Block encryption of quantum messages
In modern cryptography, block encryption is a fundamental cryptographic
primitive. However, block encryption cannot achieve the same security as the
one-time pad. Quantum mechanics has changed modern cryptography, and many
studies have shown that quantum cryptography can go beyond the limitations of
classical cryptography.
This article proposes a new constructive mode for private quantum encryption,
named , which is a very simple method for constructing quantum
encryption from a classical primitive. Based on the mode, we
construct a quantum block encryption (QBE) scheme from pseudorandom functions.
If the pseudorandom functions are standard secure, our scheme is an
indistinguishable encryption under chosen-plaintext attack. If the pseudorandom
functions are permutations on the key space, our scheme achieves perfect
security. In our scheme the key can be reused but the randomness cannot, so a
-bit key can be used in an exponential number of encryptions, with the
randomness refreshed in each encryption. Thus a -bit key can
perfectly encrypt qubits, and perfect secrecy is not broken
if the -bit key is reused only an exponential number of times.
Compared with the quantum one-time pad (QOTP), our scheme can be as secure
as QOTP, and the secret key can be reused (whether or not eavesdropping
occurs). Thus, the limitation of perfectly secure encryption (Shannon's
theory) is broken in the quantum setting. Moreover, our scheme can be viewed as
a positive answer to the open problem in quantum cryptography "how to
unconditionally reuse or recycle the whole key of private-key quantum
encryption". To physically implement the QBE scheme, we only need to
implement two kinds of single-qubit gates (Pauli gates and the Hadamard gate),
so it is within reach of current quantum technology.
Comment: 13 pages, 1 figure. Prior version appears in
eprint.iacr.org(iacr/2017/1247). This version adds some analysis about
multiple-message encryption, and modifies lots of contents. There are no
changes about the fundamental result
On the Optimality of Quantum Encryption Schemes
It is well known that n bits of entropy are necessary and sufficient to
perfectly encrypt n bits (one-time pad). Even if we allow the encryption to be
approximate, the amount of entropy needed doesn't asymptotically change.
However, this is not the case when we are encrypting quantum bits. For the
perfect encryption of n quantum bits, 2n bits of entropy are necessary and
sufficient (quantum one-time pad), but for approximate encryption one
asymptotically needs only n bits of entropy. In this paper, we provide the
optimal trade-off between the approximation measure epsilon and the amount of
classical entropy used in the encryption of single quantum bits. Then, we
consider n-qubit encryption schemes which are a composition of independent
single-qubit ones and provide the optimal schemes both in the 2- and the
operator-norm. Moreover, we provide a counterexample to show that the
encryption scheme of Ambainis-Smith based on small-bias sets does not work in
the operator-norm.
Comment: 15 page
General Impossibility of Group Homomorphic Encryption in the Quantum World
Group homomorphic encryption represents one of the most important building
blocks in modern cryptography. It forms the basis of widely-used, more
sophisticated primitives, such as CCA2-secure encryption or secure multiparty
computation. Unfortunately, recent advances in quantum computation show that
many of the existing schemes completely break down once quantum computers reach
maturity (mainly due to Shor's algorithm). This leads to the challenge of
constructing quantum-resistant group homomorphic cryptosystems.
In this work, we prove the general impossibility of (abelian) group
homomorphic encryption in the presence of quantum adversaries, when assuming
the IND-CPA security notion as the minimal security requirement. To this end,
we prove a new result on the probability of sampling generating sets of finite
(sub-)groups if sampling is done with respect to an arbitrary, unknown
distribution. Finally, we provide a sufficient condition on homomorphic
encryption schemes for our quantum attack to work and discuss its
satisfiability in non-group homomorphic cases. The impact of our results on
recent fully homomorphic encryption schemes poses itself as an open question.
Comment: 20 pages, 2 figures, conferenc
Small Pseudo-Random Families of Matrices: Derandomizing Approximate Quantum Encryption
A quantum encryption scheme (also called private quantum channel, or state
randomization protocol) is a one-time pad for quantum messages. If two parties
share a classical random string, one of them can transmit a quantum state to
the other so that an eavesdropper gets little or no information about the state
being transmitted. Perfect encryption schemes leak no information at all about
the message. Approximate encryption schemes leak a non-zero (though small)
amount of information but require a shorter shared random key. Approximate
schemes with short keys have been shown to have a number of applications in
quantum cryptography and information theory.
This paper provides the first deterministic, polynomial-time constructions of
quantum approximate encryption schemes with short keys. Previous constructions
(quant-ph/0307104) are probabilistic--that is, they show that if the operators
used for encryption are chosen at random, then with high probability the
resulting protocol will be a secure encryption scheme. Moreover, the resulting
protocol descriptions are exponentially long. Our protocols use keys of the
same length as (or better length than) the probabilistic constructions; to
encrypt qubits approximately, one needs bits of shared key.
An additional contribution of this paper is a connection between classical
combinatorial derandomization and constructions of pseudo-random matrix
families in a continuous space.
Comment: 11 pages, no figures. In Proceedings of RANDOM 2004, Cambridge, MA,
August 200
Quantum key distribution via quantum encryption
A quantum key distribution protocol based on quantum encryption is presented
in this Brief Report. In this protocol, the previously shared
Einstein-Podolsky-Rosen pairs act as the quantum key to encode and decode the
classical cryptography key. The quantum key is reusable and the eavesdropper
cannot elicit any information from the particle Alice sends to Bob. The concept
of quantum encryption is also discussed.
Comment: 4 Pages, No Figure. Final version to appear in PR
Experimental Demonstration of Quantum Fully Homomorphic Encryption with Application in a Two-Party Secure Protocol
A fully homomorphic encryption system hides data from unauthorized parties while still allowing them to perform computations on the encrypted data. Aside from the straightforward benefit of allowing users to delegate computations to a more powerful server without revealing their inputs, a fully homomorphic cryptosystem can be used as a building block in the construction of a number of cryptographic functionalities. Designing such a scheme remained an open problem until 2009, decades after the idea was first conceived, and the past few years have seen the generalization of this functionality to the world of quantum machines. Quantum schemes prior to the one implemented here were able to replicate some features in particular use cases often associated with homomorphic encryption but lacked other crucial properties, for example, relying on continual interaction to perform a computation or leaking information about the encrypted data. We present the first experimental realization of a quantum fully homomorphic encryption scheme. To demonstrate the versatility of a quantum fully homomorphic encryption scheme, we further present a toy two-party secure computation task enabled by our scheme.