Abstract
We present a quantum-public-key identification protocol and show that it is secure against a computationally-unbounded adversary. This demonstrates for the first time that unconditionally-secure and reusable public-key authentication is possible in principle with (pure-state) public keys.
Notes
1.
2. Note that it is not a user’s personal identification number (PIN) that functions as the prover’s private key; the PIN only serves to authenticate the user to the smart card (not the smart card to the card reader).
3. Pseudo-signature schemes, such as the one in Ref. [8], are information-theoretically secure but assume broadcast channels.
4. For password-based identification in a symmetric-key model, as in Ref. [10], where both Alice and Bob know something that Eve does not (i.e. the password), one can define a nontrivial “man-in-the-middle” attack, where Eve’s goal is to learn the password in order to impersonate Alice in a later instance of the protocol. However, in public-key identification, Eve’s goal of learning the private key may, without loss of generality, be accomplished by participating as a dishonest verifier and by obtaining copies of the public key, since Bob does not perform any action that Eve cannot perform herself given a copy of the public key.
5. This requires the following two facts: (1) for any integer \(a\),
$$\begin{aligned} \frac{1}{2\pi }\int _{0}^{2\pi } e^{i a \theta } \, d\theta = \left\{ \begin{array}{ll} 0 & \text{ if } a\ne 0 , \\ 1 & \text{ otherwise } ; \end{array} \right. \end{aligned}$$ (21)
and (2) for any integer \(p\ge 2\) and integer \(a\):
$$\begin{aligned} \frac{1}{p}\sum _{k=1}^p e^{2 \pi i a k/p} =\left\{ \begin{array}{ll} 0 & \text{ if } a \text{ is not a multiple of } p, \\ 1 & \text{ otherwise } , \end{array} \right. \end{aligned}$$ (22)
where the second fact is applied at \(p=2r+1\).
6. One way to interpret this result is that even if Alice encodes infinitely many bits into \(\phi \), it is no better than if she encoded \(\lceil \log _2(2r+1) \rceil \) bits. Note that if Eve performs an optimal phase estimation [16] in order to learn \(\phi \) and then cheat Bob, she can only learn at most \(\lfloor \log _2(2r-1)\rfloor \) bits of \(\phi \) (here, we assume Eve has \(2r-1\) copies of the public key, having left Bob one copy), whereas Alice actually encoded \(\lceil \log _2(2r+1) \rceil \) bits into \(\phi \).
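The two averaging identities in note 5, Eqs. (21) and (22), are the orthogonality relations that make the phase \(\phi\) effectively take only \(2r+1\) distinguishable values. As an added illustration (this code is not part of the paper), the following Python snippet evaluates both left-hand sides numerically and checks them against the stated right-hand sides over a range of integers \(a\) and moduli \(p\), including the specialisation \(p = 2r+1\) used in the note. The function names (`unit_circle_average`, `roots_of_unity_average`, `surviving_terms`, `note_5_specialisation`) and the ranges of \(a\) are my own choices.

```python
import cmath
import math

TOL = 1e-9  # tolerance when comparing a floating-point complex sum with 0 or 1


def unit_circle_average(a: int, n_points: int = 256) -> complex:
    """Numerically evaluate (1/2π) ∫_0^{2π} e^{iaθ} dθ, the left-hand side of Eq. (21).

    The trapezoid rule on a 2π-periodic integrand is exact for e^{iaθ} whenever
    |a| < n_points, so for the integer a used here this is not an approximation.
    """
    step = 2 * math.pi / n_points
    return sum(cmath.exp(1j * a * k * step) for k in range(n_points)) / n_points


def roots_of_unity_average(a: int, p: int) -> complex:
    """Evaluate (1/p) Σ_{k=1}^{p} e^{2πiak/p}, the left-hand side of Eq. (22)."""
    if p < 2:
        raise ValueError("Eq. (22) is stated for integer p >= 2")
    return sum(cmath.exp(2j * math.pi * a * k / p) for k in range(1, p + 1)) / p


def expected_21(a: int) -> float:
    """Right-hand side of Eq. (21): 1 if a == 0, else 0."""
    return 1.0 if a == 0 else 0.0


def expected_22(a: int, p: int) -> float:
    """Right-hand side of Eq. (22): 1 if a is a multiple of p, else 0."""
    return 1.0 if a % p == 0 else 0.0


def identity_21_holds(a_values) -> bool:
    """True if Eq. (21) is satisfied (to within TOL) for every a in a_values."""
    return all(abs(unit_circle_average(a) - expected_21(a)) < TOL for a in a_values)


def identity_22_holds(p: int, a_values) -> bool:
    """True if Eq. (22) is satisfied (to within TOL) for modulus p and every a in a_values."""
    return all(abs(roots_of_unity_average(a, p) - expected_22(a, p)) < TOL for a in a_values)


def surviving_terms(p: int, a_values) -> list:
    """The a-values for which the sum in Eq. (22) does not vanish.

    Eq. (22) says these are exactly the multiples of p; every other
    frequency averages out to zero over the p-th roots of unity.
    """
    return [a for a in a_values if abs(roots_of_unity_average(a, p)) > TOL]


def note_5_specialisation(r: int, a_values) -> bool:
    """Check Eq. (22) at p = 2r + 1, the modulus at which note 5 applies it."""
    return identity_22_holds(2 * r + 1, a_values)


if __name__ == "__main__":
    print(identity_21_holds(range(-20, 21)))
    print(identity_22_holds(7, range(-30, 31)))
    print(surviving_terms(5, range(-12, 13)))
    print(note_5_specialisation(r=3, a_values=range(-50, 51)))
```

The `surviving_terms` call is the useful one to look at: with \(p = 5\) only the multiples of 5 survive, which is the mechanism by which, at \(p = 2r+1\), any phase information beyond \(\lceil \log _2(2r+1) \rceil \) bits is averaged away.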
References
Menezes, A.J., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press LLC, Boca Raton (1996)
Gottesman, D., Chuang, I.L.: Quantum Digital Signatures (2001). quant-ph/0105032
Lamport, L.: Constructing digital signatures from a one-way function. CSL 98, SRI International (1979)
Kawachi, A., Koshiba, T., Nishimura, H., Yamakami, T.: Computational indistinguishability between quantum states and its cryptographic application. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 268–284. Springer, Heidelberg (2005). http://arxiv.org/abs/quants-ph/0403069
Hayashi, M., Kawachi, A., Kobayashi, H.: Quantum measurements for hidden subgroup problems with optimal sample complexity. Quantum Inf. Comput. 8, 0345–0358 (2008)
Ioannou, L.M., Mosca, M.: Public-key cryptography based on bounded quantum reference frames. http://arxiv.org/abs/0903.5156
Goldreich, O.: Foundations of Cryptography (Volume I): Basic Tools. Cambridge University Press, Cambridge (2001)
Chaum, D., Roijakkers, S.: Unconditionally secure digital signatures. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 206–214. Springer, Heidelberg (1991)
Gottesman, D.: Quantum public key cryptography with information-theoretic security. Workshop on classical and quantum information security, Caltech, 15–18 December 2005. http://www.cpi.caltech.edu/quantum-security/program.html; see also http://www.perimeterinstitute.ca/personal/dgottesman
Damgaard, I., Fehr, S., Salvail, L., Schaffner, C.: Secure identification and QKD in the bounded-quantum-storage model. CRYPTO 2007 4622, 342–359 (2007)
Bartlett, S.D., Rudolph, T., Spekkens, R.W., Turner, P.S.: Degradation of a quantum reference frame. New J. Phys. 8, 58 (2006)
Gutoski, G.: Quantum strategies and local operations. Ph.D. thesis, University of Waterloo (2009)
Mittal, R., Szegedy, M.: Product rules in semidefinite programming. In: Csuhaj-Varjú, E., Ésik, Z. (eds.) FCT 2007. LNCS, vol. 4639, pp. 435–445. Springer, Heidelberg (2007)
van Dam, W., Mauro D’Ariano, G., Ekert, A., Macchiavello, C., Mosca, M.: Optimal quantum circuits for general phase estimation. Phys. Rev. Lett. 98(9), 090501 (2007)
Beals, R., Buhrman, H., Cleve, R., Mosca, M., de Wolf, R.: Quantum lower bounds by polynomials. In FOCS ’98: Proceedings of the 39th Annual Symposium on Foundations of Computer Science (1998)
van Dam, W., Mauro D’Ariano, G., Ekert, A., Macchiavello, C., Mosca, M.: Optimal phase estimation in quantum networks. J. Phys. A: Math. Theor. 40, 7971–7984 (2007)
Chiribella, G., D’Ariano, G.M., Sacchi, M.F.: Optimal estimation of group transformations using entanglement. Phys. Rev. A 72(4), 042338 (2005)
Watrous, J.: Theory of quantum information. Lecture notes for course CS 789, University of Waterloo, http://www.cs.uwaterloo.ca/~watrous/ (2008)
Cleve, R., Slofstra, W., Unger, F., Upadhyay, S.: Strong parallel repetition theorem for quantum XOR proof systems (2006). arXiv:quant-ph/0608146v1
Kitaev, A., Watrous, J.: Parallelization, amplification, and exponential time simulation of quantum interactive proof systems. In STOC ’00: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing (2000)
Appendices
1.1 Proof of Sufficiency of Individual Attacks
Consider the following non-cryptographic, \((t+1)\)-round interactive protocol (or game) between Evelyn and Bobby (neither of whom is considered adversarial, hence we distinguish these two players from Eve and Bob), denoted \(\mathcal {L} = \mathcal {L}(\varPhi )\), where
and the \(\varPhi _i\) are quantum operations (super-operators) that specify Evelyn’s actions in the game (the quantities \(r\) and \(t\) are as defined previously):
- \((1')\) Bobby chooses a uniformly random \(x\in \{1,2,\ldots ,2r+1\}\) and sends a qubit in the state \(| 0 \rangle \) to Evelyn (who can ignore this qubit—it carries no significant information).
- \((2')\) For \(i = 1,2,\ldots , t\) \(\{\)
  - \(\diamond \) Evelyn performs the quantum operation \(\varPhi _i\) on her system, and then sends one qubit to Bobby.
  - \(\diamond \) Bobby performs the unitary gate \(u_{\phi _x}\) on the qubit received from Evelyn and sends it back to Evelyn. \(\}\)
- \((3')\) Bobby chooses a uniformly random \(b \in \{0,1\}\) and sends a qubit in the state \(| 0 \rangle + (-1)^b e^{i \phi _x}| 1 \rangle \) to Evelyn.
- \((4')\) Evelyn performs the quantum operation \(\varPhi _{t+1}\) on her system, and then sends one qubit to Bobby.
- \((5')\) Bobby measures the received qubit in the computational basis \(\{| 0 \rangle , | 1 \rangle \}\), getting outcome 0 or 1 (corresponding to \(| 0 \rangle \) and \(| 1 \rangle \) respectively); he tests whether this outcome equals \(b\).
The following proposition is straightforward to prove:
Proposition 5
The probability that Eve, using \(t\) black boxes \(u_{\phi _{x_j}}\), causes Bob’s equality test to pass in a particular iteration \(j\) of the protocol in Sect. 2.1 is at most
where \(\varPhi \) ranges over all \((t+1)\)-tuples of admissible quantum operations that Evelyn can apply in the game \(\mathcal {L}\).
Now consider the parallel \(s\)-fold repetition of \(\mathcal {L}\), which we denote \(\mathcal {L}^{\Vert s} = \mathcal {L}^{\Vert s} (\varPhi ')\), where now \(\varPhi '\) denotes Evelyn’s quantum operation in \(\mathcal {L}^{\Vert s}\). The following proposition is also straightforward to prove:
Proposition 6
The probability that Eve fools Bob on the first attempt using \(t\) black boxes per \(x\)-value in the protocol in Sect. 2.1 is at most
where \(\varPhi '\) ranges over all \((t+1)\)-tuples of admissible quantum operations that Evelyn can apply in the game \(\mathcal {L}^{\Vert s}\).
Therefore, in order to prove that it is sufficient to consider individual (as opposed to coherent) attacks by Eve, it suffices to show that \(\alpha ' = \alpha ^s\).
In Ref. [12], the above game is viewed as an interaction between a \((t+1)\)-round (non-measuring) strategy and a (compatible) measuring co-strategy; Evelyn’s operations \(\varPhi \) form the non-measuring strategy and Bobby’s actions form the measuring co-strategy (technically, Steps \((1')\), \((3')\), and \((4')\) would have to be slightly modified in order to fit the co-strategy formalism: in Steps \((1')\) and \((3')\), Bobby should make his random choices in superposition and use the quantum registers storing these choices as a control register whenever requiring these random values subsequently; in Step \((4')\), Bobby should only make one final measurement whose outcome indicates whether the equality test passes; we assume that these modifications have been made).
For all \(i\), let \(\mathcal {X}_i\) and \(\mathcal {Y}_i\) be the input and output spaces, respectively, of Evelyn’s quantum operation \(\varPhi _i\) in \(\mathcal {L}\), i.e. \(\varPhi _i: \mathrm {L}\left( \mathcal {X}_i\right) \rightarrow \mathrm {L}\left( \mathcal {Y}_i\right) \), where \(\mathrm {L}\left( \mathcal {X}_i\right) \) is the space of all linear operators from the complex Euclidean space \(\mathcal {X}_i\) to itself (and likewise for \(\mathrm {L}\left( \mathcal {Y}_i\right) \)). Let \(\mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \) denote the set of all positive semidefinite operators in \(\mathrm {L}\left( \mathcal {Y}\otimes \mathcal {X}\right) \), where \(\mathcal {Y}= \mathcal {Y}_1 \otimes \mathcal {Y}_2 \otimes \cdots \otimes \mathcal {Y}_{t+1}\) (and similarly for \(\mathcal {X}\)). For any Euclidean space \(\mathcal {Z}\), let \(\mathbb {I}_{\mathcal {Z}}\) denote the identity operator on \(\mathcal {Z}\).
Reference [12] shows that Evelyn’s strategy can be equivalently expressed by a single positive semidefinite operator in \(\mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \) while Bobby’s measuring co-strategy can be expressed by the collection \(\{B_0, B_1\}\) of two positive semidefinite operators in \(\mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \), where, without loss of generality, we assume that \(B_0\) corresponds to the measurement outcome indicating that Bobby’s test for equality in Step \((5')\) passes. We briefly note that these positive semidefinite operators are the Choi-Jamiołkowski representations of quantum operations corresponding to the players’ actions. A more general version of the following theorem is proved in Ref. [12]:
Theorem 7
(Interaction output probabilities [12]). For any non-measuring strategy \(X\in \mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \) of Evelyn, the probability that Bobby’s equality test passes is \(\text {Tr}(B_0^\dagger X)\).
Using Theorem 7, it is shown, in the proof of Theorem 3.3 of Ref. [12], that the maximal probability with which Bobby’s measuring co-strategy can be forced to output the outcome corresponding to \(B_0\) by some (compatible) strategy of Evelyn’s can be expressed as a semidefinite (optimization) program (see Ref. [18] for a relevant review of semidefinite programming). Thus \(\alpha \) and \(\alpha '\) can be expressed, respectively, as solutions to the following semidefinite programs \(\pi _{\alpha }\) and \(\pi _{\alpha '}\):
where, for all \(i\), \(\mathcal {X}_i' = \mathcal {X}_i^{\otimes s}\) and \(\mathcal {X}' = \mathcal {X}_1' \otimes \mathcal {X}_2' \otimes \cdots \otimes \mathcal {X}_{t+1}'\) (and similarly for \(\mathcal {Y}_i'\) and \(\mathcal {Y}'\)). We note that the first constraint in each semidefinite program above codifies the property of trace-preservation for the quantum operation corresponding to \(X\), while the second constraint codifies the property of complete positivity (see Ref. [18] for details). Furthermore, it is shown in Ref. [12] that such semidefinite programs (arising from interactions between strategies and compatible co-strategies) satisfy the condition of strong duality, which means that the solution to each semidefinite program above coincides with that of its dual.
In Ref. [13], the following theorem is proven:
Theorem 8
(Condition for product rule for semidefinite programs [13]). Suppose that the following two semidefinite programs \(\pi _1\) and \(\pi _2\) satisfy strong duality:
where \(\varPsi _1: \mathrm {L}\left( \mathcal {W}_1\right) \rightarrow \mathrm {L}\left( \mathcal {Z}_1\right) \) and \(\varPsi _2: \mathrm {L}\left( \mathcal {W}_2\right) \rightarrow \mathrm {L}\left( \mathcal {Z}_2\right) \), for complex Euclidean spaces \(\mathcal {W}_1, \mathcal {Z}_1, \mathcal {W}_2, \mathcal {Z}_2\), and \(J_1 \in \mathrm {L}\left( \mathcal {W}_1\right) \) and \(J_2\in \mathrm {L}\left( \mathcal {W}_2\right) \) are Hermitian. Let \(\alpha (\pi _1)\) and \(\alpha (\pi _2)\) denote the semidefinite programs’ solutions. If \(J_1\) and \(J_2\) are positive semidefinite, then the solution to the following semidefinite program, denoted \(\pi _1 \otimes \pi _2\), is \(\alpha (\pi _1 \otimes \pi _2) = \alpha (\pi _1) \alpha (\pi _2)\):
Since \(B_0\) is positive semidefinite and \(\pi _{\alpha '} = \pi _\alpha ^{\otimes s}\) (using the associativity of \(\otimes \)), Theorem 8 can be applied \((s-1)\) times in order to prove that \(\alpha ' = \alpha ^s\) as required. See Ref. [12] for a similar approach, based on ideas in Ref. [19]. The idea of expressing the acceptance probability of a quantum interactive proof system as a semidefinite program first appeared in Ref. [20].
Note that this argument, combined with the arguments in the main body of the paper, shows that both the serial and parallel versions of our identification protocol are secure.
1.2 Proof of Proposition 3
Two facts hold without loss of generality:
- the POVMs \(\{E_{w,0}, E_{w,\pi }\}\), for all \(w\), may be assumed to be covariant, i.e. \(E_{w,\pi } = V_\pi E_{w,0} V_\pi ^\dagger \) (to see this, note that any not-necessarily-covariant POVM \(\{F_{w,0}, F_{w,\pi }\}\) gives the same average probability of successfully guessing \(\theta \), given \(w\), as the covariant POVM \(\{E_{w,0}, E_{w,\pi }\}\) defined by \(E_{w,0} = (F_{w,0} + V_\pi ^\dagger F_{w, \pi } V_\pi )/2\));
- each \(E_{w,0}\) has support only on \(\text {sp}( \mathcal {O}_w)\) and thus \(E_{w,0} + E_{w,\pi } = I_{\text {sp}( \mathcal {O}_w)}\), where \(I_{\text {sp}( \mathcal {O}_w)}\) is the identity operator on \(\text {sp}( \mathcal {O}_w)\).
To compute a basis of \(\text {sp}( \mathcal {O}_w)\), we now further define the system \(R'\) in the proof of Lemma 1 to consist of exactly \(t+1\) qubits and the states \(| c_h \rangle \), \(h=0,1,\ldots ,t\), to be all those computational basis states whose labels have Hamming weight 1 (thus \(q = 2t+1\), which is larger than necessary, but simplifies the structure of the POVMs). The total subspace
supporting \(| \psi _{RS}(\phi ,\theta ) \rangle \) breaks up into mutually orthogonal subspaces \(S_w\) of weight \(w\), i.e., spanned by computational basis states whose labels have Hamming weight \(w\):
for \(k=2,3,\ldots , t+1\). Thus, for each \(w\), we will do the following:
- write \(P_w\) in the basis in which \(S_w\) is expressed in Eqs. (64), (65), (66),
- derive an expression for \(P_w |\psi _{RS}(0,0)\rangle \) (which is proportional to \(| \varPsi _w \rangle \)) in order to find a basis for \(\text {sp}( \mathcal {O}_w) = \text {sp}\{| \varPsi _w \rangle ,V_\pi | \varPsi _w \rangle \}\) (which fully supports \(E_{w,0}\)), and
- derive the form of \(E_{w,0}\) and thus, by covariance, the form of the POVM \(\{E_{w,0},E_{w,\pi }\}\) in each subspace \(S_w\).
Recalling Eq. (40), it will be convenient to let \(\alpha _{j,h}\equiv b_j g_{j,h}\) and so
\(\underline{w=1:}\)
Writing
we see that \(V_{\pi }|\varPsi _1\rangle = |\varPsi _1\rangle \) so that \(E_{1,0} = E_{1,\pi } = |\varXi _{0}\rangle | 0 \rangle \langle \varXi _0 |{\langle 0 | }\), where \(|\varXi _{0}\rangle \) is a state such that
We note that getting the outcome corresponding to this POVM element does not give any information about \(\theta \); we arbitrarily assign a guess of “\(\theta = 0\)” to this outcome, without affecting optimality (since \(\theta \) is a priori uniformly distributed).
\(\underline{w \in \{2,3,\ldots ,t+1\}:}\)
Similarly, we can write
Chiribella et al. [17] show that \(E_{w,0}\) may be assumed to have rank 1 without loss of generality. Thus \(E_{w,0}\) may be written \(|\eta _w\rangle \langle \eta _w |\), where
for some complex coefficients \(a\) and \(b\), such that \(|a|^2 + |b|^2 = 1\), where \(|\varXi _{w-1}\rangle \) and \(|\varXi _{w-2}\rangle \) are states such that, for \(j=0,1,\ldots ,t\),
We have (using covariance to get \(E_{w,\pi }\))
But
Equating the two expressions implies that
for some phase \(\varphi _w\). But we must have \(\varphi _w = 0\) since \(E_{w,0}\) corresponds to the guess “\(\theta = 0\)”.
\(\underline{w=t+2:}\)
Similar to the case \(w=1\) and using the definition from Eq. (77), we have \(E_{t+2,0}=E_{t+2,\pi } = |\varXi _t\rangle | 1 \rangle \langle \varXi _t |{\langle 1 | }\). We assign the guess “\(\theta =\pi \)” to getting the outcome corresponding to this POVM element.
To summarize, the elements of the overall POVM \(\{E_0,E_\pi \}\) describing the measuring-and-guessing strategy may be expressed
where
1.3 Proof of Theorem 1, Assuming Eq. (15)
For security with error \(\epsilon \), we require
which, by taking the logarithm of both sides, is equivalent to
Using the series expansion \(\log (1 - x) = -(x + x^2/2 + x^3/3 + \cdots )\), the right-hand side of Eq. (88) is upper-bounded by
from which the theorem follows.
1.4 Proof of Proposition 4
This maximization problem is very similar to that in Ref. [11], where it was required to maximize \(\langle \zeta |M'_t |\zeta \rangle \) over all states \(| \zeta \rangle \in \text {sp}\{| j \rangle :j=0,1,\ldots ,t \}\) for
In fact, in light of Eq. (40), the phase estimation problem in Ref. [11] may be viewed as the same as the one we consider, but where Eve does not have access to the register \(R'\). (Indeed, our optimal success probability cannot be less than that in Ref. [11], since at the very least Eve can forgo the use of the ancillary register \(R'\).) Finally, below, we show that our optimal success probability is exactly equal to that obtained in Ref. [11].
Let \(\alpha _{j,h}^\star \) denote the optimal values for our maximization problem, and let \(M_t^\star \), \(|\psi _R(0)^\star \rangle \), and \(|\varXi _{j}^\star \rangle \) denote the values of \(M_t\), \(|\psi _R(0)\rangle \), and \(|\varXi _{j}\rangle \) at those optimal values. Note that \(\{|\varXi _{j}\rangle : j=0,1,\ldots ,t\}\) is orthonormal for all values of \(\alpha _{j,h}\), thus \(\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) is orthonormal. Consider now optimizing \({\langle \psi | }M_t^\star | \psi \rangle \) over all unit vectors \(| \psi \rangle \in \text {sp}\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) for fixed \(M_t^\star \); denote the optimal \(| \psi \rangle \) as \(| \psi ^\star \rangle \). It must be that
since \(| \psi _R(0)^\star \rangle \in \text {sp}\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) by inspecting Eqs. (67) and (77). Now note that the coefficients of \(| \psi ^\star \rangle \) with respect to the basis \(\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) must be precisely those coefficients of the optimal \(| \zeta \rangle \) with respect to the standard orthonormal basis \(\{| j \rangle :j=0,1,\ldots ,t \}\) found in Ref. [11]; otherwise, substituting the coefficients of \(| \psi ^\star \rangle \) would give a higher maximum than that in Ref. [11]. (The argument works because, in both cases, the orthonormal basis is fixed for the optimization.) Therefore, we have, as in Ref. [11],
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Ioannou, L.M., Mosca, M. (2014). Unconditionally-Secure and Reusable Public-Key Authentication. In: Bacon, D., Martin-Delgado, M., Roetteler, M. (eds) Theory of Quantum Computation, Communication, and Cryptography. TQC 2011. Lecture Notes in Computer Science(), vol 6745. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54429-3_8
DOI: https://doi.org/10.1007/978-3-642-54429-3_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54428-6
Online ISBN: 978-3-642-54429-3