Relating Quantum Tamper-Evident Encryption to Other Cryptographic Notions

Sébastien Lord

TL;DR

The paper situates quantum tamper-evident encryption (QTE) within the broader landscape of quantum cryptographic primitives, establishing that tamper evidence implies encryption and can be constructed from encryption with revocation (and vice versa). It formalizes a bridge from tamper-evident schemes to quantum money and certifies deletion, and provides two generic transformations between tamper evidence and revocation, with controlled, polynomial security loss. It also clarifies limits by presenting separations showing that tamper evidence does not imply authentication or uncloneable encryption. Through a detailed, information-theoretic treatment (trace distance, coherent gentle measurements), the work unifies multiple notions under a common framework and opens questions about computational and device-independent extensions.

Abstract

A quantum tamper-evident encryption scheme is a non-interactive symmetric-key encryption scheme mapping classical messages to quantum ciphertexts such that an honest recipient of a ciphertext can detect with high probability any meaningful eavesdropping. This quantum cryptographic primitive was first introduced by Gottesman in 2003. Beyond formally defining this security notion, Gottesman's work had three main contributions: showing that any quantum authentication scheme is also a tamper-evident scheme, noting that a quantum key distribution scheme can be constructed from any tamper-evident scheme, and constructing a prepare-and-measure tamper-evident scheme using only Wiesner states inspired by Shor and Preskill's proof of security for the BB84 quantum key distribution scheme. In this work, we further our understanding of tamper-evident encryption by formally relating it to other quantum cryptographic primitives in an information-theoretic setting. In particular, we show that tamper evidence implies encryption, answering a question left open by Gottesman, we show that it can be constructed from any encryption scheme with revocation and vice-versa, and we formalize an existing sketch of a construction of quantum money from any tamper-evident encryption scheme. These results also yield as a corollary that any scheme allowing the revocation of a message must be an encryption scheme. We also show separations between tamper evidence and other primitives, notably showing that tamper evidence does not imply authentication and does not imply uncloneable encryption.

Paper Structure

This paper contains 59 sections, 39 theorems, 197 equations, 5 figures, 1 table.

Key Result

Theorem 1

Let $X$ be a random variable distributed on the non-negative reals $\mathbb{R}^+_0$. Then, for any strictly positive $\alpha \in \mathbb{R}^+$, we have that

Figures (5)

  • Figure 1: A classical symmetric-key encryption scenario. Alice and Bob share a classical key $k$ which Alice uses to encrypt a classical plaintext $m$ as a classical ciphertext $c$ from which Bob recovers $m$. An eavesdropping Eve obtains, undetected, a copy of $c$.
  • Figure 2: The communication scenario considered for tamper-evident schemes. Alice and Bob share a classical key $k$ which Alice uses to encrypt a classical message $m$ as a quantum ciphertext $\rho$. Eve attempts to eavesdrop on this ciphertext, possibly introducing some changes. Bob then decrypts, possibly obtaining a different message, and either accepts or rejects the transmission to indicate if he detected Eve eavesdropping or not. Eve only learns the key $k$ after her eavesdropping attempt.
  • Figure 3: A Venn diagram showing the relations between quantum authentication schemes, tamper-evident schemes, and encryption schemes within all keyed quantum encoding schemes where the decoding map must also produce an accept/reject flag. Some schemes are pinpointed to illustrate that each discernable region shown here is distinct. The identity, OTP, and QOTP schemes have decoding maps augmented to always accept.
  • Figure 4: Conceptual identification between the parties in a tamper-evident scheme and revocation scheme. Contrast with \ref{fg:te-scenario}. Note that in the revocation scenario Alice does not output a decoded message $m'$ and $\rho'$ may be on a different space than $\rho$.
  • Figure 5: An AQECM scheme $(K, E, D)$ subject to a tamper attack $A$, as considered in \ref{df:te-attack} and \ref{df:te-security}. For any given message $m$ and key $k$, the final subnormalized state held by the adversary if the receiver does not detect any eavesdropping is $\rho_{k,m} \in \mathcal{D}_\bullet(\textsf{A})$.

Theorems & Definitions (100)

  • Theorem 1
  • Lemma 2
  • proof
  • Lemma 3
  • proof
  • Lemma 4: Wat18
  • Lemma 5: BCG+02
  • Lemma 6
  • proof
  • Theorem 7: Wat18
  • ...and 90 more