Polynomial Code based Quantum Authentication

The paper Authentication of Quantum Messages by Barnum et al. provides a non-interactive scheme for the sender to encrypt as well as authenticate quantum messages. It was the first protocol designed to achieve the task of authentication for quantum states, i.e. it gives the guarantee that the message sent by a party (suppliant) over a communication line is received by a party on the other end (authenticator) as it is and, has not been tampered with or modified by the dishonest party (eavesdropper).

Tags: Two Party Protocol, Quantum Functionality, Specific Task, Building Block

Assumptions

The sender and the receiver share a private, classical random key drawn from a probability distribution

Notations

Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathcal{S}} : suppliant (sender)
${\mathcal {A}}$ : authenticator (prover)
$\rho$ : quantum message to be sent
$m$ : number of qubits in the message Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \rho}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \{Q_k\}} : stabilizer purity testing code, each stabilizer code is identified by index $k$
$n$ : number of qubits used to encode the message with Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \{Q_k\}}
$x$ : random binary $2m$ -bit key
$s$ : security parameter

Properties

For a $m$ -qubit message, the protocol requires $m+s$ qubits to encode the quantum message.
The protocol requires a private key of size $2m+O(s)$ .

Protocol Description

Preprocessing: ${\mathcal {S}}$ and ${\mathcal {A}}$ agree on some stabilizer purity testing code $\{Q_{k}\}$ and some private and random binary strings $k,x,y$ .
- $k$ is used to choose a random stabilizer code $Q_{k}$
- $x$ is a $2m$ -bit random key used for q-encryption
- $y$ is a random syndrome
Encryption and encoding:

${\mathcal {S}}$ q-encrypts the $m$ -qubit original message $\rho$ as $\tau$ using the classical key $x$ and a quantum one-time pad. This encryption is given by $\tau =\sigma _{x}^{{\vec {t}}_{1}}\sigma _{z}^{{\vec {t}}_{2}}\rho \sigma _{z}^{{\vec {1}}_{1}}\sigma _{x}^{{\vec {t}}_{1}}$ , where ${\vec {t}}_{1}$ and ${\vec {t}}_{2}$ are $m$ -bit vectors and given by the random binary key $x$ .
${\mathcal {S}}$ then encodes $\tau$ according to $Q_{k}$ with syndrome $y$ , which results in the $n$ -qubit state $\sigma$ . This means ${\mathcal {S}}$ encodes $\rho$ in $n$ qubits using $Q_{k}$ , and then "applies" errors according to the random syndrome.
${\mathcal {S}}$ sends $\sigma$ to ${\mathcal {A}}$ .

Decoding and decryption:

${\mathcal {A}}$ receives the $n$ qubits, whose state is denoted by $\sigma ^{\prime }$ .
${\mathcal {A}}$ measures the syndrome $y^{\prime }$ of the code $Q_{k}$ on his $n$ qubits in state $\sigma ^{\prime }$ .
${\mathcal {A}}$ compares the syndromes $y$ and $y^{\prime }$ and aborts the process if they are different.
${\mathcal {A}}$ decodes his $n$ -qubit word according to $Q_{k}$ obtaining $\tau ^{\prime }$ .
${\mathcal {A}}$ q-decrypts $\tau ^{\prime }$ using the random binary strings $x$ obtaining $\rho ^{\prime }$ .

Further Information

References

Barnum et al. (2002).

contributed by Shraddha Singh and Isabel Nha Minh Le