11.13)

The adversary-challenger game is shown in Fig. 11.2. The challenger wins the game if the adversary’s advantage is negligible beyond 21 . In this case the QPKE protocol has ciphertext indistinguishability under qCPA according to Definition 9. C. Security of the QPKE protocol Theorem 2 The QPKE protocol in Definition 8 has ciphertext indistinguishability under qCPA in the QRO model. Proof We start with regular analysis as it is in the classical case where the adversary attempts to get a secret key sk. Let A be the event that the adversary asks the query sk in Phase 2 of the game. If A happens, the adversary can decrypt Encm b |Hq (sk) in Phase 3 with probability 1 according to the consistency of Definition 8. But in the game, |Hq (sk) is randomly generated by QRO and independent from sk. Thus, no public information is related to sk. The probability that the adversary obtains sk is that it asks sk in qr o queries, i. e., the event A happens. When A does not happen, the adversary faces qenc pieces of ciphertext. Recall that the public keys are generated independently and randomly. The state of the entire possible public keys indicates maximum mixed state ρ pk =

I⊗s . 2s

(11.14)

11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption

231

Fig. 11.2 The adversary-challenger game

The ciphertext is generated from the public key by a completely positive map Encm ρ pk → ρc = Encm ρ pk Encm† .

(11.15)

The mixed state ρc stays maximally mixed under the encryption operator, i. e., ρc = I⊗s . Hence, the adversary cannot distinguish from distinct messages. 2s Based on the above considerations, the advantage of the adversary Pr[b = b ] =Pr[A] · Pr[Encm b |Hq (sk) = Encm b |Hq (ki )|A] +Pr[A] · Pr[b = b |A] qr o qr o 1 ≤ n · 1 + (1 − n ) · 2 2 2 qr o 1 1 = + = + negl(n) 2 2 · 2n 2

(11.16)

Now we consider two special attacks only possible in the quantum world. The first attack is so-called ‘forward-search’ attack [31]. This type of attack is invalidated by randomization as mentioned in Definition 8. The second attack is a collision-type attack. Consider a quantum obtaining the key-generation algorithm Gen without the secret key sk. By Randomly guessing

232

11 Security Analysis Based on Quantum Random Oracle Model

secret key, he/she probably gets a wrong public key |Hq (sk  ). This wrong public key |Hq (sk  ), however, may help the adversary distinguish the ciphertext encrypted with the right key sk in the game due to the probabilistic measurement. This is a collision-type attack and is called here a key-collision attack. In the quantum hashbased QPKE, the key-collision attack is possible only when the possible public keys are non-orthogonal. Definition 12 A key-collision attack on QPKE helps the adversary distinguish the ciphertext in the game. An adversary undertakes this attack by randomly guessing sk  , generating ciphertext Encm b |Hq (sk  ), and comparing it with the challenge ciphertext Encm b |Hq (sk). Theorem 3 If the inner product of two distinct public keys | pk| pk  | is negligible, then QPKE in the QRO model is secure under the key-collision attack. Proof Note that distinct public keys are near-orthogonal according to definition 10, i.e., |(Hq (ki )|Hq (k j ))| = δ where δ is negligible. For comparing technique of SWAPtest [32], the probability that the adversary can distinguish the challenger’s ciphertext with a wrong secret key sk  is 1 PrSWAP [b = b ] = (1 + |(Encm b |Hq (sk  ), Encm b |Hq (sk))|2 ) 2 1 = (1 + | Hq (sk  )|Hq (sk)|2 ) 2 1 1 1 = + δ 2 = + negl(n) 2 2 2

(11.17)

By means of partial-trace and measurement, the adversary can obtain |m with only negligible probability δ 2 . Since the ciphertext can only be decrypted once, the QPKE is secure under the key-collision attack. In the QRO model, the key-collision attack is impossible since the outputs of QRO are nearly orthogonal. When realizing the QRO, the corresponding property of quantum hash function must be considered. Detailed discussions about this attack will be described in the latter instantiation.

11.2.5 Instantiation of QRO for a Bad and a Good Example Both in classical and quantum circumstances, the instantiation of the RO model with a concrete hash function is crucial for the practical analysis of cryptographic protocols. In this section, we will discuss what kind of quantum functions is suitable for the instantiation of QRO. We give a qubit rotation-based function and a quantum fingerprinting-based one as examples. For the former, it is a bad attempt of instantiation because of the non-orthogonality of its outputs. The adversary can decrypt a

11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption

233

ciphertext with non-negligible probability even without a secret key. For the latter, it is a (, δ)-quantum hash function and thus suitable for the instantiation of QRO. A. A bad example: single-qubit rotation The QPKE protocol based on single-qubit rotation is presented in [30], and randomized against forward-search attack in [31]. In this scheme, the QRO is instantiated by a single-qubit rotation around y-axis in the Bloch-sphere, where the rotating angle is determined by the secret key. A probabilistic QPKE protocol based on single-qubit rotation is described as follows: Scheme 1: The QPKE protocol based on single-qubit rotation [31] consists of three steps •

Key-generation Gen: Gen chooses a random n-bit-string sk = k1 k2  . . . ks ∈ {0, 1}n with each k j chosen independently from Z2n/s (suppose s divides n). Then ˆ j ) on each Gen prepares s qubits of |0z ⊗s and performs a rotation operation R(k πk j πk j s of the jth qubit to obtain ⊗ j=1 (cos( 2n/s )|0 + sin( 2n/s )|1). Here the rotation operation   πk j πk j ˆ (11.18) R(k j ) = cos n/s |0 + sin n/s |1 2 2 πk

•

|c = ⊗sj=1 (cos( •

πk

The secret key is sk and the public key is | pk = ⊗sj=1 (cos( 2n/sj )|0 + sin( 2n/sj )|1). Encryption Enc: for the plaintext m ∈ {0, 1}, Enc probabilistically parity-codes m into s-bit codeword w = w1 w2 . . . ws , then Enc encrypts w by rotating jth qubit of the public key with the angle πw j πk j πk j + πw j )|0 + sin( n/s + πw j )|1) 2n/s 2

(11.19)

Decryption Dec: for the ciphertext |c, Dec decrypts |c by rotating jth qubit πk of |c with angle − 2n/sj and gets ⊗sj=1 (cos(πw j )|0 + sin(πw j )|1)

(11.20)

then applies CNOT gate where the first s − 1 qubits are the control qubits. Now the last qubit becomes |w1 ⊕ w2 ⊕ · · · ⊕ ws  = |m.

(11.21)

The measurement on the base vector {|0, |1} can output a classical m. When the QRO is instantiated, the secrecy of sk is guaranteed by Holevo bound. According to the Holevo-Nayak bound [42], the secret key sk is secure against any adversary when

234

11 Security Analysis Based on Quantum Random Oracle Model

Pr[A(| pk⊗C ) = sk] < 2 log2  ⇒s< C

2sC 0, there exists a set K = {κi } such that | h(k)|h(k  )| < δ

(11.30)

for any distinct pair of (k, k  ). From Lemma 2, we know that public keys of any distinct pairs (k j , k j ) are nearorthogonal with properly selected {κ1, j , κ2, j , . . . , κd, j }. Since the public keys for different codewords are not entangled with each other, the inner product of any two distinct public keys is

236

11 Security Analysis Based on Quantum Random Oracle Model

| pk(k)| pk(k  )| = tj=1 | pk(k j )| pk(k j )| < δ t

(11.31)

Thus, the probability that the adversary successfully implements the key-collision attack Prkey−collision attack (adver sar y) = | pk(k)| pk(k  )|2 is bounded by δ 2t . According to a similar technique in the proof of Theorem 3, the QPKE protocol is secure against the key-collision attack.

11.2.6 Numerical Simulation of Key-Collision Attack We give the numerical results of the simulation of the key-collision attack on the aforementioned two examples of the QRO instantiation. Simulation parameters are set as follows: To make comparison of the two instantiation examples with the same consumption of quantum resource, the length of the public key n in two examples is the same, ranging from 1 qubit to 1000 qubits. Each component of the secret key in both scheme (ki , i = 1, . . . , s in Scheme 1 and k j , j = 1, . . . , t in Scheme 2 is 8 bits. Parameter d in Scheme 1 is d = 8, thus the length of the public key in Scheme 2 is n = (log2 d + 1)t ⇒ t = log nd+1 = n4 . Parame2 ters κi, j ∈ {0, 1}8 , so 8dt = 16n-bit extra memory for K = {κi, j , i = 1, . . . , d, j = 1, . . . , k} is required in Scheme 2. To simulate the key-collision attack, we assume that the difference of rotating angle of the correct public key and the attacker’s public = 216 ≈ 6%, key is less than θ = 2π5 . The probability of this attack is no less than 2θ π which corresponds to the random guess of the rotating angle of the correct public key. Fig. 11.3 shows the comparison between the adversary’s advantage over Scheme 1 and Scheme 2, and Table 11.2 specifies parameters and results when n = 100. Apparently, while increasing the length of the public key can help reduce the advantage of the adversary, Scheme 1 is vulnerable under the key-collision attack when n = 100. On the other hand, Scheme 2 performs well under the key-collision attack even with a short public key, while it requires extra storage of 1600 bits for K = {κi, j } when n = 100.

11.3 Summary In this chapter, we provided a new QRO model and a framework of security analysis procedure for the provable security of quantum cryptographic protocols based on quantum one-way function. A QDS scheme was proved QCMA-secure through a sufficiently reliable reduction to no-cloning theorem. Then we provided a new quantum random oracle model with reasonable properties for quantum hash-based QPKE protocol. We also demonstrated what kind of instantiation is suitable for the quantum random oracle and verified it by numerical simulation. We note that, while it is natural

11.3 Summary

237

1

Scheme 1 Scheme 2

0.9

0.8

adversary's advantage

0.7

0.6

0.5

0.4

0.3

0.2

0.1

0

0

100

200

300

400

500

600

700

800

900

1000

length of the public key

Fig. 11.3 Adversary’s advantage Table 11.2 Simulation result of n = 100 Parameters & Results Scheme 1 | pk sk |c d K Simulation time Adversary’s winning time Advantage

100 qubits 800 bits 100 qubits – – 1000 801 0.602

Scheme 2 100 qubits 800 bits 100 qubits 8 1600 bits 1000 522 0.044

to conceive secure QPKE schemes under quantum chosen cyphertext attack (qCCA) as in the classical circumstances, how the adversary would deal with the quantum decryption oracle which is probabilistic due to the randomness of measurement is still an open question. Further work lies in the security analysis of quantum public key cryptographic protocols under qCCA, or other kinds of quantum random oracle like “quantum-to-quantum” random oracle.

238

11 Security Analysis Based on Quantum Random Oracle Model

References 1. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (CCS) pp. 62–73 (1993) 2. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’ 96), vol. 1070, pp. 399–416 (1996) 3. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’ 96), vol. 1070, pp. 387–398 (1996) 4. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2004), vol. 3027, pp. 207–222 (2004) 5. Bresson, E., Chevassut, O., Pointcheval, D., et al.: Provably authenticated group Diffie-Hellman key exchange. In: ACM Conference on Computer and Communications Security (CCS), pp. 255–264 (2001) 6. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput. Sci. 7073(1), 41–69 (2010) 7. Zhandry, M.: How to construct quantum random functions. In: Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp. 679–687 (2012) 8. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Annual International Cryptology Conference (CRYPTO 2012), vol. 7417, pp. 758–775 (2012) 9. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Annual International Cryptology Conference (CRYPTO 2013), vol. 8043, pp. 361–379 (2013) 10. Shang, T., Lei, Q., Liu, J.W.: Quantum random oracle model for quantum digital signature. Phys. Rev. A 94(4), 042314 (2016) 11. Gottesman, D., Chuang, I.L.: Quantum digital signatures. arXiv:quant-ph/0105032 (2001) 12. Swanson, C.M., Stinson, D.R.: Unconditionally secure signature schemes revisited. In: International Conference on Information Theoretic Security (ICITS), vol. 6673, pp. 100–116 (2011) 13. Amiri, R., Andersson, E.: Unconditionally secure quantum signatures. Entropy 17(8), 5635– 5659 (2015) 14. Arrazola, J.M., Wallden, P., Andersson, E.: Multiparty quantum signature schemes. Quantum Inf. Comput. 16(5–6), 435–464 (2016) 15. Yin, H.L., Fu, Y., Chen, Z.B.: Practical quantum digital signature. Phys. Rev. A 93(3), 032316 (2016) 16. Yin, H.L., Fu, Y., Liu, H., et al.: Experimental quantum digital signature over 102 km. Phys. Rev. A 95(3), 032334 (2017) 17. Lamport, L.: Constructing digital signatures from a one-way function. Palo Alto: Technical Report CSL-98, SRI International, vol. 238 (1979) 18. Clarke, P.J., Collins, R.J., Dunjko, V., et al.: Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light. Nat. Commun. 3, 1174 (2012) 19. Dunjko, V., Wallden, P., Andersson, E.: Quantum digital signatures without quantum memory. Phys. Rev. Lett. 112(4), 040502 (2014) 20. Collins, R.J., Donaldson, R.J., Dunjko, V., et al.: Realization of quantum digital signatures without the requirement of quantum memory. Phys. Rev. Lett. 113(4), 040502 (2014) 21. Nikolopoulos, G.M.: Applications of single-qubit rotations in quantum public-key cryptography. Phys. Rev. A 77(3), 032348 (2008) 22. Seyfarth, U., Nikolopoulos, G.M., Alber, G.: Symmetries and security of a quantum-public-key encryption based on single-qubit rotations. Phys. Rev. A 85(2), 022342 (2012) 23. Koblitz, N., Menezes, A.J.: The random oracle model: a twenty-year retrospective. Des., Codes Cryptogr. 77(2–3), 587–610 (2015)

References

239

24. Hwang, T., Lee, K.C., Li, C.M.: Provably secure three-party authenticated quantum key distribution protocols. IEEE Trans. Dependable Secur. Comput. 4(1), 71–80 (2007) 25. Pointcheval, D., Stern, J.: Provably secure blind signature schemes. In: International Conference on the Theory and Applications of Cryptology and Information Security (ASIACRYPT’ 96), vol. 1163, pp. 252–265 (1996) 26. Ablayev, F., Vasiliev, A.: Quantum hashing. arXiv:1310.4922 (2013) 27. Bennett, C., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the International Conference on Computers, Systems, and Signal Processing, pp. 157–179 (1984) 28. Zhou, J., Zhou, Y., Niu, X., Yang, Y.: Quantum proxy signature scheme with public verifiability. Sci. China-Phys. Mech. Astron. 54(10), 1828–1832 (2011) 29. Buhrman, H., Cleve, R., Watrous, J., de Wolf, R.: Quantum fingerprinting. Phys. Rev. Lett. 87, 167902 (2001) 30. Nikolopoulos, G.M.: Applications of single-qubit rotations in quantum public-key cryptography. Phys. Rev. A 77(78), 156 (2008) 31. Nikolopoulos, G.M., Ioannou, L.M.: Deterministic quantum-public-key encryption: forward search attack and randomization. Phys. Rev. A 79(4), 126–136 (2009) 32. Ablayev, F., Vasiliev, A.: Cryptographic quantum hashing. Laser Phys. Lett. 11(2), 25202 (2014) 33. Ablayev, F., Ablayev, M., Vasiliev, A.: On the balanced quantum hashing. J. Phys.: Conf. Ser. 681(1), 12019 (2016) 34. Ziatdinov, M.: From graphs to keyed quantum hash functions. Lobachevskii J. Math. 37(6), 705–712 (2016) 35. Yang, Y., Xu, P., Yang, R., Zhou, Y., Shi, W.: Quantum hash function and its application to privacy amplification in quantum key distribution, pseudo-random number generation and image encryption. Sci. Rep. 6(1), 19788 (2016) 36. Shang, T., Lei, Q., Liu, J.: Quantum random oracle model for quantum digital signature. Phys. Rev. A 94, 042314 (2016) 37. Shang, T., Chen, R., Lei, Q.: Quantum random oracle model for quantum public-key encryption. IEEE Access 7(1), 130024–130031 (2019) 38. Holevo, A.S.: Bounds for the quantity of information transmitted by a quantum communication channel. Probl. Inf. Transm. 9, 3–11 (1973) 39. Okamoto, T., Tanaka, K., Uchiyama, S.: Quantum public-key cryptosystems. In: Advances in Cryptology - CRYPTO 2000, International Cryptology Conference, pp. 147–165 (2000) 40. Kawachi, A., Koshiba, T., Nishimura, H., Yamakami, T.: Computational indistinguishability between quantum states and its cryptographic application. J. Cryptol. 25(3), 528–555 (2012) 41. Koshiba, T.: Security notions for quantum public-key cryptography. arXiv:quant-ph/0702183 (2007) 42. Nayak, A.: Optimal lower bounds for quantum automata and random access codes. In: 40th Annual Symposium on Foundations of Computer Science, pp. 369–376 (1999)

Chapter 12

Security Analysis of Quantum Obfuscation

Quantum cryptography has developed some fundamental primitives such as quantum one-time pad and quantum IND (indistinguishability)-security. Compared with other terms in quantum cryptography, quantum obfuscation attracts less attention and is still in its infancy due to its difficulty in implementation and application. In this chapter, we provide a positive result of quantum obfuscation. To analyze the obfuscatability of quantum point functions, we introduce the strict definition of a quantum point function and discuss its variants of multiple points and multiple qubits. Furthermore, we discuss the application of quantum obfuscation in quantum zero-knowledge and quantum symmetric encryption. As a start of the study on quantum point functions, such work will be very useful in the future development of quantum obfuscation theory.

12.1 Obfuscatability of Quantum Point Functions 12.1.1 Development of Obfuscation Promoted by the vigorous development of computer science, cryptology became a new discipline in the 1970s. The study of cryptography has made remarkable achievements over the past few decades, especially on secure protocols and encryption methods based on complexity theory. However, there are still some problems left unsolved. As a powerful means to protect information, obfuscation can obstruct malicious analysis effectively. In software development, obfuscation is the deliberate act of creating obfuscated code, i.e., source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use one needlessly roundabout expression to compose statements. The first formal definition of program obfuscation was proposed by Hada [1], which we call a strong virtual blackbox obfuscation. Hada’s definition is modeled on a simulation paradigm and requires an attacker to learn information from the obfuscated code which can be learned by © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_12

241

242

12 Security Analysis of Quantum Obfuscation

simply accessing the function with a black-box oracle. In 2001, Barak et al. [2] first introduced the concept of obfuscation into the field of cryptography and proposed its three features as follows: 1. (Functionality) The obfuscated program has the same computational function as the original one. 2. (Polynomial slowdown) The running time of the obfuscated program cannot exceed the polynomial size of the original running time. 3. (Black-box property) Any valid message computed through the obfuscated program can be effectively computed with access to the oracle of the original program. This is a guarantee for the security of the obfuscated program, which is based on the security of simulation paradigm. They also pointed out that obfuscation will have a series of cryptographic purposes such as transforming private-key encryption into public-key encryption, removing a random oracle, etc. Unfortunately, they also proved that such an obfuscator is nonexistent. In the next few years, some positive results of obfuscation were proposed. Lynn et al. [3] discussed point functions and the simple obfuscation of combined point functions, and gave the first positive result of obfuscation theory by means of access control problem based on regular expression. After that, point functions become one of the focus problems of obfuscation theory. In 2005, Wee [4] made a more detailed study on the obfuscation of point functions and drew some important conclusions. He proved that we can construct a valid obfuscator for point functions by weakening the concept of obfuscation, although an obfuscator has certain constrains. For example, a simulated adversary must output a single bit. For such constrains, Canetti et al. proposed an obfuscator for multi-bit output point functions [5], thereafter discussed the possibility of its application in symmetric encryption [6]. In connection with obfuscation of combined point functions, they presented a concept of virtual gray-box obfuscation, which is weaker than a virtual black-box one. Also, some researches suggest that there is a certain connection between obfuscation theory and zero-knowledge [1]. Quantum obfuscation is based on the theory of quantum circuit and quantum computing. Since quantum computing theory is far from maturer than its classical counterpart, until 2014, no one had publicly published research on quantum obfuscation. At the 2014 Quantum Computing Theory Conference (TQC), Alagic et al. [7] first proposed quantum obfuscation based on quantum topological calculations. They used the specific high-dimensional expression of the braid group to compile quantum circuits into braids, and then convert it into a normal form. In 2016, Alagic and Fefferman [8] formally proposed the definition of quantum obfuscation. The quantum black-box obfuscator was first defined and proved more practicable than classical black-box obfuscator. Then they defined the quantum indistinguishable obfuscator and pointed out some possible application such as quantum-secure one-way function (qOWF) and public-key quantum money. In this chapter, we give a further discussion on quantum obfuscation, then introduce the definition and obfuscatability of quantum point functions under the

12.1 Obfuscatability of Quantum Point Functions

243

quantum-accessible random oracle model [9]. We start with reduction skills for quantum obfuscation and the obfuscator for combined quantum circuits, then we give a definition of quantum point functions. Under the quantum-accessible random oracle, we discuss the obfuscatability of quantum point function families and their variants. Finally, we discuss a probable application of quantum obfuscation.

12.1.2 Quantum Circuit Similar to classical ones, quantum circuits consist of quantum gates, which are described by the individual behavior of the state of microscopic particles, and evolve from one state to another. The unitarity is the only limitation of a quantum logic gate and each unitary matrix defines an effective quantum gate. Nielson and Chuang [10] proved that we can construct a reversible quantum gate sequence for classical computable functions. Any classical function f that has m-bit inputs and kbit outputs can be implemented on a quantum computer. Assuming that there is a quantum gate sequence U f of m + k qubits, the function f is implemented as U f : |x, y → |x, y ⊕ f (x). The quantum gate sequence U f represented above is unitary for any function f . To calculate f (x), we can apply U f to the state |x, 0. f (x) ⊕ f (x) = 0, so U f U f = I . We can combine quantum circuits together to construct a new quantum circuit. In this case, a control register is needed to decide which circuit is to be used. Formally, a combined quantum circuit denoted by C1 #C2 # . . . #Ct has a control register of logt-qubit and an input register of n-qubit. Of course, to meet the request of unitarity, all component circuits have to be of the same input size of n. Quantum polynomial time algorithm (or QPT) A is a uniform set of quantum circuits. It can also include operations of measurement and tracing out any qubit. Therefore, the input and output size can be verified according to the definition of QPT [8].

12.1.3 Quantum Obfuscation The definition of a quantum obfuscator, proposed by Alagic and Fefferman [8], is similar to its classical counterpart. Definition 12.1 A black-box quantum obfuscator is a quantum algorithm O and a QPT δ such that whenever C is an n-qubit quantum circuit, the output of O is an m-qubit state O(C) satisfying

244

12 Security Analysis of Quantum Obfuscation

1. (Polynomial expansion) m = poly(n), 2. (Functional equivalence) δ(O(C) ⊗ ρ) − UC ρUC† tr ≤ negl(n), 3. (Virtual black-box) for every QPT A there exists a QPT S UC such that |Pr [A(O(C)) = 1] − Pr [S UC (|0n ) = 1]| ≤ negl(n). When carrying obfuscation over the quantum case, the “interpreter” algorithm δ must be well explained. Since an end user (and hence also any adversary) should be in possession of a quantum computer, it is conceivable that the obfuscation result may not just be another description of a quantum circuit. Instead, the obfuscator might output a quantum state, which is then to be employed by the end user to execute a desired function in some “well-specified” manner [8]. Now we no longer have any quantum circuit description in hand, therefore, an interpreter algorithm δ must be used to execute a specific function. How to understand such a QPT δ? One may think of δ as an algorithm which is fixed once and for all for a certain state class. It is also feasible to regard the obfuscation result as a quantum state O(C) and an algorithm δ which inputs O(C) and r ho and implements the function of UC . Alagic and Fefferman [8] pointed out that all of these variants are equivalent, in the sense that a black-box quantum obfuscator of each variant exists if and only if the other variants exist. Since the interpreters are used not only when obfuscating a quantum circuit but also in some reduction skills in this work, we will set the interpreter δ to be universal, and it is conceivable to assume that we can always implement a function by producing a specific state and executing it with δ. We note that the quantum obfuscation theory is so far a relatively rough one. Many critical concepts and theorems in the classical case have not yet been well presented in quantum behavior.

12.1.4 Quantum-Accessible Random Oracle Model Bellare and Rogaway [11] proposed the classical random oracle (RO) model in 1993, which provides a rigorous reduction method of cryptographic security proof. Under such a model, all parties, namely adversaries and legal ones, have access to the same oracle R, and get random yet consistent answers. An algorithm S is denoted by S R , so long as queries to R have been made. As for quantum circumstances, security proof becomes complicated. Bennett and Brassard [12] discussed an oracle quantum Turing machine A, which responds intu a |x ◦ A(x) when called with a query tape itively a string in the entangled state x x  of superposition state x ax |x ◦ 0. It will also be useful to put the target bit b into a

12.1 Obfuscatability of Quantum Point Functions

245

√ superposition, like β = (|0 − |1)/ 2. In this case, the whole input state will be left unchanged if A(x) = 0 and will be left unchanged while introducing a phase factor 1 if A(x) = 1. Such an oracle quantum Turing machine can also be assumed as a length-preserving one, and it can be achieved by interpreting the oracle answer on the pair (x, i) as the ith bit of the function value. In this case, A is called a permutation oracle. Intuitively, a query with superposition state should also be allowed in the quantumaccessible random oracle (QRO) model. A QRO must simultaneously compute for the query at possibly exponentially many points. For post-quantum cryptography, Boneh et al. [13] gave out a key separation by presenting that a protocol is secure in the classical random oracle model while insecure in the quantum-accessible random oracle model. In this work, a QRO, when no confusion may arise, will be interpreted as a lengthpreserving oracle, which means Rq : |x, y → |x, y ⊕ R(x), where R : {0, 1}∗ → {0, 1}∗ .

12.1.5 Reduction for Quantum Obfuscation In this section, we will discuss reduction skills for quantum obfuscation and the obfuscator for combined quantum circuits. Many of our ideas come from Lynns’ work [3] on classical obfuscation theory, which helps us extend obfuscation into quantum circumstances. Definition 12.2 A quantum circuit family C is said to be obfuscatable if there is a quantum state family S, for every C ∈ C, there is a |s ∈ S such that |s = O(C). This definition is similar to its classical counterpart. Definition 12.3 A n-qubit quantum circuit family C is said to be oracle implementable relative to a n-qubit quantum circuit family D, if there exists n-qubit quantum circuits M and N , for every C ∈ C, there exists a D ∈ D such that δ(M U D (|0n ) ⊗ ρ) − UC ρUC† tr ≤ negl(n) δ(N UC (|0n ) ⊗ ρ) − U D ρU D† tr ≤ negl(n) for every valid input ρ. This relationship is called Oracle implementable relationship. Here we denote by C D such relationship of C and D. In this definition, we follow the idea of Alagics’ work that our quantum state achieves a specific function with an interpreter δ. This is consistent with the definition of a quantum obfuscator, which helps our following proof.

246

12 Security Analysis of Quantum Obfuscation

Since an interpreter is necessary in the application of an obfuscated quantum circuit, we denote δ(s ⊗ ρ) by δs (ρ), for any quantum state s and ρ. Therefore, N δ O(C) refers to a quantum circuit N with oracle access to the obfuscation of C. We note that in this circumstance, an oracle δ O(C) receives a quantum state ρ, computes δ(O(C) ⊗ ρ) and returns it to N . So, functionally, the interaction between N and δs (ρ) is exactly the same as N UC , due to the functional equivalence property defined by [8]. And N δ O(C) is also effective so long as N UC is effective, since the definition of obfuscation guarantees the polynomial property of an interpreter δ. Lemma 12.1 if C D, D is obfuscatable, then so is C. Proof Our goal is to build an obfuscation of C. Since D is obfuscatable, we set O  (D) to be an obfuscation result of any D ∈ D. Given C D, we have a quantum circuit M such that δ(M U D (|0n ) ⊗ ρ) − UC ρUC† tr ≤ negl 



Now we show that M δ O (D) (|0n ) is an obfuscation of C. Here M δ O (D) (|0n ) and  O(C) are both quantum states. According to previous discussion, M δ O (D) works  exactly the same as M U D , therefore, M δ O (D) (|0n ) satisfies polynomial slowdown and functionality. Here we prove the black-box property. For any adversary A(O(C)) =   A(M δ O (D) (|0n )), consider QPT A (M O (D) ), which runs A internally. A works as follows: 1. With an input O  (D) and a quantum circuit M, A builds a quantum circuit M O(D) . 2. Then A passes M O(D) (|0n ) to A. 3. Finally A outputs what A outputs. So we have

Pr [A (O  (D)) = 1] = Pr [A(M O(D) ) = 1].

(12.1)

Due to the black-box property of O  (D), there exists a simulator S  such that |Pr [A (O  (D)) = 1]−

.

Pr [S U D (|0n ) = 1]| ≤ negl(n)

(12.2)

Then we construct a simulator S UC from S U D . The key of this construction is to respond to the query which S  interacts with an oracle U D . Note that C D, we have a quantum circuit N such that δ(N UC (|0n ) ⊗ ρ) − U D ρU D† tr ≤ negl(n). It indicates that with a quantum circuit N and oracle access to UC , one can simulate oracle access to U D , with negligible Euclid distance. So our S UC works as follows.

12.1 Obfuscatability of Quantum Point Functions

247

Fig. 12.1 Structure of A

1. Firstly, S UC gets its input |0n , then passes it to S  . 2. For every query by which S  interacts with U D with state ρ, S UC computes δ N UC (|0n ) (ρ) and returns the result to S  . 3. Finally S UC outputs what S  outputs. In this case, we have Pr [S UC (|0n ) = 1] = Pr [S U D (|0n ) = 1].

(12.3)

Finally, according to Eqs. 12.1, 12.2 and 12.3, we have |Pr [A(M O(D) ) = 1]−

. Pr [S UC (|0n ) = 1]| ≤ negl(n)

The structures of A and S are shown in Figs. 12.1 and 12.2. So we finish our proof that M O(D) (|0n ) is an obfuscation of C.

12.1.6 Obfuscation of Combined Quantum Circuits An obfuscated quantum circuit can be idealized as oracle access to the original quantum circuit. Naturally, we want to combine different obfuscation results so as to compose a new obfuscation which also can be idealized as oracle access to the original one. We then discuss the obfuscatability of combined quantum circuits. The definition of a combined quantum circuit has been presented in Sect. 12.1.2. Here we give out some intuitive obfuscations of combined quantum circuits.

248

12 Security Analysis of Quantum Obfuscation

Fig. 12.2 Structure of S

Definition 12.4 Given an obfuscatable quantum circuit family C. If O ∗ (C1 # . . . #Ck ) = O(C1 )# . . . #O(Ck ) is an effective obfuscation of C1 # . . . #Ck for any Ci ∈ C, we say it is a simple obfuscation of combined quantum circuits C1 # . . . #Ck . Even in the classical setting, it is hard to construct a non-trivial simple obfuscation of combined circuits. However, we can define a simple obfuscation of any trivial combined quantum circuit. Definition 12.5 A quantum circuit family C is learnable, if for any C ∈ C there exists a quantum circuit P such that δ(P C (|0⊗|C| ) ⊗ ρ) − UC ρUC† tr ≤ negl. If a quantum circuit family C is learnable, it is easy to prove that C is also obfuscatable. To obtain O(C), an obfuscator takes an input C, makes oracle access to C over P to get P C (|0⊗|C| ). Obviously, P C (|0⊗|C| ) is an effective obfuscation of C, since for any adversary A, a simulator can have oracle access to C, get P C (|0⊗|C| ) and pass it to A. Definition 12.6 A learnable quantum circuit family is called trivial quantum obfuscatable family. Given a quantum circuit learnable family, the obfuscation via learning is called trivial quantum obfuscation. Lemma 12.2 Given a learnable quantum circuit family C, D is obfuscatable if and only if {C# D|C ∈ C, D ∈ D} is obfuscatable.

12.1 Obfuscatability of Quantum Point Functions

249

Proof Firstly, we prove that {C# D} is obfuscatable ⇒D is obfuscatable. We randomly choose C ∈ C, D ∈ D. With similar technique in the proof of Lemma 12.2, for any adversary A, we build QPT A (O(C# D)) which works as follows: A sets the control register of O(C# D)) to |1, then passes it to A, finally outputs what A outputs. Clearly, we have Pr [A (O(C# D)) = 1] = Pr [A(O(C# D)|1 ) = 1]. Since O(C# D) is an obfuscation of C# D, there exists a simulator S  such that |Pr [A (O(C# D)) = 1]− Pr [S UC# D (|0⊗|C# D| ) = 1]| ≤ negl.

(12.4)

Then we build S U D from S UC# D . S U D works as follows: firstly S UC gets input , adds |0 to it and passes |0⊗|C# D| to S UC# D . Every time S UC# D queries UC# D |0 with ρ, S U D checks the control register of ρ. If it is |0, S U D returns δ(C(ρ), otherwise S U D has oracle access to U D and returns it to S UC# D . Finally, it outputs what S UC# D outputs. Through the construction, we have ⊗|D|

Pr [S UC# D (|0⊗|C# D| ) = 1] = Pr [S U D (|0⊗|D| ) = 1].

(12.5)

With Eqs. 12.4 and 12.5, we have |Pr [A(O(D)|1 ) = 1]− Pr [S U D (|0⊗|D| ) = 1]| ≤ negl. So we finish the proof that {C# D} is obfuscatable ⇒D is obfuscatable. Proof of reverse direction is very similar and will not be described again.

12.1.7 Quantum Point Function In this section, we will give a precise definition of quantum point functions, especially the ones with an input of quantum superposition.

12.1.7.1

Quantum Point Function Family and Its Obfuscatability

In the classical case, a point function is defined by  1 if x = α Pα (x) = . 0 other wise

250

12 Security Analysis of Quantum Obfuscation

According to quantum computation theory, any classical function f can be implemented by a quantum circuit. To implement such a function, a quantum circuit maps input register x and target register b |x ◦ b to |x ◦ b ⊕ f (x), where ◦ denotes concatenation. For convenience, the target register b can be set to zero. From this premise, we can define a quantum point function as follows: Definition 12.7 A quantum point function Uα is defined as Uα : |x, 0 → |x, Pα (x) where α ∈ {0, 1}n .  Obviously, with an input in superposition x a x |x ◦ 0, the point function will  also return a result of superposition x ax |x ◦ Pα (x), where  ax is a complex coefficient. After defining Un = {Uα : α ∈ {0, 1}n } and U = n Un , we can build the obfuscation of U and prove the following lemma. Lemma 12.3 A quantum point function family U is obfuscatable, under the quantumaccessible random oracle model. Proof Note that the quantum-accessible random oracle Rq is interpreted as a lengthpreserving permutation oracle, Rq : |x, y → |x, y ⊕ R(x), where R : {0, 1}n → {0, 1}n and x, y ∈ {0, 1}n . The obfuscator for quantum point function Uα works as follows: O R (Uα ) firstly makes query to oracle Rq with a classical bit string α to get R(α), then removes any information about α except R(α). When it receives an input |x, 0, O R (Uα ) accesses to quantum-accessible random oracle Rq with |x, 0n  to get |x, R(x). Finally, O R (Uα ) implements the checking function  Ch(x) =

1 i f x = R(α) 0 other wise

by quantum gate Ch q : |x, y → |x, y ⊕ Ch(x) and uses it on both the second register of return result of the oracle and the target register of input of the quantum circuit. The whole quantum circuit is implemented as Fig. 12.3. Firstly, we prove the functional equivalence property of Uα . We point out that the quantum-accessible oracle is implemented as a permutation oracle {0, 1}n → {0, 1}n . In this sense R is a bijective,  hence R(x)= R(α) if and only if x = α. Therefore, O R (Uα ) correctly maps x ax |x ◦ 0 to x ax |x ◦ Pα (x). Since quantum random query is made once for any input, polynomial slowdown condition holds. Now we prove the black-box property. For any adversary A, a simulator S Uα can be built as follows: S sets a copy of A internally (noted by A ), then S randomly chooses a ∈ {0, 1}n and builds a quantum state |α, 0m , then queries the random oracle Rq with it twice to get two same quantum states |r1 , |r2 . Then it builds a circuit C like this: for an input |x, y, C queries random oracle with |x, 0m , keeps the return value |r  , and check if r1 = r  . If so, it reverses register |y. Next,

12.1 Obfuscatability of Quantum Point Functions

251

Fig. 12.3 Quantum circuit for O(Uα )

S puts C into A , every time A queries Rq with |x, y, S queries Uα with |x, 0. If S gets |1, it returns |x, y ⊕ r2 , otherwise S randomly chooses a number in {0, 1}n , queries R with it and returns to A . Finally, S outputs what A outputs. Obviously, A performs exactly the same as A. |Pr [A = 1] − Pr [S Uα = 1]| = 0 So the black-box condition holds.

12.1.7.2

Quantum Point Functions with Multi-qubit Output

In the context of multi-qubit output, |0n  becomes a possibly valid output. In the classical case, the invalid output ⊥ is introduced and a point function with multiqubit output is defined by  β if x = α Pα,β (x) = . ⊥ other wise where α, β ∈ {0, 1}n . However, as the quantum circuits are required to be invertible and unitary, concession must be made to keep consistence with well-formed QPT. Conceretly, to avoid the use of ⊥, we manually set |0n  to present an invalid input, therefore, β is restricted in any bit string in {0, 1}n except 0n . In this sense, Pα,β will  to output 0n when x = α. be modified as Pα,β Definition 12.8 A quantum point function with general output is defined as follows:  Uα,β : |x, 0n  → |x, Pα,β 

where α ∈ {0, 1}n , and β ∈ {0, 1}n \0n .

252

12 Security Analysis of Quantum Obfuscation

Let Cα,β to be a quantum circuit which implements Uα,β . Define Cn = {Cα,β : α, β ∈ {0, 1}n }. Lemma 12.4 A quantum point function family C with multi-qubit output is obfuscatable, under the quantum random oracle model. Proof A QRO Rq is used in the proof. Firstly, we randomly choose r ∈ {0, 1}n , query Rq with |r, α, 02n  and get |r, α, 02n ⊕ R(r, α) = |r, α, a ◦ b, where a and b is the first n bits and the last n bits of R(r, α). Note that R is a length-preserving oracle. Then we compute c = b ⊕ β. Now we can remove any information about α and β, and just keep r , a and c. Next, for every input |x, 0, O R (Uα,β ) makes query to Rq with |r, x|02n , gets |r, x|R(r, x) = |r, x|R1 (r, x), R2 (r, x) in return. Finally, O R (Uα,β ) implements the checking function  Ch(x) =

c ⊕ R2 i f x = a other wise 0n

by a quantum gate Ch q : |x, y → |x, y ⊕ Ch(x) and implies it on both the second register of return result of the oracle and the target register of input of the quantum circuit. It is obvious that this obfuscation is valid, with the similar method used in the proof of Lemma 12.3. We can see that C can be simply obfuscated. Note that we have only polynomial many obfuscations, the probability that two of them happen to pick up the same r is negligible. Under this condition, the simulator will be able to simulate any adversary.

12.1.7.3

Quantum Multi-point Functions with Multi-qubit Output

Definition 12.9 A quantum multi-point function with multi-qubit output is defined as U(α1 ,β1 ),...,(αt ,βt ) : |x, y → |x, y ⊕ P(α1 ,β1 ),...,(αt ,βt ) , where αi ∈ {0, 1}n , βi ∈ {0, 1}n \0n and P(α1 ,β1 ),...,(αt ,βt ) is a classical function that maps {0, 1}n to {0, 1}tn :  P(α1 ,β1 ),...,(αt ,βt ) (x)|i =

βi i f x = αi 0n other wise

and P(α1 ,β1 ),...,(αt ,βt ) (x) = P(α1 ,β1 ),...,(αt ,βt ) (x)|1 ◦ · · · ◦ P(α1 ,β1 ),...,(αt ,βt ) (x)|t . Let C(α1 ,β1 ),...,(αt ,βt ) to be a quantum circuit which implements  U(α1 ,β1 ),...,(αt ,βt ) . Define Cnt = {C(α1 ,β1 ),...,(αt ,βt (n) ) : αi , βi ∈ {0, 1}n }. Define C ∗ = poly t Cnt Lemma 12.5 A quantum circuit family C ∗ is obfuscatable.

12.1 Obfuscatability of Quantum Point Functions

253

Proof We will show that Cnt {Cn1 # . . . #Cnt : Cni ∈ Cn }. Since C can be simply obfuscated, {C1 # . . . #Ct : Ci ∈ C} is obfuscatable. Therefore, given Lemma 12.1, C t is obfuscatable, so is C ∗ . To built a QTP M that M UCn1 #...#Cnt computes Cnt , M has access to each oracle successively and simply concatenates all return values. To built a QTP N that N UCnt computes Cn1 # . . . #Cnt , N query the oracle of Cnt with the input register once and discard the unwanted part of output according to the control register. Since the control register is fixed to be a basic state, measurement will not cause any information loss of the input register.

12.1.8 Application to Quantum Zero-Knowledge Quantum obfuscation allows users to run quantum circuits functionally as an unpenetrable black-box. In a quantum zero-knowledge circumstance, a protocol allows a verifier to accept a statement without leaking extra information. Moreover, the definition of both quantum obfuscation and QZK are simulation-based paradigm. All these similarities inspire us to study on applications of quantum obfuscation in QZK. In this section, we will discuss a possible scheme of QZK based on quantum obfuscation. The classical idea of constructing zero-knowledge by obfuscation was initiated in the beginning of researches on obfuscation [1], but was realized relatively recently in the work of Bitansky [14]. Bitansky built a zero-knowledge scheme for languages in NP, based on obfuscation of point functions and 2-message delegation. Extending Bitansky’s idea to quantum circumstance includes transferring the primitives, such as NP, zero-knowledge, delegation, and obfuscation, into their quantum version. (1) quantum version of NP: quantum Merlin-Arthur (QMA) [15]. QMA is defined analogously to NP, except that the witness is presented as a quantum state. For a language L in QMA, any statement x ∈ L has (at least) a witness ρ helping x / L has pass the family of verifier circuits {V er L (x, ρ)}, while any statement x ∈ no witness helping x pass the verifier. (2) quantum version of zero-knowledge: quantum zero-knowledge (QZK). Transferring prover and verifier into quantum computer extends ZK to QZK. Here one interesting thing is that in quantum circumstances we do not limit a verifier to be honest because honest-verifier quantum zero-knowledge equals general quantum zero-knowledge [16]. (3) quantum version of delegation: secure multiparty quantum computation (SQMC). We roughly explain what we need from SMQC: essentially a 2-party quantum computation task. Consider Alice (holding secret state ρ A ) and Bob (holding a secret circuit f = f (x)). After particular operations, Bob obtains the result f (ρ A ) while Alice obtains nothing about f . This task can be specialized from Min’s universal SQMC structure [17]. Since Min’s scheme is valid based on quantum oblivious transfer [18], our expectation for SMQC is feasible.

254

12 Security Analysis of Quantum Obfuscation

Table 12.1 QZK scheme Step 1. Public input: x, P holds witness ρ, V holds verifier V er L (x, ρ) Step 2. V randomly generates |y and sends f |y (ρ) to P Step 3. P receives function f  , computes f  (ρ) and sends a quantum obfuscation quantum point function O(U f  (ρ) ) to V Step 4. V receives O  and accepts iff δ O  is identical to U|y

(4) obfuscation: quantum obfuscation. We defined quantum obfuscation in Definition 12.1, and quantum point functions with general outputs in Definition 12.8. According to Lemma 12.4, the quantum obfuscation for quantum point functions is valid. Now we build up our QZK scheme. We start with the following awkward strategy: V selects a verifier V er L (x, ρ), P sends V er L (x, ρ) to V directly. It is unsound since P can always send ‘yes’. To fulfill the requirement of soundness, we introduce SMQC strategy mentioned above. That is, P holds a secret ρ, V randomly generates a secret |y and offers circuit working as:  f |y (ρ) =

|y i f V er L (x, ρ) says “yes” |0|y| other wise

After calculation, P obtains the output of f and sends it to V , and V compares the result and its secret |y. Since SMQC leaks no information about |y, malicious P cannot cheat V . However, the scheme is now non-ZK: a cheating V may send any circuit of ρ (like trivial circuit f (ρ) = ρ) to learn about ρ. Here the key is to make sure that V compares the output of P without “knowing” it. An intuitive way of doing so is obfuscation. Concretely, after calculation, P obtains the output of f |y (ρ), and sends a quantum obfuscation of quantum point function O(U f|y (ρ) ) instead of f |y (ρ) itself. Now the whole scheme works as Table 12.1. At last, we point out two notable details. One is that the scheme is somewhat similar to the quantum version of witness hiding scheme rather than zero-knowledge scheme in Bitansky’s work [14], but satisfies QZK property. This is because that Bitansky’s attack on ZK requires repeated comparison of the obfuscation’s output, which is ruled out by quantum no-cloning theory. The other is that Bitansky’s structure is insecure in post-quantum cryptographic. The reason is that the 2-message delegation on which the scheme based is proved insecure against quantum adversaries [19].

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation

255

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation 12.2.1 Requirement of Indistinguishability The study of obfuscation was initiated by Hada [1], and was formally proposed and formulated in Barak’s influential work [2]. In the first few years, research development was restricted by crucial negative results. Hada [1] observed that a piece of code cannot be perfectly obfuscated unless it is learnable. Barak et al. [2] demonstrated that the virtual black-box property unconditionally rules out the existence of a general obfuscator, i.e., an obfuscator for all circuit families. In 2005, Goldwasser and Kalai [20] showed the impossibility of obfuscator with arbitrary auxiliary inputs. Sequentially in 2007, Hofheinz et al. [21] gave out the reason why many deterministic functions cannot be obfuscated. Recent negative results include the works of Bitansky [22, 23] and Garg et al. [24]. All these impossibilities demand to either refer to some more relaxed definition of obfuscation, or try to obfuscate programs with limited categories of functions. In the path of weaker definition, Barak et al. [2] put forth the idea of indistinguishable obfuscation (iO). An iO makes it hard for adversaries to distinguish two obfuscated programs if they agree on all inputs. Indistinguishable obfuscation is also proved to be equivalent to the so-called best-possible obfuscation [25], which can hide any information that any other obfuscation can hide. The usage and construction of iO have been discussed recently by Sahai and Waters [26] and Garg et al. [27]. In terms of limited kinds of functions, point functions first drew academic attention and was proved obfuscatable under the random oracle model [3]. Following this idea, some positive results have been published successively. Canetti and Dakdouk [5] formally extended the point functions to the ones with multi-bit outputs by means of composition technique. This extension essentially strengthens the connection between obfuscation and encryption. Subsequently, he showed this tight connection [6]. In 2010, the virtual gray-box (VGB) property was proposed and point functions were proved composable under this meaning. One branch of quantum cryptography, beyond quantum key distribution (QKD) and post-quantum cryptography, is to carry classical cryptographic primitives over quantum circumstances. Quantum one-time pad (QOTP) [28] is a representative example, but for so long there have been a lacking even in the most basic cryptographic concepts. Scattered primitives such as quantum homomorphic encryption [29], quantum homomorphic signature [30], and quantum random oracle (QRO) [13, 31], have been discussed. In 2016, Alagic et al. [32] built the concept of semantic security, IND-CPA (indistinguishability under chosen plaintext attack) and IND-CCA1 (indistinguishability under non-adaptive chosen ciphertext attack) for quantum situation. More recent work includes quantum non-malleability [33], quantum INDCCA2 (indistinguishability under adaptive chosen ciphertext attack), and authenticated encryption [34]. As for the notion of obfuscation, the research is relatively immature. The first idea of “protecting software by a quantum state” was originated

256

12 Security Analysis of Quantum Obfuscation

in Scott Aaronson’s ten semi-grand challenges for quantum computation. In 2016, the definition of quantum VBB obfuscation and quantum iO was proposed [8], although many basic concepts in this area is yet to be set. In this section, we introduce a quantum symmetric encryption scheme by means of quantum obfuscator [35]. We start with the basic requirement of IND-secure and point out that a quantum VBB obfuscator satisfies this requirement unconditionally. Then we prove that a quantum obfuscator with combinable property or auxiliary input property corresponds to encryptions with IND-CPA security or leakage resilience. Note that the absence of the usefulness of quantum obfuscation may eliminate the positivity of related research. We hope that such work will be inspiring in the field of quantum obfuscation.

12.2.2 Efficient Quantum Circuit and Quantum Computation Due to the strong Church-Turing thesis [36], deterministic polynomial-time (PT) algorithm and probabilistic polynomial-time (PPT) algorithm are the most representative calculation models in classical complexity theory. In quantum situation, the first formalized model by Deutsch [37] was realized by quantum circuits consisting of unitary quantum gates. An improved solution takes measurements in the middle of the computation and decoherence into account [38]. Here, a quantum polynomialtime (QPT) algorithm is defined as a family of quantum circuits, each composed of polynomial many admissible (rather than unitary) quantum gates. Oracle gates are feasible only under such model of QPT, which are crucial in IND-CPA security.

12.2.3 Quantum One-Time Pad Recall that the single qubit Pauli operators are defined as:  σX =

     01 0 −i 1 0 , σY = , σZ = 10 i 0 0 −1

Here we take an identity matrix I2 into account. So the Pauli operation set consists of four Pauli matrices P = {I2 , σ X , σY , σ Z }. The definition of quantum one-time is quite simple: for each qubit ρ, randomly choose one operator from Pauli set P and apply it on ρ. It is evident that such operation is information-theoretically indistinguishable, since the output state is maximally mixed I2 1 (ρ + σ X ρσ †X + σY ρσY† + σ Z ρσ †Z ) = 4 2

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation

257

Since the Pauli operators are self-adjoint, the above operation can be achieved by choosing two single bits α, β ∈ {0, 1}, and applying the mapping β

β

ρ → σ αX σ Z ρσ Z σ αX In the case of n-qubits message ρ, α, β ∈ {0, 1}n . Define X α = ⊗σ αXi and Z β = β ⊗σ Zi . The quantum one-time pad [28] for n-qubits goes ρ → X α Z β ρZ β X α Through analysis, the output is still maximally mixed 1 1 Un ρUn† = 2n α,β X α Z β ρZ β X α 2n 2 2 = α,β T r (ρZ β X α )δα,0 δβ,0 X α Z β T r (ρ) = I2n 2n I2n = n 2

12.2.4 Quantum Symmetric Encryption and Its Security Following the idea of quantum one-time pad, we are interested in the circumstances where the message space and cypher-text space are the set of density operators on Hilbert space H M , HC , and the key space K = {0, 1}n [32]. The set of density operators, i.e., all physically possible quantum states on Hilbert space H is denoted by D(H). Then a quantum symmetric encryption scheme is defined as follows: Definition 12.10 A quantum symmetric encryption scheme is a triple QPTs of (key generation)Gen : 1n → k ∈ Kn , (encryption)Enck : K × D(HM ) → D(HC ) and (decryption)Deck : K × D(HC ) → D(HM ), satisfying correctness property: Enck ◦ Deck − I M  ≤ negl(n) for all k ∈ Kn . To analyze the security of a quantum encryption scheme, we introduce Alagic’s work [32] on indistinguishably of encryptions.

258

12 Security Analysis of Quantum Obfuscation

M

Challenger D

Fig. 12.4 IND-security game

Definition 12.11 A quantum symmetric encryption scheme is indistinguishable (or IND-secure), if for any QPT adversary A = (M, D) we have |Pr {D[(Enck ⊗ I E )ρ M E ] = 1]} −Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1]}| < negl(n) where ρ M E ← M(1n ), ρ E = tr M (ρ M E ). Figure 12.4 shows the IND-security game. Definition 12.12 An IND-secure quantum symmetric encryption scheme is INDCPA, if A has oracle access to Enck . We denote again that A runs in polynomial time. If we assume that an oracle gate runs in a unit of time O(1), then A has only polynomial many of oracle queries sent to Enck .

12.2.5 Quantum Point Obfuscation The definition of a quantum obfuscator, proposed by Alagic and Fefferman [8], is similar to its classical counterpart. Definition 12.13 A quantum black-box obfuscator is a quantum algorithm O and QPT δ, for any n-qubit quantum circuit C, the output of O is an m-qubit state O(C) and the following three conditions hold.

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation

259

1. (Polynomial expansion) m = poly(n) 2. (Functional equivalence) for any possible ρ δ(O(C) ⊗ ρ) − UC ρUC† tr ≤ negl(n) 3. (Virtual black-box) for every QPT A, there exists a QPT S UC such that |Pr [A(O(C)) = 1] − Pr [S UC (|0n ) = 1]| ≤ negl(n) Point functions return an internal value m when the input equals a specific k, and 0 elsewise. In the theory of quantum computation, such a function can be described as  |x, y ⊕ m i f x = k Uk,m : |x, y → |x, y other wise Since an obfuscator for all functions does not exist, consider a quantum obfuscator only for quantum point functions, then we assume that the input of an obfuscator is delineated by m and k. Therefore, n in Definition 12.13 equals |m| + |k|, and we have |O(Um,k )| = poly(|m| + |k|). We then define a stronger version of quantum point obfuscator, which preserves security even when an adversary has a combination of different point functions. With respect to quantum encryption, we are interested in the case where the point functions are of the same k. In this case, we call it self-combinable. Definition 12.14 A quantum point obfuscator is self-combinable, if for any t = poly(n) the combination of t’s obfuscators is still secure, i.e., we have a simulator S such that |Pr [A(O(Uk,r1 , O(Uk,r2 ), . . . , O(Uk,rt ))) = 1] −Pr [S Uk,r1 ,Uk,r2 ,...,Uk,rt (0n ) = 1]| ≤ negl(n) In quantum encryption, we are also interested in the case where A is provided some auxiliary inputs (always some information on k). In this case, we define a quantum secure obfuscator with auxiliary inputs. Definition 12.15 A quantum point obfuscator with auxiliary inputs f is secure, if we have a simulator S such that |Pr [A(O(Uk,r ), f (k)) = 1] −Pr [S Uk,r ( f (k)) = 1]| ≤ negl(n)

260

12 Security Analysis of Quantum Obfuscation

12.2.6 IND-Secure Quantum Symmetric Encryption Scheme In this section, we give the construction of symmetric encryption scheme. Then we prove its IND-security, which comes from the VBB property of a quantum obfuscator. Scheme 12.1 Let O be a quantum point obfuscator and Uk,r be a quantum point function. A quantum symmetric encryption scheme is a triple QPTs of following algorithms 1. (key generation)Gen(1n ) = k ∈ Kn , 2. (encryption)Enck (ρ) = Pr ρPr ⊗ O(Ur,k ), where r is randomly chosen from {0, 1}2n , 3. (decryption)Deck (c ⊗ ) = Pr  c Pr  , where r  is the measurement result of T r1 [δ( ⊗ |k, 02n k, 02n |)]. The encryption and decryption algorithm are shown in Figs. 12.5 and 12.6. Correctness of the scheme. Proving the scheme’s correctness, we apply |kright , 02n  with the right key kright = k to the obfuscated point function. By functional equivalence property, we get δ( ⊗ |k, 02n k, 02n |) = δ(O(Uk,r ) ⊗ |k, 02n k, 02n |) ≈ p Uk,r (|k, 02n ) = |k, r  After tracing out the first register of |k|-qubits and measurement, we get r  = r , with which we can correctly recover ρ from Pr ρPr . While with the wrong key kwr ong = k, the measurement gives r  = 0, and the message is kept secret.

Enc

Fig. 12.5 Encryption algorithm

RNG r r Output

Gen

k

k

r

O

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation

261

Dec

Fig. 12.6 Decryption algorithm

c

c

m k

r M

Now we indicate the security of the encryption scheme. Specifically, we have the following theorem. Theorem 12.1 If a quantum point obfuscator exists, then the quantum symmetric encryption scheme in Scheme 12.1 is IND-secure. Proof For any adversary A = (M, D), set s = (Pr ⊗ I E )ρ M E , and t = (Enck ⊗ I E )(|00| M ⊗ ρ E ), we have |Pr {D[(Enck ⊗ I E )ρ M E ] = 1} −Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1}| =|Pr {D[s ⊗ O(Uk,r )] = 1} − Pr {D[t ⊗ O(Uk,r )] = 1}| =|Pr {D[s, O(Uk,r )] = 1} − Pr {D[t, O(Uk,r )] = 1}|

(12.6)

≤g(r ) |Pr {D[s, g(r )] = 1} − Pr {D[t, g(r )] = 1}| ·Pr [D  (O(Uk,r )) = g(r )] In the last equation, the sum symbol is for all possible g(r ), and D  is a subroutine of D dealing with O. By the VBB property, we have a simulator S satisfying |Pr [D(O(Uk,r )) = f (r )] − Pr [S Uk,r (0n ) = f (r )]| ≤ negl(n) Note that S has oracle access to Uk,r , then g(r ) can only be r (when S successfully accesses the oracle with k), or 0 (when not). So we can rewrite Eq. 12.6 as g(r ) |Pr {D[s, g(r )] = 1} − Pr {D[t, g(r )] = 1}| ·Pr [D(O(Uk,r )) = g(r )] ≤g(r ) |Pr {D[s, g(r )] = 1} − Pr {D[t, g(r )] = 1}| ·|Pr [S Uk,r (0n ) = g(r )] + negl(n)| =|Pr {D(s, r ) = 1} − Pr {D(t, r ) = 1}|

262

12 Security Analysis of Quantum Obfuscation

·|Pr [S Uk,r (0n ) = r ] + negl(n)| +|Pr {D(s, 0) = 1} − Pr {D(t, 0) = 1}| ·|Pr [S Uk,r (0n ) = 0] + negl(n)|

For the first item to the right side of the inequality, consider QPT S with polynomial many queries. While the key space K is uniformly random {0, 1}n , the possibility Pr [S Uk,r (0n ) = r ] = poly(n)/2n ≤ negl(n). For the second item to the right of inequality, we have |Pr {D(s, 0) = 1} − Pr {D(t, 0) = 1}| =|Pr {D[(Pr ⊗ I E )ρ M E ] = 1} −Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1}| This difference is negligible, according to indistinguishableness of quantum onetime pad. Finally, we have |Pr {D[(Enck ⊗ I E )ρ M E ] = 1} −Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1}| ≤|Pr {D(s, r ) = 1} − Pr {D(t, r ) = 1}| ·|Pr [S Uk,r (0n ) = r ] + negl(n)| +|Pr {D(s, 0) = 1} − Pr {D(t, 0) = 1}| ·|Pr [S Uk,r (0n ) = 0] + negl(n)| ≤|Pr {D(s, r ) = 1} − Pr {D(t, r ) = 1}| · negl(n) +negl(n) · |Pr [S Uk,r (0n ) = 0] + negl(n)| ≤negl(n) This is exactly what we need for IND-security.

12.2.7 Security Analysis In this section, we provide the extension of an obfuscator and encryption scheme. Specifically, a self-combinable obfuscator implements IND-CPA-secure encryption and an auxiliary input obfuscator implements leakage-resilient encryption.

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation

12.2.7.1

263

Self-combinable Obfuscator and IND-CPA-Secure Encryption

Here we point out the self-combinable property in obfuscation corresponds to the IND-CPA security in quantum encryption. We continue to use the construction of Scheme 12.1, requiring that the obfuscator O is self-combinable. We prove the following theorem. Theorem 12.2 If a quantum point obfuscator O is self-combinable, then the quantum symmetric encryption scheme in Scheme 12.1 is IND-CPA-secure. Proof The correctness holds obviously. Assume that A = (M, D) queries encryption oracle for t = poly(n) times. Then there are r1 , . . . , rt (used by the encryption oracle) and r (used by the challenger) that maximize the difference |Pr {D Enc [(Enck ⊗ I E )ρ M E ] = 1]} −Pr {D Enc [(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1]}| From A we build an adversary A attacking the obfuscator. Specifically, when A queries the encryption oracle for the ith time, A responses with Pri ρPri ⊗ O(Uk,ri ). During the distinguishing challenge game, A responds either Pr ρPr ⊗ O(Uk,r ) or Pr |00|Pr ⊗ O(Uk,r ). Therefore, when A outputs the same as A, |Pr {D Enc [(Enck ⊗ I E )ρ M E ] = 1]} −Pr {D Enc [(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1]}| ≤|Pr {A [O(Uk,r1 ), . . . , O(Uk,rt ); Enck (ρ)] = 1]|} −Pr {A [O(Uk,r1 ), . . . , O(Uk,rt ); Enck (|0)] = 1]}| ≤|Pr {S O(Uk,r1 ),...,O(Uk,rt ) [Enck (ρ)] = 1]|} −Pr {S O(Uk,r1 ),...,O(Uk,rt ) [Enck (|0)] = 1]}| + negl(n) ≤negl(n) where the last inequality comes from self-combinablelity.

12.2.7.2

Auxiliary Input and Leakage Resilience

Here we prove that auxiliary input corresponds to the quantum leakage resilience. We firstly define a quantum leakage-resilient encryption scheme, which is similar to its classical counterpart just like many other quantum cryptographic terminologies. Definition 12.16 An IND-secure quantum symmetric encryption scheme is leakage-resilient, if after Gen(1n ) generates a key k, A submits an quantum-secure one-way function (qOWF) f and gets f (k).

264

12 Security Analysis of Quantum Obfuscation

We now show that a quantum point obfuscator with auxiliary inputs implements quantum leakage-resilient encryption. The proof is very similar to that of Theorem 12.1. Theorem 12.3 If (O, δ) is an quantum point obfuscator with auxiliary input f , then Scheme 12.1 is leakage-resilient against key information f (k). Proof The correctness holds obviously. For any adversary A = (M, D), set s = (Pr ⊗ I E )ρ M E , and t = (Enck ⊗ I E )(|00| M ⊗ ρ E ), we have |Pr {D[(Enck ⊗ I E )ρ M E , f (k)] = 1} −Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E ), f (k)] = 1}| =|Pr {D[s, O(Uk,r ), f (k)] = 1} −Pr {D[t, O(Uk,r ), f (k)] = 1}| ≤g(r ) |Pr {D[s, g(r )] = 1} − Pr {D[t, g(r )] = 1}| ·Pr [D  [O(Uk,r ), f (k)] = g(r )] Similarly, we have g(r ) |Pr {D[s, g(r )] = 1} − Pr {D[t, g(r )] = 1}| ·Pr [D  [O(Uk,r ), f (k)] = g(r )] ≤|Pr {D(s, r ) = 1} − Pr {D(t, r ) = 1}| ·|Pr [S Uk,r ( f (k)) = r ]| +|Pr {D(s, 0) = 1} − Pr {D(t, 0) = 1}| ·|Pr [S Uk,r ( f (k)) = 0]| +negl(n) For the first item to the right side of the the inequality, Pr [S Uk,r ( f (k)) = r ] ≤ negl(n) due to the irreversibility of f and uniformity of k. For the second item to the right side of the inequality, it is negligible according to the indistinguishableness of quantum one-time pad. Therefore, the whole difference is negligible, and Scheme 12.1 is leakage-resilient against f .

12.3 Summary In this chapter, to precisely define quantum point function family and analyze its obfuscatability under the quantum-accessible random oracle, we introduce essential reduction and combination skills. A quantum multi-point function family with multiqubit output was proved obfuscatable under the QRO model. We also discussed an obfuscation-based QZK scheme. Then we demonstrate the usability of a quantum point obfuscator in a quantum symmetric key encryption. We give the construction

12.3 Summary

265

of an IND-secure encryption scheme and extend various properties of an obfuscator and corresponding encryption security. Further work lies in the routine similar to classical obfuscation theory on point functions such as obfuscatability under the standard model, or how to build obfuscators, by encryption schemes.

References 1. Hada, S.: Zero-knowledge and code obfuscation. In: International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2000), vol. 1976, pp. 443–457 (2000) 2. Barak, B., Goldreich, O., Impagliazzo, R., et al.: On the (im)possibility of obfuscating programs. In: Annual International Cryptology Conference (CRYPTO 2001), vol. 2139, no. 2, pp. 1–18 (2001) 3. Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2004), vol. 3027, pp. 20–39 (2004) 4. Wee, H.: On obfuscating point functions. In: ACM Symposium on Theory of Computing (STOC), pp. 523–532 (2005) 5. Canetti, R., Dakdouk, R.R.: Obfuscating point functions with multibit output. In: International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2008), vol. 4965, pp. 489–508 (2008) 6. Canetti, R., Kalai, Y.T., Varia, M., et al.: On symmetric encryption and point obfuscating. In: Theory of Cryptography Conference (TCC), vol. 5978, pp. 52–71 (2010) 7. Alagic, G., Jeffery, S., Jordan, S.: Circuit obfuscation using braids. In: Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC), vol. 27, pp. 141–160 (2014) 8. Alagic, G., Fefferman, B.: On quantum obfuscation (2016). arXiv:1602.01771 9. Shang, T., Chen, R.Y.L., Liu, J.W.: On the obfuscatability of quantum point functions. Quantum Inf. Process. 18(2), 55 (2019) 10. Nielson, M.A., Chuang, I.: Quantum Computation and Quantum Information. Cambridge University Press, IL (2002) 11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73 (1993) 12. Bennett, C.H., Brassard, G.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997) 13. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput. Sci. 7073(1), 41–69 (2010) 14. Nir, B., Omer, P.: Point obfuscation and 3-round zero-knowledge. In: International Conference on Theory of Cryptography, pp. 190–208 (2012) 15. Bookatz, A.D.: QMA-complete problems. Quantum Inf. Comput. 14, 361–383 (2012) 16. Kobayashi, H.: General properties of quantum zero-knowledge proofs. In: Conference on Theory of Cryptography, pp. 107–124 (2008) 17. Liang, M.: Secure multiparty quantum computation based on bit commitment (2013). arXiv:1306.0447 18. Liang, M.: Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Comput. 12, 3675–3687 (2013) 19. Lo, H.K.: Insecurity of quantum secure computations. Phys. Rev. A 52, 1154–1162 (1996) 20. Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp. 553–562 (2005)

266

12 Security Analysis of Quantum Obfuscation

21. Hofheinz, D., Malone-Lee, J., Stam, M.: Obfuscation for cryptographic purposes. In: Theory of Cryptography Conference (TCC), vol. 4392, pp. 214–232 (2007) 22. Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to resettable cryptography. In: ACM Symposium on Theory of Computing (STOC), pp. 241–250 (2013) 23. Bitansky, N., Canetti, R., Cohn, H., et al.: The impossibility of obfuscation with auxiliary input or a universal simulator. In: Annual International Cryptology Conference (CRYPTO 2014), pp. 71–89 (2014) 24. Garg, S., Gentry, C., Halevi, S., et al.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. Algorithmica 79(4), 1353–1373 (2017) 25. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Theory of Cryptography Conference (TCC), vol. 4392, pp. 194–213 (2007) 26. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: ACM Symposium on Theory of Computing (STOC), pp. 475–484 (2014) 27. Garg, S., Gentry, C., Halevi, S., et al.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016) 28. Ambainis, A., Mosca, M., Tapp, A., et al.: Private quantum channels. In: Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp. 547–553 (2000) 29. Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate complexity. In: Annual International Cryptology Conference (CRYPTO 2015), vol. 9216, pp. 609629 (2015) 30. Shang, T., Zhao, X.J., Liu, J.W.: Quantum homomorphic signature. Quantum Inf. Process. 14(1), 393–410 (2015) 31. Shang, T., Lei, Q., Liu, J.W.: Quantum random oracle model for quantum digital signature. Phys. Rev. A 94(4), 042314 (2016) 32. Alagic, G., Broadbent, A., Fefferman, B., et al.: Computational security of quantum encryption. In: International Conference on Information Theoretic Security (ICITS), vol. 10015, pp. 47–71 (2016) 33. Alagic, G., Majenz, C.: Quantum non-malleability and authentication. In: International Conference on Information Theoretic Security (ICITS), pp. 310–341 (2017) 34. Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption (2017). arXiv:1709.06539 35. Chen, R.Y.L., Shang, T., Liu, J.W.: Quantum symmetric encryption based on quantum obfuscation. Quantum Inf. Process. 18(6), 161 (2019) 36. Slot, C., Boas, P.: On tape versus core an application of space efficient perfect hash functions to the invariance of space. In: ACM Symposium on Theory of Computing (STOC), pp. 391–400 (1984) 37. Deutsch, D.: Quantum theory, the Church-Turing principle and the universal quantum computer. SIAM J. Comput. 400(1818), 97–117 (1985) 38. Dorit, A., Alexei, Y.K., Noam, N.: Quantum circuits with mixed states. In: ACM Symposium on Theory of Computing (STOC), pp. 20–30 (1998)

Chapter 13

Security Analysis of Measurement-Device Independency

With the practical implementation of continuous-variable quantum cryptographic protocols, security problems resulting from measurement-device loopholes are being paid increasing attention. At present, research on measurement-device independency analysis is limited in quantum key distribution protocols, while there exist different security problems for different protocols. Considering the importance of quantum digital signature in quantum cryptography, in this chapter, we introduce the measurement-device independency analysis of continuous-variable quantum digital signature, especially continuous-variable quantum homomorphic signature. Also, the analysis method can be extended to other quantum cryptographic protocols.

13.1 Device Independency Analysis Since continuous-variable quantum cryptographic protocols are very probable to be implemented in practice, such analysis which assumes all devices are perfect is insufficient to judge whether a protocol is truly secure or not. An attacker could exploit the loopholes of a device to successfully attack a protocol even though it is proved theoretically secure. To analyze the practical security of a quantum cryptographic protocol, the definition of device independency was proposed. If a protocol can complete its task securely even if all devices are untrusted, which means some devices might be controlled by an attacker, it is called a device-independent (DI) protocol. To date, research on device independency analysis only focuses on quantum key distribution (QKD) protocols. In 2006, Acin et al. [1] proposed the first deviceindependent quantum key distribution (DI-QKD) protocol and proved its security against individual attacks. Before long security analyses against collective attacks of DI-QKD protocols were proposed [2, 3]. Since 2011, general formalisms for proving the security of DI-QKD protocols have been proposed [4, 5], which can defend against the most general attacks. However, these analyses were proposed for discrete-variable QKD protocols, which means they cannot be directly applied to continuous-variable quantum cryptographic protocols. © Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0_13

267

268

13 Security Analysis of Measurement-Device Independency

As we know, in the continuous-variable setting, research focuses more on the measurement-device independency of a protocol rather than device independency, which only considers the independency of measurement devices. Measurement devices are the devices used for measuring quantum observables, such as beam splitter (BS) and homodyne detector. The concept of measurement-device independency was put forward by Lo et al. [6] in 2012. It can be regarded as a weakened version of device independency because it only considers the security loopholes of measurement devices. Compared to DI quantum cryptographic protocols, measurement-device-independent (MDI) quantum cryptographic protocols are widely studied because they can achieve higher efficiency with practical implementation while not losing much security. To improve practicability and the efficiency of QKD, several continuous-variable measurement-device-independent quantum key distribution (CV-MDI-QKD) protocols were proposed [7–9]. In recent years, study on measurement-device independency extends to other types of quantum cryptographic protocols other than QKD. In 2016, Wu et al. [10] proposed a CV-MDI multipartite quantum communication protocol, which can implement both quantum cryptographic conference and quantum secret sharing. In 2018, Li et al. [11] tried to solve the practical problem of implementing scalable quantum networks and proposed a CV-MDI quantum relay network with phase-sensitive amplifiers. Recently, towards estimating entanglement in a quantum network, MDI entanglement estimation schemes were proposed [12, 13]. Since there exist different security problems for different protocols, device independency analysis of other continuous-variable quantum cryptographic protocols except QKD protocols should be explored. Continuous-variable quantum digital signature (CVQDS) [14–16] is a sufficiently studied technology in the field of continuous-variable quantum cryptography. It is an essential part of a secure continuous-variable quantum network, so its device independency can affect the practical security of a network. Yet, there is no research on the measurement-device independency of CVQDS. Generally, CVQDS protocols are not device-independent because secret keys are directly passed to the device that generates signatures as a parameter, in which case an attacker can easily obtain the secret keys. Therefore, we assume the devices for quantum state preparation as trusted and perfect, and focus on analyzing the measurement-device independency of CVQDS [17].

13.2 Measurement-Device Independency If a quantum cryptographic protocol can complete its task securely with untrusted measurement devices, it is called a measurement-device-independent protocol. To analyze the security of a quantum cryptographic protocol under the worst case, we assume measurement devices are prepared and controlled by an attacker and can work in the way that is most favorable to the attacker. Concretely, the assumptions are

13.2 Measurement-Device Independency

269

(1) An attacker can tamper and forge the output of measurement devices. (2) An attacker can eavesdrop quantum channels by any means. For simplicity, we call the above assumptions the MDI assumptions. In other words, if the task of a quantum cryptographic protocol is completed under the MDI assumptions, the protocol is measurement-device-independent. To date, there are only achievements of MDI analysis for QKD protocols. The first MDI-QKD protocol was proposed by Lo et al. [6], which is a discrete-variable quantum cryptographic protocol. The security proof utilizes the monogamous nature of quantum entanglement and removes detector side-channel attacks while it is not a mathematical proof. In the same year, Ma and Razavi [18] proposed the alternative schemes for MDI-QKD using phase and path or time encoding. In the security analysis, the lower bound of the secret key rate was calculated. A protocol is secure if its secret key rate is higher than the lower bound. In 2014, several CV-MDI-QKD protocols were proposed [7]. In the security analysis, the secret key rate of an equivalent one-way CVQKD model was calculated, which is the lower bound for the proposed protocol. The calculation was simplified by applying the theorem of optimality of Gaussian collective attacks [19]. The analysis of other CV-MDI-QKD protocols [8, 9] are similar in calculating the lower bound of the secret key rate. Obviously, we cannot directly calculate the secret key rate of a non-CVQKD protocol, so we should put forward a new method of analyzing its measurementdevice independency.

13.3 Continuous-Variable Quantum Homomorphic Signature In CVQDS protocols, there are usually at most three participants, i.e., a signer, a verifier, and an arbitrator. Since the verifier and the arbitrator are assumed to be honest, the only untrusted party is the signer, so it seems easy to analyze measurement-device independency. Nevertheless, in 2017, Li et al. [20] proposed a continuous-variable quantum homomorphic signature (CVQHS) scheme, where an aggregator generates a homomorphic quantum signature for verifying the identities of multiple data sources. The aggregator has access to all quantum and classical data in the network, so the scheme probably will not be secure if an attacker takes control of the devices of the aggregator. The existence of an untrusted aggregator has posed a new challenge in analyzing the measurement-device independency of CVQDS. Li’s CVQHS scheme is based on continuous-variable entanglement swapping and provides additive and subtractive homomorphism. The basic model of the CVQHS scheme is shown in Fig. 13.1. A and B are signers, M is an aggregator who aggregates the received signatures to generate two new signatures, and V is a verifier.

270

13 Security Analysis of Measurement-Device Independency

a

b

A

B mA

2

k A1 k A2

mB

Sk A (a)

4

SkB (b) 1

|

1

|

2

|

3

|

4

M

k B1 k B2

3

mA mB* Quantum Channel

V k A1 k A2 k B1 k B2

Classical Channel Entanglement

Fig. 13.1 Basic model of CVQHS

13.4 Analysis Procedure If the task of a quantum cryptographic protocol is completed under the MDI assumptions, the protocol is measurement-device-independent. The task of CVQHS is to verify the identities of different data sources at a low error rate. So in the measurementdevice analysis of the CVQHS scheme, we can calculate the upper bound of the error rate. If the upper bound is negligible under the MDI assumptions, the CVQHS scheme is measurement-device-independent. The upper bound of the error rate is the error rate under the worst-case when an attacker can carry out any possible attack. So we will find out the optimal attack model and calculate the error rate under the model.

13.4.1 Attack Model Considering all possible cases which are shown in Fig. 13.2, the error rate is equal to the probability of a forged signature passing verification plus the probability of a legal signature being denied. Obviously, the probability of a legal signature being denied is only affected by noise. So we only consider the attack model of the case that an attacker tries to forge a signature. In the CVQHS scheme, when an attacker Eve has secret keys and is able to prepare quantum states which are entangled with those at honest signers, it can forge a signature that can pass verification. Throughout the CVQHS scheme, only the aggregator M and the verifier V use measurement devices. Here we assume the measurement devices controlled by V

13.4 Analysis Procedure

271

Fig. 13.2 Possible errors in CVQHS

Eve

S k E ( e) S k A ( a )

Sk A (a)

A

M

V Signature Accepted

A

Sk A (a)

M

V Signature Denied

are trusted because the protocol will be extremely inefficient and meaningless if the verifier is dishonest. So the MDI assumptions only apply to the measurement devices controlled by M, namely a 50:50 BS and two homodyne detectors which are used to perform Bell detection, and a 50:50 BS for mixing two quantum signatures. According to assumption (1), Eve is able to tamper and forge the results of Bell detection and the mixtures of quantum signatures at the combining phase. So Eve can forge a quantum signature that can pass verification as long as it obtains the pre-shared secret keys. So the security of the CVQHS scheme is guaranteed by the secrecy of secret keys. The probability of a forged signature passing verification is equal to the probability of Eve obtaining secret keys. At this point, the complicated attack model which contains forgery is simplified as a simple eavesdropping model. According to assumption (2), Eve is able to eavesdrop all quantum channels by any means. From the perspective of an attacker’s ability, eavesdropping can be divided into three types, namely coherent attack, collective attack, and individual attack. Coherent attack is the most general attack by which an attacker can perform joint quantum operations and joint measurement to all quantum states sent via quantum channels. The proof of security against coherent attack is the strictest proof for security, but the model of coherent attack cannot be effectively parameterized. A common approach is to extend the security against collective attack to coherent attack by using the exponential de Finetti theorem [21]. Collective attack is a special case of coherent attack, where an attacker can only perform quantum operations individually on each quantum state. Fortunately, analysis shows that the security bound under coherent attack is the same as that under collective attack for QKD protocols [22]. This result can be applied to CVQHS because a signature in the scheme is in a single quantum state. The quantum states in a quantum channel are not correlated, so introducing correlations to them by performing joint operations will not help the attacker obtain more information. Therefore, we can analyze the security against collective attack.

272

13 Security Analysis of Measurement-Device Independency

13.4.2 Probability of a Forged Signature Passing Verification At the first step of the setup phase, the signers and the verifier share secret keys. Assume they use a MDI-QKD protocol in this step, then Eve can only obtain the secret keys by eavesdropping the quantum channels. The information on the secret keys that Eve can obtain is the mutual information I (k : E), where k = (k1 , k2 ) denotes the secret keys and E is the quantum system of Eve. The larger the mutual information I (k : E) is, the more information Eve can obtain. When I (k : E) = H (k), Eve can recover the secret keys accurately. The upper bound of I (k : E) is usually used to estimate the security of a protocol. According to the symmetry of CVQHS, we only need to calculate the upper bounds of I (k A1 : E) and I (k A2 : E). According to quantum information theory, it is known that I (k A1 : E) ≤ χ(k A1 : E), where χ(k A1 : E) is the Holevo bound [23]. It can be calculated that χ(k A1 : E) = S(ρˆ E ) − S(ρˆ E |k A1 ) under collective attack, where S(ρˆ E |k A1 ) = p(k A1 )S(ρˆ E|k A1 )dk A1 and ρˆ E is the quantum system of Eve. According to assumption (1) aforementioned in Sect. 13.2, Eve can purify the whole quantum system, so χ(k A1 : E) = χ(k A1 : ρˆ1 2 3 4 ), where ρˆ1 2 3 4 = |α1 |α2 |α3 |α4 . Because |α1  and |α3  are independent of the secret keys, their entropy will be offset during subtraction. So S(ρˆ E ) − S(ρˆ E |k A1 ) = S(ρˆ2 4 ) − S(ρˆ2 4 |k A1 ), where ρˆ2 4 = |α2 |α4 . The quantum states in the CVQHS scheme are Gaussian states, whose von Neumann entropy can be calculated based on their covariance matrices. Assume the original entangled states prepared by the aggregator have the same density matrix, i.e., ρ12 = ρ34 = ρin . Their covariance matrix is  Vin =

√

VI V 2 − 1diag(1, −1)

√

 V 2 − 1diag(1, −1) , VI

where V = cosh 2r is the variance of two-mode squeezed states. Assume the quantum channels are modeled as √ √ |α → | τ α + 1 − τ α N , where τ (0 < τ < 1) is transmissivity and |α N  = |x N + i p N  is thermal noise. Assume thermal noise in each quantum channel is independently and identically distributed and their quadratures follow Gaussian distribution: x N , p N ∼ N (0, VN ). After |α2 and |α4 are transmitted twice via noisy quantum channels, the covariance matrix becomes    2 V I V − 1diag(1, −1) 1 1  Vin =  2 , V1 − 1diag(1, −1) V1 I where V1 = τ 2 V + (τ + 1)VN .

13.4 Analysis Procedure

273

After entanglement swapping, the covariance matrix of ρˆ2 4 = |α2 |α4  is V2 4

1 = 2V1



 diag(V1 2 + 1, V1 2 + 1) diag(V1 2 − 1, −V1 2 + 1) . diag(V1 2 − 1, −V1 2 + 1) diag(V1 2 + 1, V1 2 + 1)

Then |α2  and |α4  are mixed at a 50:50 beam splitter, outputting |α2  and |α4 . Beam splitter is a Gaussian operator, which does not change the von Neumann entropy of a quantum system. So the von Neumann entropy of ρˆ2 4 can be calculated based on V2 4 . S(ρˆ2 4 |k A1 ) is the von Neumann entropy of ρˆ2 4 when k A1 is given. It can be calculated based on a new covariance matrix   1 diag(V  2 + 1, V  2 + 1) diag(V  2 − 1, −V  2 + 1) , V2 4 |k A1 = 2V diag(V  2 − 1, −V  2 + 1) diag(V  2 + 1, V  2 + 1) where V  = V1 − Vk A1 . Simple calculation shows that I (k A1 : E) = 0, which means Eve cannot obtain any information on k A1 . Similarly, we can calculate that I (k A2 : E) = 0. So Eve cannot obtain any information on the pre-shared secret keys between the signers and the verifier. The probability of a forged signature passing verification is the probability of Eve guessing the exact secret keys, which is negligible. In the above theoretical analysis, we only considered the case of collective attack, which is proved to be the optimal attack model. In fact, simulation or experiment considering more complex scenarios can be conducted to verify our calculation results in future works. It will be much easier to obtain the error rate for complex scenarios such as coherent attack and forgery, which involve complex modeling and calculation in theoretical analysis and cannot be efficiently parameterized [22]. Special attack models may be also implemented to discuss how parameters affect the result of CVQHS.

13.4.3 Probability of a Legal Signature Being Denied In the CVQHS scheme, if the deviation between the value calculated from a signature and the value calculated from pre-shared messages is larger than certain verification threshold, the signature will be denied by the verifier. The deviation can be caused by an attacker or noise. Here it is assumed that the verifier receives a signature that is generated by a legal signer and not tampered by an attacker. So the probability only depends on noise. A verification threshold Hth in a noisy environment is given in Ref. [20], which is equal to the variance of x V − τ x V . In the verification phase, the verifier compares (x V − τ x V )2 , ( pV − τ pV )2 and Hth . If (x V − τ x V )2 > Hth or ( pV − τ pV )2 > Hth , it will deny the signature. Denote x V − τ x V as a random variable X whose first and

274

13 Security Analysis of Measurement-Device Independency

second moments are E X = 0 and D X = Hth . So the probability of a legal signature being denied is P(X 2 > Hth ) = P(X 2 > D X ) √ = P(|X | > D X ) Since X is a linear combination of quadratures, secret keys, and classical messages, it follows the Gaussian distribution. According to the property of Gaussian distribution, P(X 2 > Hth ) ≈ 0.32. So the probability of a legal signature being denied is 0.32. By adding up two probabilities in Sects. 13.4.2 and 13.4.3, we can conclude that the upper bound of the error rate of the CVQHS scheme is 0.32 when all measurement devices are untrusted. Although 0.32 is not negligible, the probability of correctly verifying the identities is twice of error rate. So the CVQHS scheme is deemed to be measurement-device-independent.

13.5 Discussion Firstly, we discuss how the parameters of the CVQHS scheme affect the error rate. The calculation of the probability of a forged signature passing verification involves three parameters, namely the variance V of two-mode squeezed states, the transmissivity τ of quantum channels, and the variance VN of thermal noise of quantum channels. According to the calculation result, the probability is always 0 provided V is nonzero, which means an attacker cannot obtain the pre-shared secret keys as long as the entangled states are properly prepared and not collapsed before being used for generating quantum signatures. And noisy quantum channels do not have any influence on the probability of a forged signature passing verification. It is the randomness of quantum states that prevents the pre-shared secret keys from being leaked during transmission. The calculation of the probability of a legal signature being denied involves the values of both quadratures of entangled states, pre-shared secret keys, the transmissivity and the variance of thermal noise of quantum channels, and the verification threshold. In the calculation, the parameters follow Gaussian distribution so the probability can be easily obtained. The probability is influenced by the verification threshold Ht h. If Ht h is larger, the probability will decrease but it will be easier for a forged quantum signature to pass verification. If Ht h is smaller, the probability will increase. So the verification should be carefully set in order to lower the error rate. Secondly, we discuss the application of the analysis method. The analysis method can be summarized in the following three steps Step 1. Analyze the objective of the protocol and find the parameter that can be used to decide whether the protocol has completed its task. Step 2. Analyze the topology and the communication pattern of the protocol to obtain a simplified attack model, which may be a sufficiently studied attack.

13.5 Discussion

275

Step 3. Calculate the parameter under the attack model to judge the measurementdevice independency of the protocol. In our analysis procedure, the parameter is the upper bound of error rate and the attack model can be simplified as collective attack. Although we only analyze the CVQHS scheme, the analysis method can be applied to other CVQDS protocols by means of calculating the same parameter under a similar attack model. Concretely, the objective of a CVQDS protocol is to verify the identity of a data source, which is the same as the CVQHS scheme. So at Step 1, the parameter will be the upper bound of error rate as well. From the perspective of verification results, errors can be classified into two types. The first type of error is the case where a tampered or forged quantum signature passes verification. The second type of error is the case where a legal quantum signature which is not tampered by attackers gets denied by the verifier. In order to calculate the error rate, we should, respectively, construct models for the two types of errors. The first type of error usually evolves attackers so we should construct an attack model. The second type of error is caused by noise so we should also construct a model for noisy quantum channels. Constructing an attack model in Step 2 is the key step of the MDI analysis method. The most effective way of attack can be found by means of applying MDI assumptions to the protocol. And attack models may be different for different CVQDS protocols if the protocols have different network topologies and communication patterns. Since most of the CVQDS protocols do not involve an untrusted aggregator, we believe attack models for CVQDS protocols will be simpler than the CVQHS scheme. Furthermore, it seems that the attack model of a CVQDS protocol can often become an eavesdropping model because it is necessary for an attacker to obtain secret keys. After simplification, the calculation process at Step 3 will be similar to our calculation. The above analysis procedure seems to be a general formalism for analyzing measurement-device independency. In this procedure, the key point of analyzing a protocol is to find an appropriate parameter and constructing an attack model. For a complicated protocol carried out in a large-scale network, it may have several tasks that affect each other and each task is completed by several nodes. It will be difficult to find an appropriate parameter in Step 1. Also, unintended entanglement among different nodes will not only affect the quantum states transmitted between two legal nodes in an unexpected way, but also increase the complexity of analysis and calculation. It will be difficult to construct an attack model that is simple enough for calculation. So MDI analysis method of quantum cryptographic protocols except CVQDS protocols still need to be explored.

13.6 Summary In this chapter, we analyzed the measurement-device independency of continuousvariable quantum digital signature. According to the objective of CVQDS, we verify that a CVQDS protocol is measurement-device-independent if its error rate is

276

13 Security Analysis of Measurement-Device Independency

negligible on condition that all measurement devices are untrusted. Concretely, we take a continuous-variable quantum homomorphic signature protocol as an example. The error rate of the CVQHS scheme is equal to the probability of a forged signature passing verification plus the probability of a legal signature being denied. In the analysis procedure, we introduced an attack model in order to calculate the error rate. The attack model was simplified as collective attack by means of applying MDI assumptions to the protocol. The calculation was also simplified by using advantage of Gaussian states, i.e., the von Neumann entropy of a Gaussian state can be calculated from its first and second moments. Calculation results show that the error rate is 0.32 so that the CVQHS scheme is deemed to be measurement-deviceindependent. Although we only analyze the measurement-device independency of the CVQHS scheme, our analysis can be summarized in three steps and applied to other CVQDS protocols. Whether this approach is a general formalism for analyzing the measurement-device independency of all quantum protocols is still an open question and will be discussed in future works.

References 1. Acin, A., Gisin, N., Masanes, L.: From Bell’s theorem to secure quantum key distribution. Phys. Rev. Lett. 97(12), 120405 (2006) 2. Acin, A., Brunner, N., Gisin, N., et al.: Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98(23), 230501 (2007) 3. Pironio, S., Acin, A., Brunner, N., et al.: Device-independent quantum key distribution secure against collective attacks. New J. Phys. 11(4), 1–2 (2009) 4. Masanes, L., Pironio, S., Acin, A.: Secure device-independent quantum key distribution with causally independent measurement devices. Nat. Commun. 2(1), 238 (2011) 5. Vazirani, U., Vidick, T.: Fully device-independent quantum key distribution. Phys. Rev. Lett. 11(4), 1–2 (2014) 6. Lo, H.K., Curty, M., Qi, B.: Measurement-device-independent quantum key distribution. Phys. Rev. Lett. 108(13), 130503 (2012) 7. Li, Z.Y., Zhang, Y.C., Xu, F.H., et al.: Continuous-variable measurement-device-independent quantum key distribution. Phys. Rev. A 89(5), 052301 (2014) 8. Zhang, Y.C., Li, Z.Y., Yu, S., et al.: Continuous-variable measurement-device-independent quantum key distribution using squeezed states. Phys. Rev. A 90(5), 052325 (2014) 9. Pirandola, S., Ottaviani, C., Spedalieri, G., et al.: High-rate measurement-device-independent quantum cryptography. Nat. Photonics 9(6), 397–402 (2015) 10. Wu, Y.D., Zhou, J., Gong, X.B., et al.: Continuous-variable measurement-device-independent multipartite quantum communication. Phys. Rev. A 93(2), 022325 (2016) 11. Li, F., Zhao, W., Guo, Y.: Continuous-variable measurement-device-independent quantum relay network with phase-sensitive amplifiers. Int. J. Theor. Phys. 57(1), 112–126 (2018) 12. Supic, I., Skrzypczyk, P., Cavalcanti, D.: Measurement-device-independent entanglement and randomness estimation in quantum networks. Phys. Rev. A 95(4), 042340 (2017) 13. Rosset, D., Martin, A., Verbanis, E., et al.: Practical measurement-device-independent entanglement quantification (2017). arXiv:1709.03090 14. Zeng, G.H., Lee, M.H., Guo, Y., et al.: Continuous variable quantum signature algorithm. Int. J. Quantum Inf. 5(4), 553–573 (2007) 15. Guo, Y., Feng, Y.Y., Huang, D.Z., et al.: Arbitrated quantum signature scheme with continuousvariable coherent states. Int. J. Theor. Phys. 55(4), 2290–2302 (2016)

References

277

16. Donaldson, R.J., Collins, R.J., Kleczkowska, K., et al.: Experimental demonstration of kilometer-range quantum digital signatures. Phys. Rev. A 93(1), 012329 (2016) 17. Shang, T., Li, K., Liu, J.W.: Measurement-device independency analysis of continuous-variable quantum digital signature. Entropy 20(4), 291 (2018) 18. Ma, X.F., Razavi, M.: Alternative schemes for measurement-device-independent quantum key distribution. Phys. Rev. A 86(6), 062319 (2012) 19. Navascues, M., Grosshans, F., Acin, A.: Optimality of Gaussian attacks in continuous-variable quantum cryptography. Phys. Rev. Lett. 97(19), 190502 (2006) 20. Li, K., Shang, T., Liu, J.W.: Continuous-variable quantum homomorphic signature. Quantum Inf. Process. 16(10), 246 (2017) 21. Renner, R., Cirac, J.I.: de Finetti representation theorem for infinite-dimensional quantum systems and applications to quantum cryptography. Phys. Rev. Lett. 102(11), 110504 (2009) 22. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., et al.: The security of practical quantum key distribution. Rev. Mod. Phys. 81(3), 1301–1350 (2009) 23. Holevo, A.S.: Bounds for the quantity of information transmitted by a quantum communication channel. Probl. Peredachi Informatsii 9(3), 3–11 (1973)

Index

A Achievable rate, 47, 49, 50, 53, 93, 144 Achievable rate region, 47, 49, 50, 53, 93 ADD/SUB operators, 152–155, 165, 166, 186 Adjoint, 17

B BAN logic, 191, 195, 196, 199, 203, 204, 206–208, 210 BB84, 96, 107, 129, 135, 138, 192, 194 Beam Splitter (BS), 152, 170, 172–176, 182, 268, 271 Bell detection, 151, 155–157, 170, 172, 180, 182, 271 Bell Measurement (BM), 23, 24, 28, 29, 32, 34, 67, 90, 141–143, 155, 194 Bell states, 88, 99, 111, 112, 131, 139–141, 206, 209 Best-possible obfuscation, 255 BFKW, 126 Black-box quantum obfuscator, 243, 244 Bloch sphere, 20–22, 28

C Cluster QNC, 8 Cluster state, 6, 7, 9, 47 CNOT, 41, 42, 54, 56, 233, 235 Completely opportunistic characteristic, 116 Complete Opportunity Encoding (COPE), 105–107, 109, 116, 117 Connection, 44, 45, 56, 57, 61, 193, 242, 255 Continuous-variable entanglement swapping, 147, 168–171, 186, 269

Continuous-variable quantum cloning, 148, 149 Continuous-Variable Quantum Digital Signature (CVQDS), 267–269, 275, 276 Continuous-Variable Quantum Homomorphic Signature (CVQHS), 147, 167– 169, 171, 173–176, 178, 180, 186, 267, 269–276 Continuous-Variable Quantum Key Distribution (CVQKD), 148, 171, 269 Continuous-Variable Quantum Network Coding (CVQNC), 7, 147, 148, 154– 156, 158–162, 164, 165, 180, 183, 184, 186 Continuous-variable quantum teleportation, 148, 151 Continuous variables, 147, 148, 150, 159, 161, 168, 175 Controlled repeater networks, 72–74, 76, 79, 80 Controlled teleportation, 76, 87–90, 92, 93, 95, 96, 99, 100 CV-MDI-QKD, 268, 269

D 3D Bell measurement, 28, 29, 90 Degree-3 (D3), 30, 31 Degree-3 graph, 30, 31 Density operator, 15, 16, 22, 154, 257 Device-Independent (DI), 267, 268 Device-Independent Quantum Key distribution (DI-QKD), 267 Discrete-Variable Quantum Network Coding (DVQNC), 147 148, 159–161, 186 Discrete variables, 147, 159, 175

© Springer Nature Singapore Pte Ltd. 2020 T. Shang and J. Liu, Secure Quantum Network Coding Theory, https://doi.org/10.1007/978-981-15-3386-0

279

280 Displacement, 150, 152, 155–157, 161, 162, 164, 165, 170, 171, 174, 182, 183

E Einstein–Podolsky–Rosen (EPR), 6, 43–45, 48, 49, 53–59, 61, 62, 64, 66, 68, 70– 74, 76, 79–84, 98, 107–112, 114, 115, 119–122, 126, 130, 135, 139, 141, 142, 156–158, 164, 204–206, 209 Elementary clifford operation, 41 Entangled quantum state, 14, 37 Entanglement-Free Cloning (EFC), 5, 30, 32, 53, 54 Entanglement swapping, 6, 9, 46, 54, 96, 107, 126–129, 131, 134, 138–140, 142, 143, 145, 147, 168–171, 186, 269, 273 Error-free, 206

F Fan-out operation, 42, 43 Fidelity, 4, 5, 8, 22, 29, 30, 32, 47, 48, 54, 72, 91, 93–95, 97, 100, 143, 148, 149, 151–155, 158–161, 165–167, 183, 186 Fork node, 30, 31 Free classical communication, 6, 8, 9, 36, 37, 47–50, 148, 161

G Gaussian Cloning (GC), 148–150, 152–155, 186 General graph, 5, 8, 30–32, 53, 61, 69–71, 82, 83 GHZ state, 58, 87–89, 91, 95, 97, 99, 101 GNY-logic, 204 GR, 90, 91 Group operation, 23, 29, 90, 217

H Hermitian conjugate, 17 Hermitian operator, 13, 16–20 Hilbert space, 11–15, 17, 19, 21, 36, 37, 41, 147, 159, 160, 219, 226, 257 Homomorphic signature, 7, 125, 126, 129, 130, 136, 137, 139–142, 144, 145, 147, 167–169, 175, 180, 184, 186, 255, 269, 276

Index I Implementation attack, 191, 195 IND-CCA1, 255 IND-CCA2, 255 IND-CPA, 255, 256, 258, 263 Indistinguishable Obfuscation (IO), 255, 256 IND-secure, 256, 258, 260, 261, 263, 265 Inner product, 12, 17, 160, 184, 227, 232, 234, 235 Instantiation of QRO, 232, 233 Intercept-and-resend attack, 191, 192 J Joint node, 31 K k-pair problem, 4–6, 8, 37, 40, 41, 47, 95 L Learnable, 248, 255 Learnable quantum circuit family, 248 Learning With Errors (LWE), 225 Light polarization, 15 Linear optics for continuous variables, 150 Linear space, 11 Local Operations and Classical Communication (LOCC), 8, 55–57, 59, 74, 75, 84 Local Operations and Quantum Communication (LOQC), 75, 84 M Man-in-the-Middle Attack (MITM), 191, 193, 194 Maximal entangled state, 8 MDI-QKD, 269, 272 Measurement-device independency, 267– 269, 275, 276 Measurement-Device-Independent (MDI), 268–270, 274–276 Measurement-displace scheme, 166, 167 Measurement operators, 17–19 Minimum Error Discrimination (MED), 160 Mixed quantum state, 14–16 Multi-source model, 137, 139 N Network Coding (NC), 3–9, 11, 27, 30, 32, 34, 36, 37, 40, 41, 43, 44, 46–48, 50,

Index 53, 54, 59, 68, 72, 76, 80, 82, 83, 87, 91, 93, 96–98, 100, 101, 103, 105– 107, 109, 119, 122, 125, 139–144, 146–149, 151, 152, 159, 180, 186 No-cloning theorem, 4, 5, 42, 139, 148, 216, 220, 221, 224–226, 229, 236 Non-maximal entangled state, 8 Norm, 12, 227 Normal operator, 17 Notation bra, 12 Notation ket, 12 NP, 253

O Obfuscatable, 245, 246, 248–250, 252, 253, 255, 264 Obfuscation, 241, 242, 244–250, 252–256, 258, 263, 265 Opportunistic coding, 105–107, 109, 113, 117, 118, 123 Oracle implementable, 245

P Participant attack, 191, 194 Particle consumption, 55, 70, 71, 74, 76, 79, 80, 82 PE, 5, 8, 32, 34, 48, 49, 151, 156, 160, 161 Perfect CVQNC, 8 Perfect linear quantum network coding, 36 Perfect nonlinear quantum network coding, 40 Perfect QNC, 8 Phase error fixing, 42 Photon addition-subtraction scheme, 167 Pollution attack, 7, 125, 139, 140, 142, 146, 180, 181, 184, 186 Polynomial-Time (PT), 256 Positive operator, 17 Positive Operator-Valued Measure (POVM), 19, 20, 28 Postulate of the evolution, 12, 13, 18 Postulate of the evolution 2, 13 Postulate of the measurement, 17–19 Postulate of the superposition, 12 Prior entanglement between senders, 32 Probabilistic Polynomial-Time (PPT), 256 Projective measurement, 18–20 Pseudorandom Function (PRF), 225 Pure quantum state, 14, 16, 24

281 Q QCMA-secure, 222–224, 236 QCPA-secure, 228, 230 Quantum-accessible random oracle model, 191, 195, 200, 201, 213, 214, 217, 218, 225, 243, 245, 250 Quantum Bit Error Rate (QBER), 107 Quantum black-box obfuscator, 242, 258 Quantum channel verification, 107, 109, 111, 113, 114, 119, 121, 122 Quantum chosen message query, 217 Quantum circuit, 6, 54, 167, 226, 242–248, 250–253, 256, 258 Quantum circuit family, 245, 248 Quantum coding operation, 42 Quantum communication, 3, 5–7, 9, 11, 29, 43, 48–50, 53, 54, 57, 59, 67–69, 71– 73, 75, 82–84, 105, 106, 109, 116, 119, 139, 147, 148, 163, 168, 175, 186, 204, 229, 268 Quantum Digital Signature (QDS), 168, 213–215, 218, 220–222, 224–226, 229, 236, 267 Quantum homomorphic signature scheme, 129, 140 Quantum Identity Authentication (QIA), 96, 103, 107, 204, 206–208, 210 Quantum indistinguishability under chosen plaintext attack, 255 Quantum indistinguishable-secure, 242 Quantum Key Distribution (QKD), 7, 105– 107, 129, 135, 142, 191, 203–206, 214, 216, 220, 225, 255, 267–269, 271 Quantum measurement, 17, 19, 218, 220 Quantum Merlin-Arthur (QMA), 253 Quantum multi-point function with multiqubit output, 252 Quantum Network Coding (QNC), 3–9, 11, 27, 30, 32, 34, 36, 37, 40, 41, 43, 44, 47, 48, 50, 53, 54, 59, 68, 72, 76, 80, 83, 87, 91, 93, 96–98, 100, 101, 103, 105, 106, 109, 119, 122, 125, 139– 144, 146–148, 151, 152, 180, 186 Quantum obfuscation, 241–245, 253, 254, 256 Quantum One-Time Pad (QOTP), 72–76, 80, 81, 84, 241, 255–257, 262, 264 Quantum operator, 17, 40, 176 Quantum point function, 241–243, 249–252, 254, 259, 260, 264 Quantum point function with general output, 251

282 Quantum point obfuscation, 258 Quantum point obfuscation with auxiliary input, 258 Quantum polynomial time algorithm, 243 Quantum Polynomial-Time (QPT), 243, 244, 246, 249, 251, 256–260, 262 Quantum Public-Key Encryption (QPKE), 213, 215, 225–230, 232–234, 236, 237 Quantum Random Oracle (QRO), 213, 214, 216–226, 229, 230, 232–234, 236, 237, 245, 252, 255, 264 Quantum random oracle model, 213, 214, 216–218, 220, 223–226, 229, 230, 232, 236, 245 Quantum repeater, 6–8, 27, 35, 44, 49, 53– 57, 59, 61, 62, 64, 68, 69, 71–74, 76, 80, 81, 83 Quantum repeater network, 6, 7, 44, 49, 53– 55, 57, 72, 73, 76, 79–84 Quantum Secret Sharing (QSS), 47, 48, 191, 194, 195, 268 Quantum Secure Direct Communication (QSDC), 72, 87, 94, 96, 99, 102, 107, 191–194, 203, 206 Quantum-secure One-Way Function (QOWF), 242, 263 Quantum-Secure Pseudorandom Function (QPRF), 217, 225 Quantum Signature (QS), 125, 126, 129, 132, 133, 135, 136, 141, 143, 148, 167, 168, 171, 180, 187, 203, 214, 269, 271, 274, 275 Quantum state, 4–8, 14–19, 21, 30, 32, 34, 36–40, 42, 45, 47, 66, 67, 89–91, 93– 98, 100, 101, 106, 109, 111, 112, 114, 120, 122, 125, 129, 136, 143, 145, 148, 150, 151, 153–156, 158–163, 166, 168, 169, 171–175, 178–180, 182–187, 194, 200, 214–216, 218– 227, 229, 244–246, 250, 253, 255, 257, 268, 270–272, 274, 275 Quantum symmetric encryption, 241, 256– 258, 260, 261, 263 Quantum teleportation, 24, 32, 43, 46, 48– 50, 54, 57, 59, 62, 66, 71, 74, 79, 105– 107, 109, 111–116, 119, 120, 122, 123, 142, 193 Quantum Zero-Knowledge (QZK), 241, 253, 254, 264 Quantum-Secure Pseudorandom Function (QPRF), 225

Index R Random Oracle (RO), 200, 201, 213, 216– 218, 221, 229, 237, 242–244, 250, 264 Random oracle model, 191, 195, 199, 200, 245, 255 Repeater QNC, 9 Repudiation, 168, 187, 214–216

S Scalars, 11, 12, 14 Secure Encoding (SE), 76, 80 Secure Multiparty Quantum Computation (SQMC), 253 Self-combinable, 259, 262, 263 Sharing non-maximally entangled states, 34 Simple classical protocol, 31 Simple obfuscation, 242, 248 Sink node, 30, 31, 146 Small-range distribution, 218, 219, 223, 224 Source node, 30–32, 43, 47, 49, 54, 55, 57, 59, 61, 62, 64, 66, 68–73, 76, 82, 137– 139, 145, 148, 153–156, 158, 180, 181, 183–186 SVO-logic, 204

T Teleportation attack, 139, 191, 193 Tensor product, 13, 14, 37 Tetra measurement (TTR), 28–31, 90 Thermal equilibrium, 15 TQC, 242, 265 Trace distance, 22 Transform node, 30, 31 Transition probability, 22 Transmission distance, 69–71, 168, 214 Transmission rate, 70, 71, 147, 148, 162 Trivial quantum obfuscation, 248

U Unambiguous State Discrimination (USD), 160 Unbiased Chosen Basis (UCB), 216, 220 Unforgeability, 135, 178, 184 Unitary operator, 13, 17, 36–38, 90–93, 99, 100, 130, 136, 141, 145, 150, 156 Universal Cloning (UC), 4, 27, 28, 90

V VBB, 256, 260, 261

Index Vectors, 6, 11, 12, 14, 15, 17, 20–22, 30, 37, 41, 42, 95, 97, 135, 162, 200, 228, 233, 235 Vector space, 11, 12, 30 Verification threshold, 173, 175, 176, 178, 273, 274 Virtual black-box obfuscator, 241, 242, 244, 255, 259 Virtual Gray-Box (VGB), 242, 255

283 W Weakly opportunistic characteristic, 116

X XQQ, 5, 8, 27, 30, 54, 71, 89, 91, 93, 95, 97, 148, 160