Professional Documents
Culture Documents
Jianwei Liu
Secure
Quantum
Network
Coding Theory
Secure Quantum Network Coding Theory
Tao Shang Jianwei Liu
•
123
Tao Shang Jianwei Liu
School of Cyber Science and Technology School of Cyber Science and Technology
Beihang University Beihang University
Beijing, China Beijing, China
This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore
Preface
In 2009, after the author JianWei Liu visited the University of Florida as a senior
visiting scholar, the author Tao Shang first learned about network coding from the
received proceedings. In fact, the concept of network coding was first proposed in
2000 and has been always a hot topic of communication field till now. At that time,
the authors became interested in network coding and attracted by the great charm of
network coding. That is to say, encoding operation can greatly enhance the per-
formance of network communication instead of pervasive routing technology,
which will become a kind of overturning technology for network communication.
Thus, the authors began to dedicate more efforts to network coding from principle
to application.
In 2013, the author Tao Shang learned about the importance of quantum com-
munication in the near future. He thought that network coding was a new com-
munication technology and wondered whether it was feasible to apply network
coding to quantum communication or not. Meanwhile, he recognized that quantum
communication is featured with security inherent in communication, which can be
believed to be the perfect combination of communication and security. So he
planned to solve the bottleneck problem of quantum network coding from the
perspective of communication and security.
As far as we know, quantum network coding was first proposed in 2006. Till
2013, there were few achievements and only several schemes were proposed.
However, it aroused the authors’ immense interest, they attempted to combine
coding theory with cryptography. From the viewpoints of the coding method,
coding model, and coding security, the author designed a series of quantum net-
work coding schemes by means of combining quantum cryptography into quantum
communication. During the process of research, many students showed great
enthusiasm in quantum network coding and provided many valuable achievements.
Three representative schemes that not only influenced the authors greatly but
also provided a deep insight into the subject and fueled their interests in network
coding and quantum network coding are as follows: foremost is the classic “XQQ”
scheme proposed by Masahito Hayashi, the second is “prior entanglement” also
proposed by Masahito Hayashi, the third is quantum repeater scheme proposed by
v
vi Preface
Takahiko Satoh. Although many schemes have been proposed untilnow, theoretical
knowledge on quantum network coding such as classification, performance anal-
ysis, security analysis, and future direction is still not clear.
In recent years, network coding has been applied to classical communication,
especially in wireless communication. Since quantum network coding was pro-
posed for quantum communication, the advent of quantum network coding gave a
new dimension to the use of network coding. The advent in the past few years of
technology has given an added dimension to the network coding. A simple example
is a scenario of quantum internet proposed in the 2017 Qcrypt conference.
Persistent objective is to effectively combine cryptography into
communication, especially quantum communication, even if quantum communi-
cation is thought to be unconditionally secure in the case of two-party communi-
cation. The authors believe that quantum communication needs cryptography and
general security analysis methods can facilitate the design of quantum protocols.
The authors expect the readers of this book to first learn about quantum network
coding, its principle, classification, development, and main problems. The authors
expect them to design secure quantum network coding and finally develop the
theory of quantum network coding.
What is the range of topics, innovative technologies for designing a secure
quantum network coding scheme? This book will help the readers understand these
with ease. What is an effective analysis method for quantum protocols? Exemplary
protocols are shown such as quantum authentication, quantum signature, quantum
encryption, and quantum network coding. So this book consists of two parts. Part I
is quantum network coding from Chaps. 1 to 8 and Part II is security analysis
method from Chaps. 9 to 13.
The organization of the chapters is as follows:
Chapter 1 gives a detailed introduction to quantum network coding. It empha-
sizes the basic concept of quantum network coding and introduces the development
of quantum network coding from 2006.
Chapter 2 explains the preliminaries of quantum network coding, including main
notions and key operations. Classification is provided for the existing schemes of
quantum network coding. Also, the main directions are discussed for the future research.
Chapter 3 describes the paradigm schemes of quantum network coding. These
schemes are divided from the viewpoints of non-additional resource, prior entangle-
ment, quantum register, quantum repeater, quantum cluster, and performance analysis.
Chapter 4 concentrates on quantum network coding based on the repeater.
Quantum repeater is an important device of quantum networks. Firstly, quantum
repeater is introduced into quantum network coding for a general network.
Here LOCC operations and general graph are two basic points. Then secure
quantum network coding scheme for controlled repeater networks is designed by
considering node authentication and network model. Especially, LOCC is replaced
by LOQC from the perspective of security.
Chapter 5 explains quantum network coding based on controller. Quantum
teleportation is a process by which quantum information can be transmitted from one
location to another, with the help of classical communication and previously shared
Preface vii
The author Tao Shang is grateful to his advisor, Prof. ShuoYu Wang at the Kochi
University of Technology in Japan, an eminent scientist, and educationist. From
this teacher, he learned about the great role of self-learning and interest arousing for
understanding emerging technologies, and he developed passion and patience for
knowledge acquirement. He also learned to keep abreast of the latest technology
areas no matter whatever a young scholar could meet at the initial work phase. He
has blessed the author all through his academic life since 2006.
The author Tao Shang is grateful to Prof. JianWei Liu at the Beihang University,
a distinguished scientist in the field of network security and cryptography. Prof. Liu
guided him into the field of cryptography, gave him an opportunity to set up from
scratch the quantum cryptography group, and cooperated on the writing of this
book. The research group member, XiaoJie Zhao (2012–2015) at the Beihang
University, Jiao Li and Zhuang Pei (2013–2016) at the Beihang University, Gang
Du (2014–2017) at the Beihang University, Ke Li and Qi Lei (2015–2018) at the
Beihang University, ChengRan Fang (2016–2019) at the Beihang University,
RanYiLiu Chen and Zheng Zhao (2017–2020) at the Beihang University, Ran Liu
and HaiZheng Sun (2018–2021) at the Beihang University. All members proofread
the manuscript, particularly RanYiLiu Chen and Zheng Zhao provided many ser-
vices for the editing of the book, such as checking and minutely tracing the errors in
the book.
The author Tao Shang is especially thankful to Prof. XiuBo Chen at the Beijing
University of Posts and Telecommunications for the cooperation of quantum
cryptography and quantum network coding and Prof. QianHong Wu, ChunDi Xiu,
Jian Mao, ZhenYu Guan, and Zongyang Zhang at the Beihang University for the
support during this process.
Blessings of Prof. Zheng Zheng at the Beihang University, Head of Department
of Optoelectronics and Information Engineering, and his continuous support in
theory and experiment are also unforgettable. The help of his colleague, particularly
Prof. Xin Zhao at various stages is gratefully acknowledged.
ix
x Acknowledgements
xi
xii Contents
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Part I
Quantum Network Coding
Chapter 1
Introduction
In 2000, Ahlswede, Cai, Li, and Yeung found a new way to implement better commu-
nication performance over a network than ever in the fundamental article of network
coding (NC) [1]. The main idea of network coding is that we can encode informa-
tion at intermediate nodes in a network, thus improving throughput, robustness, and
security and reducing the complexity of a network. Figure 1.1 gives an example of
network coding which realizes the improvement of network throughput. The exam-
ple features multicast from two sources to two destinations (sinks or targets). The
two sinks wish to receive the total messages sent by the two sources. The capacity
of each directed link is one. As we can see, the node s0 performs a coding opera-
tion by taking the binary sum (XOR, exclusive OR), which allows the message to
pass across over the bottleneck channel s0 t0 . In this way, the messages x, y can be
received simultaneously at t1 and t2 , which is impossible for the traditional routing
paradigm, where intermediate nodes are allowed only to make copies of received
bits for output. Network coding has pointed out the fact that the information flow
cannot be treated as the materials flow since the information can be encoded.
Classical network coding has inspired the studies of quantum network cod-
ing (QNC) because quantum communication is expensive and the efficiency is an
important topic of quantum communication. In 2006, Iwama, Hayashi, Nishimura,
Raymond, and Yamashita [2] initiated the study of quantum network coding for
© Springer Nature Singapore Pte Ltd. 2020 3
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_1
4 1 Introduction
S0
X X Y Y
t0
X Y X Y
t2 t1
Y X ( X Y ), X X ( X Y ) Y,Y
the butterfly network. They confirmed the feasibility of quantum network coding if
approximation is allowed. In fact, it is impossible that without additional modifica-
tion, perfect quantum network coding on the butterfly network transfers two quantum
states crossly over bottleneck with high fidelity. The principal problems concerning
quantum network coding are the exact copy of a quantum state and the operation
of a qubit. The no-cloning theorem which states that it is impossible to create an
identical copy of an arbitrary unknown quantum state prevents the exact copy of an
unknown qubit. Consequently, we can only use approximated cloning such as the
universal cloning proposed by Buzek and Hillery [3] or the probabilistic cloning
proposed by Duan and Guo [4]. However, both of these cloning techniques are not
able to realize the exact copy of a unknown quantum state. On this occasion, perfect
quantum network coding seems to be impossible.
With the development of quantum technology, more processing methods have
been found. Researchers began to introduce additional resources into quantum net-
works and aimed to realize the perfect quantum network coding. Moreover, because
of the no-cloning theorem, people believe that perfect quantum multicast cannot be
achieved, therefore the vast majority of researchers pay their attention to the k-pair
problem (or multi–unicast problem). In this case, the copy of quantum states is not
needed. The aim is to transmit k quantum states across over a bottleneck network
to k targets. It turns out that perfect quantum network coding for the k-pair problem
with additional resources is possible and plenty of schemes with different resources
appear. These schemes will be introduced in the following part.
1.2 Development of Quantum Network Coding 5
Before quantum network coding schemes are designed, several famous theorems
have been proved in quantum communication. One of the most important is the no-
cloning theorem that forbids the copy of an unknown quantum state. Even though
classical network coding can achieve multicasting tasks effectively, it seems that
we cannot multicast a quantum state in a quantum network faithfully. As a result,
researchers pay their attention to a subproblem of network coding, namely k-pair
problem. In the k-pair problem, there are k source–target pairs. Each source wants
to send a quantum state to a corresponding target and some bottleneck channels
could appear between these source–target pairs. Until now, most quantum network
coding schemes aim at the k-pair problem. Indeed, some researchers, like Shi and
Soljanin [5] and Iwama [6], attempted to multicast quantum states by supposing that
sources have many identical quantum states to send, but the price is that faithful
communication will never be achieved.
Since 2006, Hayashi et al. explored the possibility of quantum network coding
[2] and proposed the first quantum network coding protocol XQQ [7]. They are the
pioneers of this domain, so the first question they should resolve is whether quantum
network coding is possible. By designing the XQQ protocol, they showed that one
can design a quantum network coding protocol which transmits across two qubits for
the butterfly network with the fidelity greater than 1/2. An upper bound of the fidelity
which is less than 1 was also calculated. But this work still cannot fully answer the
basic question, because a general form of network topology is not considered.
As a successor of XQQ, Iwama et al. [6] extended network topology to the graph
class G4 which allows some nonlinear operations over a four-letter alphabet to achieve
classical network coding. We notice that each graph in G4 associates with a classical
k-pair network coding protocol which is indispensable to design the quantum coun-
terpart. The true problem for a general graph is the introduction of extra entanglement.
It is difficult to get rid of extra entanglement after the transmission of a complex net-
work. Therefore, they put forward the entanglement-free cloning to eliminate extra
entanglement. The proposed protocol is a quantum simulation of classical network
coding protocol. It turns out that for a given G in G4 and a corresponding classical
network coding protocol, a quantum network coding protocol can send some arbi-
trary qubits with the fidelity greater than 1/2, perfect quantum state transmission
cannot be achieved with the fidelity of 1.
The first two works of quantum network coding, namely [7] and [6], inspired
research interest for quantum network coding but negated the existence of perfect
quantum network coding. However, [7] and [6] are both stuck in the quantum weird-
ness, like the no-cloning theorem, but do not take the advantage of quantum properties
such as teleportation and dense coding. Consequently, it is not surprising that they
cannot achieve perfect quantum network coding. Once some additional resources are
added, some new inspiring results will come out.
Hayashi [8] began to explore the effect of prior entanglement. He proposed a
perfect quantum network coding protocol transmitting two non-entangled quantum
6 1 Introduction
states across over the butterfly network with prior entanglement sharing between
two senders. Nevertheless, the particles shared by the two senders are maximally
entangled in the state |+ which is not easy to obtain in the reality. Then Ma et al.
[9] considered the non-maximally entangled case. They designed a QNC protocol that
can perfectly transmit two 2-level states (possibly entangled) across over the butterfly
network by sharing non-maximally entangled particles between two senders. The
side effect of the non-maximal entanglement is that sometimes no information can be
transmitted so that perfect transmission can be achieved only with certain probability
less than 1. We should point out that with the development of quantum communication
and quantum computation, the maximally entangled particles can be prepared by
quantum circuit, entanglement distillation, quantum repeater, etc.
Some other protocols of perfect transmission have also been proposed. Kobayashi
et al. [10] considered another auxiliary resource, namely free classical communica-
tion. It was proved that perfect quantum network coding using free classical commu-
nication is possible over a general network with k source–target pairs if there exists
a classical linear (or even vector linear) coding scheme over a finite ring. Further-
more, the nonlinear version was also be solved [11]. It was verified that the perfect
quantum network coding protocol for any instance of the k-pair problem exists, if the
corresponding classical version is solvable (classical version has a k-pair problem
solution). Kobayashi et al. [12] slightly changed the hypotheses, i.e., we can design
perfect k-pair quantum network coding using free classical communication over a
general network if the corresponding classical graph has multicast problem solution.
It seems that this protocol does not make use of any quantum property, but further
studies show that many quantum computation methods have been used. Beaudrap
et al. [13] proved that those protocols [10–12] can be regarded as one-way quantum
computation.
As for perfect quantum network coding using free classical communication, Satoh
et al. [14] criticized that those protocols [10–12] focused on an abstract model, in
which quantum registers can be freely introduced at each node and need to be trans-
mitted between nodes. Especially, how to implement a quantum system is a cru-
cial problem to the development of quantum communication so that it is difficult
to realize a long-distance quantum communication. Quantum repeater is a poten-
tial approach to realizing long-distance quantum communication. Satoh et al. [14]
explored quantum repeater and designed a quantum repeater network coding proto-
col for the butterfly network. In this protocol, adjacent nodes initially share one EPR
(Einstein–Podolsky–Rosen)-pair and no additional register is needed. The main idea
is to control the entanglement state of a quantum network thus forming the quantum
channel (EPR-pair) between each source–target pair. The performance analysis of
quantum repeater network coding protocol was executed in [15], which shows that
quantum repeater network coding is more sensitive to entanglement errors (errors on
the initial Bell pairs), Pauli errors and local gate errors than entanglement swapping.
In brief, quantum repeater network coding is useful when quantum resources are
limited or high communication speed is required.
Similar to the idea of quantum repeater network coding which controls the entan-
glement state of a quantum network, cluster state is a type of highly entangled multi-
1.2 Development of Quantum Network Coding 7
Although many quantum network coding schemes have been proposed till now, quan-
tum network coding is still not classified clearly. In fact, quantum network coding
schemes can be classified in terms of network topology, node, channel, resource,
security, etc. From the development that we have discussed above, we can see that
8 1 Introduction
quantum network coding schemes can be precisely classified according to what kind
of additional resources are used. Different schemes have their own special proper-
ties characterized by the additional resources used. We will list the main classes of
quantum network coding and emphasize their peculiarities.
According to the previous analysis, we point out that the design of quantum network
coding concentrates on the additional resources used in each protocol. There are two
choices in front of us. One is that we attempt to find more new quantum techniques and
integrate them to quantum network coding thus proposing new theoretical schemes.
Some ideas are, for example, quantum polar encoding, quantum superactivation,
1.4 Future Direction 9
dense coding, quantum wavelet transforms, probabilistic quantum clone, etc. The
other is that we take realistic conditions into account and design more robust quantum
network coding schemes.
Performance analysis is also a key direction to study. Since the starting points of
quantum network coding schemes are quite different, we cannot find a consistent
standard to measure different schemes. For example, repeater network and cluster
network can achieve almost the same task, but we cannot simply say which is better
or worse. We cannot order the cost of different quantum resources which depends on
real conditions. Furthermore, the security of quantum communication depends on
the specific protocol or the realization. If we want to distinguish the pros and cons
of different protocols, the realistic situation should be considered.
So far the main purpose of quantum network coding is to improve the throughput
of quantum networks which was inspired by the advantages of classical network
coding. Apart from the improvement of network throughput, classical networks can
also enhance the robustness and security and reduce the complexity. Few works have
brought other benefits of classical network coding into quantum network coding.
One example is that reference [15] shows that the repeater QNC scheme is more
sensitive than the entanglement swapping scheme. As a result, some researches on
improving the robustness of quantum network could be interesting. Some security
analyses have been conducted with the help of secure quantum communication or
quantum cryptography. However, classical network coding could provide some secu-
rity on its own, exploring this property in quantum networks may save some quantum
communication resources.
The application of quantum network coding to other quantum techniques is also
attractive. We have shown that quantum network coding can help realize entangle-
ment distribution, distributed quantum computing, etc. More studies of application
need to be explored in the near future.
References
1. Ahlswede, R., Cai, N., Li, S., et al.: Network information flow. IEEE Trans. Inf. Theory 46(4),
1204–1216 (2000)
2. Iwama, K.: Classic and quantum network coding. In: Scandinavian Symposium and Workshops
on Algorithm Theory (SWAT). LNCS, vol. 4059, pp. 3–4 (2006)
3. Buzek, V., Hillery, M.: Quantum copying: beyond the no-cloning theorem. Phys. Rev. A 54(3),
1844–1852 (1996)
4. Duan, L.M., Guo, G.C.: Probabilistic cloning and identification of linearly independent quan-
tum states. Phys. Rev. Lett. 80(22), 4999–5002 (1998)
5. Shi, Y., Soljanin, E.: On multicast in quantum networks. In: Conference on Information Sciences
and Systems (CISS), pp. 871–876 (2006)
6. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs.
Physics 52(3), 610–621 (2006)
7. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
8. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys. Rev. A 76(4), 538 (2007)
10 1 Introduction
9. Ma, S.Y., Chen, X.B., Luo, M.X., et al.: Probabilistic quantum network coding of M-qudit
states over the butterfly network. Opt. Commun. 283(3), 497–501 (2010)
10. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: General scheme for perfect quantum net-
work coding with free classical communication. In: International Colloquium on Automata,
Languages and Programming (ICALP), pp. 622–633 (2009)
11. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes
from classical nonlinear protocols. In: IEEE International Symposium on Information Theory
(ISIT), pp. 109–113 (2011)
12. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Perfect quantum network communication
protocol based on classical network coding. In: IEEE International Symposium on Information
Theory (ISIT), pp. 2686–2690 (2010)
13. de Beaudrap, N., Roetteler, M.: Quantum linear network coding as one-way quantum compu-
tation (2014). arXiv:1403.3533
14. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A
86(3), 9591–9598 (2012)
15. Satoh, T., Ishizaki, K., Nagayama, S., et al.: Analysis of quantum network coding for realistic
repeater networks. Phys. Rev. A 93(3), 032302 (2016)
16. Briegel, H.J., Browne, D.E., Dur, W., et al.: Measurement-based quantum computation. Nat.
Phys. 5(1), 19–26 (2009)
17. Li, J., Chen, X., Sun, X., et al.: Quantum network coding for multi-unicast problem based on
2D and 3D cluster states. Sci. China Inf. Sci. 59(4), 1–15 (2016)
18. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding for coherent states.
Quantum Inf. Process. 16(4), 107 (2017)
19. Shang, T., Du, G., Liu, J.W.: Opportunistic quantum network coding based on quantum tele-
portation. Quantum Inf. Process. 15(4), 1–12 (2016)
20. Owari, M., Kato, G., Hayashi, M.: Secure quantum network coding on butterfly network (2017).
arXiv:1705.01474
21. Shang, T., Zhao, X., Liu, J.W.: Quantum network coding based on controlled teleportation.
IEEE Commun. Lett. 18(5), 865–868 (2014)
22. Shang, T., Li, J., Liu, J.W.: Secure quantum network coding for controlled repeater networks.
Quantum Inf. Process. 15(7), 2937–2953 (2016)
23. Shang, T., Pei, Z., Zhao, X.J., et al.: Quantum network coding against pollution attacks. IEEE
Commun. Lett. 20(7), 1369–1372 (2016)
24. Nguyen, H.V., Babar, Z., Alanis, D., et al.: Towards the quantum internet: generalised quantum
network coding for large-scale quantum communication networks. IEEE Access 5, 17288–
17308 (2017)
25. Epping, M., Kampermann, H., Brub, D.: Robust entanglement distribution via quantum network
coding. New J. Phys. 18(10), 103052 (2016)
26. Nguyen, H., Trinh, P., Pham, A., et al.: Network coding aided cooperative quantum key distri-
bution over free-space optical channels. IEEE Access 5(99), 12301–12317 (2017)
27. Soeda, A., Kinjo, Y., Turner, P.S., et al.: Quantum computation over the butterfly network.
Phys. Rev. A 84(1), 012333 (2011)
28. Akibue, S., Murao, M.: Network coding for distributed quantum computation over cluster and
butterfly networks. IEEE Trans. Inf. Theory 62(11), 6620–6637 (2016)
Chapter 2
Preliminaries
·|· : E H2 −→ C
(x, y) −→ x| y
Once we have defined the Hilbert space, we can pose the postulate of the super-
position and the postulate of the evolution [1].
Postulate of the superposition: Associated to any isolated physical system is a complex
vector space with inner product (that is, a Hilbert space) known as the state space of the
system. The system is completely described by its state vector, which is a unit vector in the
state space of the system.
Postulate of the evolution: The time evolution of the state of a closed quantum system is
described by the Schrodinger equation,
2.1 Main Notions 13
d |ψ
i = Ĥ |ψ
dt
where is the reduced Planck constant, Ĥ is a fixed Hermitian operator called the Hamil-
tonian of the closed system.
We can simplify the postulate of the evolution by considering only two different
times t1 and t2 . This edition is used widely in the quantum mechanics.
Postulate of the evolution 2: The evolution of a closed quantum system is described by a
unitary
transformation.
That means the state |ψ of the system at time t1 is related to the
state ψ of the system at time t2 by a unitary operator U which depends only on the time
t1 and t2 ,
ψ = U |ψ .
One example of the Hilbert space is the space L2 (R) which is the set of square-
integrable functions from R to C. All the Hermite functions {φn }n∈N form an orthonor-
mal basis of L2 (R). The Hermite functions φn (x) are
√ − 1 x 2 √ − 1 x 2 d n −x 2
φn (x) = 2n n! π 2 e− 2 Hn (x) = (−1)n 2n n! π 2 e 2 e
dxn
Mathematically, we say that the space L2 (R2 ) is the tensor product of the two space
L2 (R). Namely,
where | is the ket related to the function (x, y) and |φm ⊗ |φn is the ket in the
space L2 (R2 ) related to the function φm (x)φn (y).
Definition of tensor product Given two Hilbert spaces E and F, we can associate a
third Hilbert space G and a bilinear application T from the space E × F to the third
space G, such that
14 2 Preliminaries
1. T (E × F) spans G, in other words, all the elements of the space G are the sum of
the elements with the form T (|u , |v), where |u ∈ E and |v ∈ F.
2. Let {|em }m∈N is a basis of the space E and {| f n }n∈N is a basis of the space F.
Then the set {T (|em , | f n )}m,n is a basis of the space G.
Here G is the tensor product of E and F, which is denoted by G = E ⊗ F. The
elements of E ⊗ F is called the tensor and T (|u , |v) = |u ⊗ |v. For convenience,
one usually writes |u ⊗ |v as |u |v or |u, v or |uv.
In quantum physics, a quantum state refers to the state of an isolated quantum system.
There are two main classes of quantum states, namely pure quantum state and
mixed quantum state.
Pure quantum state All the vectors in the Hilbert space describe the pure quantum
states. A pure quantum state can be represented by a ray in a Hilbert space over the
complex numbers. The ray is a set of nonzero vectors differing by just a complex
scalar factor, any of them can be chosen as a state vector to represent the ray and
the corresponding state. For example, |ψ ∈ E H or α |ψ, where α ∈ C, represents a
pure quantum state. The superposition of some kets are also a ket that represents a
pure quantum state, for instance, α |ψ + β |φ belongs to E H and is a pure quantum
state.
Entangled quantum state For the quantum system which has two or more degrees
of freedom, the Hilbert space E describing the total system can be factorized to the
tensor product of several subspaces. For example, we suppose that we only study the
spin of two particles with spin 1/2. The Hilbert space E which describes the spin
state of the total system, can be factorized. That is to say, E = E1 ⊗ E2 . The number
of dimensions of Ei , i = 1, 2 is 2. So the dimension of E is 4 = 2 × 2.
One example of the ket in the E is the |+ ⊗ |− or |+− which means the first
particle has the spin up and the second particle has the spin down. This state is
similar to the classical situation with two balls, one of the balls is white and the other
is black. But the difference is that any superposition of the kets is also a legitimate
1
state in the Hilbert space. In other words, the state like | = √ (|+− + |−+)
2
can exist. This kind of quantum state which cannot be factorized to the tensor product
of two kets is called entangled state. We would like to point out that if we consider
the entangled state from the space E, it is still a pure quantum state for reason of
| ∈ E.
Mixed quantum state There exists another quantum state that cannot be represented
by the vector in the Hilbert space. This state is called mixed quantum state which
corresponds to a probabilistic mixture of pure states. The mixed quantum state usually
arises from the lack of information. The state vector of a quantum system is unknown
2.1 Main Notions 15
at
least
to the experimenter, but the appearance probability p j of a quantum state
ψ j is known. Thus, we cannot describe this quantum state by simply using the state
vector of the Hilbert space. A mathematical tool called density operator discussed
in the Sect. 2.1.4 will be used to represent this kind of quantum state.
One famous example of the different quantum states is about the light polarization.
Photons can have two helicities, which correspond to two orthogonal quantum states,
|R (right circular polarization) and |L (left circular √ polarization). A Photon can
also be in a superposition
√ state, such as (|R + |L) / 2 (vertical polarization) or
(|R − |L) / 2 (horizontal polarization). More generally, it can be in any state
α |R + β |L (with |α|2 + |β|2 = 1). All these quantum states are the pure states
that can be described by the vector of the Hilbert space.
However, unpolarized light is different from any state like α |R + β |L. It can be
described with ensemble averages, i.e., each photon is either |R with the probability
of 50% or |L with the probability of 50%. The same behavior will occur if each
photon is either vertically polarized with 50% probability or horizontally polarized
with the probability of 50%. These two configurations give exactly the same results in
the experiments. They are completely indistinguishable experimentally so that they
are considered the same mixed state. Moreover, unpolarized light cannot be described
by any pure state, but can be described as a statistical ensemble of pure states in at
least two ways (the ensemble of half-left and half- right circularly polarized, or the
ensemble of half vertically and half horizontally linearly polarized).
There are many origins of the mixed quantum state. For the origins of the unpo-
larized light, we should consider the mechanism of the generation of the light. For
the unpolarized light emitted by the incandescent light bulb, the polarization of the
light is closely related to the thermal randomness. The filament is in the thermal
equilibrium, a statistical mixture of enormous numbers of micro-states, each with a
certain probability (the Boltzmann factor), switching rapidly from one to the next
due to thermal fluctuations. Each micro-state emits a certain kind of polarized light.
Thus, the global polarization of the light is a probabilistic mixture of some certain
kind of polarized lights (pure states).
A particular example of the mixed state is related to the entangled
√ state. For
example, two photons in the entangled state (|R, L + |L , R)/ 2. If we treat the
two photons together, they are in the pure state since the total system can be described
by a state vector, but if we only observe one of the photons and ignore the other, the
photon behaves just like unpolarized light, the photon is in the mixed state.
We can conclude some main reasons for the mixed state [2]:
• the system preparation is imperfect, like for a thermal state;
• through decoherence processes;
• after a measurement if the outcome is not revealed to the observer;
• observe an entangled state in a subsystem;
• some other mechanism that produces quantum; states ψ j with probability p j .
16 2 Preliminaries
The density operator is a mathematical tool to describe the quantum states, including
the pure state and the mixed state. For a finite-dimensional function space, the most
general density operator is described by
ρ= p j ψ j ψ j
j
where the coefficients p j are nonnegative and add up to one. This form represents
a mixed quantum state that is in the quantum state ψ j with the probability of p j .
Note that the density operator ρ pur e for a pure state |φ is a special case of the density
operator with
P̂α |ψ
ψ = .
|| P̂α |ψ ||
P̂α ρ P̂α
ρ =
P(aα )
5. The Schrodinger equation which describes the evolution of the quantum system
is written as
dρ
i = Ĥ (t), ρ(t)
dt
There is a practical method to distinguish the pure quantum state and the mixed
quantum state using the density operator. If T r (ρ2 ) = T r (ρ) = 1, then the state is
a pure quantum state. If T r (ρ2 ) < 1, then the state is a mixed state.
2.1 Main Notions 17
A : E H −→ E H
where |v and |w belong to E H , (·|·) is the inner product of quantum states.
Once we defined the Hermitian conjugation, we can classify the quantum
operators.
To understand the issue of the quantum measurement, we should firstly give the
postulate of the measurement [1].
Postulate
of the measurement: Quantum measurements are described by a collection
M̂m of measurement operators. These are operators acting on the state space of the system
being measured. The index m refers to the measurement outcomes that may occur in the
experiment. If the state of the quantum system is |ψ immediately before the measurement,
then the probability that result m occurs is given by
18 2 Preliminaries
M̂m |ψ
ψ| M̂m† M̂m |ψ
The first corollary of the completeness equation is the fact that probabilities sum
to one.
P(m) = ψ| M̂m† M̂m |ψ = ψ| M̂m† M̂m |ψ = 1
m m m
The postulate of the measurement has pointed out two important things in quantum
mechanics. The first is the statistic result of a series of measurements. One can know
the probability that a certain result m occurs. The second is the quantum state of the
measured system after the measurement.
Projective measurement There exist a particular type of measurement in quantum
mechanics, projective measurement. The projective measurement turns out to be
equivalent to the general measurement defined in the postulate of the measurement
if we can perform the unitary transformation as described in the postulate of the
evolution. Firstly, let us look at the definition of the projective measurement according
to the reference [1].
A projective measurement is described by an observable M̂, a Hermitian oper-
ator on the state space of the system being observed. The observable has a spectral
decomposition:
M̂ = m P̂m
m
where P̂m is the projector onto the eigenspace of M̂ with eigenvalue m. The possible
outcomes of the measurement correspond to the eigenvalues, m, of the observable.
Upon measuring the state |ψ, the probability of getting result m is given by
Given that outcome m occurred, the state of the quantum system immediately after
the measurement is
P̂m |ψ
ψ| P̂m |ψ
2.1 Main Notions 19
6. The average square value m 2 of the observable M̂ in measuring the quantum
state |ψ is
2
m = ψ|M̂2 |ψ
7. The variance (m)2 = m 2 − m2
•
Ê m is Hermitian and positive, for all m.
• m Ê m = Iˆ.
Example of comparison of two measurements This example is from the reference
√ to transmit one of the two non-orthogonal states, |ψ1 = |0
[1]. Suppose Alice wants
or |ψ2 = (|0 + |1)/ 2, to Bob. There is a theorem saying two non-orthogonal
states cannot be reliably distinguished. But we will see the difference between two
types of measurements.
Suppose that Bob uses the projective measurement to determine what he received.
The observable is
M̂ = |0 0| + |1 1|
If Bob receives the state |ψ1 , then he will get 0 with the probability 1. If Bob receives
the state |ψ2 , then he will get 0 with the probability 0.5 and 1 with the probability
0.5. That is to say, if Bob obtains 1, he certainly receives the state |ψ2 , but if he
obtains 0, he cannot know exactly what Alice has transmitted. So Bob could make
the error of misidentification.
Now, consider a POVM containing three elements:
√
2
Ê 1 = √ |1 1|
1+ 2
√
2 (|0 − |1)(0| − 1|)
Ê 2 = √
1+ 2 2
ˆ
Ê 3 = I − Ê 1 − Ê 2
There are many quantum effects that could be used to represent a qubit, such as spin
states (up and down) of an electron, charge states of the quantum dots and polarization
states of photons [2]. Although we do not want to discuss physics details, the state
vector is a useful abstract to describe these effects. In the classical information
2.1 Main Notions 21
system, the bit which is a two-state system is used to represent arbitrary information.
Similarly, in a quantum information system, we study the system which has two
degrees of freedom. The two kets |0 and |1 consist of the basis of a Hilbert space.
|0 is just like the logical state 0 in the classical system, and |1 is like 1. But the
difference is that any superposition state |ψ of |0 and |1 is also a possible state of
the quantum system. That is to say, any state vector which has the form
|ψ
θ
y
φ
x
z 1
22 2 Preliminaries
2.1.8 Fidelity
The fidelity F is measure of distance between two density operators θ and ρ. The
fidelity can be defined as
2
F(θ, ρ) = T r ρ1/2 θρ1/2
It is the largest fidelity between any two purifications of the given states.
Fidelity as a distance measure between pure states used to be called transition
probability. For two pure states given by unit vectors |ψ and |φ, fidelity between
them is F(|ψ , |φ) = | ψ|φ |2 . For a pure state (unit vector |ψ) and a mixed state
(density operator ρ), this generalizes to ψ|ρψ.
Properties are listed as follows:
1. 0 ≤ F(θ, ρ) ≤ 1.
2. F(θ, ρ) = F(ρ, θ).
3. F(ρ1 ⊗ ρ2 , θ 1 ⊗ θ 2 ) = F(ρ1 , θ 1 )F(ρ2 , θ 2 ).
4. The fidelity is preserved by unitary evolution, i.e.,
F(ρ, θ) = F(U ρU † , U θU † )
.
5. F(ρ, αθ 1 + (1 − α)θ 2 ) ≥ αF(ρ, θ 1 ) + (1 − α)F(ρ, θ 2 ), α ∈ [0, 1].
1
D(θ, ρ) = tr (|θ − ρ|)
2
√
where we define |A| = A† A. We notice that the trace distance between two single
qubits is equal to one half of the ordinary Euclidean distance between them on the
Bloch sphere.
Properties are listed as follows:
1. 0 ≤ D(θ, ρ) with equality if and only if θ = ρ.
2. D(θ, ρ) ≤ 1 with equality if and only if θ is orthogonal to ρ, i.e., tr (θρ) = 0.
3. D(θ, ρ) = D(ρ, θ)
4. D(ρ1 ⊗ ρ2 , θ 1 ⊗ θ 2 ) ≤ D(ρ1 , θ 1 ) + D(ρ2 , θ 2 ).
2.2 Key Operations 23
We consider a system of two particles with spin 1/2. The general state of the system
is given by
The Bell measurement which is denoted by μ(|) or μ(σ) will give us the result:
• state |+ with probability of |α + β|2 /2.
• state |− with probability of |α − β|2 /2.
• state |+ with probability of |γ + δ|2 /2.
• state |− with probability of |γ − δ|2 /2.
The Bell measurement is a very useful measurement method in quantum mechanics
[4]. One example will be given in the Sect. 2.2.3.
We consider four operations, the bit-flip operation σ X or X = |0 1| + |1 0|, the
phase-flip operation σ Z or Z = |0 0| − |1 1|, the bit+phase-flip operation σY or
Y = − |0 1| + |1 0| and the identity operation σ I or I . The group operation under
a two-bit string r1r2 is denoted by G R(ρ, r1r2 ).
24 2 Preliminaries
⎧
⎪
⎪ ρ, r1 r2 = 00
⎪
⎨ Z ρZ † , r1 r2 = 01
G R(ρ, r1r2 ) =
⎪
⎪ X ρX † , r1 r2 = 10
⎪
⎩
Y ρY † , r1 r2 = 11
In 1993, Bennett et al. [5] proposed the concept of quantum teleportation. Quan-
tum teleportation is a method that allows us to transmit perfectly an unknown pure
quantum state by using a pair of entangled particles.
As shown in Fig. 2.2, Alice wants to transmit a particle A with spin 1/2 in an
unknown pure quantum state |ψ = α |0 + β |1 with |α|2 + |β|2 = 1 to Bob. In
order to realize the teleportation, Alice and Bob share two entangled particles B and
√C
with spin 1/2. The two particles are in the entangled state |s = (|01 − |10)/ 2.
Consequently, the three particles A, B and C form the state |:
α β α β
| = √ |001 + √ |101 − √ |010 − √ |110
2 2 2 2
We want to realize the Bell measurement to the pair of particles A and B. We can
firstly write | under the Bell basis, i.e.,
1
| = + |+ ⊗ (α |1 − β |0)
2
1
+ |− ⊗ (α |1 + β |0)
2
1
− |+ ⊗ (α |0 − β |1)
2
1
− |− ⊗ (α |0 + β |1)
2 par ticle C
par ticles AB
We can see that after the measurement of the particles A and B, we obtain that
2.2 Key Operations 25
• if we obtain |− , we can say for sure that the state of the particle C is exactly
what we want to transmit |ψ.
• if we obtain |+ , we act the phase-flip Z = |0 0| − |1 1| to the particle C,
then we obtain the state |ψ.
• if we obtain |− , we act the bit-flip X = |0 1| + |1 0| to the particle C, then
we obtain the state |ψ.
• if we obtain |+ , we act the bit+phase-flip Y = |0 1| − |1 0| to the particle
C, then we obtain the state |ψ.
References
1. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge
University Press, Cambridge (2002)
2. Jones, J.A., Jaksch, D.: Quantum Information, Computation and Communication. Cambridge
University Press, Cambridge (2012)
3. Basdevant, J.L., Dalibard, J., Joffre, M.: Mécanique quantique. Editions Ecole Polytechnique
(2002)
4. Schwabl, F.: Quantum Mechanics. Springer Nature, Berlin (2002)
5. Bennett, C.H., Brassard, G., Crepeau, C.: Teleportation an unknown quantum state via dual
classical and EPR channel. Phys. Rev. Lett. 70(13), 1895–1899 (1993)
Chapter 3
Typical Quantum Network Coding
Schemes
Many quantum network coding schemes are different in terms of node, channel,
resources, security, etc. Considering their own special properties characterized by
the additional resources used, quantum network coding schemes can be precisely
classified according to what kind of additional resources are used. In this chapter, we
introduce several main classes of quantum network coding. Beside non-additional
resource scheme, additional resource schemes include prior entanglement scheme,
quantum register scheme, quantum repeater scheme, and quantum cluster scheme.
Also, performance analysis approaches are summarized.
3.1.1 XQQ
Hayashi et al. [1] started the first study of quantum network coding. They verified
the possibility of quantum network coding and proposed an approximated network
coding protocol, namely crossing two qubits (XQQ).
This protocol requires three basic operations.
Universal cloning (UC) The universal cloning was proposed by Buzek and Hillery
[2] as an approximated cloning method of an unknown qubit state. It is given by the
TP-CP map U C.
2 1
U C(|0 0|) = |00 00| + |+ + |
3
√ 3 √
2 2
U C(|0 1|) = |+ 11| + |00 + |
√3 √3
2 2
U C(|1 0|) = |11 + | + |+ 00|
3 3
2 1
U C(|1 1|) = |11 11| + |+ + |
3 3
This map is intended to clone not only classical states |0 and |1 but also any
superposition by mixing the symmetric state |+ with |00 and |11 as the output.
Let ρ1 = Tr2 U C(|ψ) and ρ2 = Tr1 U C(|ψ), where Tri is the partial trace over the
ith qubit. Then we obtain ρ1 = ρ2 = 23 |ψ ψ| + 13 2I as the universal cloning. We
can prove that the universal cloning is 2/3-shrinking.
Tetra measurement (TTR) There are the four states as follows:
|+ , if μ(σ) = + or +
b=
|− , if μ(σ) = − or −
3.1 Non-additional Resource Scheme 29
S1 S2
Q2 Q3
Q1 Q5 Q4
Q6 Q7
t2 t1
+ , if μ(σ) = + or −
c =
− , if μ(σ) = − or +
We observe that the two qubits pass across over the bottleneck channel s0 t0 . The
main idea is that by using the tetra measurement, we discretize the qubit Q3 into two
classical bits which are then used to encode the qubit Q2 by the Group operation.
To recover the qubits at the two sinks, we use the Group operation and the 3D Bell
measurement at t1 and t2 , respectively. Because the approximated cloning is used, we
cannot get the exactly transmitted qubits at the two sinks. So the fidelity of quantum
communication has to be considered.
We calculate the fidelity Ft1 at t1 and Ft2 at t2 and obtain
1 2
• + ≤ Ft1 ≤ 0.983
2 81√
1 2 3
• + ≤ Ft2 ≤ 0.983
2 243
30 3 Typical Quantum Network Coding Schemes
We observe that the lower bound is strictly greater than 1/2, which means some
quantum information has been successfully transferred via the quantum butterfly
network by the XQQ protocol.
The first quantum network coding protocol XQQ [1] achieved the cross transmission
of two qubits with fidelity greater than 1/2 for the butterfly network. Then Iwama
et al. [3] attempted to extend the result to a larger class of general graph.
This protocol requires two basic operations.
Entanglement-free cloning The entanglement-free cloning (EFC) is defined as fol-
lows:
A TP-CP map f is an EFC for a set of quantum states Q = ρ1 , ..., ρm if there exist p, q > 0
I I
such that, for any ρ ∈ Q, f (ρ) = (pρ + (1 − p) ) ⊗ (qρ + (1 − q) ). If such a map exists,
2 2
we say that Q admits an EFC.
Operation of EFCα
• Input: ρα = αχ̂ + (1 − α) 2Î where χ̂ ∈ χ̂(z1 z2 )|z1 z2 ∈ F22 .
• Step 1: Apply the tetra measurement on ρα , let X = TTR(ρα ) where X ∈ F22 .
• Step 2: Produce the pairs of two bits (Z1 , Z2 ) from the measurement value
X according to the following probability distribution: (X , X ) with probability
2
p1 = 81+6α+α
432
, each of the forms (X , Y ) or (Y , X ) (6 patterns) with probability
(9−α)(15+α)
p2 = 1296
where Y is two-bit information different from X, each of the
forms (Y , Y ) (6 patterns) with probability p3 = (9−α)(3+α)
1296
where Y is two-bit
information different from X and Y , and each of the forms (Y , Y ) (3 patterns)
2
with probability p4 = 9−2α+α 432
.
• Step 3: Send |χ(Z1 ) and |χ(Z2 ) to the two outgoing edges.
For any α > 0, the output of EFCα on input ρα is ( α9 χ̂ + (1 − α9 ) 2Î )⊗2 which is
entanglement-free defined above.
Before introducing the protocol, we provide some important definitions and lem-
mas.
Degree-3 graph A degree-3 (D3) graph has five different kinds of nodes, fork nodes,
join nodes, transform nodes, source nodes, and sink nodes whose (indegree, outde-
gree) is (1, 2), (2, 1), (1, 1), (0, 1), and (1, 0), respectively.
3.1 Non-additional Resource Scheme 31
Simple classical protocol The classical protocol PC (G) for a D3 graph is called
simple if the operation at each node is restricted as follows:
1. The input is sent to the outgoing edge without any change at each source node.
2. The incoming value is just copied and sent to the two outgoing edges at each fork
node.
3. The operation of each transform node is constant, one-to-one, or two-to-one.
4. The operation of each join node is the addition (denoted by +) over F22 .
5. The sink node just receives the incoming value (no operation).
Lemma For a given general graph G and a classical protocol PC (G), we can
transform them to a D3 graph G and a varying protocol PC (G ) from which we can
design our quantum counterpart PQ (G) by simulating PC (G ).
Protocol PQ (G) In this paragraph, we introduce the algorithm for designing PQ (G)
based on all the preliminaries above. Q(v) is the operation at a node v, and α(v) is
the shrinking factor at that node v.
• Input: A pair of general graph and classical protocol (G, PC (G)).
• Output: A QNC protocol PC (G) which simulates PC (G).
• Step 1: Transform (G, PC (G)) to D3 graph and a simple protocol (G , PC (G )).
• Step 2: Determine a total order for the nodes of G by their depth (= the length of
the longest path from a source node). Break ties arbitrarily. Let v1 , ..., vr be their
order.
• Step 3: For each v = v1 , ..., vr , do the following work according to the type of a
node:
– source node: Let α(v) = 1 and let Q(v) = [apply TTR for the source, obtain
the measurement value x1 x2 ∈ F22 and send χ̂(x1 x2 ) to its child node].
– joint node: Let α(v) = 19 α(v1 )α(v2 ) where v1 and v2 are v’s parent nodes, and
let Q(v) = [apply TTR for the two source states, obtain measurement value
x1 x2 ∈ F22 and y1 y2 ∈ F22 , and send χ̂(x1 x2 + y1 y2 ) to its child node].
– fork node: Let α(v) = 19 α(v1) for the parent node v1 , and Q(v) = [apply
EFCα(v) for the incoming state and send the resulting two-qubit state to its
child nodes].
– sink node: Q(v) = [Do nothing].
– transform node: Let g be the corresponding operation in PC (G ). If g is a
constant function, i.e., for a fixed x1 x2 ∈ F22 , g(.) = x1 x2 , then let α(v) = 1 and
Q(v) = [send χ̂(x1 x2 ) to its child node]. Else if g is a one-to-one function, then
let α(v) = α(v1 )/3 for the parent node v1 , and Q(v) = [apply TTR for the source
state, obtain the measurement value x1 x2 ∈ F22 and send χ̂(g(x1 x2 )) to its child
α(v1 )
nodes]. Else g is a two-to-one function, let α(v) = 6−α(v 1)
for the parent node
v1 and Qv = [apply TTR for the source state, obtain the measurement value
x1 x2 ∈ F22 , send χ̂(g(x1 x2 )) to its child with probability 6−α(v)
3
and send χ̂(y1 y2 )
and χ̂(z1 z2 ) to its child with probability 2(6−α(v)) for each, where {y1 y2 , z1 z2 } =
3−α(v)
F22 \Im(g)].
32 3 Typical Quantum Network Coding Schemes
By applying the protocol above, Iwama et al. obtained several important results
which lead to the approximate quantum network coding. First of all, for the node
v ∈ V , suppose that PC (G ) produces output values y ∈ F22 from input values
(x1 , ..., xn ) ∈ F2n
2 . If input states χ̂(xi ) are supplied to source node si for i = 1, ..., n,
then PQ (G) produces the state α(u)χ̂(y) + (1 − α(u)) 2Î . Such result leads to the
main conclusion:
Suppose that PC (G) is a classical protocol for the graph G and we supply general input
states |ψ1 , ..., |ψn . If PQ (G)
produces output states ρ1 , ..., ρm , the fidelity between ρi and
corresponding initial state ψj is greater than 1/2.
• Input: |ϕ1 = α1 |0 + β1 |1 at s1 , and |ϕ2 = α2 |0 + β2 |1 at s2 with αi2 +
βi2 = 1, i = 1, 2.
• Output: ρ1out at t1 , and ρ2out at t2 .
• Preparation: two sources s1 and s2 share two pairs of non-maximally entangled
qubits: |A11 A21 = (b0 |00 + b1 |11)A11 A21 , |A12 A22 = (b0 |00 + b1 |11)A12 A22
with b20 + b21 = 1 and |b0 | < |b1 |. One of each non-maximally entangled parti-
cles belongs to the source s1 and the other one belongs to the source s2 . So the
state of the whole system at si is |φi ⊗ |A1i A2i , i = 1, 2.
• Step 1: the source si carries
out the Bell
measurement
of the state |φi ⊗ |A1i A2i ,
i = 1, 2. The result {+ , − , + and − } corresponds to {00, 10, 01, 11},
respectively. For convenience, we denote Xi = ni mi ∈ {00, 10, 01, 11} as the result
of measurement at source si , i = 1, 2. We denote also |ϕ1 (X1 ) (|ϕ2 (X2 ), respec-
tively) as the state on the remaining site A21 (A12 , respectively) after the measure-
ment.
3.2 Prior Entanglement Scheme 35
• Step 5: the sink si introduces an auxiliary qubit with the original state |0si . Every
sink takes a collective unitary transformation depending on m1 and p2 . (i) the sink
s1 takes the collective unitary transformation V0 if m1 = 0, otherwise takes V1 .
(ii) the sink s2 takes the collective unitary transformation V0 if m1 = p2 , otherwise
takes V1 . If the result is |0Bi , the transmission succeeds, otherwise the transmission
fails.
⎡ ⎤
b0 b20
⎢ 0 1− 2 0 ⎥
⎢ b1 b1 ⎥
⎢ ⎥
⎢ 10 0 0⎥
V1 = ⎢
⎢
⎥
⎥
⎢ b2
b0 ⎥
⎢ 1 − 02 0 − 0⎥
⎣ b1 b1 ⎦
0 0 0 −1
This protocol can transmit entangled state across over the butterfly network. Some
new technique such as entanglement distillation and quantum repeater can realize
maximally entangled state efficiently. In this protocol, the state of non-maximally
entangled particles is also difficult to determine, which means that the coefficients
b0 and b1 can hardly be obtained.
36 3 Typical Quantum Network Coding Schemes
Note that W is basically the quantum Fourier transform over the additive group of R.
Operator Uf1 ,...,fn Let m and n be two positive integers and f1 , ..., fn be n functions
from Rm to R. Let Uf1 ,...,fn be the unitary operator over the Hilbert space H⊗m ⊗ H⊗n
defined as follows: for any m elements y1 , ..., ym and any n elements z1 , ..., zn of R,
the operator Uf1 ,...,fn maps the basis state |y1 , ..., ym |z1 , ..., zn to the state
Encoding(f1 , ..., fn )
• Input: quantum registers Q1 , ..., Qm ∈ H;
• Output: quantum registers Q1 , ..., Qn ∈ H and elements a1 , ..., am ∈ R.
• Introduce n registers Q1 , ..., Qn , each is initialized to |0.
• Apply the operator Uf1 ,...,fn to (Q1 , ..., Qm , Q1 , ..., Qn ).
• For each i ∈ {1, ..., m}, apply W to Qi .
• Measure the first m registers Q1 , ..., Qm in the {|i}i∈R basis. Let a1 , ..., am ∈ R
denote the outcomes of the measurements.
• Output Q1 , ..., Qn and the m elements a1 , ..., am .
3.3 Quantum Register Scheme 37
Suppose that the contents of the registers Q1 , ..., Qm form the state
|y1 , ..., ym (Q1 ,...,Qm ) for some elements y1 , ..., ym of R. Then the state in (Q1 , ..., Qn )
after applying Encoding(f1 , ..., fn ) is of the form
exp (2πig(y1 , ..., ym )) |f1 (y1 , ..., ym ), ..., fn (y1 , ..., ym )Q1 ,...,Qn
g : Rm −→ Q
l
m
φi (aj )φi (yj )
(y1 , ..., ym ) −→
i=1 j=1
ri
S1 S2
R2 R4
S0
R1 R5 R3
t0
R6 R7
t2 t1
T2 T1
state |y |y + z1 , y + z2 and “+” is the addition operation in the ring F2 . The addition
procedure Encoding(f+ ) which is applied at nodes s0 , t1 , t2 is implemented by using
the Hadamard operator H, here a unitary operator Uf+ mapping the state |y1 , y2 |z
to |y1 , y2 |z + y1 + y2 and f+ is the addition in the ring F2 . All the operators UfI ,fI
and Uf+ can be realized by using the controlled-NOT operators. The controlled-NOT
operator defined in the ring F2 maps the state |z z to the state |z z + z .
Suppose the quantum state is stored in the registers (S1 , S2 ), we want to transmit
it in a general form.
|ψs (S1 ,S2 ) = α00 |0S1 |0S2 + α01 |0S1 |1S2 + α10 |1S1 |0S2 + α11 |1S1 |1S2
• Step 1: Implement UfI ,fI (S1 , R1 , R2 ) and UfI ,fI (S2 , R3 , R4 ), then obtain the state
• Step 2: Apply the operator W to each register S1 and S2 , then measure these
two registers in the basis {|z}z∈F2 . Let a ∈ F2 and b ∈ F2 denote the measurement
outcomes, then obtain the state
3.3 Quantum Register Scheme 39
• Step 4: Measure the registers R2 and R5 in the Hadamard basis. The measure-
ment outcomes, denoted by c1 and c2 , are sent to both target nodes. The quantum
state becomes
After that, send the register R6 and R7 to t2 and t1 , respectively. d is sent to t1 and t2 .
• Step 6: Prepare two registers T1 and T2 on the node t1 and the node t2 , then
apply CNOT (R3 ,T1 ) , CNOT (R7 ,T1 ) , CNOT (R1 ,T2 ) and CNOT (R6 ,T2 ) for Encoding(f+ ).
The resulting state becomes
40 3 Typical Quantum Network Coding Schemes
|ψS (T1 ,T2 ) = α00 |0T1 |0T2 + α01 |0T1 |1T2 + α10 |1T1 |0T2 + α11 |1T1 |1T2
The input state of this protocol is generally entangled state between the sources.
This protocol is a simulation of the classical linear network coding protocol for the
k-pair problem. The linearity of the classical network coding protocol allows the
phase correction at each target. This protocol realizes the propagation of entangled
state over a network. Li et al. [8] proposed a more efficient protocol for the extended
butterfly network and reduced communication cost by using a certain special type of
quantum operations.
The general scheme for perfect quantum network coding by simulating the classical
linear network coding protocol for the k-pair problem has been proposed in [7].
In fact, there are some networks for which no linear solutions exist to the k-pair
problem, whereas nonlinear solutions should exist. We wonder whether nonlinear
classical network coding schemes can help design quantum network coding schemes.
Kobayashi et al. [9] used the same quantum operators as the perfect linear protocol.
All difficulties come from the non-linearity of classical protocols for which we cannot
correct the phase errors at each target node. Consequently, we need to correct the
phase errors locally. More precisely, we send the measurement outcomes to the nodes
3.3 Quantum Register Scheme 41
to which the current node has incoming edges and correct the phase introduced by
the measurements. If these operations could be done in a proper order, the phase
errors can be corrected perfectly. In reverse, the difficulty also provides convenience
that only undirected classical communication between two adjacent nodes is needed.
They proved that perfect quantum network coding is also possible for the graphs
which only have nonlinear classical solutions [10]. By combining with the result
obtained in [7], we can say that a quantum protocol solving any instance of the
k-pair problem exists, if the corresponding classical version is solvable under any
coding scheme (linear or nonlinear).
This protocol is a simulation of the classical nonlinear quantum network coding
protocol. Classical communication is needed, but is only used between two nodes
linked by quantum channel.
Kobayashi et al. [7] has studied the case of perfect quantum network coding by
simulating the classical linear network coding protocol for the k-pair problem. The
hypotheses is that a classical network possesses a solution to the k-pair problem.
Then they slightly changed the hypotheses in [10] which assumes that classical
linear network coding over F2 is possible in the multicast model.
Generally, we consider the qubits as the carrier of quantum information. The
orthonormal basis of a qubit is {|i}i∈F2 , where F2 = Z/2Z. And the general state
of a qubit is given by |ψ = α |0 + β |1, where |α|2 + |β|2 = 1 and α, β ∈ C.
The Hilbert space EH of a qubit is two dimensional. A general state of a quantum
register of n qubits is a normalized vector in EH⊗n , given by |ψ = x∈Fn2 αx |x, where
x∈Fn2 |αx | = 1 and αx ∈ C.
2
... ...
z1 zj zn
We can see that the state of the particle A is a controller. When the state of A is |0,
we do nothing to the particle B. When the state of A is |1, we change the state of B.
Effect of measuring in the Hadamard basis For a joint state ψ(A,B) = x∈Fn2 αx
|f (x)A · |f (x)B , the state in A obtained from ψ(A,B) by measuring each qubit in B in
|B|
the {|+ |−} basis has the form |ψA = x∈Fn2 (−1)y0 .g(x) αx |f (x) where y0 ∈ F2
is a random vector of measurement results.
Phase error fixing The state x∈Fn2 (−1)
L(x)
αx |x can be mapped to the state
n αx |x.
x∈F2
x1 xi xm x1 xi xm
... ... ... ...
CNOT according to ji
0 0 0 z1 zj zn
x x
CNOT
0 0 0 x x x
Measurement It is used to make the superfluous qubits (kept at each node) collapse,
by measuring them in the Hadamard basis.
Let G = (V, E) be a quantum network with a subset S ⊆ V of source nodes
and an integral weight that describes its quantum capacity. Assume that classical
network coding is possible in the multicast model from S to T . Then perfect quantum
teleportation from S to any ordered subset T0 ⊆ T with |S| = |T0 | is possible.
This protocol is a quantum simulation of classical network coding for the multicast
problem. Non-entangled states can be transmitted through a network. This protocol
realizes the construction of quantum channels (EPR-pairs) between a source and a
target.
The perfect quantum network coding schemes proposed in [7, 9, 10] primarily focus
on an abstract model, in which quantum registers can be freely introduced at each
nodes. However, the implementation of a quantum system should be taken account
of. One fact is that it is difficult to realize long-distance quantum communication
44 3 Typical Quantum Network Coding Schemes
C1 ,C2
Connection: Add AddR→T
Connection: Add is a variant of the Connection operation. Add is a non-unitary
operation between two repeaters (u and v). Repeater u has Control and Resource
qubits (C1 , C2 and R), repeater v has target qubit T . R shares a EPR-pair |+ with
T.
Procedure:
• Setup: C1 , C2 and R are 1-qubit registers owned by u. T is a 1-qubit register
owned by v.
• Step 1: u applies CNOT (C1 ,R) .
• Step 2: u and v apply ConCR→T 2
.
For an initial state |init = (α |ψ0 |0C1 + β |ψ1 |1C1 ) ⊗ (γ |φ0 |0C2 + δ
|φ1 |1C2 ) ⊗ |+ CD ⊗ |, then the output of AddR→T C1 ,C2
(|init ) is final =
((αγ |ψ0 |φ0 |00C1 C2 + βδ |ψ1 |φ1 |11C1 C2 ) |0T + (αδ |ψ0 |φ1 |01C1 C2 +
βγ |ψ1 |φ0 |10C1 C2 ) |1T ) ⊗ |.
Removal RemR→T
Removal is a non-unitary operation between two repeaters (u and v) which deletes
a resource qubit R of a quantum state using measurement in the Hadamard basis
and σZ . Repeater u has Resource qubit R, repeater v has target qubit T . R shares a
EPR-pair |+ with T .
Procedure:
• Setup: R is a 1-qubit register owned by u. T is a 1-qubit register owned by v.
• Step 1: u applies the Hadamard gate to R.
• Step 2: u measures R in {|0 , |1} basis. Let a ∈ {0, 1} be the outcome.
• Step 3: u sends a to v via a classical channel.
• Step 4: If a = 1, then v applies σZ to T .
For an initial state |init = (α |00RT |ψ00 + β |11RT |ψ11 ) ⊗ |, then the out-
put of RemR→T (|init ) is final = (α |0T |ψ00 + β |1T |ψ11 ) ⊗ |.
Removal: Add RemAddR→T1 ,T2
Removal: Add is a variant of the removal operation. RemAdd is a non-unitary oper-
ation between three repeaters (u, v, and w) which deletes the target qubit used in
Connection: Add operation. Repeater u has Resource qubit R, repeater v has target
qubit T1 and w has T2 . R, T1 and T2 are entangled.
Procedure:
• Setup: R is a 1-qubit register owned by u. T1 is a 1-qubit register owned by v.
T2 is a 1-qubit register owned by w.
• Step 1: u applies the Hadamard gate to R.
• Step 2: u measures R in {|0 , |1} basis. Let a ∈ {0, 1} be the outcome.
• Step 3: u sends a to v and w via a classical channel.
• Step 4: If a = 1, then v and w apply σZ to T1 and T2 .
1
For an initial state |init =
i,j=0 aij |ijAB |i ⊕ jC ψij ⊗ |, then the output
1
of RemAddR→T1 ,T2 (|init ) is final =
i,j=0 aij |ijAB ψij ⊗ |.
With the help of the above techniques, we can design a protocol without additional
registers that creates two quantum channels (EPR-pairs) between s1 and t1 , s2 and t2 ,
46 3 Typical Quantum Network Coding Schemes
s1 C s2 s1 s2
G
A E A E
D H
s0 s0
I
J
t0 t0
K M
B F B F
L N
t2 t1 t2 t1
and are then able to perform quantum teleportation. The butterfly repeater network
as well as the execution result of the protocol is represented by Fig. 3.9.
Procedure:
• Setup: Described as Fig. 3.9.
• Step 1: s1 and r1 apply ConAC→D ; s2 and r2 apply ConEG→H .
• Step 2: r1 and r2 apply AddID,H →J .
• Step 3: r2 , t1 , and t2 apply FanoutK→L,MJ
→N .
(N ,F)
• Step 4: t1 applies CNOT ; t2 applies CNOT (L,B) .
• Step 5: t2 and r2 apply RemL→J ; t1 and r2 apply RemN →J .
• Step 6: r2 and r1 apply RemAddJ →D,H .
• Step 7: r1 and s1 apply RemD→A ; r1 and s2 apply RemH →E
This protocol which creates two quantum channels from sources to sinks can
transmit two non-entangled qubits across over the butterfly network. This protocol
is independent of the classical network coding protocol. The Ref. [12] studied the
performance of the repeater scheme under the conditions of noise, errors, and shortage
of quantum resources. They have found that the repeater scheme is more sensitive
to entanglement errors (errors on the initial Bell pairs), Pauli errors and local gate
errors than entanglement swapping. In short, the repeater scheme is useful when the
quantum resources are limited or high communication speed is required.
3.5 Quantum Cluster Scheme 47
Since it is impossible to achieve the perfect quantum network coding without addi-
tional assumptions, Li et al. [8] studied the solubility of perfect quantum network
coding by taking advantage of global entanglement state (2D and 3D cluster states).
The cluster state belongs to a family of highly entangled multi-particle quantum
states, which can be efficiently parameterized by mathematical graphs [13]. The
cluster state is generally considered as a communication resource. By exploring
the properties of the cluster state, they proposed a perfect quantum network coding
k-pair problem protocol for butterfly network, grail network, and extended butterfly
network. They have also proposed a new approach based on stabilizer to analyze the
resolvability of a certain quantum multi-unicast network.
In this protocol, free classical communication is also needed. The bigraph property
of a cluster allows parallel operations which give a constant-step scheme as the scale
of a network increases.
In 2011, Jain et al. [14] studied the non-additional resource schemes and the
entanglement-supported schemes by information-theoretic and graph-theoretic
approach. In 2014, Nishimura [15] summarized the known results of quantum net-
work coding, mainly focusing on the multi-unicast networks. These two references
are few achievements that study the quantum network coding schemes by theoretical
approach. More study of quantum network coding needs to be developed. Especially,
there are very few results on general networks for difficulties.
The basic setting of the well-known butterfly network is the so-called one-shot, i.e.,
one qubit at each source node must be sent to the corresponding target node by a
single use of the network. Leung et al. [16] extended this setting to the following
asymptotic version.
Achievable rate A rate (r1 , . . . , rk ) is achievable in a quantum network N if there is
a choice of quantum operations such that by n uses of N , each si can send n(ri − δn )
qubits to with fidelity 1 − n , where δn , n → 0 as n → ∞.
In this asymptotic setting, they investigated inner and outer bounds of the rates
in several simple networks. In the butterfly network, it was proven that the rate
region was bounded by r1 + r2 ≤ 1, which is trivially achievable by routing. In their
proof, any protocol on the butterfly network was reduced to a quantum secret sharing
protocol where the quantum secret is the two source qubits. Then they gave the
48 3 Typical Quantum Network Coding Schemes
above outer bound by applying a lower bound on the quantum secret sharing [17,
18]. Hayashi [5] also proved a similar impossibility result without reducing to the
quantum secret sharing by using information-theoretic arguments more directly. He
also improved the upper bound of the fidelity of the one-shot case to 0.951.
In this section, we give the case where classical communication is available in addi-
tion to the basic quantum networks. This setting can be considered as the second-best
when quantum network coding is impossible in the basic setting since the cost of
classical communication is much cheaper than that of quantum communication.
In the case where classical communication is freely available between any two
nodes, Leung et al. [16] made an important observation: the underlying quantum
network becomes undirected. In fact, we can send a qubit in the reverse direction of
each directed edge by first preparing an EPR pair using the directed quantum channel
corresponding to the edge, and then by applying quantum teleportation using two
free classical bits and the EPR pair. For the butterfly network, this enables us to
send two qubits from s1 to t1 by a single use of the network, and two qubits from
s2 to t2 by another single use. Thus, the rate (r1 , r2 ) = (x, 2 − x) (where 0 ≤ x ≤ 2)
becomes achievable by time sharing (and this is shown to be optimal by a simple
min-cut argument). On the contrary, Kobayashi et al. [9, 10] showed the following
relation between classical and quantum network coding in general multiple unicast
networks.
Theorem 3.1 If the rate (r1 , . . . , rk ) is achievable in a classical network, then the
same rate is also achievable in the corresponding quantum network under free clas-
sical communication.
Note that the converse of Theorem 3.1 is trivially false when the classical network
is directed since the quantum network becomes undirected due to free classical
communication. However, if the classical network is undirected, it is open to show
whether the converse holds or not.
In the case where classical one-way communication is freely available, Leung
et al. [16] studied the case where classical communication is freely available accord-
ing to the directed edges of the underlying graph. Although we cannot reverse the
edges at will, we can increase the rates in some networks, compared to the case of
no additional resources. For example, the rate (r1 , r2 ) = (0.5, 1) is achievable in the
butterfly network as follows: (i) s1 sends the two subsystems of an EPR pair to s0
and t2 , respectively. (ii) s2 sends s0 a source qubit, and s0 teleports it to t2 by using
the EPR pair and free two bits. (iii) s1 and s2 send their qubits by routing. This
protocol uses the network twice while one qubit is sent from s1 to t1 , and two qubits
are sent from s2 to t2 . A similar protocol with time sharing achieves the rate region
{(r1 , r2 )|r1 , r2 ≤ 1, r1 + r2 ≤ 1.5}, which was proven to be optimal.
3.6 Performance Analysis 49
The converse of Proposition 3.2 was conjectured, but it still remains an interesting
open question. If the conjecture is true, it implies that by Proposition 1, the rates for
classical communication in quantum networks (even with free entanglement) is at
most twice as much as those in classical networks, which extends the known results
for point-to-point communication channels to networks.
In the case where any two neighboring nodes are allowed to share entanglement,
the Hayashi’s impossibility proof [11] implies that the achievable rate region in the
butterfly network is also the same as that for the case of no additional resources.
Recently, motivated by quantum repeater networks [19], Satoh et al. [11] studied
the setting where any two neighboring nodes share EPR pairs and free classical
communication is allowed, but no quantum communication is available and any
extra qubits other than receiving qubits are not allowed to use at each node (which
make the physical implementation easier). In this setting, they gave a protocol for
the butterfly network that can send two source qubits simultaneously by a single use
of the network.
In the case where any source nodes are allowed to share entanglement, Hayashi
[5] introduced a bit flexible setting where each edge can choose sending one qubit
or two bits. This was motivated by the equivalence between one qubit and two
bits under shared entanglement via quantum teleportation and dense coding. Then
he showed that two source qubits can be sent simultaneously by a single use of
50 3 Typical Quantum Network Coding Schemes
thenetwork. This possibility result can be regarded as swapping two source qubits
on the butterfly network. Under this viewpoint, Soeda et al. [20] investigated which
two-qubit operations can be done on the butterfly network.
We summarize the achievable rate region in the butterfly network for quantum com-
munication in Table 3.1, where N , C1, C2, E1, and E2 represent the basic settings
with no additional resources, with free classical communication among any nodes,
with free classical communication according to the directed edges, with free entan-
glement among any two nodes, and with free entanglement between neighboring
nodes, respectively.
One may wonder that the optimal rates in all quantum networks are achievable
by network coding or routing. Jain et al. [14] observed that there exists a quantum
network such that the achievable rate by network coding is k times the rate by routing,
here k is the number of source-target pairs. This example was based on the classical
example by using quantum teleportation and dense coding, which allow us to take
advantage of directed edges that are trivially useless by any routing protocol [21].
The results are summarized below:
1. On the butterfly network, the total quantum information flow is bounded by what
can be routed through the bottleneck channel.
2. For the k-pair multiple unicast problem and for all k ≥ 2, there exists a family of
networks where quantum network coding achieves k times greater quantum infor-
mation flow than what can be achieved by routing, with entanglement assistance
that is intrinsic to the topology of a network.
3. Given a non-entanglement-supported k-pair multiple unicast problem on a net-
work N , the 1-max-flow is bounded by the sparsest multi-cut capacity.
References 51
References
1. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
2. Buzek, V., Hillery, M.: Quantum copying: beyond the no-cloning theorem. Phys. Rev. A 54(3),
1844–1852 (1996)
3. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs.
Physics 52(3), 610–621 (2006)
4. Leung, D., Oppenheim, J., Winter, A.: Quantum network communication-the butterfly and
beyond. IEEE Trans. Inf. Theory 56(7), 3478–3490 (2010)
5. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys. Rev. A 76(4), 538 (2007)
6. Ma, S.Y., Chen, X.B., Luo, M.X., et al.: Probabilistic quantum network coding of M-qudit
states over the butterfly network. Opt. Commun. 283(3), 497–501 (2010)
7. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: General scheme for perfect quantum net-
work coding with free classical communication. In: International Colloquium on Automata,
Languages and Programming (ICALP), pp. 622–633 (2009)
8. Li, J., Chen, X., Sun, X., et al.: Quantum network coding for multi-unicast problem based on
2D and 3D cluster states. Sci. China Inf. Sci. 59(4), 1–15 (2016)
9. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes
from classical nonlinear protocols. In: IEEE International Symposium on Information Theory
(ISIT), pp. 109–113 (2011)
10. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Perfect quantum network communication
protocol based on classical network coding. In: IEEE International Symposium on Information
Theory, pp. 2686–2690 (2010)
11. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A
86(3), 9591–9598 (2012)
12. Satoh, T., Ishizaki, K., Nagayama, S., et al.: Analysis of quantum network coding for realistic
repeater networks. Phys. Rev. A 93(3), 032302 (2016)
13. Briegel, H.J., Browne, D.E., Dur, W., et al.: Measurement-based quantum computation. Nat.
Phys. 5(1), 19–26 (2009)
14. Jain, A., Franceschetti, M., Meyer, DA.: On quantum network coding. J. Math. Phys. 52(3),
032201 (2011)
15. Nishimura, H.: Quantum network coding—how can network coding be applied to quantum
information? In: International Symposium on Network Coding (NetCod), pp. 1–5 (2013)
16. Leung, D., Oppenheim, J., Winter, A.: Quantum network communication: the butterfly and
beyond. IEEE Trans. Inf. Theory 56(7), 3478–3490 (2010)
17. Gottesman, D.: On the theory of quantum secret sharing. Phys. Rev. A 61(4), 042311 (1999)
18. Imai, H., Muellerquade, J., Nascimento, A.C.A., et al.: A quantum information theoretical
model for quantum secret sharing schemes. Quantum Inf. Comput. 5(1), 69–80 (2003)
19. Briegel, H.J., Dur, W., Cirac, J.I., et al.: Quantum repeaters: the role of imperfect local operations
in quantum communication. Phys. Rev. Lett. 81(26), 5932–5935 (1998)
20. Soeda, A., Kinjo, Y., Turner, P.S., et al.: Quantum computation over the butterfly network.
Phys. Rev. A 84(1), 012333 (2011)
21. Harvey, N.J., Kleinberg, R.D., Lehman, A.R.: Comparing network coding with multicommod-
ity flow for the K-pairs communication problem. MIT LCS technical report 964 (2004)
Chapter 4
Quantum Network Coding Based
on Repeater
How to design network coding beyond the butterfly network is desired to be resolved.
Quantum repeaters are potential candidates to create nonlocal entanglement between
distant particles and realize long-distance quantum communication. In this chapter,
we introduce a quantum network coding scheme for general repeater networks with
either maximally or non-maximally entangled EPR-pairs and apply it to complex
network scenarios. Considering the resource consumption and security of quantum
repeater network, we introduce a quantum network coding scheme with an EPR-pair
distribution controller, which can realize long-distance quantum communication with
minimal resource consumption.
Evidently, typical quantum network coding schemes were designed based on the
butterfly network. It is more difficult and meaningful to design quantum network
coding beyond the butterfly network. In 2009, Kobayashi et al. [1] pointed out that
perfect quantum network coding is feasible for any graph. In 2013, Nishimura et al.
[2] summarized the achievable rate region in the butterfly network for quantum com-
munication, and pointed out that the future works of quantum network coding should
be extended to general graphs. With the rapid development of quantum network, the
complexity of actual network topology brings challenges to quantum network cod-
ing, i.e., it remains to be an open problem of how to realize quantum communication
on general networks securely and efficiently.
In order to design quantum network coding for general networks, a few valuable
schemes have been proposed. Iwama et al. [3] proposed the quantum network cod-
ing scheme in general graph networks by using a new cloning method called EFC
In 2012, Satoh et al. [6] presented the protocol for quantum repeater networks, in
which quantum repeaters were introduced into the butterfly network. Compared with
the XQQ protocol, all nodes are quantum repeaters which are capable of sharing and
conservation, and adjacent nodes initially share one EPR-pair. With the quantum
circuits constructed by Hadamard gate and controlled-NOT (also CNOT) gate, non-
unitary operations are applied to qubits between two repeaters to generate EPR-pairs
between crossing source nodes and target nodes, remote quantum communication is
realized by using quantum entanglement as a channel which can perform quantum
teleportation.
In the butterfly network of quantum repeaters, the setting is presented in Fig. 4.1.
Source nodes s1 and s2 simultaneously send quantum information to target nodes t1
and t2 in the butterfly network. r1 and r2 are two intermediate nodes. Between any
two adjacent nodes, one EPR-pair is initially shared, such as two EPR-pairs + AB
and + C D between s1 -t2 and s1 -r1 , et al. As a result, s1 and t2 (similarly, s2 and t2 )
share one EPR-pair.
The quantum network coding scheme for quantum repeaters includes three core
parts: Setup, Quantum channel generation, and Quantum information transmission.
It is described in the following parts:
4.1 Quantum Network Coding for General Repeater Networks 55
C G
s1 s2
A E
D H
r1
I
r2
K M
B F
t2 t1
L N
(1) Setup
Encoding for quantum repeater network should be on the condition that any two
adjacent nodes initially share an EPR-pair. The phase of setup is responsible for
distributing EPR-pairs to all the legitimate nodes before encoding for generating
quantum entanglement channel.
(2) Quantum channel generation
To construct a network which can perform teleportation, the sender and the receiver
should share an EPR-pair, i.e., use quantum entanglement as a quantum channel.
The phase of quantum channel generation is responsible for generating EPR-pairs
between source nodes and target nodes by operating the EPR-pairs between any
adjacent nodes with LOCC.
(3) Quantum information transmission
Quantum information transmission is responsible for transmitting quantum informa-
tion by means of quantum teleportation through quantum entanglement channels.
Obviously, in the above quantum repeater communication system, EPR-pairs
shared by any two adjacent nodes are distributed firstly before quantum informa-
tion transmission under the condition that the whole process of quantum channel
generation is secure. However, if there exist active attacks during the process of
quantum channel generation, the encoding process for quantum channel will not be
completed properly. In this case, a trusted party, which can control the distribution
of EPR-pairs, is very necessary for quantum repeater network. With the help of the
trusted party, the process of quantum channel generation terminates once the active
attack is found and EPR-pairs are no longer distributed, so that waste of particle
consumption can be avoided.
56 4 Quantum Network Coding Based on Repeater
LOCC [6] are non-unitary operations between two repeaters with Hadamard gate,
CNOT gate, Pauli operator, and transformation of measurement result in the {|0 , |1}
basis over a classical channel. LOCC consists of Connection, Removal, and other
algorithms, which are described as follows:
(1) Connection
The setting for Connection is shown in Fig. 4.2, in a network
with quantum repeaters
R1 , R 2 , and +
3 , R1 and R2 share one EPR-pair AB , R2 and share
R R 3 one
EPR-
pair + C D . Let the input state |init be a form |init = + AB ⊗ + C D . By
applying Con C−>D A
, the state becomes f inal = |G H Z AB D . The procedure for
Connection is listed in Table 4.1.
(2) Removal
The setting for Removal is shown in Fig. 4.3, in a network with three quantum
repeaters R1 , R2 and R3 , which share one Greenberger–Horne–Zeilinger (GHZ)
be a form
state. Let the input state |init |init = |G H Z ABC . By applying
Rem A−>B , the state becomes f inal = + BC . The procedure for Removal is
listed in Table 4.2.
A
Table 4.1 Con C−>D Step 1. R2 applies C N O T (A,C)
Step 2. R2 measures particle C in the {|0 , |1} basis
Let a ∈ {0, 1} be the outcome
Step 3. R2 sends a to R3 by a classical channel
Step 4. If a = 1 then R3 applies σx to D
LOCC is the key technology for encoding in quantum repeater networks, which
is constructed by Control-NOT gate, Hadamard operator and measurements in
the {|0, |1} basis, by applying the non-unitary operations to qubits between two
repeaters, entangled states can be generated between source nodes and correspond-
ing target nodes, then remote quantum communication is realized by using quantum
entanglement as quantum channels which can perform quantum teleportation.
LOCC contains two basic algorithms “Connection” and “Removal”, which can
manipulate entangled states and systematize the methods of encoding. The two spe-
cific algorithms on entangled states are defined as follows:
(1) Connection with entangled states
In a particle system with two entangled EPR-pairs | AB and |C D , where
| AB = x1 |00 + y1 |11, |C D = x2 |00 + y2 |11, and x1 , y1 , x2 , y2 are positive
real numbers satisfying x12 + y12 = 1, x22 + y22 = 1. That is, we can obtain |00 AB in
a probability of x1 2 , and |11 AB in a probability of y1 2 . Similarly, for |C D , |00C D ,
|11C D can be obtained in probabilities of x2 2 and y2 2 , respectively. The circuit for
A
Con C−>D is shown in Fig. 4.4.
Let |init be a state of the form
A
Fig. 4.4 Con C−>D A
Con C D
2
0 x1
A 2
1 y1
B
2
0 x2 a
C 2
1 y2
D Xa
init final
A
then by applying Con C−>D to |init , we can obtain |000 AB D in a probability of
x1 x2 + x1 y2 = x1 , and |111 AB D in a probability of y1 2 x2 2 + y1 2 y2 2 = y1 2 , so
2 2 2 2 2
|init = |G H Z ABC
= x1 |000 ABC + y1 |111 ABC ,
Thus, one entangled EPR-pair | BC can be obtained. Especially, | BC is max-
imally entangled when x1 2 = y1 2 = 1/2.
4.1 Quantum Network Coding for General Repeater Networks 59
2
0 x1 a
A 2
H
1 y1
B Xa
init final
Inspired by the quantum repeater communication system which can realize long-
distance quantum communication [5], a quantum network coding scheme for gen-
eral repeater networks [7] was designed, which can realize long-distance quantum
communication in repeater networks with complex topology. It introduces D3 graph
transformation to establish a general transmission network model and uses arbitrary
entangled EPR-pairs as a resource to build quantum entanglement channel.
The quantum network coding scheme for general repeater networks includes three
core parts: Graph transformation, Quantum channel generation, and Quantum infor-
mation transmission, so this scheme is also called as “GQQ”. It is described in the
following part:
(1) Graph transformation
To ensure the versatility of encoding algorithm, a general transmission model is
established by graph transformation, i.e., for a graph with the degree being more
than 3, we should firstly transform it into a D3 graph, whereas it is not necessary to
transform a graph with degree being no more than 3. And the transformation schemes
[3] of one-to-many, many-to-one and many-to-many are shown in Figs. 4.6, 4.7 and
4.8, respectively.
(2) Quantum channel generation
To construct a network which can perform quantum teleportation, the sender and
the receiver should share an EPR-pair, i.e., use quantum entanglement as a quantum
channel. The phase of quantum channel generation is responsible for generating EPR-
pairs between source nodes and target nodes in a D3 graph network by operating
the EPR-pairs between any adjacent nodes with LOCC. Although Satoh et al. [6]
proposed a protocol to generate quantum channels in the butterfly network, here the
algorithms are further provided to generate quantum channels in a D3 graph network
60 4 Quantum Network Coding Based on Repeater
Fig. 4.6 (1, 3) transformation. For a node with one input X and three outputs Y1 , Y2 , Y3 , its
(indegree, outdegree) is (1, 3). It can be transformed into a combination of nodes whose degrees
are no more than 3 by means of the multilevel structure of a binary tree
Fig. 4.7 (3, 1) transformation. For a node with three inputs X 1 , X 2 , X 3 and one output Y , its
(indegree, outdegree) is (3, 1). Compared with the node of (1, 3), it is a single-input and multi-
output model, and can also be transformed into a combination of nodes whose degrees are no more
than 3 by means of the multilevel structure of a binary tree
X1 X2 X3 X1 X2 X3
Y1 Y2 Y1 Y2
Fig. 4.8 (3, 2) transformation. For a node with three inputs X 1 , X 2 , X 3 and two outputs Y1 , Y2 ,
it is a multi-input and multi-output model whose (indegree, outdegree) is (3, 2). Assume that node
operation is simple X O R without any superposition coefficient, the many-to-many node can be
transformed into a combination of one-to-many nodes and many-to-one nodes
4.1 Quantum Network Coding for General Repeater Networks 61
1
A A1 A2
B B1 B1
C 1 E1
E
F1
F
2 I
G
D H J
1 2 3
Fig. 4.9 One-to-many network (Solid line denotes one-way connection between any two adjacent
nodes, and dotted line denotes quantum entanglement channel)
which is transformed from a general graph with degree being more than 3. According
to the network types of one-to-many, many-to-one, and many-to-many, the quantum
channel generation schemes are described, respectively, as follows:
(1) One-to-many network
In a one-to-many network with quantum repeaters, the setting for this scheme
is presented in Fig. 4.9. Between any two adjacent nodes, EPR-pairs are initially
shared. The goal of this work is to simultaneously send quantum information
between three pairs of quantum repeaters ((s1 , t1 ), (s1 , t2 ), and (s1 , t3 )). r1 and
r2 are two intermediate nodes. To generate EPR-pairs between one source node
and three target nodes, additional EPR-pairs should be needed, such as | A1 B1 ,
| A2 B2 between s1 -r1 , | E1 F1 between r1 -r2 . And all the EPR-pairs have coeffi-
cients xi and yi for |00 and |11 basis in turn, where 1 ≤ i ≤ 8, such as | AB is
denoted as | AB = x1 |00 AB + y1 |11 AB , | A1 B1 = x2 |00 A1 B1 + y2 |11 A1 B1 , . . .,
| I J = x8 |00 I J + y8 |11 I J .
Let the input state of the one-to-many network |init be a state of the form as
follows:
|3 = | AD |G H Z A1 F H |G H Z A2 F1 J ,
1 2 3
A C G
B 1 D
E1
E
F1
F 2 H
I I1 I2
J J1 J2
|3 = |G H Z AF J |G H Z C F 1 J1 |G J 2 ,
Step 4: By applying Rem F−>J , Rem F1 −>J1 to |3 , the state becomes
|4 = | A J ⊗ |C J 1 ⊗ |G J 2 = f inal ,
1 2 3
A C G
B 1 D
E1
E
F1
F 2 H
I I1 I2
J J1 J2
K 3 M
K1
L N
L1
1 2
1 1
+ √ |+ A1 (x1 β|0 L + y1 α|1 L ) + √ |− A1 (x1 β|0 L − y1 α|1 L ),
2 2
1
√ (x1 α|0 L + y1 β|1 L ),
2
1
√ (x1 α|0 L − y1 β|1 L ),
2
1
√ (x1 β|0 L + y1 α|1 L ),
2
1
√ (x1 β|0 L − y1 α|1 L ),
2
s1 turns Bell measurement results {| + , | − , |+ , |− } into corresponding clas-
sical bits {00, 01, 10, 11}, and notifies r1 the outcome of its measurement via a clas-
sical channel. Assume that the measurement result of particles A, 1 is 10, then the
state of particle L is x1 β|0 L + y1 α|1 L .
Step 2: r1 introduces an auxiliary two-state particle 2 with the initial state |02 and
applies a unitary transformation U to particles L, 2 in the {|00 L2 , |01 L2 , |10 L2 ,
|11 L2 } basis, U is denoted as follows:
⎡ ⎤
y1 /x1 − 1 − y12 /x12 0 0
⎢ ⎥
⎢ ⎥
U =⎢ ⎢ 1 − y 2
/x 2
y /x 0 0 ⎥
1 1 1 1
⎥
⎣ 0 0 1 0⎦
0 0 01
Step 3: r1 measures particle 2 in the {|0, |1} basis. If the measurement result
is |12 , the teleportation fails. If the measurement result is |02 , the teleportation
succeeds. The state will collapse into
y1 (α|0 L + β|1 L ),
Quantum network coding scheme for general repeater networks can achieve quantum
communication in a network with complex topology. Since it combines the generality
of general graphs and the capacity of quantum repeaters, two properties can be
obtained as follows:
(1) From the viewpoint of network model, general graphs have more generalities
than the butterfly network which is a special D3 graph, which are more widely used
in practical applications. To realize quantum communication in any general network,
the scheme adopts the technique of graph transformation, i.e., realize encoding for
quantum entanglement channel by means of transforming a Dk (k > 3) graph to a
D3 graph.
Proof We compare the expected results of the three transformation schemes with
the actual results.
(a) One-to-many scheme
As can be seen from Fig. 4.6, the expected result of communication is Y1 = Y2 =
Y3 = X , i.e., receivers Y1 , Y2 , Y3 can receive information from sender X.
In Fig. 4.9, we take the state | AB ⊗ | C D as example, after encoding at inter-
mediate node r1 by applying Con C−>D A
and Rem B−>A , it becomes | AD . Simi-
larly, the other EPR-pairs are encoded at intermediate nodes r1 and r2 . Thus after
the quantum channel generation process, the actual result is that three EPR-pairs are
generated, | AD is owned by (s1 , t1 ), | A1 H is owned by (s1 , t2 ), and | A2 J is
owned by (s1 , t3 ), which means quantum channel between the source node s1 and
the three target nodes t1 , t2 , t3 are generated to realize quantum communication.
(b) Many-to-one scheme
As can be seen from Fig. 4.7, the expected result of communication is Y = X 1 +
X 2 + X 3 , i.e., receiver Y can receive information from senders X 1 , X 2 , X 3 .
In Fig. 4.10, the two EPR-pairs | AB ⊗ | E F are converted to one EPR-pair
| AF after encoding at intermediate node r1 . For the whole scheme, the actual result
is that three EPR-pairs are generated, | AL is owned by (s1 , t1 ), | C J 1 is owned
by (s2 , t1 ), and | G J 2 is owned by (s3 , t1 ), which means quantum channel between
three source nodes s1 , s2 , s3 and the target node t1 are generated to realize quantum
communication.
(c) Many-to-many scheme
As can be seen from Fig. 4.8, the expected result of communication is Y1 + Y2 =
X 1 + X 2 + X 3 , i.e., receivers Y1 , Y2 can receive information from senders X 1 , X 2 ,
X 3.
Here, X 1 , X 2 communicate with Y1 , X 3 communicates with Y2 . After encoding at
intermediates r1 , r2 , r3 , the actual result is that three EPR-pairs are generated, | A J
is owned by (s1 , t1 ), |C L 1 is owned by (s2 , t1 ), and |G N is owned by (s3 , t2 ),
4.1 Quantum Network Coding for General Repeater Networks 69
which means quantum channel between three source nodes s1 , s2 , s3 and two target
node t1 , t2 are generated to realize quantum communication.
All the above completes the proof.
(2) From the viewpoint of transmission distance, Yan et al. [4] analyzed the feasi-
bility of quantum repeaters that communication distance of quantum communication
system is positively related to the series of repeater nodes. With the increasing com-
plexity of a general network, the types of nodes also increase, such as the nodes
with degrees being 4 or larger. The transformation of nodes will add the depth of
graphs, and increase the series of repeater nodes, hence the communication distance
of quantum communication system also increases. Thus we can get Proposition 2.
Definition 1 For a general graph G = (V, E), where V is a set of all nodes and E
is a set of all links, the complexity of a graph O(G) represents the number level of
V and E.
This scheme will be analyzed from the aspects of success probability of teleportation,
particle consumption, transmission rate, transmission distance, etc.
(1) Success probability of teleportation
Proof By teleporting the unknown qubit |φm via the quantum entanglement channel,
√ 2
|φm can be obtained in a probability of (b/ 2) when introducing another auxiliary
for any state of the four collapsed states, so the probability of successful teleportation
p is
√ 2
p = (b/ 2) × 4 = 2b2
√
If a = b = 1/ 2, |st works as a maximally entangled quantum channel, over
which the successful probability of teleportation is strictly 1. Hence we can easily
obtain Theorem 1.
Theorem 2 Let O(G) be the complexity of a general graph G. Suppose that E(G)
is EPR particles consumed to encode for G, then E (G)O (G) ≥ 0, where E (G)
and O (G) are differential coefficients of E(G) and O(G), respectively.
Proof This scheme uses quantum entanglement as quantum channel, quantum infor-
mation is transmitted between source nodes and target nodes directly by quantum
teleportation which breaks through the limit of channel capacity. For example, we
can analyze the transmission rate for the many-to-many network with N S = 3 source
nodes. Clearly, if quantum information is transformed through non-entanglement
quantum channel, to ensure target nodes t1 and t2 can decode, only one qubit is
allowed to transmit at one time in a transmission rate of r b, so we should transmit
three times to realize quantum communication in the many-to-many network. With
quantum entanglement channel which is constructed by EPR-pairs, three qubits can
be transmitted by quantum teleportation simultaneously, i.e., the transmission rate
of this scheme is 3 × r b.
The same conclusion can be easily drawn for one-to-many and many-to-one net-
works. Without loss of generality, for any network G with N S inputs, quantum entan-
glement channels can be generated between source nodes and corresponding target
nodes, that means N S qubits can be transmitted by quantum teleportation simultane-
ously, the maximal transmission rate r bn is determined by N S . Hence we can obtain
Theorem 3.
(4) Transmission distance
Theorem 4 Let R(G) be the actual repeater series participating in encoding after
D3 graph transformation of a general graph G, and L be the transmission dis-
tance of this scheme, then the maximal transmission distance L max = 125 × R(G) +
125 (km).
Proof Yan et al. [4] quantitatively analyzed the performance of quantum repeaters
by giving the relationship curve between transmission distance and repeater series
in the case of an ideal passivation, i.e., transmission distance L is positively related
with repeater series R(G). Considering the distribution of actual network nodes, we
can get the corresponding functional expression as follows:
4.1.8 Discussion
According to the above analysis, we can conclude that this scheme can achieve remote
quantum communication in a network with complex topology, at the expense of
increase of particle consumption which is related to network complexity as described
in Table 4.4. Compared with the XQQ protocol, this scheme weakens the claim to
quantum channel, break through the limit of channel capacity, and makes a signifi-
cant improvement in transmission rate. Moreover, according to the results of quan-
tum channel generation, we can conclude that the entanglement degree of EPR-pairs
between source nodes and corresponding target nodes only depends on that of EPR-
pairs initially distributed between source nodes and corresponding adjacent nodes.
72 4 Quantum Network Coding Based on Repeater
That is, as long as source nodes and the adjacent nodes are distributed maximally
entangled EPR-pairs, regardless of the entanglement degree of EPR-pairs between
the rest nodes, the scheme can also generate maximally entangled quantum chan-
nel and achieve high-reliability quantum communication with the fidelity of 1. If
the consumed EPR pairs are all non-maximally entangled, the generated quantum
channel will be of less entanglement, and success probability of teleportation will be
lower accordingly. We have taken teleportation of a single unknown qubit over the
quantum entanglement channel as an example, and actually the quantum entangle-
ment channel can also teleport an unknown bipartite state. Apparently, there remains
a lot of future works for communication capacity which is limited by the storage and
operation performance of quantum repeaters.
Fig. 4.12 Intercept-resend attack in a quantum repeater network. + AB is an EPR-pair shared
by quantum repeaters R1 and R2 . Sender R1 measures particle A and sends the measurement result
M1 to receiver R2 . Attacker intercepts M1 and sends another information M2 to R2
can realize optimal encryption of quantum bits, can be adopted to detect the real-
time performance of quantum communication. It allows a user to encrypt its quantum
bits using secret and random classical bits. The procedure of quantum one-time pad
is described as follows:
l
Let a quantum message be the form |M = ⊗ | Mi , where | Mi = αi |0 +
i=1
βi |1, αi and βi are complex number satisfying |αi |2 + |βi |2 = 1, and l is the
length of a quantum message. Sender and receiver share 2l random secret bits
K = ( K 1 · · · K l K l+1 · · · K 2l ), satisfying K i ∈ {0, 1}, where K i is the ith bit of K .
The encryption E K on |M for quantum one-time pad can be described as follows:
l l
|C = E K (|M) = ⊗ σx K 2i−1 σz K 2i |Mi = ⊗ |Ci ,
i=1 i=1
where σx and σz are Pauli operators, |Ci is the ith qubit of |C. The corresponding
decryption is
l
D K (|C) = ⊗ σz K 2i σx K 2i−1 |Ci .
i=1
Figure 4.13 shows a network model with one controller and n quantum repeaters,
where n is a positive integer, and n ≥ 3. The controller works as a trusted party
which can control the distribution of EPR-pairs. So we call such network to be
controlled repeater network. To transmit quantum information from source node R1
to target node Rn , we should generate quantum entanglement channel between R1
and Rn , here R2 , . . . , Rn−1 are intermediate nodes.
For each node Ri (i ≤ n), we establish an identity I D i , which is only known
to all legitimate nodes and the controller. Particularly, the identities are quantum
bits. In this scheme, the controller controls the EPR-pair distribution by judging the
74 4 Quantum Network Coding Based on Repeater
Controller
Quantum channel
A
R1 B Rn
ID1 R2 R3 IDn
C D ID3
ID2
information received from the legitimate nodes. As a result, during encoding for
quantum entanglement channel, particle consumption can be avoided being wasted
in the presence of active attacks.
The key operations of controlled repeater networks can be described as follows:
(1) Node-to-node Communication. To extend quantum entanglement in the
repeater network, any two adjacent nodes should operate on the distributed EPR-
pairs and transmit the corresponding {|0 , |1} measurement result.
(2) Security Confirmation. Every receiver of node-to-node communication should
judge the legitimacy and instantaneity of {|0 , |1} measurement result, then send
corresponding message to the controller.
(3) EPR-pair Distribution. By judging the message from any node of the repeater
network, the controller determines whether the system distributes EPR-pairs or not.
As a result, one EPR-pair between R1 and Rn is obtained, which means quantum
entanglement channel is generated and then is able to perform quantum teleportation.
A B
1 2
ID1 M1 ID2
Quantum channel
Fig. 4.14 Quantum transmission for measurement result in the {|0 , |1} basis
be the measurement result of particle A in the {|0 , |1} basis. The procedure for
transmitting M1 to R2 is described as follows:
Step 1: Key establishment. R1 , R2 agree the way to generate a 2(l + 1) bit random
key K .
Step 2: Particle measurement and state transition. R1 measures particle A in the
{|0 , |1} basis, let {0, 1} be the outcome. Then it transforms the measurement result
into quantum message M1 according to the rules 0 → |0, 1 → |1.
Step 3: Encryption and transmission. R1 applies quantum one-time pad encryption
E K on ( M1 , I D 1 ), and transmits quantum message E K ( M1 , I D 1 ) to R2 over the
quantum channel.
Step 4: Decryption and Pauli operation. R2 decrypts the received quantum mes-
sage E K ( M1 , I D 1 ) and gains ( M1 , I D 1 ). With I D 1 , R2 can confirm that M1 is a
real-time message from R1 . Then it can apply the corresponding Pauli operator to
particle B.
As we can see, the improved LOCC focus on transmitting measurement result in
the {|0 , |1} basis by means of quantum information, so we rename the improved
LOCC as LOQC, namely Local Operations and Quantum Communication. LOQC
allow legitimate nodes to identify the source of received information and judge the
freshness of received information in the presence of active attacks. Therefore, we
can denote the algorithms of LOQC by renaming the algorithms of LOCC according
to the rule of Table 4.6.
76 4 Quantum Network Coding Based on Repeater
Inspired by the idea of quantum network coding scheme based on controlled telepor-
tation [11], QNC can control the decoding process of two receivers on the butterfly
network simultaneously by introducing a controller. By introducing the role of a
controller as a trusted party to control the distribution of EPR-pairs for quantum
repeater networks, a secure quantum network coding scheme for controlled repeater
networks was proposed [9] and its objective is to reduce particle consumption during
the encoding process in the presence of active attacks. Moreover, during the process
of quantum channel generation, to verify secure communication between any two
legitimate nodes, including the controller, we establish an identity for each legitimate
node, with which communication party can be authenticated.
In the butterfly network of quantum repeaters, the setting for this scheme is pre-
sented in Fig. 4.15. Source nodes s1 and s2 simultaneously send quantum information
to target nodes t1 and t2 in the butterfly network by quantum entanglement channel.
r1 and r2 are two intermediate nodes. The identity of any node is represented as
I D x (x is the name of a node), e.g., I Ds 1 denotes the identity of source node s1 .
Secure encoding (SE). For convenience, we define the secure encoding operation
of repeaters rm , rn with a controller. Let |be be the state before encoding, AlgoN
be the algorithm name, and |a f be the state after encoding. rm , rn apply AlgoN on
|be , rn marks its state with qubit by judging the security of node-to-node commu-
nication, if rn receives a real-time message from rm , the state becomes |a f . Then rn
marks its state Sym i as qubit |1, otherwise marks Sym i as |0. rn applies quantum
one-time pad encryption on (Sym i , I Dr n ) and transmits E K (Sym i , I Dr n ) to the
controller. The controller decrypts the received message. If the controller can obtain
|1 from rn , it means that no attack happens, continue to next step, otherwise return to
the beginning. Note that the function is used in the form of S E(AlgoN , Sym i , I Dr n ).
The secure quantum network coding scheme for butterfly network can be described
as follows:
Step 1: Distribute two EPR-pairs + AB and + C D to s1 − t2 and s1 − r1 ,
respectively. Let the input state |init be a form as follows:
|init = + AB ⊗ + C D ,
A
s1 , r2 apply S E(QCon C−>D , Sym 1 , I Dr 1 ) on |1 , the state becomes
|1 = |G H Z AB D .
Step 2: Distribute two EPR-pairs + E F and + G H to s2 − t1 and s2 − r1 ,
respectively, the state becomes
|2 = |G H Z AB D ⊗ + E F ⊗ + G H ,
4.2 Secure Quantum Network Coding for Controlled Repeater Networks 77
IDs1 IDs2
1 10 11
2
A C 1 IDr1 2
10
1 11
D
9
1 3 2
7 2 8
IDr2
B 4 5
7 8
2 1
6 IDt2 IDt1 6
Fig. 4.15 Butterfly network of quantum repeaters
E
s2 , r1 apply S E(QCon G−>H , Sym 2 , I Dr 1 ) on |2 , the state becomes
|3 = |G H Z AB D |G H Z E F H .
Step 3: Distribute + I J to r1 − r2 , the state becomes
|4 = |G H Z AB D |G H Z E F H ⊗ + I J ,
1
|5 = (|000000 + |111111) AB D E F H |0 J
2
1
+ (|000111 + |111000) AB D E F H |1 J .
2
78 4 Quantum Network Coding Based on Repeater
Step 4: Distribute + K L to r2 − t2 , the state becomes
1
|6 = (|000000 + |111111) AB D E F H |0 J ⊗ + K L
2
1
+ (|000111 + |111000) AB D E F H |1 J ⊗ + K L ,
2
1
|7 = (|000000 + |111111) AB D E F H |00 J L
2
1
+ (|000111 + |111000) AB D E F H |11 J L ,
2
Step 5: Distribute + M N to r2 − t1 , the state becomes
1
|8 = (|000000 + |111111) AB D E F H |00 J L ⊗ + M N
2
1
+ (|000111 + |111000) AB D E F H |11 J L ⊗ + M N ,
2
J
r2 , t1 apply S E(QCon M−>N , Sym 5 , I Dt 1 ) on |8 , the state becomes
1
|9 = (|000000 + |111111) AB D E F H |000 J L N
2
1
+ (|000111 + |111000) AB D E F H |111 J L N .
2
1
|10 = (|000000 + |111111) AB D E F H |000 J L N
2
1
+ (|010101 + |101010) AB D E F H |111 J L N .
2
Step 7: t2 , r2 apply S E(Q Rem L−>J , Sym 6 , I Dr 2 ) on |10 , the state becomes
1
|11 = (|000000 + |111111) AB D E F H |00 J N
2
1
+ (|010101 + |101010) AB D E F H |11 J N .
2
4.2 Secure Quantum Network Coding for Controlled Repeater Networks 79
Step 8: t1 , r2 apply S E(Q Rem N −>J , Sym 7 , I Dr 2 ) on |11 , the state becomes
1
|12 = (|000000 + |111111) AB D E F H |0 J
2
1
+ (|010101 + |101010) AB D E F H |1 J .
2
Step 9: r2 , r1 apply S E(Q Rem Add J −>D,H , Sym 8 , I Dr 1 ) on |12 , the state
becomes
1
|13 = (|000000 + |111111) AB D E F H
2
1
+ (|010101 + |101010) AB D E F H .
2
Step 10: r1 , s1 apply S E(Q Rem D−>A , Sym 9 , I Ds 1 ) on |13 , the state becomes
1
|14 = (|00000 + |11111 + |01101 + |10010) AB E F H .
2
Step 11: r1 , s2 apply Q Rem H −>E , if s2 receives real-time message from r1 , the
state becomes
1
|15 = (|0000 + |1111 + |0110 + |1001) AB E F
2
+
= AF ⊗ + B E = f inal .
As a result, two EPR-pairs are obtained, + AF between s1 − t1 , and + B E
between s2 − t2 , which means quantum entanglement channel between source and
target is generated and then is able to perform quantum teleportation.
Proof Suppose that a controlled repeater network has Nsum nodes, if no active attack
happens during the encoding process, the minimum number of communications
between adjacent nodes is (Nsum − 1), so is the number of communication between
network nodes and the controller. In any communication of this scheme, a node
should send a qubit ({|0 , |1} measurement result or state symbol of communication
security) and a quantum information I D, the length of which is supposed to be
l. Thus, the consumption of particles for a controlled quantum repeater network
is Nq ≥ (l + 1) × 2 (Nsum − 1). Apparently, with the total number of nodes Nsum
80 4 Quantum Network Coding Based on Repeater
Theorem 6 Secure quantum network coding scheme for controlled repeater net-
works can reduce EPR-pair consumption in the presence of active attacks to a max-
imum extent.
Proof As a trusted party, the controller regulates the process of EPR-pair distribution
by judging the source and freshness of received information. With quantum one-time
pad, the controller obtains (l + 1) qubits message (Mi , I D i ), where Mi and I D i
represent the operating state and identity of node i, respectively. If the controller can
receive real-time quantum information from legitimate nodes in the whole process
of quantum channel generation, i.e., no attack happens, quantum repeater network
can generate quantum entanglement channel with any adjacent nodes only should
share one EPR-pair initially. If attack happens, quantum channel generation process
is terminated to avoid waste of particle consumption, so that no more EPR-pairs
will be distributed. In contrast to quantum repeater network without a controller, this
scheme can reduce particle consumption in the presence of active attacks, and the
earlier the attack is detected, the fewer particle will be wasted.
Assume that secure encoding for a quantum repeater network needs n e EPR-
pairs by m s steps, x represents the xth step when the controller detects an attack,
the particle consumption N P is positively related with x, and the corresponding
functional expression is given as follows:
N P = f (x, m s , n e ) ,
Proof Let M A be the {|0 , |1} basis measurement result of particle A in the legit-
imate node r1 . During the process of quantum channel generation, only when the
current legitimate node r2 receives a real-time quantum message from the previous
legitimate node r1 , does it apply Pauli operator on its own particle B. There will be
four possible scenarios listed as follows:
(a) No attack happens, r2 receives the encrypted quantum information and decrypts
it to obtain (M A , I D 1 ), then applies a corresponding Pauli operator on particle B.
(b) Attacker intercepts the encrypted quantum information and sends other infor-
mation to r2 , r2 receives the information and decrypts with the correct secret key,
only to find that decrypted information is not the identity of r1 , and it will do no
operation on particle B.
(c) Attacker impersonates r1 and sends information to r2 , r2 judges the received
information as irrelevant information because r1 does not send request of key gen-
eration to r2 , so r2 will discard it and do no operation on particle B.
(d) Attacker intercepts an encrypted quantum information and resends the same
information to r2 in the latter communication, the first time r2 receives the informa-
tion, it can decrypt and obtain the correct information, while it can tell out that the
rest received information are not in real time.
As we see from above analysis that a legitimate node can judge the source and
freshness of received information with quantum one-time pad, so it will not apply
wrong or redundant operation on its particle during quantum channel generation.
Thus Theorem 7 is proved.
82 4 Quantum Network Coding Based on Repeater
1 2 3
IDs1 IDs2 IDs3
1
IDr1
2
IDr2
Controller
IDr3
3
1 2
IDt1 IDt2
4.2.8 Discussion
According to the above analysis, we can conclude that this scheme can not only
achieve secure quantum channel generation for long-distance quantum communica-
tion, but also reduce particle consumption in the presence of active attacks. Beyond
butterfly network, this scheme would also be applied to general scenarios, such as
general quantum repeater networks.
Consider that the key technique of general graph networks is to transform a general
graph into a D3 (Degree 3) graph, Iwama et al. [3] gave the transformation schemes
of one-to-many, many-to-one, and many-to-many. Here we give an example of many-
to-many D3 repeater network with a controller shown as Fig. 4.16. Note that here we
adopt a network with three inputs and two outputs, and assume that source nodes s1
and s2 communicate with target node t1 , source nodes s3 communicates with target
node t2 , r1 , r2 , and r3 are three intermediate nodes. The identity of any node is
represented as I D x (x is the name of a node).
By applying the quantum repeater network coding scheme, three EPR-pairs are
obtained by (s1 , t1 ), (s2 , t1 ), and (s3 , t2 ) finally, thus quantum entanglement channel
is generated in the many-to-many network. During the process of quantum channel
generation, the controller controls the distribution of EPR-pairs. In comparison with
the setting of the butterfly network, additional EPR-pairs are needed between r1 − r2 ,
r2 − r3 , and r3 − t1 , if there exists an active attack, more particle resource could be
4.2 Secure Quantum Network Coding for Controlled Repeater Networks 83
Controller
r
r r
250km
saved. That means with the diversification of general graph network, the controller
will play a more important role in the presence of active attacks.
Obviously, there remains a lot of future works, such as site selection of a controller
in the quantum repeater network with complex topology, which is limited by practical
operability of EPR-pair distribution. If the controller was nearer to each node, it will
save more resource. In this scheme, the controller needs to keep in touch with every
network node, which severely restricts the size of a network. Yan et al. [4] have ever
quantitatively analyzed the performance of quantum repeater that one repeater can
support quantum communication for 125 km, i.e., the controller should be no more
than 125 km away from each node. We give a simple model of site selection for
the butterfly network with one controller (see Fig. 4.17). The controller is located at
the center of a circle which contains all repeater nodes with diameter no more than
250 km.
For a more complex network, one possible solution to site selection is dividing the
network with (a + b + c + · · · ) nodes into a few groups by the principle of proximity
and following the rule that each node is no more than 125 km away from a controller
(see Fig. 4.18), we set one controller for the system and each group to control EPR-
pair distribution. The main idea is that the main controller communicates with the
group controllers (Con 1 , Con 2 , Con 3 , . . .), while the group controllers communicate
with the repeater nodes.
4.3 Summary
Controller
Quantum channel
rithms of quantum channel generation scheme for the cases of one-to-many, many-
to-one, and many-to-many were given to generate quantum entanglement channels
in a D3 graph network. Then we introduced a new quantum repeater network adding
a controller as a trusted party, which controls the EPR-pair distribution in the whole
quantum channel generation process. Quantum one-time pad is utilized to improve
the basic operations LOCC. With the improved algorithms LOQC, legitimate nodes
can apply correct operation to the particles when encoding for quantum entangle-
ment channel. Scheme analysis demonstrates that the scheme can realize secure
long-distance quantum communication and achieve resource saving if there exist
active attacks to a maximum extent.
References
1. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes
from classical nonlinear protocols. In: IEEE International Symposium on Information Theory
(ISIT), pp. 109–113 (2011)
2. Nishimura, H.: Quantum network coding - how can network coding be applied to quantum
information? In: International Symposium on Network Coding (NetCod), 1–5 (2013)
3. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs.
Physics 52(3), 610–621 (2006)
4. Yan, Y., Pei, C.X., Han, B.B., et al.: A quantum repeater for quantum communication sys-
tems. In: The First Chinese Conference on Communications Departments of Colleges and
Universities, pp. 791–796 (2007)
5. Pei, C.X., Yan, Y., Liu, D., et al.: A quantum repeater communication system based on entan-
glement. Acta Photon. Sin. 37(12), 2422–2426 (2008)
6. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A
86(3), 9591–9598 (2012)
References 85
7. Shang, T., Li, J., Pei, Z., Liu, J.W.: Quantum network coding for general repeater networks.
Quantum Inf. Process. 14(9), 3533–3552 (2015)
8. Cao, H.J., Guo, Y.Q., Song, H.S.: Teleportation of an unknown bipartite state via non-maximal
entangled two-particle state. Chin. Phys. 15(5), 915–918 (2006)
9. Shang, T., Li, J., Pei, Z., Liu, J.W.: Secure quantum network coding for controlled repeater
network. Quantum Inf. Process. 15(7), 2937–2953 (2016)
10. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67(4),
645–648 (2003)
11. Shang, T., Zhao, X., Liu, J.W.: Quantum network coding based on controlled teleportation.
IEEE Commun. Lett. 18(5), 865–868 (2014)
Chapter 5
Quantum Network Coding Based
on Controller
Controlled teleportation introduces the concept of a controller and can control the
reconstruction process of a receiver by sharing a GHZ state between the sender and
the receiver. In this chapter, we introduce quantum network coding schemes based
on controlled teleportation to control the decoding process of receivers in a butterfly
network. By introducing a third party, the schemes provide a model of three-party
communication for each unicast stream in the butterfly network. Furthermore, by
introducing an identity authentication mechanism into the quantum network coding
scheme, the schemes will have good potential to enhance the security of communi-
cation in the quantum network.
With the rapid development of quantum network, the security of quantum informa-
tion transmission has become a crucial issue. Researchers have explored to transmit
information in quantum channels directly, namely, quantum security direct communi-
cation (QSDC) [1]. However, the QSDC schemes based on teleportation must send
measurement results via classical channels to receivers, which will arouse hidden
danger due to the unreliability of classical communication. Research achievements
[2, 3] show that if the measurement results are governed by a trusted third party, the
security of QSDC will be greatly enhanced.
Following this idea, we focus on new quantum network coding schemes based
on controlled teleportation [4]. By introducing a third party, namely, the controller,
these schemes provide a model of three-party communication for each unicast stream
in the butterfly network. Such schemes have good potential to enhance the security
of communication in the quantum network.
In 2007, Zhou et al. [5] proposed a controlled teleportation scheme. This scheme
introduces the concept of a controller and can control the reconstruction process of
a receiver by sharing a GHZ state between the sender and the receiver.
Assume that the state of the particle to be sent is |ϕ D = α|0 D + β|1 D (where
|α|2 + |β|2 = 1). The GHZ state shared by Alice, Bob and Charlie initially is:
1
|ϕ ABC = √ (|000 + |111) ABC . (5.1)
2
The subscripts A, B, and C represent the three particles owned by the parties
Alice, Bob, and Charlie, respectively. The whole state can be represented to be:
Let the classical bits correspond to the result of Bell-state measurement as follows:
00 → φ+ , 10 → φ− , 01 → ψ + , 11 → ψ − .
5.1 Quantum Network Coding Based on Controlled Teleportation 89
1 1
H |0C = √ (|0 + |1)C , H |1C = √ (|0 − |1)C .
2 2
(3) After Charlie’s single-particle measurement (in the basis of |0 and |1) on C,
Bob can obtain a state that can be transformed to the originally unknown state with
or without a local unitary operation.
We describe a scheme with two controllers (Con1 and Con2 ) based on the XQQ
protocol as shown in Fig. 5.1. In this scenario, there are two unicast streams, including
two senders A1 and A2 , two receivers B1 and B2 . M1 and M2 are two intermediate
nodes. The unknown quantum states to be sent by Ai is |ϕi = αi |0 + βi |1 , i ∈
{1, 2}. More importantly, the controller Con(i⊕1) and the sender Ai share a GHZ state:
1
|ϕ Ai,3 Ai,4 Ci⊕1 = √ (|000 + |111) Ai,3 Ai,4 Ci⊕1 .
2
Controller 2 Controller 1
1 2
Con 2 A1 A2 Con1
Q2 Q3
Q1 Q4
GHZ M1 GHZ
state state
Q1 1 Q5 Q4 2
M2
H2 H1
Q6 Q7
B2 B1
(r3 )i . Let the classical bit (r3 )i correspond to the measurement result: 0 → |0C ,
1 → |1C .
According to controlled teleportation, after this step the state of the particle Ai,4
becomes ρi = (Uxi )−1 · U C(|ϕi ), which can be denoted as Q 1 = ρ1 = (Ux1 )−1 ·
U C(|ϕ1 ), Q 4 = ρ2 = (Ux2 )−1 · U C(|ϕ2 ). Here Uxi is the unitary operator chosen
to reconstruct |ϕi according to (r1r2 r3 )i .
Step 4: At the node M1 , Q 5 = G R (Q 2 , T T R(Q 3 )).
Step 5: At the node M2 , (Q 6 , Q 7 ) = U C (Q 5 ).
Step 6: If the controller Coni allows the receiver Bi to obtain the original state
|ϕi , it can send the classical bits (r1r2 r3 )i⊕1 to the receiver Bi via the channel Hi .
Thus the receiver Bi can obtain the operator Ux(i⊕1) according to (r1r2 r3 )i⊕1 . Then
the decoding processes are described as follows:
At the receiver B1 , the output state is
Table 5.1 Measurement results of the particles and the corresponding Uxi operator
|ϕ Ai,3 Si |ϕCi⊕1 (r1 r2 r3 )i Uxi
+
φ |0Ci⊕1 000 U0
A S
i,3 i
|1Ci⊕1 001 U1
−
φ |0Ci⊕1 010 U1
Ai,3 Si
|1Ci⊕1 011 U0
+
ψ |0Ci⊕1 100 U2
Ai,3 Si
|1Ci⊕1 101 U3
−
ψ |0Ci⊕1 110 U3
Ai,3 Si
|1Ci⊕1 111 U2
state Q 3 , which can produce two classical bits r1r2 . Then r1r2 can be used to select
one operator of Pauli operators as GR operator (00 → I = U1 ,10 → σx = U2 ,01 →
σz = U3 ,11 → iσY = U4 ). More details can be seen in Hayashi’s work [6].
In other cases, the state of the particles after the corresponding measurement and
the unitary operator chosen to reconstruct the original states by the receivers are
shown in Table 5.1 (See the Eq. 5.1 for Uxi ). The particles Q 1 (Q 4 ) sent by A1 (A2 )
is denoted as S1 (S2 ) for convenience.
Due to approximate cloning, the fidelity of the XQQ protocol is obviously smaller
than 1. For this reason, another scheme for high fidelity was designed based on the
perfect quantum network coding protocol with prior entanglement [7]. The scheme
is shown in Fig. 5.2.
Here we also use two controllers of Con1 and Con2 . The sender A1 (A2 ) can transmit
on1(Con2 ) freely. The two senders share two pairs of the maximally
classical bits to C
entangled state φ+ , where the first pair has two particles A1,1 and A2,1 , and the
second pair has two particles A1,2 and A2,2 . Here A1,1 and A1,2 are owned by A1 .
The sender Ai and the controller Coni (i ∈ {1, 2}) share a GHZ state as follows:
1
|ϕ Ai,3 Ai,4 Ci = √ (|000 + |111) Ai,3 Ai,4 Ci .
2
Here Ai,3 Ai,4 are owned by Ai , and Ci is owned by Coni . The unknown quantum
states to be sent by Ai is |ϕi = αi |0 + βi |1. The corresponding particle is denoted
as Si . Then
92 5 Quantum Network Coding Based on Controller
Controller 1 1 2 Controller 2
Con1 A1 A2 Con 2
D1 : X1 D2 : X 2
GHZ GHZ
state
M1 state
1 1
E1 : U (X1 X2 ) 4
F : X1 X 2 E2 : U (X1 X2 ) 3
H1 M2 H2
G2 : X1 X 2 G1 : X1 X2
B2 B1
If the controller Coni forbids the receiver Bi to obtain the original state, he would
not transmit the classical bits (r1r2 r3 )i to the receiver Bi . Without the corresponding
unitary operator, Bi would fail to recover the original state |ϕi by |ϕi+2 .
As we know, controlled teleportation can transmit a quantum state perfectly. All the
operations of controlled teleportation have no effect on the fidelity. Hence we can
easily obtain Theorem 1.
Theorem 1 The fidelity of the scheme with two controllers based on the XQQ pro- √
tocol is smaller than 1 and larger than 1/2, specially F1 ≥ 21 + 81 2
, F2 ≥ 21 + 22433 .
The fidelity of the scheme with two controllers based on the perfect quantum network
coding protocol with prior entanglement is strictly 1.
Definition 1 If a protocol uses the network n times along with other allowed
resources, and communicates m 1 , m 2 of sizes n (r1 − δn ), n (r2 − δn ) bits/qubits
with fidelity at least 1 − ξn for δn , ξn → 0. Then we say that the rate pair (r1 , r2 ) is
achievable. The achievable rate region is the set of all achievable rate pairs [8].
In the schemes, each channel can optionally transmit one qubit or two bits as
required. Note that it needs to transmit three bits (r1r2 r3 )i via the classical channel
between the controllers and the receivers. Hence we can easily conclude that it
totally needs to use the network 1.5 times to transmit two source qubits across in two
schemes, i.e., (r1 , r2 ) = 23 , 23 . Obviously, the rate region of the schemes would be
(r1 , r2 ) r1 , r2 ≤ 23 .
94 5 Quantum Network Coding Based on Controller
1
1
Q7 (or X 1 X2) (or U x1 1 )
U x 2 (or U x1 )
1
Q4 (or U X 1 X2 3 )
Furthermore, the second scheme needs only two quantum channels which con-
sumes fewer resources compared with the first scheme. In summary, comparison
between the schemes and reference schemes as shown in Table 5.2.
In the schemes, without the controllers, the receivers cannot obtain the quantum states
from the senders. This means that the schemes can effectively defend against wiretap
attack if the controllers can communicate with the receivers safely. The wiretap attack
model is shown in Fig. 5.3. For the first scheme, without the information Ux2 from
the controller, which can be treated as communication key, any attacker would fail
to obtain the original quantum state |ϕ1 from the sender even if he can capture Q 7
and Q 4 . For the second scheme, the related information is listed in the brackets of
Fig. 5.3.
To assure the security of the communication between the controllers and the
receivers, we can replace the classical channels between them with the quantum
channels by means of the simple QSDC protocol [9]. The controllers can produce
some particles to correspond to the measurement results. After the receivers obtain
5.1 Quantum Network Coding Based on Controlled Teleportation 95
all the particles, the controllers tell them the base vector of every particle. Then
by measuring these particles with the corresponding base vector, the receivers can
obtain the measurement results. Any wiretap attack will distort the quantum state of
these particles if it attempts to measure the particles. Note that the controllers tell the
receivers the base vectors only after the receivers obtain all the particles. Hence any
attacker cannot own the particles and the base vectors simultaneously. Obviously the
schemes can defend against the wiretap attack as shown in Fig. 5.3.
Moreover, the second scheme intrinsically needs more classical channels which
would be susceptible to tampering attacks. Comparatively, the first scheme achieves
higher security for its all quantum channels against tampering attacks.
5.1.7 Discussion
According to the above analysis, we can conclude that the first scheme can be applied
where higher security and lower fidelity are needed while the second scheme can be
applied where higher fidelity and lower security are needed.
Furthermore, the two schemes realize the control of decoding processes at the
expense of decrease of rate region from {(r1 , r2 )|r1 , r2 ≤ 1} to (r1 , r2 )|r1 , r2 ≤ 23
as described in Table 5.2 and extra consumption of resources, including two GHZ
states |ϕ A1,3 A1,4 C2 and |ϕ A2,3 A2,4 C1 for Scheme1, |ϕ A1,3 A1,4 C1 and |ϕ A2,3 A2,4 C2 for
Scheme2, and two additional channels H1 and H2 , in comparison with the schemes
without security consideration.
The key idea of the schemes is that we firstly perform a unitary operation on the
quantum state to be sent by means of controlled teleportation, then the controller
becomes the only one who knows the operator after the measurement. The first
scheme can be generalized to multicast case by minor adjustments. As we know, the
main idea of the XQQ protocol is the discretization of quantum state |ϕ2 upon which
the encoding of |ϕ1 depends. On this basis, we can control the decoding processes
of receivers by controlling the transmission of Q 2 with one controller. Thus we can
apply this idea into multicast case where the decoding processes of all destination
nodes are controlled by one controller. Obviously, the second scheme is not suitable
for the multicast case, because the quantum state upon which the decoding process
depends at each destination is different.
In the butterfly network, it is better to introduce a controller for each receiver.
By means of two controllers of two streams, we can control the decoding processes
of two different streams separately. Furthermore, if the network is generalized to
the model of k-pair problem, we can specify some sender-receiver pairs to complete
decoding arbitrarily by introducing different controllers, which could be of great
benefit to realize access control between these receivers.
96 5 Quantum Network Coding Based on Controller
The rapid development of quantum network have also exposed some security issues
of quantum information transmission. Researchers have explored to design variable
quantum security mechanisms. Especially, the scheme of transmitting information in
quantum channels directly, namely quantum secure direct communication (QSDC)
[1] has drawn more and more attention. However, the QSDC schemes based on
teleportation depend on classical measurement results. This means that senders must
transmit these classical bits via classical channels to receivers, which will arouse
hidden danger due to the unreliability of classical communication. Obviously, if the
measurement results are governed by a trusted third party, the security of QSDC will
be greatly enhanced.
Similarly, many quantum network coding schemes still rely on classical channels
which are vulnerable to some active attacks. Due to the unreliability of classical chan-
nels, attackers can easily wiretap and falsify data packets so as to impede message
recovery. Then Shang et al. [10] proposed the controlled quantum network coding
scheme based on controlled teleportation. In this scheme, the decoding processes of
the receivers rely on the measurement result which is governed by the controller.
The controller sends the measurement result to the receivers to complete decoding
on the premise that the receivers communicates with the controller safely. Hence
it is necessary to authenticate the identity of the receivers to defend against active
attacks, such as impersonation attack and wiretap attack.
Following this idea, we focus on new quantum network coding scheme with
identity authentication [11] in this section. By introducing an identity authentica-
tion mechanism into the controlled quantum network coding scheme, the scheme
will have better potential to enhance the security of communication in the quantum
network.
QSDC schemes aim to transmit quantum state securely and directly between two
parties. Thus it is meaningful to introduce the QSDC schemes into the implementation
of quantum identity authentication between the controller and the receiver in the
butterfly network.
Researchers have designed many QSDC schemes which are based on teleporta-
tion, entanglement swapping, single particle and so on. A simple QSDC protocol
based on the delayed choice BB84 protocol [9] is described as follows:
Assume Alice wants to transmit some classical bits (0 or 1) to Bob. She can
produce some particles corresponding to the classical bits as follows: |0 or |+ →
5.2 Secure Quantum Network Coding with Identity Authentication 97
0, |1 or |− → 1. Then she transmits these particles to Bob. After Bob obtains all
the particles, Alice tells him the base vector of every particle (|0|1 basis or |+|−
basis). Then by measuring these particles with the corresponding base vector, Bob
can obtain the classical bits. Any wiretap attack will distort the quantum state of these
particles if it attempts to measure the particles. Note that Alice tells Bob the base
vectors only after Bob obtains all the particles. Hence any attacker cannot own both
the particles and the base vectors simultaneously. This means any attacker can not
capture the particles and obtain the classical bits by measurement. In other words,
Alice can transmit her classical information to Bob securely via the quantum channel.
Controller 1 1 2
Controller 2
Con1 A1 A2 Con 2
D1 : X1 D2 : X 2
GHZ GHZ
state
M1 state
1
E1 : U (X1 X2 ) 4 F : X1 X 2 E2 : U (X1 X2 ) 1
3
H1 M2 H2
G2 : X1 X 2 G1 : X1 X2
B2 B1
1
|ϕ Ai,5 Ai,6 Ci0 = √ (|000 + |111) Ai,5 Ai,6 Ci0 .
2
Here Ai,3 Ai,4 Ai,5 Ai,6 are owned by Ai , and Ci Ci0 are owned by Coni . The unknown
quantum states to be sent by Ai is |ϕi = αi |0 + βi |1. The corresponding particle
is denoted as Si . Then
The secure quantum network coding scheme with identity authentication includes
four core parts: Setup, Transmission, Authentication, and Decoding, just as described
in the following part:
(1) Setup
Step 1: EPR
pair
distribution.
The sender
Ai and the receiver Bi share a prior
entanglement φ+ Vi1 Vi2 = √12 0Vi1 0Vi2 + 1Vi1 1Vi2 . Ai owns the particle Vi1 and
Bi owns the particle Vi2 .
5.2 Secure Quantum Network Coding with Identity Authentication 99
Step 2: GHZ state distribution. Here the first GHZ state, namely |ϕ Ai,3 Ai,4 Ci , would
be used to transmit the unknown states, while the second GHZ state |ϕ Ai,5 Ai,6 Ci0 would
be used for authentication.
(2) Transmission
Step 1: The sender Ai performs a Bell-state measurement on the particles Si (i =
1 or 2) and Ai,3 . Then it can obtain the classical bit string (r1r2 )i corresponding to
the Bell-state measurement result. The sender Ai transmits the result (r1r2 )i to the
controller Coni , respectively.
Step 2: The controller Coni performs a Hadamard operation on its particle Ci
and performs a single-particle measurement on Ci , and obtains the classical bit (r3 )i
corresponding to the measurement result: 0 → |0C , 1 → |1C .
According to controlled teleportation, after this step the state of the particle Ai,4
becomes |ϕi+2 = (Uxi )−1 · |ϕi , where Uxi is the unitary operator chosen to recon-
struct |ϕi . The value of Uxi can be seen in Table 5.3.
Step 3: The sender Ai performs a joint measurement on the particle Ai,4 and
the particle Ai,i in the Bell basis, and it obtains the measurement
result X i = n i m i .
The state of Ai,i⊕1 after measurement is U (X i⊕1 )−1 · ϕ(i⊕1)+2 (here U (00) → I
U (10) → σ Z U (01) → σ X U (11) → iσY ).
Step 4: The sender Ai performs the unitary operation U (X i )−1 to Ai,i⊕1 . Hence the
−1 −1
state of the particle Ai,i⊕1 becomes U (X ) · U (X ) · ϕ(i⊕1)+2 =
−1
i i⊕1
c(X i , X i⊕1 ) · U (X 1 ⊕ X 2 ) · ϕ(i⊕1)+2 , where |c (X i , X i⊕1 )| = 1. Then the sender
Ai sends the particle Ai,i⊕1 to Bi⊕1 via the channel E i . It also sends the classical bits
X i to Mi .
Step 5: The node M1 sends X 1 ⊕ X 2 to the node M2 . Also the node M2 sends
X 1 ⊕ X 2 on the receivers B1 and B2 .
Step 6: The receiver Bi performs the unitary operation U (X 1 ⊕ X 2 ) to the received
state U (X 1 ⊕ X 2 )−1 · |ϕi+2 . It can obtain the state |ϕi+2 .
(3) Authentication
Step 1: The sender Ai transmit the particle Vi1 across the butterfly network by
means of the second GHZ state |ϕ Ai,5 Ai,6 Ci0 , which is similar to the process of the
“Transmission” part.
Obviously, the controller Coni would obtain a classical bit string (denoted as
(K 1 K 2 K 3 )i ) as the measurement result. Besides, the sender Bi would receive a state
U K i −1 · |ϕVi1 (here U K i is the unitary operator corresponding to (K 1 K 2 K 3 )i accord-
ing to Table 5.3).
Step 2: The receiver Bi performs a Bell-state measurement on the particles Vi1 and
Vi2 , and obtains a Bell state |ϕVi1 Vi2 . Comparing with the original states φ+ Vi1 Vi2 ,
Bi can obtain U K i .
Step 3: The controller Coni transmits (K 3 )i to the sender Bi via the channel H.
According to U K i and (K 3 )i , Bi can obtain a classical bit string (V1 V2 V3 )i which
corresponds to U K i according to Table 5.3. (V1 V2 V3 )i can be treated as the key of Bi .
Step 4: The sender Bi transmits (V1 V2 )i to Coni to request authentication by the
QSDC protocol which is described in the related work. Then if (V1 V2 )i = (K 1 K 2 )i ,
Coni would confirm the identity of Bi and allow Bi to decode. Otherwise Coni would
deny to participate in decoding.
100 5 Quantum Network Coding Based on Controller
Table 5.3 Measurement results of the particles and the corresponding Uxi operator
|ϕ Ai,3 Si |ϕCi |ϕ Ai,4 = |ϕi+2 (r1 r2 r3 )i Uxi
+
φ |0Ci αi |0 Ai,4 + βi |1 Ai,4 000 U0
A S
i,3 i
|1Ci αi |0 Ai,4 − βi |1 Ai,4 001 U1
−
φ |0Ci αi |0 Ai,4 − βi |1 Ai,4 010 U1
Ai,3 Si
|1Ci αi |0 Ai,4 + βi |1 Ai,4 011 U0
+
ψ |0Ci αi |1 Ai,4 + βi |0 Ai,4 100 U2
Ai,3 Si
|1Ci αi |1 Ai,4 − βi |0 Ai,4 101 U3
−
ψ |0Ci αi |1 Ai,4 − βi |0 Ai,4 110 U3
Ai,3 Si
|1Ci αi |1 Ai,4 + βi |0 Ai,4 111 U2
(4) Decoding
Step 1: If the controller Coni allows the receiver Bi to obtain the original state |ϕi ,
it can send the classical bits (r1r2 r3 )i ⊕ (K 1 K 2 )i to the receiver Bi via the channel
Hi . Then the receiver Bi can calculate (r1r2 r3 )i by (r1r2 r3 )i ⊕ (K 1 K 2 )i ⊕ (V1 V2 )i .
Then it can choose a suitable operator to recover the quantum state |ϕi according
to the classical bits (r1r2 r3 )i . This process can be written as follows:
Step 2: If the controller Coni forbids the receiver Bi to obtain the original state, it
would not transmit the classical bits (r1r2 r3 )i to the receiver Bi . Obviously, without
the corresponding unitary operator, Bi would fail to recover the original state |ϕi
by |ϕi+2 .
As we know, Hayashi’s protocol with prior entanglement between the senders can
transmit quantum states perfectly and across over the butterfly network, which means
its fidelity is 1. Futhermore, controlled teleportation can also transmit a quantum state
perfectly, which means all operations of controlled teleportation have no effect on
the fidelity, namely ρ = |ψ0 . Hence we can easily obtain Theorem 2.
Theorem 2 The fidelity of the quantum network coding scheme with identity authen-
tication is strictly 1.
Theorem 3 The rate region of the scheme is (r1 , r2 ) r1 , r2 ≤ 23 .
Proof It is worth noting that each channel can optionally transmit one qubit or two
bits as required in the scheme. Note that it needs to transmit three bits (r1r2 r3 )i via
the classical channel between the controllers and the receivers. Hence we can easily
5.2 Secure Quantum Network Coding with Identity Authentication 101
conclude that it totally needs to use the network 1.5 times to transmit two source
i.e., (r1 ,2 r2 ) = 3 , 3 . Obviously, the rate region of the schemes would
2 2
qubits across,
be (r1 , r2 ) r1 , r2 ≤ 3 .
Besides, it would need 2n GHZ states for transmission and two extra GHZ states
for authentication to transmit n qubits from A1 to B1 and A2 to B2 , respectively.
In summary, the scheme realizes identity authentication at expense of slight decline
of rate region and a little more resource. Thus it is a feasible scheme for quantum
network coding.
In this scheme, without the controllers, the receivers cannot obtain the quantum states
from the senders. This means that the security of the scheme mainly depends on the
authentication mechanism between the controllers and the receivers.
Theorem 4 Any attacker cannot obtain the key (V1 V2 V3 )i of Bi by wiretapping the
butterfly network.
Proof As described in the scheme, U K i is necessary to calculate (V1 V2 V3 )i . More-
over, U K i corresponds to two values of (V1 V2 V3 )i according to Table 5.3. For exam-
ple, if U K i = U1 , the classical bit string would be (V1 V2 V3 )i = 001 or (V1 V2 V3 )i =
010. Thus (K 3 )i from Coni is also indispensable to confirm the value of (V1 V2 V3 )i .
As shown in Fig. 5.5, even an attacker can capture the particle U K i −1 · |ϕVi1 and
(K 3 )i from Coni , he still cannot obtain (V1 V2 V3 )i . Without the particle Vi2 which
is owned by Bi , an attacker cannot obtain U K i by performing measurement on one
particle Vi1 . Hence we have Theorem 4.
Theorem 5 Any attcaker cannot obtain the key (V1 V2 V3 )i of Bi by wiretapping the
communication between the controller Coni and the receiver Bi .
U Ki Vi 1
U Ki
K3 K1
V1V2V3 i
i
i
102 5 Quantum Network Coding Based on Controller
K3 i
V1V2
K1 K 2 K 3 i
i
1
X1 X2 i 2 U xi i
r1r2 r3 i
r1r2 r3 i
K1 K 2 i
1
U X1 X2 i 2
Proof As shown in Fig. 5.6, Bi needs to transmit (V1 V2 )i to Coni to complete identity
authentication after Bi obtains (V1 V2 V3 )i . Here we transmit (V1 V2 )i by the QSDC
protocol described in the related work. Thus any attacker can not obtain (V1 V2 )i by
wiretapping the communication between Coni and Bi . Thus we have Theorem 5.
5.3 Summary
In this chapter, we introduced a trusted third party into quantum network coding
schemes to realize the control of decoding process of the receivers. The senders will
fail to transmit quantum information to the receivers without the participation of
the controllers. Then we introduced a secure quantum network coding scheme with
identity authentication between the controller and the receiver. Performance analysis
demonstrates that the scheme can authenticate the identity of the receivers at expense
of acceptable decline of rate region and a little more resource. Furthermore, by means
of quantum identity authentication mechanism, the scheme can effectively defend
against some active attacks, such as impersonation attack and wiretap attack.
References
1. Beige, A., Englert, B.G., Kurtsiefer, C., et al.: Secure communication with a publicly known
key. Acta Phys. Pol. A 101(3), 357–368 (2002)
2. Chen, X.B., Wang, T.Y., Du, J.Z., et al.: Controlled quantum secure direct communication with
quantum encryption. Int. J. Quantum Inf. 6(3), 543–551 (2008)
3. Chen, X.B., Xu, G., Yang, Y.X., et al.: Centrally controlled quantum teleportation. Opt. Com-
mun. 283(23), 4802–4809 (2010)
4. Shang, T., Zhao, X.J., Liu, J.W.: Quantum network coding based on controlled teleportation.
IEEE Commun. Lett. 18(5), 865–868 (2014)
5. Zhou, J.D., Hao, G., Wu, S.J.: Controlled teleportation of an arbitrary multi-qudit state in a
general form with d-dimensional Greenberger-Horne-Zeilinger states. Chin. Phys. Lett. 24(5),
1151–1153 (2007)
6. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
7. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys Rev A 76(4), 040301 (2007)
8. Nishimura, H.: Quantum network coding - How can network coding be applied to quantum
information? In: International Symposium on Network Coding (NetCod), pp. 1–5 (2013)
9. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: On the information-splitting essence of two types of
quantum key distribution protocols. Phys Lett A 355(3), 172–175 (2005)
10. Shang, T., Zhao, X.J., Wang, C., Liu, J.W.: Controlled quantum network coding scheme. Chin
J Electron 42(3), 1–6 (2014)
11. Zhao, X.J., Shang, T., Li, J., Wang, C.: A secure quantum network coding scheme with identity
authentication. Sens. Lett. 12(2), 460–465 (2014)
Chapter 6
Opportunistic Quantum Network Coding
Network coding theory [1] greatly improves network throughput and also creates a
huge milestone for information area. On account of the broadcasting nature of wire-
less medium, wireless network coding has attracted much attention from researchers.
In order to maximize the gain from network coding, there have been two alternative
approaches to developing interflow network coding protocols, based on either oppor-
tunistic coding or coordinated coding [2]. In deriving the upper bounds of coding gain,
it is often necessary to make assumptions about a particular coding structure, such as
coding opportunities at a hotspot. As a paradigm of wireless network coding protocol,
“COPE” (complete opportunity encoding) [3] allows nodes to combine more than
two packets together through opportunistic listening. Relay nodes can learn neigh-
bor states through opportunistic listening so that they can make an optimal coding
option to ensure more neighbors can decode encoded packets. However, opportunis-
tic coding such as in COPE may miss several coding opportunities, depending on
the order in which nodes in a neighborhood transmit packets. Then the use of coor-
dinated network coding was proposed, in which transmissions of neighboring nodes
are scheduled with the goal of maximizing the gain from network coding. These
works provide the key idea is to strengthen the cooperation and maximize the gain
from network coding.
© Springer Nature Singapore Pte Ltd. 2020 105
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_6
106 6 Opportunistic Quantum Network Coding
P1 P2 B( P2 ) C( P2 )
P1 P3 A( P1 ) C( P3 )
P1 P2 P3 P4
P1 P3 P4 A( P1 ) B( P4 ) C( P3 )
P3 P4 P1 P3
Fig. 6.2 Quantum channel pa1 pa2 pa1 pb1 pm pb1 pb2
verification pm
pm
pm pa2 pb2 pm
where θ and ϕ are the secret parameters of A. Then A applies a C-Not gate on its
particle pa1 and measures particle pm . This operation makes pm entangled with an
EPR pair pa1 pb1 .
+
| c = C
a 1 m 1 ⊗ |ψm
= γi 0a1 0b1 i m + 1a1 1b1 (i ⊕ 1)
i=0,1 (6.1)
1
=√ 1 i a i b ⊗ Iδi,0 + Xm δi,0 |ψm
2 1 1
i=0
The above
equation shows that the state |m is disentangled from the combined
state +1 , which means that the measure particle pm is independent from the EPR
pair pa1 pb1 .
Step 4: B makes pm entangled with next EPR pair pa2 pb2 by the same operation
as Step 2 through a C-Not gate, and then B sends pm back to A.
Step 5: A disentangles the entangled system to obtain independent pm . Then A
measures the parameters θ and ϕ of pm , and compares both the measurement outcome
6.3 Quantum Channel Verification 109
and original parameters. If they are consistent, the two EPR pairs pa1 pb1 and pa2 pb2
are integral. Otherwise, at least one EPR pair is disturbed.
Step 6: A and B choose a certain amount, 2h(h ∈ N + , h ≤ n2 ) EPR pairs for
quantum channel verification. If error rate ξ satisfies ξ ≤ ξ0 + ξ0 (here ξ0 rep-
resents average influence of noise, while ξ0 represents disturbance threshold value),
i.e., disturbance is within normal range and the EPR pairs are secure. Otherwise, if
error rate ξ is beyond permission limit, it indicates that there exists an attack over
quantum channels.
(1.1) A and B share prior EPR pairs, and each EPR pair between A and B can be
expressed as
1
+
j = √ 0a j 0b j + 1a j 1b j , j = 1, . . . , n
2
(1.2) A prepares an arbitrary qubit pm as measure particle. Here θ and ϕ are the
secret parameters.
|m = cos θ |0 +e−iϕ sin θ |1
Then A applies a C-Not gate on its particle pa1 and measures particle pm , which
makes pm entangled with an EPR pair pa1 pb1 .
+
| c = C
a1 m 1 ⊗ |ψm
= γi 0a1 0b1 i m + 0a1 0b1 (i ⊕ 1)
i=0,1
1
= √1 i a i b ⊗ Iδi,0 + Xm δi,0 |ψm
2 1 1
i=0
B makes pm entangled with next EPR pair pa2 pb2 by the same operation as Step
1.2, and then B sends pm back to A.
(1.4) A disentangles the entangled system to obtain independent pm . Then A
measures the parameters θ and ϕ of pm , and compares both the measurement outcome
6.4 Opportunistic QNC Scheme 111
and original parameters. If they are consistent, the two EPR pairs pa1 pb1 and pa2 pb2
are integral. Otherwise, at least one EPR pair is disturbed.
(1.5) A and B choose a certain amount, 2h(h ∈ N + , h ≤ n2 ) EPR pairs for quantum
channel verification. If the EPR pairs are secure, they proceed. Otherwise, they abort
communication.
Note that quantum channel verification can be performed by any two nodes.
In consideration of EPR pair resource and communication efficiency, there is no
need to implement quantum channel verification between every two nodes. It can be
performed between a certain number of random node pairs, before the network runs
or during a certain period of communication process, which needs to be designed
and completed together by all nodes.
Step 2: Quantum information transmission. When the quantum channel verifica-
tion is completed, A intends to transmit a w-bit packet to B by quantum teleportation.
Based on√ the nature
√
of quantum mechanics
√
that√orthogonal quantum states (such
as |0 = 22 |0 + 22 |1 and |1 = 22 |0 − 22 |1) can be completely distin-
guished by measurement, A selects one pair of orthogonal bases |0 and |1 ,
which represent 0 and 1, respectively.
√ √ √ √
2 2 2 2
0 → |0 = |0 + |1 , 1 → |1 = |0 − |1 (6.3)
2 2 2 2
(2.1) According to the w-bit packet and Eq. 6.3, A prepares w qubits.
Assume that A would like to transmit a qubit pi , i = 1, . . . , w, with state | pi =
α |0 + β |1(here | pi can be |0 or |1 ) to B, the overall state of three particles
is
| pi ai bi = | pi ⊗ φ+ a b
i i
1 (6.4)
= (α |0 + β |1) pi ⊗ √ (|00 + |11)ai bi
2
1
|ψ pi ai bi = |ψ pi ⊗ φ+ a b = √ [(φ+ p a ⊗ (α |0 + β |1)bi +
i i i i
2
−
(φ pi ai ⊗ (α |0 − β |1)bi +
(6.5)
(ψ + pi ai ⊗ (α |0 + β |1)bi +
(ψ − p a ⊗ (α |0 − β |1)bi
i i
where φ± and ψ ± are Bell states, which are defined as follows:
±
φ = √1 (|00 ± |11) , ψ ± = √1 (|01 ± |10) (6.6)
2 2
112 6 Opportunistic Quantum Network Coding
According to Eq. 6.5, the measurement outcome must be one of the four Bell
states in Eq. 6.6, with the same probability 41 .
(2.3) A tells B the measurement outcome over a classical channel.
Let the classical bits correspond to the outcomes of Bell-state measurement as
follows:
00 → φ+ , 10 → φ− , 01 → ψ + , 11 → ψ −
then B can apply an appropriate operator U to its particle bi , which makes the state
of bi turn out to be |bi = (α |0 + β |1). So the state of pi is finally transmitted
and stored in the particle bi .
Note that the sender A transforms classical bit into quantum state by Eq. 6.3, so the
receiver B can easily transform the quantum state back into classical bit by measure.
For example, B √
receives√ a qubit |bi , then√ it measures
√
the qubit with orthogonal
bases |0 = 2 |0 + 2 |1 and |1 = 2 |0 − 2 |1, and transforms it back
2 2 2 2
There will be 2w bits over a classical channel during communication when a w-bit
classical packet is transmitted by quantum teleportation. By virtue of these classical
bits, L can judge that a new transmission between A and B is occurring and desires
the latest packet from A(or B), so L sends a request order to A(or B) to request the
packet delivered just now which is denoted by Pr . Here the request order is one of the
defined orders in the form of classical bits and it is used to request communication
parties for latest packet, which is defined and listed in Table 6.1.
Step 4: Neighbor state acquisition. After receiving the request order from L, A(or
B) will refer to its own transmission record and send a corresponding reply to L. As
a result, L can acquire neighbor state by definite steps. Here the transmission record
6.4 Opportunistic QNC Scheme 113
R1 R2 Rg
S5.3 S5.3 S5.3
Broadcast S5.2
...
S5.1
L
is stored locally so as to record which packets have been sent to each destination
node. There are two cases for the corresponding reply of A(or B):
(i) If transmission record indicates the packet Pr was not transmitted to L before,
namely L does not own the packet it requests for, A(or B) will send the packet Pr to
L by means of quantum channel verification and quantum teleportation as in Step 1
and Step 2.
(ii) Otherwise, if transmission record indicates the Pr has been transmitted to
L before, namely L has owned the packet it requests for, then A(or B) will send a
rejection order to L and let L know that Pr is a packet it owns. Here the rejection
order is also one of the defined orders in the form of classical bits, and it is used to
reject the requester for packet request and terminate the process of packet request,
which is defined and listed in Table 6.1.
Note that although L can overhear the classical bits and judge that a new trans-
mission is occurring between A and B, it does not know what is transmitting so that
L may send multiple requests for the same packets. For this reason, the above second
case is used to avoid repetitive transmissions.
Step 5: Opportunistic coding. L refers to its stored packets and makes an optimal
coding decision for neighbors. An optimal coding is to ensure more neighbors can
decode the encoded packet.
The procedure of opportunistic coding is illustrated in Fig. 6.4.
(5.1) For the purpose of allowing more neighbors to decode a new packet, L
encodes a new packet Pg for neighbors.
114 6 Opportunistic Quantum Network Coding
Outcomes for recevier 1 Outcomes for recevier 2 Outcomes for recevier g Notification bits
Pe = P1 ⊕ P2 ⊕ . . . ⊕ Pg
Example 1 In the scenario of Fig. 6.6, packet state is shown beneath a node. Assume
A would like to send a w-bit packet P1 to B. After quantum channel verification
between A and B, A selects a pair of orthogonal bases and specifies the corresponding
classical bits of 0 and 1 as follows:
6.4 Opportunistic QNC Scheme 115
√ √ √ √
2 2 2 2
0→ |0 + |1 , 1 → |0 − |1
2 2 2 2
A prepares w qubits according to the packet P1 and the above rule, and then it
transmits these w qubits to B by quantum teleportation over the shared EPR pairs.
Then B measures the received qubits with orthogonal bases to get the packet P1 .
Note that during the process of quantum teleportation, A sends 2w bits via classical
channel. When L overhears these classical bits, it knows that data transmission is
happening, so it sends a request order (11111) to A to request the latest packet P1 .
After receiving request order, A checks the packet states and knows that L does
not own the packet P1 , so A sends P1 to L by the same way as it sends P1 to B.
After receiving the packet P1 , L tries to make an optimal coding decision for
neighbors A, B, and C, by referring to neighbors’ packet states. L encodes a new
packet Pe = P1 ⊕ P2 ⊕ P4 for neighbors A, B, and C, and prepares three copies of
the same w qubits according to Pe , then it operates the particles in different EPR
pairs with A, B, and C, respectively, to transmit the packet Pe . When the opera-
tion on EPR pairs is completed, L broadcasts a packet which includes all measure-
ment outcomes and corresponding notification bits to the receivers A, B, and C as
follows (Fig. 6.7):
A B A B
Definition 1 Assume that there are l(l ≥ 2) neighbors around a relay node, then
the number of listeners who successfully obtain packets by opportunistic listening
in unit time can be used to evaluate the extent of opportunistic characteristic. If all
neighbors can successfully overhear the packet from the relay node, it is defined as
completely opportunistic characteristic. If the number of successful listeners is ≤, it
is defined as weakly opportunistic characteristic.
Proof Because of the cooperation of classical channel and quantum channel in quan-
tum teleportation, we can implement opportunistic listening in quantum communi-
cation, which seems to be impossible by using only quantum channel. However, the
opportunistic characteristic in this scheme is weaker than COPE.
Consider a common scenario in Fig. 6.8, there are l(l = 4) neighbors around two
communication parties A and B. In COPE, all neighbors can overhear the encoded
packet sent from A to B in unit time. Comparatively, in this scheme, all neighbors
send request orders to A or B, but A and B can only transmit the packet to one
neighbor, respectively, so the number of successful listeners are 2 and 2 ≤ l, the
equal sign makes sense only if there are merely 2 neighbors. So this scheme satisfies
the condition of weakly opportunistic characteristic.
Because the cooperation of quantum channel for communication, and classical
channel for listening in this scheme, the opportunistic characteristic of this scheme
has some difference with COPE. A summary of comparison is shown in Table 6.2.
(a) (b)
Proof Assume that a packet Pr is transmitted between A and B, and all l neigh-
boring nodes can judge that a new transmission is occurring between A and B by
opportunistic listening. We define a learned node as the node who owns the packet
Pr , then neighbors will send a request order to the learned node A or B, with the
same probability 21 , to request for Pr . Restricted by quantum channel, A or B can
only send the packet Pr to one requester and other requesters will have to wait.
T (l) represents the delay of a packet obtained by l neighbors during the process of
opportunistic listening, which will decide the subsequent coding strategy of oppor-
tunistic coding so as to describe the transmission performance of a network. Fewer
delay means higher flexibility and better performance. So the delay will be discussed
in detail.
Firstly, we consider the worst case. If all neighbors send request orders to one
node (e.g., A) as shown in Fig. 6.9a, A can only choose one requester (e.g., L 1 )
to transmit Pr . The rest of the nodes has to wait, but they hear the transmission
occurring between A and L 1 , so they know that L 1 becomes a learned node. Then
the rest of nodes will send request orders to three learned nodes A, B, L 1 with the
same probability 31 . In the worst case, all nodes send request orders to the same node
(just like A in Fig. 6.9b), regardless of how many leaned nodes there are. In this way,
T (l) will reach maximum:
118 6 Opportunistic Quantum Network Coding
(a) (b)
T (l) = O(l)
Secondly, we consider the best case as shown in Fig. 6.10. In Fig. 6.10a, A and
B both receive a request order and send Pr to the requester L 1 and L 5 , respectively.
By opportunistic listening, neighbors know that L 1 and L 5 have received the packet
from A and B, so there are 22 = 4 learned nodes now. Next, the rest of nodes will
send request orders again, but they have four choices this time, so they will send
request order to A, B, L 1 , L 5 with probability 41 , respectively. In the best case, four
learned nodes will all receive request orders, and the number of learned nodes will be
changed to 23 = 8 after packet transmission. In this way, T (l) will reach minimum:
21 + 22 + 23 + · · · + 2 T ≥ l
It can be rewritten as
T (l) = O(log2 l)
Compared with conventional QNC schemes, this scheme realizes opportunistic char-
acteristic by listening to classical channel. Furthermore, this scheme realizes oppor-
tunistic coding by broadcasting the measurement outcomes and notification bits,
which allows more than one neighbor to receive the measurement outcome during
one transmission, and therefore improves network throughput.
6.6 Performance Analysis 119
Since quantum communication is expensive, some extra resources, which may be less
expensive than quantum communication, are considered in many quantum network
coding schemes. Such representative resources include the following:
(i) Classical communication;
(ii) Pre-shared entanglement (such as EPR pairs).
The above two kinds of resources are both used in this scheme.
This scheme is designed in the setting where every two nodes possess pre-shared
entanglement (EPR pairs). For transmitting a w-bit encoded packet to g neighbors,
a relay node needs to apply quantum teleportation, it consumes wg qubits, wg EPR
pairs, 2wg bits, and another l bits for notification bits. For each time of quantum
channel verification, it consumes h qubits and 2h EPR pairs to detect the integrity of
EPR pairs. Meanwhile, some procedures consume only classical bits, such as sending
request order or rejection order. Table 6.4 gives a summary of resource consumption
in this scheme.
120 6 Opportunistic Quantum Network Coding
Theorem 1 By only capturing classical bits, an attacker cannot get the transmitted
packet in the scheme.
Proof Assume that an attacker can capture classical bits without being discovered.
In this scheme, the attacker may capture the following:
(i) The classical bits between two communication parties.
In quantum teleportation, these bits are the outcomes of Bell-state measurement
as follows:
00 → φ+ , 10 → φ− , 01 → ψ + , 11 → ψ −
According to the principle of quantum teleportation, they are used to tell the
receiver which unitary operation should be performed on the particle of the shared
EPR pair so as to “recover” the transmitted quantum state. So without the shared
EPR pair, the measurement outcomes are meaningless for an attacker.
(ii) The request order or rejection order between two communication parties.
In this scheme, the request order is used to ask the receiver for latest packet, and
the rejection order is used to refuse the packet request. Such orders are irrelevant to
the content of a packet, so they are useless for attacker to get the transmitted packet.
(iii) The broadcast packet from a relay node who encodes for neighbors.
The broadcast packet from a relay node consists of measurement outcomes and
notification bits. Measurement outcomes make no sense for an attacker, which is
explained in the case of (i). The function of notification bits is to tell who are the
desired receivers of measurement outcomes. It also makes no sense for an attacker
unless what it wants to know is merely who the relay node sends the packet to, which
is certainly not a secret for all nodes.
6.7 Security Analysis 121
pm pm
pm
There are two types of quantum channels in this scheme: one is the direct quantum
channel used to transmit one measure particle pm during the process of quantum
channel verification, and the other one is the latent channel between the shared EPR
pairs. In order to obtain information, an attacker can disturb the above two types of
quantum channels.
Theorem 2 Assume that an attacker replaces the measure particle pm with another
particle pm , namely pm → pm , it can be detected by quantum channel verification.
Proof As shown in Fig. 6.11, any substitutionof pm → pm will
cause that the state
of quantum system changes, namely | c → c , and c can be described as
c c
= ⊗ |Am
Proof Assume that an attacker have the chance to disturb the EPR pairs, we denote
his auxiliary quantum state by |e , the entire state of the shared EPR pair and the
auxiliary quantum state is
a b e = + ⊗ |e
j j j
where a, b represent two particles of the shared EPR pair, while e represents the
particle corresponding to |e . The attacker applies a unitary operation Uε in a j b j e ,
the entire state of quantum system becomes
Uε ψa j b j e = 0a j 0b j ⊗ |E1 + 0a j 0b j ⊗ |E2
+ 1a 0b ⊗ Ẽ 1 + 1a 1b ⊗ Ẽ 2
j j j j
where |E 1 ⊥ |E 2 , Ẽ 1 ⊥ Ẽ 2 , and E 1 | Ẽ 2 + E 2 | Ẽ 1 = 0.
When A applies the C-NOT gate, Eq. 6.1 can be rewritten as follows:
c
ψ = Cam Uε ψa b e |ψm
j j
= 21 [(cos θ 0a j 0b j 0m + e−iϕ sin θ 0a j 0b j 1m ) ⊗ |E 2
+[(cos θ 1a j 1b j 1m + e−iϕ sin θ 1a j 1b j 0m ) ⊗ Ẽ 2
+[(cos θ 0a j 1b j 0m + e−iϕ sin θ 0a j 1b j 1m ) ⊗ |E 1
−iϕ
+[(cos θ 1a j 0b j 1m + e sin θ 1a j 0b j 1m ) ⊗ Ẽ 1 ]
The above equation shows the entire state after Step 2 in quantum channel
veri-
fication under an attack’s disturbance. Then B performs some operations on ψ c in
Step 3 in quantum channel verification, the entire state 6.2 becomes
Cbm ψ c = 21 [(cos θ 0a j 0b j 0m + e−iϕ sin θ 0a j 0b j 1m ) ⊗ |E 2
+[(cos θ 1a j 1b j 0m + e−iϕ sin θ 1a j 1b j 1m ) ⊗ Ẽ 2
+[(cos θ 0a j 1b j 1m + e−iϕ sin θ 0a j 1b j 0m ) ⊗ |E 1
+[(cos θ 1a j 0b j 1m + e sin θ 1a j 0b j 1m ) ⊗ Ẽ 1 ]
−iϕ
It is obvious that Cbm ψ c = + ⊗ |ψm , the measurement pm cannot be sep-
arated correctly, and the parameters are changed, so the disturbance can be detected
by quantum channel verification.
6.8 Summary
References
1. Ahlswede, R., Cai, N., Li, S.: Network information flow. IEEE Trans. Inf Theory 46(4), 1204–
1216 (2000)
2. Koutsonikolas, D., Hu, Y.C., Wang, C.C.: An empirical study of performance benefits of net-
work coding in multihop wireless networks. In: IEEE International Conference on Computer
Communications (ICCC), pp. 2981–2985 (2009)
3. Katti, S., Rahul, H., Hu, W., et al.: XORs in the air: practical wireless network coding. IEEE/ACM
Trans. Netw. 16(3), 497–510 (2008)
4. Sebastian, N., Florian, M., Markus, R., et al.: Air-to-ground quantum communication. Nat.
Photonics Lett. 3(7), 382–386 (2013)
5. Shang, T., Du, G., Liu, J.W.: Opportunistic quantum network coding based teleportation. Quan-
tum Inf. Process. 15(4), 1743–1763 (2016)
6. Bennett, C.H., Brassard, G.: An update on quantum cryptography. In: International Cryptology
Conference (CRYPTO’84), 475–480 (1984)
7. Zeng, G.H.: Quantum identity authentication without lost of quantum channel. In: China
Crypt’04, pp. 141–146 (2004)
Chapter 7
Quantum Network Coding with Message
Authentication
Homomorphism can be divided into two types: additive homomorphism and multi-
plicative homomorphism [4]. Given variables X 1 and X 2 , a function φ is additively
homomorphic if there exists a function f satisfying φ (X 1 + X 2 ) = f (φ (X 1 ) ,
φ (X 2 )). Similarly, φ is multiplicative homomorphic if there exists a function f satis-
fying φ (X 1 × X 2 ) = f (φ (X 1 ) , φ (X 2 )). Homomorphic signature scheme is based
on homomorphic algorithm. Assume that a node receives messages (E 1 , E 2 , . . . , E n )
and corresponding signatures (φ(E 1 ), φ(E 2 ), . . . , φ(E n )), where φ is additively
homomorphic. If this node wants to generate a signature on a1 E 1 + a2 E 2 , . . . +
an E n , it can obtain the signature by means of S = f (φ(E 1 ), φ(E 2 ), . . . φ(E n )) =
φ(a1 E 1 + a2 E 2 , . . . + an E n ). A concrete example of homomorphic signature scheme
BFKW was given by Boneh et al. [5]. Hence homomorphic signature scheme can
generate a new signature on its message without the private keys of data sources,
which is very important to distribute networks and can be used to generate new
signatures at intermediate nodes by directly manipulating the original signatures of
received messages without encryption operation.
A general quantum signature model is conjectured just as shown in Fig. 7.1. By
sharing an EPR pair (denoted as |ψ12 ) with a verifier V , a signer A can sign on its
classical information X by means of performing a corresponding unitary operation
on its particle 2. For the aggregation of multiple signatures, it is the most straight
idea to guarantee that each signer shares an EPR pair with the aggregator C, then
the aggregator generates a new signature. Just as described in Fig. 7.1, the key is to
generate a new homomorphic signature S3 = U (X 1 ⊕ X 2 ) · |ψ4 at the aggregator
C according to two signatures S1 and S2 . As far as we know, no quantum signature
schemes have been proposed to combine the homomorphic algorithm till now. The
existing quantum signature schemes are also not suitable for quantum networks
just as described in Motivation. Hence it is significant to investigate the design of
quantum homomorphic signature for the authentication of data sources in quantum
networks.
7.1 Quantum Homomorphic Signature for QNC 127
S1 U X 1 2
X1
S3 U X 1 X2 4
C V
X2
B
S2 U X2 4
Bell-state Measurement
2 1 2 1
4 3 4 3
Then
128 7 Quantum Network Coding with Message Authentication
+
φ ⊗ ψ + 34
12
1
= (|00011234 +|00101234 +|11011234 +|11101234 )
2
1
= (|00011324 +|01001324 +|10111324 +|11101324 )
2
1 + − + − + −
= φ +φ ψ + ψ 24 + ψ 13 + ψ 13 (7.1)
4 13 13 24
× φ+ 24 + φ− 24 + ψ + 13 − ψ − 13 φ+ 24 − φ− 24
+
+ φ+ − φ −13
ψ
13
− ψ − 24 24
1 + +
= φ 13 ψ 24 + φ− 13 ψ − 24 + ψ + 13 φ+ 24
2
+ψ − 13 φ− 24
signature. Here we take a simple example for illustration. Firstly, four operators are
defined as follows for convenience:
10
U (00) = I = |0 0| + |1 1| =
01
01
U (01) = σx = |1 0| + |0 1| =
10
1 0
U (10) = σz = |0 0| − |1 1| =
0 −1
0 −1
U (11) = −iσ y = |0 1| − |1 0| = .
1 0
X1 Y1 X2 Y2
M2
Step 2: EPR pair distribution. M1 firstly prepares two pairs of entangled particles
+ 1
φ = √ (|0012 + |1112 ) ,
12
2
+
φ = √1 (|0034 +|1134 ) .
34
2
(3) Combine
Step 1: A1 (A2 ) sends the transformed particle 2(4), namely ψ 2 (ψ 4 ), and the
classical bits X 1 ⊕ Y1 (X 2 ⊕ Y2 ) to M1 .
Step 2: M1 performs a Bell-state measurement on the particles 1 and 3. Here we
denote ψ 13 as the state of the particles 1 and 3 after measurement. Then according
to entanglement swapping,
the particles 2 and 4 would collapse to the Bell-state which
can be denoted as ψ 24 . ψ 4 would be the signature of M1 , i.e., |S M1 = ψ 4 .
Step 3: M1 sends the classical
information
(X 1 ⊕ Y1 ) ⊕ (X 2 ⊕ Y2 ) and the parti-
cles (1, 2, 3, 4) (i.e., ψ 13 ⊗ ψ 24 ) to M2 .
(4) Verify
After receiving the classical information and the particles from M1 , M2 can verify
the signature as follows:
1: M2 performs
Step a Bell-state measurement on the particles 1 and 3, and obtains
ψ . Note that ψ falls to one of the four Bell-states according to Table 7.1.
13 13
Hence the Bell-state measurement on the particles 1 and 3 from M2 would be non-
destructive.
2: M2 performs a Bell-state measurement on the particles 2 and 4, and obtains
Step
ψ .
24
Step 3: According to Table 7.1, M2 compares ψ 24 with |ψ24 , and obtains
an operator which satisfies ψ 24 = c (Z ) U (Z )(4) · |ψ24 . Here the superscript (4)
means performing an operation on the particle 4, and |c (Z )| = 1. Consider the result-
ing state of the original particles after entanglement swapping. If the measurement
result of the original particles 1 and 3 satisfies |ψ13 = ψ 13 , then we denote |ψ24
as the resulting state of the original particles 2 and 4 after entanglement swapping.
Step 4: M2 compares X 1 ⊕ X 2 ⊕ Y1 ⊕ Y2 with Z . If X 1 ⊕ X 2 ⊕ Y1 ⊕ Y2 = Z ,
M2 would confirm that ψ 4 is the signature of M1 . Then M2 can calculate X 1 ⊕ X 2
by its keys Y1 and Y2 (which are prior shared with the senders as described in the
process of signature). Otherwise M2 would deny the signature.
We take an example to illuminate this scheme more clearly.
Example 7.1 Assume X 1 = 00, Y1 = 01, X 2 = 01 and Y2 = 11. Then the signatures
of A1 and A2 are S1 = U (00 ⊕ 01) |ψ2 = σx |ψ2 , S2 = U (01 ⊕ 11)|ψ4 = σz |ψ4 ,
respectively. After signing phase, the state of the particles (1, 2, 3, 4) becomes
+
φ → ψ 12 = σx (2) φ+ 12 = ψ + 12
+12
φ → ψ 34 = σz (4) φ+ 34 = φ− 34 .
34
After combining phase, the particles 1(2) and 3(4) would collapse to a Bell-
state according to entanglement swapping. Here we assume that ψ 13 = ψ + 13 .
After
receiving
the information and signatures (the particles),
M2 would obtain that
ψ = φ− by measurement. Then M2 compares φ− with the corresponding
24 24 24
original state of |ψ24 (which equals to ψ + 24 as shown in Table 7.1). Without mod-
ification from attackers, M2 will obtain that ψ 24 = φ− 24 = −U (11)(4) |ψ24 =
132 7 Quantum Network Coding with Message Authentication
−U (11)(4) ψ + 24 , i.e., Z = 11. By verifying that Z equals to X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2
(=11), M2 can confirm that the resulting data X 1 ⊕ X 2 is surely from the senders
A1 and A2 .
To prove the homomorphism of the quantum signature scheme, we give two lemmas
as follows:
Lemma 7.1
U (X 1 )U (X 2 ) |ϕ = c(X 1 , X 2 )U (X 1 ⊕ X 2 ) |ϕ ,
In other cases, the same conclusion can be drawn. Hence Lemma 7.2 is proved.
ψ = U (X 1 ⊕ Y1 )(2) φ+ 12 ⊗ U (X 2 ⊕ Y2 )(4) φ+ 34
1234
1
= U (X 1 ⊕ Y1 )(2) U (X 2 ⊕ Y2 )(4) (|00001234 +|00111234
2
+|11001234 +|11111234 )
1
= U (X 1 ⊕ Y1 )(2) U (X 2 ⊕ Y2 )(4) φ+ 13 φ+ 24 +
2
− − + + − −
φ φ + ψ ψ + ψ ψ
13 24 13 24 13 24
1 +
ψ = φ 13 cx · U (X 1 ⊕ Y1 )(4) U (X 2 ⊕ Y2 )(4) φ+ 24
1234
2
+ φ− 13 cx · U (X 1 ⊕ Y1 )(4) U (X 2 ⊕ Y2 )(4) φ− 24
+ ψ + 13 cx · U (X 1 ⊕ Y1 )(4) U (X 2 ⊕ Y2 )(4) ψ + 24
+ ψ − 13 cx · U (X 1 ⊕ Y1 )(4) U (X 2 ⊕ Y2 )(4) ψ − 24
1 +
= φ 13 cx · c (U1 , U2 ) · U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4)
2
+ −
φ + φ cx · c (U1 , U2 ) · U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4)
− 24 + 13
φ + ψ cx · c (U1 , U2 ) · U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4)
+ 24 − 13
ψ + ψ 13 cx · c (U1 , U2 ) · U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4)
− 24
ψ
24
After
performing a Bell-state measurement on the particles 1 and 3, we obtain
that ψ 24 = U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4) |ψ24 . Note that |cx · c (U1 , U2 )| = 1 is a
phase factor and can be ignored after
performing
a Bell-state
measurement.
Com-
paring with the original state φ+ 12 ⊗ φ+ 34 = 21 φ+ 13 φ+ 24 + 21 φ− 13 φ− 24 +
1 +
2
ψ 13 ψ + 24 + 21 ψ − 13 ψ − 24 , we obtain that ψ 24 = c(Z ) · U (Z )(4) · |ψ24 ,
Z = X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 .
Here we can view the operation of entanglement swapping as a function f and
the operation of signature as a function Sign . As we know, the effect of f is φ+ 12 ⊗
+
φ → ψ 13 ⊗ ψ 24 , and the effect of Sign is Sign (X ) = U (X ⊕ Y )(2) |ψ12 , here
34
Y is the secret key corresponding to the information X .
By definition, the aggregator M1 receives the messages (X 1 ⊕ Y1 , X 2 ⊕ Y2 )
and the corresponding signatures. Note that different from classical case, we only
view the particles 2(4) as the signature S1 (S2 ). Hence S1 (S2 ) can be generated by
Sign (X 1 )(Sign (X 2 )) as follows:
Sign (X 1 ) → S1 = ψ 2 = U (X 1 ⊕ Y1 )|ψ2 ,
Sign (X 2 ) → S2 = ψ 4 = U (X 2 ⊕ Y2 )|ψ4 .
Proof Although the BB84 protocol has been proved to be unconditionally secure,
it is vulnerable to a middle-man attack. Hence an improved BB84 protocol inspired
by the literature [6] can be used to distribute the key to defend against a middle-man
attack.
In this protocol, M2 and Ai share a series of EPR pairs. M2 owns one half of
these particles and Ai owns the others. M2 prepares a photon sequence (we called
these particles as “key particles” for convenience), whose particles correspond to
the base vector |+ |− or |1 |0 at random. Firstly, M2 inserts its EPR particles
into its photon sequence at random and preserve the sequence number of these EPR
particles. Then M2 sends its photon sequence and the sequence number to Ai . Ai
performs the measurement on the key particles with the basis of |+ |− or |0 |1.
And Ai tells M2 the chosen measurement basis. M2 tells Ai the photons measured
by the corresponding base vectors. Consequently, they discard the photons that they
measure by the different base vectors. After transforming the remaining key particles
to classical bits (called raw key) as follows: |1 → 1, |0 → 0 |+ → 1, |− → 0,
they choose some bits of the raw key and compare them. Obviously, if the unequal
bits exceed a certain threshold, they have suffered from a wiretapping attack.
In this process, Ai can also detect the middle-man attack by measuring the EPR
particles in the photon sequence and its own EPR particles. If a middle-man, Mallory,
captures the sequence number of these EPR particles and the photon sequence, forges
the EPR particles and sends them to Ai . Because Ai can measure the EPR particles
by four Bell bases at random, the measurement results of the EPR particles forged
by Mallory would be different from the EPR particles of Ai . Hence the middle-man
attack would be found. Based on the improved BB84 protocol, this quantum key
distribution protocol can defend against any middle-man attack. Hence we can prove
Lemma 7.3.
Lemma 7.4 The secret key Yi is impossibly calculated by means of classical infor-
mation and its corresponding quantum signature.
Proof As shown in Fig. 7.4, any attacker cannot obtain the secret key by capturing
classical information and its quantum signature. The details are as follows:
(1) If an attacker captures the particle 2i (i ∈ {1, 2}) and the information X i ⊕ Yi
which are sent by Ai , he cannot obtain the key Yi .
136 7 Quantum Network Coding with Message Authentication
M1
S M1
X1 Y1 X2 Y2
M2
In
this case, an attacker can obtain the state of the particles 2 and 4, namely
ψ = U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 ) (4)
|ψ24 by performing a Bell-state measurement
24
on them. However, the attacker can only obtain the classical bits X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2
by the unitary operator U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 ). But he cannot obtain the keys Y1
and Y2 separately even if he can also captures X 1 ⊕ Y1 and X 2 ⊕ Y2 .
Proposition 7.3 If two senders use the same secret key, namely Y1 = Y2 , the quantum
signature scheme can verify the identity of a single data source. If two senders use
different secret keys, namely Y1 = Y2 , the quantum signature scheme can verify the
identity of different data sources.
7.1 Quantum Homomorphic Signature for QNC 137
A M M
X Y X Y
X Y X Y X Y
X Y
D
A X Y
7.1.7 Discussion
(1) Setup
Similarly, we assume that Ai share its key Yi with M2 by the improved BB84
protocol described in Lemma 7.3. Furthermore, M1 prepares three pairs of entangled
states
+ 1
φ = √ (|0012 + |1112 ) ,
12
2
+
φ = √1 (|0034 +|1134 ) ,
34
2
+ 1
φ = √ (|0056 + |1156 ) .
56
2
Similarly, with the value of |ψ46 we can also calculate the value of |ψ 26 which is
the entanglement swapping result of |ψ12 ⊗ |ψ46 when |ψ14 = ψ 14 .
Step
2: M2 performs a Bell-state
measurement on the particles 2, 6 and obtains
ψ . Then M compares ψ with |ψ26 , and obtains an operator which satisfies
26 2 26
ψ (6)
= c (Z ) U (Z ) · |ψ26 . Here |c (Z )| = 1.
26
Step 3: M2 calculates X 1 ⊕ X 2 ⊕ X 3 by its keys . Furthermore, if X 1 ⊕ Y1 ⊕
X 2 ⊕ Y2 ⊕ X 3 ⊕ Y3 = Z , M2 would confirm that ψ 6 is the signature of M1 and
assure that the resulting information X 1 ⊕ X 2 ⊕ X 3 originates from the source nodes
A1 , A2 and A3 . Otherwise M2 would deny the signature.
According to the above approach, the scheme can be easily extended to multi-
source model which may contain n source nodes. Moreover, it can solve the problem
of identity authentication of single-source unicast, single-source multicast, multi-
source unicast, or multi-source multicast in quantum networks.
Note that the scheme will consume 4 extra particles (two entangled pairs) to gen-
erate a homomorphic signature. Obviously, for an n-source node model it would
need 2n particles. Hence the efficiency and security of EPR pair distribution is very
important. An effective distribution scheme would be of great value to the popu-
larization of the scheme in the future. It is worth noting that the particles (1,2,3,4)
in the scheme will still fall into the Bell-state after homomorphic signature as fol-
lows: |ϕ12 ⊗ |ϕ34 → |ϕ13 ⊗ |ϕ24 . This means that the particles can be reused
for next signature. Hence by a reasonable design in the future, the consumed parti-
cles for homomorphic signature would be reduced, which could greatly enhance the
efficiency of the scheme.
M1
1
F : X1 X 2 1
E1 : U (X1 X2 ) 2 E2 : U (X1 X2 ) 1
(X 2 )
M2
B2 G2 : X1 X2 G1 : X1 X2 B1
(X 2 ) (X 2 )
original states correctly. Hence it is necessary to verify the identity of the data source
to defend against such attacks.
As homomorphic signature scheme can authenticate data source and allows inter-
mediate nodes to generate a new signature by directly manipulating original signa-
tures without encryption operation, it is widely applied in classical network coding
to defend against pollution attacks. If quantum homomorphic signature scheme is
feasible in quantum network coding, it will be very helpful to enhance the security
of quantum network communication, beyond quantum network coding. By introduc-
ing quantum homomorphic signature [3] into the typical quantum network coding
scheme with prior entanglement, a secure quantum network coding scheme against
pollution attacks was designed [8].
The first quantum homomorphic signature scheme [3] creatively treats entanglement
swapping as a quantum homomorphic operation. As shown in Fig. 7.7, A1 and A2
are signers, M1 is an aggregator who generates a new homomorphic signature from
received signatures, M2 is a verifier, and ⊕ denotes the operation of exclusive OR.
After analysis, two problems are found in the scheme. Firstly, only one node
can achieve signature verification. Hence the scheme does not completely suit for
defending against pollution attacks in quantum network coding, where two or more
destination nodes need to authenticate data source by verifying a signature. Secondly,
the signature sent from M1 to M2 can be easily forged if the classical bits X 1 ⊕
Y1 ⊕ X 2 ⊕ Y2 and the particles (1, 3, 2, 4) were captured by an attacker. Suppose
that
+ the state of the particles (1, 3) after the entanglement swapping is ψ 13 =
ψ , then the state of the particles (2, 4) should be ψ 24 = c · U (X 1 ⊕ Y1 ⊕ X 2 ⊕
13
(4) +
Y2 ) ψ 24 . As we know, the verifier accepts the signature
as long as the(4)
received
classical message Z and the Bell-state ψ 24 satisfy ψ 24 = c · U (Z ) ψ + 24
(here Z = X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 ). If an attacker replaces the classical bits X 1 ⊕ Y1 ⊕
X 2 ⊕ Y2 by a corrupt data E while preparing two entangled particles (5, 6) with
7.2 Secure Quantum Network Coding with Message Authentication 141
M1
X1 Y1 X2 Y2
M2
|ψ56 = c · U (E)(4) ψ + 24 , the verifier would accept the signature according to the
received information E and the particles (1, 3, 5, 6). In other words, the attacker has
forged the signature successfully.
and B2 recovers
U (X 1 ⊕ X 2 ) U (X 1 ⊕ X 2 )−1 |ϕ2 = |ϕ2 .
Theorem 7.1 The fidelity of the quantum network coding scheme with message
authentication is 1.
Proof As we know, Hayashi’s scheme with prior entanglement can transmit two
qubits crossly and perfectly over the butterfly network. Note that all the operations
introduced would not affect the fidelity of transmitting unknown qubits. Hence the
fidelity of the scheme is the same as that of Hayashi’s scheme, namely 1.
In order to securely transmit two qubits over the butterfly network by Hayashi’s
scheme with prior entanglement, quantum signatures need to be introduced to achieve
144 7 Quantum Network Coding with Message Authentication
data source authentication. In the scheme, 8 quantum particles are needed in each
transmission process. 4 of the 8 particles are used to generate original signatures
and the homomorphic signature, and the other 4 particles to copy the homomorphic
signature. This can be seen from Fig. 7.9a. By contrast, if we generate a signature
at each node instead of using homomorphic signature, 10 quantum particles will
be needed, which can be seen from Fig. 7.9b. Hence the scheme saves 2 quantum
particles in each transmission process, and saves 2n particles during n transmission
processes. The amount of saved particles increases linearly with transmission.
In this scheme, each channel can optionally transmit one qubit or two bits as
required.
Theorem 7.2 The achievable rate for the scheme declines from (r1 , r2 ) = (1, 1)
to (r1 , r2 ) = 15 , 15 compared with the perfect quantum network coding with prior
entanglement between two senders.
Proof Hayashi’s scheme with prior entanglement can reach a rate pair as (r1 , r2 ) =
(1, 1). This means Hayashi’s scheme can transmit two source qubits simultaneously
by a single use of the network. The scheme adds a signature mechanism for data
source authentication which needs to send the extra information of signatures in the
network. Obviously, this would reduce the achievable rate. Compared with Hayashi’s
work, to transmit two source qubits simultaneously, this scheme needs to transmit
four extra particles which are sent via S1 (S2 ) → M1 → M2 → B1 for signature.
Due to the capacity of channels, we need to transmit these particles by using the
network four times. Then we can easily obtain that (r1 , r2 ) = 15 , 15 for this scheme.
Proposition 7.4 In this scheme, any corrupt packet which prevents receivers from
recovering original states would be detected.
7.2 Secure Quantum Network Coding with Message Authentication 145
Proof As mentioned above, during the signature verification process B1 will first
derive a unitary operator U (Z ) by comparing ψ 24 with |ψ24 such that ψ 24 =
c (Z ) U (Z )(4) |ψ24 . Here Z = X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . Assume that an attacker mod-
ifies packets and the packet B1 receives after modification is denoted as E, then the
following two cases may occur
Case 1: E = X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . In this case, the modified packets will pass
the signature verification, but will not be found out. As the modification does not
affect the decoding process, B1 and B2 can still recover the original quantum states.
Therefore, such modification will not be treated as an attack.
Case 2: E = X 1 ⊕ K 1 ⊕ X 2 ⊕ K 2 . In this case, the modified packets cannot pass
the signature verification and will be found out by B1 and B2 .
All in all, any corrupt packet which prevents receivers from recovering original
states would be detected.
Proposition 7.5 With the information of trusted intermediate nodes, this scheme
can locate a corrupt data source.
Assume that the intermediate node M1 is a trusted node. Here “trusted” means that
the node would not modify any packet and can share all the keys Y1 , Y2 , K 1 , K 2 . In
this case, with the help of the trusted node, M1 , B1 can find out the corrupt packet
and locate the corrupt data source.
Concretely, when B1 finds out data corruption by verifying the signature, it notifies
information {C1 , C2 , V1 , V2 } to it (see
M1 to transmit the Step
6 of Sect. 7.2.3). Con-
sider that V1 = ψ 12 = U (X 1 ⊕ Y1 )(2) |ψ12 and V2 = ψ 34 = U (X 2 ⊕ Y2 )(4) |ψ34 ,
B1+can
obtain +X1 ⊕ Y1 and X 2 ⊕ Y2 by comparing V1 and V2 with the original states
φ and φ . If X i ⊕ Yi = Ci ⊕ K i ⊕ Yi , B1 can conclude that X i ⊕ K i has
12 34
been modified before M1 and the modification of data occurs in the channel Di . Oth-
erwise, B1 can confirm that the modification of data occurs in the channels F, G 1 , G 2
instead of D1 and D2 . If the intermediate node M2 is also a trusted node, we can
further locate with accuracy in which channel of F, G 1 , G 2 the modification occurs.
7.3 Summary
In this chapter, to verify the identity of different data sources in the quantum network,
we introduced a quantum homomorphic signature scheme based on entanglement
swapping. In this scheme, any attacker which attempts to falsify the data would be
found. Security analysis shows that this scheme can effectively guarantee the security
of secret keys and verify the identity of different data sources in the quantum network.
146 7 Quantum Network Coding with Message Authentication
References
1. Johnson, R., Molnar, D., Song, D., et al.: Homomorphic signature schemes. Top Cryptol CT-RSA
2271, 244–262 (2002)
2. Lu, H., Guo, G.: Teleportation of a two-particle entangled state via entanglement swapping.
Phys. Lett. A 276(5), 209–212 (2000)
3. Shang, T., Zhao, X.J., Wang, C., et al.: Quantum homomorphic signature. Quantum Inf. Process.
14(1), 393–410 (2015)
4. Yu, Z., Wei, Y., Ramkumar, B.: An efficient Signature-based scheme for securing network coding
against pollution attacks. In: IEEE International Conference on Computer Communications
(ICCC), pp. 1409–1417
5. Boneh, D., Freeman, D., Katz, J., et al.: Signing a linear subspace: signature schemes for network
coding. Public Key Cryptogr. 68–87, (2009)
6. Ljunggren, D., Bourennane, M., Karlsson, A.: Authority-based user authentication in quantum
key distribution. Phys. Rev. A 62(2), 1–7 (2000)
7. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding with
modification. Phys. Rev. A 76(4), 538–538 (2007)
8. Shang, T., Pei, Z., Liu, J.W.: Quantum network coding against pollution attacks. IEEE Commun.
Lett. 20(7), 1369–1372 (2016)
Chapter 8
Continuous-Variable Quantum Network
Coding
According to the fact that a quantum system has either a discrete spectrum or a con-
tinuous spectrum, quantum information can be classified into two categories, namely
discrete variables and continuous variables. Discrete variables denote quantum vari-
ables of finite-dimensional Hilbert space such as the polarization of single photons.
Continuous variables denote quantum variables of infinite-dimensional Hilbert space
such as the amplitude and phase quadratures of an optical field. In fact, the exist-
ing quantum network coding schemes can be called the discrete-variable quantum
network coding (DVQNC) schemes, which use discrete variables as information
carrier for QNC. These schemes encode discrete information on single photons
which are difficult to prepare and detect. As a result, the cost of a discrete-variable
quantum communication system is rather high. The transmission rate is also very
low because many vacuum pulses are generated when single photons are prepared.
From a conceptual point of view, it is illuminating to consider continuous variables
in quantum network coding. This includes the extension of quantum communica-
tion protocols from discrete to continuous variables and hence from finite to infi-
nite dimensions. The main motivation for dealing with quantum information with
where x and p are real parameters and the subscripts A and B denote different states.
Assume that the reference state 1 and the input state 2 are in the joint state
|ψ(0, 0)1,2 and the auxiliary states 3 and 4 are prepared in the state
∞
|χ3,4 = dxdpf (x, p)|ψ(x, −p)3,4 ,
−∞
where f (x, p) is a complex amplitude function. After applying the cloning transfor-
mation Û2,3,4 , the result is
∞
| = dxdpf (x, p)|ψ(x, p)1,2 |ψ(x, −p)3,4 . (8.1)
−∞
∞
The first copy ρ̂a = −∞ dxdpPa (x, p)|ψ(x, p)ψ(x, p)| will be obtained by
tracing over states 3 and 4. It is affected by an error distribution of Pa (x, p) =
|f (x, p)|2 .
By exchanging states 2 and 3, Eq. 8.1 can be represented as
150 8 Continuous-Variable Quantum Network Coding
∞
| = dxdpg(x, p)|ψ(x, p)1,3 |ψ(x, −p)2,4 ,
−∞
∞ i(px −xp )
where g(x, p) = 2π 1
−∞ dx dp e f (x , p ).
Similarly, the second copy ρ̂b can be obtained by tracing over states 2 and 4. It is
affected by an error distribution of Pb (x, p) = |g(x, p)|2 .
In order√to construct a symmetric cloner, f (x, y) is chosen to be f (x, p) =
e−(x +p )/2 / π so that the symmetric requirement |f (x, y)|2 = |g(x, y)|2 can be sat-
2 2
isfied. In this case, the variances of the position and momentum error of the two
copies are the same, namely (xa )2 = (pa )2 = (xb )2 = (pb )2 .
Assume that the input is an arbitrary state |ξ, then applying the Gaussian cloning
machine to the state |ξ results in
∞
ρ̂ = dxdpP(x, p)|ξ(x, p)ξ(x, p)|, (8.2)
−∞
where |ξ(x, p) = D̂(x, p)|ξ. D̂(x, p) denotes the displacement operator parameter-
ized by x and p, which displaces the momentum by p and then the position by x.
Equation 8.2 shows that the output is a mixture of the displaced states, with x and p
distributed according to a bivariate Gaussian distribution P(x, y) = e−(x +y ) /π.
2 2
In fact, x̂ and p̂ can be any conjugate pair of quadratures such as the amplitude
and phase quadratures.
From the perspective of encoding and decoding, input states at intermediate nodes
are combined or transformed in some way that is represented by a unitary operator.
Some operators can be described by a unitary matrix, which can be implemented
with linear optics. Furthermore, any network of linear optics can be described by
the input–output relationship âi = j Uij âj , where Uij are N × N unitary matrices
when acting on N optical modes [1].
Although not all unitary operators can be implemented by linear optics such as
beam splitters and phase shifters, the linear-optics toolbox provides essential ways for
generation, manipulation, and measurement of continuous-variable quantum states,
which are sufficient to build a basic communication system.
Specifically, any unitary transformation acting on two modes can be denoted by
the matrix [17] −i(φ+δ)
e sin θ e−iδ cos θ
U (2) = ,
e−i(φ+δ ) cos θ −e−iδ sin θ
which can be decomposed into a sequence of phase shifts and phase-free beam splitter
rotations,
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 151
e−iδ 0 sin θ cos θ e−iφ 0
U (2) = . (8.3)
0 e−iδ cos θ − sin θ 0 1
The ideal phase-free beam splitter is described by the matrix with the parameter
θ in Eq. 8.3. When θ = π4 , it becomes a 50:50 beam splitter and its outputs are
| √12 (â1 ± â2 ). Thus, the addition and subtraction operations of inputs can be easily
accomplished by a beam splitter.
where the superscript (0) denotes vacuum state and r is the squeezing parameter.
According to Eq. 8.4, when r → ∞, it is calculated that x̂2 = x̂in and p̂2 = p̂in .
Teleportation realizes the transmission of quantum states with only classical com-
munication. As long as Bob receives the same classical message as Alice sent, he can
obtain a quantum state with a high fidelity. So teleportation is more reliable compared
with the direct quantum transmission, in which quantum states may be attenuated
or affected by noise in quantum channels. By virtue of reliability, teleportation is
utilized to design quantum network coding schemes. A paradigm is the PE scheme
proposed by Hayashi [19]. Furthermore, by utilizing continuous-variable teleporta-
tion, a continuous-variable quantum network coding scheme can be constructed.
152 8 Continuous-Variable Quantum Network Coding
Gaussian cloning machine, which was briefly introduced in Sect. 8.1.2, can be used
as the copying operation for coherent states. The input coherent state is denoted by
|α0 , then the output of GC is
ρ̂ = d 2 αG(α)|α0 + αα0 + α|,
where the displacement error α = x + ip is composed of the position error x and the
phase error p. x and p obey the bivariate Gaussian distribution with zero mean and a
variance of 1/4, i.e., P(x, p) = π2 exp[−2(x2 + p2 )]. So the distribution function of
α is G(α) = π2 exp(−2|α|2 ). We can calculate the fidelity of the Gaussian cloner as
follows:
2 2
d 2 αe−3|α| = .
2
f = α0 |ρ̂|α0 =
π 3
After two single-mode states |α1 = |x1 + ip1 and |α2 = |x2 + ip2 are mixed on
a 50:50 beam splitter, the transformation of Eq. 8.5 can be performed.
⎧ √
⎪
⎪ x̂1 → x̂1 = (x̂1 − x̂2 )/ √2
⎨
p̂1 → p̂1 = (p̂1 − p̂2 )/√ 2
(8.5)
⎪ x̂2 → x̂2
⎪ = (x̂1 + x̂2 )/ √2
⎩
p̂2 → p̂2 = (p̂1 + p̂2 )/ 2
As shown in Fig. 8.1, the add and subtract states of the inputs can be obtained by
amplifying (x̂1 , p̂1 ) and (x̂2 , p̂2 ), respectively. Let the inputs be mixed at the 50:50
beam splitter BS. According to a desired operation, one of the output beams of BS is
chosen as the input of the √ noiseless linear amplifier (NLA). After the amplification
process with a factor g = 2, the desired state |α+ = |α1 + α2 or |α− = |α1 −
α2 is obtained. Generally, we can use |α± to represent the output of ADD/SUB
operators.
Thereby, we can define the ADD operator as ADD(|α1 , |α2 ) = |(x1 + x2 ) +
i(p1 + p2 ) and the SUB operator as SU B(|α1 , |α2 ) = |(x1 − x2 ) + i(p1 − p2 ).
Theorem 1 The ADD operator and the SUB operator can be applied to encode and
decode coherent states, respectively.
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 153
g 2
| in |
| 1
BS
| 2
Proof During the encoding process, two input coherent states are |α1 = |x1 + ip1
and |α2 = |x2 + ip2 . By applying the ADD operator to them, we obtain the encoded
state |αE = ADD(|α1 , |α2 ) = |(x1 + x2 ) + i(p1 + p2 ).
During the decoding process, by applying the SUB operator to |αE and |α2 , we
obtain the decoded state |αD = SU B(|αE , |α2 ) = |x1 + ip1 = |α1 . Similarly,
the decoded state will be |α2 if |αE and |α1 are the inputs to the SUB operator.
So one of the inputs to the ADD operator can be decoded by the SUB operator if we
have the other input.
B. Basic scheme
The network setting is presented in Fig. 8.2. It is based on the butterfly network
with all-quantum channels. Source nodes s1 and s2 simultaneously send quantum
states to target nodes t1 and t2 . r1 and r2 are two intermediate nodes. Quantum
states are encoded at r1 and decoded at t1 and t2 . The rest of the nodes only need
to clone the quantum states they have received and send the replicas to subsequent
nodes. To achieve the maximal cloning fidelity, we use coherent states as information
carrier. The coherent states at s1 and s2 are denoted by |αA = |xA + ipA and |αB =
|xB + ipB , respectively.
The scheme is described as follows:
Step 1. s1 and s2 apply the GC operator to |αA and |αB . The resulting states are
{Q1 , Q2 } = GC(|αA ) and {Q3 , Q4 } = GC(|αB ). s1 sends Q1 to t2 and Q2 to r1 . s2
sends Q3 to r1 and Q4 to t1 .
Step 2. Encoding phase. r1 applies the ADD operator to the quantum states it has
received and then sends the result Q5 = ADD(Q2 , Q3 ) = |αA + αB to r2 .
Step 3. r2 applies the GC operator to Q5 and sends the replicas {Q6 , Q7 } = GC(Q5 )
to t2 and t1 , respectively.
Step 4. Decoding phase. t1 and t2 apply the SUB operator to the quantum states
they have received. The resulting states are ρ̂Aout = SU B(Q7 , Q4 ) = |αA and ρ̂Bout =
SU B(Q6 , Q1 ) = |αB .
Thereby, this scheme can successfully transmit two coherent states across in the
butterfly network by a single network use. Meanwhile, quantum states are not trans-
mitted perfectly due to the noise introduced by the approximate Gaussian cloning.
154 8 Continuous-Variable Quantum Network Coding
Q Q
Q Q Q
Q Q
B A
out out
C. Fidelity
For the CVQNC scheme, we need to assess the resemblance of quantum states
between target node and source node by means of fidelity. For an arbitrary input
state |φin , a fidelity F is defined as [20]
which indicates that quantum fluctuations will not be amplified during this operation.
After the GC operation at s1 , the replicas of |αA are
{Q1 , Q2 } = d 2 αG(α)|αA + ααA + α|,
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 155
where β has the same distribution as α. After the GC operation at r2 , the replicas of
Q5 are
{Q6 , Q7 } = d 2 γG(γ) d 2 βG(β)|αA + αB + β + γαA + αB + β + γ|,
detectors. One of the homodyne detectors measures the amplitude quadrature and
the other measures the phase quadrature. As a result, input modes |α1 and |α2 can
be projected onto the maximally entangled continuous-variable basis:
(2) Displacement
The displacement operator is D̂(α) = exp(α↠− α† â), where α is a complex num-
ber. D̂(α) acts on a mode â and yields a displacement by α,
D̂† (α)âD̂(α) = â + α.
D̂(α) is a unitary operator, which means to find D̂† (α) = D̂−1 (α) = D̂(−α) so
as to offset the displacement yielded by D̂(α).
Theorem 3 The Bell detection and the displacement operator can be used to encode
and decode quantum states.
Proof During the encoding process, assume the input quantum state is |xin + ipin .
We apply the Bell detection and obtain the measurement results α1 = √12 [(xin −
x1 ) + i(pin + p1 )], where x√
1 and p1 are quadratures of an ancilla. Then another ancilla
|x2 + ip2 is displaced by 2α1 , obtaining the encoded state
x̂encode = x̂2 + x̂in − x̂1
.
p̂encode = p̂2 + p̂in + p̂1
During the decoding process, the input state will be recovered as long as we find
the complex number α2 = (x1 − x2 ) − i(p1 + p2 ) and apply D̂(α2 ) to the encoded
state.
It seems difficult to find the complex number α2 due to the uncertainty of x2 and p2 ,
but they can be offset by using the intrinsic correlation of entanglement, as demon-
strated in the teleportation scheme. Based on the basic operations of Bell detection
and displacement, we design a CVQNC scheme utilizing pre-shared entanglement.
B. Basic scheme
The network setting is presented in Fig. 8.3. The scheme requires one optical mode
transmission or one complex number transmission in the butterfly network. Two
quantum states can be transmitted across by a single network use.
In the scheme, two source nodes s1 and s2 share two EPR pairs described by
Wigner functions WEPR (x̂11 , p̂11 , x̂12 , p̂12 ) and WEPR (x̂21 , p̂21 , x̂22 , p̂22 ), of which the
conjugate quadratures meet the correlation of Eq. 8.4 so that
√
x̂k1 − x̂k2 = √2e−r x̂2(0)
, k = 1, 2, (8.6)
p̂k1 + p̂k2 = 2e−r p̂1(0)
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 157
| x A ip A | xB ipB
| x11 ip11 | x12 ip12
| x21 ip21 | x22 ip22
s1 s2
x ip
1 1
x2 ip2
r1
| x11 ip11 ( x1 x2 ) i ( p1 p2 ) ip22
| x22
r2
( x1 x2 ) i ( p1 p2 ) ( x1 x2 ) i ( p1 p2 )
t2 t1
| xB ipB | x A ip A
where x̂2(0) and p̂1(0) are quadratures of vacuum states and r is the squeezing parameter.
s1 has the first mode of the EPR pairs, namely |xk1 + ipk1 (k = 1, 2), and s2 has the
second mode |xk2 + ipk2 (k = 1, 2). s1 and s2 prepare their coherent states |xA + ipA
and |xB + ipB . t1 and t2 are target nodes.
The scheme is described as follows:
Step 1. s1 applies Bell detection and displacement. Mix |xA + ipA and |x21 + ip21
at a 50:50 beam splitter which performs the transformations:
⎧ √
⎪
⎪ x̂A → x̂1 = (x̂A − x̂21 )/ 2
⎨ √
p̂A → k̂1 = (p̂A − p̂21 )/ √2
.
⎪
⎪ x̂ → q̂1 = (x̂A + x̂21 )/ √2
⎩ 21
p̂21 → p̂1 = (p̂A + p̂21 )/ 2
Then s1 measures the pair (x̂1 , p̂1 ) and displaces |x11 + ip11 as
√
x̂11 → x̂11 = x̂11 − √2x̂1
.
p̂11 → p̂11 = p̂11 − 2p̂1
and the displaced mode |x22 + ip22 is
√
x̂22 = x̂22 − √2x̂2
.
p̂22 = p̂22 − 2p̂2
s2 sends x2 + ip2 to r1 and |x22 + ip22 to t1 .
Step 2. r1 adds up the received classical numbers and sends the result (x1 + x2 ) +
i(p1 + p2 ) to r2 .
Step 3. r2 copies the received classical message and sends replicas to t1 and t2 .
Step 4. According to the received classical message, tk (k = 1, 2) displaces the
quantum state |x̂k⊕1,k⊕1 + ip̂k⊕1,k⊕1 as
√
x̂k⊕1,k⊕1 → x̂k⊕1,k⊕1 + √2(x̂1 + x̂2 )
.
p̂k⊕1,k⊕1 → p̂k⊕1,k⊕1 + 2(p̂1 + p̂2 )
By using Eq. 8.6 and setting r → ∞, t1 and t2 obtain |xA + ipA and |xB + ipB ,
respectively.
C. Fidelity
Theorem 4 If the EPR pairs shared between two source nodes are ideal, i.e., per-
fectly correlated and maximally entangled, r → ∞, then the CVQNC scheme with
prior entanglement can transmit two quantum states across perfectly by a single
network use.
Proof Here we consider the quantum state at the target node t1 . The case of the target
node t2 will be the same for the reason of symmetry.
After step 1, the two quadratures of |x22 + ip22 are
x̂22 = x̂22 − x̂B + x̂12
.
p̂22 = p̂22 − p̂B − p̂12
At t1 , x̂22 is displaced as
√
x̂22 → x̂22 = x̂22 + 2(x̂1 + x̂2 )
= x̂A − x̂21 + x̂22 .
√ −r (0)
= x̂A − 2e x̂2
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 159
Similarly, p̂22 is displaced as
√
p̂22 → p̂22 = p̂22 + 2(p̂1 + p̂2 )
= p̂A + p̂21 + p̂22 .
√ −r (0)
= p̂A + 2e p̂1
When r increases to infinity, the final quantum state at t1 becomes |x̂A + ip̂A ,
which is the same as the quantum state sent by s1 . As a result, we can conclude that
the CVQNC scheme with prior entanglement can successfully transmit two quantum
states across perfectly by a single network use.
A. Network throughput
Network throughput is an important criterion for evaluating the performance of net-
work coding schemes. As aforementioned, continuous variables are quantum vari-
ables of infinite-dimensional Hilbert space. Compared with two-dimensional discrete
variables frequently used in the conventional DVQNC schemes such as the polariza-
tion of single photons, continuous variables can carry much more information. As
a result, the CVQNC schemes are supposed to have larger network throughput than
the DVQNC schemes.
Theorem 5 Assume that a coherent state |x + ip is modulated with classical char-
acters, i.e., x, p ∈ {0, 1, ..., N − 1}, then each target node can receive 4log2 N bits
of classical information by a single network use when applying the CVQNC scheme
using approximate operations.
Proof When the classical character set for modulation has N elements, each charac-
ter contains log2 N bits of information. As described in Sect. 8.1.5, each target node
receives two coherent states by a single network use, which contains four classical
characters, i.e., 4log2 N bits.
Theorem 6 Assume that a coherent state |x + ip is modulated with classical char-
acters, i.e., x, p ∈ {0, 1, ..., N − 1}, then each target node can receive 2log2 N bits of
classical information by a single network when applying the CVQNC scheme with
prior entanglement.
Proof In the CVQNC scheme with prior entanglement, each target node receives
one coherent state with a fidelity of 1. As mentioned in Theorem 5, each quadrature
of a coherent state contains log2 N bits of classical information, so each target node
receives 2log2 N bits.
160 8 Continuous-Variable Quantum Network Coding
As a matter of fact, coherent states are nonorthogonal, which means they cannot
be perfectly distinguished to yield the ideal entropy calculated in Theorems 5 and 6.
The square of the inner product of two arbitrary coherent states |α and |β is
|β|α|2 = e−|α−β| .
2
(8.7)
Equation 8.7 shows that coherent states |α and |β are approximately orthogo-
nal when |α − β| 1 so they can be measured by heterodyne detection with high
accuracy. The condition |α − β| 1 requires the elements of classical character set
to have large values, which may be impractical for implementation.
It is necessary to explore how to discriminate nonorthogonal states. There are
mainly two types of discrimination, namely minimum error discrimination (MED)
and unambiguous state discrimination (USD). MED is a measurement that mini-
mizes the probability of erroneously identifying the quantum states, while USD is a
measurement that maximizes the probability of conclusively identifying the quantum
states. In 1999, Banaszek [21] proposed a USD scheme that discriminates two arbi-
trary coherent states with an inconclusive probability of Pinc = exp(−|α1 − α2 |2 ).
Then van Enk [22] proposed a USD scheme that optimally discriminates multiple
coherent states in the limit of small amplitudes. Finding a scheme for optimally
discriminating coherent states with any input amplitudes become an open prob-
lem. Both MED and USD schemes are explored to discriminate four coherent states
[23, 24], which are not optimal but can outperform heterodyne detection. In 2014, da
Silva et al. [25] proposed an MED scheme for optimal discrimination of M coherent
states.
To achieve the theoretical throughput of the CVQNC schemes, we need careful
selection of the classical character set, as well as the measurement scheme.
B. Performance comparison
The performance comparison among the CVQNC schemes, the XQQ scheme [15]
and the PE scheme [19] is listed in Table 8.1.
The DVQNC schemes transmit orthogonal quantum states which are of two-
dimensional Hilbert space, namely |0 and |1. Two quantum states can be discrim-
Table 8.1 Performance comparison among our CVQNC schemes, XQQ and PE
Item Scheme
All-quantum channels Quantum-classical channels
CVQNC using XQQ CVQNC with PE
approximate prior
operations entanglement
Fidelity 1/2 Strictly larger 1 1
than 1/2
Classical network 4log2 N bits 2 bits 2log2 N bits 1 bit
throughput
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 161
8.1.8 Discussion
x̄ → T x̄ + d , V → T V T T + N ,
162 8 Continuous-Variable Quantum Network Coding
Specifically, C(I ) = C(1, 0, 0) is the identity channel. L(τ , n̄) = C(0 < τ <
1, 2, n̄) is the most important model which represents lossy channels with attenuation
and thermal noise. If the thermal number is zero, Lp (τ ) = C(0 < τ < 1, 2, 0) is a
pure-loss channel. In this case, the physical representation of Lp (τ ) is a beam split-
ter of transmissivity τ mixing its input with a vacuum state. This pure-loss channel
model can be used to describe broadband communication lines such as waveguides
and free-space optical communication [30]. Without loss of generality, we use the
pure-loss channel model to describe the noisy channels in the CVQNC schemes.
(2) Capacity of quantum channels
To evaluate the effect of noise on network throughput, we calculate the capacity of
the pure-loss channels in the CVQNC schemes, which imposes restriction on trans-
mission rate. Quantum channels can be used for transmitting quantum information
and classical information, so there are two kinds of channel capacity for quantum
channels, namely quantum capacity and classical capacity. The quantum capacity of
a quantum channel is defined to be the number of qubits that can be reliably trans-
mitted by a single channel use. While the classical capacity of a quantum channel is
defined to be the number of bits a receiver can extract from the quantum states by a
single channel use. The CVQNC schemes use quantum states as information carrier
to transmit classical information, so the network throughput calculated in Sect. 8.1.7
is classical. Since the performance of the schemes is evaluated in terms of classical
information, it is reasonable to consider the classical capacity of quantum channels.
Besides, classical capacity is restricted by quantum laws. Assume an arbitrary ran-
dom variable for modulation is A = {a, pa }, and the corresponding quantum ensem-
ble is Q = {ρ̂a , pa }, where each character a occurs with probability pa . The quantum
states are transformed by a quantum channel N , i.e., Q → N (Q). A receiver needs
to use a measuring operation to extract information as much as possible from N (Q),
and the maximal quantity is called the accessible information. The upper bound of
the accessible information of N (Q) is the Holevo bound, which is asymptotically
achievable and defined as
χ(Q, N ) = S N pa ρ̂a − pa S N ρ̂a , (8.8)
a a
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 163
where S is the von Neumann entropy, which is a quantum analogy to the classical
Shannon entropy. By maximizing χ(Q, N ) over all possible sources, one can obtain
the one-shot classical capacity of N as
Then the full classical capacity is obtained by regularizing n uses of the channel:
1 (1) ⊗n
C(N ) = lim C (N ). (8.9)
n→∞ n
Calculation of Eq. 8.9 seems infeasible since it involves optimization over infinite
uses of the channel, but a feasible formula has been given for pure-loss channels
[30]. Using von Neumann entropy instead of Shannon entropy in Eq. 8.8 shows that
quantum laws impose restriction on the classical capacity of quantum channels. A
physical interpretation is that the modulated quantum states are usually nonorthog-
onal and cannot be distinguished, so information is only partly accessible in the
quantum setting. The lack of accessibility of quantum information restricts the clas-
sical capacity of quantum channels. In other words, the classical capacity of quantum
channels is restricted by quantum laws so it can be used to evaluate the transmission
performance of quantum communication.
Quantum capacity is a straightforward criterion for evaluating the performance of
quantum channels. The calculation of quantum capacity is similar to that of classical
capacity and involves regularizing arbitrarily many uses of the channel:
1
Q(n) (N ) = max Icoh (N ⊗n , ρ̂(n) ),
n ρ̂(n)
Here the coherent information Icoh (N , ρ̂) is a function of input ρ̂ and the channel N ,
where ρR is a purification of ρ and S denotes the von Neumann entropy. For pure-loss
channels, coherent information is not always additive. When transmissivity τ < 0.5,
pure-loss channels are antidegradable and their quantum capacity is zero [31], in
which case the quantum capacity is not additive. Recent work has proved that one can
construct a quantum channel for which quantum capacity is zero by arbitrary n uses of
N , i.e., Q(n) (N ) = 0, while achieves positive quantum capacity by a larger number
of uses [32]. So the quantum capacity of a channel does not completely specify
its capability for transmitting quantum information. The regularization in Eq. 8.10
cannot be ignored, which makes the calculation of quantum capacity infeasible.
164 8 Continuous-Variable Quantum Network Coding
Considering the above reasons, classical capacity is used to evaluate the trans-
mission performance of the noisy quantum channels in the CVQNC schemes.
(3) Result analysis
The schemes use infinite-dimensional quantum variables, which seems to carry infi-
nite information. However, if we encode classical information in these variables,
then the classical capacity of quantum channels depends on the input energy. The
classical capacity of a pure-loss channel Lp (τ ) is C(Lp ) = g(τ μ + 1 − τ ), where
g(x) = x+12
log x+12
− x−1
2
log x−1
2
, μ = 2m̄ + 1 and m̄ is the mean number of pho-
tons in one input mode. One can reach this capacity by using Gaussian-modulated
coherent states and heterodyne detection [30].
In the CVQNC schemes, assume the classical characters are {0, 1, ..., N − 1}
with uniform distribution. By modulating the amplitude and phase quadratures, we
obtain the quantum ensemble, namely {|0, |i, ..., |i(N − 1), |1, |1 + i, ..., |N −
1 + i(N − 1)}. For a coherent state |α, its mean photon number is |α|2 . According
to this property, the mean photon number of the modulated set of coherent states is
2N 2
m̄ = [1 + 22 + · · · + (N − 1)2 ]
N2 .
2
= (N − 1)(2N − 1)
3
We can roughly regard m̄ as the mean photon number of the channels in our CVQNC
schemes. In Scheme 1, links s1 → {r1 , t2 } and s2 → {r1 , t1 } send replicas of modu-
lated coherent states and links r1 → r2 , r2 → {t1 , t2 } send the sum state |αA + αB .
Obviously, we only need to consider the capacity of links s1 → {r1 , t2 }, s2 → {r1 , t1 }
with mean photon number m̄ because it is the lower bound of the network. In Scheme
2, links s1 → t2 and s2 → t1 send the mixtures of a modulated coherent state and
two EPR modes. The EPR pairs are two-mode squeezed vacuum states, so they do
not affect the mean number of photons.
Let μ = 2m̄ + 1 = 43 (N − 1)(2N − 1) + 1, then the capacity of pure-loss chan-
nels is
4(N − 1)(2N − 1)
C(Lp ) = g(τ μ + 1 − τ ) = g[ τ + 1],
3
where τ (0 < τ < 1) is the transmissivity of the channels. Figure 8.4 shows the
channel capacity with different τ s. The cross curve (“×”) shows the case of τ = 1
when the channel is an identity channel. The dot curve shows the function of 2log2 N ,
which is the quantity of classical information one can extract from a coherent state,
according to Sect. 8.1.7. The rest of the curves from top to bottom show the cases
of τ = 0.5, 0.3, 0.2. Obviously, channels with lower transmissivity τ have lower
capacity.
From Fig. 8.4, we observe the capacity is higher than 2log2 N in the case of τ > 0.5.
When the transmissivity is high enough, the ideal throughput can be reached. In fact,
the modulation method of our scheme sacrifices throughput for the tolerance of noise.
In low-noise channels, displacements in quantum variables are much smaller than the
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 165
10
τ=1
3
τ = 0.5
2 τ = 0.3
τ = 0.2
1 2logN
0
2 4 6 8 10 12 14 16
N
Fig. 8.4 Channel capacity of pure-loss channels with different τ s (0 < τ < 1)
gap between two modulation characters, so the displacement error can be corrected
easily. If input energy is not limited, then we can expand the modulation gap to
reduce the effect of noise in quantum channels.
B. Implementation scheme of nonideal amplifier
Among the basic operations of the CVQNC schemes, most of them can be imple-
mented with basic optical elements while the ADD/SUB operators have no obvious
implementation schemes. An idea of designing the ADD/SUB operators is depicted
in Fig. 8.1, where the key component is the noiseless linear amplifier. As a matter of
fact, a deterministic noiseless, phase insensitive, linear amplifier, as seen in classical
systems is unphysical in quantum theory [33]. Considering the practical usage of
the CVQNC Scheme, we introduce two implementation schemes of the nonideal
amplifier.
(1) Photon addition-subtraction scheme
A high fidelity noiseless amplifier for coherent states was proposed in 2010 [13]
and can be directly utilized for ADD/SUB operators. By combining photon addition
and subtraction in different orders, weak coherent
√ states can be amplified with a
high fidelity. Let the amplification gain g = 2, the amplification fidelity and the
effective gain are [13]
√ 2 √ 2
2)|α|2 ] e−( 2−1) |α|
2
[1 + (2 −
Famp1 = √ 2
, (8.11)
1 + |α|2 + ( 2 − 1) |α|4
166 8 Continuous-Variable Quantum Network Coding
√ √
( 2 − 1)[1 + ( 2 − 1)|α|2 ]
geff =1+ √ 2
. (8.12)
1 + |α|2 + ( 2 − 1) |α|4
Equations (8.11) and (8.12) show that the maximal amplification fidelity and the
maximal effective gain can be reached when |α| = 0. As |α| becomes large, they
decrease sharply. When |α| = 2.58, the fidelity is 0.5 and the effective gain is approx-
imately 1.102, namely about 77.9% of the ideal gain.
(2) Measure-displace scheme
In some optical implementations, part of optical circuits has a function of amplifica-
tion. In 2005, Andersen et al. [10] proposed a quantum cloning scheme for coherent
states with linear optical elements. An intermediate result of the cloning scheme is
1 λ 1 λ λ
|α = | √ + αin + √ − v1 − √ v2† , (8.13)
2 2 2 2 2
λ
which contains a quantum state amplified by a factor of √1
2
+ 2
and noise introduced
by vacuum states v1 and v2 .
Let λ = 21 , the output state in Eq. 8.13 becomes
√
|α± = | 2αin − v2† , (8.14)
where |α± represents the output state of the ADD/SUB operators in Fig. 8.1. Whether
it is |α+ or |α− depends on which output of the beam splitter becomes |ain .
Assume that the amplitude and phase variances of the inputs are the same. Accord-
ing to Eq. 8.14, the variances of the output are
2 x± = 22 xin + 2 xv
.
2 p± = 22 pin + 2 pv
2
F=
(1 + 2 xclone )(1 + 2 pclone )
according to [10], which gauges the similarity between the input and the output.
Similarly, the amplification fidelity is
2
Famp2 = ,
(1 + 2 x± )(1 + 2 p± )
8.1 Continuous-Variable Quantum Network Coding Using Coherent States 167
which gauges the similarity between the ideal output and the actual output. After
normalizing the variance of a vacuum state to unity, the amplification fidelity of the
measure-displace scheme is calculated to be 1/2.
The performance comparison between the measure-displace scheme and the pho-
ton addition-subtraction scheme is shown in Table 8.2. For weak coherent states
whose amplitude |α| is smaller than 2.58, the photon addition-subtraction scheme
is superior to the other one for a higher amplification fidelity. For strong coherent
states, the measure-displace scheme is better.
Then classical measurement results x1 = √12 (x1 + x3 ) and p3 = √12 (p1 − p3 ) are
obtained by operating homodyne detection on the x quadrature of |α1 and the p
quadrature of |α3 . Let r → ∞, then we can denote |α2 and |α4 as
|α2 = |x1 − ip1 √ √ . (8.17)
|α4 = |x3 − ip3 = | 2x 1 − x1 + i( 2p 3 − p1 )
Equation 8.17 shows that |α2 and |α4 are entangled. So the continuous-variable
entanglement swapping process is accomplished.
If |α2 and |α4 are displaced at first, obtaining |α2 = |α2 + mA and |α4 =
|α4 + mB , then |α2 and |α4 will still get entangled after applying Bell detection
to |α1 and |α3 . The entangled states can be expressed as
|α 2 = |x1 + xA − i(p1 − pA )
,
|α 4 = |x3 + xB − i(p3 − pB )
√ √
where mA(B) = xA(B) + ipA(B) , x1 + x3 = 2x1 , and p1 − p3 = 2p3 . We mix |α2
and |α4 at a 50:50 BS, then the output states are
Note that |α2 and |α4 can be expressed as |α2 = | √12 (α+
∗
+ mA + mB ) and
|α4 = | √12 (α−
∗ ∗
+ mA − mB ), where |α± = |x1 ± x3 − i(p1 ± p3 ). It can be seen
that the displacements on |α2 and |α4 are added up on |α+ after entanglement
swapping. The addition of displacements is completed without directly adding mA and
mB together, so the process of continuous-variable entanglement is a homomorphic
operation.
8.2 Continuous-Variable Quantum Homomorphic Signature 171
Assume there are two signers A and B, an intermediate node M and a verifier
V . A(orB) uses two pre-shared secret keys to sign its classical message a(b), and
generates a quantum state as a signature. M combines two signatures from A and B
and generates two new signatures by means of entanglement swapping. The basic
model is shown in Fig. 8.5.
The CVQHS scheme is defined by a tuple of algorithms (Setup, Sign, Combine,
Verify) and is described as follows:
(1) Setup
Step 1. A shares two secret keys kA1 and kA2 with V by continuous-variable quan-
tum key distribution. Meanwhile, B shares two secret keys kB1 and kB2 with V . The
secret keys are real numbers.
Step 2. M prepares two pairs of entangled states, namely (|α1 , |α2 ) and
(|α3 , |α4 ). They meet the correlations of Eqs. 8.15 and 8.16. When the squeezing
parameter r → ∞, it is approximate that x̂1 = x̂2 , p̂1 = −p̂2 , x̂3 = x̂4 , and p̂3 = −p̂4 .
Then M sends |α2 to A and |α4 to B.
k A1 k A2 k B1 k B2
Sk A (a) S kB (b)
1
M3
| 1 | 2 mA mB*
| 3 | 4
Quantum Channel
V Classical Channel
Entanglement
k A1 k A2 k B1 k B2
172 8 Continuous-Variable Quantum Network Coding
(2) Sign
Step 1. A signs its classical message a by displacing the quadratures of |α2 , while
B signs its classical message b by displacing the quadratures of |α4 . The signatures
are
SkA (a) = |α2 + mA + mkA1 + mkA2 = |α 2
,
SkB (b) = |α4 + mB + mkB1 + mkB2 = |α 4
where mA = a + ia, mkA1 = kA1 + ikA1 , and mkA2 = xkA2 + ipkA2 . xkA2 and pkA2 are
determined by the classical message and kA2 :
mB = b + ib, mkB1 = kB1 + ikB1 , and mkB2 = xkB2 + ipkB2 . xkB2 and pkB2 are deter-
mined by the classical message and kB2 :
Step 2. A sends the signature |α2 and the classical message mA to M , while B
sends the signature |α4 and the classical message mB to M .
(3) Combine
Step 1. M applies Bell detection on |α1 and |α3 . Firstly, M mixes |α1 and |α3
at a 50:50 BS and obtains
Then M measures the x quadrature of |α1 and the p quadrature of |α3 by homodyne
detection and obtains the classical measurement results x1 = √12 (x1 + x3 ) and p3 =
√1 (p1
2
− p3 ). At this point, |α2 and |α4 are entangled.
Step 2. M mixes |α2 and |α4 at a 50:50 BS and obtains two new signatures
Step 3. M sends the quantum states |α1 , |α2 , |α3 , |α4 and the classical message
mA+B = mA + m∗B to V .
(4) Verify
Step 1. V measures the x quadrature of |α2 and the p quadrature of |α4 by
homodyne detection and obtains the measurement results
8.2 Continuous-Variable Quantum Homomorphic Signature 173
Proof In the signing phase of the CVQHS scheme, A and B generate their signatures
SkA (a) = |α2 + mA + mkA1 + mkA2 and SkB (b) = |α4 + mB + mkB1 + mkB2 . At Step
2 of the combining phase, entangled signatures are mixed at a 50:50 BS. The output
quantum states are
Proof In the signing phase, A displaces the quadratures of |α2 by mA + mkA1 + mkA2
to generate a signature, while B displaces the quadratures of |α4 by mB + mkB1 + mkB2
to generate a signature. |α2 and |α4 are half of an entangled state which was
prepared by M in the initial phase every times, respectively. According to Eqs. (8.15)
and (8.16), the quadratures of entangled states are very noisy when the squeezing
parameter r → ∞. So A or B receives different quantum states as |α2 or |α4 ,
which has random values for their quadratures, and generates different signatures
each times for the same message. Similarly, the signatures |α2 and |α4 generated
by M are different each time because they are based on the noisy entangled states.
In conclusion, the CVQHS scheme generates different signatures each time for the
same message.
A. Resource consumption
In the CVQHS scheme, the intermediate node M prepares |αi (i = 1, 2, 3, 4) and
sends |α2 and |α4 to two signers. The signers apply displacement operator to the
received quantum states and send them back to M as signatures. After |α1 and |α3
are mixed at a 50:50 BS and measured by homodyne detectors, M combines two
signatures at a 50:50 BS and sends all quantum states to the verifier V . Then V
measures the quantum states and verifies the identities of the signers according to
measurement results and pre-shared secret keys.
During this process, four quantum states are consumed, where two of them are
used to generate signatures and the rest are ancillas. |α2(4) is operated three times and
8.2 Continuous-Variable Quantum Homomorphic Signature 175
Table 8.3 Comparison among the CVQHS scheme, Shang’s scheme, and Luo’s scheme
Item Scheme
CVQHS scheme Shang’s scheme Luo’s scheme
Consumption of 4 4 3(m + k )
quantum states
Average number of 3 3 1+ 2m
3(m+k )
operation
Average number of 2 2 1
transmission
transmitted three times, while |α1(3) is operated three times and transmitted once.
So the average number of operation is (3 × 2 + 3 × 2)/4 = 3 times per quantum
state and the average number of transmission is (3 × 2 + 1 × 2)/4 = 2 times per
quantum state.
Similarly, we can calculate the consumption and complexity of previous discrete-
variable quantum homomorphic signature (DVQHS) schemes [40, 41]. Shang’s
scheme [40] provides the basic structure for the CVQHS scheme and is different
in basic operations, so its consumption and complexity are the same as the CVQHS
scheme. In Luo’s scheme [41], a signer generates a sequence of m quantum particles
and k decoy states as its signature. The intermediate node M measures k decoy
states to check the existence of an eavesdropper and applies Bell-state measurement
to the rest of this sequence. Then M generates a new signature by using measure-
ment results. The new signature generated by M is composed of m quantum particles
and k decoy states and is measured by the verifier V in the verifying phase. The
scheme consumes 3(m + k ) quantum states and each quantum state is transmitted
once. If we treat Bell-state measurement as a combination of two operations, namely
a mixing operation of two quantum states at a 50:50 BS and single-photon detection,
)×2+(m+k )
the average number of operation is (2m+k3(m+k ) = 1 + 3(m+k
2m
) times per quantum
state.
Comparison among the CVQHS scheme and two DVQHS schemes is listed in
Table 8.3. It can be seen that the CVQHS scheme has lower consumption of quantum
states and more average number of operation and transmission than Luo’s scheme.
Although the average number are larger, our CVQHS schemes require fewer opera-
tions and transmissions in total because fewer quantum states are needed. Compared
with Shang’s scheme, the CVQHS scheme has the same performance on consump-
tion and complexity. Because quantum communication using continuous variables
has prominent advantages over discrete variables from the perspective of practical
use, the CVQHS scheme is more feasible than Shang’s DVQHS scheme.
B. Practical influence on verification threshold
Verification threshold Hth shows the tolerance of deviation between the transmitted
message and the message recovered from a signature. In the ideal case, Hth = 0
because messages and signatures will only be affected by potential attackers and any
slight deviation shows the existence of an attacker. Nevertheless, in the nonideal case,
quantum states will be affected by practical imperfections, so Hth should be higher.
176 8 Continuous-Variable Quantum Network Coding
Concretely, there are mainly two types of imperfections, namely device imperfection
and transmission imperfection. Device imperfection results from the nonideal imple-
mentation of quantum operators. Transmission imperfection results from the noise
in quantum channels. Here we consider the influence of finite squeezing parameter
r and lossy quantum channels with thermal noise.
Assume the quantum channels are modeled as
√ √
|α → | τ α + 1 − τ αN ,
where τ (0 < τ < 1) is transmissivity and |αN = |xN + ipN is thermal noise.
Assume thermal noise in each quantum channel is independently and identically
distributed and their quadratures follow Gaussian distribution: xN , pN ∼ N (0, VN ).
Next, we will calculate the verification threshold according to the process of the
proposed CVQHS scheme.
(1) Setup √ √
In Step 2, M sends |α2 to A and √ √ | τ α2 + 1 − τ αN1 . Meanwhile,
A receives
M sends |α4 to B and B receives | τ α4 + 1 − τ αN2 . Here |αN1 and |αN2 are
thermal noise.
(2) Sign √ √
In Step 2, A sends its signature | τ α2 + 1 − τ αN + mA + mkA1 + mkA2 to M and
M receives
√ √
|α2 = |τ α2 + τ (mA + mkA1 + mkA2 )+ τ (1 − τ )αN1 + 1 − τ αN3 ,
1
|α 4 = | √ (α 2 − α 4 )
2
τ τ ∗
=| (mA + mkA1 + mkA2 − mB − mkB1 − mkB2 ) + √ α−
2 2
−r (0) (0) (0) (0)
− τ e [x2 − x4 − i(p1 − p3 )]
1−τ √
+ [ τ (αN1 − αN2 ) + αN3 − αN4 ]
2
τ
= Sk −k (mA − mB )
2 A B
τ τ 3/2 ∗
|α 2 → | √ (mA + mkA1 + mkA2 + mB + mkB1 + mkB2 ) + √ α+
2 2
(0) (0) (0) (0)
√ τ
− τ 3/2 e−r [x2 + x4 − i(p1 + p3 )] + 1 − τ [ √ (αN1 + αN2 )
2
τ
+ (αN3 + αN4 ) + αN5 ]
2
τ √
|α3 → | (α1 − α3 ) + 1 − τ αN5
2
τ τ 3/2 ∗
|α 4 → | √ (mA + mkA1 + mkA2 − mB − mkB1 + mkB2 ) + √ α−
2 2
3/2 −r (0) (0) (0) (0)
√ τ
− τ e [x2 − x4 − i(p1 − p3 )] + 1 − τ [ √ (αN1 − αN2 )
2
τ
+ (αN3 − αN4 ) + αN5 ]
2
(4) Verify
In Step 2, V calculates
⎧ √
⎪
⎪ xV =τ (a + kA1 + xkA2 + b + kB1 + xkB2 ) − 2τ 3/2 e−r (x2(0) + x4(0) )
⎪
⎪ √ √ √
⎪
⎨ + 1 − τ [τ (xN1 + xN2 ) + τ (xN3 + xN4 ) + 2(1 − τ )xN5 ]
√
⎪
⎪ pV =τ (a + kA1 + pkA2 − b − kB1 − pkB2 ) + 2τ 3/2 e−r (p1(0) − p3(0) )
⎪
⎪
⎪
⎩ √ √ √
+ 1 − τ [τ (pN1 − pN2 ) + τ (pN3 − pN4 ) + 2(1 − τ )pN5 ]
178 8 Continuous-Variable Quantum Network Coding
In Step 3, V calculates xV = a + kA1 + xkA2 + b + kB1 + xkB2 and pV = a + kA1 +
pkA2 − b − kB1 − pkB2 by using pre-shared secret keys. Note that xk(0) , pk(0) ∼ N (0, 41 )
and xN , pN ∼ N (0, VN ), so Hx = (xV − τ xV )2 and Hp = (pV − τ pV )2 are very likely
to be larger than 0. The degree of deviation from 0 can be evaluated by the variances
of xV − τ xV and pV − τ p . So we calculate δ(xV − τ xV ) and δ(pV − τ pV ) as the
verification threshold in the nonideal case.
Hth = δ(xV − τ x V )
= δ(pV − τ p V )
= τ 3 e−r + 2(1 − τ )(1 − τ + 2τ 2 )VN
Assume that a, b, kA1 , kA2 , kB1 , kB2 ∼ N (0, σ 2 ). When one of them is wrong, Hx(p)
achieves the minimum.
Hx(p) ≥ τ 3 e−r + 2(1 − τ )(1 − τ + 2τ 2 )VN + 2τ 2 σ 2
It is obvious that Hx(p) > Hx(p) . So when a classical message or signature is tam-
pered or forged by an attacker or a dishonest intermediate node, Hx(p) is larger than
the verification threshold.
Eve needs to measure the x quadrature of part of the quantum states and the p
quadrature of the other part of the quantum states. Without loss of generality, we
assume Eve measures the x quadrature of |α1 and |α2 and the p quadrature of |α3
and |α4 . Eve can only calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2
on the basis of the measurement results and mA + m∗B . So the secret keys kA1 , kA2 ,
kB1 , and kB2 cannot be calculated.
Proof In the verifying phase, the verifier V uses pre-shared secret keys to verify a
signature. So Eve must obtain secret keys to forge a signature that can pass verifi-
cation. According to Lemma 1, Eve cannot calculate secret keys on the basis of the
classical messages and the quantum states transmitted in the channels. Assume the
secret keys are distributed securely in the setup phase, then it is impossible for Eve
to have the secret keys. So Eve cannot forge the signature of a legitimate signer.
In fact, even if Eve obtains the secret keys in the setup phase, it cannot forge
the signature of a legitimate signer because it does not share entangled states with
M . Assume Eve has a quantum state |α0 = |x0 + ip0 and the secret keys of A,
namely kA1 and kA2 . Eve signs a message e with secret keys kA1 and kA2 and gen-
erates the signature SkEA (e) = |α0 + mE + mkA1 + mkA2 = |αE , where mE = e + ie.
Then it substitutes the classical message and the signature of A with mE and |αE ,
respectively. In the verifying phase, V calculates
xV = x0 − x1 + e + kA1 + xkA2 + b + kB1 + xkB2
pV = p1 − p0 + e + kA1 + pkA2 − b − kB1 − pkB2
and
x V = e + kA1 + xkA2 + b + kB1 + xkB2
.
p V = e + kA1 + pkA2 − b − kB1 − pkB2
It is obvious that xV = xV and pV = pV . The verifier confirms the existence of an
attacker or a dishonest intermediate node and denies the signatures.
In conclusion, Eve cannot forge the signature of a legitimate signer.
Proposition 4 Assume secret keys are distributed securely in the setup phase, then
a dishonest intermediate node M cannot forge the signatures of legitimate signers.
Proof According to Lemma 1 and the assumption that secret keys are distributed
securely, M cannot obtain the secret keys kA1 , kA2 , kB1 and kB2 . Instead, M can only
calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2 .
verifying phase, V measures quantum states and calculates xV = x2M and pV = p4M .
According to mMA+B , V calculates a and b that satisfy a + b + i(a − b ) = mA+B .
M
Then mkA = xkA + ipkA can be calculated according to the pre-shared secret
1(2) 1(2) 1(2)
Since M cannot obtain kA2 and kB2 , it cannot calculate the correct values for mkA
1
and mkA . So M cannot forge the signatures of legitimate signers.
2
Finally, we prove the non-repudiation of the CVQHS scheme in Propersition 5.
Proposition 5 Assume secret keys are distributed securely in the setup phase, then
a signer cannot repudiate its signature after it has passed verification.
The network setting is presented in Fig. 8.6. s1 and s2 are source nodes and signers,
r1 and r2 are intermediate nodes, and t1 and t2 are target nodes and verifiers.
The scheme is described as follows:
Step 1. Setup phase. s1 shares secret keys kA1 and kA2 with target nodes. s2 shares
secret keys kB1 and kB2 with target nodes. s1 and s2 share two pairs of entangled states,
namely (|α11 , |α12 ) and (|α21 , |α22 ), and si (i = 1, 2) holds the ith modes of the
entangled states. r1 prepares two pairs of entangled states, namely (|α1 , |α2 ) and
(|α3 , |α4 ). A pair of entangled states (|α1 , |α2 ) meet the following correlations
⎧ (0) √
⎪
⎪ x̂1 = (er x̂1(3) + e−r x̂2(0) )/ 2
⎨ p̂ = (e−r p̂(0) + er p̂(0) )/√2
⎪
1
r (0)
1(3)
−r (0)
2 √ ,
⎪
⎪ x̂ = (e x̂ − e x̂ )/ 2
⎪
⎩
2 1(3)
(0)
2) √
p̂2 = (e−r p̂1(3) − er p̂2(0) )/ 2
(x̂1 − x̂2 )2 = e−2r /2
,
(p̂1 + p̂2 )2 = e−2r /2
where x̂k(0) and p̂k(0) (k = 1, 2) are a conjugate pair of quadratures of a vacuum state
|αk(0) and |αk(0) = |xk(0) + ipk(0) . Then r1 sends |α2 to s1 and |α4 to s2 .
| A | B
| 11 | 12
| 21 | 22
s1 s2
Sk A (a) S kB (b)
mA mB
r1
| 1 | 2 mA mB*
| 11 | | | 22
3 4
r2
mA mB* mA mB*
| 5 | 6 | 1 | 2
| | | |
t2 7 8 3 4
t1
Fig. 8.6 CVQNC scheme against pollution attacks
182 8 Continuous-Variable Quantum Network Coding
Step 2. Encoding phase. s1 applies Bell detection to |α21 and its signal mode |αA .
Concretely, it mixes two modes at a 50:50 beam splitter (BS) and applies homodyne
detection to the output states. Then it displaces the quadratures of |α11 according
to the measurement results (xA1 , pA1 ), where xA1 is the measurement result of the x
quadrature of |αA + α21 and pA1 the p quadrature of |αA − α21 . The displaced mode
is denoted as |α 11 .
Similarly, s2 applies Bell detection to |α12 and its signal mode |αB . Then it
displaces the quadratures of |α22 according to the measurement results (xB2 , pB2 ).
The displaced mode is denoted as |α 22 .
Step 3. Signing phase. s1 generates a real number a from (xA1 , pA1 ) according to
an encoding rule which is predetermined among all nodes. Then s1 uses secret keys
kA1 and kA2 to generate a signature of a, which is denoted by SkA (a). SkA (a) = D̂(ma +
mkA1 + mkA2 )|α, where D̂(γ) = exp(γ ↠− γ ∗ â) is the displacement operator. ma ,
mkA1 and mkA2 are complex numbers, namely ma = a + ia, mkA1 = kA1 + ikA1 , mkA2 =
xkA2 + ipkA2 , where xkA2 and pkA2 satisfy
and √
pV = 2(p 4 − τ p 3 )
In this section, we will analyze the performance of the scheme from the perspectives
of fidelity and network throughput.
A. Fidelity
Here we consider the quantum state at the target node t1 . The case of the target
node t2 will be the same for the reason of symmetry. Assume the entangled states
shared between two source nodes are ideal, i.e., perfectly correlated and maximally
entangled, r → ∞.
After step 2, the two quadratures of |x22 + ip22 are
x̂22 = x̂22 − x̂B + x̂12
.
p̂22 = p̂22 − p̂B − p̂12
At t1 , x̂22 is displaced as
√
x̂22 → x̂22 = x̂22 + 2(x̂A1 + x̂B2 )
= x̂A − x̂21 + x̂22 .
√
= x̂A − 2e−r x̂2(0)
Similarly, p̂22 is displaced as
√
p̂22 → p̂22 = p̂22 + 2(p̂A1 + p̂B2 )
= p̂A + p̂21 + p̂22 .
√
= p̂A + 2e−r p̂1(0)
When r increases to infinity, the final quantum state at t1 becomes |x̂A + ip̂A ,
which is the same as the quantum state sent by s1 . As a result, we can conclude that
our CVQNC scheme can successfully transmit two quantum states across perfectly
by a single network use. The fidelity of the scheme is 1.
B. Network throughput
Assume that a coherent state |x + ip is modulated with classical characters, i.e.,
x, p ∈ {0, 1, ..., N − 1}. When the classical character set for modulation has N ele-
ments, each character contains log2 N bits of information. In the proposed CVQNC
scheme, each target node receives one coherent state with a fidelity of 1. So each
184 8 Continuous-Variable Quantum Network Coding
target node can receive 2log2 N bits of classical information by a single network when
applying the CVQNC scheme.
As a matter of fact, coherent states are nonorthogonal, which means they cannot
be perfectly distinguished to yield the ideal entropy calculated. The square of the
inner product of two arbitrary coherent states |α and |β is
|β|α|2 =e−|α−β| .
2
(8.18)
Equation 8.18 shows that coherent states |α and |β are approximately orthogonal
when |α − β| 1 so they can be measured by heterodyne detection with high accu-
racy. The condition |α − β| 1 requires the elements of classical character set to
have large values, which may be impractical for implementation.
⎪
⎪ | √1 α−
⎪ 2
⎩ | √1 (α∗ + m − m + m + m − m − m )
2 − A B kA1 kA2 kB1 kB2
on the basis of the measurement results and mA + m∗B . So the secret keys kA1 , kA2 ,
kB1 , and kB2 cannot be calculated.
Secondly, we analyze whether an attacker Eve or a dishonest intermediate node
r2 can forge the signature of a legitimate source node.
In the verifying phase, t1 and t2 use pre-shared secret keys to verify a signature.
So Eve and r2 must obtain secret keys to forge a signature that can pass verification.
It has been proved that Eve and r2 cannot calculate secret keys on the basis of the
classical messages and the quantum states transmitted in the channels. Assume the
secret keys are distributed securely in the setup phase, then it is impossible for Eve
and r2 to have the secret keys. So Eve and r2 cannot forge the signature of a legitimate
signer.
In fact, even if Eve and r2 obtain the secret keys in the setup phase, they cannot
forge the signature of a legitimate signer because they do not share entangled states
with r1 . Assume Eve or r2 has a quantum state |α0 = |x0 + ip0 and the secret
keys of A, namely kA1 and kA2 . It signs a message e with secret keys kA1 and kA2
and generates the signature SkEA (e) = |α0 + mE + mkA1 + mkA2 = |αE , where mE =
e + ie. Then it substitutes the classical message and the signature of A with mE and
|αE , respectively. In the verifying phase, t1 calculates
xV = x0 − x1 + e + kA1 + xkA2 + b + kB1 + xkB2
pV = p1 − p0 + e + kA1 + pkA2 − b − kB1 − pkB2
and
x V = e + kA1 + xkA2 + b + kB1 + xkB2
.
p V = e + kA1 + pkA2 − b − kB1 − pkB2
verifying phase, t1 measures quantum states and calculates xV = x2M and pV = p4M .
According to mM A+B , t1 calculates a and b that satisfy a + b + i(a − b ) = mA+B .
M
Then mkA = xkA + ipkA can be calculated according to the pre-shared secret
1(2) 1(2) 1(2)
pV = pA+B
M
+ kA1 + pk A − kB1 − pk B . Finally, t1 calculates Hx = (xV − τ xV )2 and
2 2
Hp = (pV − τ pV )2 . If Hx ≤ Hth and Hp ≤ Hth , t1 accepts the signatures. Otherwise,
t1 denies the signatures.
To make the fake signatures pass verification, r1 should choose mM M
2 , m4 , and
M
mA+B to satisfy
M
x2 = xA+B
M
+ kA1 + x kA2 + kB1 + x kB2
.
p4 = pA+B + kA1 + p kA − kB1 − p kB
M M
2 2
Since r1 cannot obtain kA2 and kB2 , it cannot calculate the correct values for mkA
1
and mkA . So r1 cannot forge the signatures of a legitimate source node.
2
B. Non-repudiation
Assume secret keys are distributed securely in the setup phase and the target nodes
are honest. It has been proved that an attacker Eve and dishonest intermediate nodes
cannot perform forgery, so only the signatures generated by pre-shared secret keys
can pass verification. It has also been proved that secret keys cannot be calculated, so
nobody but legitimate source nodes and target nodes can obtain the secret keys. Since
the target nodes are honest, they always announce the correct verification results and
will not forge signatures. Therefore, a source node cannot repudiate its signature
after it has passed verification.
8.4 Summary
In this chapter, we introduced two feasible CVQNC schemes. The first scheme uses
the Gaussian cloning and ADD/SUB operators as the counterparts of key opera-
tions of quantum network coding. As quantum states cannot be cloned perfectly, the
fidelity of this scheme is constrained to be 1/2, which is rather low compared with the
existing DVQNC schemes. With the help of extra resources, i.e., pre-shared entangle-
ment and classical communication, the second scheme can transmit quantum states
with a fidelity of 1. By encoding classical information on quantum states, quantum
network coding schemes can be utilized to transmit classical information. Scheme
analysis shows that the CVQNC schemes have great advantage over discrete-variable
paradigms in network throughput from the viewpoint of classical information trans-
mission. Thus, CVQNC is a meaningful direction for quantum communication in
the perspective of efficiency and practicability.
Then we introduced a CVQHS scheme. The scheme is based on continuous-
variable entanglement swapping and provides additive and subtractive homomor-
phism. The CVQHS scheme is a basic model for verifying two different data sources
in a quantum network and future work is needed to extend it to multiple data sources.
Furthermore, we introduced a continuous-variable quantum network coding scheme
against pollution attacks. By combining continuous-variable quantum homomorphic
signature, the scheme can verify the identity of different data sources. As long as
8.4 Summary 187
quantum signatures pass verification, target nodes can decode their quantum states
and obtain the correct messages. Security analysis shows that the scheme is secure
against forgery and repudiation.
References
1. Braunstein, S.L., Loock, P.V.: Quantum information with continuous variables. Rev. Mod.
Phys. 77(2), 513–577 (2005)
2. Vaidman, L.: Teleportation of quantum states. Phys. Rev. A 49(2), 1473–1476 (1994)
3. Hillery, M.: Quantum cryptography with squeezed states. Phys. Rev. A 61(2), 022309 (1999)
4. Cerf, N.J., Levy, M., Assche, G.V.: Quantum distribution of gaussian keys using squeezed
states. Phys. Rev. A 63(5), 535–540 (2001)
5. Frederic, G., Philippe, G.: Continuous variable quantum cryptography using coherent states.
Phys. Rev. Lett. 88(5), 057902 (2002)
6. Bartlett, S.D., Sanders, B.C., Braunstein, S.L., et al.: Efficient classical simulation of continuous
variable quantum information processes. Phys. Rev. Lett. 88(9), 47–55 (2001)
7. Miwa, Y., Yoshikawa, J.I., van Loock, P., et al.: Demonstration of a universal one-way quantum
quadratic phase gate. Phys. Rev. A 80(5), 050303 (2009)
8. Cerf, N.J., Ipe, A., Rottenberg, X.: Cloning of continuous quantum variables. Phys. Rev. Lett.
85(8), 1754–1757 (2000)
9. Fiurasek, J.: Optical implementation of continuous-variable quantum cloning machines. Phys.
Rev. Lett. 86(21), 4942 (2001)
10. Andersen, U.L., Josse, V., Leuchs, G.: Unconditional quantum cloning of coherent states with
linear optics. Phys. Rev. Lett. 94(24), 240503 (2005)
11. Zeng, G., Lee, M., Guo, Y., et al.: Continuous variable quantum signature algorithm. Int. J.
Quantum Inf. 5(4), 553–573 (2007)
12. Weedbrook, C., Lance, A.M., Bowen, W.P., et al.: Quantum cryptography without switching.
Phys. Rev. Lett. 93(17), 170504-1–170504-4 (2004)
13. Zavatta, A., Fiurasek, J., Bellini, M.: A high-fidelity noiseless amplifier for quantum light
states. Nat. Photonics 5(1), 52–60 (2011)
14. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding for coherent states.
Quantum Inf. Process. 16(4), 107 (2017)
15. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
16. Grosshans, F., Grangier, P.: Quantum cloning and teleportation criteria for continuous quantum
variables. Phys. Rev. A 64(1), 783–797 (2001)
17. Bernstein, H.J.: Must quantum theory assume unrestricted superposition? J. Math. Phys. 15(10),
1677–1679 (1974)
18. Braunstein, S.L., Kimble, H.J.: Teleportation of continuous quantum variables. Phys. Rev. Lett.
80(4), 869 (1998)
19. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys. Rev. A 76(4), 538–538 (2007)
20. Braunstein, S.L., Fuchs, C.A., Kimble, H.J.: Criteria for continuous-variable quantum telepor-
tation. J. Mod. Opt. 47(2–3), 267–278 (2000)
21. Banaszek, K.: Optimal receiver for quantum cryptography with two coherent states. Phys. Lett.
A 253(1), 12–15 (1999)
22. van Enk, S.J.: Unambiguous state discrimination of coherent states with linear optics: applica-
tion to quantum cryptography. Phys. Rev. A 66, 042313 (2002)
23. Muller, C., Usuga, M.A., Wittmann, C., et al.: Quadrature phase shift keying coherent state
discrimination via a hybrid receiver. New J. Phys. 14(8), 83009–83021 (2012)
188 8 Continuous-Variable Quantum Network Coding
24. Becerra, F.E., Fan, J., Migdall, A.: Implementation of generalized quantum measurements for
unambiguous discrimination of multiple non-orthogonal coherent states. Nat. Commun. 4(3),
131–140 (2013)
25. da Silva, M.P., Guha, S., Dutton, Z.: Optimal discrimination of M coherent states with a small
quantum computer. In: International Conference on Quantum Communication, Measurement
and Computation (QCMC), vol. 1633, no. 1, pp. 225–227 (2014)
26. Gottesman, D., Kitaev, A., Preskill, J.: Encoding a qubit in an oscillator. Phys. Rev. A 64(1),
012310 (2001)
27. Chuang, I.L., Leung, D.W., Yamamoto, Y.: Bosonic quantum codes for amplitude damping.
Phys. Rev. A 56(2), 1114 (1997)
28. Holevo, A.S., Werner, R.F.: Evaluating capacities of bosonic Gaussian channels. Phys. Rev. A
63(3), 032312 (2001)
29. Holevo, A.S.: One-mode quantum Gaussian channels: structure and quantum capacity. Probl.
Inf. Transm. 43(1), 1–11 (2007)
30. Weedbrook, C., Pirandola, S., Garcia-Patron, R., et al.: Gaussian quantum information. Rev.
Mod. Phys. 84(2), 621 (2012)
31. Caruso, F., Giovannetti, V.: Degradability of bosonic Gaussian channels. Phys. Rev. A 74(6),
062307 (2006)
32. Cubitt, T., Elkouss, D., Matthews, W., et al.: Unbounded number of channel uses may be
required to detect quantum capacity. Nat. Commun. 6, 6739 (2015)
33. Caves, C.M.: Quantum limits on noise in linear amplifiers. Phys. Rev. D 26(8), 1817 (1982)
34. Li, Q., Chan, W.H., Wu, C., Wen, Z.: On the existence of quantum signature for quantum
messages. Int. J. Theor. Phys. 52(12), 4335–4341 (2013)
35. Clarke, P.J., Collins, R.J., Dunjko, V., et al.: Experimental demonstration of quantum digital
signatures using phase-encoded coherent states of light. Nat. Commun. 3, 1174 (2012)
36. Collins, R.J., Donaldson, R.J., Dunjko, V., et al.: Realization of quantum digital signatures
without the requirement of quantum memory. Phys. Rev. Lett. 113(4), 040502 (2014)
37. Guo, Y., Feng, Y., Huang, D., et al.: Arbitrated quantum signature scheme with continuous-
variable coherent states. Int. J. Theor. Phys. 55(4), 2290–2302 (2016)
38. Croal, C., Peuntinger, C., Heim, B., et al.: Free-space quantum signatures using heterodyne
measurements. Phys. Rev. Lett. 117(10), 100503 (2016)
39. Donaldson, R.J., Collins, R.J., Kleczkowska, K., et al.: Experimental demonstration of
kilometer-range quantum digital signatures. Phys. Rev. A 93(1), 012329 (2016)
40. Shang, T., Zhao, X.J., Wang, C., et al.: Quantum homomorphic signature. Quantum Inf. Process.
14(1), 393–410 (2015)
41. Luo, Q.B., Yang, G.W., She, K., et al.: Quantum homomorphic signature based on Bell-state
measurement. Quantum Inf. Process. 15(12), 5051–5061 (2016)
42. Li, K., Shang, T., Liu, J.W.: Continuous-variable quantum homomorphic signature. Quantum
Inf. Process. 16(10), 246 (2017)
43. Zukowski, M., Zeilinger, A., Horne, M.A., et al.: ‘Event-ready-detectors’ Bell experiment via
entanglement swapping. Phys. Rev. Lett. 71(26), 4287 (1993)
44. Polkinghorne, R.E.S., Ralph, T.C.: Continuous variable entanglement swapping. Phys. Rev.
Lett. 83(11), 2095 (1999)
45. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding against pollution
attacks. In: 2018 IEEE Information Theory Workshop (ITW), 25–29 November 2018 (Submit-
ted)
Part II
Security Analysis Method
Chapter 9
Security Analysis of Quantum
Cryptographic Protocols
In this chapter, we review the principle of some common quantum attacks, such as
intercept-and-resend attack, teleportation attack, man-in-the-middle attack, partic-
ipant attack and implementation attack. Also, we introduce some general security
analysis methods, such as BAN logic, random oracle model and quantum-accessible
random oracle model. These methods for classical cryptographic protocols can pro-
vide effective tools for quantum cryptographic protocols.
In this section, we introduce the main attacks on quantum protocols. Indeed many
attacks are contrived for particular protocols, while we still can conclude repre-
sentative attack models against various quantum protocols, including quantum key
distribution (QKD), quantum secure direct communication (QSDC) and quantum
secret sharing (QSS).
The intercept-and-resend attack is the most common type of attack used on quantum
protocols. An eavesdropper interrupts quantum channel, measures each quantum
signal received from a sender in one of measurement bases (according to the proto-
col), which it chooses randomly. Then the eavesdropper sends the quantum signal
to a receiver, and will replace the compromised signal with other signals, without
leaving traces of the attack.
We present an example of intercept-and-resend attack on QKD. In naive intercept-
and-resend, Eve intercepts the light photons coming from the sender Alice with his
own predefined basis. Since detectors are highly efficient in the ideal environment,
Eve can get a hold on each photon. Eve follows a scheme which is shown in the
© Springer Nature Singapore Pte Ltd. 2020 191
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_9
192 9 Security Analysis of Quantum Cryptographic Protocols
form of the decision tree in Fig. 9.1. The scheme is shown for sending a bit value
0. Eve then sends the replacement photon to Bob as his predefined basis. Now, the
intensity of the pulse to Bob is such adjusted that Bob will detect this pulse with the
same rate. So, in a sense Eve is working like a median person and performing the
detection of the photons from the Alice side the same√ as that of Bob. Eve’s efforts
are said to be worth if he succeeds in getting the 1/ 2 of the Alice’s information. In
the error correction and privacy amplification phase of the BB84 protocol, suppose t
error bits are detected. By using this information, Alice and Bob get some estimation
that lesser than e1 bits are subjected to intercept/resend√attack. Furthermore, the
amount of information gained by Eve is not more than e1 / 2. In the naive intercept-
and-resend attack, the assumption is that Eve is not listening over public channel
during the sifting phase of the BB84 protocol. This gives the information gain of
approximately 0.2 bits out of every bit sent by Alice.
Intercept-and-resend attack is also used against quantum protocols like Byzantine
agreement [1] and QSDC [2]. Therefore, despite the intercept-and-resend attack is
very simple in principle, enough attention should be paid carefully.
9.1 Main Attacks 193
Teleportation attack [3] was presented originally against a certain QSDC protocol [4].
However, it is demonstrated that quantum teleportation can be employed to weaken
the role of the order-rearrangement encryption in certain protocols. With the help of
this special attack, an eavesdropper can obtain half of the transmitted secret bits.
To understand this attack, we introduce the basic idea of the QSDC protocol
in [4]. At the beginning of the QSDC protocol, Alice’s sending qubits are in the
states |φi1 = Û y (θi )|0 = cos θi |0 − sin θi |1, which looks as if Alice puts a lock
Û y (θi ) on each carrier state |0. Similarly, Bob also puts another lock Û y (φi ) on each
of them. Because θi and φi are randomly selected by Alice and Bob, respectively,
all locks can be removed only by the one who initially puts them on. Afterward,
Alice opens her locks by the operations Û y (−θi ) and encodes her secret bits by
Û y (± π4 ). Finally Bob removes his locks by Û y (−φi ) and then obtains the secret bits
by measurements. To extract the transmitted bits, from the perspective of Eve who
has no keys to these locks, the only way is to acquire the qubits without any lock at
a certain stage. However, Bob will disorder the sequence before sending it. In this
condition, the simple attack would be invalid because Alice cannot remove her locks
appropriately (the key and the lock for a certain qubit are not matched due to the
order-restoring operation by Alice).
To resolve this problem, Eve can employ the technique of quantum telepor-
tation. When Eve sends the faked sequence S1E to Alice, the role of the order-
rearrangement encryption would be weakened because Eve can also adjust the order
of his corresponding sequence S2E according to Bob’s announcement. In the tele-
portation process, if Eve acquires one of the results {|+, |−, |+, |−},
she knows that the state of the corresponding qubit in Alice’s hand would be one
of { Iˆ|φi1 , σ̂z |φi1 , σ̂x |φi1 , iσ̂ y |φi1 }, respectively. At that time, if the sequence is in
the control of Eve, she can change each qubit into the (preferred) state |φi1 by
one of the above operations and subsequently eliminate the influence of the order-
rearrangement encryption completely. Thus, Eve can extract secret information if he
obtains {|+ or |−} in a certain teleportation process, because both Iˆ and iσ̂ y
commute with Alice’s operation Û y (−θi ± π4 ).
attack. For example, Zou and Qiu [5] considered the MITM attack on the QSDC
protocol.
We briefly explain why the MITM attack is feasible in QSDC. According to the
request of QSDC and the QSDC scheme [6], we can learn that Alice and Bob do
not share any secret key or quantum entanglement in the QSDC scheme. Therefore,
when Alice receives the quantum information |ψ, she cannot confirm that it was
sent by Bob. Similarly, Bob cannot determine that the received quantum information
|ψ came from Alice. Furthermore, we know that Alice and Bob do not discuss the
measurement results in the classical communication channel. Thereby, at the end of
the QSDC scheme, Alice cannot be sure that |ψ was sent by Bob, and Bob cannot
be sure that |ψ came from Alice. Accordingly, what quantum messages cannot be
authenticated in the QSDC scheme provides the possibility of the MITM attacks.
To deal with this problem, measuring partial quantum states and discussing the
measurement results with Bob by the unblocked classical public communication
channel must be undertaken before Alice encrypts the message p and sends it to
Bob.
MITM can also attack other quantum protocols. For example, Wang et al. [7]
considered the MITM attack on the BB84 protocol.
cannot be detected by other users. Thus, this strategy can successfully attack the QSS
protocol [9].
The attack methods described above are all from the viewpoint of theoretical analysis.
In the experimental implementation, the various devices are not as perfect as in the
theoretical hypothesis. Therefore, in addition to the theoretical attacks, there are
some attacks that are considered from an implementation perspective, such as faked
state attack [10], Trojan horse attack [11], and photon number splitting attack [12].
In 1989, Burrows, Abadi, and Needham [13] proposed a model logic based on knowl-
edge and belief, namely BAN Logic. BAN logic can be used to describe and verify
authentication protocols, the purpose of which is to analyze the security of authenti-
cation protocols in computer networks or distributed systems. After authentication,
three principals (people, computers, or services) should be entitled to believe that
they are communicating with each other and not with intruders.
Applying the BAN logic for protocol analysis requires converting a protocol into
formulas in the BAN logic, i.e., performing the “idealization step” of the protocol,
and makes reasonable postulates according to specific situation. Then it uses logical
rules to infer whether the protocol can achieve the desired goal based on idealized
protocols and postulates. The simplicity and practicality of protocol analysis has
made BAN logic widely used.
196 9 Security Analysis of Quantum Cryptographic Protocols
Basic notation The logic distinguishes several sorts of objects: principals, encryption
keys, and formulas (also called statements). The symbols A, B, and S denote specific
principals; K ab , K as , and K bs denote specific shared keys; K a , K b , and K s denote
specific public keys, and K a−1 , K b−1 , and K s−1 denote corresponding secret keys; and
Na , Nb , and Nc denote specific statements. The symbols P, Q, and R range over
principals; X and Y range over statements; and K ranges over encryption keys.
The logic uses the following notation [14]:
P believes X : P believes X , or P would be entitled to believe X .
P sees X : P sees X . Someone has sent a message containing X to P, who can
read and repeat X (possibly after doing some decryption).
P said X : P once said X . The principal P at some time sent a message including
the statement X . It is not known whether the message was sent long ago or during
the current run of the protocol, but it is known that P believed X then.
P controls X : P has jurisdiction over X . The principal P is an authority on X
and should be trusted on this matter.
fresh (X ): The formula X is f r esh, i.e., X has not been sent in a message at any
time before the current run of the protocol.
K
P ↔ Q: P and Q may use the shar ed key K to communicate. The key K is
good, in that it will never be discovered by any principal except P or Q, or a principal
trusted by either P or Q.
K
→ P: P has K as a public key. The matching secr et key (denoted K −1 ) will
never be discovered by any principal except P or a principal trusted by P.
X
P Q: The formula X is a secr et known only to P and Q, and possibly to
principals trusted by them. Only P and Q may use X to prove their identities to one
another.
{X } K : This represents the formula X encrypted under the key K . Formally, {X } K
is a convenient abbreviation for an expression of the form {X } K from P.
X Y : This represents X combined with the formula Y . It is intended that Y
be a secret and that its presence proves the identity of whoever utters X Y . In
implementations, X is simply concatenated with the password Y .
Logical postulates BAN logic has 19 inference rules. Some representative rules are
listed:
(1) The message-meaning rules: the interpretation of messages. Two of the three
concern the interpretation of encrypted messages, and the third concerns the inter-
pretation of messages with secrets. They all explain how to derive beliefs about the
origin of messages.
For shared keys, we postulate
K
P believes Q ↔ P, P sees {X } K
P believes Q said X
That is, if P believes that the key K is shared with Q and sees X encrypted under
K , then P believes that Q once said X .
9.2 Security Analysis Methods 197
K
P believes → Q, P sees {X } K −1
P believes Q said X
That is, if P believes that K is the public key of Q, and K −1 is the secret key, the
message is sent by Q when P sees the message encrypted with K −1 .
For shared secrets, we postulate
Y
P believes Q P, P sees X Y
P believes Q said X
That is, if P believes that the secret Y is shared with Q and sees X Y , then P believes
that Q once said X .
(2) The nonce-verification rule:
That is, if P believes that X could have been uttered only recently (in the present)
and that Q once said X (either in the past or in the present), then P believes that Q
believes X .
(3) The jurisdiction rule:
K
P sees (X, Y ) P sees X Y P believes Q ↔ P, P sees {X } K
, ,
P sees X P sees X P sees X
K K
P believes → P, P sees {X } K P believes → Q, P sees {X } K −1
,
P sees X P sees X
That is, if a principal sees a formula, then he also sees its components, and he knows
the necessary keys.
(5) The freshness rules:
That is, if one part of a formula is fresh, then the entire formula must also be fresh.
198 9 Security Analysis of Quantum Cryptographic Protocols
K K
P believes R ↔ R P believes Q believes R ↔ R
K
, K
P believes R ↔ R P believes Q believes R ↔ R
X X
P believes R R P believes Q believes R R
X
, X
P believes R R P believes Q believes R R
P → Q : message.
This denotes that the principal P sends a message to the principal Q. The message
is presented in an informal notation designed to suggest the bit-string that a con-
crete implementation would use. This presentation is often ambiguous and not an
appropriate basis for formal analysis.
Therefore, we transform each protocol step into an idealized form. A message in
the idealized protocol is a formula. For instance, the protocol step
A → B : {A, K ab } K bs
may tell B, who knows the key K bs , that K ab is a key to communicate with A. This
step should then be idealized as
K ab
A → B : {A ↔ B} K bs .
The random oracle model is an important way to balance the provable security and
practicality of a cryptographic scheme compared with standard model. The idea is to
prove the scheme secure in a model in which every party, legitimate or malicious, has
access to a public random function. The idea of a public random function was first
introduced in 1986 by Fiat and Shamir [15]. They argued the security of a method
to turn identification schemes into signature schemes by assuming every party has
access to a public random function. This method was later used to provide a security
argument for blind signatures and electronic cash.
The random oracle model was formalized and popularized by Bellare and Rog-
away [16]. In particular, they showed that many “tricks” that were used to construct
cryptographic schemes could be proven secure in the random oracle model. Follow-
ing this, the random oracle model was used to argue the security of many efficient
cryptographic protocols.
200 9 Security Analysis of Quantum Cryptographic Protocols
References
1. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Comment on experimental demonstration of a quantum
protocol for byzantine agreement and liar detection. Phys. Rev. Lett. 101(20), 208901 (2008)
2. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Forcible measurement attack on quantum direct commu-
nication protocol with cluster state. Chin. Phys. Lett. 25(8), 2766–2769 (2008)
3. Gao, F., Wen, Q.Y., Zhu, F.C.: Teleportation attack on the QSDC protocol with a random basis
and order. Chin. Phys. B 17(9), 3189–3193 (2008)
4. Song, J., Zhu, A.D., Zhang, T.: Quantum secure direct communication protocol with blind
polarization bases and particles’ transmitting order. Chin. Phys. B 16(3), 621–623 (2007)
5. Zou, X.F., Qiu, D.W.: Attacks and improvements of QSDC schemes based on CSS codes. Int.
Conf. Intell. Comput. (ICIC) 6840, 239–246 (2012)
6. Lu, X., Ma, Z., Feng, D.G.: Quantum secure direct communication using quantum calderbank-
shor-steane error correcting codes. J. Softw. 17(3), 509–515 (2006)
7. Wang, Y., Wang, H.D., Li, Z.H., et al.: Man-in-the-middle attack on BB84 protocol and its
defence. In: IEEE International Conference on Computer Science and Information Technology
(ICCSIT) pp. 438–439 (2009)
8. Song, T.T., Zhang, J., Gao, F., et al.: Participant attack on quantum secret sharing based on
entanglement swapping. Chin. Phys. B 18(4), 1333–1337 (2009)
9. Zhang, Y.Q., Jin, X.R., Zhang, S.: Secret sharing of quantum information via entanglement
swapping. China Phys. B 15(10), 2252–2255 (2006)
10. Makarov, V., Hjelme, D.R.: Faked states attack on quantum cryptosystems. J. Mod. Opt. 52(5),
691–705 (2005)
11. Vakhitov, A., Makarov, V., Hjelme, D.R.: Large pulse attack as a method of conventional optical
eavesdropping in quantum cryptography. Opt. Acta Int. J. Opt. 48(13), 2023–2038 (2001)
12. Lutkenhaus, N.: Security against eavesdropping in quantum cryptography. Phys. Rev. A 54(1),
97 (1996)
13. Burrows, M., Abadi, M. and Needham, R:. A logic of authentication. ACM Trans. Comput.
Syst. 8(1):18–36 (1990)
14. Dong, L., Chen, K.F.: Cryptographic Protocol. Springer Nature (2012)
15. Fiat, A., Shamir, A.: How to prove ourself: practical solutions to identification and signature
problems. In: Annual International Cryptology Conference (CRYPTO’ 86), vol. 263, pp. 186–
194 (1987)
16. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient
protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73
(1993)
17. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA
and Rabin. In: International Conference on the Theory and Applications of Cryptographic
Techniques (EUROCRYPT’ 96), vol. 1070, pp. 399–416 (1996)
202 9 Security Analysis of Quantum Cryptographic Protocols
18. Bellare, M., Rogaway, P.: Optimal asymmetric encryption: how to encrypt with RSA. In: Inter-
national Conference on the Theory and Applications of Cryptographic Techniques (EURO-
CRYPT’ 94), vol. 950, pp. 92–111 (1995)
19. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes.
J. Cryptol. 26(1), 80–101 (2013)
20. Aaronson, S.: Quantum copy-protection and quantum money. In: Annual IEEE Conference on
Computational Complexity (CCC), pp. 229–242 (2009)
21. Brassard, G., Hoyer, P., Kalach, K., et al.: Merkle puzzles in a quantum world. In: Annual
International Cryptology Conference (CRYPTO 2011), vol. 6841, pp. 391–410 (2011)
22. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput.
Sci. 7073(1), 41–69 (2010)
Chapter 10
Security Analysis Based on BAN Logic
Many quantum authentication schemes have been designed according to quantum key
distribution. Scheme security is proved heuristically by employing attack strategies
such as intercept-measure-resend attack, entanglement-measure attack, etc. In this
chapter, we introduce security analysis based on BAN logic. In contrast to analyzing
protocols with common quantum attacks, formal approach is a more universal tool
which helps understand whether a quantum cryptographic protocol meets its security
goal or not.
Due to its capability to detect potential eavesdropper with high probability, quan-
tum cryptography has been widely explored in many emerging cryptography and
communication systems. Based on quantum mechanics, a variety of protocols have
been proposed to support diverse systems, such as quantum key distribution (QKD)
protocol, quantum signature (QS) protocol, quantum secure direct communication
(QSDC) protocol, etc. So it is necessary to provide an efficient analysis tool for
quantum cryptographic protocol, which will help analyze the correctness of quan-
tum protocol in a simple and uniform way.
Formal method is a combination of a mathematical or logic model of a system
and its requirements, together with an effective procedure for determining whether
a proof that a system satisfies its requirement is correct [1]. Since the first mention
of formal methods, by Needham and Schroeder, was a possible tool for analysis [2],
Dolev and Yao accomplished the first protocol analysis work by developing a formal
model of an environment in 1981 [3]. Then a lot of research focused on the general
use of model checker based on the Dolev–Yao model. These belong to the model
checking approach. Given a system model and desired system properties, the model
checker explores the full state space of the system model to check whether the given
system properties are satisfied by the model [4]. Until the publication of BAN logic
[5], formal methods became apprehensible to a larger research community and led to
© Springer Nature Singapore Pte Ltd. 2020 203
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_10
204 10 Security Analysis Based on BAN Logic
a host of other logics to expand it such as GNY-logic, SVO-logic, etc. Featured with
BAN logic, these techniques fall into the domain of logical inference, which is based
on an agreed set of deduction rules for formally reasoning about the authentication
protocols.
In this chapter, we introduce BAN logic and expend it for quantum circumstance
and present a detailed security analysis for quantum identity authentication protocols
in BAN logic together with a brief discussion.
In 2000, Zeng et al. [7] claimed that it is necessary to verify the key in quantum key
management while classical verification cannot simultaneously complete identity
verification and quantum key distribution as in the literature [6], so they proposed
10.3 Representative QIA Protocol 205
a quantum key verification scheme in case that eavesdroppers avoid the identity
verification procedure. EPR pair and Bell theorem were used in their two-phase
protocol. In the initial phase, two communicators gain the shared message with the
help of an information center which is neither responsible for identity verification
nor for generating or distributing secret keys. After the legitimate users, Alice and
Bob, obtain the sharing key K1 , no more communication is necessary with the center.
Then two communicators execute the verification phase.
(1) Alice and Bob convert the sharing key K1 into a series of measurement basis
MK . If K1 = 1, MK corresponds to the rectilinear measurement basis. If K1 = 0,
MK corresponds to the diagonal measurement basis.
(2) Alice prepares the EPR pair. She measures one particle of each EPR pair in the
string and sends the other to Bob. Alice chooses a random basis like in the EPR
protocol [1] for measuring.
(3) Bob randomly measures the received string of particles by using two measure-
ment basis M , MK . Note that M is the measurement basis for the quantum key
distribution and obtainment of a new identity sharing key. MK is the measurement
basis for identity verification in the current communication.
(4) Alice and Bob check the eavesdropper first. Bob randomly chooses some mea-
surement results measured by the basis M to judge the eavesdroppers according
to Bell theorem.
(5) If there is no eavesdropper, Bob transforms the results measured by the basis
MK into a binary bit string m according to the beforehand appointment. The
corresponding sequence number is Ni in Alice’s whole qubits strings. Then Bob
encrypts m and Ni with K1 . Bob obtains secret message y and sends it to Alice.
(6) Alice decrypts y and gets m , Ni . Alice compares her results with m and gets the
measurement basis MKt . If Kt = K1 , Bob’s identity is true.
(7) Alice sends Bob the results m . If m = m, Alice’s identity is true.
(8) If the communicators are legitimate, Alice and Bob distribute the quantum secret
key using the remainder qubits as in the EPR protocols [12].
(9) Alice and Bob discard the sharing key K1 , and set up a new sharing key K2
from qubits measured by M or from taking portion bits of the final distributed
quantum key.
This verification protocol is featured in using the measurement basis to encode
message and applying Bell theorem to guarantee unconditional security. The only
pitfall is that the process is rather complicated with too much classical messages
transmitted. Next, we will focus on a simpler protocol in which only quantum channel
is needed.
Compared with the shared information schemes [6, 7], the shared entangled states
protocols provide further security since the “sharing keys” cannot be copied and
spread according to non-cloning theorem. Although it is hard to distribute entan-
gled states and store them, numerous protocols have been proposed considering the
speeding progress will be made in technique. Here we consider a quantum identity
protocol proposed by Shi et al. [8] for formal analysis. It can not only be used for
206 10 Security Analysis Based on BAN Logic
QKD and QIA, but also for QSDC since no qubit is discarded in the case of an
error-free quantum channel.
Suppose that Alice and Bob have previously shared pairs of entangled states, Bob
performs randomly one of two local unitary operations I and X on his particle in
each EPR pair, where
10 01
I= ,X = .
01 10
If Bob performs the unitary operation I on the particle belonging to him, the state
ψ − holds unchanged. If the unitary operation performed by Bob is X , the state ψ −
will be transformed into state φ− . Then Bob sends his particle back to Alice. Alice
does a Bell state measurement on the particle from Bob and the particle from herself.
Alice and Bob let state ψ − correspond to “1”, state φ− correspond to “0”. Then they
get the sharing key. Moreover, when Alice gets the result of the other two Bell states
ψ + , φ+ , there must be someone who impersonates Bob. In this way, every EPR pair
is used to distribute a quantum key and verify the user’s identification simultaneously
without transmission of any classical message.
BAN logic is a formal method for verifying that three principals (including people,
computer and services) are entitled to believe they are communicating with each other
and not the intruders. It concentrates on the beliefs of trustworthy parties involved
in the protocol and the evolution of these beliefs through communication processes.
The procedure of BAN logic for analyzing the crypotographic protocol is described
as follows:
(1) Transform protocol into some “idealized” form;
(2) Identify the initial assumptions in the language of BAN logic;
(3) Use the postulates and rules of the logic to deduce new predicates;
(4) Interpret the statements proved by the process to check whether the protocol
meets the goal.
In order to apply the same concept to analyze the QIA protocol, some expending
work [13] has been made to adjust to quantum circumstance. The supplement notions
and postulates we will rely on are summarized in (Tables 10.1 and 10.2), while the
initial notions are the same as the literature [5].
Then we analyze a QIA protocol from an efficient perspective by using the BAN
logic.
10.4 Analysis Procedure 207
For the QIA protocol proposed by Shi et al. [8], we divide it into two parts. The
idealized version derived from the original is presented as follows together with the
initial version as a reference.
(1) Alice identifies Bob
This verification process is shown in Fig. 10.1.
208 10 Security Analysis Based on BAN Logic
Alice| ≡ (#S 2 ).
Alice| ≡ S 2 (10.2)
Alice| ≡ (#S 2 ),
10.4 Analysis Procedure 209
Alice :: Number(ra (x)), If Number(ra (x)) > 0, Alice counts the number of 1 in ra to figures
stop, discard ka (x); If Number(ra (x)) = 0, out whether there is impersonation
Alice :: Kab = ka (x)
Bob| ≡ S 1 (10.5)
From above analysis, BAN logic is verified that it can help make the analysis
of protocols more efficient by eliminating contents of message or encryptions of
messages. In order to verify a protocol by using BAN logic, a set of hypotheses
have been made to obtain the initial beliefs. Thus, in classical environment, some
hypotheses make it problematic to distinguish between freshness of creation and
freshness of receipt roles. On the contrary, in quantum environment, scarcely when
the communicators operate on the qubits can the message be validated and this
guarantees the freshness of creation as shown in our assumption. However, BAN
logic also has its limitation. Since there is no systematic way for translating a protocol
description into a BAN description, subjective factors may be introduced and cause
a biased view of analysis.
10.5 Summary
In this chapter, we applied BAN logic to the formal verification of QIA protocols.
We gived the description of notions and rules, and analyzed the security of a rep-
resentative QIA protocol. BAN logic provides a concise way of proving security of
authentication protocols. Especially for quantum circumstances, ambiguity can be
avoided in creating the freshness of a message. With finer modeling hypotheses or
a finer level of description, more application of logic-based formal methods can be
adopted to verify the security of quantum cryptographic protocols.
References 211
References
1. Meadows, C.: Formal methods for cryptographic protocol analysis: emerging issues and trends.
IEEE J. Sel. Areas Commun. 21(1), 44–54 (2003)
2. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of
computers. Commun. ACM 21(12), 993–999 (1978)
3. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(20),
198–208 (1983)
4. Lal, S., Jain, M., Chaplot, V.: Approaches to formal verification of security protocols.
arXiv:1101.1815 (2011)
5. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput. Syst.
8(1), 18–36 (1990)
6. Dusek, M., Haderka, O., Hendrych, M., et al.: Quantum identification system. Phys. Rev. A
60(1), 149–156 (1999)
7. Zeng, G., Zhang, W.: Identity verification in quantum key distribution. Phys. Rev. A 61(2),
022303 (2000)
8. Shi, B.S., Li, J., Liu, J.M., et al.: Quantum key distribution and quantum authentication based
on entangled state. Phys. Lett. A 281(2), 83–87 (2001)
9. Zhang, Z., Zeng, G., Zhou, N., et al.: Quantum identity authentication based on ping-pong
technique for photons. Phys. Lett. A 356(3), 199–205 (2006)
10. Curty, M., Santos, D.J., Perez, E., et al.: Qubit authentication. Phys. Rev. A 66(2), 022301
(2002)
11. Cavalcanti, E.G., Hall, M.J., Wiseman, H.M.: Entanglement verification and steering when
Alice and Bob cannot be trusted. Phys. Rev. A 87(3), 032306 (2013)
12. Ekert, A.K.: Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67(6), 661 (1991)
13. Sheng, Z.: A Research on the formal analysis of quantum cryptography protocols. Dissertation
thesis, National University of Defense Technology (2007)
Chapter 11
Security Analysis Based on Quantum
Random Oracle Model
Random oracle model is a general security analysis tool for rigorous security proof
and effective cryptographic protocol design. In the quantum world, the attempts of
constructing a quantum random oracle (QRO) have been made, such as quantum-
accessible random oracle for post-quantum cryptography and quantum random
oracle for quantum cryptography. To facilitate the security analysis of quantum
cryptographic protocols, we introduce quantum random oracle. As in the classical
circumstance, it is crucial and challenging to design and instantiate the QRO model
with an appropriate quantum hash function. As a result, we use the QRO model for the
security analysis of quantum public-key encryption and quantum digital signature.
This new tool can be a test-bed for the cryptanalysis of more quantum cryptographic
protocols based on quantum one-way function.
Random oracle (RO) has been used to design effective cryptographic protocols and
give rigorous proofs of security for cryptographic protocols over 20 years [1–4]. RO
is virtually a theoretical black box which outputs random bits in equal length when
queried by all parties including an adversary. Queries to RO are standardly designed
to model an adversary’s attack power [5]. The rapidly evolving quantum computation
equips a quantum adversary with sufficient computational power. To analyze clas-
sical cryptographic protocols against quantum adversaries, Boneh et al. [6] started
pioneering work of the quantum random oracle (QRO) model, more precisely, the
quantum-accessible random oracle model, in which an adversary can make quantum
superposition queries. Later, Zhandry [7, 8] upgraded the quantum-accessible ran-
dom oracle with a semi-constant distribution to make it indistinguishable with iden-
tical uniform distribution under quantum algorithms. In 2013, Boneh and Zhandry
[9] made a significant progress to initiate the study of quantum-secure digital sig-
natures and quantum chosen ciphertext security. In the quantum-accessible random
oracle model, an adversary can make quantum chosen message queries and quantum
chosen ciphertext queries. Till now, most of the quantum-accessible random oracle
model research has focused on classical cryptographic protocols against quantum
adversaries. Furthermore, can we explore the construction of a new QRO model to
effectively analyze quantum cryptographic protocols against quantum attacks?
In this section, we introduce a new QRO model to analyze the security of QDS
schemes based on quantum one-way function [10]. We start with the quantum random
oracle modeling a collision-free quantum one-way function. Then we will give a
general security analysis procedure in the QRO model. For convenient analysis, we
choose the original QDS scheme [11]. It is very meaningful to endow new meaning
and explanation to the QRO model for quantum cryptosystems.
a security model which can facilitate the exploration of a quantum one-way func-
tion to more scenarios and the security analysis of related quantum cryptographic
protocols, such as quantum digital signature schemes [11, 15, 19] and quantum
public-key encryption schemes [21, 22]. The desirable security model needs to pro-
vide participants with outputs of a quantum one-way function and results of quantum
states comparison, and also, give the same response to an adversary to model possi-
ble quantum attacks. Then the security model can be instantiated with continuously
developed techniques [18, 20]. In classical cryptography, similar efficient analysis
model named random oracle (RO) was introduced in 1993 [1].
We briefly recall the representative QDS scheme proposed by Gottesman et al. [11].
The scheme assumes all participants will know how to implement the quantum one-
way function, and it is based on perfect devices and channels. Notations are described
as follows:
b: 1-bit classical message.
k bi : L-bit
classical secret key.
f kbi : n-bit public keys of quantum states that a quantum one-way function gen-
erates.
kbi → f kbi : quantum one-way function that maps a classical bit-string kbi to quan-
tum states f kbi .
Initializing phase:
Alice chooses a series of L-bit classical bit-strings {k0i , k1i }, 1 ≤ i ≤ M as secret
keys for a single message b. k0 is used to sign the message b = 0, and k1 is used to
sign the message b = 1. Note that k0 and k1 are chosen independently and randomly
for each i. M is a security parameter and the scheme is exponentially secure in M
when other parameters are fixed.
Signing and verifying phase:
(1) Alice chooses secret keys according to b. Then she sends public-keys to at most
t recipients, t < L/n. The signed message (b, kb1 , kb2 . . . kbM ) are sent to recipients
via insecure classical channel.
(2) Every recipient checks each of the revealed public-keys to verify kbi → f kbi
by quantum states comparison. Then each recipient j counts the number of incorrect
keys as s j ;
(3) According to s j , each recipient determines the message b as transferable, valid
or invalid. Then all participants discard all used and unused keys.
To prove the impossibility of forgery and repudiation, the original security model
sets security parameters. In the forging scenario, an adversary wants to convince Bob
that a faked message b is valid, i.e., b = b. Thus, the secret keys kbi not received
by recipients can be modified by the adversary. Some public-keys will fail and the
216 11 Security Analysis Based on Quantum Random Oracle Model
number of incorrect keys s j will increase. The scheme defines the rejection parameter
c2 so that when s j > c2 M, the recipients reject the signature. In Alice’s repudiation
scenario, Alice wishes Bob (for instance) to accept a message and Charlie to reject
it, so she may give completely different public keys to Bob and Charlie. To avoid
this kind of cheating, Bob and Charlie will exchange quantum public keys to be
compared with SWAP-test. So Alice’s goal is to pass all SWAP-tests and make her
message to be intransferable. Analysis shows the possibility of passing SWAP-test is
exponentially small in M. In participants’ reputation scenario, they can always deny
the sender Alice’s message. Therefore, there must be at least two honest participants.
Note that quantum states can store arbitrary amount of data and can be different
for unequal messages, but the measurement procedure may lead to collision-type
errors, i.e., different classical inputs may lead to equal quantum outputs. Gottesman
et al. [11] assumed δ-orthogonal quantum states to limit the measurement errors of
SWAP-test. Instead, to give an effective analysis of schemes based on quantum one-
way function, we may reasonably use the QRO model to realize the collision-free
property. So we assume that the quantum states generated by QRO are distinguishable
by its measurement.
Bellare and Rogaway [1] introduced random oracle (RO) model, which made it
possible to give a rigorous proof of security for certain basic cryptographic protocols
[23]. RO is used to model a hash function and output total random hash results. All
parties, including legal communicators and an adversary, should query RO for the
hash value. The security analysis procedure based on the RO model is summarized
as follows:
(1) Define a hard problem .
(2) Redescribe a protocol for .
(3) Define the specific security for the protocol.
(4) Prove the security of the protocol by reduction.
According to the methodology of the RO model, the QRO model for quantum
cryptographic protocols can also conform to the above analysis procedure. Proving
security in the QRO model presents many challenges. For each step of this analysis
procedure, we can further explore the following problems
(1) What is a feasible hard problem in the QRO model? Hard problems for
reduction vary among different RO models.
In the RO model, Hwang et al. [24] put forward a new quantum primitive called
“Unbiased Chosen Basis” (UCB) assumption based on no-cloning theorem, and use
it as a hard problem for an adversary to prove the security of three-party quantum
key distribution protocol. No-cloning theorem is the foundation of quantum cryp-
tography, which indicates that one cannot copy a qubit if he/she does not know the
polarization basis of the qubit. This physical property of quantum mechanics can
provide an absolutely secure reduction for the QRO model.
11.1 Quantum Random Oracle Model for Quantum Digital Signature 217
Uq Oq · · · U1 O1 U0 |ψ0
We can also have an algorithm to make classical queries to Oi . In this case, the
input to the oracle is measured before applying the transformation Oi . We call a
quantum oracle algorithm efficient if the number of queries q is a polynomial in the
size of its input, and each of the transformations Ui between queries can be written
as the product of polynomially many unitary transformations from some fixed basis
set.
capability. A similar description has been given in the Refs. [5, 24]. In the RO model,
an adversary interacts with players by making various queries to RO, such as “Send
query” and “Hash query” [24]. Modifications of such queries can be made for the
security proofs in the QRO model.
(3) What is the specific security for quantum cryptographic protocols? For security
definition of the signature scheme, existential forgery under chosen message attack
is always considered [9, 25]. Chosen message attack means that an adversary cannot
produce q + 1 valid message-signature pairs with q chosen message queries.
(4) How to prove the security of quantum cryptographic protocols by reduction?
Reduction means that if an adversary wants to break the security of a protocol, a chal-
lenger can take advantage of the adversary’s capability to solve the hard problem
by controlling the random oracle and providing indistinguishable output. Consider-
ing the superposition quantum query for reduction algorithm, Zhandry [7] provided
the related definition and the lemma which allows for the efficient simulation of an
exponentially-large list of samples given only a polynomial number of samples.
Lemma 1 There is a universal constant C0 such that, for any sets X and Y, dis-
tribution D on Y, any integer , and any quantum algorithm F making q queries to
an oracle H : X → Y, the following two cases are indistinguishable, except with
probability less than C0 q 3 /l
– H (x) = yx where y is a list of samples of D of size |X |.
– H is drawn from the small-range distribution with samples of D.
Different from classical RO model and prior QRO model (precisely, quantum-
accessible random oracle model), our objective is to construct a new QRO model for
quantum cryptographic protocols.
Considering the possible quantum collision problem resulted from quantum mea-
surement, we assume that there exists a collision-free quantum one-way function and
use QRO to model it by requiring that different quantum states produced by QRO
are distinguishable when QRO measures. Since an adversary may have access to
all quantum states, we assume all parties, including sender Alice, recipient Bob and
adversary A, query QRO for classical random bits, quantum one-way function out-
puts and quantum states comparison results. For a quantum adversary, this QRO can
respond consistently to quantum superposition query like the quantum-accessible
oracle [9]. We also assume that quantum states are transmitted without interference.
11.1 Quantum Random Oracle Model for Quantum Digital Signature 219
Definition
4 A quantum
random oracle is a tuple of efficient algorithms
G, Hq , Measur e where:
G: for any input of a classical bit-string m, it outputs a random bit-string k =
{0, 1}k .
Hψ : for any input of a classical bit-string k = {0, 1}k , it operates
H⊗s = H1 ⊗ · · · ⊗ Hs
Proposition
1 Quantum random oracle can respond consistently to quantum queries
ψm |m by mapping X → Y
m
O(m, k) : ψm |m → ψm |m, k,
m m
Proof Let r be some integer to be chosen later. Replace X with small-range distri-
butions of r samples on Y. Lemma 1 shows that an adversary can distinguish X with
Y with probability less than C0 q 3 /r . Thus, we use r samples of a small-range Y to
replace r samples of an exponentially-large range X with distinguishable probabil-
ity less than C0 q 3 /r , which facilitates the quantum random oracle to respond to a
quantum query with suitable r .
Proposition 2 Quantum random oracle can accurately match classical secret keys
with corresponding quantum public-keys.
where ε is negligible for i = j. Equation 11.1 implies that all quantum states gen-
erated by QRO vary with different classical inputs and can be measured by QRO
accurately, so this quantum random oracle can accurately match classical secret keys
with corresponding quantum public-keys.
arbitrary unknown quantum state. Note that we carry out security reduction relative
to quantum physical property instead of the existence of collision-free quantum one-
way function. For example, consider a QDS scheme, we prove it to be unforgeable
for quantum adversaries by a reduction to no-cloning theorem. We can claim that
the QDS scheme is unforgeable as long as violating no-cloning theorem is infeasible
even when an adversary has quantum access to random oracle. This technique works
well whenever we can assure the success of the adversary A.
B. Description of the QDS scheme
Since an adversary interacts with players by making various queries to QRO,
we formulate specific queries to describe the QDS scheme [11]. According to
Proposition 2, QRO can correctly match secret keys and public keys. So the number
of incorrect keys s j is equal to 0. Then we do not need the acceptable or transferable
boundaries. Here we present the QDS scheme with a single key pair.
(1) Message query qmessage {Alice}: All parties are allowed to know whether Alice
has sent a message b to QRO or not. If Alice sends the message, QRO sends (b, kb )
back. Otherwise, it outputs (l + 1)-bit zeros (1-bit message and l-bit secret key).
Since classical channel cannot guarantee message not being tapped, we use this
query to model the process that A eavesdrops message and secret keys via classical
channel. The worst case is that A fully accesses message and secret key, i.e., QRO
directly returns b and kb .
(2) Signing query qsign {b}: Anyone could ask QRO for quantum digital signature
for b. QRO operates quantum one-way function to output key pairs kb , f kb . This
query models the process that a signer (Alice) generates secret keys of classical bits
and public keys of quantum statesfor every message bit b.
q send {b, kb , f kb , Bob}: To transfer a signature to Bob, Alice
(3) Sending query
qsend {b, kb , f kb , Bob} to QRO. QRO sends a secret key kb and a public key
sends
f k to Bob. In this query, a signer can choose a secret key and a public key to a
b
recipient, which models an adversary’s forgery attack. Besides, A might practically
intercept the key pair, measure it and resend the tampered keys to Bob. This scenario
also changes the key pair and can be modeled by sending query.
(4) Verifying query qveri f y {kb , f kb }: Bob sends QRO the key pair kb , f kb he
received to verify the signature. If the pair is validated by quantum states measure-
ment, QRO returns 1. Otherwise it returns 0. QRO records the verifier’s identity and
verification result. This query models the verifying phase that recipients compare
the quantum states they received with the quantum states generated according to the
secret key.
(5) Accepting query qacc {Bob}: If the record value in verifying query is 1, i.e., the
signature is valid, then QRO returns 1. Otherwise, it returns 0. Through this query,
Alice can make sure whether her signature is accepted and adversary A can figure
out whether his attack is successful.
Different queries related to corresponding parts of QRO are shown in Fig. 11.1.
Based on these specific queries, we present the execution of the QDS scheme [11].
(1) Alice sends 1-bit message
to QRO with qsign {b} query and gets corresponding
secret keys and public keys kb , f kb .
222 11 Security Analysis Based on Quantum Random Oracle Model
QRO
Alice
qmessage
Eavesdropping b, k b
b
qsign
H
k ,
b f kb
b, kb , f kb , Bob
kb , f kb qsend
qverify Forgery attack
Intercept-resend attack
{0,1}
Measure
qacc User
{0,1}
Fig. 11.1 QRO model
(2) Alice sends Bob the key pairs kb , f kb by q send {b, k b , f k , Bob}.
b
(3) Bob makes a query, namely qveri f y {kb , f kb } to verify the signature he received.
Then QRO records measurement result for next Accepting query.
C. Definition of security in the QRO model
Definition 6 A quantum digital signature scheme (G, Sign, Verify) is existentially
unforgeable under quantum chosen message attacks (QCMA-secure) if, for any effi-
cient quantum algorithm F and any polynomial q (in the input of the quantum
algorithm), F’s probability of success in the following game is negligible
Key Gen. A challenger runs k b ← G, then operates f k ← H (m, kb ) to generate
b
a public key of quantum states f kb and gives f kb to F.
Signing Queries. An adversary makes a polynomial q chosen message queries.
For each query, the challenger responds by signing each message in the query by
mapping X → Y,
O(m, k) : ψm |m → ψm |m, k
m m
key and public key that QRO cannot distinguish with non-negligible probability. Then
a challenger takes advantage of A to clone quantum states. If quantum states cannot
be cloned perfectly, then the signature is QCMA-secure in the quantum random
oracle model.
Proof We can use QRO to construct a signature on any given message b and output
the signature kb , f kb . Then we prove this QRO can respond to a classical chosen
message attack when A is only given a polynomial number of signatures on random
messages.
i Game
1. We modify the condition in which A wins by requiring that no two pairs
k , f k i form a collision error for H in QRO. Then A succeeds in Game 1 with
probability at least ε − negl.
Game 2. Let = 2C0 qp where C0 is a constant from Lemma 1. At the beginning
ˆ
of the game, for i = 1, . . . , q and j = 1, . . . , , sample values k̂ (i)
j and let f k (i) =
j
11.1.7 Discussion
In the original security model [11], the QDS scheme is proved information-
theoretically secure, which relies on significantly large security parameter. An adver-
sary may use the collision-type error to easily pass the verifying phase, while the
original security model does not provide the related analysis. Apart from information-
theoretical security, we can provide the provable security of quantum cryptographic
protocols, e.g., the unforgeable security of QDS. In the new QRO model, we prove
the QCMA-security of a QDS scheme via a series of indistinguishability games, even
if an adversary has quantum access to QRO. We use different queries to model dif-
ferent attack scenarios, including the collision case. The QRO model can be used to
simplify quantum cryptographic protocols based on quantum one-way function and
testify its security on every step. When QRO is instantiated, we can analyze special
attack scenarios and define the similar security parameter to protect its security.
11.1 Quantum Random Oracle Model for Quantum Digital Signature 225
Different from famous quantum key distribution (QKD) protocols [27], a new crypto-
graphic primitive, namely quantum hash function, has been considered by researchers
for cryptographic protocols with higher level of security. The quantum hash function
maps a classical bit-string to a quantum state. Due to the accountability of unknown
quantum states, quantum hash functions were first used to design unforgeable quan-
tum digital signatures [28] and quantum fingerprints [29]. Then quantum public-key
encryption (QPKE) schemes also made use of the uncloneablility [30, 31], regarding
secret keys as the trapdoor information. In 2014, Ablayev et al. [32] for the first time
gave a rigorous definition of quantum hash function. They subsequently discussed
226 11 Security Analysis Based on Quantum Random Oracle Model
several constructions of quantum hash function [33]. Recent works on quantum hash
function include new ways of constructions [34] and its applications [35]. However,
there are still some open problems in the field of quantum hash functions. In the
previous researches, some of quantum hash functions are given concrete construc-
tions of quantum circuits [29–31, 33], while others are only used as a black box [28].
For the existing and future protocols which use quantum hash functions as secure
subprograms (and do not care about how exactly they are instantiated), we do lack
an ideal model of such quantum hash function for further analysis and design.
Previous security analyses of quantum cryptographic protocols mainly concen-
trate on scenario quantum attacks, i.e., only limited types of attack are analyzed [30,
31]. Such analysis of diverse quantum attacks is not general enough to prove the
security of quantum cryptographic protocols, and a more precise and generic tool is
needed for the protocols using quantum hash functions to perform provable security
analysis. A new type of QRO which can model a quantum hash function is such an
efficient tool to solve these problems. A well-defined QRO can reasonably simulate
a quantum hash function in terms of protocol designing. The attempt of constructing
a QRO model has been made in [36] for cryptanalysis of quantum digital signature
(QDS).
In this section, we generalize the construction and property of the QRO model,
and redefine the QRO model to analyze the security of quantum hash based QPKE
against key-collision attack [37]. Concretely, we introduce a paradigm of security
analysis in the QRO model, and give the instantiation method of the QRO model for
quantum cryptographic protocols, i.e., how to replace the QRO with an appropriate
quantum hash function.
Unlike classical cases where the security analysis relies on computational assump-
tion, the security of quantum hash functions is guaranteed by quantum physical laws.
A quantum hash function takes a classical bit-string as an input and outputs a quan-
tum state of fixed length. It also has its one-wayness and collision-resistance. Similar
to the classical case, the one-wayness of a quantum hash function requires that the
input of a classical bit-string cannot be deduced from the output of quantum states
[32, 33]. The no-cloning theorem avoids an adversary obtaining a large enough num-
ber of an unknown hash value. Thus, the one-wayness can be guaranteed by Holevo
bound [38], i.e., no more than O(s) bits of information can be learned from s qubits.
According to the Holevo bound, the one-wayness condition holds when the length
of an input is much larger than that of an output.
As for collision-resistance, a quantum hash function becomes more complicated
and very different from its classical counterpart. Since the Hilbert space is an infinite
field (while a set of bit-strings with fixed length is a finite one), we can easily design
a quantum hash function that is mathematically an injective function, i.e., there is no
collision according to its definition. However, when comparing two quantum states
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption 227
or recovering classical information from a quantum state, one will introduce mea-
surement operations, which could lead to collision-type errors. Now the ‘collision’
refers to the case where quantum hash values are measured to be identical while
they are actually different. The probability of this collision is closely related to the
inner product of two quantum states. Thus, for the collision-resistance condition, the
outputs of a quantum hash function are required to be nearly orthogonal [32, 33].
Based on the above considerations, the quantum hash function is defined as fol-
lows:
Definition 7 (quantum hash function [33]) Let > 0 and δ > 0. We call the function
ψ : {0, 1}n → (H2 )⊗s a (, δ)-quantum hash function if the following conditions hold
• One-wayness: for any quantum algorithm A, the probability of finding a preimage
of ψ is bounded by :
Pr[A(ψ(x)) = x] < (11.2)
• √ pair (w, w ), the norm of the inner product
Collision resistance: for any different
of their hash value is bounded by δ, then the probability that two different hash
values are measured to be identical is bounded by
QPKE protocols can be qubit rotations-based [30, 31], knapsack-based [39] or fully-
flipped-permutations-based [40]. Some of them [30, 31, 40] can be abstracted as
ones that bases on a quantum hash function in which the secret key and the plaintext
are classical, while the public key and the ciphertext are quantum states. This type
of QPKE can be described as follows:
• Encryption Enc: for the plaintext m ∈ {0, 1}, Enc probabilistically encrypts m
with the public key | pk and outputs s-qubit ciphertext |c
• Decryption Dec: for the ciphertext |c ∈ (H2 )⊗s , Dec deterministically decrypts
|c with the secret key sk . Since the Dec is a quantum algorithm, we introduce
a tracing-out operator of the Dec’s output to get 1-bit plaintext m
then the measurement on the base vector {|0, |1} can output a classical m .
The quantum algorithms Enc and Dec are designed based on the quantum hash
function ψ, obeying the following rules
• Enc and ψ are commute, i. e.,
• When the public-key | pk = |0⊗s , the last qubit of the output of Enc becomes
the base vector
Tr s−1 [Encm · |0⊗s ] = |m, m ∈ {0, 1} (11.8)
• Dec reverses ψ
−1
Decsk = ψsk (11.9)
These three rules guarantee that decryption with the correct sk outputs the origi-
nal m
|m = Tr s−1 [Decsk · Encm · ψsk |0⊗s ]
= Tr s−1 [Decsk · ψsk · Encm |0⊗s ] (11.10)
= Tr s−1 [Encm |0⊗s ] = |m
Note that the probabilistic encryption algorithm Enc can be the one that randomly
parity-codes the plaintext m then encrypts the codeword. This strategy was suggested
against forward-search attack in [31].
The security notions defined in [41] can help with the cryptanalysis of the QPKE
protocols. In the quantum chosen plaintext attack (qCPA) model, (constant) C copies
of the public-key are fed to the adversary, so it can invoke the encryption oracle with
| pk for at most C times. The security under qCPA is defined as follows:
is negligible.
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption 229
In this section, we analyze the security of QPKE in the QRO model. We firstly, define
the QRO so that it can simulate cryptographic procedures of QPKE. Then we describe
the QPKE protocol in the QRO model by defining the adversary-challenger game
with the random oracle. Finally, we give a paradigm of security proof for QPKE in
the QRO model. Herein, we introduce a new type of attack, namely key-collision
attack. Analysis demonstrates that the property of QRO must be satisfied to prevent
from this attack.
A. Re-definition of the QRO model
We make reasonable adjustments to the first “classical-quantum” random oracle
in Definition 4. Firstly, we remove the classical random number generator G in
Definition 4. This part of QRO simulates the secret key generation step in a protocol,
but the input of a message m is unnecessary. In fact, the secret key is generated locally
in the QPKE or the QDS protocols, and this step will not be explored in any classical
or quantum communication. Removing G does not violate the security proof in [36].
We mainly focus on the possible attacks to quantum hash functions. So the classical
random number generator G is removed in our QRO model.
Then we remove the decision part Measur e in Definition 4 and describe the
distinguishability as the property of QRO instead. The expression is identical in
security proof, while the re-description of the distinguishability is more natural and
simplifies the QRO model.
Finally, we add a C-restriction of the QRO, i.e., if the QRO is invoked by the
challenger, it only generates at most C copies of the output. This restriction reflects
the fact that the adversary can only intercept limited copies of the unknown public
key due to the no-cloning theorem.
According to the above considerations, we re-define the QRO as follows:
where δ is negligible in n.
• If Hq is invoked by the challenger with any input k, it responds for at most C times
for the same input.
In the next sections, the QRO in Definition 10 will be utilized for security analysis.
We denote that the corollaries in [36] still hold in the adjusted QRO model.
230 11 Security Analysis Based on Quantum Random Oracle Model
1
AdvqCPA (adver sar y) = 2 Pr[b = b ] − (11.13)
2
The adversary-challenger game is shown in Fig. 11.2. The challenger wins the
game if the adversary’s advantage is negligible beyond 21 . In this case the QPKE
protocol has ciphertext indistinguishability under qCPA according to Definition 9.
C. Security of the QPKE protocol
Theorem 2 The QPKE protocol in Definition 8 has ciphertext indistinguishability
under qCPA in the QRO model.
Proof We start with regular analysis as it is in the classical case where the adversary
attempts to get a secret key sk. Let A be the event that the adversary asks the query
sk in Phase 2 of the game. If A happens, the adversary can decrypt Encm b |Hq (sk)
in Phase 3 with probability 1 according to the consistency of Definition 8. But in the
game, |Hq (sk) is randomly generated by QRO and independent from sk. Thus, no
public information is related to sk. The probability that the adversary obtains sk is
that it asks sk in qr o queries, i. e., the event A happens.
When A does not happen, the adversary faces qenc pieces of ciphertext. Recall that
the public keys are generated independently and randomly. The state of the entire
possible public keys indicates maximum mixed state
I⊗s
ρ pk = . (11.14)
2s
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption 231
The ciphertext is generated from the public key by a completely positive map Encm
The mixed state ρc stays maximally mixed under the encryption operator, i. e., ρc =
I⊗s
2s
. Hence, the adversary cannot distinguish from distinct messages.
Based on the above considerations, the advantage of the adversary
Pr[b = b ]
=Pr[A] · Pr[Encm b |Hq (sk) = Encm b |Hq (ki )|A]
+Pr[A] · Pr[b = b |A]
(11.16)
qr o qr o 1
≤ n · 1 + (1 − n ) ·
2 2 2
1 qr o 1
= + = + negl(n)
2 2 · 2n 2
Now we consider two special attacks only possible in the quantum world. The
first attack is so-called ‘forward-search’ attack [31]. This type of attack is invalidated
by randomization as mentioned in Definition 8.
The second attack is a collision-type attack. Consider a quantum obtaining the
key-generation algorithm Gen without the secret key sk. By Randomly guessing
232 11 Security Analysis Based on Quantum Random Oracle Model
secret key, he/she probably gets a wrong public key |Hq (sk ). This wrong public
key |Hq (sk ), however, may help the adversary distinguish the ciphertext encrypted
with the right key sk in the game due to the probabilistic measurement. This is a
collision-type attack and is called here a key-collision attack. In the quantum hash-
based QPKE, the key-collision attack is possible only when the possible public keys
are non-orthogonal.
Theorem 3 If the inner product of two distinct public keys | pk| pk | is negligible,
then QPKE in the QRO model is secure under the key-collision attack.
Proof Note that distinct public keys are near-orthogonal according to definition 10,
i.e., |(Hq (ki )|Hq (k j ))| = δ where δ is negligible. For comparing technique of SWAP-
test [32], the probability that the adversary can distinguish the challenger’s ciphertext
with a wrong secret key sk is
1
PrSWAP [b = b ] = (1 + |(Encm b |Hq (sk ), Encm b |Hq (sk))|2 )
2
1
= (1 + | Hq (sk )|Hq (sk)|2 ) (11.17)
2
1 1 1
= + δ 2 = + negl(n)
2 2 2
By means of partial-trace and measurement, the adversary can obtain |m with only
negligible probability δ 2 . Since the ciphertext can only be decrypted once, the QPKE
is secure under the key-collision attack.
In the QRO model, the key-collision attack is impossible since the outputs of
QRO are nearly orthogonal. When realizing the QRO, the corresponding property of
quantum hash function must be considered. Detailed discussions about this attack
will be described in the latter instantiation.
Both in classical and quantum circumstances, the instantiation of the RO model with
a concrete hash function is crucial for the practical analysis of cryptographic pro-
tocols. In this section, we will discuss what kind of quantum functions is suitable
for the instantiation of QRO. We give a qubit rotation-based function and a quantum
fingerprinting-based one as examples. For the former, it is a bad attempt of instan-
tiation because of the non-orthogonality of its outputs. The adversary can decrypt a
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption 233
ciphertext with non-negligible probability even without a secret key. For the latter,
it is a (, δ)-quantum hash function and thus suitable for the instantiation of QRO.
A. A bad example: single-qubit rotation
The QPKE protocol based on single-qubit rotation is presented in [30], and random-
ized against forward-search attack in [31]. In this scheme, the QRO is instantiated by
a single-qubit rotation around y-axis in the Bloch-sphere, where the rotating angle is
determined by the secret key. A probabilistic QPKE protocol based on single-qubit
rotation is described as follows:
Scheme 1: The QPKE protocol based on single-qubit rotation [31] consists of
three steps
• Key-generation Gen: Gen chooses a random n-bit-string sk = k1 k2 . . . ks ∈
{0, 1}n with each k j chosen independently from Z2n/s (suppose s divides n). Then
Gen prepares s qubits of |0z ⊗s and performs a rotation operation R̂(k j ) on each
πk πk
of the jth qubit to obtain ⊗sj=1 (cos( 2n/sj )|0 + sin( 2n/sj )|1). Here the rotation
operation
πk j πk j
R̂(k j ) = cos n/s |0 + sin n/s |1 (11.18)
2 2
πk πk
The secret key is sk and the public key is | pk = ⊗sj=1 (cos( 2n/sj )|0 + sin( 2n/sj )|1).
• Encryption Enc: for the plaintext m ∈ {0, 1}, Enc probabilistically parity-codes
m into s-bit codeword w = w1 w2 . . . ws , then Enc encrypts w by rotating jth
qubit of the public key with the angle πw j
πk j πk j
|c = ⊗sj=1 (cos( + πw j )|0 + sin( n/s + πw j )|1) (11.19)
2n/s 2
• Decryption Dec: for the ciphertext |c, Dec decrypts |c by rotating jth qubit
πk
of |c with angle − 2n/sj and gets
then applies CNOT gate where the first s − 1 qubits are the control qubits. Now
the last qubit becomes
The measurement on the base vector {|0, |1} can output a classical m.
When the QRO is instantiated, the secrecy of sk is guaranteed by Holevo bound.
According to the Holevo-Nayak bound [42], the secret key sk is secure against any
adversary when
234 11 Security Analysis Based on Quantum Random Oracle Model
2sC
Pr[A(| pk⊗C ) = sk] < <
2n (11.22)
2 log2
⇒s<
C
This scheme is randomized against the forward-search attack. However, it is vul-
nerable under the key-collision attack. This is because as mentioned in Sect. 11.2.4,
the public keys are not “orthogonal” enough. The inner product of any two possible
public key is
πk j πk j
|(⊗sj=1 (cos( n/s )|0 + sin( n/s )|1),
2 2
πk j πk j
⊗sj=1 (cos( n/s )|0 + sin( n/s )|1))| (11.23)
2 2
π(k j − k j )
=|sj=1 cos( )|
2n/s
and can be non-negligible. In this case, the adversary can decrypt the ciphertext with
π(k j −k )
non-negligible probability |sj=1 cos( 2n/s j )|2 . Thus, single-qubit rotation is not
suitable for instantiating the QRO.
B. A good example: quantum fingerprinting
The quantum fingerprinting technique was used for constructing a quantum hash
function [32]. By replacing QRO with this quantum hash function, we can describe
the QPKE protocol as follows:
Scheme 2: The QPKE protocol based on quantum fingerprinting [32] consists of
three steps
• Key-generation Gen: Gen fixes a number t. Gen chooses a random n-bit-string
sk = k1 k2 . . . kt ∈ {0, 1}n with each k j chosen independently from Z2n/t . Gen
also selects dt = 2s/t−1 t parameters K = {κ1,1 , . . . , κd,t } where κi, j ∈ Z2n/t .
Then Gen prepares s qubits of |0z ⊗s and obtains a public key
1
d
| pk = ⊗tj=1 √ |i·
d i=1 (11.24)
2πκi, j k j πκi, j k j
(cos( )|0 + sin( n/t )|1)
2n/t 2
The secret key is sk.
• Encryption Enc: for the plaintext m ∈ {0, 1}, Enc probabilistically parity-codes
m into t-bit codeword w = w1 w2 . . . wt , then Enc encrypts w by rotating js/tth
qubit of the public key with the angle πw j
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption 235
1
d
⊗tj=1 √ |i·
d i=1
(11.25)
2πκi, j k j πκi, j k j
cos n/t
+ πw j |0 + sin + πw j |1
2 2n/t
• Decryption Dec: for the ciphertext |c, Dec operates the inversion of Gen to
obtain
1
d
⊗tj=1 √ |0(cos(πw j )|0 + sin(πw j )|1) (11.26)
d i=1
then applies CNOT gate where the first s − 1 qubits are the control qubits. Now
the last qubit becomes
The measurement on the base vector {|0, |1} can output a classical m.
By means of properly choosing the parameter K , this scheme is secure under the
key-collision attack. Consider the encryption of one codeword bit w j . The public
key for this codeword is
1
d
2πκi, j k j πκi, j k j
| pk(k j ) = √ |i cos |0 + sin |1 (11.28)
d i=1 2n/t 2n/t
It can be proved that the public-keys of any distinct pairs (k j , k j ) are near-orthogonal
with properly selected {κ1, j , κ2, j , . . . , κd, j }. In [32], the proof of following lemma
was given.
1
d
2πκi k πκi k
|h(k) = √ |i cos |0 + sin |1 (11.29)
d i=1 2n 2n
From Lemma 2, we know that public keys of any distinct pairs (k j , k j ) are near-
orthogonal with properly selected {κ1, j , κ2, j , . . . , κd, j }. Since the public keys for
different codewords are not entangled with each other, the inner product of any two
distinct public keys is
236 11 Security Analysis Based on Quantum Random Oracle Model
Thus, the probability that the adversary successfully implements the key-collision
attack Prkey−collision attack (adver sar y) = | pk(k)| pk(k )|2 is bounded by δ 2t .
According to a similar technique in the proof of Theorem 3, the QPKE protocol
is secure against the key-collision attack.
We give the numerical results of the simulation of the key-collision attack on the
aforementioned two examples of the QRO instantiation.
Simulation parameters are set as follows: To make comparison of the two instan-
tiation examples with the same consumption of quantum resource, the length of the
public key n in two examples is the same, ranging from 1 qubit to 1000 qubits. Each
component of the secret key in both scheme (ki , i = 1, . . . , s in Scheme 1 and k j ,
j = 1, . . . , t in Scheme 2 is 8 bits. Parameter d in Scheme 1 is d = 8, thus the length
of the public key in Scheme 2 is n = (log2 d + 1)t ⇒ t = log nd+1 = n4 . Parame-
2
ters κi, j ∈ {0, 1}8 , so 8dt = 16n-bit extra memory for K = {κi, j , i = 1, . . . , d, j =
1, . . . , k} is required in Scheme 2. To simulate the key-collision attack, we assume
that the difference of rotating angle of the correct public key and the attacker’s public
key is less than θ = 2π5 . The probability of this attack is no less than 2θ
π
= 216 ≈ 6%,
which corresponds to the random guess of the rotating angle of the correct public
key.
Fig. 11.3 shows the comparison between the adversary’s advantage over Scheme 1
and Scheme 2, and Table 11.2 specifies parameters and results when n = 100. Appar-
ently, while increasing the length of the public key can help reduce the advantage of
the adversary, Scheme 1 is vulnerable under the key-collision attack when n = 100.
On the other hand, Scheme 2 performs well under the key-collision attack even with
a short public key, while it requires extra storage of 1600 bits for K = {κi, j } when
n = 100.
11.3 Summary
In this chapter, we provided a new QRO model and a framework of security analysis
procedure for the provable security of quantum cryptographic protocols based on
quantum one-way function. A QDS scheme was proved QCMA-secure through a
sufficiently reliable reduction to no-cloning theorem. Then we provided a new quan-
tum random oracle model with reasonable properties for quantum hash-based QPKE
protocol. We also demonstrated what kind of instantiation is suitable for the quantum
random oracle and verified it by numerical simulation. We note that, while it is natural
11.3 Summary 237
1
Scheme 1
Scheme 2
0.9
0.8
0.7
adversary's advantage
0.6
0.5
0.4
0.3
0.2
0.1
0
0 100 200 300 400 500 600 700 800 900 1000
length of the public key
to conceive secure QPKE schemes under quantum chosen cyphertext attack (qCCA)
as in the classical circumstances, how the adversary would deal with the quantum
decryption oracle which is probabilistic due to the randomness of measurement is
still an open question. Further work lies in the security analysis of quantum public
key cryptographic protocols under qCCA, or other kinds of quantum random oracle
like “quantum-to-quantum” random oracle.
238 11 Security Analysis Based on Quantum Random Oracle Model
References
1. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient
protocols. In: ACM Conference on Computer and Communications Security (CCS) pp. 62–73
(1993)
2. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA
and Rabin. In: International Conference on the Theory and Applications of Cryptographic
Techniques (EUROCRYPT’ 96), vol. 1070, pp. 399–416 (1996)
3. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: International Conference
on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’ 96), vol. 1070,
pp. 387–398 (1996)
4. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption.
In: International Conference on the Theory and Applications of Cryptographic Techniques
(EUROCRYPT 2004), vol. 3027, pp. 207–222 (2004)
5. Bresson, E., Chevassut, O., Pointcheval, D., et al.: Provably authenticated group Diffie-Hellman
key exchange. In: ACM Conference on Computer and Communications Security (CCS), pp.
255–264 (2001)
6. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput.
Sci. 7073(1), 41–69 (2010)
7. Zhandry, M.: How to construct quantum random functions. In: Annual IEEE Symposium on
Foundations of Computer Science (FOCS), pp. 679–687 (2012)
8. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Annual
International Cryptology Conference (CRYPTO 2012), vol. 7417, pp. 758–775 (2012)
9. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum com-
puting world. In: Annual International Cryptology Conference (CRYPTO 2013), vol. 8043,
pp. 361–379 (2013)
10. Shang, T., Lei, Q., Liu, J.W.: Quantum random oracle model for quantum digital signature.
Phys. Rev. A 94(4), 042314 (2016)
11. Gottesman, D., Chuang, I.L.: Quantum digital signatures. arXiv:quant-ph/0105032 (2001)
12. Swanson, C.M., Stinson, D.R.: Unconditionally secure signature schemes revisited. In: Inter-
national Conference on Information Theoretic Security (ICITS), vol. 6673, pp. 100–116 (2011)
13. Amiri, R., Andersson, E.: Unconditionally secure quantum signatures. Entropy 17(8), 5635–
5659 (2015)
14. Arrazola, J.M., Wallden, P., Andersson, E.: Multiparty quantum signature schemes. Quantum
Inf. Comput. 16(5–6), 435–464 (2016)
15. Yin, H.L., Fu, Y., Chen, Z.B.: Practical quantum digital signature. Phys. Rev. A 93(3), 032316
(2016)
16. Yin, H.L., Fu, Y., Liu, H., et al.: Experimental quantum digital signature over 102 km. Phys.
Rev. A 95(3), 032334 (2017)
17. Lamport, L.: Constructing digital signatures from a one-way function. Palo Alto: Technical
Report CSL-98, SRI International, vol. 238 (1979)
18. Clarke, P.J., Collins, R.J., Dunjko, V., et al.: Experimental demonstration of quantum digital
signatures using phase-encoded coherent states of light. Nat. Commun. 3, 1174 (2012)
19. Dunjko, V., Wallden, P., Andersson, E.: Quantum digital signatures without quantum memory.
Phys. Rev. Lett. 112(4), 040502 (2014)
20. Collins, R.J., Donaldson, R.J., Dunjko, V., et al.: Realization of quantum digital signatures
without the requirement of quantum memory. Phys. Rev. Lett. 113(4), 040502 (2014)
21. Nikolopoulos, G.M.: Applications of single-qubit rotations in quantum public-key cryptogra-
phy. Phys. Rev. A 77(3), 032348 (2008)
22. Seyfarth, U., Nikolopoulos, G.M., Alber, G.: Symmetries and security of a quantum-public-key
encryption based on single-qubit rotations. Phys. Rev. A 85(2), 022342 (2012)
23. Koblitz, N., Menezes, A.J.: The random oracle model: a twenty-year retrospective. Des., Codes
Cryptogr. 77(2–3), 587–610 (2015)
References 239
24. Hwang, T., Lee, K.C., Li, C.M.: Provably secure three-party authenticated quantum key distri-
bution protocols. IEEE Trans. Dependable Secur. Comput. 4(1), 71–80 (2007)
25. Pointcheval, D., Stern, J.: Provably secure blind signature schemes. In: International Conference
on the Theory and Applications of Cryptology and Information Security (ASIACRYPT’ 96),
vol. 1163, pp. 252–265 (1996)
26. Ablayev, F., Vasiliev, A.: Quantum hashing. arXiv:1310.4922 (2013)
27. Bennett, C., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In:
Proceedings of the International Conference on Computers, Systems, and Signal Processing,
pp. 157–179 (1984)
28. Zhou, J., Zhou, Y., Niu, X., Yang, Y.: Quantum proxy signature scheme with public verifiability.
Sci. China-Phys. Mech. Astron. 54(10), 1828–1832 (2011)
29. Buhrman, H., Cleve, R., Watrous, J., de Wolf, R.: Quantum fingerprinting. Phys. Rev. Lett. 87,
167902 (2001)
30. Nikolopoulos, G.M.: Applications of single-qubit rotations in quantum public-key cryptogra-
phy. Phys. Rev. A 77(78), 156 (2008)
31. Nikolopoulos, G.M., Ioannou, L.M.: Deterministic quantum-public-key encryption: forward
search attack and randomization. Phys. Rev. A 79(4), 126–136 (2009)
32. Ablayev, F., Vasiliev, A.: Cryptographic quantum hashing. Laser Phys. Lett. 11(2), 25202
(2014)
33. Ablayev, F., Ablayev, M., Vasiliev, A.: On the balanced quantum hashing. J. Phys.: Conf. Ser.
681(1), 12019 (2016)
34. Ziatdinov, M.: From graphs to keyed quantum hash functions. Lobachevskii J. Math. 37(6),
705–712 (2016)
35. Yang, Y., Xu, P., Yang, R., Zhou, Y., Shi, W.: Quantum hash function and its application
to privacy amplification in quantum key distribution, pseudo-random number generation and
image encryption. Sci. Rep. 6(1), 19788 (2016)
36. Shang, T., Lei, Q., Liu, J.: Quantum random oracle model for quantum digital signature. Phys.
Rev. A 94, 042314 (2016)
37. Shang, T., Chen, R., Lei, Q.: Quantum random oracle model for quantum public-key encryption.
IEEE Access 7(1), 130024–130031 (2019)
38. Holevo, A.S.: Bounds for the quantity of information transmitted by a quantum communication
channel. Probl. Inf. Transm. 9, 3–11 (1973)
39. Okamoto, T., Tanaka, K., Uchiyama, S.: Quantum public-key cryptosystems. In: Advances in
Cryptology - CRYPTO 2000, International Cryptology Conference, pp. 147–165 (2000)
40. Kawachi, A., Koshiba, T., Nishimura, H., Yamakami, T.: Computational indistinguishability
between quantum states and its cryptographic application. J. Cryptol. 25(3), 528–555 (2012)
41. Koshiba, T.: Security notions for quantum public-key cryptography. arXiv:quant-ph/0702183
(2007)
42. Nayak, A.: Optimal lower bounds for quantum automata and random access codes. In: 40th
Annual Symposium on Foundations of Computer Science, pp. 369–376 (1999)
Chapter 12
Security Analysis of Quantum
Obfuscation
simply accessing the function with a black-box oracle. In 2001, Barak et al. [2] first
introduced the concept of obfuscation into the field of cryptography and proposed
its three features as follows:
1. (Functionality) The obfuscated program has the same computational function as
the original one.
2. (Polynomial slowdown) The running time of the obfuscated program cannot
exceed the polynomial size of the original running time.
3. (Black-box property) Any valid message computed through the obfuscated pro-
gram can be effectively computed with access to the oracle of the original program.
This is a guarantee for the security of the obfuscated program, which is based on
the security of simulation paradigm.
They also pointed out that obfuscation will have a series of cryptographic purposes
such as transforming private-key encryption into public-key encryption, removing
a random oracle, etc. Unfortunately, they also proved that such an obfuscator is
nonexistent.
In the next few years, some positive results of obfuscation were proposed. Lynn
et al. [3] discussed point functions and the simple obfuscation of combined point
functions, and gave the first positive result of obfuscation theory by means of access
control problem based on regular expression. After that, point functions become one
of the focus problems of obfuscation theory. In 2005, Wee [4] made a more detailed
study on the obfuscation of point functions and drew some important conclusions.
He proved that we can construct a valid obfuscator for point functions by weaken-
ing the concept of obfuscation, although an obfuscator has certain constrains. For
example, a simulated adversary must output a single bit. For such constrains, Canetti
et al. proposed an obfuscator for multi-bit output point functions [5], thereafter dis-
cussed the possibility of its application in symmetric encryption [6]. In connection
with obfuscation of combined point functions, they presented a concept of virtual
gray-box obfuscation, which is weaker than a virtual black-box one. Also, some
researches suggest that there is a certain connection between obfuscation theory and
zero-knowledge [1].
Quantum obfuscation is based on the theory of quantum circuit and quantum
computing. Since quantum computing theory is far from maturer than its classical
counterpart, until 2014, no one had publicly published research on quantum obfusca-
tion. At the 2014 Quantum Computing Theory Conference (TQC), Alagic et al. [7]
first proposed quantum obfuscation based on quantum topological calculations. They
used the specific high-dimensional expression of the braid group to compile quan-
tum circuits into braids, and then convert it into a normal form. In 2016, Alagic and
Fefferman [8] formally proposed the definition of quantum obfuscation. The quantum
black-box obfuscator was first defined and proved more practicable than classical
black-box obfuscator. Then they defined the quantum indistinguishable obfuscator
and pointed out some possible application such as quantum-secure one-way function
(qOWF) and public-key quantum money.
In this chapter, we give a further discussion on quantum obfuscation, then
introduce the definition and obfuscatability of quantum point functions under the
12.1 Obfuscatability of Quantum Point Functions 243
quantum-accessible random oracle model [9]. We start with reduction skills for
quantum obfuscation and the obfuscator for combined quantum circuits, then we
give a definition of quantum point functions. Under the quantum-accessible random
oracle, we discuss the obfuscatability of quantum point function families and their
variants. Finally, we discuss a probable application of quantum obfuscation.
Similar to classical ones, quantum circuits consist of quantum gates, which are
described by the individual behavior of the state of microscopic particles, and evolve
from one state to another. The unitarity is the only limitation of a quantum logic
gate and each unitary matrix defines an effective quantum gate. Nielson and Chuang
[10] proved that we can construct a reversible quantum gate sequence for classi-
cal computable functions. Any classical function f that has m-bit inputs and k-
bit outputs can be implemented on a quantum computer. Assuming that there is
a quantum gate sequence U f of m + k qubits, the function f is implemented as
U f : |x, y → |x, y ⊕ f (x). The quantum gate sequence U f represented above is
unitary for any function f . To calculate f (x), we can apply U f to the state |x, 0.
f (x) ⊕ f (x) = 0, so U f U f = I .
We can combine quantum circuits together to construct a new quantum circuit. In
this case, a control register is needed to decide which circuit is to be used. Formally,
a combined quantum circuit denoted by
C1 #C2 # . . . #Ct
3. (Virtual black-box) for every QPT A there exists a QPT S UC such that
When carrying obfuscation over the quantum case, the “interpreter” algorithm δ
must be well explained. Since an end user (and hence also any adversary) should be in
possession of a quantum computer, it is conceivable that the obfuscation result may
not just be another description of a quantum circuit. Instead, the obfuscator might
output a quantum state, which is then to be employed by the end user to execute a
desired function in some “well-specified” manner [8]. Now we no longer have any
quantum circuit description in hand, therefore, an interpreter algorithm δ must be
used to execute a specific function.
How to understand such a QPT δ? One may think of δ as an algorithm which
is fixed once and for all for a certain state class. It is also feasible to regard the
obfuscation result as a quantum state O(C) and an algorithm δ which inputs O(C)
and r ho and implements the function of UC . Alagic and Fefferman [8] pointed out that
all of these variants are equivalent, in the sense that a black-box quantum obfuscator
of each variant exists if and only if the other variants exist. Since the interpreters are
used not only when obfuscating a quantum circuit but also in some reduction skills
in this work, we will set the interpreter δ to be universal, and it is conceivable to
assume that we can always implement a function by producing a specific state and
executing it with δ.
We note that the quantum obfuscation theory is so far a relatively rough one. Many
critical concepts and theorems in the classical case have not yet been well presented
in quantum behavior.
Bellare and Rogaway [11] proposed the classical random oracle (RO) model in 1993,
which provides a rigorous reduction method of cryptographic security proof. Under
such a model, all parties, namely adversaries and legal ones, have access to the same
oracle R, and get random yet consistent answers. An algorithm S is denoted by S R ,
so long as queries to R have been made.
As for quantum circumstances, security proof becomes complicated. Bennett and
Brassard [12] discussed an oracle quantum
Turing machine A, which responds intu-
itively a string in the entangled
state x a x |x ◦ A(x) when called with a query tape
of superposition state x ax |x ◦ 0. It will also be useful to put the target bit b into a
12.1 Obfuscatability of Quantum Point Functions 245
√
superposition, like β = (|0 − |1)/ 2. In this case, the whole input state will be left
unchanged if A(x) = 0 and will be left unchanged while introducing a phase factor
1 if A(x) = 1. Such an oracle quantum Turing machine can also be assumed as a
length-preserving one, and it can be achieved by interpreting the oracle answer on the
pair (x, i) as the ith bit of the function value. In this case, A is called a permutation
oracle.
Intuitively, a query with superposition state should also be allowed in the quantum-
accessible random oracle (QRO) model. A QRO must simultaneously compute for
the query at possibly exponentially many points. For post-quantum cryptography,
Boneh et al. [13] gave out a key separation by presenting that a protocol is secure in
the classical random oracle model while insecure in the quantum-accessible random
oracle model.
In this work, a QRO, when no confusion may arise, will be interpreted as a length-
preserving oracle, which means Rq : |x, y → |x, y ⊕ R(x), where R : {0, 1}∗ →
{0, 1}∗ .
In this section, we will discuss reduction skills for quantum obfuscation and the
obfuscator for combined quantum circuits. Many of our ideas come from Lynns’
work [3] on classical obfuscation theory, which helps us extend obfuscation into
quantum circumstances.
for every valid input ρ. This relationship is called Oracle implementable relationship.
Here we denote by C D such relationship of C and D.
In this definition, we follow the idea of Alagics’ work that our quantum state
achieves a specific function with an interpreter δ. This is consistent with the definition
of a quantum obfuscator, which helps our following proof.
246 12 Security Analysis of Quantum Obfuscation
Due to the black-box property of O (D), there exists a simulator S such that
It indicates that with a quantum circuit N and oracle access to UC , one can simulate
oracle access to U D , with negligible Euclid distance. So our S UC works as follows.
12.1 Obfuscatability of Quantum Point Functions 247
The structures of A and S are shown in Figs. 12.1 and 12.2. So we finish our proof
that M O(D) (|0n ) is an obfuscation of C.
Definition 12.5 A quantum circuit family C is learnable, if for any C ∈ C there exists
a quantum circuit P such that
Definition 12.6 A learnable quantum circuit family is called trivial quantum obfus-
catable family. Given a quantum circuit learnable family, the obfuscation via learning
is called trivial quantum obfuscation.
Pr [S UC# D (|0⊗|C# D| ) = 1]
(12.5)
= Pr [S U D (|0⊗|D| ) = 1].
In this section, we will give a precise definition of quantum point functions, especially
the ones with an input of quantum superposition.
Lemma 12.3 A quantum point function family U is obfuscatable, under the quantum-
accessible random oracle model.
by quantum gate Ch q : |x, y → |x, y ⊕ Ch(x) and uses it on both the second
register of return result of the oracle and the target register of input of the quantum
circuit. The whole quantum circuit is implemented as Fig. 12.3.
Firstly, we prove the functional equivalence property of Uα . We point out that the
quantum-accessible oracle is implemented as a permutation oracle {0, 1}n → {0, 1}n .
hence R(x)= R(α) if and only if x = α. Therefore,
In this sense R is a bijective,
O R (Uα ) correctly maps x ax |x ◦ 0 to x ax |x ◦ Pα (x).
Since quantum random query is made once for any input, polynomial slowdown
condition holds. Now we prove the black-box property. For any adversary A, a
simulator S Uα can be built as follows: S sets a copy of A internally (noted by A ),
then S randomly chooses a ∈ {0, 1}n and builds a quantum state |α, 0m , then queries
the random oracle Rq with it twice to get two same quantum states |r1 , |r2 . Then it
builds a circuit C like this: for an input |x, y, C queries random oracle with |x, 0m ,
keeps the return value |r , and check if r1 = r . If so, it reverses register |y. Next,
12.1 Obfuscatability of Quantum Point Functions 251
S puts C into A , every time A queries Rq with |x, y, S queries Uα with |x, 0. If
S gets |1, it returns |x, y ⊕ r2 , otherwise S randomly chooses a number in {0, 1}n ,
queries R with it and returns to A . Finally, S outputs what A outputs. Obviously,
A performs exactly the same as A.
|Pr [A = 1] − Pr [S Uα = 1]| = 0
In the context of multi-qubit output, |0n becomes a possibly valid output. In the
classical case, the invalid output ⊥ is introduced and a point function with multi-
qubit output is defined by
β if x = α
Pα,β (x) = .
⊥ other wise
where α, β ∈ {0, 1}n . However, as the quantum circuits are required to be invertible
and unitary, concession must be made to keep consistence with well-formed QPT.
Conceretly, to avoid the use of ⊥, we manually set |0n to present an invalid input,
therefore, β is restricted in any bit string in {0, 1}n except 0n . In this sense, Pα,β will
be modified as Pα,β to output 0n when x = α.
Definition 12.8 A quantum point function with general output is defined as follows:
Uα,β : |x, 0n → |x, Pα,β
Lemma 12.4 A quantum point function family C with multi-qubit output is obfus-
catable, under the quantum random oracle model.
Proof A QRO Rq is used in the proof. Firstly, we randomly choose r ∈ {0, 1}n ,
query Rq with |r, α, 02n and get |r, α, 02n ⊕ R(r, α) = |r, α, a ◦ b, where a and
b is the first n bits and the last n bits of R(r, α). Note that R is a length-preserving
oracle. Then we compute c = b ⊕ β. Now we can remove any information about α
and β, and just keep r , a and c. Next, for every input |x, 0, O R (Uα,β ) makes query to
Rq with |r, x|02n , gets |r, x|R(r, x) = |r, x|R1 (r, x), R2 (r, x) in return. Finally,
O R (Uα,β ) implements the checking function
c ⊕ R2 i f x = a
Ch(x) =
0n other wise
by a quantum gate Ch q : |x, y → |x, y ⊕ Ch(x) and implies it on both the second
register of return result of the oracle and the target register of input of the quantum
circuit.
It is obvious that this obfuscation is valid, with the similar method used in the
proof of Lemma 12.3.
We can see that C can be simply obfuscated. Note that we have only polynomial
many obfuscations, the probability that two of them happen to pick up the same r is
negligible. Under this condition, the simulator will be able to simulate any adversary.
where αi ∈ {0, 1}n , βi ∈ {0, 1}n \0n and P(α1 ,β1 ),...,(αt ,βt ) is a classical function that
maps {0, 1}n to {0, 1}tn :
βi i f x = αi
P(α1 ,β1 ),...,(αt ,βt ) (x)|i =
0n other wise
and P(α1 ,β1 ),...,(αt ,βt ) (x) = P(α1 ,β1 ),...,(αt ,βt ) (x)|1 ◦ · · · ◦ P(α1 ,β1 ),...,(αt ,βt ) (x)|t .
Let C(α1 ,β1 ),...,(αt ,βt ) to be a quantum circuit which implements U(α1 ,β1 ),...,(αt ,βt ) .
Define Cnt = {C(α1 ,β1 ),...,(αt ,βt (n) ) : αi , βi ∈ {0, 1}n }. Define C ∗ = poly t Cnt
Proof We will show that Cnt {Cn1 # . . . #Cnt : Cni ∈ Cn }. Since C can be simply
obfuscated, {C1 # . . . #Ct : Ci ∈ C} is obfuscatable. Therefore, given Lemma 12.1,
C t is obfuscatable, so is C ∗ .
To built a QTP M that M UCn1 #...#Cnt computes Cnt , M has access to each oracle
successively and simply concatenates all return values. To built a QTP N that N UCnt
computes Cn1 # . . . #Cnt , N query the oracle of Cnt with the input register once and
discard the unwanted part of output according to the control register. Since the control
register is fixed to be a basic state, measurement will not cause any information loss
of the input register.
The study of obfuscation was initiated by Hada [1], and was formally proposed and
formulated in Barak’s influential work [2]. In the first few years, research develop-
ment was restricted by crucial negative results. Hada [1] observed that a piece of
code cannot be perfectly obfuscated unless it is learnable. Barak et al. [2] demon-
strated that the virtual black-box property unconditionally rules out the existence of
a general obfuscator, i.e., an obfuscator for all circuit families. In 2005, Goldwasser
and Kalai [20] showed the impossibility of obfuscator with arbitrary auxiliary inputs.
Sequentially in 2007, Hofheinz et al. [21] gave out the reason why many determin-
istic functions cannot be obfuscated. Recent negative results include the works of
Bitansky [22, 23] and Garg et al. [24]. All these impossibilities demand to either
refer to some more relaxed definition of obfuscation, or try to obfuscate programs
with limited categories of functions.
In the path of weaker definition, Barak et al. [2] put forth the idea of indis-
tinguishable obfuscation (iO). An iO makes it hard for adversaries to distinguish
two obfuscated programs if they agree on all inputs. Indistinguishable obfusca-
tion is also proved to be equivalent to the so-called best-possible obfuscation [25],
which can hide any information that any other obfuscation can hide. The usage
and construction of iO have been discussed recently by Sahai and Waters [26] and
Garg et al. [27]. In terms of limited kinds of functions, point functions first drew
academic attention and was proved obfuscatable under the random oracle model [3].
Following this idea, some positive results have been published successively. Canetti
and Dakdouk [5] formally extended the point functions to the ones with multi-bit
outputs by means of composition technique. This extension essentially strengthens
the connection between obfuscation and encryption. Subsequently, he showed this
tight connection [6]. In 2010, the virtual gray-box (VGB) property was proposed and
point functions were proved composable under this meaning.
One branch of quantum cryptography, beyond quantum key distribution (QKD)
and post-quantum cryptography, is to carry classical cryptographic primitives over
quantum circumstances. Quantum one-time pad (QOTP) [28] is a representative
example, but for so long there have been a lacking even in the most basic cryp-
tographic concepts. Scattered primitives such as quantum homomorphic encryption
[29], quantum homomorphic signature [30], and quantum random oracle (QRO) [13,
31], have been discussed. In 2016, Alagic et al. [32] built the concept of semantic secu-
rity, IND-CPA (indistinguishability under chosen plaintext attack) and IND-CCA1
(indistinguishability under non-adaptive chosen ciphertext attack) for quantum sit-
uation. More recent work includes quantum non-malleability [33], quantum IND-
CCA2 (indistinguishability under adaptive chosen ciphertext attack), and authenti-
cated encryption [34]. As for the notion of obfuscation, the research is relatively
immature. The first idea of “protecting software by a quantum state” was originated
256 12 Security Analysis of Quantum Obfuscation
in Scott Aaronson’s ten semi-grand challenges for quantum computation. In 2016, the
definition of quantum VBB obfuscation and quantum iO was proposed [8], although
many basic concepts in this area is yet to be set.
In this section, we introduce a quantum symmetric encryption scheme by means
of quantum obfuscator [35]. We start with the basic requirement of IND-secure and
point out that a quantum VBB obfuscator satisfies this requirement unconditionally.
Then we prove that a quantum obfuscator with combinable property or auxiliary input
property corresponds to encryptions with IND-CPA security or leakage resilience.
Note that the absence of the usefulness of quantum obfuscation may eliminate the
positivity of related research. We hope that such work will be inspiring in the field
of quantum obfuscation.
Recall that the single qubit Pauli operators are defined as:
01 0 −i 1 0
σX = , σY = , σZ =
10 i 0 0 −1
Here we take an identity matrix I2 into account. So the Pauli operation set consists
of four Pauli matrices P = {I2 , σ X , σY , σ Z }.
The definition of quantum one-time is quite simple: for each qubit ρ, randomly
choose one operator from Pauli set P and apply it on ρ. It is evident that such operation
is information-theoretically indistinguishable, since the output state is maximally
mixed
1 I2
(ρ + σ X ρσ †X + σY ρσY† + σ Z ρσ †Z ) =
4 2
12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation 257
Since the Pauli operators are self-adjoint, the above operation can be achieved by
choosing two single bits α, β ∈ {0, 1}, and applying the mapping
β β
ρ → σ αX σ Z ρσ Z σ αX
ρ → X α Z β ρZ β X α
1 1
2n
Un ρUn† = 2n α,β X α Z β ρZ β X α
2 2
= α,β T r (ρZ β X α )δα,0 δβ,0 X α Z β
T r (ρ)
= I2n
2n
I2n
= n
2
Following the idea of quantum one-time pad, we are interested in the circumstances
where the message space and cypher-text space are the set of density operators
on Hilbert space H M , HC , and the key space K = {0, 1}n [32]. The set of density
operators, i.e., all physically possible quantum states on Hilbert space H is denoted
by D(H). Then a quantum symmetric encryption scheme is defined as follows:
Definition 12.10 A quantum symmetric encryption scheme is a triple QPTs of
(key generation)Gen : 1n → k ∈ Kn , (encryption)Enck : K × D(HM ) → D(HC )
and (decryption)Deck : K × D(HC ) → D(HM ), satisfying correctness property:
for all k ∈ Kn .
To analyze the security of a quantum encryption scheme, we introduce Alagic’s
work [32] on indistinguishably of encryptions.
258 12 Security Analysis of Quantum Obfuscation
Challenger
where ρ M E ← M(1n ), ρ E = tr M (ρ M E ).
We denote again that A runs in polynomial time. If we assume that an oracle gate
runs in a unit of time O(1), then A has only polynomial many of oracle queries sent
to Enck .
1. (Polynomial expansion)
m = poly(n)
3. (Virtual black-box) for every QPT A, there exists a QPT S UC such that
Point functions return an internal value m when the input equals a specific k, and
0 elsewise. In the theory of quantum computation, such a function can be described
as
|x, y ⊕ m i f x = k
Uk,m : |x, y →
|x, y other wise
Since an obfuscator for all functions does not exist, consider a quantum obfuscator
only for quantum point functions, then we assume that the input of an obfuscator
is delineated by m and k. Therefore, n in Definition 12.13 equals |m| + |k|, and we
have |O(Um,k )| = poly(|m| + |k|).
We then define a stronger version of quantum point obfuscator, which preserves
security even when an adversary has a combination of different point functions. With
respect to quantum encryption, we are interested in the case where the point functions
are of the same k. In this case, we call it self-combinable.
Scheme 12.1 Let O be a quantum point obfuscator and Uk,r be a quantum point
function. A quantum symmetric encryption scheme is a triple QPTs of following
algorithms
1. (key generation)Gen(1n ) = k ∈ Kn ,
2. (encryption)Enck (ρ) = Pr ρPr ⊗ O(Ur,k ), where r is randomly chosen from
{0, 1}2n ,
3. (decryption)Deck (c ⊗ ) = Pr c Pr , where r is the measurement result of
T r1 [δ( ⊗ |k, 02n k, 02n |)].
The encryption and decryption algorithm are shown in Figs. 12.5 and 12.6.
Correctness of the scheme. Proving the scheme’s correctness, we apply
|kright , 02n with the right key kright = k to the obfuscated point function. By func-
tional equivalence property, we get
δ( ⊗ |k, 02n k, 02n |) = δ(O(Uk,r ) ⊗ |k, 02n k, 02n |)
≈ p Uk,r (|k, 02n ) = |k, r
After tracing out the first register of |k|-qubits and measurement, we get r = r , with
which we can correctly recover ρ from Pr ρPr .
While with the wrong key kwr ong = k, the measurement gives r = 0, and the
message is kept secret.
RNG
Output
k k
Gen
r O
12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation 261
c
c
k r
M
Now we indicate the security of the encryption scheme. Specifically, we have the
following theorem.
Theorem 12.1 If a quantum point obfuscator exists, then the quantum symmetric
encryption scheme in Scheme 12.1 is IND-secure.
Proof For any adversary A = (M, D), set s = (Pr ⊗ I E )ρ M E , and t = (Enck ⊗
I E )(|00| M ⊗ ρ E ), we have
|Pr {D[(Enck ⊗ I E )ρ M E ] = 1}
−Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1}|
=|Pr {D[s ⊗ O(Uk,r )] = 1} − Pr {D[t ⊗ O(Uk,r )] = 1}|
(12.6)
=|Pr {D[s, O(Uk,r )] = 1} − Pr {D[t, O(Uk,r )] = 1}|
≤g(r ) |Pr {D[s, g(r )] = 1} − Pr {D[t, g(r )] = 1}|
·Pr [D (O(Uk,r )) = g(r )]
In the last equation, the sum symbol is for all possible g(r ), and D is a subroutine
of D dealing with O. By the VBB property, we have a simulator S satisfying
Note that S has oracle access to Uk,r , then g(r ) can only be r (when S successfully
accesses the oracle with k), or 0 (when not). So we can rewrite Eq. 12.6 as
For the first item to the right side of the inequality, consider QPT S with polyno-
mial many queries. While the key space K is uniformly random {0, 1}n , the possi-
bility Pr [S Uk,r (0n ) = r ] = poly(n)/2n ≤ negl(n). For the second item to the right
of inequality, we have
Finally, we have
|Pr {D[(Enck ⊗ I E )ρ M E ] = 1}
−Pr {D[(Enck ⊗ I E )(|00| M ⊗ ρ E )] = 1}|
≤|Pr {D(s, r ) = 1} − Pr {D(t, r ) = 1}|
·|Pr [S Uk,r (0n ) = r ] + negl(n)|
+|Pr {D(s, 0) = 1} − Pr {D(t, 0) = 1}|
·|Pr [S Uk,r (0n ) = 0] + negl(n)|
≤|Pr {D(s, r ) = 1} − Pr {D(t, r ) = 1}| · negl(n)
+negl(n) · |Pr [S Uk,r (0n ) = 0] + negl(n)|
≤negl(n)
Proof The correctness holds obviously. Assume that A = (M, D) queries encryp-
tion oracle for t = poly(n) times. Then there are r1 , . . . , rt (used by the encryption
oracle) and r (used by the challenger) that maximize the difference
Here we prove that auxiliary input corresponds to the quantum leakage resilience.
We firstly define a quantum leakage-resilient encryption scheme, which is similar to
its classical counterpart just like many other quantum cryptographic terminologies.
We now show that a quantum point obfuscator with auxiliary inputs implements
quantum leakage-resilient encryption. The proof is very similar to that of Theorem
12.1.
Theorem 12.3 If (O, δ) is an quantum point obfuscator with auxiliary input f , then
Scheme 12.1 is leakage-resilient against key information f (k).
Proof The correctness holds obviously. For any adversary A = (M, D), set s =
(Pr ⊗ I E )ρ M E , and t = (Enck ⊗ I E )(|00| M ⊗ ρ E ), we have
Similarly, we have
For the first item to the right side of the the inequality, Pr [S Uk,r ( f (k)) = r ] ≤
negl(n) due to the irreversibility of f and uniformity of k. For the second item to
the right side of the inequality, it is negligible according to the indistinguishableness
of quantum one-time pad. Therefore, the whole difference is negligible, and Scheme
12.1 is leakage-resilient against f .
12.3 Summary
In this chapter, to precisely define quantum point function family and analyze its
obfuscatability under the quantum-accessible random oracle, we introduce essential
reduction and combination skills. A quantum multi-point function family with multi-
qubit output was proved obfuscatable under the QRO model. We also discussed an
obfuscation-based QZK scheme. Then we demonstrate the usability of a quantum
point obfuscator in a quantum symmetric key encryption. We give the construction
12.3 Summary 265
References
1. Hada, S.: Zero-knowledge and code obfuscation. In: International Conference on the Theory
and Application of Cryptology and Information Security (ASIACRYPT 2000), vol. 1976, pp.
443–457 (2000)
2. Barak, B., Goldreich, O., Impagliazzo, R., et al.: On the (im)possibility of obfuscating programs.
In: Annual International Cryptology Conference (CRYPTO 2001), vol. 2139, no. 2, pp. 1–18
(2001)
3. Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Inter-
national Conference on the Theory and Applications of Cryptographic Techniques (EURO-
CRYPT 2004), vol. 3027, pp. 20–39 (2004)
4. Wee, H.: On obfuscating point functions. In: ACM Symposium on Theory of Computing
(STOC), pp. 523–532 (2005)
5. Canetti, R., Dakdouk, R.R.: Obfuscating point functions with multibit output. In: Interna-
tional Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT
2008), vol. 4965, pp. 489–508 (2008)
6. Canetti, R., Kalai, Y.T., Varia, M., et al.: On symmetric encryption and point obfuscating. In:
Theory of Cryptography Conference (TCC), vol. 5978, pp. 52–71 (2010)
7. Alagic, G., Jeffery, S., Jordan, S.: Circuit obfuscation using braids. In: Conference on the
Theory of Quantum Computation, Communication and Cryptography (TQC), vol. 27, pp.
141–160 (2014)
8. Alagic, G., Fefferman, B.: On quantum obfuscation (2016). arXiv:1602.01771
9. Shang, T., Chen, R.Y.L., Liu, J.W.: On the obfuscatability of quantum point functions. Quantum
Inf. Process. 18(2), 55 (2019)
10. Nielson, M.A., Chuang, I.: Quantum Computation and Quantum Information. Cambridge Uni-
versity Press, IL (2002)
11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient
protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73
(1993)
12. Bennett, C.H., Brassard, G.: Strengths and weaknesses of quantum computing. SIAM J. Com-
put. 26(5), 1510–1523 (1997)
13. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput.
Sci. 7073(1), 41–69 (2010)
14. Nir, B., Omer, P.: Point obfuscation and 3-round zero-knowledge. In: International Conference
on Theory of Cryptography, pp. 190–208 (2012)
15. Bookatz, A.D.: QMA-complete problems. Quantum Inf. Comput. 14, 361–383 (2012)
16. Kobayashi, H.: General properties of quantum zero-knowledge proofs. In: Conference on The-
ory of Cryptography, pp. 107–124 (2008)
17. Liang, M.: Secure multiparty quantum computation based on bit commitment (2013).
arXiv:1306.0447
18. Liang, M.: Symmetric quantum fully homomorphic encryption with perfect security. Quantum
Inf. Comput. 12, 3675–3687 (2013)
19. Lo, H.K.: Insecurity of quantum secure computations. Phys. Rev. A 52, 1154–1162 (1996)
20. Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: Annual
IEEE Symposium on Foundations of Computer Science (FOCS), pp. 553–562 (2005)
266 12 Security Analysis of Quantum Obfuscation
21. Hofheinz, D., Malone-Lee, J., Stam, M.: Obfuscation for cryptographic purposes. In: Theory
of Cryptography Conference (TCC), vol. 4392, pp. 214–232 (2007)
22. Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to
resettable cryptography. In: ACM Symposium on Theory of Computing (STOC), pp. 241–250
(2013)
23. Bitansky, N., Canetti, R., Cohn, H., et al.: The impossibility of obfuscation with auxiliary input
or a universal simulator. In: Annual International Cryptology Conference (CRYPTO 2014),
pp. 71–89 (2014)
24. Garg, S., Gentry, C., Halevi, S., et al.: On the implausibility of differing-inputs obfuscation and
extractable witness encryption with auxiliary input. Algorithmica 79(4), 1353–1373 (2017)
25. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Theory of Cryptography
Conference (TCC), vol. 4392, pp. 194–213 (2007)
26. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and
more. In: ACM Symposium on Theory of Computing (STOC), pp. 475–484 (2014)
27. Garg, S., Gentry, C., Halevi, S., et al.: Candidate indistinguishability obfuscation and functional
encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
28. Ambainis, A., Mosca, M., Tapp, A., et al.: Private quantum channels. In: Annual IEEE Sym-
posium on Foundations of Computer Science (FOCS), pp. 547–553 (2000)
29. Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate com-
plexity. In: Annual International Cryptology Conference (CRYPTO 2015), vol. 9216, pp. 609-
629 (2015)
30. Shang, T., Zhao, X.J., Liu, J.W.: Quantum homomorphic signature. Quantum Inf. Process.
14(1), 393–410 (2015)
31. Shang, T., Lei, Q., Liu, J.W.: Quantum random oracle model for quantum digital signature.
Phys. Rev. A 94(4), 042314 (2016)
32. Alagic, G., Broadbent, A., Fefferman, B., et al.: Computational security of quantum encryption.
In: International Conference on Information Theoretic Security (ICITS), vol. 10015, pp. 47–71
(2016)
33. Alagic, G., Majenz, C.: Quantum non-malleability and authentication. In: International Con-
ference on Information Theoretic Security (ICITS), pp. 310–341 (2017)
34. Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption (2017).
arXiv:1709.06539
35. Chen, R.Y.L., Shang, T., Liu, J.W.: Quantum symmetric encryption based on quantum obfus-
cation. Quantum Inf. Process. 18(6), 161 (2019)
36. Slot, C., Boas, P.: On tape versus core an application of space efficient perfect hash functions to
the invariance of space. In: ACM Symposium on Theory of Computing (STOC), pp. 391–400
(1984)
37. Deutsch, D.: Quantum theory, the Church-Turing principle and the universal quantum computer.
SIAM J. Comput. 400(1818), 97–117 (1985)
38. Dorit, A., Alexei, Y.K., Noam, N.: Quantum circuits with mixed states. In: ACM Symposium
on Theory of Computing (STOC), pp. 20–30 (1998)
Chapter 13
Security Analysis of
Measurement-Device Independency
If a quantum cryptographic protocol can complete its task securely with untrusted
measurement devices, it is called a measurement-device-independent protocol. To
analyze the security of a quantum cryptographic protocol under the worst case, we
assume measurement devices are prepared and controlled by an attacker and can
work in the way that is most favorable to the attacker. Concretely, the assumptions
are
13.2 Measurement-Device Independency 269
(1) An attacker can tamper and forge the output of measurement devices.
(2) An attacker can eavesdrop quantum channels by any means.
For simplicity, we call the above assumptions the MDI assumptions. In other
words, if the task of a quantum cryptographic protocol is completed under the MDI
assumptions, the protocol is measurement-device-independent.
To date, there are only achievements of MDI analysis for QKD protocols. The
first MDI-QKD protocol was proposed by Lo et al. [6], which is a discrete-variable
quantum cryptographic protocol. The security proof utilizes the monogamous nature
of quantum entanglement and removes detector side-channel attacks while it is not a
mathematical proof. In the same year, Ma and Razavi [18] proposed the alternative
schemes for MDI-QKD using phase and path or time encoding. In the security anal-
ysis, the lower bound of the secret key rate was calculated. A protocol is secure if its
secret key rate is higher than the lower bound. In 2014, several CV-MDI-QKD pro-
tocols were proposed [7]. In the security analysis, the secret key rate of an equivalent
one-way CVQKD model was calculated, which is the lower bound for the proposed
protocol. The calculation was simplified by applying the theorem of optimality of
Gaussian collective attacks [19]. The analysis of other CV-MDI-QKD protocols [8,
9] are similar in calculating the lower bound of the secret key rate.
Obviously, we cannot directly calculate the secret key rate of a non-CVQKD
protocol, so we should put forward a new method of analyzing its measurement-
device independency.
In CVQDS protocols, there are usually at most three participants, i.e., a signer, a ver-
ifier, and an arbitrator. Since the verifier and the arbitrator are assumed to be honest,
the only untrusted party is the signer, so it seems easy to analyze measurement-device
independency. Nevertheless, in 2017, Li et al. [20] proposed a continuous-variable
quantum homomorphic signature (CVQHS) scheme, where an aggregator gener-
ates a homomorphic quantum signature for verifying the identities of multiple data
sources. The aggregator has access to all quantum and classical data in the network,
so the scheme probably will not be secure if an attacker takes control of the devices of
the aggregator. The existence of an untrusted aggregator has posed a new challenge
in analyzing the measurement-device independency of CVQDS.
Li’s CVQHS scheme is based on continuous-variable entanglement swapping and
provides additive and subtractive homomorphism. The basic model of the CVQHS
scheme is shown in Fig. 13.1. A and B are signers, M is an aggregator who aggregates
the received signatures to generate two new signatures, and V is a verifier.
270 13 Security Analysis of Measurement-Device Independency
a b
A B
2
mA mB 4
k A1 k A2 k B1 k B2
Sk A (a) SkB (b)
M
1 3
| 1 | 2 mA mB*
| 3 | 4
Quantum Channel
V Classical Channel
Entanglement
k A1 k A2 k B1 k B2
If the task of a quantum cryptographic protocol is completed under the MDI assump-
tions, the protocol is measurement-device-independent. The task of CVQHS is to ver-
ify the identities of different data sources at a low error rate. So in the measurement-
device analysis of the CVQHS scheme, we can calculate the upper bound of the
error rate. If the upper bound is negligible under the MDI assumptions, the CVQHS
scheme is measurement-device-independent.
The upper bound of the error rate is the error rate under the worst-case when an
attacker can carry out any possible attack. So we will find out the optimal attack
model and calculate the error rate under the model.
Considering all possible cases which are shown in Fig. 13.2, the error rate is equal
to the probability of a forged signature passing verification plus the probability of a
legal signature being denied.
Obviously, the probability of a legal signature being denied is only affected by
noise. So we only consider the attack model of the case that an attacker tries to forge
a signature. In the CVQHS scheme, when an attacker Eve has secret keys and is able
to prepare quantum states which are entangled with those at honest signers, it can
forge a signature that can pass verification.
Throughout the CVQHS scheme, only the aggregator M and the verifier V use
measurement devices. Here we assume the measurement devices controlled by V
13.4 Analysis Procedure 271
A M V
Signature Accepted
Sk A (a)
A M V
Signature Denied
are trusted because the protocol will be extremely inefficient and meaningless if
the verifier is dishonest. So the MDI assumptions only apply to the measurement
devices controlled by M, namely a 50:50 BS and two homodyne detectors which are
used to perform Bell detection, and a 50:50 BS for mixing two quantum signatures.
According to assumption (1), Eve is able to tamper and forge the results of Bell
detection and the mixtures of quantum signatures at the combining phase. So Eve
can forge a quantum signature that can pass verification as long as it obtains the
pre-shared secret keys. So the security of the CVQHS scheme is guaranteed by the
secrecy of secret keys. The probability of a forged signature passing verification is
equal to the probability of Eve obtaining secret keys. At this point, the complicated
attack model which contains forgery is simplified as a simple eavesdropping model.
According to assumption (2), Eve is able to eavesdrop all quantum channels by any
means. From the perspective of an attacker’s ability, eavesdropping can be divided
into three types, namely coherent attack, collective attack, and individual attack.
Coherent attack is the most general attack by which an attacker can perform joint
quantum operations and joint measurement to all quantum states sent via quantum
channels. The proof of security against coherent attack is the strictest proof for
security, but the model of coherent attack cannot be effectively parameterized. A
common approach is to extend the security against collective attack to coherent
attack by using the exponential de Finetti theorem [21]. Collective attack is a special
case of coherent attack, where an attacker can only perform quantum operations
individually on each quantum state.
Fortunately, analysis shows that the security bound under coherent attack is the
same as that under collective attack for QKD protocols [22]. This result can be
applied to CVQHS because a signature in the scheme is in a single quantum state.
The quantum states in a quantum channel are not correlated, so introducing correla-
tions to them by performing joint operations will not help the attacker obtain more
information. Therefore, we can analyze the security against collective attack.
272 13 Security Analysis of Measurement-Device Independency
At the first step of the setup phase, the signers and the verifier share secret keys.
Assume they use a MDI-QKD protocol in this step, then Eve can only obtain the secret
keys by eavesdropping the quantum channels. The information on the secret keys that
Eve can obtain is the mutual information I (k : E), where k = (k1 , k2 ) denotes the
secret keys and E is the quantum system of Eve. The larger the mutual information
I (k : E) is, the more information Eve can obtain. When I (k : E) = H (k), Eve can
recover the secret keys accurately. The upper bound of I (k : E) is usually used to
estimate the security of a protocol.
According to the symmetry of CVQHS, we only need to calculate the upper bounds
of I (k A1 : E) and I (k A2 : E). According to quantum information theory, it is known
that I (k A1 : E) ≤ χ(k A1 : E), where χ(k A1 : E) is the Holevo bound [23]. It can
be calculated that χ(k A1 : E) = S(ρ̂ E ) − S(ρ̂ E |k A1 ) under collective attack, where
S(ρ̂ E |k A1 ) = p(k A1 )S(ρ̂ E|k A1 )dk A1 and ρ̂ E is the quantum system of Eve. Accord-
ing to assumption (1) aforementioned in Sect. 13.2, Eve can purify the whole quan-
tum system, so χ(k A1 : E) = χ(k A1 : ρ̂1 2 3 4 ), where ρ̂1 2 3 4 = |α1 |α2 |α3 |α4 .
Because |α1 and |α3 are independent of the secret keys, their entropy will be
offset during subtraction. So S(ρ̂ E ) − S(ρ̂ E |k A1 ) = S(ρ̂2 4 ) − S(ρ̂2 4 |k A1 ), where
ρ̂2 4 = |α2 |α4 .
The quantum states in the CVQHS scheme are Gaussian states, whose von Neu-
mann entropy can be calculated based on their covariance matrices. Assume the
original entangled states prepared by the aggregator have the same density matrix,
i.e., ρ12 = ρ34 = ρin . Their covariance matrix is
√
√ VI V 2 − 1diag(1, −1)
Vin = ,
V 2 − 1diag(1, −1) VI
where V = cosh 2r is the variance of two-mode squeezed states. Assume the quan-
tum channels are modeled as
√ √
|α → | τ α + 1 − τ α N ,
where V1 = τ 2 V + (τ + 1)VN .
13.4 Analysis Procedure 273
Then |α2 and |α4 are mixed at a 50:50 beam splitter, outputting |α2 and |α4 .
Beam splitter is a Gaussian operator, which does not change the von Neumann entropy
of a quantum system. So the von Neumann entropy of ρ̂2 4 can be calculated based
on V2 4 .
S(ρ̂2 4 |k A1 ) is the von Neumann entropy of ρ̂2 4 when k A1 is given. It can be
calculated based on a new covariance matrix
1 diag(V 2 + 1, V 2 + 1) diag(V 2 − 1, −V 2 + 1)
V2 4 |k A1 = ,
2V diag(V 2 − 1, −V 2 + 1) diag(V 2 + 1, V 2 + 1)
where V = V1 − Vk A1 .
Simple calculation shows that I (k A1 : E) = 0, which means Eve cannot obtain any
information on k A1 . Similarly, we can calculate that I (k A2 : E) = 0. So Eve cannot
obtain any information on the pre-shared secret keys between the signers and the
verifier. The probability of a forged signature passing verification is the probability
of Eve guessing the exact secret keys, which is negligible.
In the above theoretical analysis, we only considered the case of collective attack,
which is proved to be the optimal attack model. In fact, simulation or experiment
considering more complex scenarios can be conducted to verify our calculation
results in future works. It will be much easier to obtain the error rate for complex
scenarios such as coherent attack and forgery, which involve complex modeling
and calculation in theoretical analysis and cannot be efficiently parameterized [22].
Special attack models may be also implemented to discuss how parameters affect
the result of CVQHS.
In the CVQHS scheme, if the deviation between the value calculated from a signature
and the value calculated from pre-shared messages is larger than certain verification
threshold, the signature will be denied by the verifier. The deviation can be caused
by an attacker or noise. Here it is assumed that the verifier receives a signature that is
generated by a legal signer and not tampered by an attacker. So the probability only
depends on noise.
A verification threshold Hth in a noisy environment is given in Ref. [20], which
is equal to the variance of x V − τ x V . In the verification phase, the verifier compares
(x V − τ x V )2 , ( pV − τ pV )2 and Hth . If (x V − τ x V )2 > Hth or ( pV − τ pV )2 > Hth ,
it will deny the signature. Denote x V − τ x V as a random variable X whose first and
274 13 Security Analysis of Measurement-Device Independency
13.5 Discussion
Firstly, we discuss how the parameters of the CVQHS scheme affect the error rate.
The calculation of the probability of a forged signature passing verification
involves three parameters, namely the variance V of two-mode squeezed states,
the transmissivity τ of quantum channels, and the variance VN of thermal noise of
quantum channels. According to the calculation result, the probability is always 0
provided V is nonzero, which means an attacker cannot obtain the pre-shared secret
keys as long as the entangled states are properly prepared and not collapsed before
being used for generating quantum signatures. And noisy quantum channels do not
have any influence on the probability of a forged signature passing verification. It
is the randomness of quantum states that prevents the pre-shared secret keys from
being leaked during transmission.
The calculation of the probability of a legal signature being denied involves the
values of both quadratures of entangled states, pre-shared secret keys, the transmis-
sivity and the variance of thermal noise of quantum channels, and the verification
threshold. In the calculation, the parameters follow Gaussian distribution so the
probability can be easily obtained. The probability is influenced by the verification
threshold Ht h. If Ht h is larger, the probability will decrease but it will be easier for a
forged quantum signature to pass verification. If Ht h is smaller, the probability will
increase. So the verification should be carefully set in order to lower the error rate.
Secondly, we discuss the application of the analysis method. The analysis method
can be summarized in the following three steps
Step 1. Analyze the objective of the protocol and find the parameter that can be
used to decide whether the protocol has completed its task.
Step 2. Analyze the topology and the communication pattern of the protocol to
obtain a simplified attack model, which may be a sufficiently studied attack.
13.5 Discussion 275
Step 3. Calculate the parameter under the attack model to judge the measurement-
device independency of the protocol.
In our analysis procedure, the parameter is the upper bound of error rate and the
attack model can be simplified as collective attack. Although we only analyze the
CVQHS scheme, the analysis method can be applied to other CVQDS protocols by
means of calculating the same parameter under a similar attack model.
Concretely, the objective of a CVQDS protocol is to verify the identity of a data
source, which is the same as the CVQHS scheme. So at Step 1, the parameter will
be the upper bound of error rate as well. From the perspective of verification results,
errors can be classified into two types. The first type of error is the case where a
tampered or forged quantum signature passes verification. The second type of error
is the case where a legal quantum signature which is not tampered by attackers gets
denied by the verifier. In order to calculate the error rate, we should, respectively,
construct models for the two types of errors. The first type of error usually evolves
attackers so we should construct an attack model. The second type of error is caused
by noise so we should also construct a model for noisy quantum channels.
Constructing an attack model in Step 2 is the key step of the MDI analysis method.
The most effective way of attack can be found by means of applying MDI assump-
tions to the protocol. And attack models may be different for different CVQDS
protocols if the protocols have different network topologies and communication pat-
terns. Since most of the CVQDS protocols do not involve an untrusted aggregator,
we believe attack models for CVQDS protocols will be simpler than the CVQHS
scheme. Furthermore, it seems that the attack model of a CVQDS protocol can often
become an eavesdropping model because it is necessary for an attacker to obtain
secret keys. After simplification, the calculation process at Step 3 will be similar to
our calculation.
The above analysis procedure seems to be a general formalism for analyzing
measurement-device independency. In this procedure, the key point of analyzing a
protocol is to find an appropriate parameter and constructing an attack model. For
a complicated protocol carried out in a large-scale network, it may have several
tasks that affect each other and each task is completed by several nodes. It will be
difficult to find an appropriate parameter in Step 1. Also, unintended entanglement
among different nodes will not only affect the quantum states transmitted between
two legal nodes in an unexpected way, but also increase the complexity of analysis
and calculation. It will be difficult to construct an attack model that is simple enough
for calculation. So MDI analysis method of quantum cryptographic protocols except
CVQDS protocols still need to be explored.
13.6 Summary
References
1. Acin, A., Gisin, N., Masanes, L.: From Bell’s theorem to secure quantum key distribution.
Phys. Rev. Lett. 97(12), 120405 (2006)
2. Acin, A., Brunner, N., Gisin, N., et al.: Device-independent security of quantum cryptography
against collective attacks. Phys. Rev. Lett. 98(23), 230501 (2007)
3. Pironio, S., Acin, A., Brunner, N., et al.: Device-independent quantum key distribution secure
against collective attacks. New J. Phys. 11(4), 1–2 (2009)
4. Masanes, L., Pironio, S., Acin, A.: Secure device-independent quantum key distribution with
causally independent measurement devices. Nat. Commun. 2(1), 238 (2011)
5. Vazirani, U., Vidick, T.: Fully device-independent quantum key distribution. Phys. Rev. Lett.
11(4), 1–2 (2014)
6. Lo, H.K., Curty, M., Qi, B.: Measurement-device-independent quantum key distribution. Phys.
Rev. Lett. 108(13), 130503 (2012)
7. Li, Z.Y., Zhang, Y.C., Xu, F.H., et al.: Continuous-variable measurement-device-independent
quantum key distribution. Phys. Rev. A 89(5), 052301 (2014)
8. Zhang, Y.C., Li, Z.Y., Yu, S., et al.: Continuous-variable measurement-device-independent
quantum key distribution using squeezed states. Phys. Rev. A 90(5), 052325 (2014)
9. Pirandola, S., Ottaviani, C., Spedalieri, G., et al.: High-rate measurement-device-independent
quantum cryptography. Nat. Photonics 9(6), 397–402 (2015)
10. Wu, Y.D., Zhou, J., Gong, X.B., et al.: Continuous-variable measurement-device-independent
multipartite quantum communication. Phys. Rev. A 93(2), 022325 (2016)
11. Li, F., Zhao, W., Guo, Y.: Continuous-variable measurement-device-independent quantum relay
network with phase-sensitive amplifiers. Int. J. Theor. Phys. 57(1), 112–126 (2018)
12. Supic, I., Skrzypczyk, P., Cavalcanti, D.: Measurement-device-independent entanglement and
randomness estimation in quantum networks. Phys. Rev. A 95(4), 042340 (2017)
13. Rosset, D., Martin, A., Verbanis, E., et al.: Practical measurement-device-independent entan-
glement quantification (2017). arXiv:1709.03090
14. Zeng, G.H., Lee, M.H., Guo, Y., et al.: Continuous variable quantum signature algorithm. Int.
J. Quantum Inf. 5(4), 553–573 (2007)
15. Guo, Y., Feng, Y.Y., Huang, D.Z., et al.: Arbitrated quantum signature scheme with continuous-
variable coherent states. Int. J. Theor. Phys. 55(4), 2290–2302 (2016)
References 277
16. Donaldson, R.J., Collins, R.J., Kleczkowska, K., et al.: Experimental demonstration of
kilometer-range quantum digital signatures. Phys. Rev. A 93(1), 012329 (2016)
17. Shang, T., Li, K., Liu, J.W.: Measurement-device independency analysis of continuous-variable
quantum digital signature. Entropy 20(4), 291 (2018)
18. Ma, X.F., Razavi, M.: Alternative schemes for measurement-device-independent quantum key
distribution. Phys. Rev. A 86(6), 062319 (2012)
19. Navascues, M., Grosshans, F., Acin, A.: Optimality of Gaussian attacks in continuous-variable
quantum cryptography. Phys. Rev. Lett. 97(19), 190502 (2006)
20. Li, K., Shang, T., Liu, J.W.: Continuous-variable quantum homomorphic signature. Quantum
Inf. Process. 16(10), 246 (2017)
21. Renner, R., Cirac, J.I.: de Finetti representation theorem for infinite-dimensional quantum
systems and applications to quantum cryptography. Phys. Rev. Lett. 102(11), 110504 (2009)
22. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., et al.: The security of practical quantum
key distribution. Rev. Mod. Phys. 81(3), 1301–1350 (2009)
23. Holevo, A.S.: Bounds for the quantity of information transmitted by a quantum communication
channel. Probl. Peredachi Informatsii 9(3), 3–11 (1973)
Index
L
F
Learnable, 248, 255
Fan-out operation, 42, 43
Learnable quantum circuit family, 248
Fidelity, 4, 5, 8, 22, 29, 30, 32, 47, 48, 54, Learning With Errors (LWE), 225
72, 91, 93–95, 97, 100, 143, 148, 149, Light polarization, 15
151–155, 158–161, 165–167, 183, Linear optics for continuous variables, 150
186 Linear space, 11
Fork node, 30, 31 Local Operations and Classical Communi-
Free classical communication, 6, 8, 9, 36, 37, cation (LOCC), 8, 55–57, 59, 74, 75,
47–50, 148, 161 84
Local Operations and Quantum Communi-
cation (LOQC), 75, 84
G
Gaussian Cloning (GC), 148–150, 152–155,
186 M
General graph, 5, 8, 30–32, 53, 61, 69–71, Man-in-the-Middle Attack (MITM), 191,
82, 83 193, 194
GHZ state, 58, 87–89, 91, 95, 97, 99, 101 Maximal entangled state, 8
GNY-logic, 204 MDI-QKD, 269, 272
GR, 90, 91 Measurement-device independency, 267–
Group operation, 23, 29, 90, 217 269, 275, 276
Measurement-Device-Independent (MDI),
268–270, 274–276
Measurement-displace scheme, 166, 167
H Measurement operators, 17–19
Hermitian conjugate, 17 Minimum Error Discrimination (MED), 160
Hermitian operator, 13, 16–20 Mixed quantum state, 14–16
Hilbert space, 11–15, 17, 19, 21, 36, 37, 41, Multi-source model, 137, 139
147, 159, 160, 219, 226, 257
Homomorphic signature, 7, 125, 126, 129,
130, 136, 137, 139–142, 144, 145, N
147, 167–169, 175, 180, 184, 186, Network Coding (NC), 3–9, 11, 27, 30, 32,
255, 269, 276 34, 36, 37, 40, 41, 43, 44, 46–48, 50,
Index 281
53, 54, 59, 68, 72, 76, 80, 82, 83, 87, Q
91, 93, 96–98, 100, 101, 103, 105– QCMA-secure, 222–224, 236
107, 109, 119, 122, 125, 139–144, QCPA-secure, 228, 230
146–149, 151, 152, 159, 180, 186 Quantum-accessible random oracle model,
No-cloning theorem, 4, 5, 42, 139, 148, 216, 191, 195, 200, 201, 213, 214, 217,
220, 221, 224–226, 229, 236 218, 225, 243, 245, 250
Non-maximal entangled state, 8 Quantum Bit Error Rate (QBER), 107
Norm, 12, 227 Quantum black-box obfuscator, 242, 258
Normal operator, 17 Quantum channel verification, 107, 109,
Notation bra, 12 111, 113, 114, 119, 121, 122
Notation ket, 12 Quantum chosen message query, 217
NP, 253 Quantum circuit, 6, 54, 167, 226, 242–248,
250–253, 256, 258
Quantum circuit family, 245, 248
Quantum coding operation, 42
O Quantum communication, 3, 5–7, 9, 11, 29,
Obfuscatable, 245, 246, 248–250, 252, 253, 43, 48–50, 53, 54, 57, 59, 67–69, 71–
255, 264 73, 75, 82–84, 105, 106, 109, 116,
Obfuscation, 241, 242, 244–250, 252–256, 119, 139, 147, 148, 163, 168, 175,
258, 263, 265 186, 204, 229, 268
Opportunistic coding, 105–107, 109, 113, Quantum Digital Signature (QDS), 168,
117, 118, 123 213–215, 218, 220–222, 224–226,
Oracle implementable, 245 229, 236, 267
Quantum homomorphic signature scheme,
129, 140
Quantum Identity Authentication (QIA), 96,
P
103, 107, 204, 206–208, 210
Participant attack, 191, 194
Quantum indistinguishability under chosen
Particle consumption, 55, 70, 71, 74, 76, 79,
plaintext attack, 255
80, 82
Quantum indistinguishable-secure, 242
PE, 5, 8, 32, 34, 48, 49, 151, 156, 160, 161
Quantum Key Distribution (QKD), 7, 105–
Perfect CVQNC, 8
107, 129, 135, 142, 191, 203–206,
Perfect linear quantum network coding, 36 214, 216, 220, 225, 255, 267–269,
Perfect nonlinear quantum network coding, 271
40 Quantum measurement, 17, 19, 218, 220
Perfect QNC, 8 Quantum Merlin-Arthur (QMA), 253
Phase error fixing, 42 Quantum multi-point function with multi-
Photon addition-subtraction scheme, 167 qubit output, 252
Pollution attack, 7, 125, 139, 140, 142, 146, Quantum Network Coding (QNC), 3–9, 11,
180, 181, 184, 186 27, 30, 32, 34, 36, 37, 40, 41, 43, 44,
Polynomial-Time (PT), 256 47, 48, 50, 53, 54, 59, 68, 72, 76, 80,
Positive operator, 17 83, 87, 91, 93, 96–98, 100, 101, 103,
Positive Operator-Valued Measure (POVM), 105, 106, 109, 119, 122, 125, 139–
19, 20, 28 144, 146–148, 151, 152, 180, 186
Postulate of the evolution, 12, 13, 18 Quantum obfuscation, 241–245, 253, 254,
Postulate of the evolution 2, 13 256
Postulate of the measurement, 17–19 Quantum One-Time Pad (QOTP), 72–76, 80,
Postulate of the superposition, 12 81, 84, 241, 255–257, 262, 264
Prior entanglement between senders, 32 Quantum operator, 17, 40, 176
Probabilistic Polynomial-Time (PPT), 256 Quantum point function, 241–243, 249–252,
Projective measurement, 18–20 254, 259, 260, 264
Pseudorandom Function (PRF), 225 Quantum point function with general output,
Pure quantum state, 14, 16, 24 251
282 Index