Quantum public-key cryptosystems based on induced trapdoor one-way transformations


Quantum public-key cryptosystems based on induced trapdoor one-way transformations

Li Yang (a), Min Liang (a), Bao Li (a), Lei Hu (a), Deng-Guo Feng (b)
arXiv: v2 [quant-ph] 12 Jul 2011
(a) State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing, China
(b) State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China

Abstract
A concept named induced trapdoor one-way quantum transformation (OWQT) has been introduced, and a theoretical framework of public-key encryption (PKE) of quantum message is presented based on it. Then several kinds of quantum public-key encryption (QPKE) protocols, namely quantum versions of the RSA, ElGamal, Goldwasser-Micali, elliptic curve, McEliece, Niederreiter and Okamoto-Tanaka-Uchiyama PKE, are given within this framework. Though all of these protocols are only computationally secure, the last three are probably secure in the post-quantum era. Besides, theoretical frameworks for public-key authentication and signature of quantum message are also given based on the induced trapdoor OWQT. As examples, a public-key authentication protocol of quantum message based on the SN-S authentication scheme and two quantum digital signature protocols based on the RSA and McEliece algorithms respectively are presented.

Keywords: Cryptology of quantum information, quantum public-key encryption, quantum authentication, quantum digital signature, one-way quantum transformation

1. Introduction
Most public-key cryptosystems currently used are based on the hardness of problems such as integer factoring and discrete logarithms. Since these

Email address: yangli@gucas.ac.cn (Li Yang)

problems would not maintain their hardness in the post-quantum era [1], people have to consider cryptosystems based on other hard problems. It is believed that no efficient quantum algorithm exists for solving NP-complete problems [2]; therefore, cryptosystems based on NP-complete problems are regarded as good choices against quantum attacks. Okamoto et al. [3] constructed the first quantum public-key cryptosystem (QPKC) based on the subset-sum problem. Their key-generation algorithms include a quantum algorithm, though the private-key, public-key, plaintext and ciphertext are all classical. Gottesman and Chuang [4] constructed a quantum digital signature whose public key is quantum, but whose private-key and message are classical. In [5], a QPKC is constructed based on a hard problem called QSCD_ff, which has been proved to be one with bounded information-theoretic security. By using single-qubit rotations, Nikolopoulos [6] proposed a QPKC with classical private-key and quantum public-key. Based on quantum encryption, Gao et al. [7] presented a QPKC with symmetric keys, where two qubits from a Bell state serve as the public-key and the private-key respectively. Pan and Yang [8] constructed a quantum public-key encryption (QPKE) scheme with information-theoretic security. These QPKCs are all classical-bit oriented. Yang [9] proposed a QPKE scheme for quantum message encryption, which is a variation of the McEliece public-key cryptosystem [10]. In [11], quantum message authentication schemes were discussed. Based on the classical SN-S authentication code, a public-key authentication scheme of quantum message was also constructed [12].

This paper focuses on the public-key encryption (PKE), authentication and signature of quantum message. A concept named induced trapdoor one-way quantum transformation (OWQT) is introduced, and a computationally secure theoretical framework is presented based on it. QPKE protocols such as quantum versions of the RSA, ElGamal, Goldwasser-Micali, elliptic curve, McEliece, Niederreiter and Okamoto-Tanaka-Uchiyama PKE are given. Besides, theoretical frameworks for public-key authentication and signature of quantum message are also proposed.

2. Induced trapdoor one-way quantum transformation
The quantum transformation $U_f$ computing a function $f : \{0,1\}^n \to \{0,1\}^m$ is defined as
$$U_f(|x\rangle|y\rangle) = |x\rangle|y \oplus f(x)\rangle, \quad (1)$$

where $\oplus$ denotes bitwise addition in $F_2$. It is worth mentioning that the quantum transformation $U_{f^{-1}}$ computing $f^{-1}$ is not the same as $U_f^{-1}$, the inverse of $U_f$. Given a function $f(m, r)$, a unitary transformation computing $f$ is defined as
$$U_f(|m\rangle|r\rangle|0\rangle) = |m\rangle|r\rangle|f(m,r)\rangle. \quad (2)$$
Another unitary transformation $U(f,g)$, computing $m$ from the values of $f(m,r)$, $g(m,r)$ and $r$, is defined as
$$U(f,g)(|r\rangle|0\rangle|g(m,r)\rangle|f(m,r)\rangle) = |r\rangle|m\rangle|g(m,r)\rangle|f(m,r)\rangle. \quad (3)$$
The unitary transformation implemented via the quantum circuits $U_f$, $U_g$ and $U(f,g)$ is shown in Figure 1.

[Figure 1: The quantum circuit implementation of $U_{fg}(r)$ via $U_f$, $U_g$ and $U(f,g)$. Input wires $|r\rangle$, $|m\rangle$, $|0\rangle$, $|0\rangle$; output wires $|r\rangle$, $|0\rangle$, $|g(m,r)\rangle$, $|f(m,r)\rangle$.]

The quantum circuits $U_f$ and $U_g$ compute the functions $f(m,r)$ and $g(m,r)$ respectively. The quantum circuit $U(f,g)$ computes $m$ from $r$, $g(m,r)$ and $f(m,r)$. It can be seen that the quantum circuit in Figure 1 implements a unitary transformation defined as
$$U_{fg}(r)(|m\rangle|0\rangle|0\rangle) = |0\rangle|g(m,r)\rangle|f(m,r)\rangle, \quad (4)$$
where $g(m,r) \neq g(m',r)$ and $f(m,r) \neq f(m',r)$ if $m \neq m'$. To the receiver and to adversaries, this transformation can be regarded as a trace-preserving quantum operation.

Definition 1: Given a classical trapdoor one-way function $f(m,r)$ with a random parameter $r$, and a classical function $g(m,r)$, the quantum transformation $U_{fg}(r) : |m\rangle \mapsto |g(m,r)\rangle|f(m,r)\rangle$ is an induced trapdoor one-way quantum transformation if it satisfies:

1. Easy to operate. A sufficient condition is: both $f(m,r)$ and $g(m,r)$ can be computed efficiently; given $r$, one can efficiently get $m$ from $f(m,r)$ or $g(m,r)$.
2. Hard to invert. A sufficient condition is: from the values of $f(m,r)$ and $g(m,r)$, one cannot efficiently get both $m$ and $r$.
3. Easy to invert with the trapdoor $s$. A sufficient condition is: with the trapdoor $s$, one can efficiently get $m$ from $f(m,r)$ and $g(m,r)$, and efficiently get $r$ from $m$, $f(m,r)$ and $g(m,r)$.

Remark 1: In 1, it is required that $m$ can be efficiently obtained from $r$, $f(m,r)$ and $g(m,r)$. This condition is necessary for the implementation of the quantum transformation $U_{fg}(r)$, see Figure 1. Property 2 means that an adversary without $r$ cannot invert $U_{fg}(r)$. In 3, for the case that $r$ cannot be obtained even with the aid of the trapdoor $s$, we have to require that 1) $g(m,r) = g(r)$ or $g(m,r) = g(m)$; 2) $f(m,r)$ can be efficiently evaluated from $s$, $m$ and $g(m,r)$.

3. Public-key cryptosystems of quantum message
3.1. Public-key encryption
Consider encrypting a quantum message $\sum_m \alpha_m |m\rangle$ with the induced trapdoor OWQT $U_{fg}(r)$. The algorithm is as follows:
$$|r\rangle \sum_m \alpha_m |m\rangle|0\rangle|0\rangle \xrightarrow{1} |r\rangle \sum_m \alpha_m |m\rangle|g(m,r)\rangle|f(m,r)\rangle \xrightarrow{2} |r\rangle|0\rangle \sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle, \quad (5)$$
which completes the encryption transformation
$$U_{fg}(r)\Big(\sum_m \alpha_m |m\rangle|0\rangle|0\rangle\Big) = |0\rangle \sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle. \quad (6)$$
According to the definition of induced trapdoor OWQT, the quantum transformation $U_{fg}(r)$ is an efficient encryption transformation. It can be seen

that, given the value of $r$, the inverse transformation of $U_{fg}(r)$ can also be carried out efficiently. Because Bob does not know the value of $r$, the quantum cipher state is, to him, a mixed state with density matrix
$$\sum_r p_r \Big(\sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle\Big)\Big(\sum_m \alpha_m^{*} \langle g(m,r)|\langle f(m,r)|\Big). \quad (7)$$
Given the trapdoor $s$ of $f(m,r)$, the decryption transformation on the quantum cipher state $\sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle$ proceeds as follows (without loss of generality, we restrict our attention to a pure state in the decryption procedure). For the case that $r$ cannot be obtained, we require $g(m,r)$ to depend only on $m$ or only on $r$ (according to the definition of induced trapdoor OWQT, $g(m,r) = g(r)$ or $g(m,r) = g(m)$), and the decryption is as follows:
$$|s\rangle|0\rangle \sum_m \alpha_m |g(r)\rangle|f(m,r)\rangle \xrightarrow{1} |s\rangle \sum_m \alpha_m |m\rangle|g(r)\rangle|f(m,r)\rangle \xrightarrow{2} |s\rangle \sum_m \alpha_m |m\rangle|g(r)\rangle|0\rangle, \quad (8)$$
or
$$|s\rangle|0\rangle \sum_m \alpha_m |g(m)\rangle|f(m,r)\rangle \xrightarrow{1} |s\rangle \sum_m \alpha_m |m\rangle|g(m)\rangle|f(m,r)\rangle \xrightarrow{2} |s\rangle \sum_m \alpha_m |m\rangle|g(m)\rangle|0\rangle \xrightarrow{3} |s\rangle \sum_m \alpha_m |m\rangle|0\rangle|0\rangle. \quad (9)$$
Suppose $m$ can be efficiently obtained from the values of $f(m,r)$ and $g(m,r)$ with the trapdoor $s$ (see the sufficient condition of 3 in the definition of $U_{fg}(r)$);

then the first step can be carried out efficiently. If $f(m,r)$ can be efficiently computed from $s$, $m$ and $g(r)$, the second step can also be carried out efficiently (see 1, 3 and Remark 1). For the case that $r$ can be obtained with the trapdoor $s$, the decryption is as follows:
$$|s\rangle|0\rangle|0\rangle \sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle \xrightarrow{1} |s\rangle|r\rangle \sum_m \alpha_m |m\rangle|g(m,r)\rangle|f(m,r)\rangle \xrightarrow{2} |s\rangle|r\rangle \sum_m \alpha_m |m\rangle|0\rangle|0\rangle. \quad (10)$$
In the above two steps, the first step can be carried out efficiently according to property 3, and the quantum transformations $U_f$ and $U_g$ are efficiently performed in the second step. Then the quantum message $\sum_m \alpha_m |m\rangle$ can be obtained after polynomial-time quantum computation. Denote the decryption transformation by $D_{1s}(f,g)$ and $D_{2s}(f,g)$ for case 1 and case 2, respectively. The decryption transformations are as follows:
$$D_{1s}(f,g)\Big(|0\rangle \sum_m \alpha_m |g(r)\rangle|f(m,r)\rangle\Big) = \sum_m \alpha_m |m\rangle|g(r)\rangle|0\rangle, \quad (11)$$
or
$$D_{1s}(f,g)\Big(|0\rangle \sum_m \alpha_m |g(m)\rangle|f(m,r)\rangle\Big) = \sum_m \alpha_m |m\rangle|0\rangle|0\rangle, \quad (12)$$
$$D_{2s}(f,g)\Big(|0\rangle|0\rangle \sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle\Big) = |r\rangle \sum_m \alpha_m |m\rangle|0\rangle|0\rangle. \quad (13)$$
Then we arrive at the following protocol: $f(m,r)$ is a trapdoor one-way function, and Bob possesses its trapdoor $s$. $f(m,r)$ and $g(m,r)$ are public.
Encryption: To encrypt a quantum message $\sum_m \alpha_m |m\rangle$, Alice randomly selects a number $r$, then carries out the encryption transformation $U_{fg}(r)$ and obtains the cipher state $\sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle$. Then she sends the cipher state to Bob (notice that classical plaintext communication is allowed here).
Decryption: Bob performs the decryption transformation $D_{1s}(f,g)$ or $D_{2s}(f,g)$ on the cipher state, and gets the quantum message $\sum_m \alpha_m |m\rangle$.
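The encryption and decryption of Sec. 3.1, simulated on basis-state labels, as an added example (not the authors' code): it instantiates $U_{fg}(r)$ with the functions of the quantum RSA protocol of Sec. 4.1.1 (case 2, where $r$ is recovered) and of the quantum ElGamal protocol of Sec. 4.1.2 (case 1, where $r$ is never recovered). The toy primes, exponents and generator are constructed and offer no security; they only expose the structure.

```python
# Toy simulation of the induced trapdoor OWQT framework of Sec. 2 and 3.1,
# instantiated with the quantum RSA functions (case 2 decryption, r is
# recovered) and the quantum ElGamal functions (case 1, r is never recovered).
# Added example, not the authors' code; all parameters are constructed toys.
import math
import random

# A quantum message sum_m a_m |m> is stored as {m: a_m}. Every transformation
# in the framework only relabels basis states, so it is a permutation of keys
# and the amplitudes are carried along untouched.

def relabel(state, fn):
    """Apply |x> -> |fn(x)> to each branch. fn must be injective on the
    support (otherwise the map would not be unitary); the assert checks it."""
    out = {}
    for label, amp in state.items():
        new = fn(label)
        assert new not in out, "relabeling is not injective on the support"
        out[new] = amp
    return out

def overlap(a, b):
    """<a|b> for two states with real amplitudes."""
    return sum(a[x] * b[x] for x in a if x in b)

def encrypt(msg, f, g, r):
    """U_fg(r) of eq. (6): sum a_m |m>|0>|0> -> sum a_m |0>|g(m,r)>|f(m,r)>.
    The |m> register can be erased because m is computable from r, f and g."""
    return relabel(msg, lambda m: (g(m, r), f(m, r)))

# --- quantum RSA (Sec. 4.1.1): g(m,r) = m xor r, f(m,r) = m^e mod N ---------
P, Q = 11, 13                            # constructed toy primes
N = P * Q                                # 143
E = 7
S_RSA = pow(E, -1, (P - 1) * (Q - 1))    # trapdoor s = e^-1 mod phi(N) = 103

def rsa_f(m, r): return pow(m, E, N)
def rsa_g(m, r): return m ^ r

def rsa_decrypt(cipher):
    """D_2s of eq. (13): m = f^s mod N, then r = g xor m. r is identical in
    every branch, so its register factors out and only |m> is kept."""
    def inv(gf):
        g_val, f_val = gf
        m = pow(f_val, S_RSA, N)
        r = g_val ^ m                    # r recovered (eq. 10, step 1), then dropped
        return m
    return relabel(cipher, inv)

# --- quantum ElGamal (Sec. 4.1.2): g(m,r) = m, f(m,r) = m beta^r mod p,
#     beta = alpha^s; the value alpha^r mod p is sent classically ------------
PRIME, ALPHA, S_EG = 23, 5, 6            # constructed toy parameters
BETA = pow(ALPHA, S_EG, PRIME)           # 8

def eg_f(m, r): return (m * pow(BETA, r, PRIME)) % PRIME
def eg_g(m, r): return m

def eg_decrypt(cipher, alpha_r):
    """D_1s of eq. (12): Bob derives beta^r = (alpha^r)^s from the classical
    value and s, recomputes f from m and uncomputes the f register to |0>."""
    beta_r = pow(alpha_r, S_EG, PRIME)
    def inv(gf):
        m, f_val = gf
        assert (f_val - m * beta_r) % PRIME == 0, "f register did not uncompute"
        return m
    return relabel(cipher, inv)

def random_message(labels):
    """A normalised superposition over the given basis labels (constructed)."""
    amps = [random.random() + 0.1 for _ in labels]
    norm = math.sqrt(sum(a * a for a in amps))
    return {m: a / norm for m, a in zip(labels, amps)}

def check_rsa(labels, r):
    """True when D_2s inverts U_fg(r) on two random messages and the overlap
    of the two cipher states equals that of the plaintexts (eq. 44)."""
    m1, m2 = random_message(labels), random_message(labels)
    c1, c2 = encrypt(m1, rsa_f, rsa_g, r), encrypt(m2, rsa_f, rsa_g, r)
    same_overlap = abs(overlap(c1, c2) - overlap(m1, m2)) < 1e-12
    return rsa_decrypt(c1) == m1 and rsa_decrypt(c2) == m2 and same_overlap

def check_elgamal(labels, r):
    """Same check for the ElGamal instance; alpha^r mod p travels classically."""
    alpha_r = pow(ALPHA, r, PRIME)
    m1, m2 = random_message(labels), random_message(labels)
    c1, c2 = encrypt(m1, eg_f, eg_g, r), encrypt(m2, eg_f, eg_g, r)
    same_overlap = abs(overlap(c1, c2) - overlap(m1, m2)) < 1e-12
    return (eg_decrypt(c1, alpha_r) == m1 and eg_decrypt(c2, alpha_r) == m2
            and same_overlap)
```

A message with a single nonzero amplitude reduces to the classical RSA or ElGamal ciphertext, which is the degeneration noted in Discussion (2).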

3.2. Authentication
In a classical authentication scheme, the authentication rule is $h(m) = (m, a(m))$, where $a(m)$ is the authentication code of the message $m$. An authentication scheme for quantum message can be described as follows:
(1) Alice encodes a $k$-qubit message $\sum_m \alpha_m |m\rangle$ as follows:
$$\sum_m \alpha_m |m\rangle|0\rangle \to \sum_m \alpha_m |m\rangle|h(m)\rangle = \sum_m \alpha_m |m\rangle|m, a(m)\rangle \to \sum_m \alpha_m |0\rangle|m, a(m)\rangle. \quad (14)$$
(2) Alice encrypts the quantum state $\sum_m \alpha_m |m, a(m)\rangle$ via PKE of quantum message.
(3) Bob decrypts the received quantum state and obtains the plaintext $\sum_m \alpha_m |m, a(m)\rangle$.
(4) Bob carries out the following transformation on the quantum state $\sum_m \alpha_m |m, a(m)\rangle$:
$$\sum_m \alpha_m |m, a(m)\rangle|0\rangle \to \sum_m \alpha_m |m, a(m)\rangle|m\rangle \to \sum_m \alpha_m |0, a(m)\rangle|m\rangle \to \sum_m \alpha_m |0, a(m) \oplus a(m)\rangle|m\rangle = \sum_m \alpha_m |0\rangle|m\rangle. \quad (15)$$
(5) Bob measures the first register to check whether it is in the state $|0\rangle$; if so, he gets the authenticated message from Alice in the second register.
In this kind of authentication scheme of quantum message, the authentication rule $h(m)$ is public and the scheme is a public-key data integrity scheme.

Remark 2: If we require the scheme to be one against substitution, it should be modified slightly as follows. Suppose Alice's identity information $S$ cannot be forged. A quantum register named the identity register is

initialised with the quantum state $|S\rangle$. In step (1), Alice first carries out a Hadamard transformation $H^{\otimes l}$ on the quantum state $|S\rangle$, then encodes the quantum state $H^{\otimes l}(|S\rangle) \sum_m \alpha_m |m\rangle$. In step (5), Bob finally obtains the state $H^{\otimes l}(|S\rangle) \sum_m \alpha_m |m\rangle$. After step (5), he carries out the Hadamard transformation $H^{\otimes l}$ on the state $H^{\otimes l}(|S\rangle)$, gets $|S\rangle$, and measures it to identify the sender. Since the identity information $S$ cannot be forged, the attackers cannot substitute the message successfully.

3.3. Digital signature
Suppose $f : \{0,1\}^{k+n} \to \{0,1\}^{k'+n'}$ is a trapdoor one-way function and Alice has its trapdoor $s$. Alice signs a quantum message $\sum_m \alpha_m |m\rangle$ to Bob as follows:
(1) Bob randomly generates a number $r_B \in \{0,1\}^{k'}$ and sends it to Alice.
(2) Alice randomly generates a number $r_A \in \{0,1\}^{n'}$ and computes
$$f^{-1}(r_B, r_A) = (r, r'), \quad (16)$$
where $r \in \{0,1\}^k$ and $r' \in \{0,1\}^n$. Then Alice signs the quantum message $\sum_m \alpha_m |m\rangle$:
$$\sum_m \alpha_m |m\rangle \to \sum_m \alpha_m |m\rangle|f(m, r)\rangle, \quad (17)$$
and sends the quantum state $\sum_m \alpha_m |m\rangle|f(m,r)\rangle$ to Bob.
(3) Bob tells Alice that he has received the quantum state.
(4) Alice announces $r$ and $r'$.
(5) Bob computes $f(r, r')$ and checks whether its first $k'$ bits are $r_B$. Then he performs the transformation
$$\sum_m \alpha_m |m\rangle|f(m,r)\rangle \to \sum_m \alpha_m |m\rangle|0\rangle, \quad (18)$$
and measures the second quantum register. He accepts the signature if and only if the second register is in the state $|0\rangle$.

Remark 3: (1) These protocols are interactive digital signature protocols of quantum message. (2) They are undeniable signature protocols, and Alice's collaboration is needed during the verification. (3) Multiple verification is possible by copying $f(m,r)$ to other registers. But once the quantum message $\sum_m \alpha_m |m\rangle$ has been extracted, it is impossible to verify any more. So these signatures are signed on the envelope, and this kind of signature should be termed quantum sealing wax.

4. Concrete protocols
A quantum message is a sequence of pure states. Without loss of generality, we restrict our attention to the encryption and decryption of a pure state.

4.1. Encryption protocols without post-quantum security
4.1.1. Quantum RSA PKE
In RSA PKE [13], $p$ and $q$ are two large primes, $N = pq$, $\varphi(N) = (p-1)(q-1)$, $e$ satisfies $(e, \varphi(N)) = 1$, and $s = e^{-1} \bmod \varphi(N)$. According to the theoretical framework established in the previous section, we construct a PKE of quantum message which is a quantum version of RSA. Let $g(m,r) = m \oplus r$ and $f(m,r) = m^e \bmod N$; $s$ is the trapdoor of $f(m,r)$.
Encryption: Alice selects a value of $r$, then performs the following encryption transformation:
$$|r\rangle \sum_m \alpha_m |m\rangle|0\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|m^e \bmod N\rangle \to |r\rangle \sum_m \alpha_m |m \oplus r\rangle|m^e \bmod N\rangle. \quad (19)$$
After that, she sends Bob the cipher state $\sum_m \alpha_m |m \oplus r\rangle|m^e \bmod N\rangle$.
Decryption: After receiving the cipher state, Bob performs the decryption transformation using the private-key $s$:
$$|s\rangle \sum_m \alpha_m |m \oplus r\rangle|m^e \bmod N\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |m \oplus r\rangle|m^e \bmod N\rangle|(m^e)^s \bmod N\rangle = |s\rangle \sum_m \alpha_m |m \oplus r\rangle|m^e \bmod N\rangle|m\rangle$$

$$\to |s\rangle|r\rangle \sum_m \alpha_m |m^e \bmod N\rangle|m\rangle \to |s\rangle|r\rangle|0\rangle \sum_m \alpha_m |m\rangle. \quad (20)$$
Finally, Bob obtains the quantum message $\sum_m \alpha_m |m\rangle$.

4.1.2. Quantum ElGamal PKE
In the ElGamal PKE [14], $s$ is private and $p, \alpha, \beta$ are public, where $\beta = \alpha^s$. Let $g(m,r) = m$, with the classical value $\alpha^r \bmod p$ sent alongside, and $f(m,r) = m\beta^r \bmod p$. The quantum ElGamal PKE is as follows:
Encryption: Alice randomly selects a number $r$ and performs the following transformation to encrypt a quantum message $\sum_m \alpha_m |m\rangle$:
$$|r\rangle \sum_m \alpha_m |m\rangle|0\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|m\beta^r \bmod p\rangle. \quad (21)$$
Then Alice sends $\alpha^r \bmod p$ and the cipher state $\sum_m \alpha_m |m\rangle|m\beta^r \bmod p\rangle$ to Bob.
Decryption: After receiving the cipher state and $\alpha^r \bmod p$, Bob decrypts it using the private-key $s$. The procedure is as follows:
$$|s\rangle|\alpha^r \bmod p\rangle \sum_m \alpha_m |m\rangle|m\beta^r \bmod p\rangle \to |s\rangle|\alpha^r \bmod p\rangle \sum_m \alpha_m |m\rangle|m\beta^r - m(\alpha^r)^s \bmod p\rangle = |s\rangle|\alpha^r \bmod p\rangle \sum_m \alpha_m |m\rangle|0\rangle. \quad (22)$$
Then Bob obtains the quantum message $\sum_m \alpha_m |m\rangle$.

4.1.3. Quantum Goldwasser-Micali PKE
In the Goldwasser-Micali PKE [15], $p$ and $q$ are two primes, $N = pq$, and $t \in Z_N^{+1}$ is a quadratic nonresidue modulo $N$. $N, t$ are public and $p, q$ are private.

$Q_N(x) = 1$ if $x$ is a quadratic residue modulo $N$, otherwise $Q_N(x) = 0$. To encrypt a binary string $m = m_1 m_2 \cdots m_k$, Alice randomly selects $r_1, r_2, \ldots, r_k$, then computes $c_i = t^{m_i} r_i^2 \bmod N$ for $i = 1, 2, \ldots, k$. The numbers $(c_1, c_2, \ldots, c_k)$ are sent to Bob as the cipher. As Bob knows the factors of $N$, he can tell whether $c_i$ is a quadratic residue modulo $N$. Letting $m_i = Q_N(c_i)$, he obtains the plaintext $m = m_1 \cdots m_k$.
Let $g(m, r_1, \ldots, r_k) = (m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k)$ and $f(m, r_1, \ldots, r_k) = (c_1, \ldots, c_k)$, where $c_i = t^{m_i} r_i^2 \bmod N$ and $m_i$ is the $i$th bit of the binary string $m$. The quantum Goldwasser-Micali PKE is as follows:
Encryption: Alice encrypts the quantum message $\sum_m \alpha_m |m\rangle$ by computing
$$|r_1\rangle \cdots |r_k\rangle \sum_m \alpha_m |m\rangle|0\rangle|0\rangle \to |r_1\rangle \cdots |r_k\rangle \sum_m \alpha_m |m\rangle|0\rangle|c_1 \cdots c_k\rangle \to |r_1\rangle \cdots |r_k\rangle \sum_m \alpha_m |m\rangle|m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle \to |r_1\rangle \cdots |r_k\rangle|0\rangle \sum_m \alpha_m |m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle, \quad (23)$$
then sends the cipher state $\sum_m \alpha_m |m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle$ to Bob.
Decryption: After receiving the cipher state $\sum_m \alpha_m |m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle$, Bob computes
$$|p, q\rangle \sum_m \alpha_m |m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle|0\rangle \to |p, q\rangle \sum_m \alpha_m |m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2,$$

$$\ldots, (r_{k-1} \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle|m\rangle \to |p, q\rangle|r_1, \ldots, r_k\rangle \sum_m \alpha_m |m\rangle|c_1 \cdots c_k\rangle \to |p, q\rangle|r_1, \ldots, r_k\rangle \sum_m \alpha_m |m\rangle|0\rangle = |p, q\rangle|r_1, \ldots, r_k\rangle|0\rangle \sum_m \alpha_m |m\rangle. \quad (24)$$
Finally, Bob obtains the quantum message $\sum_m \alpha_m |m\rangle$.

4.1.4. Quantum elliptic curve PKE
In [16], the classical elliptic curve PKE is proposed. An elliptic curve defined over $Z_p$ ($p > 3$ prime) is the set of solutions $(x, y) \in Z_p \times Z_p$ to the equation $y^2 \equiv x^3 + ax + b \pmod p$, where $a, b \in Z_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$. The points on the elliptic curve form a group whose identity element is the point at infinity. Given a point $P$ different from the identity element, and $Q$ chosen as $sP$, $s$ is the private-key and $Q$ is the public-key. Let $g(m,r) = rP$ and $f(m,r) = mx_2$, where $x_2$ satisfies $(x_2, y_2) = rQ$. The quantum elliptic curve PKE is as follows.
Encryption: Alice randomly selects a number $r$ and computes $rQ = (x_2, y_2)$. Given any quantum message $\sum_m \alpha_m |m\rangle$, she carries out the encryption with $r$ as follows:
$$|r\rangle|0\rangle|0\rangle \sum_m \alpha_m |m\rangle \to |r\rangle|x_2, y_2\rangle \sum_m \alpha_m |m\rangle|rP\rangle \to |r\rangle|x_2, y_2\rangle|rP\rangle \sum_m \alpha_m |mx_2\rangle, \quad (25)$$
then sends the quantum state $|rP\rangle \sum_m \alpha_m |mx_2\rangle$.
Decryption: Bob receives the cipher state $|rP\rangle \sum_m \alpha_m |mx_2\rangle$, then uses $s$ to decrypt

it:
$$|s\rangle|rP\rangle \sum_m \alpha_m |mx_2\rangle \to |s\rangle|x_2, y_2\rangle \sum_m \alpha_m |mx_2\rangle \to |s\rangle|x_2, y_2\rangle \sum_m \alpha_m |m\rangle. \quad (26)$$
Finally, Bob obtains the quantum message $\sum_m \alpha_m |m\rangle$. Notice that in the cipher state, $|rP\rangle$ can be replaced with the classical message $(x_1, y_1)$.

4.2. Encryption protocols with post-quantum security
4.2.1. Quantum McEliece PKE [9]
Consider the McEliece PKE protocol [10]. Suppose $G$ is a $k \times n$ generator matrix of a Goppa code and $G' = SGP$, where $S$ is a $k \times k$ invertible matrix and $P$ is an $n \times n$ permutation matrix. We choose $G'$ as the public-key and $(S, G, P)$ as the private-key. Let $H$ be the check matrix of the Goppa code, satisfying $GH^T = 0$. Suppose $g(m,r) = 0$ and $f(m,r) = mG' \oplus r$. The quantum McEliece PKE scheme is as follows:
Encryption: Alice selects a random number $r$, and uses Bob's public-key $G'$ together with $r$ to encrypt a $k$-qubit state $\sum_m \alpha_m |m\rangle$ as follows:
$$|r\rangle \sum_m \alpha_m |m\rangle|0\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|mG'\rangle \to |r\rangle \sum_m \alpha_m |m \oplus (mG')G'^{-1}\rangle|mG'\rangle = |r\rangle|0\rangle \sum_m \alpha_m |mG'\rangle \to |r\rangle|0\rangle \sum_m \alpha_m |mG' \oplus r\rangle, \quad (27)$$
where the matrix $G'^{-1}$ is a generalized inverse of $G'$. Because $G'$ has full row rank, there exists $G'^{-1}$ satisfying $G'G'^{-1} = I_k$. This is the condition under which one can obtain $\sum_m \alpha_m |mG'\rangle$ from $\sum_m \alpha_m |m\rangle$. Alice sends the cipher state $\sum_m \alpha_m |mG' \oplus r\rangle$ to Bob.

Decryption: Bob uses his private-key $s = (S, G, P)$ to decrypt the state coming from Alice:
$$|s\rangle \sum_m \alpha_m |mG' \oplus r\rangle|0\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |mG' \oplus r\rangle|(mG' \oplus r)P^{-1}\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |0\rangle|(mG' \oplus r)P^{-1}\rangle|0\rangle = |s\rangle|0\rangle \sum_m \alpha_m |mSG \oplus rP^{-1}\rangle|0\rangle \to |s\rangle|0\rangle \sum_m \alpha_m |mSG \oplus rP^{-1}\rangle|(mSG \oplus rP^{-1})H^T\rangle = |s\rangle|0\rangle \sum_m \alpha_m |mSG \oplus rP^{-1}\rangle|rP^{-1}H^T\rangle, \quad (28)$$
then measures the second register to get $rP^{-1}H^T$, and finds $rP^{-1}$ via the fast decoding algorithm of the Goppa code generated by $G$. Bob carries out the following transformation on the quantum state $\sum_m \alpha_m |mSG \oplus rP^{-1}\rangle$ according to the value of $rP^{-1}$:
$$|rP^{-1}\rangle \sum_m \alpha_m |mSG \oplus rP^{-1}\rangle \to |rP^{-1}\rangle \sum_m \alpha_m |mSG\rangle. \quad (29)$$
Then he computes
$$|s\rangle \sum_m \alpha_m |mSG\rangle|0\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |mSG\rangle|mSGG^{-1}\rangle|0\rangle = |s\rangle \sum_m \alpha_m |mSG\rangle|mS\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |0\rangle|mS\rangle|0\rangle \to |s\rangle|0\rangle \sum_m \alpha_m |mS\rangle|mSS^{-1}\rangle = |s\rangle|0\rangle \sum_m \alpha_m |mS\rangle|m\rangle \to |s\rangle|0\rangle|0\rangle \sum_m \alpha_m |m\rangle. \quad (30)$$
Finally, the quantum message $\sum_m \alpha_m |m\rangle$ is obtained.
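The encryption of eq. (27) and Bob's decryption chain of eqs. (28) to (30), simulated on basis-state labels, as an added example that is not the authors' code. The Goppa code is replaced by a constructed systematic $[7,4]$ Hamming code with $t = 1$, so the "fast decoding algorithm" is a syndrome lookup table; the matrices $S$ and $P$ are constructed here as well.

```python
# Toy simulation of the quantum McEliece PKE of Sec. 4.2.1 (added example, not
# the authors' code). The Goppa code is replaced by the [7,4] Hamming code
# (t = 1), so the "fast decoding algorithm" is a syndrome lookup table; the
# matrices S and P are constructed. Only the relabeling of basis states by
# U_fg(r) and by Bob's decryption steps is modelled; amplitudes ride along.
import random

# GF(2) linear algebra on tuples of 0/1 (vectors) and tuples of rows (matrices)
def vm(v, M):
    """Row vector times matrix over GF(2)."""
    return tuple(sum(v[i] & M[i][j] for i in range(len(v))) % 2
                 for j in range(len(M[0])))

def mm(A, B):
    return tuple(vm(row, B) for row in A)

def tr(M):
    return tuple(zip(*M))

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def inv(M):
    """Gauss-Jordan inverse over GF(2); a StopIteration means M is singular."""
    n = len(M)
    aug = [list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return tuple(tuple(row[n:]) for row in aug)

# --- private code: systematic [7,4] Hamming code, G = [I_4 | A], H = [A^T | I_3]
K, N_LEN = 4, 7
A = ((1, 1, 0), (1, 0, 1), (0, 1, 1), (1, 1, 1))
G = tuple(tuple(int(i == j) for j in range(K)) + A[i] for i in range(K))
H = tuple(tuple(A[i][j] for i in range(K)) + tuple(int(j == c) for c in range(3))
          for j in range(3))
H_T = tr(H)                                   # G H^T = 0
G_INV = tuple(tuple(int(i == j) for j in range(K)) for i in range(N_LEN))
SYNDROMES = {H_T[i]: i for i in range(N_LEN)} # syndrome of a single error at i

def decode(syndrome):
    """Return the error vector of weight at most 1 having this syndrome."""
    err = [0] * N_LEN
    if any(syndrome):
        err[SYNDROMES[syndrome]] = 1
    return tuple(err)

# --- key generation: public G' = S G P, private (S, G, P) --------------------
S = ((1, 1, 0, 1), (0, 1, 1, 0), (1, 0, 1, 0), (0, 1, 0, 1))   # invertible
PERM = (3, 0, 6, 1, 5, 2, 4)
P = tuple(tuple(int(PERM[i] == j) for j in range(N_LEN)) for i in range(N_LEN))
S_INV, P_INV = inv(S), inv(P)
G_PUB = mm(mm(S, G), P)
G_PUB_INV = mm(mm(P_INV, G_INV), S_INV)       # generalized inverse, G' G'^-1 = I_k

def f(m, r):
    """f(m,r) = m G' xor r; g(m,r) = 0 carries no information and is dropped."""
    return xor(vm(m, G_PUB), r)

def random_error():
    """Constructed random error vector of weight t = 1."""
    r = [0] * N_LEN
    r[random.randrange(N_LEN)] = 1
    return tuple(r)

def relabel(state, fn):
    """Basis relabeling |x> -> |fn(x)>; amplitudes are untouched."""
    out = {}
    for label, amp in state.items():
        new = fn(label)
        assert new not in out, "relabeling is not injective on the support"
        out[new] = amp
    return out

def encrypt(msg, r):
    """U_fg(r) of eq. (27): sum a_m |m>|0> -> sum a_m |m G' xor r>."""
    return relabel(msg, lambda m: f(m, r))

def decrypt_label(c):
    """Bob's steps of eqs. (28)-(30) on a single basis label."""
    y = vm(c, P_INV)               # m S G xor r P^-1
    err = decode(vm(y, H_T))       # syndrome depends on r P^-1 only, (mSG) H^T = 0
    codeword = xor(y, err)         # m S G
    return vm(vm(codeword, G_INV), S_INV)   # (mS) via G^-1, then m via S^-1

def decrypt(cipher):
    return relabel(cipher, decrypt_label)

def property1_holds(m):
    """Alice can erase |m> in eq. (27) because (m G') G'^-1 = m."""
    return vm(vm(m, G_PUB), G_PUB_INV) == m

def roundtrip(msg):
    """Encrypt with a fresh weight-1 error and decrypt with the private key."""
    return decrypt(encrypt(msg, random_error())) == msg
```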

4.2.2. Quantum Niederreiter PKE
In the Niederreiter PKE protocol [17], $M$ is an invertible matrix, $H$ is a check matrix of a code with random-error-correcting capability $t$, and $P$ is a permutation matrix. Let $H' = MHP$. $(M, H, P)$ is the private-key and $H'$ is the public-key. Let $g(m,r) = m \oplus r$ and $f(m,r) = mH'^T$; the quantum Niederreiter PKE is as follows:
Encryption: Alice randomly selects an error vector $r$ satisfying $w(r) = t$, where $w(\cdot)$ denotes the Hamming weight. She encrypts a quantum message $\sum_m \alpha_m |m\rangle$ using $r$:
$$|r\rangle \sum_m \alpha_m |m\rangle|0\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|mH'^T\rangle \to |r\rangle \sum_m \alpha_m |m \oplus r\rangle|mH'^T\rangle, \quad (31)$$
then sends the quantum state $\sum_m \alpha_m |m \oplus r\rangle|mH'^T\rangle$ to Bob as the cipher state.
Decryption: Bob receives the cipher state and decrypts it as follows. He computes
$$\sum_m \alpha_m |m \oplus r\rangle|mH'^T\rangle \to \sum_m \alpha_m |m \oplus r\rangle|mH'^T \oplus (m \oplus r)H'^T\rangle = \sum_m \alpha_m |m \oplus r\rangle|rH'^T\rangle, \quad (32)$$
and then uses the private-key $s = (M, H, P)$ to compute $r$, which takes 4 steps: 1) measure the second register and obtain $rH'^T$; 2) compute $rH'^T(M^T)^{-1} = r(MHP)^T(M^T)^{-1} = rP^TH^T$; 3) find $rP^T$ via the fast decoding algorithm of the code generated by $H$; 4) compute $(rP^T)(P^T)^{-1} = r$. Finally, he performs the following transformation according to the value of $r$:
$$|r\rangle \sum_m \alpha_m |m \oplus r\rangle \to |r\rangle \sum_m \alpha_m |m\rangle, \quad (33)$$

and obtains the quantum message $\sum_m \alpha_m |m\rangle$.

4.2.3. Quantum Okamoto-Tanaka-Uchiyama PKE
In the Okamoto-Tanaka-Uchiyama PKE scheme [3], $(g, d, p, p_1, p_2, \ldots, p_n)$ is the private-key. The public-key $(n, k, b_1, b_2, \ldots, b_n)$ is computed from the private-key with Shor's algorithm for finding discrete logarithms [1]. In the encryption procedure, the plaintext $m$ is encoded into a codeword $e(m) = e_1 e_2 \cdots e_n$ of constant weight $k$, and the cipher is $c(m) = \sum_{i=1}^{n} e_i b_i$. In the decryption procedure, Bob computes $u = g^{(c - kd) \bmod (p-1)} \bmod p$, then sets $e_i = 1$ if $p_i \mid u$ and $e_i = 0$ otherwise. Finally, he computes $m = \sum_{i=1}^{n} e_i\, C_{n-i}^{\,k - \sum_{j=1}^{i} e_j}$.
Let $g(m,r) = m \oplus r$ and $f(m,r) = f(m) = \sum_{i=1}^{n} e_i b_i$, where $e_1 \cdots e_n$ is the constant-weight code of $m$. We construct a quantum Okamoto-Tanaka-Uchiyama PKE as follows.
Encryption: Alice randomly selects a number $r$, then encrypts the quantum message $\sum_m \alpha_m |m\rangle$ using $r$ and the public-key $(n, k, b_1, b_2, \ldots, b_n)$. Suppose $e(m) = e_1 e_2 \cdots e_n$ is the constant-weight encoding of $m$, and $c(m) = \sum_{i=1}^{n} e_i b_i$ is the cipher of $m$. Alice computes
$$|r\rangle \sum_m \alpha_m |m\rangle|0\rangle|0\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|0\rangle|e(m)\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|c(m)\rangle|e(m)\rangle \to |r\rangle \sum_m \alpha_m |m\rangle|c(m)\rangle|0\rangle \to |r\rangle \sum_m \alpha_m |m \oplus r\rangle|c(m)\rangle|0\rangle, \quad (34)$$
then obtains the cipher state $\sum_m \alpha_m |m \oplus r\rangle|c(m)\rangle$.
Decryption: Bob uses his private-key $s = (g, d, p, p_1, p_2, \ldots, p_n)$ to decrypt the cipher state. During the decryption process, in order to get $e(m)$ from $c(m)$, Bob

first computes $u = g^{(c(m) - kd) \bmod (p-1)} \bmod p$, then checks whether $p_i \mid u$ for each $i \in \{1, 2, \ldots, n\}$. If $p_i \mid u$, he sets $e_i = 1$; otherwise, he sets $e_i = 0$. Based on this algorithm, he can compute
$$|s\rangle \sum_m \alpha_m |m \oplus r\rangle|c(m)\rangle|0\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |m \oplus r\rangle|c(m)\rangle|e(m)\rangle|0\rangle \to |s\rangle \sum_m \alpha_m |m \oplus r\rangle|c(m)\rangle|e(m)\rangle|m\rangle \to |s\rangle|r\rangle \sum_m \alpha_m |c(m)\rangle|e(m)\rangle|m\rangle \to |s\rangle|r\rangle|0\rangle \sum_m \alpha_m |e(m)\rangle|m\rangle \to |s\rangle|r\rangle|0\rangle|0\rangle \sum_m \alpha_m |m\rangle. \quad (35)$$
Finally, he obtains the quantum message $\sum_m \alpha_m |m\rangle$.

4.3. Remarks on the QPKE protocols
We have proposed seven QPKE protocols, all of which fall under our theoretical framework. The four protocols in Sec. 4.1 are based on the factoring problem or the discrete logarithm problem, which can be solved efficiently on a quantum computer. However, these protocols help us to understand the theoretical framework of quantum-message-oriented PKE. The three protocols in Sec. 4.2 are based on the hardness of NP-complete problems and are currently regarded as ones with post-quantum security. In this section, we give a brief overview of the above seven protocols.
(1) Quantum RSA PKE: $g(m,r) = m \oplus r$, $f(m,r) = m^e \bmod N$, and the trapdoor is $s = e^{-1} \bmod \varphi(N)$.
(2) Quantum ElGamal PKE: $g(m,r) = m$, $f(m,r) = m\beta^r \bmod p$, and the trapdoor $s$ satisfies $\beta = \alpha^s$. In this protocol, the classical message $\alpha^r \bmod p$ must be transmitted.

(3) Quantum Goldwasser-Micali PKE: $g(m, r_1, \ldots, r_k) = (m \oplus r_1, (r_1 \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} \bmod 2^k) \oplus r_k)$ and $f(m, r_1, \ldots, r_k) = (c_1, \ldots, c_k)$, where $c_i = t^{m_i} r_i^2 \bmod N$ and $m_i$ is the $i$th bit of the binary string $m$. In this protocol, the primes $p, q$ are the trapdoor, which satisfy $pq = N$.
(4) Quantum elliptic curve PKE: $g(m,r) = rP$ and $f(m,r) = mx_2$, where $x_2$ satisfies $(x_2, y_2) = rQ$. The trapdoor $s$ satisfies $Q = sP$. In this protocol, $|rP\rangle$ in the cipher state can be replaced with the classical message $rP = (x_1, y_1)$.
(5) Quantum McEliece PKE: $g(m,r) = 0$ and $f(m,r) = mG' \oplus r$. The trapdoor $s = (S, G, P)$ satisfies $SGP = G'$.
(6) Quantum Niederreiter PKE: $g(m,r) = m \oplus r$ and $f(m,r) = mH'^T$. The trapdoor $s = (M, H, P)$ satisfies $MHP = H'$.
(7) Quantum Okamoto-Tanaka-Uchiyama PKE: $g(m,r) = m \oplus r$ and $f(m,r) = \sum_{i=1}^{n} e_i b_i$, where $e_1 \cdots e_n$ is the constant-weight encoding of $m$. The trapdoor is $s = (g, d, p, p_1, p_2, \ldots, p_n)$.
Among these seven QPKE protocols, protocols (2) and (4) belong to the case of Formulas (8) and (9). In these two protocols, a classical message is transferred and the value of $r$ is not computed during the decryption process. The other protocols belong to the case of Formula (10): no classical information is transferred, and $r$ is computed during the decryption process.

4.4. An authentication protocol [12]
Consider the original SN-S authentication scheme [18]. Suppose the generator matrix $G_s$ is a $k \times n_1$ matrix in standard form, $G_s = [I_k \; A]$, where $I_k$ is the $k \times k$ identity matrix and $A$ is chosen randomly from the $k \times (n_1 - k)$ matrices. The $[n_1, k]$ linear code generated by $G_s$ need not have any

error-correcting or error-detecting capability. The generalized inverse matrix $G_s^{-1}$ satisfies $G_s G_s^{-1} = I_k$. Suppose the parity check matrix of the linear code generated by $G_s$ is $H_s$; then $H_s = [-A^T \; I_{n_1 - k}]$. Public-key authentication of quantum message is proposed in the following steps.
(1) Alice encodes a $k$-qubit message $\sum_m \alpha_m |m\rangle$ into an $n_1$-qubit one as follows:
$$\sum_m \alpha_m |m\rangle|0\rangle \to \sum_m \alpha_m |m\rangle|mG_s\rangle \to \sum_m \alpha_m |m \oplus (mG_s)G_s^{-1}\rangle|mG_s\rangle = \sum_m \alpha_m |0\rangle|mG_s\rangle. \quad (36)$$
(2) Alice uses Bob's public-key $G'$ to encrypt the $n_1$-qubit state $\sum_m \alpha_m |mG_s\rangle$ via the quantum McEliece PKE.
(3) Bob uses his private-key $(S, G, P)$ to decrypt the received quantum state and obtains the $n_1$-qubit plaintext $\sum_m \alpha_m |mG_s\rangle$.
(4) Bob performs the following transformations on the quantum state $\sum_m \alpha_m |mG_s\rangle$:
$$|0\rangle|0\rangle \sum_m \alpha_m |mG_s\rangle \to |0\rangle \sum_m \alpha_m |mG_s G_s^{-1}\rangle|mG_s\rangle = |0\rangle \sum_m \alpha_m |m\rangle|mG_s\rangle \to \sum_m \alpha_m |mG_s H_s^T\rangle|m\rangle|mG_s\rangle = |0\rangle \sum_m \alpha_m |m\rangle|mG_s\rangle \to |0\rangle \sum_m \alpha_m |m\rangle|mG_s \oplus mG_s\rangle = |0\rangle|0\rangle \sum_m \alpha_m |m\rangle. \quad (37)$$
(5) Bob measures the first register to check whether it is in the state $|0\rangle$. If it is, he accepts the message in the third register.
For the case that $G_s$ is public, the scheme is a public-key data integrity scheme. This scheme can be modified into one against substitution; the details are given in Remark 2 of Sec. 3.2.

4.5. Quantum message signature protocols
We have established a theoretical framework of signature of quantum message. Here, two protocols are proposed as instances of the theoretical

framework. One is not secure in the post-quantum era, while the other is post-quantum secure.
In the first protocol, we take the function $f(x) = x^e \bmod N$ as the trapdoor one-way function, where the numbers $e$ and $N$ are the same as in Sec. 4.1.1. Because $f(x) = x^e \bmod N$ is a trapdoor one-way permutation, it can be expressed as $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^k \times \{0,1\}^n$, where $k + n = \log_2 N$. That means, in the framework described in Sec. 3.3, the random number generated by Bob is $r_B \in \{0,1\}^k$ and the random number generated by Alice is $r_A \in \{0,1\}^n$. Alice uses her private-key $d$ to compute $f^{-1}(r_B, r_A) = (r_B, r_A)^d \bmod N = (r, r')$, then obtains $r \in \{0,1\}^k$ and $r' \in \{0,1\}^n$. With the number $r$ and the function $f$, Alice signs the $n$-qubit message $\sum_m \alpha_m |m\rangle$ and gets the $(k+2n)$-qubit state $\sum_m \alpha_m |m\rangle|(r, m)^e \bmod N\rangle$, then sends it to Bob. After receiving the quantum state, Bob tells Alice that he has received it. Then Alice announces $r$ and $r'$. Bob computes $(r, r')^e \bmod N$, and if its first $k$ bits are $r_B$, he performs the transformation
$$\sum_m \alpha_m |m\rangle|(r, m)^e \bmod N\rangle \to \sum_m \alpha_m |m\rangle|0\rangle. \quad (38)$$
Bob measures the second quantum register and accepts the signature if and only if the second register is in the state $|0\rangle$. This signature protocol bases its security on the hardness of the factoring problem. Because an efficient quantum algorithm exists for this problem [1], the protocol is not secure in the post-quantum era.
In the second protocol, we take the function $f(x) = x_1 G' \oplus x_2$, where $x \in \{0,1\}^{k+n}$ is divided into two parts $x_1 \in \{0,1\}^k$ and $x_2 \in \{0,1\}^n$, and the $k \times n$ matrix $G'$ is the same as in Sec. 4.2.1. Thus the trapdoor one-way function can be expressed as $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^{n/2} \times \{0,1\}^{n/2}$. In the framework described in Sec. 3.3, the random number generated by Bob is $r_B \in \{0,1\}^{n/2}$ and the random number generated by Alice is $r_A \in \{0,1\}^{n/2}$. It is required that $W_H(r_A) = W_H(r_B) = t/2$, where $W_H(x)$ denotes the Hamming weight of $x$ and $t$ is the correctable number of errors. Alice uses her private-key $s = (S, G, P)$ to compute $(r', r)$ satisfying $r'G' \oplus r = (r_B, r_A)$, then obtains $r' \in \{0,1\}^k$ and $r \in \{0,1\}^n$.
With the number $r$ and the function $f$, Alice signs the $k$-qubit message $\sum_m \alpha_m |m\rangle$ and gets the $(2k+n)$-qubit state $\sum_m \alpha_m |m\rangle|mG' \oplus r\rangle$, then sends it to Bob. After receiving the quantum state, Bob tells Alice that he has received it. Then Alice announces $r$ and $r'$. Bob computes $r'G' \oplus r$, and if its first $n/2$ bits are $r_B$, he performs the

transformation
$$\sum_m \alpha_m |m\rangle|mG' \oplus r\rangle \to \sum_m \alpha_m |m\rangle|0\rangle, \quad (39)$$
and measures the second quantum register. He accepts the signature if and only if the second register is in the state $|0\rangle$.
For the second protocol, it is worth mentioning that, in order to make it possible to compute $f^{-1}$ efficiently, the sum of the Hamming weights of $r_A$ and $r_B$ must not exceed $t$. Denote by $H$ the check matrix of the code generated by $G$. If $r'G' \oplus r = (r_B, r_A)$, then from $(r'G' \oplus r)P^{-1}H^T = rP^{-1}H^T$ we have $rP^{-1}H^T = (r_B, r_A)P^{-1}H^T$. Because $P$ is an $n \times n$ permutation, $W_H(wP^{-1}) = W_H(w)$ for any $w \in \{0,1\}^n$. Then $W_H(r) = W_H(r_B, r_A) = W_H(r_B) + W_H(r_A)$. Because $W_H(r)$ must not exceed $t$, the sum of the Hamming weights of $r_A$ and $r_B$ must not exceed $t$ either. Here, we take $W_H(r_A) = W_H(r_B) = t/2$ for convenience.

5. Security evaluation
Now we evaluate the security of the proposed theoretical frameworks.
Proposition 1: In the QPKE framework based on induced trapdoor OWQT, the encryption transformation does not decrease the fidelity between two quantum states.
Proof: For two quantum messages $|M_1\rangle = \sum_m \alpha_m |m\rangle$ and $|M_2\rangle = \sum_m \alpha'_m |m\rangle$, their fidelity is
$$F(|M_1\rangle, |M_2\rangle) = |\langle M_1 | M_2 \rangle| = \Big|\sum_m \alpha_m^{*} \alpha'_m\Big|. \quad (40)$$
The ciphers of $|M_1\rangle$ and $|M_2\rangle$ are $\sum_r p_r \rho_r$ and $\sum_r p_r \sigma_r$ respectively, where $\rho_r$ and $\sigma_r$ can be expressed as
$$\rho_r = \Big(\sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle\Big)\Big(\sum_m \alpha_m^{*} \langle g(m,r)|\langle f(m,r)|\Big), \quad (41)$$
and
$$\sigma_r = \Big(\sum_m \alpha'_m |g(m,r)\rangle|f(m,r)\rangle\Big)\Big(\sum_m \alpha'^{*}_m \langle g(m,r)|\langle f(m,r)|\Big). \quad (42)$$

According to the joint concavity of fidelity, it holds that
$$F\Big(\sum_r p_r \rho_r, \sum_r p_r \sigma_r\Big) \geq \sum_r p_r F(\rho_r, \sigma_r). \quad (43)$$
Because $\rho_r$ and $\sigma_r$ are pure states,
$$F(\rho_r, \sigma_r) = \Big|\sum_{m,n} \alpha_m^{*} \alpha'_n \langle g(m,r)|g(n,r)\rangle \langle f(m,r)|f(n,r)\rangle\Big| = \Big|\sum_m \alpha_m^{*} \alpha'_m\Big| = F(|M_1\rangle, |M_2\rangle). \quad (44)$$
Therefore, $F(\sum_r p_r \rho_r, \sum_r p_r \sigma_r) \geq F(|M_1\rangle, |M_2\rangle)$. From this proposition, we also know that the trace distance between two quantum states does not increase after the encryption transformation. These results hold because the encryption transformation can be regarded as a trace-preserving quantum operation to Bob and Eve.

According to the definition of induced trapdoor OWQT, the functions $f(m,r)$ and $g(m,r)$ are classical functions. Finding the trapdoor $s$ is a classical computational problem in each protocol. Thus, the QPKE protocols based on induced trapdoor OWQT are only computationally secure. Now we prove that those seven encryption protocols are at least as secure as their classical counterparts.

Theorem 2: The quantum McEliece PKE is more secure than the classical McEliece PKE.
Proof: Suppose there is a quantum algorithm $A$ which can efficiently transform the cipher state $\sum_m \alpha_m |mG' \oplus r\rangle$ into the quantum message $\sum_m \alpha_m |m\rangle$. In order to decrypt an arbitrary classical cipher $m_0 G' \oplus r_0$, we first prepare the quantum state $|m_0 G' \oplus r_0\rangle$. Then the quantum state $|m_0 G' \oplus r_0\rangle$ is given as input to the quantum algorithm $A$, and will be transformed into the quantum state $|m_0\rangle$. Finally, the classical message $m_0$ is obtained by measuring the output quantum state $|m_0\rangle$. Thus, if there is an attack on the quantum McEliece PKE, there is an attack on the classical McEliece PKE. However, an attack on the classical McEliece PKE does not imply an attack on the quantum McEliece PKE. There are several kinds of attacks on the classical McEliece PKE, such as the Korzhik-Turkin attack [19], the message-resend attack

and the related-message attack [20]. Since the details of the Korzhik-Turkin attack have not been published so far, the efficiency of this attack is still an open problem. Because an iterative decoding algorithm is used in the Korzhik-Turkin attack, and a quantum state cannot be reused, it fails when attacking the quantum McEliece PKE. Though the classical McEliece PKE has to be improved to prevent the message-resend attack and the related-message attack [21], these attacks also fail against the quantum McEliece PKE. Therefore, the quantum McEliece PKE is more secure than the classical McEliece PKE.
In the same way, it can be proved that the other QPKE protocols within our framework are at least as secure as their classical counterparts.
In our framework of authentication, QPKE schemes are used to ensure that the quantum message with authentication is transmitted securely. Eve cannot get the quantum message with authentication if she cannot break the related QPKE scheme. So it seems hard for her to break the integrity of the quantum message.
In our framework of digital signature, if Eve wants to forge the signature of Alice, she must capture the number $r_B$ and find $(r, r')$ satisfying $f(r, r') = (r_B, \cdot)$. However, this implies that she can invert the trapdoor one-way function $f$. So the security of the digital signature is ensured by the trapdoor one-way function $f$.

6. Discussions
(1) In the framework of QPKE, given the random number $r$ or the trapdoor information $s$ of $f(m,r)$, the transformation from the cipher state $\sum_m \alpha_m |g(m,r)\rangle|f(m,r)\rangle$ to the plaintext state $\sum_m \alpha_m |m\rangle$ can be completed efficiently. Both $r$ and $s$ are trapdoors of the induced trapdoor OWQT $U_{fg}(r)$. Moreover, it can be concluded within the framework that, as the encryption algorithm is one with a random number, the disentanglement in the decryption is a process of extracting the pure state from the received mixed state.
(2) If the message to be encrypted is $\sum_m \alpha_m |m\rangle$, and only one of the $\alpha_m$ is 1 while the others are 0, the QPKE protocols above degenerate into the corresponding classical PKE protocols respectively.
(3) The encryption transformations in this paper are trace-preserving quantum operations to Bob and Eve, which are induced from the classical functions $g(m,r)$ and $f(m,r)$. So our protocols can be regarded as ones constructed via trace-preserving quantum operations.

(4) Our QPKE schemes are designed to encrypt the quantum message $\sum_m \alpha_m |m\rangle$. However, if we regard the number $r$ involved as a classical message to be encrypted, the QPKE schemes can also transmit classical information by sending quantum states, so this kind of QPKE scheme can also be called a quantum envelope. In addition, since the attacks on the classical McEliece PKE, such as the Korzhik-Turkin attack [19], the message-resend attack and the related-message attack [20], fail against the quantum McEliece PKE, we believe it is more secure to transmit classical information via the quantum McEliece PKE than via the classical McEliece PKE.
(5) It can be seen that our QPKE schemes are computationally secure. The protocols in Sec. 4.1 base their security on the factoring problem or the discrete logarithm problem, so they are not secure in the post-quantum era. However, since the protocols in Sec. 4.2 base their security on the hardness of different NP-complete problems, we conjecture that they are secure against quantum attacks.

7. Conclusions
Induced trapdoor OWQT has been introduced, and a theoretical framework of QPKE based on it has been proposed. Seven QPKE protocols are given within this framework, namely quantum versions of the RSA, ElGamal, Goldwasser-Micali, elliptic curve, McEliece, Niederreiter and Okamoto-Tanaka-Uchiyama PKE. These QPKE protocols for quantum message are shown to be at least as secure as their classical counterparts. The last three protocols may be secure under the assumption that NP-complete problems cannot be solved efficiently with quantum algorithms. Besides, theoretical frameworks for public-key authentication and signature of quantum message are also proposed. A public-key authentication protocol and two digital signature protocols are given as their instances.

Acknowledgements
This work was supported by the National Natural Science Foundation of China under Grant No.

References
[1] P. Shor, Algorithms for quantum computation: discrete logarithms and factoring. 35th Annual Symposium on Foundations of Computer Science (1994).

[2] C. H. Bennett, E. Bernstein, G. Brassard, and U. Vazirani, Strengths and weaknesses of quantum computing. SIAM Journal on Computing 26(5) (1997).
[3] T. Okamoto, K. Tanaka, and S. Uchiyama, Quantum public-key cryptosystems. Advances in Cryptology.
[4] D. Gottesman and I. Chuang, Quantum Digital Signatures. e-print arXiv: quant-ph/
[5] A. Kawachi, T. Koshiba, H. Nishimura, and T. Yamakami, Computational indistinguishability between quantum states and its cryptographic application. Advances in Cryptology - EUROCRYPT 2005.
[6] G. Nikolopoulos, Applications of single-qubit rotations in quantum public-key cryptography. Physical Review A 77(3) (2008).
[7] F. Gao, Q. Y. Wen, S. J. Qin, and F. C. Zhu, Quantum asymmetric cryptography with symmetric keys. Science in China Series G: Physics, Mechanics and Astronomy 52(12) (2009).
[8] J. Y. Pan and L. Yang, Quantum Public-Key Encryption with Information Theoretic Security. e-print arXiv:
[9] L. Yang, A public-key cryptosystem for quantum message transmission. Proceedings of the SPIE - The International Society for Optical Engineering 5631(1) (2005). (Also see e-print arXiv: quant-ph/ )
[10] R. McEliece, A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42(44) (1978).
[11] H. Barnum, C. Crepeau, D. Gottesman, A. Smith, and A. Tapp, Authentication of Quantum Messages. e-print arXiv: quant-ph/
[12] L. Yang, L. Hu, and D. G. Feng, Quantum message authentication based on classical NP-complete problem. e-print arXiv: quant-ph/
[13] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2) (1978).

[14] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4) (1985).
[15] S. Goldwasser and S. Micali, Probabilistic encryption. Journal of Computer and System Sciences 28(2) (1984).
[16] N. Koblitz, Elliptic curve cryptosystems. Mathematics of Computation 48(177) (1987).
[17] H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory 15(2) (1986).
[18] R. Safavi-Naini and J. Seberry, Error-correcting codes for authentication and subliminal channels. IEEE Transactions on Information Theory 37(1) (1991).
[19] V. Korzhik and A. Turkin, Cryptanalysis of McEliece's public-key cryptosystem. Advances in Cryptology - EUROCRYPT.
[20] T. Berson, Failure of the McEliece public-key cryptosystem under message-resend and related-message attack. Advances in Cryptology - CRYPTO 1997.
[21] H. M. Sun, Improving the security of the McEliece public-key cryptosystem. Advances in Cryptology - ASIACRYPT.


A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

Introduction to Information Security

Introduction to Information Security Introuction to Inforation Security Lecture : Classical Ciphers 007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Inforation an Counications University Contents 1. History of cryptographic research.

More information

Lecture 21. Interior Point Methods Setup and Algorithm

Lecture 21. Interior Point Methods Setup and Algorithm Lecture 21 Interior Point Methods In 1984, Kararkar introduced a new weakly polynoial tie algorith for solving LPs [Kar84a], [Kar84b]. His algorith was theoretically faster than the ellipsoid ethod and

More information

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme

More information

Gurgen Khachatrian Martun Karapetyan

Gurgen Khachatrian Martun Karapetyan 34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian

More information

Entangling characterization of (SWAP) 1/m and Controlled unitary gates

Entangling characterization of (SWAP) 1/m and Controlled unitary gates Entangling characterization of (SWAP) / and Controlled unitary gates S.Balakrishnan and R.Sankaranarayanan Departent of Physics, National Institute of Technology, Tiruchirappalli 65, India. We study the

More information

Quantum secret sharing based on quantum error-correcting codes

Quantum secret sharing based on quantum error-correcting codes Quantum secret sharing based on quantum error-correcting codes Zhang Zu-Rong( ), Liu Wei-Tao( ), and Li Cheng-Zu( ) Department of Physics, School of Science, National University of Defense Technology,

More information