ebook img

Quantum McEliece public-key encryption scheme PDF

0.16 MB·English
by  Li Yang
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Quantum McEliece public-key encryption scheme

Quantum McEliece public-key encryption scheme Li Yanga, Min Liangb 5 aState Key Laboratory of Information Security, Institute of Information Engineering, 1 Chinese Academy of Sciences, Beijing 100093, China 0 bData Communication Science and Technology Research Institute, Beijing 100191, China 2 n a J 9 Abstract 1 This paper investigates a quantum version of McEliece public-key encryption ] h (PKE) scheme, and analyzes its security. As is well known, the security p of classical McEliece PKE is not stronger than the onewayness of related - t classical one-way function. We prove the security of quantum McEliece PKE n a ranks between them. Moreover, we propose the double-encryption technique u to improve its security, and the security of the improved scheme is proved to q [ be between the original scheme and the quantum one-time pad. 1 Keywords: Cryptology of quantum information, quantum public-key v 5 encryption, one-way quantum transformation, McEliece public-key 9 encryption, NP-complete problem 8 4 0 1. 1. Introduction 0 5 Public-key encryption (PKE) is one of the most important research direc- 1 tions in modern cryptography, and has been widespread used in information : v communication. However, the widely used PKE schemes, such as RSA have i X beenthreatenedbyquantumattack. Thenitbecomes importanttoconstruct r a PKE scheme against quantum attack. Okamoto et al. [1] constructed the first quantum PKE scheme based on subset-sum problem, whose public-key is computed from the private-key with Shor’s algorithm for finding discrete logarithm, though the private-key, public-key, plaintext and ciphertext are all classical. In [2], a quantum PKE is constructed based on a hard problem QSCD , which has been proved ff Email addresses: [email protected](Li Yang), [email protected] (Min Liang) to be one with bounded information theoretic security [3]. By using single- qubit rotations, Nikolopoulos [4] proposed a quantum PKE with classical private-key and quantum public-key. Based on quantum encryption, Gao et al. [5] presented a quantum PKE with symmetric keys, with two qubits from a Bell state serving as the public-key and the private-key, respectively. Pan and Yang [6] constructed a quantum PKE scheme with information theoretic security. All these quantum PKEs above areclassical bits oriented. However, quantum messages also need to be encrypted in some cases. Though quan- tum key distribution (QKD) plus quantum one-time pad (QOTP) can finish the task of encrypting quantum messages, it needs some preshared keys in the implementation of QKD. This paper explores the asymmetric scheme of this task, and propose a quantum-message-oriented PKE. McEliece public-key encryption scheme [7] is based on coding theory and its security relies on the difficulty of solving a NP-complete (NPC) problem. Though the scheme is a classical PKE scheme, it is believed that it can resist quantumattack. Basedonitsconstruction, theresearchersbegintoconstruct PKE scheme in quantum world, for the purpose of encryption of quantum messages. Yang [8] proposed the first quantum analogue of McEliece PKE, in which the public-key and private-key are classical, however it can encrypt quantum messages. Later in 2010, we extend it and present the definition of induced trapdoor one-way transformation (OWT), then construct a frame- work of quantum PKE based on the induced trapdoor OWT. The quantum McEliece PKE proposed in [8] can be seen as a special case of the quantum PKE framework. In 2012, Fujita [9] also proposed a quantum analogue of McEliece PKE based on quantum coding theory, and its security also re- lies on the difficulty of solving a NPC problem. This scheme also uses the classical keys and can encrypt quantum messages. This paper studies the security of the quantum McEliece PKE scheme which is proposed in Ref.[8, 10], and then focuses on the improvement to it. 2. Quantum public-key encryption Firstly, wedefinequantumpublic-keyencryption(QPKE)asfollows. With- out loss of generality, the definition is presented for the encryption of quan- tum messages (The classical messages can be seen as a special case). Definition 1: A quantum public-key encryption scheme is described by a triplet (G,E,D), where 2 1. G is the polynomial time quantum key-generation algorithm. On input 1n, G outputs (e,d) in polynomial time, where e is a public key, d is a secret-key, and n is a security parameter. 2. E,D are the polynomial time quantum encryption/decryption algo- rithms. They satisfy this condition: For every n-qubit message σ, every polynomial poly(n), and all sufficiently large n, F(D(E(σ,e),d),σ) > 1−1/poly(n), where F(σ ,σ ) denotes the fidelity of two states σ ,σ . 1 2 1 2 Next, we present the security definition of QPKE. Definition 2: A quantum public-key encryption scheme is computation- ally(information-theoretically)secure, ifforeverypolynomial-size(unlimited- size)quantumcircuitfamilyC ,everypositivepolynomialp(.),allsufficiently n large n, and any two quantum messages σ,σ′ ∈ H , it holds that M 1 Pr[Cn(G(1n),EG(1n)(σ)) = 1]−Pr[Cn(G(1n),EG(1n)(σ′)) = 1] < , p(n) (cid:12) (cid:12) whe(cid:12)re E is a polynomial time quantum encryption algorithm(cid:12)and G is a polynomial time quantum algorithm for generating public-keys. 3. Quantum McEliece public-key encryption scheme 3.1. Some notations Suppose ρ = m∈{0,1}k m′∈{0,1}k αmm′|mihm′| and G is a k ×n matrix, then we denote P P ρ◦G = αmm′|mGihm′G|, m m′ XX where mG is the multiplication of the vector m and matrix G modular 2. Suppose x is arbitrary vector in {0,1}k, then we denote ρ∔x = αmm′|m+xihm′ +x|, m∈X{0,1}km′∈X{0,1}k where m+x is the bitwise addition of m and x modular 2. Suppose a matrix M is a n×n invertible matrix, then denote M−1 as the inverse matrix of M. Suppose a matrix M is a k×n (k < n) matrix and it is full row rank, then it has Moore-Penrose inverse. Denote M− as one of Moore-Penrose inverses of M satisfying MM− = I (I is identity matrix). 3 3.2. Scheme [8] Quantum McEliece public key encryption scheme is firstly proposed in Ref.[8]. This scheme will be briefly introduced before our analysis and im- provement. The quantum key-generation algorithm is the same as classical McEliece PKE protocol [7]: Suppose G is a k×n generator matrix of a [n,k,d] Goppa code, G′ = SGP, here S is a k×k invertible matrix and P is an n×n permu- tation matrix. We choose (G′,t),t ≤ ⌊d−1⌋ as the public-key and (S,G,P) 2 as the private-key. Let H is the check matrix of Goppa code satisfying GHT = 0. Alice selects a random number r of weight ≤ t, and uses Bob’s public-key G′ with r to encrypt a k-qubit state ρ. This encryption can be shown by the density as follows. ρ → ρ◦G′ → ρ◦G′ ∔r. Denote ρ◦G′ ∔r , ρ , the ρ is the quantum ciphertext. The above trans- c c formation is feasible. The reason will be shown later. Bob uses his private-key s = (S,G,P) to decrypt the state ρ coming c from Alice: Firstly he computes the state ρ ◦ P−1(=ρ ◦ SG ∔ rP−1) and c extract the value of rP−1; Then he computes ρ ◦P−1∔rP−1(=ρ◦SG), and c can further obtain the state ((ρ ◦P−1 ∔rP−1)◦G−)◦S−1, c which is equal to ((ρ ◦ SG) ◦ G−) ◦ S−1ρ = (ρ ◦ S) ◦ S−1 = ρ. Note that, G− is a Moore-Penrose inverse of G. So G− is a n × k(n > k) binary matrix. According to Proposition 5 in the appendix, the transformation σ◦G− is infeasible physically for arbitrary n-qubit state σ. However, ρ◦SG is a special subclass of all n-qubit states, which is related to G. So the computation (ρ◦SG)◦G− is feasible physically. This will be shown in the following concrete scheme, see Eq.(4). Next, we show the encryption/decryption algorithms in the Dirac form, which is a more understandable way. Denote the k-qubit state ρ as α |mi. Then, this encryption can be m m described in the following three steps P |ri α |mi|0i → |ri α |mi|mG′i → |ri α |m⊕mG′G′−i|mG′i m m m m m m X X X → |ri|0i α |mG′ ⊕ri, (1) m m X 4 where the matrix G′− is a generalized inverse matrix of G′. Because G′ is a full row rank matrix, there exists G′− that satisfies G′G′− = I . This is the k condition that one can get α |mG′i from α |mi. Alice sends the m m m m cipher state α |mG′ ⊕ri to Bob. m m P P Bob uses his private-key s = (S,G,P) to decrypt the state coming from P Alice, |si α |mG′ ⊕ri|0i|0i → |si α |mG′ ⊕ri|(mG′ ⊕r)P−1i|0i m m m m X X → |si α |0i|(mG′ ⊕r)P−1i|0i = |si|0i α |mSG⊕rP−1i|0i m m m m X X → |si|0i α |mSG⊕rP−1i|(mSG⊕rP−1)HTi m m X = |si|0i α |mSG⊕rP−1i|rP−1HTi, (2) m m X then measures the second register to get rP−1HT, and find rP−1 via the fast decoding algorithm of the Goppa code generated by G. Bob carries out the following transformation on the quantum state α |mSG ⊕ rP−1i m m according to the value of rP−1, P |rP−1i α |mSG⊕rP−1i → |rP−1i α |mSGi. (3) m m m m X X Then he computes |si α |mSGi|0i|0i m m X → |si α |mSGi|mSGG−i|0i = |si α |mSGi|mSi|0i m m m m X X → |si α |0i|mSi|0i m m X → |si|0i α |mSi|mSS−1i = |si|0i α |mSi|mi m m m m X X → |si|0i|0i α |mi. (4) m m X Finally, the quantum message α |mi is obtained. m m P 5 3.3. Analysis Induced trapdoor one-way transformation (OWT) has been defined in Ref. [10]. The above protocol satisfies the framework of QPKE based on induced trapdoor OWT. Let g(m,r) = 0 and f(m,r) = mG′ ⊕ r in the induced trapdoor OWT. Here g(m,r) is a constant function, then the en- cryption transformation can be simplified as U (r) = |0ihm|⊗|mG′ ⊕rih0|. fg m X The decryption transformation is D (s) = |r(f,s)ih0|⊗|mih0|⊗|0ihf(m,r)|. fg r,m X where r(f,s) denotes a function that is relative to f,s. • Firstly, we analyze its security while encrypting classical messages. The quantum McEliece PKE scheme can be used to encrypt classical message. In this case, the quantum McEliece PKE would degenerate to the corresponding classical PKE. The classical McEliece PKE has been studied for more than thirty years in modern cryptography, and is believed to be secure. Thus, our scheme is secure while encrypting classical messages. Ref.[9]believes ourscheme isinsecurewhenencrypting classical messages. Though the McEliece PKE has not been reduced to NP-complete problem, here we discuss the difficult from a new view when attacking the ciphertext mG′ ⊕ r. Attacking cipher mG′ ⊕ r is equivalent to attacking m ⊕ rG′−. Now,we show the difficulty of decoding m⊕rG′−. As it is in McEliece PKE scheme, we know G′ = SGP, where S,P are both invertible matrices, G is generator matrix of Goppa code and is full row rank, so G′ is also full row rank, and then it has Moore-Penrose inverse. Suppose G′− is one of Moore-Penrose inverses of G′ satisfying G′G′− = I. In 1 1 fact, G′− can be obtained by solving the linear equations G′X = I. Then all 1 the Moore-Penrose inverses of G′ can be written as the form G′− = G′− ⊕U ⊕G′−G′U, 1 1 where U is any n × k binary matrix. It can be verified that G′G′− = I. In classical McEliece PKE scheme, the cipher c and plaintext m satisfy the 6 relation c = mG′ ⊕ r, where r is a binary row vector of weight t. Suppose Eve finds another Moore-Penrose inverse of G′, denoted as G′−, then he can 2 computecG′− = m⊕rG′−. DenoteG′− = (e ···e ), whereeache isabinary 2 2 2 1 k i columnvector. ThencG′− canberepresented as(m ⊕r·e ),··· ,(m ⊕r·e ). 2 1 1 k k If each column e of G′− has more zeros (it means the Hamming weight of i 2 e is small enough), r · e would equal to 0 with large probability, then its i i i−th bit m ⊕r·e would reveal the i−th bit of original plaintext with large i i probability. Notice that e = g ⊕ (I ⊕ G′−G′)u , where g and u are the i i 1 i i i i−th column of G′− and U separately. Here g and I ⊕ G′−G are known, 1 i 1 but u is unknown. Now Eve have to face a problem: finding u , such that i i g ⊕(I⊕G′−G′)u has weight smaller than a given value. This is just a LPN i 1 i problem, which is a NP-complete problem. Remark 1: This problem can be seen from another view. I ⊕ G′−G′ is 1 a n × n matrix, and g ,u are two n × 1 vectors, but u is unknown. So i i i the above problem can be restated as follow: how to select some columns of I ⊕G′−G′, such that their summation is closest to vector g ? This is just a 1 i closest vector problem (CVP), which is a NP-hard problem. We have tried numerical experiment following the above attack, and it seems that this kind of attack is invalid. This attack is reduced to an optimal problem (CVP): finding u , such as g ⊕(I ⊕G′−G′)u (notice that it equals i i 1 i e ) has weight smaller than a given value. Suppose the parameters n = i 1024,k = 524,t = 50 in the McEliece PKC scheme. Firstly, because u has i 21024 choices, both the exhaustive search and random search are not realistic. Whilechoosingsomesmall parameterssuchasn = 60,k = 30, theexhaustive search can reduce the weight of e to 1 with probability 2%, and the random i search may be slightly better. With the greedy search, we obtain e of weight i 225 on average. In this case, Pr[r · e = 0] ≈ 0.5 + 0.1 × 10−13, here r is i a n-bit random vector of weight t = 50. Thus, the attack presented here is invalid. • Secondly, we strictly prove the relationship between the security of quan- tum PKE protocols and that of its classical counterpart. Theorem 1: ThequantumMcEliece PKEisatleastassecureasclassical McEliece PKE protocol. Proof: Suppose there is a quantum algorithm A, which can efficiently transformthecipherstate α |mG′⊕riintoquantummessage α |mi. m m m m In order to decrypt arbitrary classical cipher m G′⊕r , we firstly prepare a 0 0 P P 7 quantum state |m G′⊕r i. Then, the quantum state |m G′⊕r i is an input 0 0 0 0 to the quantum algorithm A, and will be transformed into the quantum state |m i. Finally, the classical message m is obtained via measuring the output 0 0 quantum state |m i. Thus, if there is an attack to quantum McEliece PKE, 0 there would be an attack to classical McEliece PKE. Therefore, quantum McEliece PKE is at least as secure as classical McEliece PKE protocol. (cid:3) Since the functions f(m,r) and g(m,r) are classical functions, finding the trapdoor s is a classical computational problem. Thus, the security of QPKEprotocolbasedoninduced trapdoorOWTdepends ontheonewayness of corresponding classical trapdoor one-way function. Now we can arrive at the following conclusion. The security of a QPKE protocol based on induced trapdoor OWQT is one between that of corresponding classical PKE and the onewayness of related classical one-way function. In other words, the security of a QPKE given above is not stronger than the onewayness of related classical trapdoor one- way function, and is not weaker than the security of its classical counterparts. • Finally, we analyze its security from the aspect of attack. The attacker can have two different strategies: 1) attacking the secret key from the public key; 2) attacking the ciphertext α |mG′ ⊕ri. m m If the attacker adopts the first strategy, the difficulty is the same as that P of attacking the classical McEliece PKE, because the quantum PKE scheme uses the same key-generating algorithm as its classical counterpart. If the attacker adopts the second strategy, we should analyze what can be extracted from the ciphertext α |mG′ ⊕ri. m m Theorem 2: The strategy 2) is inefficient when attacking the ciphertext P of quantum McEliece PKE scheme. Proof: Because k ×n matrix G′ is public and full rank k (k < n), the attacker can compute its generalized inverse matrix G′−, which is a n × k matrix. Thus, the attacker can perform the following processing on the ciphertext. α |mG′ ⊕ri|0i → α |mG′ ⊕ri|m⊕rG′−i m m m m X X → |r⊕rG′−G′i α |m⊕rG′−i. (5) m m X Then, the attacker can measurement the first register, and obtain the value of r(I⊕G′−G′). In addition, he can also obtaina new ciphertext α |m⊕ m m P 8 rG′−i,whichcanbewrittenasX(rG′−) α |mior α |(mG′⊕r)G′−i. m m m m From the following two propositions, the proof can be finished. P P Proposition 1: Given the values of r(I⊕G′−G′) and I⊕G′−G′, solving the value of r is a LPN problem. Proof: Now we know the attacker can obtain the values of r(I ⊕G′−G′) and I ⊕ G′−G′. Because G′(I ⊕ G′−G′) = G′ ⊕ G′ = 0 and G′ 6= 0, it can be inferred that n × n matrix I ⊕ G′−G′ is not full rank. So only a little information about r cannot be computed from the values of r(I ⊕ G′−G′) and I ⊕G′−G′. However, the value of rG′− is still hard to compute. Denote v = r(I ⊕ G′−G′). Then, computing the value of rG′− is a NPC problem: given the values of v,G′, r is a random binary vector, how to compute the value of rG′− from the equation v = r⊕(rG′−)G′? It is just a LPN problem which has been discussed above. (cid:3) Now we know the attacker can transform the ciphertext α |mG′⊕ri m m into α |(mG′⊕r)G′−i. However, it does not hold for any quantum state m m P α |mi. In other words, the transformation α |mi → α |mHi mPm m m m m may be physically infeasible. The proof is given in the appendix. P P P Proposition 2: The state X(rG′−) α |mi is unrelated with the m m plaintext α |mi, from the view of fidelity. m m P Proof: According to Fujita’s analysis [9], X basis measurement on the P two states X(rG′−) α |mi and α |mi can result a same statistical m m m m probability. This is obviously correct since the two states differ only in some P P bit-flips[12]. So itisexpected thattheattacker mayobtainsome information aboutthequantummessagesbyquantummeasurementonX(rG′−) α |mi. m m Though there exists a vulnerability in quantum McEliece PKE, it should P bestressedthatsimilarityofthesetwostatesX(rG′−) α |miand α |mi m m m m is described by the fidelity of them: P P F(e) = ( α∗ hm|)|X(e)|( α |ni) m n (cid:12) (cid:12) (cid:12) Xm Xn (cid:12) (cid:12) (cid:12) (cid:12) (cid:12) = (cid:12) α∗ α hm|X(e)|ni = α(cid:12)∗ α , (6) m n m m⊕e (cid:12) (cid:12) (cid:12) (cid:12) (cid:12)Xm,n (cid:12) (cid:12)Xm (cid:12) (cid:12) (cid:12) (cid:12) (cid:12) where e = rG′− is a ran(cid:12)dom string depending(cid:12) on(cid:12)the error r.(cid:12)It can be seen (cid:12) (cid:12) (cid:12) (cid:12) that F(e) may equals to any value from 0 to 1, then, generally speaking, identical probability distributions do not means identical states. (cid:3) Remark 2: The attack to the state X(rG′−) α |mi can also be ana- m m lyzed from information theory. According to Holevo theorem [12], the quan- P 9 tum measurement on X(r G′−) α |mi can obtain at most k-bit infor- 1 1 m m mation, but α |mi has 2k amplitudes α . Suppose each amplitude is m m P m accurate to l decimal places, then each α can be seen as l-bit complex m P number which has both real and image parts, so it is necessary to obtain 2l×2k-bit information for determining an unknown state α |mi. It can m m be seen that even Alice encrypts the same quantum state polynomial times, P the attacker can obtainat most a polynomial-bits information. It is still hard for her to determine the state α |mi. m m P 4. Double-encryption scheme 4.1. Scheme As stated by Fujita [9], the vulnerability of quantum McEliece PKE is due to the fact that our PKC introduces no phase encryption. In this section, we propose an improved variant of the quantum McEliece PKE scheme using double-encryption technique. The encryption is briefly stated as follows. The quantum McEliece PKE is used twice, however, the second encryption uses the different parameters from the first. 1. Alice uses two pairs of public-keys (G′,t ) and (G′,t ). She firstly uses 1 1 2 2 the first public-key (G′,t ) to encrypt the k-qubit message α |mi, 1 1 m m and obtain a n-qubit state α |mG′ ⊕r i. m m 1 1 P 2. Then she performs an Hadamard transformation H⊗n on this state and obtain H⊗n α |mG′ ⊕Pr i = α (−1)k·(mG′1⊕r1)|ki. m m 1 1 m m k 3. Finally she uses the second public-key (G′,t ) to encrypt the n-qubit P P P2 2 quantum state H⊗n α |mG′ ⊕ r i, and obtains a n′-qubit quan- m m 1 1 tum state, which is the ciphertext of the improved scheme. The final P ciphertext is as follow: α (−1)k·(mG′1⊕r1)|kG′ ⊕r i m 2 2 m k X X = α (−1)k·(mG′1⊕r1) |kG′ ⊕r i. (7) m 2 2 " # k m X X Bob receives the ciphertext, and performs the following decryption pro- cess. 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.