1 Introduction

1.1 Entropic security

An encryption scheme is called perfect if the ciphertext reveals no information whatsoever about the plaintext. For perfect encryption of classical plaintexts, the length of the key needs to be at least the entropy of the plaintext, and the simplest implementation is the One-Time Pad (OTP) or Vernam cipher [1] applied to compressed plaintext. In the quantum setting, perfect encryption of an n-qubit plaintext state requires a key length of 2n bits and the simplest cipher achieving this kind of encryption is the Quantum One-Time Pad (QOTP) [2,3,4].

If one does not aim for perfect security, it is possible to get information-theoretic guarantees about the encryption even with shorter keys, as long as a lower bound is known on the min-entropy of the plaintext. The notion of \((t,\varepsilon )\)-entropic security has been introduced [5, 6], stating that the adversary’s advantage in guessing any function of the plaintext is upper bounded by \(\varepsilon \) if the min-entropy of the plaintext (conditioned on Eve’s side information) is at least t. It can be seen as an information-theoretic version of semantic security. It has been shown that \((t,\varepsilon )\)-entropically secure encryption of an n-(qu)bit plaintext can be achieved with key length \(n-t+2\log {\textstyle \frac{1}{\varepsilon }}\) [6,7,8]. In the quantum case, the t can become negative when Eve’s quantum memory is entangled with the plaintext state.

The standard way to perform entropically secure encryption is to expand the short key to a pseudorandom string which is then used as the key for (Q)OTP encryption. The key expansion is done either using small-bias spaces or by universal hashing with a public random string.

1.2 Contribution and outline

We introduce a new key expansion method for entropically secure encryption, both classical and quantum. The main idea is to append a pseudorandom string f(k) to the short key k, instead of creating an entirely new string from k. For the computation of f(k), we use finite-field multiplication with a public random string.

  • Our key expansion is faster than all previous constructions while achieving the shortest known key length \(\ell =n-t+2\log {\textstyle \frac{1}{\varepsilon }}\) for both classical and quantum settings. In particular, a factor of 2 in speed is gained in the unentangled quantum case without further assumptions on Eve and the entropy of the plaintext.

  • Compared to the classical construction of [6], which has a key expansion based on multiplication in GF\((2^n)\) and ciphertext size of 2n bits, our ciphertext is shorter: \(n+\max (\ell ,n-\ell )\) bits.

  • Our security proof in the quantum case is a bit more straightforward than [8], as we avoid expanding states in the Pauli basis.

The outline of the paper is as follows. We discuss related work on entropic security in Sect. 2. We present the relevant definitions and lemmas from the literature in Sect. 3. In Sect. 4, we present our classical scheme and its security proof. Then in Sect. 5, we do the same for the quantum scheme, additionally giving an analysis of the computational complexity of the key expansion, especially in the unentangled case in Sect. 6. Finally, in Sect. 8, we comment on possible improvements.

2 Related work

2.1 Entropic security for classical plaintext

The entropic security notion and its definition for encryption were coined first by Russell and Wang [5]. They showed that it is possible to encrypt a high-entropy n-bit plaintext using a key shorter than n such that an attacker has less than \(\varepsilon \) advantage in predicting predicates of the plaintext. Such schemes are called Entropically Secure Encryption (ESE) schemes. They provided an ESE with key length \(n-t+3\log {\textstyle \frac{1}{\varepsilon }}+{{\mathcal {O}}}(1)\), where t is the min-entropy of the plaintext.Footnote 1

Dodis and Smith [6] gave a stronger definition by considering all functions of the plaintext instead of only predicates. They also showed the equivalence between ESE and indistinguishability (in terms of statistical distance) of ciphertexts. They introduced two simple constructions, one of which uses XOR-universal hash functions and improves the key length to \(n-t+2\log {\textstyle \frac{1}{\varepsilon }}+ {{\mathcal {O}}}(1)\). They proved that the key length of any ESE needs to be at least \(n-t\) bits.

Fehr and Schaffner [9] introduced a classical indistinguishable encryption scheme secure against quantum adversaries. It has key length \(n-t+2\log n +2\log {\textstyle \frac{1}{\varepsilon }}+{{\mathcal {O}}}(1)\), where t is the collision entropy of the (classical) plaintext given Eve’s quantum side information. Different from [5, 6], they used collision entropy in the security definition instead of min-entropy.

Table 1 Comparison of classical schemes with message length n
Full size table

2.2 Entropic security in the quantum setting

In order to perfectly encrypt any n-qubit state, the necessary and sufficient key length is 2n bits [2,3,4]. In its simplest form, quantum one-time pad encryption and decryption work by applying to each individual qubit a Pauli operation from the set \(\{\mathbbm {1},\sigma _x,\sigma _y,\sigma _z\}\). The choice of Pauli operations constitutes the key. For someone who does not know this key, the state after encryption equals the maximally mixed state regardless of the plaintext state.

Entropic security has been generalized to the fully quantum setting where both the plaintext and ciphertext are quantum states. Desrosiers [7] introduced definitions of entropic security and entropic indistinguishability for quantum ciphers. Similar to the classical setting, these definitions are equivalent up to parameter changes. He also introduced a scheme with a key length of \(n-t+2\log {\textstyle \frac{1}{\varepsilon }}\) using a similar key expansion method as [6]. Here t is the min-entropy of the plaintext quantum state. The analysis in [7] applies only if Eve is not entangled with the plaintext. Desrosiers and Dupuis [8] generalized the analysis with conditional quantum min-entropy as defined by Renner [10], and showed that the results hold even with entanglement.Footnote 2 They also proved a minimum required key length of \(n-t-1\).

2.3 Approximate randomization

The quantum setting without entanglement (\(t\ge 0\)) is a special case that has received a lot of attention by itself, as it occurs naturally: It corresponds to the situation where Alice prepares a plaintext state and encrypts it. As long as the plaintext state is generated entirely by Alice (as opposed to being received by Alice as part of a larger protocol), Eve is not entangled with it. In the literature, this special case goes by the name approximate randomization or approximate quantum encryption. Hayden et al. [11] showed that approximate randomization is possible with a key length of \(n+\log n + 2\log {\textstyle \frac{1}{\varepsilon }}\) by using sets of random unitaries.Footnote 3 Ambainis and Smith [13] introduced far more efficient schemes that work with a pseudorandom sequence which selects Pauli operators as in the QOTP. In one of them, they expanded the key using small-bias sets and achieve key length \( n+2\log n+2\log {\textstyle \frac{1}{\varepsilon }}\). This scheme is length-preserving, i.e. the cipherstate consists of n qubits. In another construction, they expanded the key by multiplying it with a random binary string of length 2n; this string becomes part of the cipherstate. The key length is reduced to \(n+2\log {\textstyle \frac{1}{\varepsilon }}\). Dickinson and Nayak [14] improved the small-bias based scheme of [13] and achieved key length \(n+2\log {\textstyle \frac{1}{\varepsilon }}+4\). Škorić and de Vries [15] described a pseudorandom QOTP scheme that has key length \(n+2\log {\textstyle \frac{1}{\varepsilon }}\), but they need an exponentially large common random string to be stored. Table 2 shows an overview of these results.

Table 2 Results on approximate randomization of n qubits
Full size table

The ‘\(\varepsilon \)-close to maximally mixed’ property can be expressed as a distance with respect to different norms, e.g. the 1-norm (trace norm) or the \(\infty \)-norm (maximum absolute eigenvalue). In this paper, we consider only the 1-norm, since it expresses the distinguishability of states and it is a universally composable measure of security [16,17,18].

3 Preliminaries

3.1 Notation; entropic quantities

Random variables are written in uppercase and their realizations in lowercase. The statistical distance between random variables \(X,Y\in {{\mathcal {X}}}\) is given by \(\Delta (X,Y)={\textstyle \frac{1}{2}}\sum _{a\in {{\mathcal {X}}}}|\textrm{Pr}[X=a]-\textrm{Pr}[Y=a]|\). Expectation over a random variable X is written as \({{\mathbb {E}}}_x f(x)=\sum _{x\in {{\mathcal {X}}}} \textrm{Pr}[X=x]f(x)\). The collision probability of X is \(\sum _{x\in {{\mathcal {X}}}}\textrm{Pr}[X=x]^2\). The Rényi entropy of order \(\alpha \) (with \(\alpha \ne 1\)) is defined as \({\textsf{H}}_\alpha (X)= (1-\alpha )^{-1}\log (\sum _{x}\textrm{Pr}[X=x]^\alpha )\). Special cases are the collision entropy \({\textsf{H}}_2(X)=-\log (\sum _{x}\textrm{Pr}[X=x]^2)\) and the min-entropy \({\textsf{H}}_{\textrm{min}}(X)={\textsf{H}}_\infty (X)=-\log (\max _x \textrm{Pr}[X=x])\).

We denote the space of density matrices on Hilbert space \({{\mathcal {H}}}\) as \({{\mathcal {D}}}({{\mathcal {H}}})\). The single-qubit Hilbert space is denoted as \({{\mathcal {H}}}_2\). A bipartite state comprising subsystems ‘A’ and ‘B’ is written as \(\rho ^{\textrm{AB}}\in {{\mathcal {D}}}({{\mathcal {H}}}_{\textrm{A}}\otimes {{\mathcal {H}}}_{\textrm{B}})\). The state of a subsystem is obtained by taking the partial trace over the other subsystem, e.g. \(\rho ^{\textrm{A}}={\textrm{Tr}}\,_{\textrm{B}}\,\rho ^{\textrm{AB}}\). The identity operator on \({{\mathcal {H}}}\) is denoted by \(\mathbbm {1}^{{\mathcal {H}}}\); we will simply write \(\mathbbm {1}\) when the Hilbert space is clear from the context. Similarly, we write \(\tau ^{{\mathcal {H}}}\) for the maximally mixed state \(\mathbbm {1}^{{\mathcal {H}}}/\textrm{dim}({{\mathcal {H}}})\), often omitting the superscript. Let M be an operator with eigenvalues \(\lambda _i\). The Schatten 1-norm of M is given by \( \Vert M \Vert _1 ={\textrm{Tr}}\,\sqrt{M^{\dag }M}=\sum _i |\lambda _i|\). The trace distance between states \(\rho ,\sigma \) is \( \Vert \rho -\sigma \Vert _{\textrm{tr}}= {\textstyle \frac{1}{2}}\Vert \rho -\sigma \Vert _1\). We say that states are orthogonal, \(\rho \perp \sigma \), if their Frobenius inner product vanishes, \({\textrm{Tr}}\,\rho ^{\dag }\sigma =0\).

In the literature, there are multiple definitions of quantum conditional Rényi entropy. We will work with the definition of [19, 20], which is based on sandwiched relative entropy, and which has been shown in [21] to possess the most favorable properties. Let \(\rho ,\sigma \ge 0\) with \(\rho \ne 0\), and \(\alpha \in (0,1)\cup (1,\infty )\). The sandwiched quantum Rényi relative entropy is given by

$$\begin{aligned} D_{\alpha }(\rho ||\sigma ) {\mathop {=}\limits ^{{\textrm{def}}}}\frac{1}{\alpha -1}\log {\textrm{Tr}}\,\Big [\Big ( \sigma ^{{\textstyle \frac{1-\alpha }{2\alpha }}} \rho \, \sigma ^{{\textstyle \frac{1-\alpha }{2\alpha }}} \Big )^{\alpha } \Big ] \end{aligned}$$
(1)

if \(\sigma \gg \rho \,\vee \, (\alpha <1 \wedge \rho \not \perp \sigma )\), and otherwise \(D_{\alpha }(\rho ||\sigma )=\infty \). Here \(\sigma \gg \rho \) denotes that \(\sigma \) dominates \(\rho \), i.e. that the kernel of \(\sigma \) is contained in the kernel of \(\rho \). For \(\alpha \in (0,1)\cup (1,\infty )\) and \(\rho ^{\textrm{AE}}\in {{\mathcal {D}}}({{\mathcal {H}}}_A\otimes {{\mathcal {H}}}_E)\), the conditional quantum Rényi entropy is given by

$$\begin{aligned} {\textsf{H}}_{\alpha }(A|E)_\rho {\mathop {=}\limits ^{{\textrm{def}}}}-\inf _{\sigma \in {{\mathcal {D}}}({{\mathcal {H}}}_E)} D_\alpha (\rho ^{\textrm{AE}}|| \mathbbm {1}^{A}\otimes \sigma ). \end{aligned}$$
(2)

In the limit \(\alpha \rightarrow \infty \) this reproduces the conditional Rényi entropy as introduced by Renner [10],

$$\begin{aligned} {\textsf{H}}_{\textrm{min}}(A|E)_\rho =\sup _{\sigma \in {{\mathcal {D}}}({{\mathcal {H}}}_E)} -\log \min \{\lambda \,|\, \lambda \mathbbm {1}^{A}\otimes \sigma -\rho ^{\textrm{AE}}\ge 0\}. \end{aligned}$$
(3)

3.2 Security definitions and useful lemmas

Definition 3.1

(Classical encryption scheme) A classical encryption scheme for a message space \({{\mathcal {X}}}\) with key space \({{\mathcal {K}}}\) and ciphertext space \({{\mathcal {C}}}\) consists of three algorithms \(({\textsf{Gen, Enc, Dec}})\). Gen is a probabilistic algorithm that outputs a key \(k\in {{\mathcal {K}}}\). The Enc: \({{\mathcal {K}}}\times {{\mathcal {X}}}\rightarrow {{\mathcal {C}}}\) is a possibly randomized algorithm that takes a key k and a message \(x\in {{\mathcal {X}}}\) and outputs a ciphertext \(c\in {{\mathcal {C}}}\). The Dec: \({{\mathcal {K}}}\times {{\mathcal {C}}}\rightarrow {{\mathcal {X}}}\) is the decryption algorithm that takes a key \(k\in {{\mathcal {K}}}\) and a ciphertext \(c\in {{\mathcal {C}}}\) as inputs and outputs a message \(x\in {{\mathcal {X}}}\). It must hold that \(\forall _{k\in {{\mathcal {K}}},x\in {{\mathcal {X}}}}{\textsf{Dec}}(k,{\textsf{Enc}}(k, x)) = x\).

Entropic security of an encryption scheme is formulated as the property that the encryption Enc hides all functions of the plaintext X. ‘Hiding’ means that an adversary \({{\mathcal {A}}}\) who sees the ciphertext has no advantage in guessing function values f(X) over an adversary \({{\mathcal {A}}}'\) who does not observe the ciphertext. Here the function f is fixed before \({{\mathcal {A}}}\) observes the ciphertext. This is phrased in [6] as: ‘The probabilistic map leaks no a priori information about X’.

Definition 3.2

(Hiding all functions) A probabilistic map Y is said to hide all functions of X with leakage \(\varepsilon \) if

$$\begin{aligned} \forall _{{\mathcal {A}}}\exists _{{{\mathcal {A}}}'}\forall _f \quad \Big | \textrm{Pr}[{{\mathcal {A}}}(Y(X))=f(X)] - \textrm{Pr}[{{\mathcal {A}}}'()=f(X)] \Big | \le \varepsilon . \end{aligned}$$
(4)

Definition 3.3

(Entropic security in the classical setting, Def.1 in [6]) A probabilistic map Y is called \((t,\varepsilon )\)-entropically secure if

$$\begin{aligned} {\textsf{H}}_{\textrm{min}}(X)\ge t \implies Y \text{ hides } \text{ all } \text{ functions } \text{ of } X \text{ with } \text{ leakage } \varepsilon . \end{aligned}$$
(5)

An encryption scheme is \((t,\varepsilon )\)-entropically secure if \(Y(\cdot )={\textsf{Enc}}(K,\cdot )\) satisfies Def. 3.3. The definition is similar to semantic security, but it works with unbounded adversaries and is restricted to high-entropy plaintext.

It has been shown that entropic security implies statistical indistinguishability and vice versa, with small modifications in the t and \(\varepsilon \) parameters. Indistinguishability is defined by the existence of a variable G such that a ciphertext resulting from random X (from some distribution) and random K is \(\varepsilon \)-close to G in terms of statistical distance.

Definition 3.4

(Entropic indistinguishability in the classical setting, Def.2 in [6])Footnote 4 A randomized map Y is called \((t, \varepsilon )\)-indistinguishable if

$$\begin{aligned} \exists _G\quad {\textsf{H}}_{\textrm{min}}(X)\ge t \implies \Delta (Y(X), G)\le \varepsilon . \end{aligned}$$
(6)

Lemma 3.5

(Paraphrased from [6]) Let \(t\ge 2\log {\textstyle \frac{1}{\varepsilon }}-5\). Then \((t-2, 8\varepsilon )\)-indistinguishability implies \((t, \varepsilon )\)-entropic security for all functions.

Lemma 3.6

(Claim 2 in [22]) Let D be a distribution on a finite set \({{\mathcal {S}}}\). If the collision probability of D is at most \((1+2\varepsilon ^2)/|{{\mathcal {S}}}|\), then D is at a statistical distance at most \(\varepsilon \) from the uniform distribution.

Definition 3.7

(Quantum encryption scheme) A quantum encryption scheme with quantum message space \({{\mathcal {H}}}\), classical key space \({{\mathcal {K}}}\), and quantum ciphertext space \({{\mathcal {H}}}'\) consists of a triplet \(({\textsf{Gen}}, \textsf{Enc}, {\textsf{Dec}})\). Gen is a probabilistic algorithm that outputs a key \(k\in {{\mathcal {K}}}\). The Enc\(:{{\mathcal {K}}}\times {{\mathcal {D}}}({{\mathcal {H}}})\rightarrow {{\mathcal {D}}}({{\mathcal {H}}}')\) is a (possibly randomized) algorithm that takes as input a classical key \(k\in {{\mathcal {K}}}\) and a quantum state \(\varphi \in {{\mathcal {D}}}({{\mathcal {H}}})\), and outputs a quantum state \(\omega ={\textsf{Enc}}(k,\varphi )\in {{\mathcal {D}}}({{\mathcal {H}}}')\) called the cipherstate. \(\textsf{Dec}:{{\mathcal {K}}}\times {{\mathcal {D}}}({{\mathcal {H}}}')\rightarrow {{\mathcal {D}}}({{\mathcal {H}}})\) is an algorithm that takes as input a key \(k\in {{\mathcal {K}}}\) and a state \(\omega \in {{\mathcal {D}}}({{\mathcal {H}}}')\), and outputs a state \({\textsf{Dec}}(k,\omega )\in {{\mathcal {D}}}({{\mathcal {H}}})\). It must hold that \(\forall _{k\in {{\mathcal {K}}},\varphi \in {{\mathcal {D}}}({{\mathcal {H}}})}\; {\textsf{Dec}}(k,\textsf{Enc}(k,\varphi ))=\varphi \).

Note that Def. 3.7 allows the cipherstate space to be larger than the plaintext space, \(\dim {{\mathcal {H}}}' > \dim {{\mathcal {H}}}\). We will be working with the special case where the cipherstate consists of a quantum state of the same dimension as the input, accompanied by classical information.

The effect of the encryption, with the key unknown to the adversary, can be described as a completely positive trace-preserving (CPTP) map \(R:{{\mathcal {D}}}({{\mathcal {H}}})\rightarrow {{\mathcal {D}}}({{\mathcal {H}}}')\) as follows,

$$\begin{aligned} R(\varphi ) = \sum _{k\in {{\mathcal {K}}}} \frac{1}{|{{\mathcal {K}}}|} {\textsf{Enc}}(k,\varphi ). \end{aligned}$$
(7)

If the plaintext state is entangled with Eve (E), e.g. the state is \(\varphi ^{\textrm{AE}}\), then the encryption and decryption act only on the A subspace; we write \(R(\rho ^{\textrm{AE}})\) for \((R\otimes \mathbbm {1}^E)(\rho ^{\textrm{AE}})\). The definition of entropic security is more involved than in the classical case.

Definition 3.8

(Strong entropic security in the quantum setting, Def.4 in [8]) An encryption system R is called strongly \((t,\varepsilon )\)-entropically secure if for all states \(\varphi ^{\textrm{AE}}\) satisfying \({\textsf{H}}_{\textrm{min}}(A|E)_\varphi \ge t\), all interpretations \(\{(p_i, \sigma _i^{\textrm{AE}})\}\) of \(\varphi ^{\textrm{AE}}\), all adversaries \({{\mathcal {A}}}\) and all functions f, it holds that

$$\begin{aligned} \Big | \Pr [{{\mathcal {A}}}(R(\sigma _i^{\textrm{AE}}))=f(i)]- \Pr [{{\mathcal {A}}}(R(\varphi ^{\textrm{A}})\otimes \sigma _i^{E})=f(i)] \Big | \le \varepsilon . \end{aligned}$$
(8)

Here ‘interpretation’ means \(\varphi ^{\textrm{AE}}=\sum _i p_i \sigma ^{\textrm{AE}}_i\). Def. 3.8 implies another definition of entropic security given in [8] that contains an adversary \({{\mathcal {A}}}'\) who gets access only to the own subsystem \(\sigma _i^{\textrm{E}}\). Similar to the classical case, the equivalence has been shown between entropic security and entropic indistinguishability in the quantum setting.

Definition 3.9

(Entropic indistinguishability in the quantum setting, Def.3 in [8]) An encryption system \(R: {{\mathcal {D}}}({{\mathcal {H}}}_A)\rightarrow {{\mathcal {D}}}({{\mathcal {H}}}_{A'})\) is called \((t,\varepsilon )\)-indistinguishable if

$$\begin{aligned} \exists _{\Omega ^{\mathrm{A'}}\in {{\mathcal {D}}}({{\mathcal {H}}}_{A'})} \quad {\textsf{H}}_{\textrm{min}}(A|E)_\varphi \ge t \implies \Vert R({\varphi }^{AE})- \Omega ^{\mathrm{A'}}\otimes \varphi ^E \Vert _1 \le \varepsilon . \end{aligned}$$
(9)

Lemma 3.10

(Theorem 1 in [8]) \((t-1, \varepsilon /2)\)-entropic indistinguishability in the quantum setting implies strong \((t, \varepsilon )\)-entropic security for all functions.

Lemma 3.11

(Lemma 5.1.3 in [10]) Let S be a Hermitian operator on \({{\mathcal {H}}}\) and let \(\sigma \) be a non-negative operator on \({{\mathcal {H}}}\). It holds that

$$\begin{aligned} \big \Vert S\big \Vert _1 \le \min _{\sigma } \sqrt{{\textrm{Tr}}\,(\sigma ){\textrm{Tr}}\,(S\sigma ^{-1/2}S\sigma ^{-1/2})}. \end{aligned}$$
(10)

3.3 The quantum one time pad

Let \({{\mathcal {H}}}_2\) denote the Hilbert space of a qubit. Let Z and X be single-qubit Pauli operators, in the standard basis given by \(Z={1\; 0\atopwithdelims ()0\;-1}\) and \(X={0\; 1\atopwithdelims ()1\;0}\). For QOTP encryption of one qubit, the key consists of two bits \(s,q\in \{0,1\} \). The encryption of a state \(\varphi \in {{\mathcal {D}}}({{\mathcal {H}}}_2)\) is given by \(X^s Z^q \varphi Z^q X^s\). Decryption is the same operation as encryption, but with the order of applying the \(Z^q\) and \(X^s\) interchanged.

The simplest way to encrypt an n-qubit state \(\varphi \in {{\mathcal {D}}}({{\mathcal {H}}}_2^{\otimes n})\) is to encrypt each qubit independently. The QOTP key \(\beta \) has length 2n and can be expressed as \(\beta =s\Vert q\), with \(s,q\in \{0,1\} ^n\). In the rest of the paper we will use the following shorthand notation for the QOTP cipherstate,

$$\begin{aligned} F_\beta (\varphi )= U_\beta \varphi U_\beta ^{\dag }\quad \text{ where } U_\beta =\bigotimes _{i=1}^n X^{s_i}Z^{q_i}. \end{aligned}$$
(11)

Let \({{\mathcal {H}}}_{A'}={{\mathcal {H}}}_A={{\mathcal {H}}}_2^{\otimes n}\) and let \(\varphi ^{\textrm{AE}}\in {{\mathcal {D}}}({{\mathcal {H}}}_A \otimes {{\mathcal {H}}}_E)\) be a bipartite state. Encryption of the A subsystem is written as \(F_\beta (\varphi ^{AE})= (U_\beta \otimes \mathbbm {1}^E) \varphi ^{\textrm{AE}} (U_\beta ^{\dag }\otimes \mathbbm {1}^E)\). For any \(\varphi ^{\textrm{AE}}\) it holds that

$$\begin{aligned} \frac{1}{2^{2n}}\sum _{\beta \in \{0,1\} ^{2n}} F_\beta (\varphi ^{AE}) = \tau ^{\mathrm{A'}}\otimes \varphi ^{\textrm{E}}, \end{aligned}$$
(12)

i.e. Def. 3.9 is achieved with \(t=-n\) and \(\varepsilon =0\): no matter how entangled E is with A, from the adversary’s point of view the \(A'\) subsystem is maximally mixed and entirely decoupled from E.

4 Our results on entropically secure classical encryption

We present a modification of Ambainis and Smith’s second construction in [13]. The difference lies in the hash function, which in our case consists of the concatenation of the short key k with an affine function of k. In Sect. 4.2 we show that the key length as a function of the security parameter \(\varepsilon \) is essentially the same as in [13]. We comment on the speed gain in Sect. 6.

4.1 The construction

Our construction has message space \({{\mathcal {X}}}= \{0,1\} ^n\) and key space \({{\mathcal {K}}}= \{0,1\} ^\ell \) (with \(\ell \le n\)). Let \(\lambda =\max (\ell ,n-\ell )\). The ciphertext space is \({{\mathcal {C}}}= \{0,1\} ^{n+\lambda }\). Let \(u\in \{0,1\} ^\lambda \). We define a hash function h as follows,

$$\begin{aligned} h_{u}(k){\mathop {=}\limits ^{{\textrm{def}}}}k \Vert (uk)_{\textrm{lsb}} \end{aligned}$$
(13)

where \(\Vert \) denotes string concatenation. The multiplication uk takes place in GF\((2^\lambda )\). The subscript ‘lsb’ denotes taking the \(n-\ell \) least significant bits of \(uk\in \textrm{GF}(2^\ell )\) in the case \(\ell >n-\ell \), and simply \(uk\in \textrm{GF}(2^{n-\ell })\) itself in the case \(\ell \le n-\ell \).

The encryption is randomized, with uniformly random string u which becomes part of the ciphertext,

$$\begin{aligned} {\textsf{Enc}}_{u}(k,x) =\big ( c_1, c_2\big ) = \Big ( u,\; x \oplus h_{u}(k) \Big ). \end{aligned}$$
(14)

Here \(\oplus \) stands for bitwise xor. The decryption is

$$\begin{aligned} {\textsf{Dec}}\big (k, (c_1,c_2) \big ) = c_2\oplus h_{c_1}(k). \end{aligned}$$
(15)

Example 4.1

Consider \(\ell <n/2\). In this case we have \(\lambda {\mathop {=}\limits ^{{\textrm{def}}}}\max (\ell ,n-\ell )=n-\ell \). Hence \(u\in \{0,1\} ^{n-\ell }\). Computation of the product uk takes place in GF(\(2^{n-\ell }\)), where \(k\in \{0,1\} ^\ell \) is converted to an element of GF(\(2^{n-\ell }\)) by left zero padding. The hash \(h_u(k)\in \{0,1\} ^n\) is constructed as \(h_u(k)= k|| uk\). The size of the ciphertext \((u, x\oplus h_u(k))\) is \(2n-\ell \) bits.

Example 4.2

Consider \(\ell >n/2\). In this case we have \(\lambda {\mathop {=}\limits ^{{\textrm{def}}}}\max (\ell ,n-\ell )=\ell \). Hence \(u\in \{0,1\} ^\ell \). Computation of the product uk takes place in GF(\(2^\ell \)). In the computation of the hash \(h_u(k)\in \{0,1\} ^n\), the \(n-\ell \) least significant bits of uk are taken: \(h_{u}(k)= k \Vert (uk)_{\textrm{lsb}(n-\ell )}\). The size of the ciphertext is \(n+\ell \) bits.

4.2 Security proof

Theorem 4.3

Let \((U,K, X, U', K', X')\) be independent random variables. Then our classical encryption scheme described in Sect. 4.1 satisfies

$$\begin{aligned} \textrm{Pr}[{\textsf{Enc}}_{U}(K,X)={\textsf{Enc}}_{U'}(K',X')] \le \frac{1}{|{{\mathcal {C}}}|} (1+2^{n-\ell -{\textsf{H}}_2(X)}). \end{aligned}$$
(16)

Proof

To start, due to the prepended u in (14) we get \(U'=U\) and we acquire an overall factor \(2^{-\lambda }\) from \(\textrm{Pr}[U=U']=2^{-\lambda }\). Next, we need to bound the expression \(\textrm{Pr}[X\oplus h_{U}(K)=X'\oplus h_{U}(K')]\), which we can rewrite as \(\textrm{Pr}[X\oplus X' = h_{U}(K)\oplus h_{U}(K')]\) \(=\sum _{a\in \{0,1\} ^n}\textrm{Pr}[X\oplus X'=a]\textrm{Pr}[h_{U}(K)\oplus h_{U}(K')=a]\). The \(a=0\) term yields a contribution \(\textrm{Pr}[K'=K]\textrm{Pr}[X'=X]=2^{-\ell }\textrm{Pr}[X'=X]\).

$$\begin{aligned}{} & {} \textrm{Pr}[U'=U]\textrm{Pr}[X\oplus h_{U}(K)=X'\oplus h_{U}(K')] \nonumber \\{} & {} \quad =2^{-\lambda }\Big (2^{-\ell }\textrm{Pr}[X'=X] +\sum _{{\mathop {a\ne 0}\limits ^{a\in \{0,1\} ^n}}}\textrm{Pr}[X\oplus X'=a]\textrm{Pr}[h_{U}(K)\oplus h_{U}(K')=a]\Big ).\nonumber \\ \end{aligned}$$
(17)

For the \(a\ne 0\) part of the summation we split up a as \(a=a_L||a_R\) with \(a_L\in \{0,1\} ^\ell \), \(a_R\in \{0,1\} ^{n-\ell }\) and write

$$\begin{aligned}{} & {} \sum _{{\mathop {a\ne 0}\limits ^{a\in \{0,1\} ^n}}}\textrm{Pr}[X\oplus X'=a]\textrm{Pr}[h_{U}(K)\oplus h_{U}(K')=a] \nonumber \\{} & {} \quad = \sum _{(a_L,a_R)\ne 0} \textrm{Pr}[X\oplus X'=a] \textrm{Pr}[K\oplus K'=a_L] \textrm{Pr}[(Ua_L)_{\textrm{lsb}}=a_R] \nonumber \\{} & {} \quad =\sum _{{\mathop {a_R}\limits ^{a_L\ne 0}}} \textrm{Pr}[X\oplus X'=a] \textrm{Pr}[K\oplus K'=a_L] \textrm{Pr}[(Ua_L)_{\textrm{lsb}}=a_R]. \end{aligned}$$
(18)

The last equality follows from that fact that \(a_L=0\) implies \(Ua_L=0\) and hence \(a_R=0\), while \((a_L,a_R)=(0,0)\) is not part of the summation; hence \(a_L=0\) drops from the summation. Next, we note that \(K\oplus K'\) is uniform on \( \{0,1\} ^\ell \), yielding \(\textrm{Pr}[K\oplus K'=a_L]=2^{-\ell }\) and that \((Ua_L)_{\textrm{lsb}}\) for \(a_L\ne 0\) is uniform on \( \{0,1\} ^{n-\ell }\), yielding \(\textrm{Pr}[(Ua_L)_{\textrm{lsb}}=a_R]=2^{-(n-\ell )}\). Combining all these results we get

$$\begin{aligned}{} & {} \textrm{Pr}[{\textsf{Enc}}_{U}(K,X) = {\textsf{Enc}}_{U'}(K',X')]\nonumber \\{} & {} \quad =2^{-\lambda }\Big ( 2^{-\ell }\textrm{Pr}[X'=X]+2^{-n} \sum _{a_L\ne 0}\sum _{a_R} \textrm{Pr}[X\oplus X'=a] \Big )\nonumber \\{} & {} \quad =2^{-\lambda }\Big ( 2^{-\ell }\textrm{Pr}[X'=X] +2^{-n} \{1 - \sum _{a_R} \textrm{Pr}[X\oplus X' = 0||a_R] \} \Big ) \nonumber \\{} & {} \quad \le 2^{-\lambda -n}(1+2^{n-\ell -{\textsf{H}}_2(X)}) \end{aligned}$$
(19)

where we have used that \({\textsf{H}}_2(X)=-\log \textrm{Pr}[X'=X]\). \(\square \)

Theorem 4.4

Let \(t\ge 2\log \frac{1}{\varepsilon }-5\). Let the key length be set as \(\ell = n-t+2\log \frac{1}{\varepsilon }-5\). Then the encryption scheme of Sect. 4.1 is \((t,\varepsilon )\)-entropically secure.

Proof

Setting \(\ell = n-t+2\log \frac{1}{\varepsilon }-5\) in (16) yields a collision probability upper bound of \(2^{-2n}(1+2{{\tilde{\varepsilon }}}^2)\), with \({{\tilde{\varepsilon }}}=8\varepsilon \sqrt{2^{[t-2]-{\textsf{H}}_2(X)}}\). Thus, according to Lemma 3.6 and Def. 3.4, our scheme has \((t-2,8\varepsilon )\) entropic indistinguishability.Footnote 5 Finally we invoke Lemma 3.5 for the implication of \((t,\varepsilon )\)-entropic security. \(\square \)

5 Our results on entropically secure quantum encryption

Our construction for encrypting n qubits is very similar to the classical construction. The difference lies in the use of the QOTP instead of classical OTP, and in the length of the expanded key which is now 2n instead of n.

5.1 The construction

The message space is \({{\mathcal {D}}}({{\mathcal {H}}}_2^{\otimes n})\). The key space is \({{\mathcal {K}}}= \{0,1\} ^\ell \). Let \(\lambda =\max \{\ell , 2n-\ell \}\). The ciphertext space is \( \{0,1\} ^{2n-\ell +\lambda }\times {{\mathcal {D}}}({{\mathcal {H}}}_2^{\otimes n})\). Let \(u\in \{0,1\} ^\lambda \) and \(v\in \{0,1\} ^{2n-\ell }\). We define a hash function b as

$$\begin{aligned} b(k,u,v) = k \Vert (uk+v)_{\textrm{lsb}}. \end{aligned}$$
(20)

Here the multiplication and addition in the computation of \(uk+v\) are GF\((2^\lambda )\) operations. The subscript ‘lsb’ (Least Significant Bits) stands for taking the last \(2n-\ell \) bits of the string; in the finite field representation, this corresponds to taking a polynomial in x modulo \(x^{2n-\ell }\). Instead of \((uk+v)_{\textrm{lsb}}\) we can also write \((uk)_{\textrm{lsb}}+v\).

Let \(\varphi \in {{\mathcal {D}}}({{\mathcal {H}}}_2^{\otimes n})\). The encryption step draws random uv and outputs n qubits as well as the uv,

$$\begin{aligned} {\textsf{Enc}}_{uv}(k,\varphi ) = \Big (u,v, F_{b(k,u,v)}(\varphi )\Big ) \end{aligned}$$
(21)

with F the QOTP encryption as defined in (11) and \(b(\cdot ,\cdot ,\cdot )\) as defined by (20). Decryption is essentially the same as encryption,

$$\begin{aligned} {\textsf{Dec}}\big (k, (u,v,{{\tilde{\varphi }}})\big ) = F_{b(k,u,v)}({{\tilde{\varphi }}}). \end{aligned}$$
(22)

Example 5.1

Consider \(\ell <n\). In this case \(\lambda {\mathop {=}\limits ^{{\textrm{def}}}}\max (\ell , 2n-\ell )=2n-\ell \). Hence \(u\in \{0,1\} ^{2n-\ell }\). The product uk is computed in GF\((2^{2n-\ell })\), where k is converted to an element of GF\((2^{2n-\ell })\) by left zero padding. The hash \(b(k,u,v)\in \{0,1\} ^{2n}\) is constructed as \(k||(uk+v)\). The classical part of the ciphertext is \(2\cdot (2n-\ell )\) bits long.

Example 5.2

Consider \(\ell >n\). In this case \(\lambda {\mathop {=}\limits ^{{\textrm{def}}}}\max (\ell , 2n-\ell )=\ell \). Hence \(u\in \{0,1\} ^\ell \). The product uk is computed in GF\((2^\ell )\). Then the \(2n-\ell \) least significant bits are taken of uk. The 2n-bit hash is constructed as \(b(k,u,v)=k|| ([uk]_{\textrm{lsb}}+v)\). The classical part of the ciphertext is 2n bits long.

Note that Example 5.2 is the relevant case for Approximate Randomization. There, for large n, the key length \(\ell \) is slightly above n. The main computational effort is the GF(\(2^\ell \)) multiplication, with \(\ell \approx n\). In contrast, the GF-based scheme of [13] would need to multiply the \(\ell \)-bit key times a 2n-bit seed, with is roughly twice the work. For more details see Sect. 6.

5.2 Security proof

Let \({{\mathcal {H}}}_A={{\mathcal {H}}}_2^{\otimes n}\) and let Eve be entangled with the plaintext state. The joint state is \(\varphi ^{\textrm{AE}}\in {{\mathcal {D}}}({{\mathcal {H}}}_A\otimes {{\mathcal {H}}}_E)\). As discussed in Sect. 3.3, the encryption Enc acts only on the ‘A’ subsystem. As the parameters uv are public we focus on the quantum part of the ciphertext. From Eve’s point of view, the state after encryption is

$$\begin{aligned} R_{uv}(\varphi ^{\textrm{AE}}) {\mathop {=}\limits ^{{\textrm{def}}}}\frac{1}{2^\ell } \sum _{k\in \{0,1\} ^\ell } F_{b(k,u,v)}(\varphi ^{\textrm{AE}}). \end{aligned}$$
(23)

Lemma 5.3

It holds that

$$\begin{aligned} {{\mathbb {E}}}_{v} R_{uv}(\varphi ^{\textrm{AE}})=\tau ^{\textrm{A}}\otimes \varphi ^{\textrm{E}}. \end{aligned}$$
(24)

Proof

We write \({{\mathbb {E}}}_{v} R_{uv}(\varphi ^{\textrm{AE}})={{\mathbb {E}}}_{kv}F_{b(k,u,v)}(\varphi ^{\textrm{AE}})\). Next, \({{\mathbb {E}}}_{kv}F_{b(k,u,v)}(\varphi ^{\textrm{AE}})={{\mathbb {E}}}_{\beta \in \{0,1\} ^{2n}} F_\beta (\varphi ^{\textrm{AE}})=\tau ^{\textrm{A}}\otimes \varphi ^{\textrm{E}}\). The equality \({{\mathbb {E}}}_{kv}={{\mathbb {E}}}_\beta \) follows from the fact that for any fixed u, the k and v together can create any string \(\beta \in \{0,1\} ^{2n}\) in precisely one way. The last equality is due to the fact that the QOTP is completely randomizing (12). \(\square \)

Lemma 5.4

Let f be any (possibly operator-valued) function acting on \( \{0,1\} ^{2n}\) and \(g=(uk+v)_{\textrm{lsb}}\), \(g'=(uk'+v)_{\textrm{lsb}}\). It holds that

$$\begin{aligned} {{\mathbb {E}}}_{kk'uv} f(b(k,u,v))f(b(k',u,v))= & {} 2^{-\ell }{{\mathbb {E}}}_\beta f(\beta )f(\beta )+ {{\mathbb {E}}}_{\beta \beta '}f(\beta )f(\beta ') \nonumber \\{} & {} -2^{-\ell }{{\mathbb {E}}}_{kgg'}f(k\Vert g) f(k\Vert g'). \end{aligned}$$
(25)

Here \(\beta ,\beta '\in \{0,1\} ^{2n}\), and \({{\mathbb {E}}}_\beta \) stands for \(2^{-2n} \sum _{\beta }\). Similarly, \(g,g'\in \{0,1\} ^{2n-\ell }\) and \({{\mathbb {E}}}_g\) stands for \(2^{\ell -2n} \sum _g\).

Proof

We write \(f_x\) instead of f(x). We omit the \(\Vert \) in the expression \(k\Vert g\). In this notation the left hand side of (25) is \({{\mathbb {E}}}_{kk'uv}f_{kg}f_{k'g'}\).

$$\begin{aligned} {{\mathbb {E}}}_{kk'uv}f_{kg}f_{k'g'}&=\frac{1}{|{{\mathcal {K}}}|^2}\sum _k {{\mathbb {E}}}_{uv}f_{kg}f_{kg} + \frac{1}{|{{\mathcal {K}}}|^2} \sum _{kk': k\ne k'}{{\mathbb {E}}}_{uv}f_{kg}f_{k'g'}\nonumber \\&{\mathop {=}\limits ^{(a)}} \frac{1}{|{{\mathcal {K}}}|}{{\mathbb {E}}}_\beta f_\beta f_\beta + \frac{1}{|{{\mathcal {K}}}|^2} \sum _{kk': k\ne k'}{{\mathbb {E}}}_{gg'}f_{kg}f_{k'g'}\end{aligned}$$
(26)
$$\begin{aligned}&=\frac{1}{|{{\mathcal {K}}}|}{{\mathbb {E}}}_\beta f_\beta f_\beta + \frac{1}{|{{\mathcal {K}}}|^2} \sum _{kk'}{{\mathbb {E}}}_{gg'} f_{kg}f_{k'g'} -\frac{1}{|{{\mathcal {K}}}|^2}\sum _k {{\mathbb {E}}}_{gg'}f_{kg}f_{kg'}\nonumber \\&=\frac{1}{|{{\mathcal {K}}}|}{{\mathbb {E}}}_\beta f_\beta f_\beta + {{\mathbb {E}}}_{\beta \beta '} f_\beta f_{\beta '}-\frac{1}{|{{\mathcal {K}}}|}{{\mathbb {E}}}_k {{\mathbb {E}}}_{gg'}f_{kg}f_{kg'}. \end{aligned}$$
(27)

In step (a) we used in the first term that summation over \(k\in \{0,1\} ^\ell \) and \(v\in \{0,1\} ^{2n-\ell }\) exactly corresponds to summation over \(\beta \in \{0,1\} ^{2n}\); in the second term we used that (for \(k'\ne k\)) averaging over (uv) exactly corresponds to averaging over \((g,g')\). The latter is obvious in the case \(u\in \{0,1\} ^{2n-\ell }\) (\(\lambda =2n-\ell \)), as the ‘lsb’ in \((uk)_{\textrm{lsb}}\) can be omitted. In the case \(u\in \{0,1\} ^\ell \) (\(\lambda =\ell \)), the (uv)-summation covers the \((g,g')\)-space exactly an integer number (\(2^{2\ell -2n}\)) of times. This is seen as follows. When the two equations \(g=(uk+v)_{\textrm{lsb}}\), \(g'=(uk'+v)_{\textrm{lsb}}\) are added, the v disappears and we get \([u(k+k')]_{\textrm{lsb}}=g+g'\), which has \(2^\ell /2^{2n-\ell }\) solutions u. Then, at fixed \(k,k',g,g',u\) the solution for v is unique. \(\square \)

Another way of looking at step (a) is: the independence and uniformity of U and V cause the linear combinations \(G=(kU)_{\textrm{lsb}}+V\) and \(G'=(k' U)_{\textrm{lsb}}+V\) to be independent and uniform.

Theorem 5.5

Our encryption scheme described in Sect. 5.1 satisfies

$$\begin{aligned} {{\mathbb {E}}}_{uv} \Big \Vert R_{uv}(\varphi ^{\textrm{AE}})-\tau ^A\otimes \varphi ^{\textrm{E}}\Big \Vert _1 \le \sqrt{2^{n-\ell -{\textsf{H}}_2(A|E)_\varphi }}. \end{aligned}$$
(28)

Proof

Let \(\sigma ^{\textrm{E}}\) be a non-negative operator on \({{\mathcal {H}}}_E\) and \(\sigma =\mathbbm {1}^{\textrm{A}}\otimes \sigma ^{\textrm{E}}\).

$$\begin{aligned}{} & {} {{\mathbb {E}}}_{uv}\Vert R_{uv}(\varphi ^{\textrm{AE}})-\tau ^A\otimes \varphi ^{\textrm{E}}\Vert _1 \end{aligned}$$
(29)
$$\begin{aligned}{} & {} \quad {\mathop {\le }\limits ^{\text {Lemma}~3.11}} {{\mathbb {E}}}_{uv}\min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,\sigma }\sqrt{{\textrm{Tr}}\,[ R_{uv}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}}-\tau ^A\otimes \varphi ^{\textrm{E}} \sigma ^{-{\textstyle \frac{1}{2}}}]^2} \end{aligned}$$
(30)
$$\begin{aligned}{} & {} \quad {\mathop {\le }\limits ^{\textrm{Jensen}}} \min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,\sigma }\sqrt{{\textrm{Tr}}\,[{{\mathbb {E}}}_{uv}( R_{uv}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}}-\tau ^A\otimes \varphi ^{\textrm{E}} \sigma ^{-{\textstyle \frac{1}{2}}})^2]} \end{aligned}$$
(31)
$$\begin{aligned}{} & {} \quad {\mathop {=}\limits ^{{\textrm{Lemma}}~5.3}} \min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,\sigma }\sqrt{{\textrm{Tr}}\,[{{\mathbb {E}}}_{uv}( R_{uv}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}})^2] -{\textrm{Tr}}\,[\tau ^A\otimes \varphi ^{\textrm{E}} \sigma ^{-{\textstyle \frac{1}{2}}}]^2}\end{aligned}$$
(32)
$$\begin{aligned}{} & {} \quad =\min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,\sigma }\sqrt{{\textrm{Tr}}\,[{{\mathbb {E}}}_{kk'uv} F_{b(kuv)}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}} F_{b(k'uv)}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}}]-2^{-n}{\textrm{Tr}}\,[\varphi ^{\textrm{E}} ({\sigma ^{\textrm{E}}})^{-{\textstyle \frac{1}{2}}}]^2}. \nonumber \\ \end{aligned}$$
(33)

Next, we apply Lemma 5.4 to the first expression under the square root in (33), identifying f(b(kuv)) \(=F_{b(kuv)}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}}\). This yields

$$\begin{aligned}{} & {} {\textrm{Tr}}\,\Big [{{\mathbb {E}}}_{kk'uv} F_{b(kuv)}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}} F_{b(k'uv)}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}}\Big ] \nonumber \\{} & {} \quad ={\textrm{Tr}}\,\Big [2^{-\ell } {{\mathbb {E}}}_\beta F_\beta (\varphi ^{\textrm{AE}})\sigma ^{-{\textstyle \frac{1}{2}}} F_\beta (\varphi ^{\textrm{AE}})\sigma ^{-{\textstyle \frac{1}{2}}}+(\tau ^{\textrm{A}}\otimes \varphi ^{\textrm{E}} ({\sigma ^{\textrm{E}}})^{-{\textstyle \frac{1}{2}}})^2 \nonumber \\{} & {} \qquad -2^{-\ell }{{\mathbb {E}}}_{kgg'} F_{kg}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}} F_{kg'}(\varphi ^{\textrm{AE}}) \sigma ^{-{\textstyle \frac{1}{2}}}\Big ] \end{aligned}$$
(34)
$$\begin{aligned}{} & {} \quad \le 2^{-\ell }{\textrm{Tr}}\,\Big [{{\mathbb {E}}}_\beta F_\beta (\varphi ^{\textrm{AE}})\sigma ^{-{\textstyle \frac{1}{2}}} F_\beta (\varphi ^{\textrm{AE}})\sigma ^{-{\textstyle \frac{1}{2}}}\Big ]+2^{-n}{\textrm{Tr}}\,\Big [\varphi ^{\textrm{E}}\sigma ^{-{\textstyle \frac{1}{2}}}\Big ]^2. \end{aligned}$$
(35)

Substitution into (33), and writing \({\textrm{Tr}}\,\sigma =2^n{\textrm{Tr}}\,\sigma ^{E}\), gives

$$\begin{aligned}{} & {} {{\mathbb {E}}}_{uv}\Vert R_{uv}(\varphi ^{\textrm{AE}})-\tau ^{\textrm{A}}\otimes \varphi ^{\textrm{E}}\Vert _1 \nonumber \\{} & {} \quad \le \sqrt{2^{n-\ell }}\min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,{\sigma ^{\textrm{E}}}}\sqrt{ {{\mathbb {E}}}_\beta {\textrm{Tr}}\,\Big [F_\beta (\varphi ^{\textrm{AE}})\sigma ^{-{\textstyle \frac{1}{2}}} F_\beta (\varphi ^{\textrm{AE}})\sigma ^{-{\textstyle \frac{1}{2}}} \Big ]}\nonumber \\{} & {} \quad =\sqrt{2^{n-\ell }}\min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,{\sigma ^{\textrm{E}}}}\sqrt{ {{\mathbb {E}}}_\beta {\textrm{Tr}}\,\Big [ U_\beta \varphi ^{\textrm{AE}}U_\beta ^{\dag }\sigma ^{-{\textstyle \frac{1}{2}}} U_\beta \varphi ^{\textrm{AE}}U_\beta ^{\dag }\sigma ^{-{\textstyle \frac{1}{2}}} \Big ]}\nonumber \\{} & {} \quad =\sqrt{2^{n-\ell }}\min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,{\sigma ^{\textrm{E}}}}\sqrt{ {{\mathbb {E}}}_\beta {\textrm{Tr}}\,\Big [\varphi ^{\textrm{AE}}(U_\beta ^{\dag }\sigma ^{-{\textstyle \frac{1}{2}}} U_\beta )\varphi ^{\textrm{AE}}(U_\beta ^{\dag }\sigma ^{-{\textstyle \frac{1}{2}}}U_\beta ) \Big ] }\nonumber \\{} & {} \quad =\sqrt{2^{n-\ell }}\min _{\sigma ^E}\sqrt{{\textrm{Tr}}\,{\sigma ^{\textrm{E}}}}\sqrt{ {\textrm{Tr}}\,\Big [\varphi ^{\textrm{AE}} \sigma ^{-{\textstyle \frac{1}{2}}} \varphi ^{\textrm{AE}}\sigma ^{-{\textstyle \frac{1}{2}}} \Big ]}. \end{aligned}$$
(36)

In (36) we have used the fact that the \(U_\beta \) acts only on the ‘A’ subsystem, leaving \(\sigma ^{-\frac{1}{2}}\) unchanged. Finally, we restrict \(\sigma ^{\textrm{E}}\) to \({{\mathcal {D}}}({{\mathcal {H}}}_E)\), so that \({\textrm{Tr}}\,{\sigma ^{\textrm{E}}}=1\), and apply the definition of conditional quantum Rényi entropy (2) to get \({\min }_{\sigma ^E} {\textrm{Tr}}\,\varphi ^{\textrm{AE}} \sigma ^{-{\textstyle \frac{1}{2}}} \varphi ^{\textrm{AE}}\sigma ^{-{\textstyle \frac{1}{2}}} = 2^{-{\textsf{H}}_2(A|E)_\varphi }\). \(\square \)

Theorem 5.6

Let the key length be set as \(\ell = n-t +2\log \frac{1}{\varepsilon }+3\). Then the quantum encryption scheme of Sect. 5.1 is \((t,\varepsilon )\)-strongly entropically secure for all functions.

Proof

The ciphertext space is \( \{0,1\} ^{2n-\ell +\lambda }\times {{\mathcal {D}}}({{\mathcal {H}}}_2^{\otimes n})\). The quantum-classical ciphertext state, entangled with Eve, is \(\varphi ^{\mathrm{A'E}}={{\mathbb {E}}}_{uv}| uv \rangle \langle uv |\otimes R_{uv}(\varphi ^{\textrm{AE}})\). According to the entropic indistinguishability definition (Def. 3.9), the quantity to be bounded is \(\Vert \varphi ^{\mathrm{A'E}}-\Omega ^{\mathrm{A'}}\otimes \varphi ^{\textrm{E}} \Vert _1\), which, after setting \(\Omega ^{\mathrm{A'}}=\tau ^{\mathrm{A'}}\), becomes \(\Vert {{\mathbb {E}}}_{uv}| uv \rangle \langle uv |\otimes R_{uv}(\varphi ^{\textrm{AE}}) -{{\mathbb {E}}}_{uv}| uv \rangle \langle uv |\otimes \tau ^{\textrm{A}}\otimes \varphi ^{\textrm{E}}\Vert _1\) =\({{\mathbb {E}}}_{uv}\Vert R_{uv}(\varphi ^{\textrm{AE}}) - \tau ^{\textrm{A}}\otimes \varphi ^{\textrm{E}} \Vert _1\). This we upper bound with Theorem 5.5. Next, setting \(\ell = n-t +2\log \frac{1}{\varepsilon }+3\) in (28) yields \(\Vert \varphi ^{\mathrm{A'E}}-\tau ^{\mathrm{A'}}\otimes \varphi ^{\textrm{E}} \Vert _1 \le \) \(\frac{\varepsilon }{2}\sqrt{2^{[t-1]-{\textsf{H}}_2(A|E)_\varphi }}\). Hence we have \((t-1,\frac{\varepsilon }{2})\) entropic indistinguishability according to Def. 3.9. This implies \((t,\varepsilon )\) strong entropic security according to Lemma 3.10. \(\square \)

Note that we achieve \((t,\varepsilon )\)-entropic indistinguishability with key length \(n-t+2\log \frac{1}{\varepsilon }\). For approximate randomization, where the plaintext is unentangled (\(t=0\)), we thus get the key length \(n+2\log \frac{1}{\varepsilon }\) as listed in Table 2.

A special case of quantum encryption is when the plaintext is classical. Then the quantum encryption scheme typically reduces to a classical scheme that is secure against quantum adversaries. The QOTP (11), when applied to classical plaintext bits encoded in the z-basis,Footnote 6 has the effect of xor-ing the plaintext with the string \(s\in \{0,1\} ^n\), while the string q does nothing and can be omitted from the scheme.

6 Complexity of the key expansion

We comment on the complexity of our key expansion compared to previous works. Complexity is typically quantified as the number of bit-AND operations; bit-XOR operations are considered to be much cheaper. Multiplication in GF\((2^\nu )\) has time complexity \({{\mathcal {O}}}(\nu \log \nu )\) [23, 24] whereas GF\((2^\nu )\) addition (subtraction) consists of \(\nu \) bit-XOR operations. Mateer [25] introduced an improved version of Schönhage’s multiplication algorithm [26]. If m is of the form \(3^\kappa \) and \(\kappa \) is a power of two, then multiplication of two elements in GF(\(2^{2m}\)) requires \( {\textstyle \frac{17}{3}}m\log _3 m\) bit-AND operations and at least \({\textstyle \frac{52}{5}}m\log m \log (\log m) + {\textstyle \frac{3}{2}}m\log m - {\textstyle \frac{3}{2}}m+{\textstyle \frac{11}{2}}\sqrt{m}\) bit-XORs. If \(\kappa \) is not a power of two, then the number of ANDs slightly increases to \(6m\log _3 m\) while the bound on the XORs stays the same.

Entropically secure encryption.

Dodis and Smith’s key expansion for classical entropically-secure encryption [6] makes use of a xor-universal hash function that is implemented by GF(\(2^n\))-multiplying the key \(k\in \{0,1\} ^\ell \) times a random string \(i\in \{0,1\} ^n\). In contrast, our classical scheme has multiplication in GF\((2^{\lambda })\), with \(\lambda =\max (\ell ,n-\ell )\), and the concatenation with k is for free. For short keys the speedup is modest; only when the key length \(\ell \) is a sizeable part of n does the speedup become interesting.

The situation is similar in the general quantum case with entanglement. The scheme of Desrosiers and Dupuis [8] has a key expansion that is the same as in [6] but for string length 2n instead of n. Again, our speedup from GF(\(2^{2n}\))-multiplication to GF(\(2^{2n-\ell }\)) is modest when the key is short.

Approximate randomization.

The case of approximate randomization corresponds to entropically secure encryption with \(t=0\), i.e. without entanglement between Eve and the plaintext state, but with no further guarantees about Eve’s (lack of) knowledge. The key size \(\ell \) is slightly larger than one-half of the extended length 2n, namely \(\ell =n+2\log {\textstyle \frac{1}{\varepsilon }}\). We consider \(n\gg 2\log {\textstyle \frac{1}{\varepsilon }}\) and neglect the term \(2\log {\textstyle \frac{1}{\varepsilon }}\). Our key expansion consists of one multiplication in GF(\(2^\ell \)) and one addition in GF(\(2^{2n-\ell }\)) or, since \(\ell \) asymptotically almost equals n, roughly speaking one multiplication and one addition in GF(\(2^n\)). With Mateer’s multiplication for general \(\kappa \), this yields a total cost of \(3 n\log _3 n - 3 n\log _3 2\) ANDs and \(\ge n\log n \{\frac{26}{5}\log \log \frac{n}{2} +\frac{3}{4}\}-n\{ \frac{26}{5}\log \log \frac{n}{2}+\frac{1}{2} \}\) \(+{{{\mathcal {O}}}}(\sqrt{n})\) XORs for our key expansion.

Next we consider the key expansion of [13]. In [13] the \(\ell \)-bit key k is multiplied by a string \(\alpha \in \{0,1\}^{2n}\), and the multiplication is in GF(\(2^{2n}\)). If we write \(\alpha =L||R\) and take \(\ell \approx n\) then this can be reorganized into the following steps: (i) a polynomial multiplication \(k\cdot R\) without modular reduction; (ii) a polynomial multiplication \(k\cdot L\) shifted by n positions, resulting in a polynomial of degree at most 3n, followed by GF(\(2^{2n}\)) modular reduction; (iii) addition of the two above contributions. As we count two XORs per monomial that needs to be reducedFootnote 7, we see that the addition in step (iii) precisely compensates the missing reduction in step (i). Furthermore, the number of monomials that needs reducing in step (ii) is n, which is the same as in GF(\(2^n\)) multiplication. Hence the cost of computing \(k\cdot \alpha \) equals the cost of two GF(\(2^n\)) multiplications.

Since in GF(\(2^n\)), multiplication is much more expensive than addition, we see that our key expansion is a factor 2 cheaper than [13].

7 Implementation

Entropically secure encryption involves two main processes: key expansion and encryption. The encryption is a straightforward XOR operation in the classical case, and qubitwise Pauli operations in the classical case. The key expansion requires more work, namely the Galois field multiplication of the short key and the public string. This multiplication can be implemented in two steps. The first step is binary polynomial multiplication. The second step is modular reduction with an irreducible polynomial.

We have done some preliminary implementation work, without extensive optimization. Note that existing finite field implementations are optimized for much smaller inputs than what are dealing with. For the binary polynomial multiplication we have used the gf2x library (version 1.3.0) [28]. It is suitable for flexible sizes and is faster than similar libraries. For the reduction, lists are available of irreducible polynomials for specific degrees but they go up to only around GF(\(2^{18}\)) [29]. We have used a class of irreducible polynomials and reduction algorithm proposed by Banegas et al. [27]. It works for any length and requires fewer XORs than previous reduction algorithms.

Our preliminary experiments were done on an Intel Core i7-9750 H 2.60GHZ processor with 16GB RAM. For message length \(2^{26}\) bits and key length \(2^{14}\) bits, the polynomial multiplication takes 0.29 s, and reduction 0.47 s. When message is longer, \(2^{32}\) bits, and key has the same length, \(2^{14}\), the polynomial multiplication takes 44.29 s, and reduction 33.0 s. Optimization is left for future work.

8 Discussion

Our scheme achieves the same shortest key length \(\ell =n-t+2\log \frac{1}{\varepsilon }\) reported in other studies, but with a more efficient key expansion. In the classical case, we achieve a reduction of the ciphertext size compared to the best-known [6] scheme that has fast key expansion.

It is interesting to note that the security proof in [13] uses Fourier analysis and \(\delta \)-biased families, and invokes Cayley graphs for intuition, whereas our proof is more straightforward. Furthermore, the security proof in [8] uses an expansion in the Pauli basis, which we do not need.

All the definitions of entropic indistinguishability and entropic security put a condition on the min-entropy of the plaintext, whereas all the security proofs yield expressions that contain the collision entropy. It may be advantageous to work with modified definitions that put a condition on the collision entropy, since that is more easily met.

We briefly discuss the application of entropically secure encryption as a building block in various larger schemes. Consider for instance Quantum Key Distribution. QKD produces information-theoretically secure key material at a rate that depends on the quality of the quantum channel and the details of the QKD scheme. Depending on the amount of plaintext that needs to be encrypted, a QKD key may be employed as a one-time-pad or as a symmetric key in blockcipher/streamcipher encryption. The latter case would necessarily occur, e.g. when a plaintext data stream arrives at a higer rate (bit per second) than the QKD key generation rate. Then the encryption is computationally secure; this is perfectly legitimate but a bit disappointing given that the key exchange was information-theoretically secure. It is interesting to note that (classical) ESE can re-instate information-theoretic security when the \(\frac{n-t}{t}\) value of the plaintext stream is lower than the QKD key rate, e.g. in case of well compressed data. Our key expansion scheme yields a significant computational improvement over existing ESE schemes when the required key length for ESE is of the same order of magnitude as the plaintext length, e.g. \(n-t > n/2 \). Computational efficiency is important when one deals with gigabits-per-second data streams that need to be encrypted in realtime.

Furthermore, there are various quantum-cryptographic schemes that require encryption of quantum states, e.g. zero knowledge protocols, commitments, signing/authentication of quantum states [30].

It is an interesting topic for future work to see how much they can gain from approximate randomization, and how relevant a factor 2 speedup would be.

Note that ESE should be used carefully, because it does not have composability [6]. When ESE is used as a component in a larger scheme, security may be lost if the other components somehow cause a violation of ESE’s entropy condition. For this reason it is prudent to apply ESE in tandem with a computationally secure encryption scheme.