Authentication of Quantum Messages: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
==Functionality==
==Functionality==
If a person sends some information over an insecure channel (a dishonest/malicious party has access to the channel), what is the guarantee that the receiver on the other end will receive the same information as sent and not something which is modified or replaced by the dishonest party? Authentication of quantum channels/quantum states/quantum messages provides this guarantee to the users of a quantum communication line/ channel. The sender is called the suppliant (prover) and the receiver is called the authenticator. <br/> Note that, it is different from the functionality of [[Quantum Digital Signature|digital signatures]], a multi-party (more than two) protocol, which comes with additional properties (non-repudiation, unforgeability and transferability). Authenticating quantum states is possible but signing quantum states is impossible, as concluded in [[Authentication of Quantum Messages#References|(1)]].  
Imagine a person sends some quantum information to another pereson over an insecure channel, where a dishonest party has access to the channel. How can it be guaranteed that in the end the receiver has the same quantum information and not something modified or replaced by the dishonest party? Authentication of quantum channels/quantum states/quantum messages provides this guarantee to the users of a quantum communication line/ channel. The sender is called the suppliant (prover) and the receiver is called the authenticator. <br/> <br/>Note that, it is different from the functionality of [[Quantum Digital Signature|digital signatures]], a multi-party (more than two) protocol, which comes with additional properties (non-repudiation, unforgeability and transferability). Authenticating quantum states is possible, but signing quantum states is impossible, as concluded in [[Authentication of Quantum Messages#References|(1)]].  
Also, unlike [[Authentication of Classical Messages|classical message authentication]], quantum messages authentication requires encryption. However, classical messages can be publicly readable (not encrypted) and yet authenticated.
Also, unlike [[Authentication of Classical Messages|classical message authentication]], quantum message authentication requires encryption. However, classical messages can be publicly readable (not encrypted) and yet authenticated.


'''Tags:''' [[:Category:Two Party Protocols|Two Party Protocol]][[Category:Two Party Protocols]], [[Quantum Digital Signature]], [[:Category:Quantum Functionality|Quantum Functionality]][[Category:Quantum Functionality]], [[:Category:Specific Task|Specific Task]][[Category:Specific Task]], [[:Category:Building Blocks|Building Block]][[Category:Building Blocks]]
<br/>'''Tags:''' [[:Category:Two Party Protocols|Two Party Protocol]][[Category:Two Party Protocols]], [[Quantum Digital Signature]], [[:Category:Quantum Functionality|Quantum Functionality]][[Category:Quantum Functionality]], [[:Category:Specific Task|Specific Task]][[Category:Specific Task]], [[:Category:Building Blocks|Building Block]][[Category:Building Blocks]]


==Use Case==
==Use Case==
*No classical analogue
*No classical analogue
==Protocols==
==Protocols==
*Non-interactive Protocols
'''Non-interactive Protocols:'''
*Interactive Protocols
*[[Purity Testing based Quantum Authentication]]
*[[Polynomial Code based Quantum Authentication]]
*[[Clifford Code for Quantum Authentication]]
'''Interactive Protocols:'''
*tbd


==Properties==
==Properties==
*Any scheme which authenticates quantum messages must also encrypt them. [[Authentication of Quantum Messages#References|(1)]]
*Any scheme, which authenticates quantum messages must also encrypt them [[Authentication of Quantum Messages#References|(1)]].
*'''Definition 1:''' A quantum authentication scheme (QAS) is a pair of polynomial time quantum algorithms <math>\mathcal{S}</math> (suppliant) and <math>\mathcal{A}</math> (authenticator) together with a set of classical keys <math>K</math> such that:
*'''Definition: Quantum Authentication Scheme (QAS)''' <br/>A quantum authentication scheme (QAS) consists of a suppliant <math>\mathcal{S}</math>, an authenticator <math>\mathcal{A}</math> and a set of classical keys <math>K</math>. <math>\mathcal{S}</math> and <math>\mathcal{A}</math> are each polynomial time quantum algorithms. The following is fullfilled:
# <math>\mathcal{S}</math> takes as input an <math>m</math>-qubit message system <math>M</math> and a key <math>k\epsilon K</math> and outputs a transmitted system <math>T</math> of <math>m + t</math> qubits.
# <math>\mathcal{S}</math> takes as input an <math>m</math>-qubit message system <math>M</math> and a key <math>k\in K</math> and outputs a transmitted system <math>T</math> of <math>m + t</math> qubits.
# <math>\mathcal{A}</math> takes as input the (possibly altered) transmitted system <math>T</math>' and a classical key <math>k\epsilon K</math> and outputs two systems: a <math>m</math>-qubit message state <math>M</math>, and a single qubit <math>V</math> which indicates acceptance or rejection. The classical basis states of <math>V</math> are called <math>|ACC\rangle, |REJ\rangle</math> by convention. For any fixed key <math>k</math>, we denote the corresponding super-operators by <math>S_k</math> and <math>A_k</math>.
# <math>\mathcal{A}</math> takes as input the (possibly altered) transmitted system <math>T^\prime</math> and a classical key <math>k\in K</math> and outputs two systems: a <math>m</math>-qubit message state <math>M</math>, and a single qubit <math>V</math> which indicates acceptance or rejection. The classical basis states of <math>V</math> are called <math>|\mathrm{ACC}\rangle, |\mathrm{REJ}\rangle</math> by convention. </br>For any fixed key <math>k</math>, we denote the corresponding super-operators by <math>S_k</math> and <math>A_k</math>.
*For non-interactive protocols, a QAS is secure with error <math>\epsilon</math> for a state <math>|\psi\rangle</math> if it satisfies:
*'''Definition: Security of a QAS''' <br/>For non-interactive protocols, a QAS is secure with error <math>\epsilon</math> if it is complete for all states <math>|\psi\rangle</math> and has a soundness error <math>\epsilon</math> for all states <math>|\psi\rangle</math>. The latter is the case (for a specific state <math>|\psi\rangle</math>) if:
#Completeness: For all keys <math>k\epsilon K: A_k(S_k(|\psi\rangle \langle\psi|)=|\psi\rangle \langle\psi| \otimes |ACC\rangle \langle ACC|</math>
#''Completeness:'' <math>\forall k\in K: A_k(S_k(|\psi\rangle \langle\psi|)=|\psi\rangle \langle\psi| \otimes |\mathrm{ACC}\rangle \langle \mathrm{ACC}|</math> <br/>This means if no adversary has acted on the encoded quantum message <math>|\psi\rangle</math>, the quantum information received by <math>\mathcal{A}</math> is the same initially sent by <math>\mathcal{S}</math> and the single qubit <math>V</math> is in state <math>|\mathrm{ACC}\rangle \langle \mathrm{ACC}|</math>. To this end, we assume that the channel between <math>\mathcal{S}</math> and <math>\mathcal{A}</math> is noiseless if no adversary intervention appeared.
#Soundness: : For all super-operators <math>\mathcal{O}</math>, let <math>\rho_{auth}</math> be the state output be <math>\mathcal{A}</math> when the adversary’s intervention
#''Soundness:'' For all super-operators <math>\mathcal{O}</math>, let <math>\rho_\text{auth}</math> be the state output by <math>\mathcal{A}</math> when the adversary’s intervention is characterized by <math>\mathcal{O}</math>, that is: <math display=block>\rho_\text{auth}=\mathbf{E}_k\left[ \mathcal{A}_k\left( \mathcal{O}(\mathcal{S}(|\psi\rangle \langle\psi |)) \right) \right] = \frac{1}{|K|}\sum_k \mathcal{A}_k\left( \mathcal{O}(\mathcal{S}_k(|\psi\rangle \langle\psi |)) \right).</math> <br/>Here, <math>\mathbf{E}_k</math> means the expectation when <math>k</math> is chosen uniformly at random from <math>K.</math> The QAS then has a soundness error <math>\epsilon</math> for <math>|\psi\rangle</math> if <math display=block>\mathrm{Tr}\left( P_1^{|\psi\rangle}\rho_\text{auth} \right)\geq 1-\epsilon,</math> </br>where <math>P_1^{|\psi\rangle}</math> is the projector <math display=block>P_1^{|\psi\rangle} = |\psi\rangle \langle\psi | \otimes I_V + I_M \otimes |\mathrm{REJ}\rangle \langle \mathrm{REJ}| - |\psi\rangle \langle \psi| \otimes |\mathrm{REJ}\rangle \langle \mathrm{REJ}|.</math>
is characterized by <math>\mathcal{O}</math>, that is:


==Further Information==
==Further Information==
#[https://arxiv.org/pdf/quant-ph/0205128.pdf Barnum et al (2002)] First protocol on authentication of quantum messages. It is also used later for verification of quantum computation in [[Interactive Proofs for Quantum Computation]]. Protocol file for this article is given as the [[Polynomial Code based Quantum Authentication]]
#[https://arxiv.org/pdf/quant-ph/0205128.pdf Barnum et al (2002)] First protocol on authentication of quantum messages. It is also used later for verification of quantum computation in [[Interactive Proofs for Quantum Computation]]. Protocol file for this article is given as the [[Polynomial Code based Quantum Authentication]]
<div style='text-align: right;'>''contributed by Shraddha Singh''</div>
<div style='text-align: right;'>''contributed by Shraddha Singh and Isabel Nha Minh Le''</div>

Revision as of 16:48, 28 November 2021

Functionality

Imagine a person sends some quantum information to another pereson over an insecure channel, where a dishonest party has access to the channel. How can it be guaranteed that in the end the receiver has the same quantum information and not something modified or replaced by the dishonest party? Authentication of quantum channels/quantum states/quantum messages provides this guarantee to the users of a quantum communication line/ channel. The sender is called the suppliant (prover) and the receiver is called the authenticator.

Note that, it is different from the functionality of digital signatures, a multi-party (more than two) protocol, which comes with additional properties (non-repudiation, unforgeability and transferability). Authenticating quantum states is possible, but signing quantum states is impossible, as concluded in (1). Also, unlike classical message authentication, quantum message authentication requires encryption. However, classical messages can be publicly readable (not encrypted) and yet authenticated.


Tags: Two Party Protocol, Quantum Digital Signature, Quantum Functionality, Specific Task, Building Block

Use Case

  • No classical analogue

Protocols

Non-interactive Protocols:

Interactive Protocols:

  • tbd

Properties

  • Any scheme, which authenticates quantum messages must also encrypt them (1).
  • Definition: Quantum Authentication Scheme (QAS)
    A quantum authentication scheme (QAS) consists of a suppliant , an authenticator and a set of classical keys . and are each polynomial time quantum algorithms. The following is fullfilled:
  1. takes as input an -qubit message system and a key and outputs a transmitted system of qubits.
  2. takes as input the (possibly altered) transmitted system and a classical key and outputs two systems: a -qubit message state , and a single qubit which indicates acceptance or rejection. The classical basis states of are called by convention.
    For any fixed key , we denote the corresponding super-operators by and .
  • Definition: Security of a QAS
    For non-interactive protocols, a QAS is secure with error if it is complete for all states and has a soundness error for all states . The latter is the case (for a specific state ) if:
  1. Completeness:
    This means if no adversary has acted on the encoded quantum message , the quantum information received by is the same initially sent by and the single qubit is in state . To this end, we assume that the channel between and is noiseless if no adversary intervention appeared.
  2. Soundness: For all super-operators , let be the state output by when the adversary’s intervention is characterized by , that is:

    Here, means the expectation when is chosen uniformly at random from The QAS then has a soundness error for if

    where is the projector

Further Information

  1. Barnum et al (2002) First protocol on authentication of quantum messages. It is also used later for verification of quantum computation in Interactive Proofs for Quantum Computation. Protocol file for this article is given as the Polynomial Code based Quantum Authentication
contributed by Shraddha Singh and Isabel Nha Minh Le