  • Open access
  • Published: 10 December 2021

A quantum encryption design featuring confusion, diffusion, and mode of operation

  • Zixuan Hu 1 , 2 &
  • Sabre Kais 1 , 2  

Scientific Reports volume 11, Article number: 23774 (2021)

  • Quantum information
  • Quantum physics

Quantum cryptography, the application of quantum information processing and quantum computing techniques to cryptography, has been extensively investigated. Two major directions of quantum cryptography are quantum key distribution (QKD) and quantum encryption, with the former focusing on secure key distribution and the latter focusing on encryption using quantum algorithms. In contrast to the success of the QKD, the development of quantum encryption algorithms is limited to designs of mostly one-time pads (OTP) that are unsuitable for most communication needs. In this work we propose a non-OTP quantum encryption design utilizing a quantum state creation process to encrypt messages. As essentially a non-OTP quantum block cipher, the method stands out against existing methods with the following features: (1) complex key-ciphertext relation (i.e. confusion) and complex plaintext-ciphertext relation (i.e. diffusion); (2) mode of operation design for practical encryption on multiple blocks. These features provide key reusability and protection against eavesdropping and standard cryptanalytic attacks.

Introduction

Cryptography—the study of secure communication in the presence of eavesdropping adversaries—is an important application of classical computing and information processing. Inspired by the rapid progress in both theory and experiment, the application of quantum computing and information processing techniques to cryptography has been extensively investigated [1, 2, 3, 4]. A prominent example is the potential of Shor’s factorization algorithm [5] to break the most widely used public-key encryption system. Facing this challenge, classical cryptography is considering post-quantum cryptographic systems [6, 7] that are secure against current and future quantum algorithms. On the other hand, the emergence of cryptographic systems based on quantum technologies has led to the burgeoning field of quantum cryptography. Currently there are two major directions of quantum cryptography: quantum key distribution (QKD) and quantum encryption algorithms. The QKD [2, 3, 8, 9, 10, 11] focuses on secure key generation and distribution by exploiting quantum phenomena such as the probabilistic nature of quantum measurement and the non-locality of entanglement. The development of the QKD has successfully produced widely accepted key-distribution protocols such as the BB84 [3]. Note that the QKD only processes the keys while the encryption process, decryption process, and the communication process have to use established classical algorithms and channels. A notable derivation of the QKD, the quantum secure direct communication (the QSDC) [12, 13, 14, 15, 16], also exploits quantum measurement and entanglement to establish a secure quantum channel, which is then used to send direct messages without involving any encryption process. Here we see that neither the QKD nor the QSDC attempts to encrypt messages with quantum techniques, and that is the area covered by quantum encryption.

Quantum encryption algorithms use quantum computing techniques to encrypt messages (classical or quantum) into quantum states that are communicated to and decrypted by the recipient. In contrast to the well accepted success of the QKD, the development of quantum encryption algorithms is rather limited to designs [17, 18, 19] that are mostly quantum versions of the one-time pad (OTP). The OTP is an encryption scheme that ensures perfect secrecy [20] in the sense that the ciphertext (i.e. the encrypted message) provides no information at all on the plaintext (i.e. the original message) to any cryptanalytic attempt—which means the OTP is unbreakable even with infinite computational resources. However, a critical problem with using the OTP is that each original message requires a unique key of the same length as the message itself. As the key must be random and can never be re-used [20], the generation, transfer, and storage of an indefinite amount of keys for an OTP are difficult in practice, making the OTP not suitable for the majority of the communication needs of the present day. Consequently most widely used encryption methods such as the symmetric encryption Advanced Encryption Standard (AES) [21] and the asymmetric encryption Rivest-Shamir-Adleman (RSA) [22] offer not perfect secrecy but practical secrecy [20]—i.e. breaking the encryption requires currently unrealistic computational resources. In this work we propose a new non-OTP quantum encryption design that utilizes a quantum state creation process to encrypt messages. Using a quantum state as the ciphertext, the quantum encryption offers an inherent level of protection against eavesdropping, because without the key any brute force measurement of the ciphertext state will collapse it into a random basis state. The non-readability of the ciphertext is a unique advantage of quantum encryption over classical methods where the ciphertext is just a bit string.

Next we introduce the concepts of confusion (complex key-ciphertext relation) and diffusion (complex plaintext-ciphertext relation) from classical cryptography into quantum encryption and propose a novel encryption process that creates both confusion and diffusion. This ensures that small differences in the plaintext lead to substantial changes in the ciphertext or vice versa, such that the inability of a potential adversary to analyze the ciphertext state is amplified. Finally, we introduce the concept of mode of operation from classical cryptography into quantum encryption to enable practical encryption on an arbitrary number of blocks of plaintexts. The mode of operation procedures developed for the quantum encryption design generalize the classical cipher block chaining (CBC) [23] to work with a quantum ciphertext by exploiting unique properties of quantum measurement and quantum superposition. The quantum mode of operation therefore has truly random or unreadable plaintext-altering materials that are impossible for the classical CBC mode. The adaptation of confusion, diffusion and mode of operation from classical cryptography into quantum cryptography not only provides key reusability and stronger security against standard cryptanalytic attacks but also establishes new design principles for the systematic development of quantum encryption methods which may lead to improved quantum cryptographic systems beyond the particular design of the current study.

Encrypting classical data with quantum states

The essence of any encryption method with practical secrecy is a reversible process whose computational cost strongly depends on a secret piece of information called the key. In this work we focus on the symmetric-key scenario where decryption uses the same key as encryption. Consider an n-bit classical plaintext. Practical secrecy is defined such that for the legitimate parties of the communication, Alice and Bob, who know the key, both encryption and decryption are computationally simple in the sense that the number of computational steps required is polynomial: i.e. \(O\left( {cn^{k} } \right)\) for some constants \(c\) and \(k\) such that \(cn^{k}\) is overwhelmingly smaller than \(2^{n}\). Meanwhile, for the adversary Eve, who does not know the key, both encryption and decryption are computationally hard in the sense that the number of computational steps required is exponential: i.e. much greater than \(O\left( {2^{n} } \right)\). To achieve this with quantum encryption, Alice starts with an n-qubit quantum state in the initial state \(\left| 0 \right\rangle^{ \otimes n}\). In the first step, Alice applies at most n Pauli-X gates to encode an n-bit classical plaintext into a quantum state plaintext: e.g. 00101 is coded into \(\left| {00101} \right\rangle\). In the second step, she applies a polynomial sequence of 1-qubit and 2-qubit elementary gates to transform the quantum plaintext into a quantum state that serves as the quantum ciphertext, and then sends it to Bob. The account of the polynomial sequence of elementary gates used by Alice is the key pre-shared with Bob, such that upon receiving the quantum ciphertext Bob can apply the inverse operations to recover the quantum plaintext. The classical plaintext can then be revealed by projection measurement on the quantum plaintext in the computational basis.

So far, without going into any detail of the encryption procedure, the process just described is not so different from a generalization of existing studies of quantum encryption [17, 18, 19, 24]; later, in “The quantum encryption with confusion and diffusion” and “Mode of operation”, we present the new quantum encryption design with confusion, diffusion, and mode of operation that provide key reusability and stronger security. However, here we first discuss certain security already provided by just considering the quantum nature of the ciphertext.

Firstly, note the fact that a quantum state ciphertext naturally contains more uncertainty than a classical ciphertext. For example a classical bit 0 (1) can be mapped to a qubit state \(\left| 0 \right\rangle\) ( \(\left| 1 \right\rangle\) ), which after a unitary operation becomes \(a_{1} \left| 0 \right\rangle + a_{2} \left| 1 \right\rangle\) ( \(a_{2}^{*} \left| 0 \right\rangle - a_{1}^{*} \left| 1 \right\rangle\) ), where \(\left| {a_{1} } \right|^{2} + \left| {a_{2} } \right|^{2} = 1\) . For encryption purpose a ciphertext in the form of \(a_{1} \left| 0 \right\rangle + a_{2} \left| 1 \right\rangle\) presents more difficulty to the eavesdropper Eve, because even if she has successfully intercepted the state \(a_{1} \left| 0 \right\rangle + a_{2} \left| 1 \right\rangle\) , without the key (i.e. the value of \(a_{1}\) ) she cannot reliably read the content of the ciphertext. In practice if we assume \(a_{1}\) can take N discrete values between 0 and 1, the uncertainty associated with it is typically far greater than 1 bit as \(N \gg 2\) . This difficulty for Eve is much more significant for a multi-qubit ciphertext state in which qubits are entangled with each other. This is because a brute-force measurement on the ciphertext state destroys the intricate dependencies among qubits and collapses the ciphertext into a simple state with all qubits in either \(\left| 0 \right\rangle\) or \(\left| 1 \right\rangle\) : such a state has little resemblance to either the ciphertext state or the plaintext. Consequently quantum encryption exploits the quantum phenomena of superposition and entanglement to produce a ciphertext that cannot even be read without the key. In comparison, a classical ciphertext is typically a bit-string with the same length as the plaintext, and it can be read and analyzed by Eve to gain information on the key and the plaintext.

Secondly, even if Eve is able to read the ciphertext—assuming the rare and avoidable scenario that Alice sends the same ciphertext state many times and Eve is able to gain statistical knowledge of it—it is still highly difficult for her to deduce the key or the plaintext from the ciphertext. The detail of this reasoning is presented in the Supplementary Information S1, where the quantum state complexity theory from our previous study [25] has been used. Furthermore, this compromising scenario of Alice sending the same copy of the ciphertext many times can be totally avoided by the confusion, diffusion, and mode of operation to be introduced in the following sections.

The quantum encryption with confusion and diffusion

So far we have seen two security features of using a quantum state as the ciphertext: the difficulty in reading the quantum ciphertext and the impossibility of deducing the key even if the quantum ciphertext is somehow known. These features, however, are not sufficient for a good encryption method: to provide reusability of keys and protection against standard cryptanalytic attacks we need to design an encryption with good confusion and diffusion [20]. Confusion means a complex relation between the ciphertext and the key such that it is difficult to deduce key properties by analyzing the patterns in ciphertexts. Classically, if one bit in the ciphertext depends on multiple parts of the key, confusion is provided. For our quantum encryption design, as the ciphertext cannot be measured deterministically, confusion can accordingly be defined as the statistics of measuring one qubit in the ciphertext state depending on multiple parts of the key. Diffusion means a complex relation between the plaintext and the ciphertext such that it is difficult to deduce plaintext properties by analyzing the patterns in ciphertexts or vice versa. Classically, if changing one bit in the plaintext (ciphertext) changes more than half of the bits in the ciphertext (plaintext), diffusion is provided. Again, since in our quantum encryption the ciphertext cannot be measured deterministically, diffusion can be defined as follows: changing the value of one qubit in the plaintext leads to changes in the statistics of measuring more than half of the qubits in the ciphertext. Note that the vice versa ciphertext-to-plaintext relation is not defined for the quantum case because it is impossible to create a proper ciphertext without knowing the plaintext and the key first.

We start with a basic encryption design where one unitary \(U_{i}\) with real parameters (for simplicity we assume all parameters in the following discussions are real, however the method can be generalized to have complex parameters) is applied to each qubit \(q_{i}\) of the plaintext, and no CNOT is applied. The key is then the collection \(\left\{ {U_{i} } \right\}\) where the order of \(U_{i}\) ’s is unimportant. Clearly this encryption does not provide either confusion or diffusion because the statistical pattern of measuring each qubit \(q_{i}\) of the ciphertext depends on only one part of the key \(U_{i}\) and only one qubit (the same \(q_{i}\) ) of the plaintext. For example suppose after this step in the ciphertext \(q_{1} = a_{1} \left| 0 \right\rangle_{1} + a_{2} \left| 1 \right\rangle_{1}\) and \(q_{2} = b_{1} \left| 0 \right\rangle_{2} + b_{2} \left| 1 \right\rangle_{2}\) , then the probability of measuring \(\left| 0 \right\rangle\) for \(q_{1}\) is \(p\left( {\left| 0 \right\rangle_{1} } \right) = a_{1}^{2}\) and the probability of measuring \(\left| 0 \right\rangle\) for \(q_{2}\) is \(p\left( {\left| 0 \right\rangle_{2} } \right) = b_{1}^{2}\) . If this key is reused many times, Eve would be able to deduce \(U_{1}\) and \(U_{2}\) by measuring the probability of outcomes for \(q_{1}\) and \(q_{2}\) of the ciphertext (the same for all other qubits). Now after this step if we apply \({\text{CNOT}}_{1 \to 2}\) (where \(1 \to 2\) means \(q_{1}\) is the control and \(q_{2}\) is the target), the 2-qubit state is:

then by simple calculation \(p\left( {\left| 0 \right\rangle_{1} } \right) = a_{1}^{2}\) still but \(p\left( {\left| 0 \right\rangle_{2} } \right) = a_{1}^{2} b_{1}^{2} + a_{2}^{2} b_{2}^{2}\) —we see that \(q_{2}\) gains a dependence on \(U_{1}\) in the sense that the probabilities of outcomes when measuring \(q_{2}\) depend on \(U_{1}\) after \({\text{CNOT}}_{1 \to 2}\) is applied. If we further apply \({\text{CNOT}}_{2 \to 3}\) to \(q_{3} = c_{1} \left| 0 \right\rangle_{3} + c_{2} \left| 1 \right\rangle_{3}\) , the 3-qubit state is:

then \(p\left( {\left| 0 \right\rangle_{1} } \right) = a_{1}^{2}\) , \(p\left( {\left| 0 \right\rangle_{2} } \right) = a_{1}^{2} b_{1}^{2} + a_{2}^{2} b_{2}^{2}\) , \(p\left( {\left| 0 \right\rangle_{3} } \right) = \left( {a_{1}^{2} b_{1}^{2} + a_{2}^{2} b_{2}^{2} } \right)c_{1}^{2} + \left( {a_{1}^{2} b_{2}^{2} + a_{2}^{2} b_{1}^{2} } \right)c_{2}^{2}\) —i.e. \(q_{3}\) gains dependences on both \(U_{1}\) and \(U_{2}\) . The results in Eqs. ( 1 ) and ( 2 ) reveal the effects of 1-qubit unitaries and CNOT’s from a cryptographic perspective:

Theorem 1. If the probabilities of outcomes when measuring a qubit depend on some 1-qubit unitaries applied to this or any other qubit, we say this qubit has dependences on these 1-qubit unitaries. Then a 1-qubit unitary creates dependences on its target qubit, and a CNOT causes the target qubit to gain all the dependences from the control qubit, while the control qubit retains all its dependences.

Proof of Theorem 1

Suppose \(q_{1}\) is one qubit in a general n -qubit state \(\phi^{\left( n \right)}\) , the Schmidt decomposition of \(\phi^{\left( n \right)}\) with respect to \(q_{1}\) is:

where \(\phi_{1}^{{\left( {n - 1} \right)}}\) and \(\phi_{2}^{{\left( {n - 1} \right)}}\) are orthogonal, and therefore \(p\left( {\left| 0 \right\rangle_{1} } \right) = C_{1}^{2} a_{1}^{2} + C_{2}^{2} a_{2}^{2}\) : this means \(q_{1}\) depends on the pairs \(\left( {C_{1} ,C_{2} } \right)\) and \(\left( {a_{1} ,a_{2} } \right)\) that are created by previous quantum operations used to generate \(\phi^{\left( n \right)}\) . Now applying another unitary gate \(U = \left( {\begin{array}{*{20}c} {u_{1} } & {u_{2} } \\ {u_{2} } & { - u_{1} } \\ \end{array} } \right)\) to \(q_{1}\) we get:

where \(p\left( {\left| 0 \right\rangle_{1} } \right) = C_{1}^{2} \left( {a_{1} u_{1} + a_{2} u_{2} } \right)^{2} + C_{2}^{2} \left( {a_{2} u_{1} - a_{1} u_{2} } \right)^{2}\) , so indeed \(q_{1}\) has gained dependence on \(U\) . Note that for any \(U\) , \(\left( {a_{1} u_{1} + a_{2} u_{2} } \right)\left| 0 \right\rangle_{1} + \left( {a_{1} u_{2} - a_{2} u_{1} } \right)\left| 1 \right\rangle_{1}\) is always orthogonal to \(\left( {a_{2} u_{1} - a_{1} u_{2} } \right)\left| 0 \right\rangle_{1} + \left( {a_{2} u_{2} + a_{1} u_{1} } \right)\left| 1 \right\rangle_{1}\) , and thus the probabilities of no qubit other than \(q_{1}\) are affected by \(U\) . Now suppose we further Schmidt-decompose \(\phi_{1}^{{\left( {n - 1} \right)}}\) and \(\phi_{2}^{{\left( {n - 1} \right)}}\) in Eq. ( 3 ) with respect to another qubit \(q_{2}\) :

where \(\langle \phi_{11}^{(n - 2)} | \phi_{12}^{(n - 2)} \rangle = \langle \phi_{21}^{(n - 2)} | \phi_{22}^{(n - 2)} \rangle = 0\), and then we can calculate the probability: \(p\left( {\left| 0 \right\rangle_{2} } \right) = C_{1}^{2} \left( {D_{11}^{2} b_{11}^{2} + D_{12}^{2} b_{12}^{2} } \right) + C_{2}^{2} \left( {D_{21}^{2} b_{21}^{2} + D_{22}^{2} b_{22}^{2} } \right)\). We see that \(q_{1}\) and \(q_{2}\) share a dependence on the pair \(\left( {C_{1} ,C_{2} } \right)\) but the dependence on \(\left( {a_{1} ,a_{2} } \right)\) is unique to \(q_{1}\). Now apply \({\text{CNOT}}_{1 \to 2}\) to \(\phi^{\left( n \right)}\):

After some algebra we obtain:

where we see that \(q_{2}\) has gained dependence on the pair \(\left( {a_{1} ,a_{2} } \right)\), which was originally unique to \(q_{1}\). Because the form of \(\phi^{\left( n \right)}\) in Eq. (3) is entirely general, \(q_{1}\)’s dependence on \(\left( {a_{1} ,a_{2} } \right)\) can be understood as a package including all its dependences gained in the process of creating \(\phi^{\left( n \right)}\)—through either 1-qubit unitaries applied to \(q_{1}\) or CNOT’s applied to \(q_{1}\) as the target. Equation (7) shows that by a single \({\text{CNOT}}_{1 \to 2}\) all \(q_{1}\)’s dependences packaged in \(\left( {a_{1} ,a_{2} } \right)\) are created on \(q_{2}\). It is trivial to see that \(q_{1}\) still retains its dependences. This concludes the proof for Theorem 1. Note that the dependences created on \(q_{2}\) are not the same as those on \(q_{1}\)—the probabilities indeed depend on the same unitaries, but the exact forms are different. Theorem 1 is significant in that it allows us to create new probability dependences with 1-qubit unitaries on selective qubits and then efficiently pass them on to other qubits by CNOT gates. In the following we show how to use this result to design an encrypting process with good confusion and diffusion properties.

The encrypting process with good confusion and diffusion:

Start with an n- qubit plaintext where each qubit \(q_{i}\) is either \(\left| 0 \right\rangle\) or \(\left| 1 \right\rangle\) .

Step 1 : Apply a 1-qubit unitary \(U_{i}\) to each qubit \(q_{i}\) and create the initial dependence of each \(q_{i}\) to its corresponding \(U_{i}\) . This is the basic key design mentioned earlier. If each \(U_{i}\) is defined by a real parameter that can take N discrete values, there are totally \(N^{n}\) possibilities that contribute to key size. This step costs n \(U_{i}\) gates.

Step 2 : Apply \({\text{CNOT}}_{i \to i + 1}\) sequentially for \(i = 1{\text{ to }}n - 1\) : i.e. \({\text{CNOT}}_{1 \to 2}\) first, then \({\text{CNOT}}_{2 \to 3}\) , then \({\text{CNOT}}_{3 \to 4}\) ,…, finally \({\text{CNOT}}_{n - 1 \to n}\) . By Theorem 1 , the \({\text{CNOT}}_{1 \to 2}\) causes \(q_{2}\) to gain the dependence on \(U_{1}\) from \(q_{1}\) , and then \({\text{CNOT}}_{2 \to 3}\) causes \(q_{3}\) to gain all the dependences from \(q_{2}\) that include both \(U_{2}\) from \(q_{2}\) itself and \(U_{1}\) that \(q_{2}\) has just gained from \(q_{1}\) . In such a snowball process, each further \({\text{CNOT}}_{k \to k + 1}\) causes \(q_{k + 1}\) to gain dependences on all the \(U_{i}\) ’s for \(i \le k\) . After this step each \(q_{i}\) with \(i > \frac{n}{2}\) ( n even) or \(i > \left( {\frac{n + 1}{2}} \right)\) ( n odd) has gained dependences on more than half of the \(U_{i}\) ’s. We remark that the order of the application of the \({\text{CNOT}}_{i \to i + 1}\) gates is important: if we apply \({\text{CNOT}}_{2 \to 3}\) before \({\text{CNOT}}_{1 \to 2}\) , \(q_{2}\) has not gained the dependence on \(U_{1}\) from \(q_{1}\) yet and thus \(q_{3}\) will not gain that dependence either. Applying \({\text{CNOT}}_{2 \to 3}\) before \({\text{CNOT}}_{1 \to 2}\) is therefore less efficient than applying \({\text{CNOT}}_{2 \to 3}\) after \({\text{CNOT}}_{1 \to 2}\) as the latter can pass more dependences from \(q_{2}\) to \(q_{3}\) . This step costs \(n - 1\) CNOT gates.

Step 3: When n is even, for each \(q_{i}\) with \(i > \frac{n}{2}\) (the downstream qubits), randomly assign a different \(q_{k}\) with \(k \le \frac{n}{2}\) (the upstream qubits), such that all the qubits are paired. When n is odd, disregard the \(\left( {\frac{n + 1}{2}} \right)\)th qubit and pair the remaining even number of \(\left( {n - 1} \right)\) qubits as just described. Apply \({\text{CNOT}}_{i \to k}\) for each pair such that the upstream \(q_{k}\) gains all the dependences from the downstream \(q_{i}\). After Step 2 each downstream \(q_{i}\) with \(i > \frac{n}{2}\) (n even) or \(i > \left( {\frac{n + 1}{2}} \right)\) (n odd) depends on more than half of the \(U_{i}\)’s, and in Step 3 by the \({\text{CNOT}}_{i \to k}\) gates these downstream qubits pass all their dependences to the corresponding upstream qubits. Consequently after Step 3 each one of the upstream qubits will have gained dependences on more than half of the \(U_{i}\)’s, and this complex relation between the ciphertext and the key provides confusion as defined earlier. The process that gets all qubits into pairs has \(\left( \frac{n}{2} \right)!\) (n even) or \(\left( {\frac{n - 1}{2}} \right)!\) (n odd) possibilities that contribute to key size. This step costs \(\frac{n}{2}\) CNOT gates.

Step 4: Now to achieve diffusion defined earlier we want the property that changing the value of one qubit in the plaintext changes the statistics of measuring more than half of the qubits in the ciphertext. Suppose a qubit \(q_{j}\) is \(\left| 0 \right\rangle\) in the plaintext, after \(U_{j}\) in Step 1 it becomes \(a_{1} \left| 0 \right\rangle_{j} + a_{2} \left| 1 \right\rangle_{j}\) and \(p\left( {\left| 0 \right\rangle_{1} } \right) = a_{1}^{2}\). If the plaintext \(q_{j}\) is changed to \(\left| 1 \right\rangle\) then after \(U_{j}\) it becomes \(a_{2} \left| 0 \right\rangle_{j} - a_{1} \left| 1 \right\rangle_{j}\) and \(p\left( {\left| 0 \right\rangle_{1} } \right) = a_{2}^{2}\), so the dependence of \(q_{j}\) on \(U_{j}\) has changed. In addition, although the minus sign in \(a_{2} \left| 0 \right\rangle_{j} - a_{1} \left| 1 \right\rangle_{j}\) does not immediately have an effect on probabilities, it can change how the subsequent qubits depend on \(U_{j}\) after Steps 2 and 3. Hence we see that a value change in one qubit \(q_{j}\) in the plaintext will affect all the ciphertext qubits that have gained dependences from \(q_{j}\). This means that any upstream qubit \(q_{k}\) with \(k \le \frac{n}{2}\) already has diffusion after Step 2, because all the downstream qubits in the ciphertext (more than half of all qubits) have gained dependences from \(q_{k}\). On the other hand the downstream qubits do not yet have diffusion after Step 2: e.g. no other qubit is dependent on \(q_{n}\) because it is at the end of the chain of control in Step 2. Now to create diffusion in the downstream qubits, we just need to use these qubits as control and apply CNOT gates to random qubits as targets (these can be either upstream or downstream) until on average more than half of all qubits have gained dependences from any qubit.
For example, two qubits have gained dependences from the last qubit \(q_{n}\) after Step 3: \(q_{n}\) itself and the qubit assigned to pair with \(q_{n}\), thus we need to apply at most \(\frac{n}{2} - 2\) CNOT gates using \(q_{n}\) as the control to pass \(q_{n}\)’s dependences to half of all qubits. The actual CNOT gates required may be fewer than \(\frac{n}{2} - 2\) because we can first pass \(q_{n}\)’s dependences to another downstream qubit such as \(q_{n - 2}\), and then any CNOT gate using \(q_{n - 2}\) as the control will also pass \(q_{n}\)’s dependences to the target. In fact, an example of a very efficient implementation is as shown in Step 4 of Fig. 1 to apply a series of CNOT gates running alternately through the downstream and upstream qubits, where the target qubit of the previous CNOT serves as the control qubit of the next CNOT: e.g. \({\text{CNOT}}_{n \to 1}\) first, then \({\text{CNOT}}_{1 \to n - 1}\), then \({\text{CNOT}}_{n - 1 \to 2}\), then \({\text{CNOT}}_{2 \to n - 2}\), …, finally \({\text{CNOT}}_{n/2 \to n/2 + 1}\). By Theorem 1 it is easy to verify that this implementation guarantees more than half of all qubits have gained dependences from any downstream qubit. Unlike the previous steps, Step 4 allows greater freedom in the key design and the exact evaluation of the contribution to key size and gate cost is impossible. However, for the particular implementation just described, the order of the upstream qubits can be any permutation and thus there are \(\left( \frac{n}{2} \right)!\) possibilities that contribute to key size. This implementation costs n CNOT gates.

Figure 1

Graphical illustration of the encrypting process with an 8-qubit example. The circles with numbers inside represent the qubits. The arrows represent CNOT gates for which each arrow begins at the control qubit and points to the target qubit. The numbers on the arrows indicate the order in which the CNOT gates are applied within the current step. Step 1: apply a 1-qubit \(U_{i}\) to each qubit \(q_{i}\). Step 2: apply \({\text{CNOT}}_{i \to i + 1}\) sequentially for \(i = 1{\text{ to }}n - 1\); this step causes the downstream qubits 5–8 to gain dependences on more than half of the \(U_{i}\)’s. Step 3: use the downstream qubits 5–8 as controls and the upstream qubits 1–4 as targets to apply CNOT gates; one example out of the \(\left( \frac{n}{2} \right)!\) possible ways the qubits are paired is shown. The CNOT gates in this step all commute so the order is unimportant. After this step confusion is achieved. Step 4: with the general goal of achieving diffusion, this step has great freedom. In the particular example shown here, a series of CNOT gates run alternately between the downstream and upstream qubits. After this step diffusion is achieved.

Step 4 concludes the ciphertext creation process. A graphical illustration of the four steps of encryption is drawn in Fig. 1 . The account of all the unitaries and CNOT gates used is the key shared with the recipient, who can then recover the plaintext by reversing all the gates.

Through the description and analysis of the encrypting process, we can see that our quantum encryption design supports efficient implementation with \(O\left( n \right)\) gates and large key size with at least \(O\left( {N^{n} \left( \frac{n}{2} \right)!} \right)\) possible variations. More importantly the design has provable confusion and diffusion that makes the key reusable while protecting against common cryptanalytic attacks. A worked-out 4-qubit example of the encryption process can be found in the Supplementary Information ( S2 ).

Mode of operation

The quantum encryption described so far is a block cipher where each block of message containing n bits of classical information is encrypted into a quantum state of n qubits. Similar to the classical counterpart, the quantum block cipher also requires a mode of operation to ensure that different ciphertexts (blocks) are generated even with the same plaintext and key used. This feature together with diffusion allows the key to be reused many times to securely transmit large amounts of information. Our mode of operation is inspired by the classical cipher block chaining (CBC) [23]. In the CBC mode a randomly chosen n-bit initialization vector (IV) is XORed (\(\oplus\)) with the plaintext \(P_{1}\) of the first block, and the encrypting algorithm then works on \({\text{IV}} \oplus P_{1}\) to produce the first ciphertext \(C_{1}\). Next \(C_{1}\) is XORed with the plaintext \(P_{2}\) of the second block before it is encrypted into \(C_{2}\). This process is repeated many times, where each time the plaintext \(P_{i}\) of the current block is XORed with the ciphertext \(C_{i - 1}\) of the previous block before getting encrypted into the ciphertext \(C_{i}\) of the current block:

where \(E_{K} \left( {} \right)\) is the encrypting function with the key K . To generalize the CBC to our quantum encryption, the ciphertext here is a quantum state that cannot be directly XORed with the plaintext of the following block, and in the following we propose two different modes to solve this problem.

In the first mode, shown in Fig. 2, after the first ciphertext state \(\left| {C_{1} } \right\rangle\) has been created by \(\left| {C_{1} } \right\rangle = E_{K} \left( {P_{1} \oplus {\text{IV}}} \right)\), we create an additional copy of \(\left| {C_{1} } \right\rangle\) and measure it in the computational basis \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle } \right\}\). This collapses the copy of \(\left| {C_{1} } \right\rangle\) into a classical bit string \(M\left( {\left| {C_{1} } \right\rangle } \right)\), which can then be XORed with the plaintext of the following block to produce \(P_{2} \oplus M\left( {\left| {C_{1} } \right\rangle } \right)\). We then encrypt this with \(E_{K} \left( {P_{2} \oplus M\left( {\left| {C_{1} } \right\rangle } \right)} \right) = \left| {C_{2} } \right\rangle\) and send the recipient both \(M\left( {\left| {C_{1} } \right\rangle } \right)\) and \(\left| {C_{2} } \right\rangle\). Repeating this process iteratively, we have the general procedure:

where \(M\left( {\left| {C_{i - 1} } \right\rangle } \right)\) is the measurement result on the extra copy of \(\left| {C_{i - 1} } \right\rangle\). When the recipient has received \(M\left( {\left| {C_{i - 1} } \right\rangle } \right)\) and \(\left| {C_{i} } \right\rangle\) for each block after the first one, he decrypts with \(E_{K}^{ - 1} \left( {\left| {C_{i} } \right\rangle } \right) = P_{i} \oplus M\left( {\left| {C_{i - 1} } \right\rangle } \right)\), and then XORs the result with \(M\left( {\left| {C_{i - 1} } \right\rangle } \right)\) such that \(P_{i} = P_{i} \oplus M\left( {\left| {C_{i - 1} } \right\rangle } \right) \oplus M\left( {\left| {C_{i - 1} } \right\rangle } \right)\) is recovered.

Figure 2. The first mode of operation mechanism shown with a 3-block example. In each iteration after the first one, the extra copy of the ciphertext state \(\left| {C_{i - 1} } \right\rangle\) is measured into a classical bit string \(M\left( {\left| {C_{i - 1} } \right\rangle } \right)\) that is then XORed with the plaintext \(P_{i}\).
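A classical statevector simulation of the first mode, added here as an illustration and not code from the paper. `toy_key` is a hypothetical stand-in for the key (a small RY/CNOT circuit, not the paper's encryption procedure), and the 4-qubit block size, IV and plaintexts are constructed values; the simulation shows Alice chaining on measured bit strings and Bob recovering each block from the ciphertext states plus the public strings.

```python
import math
import random

N = 4  # qubits per block (constructed toy size)

def apply_ry(state, q, theta):
    """Rotate qubit q about Y by theta; this is what puts |C> in superposition."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    out = state[:]
    for i in range(len(state)):
        if not (i >> q) & 1:
            j = i | (1 << q)
            out[i] = c * state[i] - s * state[j]
            out[j] = s * state[i] + c * state[j]
    return out

def apply_cnot(state, ctrl, tgt):
    """Flip qubit tgt on every basis state whose ctrl bit is 1."""
    out = state[:]
    for i in range(len(state)):
        if (i >> ctrl) & 1:
            out[i ^ (1 << tgt)] = state[i]
    return out

def toy_key(seed):
    """Hypothetical stand-in key: a gate list (two layers of RY plus a CNOT ring)."""
    rng = random.Random(seed)
    gates = []
    for _ in range(2):
        gates += [("ry", q, rng.uniform(0.3, 2.8)) for q in range(N)]
        gates += [("cx", q, (q + 1) % N) for q in range(N)]
    return gates

def run(state, gates):
    for kind, a, b in gates:
        state = apply_ry(state, a, b) if kind == "ry" else apply_cnot(state, a, b)
    return state

def encrypt(key, bits):
    """E_K: encode the n-bit integer as |bits>, then apply the key's gates."""
    state = [0j] * (1 << N)
    state[bits] = 1 + 0j
    return run(state, key)

def decrypt(key, state):
    """E_K^-1: inverse gates in reverse order, then read the basis state."""
    inverse = [(k, a, -b) if k == "ry" else (k, a, b) for k, a, b in reversed(key)]
    probs = [abs(x) ** 2 for x in run(state, inverse)]
    best = max(range(len(probs)), key=probs.__getitem__)
    if probs[best] < 1 - 1e-9:
        raise ValueError("state is not a valid ciphertext under this key")
    return best

def measure(state, rng):
    """Computational-basis measurement of a copy: sample i with prob |amp_i|^2."""
    r, acc = rng.random(), 0.0
    for i, amp in enumerate(state):
        acc += abs(amp) ** 2
        if r < acc:
            return i
    return len(state) - 1

def overlap(a, b):
    """|<a|b>|^2: 1 for identical states, 0 for orthogonal ones."""
    return abs(sum(x.conjugate() * y for x, y in zip(a, b))) ** 2

def mode1_encrypt(key, iv, blocks, rng):
    """Returns (ciphertext states, public strings M(|C_1>) .. M(|C_{k-1}>))."""
    states, public, chain = [], [], iv
    for p in blocks:
        c = encrypt(key, p ^ chain)
        states.append(c)
        chain = measure(c, rng)        # Alice measures her extra copy of |C_i>
        public.append(chain)
    return states, public[:-1]         # the last measurement is never needed

def mode1_decrypt(key, iv, states, public):
    """Bob: invert E_K on each state, then XOR with IV or M(|C_{i-1}>)."""
    chain = [iv] + public
    return [decrypt(key, c) ^ m for c, m in zip(states, chain)]

if __name__ == "__main__":
    key, iv = toy_key(seed=7), 0b1001          # constructed key and IV
    blocks = [0b0101, 0b0101, 0b0101]          # same plaintext three times
    states, public = mode1_encrypt(key, iv, blocks, random.SystemRandom())
    print("public chain values:", [format(m, "04b") for m in public])
    print("overlap |C1>,|C2>:", round(overlap(states[0], states[1]), 6))
    print("recovered:", [format(p, "04b") for p in mode1_decrypt(key, iv, states, public)])
```

Because the simulated \(E_{K}\) is unitary, two blocks whose chained inputs differ give orthogonal ciphertext states (overlap 0). If a measurement happens to return the previous chaining value, a repeated plaintext block encrypts to the same state (overlap 1).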

In the second mode shown in Fig.  3 , after the first ciphertext state has been created by \(\left| {C_{1} } \right\rangle = E_{K} \left( {P_{1} \oplus {\text{IV}}} \right)\) , we use the qubits of \(\left| {C_{1} } \right\rangle\) as controls to apply CNOT gates to the qubits of the following plaintext. Each qubit on \(\left| {C_{1} } \right\rangle\) as the control is paired with a different qubit on the following plaintext as the target. For simplicity, the same pairing plan that specifies which qubit of the current ciphertext state controls which target qubit of the next plaintext can be used for each iteration. Repeat this process iteratively:

where \({\text{CNOT}}\left( {\left| {C_{i - 1} } \right\rangle \to \left| P \right\rangle_{i} } \right)\) represents the altered plaintext after each qubit on the ciphertext state \(\left| {C_{i - 1} } \right\rangle\) as the control has applied a CNOT to a different qubit on the plaintext state \(\left| P \right\rangle_{i}\) as the target. When the recipient has received \(\left| {C_{i - 1} } \right\rangle\) and \(\left| {C_{i} } \right\rangle\) for each block after the first one, he decrypts with \(E_{K}^{ - 1} \left( {\left| {C_{i} } \right\rangle } \right) = {\text{CNOT}}\left( {\left| {C_{i - 1} } \right\rangle \to \left| P \right\rangle_{i} } \right)\) to get the altered plaintext, and then uses the qubits of \(\left| {C_{i - 1} } \right\rangle\) as controls to apply CNOT gates on the qubits of the altered plaintext to recover \(\left| P \right\rangle_{i}\).

Figure 3. The second mode of operation mechanism shown with a 3-block example. In each iteration after the first one, each qubit on the ciphertext state \(\left| {C_{i - 1} } \right\rangle\) as the control applies a CNOT to a different qubit on the plaintext state \(\left| P \right\rangle_{i}\) as the target.

Compared to the classical CBC, both quantum modes of operation have additional security because the material used to alter the plaintext for each iteration after the first one is not simply the ciphertext of the last block that is revealed to Eve. For the first mode, the bit string \(M\left( {C_{i - 1} } \right)\) for each iteration is generated with the truly random process of quantum measurement (as compared to pseudo-random number generation in classical computing) on the previous ciphertext state. For the second mode, all \(\left| {C_{i - 1} } \right\rangle\) ’s are quantum states that cannot be reliably read. Furthermore, in the second mode the pairing plan of which qubit on the \(\left| {C_{i - 1} } \right\rangle\) controls which qubit on the next plaintext can be pre-shared as additional parts of the key—which has \(n!\) complexity. Both quantum modes of operation ensure different ciphertexts are generated even with the same plaintext and key used. Now comparing the two designs, the first mode is much easier to implement because each \(M\left( {C_{i - 1} } \right)\) as in Eq. ( 9 ) is a classical object and its XOR operation with the next plaintext is classical. On the other hand the second mode requires the ability to use the ciphertext state to control the next plaintext, which means more sophisticated quantum operations at both the encryption and the decryption ends. As a tradeoff the first design requires an additional classical channel to transmit the bit string \(M\left( {C_{i - 1} } \right)\) for each iteration (note this channel does not need to be secure because the bit string used to alter the plaintext in a mode of operation can be public without compromising security), while the second design only needs to pre-share two pieces of information: the initial IV and the pairing plan, and none other than the ciphertext is shared at the time of communication. 
Hence, the first design would be used when we prefer minimal quantum operations and have an additional non-secure classical channel available, while the second design would be used when we can afford more complex quantum operations and prefer to send a single ciphertext without additional channels. The increased key complexity through the pairing plan for the second design would also be a consideration.

The mode of operation together with the encryption process completes our description of the new quantum encryption design. In actual application, Alice will first encode the classical bit string into a quantum basis state (e.g. 00101 is coded into \(\left| {00101} \right\rangle\)), and then apply a sequence of quantum gates following the procedure in “The quantum encryption with confusion and diffusion” to create a quantum ciphertext. Note that the procedure in “The quantum encryption with confusion and diffusion” is only a guideline to ensure confusion and diffusion by the result of Theorem 1. In this sense Theorem 1 can be considered a foundational result that may inspire many other encryption procedures in addition to the particular one described in this work. Nonetheless, the procedure in “The quantum encryption with confusion and diffusion” already provides great freedom, with at least \(O\left( {N^{n} \left( \frac{n}{2} \right)!} \right)\) variations contributing to the key size if a brute force attack is attempted. On the other hand, the implementation cost of the procedure is only \(O\left( n \right)\) gates, which is very efficient. The ciphertext state can then be sent to Bob through an unsecure channel with possible eavesdropping by Eve. An account of the exact sequence of quantum gates applied by Alice is the key shared with Bob through a secure channel. Note that this can be done long before the actual communication happens, so it is harder for Eve to anticipate and attack. Upon receipt of the ciphertext state, Bob can apply the inverse quantum operations to recover the plaintext. After the first block of plaintext, additional blocks of plaintext can be encrypted with the mode of operation procedures described in “Mode of operation”, such that the statistics of the ciphertext state are further disguised.

The security of the quantum encryption design is provided by multiple mechanisms. Firstly, the use of a quantum state as the ciphertext makes it impossible for Eve to reliably read and analyze the ciphertext. This is a unique quantum advantage over classical methods, for which the ciphertext is just a bit string. In principle Eve could gain statistical knowledge of the ciphertext if the same one is sent many times, but this possibility is prevented by implementing one of the two quantum modes of operation. The two quantum modes of operation provide truly random or unreadable plaintext-altering materials depending on the mode of choice, and these are impossible for classical modes of operation. Having provable confusion and diffusion gives our method an additional layer of protection against potential cryptanalysis, because small changes in the plaintext lead to substantial changes in the ciphertext or vice versa. In contrast, knowing the key, the legitimate recipient Bob can easily reverse the encrypting process to generate the plaintext deterministically from the ciphertext, without the need to actually read the ciphertext. The unique situation that the ciphertext can lead to the plaintext deterministically while not being readable itself, together with features like confusion, diffusion, and mode of operation, makes our quantum encryption strongly resistant to cryptanalytic attacks. For example, the chosen-plaintext attack (CPA) and the chosen-ciphertext attacks (CCA1 and CCA2) require Eve to analyze a few plaintext-ciphertext pairs to gain knowledge of the key. With the ciphertext being unreadable, and the statistics being obscured by confusion, diffusion, and mode of operation, it is very difficult for Eve to extract information from a few plaintext-ciphertext pairs. In addition, eavesdropping by Eve on the ciphertext inevitably disturbs the quantum state such that the recipient Bob can detect such interception. For Bob to determine whether his measurement result is the correct message, the message disturbed by Eve, or the message corrupted by inherent system uncertainties (gate error, channel noise, etc.), multiple blocks of the same plaintext should be sent, thus establishing a protocol analogous to the repetition code for error-correcting purposes. As an interesting idea for future studies, the exact number of repetitions required for reliable communication should depend on the gate quality, channel quality, and key design.

In this work we have developed a quantum encryption design that utilizes a quantum state creation process to encrypt messages. By using a quantum state as the ciphertext and the creation procedure as the key, an inherent level of security is guaranteed by the statistical nature of quantum measurements as well as the complexity of the state creation process. We then introduce the concepts of confusion and diffusion from classical cryptography into quantum encryption and provide both features with a novel quantum encryption process. Finally we introduce the concept of mode of operation from classical cryptography into quantum encryption by proposing two modes of operation inspired by the classical CBC mode. The adaptation of confusion, diffusion and mode of operation from classical cryptography into quantum cryptography not only provides key reusability and stronger security against standard cryptanalytic attacks but also establishes new design principles for the systematic development of quantum encryption methods which may lead to improved quantum cryptographic systems beyond the particular design of the current study.

Data availability

No data is generated in this work.

References

1. Gisin, N. et al. Quantum cryptography. Rev. Mod. Phys. 74(1), 145–195 (2002).
2. Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67(6), 661–663 (1991).
3. Bennett, C. H. & Brassard, G. Quantum cryptography: Public key distribution and coin tossing. Theoret. Comput. Sci. 560, 7–11 (2014).
4. Pirandola, S. et al. Advances in quantum cryptography. Adv. Opt. Photon. 12(4), 1012–1236 (2020).
5. Shor, P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).
6. Bernstein, D. J. Introduction to post-quantum cryptography. In Post-quantum cryptography (eds Bernstein, D. J. et al.) 1–14 (Springer, Berlin, 2009).
7. Bernstein, D. J. & Lange, T. Post-quantum cryptography. Nature 549(7671), 188–194 (2017).
8. Bennett, C. H., Brassard, G. & Mermin, N. D. Quantum cryptography without Bell’s theorem. Phys. Rev. Lett. 68(5), 557–559 (1992).
9. Jennewein, T. et al. Quantum cryptography with entangled photons. Phys. Rev. Lett. 84(20), 4729–4732 (2000).
10. Xu, F. et al. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 92(2), 5002 (2020).
11. Yin, J. et al. Entanglement-based secure quantum cryptography over 1120 kilometres. Nature 582(7813), 501–505 (2020).
12. Long, G. L. & Liu, X. S. Theoretically efficient high-capacity quantum-key-distribution scheme. Phys. Rev. A 65(3), 032302 (2002).
13. Deng, F.-G., Long, G. L. & Liu, X.-S. Two-step quantum direct communication protocol using the Einstein–Podolsky–Rosen pair block. Phys. Rev. A 68(4), 2317 (2003).
14. Zhang, W. et al. Quantum secure direct communication with quantum memory. Phys. Rev. Lett. 118(22), 220501 (2017).
15. Zhou, L., Sheng, Y.-B. & Long, G.-L. Device-independent quantum secure direct communication against collective attacks. Sci. Bull. 65(1), 12–20 (2020).
16. Zhou, Z. et al. Measurement-device-independent quantum secure direct communication. Sci. China Phys. Mech. Astron. 63(3), 230362 (2019).
17. Boykin, P. O. & Roychowdhury, V. Optimal encryption of quantum bits. Phys. Rev. A 67(4), 042317 (2003).
18. Ambainis, A. et al. Private quantum channels. In Proceedings 41st Annual Symposium on Foundations of Computer Science (2000).
19. Hayden, P. et al. Randomizing quantum states: Constructions and applications. Commun. Math. Phys. 250(2), 371–391 (2004).
20. Shannon, C. E. Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949).
21. Nechvatal, J. et al. Report on the development of the advanced encryption standard (AES). J. Res. Nat. Inst. Stand. Technol. 106(3), 511–577 (2001).
22. Rivest, R. L., Shamir, A. & Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).
23. Bellare, M., Kilian, J. & Rogaway, P. The security of cipher block chaining. In Advances in Cryptology—CRYPTO ’94 (Springer Berlin Heidelberg, Berlin, Heidelberg, 1994).
24. Zhou, N. et al. Novel qubit block encryption algorithm with hybrid keys. Phys. A 375(2), 693–698 (2007).
25. Hu, Z. & Kais, S. Characterization of quantum states based on creation complexity. Adv. Quant. Technol. 1, 43 (2020).

Acknowledgements

The authors would like to acknowledge funding by the U.S. Department of Energy (Office of Basic Energy Sciences) under Award No. DE-SC0019215.

This article was funded by US Department of Energy (Grant no. DE-SC0019215).

Author information

Authors and affiliations.

Department of Chemistry, Purdue Quantum Science and Engineering Institute, Purdue University, West Lafayette, IN, 47907, USA

Zixuan Hu & Sabre Kais

Department of Physics, Purdue Quantum Science and Engineering Institute, Purdue University, West Lafayette, IN, 47907, USA


Contributions

Z.H. and S.K. conceived the quantum encryption design. Z.H. developed the theory and the encryption procedure. All authors were involved in discussing the results and writing the manuscript.

Corresponding author

Correspondence to Sabre Kais .

Ethics declarations

Competing interests.

The authors declare no competing interests.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .


About this article

Cite this article.

Hu, Z., Kais, S. A quantum encryption design featuring confusion, diffusion, and mode of operation. Sci Rep 11 , 23774 (2021). https://doi.org/10.1038/s41598-021-03241-8


Received : 03 May 2021

Accepted : 09 November 2021

Published : 10 December 2021

DOI : https://doi.org/10.1038/s41598-021-03241-8


This article is cited by

The unitary dependence theory for characterizing quantum circuits and states.

Communications Physics (2023)


This thesis focuses on the study of quantum authentication. The research begins with an introduction to classical cryptography and the limitations it faces in the modern computing era. It then explores the principles of quantum cryptography, highlighting its unique features that enable secure communication. The widely used BB84 protocol for quantum key distribution is examined in detail. The thesis also delves into the significance of authentication in ensuring data integrity and confidentiality. It discusses universal classes of hash functions and their role in generating message authentication codes for verifying message authenticity. The Wegman-Carter MAC scheme, a popular and secure authentication technique, is investigated, along with practical applications of authentication methods. Furthermore, the study explores quantum identity authentication, which employs quantum mechanics to achieve secure authentication in the presence of eavesdropping attacks. Two protocols, the Hong protocol and the Zawadzki protocol, are analyzed, comparing their strengths and weaknesses. Building upon existing protocols, a modification to the Zawadzki protocol is proposed. The modification enhances practicality, computational efficiency, resource utilization, and compatibility with existing infrastructure, without compromising security principles. To conclude, an experiment is conducted to assess the resilience of the proposed protocol against an intercept and resend attack.

This thesis has quantum authentication as its main subject. First, the research introduces classical cryptography and the limitations it faces in the era of modern computing. It then explores the principles of quantum cryptography, highlighting the features that enable secure communication. In particular, the BB84 protocol, widely used for quantum key distribution, is examined. Second, the thesis also addresses the importance of authentication in guaranteeing the integrity and confidentiality of data. Universal classes of hash functions and their role in generating message authentication codes to verify message authenticity are discussed. In particular, the Wegman-Carter scheme, a popular and secure authentication technique, is explained, together with practical applications of authentication methods. In addition, the study explores quantum authentication, which uses quantum mechanics to achieve secure authentication in the presence of attacks. Two protocols, the Hong protocol and the Zawadzki protocol, are analyzed, comparing their strengths and weaknesses. Building on the existing protocols, a modification to the Zawadzki protocol is proposed. The modification improves practicality, computational efficiency, resource utilization, and compatibility with existing infrastructure, without compromising security principles. Finally, an experiment is conducted to evaluate the resistance of the protocol against a particular attack.

Implementation and experimentation of a practical Quantum Identity Authentication protocol

Saracino, Cosimo Andrea


Reviews of Modern Physics


Quantum cryptography

Nicolas Gisin, Grégoire Ribordy, Wolfgang Tittel, and Hugo Zbinden, Rev. Mod. Phys. 74, 145 – Published 8 March 2002.


Quantum cryptography could well be the first application of quantum mechanics at the single-quantum level. The rapid progress in both theory and experiment in recent years is reviewed, with emphasis on open questions and technological issues.

DOI: https://doi.org/10.1103/RevModPhys.74.145

©2002 American Physical Society

Authors & Affiliations

  • Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland


Vol. 74, Iss. 1 — January - March 2002


Post-quantum cryptography and the quantum future of cybersecurity


Yale Graduate School of Arts and Sciences Dissertations

Hardware Architectures for Post-Quantum Cryptography

Wen Wang, Yale University Graduate School of Arts and Sciences

Date of Award

Spring 2021

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Electrical Engineering (ENAS)

First Advisor

Szefer, Jakub

The rapid development of quantum computers poses severe threats to many commonly-used cryptographic algorithms that are embedded in different hardware devices to ensure the security and privacy of data and communication. In the search for new solutions that are potentially resistant against attacks from quantum computers, a new research field called Post-Quantum Cryptography (PQC) has emerged, that is, cryptosystems deployed in classical computers conjectured to be secure against attacks utilizing large-scale quantum computers. In order to secure data during storage or communication, and many other applications in the future, this dissertation focuses on the design, implementation, and evaluation of efficient PQC schemes in hardware. Four PQC algorithms, each from a different family, are studied in this dissertation.

The first hardware architecture presented in this dissertation is focused on the code-based scheme Classic McEliece. The research presented in this dissertation is the first that builds the hardware architecture for the Classic McEliece cryptosystem. This research successfully demonstrated that a complex code-based PQC algorithm can be run efficiently on hardware. Furthermore, this dissertation shows that implementation of this scheme on hardware can be easily tuned to different configurations by implementing support for flexible choices of security parameters as well as configurable hardware performance parameters. The successful prototype of the Classic McEliece scheme on hardware increased confidence in this scheme, and helped Classic McEliece to get recognized as one of seven finalists in the third round of the NIST PQC standardization process.

While Classic McEliece serves as a ready-to-use candidate for many high-end applications, PQC solutions are also needed for low-end embedded devices. Embedded devices play an important role in our daily life. Despite their typically constrained resources, these devices require strong security measures to protect them against cyber attacks. Towards securing this type of device, the second research presented in this dissertation focuses on the hash-based digital signature scheme XMSS. This research is the first that explores and presents a practical hardware-based XMSS solution for low-end embedded devices. In the design of XMSS hardware, a heterogeneous software-hardware co-design approach was adopted, which combined the flexibility of the soft core with the acceleration from the hard core. The practicability and efficiency of the XMSS software-hardware co-design is further demonstrated by providing a hardware prototype on an open-source RISC-V based System-on-a-Chip (SoC) platform.

The third research direction covered in this dissertation focuses on lattice-based cryptography, which represents one of the most promising and popular alternatives to today's widely adopted public key solutions. Prior research has presented hardware designs targeting the computing blocks that are necessary for the implementation of lattice-based systems. However, a recurrent issue in most existing designs is that these hardware designs are not fully scalable or parameterized, hence limited to specific cryptographic primitives and security parameter sets. The research presented in this dissertation is the first that develops hardware accelerators that are designed to be fully parameterized to support different lattice-based schemes and parameters. Further, these accelerators are utilized to realize the first software-hardware co-design of provably-secure instances of qTESLA, which is a lattice-based digital signature scheme. This dissertation demonstrates that even demanding, provably-secure schemes can be realized efficiently with proper use of software-hardware co-design.

The final research presented in this dissertation is focused on the isogeny-based scheme SIKE, which recently made it to the final round of the PQC standardization process. This research shows that hardware accelerators can be designed to offload compute-intensive elliptic curve and isogeny computations to hardware in a versatile fashion. These hardware accelerators are designed to be fully parameterized to support different security parameter sets of SIKE as well as flexible hardware configurations targeting different user applications. This research is the first that presents versatile hardware accelerators for SIKE that can be mapped efficiently to both FPGA and ASIC platforms. Based on these accelerators, an efficient software-hardware co-design is constructed for speeding up SIKE. In the end, this dissertation demonstrates that, despite being embedded with expensive arithmetic, the isogeny-based SIKE scheme can be run efficiently by exploiting specialized hardware.

These four research directions combined demonstrate the practicability of building efficient hardware architectures for complex PQC algorithms. The exploration of efficient PQC solutions for different hardware platforms will eventually help migrate high-end servers and low-end embedded devices towards the post-quantum era.

Recommended Citation

Wang, Wen, "Hardware Architectures for Post-Quantum Cryptography" (2021). Yale Graduate School of Arts and Sciences Dissertations . 242. https://elischolar.library.yale.edu/gsas_dissertations/242

Since November 11, 2021


COMP 649 Quantum Cryptography (4 credits)

Offered by: Computer Science ( Faculty of Science )

Administered by: Graduate Studies

Computer Science (Sci) : Review of the basic notions of cryptography and quantum information theory. Quantum key distribution and its proof of security. Quantum encryption, error-correcting codes and authentication. Quantum bit commitment, zero-knowledge and oblivious transfer. Multiparty quantum computations.

Terms: This course is not scheduled for the 2024-2025 academic year.

Instructors: There are no professors associated with this course for the 2024-2025 academic year.

Prerequisite: COMP 547 and permission of the instructor.

Restriction: An introduction to notions of Information Theory is required.


Journal of Materials Chemistry C

Colloidal quantum dots as single photon sources.


* Corresponding authors

a School of Physics, University of Melbourne, Victoria, Australia E-mail: [email protected]

b Department of Electrical and Electronic Engineering, University of Melbourne, Victoria, Australia E-mail: [email protected]

c Australian Research Council (ARC) Centre of Excellence for Transformative Meta-Optical Systems (TMOS), University of Melbourne, Victoria, Australia

Single photon sources (SPSs) are key components in various developing applications, such as quantum cryptography, optical quantum computation, and quantum sensing. Colloidal quantum dots (CQDs) have emerged as an attractive material for SPSs due to their solution-based processing, narrow and tunable photoluminescence (PL) wavelength, high quantum yield (QY), and integration with different substrates. In this paper, we will review the current state of research on using CQDs for SPSs, including the various methods for improving the optical properties of CQDs, the diverse types of CQDs that have been used as SPSs, and the nanophotonic approaches used to improve the single photon properties of CQDs. Additionally, we will discuss the challenges and future directions for the field.

Graphical abstract: Colloidal quantum dots as single photon sources

  • This article is part of the themed collection: Journal of Materials Chemistry C Recent Review Articles


D. Nelson, S. Byun, J. Bullock, K. B. Crozier and S. Kim, J. Mater. Chem. C , 2024, Advance Article , DOI: 10.1039/D3TC04165D


Quantonation Announces First Closing of Its New €200 Million Fund Dedicated to Quantum Technologies

  • Capital Markets

Matt Swayne

  • April 10, 2024


Insider Brief

  • Quantonation Ventures announces the first closing of its second early-stage fund dedicated to Quantum Technologies, Quantonation II.
  • The closing was set at €70 million of the €200 million target.
  • The firm’s first fund Quantonation I is considered the first ever quantum-focused fund and raised €91 million.

PRESS RELEASE — Quantonation Ventures announces the first closing of its second early-stage fund dedicated to Quantum Technologies, Quantonation II, at €70 million of the €200 million target. Quantonation is at the center of the emerging Quantum Tech industry, and is already investing globally in new companies from this second fund.

Physics has been, is and will be the fundamental operating system for world changing technology. While intimidating for some, we believe that innovations in physics, in computing and in quantum science are opportunities to build impactful companies.

In 2018, we began supporting founders in this deep-tech sector, who were working on transforming quantum science and deep physics into tangible devices and applications for sensing, communication, and computing. Our goal was to achieve performance levels that were not yet possible with existing technologies. Quantonation was founded on the belief that investing in this domain required a combination of scientific expertise, business acumen, and financial experience to accurately gauge the time and resources required to bring quantum innovation to the market.

Our first fund, Quantonation I (a 2021 vintage) – the first ever quantum-focused fund – raised €91 million beyond our original target, making investments in 27 companies worldwide, with two exits. We have invested in spin-outs from the most recognized academic ecosystems worldwide, like MIT, Ecole Polytechnique, Institut d’Optique, Oxford University, Waterloo University, University of Sherbrooke and more. We monitored over 600 startups developing Quantum Technologies over the last five years, constituting the field’s most significant deal flow. The fund has had strong performance, putting it in the top quartile of Venture Capital investors, even in a period where other venture investments are feeling a pullback.

We believe that the first era of pioneers in quantum computing is coming to an end. Advancements in hardware and software development are driving the quantum sector towards enterprise-grade use and a supply chain is developing to support faster iteration of new, scalable ideas. Many are starting to realize what has been a core part of our thesis: this is not a race to build the quantum computer. It is an interlocking ecosystem of products and applications across computing, networking, and sensing that will have a profound impact across many fields.

We are confident that an inflection point for Quantum Technologies is on the horizon, supported by our portfolio of industry leaders such as PASQAL, Nord Quantique, Multiverse, Qubit Pharmaceuticals, WeLinQ and QphoX, and the scientific progress made in labs.

Quantonation II follows our thesis from Quantonation I, investing from the pre-seed / seed stage. We are targeting 25 companies in our portfolio and, to accelerate the creation of new companies, are working with quantum venture studios worldwide. A US-based investment vehicle has been set up to make it easier for US investors to subscribe. The first two studios, QV Studio in Canada and Quantum Italia, have already been launched with our support; more projects are under development in Europe, the Asia-Pacific Region and the US. The scientific talent generating quantum and physics innovations is globally distributed and it is important to look globally to develop these innovations into large businesses.

After the first phase of building major quantum platforms, we expect to see more companies working on applications in health, climate change mitigation, security, energy, and high performance computing, and also on the supply chain that is starting to take shape with the transition to scale and industry-grade reliability.

The first closing at €70 million marks an essential milestone towards reaching our final target. It has allowed us to start investing from Quantonation II with four deals to date:

  • Quantum Computing: Diraq (silicon spin qubits), our first investment in the promising Asia-Pacific region
  • Materials: Pioniq (quantum materials for energy storage)
  • Deep physics: Resolve stroke (high-resolution acoustic imaging) and Steerlight (Lidar)

Our investors (LPs) in Quantonation I have returned for Quantonation II. For instance, the Fonds National d’Amorçage 2 (the French Seed Fund), managed by Bpifrance on behalf of the French State, and Bradley M. Bloom (co-founder and former Managing Director of Berkshire Partners LLC).

Christophe Jurczak, Managing Partner, said, “This successful first closing shows, in addition to excellent funding rounds from our first portfolio, a remarkable dynamic in the quantum industry. With these resources, we can pursue scouting for the best quantum companies in the world and support a fantastic roster of founders in their entrepreneurial journey, including in new geographies for us. This will also be a great opportunity to expand the team and deepen our scientific expertise beyond our current focus. We’re looking forward to a bright future for the quantum industry.”

Bradley M. Bloom said, “I am delighted to be closely engaged with the Quantonation team who are using their collective expertise to identify and accelerate some of the most promising innovations in this rapidly emerging sector that will affect all of us in the years ahead.”

For BCG partner and expert in Quantum Technologies Jean-François Bobier: “We released recently a report titled “Quantum Computing’s ‘ChatGPT Moment’ Could Be Sooner Than You Think”. With its first investments as early as 2018, Quantonation was right in time to catch the wave and is ideally positioned as the leading investor in Quantum Technologies to benefit from the new era that is opening for this sector”.

The fund Quantonation II is managed by Quantonation Ventures, headquartered in Paris and Boston, investing globally, and counts on the expertise of its team composed of Christophe Jurczak, Ph.D., Olivier Tonneau, Will Zeng, PhD, Jean-Gabriel Boinot-Tramoni, Pauline Boucher, PhD, Joseph Maillard, Alexandra Krivopavic, Raphaël Bodin, Eleonore de Rose and Charles Beigbeder.


IMAGES

  1. Quantum-Cryptography-Explained-Infographic-OL-11.28 (1)

  2. A First Guide to Quantum Cryptography

  3. Master Thesis

  4. Quantum Cryptography

  5. (PDF) Quantum Cryptography

  6. Incredible What Is Quantum Cryptography And How Does It Work References

VIDEO

  1. Alexandru Gheorghiu's Three Minute Thesis

  2. Quantum Cryptography

  3. Quantum Processors (3-minutes Thesis Competition)

  4. Quantum Security and API interaction for Post Quantum Cryptography

  5. What is post-quantum cryptography and why do we need it?

  6. Church Turing Thesis. Quantum Gravity connection to Quantum Computing

COMMENTS

  1. PDF Quantum Cryptography

    1.1 The beginnings of cryptography. Cryptography is the science, at the crossroads of mathematics, physics, and computer science, that tends to design protocols to prevent malicious third-party from reading private messages. Even if the development of computers during the 20th century made the research in cryptography explode,

  2. PDF Quantum Cryptography in Real-life Applications: Assumptions and Security

    Quantum cryptography, or quantum key distribution (QKD), provides a means of unconditionally secure communication. The security is in principle based on the fundamental laws of physics. Security proofs show that if quantum cryptography is appropriately implemented, even the most powerful eavesdropper cannot decrypt the message from a cipher.

  3. PDF Quantum Cryptography

    Quantum cryptography is one of the emerging topics in the field of computer industry. This paper focuses on quantum cryptography and how this technology contributes value to a defense-in-depth strategy pertaining to completely secure key distribution. The scope of this paper covers the weaknesses of modern digital cryptosystems, the fundamental ...

  4. A quantum encryption design featuring confusion, diffusion, and mode of

    Cryptography—the study of secure communication in the presence of eavesdropping adversaries—is an important application of classical computing and information processing.

  5. PDF Practical Issues in Quantum Cryptography

    computer can easily break standard public-key systems via Shor's quantum algorithm. In contrast to the public-key encryption algorithm, quantum cryptography (QC) is the unbreakable encryption algorithm based on the laws of quantum physics. In the past decade, the unconditional security of QC has been rigorously proven and various QC

  6. Revocable Cryptography in a Quantum World

    This thesis undertakes a systematic study of how to delegate and revoke privileges in a world in which quantum computers become widely available. As part of a single framework we call revocable cryptography, we show how to revoke programs, encrypted data, and even cryptographic keys under standard assumptions. In the first part of this thesis ...

  7. [1705.02417] Quantum Security of Cryptographic Primitives

    This encompasses both the fields of post-quantum cryptography (that is, traditional cryptography engineered to be resistant against quantum adversaries), and quantum cryptography (that is, security protocols designed to be natively run on a quantum infrastructure, such as quantum key distribution). ... PhD Thesis. This document is an electronic ...

  8. PDF Quantum cryptography: from theory to practice arXiv:0808.1385v1 [quant

    Quantum cryptography or quantum key distribution (QKD) applies fundamental laws of ... to quantum cryptography presented in this thesis. I would like to acknowledge that I have benefited very much from thoughtful discussions with Norbert Lütkenhaus, Jian-Wei Pan, Aephraim M. Steinberg, Wolfgang Tittel, Gregor Weihs and the members of ...

  9. Implementation and experimentation of a practical Quantum Identity

    Abstract. This thesis focuses on the study of quantum authentication. The research begins with an introduction to classical cryptography and the limitations it faces in the modern computing era. It then explores the principles of quantum cryptography, highlighting its unique features that enable secure communication.

  10. PDF Quantum Cryptography

    Quantum cryptography is a new method for secret communications offering the ultimate security assurance of the inviolability of a Law of Nature. In this paper we shall describe the theory of quantum cryptography, its potential relevance and the development of a prototype system at Los Alamos, which utilises the phenomenon of single-photon ...

  11. PDF Bachelor Thesis Quantum Cryptography

    Bachelor Thesis: Quantum Cryptography. Petra Pajic, 28.09.2013. Bachelor Thesis for the degree of Bachelor of Science at the University of Vienna, assisted by ao. Univ.-Prof. i.R. Dr. Reinhold A. Bertlmann. Contents: 1 Introduction, 2 History of Cryptography, 3 Classical Cryptography

  12. PDF Improving post-quantum cryptography through cryptanalysis

    organizers and attendees of the Dagstuhl seminar series on quantum cryptanalysis and the AIM workshop on quantum algorithms for analysis of public-key crypto. Thanks to everyone who made this thesis possible. Thanks to Michele Mosca for advising me and supporting my research. Thanks to my co-authors: Martin Albrecht, Vlad

  13. PDF Preparing for the Rise of Quantum Computers

    this thesis, we discuss new primitives in public-key cryptography that could serve as alternatives to the currently used RSA, ECC and discrete logarithm cryptosystems. Analyzing these primitives in the first part of this thesis from an implementer's perspective, we show advantages of the new primitives.

  14. PDF Post-Quantum Cryptography: Cryptanalysis and Implementation

    research of classical and quantum cryptanalytic algorithms, to the development of cryptographic schemes that can be deployed for real-world usage. In this thesis, we investigate three topics in practical post-quantum cryptography. First, we research quantum circuit depth-width trade-offs in the case

  15. Rev. Mod. Phys. 74, 145 (2002)

    Quantum cryptography could well be the first application of quantum mechanics at the single-quantum level. The rapid progress in both theory and experiment in recent years is reviewed, with emphasis on open questions and technological issues.

  16. PDF Attacking Post-Quantum Cryptography

    Attacking post-quantum cryptography Citation for published version (APA): Groot Bruinderink, L. (2019). Attacking post-quantum cryptography. [Phd Thesis 1 (Research TU/e / Graduation ... This thesis, that is the final product of the four years of my PhD life, would not have been possible without the guidance, support and encouragement of ...

  17. PDF Post-Quantum Cryptography

    believed to resist classical and quantum attacks: code-based cryptography, hash-based cryptography, lattice-based cryptography and multivariate public-key cryptography. In this thesis, we focus on the first two classes. In the first part, we introduce coding theory and give an overview of code-based cryptography. The main contribution is

  18. Post-quantum cryptography and the quantum future of cybersecurity

    We review the current status of efforts to develop and deploy post-quantum cryptography on the Internet. Then we suggest specific ways in which quantum technologies might be used to enhance cybersecurity in the near future and beyond. We focus on two goals: protecting the secret keys that are used in classical cryptography, and ensuring the ...

  19. PDF Post Quantum Cryptography: Techniques, Challenges, Standardization, and

    searched algorithms (post-quantum cryptography) that would prove difficult to crack even by a quantum adversary. Finally, the survey culminates in an overview of the most viable candidates for the NIST standard and provides future research directions in the field of post-quantum cryptography. In 2018 Mavroeidis, et al. [4] published a paper to

  20. Hardware Architectures for Post-Quantum Cryptography

    The rapid development of quantum computers poses severe threats to many commonly-used cryptographic algorithms that are embedded in different hardware devices to ensure the security and privacy of data and communication. Seeking for new solutions that are potentially resistant against attacks from quantum computers, a new research field called Post-Quantum Cryptography (PQC) has emerged, that ...

  21. PDF Post-Quantum Cryptography: Lattice-based encryption

    tosystems: hash-based cryptography, code-based cryptography, lattice-based cryptography and multivariate-quadratic-equations cryptography. In this thesis we will only explain lattice-based cryptography. To learn about the other problems, the reader can find introductions for each one in the Post-Quantum Cryptography book [BBD09].

  22. (PDF) Quantum Cryptography

    Abstract. The thesis is based on Quantum cryptography. I talked about various aspects of quantum cryptography. How it will impact the existing cryptography techniques.

  23. Quantum cryptography

    Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. ... Subsequently, Roger Colbeck in his Thesis proposed the use of Bell tests for checking the honesty of the devices. Since then, several problems have been shown to admit unconditional secure and device-independent protocols, even ...

  24. Electronic Thesis/Dissertation

    To better understand security, risks, and other related issues in the theory, designs, implementations, and deployment of post-quantum cryptography, in this thesis, I study the following topics. 1. The National Institute of Standards and Technology has made clear through its evaluation criteria that cryptographic schemes and their ...

  25. COMP 649 Quantum Cryptography (4 credits)

    Computer Science (Sci) : Review of the basic notions of cryptography and quantum information theory. Quantum key distribution and its proof of security. Quantum encryption, error-correcting codes and authentication. Quantum bit commitment, zero-knowledge and oblivious transfer. Multiparty quantum computations.

  26. Colloidal quantum dots as single photon sources

    Single photon sources (SPSs) are key components in various developing applications, such as quantum cryptography, optical quantum computation, and quantum sensing. Colloidal quantum dots (CQDs) have emerged as an attractive material for SPSs due to their solution-based processing, narrow and tunable photoluminescen ... Journal of Materials Chemistry C Recent Review Articles

  27. Quantonation Announces First Closing of Its New €200 Million Fund

    Advancements in hardware and software development are driving the quantum sector towards enterprise-grade use and a supply chain is developing to support faster iteration of new, scalable ideas. Many are starting to realize what has been a core part of our thesis: this is not a race to build the quantum computer. It is an interlocking ecosystem ...