# Improving Classical Authentication over a Quantum Channel

^{1}

^{2}

^{3}

^{4}

^{5}

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Preliminary Results

**Definition 2.1 (**$\epsilon -$

**almost strongly universal-2 hash functions)**Let $\mathcal{M}$ and $\mathcal{T}$ be finite sets and call functions from $\mathcal{M}$ to $\mathcal{T}$ hash functions. Let ε be a positive real number. A set $\mathcal{H}$ of hash functions is $\epsilon -$almost strongly universal-2 if the following two conditions are satisfied

- (1)
- The number of hash functions in $\mathcal{H}$ that takes an arbitrary $m\in \mathcal{M}$ to an arbitrary $t\in \mathcal{T}$ is exactly $\left|\mathcal{H}\right|/\left|\mathcal{T}\right|.$
- (2)
- The fraction of those functions that also takes ${Y}^{\prime}\ne Y$ in $\mathcal{M}$ to an arbitrary ${T}^{\prime}\in \mathcal{T}$ (possibly equal to T) is no more than $\epsilon .$

`XOR`of Brassard’s protocol with a quantum coder (QC) similar to that used in the BB84 protocol [2]. As we shall see later on, the key ${U}^{\left(l\right)}$ may be discarded. Assume that Alice and Bob agree on two orthonormal bases ${B}_{0}$ and ${B}_{1}$ for the 2-dimensional Hilbert space,

**Figure 1.**Brassard’s classical authentication protocol [3].

#### Weak Pseudorandom Generators

**Definition 2.2**We say that a pseudorandom generator G is attackable in (quantum/probabilistic) polynomial time if there exists a (quantum/probabilistic) polynomial time algorithm P and polynomial p such that if P is fed with a subsequence of $p\left(n\right)$ (not necessarily contiguous) generated bits ${X}^{p\left(n\right)}$ of G we have that:

**Theorem 2.3**If a pseudorandom generator G is attackable in (quantum/probabilistic) polynomial time then the scheme presented in Figure 3 is not secure in polynomial-time for a quantum adversary that has access to $Y=\left\{{Y}_{i}\right\}$.

**Proof.**Since G is attackable, there exists a quantum polynomial time algorithm P and a polynomial p such that if P is fed with $p\left(n\right)$ bits of the string X generated by G, then P computes (up to negligible uncertainty) the seed ${X}^{\left(n\right)}$ of G. So it is enough to show that Eve, upon capturing the qubits generated by $\mathtt{QC}$ (the quantum coder in page 5), is able to recover (with non-negligible probability) $p\left(n\right)$ bits of X.

**Corollary 1**If a pseudorandom generator G is attackable, then the scheme presented in Figure 2 is not secure in polynomial-time for a quantum adversary that has access to hash function $h.$

**Proof.**Eve is able to calculate $h\left(Y\right)$ from Y that is public. Therefore she can apply Theorem 2.3 by observing a number N of tags such that $Nlog\left|\mathcal{T}\right|\ge 8p\left(n\right).$ ☐

**Example 2.4 (State Recovery Attack for Linear Congruential Generator(LCG))**Let A be a positive integer and ${\mathbb{Z}}_{A}$ the set of integers modulo $A.$ The seed of the LCG is the vector ${X}^{\left(n\right)}=(A,{s}_{0},a,b)$, where ${s}_{0},a,b\in {\mathbb{Z}}_{A}$. The length of the seed is $n=4\lceil logA\rceil $. A binary pseudorandom sequence with length $N\times \lceil logA\rceil $ bits is obtained from the 2-radix expansion of the sequence $\mathbf{s}=\{{s}_{1},\phantom{\rule{4pt}{0ex}}{s}_{2},\dots ,{s}_{N}\}$ created by the following recursion:

`XOR`is utilized. We notice that the state recovery attack is applicable without change to the

`XOR`-based scheme. It is enough to compute $X=Z\oplus Y$ before applying the algorithm. In contrast, for the quantum scheme, Eve has an irreducible uncertainty on the X values due to quantum coding. In particular, if she employs the procedure described in the proof of the Theorem 2.3 it is expected only one fourth of the X’s to be correct. The problem from Eve’s point of view is how to solve the seed from a degraded version of the algorithm input X.

## 3. Comparing `XOR` with Quantum Coding

`XOR`and the quantum coding performances using information-theoretical measures.

#### 3.1. Fair Input Single-Sized Block

`XOR`encoding case we have that $Z=X\oplus Y$ and thus $H\left(X\right|Y,Z)=0$. So, Eve has no doubt about X. In the quantum encoding case, we begin by observing that one can compute easily the von Neumann entropy of $S\left(\rho \right(Y\left)\right)=S\left(\rho \right(0\left)\right)=S\left(\rho \right(1\left)\right)$. Therefore we have:

**Theorem 3.1**Following the notation in Figure 4 (right), the minimum uncertainty for X given Z and Y is

**Proof.**The Holevo bound states that

#### 3.2. Fair Input k-Blocks

**Example 3.2**Table 1 illustrates the scenario for $k=2$. Rows are indexed by the four possible values of ${Y}^{2}$ and columns are indexed by the bases corresponding to the four values of ${X}^{2}.$ Notice that Eve is not able to distinguish which column is being used. Then, her uncertainty is lower bounded by the von Neumann entropy of the quantum system formed by states listed in row indexed by the values of ${Y}^{2}$ that she can access.

${Y}^{2}$ | Bases | |||
---|---|---|---|---|

${B}_{0}{B}_{0}$ | ${B}_{0}{B}_{1}$ | ${B}_{1}{B}_{0}$ | ${B}_{1}{B}_{1}$ | |

00 | $|00\rangle $ | $|0+\rangle $ | $|+0\rangle $ | $|++\rangle $ |

01 | $|01\rangle $ | $|0-\rangle $ | $|+1\rangle $ | $|+-\rangle $ |

10 | $|10\rangle $ | $|1+\rangle $ | $|-0\rangle $ | $|-+\rangle $ |

11 | $|11\rangle $ | $|1-\rangle $ | $|-1\rangle $ | $|--\rangle $ |

**Property 3.3**Let ρ and σ be quantum states; then $S\left(\right)open="("\; close=")">\rho \otimes \sigma =S\left(\rho \right)+S\left(\sigma \right).$

**Theorem 3.4 (Generalization of Theorem 3.1)**Following the notation in Figure 4 (right), the minimum uncertainty for k-blocks ${X}^{k}$ given ${Z}^{k}$ and ${Y}^{k}$ is

#### 3.3. Unfair Input k-Blocks

`XOR`encoding case where $H\left({X}^{k}\right|{Y}^{k},{Z}^{k})=0$ (since ${Z}^{k}={X}^{k}\oplus {Y}^{k}$). As expected, we show that the uncertainty is directly proportional to the size of the seed of the PRG under reasonable assumptions.

#### 3.4. Almost Fair Input k-Blocks

## 4. Improving Key-Tag Secrecy

#### 4.1. Modified Classical Case

#### 4.2. Uncertainty of the Tag in the Quantum Case

**Theorem 4.1**If $I\left(\right)open="("\; close=")">T;{X}^{k}|Y,{Z}^{k}=H\left(T\right)$ then the tag is secure in the information theoretical sense, that is, $H\left(T\right|Y,{Z}^{k})=H\left(T\right)$.

**Proof.**

#### 4.3. Robustness of the Protocol under Noisy Quantum Channels

**Corollary 2**Let ${W}^{k}$ be the degraded version of ${X}^{k}$ observed by Bob caused by noise and let s be the number of bits from the seed of the PRG that Eve does not know. Then, if $I({X}^{k};{W}^{k}|{Y}^{k})>s{S}^{*}+\u03f5$ then Alice and Bob can exchange tags with perfect security at rate smaller than $I({X}^{k};{W}^{k}|{Y}^{k})-s{S}^{*}-\u03f5$.

## 5. Summary

`XOR`function. Then, we have used this quantum coding to propose a quantum-enhanced protocol to authenticate classical messages, with improved security with respect to the classical scheme introduced by Brassard in 1983. Our protocol is also more practical in the sense that it requires a shorter key than the classical scheme by using the pseudorandom bits to choose the hash function. Finally, we prove that quantum resources can improve both the secrecy of the key generated by the PRG and the secrecy of the tag obtained with a hidden hash function.

## Acknowledgments

## References and Notes

- Wegman, M.N.; Carter, J.L. New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci.
**1981**, 22, 265–279. [Google Scholar] [CrossRef] - Bennett, C.H.; Brassard, G. Quantum cryptography: Public-key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 1984; pp. 175–179.
- Brassard, G. On computationally secure authentication tags requiring short secret shared keys. In Advances in Cryptology; Springer-Verlag: New York, NY, USA, 1983; pp. 79–86. [Google Scholar]
- Krawczyk, H. LFSR-based hashing and authentication. In Advances in Cryptology; Springer-Verlag: New York, NY, USA, 1994; pp. 29–42. [Google Scholar]
- Rogaway, P. Bucket hashing and its application to fast messages authentication. In Advances in Cryptology; Springer-Verlag: New York, NY, USA, 1995; pp. 29–42. [Google Scholar]
- Shoup, V. On fast and provably secure message authentication based on universal hashing. In Advances in Cryptology; Springer-Verlag: New York, NY, USA, 1996; pp. 313–328. [Google Scholar]
- Blum, L.; Blum, M.; Shub, M. A simple unpredictable pseudo random number generator. SIAM J. Comput.
**1986**, 15, 364–383. [Google Scholar] [CrossRef] - Sidorenko, A.; Shoenmakers, B. State recovery attacks on pseudorandom generators. In Western European Workshop on Research in Cryptology, Lectures Notes in Informatics (LNI); GI: Bonn, Germany, 2005; Volume 74, pp. 53–63. [Google Scholar]
- Alleaume, R.; Bouda, J.; Branciard, C.; Debuisschert, T.; Dianati, M.; Gisin, N.; Godfrey, M.; Grangier, P.; Langer, T.; Leverrier, A.; et al. SECOQC white paper on quantum key distribution and cryptography. arXiv
**2007**. [Google Scholar] - Ioannou, L.M.; Mosca, M. A new spin on quantum cryptography: Avoiding trapdoors and embracing public keys. Post-Quantum Cryptography
**2011**, 7071, 255–274. [Google Scholar] - Kunz-Jacques, S.; Jouguet, P. Using hash-based signatures to bootstrap quantum key distribution. arXiv
**2012**. [Google Scholar] - Goldreich, O. Modern Cryptography, Probabilistic Proofs and Pseudorandomness; Springer: Berlin, Germany, 1999. [Google Scholar]
- Cover, T.M.; Thomas, J.A. Elements of Information Theory; Jonh Wiley & Sons: Hoboken, NJ, USA, 2006. [Google Scholar]
- Wyner, A.D. The wire-tap channel. Bell Syst. Tech. J.
**1975**, 54, 1355–1387. [Google Scholar] [CrossRef] - Maurer, U.M. Secret key agreement by public discussion from common information. IEEE Trans. Inform. Theor.
**1993**, 39, 733–742. [Google Scholar] [CrossRef] - Simmons, G.J. Authentication theory/coding theory. In Proceedings of the CRYPTO 84 on Advances in Cryptology, Santa Barbara, CA, USA, 1984; Springer-Verlag: New York, NY, USA, 1975; pp. 411–431. [Google Scholar]
- Lai, L.; El Gamal, H.; Poor, H.V. Authentication over noisy channels. IEEE Trans. Inform. Theor.
**2009**, 55, 906–916. [Google Scholar] [CrossRef] - Cederlörf, J.; Larsson, J. Security aspects of the authentication used in quantum cryptography. IEEE Trans. Inform. Theor.
**2008**, 54, 1735–1741. [Google Scholar] [CrossRef] - Damgaard, I.; Pedersen, T.; Salvail, L. On the key-uncertainty of quantum ciphers and the computational security of one-way quantum transmission. arXiv
**2004**. [Google Scholar] - Goldreich, O. Foundations of Cryptography: Volume I Basic Tools; Cambridge University Press: Cambridge, UK, 2001. [Google Scholar]
- Paris, M.G.A.; Rehácek, J. Lectures Notes in Physics, Quantum State Estimation; Springer: Berlin, Germany, 2004. [Google Scholar]
- Nielsen, M.A.; Chuang, I.L. Quantum Computation and Quantum Information; Cambridge University Press: Cambridge, UK, 2000. [Google Scholar]
- Csiszar, I.; Korner, J. Broadcast channels with confidential messages. IEEE Trans. Inform. Theor.
**1978**, 24, 339–238. [Google Scholar] [CrossRef] - Although this sequence is cyclic, the cycle is exponential in the size of the seed, and so the standard QKD key maintenance will eventually be restored before the cycle ends.
- A similar analysis can be made to the Blum-Micali PRG assuming the large prime is kept secret [26].
- Blum, M.; Micali, S. How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput.
**1984**, 13, 850–864. [Google Scholar] [CrossRef]

© 2012 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).

## Share and Cite

**MDPI and ACS Style**

Assis, F.M.; Stojanovic, A.; Mateus, P.; Omar, Y.
Improving Classical Authentication over a Quantum Channel. *Entropy* **2012**, *14*, 2531-2549.
https://doi.org/10.3390/e14122531

**AMA Style**

Assis FM, Stojanovic A, Mateus P, Omar Y.
Improving Classical Authentication over a Quantum Channel. *Entropy*. 2012; 14(12):2531-2549.
https://doi.org/10.3390/e14122531

**Chicago/Turabian Style**

Assis, Francisco M., Aleksandar Stojanovic, Paulo Mateus, and Yasser Omar.
2012. "Improving Classical Authentication over a Quantum Channel" *Entropy* 14, no. 12: 2531-2549.
https://doi.org/10.3390/e14122531