
    Quantum Lazy Sampling and Game-Playing Proofs for Quantum Indifferentiability

    Game-playing proofs constitute a powerful framework for non-quantum cryptographic security arguments, most notably applied in the context of indifferentiability. An essential ingredient in such proofs is lazy sampling of random primitives. We develop a quantum game-playing proof framework by generalizing two recently developed proof techniques. First, we describe how Zhandry's compressed quantum oracles (Crypto'19) can be used to do quantum lazy sampling of a class of non-uniform function distributions. Second, we observe how Unruh's one-way-to-hiding lemma (Eurocrypt'14) can also be applied to compressed oracles, providing a quantum counterpart to the fundamental lemma of game-playing. Subsequently, we use our game-playing framework to prove quantum indifferentiability of the sponge construction, assuming a random internal function

    Constraints on Multipartite Quantum Entropies

    The von Neumann entropy plays a vital role in quantum information theory. As the Shannon entropy does in classical information theory, the von Neumann entropy determines the capacities of quantum channels. Quantum entropies of composite quantum systems are important for future quantum network communication; their characterization is related to the so called quantum marginal problem. Furthermore, they play a role in quantum thermodynamics. In this thesis the set of quantum entropies of multipartite quantum systems is the main object of interest. The problem of characterizing this set is not new – however, progress has been sparse, indicating that the problem may be considered hard and that new methods might be needed. Here, a variety of different and complementary approaches are taken. First, I look at global properties. It is known that the von Neumann entropy region – just like its classical counterpart – forms a convex cone. I describe the symmetries of this cone and highlight geometric similarities and differences to the classical entropy cone. In a different approach, I utilize the local geometric properties of extremal rays of a cone. I show that quantum states whose entropy lies on such an extremal ray of the quantum entropy cone have a very simple structure. As the set of all quantum states is very complicated, I look at a simple subset called stabilizer states. I improve on previously known results by showing that under a technical condition on the local dimension, entropies of stabilizer states respect an additional class of information inequalities that is valid for random variables from linear codes. In a last approach I find a representation-theoretic formulation of the classical marginal problem simplifying the comparison with its quantum mechanical counterpart. This novel correspondence yields a simplified formulation of the group characterization of classical entropies (IEEE Trans. Inf. Theory, 48(7):1992–1995, 2002) in purely combinatorial terms

    Weak approximate unitary designs and applications to quantum encryption

    Unitary t-designs are the bread and butter of quantum information theory and beyond. An important issue in practice is that of efficiently constructing good approximations of such unitary t-designs. Building on results by Aubrun (Comm. Math. Phys. 2009), we prove that sampling d^t poly(t, log d, 1/ε) unitaries from an exact t-design provides with positive probability an ε-approximate t-design, if the error is measured in one-to-one norm distance of the corresponding t-twirling channels. As an application, we give a partially derandomized construction of a quantum encryption scheme that has roughly the same key size and security as the quantum one-time pad, but possesses the additional property of being non-malleable against adversaries without quantum side information

    Limitations on Uncloneable Encryption and Simultaneous One-Way-to-Hiding

    We study uncloneable quantum encryption schemes for classical messages as recently proposed by Broadbent and Lord. We focus on the information-theoretic setting and give several limitations on the structure and security of these schemes: Concretely, 1) We give an explicit cloning-indistinguishable attack that succeeds with probability 1/2 + μ/16 where μ is related to the largest eigenvalue of the resulting quantum ciphertexts. 2) For a uniform message distribution, we partially characterize the scheme with the minimal success probability for cloning attacks. 3) Under natural symmetry conditions, we prove that the rank of the ciphertext density operators has to grow at least logarithmically in the number of messages to ensure uncloneable security. 4) The simultaneous one-way-to-hiding (O2H) lemma is an important technique in recent works on uncloneable encryption and quantum copy protection. We give an explicit example which shatters the hope of reducing the multiplicative "security loss" constant in this lemma to below 9/8. Comment: v2 and v3: several fixes, including a missing attribution to Broadbent and Lor

    The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More

    We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of Σ-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of multi-round interactive proofs, and (2) whether Don et al.'s O(q^2) loss in security is optimal. Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a non-interactive OR proof by Liu, Wei and Wong. As for question (2), we show via a Grover-search based attack that Don et al.'s quadratic security loss for the Fiat-Shamir transformation of Σ-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor that depends on the number of rounds only, i.e. is constant for any constant-round interactive proof. Comment: 22 page

    Coarse-Graining Can Beat the Rotating Wave Approximation in Quantum Markovian Master Equations

    We present a first-principles derivation of the Markovian semi-group master equation without invoking the rotating wave approximation (RWA). Instead we use a time coarse-graining approach which leaves us with a free timescale parameter, which we can optimize. Comparing this approach to the standard RWA-based Markovian master equation, we find that significantly better agreement is possible using the coarse-graining approach, for a three-level model coupled to a bath of oscillators, whose exact dynamics we can solve for at zero temperature. The model has the important feature that the RWA has a non-trivial effect on the dynamics of the populations. We show that the two different master equations can exhibit strong qualitative differences for the population of the energy eigenstates even for such a simple model. The RWA-based master equation misses an important feature which the coarse-graining based scheme does not. By optimizing the coarse-graining timescale the latter scheme can be made to approach the exact solution much more closely than the RWA-based master equation

    Quantum non-malleability and authentication

    Abstract: In encryption, non-malleability is a highly desirable property: it ensures that adversaries cannot manipulate the plaintext by acting on the ciphertext. Ambainis et al. gave a definition of non-malleability for the encryption of quantum data. In this work, we show that this definition is too weak, as it allows adversaries to "inject" plaintexts of their choice into the ciphertext. We give a new definition of quantum non-malleability which resolves this problem. Our definition is expressed in terms of entropic quantities, considers stronger adversaries, and does not assume secrecy. Rather, we prove that quantum non-malleability implies secrecy; this is in stark contrast to the classical setting, where the two properties are completely independent. For unitary schemes, our notion of non-malleability is equivalent to encryption with a two-design (and hence also to the definition of Ambainis et al.). Our techniques also yield new results regarding the closely-related task of quantum authentication. We show that "total authentication" (a notion recently proposed by Garg et al.) can be satisfied with two-designs, a significant improvement over their eight-design-based construction. We also show that, under a mild adaptation of the rejection procedure, both total authentication and our notion of non-malleability yield quantum authentication as defined by Dupuis et al