Secure Quantum Network Coding Theory

Tao Shang, Jianwei Liu

Tao Shang
School of Cyber Science and Technology
Beihang University
Beijing, China

Jianwei Liu
School of Cyber Science and Technology
Beihang University
Beijing, China

ISBN 978-981-15-3385-3 ISBN 978-981-15-3386-0 (eBook)


https://doi.org/10.1007/978-981-15-3386-0
Jointly published with National Defense Industry Press
The print edition is not for sale in China. Customers from China please order the print book from:
National Defense Industry Press.

© Springer Nature Singapore Pte Ltd. 2020


This work is subject to copyright. All rights are reserved by the Publishers, whether the whole or part
of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission
or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this
publication does not imply, even in the absence of a specific statement, that such names are exempt from
the relevant protective laws and regulations and therefore free for general use.
The publishers, the authors, and the editors are safe to assume that the advice and information in this
book are believed to be true and accurate at the date of publication. Neither the publishers nor the
authors or the editors give a warranty, express or implied, with respect to the material contained herein or
for any errors or omissions that may have been made. The publishers remain neutral with regard to
jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore
Preface

In 2009, after the author JianWei Liu visited the University of Florida as a senior
visiting scholar, the author Tao Shang first learned about network coding from the
received proceedings. In fact, the concept of network coding was first proposed in
2000 and has always been a hot topic in the communication field. At that time,
the authors became interested in network coding and were attracted by its great
charm. That is to say, encoding operations, instead of pervasive routing technology,
can greatly enhance the performance of network communication, which will become
a kind of overturning technology for network communication.
Thus, the authors began to dedicate more effort to network coding, from principle
to application.
In 2013, the author Tao Shang learned about the importance of quantum
communication in the near future. He thought that network coding was a new
communication technology and wondered whether it was feasible to apply network
coding to quantum communication or not. Meanwhile, he recognized that quantum
communication features security inherent in communication, which can be
believed to be the perfect combination of communication and security. So he
planned to solve the bottleneck problem of quantum network coding from the
perspective of communication and security.
As far as we know, quantum network coding was first proposed in 2006. Until
2013, there were few achievements and only several schemes were proposed.
However, it aroused the authors’ immense interest, and they attempted to combine
coding theory with cryptography. From the viewpoints of the coding method,
coding model, and coding security, the authors designed a series of quantum
network coding schemes by means of combining quantum cryptography into quantum
communication. During the process of research, many students showed great
enthusiasm for quantum network coding and provided many valuable achievements.
Three representative schemes that not only influenced the authors greatly but
also provided a deep insight into the subject and fueled their interests in network
coding and quantum network coding are as follows: foremost is the classic “XQQ”
scheme proposed by Masahito Hayashi, the second is “prior entanglement” also
proposed by Masahito Hayashi, the third is quantum repeater scheme proposed by
Takahiko Satoh. Although many schemes have been proposed until now, theoretical
knowledge on quantum network coding such as classification, performance analysis,
security analysis, and future direction is still not clear.
In recent years, network coding has been applied to classical communication,
especially in wireless communication. Since quantum network coding was proposed
for quantum communication, the advent of quantum network coding gave a
new dimension to the use of network coding. The advent in the past few years of
technology has given an added dimension to the network coding. A simple example
is a scenario of quantum internet proposed in the 2017 Qcrypt conference.
The persistent objective is to effectively combine cryptography into
communication, especially quantum communication, even if quantum communication
is thought to be unconditionally secure in the case of two-party communication.
The authors believe that quantum communication needs cryptography and
general security analysis methods can facilitate the design of quantum protocols.
The authors expect the readers of this book to first learn about quantum network
coding, its principle, classification, development, and main problems. The authors
expect them to design secure quantum network coding and finally develop the
theory of quantum network coding.
What is the range of topics, innovative technologies for designing a secure
quantum network coding scheme? This book will help the readers understand these
with ease. What is an effective analysis method for quantum protocols? Exemplary
protocols are shown such as quantum authentication, quantum signature, quantum
encryption, and quantum network coding. So this book consists of two parts. Part I
is quantum network coding from Chaps. 1 to 8 and Part II is security analysis
method from Chaps. 9 to 13.
The organization of the chapters is as follows:
Chapter 1 gives a detailed introduction to quantum network coding. It emphasizes
the basic concept of quantum network coding and introduces the development
of quantum network coding from 2006.
Chapter 2 explains the preliminaries of quantum network coding, including main
notions and key operations. Classification is provided for the existing schemes of
quantum network coding. Also, the main directions are discussed for the future research.
Chapter 3 describes the paradigm schemes of quantum network coding. These
schemes are divided from the viewpoints of non-additional resource, prior entanglement,
quantum register, quantum repeater, quantum cluster, and performance analysis.
Chapter 4 concentrates on quantum network coding based on the repeater.
Quantum repeater is an important device of quantum networks. Firstly, quantum
repeater is introduced into quantum network coding for a general network.
Here LOCC operations and general graph are two basic points. Then secure
quantum network coding scheme for controlled repeater networks is designed by
considering node authentication and network model. Especially, LOCC is replaced
by LOQC from the perspective of security.
Chapter 5 explains quantum network coding based on controller. Quantum
teleportation is a process by which quantum information can be transmitted from one
location to another, with the help of classical communication and previously shared
quantum entanglement between the sending and receiving location. It depends on
classical communication. From the perspective of security, controlled teleportation
is a good choice for quantum communication. A controller can be looked on as a
trusted third party, which can introduce some classical secure mechanisms into
quantum communication. Through identity authentication between a node and a
controller, secure quantum network coding scheme is designed.
Chapter 6 explains opportunistic quantum network coding. COPE is a classical
opportunistic coding method. How to design a quantum network coding scheme
with opportunistic characteristics like COPE is a key problem. Furthermore, the
problem of how to distinguish between legal listener and illegal eavesdropper is
needed to be solved. Opportunistic quantum network coding scheme is designed by
means of combining quantum channel verification and opportunistic listening.
Chapter 7 is for quantum network coding with message authentication. Digital
signature is an effective method for message authentication, while quantum digital
signature is an effective method for quantum message authentication. For quantum
network coding, quantum homomorphic signature is a basic point. Quantum
homomorphic signature is based on entanglement swapping. Then a quantum
network coding scheme against pollution attacks is designed.
Chapter 8 covers continuous-variable quantum network coding using coherent
states. Continuous variable is the most feasible approach. From the perspective of
continuous variable, two schemes based on coherent states are designed. Especially,
for the practical performance, practical influence on network throughput and
implementation scheme of nonideal amplifier are considered. In addition,
continuous-variable quantum homomorphic signature is designed for continuous-variable
quantum network coding based on continuous-variable entanglement swapping.
Chapter 9 describes security analysis of quantum cryptographic protocols,
including main attacks and analysis methods.
Chapter 10 describes security analysis based on BAN logic. Quantum identity
authentication protocol is taken for example.
Chapter 11 describes security analysis based on quantum random oracle model.
Quantum random oracle model is a new concept. Quantum digital signature
protocol is taken for example. Analysis procedure based on quantum random oracle
model is described in detail.
Chapter 12 explains security analysis of quantum obfuscation. A series of new
concepts of quantum obfuscation are defined. Quantum point function is taken for
discussion. Analysis procedure based on quantum obfuscation is described in detail.
Chapter 13 explains security analysis of measurement-device independency.
Continuous-variable quantum homomorphic signature protocol is taken for example.
Analysis procedure for measurement-device independency is described in detail.

Beijing, China
Tao Shang
Jianwei Liu
Acknowledgements

The author Tao Shang is grateful to his advisor, Prof. ShuoYu Wang at the Kochi
University of Technology in Japan, an eminent scientist, and educationist. From
this teacher, he learned about the great role of self-learning and interest arousing for
understanding emerging technologies, and he developed passion and patience for
knowledge acquirement. He also learned to keep abreast of the latest technology
areas no matter whatever a young scholar could meet at the initial work phase. He
has blessed the author all through his academic life since 2006.
The author Tao Shang is grateful to Prof. JianWei Liu at the Beihang University,
a distinguished scientist in the field of network security and cryptography. Prof. Liu
guided him into the field of cryptography, gave him an opportunity to set up from
scratch the quantum cryptography group, and cooperated on the writing of this
book. The research group members are XiaoJie Zhao (2012–2015) at the Beihang
University, Jiao Li and Zhuang Pei (2013–2016) at the Beihang University, Gang
Du (2014–2017) at the Beihang University, Ke Li and Qi Lei (2015–2018) at the
Beihang University, ChengRan Fang (2016–2019) at the Beihang University,
RanYiLiu Chen and Zheng Zhao (2017–2020) at the Beihang University, and Ran Liu
and HaiZheng Sun (2018–2021) at the Beihang University. All members proofread
the manuscript; in particular, RanYiLiu Chen and Zheng Zhao provided many
services for the editing of the book, such as checking and minutely tracing the
errors in the book.
The author Tao Shang is especially thankful to Prof. XiuBo Chen at the Beijing
University of Posts and Telecommunications for the cooperation of quantum
cryptography and quantum network coding and Prof. QianHong Wu, ChunDi Xiu,
Jian Mao, ZhenYu Guan, and Zongyang Zhang at the Beihang University for the
support during this process.
Blessings of Prof. Zheng Zheng at the Beihang University, Head of Department
of Optoelectronics and Information Engineering, and his continuous support in
theory and experiment are also unforgettable. The help of his colleague, particularly
Prof. Xin Zhao at various stages is gratefully acknowledged.

The book is supported by the National Natural Science Foundation of China
(No. 61571024 and No. 61971021), the National Key Research and Development
Program of China (No. 2016YFC1000307), and Aeronautical Science Foundation
of China (No. 2018ZC51016).
The authors are thankful to Miss XingYue Chen for making the drawings and
Miss Ran Liu for making the related translations. The authors are grateful to the
editorial team for reviews and suggestions.
Finally, the author Tao Shang is grateful to his understanding spouse, two lovely
daughters, and his kind parents.
Contents

Part I Quantum Network Coding

1 Introduction
1.1 Concept of Network Coding
1.2 Development of Quantum Network Coding
1.3 Classification of Quantum Network Coding
1.4 Future Direction
References
2 Preliminaries
2.1 Main Notions
2.1.1 Hilbert Space
2.1.2 Tensor Product
2.1.3 Quantum State
2.1.4 Density Operator
2.1.5 Quantum Operator
2.1.6 Quantum Measurement
2.1.7 Bloch Sphere
2.1.8 Fidelity
2.1.9 Trace Distance
2.2 Key Operations
2.2.1 Bell Measurement
2.2.2 Group Operation
2.2.3 Quantum Teleportation
References
3 Typical Quantum Network Coding Schemes
3.1 Non-additional Resource Scheme
3.1.1 XQQ
3.1.2 General Graph
3.2 Prior Entanglement Scheme
3.2.1 Prior Entanglement Between Senders
3.2.2 Sharing Non-maximally Entangled States
3.3 Quantum Register Scheme
3.3.1 Perfect Linear Quantum Network Coding
3.3.2 Perfect Nonlinear Quantum Network Coding
3.3.3 Perfect Quantum Network Coding for Multicast
3.4 Quantum Repeater Scheme
3.5 Quantum Cluster Scheme
3.6 Performance Analysis
3.6.1 Achievable Rate Region
3.6.2 With Free Classical Communication
3.6.3 With Free Entanglement
3.6.4 Comparison of Schemes
3.6.5 Comparison with Routing
References
4 Quantum Network Coding Based on Repeater
4.1 Quantum Network Coding for General Repeater Networks
4.1.1 Requirement of General Networks
4.1.2 Quantum Repeater Network
4.1.3 LOCC (Local Operations and Classical Communication)
4.1.4 Basic Operations
4.1.5 QNC Scheme for General Repeater Networks
4.1.6 Property of QNC Scheme
4.1.7 Performance Analysis
4.1.8 Discussion
4.2 Secure Quantum Network Coding for Controlled Repeater Networks
4.2.1 Consumption and Security of Quantum Repeater Networks
4.2.2 Quantum One-Time Pad
4.2.3 Network Model
4.2.4 Basic Operations
4.2.5 QNC Scheme for Controlled Repeater Networks
4.2.6 Performance Analysis
4.2.7 Security Analysis
4.2.8 Discussion
4.3 Summary
References
5 Quantum Network Coding Based on Controller
5.1 Quantum Network Coding Based on Controlled Teleportation
5.1.1 Requirement of a Trusted Third Party
5.1.2 Controlled Teleportation
5.1.3 QNC Scheme Based on XQQ
5.1.4 QNC Scheme Based on Prior Entanglement
5.1.5 Performance Analysis
5.1.6 Security Analysis
5.1.7 Discussion
5.2 Secure Quantum Network Coding with Identity Authentication
5.2.1 Requirement of Identity Authentication
5.2.2 Quantum Security Direct Communication
5.2.3 QNC Scheme with Identity Authentication
5.2.4 Performance Analysis
5.2.5 Security Analysis
5.3 Summary
References
6 Opportunistic Quantum Network Coding
6.1 Opportunistic Characteristic of Network Coding
6.2 Classical Opportunistic Coding
6.3 Quantum Channel Verification
6.4 Opportunistic QNC Scheme
6.5 Property of QNC Scheme
6.6 Performance Analysis
6.6.1 Network Throughput
6.6.2 Resource Consumption
6.7 Security Analysis
6.7.1 Classical Attack
6.7.2 Quantum Attack
6.8 Summary
References
7 Quantum Network Coding with Message Authentication
7.1 Quantum Homomorphic Signature for QNC
7.1.1 Signature for Quantum Networks
7.1.2 Homomorphic Signature
7.1.3 Entanglement Swapping
7.1.4 Quantum Homomorphic Signature Scheme
7.1.5 Property of Signature Scheme
7.1.6 Security Analysis
7.1.7 Discussion
7.2 Secure Quantum Network Coding with Message Authentication
7.2.1 Efficient Authentication of Homomorphic Signature
7.2.2 Problem of Quantum Homomorphic Signature Scheme
7.2.3 QNC Scheme with Message Authentication
7.2.4 Performance Analysis
7.2.5 Security Analysis
7.3 Summary
References
8 Continuous-Variable Quantum Network Coding
8.1 Continuous-Variable Quantum Network Coding Using Coherent States
8.1.1 Advantage of Continuous Variables
8.1.2 Continuous-Variable Quantum Cloning
8.1.3 Linear Optics for Continuous Variables
8.1.4 Continuous-Variable Quantum Teleportation
8.1.5 CVQNC Scheme Using Approximate Operations
8.1.6 CVQNC Scheme with Prior Entanglement
8.1.7 Performance Analysis
8.1.8 Discussion
8.2 Continuous-Variable Quantum Homomorphic Signature
8.2.1 Homomorphic Signature for CVQNC
8.2.2 Requirement of Quantum Homomorphic Signature
8.2.3 Continuous-Variable Entanglement Swapping
8.2.4 CVQHS Scheme
8.2.5 Property of CVQHS Scheme
8.2.6 Performance Analysis
8.2.7 Security Analysis
8.3 Secure CVQNC with Message Authentication
8.3.1 Message Authentication of CVQNC
8.3.2 Secure CVQNC Scheme
8.3.3 Performance Analysis
8.3.4 Security Analysis
8.4 Summary
References

Part II Security Analysis Method

9 Security Analysis of Quantum Cryptographic Protocols
9.1 Main Attacks
9.1.1 Intercept-and-Resend Attack
9.1.2 Teleportation Attack
9.1.3 Man-in-the-Middle Attack
9.1.4 Participant Attack
9.1.5 Implementation Attack
9.2 Security Analysis Methods
9.2.1 BAN Logic
9.2.2 Random Oracle Model
9.2.3 Quantum-Accessible Random Oracle Model
References
10 Security Analysis Based on BAN Logic
10.1 Formal Analysis
10.2 Quantum Identity Authentication
10.3 Representative QIA Protocol
10.4 Analysis Procedure
10.4.1 Description of Notions and Rules
10.4.2 Inference Based on BAN Logic
10.5 Summary
References
11 Security Analysis Based on Quantum Random Oracle Model
11.1 Quantum Random Oracle Model for Quantum Digital Signature
11.1.1 Development of Random Oracle
11.1.2 Quantum Digital Signature
11.1.3 Representative QDS Scheme
11.1.4 Security Analysis from RO to QRO
11.1.5 Quantum Random Oracle Model for QDS
11.1.6 Analysis Procedure
11.1.7 Discussion
11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption
11.2.1 Instantiation of Quantum Random Oracle Model
11.2.2 Quantum Hash Function
11.2.3 Quantum Public-Key Encryption
11.2.4 QPKE in the QRO Model
11.2.5 Instantiation of QRO for a Bad and a Good Example
11.2.6 Numerical Simulation of Key-Collision Attack
11.3 Summary
References
12 Security Analysis of Quantum Obfuscation
12.1 Obfuscatability of Quantum Point Functions
12.1.1 Development of Obfuscation
12.1.2 Quantum Circuit
12.1.3 Quantum Obfuscation
12.1.4 Quantum-Accessible Random Oracle Model
12.1.5 Reduction for Quantum Obfuscation
12.1.6 Obfuscation of Combined Quantum Circuits
12.1.7 Quantum Point Function
12.1.8 Application to Quantum Zero-Knowledge
12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation
12.2.1 Requirement of Indistinguishability
12.2.2 Efficient Quantum Circuit and Quantum Computation
12.2.3 Quantum One-Time Pad
12.2.4 Quantum Symmetric Encryption and Its Security
12.2.5 Quantum Point Obfuscation
12.2.6 IND-Secure Quantum Symmetric Encryption Scheme
12.2.7 Security Analysis
12.3 Summary
References
13 Security Analysis of Measurement-Device Independency
13.1 Device Independency Analysis
13.2 Measurement-Device Independency
13.3 Continuous-Variable Quantum Homomorphic Signature
13.4 Analysis Procedure
13.4.1 Attack Model
13.4.2 Probability of a Forged Signature Passing Verification
13.4.3 Probability of a Legal Signature Being Denied
13.5 Discussion
13.6 Summary
References

Index
Part I
Quantum Network Coding
Chapter 1
Introduction

As quantum network coding is an important and potential research topic in quantum
communication, in this chapter, we summarize the main research results of quantum
network coding in recent years. Firstly, we briefly introduce the concept of quantum
network coding. Then we introduce the development of quantum network coding
schemes and classify the typical quantum network coding schemes from the viewpoint
of additional resources. Finally, we point out the future research directions of
quantum network coding.

1.1 Concept of Network Coding

In 2000, Ahlswede, Cai, Li, and Yeung found a new way to achieve better communication performance over a network in the fundamental article of network coding (NC) [1]. The main idea of network coding is that information can be encoded at intermediate nodes in a network, thus improving throughput, robustness, and security and reducing the complexity of the network. Figure 1.1 gives an example of network coding that improves network throughput. The example features multicast from two sources to two destinations (sinks or targets). The two sinks wish to receive all the messages sent by the two sources. The capacity of each directed link is one. As we can see, the node s0 performs a coding operation by taking the binary sum (XOR, exclusive OR), which allows the messages to pass over the bottleneck channel s0 t0. In this way, the messages x, y can be received simultaneously at t1 and t2, which is impossible in the traditional routing paradigm, where intermediate nodes are allowed only to make copies of received bits for output. Network coding shows that information flow cannot be treated like a flow of materials, since information can be encoded.
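The butterfly example above can be checked exhaustively. The following Python sketch is an added illustration, not code from the book: it enumerates all 16 Boolean functions that s0 could apply before the bottleneck and keeps those that let both sinks recover (x, y). The link layout (s1 also feeds t2 directly, s2 also feeds t1) is read from Fig. 1.1 and is an assumption, as are all function names.

```python
"""Butterfly network with one unit-capacity bottleneck s0 -> t0 (added example)."""
from itertools import product

BITS = (0, 1)


def sink_views(x, y, f):
    """One network use: what each sink receives when s0 applies f.

    Assumed layout: s1 sends x to s0 and to t2, s2 sends y to s0 and to t1,
    s0 puts the single symbol f(x, y) on the bottleneck, t0 copies it to both sinks.
    """
    b = f(x, y)
    return {"t1": (y, b), "t2": (x, b)}


def decodable(f):
    """True if each sink can always tell which (x, y) was sent."""
    for sink in ("t1", "t2"):
        seen = {}
        for x, y in product(BITS, repeat=2):
            view = sink_views(x, y, f)[sink]
            # Two different message pairs producing the same view means
            # this sink cannot decode, whatever decoder it uses.
            if seen.setdefault(view, (x, y)) != (x, y):
                return False
    return True


def all_bottleneck_functions():
    """All 16 functions {0,1}^2 -> {0,1} as (truth table, callable).

    The table is (f(0,0), f(0,1), f(1,0), f(1,1)).
    """
    for table in product(BITS, repeat=4):
        yield table, (lambda x, y, t=table: t[2 * x + y])


def working_functions():
    """Truth tables of every bottleneck function that serves both sinks."""
    return [table for table, f in all_bottleneck_functions() if decodable(f)]


def multicast_bytes(x: bytes, y: bytes):
    """Bytewise XOR coding; returns the (x, y) pair rebuilt at t1 and at t2."""
    if len(x) != len(y):
        raise ValueError("messages must have equal length")
    coded = bytes(a ^ b for a, b in zip(x, y))          # sent over s0 -> t0
    at_t1 = (bytes(c ^ b for c, b in zip(coded, y)), y)  # t1 holds y, recovers x
    at_t2 = (x, bytes(c ^ a for c, a in zip(coded, x)))  # t2 holds x, recovers y
    return at_t1, at_t2


if __name__ == "__main__":
    print("functions that work:", working_functions())
    print("forward x only works:", decodable(lambda x, y: x))
    print(multicast_bytes(b"key-A", b"key-B"))  # constructed sample messages
```

Only XOR and its complement survive the search, so plain forwarding of x or y over the bottleneck (routing) can never serve both sinks in a single use of the network.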
© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_1

Fig. 1.1 Network coding on the butterfly network (nodes S1, S2, S0, t0, t1, t2; messages X, Y)

Classical network coding has inspired the study of quantum network coding (QNC), because quantum communication is expensive and efficiency is an important topic of quantum communication. In 2006, Iwama, Hayashi, Nishimura, Raymond, and Yamashita [2] initiated the study of quantum network coding for the butterfly network. They confirmed the feasibility of quantum network coding if approximation is allowed. In fact, without additional modification, it is impossible for perfect quantum network coding on the butterfly network to transfer two quantum states crosswise over the bottleneck with high fidelity. The principal problems concerning quantum network coding are the exact copy of a quantum state and the operation of a qubit. The no-cloning theorem, which states that it is impossible to create an identical copy of an arbitrary unknown quantum state, prevents the exact copy of an unknown qubit. Consequently, we can only use approximate cloning such as the universal cloning proposed by Bužek and Hillery [3] or the probabilistic cloning proposed by Duan and Guo [4]. However, neither of these cloning techniques is able to realize the exact copy of an unknown quantum state. In this situation, perfect quantum network coding seems to be impossible.
With the development of quantum technology, more processing methods have been found. Researchers began to introduce additional resources into quantum networks, aiming to realize perfect quantum network coding. Moreover, because of the no-cloning theorem, people believe that perfect quantum multicast cannot be achieved; therefore, the vast majority of researchers pay attention to the k-pair problem (or multi-unicast problem). In this case, the copy of quantum states is not needed. The aim is to transmit k quantum states over a bottleneck network to k targets. It turns out that perfect quantum network coding for the k-pair problem with additional resources is possible, and plenty of schemes with different resources have appeared. These schemes will be introduced in the following part.

1.2 Development of Quantum Network Coding

Before quantum network coding schemes were designed, several famous theorems had been proved in quantum communication. One of the most important is the no-cloning theorem, which forbids the copy of an unknown quantum state. Even though classical network coding can achieve multicasting tasks effectively, it seems that we cannot multicast a quantum state in a quantum network faithfully. As a result, researchers pay attention to a subproblem of network coding, namely the k-pair problem. In the k-pair problem, there are k source–target pairs. Each source wants to send a quantum state to a corresponding target, and some bottleneck channels could appear between these source–target pairs. Until now, most quantum network coding schemes aim at the k-pair problem. Indeed, some researchers, like Shi and Soljanin [5] and Iwama [6], attempted to multicast quantum states by supposing that sources have many identical quantum states to send, but the price is that faithful communication will never be achieved.
Since 2006, Hayashi et al. have explored the possibility of quantum network coding [2] and proposed the first quantum network coding protocol, XQQ [7]. As the pioneers of this domain, the first question they had to resolve was whether quantum network coding is possible. By designing the XQQ protocol, they showed that one can design a quantum network coding protocol which transmits two qubits across the butterfly network with fidelity greater than 1/2. An upper bound of the fidelity, which is less than 1, was also calculated. But this work still cannot fully answer the basic question, because a general form of network topology is not considered.
As a successor of XQQ, Iwama et al. [6] extended the network topology to the graph class G4, which allows some nonlinear operations over a four-letter alphabet to achieve classical network coding. We notice that each graph in G4 is associated with a classical k-pair network coding protocol, which is indispensable for designing the quantum counterpart. The true problem for a general graph is the introduction of extra entanglement. It is difficult to get rid of extra entanglement after transmission through a complex network. Therefore, they put forward entanglement-free cloning to eliminate extra entanglement. The proposed protocol is a quantum simulation of a classical network coding protocol. It turns out that for a given G in G4 and a corresponding classical network coding protocol, a quantum network coding protocol can send some arbitrary qubits with fidelity greater than 1/2, but perfect quantum state transmission with a fidelity of 1 cannot be achieved.
The first two works on quantum network coding, namely [7] and [6], inspired research interest in quantum network coding but negated the existence of perfect quantum network coding. However, [7] and [6] are both stuck in quantum weirdness, like the no-cloning theorem, and do not take advantage of quantum properties such as teleportation and dense coding. Consequently, it is not surprising that they cannot achieve perfect quantum network coding. Once some additional resources are added, new inspiring results come out.
Hayashi [8] began to explore the effect of prior entanglement. He proposed a perfect quantum network coding protocol transmitting two non-entangled quantum states over the butterfly network with prior entanglement shared between the two senders. Nevertheless, the particles shared by the two senders are maximally entangled in the state |+ , which is not easy to obtain in reality. Then Ma et al. [9] considered the non-maximally entangled case. They designed a QNC protocol that can perfectly transmit two 2-level states (possibly entangled) over the butterfly network by sharing non-maximally entangled particles between the two senders. The side effect of the non-maximal entanglement is that sometimes no information can be transmitted, so that perfect transmission can be achieved only with a certain probability less than 1. We should point out that with the development of quantum communication and quantum computation, maximally entangled particles can be prepared by quantum circuits, entanglement distillation, quantum repeaters, etc.
Some other protocols of perfect transmission have also been proposed. Kobayashi et al. [10] considered another auxiliary resource, namely free classical communication. It was proved that perfect quantum network coding using free classical communication is possible over a general network with k source–target pairs if there exists a classical linear (or even vector linear) coding scheme over a finite ring. Furthermore, the nonlinear version was also solved [11]. It was verified that a perfect quantum network coding protocol exists for any instance of the k-pair problem if the corresponding classical version is solvable (i.e., the classical version has a k-pair problem solution). Kobayashi et al. [12] slightly changed the hypotheses, i.e., we can design perfect k-pair quantum network coding using free classical communication over a general network if the corresponding classical graph has a multicast problem solution. It seems that this protocol does not make use of any quantum property, but further studies show that many quantum computation methods have been used. Beaudrap et al. [13] proved that those protocols [10–12] can be regarded as one-way quantum computation.
As for perfect quantum network coding using free classical communication, Satoh et al. [14] criticized those protocols [10–12] for focusing on an abstract model in which quantum registers can be freely introduced at each node and need to be transmitted between nodes. In particular, how to implement a quantum system is a crucial problem for the development of quantum communication, so that it is difficult to realize long-distance quantum communication. The quantum repeater is a potential approach to realizing long-distance quantum communication. Satoh et al. [14] explored quantum repeaters and designed a quantum repeater network coding protocol for the butterfly network. In this protocol, adjacent nodes initially share one EPR (Einstein–Podolsky–Rosen) pair and no additional register is needed. The main idea is to control the entanglement state of a quantum network, thus forming the quantum channel (EPR pair) between each source–target pair. The performance of the quantum repeater network coding protocol was analyzed in [15], which shows that quantum repeater network coding is more sensitive to entanglement errors (errors on the initial Bell pairs), Pauli errors, and local gate errors than entanglement swapping. In brief, quantum repeater network coding is useful when quantum resources are limited or high communication speed is required.
Similar to the idea of quantum repeater network coding, which controls the entanglement state of a quantum network, the cluster state is a type of highly entangled multi-particle quantum state used as a universal resource for measurement-based quantum computation. In particular, it can be represented by mathematical graphs. The control of cluster states has been widely studied in quantum computation [16]. Li et al. [17] utilized 2D and 3D cluster states to solve the k-pair quantum network coding problem. They proposed three protocols to realize perfect quantum network coding for the butterfly network, grail network, and extended butterfly network. A method based on the stabilizer was also presented to analyze the resolvability of a certain type of network.
In recent years, some other additional resources have been explored in order
to improve the performance of quantum network coding. For example, Shang et
al. proposed continuous-variable quantum network coding [18] and opportunistic
quantum network coding [19]. These protocols are quite different from previous
schemes and give us a new viewpoint to treat the quantum network coding problem.
The security analysis of quantum network coding is also a key point of recent research. Owari et al. [20] proposed a secure quantum network coding scheme on the butterfly network in the multi-unicast setting based on secure classical network coding. Shang et al. introduced a controller to control the decoding process in order to improve the security of quantum communication in [21] and extended the idea of a controller to quantum repeater network coding in [22]. To analyze the risk of pollution attacks on prior entanglement, they designed a quantum network coding protocol against pollution attacks by using a quantum homomorphic signature [23]. Recently, Nguyen et al. explored a generalized quantum network coding protocol for large-scale quantum communication networks [24]. This work further analyzes the performance of quantum repeater network coding for large-scale quantum communication networks under Z-error perturbations. It extends the case to large-scale quantum communication and finds the benefits brought by large-scale quantum communication networks.
As we can see, many quantum network coding protocols are inspired by other quantum processing techniques. Conversely, the application of quantum network coding to realizing other quantum processing techniques has attracted much attention. Epping et al. [25] proposed a scheme to verify that robust entanglement distribution can be realized via quantum network coding. Nguyen et al. [26] realized cooperative quantum key distribution over free-space optical channels aided by network coding. Soeda et al. [27] realized quantum computation over the butterfly network, and Akibue et al. [28] proposed a scheme for distributed quantum computation over the cluster and butterfly networks.

1.3 Classification of Quantum Network Coding

Although many quantum network coding schemes have been proposed till now, quantum network coding is still not classified clearly. In fact, quantum network coding schemes can be classified in terms of network topology, node, channel, resource, security, etc. From the development discussed above, we can see that quantum network coding schemes can be precisely classified according to what kind of additional resources are used. Different schemes have their own special properties characterized by the additional resources used. We list the main classes of quantum network coding and emphasize their peculiarities.

1. Non-additional resource: XQQ [7], general graph [6].
• Capability of quantum multicasting for a general graph in the graph class G4.
• Impossibility of perfect QNC, i.e., fidelity is always less than 1.
2. Prior entangled state between sources: maximal entangled state [8], non-maximal
entangled state [9].
• Capability of perfect QNC for the k-pair problem over the butterfly network,
i.e., fidelity equals one.
• Capability of transmitting an entangled state.
3. Free classical communication + quantum register: Perfect QNC [10–12].
• Capability of perfect QNC for the k-pair problem over a general network
which has a classical solution.
• Capability of transmitting an entangled state.
4. LOCC + quantum repeater network: repeater QNC [14].
• Capability of perfect QNC for the k-pair problem over the butterfly network.
• Independence of classical network coding protocol.
5. Free classical communication + quantum cluster: cluster QNC [17].
• Capability of perfect QNC for the k-pair problem over the butterfly network,
grail network and extended butterfly network.
• Independence of classical network coding protocol.
6. Continuous variable + free classical communication: perfect CVQNC
(continuous-variable quantum network coding) [18].
• Capability of perfect CVQNC for the k-pair problem over the butterfly network.
• Capability of transmitting continuous-variable quantum states.

1.4 Future Direction

According to the previous analysis, the design of quantum network coding concentrates on the additional resources used in each protocol. There are two choices in front of us. One is to find more new quantum techniques and integrate them into quantum network coding, thus proposing new theoretical schemes. Some ideas are, for example, quantum polar encoding, quantum superactivation, dense coding, quantum wavelet transforms, probabilistic quantum cloning, etc. The other is to take realistic conditions into account and design more robust quantum network coding schemes.
Performance analysis is also a key direction to study. Since the starting points of
quantum network coding schemes are quite different, we cannot find a consistent
standard to measure different schemes. For example, repeater network and cluster
network can achieve almost the same task, but we cannot simply say which is better
or worse. We cannot order the cost of different quantum resources which depends on
real conditions. Furthermore, the security of quantum communication depends on
the specific protocol or the realization. If we want to distinguish the pros and cons
of different protocols, the realistic situation should be considered.
So far the main purpose of quantum network coding is to improve the throughput of quantum networks, which was inspired by the advantages of classical network coding. Apart from the improvement of network throughput, classical networks can also enhance the robustness and security and reduce the complexity. Few works have brought other benefits of classical network coding into quantum network coding. One example is that reference [15] shows that the repeater QNC scheme is more sensitive than the entanglement swapping scheme. As a result, research on improving the robustness of quantum networks could be interesting. Some security analyses have been conducted with the help of secure quantum communication or quantum cryptography. However, classical network coding could provide some security on its own; exploring this property in quantum networks may save some quantum communication resources.
The application of quantum network coding to other quantum techniques is also attractive. We have shown that quantum network coding can help realize entanglement distribution, distributed quantum computing, etc. More applications need to be explored in the near future.

References

1. Ahlswede, R., Cai, N., Li, S., et al.: Network information flow. IEEE Trans. Inf. Theory 46(4),
1204–1216 (2000)
2. Iwama, K.: Classic and quantum network coding. In: Scandinavian Symposium and Workshops
on Algorithm Theory (SWAT). LNCS, vol. 4059, pp. 3–4 (2006)
3. Bužek, V., Hillery, M.: Quantum copying: beyond the no-cloning theorem. Phys. Rev. A 54(3),
1844–1852 (1996)
4. Duan, L.M., Guo, G.C.: Probabilistic cloning and identification of linearly independent quantum states. Phys. Rev. Lett. 80(22), 4999–5002 (1998)
5. Shi, Y., Soljanin, E.: On multicast in quantum networks. In: Conference on Information Sciences
and Systems (CISS), pp. 871–876 (2006)
6. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs.
Physics 52(3), 610–621 (2006)
7. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
8. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys. Rev. A 76(4), 538 (2007)
9. Ma, S.Y., Chen, X.B., Luo, M.X., et al.: Probabilistic quantum network coding of M-qudit
states over the butterfly network. Opt. Commun. 283(3), 497–501 (2010)
10. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: General scheme for perfect quantum network coding with free classical communication. In: International Colloquium on Automata, Languages and Programming (ICALP), pp. 622–633 (2009)
11. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes
from classical nonlinear protocols. In: IEEE International Symposium on Information Theory
(ISIT), pp. 109–113 (2011)
12. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Perfect quantum network communication
protocol based on classical network coding. In: IEEE International Symposium on Information
Theory (ISIT), pp. 2686–2690 (2010)
13. de Beaudrap, N., Roetteler, M.: Quantum linear network coding as one-way quantum computation (2014). arXiv:1403.3533
14. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A
86(3), 9591–9598 (2012)
15. Satoh, T., Ishizaki, K., Nagayama, S., et al.: Analysis of quantum network coding for realistic
repeater networks. Phys. Rev. A 93(3), 032302 (2016)
16. Briegel, H.J., Browne, D.E., Dür, W., et al.: Measurement-based quantum computation. Nat.
Phys. 5(1), 19–26 (2009)
17. Li, J., Chen, X., Sun, X., et al.: Quantum network coding for multi-unicast problem based on
2D and 3D cluster states. Sci. China Inf. Sci. 59(4), 1–15 (2016)
18. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding for coherent states.
Quantum Inf. Process. 16(4), 107 (2017)
19. Shang, T., Du, G., Liu, J.W.: Opportunistic quantum network coding based on quantum teleportation. Quantum Inf. Process. 15(4), 1–12 (2016)
20. Owari, M., Kato, G., Hayashi, M.: Secure quantum network coding on butterfly network (2017).
arXiv:1705.01474
21. Shang, T., Zhao, X., Liu, J.W.: Quantum network coding based on controlled teleportation.
IEEE Commun. Lett. 18(5), 865–868 (2014)
22. Shang, T., Li, J., Liu, J.W.: Secure quantum network coding for controlled repeater networks.
Quantum Inf. Process. 15(7), 2937–2953 (2016)
23. Shang, T., Pei, Z., Zhao, X.J., et al.: Quantum network coding against pollution attacks. IEEE
Commun. Lett. 20(7), 1369–1372 (2016)
24. Nguyen, H.V., Babar, Z., Alanis, D., et al.: Towards the quantum internet: generalised quantum network coding for large-scale quantum communication networks. IEEE Access 5, 17288–17308 (2017)
25. Epping, M., Kampermann, H., Bruß, D.: Robust entanglement distribution via quantum network
coding. New J. Phys. 18(10), 103052 (2016)
26. Nguyen, H., Trinh, P., Pham, A., et al.: Network coding aided cooperative quantum key distribution over free-space optical channels. IEEE Access 5(99), 12301–12317 (2017)
27. Soeda, A., Kinjo, Y., Turner, P.S., et al.: Quantum computation over the butterfly network.
Phys. Rev. A 84(1), 012333 (2011)
28. Akibue, S., Murao, M.: Network coding for distributed quantum computation over cluster and
butterfly networks. IEEE Trans. Inf. Theory 62(11), 6620–6637 (2016)
Chapter 2
Preliminaries

Quantum communication is a new interdisciplinary field combining quantum mechanics and information theory, which has the feature of unconditional security. Usually, the handling of quantum information is harder than that of its classical counterpart. Copying and coding are two typical operations of network coding. The question is whether or not quantum network coding is possible with the quantum counterparts of these key operations. In this chapter, we introduce the preliminaries of quantum network coding, including main notions and key operations.

2.1 Main Notions

2.1.1 Hilbert Space

The Hilbert space is a generalization of the Euclidean space. It extends a 2-dimensional or 3-dimensional space to a space with any number of dimensions. That is to say, an infinite-dimensional space is also possible. First of all, the Hilbert space which we study in quantum mechanics is a vector space (also called a linear space) represented by $(E_H, \mathbb{C}, +)$. $E_H$ is the vector space whose elements are called vectors (or states or state vectors). $\mathbb{C}$ is the field of complex numbers whose elements are called scalars. The vector space $E_H$ over the field $\mathbb{C}$ possesses two operations:
• the vector addition (or simply addition) $+ : E_H^2 \longrightarrow E_H$
• the scalar multiplication $\cdot : \mathbb{C} \times E_H \longrightarrow E_H$
For example, the addition takes two vectors $(x, y) \in E_H^2$ and assigns to them a third vector, commonly written as $x + y$, belonging to $E_H$. The scalar multiplication takes a scalar and a vector $(\alpha, x) \in \mathbb{C} \times E_H$ and assigns to them a third vector, commonly written as $\alpha x$, belonging to $E_H$. We can notice that any superposition of two or more vectors is also a legitimate vector of the Hilbert space E. Namely,

$$(\alpha, \beta) \in \mathbb{C}^2,\ (x, y) \in E_H^2 \ \text{so that}\ \alpha x + \beta y \in E_H.$$

This property implies the linearity of a quantum system.

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_2


The vector space E and the complex field $\mathbb{C}$, together with the two operations above, should respect many axioms such as the associativity of addition, the commutativity of addition, etc. Here we will not discuss these details. Another advantage of the Hilbert space is that we can define the notion of distance and angle between two vectors, as in the case of the Euclidean space. That is to say, we can define the Hermitian positive-definite inner product $\langle\cdot|\cdot\rangle$ of two vectors. The inner product is defined by

$$\langle\cdot|\cdot\rangle : E_H^2 \longrightarrow \mathbb{C}, \qquad (x, y) \longmapsto \langle x|y\rangle$$

Some properties should be respected:

• $x \in E_H$, $\langle x|x\rangle = 0 \Rightarrow x = 0$
• $x \in E_H$, $x \neq 0 \Rightarrow \langle x|x\rangle \in \mathbb{R}_+^*$
• $x, y, z \in E_H$ and $\alpha \in \mathbb{C}$, $\langle \alpha x + y|z\rangle = \alpha^* \langle x|z\rangle + \langle y|z\rangle$
• $x, y, z \in E_H$ and $\beta \in \mathbb{C}$, $\langle x|\beta y + z\rangle = \beta \langle x|y\rangle + \langle x|z\rangle$
• $x, y \in E_H$, $\langle x|y\rangle = \langle y|x\rangle^*$
Once we have defined the inner product, we can define the norm $\|\cdot\|$ associated with the inner product. For a vector in the Hilbert space $x \in E_H$, the norm is defined by

$$\|x\| = \sqrt{\langle x|x\rangle}$$

Since $\langle x|x\rangle \geq 0$ for an arbitrary vector $x \in E_H$, the norm is well defined.


The Hilbert space is an effective tool to describe the state of a quantum system. We usually use the Dirac notation ket, for example $|\psi\rangle$, to represent a vector in the Hilbert space. We also have the notation bra, denoted by $\langle\psi|$, for representing the dual vector in the dual space. The bra is a linear form from the vector space to its field of scalars. Every $|\psi\rangle$ corresponds to a specific $\langle\psi|$, and the action of the $\langle\psi|$ over the ket $|\phi\rangle$ is related to the inner product of the two vectors. That is,

$$\langle\psi|\,(|\phi\rangle) = \langle\psi|\phi\rangle$$

Once we have defined the Hilbert space, we can pose the postulate of the superposition and the postulate of the evolution [1].
Postulate of the superposition: Associated to any isolated physical system is a complex vector space with inner product (that is, a Hilbert space) known as the state space of the system. The system is completely described by its state vector, which is a unit vector in the state space of the system.

Postulate of the evolution: The time evolution of the state of a closed quantum system is described by the Schrödinger equation,

$$i\hbar \frac{d|\psi\rangle}{dt} = \hat{H}|\psi\rangle$$

where $\hbar$ is the reduced Planck constant, $\hat{H}$ is a fixed Hermitian operator called the Hamiltonian of the closed system.

We can simplify the postulate of the evolution by considering only two different times $t_1$ and $t_2$. This version is widely used in quantum mechanics.
Postulate of the evolution 2: The evolution of a closed quantum system is described by a unitary transformation. That means the state $|\psi\rangle$ of the system at time $t_1$ is related to the state $|\psi'\rangle$ of the system at time $t_2$ by a unitary operator $U$ which depends only on the time $t_1$ and $t_2$,

$$|\psi'\rangle = U|\psi\rangle.$$

2.1.2 Tensor Product

One example of the Hilbert space is the space $L^2(\mathbb{R})$, which is the set of square-integrable functions from $\mathbb{R}$ to $\mathbb{C}$. All the Hermite functions $\{\phi_n\}_{n\in\mathbb{N}}$ form an orthonormal basis of $L^2(\mathbb{R})$. The Hermite functions $\phi_n(x)$ are

$$\phi_n(x) = \left(2^n n! \sqrt{\pi}\right)^{-\frac{1}{2}} e^{-\frac{x^2}{2}} H_n(x) = (-1)^n \left(2^n n! \sqrt{\pi}\right)^{-\frac{1}{2}} e^{\frac{x^2}{2}} \frac{d^n}{dx^n} e^{-x^2}$$

For the space $L^2(\mathbb{R}^2)$, which is the set of square-integrable functions from $\mathbb{R}^2$ to $\mathbb{C}$, one of the bases is the set $\{\phi_m \phi_n, (m, n) \in \mathbb{N}^2\}$. In other words, every function (x, y) in the space $L^2(\mathbb{R}^2)$ can be decomposed into the form

(x, y) = $\sum_{m,n} C_{m,n}\, \phi_m(x)\, \phi_n(y)$

Mathematically, we say that the space $L^2(\mathbb{R}^2)$ is the tensor product of the two spaces $L^2(\mathbb{R})$. Namely,

$$L^2(\mathbb{R}^2) = L^2(\mathbb{R}) \otimes L^2(\mathbb{R})$$

If we use the Dirac notation, that is,

| = $\sum_{m,n} C_{m,n}\, |\phi_m\rangle \otimes |\phi_n\rangle$

where | is the ket related to the function (x, y) and $|\phi_m\rangle \otimes |\phi_n\rangle$ is the ket in the space $L^2(\mathbb{R}^2)$ related to the function $\phi_m(x)\phi_n(y)$.
Definition of tensor product: Given two Hilbert spaces E and F, we can associate a third Hilbert space G and a bilinear map T from the space E × F to the third space G, such that
1. T(E × F) spans G; in other words, all the elements of the space G are sums of elements of the form $T(|u\rangle, |v\rangle)$, where $|u\rangle \in E$ and $|v\rangle \in F$.
2. Let $\{|e_m\rangle\}_{m\in\mathbb{N}}$ be a basis of the space E and $\{|f_n\rangle\}_{n\in\mathbb{N}}$ be a basis of the space F. Then the set $\{T(|e_m\rangle, |f_n\rangle)\}_{m,n}$ is a basis of the space G.
Here G is the tensor product of E and F, which is denoted by $G = E \otimes F$. The elements of $E \otimes F$ are called tensors, and $T(|u\rangle, |v\rangle) = |u\rangle \otimes |v\rangle$. For convenience, one usually writes $|u\rangle \otimes |v\rangle$ as $|u\rangle|v\rangle$ or $|u, v\rangle$ or $|uv\rangle$.

2.1.3 Quantum State

In quantum physics, a quantum state refers to the state of an isolated quantum system. There are two main classes of quantum states, namely pure quantum states and mixed quantum states.
Pure quantum state: All the vectors in the Hilbert space describe pure quantum states. A pure quantum state can be represented by a ray in a Hilbert space over the complex numbers. The ray is a set of nonzero vectors differing by just a complex scalar factor; any of them can be chosen as a state vector to represent the ray and the corresponding state. For example, $|\psi\rangle \in E_H$ or $\alpha|\psi\rangle$, where $\alpha \in \mathbb{C}$, represents a pure quantum state. The superposition of some kets is also a ket that represents a pure quantum state; for instance, $\alpha|\psi\rangle + \beta|\phi\rangle$ belongs to $E_H$ and is a pure quantum state.
Entangled quantum state: For a quantum system which has two or more degrees of freedom, the Hilbert space E describing the total system can be factorized into the tensor product of several subspaces. For example, suppose that we only study the spin of two particles with spin 1/2. The Hilbert space E, which describes the spin state of the total system, can be factorized. That is to say, $E = E_1 \otimes E_2$. The number of dimensions of $E_i$, $i = 1, 2$, is 2. So the dimension of E is 4 = 2 × 2.
One example of a ket in E is $|+\rangle \otimes |-\rangle$ or $|{+-}\rangle$, which means the first particle has spin up and the second particle has spin down. This state is similar to the classical situation with two balls, where one of the balls is white and the other is black. But the difference is that any superposition of the kets is also a legitimate state in the Hilbert space. In other words, the state like | = $\frac{1}{\sqrt{2}}\left(|{+-}\rangle + |{-+}\rangle\right)$ can exist. This kind of quantum state, which cannot be factorized into the tensor product of two kets, is called an entangled state. We would like to point out that if we consider the entangled state from the space E, it is still a pure quantum state because | ∈ E.
Mixed quantum state: There exists another kind of quantum state that cannot be represented by a vector in the Hilbert space. This state is called a mixed quantum state, which corresponds to a probabilistic mixture of pure states. The mixed quantum state usually arises from a lack of information. The state vector of a quantum system is unknown, at least to the experimenter, but the appearance probability $p_j$ of a quantum state $|\psi_j\rangle$ is known. Thus, we cannot describe this quantum state by simply using a state vector of the Hilbert space. A mathematical tool called the density operator, discussed in Sect. 2.1.4, will be used to represent this kind of quantum state.
One famous example of the different quantum states concerns light polarization. Photons can have two helicities, which correspond to two orthogonal quantum states, $|R\rangle$ (right circular polarization) and $|L\rangle$ (left circular polarization). A photon can also be in a superposition state, such as $(|R\rangle + |L\rangle)/\sqrt{2}$ (vertical polarization) or $(|R\rangle - |L\rangle)/\sqrt{2}$ (horizontal polarization). More generally, it can be in any state $\alpha|R\rangle + \beta|L\rangle$ (with $|\alpha|^2 + |\beta|^2 = 1$). All these quantum states are pure states that can be described by a vector of the Hilbert space.
However, unpolarized light is different from any state like $\alpha|R\rangle + \beta|L\rangle$. It can be described with ensemble averages, i.e., each photon is either $|R\rangle$ with the probability of 50% or $|L\rangle$ with the probability of 50%. The same behavior will occur if each photon is either vertically polarized with 50% probability or horizontally polarized with the probability of 50%. These two configurations give exactly the same results in the experiments. They are completely indistinguishable experimentally so that they are considered the same mixed state. Moreover, unpolarized light cannot be described by any pure state, but can be described as a statistical ensemble of pure states in at least two ways (the ensemble of half left and half right circularly polarized, or the ensemble of half vertically and half horizontally linearly polarized).
There are many origins of the mixed quantum state. For the origins of the unpo-
larized light, we should consider the mechanism of the generation of the light. For
the unpolarized light emitted by the incandescent light bulb, the polarization of the
light is closely related to the thermal randomness. The filament is in the thermal
equilibrium, a statistical mixture of enormous numbers of micro-states, each with a
certain probability (the Boltzmann factor), switching rapidly from one to the next
due to thermal fluctuations. Each micro-state emits a certain kind of polarized light.
Thus, the global polarization of the light is a probabilistic mixture of some certain
kind of polarized lights (pure states).
A particular example of the mixed state is related to the entangled
√ state. For
example, two photons in the entangled state (|R, L + |L , R)/ 2. If we treat the
two photons together, they are in the pure state since the total system can be described
by a state vector, but if we only observe one of the photons and ignore the other, the
photon behaves just like unpolarized light, the photon is in the mixed state.
We can summarize some main reasons for the mixed state [2]:
• the system preparation is imperfect, as for a thermal state;
• decoherence processes;
• a measurement whose outcome is not revealed to the observer;
• observation of a subsystem of an entangled state;
• some other mechanism that produces quantum states $|\psi_j\rangle$ with probability $p_j$.

2.1.4 Density Operator

The density operator is a mathematical tool to describe the quantum states, including
the pure state and the mixed state. For a finite-dimensional function space, the most
general density operator is described by

$$\rho = \sum_j p_j\, |\psi_j\rangle\langle\psi_j|$$

where the coefficients $p_j$ are nonnegative and add up to one. This form represents
a mixed quantum state that is in the quantum state $|\psi_j\rangle$ with the probability $p_j$.
Note that the density operator $\rho_{pure}$ for a pure state $|\phi\rangle$ is a special case of the density
operator with

$$\rho_{pure} = |\phi\rangle\langle\phi|$$
We list some important properties of the density operator:

1. The density operator $\rho$ is a Hermitian operator with $Tr(\rho) = 1$. All the
   probabilities $p_j$ satisfy $0 \le p_j \le 1$.
2. If we measure a physical quantity $A$, corresponding to the observable $\hat{A}$, the
   probability to obtain the eigenvalue $a_\alpha$ is $P(a_\alpha) = Tr(\hat{P}_\alpha \rho)$, where $\hat{P}_\alpha$ is the
   projector onto the eigenspace of $\hat{A}$ corresponding to the eigenvalue $a_\alpha$.
3. If we measure a physical quantity $A$, corresponding to the observable $\hat{A}$, the
   expectation value of the physical quantity is $\langle a \rangle = Tr(\hat{A}\rho)$.
4. Immediately after a measurement giving the result $a_\alpha$, the state of the system is

   $$|\psi'\rangle = \frac{\hat{P}_\alpha |\psi\rangle}{\| \hat{P}_\alpha |\psi\rangle \|}.$$

   The density operator of this new state is

   $$\rho' = \frac{\hat{P}_\alpha\, \rho\, \hat{P}_\alpha}{P(a_\alpha)}$$

5. The Schrödinger equation, which describes the evolution of the quantum system,
   is written as

   $$i\hbar \frac{d\rho(t)}{dt} = \left[\hat{H}(t), \rho(t)\right]$$
There is a practical method to distinguish a pure quantum state from a mixed
quantum state using the density operator. If $Tr(\rho^2) = Tr(\rho) = 1$, the state is
a pure quantum state. If $Tr(\rho^2) < 1$, the state is a mixed state.
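The purity test can be applied directly to the polarization examples of the previous section. The following Python code is an added example, not from the book: it takes $|R\rangle$, $|L\rangle$ as the basis vectors, and the pure state $0.6|R\rangle + 0.8i|L\rangle$ is a constructed sample input.

```python
import math

S = 1 / math.sqrt(2)
R, L = [1, 0], [0, 1]          # circular polarizations |R>, |L> chosen as the basis
V, H = [S, S], [S, -S]         # (|R>+|L>)/sqrt(2) and (|R>-|L>)/sqrt(2) from the text


def projector(psi):
    """|psi><psi| as a nested list."""
    return [[a * complex(b).conjugate() for b in psi] for a in psi]


def density(ensemble):
    """rho = sum_j p_j |psi_j><psi_j| for a list of (p_j, psi_j) pairs."""
    n = len(ensemble[0][1])
    return [[sum(p * projector(psi)[i][j] for p, psi in ensemble) for j in range(n)]
            for i in range(n)]


def trace(rho):
    return sum(rho[i][i] for i in range(len(rho))).real


def purity(rho):
    """Tr(rho^2): 1 for a pure state, below 1 for a mixed state."""
    n = len(rho)
    return sum(rho[i][k] * rho[k][i] for i in range(n) for k in range(n)).real


def reduce_to_first(rho):
    """Partial trace over the second photon of a two-photon density matrix.

    Basis order |R,R>, |R,L>, |L,R>, |L,L>, i.e. index = 2*first + second.
    """
    return [[rho[2 * a][2 * b] + rho[2 * a + 1][2 * b + 1] for b in range(2)]
            for a in range(2)]


def same(a, b, tol=1e-12):
    return all(abs(x - y) < tol for ra, rb in zip(a, b) for x, y in zip(ra, rb))


# Unpolarized light written as two different ensembles.
RHO_CIRCULAR = density([(0.5, R), (0.5, L)])
RHO_LINEAR = density([(0.5, V), (0.5, H)])

# A pure superposition alpha|R> + beta|L> (constructed values).
RHO_PURE = density([(1.0, [0.6, 0.8j])])

# Entangled pair (|R,L> + |L,R>)/sqrt(2): pure as a whole, mixed for one photon.
RHO_PAIR = density([(1.0, [0, S, S, 0])])
RHO_ONE_PHOTON = reduce_to_first(RHO_PAIR)

if __name__ == "__main__":
    print("ensembles identical:", same(RHO_CIRCULAR, RHO_LINEAR))
    for name, rho in [("unpolarized", RHO_CIRCULAR), ("pure", RHO_PURE),
                      ("entangled pair", RHO_PAIR), ("one photon of pair", RHO_ONE_PHOTON)]:
        print(f"{name:20s} Tr(rho)={trace(rho):.3f}  Tr(rho^2)={purity(rho):.3f}")
```

The two ensembles produce the same matrix $\hat{I}/2$, which is why no experiment can tell them apart, and the reduced state of one photon of the entangled pair is that same matrix.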

2.1.5 Quantum Operator

Let $\hat{A}$ be a linear quantum operator on a Hilbert space $E_H$,

$$\hat{A} : E_H \longrightarrow E_H$$

The Hermitian conjugate or adjoint of $\hat{A}$, $\hat{A}^\dagger : E_H \longrightarrow E_H$, is defined by

$$(|v\rangle, \hat{A}|w\rangle) = (\hat{A}^\dagger|v\rangle, |w\rangle)$$

where $|v\rangle$ and $|w\rangle$ belong to $E_H$ and $(\cdot,\cdot)$ is the inner product of quantum states.
Once the Hermitian conjugate is defined, we can classify the quantum
operators.

• Normal operator: $\hat{A}$ is a normal operator if $\hat{A}\hat{A}^\dagger = \hat{A}^\dagger\hat{A}$.
  1. Normal operator ⇔ diagonalizable operator (cf. the theorem of spectral decomposition).
  2. If all eigenvalues of a normal operator $\hat{A}$ are real, $\hat{A}$ is Hermitian.
• Hermitian operator: $\hat{A}$ is a Hermitian operator if $\hat{A} = \hat{A}^\dagger$.
  1. Hermitian operator ⇒ normal operator.
  2. All eigenvalues of a Hermitian operator are real.
• Positive operator: Positive operators are a special subclass of Hermitian operators.
  $\hat{A}$ is a positive operator if $(|v\rangle, \hat{A}|v\rangle)$ is a real and nonnegative number for any
  vector $|v\rangle$.
  1. If $(|v\rangle, \hat{A}|v\rangle)$ is strictly greater than zero for all $|v\rangle \neq 0$, $\hat{A}$ is positive definite.
• Unitary operator: $\hat{A}$ is a unitary operator if $\hat{A}^\dagger\hat{A} = \hat{I}$.
  1. $\hat{A}\hat{A}^\dagger = \hat{A}^\dagger\hat{A} = \hat{I}$, unitary operator ⇒ normal operator.
  2. A unitary operator preserves the inner product, i.e., $(U|v\rangle, U|w\rangle) = \langle v|w\rangle$.

2.1.6 Quantum Measurement

To understand the issue of quantum measurement, we should first give the
postulate of the measurement [1].

Postulate of the measurement: Quantum measurements are described by a collection
$\{\hat{M}_m\}$ of measurement operators. These are operators acting on the state space of the system
being measured. The index $m$ refers to the measurement outcomes that may occur in the
experiment. If the state of the quantum system is $|\psi\rangle$ immediately before the measurement,
then the probability that result $m$ occurs is given by

$$P(m) = \langle\psi| \hat{M}_m^\dagger \hat{M}_m |\psi\rangle$$

and the state of the system after the measurement is

$$\frac{\hat{M}_m |\psi\rangle}{\sqrt{\langle\psi| \hat{M}_m^\dagger \hat{M}_m |\psi\rangle}}$$

The measurement operators satisfy the completeness equation,

$$\sum_m \hat{M}_m^\dagger \hat{M}_m = \hat{I}$$

The first corollary of the completeness equation is the fact that probabilities sum
to one.

$$\sum_m P(m) = \sum_m \langle\psi| \hat{M}_m^\dagger \hat{M}_m |\psi\rangle = \langle\psi| \sum_m \hat{M}_m^\dagger \hat{M}_m |\psi\rangle = 1$$

The postulate of the measurement points out two important things in quantum
mechanics. The first is the statistical result of a series of measurements: one can know
the probability that a certain result $m$ occurs. The second is the quantum state of the
measured system after the measurement.
Projective measurement There exists a particular type of measurement in quantum
mechanics, the projective measurement. The projective measurement turns out to be
equivalent to the general measurement defined in the postulate of the measurement
if we can perform the unitary transformation as described in the postulate of the
evolution. Firstly, let us look at the definition of the projective measurement according
to the reference [1].
A projective measurement is described by an observable $\hat{M}$, a Hermitian operator
on the state space of the system being observed. The observable has a spectral
decomposition:

$$\hat{M} = \sum_m m\, \hat{P}_m$$

where $\hat{P}_m$ is the projector onto the eigenspace of $\hat{M}$ with eigenvalue $m$. The possible
outcomes of the measurement correspond to the eigenvalues, $m$, of the observable.
Upon measuring the state $|\psi\rangle$, the probability of getting result $m$ is given by

$$P(m) = \langle\psi| \hat{P}_m |\psi\rangle$$

Given that outcome $m$ occurred, the state of the quantum system immediately after
the measurement is

$$\frac{\hat{P}_m |\psi\rangle}{\sqrt{\langle\psi| \hat{P}_m |\psi\rangle}}$$

The projective measurement is a special case of the general measurement with
$\hat{P}_m = \hat{M}_m$, for all $m$, defined in the postulate of the measurement. However, the
projective measurement is equivalent to the general measurement if we perform the
unitary transformation. Furthermore, the observable has some good properties:
1. Since $\hat{P}_m$ is Hermitian, we have $\hat{P}_m^\dagger = \hat{P}_m$, for all $m$.
2. Since $\hat{P}_m$ is an orthogonal projector, we have $\hat{P}_m \hat{P}_{m'} = \delta_{m,m'} \hat{P}_m$, for all $m$, $m'$.
3. $\hat{P}_m^\dagger \hat{P}_m = \hat{P}_m \hat{P}_m = \hat{P}_m$, because $\hat{P}_m$ is a projector, for all $m$.
4. $\sum_m \hat{P}_m^\dagger \hat{P}_m = \sum_m \hat{P}_m = \hat{I}$.
5. The average value $\langle m \rangle$ of the observable $\hat{M}$ in measuring the quantum state $|\psi\rangle$
   is $\langle m \rangle = \langle\psi|\hat{M}|\psi\rangle$.
6. The average square value $\langle m^2 \rangle$ of the observable $\hat{M}$ in measuring the quantum
   state $|\psi\rangle$ is $\langle m^2 \rangle = \langle\psi|\hat{M}^2|\psi\rangle$.
7. The variance is $(\Delta m)^2 = \langle m^2 \rangle - \langle m \rangle^2$.

If $\{|m\rangle\}$ is the set of normalized eigenvectors of the non-degenerate observable $\hat{M}$,
then the set $\{|m\rangle\}$ forms a basis of the corresponding Hilbert space and we have
$\hat{P}_m = |m\rangle\langle m|$. The degenerate cases are somewhat different but keep the same idea.
We say "measure $|\psi\rangle$ in the basis $|m\rangle$" to describe this case.
POVM Projective measurement is important and useful in quantum measurement,
but sometimes it is complicated to use. To have the good properties of the projective
measurement, we also accept many restrictions on the choice of the operators. What is
more, we usually have little interest in the quantum state after the measurement
and are more concerned with the probabilities of the respective measurement outcomes.
The POVM (Positive Operator-Valued Measure) formalism is a well-adapted tool to
analyze the result of the measurement. Certainly, we lose some good properties
such as repeatability, but sometimes we cannot repeat the measurement; we can
only measure a quantum state once. At the beginning, we put the definition of the
POVM here.
Conversely, suppose that we have a set of positive Hermitian operators $\{\hat{E}_m\}$
such that $\sum_m \hat{E}_m = \hat{I}$. We can prove that there exists a set of measurement operators
$\{\hat{M}_m\}$ defining a measurement described by the POVM $\{\hat{E}_m\}$. By defining
$\hat{M}_m \equiv \sqrt{\hat{E}_m}$, we obtain $\sum_m \hat{M}_m^\dagger \hat{M}_m = \sum_m \hat{E}_m = \hat{I}$, and therefore the set $\{\hat{M}_m\}$ describes
a measurement with POVM $\{\hat{E}_m\}$.
For this reason, we can simply define a POVM to be a set of operators $\{\hat{E}_m\}$
satisfying
• $\hat{E}_m$ is Hermitian and positive, for all $m$.
• $\sum_m \hat{E}_m = \hat{I}$.
Example of comparison of two measurements This example is from the reference
[1]. Suppose Alice wants to transmit one of the two non-orthogonal states, $|\psi_1\rangle = |0\rangle$
or $|\psi_2\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$, to Bob. There is a theorem saying that two non-orthogonal
states cannot be reliably distinguished. But we will see the difference between two
types of measurements.
Suppose that Bob uses the projective measurement to determine what he received.
The observable is

$$\hat{M} = |0\rangle\langle 0| + |1\rangle\langle 1|$$

If Bob receives the state $|\psi_1\rangle$, then he will get 0 with probability 1. If Bob receives
the state $|\psi_2\rangle$, then he will get 0 with probability 0.5 and 1 with probability
0.5. That is to say, if Bob obtains 1, he certainly received the state $|\psi_2\rangle$, but if he
obtains 0, he cannot know exactly what Alice has transmitted. So Bob could make
the error of misidentification.
Now, consider a POVM containing three elements:

$$\hat{E}_1 = \frac{\sqrt{2}}{1+\sqrt{2}}\, |1\rangle\langle 1|$$

$$\hat{E}_2 = \frac{\sqrt{2}}{1+\sqrt{2}}\, \frac{(|0\rangle - |1\rangle)(\langle 0| - \langle 1|)}{2}$$

$$\hat{E}_3 = \hat{I} - \hat{E}_1 - \hat{E}_2$$

It is clear that $\hat{E}_1 + \hat{E}_2 + \hat{E}_3 = \hat{I}$ and that $\hat{E}_1$, $\hat{E}_2$, $\hat{E}_3$ are positive Hermitian operators. So
$\{\hat{E}_1, \hat{E}_2, \hat{E}_3\}$ forms a legitimate POVM. If Bob receives the state $|\psi_1\rangle$, he will never
observe the result corresponding to $\hat{E}_1$. So, if he observes the result corresponding
to $\hat{E}_1$, what he received is certainly $|\psi_2\rangle$. Similarly, if Bob receives the state $|\psi_2\rangle$,
he will never observe the result corresponding to $\hat{E}_2$. So, if he observes the result
corresponding to $\hat{E}_2$, what he received is certainly $|\psi_1\rangle$. Moreover, if he observes the
result corresponding to $\hat{E}_3$, he cannot get any information. By using the POVM, we
can avoid the error of misidentification, even if we cannot reliably distinguish two
non-orthogonal states.
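The three-element POVM can be checked numerically. The following Python code is an added example, not from the book or from reference [1]: it builds $\hat{E}_1$, $\hat{E}_2$, $\hat{E}_3$ with the weight $\sqrt{2}/(1+\sqrt{2})$, tabulates Bob's outcome probabilities for both states, and also shows that a larger weight (the value 0.6 is a constructed test input) makes $\hat{E}_3$ non-positive.

```python
import math

S = 1 / math.sqrt(2)
PSI1 = [1.0, 0.0]                              # |psi_1> = |0>
PSI2 = [S, S]                                  # |psi_2> = (|0> + |1>)/sqrt(2)
C_BOOK = math.sqrt(2) / (1 + math.sqrt(2))     # weight of E1 and E2


def povm(c=C_BOOK):
    """E1 = c|1><1|, E2 = c|-><-| with |-> = (|0> - |1>)/sqrt(2), E3 = I - E1 - E2."""
    e1 = [[0.0, 0.0], [0.0, c]]
    e2 = [[c / 2, -c / 2], [-c / 2, c / 2]]
    e3 = [[(1.0 if i == j else 0.0) - e1[i][j] - e2[i][j] for j in range(2)]
          for i in range(2)]
    return e1, e2, e3


def is_positive(e, tol=1e-12):
    """A real symmetric 2x2 matrix is positive iff its trace and determinant are >= 0."""
    tr = e[0][0] + e[1][1]
    det = e[0][0] * e[1][1] - e[0][1] * e[1][0]
    return tr >= -tol and det >= -tol


def prob(e, psi):
    """<psi|E|psi> for real amplitudes."""
    return sum(psi[i] * e[i][j] * psi[j] for i in range(2) for j in range(2))


def outcome_table(elements):
    """Probabilities of outcomes 1, 2, 3 for each state Alice may send."""
    return {name: [prob(e, psi) for e in elements]
            for name, psi in (("psi1", PSI1), ("psi2", PSI2))}


def bob_decides(outcome):
    """Bob's rule from the text: E1 -> psi2, E2 -> psi1, E3 -> no information."""
    return {1: "psi2", 2: "psi1", 3: None}[outcome]


def projective_table():
    """Measurement in the {|0>, |1>} basis, for comparison."""
    p0 = [[1.0, 0.0], [0.0, 0.0]]
    p1 = [[0.0, 0.0], [0.0, 1.0]]
    return outcome_table((p0, p1))


if __name__ == "__main__":
    table = outcome_table(povm())
    for name, row in table.items():
        print(name, ["%.4f" % p for p in row])
    print("projective:", projective_table())
    print("E3 positive with book weight:", is_positive(povm()[2]))
    print("E3 positive with weight 0.6 :", is_positive(povm(0.6)[2]))
```

Outcome 3 (no information) occurs with probability $1/\sqrt{2}$ for either state; that is the price Bob pays for never misidentifying.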

2.1.7 Bloch Sphere

There are many quantum effects that could be used to represent a qubit, such as the spin
states (up and down) of an electron, the charge states of quantum dots and the polarization
states of photons [2]. Although we do not want to discuss the physical details, the state
vector is a useful abstraction to describe these effects. In a classical information
system, the bit, which is a two-state system, is used to represent arbitrary information.
Similarly, in a quantum information system, we study a system which has two
degrees of freedom. The two kets $|0\rangle$ and $|1\rangle$ form the basis of a Hilbert space.
$|0\rangle$ is just like the logical state 0 in the classical system, and $|1\rangle$ is like 1. But the
difference is that any superposition state $|\psi\rangle$ of $|0\rangle$ and $|1\rangle$ is also a possible state of
the quantum system. That is to say, any state vector which has the form

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$$

where $\alpha, \beta \in \mathbb{C}$ is also a legitimate state of the quantum information system.


The Bloch sphere is a useful mathematical tool to visualize the quantum state
$|\psi\rangle$. Firstly, the quantum state should be normalized, in other words, $|\alpha|^2 + |\beta|^2 = 1$.
Secondly, the absolute phase of a quantum system is not measurable. Consequently,
it has no physical significance: the quantum states $|\psi\rangle$ and $e^{i\theta}|\psi\rangle$, where $\theta$ is an arbitrary
real number, represent the same quantum state [3]. We should notice that the relative
phase between two quantum states is important. For example, the state $|\phi_1\rangle$ and the
state $|\phi_2\rangle = e^{i\theta}|\phi_1\rangle$, where $\theta$ is a real number, represent two different quantum states.
This means we can choose $\alpha$ to be a real number, and a qubit could be represented
by

$$|\psi\rangle = \cos(\theta/2)\,|0\rangle + e^{i\phi} \sin(\theta/2)\,|1\rangle$$

where $0 \le \theta \le \pi$ and $0 \le \phi \le 2\pi$. Note that $\theta = 0$ corresponds to $|0\rangle$, and $\theta = \pi$
corresponds to $|1\rangle$. It is clear that any $|\psi\rangle$ can be related to a point of a sphere of
radius 1 with latitude and azimuth angles $\theta$ and $\phi$. The sphere is called the Bloch sphere
(cf. Fig. 2.1).

Fig. 2.1 Bloch sphere

2.1.8 Fidelity

The fidelity $F$ is a measure of distance between two density operators $\theta$ and $\rho$. The
fidelity can be defined as

$$F(\theta, \rho) = \left[ Tr \sqrt{\rho^{1/2}\, \theta\, \rho^{1/2}} \right]^2$$

It is the largest fidelity between any two purifications of the given states.
Fidelity as a distance measure between pure states used to be called transition
probability. For two pure states given by unit vectors $|\psi\rangle$ and $|\phi\rangle$, the fidelity between
them is $F(|\psi\rangle, |\phi\rangle) = |\langle\psi|\phi\rangle|^2$. For a pure state (unit vector $|\psi\rangle$) and a mixed state
(density operator $\rho$), this generalizes to $\langle\psi|\rho|\psi\rangle$.
Properties are listed as follows:
1. $0 \le F(\theta, \rho) \le 1$.
2. $F(\theta, \rho) = F(\rho, \theta)$.
3. $F(\rho_1 \otimes \rho_2, \theta_1 \otimes \theta_2) = F(\rho_1, \theta_1)\, F(\rho_2, \theta_2)$.
4. The fidelity is preserved by unitary evolution, i.e., $F(\rho, \theta) = F(U\rho U^\dagger, U\theta U^\dagger)$.
5. $F(\rho, \alpha\theta_1 + (1-\alpha)\theta_2) \ge \alpha F(\rho, \theta_1) + (1-\alpha) F(\rho, \theta_2)$, $\alpha \in [0, 1]$.

2.1.9 Trace Distance

The trace distance $D$ between two density matrices $\theta$, $\rho$ is defined to be

$$D(\theta, \rho) = \frac{1}{2}\, tr(|\theta - \rho|)$$

where we define $|A| = \sqrt{A^\dagger A}$. We notice that the trace distance between two single
qubits is equal to one half of the ordinary Euclidean distance between them on the
Bloch sphere.
Properties are listed as follows:
1. $0 \le D(\theta, \rho)$ with equality if and only if $\theta = \rho$.
2. $D(\theta, \rho) \le 1$ with equality if and only if $\theta$ is orthogonal to $\rho$, i.e., $tr(\theta\rho) = 0$.
3. $D(\theta, \rho) = D(\rho, \theta)$.
4. $D(\rho_1 \otimes \rho_2, \theta_1 \otimes \theta_2) \le D(\rho_1, \theta_1) + D(\rho_2, \theta_2)$.

2.2 Key Operations

2.2.1 Bell Measurement

We consider a system of two particles with spin 1/2. The general state of the system
is given by

$$|\Psi\rangle = \alpha|00\rangle + \beta|01\rangle + \gamma|10\rangle + \delta|11\rangle$$

with $|\alpha|^2 + |\beta|^2 + |\gamma|^2 + |\delta|^2 = 1$.

If we measure the spin of each particle over the ordinary basis $\{|00\rangle, |01\rangle, |10\rangle, |11\rangle\}$,
we will obtain
• $(+\hbar/2, +\hbar/2)$ with probability $|\alpha|^2$.
• $(+\hbar/2, -\hbar/2)$ with probability $|\beta|^2$.
• $(-\hbar/2, +\hbar/2)$ with probability $|\gamma|^2$.
• $(-\hbar/2, -\hbar/2)$ with probability $|\delta|^2$.
Bell measurement is the measurement over the Bell basis:

$$|\Phi^+\rangle = \frac{|00\rangle + |11\rangle}{\sqrt{2}}, \quad |\Phi^-\rangle = \frac{|00\rangle - |11\rangle}{\sqrt{2}}$$

$$|\Psi^+\rangle = \frac{|01\rangle + |10\rangle}{\sqrt{2}}, \quad |\Psi^-\rangle = \frac{|01\rangle - |10\rangle}{\sqrt{2}}$$

The Bell measurement, which is denoted by $\mu(|\Psi\rangle)$ or $\mu(\sigma)$, will give us the result:
• state $|\Phi^+\rangle$ with probability $|\alpha + \beta|^2/2$.
• state $|\Phi^-\rangle$ with probability $|\alpha - \beta|^2/2$.
• state $|\Psi^+\rangle$ with probability $|\gamma + \delta|^2/2$.
• state $|\Psi^-\rangle$ with probability $|\gamma - \delta|^2/2$.
The Bell measurement is a very useful measurement method in quantum mechanics
[4]. One example will be given in Sect. 2.2.3.

2.2.2 Group Operation

We consider four operations: the bit-flip operation $\sigma_X$ or $X = |0\rangle\langle 1| + |1\rangle\langle 0|$, the
phase-flip operation $\sigma_Z$ or $Z = |0\rangle\langle 0| - |1\rangle\langle 1|$, the bit+phase-flip operation $\sigma_Y$ or
$Y = -|0\rangle\langle 1| + |1\rangle\langle 0|$, and the identity operation $\sigma_I$ or $I$. The group operation under
a two-bit string $r_1 r_2$ is denoted by $GR(\rho, r_1 r_2)$.

$$GR(\rho, r_1 r_2) = \begin{cases} \rho, & r_1 r_2 = 00 \\ Z\rho Z^\dagger, & r_1 r_2 = 01 \\ X\rho X^\dagger, & r_1 r_2 = 10 \\ Y\rho Y^\dagger, & r_1 r_2 = 11 \end{cases}$$

Fig. 2.2 Quantum teleportation

2.2.3 Quantum Teleportation

In 1993, Bennett et al. [5] proposed the concept of quantum teleportation. Quantum
teleportation is a method that allows us to transmit perfectly an unknown pure
quantum state by using a pair of entangled particles.
As shown in Fig. 2.2, Alice wants to transmit a particle A with spin 1/2 in an
unknown pure quantum state $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ with $|\alpha|^2 + |\beta|^2 = 1$ to Bob. In
order to realize the teleportation, Alice and Bob share two entangled particles B and C
with spin 1/2. The two particles are in the entangled state $|s\rangle = (|01\rangle - |10\rangle)/\sqrt{2}$.
Consequently, the three particles A, B and C form the state $|\Psi\rangle$:

$$|\Psi\rangle = \frac{\alpha}{\sqrt{2}}|001\rangle + \frac{\beta}{\sqrt{2}}|101\rangle - \frac{\alpha}{\sqrt{2}}|010\rangle - \frac{\beta}{\sqrt{2}}|110\rangle$$

We want to perform the Bell measurement on the pair of particles A and B. We can
first write $|\Psi\rangle$ in the Bell basis, i.e.,

$$
\begin{aligned}
|\Psi\rangle = {} & +\frac{1}{2}\, |\Phi^+\rangle \otimes (\alpha|1\rangle - \beta|0\rangle) \\
& +\frac{1}{2}\, |\Phi^-\rangle \otimes (\alpha|1\rangle + \beta|0\rangle) \\
& -\frac{1}{2}\, |\Psi^+\rangle \otimes (\alpha|0\rangle - \beta|1\rangle) \\
& -\frac{1}{2}\, \underbrace{|\Psi^-\rangle}_{\text{particles } AB} \otimes \underbrace{(\alpha|0\rangle + \beta|1\rangle)}_{\text{particle } C}
\end{aligned}
$$

We can see that after the measurement of the particles A and B:

• if we obtain $|\Psi^-\rangle$, we can say for sure that the state of the particle C is exactly
  the state $|\psi\rangle$ that we want to transmit.
• if we obtain $|\Psi^+\rangle$, we apply the phase-flip $Z = |0\rangle\langle 0| - |1\rangle\langle 1|$ to the particle C,
  then we obtain the state $|\psi\rangle$.
• if we obtain $|\Phi^-\rangle$, we apply the bit-flip $X = |0\rangle\langle 1| + |1\rangle\langle 0|$ to the particle C, then
  we obtain the state $|\psi\rangle$.
• if we obtain $|\Phi^+\rangle$, we apply the bit+phase-flip $Y = |0\rangle\langle 1| - |1\rangle\langle 0|$ to the particle
  C, then we obtain the state $|\psi\rangle$.

References

1. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge
University Press, Cambridge (2002)
2. Jones, J.A., Jaksch, D.: Quantum Information, Computation and Communication. Cambridge
University Press, Cambridge (2012)
3. Basdevant, J.L., Dalibard, J., Joffre, M.: Mécanique quantique. Editions Ecole Polytechnique
(2002)
4. Schwabl, F.: Quantum Mechanics. Springer Nature, Berlin (2002)
5. Bennett, C.H., Brassard, G., Crepeau, C.: Teleportation an unknown quantum state via dual
classical and EPR channel. Phys. Rev. Lett. 70(13), 1895–1899 (1993)
Chapter 3
Typical Quantum Network Coding
Schemes

Many quantum network coding schemes are different in terms of node, channel,
resources, security, etc. Considering their own special properties characterized by
the additional resources used, quantum network coding schemes can be precisely
classified according to what kind of additional resources are used. In this chapter, we
introduce several main classes of quantum network coding. Besides the non-additional
resource scheme, the additional resource schemes include the prior entanglement scheme,
quantum register scheme, quantum repeater scheme, and quantum cluster scheme.
Performance analysis approaches are also summarized.

3.1 Non-additional Resource Scheme

3.1.1 XQQ

Hayashi et al. [1] started the first study of quantum network coding. They verified
the possibility of quantum network coding and proposed an approximated network
coding protocol, namely crossing two qubits (XQQ).
This protocol requires three basic operations.
Universal cloning (UC) The universal cloning was proposed by Buzek and Hillery
[2] as an approximated cloning method of an unknown qubit state. It is given by the
TP-CP map $UC$.

$$UC(|0\rangle\langle 0|) = \frac{2}{3}\,|00\rangle\langle 00| + \frac{1}{3}\,|\Psi^+\rangle\langle\Psi^+|$$

$$UC(|0\rangle\langle 1|) = \frac{\sqrt{2}}{3}\,|\Psi^+\rangle\langle 11| + \frac{\sqrt{2}}{3}\,|00\rangle\langle\Psi^+|$$

$$UC(|1\rangle\langle 0|) = \frac{\sqrt{2}}{3}\,|11\rangle\langle\Psi^+| + \frac{\sqrt{2}}{3}\,|\Psi^+\rangle\langle 00|$$

$$UC(|1\rangle\langle 1|) = \frac{2}{3}\,|11\rangle\langle 11| + \frac{1}{3}\,|\Psi^+\rangle\langle\Psi^+|$$

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_3

This map is intended to clone not only the classical states $|0\rangle$ and $|1\rangle$ but also any
superposition, by mixing the symmetric state $|\Psi^+\rangle$ with $|00\rangle$ and $|11\rangle$ as the output.
Let $\rho_1 = Tr_2\, UC(|\psi\rangle)$ and $\rho_2 = Tr_1\, UC(|\psi\rangle)$, where $Tr_i$ is the partial trace over the
$i$th qubit. Then we obtain $\rho_1 = \rho_2 = \frac{2}{3}|\psi\rangle\langle\psi| + \frac{1}{3}\cdot\frac{I}{2}$ as the universal cloning. We
can prove that the universal cloning is 2/3-shrinking.
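Tetra measurement (TTR) There are the four states as follows:

$$|\chi(00)\rangle = \cos\tilde{\theta}\,|0\rangle + e^{i\pi/4} \sin\tilde{\theta}\,|1\rangle$$

$$|\chi(01)\rangle = \cos\tilde{\theta}\,|0\rangle + e^{-3i\pi/4} \sin\tilde{\theta}\,|1\rangle$$

$$|\chi(10)\rangle = \sin\tilde{\theta}\,|0\rangle + e^{-i\pi/4} \cos\tilde{\theta}\,|1\rangle$$

$$|\chi(11)\rangle = \sin\tilde{\theta}\,|0\rangle + e^{3i\pi/4} \cos\tilde{\theta}\,|1\rangle$$

with $\cos^2\tilde{\theta} = 1/2 + \sqrt{3}/6$, which form a tetrahedron in the Bloch sphere
representation. We can prove that $\{\hat{\chi}(00), \hat{\chi}(01), \hat{\chi}(10), \hat{\chi}(11)\}$, where $\hat{\chi} = |\chi\rangle\langle\chi|$, are
linearly independent.
The tetra measurement is defined by the POVM

$$\{\hat{\chi}(00), \hat{\chi}(01), \hat{\chi}(10), \hat{\chi}(11)\}$$

We list some properties of the tetra measurement:

• TTR on $|\chi(z_1 z_2)\rangle$ produces the two bits $z_1 z_2$ with probability 1/2, and each of the
  other three two-bit values with probability 1/6.
• The TP-CP map induced by TTR, $|\psi\rangle \to \hat{\chi}(TTR(|\psi\rangle)) = \frac{1}{3}|\psi\rangle\langle\psi| + \frac{\hat{I}}{3}$, is
  1/3-shrinking.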
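3D Bell measurement (BM) The 3D Bell measurement is based on the Bell measurement and is
denoted by $BM(Q, Q')$ or $BM(\sigma)$. The input is the state $\sigma$ of the two-qubit system
$Q \otimes Q'$. The output belongs to the set

$$\left\{ |0\rangle,\ |1\rangle,\ |+\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},\ |-\rangle = \frac{|0\rangle - |1\rangle}{\sqrt{2}},\ |+'\rangle = \frac{|0\rangle + i|1\rangle}{\sqrt{2}},\ |-'\rangle = \frac{|0\rangle - i|1\rangle}{\sqrt{2}} \right\}.$$

We apply the following three operations $a$, $b$, $c$ with probability 1/3 for each.

$$a = \begin{cases} |0\rangle, & \text{if } \mu(\sigma) = |\Phi^+\rangle \text{ or } |\Phi^-\rangle \\ |1\rangle, & \text{if } \mu(\sigma) = |\Psi^+\rangle \text{ or } |\Psi^-\rangle \end{cases}$$

$$b = \begin{cases} |+\rangle, & \text{if } \mu(\sigma) = |\Phi^+\rangle \text{ or } |\Psi^+\rangle \\ |-\rangle, & \text{if } \mu(\sigma) = |\Phi^-\rangle \text{ or } |\Psi^-\rangle \end{cases}$$

$$c = \begin{cases} |+'\rangle, & \text{if } \mu(\sigma) = |\Phi^+\rangle \text{ or } |\Psi^-\rangle \\ |-'\rangle, & \text{if } \mu(\sigma) = |\Phi^-\rangle \text{ or } |\Psi^+\rangle \end{cases}$$

Fig. 3.1 XQQ (butterfly network with sources $s_1$, $s_2$, sinks $t_1$, $t_2$ and qubits $Q_1$ to $Q_7$)

Figure 3.1 represents the network configuration.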


This protocol is described as follows.

• Input: $|\psi_1\rangle$ at $s_1$, and $|\psi_2\rangle$ at $s_2$.
• Output: $\rho_1^{out}$ at $t_1$, and $\rho_2^{out}$ at $t_2$.
• Step 1: $(Q_1, Q_2) = UC(|\psi_1\rangle)$ at $s_1$; $(Q_3, Q_4) = UC(|\psi_2\rangle)$ at $s_2$.
• Step 2: $X = TTR(Q_3)$, $Q_5 = GR(Q_2, X)$ at $s_0$.
• Step 3: $(Q_6, Q_7) = UC(Q_5)$ at $t_0$.
• Step 4: $\rho_1^{out} = GR(Q_7, TTR(Q_4))$ at $t_1$; $\rho_2^{out} = BM(Q_1, Q_6)$ at $t_2$.

We observe that the two qubits cross over the bottleneck channel $s_0 t_0$. The
main idea is that by using the tetra measurement, we discretize the qubit $Q_3$ into two
classical bits which are then used to encode the qubit $Q_2$ by the group operation.
To recover the qubits at the two sinks, we use the group operation and the 3D Bell
measurement at $t_1$ and $t_2$, respectively. Because the approximated cloning is used, we
cannot get the exactly transmitted qubits at the two sinks. So the fidelity of quantum
communication has to be considered.
We calculate the fidelity $F_{t_1}$ at $t_1$ and $F_{t_2}$ at $t_2$ and obtain
• $\frac{1}{2} + \frac{2}{81} \le F_{t_1} \le 0.983$
• $\frac{1}{2} + \frac{2\sqrt{3}}{243} \le F_{t_2} \le 0.983$

We observe that the lower bound is strictly greater than 1/2, which means some
quantum information has been successfully transferred via the quantum butterfly
network by the XQQ protocol.

3.1.2 General Graph

The first quantum network coding protocol XQQ [1] achieved the cross transmission
of two qubits with fidelity greater than 1/2 for the butterfly network. Then Iwama
et al. [3] attempted to extend the result to a larger class of general graphs.
This protocol requires two basic operations.
Entanglement-free cloning The entanglement-free cloning (EFC) is defined as follows:

A TP-CP map $f$ is an EFC for a set of quantum states $Q = \{\rho_1, ..., \rho_m\}$ if there exist $p, q > 0$
such that, for any $\rho \in Q$, $f(\rho) = \left(p\rho + (1-p)\frac{I}{2}\right) \otimes \left(q\rho + (1-q)\frac{I}{2}\right)$. If such a map exists,
we say that $Q$ admits an EFC.

Necessary Conditions for EFC

If a set $Q = \{\rho_1, ..., \rho_m\}$ of quantum states admits an EFC, then $\rho_1, ..., \rho_m$ are linearly
independent (on the vector space $M_{2\times 2}(\mathbb{C})$).

Operation of $EFC_\alpha$

• Input: $\rho_\alpha = \alpha\hat{\chi} + (1-\alpha)\frac{\hat{I}}{2}$ where $\hat{\chi} \in \{\hat{\chi}(z_1 z_2) \mid z_1 z_2 \in \mathbb{F}_2^2\}$.
• Step 1: Apply the tetra measurement on $\rho_\alpha$, let $X = TTR(\rho_\alpha)$ where $X \in \mathbb{F}_2^2$.
• Step 2: Produce the pair of two-bit values $(Z_1, Z_2)$ from the measurement value
  $X$ according to the following probability distribution: $(X, X)$ with probability
  $p_1 = \frac{81+6\alpha+\alpha^2}{432}$, each of the forms $(X, Y)$ or $(Y, X)$ (6 patterns) with probability
  $p_2 = \frac{(9-\alpha)(15+\alpha)}{1296}$ where $Y$ is two-bit information different from $X$, each of the
  forms $(Y, Y')$ (6 patterns) with probability $p_3 = \frac{(9-\alpha)(3+\alpha)}{1296}$ where $Y'$ is two-bit
  information different from $X$ and $Y$, and each of the forms $(Y, Y)$ (3 patterns)
  with probability $p_4 = \frac{9-2\alpha+\alpha^2}{432}$.
• Step 3: Send $|\chi(Z_1)\rangle$ and $|\chi(Z_2)\rangle$ to the two outgoing edges.

For any $\alpha > 0$, the output of $EFC_\alpha$ on input $\rho_\alpha$ is $\left(\frac{\alpha}{9}\hat{\chi} + (1-\frac{\alpha}{9})\frac{\hat{I}}{2}\right)^{\otimes 2}$, which is
entanglement-free as defined above.
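Both the tetra measurement of Sect. 3.1.1 and the $EFC_\alpha$ operation above can be checked numerically. The following Python code is an added example, not from the book or from references [1] and [3]: it assumes that the TTR POVM elements carry the weight 1/2, i.e. $\hat{\chi}(z)/2$, so that they sum to the identity (the weight consistent with the probabilities 1/2 and 1/6 stated for TTR), and the test state and values of $\alpha$ in the usage are constructed.

```python
import cmath
import math
from itertools import product

COS2 = 0.5 + math.sqrt(3) / 6                  # cos^2(theta~)
CT, ST = math.sqrt(COS2), math.sqrt(1 - COS2)


def e8(k):
    """e^{i k pi/4}"""
    return cmath.exp(1j * k * math.pi / 4)


CHI = {                                        # the four tetra states |chi(z1 z2)>
    "00": (CT, e8(1) * ST),
    "01": (CT, e8(-3) * ST),
    "10": (ST, e8(-1) * CT),
    "11": (ST, e8(3) * CT),
}
I2 = [[1, 0], [0, 1]]


def proj(v):
    """|v><v|"""
    return [[a * complex(b).conjugate() for b in v] for a in v]


def lin(terms, n=2):
    """Weighted sum of n x n matrices given as (weight, matrix) pairs."""
    return [[sum(w * m[i][j] for w, m in terms) for j in range(n)] for i in range(n)]


def kron(a, b):
    """Tensor product of two 2x2 matrices."""
    return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)] for i in range(4)]


def max_diff(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def ttr_probs(rho):
    """TTR outcome distribution Tr(chi_hat(z) rho)/2 (the weight 1/2 is the assumption)."""
    return {z: 0.5 * sum(proj(c)[i][j] * rho[j][i]
                         for i in range(2) for j in range(2)).real
            for z, c in CHI.items()}


def measure_and_prepare(rho):
    """State obtained when the TTR result z is re-encoded as |chi(z)>."""
    return lin([(p, proj(CHI[z])) for z, p in ttr_probs(rho).items()])


def efc_pair_dist(x, alpha):
    """Step 2 of EFC_alpha: distribution of (Z1, Z2) given the TTR result X = x."""
    p1 = (81 + 6 * alpha + alpha ** 2) / 432
    p2 = (9 - alpha) * (15 + alpha) / 1296
    p3 = (9 - alpha) * (3 + alpha) / 1296
    p4 = (9 - 2 * alpha + alpha ** 2) / 432
    dist = {}
    for z1, z2 in product(CHI, repeat=2):
        if z1 == x and z2 == x:
            dist[z1, z2] = p1                  # (X, X)
        elif z1 == x or z2 == x:
            dist[z1, z2] = p2                  # (X, Y) or (Y, X)
        elif z1 != z2:
            dist[z1, z2] = p3                  # (Y, Y')
        else:
            dist[z1, z2] = p4                  # (Y, Y)
    return dist


def efc_output(z, alpha):
    """Two-qubit output of EFC_alpha on rho_alpha = alpha*chi_hat(z) + (1-alpha)*I/2."""
    rho_in = lin([(alpha, proj(CHI[z])), ((1 - alpha) / 2, I2)])
    terms = [(px * pz, kron(proj(CHI[z1]), proj(CHI[z2])))
             for x, px in ttr_probs(rho_in).items()
             for (z1, z2), pz in efc_pair_dist(x, alpha).items()]
    return lin(terms, n=4)


def efc_claimed(z, alpha):
    """(alpha/9 chi_hat + (1 - alpha/9) I/2) tensor itself."""
    one = lin([(alpha / 9, proj(CHI[z])), ((1 - alpha / 9) / 2, I2)])
    return kron(one, one)


if __name__ == "__main__":
    print("TTR on |chi(10)>:", ttr_probs(proj(CHI["10"])))
    print("EFC deviation from product form:",
          max_diff(efc_output("01", 1.0), efc_claimed("01", 1.0)))
```

The last check confirms that the output carries no correlation between the two outgoing qubits: the sum over all sixteen $(Z_1, Z_2)$ patterns equals the tensor product of two identical single-qubit states.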
Before introducing the protocol, we provide some important definitions and lemmas.
Degree-3 graph A degree-3 (D3) graph has five different kinds of nodes: fork nodes,
join nodes, transform nodes, source nodes, and sink nodes, whose (indegree, outdegree)
is (1, 2), (2, 1), (1, 1), (0, 1), and (1, 0), respectively.
Simple classical protocol The classical protocol $P_C(G)$ for a D3 graph is called
simple if the operation at each node is restricted as follows:
1. The input is sent to the outgoing edge without any change at each source node.
2. The incoming value is just copied and sent to the two outgoing edges at each fork
   node.
3. The operation of each transform node is constant, one-to-one, or two-to-one.
4. The operation of each join node is the addition (denoted by +) over $\mathbb{F}_2^2$.
5. The sink node just receives the incoming value (no operation).
Lemma For a given general graph $G$ and a classical protocol $P_C(G)$, we can
transform them to a D3 graph $G'$ and a varying protocol $P_C(G')$ from which we can
design our quantum counterpart $P_Q(G)$ by simulating $P_C(G')$.
Protocol $P_Q(G)$ In this paragraph, we introduce the algorithm for designing $P_Q(G)$
based on all the preliminaries above. $Q(v)$ is the operation at a node $v$, and $\alpha(v)$ is
the shrinking factor at that node $v$.
• Input: A pair of general graph and classical protocol $(G, P_C(G))$.
• Output: A QNC protocol $P_Q(G)$ which simulates $P_C(G)$.
• Step 1: Transform $(G, P_C(G))$ to a D3 graph and a simple protocol $(G', P_C(G'))$.
• Step 2: Determine a total order for the nodes of $G'$ by their depth (= the length of
  the longest path from a source node). Break ties arbitrarily. Let $v_1, ..., v_r$ be their
  order.
• Step 3: For each $v = v_1, ..., v_r$, do the following work according to the type of the
  node:
  – source node: Let $\alpha(v) = 1$ and let $Q(v)$ = [apply TTR for the source, obtain
    the measurement value $x_1 x_2 \in \mathbb{F}_2^2$ and send $\hat{\chi}(x_1 x_2)$ to its child node].
  – join node: Let $\alpha(v) = \frac{1}{9}\alpha(v_1)\alpha(v_2)$ where $v_1$ and $v_2$ are $v$'s parent nodes, and
    let $Q(v)$ = [apply TTR for the two source states, obtain the measurement values
    $x_1 x_2 \in \mathbb{F}_2^2$ and $y_1 y_2 \in \mathbb{F}_2^2$, and send $\hat{\chi}(x_1 x_2 + y_1 y_2)$ to its child node].
  – fork node: Let $\alpha(v) = \frac{1}{9}\alpha(v_1)$ for the parent node $v_1$, and $Q(v)$ = [apply
    $EFC_{\alpha(v)}$ for the incoming state and send the resulting two-qubit state to its
    child nodes].
  – sink node: $Q(v)$ = [Do nothing].
  – transform node: Let $g$ be the corresponding operation in $P_C(G')$. If $g$ is a
    constant function, i.e., for a fixed $x_1 x_2 \in \mathbb{F}_2^2$, $g(\cdot) = x_1 x_2$, then let $\alpha(v) = 1$ and
    $Q(v)$ = [send $\hat{\chi}(x_1 x_2)$ to its child node]. Else if $g$ is a one-to-one function, then
    let $\alpha(v) = \alpha(v_1)/3$ for the parent node $v_1$, and $Q(v)$ = [apply TTR for the source
    state, obtain the measurement value $x_1 x_2 \in \mathbb{F}_2^2$ and send $\hat{\chi}(g(x_1 x_2))$ to its child
    nodes]. Else $g$ is a two-to-one function; let $\alpha(v) = \frac{\alpha(v_1)}{6-\alpha(v_1)}$ for the parent node
    $v_1$ and $Q(v)$ = [apply TTR for the source state, obtain the measurement value
    $x_1 x_2 \in \mathbb{F}_2^2$, send $\hat{\chi}(g(x_1 x_2))$ to its child with probability $\frac{3}{6-\alpha(v)}$ and send $\hat{\chi}(y_1 y_2)$
    and $\hat{\chi}(z_1 z_2)$ to its child with probability $\frac{3-\alpha(v)}{2(6-\alpha(v))}$ for each, where
    $\{y_1 y_2, z_1 z_2\} = \mathbb{F}_2^2 \setminus \mathrm{Im}(g)$].

By applying the protocol above, Iwama et al. obtained several important results
which lead to the approximate quantum network coding. First of all, for the node
$v \in V$, suppose that $P_C(G')$ produces output values $y \in \mathbb{F}_2^2$ from input values
$(x_1, ..., x_n) \in \mathbb{F}_2^{2n}$. If input states $\hat{\chi}(x_i)$ are supplied to source node $s_i$ for $i = 1, ..., n$,
then $P_Q(G)$ produces the state $\alpha(u)\hat{\chi}(y) + (1-\alpha(u))\frac{\hat{I}}{2}$. Such a result leads to the
main conclusion:

Suppose that $P_C(G)$ is a classical protocol for the graph $G$ and we supply general input
states $|\psi_1\rangle, ..., |\psi_n\rangle$. If $P_Q(G)$ produces output states $\rho_1, ..., \rho_m$, the fidelity between $\rho_i$ and the
corresponding initial state $|\psi_j\rangle$ is greater than 1/2.

This protocol is a quantum simulation of the classical network coding protocol. So
the classical network coding protocol is indispensable. It can achieve the transmission
of non-entangled states in a general graph G4 network with fidelity greater than 1/2.
The key operation used is the $EFC_\alpha$, which produces no entanglement, thus allowing
us to get rid of complicated entanglement situations after propagating in a complex
network. By EFC, this protocol can achieve multicasting of quantum states with
certain fidelity less than 1.

3.2 Prior Entanglement Scheme

3.2.1 Prior Entanglement Between Senders

Entanglement provides some miraculous capabilities in quantum information, such as
quantum teleportation and dense coding. Leung et al. [4] showed that the combination
of quantum teleportation and dense coding enables perfect quantum transmission in
the butterfly network. Furthermore, Hayashi [5] explored the effect of prior entanglement
and reduced the number of players sharing the prior entanglement.
Hayashi's protocol (here it is called PE) [5] uses two pairs of the maximally
entangled state $|\Phi^+\rangle$ (one of the Bell bases) shared between two senders to transmit
two non-entangled quantum states across the butterfly network. Figure 3.2 shows
the network configuration.

Fig. 3.2 Sharing maximally entangled states

• Input: $|\psi_1\rangle$ at $s_1$, and $|\psi_2\rangle$ at $s_2$.
• Output: $\rho_1^{out}$ at $t_1$, and $\rho_2^{out}$ at $t_2$.
• Preparation: The two sources $s_1$ and $s_2$ share two pairs of maximally entangled
  qubits $|\Phi^+\rangle_{A_{11}A_{21}}$, $|\Phi^+\rangle_{A_{12}A_{22}}$. One particle of each maximally entangled pair belongs
  to the source $s_1$ and the other one belongs to the source $s_2$. So the state of the whole
  system at $s_i$ is $|\psi_i\rangle \otimes |\Phi^+\rangle_{A_{1i}A_{2i}}$, $i = 1, 2$.
• Step 1: the source $s_i$ carries out the Bell measurement of the state $|\psi_i\rangle \otimes |\Phi^+\rangle_{A_{1i}A_{2i}}$,
  $i = 1, 2$. The result $\{|\Phi^+\rangle, |\Phi^-\rangle, |\Psi^+\rangle, |\Psi^-\rangle\}$ corresponds to $\{00, 10, 01, 11\}$,
  respectively. For convenience, we denote $X_i \in \{00, 10, 01, 11\}$ as the result of
  measurement at source $s_i$, $i = 1, 2$. In this case, the state on the remaining site $A_{12}$
  ($A_{21}$, respectively) is $U_{X_2}^{-1}|\psi_2\rangle$ ($U_{X_1}^{-1}|\psi_1\rangle$, respectively), where $U_X$ is the recovering
  unitary operation for teleportation.
• Step 2: the source $s_1$ ($s_2$, respectively) performs the unitary operation $U_{X_1}^{-1}$ ($U_{X_2}^{-1}$,
  respectively) on the remaining site $A_{12}$ ($A_{21}$, respectively).
  Hence, we obtain the states $U_{X_1 \oplus X_2}^{-1}|\psi_2\rangle$ and $U_{X_1 \oplus X_2}^{-1}|\psi_1\rangle$ at the sources $s_1$ and $s_2$.
  Then we send the two states to the sinks. The sources also send the two-bit strings
  $X_1$ and $X_2$ to the node $s_0$.
• Step 3: the node $s_0$ performs the XOR operation of $X_1$ and $X_2$. After that, we send
  the result to the node $t_0$ and then to the sinks $t_1$ and $t_2$.
• Step 4: the sink $t_i$ performs the unitary operation $U_{X_1 \oplus X_2}$ on the received state
  $U_{X_1 \oplus X_2}^{-1}|\psi_i\rangle$. The output is $\rho_i^{out} = U_{X_1 \oplus X_2} U_{X_1 \oplus X_2}^{-1}|\psi_i\rangle = |\psi_i\rangle$.

The unitary operation $U_X$ used in Step 2 is chosen from

$$U_{00} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},\quad U_{10} = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix},\quad U_{01} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},\quad U_{11} = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}$$

In this protocol, either one-qubit quantum transmission or two-bit classical
communication was allowed over the network. If the dense coding was used, one qubit
can represent two classical bits.
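Steps 1 to 4 of the PE protocol can be traced for every pair of Bell-measurement results. The following Python code is an added example, not from the book or from reference [5]: it takes from the text that the remaining site holds $U_X^{-1}|\psi\rangle$ after the Bell measurement, uses the four matrices listed above, and the two input states in the usage are constructed.

```python
import math
from itertools import product

# U_X from the text, indexed by the two-bit Bell-measurement result X.
U = {
    (0, 0): [[1, 0], [0, 1]],
    (1, 0): [[1, 0], [0, -1]],
    (0, 1): [[0, 1], [1, 0]],
    (1, 1): [[0, 1], [-1, 0]],
}


def inverse(m):
    """Inverse of a real unitary 2x2 matrix, i.e. its transpose."""
    return [[m[j][i] for j in range(2)] for i in range(2)]


def apply(m, v):
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]


def fidelity(u, v):
    """|<u|v>|^2, which ignores the global phase."""
    return abs(sum(complex(a).conjugate() * b for a, b in zip(u, v))) ** 2


def xor(x, y):
    return (x[0] ^ y[0], x[1] ^ y[1])


def run_pe(psi1, psi2, x1, x2, apply_step4=True):
    """Follow both qubits for given results X1, X2.

    Returns (bits sent over the bottleneck s0 -> t0, fidelity at t1, fidelity at t2).
    """
    # Step 1: after the Bell measurements, A21 (at s2) and A12 (at s1) hold
    # U_X1^-1|psi1> and U_X2^-1|psi2>, as stated in the text.
    a21 = apply(inverse(U[x1]), psi1)
    a12 = apply(inverse(U[x2]), psi2)
    # Step 2: each source applies the inverse for its own result to the qubit it holds.
    to_t2 = apply(inverse(U[x1]), a12)      # sent by s1
    to_t1 = apply(inverse(U[x2]), a21)      # sent by s2
    # Step 3: s0 forwards only the XOR of the two classical strings.
    p = xor(x1, x2)
    # Step 4: the sinks undo the remaining operation.
    out1 = apply(U[p], to_t1) if apply_step4 else to_t1
    out2 = apply(U[p], to_t2) if apply_step4 else to_t2
    return p, fidelity(psi1, out1), fidelity(psi2, out2)


def worst_fidelity(psi1, psi2, apply_step4=True):
    """Smallest output fidelity over all 16 combinations of X1 and X2."""
    return min(min(run_pe(psi1, psi2, x1, x2, apply_step4)[1:])
               for x1, x2 in product(U, repeat=2))


if __name__ == "__main__":
    s = 1 / math.sqrt(2)
    psi1, psi2 = [0.6, 0.8j], [s, -s]       # constructed input states
    print("worst fidelity with Step 4   :", worst_fidelity(psi1, psi2))
    print("worst fidelity without Step 4:", worst_fidelity(psi1, psi2, apply_step4=False))
```

The products $U_{X_2}^{-1}U_{X_1}^{-1}$ equal $U_{X_1 \oplus X_2}^{-1}$ only up to a sign, which is a global phase, so two classical bits over the bottleneck are enough for both sinks.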
Fig. 3.3 Sharing non-maximally entangled states

3.2.2 Sharing Non-maximally Entangled States

It is difficult to have a maximally entangled state at one's disposal in a real situation.
As a successor of [5], Ma et al. [6] investigated quantum network coding via
non-maximally entangled pairs.
Their protocol can transmit 2-level quantum states across the butterfly
network with two non-maximally entangled qubit pairs shared only between the two
senders. Figure 3.3 shows the network configuration.

• Input: $|\phi_1\rangle = \alpha_1|0\rangle + \beta_1|1\rangle$ at $s_1$, and $|\phi_2\rangle = \alpha_2|0\rangle + \beta_2|1\rangle$ at $s_2$ with $\alpha_i^2 + \beta_i^2 = 1$, $i = 1, 2$.
• Output: $\rho_1^{out}$ at $t_1$, and $\rho_2^{out}$ at $t_2$.
• Preparation: two sources $s_1$ and $s_2$ share two pairs of non-maximally entangled qubits: $|A_{11}A_{21}\rangle = (b_0|00\rangle + b_1|11\rangle)_{A_{11}A_{21}}$, $|A_{12}A_{22}\rangle = (b_0|00\rangle + b_1|11\rangle)_{A_{12}A_{22}}$ with $b_0^2 + b_1^2 = 1$ and $|b_0| < |b_1|$. One of each non-maximally entangled particles belongs to the source $s_1$ and the other one belongs to the source $s_2$. So the state of the whole system at $s_i$ is $|\phi_i\rangle \otimes |A_{1i}A_{2i}\rangle$, $i = 1, 2$.
• Step 1: the source $s_i$ carries out the Bell measurement of the state $|\phi_i\rangle \otimes |A_{1i}A_{2i}\rangle$, $i = 1, 2$. The result $\{|\Phi^+\rangle, |\Phi^-\rangle, |\Psi^+\rangle$ and $|\Psi^-\rangle\}$ corresponds to $\{00, 10, 01, 11\}$, respectively. For convenience, we denote $X_i = n_i m_i \in \{00, 10, 01, 11\}$ as the result of measurement at source $s_i$, $i = 1, 2$. We denote also $|\phi_1(X_1)\rangle$ ($|\phi_2(X_2)\rangle$, respectively) as the state on the remaining site $A_{21}$ ($A_{12}$, respectively) after the measurement.
• Step 2: the source $s_1$ ($s_2$, respectively) sends the state $U_{X_1}^{-1}|\phi_2(X_2)\rangle$ ($U_{X_2}^{-1}|\phi_1(X_1)\rangle$, respectively) to the sink $t_2$ ($t_1$, respectively), and sends a classical two-bit string $X_1$ ($X_2$, respectively) to the node $s_0$.
• Step 3: the node $s_0$ sends a classical three-bit string $p_1 p_2 m_1$ to $t_0$. Then $t_0$ sends the same bit string to $t_1$ and $t_2$. Here $p_1 p_2 = X_1 \oplus X_2$.
• Step 4: the sink $t_1$ ($t_2$, respectively) performs the unitary operation $U_{p_1 p_2}$ on the received state $U_{X_2}^{-1}|\phi_1(X_1)\rangle$ ($U_{X_1}^{-1}|\phi_2(X_2)\rangle$, respectively). The outputs are $\rho_1^{out}$ and $\rho_2^{out}$.
• Step 5: the sink $s_i$ introduces an auxiliary qubit with the original state $|0\rangle_{s_i}$. Every sink takes a collective unitary transformation depending on $m_1$ and $p_2$. (i) the sink $s_1$ takes the collective unitary transformation $V_0$ if $m_1 = 0$, otherwise takes $V_1$. (ii) the sink $s_2$ takes the collective unitary transformation $V_0$ if $m_1 = p_2$, otherwise takes $V_1$. If the result is $|0\rangle_{B_i}$, the transmission succeeds, otherwise the transmission fails.

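The collective unitary transformations are described as follows:

$$V_0 = \begin{bmatrix}
1 & 0 & 0 & 0 \\
0 & \dfrac{b_0}{b_1} & 0 & \sqrt{1 - \dfrac{b_0^2}{b_1^2}} \\
0 & 0 & -1 & 0 \\
0 & \sqrt{1 - \dfrac{b_0^2}{b_1^2}} & 0 & -\dfrac{b_0}{b_1}
\end{bmatrix}$$

$$V_1 = \begin{bmatrix}
\dfrac{b_0}{b_1} & 0 & \sqrt{1 - \dfrac{b_0^2}{b_1^2}} & 0 \\
0 & 1 & 0 & 0 \\
\sqrt{1 - \dfrac{b_0^2}{b_1^2}} & 0 & -\dfrac{b_0}{b_1} & 0 \\
0 & 0 & 0 & -1
\end{bmatrix}$$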

This protocol can transmit an entangled state across the butterfly network. New techniques such as entanglement distillation and quantum repeaters can realize maximally entangled states efficiently. In this protocol, the state of the non-maximally entangled particles is also difficult to determine, which means that the coefficients $b_0$ and $b_1$ can hardly be obtained.

3.3 Quantum Register Scheme

3.3.1 Perfect Linear Quantum Network Coding

Since it is impossible to achieve perfect quantum network coding without additional assumptions, Kobayashi et al. [7] studied the problem of transmitting quantum states efficiently through a network, which allows free classical communication between any pairs of network nodes.
This protocol requires three basic operations.
Unitary operator $W$ Let $\phi$ be a group isomorphism from the additive group of $R$ to some abelian group $A = \mathbb{Z}_{r_1} \times \cdots \times \mathbb{Z}_{r_l}$ with $\prod_{i=1}^{l} r_i = |R|$ (but $\phi$ is not necessarily a ring isomorphism). There are many possibilities for the choice of $A$ and $\phi$. It is convenient to take $\mathbb{Z}_{r_1} \times \cdots \times \mathbb{Z}_{r_l}$ to be the invariant factor decomposition of the additive group of $R$. For any $x \in R$ and $i \in \{1, ..., l\}$, let $\phi_i(x)$ denote the $i$th coordinate of $\phi(x)$, i.e., an element of $\mathbb{Z}_{r_i}$. In the quantum setting, each register contains a quantum state over $\mathcal{H} = \mathbb{C}^{|R|}$, and we denote an orthonormal basis of $\mathcal{H}$ by $\{|z\rangle\}_{z \in R}$.
We define a unitary operator $W$ over the Hilbert space $\mathcal{H}$ as follows: for any $y \in R$, the operator $W$ maps the basis state $|y\rangle$ to the state

$$\frac{1}{\sqrt{|R|}} \sum_{z \in R} \exp\left(2\pi i \sum_{i=1}^{l} \frac{\phi_i(y)\phi_i(z)}{r_i}\right) |z\rangle$$

Note that $W$ is basically the quantum Fourier transform over the additive group of $R$.
Operator $U_{f_1,...,f_n}$ Let $m$ and $n$ be two positive integers and $f_1, ..., f_n$ be $n$ functions from $R^m$ to $R$. Let $U_{f_1,...,f_n}$ be the unitary operator over the Hilbert space $\mathcal{H}^{\otimes m} \otimes \mathcal{H}^{\otimes n}$ defined as follows: for any $m$ elements $y_1, ..., y_m$ and any $n$ elements $z_1, ..., z_n$ of $R$, the operator $U_{f_1,...,f_n}$ maps the basis state $|y_1, ..., y_m\rangle |z_1, ..., z_n\rangle$ to the state

$$|y_1, ..., y_m\rangle\, |z_1 + f_1(y_1, ..., y_m), ..., z_n + f_n(y_1, ..., y_m)\rangle$$

Encoding($f_1, ..., f_n$)
• Input: quantum registers $Q_1, ..., Q_m \in \mathcal{H}$;
• Output: quantum registers $Q'_1, ..., Q'_n \in \mathcal{H}$ and elements $a_1, ..., a_m \in R$.
• Introduce $n$ registers $Q'_1, ..., Q'_n$, each initialized to $|0\rangle$.
• Apply the operator $U_{f_1,...,f_n}$ to $(Q_1, ..., Q_m, Q'_1, ..., Q'_n)$.
• For each $i \in \{1, ..., m\}$, apply $W$ to $Q_i$.
• Measure the first $m$ registers $Q_1, ..., Q_m$ in the $\{|i\rangle\}_{i \in R}$ basis. Let $a_1, ..., a_m \in R$ denote the outcomes of the measurements.
• Output $Q'_1, ..., Q'_n$ and the $m$ elements $a_1, ..., a_m$.
Suppose that the contents of the registers $Q_1, ..., Q_m$ form the state $|y_1, ..., y_m\rangle_{(Q_1,...,Q_m)}$ for some elements $y_1, ..., y_m$ of $R$. Then the state in $(Q'_1, ..., Q'_n)$ after applying Encoding($f_1, ..., f_n$) is of the form

$$\exp\left(2\pi i\, g(y_1, ..., y_m)\right) |f_1(y_1, ..., y_m), ..., f_n(y_1, ..., y_m)\rangle_{(Q'_1,...,Q'_n)}$$

where $g$ is an additive group homomorphism determined by the measurement outcomes $a_1, ..., a_m$:

$$g : R^m \longrightarrow \mathbb{Q}, \qquad (y_1, ..., y_m) \longmapsto \sum_{i=1}^{l} \sum_{j=1}^{m} \frac{\phi_i(a_j)\phi_i(y_j)}{r_i}$$

Perfect quantum network coding using free classical communication is possible over a network with k source–target pairs if there exists a classical linear (or even vector linear) coding scheme over a finite ring.
The strategy is to simulate the solution to the associated classical task node by
node. More precisely, let v ∈ V be a node of graph G with fan-in m and fan-out n.
The classical protocol performs fv,1 , ..., fv,n to the m inputs and produces n outputs,
each fv,i corresponds to one output. The quantum simulation is designed as follows:
the quantum procedure Encoding(fv,1 , ..., fv,n ) is used on the inputs of m quantum
registers to v through its m incoming edges. The procedure outputs n registers and m
elements a1 , ..., am of R. Then all the elements a1 , ..., am are sent to each target node
(via free classical communication), and the n registers are sent along the n outgoing
edges of v. Such a simulation is done for all the nodes in V .
Finally, the phases are corrected at each target with the help of the elements
transmitted by classical communication. The linearity of the function f makes phase
correction possible.
Here we will give an example of using this protocol to simulate the classical network coding with a little modification. Rather than the case of multicast, we study the k-pair problem of sending a quantum state $|\psi_S\rangle$ (a potentially entangled quantum state) from $s_1$ and $s_2$ to the target nodes $t_1$ and $t_2$. Figure 3.4 shows the network configuration. $s_0, s_1, s_2, t_0, t_1, t_2$ are nodes of the network and $S_1, S_2, T_1, T_2, R_1$ to $R_7$ are single-qubit quantum registers. The space of the information forms a ring $R$, in this case $R = \mathbb{F}_2$, possessing the operation of addition "+". The Hilbert space $\mathcal{H}$ for a single qubit has consequently two dimensions. We denote $\{|z\rangle\}_{z \in \mathbb{F}_2}$ as an orthonormal basis of $\mathcal{H}$. By using the tensor product, we can construct the Hilbert space for any number of qubits. All the registers are supposed to be initialized to $|0\rangle$. According to the protocol, the measurement results at each node are sent to both $t_1$ and $t_2$, and the measured registers are disregarded.
First of all, we list the operators which will be used in the protocol. The copy procedure Encoding($f_I, f_I$) which is applied at nodes $s_1$, $s_2$, $t_0$ is implemented by using the Hadamard operator $W$, here a unitary operator $U_{f_I,f_I}$ maps the state $|y\rangle |z_1, z_2\rangle$ to the state $|y\rangle |y + z_1, y + z_2\rangle$ and "+" is the addition operation in the ring $\mathbb{F}_2$. The addition procedure Encoding($f_+$) which is applied at nodes $s_0$, $t_1$, $t_2$ is implemented by using the Hadamard operator $H$, here a unitary operator $U_{f_+}$ mapping the state $|y_1, y_2\rangle |z\rangle$ to $|y_1, y_2\rangle |z + y_1 + y_2\rangle$ and $f_+$ is the addition in the ring $\mathbb{F}_2$. All the operators $U_{f_I,f_I}$ and $U_{f_+}$ can be realized by using the controlled-NOT operators. The controlled-NOT operator defined in the ring $\mathbb{F}_2$ maps the state $|z\rangle |z'\rangle$ to the state $|z\rangle |z + z'\rangle$.

Fig. 3.4 Perfect QNC

Suppose the quantum state is stored in the registers $(S_1, S_2)$, we want to transmit it in a general form.

$$|\psi_S\rangle_{(S_1,S_2)} = \alpha_{00}|0\rangle_{S_1}|0\rangle_{S_2} + \alpha_{01}|0\rangle_{S_1}|1\rangle_{S_2} + \alpha_{10}|1\rangle_{S_1}|0\rangle_{S_2} + \alpha_{11}|1\rangle_{S_1}|1\rangle_{S_2}$$

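• Step 1: Implement $U_{f_I,f_I}(S_1, R_1, R_2)$ and $U_{f_I,f_I}(S_2, R_3, R_4)$, then obtain the state

$$\begin{aligned}
&\alpha_{00}|0\rangle_{S_1}|0\rangle_{R_1}|0\rangle_{R_2}|0\rangle_{S_2}|0\rangle_{R_3}|0\rangle_{R_4} \\
&+\alpha_{01}|0\rangle_{S_1}|0\rangle_{R_1}|0\rangle_{R_2}|1\rangle_{S_2}|1\rangle_{R_3}|1\rangle_{R_4} \\
&+\alpha_{10}|1\rangle_{S_1}|1\rangle_{R_1}|1\rangle_{R_2}|0\rangle_{S_2}|0\rangle_{R_3}|0\rangle_{R_4} \\
&+\alpha_{11}|1\rangle_{S_1}|1\rangle_{R_1}|1\rangle_{R_2}|1\rangle_{S_2}|1\rangle_{R_3}|1\rangle_{R_4}
\end{aligned}$$

• Step 2: Apply the operator $W$ to each register $S_1$ and $S_2$, then measure these two registers in the basis $\{|z\rangle\}_{z \in \mathbb{F}_2}$. Let $a \in \mathbb{F}_2$ and $b \in \mathbb{F}_2$ denote the measurement outcomes, then obtain the state

$$\begin{aligned}
&\alpha_{00}|0\rangle_{R_1}|0\rangle_{R_2}|0\rangle_{R_3}|0\rangle_{R_4} \\
&+(-1)^{b}\alpha_{01}|0\rangle_{R_1}|0\rangle_{R_2}|1\rangle_{R_3}|1\rangle_{R_4} \\
&+(-1)^{a}\alpha_{10}|1\rangle_{R_1}|1\rangle_{R_2}|0\rangle_{R_3}|0\rangle_{R_4} \\
&+(-1)^{a+b}\alpha_{11}|1\rangle_{R_1}|1\rangle_{R_2}|1\rangle_{R_3}|1\rangle_{R_4}
\end{aligned}$$

After that, send the registers $R_1$, $R_2$, $R_3$ and $R_4$ to $t_2$, $s_0$, $t_1$ and $s_0$, respectively. $a$ and $b$ are sent to both target nodes, i.e., $t_1$ and $t_2$, by classical communication.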
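• Step 3: Prepare a new register $R_5$ initialized to $|0\rangle$ on the node $s_0$, and implement Encoding($f_+$) by executing $CNOT^{(R_2,R_5)}$ and $CNOT^{(R_4,R_5)}$. The quantum state becomes

$$\begin{aligned}
&\alpha_{00}|0\rangle_{R_1}|0\rangle_{R_2}|0\rangle_{R_3}|0\rangle_{R_4}|0\rangle_{R_5} \\
&+(-1)^{b}\alpha_{01}|0\rangle_{R_1}|0\rangle_{R_2}|1\rangle_{R_3}|1\rangle_{R_4}|1\rangle_{R_5} \\
&+(-1)^{a}\alpha_{10}|1\rangle_{R_1}|1\rangle_{R_2}|0\rangle_{R_3}|0\rangle_{R_4}|1\rangle_{R_5} \\
&+(-1)^{a+b}\alpha_{11}|1\rangle_{R_1}|1\rangle_{R_2}|1\rangle_{R_3}|1\rangle_{R_4}|0\rangle_{R_5}
\end{aligned}$$

• Step 4: Measure the registers R2 and R5 in the Hadamard basis. The measurement outcomes, denoted by $c_1$ and $c_2$, are sent to both target nodes. The quantum state becomes

$$\begin{aligned}
&\alpha_{00}|0\rangle_{R_1}|0\rangle_{R_3}|0\rangle_{R_5} \\
&+(-1)^{b+c_2}\alpha_{01}|0\rangle_{R_1}|1\rangle_{R_3}|1\rangle_{R_5} \\
&+(-1)^{a+c_1}\alpha_{10}|1\rangle_{R_1}|0\rangle_{R_3}|1\rangle_{R_5} \\
&+(-1)^{a+b+c_1+c_2}\alpha_{11}|1\rangle_{R_1}|1\rangle_{R_3}|0\rangle_{R_5}
\end{aligned}$$

After that, send the register $R_5$ to the node $t_0$.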


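• Step 5: Prepare two registers $R_6$ and $R_7$ on the node $t_0$, implement $U_{f_I,f_I}(R_5, R_6, R_7)$ and measure register $R_5$ in the Hadamard basis. The measurement outcome is denoted by $d$. The quantum state becomes

$$\begin{aligned}
&\alpha_{00}|0\rangle_{R_1}|0\rangle_{R_3}|0\rangle_{R_6}|0\rangle_{R_7} \\
&+(-1)^{b+c_2+d}\alpha_{01}|0\rangle_{R_1}|1\rangle_{R_3}|1\rangle_{R_6}|1\rangle_{R_7} \\
&+(-1)^{a+c_1+d}\alpha_{10}|1\rangle_{R_1}|0\rangle_{R_3}|1\rangle_{R_6}|1\rangle_{R_7} \\
&+(-1)^{a+b+c_1+c_2}\alpha_{11}|1\rangle_{R_1}|1\rangle_{R_3}|0\rangle_{R_6}|0\rangle_{R_7}
\end{aligned}$$

After that, send the register $R_6$ and $R_7$ to $t_2$ and $t_1$, respectively. $d$ is sent to $t_1$ and $t_2$.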
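• Step 6: Prepare two registers $T_1$ and $T_2$ on the node $t_1$ and the node $t_2$, then apply $CNOT^{(R_3,T_1)}$, $CNOT^{(R_7,T_1)}$, $CNOT^{(R_1,T_2)}$ and $CNOT^{(R_6,T_2)}$ for Encoding($f_+$). The resulting state becomes

$$\begin{aligned}
&\alpha_{00}|0\rangle_{R_1}|0\rangle_{R_3}|0\rangle_{R_6}|0\rangle_{R_7}|0\rangle_{T_1}|0\rangle_{T_2} \\
&+(-1)^{b+c_2+d}\alpha_{01}|0\rangle_{R_1}|1\rangle_{R_3}|1\rangle_{R_6}|1\rangle_{R_7}|0\rangle_{T_1}|1\rangle_{T_2} \\
&+(-1)^{a+c_1+d}\alpha_{10}|1\rangle_{R_1}|0\rangle_{R_3}|1\rangle_{R_6}|1\rangle_{R_7}|1\rangle_{T_1}|0\rangle_{T_2} \\
&+(-1)^{a+b+c_1+c_2}\alpha_{11}|1\rangle_{R_1}|1\rangle_{R_3}|0\rangle_{R_6}|0\rangle_{R_7}|1\rangle_{T_1}|1\rangle_{T_2}
\end{aligned}$$

• Step 7: Measure $R_3$ and $R_7$ ($R_1$ and $R_6$, respectively) in the Hadamard basis on the node $t_1$ ($t_2$, respectively). Let $e_1$ and $e_2$ ($f_1$ and $f_2$, respectively) be the outcomes of the measurement. The quantum state becomes

$$\begin{aligned}
&\alpha_{00}|0\rangle_{T_1}|0\rangle_{T_2} \\
&+(-1)^{b+c_2+d+e_1+e_2+f_2}\alpha_{01}|0\rangle_{T_1}|1\rangle_{T_2} \\
&+(-1)^{a+c_1+d+e_2+f_1+f_2}\alpha_{10}|1\rangle_{T_1}|0\rangle_{T_2} \\
&+(-1)^{a+b+c_1+c_2+e_1+f_1}\alpha_{11}|1\rangle_{T_1}|1\rangle_{T_2}
\end{aligned}$$

• Step 8: On the node $t_1$ ($t_2$, respectively), apply the quantum operation $Y_1$ ($Y_2$, respectively) mapping, for any $z \in \mathbb{F}_2$, the basis state $|z\rangle_{T_1}$ to the state $(-1)^{(a+c_1+d+e_2+f_1+f_2)z} \cdot |z\rangle_{T_1}$ (mapping $|z\rangle_{T_2}$ to the state $(-1)^{(b+c_2+d+e_1+e_2+f_2)z} |z\rangle_{T_2}$, respectively). The quantum state becomes

$$|\psi_S\rangle_{(T_1,T_2)} = \alpha_{00}|0\rangle_{T_1}|0\rangle_{T_2} + \alpha_{01}|0\rangle_{T_1}|1\rangle_{T_2} + \alpha_{10}|1\rangle_{T_1}|0\rangle_{T_2} + \alpha_{11}|1\rangle_{T_1}|1\rangle_{T_2}$$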

The input state of this protocol is in general an entangled state between the sources. This protocol is a simulation of the classical linear network coding protocol for the k-pair problem. The linearity of the classical network coding protocol allows the phase correction at each target. This protocol realizes the propagation of an entangled state over a network. Li et al. [8] proposed a more efficient protocol for the extended butterfly network and reduced the communication cost by using a certain special type of quantum operations.
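The eight steps above can be checked mechanically. The following added example (not code from the book or from [7]) tracks the amplitudes of the butterfly protocol over $\mathbb{F}_2$ with forced measurement outcomes and confirms that the Step 8 corrections restore the input for every outcome string. The helper names and the sample amplitudes are assumptions; at $s_0$ the simulation measures $R_2$ and $R_4$, the two registers that no longer appear in the state listed after Step 4.

```python
import itertools
import math


def _key(regs):
    """Canonical, hashable form of a basis state given as {register: bit}."""
    return tuple(sorted(regs.items()))


def cnot(state, ctrl, tgt):
    """CNOT over F2: |z>|z'> -> |z>|z + z'>. A target not yet present is a fresh |0>."""
    out = {}
    for key, amp in state.items():
        regs = dict(key)
        regs[tgt] = regs.get(tgt, 0) ^ regs[ctrl]
        out[_key(regs)] = out.get(_key(regs), 0) + amp
    return out


def measure_w(state, reg, outcome):
    """Apply W (Hadamard) to reg, measure it, keep the branch with the given outcome,
    discard reg and renormalise. Each term picks up the phase (-1)^(outcome * z)."""
    out = {}
    for key, amp in state.items():
        regs = dict(key)
        z = regs.pop(reg)
        out[_key(regs)] = out.get(_key(regs), 0) + amp * (-1) ** (outcome * z)
    norm = math.sqrt(sum(abs(v) ** 2 for v in out.values()))
    if norm < 1e-12:
        raise ValueError("this outcome has probability zero")
    return {k: v / norm for k, v in out.items()}


def phase(state, reg, exponent):
    """|z> -> (-1)^(exponent * z)|z> on reg: the corrections Y1 and Y2 of Step 8."""
    return {k: v * (-1) ** ((exponent % 2) * dict(k)[reg]) for k, v in state.items()}


def butterfly(alpha, outcomes, correct=True):
    """Run Steps 1-8 on input amplitudes alpha[(y1, y2)] with forced outcomes."""
    a, b, c1, c2, d, e1, e2, f1, f2 = outcomes
    st = {_key({"S1": y1, "S2": y2}): amp for (y1, y2), amp in alpha.items()}
    for ctrl, tgt in [("S1", "R1"), ("S1", "R2"), ("S2", "R3"), ("S2", "R4")]:
        st = cnot(st, ctrl, tgt)                                   # Step 1
    st = measure_w(measure_w(st, "S1", a), "S2", b)                # Step 2
    st = cnot(cnot(st, "R2", "R5"), "R4", "R5")                    # Step 3
    st = measure_w(measure_w(st, "R2", c1), "R4", c2)              # Step 4
    st = cnot(cnot(st, "R5", "R6"), "R5", "R7")                    # Step 5
    st = measure_w(st, "R5", d)
    for ctrl, tgt in [("R3", "T1"), ("R7", "T1"), ("R1", "T2"), ("R6", "T2")]:
        st = cnot(st, ctrl, tgt)                                   # Step 6
    for reg, m in [("R3", e1), ("R7", e2), ("R1", f1), ("R6", f2)]:
        st = measure_w(st, reg, m)                                 # Step 7
    if correct:                                                    # Step 8
        st = phase(st, "T1", a + c1 + d + e2 + f1 + f2)
        st = phase(st, "T2", b + c2 + d + e1 + e2 + f2)
    return {(dict(k)["T1"], dict(k)["T2"]): v for k, v in st.items()}


def same_state(got, want, tol=1e-9):
    return len(got) == len(want) and all(abs(got.get(k, 0) - v) < tol
                                         for k, v in want.items())


def recovered_for_all_outcomes(alpha):
    """True if (T1, T2) holds exactly the input state for all 2^9 outcome strings."""
    return all(same_state(butterfly(alpha, o), alpha)
               for o in itertools.product((0, 1), repeat=9))


# Constructed entangled sample input; the squared moduli sum to 1.
ALPHA = {(0, 0): 0.1, (0, 1): 0.7j, (1, 0): -0.5, (1, 1): 0.5}

if __name__ == "__main__":
    print(recovered_for_all_outcomes(ALPHA))
    print(butterfly(ALPHA, (1, 0, 0, 0, 0, 0, 0, 0, 0), correct=False))
```

Running with `correct=False` shows the uncorrected phase errors that the classical messages $a, b, c_1, c_2, d$ together with the local outcomes let each target remove.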

3.3.2 Perfect Nonlinear Quantum Network Coding

The general scheme for perfect quantum network coding by simulating the classical
linear network coding protocol for the k-pair problem has been proposed in [7].
In fact, there are some networks for which no linear solutions exist to the k-pair
problem, whereas nonlinear solutions should exist. We wonder whether nonlinear
classical network coding schemes can help design quantum network coding schemes.
Kobayashi et al. [9] used the same quantum operators as the perfect linear protocol.
All difficulties come from the non-linearity of classical protocols for which we cannot
correct the phase errors at each target node. Consequently, we need to correct the
phase errors locally. More precisely, we send the measurement outcomes to the nodes
to which the current node has incoming edges and correct the phase introduced by
the measurements. If these operations are done in a proper order, the phase
errors can be corrected perfectly. Conversely, this difficulty also brings a convenience:
only undirected classical communication between two adjacent nodes is needed.
They proved that perfect quantum network coding is also possible for the graphs
which only have nonlinear classical solutions [10]. By combining with the result
obtained in [7], we can say that a quantum protocol solving any instance of the
k-pair problem exists, if the corresponding classical version is solvable under any
coding scheme (linear or nonlinear).
This protocol is a simulation of the classical nonlinear quantum network coding
protocol. Classical communication is needed, but is only used between two nodes
linked by quantum channel.

3.3.3 Perfect Quantum Network Coding for Multicast

Kobayashi et al. [7] have studied the case of perfect quantum network coding by simulating the classical linear network coding protocol for the k-pair problem. The hypothesis is that a classical network possesses a solution to the k-pair problem. Then they slightly changed the hypothesis in [10], which assumes that classical linear network coding over $\mathbb{F}_2$ is possible in the multicast model.
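Generally, we consider the qubits as the carrier of quantum information. The orthonormal basis of a qubit is $\{|i\rangle\}_{i \in \mathbb{F}_2}$, where $\mathbb{F}_2 = \mathbb{Z}/2\mathbb{Z}$. And the general state of a qubit is given by $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, where $|\alpha|^2 + |\beta|^2 = 1$ and $\alpha, \beta \in \mathbb{C}$. The Hilbert space $E_H$ of a qubit is two dimensional. A general state of a quantum register of $n$ qubits is a normalized vector in $E_H^{\otimes n}$, given by $|\psi\rangle = \sum_{x \in \mathbb{F}_2^n} \alpha_x |x\rangle$, where $\sum_{x \in \mathbb{F}_2^n} |\alpha_x|^2 = 1$ and $\alpha_x \in \mathbb{C}$.
This protocol requires some basic operations.
Elementary Clifford operation The following four operations are called elementary Clifford operations:
• $\sigma_X = |0\rangle\langle 1| + |1\rangle\langle 0|$
• $\sigma_Z = |0\rangle\langle 0| - |1\rangle\langle 1|$
• Hadamard operator $\dfrac{|0\rangle + |1\rangle}{\sqrt{2}}\langle 0| + \dfrac{|0\rangle - |1\rangle}{\sqrt{2}}\langle 1| = |+\rangle\langle 0| + |-\rangle\langle 1|$
• $CNOT^{(A,B)} = |0\rangle\langle 0|_A \otimes (|0\rangle\langle 0|_B + |1\rangle\langle 1|_B) + |1\rangle\langle 1|_A \otimes (|1\rangle\langle 0|_B + |0\rangle\langle 1|_B)$
Let us look closely at the functions of these four operations. Let $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$. For $\sigma_X|\psi\rangle = \beta|0\rangle + \alpha|1\rangle$, the operation $\sigma_X$ changes the coefficients of $|0\rangle$ and $|1\rangle$. For $\sigma_Z|\psi\rangle = \alpha|0\rangle - \beta|1\rangle$, the operation $\sigma_Z$ changes the sign of the coefficient of $|1\rangle$. The Hadamard operator is a linear operation mapping $|0\rangle$ to $|+\rangle$ and $|1\rangle$ to $|-\rangle$.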
For the CNOT operation or controlled-NOT operator, we list four elementary results:

$$|00\rangle \to |00\rangle,\quad |01\rangle \to |01\rangle,\quad |10\rangle \to |11\rangle,\quad |11\rangle \to |10\rangle$$

We can see that the state of the particle $A$ is a controller. When the state of $A$ is $|0\rangle$, we do nothing to the particle $B$. When the state of $A$ is $|1\rangle$, we change the state of $B$.

Fig. 3.5 A classical node with m inputs and n outputs
  
Effect of measuring in the Hadamard basis For a joint state $|\psi_{(A,B)}\rangle = \sum_{x \in \mathbb{F}_2^n} \alpha_x |f(x)\rangle_A \cdot |g(x)\rangle_B$, the state in $A$ obtained from $|\psi_{(A,B)}\rangle$ by measuring each qubit in $B$ in the $\{|+\rangle, |-\rangle\}$ basis has the form $|\psi_A\rangle = \sum_{x \in \mathbb{F}_2^n} (-1)^{y_0 \cdot g(x)} \alpha_x |f(x)\rangle$, where $y_0 \in \mathbb{F}_2^{|B|}$ is a random vector of measurement results.

Phase error fixing The state $\sum_{x \in \mathbb{F}_2^n} (-1)^{L(x)} \alpha_x |x\rangle$ can be mapped to the state $\sum_{x \in \mathbb{F}_2^n} \alpha_x |x\rangle$.

Quantum coding operation The quantum coding operation is a method of simulating the classical coding operation. For simplicity, we consider the case where each edge has the capacity one.
Let us consider a node $v \in V$ with m-fan-in and n-fan-out performing classical linear coding. The node has $m$ inputs $\{x_i \in \mathbb{F}_2\}_{i \in \{1..m\}}$ and $n$ outputs $\{z_j \in \mathbb{F}_2\}_{j \in \{1..n\}}$. This node can be represented by Fig. 3.5.
For each output $z_j \in \mathbb{F}_2$, $z_j = \sum_{i=1}^{m} \gamma_{ji} x_i$, where $j \in \{1..n\}$ and $\gamma_{ji}$ is a fixed coefficient in $\mathbb{F}_2$.
Now let us look at the quantum counterpart, quantum coding operations. For this purpose, we should attach $n$ new ancilla qubits $|z_j\rangle$, $j \in \{1..n\}$, initialized to $|0\rangle$ for each output edge, as shown in the left sub-image of Fig. 3.6. Then for every $|z_j\rangle$, we execute the CNOT operation according to the value of $\gamma_{ji}$. If $\gamma_{ji} = 0$, we do nothing to $|z_j\rangle$. If $\gamma_{ji} = 1$, we execute $CNOT(|x_i\rangle, |z_j\rangle)$. In the end, we can obtain the state $|z_j\rangle = \left|\sum_{i=1}^{m} \gamma_{ji} x_i\right\rangle$. Furthermore, we can send the $n$ ancillas $|z_j\rangle$, $j \in \{1..n\}$, along the $n$ outgoing edges and all the incoming qubits are retained at the node. Thus we simulate the classical coding by means of qubits.
Fan-out operation The operation is in fact the copy of the incoming quantum state. This operation does not violate the no-cloning theorem because we only use two orthogonal vectors $|0\rangle$ and $|1\rangle$. The operation is a special case of quantum coding operations with only one input state $|x\rangle$, $x \in \mathbb{F}_2$, and $\gamma_{j1} = 1$. The procedure is represented by Fig. 3.7.
Fig. 3.6 Quantum coding with m inputs and n outputs

Fig. 3.7 Fan-out operations

Measurement It is used to make the superfluous qubits (kept at each node) collapse,
by measuring them in the Hadamard basis.
Let G = (V, E) be a quantum network with a subset S ⊆ V of source nodes
and an integral weight that describes its quantum capacity. Assume that classical
network coding is possible in the multicast model from S to T . Then perfect quantum
teleportation from S to any ordered subset T0 ⊆ T with |S| = |T0 | is possible.
This protocol is a quantum simulation of classical network coding for the multicast
problem. Non-entangled states can be transmitted through a network. This protocol
realizes the construction of quantum channels (EPR-pairs) between a source and a
target.

3.4 Quantum Repeater Scheme

The perfect quantum network coding schemes proposed in [7, 9, 10] primarily focus on an abstract model, in which quantum registers can be freely introduced at each node. However, the implementation of a quantum system should be taken into account. One fact is that it is difficult to realize long-distance quantum communication using quantum registers. By contrast, the quantum repeater is a potential approach for dealing with this problem. Satoh et al. [11] aimed to explore the quantum repeater and design a quantum network coding protocol for quantum repeater networks.

Fig. 3.8 Quantum repeater network (labels: EPR-pair, quantum repeater, classical channel (free, undirected))
Quantum repeater network consists of a number of quantum repeaters, undirected
classical channels, and EPR-pairs |+  (each pair of adjacent quantum repeaters
shares one EPR-pair). Figure 3.8 is an example of a network with three quantum
repeaters, two EPR-pair, and two undirected classical channels.
This protocol requires some basic operations.
Connection $\mathrm{Con}^{C}_{R \to T}$
Connection is a non-unitary operation between two repeaters (u and v). Repeater u
has Control and Resource qubits (C and R). Repeater v has a Target qubit (T ).
Procedure:
• Setup: C and R are 1-qubit registers owned by u. T is a 1-qubit register owned
by v. R and T share an EPR-pair |+ .
• Step 1: u applies $CNOT^{(C,R)}$.
• Step 2: u measures R in the $\{|0\rangle, |1\rangle\}$ basis. Let $a \in \{0, 1\}$ be the outcome.
• Step 3: u sends a to v via a classical channel.
• Step 4: If a = 1, then v applies σX to T .
For an initial state |init = (α |ψ0  |0C + β |ψ1  |1C ) ⊗ |+ RT ⊗ |, the out-
put of ConCR→T (|init ) is final = (α |ψ0  |00CT + β |ψ1  |11CT ) ⊗ |.
Connection: Fanout $\mathrm{Fanout}^{C}_{R_1 \to T_1, R_2 \to T_2}$
Connection: Fanout is a variant of the Connection operation. Fanout is a non-unitary
operation between three repeaters (u, v, and w). Repeater u has Control and Resource
qubits (C and R1 , R2 ), repeater v and w have target qubits T1 and T2 , respectively.
R1 shares an EPR-pair |+  with T1 , and R2 with T2 .
Procedure:
• Setup: C, R1 and R2 are 1-qubit registers owned by u. T1 is a 1-qubit register
owned by v. T2 is a 1-qubit register owned by w.
• Step 1: u and v apply $\mathrm{Con}^{C}_{R_1 \to T_1}$.
• Step 2: u and w apply $\mathrm{Con}^{C}_{R_2 \to T_2}$.
For an initial state |init  = (α |ψ0  |0C + β |ψ 1  |1C ) ⊗ |+ R1 T1 |+ R2 T2 ⊗
|, the output of FanoutRC1 →T1 ,R2 →T2 (|init ) is final = (α |ψ0  |000CT1 T2 + β
|ψ1  |111CT1 T2 ) ⊗ |.
Connection: Add $\mathrm{Add}^{C_1,C_2}_{R \to T}$
Connection: Add is a variant of the Connection operation. Add is a non-unitary
operation between two repeaters (u and v). Repeater u has Control and Resource
qubits (C1 , C2 and R), repeater v has target qubit T . R shares a EPR-pair |+  with
T.
Procedure:
• Setup: C1 , C2 and R are 1-qubit registers owned by u. T is a 1-qubit register
owned by v.
• Step 1: u applies $CNOT^{(C_1,R)}$.
• Step 2: u and v apply $\mathrm{Con}^{C_2}_{R \to T}$.
For an initial state |init  = (α |ψ0  |0C1 + β |ψ1  |1C1 ) ⊗ (γ |φ0  |0C2 + δ
 
|φ1  |1C2 ) ⊗ |+ CD ⊗ |, then the output of AddR→T C1 ,C2
(|init ) is final =
((αγ |ψ0  |φ0  |00C1 C2 + βδ |ψ1  |φ1  |11C1 C2 ) |0T + (αδ |ψ0  |φ1  |01C1 C2 +
βγ |ψ1  |φ0  |10C1 C2 ) |1T ) ⊗ |.
Removal $\mathrm{Rem}_{R \to T}$
Removal is a non-unitary operation between two repeaters (u and v) which deletes
a resource qubit R of a quantum state using measurement in the Hadamard basis
and σZ . Repeater u has Resource qubit R, repeater v has target qubit T . R shares a
EPR-pair |+  with T .
Procedure:
• Setup: R is a 1-qubit register owned by u. T is a 1-qubit register owned by v.
• Step 1: u applies the Hadamard gate to R.
• Step 2: u measures R in the $\{|0\rangle, |1\rangle\}$ basis. Let $a \in \{0, 1\}$ be the outcome.
• Step 3: u sends a to v via a classical channel.
• Step 4: If a = 1, then v applies σZ to T .
For an initial state |init  = (α |00RT |ψ00  + β |11RT |ψ11 ) ⊗ |, then the out-
put of RemR→T (|init ) is final = (α |0T |ψ00  + β |1T |ψ11 ) ⊗ |.
Removal: Add $\mathrm{RemAdd}_{R \to T_1, T_2}$
Removal: Add is a variant of the removal operation. RemAdd is a non-unitary oper-
ation between three repeaters (u, v, and w) which deletes the target qubit used in
Connection: Add operation. Repeater u has Resource qubit R, repeater v has target
qubit T1 and w has T2 . R, T1 and T2 are entangled.
Procedure:
• Setup: R is a 1-qubit register owned by u. T1 is a 1-qubit register owned by v.
T2 is a 1-qubit register owned by w.
• Step 1: u applies the Hadamard gate to R.
• Step 2: u measures R in the $\{|0\rangle, |1\rangle\}$ basis. Let $a \in \{0, 1\}$ be the outcome.
• Step 3: u sends a to v and w via a classical channel.
• Step 4: If a = 1, then v and w apply σZ to T1 and T2 .
1  
For an initial state |init  = 
i,j=0 aij |ijAB |i ⊕ jC ψij ⊗ |, then the output
  1  
of RemAddR→T1 ,T2 (|init ) is final = 
i,j=0 aij |ijAB ψij ⊗ |.
With the help of the above techniques, we can design a protocol without additional registers that creates two quantum channels (EPR-pairs) between $s_1$ and $t_1$, $s_2$ and $t_2$, and are then able to perform quantum teleportation. The butterfly repeater network as well as the execution result of the protocol is represented by Fig. 3.9.

Fig. 3.9 Repeater QNC
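Procedure:
• Setup: Described as Fig. 3.9.
• Step 1: $s_1$ and $r_1$ apply $\mathrm{Con}^{A}_{C \to D}$; $s_2$ and $r_2$ apply $\mathrm{Con}^{E}_{G \to H}$.
• Step 2: $r_1$ and $r_2$ apply $\mathrm{Add}^{D,H}_{I \to J}$.
• Step 3: $r_2$, $t_1$, and $t_2$ apply $\mathrm{Fanout}^{J}_{K \to L, M \to N}$.
• Step 4: $t_1$ applies $CNOT^{(N,F)}$; $t_2$ applies $CNOT^{(L,B)}$.
• Step 5: $t_2$ and $r_2$ apply $\mathrm{Rem}_{L \to J}$; $t_1$ and $r_2$ apply $\mathrm{Rem}_{N \to J}$.
• Step 6: $r_2$ and $r_1$ apply $\mathrm{RemAdd}_{J \to D,H}$.
• Step 7: $r_1$ and $s_1$ apply $\mathrm{Rem}_{D \to A}$; $r_1$ and $s_2$ apply $\mathrm{Rem}_{H \to E}$.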
This protocol, which creates two quantum channels from sources to sinks, can transmit two non-entangled qubits across the butterfly network. This protocol is independent of the classical network coding protocol. Ref. [12] studied the performance of the repeater scheme under the conditions of noise, errors, and shortage of quantum resources. It found that the repeater scheme is more sensitive to entanglement errors (errors on the initial Bell pairs), Pauli errors and local gate errors than entanglement swapping. In short, the repeater scheme is useful when the quantum resources are limited or high communication speed is required.

3.5 Quantum Cluster Scheme

Since it is impossible to achieve the perfect quantum network coding without addi-
tional assumptions, Li et al. [8] studied the solubility of perfect quantum network
coding by taking advantage of global entanglement state (2D and 3D cluster states).
The cluster state belongs to a family of highly entangled multi-particle quantum
states, which can be efficiently parameterized by mathematical graphs [13]. The
cluster state is generally considered as a communication resource. By exploring
the properties of the cluster state, they proposed a perfect quantum network coding
k-pair problem protocol for butterfly network, grail network, and extended butterfly
network. They have also proposed a new approach based on stabilizer to analyze the
resolvability of a certain quantum multi-unicast network.
In this protocol, free classical communication is also needed. The bigraph property
of a cluster allows parallel operations which give a constant-step scheme as the scale
of a network increases.

3.6 Performance Analysis

In 2011, Jain et al. [14] studied the non-additional resource schemes and the entanglement-supported schemes using information-theoretic and graph-theoretic approaches. In 2014, Nishimura [15] summarized the known results of quantum network coding, mainly focusing on the multi-unicast networks. These two references are among the few works that study quantum network coding schemes theoretically. More study of quantum network coding is needed. In particular, there are very few results on general networks because of the difficulties involved.

3.6.1 Achievable Rate Region

The basic setting of the well-known butterfly network is the so-called one-shot, i.e.,
one qubit at each source node must be sent to the corresponding target node by a
single use of the network. Leung et al. [16] extended this setting to the following
asymptotic version.
Achievable rate A rate (r1 , . . . , rk ) is achievable in a quantum network N if there is
a choice of quantum operations such that by n uses of N , each si can send n(ri − δn )
qubits to with fidelity 1 − n , where δn , n → 0 as n → ∞.
In this asymptotic setting, they investigated inner and outer bounds of the rates
in several simple networks. In the butterfly network, it was proven that the rate
region was bounded by r1 + r2 ≤ 1, which is trivially achievable by routing. In their
proof, any protocol on the butterfly network was reduced to a quantum secret sharing
protocol where the quantum secret is the two source qubits. Then they gave the
above outer bound by applying a lower bound on the quantum secret sharing [17,
18]. Hayashi [5] also proved a similar impossibility result without reducing to the
quantum secret sharing by using information-theoretic arguments more directly. He
also improved the upper bound of the fidelity of the one-shot case to 0.951.

3.6.2 With Free Classical Communication

In this section, we give the case where classical communication is available in addi-
tion to the basic quantum networks. This setting can be considered as the second-best
when quantum network coding is impossible in the basic setting since the cost of
classical communication is much cheaper than that of quantum communication.
In the case where classical communication is freely available between any two
nodes, Leung et al. [16] made an important observation: the underlying quantum
network becomes undirected. In fact, we can send a qubit in the reverse direction of
each directed edge by first preparing an EPR pair using the directed quantum channel
corresponding to the edge, and then by applying quantum teleportation using two
free classical bits and the EPR pair. For the butterfly network, this enables us to
send two qubits from s1 to t1 by a single use of the network, and two qubits from
s2 to t2 by another single use. Thus, the rate (r1 , r2 ) = (x, 2 − x) (where 0 ≤ x ≤ 2)
becomes achievable by time sharing (and this is shown to be optimal by a simple
min-cut argument). On the contrary, Kobayashi et al. [9, 10] showed the following
relation between classical and quantum network coding in general multiple unicast
networks.
Theorem 3.1 If the rate (r1 , . . . , rk ) is achievable in a classical network, then the
same rate is also achievable in the corresponding quantum network under free clas-
sical communication.
Note that the converse of Theorem 3.1 is trivially false when the classical network
is directed since the quantum network becomes undirected due to free classical
communication. However, if the classical network is undirected, it is open to show
whether the converse holds or not.
In the case where classical one-way communication is freely available, Leung
et al. [16] studied the case where classical communication is freely available accord-
ing to the directed edges of the underlying graph. Although we cannot reverse the
edges at will, we can increase the rates in some networks, compared to the case of
no additional resources. For example, the rate (r1 , r2 ) = (0.5, 1) is achievable in the
butterfly network as follows: (i) s1 sends the two subsystems of an EPR pair to s0
and t2 , respectively. (ii) s2 sends s0 a source qubit, and s0 teleports it to t2 by using
the EPR pair and free two bits. (iii) s1 and s2 send their qubits by routing. This
protocol uses the network twice while one qubit is sent from s1 to t1 , and two qubits
are sent from s2 to t2 . A similar protocol with time sharing achieves the rate region
{(r1 , r2 )|r1 , r2 ≤ 1, r1 + r2 ≤ 1.5}, which was proven to be optimal.

3.6.3 With Free Entanglement

In this section, we give the case where entanglement is allowed as additional resources. While entanglement is not cheaper than classical communication, there is an advantage that we can prepare it offline, i.e., at any time.
In the case where any two nodes in a quantum network share any entangled state
at will, Leung et al. [16] observed two facts that can be immediately obtained from
quantum teleportation and dense coding.
The first fact is the exact relation between the amounts of quantum and classical
communication that can be sent on a quantum network.
Proposition 3.1 Under free entanglement, the achievable rate for “quantum com-
munication” in a quantum network is exactly half of that for “classical communica-
tion” in the same network.
Leung et al. gave the exact rate region {(r1 , r2 )|r1 , r2 ≤ 2} for classical commu-
nication in the butterfly network. By Proposition 1, this implies that the rate region
for quantum communication is {(r1 , r2 )|r1 , r2 ≤ 1}.
The second fact is a relation between the amount of quantum communication on a
quantum network and the amount of classical communication on the corresponding
classical network.

Proposition 3.2 The achievable rate for quantum communication in a quantum
network under free entanglement is at least that for classical communication in the
corresponding classical network.

The converse of Proposition 3.2 was conjectured, but it still remains an interesting
open question. If the conjecture is true, it implies by Proposition 3.1 that the rates
for classical communication in quantum networks (even with free entanglement) are at
most twice as much as those in classical networks, which extends the known results
for point-to-point communication channels to networks.
In the case where any two neighboring nodes are allowed to share entanglement,
Hayashi's impossibility proof [11] implies that the achievable rate region in the
butterfly network is the same as that for the case of no additional resources.
Recently, motivated by quantum repeater networks [19], Satoh et al. [11] studied
the setting where any two neighboring nodes share EPR pairs and free classical
communication is allowed, but no quantum communication is available and no node may
use any extra qubits other than the qubits it receives (which makes the physical
implementation easier). In this setting, they gave a protocol for the butterfly
network that can send two source qubits simultaneously by a single use of the network.
In the case where any source nodes are allowed to share entanglement, Hayashi
[5] introduced a slightly flexible setting where each edge can choose between sending
one qubit or two bits. This was motivated by the equivalence between one qubit and two
bits under shared entanglement via quantum teleportation and dense coding. Then
he showed that two source qubits can be sent simultaneously by a single use of
the network. This possibility result can be regarded as swapping two source qubits
on the butterfly network. Under this viewpoint, Soeda et al. [20] investigated which
two-qubit operations can be done on the butterfly network.

Table 3.1 Performance

Setting   Achievable rate region
N         {(r1, r2) | r1 + r2 ≤ 1}
C1        {(r1, r2) | r1 + r2 ≤ 2}
C2        {(r1, r2) | r1, r2 ≤ 1, r1 + r2 ≤ 1.5}
E1        {(r1, r2) | r1, r2 ≤ 1}
E2        {(r1, r2) | r1 + r2 ≤ 1}

3.6.4 Comparison of Schemes

We summarize the achievable rate region in the butterfly network for quantum com-
munication in Table 3.1, where N , C1, C2, E1, and E2 represent the basic settings
with no additional resources, with free classical communication among any nodes,
with free classical communication according to the directed edges, with free entan-
glement among any two nodes, and with free entanglement between neighboring
nodes, respectively.

3.6.5 Comparison with Routing

One may wonder whether the optimal rates in all quantum networks are achievable
by network coding or by routing. Jain et al. [14] observed that there exists a quantum
network such that the achievable rate by network coding is k times the rate by routing,
where k is the number of source-target pairs. This example was based on the classical
example by using quantum teleportation and dense coding, which allow us to take
advantage of directed edges that are trivially useless by any routing protocol [21].
The results are summarized below:
1. On the butterfly network, the total quantum information flow is bounded by what
can be routed through the bottleneck channel.
2. For the k-pair multiple unicast problem and for all k ≥ 2, there exists a family of
networks where quantum network coding achieves k times greater quantum infor-
mation flow than what can be achieved by routing, with entanglement assistance
that is intrinsic to the topology of a network.
3. Given a non-entanglement-supported k-pair multiple unicast problem on a net-
work N , the 1-max-flow is bounded by the sparsest multi-cut capacity.

References

1. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
2. Buzek, V., Hillery, M.: Quantum copying: beyond the no-cloning theorem. Phys. Rev. A 54(3),
1844–1852 (1996)
3. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs.
Physics 52(3), 610–621 (2006)
4. Leung, D., Oppenheim, J., Winter, A.: Quantum network communication-the butterfly and
beyond. IEEE Trans. Inf. Theory 56(7), 3478–3490 (2010)
5. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys. Rev. A 76(4), 538 (2007)
6. Ma, S.Y., Chen, X.B., Luo, M.X., et al.: Probabilistic quantum network coding of M-qudit
states over the butterfly network. Opt. Commun. 283(3), 497–501 (2010)
7. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: General scheme for perfect quantum net-
work coding with free classical communication. In: International Colloquium on Automata,
Languages and Programming (ICALP), pp. 622–633 (2009)
8. Li, J., Chen, X., Sun, X., et al.: Quantum network coding for multi-unicast problem based on
2D and 3D cluster states. Sci. China Inf. Sci. 59(4), 1–15 (2016)
9. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes
from classical nonlinear protocols. In: IEEE International Symposium on Information Theory
(ISIT), pp. 109–113 (2011)
10. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Perfect quantum network communication
protocol based on classical network coding. In: IEEE International Symposium on Information
Theory, pp. 2686–2690 (2010)
11. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A
86(3), 9591–9598 (2012)
12. Satoh, T., Ishizaki, K., Nagayama, S., et al.: Analysis of quantum network coding for realistic
repeater networks. Phys. Rev. A 93(3), 032302 (2016)
13. Briegel, H.J., Browne, D.E., Dur, W., et al.: Measurement-based quantum computation. Nat.
Phys. 5(1), 19–26 (2009)
14. Jain, A., Franceschetti, M., Meyer, D.A.: On quantum network coding. J. Math. Phys. 52(3),
032201 (2011)
15. Nishimura, H.: Quantum network coding—how can network coding be applied to quantum
information? In: International Symposium on Network Coding (NetCod), pp. 1–5 (2013)
16. Leung, D., Oppenheim, J., Winter, A.: Quantum network communication: the butterfly and
beyond. IEEE Trans. Inf. Theory 56(7), 3478–3490 (2010)
17. Gottesman, D.: On the theory of quantum secret sharing. Phys. Rev. A 61(4), 042311 (1999)
18. Imai, H., Muellerquade, J., Nascimento, A.C.A., et al.: A quantum information theoretical
model for quantum secret sharing schemes. Quantum Inf. Comput. 5(1), 69–80 (2003)
19. Briegel, H.J., Dur, W., Cirac, J.I., et al.: Quantum repeaters: the role of imperfect local operations
in quantum communication. Phys. Rev. Lett. 81(26), 5932–5935 (1998)
20. Soeda, A., Kinjo, Y., Turner, P.S., et al.: Quantum computation over the butterfly network.
Phys. Rev. A 84(1), 012333 (2011)
21. Harvey, N.J., Kleinberg, R.D., Lehman, A.R.: Comparing network coding with multicommod-
ity flow for the K-pairs communication problem. MIT LCS technical report 964 (2004)
Chapter 4
Quantum Network Coding Based on Repeater

How to design network coding beyond the butterfly network remains to be resolved.
Quantum repeaters are potential candidates to create nonlocal entanglement between
distant particles and realize long-distance quantum communication. In this chapter,
we introduce a quantum network coding scheme for general repeater networks with
either maximally or non-maximally entangled EPR-pairs and apply it to complex
network scenarios. Considering the resource consumption and security of quantum
repeater networks, we introduce a quantum network coding scheme with an EPR-pair
distribution controller, which can realize long-distance quantum communication with
minimal resource consumption.

4.1 Quantum Network Coding for General Repeater Networks

4.1.1 Requirement of General Networks

Evidently, typical quantum network coding schemes were designed based on the
butterfly network. It is more difficult and meaningful to design quantum network
coding beyond the butterfly network. In 2009, Kobayashi et al. [1] pointed out that
perfect quantum network coding is feasible for any graph. In 2013, Nishimura et al.
[2] summarized the achievable rate region in the butterfly network for quantum
communication, and pointed out that future work on quantum network coding should
be extended to general graphs. With the rapid development of quantum networks, the
complexity of actual network topology brings challenges to quantum network coding,
i.e., how to realize quantum communication on general networks securely and
efficiently remains an open problem.
In order to design quantum network coding for general networks, a few valuable
schemes have been proposed. Iwama et al. [3] proposed a quantum network coding
scheme for general graph networks by using a new cloning method called EFC
(entanglement-free cloning), which solves the problem of entanglement in quantum
cloning, and by adopting graph transformation, which has extremely important
significance in the complex algorithm design because of its nature. Although the
existing quantum network coding scheme for general graphs can achieve fidelity larger
than 1/2, the optimality of EFC and efficiency remain to be solved. As we know,
repeaters are necessary for remote quantum communication in a general network. Yan
et al. [4] proposed the scheme of quantum repeater, with which quantum communication
systems can be used for long-distance quantum communication. Then they [5]
further designed the scheme of a long-distance quantum communication system with
the source of entangled photon pairs, which transmits quantum information by the
principle of simple entanglement swapping. Moreover, Satoh et al. [6] presented a
quantum network coding scheme for quantum repeaters with certain quantum operations
under the weaker assumption that adjacent nodes initially share one maximally
entangled EPR-pair but cannot add any quantum registers or send any quantum
information. The feasibility of quantum network coding for quantum repeaters was
verified. Hence, we can easily conclude that quantum repeaters are promising
candidates for the implementation of general quantum networks.

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_4
Currently, quantum repeaters are mainly used in the butterfly network. How to set
the initial condition and ensure the feasibility of algorithms in networks with complex
topology remains to be solved. Moreover, the difficult preparation of maximally
entangled EPR-pairs also brings challenges to quantum repeater networks.

4.1.2 Quantum Repeater Network

In 2012, Satoh et al. [6] presented the protocol for quantum repeater networks, in
which quantum repeaters were introduced into the butterfly network. Compared with
the XQQ protocol, all nodes are quantum repeaters which are capable of sharing and
conservation, and adjacent nodes initially share one EPR-pair. With the quantum
circuits constructed from the Hadamard gate and the controlled-NOT (CNOT) gate,
non-unitary operations are applied to qubits between two repeaters to generate
EPR-pairs between crossing source nodes and target nodes. Remote quantum communication
is then realized by using quantum entanglement as a channel which can perform quantum
teleportation.
In the butterfly network of quantum repeaters, the setting is presented in Fig. 4.1.
Source nodes s1 and s2 simultaneously send quantum information to target nodes t1
and t2 in the butterfly network. r1 and r2 are two intermediate nodes. Between any
two adjacent nodes, one EPR-pair is initially shared, such as the two EPR-pairs | + AB
and | + CD between s1-t2 and s1-r1, etc. As a result, s1 and t2 (similarly, s2 and t2)
share one EPR-pair.
The quantum network coding scheme for quantum repeaters includes three core
parts: Setup, Quantum channel generation, and Quantum information transmission.
It is described in the following parts:
Fig. 4.1 Quantum repeater network based on butterfly network

(1) Setup
Encoding for quantum repeater network should be on the condition that any two
adjacent nodes initially share an EPR-pair. The phase of setup is responsible for
distributing EPR-pairs to all the legitimate nodes before encoding for generating
quantum entanglement channel.
(2) Quantum channel generation
To construct a network which can perform teleportation, the sender and the receiver
should share an EPR-pair, i.e., use quantum entanglement as a quantum channel.
The phase of quantum channel generation is responsible for generating EPR-pairs
between source nodes and target nodes by operating the EPR-pairs between any
adjacent nodes with LOCC.
(3) Quantum information transmission
Quantum information transmission is responsible for transmitting quantum informa-
tion by means of quantum teleportation through quantum entanglement channels.
Obviously, in the above quantum repeater communication system, EPR-pairs
shared by any two adjacent nodes are distributed firstly before quantum informa-
tion transmission under the condition that the whole process of quantum channel
generation is secure. However, if there exist active attacks during the process of
quantum channel generation, the encoding process for quantum channel will not be
completed properly. In this case, a trusted party, which can control the distribution
of EPR-pairs, is very necessary for quantum repeater network. With the help of the
trusted party, the process of quantum channel generation terminates once the active
attack is found and EPR-pairs are no longer distributed, so that waste of particle
consumption can be avoided.

4.1.3 LOCC (Local Operations and Classical Communication)

LOCC [6] are non-unitary operations between two repeaters with Hadamard gate,
CNOT gate, Pauli operator, and transformation of measurement result in the {|0⟩, |1⟩}
basis over a classical channel. LOCC consists of Connection, Removal, and other
algorithms, which are described as follows:
(1) Connection
The setting for Connection is shown in Fig. 4.2. In a network with quantum repeaters
R1, R2, and R3, R1 and R2 share one EPR-pair | + AB, and R2 and R3 share one
EPR-pair | + CD. Let the input state |init⟩ be of the form |init⟩ = | + AB ⊗ | + CD. By
applying Con^{A}_{C->D}, the state becomes |final⟩ = |GHZ⟩_ABD. The procedure for
Connection is listed in Table 4.1.
(2) Removal
The setting for Removal is shown in Fig. 4.3. In a network with three quantum
repeaters R1, R2 and R3, which share one Greenberger–Horne–Zeilinger (GHZ)
state, let the input state |init⟩ be of the form |init⟩ = |GHZ⟩_ABC. By applying
Rem_{A->B}, the state becomes |final⟩ = | + BC. The procedure for Removal is
listed in Table 4.2.

Fig. 4.2 The setting for connection

Table 4.1 Con^{A}_{C->D}
Step 1. R2 applies CNOT(A,C)
Step 2. R2 measures particle C in the {|0⟩, |1⟩} basis
        Let a ∈ {0, 1} be the outcome
Step 3. R2 sends a to R3 by a classical channel
Step 4. If a = 1 then R3 applies σx to D

Fig. 4.3 The setting for removal

Table 4.2 Rem_{A->B}
Step 1. R2 applies the Hadamard gate to A
Step 2. R2 measures particle A in the {|0⟩, |1⟩} basis
        Let a ∈ {0, 1} be the outcome
Step 3. R2 sends a to R1 by a classical channel
Step 4. If a = 1 then R1 applies σz to B

(3) Other algorithms
Other algorithms are Fanout, Add, Rem Add, etc., which also enable us to
manipulate EPR-pairs and encode for the quantum repeater network.
It is easy to find that all the above algorithms of LOCC need to measure particles
in the {|0⟩, |1⟩} basis and then transmit the measurement result by classical channels,
which are liable to be attacked. To secure the LOCC operations, the transmission
of measurement result in the {|0⟩, |1⟩} basis can be realized by means of quantum
information.

4.1.4 Basic Operations

LOCC is the key technology for encoding in quantum repeater networks. It is
constructed from the controlled-NOT gate, the Hadamard operator and measurements in
the {|0⟩, |1⟩} basis. By applying the non-unitary operations to qubits between two
repeaters, entangled states can be generated between source nodes and corresponding
target nodes; remote quantum communication is then realized by using quantum
entanglement as quantum channels which can perform quantum teleportation.
LOCC contains two basic algorithms “Connection” and “Removal”, which can
manipulate entangled states and systematize the methods of encoding. The two
specific algorithms on entangled states are defined as follows:
(1) Connection with entangled states
Consider a particle system with two entangled EPR-pairs | AB and | CD, where
| AB = x1|00⟩ + y1|11⟩, | CD = x2|00⟩ + y2|11⟩, and x1, y1, x2, y2 are positive
real numbers satisfying x1² + y1² = 1, x2² + y2² = 1. That is, we can obtain |00⟩_AB
with probability x1², and |11⟩_AB with probability y1². Similarly, for | CD, |00⟩_CD
and |11⟩_CD can be obtained with probabilities x2² and y2², respectively. The circuit
for Con^{A}_{C->D} is shown in Fig. 4.4.
Let |init⟩ be a state of the form

|init⟩ = | AB ⊗ | CD
       = (x1|00⟩_AB + y1|11⟩_AB) ⊗ (x2|00⟩_CD + y2|11⟩_CD),

then by applying Con^{A}_{C->D} to |init⟩, we can obtain |000⟩_ABD with probability
x1²x2² + x1²y2² = x1², and |111⟩_ABD with probability y1²x2² + y1²y2² = y1², so
the state becomes

|final⟩ = x1|000⟩_ABD + y1|111⟩_ABD
        = |GHZ⟩_ABD.

Thus, one entangled GHZ state |GHZ⟩_ABD can be obtained. In particular,
|GHZ⟩_ABD is maximally entangled when x1² = y1² = 1/2.

Fig. 4.4 Con^{A}_{C->D}
(2) Removal with entangled states
Consider an entangled three-particle system with |GHZ⟩_ABC, where |GHZ⟩_ABC =
x1|000⟩_ABC + y1|111⟩_ABC, and x1, y1 are positive real numbers satisfying
x1² + y1² = 1. That is, we can obtain |000⟩_ABC and |111⟩_ABC with probabilities x1²
and y1², respectively. The circuit for Rem_{A->B} is shown in Fig. 4.5.
Let |init⟩ be a state of the form

|init⟩ = |GHZ⟩_ABC
       = x1|000⟩_ABC + y1|111⟩_ABC,

then by applying Rem_{A->B} to |init⟩, we can obtain |00⟩_BC with probability
1/2 x1² + 1/2 x1² = x1², and |11⟩_BC with probability 1/2 y1² + 1/2 y1² = y1², so
the state becomes

|final⟩ = x1|00⟩_BC + y1|11⟩_BC
        = | BC.

Thus, one entangled EPR-pair | BC can be obtained. In particular, | BC is
maximally entangled when x1² = y1² = 1/2.
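The Connection and Removal procedures of Tables 4.1 and 4.2, run on the states of this section as a state-vector simulation. This is an added example, not code from the book; every function name is an assumption made here and the coefficients are constructed. With a maximally entangled pair on C and D it returns x1|000⟩ + y1|111⟩ and then x1|00⟩ + y1|11⟩ for every measurement outcome; other x2, y2 can be passed in to inspect the outcome-dependent amplitudes.

```python
import math

def pair(q0, q1, x, y):
    """x|00> + y|11> on qubits (q0, q1): (qubit names, {bit tuple: amplitude})."""
    return (q0, q1), {(0, 0): x, (1, 1): y}

def tensor(s, t):
    (n1, a1), (n2, a2) = s, t
    return n1 + n2, {b1 + b2: v1 * v2
                     for b1, v1 in a1.items() for b2, v2 in a2.items()}

def cnot(state, ctrl, tgt):
    names, amps = state
    c, t = names.index(ctrl), names.index(tgt)
    return names, {b[:t] + (b[t] ^ b[c],) + b[t + 1:]: v for b, v in amps.items()}

def sigma_x(state, q):
    names, amps = state
    i = names.index(q)
    return names, {b[:i] + (b[i] ^ 1,) + b[i + 1:]: v for b, v in amps.items()}

def sigma_z(state, q):
    names, amps = state
    i = names.index(q)
    return names, {b: (-v if b[i] else v) for b, v in amps.items()}

def hadamard(state, q):
    names, amps = state
    i = names.index(q)
    out = {}
    for b, v in amps.items():
        for new in (0, 1):
            sign = -1.0 if (b[i] and new) else 1.0
            key = b[:i] + (new,) + b[i + 1:]
            out[key] = out.get(key, 0.0) + sign * v / math.sqrt(2)
    return names, out

def measure(state, q, outcome):
    """Project q onto |outcome>, drop it; return (probability, normalised state)."""
    names, amps = state
    i = names.index(q)
    kept = {b[:i] + b[i + 1:]: v for b, v in amps.items()
            if b[i] == outcome and abs(v) > 1e-12}
    p = sum(v * v for v in kept.values())
    if p == 0:
        raise ValueError("outcome has zero probability")
    return p, (names[:i] + names[i + 1:],
               {b: v / math.sqrt(p) for b, v in kept.items()})

def con(state, a, c, d, outcome):
    """Table 4.1: CNOT(a, c), measure c, sigma_x on d when the outcome is 1."""
    p, s = measure(cnot(state, a, c), c, outcome)
    return p, (sigma_x(s, d) if outcome else s)

def rem(state, a, b, outcome):
    """Table 4.2: Hadamard on a, measure a, sigma_z on b when the outcome is 1."""
    p, s = measure(hadamard(state, a), a, outcome)
    return p, (sigma_z(s, b) if outcome else s)

def con_then_rem(x1, y1, x2, y2):
    """Con^A_{C->D} followed by Rem_{B->A}, for every pair of outcomes (a, b)."""
    init = tensor(pair("A", "B", x1, y1), pair("C", "D", x2, y2))
    results = {}
    for a in (0, 1):
        pa, ghz = con(init, "A", "C", "D", a)      # qubits left: A, B, D
        for b in (0, 1):
            pb, epr = rem(ghz, "B", "A", b)        # qubits left: A, D
            results[(a, b)] = {"prob": pa * pb, "ghz": ghz[1], "epr": epr[1]}
    return results

if __name__ == "__main__":
    r = math.sqrt(0.5)
    # Constructed input: x1 = 0.8, y1 = 0.6, maximally entangled pair on C and D.
    for outcome, res in con_then_rem(0.8, 0.6, r, r).items():
        print(outcome, round(res["prob"], 3),
              {k: round(v, 3) for k, v in res["epr"].items()})
```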
Fig. 4.5 Rem_{A->B}

4.1.5 QNC Scheme for General Repeater Networks

Inspired by the quantum repeater communication system which can realize
long-distance quantum communication [5], a quantum network coding scheme for
general repeater networks [7] was designed, which can realize long-distance quantum
communication in repeater networks with complex topology. It introduces D3 graph
transformation to establish a general transmission network model and uses arbitrary
entangled EPR-pairs as a resource to build quantum entanglement channels.
The quantum network coding scheme for general repeater networks includes three
core parts: Graph transformation, Quantum channel generation, and Quantum
information transmission, so this scheme is also called “GQQ”. It is described in the
following part:
(1) Graph transformation
To ensure the versatility of the encoding algorithm, a general transmission model is
established by graph transformation, i.e., a graph with degree more than 3 should
first be transformed into a D3 graph, whereas it is not necessary to transform a
graph with degree no more than 3. The transformation schemes [3] of one-to-many,
many-to-one and many-to-many are shown in Figs. 4.6, 4.7 and 4.8, respectively.

Fig. 4.6 (1, 3) transformation. For a node with one input X and three outputs Y1, Y2, Y3, its
(indegree, outdegree) is (1, 3). It can be transformed into a combination of nodes whose degrees
are no more than 3 by means of the multilevel structure of a binary tree

Fig. 4.7 (3, 1) transformation. For a node with three inputs X1, X2, X3 and one output Y, its
(indegree, outdegree) is (3, 1). Compared with the node of (1, 3), it is a single-input and
multi-output model, and can also be transformed into a combination of nodes whose degrees are
no more than 3 by means of the multilevel structure of a binary tree

Fig. 4.8 (3, 2) transformation. For a node with three inputs X1, X2, X3 and two outputs Y1, Y2,
it is a multi-input and multi-output model whose (indegree, outdegree) is (3, 2). Assuming that
the node operation is simple XOR without any superposition coefficient, the many-to-many node
can be transformed into a combination of one-to-many nodes and many-to-one nodes

(2) Quantum channel generation
To construct a network which can perform quantum teleportation, the sender and
the receiver should share an EPR-pair, i.e., use quantum entanglement as a quantum
channel. The phase of quantum channel generation is responsible for generating
EPR-pairs between source nodes and target nodes in a D3 graph network by operating
the EPR-pairs between any adjacent nodes with LOCC. Although Satoh et al. [6]
proposed a protocol to generate quantum channels in the butterfly network, here the
algorithms are further provided to generate quantum channels in a D3 graph network
which is transformed from a general graph with degree being more than 3. According
to the network types of one-to-many, many-to-one, and many-to-many, the quantum
channel generation schemes are described, respectively, as follows:
(1) One-to-many network
In a one-to-many network with quantum repeaters, the setting for this scheme
is presented in Fig. 4.9. Between any two adjacent nodes, EPR-pairs are initially
shared. The goal of this work is to simultaneously send quantum information
between three pairs of quantum repeaters ((s1, t1), (s1, t2), and (s1, t3)). r1 and
r2 are two intermediate nodes. To generate EPR-pairs between one source node
and three target nodes, additional EPR-pairs are needed, such as | A1B1 and
| A2B2 between s1-r1, and | E1F1 between r1-r2. All the EPR-pairs have coefficients
xi and yi for the |00⟩ and |11⟩ basis states in turn, where 1 ≤ i ≤ 8; for example,
| AB = x1|00⟩_AB + y1|11⟩_AB, | A1B1 = x2|00⟩_A1B1 + y2|11⟩_A1B1, ...,
| IJ = x8|00⟩_IJ + y8|11⟩_IJ.

Fig. 4.9 One-to-many network (Solid line denotes one-way connection between any two adjacent
nodes, and dotted line denotes quantum entanglement channel)
Let the input state of the one-to-many network |init⟩ be a state of the form as
follows:

|init⟩ = | AB | A1B1 | A2B2 | CD | EF | E1F1 | GH | IJ,

and the algorithm of quantum channel generation is described as follows:
Step 1: By applying Con^{A}_{C->D}, Con^{A1}_{E->F} and Con^{A2}_{E1->F1} to |init⟩,
the state becomes

|1 = |GHZ⟩_ABD |GHZ⟩_A1B1F |GHZ⟩_A2B2F1 | GH | IJ,

where |GHZ⟩_ABD = x1|000⟩_ABD + y1|111⟩_ABD, |GHZ⟩_A1B1F = x2|000⟩_A1B1F +
y2|111⟩_A1B1F, |GHZ⟩_A2B2F1 = x3|000⟩_A2B2F1 + y3|111⟩_A2B2F1.
Step 2: By applying Rem_{B->A}, Rem_{B1->A1} and Rem_{B2->A2} to |1, the state
becomes

|2 = | AD | A1F | A2F1 | GH | IJ,

where | AD = x1|00⟩_AD + y1|11⟩_AD, | A1F = x2|00⟩_A1F + y2|11⟩_A1F,
| A2F1 = x3|00⟩_A2F1 + y3|11⟩_A2F1.
Step 3: By applying Con^{A1}_{G->H}, Con^{A2}_{I->J} to |2, the state becomes

|3 = | AD |GHZ⟩_A1FH |GHZ⟩_A2F1J,

where |GHZ⟩_A1FH = x2|000⟩_A1FH + y2|111⟩_A1FH,
|GHZ⟩_A2F1J = x3|000⟩_A2F1J + y3|111⟩_A2F1J.
Step 4: By applying Rem_{F->H}, Rem_{F1->J} to |3, the state becomes

|4 = | AD ⊗ | A1H ⊗ | A2J = |final⟩,

where | A1H = x2|00⟩_A1H + y2|11⟩_A1H, | A2J = x3|00⟩_A2J + y3|11⟩_A2J.
As a result, three EPR-pairs are obtained. The first one is owned by (s1, t1), the
second one is owned by (s1, t2), and the third one is owned by (s1, t3). That means
that quantum channel is generated with quantum entanglement and then is able to
perform quantum teleportation. The corresponding procedure is shown in Table 4.3.

Table 4.3 Encoding for a one-to-many network
Step 1. r1 and t1 apply Con^{A}_{C->D},
        r1 and r2 apply Con^{A1}_{E->F} and Con^{A2}_{E1->F1}
Step 2. s1 and r1 apply Rem_{B->A}, Rem_{B1->A1} and Rem_{B2->A2}
Step 3. r2 and t2 apply Con^{A1}_{G->H},
        r2 and t3 apply Con^{A2}_{I->J}
Step 4. r2 and t2 apply Rem_{F->H},
        r2 and t3 apply Rem_{F1->J}

(2) Many-to-one network
In a many-to-one network with quantum repeaters, the setting for this scheme is
presented in Fig. 4.10. r1 and r2 are two intermediate nodes. In comparison with the
one-to-many network, additional EPR-pairs are needed between r1-r2, r2-t1 to generate
EPR-pairs between three source nodes and one target node. Similarly, all the
EPR-pairs have coefficients xi and yi for the |00⟩ and |11⟩ basis states in turn,
where 1 ≤ i ≤ 8.

Fig. 4.10 Many-to-one network

Let the input state of the many-to-one network |init⟩ be a state of the form as
follows:

|init⟩ = | AB | CD | EF | E1F1 | GH | IJ | I1J1 | I2J2,

and the algorithm of quantum channel generation is described as follows:


Step 1: By applying Con^{A}_{E->F}, Con^{C}_{E1->F1} and Con^{G}_{I2->J2} to |init⟩,
the state becomes

|1 = |GHZ⟩_ABF |GHZ⟩_CDF1 |GHZ⟩_GHJ2 | IJ | I1J1,

where |GHZ⟩_ABF = x1|000⟩_ABF + y1|111⟩_ABF, |GHZ⟩_CDF1 = x2|000⟩_CDF1 +
y2|111⟩_CDF1, |GHZ⟩_GHJ2 = x5|000⟩_GHJ2 + y5|111⟩_GHJ2.
Step 2: By applying Rem_{B->A}, Rem_{D->C}, and Rem_{H->G} to |1, the state
becomes

|2 = | AF | CF1 | GJ2 | IJ | I1J1,

where | AF = x1|00⟩_AF + y1|11⟩_AF, | CF1 = x2|00⟩_CF1 + y2|11⟩_CF1, | GJ2 =
x5|00⟩_GJ2 + y5|11⟩_GJ2.
Step 3: By applying Con^{A}_{I->J}, Con^{C}_{I1->J1} to |2, the state becomes

|3 = |GHZ⟩_AFJ |GHZ⟩_CF1J1 | GJ2,

where |GHZ⟩_AFJ = x1|000⟩_AFJ + y1|111⟩_AFJ, |GHZ⟩_CF1J1 = x2|000⟩_CF1J1 +
y2|111⟩_CF1J1.
Step 4: By applying Rem_{F->J}, Rem_{F1->J1} to |3, the state becomes

|4 = | AJ ⊗ | CJ1 ⊗ | GJ2 = |final⟩,

where | AJ = x1|00⟩_AJ + y1|11⟩_AJ, | CJ1 = x2|00⟩_CJ1 + y2|11⟩_CJ1.
Similarly, three EPR-pairs owned by (s1, t1), (s2, t1), and (s3, t1) are obtained,
thus quantum channel is generated in the many-to-one network. The corresponding
procedure is shown in Table 4.4.

Table 4.4 Encoding for a many-to-one network
Step 1. r1 and r2 apply Con^{A}_{E->F} and Con^{C}_{E1->F1},
        r2 and t1 apply Con^{G}_{I1->J1}
Step 2. s1 and r1 apply Rem_{B->A},
        s2 and r1 apply Rem_{D->C},
        s3 and r2 apply Rem_{H->G}
Step 3. r2 and t1 apply Con^{A}_{I->J} and Con^{C}_{I1->J1}
Step 4. r2 and t1 apply Rem_{F->J}, Rem_{F1->J1}

(3) Many-to-many network
In a many-to-many network with quantum repeaters, the setting for this scheme is
presented in Fig. 4.11. Note that here we adopt a network with three inputs and two
outputs, which has more generality than the above two types of network. Source
nodes s1 and s2 communicate with target node t1; r1, r2, and r3 are three intermediate
nodes, so additional EPR-pairs are needed between r1-r2, r2-r3 and r3-t1. Similarly,
all the EPR-pairs have coefficients xi and yi for the |00⟩ and |11⟩ basis states in
turn, where 1 ≤ i ≤ 11.

Fig. 4.11 Many-to-many network

Let the input state of the many-to-many network |init⟩ be a state of the form as
follows:

|init⟩ = | AB | CD | EF | E1F1 | GH | IJ
         ⊗ | I1J1 | I2J2 | KL | K1L1 | MN,

and the algorithm of quantum channel generation is described as follows:
Step 1: By applying Con^{A}_{E->F}, Con^{C}_{E1->F1}, and Con^{G}_{I2->J2} to |init⟩,
the state becomes

|1 = |GHZ⟩_ABF |GHZ⟩_CDF1 |GHZ⟩_GHJ2 | IJ | I1J1 | KL | K1L1 | MN,

where |GHZ⟩_ABF = x1|000⟩_ABF + y1|111⟩_ABF, |GHZ⟩_CDF1 = x2|000⟩_CDF1
+ y2|111⟩_CDF1, |GHZ⟩_GHJ2 = x5|000⟩_GHJ2 + y5|111⟩_GHJ2.
Step 2: By applying Rem_{B->A}, Rem_{D->C}, and Rem_{H->G} to |1, the state
becomes

|2 = | AF | CF1 | GJ2 | IJ | I1J1 | KL | K1L1 | MN,

where | AF = x1|00⟩_AF + y1|11⟩_AF, | CF1 = x2|00⟩_CF1 + y2|11⟩_CF1, | GJ2 =
x5|00⟩_GJ2 + y5|11⟩_GJ2.
Step 3: By applying Con^{A}_{I->J}, Con^{C}_{I1->J1} to |2, the state becomes

|3 = |GHZ⟩_AFJ |GHZ⟩_CF1J1 | GJ2 | KL | K1L1 | MN,

where |GHZ⟩_AFJ = x1|000⟩_AFJ + y1|111⟩_AFJ, |GHZ⟩_CF1J1 = x2|000⟩_CF1J1 +
y2|111⟩_CF1J1.
Step 4: By applying Rem_{F->A}, Rem_{F1->C} to |3, the state becomes

|4 = | AJ | CJ1 | GJ2 | KL | K1L1 | MN,

where | AJ = x1|00⟩_AJ + y1|11⟩_AJ, | CJ1 = x2|00⟩_CJ1 + y2|11⟩_CJ1.
Step 5: By applying Con^{A}_{K->L}, Con^{C}_{K1->L1} and Con^{G}_{M->N} to |4, the
state becomes

|5 = |GHZ⟩_AJL ⊗ |GHZ⟩_CJ1L1 ⊗ |GHZ⟩_GJ2N,

where |GHZ⟩_AJL = x1|000⟩_AJL + y1|111⟩_AJL, |GHZ⟩_CJ1L1 = x2|000⟩_CJ1L1 +
y2|111⟩_CJ1L1, |GHZ⟩_GJ2N = x5|000⟩_GJ2N + y5|111⟩_GJ2N.
Step 6: By applying Rem_{J->A}, Rem_{J1->C}, and Rem_{J2->G} to |5, the state
becomes

|6 = | AL ⊗ | CL1 ⊗ | GN = |final⟩,

where | AL = x1|00⟩_AL + y1|11⟩_AL, | CL1 = x2|00⟩_CL1 + y2|11⟩_CL1, | GN =
x5|00⟩_GN + y5|11⟩_GN.
Thus, the expected EPR-pairs are obtained, so quantum channel is also generated
in the many-to-many network. The corresponding procedure is shown in Table 4.5.

Table 4.5 Encoding for a many-to-many network
Step 1. r1 and r2 apply Con^{A}_{E->F} and Con^{C}_{E1->F1},
        r2 and r3 apply Con^{G}_{I2->J2}
Step 2. s1 and r1 apply Rem_{B->A},
        s2 and r1 apply Rem_{D->C},
        s3 and r2 apply Rem_{H->G}
Step 3. r2 and r3 apply Con^{A}_{I->J} and Con^{C}_{I1->J1}
Step 4. r2 and r3 apply Rem_{F->J}, Rem_{F1->J1}
Step 5. r3 and t1 apply Con^{A}_{K->L} and Con^{C}_{K1->L1},
        r3 and t2 apply Con^{G}_{M->N}
Step 6. r3 and t1 apply Rem_{J->L}, Rem_{J2->N},
        s3 and t2 apply Rem_{H->G}

In summary, we can see that additional EPR-pairs are essential in the networks
for the quantum channel generation schemes according to different network con-
ditions. The key is to firstly define the two sides of communication session, then
add EPR-pairs to ensure that EPR-pairs can be generated between source nodes and
corresponding target nodes. After the generation of quantum channel, we can then
transmit quantum information.
(3) Quantum information transmission
In this scheme, quantum information is transmitted by means of quantum
teleportation. Inspired by the teleportation scheme of an unknown bipartite state [8],
the quantum information transmission protocol is given. Without loss of generality,
here we take the many-to-many network as an example. Assume s1 wants to transmit a
single quantum state |ϕ1⟩ to t1, where |ϕ1⟩ is a state of the form
|ϕ1⟩ = α|0⟩_1 + β|1⟩_1, and α and β are positive real numbers satisfying
α² + β² = 1. The whole state is

|ψ⟩ = | AL |ϕ1⟩ = (x1|00⟩ + y1|11⟩)_AL (α|0⟩ + β|1⟩)_1
    = x1α|000⟩_AL1 + x1β|001⟩_AL1 + y1α|110⟩_AL1 + y1β|111⟩_AL1
    = x1α|000⟩_A1L + x1β|010⟩_A1L + y1α|101⟩_A1L + y1β|111⟩_A1L
    = (1/√2) | + A1 (x1α|0⟩_L + y1β|1⟩_L) + (1/√2) | − A1 (x1α|0⟩_L − y1β|1⟩_L)
    + (1/√2) |+ A1 (x1β|0⟩_L + y1α|1⟩_L) + (1/√2) |− A1 (x1β|0⟩_L − y1α|1⟩_L),

where | ± A1 = (1/√2)(|00⟩_A1 ± |11⟩_A1), |± A1 = (1/√2)(|01⟩_A1 ± |10⟩_A1).


The algorithm of quantum state transmission is described as follows:
Step 1: $s_1$ measures particles $A$, 1 in a Bell basis, and the state of the whole system will collapse into one of the following four states:

$$\frac{1}{\sqrt{2}}(x_1\alpha|0\rangle_L + y_1\beta|1\rangle_L),$$
$$\frac{1}{\sqrt{2}}(x_1\alpha|0\rangle_L - y_1\beta|1\rangle_L),$$
$$\frac{1}{\sqrt{2}}(x_1\beta|0\rangle_L + y_1\alpha|1\rangle_L),$$
$$\frac{1}{\sqrt{2}}(x_1\beta|0\rangle_L - y_1\alpha|1\rangle_L).$$

$s_1$ turns the Bell measurement results $\{|\Phi^+\rangle, |\Phi^-\rangle, |\Psi^+\rangle, |\Psi^-\rangle\}$ into the corresponding classical bits $\{00, 01, 10, 11\}$, and notifies $r_1$ of the outcome of its measurement via a classical channel. Assume that the measurement result of particles $A$, 1 is 10, then the state of particle $L$ is $x_1\beta|0\rangle_L + y_1\alpha|1\rangle_L$.
Step 2: $r_1$ introduces an auxiliary two-state particle 2 with the initial state $|0\rangle_2$ and applies a unitary transformation $U$ to particles $L$, 2 in the $\{|00\rangle_{L2}, |01\rangle_{L2}, |10\rangle_{L2}, |11\rangle_{L2}\}$ basis, where $U$ is denoted as follows:

$$
U = \begin{bmatrix}
y_1/x_1 & -\sqrt{1 - y_1^2/x_1^2} & 0 & 0 \\
\sqrt{1 - y_1^2/x_1^2} & y_1/x_1 & 0 & 0 \\
0 & 0 & 1 & 0 \\
0 & 0 & 0 & 1
\end{bmatrix},
$$

the state becomes

$$y_1(\alpha|0\rangle_L + \beta|1\rangle_L) \otimes |0\rangle_2 + x_1\beta\sqrt{1 - y_1^2/x_1^2}\,|0\rangle_L \otimes |1\rangle_2.$$

Step 3: $r_1$ measures particle 2 in the $\{|0\rangle, |1\rangle\}$ basis. If the measurement result is $|1\rangle_2$, the teleportation fails. If the measurement result is $|0\rangle_2$, the teleportation succeeds. The state will collapse into

$$y_1(\alpha|0\rangle_L + \beta|1\rangle_L),$$

i.e., $s_1$ can transmit an unknown qubit to $r_1$, so we can realize quantum communication with a quantum channel built by quantum entanglement in a $D_3$ graph network.

4.1.6 Property of QNC Scheme

The quantum network coding scheme for general repeater networks can achieve quantum communication in a network with complex topology. Since it combines the generality of general graphs with the capacity of quantum repeaters, two properties can be obtained as follows:
(1) From the viewpoint of the network model, general graphs are more general than the butterfly network, which is a special $D_3$ graph, and they are more widely used in practical applications. To realize quantum communication in any general network, the scheme adopts the technique of graph transformation, i.e., it realizes encoding for the quantum entanglement channel by transforming a $D_k$ ($k > 3$) graph into a $D_3$ graph.

Proposition 1 Graph transformation can realize encoding for quantum entanglement channel.

Proof We compare the expected results of the three transformation schemes with the actual results.
(a) One-to-many scheme
As can be seen from Fig. 4.6, the expected result of communication is $Y_1 = Y_2 = Y_3 = X$, i.e., receivers $Y_1$, $Y_2$, $Y_3$ can receive information from sender $X$.
In Fig. 4.9, we take the state $|\Phi\rangle_{AB} \otimes |\Phi\rangle_{CD}$ as an example: after encoding at intermediate node $r_1$ by applying $Con^{A}_{C\to D}$ and $Rem_{B\to A}$, it becomes $|\Phi\rangle_{AD}$. Similarly, the other EPR-pairs are encoded at intermediate nodes $r_1$ and $r_2$. Thus after the quantum channel generation process, the actual result is that three EPR-pairs are generated: $|\Phi\rangle_{AD}$ is owned by $(s_1, t_1)$, $|\Phi\rangle_{A_1H}$ is owned by $(s_1, t_2)$, and $|\Phi\rangle_{A_2J}$ is owned by $(s_1, t_3)$, which means quantum channels between the source node $s_1$ and the three target nodes $t_1$, $t_2$, $t_3$ are generated to realize quantum communication.
(b) Many-to-one scheme
As can be seen from Fig. 4.7, the expected result of communication is $Y = X_1 + X_2 + X_3$, i.e., receiver $Y$ can receive information from senders $X_1$, $X_2$, $X_3$.
In Fig. 4.10, the two EPR-pairs $|\Phi\rangle_{AB} \otimes |\Phi\rangle_{EF}$ are converted to one EPR-pair $|\Phi\rangle_{AF}$ after encoding at intermediate node $r_1$. For the whole scheme, the actual result is that three EPR-pairs are generated: $|\Phi\rangle_{AL}$ is owned by $(s_1, t_1)$, $|\Phi\rangle_{CJ_1}$ is owned by $(s_2, t_1)$, and $|\Phi\rangle_{GJ_2}$ is owned by $(s_3, t_1)$, which means quantum channels between the three source nodes $s_1$, $s_2$, $s_3$ and the target node $t_1$ are generated to realize quantum communication.
(c) Many-to-many scheme
As can be seen from Fig. 4.8, the expected result of communication is $Y_1 + Y_2 = X_1 + X_2 + X_3$, i.e., receivers $Y_1$, $Y_2$ can receive information from senders $X_1$, $X_2$, $X_3$.
Here, $X_1$, $X_2$ communicate with $Y_1$, and $X_3$ communicates with $Y_2$. After encoding at intermediate nodes $r_1$, $r_2$, $r_3$, the actual result is that three EPR-pairs are generated: $|\Phi\rangle_{AJ}$ is owned by $(s_1, t_1)$, $|\Phi\rangle_{CL_1}$ is owned by $(s_2, t_1)$, and $|\Phi\rangle_{GN}$ is owned by $(s_3, t_2)$, which means quantum channels between the three source nodes $s_1$, $s_2$, $s_3$ and the two target nodes $t_1$, $t_2$ are generated to realize quantum communication.
All the above completes the proof.

(2) From the viewpoint of transmission distance, Yan et al. [4] analyzed the feasibility of quantum repeaters, finding that the communication distance of a quantum communication system is positively related to the series of repeater nodes. With the increasing complexity of a general network, the types of nodes also increase, such as nodes with degree 4 or larger. The transformation of nodes adds to the depth of graphs and increases the series of repeater nodes, hence the communication distance of the quantum communication system also increases. Thus we can get Proposition 2.

Definition 1 For a general graph G = (V, E), where V is a set of all nodes and E
is a set of all links, the complexity of a graph O(G) represents the number level of
V and E.

Proposition 2 The communication distance of quantum communication system is positively related to the complexity of general graphs.

Proof Assume that there exists a general graph $D_k$, $k \in N^*$.
When $1 \le k \le 3$, the $D_k$ graph can be encoded directly without graph transformation, so the number of repeater nodes does not change, and neither does the communication distance.
When k > 3, for a general graph with only a k-degree node, we can conclude
from the three graph transformation schemes as follows:
k = 4, the repeater series of the original graph is 3, and the repeater series increases
by 1 after graph transformation.
k = 5, compared with the original graph, the repeater series increases by 2 after
graph transformation.
k = m(m > 5), it can be inferred that compared with the original graph, the
repeater series increases by (m − 3) after graph transformation.
Thus, for a general graph which contains not only k-degree nodes but also nodes
with smaller degrees, after the transformation into a D3 graph, let the increased series
of intermediate repeater nodes be a variable , we can infer that must satisfy the
following condition:
k
(k − 3) ≤ ≤ Ni (i − 3),
i=4

where Ni is the number of i-degree nodes contained by the general graph Dk .


That means with the diversification of general networks, the complexity of a graph
increases, repeater series increase after graph transformation, so does communication
distance. This completes the proof.

4.1.7 Performance Analysis

This scheme will be analyzed from the aspects of success probability of teleportation,
particle consumption, transmission rate, transmission distance, etc.
(1) Success probability of teleportation

Theorem 1 Suppose that $|\Phi\rangle_{st} = a|00\rangle_{st} + b|11\rangle_{st}$ ($a, b \in R^+$, $a^2 + b^2 = 1$ and $a \ge b$) is the quantum entanglement channel generated by this scheme in a network with complex topology, and an unknown qubit $|\varphi\rangle_m = x|0\rangle_m + y|1\rangle_m$ ($x, y \in R^+$, $x^2 + y^2 = 1$) is transmitted via the quantum entanglement channel. Then the success probability of teleportation via the quantum entanglement channel is $2b^2$.

Proof By teleporting the unknown qubit $|\varphi\rangle_m$ via the quantum entanglement channel, $|\varphi\rangle_m$ can be obtained with a probability of $(b/\sqrt{2})^2$ when introducing another auxiliary particle, for any of the four collapsed states, so the probability of successful teleportation $p$ is

$$p = (b/\sqrt{2})^2 \times 4 = 2b^2.$$

If $a = b = 1/\sqrt{2}$, $|\Phi\rangle_{st}$ works as a maximally entangled quantum channel, over which the success probability of teleportation is strictly 1. Hence we can easily obtain Theorem 1.
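The following added example (not code from the book) checks Theorem 1 numerically by carrying the teleportation steps of Sect. 4.1.5 through for all four Bell outcomes, in the theorem's notation ($a$, $b$ for the channel, $x$, $y$ for the qubit). The function names and the explicit Pauli correction chosen from the two classical bits are assumptions of this sketch.

```python
from math import sqrt, isclose

# Classical labels used on the page for the four Bell outcomes on (A, m):
# 00: (|00>+|11>)/sqrt2   01: (|00>-|11>)/sqrt2
# 10: (|01>+|10>)/sqrt2   11: (|01>-|10>)/sqrt2
R = 1 / sqrt(2)
BELL = {
    "00": {(0, 0): R, (1, 1): R},
    "01": {(0, 0): R, (1, 1): -R},
    "10": {(0, 1): R, (1, 0): R},
    "11": {(0, 1): R, (1, 0): -R},
}


def teleport(a, b, x, y):
    """Teleport x|0>+y|1> over the channel a|00>+b|11> (real, a >= b > 0).

    Returns {label: (p_success, fidelity, p_failure)} per Bell outcome.
    """
    if not (isclose(a * a + b * b, 1.0) and isclose(x * x + y * y, 1.0)
            and a >= b > 0):
        raise ValueError("need normalised real amplitudes with a >= b > 0")
    # Joint amplitudes indexed by (A, m, L): channel on (A, L), message on m.
    amp = {(A, m, A): (a if A == 0 else b) * (x if m == 0 else y)
           for A in (0, 1) for m in (0, 1)}
    shrink = b / a                                  # y1/x1 in the matrix U
    leak = sqrt(max(0.0, 1.0 - shrink * shrink))    # sqrt(1 - y1^2/x1^2)
    out = {}
    for label, bra in BELL.items():
        # Bell measurement on (A, m): unnormalised state left on particle L.
        c = [sum(k * amp.get((A, m, L), 0.0) for (A, m), k in bra.items())
             for L in (0, 1)]
        # U on (L, ancilla |0>): |00> -> shrink|00> + leak|01>, |10> -> |10>.
        ok = [shrink * c[0], c[1]]      # ancilla measured as |0>: success
        p_ok = ok[0] ** 2 + ok[1] ** 2
        p_fail = (leak * c[0]) ** 2     # ancilla measured as |1>: failure
        # Pauli correction selected by the classical bits (assumed step).
        if label[1] == "1":
            ok[1] = -ok[1]              # sigma_z
        if label[0] == "1":
            ok.reverse()                # sigma_x
        fidelity = (x * ok[0] + y * ok[1]) ** 2 / p_ok
        out[label] = (p_ok, fidelity, p_fail)
    return out


def success_probability(a, b, x, y):
    """Total probability that the receiver ends up with the sent qubit."""
    return sum(p for p, _, _ in teleport(a, b, x, y).values())


if __name__ == "__main__":
    for label, (p, f, q) in teleport(0.8, 0.6, 0.6, 0.8).items():
        print(label, round(p, 4), round(f, 4), round(q, 4))
    print("total:", round(success_probability(0.8, 0.6, 0.6, 0.8), 4))
```

Each outcome succeeds with probability $b^2/2$ and unit fidelity, and the four failure branches account for the remaining $1 - 2b^2$.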

(2) Particle consumption

Theorem 2 Let $O(G)$ be the complexity of a general graph $G$. Suppose that $E(G)$ is the number of EPR particles consumed to encode for $G$, then $E'(G)\,O'(G) \ge 0$, where $E'(G)$ and $O'(G)$ are the differential coefficients of $E(G)$ and $O(G)$, respectively.

Proof Assume that a $D_k$ ($k \in N^*$) graph $G$ is given, and $N_i$ ($i \in N^*$, $1 \le i \le k$) is the number of $i$-degree nodes. For any $i$-degree ($i > 3$) nodes, we decompose them into $(i - 2)$ 3-degree nodes. Then after the transformation, the total number of nodes is $N_{sum} = \sum_{i=1}^{k} N_i + \sum_{i=4}^{k} N_i(i - 3)$, where $\sum_{i=4}^{k} N_i(i - 3)$ is positively related to the complexity $O(G)$. In this scheme, EPR-pairs should be initially shared between adjacent nodes only, so the EPR particles consumed, $E(G)$, depend on $N_{sum}$. Apparently, as the complexity $O(G)$ increases, the node number increases and consequently the EPR particle consumption $E(G)$ increases. Similarly, the same rule holds when $O(G)$ decreases, i.e., $E(G)$ follows the same trend as $O(G)$. This completes the proof.

(3) Transmission rate

Theorem 3 Let $N_S$ be the number of source nodes in a general graph $G$. Suppose that $r_b$ is the transmission rate between adjacent nodes and $r_{bn}$ is the transmission rate of this scheme, then $r_{bn} = N_S \times r_b$.

Proof This scheme uses quantum entanglement as the quantum channel, and quantum information is transmitted between source nodes and target nodes directly by quantum teleportation, which breaks through the limit of channel capacity. For example, we can analyze the transmission rate for the many-to-many network with $N_S = 3$ source nodes. Clearly, if quantum information is transmitted through a non-entanglement quantum channel, then to ensure that target nodes $t_1$ and $t_2$ can decode, only one qubit is allowed to be transmitted at one time at a transmission rate of $r_b$, so we should transmit three times to realize quantum communication in the many-to-many network. With a quantum entanglement channel constructed from EPR-pairs, three qubits can be transmitted by quantum teleportation simultaneously, i.e., the transmission rate of this scheme is $3 \times r_b$.

The same conclusion can be easily drawn for one-to-many and many-to-one networks. Without loss of generality, for any network $G$ with $N_S$ inputs, quantum entanglement channels can be generated between source nodes and corresponding target nodes, which means $N_S$ qubits can be transmitted by quantum teleportation simultaneously, and the maximal transmission rate $r_{bn}$ is determined by $N_S$. Hence we can obtain Theorem 3.
(4) Transmission distance

Theorem 4 Let $R(G)$ be the actual repeater series participating in encoding after $D_3$ graph transformation of a general graph $G$, and $L$ be the transmission distance of this scheme, then the maximal transmission distance $L_{max} = 125 \times R(G) + 125$ (km).

Proof Yan et al. [4] quantitatively analyzed the performance of quantum repeaters by giving the relationship curve between transmission distance and repeater series in the case of an ideal passivation, i.e., transmission distance $L$ is positively related with repeater series $R(G)$. Considering the distribution of actual network nodes, we can get the corresponding functional expression as follows:

$$L_{max} = 125 \times R(G) + 125 \ \text{(km)}.$$

4.1.8 Discussion

According to the above analysis, we can conclude that this scheme can achieve remote quantum communication in a network with complex topology, at the expense of an increase in particle consumption, which is related to network complexity as described in Table 4.4. Compared with the XQQ protocol, this scheme weakens the claim to quantum channel, breaks through the limit of channel capacity, and makes a significant improvement in transmission rate. Moreover, according to the results of quantum channel generation, we can conclude that the entanglement degree of EPR-pairs between source nodes and corresponding target nodes only depends on that of the EPR-pairs initially distributed between source nodes and their corresponding adjacent nodes. That is, as long as source nodes and the adjacent nodes are distributed maximally entangled EPR-pairs, regardless of the entanglement degree of EPR-pairs between the rest of the nodes, the scheme can also generate a maximally entangled quantum channel and achieve high-reliability quantum communication with a fidelity of 1. If the consumed EPR-pairs are all non-maximally entangled, the generated quantum channel will be less entangled, and the success probability of teleportation will be lower accordingly. We have taken teleportation of a single unknown qubit over the quantum entanglement channel as an example, and actually the quantum entanglement channel can also teleport an unknown bipartite state. Apparently, there remains a lot of future work on communication capacity, which is limited by the storage and operation performance of quantum repeaters.

4.2 Secure Quantum Network Coding for Controlled Repeater Networks

4.2.1 Consumption and Security of Quantum Repeater Networks

In quantum repeater networks, a quantum communication system consumes EPR-pairs as resources, which are hard to prepare and should be initially shared by legitimate nodes. Although the existing schemes can achieve high-reliability and high-rate quantum information transmission, the optimization of resource consumption remains to be solved. Meanwhile, the rapid development of quantum repeater networks has also exposed some security issues. Security attacks can usually be divided into passive attacks and active attacks. Although passive attacks such as eavesdropping can generally be detected in quantum communication, it is possible for a quantum repeater to be confronted with active attacks such as the intercept-resend attack, impersonation attack, and relay attack. Figure 4.12 shows an example of an intercept-resend attack in a quantum repeater network. As a typical active attack, it may occur during the process of encoding for the quantum entanglement channel.
In this section, considering the resource consumption and security of quantum repeater networks, a quantum network coding scheme with an EPR-pair distribution controller was proposed, which can realize long-distance quantum communication with minimal resource consumption [9].

4.2.2 Quantum One-Time Pad

Fig. 4.12 Intercept-resend attack in a quantum repeater network. $|\Phi^+\rangle_{AB}$ is an EPR-pair shared by quantum repeaters $R_1$ and $R_2$. Sender $R_1$ measures particle $A$ and sends the measurement result $M_1$ to receiver $R_2$. Attacker intercepts $M_1$ and sends another information $M_2$ to $R_2$

To realize secure point-to-point quantum communication, several approaches have been proposed, such as QSDC (quantum secure direct communication) and the quantum one-time pad [10]. Among these approaches, the quantum one-time pad, which can realize optimal encryption of quantum bits, can be adopted to detect the real-time performance of quantum communication. It allows a user to encrypt its quantum bits using secret and random classical bits. The procedure of the quantum one-time pad is described as follows:
Let a quantum message be of the form $|M\rangle = \bigotimes_{i=1}^{l} |M_i\rangle$, where $|M_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$, $\alpha_i$ and $\beta_i$ are complex numbers satisfying $|\alpha_i|^2 + |\beta_i|^2 = 1$, and $l$ is the length of the quantum message. Sender and receiver share $2l$ random secret bits $K = (K_1 \cdots K_l K_{l+1} \cdots K_{2l})$, satisfying $K_i \in \{0, 1\}$, where $K_i$ is the $i$th bit of $K$. The encryption $E_K$ on $|M\rangle$ for the quantum one-time pad can be described as follows:

$$|C\rangle = E_K(|M\rangle) = \bigotimes_{i=1}^{l} \sigma_x^{K_{2i-1}} \sigma_z^{K_{2i}} |M_i\rangle = \bigotimes_{i=1}^{l} |C_i\rangle,$$

where $\sigma_x$ and $\sigma_z$ are Pauli operators, and $|C_i\rangle$ is the $i$th qubit of $|C\rangle$. The corresponding decryption is

$$D_K(|C\rangle) = \bigotimes_{i=1}^{l} \sigma_z^{K_{2i}} \sigma_x^{K_{2i-1}} |C_i\rangle.$$
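The encryption and decryption maps above, as an added example that is not code from the book: qubits are amplitude pairs $(\alpha_i, \beta_i)$, the key layout follows the formulas ($K_{2i-1}$ drives $\sigma_x$, $K_{2i}$ drives $\sigma_z$), and the density-matrix average shows why the ciphertext reveals nothing about the message without the key. The helper names (`new_key`, `ciphertext_density`, `fidelity`) are assumptions of this sketch.

```python
import secrets
from itertools import product


def pauli_x(q):
    """sigma_x swaps the amplitudes of |0> and |1>."""
    return (q[1], q[0])


def pauli_z(q):
    """sigma_z flips the sign of the |1> amplitude."""
    return (q[0], -q[1])


def new_key(length):
    """2l uniformly random secret bits for a message of l qubits."""
    return [secrets.randbits(1) for _ in range(2 * length)]


def encrypt(message, key):
    """|C_i> = sigma_x^{K_{2i-1}} sigma_z^{K_{2i}} |M_i>, i = 1..l."""
    if len(key) != 2 * len(message):
        raise ValueError("the key must hold two bits per qubit")
    cipher = []
    for i, q in enumerate(message):
        kx, kz = key[2 * i], key[2 * i + 1]   # K_{2i-1}, K_{2i} (1-based)
        if kz:
            q = pauli_z(q)                    # rightmost operator acts first
        if kx:
            q = pauli_x(q)
        cipher.append(q)
    return cipher


def decrypt(cipher, key):
    """D_K: sigma_z^{K_{2i}} sigma_x^{K_{2i-1}} |C_i>, undoing encrypt()."""
    if len(key) != 2 * len(cipher):
        raise ValueError("the key must hold two bits per qubit")
    plain = []
    for i, q in enumerate(cipher):
        kx, kz = key[2 * i], key[2 * i + 1]
        if kx:
            q = pauli_x(q)
        if kz:
            q = pauli_z(q)
        plain.append(q)
    return plain


def ciphertext_density(q):
    """Average of |C><C| over the four equally likely key pairs of one qubit."""
    rho = [[0j, 0j], [0j, 0j]]
    for kx, kz in product((0, 1), repeat=2):
        c = encrypt([q], [kx, kz])[0]
        for r in range(2):
            for s in range(2):
                rho[r][s] += complex(c[r]) * complex(c[s]).conjugate() / 4
    return rho


def fidelity(p, q):
    """|<p|q>|^2 for two normalised single-qubit states."""
    overlap = sum(complex(u).conjugate() * complex(v) for u, v in zip(p, q))
    return abs(overlap) ** 2


if __name__ == "__main__":
    msg = [(0.6, 0.8j), (1.0, 0.0)]           # constructed sample qubits
    key = new_key(len(msg))
    print(decrypt(encrypt(msg, key), key) == msg)
    print(ciphertext_density(msg[0]))         # I/2 whatever the message is
```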

4.2.3 Network Model

Figure 4.13 shows a network model with one controller and $n$ quantum repeaters, where $n$ is a positive integer, and $n \ge 3$. The controller works as a trusted party which can control the distribution of EPR-pairs, so we call such a network a controlled repeater network. To transmit quantum information from source node $R_1$ to target node $R_n$, we should generate a quantum entanglement channel between $R_1$ and $R_n$; here $R_2, \ldots, R_{n-1}$ are intermediate nodes.

Fig. 4.13 Quantum repeater network with a controller

For each node $R_i$ ($i \le n$), we establish an identity $ID_i$, which is only known to all legitimate nodes and the controller. Particularly, the identities are quantum bits. In this scheme, the controller controls the EPR-pair distribution by judging the information received from the legitimate nodes. As a result, during encoding for the quantum entanglement channel, wasted particle consumption can be avoided in the presence of active attacks.
The key operations of controlled repeater networks can be described as follows:
(1) Node-to-node Communication. To extend quantum entanglement in the repeater network, any two adjacent nodes should operate on the distributed EPR-pairs and transmit the corresponding $\{|0\rangle, |1\rangle\}$ measurement result.
(2) Security Confirmation. Every receiver of node-to-node communication should judge the legitimacy and instantaneity of the $\{|0\rangle, |1\rangle\}$ measurement result, then send the corresponding message to the controller.
(3) EPR-pair Distribution. By judging the message from any node of the repeater network, the controller determines whether the system distributes EPR-pairs or not.
As a result, one EPR-pair between $R_1$ and $R_n$ is obtained, which means the quantum entanglement channel is generated and is then able to perform quantum teleportation.

4.2.4 Basic Operations

To realize node-to-node communication and secure confirmation between two specific legitimate nodes in controlled repeater networks, we introduce a new approach to transmitting the measurement result in the $\{|0\rangle, |1\rangle\}$ basis, which is based on the quantum one-time pad and used to improve the security problem of LOCC. In this approach, we give each node an identity for authentication. As shown in Fig. 4.14, in a network with quantum repeaters $R_1$, $R_2$, both repeaters have quantum identities $ID_1$, $ID_2$, which are known to each other, where $ID_i = id_i^1 id_i^2 \cdots id_i^l \in \{|0\rangle, |1\rangle\}^l$. Let $M_1$ be the measurement result of particle $A$ in the $\{|0\rangle, |1\rangle\}$ basis. The procedure for transmitting $M_1$ to $R_2$ is described as follows:
Step 1: Key establishment. $R_1$, $R_2$ agree on the way to generate a $2(l + 1)$ bit random key $K$.
Step 2: Particle measurement and state transition. $R_1$ measures particle $A$ in the $\{|0\rangle, |1\rangle\}$ basis; let $\{0, 1\}$ be the outcome. Then it transforms the measurement result into the quantum message $M_1$ according to the rules $0 \to |0\rangle$, $1 \to |1\rangle$.
Step 3: Encryption and transmission. $R_1$ applies the quantum one-time pad encryption $E_K$ on $(M_1, ID_1)$, and transmits the quantum message $E_K(M_1, ID_1)$ to $R_2$ over the quantum channel.
Step 4: Decryption and Pauli operation. $R_2$ decrypts the received quantum message $E_K(M_1, ID_1)$ and gains $(M_1, ID_1)$. With $ID_1$, $R_2$ can confirm that $M_1$ is a real-time message from $R_1$. Then it can apply the corresponding Pauli operator to particle $B$.
As we can see, the improved LOCC focuses on transmitting the measurement result in the $\{|0\rangle, |1\rangle\}$ basis by means of quantum information, so we rename the improved LOCC as LOQC, namely Local Operations and Quantum Communication. LOQC allows legitimate nodes to identify the source of received information and judge the freshness of received information in the presence of active attacks. Therefore, we can denote the algorithms of LOQC by renaming the algorithms of LOCC according to the rule of Table 4.6.

Fig. 4.14 Quantum transmission for measurement result in the $\{|0\rangle, |1\rangle\}$ basis

Table 4.6 LOQC

| Algorithms | Items | | | | |
|---|---|---|---|---|---|
| LOCC | Con | Rem | Fanout | Add | RemAdd |
| LOQC | QCon | QRem | QFanout | QAdd | QRemAdd |

4.2.5 QNC Scheme for Controlled Repeater Networks

Inspired by the idea of the quantum network coding scheme based on controlled teleportation [11], QNC can control the decoding process of two receivers on the butterfly network simultaneously by introducing a controller. By introducing the role of a controller as a trusted party to control the distribution of EPR-pairs for quantum repeater networks, a secure quantum network coding scheme for controlled repeater networks was proposed [9], and its objective is to reduce particle consumption during the encoding process in the presence of active attacks. Moreover, during the process of quantum channel generation, to verify secure communication between any two legitimate nodes, including the controller, we establish an identity for each legitimate node, with which a communication party can be authenticated.
In the butterfly network of quantum repeaters, the setting for this scheme is presented in Fig. 4.15. Source nodes $s_1$ and $s_2$ simultaneously send quantum information to target nodes $t_1$ and $t_2$ in the butterfly network by the quantum entanglement channel. $r_1$ and $r_2$ are two intermediate nodes. The identity of any node is represented as $ID_x$ ($x$ is the name of a node), e.g., $ID_{s_1}$ denotes the identity of source node $s_1$.
Secure encoding (SE). For convenience, we define the secure encoding operation of repeaters $r_m$, $r_n$ with a controller. Let $|\psi_{be}\rangle$ be the state before encoding, $AlgoN$ be the algorithm name, and $|\psi_{af}\rangle$ be the state after encoding. $r_m$ and $r_n$ apply $AlgoN$ on $|\psi_{be}\rangle$, and $r_n$ marks its state with a qubit by judging the security of the node-to-node communication. If $r_n$ receives a real-time message from $r_m$, the state becomes $|\psi_{af}\rangle$ and $r_n$ marks its state $Sym_i$ as qubit $|1\rangle$; otherwise it marks $Sym_i$ as $|0\rangle$. $r_n$ applies the quantum one-time pad encryption on $(Sym_i, ID_{r_n})$ and transmits $E_K(Sym_i, ID_{r_n})$ to the controller. The controller decrypts the received message. If the controller obtains $|1\rangle$ from $r_n$, it means that no attack has happened, and the scheme continues to the next step; otherwise it returns to the beginning. Note that the function is used in the form of $SE(AlgoN, Sym_i, ID_{r_n})$.
The secure quantum network coding scheme for butterfly network can be described as follows:

Fig. 4.15 Butterfly network of quantum repeaters

Step 1: Distribute two EPR-pairs $|\Phi^+\rangle_{AB}$ and $|\Phi^+\rangle_{CD}$ to $s_1 - t_2$ and $s_1 - r_1$, respectively. Let the input state $|\psi_{init}\rangle$ be of the form

$$|\psi_{init}\rangle = |\Phi^+\rangle_{AB} \otimes |\Phi^+\rangle_{CD},$$

$s_1$, $r_2$ apply $SE(QCon^{A}_{C\to D}, Sym_1, ID_{r_1})$ on $|\psi_1\rangle$, the state becomes

$$|\psi_1\rangle = |GHZ\rangle_{ABD}.$$

Step 2: Distribute two EPR-pairs $|\Phi^+\rangle_{EF}$ and $|\Phi^+\rangle_{GH}$ to $s_2 - t_1$ and $s_2 - r_1$, respectively, the state becomes

$$|\psi_2\rangle = |GHZ\rangle_{ABD} \otimes |\Phi^+\rangle_{EF} \otimes |\Phi^+\rangle_{GH},$$

$s_2$, $r_1$ apply $SE(QCon^{E}_{G\to H}, Sym_2, ID_{r_1})$ on $|\psi_2\rangle$, the state becomes

$$|\psi_3\rangle = |GHZ\rangle_{ABD}\,|GHZ\rangle_{EFH}.$$

Step 3: Distribute $|\Phi^+\rangle_{IJ}$ to $r_1 - r_2$, the state becomes

$$|\psi_4\rangle = |GHZ\rangle_{ABD}\,|GHZ\rangle_{EFH} \otimes |\Phi^+\rangle_{IJ},$$

$r_1$, $r_2$ apply $SE(QAdd^{I}_{D,H\to J}, Sym_3, ID_{r_2})$ on $|\psi_4\rangle$, the state becomes

$$|\psi_5\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|0\rangle_J + \frac{1}{2}(|000111\rangle + |111000\rangle)_{ABDEFH}|1\rangle_J.$$

Step 4: Distribute $|\Phi^+\rangle_{KL}$ to $r_2 - t_2$, the state becomes

$$|\psi_6\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|0\rangle_J \otimes |\Phi^+\rangle_{KL} + \frac{1}{2}(|000111\rangle + |111000\rangle)_{ABDEFH}|1\rangle_J \otimes |\Phi^+\rangle_{KL},$$

$r_2$, $t_2$ apply $SE(QCon^{J}_{K\to L}, Sym_4, ID_{t_2})$ on $|\psi_6\rangle$, the state becomes

$$|\psi_7\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|00\rangle_{JL} + \frac{1}{2}(|000111\rangle + |111000\rangle)_{ABDEFH}|11\rangle_{JL}.$$

Step 5: Distribute $|\Phi^+\rangle_{MN}$ to $r_2 - t_1$, the state becomes

$$|\psi_8\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|00\rangle_{JL} \otimes |\Phi^+\rangle_{MN} + \frac{1}{2}(|000111\rangle + |111000\rangle)_{ABDEFH}|11\rangle_{JL} \otimes |\Phi^+\rangle_{MN},$$

$r_2$, $t_1$ apply $SE(QCon^{J}_{M\to N}, Sym_5, ID_{t_1})$ on $|\psi_8\rangle$, the state becomes

$$|\psi_9\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|000\rangle_{JLN} + \frac{1}{2}(|000111\rangle + |111000\rangle)_{ABDEFH}|111\rangle_{JLN}.$$

Step 6: $t_1$ applies $CNOT^{(N,F)}$, $t_2$ applies $CNOT^{(L,B)}$, the state becomes

$$|\psi_{10}\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|000\rangle_{JLN} + \frac{1}{2}(|010101\rangle + |101010\rangle)_{ABDEFH}|111\rangle_{JLN}.$$

Step 7: $t_2$, $r_2$ apply $SE(QRem_{L\to J}, Sym_6, ID_{r_2})$ on $|\psi_{10}\rangle$, the state becomes

$$|\psi_{11}\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|00\rangle_{JN} + \frac{1}{2}(|010101\rangle + |101010\rangle)_{ABDEFH}|11\rangle_{JN}.$$

Step 8: $t_1$, $r_2$ apply $SE(QRem_{N\to J}, Sym_7, ID_{r_2})$ on $|\psi_{11}\rangle$, the state becomes

$$|\psi_{12}\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH}|0\rangle_J + \frac{1}{2}(|010101\rangle + |101010\rangle)_{ABDEFH}|1\rangle_J.$$

Step 9: $r_2$, $r_1$ apply $SE(QRemAdd_{J\to D,H}, Sym_8, ID_{r_1})$ on $|\psi_{12}\rangle$, the state becomes

$$|\psi_{13}\rangle = \frac{1}{2}(|000000\rangle + |111111\rangle)_{ABDEFH} + \frac{1}{2}(|010101\rangle + |101010\rangle)_{ABDEFH}.$$

Step 10: $r_1$, $s_1$ apply $SE(QRem_{D\to A}, Sym_9, ID_{s_1})$ on $|\psi_{13}\rangle$, the state becomes

$$|\psi_{14}\rangle = \frac{1}{2}(|00000\rangle + |11111\rangle + |01101\rangle + |10010\rangle)_{ABEFH}.$$

Step 11: $r_1$, $s_2$ apply $QRem_{H\to E}$, if $s_2$ receives a real-time message from $r_1$, the state becomes

$$|\psi_{15}\rangle = \frac{1}{2}(|0000\rangle + |1111\rangle + |0110\rangle + |1001\rangle)_{ABEF} = |\Phi^+\rangle_{AF} \otimes |\Phi^+\rangle_{BE} = |\psi_{final}\rangle.$$

As a result, two EPR-pairs are obtained, $|\Phi^+\rangle_{AF}$ between $s_1 - t_1$, and $|\Phi^+\rangle_{BE}$ between $s_2 - t_2$, which means the quantum entanglement channel between source and target is generated and is then able to perform quantum teleportation.

4.2.6 Performance Analysis

Theorem 5 The particle consumption for a controlled repeater network $E_q$ is positively related to the total number of network nodes $N_{sum}$.

Proof Suppose that a controlled repeater network has $N_{sum}$ nodes. If no active attack happens during the encoding process, the minimum number of communications between adjacent nodes is $(N_{sum} - 1)$, and so is the number of communications between network nodes and the controller. In any communication of this scheme, a node should send a qubit (the $\{|0\rangle, |1\rangle\}$ measurement result or the state symbol of communication security) and a quantum information $ID$, the length of which is supposed to be $l$. Thus, the consumption of particles for a controlled quantum repeater network is $N_q \ge (l + 1) \times 2(N_{sum} - 1)$. Apparently, with the total number of nodes $N_{sum}$ increasing, the particle consumption $E_q$ will increase correspondingly. Thus we can prove Theorem 5, and the details are listed in Table 4.7.

Table 4.7 Particle consumption in the case of no active attack

| Item | Parameter |
|---|---|
| Total number of nodes | $N_{sum}$ |
| Total number of ID ($l$ qubits) | $l \times 2(N_{sum} - 1)$ |
| Minimum number of $\{\lvert 0\rangle, \lvert 1\rangle\}$ measurement result or state symbol | $2(N_{sum} - 1)$ |
| Minimum particle consumption $Min(E_q)$ | $(l + 1) \times 2(N_{sum} - 1)$ |

Theorem 6 Secure quantum network coding scheme for controlled repeater networks can reduce EPR-pair consumption in the presence of active attacks to a maximum extent.

Proof As a trusted party, the controller regulates the process of EPR-pair distribution by judging the source and freshness of received information. With the quantum one-time pad, the controller obtains the $(l + 1)$-qubit message $(M_i, ID_i)$, where $M_i$ and $ID_i$ represent the operating state and identity of node $i$, respectively. If the controller can receive real-time quantum information from legitimate nodes in the whole process of quantum channel generation, i.e., no attack happens, the quantum repeater network can generate the quantum entanglement channel with any two adjacent nodes needing to share only one EPR-pair initially. If an attack happens, the quantum channel generation process is terminated to avoid wasting particles, so that no more EPR-pairs will be distributed. In contrast to a quantum repeater network without a controller, this scheme can reduce particle consumption in the presence of active attacks, and the earlier the attack is detected, the fewer particles will be wasted.

Assume that secure encoding for a quantum repeater network needs $n_e$ EPR-pairs in $m_s$ steps, and $x$ represents the $x$th step, at which the controller detects an attack. The particle consumption $N_P$ is positively related with $x$, and the corresponding functional expression is given as follows:

$$N_P = f(x, m_s, n_e),$$

where the function $f$ is monotonically increasing. Compared with a quantum repeater network without a controller, $(n_e - N_P)$ EPR-pairs can be saved when an attack happens. The comparison results between the with-controller case and the without-controller case over the butterfly network are listed in Table 4.8.

Table 4.8 EPR-pair consumption in the case of active attack

| Step of attack happening | Step 1 | Step 2 | Step 3 | Step 4 | Step 5–11 |
|---|---|---|---|---|---|
| EPR-pairs consumed without a controller | 7 | 7 | 7 | 7 | 7 |
| EPR-pairs consumed with a controller | 2 | 4 | 5 | 6 | 7 |
| EPR-pairs saved | 5 | 3 | 2 | 1 | 0 |

4.2.7 Security Analysis


 
Theorem 7 Let $|\Phi^+\rangle_{AB}$ be an EPR-pair shared by two legitimate nodes $r_1$ and $r_2$ in a quantum repeater network, where $ID_1$ and $ID_2$ are the identities of $r_1$ and $r_2$, and known to each other. Transmission of the measurement result on particle $A$ in the $\{|0\rangle, |1\rangle\}$ basis with the quantum one-time pad can detect active attacks and generate the entanglement channel securely.

Proof Let $M_A$ be the $\{|0\rangle, |1\rangle\}$ basis measurement result of particle $A$ in the legitimate node $r_1$. During the process of quantum channel generation, only when the current legitimate node $r_2$ receives a real-time quantum message from the previous legitimate node $r_1$ does it apply a Pauli operator on its own particle $B$. There will be four possible scenarios listed as follows:
(a) No attack happens. $r_2$ receives the encrypted quantum information and decrypts it to obtain $(M_A, ID_1)$, then applies the corresponding Pauli operator on particle $B$.
(b) The attacker intercepts the encrypted quantum information and sends other information to $r_2$. $r_2$ receives the information and decrypts it with the correct secret key, only to find that the decrypted information is not the identity of $r_1$, and it will do no operation on particle $B$.
(c) The attacker impersonates $r_1$ and sends information to $r_2$. $r_2$ judges the received information as irrelevant information because $r_1$ did not send a request of key generation to $r_2$, so $r_2$ will discard it and do no operation on particle $B$.
(d) The attacker intercepts an encrypted quantum information and resends the same information to $r_2$ in a later communication. The first time $r_2$ receives the information, it can decrypt it and obtain the correct information, while it can tell that the rest of the received information is not in real time.
As we see from the above analysis, a legitimate node can judge the source and freshness of received information with the quantum one-time pad, so it will not apply a wrong or redundant operation on its particle during quantum channel generation. Thus Theorem 7 is proved.
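The controller-gated secure encoding of Sect. 4.2.5, the EPR-pair counts of Table 4.8 and scenarios (b) to (d) above can be traced with the following added simulation, which is not code from the book. It assumes a bit-level model: $M$, $Sym$ and the identities are basis states, so the $\sigma_x$ half of the one-time pad acts as a classical pad; the identity length `ID_LEN`, the names `Endpoint`, `loqc_send` and `run_butterfly`, and the seeded generator are choices of this sketch.

```python
import random

ID_LEN = 64  # l: identity length in qubits (assumed; the page leaves l open)

# (sender, receiver, EPR-pairs distributed) for Steps 1-11 of the butterfly
# scheme, read off the page; Step 6 is a local CNOT with no message exchange.
STEPS = [("s1", "r1", 2), ("s2", "r1", 2), ("r1", "r2", 1), ("r2", "t2", 1),
         ("r2", "t1", 1), (None, None, 0), ("t2", "r2", 0), ("t1", "r2", 0),
         ("r2", "r1", 0), ("r1", "s1", 0), ("r1", "s2", 0)]


def xor(bits, pad):
    """QOTP on basis states: sigma_x^k flips the bit, sigma_z^k is only a
    phase, so the sigma_x half of the key acts as a classical one-time pad."""
    return [b ^ k for b, k in zip(bits, pad)]


class Endpoint:
    """Receiving side of one LOQC exchange (a repeater or the controller)."""

    def __init__(self):
        self.key = None

    def establish_key(self, key):
        self.key = key

    def accept(self, block, expected_id):
        """Decrypt E_K(bit, ID); return the bit, or None when rejected."""
        if self.key is None:             # no key request preceded the message
            return None
        key, self.key = self.key, None   # the pad is used exactly once
        plain = xor(block, key)
        return plain[0] if plain[1:] == expected_id else None


def loqc_send(rng, bit, sender_id, endpoint, tamper=None, establish=True):
    """One exchange; `tamper` maps the ciphertext to what is delivered."""
    key = [rng.randrange(2) for _ in range(ID_LEN + 1)]
    if establish:
        endpoint.establish_key(key)
    block = xor([bit] + sender_id, key)
    delivered = tamper(block) if tamper else block
    return endpoint.accept(delivered, sender_id), block


def run_butterfly(attack_step=None, attack="substitute", controller=True,
                  seed=2020):
    """Return the number of EPR-pairs distributed before the run ends."""
    rng = random.Random(seed)  # fixed seed: reproducible demo, not key material
    ids = {n: [rng.randrange(2) for _ in range(ID_LEN)]
           for n in ("s1", "s2", "r1", "r2", "t1", "t2")}
    old_block = [rng.randrange(2) for _ in range(ID_LEN + 1)]  # captured earlier
    consumed = 0
    for step, (sender, receiver, pairs) in enumerate(STEPS, start=1):
        consumed += pairs
        if sender is None:
            continue
        tamper, establish = None, True
        if step == attack_step:
            if attack == "substitute":       # scenario (b)
                tamper = lambda blk: [rng.randrange(2) for _ in blk]
            elif attack == "replay":         # scenario (d)
                tamper = lambda blk, old=old_block: old
            elif attack == "impersonate":    # scenario (c)
                establish = False
        got, old_block = loqc_send(rng, rng.randrange(2), ids[sender],
                                   Endpoint(), tamper, establish)
        sym = 0 if got is None else 1
        # The receiver reports (Sym, ID_receiver) to the controller likewise.
        report, _ = loqc_send(rng, sym, ids[receiver], Endpoint())
        if controller and report != 1:
            return consumed                  # controller stops distributing
    return consumed


if __name__ == "__main__":
    for x in range(1, 6):
        used = run_butterfly(x)
        print(f"attack at step {x}: {used} pairs used, {7 - used} saved")
```

In this model a substituted or replayed block passes the identity check only with probability $2^{-l}$, which is why `ID_LEN` is set large enough for the counts to be reproducible.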

Fig. 4.16 Many-to-many $D_3$ repeater network

4.2.8 Discussion

According to the above analysis, we can conclude that this scheme not only achieves secure quantum channel generation for long-distance quantum communication, but also reduces particle consumption in the presence of active attacks. Beyond the butterfly network, this scheme can also be applied to general scenarios, such as general quantum repeater networks.
The key technique for general graph networks is to transform a general graph into a D3 (Degree 3) graph; Iwama et al. [3] gave the transformation schemes for one-to-many, many-to-one, and many-to-many. Here we give an example of a many-to-many D3 repeater network with a controller, shown in Fig. 4.16. Note that here we adopt a network with three inputs and two outputs, and assume that source nodes $s_1$ and $s_2$ communicate with target node $t_1$, source node $s_3$ communicates with target node $t_2$, and $r_1$, $r_2$, and $r_3$ are three intermediate nodes. The identity of any node is represented as $ID_x$ ($x$ is the name of a node).
By applying the quantum repeater network coding scheme, three EPR-pairs are finally obtained by $(s_1, t_1)$, $(s_2, t_1)$, and $(s_3, t_2)$, and thus a quantum entanglement channel is generated in the many-to-many network. During the process of quantum channel generation, the controller controls the distribution of EPR-pairs. In comparison with the setting of the butterfly network, additional EPR-pairs are needed between $r_1 - r_2$, $r_2 - r_3$, and $r_3 - t_1$. If there exists an active attack, more particle resources could be saved. That means that, with the diversification of general graph networks, the controller will play a more important role in the presence of active attacks.

Fig. 4.17 Site selection of a controller for the butterfly network (repeater nodes r arranged around the controller; marked distance 250 km)

Obviously, a lot of future work remains, such as site selection of a controller in a quantum repeater network with complex topology, which is limited by the practical operability of EPR-pair distribution. The nearer the controller is to each node, the more resources it saves. In this scheme, the controller needs to keep in touch with every network node, which severely restricts the size of a network. Yan et al. [4] quantitatively analyzed the performance of a quantum repeater and found that one repeater can support quantum communication for 125 km, i.e., the controller should be no more than 125 km away from each node. We give a simple model of site selection for the butterfly network with one controller (see Fig. 4.17). The controller is located at the center of a circle that contains all repeater nodes and has a diameter of no more than 250 km.
For a more complex network, one possible solution to site selection is to divide the network with $(a + b + c + \cdots)$ nodes into a few groups by the principle of proximity, following the rule that each node is no more than 125 km away from a controller (see Fig. 4.18). We set one controller for the system and one for each group to control EPR-pair distribution. The main idea is that the main controller communicates with the group controllers ($Con_1, Con_2, Con_3, \ldots$), while the group controllers communicate with the repeater nodes.

4.3 Summary

The objective was to realize long-distance quantum communication over quantum repeater networks with complex topology. In this chapter, we introduced a quantum network coding scheme “GQQ” for general repeater networks. The detailed algorithms of the quantum channel generation scheme for the cases of one-to-many, many-to-one, and many-to-many were given to generate quantum entanglement channels in a D3 graph network. Then we introduced a new quantum repeater network that adds a controller as a trusted party, which controls the EPR-pair distribution in the whole quantum channel generation process. The quantum one-time pad is utilized to improve the basic operations LOCC. With the improved algorithms LOQC, legitimate nodes can apply the correct operation to the particles when encoding for the quantum entanglement channel. Scheme analysis demonstrates that the scheme can realize secure long-distance quantum communication and, if there exist active attacks, achieve resource saving to a maximum extent.

Fig. 4.18 Quantum repeater network with hierarchical controllers (main controller; group controllers Con1, Con2, Con3; repeater nodes r11 ... r1a, r21 ... r2b, r31 ... r3c)

References

1. Kobayashi, H., Le Gall, F., Nishimura, H., et al.: Constructing quantum network coding schemes from classical nonlinear protocols. In: IEEE International Symposium on Information Theory (ISIT), pp. 109–113 (2011)
2. Nishimura, H.: Quantum network coding - how can network coding be applied to quantum information? In: International Symposium on Network Coding (NetCod), pp. 1–5 (2013)
3. Iwama, K., Nishimura, H., Raymond, R., et al.: Quantum network coding for general graphs. Physics 52(3), 610–621 (2006)
4. Yan, Y., Pei, C.X., Han, B.B., et al.: A quantum repeater for quantum communication systems. In: The First Chinese Conference on Communications Departments of Colleges and Universities, pp. 791–796 (2007)
5. Pei, C.X., Yan, Y., Liu, D., et al.: A quantum repeater communication system based on entanglement. Acta Photon. Sin. 37(12), 2422–2426 (2008)
6. Satoh, T., Le Gall, F., Imai, H.: Quantum network coding for quantum repeaters. Phys. Rev. A 86(3), 9591–9598 (2012)
7. Shang, T., Li, J., Pei, Z., Liu, J.W.: Quantum network coding for general repeater networks. Quantum Inf. Process. 14(9), 3533–3552 (2015)
8. Cao, H.J., Guo, Y.Q., Song, H.S.: Teleportation of an unknown bipartite state via non-maximal entangled two-particle state. Chin. Phys. 15(5), 915–918 (2006)
9. Shang, T., Li, J., Pei, Z., Liu, J.W.: Secure quantum network coding for controlled repeater network. Quantum Inf. Process. 15(7), 2937–2953 (2016)
10. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67(4), 645–648 (2003)
11. Shang, T., Zhao, X., Liu, J.W.: Quantum network coding based on controlled teleportation. IEEE Commun. Lett. 18(5), 865–868 (2014)
Chapter 5
Quantum Network Coding Based on Controller

Controlled teleportation introduces the concept of a controller and can control the reconstruction process of a receiver by sharing a GHZ state between the sender and the receiver. In this chapter, we introduce quantum network coding schemes based on controlled teleportation to control the decoding process of receivers in a butterfly network. By introducing a third party, the schemes provide a model of three-party communication for each unicast stream in the butterfly network. Furthermore, by introducing an identity authentication mechanism into the quantum network coding scheme, the schemes will have good potential to enhance the security of communication in the quantum network.

5.1 Quantum Network Coding Based on Controlled Teleportation

5.1.1 Requirement of a Trusted Third Party

With the rapid development of quantum networks, the security of quantum information transmission has become a crucial issue. Researchers have explored transmitting information in quantum channels directly, namely, quantum security direct communication (QSDC) [1]. However, the QSDC schemes based on teleportation must send measurement results to receivers via classical channels, which introduces a hidden danger due to the unreliability of classical communication. Research achievements [2, 3] show that if the measurement results are governed by a trusted third party, the security of QSDC will be greatly enhanced.
Following this idea, we focus on new quantum network coding schemes based on controlled teleportation [4]. By introducing a third party, namely, the controller, these schemes provide a model of three-party communication for each unicast stream in the butterfly network. Such schemes have good potential to enhance the security of communication in the quantum network.

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_5

5.1.2 Controlled Teleportation

In 2007, Zhou et al. [5] proposed a controlled teleportation scheme. This scheme
introduces the concept of a controller and can control the reconstruction process of
a receiver by sharing a GHZ state between the sender and the receiver.
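Assume that the state of the particle to be sent is $|\varphi\rangle_D = \alpha|0\rangle_D + \beta|1\rangle_D$ (where $|\alpha|^2 + |\beta|^2 = 1$). The GHZ state shared by Alice, Bob and Charlie initially is:

$$|\varphi\rangle_{ABC} = \frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{ABC}. \tag{5.1}$$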

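The subscripts A, B, and C represent the three particles owned by the parties Alice, Bob, and Charlie, respectively. The whole state can be represented as:

$$|\psi\rangle = |\varphi\rangle_{ABC} \otimes |\varphi\rangle_D .$$

It can be rewritten as follows:

$$\begin{aligned}
|\psi\rangle = \frac{1}{2}\Big[\, & |\phi^+\rangle_{AD}\left(\alpha|00\rangle_{BC} + \beta|11\rangle_{BC}\right) \\
+\, & |\phi^-\rangle_{AD}\left(\alpha|00\rangle_{BC} - \beta|11\rangle_{BC}\right) \\
+\, & |\psi^+\rangle_{AD}\left(\alpha|11\rangle_{BC} + \beta|00\rangle_{BC}\right) \\
+\, & |\psi^-\rangle_{AD}\left(\alpha|11\rangle_{BC} - \beta|00\rangle_{BC}\right)\Big].
\end{aligned}$$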

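For convenience, four operators are defined as follows:

$$\begin{aligned}
U_0 &= |0\rangle\langle 0| + |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \\
U_1 &= |0\rangle\langle 0| - |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \\
U_2 &= |1\rangle\langle 0| + |0\rangle\langle 1| = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \\
U_3 &= |0\rangle\langle 1| - |1\rangle\langle 0| = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}.
\end{aligned} \tag{5.2}$$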

The Bell states are:

$$|\phi^\pm\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle \pm |11\rangle\right), \qquad |\psi^\pm\rangle = \frac{1}{\sqrt{2}}\left(|01\rangle \pm |10\rangle\right).$$

Let the classical bits correspond to the result of Bell-state measurement as follows:

$$00 \to |\phi^+\rangle, \quad 10 \to |\phi^-\rangle, \quad 01 \to |\psi^+\rangle, \quad 11 \to |\psi^-\rangle .$$

The controlled teleportation scheme is described as follows:

(1) The sender Alice performs a Bell-state measurement on her particles A and D, then Alice can transmit the result to Bob by classical channel. Hence the particles B and C collapse to a corresponding entangled state. We pick out the result $|\phi^+\rangle_{AD}$ as an example. Then $|\psi\rangle_{BC} = \alpha|00\rangle_{BC} + \beta|11\rangle_{BC}$.
(2) If Charlie allows Bob to acquire the originally unknown state, he can perform a Hadamard operation on the particle C:

$$H|0\rangle_C = \frac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right)_C, \qquad H|1\rangle_C = \frac{1}{\sqrt{2}}\left(|0\rangle - |1\rangle\right)_C .$$

Then the state of the particles B and C becomes:

$$|\psi\rangle_{BC} = \left(\alpha|0\rangle_B + \beta|1\rangle_B\right)|0\rangle_C + \left(\alpha|0\rangle_B - \beta|1\rangle_B\right)|1\rangle_C .$$

(3) After Charlie’s single-particle measurement (in the basis of $|0\rangle$ and $|1\rangle$) on C, Bob can obtain a state that can be transformed to the originally unknown state with or without a local unitary operation.

5.1.3 QNC Scheme Based on XQQ

We describe a scheme with two controllers ($Con_1$ and $Con_2$) based on the XQQ protocol as shown in Fig. 5.1. In this scenario, there are two unicast streams, including two senders $A_1$ and $A_2$, and two receivers $B_1$ and $B_2$. $M_1$ and $M_2$ are two intermediate nodes. The unknown quantum state to be sent by $A_i$ is $|\varphi_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$, $i \in \{1, 2\}$. More importantly, the controller $Con_{i\oplus 1}$ and the sender $A_i$ share a GHZ state:

$$|\varphi\rangle_{A_{i,3}A_{i,4}C_{i\oplus 1}} = \frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{A_{i,3}A_{i,4}C_{i\oplus 1}},$$

where $\oplus$ denotes the classical exclusive OR operation, $A_{i,3}$ and $A_{i,4}$ are owned by $A_i$, and $C_{i\oplus 1}$ is owned by $Con_{i\oplus 1}$. Considering the latter scheme, here we use $A_{i,3}$ and $A_{i,4}$ to denote the particles of GHZ states instead of $A_{i,1}$ and $A_{i,2}$.
Fig. 5.1 Scheme based on the XQQ protocol

The first scheme is described as follows:
Step 1: At the sender $A_1$, $(Q_1, Q_2) = UC(|\varphi_1\rangle)$; at the sender $A_2$, $(Q_3, Q_4) = UC(|\varphi_2\rangle)$.
Step 2: The sender $A_1$ ($A_2$) performs a Bell-state measurement on the particles $Q_1$ ($Q_4$) and $A_{1,3}$ ($A_{2,3}$), and obtains the classical bit strings $(r_1r_2)_1$ ($(r_1r_2)_2$) corresponding to the measurement result (see Eq. 5.2). Then the sender $A_i$ transmits the result $(r_1r_2)_i$ to the controller $Con_{i\oplus 1}$, respectively.
Step 3: The controller $Con_{i\oplus 1}$ performs a Hadamard operation on its particle $C_{i\oplus 1}$ and performs a single-particle measurement on $C_{i\oplus 1}$ to obtain a classical bit $(r_3)_i$. Let the classical bit $(r_3)_i$ correspond to the measurement result: $0 \to |0\rangle_C$, $1 \to |1\rangle_C$.
According to controlled teleportation, after this step the state of the particle $A_{i,4}$ becomes $\rho_i = (U_{x_i})^{-1} \cdot UC(|\varphi_i\rangle)$, which can be denoted as $Q_1' = \rho_1 = (U_{x_1})^{-1} \cdot UC(|\varphi_1\rangle)$, $Q_4' = \rho_2 = (U_{x_2})^{-1} \cdot UC(|\varphi_2\rangle)$. Here $U_{x_i}$ is the unitary operator chosen to reconstruct $|\varphi_i\rangle$ according to $(r_1r_2r_3)_i$.
Step 4: At the node $M_1$, $Q_5 = GR(Q_2, TTR(Q_3))$.
Step 5: At the node $M_2$, $(Q_6, Q_7) = UC(Q_5)$.
Step 6: If the controller $Con_i$ allows the receiver $B_i$ to obtain the original state $|\varphi_i\rangle$, it can send the classical bits $(r_1r_2r_3)_{i\oplus 1}$ to the receiver $B_i$ via the channel $H_i$. Thus the receiver $B_i$ can obtain the operator $U_{x_{i\oplus 1}}$ according to $(r_1r_2r_3)_{i\oplus 1}$. Then the decoding processes are described as follows:
At the receiver $B_1$, the output state is

$$\rho_1^{out} = GR\left(Q_7, TTR(U_{x_2} \cdot Q_4')\right) = GR\left(Q_7, TTR(Q_4)\right) = |\varphi_1\rangle .$$

At the receiver $B_2$, the output state is

$$\rho_2^{out} = BM\left(U_{x_1} \cdot Q_1', Q_6\right) = BM\left(Q_1, Q_6\right) = |\varphi_2\rangle .$$

Here $UC$ denotes the operation of universal cloning, $TTR$ denotes the operation of tetra measurement, $GR$ denotes the group operation, and $BM$ denotes the operation of 3D Bell measurement. Note that $UC(|\varphi_1\rangle)$ can produce two quantum states which are approximate to $|\varphi_1\rangle$. $TTR(Q_3)$ is to perform a tetra measurement on the quantum state $Q_3$, which can produce two classical bits $r_1r_2$. Then $r_1r_2$ can be used to select one operator of Pauli operators as GR operator ($00 \to I = U_1$, $10 \to \sigma_x = U_2$, $01 \to \sigma_z = U_3$, $11 \to i\sigma_Y = U_4$). More details can be seen in Hayashi’s work [6].
In other cases, the state of the particles after the corresponding measurement and the unitary operator chosen to reconstruct the original states by the receivers are shown in Table 5.1 (See the Eq. 5.1 for $U_{x_i}$). The particle $Q_1$ ($Q_4$) sent by $A_1$ ($A_2$) is denoted as $S_1$ ($S_2$) for convenience.

Table 5.1 Measurement results of the particles and the corresponding $U_{x_i}$ operator

$|\varphi\rangle_{A_{i,3}S_i}$   $|\varphi\rangle_{C_{i\oplus 1}}$   $(r_1r_2r_3)_i$   $U_{x_i}$
$|\phi^+\rangle_{A_{i,3}S_i}$    $|0\rangle_{C_{i\oplus 1}}$         000               $U_0$
$|\phi^+\rangle_{A_{i,3}S_i}$    $|1\rangle_{C_{i\oplus 1}}$         001               $U_1$
$|\phi^-\rangle_{A_{i,3}S_i}$    $|0\rangle_{C_{i\oplus 1}}$         010               $U_1$
$|\phi^-\rangle_{A_{i,3}S_i}$    $|1\rangle_{C_{i\oplus 1}}$         011               $U_0$
$|\psi^+\rangle_{A_{i,3}S_i}$    $|0\rangle_{C_{i\oplus 1}}$         100               $U_2$
$|\psi^+\rangle_{A_{i,3}S_i}$    $|1\rangle_{C_{i\oplus 1}}$         101               $U_3$
$|\psi^-\rangle_{A_{i,3}S_i}$    $|0\rangle_{C_{i\oplus 1}}$         110               $U_3$
$|\psi^-\rangle_{A_{i,3}S_i}$    $|1\rangle_{C_{i\oplus 1}}$         111               $U_2$
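
The controlled-teleportation step of Sect. 5.1.2 and the operator assignment of Table 5.1 can be checked with a small state-vector simulation. The Python below is an added example, not code from the book; the function names and the sample amplitudes (0.6, 0.8i) are assumptions made for illustration, and the Bell outcomes are keyed by the $r_1r_2$ bits as they appear in Table 5.1.

```python
from math import sqrt

S = 1 / sqrt(2)

# Operators U0..U3 exactly as defined in Eq. (5.2), as 2x2 row-major matrices.
U = {
    "U0": [[1, 0], [0, 1]],
    "U1": [[1, 0], [0, -1]],
    "U2": [[0, 1], [1, 0]],
    "U3": [[0, 1], [-1, 0]],
}

# Bell states on Alice's pair (A, D), keyed by the r1r2 bits used in Table 5.1.
# Entry [a][d] is the amplitude of |a d>.
BELL = {
    "00": [[S, 0], [0, S]],    # phi+
    "01": [[S, 0], [0, -S]],   # phi-
    "10": [[0, S], [S, 0]],    # psi+
    "11": [[0, S], [-S, 0]],   # psi-
}

# Table 5.1: (r1 r2 r3) -> operator the receiver has to apply.
TABLE = {"000": "U0", "001": "U1", "010": "U1", "011": "U0",
         "100": "U2", "101": "U3", "110": "U3", "111": "U2"}

HADAMARD = [[S, S], [S, -S]]


def ghz(a, b, c):
    """Amplitude of |abc> in the GHZ state of Eq. (5.1)."""
    return S if a == b == c else 0.0


def bob_after_measurements(alpha, beta, r1r2, r3):
    """Project |GHZ>_ABC (x) (alpha|0> + beta|1>)_D onto Alice's Bell outcome
    r1r2 on (A, D) and Charlie's outcome r3 on C after his Hadamard.
    Returns (outcome probability, Bob's normalized state)."""
    unknown = (complex(alpha), complex(beta))
    bob = [0j, 0j]
    for b in (0, 1):
        for a in (0, 1):
            for c in (0, 1):
                for d in (0, 1):
                    # Bell amplitudes are real, so no conjugation is needed.
                    bob[b] += (BELL[r1r2][a][d] * HADAMARD[r3][c]
                               * ghz(a, b, c) * unknown[d])
    prob = abs(bob[0]) ** 2 + abs(bob[1]) ** 2
    norm = sqrt(prob)
    return prob, [bob[0] / norm, bob[1] / norm]


def apply_op(name, state):
    """Apply one of U0..U3 to a single-qubit state."""
    m = U[name]
    return [m[0][0] * state[0] + m[0][1] * state[1],
            m[1][0] * state[0] + m[1][1] * state[1]]


def fidelity(alpha, beta, state):
    """|<phi|state>|^2 for the original |phi> = alpha|0> + beta|1>."""
    overlap = (complex(alpha).conjugate() * state[0]
               + complex(beta).conjugate() * state[1])
    return abs(overlap) ** 2


def receiver_fidelity(alpha, beta, r1r2, r3, r3_used=None):
    """Fidelity Bob reaches when he looks up U_x in Table 5.1 with r3_used.
    r3_used defaults to the true r3, i.e. the controller released its bit."""
    _, state = bob_after_measurements(alpha, beta, r1r2, r3)
    bits = r1r2 + str(r3 if r3_used is None else r3_used)
    return fidelity(alpha, beta, apply_op(TABLE[bits], state))


def check_table(alpha, beta):
    """Return {r1r2r3: (probability, fidelity)} for all eight outcomes."""
    result = {}
    for r1r2 in BELL:
        for r3 in (0, 1):
            prob, _ = bob_after_measurements(alpha, beta, r1r2, r3)
            result[r1r2 + str(r3)] = (
                prob, receiver_fidelity(alpha, beta, r1r2, r3))
    return result


if __name__ == "__main__":
    a, b = 0.6, 0.8j  # constructed sample state with |a|^2 + |b|^2 = 1
    for bits, (p, f) in sorted(check_table(a, b).items()):
        print(bits, TABLE[bits], f"p={p:.3f}", f"F={f:.3f}")
    print("wrong r3:", round(receiver_fidelity(a, b, "00", 1, r3_used=0), 4))
```

With the controller's bit, each of the eight outcomes (probability 1/8 each) is corrected to fidelity 1. With the wrong $r_3$ the fidelity is $(|\alpha|^2 - |\beta|^2)^2$, so how much a withheld $r_3$ denies the receiver depends on the state being sent.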

5.1.4 QNC Scheme Based on Prior Entanglement

Due to approximate cloning, the fidelity of the XQQ protocol is obviously smaller
than 1. For this reason, another scheme for high fidelity was designed based on the
perfect quantum network coding protocol with prior entanglement [7]. The scheme
is shown in Fig. 5.2.
Here we also use two controllers of $Con_1$ and $Con_2$. The sender $A_1$ ($A_2$) can transmit classical bits to $Con_1$ ($Con_2$) freely. The two senders share two pairs of the maximally entangled state $|\phi^+\rangle$, where the first pair has two particles $A_{1,1}$ and $A_{2,1}$, and the second pair has two particles $A_{1,2}$ and $A_{2,2}$. Here $A_{1,1}$ and $A_{1,2}$ are owned by $A_1$. The sender $A_i$ and the controller $Con_i$ ($i \in \{1, 2\}$) share a GHZ state as follows:

$$|\varphi\rangle_{A_{i,3}A_{i,4}C_i} = \frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{A_{i,3}A_{i,4}C_i} .$$

Here $A_{i,3}$ and $A_{i,4}$ are owned by $A_i$, and $C_i$ is owned by $Con_i$. The unknown quantum state to be sent by $A_i$ is $|\varphi_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$. The corresponding particle is denoted as $S_i$. Then

$$\begin{aligned}
|\varphi\rangle_{A_{i,3}A_{i,4}C_i} \otimes |\varphi\rangle_{S_i} = \frac{1}{2}\Big[\, & |\phi^+\rangle_{A_{i,3}S_i}\left(\alpha_i|00\rangle_{A_{i,4}C_i} + \beta_i|11\rangle_{A_{i,4}C_i}\right) \\
+\, & |\phi^-\rangle_{A_{i,3}S_i}\left(\alpha_i|00\rangle_{A_{i,4}C_i} - \beta_i|11\rangle_{A_{i,4}C_i}\right) \\
+\, & |\psi^+\rangle_{A_{i,3}S_i}\left(\alpha_i|11\rangle_{A_{i,4}C_i} + \beta_i|00\rangle_{A_{i,4}C_i}\right) \\
+\, & |\psi^-\rangle_{A_{i,3}S_i}\left(\alpha_i|11\rangle_{A_{i,4}C_i} - \beta_i|00\rangle_{A_{i,4}C_i}\right)\Big].
\end{aligned}$$

Fig. 5.2 Scheme based on prior entanglement

The second scheme is described as follows:

Step 1: The sender $A_i$ performs a Bell-state measurement on the particles $S_i$ ($i = 1$ or $2$) and $A_{i,3}$. Then he can obtain the classical bit string $(r_1r_2)_i$ corresponding to the Bell-state measurement result. The sender $A_i$ transmits the result $(r_1r_2)_i$ to the controller $Con_i$, respectively.
Step 2: The controller $Con_i$ performs a Hadamard operation on its particle $C_i$ and performs a single-particle measurement on $C_i$, and obtains the classical bit $(r_3)_i$ corresponding to the measurement result: $0 \to |0\rangle_C$, $1 \to |1\rangle_C$.
According to controlled teleportation, after this step the state of the particle $A_{i,4}$ becomes $|\varphi_{i+2}\rangle = (U_{x_i})^{-1} \cdot |\varphi_i\rangle$, where $U_{x_i}$ is the unitary operator chosen to reconstruct $|\varphi_i\rangle$. The value of $U_{x_i}$ can be seen in Table 5.1 (Here we need to replace $C_{i\oplus 1}$ with $C_i$ in Table 5.1).
Step 3: The sender $A_i$ performs a joint measurement on the particle $A_{i,4}$ and the particle $A_{i,i}$ in the Bell basis, and he obtains the measurement result $X_i = n_i m_i$. The state of $A_{i,i\oplus 1}$ after measurement is $U(X_{i\oplus 1})^{-1} \cdot |\varphi_{(i\oplus 1)+2}\rangle$ (Here $U(00) \to I$, $U(10) \to \sigma_Z$, $U(01) \to \sigma_X$, $U(11) \to i\sigma_Y$).
Step 4: The sender $A_i$ performs the unitary operation $U(X_i)^{-1}$ to $A_{i,i\oplus 1}$. Hence the state of the particle $A_{i,i\oplus 1}$ becomes

$$U(X_i)^{-1} \cdot U(X_{i\oplus 1})^{-1} \cdot |\varphi_{(i\oplus 1)+2}\rangle = c(X_i, X_{i\oplus 1}) \cdot U(X_1 \oplus X_2)^{-1} \cdot |\varphi_{(i\oplus 1)+2}\rangle ,$$

where $|c(X_i, X_{i\oplus 1})| = 1$. Then the sender $A_i$ sends the particle $A_{i,i\oplus 1}$ to $B_{i\oplus 1}$ via the channel $E_i$. He also sends the classical bits $X_i$ to $M_i$.
Step 5: The node $M_1$ sends $X_1 \oplus X_2$ to the node $M_2$. Also the node $M_2$ sends $X_1 \oplus X_2$ to the receivers $B_1$ and $B_2$.
Step 6: The receiver $B_i$ performs the unitary operation $U(X_1 \oplus X_2)$ to the received state $U(X_1 \oplus X_2)^{-1} \cdot |\varphi_{i+2}\rangle$. He can obtain the state $|\varphi_{i+2}\rangle$.
Step 7: If the controller $Con_i$ allows the receiver $B_i$ to obtain the original state $|\varphi_i\rangle$, he can send the classical bits $(r_1r_2r_3)_i$ to the receiver $B_i$ via the channel $H_i$. Then the receiver $B_i$ can choose the suitable operator to recover the quantum state $|\varphi_i\rangle$ according to the classical bits $(r_1r_2r_3)_i$. This process can be written as follows:

$$(U_{x_i}) \cdot |\varphi_{i+2}\rangle = (U_{x_i}) \cdot (U_{x_i})^{-1} \cdot |\varphi_i\rangle = |\varphi_i\rangle .$$

If the controller $Con_i$ forbids the receiver $B_i$ to obtain the original state, he would not transmit the classical bits $(r_1r_2r_3)_i$ to the receiver $B_i$. Without the corresponding unitary operator, $B_i$ would fail to recover the original state $|\varphi_i\rangle$ by $|\varphi_{i+2}\rangle$.

5.1.5 Performance Analysis

As we know, controlled teleportation can transmit a quantum state perfectly. All the
operations of controlled teleportation have no effect on the fidelity. Hence we can
easily obtain Theorem 1.
Theorem 1 The fidelity of the scheme with two controllers based on the XQQ protocol is smaller than 1 and larger than 1/2, specifically $F_1 \ge \frac{1}{2} + \frac{2}{81}$, $F_2 \ge \frac{1}{2} + \frac{2\sqrt{3}}{243}$. The fidelity of the scheme with two controllers based on the perfect quantum network coding protocol with prior entanglement is strictly 1.
Definition 1 If a protocol uses the network $n$ times along with other allowed resources, and communicates $m_1$, $m_2$ of sizes $n(r_1 - \delta_n)$, $n(r_2 - \delta_n)$ bits/qubits with fidelity at least $1 - \xi_n$ for $\delta_n, \xi_n \to 0$, then we say that the rate pair $(r_1, r_2)$ is achievable. The achievable rate region is the set of all achievable rate pairs [8].
In the schemes, each channel can optionally transmit one qubit or two bits as required. Note that it needs to transmit three bits $(r_1r_2r_3)_i$ via the classical channel between the controllers and the receivers. Hence we can easily conclude that it totally needs to use the network 1.5 times to transmit two source qubits across in two schemes, i.e., $(r_1, r_2) = \left(\frac{2}{3}, \frac{2}{3}\right)$. Obviously, the rate region of the schemes would be $\left\{(r_1, r_2) \mid r_1, r_2 \le \frac{2}{3}\right\}$.

Table 5.2 Performance comparison

Scheme    Fidelity   Rate region                                     Quantum channels
XQQ       <1         $\{(r_1, r_2) \mid r_1, r_2 \le 1\}$            7
Scheme1   <1         $\{(r_1, r_2) \mid r_1, r_2 \le \frac{2}{3}\}$  7
PE        =1         $\{(r_1, r_2) \mid r_1, r_2 \le 1\}$            2
Scheme2   =1         $\{(r_1, r_2) \mid r_1, r_2 \le \frac{2}{3}\}$  2

Fig. 5.3 Wiretap attack model

Furthermore, the second scheme needs only two quantum channels and therefore consumes fewer resources than the first scheme. In summary, the comparison between the schemes and the reference schemes is shown in Table 5.2.

5.1.6 Security Analysis

In the schemes, without the controllers, the receivers cannot obtain the quantum states from the senders. This means that the schemes can effectively defend against wiretap attack if the controllers can communicate with the receivers safely. The wiretap attack model is shown in Fig. 5.3. For the first scheme, without the information $U_{x_2}$ from the controller, which can be treated as a communication key, any attacker would fail to obtain the original quantum state $|\varphi_1\rangle$ from the sender even if he can capture $Q_7$ and $Q_4'$. For the second scheme, the related information is listed in the brackets of Fig. 5.3.
To assure the security of the communication between the controllers and the receivers, we can replace the classical channels between them with quantum channels by means of the simple QSDC protocol [9]. The controllers can produce some particles that correspond to the measurement results. After the receivers obtain all the particles, the controllers tell them the base vector of every particle. Then by measuring these particles with the corresponding base vector, the receivers can obtain the measurement results. Any wiretap attack will distort the quantum state of these particles if it attempts to measure the particles. Note that the controllers tell the receivers the base vectors only after the receivers obtain all the particles. Hence an attacker cannot own the particles and the base vectors simultaneously. Obviously the schemes can defend against the wiretap attack as shown in Fig. 5.3.
Moreover, the second scheme intrinsically needs more classical channels, which would be susceptible to tampering attacks. Comparatively, the first scheme, whose channels are all quantum channels, achieves higher security against tampering attacks.

5.1.7 Discussion

According to the above analysis, we can conclude that the first scheme can be applied where higher security and lower fidelity are needed while the second scheme can be applied where higher fidelity and lower security are needed.
Furthermore, the two schemes realize the control of decoding processes at the expense of a decrease of the rate region from $\{(r_1, r_2) \mid r_1, r_2 \le 1\}$ to $\left\{(r_1, r_2) \mid r_1, r_2 \le \frac{2}{3}\right\}$ as described in Table 5.2 and extra consumption of resources, including two GHZ states, $|\varphi\rangle_{A_{1,3}A_{1,4}C_2}$ and $|\varphi\rangle_{A_{2,3}A_{2,4}C_1}$ for Scheme1, $|\varphi\rangle_{A_{1,3}A_{1,4}C_1}$ and $|\varphi\rangle_{A_{2,3}A_{2,4}C_2}$ for Scheme2, and two additional channels $H_1$ and $H_2$, in comparison with the schemes without security consideration.
The key idea of the schemes is that we first perform a unitary operation on the quantum state to be sent by means of controlled teleportation, so that the controller becomes the only one who knows the operator after the measurement. The first scheme can be generalized to the multicast case by minor adjustments. As we know, the main idea of the XQQ protocol is the discretization of the quantum state $|\varphi_2\rangle$ upon which the encoding of $|\varphi_1\rangle$ depends. On this basis, we can control the decoding processes of receivers by controlling the transmission of $Q_2$ with one controller. Thus we can apply this idea to the multicast case where the decoding processes of all destination nodes are controlled by one controller. Obviously, the second scheme is not suitable for the multicast case, because the quantum state upon which the decoding process depends at each destination is different.
In the butterfly network, it is better to introduce a controller for each receiver. By means of two controllers of two streams, we can control the decoding processes of two different streams separately. Furthermore, if the network is generalized to the model of the k-pair problem, we can specify some sender-receiver pairs to complete decoding arbitrarily by introducing different controllers, which could be of great benefit to realize access control between these receivers.

5.2 Secure Quantum Network Coding with Identity Authentication

5.2.1 Requirement of Identity Authentication

The rapid development of quantum networks has also exposed some security issues of quantum information transmission. Researchers have explored the design of various quantum security mechanisms. In particular, the scheme of transmitting information in quantum channels directly, namely quantum secure direct communication (QSDC) [1], has drawn more and more attention. However, the QSDC schemes based on teleportation depend on classical measurement results. This means that senders must transmit these classical bits via classical channels to receivers, which introduces a hidden danger due to the unreliability of classical communication. Obviously, if the measurement results are governed by a trusted third party, the security of QSDC will be greatly enhanced.
Similarly, many quantum network coding schemes still rely on classical channels, which are vulnerable to some active attacks. Due to the unreliability of classical channels, attackers can easily wiretap and falsify data packets so as to impede message recovery. Then Shang et al. [10] proposed the controlled quantum network coding scheme based on controlled teleportation. In this scheme, the decoding processes of the receivers rely on the measurement result which is governed by the controller. The controller sends the measurement result to the receivers to complete decoding on the premise that the receivers communicate with the controller safely. Hence it is necessary to authenticate the identity of the receivers to defend against active attacks, such as impersonation attack and wiretap attack.
Following this idea, we focus on a new quantum network coding scheme with identity authentication [11] in this section. By introducing an identity authentication mechanism into the controlled quantum network coding scheme, the scheme will have better potential to enhance the security of communication in the quantum network.

5.2.2 Quantum Security Direct Communication

QSDC schemes aim to transmit quantum state securely and directly between two
parties. Thus it is meaningful to introduce the QSDC schemes into the implementation
of quantum identity authentication between the controller and the receiver in the
butterfly network.
Researchers have designed many QSDC schemes which are based on teleporta-
tion, entanglement swapping, single particle and so on. A simple QSDC protocol
based on the delayed choice BB84 protocol [9] is described as follows:
Assume Alice wants to transmit some classical bits (0 or 1) to Bob. She can produce some particles corresponding to the classical bits as follows: $|0\rangle$ or $|+\rangle \to 0$, $|1\rangle$ or $|-\rangle \to 1$. Then she transmits these particles to Bob. After Bob obtains all the particles, Alice tells him the base vector of every particle ($|0\rangle|1\rangle$ basis or $|+\rangle|-\rangle$ basis). Then by measuring these particles with the corresponding base vector, Bob can obtain the classical bits. Any wiretap attack will distort the quantum state of these particles if it attempts to measure the particles. Note that Alice tells Bob the base vectors only after Bob obtains all the particles. Hence any attacker cannot own both the particles and the base vectors simultaneously. This means any attacker can not capture the particles and obtain the classical bits by measurement. In other words, Alice can transmit her classical information to Bob securely via the quantum channel.
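
The statement that measuring without the base vectors distorts the particles can be quantified for the simplest case, an interceptor who measures each particle in a guessed basis and resends what was read. The Python below is an added example, not part of the book; the intercept-and-resend model and all function names are assumptions made for illustration.

```python
from itertools import product
from math import sqrt

S = 1 / sqrt(2)

# Encoding from the text: |0> or |+> carries bit 0, |1> or |-> carries bit 1.
# "Z" is the |0>|1> basis, "X" is the |+>|-> basis.
STATES = {
    ("Z", 0): (1.0, 0.0), ("Z", 1): (0.0, 1.0),
    ("X", 0): (S, S),     ("X", 1): (S, -S),
}


def outcome_probs(state, basis):
    """Probabilities of reading bit 0 and bit 1 when `state` is measured in `basis`."""
    probs = []
    for bit in (0, 1):
        ref = STATES[(basis, bit)]
        probs.append((ref[0] * state[0] + ref[1] * state[1]) ** 2)
    return probs


def honest_error_rate():
    """No interception: Bob measures in the basis Alice announces afterwards.
    Returns the probability that Bob's bit differs from Alice's."""
    total = 0.0
    for basis, bit in product("ZX", (0, 1)):
        total += outcome_probs(STATES[(basis, bit)], basis)[1 - bit]
    return total / 4


def intercept_resend():
    """An interceptor who does not know the basis measures in a guessed basis
    and resends the state that was read.
    Returns (P[interceptor reads Alice's bit], P[Bob's bit is flipped])."""
    reads_bit = bob_flipped = 0.0
    for basis, bit, guess in product("ZX", (0, 1), "ZX"):
        weight = 1 / 8  # uniform over Alice's basis, Alice's bit and the guess
        sent = STATES[(basis, bit)]
        for read, p_read in enumerate(outcome_probs(sent, guess)):
            resent = STATES[(guess, read)]
            # Bob measures in Alice's basis, which he learns only afterwards.
            p_flip = outcome_probs(resent, basis)[1 - bit]
            reads_bit += weight * p_read * (read == bit)
            bob_flipped += weight * p_read * p_flip
    return reads_bit, bob_flipped


def prob_some_bit_flipped(n):
    """Probability that at least one of n intercepted particles reaches Bob flipped."""
    _, flip = intercept_resend()
    return 1 - (1 - flip) ** n


if __name__ == "__main__":
    print("error rate without interception:", round(honest_error_rate(), 6))
    reads, flipped = intercept_resend()
    print("interceptor reads the bit:", round(reads, 6))
    print("Bob's bit flipped:", round(flipped, 6))
    print("at least one flip in 8 particles:", round(prob_some_bit_flipped(8), 4))
```

The interceptor reads each bit correctly with probability 3/4 and flips Bob's bit with probability 1/4, so the distortion becomes visible only when Bob's results are compared against values Alice knows.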

5.2.3 QNC Scheme with Identity Authentication

A secure quantum network coding scheme was designed by introducing identity authentication into the communication between the controller and the receiver. The classical bits $r_1r_2r_3$ would be transmitted to the receivers to complete decoding only when the controller verifies the identity of the receiver. Due to approximate cloning, the fidelity of the XQQ protocol is obviously smaller than 1. For this reason, a scheme for high fidelity based on the perfect quantum network coding protocol with prior entanglement [7] was designed and its fidelity is 1. Here four operators are defined for convenience as follows:

$$\begin{aligned}
U_0 &= |0\rangle\langle 0| + |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \\
U_1 &= |0\rangle\langle 0| - |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \\
U_2 &= |1\rangle\langle 0| + |0\rangle\langle 1| = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \\
U_3 &= |0\rangle\langle 1| - |1\rangle\langle 0| = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}.
\end{aligned}$$

The network model is shown in Fig. 5.4.


Different from the prior work, we add two controllers of $Con_1$ and $Con_2$ to authenticate the receivers so as to control the decoding process of each destination node, respectively. The sender $A_1$ ($A_2$) can transmit classical bits to $Con_1$ ($Con_2$) freely. The two senders share two pairs of the maximally entangled state $|\phi^+\rangle$, where the first pair has two particles $A_{1,1}$ and $A_{2,1}$, and the second pair has two particles $A_{1,2}$ and $A_{2,2}$. Here $A_{1,1}$ and $A_{1,2}$ are owned by $A_1$. The sender $A_i$ and the controller $Con_i$ ($i \in \{1, 2\}$) share two identical GHZ states as follows:

$$|\varphi\rangle_{A_{i,3}A_{i,4}C_i} = \frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{A_{i,3}A_{i,4}C_i},$$

$$|\varphi\rangle_{A_{i,5}A_{i,6}C_{i0}} = \frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{A_{i,5}A_{i,6}C_{i0}} .$$

Here $A_{i,3}$, $A_{i,4}$, $A_{i,5}$, $A_{i,6}$ are owned by $A_i$, and $C_i$, $C_{i0}$ are owned by $Con_i$. The unknown quantum state to be sent by $A_i$ is $|\varphi_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$. The corresponding particle is denoted as $S_i$. Then

$$\begin{aligned}
|\varphi\rangle_{A_{i,3}A_{i,4}C_i} \otimes |\varphi\rangle_{S_i} = \frac{1}{2}\Big[\, & |\phi^+\rangle_{A_{i,3}S_i}\left(\alpha_i|00\rangle_{A_{i,4}C_i} + \beta_i|11\rangle_{A_{i,4}C_i}\right) \\
+\, & |\phi^-\rangle_{A_{i,3}S_i}\left(\alpha_i|00\rangle_{A_{i,4}C_i} - \beta_i|11\rangle_{A_{i,4}C_i}\right) \\
+\, & |\psi^+\rangle_{A_{i,3}S_i}\left(\alpha_i|11\rangle_{A_{i,4}C_i} + \beta_i|00\rangle_{A_{i,4}C_i}\right) \\
+\, & |\psi^-\rangle_{A_{i,3}S_i}\left(\alpha_i|11\rangle_{A_{i,4}C_i} - \beta_i|00\rangle_{A_{i,4}C_i}\right)\Big].
\end{aligned}$$

Fig. 5.4 Secure quantum network coding with identity authentication

The secure quantum network coding scheme with identity authentication includes four core parts: Setup, Transmission, Authentication, and Decoding, as described in the following part:
(1) Setup
Step 1: EPR pair distribution. The sender $A_i$ and the receiver $B_i$ share a prior entanglement $|\phi^+\rangle_{V_{i1}V_{i2}} = \frac{1}{\sqrt{2}}\left(|0_{V_{i1}}0_{V_{i2}}\rangle + |1_{V_{i1}}1_{V_{i2}}\rangle\right)$. $A_i$ owns the particle $V_{i1}$ and $B_i$ owns the particle $V_{i2}$.
Step 2: GHZ state distribution. Here the first GHZ state, namely $|\varphi\rangle_{A_{i,3}A_{i,4}C_i}$, would be used to transmit the unknown states, while the second GHZ state $|\varphi\rangle_{A_{i,5}A_{i,6}C_{i0}}$ would be used for authentication.
(2) Transmission
Step 1: The sender $A_i$ performs a Bell-state measurement on the particles $S_i$ ($i = 1$ or $2$) and $A_{i,3}$. Then it can obtain the classical bit string $(r_1r_2)_i$ corresponding to the Bell-state measurement result. The sender $A_i$ transmits the result $(r_1r_2)_i$ to the controller $Con_i$, respectively.
Step 2: The controller $Con_i$ performs a Hadamard operation on its particle $C_i$ and performs a single-particle measurement on $C_i$, and obtains the classical bit $(r_3)_i$ corresponding to the measurement result: $0 \to |0\rangle_C$, $1 \to |1\rangle_C$.
According to controlled teleportation, after this step the state of the particle $A_{i,4}$ becomes $|\varphi_{i+2}\rangle = (U_{x_i})^{-1} \cdot |\varphi_i\rangle$, where $U_{x_i}$ is the unitary operator chosen to reconstruct $|\varphi_i\rangle$. The value of $U_{x_i}$ can be seen in Table 5.3.
Step 3: The sender $A_i$ performs a joint measurement on the particle $A_{i,4}$ and the particle $A_{i,i}$ in the Bell basis, and it obtains the measurement result $X_i = n_i m_i$. The state of $A_{i,i\oplus 1}$ after measurement is $U(X_{i\oplus 1})^{-1} \cdot |\varphi_{(i\oplus 1)+2}\rangle$ (here $U(00) \to I$, $U(10) \to \sigma_Z$, $U(01) \to \sigma_X$, $U(11) \to i\sigma_Y$).
Step 4: The sender $A_i$ performs the unitary operation $U(X_i)^{-1}$ to $A_{i,i\oplus 1}$. Hence the state of the particle $A_{i,i\oplus 1}$ becomes

$$U(X_i)^{-1} \cdot U(X_{i\oplus 1})^{-1} \cdot |\varphi_{(i\oplus 1)+2}\rangle = c(X_i, X_{i\oplus 1}) \cdot U(X_1 \oplus X_2)^{-1} \cdot |\varphi_{(i\oplus 1)+2}\rangle ,$$

where $|c(X_i, X_{i\oplus 1})| = 1$. Then the sender $A_i$ sends the particle $A_{i,i\oplus 1}$ to $B_{i\oplus 1}$ via the channel $E_i$. It also sends the classical bits $X_i$ to $M_i$.
Step 5: The node $M_1$ sends $X_1 \oplus X_2$ to the node $M_2$. Also the node $M_2$ sends $X_1 \oplus X_2$ to the receivers $B_1$ and $B_2$.
Step 6: The receiver $B_i$ performs the unitary operation $U(X_1 \oplus X_2)$ to the received state $U(X_1 \oplus X_2)^{-1} \cdot |\varphi_{i+2}\rangle$. It can obtain the state $|\varphi_{i+2}\rangle$.
(3) Authentication
Step 1: The sender $A_i$ transmits the particle $V_{i1}$ across the butterfly network by means of the second GHZ state $|\varphi\rangle_{A_{i,5}A_{i,6}C_{i0}}$, which is similar to the process of the “Transmission” part.
Obviously, the controller $Con_i$ would obtain a classical bit string (denoted as $(K_1K_2K_3)_i$) as the measurement result. Besides, the receiver $B_i$ would receive a state $U_{K_i}^{-1} \cdot |\varphi\rangle_{V_{i1}}$ (here $U_{K_i}$ is the unitary operator corresponding to $(K_1K_2K_3)_i$ according to Table 5.3).
Step 2: The receiver $B_i$ performs a Bell-state measurement on the particles $V_{i1}$ and $V_{i2}$, and obtains a Bell state $|\varphi\rangle_{V_{i1}V_{i2}}$. Comparing with the original state $|\phi^+\rangle_{V_{i1}V_{i2}}$, $B_i$ can obtain $U_{K_i}$.
Step 3: The controller $Con_i$ transmits $(K_3)_i$ to the receiver $B_i$ via the channel $H$. According to $U_{K_i}$ and $(K_3)_i$, $B_i$ can obtain a classical bit string $(V_1V_2V_3)_i$ which corresponds to $U_{K_i}$ according to Table 5.3. $(V_1V_2V_3)_i$ can be treated as the key of $B_i$.
Step 4: The receiver $B_i$ transmits $(V_1V_2)_i$ to $Con_i$ to request authentication by the QSDC protocol which is described in the related work. Then if $(V_1V_2)_i = (K_1K_2)_i$, $Con_i$ would confirm the identity of $B_i$ and allow $B_i$ to decode. Otherwise $Con_i$ would refuse to participate in decoding.
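Table 5.3 Measurement results of the particles and the corresponding $U_{x_i}$ operator

$|\phi\rangle_{A_{i,3}S_i}$             $|\phi\rangle_{C_i}$   $|\phi\rangle_{A_{i,4}} = |\phi_{i+2}\rangle$               $(r_1r_2r_3)_i$   $U_{x_i}$
--------------------------------------------------------------------------------------------------------------------------------
$|\varphi^{+}\rangle_{A_{i,3}S_i}$      $|0\rangle_{C_i}$      $\alpha_i|0\rangle_{A_{i,4}} + \beta_i|1\rangle_{A_{i,4}}$   000               $U_0$
$|\varphi^{+}\rangle_{A_{i,3}S_i}$      $|1\rangle_{C_i}$      $\alpha_i|0\rangle_{A_{i,4}} - \beta_i|1\rangle_{A_{i,4}}$   001               $U_1$
$|\varphi^{-}\rangle_{A_{i,3}S_i}$      $|0\rangle_{C_i}$      $\alpha_i|0\rangle_{A_{i,4}} - \beta_i|1\rangle_{A_{i,4}}$   010               $U_1$
$|\varphi^{-}\rangle_{A_{i,3}S_i}$      $|1\rangle_{C_i}$      $\alpha_i|0\rangle_{A_{i,4}} + \beta_i|1\rangle_{A_{i,4}}$   011               $U_0$
$|\psi^{+}\rangle_{A_{i,3}S_i}$         $|0\rangle_{C_i}$      $\alpha_i|1\rangle_{A_{i,4}} + \beta_i|0\rangle_{A_{i,4}}$   100               $U_2$
$|\psi^{+}\rangle_{A_{i,3}S_i}$         $|1\rangle_{C_i}$      $\alpha_i|1\rangle_{A_{i,4}} - \beta_i|0\rangle_{A_{i,4}}$   101               $U_3$
$|\psi^{-}\rangle_{A_{i,3}S_i}$         $|0\rangle_{C_i}$      $\alpha_i|1\rangle_{A_{i,4}} - \beta_i|0\rangle_{A_{i,4}}$   110               $U_3$
$|\psi^{-}\rangle_{A_{i,3}S_i}$         $|1\rangle_{C_i}$      $\alpha_i|1\rangle_{A_{i,4}} + \beta_i|0\rangle_{A_{i,4}}$   111               $U_2$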

(4) Decoding
Step 1: If the controller $\mathrm{Con}_i$ allows the receiver $B_i$ to obtain the original state $|\phi_i\rangle$, it can send the classical bits $(r_1r_2r_3)_i \oplus (K_1K_2)_i$ to the receiver $B_i$ via the channel $H_i$. Then the receiver $B_i$ can calculate $(r_1r_2r_3)_i$ by $(r_1r_2r_3)_i \oplus (K_1K_2)_i \oplus (V_1V_2)_i$. Then it can choose a suitable operator to recover the quantum state $|\phi_i\rangle$ according to the classical bits $(r_1r_2r_3)_i$. This process can be written as follows:

$$U_{x_i} \cdot |\phi_{i+2}\rangle = U_{x_i} \cdot (U_{x_i})^{-1} \cdot |\phi_i\rangle = |\phi_i\rangle.$$

Step 2: If the controller $\mathrm{Con}_i$ forbids the receiver $B_i$ to obtain the original state, it would not transmit the classical bits $(r_1r_2r_3)_i$ to the receiver $B_i$. Obviously, without the corresponding unitary operator, $B_i$ would fail to recover the original state $|\phi_i\rangle$ from $|\phi_{i+2}\rangle$.

5.2.4 Performance Analysis

As we know, Hayashi’s protocol with prior entanglement between the senders can transmit quantum states perfectly across the butterfly network, which means its fidelity is 1. Furthermore, controlled teleportation can also transmit a quantum state perfectly, which means all operations of controlled teleportation have no effect on the fidelity, namely $\rho = |\psi_0\rangle$. Hence we can easily obtain Theorem 2.
Theorem 2 The fidelity of the quantum network coding scheme with identity authentication is strictly 1.

Theorem 3 The rate region of the scheme is $\{(r_1, r_2) \mid r_1, r_2 \le \frac{2}{3}\}$.

Proof It is worth noting that each channel can optionally transmit one qubit or two bits as required in the scheme. Note that it needs to transmit three bits $(r_1r_2r_3)_i$ via the classical channel between the controllers and the receivers. Hence we can easily conclude that it totally needs to use the network 1.5 times to transmit two source qubits across, i.e., $(r_1, r_2) = \left(\frac{2}{3}, \frac{2}{3}\right)$. Obviously, the rate region of the scheme would be $\{(r_1, r_2) \mid r_1, r_2 \le \frac{2}{3}\}$.
Besides, it would need 2n GHZ states for transmission and two extra GHZ states
for authentication to transmit n qubits from A1 to B1 and A2 to B2 , respectively.
In summary, the scheme realizes identity authentication at the expense of a slight decline of the rate region and a little more resource. Thus it is a feasible scheme for quantum network coding.

5.2.5 Security Analysis

In this scheme, without the controllers, the receivers cannot obtain the quantum states
from the senders. This means that the security of the scheme mainly depends on the
authentication mechanism between the controllers and the receivers.
Theorem 4 No attacker can obtain the key $(V_1V_2V_3)_i$ of $B_i$ by wiretapping the butterfly network.
Proof As described in the scheme, $U_{K_i}$ is necessary to calculate $(V_1V_2V_3)_i$. Moreover, $U_{K_i}$ corresponds to two values of $(V_1V_2V_3)_i$ according to Table 5.3. For example, if $U_{K_i} = U_1$, the classical bit string would be $(V_1V_2V_3)_i = 001$ or $(V_1V_2V_3)_i = 010$. Thus $(K_3)_i$ from $\mathrm{Con}_i$ is also indispensable to confirm the value of $(V_1V_2V_3)_i$. As shown in Fig. 5.5, even if an attacker can capture the particle $U_{K_i}^{-1} \cdot |\phi\rangle_{V_{i1}}$ and $(K_3)_i$ from $\mathrm{Con}_i$, he still cannot obtain $(V_1V_2V_3)_i$. Without the particle $V_{i2}$, which is owned by $B_i$, an attacker cannot obtain $U_{K_i}$ by performing a measurement on the single particle $V_{i1}$. Hence we have Theorem 4.

Theorem 5 No attacker can obtain the key $(V_1V_2V_3)_i$ of $B_i$ by wiretapping the communication between the controller $\mathrm{Con}_i$ and the receiver $B_i$.

Fig. 5.5 Wiretap attack aiming to obtain the key from the butterfly network

Fig. 5.6 Wiretap attack aiming to obtain the key from the auxiliary channel

Fig. 5.7 Attack model

Proof As shown in Fig. 5.6, $B_i$ needs to transmit $(V_1V_2)_i$ to $\mathrm{Con}_i$ to complete identity authentication after $B_i$ obtains $(V_1V_2V_3)_i$. Here we transmit $(V_1V_2)_i$ by the QSDC protocol described in the related work. Thus no attacker can obtain $(V_1V_2)_i$ by wiretapping the communication between $\mathrm{Con}_i$ and $B_i$. Thus we have Theorem 5.

Obviously, $(V_1V_2)_i$ is necessary to complete identity authentication. According to the above theorems, no attacker can obtain the key $(V_1V_2)_i$. Hence we can conclude that any impersonation attack would be found by the controller $\mathrm{Con}_i$. Besides, in the decoding process the controller $\mathrm{Con}_i$ transmits $(r_1r_2r_3)_i \oplus (K_1K_2)_i$ to the receiver $B_i$. Without $(V_1V_2)_i$, no attacker can obtain $(r_1r_2r_3)_i$. As shown in Fig. 5.7, any attacker would fail to obtain $|\phi_i\rangle$ even if he can capture the state $|\phi_{i+2}\rangle$. Thus this scheme can defend against impersonation attack and wiretap attack.
It is worth noting that the value of $(K_1K_2K_3)_i$ would fall into one of eight possible results at random in the authentication process. This means that the key of $B_i$ differs each time we choose to authenticate the identity of $B_i$. This also enhances the security of this scheme.
5.3 Summary

In this chapter, we introduced a trusted third party into quantum network coding schemes to realize the control of the decoding process of the receivers. The senders will fail to transmit quantum information to the receivers without the participation of the controllers. Then we introduced a secure quantum network coding scheme with identity authentication between the controller and the receiver. Performance analysis demonstrates that the scheme can authenticate the identity of the receivers at the expense of an acceptable decline of the rate region and a little more resource. Furthermore, by means of the quantum identity authentication mechanism, the scheme can effectively defend against some active attacks, such as impersonation attack and wiretap attack.

References

1. Beige, A., Englert, B.G., Kurtsiefer, C., et al.: Secure communication with a publicly known
key. Acta Phys. Pol. A 101(3), 357–368 (2002)
2. Chen, X.B., Wang, T.Y., Du, J.Z., et al.: Controlled quantum secure direct communication with
quantum encryption. Int. J. Quantum Inf. 6(3), 543–551 (2008)
3. Chen, X.B., Xu, G., Yang, Y.X., et al.: Centrally controlled quantum teleportation. Opt. Com-
mun. 283(23), 4802–4809 (2010)
4. Shang, T., Zhao, X.J., Liu, J.W.: Quantum network coding based on controlled teleportation.
IEEE Commun. Lett. 18(5), 865–868 (2014)
5. Zhou, J.D., Hao, G., Wu, S.J.: Controlled teleportation of an arbitrary multi-qudit state in a
general form with d-dimensional Greenberger-Horne-Zeilinger states. Chin. Phys. Lett. 24(5),
1151–1153 (2007)
6. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
7. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys Rev A 76(4), 040301 (2007)
8. Nishimura, H.: Quantum network coding - How can network coding be applied to quantum
information? In: International Symposium on Network Coding (NetCod), pp. 1–5 (2013)
9. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: On the information-splitting essence of two types of
quantum key distribution protocols. Phys Lett A 355(3), 172–175 (2005)
10. Shang, T., Zhao, X.J., Wang, C., Liu, J.W.: Controlled quantum network coding scheme. Chin
J Electron 42(3), 1–6 (2014)
11. Zhao, X.J., Shang, T., Li, J., Wang, C.: A secure quantum network coding scheme with identity
authentication. Sens. Lett. 12(2), 460–465 (2014)
Chapter 6
Opportunistic Quantum Network Coding

Opportunistic coding can take advantage of channel characteristics to maximize the gain from network coding. The achievement of air-to-ground quantum key distribution represents a key milestone towards quantum communication in free space. Thus it is worth asking whether quantum network coding with opportunistic characteristic is also feasible or not. In this chapter, we introduce a quantum network coding scheme with opportunistic characteristic by taking full advantage of the channel characteristic of quantum teleportation. The problem of how to distinguish between a legal listener and an illegal eavesdropper is well solved.

6.1 Opportunistic Characteristic of Network Coding

Network coding theory [1] greatly improves network throughput and is a major milestone in the information field. On account of the broadcasting nature of the wireless medium, wireless network coding has attracted much attention from researchers. In order to maximize the gain from network coding, there have been two alternative approaches to developing interflow network coding protocols, based on either opportunistic coding or coordinated coding [2]. In deriving the upper bounds of coding gain, it is often necessary to make assumptions about a particular coding structure, such as coding opportunities at a hotspot. As a paradigm of wireless network coding protocols, “COPE” (complete opportunity encoding) [3] allows nodes to combine more than two packets together through opportunistic listening. Relay nodes can learn neighbor states through opportunistic listening so that they can make an optimal coding option to ensure more neighbors can decode encoded packets. However, opportunistic coding such as in COPE may miss several coding opportunities, depending on the order in which nodes in a neighborhood transmit packets. Then the use of coordinated network coding was proposed, in which transmissions of neighboring nodes are scheduled with the goal of maximizing the gain from network coding. The key idea of these works is to strengthen the cooperation and maximize the gain from network coding.
© Springer Nature Singapore Pte Ltd. 2020 105
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_6
As we know, these existing schemes cannot provide an opportunistic characteristic like that of COPE for a quantum network. Recently, the achievement of air-to-ground quantum key distribution [4] represents a key milestone towards quantum communication in free space. Thus it is worth asking whether quantum network coding with opportunistic characteristic is also feasible or not.
Our objective is to strengthen the cooperation by virtue of opportunistic characteristics and maximize the gain from network coding. From the viewpoint of motivation, an opportunistic quantum network coding scheme is considered to provide opportunistic characteristic for a quantum network so as to improve network performance. Since the demand for channel listening conflicts with the fact that a quantum channel cannot be overheard without disturbance, it is a key issue to provide a feasible approach to channel listening and to distinguish between legal listening and illegal eavesdropping in quantum communication.
Inspired by the characteristic of mixed channels of quantum teleportation, an opportunistic quantum network coding scheme was presented to solve the above problem by utilizing the quantum channel for secure transmission of quantum states and the classical channel for both opportunistic listening to neighbor states and opportunistic coding by means of broadcasting measurement outcomes [5].

6.2 Classical Opportunistic Coding

COPE [3] is a practical forwarding architecture that substantially improves the throughput of wireless networks. It detects coding opportunities and exploits them to forward multiple packets in a single transmission. In particular, it relies heavily on opportunistic listening to all the transmissions in a node’s neighborhood in order to identify coding opportunities.
COPE incorporates three main techniques as follows:
(1) Opportunistic listening
It sets the nodes to snoop on all communications over the wireless medium and store the overheard packets for a limited period. In addition, each node broadcasts reception reports to tell its neighbors which packets it has stored.
(2) Opportunistic coding
Packets from multiple unicast flows may be encoded together at some intermediate hops. The nodes that perform encoding should aim to maximize the number of native packets delivered in a single transmission, while ensuring that each intended nexthop has enough information to decode its native packet. This can be achieved using the following simple rule: to transmit n packets, $P_1, \ldots, P_n$, to n nexthops, $r_1, \ldots, r_n$, a node can XOR (exclusive OR) the n packets together only if each nexthop $r_i$ has all $n-1$ packets $P_j$ for $j \ne i$. Opportunistic coding is illustrated in Fig. 6.1. Relay node R has four packets $P_1$, $P_2$, $P_3$, and $P_4$. Each coding option for R yields a different result. R obtains the states of its neighbors by listening to them and chooses to broadcast the encoded packet $P_1 \oplus P_3 \oplus P_4$, which seems to be the best option because it allows all neighbors to decode a native packet at once.
Fig. 6.1 Opportunistic coding. Relay R holds P1, P2, P3, P4; the packet stores shown at its neighbors are (P1, P4), (P3, P4) and (P1, P3).

Coding option        Benefited node
P1 ⊕ P2              B(P2), C(P2)
P1 ⊕ P3              A(P1), C(P3)
P1 ⊕ P3 ⊕ P4         A(P1), B(P4), C(P3)

(3) Learning neighbor state


As explained earlier, each node broadcasts reception reports to tell neighbors its packet state. When the network suffers from congestion, reception reports might arrive too late or even get lost. Therefore, a node cannot rely only on reception reports, but also needs to guess whether a neighbor has the packet.
In conclusion, COPE is executed by overhearing and broadcasting packets. The characteristic of overhearing generates coding opportunities that can benefit both encoding and decoding, and reduces the number of packet transmissions, thus improving network throughput.
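The coding rule of technique (2), worked on the options listed with Fig. 6.1, as an added example that is not code from the book or from COPE. The neighbor stores are an assumption inferred from the coding-option table (A holds P3 and P4, B holds P1 and P3, C holds P1 and P4), and the payload bytes are constructed.

```python
from itertools import combinations

# Assumption inferred from the coding-option table of Fig. 6.1: the native
# packets each neighbor of relay R already stores.
STORES = {"A": {"P3", "P4"}, "B": {"P1", "P3"}, "C": {"P1", "P4"}}
QUEUE = ["P1", "P2", "P3", "P4"]          # packets waiting at R
# Constructed 4-byte payloads so the XOR decoding can be checked end to end.
PAYLOAD = {"P1": b"\x10\x11\x12\x13", "P2": b"\x20\x21\x22\x23",
           "P3": b"\x30\x31\x32\x33", "P4": b"\x40\x41\x42\x43"}


def xor_bytes(*chunks):
    """Bytewise XOR of equally long byte strings."""
    if len({len(c) for c in chunks}) != 1:
        raise ValueError("packets must be padded to the same length before XOR")
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def benefited(combo, stores):
    """Map neighbor -> native packet it can recover from XOR(combo).

    A neighbor can decode only if it stores every packet of the combination
    except exactly one (nexthop r_i has all n-1 packets P_j, j != i).
    """
    result = {}
    for node, have in stores.items():
        missing = [p for p in combo if p not in have]
        if len(missing) == 1:
            result[node] = missing[0]
    return result


def best_option(queue, stores):
    """Exhaustive search (fine for a short queue) for the combination that
    delivers the most distinct native packets in one transmission; ties are
    broken by the number of benefited neighbors."""
    best, best_gain, best_score = (), {}, (0, 0)
    for size in range(1, len(queue) + 1):
        for combo in combinations(queue, size):
            gain = benefited(combo, stores)
            score = (len(set(gain.values())), len(gain))
            if score > best_score:
                best, best_gain, best_score = combo, gain, score
    return best, best_gain


def decode(node, combo, coded, stores, payload):
    """Neighbor side: XOR the coded packet with the stored members of combo."""
    known = [payload[p] for p in combo if p in stores[node]]
    return xor_bytes(coded, *known)


if __name__ == "__main__":
    combo, gain = best_option(QUEUE, STORES)
    coded = xor_bytes(*(PAYLOAD[p] for p in combo))
    print("broadcast", " xor ".join(combo))
    for node, packet in sorted(gain.items()):
        assert decode(node, combo, coded, STORES, PAYLOAD) == PAYLOAD[packet]
        print(node, "recovers", packet)
```

XOR-ing all four packets benefits nobody under these stores, because every neighbor would be missing two members of the combination.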

6.3 Quantum Channel Verification

Quantum communication provides unconditional security guaranteed by the Heisenberg uncertainty principle and quantum no-cloning theory. Based on these quantum characteristics, quantum channel verification is used to check the integrity of a quantum channel, and further to judge whether there exists an attack. Many schemes such as quantum key distribution (QKD), quantum secure direct communication (QSDC) and quantum identity authentication (QIA) have adopted the related methods based on single particles, quantum teleportation, entanglement swapping, and so on.
The first quantum key distribution protocol BB84 [6] uses a sequence of single photons and the bit information of the measurement bases to evaluate the quantum bit error rate (QBER). If the QBER is larger than the threshold value, the parties abort the protocol. Otherwise, they proceed to the post-processing of classical data and generate a secure key. Considering the potential of quantum teleportation for the network coding model, we focus on the quantum channel verification method for EPR pairs [7] as illustrated in Fig. 6.2.
The quantum channel verification method is described as follows:
Fig. 6.2 Quantum channel verification
Step 1: Communication parties A and B share a quantum channel which consists of n EPR pairs in advance. Each EPR pair can be expressed as

$$|\Phi^{+}\rangle_j = \frac{1}{\sqrt{2}}\left(|0\rangle_{a_j}|0\rangle_{b_j} + |1\rangle_{a_j}|1\rangle_{b_j}\right), \quad j = 1, \ldots, n$$

where $a_j$ and $b_j$ represent the particles $p_{a_j}$ and $p_{b_j}$ owned by A and B, respectively.

Step 2: A prepares an arbitrary qubit $p_m$ as measure particle.

$$|\psi_m\rangle = \cos\theta\,|0\rangle + e^{-i\phi}\sin\theta\,|1\rangle$$

where $\theta$ and $\phi$ are the secret parameters of A. Then A applies a C-Not gate on its particle $p_{a_1}$ and the measure particle $p_m$. This operation makes $p_m$ entangled with an EPR pair $p_{a_1} p_{b_1}$.

$$\begin{aligned}
|\Psi_c\rangle &= C_{a_1 m}\,|\Phi^{+}\rangle_1 \otimes |\psi_m\rangle \\
&= \sum_{i=0,1} \gamma_i \left(|0_{a_1} 0_{b_1} i_m\rangle + |1_{a_1} 1_{b_1} (i \oplus 1)_m\rangle\right) \\
&= \frac{1}{\sqrt{2}} \sum_{i=0}^{1} |i_{a_1} i_{b_1}\rangle \otimes \left(I\,\delta_{i,0} + X_m\,\delta_{i,1}\right)|\psi_m\rangle
\end{aligned} \tag{6.1}$$

where $\gamma_l = \frac{1}{\sqrt{2}}\left(\cos\theta\,\delta_{l,0} + \sin\theta\,e^{-i\phi}\,\delta_{l,1}\right)$ and $\delta_{i,j}$ is the Kronecker delta function:

$$\delta_{i,j} = \begin{cases} 1, & i = j \\ 0, & i \ne j \end{cases}$$

Then A sends the measure particle $p_m$ to B.

Step 3: B receives $p_m$ and applies a C-Not gate on $p_m$ and $p_{b_1}$, which results in

$$C_{b_1 m}\,|\Psi_c\rangle = |\Phi^{+}\rangle_1 \otimes |\psi_m\rangle \tag{6.2}$$

The above equation shows that the state $|\psi_m\rangle$ is disentangled from the combined state $|\Phi^{+}\rangle_1$, which means that the measure particle $p_m$ is independent from the EPR pair $p_{a_1} p_{b_1}$.
Step 4: B makes $p_m$ entangled with the next EPR pair $p_{a_2} p_{b_2}$ by the same operation as Step 2 through a C-Not gate, and then B sends $p_m$ back to A.
Step 5: A disentangles the entangled system to obtain an independent $p_m$. Then A measures the parameters $\theta$ and $\phi$ of $p_m$, and compares the measurement outcome with the original parameters. If they are consistent, the two EPR pairs $p_{a_1} p_{b_1}$ and $p_{a_2} p_{b_2}$ are intact. Otherwise, at least one EPR pair is disturbed.
Step 6: A and B choose a certain amount, 2h ($h \in N^{+}$, $h \le \frac{n}{2}$), of EPR pairs for quantum channel verification. If the error rate ξ satisfies ξ ≤ ξ0 + ξ0 (here ξ0 represents average influence of noise, while ξ0 represents disturbance threshold value), the disturbance is within the normal range and the EPR pairs are secure. Otherwise, if the error rate ξ is beyond the permitted limit, it indicates that there exists an attack over the quantum channels.

6.4 Opportunistic QNC Scheme

As we know, it is most difficult for opportunistic quantum network coding to realize opportunistic operations such as opportunistic listening and opportunistic coding, among the three core parts of COPE, due to the unconditional security of quantum communication. Thus it is important to acquire coding opportunities from the neighborhood and to use the broadcasting characteristic of classical channels to reduce the number of transmissions.
The main idea of the scheme is described as follows: quantum teleportation uses EPR pairs as the quantum channel by sharing EPR pairs between communication parties, while it uses a classical channel to transmit the measurement outcome. Assume there exists an eavesdropper during the transmission process. If it listens to the quantum channel, quantum channel verification can help find the eavesdropper. If it listens to the classical channel, the leakage of the measurement outcome does not destroy the security of the transmitted quantum states even though the eavesdropper cannot be found. Thus if channel listening is desired for normal acquisition of information, it should happen only on the classical channel. As a more meaningful approach, the transmission over the classical channel can provide an immediate notification for neighboring nodes that quantum information has just been transmitted from one communication party to another, which is very important for opportunistic network coding to grasp the opportunity to obtain neighbors’ states at the right time. Meanwhile, multiple measurement outcomes can be transmitted simultaneously by broadcast, which will reduce the number of transmissions.
A typical network model for opportunistic quantum network coding is constructed as shown in Fig. 6.3. In this scenario, L is a relay node which will try to overhear its neighbors and encode its own packets, while A and B are L’s neighbors and can communicate with each other. E is an eavesdropper who may launch classical attacks or quantum attacks. Every two legal nodes share prior entangled EPR pairs, which are the foundation of quantum teleportation and quantum channel verification.
Assume that A will transmit a packet to B, the scheme is described as follows:
Step 1: Quantum channel verification. Before communication, quantum channel
verification is performed to verify the integrity of quantum channels (EPR pairs)
and detect whether there exists an eavesdropper who launches quantum attacks. The
procedure of quantum channel verification between A and B is described as follows:
Fig. 6.3 Network model (Si denotes the step of the scheme)

(1.1) A and B share prior EPR pairs, and each EPR pair between A and B can be expressed as

$$|\Phi^{+}\rangle_j = \frac{1}{\sqrt{2}}\left(|0\rangle_{a_j}|0\rangle_{b_j} + |1\rangle_{a_j}|1\rangle_{b_j}\right), \quad j = 1, \ldots, n$$

(1.2) A prepares an arbitrary qubit $p_m$ as measure particle. Here $\theta$ and $\phi$ are the secret parameters.

$$|\psi_m\rangle = \cos\theta\,|0\rangle + e^{-i\phi}\sin\theta\,|1\rangle$$

Then A applies a C-Not gate on its particle $p_{a_1}$ and the measure particle $p_m$, which makes $p_m$ entangled with an EPR pair $p_{a_1} p_{b_1}$.

$$\begin{aligned}
|\Psi_c\rangle &= C_{a_1 m}\,|\Phi^{+}\rangle_1 \otimes |\psi_m\rangle \\
&= \sum_{i=0,1} \gamma_i \left(|0_{a_1} 0_{b_1} i_m\rangle + |1_{a_1} 1_{b_1} (i \oplus 1)_m\rangle\right) \\
&= \frac{1}{\sqrt{2}} \sum_{i=0}^{1} |i_{a_1} i_{b_1}\rangle \otimes \left(I\,\delta_{i,0} + X_m\,\delta_{i,1}\right)|\psi_m\rangle
\end{aligned}$$

Then A sends the measure particle $p_m$ to B.

(1.3) B receives $p_m$ and applies a C-Not gate on $p_m$ and its particle $p_{b_1}$, which results in

$$C_{b_1 m}\,|\Psi_c\rangle = |\Phi^{+}\rangle_1 \otimes |\psi_m\rangle$$

B makes $p_m$ entangled with the next EPR pair $p_{a_2} p_{b_2}$ by the same operation as Step 1.2, and then B sends $p_m$ back to A.
(1.4) A disentangles the entangled system to obtain an independent $p_m$. Then A measures the parameters $\theta$ and $\phi$ of $p_m$, and compares the measurement outcome with the original parameters. If they are consistent, the two EPR pairs $p_{a_1} p_{b_1}$ and $p_{a_2} p_{b_2}$ are intact. Otherwise, at least one EPR pair is disturbed.
(1.5) A and B choose a certain amount, 2h ($h \in N^{+}$, $h \le \frac{n}{2}$), of EPR pairs for quantum channel verification. If the EPR pairs are secure, they proceed. Otherwise, they abort communication.
Note that quantum channel verification can be performed by any two nodes.
In consideration of EPR pair resource and communication efficiency, there is no
need to implement quantum channel verification between every two nodes. It can be
performed between a certain number of random node pairs, before the network runs
or during a certain period of communication process, which needs to be designed
and completed together by all nodes.
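Step 2: Quantum information transmission. When the quantum channel verification is completed, A intends to transmit a w-bit packet to B by quantum teleportation. Based on the nature of quantum mechanics that orthogonal quantum states (such as $|0'\rangle = \frac{\sqrt{2}}{2}|0\rangle + \frac{\sqrt{2}}{2}|1\rangle$ and $|1'\rangle = \frac{\sqrt{2}}{2}|0\rangle - \frac{\sqrt{2}}{2}|1\rangle$) can be completely distinguished by measurement, A selects one pair of orthogonal bases $|0'\rangle$ and $|1'\rangle$, which represent 0 and 1, respectively.

$$0 \to |0'\rangle = \frac{\sqrt{2}}{2}|0\rangle + \frac{\sqrt{2}}{2}|1\rangle, \quad 1 \to |1'\rangle = \frac{\sqrt{2}}{2}|0\rangle - \frac{\sqrt{2}}{2}|1\rangle \tag{6.3}$$

(2.1) According to the w-bit packet and Eq. 6.3, A prepares w qubits.
Assume that A would like to transmit a qubit $p_i$, $i = 1, \ldots, w$, with state $|\psi\rangle_{p_i} = \alpha|0\rangle + \beta|1\rangle$ (here $|\psi\rangle_{p_i}$ can be $|0'\rangle$ or $|1'\rangle$) to B. The overall state of the three particles is

$$|\psi\rangle_{p_i a_i b_i} = |\psi\rangle_{p_i} \otimes |\varphi^{+}\rangle_{a_i b_i} = (\alpha|0\rangle + \beta|1\rangle)_{p_i} \otimes \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{a_i b_i} \tag{6.4}$$

(2.2) A makes a Bell measurement on the two qubits $p_i a_i$ in its possession.
Note that the system state in Eq. 6.4 can be rewritten as follows:

$$\begin{aligned}
|\psi\rangle_{p_i a_i b_i} = |\psi\rangle_{p_i} \otimes |\varphi^{+}\rangle_{a_i b_i} = \frac{1}{2}\Big[\, & |\varphi^{+}\rangle_{p_i a_i} \otimes (\alpha|0\rangle + \beta|1\rangle)_{b_i} \\
+\, & |\varphi^{-}\rangle_{p_i a_i} \otimes (\alpha|0\rangle - \beta|1\rangle)_{b_i} \\
+\, & |\psi^{+}\rangle_{p_i a_i} \otimes (\alpha|1\rangle + \beta|0\rangle)_{b_i} \\
+\, & |\psi^{-}\rangle_{p_i a_i} \otimes (\alpha|1\rangle - \beta|0\rangle)_{b_i} \Big]
\end{aligned} \tag{6.5}$$

where $|\varphi^{\pm}\rangle$ and $|\psi^{\pm}\rangle$ are Bell states, which are defined as follows:

$$|\varphi^{\pm}\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle), \quad |\psi^{\pm}\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle) \tag{6.6}$$

According to Eq. 6.5, the measurement outcome must be one of the four Bell states in Eq. 6.6, each with the same probability $\frac{1}{4}$.
(2.3) A tells B the measurement outcome over a classical channel.
Let the classical bits correspond to the outcomes of Bell-state measurement as follows:

$$00 \to |\varphi^{+}\rangle, \quad 10 \to |\varphi^{-}\rangle, \quad 01 \to |\psi^{+}\rangle, \quad 11 \to |\psi^{-}\rangle$$

(2.4) When B receives the bits corresponding to the measurement outcome, he can infer the state of his member of the EPR pair:

$$\begin{aligned}
|\varphi^{+}\rangle_{p_i a_i} &\to (\alpha|0\rangle + \beta|1\rangle)_{b_i} \\
|\varphi^{-}\rangle_{p_i a_i} &\to (\alpha|0\rangle - \beta|1\rangle)_{b_i} \\
|\psi^{+}\rangle_{p_i a_i} &\to (\alpha|1\rangle + \beta|0\rangle)_{b_i} \\
|\psi^{-}\rangle_{p_i a_i} &\to (\alpha|1\rangle - \beta|0\rangle)_{b_i}
\end{aligned}$$

Then B can apply an appropriate operator U to its particle $b_i$, which makes the state of $b_i$ turn out to be $|\psi\rangle_{b_i} = \alpha|0\rangle + \beta|1\rangle$. So the state of $p_i$ is finally transmitted and stored in the particle $b_i$.
Note that the sender A transforms each classical bit into a quantum state by Eq. 6.3, so the receiver B can easily transform the quantum state back into a classical bit by measurement. For example, B receives a qubit $|\psi\rangle_{b_i}$, then it measures the qubit with the orthogonal bases $|0'\rangle = \frac{\sqrt{2}}{2}|0\rangle + \frac{\sqrt{2}}{2}|1\rangle$ and $|1'\rangle = \frac{\sqrt{2}}{2}|0\rangle - \frac{\sqrt{2}}{2}|1\rangle$, and transforms it back into a classical bit:

$$|0'\rangle = \frac{\sqrt{2}}{2}|0\rangle + \frac{\sqrt{2}}{2}|1\rangle \to 0, \quad |1'\rangle = \frac{\sqrt{2}}{2}|0\rangle - \frac{\sqrt{2}}{2}|1\rangle \to 1$$
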
Step 3: Opportunistic listening. L overhears the classical bits during the communication between A and B. These classical bits are the outcomes of Bell-state measurement:

$$00 \to |\varphi^{+}\rangle, \quad 10 \to |\varphi^{-}\rangle, \quad 01 \to |\psi^{+}\rangle, \quad 11 \to |\psi^{-}\rangle$$

There will be 2w bits over a classical channel during communication when a w-bit classical packet is transmitted by quantum teleportation. By virtue of these classical bits, L can judge that a new transmission between A and B is occurring and desires the latest packet from A (or B), so L sends a request order to A (or B) to request the packet delivered just now, which is denoted by $P_r$. Here the request order is one of the defined orders in the form of classical bits and it is used to request the latest packet from the communication parties. It is defined and listed in Table 6.1.

Table 6.1 Defined orders

Orders            Bits    Sender    Receiver   Meaning
Request order     11111   L         A or B     A request for the latest packet
Rejection order   10101   A or B    L          A rejection to the packet request

Step 4: Neighbor state acquisition. After receiving the request order from L, A (or B) will refer to its own transmission record and send a corresponding reply to L. As a result, L can acquire the neighbor state by definite steps. Here the transmission record is stored locally so as to record which packets have been sent to each destination node. There are two cases for the corresponding reply of A (or B):
(i) If the transmission record indicates the packet $P_r$ was not transmitted to L before, namely L does not own the packet it requests, A (or B) will send the packet $P_r$ to L by means of quantum channel verification and quantum teleportation as in Step 1 and Step 2.
(ii) Otherwise, if the transmission record indicates that $P_r$ has been transmitted to L before, namely L already owns the packet it requests, then A (or B) will send a rejection order to L and let L know that $P_r$ is a packet it owns. Here the rejection order is also one of the defined orders in the form of classical bits, and it is used to reject the packet request and terminate the process of packet request. It is defined and listed in Table 6.1.

Fig. 6.4 Opportunistic coding (L performs S5.1 and S5.2, the broadcast; each of R1, R2, ..., Rg performs S5.3)

Note that although L can overhear the classical bits and judge that a new transmission is occurring between A and B, it does not know what is being transmitted, so L may send multiple requests for the same packets. For this reason, the second case above is used to avoid repetitive transmissions.
Step 5: Opportunistic coding. L refers to its stored packets and makes an optimal
coding decision for neighbors. An optimal coding is to ensure more neighbors can
decode the encoded packet.
The procedure of opportunistic coding is illustrated in Fig. 6.4.
(5.1) For the purpose of allowing more neighbors to decode a new packet, L
encodes a new packet Pg for neighbors.
Fig. 6.5 Measurement outcomes and notification bits. Field layout: 2w bits (outcomes for receiver 1), 2w bits (outcomes for receiver 2), ..., 2w bits (outcomes for receiver g), l bits (notification bits)

To ensure g neighbors $R_1, R_2, \ldots, R_g$ can decode their needed packets $P_1, P_2, \ldots, P_g$, L can XOR the g packets together when each neighbor $R_i$ owns all $g-1$ packets $P_j$ ($j \ne i$). The encoded packet can be generated by

$$P_e = P_1 \oplus P_2 \oplus \ldots \oplus P_g$$

Then L transmits the encoded packet to each of them by quantum teleportation. Since the operations on different EPR pairs occur locally, L can operate on several EPR pairs at the same time as long as it has enough operation capacity. Such an encoding operation can reduce the requirement for quantum states in local preparation.
(5.2) When L completes the operation on its particles of the EPR pairs shared with each of the g neighbors, L combines the measurement outcomes for the g neighbors together, and adds l notification bits to notify which nodes should operate on their EPR pairs, because only the g neighbors are desired receivers. As shown in Fig. 6.5, the notification bits are set according to two simple rules as follows:
(i) l denotes the total number of nodes in a network, and each notification bit corresponds to a node.
(ii) For a certain bit, the value of “1” means that the corresponding node is one of the desired receivers in this transmission, while the value of “0” means the corresponding node is not. That is to say, there will be g “1” bits in the notification bits if a node generates an encoded packet for g neighbors.
Then L broadcasts one packet of the measurement outcomes and notification bits once.
(5.3) Each neighbor receives the broadcast packet from L and checks the notification bits. If it is a desired receiver in the notification bits, the node will apply the transformation given by its corresponding measurement outcomes to its own particles in the EPR pairs shared with L. Thus it can get the w qubits and further the encoded packet. Otherwise, it is not a receiver, and it will do nothing.
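The data path of Steps 2 and 5 as an added example (not code from the book): relay L teleports the same encoded packet to three addressed neighbors, broadcasts one frame laid out as in Fig. 6.5, and every node parses the notification bits. The node names, seed, packet bits and the ordering of outcome blocks by notification-bit position are assumptions; the receiver corrections are the standard teleportation ones (I, Z, X, ZX).

```python
import math
import random

S = 1 / math.sqrt(2)
# Eq. 6.3: classical bit -> qubit (alpha, beta) in the computational basis.
ENCODE = {0: (S, S), 1: (S, -S)}
# Bell basis on the sender's pair (p, a) as real amplitudes [p][a], keyed by
# the classical bits of Step 2.3: 00 phi+, 10 phi-, 01 psi+, 11 psi-.
BELL = {"00": ((S, 0), (0, S)), "10": ((S, 0), (0, -S)),
        "01": ((0, S), (S, 0)), "11": ((0, S), (-S, 0))}


def bell_branches(psi):
    """Project |psi>_p (x) |phi+>_ab onto each Bell state of (p, a).

    Returns {bits: (probability, receiver's qubit before correction)}.
    """
    out = {}
    for bits, bell in BELL.items():
        vec = [sum(bell[p][a] * psi[p] * (S if a == b else 0.0)
                   for p in (0, 1) for a in (0, 1)) for b in (0, 1)]
        prob = abs(vec[0]) ** 2 + abs(vec[1]) ** 2
        norm = math.sqrt(prob)
        out[bits] = (prob, (vec[0] / norm, vec[1] / norm))
    return out


def correct(bits, state):
    """Receiver's operator U: bit flip for psi outcomes, phase flip for '-' ones."""
    x, y = state
    if bits[1] == "1":
        x, y = y, x
    if bits[0] == "1":
        y = -y
    return (x, y)


def read_bit(state):
    """Measure in the {|0'>, |1'>} basis of Eq. 6.3."""
    return 0 if abs(S * state[0] + S * state[1]) ** 2 > 0.5 else 1


def teleport_packet(bits, rng):
    """Sender side for a w-bit packet: the 2w announced bits plus the receiver's
    not yet corrected qubits. Outcomes are sampled with their Born weights."""
    announced, qubits = [], []
    for bit in bits:
        branches = bell_branches(ENCODE[bit])
        keys = sorted(branches)
        outcome = rng.choices(keys, weights=[branches[k][0] for k in keys])[0]
        announced.append(outcome)
        qubits.append(branches[outcome][1])
    return "".join(announced), qubits


def build_frame(outcomes, nodes):
    """Step 5.2: outcome blocks of the g receivers, then l notification bits.
    Assumption: blocks are ordered like the '1' bits in the notification field."""
    body = "".join(outcomes[n] for n in nodes if n in outcomes)
    return body + "".join("1" if n in outcomes else "0" for n in nodes)


def read_frame(frame, node, nodes, w):
    """Step 5.3: return this node's 2w outcome bits, or None if not addressed."""
    flags = frame[-len(nodes):]
    if len(frame) != flags.count("1") * 2 * w + len(nodes) or set(frame) - {"0", "1"}:
        raise ValueError("malformed broadcast frame")
    index = nodes.index(node)
    if flags[index] != "1":
        return None
    slot = flags[:index].count("1")
    return frame[slot * 2 * w:(slot + 1) * 2 * w]


def receive(frame, node, nodes, w, qubits):
    """Apply the announced corrections to the held qubits and read the bits."""
    mine = read_frame(frame, node, nodes, w)
    if mine is None:
        return None
    return [read_bit(correct(mine[2 * i:2 * i + 2], q)) for i, q in enumerate(qubits)]


NODES = ["A", "B", "C", "D"]      # constructed network, l = 4; D is not addressed
PE = [1, 0, 1, 1, 0, 0, 1, 0]     # constructed w = 8 bit encoded packet P_e


def run(seed=7):
    rng = random.Random(seed)
    outcomes, held = {}, {}
    for node in ("A", "B", "C"):
        outcomes[node], held[node] = teleport_packet(PE, rng)
    frame = build_frame(outcomes, NODES)
    decoded = {n: receive(frame, n, NODES, len(PE), held.get(n, [])) for n in NODES}
    return frame, decoded


if __name__ == "__main__":
    frame, decoded = run()
    print(frame[:-len(NODES)], frame[-len(NODES):])
    print(decoded)
```

Every Bell outcome has probability 1/4 for both encoded bit values, so the broadcast bits reveal that a transmission happened and who is addressed, but nothing about the packet itself.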
We take an example to illuminate this scheme more clearly, which is shown in
Fig. 6.6.

Example 1 In the scenario of Fig. 6.6, the packet state is shown beneath each node. Assume A would like to send a w-bit packet $P_1$ to B. After quantum channel verification between A and B, A selects a pair of orthogonal bases and specifies the corresponding classical bits of 0 and 1 as follows:

$$0 \to \frac{\sqrt{2}}{2}|0\rangle + \frac{\sqrt{2}}{2}|1\rangle, \quad 1 \to \frac{\sqrt{2}}{2}|0\rangle - \frac{\sqrt{2}}{2}|1\rangle$$

Fig. 6.6 Example of the proposed scheme

A prepares w qubits according to the packet $P_1$ and the above rule, and then it transmits these w qubits to B by quantum teleportation over the shared EPR pairs. Then B measures the received qubits with the orthogonal bases to get the packet $P_1$.
Note that during the process of quantum teleportation, A sends 2w bits via the classical channel. When L overhears these classical bits, it knows that data transmission is happening, so it sends a request order (11111) to A to request the latest packet $P_1$.
After receiving the request order, A checks the packet states and knows that L does not own the packet $P_1$, so A sends $P_1$ to L in the same way as it sends $P_1$ to B.
After receiving the packet $P_1$, L tries to make an optimal coding decision for neighbors A, B, and C, by referring to the neighbors’ packet states. L encodes a new packet $P_e = P_1 \oplus P_2 \oplus P_4$ for neighbors A, B, and C, and prepares three copies of the same w qubits according to $P_e$. Then it operates on the particles in the different EPR pairs shared with A, B, and C, respectively, to transmit the packet $P_e$. When the operation on the EPR pairs is completed, L broadcasts a packet which includes all measurement outcomes and the corresponding notification bits to the receivers A, B, and C as follows (Fig. 6.7):

Fig. 6.7 Example of measurement outcomes and notification bits. Field layout: 2w bits (outcomes for A), 2w bits (outcomes for B), 2w bits (outcomes for C), l bits (notification bits)

Each of A, B, and C gets its corresponding measurement outcomes from the packet broadcast by L, and applies the corresponding transformation to the particles in its EPR pairs with L. Thus all of them can get the w qubits and further the packet $P_e$ from one broadcast transmission.
116 6 Opportunistic Quantum Network Coding

A B A B

Fig. 6.8 Two types of opportunistic characteristic

6.5 Property of QNC Scheme

Definition 1 Assume that there are l (l ≥ 2) neighbors around a relay node. The number of listeners who successfully obtain packets by opportunistic listening in unit time can be used to evaluate the extent of opportunistic characteristic. If all neighbors can successfully overhear the packet from the relay node, it is defined as completely opportunistic characteristic. If the number of successful listeners is ≤ l, it is defined as weakly opportunistic characteristic.

Property 1 The scheme has weakly opportunistic characteristic compared with COPE, which has completely opportunistic characteristic.

Proof Because of the cooperation of the classical channel and the quantum channel in quantum teleportation, we can implement opportunistic listening in quantum communication, which seems to be impossible by using only a quantum channel. However, the opportunistic characteristic in this scheme is weaker than in COPE.

Consider the common scenario in Fig. 6.8, where there are l (l = 4) neighbors around two communication parties A and B. In COPE, all neighbors can overhear the encoded packet sent from A to B in unit time. Comparatively, in this scheme, all neighbors send request orders to A or B, but A and B can each transmit the packet to only one neighbor, so the number of successful listeners is 2 and 2 ≤ l, where the equal sign holds only if there are merely 2 neighbors. So this scheme satisfies the condition of weakly opportunistic characteristic.
Because this scheme combines a quantum channel for communication with a classical channel for listening, its opportunistic characteristic differs somewhat from that of COPE. A summary of the comparison is shown in Table 6.2.

Property 2 Assume T(l) represents the delay of a packet obtained by l neighbors. T(l) in the scheme can achieve $O(\log_2 l) \le T(l) \le O(l)$.

Table 6.2 Comparison between COPE and the scheme

Aspect                                     COPE             The scheme
Channel type                               Classical        Classical + Quantum
Channel type for opportunistic listening   Classical        Classical
Communication mode                         Broadcast        Unicast + Broadcast
Object for broadcasting                    Encoded packet   Measurement outcomes and notification bits
Opportunistic extent                       Complete         Weak

Fig. 6.9 Maximum delay in the worst case (panels a and b)

Proof Assume that a packet Pr is transmitted between A and B, and all l neighboring nodes can judge that a new transmission is occurring between A and B by opportunistic listening. We define a learned node as a node that owns the packet Pr. Neighbors will then send a request order to the learned node A or B, with the same probability 1/2, to request Pr. Restricted by the quantum channel, A or B can only send the packet Pr to one requester, and the other requesters have to wait.

T(l) represents the delay of a packet obtained by l neighbors during the process of opportunistic listening, which will decide the subsequent coding strategy of opportunistic coding so as to describe the transmission performance of a network. Lower delay means higher flexibility and better performance. So the delay will be discussed in detail.
Firstly, we consider the worst case. If all neighbors send request orders to one node (e.g., A) as shown in Fig. 6.9a, A can only choose one requester (e.g., L1) to transmit Pr. The rest of the nodes have to wait, but they hear the transmission occurring between A and L1, so they know that L1 becomes a learned node. Then the rest of the nodes will send request orders to the three learned nodes A, B, L1 with the same probability 1/3. In the worst case, all nodes send request orders to the same node (just like A in Fig. 6.9b), regardless of how many learned nodes there are. In this way, T(l) will reach its maximum:

$$T(l) = O(l)$$

Fig. 6.10 Minimum delay in the best case (panels a and b)

Secondly, we consider the best case as shown in Fig. 6.10. In Fig. 6.10a, A and B both receive a request order and send Pr to the requesters L1 and L5, respectively. By opportunistic listening, neighbors know that L1 and L5 have received the packet from A and B, so there are $2^2 = 4$ learned nodes now. Next, the rest of the nodes will send request orders again, but they have four choices this time, so they will send a request order to A, B, L1, L5 with probability 1/4, respectively. In the best case, all four learned nodes will receive request orders, and the number of learned nodes will change to $2^3 = 8$ after packet transmission. In this way, T(l) will reach its minimum:

$$2^1 + 2^2 + 2^3 + \cdots + 2^T \ge l$$

It can be rewritten as

$$T(l) = O(\log_2 l)$$

So the delay T(l) of this scheme achieves $O(\log_2 l) \le T(l) \le O(l)$.
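The two bounds of Property 2 can be checked with a small round-based simulation. This is an added example, not code from the book: the function names and the "random" policy (each waiting neighbor picks a learned node uniformly, each learned node serves one requester per round) are assumptions that follow the proof's description.

```python
import random


def delay(l, policy, rng=None):
    """Rounds (unit times) until all l neighbors hold the packet P_r.

    A and B are the two initial learned nodes. A learned node can serve
    only one requester per round (the quantum-channel restriction)."""
    learned, waiting, rounds = 2, l, 0
    while waiting > 0:
        if policy == "worst":
            # every waiting neighbor asks the same learned node
            served = 1
        elif policy == "best":
            # requests are spread so that every learned node serves someone
            served = min(learned, waiting)
        elif policy == "random":
            # each waiting neighbor picks one learned node uniformly;
            # a node that receives several requests still serves only one
            targets = {rng.randrange(learned) for _ in range(waiting)}
            served = len(targets)
        else:
            raise ValueError(policy)
        learned += served
        waiting -= served
        rounds += 1
    return rounds


def best_case_closed_form(l):
    """Smallest T with 2^1 + 2^2 + ... + 2^T >= l."""
    return (l + 1).bit_length() - 1


def mean_random_delay(l, trials=200, seed=1):
    """Average delay under uniformly random requests (seeded, constructed input)."""
    rng = random.Random(seed)
    return sum(delay(l, "random", rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("l  best  random(mean)  worst")
    for l in (4, 16, 64, 256, 1024):
        print(l, delay(l, "best"), round(mean_random_delay(l), 1), delay(l, "worst"))
```

The best case grows logarithmically and the worst case linearly in l, and every random run falls between the two.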

6.6 Performance Analysis

6.6.1 Network Throughput

Compared with conventional QNC schemes, this scheme realizes opportunistic characteristic by listening to the classical channel. Furthermore, this scheme realizes opportunistic coding by broadcasting the measurement outcomes and notification bits, which allows more than one neighbor to receive the measurement outcome during one transmission, and therefore improves network throughput.

Table 6.3 Performance comparison

Item                                                     Conventional QNC   The scheme
Opportunistic characteristic                             No                 Yes
Times of transmitting an encoded packet to g neighbors   N_v (N_v = g)      N_o (N_o = 1)

Assume that a relay node L intends to send an encoded packet Pg to g neighbors as shown in Fig. 6.4. A conventional quantum network without opportunistic characteristic can only transmit the packet Pg to each neighbor separately, which results in a total number of N_v = g transmissions. In contrast, this scheme takes full advantage of the channel characteristic of quantum teleportation. In quantum teleportation, the operation on EPR pairs occurs locally at the sender and the receiver; as long as a relay node has enough capacity for operation, it can operate on several EPR pairs, which are shared with different nodes, at the same time. So the transmission time mainly depends on when the measurement outcomes arrive at the receivers. In this scheme, a relay node operates on the different EPR pairs shared with g neighbors in its own place, and then broadcasts the measurement outcomes and notification bits to notify the receivers, which helps each one of the g neighbors get its needed measurement outcomes, and further the encoded packet, during a number N_o = 1 of transmissions. Table 6.3 lists the comparison result.
In a word, compared with conventional unicast quantum communication, this scheme can improve network throughput by $N_v / N_o = g$, where g is the number of the packet's receivers.

6.6.2 Resource Consumption

Since quantum communication is expensive, some extra resources, which may be less
expensive than quantum communication, are considered in many quantum network
coding schemes. Such representative resources include the following:
(i) Classical communication;
(ii) Pre-shared entanglement (such as EPR pairs).
The above two kinds of resources are both used in this scheme.
This scheme is designed in the setting where every two nodes possess pre-shared entanglement (EPR pairs). To transmit a w-bit encoded packet to g neighbors by quantum teleportation, a relay node consumes wg qubits, wg EPR pairs, 2wg bits, and another l bits for notification bits. Each quantum channel verification consumes h qubits and 2h EPR pairs to detect the integrity of EPR pairs. Meanwhile, some procedures consume only classical bits, such as sending a request order or a rejection order. Table 6.4 gives a summary of resource consumption in this scheme.

Table 6.4 Resource consumption

Procedure                                    Qubits   EPR pairs   Classical bits
Transmitting a w-bit packet to g neighbors   wg       wg          2wg + l
Quantum channel verification                 h        2h          0
Sending a request order                      0        0           5
Sending a rejection order                    0        0           5

6.7 Security Analysis

6.7.1 Classical Attack

Theorem 1 By only capturing classical bits, an attacker cannot get the transmitted
packet in the scheme.

Proof Assume that an attacker can capture classical bits without being discovered.
In this scheme, the attacker may capture the following:
(i) The classical bits between two communication parties.
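In quantum teleportation, these bits are the outcomes of Bell-state measurement as follows:

$$00 \rightarrow |\phi^+\rangle, \quad 10 \rightarrow |\phi^-\rangle, \quad 01 \rightarrow |\psi^+\rangle, \quad 11 \rightarrow |\psi^-\rangle$$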

According to the principle of quantum teleportation, they are used to tell the
receiver which unitary operation should be performed on the particle of the shared
EPR pair so as to “recover” the transmitted quantum state. So without the shared
EPR pair, the measurement outcomes are meaningless for an attacker.
(ii) The request order or rejection order between two communication parties.
In this scheme, the request order is used to ask the receiver for latest packet, and
the rejection order is used to refuse the packet request. Such orders are irrelevant to
the content of a packet, so they are useless for attacker to get the transmitted packet.
(iii) The broadcast packet from a relay node who encodes for neighbors.
The broadcast packet from a relay node consists of measurement outcomes and
notification bits. Measurement outcomes make no sense for an attacker, which is
explained in the case of (i). The function of notification bits is to tell who are the
desired receivers of measurement outcomes. It also makes no sense for an attacker
unless what it wants to know is merely who the relay node sends the packet to, which
is certainly not a secret for all nodes.
Fig. 6.11 Quantum attack

6.7.2 Quantum Attack

There are two types of quantum channels in this scheme: one is the direct quantum
channel used to transmit one measure particle pm during the process of quantum
channel verification, and the other one is the latent channel between the shared EPR
pairs. In order to obtain information, an attacker can disturb the above two types of
quantum channels.
Theorem 2 Assume that an attacker replaces the measure particle pm with another
particle pm , namely pm → pm , it can be detected by quantum channel verification.
Proof As shown in Fig. 6.11, any substitution of pm → pm will
cause that the state
of quantum system changes, namely | c  →  c , and  c can be described as
 c   c
 =  ⊗ |Am 

When B receives the replaced pm and applies next operation:


     

Cb j m  c =Cb j m ( c ⊗ |Am ) = + ⊗ |m 
 
The above equation means that + and |m  are not in product state, so the mea-
sure particle pm cannot be separated from the entangled system. When the replaced
particle pm is transmitted back to A, secret parameters θ and ϕ are changed so that
quantum channel verification will fail.
 

Theorem 3 Any operation Uε that attackers perform on the shared EPR pair +j
will destroy the integrity of quantum channel, which can be detected by quantum
channel verification.

Proof Assume that an attacker have the chance to disturb the EPR pairs, we denote
his auxiliary quantum state by |e , the entire state of the shared EPR pair and the
auxiliary quantum state is
   
a b e = + ⊗ |e 
j j j

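where a, b represent two particles of the shared EPR pair, while e represents the particle corresponding to $|e\rangle$. The attacker applies a unitary operation $U_\varepsilon$ on $|\psi\rangle_{a_j b_j e}$, and the entire state of the quantum system becomes

$$\begin{aligned}
U_\varepsilon |\psi\rangle_{a_j b_j e} = {} & |0_{a_j} 0_{b_j}\rangle \otimes |E_1\rangle + |0_{a_j} 0_{b_j}\rangle \otimes |E_2\rangle \\
& + |1_{a_j} 0_{b_j}\rangle \otimes |\tilde{E}_1\rangle + |1_{a_j} 1_{b_j}\rangle \otimes |\tilde{E}_2\rangle
\end{aligned}$$

where $|E_1\rangle \perp |E_2\rangle$, $|\tilde{E}_1\rangle \perp |\tilde{E}_2\rangle$, and $\langle E_1|\tilde{E}_2\rangle + \langle E_2|\tilde{E}_1\rangle = 0$.
When A applies the C-NOT gate, Eq. 6.1 can be rewritten as follows:

$$\begin{aligned}
|\psi^c\rangle &= C_{am} U_\varepsilon |\psi\rangle_{a_j b_j e} |\psi_m\rangle \\
&= \tfrac{1}{2}\big[(\cos\theta\,|0_{a_j} 0_{b_j} 0_m\rangle + e^{-i\varphi}\sin\theta\,|0_{a_j} 0_{b_j} 1_m\rangle) \otimes |E_2\rangle \\
&\quad + (\cos\theta\,|1_{a_j} 1_{b_j} 1_m\rangle + e^{-i\varphi}\sin\theta\,|1_{a_j} 1_{b_j} 0_m\rangle) \otimes |\tilde{E}_2\rangle \\
&\quad + (\cos\theta\,|0_{a_j} 1_{b_j} 0_m\rangle + e^{-i\varphi}\sin\theta\,|0_{a_j} 1_{b_j} 1_m\rangle) \otimes |E_1\rangle \\
&\quad + (\cos\theta\,|1_{a_j} 0_{b_j} 1_m\rangle + e^{-i\varphi}\sin\theta\,|1_{a_j} 0_{b_j} 1_m\rangle) \otimes |\tilde{E}_1\rangle\big]
\end{aligned}$$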

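The above equation shows the entire state after Step 2 in quantum channel verification under an attacker's disturbance. Then B performs some operations on $|\psi^c\rangle$ in Step 3 in quantum channel verification, and the entire state 6.2 becomes

$$\begin{aligned}
C_{bm} |\psi^c\rangle &= \tfrac{1}{2}\big[(\cos\theta\,|0_{a_j} 0_{b_j} 0_m\rangle + e^{-i\varphi}\sin\theta\,|0_{a_j} 0_{b_j} 1_m\rangle) \otimes |E_2\rangle \\
&\quad + (\cos\theta\,|1_{a_j} 1_{b_j} 0_m\rangle + e^{-i\varphi}\sin\theta\,|1_{a_j} 1_{b_j} 1_m\rangle) \otimes |\tilde{E}_2\rangle \\
&\quad + (\cos\theta\,|0_{a_j} 1_{b_j} 1_m\rangle + e^{-i\varphi}\sin\theta\,|0_{a_j} 1_{b_j} 0_m\rangle) \otimes |E_1\rangle \\
&\quad + (\cos\theta\,|1_{a_j} 0_{b_j} 1_m\rangle + e^{-i\varphi}\sin\theta\,|1_{a_j} 0_{b_j} 1_m\rangle) \otimes |\tilde{E}_1\rangle\big]
\end{aligned}$$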

   
It is obvious that Cbm ψ c = + ⊗ |ψm , the measurement pm cannot be sep-
arated correctly, and the parameters are changed, so the disturbance can be detected
by quantum channel verification.

6.8 Summary

In this chapter, we introduced an opportunistic quantum network coding scheme by taking full advantage of quantum teleportation. The scheme has opportunistic characteristic by listening to the classical channel and broadcasting measurement outcomes via the classical channel, which generally cannot be achieved in a conventional quantum network. Meanwhile, it can resist classical passive attack and quantum active attack.
Furthermore, it is worthwhile to explore the usage of mixed channels of quantum teleportation. The classical channel can not only be used to broadcast measurement outcomes, but also be used to broadcast the encoded packet directly on the premise of secure transmission. Moreover, some new quantum operations on qubits can be designed for the part of opportunistic coding, which will realize the improvement of transmission performance in quantum networks.

References

1. Ahlswede, R., Cai, N., Li, S.: Network information flow. IEEE Trans. Inf. Theory 46(4), 1204–1216 (2000)
2. Koutsonikolas, D., Hu, Y.C., Wang, C.C.: An empirical study of performance benefits of network coding in multihop wireless networks. In: IEEE International Conference on Computer Communications (ICCC), pp. 2981–2985 (2009)
3. Katti, S., Rahul, H., Hu, W., et al.: XORs in the air: practical wireless network coding. IEEE/ACM Trans. Netw. 16(3), 497–510 (2008)
4. Sebastian, N., Florian, M., Markus, R., et al.: Air-to-ground quantum communication. Nat. Photonics Lett. 3(7), 382–386 (2013)
5. Shang, T., Du, G., Liu, J.W.: Opportunistic quantum network coding based teleportation. Quantum Inf. Process. 15(4), 1743–1763 (2016)
6. Bennett, C.H., Brassard, G.: An update on quantum cryptography. In: International Cryptology Conference (CRYPTO'84), pp. 475–480 (1984)
7. Zeng, G.H.: Quantum identity authentication without lost of quantum channel. In: China Crypt'04, pp. 141–146 (2004)
Chapter 7
Quantum Network Coding with Message Authentication

Quantum network coding is vulnerable to pollution attacks, especially when using a classical channel as an auxiliary resource. In this chapter, we introduce a secure quantum network coding scheme against pollution attacks. The scheme uses quantum homomorphic signature for efficient authentication of different data sources so as to detect pollution attacks in the butterfly network. Furthermore, with the help of trusted intermediate nodes, it can locate a corrupt data source.

7.1 Quantum Homomorphic Signature for QNC

7.1.1 Signature for Quantum Networks

In order to authenticate the identity of data sources in a network, homomorphic signature schemes [1] have received considerable attention instead of standard signature schemes in classical cryptography. However, homomorphic signature schemes for classical information are inapplicable in quantum networks. It is believed that homomorphic signature of quantum information is more meaningful and difficult than its counterpart in classical cryptography. In particular, homomorphic signature in the form of quantum states is desired for quantum networks. On the one hand, the main problem is how to design a signature operation for quantum states. On the other hand, the authentication of different data sources is also a very hard problem for classical networks. Thus, it is necessary to explore whether designing a quantum homomorphic signature is a hard problem for quantum networks or not. If a quantum homomorphic signature scheme is feasible, it will be very helpful for enhancing the security of quantum networks. However, a solution to quantum homomorphic signature still remains open. It is crucial to find an equivalent quantum homomorphic operation to realize signature computing in the form of quantum states. Until now, there has been no obvious way to combine two quantum signatures (e.g., S1 and S2) from the senders to realize a homomorphic operation, due to the properties of quantum mechanics.

© Springer Nature Singapore Pte Ltd. 2020 125


T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_7
In 2015, the first quantum homomorphic signature scheme based on entanglement swapping [2] was proposed, which can be used to authenticate data packets of multiple streams for quantum networks [3]. After combining two quantum signatures by entanglement swapping, the quantum signature scheme can generate a new homomorphic signature at the intermediate node. It can effectively guarantee the security of secret keys and verify the identity of different data sources in a quantum network.

7.1.2 Homomorphic Signature

Homomorphism can be divided into two types: additive homomorphism and multiplicative homomorphism [4]. Given variables $X_1$ and $X_2$, a function φ is additively homomorphic if there exists a function f satisfying $\varphi(X_1 + X_2) = f(\varphi(X_1), \varphi(X_2))$. Similarly, φ is multiplicatively homomorphic if there exists a function f satisfying $\varphi(X_1 \times X_2) = f(\varphi(X_1), \varphi(X_2))$. A homomorphic signature scheme is based on a homomorphic algorithm. Assume that a node receives messages $(E_1, E_2, \ldots, E_n)$ and corresponding signatures $(\varphi(E_1), \varphi(E_2), \ldots, \varphi(E_n))$, where φ is additively homomorphic. If this node wants to generate a signature on $a_1 E_1 + a_2 E_2 + \cdots + a_n E_n$, it can obtain the signature by means of $S = f(\varphi(E_1), \varphi(E_2), \ldots, \varphi(E_n)) = \varphi(a_1 E_1 + a_2 E_2 + \cdots + a_n E_n)$. A concrete example of a homomorphic signature scheme, BFKW, was given by Boneh et al. [5]. Hence a homomorphic signature scheme can generate a new signature on its message without the private keys of data sources, which is very important to distributed networks and can be used to generate new signatures at intermediate nodes by directly manipulating the original signatures of received messages without encryption operation.
A general quantum signature model is conjectured as shown in Fig. 7.1. By sharing an EPR pair (denoted as $|\psi\rangle_{12}$) with a verifier V, a signer A can sign its classical information X by performing a corresponding unitary operation on its particle 2. For the aggregation of multiple signatures, the most straightforward idea is to guarantee that each signer shares an EPR pair with the aggregator C; the aggregator then generates a new signature. As described in Fig. 7.1, the key is to generate a new homomorphic signature $S_3 = U(X_1 \oplus X_2) \cdot |\psi\rangle_4$ at the aggregator C according to the two signatures $S_1$ and $S_2$. As far as we know, no quantum signature schemes have been proposed to combine the homomorphic algorithm till now. The existing quantum signature schemes are also not suitable for quantum networks, as described in Motivation. Hence it is significant to investigate the design of quantum homomorphic signature for the authentication of data sources in quantum networks.
Fig. 7.1 Quantum signature model (signers A and B, aggregator C, verifier V)

Fig. 7.2 Entanglement swapping (Bell-state measurement on particles 1 and 3 of the pairs (1, 2) and (3, 4))

7.1.3 Entanglement Swapping

Entanglement swapping [2] is a miracle property of quantum entanglement. The key


idea of entanglement swapping is that two non-entangled particles (1, 3) become an
entangled state by measurement as shown in Fig. 7.2. Assume the original states of
these particles as
 + 1
φ = √ (|0012 + |1112 ) ,
12
2
 +
ψ = √1 (|0134 +|1034 ) .
34
2

Then
128 7 Quantum Network Coding with Message Authentication

Table 7.1 States of particles after entanglement swapping


Original states States of particles after entanglement swapping
 +  +      −  −  +  +  −  − 
φ 
⊗ φ 1  +  +      
 + 12  − 34 2 φ 13 φ 24 + φ 13 φ 24 + ψ 13 ψ 24 + ψ 13 ψ 24 
φ 
⊗ φ 1  +  −  −  +  +  −  −  +
 + 12  + 34 2 φ 13 φ 24 + φ 13 φ 24 − ψ 13 ψ 24 − ψ 13 ψ 24 
φ 
⊗ ψ 1  +  +  −  −  +  +  −  −
 + 12  − 34 2 φ 13 ψ 24 + φ 13 ψ 24 + ψ  13 φ 24 + ψ  13 φ 24 
φ ⊗ ψ  +  −  −  +  +  −  −  +
2 φ 13 ψ  24 +  φ  13 ψ  24 −  φ  13 ψ  24 −  φ 13 ψ 24 
1
 − 12  +  34
φ ⊗ φ  +  −  −  +  +  −  −  +
2 φ 13 φ 24 + φ 13 φ 24 + ψ 13 ψ 24 + ψ 13 ψ 24 
1
 − 12  − 34
φ ⊗ φ 1  +  +  −  −  +  +  −  −
 − 12  + 34 2 φ 13 φ 24 + φ 13 φ 24 − ψ 13 ψ 24 − ψ 13 ψ 24 
φ 
⊗ ψ 1  +  −  −  +  +  −  −  +
 − 12  − 34 2 φ 13 ψ 24 + φ 13 ψ 24 + ψ 13 φ 24 + ψ 13 φ 24 
φ 
⊗ ψ 1  +  +  −  −  +  +  −  −
 + 12  + 34 2 φ 13 ψ 24 + φ 13 ψ 24 − ψ 13 φ 24 − ψ 13 φ 24 
ψ 
⊗ φ 1  +  +  −  −  +  +  −  −
 + 12  − 34 2  φ 13 ψ 24 − φ 13 ψ 24 + ψ 13 φ 24 − ψ 13 φ 24 
ψ ⊗ φ  + ψ − + φ − ψ + + ψ + φ − − ψ − φ+
2 − φ 13
1
 + 12  + 34  +  24  −  13 −  24  +  13 +  24  −  13 −  24 
ψ ⊗ ψ 34 1 φ + φ − φ 13 φ 24 + ψ 13 ψ 24 − ψ 13 ψ 24
 + 12   2   +  +
13 24  −  −  +  +  −  − 
ψ ⊗ ψ −        
2 −φ 13 φ 24 + φ 13 φ 24 + ψ 13 ψ 24 − ψ 13 ψ 24 
1
 − 12  +  34
ψ 
⊗ φ  +  −  −  +  +  −  − φ+
2 − φ 13 ψ + φ ψ − ψ φ + ψ
1
 − 12  − 34   24  −  13  −  24  +  13  +  24  −  13  −  24
ψ 
⊗ φ 1  +  +      
 − 12  + 34 2  φ 13 ψ 24 − φ 13 ψ 24 
− ψ 13 φ 24 + ψ 13 φ 24
        
ψ ⊗ ψ  + φ+ + φ− φ− − ψ + ψ + + ψ − ψ −
2 − φ 13
1
 − 12  − 34   24   
13  24   
13  24   
13  
24
ψ ⊗ ψ 1  +  +
φ φ − φ− φ− − ψ + ψ + + ψ − ψ −
12 34 2 13 24 13 24 13 24 13 24

 +  
φ ⊗ ψ + 34
12
1
= (|00011234 +|00101234 +|11011234 +|11101234 )
2
1
= (|00011324 +|01001324 +|10111324 +|11101324 )
2
1  +   −    +   −    +   −  
= φ +φ ψ + ψ 24 + ψ 13 + ψ 13 (7.1)
4   13  13   24        
× φ+ 24 + φ− 24 + ψ + 13 − ψ − 13 φ+ 24 − φ− 24
      +    
+ φ+ − φ −13

13
− ψ − 24 24
1  +   +         
= φ 13 ψ 24 + φ− 13 ψ − 24 + ψ + 13 φ+ 24
2    
+ψ − 13 φ− 24

According to Eq. 7.1, if we perform a Bell-state measurement on the particles 1


and 3, the particles 2 and 4 would collapse to another +  entangled state. For instance, if
the measurement result of the particles 1 and 3 is φ , then the state of the particles
 + 13
2 and 4 would be ψ 24 .
In other cases, the states of particles after entanglement swapping are shown in
Table 7.1.
Note that if we treat the particles 2 and 4 as two signatures, we can transform these two signatures into an entangled state without original data by means of entanglement swapping. Then in the new entangled state, the particle 4 can be treated as a new signature. Here we take a simple example for illustration. Firstly, four operators are defined as follows for convenience:

$$\begin{aligned}
U(00) &= I = |0\rangle\langle 0| + |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \\
U(01) &= \sigma_x = |1\rangle\langle 0| + |0\rangle\langle 1| = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \\
U(10) &= \sigma_z = |0\rangle\langle 0| - |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \\
U(11) &= -i\sigma_y = |0\rangle\langle 1| - |1\rangle\langle 0| = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}.
\end{aligned}$$

Assume the signatures are $S_1 = U(01)|\psi\rangle_2 = \sigma_x|\psi\rangle_2$ and $S_2 = U(10)|\psi\rangle_4 = \sigma_z|\psi\rangle_4$. The state of all particles would be $|\psi'\rangle_{12} \otimes |\psi'\rangle_{34} = \sigma_x^{(2)}|\phi^+\rangle_{12} \otimes \sigma_z^{(4)}|\phi^+\rangle_{34}$, where the superscript (i) means performing an operation on the particle i. After entanglement swapping, the particles 2 and 4 would collapse to an entangled state. Without loss of generality, we assume that the measurement result of the particles 1 and 3 is $|\phi^+\rangle_{13}$. Hence according to Table 7.1, the state of the particles 2 and 4 would be $|\psi^-\rangle_{24}$. In comparison with the original resulting state $|\phi^+\rangle_{24}$ after entanglement swapping without signature, we obtain $|\psi^-\rangle_{24} = -i\sigma_y|\phi^+\rangle_{24} = U(01 \oplus 10)|\phi^+\rangle_{24}$.
This result gives an important hint of the relationship between entanglement swapping and homomorphic operation. The key to the design of homomorphic operation is to make the particle 4 become the homomorphic signature result of combining two original signatures. Hence entanglement swapping provides the possibility of homomorphic operation for quantum signature.

7.1.4 Quantum Homomorphic Signature Scheme

The quantum homomorphic signature scheme is based on entanglement swapping [3]. Assume that the object of a signature is classical information and the carrier of a signature is quantum information. A signer sends the data of classical bits $X_1$ ($X_2$) with the signature of quantum states to a verifier. The quantum homomorphic signature model is shown in Fig. 7.3. $A_1$ ($A_2$) are the signers, $M_1$ is the aggregator who aggregates the received signatures to generate a new signature according to the original signatures, and $M_2$ is the verifier.
The signature scheme is defined by a tuple of algorithms (Setup, Sign, Combine, Verify) such that:
(1) Setup
Step 1: Quantum key distribution. $A_1$ ($A_2$) chooses two classical bits (denoted as $Y_1$ ($Y_2$)) as its secret key and shares this key with $M_2$ by a quantum key distribution protocol, such as an improved BB84 protocol with authentication [6] which can defend against man-in-the-middle attack; here $Y_1, Y_2 \in \{00, 01, 10, 11\}$.
Fig. 7.3 Quantum homomorphic signature model (signers A1 and A2, aggregator M1, verifier M2)

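Step 2: EPR pair distribution. $M_1$ firstly prepares two pairs of entangled particles

$$|\phi^+\rangle_{12} = \frac{1}{\sqrt{2}}\left(|00\rangle_{12} + |11\rangle_{12}\right), \qquad |\phi^+\rangle_{34} = \frac{1}{\sqrt{2}}\left(|00\rangle_{34} + |11\rangle_{34}\right).$$

$M_1$ sends its particles 2 and 4 (denoted as $|\psi\rangle_2$, $|\psi\rangle_4$) to $A_1$ and $A_2$, respectively.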


(2) Sign
After receiving the particle from $M_1$, $A_1$ ($A_2$) chooses a unitary operator according to the exclusive OR result of its classical bits $X_1$ ($X_2$) and key $Y_1$ ($Y_2$), and performs the corresponding operation on the particle 2 (4).
Note that $|\psi'\rangle_{12} = U(X_1 \oplus Y_1)^{(2)}|\psi\rangle_{12}$. Although the particles 1 and 2 belong to one entangled pair, we view the resulting state of the particle 2 (4), namely $|\psi'\rangle_2$ ($|\psi'\rangle_4$), as the signature of $A_1$ ($A_2$) just for convenient description. In fact, the particle 2 (4) is in an entangled state and thus has no pure state representation on its own.
Here the unitary operator corresponding to the classical bits $X_i$ and the key $Y_i$ is chosen as follows:

$$\begin{aligned}
X_i \oplus Y_i = 00 &\rightarrow I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \\
X_i \oplus Y_i = 01 &\rightarrow \sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \\
X_i \oplus Y_i = 10 &\rightarrow \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \\
X_i \oplus Y_i = 11 &\rightarrow -i\sigma_y = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}
\end{aligned}$$

Hence after the signing phase the state of the two EPR pairs would be $|\psi'\rangle_{12} = U(X_1 \oplus Y_1)^{(2)} \cdot |\phi^+\rangle_{12}$, $|\psi'\rangle_{34} = U(X_2 \oplus Y_2)^{(4)} \cdot |\phi^+\rangle_{34}$.

(3) Combine
Step 1: $A_1$ ($A_2$) sends the transformed particle 2 (4), namely $|\psi'\rangle_2$ ($|\psi'\rangle_4$), and the classical bits $X_1 \oplus Y_1$ ($X_2 \oplus Y_2$) to $M_1$.
Step 2: $M_1$ performs a Bell-state measurement on the particles 1 and 3. Here we denote $|\psi'\rangle_{13}$ as the state of the particles 1 and 3 after measurement. Then according to entanglement swapping, the particles 2 and 4 would collapse to a Bell state, which can be denoted as $|\psi'\rangle_{24}$. $|\psi'\rangle_4$ would be the signature of $M_1$, i.e., $|S_{M_1}\rangle = |\psi'\rangle_4$.
Step 3: $M_1$ sends the classical information $(X_1 \oplus Y_1) \oplus (X_2 \oplus Y_2)$ and the particles (1, 2, 3, 4) (i.e., $|\psi'\rangle_{13} \otimes |\psi'\rangle_{24}$) to $M_2$.
(4) Verify
After receiving the classical information and the particles from $M_1$, $M_2$ can verify the signature as follows:
Step 1: $M_2$ performs a Bell-state measurement on the particles 1 and 3, and obtains $|\psi'\rangle_{13}$. Note that $|\psi'\rangle_{13}$ falls to one of the four Bell states according to Table 7.1. Hence the Bell-state measurement on the particles 1 and 3 from $M_2$ would be non-destructive.
Step 2: $M_2$ performs a Bell-state measurement on the particles 2 and 4, and obtains $|\psi'\rangle_{24}$.
Step 3: According to Table 7.1, $M_2$ compares $|\psi'\rangle_{24}$ with $|\psi\rangle_{24}$, and obtains an operator which satisfies $|\psi'\rangle_{24} = c(Z)\,U(Z)^{(4)} \cdot |\psi\rangle_{24}$. Here the superscript (4) means performing an operation on the particle 4, and $|c(Z)| = 1$. Consider the resulting state of the original particles after entanglement swapping. If the measurement result of the original particles 1 and 3 satisfies $|\psi\rangle_{13} = |\psi'\rangle_{13}$, then we denote $|\psi\rangle_{24}$ as the resulting state of the original particles 2 and 4 after entanglement swapping.
Step 4: $M_2$ compares $X_1 \oplus X_2 \oplus Y_1 \oplus Y_2$ with Z. If $X_1 \oplus X_2 \oplus Y_1 \oplus Y_2 = Z$, $M_2$ would confirm that $|\psi'\rangle_4$ is the signature of $M_1$. Then $M_2$ can calculate $X_1 \oplus X_2$ by its keys $Y_1$ and $Y_2$ (which are shared in advance with the senders as described in the process of signature). Otherwise $M_2$ would deny the signature.
We take an example to illustrate this scheme more clearly.

Example 7.1 Assume $X_1 = 00$, $Y_1 = 01$, $X_2 = 01$ and $Y_2 = 11$. Then the signatures of $A_1$ and $A_2$ are $S_1 = U(00 \oplus 01)|\psi\rangle_2 = \sigma_x|\psi\rangle_2$, $S_2 = U(01 \oplus 11)|\psi\rangle_4 = \sigma_z|\psi\rangle_4$, respectively. After the signing phase, the state of the particles (1, 2, 3, 4) becomes

$$\begin{aligned}
|\phi^+\rangle_{12} &\rightarrow |\psi'\rangle_{12} = \sigma_x^{(2)}|\phi^+\rangle_{12} = |\psi^+\rangle_{12} \\
|\phi^+\rangle_{34} &\rightarrow |\psi'\rangle_{34} = \sigma_z^{(4)}|\phi^+\rangle_{34} = |\phi^-\rangle_{34}.
\end{aligned}$$

After the combining phase, the particles 1 (2) and 3 (4) would collapse to a Bell state according to entanglement swapping. Here we assume that $|\psi'\rangle_{13} = |\psi^+\rangle_{13}$. After receiving the information and signatures (the particles), $M_2$ would obtain that $|\psi'\rangle_{24} = |\phi^-\rangle_{24}$ by measurement. Then $M_2$ compares $|\phi^-\rangle_{24}$ with the corresponding original state of $|\psi\rangle_{24}$ (which equals $|\psi^+\rangle_{24}$ as shown in Table 7.1). Without modification from attackers, $M_2$ will obtain that $|\psi'\rangle_{24} = |\phi^-\rangle_{24} = -U(11)^{(4)}|\psi\rangle_{24} = -U(11)^{(4)}|\psi^+\rangle_{24}$, i.e., Z = 11. By verifying that Z equals $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ (= 11), $M_2$ can confirm that the resulting data $X_1 \oplus X_2$ is surely from the senders $A_1$ and $A_2$.
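The Setup, Sign, Combine and Verify steps and Example 7.1 can be replayed with a four-qubit state-vector calculation. This is an added example, not code from the book: all function names are assumptions, the (1, 3) measurement outcome is passed in rather than sampled, and the `flip_particle` / `flip_bits` parameters are hypothetical knobs that model a polluted signature particle or polluted classical bits in transit.

```python
import math

S = 1 / math.sqrt(2)
# Signing operators from the scheme, keyed by the two-bit value X_i xor Y_i:
# U(00) = I, U(01) = sigma_x, U(10) = sigma_z, U(11) = -i*sigma_y (all real).
U = {0b00: ((1, 0), (0, 1)), 0b01: ((0, 1), (1, 0)),
     0b10: ((1, 0), (0, -1)), 0b11: ((0, -1), (1, 0))}
# Bell states as amplitudes over |00>, |01>, |10>, |11>.
BELL = {"phi+": (S, 0, 0, S), "phi-": (S, 0, 0, -S),
        "psi+": (0, S, S, 0), "psi-": (0, S, -S, 0)}


def apply(state, op, q, n):
    """Apply the 2x2 matrix op to qubit q (0 = leftmost) of an n-qubit state."""
    out = [0.0] * len(state)
    shift = n - 1 - q
    for i, amp in enumerate(state):
        b = (i >> shift) & 1
        for nb in (0, 1):
            out[(i & ~(1 << shift)) | (nb << shift)] += op[nb][b] * amp
    return out


def sign(m1, m2):
    """Setup + Sign: |phi+>_12 (x) |phi+>_34, then U(m1) on particle 2, U(m2) on particle 4."""
    state = [a * b for a in BELL["phi+"] for b in BELL["phi+"]]  # bit order: 1,2,3,4
    return apply(apply(state, U[m1], 1, 4), U[m2], 3, 4)


def combine(state, outcome13):
    """Combine: project particles (1,3) onto a Bell state.

    Returns (probability of that outcome, normalised state of particles (2,4))."""
    bell, s24 = BELL[outcome13], [0.0] * 4
    for i, amp in enumerate(state):
        b1, b2, b3, b4 = (i >> 3) & 1, (i >> 2) & 1, (i >> 1) & 1, i & 1
        s24[2 * b2 + b4] += bell[2 * b1 + b3] * amp
    prob = sum(x * x for x in s24)
    if prob < 1e-12:
        raise ValueError("outcome has zero probability")
    return prob, [x / math.sqrt(prob) for x in s24]


def verify(outcome13, s24, claimed):
    """Verify: find Z with |psi'>_24 = c(Z) U(Z)^(4) |psi>_24 and compare it with the claim.

    The unsigned reference |psi>_24 carries the same Bell label as the (1,3) outcome."""
    ref = list(BELL[outcome13])
    for z in U:
        candidate = apply(ref, U[z], 1, 2)           # U(Z) acting on particle 4
        if abs(sum(x * y for x, y in zip(s24, candidate))) > 1 - 1e-9:
            return z == claimed, z
    return False, None


def run(x1, y1, x2, y2, outcome13="psi+", flip_particle=None, flip_bits=0):
    """One signing round; returns (accepted, Z, recovered X1 xor X2 or None)."""
    m1, m2 = x1 ^ y1, x2 ^ y2
    _, s24 = combine(sign(m1, m2), outcome13)
    if flip_particle is not None:                    # polluted quantum signature
        s24 = apply(s24, U[flip_particle], 1, 2)
    ok, z = verify(outcome13, s24, m1 ^ m2 ^ flip_bits)
    return ok, z, (z ^ y1 ^ y2 if ok else None)      # M2 removes the keys Y1, Y2


def homomorphic_for_all_inputs():
    """Check Z = X1^Y1^X2^Y2 for every signed pair and every (1,3) outcome."""
    for m1 in U:
        for m2 in U:
            state = sign(m1, m2)
            for label in BELL:
                prob, s24 = combine(state, label)
                if abs(prob - 0.25) > 1e-9 or verify(label, s24, m1 ^ m2) != (True, m1 ^ m2):
                    return False
    return True


if __name__ == "__main__":
    print(run(0b00, 0b01, 0b01, 0b11))                      # Example 7.1
    print(homomorphic_for_all_inputs())
    print(run(0b00, 0b01, 0b01, 0b11, flip_particle=0b01))  # tampered particle 4
    print(run(0b00, 0b01, 0b01, 0b11, flip_bits=0b10))      # tampered classical bits
```

A change to either the signature particle or the classical bits alone makes Z disagree with the claimed value, so M2 denies the signature.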

7.1.5 Property of Signature Scheme

To prove the homomorphism of the quantum signature scheme, we give two lemmas as follows:
Lemma 7.1

$$U(X_1)\,U(X_2)\,|\varphi\rangle = c(X_1, X_2)\,U(X_1 \oplus X_2)\,|\varphi\rangle,$$

where $X_1, X_2 \in \{00, 10, 01, 11\}$, $|c(X_1, X_2)| = 1$.

Proof Since $c(X_1, X_2)$ depends on $X_1$ and $X_2$, its value equals −1 or 1. Hence when $|c(X_1, X_2)| = 1$, the above lemma can be easily proved.
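Lemma 7.2

$$U_1^{(1)} \cdot U_2^{(2)} \cdot |\psi\rangle_{12} = c_x \cdot (U_1 \cdot U_2)^{(2)} |\psi\rangle_{12}, \qquad |c_x| = 1,$$

where the superscript (i) means performing an operation on the particle i, $U_1, U_2 \in \{I, \sigma_x, \sigma_z, -i\sigma_y\}$, $|\psi\rangle_{12} \in \{|\phi^+\rangle, |\phi^-\rangle, |\psi^+\rangle, |\psi^-\rangle\}$.

Proof Assume that $U_1 = \begin{pmatrix} x_1 & x_2 \\ x_3 & x_4 \end{pmatrix}$, $U_2 = \begin{pmatrix} y_1 & y_2 \\ y_3 & y_4 \end{pmatrix}$. Considering $U_1, U_2 \in \{I, \sigma_x, \sigma_z, -i\sigma_y\}$, we can obtain that

$$\begin{aligned}
|x_1| = |x_4|, \quad |x_2| = |x_3|, \quad x_1 \cdot x_2 = 0 \\
|y_1| = |y_4|, \quad |y_2| = |y_3|, \quad y_1 \cdot y_2 = 0.
\end{aligned} \tag{7.2}$$

Take $|\psi\rangle_{12} = |\phi^+\rangle_{12}$ as an example, we obtain that

$$\begin{aligned}
U_1^{(1)} \cdot U_2^{(2)} \cdot |\psi\rangle_{12}
&= \frac{1}{\sqrt{2}}\left[\begin{pmatrix} x_1 & x_2 \\ x_3 & x_4 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} y_1 & y_2 \\ y_3 & y_4 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} + \begin{pmatrix} x_1 & x_2 \\ x_3 & x_4 \end{pmatrix}\begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} y_1 & y_2 \\ y_3 & y_4 \end{pmatrix}\begin{pmatrix} 0 \\ 1 \end{pmatrix}\right] \\
&= \frac{1}{\sqrt{2}}\left[\begin{pmatrix} x_1 \\ x_3 \end{pmatrix} \otimes \begin{pmatrix} y_1 \\ y_3 \end{pmatrix} + \begin{pmatrix} x_2 \\ x_4 \end{pmatrix} \otimes \begin{pmatrix} y_2 \\ y_4 \end{pmatrix}\right] \\
&= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1 y_1 + x_2 y_2 \\ x_1 y_3 + x_2 y_4 \\ x_3 y_1 + x_4 y_2 \\ x_3 y_3 + x_4 y_4 \end{pmatrix}
\end{aligned}$$

$$\begin{aligned}
(U_1 \cdot U_2)^{(2)} |\psi\rangle_{12}
&= \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} x_1 y_1 + x_2 y_3 & x_1 y_2 + x_2 y_4 \\ x_3 y_1 + x_4 y_3 & x_3 y_2 + x_4 y_4 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} \\
&\quad + \frac{1}{\sqrt{2}}\begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} x_1 y_1 + x_2 y_3 & x_1 y_2 + x_2 y_4 \\ x_3 y_1 + x_4 y_3 & x_3 y_2 + x_4 y_4 \end{pmatrix}\begin{pmatrix} 0 \\ 1 \end{pmatrix} \\
&= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1 y_1 + x_2 y_3 \\ x_3 y_1 + x_4 y_3 \\ x_1 y_2 + x_2 y_4 \\ x_3 y_2 + x_4 y_4 \end{pmatrix}
\end{aligned}$$

In consideration of Eq. 7.2, we obtain that

$$\begin{aligned}
x_1 = 1 = y_1 \rightarrow U_1^{(1)} \cdot U_2^{(2)} \cdot |\psi\rangle_{12}
&= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1 y_1 + x_2 y_2 \\ x_1 y_3 + x_2 y_4 \\ x_3 y_1 + x_4 y_2 \\ x_3 y_3 + x_4 y_4 \end{pmatrix}
= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1 y_1 \\ 0 \\ 0 \\ x_4 y_4 \end{pmatrix} \\
&= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1 y_1 + x_2 y_3 \\ x_3 y_1 + x_4 y_3 \\ x_1 y_2 + x_2 y_4 \\ x_3 y_2 + x_4 y_4 \end{pmatrix}
= (U_1 \cdot U_2)^{(2)} |\psi\rangle_{12}
\end{aligned}$$

In other cases, the same conclusion can be drawn. Hence Lemma 7.2 is proved.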

Proposition 7.1 The quantum signature scheme is additively homomorphic.


 
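Proof According to this scheme, the signature of $A_i$ is $|\psi'\rangle_{2i} = U(X_i \oplus Y_i)|\psi\rangle_{2i}$. Then the state of all particles after $A_i$ generates a signature would be transformed into $|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} \rightarrow |\psi'\rangle_{1234}$.

$$\begin{aligned}
|\psi'\rangle_{1234} &= U(X_1 \oplus Y_1)^{(2)} |\phi^+\rangle_{12} \otimes U(X_2 \oplus Y_2)^{(4)} |\phi^+\rangle_{34} \\
&= \frac{1}{2}\, U(X_1 \oplus Y_1)^{(2)}\, U(X_2 \oplus Y_2)^{(4)} \left( |0000\rangle_{1234} + |0011\rangle_{1234} + |1100\rangle_{1234} + |1111\rangle_{1234} \right) \\
&= \frac{1}{2}\, U(X_1 \oplus Y_1)^{(2)}\, U(X_2 \oplus Y_2)^{(4)} \left( |\phi^+\rangle_{13}|\phi^+\rangle_{24} + |\phi^-\rangle_{13}|\phi^-\rangle_{24} + |\psi^+\rangle_{13}|\psi^+\rangle_{24} + |\psi^-\rangle_{13}|\psi^-\rangle_{24} \right)
\end{aligned}$$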

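It can be rewritten as follows according to Lemma 7.1 and Lemma 7.2:

$$\begin{aligned}
|\psi'\rangle_{1234} &= \frac{1}{2} \Big\{ |\phi^+\rangle_{13} \big[ c_x \cdot U(X_1 \oplus Y_1)^{(4)}\, U(X_2 \oplus Y_2)^{(4)} |\phi^+\rangle_{24} \big] \\
&\qquad + |\phi^-\rangle_{13} \big[ c_x \cdot U(X_1 \oplus Y_1)^{(4)}\, U(X_2 \oplus Y_2)^{(4)} |\phi^-\rangle_{24} \big] \\
&\qquad + |\psi^+\rangle_{13} \big[ c_x \cdot U(X_1 \oplus Y_1)^{(4)}\, U(X_2 \oplus Y_2)^{(4)} |\psi^+\rangle_{24} \big] \\
&\qquad + |\psi^-\rangle_{13} \big[ c_x \cdot U(X_1 \oplus Y_1)^{(4)}\, U(X_2 \oplus Y_2)^{(4)} |\psi^-\rangle_{24} \big] \Big\} \\
&= \frac{1}{2} \Big\{ |\phi^+\rangle_{13} \big[ c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\phi^+\rangle_{24} \big] \\
&\qquad + |\phi^-\rangle_{13} \big[ c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\phi^-\rangle_{24} \big] \\
&\qquad + |\psi^+\rangle_{13} \big[ c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\psi^+\rangle_{24} \big] \\
&\qquad + |\psi^-\rangle_{13} \big[ c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\psi^-\rangle_{24} \big] \Big\}
\end{aligned}$$
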

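After performing a Bell-state measurement on the particles 1 and 3, we obtain that $|\psi'\rangle_{24} = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\psi\rangle_{24}$. Note that $|c_x \cdot c(U_1, U_2)| = 1$ is a phase factor and can be ignored after performing a Bell-state measurement. Comparing with the original state

$$|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} = \frac{1}{2} |\phi^+\rangle_{13}|\phi^+\rangle_{24} + \frac{1}{2} |\phi^-\rangle_{13}|\phi^-\rangle_{24} + \frac{1}{2} |\psi^+\rangle_{13}|\psi^+\rangle_{24} + \frac{1}{2} |\psi^-\rangle_{13}|\psi^-\rangle_{24},$$

we obtain that $|\psi'\rangle_{24} = c(Z) \cdot U(Z)^{(4)} \cdot |\psi\rangle_{24}$, $Z = X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$.
Here we can view the operation of entanglement swapping as a function $f$ and the operation of signature as a function $\mathrm{Sign}$. As we know, the effect of $f$ is $|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} \rightarrow |\psi'\rangle_{13} \otimes |\psi'\rangle_{24}$, and the effect of $\mathrm{Sign}$ is $\mathrm{Sign}(X) = U(X \oplus Y)^{(2)} |\psi\rangle_{12}$, where $Y$ is the secret key corresponding to the information $X$.
By definition, the aggregator $M_1$ receives the messages $(X_1 \oplus Y_1, X_2 \oplus Y_2)$ and the corresponding signatures. Note that, different from the classical case, we only view the particle 2 (4) as the signature $S_1$ ($S_2$). Hence $S_1$ ($S_2$) can be generated by $\mathrm{Sign}(X_1)$ ($\mathrm{Sign}(X_2)$) as follows:

$$\mathrm{Sign}(X_1) \rightarrow S_1 = |\psi'\rangle_2 = U(X_1 \oplus Y_1)|\psi\rangle_2,$$
$$\mathrm{Sign}(X_2) \rightarrow S_2 = |\psi'\rangle_4 = U(X_2 \oplus Y_2)|\psi\rangle_4.$$
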

Without the keys $Y_1$ and $Y_2$, $M_1$ generates a new signature by entanglement swapping. The whole process can be described as follows:

$$\begin{aligned}
f\big(\mathrm{Sign}(X_1), \mathrm{Sign}(X_2)\big) &= |\psi'\rangle_{13} \otimes |\psi'\rangle_{24} \\
&= U(X_1 \oplus Y_1)^{(2)} |\psi\rangle_{12} \otimes U(X_2 \oplus Y_2)^{(4)} |\psi\rangle_{24} \\
&= |\psi\rangle_{13} \otimes U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\psi\rangle_{24}.
\end{aligned}$$

Obviously $f(\mathrm{Sign}(X_1), \mathrm{Sign}(X_2)) \rightarrow S_{M_1} = |\psi'\rangle_4 = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)|\psi\rangle_4$. If $M_1$ generates its signature according to the information $X_1 \oplus X_2$ and the key $Y_1 \oplus Y_2$, then $\mathrm{Sign}(X_1 \oplus X_2) \rightarrow S_{M_1} = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)|\psi\rangle_4$. Thus $f(\mathrm{Sign}(X_1), \mathrm{Sign}(X_2)) \rightarrow S_{M_1} = S_{M_1} \leftarrow \mathrm{Sign}(X_1 \oplus X_2)$. Comparing with the definition of classical additive homomorphism $\phi(X_1 + X_2) = f(\phi(X_1), \phi(X_2))$, the signature scheme satisfies the property of additive homomorphism.
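
A numerical check of Lemma 7.1 and Proposition 7.1 for every input and every Bell-measurement outcome, added here as an example and not taken from the book. The mapping of the two bits to operators (00 → I, 10 → σz, 01 → σx, 11 → −iσy) is an assumption based on the sets used in the lemmas above, and all function names are hypothetical.

```python
import itertools
import math

S = 1 / math.sqrt(2)

# Assumed encoding of the 2-bit value X as a unitary U(X):
# 00 -> I, 10 -> sigma_z, 01 -> sigma_x, 11 -> -i*sigma_y (all real matrices).
U = {
    0b00: ((1, 0), (0, 1)),
    0b10: ((1, 0), (0, -1)),
    0b01: ((0, 1), (1, 0)),
    0b11: ((0, -1), (1, 0)),
}

# Bell states as amplitudes over |00>, |01>, |10>, |11>.
BELL = {
    "phi+": (S, 0, 0, S),
    "phi-": (S, 0, 0, -S),
    "psi+": (0, S, S, 0),
    "psi-": (0, S, -S, 0),
}


def lemma71_phase(a, b):
    """Return c in {1, -1} with U(a)U(b) = c * U(a xor b), else None."""
    prod = [[sum(U[a][i][k] * U[b][k][j] for k in (0, 1)) for j in (0, 1)]
            for i in (0, 1)]
    for c in (1, -1):
        if all(prod[i][j] == c * U[a ^ b][i][j] for i in (0, 1) for j in (0, 1)):
            return c
    return None


def apply_1q(state, n, q, u):
    """Apply the 2x2 matrix u to qubit q (0 = leftmost) of an n-qubit state."""
    shift = n - 1 - q
    out = [0.0] * len(state)
    for idx, amp in enumerate(state):
        old = (idx >> shift) & 1
        for new in (0, 1):
            out[(idx & ~(1 << shift)) | (new << shift)] += u[new][old] * amp
    return out


def project_13(state, outcome):
    """Bell-measure particles (1, 3) with the given outcome.

    Returns the unnormalised state left on particles (2, 4)."""
    out = [0.0] * 4
    for idx, amp in enumerate(state):
        q1, q2, q3, q4 = (idx >> 3) & 1, (idx >> 2) & 1, (idx >> 1) & 1, idx & 1
        out[2 * q2 + q4] += BELL[outcome][2 * q1 + q3] * amp
    return out


def decode_z(signed_24, reference_24):
    """Find Z such that signed_24 is proportional to U(Z)^(4) reference_24."""
    for z, u in U.items():
        cand = apply_1q(list(reference_24), 2, 1, u)
        overlap = sum(a * b for a, b in zip(cand, signed_24))
        norms = sum(a * a for a in cand) * sum(b * b for b in signed_24)
        if math.isclose(overlap * overlap, norms, rel_tol=1e-9):
            return z
    return None


def swap_and_decode(x1, y1, x2, y2, outcome):
    """Sign particles 2 and 4, swap entanglement, and read off Z at the verifier."""
    base = [a * b for a in BELL["phi+"] for b in BELL["phi+"]]  # particles 1,2,3,4
    signed = apply_1q(base, 4, 1, U[x1 ^ y1])    # A1: U(X1 xor Y1) on particle 2
    signed = apply_1q(signed, 4, 3, U[x2 ^ y2])  # A2: U(X2 xor Y2) on particle 4
    reference = project_13(base, outcome)        # unsigned swapping result |psi>_24
    return decode_z(project_13(signed, outcome), reference)


def check_all():
    """Exhaustively compare the decoded Z with X1 xor Y1 xor X2 xor Y2."""
    for x1, y1, x2, y2 in itertools.product(range(4), repeat=4):
        for outcome in BELL:
            if swap_and_decode(x1, y1, x2, y2, outcome) != x1 ^ y1 ^ x2 ^ y2:
                return False
    return True


if __name__ == "__main__":
    print("Lemma 7.1 phases:", {(a, b): lemma71_phase(a, b) for a in U for b in U})
    print("Proposition 7.1 holds for all inputs and outcomes:", check_all())
```

The decoded value never depends on which of the four outcomes the measurement on particles (1, 3) produces, which is why the phase factor can be dropped in the proof.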

7.1.6 Security Analysis

To prove the unforgeability of the scheme, we give two lemmas as follows:


Lemma 7.3 The secret key Yi is shared by M2 and Ai securely.

Proof Although the BB84 protocol has been proved to be unconditionally secure,
it is vulnerable to a middle-man attack. Hence an improved BB84 protocol inspired
by the literature [6] can be used to distribute the key to defend against a middle-man
attack.

In this protocol, $M_2$ and $A_i$ share a series of EPR pairs. $M_2$ owns one half of these particles and $A_i$ owns the others. $M_2$ prepares a photon sequence (we call these particles “key particles” for convenience), whose particles correspond to the base vectors $|+\rangle, |-\rangle$ or $|1\rangle, |0\rangle$ at random. Firstly, $M_2$ inserts its EPR particles into its photon sequence at random and preserves the sequence number of these EPR particles. Then $M_2$ sends its photon sequence and the sequence number to $A_i$. $A_i$ performs the measurement on the key particles with the basis of $|+\rangle, |-\rangle$ or $|0\rangle, |1\rangle$. Then $A_i$ tells $M_2$ the chosen measurement basis, and $M_2$ tells $A_i$ the photons measured by the corresponding base vectors. Consequently, they discard the photons that they measure by the different base vectors. After transforming the remaining key particles to classical bits (called raw key) as follows: $|1\rangle \rightarrow 1$, $|0\rangle \rightarrow 0$, $|+\rangle \rightarrow 1$, $|-\rangle \rightarrow 0$, they choose some bits of the raw key and compare them. Obviously, if the unequal bits exceed a certain threshold, they have suffered from a wiretapping attack.
In this process, $A_i$ can also detect the middle-man attack by measuring the EPR particles in the photon sequence and its own EPR particles. Suppose a middle-man, Mallory, captures the sequence number of these EPR particles and the photon sequence, forges the EPR particles and sends them to $A_i$. Because $A_i$ can measure the EPR particles by four Bell bases at random, the measurement results of the EPR particles forged by Mallory would be different from the EPR particles of $A_i$. Hence the middle-man attack would be found. Based on the improved BB84 protocol, this quantum key distribution protocol can defend against any middle-man attack. Hence we can prove Lemma 7.3.

Lemma 7.4 The secret key $Y_i$ cannot be calculated by means of classical information and its corresponding quantum signature.

Proof As shown in Fig. 7.4, no attacker can obtain the secret key by capturing classical information and its quantum signature. The details are as follows:

Fig. 7.4 The security of secret key

(1) If an attacker captures the particle $2i$ ($i \in \{1, 2\}$) and the information $X_i \oplus Y_i$ which are sent by $A_i$, he cannot obtain the key $Y_i$.
Assume an attacker obtains the particle 2 and the classical bits $X_1 \oplus Y_1$. Without the particle 1, he cannot obtain $|\psi'\rangle_{12}$, but only the state of the particle 2 ($|+\rangle$ or $|-\rangle$) by a corresponding measurement basis, which prevents him from calculating the unitary operation $U(X_1 \oplus Y_1)$. Hence no attacker can obtain the key $Y_i$ only by capturing the particle $2i$ and the information $X_i \oplus Y_i$ sent by $A_i$.
(2) If an attacker captures the particles (1, 2, 3, 4) and the information $(X_1 \oplus Y_1) \oplus (X_2 \oplus Y_2)$ which are sent by the intermediate node $M_1$, he cannot obtain the key $Y_i$.
In this case, an attacker can obtain the state of the particles 2 and 4, namely $|\psi'\rangle_{24} = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\psi\rangle_{24}$, by performing a Bell-state measurement on them. However, the attacker can only obtain the classical bits $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ by the unitary operator $U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)$. He cannot obtain the keys $Y_1$ and $Y_2$ separately even if he also captures $X_1 \oplus Y_1$ and $X_2 \oplus Y_2$.

Proposition 7.2 The signature Si is unforgeable.

Proof According to the quantum signature scheme, the signature of $A_i$ is $S_i = U(X_i \oplus Y_i)|\psi\rangle_{2i}$. In other words, the key $Y_i$ is necessary to generate a signature. According to Lemmas 7.3 and 7.4, any attacker cannot obtain the key $Y_i$ by wiretap attacks. Hence without the key $Y_i$, any attacker cannot forge a signature corresponding to his data $X_i'$.

In a quantum network, quantum channels are secure. By virtue of the quantum homomorphic signature scheme, the classical bits would not be falsified. Even if an attacker obtains the classical bits by wiretap, he cannot recover the original quantum states. Furthermore, even if an attacker or malicious node falsifies these classical bits, the receivers would find and filter out these corrupt packets. Hence our quantum signature scheme can effectively defend against active attacks and wiretap attacks.

Proposition 7.3 If two senders use the same secret key, namely $Y_1 = Y_2$, the quantum signature scheme can verify the identity of a single data source. If two senders use different secret keys, namely $Y_1 \neq Y_2$, the quantum signature scheme can verify the identity of different data sources.

Proof When $Y_1 = Y_2$, the quantum network model can be viewed as a single-source multicast network. The information sent by $A_1$ and $A_2$ is from a single-source node upstream. Then by verifying the homomorphic signature, we can directly confirm whether the classical bits $X_1 \oplus X_2$ received by $M_2$ are the exclusive OR result of the classical bits $X_1$ and $X_2$ from a certain source node. When $Y_1 \neq Y_2$, the quantum network model can be viewed as a multi-source unicast network, where there are two source nodes $A_1$ and $A_2$. The homomorphic signature received by $M_2$ is the combination of signatures from $A_1$ and $A_2$ at the intermediate node $M_1$. Hence by verifying the signature of $M_1$, we can confirm whether the classical bits $X_1 \oplus X_2$ are from $M_1$. Note that the classical bits of $M_1$ are the exclusive OR result of the classical bits $X_1$ from $A_1$ and $X_2$ from $A_2$. On this basis, we can indirectly authenticate the identity of the data source.

Fig. 7.5 Multi-source model

7.1.7 Discussion

In this section, we discuss the effect of quantum homomorphic signature on the quantum network. For a more complicated and general scenario, there exist more than two source nodes. Thus, it is necessary to discuss whether the scheme can be adjusted to combine more signatures. As shown in Fig. 7.5, a multi-source model can always be transformed into a double-source model. In this model, three source nodes $A_1$, $A_2$ and $A_3$ transmit their information to an intermediate node $M_1$. By adding a node $D_1$, we can transform this triple-source model into two double-source models whose source nodes are $A_1$, $D_1$ and $A_2$, $A_3$, respectively. Obviously, the quantum homomorphic signature scheme can be extended to this scenario after transformation. The details are described as follows:
(1) Setup
Similarly, we assume that $A_i$ shares its key $Y_i$ with $M_2$ by the improved BB84 protocol described in Lemma 7.3. Furthermore, $M_1$ prepares three pairs of entangled states

$$|\phi^+\rangle_{12} = \frac{1}{\sqrt{2}} \left( |00\rangle_{12} + |11\rangle_{12} \right),$$
$$|\phi^+\rangle_{34} = \frac{1}{\sqrt{2}} \left( |00\rangle_{34} + |11\rangle_{34} \right),$$
$$|\phi^+\rangle_{56} = \frac{1}{\sqrt{2}} \left( |00\rangle_{56} + |11\rangle_{56} \right).$$

$M_1$ sends its particles 2, 4 and 6 (denoted as $|\psi\rangle_2$, $|\psi\rangle_4$, $|\psi\rangle_6$) to $A_1$, $A_2$ and $A_3$, respectively.
(2) Sign
In this phase each source node $A_i$ signs on its particle $2i$ according to its classical information $X_i \oplus Y_i$. The method of signature is the same as that in the double-source model, which is described in Sect. 7.1.4. Then $A_i$ sends its particle $2i$ and classical information $X_i \oplus Y_i$ to $M_1$. Here we assume that the state of the particle $2i$ is $|\psi'\rangle_{(2i)} = U(X_i \oplus Y_i)|\psi\rangle_{(2i)}$.
(3) Combine
After receiving the particles and information from source nodes, $M_1$ first combines the signature of $A_2$ and $A_3$, and obtains a result (which can be viewed as the signature of the added node $D_1$ in Fig. 7.5). Then $M_1$ combines the result and the signature of $A_1$. The detailed process is described as follows:
Step 1: $M_1$ performs a Bell-state measurement on the particles 3 and 5, and obtains the result $|\psi'\rangle_{35}$. Obviously, the state of the particles 4 and 6 would be $|\psi'\rangle_{46} = c_1 \cdot U(X_2 \oplus Y_2 \oplus X_3 \oplus Y_3)^{(6)} |\psi\rangle_{46}$ according to the Property 7.1. Here the value of $c_1$ depends on $X_2 \oplus Y_2$ and $X_3 \oplus Y_3$, which satisfies $|c_1| = 1$ according to Lemma 7.1.
Step 2: $M_1$ performs a Bell-state measurement on the particles 1 and 4, and obtains the result $|\psi'\rangle_{14}$. Then the state of the particles 2 and 6 would be $|\psi'\rangle_{26} = c_1 \cdot c_2 \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3)^{(6)} |\psi\rangle_{26}$. Here the value of $c_2$ depends on $X_1 \oplus Y_1$ and $X_2 \oplus Y_2 \oplus X_3 \oplus Y_3$, which satisfies $|c_2| = 1$ according to Lemma 7.1.
Step 3: $M_1$ sends the classical information $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3$ and the particles (1, 2, 3, 4, 5, 6) (i.e., $|\psi'\rangle_{35} \otimes |\psi'\rangle_{14} \otimes |\psi'\rangle_{26}$) to $M_2$.
(4) Verify
After receiving the particles and $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3$, $M_2$ can verify the signature as follows:
Step 1: $M_2$ performs the Bell-state measurements on the particles 3, 5 and 1, 4, and obtains $|\psi'\rangle_{35}$ and $|\psi'\rangle_{14}$. According to Table 7.1, we can find out the value of $|\psi\rangle_{46}$ which is the entanglement swapping result of $|\psi\rangle_{34} \otimes |\psi\rangle_{56}$ when $|\psi\rangle_{35} = |\psi'\rangle_{35}$. Similarly, with the value of $|\psi\rangle_{46}$ we can also calculate the value of $|\psi\rangle_{26}$ which is the entanglement swapping result of $|\psi\rangle_{12} \otimes |\psi\rangle_{46}$ when $|\psi\rangle_{14} = |\psi'\rangle_{14}$.
Step 2: $M_2$ performs a Bell-state measurement on the particles 2, 6 and obtains $|\psi'\rangle_{26}$. Then $M_2$ compares $|\psi'\rangle_{26}$ with $|\psi\rangle_{26}$, and obtains an operator which satisfies $|\psi'\rangle_{26} = c(Z)\, U(Z)^{(6)} \cdot |\psi\rangle_{26}$. Here $|c(Z)| = 1$.
Step 3: $M_2$ calculates $X_1 \oplus X_2 \oplus X_3$ by its keys. Furthermore, if $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3 = Z$, $M_2$ would confirm that $|\psi'\rangle_6$ is the signature of $M_1$ and assure that the resulting information $X_1 \oplus X_2 \oplus X_3$ originates from the source nodes $A_1$, $A_2$ and $A_3$. Otherwise $M_2$ would deny the signature.
According to the above approach, the scheme can be easily extended to a multi-source model which may contain $n$ source nodes. Moreover, it can solve the problem of identity authentication of single-source unicast, single-source multicast, multi-source unicast, or multi-source multicast in quantum networks.
Note that the scheme will consume 4 extra particles (two entangled pairs) to generate a homomorphic signature. Obviously, for an $n$-source node model it would need $2n$ particles. Hence the efficiency and security of EPR pair distribution are very important. An effective distribution scheme would be of great value to the popularization of the scheme in the future. It is worth noting that the particles (1, 2, 3, 4) in the scheme will still fall into the Bell-state after homomorphic signature as follows: $|\varphi\rangle_{12} \otimes |\varphi\rangle_{34} \rightarrow |\varphi\rangle_{13} \otimes |\varphi\rangle_{24}$. This means that the particles can be reused for the next signature. Hence by a reasonable design in the future, the consumed particles for homomorphic signature would be reduced, which could greatly enhance the efficiency of the scheme.

7.2 Secure Quantum Network Coding with Message Authentication

7.2.1 Efficient Authentication of Homomorphic Signature

As we know, the security of quantum communication is assured by the physical principles of the Heisenberg uncertainty principle and the quantum no-cloning theorem. However, with the study of quantum cryptography, quite a few effective attack strategies have been proposed, such as intercept-resend attack, entanglement swapping attack, teleportation attack, etc. Until now, security mechanisms for quantum network coding are still very few.
Due to the encoding characteristics, quantum network coding suffers from pollution attacks like classical network coding. If an attacker injects a corrupt packet at upstream nodes, all packets of downstream nodes will be polluted for the reason of encoding. For example, in Hayashi’s scheme with prior entanglement [7], attackers can easily wiretap and falsify packets to realize pollution attacks and prevent message recovery. As shown in Fig. 7.6, an attacker can tamper with the packet $X_2$ over the classical channel $D_2$ between $A_2$ and $M_1$. As a result, $B_1$ and $B_2$ cannot decode the original states correctly. Hence it is necessary to verify the identity of the data source to defend against such attacks.

Fig. 7.6 Pollution attack for Hayashi’s scheme with prior entanglement

As a homomorphic signature scheme can authenticate the data source and allows intermediate nodes to generate a new signature by directly manipulating original signatures without encryption operation, it is widely applied in classical network coding to defend against pollution attacks. If a quantum homomorphic signature scheme is feasible in quantum network coding, it will be very helpful to enhance the security of quantum network communication, beyond quantum network coding. By introducing quantum homomorphic signature [3] into the typical quantum network coding scheme with prior entanglement, a secure quantum network coding scheme against pollution attacks was designed [8].

7.2.2 Problem of Quantum Homomorphic Signature Scheme

The first quantum homomorphic signature scheme [3] creatively treats entanglement
swapping as a quantum homomorphic operation. As shown in Fig. 7.7, A1 and A2
are signers, M1 is an aggregator who generates a new homomorphic signature from
received signatures, M2 is a verifier, and ⊕ denotes the operation of exclusive OR.
After analysis, two problems are found in the scheme. Firstly, only one node can achieve signature verification. Hence the scheme is not completely suited to defending against pollution attacks in quantum network coding, where two or more destination nodes need to authenticate the data source by verifying a signature. Secondly, the signature sent from $M_1$ to $M_2$ can be easily forged if the classical bits $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ and the particles (1, 3, 2, 4) were captured by an attacker. Suppose that the state of the particles (1, 3) after the entanglement swapping is $|\psi'\rangle_{13} = |\psi^+\rangle_{13}$, then the state of the particles (2, 4) should be $|\psi'\rangle_{24} = c \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)} |\psi^+\rangle_{24}$. As we know, the verifier accepts the signature as long as the received classical message $Z$ and the Bell-state $|\psi'\rangle_{24}$ satisfy $|\psi'\rangle_{24} = c \cdot U(Z)^{(4)} |\psi^+\rangle_{24}$ (here $Z = X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$). If an attacker replaces the classical bits $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ by a corrupt data $E$ while preparing two entangled particles (5, 6) with $|\psi\rangle_{56} = c \cdot U(E)^{(4)} |\psi^+\rangle_{24}$, the verifier would accept the signature according to the received information $E$ and the particles (1, 3, 5, 6). In other words, the attacker has forged the signature successfully.

Fig. 7.7 Quantum homomorphic signature model

7.2.3 QNC Scheme with Message Authentication

In Hayashi’s scheme with prior entanglement, classical bits are indispensable to perfect quantum network coding. To assure that these classical bits are from senders rather than attackers, we can introduce the quantum homomorphic signature scheme into the butterfly network as shown in Fig. 7.8. Especially, we should solve the two problems mentioned above. The main ideas are described as follows:
(1) We can add a signature copy operation at the intermediate node $M_2$ to generate another copy of the signature $S_3$. As we know, after the Bell measurement by $M_1$, the particles (1, 3) and (2, 4) fall into Bell-states. In order to precisely copy the signature $S_3$, $M_2$ just needs to prepare two EPR pairs $|\psi\rangle_{56}$ and $|\psi\rangle_{78}$ such that $|\psi\rangle_{56} = |\psi'\rangle_{13}$, $|\psi\rangle_{78} = |\psi'\rangle_{24}$. Now $|\psi\rangle_{56}|\psi\rangle_{78}$ is in the same state as $|\psi'\rangle_{13}|\psi'\rangle_{24}$, and the particle 8 can be viewed as a copy of the homomorphic signature $S_3$. In fact, a node can copy multiple signatures according to the number of next-hops.
(2) To solve the signature forgery problem between $M_1$ and $M_2$, we need to guarantee the confidentiality of the unitary operator for signature generation. We can transmit $X_i \oplus K_i$ instead of $X_i \oplus Y_i$ in our new scheme. Here $K_i$ is another key pair shared between a signer and a verifier and $K_i \in \{00, 01, 10, 11\}$.
Assume that an attacker can capture and falsify information over quantum channels or classical channels. Our objective is to guarantee that the receivers can verify the identity of the data source by means of quantum signature verification during the process of network coding. The two senders $A_1$ and $A_2$ share two pairs of the maximally entangled state $|\phi^+\rangle$ in prior. The first pair has two particles $A_{1,1}$ and $A_{2,1}$, and the second pair has two particles $A_{1,2}$ and $A_{2,2}$. $A_1$ owns two particles $A_{1,1}$ and $A_{1,2}$. $A_2$ owns the other two particles $A_{2,1}$ and $A_{2,2}$.

Fig. 7.8 Quantum network coding scheme against pollution attacks

The quantum network coding scheme with message authentication is described as follows:
Step 1: The sender $A_i$ prepares its state $|\varphi_i\rangle$, then $A_i$ shares its keys $Y_i$ and $K_i$ with $B_1$ and $B_2$ by quantum key distribution protocol. Here $Y_i, K_i \in \{00, 01, 10, 11\}$.
Step 2: The node $M_1$ prepares two EPR pairs $|\phi^+\rangle_{12}$, $|\phi^+\rangle_{34}$, and sends the particle $2i$ (denoted as $|\psi\rangle_{2i}$) to $A_i$.
Step 3: $A_i$ performs a Bell measurement on the system $|\varphi_i\rangle \otimes A_{i,i}$, and the measurement result is mapped to classical bits $X_i$ according to the rule of $|\phi^+\rangle \rightarrow 00$, $|\phi^-\rangle \rightarrow 10$, $|\psi^+\rangle \rightarrow 01$, $|\psi^-\rangle \rightarrow 11$. Through quantum teleportation, the state of the remaining particle $A_{1,2}$ at $A_1$ becomes $U(X_2)^{-1}|\varphi_2\rangle$ and the state of the remaining particle $A_{2,1}$ at $A_2$ becomes $U(X_1)^{-1}|\varphi_1\rangle$.
Step 4: $A_i$ generates the signature of $X_i$, namely $S_i = U(X_i \oplus Y_i)|\psi\rangle_{2i}$. In other words, the particle $2i$ after transformation ($|\psi'\rangle_{2i}$) would be the signature of the sender $A_i$.
Step 5: $A_i$ performs a unitary operation $U(X_i)^{-1}$ on its remaining particle. Then the state of the particle $A_{1,2}$ at $A_1$ will become $U(X_1)^{-1} U(X_2)^{-1} |\varphi_2\rangle = c(X_1, X_2)\, U(X_1 \oplus X_2)^{-1} |\varphi_2\rangle$, where $|c(X_1, X_2)| = 1$; the state of the particle $A_{2,1}$ at $A_2$ will become $U(X_2)^{-1} U(X_1)^{-1} |\varphi_1\rangle = c(X_1, X_2)\, U(X_1 \oplus X_2)^{-1} |\varphi_1\rangle$, where $|c(X_1, X_2)| = 1$.
Step 6: $A_1$ sends the particle $A_{1,2}$ after transformation, namely $c(X_1, X_2)\, U(X_1 \oplus X_2)^{-1} |\varphi_2\rangle$, to $B_2$. $A_2$ sends the particle $A_{2,1}$ after transformation, namely $c(X_1, X_2)\, U(X_1 \oplus X_2)^{-1} |\varphi_1\rangle$, to $B_1$. Then the sender $A_i$ sends the classical bits $C_i = X_i \oplus K_i$ and its signature particle $2i$ to $M_1$.
Step 7: The node $M_1$ performs Bell measurements on the particles (1, 2) and (3, 4) to obtain the measurement results $V_1 = |\psi'\rangle_{12}$ and $V_2 = |\psi'\rangle_{34}$. $M_1$ records the information $\{C_1, C_2, V_1, V_2\}$ which will be used to locate a corrupt data source when a pollution attack happens. Then $M_1$ sends the classical bits $X_1 \oplus K_1 \oplus X_2 \oplus K_2$ and the particles (1, 2, 3, 4) (i.e., $|\psi'\rangle_{12} \otimes |\psi'\rangle_{34}$) to the node $M_2$.
Step 8: The node $M_2$ first performs Bell measurements on the particles (1, 3) and (2, 4) to obtain $|\psi'\rangle_{13}$ and $|\psi'\rangle_{24}$. Now the particle 4 is the homomorphic signature generated by entanglement swapping. Then $M_2$ can make a copy of the signature by preparing two EPR pairs $|\psi\rangle_{56}$ and $|\psi\rangle_{78}$, with $|\psi\rangle_{56} = |\psi'\rangle_{13}$, $|\psi\rangle_{78} = |\psi'\rangle_{24}$. After that, $M_2$ sends the classical information $X_1 \oplus K_1 \oplus X_2 \oplus K_2$ and the quantum particles (1, 3, 2, 4) to $B_1$, and then sends the classical information $X_1 \oplus K_1 \oplus X_2 \oplus K_2$ and the quantum particles (5, 6, 7, 8) to $B_2$.
Step 9: The receiver $B_1$ completes data source authentication by verifying the signature according to its received particles (1, 3, 2, 4) and classical bits $X_1 \oplus K_1 \oplus X_2 \oplus K_2$.
$B_1$ performs a Bell measurement on the particles (1, 3) to obtain $|\psi'\rangle_{13}$, and performs a Bell measurement on the particles (2, 4) to obtain $|\psi'\rangle_{24}$. Assume that $|\psi\rangle_{24}$ is the entanglement swapping result of the particles (2, 4) without performing unitary operations on them while $|\psi\rangle_{13} = |\psi'\rangle_{13}$ is satisfied. By comparing $|\psi'\rangle_{24}$ with $|\psi\rangle_{24}$, $B_1$ will obtain an operator $U(Z)$ such that $|\psi'\rangle_{24} = c(Z)\, U(Z)^{(4)} |\psi\rangle_{24}$. $B_1$ can calculate $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ according to the received information $X_1 \oplus K_1 \oplus X_2 \oplus K_2$ and the keys $K_1$, $K_2$, $Y_1$ and $Y_2$. Then $B_1$ compares $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ with $Z$. If $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 = Z$, $B_1$ would confirm that the classical bits $X_1$ and $X_2$ are from the senders $A_1$ and $A_2$. Otherwise $B_1$ would conclude that the data has been falsified.
Similarly, the receiver $B_2$ completes data source authentication by verifying the signature according to its received particles (5, 6, 7, 8) and classical bits $X_1 \oplus K_1 \oplus X_2 \oplus K_2$.
Step 10: If the receiver $B_i$ verifies the signatures successfully, $B_i$ first calculates the result of $X_1 \oplus X_2$ according to the keys $Y_1$, $Y_2$ and the information $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$. Then $B_i$ performs the unitary operation $U(X_1 \oplus X_2)$ on its received particle to recover the original quantum state. Concretely, $B_1$ recovers

$$U(X_1 \oplus X_2)\, U(X_1 \oplus X_2)^{-1} |\varphi_1\rangle = |\varphi_1\rangle$$

and $B_2$ recovers

$$U(X_1 \oplus X_2)\, U(X_1 \oplus X_2)^{-1} |\varphi_2\rangle = |\varphi_2\rangle.$$

Here, the phase factor $c(X_1, X_2)$ is ignored.

7.2.4 Performance Analysis

Theorem 7.1 The fidelity of the quantum network coding scheme with message
authentication is 1.

Proof As we know, Hayashi’s scheme with prior entanglement can transmit two
qubits crossly and perfectly over the butterfly network. Note that all the operations
introduced would not affect the fidelity of transmitting unknown qubits. Hence the
fidelity of the scheme is the same as that of Hayashi’s scheme, namely 1.

In order to securely transmit two qubits over the butterfly network by Hayashi’s scheme with prior entanglement, quantum signatures need to be introduced to achieve data source authentication. In the scheme, 8 quantum particles are needed in each transmission process. 4 of the 8 particles are used to generate original signatures and the homomorphic signature, and the other 4 particles are used to copy the homomorphic signature. This can be seen from Fig. 7.9a. By contrast, if we generate a signature at each node instead of using homomorphic signature, 10 quantum particles will be needed, which can be seen from Fig. 7.9b. Hence the scheme saves 2 quantum particles in each transmission process, and saves $2n$ particles during $n$ transmission processes. The amount of saved particles increases linearly with transmission.

Fig. 7.9 Particles consumed

In this scheme, each channel can optionally transmit one qubit or two bits as required.

Theorem 7.2 The achievable rate for the scheme declines from $(r_1, r_2) = (1, 1)$ to $(r_1, r_2) = \left(\frac{1}{5}, \frac{1}{5}\right)$ compared with the perfect quantum network coding with prior entanglement between two senders.

Proof Hayashi’s scheme with prior entanglement can reach a rate pair of $(r_1, r_2) = (1, 1)$. This means Hayashi’s scheme can transmit two source qubits simultaneously by a single use of the network. The scheme adds a signature mechanism for data source authentication which needs to send the extra information of signatures in the network. Obviously, this would reduce the achievable rate. Compared with Hayashi’s work, to transmit two source qubits simultaneously, this scheme needs to transmit four extra particles which are sent via $S_1 (S_2) \rightarrow M_1 \rightarrow M_2 \rightarrow B_1$ for signature. Due to the capacity of channels, we need to transmit these particles by using the network four times. Then we can easily obtain that $(r_1, r_2) = \left(\frac{1}{5}, \frac{1}{5}\right)$ for this scheme.

7.2.5 Security Analysis

Proposition 7.4 In this scheme, any corrupt packet which prevents receivers from recovering original states would be detected.

Proof As mentioned above, during the signature verification process $B_1$ will first derive a unitary operator $U(Z)$ by comparing $|\psi'\rangle_{24}$ with $|\psi\rangle_{24}$ such that $|\psi'\rangle_{24} = c(Z)\, U(Z)^{(4)} |\psi\rangle_{24}$. Here $Z = X_1 \oplus K_1 \oplus X_2 \oplus K_2$. Assume that an attacker modifies packets and the packet $B_1$ receives after modification is denoted as $E$, then the following two cases may occur:
Case 1: $E = X_1 \oplus K_1 \oplus X_2 \oplus K_2$. In this case, the modified packets will pass the signature verification and will not be found out. As the modification does not affect the decoding process, $B_1$ and $B_2$ can still recover the original quantum states. Therefore, such modification will not be treated as an attack.
Case 2: $E \neq X_1 \oplus K_1 \oplus X_2 \oplus K_2$. In this case, the modified packets cannot pass the signature verification and will be found out by $B_1$ and $B_2$.

All in all, any corrupt packet which prevents receivers from recovering original
states would be detected.

Proposition 7.5 With the information of trusted intermediate nodes, this scheme
can locate a corrupt data source.

Proof As mentioned above, if the signature verification succeeds at the receiver $B_1$, it would confirm that the classical bits $X_1$ and $X_2$ are from the source nodes $A_1$ and $A_2$. However, if the verification fails, $B_1$ can only conclude that the information has been modified somewhere in the network, but cannot locate the corrupt data source.

Assume that the intermediate node $M_1$ is a trusted node. Here “trusted” means that the node would not modify any packet and can share all the keys $Y_1$, $Y_2$, $K_1$, $K_2$. In this case, with the help of the trusted node $M_1$, $B_1$ can find out the corrupt packet and locate the corrupt data source.
Concretely, when $B_1$ finds out data corruption by verifying the signature, it notifies $M_1$ to transmit the information $\{C_1, C_2, V_1, V_2\}$ to it (see Step 6 of Sect. 7.2.3). Considering that $V_1 = |\psi'\rangle_{12} = U(X_1 \oplus Y_1)^{(2)} |\psi\rangle_{12}$ and $V_2 = |\psi'\rangle_{34} = U(X_2 \oplus Y_2)^{(4)} |\psi\rangle_{34}$, $B_1$ can obtain $X_1 \oplus Y_1$ and $X_2 \oplus Y_2$ by comparing $V_1$ and $V_2$ with the original states $|\phi^+\rangle_{12}$ and $|\phi^+\rangle_{34}$. If $X_i \oplus Y_i \neq C_i \oplus K_i \oplus Y_i$, $B_1$ can conclude that $X_i \oplus K_i$ has been modified before $M_1$ and the modification of data occurs in the channel $D_i$. Otherwise, $B_1$ can confirm that the modification of data occurs in the channels $F$, $G_1$, $G_2$ instead of $D_1$ and $D_2$. If the intermediate node $M_2$ is also a trusted node, we can further locate with accuracy in which channel of $F$, $G_1$, $G_2$ the modification occurs.
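
The detection and localization logic of Propositions 7.4 and 7.5 at the level of the classical bits, as an added example (not code from the book). It assumes the signature particles arrive untampered, so each Bell-state comparison is represented by the 2-bit value it yields, and a channel $D_i$ is reported when the value decoded from $V_i$ differs from $C_i \oplus K_i \oplus Y_i$; the keys, data values and function names are constructed for illustration.

```python
# Constructed sample keys shared between the senders and the receivers.
SAMPLE_KEYS = {"Y1": 0b10, "Y2": 0b01, "K1": 0b11, "K2": 0b10}


def sender(x, y, k):
    """A_i's outputs: C_i = X_i xor K_i for the classical channel, and the value
    X_i xor Y_i that its signature U(X_i xor Y_i)|psi>_{2i} encodes."""
    return x ^ k, x ^ y


def verify(e, z, keys):
    """Step 9 at B_1: rebuild X1^Y1^X2^Y2 from the received bits e, compare with Z."""
    return (e ^ keys["K1"] ^ keys["K2"] ^ keys["Y1"] ^ keys["Y2"]) == z


def locate(record, keys):
    """Proposition 7.5: check M_1's record {C1, C2, V1, V2} channel by channel."""
    bad = [f"D{i}" for i in (1, 2)
           if record[f"V{i}"] != (record[f"C{i}"] ^ keys[f"K{i}"] ^ keys[f"Y{i}"])]
    return bad or ["F/G1/G2"]


def transmit(x1, x2, keys, tamper=None):
    """Run one round; tamper = (channel, mask) xors mask into that channel's bits.

    Returns (accepted, suspects); suspects is None when verification passes."""
    channel, mask = tamper or (None, 0)
    c1, v1 = sender(x1, keys["Y1"], keys["K1"])
    c2, v2 = sender(x2, keys["Y2"], keys["K2"])
    if channel == "D1":
        c1 ^= mask
    if channel == "D2":
        c2 ^= mask
    record = {"C1": c1, "C2": c2, "V1": v1, "V2": v2}  # kept by the trusted M_1
    e = c1 ^ c2                                        # sent on F, then G1/G2
    if channel in ("F", "G1", "G2"):
        e ^= mask
    z = v1 ^ v2                                        # value of the homomorphic signature
    accepted = verify(e, z, keys)
    return accepted, (None if accepted else locate(record, keys))


if __name__ == "__main__":
    for case in (None, ("D2", 0b10), ("F", 0b01), ("D1", 0b00)):
        print(case, "->", transmit(0b01, 0b11, SAMPLE_KEYS, case))
```

The last case uses a zero mask, which leaves the bits unchanged and therefore passes verification, matching Case 1 of Proposition 7.4.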

7.3 Summary

In this chapter, to verify the identity of different data sources in the quantum network, we introduced a quantum homomorphic signature scheme based on entanglement swapping. In this scheme, any attacker who attempts to falsify the data would be found. Security analysis shows that this scheme can effectively guarantee the security of secret keys and verify the identity of different data sources in the quantum network.

Then we provided a quantum network coding scheme with message authentication which can effectively defend against pollution attacks. Compared to a quantum network coding scheme with ordinary signature, this scheme consumes fewer quantum particles, while the rate region of the scheme declines due to the attachment of signatures. Pollution attacks can only be detected at sink nodes so far. If pollution attacks can be detected immediately at intermediate nodes, the scheme will be more efficient and consume fewer resources.

References

1. Johnson, R., Molnar, D., Song, D., et al.: Homomorphic signature schemes. Top Cryptol CT-RSA
2271, 244–262 (2002)
2. Lu, H., Guo, G.: Teleportation of a two-particle entangled state via entanglement swapping.
Phys. Lett. A 276(5), 209–212 (2000)
3. Shang, T., Zhao, X.J., Wang, C., et al.: Quantum homomorphic signature. Quantum Inf. Process.
14(1), 393–410 (2015)
4. Yu, Z., Wei, Y., Ramkumar, B.: An efficient signature-based scheme for securing network coding
against pollution attacks. In: IEEE International Conference on Computer Communications
(ICCC), pp. 1409–1417
5. Boneh, D., Freeman, D., Katz, J., et al.: Signing a linear subspace: signature schemes for network
coding. Public Key Cryptogr. 68–87 (2009)
6. Ljunggren, D., Bourennane, M., Karlsson, A.: Authority-based user authentication in quantum
key distribution. Phys. Rev. A 62(2), 1–7 (2000)
7. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding with
modification. Phys. Rev. A 76(4), 538–538 (2007)
8. Shang, T., Pei, Z., Liu, J.W.: Quantum network coding against pollution attacks. IEEE Commun.
Lett. 20(7), 1369–1372 (2016)
Chapter 8
Continuous-Variable Quantum Network Coding

Considering the practical advantage of continuous variables, in this chapter, we introduce continuous-variable quantum network coding (CVQNC) schemes. Basic operations are provided. To verify the identity of different data sources in a quantum network, we introduce a continuous-variable quantum homomorphic signature scheme. It is based on continuous-variable entanglement swapping and provides additive and subtractive homomorphism.

8.1 Continuous-Variable Quantum Network Coding Using Coherent States

8.1.1 Advantage of Continuous Variables

Depending on whether a quantum system has a discrete or a continuous spectrum, quantum information can be classified into two categories, namely discrete variables and continuous variables. Discrete variables denote quantum variables of a finite-dimensional Hilbert space, such as the polarization of single photons. Continuous variables denote quantum variables of an infinite-dimensional Hilbert space, such as the amplitude and phase quadratures of an optical field. The existing quantum network coding schemes can be called discrete-variable quantum network coding (DVQNC) schemes, since they use discrete variables as the information carrier for QNC. These schemes encode discrete information on single photons, which are difficult to prepare and detect. As a result, the cost of a discrete-variable quantum communication system is rather high. The transmission rate is also very low because many vacuum pulses are generated when single photons are prepared. From a conceptual point of view, it is illuminating to consider continuous variables in quantum network coding. This includes the extension of quantum communication protocols from discrete to continuous variables and hence from finite to infinite dimensions. The main motivation for dealing with quantum information with continuous variables originates in a more practical observation: the essential steps in quantum communication protocols, such as preparing, unitarily manipulating, and measuring quantum states, are efficiently achievable in quantum optics by utilizing continuous quadrature amplitudes of the quantized electromagnetic field [1]. Moreover, physical observables of continuous-variable quantum states can be modulated with continuous classical characters, which allows the quantum states to carry more information. So continuous-variable quantum network coding (CVQNC), which uses continuous variables as the information carrier for QNC, is a very meaningful direction for quantum communication from the perspective of efficiency and practicability.
Towards possible applications in quantum communication, both theoretical and experimental investigations increasingly focus on continuous variables. The first continuous-variable quantum teleportation scheme was proposed by Vaidman in 1994 [2]. Since then, the study of continuous quantum variables has attracted much interest. The appearance of technologies such as continuous-variable quantum key distribution (CVQKD) [3–5], continuous-variable quantum information processing [6, 7], continuous-variable quantum cloning [8–10], and continuous-variable quantum signature [11] provides sufficient technical support for the design of CVQNC. In particular, an important part of continuous-variable research focuses on coherent states. In 2000, Cerf et al. [8] proposed a Gaussian cloning machine that works optimally with coherent states. After that, optical implementations of continuous-variable cloning machines for coherent states [9, 10] were proposed. In 2002, Grosshans et al. [5] proposed a CVQKD scheme using coherent states. In 2004, Weedbrook et al. [12] proposed a CVQKD scheme using coherent states without switching the measurement bases. In 2010, Zavatta et al. [13] designed a high-fidelity noiseless amplifier for coherent states. Coherent states are widely used by virtue of their good characteristics. Firstly, they can be easily generated. Secondly, coherent states are minimum-uncertainty states that satisfy equality in the Heisenberg uncertainty relation, so their characteristics are close to those of classical optical fields. Optimal results can be obtained by applying some continuous-variable quantum operations, such as Gaussian cloning, to coherent states.
As the present DVQNC schemes have a low transmission rate and a high implementation cost, the utilization of continuous variables can be taken into account to improve the performance of quantum communication networks. Concretely, coherent states are used at source nodes as the information carrier. The amplitude and phase quadratures of coherent states are modulated with classical characters so as to greatly improve the transmission rate. Furthermore, extra resources such as free classical communication and pre-shared entanglement can be used to obtain a high fidelity. Considering the practical advantage of continuous variables, two feasible continuous-variable quantum network coding (CVQNC) schemes were proposed [14].
In the quantum setting, the famous no-cloning theorem forbids the copying operation, and there is no obvious way to encode quantum states. Are there any quantum counterparts for these key operations? Hayashi et al. [15] give a positive answer to this question in the XQQ scheme. We now need to find the continuous-variable counterparts of these operations for CVQNC.

8.1.2 Continuous-Variable Quantum Cloning

Copying is a basic operation in classical network coding schemes. For continuous-variable counterparts, approximate cloning schemes are used to simulate the copying operation. A Gaussian cloning machine for continuous quantum variables was proposed in 2000 [8]. It copies the states of two conjugate variables, such as the amplitude and phase quadratures, with equal accuracy. When the input is a coherent state, the maximal fidelity of 2/3 can be reached. In 2001, Grosshans and Grangier [16] proved that the fidelity limit for 1 → 2 continuous-variable quantum cloning is 2/3, which can be reached in the case of ideal Gaussian cloning for coherent states. Here and throughout, the N → M cloning machine is defined as an operator that can prepare M identical replicas of N available copies. After that, some optical implementation schemes of the Gaussian cloning machine were designed. Fiurasek [9] constructed an N → M symmetric Gaussian cloner and designed a class of 1 → 2 asymmetric Gaussian cloners explicitly. Andersen et al. [10] demonstrated an optical implementation of the Gaussian cloning machine for coherent states by using linear optical elements and homodyne detection. The experimental fidelity almost reached the ideal value of 2/3.
The Gaussian cloning machine is defined as the unitary transformation $\hat{U}_{2,3,4} = e^{-i(\hat{x}_4 - \hat{x}_3)\hat{p}_2}\, e^{-i\hat{x}_2(\hat{p}_3 + \hat{p}_4)}$ acting on one input state and two auxiliary states, which are labeled as states 2, 3, and 4. x̂ and p̂ are the position and momentum operators, respectively. A reference state (state 1) maximally entangled with the input is also introduced to simplify the analysis. The maximally entangled state is defined as

$$|\psi(x, p)\rangle_{A,B} = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{\infty} dx'\, e^{ipx'}\, |x'\rangle_A\, |x' + x\rangle_B ,$$

where x and p are real parameters and the subscripts A and B denote different states.
Assume that the reference state 1 and the input state 2 are in the joint state $|\psi(0, 0)\rangle_{1,2}$ and the auxiliary states 3 and 4 are prepared in the state

$$|\chi\rangle_{3,4} = \iint_{-\infty}^{\infty} dx\, dp\, f(x, p)\, |\psi(x, -p)\rangle_{3,4} ,$$

where f(x, p) is a complex amplitude function. After applying the cloning transformation $\hat{U}_{2,3,4}$, the result is

$$\iint_{-\infty}^{\infty} dx\, dp\, f(x, p)\, |\psi(x, p)\rangle_{1,2}\, |\psi(x, -p)\rangle_{3,4} . \tag{8.1}$$

The first copy $\hat{\rho}_a = \iint_{-\infty}^{\infty} dx\, dp\, P_a(x, p)\, |\psi(x, p)\rangle\langle\psi(x, p)|$ will be obtained by tracing over states 3 and 4. It is affected by an error distribution of $P_a(x, p) = |f(x, p)|^2$.
By exchanging states 2 and 3, Eq. 8.1 can be represented as

$$\iint_{-\infty}^{\infty} dx\, dp\, g(x, p)\, |\psi(x, p)\rangle_{1,3}\, |\psi(x, -p)\rangle_{2,4} ,$$

where $g(x, p) = \frac{1}{2\pi} \iint_{-\infty}^{\infty} dx'\, dp'\, e^{i(px' - xp')} f(x', p')$.
Similarly, the second copy $\hat{\rho}_b$ can be obtained by tracing over states 2 and 4. It is affected by an error distribution of $P_b(x, p) = |g(x, p)|^2$.
In order to construct a symmetric cloner, f(x, p) is chosen to be $f(x, p) = e^{-(x^2 + p^2)/2} / \sqrt{\pi}$ so that the symmetric requirement $|f(x, p)|^2 = |g(x, p)|^2$ can be satisfied. In this case, the variances of the position and momentum error of the two copies are the same, namely $\langle(\Delta x_a)^2\rangle = \langle(\Delta p_a)^2\rangle = \langle(\Delta x_b)^2\rangle = \langle(\Delta p_b)^2\rangle$.
Assume that the input is an arbitrary state $|\xi\rangle$, then applying the Gaussian cloning machine to the state $|\xi\rangle$ results in

$$\hat{\rho} = \iint_{-\infty}^{\infty} dx\, dp\, P(x, p)\, |\xi(x, p)\rangle\langle\xi(x, p)| , \tag{8.2}$$

where $|\xi(x, p)\rangle = \hat{D}(x, p)|\xi\rangle$. $\hat{D}(x, p)$ denotes the displacement operator parameterized by x and p, which displaces the momentum by p and then the position by x. Equation 8.2 shows that the output is a mixture of the displaced states, with x and p distributed according to a bivariate Gaussian distribution $P(x, p) = e^{-(x^2 + p^2)} / \pi$.
In fact, x̂ and p̂ can be any conjugate pair of quadratures such as the amplitude

8.1.3 Linear Optics for Continuous Variables

From the perspective of encoding and decoding, input states at intermediate nodes are combined or transformed in some way that is represented by a unitary operator. Some operators can be described by a unitary matrix, which can be implemented with linear optics. Furthermore, any network of linear optics can be described by the input–output relationship $\hat{a}_i' = \sum_j U_{ij}\, \hat{a}_j$, where U is an N × N unitary matrix with elements $U_{ij}$ when acting on N optical modes [1].
Although not all unitary operators can be implemented by linear optics such as
beam splitters and phase shifters, the linear-optics toolbox provides essential ways for
generation, manipulation, and measurement of continuous-variable quantum states,
which are sufficient to build a basic communication system.
Specifically, any unitary transformation acting on two modes can be denoted by the matrix [17]

$$U(2) = \begin{pmatrix} e^{-i(\phi+\delta)} \sin\theta & e^{-i\delta} \cos\theta \\ e^{-i(\phi+\delta')} \cos\theta & -e^{-i\delta'} \sin\theta \end{pmatrix} ,$$

which can be decomposed into a sequence of phase shifts and phase-free beam splitter rotations,

$$U(2) = \begin{pmatrix} e^{-i\delta} & 0 \\ 0 & e^{-i\delta'} \end{pmatrix} \begin{pmatrix} \sin\theta & \cos\theta \\ \cos\theta & -\sin\theta \end{pmatrix} \begin{pmatrix} e^{-i\phi} & 0 \\ 0 & 1 \end{pmatrix} . \tag{8.3}$$

The ideal phase-free beam splitter is described by the matrix with the parameter θ in Eq. 8.3. When θ = π/4, it becomes a 50:50 beam splitter and its outputs are $\frac{1}{\sqrt{2}}(\hat{a}_1 \pm \hat{a}_2)$. Thus, the addition and subtraction operations of inputs can be easily accomplished by a beam splitter.

8.1.4 Continuous-Variable Quantum Teleportation

Quantum teleportation is an important technique that can reliably transfer quantum information via a classical channel by means of shared entanglement. The idea of continuous-variable quantum teleportation was proposed by Vaidman [2]. Then a realistic implementation was proposed by Braunstein and Kimble [18]. The general procedure of continuous-variable teleportation is described as follows:
Step 1. Alice and Bob share two entangled optical modes $\hat{a}_1 = \hat{x}_1 + i\hat{p}_1$ and $\hat{a}_2 = \hat{x}_2 + i\hat{p}_2$. Alice combines her mode $\hat{a}_1$ with an input mode $\hat{a}_{in}$ at a 50:50 beam splitter, obtaining $\hat{x}_u = (\hat{x}_{in} - \hat{x}_1)/\sqrt{2}$ and $\hat{p}_v = (\hat{p}_{in} + \hat{p}_1)/\sqrt{2}$, which are measured by means of Bell detection. Alice then sends her measurement results $x_u$ and $p_v$ to Bob.
Step 2. After receiving $x_u$ and $p_v$, Bob displaces his mode $\hat{a}_2$,

$$\begin{cases} \hat{x}_2 \to \hat{x}_{tel} = \hat{x}_2 + \sqrt{2}\,\hat{x}_u = \hat{x}_{in} + \hat{x}_2 - \hat{x}_1 \\ \hat{p}_2 \to \hat{p}_{tel} = \hat{p}_2 + \sqrt{2}\,\hat{p}_v = \hat{p}_{in} + \hat{p}_2 + \hat{p}_1 \end{cases} ,$$

thus accomplishing the teleportation.


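Entanglement can be prepared by squeezing two vacuum states:

$$\begin{cases} \hat{x}_1 = (e^{r} \hat{x}_1^{(0)} + e^{-r} \hat{x}_2^{(0)})/\sqrt{2} \\ \hat{p}_1 = (e^{-r} \hat{p}_1^{(0)} + e^{r} \hat{p}_2^{(0)})/\sqrt{2} \\ \hat{x}_2 = (e^{r} \hat{x}_1^{(0)} - e^{-r} \hat{x}_2^{(0)})/\sqrt{2} \\ \hat{p}_2 = (e^{-r} \hat{p}_1^{(0)} - e^{r} \hat{p}_2^{(0)})/\sqrt{2} \end{cases} , \tag{8.4}$$
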
where the superscript (0) denotes vacuum state and r is the squeezing parameter.
According to Eq. 8.4, when r → ∞, it is calculated that x̂2 = x̂in and p̂2 = p̂in .
Teleportation realizes the transmission of quantum states with only classical communication. As long as Bob receives the same classical message as Alice sent, he can obtain a quantum state with a high fidelity. So teleportation is more reliable compared with the direct quantum transmission, in which quantum states may be attenuated or affected by noise in quantum channels. By virtue of reliability, teleportation is utilized to design quantum network coding schemes. A paradigm is the PE scheme proposed by Hayashi [19]. Furthermore, by utilizing continuous-variable teleportation, a continuous-variable quantum network coding scheme can be constructed.

8.1.5 CVQNC Scheme Using Approximate Operations

According to the characteristics of coherent states, we provide the basic operations of copying and coding, as well as a basic continuous-variable quantum network coding scheme.
A. Basic operations
(1) Gaussian Cloning (GC)

The Gaussian cloning machine, which was briefly introduced in Sect. 8.1.2, can be used as the copying operation for coherent states. The input coherent state is denoted by $|\alpha_0\rangle$, then the output of GC is

$$\hat{\rho} = \int d^2\alpha\, G(\alpha)\, |\alpha_0 + \alpha\rangle\langle\alpha_0 + \alpha| ,$$

where the displacement error α = x + ip is composed of the position error x and the phase error p. x and p obey the bivariate Gaussian distribution with zero mean and a variance of 1/4, i.e., $P(x, p) = \frac{2}{\pi} \exp[-2(x^2 + p^2)]$. So the distribution function of α is $G(\alpha) = \frac{2}{\pi} \exp(-2|\alpha|^2)$. We can calculate the fidelity of the Gaussian cloner as follows:

$$f = \langle\alpha_0|\hat{\rho}|\alpha_0\rangle = \frac{2}{\pi} \int d^2\alpha\, e^{-3|\alpha|^2} = \frac{2}{3} .$$

(2) ADD/SUB operators

After two single-mode states $|\alpha_1\rangle = |x_1 + ip_1\rangle$ and $|\alpha_2\rangle = |x_2 + ip_2\rangle$ are mixed on a 50:50 beam splitter, the transformation of Eq. 8.5 can be performed.

$$\begin{cases} \hat{x}_1 \to \hat{x}_1' = (\hat{x}_1 - \hat{x}_2)/\sqrt{2} \\ \hat{p}_1 \to \hat{p}_1' = (\hat{p}_1 - \hat{p}_2)/\sqrt{2} \\ \hat{x}_2 \to \hat{x}_2' = (\hat{x}_1 + \hat{x}_2)/\sqrt{2} \\ \hat{p}_2 \to \hat{p}_2' = (\hat{p}_1 + \hat{p}_2)/\sqrt{2} \end{cases} \tag{8.5}$$

As shown in Fig. 8.1, the add and subtract states of the inputs can be obtained by amplifying $(\hat{x}_1', \hat{p}_1')$ and $(\hat{x}_2', \hat{p}_2')$, respectively. Let the inputs be mixed at the 50:50 beam splitter BS. According to the desired operation, one of the output beams of BS is chosen as the input of the noiseless linear amplifier (NLA). After the amplification process with a factor $g = \sqrt{2}$, the desired state $|\alpha_+\rangle = |\alpha_1 + \alpha_2\rangle$ or $|\alpha_-\rangle = |\alpha_1 - \alpha_2\rangle$ is obtained. Generally, we can use $|\alpha_\pm\rangle$ to represent the output of ADD/SUB operators.

Fig. 8.1 Diagram of ADD/SUB operators

Thereby, we can define the ADD operator as $ADD(|\alpha_1\rangle, |\alpha_2\rangle) = |(x_1 + x_2) + i(p_1 + p_2)\rangle$ and the SUB operator as $SUB(|\alpha_1\rangle, |\alpha_2\rangle) = |(x_1 - x_2) + i(p_1 - p_2)\rangle$.
Theorem 1 The ADD operator and the SUB operator can be applied to encode and decode coherent states, respectively.

Proof During the encoding process, two input coherent states are $|\alpha_1\rangle = |x_1 + ip_1\rangle$ and $|\alpha_2\rangle = |x_2 + ip_2\rangle$. By applying the ADD operator to them, we obtain the encoded state $|\alpha_E\rangle = ADD(|\alpha_1\rangle, |\alpha_2\rangle) = |(x_1 + x_2) + i(p_1 + p_2)\rangle$.
During the decoding process, by applying the SUB operator to $|\alpha_E\rangle$ and $|\alpha_2\rangle$, we obtain the decoded state $|\alpha_D\rangle = SUB(|\alpha_E\rangle, |\alpha_2\rangle) = |x_1 + ip_1\rangle = |\alpha_1\rangle$. Similarly, the decoded state will be $|\alpha_2\rangle$ if $|\alpha_E\rangle$ and $|\alpha_1\rangle$ are the inputs to the SUB operator. So one of the inputs to the ADD operator can be decoded by the SUB operator if we have the other input.

B. Basic scheme
The network setting is presented in Fig. 8.2. It is based on the butterfly network with all-quantum channels. Source nodes $s_1$ and $s_2$ simultaneously send quantum states to target nodes $t_1$ and $t_2$. $r_1$ and $r_2$ are two intermediate nodes. Quantum states are encoded at $r_1$ and decoded at $t_1$ and $t_2$. The rest of the nodes only need to clone the quantum states they have received and send the replicas to subsequent nodes. To achieve the maximal cloning fidelity, we use coherent states as the information carrier. The coherent states at $s_1$ and $s_2$ are denoted by $|\alpha_A\rangle = |x_A + ip_A\rangle$ and $|\alpha_B\rangle = |x_B + ip_B\rangle$, respectively.

Fig. 8.2 CVQNC scheme using approximate operations

The scheme is described as follows:
Step 1. $s_1$ and $s_2$ apply the GC operator to $|\alpha_A\rangle$ and $|\alpha_B\rangle$. The resulting states are $\{Q_1, Q_2\} = GC(|\alpha_A\rangle)$ and $\{Q_3, Q_4\} = GC(|\alpha_B\rangle)$. $s_1$ sends $Q_1$ to $t_2$ and $Q_2$ to $r_1$. $s_2$ sends $Q_3$ to $r_1$ and $Q_4$ to $t_1$.
Step 2. Encoding phase. $r_1$ applies the ADD operator to the quantum states it has received and then sends the result $Q_5 = ADD(Q_2, Q_3) = |\alpha_A + \alpha_B\rangle$ to $r_2$.
Step 3. $r_2$ applies the GC operator to $Q_5$ and sends the replicas $\{Q_6, Q_7\} = GC(Q_5)$ to $t_2$ and $t_1$, respectively.
Step 4. Decoding phase. $t_1$ and $t_2$ apply the SUB operator to the quantum states they have received. The resulting states are $\hat{\rho}_A^{out} = SUB(Q_7, Q_4) = |\alpha_A\rangle$ and $\hat{\rho}_B^{out} = SUB(Q_6, Q_1) = |\alpha_B\rangle$.
Thereby, this scheme can successfully transmit two coherent states across the butterfly network by a single network use. Meanwhile, quantum states are not transmitted perfectly due to the noise introduced by the approximate Gaussian cloning.


C. Fidelity
For the CVQNC scheme, we need to assess the resemblance of quantum states between target node and source node by means of fidelity. For an arbitrary input state $|\phi_{in}\rangle$, a fidelity F is defined as [20]

$$F \equiv \langle\phi_{in}|\hat{\rho}_{out}|\phi_{in}\rangle ,$$

where $\hat{\rho}_{out}$ is the density operator of the output state.

Theorem 2 With ideal ADD/SUB operators, the fidelity F of the CVQNC scheme using approximate operations is 1/2.
Proof We consider the fidelity between the coherent states at both ends of the link $s_1 \to t_1$ when the ADD/SUB operators are ideal. The relationship between the variances of the inputs $|\alpha_1\rangle$, $|\alpha_2\rangle$ and the output $|\alpha_\pm\rangle$ is

$$\begin{cases} \Delta^2 x_\pm = \Delta^2 x_1 = \Delta^2 x_2 \\ \Delta^2 p_\pm = \Delta^2 p_1 = \Delta^2 p_2 \end{cases} ,$$

which indicates that quantum fluctuations will not be amplified during this operation.
After the GC operation at $s_1$, the replicas of $|\alpha_A\rangle$ are

$$\{Q_1, Q_2\} = \int d^2\alpha\, G(\alpha)\, |\alpha_A + \alpha\rangle\langle\alpha_A + \alpha| ,$$

where the displacement error α obeys a Gaussian distribution of $G(\alpha) = \frac{2}{\pi} \exp(-2|\alpha|^2)$.
Similarly, after the GC operation at $s_2$, the replicas of $|\alpha_B\rangle$ are

$$\{Q_3, Q_4\} = \int d^2\alpha\, G(\alpha)\, |\alpha_B + \alpha\rangle\langle\alpha_B + \alpha| .$$

By applying the ideal ADD operation to $Q_2$ and $Q_3$ at $r_1$, we obtain the quantum state of

$$Q_5 = \int d^2\beta\, G(\beta)\, |\alpha_A + \alpha_B + \beta\rangle\langle\alpha_A + \alpha_B + \beta| ,$$

where β has the same distribution as α. After the GC operation at $r_2$, the replicas of $Q_5$ are

$$\{Q_6, Q_7\} = \int d^2\gamma\, G(\gamma) \int d^2\beta\, G(\beta)\, |\alpha_A + \alpha_B + \beta + \gamma\rangle\langle\alpha_A + \alpha_B + \beta + \gamma| ,$$

where γ has the same distribution as α, i.e., $G(\gamma) = \frac{2}{\pi} \exp(-2|\gamma|^2)$.
After the ideal SUB operator at $t_1$, the output becomes

$$\hat{\rho}_A^{out} = \int d^2\lambda\, G(\lambda) \int d^2\beta\, G(\beta)\, |\alpha_A + \beta + \lambda\rangle\langle\alpha_A + \beta + \lambda| ,$$

where λ has the same distribution as α.
By using the property of coherent states, namely $|\langle\alpha|\alpha'\rangle|^2 = \exp(-|\alpha - \alpha'|^2)$, it is easy to calculate the fidelity of the link $s_1 \to t_1$ as follows:

$$F_A = \langle\alpha_A|\hat{\rho}_A^{out}|\alpha_A\rangle = \frac{4}{\pi^2} \int d^2\lambda\, d^2\beta\, e^{-(2|\beta|^2 + 2|\lambda|^2 + |\beta + \lambda|^2)} = \frac{1}{2} .$$

According to symmetry, the fidelity of the link $s_2 \to t_2$ is also 1/2. Therefore, the fidelity F of the first CVQNC scheme is proved to be 1/2 with ideal ADD/SUB operators.
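
The two fidelity values above (2/3 for one Gaussian cloner, 1/2 for the link s1 → t1) can be checked numerically by sampling displacement errors from G(α). The Python code below is an added example, not code from the book; going beyond the text, it handles k independent error terms, for which the same Gaussian integral gives F_k = 2/(2 + k). The function names and the sample input amplitude are assumptions made for illustration.

```python
import math
import random

# G(alpha) = (2/pi) exp(-2|alpha|^2): zero mean, variance 1/4 per quadrature.
CLONE_STD = 0.5


def overlap(alpha, beta):
    """|<alpha|beta>|^2 for two coherent states (property used in the proof)."""
    return math.exp(-abs(alpha - beta) ** 2)


def cloning_error(rng):
    """One complex displacement error alpha = x + ip drawn from G(alpha)."""
    return complex(rng.gauss(0.0, CLONE_STD), rng.gauss(0.0, CLONE_STD))


def simulated_fidelity(alpha_in, k, samples=100_000, seed=11):
    """Average overlap between |alpha_in> and the state shifted by k errors.

    k = 1 is a single Gaussian cloner; k = 2 is the output at t1 in the proof
    of Theorem 2, whose displacement is beta + lambda.
    """
    rng = random.Random(seed)
    acc = 0.0
    for _ in range(samples):
        received = alpha_in + sum((cloning_error(rng) for _ in range(k)), 0j)
        acc += overlap(alpha_in, received)
    return acc / samples


def closed_form_fidelity(k):
    """Gaussian integral for k independent errors.

    The summed error has variance k/4 per quadrature and, for a zero-mean
    Gaussian x, E[exp(-x^2)] = 1/sqrt(1 + 2 var), so F_k = 2 / (2 + k).
    """
    return 2.0 / (2.0 + k)


def max_error_terms(min_fidelity):
    """Largest k with F_k >= min_fidelity (0 if even one clone falls short)."""
    if not 0.0 < min_fidelity <= 1.0:
        raise ValueError("min_fidelity must be in (0, 1]")
    return max(0, math.floor(2.0 / min_fidelity - 2.0 + 1e-12))


if __name__ == "__main__":
    alpha_a = 1.5 + 0.5j  # constructed sample amplitude
    for k in (1, 2, 3, 4):
        print(k, round(simulated_fidelity(alpha_a, k), 4),
              round(closed_form_fidelity(k), 4))
```

The simulated value does not depend on the input amplitude, because only the displacement error enters the overlap.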

8.1.6 CVQNC Scheme with Prior Entanglement

For a higher fidelity, we provide a CVQNC scheme by utilizing prior entanglement shared between two source nodes.
A. Basic operations
(1) Bell detection
Bell detection [1] is analogous to the Bell measurement of the spin-1/2 particle pair. It can be accomplished by using a symmetric beam splitter and two homodyne detectors. One of the homodyne detectors measures the amplitude quadrature and the other measures the phase quadrature. As a result, input modes $|\alpha_1\rangle$ and $|\alpha_2\rangle$ can be projected onto the maximally entangled continuous-variable basis:

$$\begin{cases} \hat{x}_{out} = \frac{1}{\sqrt{2}}(\hat{x}_1 \pm \hat{x}_2) \\ \hat{p}_{out} = \frac{1}{\sqrt{2}}(\hat{p}_1 \mp \hat{p}_2) \end{cases} .$$

(2) Displacement
The displacement operator is $\hat{D}(\alpha) = \exp(\alpha\hat{a}^\dagger - \alpha^{*}\hat{a})$, where α is a complex number. $\hat{D}(\alpha)$ acts on a mode â and yields a displacement by α,

$$\hat{D}^\dagger(\alpha)\, \hat{a}\, \hat{D}(\alpha) = \hat{a} + \alpha .$$

$\hat{D}(\alpha)$ is a unitary operator, so $\hat{D}^\dagger(\alpha) = \hat{D}^{-1}(\alpha) = \hat{D}(-\alpha)$ can be used to offset the displacement yielded by $\hat{D}(\alpha)$.

Theorem 3 The Bell detection and the displacement operator can be used to encode and decode quantum states.

Proof During the encoding process, assume the input quantum state is $|x_{in} + ip_{in}\rangle$. We apply the Bell detection and obtain the measurement results $\alpha_1 = \frac{1}{\sqrt{2}}[(x_{in} - x_1) + i(p_{in} + p_1)]$, where $x_1$ and $p_1$ are quadratures of an ancilla. Then another ancilla $|x_2 + ip_2\rangle$ is displaced by $\sqrt{2}\alpha_1$, obtaining the encoded state

$$\begin{cases} \hat{x}_{encode} = \hat{x}_2 + \hat{x}_{in} - \hat{x}_1 \\ \hat{p}_{encode} = \hat{p}_2 + \hat{p}_{in} + \hat{p}_1 \end{cases} .$$

During the decoding process, the input state will be recovered as long as we find the complex number $\alpha_2 = (x_1 - x_2) - i(p_1 + p_2)$ and apply $\hat{D}(\alpha_2)$ to the encoded state.
It seems difficult to find the complex number $\alpha_2$ due to the uncertainty of $x_2$ and $p_2$, but they can be offset by using the intrinsic correlation of entanglement, as demonstrated in the teleportation scheme. Based on the basic operations of Bell detection and displacement, we design a CVQNC scheme utilizing pre-shared entanglement.
B. Basic scheme
The network setting is presented in Fig. 8.3. The scheme requires one optical mode transmission or one complex number transmission in the butterfly network. Two quantum states can be transmitted across by a single network use.
In the scheme, two source nodes $s_1$ and $s_2$ share two EPR pairs described by Wigner functions $W_{EPR}(\hat{x}_{11}, \hat{p}_{11}, \hat{x}_{12}, \hat{p}_{12})$ and $W_{EPR}(\hat{x}_{21}, \hat{p}_{21}, \hat{x}_{22}, \hat{p}_{22})$, of which the conjugate quadratures meet the correlation of Eq. 8.4 so that

$$\begin{cases} \hat{x}_{k1} - \hat{x}_{k2} = \sqrt{2}\, e^{-r}\, \hat{x}_2^{(0)} \\ \hat{p}_{k1} + \hat{p}_{k2} = \sqrt{2}\, e^{-r}\, \hat{p}_1^{(0)} \end{cases} , \quad k = 1, 2, \tag{8.6}$$

where $\hat{x}_2^{(0)}$ and $\hat{p}_1^{(0)}$ are quadratures of vacuum states and r is the squeezing parameter. $s_1$ has the first mode of the EPR pairs, namely $|x_{k1} + ip_{k1}\rangle$ (k = 1, 2), and $s_2$ has the second mode $|x_{k2} + ip_{k2}\rangle$ (k = 1, 2). $s_1$ and $s_2$ prepare their coherent states $|x_A + ip_A\rangle$ and $|x_B + ip_B\rangle$. $t_1$ and $t_2$ are target nodes.

Fig. 8.3 CVQNC scheme with prior entanglement

The scheme is described as follows:
Step 1. $s_1$ applies Bell detection and displacement. Mix $|x_A + ip_A\rangle$ and $|x_{21} + ip_{21}\rangle$ at a 50:50 beam splitter which performs the transformations:

$$\begin{cases} \hat{x}_A \to \hat{x}_1 = (\hat{x}_A - \hat{x}_{21})/\sqrt{2} \\ \hat{p}_A \to \hat{k}_1 = (\hat{p}_A - \hat{p}_{21})/\sqrt{2} \\ \hat{x}_{21} \to \hat{q}_1 = (\hat{x}_A + \hat{x}_{21})/\sqrt{2} \\ \hat{p}_{21} \to \hat{p}_1 = (\hat{p}_A + \hat{p}_{21})/\sqrt{2} \end{cases} .$$

Then $s_1$ measures the pair $(\hat{x}_1, \hat{p}_1)$ and displaces $|x_{11} + ip_{11}\rangle$ as

$$\begin{cases} \hat{x}_{11} \to \hat{x}_{11}' = \hat{x}_{11} - \sqrt{2}\,\hat{x}_1 \\ \hat{p}_{11} \to \hat{p}_{11}' = \hat{p}_{11} - \sqrt{2}\,\hat{p}_1 \end{cases} .$$

Measurement results $(x_1, p_1)$ are sent to $r_1$ as a complex number $x_1 + ip_1$ via a classical channel and mode $|x_{11}' + ip_{11}'\rangle$ is sent to $t_2$ via a quantum channel.
Similarly, the measurement results of $s_2$ are

$$\begin{cases} x_2 = (x_B - x_{12})/\sqrt{2} \\ p_2 = (p_B + p_{12})/\sqrt{2} \end{cases}$$

and the displaced mode $|x_{22}' + ip_{22}'\rangle$ is

$$\begin{cases} \hat{x}_{22}' = \hat{x}_{22} - \sqrt{2}\,\hat{x}_2 \\ \hat{p}_{22}' = \hat{p}_{22} - \sqrt{2}\,\hat{p}_2 \end{cases} .$$

$s_2$ sends $x_2 + ip_2$ to $r_1$ and $|x_{22}' + ip_{22}'\rangle$ to $t_1$.
Step 2. $r_1$ adds up the received classical numbers and sends the result $(x_1 + x_2) + i(p_1 + p_2)$ to $r_2$.
Step 3. $r_2$ copies the received classical message and sends replicas to $t_1$ and $t_2$.
Step 4. According to the received classical message, $t_k$ (k = 1, 2) displaces the quantum state $|\hat{x}_{k\oplus1,k\oplus1}' + i\hat{p}_{k\oplus1,k\oplus1}'\rangle$ as

$$\begin{cases} \hat{x}_{k\oplus1,k\oplus1}' \to \hat{x}_{k\oplus1,k\oplus1}' + \sqrt{2}(\hat{x}_1 + \hat{x}_2) \\ \hat{p}_{k\oplus1,k\oplus1}' \to \hat{p}_{k\oplus1,k\oplus1}' + \sqrt{2}(\hat{p}_1 + \hat{p}_2) \end{cases} .$$

By using Eq. 8.6 and setting r → ∞, $t_1$ and $t_2$ obtain $|x_A + ip_A\rangle$ and $|x_B + ip_B\rangle$, respectively.
C. Fidelity

Theorem 4 If the EPR pairs shared between two source nodes are ideal, i.e., perfectly correlated and maximally entangled, r → ∞, then the CVQNC scheme with prior entanglement can transmit two quantum states across perfectly by a single network use.

Proof Here we consider the quantum state at the target node $t_1$. The case of the target node $t_2$ will be the same for the reason of symmetry.
After step 1, the two quadratures of $|x_{22}' + ip_{22}'\rangle$ are

$$\begin{cases} \hat{x}_{22}' = \hat{x}_{22} - \hat{x}_B + \hat{x}_{12} \\ \hat{p}_{22}' = \hat{p}_{22} - \hat{p}_B - \hat{p}_{12} \end{cases} .$$

At $t_1$, $\hat{x}_{22}'$ is displaced as

$$\begin{aligned} \hat{x}_{22}' \to \hat{x}_{22}'' &= \hat{x}_{22}' + \sqrt{2}(\hat{x}_1 + \hat{x}_2) \\ &= \hat{x}_A - \hat{x}_{21} + \hat{x}_{22} \\ &= \hat{x}_A - \sqrt{2}\, e^{-r}\, \hat{x}_2^{(0)} . \end{aligned}$$

Similarly, $\hat{p}_{22}'$ is displaced as

$$\begin{aligned} \hat{p}_{22}' \to \hat{p}_{22}'' &= \hat{p}_{22}' + \sqrt{2}(\hat{p}_1 + \hat{p}_2) \\ &= \hat{p}_A + \hat{p}_{21} + \hat{p}_{22} \\ &= \hat{p}_A + \sqrt{2}\, e^{-r}\, \hat{p}_1^{(0)} . \end{aligned}$$

When r increases to infinity, the final quantum state at $t_1$ becomes $|\hat{x}_A + i\hat{p}_A\rangle$, which is the same as the quantum state sent by $s_1$. As a result, we can conclude that the CVQNC scheme with prior entanglement can successfully transmit two quantum states across perfectly by a single network use.
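
The algebra in this proof can be replayed numerically by sampling the quadratures of Eq. 8.4 and pushing them through Steps 1 to 4 of the scheme. The Python code below is an added example, not the authors' code; it assumes the convention â = x̂ + ip̂ with vacuum quadrature variance 1/4 and treats measured quadratures as samples of the Gaussian Wigner function, and all function names and sample amplitudes are illustrative. Under these assumptions the mean overlap at t1 is 1/(1 + e^(−2r)), which tends to 1 as r → ∞.

```python
import math
import random

SQRT2 = math.sqrt(2.0)
VACUUM_STD = 0.5  # assumption: a = x + ip, so each vacuum quadrature has variance 1/4


def epr_pair(r, rng):
    """Sample one EPR pair from two vacuum modes squeezed by r (Eq. 8.4).

    Returns (x1, p1), (x2, p2) and the vacuum samples (x2^(0), p1^(0)) that
    set the residual correlations of Eq. 8.6.
    """
    x10, x20, p10, p20 = (rng.gauss(0.0, VACUUM_STD) for _ in range(4))
    up, down = math.exp(r), math.exp(-r)
    mode1 = ((up * x10 + down * x20) / SQRT2, (down * p10 + up * p20) / SQRT2)
    mode2 = ((up * x10 - down * x20) / SQRT2, (down * p10 - up * p20) / SQRT2)
    return mode1, mode2, (x20, p10)


def bell_detect_and_displace(signal, measured_mode, kept_mode):
    """Step 1 at a source: Bell detection, then displacement of the kept mode."""
    x = (signal.real - measured_mode[0]) / SQRT2
    p = (signal.imag + measured_mode[1]) / SQRT2
    displaced = complex(kept_mode[0] - SQRT2 * x, kept_mode[1] - SQRT2 * p)
    return complex(x, p), displaced


def run_network(alpha_a, alpha_b, r, rng):
    """One network use; returns the states at t1 and t2 plus the vacuum samples."""
    m11, m12, vac1 = epr_pair(r, rng)  # pair k = 1: s1 holds mode 11, s2 holds 12
    m21, m22, vac2 = epr_pair(r, rng)  # pair k = 2: s1 holds mode 21, s2 holds 22
    c1, to_t2 = bell_detect_and_displace(alpha_a, m21, m11)  # at s1
    c2, to_t1 = bell_detect_and_displace(alpha_b, m12, m22)  # at s2
    total = c1 + c2          # Step 2: r1 adds; Step 3: r2 copies to t1 and t2
    shift = SQRT2 * total    # Step 4: displacement applied at both targets
    return to_t1 + shift, to_t2 + shift, vac1, vac2


def mean_fidelity(r, samples=50_000, seed=7,
                  alpha_a=1.5 + 0.5j, alpha_b=-0.7 + 2.0j):
    """Average overlap exp(-|error|^2) between the state at t1 and |alpha_A>."""
    rng = random.Random(seed)
    acc = 0.0
    for _ in range(samples):
        out_t1, _, _, _ = run_network(alpha_a, alpha_b, r, rng)
        acc += math.exp(-abs(out_t1 - alpha_a) ** 2)
    return acc / samples


def expected_fidelity(r):
    """Closed form for this noise model: residual variance exp(-2r)/2 per quadrature."""
    return 1.0 / (1.0 + math.exp(-2.0 * r))


if __name__ == "__main__":
    for r in (0.0, 0.5, 1.0, 2.0):
        print(f"r={r:.1f}  simulated={mean_fidelity(r):.4f}  "
              f"closed form={expected_fidelity(r):.4f}")
```

With r = 0 (no entanglement) the mean overlap falls to 1/2, the same value as the scheme using approximate operations.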

8.1.7 Performance Analysis

A. Network throughput
Network throughput is an important criterion for evaluating the performance of network coding schemes. As aforementioned, continuous variables are quantum variables of an infinite-dimensional Hilbert space. Compared with the two-dimensional discrete variables frequently used in the conventional DVQNC schemes, such as the polarization of single photons, continuous variables can carry much more information. As a result, the CVQNC schemes are supposed to have larger network throughput than the DVQNC schemes.

Theorem 5 Assume that a coherent state $|x + ip\rangle$ is modulated with classical characters, i.e., x, p ∈ {0, 1, ..., N − 1}, then each target node can receive $4\log_2 N$ bits of classical information by a single network use when applying the CVQNC scheme using approximate operations.

Proof When the classical character set for modulation has N elements, each character contains $\log_2 N$ bits of information. As described in Sect. 8.1.5, each target node receives two coherent states by a single network use, which contain four classical characters, i.e., $4\log_2 N$ bits.

Theorem 6 Assume that a coherent state $|x + ip\rangle$ is modulated with classical characters, i.e., x, p ∈ {0, 1, ..., N − 1}, then each target node can receive $2\log_2 N$ bits of classical information by a single network use when applying the CVQNC scheme with prior entanglement.

Proof In the CVQNC scheme with prior entanglement, each target node receives one coherent state with a fidelity of 1. As mentioned in Theorem 5, each quadrature of a coherent state contains $\log_2 N$ bits of classical information, so each target node receives $2\log_2 N$ bits.


As a matter of fact, coherent states are nonorthogonal, which means they cannot be perfectly distinguished to yield the ideal entropy calculated in Theorems 5 and 6. The square of the inner product of two arbitrary coherent states $|\alpha\rangle$ and $|\beta\rangle$ is

$$|\langle\beta|\alpha\rangle|^2 = e^{-|\alpha - \beta|^2} . \tag{8.7}$$

Equation 8.7 shows that coherent states $|\alpha\rangle$ and $|\beta\rangle$ are approximately orthogonal when $|\alpha - \beta| \gg 1$, so they can be measured by heterodyne detection with high accuracy. The condition $|\alpha - \beta| \gg 1$ requires the elements of the classical character set to have large values, which may be impractical for implementation.
It is necessary to explore how to discriminate nonorthogonal states. There are mainly two types of discrimination, namely minimum error discrimination (MED) and unambiguous state discrimination (USD). MED is a measurement that minimizes the probability of erroneously identifying the quantum states, while USD is a measurement that maximizes the probability of conclusively identifying the quantum states. In 1999, Banaszek [21] proposed a USD scheme that discriminates two arbitrary coherent states with an inconclusive probability of $P_{inc} = \exp(-|\alpha_1 - \alpha_2|^2)$. Then van Enk [22] proposed a USD scheme that optimally discriminates multiple coherent states in the limit of small amplitudes. Finding a scheme for optimally discriminating coherent states with any input amplitudes becomes an open problem. Both MED and USD schemes are explored to discriminate four coherent states [23, 24], which are not optimal but can outperform heterodyne detection. In 2014, da Silva et al. [25] proposed an MED scheme for optimal discrimination of M coherent states.
To achieve the theoretical throughput of the CVQNC schemes, we need careful selection of the classical character set, as well as the measurement scheme.
B. Performance comparison
The performance comparison among the CVQNC schemes, the XQQ scheme [15] and the PE scheme [19] is listed in Table 8.1.

Table 8.1 Performance comparison among our CVQNC schemes, XQQ and PE

| Item | All-quantum channels: CVQNC using approximate operations | All-quantum channels: XQQ | Quantum-classical channels: CVQNC with prior entanglement | Quantum-classical channels: PE |
|---|---|---|---|---|
| Fidelity | 1/2 | Strictly larger than 1/2 | 1 | 1 |
| Classical network throughput | 4 log2 N bits | 2 bits | 2 log2 N bits | 1 bit |

The DVQNC schemes transmit orthogonal quantum states of a two-dimensional Hilbert space, namely $|0\rangle$ and $|1\rangle$. Two quantum states can be discriminated by measurement, of which the measurement results are 0 and 1. To compare the transmission performance of the CVQNC schemes with the DVQNC schemes, we suppose the DVQNC schemes are also used to transmit classical information. As mentioned in Theorems 5 and 6, we use the quadratures of a coherent state to carry classical characters 0, 1, ..., N − 1. Similarly, we can use qubits $|0\rangle$ and $|1\rangle$ to carry classical bits 0 and 1, respectively. In this case, the information of one qubit can be the same as that of one bit. Then the network throughput of the DVQNC schemes can be calculated in terms of classical bits. As a result, the network throughput between CVQNC and DVQNC schemes is comparable. Table 8.1 shows that the CVQNC schemes have a great advantage in improving network throughput.
Although the fidelity of the first scheme using all-quantum channels is relatively low, we can utilize extra resources such as pre-shared entanglement and free classical communication to improve the fidelity, as demonstrated in the second scheme. Since the efficient implementation of essential operators for continuous variables is available in quantum optics, CVQNC systems are more practical to construct.

8.1.8 Discussion

A. Practical influence on network throughput


During propagation, signals would be affected by noise in the channel, so the network throughput of the CVQNC schemes might be reduced due to practical imperfections.
(1) Practical model of quantum channels
In the quantum setting, the decoherence process is an analogy to classical noise. There are mainly two forms of decoherence, namely quantum diffusion and amplitude damping. Quantum diffusion, which leads to phase-space displacements, can be well modeled by the Pauli channel [26]. Amplitude damping is a bilinear coupling process, which provides a good description of photon loss from a bosonic system to a zero-temperature environment [27]. When the time interval of reaction is short enough, we can also see the effect of amplitude damping as phase-space displacements, in which case quantum diffusion and amplitude damping are equivalent.
To carry more information, we use coherent states with larger amplitude |α|, which means the bosonic mode has more photons. These quantum states are vulnerable to photon loss, making the effect of decoherence nonnegligible. As a result, the capacity of quantum channels will decrease, which restricts the network throughput of the CVQNC schemes.
A convenient model for describing linear or bilinear decohering environment is the Gaussian channel. Since it is a Pauli channel and amplitude damping is a bilinear process, we can use the Gaussian channel to model decoherence in our CVQNC schemes. Mathematically, a single-mode Gaussian channel G(d, T, N) transforms the state $\hat{\rho}(\bar{x}, V)$ with mean $\bar{x}$ and covariance matrix V into [28]

$$\bar{x} \to T\bar{x} + d , \qquad V \to T V T^{T} + N ,$$


where $d \in \mathbb{R}^2$ is a displacement vector, while T and N are 2 × 2 real matrices. According to Holevo [29], a canonical form $C(\tau, r, \bar{n})$ can be adopted to represent the simplified Gaussian channel, where $\tau = \det T$ is the generalized transmissivity, $r = \min[\mathrm{rank}(T), \mathrm{rank}(N)]$ is the rank of the channel, and $\bar{n}$ is the thermal number defined by

$$\bar{n} = \begin{cases} (\det N)^{1/2} , & \tau = 1 \\ \dfrac{(\det N)^{1/2}}{2|1 - \tau|} - \dfrac{1}{2} , & \tau \neq 1 \end{cases} .$$

Specifically, $C(I) = C(1, 0, 0)$ is the identity channel. $L(\tau, \bar{n}) = C(0 < \tau < 1, 2, \bar{n})$ is the most important model, which represents lossy channels with attenuation and thermal noise. If the thermal number is zero, $L_p(\tau) = C(0 < \tau < 1, 2, 0)$ is a pure-loss channel. In this case, the physical representation of $L_p(\tau)$ is a beam splitter of transmissivity τ mixing its input with a vacuum state. This pure-loss channel model can be used to describe broadband communication lines such as waveguides and free-space optical communication [30]. Without loss of generality, we use the pure-loss channel model to describe the noisy channels in the CVQNC schemes.
(2) Capacity of quantum channels
To evaluate the effect of noise on network throughput, we calculate the capacity of
the pure-loss channels in the CVQNC schemes, which imposes restriction on trans-
mission rate. Quantum channels can be used for transmitting quantum information
and classical information, so there are two kinds of channel capacity for quantum
channels, namely quantum capacity and classical capacity. The quantum capacity of
a quantum channel is defined to be the number of qubits that can be reliably transmitted
by a single channel use, while the classical capacity of a quantum channel is
defined to be the number of bits a receiver can extract from the quantum states by a
single channel use. The CVQNC schemes use quantum states as information carrier
to transmit classical information, so the network throughput calculated in Sect. 8.1.7
is classical. Since the performance of the schemes is evaluated in terms of classical
information, it is reasonable to consider the classical capacity of quantum channels.
Besides, classical capacity is restricted by quantum laws. Assume an arbitrary ran-
dom variable for modulation is A = {a, pa }, and the corresponding quantum ensem-
ble is Q = {ρ̂a , pa }, where each character a occurs with probability pa . The quantum
states are transformed by a quantum channel N , i.e., Q → N (Q). A receiver needs
to use a measuring operation to extract information as much as possible from N (Q),
and the maximal quantity is called the accessible information. The upper bound of
the accessible information of N (Q) is the Holevo bound, which is asymptotically
achievable and defined as

$$\chi(Q, \mathcal{N}) = S\Big(\mathcal{N}\Big(\sum_a p_a \hat{\rho}_a\Big)\Big) - \sum_a p_a S\big(\mathcal{N}(\hat{\rho}_a)\big), \tag{8.8}$$

where S is the von Neumann entropy, which is a quantum analogy to the classical
Shannon entropy. By maximizing χ(Q, N ) over all possible sources, one can obtain
the one-shot classical capacity of N as

$$C^{(1)}(\mathcal{N}) = \max_{Q} \chi(Q, \mathcal{N}).$$

Then the full classical capacity is obtained by regularizing n uses of the channel:

$$C(\mathcal{N}) = \lim_{n\to\infty} \frac{1}{n} C^{(1)}(\mathcal{N}^{\otimes n}). \tag{8.9}$$
Calculation of Eq. 8.9 seems infeasible since it involves optimization over infinite
uses of the channel, but a feasible formula has been given for pure-loss channels
[30]. Using von Neumann entropy instead of Shannon entropy in Eq. 8.8 shows that
quantum laws impose restriction on the classical capacity of quantum channels. A
physical interpretation is that the modulated quantum states are usually nonorthog-
onal and cannot be distinguished, so information is only partly accessible in the
quantum setting. The lack of accessibility of quantum information restricts the clas-
sical capacity of quantum channels. In other words, the classical capacity of quantum
channels is restricted by quantum laws so it can be used to evaluate the transmission
performance of quantum communication.
Quantum capacity is a straightforward criterion for evaluating the performance of
quantum channels. The calculation of quantum capacity is similar to that of classical
capacity and involves regularizing arbitrarily many uses of the channel:

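$$Q^{(n)}(\mathcal{N}) = \frac{1}{n} \max_{\hat{\rho}^{(n)}} I_{\mathrm{coh}}(\mathcal{N}^{\otimes n}, \hat{\rho}^{(n)}),$$

$$Q(\mathcal{N}) = \lim_{n\to\infty} Q^{(n)}(\mathcal{N}). \tag{8.10}$$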

Here the coherent information Icoh (N , ρ̂) is a function of input ρ̂ and the channel N ,

Icoh (N , ρ̂) = S(N (ρ̂)) − S(N (ρ̂R )),

where ρR is a purification of ρ and S denotes the von Neumann entropy. For pure-loss
channels, coherent information is not always additive. When transmissivity τ < 0.5,
pure-loss channels are antidegradable and their quantum capacity is zero [31], in
which case the quantum capacity is not additive. Recent work has proved that one can
construct a quantum channel for which the quantum capacity is zero for arbitrary n uses of
N , i.e., Q(n) (N ) = 0, while positive quantum capacity is achieved with a larger number
of uses [32]. So the quantum capacity of a channel does not completely specify
its capability for transmitting quantum information. The regularization in Eq. 8.10
cannot be ignored, which makes the calculation of quantum capacity infeasible.
Considering the above reasons, classical capacity is used to evaluate the trans-
mission performance of the noisy quantum channels in the CVQNC schemes.
(3) Result analysis
The schemes use infinite-dimensional quantum variables, which seems to carry infi-
nite information. However, if we encode classical information in these variables,
then the classical capacity of quantum channels depends on the input energy. The
classical capacity of a pure-loss channel Lp(τ) is C(Lp) = g(τμ + 1 − τ), where

$$g(x) = \frac{x+1}{2}\log\frac{x+1}{2} - \frac{x-1}{2}\log\frac{x-1}{2},$$

μ = 2m̄ + 1 and m̄ is the mean number of photons in one input mode. One can reach
this capacity by using Gaussian-modulated coherent states and heterodyne detection [30].
In the CVQNC schemes, assume the classical characters are {0, 1, ..., N − 1}
with uniform distribution. By modulating the amplitude and phase quadratures, we
obtain the quantum ensemble, namely {|0⟩, |i⟩, ..., |i(N − 1)⟩, |1⟩, |1 + i⟩, ..., |N − 1 + i(N − 1)⟩}.
For a coherent state |α⟩, its mean photon number is |α|². According
to this property, the mean photon number of the modulated set of coherent states is

$$\bar{m} = \frac{2N}{N^2}\left[1^2 + 2^2 + \cdots + (N-1)^2\right] = \frac{2}{3}(N-1)(2N-1).$$
We can roughly regard m̄ as the mean photon number of the channels in our CVQNC
schemes. In Scheme 1, links s1 → {r1, t2} and s2 → {r1, t1} send replicas of modulated
coherent states and links r1 → r2, r2 → {t1, t2} send the sum state |αA + αB⟩.
Obviously, we only need to consider the capacity of links s1 → {r1 , t2 }, s2 → {r1 , t1 }
with mean photon number m̄ because it is the lower bound of the network. In Scheme
2, links s1 → t2 and s2 → t1 send the mixtures of a modulated coherent state and
two EPR modes. The EPR pairs are two-mode squeezed vacuum states, so they do
not affect the mean number of photons.
Let μ = 2m̄ + 1 = (4/3)(N − 1)(2N − 1) + 1, then the capacity of pure-loss channels is

$$C(L_p) = g(\tau\mu + 1 - \tau) = g\left[\frac{4(N-1)(2N-1)}{3}\tau + 1\right],$$

where τ (0 < τ < 1) is the transmissivity of the channels. Figure 8.4 shows the
channel capacity with different values of τ. The cross curve (“×”) shows the case of τ = 1
when the channel is an identity channel. The dot curve shows the function 2 log₂ N,
which is the quantity of classical information one can extract from a coherent state,
according to Sect. 8.1.7. The rest of the curves from top to bottom show the cases
of τ = 0.5, 0.3, 0.2. Obviously, channels with lower transmissivity τ have lower
capacity.

Fig. 8.4 Channel capacity of pure-loss channels with different τs (0 < τ < 1)
[Plot: channel capacity (bits) versus N; curves for τ = 1, τ = 0.5, τ = 0.3, τ = 0.2 and 2logN]

From Fig. 8.4, we observe the capacity is higher than 2 log₂ N in the case of τ > 0.5.
When the transmissivity is high enough, the ideal throughput can be reached. In fact,
the modulation method of our scheme sacrifices throughput for the tolerance of noise.
In low-noise channels, displacements in quantum variables are much smaller than the
gap between two modulation characters, so the displacement error can be corrected
easily. If input energy is not limited, then we can expand the modulation gap to
reduce the effect of noise in quantum channels.
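
The capacity formula above can be evaluated numerically. The following Python sketch is an added example, not code from the book: it computes C(Lp) with the μ given in the text and solves for the transmissivity at which the capacity equals the ideal throughput 2 log₂ N. Base-2 logarithms (capacity in bits, as on the axis of Fig. 8.4) and all function names are assumptions.

```python
import math


def g(x):
    """g(x) = (x+1)/2*log((x+1)/2) - (x-1)/2*log((x-1)/2); base 2 is assumed."""
    if x < 1:
        raise ValueError("g(x) is defined for x >= 1")
    hi, lo = (x + 1) / 2, (x - 1) / 2
    # lo*log(lo) tends to 0 as lo -> 0, so x = 1 (no photons received) gives 0 bits.
    return hi * math.log2(hi) - (lo * math.log2(lo) if lo > 0 else 0.0)


def mu(n_chars):
    """mu = 2*m_bar + 1 = (4/3)(N-1)(2N-1) + 1, as stated in the text."""
    return 4 * (n_chars - 1) * (2 * n_chars - 1) / 3 + 1


def capacity(n_chars, tau):
    """Classical capacity C(L_p) = g(tau*mu + 1 - tau) of a pure-loss channel."""
    if not 0.0 <= tau <= 1.0:
        raise ValueError("transmissivity must lie in [0, 1]")
    return g(tau * mu(n_chars) + 1 - tau)


def ideal_throughput(n_chars):
    """Classical information carried by one modulated coherent state."""
    return 2 * math.log2(n_chars)


def break_even_tau(n_chars, tol=1e-12):
    """Smallest tau with capacity >= 2*log2(N); bisection works because g is
    increasing. Returns None if even tau = 1 falls short of the target."""
    target = ideal_throughput(n_chars)
    if capacity(n_chars, 1.0) < target:
        return None
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if capacity(n_chars, mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def capacity_table(sizes=(2, 4, 8, 16), taus=(1.0, 0.5, 0.3, 0.2)):
    """Rows of (N, 2*log2(N), [capacity per tau], break-even tau)."""
    return [
        (n, ideal_throughput(n), [capacity(n, t) for t in taus], break_even_tau(n))
        for n in sizes
    ]


if __name__ == "__main__":
    for n, ideal, caps, tau_star in capacity_table():
        caps_txt = "  ".join(f"{c:6.3f}" for c in caps)
        print(f"N={n:2d}  2log2N={ideal:5.2f}  C(tau)={caps_txt}  break-even tau={tau_star:.4f}")
```

For N = 2 the break-even point is τ = 0.5, and it moves to lower transmissivity as N grows.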
B. Implementation scheme of nonideal amplifier
Among the basic operations of the CVQNC schemes, most of them can be imple-
mented with basic optical elements while the ADD/SUB operators have no obvious
implementation schemes. An idea of designing the ADD/SUB operators is depicted
in Fig. 8.1, where the key component is the noiseless linear amplifier. As a matter of
fact, a deterministic noiseless, phase insensitive, linear amplifier, as seen in classical
systems is unphysical in quantum theory [33]. Considering the practical usage of
the CVQNC Scheme, we introduce two implementation schemes of the nonideal
amplifier.
(1) Photon addition-subtraction scheme
A high fidelity noiseless amplifier for coherent states was proposed in 2010 [13]
and can be directly utilized for ADD/SUB operators. By combining photon addition
and subtraction in different orders, weak coherent states can be amplified with a
high fidelity. Let the amplification gain g = √2, the amplification fidelity and the
effective gain are [13]

$$F_{\mathrm{amp1}} = \frac{\left[1 + (2-\sqrt{2})|\alpha|^2\right]^2 e^{-(\sqrt{2}-1)^2|\alpha|^2}}{1 + |\alpha|^2 + (\sqrt{2}-1)^2|\alpha|^4}, \tag{8.11}$$

$$g_{\mathrm{eff}} = 1 + \frac{(\sqrt{2}-1)\left[1 + (\sqrt{2}-1)|\alpha|^2\right]}{1 + |\alpha|^2 + (\sqrt{2}-1)^2|\alpha|^4}. \tag{8.12}$$
Equations (8.11) and (8.12) show that the maximal amplification fidelity and the
maximal effective gain can be reached when |α| = 0. As |α| becomes large, they
decrease sharply. When |α| = 2.58, the fidelity is 0.5 and the effective gain is approx-
imately 1.102, namely about 77.9% of the ideal gain.
(2) Measure-displace scheme
In some optical implementations, part of optical circuits has a function of amplification.
In 2005, Andersen et al. [10] proposed a quantum cloning scheme for coherent
states with linear optical elements. An intermediate result of the cloning scheme is

$$|\alpha\rangle = \left|\left(\frac{1}{\sqrt{2}} + \frac{\lambda}{2}\right)\alpha_{\mathrm{in}} + \left(\frac{1}{\sqrt{2}} - \frac{\lambda}{2}\right)v_1 - \frac{\lambda}{\sqrt{2}}v_2^{\dagger}\right\rangle, \tag{8.13}$$

which contains a quantum state amplified by a factor of 1/√2 + λ/2 and noise introduced
by vacuum states v1 and v2.
Let λ = 21 , the output state in Eq. 8.13 becomes

$$|\alpha_{\pm}\rangle = |\sqrt{2}\alpha_{\mathrm{in}} - v_2^{\dagger}\rangle, \tag{8.14}$$

where |α±⟩ represents the output state of the ADD/SUB operators in Fig. 8.1. Whether
it is |α+⟩ or |α−⟩ depends on which output of the beam splitter becomes |ain⟩.
Assume that the amplitude and phase variances of the inputs are the same. According
to Eq. 8.14, the variances of the output are

$$\Delta^2 x_{\pm} = 2\Delta^2 x_{\mathrm{in}} + \Delta^2 x_v, \qquad \Delta^2 p_{\pm} = 2\Delta^2 p_{\mathrm{in}} + \Delta^2 p_v.$$

The fidelity of a cloning machine can be calculated as

$$F = \frac{2}{\sqrt{(1 + \Delta^2 x_{\mathrm{clone}})(1 + \Delta^2 p_{\mathrm{clone}})}}$$

according to [10], which gauges the similarity between the input and the output.
Similarly, the amplification fidelity is

$$F_{\mathrm{amp2}} = \frac{2}{\sqrt{(1 + \Delta^2 x_{\pm})(1 + \Delta^2 p_{\pm})}},$$

which gauges the similarity between the ideal output and the actual output. After
normalizing the variance of a vacuum state to unity, the amplification fidelity of the
measure-displace scheme is calculated to be 1/2.
The performance comparison between the measure-displace scheme and the photon
addition-subtraction scheme is shown in Table 8.2. For weak coherent states
whose amplitude |α| is smaller than 2.58, the photon addition-subtraction scheme
is superior to the other one for a higher amplification fidelity. For strong coherent
states, the measure-displace scheme is better.

Table 8.2 Performance comparison of two amplifier implementation schemes

| Item | Measure-displace scheme | Photon addition-subtraction scheme |
|---|---|---|
| Optical components | linear | nonlinear and linear |
| Amplification fidelity (Famp) | 1/2 | Famp decreases as \|α\| increases. When \|α\| = 2.58, Famp ≈ 1/2 |
| Effective gain (geff) | 2 | geff is always larger than 1 and decreases as \|α\| increases. When \|α\| = 2.58, geff ≈ 1.102 |

8.2 Continuous-Variable Quantum Homomorphic Signature

8.2.1 Homomorphic Signature for CVQNC

To date, many continuous-variable quantum cryptography protocols have been put
forward. They are believed to be more secure than classical cryptography protocols
because their security is ensured by physical laws rather than computation complex-
ity. To solve the problems of forgery and modification, continuous-variable quantum
signature schemes were exploited. In 2007, Zeng et al. [11] proposed a continuous-
variable quantum signature scheme without an arbitrator. A signer signs a quantum
message with its private key and obtains two continuous-variable entangled states as
a signature. Then the receiver decodes the signature with the public key and compares
the decoded state with the original state by using a quantum circuit. They claimed
that the scheme is theoretically secure. Later in 2013, the claim was refuted by Li
et al. [34] proving the impossibility of signing quantum messages securely without
the existence of an arbitrator. In 2012, Clarke et al. [35] provided an experimental
demonstration of a continuous-variable quantum signature scheme. A signer gener-
ates two sequences of phase-encoded coherent states as the signature of a one-bit
message and distributes them to two verifiers. It is a continuous-variable scheme
because the phase of a coherent state has a continuous spectrum. The negotiation
between two verifiers prevents repudiation by the signer. In 2014, Collins et al. [36]
proposed an experimental system that can realize quantum digital signature without
using quantum memory. This scheme also encodes messages on the phase of coherent
states. In 2016, Guo et al. [37] proposed an arbitrated continuous-variable quantum
signature scheme to sign a quantum message. Recently, experimental breakthroughs
on the transmission distance of continuous-variable quantum signature have been
made [38, 39], increasing the transmission distance from several meters to up to
2 km.
These signature schemes were designed for point-to-point communication so can-
not adapt to the crossing case of multiple data streams. In a network, data streams
from different data sources converge at an intermediate node and are combined by
the encoding operation. When a receiver receives the encoded message, it should be
able to verify the identities of all data sources. So the intermediate node needs to
generate a signature of the encoded message without knowing their secret keys. To
accomplish this, homomorphic signature schemes were needed. In 2015, Shang et
al. [40] proposed the first quantum homomorphic signature scheme based on entan-
glement swapping. The scheme guarantees the security of secret keys and realizes
identity verification for different data sources. The scheme has no resistance to the
forgery attack executed by an intermediate node. In 2016, Luo et al. [41] proposed
a quantum homomorphic signature scheme based on Bell-state measurement, which
can be realized with current technology. In this scheme, the intermediate node was
designed to be semi-honest and strictly follows the prescribed steps so that it cannot
conspire with attackers. Current quantum homomorphic signature schemes belong to
discrete-variable schemes. Considering the feasibility and efficiency of continuous-
variable quantum communication, it is necessary to design a quantum homomorphic
signature scheme for continuous variables.
Our objective is to design a continuous-variable quantum homomorphic signature
(CVQHS) scheme to verify the identities of multiple data sources in a network. Firstly,
we need to design a homomorphic operation for continuous variables. Continuous-
variable entanglement swapping can be utilized to generate a homomorphic signature
[42]. Secondly, we need to prevent a dishonest intermediate node from forgery, which
is impossible for the schemes in Refs. [40, 41].

8.2.2 Requirement of Quantum Homomorphic Signature

Given variables x and y, a function f is homomorphic if f(x ◦ y) = f(x) ◦ f(y), where
“◦” is an algebraic operation. In the real number field, operation ◦ usually can be
addition, subtraction, multiplication, and division. And the corresponding function f
is an additive, subtractive, multiplicative, and divisive homomorphism, respectively.
Since there is no obvious way of algebraically computing quantum states, such as
adding up |0⟩ and |1⟩ to be |0⟩ + |1⟩, a more feasible definition of homomorphism for
quantum states is given [40]. Given variables x and y, a function f is homomorphic
if there exists a function φ satisfying f(x ◦ y) = φ(f(x), f(y)), where “◦” is the add
operation or the multiply operation. Actually, we can extend it to any algebraic
operation.
For a quantum homomorphic signature scheme, f is usually the signing operation
that maps a tuple of a classical message and a secret key to a quantum state, namely
f : (message, secret key) → quantum state (signature), which is relatively easy to
design. To realize the homomorphism of a signature scheme, it is crucial to find a
quantum operation that can play the role of the function φ. The existing quantum
homomorphic signature schemes in Refs. [40, 41] both use Bell-state measurement to
implement the function φ at the combining phase, while they have different signing
operations. In Shang’s scheme [40], a signer encodes a classical message on an
entangled particle with a secret key. Then Bell-state measurement is applied to the
entangled states and the process is called entanglement swapping. At the verifier, a
signature can be verified by utilizing the intrinsic relationship between two particles
in an entangled state. In Luo’s scheme [41], a signer generates a quantum particle
sequence according to a classical message and a secret key. Decoy states are inserted
into the quantum particle sequence so as to help a verifier verify the authenticity and
integrity of a signature. Although the second scheme has fewer times of operation
and transmission of quantum states, its consumption of quantum states is larger than
the first scheme. For fewer resource consumption, it is necessary to design a CVQHS
scheme based on continuous-variable entanglement swapping.

8.2.3 Continuous-Variable Entanglement Swapping

Entanglement swapping [43] is a technique that realizes the entanglement of two
quantum systems that have no direct interaction with each other. By operating on
halves of two entangled states, the other halves are entangled. So it looks like entanglement
is swapped among the particles. A continuous-variable approach for entanglement
swapping has been proposed [44], which is briefly introduced as follows:
Assume there are two pairs of entangled states, namely (|α1⟩, |α2⟩) and
(|α3⟩, |α4⟩). They meet the following correlations:

$$\begin{cases}
\hat{x}_{1(3)} = \left(e^{r}\hat{x}^{(0)}_{1(3)} + e^{-r}\hat{x}^{(0)}_{2(4)}\right)/\sqrt{2} \\
\hat{p}_{1(3)} = \left(e^{-r}\hat{p}^{(0)}_{1(3)} + e^{r}\hat{p}^{(0)}_{2(4)}\right)/\sqrt{2} \\
\hat{x}_{2(4)} = \left(e^{r}\hat{x}^{(0)}_{1(3)} - e^{-r}\hat{x}^{(0)}_{2(4)}\right)/\sqrt{2} \\
\hat{p}_{2(4)} = \left(e^{-r}\hat{p}^{(0)}_{1(3)} - e^{r}\hat{p}^{(0)}_{2(4)}\right)/\sqrt{2}
\end{cases}, \tag{8.15}$$

$$\begin{aligned}
\langle(\hat{x}_{1(3)} - \hat{x}_{2(4)})^2\rangle &= e^{-2r}/2 \\
\langle(\hat{p}_{1(3)} + \hat{p}_{2(4)})^2\rangle &= e^{-2r}/2
\end{aligned}, \tag{8.16}$$

where $\hat{x}_k^{(0)}$ and $\hat{p}_k^{(0)}$ (k = 1, 2, 3, 4) are a conjugate pair of quadratures of a vacuum
state $|\alpha_k^{(0)}\rangle$ and $|\alpha_k^{(0)}\rangle = |x_k^{(0)} + ip_k^{(0)}\rangle$. They follow the Gaussian distribution,
$x_k^{(0)}, p_k^{(0)} \sim N(0, \tfrac{1}{4})$.
Then we apply Bell detection to |α1⟩ and |α3⟩ by using a beam splitter (BS) and
homodyne detectors. By mixing |α1⟩ and |α3⟩ at a 50:50 BS, we obtain the output
states

$$\begin{aligned}
|\alpha'_1\rangle &= \left|\tfrac{1}{\sqrt{2}}(\alpha_1 + \alpha_3)\right\rangle = \left|\tfrac{1}{\sqrt{2}}[(x_1 + x_3) + i(p_1 + p_3)]\right\rangle \\
|\alpha'_3\rangle &= \left|\tfrac{1}{\sqrt{2}}(\alpha_1 - \alpha_3)\right\rangle = \left|\tfrac{1}{\sqrt{2}}[(x_1 - x_3) + i(p_1 - p_3)]\right\rangle
\end{aligned}.$$

Then classical measurement results x′1 = (1/√2)(x1 + x3) and p′3 = (1/√2)(p1 − p3) are
obtained by operating homodyne detection on the x quadrature of |α′1⟩ and the p
quadrature of |α′3⟩. Let r → ∞, then we can denote |α2⟩ and |α4⟩ as

$$\begin{aligned}
|\alpha_2\rangle &= |x_1 - ip_1\rangle \\
|\alpha_4\rangle &= |x_3 - ip_3\rangle = |\sqrt{2}x'_1 - x_1 + i(\sqrt{2}p'_3 - p_1)\rangle
\end{aligned}. \tag{8.17}$$

Equation 8.17 shows that |α2⟩ and |α4⟩ are entangled. So the continuous-variable
entanglement swapping process is accomplished.
If |α2⟩ and |α4⟩ are displaced at first, obtaining |α′2⟩ = |α2 + mA⟩ and |α′4⟩ =
|α4 + mB⟩, then |α′2⟩ and |α′4⟩ will still get entangled after applying Bell detection
to |α1⟩ and |α3⟩. The entangled states can be expressed as

$$\begin{aligned}
|\alpha'_2\rangle &= |x_1 + x_A - i(p_1 - p_A)\rangle \\
|\alpha'_4\rangle &= |x_3 + x_B - i(p_3 - p_B)\rangle
\end{aligned},$$

where mA(B) = xA(B) + ipA(B), x1 + x3 = √2 x′1, and p1 − p3 = √2 p′3. We mix |α′2⟩
and |α′4⟩ at a 50:50 BS, then the output states are

$$\begin{aligned}
|\alpha''_2\rangle &= \left|\tfrac{1}{\sqrt{2}}[x_1 + x_3 + x_A + x_B - i(p_1 + p_3 - p_A - p_B)]\right\rangle \\
|\alpha''_4\rangle &= \left|\tfrac{1}{\sqrt{2}}[x_1 - x_3 + x_A - x_B - i(p_1 - p_3 - p_A + p_B)]\right\rangle
\end{aligned}.$$

Note that |α″2⟩ and |α″4⟩ can be expressed as |α″2⟩ = |(1/√2)(α∗+ + mA + mB)⟩ and
|α″4⟩ = |(1/√2)(α∗− + mA − mB)⟩, where |α∗±⟩ = |x1 ± x3 − i(p1 ± p3)⟩. It can be seen
that the displacements on |α2⟩ and |α4⟩ are added up on |α∗+⟩ after entanglement
swapping. The addition of displacements is completed without directly adding mA and
mB together, so the process of continuous-variable entanglement is a homomorphic
operation.

8.2.4 CVQHS Scheme

We provide a definition of continuous-variable quantum signature and a basic
CVQHS scheme based on continuous-variable entanglement swapping.

Definition 1 Assume that a signer has a classical message a, an arbitrary continuous-variable
quantum state |α⟩, and two secret keys k1 and k2. Then the continuous-variable
quantum signature of a is defined as Sk(a) = D̂(ma + mk1 + mk2)|α⟩, where
D̂(γ) = exp(γâ† − γ∗â) is the displacement operator, which satisfies
D̂(γ)|α⟩ = |α + γ⟩. ma, mk1 and mk2 are complex numbers, namely ma = a + ia,
mk1 = k1 + ik1, mk2 = xk2 + ipk2, where xk2 and pk2 satisfy

$$\begin{cases}
x_{k_2} = k_2,\ p_{k_2} = 0 & \text{if } a + k_2 \text{ is odd} \\
x_{k_2} = 0,\ p_{k_2} = k_2 & \text{if } a + k_2 \text{ is even}
\end{cases}.$$

Assume there are two signers A and B, an intermediate node M and a verifier
V. A (or B) uses two pre-shared secret keys to sign its classical message a (or b), and
generates a quantum state as a signature. M combines two signatures from A and B
and generates two new signatures by means of entanglement swapping. The basic
model is shown in Fig. 8.5.
The CVQHS scheme is defined by a tuple of algorithms (Setup, Sign, Combine,
Verify) and is described as follows:
(1) Setup
Step 1. A shares two secret keys kA1 and kA2 with V by continuous-variable quantum
key distribution. Meanwhile, B shares two secret keys kB1 and kB2 with V. The
secret keys are real numbers.
Step 2. M prepares two pairs of entangled states, namely (|α1⟩, |α2⟩) and
(|α3⟩, |α4⟩). They meet the correlations of Eqs. 8.15 and 8.16. When the squeezing
parameter r → ∞, it is approximate that x̂1 = x̂2, p̂1 = −p̂2, x̂3 = x̂4, and p̂3 = −p̂4.
Then M sends |α2⟩ to A and |α4⟩ to B.

Fig. 8.5 Basic model of CVQHS

(2) Sign
Step 1. A signs its classical message a by displacing the quadratures of |α2⟩, while
B signs its classical message b by displacing the quadratures of |α4⟩. The signatures
are

$$\begin{aligned}
S_{k_A}(a) &= |\alpha_2 + m_A + m_{k_{A1}} + m_{k_{A2}}\rangle = |\alpha'_2\rangle \\
S_{k_B}(b) &= |\alpha_4 + m_B + m_{k_{B1}} + m_{k_{B2}}\rangle = |\alpha'_4\rangle
\end{aligned},$$

where mA = a + ia, mkA1 = kA1 + ikA1, and mkA2 = xkA2 + ipkA2. xkA2 and pkA2 are
determined by the classical message and kA2:

$$\begin{cases}
x_{k_{A2}} = k_{A2},\ p_{k_{A2}} = 0 & \text{if } a + k_{A2} \text{ is odd} \\
x_{k_{A2}} = 0,\ p_{k_{A2}} = k_{A2} & \text{if } a + k_{A2} \text{ is even}
\end{cases},$$

mB = b + ib, mkB1 = kB1 + ikB1, and mkB2 = xkB2 + ipkB2. xkB2 and pkB2 are determined
by the classical message and kB2:

$$\begin{cases}
x_{k_{B2}} = k_{B2},\ p_{k_{B2}} = 0 & \text{if } b + k_{B2} \text{ is odd} \\
x_{k_{B2}} = 0,\ p_{k_{B2}} = k_{B2} & \text{if } b + k_{B2} \text{ is even}
\end{cases}.$$

Step 2. A sends the signature |α′2⟩ and the classical message mA to M, while B
sends the signature |α′4⟩ and the classical message mB to M.
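(3) Combine
Step 1. M applies Bell detection on |α1⟩ and |α3⟩. Firstly, M mixes |α1⟩ and |α3⟩
at a 50:50 BS and obtains

$$\begin{aligned}
|\alpha'_1\rangle &= \left|\tfrac{1}{\sqrt{2}}(\alpha_1 + \alpha_3)\right\rangle \\
|\alpha'_3\rangle &= \left|\tfrac{1}{\sqrt{2}}(\alpha_1 - \alpha_3)\right\rangle
\end{aligned}.$$

Then M measures the x quadrature of |α′1⟩ and the p quadrature of |α′3⟩ by homodyne
detection and obtains the classical measurement results x′1 = (1/√2)(x1 + x3) and
p′3 = (1/√2)(p1 − p3). At this point, |α′2⟩ and |α′4⟩ are entangled.
Step 2. M mixes |α′2⟩ and |α′4⟩ at a 50:50 BS and obtains two new signatures

$$\begin{aligned}
|\alpha''_2\rangle &= \left|\tfrac{1}{\sqrt{2}}(\alpha'_2 + \alpha'_4)\right\rangle \\
|\alpha''_4\rangle &= \left|\tfrac{1}{\sqrt{2}}(\alpha'_2 - \alpha'_4)\right\rangle
\end{aligned}.$$

Step 3. M sends the quantum states |α′1⟩, |α″2⟩, |α′3⟩, |α″4⟩ and the classical message
mA+B = mA + m∗B to V.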
(4) Verify
Step 1. V measures the x quadrature of |α″2⟩ and the p quadrature of |α″4⟩ by
homodyne detection and obtains the measurement results

$$\begin{aligned}
x''_2 &= \tfrac{1}{\sqrt{2}}(a + k_{A1} + x_{k_{A2}} + b + k_{B1} + x_{k_{B2}} + x_1 + x_3) \\
p''_4 &= \tfrac{1}{\sqrt{2}}(a + k_{A1} + p_{k_{A2}} - b - k_{B1} - p_{k_{B2}} - p_1 + p_3)
\end{aligned}.$$

Step 2. V measures the x quadrature of |α′1⟩ and the p quadrature of |α′3⟩ by
homodyne detection and obtains x′1 and p′3. Then V calculates xV = √2(x″2 − τx′1)
and pV = √2(p″4 − τp′3), where τ is the transmissivity of quantum channels. If the
quantum channels are identity channels, τ = 1.
Step 3. V calculates a and b from the received classical message mA+B =
mA + m∗B. Then V calculates mkA2(B2), x′V = a + kA1 + xkA2 + b + kB1 + xkB2, and
p′V = a + kA1 + pkA2 − b − kB1 − pkB2 according to pre-shared secret keys. To verify
the authenticity and integrity of the signatures, V calculates Hx = (xV − τx′V)² and
Hp = (pV − τp′V)². If Hx ≤ Hth and Hp ≤ Hth, V will confirm that |α″2⟩ and |α″4⟩ are
the signatures of M and accept the classical messages a and b. Otherwise, V will deny
the signatures. Hth is the verification threshold. If imperfections of implementation
are not considered, Hth = 0.
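
The four phases above, together with the entanglement swapping of Sect. 8.2.3, can be traced numerically in the ideal limit the text uses (r → ∞, identity channels, τ = 1), where each coherent state is represented by its complex amplitude x + ip and homodyne detection returns the quadrature exactly. The Python sketch below is an added example, not the authors' code. Integer messages and keys (so that the odd/even rule is defined), the small tolerance standing in for Hth = 0, and all function names are assumptions; the Bell-detection outcome for p is added back with the sign that cancels the −p1 + p3 term in V's measured p quadrature.

```python
import math
import random

SQRT2 = math.sqrt(2.0)


def key2_displacement(msg, k2):
    """m_k2 = x_k2 + i*p_k2: k2 sits on x if msg + k2 is odd, on p if even."""
    return complex(k2, 0) if (msg + k2) % 2 else complex(0, k2)


def epr_pair(rng, spread=50.0):
    """Ideal pair with x1 = x2 and p1 = -p2; the shared quadratures are random
    and broad (a constructed stand-in for the r -> infinity limit)."""
    x, p = rng.gauss(0, spread), rng.gauss(0, spread)
    return complex(x, p), complex(x, -p)


def sign(half, msg, k1, k2):
    """Sign: displace the received half by m_msg + m_k1 + m_k2."""
    return half + complex(msg, msg) + complex(k1, k1) + key2_displacement(msg, k2)


def combine(a1, a3, sig_a, sig_b, m_a, m_b):
    """Combine at M: Bell detection on modes 1 and 3, then mix both signatures."""
    return {
        "x1": ((a1 + a3) / SQRT2).real,    # homodyne x of the mixed mode 1
        "p3": ((a1 - a3) / SQRT2).imag,    # homodyne p of the mixed mode 3
        "sig2": (sig_a + sig_b) / SQRT2,   # new signature carrying the sum
        "sig4": (sig_a - sig_b) / SQRT2,   # new signature carrying the difference
        "m_ab": m_a + m_b.conjugate(),     # classical message m_A + m_B^*
    }


def verify(bundle, keys_a, keys_b, h_th=1e-9):
    """Verify at V for tau = 1; returns (accepted, a, b)."""
    m = bundle["m_ab"]                     # equals (a + b) + i(a - b)
    a = round((m.real + m.imag) / 2)
    b = round((m.real - m.imag) / 2)
    # Measured quadratures with the entangled-state noise cancelled.
    x_meas = SQRT2 * (bundle["sig2"].real - bundle["x1"])
    p_meas = SQRT2 * (bundle["sig4"].imag + bundle["p3"])
    # Values V expects from the claimed messages and the pre-shared keys.
    ka2 = key2_displacement(a, keys_a[1])
    kb2 = key2_displacement(b, keys_b[1])
    x_exp = a + keys_a[0] + ka2.real + b + keys_b[0] + kb2.real
    p_exp = a + keys_a[0] + ka2.imag - b - keys_b[0] - kb2.imag
    h_x, h_p = (x_meas - x_exp) ** 2, (p_meas - p_exp) ** 2
    return (h_x <= h_th and h_p <= h_th), a, b


def run_round(a, b, keys_a, keys_b, rng, claimed_a=None):
    """One Setup/Sign/Combine pass; claimed_a lets the classical message that
    reaches V differ from the message A actually signed."""
    a1, a2 = epr_pair(rng)
    a3, a4 = epr_pair(rng)
    sig_a, sig_b = sign(a2, a, *keys_a), sign(a4, b, *keys_b)
    shown = a if claimed_a is None else claimed_a
    bundle = combine(a1, a3, sig_a, sig_b, complex(shown, shown), complex(b, b))
    return sig_a, bundle


if __name__ == "__main__":
    rng = random.Random(2020)              # constructed demo values below
    keys_a, keys_b = (7, 4), (2, 9)
    sig1, good = run_round(5, 3, keys_a, keys_b, rng)
    sig2, _ = run_round(5, 3, keys_a, keys_b, rng)
    _, altered = run_round(5, 3, keys_a, keys_b, rng, claimed_a=6)
    print("honest run:", verify(good, keys_a, keys_b))
    print("same message, same signature?", sig1 == sig2)
    print("altered classical message:", verify(altered, keys_a, keys_b))
    print("wrong key for A:", verify(good, (7, 5), keys_b))
```

The honest run is accepted with a and b recovered from the classical message, while a changed classical message or a wrong key leaves a nonzero Hx or Hp and is rejected.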

8.2.5 Property of CVQHS Scheme

Proposition 1 The proposed CVQHS scheme is additively and subtractively homomorphic.

Proof In the signing phase of the CVQHS scheme, A and B generate their signatures
SkA(a) = |α2 + mA + mkA1 + mkA2⟩ and SkB(b) = |α4 + mB + mkB1 + mkB2⟩. At Step
2 of the combining phase, entangled signatures are mixed at a 50:50 BS. The output
quantum states are

$$\begin{aligned}
|\alpha''_2\rangle &= \left|\tfrac{1}{\sqrt{2}}\left(\alpha^{*}_{+} + m_A + m_B + m_{k_{A1}} + m_{k_{A2}} + m_{k_{B1}} + m_{k_{B2}}\right)\right\rangle \\
|\alpha''_4\rangle &= \left|\tfrac{1}{\sqrt{2}}\left(\alpha^{*}_{-} + m_A - m_B + m_{k_{A1}} + m_{k_{A2}} - m_{k_{B1}} - m_{k_{B2}}\right)\right\rangle
\end{aligned}.$$

According to Definition 1, the signature of a + b is SkA+kB(a + b) = |α + mA+B +
mkA1+kA2 + mkB1+kB2⟩, where |α⟩ is an arbitrary quantum state and the secret keys are
kA1 + kB1 and kA2 + kB2. It can be expressed as

$$\begin{aligned}
S_{k_A+k_B}(a+b) &= |\alpha + m_A + m_B + m_{k_{A1}} + m_{k_{A2}} + m_{k_{B1}+k_{B2}}\rangle \\
&= |\alpha + m_A + m_B + m_{k_{A1}} + m_{k_{A2}} + m_{k_{B1}} + m_{k_{B2}}\rangle
\end{aligned}.$$

Since |α⟩ is an arbitrary quantum state, it can be |α∗+⟩. We denote the operations
performed in the combining phase by a function f, then

$$\begin{aligned}
S_{k_A+k_B}(a+b) &= \sqrt{2}\,|\alpha''_2\rangle \\
&= \sqrt{2}\,f(S_{k_A}(a), S_{k_B}(b))
\end{aligned}.$$

It seems impossible to implement a function φ = √2 f so that
φ(SkA(a), SkB(b)) = SkA+kB(a + b), because there exists no ideal linear amplifier in
the quantum setting. But in the verifying phase, a verifier converts quantum states into
classical information by measurement. Since classical information can be linearly
amplified, we can ignore the coefficient √2 and approximately regard the combining
phase as a function φ. So the proposed CVQHS scheme is additively homomorphic.

Similarly, assume SkA−kB(a − b) = |α∗− + mA − mB + mkA1 + mkA2 − mkB1
− mkB2⟩, we can approximately regard the combining phase as a function ϕ, which
satisfies SkA−kB(a − b) = ϕ(SkA(a), SkB(b)). So the CVQHS scheme is subtractively
homomorphic.
In conclusion, the CVQHS scheme is additively and subtractively homomorphic.
In Proposition 2, even if an attacker performs a replay attack, i.e., it intercepts and
stores the signatures from a legitimate signer and sends them later, the signatures
cannot pass verification.
Proposition 2 For the same message, the CVQHS scheme generates different sig-
natures each time.

Proof In the signing phase, A displaces the quadratures of |α2⟩ by mA + mkA1 + mkA2
to generate a signature, while B displaces the quadratures of |α4⟩ by mB + mkB1 + mkB2
to generate a signature. |α2⟩ and |α4⟩ are each half of an entangled state which is
prepared by M in the initial phase every time. According to Eqs. (8.15)
and (8.16), the quadratures of entangled states are very noisy when the squeezing
parameter r → ∞. So A or B receives different quantum states as |α2⟩ or |α4⟩,
which have random values for their quadratures, and generates different signatures
each time for the same message. Similarly, the signatures |α″2⟩ and |α″4⟩ generated
by M are different each time because they are based on the noisy entangled states.
In conclusion, the CVQHS scheme generates different signatures each time for the
same message.

8.2.6 Performance Analysis

A. Resource consumption
In the CVQHS scheme, the intermediate node M prepares |αi⟩ (i = 1, 2, 3, 4) and
sends |α2⟩ and |α4⟩ to two signers. The signers apply displacement operator to the
received quantum states and send them back to M as signatures. After |α1⟩ and |α3⟩
are mixed at a 50:50 BS and measured by homodyne detectors, M combines two
signatures at a 50:50 BS and sends all quantum states to the verifier V. Then V
measures the quantum states and verifies the identities of the signers according to
measurement results and pre-shared secret keys.

Table 8.3 Comparison among the CVQHS scheme, Shang’s scheme, and Luo’s scheme

| Item | CVQHS scheme | Shang’s scheme | Luo’s scheme |
|---|---|---|---|
| Consumption of quantum states | 4 | 4 | 3(m + k′) |
| Average number of operation | 3 | 3 | 1 + 2m/(3(m + k′)) |
| Average number of transmission | 2 | 2 | 1 |

During this process, four quantum states are consumed, where two of them are
used to generate signatures and the rest are ancillas. |α2(4)⟩ is operated three times and
transmitted three times, while |α1(3)⟩ is operated three times and transmitted once.
So the average number of operation is (3 × 2 + 3 × 2)/4 = 3 times per quantum
state and the average number of transmission is (3 × 2 + 1 × 2)/4 = 2 times per
quantum state.
Similarly, we can calculate the consumption and complexity of previous discrete-
variable quantum homomorphic signature (DVQHS) schemes [40, 41]. Shang’s
scheme [40] provides the basic structure for the CVQHS scheme and is different
in basic operations, so its consumption and complexity are the same as the CVQHS
scheme. In Luo’s scheme [41], a signer generates a sequence of m quantum particles
and k′ decoy states as its signature. The intermediate node M measures k′ decoy
states to check the existence of an eavesdropper and applies Bell-state measurement
to the rest of this sequence. Then M generates a new signature by using measurement
results. The new signature generated by M is composed of m quantum particles
and k′ decoy states and is measured by the verifier V in the verifying phase. The
scheme consumes 3(m + k′) quantum states and each quantum state is transmitted
once. If we treat Bell-state measurement as a combination of two operations, namely
a mixing operation of two quantum states at a 50:50 BS and single-photon detection,
the average number of operation is

$$\frac{(2m + k') \times 2 + (m + k')}{3(m + k')} = 1 + \frac{2m}{3(m + k')}$$

times per quantum state.
Comparison among the CVQHS scheme and two DVQHS schemes is listed in
Table 8.3. It can be seen that the CVQHS scheme has lower consumption of quantum
states and a larger average number of operations and transmissions than Luo’s scheme.
Although the average numbers are larger, our CVQHS scheme requires fewer operations
and transmissions in total because fewer quantum states are needed. Compared
with Shang’s scheme, the CVQHS scheme has the same performance on consump-
tion and complexity. Because quantum communication using continuous variables
has prominent advantages over discrete variables from the perspective of practical
use, the CVQHS scheme is more feasible than Shang’s DVQHS scheme.
B. Practical influence on verification threshold
Verification threshold Hth shows the tolerance of deviation between the transmitted
message and the message recovered from a signature. In the ideal case, Hth = 0
because messages and signatures will only be affected by potential attackers and any
slight deviation shows the existence of an attacker. Nevertheless, in the nonideal case,
quantum states will be affected by practical imperfections, so Hth should be higher.
Concretely, there are mainly two types of imperfections, namely device imperfection
and transmission imperfection. Device imperfection results from the nonideal imple-
mentation of quantum operators. Transmission imperfection results from the noise
in quantum channels. Here we consider the influence of finite squeezing parameter
r and lossy quantum channels with thermal noise.
Assume the quantum channels are modeled as
$$|\alpha\rangle \rightarrow |\sqrt{\tau}\,\alpha + \sqrt{1-\tau}\,\alpha_N\rangle,$$
where $\tau$ ($0 < \tau < 1$) is transmissivity and $|\alpha_N\rangle = |x_N + ip_N\rangle$ is thermal noise.
Assume thermal noise in each quantum channel is independently and identically
distributed and their quadratures follow Gaussian distribution: $x_N, p_N \sim N(0, V_N)$.
Next, we will calculate the verification threshold according to the process of the
proposed CVQHS scheme.
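(1) Setup
In Step 2, M sends $|\alpha_2\rangle$ to A and A receives $|\sqrt{\tau}\,\alpha_2 + \sqrt{1-\tau}\,\alpha_{N_1}\rangle$. Meanwhile, M sends $|\alpha_4\rangle$ to B and B receives $|\sqrt{\tau}\,\alpha_4 + \sqrt{1-\tau}\,\alpha_{N_2}\rangle$. Here $|\alpha_{N_1}\rangle$ and $|\alpha_{N_2}\rangle$ are thermal noise.
(2) Sign
In Step 2, A sends its signature $|\sqrt{\tau}\,\alpha_2 + \sqrt{1-\tau}\,\alpha_{N_1} + m_A + m_{k_{A_1}} + m_{k_{A_2}}\rangle$ to M and M receives
$$|\alpha'_2\rangle = |\tau\alpha_2 + \sqrt{\tau}\,(m_A + m_{k_{A_1}} + m_{k_{A_2}}) + \sqrt{\tau(1-\tau)}\,\alpha_{N_1} + \sqrt{1-\tau}\,\alpha_{N_3}\rangle,$$
where $|\alpha_{N_3}\rangle$ is thermal noise.

Similarly, M receives the signature from B,
$$|\alpha'_4\rangle = |\tau\alpha_4 + \sqrt{\tau}\,(m_B + m_{k_{B_1}} + m_{k_{B_2}}) + \sqrt{\tau(1-\tau)}\,\alpha_{N_2} + \sqrt{1-\tau}\,\alpha_{N_4}\rangle,$$
where $|\alpha_{N_4}\rangle$ is thermal noise.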


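(3) Combine
In Step 2, $|\alpha'_2\rangle$ and $|\alpha'_4\rangle$ are mixed at a 50:50 BS. According to Eq. 8.15, it can be
calculated that
$$
\begin{aligned}
|\alpha''_2\rangle &= \Big|\tfrac{1}{\sqrt{2}}(\alpha'_2 + \alpha'_4)\Big\rangle \\
&= \Big|\sqrt{\tfrac{\tau}{2}}\,(m_A + m_{k_{A_1}} + m_{k_{A_2}} + m_B + m_{k_{B_1}} + m_{k_{B_2}}) + \tfrac{\tau}{\sqrt{2}}\,\alpha_+^* \\
&\qquad - \tau e^{-r}\big[x_2^{(0)} + x_4^{(0)} - i(p_1^{(0)} + p_3^{(0)})\big] + \sqrt{\tfrac{1-\tau}{2}}\,\big[\sqrt{\tau}\,(\alpha_{N_1} + \alpha_{N_2}) + \alpha_{N_3} + \alpha_{N_4}\big]\Big\rangle \\
&= \sqrt{\tfrac{\tau}{2}}\,S_{k_A+k_B}(m_A + m_B)
\end{aligned}
$$
$$
\begin{aligned}
|\alpha''_4\rangle &= \Big|\tfrac{1}{\sqrt{2}}(\alpha'_2 - \alpha'_4)\Big\rangle \\
&= \Big|\sqrt{\tfrac{\tau}{2}}\,(m_A + m_{k_{A_1}} + m_{k_{A_2}} - m_B - m_{k_{B_1}} - m_{k_{B_2}}) + \tfrac{\tau}{\sqrt{2}}\,\alpha_-^* \\
&\qquad - \tau e^{-r}\big[x_2^{(0)} - x_4^{(0)} - i(p_1^{(0)} - p_3^{(0)})\big] + \sqrt{\tfrac{1-\tau}{2}}\,\big[\sqrt{\tau}\,(\alpha_{N_1} - \alpha_{N_2}) + \alpha_{N_3} - \alpha_{N_4}\big]\Big\rangle \\
&= \sqrt{\tfrac{\tau}{2}}\,S_{k_A-k_B}(m_A - m_B)
\end{aligned}
$$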

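In Step 3, M sends $|\alpha'_1\rangle$, $|\alpha''_2\rangle$, $|\alpha'_3\rangle$, and $|\alpha''_4\rangle$ to V:
$$
\begin{aligned}
|\alpha'_1\rangle &\rightarrow \Big|\sqrt{\tfrac{\tau}{2}}\,(\alpha_1 + \alpha_3) + \sqrt{1-\tau}\,\alpha_{N_5}\Big\rangle \\
|\alpha''_2\rangle &\rightarrow \Big|\tfrac{\tau}{\sqrt{2}}\,(m_A + m_{k_{A_1}} + m_{k_{A_2}} + m_B + m_{k_{B_1}} + m_{k_{B_2}}) + \tfrac{\tau^{3/2}}{\sqrt{2}}\,\alpha_+^* - \tau^{3/2} e^{-r}\big[x_2^{(0)} + x_4^{(0)} - i(p_1^{(0)} + p_3^{(0)})\big] \\
&\qquad + \sqrt{1-\tau}\,\Big[\tfrac{\tau}{\sqrt{2}}\,(\alpha_{N_1} + \alpha_{N_2}) + \sqrt{\tfrac{\tau}{2}}\,(\alpha_{N_3} + \alpha_{N_4}) + \alpha_{N_5}\Big]\Big\rangle \\
|\alpha'_3\rangle &\rightarrow \Big|\sqrt{\tfrac{\tau}{2}}\,(\alpha_1 - \alpha_3) + \sqrt{1-\tau}\,\alpha_{N_5}\Big\rangle \\
|\alpha''_4\rangle &\rightarrow \Big|\tfrac{\tau}{\sqrt{2}}\,(m_A + m_{k_{A_1}} + m_{k_{A_2}} - m_B - m_{k_{B_1}} - m_{k_{B_2}}) + \tfrac{\tau^{3/2}}{\sqrt{2}}\,\alpha_-^* - \tau^{3/2} e^{-r}\big[x_2^{(0)} - x_4^{(0)} - i(p_1^{(0)} - p_3^{(0)})\big] \\
&\qquad + \sqrt{1-\tau}\,\Big[\tfrac{\tau}{\sqrt{2}}\,(\alpha_{N_1} - \alpha_{N_2}) + \sqrt{\tfrac{\tau}{2}}\,(\alpha_{N_3} - \alpha_{N_4}) + \alpha_{N_5}\Big]\Big\rangle
\end{aligned}
$$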

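(4) Verify
In Step 2, V calculates
$$
\begin{cases}
x_V = \tau(a + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}}) - \sqrt{2}\,\tau^{3/2} e^{-r}(x_2^{(0)} + x_4^{(0)}) \\
\qquad\; + \sqrt{1-\tau}\,\big[\tau(x_{N_1} + x_{N_2}) + \sqrt{\tau}\,(x_{N_3} + x_{N_4}) + \sqrt{2}\,(1-\tau)\,x_{N_5}\big] \\
p_V = \tau(a + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}) + \sqrt{2}\,\tau^{3/2} e^{-r}(p_1^{(0)} - p_3^{(0)}) \\
\qquad\; + \sqrt{1-\tau}\,\big[\tau(p_{N_1} - p_{N_2}) + \sqrt{\tau}\,(p_{N_3} - p_{N_4}) + \sqrt{2}\,(1-\tau)\,p_{N_5}\big]
\end{cases}
$$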

In Step 3, V calculates $x'_V = a + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}}$ and $p'_V = a + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}$ by using pre-shared secret keys. Note that $x_k^{(0)}, p_k^{(0)} \sim N(0, \tfrac{1}{4})$ and $x_N, p_N \sim N(0, V_N)$, so $H_x = (x_V - \tau x'_V)^2$ and $H_p = (p_V - \tau p'_V)^2$ are very likely to be larger than 0. The degree of deviation from 0 can be evaluated by the variances of $x_V - \tau x'_V$ and $p_V - \tau p'_V$. So we calculate $\delta(x_V - \tau x'_V)$ and $\delta(p_V - \tau p'_V)$ as the verification threshold in the nonideal case.
$$
\begin{aligned}
H_{th} &= \delta(x_V - \tau x'_V) \\
&= \delta(p_V - \tau p'_V) \\
&= \tau^3 e^{-r} + 2(1-\tau)(1-\tau+2\tau^2)V_N
\end{aligned}
$$
Assume that $a, b, k_{A_1}, k_{A_2}, k_{B_1}, k_{B_2} \sim N(0, \sigma^2)$. When one of them is wrong, $H_{x(p)}$ achieves the minimum.
$$H_{x(p)} \geq \tau^3 e^{-r} + 2(1-\tau)(1-\tau+2\tau^2)V_N + 2\tau^2\sigma^2$$
It is obvious that this bound exceeds $H_{th}$. So when a classical message or signature is tampered with
or forged by an attacker or a dishonest intermediate node, $H_{x(p)}$ is larger than
the verification threshold.

8.2.7 Security Analysis

We provide a lemma to prove the unforgeability of the CVQHS scheme in Propositions 3 and 4.
Lemma 1 Secret keys cannot be calculated on the basis of the classical messages
and quantum states transmitted in the channels.
Proof Firstly, the link A → M is considered. Obviously, an attacker Eve cannot
calculate the secret keys $k_{A_1}$ and $k_{A_2}$ on the basis of $m_A = a + ia$ and $|\alpha_2 + m_A + m_{k_{A_1}} + m_{k_{A_2}}\rangle$. Similarly, for the link B → M, the secret keys $k_{B_1}$ and $k_{B_2}$ cannot be
calculated.
Secondly, the link M → V is considered. Eve can intercept the classical message
$m_A + m_B^*$ and the quantum states
$$
\begin{cases}
|\alpha'_1\rangle = |\tfrac{1}{\sqrt{2}}\,\alpha_+\rangle \\
|\alpha''_2\rangle = |\tfrac{1}{\sqrt{2}}(\alpha_+^* + m_A + m_B + m_{k_{A_1}} + m_{k_{A_2}} + m_{k_{B_1}} + m_{k_{B_2}})\rangle \\
|\alpha'_3\rangle = |\tfrac{1}{\sqrt{2}}\,\alpha_-\rangle \\
|\alpha''_4\rangle = |\tfrac{1}{\sqrt{2}}(\alpha_-^* + m_A - m_B + m_{k_{A_1}} + m_{k_{A_2}} - m_{k_{B_1}} - m_{k_{B_2}})\rangle
\end{cases}
$$
Owing to the famous uncertainty principle, two quadratures x and p cannot be
precisely measured at the same time. To calculate as much information as possible,
Eve needs to measure the x quadrature of part of the quantum states and the p
quadrature of the other part of the quantum states. Without loss of generality, we
assume Eve measures the x quadrature of $|\alpha'_1\rangle$ and $|\alpha''_2\rangle$ and the p quadrature of $|\alpha'_3\rangle$
and $|\alpha''_4\rangle$. Eve can only calculate $k_{A_1} + x_{k_{A_2}} + k_{B_1} + x_{k_{B_2}}$ and $k_{A_1} + p_{k_{A_2}} - k_{B_1} - p_{k_{B_2}}$
on the basis of the measurement results and $m_A + m_B^*$. So the secret keys $k_{A_1}$, $k_{A_2}$,
$k_{B_1}$, and $k_{B_2}$ cannot be calculated.

Proposition 3 An attacker Eve cannot forge the signature of a legitimate signer.

Proof In the verifying phase, the verifier V uses pre-shared secret keys to verify a
signature. So Eve must obtain secret keys to forge a signature that can pass verifi-
cation. According to Lemma 1, Eve cannot calculate secret keys on the basis of the
classical messages and the quantum states transmitted in the channels. Assume the
secret keys are distributed securely in the setup phase, then it is impossible for Eve
to have the secret keys. So Eve cannot forge the signature of a legitimate signer.

In fact, even if Eve obtains the secret keys in the setup phase, it cannot forge
the signature of a legitimate signer because it does not share entangled states with
M. Assume Eve has a quantum state $|\alpha_0\rangle = |x_0 + ip_0\rangle$ and the secret keys of A,
namely $k_{A_1}$ and $k_{A_2}$. Eve signs a message e with secret keys $k_{A_1}$ and $k_{A_2}$ and generates
the signature $S^E_{k_A}(e) = |\alpha_0 + m_E + m_{k_{A_1}} + m_{k_{A_2}}\rangle = |\alpha_E\rangle$, where $m_E = e + ie$.
Then it substitutes the classical message and the signature of A with $m_E$ and $|\alpha_E\rangle$,
respectively. In the verifying phase, V calculates
$$
\begin{cases}
x_V = x_0 - x_1 + e + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}} \\
p_V = p_1 - p_0 + e + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}
\end{cases}
$$
and
$$
\begin{cases}
x'_V = e + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}} \\
p'_V = e + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}
\end{cases}
$$
It is obvious that $x_V \neq x'_V$ and $p_V \neq p'_V$. The verifier confirms the existence of an
attacker or a dishonest intermediate node and denies the signatures.
In conclusion, Eve cannot forge the signature of a legitimate signer.

Proposition 4 Assume secret keys are distributed securely in the setup phase, then
a dishonest intermediate node M cannot forge the signatures of legitimate signers.

Proof According to Lemma 1 and the assumption that secret keys are distributed
securely, M cannot obtain the secret keys kA1 , kA2 , kB1 and kB2 . Instead, M can only
calculate kA1 + xkA2 + kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2 .

Assume M substitutes $m_{A+B}$ with a fake message $m^M_{A+B}$. It needs to prepare
two quantum states $|\alpha_2^M\rangle = |\tfrac{1}{\sqrt{2}}(\alpha_+^* + m_2^M)\rangle$ and $|\alpha_4^M\rangle = |\tfrac{1}{\sqrt{2}}(\alpha_-^* + m_4^M)\rangle$ to substitute
the original signatures $|\alpha''_2\rangle$ and $|\alpha''_4\rangle$, respectively. Here, $m_2^M$ and $m_4^M$ are
complex numbers and expressed as $m_2^M = x_2^M + ip_2^M$ and $m_4^M = x_4^M + ip_4^M$. In the
verifying phase, V measures quantum states and calculates $x_V = x_2^M$ and $p_V = p_4^M$.
According to $m^M_{A+B}$, V calculates $a'$ and $b'$ that satisfy $a' + b' + i(a' - b') = m^M_{A+B}$.
Then $m'_{k_{A_{1(2)}}} = x'_{k_{A_{1(2)}}} + ip'_{k_{A_{1(2)}}}$ can be calculated according to the pre-shared secret
keys $k_{A_2}$ and $k_{B_2}$. After that, V calculates $x'_V = x^M_{A+B} + k_{A_1} + x'_{k_{A_2}} + k_{B_1} + x'_{k_{B_2}}$ and
$p'_V = p^M_{A+B} + k_{A_1} + p'_{k_{A_2}} - k_{B_1} - p'_{k_{B_2}}$. Finally, V calculates $H_x = (x_V - \tau x'_V)^2$ and
$H_p = (p_V - \tau p'_V)^2$. If $H_x \leq H_{th}$ and $H_p \leq H_{th}$, V accepts the signatures. Otherwise,
V denies the signatures. If imperfections of implementation are not considered,
$H_{th} = 0$.
To make the fake signatures pass verification, M should choose $m_2^M$, $m_4^M$, and
$m^M_{A+B}$ to satisfy
$$
\begin{cases}
x_2^M = x^M_{A+B} + k_{A_1} + x'_{k_{A_2}} + k_{B_1} + x'_{k_{B_2}} \\
p_4^M = p^M_{A+B} + k_{A_1} + p'_{k_{A_2}} - k_{B_1} - p'_{k_{B_2}}
\end{cases}
$$
Since M cannot obtain $k_{A_2}$ and $k_{B_2}$, it cannot calculate the correct values for $m'_{k_{A_1}}$
and $m'_{k_{A_2}}$. So M cannot forge the signatures of legitimate signers.

Finally, we prove the non-repudiation of the CVQHS scheme in Proposition 5.
Proposition 5 Assume secret keys are distributed securely in the setup phase, then
a signer cannot repudiate its signature after it has passed verification.

Proof According to Propositions 3 and 4, a dishonest intermediate node M and
an attacker cannot perform forgery, so the signatures generated only by legitimate
signers with their own secret keys can pass verification. According to Lemma 1 and
the assumption that secret keys are distributed securely, nobody but legitimate signers
and the verifier can obtain the secret keys. Therefore, a signer cannot repudiate its
signature after it has passed verification.

8.3 Secure CVQNC with Message Authentication

8.3.1 Message Authentication of CVQNC

Like network coding, a continuous-variable quantum network coding scheme could be
confronted with pollution attacks, so we try to combine continuous-variable quantum
homomorphic signature with continuous-variable quantum network coding [45]. The
scheme is based on the CVQNC scheme with prior entanglement. A source node
applies Bell detection to two of its quantum states and displaces another quantum
state according to the measurement results. Then it sends the displaced quantum state
to a target node and the measurement results to an intermediate node, respectively. For
the purpose of message authentication, the source node generates a quantum signature
of the measurement results and sends it to the intermediate node. Intermediate nodes
will generate homomorphic quantum signatures. Before a target node decodes the
quantum message, it must verify the received quantum signatures.
8.3.2 Secure CVQNC Scheme

The network setting is presented in Fig. 8.6. s1 and s2 are source nodes and signers,
r1 and r2 are intermediate nodes, and t1 and t2 are target nodes and verifiers.
The scheme is described as follows:
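Step 1. Setup phase. $s_1$ shares secret keys $k_{A_1}$ and $k_{A_2}$ with target nodes. $s_2$ shares
secret keys $k_{B_1}$ and $k_{B_2}$ with target nodes. $s_1$ and $s_2$ share two pairs of entangled states,
namely $(|\alpha_{11}\rangle, |\alpha_{12}\rangle)$ and $(|\alpha_{21}\rangle, |\alpha_{22}\rangle)$, and $s_i$ (i = 1, 2) holds the ith modes of the
entangled states. $r_1$ prepares two pairs of entangled states, namely $(|\alpha_1\rangle, |\alpha_2\rangle)$ and
$(|\alpha_3\rangle, |\alpha_4\rangle)$. A pair of entangled states $(|\alpha_1\rangle, |\alpha_2\rangle)$ meet the following correlations
$$
\begin{cases}
\hat{x}_1 = (e^{r}\hat{x}_1^{(0)} + e^{-r}\hat{x}_2^{(0)})/\sqrt{2} \\
\hat{p}_1 = (e^{-r}\hat{p}_1^{(0)} + e^{r}\hat{p}_2^{(0)})/\sqrt{2} \\
\hat{x}_2 = (e^{r}\hat{x}_1^{(0)} - e^{-r}\hat{x}_2^{(0)})/\sqrt{2} \\
\hat{p}_2 = (e^{-r}\hat{p}_1^{(0)} - e^{r}\hat{p}_2^{(0)})/\sqrt{2}
\end{cases},
\qquad
\begin{cases}
\langle(\hat{x}_1 - \hat{x}_2)^2\rangle = e^{-2r}/2 \\
\langle(\hat{p}_1 + \hat{p}_2)^2\rangle = e^{-2r}/2
\end{cases},
$$
where $\hat{x}_k^{(0)}$ and $\hat{p}_k^{(0)}$ (k = 1, 2) are a conjugate pair of quadratures of a vacuum state
$|\alpha_k^{(0)}\rangle$ and $|\alpha_k^{(0)}\rangle = |x_k^{(0)} + ip_k^{(0)}\rangle$. Then $r_1$ sends $|\alpha_2\rangle$ to $s_1$ and $|\alpha_4\rangle$ to $s_2$.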

Fig. 8.6 CVQNC scheme against pollution attacks

Step 2. Encoding phase. $s_1$ applies Bell detection to $|\alpha_{21}\rangle$ and its signal mode $|\alpha_A\rangle$.
Concretely, it mixes two modes at a 50:50 beam splitter (BS) and applies homodyne
detection to the output states. Then it displaces the quadratures of $|\alpha_{11}\rangle$ according
to the measurement results $(x_{A_1}, p_{A_1})$, where $x_{A_1}$ is the measurement result of the x
quadrature of $|\alpha_A + \alpha_{21}\rangle$ and $p_{A_1}$ the p quadrature of $|\alpha_A - \alpha_{21}\rangle$. The displaced mode
is denoted as $|\alpha'_{11}\rangle$.
Similarly, $s_2$ applies Bell detection to $|\alpha_{12}\rangle$ and its signal mode $|\alpha_B\rangle$. Then it
displaces the quadratures of $|\alpha_{22}\rangle$ according to the measurement results $(x_{B_2}, p_{B_2})$.
The displaced mode is denoted as $|\alpha'_{22}\rangle$.
Step 3. Signing phase. $s_1$ generates a real number a from $(x_{A_1}, p_{A_1})$ according to
an encoding rule which is predetermined among all nodes. Then $s_1$ uses secret keys
$k_{A_1}$ and $k_{A_2}$ to generate a signature of a, which is denoted by $S_{k_A}(a)$. $S_{k_A}(a) = \hat{D}(m_a + m_{k_{A_1}} + m_{k_{A_2}})|\alpha\rangle$, where $\hat{D}(\gamma) = \exp(\gamma\hat{a}^{\dagger} - \gamma^{*}\hat{a})$ is the displacement operator. $m_a$,
$m_{k_{A_1}}$ and $m_{k_{A_2}}$ are complex numbers, namely $m_a = a + ia$, $m_{k_{A_1}} = k_{A_1} + ik_{A_1}$, $m_{k_{A_2}} = x_{k_{A_2}} + ip_{k_{A_2}}$, where $x_{k_{A_2}}$ and $p_{k_{A_2}}$ satisfy
$$
\begin{cases}
x_{k_{A_2}} = k_{A_2},\; p_{k_{A_2}} = 0 & \text{if } a + k_{A_2} \text{ is odd} \\
x_{k_{A_2}} = 0,\; p_{k_{A_2}} = k_{A_2} & \text{if } a + k_{A_2} \text{ is even}
\end{cases}
$$
$s_1$ sends $m_A = a + ia$ and $S_{k_A}(a)$ to $r_1$ and $|\alpha'_{11}\rangle$ to $t_2$.

Similarly, $s_2$ generates a real number b from $(x_{B_2}, p_{B_2})$ and generates its signature
$S_{k_B}(b)$. Then $s_2$ sends $m_B = b + ib$ and $S_{k_B}(b)$ to $r_1$ and $|\alpha'_{22}\rangle$ to $t_1$.
Step 4. Combining phase. $r_1$ applies Bell detection to $|\alpha_1\rangle$ and $|\alpha_3\rangle$, and denotes
output states as $|\alpha'_1\rangle$ and $|\alpha'_3\rangle$. Then $r_1$ mixes $S_{k_A}(a)$ and $S_{k_B}(b)$ at a 50:50 BS and
denotes output states as $|\alpha''_2\rangle$ and $|\alpha''_4\rangle$. After that, $r_1$ sends $|\alpha'_1\rangle$, $|\alpha'_3\rangle$, $|\alpha''_2\rangle$, $|\alpha''_4\rangle$,
and $m_A + m_B^*$ to $r_2$.
Step 5. Copying phase. After applying homodyne detection to the received quantum
states, $r_2$ prepares quantum states $|\alpha_5\rangle$, $|\alpha_6\rangle$, $|\alpha_7\rangle$, and $|\alpha_8\rangle$ according to measurement
results, where $x_5 = x'_1$, $p_6 = p'_3$, $x_7 = x''_2$, and $p_8 = p''_4$. Then $r_2$ sends
$|\alpha'_1\rangle$, $|\alpha'_3\rangle$, $|\alpha''_2\rangle$, and $|\alpha''_4\rangle$ to $t_1$, and sends $|\alpha_5\rangle$, $|\alpha_6\rangle$, $|\alpha_7\rangle$, and $|\alpha_8\rangle$ to $t_2$.
Step 6. Verifying phase. $t_1$ applies homodyne detection to the received quantum
states and calculates
$$x_V = \sqrt{2}\,(x''_2 - \tau x'_1)$$
and
$$p_V = \sqrt{2}\,(p''_4 - \tau p'_3)$$
according to measurement results. Then $t_1$ calculates $x'_V = a + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}}$ and $p'_V = a + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}$ according to the classical message
and pre-shared secret keys. If $H_x = (x_V - \tau x'_V)^2 \leq H_{th}$ and $H_p = (p_V - \tau p'_V)^2 \leq H_{th}$, $t_1$ will confirm that the messages are from $s_1$ and $s_2$. Otherwise,
$t_1$ will deny the signatures and abort the protocol. $t_2$ verifies the signatures in
a similar way.
Step 7. Decoding phase. $t_1$ applies displacement operator to $|\alpha'_{22}\rangle$ so as to obtain
$|\alpha_A\rangle$, which displaces the x quadrature by $x_{A_1} + x_{B_2}$ and the p quadrature by $p_{A_1} + p_{B_2}$.
Similarly, $t_2$ obtains $|\alpha_B\rangle$.

8.3.3 Performance Analysis

In this section, we will analyze the performance of the scheme from the perspectives
of fidelity and network throughput.
A. Fidelity
Here we consider the quantum state at the target node t1 . The case of the target
node t2 will be the same for the reason of symmetry. Assume the entangled states
shared between two source nodes are ideal, i.e., perfectly correlated and maximally
entangled, r → ∞.
 
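After step 2, the two quadratures of $|x'_{22} + ip'_{22}\rangle$ are
$$
\begin{cases}
\hat{x}'_{22} = \hat{x}_{22} - \hat{x}_B + \hat{x}_{12} \\
\hat{p}'_{22} = \hat{p}_{22} - \hat{p}_B - \hat{p}_{12}
\end{cases}
$$
At $t_1$, $\hat{x}'_{22}$ is displaced as
$$
\begin{aligned}
\hat{x}'_{22} \rightarrow \hat{x}''_{22} &= \hat{x}'_{22} + 2(\hat{x}_{A_1} + \hat{x}_{B_2}) \\
&= \hat{x}_A - \hat{x}_{21} + \hat{x}_{22} \\
&= \hat{x}_A - 2e^{-r}\hat{x}_2^{(0)}.
\end{aligned}
$$
Similarly, $\hat{p}'_{22}$ is displaced as
$$
\begin{aligned}
\hat{p}'_{22} \rightarrow \hat{p}''_{22} &= \hat{p}'_{22} + 2(\hat{p}_{A_1} + \hat{p}_{B_2}) \\
&= \hat{p}_A + \hat{p}_{21} + \hat{p}_{22} \\
&= \hat{p}_A + 2e^{-r}\hat{p}_1^{(0)}.
\end{aligned}
$$
When r increases to infinity, the final quantum state at $t_1$ becomes $|\hat{x}_A + i\hat{p}_A\rangle$,
which is the same as the quantum state sent by $s_1$. As a result, we can conclude that
our CVQNC scheme can transmit two quantum states perfectly across the network
by a single network use. The fidelity of the scheme is 1.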
B. Network throughput
Assume that a coherent state $|x + ip\rangle$ is modulated with classical characters, i.e.,
$x, p \in \{0, 1, ..., N - 1\}$. When the classical character set for modulation has N elements,
each character contains $\log_2 N$ bits of information. In the proposed CVQNC
scheme, each target node receives one coherent state with a fidelity of 1. So each
target node can receive $2\log_2 N$ bits of classical information by a single network use when
applying the CVQNC scheme.
As a matter of fact, coherent states are nonorthogonal, which means they cannot
be perfectly distinguished to yield the ideal entropy calculated. The square of the
inner product of two arbitrary coherent states $|\alpha\rangle$ and $|\beta\rangle$ is
$$|\langle\beta|\alpha\rangle|^2 = e^{-|\alpha-\beta|^2}. \tag{8.18}$$
Equation 8.18 shows that coherent states $|\alpha\rangle$ and $|\beta\rangle$ are approximately orthogonal
when $|\alpha - \beta| \gg 1$ so they can be measured by heterodyne detection with high accuracy.
The condition $|\alpha - \beta| \gg 1$ requires the elements of classical character set to
have large values, which may be impractical for implementation.

8.3.4 Security Analysis

The CVQNC scheme utilizes quantum homomorphic signature to resist pollution
attacks. To successfully tamper with or forge messages, an attacker Eve or dishonest
intermediate nodes must forge a signature that can pass verification. Meanwhile, a
legitimate source node may attempt to deny that it has sent a message to a target node.
In this section, we will analyze the security of the scheme from the perspectives of
unforgeability and non-repudiation.
A. Unforgeability
Firstly, we analyze whether secret keys can be calculated on the basis of the classical
messages and quantum states transmitted in the channels.
By eavesdropping the link $s_1 \rightarrow r_1$, an attacker Eve cannot calculate the secret
keys $k_{A_1}$ and $k_{A_2}$ on the basis of $m_A = a + ia$ and $|\alpha_2 + m_A + m_{k_{A_1}} + m_{k_{A_2}}\rangle$. Similarly,
for the link B → $r_1$, the secret keys $k_{B_1}$ and $k_{B_2}$ cannot be calculated.
By eavesdropping the link $r_1 \rightarrow r_2 \rightarrow t_1$, Eve can intercept the classical message
$m_A + m_B^*$ and the quantum states
$$
\begin{cases}
|\tfrac{1}{\sqrt{2}}\,\alpha_+\rangle \\
|\tfrac{1}{\sqrt{2}}(\alpha_+^* + m_A + m_B + m_{k_{A_1}} + m_{k_{A_2}} + m_{k_{B_1}} + m_{k_{B_2}})\rangle \\
|\tfrac{1}{\sqrt{2}}\,\alpha_-\rangle \\
|\tfrac{1}{\sqrt{2}}(\alpha_-^* + m_A - m_B + m_{k_{A_1}} + m_{k_{A_2}} - m_{k_{B_1}} - m_{k_{B_2}})\rangle
\end{cases}
$$
Owing to the famous uncertainty principle, two quadratures x and p cannot be
precisely measured at the same time. To calculate as much information as possible,
Eve needs to measure the x quadrature of part of the quantum states and the p
quadrature of the other part of the quantum states. Without loss of generality, we
assume Eve measures the x quadrature of $|\alpha'_1\rangle$ and $|\alpha''_2\rangle$ and the p quadrature of $|\alpha'_3\rangle$
and $|\alpha''_4\rangle$. Eve can only calculate $k_{A_1} + x_{k_{A_2}} + k_{B_1} + x_{k_{B_2}}$ and $k_{A_1} + p_{k_{A_2}} - k_{B_1} - p_{k_{B_2}}$
on the basis of the measurement results and $m_A + m_B^*$. So the secret keys $k_{A_1}$, $k_{A_2}$,
$k_{B_1}$, and $k_{B_2}$ cannot be calculated.
Secondly, we analyze whether an attacker Eve or a dishonest intermediate node
r2 can forge the signature of a legitimate source node.
In the verifying phase, t1 and t2 use pre-shared secret keys to verify a signature.
So Eve and r2 must obtain secret keys to forge a signature that can pass verification.
It has been proved that Eve and r2 cannot calculate secret keys on the basis of the
classical messages and the quantum states transmitted in the channels. Assume the
secret keys are distributed securely in the setup phase, then it is impossible for Eve
and r2 to have the secret keys. So Eve and r2 cannot forge the signature of a legitimate
signer.
In fact, even if Eve and $r_2$ obtain the secret keys in the setup phase, they cannot
forge the signature of a legitimate signer because they do not share entangled states
with $r_1$. Assume Eve or $r_2$ has a quantum state $|\alpha_0\rangle = |x_0 + ip_0\rangle$ and the secret
keys of A, namely $k_{A_1}$ and $k_{A_2}$. It signs a message e with secret keys $k_{A_1}$ and $k_{A_2}$
and generates the signature $S^E_{k_A}(e) = |\alpha_0 + m_E + m_{k_{A_1}} + m_{k_{A_2}}\rangle = |\alpha_E\rangle$, where $m_E = e + ie$.
Then it substitutes the classical message and the signature of A with $m_E$ and
$|\alpha_E\rangle$, respectively. In the verifying phase, $t_1$ calculates
$$
\begin{cases}
x_V = x_0 - x_1 + e + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}} \\
p_V = p_1 - p_0 + e + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}
\end{cases}
$$
and
$$
\begin{cases}
x'_V = e + k_{A_1} + x_{k_{A_2}} + b + k_{B_1} + x_{k_{B_2}} \\
p'_V = e + k_{A_1} + p_{k_{A_2}} - b - k_{B_1} - p_{k_{B_2}}
\end{cases}
$$
It is obvious that $x_V \neq x'_V$ and $p_V \neq p'_V$. $t_1$ confirms the existence of an attacker
or a dishonest intermediate node and denies the signatures. The case of $t_2$ will be the
same for the reason of symmetry. In conclusion, Eve and $r_2$ cannot forge the signature
of a legitimate source node.
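
The classical bookkeeping behind Steps 3 and 6 and behind the two arguments above (keys cannot be recovered from the combined quadratures; leaked keys without shared entanglement still fail verification) can be checked numerically. The Python code below is an added example, not taken from the book: it assumes the ideal case (τ = 1, infinite squeezing, H_th = 0), integer messages and keys, and hypothetical function names and sample values, and it models an eavesdropper who learns both combined quadrature values exactly.

```python
import itertools
import random
from collections import namedtuple

Keys = namedtuple("Keys", ["k1", "k2"])  # one signer's pre-shared key pair


def encode_k2(message, k2):
    """Step 3 rule: k2 rides on x if message + k2 is odd, on p if it is even."""
    return (k2, 0) if (message + k2) % 2 == 1 else (0, k2)


def expected_quadratures(a, b, keys_a, keys_b):
    """Values the verifier recomputes from the classical (a, b) and shared keys."""
    x_ka2, p_ka2 = encode_k2(a, keys_a.k2)
    x_kb2, p_kb2 = encode_k2(b, keys_b.k2)
    x = a + keys_a.k1 + x_ka2 + b + keys_b.k1 + x_kb2
    p = a + keys_a.k1 + p_ka2 - b - keys_b.k1 - p_kb2
    return x, p


def verify(measured, a, b, keys_a, keys_b, tau=1.0, h_th=0.0):
    """Step 6: accept only if H_x <= H_th and H_p <= H_th."""
    x_v, p_v = measured
    x_exp, p_exp = expected_quadratures(a, b, keys_a, keys_b)
    h_x = (x_v - tau * x_exp) ** 2
    h_p = (p_v - tau * p_exp) ** 2
    return h_x <= h_th and h_p <= h_th


def honest_measurement(a, b, keys_a, keys_b):
    """Ideal limit: entangled reference modes cancel, leaving message + keys."""
    return expected_quadratures(a, b, keys_a, keys_b)


def forged_measurement(e, b, keys_a, keys_b, rng):
    """Forger signs e with A's leaked keys on a state |x0 + i p0> that is not
    entangled with the intermediate node's mode |x1 + i p1>, so the residuals
    x0 - x1 and p1 - p0 survive in what the verifier measures."""
    x0, p0, x1, p1 = (rng.gauss(0.0, 1.0) for _ in range(4))  # constructed spread
    x_exp, p_exp = expected_quadratures(e, b, keys_a, keys_b)
    return x0 - x1 + x_exp, p1 - p0 + p_exp


def keys_consistent_with(a, b, observed, key_max):
    """Every integer key tuple in 1..key_max reproducing the two combined
    quadrature values, i.e. all the eavesdropper cannot tell apart."""
    hits = []
    for ka1, ka2, kb1, kb2 in itertools.product(range(1, key_max + 1), repeat=4):
        candidate = (Keys(ka1, ka2), Keys(kb1, kb2))
        if expected_quadratures(a, b, *candidate) == observed:
            hits.append(candidate)
    return hits


# Constructed sample values (assumptions, not from the book).
A_MSG, B_MSG = 3, 4
KEYS_A, KEYS_B = Keys(5, 2), Keys(1, 6)

if __name__ == "__main__":
    honest = honest_measurement(A_MSG, B_MSG, KEYS_A, KEYS_B)
    print("honest signature accepted:",
          verify(honest, A_MSG, B_MSG, KEYS_A, KEYS_B))
    print("tampered message a=8 accepted:",
          verify(honest, 8, B_MSG, KEYS_A, KEYS_B))
    forged = forged_measurement(9, B_MSG, KEYS_A, KEYS_B, random.Random(7))
    print("forgery with leaked keys accepted:",
          verify(forged, 9, B_MSG, KEYS_A, KEYS_B))
    candidates = keys_consistent_with(A_MSG, B_MSG, honest, key_max=6)
    print("key tuples matching the eavesdropper's view:", len(candidates))
```

With a nonzero H_th the same `verify` call applies; only the threshold and τ arguments change.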
Thirdly, we analyze whether a dishonest intermediate node r1 can forge the sig-
natures of a legitimate source node under the assumption of secure secret key distri-
bution.
According to the assumption that secret keys are distributed securely, r1 cannot
obtain the secret keys kA1 , kA2 , kB1 and kB2 . Instead, r1 can only calculate kA1 + xkA2 +
kB1 + xkB2 and kA1 + pkA2 − kB1 − pkB2 .
Assume $r_1$ substitutes $m_{A+B}$ with a fake message $m^M_{A+B}$. It needs to prepare
two quantum states $|\alpha_2^M\rangle = |\tfrac{1}{\sqrt{2}}(\alpha_+^* + m_2^M)\rangle$ and $|\alpha_4^M\rangle = |\tfrac{1}{\sqrt{2}}(\alpha_-^* + m_4^M)\rangle$ to substitute
the original signatures $|\alpha''_2\rangle$ and $|\alpha''_4\rangle$, respectively. Here, $m_2^M$ and $m_4^M$ are
complex numbers and expressed as $m_2^M = x_2^M + ip_2^M$ and $m_4^M = x_4^M + ip_4^M$. In the
verifying phase, $t_1$ measures quantum states and calculates $x_V = x_2^M$ and $p_V = p_4^M$.
According to $m^M_{A+B}$, $t_1$ calculates $a'$ and $b'$ that satisfy $a' + b' + i(a' - b') = m^M_{A+B}$.
Then $m'_{k_{A_{1(2)}}} = x'_{k_{A_{1(2)}}} + ip'_{k_{A_{1(2)}}}$ can be calculated according to the pre-shared secret
keys $k_{A_2}$ and $k_{B_2}$. After that, $t_1$ calculates $x'_V = x^M_{A+B} + k_{A_1} + x'_{k_{A_2}} + k_{B_1} + x'_{k_{B_2}}$ and
$p'_V = p^M_{A+B} + k_{A_1} + p'_{k_{A_2}} - k_{B_1} - p'_{k_{B_2}}$. Finally, $t_1$ calculates $H_x = (x_V - \tau x'_V)^2$ and
$H_p = (p_V - \tau p'_V)^2$. If $H_x \leq H_{th}$ and $H_p \leq H_{th}$, $t_1$ accepts the signatures. Otherwise,
$t_1$ denies the signatures.
To make the fake signatures pass verification, $r_1$ should choose $m_2^M$, $m_4^M$, and
$m^M_{A+B}$ to satisfy
$$
\begin{cases}
x_2^M = x^M_{A+B} + k_{A_1} + x'_{k_{A_2}} + k_{B_1} + x'_{k_{B_2}} \\
p_4^M = p^M_{A+B} + k_{A_1} + p'_{k_{A_2}} - k_{B_1} - p'_{k_{B_2}}
\end{cases}
$$
Since $r_1$ cannot obtain $k_{A_2}$ and $k_{B_2}$, it cannot calculate the correct values for $m'_{k_{A_1}}$
and $m'_{k_{A_2}}$. So $r_1$ cannot forge the signatures of a legitimate source node.

B. Non-repudiation
Assume secret keys are distributed securely in the setup phase and the target nodes
are honest. It has been proved that an attacker Eve and dishonest intermediate nodes
cannot perform forgery, so only the signatures generated by pre-shared secret keys
can pass verification. It has also been proved that secret keys cannot be calculated, so
nobody but legitimate source nodes and target nodes can obtain the secret keys. Since
the target nodes are honest, they always announce the correct verification results and
will not forge signatures. Therefore, a source node cannot repudiate its signature
after it has passed verification.

8.4 Summary

In this chapter, we introduced two feasible CVQNC schemes. The first scheme uses
the Gaussian cloning and ADD/SUB operators as the counterparts of key opera-
tions of quantum network coding. As quantum states cannot be cloned perfectly, the
fidelity of this scheme is constrained to be 1/2, which is rather low compared with the
existing DVQNC schemes. With the help of extra resources, i.e., pre-shared entangle-
ment and classical communication, the second scheme can transmit quantum states
with a fidelity of 1. By encoding classical information on quantum states, quantum
network coding schemes can be utilized to transmit classical information. Scheme
analysis shows that the CVQNC schemes have a great advantage over discrete-variable
paradigms in network throughput from the viewpoint of classical information transmission.
Thus, CVQNC is a meaningful direction for quantum communication from
the perspective of efficiency and practicability.
Then we introduced a CVQHS scheme. The scheme is based on continuous-
variable entanglement swapping and provides additive and subtractive homomor-
phism. The CVQHS scheme is a basic model for verifying two different data sources
in a quantum network and future work is needed to extend it to multiple data sources.
Furthermore, we introduced a continuous-variable quantum network coding scheme
against pollution attacks. By combining continuous-variable quantum homomorphic
signature, the scheme can verify the identity of different data sources. As long as
quantum signatures pass verification, target nodes can decode their quantum states
and obtain the correct messages. Security analysis shows that the scheme is secure
against forgery and repudiation.

References

1. Braunstein, S.L., Loock, P.V.: Quantum information with continuous variables. Rev. Mod.
Phys. 77(2), 513–577 (2005)
2. Vaidman, L.: Teleportation of quantum states. Phys. Rev. A 49(2), 1473–1476 (1994)
3. Hillery, M.: Quantum cryptography with squeezed states. Phys. Rev. A 61(2), 022309 (1999)
4. Cerf, N.J., Levy, M., Assche, G.V.: Quantum distribution of gaussian keys using squeezed
states. Phys. Rev. A 63(5), 535–540 (2001)
5. Frederic, G., Philippe, G.: Continuous variable quantum cryptography using coherent states.
Phys. Rev. Lett. 88(5), 057902 (2002)
6. Bartlett, S.D., Sanders, B.C., Braunstein, S.L., et al.: Efficient classical simulation of continuous
variable quantum information processes. Phys. Rev. Lett. 88(9), 47–55 (2001)
7. Miwa, Y., Yoshikawa, J.I., van Loock, P., et al.: Demonstration of a universal one-way quantum
quadratic phase gate. Phys. Rev. A 80(5), 050303 (2009)
8. Cerf, N.J., Ipe, A., Rottenberg, X.: Cloning of continuous quantum variables. Phys. Rev. Lett.
85(8), 1754–1757 (2000)
9. Fiurasek, J.: Optical implementation of continuous-variable quantum cloning machines. Phys.
Rev. Lett. 86(21), 4942 (2001)
10. Andersen, U.L., Josse, V., Leuchs, G.: Unconditional quantum cloning of coherent states with
linear optics. Phys. Rev. Lett. 94(24), 240503 (2005)
11. Zeng, G., Lee, M., Guo, Y., et al.: Continuous variable quantum signature algorithm. Int. J.
Quantum Inf. 5(4), 553–573 (2007)
12. Weedbrook, C., Lance, A.M., Bowen, W.P., et al.: Quantum cryptography without switching.
Phys. Rev. Lett. 93(17), 170504-1–170504-4 (2004)
13. Zavatta, A., Fiurasek, J., Bellini, M.: A high-fidelity noiseless amplifier for quantum light
states. Nat. Photonics 5(1), 52–60 (2011)
14. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding for coherent states.
Quantum Inf. Process. 16(4), 107 (2017)
15. Hayashi, M., Iwama, K., Nishimura, H., et al.: Quantum network coding. In: IEEE Annual
Symposium on Theoretical Aspects of Computer Science (STACS), pp. 610–621 (2007)
16. Grosshans, F., Grangier, P.: Quantum cloning and teleportation criteria for continuous quantum
variables. Phys. Rev. A 64(1), 783–797 (2001)
17. Bernstein, H.J.: Must quantum theory assume unrestricted superposition? J. Math. Phys. 15(10),
1677–1679 (1974)
18. Braunstein, S.L., Kimble, H.J.: Teleportation of continuous quantum variables. Phys. Rev. Lett.
80(4), 869 (1998)
19. Hayashi, M.: Prior entanglement between senders enables perfect quantum network coding
with modification. Phys. Rev. A 76(4), 538–538 (2007)
20. Braunstein, S.L., Fuchs, C.A., Kimble, H.J.: Criteria for continuous-variable quantum telepor-
tation. J. Mod. Opt. 47(2–3), 267–278 (2000)
21. Banaszek, K.: Optimal receiver for quantum cryptography with two coherent states. Phys. Lett.
A 253(1), 12–15 (1999)
22. van Enk, S.J.: Unambiguous state discrimination of coherent states with linear optics: applica-
tion to quantum cryptography. Phys. Rev. A 66, 042313 (2002)
23. Muller, C., Usuga, M.A., Wittmann, C., et al.: Quadrature phase shift keying coherent state
discrimination via a hybrid receiver. New J. Phys. 14(8), 83009–83021 (2012)
24. Becerra, F.E., Fan, J., Migdall, A.: Implementation of generalized quantum measurements for
unambiguous discrimination of multiple non-orthogonal coherent states. Nat. Commun. 4(3),
131–140 (2013)
25. da Silva, M.P., Guha, S., Dutton, Z.: Optimal discrimination of M coherent states with a small
quantum computer. In: International Conference on Quantum Communication, Measurement
and Computation (QCMC), vol. 1633, no. 1, pp. 225–227 (2014)
26. Gottesman, D., Kitaev, A., Preskill, J.: Encoding a qubit in an oscillator. Phys. Rev. A 64(1),
012310 (2001)
27. Chuang, I.L., Leung, D.W., Yamamoto, Y.: Bosonic quantum codes for amplitude damping.
Phys. Rev. A 56(2), 1114 (1997)
28. Holevo, A.S., Werner, R.F.: Evaluating capacities of bosonic Gaussian channels. Phys. Rev. A
63(3), 032312 (2001)
29. Holevo, A.S.: One-mode quantum Gaussian channels: structure and quantum capacity. Probl.
Inf. Transm. 43(1), 1–11 (2007)
30. Weedbrook, C., Pirandola, S., Garcia-Patron, R., et al.: Gaussian quantum information. Rev.
Mod. Phys. 84(2), 621 (2012)
31. Caruso, F., Giovannetti, V.: Degradability of bosonic Gaussian channels. Phys. Rev. A 74(6),
062307 (2006)
32. Cubitt, T., Elkouss, D., Matthews, W., et al.: Unbounded number of channel uses may be
required to detect quantum capacity. Nat. Commun. 6, 6739 (2015)
33. Caves, C.M.: Quantum limits on noise in linear amplifiers. Phys. Rev. D 26(8), 1817 (1982)
34. Li, Q., Chan, W.H., Wu, C., Wen, Z.: On the existence of quantum signature for quantum
messages. Int. J. Theor. Phys. 52(12), 4335–4341 (2013)
35. Clarke, P.J., Collins, R.J., Dunjko, V., et al.: Experimental demonstration of quantum digital
signatures using phase-encoded coherent states of light. Nat. Commun. 3, 1174 (2012)
36. Collins, R.J., Donaldson, R.J., Dunjko, V., et al.: Realization of quantum digital signatures
without the requirement of quantum memory. Phys. Rev. Lett. 113(4), 040502 (2014)
37. Guo, Y., Feng, Y., Huang, D., et al.: Arbitrated quantum signature scheme with continuous-
variable coherent states. Int. J. Theor. Phys. 55(4), 2290–2302 (2016)
38. Croal, C., Peuntinger, C., Heim, B., et al.: Free-space quantum signatures using heterodyne
measurements. Phys. Rev. Lett. 117(10), 100503 (2016)
39. Donaldson, R.J., Collins, R.J., Kleczkowska, K., et al.: Experimental demonstration of
kilometer-range quantum digital signatures. Phys. Rev. A 93(1), 012329 (2016)
40. Shang, T., Zhao, X.J., Wang, C., et al.: Quantum homomorphic signature. Quantum Inf. Process.
14(1), 393–410 (2015)
41. Luo, Q.B., Yang, G.W., She, K., et al.: Quantum homomorphic signature based on Bell-state
measurement. Quantum Inf. Process. 15(12), 5051–5061 (2016)
42. Li, K., Shang, T., Liu, J.W.: Continuous-variable quantum homomorphic signature. Quantum
Inf. Process. 16(10), 246 (2017)
43. Zukowski, M., Zeilinger, A., Horne, M.A., et al.: ‘Event-ready-detectors’ Bell experiment via
entanglement swapping. Phys. Rev. Lett. 71(26), 4287 (1993)
44. Polkinghorne, R.E.S., Ralph, T.C.: Continuous variable entanglement swapping. Phys. Rev.
Lett. 83(11), 2095 (1999)
45. Shang, T., Li, K., Liu, J.W.: Continuous-variable quantum network coding against pollution
attacks. In: 2018 IEEE Information Theory Workshop (ITW), 25–29 November 2018 (Submit-
ted)
Part II
Security Analysis Method
Chapter 9
Security Analysis of Quantum
Cryptographic Protocols

In this chapter, we review the principle of some common quantum attacks, such as
intercept-and-resend attack, teleportation attack, man-in-the-middle attack, partic-
ipant attack and implementation attack. Also, we introduce some general security
analysis methods, such as BAN logic, random oracle model and quantum-accessible
random oracle model. These methods for classical cryptographic protocols can pro-
vide effective tools for quantum cryptographic protocols.

9.1 Main Attacks

In this section, we introduce the main attacks on quantum protocols. Although many
attacks are devised for particular protocols, we can still identify representative
attack models against various quantum protocols, including quantum key
distribution (QKD), quantum secure direct communication (QSDC) and quantum
secret sharing (QSS).

9.1.1 Intercept-and-Resend Attack

The intercept-and-resend attack is the most common type of attack used on quantum
protocols. An eavesdropper interrupts the quantum channel and measures each quantum
signal received from the sender in one of the measurement bases defined by the
protocol, chosen at random. The eavesdropper then sends a quantum signal on to the
receiver, replacing the compromised signal with another signal, without leaving
traces of the attack.
We present an example of an intercept-and-resend attack on QKD. In the naive
intercept-and-resend attack, Eve intercepts the photons coming from the sender Alice
and measures them in her own predefined basis. Since detectors are highly efficient
in the ideal environment, Eve can get hold of each photon. Eve follows the scheme
shown as a decision tree in Fig. 9.1, which is drawn for the case of sending a bit
value 0. Eve then sends a replacement photon to Bob in her predefined basis. The
intensity of the pulse sent to Bob is adjusted so that Bob detects it at the same
rate. In a sense, Eve acts as an intermediary and detects the photons from Alice in
the same way as Bob would. Eve's efforts are said to be worthwhile if she succeeds
in getting $1/\sqrt{2}$ of Alice's information. In the error correction and privacy
amplification phase of the BB84 protocol, suppose $t$ error bits are detected. Using
this information, Alice and Bob can estimate that fewer than $e_1$ bits were
subjected to the intercept-and-resend attack. Furthermore, the amount of information
gained by Eve is not more than $e_1/\sqrt{2}$. In the naive intercept-and-resend
attack, the assumption is that Eve is not listening on the public channel during the
sifting phase of the BB84 protocol. This gives an information gain of approximately
0.2 bits out of every bit sent by Alice.

Fig. 9.1 Decision tree of Eve

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_9
The intercept-and-resend attack is also used against quantum protocols such as
Byzantine agreement [1] and QSDC [2]. Therefore, although the intercept-and-resend
attack is very simple in principle, it deserves careful attention.
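The following simulation is an added example, not part of the book. It shows what the legitimate parties observe when a fraction of BB84 pulses is intercepted and resent: the error rate in the sifted key, and an estimate of how many sifted bits passed through Eve. The lossless channel, ideal detectors, function names and the abort threshold are assumptions of this sketch.

```python
import random

RECT, DIAG = 0, 1  # the two BB84 measurement bases


def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis gives a coin flip."""
    return bit if meas_basis == prep_basis else rng.getrandbits(1)


def run_bb84(n_pulses, intercept_fraction, seed=1):
    """Simulate n_pulses of BB84 with Eve intercepting a fraction of them.

    Idealised model (assumption): lossless channel and perfect detectors, so
    every error in the sifted key is caused by the eavesdropper.
    """
    rng = random.Random(seed)
    sifted = errors = intercepted_sifted = eve_right_basis = 0
    for _ in range(n_pulses):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis          # state of the photon in flight
        hit = rng.random() < intercept_fraction
        e_basis = None
        if hit:
            e_basis = rng.getrandbits(1)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis                  # Eve resends in her own basis
        b_basis = rng.getrandbits(1)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis != a_basis:
            continue                         # discarded during sifting
        sifted += 1
        errors += b_bit != a_bit
        if hit:
            intercepted_sifted += 1
            eve_right_basis += e_basis == a_basis
    return {
        "sifted": sifted,
        "errors": errors,
        "qber": errors / sifted,
        "intercepted_sifted": intercepted_sifted,
        "eve_right_basis": eve_right_basis,
    }


def estimate_intercepted(errors):
    """Eve picks the wrong basis half the time, and Bob then reads a wrong bit
    half the time, so each intercepted sifted bit is wrong with probability
    1/4. About 4 * errors sifted bits therefore passed through Eve."""
    return 4 * errors


def eavesdropper_suspected(stats, qber_threshold):
    """Abort rule: flag the run when the observed error rate exceeds the
    threshold the operators have agreed for the channel (policy value)."""
    return stats["qber"] > qber_threshold


if __name__ == "__main__":
    for fraction in (0.0, 0.5, 1.0):
        s = run_bb84(20000, fraction)
        print(fraction, round(s["qber"], 3), estimate_intercepted(s["errors"]),
              s["intercepted_sifted"], eavesdropper_suspected(s, 0.05))
```

Full interception drives the sifted-key error rate towards 25%, and the error count alone lets Alice and Bob bound how many bits were exposed before privacy amplification.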

9.1.2 Teleportation Attack

Teleportation attack [3] was presented originally against a certain QSDC protocol [4].
However, it is demonstrated that quantum teleportation can be employed to weaken
the role of the order-rearrangement encryption in certain protocols. With the help of
this special attack, an eavesdropper can obtain half of the transmitted secret bits.
To understand this attack, we introduce the basic idea of the QSDC protocol
in [4]. At the beginning of the QSDC protocol, Alice's sending qubits are in the
states $|\phi_i^1\rangle = \hat{U}_y(\theta_i)|0\rangle = \cos\theta_i|0\rangle - \sin\theta_i|1\rangle$,
which looks as if Alice puts a lock $\hat{U}_y(\theta_i)$ on each carrier state
$|0\rangle$. Similarly, Bob also puts another lock $\hat{U}_y(\phi_i)$ on each
of them. Because $\theta_i$ and $\phi_i$ are randomly selected by Alice and Bob,
respectively, all locks can be removed only by the one who initially puts them on.
Afterward, Alice opens her locks by the operations $\hat{U}_y(-\theta_i)$ and encodes
her secret bits by $\hat{U}_y(\pm\frac{\pi}{4})$. Finally Bob removes his locks by
$\hat{U}_y(-\phi_i)$ and then obtains the secret bits by measurements. To extract the
transmitted bits, from the perspective of Eve who has no keys to these locks, the
only way is to acquire the qubits without any lock at a certain stage. However, Bob
will disorder the sequence before sending it. In this condition, the simple attack
would be invalid because Alice cannot remove her locks appropriately (the key and
the lock for a certain qubit are not matched due to the order-restoring operation
by Alice).
To resolve this problem, Eve can employ the technique of quantum teleportation.
When Eve sends the faked sequence $S_1^E$ to Alice, the role of the
order-rearrangement encryption would be weakened because Eve can also adjust the
order of her corresponding sequence $S_2^E$ according to Bob's announcement. In the
teleportation process, if Eve acquires one of the results
$\{|\Phi^+\rangle, |\Phi^-\rangle, |\Psi^+\rangle, |\Psi^-\rangle\}$,
she knows that the state of the corresponding qubit in Alice's hand would be one
of $\{\hat{I}|\phi_i^1\rangle, \hat{\sigma}_z|\phi_i^1\rangle, \hat{\sigma}_x|\phi_i^1\rangle, i\hat{\sigma}_y|\phi_i^1\rangle\}$,
respectively. At that time, if the sequence is in the control of Eve, she can change
each qubit into the (preferred) state $|\phi_i^1\rangle$ by one of the above
operations and subsequently eliminate the influence of the order-rearrangement
encryption completely. Thus, Eve can extract secret information if she obtains
$|\Phi^+\rangle$ or $|\Psi^-\rangle$ in a certain teleportation process, because both
$\hat{I}$ and $i\hat{\sigma}_y$ commute with Alice's operation
$\hat{U}_y(-\theta_i \pm \frac{\pi}{4})$.

9.1.3 Man-in-the-Middle Attack

The man-in-the-middle (MITM) attack is a very common attack method in classical
cryptography. Generally, the MITM attack is a form of active eavesdropping in which
the attacker makes independent connections with the victims and relays messages
between them, making them believe that they are talking directly to each other over a
private connection, when in fact the entire conversation is controlled by the attacker.
An MITM attack can succeed only when the attacker can impersonate each endpoint
to the satisfaction of the other. In quantum cryptography, there also exists the MITM
attack. For example, Zou and Qiu [5] considered the MITM attack on the QSDC
protocol.
We briefly explain why the MITM attack is feasible in QSDC. According to the
requirements of QSDC and the QSDC scheme [6], Alice and Bob do not share any
secret key or quantum entanglement in the QSDC scheme. Therefore, when Alice
receives the quantum information $|\psi\rangle$, she cannot confirm that it was
sent by Bob. Similarly, Bob cannot determine that the received quantum information
$|\psi'\rangle$ came from Alice. Furthermore, Alice and Bob do not discuss the
measurement results over the classical communication channel. Thereby, at the end of
the QSDC scheme, Alice cannot be sure that $|\psi\rangle$ was sent by Bob, and Bob
cannot be sure that $|\psi'\rangle$ came from Alice. Accordingly, the fact that
quantum messages cannot be authenticated in the QSDC scheme makes MITM attacks
possible. To deal with this problem, Alice must measure some of the quantum states
and discuss the measurement results with Bob over the unblocked classical public
communication channel before she encrypts the message $p$ and sends it to Bob.
MITM can also attack other quantum protocols. For example, Wang et al. [7]
considered the MITM attack on the BB84 protocol.

9.1.4 Participant Attack

In most multi-party quantum cryptographic protocols, participants tend to be more
aggressive than external attackers. This is because participants can use their legal
control of some carrier particles and participate in detecting eavesdropping processes
to enhance their attacks. We call this attack a ‘participant attack’. Therefore, when
analyzing the security of multi-party quantum cryptography protocols like QSS, we
should prevent dishonest participants from eavesdropping more carefully. Generally
speaking, if a multi-party protocol can resist participant attacks, then it can resist
external attacks and therefore is secure.
An example of participant attack against QSS is in [8]. In this attack, two dishonest
agents together can illegally recover the secret quantum state without the help of any
other controller, and it will not be detected by any other users.
We describe how participants Bob and Charlie1 in QSS protocol [9] can illegally
obtain the secret quantum state. After the secure distribution process of the particles,
Alice performs Bell measurements on particles p, 1 and particles q, 3 and announces
the measurement results via the classical channel. If Alice’s measurement results are
in the states of |+ p1 and |+q3 , the state of other particles would be projected.
At an appropriate time, if Charlie1 cooperates with Bob and sends the particle 4 to
Bob, Bob just performs σx on the particle 4, and then the particles 2 and 4 would
be in the state | pq . So Bob obtains the secret state in an illegal way. In the QSS
protocol, the process of detection aims to detect whether the particles have securely
arrived at each agent. This participant attack is performed after this process, so it
cannot be detected by other users. Thus, this strategy can successfully attack the QSS
protocol [9].

9.1.5 Implementation Attack

The attack methods described above are all from the viewpoint of theoretical analysis.
In the experimental implementation, the various devices are not as perfect as in the
theoretical hypothesis. Therefore, in addition to the theoretical attacks, there are
some attacks that are considered from an implementation perspective, such as faked
state attack [10], Trojan horse attack [11], and photon number splitting attack [12].

9.2 Security Analysis Methods

A variety of common attacks on quantum cryptographic protocols have been introduced
above. When analyzing the security of a quantum cryptographic protocol, a good way
is to consider all possible attacks. Of course, a more general security analysis is
preferable.
In classical cryptography, provable security is a way to analyze the security of
protocols in general. Provable security refers to a reduction approach: first,
determine the security objectives of a protocol; then build an adversary model based
on the capabilities of the adversary; finally, reduce the security of the protocol to
a mathematical assumption. Here we introduce the classical BAN logic model and random
oracle model, and the quantum-accessible random oracle model for post-quantum
cryptosystems.

9.2.1 BAN Logic

In 1989, Burrows, Abadi, and Needham [13] proposed a modal logic based on knowledge
and belief, namely BAN logic. BAN logic can be used to describe and verify
authentication protocols, the purpose of which is to analyze the security of authenti-
cation protocols in computer networks or distributed systems. After authentication,
three principals (people, computers, or services) should be entitled to believe that
they are communicating with each other and not with intruders.
Applying BAN logic to protocol analysis requires converting a protocol into
formulas in the BAN logic, i.e., performing the “idealization step” of the protocol,
and making reasonable postulates according to the specific situation. Logical rules
are then used to infer whether the protocol can achieve the desired goal based on
the idealized protocol and the postulates. The simplicity and practicality of this
style of protocol analysis have made BAN logic widely used.
Basic notation The logic distinguishes several sorts of objects: principals, encryption
keys, and formulas (also called statements). The symbols $A$, $B$, and $S$ denote specific
principals; $K_{ab}$, $K_{as}$, and $K_{bs}$ denote specific shared keys; $K_a$, $K_b$, and
$K_s$ denote specific public keys, and $K_a^{-1}$, $K_b^{-1}$, and $K_s^{-1}$ denote
corresponding secret keys; and $N_a$, $N_b$, and $N_c$ denote specific statements. The
symbols $P$, $Q$, and $R$ range over principals; $X$ and $Y$ range over statements; and
$K$ ranges over encryption keys.
The logic uses the following notation [14]:
$P$ believes $X$: $P$ believes $X$, or $P$ would be entitled to believe $X$.
$P$ sees $X$: $P$ sees $X$. Someone has sent a message containing $X$ to $P$, who can
read and repeat $X$ (possibly after doing some decryption).
$P$ said $X$: $P$ once said $X$. The principal $P$ at some time sent a message including
the statement $X$. It is not known whether the message was sent long ago or during
the current run of the protocol, but it is known that $P$ believed $X$ then.
$P$ controls $X$: $P$ has jurisdiction over $X$. The principal $P$ is an authority on $X$
and should be trusted on this matter.
fresh($X$): The formula $X$ is fresh, i.e., $X$ has not been sent in a message at any
time before the current run of the protocol.
$P \stackrel{K}{\leftrightarrow} Q$: $P$ and $Q$ may use the shared key $K$ to communicate.
The key $K$ is good, in that it will never be discovered by any principal except $P$ or
$Q$, or a principal trusted by either $P$ or $Q$.
$\stackrel{K}{\rightarrow} P$: $P$ has $K$ as a public key. The matching secret key
(denoted $K^{-1}$) will never be discovered by any principal except $P$ or a principal
trusted by $P$.
$P \stackrel{X}{\rightleftharpoons} Q$: The formula $X$ is a secret known only to $P$ and
$Q$, and possibly to principals trusted by them. Only $P$ and $Q$ may use $X$ to prove
their identities to one another.
$\{X\}_K$: This represents the formula $X$ encrypted under the key $K$. Formally, $\{X\}_K$
is a convenient abbreviation for an expression of the form $\{X\}_K$ from $P$.
$\langle X \rangle_Y$: This represents $X$ combined with the formula $Y$. It is intended
that $Y$ be a secret and that its presence proves the identity of whoever utters
$\langle X \rangle_Y$. In implementations, $X$ is simply concatenated with the password $Y$.
Logical postulates BAN logic has 19 inference rules. Some representative rules are
listed:
(1) The message-meaning rules: the interpretation of messages. Two of the three
concern the interpretation of encrypted messages, and the third concerns the
interpretation of messages with secrets. They all explain how to derive beliefs about
the origin of messages.
For shared keys, we postulate

$$\frac{P \text{ believes } Q \stackrel{K}{\leftrightarrow} P,\quad P \text{ sees } \{X\}_K}{P \text{ believes } Q \text{ said } X}$$

That is, if $P$ believes that the key $K$ is shared with $Q$ and sees $X$ encrypted under
$K$, then $P$ believes that $Q$ once said $X$.
For public keys, we postulate

$$\frac{P \text{ believes } \stackrel{K}{\rightarrow} Q,\quad P \text{ sees } \{X\}_{K^{-1}}}{P \text{ believes } Q \text{ said } X}$$

That is, if $P$ believes that $K$ is the public key of $Q$ (with $K^{-1}$ the matching
secret key) and sees $X$ encrypted under $K^{-1}$, then $P$ believes that $Q$ once said $X$.
For shared secrets, we postulate

$$\frac{P \text{ believes } Q \stackrel{Y}{\rightleftharpoons} P,\quad P \text{ sees } \langle X \rangle_Y}{P \text{ believes } Q \text{ said } X}$$

That is, if $P$ believes that the secret $Y$ is shared with $Q$ and sees
$\langle X \rangle_Y$, then $P$ believes that $Q$ once said $X$.
(2) The nonce-verification rule:

$$\frac{P \text{ believes fresh}(X),\quad P \text{ believes } Q \text{ said } X}{P \text{ believes } Q \text{ believes } X}$$

That is, if $P$ believes that $X$ could have been uttered only recently (in the present)
and that $Q$ once said $X$ (either in the past or in the present), then $P$ believes that
$Q$ believes $X$.
(3) The jurisdiction rule:

$$\frac{P \text{ believes } Q \text{ controls } X,\quad P \text{ believes } Q \text{ believes } X}{P \text{ believes } X}$$

That is, if $P$ believes that $Q$ has jurisdiction over $X$ then $P$ trusts $Q$ on the
truth of $X$.
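(4) The seeing rules:

$$\frac{P \text{ sees } (X, Y)}{P \text{ sees } X},\quad \frac{P \text{ sees } \langle X \rangle_Y}{P \text{ sees } X},\quad \frac{P \text{ believes } Q \stackrel{K}{\leftrightarrow} P,\ P \text{ sees } \{X\}_K}{P \text{ sees } X},$$

$$\frac{P \text{ believes } \stackrel{K}{\rightarrow} P,\ P \text{ sees } \{X\}_K}{P \text{ sees } X},\quad \frac{P \text{ believes } \stackrel{K}{\rightarrow} Q,\ P \text{ sees } \{X\}_{K^{-1}}}{P \text{ sees } X}$$

That is, if a principal sees a formula, then he also sees its components, provided he
knows the necessary keys.
(5) The freshness rules:

$$\frac{P \text{ believes fresh}(X)}{P \text{ believes fresh}(X, Y)},\quad \frac{P \text{ believes fresh}(X)}{P \text{ believes fresh}(\alpha X)}$$

That is, if one part of a formula is fresh, then the entire formula must also be fresh.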
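(6) The belief rules:

$$\frac{P \text{ believes } X,\ P \text{ believes } Y}{P \text{ believes } (X, Y)},\quad \frac{P \text{ believes } (X, Y)}{P \text{ believes } X},$$

$$\frac{P \text{ believes } Q \text{ believes } (X, Y)}{P \text{ believes } Q \text{ believes } X},\quad \frac{P \text{ believes } Q \text{ said } (X, Y)}{P \text{ believes } Q \text{ said } X}$$

(7) The key and secret rules:

$$\frac{P \text{ believes } R \stackrel{K}{\leftrightarrow} R'}{P \text{ believes } R' \stackrel{K}{\leftrightarrow} R},\quad \frac{P \text{ believes } Q \text{ believes } R \stackrel{K}{\leftrightarrow} R'}{P \text{ believes } Q \text{ believes } R' \stackrel{K}{\leftrightarrow} R},$$

$$\frac{P \text{ believes } R \stackrel{X}{\rightleftharpoons} R'}{P \text{ believes } R' \stackrel{X}{\rightleftharpoons} R},\quad \frac{P \text{ believes } Q \text{ believes } R \stackrel{X}{\rightleftharpoons} R'}{P \text{ believes } Q \text{ believes } R' \stackrel{X}{\rightleftharpoons} R}$$

(8) The session key rule:

$$\frac{A \text{ believes fresh}(K),\quad A \text{ believes } B \text{ believes } X}{A \text{ believes } A \stackrel{K}{\leftrightarrow} B}$$
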
Idealized protocol Authentication protocols are described by listing their messages.
Each message is typically written in the form

P → Q : message.

This denotes that the principal P sends a message to the principal Q. The message
is presented in an informal notation designed to suggest the bit-string that a con-
crete implementation would use. This presentation is often ambiguous and not an
appropriate basis for formal analysis.
Therefore, we transform each protocol step into an idealized form. A message in
the idealized protocol is a formula. For instance, the protocol step

$$A \rightarrow B : \{A, K_{ab}\}_{K_{bs}}$$

may tell $B$, who knows the key $K_{bs}$, that $K_{ab}$ is a key to communicate with $A$.
This step should then be idealized as

$$A \rightarrow B : \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}.$$

Idealized protocols usually ignore certain unimportant messages and elements.
The criterion for judging whether a message or element of the message is important is
whether the message or element of the message can help the principal establish a new
belief. In general, we omit cleartext communication simply because it can be forged,
and so its contribution to an authentication protocol is mostly one of providing hints
as to what might be placed in encrypted messages.
Protocol analysis BAN logic can solve four problems in the formal analysis of the
protocol:
(1) Does this protocol work? Can it be made to work?
(2) Exactly what does this protocol achieve?
(3) Does this protocol need more assumptions than another protocol?
(4) Does this protocol do anything unnecessary?
The analysis steps of the BAN logic are described as follows:
(1) Describe the initial state of the system with a logical language and establish an
initial set of postulates.
(2) Establish an idealized protocol model and convert the actual message of the
protocol into a formula that can be recognized by the BAN logic.
(3) Transform the message (P → Q : X ) into a logical language (Q sees X ).
(4) Apply inference rules to formally analyze the protocol and derive the analysis
results.
In order to analyze the idealized protocols, we annotate them with logical formu-
las. The main rules for deriving legal annotations are the following:
(1) If X holds before the message P → Q : Y , then both X and Q sees Y hold
afterward.
(2) If Y can be derived from X by the logical postulates, then Y holds whenever X
holds.
Step by step, we can follow the evolution from the initial beliefs to the final ones,
from the original assumptions to the conclusions.
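The four analysis steps can be mechanized. The sketch below is an added example, not code from the book: a small forward-chaining engine for five of the postulates listed above (message-meaning for shared keys, freshness, nonce-verification, belief and jurisdiction). It is run on the idealized step from this section with a timestamp Ts added; the timestamp, the server S having jurisdiction over the session key, and all function names are assumptions of the example.

```python
def bel(p, x): return ("bel", p, x)        # P believes X
def sees(p, x): return ("sees", p, x)      # P sees X
def said(p, x): return ("said", p, x)      # P said X
def ctrl(p, x): return ("ctrl", p, x)      # P controls X
def fresh(x): return ("fresh", x)          # fresh(X)
def key(k, p, q): return ("key", k, frozenset((p, q)))   # P <-K-> Q, symmetric
def enc(k, x): return ("enc", k, x)        # {X}_K
def pair(x, y): return ("pair", x, y)      # (X, Y)


def kind(f):
    """Operator of a formula; atoms such as timestamps are plain strings."""
    return f[0] if isinstance(f, tuple) else None


def step(facts):
    """One round of forward chaining over the postulates implemented here."""
    new = set()
    for f in facts:
        if kind(f) != "bel":
            continue
        p, x = f[1], f[2]
        if kind(x) == "key" and p in x[2] and len(x[2]) == 2:
            # Message-meaning rule for shared keys.
            (q,) = x[2] - {p}
            for g in facts:
                if (kind(g) == "sees" and g[1] == p
                        and kind(g[2]) == "enc" and g[2][1] == x[1]):
                    new.add(bel(p, said(q, g[2][2])))
        elif kind(x) == "said":
            q, y = x[1], x[2]
            # Freshness rule: one fresh component makes the whole formula fresh.
            if kind(y) == "pair" and any(bel(p, fresh(c)) in facts for c in y[1:]):
                new.add(bel(p, fresh(y)))
            # Nonce-verification rule.
            if bel(p, fresh(y)) in facts:
                new.add(bel(p, bel(q, y)))
        elif kind(x) == "bel":
            q, y = x[1], x[2]
            # Belief rule: a believed conjunction yields each component.
            if kind(y) == "pair":
                new.update(bel(p, bel(q, c)) for c in y[1:])
            # Jurisdiction rule.
            if bel(p, ctrl(q, y)) in facts:
                new.add(bel(p, y))
    return new - facts


def derive(assumptions, messages):
    """Annotate each message P -> Q : X as 'Q sees X', then close under the rules."""
    facts = set(assumptions) | {sees(receiver, x) for receiver, x in messages}
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new


# Constructed sample: the idealized step above with a timestamp Ts added.
#   A -> B : {Ts, A <-Kab-> B}_Kbs
K_AB = key("Kab", "A", "B")
MESSAGES = [("B", enc("Kbs", pair("Ts", K_AB)))]
BASE = [bel("B", key("Kbs", "B", "S")),    # B trusts the key it shares with S
        bel("B", ctrl("S", K_AB))]         # S has jurisdiction over the session key
GOAL = bel("B", K_AB)


def goal_reached(b_believes_ts_fresh):
    """Does B end up believing in Kab, with or without the freshness postulate?"""
    extra = [bel("B", fresh("Ts"))] if b_believes_ts_fresh else []
    return GOAL in derive(BASE + extra, MESSAGES)


if __name__ == "__main__":
    print(goal_reached(True), goal_reached(False))
```

Dropping the freshness postulate stops the derivation at "B believes S said (Ts, Kab)": B cannot rule out a replayed message, which is the kind of missing assumption the analysis is meant to expose.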

9.2.2 Random Oracle Model

The random oracle model is an important way to balance the provable security and
practicality of a cryptographic scheme compared with standard model. The idea is to
prove the scheme secure in a model in which every party, legitimate or malicious, has
access to a public random function. The idea of a public random function was first
introduced in 1986 by Fiat and Shamir [15]. They argued the security of a method
to turn identification schemes into signature schemes by assuming every party has
access to a public random function. This method was later used to provide a security
argument for blind signatures and electronic cash.
The random oracle model was formalized and popularized by Bellare and Rog-
away [16]. In particular, they showed that many “tricks” that were used to construct
cryptographic schemes could be proven secure in the random oracle model. Follow-
ing this, the random oracle model was used to argue the security of many efficient
cryptographic protocols.
The random oracle is a deterministic, publicly accessible function whose outputs are
uniformly distributed. For an input of any length, a value of fixed length is selected
uniformly from the output range as the answer to the query. The random oracle model
adds a publicly accessible random oracle to the standard model and idealizes a hash
function as a random oracle. Bellare and Rogaway described the random oracle
methodology as a paradigm. Suppose one has a protocol problem $\Pi$. In order to devise
a good protocol $P$ for $\Pi$:
(1) Find a formal definition for $\Pi$ in the model of computation in which all parties
(including the adversary) share a random oracle $R$.
(2) Devise an efficient protocol $P$ for $\Pi$ in this random oracle model.
(3) Prove that $P$ satisfies the definition for $\Pi$.
(4) Replace oracle accesses to $R$ by computation of a cryptographic hash function.
In the random oracle model, the adversary can only obtain the required hash value
by the random oracle. The simulator exploits the adversary in a number of steps to
turn the adversary’s ability into an advantage that breaks a known difficult problem.
A secure hash function (such as SHA-1, SHA-256, 384, etc.) is used in most practical
applications instead of the random oracle. The security of a scheme is based on the
provable security results and the distinguishability of the hash function from the
random oracle. Compared with the provable security scheme in the standard model,
the computational cost is also greatly reduced due to tight reduction in the random
oracle model. Many widely used cryptographic schemes are based on the random
oracle model, such as digital signature scheme PSS [17], public-key encryption
scheme RSA-OAEP [18, 19], key exchange protocol [16], etc.

9.2.3 Quantum-Accessible Random Oracle Model

The interest in post-quantum cryptosystems, namely systems that remain secure in
the presence of a quantum adversary, has generated elegant proposals for new
cryptography. A promising direction is lattice-based cryptography, where the underlying
problems are related to finding short vectors in high-dimensional lattices. As is
often the case, lattice-based cryptosystems are set in the random oracle model and
are proven secure relative to adversaries that have classical access to the random
oracle. In this model, the adversary is given oracle access to a random hash function
$O : \{0,1\}^* \rightarrow \{0,1\}^*$ and it can only “learn” a value $O(x)$ by querying
the oracle $O$ at the classical bits $x$. However, to obtain a concrete system, the
random oracle is eventually replaced by a concrete hash function, thereby enabling a
quantum attacker to evaluate this hash function on quantum states. To capture this
issue in the model, an adversary should be allowed to evaluate the random oracle “in
superposition”, i.e., the adversary can submit quantum states
$|\phi\rangle = \sum \alpha_x |x\rangle$ to the oracle $O$ and receives back the evaluated
state $\sum \alpha_x |O(x)\rangle$ (appropriately encoded to make the transformation
unitary). This is called the quantum-accessible random oracle model. To prove
post-quantum security, one needs to prove security in the quantum-accessible random
oracle model.
Related work on the quantum-accessible random oracle was carried out in [20, 21].
Boneh et al. [22] showed the separation of the classical and quantum-accessible
random oracle models by presenting a scheme that is secure when the adversary is
given classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. Generic conditions were then developed under which a
classical random oracle proof implies security in the quantum-accessible random
oracle model.
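The difference between the access models of Sects. 9.2.2 and 9.2.3 can be seen in a small simulation, given here as an added example that is not from the book. It contrasts a lazily sampled random oracle queried classically with the same oracle queried in superposition through the unitary |x, y> -> |x, y XOR O(x)>, and with a SHA-256 instance standing in for step (4) of the methodology. Class and function names, the tiny bit lengths and the use of Python's non-cryptographic random module are assumptions made for illustration.

```python
import hashlib
import math
import random


class RandomOracle:
    """Lazily sampled random function from n_in-bit to n_out-bit strings.

    random.Random drives the simulation only; it is not a cryptographic source.
    """

    def __init__(self, n_in, n_out, seed=None):
        self.n_in, self.n_out = n_in, n_out
        self._rng = random.Random(seed)
        self.table = {}        # points of the function fixed so far
        self.query_log = []    # classical inputs, visible to a security reduction

    def value(self, x):
        if not 0 <= x < 2 ** self.n_in:
            raise ValueError("input outside the oracle's domain")
        if x not in self.table:   # first query: draw a uniform answer, remember it
            self.table[x] = self._rng.getrandbits(self.n_out)
        return self.table[x]

    def classical_query(self, x):
        self.query_log.append(x)
        return self.value(x)

    def quantum_query(self, state):
        """Superposition access: there is no single input that could be logged."""
        return evaluate_in_superposition(self.value, state)


def evaluate_in_superposition(f, state):
    """Apply |x, y> -> |x, y XOR f(x)> to a sparse state vector.

    `state` maps basis labels (x, y) to amplitudes. The map permutes basis
    states and is its own inverse, so the transformation is unitary.
    """
    out = {}
    for (x, y), amp in state.items():
        label = (x, y ^ f(x))
        out[label] = out.get(label, 0.0) + amp
    return out


def uniform_superposition(n_in):
    """Equal-weight superposition over all inputs, response register set to 0."""
    amp = 1 / math.sqrt(2 ** n_in)
    return {(x, 0): amp for x in range(2 ** n_in)}


def norm(state):
    return math.sqrt(sum(abs(a) ** 2 for a in state.values()))


def sha256_instance(n_out):
    """Step (4): a concrete public hash function in place of the oracle."""
    def h(x):
        digest = hashlib.sha256(str(x).encode()).digest()
        return int.from_bytes(digest, "big") >> (256 - n_out)
    return h


if __name__ == "__main__":
    oracle = RandomOracle(n_in=3, n_out=4, seed=7)
    oracle.classical_query(5)
    print("points fixed after one classical query:", len(oracle.table))
    oracle.quantum_query(uniform_superposition(3))
    print("points fixed after one superposition query:", len(oracle.table))
    print("classical query log:", oracle.query_log)
```

One classical query fixes and reveals a single point of the function, whereas one superposition query depends on every point in its support and leaves nothing in the query log, which is why proofs that rely on observing individual queries need to be re-examined in the quantum-accessible model.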

References

1. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Comment on experimental demonstration of a quantum
protocol for byzantine agreement and liar detection. Phys. Rev. Lett. 101(20), 208901 (2008)
2. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Forcible measurement attack on quantum direct
communication protocol with cluster state. Chin. Phys. Lett. 25(8), 2766–2769 (2008)
3. Gao, F., Wen, Q.Y., Zhu, F.C.: Teleportation attack on the QSDC protocol with a random basis
and order. Chin. Phys. B 17(9), 3189–3193 (2008)
4. Song, J., Zhu, A.D., Zhang, T.: Quantum secure direct communication protocol with blind
polarization bases and particles’ transmitting order. Chin. Phys. B 16(3), 621–623 (2007)
5. Zou, X.F., Qiu, D.W.: Attacks and improvements of QSDC schemes based on CSS codes. Int.
Conf. Intell. Comput. (ICIC) 6840, 239–246 (2012)
6. Lu, X., Ma, Z., Feng, D.G.: Quantum secure direct communication using quantum
Calderbank-Shor-Steane error correcting codes. J. Softw. 17(3), 509–515 (2006)
7. Wang, Y., Wang, H.D., Li, Z.H., et al.: Man-in-the-middle attack on BB84 protocol and its
defence. In: IEEE International Conference on Computer Science and Information Technology
(ICCSIT) pp. 438–439 (2009)
8. Song, T.T., Zhang, J., Gao, F., et al.: Participant attack on quantum secret sharing based on
entanglement swapping. Chin. Phys. B 18(4), 1333–1337 (2009)
9. Zhang, Y.Q., Jin, X.R., Zhang, S.: Secret sharing of quantum information via entanglement
swapping. Chin. Phys. B 15(10), 2252–2255 (2006)
10. Makarov, V., Hjelme, D.R.: Faked states attack on quantum cryptosystems. J. Mod. Opt. 52(5),
691–705 (2005)
11. Vakhitov, A., Makarov, V., Hjelme, D.R.: Large pulse attack as a method of conventional optical
eavesdropping in quantum cryptography. Opt. Acta Int. J. Opt. 48(13), 2023–2038 (2001)
12. Lutkenhaus, N.: Security against eavesdropping in quantum cryptography. Phys. Rev. A 54(1),
97 (1996)
13. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput.
Syst. 8(1), 18–36 (1990)
14. Dong, L., Chen, K.F.: Cryptographic Protocol. Springer Nature (2012)
15. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature
problems. In: Annual International Cryptology Conference (CRYPTO’ 86), vol. 263,
pp. 186–194 (1987)
16. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient
protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73
(1993)
17. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA
and Rabin. In: International Conference on the Theory and Applications of Cryptographic
Techniques (EUROCRYPT’ 96), vol. 1070, pp. 399–416 (1996)
18. Bellare, M., Rogaway, P.: Optimal asymmetric encryption: how to encrypt with RSA. In:
International Conference on the Theory and Applications of Cryptographic Techniques
(EUROCRYPT’ 94), vol. 950, pp. 92–111 (1995)
19. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes.
J. Cryptol. 26(1), 80–101 (2013)
20. Aaronson, S.: Quantum copy-protection and quantum money. In: Annual IEEE Conference on
Computational Complexity (CCC), pp. 229–242 (2009)
21. Brassard, G., Hoyer, P., Kalach, K., et al.: Merkle puzzles in a quantum world. In: Annual
International Cryptology Conference (CRYPTO 2011), vol. 6841, pp. 391–410 (2011)
22. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput.
Sci. 7073(1), 41–69 (2010)
Chapter 10
Security Analysis Based on BAN Logic

Many quantum authentication schemes have been designed according to quantum key
distribution. Scheme security is proved heuristically by employing attack strategies
such as intercept-measure-resend attack, entanglement-measure attack, etc. In this
chapter, we introduce security analysis based on BAN logic. In contrast to analyzing
protocols with common quantum attacks, formal approach is a more universal tool
which helps understand whether a quantum cryptographic protocol meets its security
goal or not.

10.1 Formal Analysis

Due to its capability to detect a potential eavesdropper with high probability,
quantum cryptography has been widely explored in many emerging cryptography and
communication systems. Based on quantum mechanics, a variety of protocols have
been proposed to support diverse systems, such as the quantum key distribution (QKD)
protocol, quantum signature (QS) protocol, quantum secure direct communication
(QSDC) protocol, etc. So it is necessary to provide an efficient analysis tool for
quantum cryptographic protocols, which will help analyze the correctness of quantum
protocols in a simple and uniform way.
A formal method is a combination of a mathematical or logical model of a system
and its requirements, together with an effective procedure for determining whether
a proof that a system satisfies its requirements is correct [1]. Formal methods were
first mentioned as a possible tool for analysis by Needham and Schroeder [2], and
Dolev and Yao accomplished the first protocol analysis work by developing a formal
model of an environment in 1981 [3]. A lot of research then focused on the general
use of model checkers based on the Dolev–Yao model. These belong to the model
checking approach. Given a system model and desired system properties, the model
checker explores the full state space of the system model to check whether the given
system properties are satisfied by the model [4]. It was not until the publication of
BAN logic [5] that formal methods became comprehensible to a larger research
community, which led to a host of other logics that expand it, such as GNY logic and
SVO logic. Typified by BAN logic, these techniques fall into the domain of logical
inference, which is based on an agreed set of deduction rules for formally reasoning
about authentication protocols.

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_10

In this chapter, we introduce BAN logic, extend it to the quantum setting, and
present a detailed security analysis of quantum identity authentication protocols
in BAN logic together with a brief discussion.

10.2 Quantum Identity Authentication

One branch of these protocols is the quantum identity authentication (QIA) protocol,
which certifies the identity of the legitimate users of a communication line so that
no third party can impersonate either of them. With the achievements of quantum
key distribution, early authentication schemes were designed according to quantum
key distribution. Dusek et al. [6] presented a proposal based on the combination of
classical identification procedure and QKD. Zeng et al. [7] proposed a quantum key
verification scheme, which can simultaneously distribute the quantum secret key and
verify the communicator’s identity. Similarly, functions of QKD and QIA can also
be implemented with Einstein–Podolsky–Rosen (EPR) pair in protocol [8]. Later,
a one-way quantum identity authentication scheme [9] was proposed by employing
mechanism of ping-pong protocol and property of quantum controlled-NOT gate.
Obviously, no authentication is possible between two communicating parties with-
out a previously shared secret including a message and entanglement states [10].
Even with the help of a third party called referee, who can prevent observers from
masquerade, the shared secret is necessary in identity authentication. The referee
needs to verify a shared entangled resource in a trust-free manner by using classical
and quantum communication channels appropriately [11]. For these protocols, dis-
tinctive attack strategies have been put forward to analyze their security accordingly
since the types of threats become more various in quantum fields. An eavesdrop-
per may impersonate legitimate users, for instance, by intercepting the transmitting
particle and resending a fake particle according to its measurement result, which is
called intercept-measure-resend attack. To obtain more shared messages from the
sending particle in a quantum channel, eavesdropper may send an ancillary particle
to entangle with the message particle, which is called entanglement-measure attack.
Any attempt to assure the correctness of cryptographic protocols must take all these
new attack developments into account.

10.3 Representative QIA Protocol

In 2000, Zeng et al. [7] claimed that it is necessary to verify the key in quantum key
management while classical verification cannot simultaneously complete identity
verification and quantum key distribution as in the literature [6], so they proposed
a quantum key verification scheme in case that eavesdroppers avoid the identity
verification procedure. EPR pair and Bell theorem were used in their two-phase
protocol. In the initial phase, two communicators gain the shared message with the
help of an information center which is neither responsible for identity verification
nor for generating or distributing secret keys. After the legitimate users, Alice and
Bob, obtain the sharing key K1 , no more communication is necessary with the center.
Then two communicators execute the verification phase.
(1) Alice and Bob convert the sharing key K1 into a series of measurement basis
MK . If K1 = 1, MK corresponds to the rectilinear measurement basis. If K1 = 0,
MK corresponds to the diagonal measurement basis.
(2) Alice prepares the EPR pair. She measures one particle of each EPR pair in the
string and sends the other to Bob. Alice chooses a random basis like in the EPR
protocol [1] for measuring.
(3) Bob randomly measures the received string of particles by using two measure-
ment basis M , MK . Note that M is the measurement basis for the quantum key
distribution and obtainment of a new identity sharing key. MK is the measurement
basis for identity verification in the current communication.
(4) Alice and Bob check the eavesdropper first. Bob randomly chooses some mea-
surement results measured by the basis M to judge the eavesdroppers according
to Bell theorem.
(5) If there is no eavesdropper, Bob transforms the results measured by the basis
MK into a binary bit string m according to the beforehand appointment. The
corresponding sequence number is Ni in Alice’s whole qubits strings. Then Bob
encrypts m and Ni with K1 . Bob obtains secret message y and sends it to Alice.
(6) Alice decrypts y and gets m , Ni . Alice compares her results with m and gets the
measurement basis MKt . If Kt = K1 , Bob’s identity is true.
(7) Alice sends Bob the results m . If m = m, Alice’s identity is true.
(8) If the communicators are legitimate, Alice and Bob distribute the quantum secret
key using the remainder qubits as in the EPR protocols [12].
(9) Alice and Bob discard the sharing key K1 , and set up a new sharing key K2
from qubits measured by M or from taking portion bits of the final distributed
quantum key.
This verification protocol is characterized by using the measurement basis to encode
the message and applying the Bell theorem to guarantee unconditional security. The only
pitfall is that the process is rather complicated, with too many classical messages
transmitted. Next, we will focus on a simpler protocol in which only a quantum channel
is needed.
Compared with the shared information schemes [6, 7], the shared entangled state
protocols provide further security since the “sharing keys” cannot be copied and
spread, according to the no-cloning theorem. Although it is hard to distribute
entangled states and store them, numerous protocols have been proposed in anticipation
of rapid technical progress. Here we consider a quantum identity
protocol proposed by Shi et al. [8] for formal analysis. It can be used not only for
QKD and QIA, but also for QSDC, since no qubit is discarded in the case of an
error-free quantum channel.
Suppose that Alice and Bob have previously shared pairs of entangled states. Bob
randomly performs one of two local unitary operations I and X on his particle in
each EPR pair, where

$$I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \qquad X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$$

If Bob performs the unitary operation I on the particle belonging to him, the state
$\psi^-$ remains unchanged. If the unitary operation performed by Bob is X, the state
$\psi^-$ is transformed into the state $\phi^-$. Then Bob sends his particle back to
Alice. Alice performs a Bell state measurement on the particle from Bob and her own
particle. Alice and Bob let the state $\psi^-$ correspond to “1” and the state $\phi^-$
correspond to “0”. Then they get the sharing key. Moreover, when Alice gets one of the
other two Bell states $\psi^+$, $\phi^+$, there must be someone who impersonates Bob.
In this way, every EPR pair is used to distribute a quantum key and verify the user’s
identity simultaneously, without transmission of any classical message.
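
The round described above can be checked with a small state-vector calculation. The following is an added example, not code from the book or from Shi et al.; the function names are hypothetical, and the impersonator is modelled, as an assumption, as a party who holds no half of the shared pair and therefore returns an unentangled qubit.

```python
import math

S = 1 / math.sqrt(2)

# Two-qubit amplitudes indexed as 2*a + b (a = Alice's qubit, b = Bob's qubit).
BELL = {
    "psi-": [0, S, -S, 0],   # (|01> - |10>)/sqrt(2), the shared state
    "psi+": [0, S, S, 0],    # (|01> + |10>)/sqrt(2)
    "phi-": [S, 0, 0, -S],   # (|00> - |11>)/sqrt(2)
    "phi+": [S, 0, 0, S],    # (|00> + |11>)/sqrt(2)
}
I_GATE = [[1, 0], [0, 1]]
X_GATE = [[0, 1], [1, 0]]
KEY_BIT = {"psi-": 1, "phi-": 0}   # mapping stated in the text


def apply_on_bob(gate, state):
    """Apply a single-qubit gate to Bob's qubit of a two-qubit state."""
    out = [0j] * 4
    for a in (0, 1):
        for b_in in (0, 1):
            for b_out in (0, 1):
                out[2 * a + b_out] += gate[b_out][b_in] * state[2 * a + b_in]
    return out


def bell_probs(state):
    """Probability of each Bell-measurement outcome for a pure two-qubit state."""
    return {
        name: abs(sum(v * amp for v, amp in zip(vec, state))) ** 2
        for name, vec in BELL.items()
    }


def honest_round(bit):
    """Bob encodes key bit 1 with I and key bit 0 with X, then returns his qubit."""
    gate = I_GATE if bit == 1 else X_GATE
    return bell_probs(apply_on_bob(gate, BELL["psi-"]))


def impersonation_round(fake_qubit):
    """Outcome probabilities when an unentangled qubit [alpha, beta] is returned.

    Assumption of this example: the impersonator has no access to Bob's half.
    Alice's own half of psi- is then maximally mixed, i.e. |0> or |1> with
    probability 1/2 each, so the two cases are averaged.
    """
    alpha, beta = fake_qubit
    probs = dict.fromkeys(BELL, 0.0)
    for a in (0, 1):
        state = [0j] * 4
        state[2 * a], state[2 * a + 1] = alpha, beta
        for name, p in bell_probs(state).items():
            probs[name] += 0.5 * p
    return probs


def detection_probability(fake_qubit, pairs):
    """Chance that at least one of `pairs` rounds yields psi+ or phi+."""
    p = impersonation_round(fake_qubit)
    per_pair = p["psi+"] + p["phi+"]
    return 1 - (1 - per_pair) ** pairs


if __name__ == "__main__":
    for bit in (1, 0):
        outcome = max(honest_round(bit).items(), key=lambda kv: kv[1])[0]
        print("Bob encodes", bit, "-> Alice measures", outcome,
              "-> key bit", KEY_BIT[outcome])
    print("impersonation outcome distribution:", impersonation_round([1, 0]))
    print("detection probability over 10 pairs:", detection_probability([1, 0], 10))
```

With an honest Bob the outcomes $\psi^+$ and $\phi^+$ never occur, while an unentangled qubit makes each of the four outcomes equally likely, so every pair exposes the impersonation with probability 1/2.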

10.4 Analysis Procedure

10.4.1 Description of Notions and Rules

BAN logic is a formal method for verifying that three principals (including people,
computer and services) are entitled to believe they are communicating with each other
and not the intruders. It concentrates on the beliefs of trustworthy parties involved
in the protocol and the evolution of these beliefs through communication processes.
The procedure of BAN logic for analyzing a cryptographic protocol is described
as follows:
(1) Transform protocol into some “idealized” form;
(2) Identify the initial assumptions in the language of BAN logic;
(3) Use the postulates and rules of the logic to deduce new predicates;
(4) Interpret the statements proved by the process to check whether the protocol
meets the goal.
In order to apply the same concept to analyze the QIA protocol, some extension
work [13] has been done to adapt it to the quantum setting. The supplementary notions
and postulates we will rely on are summarized in Tables 10.1 and 10.2, while the
initial notions are the same as in the literature [5].
Then we analyze a QIA protocol from an efficient perspective by using the BAN
logic.

Table 10.1 Supplement notions of BAN logic

| Supplement notions | Meaning |
|---|---|
| Lowercase (a, b) | Classical bit string |
| Capital letter (A, B) | Quantum bit string |
| A_>B : ? | A sends B ? through quantum channel |
| A->B : ? | A sends B ? through classical channel |
| A′ | The measured quantum bit string |
| A :: ! | A has ! |
| (y, Y′) = Measure(Y/z) | Measure quantum string Y with basis z and gain classical string y and quantum string Y′ |
| Number(x) or Number(X) | Number of 1 in string x or X |
| x = Count(X) | Number of bits in quantum string X |

Table 10.2 Rules of BAN logic

| Rules | Postulate | Meaning |
|---|---|---|
| Message-meaning rules | $\dfrac{P \mid\equiv P \stackrel{K}{\leftrightarrow} Q,\ P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$ | If P believes that the key K is shared with Q and sees a message X encrypted under K, then P believes that Q once said X |
| Jurisdiction rule | $\dfrac{P \mid\equiv Q \Rightarrow X,\ P \mid\equiv Q \mid\sim X}{P \mid\equiv X}$ | If P believes that Q has jurisdiction over X then P trusts Q on the truth of X |
| Nonce-verification rule | $\dfrac{P \mid\equiv Q \mid\sim X,\ P \mid\equiv \#(X)}{P \mid\equiv Q \mid\equiv X}$ | If P believes that X could have been uttered only recently and that Q once said X, then P believes that Q believes X |
| Freshness rule | $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$ | If P believes that Q has jurisdiction over X then P trusts Q on the truth of X |
| Belief rule | $\dfrac{P \mid\equiv (X, Y)}{P \mid\equiv X}$, $\dfrac{P \mid\equiv X,\ P \mid\equiv Y}{P \mid\equiv (X, Y)}$ | P believes a collection of statements if and only if it believes each of the statements separately |

10.4.2 Inference Based on BAN Logic

For the QIA protocol proposed by Shi et al. [8], we divide it into two parts. The
idealized version derived from the original is presented as follows together with the
initial version as a reference.
(1) Alice identifies Bob
This verification process is shown in Fig. 10.1.

Fig. 10.1 Alice identifies Bob [diagram: Bob sends S2′(x) to Alice]

(2) Bob identifies Alice
This verification process is shown in Fig. 10.2.

Fig. 10.2 Bob identifies Alice [diagram: 1: Bob sends S2(y) to Alice; 2: Alice sends S1′(m − y) to Bob]

To verify the security of the QIA protocols, we make a reasonable assumption
that when Alice sends a bit string X in a quantum channel, $ALL \mid\equiv Alice \mid\sim X$,
$ALL \mid\equiv \#X$.
Then we use the rules of BAN logic to determine whether the goal of authentication
is met or not.
(1) Alice identifies Bob
Bob sends $S_2'(x)$ to Alice in a quantum channel. Recalling the assumption, we get

$$Alice \mid\equiv Bob \mid\sim S_2' \tag{10.1}$$

$$Alice \mid\equiv (\#S_2').$$

According to the Nonce-verification rule, $Alice \mid\equiv Bob \mid\equiv S_2'$;

Since Bob sends $S_2'(x)$, $Alice \mid\equiv Bob \Rightarrow S_2'$.
Together with Eq. 10.1, according to the Jurisdiction rule,

$$Alice \mid\equiv S_2' \tag{10.2}$$

If $Number(r_a(x)) = 0$, $Alice \mid\equiv Number(r_a(x)) = 0$, $k_a(x) = K_{ab}$.

Since $k_a(x)$ was the measurement result of $S_2'$, $Alice \mid\equiv S_2' \Rightarrow k_a(x)$.
Together with Eq. 10.2, according to the Jurisdiction rule, $Alice \mid\equiv k_a(x)$, i.e.,
$Alice \mid\equiv K_{ab}$.
So we derive that $Alice \mid\equiv Alice \stackrel{K_{ab}}{\leftrightarrow} Bob$ (Table 10.3).
(2) Bob identifies Alice
The steps are similar to (1).
Bob sends $S_2(y)$ to Alice in a quantum channel. Recalling the assumption, we get:

$$Alice \mid\equiv Bob \mid\sim S_2 \tag{10.3}$$

$$Alice \mid\equiv (\#S_2),$$

Table 10.3 Idealized version of Alice identifies Bob

| Idealized version | Initial protocol |
|---|---|
| Alice :: {S1(m + n)}, Bob :: {S2(m + n)} | There are m + n EPR pairs and m is public to everyone. Alice has one string of qubits S1, Bob has another S2 |
| Bob :: (kb(x), S2′(x)) = Measure(S2(x))/base(m). Note: base(m) is the measurement basis, m = 0 corresponds to operation I, m = 1 corresponds to operation X | Bob performs randomly one of two local unitary operations X and I on x of his qubits |
| Bob_>Alice : S2′(x) | Bob sends his measured qubits back to Alice |
| Alice :: (ra(x), ka(x)) = Measure(S1(x), S2′(x))/BELL. Note: If the result measured by BELL basis is $\begin{cases} \phi^-, & r_a = 1,\ k_a = 1 \\ \psi^-, & r_a = 1,\ k_a = 0 \\ \phi^+ \text{ or } \psi^+, & r_a = 0 \end{cases}$ | Alice does a Bell state measurement on the particle from Bob and the particle from herself |
| Alice :: Number(ra(x)), If Number(ra(x)) > 0, stop, discard ka(x); If Number(ra(x)) = 0, Alice :: Kab = ka(x) | Alice counts the number of 1 in ra to figure out whether there is impersonation |

According to the Nonce-verification rule, $Alice \mid\equiv Bob \mid\equiv S_2$;

Since Bob sends $S_2(y)$, $Alice \mid\equiv Bob \Rightarrow S_2$.
Together with Eq. 10.3, according to the Jurisdiction rule, $Alice \mid\equiv S_2$.
Since y is the number of $S_2(y)$, we obtain $y \subset S_2$; according to the belief rule,
$Alice \mid\equiv y$, then Alice sends the next $S_1'(m - y)$ to Bob;
If $b = m - y$, $Bob \mid\equiv Alice \mid\sim S_1'$, $Bob \mid\equiv (\#S_1')$.
According to the Nonce-verification rule, we get

$$Bob \mid\equiv Alice \mid\equiv S_1' \tag{10.4}$$

Since Alice sends $S_1'(m - y)$, $Bob \mid\equiv Alice \Rightarrow S_1'$.

Together with Eq. 10.4, according to the Jurisdiction rule,

$$Bob \mid\equiv S_1' \tag{10.5}$$

If $Number(r_b(x)) = 0$, $Bob \mid\equiv Number(r_b(x)) = 0$, $k_b(x) = K_{ab}$;

Since $k_b(x)$ was the measurement result of $S_1'$, $Bob \mid\equiv Alice \Rightarrow S_1'$.
Together with Eq. 10.5, according to the Jurisdiction rule, $Bob \mid\equiv k_b(x)$, i.e.,
$Bob \mid\equiv K_{ab}$.
So we deduce that $Bob \mid\equiv Alice \stackrel{K_{ab}}{\leftrightarrow} Bob$ (Table 10.4).
Through the analysis of this protocol, we obtain the outcome that the authentication
between Alice and Bob is complete.
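
The inference steps up to Eqs. 10.2, 10.4 and 10.5 can be replayed mechanically. The following is an added example, not code from the book: a forward-chaining closure over the Nonce-verification and Jurisdiction rules exactly as printed in Table 10.2, with the quantum-channel assumption encoded as initial beliefs. The tuple encoding and all function names are hypothetical.

```python
# Formulas are nested tuples; principals and messages are plain strings.
def believes(p, x):
    return ("believes", p, x)          # P |≡ X

def said(q, x):
    return ("said", q, x)              # Q |∼ X

def fresh(x):
    return ("fresh", x)                # #(X)

def controls(q, x):
    return ("controls", q, x)          # Q ⇒ X (jurisdiction)


def quantum_send(sender, receiver, msg):
    """Initial beliefs of the receiver after a quantum-channel transmission.

    Encodes the chapter's assumption (ALL |≡ sender |∼ X, ALL |≡ #X) for the
    receiver, plus the "since the sender sends X" jurisdiction premise.
    """
    return {
        believes(receiver, said(sender, msg)),
        believes(receiver, fresh(msg)),
        believes(receiver, controls(sender, msg)),
    }


def nonce_verification(facts):
    """P |≡ Q |∼ X and P |≡ #(X) give P |≡ Q |≡ X."""
    new = set()
    for f in facts:
        if f[0] == "believes" and isinstance(f[2], tuple) and f[2][0] == "said":
            p, (_, q, x) = f[1], f[2]
            if believes(p, fresh(x)) in facts:
                new.add(believes(p, believes(q, x)))
    return new


def jurisdiction(facts):
    """As printed in Table 10.2: P |≡ Q ⇒ X and P |≡ Q |∼ X give P |≡ X."""
    new = set()
    for f in facts:
        if f[0] == "believes" and isinstance(f[2], tuple) and f[2][0] == "controls":
            p, (_, q, x) = f[1], f[2]
            if believes(p, said(q, x)) in facts:
                new.add(believes(p, x))
    return new


RULES = [("nonce-verification", nonce_verification), ("jurisdiction", jurisdiction)]


def closure(assumptions):
    """Apply the rules until no new belief appears; return (facts, trace)."""
    facts = set(assumptions)
    trace = []
    changed = True
    while changed:
        changed = False
        for name, rule in RULES:
            for conclusion in sorted(rule(facts) - facts, key=repr):
                facts.add(conclusion)
                trace.append((name, conclusion))
                changed = True
    return facts, trace


if __name__ == "__main__":
    # Part (1): Bob returns S2' to Alice.
    _, trace1 = closure(quantum_send("Bob", "Alice", "S2'"))
    # Part (2): Bob sends S2, then Alice sends S1' to Bob.
    _, trace2 = closure(quantum_send("Bob", "Alice", "S2")
                        | quantum_send("Alice", "Bob", "S1'"))
    for rule, conclusion in trace1 + trace2:
        print(rule, "=>", conclusion)
```

Removing the freshness belief from the assumptions removes only the Nonce-verification conclusion, because the Jurisdiction rule as printed in Table 10.2 takes "once said" as its second premise; removing the "once said" belief leaves nothing derivable.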

Table 10.4 Idealized version of Bob identifies Alice

| Idealized version | Initial protocol |
|---|---|
| Bob_>Alice : S2(y), Alice :: y = Count(S2(y)) | Bob sends y number of qubits to Alice |
| Alice :: (S1′(m − y)) = Measure(S1(m − y))/base(m) | Alice performs randomly one of two local unitary operations X and Y on m − y of her qubits |
| Alice_>Bob : S1′(m − y) | Bob sends his measured qubits back to Alice |
| Bob :: b = Count(S1′(m − y)). If b ≠ m − y, stop; If b = m − y. | Bob counts the number of the received string to figure out whether Alice gets the y qubits |
| Bob :: (rb(n)) = Measure(S1′(m − y), S2(m − y))/BELL | |
| Bob :: Number(rb(n)); If Number(rb(n)) > 0, stop, discard kb(x); If Number(rb(n)) = 0, Bob :: Kab = kb(x) | Alice counts the number of 1 in to figure out whether there is impersonation |

The above analysis verifies that BAN logic can help make the analysis
of protocols more efficient by eliminating the contents of messages or the encryptions
of messages. In order to verify a protocol by using BAN logic, a set of hypotheses
has to be made to obtain the initial beliefs. In a classical environment, some
hypotheses make it problematic to distinguish between the roles of freshness of
creation and freshness of receipt. On the contrary, in a quantum environment, a message
can be validated only when the communicators operate on the qubits, and this
guarantees the freshness of creation, as shown in our assumption. However, BAN
logic also has its limitations. Since there is no systematic way of translating a protocol
description into a BAN description, subjective factors may be introduced and cause
a biased view of the analysis.

10.5 Summary

In this chapter, we applied BAN logic to the formal verification of QIA protocols.
We gave the description of notions and rules, and analyzed the security of a
representative QIA protocol. BAN logic provides a concise way of proving the security of
authentication protocols. Especially in quantum circumstances, ambiguity can be
avoided in establishing the freshness of a message. With finer modeling hypotheses or
a finer level of description, more applications of logic-based formal methods can be
adopted to verify the security of quantum cryptographic protocols.
References

1. Meadows, C.: Formal methods for cryptographic protocol analysis: emerging issues and trends.
IEEE J. Sel. Areas Commun. 21(1), 44–54 (2003)
2. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of
computers. Commun. ACM 21(12), 993–999 (1978)
3. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(20),
198–208 (1983)
4. Lal, S., Jain, M., Chaplot, V.: Approaches to formal verification of security protocols.
arXiv:1101.1815 (2011)
5. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput. Syst.
8(1), 18–36 (1990)
6. Dusek, M., Haderka, O., Hendrych, M., et al.: Quantum identification system. Phys. Rev. A
60(1), 149–156 (1999)
7. Zeng, G., Zhang, W.: Identity verification in quantum key distribution. Phys. Rev. A 61(2),
022303 (2000)
8. Shi, B.S., Li, J., Liu, J.M., et al.: Quantum key distribution and quantum authentication based
on entangled state. Phys. Lett. A 281(2), 83–87 (2001)
9. Zhang, Z., Zeng, G., Zhou, N., et al.: Quantum identity authentication based on ping-pong
technique for photons. Phys. Lett. A 356(3), 199–205 (2006)
10. Curty, M., Santos, D.J., Perez, E., et al.: Qubit authentication. Phys. Rev. A 66(2), 022301
(2002)
11. Cavalcanti, E.G., Hall, M.J., Wiseman, H.M.: Entanglement verification and steering when
Alice and Bob cannot be trusted. Phys. Rev. A 87(3), 032306 (2013)
12. Ekert, A.K.: Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67(6), 661 (1991)
13. Sheng, Z.: A Research on the formal analysis of quantum cryptography protocols. Dissertation
thesis, National University of Defense Technology (2007)
Chapter 11
Security Analysis Based on Quantum
Random Oracle Model

Random oracle model is a general security analysis tool for rigorous security proof
and effective cryptographic protocol design. In the quantum world, the attempts of
constructing a quantum random oracle (QRO) have been made, such as quantum-
accessible random oracle for post-quantum cryptography and quantum random
oracle for quantum cryptography. To facilitate the security analysis of quantum
cryptographic protocols, we introduce quantum random oracle. As in the classical
circumstance, it is crucial and challenging to design and instantiate the QRO model
with an appropriate quantum hash function. As a result, we use the QRO model for the
security analysis of quantum public-key encryption and quantum digital signature.
This new tool can be a test-bed for the cryptanalysis of more quantum cryptographic
protocols based on quantum one-way function.

11.1 Quantum Random Oracle Model for Quantum Digital Signature

11.1.1 Development of Random Oracle

Random oracle (RO) has been used to design effective cryptographic protocols and
give rigorous proofs of security for cryptographic protocols over 20 years [1–4]. RO
is virtually a theoretical black box which outputs random bits in equal length when
queried by all parties including an adversary. Queries to RO are standardly designed
to model an adversary’s attack power [5]. The rapidly evolving quantum computation
equips a quantum adversary with sufficient computational power. To analyze clas-
sical cryptographic protocols against quantum adversaries, Boneh et al. [6] started
pioneering work of the quantum random oracle (QRO) model, more precisely, the
quantum-accessible random oracle model, in which an adversary can make quantum
superposition queries. Later, Zhandry [7, 8] upgraded the quantum-accessible random
oracle with a semi-constant distribution to make it indistinguishable with identical
uniform distribution under quantum algorithms. In 2013, Boneh and Zhandry
[9] made a significant progress to initiate the study of quantum-secure digital sig-
natures and quantum chosen ciphertext security. In the quantum-accessible random
oracle model, an adversary can make quantum chosen message queries and quantum
chosen ciphertext queries. Till now, most of the quantum-accessible random oracle
model research has focused on classical cryptographic protocols against quantum
adversaries. Furthermore, can we explore the construction of a new QRO model to
effectively analyze quantum cryptographic protocols against quantum attacks?
In this section, we introduce a new QRO model to analyze the security of QDS
schemes based on quantum one-way function [10]. We start with the quantum random
oracle modeling a collision-free quantum one-way function. Then we will give a
general security analysis procedure in the QRO model. For convenient analysis, we
choose the original QDS scheme [11]. It is very meaningful to endow new meaning
and explanation to the QRO model for quantum cryptosystems.

11.1.2 Quantum Digital Signature

Quantum digital signature (QDS) is an important direction of quantum cryptography,
which can be used to prevent impersonation, tampering, and repudiation
in an information-theoretically secure way. Comparatively, classical uncondition-
ally secure signature schemes against quantum computing attacks have been pro-
posed [12, 13], but the resource assumption of secure classical channels is practi-
cally impossible [14]. With the security verified by information-theoretical limits
and quantum mechanics, QDS schemes have been applicable by just using existing
mature quantum key distribution (QKD) equipment and the experimental transmis-
sion distance can achieve over 100 km [15, 16]. In 2001, Gottesman et al. [11]
first proposed a QDS scheme, a quantum version of the Lamport public key based
signature scheme [17], for certifying the origin and authenticity of a message. In
this QDS scheme, public keys are produced through a quantum one-way function
instead of the frequently used trapdoor one-way function in classical cryptography.
A quantum one-way function transforms a classical bit-string into quantum states.
To ensure the validity of transmitted messages, a sender transmits pairs of quantum
signatures, consisting of classical secret keys and quantum public keys, to several
recipients. The recipients store the signature pairs and verify the quantum signa-
tures by nondestructive quantum state comparison, such as SWAP-test. As we know,
general nondestructive quantum state comparison and quantum memory are two
key constraints for the development of QDS. Over ten years later, in 2012, Clarke
et al. [18] experimentally realized a QDS scheme based on coherent states, while
the remaining challenge for QDS to be feasible in practice is quantum memory. The
critical requirement of quantum memory was circumvented by Dunjko et al. [19,
20]. They put forward a practical QDS scheme without quantum memory and later
implemented it. Obviously, the slow pacing of experimental realization hampered
the progress of QDS and other quantum protocols. Alternatively, we can construct
a security model which can facilitate the exploration of a quantum one-way func-
tion to more scenarios and the security analysis of related quantum cryptographic
protocols, such as quantum digital signature schemes [11, 15, 19] and quantum
public-key encryption schemes [21, 22]. The desirable security model needs to pro-
vide participants with outputs of a quantum one-way function and results of quantum
states comparison, and also, give the same response to an adversary to model possi-
ble quantum attacks. Then the security model can be instantiated with continuously
developed techniques [18, 20]. In classical cryptography, similar efficient analysis
model named random oracle (RO) was introduced in 1993 [1].

11.1.3 Representative QDS Scheme

We briefly recall the representative QDS scheme proposed by Gottesman et al. [11].
The scheme assumes all participants will know how to implement the quantum one-
way function, and it is based on perfect devices and channels. Notations are described
as follows:
b: 1-bit classical message.
$k_b^i$: L-bit classical secret key.
$|f_{k_b^i}\rangle$: n-bit public keys of quantum states that a quantum one-way function generates.
$k_b^i \to |f_{k_b^i}\rangle$: quantum one-way function that maps a classical bit-string $k_b^i$ to quantum
states $|f_{k_b^i}\rangle$.
Initializing phase:
Alice chooses a series of L-bit classical bit-strings $\{k_0^i, k_1^i\}$, $1 \le i \le M$ as secret
keys for a single message b. $k_0$ is used to sign the message b = 0, and $k_1$ is used to
sign the message b = 1. Note that $k_0$ and $k_1$ are chosen independently and randomly
for each i. M is a security parameter and the scheme is exponentially secure in M
when other parameters are fixed.
Signing and verifying phase:
(1) Alice chooses secret keys according to b. Then she sends public-keys to at most
t recipients, t < L/n. The signed message $(b, k_b^1, k_b^2, \ldots, k_b^M)$ is sent to recipients
via an insecure classical channel.
(2) Every recipient checks each of the revealed public-keys to verify $k_b^i \to |f_{k_b^i}\rangle$
by quantum states comparison. Then each recipient j counts the number of incorrect
keys as $s_j$;
(3) According to $s_j$, each recipient determines the message b as transferable, valid
or invalid. Then all participants discard all used and unused keys.
To prove the impossibility of forgery and repudiation, the original security model
sets security parameters. In the forging scenario, an adversary wants to convince Bob
that a faked message b′ is valid, i.e., b′ ≠ b. Thus, the secret keys $k_b^i$ not received
by recipients can be modified by the adversary. Some public-keys will fail and the
number of incorrect keys $s_j$ will increase. The scheme defines the rejection parameter
$c_2$ so that when $s_j > c_2 M$, the recipients reject the signature. In Alice’s repudiation
scenario, Alice wishes Bob (for instance) to accept a message and Charlie to reject
it, so she may give completely different public keys to Bob and Charlie. To avoid
this kind of cheating, Bob and Charlie will exchange quantum public keys to be
compared with SWAP-test. So Alice’s goal is to pass all SWAP-tests and make her
message intransferable. Analysis shows the probability of passing SWAP-test is
exponentially small in M. In the participants’ repudiation scenario, they can always deny
the sender Alice’s message. Therefore, there must be at least two honest participants.
Note that quantum states can store an arbitrary amount of data and can be different
for unequal messages, but the measurement procedure may lead to collision-type
errors, i.e., different classical inputs may lead to equal quantum outputs. Gottesman
et al. [11] assumed δ-orthogonal quantum states to limit the measurement errors of
SWAP-test. Instead, to give an effective analysis of schemes based on quantum one-way
function, we may reasonably use the QRO model to realize the collision-free
property. So we assume that the quantum states generated by QRO are distinguishable
by its measurement.

11.1.4 Security Analysis from RO to QRO

Bellare and Rogaway [1] introduced random oracle (RO) model, which made it
possible to give a rigorous proof of security for certain basic cryptographic protocols
[23]. RO is used to model a hash function and output total random hash results. All
parties, including legal communicators and an adversary, should query RO for the
hash value. The security analysis procedure based on the RO model is summarized
as follows:
(1) Define a hard problem .
(2) Redescribe a protocol for .
(3) Define the specific security for the protocol.
(4) Prove the security of the protocol by reduction.
According to the methodology of the RO model, the QRO model for quantum
cryptographic protocols can also conform to the above analysis procedure. Proving
security in the QRO model presents many challenges. For each step of this analysis
procedure, we can further explore the following problems
(1) What is a feasible hard problem  in the QRO model? Hard problems for
reduction vary among different RO models.
In the RO model, Hwang et al. [24] put forward a new quantum primitive called
“Unbiased Chosen Basis” (UCB) assumption based on no-cloning theorem, and use
it as a hard problem for an adversary to prove the security of three-party quantum
key distribution protocol. No-cloning theorem is the foundation of quantum cryp-
tography, which indicates that one cannot copy a qubit if he/she does not know the
polarization basis of the qubit. This physical property of quantum mechanics can
provide an absolutely secure reduction for the QRO model.

In the quantum-accessible random oracle model for post-quantum cryptography,
an adversary with the quantum end-user machine is allowed to issue random oracle
quantum queries, i.e., exponential number of queries in superposition states. The
difficult point for reduction lies in the fact that the reduction algorithm must evaluate
RO at all points in the superposition. To provide an indistinguishable output under
this powerful query, Boneh et al. [6] assumed there exists a quantum-secure pseu-
dorandom function (QPRF) which ensures that random oracle queries are answered
consistently across queries. Thus, cryptographic protocols can be proven secure by
means of history-free reductions related to the existence of QPRF. Their work gives
an important hint of construction of the QRO model considering quantum queries.
Furthermore, Definitions 1 and 2 give the detailed description of related quantum
query and quantum oracles [9].
Definition 1 Quantum chosen message query is the transformation

$$\sum_m \psi_m |m\rangle \to \sum_m \psi_m |m, S(k, m)\rangle$$

where S(k, m) is the signature on m using signing key k.

An attacker can sample the response to such a query and obtain one valid message-
signature pair. After q such queries, it can obtain q valid message-signature pairs.
Definition 2 An oracle $O : X \to Y$ is implemented by a unitary transformation O
where

$$O|x, y, z\rangle = |x, y + O(x), z\rangle$$

where $+ : X \times X \to X$ is some group operation on X. Suppose there is a quantum
algorithm that makes quantum queries to oracles $O_1, \ldots, O_q$. Let $|\psi_0\rangle$ be the input
state of the algorithm, and let $U_0, \ldots, U_q$ be the unitary transformations applied
between queries. Note that the transformations $U_i$ are themselves possibly the
products of many simpler unitary transformations. The final state of the algorithm will
be

$$U_q O_q \cdots U_1 O_1 U_0 |\psi_0\rangle$$

We can also have an algorithm to make classical queries to Oi . In this case, the
input to the oracle is measured before applying the transformation Oi . We call a
quantum oracle algorithm efficient if the number of queries q is a polynomial in the
size of its input, and each of the transformations Ui between queries can be written
as the product of polynomially many unitary transformations from some fixed basis
set.

(2) How to redescribe a protocol for ? Redescribing a protocol means to formally
define the parameters for the protocol and the queries for modeling an adversary’s
capability. A similar description has been given in the Refs. [5, 24]. In the RO model,
an adversary interacts with players by making various queries to RO, such as “Send
query” and “Hash query” [24]. Modifications of such queries can be made for the
security proofs in the QRO model.
(3) What is the specific security for quantum cryptographic protocols? For security
definition of the signature scheme, existential forgery under chosen message attack
is always considered [9, 25]. Chosen message attack means that an adversary cannot
produce q + 1 valid message-signature pairs with q chosen message queries.
(4) How to prove the security of quantum cryptographic protocols by reduction?
Reduction means that if an adversary wants to break the security of a protocol, a chal-
lenger can take advantage of the adversary’s capability to solve the hard problem 
by controlling the random oracle and providing indistinguishable output. Consider-
ing the superposition quantum query for reduction algorithm, Zhandry [7] provided
the related definition and the lemma which allows for the efficient simulation of an
exponentially-large list of samples given only a polynomial number of samples.

Definition 3 Fix sets X and Y and a distribution D on Y. Fix an integer r. Let
$y = (y_1, y_2, \ldots, y_r)$ be a list of r samples from D and let P be a random function from
X to [r]. The distributions on y and P induce a distribution on functions $H : X \to Y$
defined by $H(x) = y_{P(x)}$. This distribution is called a small-range distribution with
r samples of D.

Lemma 1 There is a universal constant $C_0$ such that, for any sets X and Y,
distribution D on Y, any integer $\ell$, and any quantum algorithm F making q queries to
an oracle $H : X \to Y$, the following two cases are indistinguishable, except with
probability less than $C_0 q^3/\ell$
– $H(x) = y_x$ where y is a list of samples of D of size |X|.
– H is drawn from the small-range distribution with $\ell$ samples of D.
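
Definitions 2 and 3 can be exercised together on a small domain. The following is an added example, not code from the book or from the cited papers: it draws H from a small-range distribution and applies the oracle map of Definition 2 to a uniform superposition query, which has the same form as the query of Definition 1 with H in place of S(k, ·). As assumptions of this example, the group operation is bitwise XOR on Y, the workspace register z is omitted, D is uniform on 8-bit values, and all function names are hypothetical.

```python
import math
import random


def small_range_function(domain_size, r, sample, rng):
    """Definition 3: r samples y_1..y_r from D, random P: X -> [r], H(x) = y_P(x)."""
    ys = [sample(rng) for _ in range(r)]
    p = [rng.randrange(r) for _ in range(domain_size)]
    return [ys[p[x]] for x in range(domain_size)]


def uniform_query(domain_size):
    """State sum_x |x, 0> / sqrt(|X|), stored as {(x, y): amplitude}."""
    amp = 1 / math.sqrt(domain_size)
    return {(x, 0): amp for x in range(domain_size)}


def apply_oracle(state, h):
    """Definition 2 with XOR as the group operation: |x, y> -> |x, y XOR H(x)>.

    The map permutes basis states, so it is unitary, and it evaluates H at
    every point of the superposition in a single query.
    """
    out = {}
    for (x, y), amp in state.items():
        key = (x, y ^ h[x])
        out[key] = out.get(key, 0) + amp
    return out


def norm_squared(state):
    return sum(abs(amp) ** 2 for amp in state.values())


def measure(state, rng):
    """Sample one (x, y) outcome with probability |amplitude|^2."""
    u = rng.random()
    acc = 0.0
    outcome = None
    for outcome, amp in sorted(state.items()):
        acc += abs(amp) ** 2
        if u < acc:
            return outcome
    return outcome  # guard against floating-point rounding


def demo(seed=1, domain_size=16, r=4):
    rng = random.Random(seed)          # seeded so the run is reproducible
    h = small_range_function(domain_size, r, lambda g: g.randrange(256), rng)
    answered = apply_oracle(uniform_query(domain_size), h)
    return h, answered, measure(answered, rng)


if __name__ == "__main__":
    h, answered, (x, y) = demo()
    print("distinct oracle values:", len(set(h)), "for", len(h), "inputs")
    print("norm after query:", round(norm_squared(answered), 12))
    print("sampled pair:", (x, y), "consistent with H:", y == h[x])
```

Measuring the answered query yields a single consistent pair (x, H(x)), and H takes at most r distinct values, which is the structure Lemma 1 compares against a fully random oracle.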

11.1.5 Quantum Random Oracle Model for QDS

Different from classical RO model and prior QRO model (precisely, quantum-
accessible random oracle model), our objective is to construct a new QRO model for
quantum cryptographic protocols.
Considering the possible quantum collision problem resulting from quantum
measurement, we assume that there exists a collision-free quantum one-way function and
use QRO to model it by requiring that different quantum states produced by QRO
are distinguishable when QRO measures. Since an adversary may have access to
all quantum states, we assume all parties, including sender Alice, recipient Bob and
adversary A, query QRO for classical random bits, quantum one-way function out-
puts and quantum states comparison results. For a quantum adversary, this QRO can
respond consistently to quantum superposition query like the quantum-accessible
oracle [9]. We also assume that quantum states are transmitted without interference.

Definition 4 A quantum random oracle is a tuple of efficient algorithms
$(G, H_\psi, Measure)$ where:
G: for any input of a classical bit-string m, it outputs a random bit-string $k = \{0, 1\}^k$.
$H_\psi$: for any input of a classical bit-string $k = \{0, 1\}^k$, it operates

$$\psi : \{0, 1\}^k \to \mathcal{H}^{\otimes s},$$

to generate distinguishable quantum states $|\psi_{k_i}\rangle$, where

$$\mathcal{H}^{\otimes s} = \mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_s$$

is a $2^s$-dimensional Hilbert space made up of s products of single-qubit spaces $\mathcal{H}_i^2$.

Measure: any qubits $|\psi_{k_i}\rangle$, $|\psi_{k_j}\rangle$ QRO generates are distinguishable when QRO
measures, i.e.,

$$|\langle \psi_{k_i} | \psi_{k_j} \rangle|^2 = \varepsilon,$$

where $\varepsilon$ is negligible for $i \ne j$.

We illustrate these three parts of QRO in Fig. 11.1.

Proposition 1 Quantum random oracle can respond consistently to quantum queries
$\sum_m \psi_m |m\rangle$ by mapping $X \to Y$

$$O(m, k) : \sum_m \psi_m |m\rangle \to \sum_m \psi_m |m, k\rangle,$$

where k is a random bit-string on m.
Then it samples r times from some distribution on X such that, for every m and
k, O(m, k) is uniformly distributed on Y.

Proof Let r be some integer to be chosen later. Replace X with small-range
distributions of r samples on Y. Lemma 1 shows that an adversary can distinguish X with
Y with probability less than $C_0 q^3/r$. Thus, we use r samples of a small-range Y to
replace r samples of an exponentially-large range X with distinguishable probability
less than $C_0 q^3/r$, which facilitates the quantum random oracle to respond to a
quantum query with suitable r.

Proposition 2 Quantum random oracle can accurately match classical secret keys
with corresponding quantum public-keys.

Proof A quantum one-way function transforms an input of classical bit-string to an output of quantum states. A forgery of signature can be made when an adversary finds out a collision error, i.e., different quantum states pass the test of equality by measurement. In case of possible quantum collision error, we use a quantum random oracle to generate collision-free quantum states $|\psi_{k_i}\rangle$ as in Definition 4:

$|\langle \psi_{k_i} | \psi_{k_j} \rangle|^2 = \varepsilon$, (11.1)

where $\varepsilon$ is negligible for $i \neq j$. Equation 11.1 implies that all quantum states generated by QRO vary with different classical inputs and can be measured by QRO accurately, so this quantum random oracle can accurately match classical secret keys with corresponding quantum public-keys.

In order to prove whether a QDS scheme is resistant to a chosen message attack,
even when an adversary submits quantum superpositions of messages, we need a
suitable definition of QDS scheme in the QRO model.

Definition 5 A quantum digital signature scheme is a tuple of (G, Sign, Verify) algorithms called generator, signing algorithm, and verifying algorithm, respectively.
Generator G: On inputting a bit-string $1^k$, the generator randomly produces a classical secret key $k$.
Signing algorithm Sign$(m, k)$: To sign a message $m$, QRO operates $|f_k\rangle \leftarrow H(m, k)$ to generate a public key of quantum state $|f_k\rangle$.
Verifying algorithm Verify$(k, |f_k\rangle)$: To verify a signature pair $(k, |f_k\rangle)$, QRO takes quantum measurement Verify$(k, |f_k\rangle) \in \{0, 1\}$. It must be the case for all $|f_k\rangle \in H(m, k)$, Verify$(k, |f_k\rangle) = 1$.

In contrast to core algorithms of classical digital signature scheme, QDS generates
a public-key of quantum states in the Signing algorithm, and the verifying algorithm
is measurement rather than computation.

11.1.6 Analysis Procedure

As mentioned in Sec. II, the security analysis of quantum cryptographic protocols
in QRO follows the procedure: (1) Define a hard problem , (2) Redescribe the
quantum protocol for , (3) Define the specific security for the quantum protocol,
(4) Prove the security of the quantum protocol by reduction. Phases (1) and (3)
are related to specific quantum protocols. For example, the three-party quantum
key distribution protocol [24] chooses UCB assumption as a hard problem for the
authenticated quantum key distribution security. Here we use no-cloning theorem as
a hard problem for the provable security of a QDS scheme. Phases (2) and (4) are
common for all quantum cryptographic protocols, just as in classical cryptography
[1, 5, 9]. Formal queries need to be defined in phase (2) for modeling an adversary’s
capability and proving security. Here we take the QDS scheme [11] described in
related works as an example for security analysis.
A. Hard problem in the QRO model
For quantum cryptographic protocols, we choose no-cloning theorem, one of the
foundations of quantum cryptography, to be the hard problem  for reduction. No-
cloning theorem indicates that it is impossible to create an identical copy of an
arbitrary unknown quantum state. Note that we carry out security reduction relative
to quantum physical property instead of the existence of collision-free quantum one-
way function. For example, consider a QDS scheme, we prove it to be unforgeable
for quantum adversaries by a reduction to no-cloning theorem. We can claim that
the QDS scheme is unforgeable as long as violating no-cloning theorem is infeasible
even when an adversary has quantum access to random oracle. This technique works
well whenever we can assure the success of the adversary A.
B. Description of the QDS scheme
Since an adversary interacts with players by making various queries to QRO,
we formulate specific queries to describe the QDS scheme [11]. According to
Proposition 2, QRO can correctly match secret keys and public keys. So the number
of incorrect keys s j is equal to 0. Then we do not need the acceptable or transferable
boundaries. Here we present the QDS scheme with a single key pair.
(1) Message query $q_{message}\{Alice\}$: All parties are allowed to know whether Alice has sent a message $b$ to QRO or not. If Alice sends the message, QRO sends $(b, k_b)$ back. Otherwise, it outputs $(l + 1)$-bit zeros (1-bit message and $l$-bit secret key). Since classical channel cannot guarantee message not being tapped, we use this query to model the process that A eavesdrops message and secret keys via classical channel. The worst case is that A fully accesses message and secret key, i.e., QRO directly returns $b$ and $k_b$.
(2) Signing query $q_{sign}\{b\}$: Anyone could ask QRO for quantum digital signature for $b$. QRO operates quantum one-way function to output key pairs $(k_b, |f_{k_b}\rangle)$. This query models the process that a signer (Alice) generates secret keys of classical bits and public keys of quantum states for every message bit $b$.
(3) Sending query $q_{send}\{b, k_b, |f_{k_b}\rangle, Bob\}$: To transfer a signature to Bob, Alice sends $q_{send}\{b, k_b, |f_{k_b}\rangle, Bob\}$ to QRO. QRO sends a secret key $k_b$ and a public key $|f_{k_b}\rangle$ to Bob. In this query, a signer can choose a secret key and a public key to a recipient, which models an adversary's forgery attack. Besides, A might practically intercept the key pair, measure it and resend the tampered keys to Bob. This scenario also changes the key pair and can be modeled by sending query.
(4) Verifying query $q_{verify}\{k_b, |f_{k_b}\rangle\}$: Bob sends QRO the key pair $(k_b, |f_{k_b}\rangle)$ he received to verify the signature. If the pair is validated by quantum states measurement, QRO returns 1. Otherwise it returns 0. QRO records the verifier's identity and verification result. This query models the verifying phase that recipients compare the quantum states they received with the quantum states generated according to the secret key.
(5) Accepting query $q_{acc}\{Bob\}$: If the record value in verifying query is 1, i.e., the signature is valid, then QRO returns 1. Otherwise, it returns 0. Through this query, Alice can make sure whether her signature is accepted and adversary A can figure out whether his attack is successful.
Different queries related to corresponding parts of QRO are shown in Fig. 11.1.
Based on these specific queries, we present the execution of the QDS scheme [11].
(1) Alice sends 1-bit message to QRO with $q_{sign}\{b\}$ query and gets corresponding secret keys and public keys $(k_b, |f_{k_b}\rangle)$.
Fig. 11.1 QRO model (diagram: Alice and a User exchange the queries qmessage, qsign, qsend, qverify and qacc with the QRO components H and Measure; labels: Eavesdropping, Forgery attack, Intercept-resend attack)

    
(2) Alice sends Bob the key pairs $(k_b, |f_{k_b}\rangle)$ by $q_{send}\{b, k_b, |f_{k_b}\rangle, Bob\}$.
(3) Bob makes a query, namely $q_{verify}\{k_b, |f_{k_b}\rangle\}$ to verify the signature he received. Then QRO records measurement result for next Accepting query.
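
The query flow above can be exercised in a classical toy simulation. The following is an added example, not code from the book or from the QDS scheme [11]; it assumes quantum states can be stood in for by explicit random amplitude vectors and that the oracle's Measure is an ideal equality test, and the names ToyQRO and run_qds_demo are hypothetical.

```python
import math
import random


class ToyQRO:
    """Classical toy model of the QRO: quantum states are explicit amplitude vectors."""

    def __init__(self, key_bits=32, qubits=8, seed=11):
        self.rng = random.Random(seed)  # constructed fixed seed, reproducible run
        self.key_bits, self.dim = key_bits, 2 ** qubits
        self.keys = {}     # G: message bit -> secret key, answered consistently
        self.states = {}   # H: secret key -> state vector, sampled lazily
        self.last = {}     # signer -> last (b, k_b) submitted with q_sign
        self.inbox = {}    # recipient -> (k, state) delivered by q_send
        self.record = {}   # verifier -> result of the last q_verify

    def _G(self, b):
        if b not in self.keys:
            self.keys[b] = self.rng.getrandbits(self.key_bits)
        return self.keys[b]

    def _H(self, k):
        if k not in self.states:
            v = [complex(self.rng.gauss(0, 1), self.rng.gauss(0, 1))
                 for _ in range(self.dim)]
            norm = math.sqrt(sum(abs(a) ** 2 for a in v))
            self.states[k] = [a / norm for a in v]
        return self.states[k]

    @staticmethod
    def fidelity(u, v):
        """|<u|v>|^2, the collision-error probability of a real equality test."""
        return abs(sum(x.conjugate() * y for x, y in zip(u, v))) ** 2

    def q_sign(self, b, signer):
        k = self._G(b)
        self.last[signer] = (b, k)
        return k, self._H(k)

    def q_message(self, signer):
        # Worst case from the text: the eavesdropper learns (b, k_b) in full;
        # zeros are returned when the signer has sent nothing.
        return self.last.get(signer, (0, 0))

    def q_send(self, b, k, state, recipient):
        self.inbox[recipient] = (k, state)

    def q_verify(self, verifier, k, state):
        f = self.fidelity(self._H(k), state)
        self.record[verifier] = 1 if f > 1 - 1e-9 else 0  # ideal Measure (assumption)
        return self.record[verifier], f

    def q_acc(self, verifier):
        return self.record.get(verifier, 0)


def run_qds_demo():
    qro = ToyQRO()
    # Honest execution, steps (1)-(3).
    k_b, f_b = qro.q_sign(1, "Alice")
    qro.q_send(1, k_b, f_b, "Bob")
    honest_verify, _ = qro.q_verify("Bob", *qro.inbox["Bob"])
    honest_acc = qro.q_acc("Bob")
    # Forgery modeled by q_send: the adversary pairs the eavesdropped secret
    # key with a state generated for a different key (an inconsistent pair).
    eavesdropped = qro.q_message("Alice")
    _, f_other = qro.q_sign(1 - eavesdropped[0], "Adversary")
    qro.q_send(eavesdropped[0], eavesdropped[1], f_other, "Bob")
    forged_verify, forged_fidelity = qro.q_verify("Bob", *qro.inbox["Bob"])
    return {
        "k_b": k_b,
        "eavesdropped": eavesdropped,
        "honest_verify": honest_verify,
        "honest_acc": honest_acc,
        "forged_verify": forged_verify,
        "forged_acc": qro.q_acc("Bob"),
        "forged_fidelity": forged_fidelity,
    }


if __name__ == "__main__":
    for name, value in run_qds_demo().items():
        print(name, value)
```

The value forged_fidelity is the overlap $|\langle f_{k_b}|f_{k'}\rangle|^2$ of the inconsistent pair; it plays the role of the collision error ε in Definition 4 and shrinks as the number of simulated qubits grows.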
C. Definition of security in the QRO model
Definition 6 A quantum digital signature scheme (G, Sign, Verify) is existentially unforgeable under quantum chosen message attacks (QCMA-secure) if, for any efficient quantum algorithm F and any polynomial $q$ (in the input of the quantum algorithm), F's probability of success in the following game is negligible:
Key Gen. A challenger runs $k_b \leftarrow G$, then operates $|f_{k_b}\rangle \leftarrow H(m, k_b)$ to generate a public key of quantum states $|f_{k_b}\rangle$ and gives $|f_{k_b}\rangle$ to F.
Signing Queries. An adversary makes a polynomial number $q$ of chosen message queries. For each query, the challenger responds by signing each message in the query by mapping $X \to Y$,

$O(m, k) : \sum_m \psi_m |m\rangle \to \sum_m \psi_m |m, k\rangle$

Forgeries. The adversary is required to produce $q + 1$ message-signature pairs. The challenger then measures that all signatures are valid and all message-signature pairs are distinct. If so, the challenger reports that the adversary wins.
D. Proof of security in the QRO model
Theorem 1 Assume an adversary A has algorithm F and queries QRO for quantum
state signature. A breaks the QCMA-security if A inputs an inconsistent pair of secret
key and public key that QRO cannot distinguish with non-negligible probability. Then
a challenger takes advantage of A to clone quantum states. If quantum states cannot
be cloned perfectly, then the signature is QCMA-secure in the quantum random
oracle model.

Proof We can use QRO to construct a signature on any given message $b$ and output the signature $(k_b, |f_{k_b}\rangle)$. Then we prove this QRO can respond to a classical chosen message attack when A is only given a polynomial number of signatures on random messages.

If A intends to forge a signature, A queries $q_{message}\{Alice\}$ to identify whether Alice has sent the message $b$ to QRO. Then A gets the message and secret key $(b, k_b)$. Through $q$ times queries of $q_{message}\{Alice\}$, A gets $q$ pairs of message and secret key $(b_i, k_{b_i})$, $1 < i < q$. A runs the algorithm F to produce a message $b'$. A queries $q_{sign}\{b'\}$ to get $q + 1$ key pairs $(k_b, |f_{k_b}\rangle)$. A sends the secret key of $b$ and the public key of $b$ to Bob through $q_{send}\{b', k_b, |f_{k_b}\rangle, Bob\}$ query. Then A sends $q_{verify}\{k_b, |f_{k_b}\rangle\}$ query to figure out whether his attack is successful. If QRO outputs 1, A successfully makes a forgery attack with non-negligible probability $\varepsilon$. Therefore, a challenger could use $k_b$ to clone quantum states $|f_{k_b}\rangle$ with probability $\varepsilon$, which violates quantum physical property.
Furthermore, if the adversary is armed with a quantum computer and issues quan-
tum chosen message queries, each of the exponentially many messages in the query
superposition are to be signed. Therefore, using the above technique directly would
require an exponential number of random values for quantum one-way function.
To avoid exponential quantum states needed, we use the technique of small-range
distributions and Lemma 1 to reduce the number of signed messages required to a
polynomial. Let A be a quantum adversary breaking the QCMA-security of signature
with non-negligible probability ε. The idea of security proof is a slight modification
to Boneh’s work [9] that the contradiction lies in violating quantum physical property
instead of hash collision-resistance property. The security of the scheme is proved
through a sequence of games in QRO.
Game 0. A issues $q_{message}\{Alice\}$ query and receives $q$ pairs of message and secret key $(b, k_b^i)$, $1 < i < q$. A is allowed to make a polynomial number of quantum chosen message queries. For query $i$, the challenger runs random generator G, and responds to each message in the query superposition as follows:
– Let $k_b^i = G^{(i)}(b)$.
– Operate quantum one-way function $|f_{k_b^i}\rangle = H_\psi(k_b^i)$.
– Respond with the signature $(k_b^i, |f_{k_b^i}\rangle)$.
In the end, A must produce $q + 1$ distinct pairs $(k_b^i, |f_{k_b^i}\rangle)$ such that verifying query $q_{verify}\{k_b^i, |f_{k_b^i}\rangle\} = 1$. By definition, A wins with probability $\varepsilon$, which is non-negligible. Therefore, there is some polynomial $p = p(\lambda)$ such that $p(\lambda) > 1/\varepsilon(\lambda)$ for infinitely-many $\lambda$. Here $\lambda$ is the input of G.
Game 1. We modify the condition in which A wins by requiring that no two pairs $(k^i, |f_{k^i}\rangle)$ form a collision error for H in QRO. Then A succeeds in Game 1 with probability at least $\varepsilon - negl$.
Game 2. Let  = 2C0 qp where C0 is a constant from Lemma 1. At the beginning  

of the game, for i = 1, . . . , q and j = 1, . . . , , sample values k̂ (i)
j and let  f k (i) =
j

Hψ (k̂b(i) ). Also pick q random


 functions
  Oi to  map m to  according to Proposition 1.
(i) (i)  ˆ
Then let km = k̂ Oi (m) and  f km(i) =  f k (i) . The difference between Game 1 and
Oi (m)
 

Game 2 only lies in the generation of km(i) and  f km(i) by q small-range distributions
on  samples. Each of the small-range distributions is only required once, so Lemma 1
implies that the success probability is still at least ε − negl − 1/2 p.
If the adversary wins in Game 2, it produces two secret keys $k_b^{*}$, $k_b^{*}$ on a same public-key $|f_{k_b^i}\rangle$. Then a challenger could produce same quantum states with probability $\varepsilon - negl - 1/2p$. The quantum states produced by QRO are distinguishable, which implies this quantity is negligible, thus $\varepsilon - 1/2p$ is negligible. Since $\varepsilon > 1/p$ infinitely often, $1/2p < negl$ infinitely often, there exists a contradiction. So $\varepsilon$ is negligible.
In this section, we formulate Message query, Signing query, Sending query, and
Verifying query, etc. These queries are used to model an adversary’s possible attack
such as eavesdropping, forgery attack, and intercept-resend attack. Then we give a
general definition of QCMA-security for the QDS scheme based on quantum one-way
function. Through a series of games, we prove the QDS scheme is QCMA-secure
even under quantum chosen message attack by a reliable reduction to no-cloning
theorem.

11.1.7 Discussion

In the original security model [11], the QDS scheme is proved information-
theoretically secure, which relies on significantly large security parameter. An adver-
sary may use the collision-type error to easily pass the verifying phase, while the
original security model does not provide the related analysis. Apart from information-
theoretical security, we can provide the provable security of quantum cryptographic
protocols, e.g., the unforgeable security of QDS. In the new QRO model, we prove
the QCMA-security of a QDS scheme via a series of indistinguishability games, even
if an adversary has quantum access to QRO. We use different queries to model dif-
ferent attack scenarios, including the collision case. The QRO model can be used to
simplify quantum cryptographic protocols based on quantum one-way function and
testify its security on every step. When QRO is instantiated, we can analyze special
attack scenarios and define the similar security parameter to protect its security.
Table 11.1 Comparison with different RO models

Comparison items            RO model        Quantum-accessible random oracle model   QRO model
Model                       Hash function   Hash function                            Quantum one-way function
Assumption                  PRF             QPRF                                     Collision-free measurement
Response to quantum query   No              Yes                                      Yes
Form of signature           Classical       Classical                                Quantum
Reduction                   PRF etc.        LWE, QPRF, etc.                          No-cloning theorem

Furthermore, in contrast to the classical RO model, QRO is used to model quantum
one-way function to analyze the provable security of QDS scheme. Considering the
vaguely defined and not yet implemented quantum hash [26], we select a broader
concept, namely quantum one-way function, to be a modeling object. In the QRO model,
collision-free measurement assumption replaces computational hardness assumption
of pseudorandom function (PRF) in the RO model. A new function is added to QRO
so that it can not only respond to the quantum state queries, but also output signatures of
quantum states. Unlike the prior quantum-accessible random oracle model [6] which
relies on classical hard problems such as learning with errors (LWE) problem and
the assumption of QPRF against quantum adversaries, we use no-cloning theorem
as a hard problem for reduction. In addition, we use queries to QRO to model an
adversary’s capability. Comparison among different RO models is summarized in
Table 11.1.

11.2 Quantum Random Oracle Model for Quantum Public-Key Encryption

11.2.1 Instantiation of Quantum Random Oracle Model

Different from famous quantum key distribution (QKD) protocols [27], a new crypto-
graphic primitive, namely quantum hash function, has been considered by researchers
for cryptographic protocols with higher level of security. The quantum hash function
maps a classical bit-string to a quantum state. Due to the accountability of unknown
quantum states, quantum hash functions were first used to design unforgeable quan-
tum digital signatures [28] and quantum fingerprints [29]. Then quantum public-key
encryption (QPKE) schemes also made use of the uncloneability [30, 31], regarding
secret keys as the trapdoor information. In 2014, Ablayev et al. [32] for the first time
gave a rigorous definition of quantum hash function. They subsequently discussed
several constructions of quantum hash function [33]. Recent works on quantum hash
function include new ways of constructions [34] and its applications [35]. However,
there are still some open problems in the field of quantum hash functions. In the
previous researches, some of quantum hash functions are given concrete construc-
tions of quantum circuits [29–31, 33], while others are only used as a black box [28].
For the existing and future protocols which use quantum hash functions as secure
subprograms (and do not care about how exactly they are instantiated), we do lack
an ideal model of such quantum hash function for further analysis and design.
Previous security analyses of quantum cryptographic protocols mainly concen-
trate on scenario quantum attacks, i.e., only limited types of attack are analyzed [30,
31]. Such analysis of diverse quantum attacks is not general enough to prove the
security of quantum cryptographic protocols, and a more precise and generic tool is
needed for the protocols using quantum hash functions to perform provable security
analysis. A new type of QRO which can model a quantum hash function is such an
efficient tool to solve these problems. A well-defined QRO can reasonably simulate
a quantum hash function in terms of protocol designing. The attempt of constructing
a QRO model has been made in [36] for cryptanalysis of quantum digital signature
(QDS).
In this section, we generalize the construction and property of the QRO model,
and redefine the QRO model to analyze the security of quantum hash based QPKE
against key-collision attack [37]. Concretely, we introduce a paradigm of security
analysis in the QRO model, and give the instantiation method of the QRO model for
quantum cryptographic protocols, i.e., how to replace the QRO with an appropriate
quantum hash function.

11.2.2 Quantum Hash Function

Unlike classical cases where the security analysis relies on computational assump-
tion, the security of quantum hash functions is guaranteed by quantum physical laws.
A quantum hash function takes a classical bit-string as an input and outputs a quan-
tum state of fixed length. It also has its one-wayness and collision-resistance. Similar
to the classical case, the one-wayness of a quantum hash function requires that the
input of a classical bit-string cannot be deduced from the output of quantum states
[32, 33]. The no-cloning theorem avoids an adversary obtaining a large enough num-
ber of an unknown hash value. Thus, the one-wayness can be guaranteed by Holevo
bound [38], i.e., no more than O(s) bits of information can be learned from s qubits.
According to the Holevo bound, the one-wayness condition holds when the length
of an input is much larger than that of an output.
As for collision-resistance, a quantum hash function becomes more complicated
and very different from its classical counterpart. Since the Hilbert space is an infinite
field (while a set of bit-strings with fixed length is a finite one), we can easily design
a quantum hash function that is mathematically an injective function, i.e., there is no
collision according to its definition. However, when comparing two quantum states
or recovering classical information from a quantum state, one will introduce mea-
surement operations, which could lead to collision-type errors. Now the ‘collision’
refers to the case where quantum hash values are measured to be identical while
they are actually different. The probability of this collision is closely related to the
inner product of two quantum states. Thus, for the collision-resistance condition, the
outputs of a quantum hash function are required to be nearly orthogonal [32, 33].
Based on the above considerations, the quantum hash function is defined as fol-
lows:

Definition 7 (quantum hash function [33]) Let  > 0 and δ > 0. We call the function
ψ : {0, 1}n → (H2 )⊗s a (, δ)-quantum hash function if the following conditions hold
• One-wayness: for any quantum algorithm A, the probability of finding a preimage
of ψ is bounded by :
Pr[A(ψ(x)) = x] <  (11.2)


• Collision resistance: for any different pair $(w, w')$, the norm of the inner product of their hash value is bounded by $\sqrt{\delta}$, then the probability that two different hash values are measured to be identical is bounded by

$\Pr[\mathit{Measure}(|\psi(w)\rangle) = \mathit{Measure}(|\psi(w')\rangle)] = |\langle \psi(w) | \psi(w') \rangle|^2 < \delta$ (11.3)

11.2.3 Quantum Public-Key Encryption

QPKE protocols can be qubit rotations-based [30, 31], knapsack-based [39] or fully-
flipped-permutations-based [40]. Some of them [30, 31, 40] can be abstracted as
ones based on a quantum hash function in which the secret key and the plaintext
are classical, while the public key and the ciphertext are quantum states. This type
of QPKE can be described as follows:

Definition 8 The QPKE protocol based on a quantum hash function $\psi$ consists of 3 steps
• Key-generation Gen: the key-generation Gen outputs the secret key $sk \in \{0, 1\}^n$, then generates $s$-qubit public key $|pk\rangle$ by using the quantum hash function $\psi$

$Gen(1^n) = sk,\ |pk\rangle = \psi_{sk} |0\rangle^{\otimes s}$ (11.4)

• Encryption Enc: for the plaintext $m \in \{0, 1\}$, Enc probabilistically encrypts $m$ with the public key $|pk\rangle$ and outputs $s$-qubit ciphertext $|c\rangle$

$|c\rangle = Enc_m |pk\rangle = Enc_m \cdot \psi_{sk} |0\rangle^{\otimes s}$ (11.5)

• Decryption Dec: for the ciphertext $|c\rangle \in (\mathcal{H}^2)^{\otimes s}$, Dec deterministically decrypts $|c\rangle$ with the secret key $sk'$. Since the Dec is a quantum algorithm, we introduce a tracing-out operator of the Dec's output to get 1-bit plaintext $m'$

$|m'\rangle = Tr_{s-1}[Dec_{sk'} |c\rangle] = Tr_{s-1}[Dec_{sk'} \cdot Enc_m \cdot \psi_{sk} |0\rangle^{\otimes s}]$ (11.6)

then the measurement on the base vector $\{|0\rangle, |1\rangle\}$ can output a classical $m'$.
The quantum algorithms Enc and Dec are designed based on the quantum hash function $\psi$, obeying the following rules
• Enc and $\psi$ commute, i.e.,

$[Enc, \psi] = Enc\,\psi - \psi\,Enc = 0$ (11.7)

• When the public-key $|pk\rangle = |0\rangle^{\otimes s}$, the last qubit of the output of Enc becomes the base vector

$Tr_{s-1}[Enc_m \cdot |0\rangle^{\otimes s}] = |m\rangle,\ m \in \{0, 1\}$ (11.8)

• Dec reverses $\psi$

$Dec_{sk} = \psi_{sk}^{-1}$ (11.9)

These three rules guarantee that decryption with the correct $sk$ outputs the original $m$

$$\begin{aligned}
|m'\rangle &= Tr_{s-1}[Dec_{sk} \cdot Enc_m \cdot \psi_{sk} |0\rangle^{\otimes s}] \\
&= Tr_{s-1}[Dec_{sk} \cdot \psi_{sk} \cdot Enc_m |0\rangle^{\otimes s}] \\
&= Tr_{s-1}[Enc_m |0\rangle^{\otimes s}] = |m\rangle
\end{aligned}$$ (11.10)

Note that the probabilistic encryption algorithm Enc can be the one that randomly
parity-codes the plaintext m then encrypts the codeword. This strategy was suggested
against forward-search attack in [31].
The security notions defined in [41] can help with the cryptanalysis of the QPKE
protocols. In the quantum chosen plaintext attack (qCPA) model, (constant) C copies
of the public-key are fed to the adversary, so it can invoke the encryption oracle with
| pk for at most C times. The security under qCPA is defined as follows:

Definition 9 (indistinguishability under qCPA) A QPKE protocol is indistinguishable [41] under qCPA, if for any quantum adversary A, for every plaintext pair $(m_x, m_y)$, the following difference of probability

$|\Pr[A(|pk\rangle^{\otimes C}, Enc_{m_x} |pk\rangle) = 1] - \Pr[A(|pk\rangle^{\otimes C}, Enc_{m_y} |pk\rangle) = 1]|$ (11.11)

is negligible.

11.2.4 QPKE in the QRO Model

In this section, we analyze the security of QPKE in the QRO model. We first define
the QRO so that it can simulate cryptographic procedures of QPKE. Then we describe
the QPKE protocol in the QRO model by defining the adversary-challenger game
with the random oracle. Finally, we give a paradigm of security proof for QPKE in
the QRO model. Herein, we introduce a new type of attack, namely key-collision
attack. Analysis demonstrates that the property of QRO must be satisfied to prevent
this attack.
A. Re-definition of the QRO model
We make reasonable adjustments to the first “classical-quantum” random oracle
in Definition 4. Firstly, we remove the classical random number generator G in
Definition 4. This part of QRO simulates the secret key generation step in a protocol,
but the input of a message m is unnecessary. In fact, the secret key is generated locally
in the QPKE or the QDS protocols, and this step will not be explored in any classical
or quantum communication. Removing G does not violate the security proof in [36].
We mainly focus on the possible attacks to quantum hash functions. So the classical
random number generator G is removed in our QRO model.
Then we remove the decision part Measure in Definition 4 and describe the
distinguishability as the property of QRO instead. The expression is identical in
security proof, while the re-description of the distinguishability is more natural and
simplifies the QRO model.
Finally, we add a C-restriction of the QRO, i.e., if the QRO is invoked by the
challenger, it only generates at most C copies of the output. This restriction reflects
the fact that the adversary can only intercept limited copies of the unknown public
key due to the no-cloning theorem.
According to the above considerations, we re-define the QRO as follows:

Definition 10 (quantum random oracle) A quantum random oracle is an efficient algorithm $H_q$ that satisfies the following properties
• When queried with a classical bit-string $k \in \{0, 1\}^n$, $H_q$ randomly and consistently generates $s$-qubit quantum states $|H_q(k)\rangle \in (\mathcal{H}^2)^{\otimes s}$.
• Any pair of outputs of $H_q$ with different inputs is nearly orthogonal

$|\langle H_q(w) | H_q(w') \rangle| < \delta$ (11.12)

where $\delta$ is negligible in $n$.
• If $H_q$ is invoked by the challenger with any input $k$, it responds for at most $C$ times for the same input.

In the next sections, the QRO in Definition 10 will be utilized for security analysis.
We note that the corollaries in [36] still hold in the adjusted QRO model.
B. Description of the QPKE protocol
Here we present the QPKE protocol in the QRO model defined in Definition 10. The
adversary-challenger game is defined as follows:
Definition 11 (the adversary-challenger game) The adversary-challenger game of the QPKE protocol in Definition 8 consists of the following three phases
Phase 1. The Challenger runs $Gen(1^n)$ to get secret key $sk$. Then it queries QRO $H_q$ with $sk$. The QRO gives at most $C$ copies of $|H_q(sk)\rangle$ to the adversary.
Phase 2. The adversary in this phase can query the challenger with message-key pairs $(m_i, |H_q(k_i)\rangle)$. The challenger encrypts the messages with the corresponding public key and returns the ciphertext $Enc_{m_i} |H_q(k_i)\rangle$ to the adversary. The number of this query is denoted by $q_{enc}$. The adversary can generate arbitrary many of its own public keys by querying QRO. So the public key it supplies to the challenger can be the limited ones it gets in Phase 1, or arbitrary many of its own keys generated in Phase 2. The number of the adversary querying QRO in this phase is denoted by $q_{ro}$. Obviously, we have $q_{enc} \le q_{ro} + C$.
Phase 3. The adversary chooses two distinct plaintexts $(m_0, m_1)$. The challenger encrypts one of them with its public key $|H_q(sk)\rangle$ and returns $Enc_{m_b} |H_q(sk)\rangle$, $b \in \{0, 1\}$. Then the adversary outputs a single bit $b' \in \{0, 1\}$. The advantage of the adversary is denoted by the probability that $b = b'$:

$Adv_{qCPA}(adversary) = 2 \Pr[b = b'] - \frac{1}{2}$ (11.13)

The adversary-challenger game is shown in Fig. 11.2. The challenger wins the game if the adversary's advantage is negligible beyond $\frac{1}{2}$. In this case the QPKE protocol has ciphertext indistinguishability under qCPA according to Definition 9.
C. Security of the QPKE protocol
Theorem 2 The QPKE protocol in Definition 8 has ciphertext indistinguishability
under qCPA in the QRO model.
Proof We start with regular analysis as it is in the classical case where the adversary attempts to get a secret key $sk$. Let $A$ be the event that the adversary asks the query $sk$ in Phase 2 of the game. If $A$ happens, the adversary can decrypt $Enc_{m_b} |H_q(sk)\rangle$ in Phase 3 with probability 1 according to the consistency of Definition 8. But in the game, $|H_q(sk)\rangle$ is randomly generated by QRO and independent from $sk$. Thus, no public information is related to $sk$. The probability that the adversary obtains $sk$ is that it asks $sk$ in $q_{ro}$ queries, i.e., the event $A$ happens.
When $A$ does not happen, the adversary faces $q_{enc}$ pieces of ciphertext. Recall that the public keys are generated independently and randomly. The state of the entire possible public keys indicates maximum mixed state

$\rho_{pk} = \frac{I^{\otimes s}}{2^s}$. (11.14)
Fig. 11.2 The adversary-challenger game

The ciphertext is generated from the public key by a completely positive map $Enc_m$

$\rho_{pk} \to \rho_c = Enc_m\, \rho_{pk}\, Enc_m^{\dagger}$. (11.15)

The mixed state $\rho_c$ stays maximally mixed under the encryption operator, i.e., $\rho_c = \frac{I^{\otimes s}}{2^s}$. Hence, the adversary cannot distinguish from distinct messages.
Based on the above considerations, the advantage of the adversary

$$\begin{aligned}
\Pr[b = b'] &= \Pr[A] \cdot \Pr[Enc_{m_b} |H_q(sk)\rangle = Enc_{m_b} |H_q(k_i)\rangle \mid A] + \Pr[\bar{A}] \cdot \Pr[b = b' \mid \bar{A}] \\
&\le \frac{q_{ro}}{2^n} \cdot 1 + \left(1 - \frac{q_{ro}}{2^n}\right) \cdot \frac{1}{2} \\
&= \frac{1}{2} + \frac{q_{ro}}{2 \cdot 2^n} = \frac{1}{2} + negl(n)
\end{aligned}$$ (11.16)
Now we consider two special attacks only possible in the quantum world. The first attack is so-called ‘forward-search’ attack [31]. This type of attack is invalidated by randomization as mentioned in Definition 8.
The second attack is a collision-type attack. Consider a quantum adversary obtaining the key-generation algorithm Gen without the secret key $sk$. By randomly guessing a secret key, he/she probably gets a wrong public key $|H_q(sk')\rangle$. This wrong public key $|H_q(sk')\rangle$, however, may help the adversary distinguish the ciphertext encrypted with the right key $sk$ in the game due to the probabilistic measurement. This is a collision-type attack and is called here a key-collision attack. In the quantum hash-based QPKE, the key-collision attack is possible only when the possible public keys are non-orthogonal.

Definition 12 A key-collision attack on QPKE helps the adversary distinguish the ciphertext in the game. An adversary undertakes this attack by randomly guessing $sk'$, generating ciphertext $Enc_{m_b} |H_q(sk')\rangle$, and comparing it with the challenge ciphertext $Enc_{m_b} |H_q(sk)\rangle$.

Theorem 3 If the inner product of two distinct public keys $|\langle pk | pk' \rangle|$ is negligible, then QPKE in the QRO model is secure under the key-collision attack.

Proof Note that distinct public keys are near-orthogonal according to Definition 10, i.e., $|\langle H_q(k_i) | H_q(k_j) \rangle| = \delta$ where $\delta$ is negligible. For the comparing technique of SWAP-test [32], the probability that the adversary can distinguish the challenger's ciphertext with a wrong secret key $sk'$ is

$$\begin{aligned}
\Pr_{SWAP}[b = b'] &= \frac{1}{2}\left(1 + |(Enc_{m_b} |H_q(sk')\rangle, Enc_{m_b} |H_q(sk)\rangle)|^2\right) \\
&= \frac{1}{2}\left(1 + |\langle H_q(sk') | H_q(sk) \rangle|^2\right) \\
&= \frac{1}{2} + \frac{1}{2}\delta^2 = \frac{1}{2} + negl(n)
\end{aligned}$$ (11.17)

By means of partial-trace and measurement, the adversary can obtain $|m\rangle$ with only negligible probability $\delta^2$. Since the ciphertext can only be decrypted once, the QPKE is secure under the key-collision attack.

In the QRO model, the key-collision attack is impossible since the outputs of
QRO are nearly orthogonal. When realizing the QRO, the corresponding property of
quantum hash function must be considered. Detailed discussions about this attack
will be described in the latter instantiation.

11.2.5 Instantiation of QRO for a Bad and a Good Example

Both in classical and quantum circumstances, the instantiation of the RO model with
a concrete hash function is crucial for the practical analysis of cryptographic pro-
tocols. In this section, we will discuss what kind of quantum functions is suitable
for the instantiation of QRO. We give a qubit rotation-based function and a quantum
fingerprinting-based one as examples. For the former, it is a bad attempt of instan-
tiation because of the non-orthogonality of its outputs. The adversary can decrypt a
ciphertext with non-negligible probability even without a secret key. For the latter,
it is a (, δ)-quantum hash function and thus suitable for the instantiation of QRO.
A. A bad example: single-qubit rotation
The QPKE protocol based on single-qubit rotation is presented in [30], and random-
ized against forward-search attack in [31]. In this scheme, the QRO is instantiated by
a single-qubit rotation around y-axis in the Bloch-sphere, where the rotating angle is
determined by the secret key. A probabilistic QPKE protocol based on single-qubit
rotation is described as follows:
Scheme 1: The QPKE protocol based on single-qubit rotation [31] consists of
three steps
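• Key-generation Gen: Gen chooses a random n-bit string $sk = k_1 \| k_2 \| \dots \| k_s \in \{0,1\}^n$ with each $k_j$ chosen independently from $\mathbb{Z}_{2^{n/s}}$ (suppose s divides n). Then Gen prepares s qubits $|0_z\rangle^{\otimes s}$ and performs a rotation operation $\hat{R}(k_j)$ on the jth qubit to obtain $\bigotimes_{j=1}^{s}\left(\cos\left(\frac{\pi k_j}{2^{n/s}}\right)|0\rangle + \sin\left(\frac{\pi k_j}{2^{n/s}}\right)|1\rangle\right)$. Here the rotation operation

$$\hat{R}(k_j) = \cos\frac{\pi k_j}{2^{n/s}}|0\rangle + \sin\frac{\pi k_j}{2^{n/s}}|1\rangle \tag{11.18}$$

The secret key is sk and the public key is $|pk\rangle = \bigotimes_{j=1}^{s}\left(\cos\left(\frac{\pi k_j}{2^{n/s}}\right)|0\rangle + \sin\left(\frac{\pi k_j}{2^{n/s}}\right)|1\rangle\right)$.
• Encryption Enc: for the plaintext $m \in \{0, 1\}$, Enc probabilistically parity-codes m into an s-bit codeword $w = w_1 w_2 \dots w_s$, then Enc encrypts w by rotating the jth qubit of the public key with the angle $\pi w_j$

$$|c\rangle = \bigotimes_{j=1}^{s}\left(\cos\left(\frac{\pi k_j}{2^{n/s}} + \pi w_j\right)|0\rangle + \sin\left(\frac{\pi k_j}{2^{n/s}} + \pi w_j\right)|1\rangle\right) \tag{11.19}$$

• Decryption Dec: for the ciphertext $|c\rangle$, Dec decrypts $|c\rangle$ by rotating the jth qubit of $|c\rangle$ with angle $-\frac{\pi k_j}{2^{n/s}}$ and gets

$$\bigotimes_{j=1}^{s}\left(\cos(\pi w_j)|0\rangle + \sin(\pi w_j)|1\rangle\right) \tag{11.20}$$

then applies CNOT gate where the first s − 1 qubits are the control qubits. Now the last qubit becomes

$$|w_1 \oplus w_2 \oplus \cdots \oplus w_s\rangle = |m\rangle. \tag{11.21}$$

The measurement on the base vector $\{|0\rangle, |1\rangle\}$ can output a classical m.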
When the QRO is instantiated, the secrecy of sk is guaranteed by Holevo bound.
According to the Holevo-Nayak bound [42], the secret key sk is secure against any
adversary when
2sC
Pr[A(| pk⊗C ) = sk] < <
2n (11.22)
2 log2 
⇒s<
C
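This scheme is randomized against the forward-search attack. However, it is vulnerable under the key-collision attack. This is because, as mentioned in Sect. 11.2.4, the public keys are not “orthogonal” enough. The inner product of any two possible public keys is

$$
\begin{aligned}
&\left|\left(\bigotimes_{j=1}^{s}\left(\cos\left(\frac{\pi k_j}{2^{n/s}}\right)|0\rangle + \sin\left(\frac{\pi k_j}{2^{n/s}}\right)|1\rangle\right), \bigotimes_{j=1}^{s}\left(\cos\left(\frac{\pi k'_j}{2^{n/s}}\right)|0\rangle + \sin\left(\frac{\pi k'_j}{2^{n/s}}\right)|1\rangle\right)\right)\right| \\
&\quad = \left|\prod_{j=1}^{s}\cos\left(\frac{\pi(k_j - k'_j)}{2^{n/s}}\right)\right|
\end{aligned}
\tag{11.23}
$$

and can be non-negligible. In this case, the adversary can decrypt the ciphertext with non-negligible probability $\left|\prod_{j=1}^{s}\cos\left(\frac{\pi(k_j - k'_j)}{2^{n/s}}\right)\right|^2$. Thus, single-qubit rotation is not suitable for instantiating the QRO.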
B. A good example: quantum fingerprinting
The quantum fingerprinting technique was used for constructing a quantum hash
function [32]. By replacing QRO with this quantum hash function, we can describe
the QPKE protocol as follows:
Scheme 2: The QPKE protocol based on quantum fingerprinting [32] consists of
three steps
• Key-generation Gen: Gen fixes a number t. Gen chooses a random n-bit string $sk = k_1 \| k_2 \| \dots \| k_t \in \{0,1\}^n$ with each $k_j$ chosen independently from $\mathbb{Z}_{2^{n/t}}$. Gen also selects $dt = 2^{s/t-1}t$ parameters $K = \{\kappa_{1,1}, \dots, \kappa_{d,t}\}$ where $\kappa_{i,j} \in \mathbb{Z}_{2^{n/t}}$. Then Gen prepares s qubits $|0_z\rangle^{\otimes s}$ and obtains a public key

$$|pk\rangle = \bigotimes_{j=1}^{t}\frac{1}{\sqrt{d}}\sum_{i=1}^{d}|i\rangle \cdot \left(\cos\left(\frac{2\pi\kappa_{i,j}k_j}{2^{n/t}}\right)|0\rangle + \sin\left(\frac{\pi\kappa_{i,j}k_j}{2^{n/t}}\right)|1\rangle\right) \tag{11.24}$$

The secret key is sk.
• Encryption Enc: for the plaintext $m \in \{0, 1\}$, Enc probabilistically parity-codes m into a t-bit codeword $w = w_1 w_2 \dots w_t$, then Enc encrypts w by rotating the $(js/t)$th qubit of the public key with the angle $\pi w_j$

$$\bigotimes_{j=1}^{t}\frac{1}{\sqrt{d}}\sum_{i=1}^{d}|i\rangle \cdot \left(\cos\left(\frac{2\pi\kappa_{i,j}k_j}{2^{n/t}} + \pi w_j\right)|0\rangle + \sin\left(\frac{\pi\kappa_{i,j}k_j}{2^{n/t}} + \pi w_j\right)|1\rangle\right) \tag{11.25}$$

• Decryption Dec: for the ciphertext $|c\rangle$, Dec operates the inversion of Gen to obtain

$$\bigotimes_{j=1}^{t}\frac{1}{\sqrt{d}}\sum_{i=1}^{d}|0\rangle\left(\cos(\pi w_j)|0\rangle + \sin(\pi w_j)|1\rangle\right) \tag{11.26}$$

then applies CNOT gate where the first s − 1 qubits are the control qubits. Now the last qubit becomes

$$|w_1 \oplus w_2 \oplus \cdots \oplus w_s\rangle = |m\rangle. \tag{11.27}$$

The measurement on the base vector $\{|0\rangle, |1\rangle\}$ can output a classical m.
By means of properly choosing the parameter K, this scheme is secure under the key-collision attack. Consider the encryption of one codeword bit $w_j$. The public key for this codeword is

$$|pk(k_j)\rangle = \frac{1}{\sqrt{d}}\sum_{i=1}^{d}|i\rangle\left(\cos\left(\frac{2\pi\kappa_{i,j}k_j}{2^{n/t}}\right)|0\rangle + \sin\left(\frac{\pi\kappa_{i,j}k_j}{2^{n/t}}\right)|1\rangle\right) \tag{11.28}$$

It can be proved that the public keys of any distinct pairs $(k_j, k'_j)$ are near-orthogonal with properly selected $\{\kappa_{1,j}, \kappa_{2,j}, \dots, \kappa_{d,j}\}$. In [32], the proof of the following lemma was given.

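Lemma 2 For a quantum hash function

$$|h(k)\rangle = \frac{1}{\sqrt{d}}\sum_{i=1}^{d}|i\rangle\left(\cos\left(\frac{2\pi\kappa_i k}{2^{n}}\right)|0\rangle + \sin\left(\frac{\pi\kappa_i k}{2^{n}}\right)|1\rangle\right) \tag{11.29}$$

and arbitrary $\delta > 0$, there exists a set $K = \{\kappa_i\}$ such that

$$|\langle h(k)|h(k')\rangle| < \delta \tag{11.30}$$

for any distinct pair of $(k, k')$.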

From Lemma 2, we know that public keys of any distinct pairs $(k_j, k'_j)$ are near-orthogonal with properly selected $\{\kappa_{1,j}, \kappa_{2,j}, \dots, \kappa_{d,j}\}$. Since the public keys for different codewords are not entangled with each other, the inner product of any two distinct public keys is

$$|\langle pk(k)|pk(k')\rangle| = \prod_{j=1}^{t}|\langle pk(k_j)|pk(k'_j)\rangle| < \delta^{t} \tag{11.31}$$

Thus, the probability that the adversary successfully implements the key-collision attack, $\Pr_{\text{key-collision attack}}(\text{adversary}) = |\langle pk(k)|pk(k')\rangle|^2$, is bounded by $\delta^{2t}$. According to a similar technique in the proof of Theorem 3, the QPKE protocol is secure against the key-collision attack.

11.2.6 Numerical Simulation of Key-Collision Attack

We give the numerical results of the simulation of the key-collision attack on the
aforementioned two examples of the QRO instantiation.
Simulation parameters are set as follows: To compare the two instantiation examples with the same consumption of quantum resources, the length of the public key n is the same in both examples, ranging from 1 qubit to 1000 qubits. Each component of the secret key in both schemes ($k_i$, $i = 1, \dots, s$ in Scheme 1 and $k_j$, $j = 1, \dots, t$ in Scheme 2) is 8 bits. Parameter d in Scheme 1 is d = 8, thus the length of the public key in Scheme 2 is $n = (\log_2 d + 1)t \Rightarrow t = \frac{n}{\log_2 d + 1} = \frac{n}{4}$. Parameters $\kappa_{i,j} \in \{0, 1\}^8$, so $8dt = 16n$-bit extra memory for $K = \{\kappa_{i,j}, i = 1, \dots, d, j = 1, \dots, k\}$ is required in Scheme 2. To simulate the key-collision attack, we assume
that the difference of rotating angle of the correct public key and the attacker’s public
key is less than θ = 2π5 . The probability of this attack is no less than 2θ
π
= 216 ≈ 6%,
which corresponds to the random guess of the rotating angle of the correct public
key.
Fig. 11.3 shows the comparison between the adversary’s advantage over Scheme 1
and Scheme 2, and Table 11.2 specifies parameters and results when n = 100. Appar-
ently, while increasing the length of the public key can help reduce the advantage of
the adversary, Scheme 1 is vulnerable under the key-collision attack when n = 100.
On the other hand, Scheme 2 performs well under the key-collision attack even with
a short public key, while it requires extra storage of 1600 bits for K = {κi, j } when
n = 100.
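The following Python sketch is an added illustration, not the authors' simulation code. It evaluates the public-key overlaps behind Eqs. (11.23) and (11.31) for 8-bit key components and the same qubit budget n, with a random search standing in for the parameter set K of Lemma 2. Assumptions: the fingerprinting state uses the angle 2πκk/2^8 in both amplitudes so that each branch is normalized, the same set of d values κ is reused for every component, and the adversary's guess differs from the true key by 1 in every component; all function names are hypothetical.

```python
import math
import random

KEY_BITS = 8            # each secret-key component is 8 bits (Sect. 11.2.6)
Q = 2 ** KEY_BITS       # number of values one key component can take


def overlap_rotation(k, k_guess):
    """|<pk(k)|pk(k')>| for Scheme 1: product of cos(pi*(k_j - k'_j)/Q), Eq. (11.23)."""
    prod = 1.0
    for a, b in zip(k, k_guess):
        prod *= math.cos(math.pi * (a - b) / Q)
    return abs(prod)


def component_overlap_fingerprint(delta_k, kappa):
    """|<pk(k_j)|pk(k'_j)>| for one Scheme 2 component with k_j - k'_j = delta_k.

    Assumption: both amplitudes use the angle 2*pi*kappa_i*k/Q, so the overlap
    is the average of cos(2*pi*kappa_i*delta_k/Q) over the d parameters.
    """
    total = sum(math.cos(2 * math.pi * kap * delta_k / Q) for kap in kappa)
    return abs(total / len(kappa))


def overlap_fingerprint(k, k_guess, kappa):
    """|<pk(k)|pk(k')>| for Scheme 2: product over the t components, Eq. (11.31)."""
    prod = 1.0
    for a, b in zip(k, k_guess):
        prod *= component_overlap_fingerprint(a - b, kappa)
    return prod


def worst_case_delta(kappa):
    """Largest single-component overlap over all distinct key pairs (the delta of Lemma 2)."""
    return max(component_overlap_fingerprint(dk, kappa) for dk in range(1, Q))


def search_kappa(d=8, trials=200, seed=1):
    """Random search for a parameter set with a small worst-case overlap."""
    rng = random.Random(seed)
    best, best_delta = None, float("inf")
    for _ in range(trials):
        cand = [rng.randrange(1, Q) for _ in range(d)]
        delta = worst_case_delta(cand)
        if delta < best_delta:
            best, best_delta = cand, delta
    return best, best_delta


def compare(n=100, d=8):
    """Key-collision success probability |<pk|pk'>|^2 at equal public-key length n.

    Scheme 1 uses n single-qubit components; Scheme 2 uses t = n/(log2(d)+1).
    Returns (Scheme 1 probability for a neighbouring key,
             Scheme 2 bound delta^(2t), delta).
    """
    t = n // (int(math.log2(d)) + 1)
    key1 = [17] * n                              # constructed sample key
    p1 = overlap_rotation(key1, [x + 1 for x in key1]) ** 2
    _, delta = search_kappa(d)
    return p1, delta ** (2 * t), delta


if __name__ == "__main__":
    p1, p2_bound, delta = compare(100)
    print(f"Scheme 1, neighbouring key: success probability {p1:.4f}")
    print(f"Scheme 2, any wrong key:    success probability < {p2_bound:.2e} (delta = {delta:.3f})")
```

Neighbouring keys in Scheme 1 give an overlap close to 1 regardless of n in this range, which is the non-orthogonality that makes the rotation-based instantiation unsuitable, while the product bound of Scheme 2 shrinks exponentially in t.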

11.3 Summary

In this chapter, we provided a new QRO model and a framework of security analysis
procedure for the provable security of quantum cryptographic protocols based on
quantum one-way function. A QDS scheme was proved QCMA-secure through a
sufficiently reliable reduction to no-cloning theorem. Then we provided a new quan-
tum random oracle model with reasonable properties for quantum hash-based QPKE
protocol. We also demonstrated what kind of instantiation is suitable for the quantum
random oracle and verified it by numerical simulation. We note that, while it is natural

[Fig. 11.3 Adversary’s advantage. Plot of the adversary's advantage (vertical axis) against the length of the public key (horizontal axis) for Scheme 1 and Scheme 2.]

Table 11.2 Simulation result of n = 100

| Parameters & Results | Scheme 1 | Scheme 2 |
|---|---|---|
| $\lvert pk\rangle$ | 100 qubits | 100 qubits |
| sk | 800 bits | 800 bits |
| $\lvert c\rangle$ | 100 qubits | 100 qubits |
| d | – | 8 |
| K | – | 1600 bits |
| Simulation time | 1000 | 1000 |
| Adversary’s winning time | 801 | 522 |
| Advantage | 0.602 | 0.044 |

to conceive secure QPKE schemes under quantum chosen ciphertext attack (qCCA)
as in the classical circumstances, how the adversary would deal with the quantum
decryption oracle which is probabilistic due to the randomness of measurement is
still an open question. Further work lies in the security analysis of quantum public
key cryptographic protocols under qCCA, or other kinds of quantum random oracle
like “quantum-to-quantum” random oracle.
References

1. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient
protocols. In: ACM Conference on Computer and Communications Security (CCS) pp. 62–73
(1993)
2. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA
and Rabin. In: International Conference on the Theory and Applications of Cryptographic
Techniques (EUROCRYPT’ 96), vol. 1070, pp. 399–416 (1996)
3. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: International Conference
on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’ 96), vol. 1070,
pp. 387–398 (1996)
4. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption.
In: International Conference on the Theory and Applications of Cryptographic Techniques
(EUROCRYPT 2004), vol. 3027, pp. 207–222 (2004)
5. Bresson, E., Chevassut, O., Pointcheval, D., et al.: Provably authenticated group Diffie-Hellman
key exchange. In: ACM Conference on Computer and Communications Security (CCS), pp.
255–264 (2001)
6. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput.
Sci. 7073(1), 41–69 (2010)
7. Zhandry, M.: How to construct quantum random functions. In: Annual IEEE Symposium on
Foundations of Computer Science (FOCS), pp. 679–687 (2012)
8. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Annual
International Cryptology Conference (CRYPTO 2012), vol. 7417, pp. 758–775 (2012)
9. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum com-
puting world. In: Annual International Cryptology Conference (CRYPTO 2013), vol. 8043,
pp. 361–379 (2013)
10. Shang, T., Lei, Q., Liu, J.W.: Quantum random oracle model for quantum digital signature.
Phys. Rev. A 94(4), 042314 (2016)
11. Gottesman, D., Chuang, I.L.: Quantum digital signatures. arXiv:quant-ph/0105032 (2001)
12. Swanson, C.M., Stinson, D.R.: Unconditionally secure signature schemes revisited. In: Inter-
national Conference on Information Theoretic Security (ICITS), vol. 6673, pp. 100–116 (2011)
13. Amiri, R., Andersson, E.: Unconditionally secure quantum signatures. Entropy 17(8), 5635–
5659 (2015)
14. Arrazola, J.M., Wallden, P., Andersson, E.: Multiparty quantum signature schemes. Quantum
Inf. Comput. 16(5–6), 435–464 (2016)
15. Yin, H.L., Fu, Y., Chen, Z.B.: Practical quantum digital signature. Phys. Rev. A 93(3), 032316
(2016)
16. Yin, H.L., Fu, Y., Liu, H., et al.: Experimental quantum digital signature over 102 km. Phys.
Rev. A 95(3), 032334 (2017)
17. Lamport, L.: Constructing digital signatures from a one-way function. Palo Alto: Technical
Report CSL-98, SRI International, vol. 238 (1979)
18. Clarke, P.J., Collins, R.J., Dunjko, V., et al.: Experimental demonstration of quantum digital
signatures using phase-encoded coherent states of light. Nat. Commun. 3, 1174 (2012)
19. Dunjko, V., Wallden, P., Andersson, E.: Quantum digital signatures without quantum memory.
Phys. Rev. Lett. 112(4), 040502 (2014)
20. Collins, R.J., Donaldson, R.J., Dunjko, V., et al.: Realization of quantum digital signatures
without the requirement of quantum memory. Phys. Rev. Lett. 113(4), 040502 (2014)
21. Nikolopoulos, G.M.: Applications of single-qubit rotations in quantum public-key cryptogra-
phy. Phys. Rev. A 77(3), 032348 (2008)
22. Seyfarth, U., Nikolopoulos, G.M., Alber, G.: Symmetries and security of a quantum-public-key
encryption based on single-qubit rotations. Phys. Rev. A 85(2), 022342 (2012)
23. Koblitz, N., Menezes, A.J.: The random oracle model: a twenty-year retrospective. Des., Codes
Cryptogr. 77(2–3), 587–610 (2015)
24. Hwang, T., Lee, K.C., Li, C.M.: Provably secure three-party authenticated quantum key distri-
bution protocols. IEEE Trans. Dependable Secur. Comput. 4(1), 71–80 (2007)
25. Pointcheval, D., Stern, J.: Provably secure blind signature schemes. In: International Conference
on the Theory and Applications of Cryptology and Information Security (ASIACRYPT’ 96),
vol. 1163, pp. 252–265 (1996)
26. Ablayev, F., Vasiliev, A.: Quantum hashing. arXiv:1310.4922 (2013)
27. Bennett, C., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In:
Proceedings of the International Conference on Computers, Systems, and Signal Processing,
pp. 157–179 (1984)
28. Zhou, J., Zhou, Y., Niu, X., Yang, Y.: Quantum proxy signature scheme with public verifiability.
Sci. China-Phys. Mech. Astron. 54(10), 1828–1832 (2011)
29. Buhrman, H., Cleve, R., Watrous, J., de Wolf, R.: Quantum fingerprinting. Phys. Rev. Lett. 87,
167902 (2001)
30. Nikolopoulos, G.M.: Applications of single-qubit rotations in quantum public-key cryptogra-
phy. Phys. Rev. A 77(78), 156 (2008)
31. Nikolopoulos, G.M., Ioannou, L.M.: Deterministic quantum-public-key encryption: forward
search attack and randomization. Phys. Rev. A 79(4), 126–136 (2009)
32. Ablayev, F., Vasiliev, A.: Cryptographic quantum hashing. Laser Phys. Lett. 11(2), 25202
(2014)
33. Ablayev, F., Ablayev, M., Vasiliev, A.: On the balanced quantum hashing. J. Phys.: Conf. Ser.
681(1), 12019 (2016)
34. Ziatdinov, M.: From graphs to keyed quantum hash functions. Lobachevskii J. Math. 37(6),
705–712 (2016)
35. Yang, Y., Xu, P., Yang, R., Zhou, Y., Shi, W.: Quantum hash function and its application
to privacy amplification in quantum key distribution, pseudo-random number generation and
image encryption. Sci. Rep. 6(1), 19788 (2016)
36. Shang, T., Lei, Q., Liu, J.: Quantum random oracle model for quantum digital signature. Phys.
Rev. A 94, 042314 (2016)
37. Shang, T., Chen, R., Lei, Q.: Quantum random oracle model for quantum public-key encryption.
IEEE Access 7(1), 130024–130031 (2019)
38. Holevo, A.S.: Bounds for the quantity of information transmitted by a quantum communication
channel. Probl. Inf. Transm. 9, 3–11 (1973)
39. Okamoto, T., Tanaka, K., Uchiyama, S.: Quantum public-key cryptosystems. In: Advances in
Cryptology - CRYPTO 2000, International Cryptology Conference, pp. 147–165 (2000)
40. Kawachi, A., Koshiba, T., Nishimura, H., Yamakami, T.: Computational indistinguishability
between quantum states and its cryptographic application. J. Cryptol. 25(3), 528–555 (2012)
41. Koshiba, T.: Security notions for quantum public-key cryptography. arXiv:quant-ph/0702183
(2007)
42. Nayak, A.: Optimal lower bounds for quantum automata and random access codes. In: 40th
Annual Symposium on Foundations of Computer Science, pp. 369–376 (1999)
Chapter 12
Security Analysis of Quantum
Obfuscation

Quantum cryptography has developed some fundamental primitives such as quantum


one-time pad and quantum IND (indistinguishability)-security. Compared with other
terms in quantum cryptography, quantum obfuscation attracts less attention and is still
in its infancy due to its difficulty in implementation and application. In this chapter,
we provide a positive result of quantum obfuscation. To analyze the obfuscatability
of quantum point functions, we introduce the strict definition of a quantum point
function and discuss its variants of multiple points and multiple qubits. Furthermore,
we discuss the application of quantum obfuscation in quantum zero-knowledge and
quantum symmetric encryption. As a start of the study on quantum point functions,
such work will be very useful in the future development of quantum obfuscation
theory.

12.1 Obfuscatability of Quantum Point Functions

12.1.1 Development of Obfuscation

Promoted by the vigorous development of computer science, cryptology became


a new discipline in the 1970s. The study of cryptography has made remarkable
achievements over the past few decades, especially on secure protocols and encryp-
tion methods based on complexity theory. However, there are still some problems
left unsolved. As a powerful means to protect information, obfuscation can obstruct
malicious analysis effectively. In software development, obfuscation is the deliber-
ate act of creating obfuscated code, i.e., source or machine code that is difficult for
humans to understand. Like obfuscation in natural language, it may use one need-
lessly roundabout expression to compose statements. The first formal definition of
program obfuscation was proposed by Hada [1], which we call a strong virtual black-
box obfuscation. Hada’s definition is modeled on a simulation paradigm and requires
an attacker to learn information from the obfuscated code which can be learned by

© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_12

simply accessing the function with a black-box oracle. In 2001, Barak et al. [2] first
introduced the concept of obfuscation into the field of cryptography and proposed
its three features as follows:
1. (Functionality) The obfuscated program has the same computational function as
the original one.
2. (Polynomial slowdown) The running time of the obfuscated program cannot
exceed the polynomial size of the original running time.
3. (Black-box property) Any valid message computed through the obfuscated pro-
gram can be effectively computed with access to the oracle of the original program.
This is a guarantee for the security of the obfuscated program, which is based on
the security of simulation paradigm.
They also pointed out that obfuscation will have a series of cryptographic purposes
such as transforming private-key encryption into public-key encryption, removing
a random oracle, etc. Unfortunately, they also proved that such an obfuscator is
nonexistent.
In the next few years, some positive results of obfuscation were proposed. Lynn
et al. [3] discussed point functions and the simple obfuscation of combined point
functions, and gave the first positive result of obfuscation theory by means of access
control problem based on regular expression. After that, point functions became one
of the focus problems of obfuscation theory. In 2005, Wee [4] made a more detailed
study on the obfuscation of point functions and drew some important conclusions.
He proved that we can construct a valid obfuscator for point functions by weaken-
ing the concept of obfuscation, although an obfuscator has certain constraints. For
example, a simulated adversary must output a single bit. For such constraints, Canetti
et al. proposed an obfuscator for multi-bit output point functions [5], thereafter dis-
cussed the possibility of its application in symmetric encryption [6]. In connection
with obfuscation of combined point functions, they presented a concept of virtual
gray-box obfuscation, which is weaker than a virtual black-box one. Also, some
researches suggest that there is a certain connection between obfuscation theory and
zero-knowledge [1].
Quantum obfuscation is based on the theory of quantum circuit and quantum
computing. Since quantum computing theory is far less mature than its classical
counterpart, until 2014, no one had publicly published research on quantum obfusca-
tion. At the 2014 Quantum Computing Theory Conference (TQC), Alagic et al. [7]
first proposed quantum obfuscation based on quantum topological calculations. They
used the specific high-dimensional expression of the braid group to compile quan-
tum circuits into braids, and then convert it into a normal form. In 2016, Alagic and
Fefferman [8] formally proposed the definition of quantum obfuscation. The quantum
black-box obfuscator was first defined and proved more practicable than classical
black-box obfuscator. Then they defined the quantum indistinguishable obfuscator
and pointed out some possible applications such as quantum-secure one-way function
(qOWF) and public-key quantum money.
In this chapter, we give a further discussion on quantum obfuscation, then
introduce the definition and obfuscatability of quantum point functions under the
quantum-accessible random oracle model [9]. We start with reduction skills for
quantum obfuscation and the obfuscator for combined quantum circuits, then we
give a definition of quantum point functions. Under the quantum-accessible random
oracle, we discuss the obfuscatability of quantum point function families and their
variants. Finally, we discuss a probable application of quantum obfuscation.

12.1.2 Quantum Circuit

Similar to classical ones, quantum circuits consist of quantum gates, which are
described by the individual behavior of the state of microscopic particles, and evolve
from one state to another. The unitarity is the only limitation of a quantum logic
gate and each unitary matrix defines an effective quantum gate. Nielsen and Chuang
[10] proved that we can construct a reversible quantum gate sequence for classi-
cal computable functions. Any classical function f that has m-bit inputs and k-
bit outputs can be implemented on a quantum computer. Assuming that there is
a quantum gate sequence $U_f$ of m + k qubits, the function f is implemented as
$U_f : |x, y\rangle \to |x, y \oplus f(x)\rangle$. The quantum gate sequence $U_f$ represented above is
unitary for any function f. To calculate f(x), we can apply $U_f$ to the state $|x, 0\rangle$.
Since $f(x) \oplus f(x) = 0$, $U_f U_f = I$.
We can combine quantum circuits together to construct a new quantum circuit. In
this case, a control register is needed to decide which circuit is to be used. Formally,
a combined quantum circuit denoted by

C1 #C2 # . . . #Ct

has a control register of $\log t$ qubits and an input register of n qubits. Of course, to
meet the request of unitarity, all component circuits have to be of the same input size
of n.
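As an added illustration (not code from the book), the sketch below builds $U_f$ as a permutation of computational basis states for an arbitrary classical f, which makes its unitarity and the identity $U_f U_f = I$ directly checkable, and then assembles a combined circuit $C_1 \# \dots \# C_t$ whose control register selects the component. The function names, the index layout (x in the high bits, y in the low bits) and the choice to let unused control values act as the identity are assumptions of this example.

```python
def oracle_permutation(f, m, k):
    """U_f on m + k qubits as a permutation of basis-state indices.

    Basis state |x, y> has index (x << k) | y and is sent to |x, y XOR f(x)>.
    """
    perm = [0] * (1 << (m + k))
    for x in range(1 << m):
        fx = f(x)
        if not 0 <= fx < (1 << k):
            raise ValueError("f(x) does not fit in k output bits")
        for y in range(1 << k):
            perm[(x << k) | y] = (x << k) | (y ^ fx)
    return perm


def compose(p, q):
    """Permutation of the circuit that applies q first and then p."""
    return [p[q[i]] for i in range(len(q))]


def is_unitary_permutation(p):
    """A basis-state map is unitary exactly when it is a bijection."""
    return sorted(p) == list(range(len(p)))


def combine(perms):
    """C_1 # ... # C_t: a control register selects which component acts.

    All components must act on the same number of qubits. The control value
    occupies the high bits of the index; control values beyond t act as the
    identity (an assumption of this sketch).
    """
    size = len(perms[0])
    if any(len(p) != size for p in perms):
        raise ValueError("all component circuits need the same input size")
    t = len(perms)
    ctrl_bits = max(1, (t - 1).bit_length())
    combined = []
    for c in range(1 << ctrl_bits):
        for i in range(size):
            target = perms[c][i] if c < t else i
            combined.append(c * size + target)
    return combined


if __name__ == "__main__":
    square_mod4 = oracle_permutation(lambda x: (x * x) % 4, m=3, k=2)  # not injective
    parity = oracle_permutation(lambda x: bin(x).count("1") % 2, m=3, k=2)
    print(is_unitary_permutation(square_mod4))
    print(compose(square_mod4, square_mod4) == list(range(32)))
    print(is_unitary_permutation(combine([square_mod4, parity])))
```

Because y is carried along and XORed with f(x), the map stays a bijection even when f itself is not injective, which is why any classical f yields a valid quantum gate sequence.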
Quantum polynomial time algorithm (or QPT) A is a uniform set of quantum
circuits. It can also include operations of measurement and tracing out any qubit.
Therefore, the input and output size can be verified according to the definition of
QPT [8].

12.1.3 Quantum Obfuscation

The definition of a quantum obfuscator, proposed by Alagic and Fefferman [8], is


similar to its classical counterpart.

Definition 12.1 A black-box quantum obfuscator is a quantum algorithm O and a QPT δ such that whenever C is an n-qubit quantum circuit, the output of O is an m-qubit state O(C) satisfying

1. (Polynomial expansion) $m = \mathrm{poly}(n)$,
2. (Functional equivalence)

$$\left\|\delta(O(C) \otimes \rho) - U_C\rho U_C^{\dagger}\right\|_{tr} \le \mathrm{negl}(n),$$

3. (Virtual black-box) for every QPT A there exists a QPT $S^{U_C}$ such that

$$\left|\Pr[A(O(C)) = 1] - \Pr[S^{U_C}(|0^n\rangle) = 1]\right| \le \mathrm{negl}(n).$$

When carrying obfuscation over the quantum case, the “interpreter” algorithm δ
must be well explained. Since an end user (and hence also any adversary) should be in
possession of a quantum computer, it is conceivable that the obfuscation result may
not just be another description of a quantum circuit. Instead, the obfuscator might
output a quantum state, which is then to be employed by the end user to execute a
desired function in some “well-specified” manner [8]. Now we no longer have any
quantum circuit description in hand, therefore, an interpreter algorithm δ must be
used to execute a specific function.
How to understand such a QPT δ? One may think of δ as an algorithm which
is fixed once and for all for a certain state class. It is also feasible to regard the
obfuscation result as a quantum state O(C) and an algorithm δ which inputs O(C)
and ρ and implements the function of $U_C$. Alagic and Fefferman [8] pointed out that
all of these variants are equivalent, in the sense that a black-box quantum obfuscator
of each variant exists if and only if the other variants exist. Since the interpreters are
used not only when obfuscating a quantum circuit but also in some reduction skills
in this work, we will set the interpreter δ to be universal, and it is conceivable to
assume that we can always implement a function by producing a specific state and
executing it with δ.
We note that the quantum obfuscation theory is so far a relatively rough one. Many
critical concepts and theorems in the classical case have not yet been well presented
in quantum behavior.

12.1.4 Quantum-Accessible Random Oracle Model

Bellare and Rogaway [11] proposed the classical random oracle (RO) model in 1993,
which provides a rigorous reduction method of cryptographic security proof. Under
such a model, all parties, namely adversaries and legal ones, have access to the same
oracle R, and get random yet consistent answers. An algorithm S is denoted by S R ,
so long as queries to R have been made.
As for quantum circumstances, security proof becomes complicated. Bennett and Brassard [12] discussed an oracle quantum Turing machine A, which responds intuitively a string in the entangled state $\sum_x a_x|x \circ A(x)\rangle$ when called with a query tape of superposition state $\sum_x a_x|x \circ 0\rangle$. It will also be useful to put the target bit b into a superposition, like $\beta = (|0\rangle - |1\rangle)/\sqrt{2}$. In this case, the whole input state will be left unchanged if A(x) = 0 and will be left unchanged while introducing a phase factor −1 if A(x) = 1. Such an oracle quantum Turing machine can also be assumed as a length-preserving one, and it can be achieved by interpreting the oracle answer on the pair (x, i) as the ith bit of the function value. In this case, A is called a permutation oracle.
Intuitively, a query with superposition state should also be allowed in the quantum-
accessible random oracle (QRO) model. A QRO must simultaneously compute for
the query at possibly exponentially many points. For post-quantum cryptography,
Boneh et al. [13] gave out a key separation by presenting that a protocol is secure in
the classical random oracle model while insecure in the quantum-accessible random
oracle model.
In this work, a QRO, when no confusion may arise, will be interpreted as a length-preserving oracle, which means $R_q : |x, y\rangle \to |x, y \oplus R(x)\rangle$, where $R : \{0, 1\}^* \to \{0, 1\}^*$.

12.1.5 Reduction for Quantum Obfuscation

In this section, we will discuss reduction skills for quantum obfuscation and the
obfuscator for combined quantum circuits. Many of our ideas come from Lynn's
work [3] on classical obfuscation theory, which helps us extend obfuscation into
quantum circumstances.

Definition 12.2 A quantum circuit family C is said to be obfuscatable if there is a quantum state family S such that, for every C ∈ C, there is a $|s\rangle \in S$ with $|s\rangle = O(C)$.

This definition is similar to its classical counterpart.

Definition 12.3 An n-qubit quantum circuit family C is said to be oracle implementable relative to an n-qubit quantum circuit family D, if there exist n-qubit quantum circuits M and N such that, for every C ∈ C, there exists a D ∈ D such that

$$\left\|\delta(M^{U_D}(|0^n\rangle) \otimes \rho) - U_C\rho U_C^{\dagger}\right\|_{tr} \le \mathrm{negl}(n)$$

$$\left\|\delta(N^{U_C}(|0^n\rangle) \otimes \rho) - U_D\rho U_D^{\dagger}\right\|_{tr} \le \mathrm{negl}(n)$$

for every valid input ρ. This relationship is called the oracle implementable relationship. Here we denote by C D such relationship of C and D.

In this definition, we follow the idea of Alagic's work that our quantum state achieves a specific function with an interpreter δ. This is consistent with the definition of a quantum obfuscator, which helps our following proof.
Since an interpreter is necessary in the application of an obfuscated quantum circuit, we denote $\delta(s \otimes \rho)$ by $\delta_s(\rho)$, for any quantum state s and ρ. Therefore, $N^{\delta_{O(C)}}$ refers to a quantum circuit N with oracle access to the obfuscation of C. We note that in this circumstance, an oracle $\delta_{O(C)}$ receives a quantum state ρ, computes $\delta(O(C) \otimes \rho)$ and returns it to N. So, functionally, the interaction between N and $\delta_s(\rho)$ is exactly the same as $N^{U_C}$, due to the functional equivalence property defined by [8]. And $N^{\delta_{O(C)}}$ is also effective so long as $N^{U_C}$ is effective, since the definition of obfuscation guarantees the polynomial property of an interpreter δ.

Lemma 12.1 If C D and D is obfuscatable, then so is C.

Proof Our goal is to build an obfuscation of C. Since D is obfuscatable, we set $O'(D)$ to be an obfuscation result of any D ∈ D. Given C D, we have a quantum circuit M such that

$$\left\|\delta(M^{U_D}(|0^n\rangle) \otimes \rho) - U_C\rho U_C^{\dagger}\right\|_{tr} \le \mathrm{negl}$$

Now we show that $M^{\delta_{O'(D)}}(|0^n\rangle)$ is an obfuscation of C. Here $M^{\delta_{O'(D)}}(|0^n\rangle)$ and O(C) are both quantum states. According to previous discussion, $M^{\delta_{O'(D)}}$ works exactly the same as $M^{U_D}$, therefore, $M^{\delta_{O'(D)}}(|0^n\rangle)$ satisfies polynomial slowdown and functionality.
Here we prove the black-box property. For any adversary $A(O(C)) = A(M^{\delta_{O'(D)}}(|0^n\rangle))$, consider QPT $A'(M^{O'(D)})$, which runs A internally. $A'$ works as follows:
1. With an input $O'(D)$ and a quantum circuit M, $A'$ builds a quantum circuit $M^{O(D)}$.
2. Then $A'$ passes $M^{O(D)}(|0^n\rangle)$ to A.
3. Finally $A'$ outputs what A outputs.
So we have

$$\Pr[A'(O'(D)) = 1] = \Pr[A(M^{O(D)}) = 1]. \tag{12.1}$$

Due to the black-box property of $O'(D)$, there exists a simulator $S'$ such that

$$\left|\Pr[A'(O'(D)) = 1] - \Pr[S'^{U_D}(|0^n\rangle) = 1]\right| \le \mathrm{negl}(n). \tag{12.2}$$

Then we construct a simulator $S^{U_C}$ from $S'^{U_D}$. The key of this construction is to respond to the query by which $S'$ interacts with an oracle $U_D$. Note that C D, so we have a quantum circuit N such that

$$\left\|\delta(N^{U_C}(|0^n\rangle) \otimes \rho) - U_D\rho U_D^{\dagger}\right\|_{tr} \le \mathrm{negl}(n).$$

It indicates that with a quantum circuit N and oracle access to $U_C$, one can simulate oracle access to $U_D$, with negligible Euclid distance. So our $S^{U_C}$ works as follows.
Fig. 12.1 Structure of A

1. Firstly, $S^{U_C}$ gets its input $|0^n\rangle$, then passes it to $S'$.
2. For every query by which $S'$ interacts with $U_D$ with state ρ, $S^{U_C}$ computes $\delta_{N^{U_C}(|0^n\rangle)}(\rho)$ and returns the result to $S'$.
3. Finally $S^{U_C}$ outputs what $S'$ outputs.
In this case, we have

$$\Pr[S^{U_C}(|0^n\rangle) = 1] = \Pr[S'^{U_D}(|0^n\rangle) = 1]. \tag{12.3}$$

Finally, according to Eqs. 12.1, 12.2 and 12.3, we have

$$\left|\Pr[A(M^{O(D)}) = 1] - \Pr[S^{U_C}(|0^n\rangle) = 1]\right| \le \mathrm{negl}(n).$$

The structures of $A'$ and S are shown in Figs. 12.1 and 12.2. So we finish our proof that $M^{O(D)}(|0^n\rangle)$ is an obfuscation of C.

12.1.6 Obfuscation of Combined Quantum Circuits

An obfuscated quantum circuit can be idealized as oracle access to the original


quantum circuit. Naturally, we want to combine different obfuscation results so as
to compose a new obfuscation which also can be idealized as oracle access to the
original one. We then discuss the obfuscatability of combined quantum circuits.
The definition of a combined quantum circuit has been presented in Sect. 12.1.2.
Here we give out some intuitive obfuscations of combined quantum circuits.
Fig. 12.2 Structure of S

Definition 12.4 Given an obfuscatable quantum circuit family C. If

$$O^*(C_1 \# \dots \# C_k) = O(C_1) \# \dots \# O(C_k)$$

is an effective obfuscation of $C_1 \# \dots \# C_k$ for any $C_i \in C$, we say it is a simple obfuscation of combined quantum circuits $C_1 \# \dots \# C_k$.

Even in the classical setting, it is hard to construct a non-trivial simple obfuscation


of combined circuits. However, we can define a simple obfuscation of any trivial
combined quantum circuit.

Definition 12.5 A quantum circuit family $\mathcal{C}$ is learnable, if for any $C \in \mathcal{C}$ there exists a quantum circuit $P$ such that

$$\left\| \delta\big(P^{C}(|0^{\otimes|C|}\rangle) \otimes \rho\big) - U_C \rho U_C^{\dagger} \right\|_{\mathrm{tr}} \le \mathrm{negl}.$$

If a quantum circuit family $\mathcal{C}$ is learnable, it is easy to prove that $\mathcal{C}$ is also obfuscatable. To obtain $O(C)$, an obfuscator takes an input $C$, makes oracle access to $C$ over $P$ to get $P^{C}(|0^{\otimes|C|}\rangle)$. Obviously, $P^{C}(|0^{\otimes|C|}\rangle)$ is an effective obfuscation of $C$, since for any adversary $A$, a simulator can have oracle access to $C$, get $P^{C}(|0^{\otimes|C|}\rangle)$ and pass it to $A$.

Definition 12.6 A learnable quantum circuit family is called a trivial quantum obfuscatable family. Given a learnable quantum circuit family, the obfuscation via learning is called trivial quantum obfuscation.

Lemma 12.2 Given a learnable quantum circuit family $\mathcal{C}$, $\mathcal{D}$ is obfuscatable if and only if $\{C \# D \mid C \in \mathcal{C}, D \in \mathcal{D}\}$ is obfuscatable.

Proof Firstly, we prove that $\{C \# D\}$ is obfuscatable $\Rightarrow$ $\mathcal{D}$ is obfuscatable. We randomly choose $C \in \mathcal{C}$, $D \in \mathcal{D}$. With similar technique in the proof of Lemma 12.2, for any adversary $A$, we build QPT $A'(O(C \# D))$ which works as follows: $A'$ sets the control register of $O(C \# D)$ to $|1\rangle$, then passes it to $A$, finally outputs what $A$ outputs. Clearly, we have

$$\Pr[A'(O(C \# D)) = 1] = \Pr[A(O(C \# D)|1\rangle) = 1].$$

Since $O(C \# D)$ is an obfuscation of $C \# D$, there exists a simulator $S'$ such that

$$\left| \Pr[A'(O(C \# D)) = 1] - \Pr[S'^{U_{C \# D}}(|0^{\otimes|C \# D|}\rangle) = 1] \right| \le \mathrm{negl}. \tag{12.4}$$

Then we build $S^{U_D}$ from $S'^{U_{C \# D}}$. $S^{U_D}$ works as follows: firstly $S^{U_C}$ gets input $|0^{\otimes|D|}\rangle$, adds $|0\rangle$ to it and passes $|0^{\otimes|C \# D|}\rangle$ to $S'^{U_{C \# D}}$. Every time $S'^{U_{C \# D}}$ queries $U_{C \# D}$ with $\rho$, $S^{U_D}$ checks the control register of $\rho$. If it is $|0\rangle$, $S^{U_D}$ returns $\delta(C(\rho))$, otherwise $S^{U_D}$ has oracle access to $U_D$ and returns it to $S'^{U_{C \# D}}$. Finally, it outputs what $S'^{U_{C \# D}}$ outputs. Through the construction, we have

$$\Pr[S'^{U_{C \# D}}(|0^{\otimes|C \# D|}\rangle) = 1] = \Pr[S^{U_D}(|0^{\otimes|D|}\rangle) = 1]. \tag{12.5}$$

With Eqs. 12.4 and 12.5, we have

$$\left| \Pr[A(O(D)|1\rangle) = 1] - \Pr[S^{U_D}(|0^{\otimes|D|}\rangle) = 1] \right| \le \mathrm{negl}.$$

So we finish the proof that $\{C \# D\}$ is obfuscatable $\Rightarrow$ $\mathcal{D}$ is obfuscatable. Proof of reverse direction is very similar and will not be described again.

12.1.7 Quantum Point Function

In this section, we will give a precise definition of quantum point functions, especially
the ones with an input of quantum superposition.

12.1.7.1 Quantum Point Function Family and Its Obfuscatability

In the classical case, a point function is defined by

$$P_\alpha(x) = \begin{cases} 1 & \text{if } x = \alpha \\ 0 & \text{otherwise} \end{cases}.$$

According to quantum computation theory, any classical function $f$ can be implemented by a quantum circuit. To implement such a function, a quantum circuit maps input register $x$ and target register $b$ $|x \circ b\rangle$ to $|x \circ b \oplus f(x)\rangle$, where $\circ$ denotes concatenation. For convenience, the target register $b$ can be set to zero. From this premise, we can define a quantum point function as follows:

Definition 12.7 A quantum point function $U_\alpha$ is defined as

$$U_\alpha : |x, 0\rangle \to |x, P_\alpha(x)\rangle$$

where $\alpha \in \{0, 1\}^n$.

Obviously, with an input in superposition $\sum_x a_x |x \circ 0\rangle$, the point function will also return a result of superposition $\sum_x a_x |x \circ P_\alpha(x)\rangle$, where $a_x$ is a complex coefficient. After defining $\mathcal{U}_n = \{U_\alpha : \alpha \in \{0, 1\}^n\}$ and $\mathcal{U} = \bigcup_n \mathcal{U}_n$, we can build the obfuscation of $\mathcal{U}$ and prove the following lemma.

Lemma 12.3 A quantum point function family $\mathcal{U}$ is obfuscatable, under the quantum-accessible random oracle model.

Proof Note that the quantum-accessible random oracle $R_q$ is interpreted as a length-preserving permutation oracle, $R_q : |x, y\rangle \to |x, y \oplus R(x)\rangle$, where $R : \{0, 1\}^n \to \{0, 1\}^n$ and $x, y \in \{0, 1\}^n$. The obfuscator for quantum point function $U_\alpha$ works as follows: $O^R(U_\alpha)$ firstly makes a query to oracle $R_q$ with a classical bit string $\alpha$ to get $R(\alpha)$, then removes any information about $\alpha$ except $R(\alpha)$. When it receives an input $|x, 0\rangle$, $O^R(U_\alpha)$ accesses the quantum-accessible random oracle $R_q$ with $|x, 0^n\rangle$ to get $|x, R(x)\rangle$. Finally, $O^R(U_\alpha)$ implements the checking function

$$Ch(x) = \begin{cases} 1 & \text{if } x = R(\alpha) \\ 0 & \text{otherwise} \end{cases}$$

by quantum gate $Ch_q : |x, y\rangle \to |x, y \oplus Ch(x)\rangle$ and uses it on both the second register of return result of the oracle and the target register of input of the quantum circuit. The whole quantum circuit is implemented as Fig. 12.3.

Firstly, we prove the functional equivalence property of $U_\alpha$. We point out that the quantum-accessible oracle is implemented as a permutation oracle $\{0, 1\}^n \to \{0, 1\}^n$. In this sense $R$ is bijective, hence $R(x) = R(\alpha)$ if and only if $x = \alpha$. Therefore, $O^R(U_\alpha)$ correctly maps $\sum_x a_x |x \circ 0\rangle$ to $\sum_x a_x |x \circ P_\alpha(x)\rangle$.

Since the quantum random query is made once for any input, the polynomial slowdown condition holds. Now we prove the black-box property. For any adversary $A$, a simulator $S^{U_\alpha}$ can be built as follows: $S$ sets a copy of $A$ internally (noted by $A'$), then $S$ randomly chooses $a \in \{0, 1\}^n$ and builds a quantum state $|\alpha, 0^m\rangle$, then queries the random oracle $R_q$ with it twice to get two same quantum states $|r_1\rangle$, $|r_2\rangle$. Then it builds a circuit $C$ like this: for an input $|x, y\rangle$, $C$ queries the random oracle with $|x, 0^m\rangle$, keeps the return value $|r'\rangle$, and checks if $r_1 = r'$. If so, it reverses register $|y\rangle$. Next, $S$ puts $C$ into $A'$; every time $A'$ queries $R_q$ with $|x, y\rangle$, $S$ queries $U_\alpha$ with $|x, 0\rangle$. If $S$ gets $|1\rangle$, it returns $|x, y \oplus r_2\rangle$, otherwise $S$ randomly chooses a number in $\{0, 1\}^n$, queries $R$ with it and returns to $A'$. Finally, $S$ outputs what $A'$ outputs. Obviously, $A'$ performs exactly the same as $A$.

$$\left| \Pr[A = 1] - \Pr[S^{U_\alpha} = 1] \right| = 0$$

So the black-box condition holds.

Fig. 12.3 Quantum circuit for $O(U_\alpha)$

12.1.7.2 Quantum Point Functions with Multi-qubit Output

In the context of multi-qubit output, $|0^n\rangle$ becomes a possibly valid output. In the classical case, the invalid output $\perp$ is introduced and a point function with multi-qubit output is defined by

$$P_{\alpha,\beta}(x) = \begin{cases} \beta & \text{if } x = \alpha \\ \perp & \text{otherwise} \end{cases}$$

where $\alpha, \beta \in \{0, 1\}^n$. However, as the quantum circuits are required to be invertible and unitary, a concession must be made to keep consistency with well-formed QPT. Concretely, to avoid the use of $\perp$, we manually set $|0^n\rangle$ to present an invalid input, therefore, $\beta$ is restricted in any bit string in $\{0, 1\}^n$ except $0^n$. In this sense, $P_{\alpha,\beta}$ will be modified as $P'_{\alpha,\beta}$ to output $0^n$ when $x \ne \alpha$.

Definition 12.8 A quantum point function with general output is defined as follows:

$$U_{\alpha,\beta} : |x, 0^n\rangle \to |x, P_{\alpha,\beta}\rangle$$

where $\alpha \in \{0, 1\}^n$, and $\beta \in \{0, 1\}^n \setminus 0^n$.



Let $C_{\alpha,\beta}$ be a quantum circuit which implements $U_{\alpha,\beta}$. Define $\mathcal{C}_n = \{C_{\alpha,\beta} : \alpha, \beta \in \{0, 1\}^n\}$.

Lemma 12.4 A quantum point function family $\mathcal{C}$ with multi-qubit output is obfuscatable, under the quantum random oracle model.

Proof A QRO $R_q$ is used in the proof. Firstly, we randomly choose $r \in \{0, 1\}^n$, query $R_q$ with $|r, \alpha, 0^{2n}\rangle$ and get $|r, \alpha, 0^{2n} \oplus R(r, \alpha)\rangle = |r, \alpha, a \circ b\rangle$, where $a$ and $b$ are the first $n$ bits and the last $n$ bits of $R(r, \alpha)$. Note that $R$ is a length-preserving oracle. Then we compute $c = b \oplus \beta$. Now we can remove any information about $\alpha$ and $\beta$, and just keep $r$, $a$ and $c$. Next, for every input $|x, 0\rangle$, $O^R(U_{\alpha,\beta})$ makes a query to $R_q$ with $|r, x\rangle|0^{2n}\rangle$, gets $|r, x\rangle|R(r, x)\rangle = |r, x\rangle|R_1(r, x), R_2(r, x)\rangle$ in return. Finally, $O^R(U_{\alpha,\beta})$ implements the checking function

$$Ch(x) = \begin{cases} c \oplus R_2 & \text{if } x = a \\ 0^n & \text{otherwise} \end{cases}$$

by a quantum gate $Ch_q : |x, y\rangle \to |x, y \oplus Ch(x)\rangle$ and applies it on both the second register of return result of the oracle and the target register of input of the quantum circuit.

It is obvious that this obfuscation is valid, with the similar method used in the proof of Lemma 12.3.

We can see that $\mathcal{C}$ can be simply obfuscated. Note that we have only polynomially many obfuscations, so the probability that two of them happen to pick up the same $r$ is negligible. Under this condition, the simulator will be able to simulate any adversary.
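
The construction in the proof of Lemma 12.4 can be followed on computational-basis inputs with the added example below, which is not code from the book. It assumes SHA-256 as a stand-in for the random oracle R (so the oracle is not a permutation), and the names `oracle`, `obfuscate` and `evaluate` are hypothetical.

```python
# Added illustration (not from the book): the obfuscator from the proof of
# Lemma 12.4, evaluated on computational-basis inputs only.
import hashlib
import hmac
import secrets

N = 16            # register width n in bytes (constructed parameter: n = 128 bits)
ZERO = bytes(N)   # the string 0^n, reserved for "no match"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def oracle(r: bytes, x: bytes):
    """Stand-in for R(r, x): 2n bits out, returned as the halves (R1, R2).

    Assumption: SHA-256 replaces the random oracle, so a false match on R1
    is possible with probability about 2^-n instead of being excluded.
    """
    out = hashlib.sha256(b"lemma-12.4-demo" + r + x).digest()
    return out[:N], out[N:2 * N]


def obfuscate(alpha: bytes, beta: bytes) -> dict:
    """Return (r, a, c) with a = R1(r, alpha) and c = R2(r, alpha) XOR beta."""
    if len(alpha) != N or len(beta) != N:
        raise ValueError("alpha and beta must be n bits wide")
    if beta == ZERO:
        raise ValueError("beta = 0^n is reserved for the 'no match' output")
    r = secrets.token_bytes(N)          # fresh r for every obfuscation
    a, b = oracle(r, alpha)
    # Only r, a and c are kept; alpha and beta are discarded here.
    return {"r": r, "a": a, "c": xor(b, beta)}


def evaluate(obf: dict, x: bytes, y: bytes = ZERO) -> bytes:
    """Basis-state action |x, y> -> |x, y XOR Ch>.

    The check compares the oracle's first output half R1(r, x) with the
    stored a; on a match Ch = c XOR R2(r, x), otherwise Ch = 0^n.
    """
    if len(x) != N or len(y) != N:
        raise ValueError("x and y must be n bits wide")
    r1, r2 = oracle(obf["r"], x)
    ch = xor(obf["c"], r2) if hmac.compare_digest(r1, obf["a"]) else ZERO
    return xor(y, ch)


if __name__ == "__main__":
    alpha = bytes(range(N))             # constructed sample point
    beta = b"\x5a" * N                  # constructed sample output
    obf = obfuscate(alpha, beta)
    print("match    :", evaluate(obf, alpha).hex())
    print("no match :", evaluate(obf, bytes(range(1, N + 1))).hex())
```

Two obfuscations of the same pair (α, β) share no stored value, because each one draws its own r.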

12.1.7.3 Quantum Multi-point Functions with Multi-qubit Output

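Definition 12.9 A quantum multi-point function with multi-qubit output is defined as

$$U_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)} : |x, y\rangle \to |x, y \oplus P_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}\rangle,$$

where $\alpha_i \in \{0, 1\}^n$, $\beta_i \in \{0, 1\}^n \setminus 0^n$ and $P_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}$ is a classical function that maps $\{0, 1\}^n$ to $\{0, 1\}^{tn}$:

$$P_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}(x)|_i = \begin{cases} \beta_i & \text{if } x = \alpha_i \\ 0^n & \text{otherwise} \end{cases}$$

and $P_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}(x) = P_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}(x)|_1 \circ \dots \circ P_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}(x)|_t$.

Let $C_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}$ be a quantum circuit which implements $U_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_t)}$. Define $\mathcal{C}_n^t = \{C_{(\alpha_1,\beta_1),\dots,(\alpha_t,\beta_{t(n)})} : \alpha_i, \beta_i \in \{0, 1\}^n\}$. Define $\mathcal{C}^{*} = \bigcup_{\mathrm{poly}\ t} \mathcal{C}_n^t$.

Lemma 12.5 A quantum circuit family $\mathcal{C}^{*}$ is obfuscatable.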



Proof We will show that $\mathcal{C}_n^t$ $\{C_n^1 \# \dots \# C_n^t : C_n^i \in \mathcal{C}_n\}$. Since $\mathcal{C}$ can be simply obfuscated, $\{C_1 \# \dots \# C_t : C_i \in \mathcal{C}\}$ is obfuscatable. Therefore, given Lemma 12.1, $\mathcal{C}^t$ is obfuscatable, so is $\mathcal{C}^{*}$.

To build a QPT $M$ such that $M^{U_{C_n^1 \# \dots \# C_n^t}}$ computes $\mathcal{C}_n^t$, $M$ has access to each oracle successively and simply concatenates all return values. To build a QPT $N$ such that $N^{U_{\mathcal{C}_n^t}}$ computes $C_n^1 \# \dots \# C_n^t$, $N$ queries the oracle of $\mathcal{C}_n^t$ with the input register once and discards the unwanted part of output according to the control register. Since the control register is fixed to be a basic state, measurement will not cause any information loss of the input register.

12.1.8 Application to Quantum Zero-Knowledge

Quantum obfuscation allows users to run quantum circuits functionally as an unpenetrable black-box. In a quantum zero-knowledge circumstance, a protocol allows a verifier to accept a statement without leaking extra information. Moreover, the definitions of both quantum obfuscation and QZK follow the simulation-based paradigm. All these similarities inspire us to study applications of quantum obfuscation in QZK. In this section, we will discuss a possible scheme of QZK based on quantum obfuscation.
The classical idea of constructing zero-knowledge by obfuscation was initiated in
the beginning of researches on obfuscation [1], but was realized relatively recently
in the work of Bitansky [14]. Bitansky built a zero-knowledge scheme for languages
in NP, based on obfuscation of point functions and 2-message delegation. Extending
Bitansky’s idea to quantum circumstance includes transferring the primitives, such
as NP, zero-knowledge, delegation, and obfuscation, into their quantum version.
(1) quantum version of NP: quantum Merlin-Arthur (QMA) [15]. QMA is defined analogously to NP, except that the witness is presented as a quantum state. For a language $L$ in QMA, any statement $x \in L$ has (at least) a witness $\rho$ helping $x$ pass the family of verifier circuits $\{Ver_L(x, \rho)\}$, while any statement $x \notin L$ has no witness helping $x$ pass the verifier.
(2) quantum version of zero-knowledge: quantum zero-knowledge (QZK). Transferring prover and verifier into quantum computer extends ZK to QZK. Here one interesting thing is that in quantum circumstances we do not limit a verifier to be honest because honest-verifier quantum zero-knowledge equals general quantum zero-knowledge [16].
(3) quantum version of delegation: secure multiparty quantum computation (SQMC). We roughly explain what we need from SMQC: essentially a 2-party quantum computation task. Consider Alice (holding secret state $\rho_A$) and Bob (holding a secret circuit $f = f(x)$). After particular operations, Bob obtains the result $f(\rho_A)$ while Alice obtains nothing about $f$. This task can be specialized from Min's universal SQMC structure [17]. Since Min's scheme is valid based on quantum oblivious transfer [18], our expectation for SMQC is feasible.

(4) obfuscation: quantum obfuscation. We defined quantum obfuscation in Definition 12.1, and quantum point functions with general outputs in Definition 12.8. According to Lemma 12.4, the quantum obfuscation for quantum point functions is valid.

Table 12.1 QZK scheme

Step 1. Public input: $x$, $P$ holds witness $\rho$, $V$ holds verifier $Ver_L(x, \rho)$
Step 2. $V$ randomly generates $|y\rangle$ and sends $f_{|y\rangle}(\rho)$ to $P$
Step 3. $P$ receives function $f'$, computes $f'(\rho)$ and sends a quantum obfuscation quantum point function $O(U_{f'(\rho)})$ to $V$
Step 4. $V$ receives $O'$ and accepts iff $\delta_{O'}$ is identical to $U_{|y\rangle}$
Now we build up our QZK scheme. We start with the following awkward strategy: $V$ selects a verifier $Ver_L(x, \rho)$, $P$ sends $Ver_L(x, \rho)$ to $V$ directly. It is unsound since $P$ can always send 'yes'. To fulfill the requirement of soundness, we introduce SMQC strategy mentioned above. That is, $P$ holds a secret $\rho$, $V$ randomly generates a secret $|y\rangle$ and offers circuit working as:

$$f_{|y\rangle}(\rho) = \begin{cases} |y\rangle & \text{if } Ver_L(x, \rho) \text{ says “yes”} \\ |0^{|y|}\rangle & \text{otherwise} \end{cases}$$

After calculation, $P$ obtains the output of $f$ and sends it to $V$, and $V$ compares the result and its secret $|y\rangle$. Since SMQC leaks no information about $|y\rangle$, malicious $P$ cannot cheat $V$.

However, the scheme is now non-ZK: a cheating $V$ may send any circuit of $\rho$ (like trivial circuit $f(\rho) = \rho$) to learn about $\rho$. Here the key is to make sure that $V$ compares the output of $P$ without “knowing” it. An intuitive way of doing so is obfuscation. Concretely, after calculation, $P$ obtains the output of $f_{|y\rangle}(\rho)$, and sends a quantum obfuscation of quantum point function $O(U_{f_{|y\rangle}(\rho)})$ instead of $f_{|y\rangle}(\rho)$ itself. Now the whole scheme works as Table 12.1.
At last, we point out two notable details. One is that the scheme is somewhat similar to the quantum version of witness hiding scheme rather than zero-knowledge scheme in Bitansky’s work [14], but satisfies QZK property. This is because Bitansky’s attack on ZK requires repeated comparison of the obfuscation’s output, which is ruled out by quantum no-cloning theory. The other is that Bitansky’s structure is insecure in post-quantum cryptography. The reason is that the 2-message delegation on which the scheme is based is proved insecure against quantum adversaries [19].

12.2 Quantum Symmetric Encryption Based on Quantum Obfuscation

12.2.1 Requirement of Indistinguishability

The study of obfuscation was initiated by Hada [1], and was formally proposed and
formulated in Barak’s influential work [2]. In the first few years, research develop-
ment was restricted by crucial negative results. Hada [1] observed that a piece of
code cannot be perfectly obfuscated unless it is learnable. Barak et al. [2] demon-
strated that the virtual black-box property unconditionally rules out the existence of
a general obfuscator, i.e., an obfuscator for all circuit families. In 2005, Goldwasser
and Kalai [20] showed the impossibility of obfuscators with arbitrary auxiliary inputs. Subsequently, in 2007, Hofheinz et al. [21] explained why many deterministic functions cannot be obfuscated. Recent negative results include the works of Bitansky [22, 23] and Garg et al. [24]. All these impossibility results require either adopting a more relaxed definition of obfuscation, or restricting obfuscation to programs from limited categories of functions.
In the path of weaker definition, Barak et al. [2] put forth the idea of indistinguishable obfuscation (iO). An iO makes it hard for adversaries to distinguish two obfuscated programs if they agree on all inputs. Indistinguishable obfuscation is also proved to be equivalent to the so-called best-possible obfuscation [25], which can hide any information that any other obfuscation can hide. The usage and construction of iO have been discussed recently by Sahai and Waters [26] and Garg et al. [27]. In terms of limited kinds of functions, point functions first drew academic attention and were proved obfuscatable under the random oracle model [3]. Following this idea, some positive results have been published successively. Canetti and Dakdouk [5] formally extended the point functions to the ones with multi-bit outputs by means of composition technique. This extension essentially strengthens the connection between obfuscation and encryption. Subsequently, Canetti et al. showed this tight connection [6]. In 2010, the virtual gray-box (VGB) property was proposed and point functions were proved composable under this meaning.
One branch of quantum cryptography, beyond quantum key distribution (QKD) and post-quantum cryptography, is to carry classical cryptographic primitives over to quantum circumstances. Quantum one-time pad (QOTP) [28] is a representative example, but for a long time even the most basic cryptographic concepts were lacking. Scattered primitives such as quantum homomorphic encryption [29], quantum homomorphic signature [30], and quantum random oracle (QRO) [13, 31], have been discussed. In 2016, Alagic et al. [32] built the concept of semantic security, IND-CPA (indistinguishability under chosen plaintext attack) and IND-CCA1 (indistinguishability under non-adaptive chosen ciphertext attack) for the quantum situation. More recent work includes quantum non-malleability [33], quantum IND-CCA2 (indistinguishability under adaptive chosen ciphertext attack), and authenticated encryption [34]. As for the notion of obfuscation, the research is relatively immature. The first idea of “protecting software by a quantum state” originated in Scott Aaronson’s ten semi-grand challenges for quantum computation. In 2016, the definition of quantum VBB obfuscation and quantum iO was proposed [8], although many basic concepts in this area are yet to be set.
In this section, we introduce a quantum symmetric encryption scheme by means of a quantum obfuscator [35]. We start with the basic requirement of IND-security and point out that a quantum VBB obfuscator satisfies this requirement unconditionally. Then we prove that a quantum obfuscator with combinable property or auxiliary input property corresponds to encryptions with IND-CPA security or leakage resilience. Note that a lack of demonstrated uses for quantum obfuscation may discourage related research. We hope that such work will be inspiring in the field of quantum obfuscation.

12.2.2 Efficient Quantum Circuit and Quantum Computation

Due to the strong Church-Turing thesis [36], deterministic polynomial-time (PT) algorithm and probabilistic polynomial-time (PPT) algorithm are the most representative calculation models in classical complexity theory. In quantum situation, the first formalized model by Deutsch [37] was realized by quantum circuits consisting of unitary quantum gates. An improved solution takes measurements in the middle of the computation and decoherence into account [38]. Here, a quantum polynomial-time (QPT) algorithm is defined as a family of quantum circuits, each composed of polynomial many admissible (rather than unitary) quantum gates. Oracle gates are feasible only under such model of QPT, which are crucial in IND-CPA security.

12.2.3 Quantum One-Time Pad

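Recall that the single qubit Pauli operators are defined as:

$$\sigma_X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$$

Here we take an identity matrix $I_2$ into account. So the Pauli operation set consists of four Pauli matrices $P = \{I_2, \sigma_X, \sigma_Y, \sigma_Z\}$.
The definition of quantum one-time pad is quite simple: for each qubit $\rho$, randomly choose one operator from Pauli set $P$ and apply it on $\rho$. It is evident that such operation is information-theoretically indistinguishable, since the output state is maximally mixed

$$\frac{1}{4}\left(\rho + \sigma_X \rho \sigma_X^{\dagger} + \sigma_Y \rho \sigma_Y^{\dagger} + \sigma_Z \rho \sigma_Z^{\dagger}\right) = \frac{I_2}{2}$$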

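Since the Pauli operators are self-adjoint, the above operation can be achieved by choosing two single bits $\alpha, \beta \in \{0, 1\}$, and applying the mapping

$$\rho \to \sigma_X^{\alpha} \sigma_Z^{\beta} \rho\, \sigma_Z^{\beta} \sigma_X^{\alpha}$$

In the case of n-qubits message $\rho$, $\alpha, \beta \in \{0, 1\}^n$. Define $X^{\alpha} = \otimes \sigma_X^{\alpha_i}$ and $Z^{\beta} = \otimes \sigma_Z^{\beta_i}$. The quantum one-time pad [28] for n-qubits goes

$$\rho \to X^{\alpha} Z^{\beta} \rho Z^{\beta} X^{\alpha}$$

Through analysis, the output is still maximally mixed

$$\begin{aligned}
\frac{1}{2^{2n}} \sum U_n \rho U_n^{\dagger} &= \frac{1}{2^{2n}} \sum_{\alpha,\beta} X^{\alpha} Z^{\beta} \rho Z^{\beta} X^{\alpha} \\
&= \sum_{\alpha,\beta} \mathrm{Tr}(\rho Z^{\beta} X^{\alpha})\, \delta_{\alpha,0}\, \delta_{\beta,0}\, X^{\alpha} Z^{\beta} \\
&= \frac{\mathrm{Tr}(\rho)}{2^n} I_{2^n} \\
&= \frac{I_{2^n}}{2^n}
\end{aligned}$$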
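
The n-qubit one-time pad above can be checked numerically. The following added example is not from the book: it applies $X^{\alpha} Z^{\beta}$ to a density matrix, decrypts with the same key, and averages the ciphertext over all $2^{2n}$ keys. The function names and the two-qubit test state are constructed for the illustration.

```python
# Added illustration (not from the book): n-qubit quantum one-time pad on
# density matrices, using plain nested lists so it runs without numpy.
import itertools

I2 = [[1, 0], [0, 1]]
SX = [[0, 1], [1, 0]]
SZ = [[1, 0], [0, -1]]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def kron(a, b):
    # Kronecker product: row (i_a, i_b), column (j_a, j_b).
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def dagger(a):
    return [[complex(a[j][i]).conjugate() for j in range(len(a))]
            for i in range(len(a[0]))]


def pad_unitary(alpha, beta):
    """X^alpha Z^beta: tensor product over i of sigma_X^alpha_i sigma_Z^beta_i."""
    u = [[1]]
    for a_i, b_i in zip(alpha, beta):
        u = kron(u, matmul(SX if a_i else I2, SZ if b_i else I2))
    return u


def qotp_encrypt(rho, alpha, beta):
    """rho -> X^alpha Z^beta rho Z^beta X^alpha."""
    u = pad_unitary(alpha, beta)
    return matmul(matmul(u, rho), dagger(u))


def qotp_decrypt(cipher, alpha, beta):
    """Undo the pad with the same key bits."""
    u = pad_unitary(alpha, beta)
    return matmul(matmul(dagger(u), cipher), u)


def average_ciphertext(rho, n):
    """What a party without the key sees: the mean over all 2^(2n) keys."""
    dim = 2 ** n
    keys = list(itertools.product((0, 1), repeat=2 * n))
    acc = [[0j] * dim for _ in range(dim)]
    for key in keys:
        c = qotp_encrypt(rho, key[:n], key[n:])
        acc = [[acc[i][j] + c[i][j] / len(keys) for j in range(dim)]
               for i in range(dim)]
    return acc


def maximally_mixed(n):
    dim = 2 ** n
    return [[1 / dim if i == j else 0 for j in range(dim)] for i in range(dim)]


def close(a, b, tol=1e-12):
    return all(abs(x - y) < tol for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def sample_state():
    """Constructed 2-qubit test state 0.6|00> + 0.8i|11> as a density matrix."""
    psi = [0.6, 0, 0, 0.8j]
    return [[x * complex(y).conjugate() for y in psi] for x in psi]


if __name__ == "__main__":
    rho = sample_state()
    alpha, beta = (1, 0), (1, 1)
    cipher = qotp_encrypt(rho, alpha, beta)
    print("decrypts correctly :", close(qotp_decrypt(cipher, alpha, beta), rho))
    print("average is I/2^n   :", close(average_ciphertext(rho, 2), maximally_mixed(2)))
```

A single ciphertext under a fixed key is still a pure state; only the average over the uniformly random key is maximally mixed.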

12.2.4 Quantum Symmetric Encryption and Its Security

Following the idea of quantum one-time pad, we are interested in the circumstances where the message space and cypher-text space are the set of density operators on Hilbert space $H_M$, $H_C$, and the key space $K = \{0, 1\}^n$ [32]. The set of density operators, i.e., all physically possible quantum states on Hilbert space $H$ is denoted by $D(H)$. Then a quantum symmetric encryption scheme is defined as follows:

Definition 12.10 A quantum symmetric encryption scheme is a triple of QPTs: (key generation) $Gen : 1^n \to k \in K_n$, (encryption) $Enc_k : K \times D(H_M) \to D(H_C)$ and (decryption) $Dec_k : K \times D(H_C) \to D(H_M)$, satisfying correctness property:

$$\left\| Enc_k \circ Dec_k - I_M \right\| \le \mathrm{negl}(n)$$

for all $k \in K_n$.

To analyze the security of a quantum encryption scheme, we introduce Alagic’s work [32] on indistinguishability of encryptions.

Fig. 12.4 IND-security game

Definition 12.11 A quantum symmetric encryption scheme is indistinguishable (or IND-secure), if for any QPT adversary $A = (M, D)$ we have

$$\left| \Pr\{D[(Enc_k \otimes I_E)\rho_{ME}] = 1\} - \Pr\{D[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)] = 1\} \right| < \mathrm{negl}(n)$$

where $\rho_{ME} \leftarrow M(1^n)$, $\rho_E = \mathrm{tr}_M(\rho_{ME})$.

Figure 12.4 shows the IND-security game.

Definition 12.12 An IND-secure quantum symmetric encryption scheme is IND-CPA, if $A$ has oracle access to $Enc_k$.

We note again that $A$ runs in polynomial time. If we assume that an oracle gate runs in a unit of time $O(1)$, then $A$ sends only polynomially many oracle queries to $Enc_k$.

12.2.5 Quantum Point Obfuscation

The definition of a quantum obfuscator, proposed by Alagic and Fefferman [8], is similar to its classical counterpart.

Definition 12.13 A quantum black-box obfuscator is a quantum algorithm $O$ and QPT $\delta$, for any n-qubit quantum circuit $C$, the output of $O$ is an m-qubit state $O(C)$ and the following three conditions hold.

1. (Polynomial expansion)

$$m = \mathrm{poly}(n)$$

2. (Functional equivalence) for any possible $\rho$

$$\left\| \delta(O(C) \otimes \rho) - U_C \rho U_C^{\dagger} \right\|_{\mathrm{tr}} \le \mathrm{negl}(n)$$

3. (Virtual black-box) for every QPT $A$, there exists a QPT $S^{U_C}$ such that

$$\left| \Pr[A(O(C)) = 1] - \Pr[S^{U_C}(|0^n\rangle) = 1] \right| \le \mathrm{negl}(n)$$

Point functions return an internal value $m$ when the input equals a specific $k$, and 0 elsewise. In the theory of quantum computation, such a function can be described as

$$U_{k,m} : |x, y\rangle \to \begin{cases} |x, y \oplus m\rangle & \text{if } x = k \\ |x, y\rangle & \text{otherwise} \end{cases}$$

Since an obfuscator for all functions does not exist, consider a quantum obfuscator only for quantum point functions, then we assume that the input of an obfuscator is delineated by $m$ and $k$. Therefore, $n$ in Definition 12.13 equals $|m| + |k|$, and we have $|O(U_{m,k})| = \mathrm{poly}(|m| + |k|)$.
We then define a stronger version of quantum point obfuscator, which preserves
security even when an adversary has a combination of different point functions. With
respect to quantum encryption, we are interested in the case where the point functions
are of the same k. In this case, we call it self-combinable.

Definition 12.14 A quantum point obfuscator is self-combinable, if for any $t = \mathrm{poly}(n)$ the combination of $t$ obfuscators is still secure, i.e., we have a simulator $S$ such that

$$\left| \Pr[A(O(U_{k,r_1}), O(U_{k,r_2}), \dots, O(U_{k,r_t})) = 1] - \Pr[S^{U_{k,r_1}, U_{k,r_2}, \dots, U_{k,r_t}}(0^n) = 1] \right| \le \mathrm{negl}(n)$$

In quantum encryption, we are also interested in the case where $A$ is provided some auxiliary inputs (always some information on $k$). In this case, we define a quantum secure obfuscator with auxiliary inputs.

Definition 12.15 A quantum point obfuscator with auxiliary inputs $f$ is secure, if we have a simulator $S$ such that

$$\left| \Pr[A(O(U_{k,r}), f(k)) = 1] - \Pr[S^{U_{k,r}}(f(k)) = 1] \right| \le \mathrm{negl}(n)$$

12.2.6 IND-Secure Quantum Symmetric Encryption Scheme

In this section, we give the construction of symmetric encryption scheme. Then we prove its IND-security, which comes from the VBB property of a quantum obfuscator.

Scheme 12.1 Let $O$ be a quantum point obfuscator and $U_{k,r}$ be a quantum point function. A quantum symmetric encryption scheme is a triple of QPTs given by the following algorithms
1. (key generation) $Gen(1^n) = k \in K_n$,
2. (encryption) $Enc_k(\rho) = P_r \rho P_r \otimes O(U_{r,k})$, where $r$ is randomly chosen from $\{0, 1\}^{2n}$,
3. (decryption)Deck (c ⊗ ) = Pr  c Pr  , where r  is the measurement result of
T r1 [δ( ⊗ |k, 02n k, 02n |)].

The encryption and decryption algorithms are shown in Figs. 12.5 and 12.6.
Correctness of the scheme. To prove the scheme’s correctness, we apply $|k_{right}, 0^{2n}\rangle$ with the right key $k_{right} = k$ to the obfuscated point function. By the functional equivalence property, we get

δ( ⊗ |k, 02n k, 02n |) = δ(O(Uk,r ) ⊗ |k, 02n k, 02n |)
≈ p Uk,r (|k, 02n ) = |k, r 

After tracing out the first register of $|k|$ qubits and measurement, we get $r' = r$, with which we can correctly recover $\rho$ from $P_r \rho P_r$.
While with the wrong key $k_{wrong} \ne k$, the measurement gives $r' = 0$, and the message is kept secret.

Fig. 12.5 Encryption algorithm

Fig. 12.6 Decryption algorithm

Now we indicate the security of the encryption scheme. Specifically, we have the following theorem.

Theorem 12.1 If a quantum point obfuscator exists, then the quantum symmetric encryption scheme in Scheme 12.1 is IND-secure.

Proof For any adversary $A = (M, D)$, set $s = (P_r \otimes I_E)\rho_{ME}$, and $t = (Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)$, we have

$$\begin{aligned}
&\left| \Pr\{D[(Enc_k \otimes I_E)\rho_{ME}] = 1\} - \Pr\{D[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)] = 1\} \right| \\
&= \left| \Pr\{D[s \otimes O(U_{k,r})] = 1\} - \Pr\{D[t \otimes O(U_{k,r})] = 1\} \right| \\
&= \left| \Pr\{D[s, O(U_{k,r})] = 1\} - \Pr\{D[t, O(U_{k,r})] = 1\} \right| \\
&\le \sum_{g(r)} \left| \Pr\{D[s, g(r)] = 1\} - \Pr\{D[t, g(r)] = 1\} \right| \cdot \Pr[D'(O(U_{k,r})) = g(r)]
\end{aligned} \tag{12.6}$$

In the last equation, the sum symbol is for all possible $g(r)$, and $D'$ is a subroutine of $D$ dealing with $O$. By the VBB property, we have a simulator $S$ satisfying

$$\left| \Pr[D(O(U_{k,r})) = f(r)] - \Pr[S^{U_{k,r}}(0^n) = f(r)] \right| \le \mathrm{negl}(n)$$

Note that $S$ has oracle access to $U_{k,r}$, then $g(r)$ can only be $r$ (when $S$ successfully accesses the oracle with $k$), or 0 (when not). So we can rewrite Eq. 12.6 as

$$\begin{aligned}
&\sum_{g(r)} \left| \Pr\{D[s, g(r)] = 1\} - \Pr\{D[t, g(r)] = 1\} \right| \cdot \Pr[D(O(U_{k,r})) = g(r)] \\
&\le \sum_{g(r)} \left| \Pr\{D[s, g(r)] = 1\} - \Pr\{D[t, g(r)] = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(0^n) = g(r)] + \mathrm{negl}(n) \right| \\
&= \left| \Pr\{D(s, r) = 1\} - \Pr\{D(t, r) = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(0^n) = r] + \mathrm{negl}(n) \right| \\
&\quad + \left| \Pr\{D(s, 0) = 1\} - \Pr\{D(t, 0) = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(0^n) = 0] + \mathrm{negl}(n) \right|
\end{aligned}$$

For the first item on the right side of the inequality, consider QPT $S$ with polynomially many queries. While the key space $K$ is uniformly random $\{0, 1\}^n$, the possibility $\Pr[S^{U_{k,r}}(0^n) = r] = \mathrm{poly}(n)/2^n \le \mathrm{negl}(n)$. For the second item on the right side of the inequality, we have

$$\begin{aligned}
&\left| \Pr\{D(s, 0) = 1\} - \Pr\{D(t, 0) = 1\} \right| \\
&= \left| \Pr\{D[(P_r \otimes I_E)\rho_{ME}] = 1\} - \Pr\{D[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)] = 1\} \right|
\end{aligned}$$

This difference is negligible, according to indistinguishableness of quantum one-time pad.

Finally, we have

$$\begin{aligned}
&\left| \Pr\{D[(Enc_k \otimes I_E)\rho_{ME}] = 1\} - \Pr\{D[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)] = 1\} \right| \\
&\le \left| \Pr\{D(s, r) = 1\} - \Pr\{D(t, r) = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(0^n) = r] + \mathrm{negl}(n) \right| \\
&\quad + \left| \Pr\{D(s, 0) = 1\} - \Pr\{D(t, 0) = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(0^n) = 0] + \mathrm{negl}(n) \right| \\
&\le \left| \Pr\{D(s, r) = 1\} - \Pr\{D(t, r) = 1\} \right| \cdot \mathrm{negl}(n) + \mathrm{negl}(n) \cdot \left| \Pr[S^{U_{k,r}}(0^n) = 0] + \mathrm{negl}(n) \right| \\
&\le \mathrm{negl}(n)
\end{aligned}$$

This is exactly what we need for IND-security.

12.2.7 Security Analysis

In this section, we provide the extension of an obfuscator and encryption scheme. Specifically, a self-combinable obfuscator implements IND-CPA-secure encryption and an auxiliary input obfuscator implements leakage-resilient encryption.

12.2.7.1 Self-combinable Obfuscator and IND-CPA-Secure Encryption

Here we point out that the self-combinable property in obfuscation corresponds to the IND-CPA security in quantum encryption.
We continue to use the construction of Scheme 12.1, requiring that the obfuscator $O$ is self-combinable. We prove the following theorem.

Theorem 12.2 If a quantum point obfuscator $O$ is self-combinable, then the quantum symmetric encryption scheme in Scheme 12.1 is IND-CPA-secure.

Proof The correctness holds obviously. Assume that $A = (M, D)$ queries the encryption oracle for $t = \mathrm{poly}(n)$ times. Then there are $r_1, \dots, r_t$ (used by the encryption oracle) and $r$ (used by the challenger) that maximize the difference

$$\left| \Pr\{D^{Enc}[(Enc_k \otimes I_E)\rho_{ME}] = 1\} - \Pr\{D^{Enc}[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)] = 1\} \right|$$

From $A$ we build an adversary $A'$ attacking the obfuscator. Specifically, when $A$ queries the encryption oracle for the $i$th time, $A'$ responds with $P_{r_i} \rho P_{r_i} \otimes O(U_{k,r_i})$. During the distinguishing challenge game, $A'$ responds either $P_r \rho P_r \otimes O(U_{k,r})$ or $P_r |0\rangle\langle 0| P_r \otimes O(U_{k,r})$. Therefore, when $A'$ outputs the same as $A$,

$$\begin{aligned}
&\left| \Pr\{D^{Enc}[(Enc_k \otimes I_E)\rho_{ME}] = 1\} - \Pr\{D^{Enc}[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)] = 1\} \right| \\
&\le \left| \Pr\{A'[O(U_{k,r_1}), \dots, O(U_{k,r_t}); Enc_k(\rho)] = 1\} - \Pr\{A'[O(U_{k,r_1}), \dots, O(U_{k,r_t}); Enc_k(|0\rangle)] = 1\} \right| \\
&\le \left| \Pr\{S^{O(U_{k,r_1}), \dots, O(U_{k,r_t})}[Enc_k(\rho)] = 1\} - \Pr\{S^{O(U_{k,r_1}), \dots, O(U_{k,r_t})}[Enc_k(|0\rangle)] = 1\} \right| + \mathrm{negl}(n) \\
&\le \mathrm{negl}(n)
\end{aligned}$$

where the last inequality comes from self-combinability.

12.2.7.2 Auxiliary Input and Leakage Resilience

Here we prove that auxiliary input corresponds to the quantum leakage resilience. We firstly define a quantum leakage-resilient encryption scheme, which is similar to its classical counterpart just like many other quantum cryptographic terminologies.

Definition 12.16 An IND-secure quantum symmetric encryption scheme is leakage-resilient, if after $Gen(1^n)$ generates a key $k$, $A$ submits a quantum-secure one-way function (qOWF) $f$ and gets $f(k)$.

We now show that a quantum point obfuscator with auxiliary inputs implements quantum leakage-resilient encryption. The proof is very similar to that of Theorem 12.1.

Theorem 12.3 If $(O, \delta)$ is a quantum point obfuscator with auxiliary input $f$, then Scheme 12.1 is leakage-resilient against key information $f(k)$.

Proof The correctness holds obviously. For any adversary $A = (M, D)$, set $s = (P_r \otimes I_E)\rho_{ME}$, and $t = (Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E)$, we have

$$\begin{aligned}
&\left| \Pr\{D[(Enc_k \otimes I_E)\rho_{ME}, f(k)] = 1\} - \Pr\{D[(Enc_k \otimes I_E)(|0\rangle\langle 0|_M \otimes \rho_E), f(k)] = 1\} \right| \\
&= \left| \Pr\{D[s, O(U_{k,r}), f(k)] = 1\} - \Pr\{D[t, O(U_{k,r}), f(k)] = 1\} \right| \\
&\le \sum_{g(r)} \left| \Pr\{D[s, g(r)] = 1\} - \Pr\{D[t, g(r)] = 1\} \right| \cdot \Pr[D'[O(U_{k,r}), f(k)] = g(r)]
\end{aligned}$$

Similarly, we have

$$\begin{aligned}
&\sum_{g(r)} \left| \Pr\{D[s, g(r)] = 1\} - \Pr\{D[t, g(r)] = 1\} \right| \cdot \Pr[D'[O(U_{k,r}), f(k)] = g(r)] \\
&\le \left| \Pr\{D(s, r) = 1\} - \Pr\{D(t, r) = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(f(k)) = r] \right| \\
&\quad + \left| \Pr\{D(s, 0) = 1\} - \Pr\{D(t, 0) = 1\} \right| \cdot \left| \Pr[S^{U_{k,r}}(f(k)) = 0] \right| \\
&\quad + \mathrm{negl}(n)
\end{aligned}$$

For the first item on the right side of the inequality, $\Pr[S^{U_{k,r}}(f(k)) = r] \le \mathrm{negl}(n)$ due to the irreversibility of $f$ and uniformity of $k$. For the second item on the right side of the inequality, it is negligible according to the indistinguishableness of quantum one-time pad. Therefore, the whole difference is negligible, and Scheme 12.1 is leakage-resilient against $f$.

12.3 Summary

In this chapter, to precisely define quantum point function family and analyze its obfuscatability under the quantum-accessible random oracle, we introduce essential reduction and combination skills. A quantum multi-point function family with multi-qubit output was proved obfuscatable under the QRO model. We also discussed an obfuscation-based QZK scheme. Then we demonstrate the usability of a quantum point obfuscator in a quantum symmetric key encryption. We give the construction of an IND-secure encryption scheme and extend various properties of an obfuscator and corresponding encryption security. Further work lies in the routine similar to classical obfuscation theory on point functions such as obfuscatability under the standard model, or how to build obfuscators by encryption schemes.

References

1. Hada, S.: Zero-knowledge and code obfuscation. In: International Conference on the Theory
and Application of Cryptology and Information Security (ASIACRYPT 2000), vol. 1976, pp.
443–457 (2000)
2. Barak, B., Goldreich, O., Impagliazzo, R., et al.: On the (im)possibility of obfuscating programs.
In: Annual International Cryptology Conference (CRYPTO 2001), vol. 2139, no. 2, pp. 1–18
(2001)
3. Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Inter-
national Conference on the Theory and Applications of Cryptographic Techniques (EURO-
CRYPT 2004), vol. 3027, pp. 20–39 (2004)
4. Wee, H.: On obfuscating point functions. In: ACM Symposium on Theory of Computing
(STOC), pp. 523–532 (2005)
5. Canetti, R., Dakdouk, R.R.: Obfuscating point functions with multibit output. In: Interna-
tional Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT
2008), vol. 4965, pp. 489–508 (2008)
6. Canetti, R., Kalai, Y.T., Varia, M., et al.: On symmetric encryption and point obfuscating. In:
Theory of Cryptography Conference (TCC), vol. 5978, pp. 52–71 (2010)
7. Alagic, G., Jeffery, S., Jordan, S.: Circuit obfuscation using braids. In: Conference on the
Theory of Quantum Computation, Communication and Cryptography (TQC), vol. 27, pp.
141–160 (2014)
8. Alagic, G., Fefferman, B.: On quantum obfuscation (2016). arXiv:1602.01771
9. Shang, T., Chen, R.Y.L., Liu, J.W.: On the obfuscatability of quantum point functions. Quantum
Inf. Process. 18(2), 55 (2019)
10. Nielson, M.A., Chuang, I.: Quantum Computation and Quantum Information. Cambridge Uni-
versity Press, IL (2002)
11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient
protocols. In: ACM Conference on Computer and Communications Security (CCS), pp. 62–73
(1993)
12. Bennett, C.H., Brassard, G.: Strengths and weaknesses of quantum computing. SIAM J. Com-
put. 26(5), 1510–1523 (1997)
13. Boneh, D., Dagdelen, O., Fischlin, M., et al.: Random oracles in a quantum world. Comput.
Sci. 7073(1), 41–69 (2010)
14. Nir, B., Omer, P.: Point obfuscation and 3-round zero-knowledge. In: International Conference
on Theory of Cryptography, pp. 190–208 (2012)
15. Bookatz, A.D.: QMA-complete problems. Quantum Inf. Comput. 14, 361–383 (2012)
16. Kobayashi, H.: General properties of quantum zero-knowledge proofs. In: Conference on The-
ory of Cryptography, pp. 107–124 (2008)
17. Liang, M.: Secure multiparty quantum computation based on bit commitment (2013).
arXiv:1306.0447
18. Liang, M.: Symmetric quantum fully homomorphic encryption with perfect security. Quantum
Inf. Comput. 12, 3675–3687 (2013)
19. Lo, H.K.: Insecurity of quantum secure computations. Phys. Rev. A 52, 1154–1162 (1996)
20. Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: Annual
IEEE Symposium on Foundations of Computer Science (FOCS), pp. 553–562 (2005)
266 12 Security Analysis of Quantum Obfuscation

21. Hofheinz, D., Malone-Lee, J., Stam, M.: Obfuscation for cryptographic purposes. In: Theory
of Cryptography Conference (TCC), vol. 4392, pp. 214–232 (2007)
22. Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to
resettable cryptography. In: ACM Symposium on Theory of Computing (STOC), pp. 241–250
(2013)
23. Bitansky, N., Canetti, R., Cohn, H., et al.: The impossibility of obfuscation with auxiliary input
or a universal simulator. In: Annual International Cryptology Conference (CRYPTO 2014),
pp. 71–89 (2014)
24. Garg, S., Gentry, C., Halevi, S., et al.: On the implausibility of differing-inputs obfuscation and
extractable witness encryption with auxiliary input. Algorithmica 79(4), 1353–1373 (2017)
25. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Theory of Cryptography
Conference (TCC), vol. 4392, pp. 194–213 (2007)
26. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and
more. In: ACM Symposium on Theory of Computing (STOC), pp. 475–484 (2014)
27. Garg, S., Gentry, C., Halevi, S., et al.: Candidate indistinguishability obfuscation and functional
encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
28. Ambainis, A., Mosca, M., Tapp, A., et al.: Private quantum channels. In: Annual IEEE Sym-
posium on Foundations of Computer Science (FOCS), pp. 547–553 (2000)
29. Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate com-
plexity. In: Annual International Cryptology Conference (CRYPTO 2015), vol. 9216, pp. 609-
629 (2015)
30. Shang, T., Zhao, X.J., Liu, J.W.: Quantum homomorphic signature. Quantum Inf. Process.
14(1), 393–410 (2015)
31. Shang, T., Lei, Q., Liu, J.W.: Quantum random oracle model for quantum digital signature.
Phys. Rev. A 94(4), 042314 (2016)
32. Alagic, G., Broadbent, A., Fefferman, B., et al.: Computational security of quantum encryption.
In: International Conference on Information Theoretic Security (ICITS), vol. 10015, pp. 47–71
(2016)
33. Alagic, G., Majenz, C.: Quantum non-malleability and authentication. In: International Con-
ference on Information Theoretic Security (ICITS), pp. 310–341 (2017)
34. Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption (2017).
arXiv:1709.06539
35. Chen, R.Y.L., Shang, T., Liu, J.W.: Quantum symmetric encryption based on quantum obfus-
cation. Quantum Inf. Process. 18(6), 161 (2019)
36. Slot, C., Boas, P.: On tape versus core an application of space efficient perfect hash functions to
the invariance of space. In: ACM Symposium on Theory of Computing (STOC), pp. 391–400
(1984)
37. Deutsch, D.: Quantum theory, the Church-Turing principle and the universal quantum computer.
SIAM J. Comput. 400(1818), 97–117 (1985)
38. Dorit, A., Alexei, Y.K., Noam, N.: Quantum circuits with mixed states. In: ACM Symposium
on Theory of Computing (STOC), pp. 20–30 (1998)
Chapter 13
Security Analysis of Measurement-Device Independency

With the practical implementation of continuous-variable quantum cryptographic
protocols, security problems resulting from measurement-device loopholes are
receiving increasing attention. At present, research on measurement-device
independency analysis is limited to quantum key distribution protocols, while
different protocols have different security problems. Considering the importance of
quantum digital signature in quantum cryptography, in this chapter, we introduce the
measurement-device independency analysis of continuous-variable quantum digital
signature, especially continuous-variable quantum homomorphic signature. Also,
the analysis method can be extended to other quantum cryptographic protocols.

13.1 Device Independency Analysis

Since continuous-variable quantum cryptographic protocols are very likely to be
implemented in practice, an analysis which assumes all devices are perfect is
insufficient to judge whether a protocol is truly secure or not. An attacker could
exploit the loopholes of a device to successfully attack a protocol even though it
is proved theoretically secure. To analyze the practical security of a quantum
cryptographic protocol, the definition of device independency was proposed. If a
protocol can complete its task securely even if all devices are untrusted, which
means some devices might be controlled by an attacker, it is called a
device-independent (DI) protocol.
To date, research on device independency analysis only focuses on quantum key
distribution (QKD) protocols. In 2006, Acin et al. [1] proposed the first
device-independent quantum key distribution (DI-QKD) protocol and proved its
security against individual attacks. Before long, security analyses of DI-QKD
protocols against collective attacks were proposed [2, 3]. Since 2011, general
formalisms for proving the security of DI-QKD protocols have been proposed [4, 5],
which can defend against the most general attacks. However, these analyses were
proposed for discrete-variable QKD protocols, which means they cannot be directly
applied to continuous-variable quantum cryptographic protocols.
© Springer Nature Singapore Pte Ltd. 2020
T. Shang and J. Liu, Secure Quantum Network Coding Theory,
https://doi.org/10.1007/978-981-15-3386-0_13

As we know, in the continuous-variable setting, research focuses more on the
measurement-device independency of a protocol than on device independency;
measurement-device independency only considers the independency of measurement
devices. Measurement devices are the devices used for measuring quantum
observables, such as a beam splitter (BS) and a homodyne detector. The concept of
measurement-device independency was put forward by Lo et al. [6] in 2012. It can be
regarded as a weakened version of device independency because it only considers the
security loopholes of measurement devices. Compared to DI quantum cryptographic
protocols, measurement-device-independent (MDI) quantum cryptographic protocols are
widely studied because they can achieve higher efficiency with practical
implementation while not losing much security. To improve the practicability and
the efficiency of QKD, several continuous-variable measurement-device-independent
quantum key distribution (CV-MDI-QKD) protocols were proposed [7–9]. In recent
years, study on measurement-device independency has extended to types of quantum
cryptographic protocols other than QKD. In 2016, Wu et al. [10] proposed a CV-MDI
multipartite quantum communication protocol, which can implement both quantum
cryptographic conference and quantum secret sharing. In 2018, Li et al. [11] tried
to solve the practical problem of implementing scalable quantum networks and
proposed a CV-MDI quantum relay network with phase-sensitive amplifiers. Recently,
towards estimating entanglement in a quantum network, MDI entanglement estimation
schemes were proposed [12, 13].
Since there exist different security problems for different protocols, device
independency analysis of continuous-variable quantum cryptographic protocols other
than QKD protocols should be explored. Continuous-variable quantum digital
signature (CVQDS) [14–16] is a sufficiently studied technology in the field of
continuous-variable quantum cryptography. It is an essential part of a secure
continuous-variable quantum network, so its device independency can affect the
practical security of a network. Yet, there is no research on the
measurement-device independency of CVQDS. Generally, CVQDS protocols are not
device-independent because secret keys are directly passed as a parameter to the
device that generates signatures, in which case an attacker can easily obtain the
secret keys. Therefore, we assume the devices for quantum state preparation are
trusted and perfect, and focus on analyzing the measurement-device independency of
CVQDS [17].

13.2 Measurement-Device Independency

If a quantum cryptographic protocol can complete its task securely with untrusted
measurement devices, it is called a measurement-device-independent protocol. To
analyze the security of a quantum cryptographic protocol under the worst case, we
assume measurement devices are prepared and controlled by an attacker and can
work in the way that is most favorable to the attacker. Concretely, the assumptions
are

(1) An attacker can tamper with and forge the output of measurement devices.
(2) An attacker can eavesdrop on quantum channels by any means.

For simplicity, we call the above assumptions the MDI assumptions. In other
words, if the task of a quantum cryptographic protocol is completed under the MDI
assumptions, the protocol is measurement-device-independent.
To date, MDI analysis has only been achieved for QKD protocols. The first MDI-QKD
protocol, a discrete-variable quantum cryptographic protocol, was proposed by
Lo et al. [6]. Its security proof utilizes the monogamous nature of quantum
entanglement and removes detector side-channel attacks, although it is not a
mathematical proof. In the same year, Ma and Razavi [18] proposed alternative
schemes for MDI-QKD using phase and path or time encoding. In the security
analysis, the lower bound of the secret key rate was calculated. A protocol is
secure if its secret key rate is higher than the lower bound. In 2014, several
CV-MDI-QKD protocols were proposed [7]. In the security analysis, the secret key
rate of an equivalent one-way CVQKD model was calculated, which is the lower bound
for the proposed protocol. The calculation was simplified by applying the theorem
of optimality of Gaussian collective attacks [19]. The analyses of other
CV-MDI-QKD protocols [8, 9] are similar in calculating the lower bound of the
secret key rate.
Obviously, we cannot directly calculate the secret key rate of a non-CVQKD
protocol, so we should put forward a new method of analyzing its
measurement-device independency.

13.3 Continuous-Variable Quantum Homomorphic Signature

In CVQDS protocols, there are usually at most three participants, i.e., a signer, a
verifier, and an arbitrator. Since the verifier and the arbitrator are assumed to
be honest, the only untrusted party is the signer, so it seems easy to analyze
measurement-device independency. Nevertheless, in 2017, Li et al. [20] proposed a
continuous-variable quantum homomorphic signature (CVQHS) scheme, where an
aggregator generates a homomorphic quantum signature for verifying the identities
of multiple data sources. The aggregator has access to all quantum and classical
data in the network, so the scheme probably will not be secure if an attacker takes
control of the devices of the aggregator. The existence of an untrusted aggregator
has posed a new challenge in analyzing the measurement-device independency of CVQDS.
Li’s CVQHS scheme is based on continuous-variable entanglement swapping and
provides additive and subtractive homomorphism. The basic model of the CVQHS
scheme is shown in Fig. 13.1. A and B are signers, M is an aggregator who aggregates
the received signatures to generate two new signatures, and V is a verifier.

Fig. 13.1 Basic model of CVQHS (legend: Quantum Channel, Classical Channel, Entanglement)

13.4 Analysis Procedure

If the task of a quantum cryptographic protocol is completed under the MDI
assumptions, the protocol is measurement-device-independent. The task of CVQHS is
to verify the identities of different data sources at a low error rate. So in the
measurement-device analysis of the CVQHS scheme, we can calculate the upper bound
of the error rate. If the upper bound is negligible under the MDI assumptions, the
CVQHS scheme is measurement-device-independent.
The upper bound of the error rate is the error rate under the worst case, when an
attacker can carry out any possible attack. So we will find out the optimal attack
model and calculate the error rate under the model.

13.4.1 Attack Model

Considering all possible cases which are shown in Fig. 13.2, the error rate is equal
to the probability of a forged signature passing verification plus the probability of a
legal signature being denied.
Obviously, the probability of a legal signature being denied is only affected by
noise. So we only consider the attack model of the case that an attacker tries to forge
a signature. In the CVQHS scheme, when an attacker Eve has secret keys and is able
to prepare quantum states which are entangled with those at honest signers, it can
forge a signature that can pass verification.

Fig. 13.2 Possible errors in CVQHS (two cases: a signature involving Eve is accepted by V; a signature $S_{k_A}(a)$ from A is denied by V)

Throughout the CVQHS scheme, only the aggregator M and the verifier V use
measurement devices. Here we assume the measurement devices controlled by V are
trusted because the protocol will be extremely inefficient and meaningless if
the verifier is dishonest. So the MDI assumptions only apply to the measurement
devices controlled by M, namely a 50:50 BS and two homodyne detectors which are
used to perform Bell detection, and a 50:50 BS for mixing two quantum signatures.
According to assumption (1), Eve is able to tamper with and forge the results of
Bell detection and the mixtures of quantum signatures at the combining phase. So
Eve can forge a quantum signature that can pass verification as long as it obtains
the pre-shared secret keys. So the security of the CVQHS scheme is guaranteed by
the secrecy of secret keys. The probability of a forged signature passing
verification is equal to the probability of Eve obtaining secret keys. At this
point, the complicated attack model which contains forgery is simplified to a
simple eavesdropping model.
According to assumption (2), Eve is able to eavesdrop on all quantum channels by
any means. From the perspective of an attacker’s ability, eavesdropping can be
divided into three types, namely coherent attack, collective attack, and individual
attack. Coherent attack is the most general attack, by which an attacker can
perform joint quantum operations and joint measurement on all quantum states sent
via quantum channels. The proof of security against coherent attack is the
strictest proof of security, but the model of coherent attack cannot be effectively
parameterized. A common approach is to extend the security against collective
attack to coherent attack by using the exponential de Finetti theorem [21].
Collective attack is a special case of coherent attack, where an attacker can only
perform quantum operations individually on each quantum state.
Fortunately, analysis shows that the security bound under coherent attack is the
same as that under collective attack for QKD protocols [22]. This result can be
applied to CVQHS because a signature in the scheme is in a single quantum state.
The quantum states in a quantum channel are not correlated, so introducing
correlations to them by performing joint operations will not help the attacker
obtain more information. Therefore, we can analyze the security against collective
attack.

13.4.2 Probability of a Forged Signature Passing Verification

At the first step of the setup phase, the signers and the verifier share secret
keys. Assume they use an MDI-QKD protocol in this step; then Eve can only obtain
the secret keys by eavesdropping on the quantum channels. The information on the
secret keys that Eve can obtain is the mutual information $I(k : E)$, where
$k = (k_1, k_2)$ denotes the secret keys and $E$ is the quantum system of Eve. The
larger the mutual information $I(k : E)$ is, the more information Eve can obtain.
When $I(k : E) = H(k)$, Eve can recover the secret keys accurately. The upper bound
of $I(k : E)$ is usually used to estimate the security of a protocol.
According to the symmetry of CVQHS, we only need to calculate the upper bounds
of $I(k_{A1} : E)$ and $I(k_{A2} : E)$. According to quantum information theory, it
is known that $I(k_{A1} : E) \le \chi(k_{A1} : E)$, where $\chi(k_{A1} : E)$ is the
Holevo bound [23]. It can be calculated that
$\chi(k_{A1} : E) = S(\hat{\rho}_E) - S(\hat{\rho}_E | k_{A1})$ under collective
attack, where
$S(\hat{\rho}_E | k_{A1}) = \int p(k_{A1}) S(\hat{\rho}_{E|k_{A1}})\, dk_{A1}$ and
$\hat{\rho}_E$ is the quantum system of Eve. According to assumption (1)
aforementioned in Sect. 13.2, Eve can purify the whole quantum system, so
$\chi(k_{A1} : E) = \chi(k_{A1} : \hat{\rho}_{1234})$, where
$\hat{\rho}_{1234} = |\alpha_1\rangle|\alpha_2\rangle|\alpha_3\rangle|\alpha_4\rangle$.
Because $|\alpha_1\rangle$ and $|\alpha_3\rangle$ are independent of the secret
keys, their entropy will be offset during subtraction. So
$S(\hat{\rho}_E) - S(\hat{\rho}_E | k_{A1}) = S(\hat{\rho}_{24}) - S(\hat{\rho}_{24} | k_{A1})$,
where $\hat{\rho}_{24} = |\alpha_2\rangle|\alpha_4\rangle$.
The quantum states in the CVQHS scheme are Gaussian states, whose von Neumann
entropy can be calculated based on their covariance matrices. Assume the
original entangled states prepared by the aggregator have the same density matrix,
i.e., $\rho_{12} = \rho_{34} = \rho_{in}$. Their covariance matrix is

\[
V_{in} = \begin{pmatrix}
V I & \sqrt{V^2 - 1}\,\mathrm{diag}(1, -1) \\
\sqrt{V^2 - 1}\,\mathrm{diag}(1, -1) & V I
\end{pmatrix},
\]

where $V = \cosh 2r$ is the variance of two-mode squeezed states. Assume the
quantum channels are modeled as

\[
|\alpha\rangle \to |\sqrt{\tau}\,\alpha + \sqrt{1 - \tau}\,\alpha_N\rangle,
\]

where $\tau$ ($0 < \tau < 1$) is transmissivity and
$|\alpha_N\rangle = |x_N + i p_N\rangle$ is thermal noise. Assume thermal noise in
each quantum channel is independently and identically distributed and their
quadratures follow Gaussian distribution: $x_N, p_N \sim N(0, V_N)$.
After $|\alpha_2\rangle$ and $|\alpha_4\rangle$ are transmitted twice via noisy
quantum channels, the covariance matrix becomes

\[
V_{in} = \begin{pmatrix}
V_1 I & \sqrt{V_1^2 - 1}\,\mathrm{diag}(1, -1) \\
\sqrt{V_1^2 - 1}\,\mathrm{diag}(1, -1) & V_1 I
\end{pmatrix},
\]

where $V_1 = \tau^2 V + (\tau + 1) V_N$.
After entanglement swapping, the covariance matrix of
$\hat{\rho}_{24} = |\alpha_2\rangle|\alpha_4\rangle$ is

\[
V_{24} = \frac{1}{2V_1} \begin{pmatrix}
\mathrm{diag}(V_1^2 + 1, V_1^2 + 1) & \mathrm{diag}(V_1^2 - 1, -V_1^2 + 1) \\
\mathrm{diag}(V_1^2 - 1, -V_1^2 + 1) & \mathrm{diag}(V_1^2 + 1, V_1^2 + 1)
\end{pmatrix}.
\]

Then $|\alpha_2\rangle$ and $|\alpha_4\rangle$ are mixed at a 50:50 beam splitter,
outputting $|\alpha_2\rangle$ and $|\alpha_4\rangle$. A beam splitter is a Gaussian
operator, which does not change the von Neumann entropy of a quantum system. So the
von Neumann entropy of $\hat{\rho}_{24}$ can be calculated based on $V_{24}$.
$S(\hat{\rho}_{24} | k_{A1})$ is the von Neumann entropy of $\hat{\rho}_{24}$ when
$k_{A1}$ is given. It can be calculated based on a new covariance matrix

\[
V_{24}|k_{A1} = \frac{1}{2V'} \begin{pmatrix}
\mathrm{diag}(V'^2 + 1, V'^2 + 1) & \mathrm{diag}(V'^2 - 1, -V'^2 + 1) \\
\mathrm{diag}(V'^2 - 1, -V'^2 + 1) & \mathrm{diag}(V'^2 + 1, V'^2 + 1)
\end{pmatrix},
\]

where $V' = V_1 - V_{k_{A1}}$.
Simple calculation shows that $I(k_{A1} : E) = 0$, which means Eve cannot obtain
any information on $k_{A1}$. Similarly, we can calculate that $I(k_{A2} : E) = 0$.
So Eve cannot obtain any information on the pre-shared secret keys between the
signers and the verifier. The probability of a forged signature passing
verification is the probability of Eve guessing the exact secret keys, which is
negligible.
In the above theoretical analysis, we only considered the case of collective attack,
which is proved to be the optimal attack model. In fact, simulation or experiment
considering more complex scenarios can be conducted to verify our calculation
results in future works. It will be much easier to obtain the error rate for complex
scenarios such as coherent attack and forgery, which involve complex modeling
and calculation in theoretical analysis and cannot be efficiently parameterized [22].
Special attack models may be also implemented to discuss how parameters affect
the result of CVQHS.
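
The entropy subtraction behind I(k_A1 : E) = 0 in this section can be carried out numerically from the covariance matrices given above. The following is an added example, not code from the book: the function names and sample parameter values are constructed, variances are assumed to be in shot-noise units (vacuum variance 1, consistent with V = cosh 2r), and the symplectic-eigenvalue and entropy formulas are the standard results for two-mode Gaussian states rather than formulas stated on this page.

```python
import math


def det(m):
    """Determinant by Laplace expansion along the first row (used for 2x2 and 4x4)."""
    if len(m) == 1:
        return m[0][0]
    total = 0.0
    for j, entry in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * entry * det(minor)
    return total


def block(sigma, r, c):
    """2x2 block (r, c) of a 4x4 covariance matrix written as [[A, C], [C^T, B]]."""
    return [row[2 * c:2 * c + 2] for row in sigma[2 * r:2 * r + 2]]


def symplectic_eigenvalues(sigma):
    """Standard formula: nu^2 = (Delta +/- sqrt(Delta^2 - 4 det sigma)) / 2,
    with Delta = det A + det B + 2 det C."""
    delta = (det(block(sigma, 0, 0)) + det(block(sigma, 1, 1))
             + 2 * det(block(sigma, 0, 1)))
    root = math.sqrt(max(delta * delta - 4 * det(sigma), 0.0))  # clamp rounding noise
    return (math.sqrt(max((delta + root) / 2, 0.0)),
            math.sqrt(max((delta - root) / 2, 0.0)))


def mode_entropy(nu):
    """Entropy in bits of one mode with symplectic eigenvalue nu >= 1."""
    nu = max(nu, 1.0)  # a physical state never goes below the vacuum value
    hi, lo = (nu + 1) / 2, (nu - 1) / 2
    return hi * math.log2(hi) - (lo * math.log2(lo) if lo > 0 else 0.0)


def entropy(sigma):
    """Von Neumann entropy (bits) of a two-mode Gaussian state."""
    return sum(mode_entropy(nu) for nu in symplectic_eigenvalues(sigma))


def v_in(v):
    """Covariance matrix V_in of the two-mode squeezed state, variance v >= 1."""
    if v < 1:
        raise ValueError("variance must be at least the vacuum variance 1")
    c = math.sqrt(v * v - 1)
    return [[v, 0, c, 0], [0, v, 0, -c], [c, 0, v, 0], [0, -c, 0, v]]


def v_swapped(v):
    """Covariance matrix after entanglement swapping, (1/2v) [[...], [...]] as above."""
    if v <= 0:
        raise ValueError("variance parameter must be positive")
    a = (v * v + 1) / (2 * v)
    c = (v * v - 1) / (2 * v)
    return [[a, 0, c, 0], [0, a, 0, -c], [c, 0, a, 0], [0, -c, 0, a]]


def holevo_bound(v, tau, v_n, v_k):
    """chi = S(rho_24) - S(rho_24 | k_A1) using V_1 and V' = V_1 - V_k from the text."""
    v1 = tau ** 2 * v + (tau + 1) * v_n
    return entropy(v_swapped(v1)) - entropy(v_swapped(v1 - v_k))


if __name__ == "__main__":
    # Constructed sample parameters: r = 0.5, tau = 0.8, V_N = 0.1, key variance 0.5.
    v = math.cosh(2 * 0.5)
    print("S(V_in)        =", round(entropy(v_in(v)), 6))
    print("Holevo bound   =", round(holevo_bound(v, 0.8, 0.1, 0.5), 6))
    # Sanity check on a mixed state: two thermal modes of variance 3 carry 4 bits.
    thermal = [[3, 0, 0, 0], [0, 3, 0, 0], [0, 0, 3, 0], [0, 0, 0, 3]]
    print("S(thermal)     =", entropy(thermal))
```

Both matrices of the form given for V_24 have symplectic eigenvalues equal to 1 whatever the value of V_1 or V', so the two entropies are zero and their difference, the Holevo bound, vanishes.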

13.4.3 Probability of a Legal Signature Being Denied

In the CVQHS scheme, if the deviation between the value calculated from a signature
and the value calculated from pre-shared messages is larger than a certain
verification threshold, the signature will be denied by the verifier. The deviation
can be caused by an attacker or noise. Here it is assumed that the verifier
receives a signature that is generated by a legal signer and not tampered with by
an attacker. So the probability only depends on noise.
A verification threshold $H_{th}$ in a noisy environment is given in Ref. [20],
which is equal to the variance of $x_V - \tau x_V$. In the verification phase, the
verifier compares $(x_V - \tau x_V)^2$, $(p_V - \tau p_V)^2$ and $H_{th}$. If
$(x_V - \tau x_V)^2 > H_{th}$ or $(p_V - \tau p_V)^2 > H_{th}$, it will deny the
signature. Denote $x_V - \tau x_V$ as a random variable $X$ whose first and second
moments are $EX = 0$ and $DX = H_{th}$. So the probability of a legal signature
being denied is

\[
P(X^2 > H_{th}) = P(X^2 > DX) = P(|X| > \sqrt{DX}).
\]

Since $X$ is a linear combination of quadratures, secret keys, and classical
messages, it follows the Gaussian distribution. According to the property of
Gaussian distribution, $P(X^2 > H_{th}) \approx 0.32$. So the probability of a
legal signature being denied is 0.32.
By adding up the two probabilities in Sects. 13.4.2 and 13.4.3, we can conclude
that the upper bound of the error rate of the CVQHS scheme is 0.32 when all
measurement devices are untrusted. Although 0.32 is not negligible, the probability
of correctly verifying the identities is twice the error rate. So the CVQHS scheme
is deemed to be measurement-device-independent.

13.5 Discussion

Firstly, we discuss how the parameters of the CVQHS scheme affect the error rate.
The calculation of the probability of a forged signature passing verification
involves three parameters, namely the variance V of two-mode squeezed states,
the transmissivity τ of quantum channels, and the variance $V_N$ of thermal noise
of quantum channels. According to the calculation result, the probability is always
0 provided V is nonzero, which means an attacker cannot obtain the pre-shared
secret keys as long as the entangled states are properly prepared and not collapsed
before being used for generating quantum signatures. Noisy quantum channels do not
have any influence on the probability of a forged signature passing verification.
It is the randomness of quantum states that prevents the pre-shared secret keys
from being leaked during transmission.
The calculation of the probability of a legal signature being denied involves the
values of both quadratures of entangled states, pre-shared secret keys, the
transmissivity and the variance of thermal noise of quantum channels, and the
verification threshold. In the calculation, the parameters follow Gaussian
distribution so the probability can be easily obtained. The probability is
influenced by the verification threshold $H_{th}$. If $H_{th}$ is larger, the
probability will decrease but it will be easier for a forged quantum signature to
pass verification. If $H_{th}$ is smaller, the probability will increase. So the
verification threshold should be carefully set in order to lower the error rate.
Secondly, we discuss the application of the analysis method. The analysis method
can be summarized in the following three steps:
Step 1. Analyze the objective of the protocol and find the parameter that can be
used to decide whether the protocol has completed its task.
Step 2. Analyze the topology and the communication pattern of the protocol to
obtain a simplified attack model, which may be a sufficiently studied attack.
Step 3. Calculate the parameter under the attack model to judge the
measurement-device independency of the protocol.
In our analysis procedure, the parameter is the upper bound of error rate and the
attack model can be simplified as collective attack. Although we only analyze the
CVQHS scheme, the analysis method can be applied to other CVQDS protocols by
means of calculating the same parameter under a similar attack model.
Concretely, the objective of a CVQDS protocol is to verify the identity of a data
source, which is the same as the CVQHS scheme. So at Step 1, the parameter will
be the upper bound of error rate as well. From the perspective of verification
results, errors can be classified into two types. The first type of error is the
case where a tampered or forged quantum signature passes verification. The second
type of error is the case where a legal quantum signature which is not tampered
with by attackers gets denied by the verifier. In order to calculate the error
rate, we should construct a model for each of the two types of errors. The first
type of error usually involves attackers, so we should construct an attack model.
The second type of error is caused by noise, so we should also construct a model
for noisy quantum channels.
Constructing an attack model in Step 2 is the key step of the MDI analysis method.
The most effective way of attack can be found by means of applying the MDI
assumptions to the protocol. Attack models may be different for different CVQDS
protocols if the protocols have different network topologies and communication
patterns. Since most of the CVQDS protocols do not involve an untrusted aggregator,
we believe attack models for CVQDS protocols will be simpler than that of the CVQHS
scheme. Furthermore, it seems that the attack model of a CVQDS protocol can often
become an eavesdropping model because it is necessary for an attacker to obtain
secret keys. After simplification, the calculation process at Step 3 will be
similar to our calculation.
The above analysis procedure seems to be a general formalism for analyzing
measurement-device independency. In this procedure, the key point of analyzing a
protocol is to find an appropriate parameter and construct an attack model. A
complicated protocol carried out in a large-scale network may have several tasks
that affect each other, and each task is completed by several nodes. It will be
difficult to find an appropriate parameter in Step 1. Also, unintended entanglement
among different nodes will not only affect the quantum states transmitted between
two legal nodes in an unexpected way, but also increase the complexity of analysis
and calculation. It will be difficult to construct an attack model that is simple
enough for calculation. So MDI analysis methods for quantum cryptographic protocols
other than CVQDS protocols still need to be explored.

13.6 Summary

In this chapter, we analyzed the measurement-device independency of
continuous-variable quantum digital signature. According to the objective of CVQDS,
we verify that a CVQDS protocol is measurement-device-independent if its error rate
is negligible on condition that all measurement devices are untrusted. Concretely,
we take a continuous-variable quantum homomorphic signature protocol as an example.
The error rate of the CVQHS scheme is equal to the probability of a forged
signature passing verification plus the probability of a legal signature being
denied. In the analysis procedure, we introduced an attack model in order to
calculate the error rate. The attack model was simplified to collective attack by
means of applying the MDI assumptions to the protocol. The calculation was also
simplified by taking advantage of Gaussian states, i.e., the von Neumann entropy of
a Gaussian state can be calculated from its first and second moments. Calculation
results show that the error rate is 0.32, so the CVQHS scheme is deemed to be
measurement-device-independent. Although we only analyze the measurement-device
independency of the CVQHS scheme, our analysis can be summarized in three steps and
applied to other CVQDS protocols. Whether this approach is a general formalism for
analyzing the measurement-device independency of all quantum protocols is still an
open question and will be discussed in future works.

References

1. Acin, A., Gisin, N., Masanes, L.: From Bell’s theorem to secure quantum key distribution.
Phys. Rev. Lett. 97(12), 120405 (2006)
2. Acin, A., Brunner, N., Gisin, N., et al.: Device-independent security of quantum cryptography
against collective attacks. Phys. Rev. Lett. 98(23), 230501 (2007)
3. Pironio, S., Acin, A., Brunner, N., et al.: Device-independent quantum key distribution secure
against collective attacks. New J. Phys. 11(4), 1–2 (2009)
4. Masanes, L., Pironio, S., Acin, A.: Secure device-independent quantum key distribution with
causally independent measurement devices. Nat. Commun. 2(1), 238 (2011)
5. Vazirani, U., Vidick, T.: Fully device-independent quantum key distribution. Phys. Rev. Lett.
11(4), 1–2 (2014)
6. Lo, H.K., Curty, M., Qi, B.: Measurement-device-independent quantum key distribution. Phys.
Rev. Lett. 108(13), 130503 (2012)
7. Li, Z.Y., Zhang, Y.C., Xu, F.H., et al.: Continuous-variable measurement-device-independent
quantum key distribution. Phys. Rev. A 89(5), 052301 (2014)
8. Zhang, Y.C., Li, Z.Y., Yu, S., et al.: Continuous-variable measurement-device-independent
quantum key distribution using squeezed states. Phys. Rev. A 90(5), 052325 (2014)
9. Pirandola, S., Ottaviani, C., Spedalieri, G., et al.: High-rate measurement-device-independent
quantum cryptography. Nat. Photonics 9(6), 397–402 (2015)
10. Wu, Y.D., Zhou, J., Gong, X.B., et al.: Continuous-variable measurement-device-independent
multipartite quantum communication. Phys. Rev. A 93(2), 022325 (2016)
11. Li, F., Zhao, W., Guo, Y.: Continuous-variable measurement-device-independent quantum relay
network with phase-sensitive amplifiers. Int. J. Theor. Phys. 57(1), 112–126 (2018)
12. Supic, I., Skrzypczyk, P., Cavalcanti, D.: Measurement-device-independent entanglement and
randomness estimation in quantum networks. Phys. Rev. A 95(4), 042340 (2017)
13. Rosset, D., Martin, A., Verbanis, E., et al.: Practical measurement-device-independent entan-
glement quantification (2017). arXiv:1709.03090
14. Zeng, G.H., Lee, M.H., Guo, Y., et al.: Continuous variable quantum signature algorithm. Int.
J. Quantum Inf. 5(4), 553–573 (2007)
15. Guo, Y., Feng, Y.Y., Huang, D.Z., et al.: Arbitrated quantum signature scheme with continuous-
variable coherent states. Int. J. Theor. Phys. 55(4), 2290–2302 (2016)
References 277

16. Donaldson, R.J., Collins, R.J., Kleczkowska, K., et al.: Experimental demonstration of
kilometer-range quantum digital signatures. Phys. Rev. A 93(1), 012329 (2016)
17. Shang, T., Li, K., Liu, J.W.: Measurement-device independency analysis of continuous-variable
quantum digital signature. Entropy 20(4), 291 (2018)
18. Ma, X.F., Razavi, M.: Alternative schemes for measurement-device-independent quantum key
distribution. Phys. Rev. A 86(6), 062319 (2012)
19. Navascues, M., Grosshans, F., Acin, A.: Optimality of Gaussian attacks in continuous-variable
quantum cryptography. Phys. Rev. Lett. 97(19), 190502 (2006)
20. Li, K., Shang, T., Liu, J.W.: Continuous-variable quantum homomorphic signature. Quantum
Inf. Process. 16(10), 246 (2017)
21. Renner, R., Cirac, J.I.: de Finetti representation theorem for infinite-dimensional quantum
systems and applications to quantum cryptography. Phys. Rev. Lett. 102(11), 110504 (2009)
22. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., et al.: The security of practical quantum
key distribution. Rev. Mod. Phys. 81(3), 1301–1350 (2009)
23. Holevo, A.S.: Bounds for the quantity of information transmitted by a quantum communication
channel. Probl. Peredachi Informatsii 9(3), 3–11 (1973)
