Quantum randomized encoding, verification of quantum computing, no-cloning, and blind quantum computing

Randomized encoding is a powerful cryptographic primitive with various applications such as secure multiparty computation, verifiable computation, parallel cryptography, and complexity lower bounds. Intuitively, randomized encoding $\hat{f}$ of a function $f$ is another function such that $f(x)$ can be recovered from $\hat{f}(x)$, and nothing except for $f(x)$ is leaked from $\hat{f}(x)$. Its quantum version, quantum randomized encoding, has been introduced recently [Brakerski and Yuen, arXiv:2006.01085]. Intuitively, quantum randomized encoding $\hat{F}$ of a quantum operation $F$ is another quantum operation such that, for any quantum state $\rho$, $F(\rho)$ can be recovered from $\hat{F}(\rho)$, and nothing except for $F(\rho)$ is leaked from $\hat{F}(\rho)$. In this paper, we show three results. First, we show that if quantum randomized encoding of BB84 state generations is possible with an encoding operation $E$, then a two-round verification of quantum computing is possible with a classical verifier who can additionally do the operation $E$. One of the most important goals in the field of the verification of quantum computing is to construct a verification protocol with a verifier as classical as possible. This result therefore demonstrates a potential application of quantum randomized encoding to the verification of quantum computing: if we can find a good quantum randomized encoding (in terms of the encoding complexity), then we can construct a good verification protocol of quantum computing. Our second result is, however, to show that too good quantum randomized encoding is impossible: if quantum randomized encoding for the generation of even simple states (such as BB84 states) is possible with a classical encoding operation, then the no-cloning is violated. Finally, we consider a natural modification of blind quantum computing protocols in such a way that the server gets the output like quantum randomized encoding. We show that the modified protocol is not secure.

Message randomization and strong security in quantum stabilizer-based secret sharing for classical secrets

We improve the flexibility in designing access structures of quantum stabilizer-based secret sharing schemes for classical secrets, by introducing message randomization in their encoding procedures. We generalize the Gilbert–Varshamov bound for deterministic encoding to randomized encoding of classical secrets. We also provide an explicit example of a ramp secret sharing scheme with which multiple symbols in its classical secret are revealed to an intermediate set, and justify the necessity of incorporating strong security criterion of conventional secret sharing. Finally, we propose an explicit construction of strongly secure ramp secret sharing scheme by quantum stabilizers, which can support twice as large classical secrets as the McEliece–Sarwate strongly secure ramp secret sharing scheme of the same share size and the access structure.

Short Non-Malleable Codes from Related-Key Secure Block Ciphers

A non-malleable code is an unkeyed randomized encoding scheme that offers the strong guarantee that decoding a tampered codeword either results in the original message, or in an unrelated message. We consider the simplest possible construction in the computational split-state model, which simply encodes a message m as k||Ek(m) for a uniformly random key k, where E is a block cipher. This construction is comparable to, but greatly simplifies over, the one of Kiayias et al. (ACM CCS 2016), who eschewed this simple scheme in fear of related-key attacks on E. In this work, we prove this construction to be a strong non-malleable code as long as E is (i) a pseudorandom permutation under leakage and (ii) related-key secure with respect to an arbitrary but fixed key relation. Both properties are believed to hold for “good” block ciphers, such as AES-128, making this non-malleable code very efficient with short codewords of length |m|+2τ (where τ is the security parameter, e.g., 128 bits), without significant security penalty.