Efficient Simulation for Quantum Message Authentication

Information Theoretic Security (ICITS 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10015)

Abstract

Quantum message authentication codes are families of keyed encoding and decoding maps that enable the detection of tampering on encoded quantum data. Here, we study a new class of simulators for quantum message authentication schemes, and show how they are applied in the context of two codes: the Clifford and the trap code. Our results show for the first time that these codes admit an efficient simulation (assuming that the adversary is efficient). Such efficient simulation is typically crucial in order to establish a composable notion of security.

Acknowledgements

We would like to thank Florian Speelman for feedback on a prior version of this work, as well as the anonymous reviewers for useful corrections.

Author information

Correspondence to Anne Broadbent.

A Appendix

Lemma A.1

For a fixed \(P \in {\mathbb {P}}_{3n}\), let \(\eta _P\) denote the number of permutations \(\pi \) of P such that \(\pi ^{\dagger }P\pi \in {\mathbb {P}}_{{\mathscr {E}}} \setminus {\mathbb {P}}_{{\mathscr {F}}}\). Then for all P:

$$\begin{aligned} \eta _P \le \binom{n}{t+1}(t+1)!\,(3n-(t+1))!\,. \end{aligned} \tag{44}$$

An intuitive argument for the above lemma is that \(\eta _P\) can be upper-bounded by fixing a Pauli \(P \in \{I,X\}^{3n}\) of weight \(t+1\). We show that a Pauli with greater weight will have \(\le \eta _P\) possible allowed permutations. To find the number of possible allowed permutations, we will consider the first n positions, where we require at least \(t+1\) non-identity Paulis (for a total of \(\binom{n}{t+1}(t+1)!\) permutations). The remaining positions are then simply permuted, since we have used all of the non-identity Paulis already, contributing a multiplicative factor of \((3n-(t+1))!\) permutations. This is formalized below (where we also consider general attack Paulis consisting of combinations of X, Y and Z).

Proof

In order to find an upper bound for \(\eta _P\), we look to find the Pauli, P, that has the largest number of permutations, \(\pi \), such that \(\pi ^{\dagger }P \pi \in {\mathbb {P}}_{{\mathscr {E}}}\setminus {\mathbb {P}}_{{\mathscr {F}}}\).

For a Pauli P with \(\omega (P)=d\), we write \(d=d_x+d_y+d_z+x_1+y+z_1+x_2+z_2\) for values \(d_x, d_y, d_z, x_1, y, z_1, x_2, z_2\) as follows:

  1. \(d_x, d_y, d_z\) where \(d_x + d_y + d_z=t+1\). These are the \(t+1\) X, Y, and Z Paulis that must be applied to the first n qubits for the Pauli to be in \({\mathbb {P}}_{{\mathscr {E}}} \setminus {\mathbb {P}}_{{\mathscr {F}}}\).

  2. y where \(y+d_y\) is the total number of Y Paulis in P and y are the additional Y Paulis applied to the first n qubits. Note that Y Paulis cannot be applied to either set of traps without altering them.

  3. \(x_1, x_2\) where \(x_1+x_2 + d_x\) is the total number of X Paulis in P and \(x_1\) are the additional X Paulis applied to the first n qubits and \(x_2\) are the X Paulis applied to the \(|{+}\rangle \langle {+}|^{\otimes n}\) traps.

  4. \(z_1, z_2\) where \(z_1+z_2 + d_z\) is the total number of Z Paulis in P and \(z_1\) are the additional Z Paulis applied to the first n qubits and \(z_2\) are the Z Paulis applied to the \(|{0}\rangle \langle {0}|^{\otimes n}\) traps.

Then the possible permutations on P are found by multiplying the following terms:

  1. \(\binom{n}{d_x,d_y,d_z,n-t-1} d_x!\,d_y!\,d_z!\), which is the number of ways to choose the required \(t+1\) spots for the minimum number of Paulis applied to the first n qubits, multiplied by the number of ways of permuting each of the sets of X, Y, and Z Paulis. Note that this term simplifies to \(\frac{n!}{(n-t-1)!}\),

  2. \(\binom{n-t-1}{x_1} x_1!\), the number of ways to apply \(x_1\) additional X Paulis to the first n qubits,

  3. \(\binom{n-t-1-x_1}{y} y!\), the number of ways to apply y additional Y Paulis to the first n qubits,

  4. \(\binom{n-t-1-x_1-y}{z_1} z_1!\), the number of ways to apply \(z_1\) additional Z Paulis to the first n qubits,

  5. \(\binom{n}{x_2} x_2!\), the number of ways to apply \(x_2\) X Paulis to the n traps that will not be changed by them,

  6. \(\binom{n}{z_2} z_2!\), the number of ways to apply \(z_2\) Z Paulis to the n traps that will not be changed by them, and

  7. \((3n-(d_x+d_y+d_z+x_1+y+z_1+x_2+z_2))!\), the number of ways to permute the remaining identity qubits, which simplifies to \((3n-d)!\).

The product, once simplified, is then:

$$\begin{aligned} \eta _P&= \frac{n!\,n!\,n!\,(3n-d)!}{(n-t-1-x_1-y-z_1)!\,(n-x_2)!\,(n-z_2)!} \\&= \prod \limits _{i=n-t-x_1-y-z_1}^{n}i\prod \limits _{i=n-x_2+1}^{n}i\prod \limits _{i=n-z_2+1}^{n}i\prod \limits _{i=1}^{3n-t-1-x_1-y-z_1-x_2-z_2}i \end{aligned} \tag{45}$$

Since t is fixed, in order to maximize the above expression, we need to minimize \(x_1, y, z_1, x_2, z_2\). This is achieved by setting \(x_1=y=z_1=x_2=z_2=0\), and therefore \(d=t+1\): we thus find that \(\eta _P \le \prod \limits _{i=n-t}^{n}i\prod \limits _{i=1}^{3n-t-1}i=\binom{n}{t+1}(t+1)!\,(3n-(t+1))!\).    \(\square \)
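The counting in the proof can be checked numerically. The following Python sketch is an added example, not code from the paper: for small n and t it multiplies the seven terms, confirms they equal the closed form in Eq. (45), and scans all admissible parameter tuples to confirm the maximum is the bound of Eq. (44), attained at \(x_1=y=z_1=x_2=z_2=0\). The function names are hypothetical, and the admissibility constraints (\(t+1+x_1+y+z_1 \le n\), \(x_2, z_2 \le n\)) are assumed from the term definitions.

```python
from itertools import product
from math import comb, factorial, perm

def eta_terms(n, t, dx, dy, dz, x1, y, z1, x2, z2):
    """Product of the seven counting terms listed in the proof."""
    free = n - t - 1                       # data positions left after the required t+1
    d = dx + dy + dz + x1 + y + z1 + x2 + z2
    multinomial = factorial(n) // (
        factorial(dx) * factorial(dy) * factorial(dz) * factorial(free))
    terms = [
        multinomial * factorial(dx) * factorial(dy) * factorial(dz),  # term 1
        perm(free, x1),             # term 2: C(free, x1) * x1!
        perm(free - x1, y),         # term 3
        perm(free - x1 - y, z1),    # term 4
        perm(n, x2),                # term 5
        perm(n, z2),                # term 6
        factorial(3 * n - d),       # term 7
    ]
    result = 1
    for term in terms:
        result *= term
    return result

def eta_closed(n, t, x1, y, z1, x2, z2):
    """First line of Eq. (45)."""
    d = t + 1 + x1 + y + z1 + x2 + z2
    return (factorial(n) ** 3 * factorial(3 * n - d)) // (
        factorial(n - t - 1 - x1 - y - z1) * factorial(n - x2) * factorial(n - z2))

def bound(n, t):
    """Right-hand side of Eq. (44)."""
    return comb(n, t + 1) * factorial(t + 1) * factorial(3 * n - (t + 1))

def maximise_eta(n, t):
    """Scan every admissible (x1, y, z1, x2, z2); return (max eta, maximiser)."""
    free, best, arg = n - t - 1, 0, None
    for x1, y, z1 in product(range(free + 1), repeat=3):
        if x1 + y + z1 > free:
            continue                       # cannot exceed the n data positions
        for x2, z2 in product(range(n + 1), repeat=2):
            closed = eta_closed(n, t, x1, y, z1, x2, z2)
            for dx in range(t + 2):        # every split dx + dy + dz = t + 1
                for dy in range(t + 2 - dx):
                    dz = t + 1 - dx - dy
                    assert eta_terms(n, t, dx, dy, dz, x1, y, z1, x2, z2) == closed
            if closed > best:
                best, arg = closed, (x1, y, z1, x2, z2)
    return best, arg
```
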

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Broadbent, A., Wainewright, E. (2016). Efficient Simulation for Quantum Message Authentication. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science, vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_4

  • DOI: https://doi.org/10.1007/978-3-319-49175-2_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49174-5

  • Online ISBN: 978-3-319-49175-2

  • eBook Packages: Computer Science, Computer Science (R0)
