Quantum Authentication and Encryption with Key Recycling

Or: How to Re-use a One-Time Pad Even if \(P=NP\) — Safely & Feasibly
  • Serge Fehr
  • Louis Salvail
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10212)


We propose an information-theoretically secure encryption scheme for classical messages with quantum ciphertexts that offers detection of eavesdropping attacks, and re-usability of the key in case no eavesdropping took place: the entire key can be securely re-used for encrypting new messages as long as no attack is detected. This is known to be impossible for fully classical schemes, where there is no way to detect plain eavesdropping attacks.

This particular application of quantum techniques to cryptography was originally proposed by Bennett, Brassard and Breidbart in 1982, even before they proposed quantum key distribution; a simple candidate scheme was suggested, but no rigorous security analysis was given. The idea was picked up again in 2005, when Damgård, Pedersen and Salvail suggested a new scheme for the same task, this time with a rigorous security analysis. However, their scheme is much more demanding in terms of quantum capabilities: it requires the users to have a quantum computer.

In contrast, and like the original scheme by Bennett et al., our new scheme merely requires the honest users to prepare and measure single BB84 qubits. As such, we not only show the first provably secure scheme that is within reach of current technology, but we also confirm Bennett et al.’s original intuition that a scheme in the spirit of their original construction is indeed secure.


Keywords: Hash Function; Encryption Scheme; Authentication Scheme; Quantum Communication; Message Authentication Code



The authors would like to thank Ivan Damgård and Christian Schaffner for interesting discussions related to this work, and Christopher Portmann for comments on an earlier version of the paper.


References

  1. Ambainis, A., Mosca, M., Tapp, A., De Wolf, R.: Private quantum channels. In: 41st IEEE FOCS, pp. 547–553 (2000)
  2. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: IEEE International Conference on Computers, Systems and Signal Processing, pp. 175–179 (1984)
  3. Bennett, C.H., Brassard, G., Breidbart, S.: Quantum cryptography II: how to re-use a one-time pad safely even if \(P=NP\). Nat. Comput. 13(4), 453–458 (2014)
  4. Barnum, H., Crépeau, C., Gottesman, D., Smith, A., Tapp, A.: Authentication of quantum messages. In: 43rd IEEE FOCS, pp. 449–458 (2002)
  5. Damgård, I., Pedersen, T.B., Salvail, L.: A quantum cipher with near optimal key-recycling. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 494–510. Springer, Heidelberg (2005). doi: 10.1007/11535218_30
  6. Damgård, I., Brochmann Pedersen, T., Salvail, L.: How to re-use a one-time pad safely and almost optimally even if \(P=NP\). Nat. Comput. 13(4), 469–486 (2014)
  7. Damgård, I.B., Fehr, S., Salvail, L., Schaffner, C.: Secure identification and QKD in the bounded-quantum-storage model. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 342–359. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74143-5_19
  8. Dodis, Y., Smith, A.: Correcting errors without leaking partial information. In: 37th ACM STOC, pp. 654–663 (2005)
  9. Fehr, S., Schaffner, C.: Randomness extraction via delta-biased masking in the presence of a quantum attacker. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 465–481. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78524-8_26
  10. Garg, S., Yuen, H., Zhandry, M.: New security notions and feasibility results for authentication of quantum data. Manuscript (2016). arXiv:1607.07759v1
  11. Hayden, P., Leung, D., Mayers, D.: Universal composable security of quantum message authentication with key recycling. Talk at QCRYPT 2011, Zürich (2011)
  12. König, R., Renner, R., Schaffner, C.: The operational meaning of min- and max-entropy. IEEE Trans. Inf. Theor. 55(9), 4337–4347 (2009)
  13. Leung, D.: Quantum Vernam cipher. Quantum Inf. Comput. 2(1), 14–34 (2002)
  14. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)
  15. Oppenheim, J., Horodecki, M.: How to reuse a one-time pad and other notes on authentication, encryption and protection of quantum information. Phys. Rev. A 72, 042309 (2005)
  16. Portmann, C.: Quantum authentication with key recycling. Manuscript (2016). Also to appear in these proceedings
  17. Renner, R.: Security of quantum key distribution. Ph.D. thesis, ETH Zürich, No. 16242 (2005)
  18. Radhakrishnan, J., Ta-Shma, A.: Bounds for dispersers, extractors, and depth-two superconcentrators. SIAM J. Comput. 13(1), 2–24 (2000)
  19. Tomamichel, M., Fehr, S., Kaniewski, J., Wehner, S.: One-sided device-independent QKD and position-based cryptography from monogamy games. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 609–625. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_36

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands
  2. Université de Montréal (DIRO), Montréal, Canada
