1. Quantum Public Key Cryptography with Information- Theoretic Security Daniel Gottesman Perimeter Institute

2. Advantages of Public Key Crypto High efficiency New protocols oPublic key encryption oDigital signatures Better key distribution and management oNo danger that public key compromised oConvert authenticated channel to secure channel in interactive setting (QKD can do this too) oCertificate authorities oPGP (many redistribution sites)

3. Quantum Public Keys Consider a map f: k  f k . k is the private key  f k  is the public key However, there is a limit. More copies of  f k  means more information about k, and even one copy generally leaks some information about k. For some maps f, it can be impossible (information-theoretically) to determine k, even given many copies of  f k .

4. Quantum Fingerprinting For example, we can let k be an O(2 n )-bit string and  f k  be n qubits long using quantum fingerprints (Buhrman, Cleve, Watrous, de Wolf 2001). One construction: Let C be a [2 n, r2 n, p2 n ] code, with max dist. (1-p)2 n, and let x (k,i) be the i th bit of the codeword encoding k. Then  f k  = 2 -n/2  i (-1) x(k,i)  i , which implies that   f j  f k    1-2p (when i  j).

5. Quantum One-Way Function Thus, the function f: k  f k  is hard (impossible, actually) to invert, even given many copies of the output. It is a one-way function. This is why it is safe to use  f k  as a public key: we can give it to many people without revealing the private key k. From n qubits, we can extract at most n classical bits of information, so T copies of  f k  can only give at most Tn bits of information about k, which is r2 n bits long.

6. One-Time Digital Signature Classical scheme (Lamport 1979): One-way function f(x), private key (k 0, k 1 ), public key (f(k 0 ), f(k 1 )). To sign a bit b, send (b, k b ). Private key (k 0 (i), k 1 (i) ) (i=1,..., M) Public key (  f k  ) (for k=k b (i) ) To sign b, send (b, k b (1), k b (2),..., k b (M) ). To verify, measure  f k  to check k = k b (i). Quantum scheme (Gottesman, Chuang 2001):

7. Different Levels of Acceptance Suppose s keys fail the measurement test: s  c 1 M  1-ACC: Message comes from Alice, other recipients will agree. c 1 M < s  c 2 M  0-ACC: Message comes from Alice, another recipient might disagree. s > c 2 M  REJ: Message might not come from Alice. Similar to classical pseudo-signatures (Chaum and Roijakkers 1991), which are information-theoretically secure, but with complex set-up procedure.

8. Quantum Public Key Encryption Protocol defines map k  U k (unitary) Alice’s private key k Public key (I  U k ) (  0  0  +  1  1  ) To encrypt a quantum state , teleport state through the public key, getting Pauli matrix P. Transmit P and 2nd register of public key. Alice receives (P, U k P  ). Decrypts by performing U k -1 then P -1.

9. Notes on Quantum Public Key Encryption Expends one copy of the public key per encrypted message. When U k runs over Pauli matrices, this is the one-time pad, but only one copy of public key is allowed. For larger sets of U k, it is impossible to learn k completely. However, I have no security proof.

10. SWAP test BCWW also introduced a test to check if two fingerprints are the same without knowing their exact state: fjfj fkfk  0  +  1  Controlled-SWAP Measure  0  +  1  vs.  0  -  1  fjfj fkfk If they are the same, + result (fingerprints are unchanged) If they are different, often - result

11. Distributed SWAP Test How can we do a SWAP test at a distance? A SWAP test against a bad key corrupts your copy. Two problems with the straight SWAP test: Distributed SWAP test: key SWAP 1 1 2 keep discard Bob Charlie

12. Quantum Public Key Distribution Alice B C D E F F can compare if the public keys received from B and D are the same.

13. Certificate Authorities A certificate authority signs other people’s public keys. Everyone has the CA’s public key already, and they trust the CA to verify the public key’s source. Main advantage: the CA only needs to be involved in the distant past. Can we make a certificate authority for quantum public keys?

14. No Signatures of Quantum States There is no signature scheme for unknown quantum states, even with computational security. Anyone who can read the signed state can change it. (BCGST 2002) Let  S k (  )  be the signed state for  (purified). To cheat:  S k (  )  To read the state, use U:  S k (  )     R k (  ) . But No-Cloning implies  R k (  )  =  R k  does not depend on .   R k  U   R k Sk()Sk() U -1

15. Signing Known Quantum States However, this argument does not apply to a state which is known by the signer, or even if the signer has multiple copies of . Can we sign a known quantum state? Yes, sort of: we can sign the classical description of the state. What we really want is to sign the state efficiently in the number of qubits. Can we do this? Unknown.

16. Signing Known Quantum States Solutions to this problem could potentially allow: More efficient quantum signatures: sign a fingerprint of the classical message. Reusable quantum signatures: sign a message plus a new quantum public key. Quantum certificate authority: Provide multiple copies of your public key to the CA, allowing him to sign them.

17. Quantum Signature Efficiency One-time quantum signatures are very inefficient, but if it is possible to sign known states as suggested on the previous slide, they could become very efficient. Key length to sign n-bit message: O(log n)? Number of messages from single key: exp.? However: length of private key is still proportional to # of copies of public key. None of this is proved.

18. Capabilities of Quantum Public Keys High efficiency (No?) New protocols oPublic key encryption (Yes?) oDigital signatures (Yes) Better key distribution and management oNo danger that public key compromised (Yes) oConvert authenticated channel to secure channel (Yes, QKD) oCertificate authorities (Yes??) oPGP (many redistribution sites) (Yes)