# Uncloneable Encryption

This example protocol achieves the task of Unclonable Encryption in which the sender sends classical message encoded using quantum states to the receiver. An eavesdropper can neither decrypt the message without the key nor can he copy the encrypted message for later decoding without getting caught.

## Assumptions

• Classical authenticated channels are available between sender and receiver.

## Outline

The protocol requires a pre-shared set of four keys that are partially consumed in the protocol and that can be regenerated by using the protocol itself.

### Encoding phase:

The message is divided into parts (registers). A polynomial of degree equal to the number of parts is defined with the value of the registers as its coefficients. The constant term is chosen such that the first key value is a root of the polynomial. The string formed by coefficients of the polynomial is then XORed with the second key value. This classical pre-processing step is reminiscent to Shamir Secret Sharing scheme.

Both codes are then used in conjunction with the obtained string to pick a string to encode the pre-processed string such that the first one offers error protection against noise in the channel and the second one for privacy amplification.

The obtained classical string is then encoded in the computational or Hadamard basis according to the corresponding bit in the fourth key value and sent to the receiver.

### Decoding phase:

Upon receiving the qubits, they are measured in the computational or Hadamard basis according to the corresponding bit in the fourth key value.

Calculate the parity checks of the first classical code. If they are not equal to the third shared key value, there are errors in the state, which can be corrected using the standard decoding map. Evaluate the parity checks of ${\displaystyle C_{2}/C_{1}^{\perp }}$, producing another string.

The string obtained is XORed with the second key value and used as coefficients of a polynomial. The polynomial is then evaluated at the first key value and if it gives zero, the message is accepted. It is rejected otherwise.

## Notation

• ${\displaystyle n}$: Bit length of the message.
• ${\displaystyle r}$: Number of registers of size ${\displaystyle s}$ the message is divided into.
• ${\displaystyle s}$: Bit length of each register the message is divided into.
• ${\displaystyle k}$: Random key of length ${\displaystyle s}$.
• ${\displaystyle m_{k}}$: Value of the ${\displaystyle k^{th}}$ register for ${\displaystyle k\in \{0,1,..,r\}}$
• ${\displaystyle e}$: Random key of length ${\displaystyle n+s}$.
• ${\displaystyle c_{1}}$: Random key for selecting the coset from ${\displaystyle C_{1}}$.
• ${\displaystyle C_{1}}$: Classical linear code for correcting bit flip errors.
• ${\displaystyle C_{2}}$: Classical linear code for performing privacy amplification.
• ${\displaystyle y}$: XORed product of ${\displaystyle e}$ and ${\displaystyle m_{k}}$s.
• ${\displaystyle z}$: Random string from the coset ${\displaystyle y}$ selected from ${\displaystyle C_{1}/C_{2}^{\perp }}$.
• ${\displaystyle N}$: Bit length of ${\displaystyle z}$.
• ${\displaystyle b}$: Random key of length ${\displaystyle N}$.

## Requirements

Network stage: Prepare and measure.

• A classical linear code for correcting bit-flip errors.
• A classical linear code for performing privacy amplification.
• Basic state preparation and measurement devices.
• A classical and a quantum channel between the sender and the receiver.

## Properties

• It uses up more than twice as much key as a classical one-time pad but the key can be partially reused upon successful transmission. The scheme can also be used to regenerate the keys itself.
• The protocol can be used for QKD with some slight modifications.

## Protocol Description

Pre-shared key ${\displaystyle (k,e,c_{1},b)}$ is established.

### Encoding:

1. Divide the ${\displaystyle n}$-bit message into ${\displaystyle r}$ groups of ${\displaystyle s}$ bits.
2. Define a polynomial ${\displaystyle f}$ of degree ${\displaystyle r}$ whose first ${\displaystyle r}$ coefficients are the registers ${\displaystyle m_{0},m_{1},\ldots ,m_{r-1}}$ of the ${\displaystyle n}$-bit message.
3. The constant term, ${\displaystyle m_{r}}$, is chosen such that ${\displaystyle f(k)=0}$.
4. XOR the string ${\displaystyle (m_{0},\ldots ,m_{r})}$ with ${\displaystyle e}$, producing a new classical string ${\displaystyle y}$ of length ${\displaystyle n+s}$ bits.
5. Consider the particular coset of the classical error-correcting code ${\displaystyle C_{1}}$ given by the syndrome ${\displaystyle c_{1}}$.
6. Pick the string ${\displaystyle z}$ at random so that its coset of ${\displaystyle C_{1}/C_{2}^{\perp }}$ in the coset ${\displaystyle c_{1}}$ of ${\displaystyle C_{1}}$ corresponds to ${\displaystyle y}$
7. Transmit ${\displaystyle N}$ qubits after operations based on b such that:
1. When the ${\displaystyle i^{th}}$ bit of ${\displaystyle b}$ is ${\displaystyle 0}$, transmit the ${\displaystyle i^{th}}$ bit of ${\displaystyle z}$ in the computational basis.
2. When the ${\displaystyle i^{th}}$ bit of ${\displaystyle b}$ is ${\displaystyle 1}$, transmit the ${\displaystyle i^{th}}$ bit of ${\displaystyle z}$ in the Hadamard basis.

### Decoding:

1. Upon receiving the ${\displaystyle N}$ qubits, measure in the computational basis if the ${\displaystyle i^{th}}$ bit of ${\displaystyle b}$ is ${\displaystyle 0}$, else in the Hadamard basis the ${\displaystyle i^{th}}$ bit of ${\displaystyle b}$ is ${\displaystyle 1}$, to get ${\displaystyle z}$.
2. Calculate the parity checks of the classical code ${\displaystyle C_{1}^{\perp }}$. If they are not equal to the string ${\displaystyle c_{1}}$, there are errors in the state, which can be corrected using the standard decoding map.
3. Evaluate the parity checks of ${\displaystyle C_{2}/C_{1}^{\perp }}$, producing a ${\displaystyle n+s}$-bit string ${\displaystyle y}$.
4. XOR ${\displaystyle y}$ with ${\displaystyle e}$, producing a new string ${\displaystyle (m_{0},\ldots ,m_{r})}$.
5. Consider the ${\displaystyle (m_{0},\ldots ,m_{r})}$ as the coefficients of a polynomial ${\displaystyle f}$. Accept only if ${\displaystyle f(k)=0}$.
*contributed by Natansh Mathur