
How to re-use a one-time pad safely and almost optimally even if P = NP

Natural Computing

Abstract

Assuming an insecure quantum channel, a quantum computer, and an authenticated classical channel, we propose an unconditionally secure scheme for encrypting classical messages under a shared key, where attempts to eavesdrop on the ciphertext can be detected. If no eavesdropping is detected, we can securely re-use the entire key for encrypting new messages. If eavesdropping is detected, we must discard a number of key bits corresponding to the length of the message, but can re-use almost all of the rest. We show this is essentially optimal. Thus, provided the adversary does not interfere (too much) with the quantum channel, we can securely send an arbitrary number of message bits, independently of the length of the initial key. Moreover, the key-recycling mechanism only requires one-bit feedback. While ordinary quantum key distribution with a classical one-time pad could be used instead to obtain a similar functionality, this would need more rounds of interaction and more communication.

Fig. 1
Fig. 2


Notes

  1. Even in this case, QKD does something that is impossible classically: it generates a shared key that is longer than the initial one.

  2. Remember that the key length of \(\hat{K}\) is \(s\) conditioned on \({\mathcal{A}}_{\text{ok}}\) and \(t\) conditioned on \({\mathcal{A}}_{\text{no}}\).

  3. \((x_1,\ldots ,x_n)\prec (y_1,\ldots ,y_n)\) means that vector \(x\) is majorized by vector \(y\). That is, \(\sum _{i=1}^{\ell } x_i \le \sum _{i=1}^{\ell } y_i\) for all \(1\le \ell \le n\).

References


  • Ambainis A, Mosca M, Tapp A, de Wolf R (2000) Private quantum channels. In: 41st annual IEEE symposium on foundations of computer science (FOCS), pp 547–553

  • Barnum H, Crépeau C, Gottesman D, Smith A, Tapp A (2002) Authentication of quantum messages. In: 43rd annual IEEE symposium on foundations of computer science (FOCS), pp 449–458

  • Ben-Or M, Horodecki M, Leung DW, Mayers D, Oppenheim J (2005) The universal composable security of quantum key distribution. In: Theory of Cryptography Conference (TCC), vol. 3378 of Lecture Notes in Computer Science, Springer, New York, pp 386–406

  • Bennett CH, Brassard G, Breidbart S (1982) Quantum cryptography II: How to re-use a one-time pad safely even if P = NP.

  • Bhatia R (1997) Matrix analysis, graduate texts in mathematics. Springer, New York


  • Boykin PO, Roychowdhury V (2003) Optimal encryption of quantum bits. Phys Rev A 67(4):042317


  • Carter JL, Wegman MN (1977) Universal classes of hash functions. In: 9th annual ACM symposium on theory of computing (STOC), pp 106–112

  • Cleve R, Gottesman D, Lo H-K (1999) How to share a quantum secret. Phys Rev Lett 83(3):648–651


  • Damgård IB, Pedersen TB, Salvail L (2004) On the key-uncertainty of quantum ciphers and the computational security of one-way quantum transmission. In: Advances in Cryptology—EUROCRYPT ’04, vol. 3027 of Lecture Notes in Computer Science, Springer, New York, pp 91–108

  • Damgård IB, Pedersen TB, Salvail L (2005) A quantum cipher with near optimal key-recycling. In: Advances in Cryptology—CRYPTO ’05, vol. 3621 of Lecture Notes in Computer Science, Springer, New York, pp 494–510

  • Dziembowski S, Maurer UM (2004) On generating the initial key in the bounded-storage model. In: Advances in Cryptology—EUROCRYPT ’04, vol. 3027 of Lecture Notes in Computer Science, Springer, New York, pp 126–137

  • Hayden P, Leung D, Mayers D (2011) Authentication of quantum messages. Imaging Appl Opt

  • Hayden P, Leung D, Mayers D (2004) Authentication of quantum messages. J Cryptol 17:386–406


  • Lawrence J, Brukner Č (2002) Mutually unbiased binary observable sets on N qubits. Phys Rev A 65(3):5


  • Leung DW (2002) Quantum vernam cipher. Quantum Inf Comput 2(1):14–34


  • Lu C-J (2004) Encryption against storage-bounded adversaries from on-line strong extractors. J Cryptol 17:27–42


  • Mandayam P, Balachandran N, Wehner S (2010) A transform of complementary aspects with applications to entropic uncertainty relations. J Math Phys 51(8):082201


  • Nielsen MA, Chuang IL (2000) Quantum computation and quantum information. Cambridge university press, Cambridge


  • Oppenheim J, Horodecki M (2003) How to reuse a one-time pad and other notes on authentication, encryption and protection of quantum information. http://arxiv.org/abs/quant-ph/0306161

  • Renner R, König R (2005) Universally composable privacy amplification against quantum adversaries. In: Theory of Cryptography Conference (TCC), vol. 3378 of Lecture Notes in Computer Science, Springer, New York, pp 407–425

  • Shor PW, Preskill J (2000) Simple proof of security of the BB84 quantum key distribution protocol. Phys Rev Lett 85(2):441–444



  • Vadhan SP (2004) On constructing locally computable extractors and cryptosystems in the bounded storage model. J Cryptol 17:43–77


  • Wootters WK, Fields BD (1989) Optimal state-determination by mutually unbiased measurements. Ann Phys 191(2):363–381


  • Wootters WK, Sussman DM (2007) Discrete phase space and minimum-uncertainty states. In: Proceedings of the eighth international conference on quantum communication, measurement and computing, pp 296–274


Acknowledgments

Thomas Brochmann Pedersen was partially funded by European projects PROSECCO and SECOQC. Louis Salvail was supported by Canada’s NSERC and the QuantumWorks Network.

Author information

Correspondence to Louis Salvail.

Additional information

The extended abstract version of this paper originally appeared in Damgård et al. (2005) under the title "A Quantum Cipher with Near Optimal Key-Recycling".

About this article

Cite this article

Damgård, I., Pedersen, T.B. & Salvail, L. How to re-use a one-time pad safely and almost optimally even if P = NP. Nat Comput 13, 469–486 (2014). https://doi.org/10.1007/s11047-014-9454-5
