Institute of Information Science, Academia Sinica

In this talk I will present recent results on the topic of computationally secure transmission of quantum states. The Internet of the future will arguably include both large-scale quantum computers and high-capacity quantum channels. How will we securely transmit data (including quantum states) over the resulting "quantum Internet?"
Entanglement-based methods (e.g., teleportation) are costly and inefficient, both in terms of communication and storage complexity. Encryption and authentication offer a non-interactive and efficient alternative, with the basic features of Internet communication: (i.) keys exchanged over public channels, (ii.) a short key suffices for transmitting unlimited amount of data, and (iii.) security guarantees are maximal for both secrecy and authenticity. However, encrypting, authenticating, and signing quantum data requires understanding the following core components, which have essentially not been studied in the quantum setting: ciphertext authentication (even one-time), k-time secret-key authentication (even for k = 2), unforgeability against adaptive chosen message attacks, public-key verifiable signatures, adaptive chosen-ciphertext security for encryption (CCA2), and authenticated encryption. The lack of progress in this area has largely been due to fundamental obstacles involving no-cloning and measurement, which make it difficult even to formulate proper security definitions, much less construct schemes or prove their security.
I will present recent results that make significant progress on each component listed above. Starting with the symmetric-key case, the first security definitions, constructions, security proofs, relations, and separations are given. These results are then extended to the public-key case. Herein, of particular interest are results regarding public-key signatures on quantum states: first, a very strong impossibility result convincingly shows that signatures only exist for purely classical data. It is then shown that one can nonetheless sign quantum data, provided that it is also encrypted. A thorough treatment of the theory of the resulting "quantum signcryption" notion is finally provided.