Entropically secure encryption with faster key expansion

Entropically secure encryption is a way to encrypt a large plaintext with a small key and still have information-theoretic security, thus in a certain sense circumventing Shannon's result that perfect encryption requires the key to be at least as long as the entropy of the plaintext. Entropically secure encryption is not perfect, and it works only if a lower bound is known on the entropy of the plaintext. The typical implementation is to expand the short key to the size of the plaintext, e.g. by multiplication with a public random string, and then use one-time pad encryption. This works in the classical as well as the quantum setting. In this paper, we introduce a new key expansion method that is faster than existing ones. We prove that it achieves the same security. The speed gain is most notable when the key length is a sizeable fraction of the message length. In particular, a factor of 2 is gained in the case of approximate randomization of quantum states.


A. Entropic Security
An encryption scheme is called perfect if the ciphertext reveals no information whatsoever about the plaintext. For perfect encryption of classical plaintexts, the length of the key needs to be at least the entropy of the plaintext, and the simplest cipher is the One-Time Pad (OTP) or Vernam cipher [1]. In the quantum setting, perfect encryption of an n-qubit plaintext state requires a key length of 2n bits and the simplest cipher achieving this kind of encryption is the Quantum One-Time Pad (QOTP) [2]-[4].
If one does not aim for perfect security, it is possible to get information-theoretic guarantees about the encryption even with shorter keys, as long as a lower bound is known on the min-entropy of the plaintext. The notion of (t, ε)-entropic security has been introduced [5], [6], stating that the adversary's advantage in guessing any function of the plaintext is upper bounded by ε if the min-entropy of the plaintext (conditioned on Eve's side information) is at least t. It can be seen as an information-theoretic version of semantic security. It has been shown that (t, ε)-entropically secure encryption of an n-(qu)bit plaintext can be achieved with key length n − t + 2 log(1/ε) [6]-[8]. In the quantum case, t can become negative when Eve's quantum memory is entangled with the plaintext state.
The standard way to perform entropically secure encryption is to expand the short key to a pseudorandom string which is then used as the key for (Q)OTP encryption. The key expansion is done either using small-bias spaces or by universal hashing with a public random string.

(Part of this work was supported by the Dutch Startimpuls NAQT KAT-2 and NGF Quantum Delta NL.)

B. Contribution and Outline
We introduce a new key expansion method for entropically secure encryption, both classical and quantum. The main idea is to append a pseudorandom string f(k) to the short key k, instead of creating an entirely new string from k. For the computation of f(k), we use finite-field multiplication with a public random string.
• Our key expansion is faster than all previous constructions while achieving the shortest known key length n − t + 2 log(1/ε). In particular, a factor of 2 in speed is gained in the unentangled quantum case without further assumptions on Eve and the entropy of the plaintext.
• Our security proof in the quantum case is a bit more straightforward than [8], as we avoid expanding states in the Pauli basis.

The outline of the paper is as follows. We discuss related work on entropic security in Section II. We present the relevant definitions and lemmas from the literature in Section III. In Section IV, we present our classical scheme and its security proof. Then in Section V, we do the same for the quantum scheme, additionally giving an analysis of the computational complexity of the key expansion, especially in the unentangled case, in Section VI. Finally, in Section VII, we comment on possible improvements.

A. Entropic Security for Classical Plaintext
The entropic security notion and its definition for encryption were coined first by Russell and Wang [5]. They showed that it is possible to encrypt a high-entropy n-bit plaintext using a key shorter than n such that an attacker has less than ε advantage in predicting predicates of the plaintext. Such schemes are called Entropically Secure Encryption (ESE) schemes. They provided an ESE with key length n − t + 3 log(1/ε) + O(1), where t is the min-entropy of the plaintext. Dodis and Smith [6] gave a stronger definition by considering all functions of the plaintext instead of only predicates. They also showed the equivalence between ESE and indistinguishability (in terms of statistical distance) of ciphertexts. They introduced two simple constructions, one of which uses XOR-universal hash functions and improves the key length to . They proved that the key length of any ESE needs to be at least n − t bits.
Fehr and Schaffner [9] introduced a classical indistinguishable encryption scheme secure against quantum adversaries. It has key length n − t + 2 log n + 2 log(1/ε) + O(1), where t is the collision entropy of the (classical) plaintext given Eve's quantum side information. Different from [5], [6], they used collision entropy in the security definition instead of min-entropy.

B. Entropic Security in the Quantum Setting
In order to perfectly encrypt any n-qubit state, the necessary and sufficient key length is 2n bits [2]-[4]. In its simplest form, quantum one-time pad (QOTP) encryption and decryption work by applying to each individual qubit a Pauli operation from the set {1, σ_x, σ_y, σ_z}. The choice of Pauli operations constitutes the key. For someone who does not know this key, the state after encryption equals the fully mixed state regardless of the plaintext state.
Entropic security has been generalized to the fully quantum setting where both the plaintext and ciphertext are quantum states. Desrosiers [7] introduced definitions of entropic security and entropic indistinguishability for quantum ciphers. Similar to the classical setting, these definitions are equivalent up to parameter changes. He also introduced a scheme with a key length of n − t + 2 log(1/ε) using a similar key expansion method as [6]. Here t is the min-entropy of the plaintext quantum state. The analysis in [7] applies only if Eve is not entangled with the plaintext. Desrosiers and Dupuis [8] generalized the analysis, with conditional quantum min-entropy as defined by Renner [10], and showed that the results hold even with entanglement.^1 They also proved a minimum required key length of n − t − 1.

C. Approximate Randomization
The quantum setting without entanglement (t ≥ 0) is a special case that has received a lot of attention by itself, as it occurs naturally: it corresponds to the situation where Alice prepares a plaintext state and encrypts it. As long as the plaintext state is generated entirely by Alice (as opposed to being received by Alice as part of a larger protocol), Eve is not entangled with it. In the literature, this special case goes by the name approximate randomization or approximate quantum encryption. Hayden et al. [11] showed that approximate randomization is possible with a key length of n + log n + 2 log(1/ε) by using sets of random unitaries.^2 Ambainis and Smith [13] introduced far more efficient schemes that work with a pseudorandom sequence which selects Pauli operators as in the QOTP. In one of them, they expanded the key using small-bias sets and achieve key length n + 2 log n + 2 log(1/ε). This scheme is length-preserving, i.e. the cipherstate consists of n qubits. In another construction, they expanded the key by multiplying it with a random binary string of length 2n; this string becomes part of the cipherstate. The key length is reduced to n + 2 log(1/ε). Dickinson and Nayak [14] improved the small-bias based scheme of [13] and achieved key length n + 2 log(1/ε) + 4. Škorić and de Vries [15] described a pseudorandom QOTP scheme that has key length n + 2 log(1/ε), but they need an exponentially large common random string to be stored. Table I shows an overview of these results.

^1 The conditional quantum min-entropy of an n-qubit system ranges between −n and n. A maximally entangled state has conditional min-entropy t = −n.
^2 They also provided a result for the ∞-norm, with key length n + log n + 2 log(1/ε) + log 134; unitaries are drawn from the Haar measure. This was later improved to n + 2 log(1/ε) + log 150 by Aubrun [12].
The 'ε-close to fully mixed' property can be expressed as a distance with respect to different norms, e.g. the 1-norm (trace norm) or the ∞-norm (maximum absolute eigenvalue). In this paper, we consider only the 1-norm, since it expresses the distinguishability of states and it is a universally composable measure of security [16]-[18].

A. Notation; Entropic Quantities
Random variables are written in uppercase and their realizations in lowercase. The statistical distance between random variables X, Y ∈ X is given by ∆(X, Y) =
We denote the space of density matrices on Hilbert space H as D(H). The single-qubit Hilbert space is denoted as H_2. A bipartite state comprising subsystems 'A' and 'B' is written as ρ^AB ∈ D(H_A ⊗ H_B). The state of a subsystem is obtained by taking the partial trace over the other subsystem, e.g. ρ^A = Tr_B ρ^AB. The identity operator on H is denoted by 1_H; we will simply write 1 when the Hilbert space is clear from the context. Similarly, we write τ^H for the fully mixed state 1_H/dim(H), often omitting the superscript. Let M be an operator with eigenvalues λ_i. The Schatten 1-norm of M is given by
In the literature, there are multiple definitions of quantum conditional Rényi entropy. We will work with the definition of [19], which is based on sandwiched relative entropy, and which has been shown in [20] to possess the most favorable properties. Let ρ, σ ≥ 0 with ρ ≠ 0, and α ∈ (0, 1) ∪ (1, ∞). The sandwiched quantum Rényi relative entropy is given by
Here σ ≫ ρ denotes that σ dominates ρ, i.e. that the kernel of σ is contained in the kernel of ρ. For α ∈ (0, 1) ∪ (1, ∞) and ρ^AE ∈ D(H_A ⊗ H_E), the conditional quantum Rényi entropy is given by
In the limit α → ∞ this reproduces the conditional Rényi entropy as introduced by Renner [10],

B. Security Definitions and Useful Lemmas

Definition 3.1 (Classical encryption scheme):
A classical encryption scheme for a message space X with key space K and ciphertext space C consists of three algorithms (Gen, Enc, Dec). Gen is a probabilistic algorithm that outputs a key k ∈ K. Enc: K × X → C is a possibly randomized algorithm that takes a key k and a message x ∈ X and outputs a ciphertext c ∈ C. Dec: K × C → X is the decryption algorithm that takes a key k ∈ K and a ciphertext c ∈ C as inputs and outputs a message x ∈ X. It must hold that
Entropic security of an encryption scheme is formulated as the property that the encryption Enc hides all functions of the plaintext X. 'Hiding' means that an adversary A who sees the ciphertext has no advantage in guessing function values f(X) over an adversary A′ who does not observe the ciphertext.
Here the function f is fixed before A observes the ciphertext. This is phrased in [6] as: 'Y leaks no a priori information about X'.

Definition 3.2 (Hiding all functions):
A probabilistic map Y is said to hide all functions of X with leakage ε if
(5)
The definition is similar to semantic security, but it works with unbounded adversaries and is restricted to high-entropy plaintext. It has been shown that entropic security implies statistical indistinguishability and vice versa, with small modifications in the t and ε parameters. Indistinguishability is defined by the existence of a variable G such that a ciphertext resulting from random X (from some distribution) and random K is ε-close to G in terms of statistical distance.
Lemma 3.6 (Claim 2 in [21]): Let D be a distribution on a finite set S. If the collision probability of D is at most (1 + 2ε^2)/|S|, then D is at a statistical distance at most ε from the uniform distribution.
Definition 3.7 (Quantum encryption scheme): A quantum encryption scheme with quantum message space H, classical key space K, and quantum ciphertext space H′ consists of a triplet (Gen, Enc, Dec). Gen is a probabilistic algorithm that outputs a key k ∈ K. Enc: K × D(H) → D(H′) is a (possibly randomized) algorithm that takes as input a classical key k ∈ K and a quantum state ϕ ∈ D(H), and outputs a quantum state ω = Enc(k, ϕ) ∈ D(H′) called the cipherstate. Dec: K × D(H′) → D(H) is an algorithm that takes as input a key k ∈ K and a state ω ∈ D(H′), and outputs a state Dec(k, ω) ∈ D(H). It must hold that ∀ k ∈ K, ϕ ∈ D(H): Dec(k, Enc(k, ϕ)) = ϕ.
Note that Def. 3.7 allows the cipherstate space to be larger than the plaintext space, dim H′ > dim H. We will be working with the special case where the cipherstate consists of a quantum state of the same dimension as the input, accompanied by classical information.
The effect of the encryption, with the key unknown to the adversary, can be described as a completely positive trace-preserving (CPTP) map R: D(H) → D(H′) as follows,
If the plaintext state is entangled with Eve (E), e.g. the state is ϕ^AE, then the encryption and decryption act only on the A subspace; we write R(ρ^AE) for (R ⊗ 1_E)(ρ^AE). The definition of entropic security is more involved than in the classical case.
Definition 3.8 (Strong entropic security in the quantum setting, Def. 4 in [8]): An encryption system R is called strongly (t, ε)-entropically secure if for all states ϕ^AE satisfying H_min(A|E)_ϕ ≥ t, all interpretations {(p_i, σ_i^AE)} of ϕ^AE, all adversaries A and all functions f, it holds that
Here 'interpretation' means ϕ^AE = Σ_i p_i σ_i^AE. Def. 3.8 implies another definition of entropic security given in [8] that contains an adversary A′ who gets access only to its own subsystem σ_i^E. Similar to the classical case, the equivalence between entropic security and entropic indistinguishability has been shown in the quantum setting.
Lemma 3.11 (Lemma 5.1.3 in [10]): Let S be a Hermitian operator and σ a nonnegative operator. It holds that

C. The Quantum One Time Pad (QOTP)
Let H_2 denote the Hilbert space of a qubit. Let Z and X be single-qubit Pauli operators, in the standard basis given by Z = (1 0; 0 −1) and X = (0 1; 1 0). For QOTP encryption of one qubit, the key consists of two bits s, q ∈ {0, 1}. The encryption of a state ϕ ∈ D(H_2) is given by X^s Z^q ϕ Z^q X^s. Decryption is the same operation as encryption, but with the order of applying Z^q and X^s interchanged.
The simplest way to encrypt an n-qubit state ϕ ∈ D(H_2^⊗n) is to encrypt each qubit independently. The QOTP key β has length 2n and can be expressed as β = s||q, with s, q ∈ {0, 1}^n. In the rest of the paper we will use the following shorthand notation for the QOTP cipherstate,
Let
and let ϕ^AE ∈ D(H_A ⊗ H_E) be a bipartite state. Encryption of the A subsystem is written as
i.e. Def. 3.9 is achieved with t = −n and ε = 0: no matter how entangled E is with A, from the adversary's point of view the A′ subsystem is fully mixed and entirely decoupled from E.

IV. ENCRYPTION
We present a modification of Ambainis and Smith's second construction in [13]. The difference lies in the hash function, which in our case consists of the concatenation of the short key k with an affine function of k. In Section IV-B we show that the key length as a function of the security parameter ε is essentially the same as in [13]. We comment on the speed gain in Section VI.

A. The Construction
Our construction has message space X = {0, 1}^n, key space
We define a hash function h as follows,
where || denotes string concatenation. The addition and multiplication in the expression uk + v take place in GF(2^λ); the subscript 'lsb' denotes taking the n − ℓ least significant bits in case λ > n − ℓ. Note that (uk + v)_lsb = (uk)_lsb + v. The encryption is randomized, with uniformly random strings u, v which become part of the ciphertext,
Here ⊕ stands for bitwise xor. The decryption is

B. Security Proof

Theorem 4.1: Our classical encryption scheme described in Section IV-A satisfies
Proof: To start, due to the prepended u, v in (14) we get U′V′ = UV and we acquire an overall factor
For the a ≠ 0 part of the summation we split up a as a = a_L||a_R with a_L ∈ {0, 1}^ℓ, a_R ∈ {0, 1}^(n−ℓ) and write
The last equality follows from the fact that a_L = 0 implies U a_L = 0 and hence a_R = 0, while (a_L, a_R) = (0, 0) is not part of the summation; hence a_L = 0 drops from the summation. Next, we note that
Combining all these results we get
where we have used that
Theorem 4.2: Let t ≥ 2 log(1/ε) − 5. Let the key length be set as ℓ = n − t + 2 log(1/ε) − 5. Then the encryption scheme of Section IV-A is (t, ε)-entropically secure.

V. ENCRYPTION
Our construction for encrypting n qubits is very similar to the classical construction. The difference lies in the use of the QOTP instead of the classical OTP, and in the length of the expanded key, which is now 2n instead of n.

A. The Construction
The message space is D(H_2^⊗n). The key space is
Here the multiplication and addition in uk + v are GF(2^λ) operations. The subscript 'lsb' (Least Significant Bits) stands for taking the last 2n − ℓ bits of the string; in the finite field representation, this corresponds to taking a polynomial in x modulo x^(2n−ℓ). Instead of (uk + v)_lsb we can also write (uk)_lsb + v. Let ϕ ∈ D(H_2^⊗n). The encryption step draws random u, v and outputs n qubits as well as the u, v,
with F the QOTP encryption as defined in (11) and b(·, ·, ·) as defined by (20). Decryption is essentially the same as encryption,

B. Security Proof
Let H_A = H_2^⊗n and let Eve be entangled with the plaintext state. The joint state is ϕ^AE ∈ D(H_A ⊗ H_E). As discussed in Section III-C, the encryption Enc acts only on the 'A' subsystem. As the parameters u, v are public we focus on the quantum part of the ciphertext. From Eve's point of view, the state after encryption is

Lemma 5.1: It holds that
Proof: We write
The first equality follows from the fact that for any fixed u, the k and v together can create any string in {0, 1}^(2n) in precisely one way. The second equality is due to the fact that the QOTP is completely randomizing (12).

Lemma 5.2: Let f be any (possibly operator-valued) function acting on {0, 1}^(2n). It holds that
Here β, β′ ∈ {0, 1}^(2n), and E_β stands for 2^(−2n) Σ_β. Similarly, g, g′ ∈ {0, 1}^(2n−ℓ) and E_g stands for 2^(ℓ−2n) Σ_g.
Proof: We use the shorthand notation g = (uk + v)_lsb, g′ = (uk′ + v)_lsb and we write f_x instead of f(x). We omit the || in the expression k||g. In this notation the left hand side of (25) is
In step (a) we used in the first term that summation over k ∈ {0, 1}^ℓ and v ∈ {0, 1}^(2n−ℓ) exactly corresponds to summation over β ∈ {0, 1}^(2n); in the second term we used that (for k′ ≠ k) averaging over (u, v) exactly corresponds to averaging over (g, g′). The latter is obvious in the case u ∈ {0, 1}^(2n−ℓ) (λ = 2n − ℓ), as the 'lsb' in (uk)_lsb can be omitted. In the case u ∈ {0, 1}^ℓ (λ = ℓ), the (u, v)-summation covers the (g, g′)-space exactly an integer number (2^(2ℓ−2n)) of times. This is seen as follows. When the two equations g = (uk + v)_lsb, g′ = (uk′ + v)_lsb are added, the v disappears and we get [u(k + k′)]_lsb = g + g′, which has 2^ℓ / 2^(2n−ℓ) solutions u. Then, at fixed k, k′, g, g′, u the solution for v is unique.
Theorem 5.3: Our encryption scheme described in Section V-A satisfies
[See (29)-(33).]
Next, we apply Lemma 5.2 to the first expression under the square root. This yields
Substitution into (33), and writing Tr σ = 2^n Tr σ^E, gives
In (36) we have used the fact that U_β acts only on the 'A' subsystem, leaving σ^(−1/2) unchanged. Finally, we restrict σ^E to D(H_E), so that Tr σ^E = 1, and apply the definition of conditional quantum Rényi entropy (2) to get the bound
Theorem 5.4: Let the key length be set as ℓ = n − t + 2 log(1/ε) + 3. Then the quantum encryption scheme of Section V-A is (t, ε)-strongly entropically secure for all functions.
Note that we achieve (t, ε)-entropic indistinguishability with key length n − t + 2 log(1/ε). For approximate randomization, where the plaintext is unentangled (t = 0), we thus get the key length n + 2 log(1/ε) as listed in Table I. A special case of quantum encryption is when the plaintext is classical. Then the quantum encryption scheme typically reduces to a classical scheme that is secure against quantum adversaries. The QOTP (11), when applied to classical plaintext bits encoded in the z-basis,^5 has the effect of xor-ing the plaintext with the string s ∈ {0, 1}^n, while the string q does nothing and can be omitted from the scheme.
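The following is an added worked example, not code from the paper: it implements the key expansion h(k) = k || (uk + v)_lsb of Sections IV-A and V-A on toy parameters, runs the classical scheme end to end, and brute-forces the counting step in the proof of Lemma 5.2 (that for fixed keys k ≠ k′ the public (u, v) cover the (g, g′)-space uniformly). It assumes λ = max(ℓ, m − ℓ) for an m-bit expanded key (m = n classical, m = 2n quantum), which is how the two cases the paper distinguishes are combined here, and uses small constructed irreducible polynomials for the toy fields.

```python
import secrets
from collections import Counter

# Reduction polynomials for the toy field sizes used below (constructed; all irreducible):
# x^4 + x + 1, x^5 + x^2 + 1, x^6 + x + 1.
IRREDUCIBLE = {4: 0b10011, 5: 0b100101, 6: 0b1000011}


def gf_mul(a, b, lam):
    """Multiply a, b in GF(2^lam): shift-and-add carry-less product, reduced modulo
    IRREDUCIBLE[lam].  Both inputs must be below 2^lam."""
    poly, r = IRREDUCIBLE[lam], 0
    for _ in range(lam):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> lam:          # degree reached lam: subtract the reduction polynomial
            a ^= poly
    return r


def expand(k, u, v, m, ell):
    """Key expansion h(k) = k || (uk + v)_lsb from an ell-bit key k to an m-bit string
    (m = n for the classical OTP of Section IV-A, m = 2n for the QOTP of Section V-A).
    Assumption: u is drawn from GF(2^lam) with lam = max(ell, m - ell), combining the
    two cases the paper distinguishes; 'lsb' keeps the m - ell least significant bits."""
    lam = max(ell, m - ell)
    mask = (1 << (m - ell)) - 1
    tail = (gf_mul(u, k, lam) ^ v) & mask     # (uk + v)_lsb == (uk)_lsb + v
    return (k << (m - ell)) | tail            # concatenating k costs nothing


def encrypt(k, x, n, ell):
    """Classical scheme: draw the public u, v and one-time-pad the n-bit x with h(k)."""
    u, v = secrets.randbits(max(ell, n - ell)), secrets.randbits(n - ell)
    return u, v, x ^ expand(k, u, v, n, ell)


def decrypt(k, ciphertext, n, ell):
    """Recompute h(k) from the public u, v in the ciphertext and strip the pad."""
    u, v, y = ciphertext
    return y ^ expand(k, u, v, n, ell)


def coverage_counts(m, ell, k, k2):
    """Brute-force the counting step in the proof of Lemma 5.2: for fixed keys k != k2,
    count how often each pair (g, g') = ((uk + v)_lsb, (uk' + v)_lsb) is hit as (u, v)
    ranges over all public strings.  The proof predicts: exactly once when lam = m - ell,
    and exactly 2^(2*ell - m) times when lam = ell."""
    lam = max(ell, m - ell)
    mask = (1 << (m - ell)) - 1
    hits = Counter()
    for u in range(1 << lam):
        for v in range(1 << (m - ell)):
            hits[((gf_mul(u, k, lam) ^ v) & mask,
                  (gf_mul(u, k2, lam) ^ v) & mask)] += 1
    return hits


if __name__ == "__main__":
    n, ell = 8, 4                                   # toy sizes (constructed)
    k, x = 0b1011, 0b11001010
    c = encrypt(k, x, n, ell)
    assert decrypt(k, c, n, ell) == x
    print(f"u={c[0]:04b} v={c[1]:04b} c={c[2]:08b} -> x={decrypt(k, c, n, ell):08b}")
    # QOTP-sized expansion m = 2n = 8 with ell = 6 (lam = ell): every (g, g') hit 16 times
    print(sorted(set(coverage_counts(8, 6, 0b101101, 0b000111).values())))   # [16]
    # m = 8 with ell = 3 (lam = m - ell = 5): every (g, g') hit exactly once
    print(sorted(set(coverage_counts(8, 3, 0b101, 0b011).values())))         # [1]
```

The uniform coverage is what lets the proof replace the average over public (u, v) by an average over (g, g′); the same brute force with ell = m − ell shows the λ = 2n − ℓ case where no truncation happens.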

VI. COMPLEXITY OF THE KEY EXPANSION
We comment on the complexity of our key expansion compared to previous works. Complexity is typically quantified as the number of bit-AND operations; bit-XOR operations are considered to be much cheaper. Multiplication in GF(2^ν) has time complexity O(ν log ν) [22], [23] whereas GF(2^ν) addition (subtraction) consists of ν bit-XOR operations. Mateer [24] introduced an improved version of Schönhage's multiplication algorithm [25]. If m is of the form 3^κ and κ is a power of two, then multiplication of two elements in
√m bit-XORs. If κ is not a power of two, then the number of ANDs slightly increases to 6m log_3 m while the bound on the XORs stays the same.

Entropically secure encryption. Dodis and Smith's key expansion for classical entropically secure encryption [6] makes use of a xor-universal hash function that is implemented by GF(2^n)-multiplying the key k ∈ {0, 1}^ℓ times a random string i ∈ {0, 1}^n. In contrast, our classical scheme has multiplication in GF(2^λ), and the concatenation with k is for free. For short keys the speedup is modest; only when the key length ℓ is a sizeable part of n does the speedup become interesting.

^5 A similar result holds for the x and y basis. However, if the (1, 1, 1) basis is chosen then the result is a quantum encryption scheme for classical plaintext, with recyclable keys [15].
The situation is similar in the general quantum case with entanglement. The scheme of Desrosiers and Dupuis [8] has a key expansion that is the same as in [6] but for string length 2n instead of n. Again, our speedup from GF(2^(2n))-multiplication to GF(2^(2n−ℓ)) is modest when the key is short.

Approximate randomization. The case of approximate randomization corresponds to entropically secure encryption with t = 0, i.e. without entanglement between Eve and the plaintext state, but with no further guarantees about Eve's (lack of) knowledge. The key size ℓ is slightly larger than one-half of the extended length 2n.
Our key expansion consists of one multiplication in GF(2^ℓ) and one addition in GF(2^(2n−ℓ)) or, since ℓ asymptotically almost equals n, roughly speaking one multiplication and one addition in GF(2^n). With Mateer's multiplication for general κ, this yields a total cost of 3n log_3 n − 3n log_3 2 ANDs and ≥ n log n · {(26/5) log log n^2 + 3/4} − n · {(26/5) log log n^2 + 1/2} + O(√n) XORs for our key expansion.
In [13] the ℓ-bit key k is multiplied by a string α ∈ {0, 1}^(2n), and the multiplication is in GF(2^(2n)). If we write α = L||R and take ℓ ≈ n then this can be reorganized into the following steps: (i) a polynomial multiplication k·R without modular reduction; (ii) a polynomial multiplication k·L shifted by n positions, resulting in a polynomial of degree at most 3n, followed by GF(2^(2n)) modular reduction; (iii) addition of the two above contributions. As we count two XORs per monomial that needs to be reduced,^6 we see that the addition in step (iii) precisely compensates the missing reduction in step (i). Furthermore, the number of monomials that needs reducing in step (ii) is n, which is the same as in GF(2^n) multiplication. Hence the cost of computing k·α equals the cost of two GF(2^n) multiplications. Since in GF(2^n) multiplication is much more expensive than addition, we see that our key expansion is a factor 2 cheaper than [13].

VII. DISCUSSION

Our scheme achieves the same shortest key length ℓ = n − t + 2 log(1/ε) reported in other studies, but with a more efficient key expansion.
It is interesting to note that the security proof in [13] uses Fourier analysis and δ-biased families, and invokes Cayley graphs for intuition, whereas our proof is more straightforward. Furthermore, the security proof in [8] uses an expansion in the Pauli basis, which we do not need.
We note that in the classical case our scheme always needs public randomness that is as large as the plaintext. In the quantum case, however, the size of the public randomness is not the same in the two cases that we distinguish (ℓ < n versus ℓ > n). It is left for future work to see if this can be improved.
All the definitions of entropic indistinguishability and entropic security put a condition on the min-entropy of the plaintext, whereas all the security proofs yield expressions that contain the collision entropy. It may be advantageous to work with modified definitions that put a condition on the collision entropy, since that is more easily met.

TABLE I
RESULTS ON APPROXIMATE RANDOMIZATION OF n QUBITS
The security is in terms of the trace distance: ||cipherstate − fully mixed state||_1 ≤ ε. The listed complexity for the finite field multiplications is based on the fastest known implementation and shows only the number of AND operations. (See Section VI.)

Scheme | Security | Cipherstate | Key expansion
Pseudorandom QOTP based on small-bias sets | ε | n qubits | O(n^2) operations
Pseudorandom QOTP based on multiplication in GF(2^(2n)) | ε | n qubits + 2n bits | ≈ 6n log_3 n operations
Pseudorandom QOTP based on affine function in GF(2^ℓ) | ε | n qubits + 2n bits | ≈ 3n log_3 n operations