1 Introduction

Consider the following scenario: Alice sends a ciphertext to Bob, but in addition, she wants to encode the data in a way such that Bob can prove to her that he deleted the information contained in the ciphertext. Such a deletion should prevent Bob from retrieving any information on the encoded plaintext once the key is revealed. We call this certified deletion.

Informally, this functionality stipulates that Bob should not be able to do the following two things simultaneously: (1) Convince Alice that he has deleted the ciphertext; and (2) Given the key, recover information about the encrypted message. To better understand this concept, consider an analogy to certified deletion in the physical world: “encryption” would correspond to locking information into a keyed safe, the “ciphertext” consisting of the locked safe. In this case, “deletion” may simply involve returning the safe in its original state. This “deletion” is intrinsically certified since, without the safe (and having never had access to the key and the safe at the same time), Bob is relinquishing the possibility of gaining access to the information (even in the future when the key may be revealed) by returning the safe. However, in the case that encryption is digital, Bob may retain a copy of the ciphertext; there is therefore no meaningful way for him to certify “deletion” of the underlying information, since clearly a copy of the ciphertext is just as good as the original ciphertext when it comes time to use the key to decrypt the data.

Quantum information, on the other hand, is known for its no-cloning principle [8, 19, 36], which states that quantum states cannot, in general, be copied. This quantum feature has been explored in many cryptographic applications, including unforgeable money [35], quantum key distribution (QKD) [2], and more (for a survey, see [4]).

1.1 Summary of Contributions

In this work, we add to the repertoire of functionalities that are classically impossible but are achievable with unconditional security using quantum information. We give a formal definition of certified deletion encryption and certified deletion security. Moreover, we construct an encryption scheme which, as we demonstrate, satisfies these notions (in addition, our proofs are applicable in the finite-key regime). Furthermore, our scheme is technologically simple since it can be implemented by honest parties who have access to rudimentary quantum devices (that is, they only need to prepare single-qubit quantum states, and perform single-qubit measurements); we also show that our scheme is robust against noise in these devices. We now elaborate on these contributions.

Definitions. In order to define our notion of encryption, we build on the quantum encryption of classical messages (QECM) framework [3] (for simplicity, our work is restricted to the single-use, private-key setting). To the QECM, we add a delete circuit which is used by Bob if he wishes to delete his ciphertext and generate a corresponding verification state, and a verify circuit which uses the key and is used by Alice to determine whether Bob really deleted the ciphertext.

Next, we define the notion of certified deletion security for a QECM scheme (See Fig. 1 and Definition 13). Our definition is inspired by elements of the definition in [33]. The starting point for this definition is the well-known indistinguishability experiment, this time played between an adversary \(\mathcal {A}=(\mathcal {A}_0, \mathcal {A}_1, \mathcal {A}_2)\) and a challenger. After running the Key Generation procedure, the adversary \(\mathcal {A}_0\) submits an n-bit plaintext \(\textsf {msg}_0\) to the challenger. Depending on a random bit b, the challenger either encrypts \(\textsf {msg}_0\) or a dummy plaintext \(0^n\), and sends the ciphertext to \(\mathcal {A}_1\). The adversary \(\mathcal {A}_1\) then produces a candidate classical “deletion certificate”, y. Next, the key is sent to the adversary \(\mathcal {A}_2\) who produces an output bit \(b' \in \{0,1\}\). A scheme is deemed secure if the choice of b does not change the probability of the following event: “\(b' = 1\) and the deletion certificate y is accepted”. We note that it would be incorrect to formulate a definition that conditions on y being accepted (see discussion in [33]). We note that certified deletion security does not necessarily imply ciphertext indistinguishability; hence these two properties are defined and proven separately.

Fig. 1.

Schematic representation of the security notion for certified deletion security. The game is parametrized by \(b \in \{0,1\}\) and \(\text {Enc}_0\) outputs an encryption of \(0^n\) while \(\text {Enc}_1\) encrypts its input, \(\mathsf {msg}_0\). Security holds if for each adversary \(\mathcal {A}=(\mathcal {A}_0, \mathcal {A}_1, \mathcal {A}_2)\), the probability of (\(b' = 1\) and \(ok = 1\)) is essentially the same, regardless of the value of b.

Scheme. In Sect. 4, we present our scheme. Our encoding is based on the well-known Wiesner encoding [35]. Informally, the message is encoded by first generating a random m-qubit Wiesner state \(|r^\theta \rangle \) (\(r, \theta \in \{0,1\}^m\)) (for notation, see Sect. 2.1). We let \(r|_\mathcal {I}\) be the substring of r at the positions where qubits are encoded in the computational basis (\(\theta _i = 0\)), and we let \(r|_{\bar{\mathcal {I}}}\) be the remaining substring of r (the positions encoded in the Hadamard basis, \(\theta _i = 1\)). Then, in order to create a classical proof of deletion, Bob measures the entire ciphertext in the Hadamard basis. The result is a classical string, and Alice accepts the deletion if all the bits corresponding to positions encoded in the Hadamard basis agree with \(r|_{\bar{\mathcal {I}}}\); the outcomes at the computational-basis positions are uniformly random and are ignored (in the noise-tolerant version of the scheme, a bounded number of mismatches at the Hadamard positions is tolerated). As for the message \(\mathsf {msg}\), it is encoded into \(x'= \mathsf {msg}\oplus H(r|_\mathcal {I}) \oplus u\), where H is a two-universal hash function and u is a fresh, random string. Intuitively speaking, the use of the hash function is required in order to prevent that partial information retained by Bob could be useful in distinguishing the plaintext, while the random u is used to guarantee security in terms of an encryption scheme. Robustness of the protocol is achieved by using an error correcting code and including an encrypted version of the error syndrome. We note that while our definitions do not require it, our scheme provides a further desirable property, namely that the proof of deletion is a classical string only.
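As an added worked example (illustrative code written for this page, not the paper's implementation), the following Python script simulates the scheme just described. Qubits are simulated classically: measuring in the preparation basis returns the encoded bit, measuring in the conjugate basis returns a uniformly random bit and destroys the encoded one, and a qubit can be measured only once. That is faithful for the honest parties and for an adversary who measures each qubit in a fixed basis, but it cannot represent entangled or coherent attacks. The Toeplitz construction for H, the fixed Hamming weight k of \(\theta \), the parameter values and the `tolerance` argument of `verify` are assumptions of the example, and the error-correction layer for noisy devices is omitted. Two naive cheating strategies illustrate the trade-off the definition captures: measuring everything in the computational basis retains \(r|_\mathcal {I}\) but the certificate is accepted only with probability \(2^{-k}\); measuring everything in the Hadamard basis yields an accepted certificate but destroys \(r|_\mathcal {I}\), so the key is useless afterwards.

```python
"""Toy simulation of the certified-deletion scheme (added example, not the
paper's code).  Qubits are simulated classically, which is faithful for the
honest parties and for an adversary measuring each qubit in a fixed basis,
but cannot model entangled or coherent attacks.  Parameter names m, k, n, the
Toeplitz universal_2 family and `tolerance` are choices made here."""
import random
import secrets

COMP, HAD = 0, 1  # theta_i = 0: computational basis, theta_i = 1: Hadamard basis

class Qubit:
    """One qubit prepared as |bit> (COMP) or H|bit> (HAD).  It can be measured
    once: in the preparation basis the encoded bit comes out; in the conjugate
    basis a uniformly random bit comes out and the encoded bit is gone."""
    def __init__(self, bit, basis):
        self._bit, self._basis, self._measured = bit, basis, False

    def measure(self, basis):
        if self._measured:
            raise RuntimeError("already measured; no-cloning leaves no second copy")
        self._measured = True
        return self._bit if basis == self._basis else secrets.randbits(1)

def rand_bits(length):
    return [secrets.randbits(1) for _ in range(length)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def toeplitz_hash(t, x, n):
    """Universal_2 hash {0,1}^s -> {0,1}^n: x times the n x s binary Toeplitz
    matrix whose diagonals are the s+n-1 seed bits t."""
    s = len(x)
    return [sum(t[i - j + s - 1] & x[j] for j in range(s)) & 1 for i in range(n)]

def keygen(m, k, n):
    """theta: m-bit string of Hamming weight k (the Hadamard positions);
    r: the m Wiesner bits; u: one-time pad; t: seed selecting H."""
    theta = [0] * m
    for pos in random.SystemRandom().sample(range(m), k):
        theta[pos] = 1
    return {"theta": theta, "r": rand_bits(m), "u": rand_bits(n),
            "t": rand_bits(m - k + n - 1), "n": n}

def comp_positions(key):
    return [i for i, th in enumerate(key["theta"]) if th == COMP]

def pad(key, data, r_est):
    """data xor H(r_est|_I) xor u: masks msg with the true r, and unmasks x'
    with whatever estimate of r the caller holds."""
    r_i = [r_est[i] for i in comp_positions(key)]
    return xor(xor(data, toeplitz_hash(key["t"], r_i, key["n"])), key["u"])

def encrypt(key, msg):
    """Ciphertext = (Wiesner state |r^theta>, x' = msg xor H(r|_I) xor u)."""
    qubits = [Qubit(b, th) for b, th in zip(key["r"], key["theta"])]
    return qubits, pad(key, msg, key["r"])

def decrypt(key, ciphertext):
    """Honest Bob with the key measures each qubit in its preparation basis."""
    qubits, x_prime = ciphertext
    return pad(key, x_prime, [q.measure(th) for q, th in zip(qubits, key["theta"])])

def delete(ciphertext):
    """Certificate y: measure every qubit in the Hadamard basis (no key needed)."""
    return [q.measure(HAD) for q in ciphertext[0]]

def verify(key, y, tolerance=0):
    """Accept iff y matches r at all but at most `tolerance` Hadamard positions
    (tolerance > 0 models a noisy honest device); computational positions are
    uniformly random in y and are ignored."""
    errors = sum(1 for th, yi, ri in zip(key["theta"], y, key["r"])
                 if th == HAD and yi != ri)
    return errors <= tolerance

def honest_run(m=128, k=64, n=32):
    """(decryption correct, certificate accepted, nothing left to decrypt)."""
    msg = rand_bits(n)
    key = keygen(m, k, n)
    dec_ok = decrypt(key, encrypt(key, msg)) == msg
    key = keygen(m, k, n)              # fresh key: the scheme is one-time
    ct = encrypt(key, msg)
    cert_ok = verify(key, delete(ct))
    try:
        decrypt(key, ct)
        gone = False
    except RuntimeError:               # delete() consumed every qubit
        gone = True
    return dec_ok, cert_ok, gone

def cheating_run(basis, m=128, k=64, n=32):
    """Bob measures every qubit in one fixed basis before seeing the key, sends
    that string as certificate, then reuses it as his estimate of r once the
    key arrives.  Returns (certificate accepted, message recovered)."""
    key, msg = keygen(m, k, n), rand_bits(n)
    qubits, x_prime = encrypt(key, msg)
    guess = [q.measure(basis) for q in qubits]
    return verify(key, guess), pad(key, x_prime, guess) == msg
```

`honest_run()` returns `(True, True, True)`; `cheating_run(COMP)` returns `(False, True)` except with probability \(2^{-k}\), and `cheating_run(HAD)` returns `(True, False)` except with probability about \(2^{-n}\) (a hash collision). Adversaries that keep the qubits coherent and act on them jointly are outside this simulation; bounding them is exactly what the entanglement-based analysis of Sect. 5 does.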

Proof. In Sect. 5, we present the security analysis of our scheme and give concrete security parameters (Theorem 3 and its proof). First, the fact that the scheme is an encryption scheme is relatively straightforward; it follows via a generalization of the quantum one-time pad (see Sect. 5.1). Next, correctness and robustness (Sect. 5.2) follow from the properties of the encoding and of the error correcting mechanism.

Next, the proof of security for certified deletion has a number of key steps. First, we apply the security notion of certified deletion (Definition 13) to our concrete scheme (Scheme 1). This yields a “prepare-and-measure” security game (see Game 1). However, for the purposes of the analysis, it is convenient to consider instead an entanglement-based game (this is a common proof technique for quantum protocols that include the preparation of random states [17, 25]). In this game (Game 2), the adversary, Bob, creates an initial entangled state, from which Alice derives (via measurements in a random basis \(\theta \) of her choosing) the value of \(r \in \{0,1\}^m\). We show that, without loss of generality, Bob can produce the proof of deletion, y, before he receives any information from Alice (this is due, essentially, to the fact that the ciphertext is uniformly random from Bob’s point of view). Averaging over Alice’s choice of basis \(\theta \), we arrive at a very powerful intuition: in order for Bob’s probability of creating an acceptable proof of deletion y (i.e. he produces a string where the positions corresponding to \(\theta =1\) match with \( r|_{\bar{\mathcal {I}}}\)) to be high, he must unavoidably have a low probability of correctly guessing \(r|_\mathcal {I}\). The above phenomenon is embodied in the following entropic uncertainty relation for smooth entropies [30, 31]. We consider the scenario of Eve preparing a tripartite state \(\rho _{ABE}\) with Alice, Bob, and Eve receiving the A, B and E systems, respectively (here, A and B contain n qubits). Next, Alice either measures all of her qubits in the computational basis to obtain string X, or she measures all of her qubits in the Hadamard basis to obtain string Z; meanwhile, Bob measures his qubits in the Hadamard basis to obtain \(Z'\). We then have the relation:

$$\begin{aligned} H_{\min } ^\epsilon (X \mid E) + H_{\max } ^\epsilon (Z \mid Z') \ge n, \end{aligned}$$
(1)

In the above, \(\epsilon \ge 0\) is a smoothing parameter which represents a probability of failure, and the smooth min-entropy \(H_{\min } ^\epsilon (X\mid E)\) characterizes the average probability that Eve guesses X correctly using her optimal strategy and given her quantum register E, while the smooth max-entropy \(H_{\max } ^\epsilon (Z\mid Z')\) corresponds to the number of bits that are needed in order to reconstruct Z from \(Z'\) up to a failure probability \(\epsilon \) (for details, see Sect. 2.4).

Our proof technique thus consists in formally analysing the entanglement-based game and applying the appropriate uncertainty relation in the spirit of the one above. Finally, we combine the bound on Bob’s min-entropy with a universal\(_2\) hash function and the Leftover Hashing Lemma of [21] to prove indistinguishability between the cases \(b=0\) and \(b=1\) after Alice has been convinced of deletion.

1.2 Related Work

To the best of our knowledge, the first use of a quantum encoding to certify that a ciphertext is completely “returned” was developed by Unruh [33] in the context of revocable timed-release encryption: in this case, the revocation process is fully quantum. Our main security definition (Definition 13) is closely related to the security definitions from this work. On the technical side, our work differs significantly since [33] uses techniques related to CSS codes and quantum random oracles, whereas we use privacy amplification and uncertainty relations. Our work also considers the concept of “revocation” outside the context of timed-release encryption, and it is also a conceptual and technical improvement since it shows that a proof of deletion can be classical. Fu and Miller [11] gave the first evidence that quantum information could be used to prove deletion of information and that this could be verified using classical interaction only: they showed that, via a two-party nonlocality game (involving classical interaction), Alice can become convinced that Bob has deleted a single-bit ciphertext (in the sense that the deleted state is unreadable even if Bob were to learn the key). Their results are cast in the device-independent setting (meaning that security holds against arbitrarily malicious quantum devices). Further related work (that is independent from ours) by Coiteux-Roy and Wolf [7] touches on the question of provable deletion using quantum encodings. However, their work is not concerned with encryption schemes, and therefore does not consider leaking of the key. By contrast, we are explicitly concerned with what it would mean to delete a quantum ciphertext. We note, however, that there are similarities between our scheme and the proposed scheme in [7], namely the use of conjugate coding, with the message encoded in one basis and its conjugate basis, to prove deletion.

Relationship with Quantum Key Distribution. It can be instructive to compare our results to the ones obtained in the analysis of QKD [29]. Firstly, our adversarial model appears different since in certified deletion, we have one honest party (Alice, the sender) and one cheating party (Bob, the receiver), whereas QKD involves two honest parties (Alice and Bob) and one adversary (Eve). Next, the interaction model is different since certified deletion is almost non-interactive, whereas QKD involves various rounds of interaction between Alice and Bob. However, the procedures and proof techniques for certified deletion are close to the ones used in QKD: we use similar encodings into Wiesner states, similar privacy amplification and error correction, and the analysis via an entanglement-based game uses similar entropic uncertainty relations, leading to a security parameter that is very similar to the one in [29]. While we are not aware of any direct reduction from the security of a QKD scheme to certified deletion, we note that, as part of our proof technique, we manage to essentially map the adversarial model for certified deletion to one similar to the QKD model since we split the behaviour of our adversarial Bob into multiple phases: preparation of the joint state \(\rho _{ABE}\), measurement of a register B in a determined basis, and finally bounding the advantage that the adversary has in simultaneously making Alice accept the outcome of the measurement performed on B and predicting some measurement outcome on register A given quantum side-information E. This scenario is similar to QKD, although we note that the measurement bases are not chosen randomly but are instead consistently in the Hadamard basis (for Bob’s measurement) and that Eve’s challenge is to predict Alice’s measurement in the computational basis only (this situation is reminiscent of the single-basis parameter estimation technique [20, 29]).

1.3 Applications and Open Questions

While the main focus of this work is on the foundations of certified deletion, we can nevertheless envisage potential applications which we briefly discuss below (we leave the formal analyses for future work).

Protection Against Key Leakage. Almost all encryption schemes suffer from the drawback that, eventually (given enough computational time and power), keys are leaked. Here, certified deletion could be used to mitigate this risk. For instance, using certified deletion, a sender using a storage server for encrypted data could at any time (and in particular, as soon as the sender has doubts that the keys are about to be leaked) request a proof of deletion of the data. This could give some reassurance on the secrecy of the data; in contrast, classical solutions clearly are inadequate.

Protection Against Data Retention. In 2016, the European Union adopted a regulation on the processing and free movement of personal data [26]. Included is a clause on the “right to be forgotten”: a person should be able to have their data erased whenever its retention is no longer necessary. See also [12]. Certified deletion encryption might help facilitate this scenario in the following way: if a party were to provide their data to an organization via a certified deletion encryption, the organization would be able to certify deletion of the data using the deletion circuit included in the scheme. Future work could develop a type of homomorphic encryption with certified deletion so that the ciphertexts could be useful to some extent while a level of security, in terms of deletion, is maintained. Also useful would be a type of “public verifiability” which would enable parties other than the originator to verify deletion certificates. Contact tracing [5] is another relevant scenario where individual data could be safeguarded against data retention by using certified deletion.

Encryption with Classical Revocation. The concept of ciphertext revocation allows a recipient to provably return a ciphertext (in the sense that the sender can confirm that the ciphertext is returned and that the recipient will not be able to decrypt, even if the key is leaked in the future); such a functionality is unachievable with classical information alone, but it is known to be achievable using quantum ciphertexts [33]. In a sense, our contribution is an extension of revocation since from the point of view of the recipient, whether quantum information is deleted or returned, the end result is similar: the recipient is unable to decrypt even given the key. Our scheme, however, has the advantage of using classical information only for the deletion.

As a use case for classical revocation, consider a situation where Bob loans Alice an amount of money. Alice agrees to pay back the full amount in time T plus 15 % interest if Bob does not recall the loan within that time. To implement this scheme, Alice uses a certified deletion encryption scheme to send Bob an encrypted cheque and schedules her computer to send Bob the key at time T. If Bob wishes to recall the loan within time T, he sends Alice the deletion string. Another possible application is timed-release encryption [33]: the key is itself sent along with the ciphertext, but protected by a classical timed-release encryption.

Composable and Everlasting Security. We leave as an open question the composability of our scheme (as well as security beyond the one-time case). We note that by combining composability with our quantum encoding, it may be possible to transform a long-term computational assumption into a temporary one: a computational assumption would need to be broken during the protocol, since once the protocol ends the security becomes information-theoretic. This is called everlasting security [32].

For example, consider the situation encountered in a zero-knowledge proof system for a \(\Sigma \)-protocol (for instance, for graph 3-colouring [14]): the prover commits to an encoding of an \(\textsf {NP}\)-witness using a statistically binding and computationally concealing commitment scheme. The verifier then randomly chooses which commitments to open, and the prover provides the information required to open the commitment. If, in addition, we could encode the commitments with a scheme that provides composable certified deletion, then the verifier could also prove that the unopened commitments are effectively deleted. This has the potential of ensuring that the zero-knowledge property becomes statistical as long as the computational assumption is not broken during the execution of the proof system. This description assumes an extension of our certified deletion encoding to the computational setting and also somehow assumes that the verifier would collaborate in its deletion actions (we leave for future work the formal statement and analysis). Nevertheless, since zero-knowledge proofs are building blocks for a host of cryptographic protocols, certified deletion has the potential to unleash everlasting security; this is highly desirable given steady progress in both algorithms and quantum computers. Another potential application would be proving erasure (in the context where there is no encryption) [7].

Outline. The remainder of this paper is structured as follows. Section 2 is an introduction to concepts and notation used in the rest of this work. Section 3 lays out the novel security definitions which appear in this paper. Section 4 is an exposition of our main scheme, while Sect. 5 provides a security analysis.

2 Preliminaries

In this section, we outline certain concepts and notational conventions which are used throughout the article. We assume that the reader has a basic familiarity with quantum computation and quantum information. We refer to [18] for further background.

2.1 Notation

We make use of the following notation: for a function \(f :X \rightarrow \mathbb {R}\), we denote

$$\begin{aligned} \mathop {\mathbb {E}}_x f(x) = \frac{1}{|X|} \sum _{x \in X} f(x). \end{aligned}$$
(2)

We represent the Hamming weight of strings as the output of a Hamming weight function \(\omega :\{0,1\}^* \rightarrow \mathbb {N}\). If \(x_1, \ldots , x_n\) are strings, then we define \((x_1, \ldots , x_n)\) to be the concatenation of these strings. Let [n] denote the set \(\{ 1, 2, \ldots , n \}\). Then, for any string \(x = (x_1, \ldots , x_n)\) and any subset \(\mathcal {I}\subseteq [n]\), we use \(x |_\mathcal {I}\) to denote the string x restricted to the bits indexed by \(\mathcal {I}\). We call a function \(\eta :\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) negligible if for every positive polynomial p, there exists an integer N such that, for all integers \(n > N\), it is true that \(\eta (n) < \frac{1}{p(n)}\).

We let \(\mathcal {Q}:=\mathbb {C}^2\) denote the state space of a single qubit, and we use the notation \(\mathcal {Q}(n) :=\mathcal {Q}^{\otimes n}\) for any \(n \in \mathbb {N}\). Let \(\mathcal {H}\) be a Hilbert space. The group of unitary operators on \(\mathcal {H}\) is denoted by \(\mathcal {U}(\mathcal {H})\), and the set of density operators on \(\mathcal {H}\) is denoted by \(\mathcal {D}(\mathcal {H})\). Through density operators, a Hilbert space may correspond to a quantum system, which we represent by capital letters. The set of diagonal density operators on \(\mathcal {H}\) is denoted by \(\mathfrak {D}(\mathcal {H})\)—the elements of this set represent classical states. Discrete random variables are thus modeled as finite-dimensional quantum systems, called registers. A register X takes values in \(\mathcal {X}\). A density operator \(|x\rangle \langle x|\) will be denoted as \(\Gamma (x)\). We employ the operator norm, which we define for a linear operator \(A :\mathcal {H}\rightarrow \mathcal {H}'\) between finite-dimensional Hilbert spaces \(\mathcal {H}\) and \(\mathcal {H}'\) as \(\Vert A \Vert = \sup \{ \Vert Av \Vert \mid v \in \mathcal {H}, \Vert v \Vert = 1 \}\). Moreover, for two density operators \(\rho , \sigma \in \mathcal {D}(\mathcal {H})\), we use the notation \(\rho \le \sigma \) to say that \(\sigma - \rho \) is positive semi-definite.

In order to illustrate correlations between a classical register X and a quantum state A, we use the formalism of a classical-quantum state:

$$\begin{aligned} \rho _{XA} = \sum _{x \in \mathcal {X}} P_X (x) \Gamma (x)_X \otimes \rho _{A \mid X = x}, \end{aligned}$$
(3)

where \(P_X (x) :=\Pr [X = x]_\rho = {{\,\mathrm{Tr}\,}}[\Gamma (x)_X \rho _{XA}]\) and \(\rho _{A \mid X = x}\) is the state of A conditioned on the event that \(X = x\).

Let \(\Gamma (x_i) \in \mathfrak {D}(\mathcal {H})\) be classical states for integers i such that \(1 \le i \le n\). Then we use the notation \(\Gamma (x_1, x_2, \ldots , x_n) :=\Gamma (x_1) \otimes \Gamma (x_2) \otimes \cdots \otimes \Gamma (x_n)\).

Let \({{\,\mathrm{\mathsf {H}}\,}}\in \mathcal {U}(\mathcal {Q})\) denote the Hadamard operator, which is defined by \(|0\rangle \mapsto \frac{|0\rangle + |1\rangle }{\sqrt{2}}, \quad |1\rangle \mapsto \frac{|0\rangle - |1\rangle }{\sqrt{2}}\). For any strings \(x, \theta \in \{0,1\}^n\), we define \(|x^\theta \rangle = {{\,\mathrm{\mathsf {H}}\,}}^\theta |x\rangle = {{\,\mathrm{\mathsf {H}}\,}}^{\theta _1} |x_1\rangle \otimes {{\,\mathrm{\mathsf {H}}\,}}^{\theta _2} |x_2\rangle \otimes \cdots \otimes {{\,\mathrm{\mathsf {H}}\,}}^{\theta _n} |x_n\rangle \). States of the form \(|x^\theta \rangle \) are here called Wiesner states in recognition of their first use in [35].

We make use of the Einstein-Podolsky-Rosen (EPR) state [10], defined as \(|\text {EPR}\rangle = \frac{1}{\sqrt{2}} (|0\rangle \otimes |0\rangle + |1\rangle \otimes |1\rangle )\).

We use \(x \xleftarrow {\$}X\) to denote sampling an element \(x \in X\) uniformly at random from a set X. This uniform randomness is represented in terms of registers in the fully mixed state which is, given a d-dimensional Hilbert space \(\mathcal {H}\), defined as \(\frac{1}{d} 1_{d}\), where \(1_d\) denotes the identity matrix with d rows.

For two quantum states \(\rho , \sigma \in \mathcal {D}(\mathcal {H})\), we define the trace distance \(\Vert \rho - \sigma \Vert _{{{\,\mathrm{Tr}\,}}} :=\frac{1}{2} \Vert \rho - \sigma \Vert _1\), where \(\Vert A \Vert _1 :={{\,\mathrm{Tr}\,}}\sqrt{A^\dagger A}\) is the trace norm (not the operator norm defined above). Note also an alternative formula for the trace distance: \( \Vert \rho - \sigma \Vert _{{{\,\mathrm{Tr}\,}}} = \max _{P} {{\,\mathrm{Tr}\,}}[P(\rho - \sigma )]\), where the maximum ranges over positive operators P with \(P \le 1_d\). Hence, in terms of a physical interpretation, the trace distance is the largest possible difference between the probabilities, under \(\rho \) and under \(\sigma \), that a measurement outcome P occurs.

We define purified distance, which is a metric on quantum states.

Definition 1

(Purified Distance). Let A be a quantum system. For two (subnormalized) states \(\rho _A, \sigma _A\), we define the generalized fidelity,

$$\begin{aligned} F(\rho _A, \sigma _A) :=\left( {{\,\mathrm{Tr}\,}}\left[ \sqrt{\sqrt{\rho _A} \sigma _A \sqrt{\rho _A}} \right] + \sqrt{1 - {{\,\mathrm{Tr}\,}}[\rho _A]} \sqrt{1 - {{\,\mathrm{Tr}\,}}[\sigma _A]} \right) ^2, \end{aligned}$$
(4)

and the purified distance,

$$\begin{aligned} P(\rho _A, \sigma _A) :=\sqrt{1 - F(\rho _A, \sigma _A)}. \end{aligned}$$
(5)

2.2 Hash Functions and Error Correction

We make use of universal\(_2\) hash functions, first introduced by Carter and Wegman [6].

Definition 2

(Universal\(_2\) Hashing). Let \(\mathfrak {H}= \{H :\mathcal {X}\rightarrow \mathcal {Z}\}\) be a family of functions. We say that \(\mathfrak {H}\) is universal\(_2\) if \(\Pr [H(x) = H(x')] \le \frac{1}{| \mathcal {Z}|}\) for any two distinct elements \(x, x' \in \mathcal {X}\), when H is chosen uniformly at random from \(\mathfrak {H}\).

Such families exist if \(|\mathcal {Z}|\) is a power of two (see [6]). Moreover, there exist universal\(_2\) families of hash functions which take strings of length n as input and which contain \(2^{O(n)}\) hash functions; therefore it takes O(n) bits to specify a hash function from such a family [34]. Thus, when we discuss communication of hash functions, we assume that both the sender and the recipient are aware of the family from which a hash function has been chosen, and that the transmitted data consists of O(n) bits used to specify the hash function from the known family.

In the context of error correction, we note that linear error correcting codes can generate syndromes, and that corrections to a message can be made when given the syndrome of the correct message. This is called syndrome decoding. Therefore, we implicitly refer to syndrome decoding of an \([n, n-s]\)-linear code which handles codewords of length n and generates syndromes of length \(s < n\) when we use functions \(\mathrm {synd}:\{0,1\}^n \rightarrow \{0,1\}^s\) and \(\mathrm {corr}:\{0,1\}^n \times \{0,1\}^s \rightarrow \{0,1\}^n\), where \(\mathrm {synd}\) is a syndrome-generating function and \(\mathrm {corr}\) is a string-correcting function. We also make reference to the distance of an error correcting code, which is the minimum Hamming distance between distinct codewords.
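The two ingredients of this subsection, as an added example that is not part of the paper: an exhaustive check of the universal\(_2\) property (Definition 2) for the binary Toeplitz family, and syndrome decoding with the \([7,4,3]\) Hamming code in the \(\mathrm {synd}/\mathrm {corr}\) form used above, extended block-wise to longer strings. The choice of family and code, and the block-wise extension, are this example's assumptions. In the scheme, \(\mathrm {synd}\) would be applied to \(r|_\mathcal {I}\) and sent under a one-time pad, and the recipient would run \(\mathrm {corr}\) on his noisy measurement outcomes.

```python
"""Added example (not from the paper): (a) exhaustive check of the universal_2
property for the binary Toeplitz hash family; (b) syndrome decoding with the
[7,4,3] Hamming code in the synd/corr form, applied block-wise."""
from itertools import product

def toeplitz_hash(t, x, n):
    """H_t(x) for the n x s Toeplitz matrix over GF(2) with diagonals t (s+n-1 bits)."""
    s = len(x)
    return tuple(sum(t[i - j + s - 1] & x[j] for j in range(s)) & 1 for i in range(n))

def max_collision_probability(s, n):
    """max over x != x' of Pr_t[H_t(x) = H_t(x')] with t uniform over all seeds.
    Definition 2 asks for at most 2^-n.  H_t is linear, so a collision means
    H_t(d) = 0 for the nonzero difference d = x xor x'; for the Toeplitz family
    the n output bits of H_t(d) are independent linear forms in t, so the
    probability is exactly 2^-n."""
    seeds = list(product((0, 1), repeat=s + n - 1))
    worst = 0.0
    for d in product((0, 1), repeat=s):
        if any(d):
            collisions = sum(not any(toeplitz_hash(t, d, n)) for t in seeds)
            worst = max(worst, collisions / len(seeds))
    return worst

# Parity-check matrix of the [7,4,3] Hamming code: column j is the binary
# expansion of j+1, so the syndrome of a single bit flip names its position.
H_PARITY = [[((j + 1) >> b) & 1 for j in range(7)] for b in range(3)]

def synd7(x):
    """3-bit syndrome of a 7-bit string (equal for strings differing by a codeword)."""
    return tuple(sum(h & xi for h, xi in zip(row, x)) & 1 for row in H_PARITY)

def corr7(x_received, s_correct):
    """Flip the single bit explaining synd7(x_received) xor s_correct; recovers
    the correct string whenever it is within Hamming distance 1 of x_received."""
    diff = tuple(a ^ b for a, b in zip(synd7(x_received), s_correct))
    pos = sum(bit << b for b, bit in enumerate(diff))   # 0 means no error
    fixed = list(x_received)
    if pos:
        fixed[pos - 1] ^= 1
    return tuple(fixed)

def synd(x):
    """synd: {0,1}^n -> {0,1}^(3n/7), block-wise (n a multiple of 7)."""
    return tuple(b for i in range(0, len(x), 7) for b in synd7(x[i:i + 7]))

def corr(x_received, s_correct):
    """corr: {0,1}^n x {0,1}^s -> {0,1}^n, correcting up to one flip per block."""
    out = ()
    for i in range(0, len(x_received), 7):
        k = 3 * i // 7
        out += corr7(x_received[i:i + 7], s_correct[k:k + 3])
    return out

if __name__ == "__main__":
    print(max_collision_probability(4, 2))                # 0.25 = 2^-2
    r = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0)        # constructed 14-bit string
    noisy = list(r); noisy[2] ^= 1; noisy[9] ^= 1         # one flip per block
    print(corr(tuple(noisy), synd(r)) == r)               # True
```

The exhaustive check is only feasible for toy sizes (it enumerates all \(2^{s+n-1}\) seeds), but it confirms the bound of Definition 2 with equality; the Hamming code corrects one error per block and fails, as its distance 3 predicts, when a block carries two.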

2.3 Quantum Channels and Measurements

Let A and B be two quantum systems, and let X be a classical register. A quantum channel \(\Phi :A \rightarrow B\) is a completely positive trace-preserving (CPTP) map. A generalized measurement on A is a set of linear operators \(\{M^x _A\}_{x \in \mathcal {X}}\), where \(x \in \mathcal {X}\) are potential classical outcomes, such that

$$\begin{aligned} \sum _{x \in \mathcal {X}} (M_A ^x )^\dagger (M_A ^x) = 1_A. \end{aligned}$$
(6)

A positive-operator valued measure (POVM) on A is a set of Hermitian positive semidefinite operators \(\{M^x _A\}_{x \in \mathcal {X}}\), where \(x \in \mathcal {X}\) are potential classical outcomes, such that

$$\begin{aligned} \sum _{x \in \mathcal {X}} (M_A ^x) = 1_A. \end{aligned}$$
(7)

We also represent measurements with CPTP maps such as \(\mathcal {M}_{A \rightarrow X}\), which map quantum states in system A to classical states in register X using POVMs.

For two registers X and Y, if we have a function, \(f :\mathcal {X}\rightarrow \mathcal {Y}\) then we denote by \(\mathcal {E}_f :X \rightarrow XY\) the CPTP map

$$\begin{aligned} \mathcal {E}_f [\cdot ] :=\sum _{x \in \mathcal {X}} |f(x)\rangle _Y \Gamma (x)_X \cdot \Gamma (x)_X \langle f(x)|_Y. \end{aligned}$$
(8)

In this work, measurement of a qubit in our scheme will always occur in one of two bases: the computational basis (\(\{ |0\rangle , |1\rangle \}\)) or the Hadamard basis \((\{ |+\rangle , |-\rangle \})\). Thus, for a quantum system A, we notate these measurements as \( \{ M_{A} ^{\theta , x} \}_{x \in \{0,1\}}\), where \(x \in \{0,1\}\) ranges over the possible outcomes, and where \(\theta \in \{0,1\}\) determines the basis of measurement (\(\theta = 0\) indicates computational basis and \(\theta = 1\) indicates Hadamard basis).

Let \(\{M^x _A\}_x\) and \(\{N^y _A\}_y\) be two POVMs acting on a quantum system A. We define the overlap

$$\begin{aligned} c(\{M^x _A\}_x, \{N^y _A\}_y) :=\max _{x,y} \left\Vert \sqrt{M^x _A} \sqrt{N^y _A} \right\Vert ^2 _\infty . \end{aligned}$$
(9)

Whenever dealing with an m-qubit quantum system A, we define, for all \(i = 1, \ldots , m\),

$$\begin{aligned} c_i :=c \left( \{M^{0,x} _{A_i}\}_x , \{M^{1,y} _{A_i}\}_y \right) . \end{aligned}$$
(10)

We assume our measurements are ideal, so \(c_i = 1/2\).

2.4 Entropic Uncertainty Relations

The purpose of entropy is to quantify the amount of uncertainty an observer has concerning the outcome of a random variable. Since the uncertainty of random variables can be understood in different ways, there exist different kinds of entropy. Key to our work are min- and max-entropy, first introduced by Renner and König [15, 21], as a generalization of conditional Rényi entropies [22] to the quantum setting. Min-entropy, for instance, quantifies how well the value of a random variable can be guessed: for a classical random variable it is minus the logarithm of the optimal guessing probability, and it is maximal for the uniform distribution.

Definition 3

(Min-entropy). Let A and B be two quantum systems. For any bipartite state \(\rho _{AB}\), we define

$$\begin{aligned} H_{\min } (A \mid B)_\rho :=\sup \{ \xi \in \mathbb {R}\mid \exists ~\text {state}~\sigma _B~\text {such that}~\rho _{AB} \le 2^{-\xi } 1_A \otimes \sigma _B \}. \end{aligned}$$
(11)

Max-entropy quantifies the size of the support of a random variable, and is here defined by its dual relation to min-entropy.

Definition 4

(Max-entropy). Let A and B be two quantum systems. For any bipartite state \(\rho _{AB}\), we define

$$\begin{aligned} H_{\max } (A \mid B)_\rho :=- H_{\min } (A \mid C)_\rho , \end{aligned}$$
(12)

where \(\rho _{ABC}\) is any pure state with \({{\,\mathrm{Tr}\,}}_C [\rho _{ABC}] = \rho _{AB}\), for some quantum system C.

In order to deal with finite-size effects, it is necessary to generalize min- and max-entropy to their smooth variants.

Definition 5

(Smooth Entropies). Let A and B be two quantum systems. For any bipartite state \(\rho _{AB}\), and \(\epsilon \in \left[ 0, \sqrt{{{\,\mathrm{Tr}\,}}[\rho _{AB}]} \right) \), we define

$$\begin{aligned}&H_{\min }^\epsilon (A \mid B)_\rho :=\sup _{\begin{array}{c} \tilde{\rho }_{AB} \\ P(\tilde{\rho }_{AB}, \rho _{AB}) \le \epsilon \end{array}} H_{\min } (A \mid B)_{\tilde{\rho }}, \end{aligned}$$
(13)
$$\begin{aligned}&H_{\max }^\epsilon (A \mid B)_\rho :=\inf _{\begin{array}{c} \tilde{\rho }_{AB} \\ P(\tilde{\rho }_{AB}, \rho _{AB}) \le \epsilon \end{array}} H_{\max } (A \mid B)_{\tilde{\rho }}. \end{aligned}$$
(14)

It is of note that smooth entropies satisfy the following inequality, commonly referred to as the data-processing inequality [28].

Proposition 1

Let \(\epsilon \ge 0\), \(\rho _{AB}\) be a quantum state, and \(\mathcal {E}:\mathcal {D}(\mathcal {H}_A) \rightarrow \mathcal {D}(\mathcal {H}_C)\) be a CPTP map. Define \(\sigma _{AC} :=( 1_{\mathcal {D}(\mathcal {H}_A)} \otimes \mathcal {E}) (\rho _{AB})\). Then,

$$\begin{aligned} H_{\min } ^\epsilon (A \mid B)_\rho \le H_{\min } ^\epsilon (A \mid C)_\sigma \quad \text {and} \quad H_{\max } ^\epsilon (A \mid B )_\rho \le H_{\max } ^\epsilon (A \mid C)_\sigma . \end{aligned}$$
(15)

We use one half of the generalized uncertainty relation theorem found in [27], the precursor of which was introduced by Tomamichel and Renner [31]. The original uncertainty relation was understood in terms of its application to QKD, and was used to prove the secrecy of the key in a finite-key analysis of QKD [30].

Proposition 2

Let \(\epsilon \ge 0\), let \(\rho _{ACE}\) be a tripartite quantum state, let \(\{M^x _A \}_{x \in \mathcal {X}}\) and \(\{N^z _A \}_{z \in \mathcal {Z}}\) be two POVMs acting on A, and let \(\{P^k _A\}_{k \in \mathcal {K}}\) be a projective measurement acting on A. Then the post-measurement states

$$\begin{aligned} \rho _{XKC} = \sum _{x, k} |x\rangle \langle x| \otimes |k\rangle \langle k| \otimes {{\,\mathrm{Tr}\,}}_{AE} \left[ \sqrt{M^x _A} P^k _A \rho _{ACE} P^k _A \sqrt{M^x _A} \right] \end{aligned}$$
(16)

and

$$\begin{aligned} \rho _{YKE} = \sum _{y, k} |y\rangle \langle y| \otimes |k\rangle \langle k| \otimes {{\,\mathrm{Tr}\,}}_{AC} \left[ \sqrt{N^y _A} P^k _A \rho _{ACE} P^k _A \sqrt{N^y _A} \right] \end{aligned}$$
(17)

satisfy

$$\begin{aligned} H^\epsilon _{\min } (X \mid KC)_\rho + H^\epsilon _{\max } (Y \mid KE)_\rho \ge \log \frac{1}{c_\mathcal {K}} \end{aligned}$$
(18)

where \(c_\mathcal {K}= \max _{k,x,y} \left\Vert \sqrt{M^x _A} P^k \sqrt{N^y _A} \right\Vert _\infty \).

We also use the Leftover Hashing Lemma, introduced by Renner [21]. It is typically understood in relation to the privacy amplification step of QKD. We state it in the form given in [29].

Proposition 3

Let \(\epsilon \ge 0\) and \(\sigma _{AX}\) be a classical-quantum state, with X a classical register which takes values on \(\mathcal {X}= \{0,1\}^s\). Let \(\mathfrak {H}\) be a universal\(_2\) family of hash functions from \(\mathcal {X}\) to \(\mathcal {Y}= \{0,1\}^n\). Let \(\chi _Y = \frac{1}{2^n} 1_{\mathcal {D}(\mathcal {Y})}\) be the fully mixed state, \(\rho _{S^H} = \frac{1}{| \mathfrak {H}|} \sum _{H \in \mathfrak {H}} \Gamma (H)_{S^H}\) and \(\zeta _{AYS^H} = {{\,\mathrm{Tr}\,}}_X[\mathcal {E}_f (\sigma _{AX} \otimes \rho _{S^H})]\) for the function \(f :(x,H) \mapsto H(x)\) be the post-hashing state. Then,

$$\begin{aligned} \left\Vert \zeta _{A Y S^H} - \chi _{Y} \otimes \zeta _{A S^H} \right\Vert _{{{\,\mathrm{Tr}\,}}} \le \frac{1}{2}2^{- \frac{1}{2} (H_{\min } ^\epsilon (X \mid A)_\sigma - n)} + 2 \epsilon . \end{aligned}$$
(19)

2.5 Statistical Lemmas

The following lemmas are required to bound a specific max-entropy quantity. They are both proven in [29] as part of a security proof of finite-key QKD, and this line of thinking originated in [30].

The following lemma is a consequence of Serfling’s bound [24].

Lemma 1

Let \(Z_1, \ldots Z_m\) be random variables taking values in \(\{0,1\}\). Let \(m = s + k\). Let \(\mathcal {I}\) be an independent and uniformly chosen subset of [m] with s elements. Then, for \(\nu \in [0,1]\) and \(\delta \in (0,1),\)

$$\begin{aligned} \Pr \left[ \sum _{i \in \mathcal {I}} Z_i \le k \delta \wedge \sum _{i \in \bar{\mathcal {I}}} Z_i \ge s (\delta + \nu ) \right] \le \exp \left( \frac{-2 \nu ^2\,s k^2}{m (k+1)} \right) . \end{aligned}$$
(20)

It will also be useful to condition a quantum state on future events. The following lemma from [29] states that, given a classical-quantum state, there may exist a nearby state on which a certain event does not occur.

Lemma 2

Let \(\rho _{AX}\) be a classical-quantum state with X a classical register, and \(\Omega :\mathcal {X}\rightarrow \{0,1\}\) be an event with \(\Pr [\Omega ]_\rho = \epsilon < {{\,\mathrm{Tr}\,}}[\rho _{AX}]\). Then there exists a classical-quantum state \(\tilde{\rho }_{AX}\) with \(\Pr [\Omega ]_{\tilde{\rho }} = 0\) and \(P(\rho _{AX}, \tilde{\rho }_{AX}) \le \sqrt{\epsilon }\).

2.6 Quantum Encryption and Security

Whenever an adversary \(\mathcal {A}\) is mentioned, it is assumed to be quantum and to have unbounded computational power, and we allow it to perform generalized measurements.

Considering that the scheme introduced in this paper is an encryption scheme with a quantum ciphertext, we rely on the “quantum encryption of classical messages” framework developed by Broadbent and Lord [3]. This framework describes an encryption scheme as a set of parameterized CPTP maps which satisfy certain conditions.

Definition 6

(Quantum Encryption of Classical Messages). Let n be an integer. An n-quantum encryption of classical messages (n-QECM) is a tuple of uniform efficient quantum circuits \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec})\) implementing CPTP maps of the form

  • \(\Phi _\lambda ^\mathsf {key}:\mathcal {D}(\mathbb {C}) \rightarrow \mathcal {D}(\mathcal {H}_{K, \lambda })\),

  • \(\Phi _\lambda ^\mathsf {enc}:\mathcal {D}(\mathcal {H}_{K, \lambda } \otimes \mathcal {H}_{M}) \rightarrow \mathcal {D}(\mathcal {H}_{T, \lambda })\), and

  • \(\Phi _\lambda ^\mathsf {dec}:\mathcal {D}(\mathcal {H}_{K, \lambda } \otimes \mathcal {H}_{T, \lambda }) \rightarrow \mathcal {D}(\mathcal {H}_{M})\),

where \(\mathcal {H}_{M} = \mathcal {Q}(n)\) is the plaintext space, \(\mathcal {H}_{T, \lambda } = \mathcal {Q}(\ell (\lambda ))\) is the ciphertext space, and \(\mathcal {H}_{K, \lambda } = \mathcal {Q}(\kappa (\lambda ))\) is the key space for functions \(\ell , \kappa :\mathbb {N}^+ \rightarrow \mathbb {N}^+\).

For all \(\lambda \in \mathbb {N}^+, k \in \{0,1\}^{\kappa (\lambda )}\), and \(m \in \{0,1\}^n\), the maps must satisfy

$$\begin{aligned} {{\,\mathrm{Tr}\,}}[\Gamma (k) \Phi ^\mathsf {key}(1)] > 0 \Rightarrow {{\,\mathrm{Tr}\,}}[ \Gamma (m) \Phi ^\mathsf {dec}_k \circ \Phi ^\mathsf {enc}_k \Gamma (m)] = 1, \end{aligned}$$
(21)

where \(\lambda \) is implicit, \(\Phi _k ^\mathsf {enc}\) is the CPTP map defined by \(\rho \mapsto \Phi ^\mathsf {enc}(\Gamma (k) \otimes \rho )\), and we define \(\Phi ^\mathsf {dec}_k\) analogously. We also define the CPTP map \(\Phi ^\mathsf {enc}_{k,0} :\mathcal {D}(\mathcal {H}_{M}) \rightarrow \mathcal {D}(\mathcal {H}_{T, \lambda })\) by

$$\begin{aligned} \rho \mapsto \Phi ^\mathsf {enc}_{k} (\Gamma (\mathbf{0})) \end{aligned}$$
(22)

where \(\varvec{0} \in \{0,1\}^n\) is the all-zero bit string, and the CPTP map \(\Phi ^\mathsf {enc}_{k,1} :\mathcal {D}(\mathcal {H}_{M}) \rightarrow \mathcal {D}(\mathcal {H}_{T, \lambda })\) by

$$\begin{aligned} \rho \mapsto \sum _{m \in \{0, 1\}^n} {{\,\mathrm{Tr}\,}}[\Gamma (m) \rho ] \cdot \Phi ^\mathsf {enc}_k (\Gamma (m)). \end{aligned}$$
(23)

As part of the security of our scheme, we wish to ensure that should an adversary obtain a copy of the ciphertext and were to know that the original message is one of two hypotheses, she would not be able to distinguish between the hypotheses. We refer to this notion of security as ciphertext indistinguishability (called indistinguishable security in [3]). It is best understood in terms of a scheme’s resilience to an adversary performing what we refer to as a distinguishing attack.

Definition 7

(Distinguishing Attack). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec})\) be an n-QECM. A distinguishing attack is a quantum adversary \(\mathcal {A}= (\mathcal {A}_0, \mathcal {A}_1)\) implementing CPTP maps of the form

  • \(\mathcal {A}_{0, \lambda } :\mathcal {D}(\mathbb {C}) \rightarrow \mathcal {D}(\mathcal {H}_{M} \otimes \mathcal {H}_{S, \lambda })\) and

  • \(\mathcal {A}_{1, \lambda } :\mathcal {D}(\mathcal {H}_{T, \lambda } \otimes \mathcal {H}_{S, \lambda }) \rightarrow \mathcal {D}(\mathcal {Q})\)

where \(\mathcal {H}_{S, \lambda } = \mathcal {Q}(s(\lambda ))\) for a function \(s :\mathbb {N}^+ \rightarrow \mathbb {N}^+\).

Definition 8

(Ciphertext Indistinguishability). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec})\) be an n-QECM. Then we say that \(\mathcal {S}\) has ciphertext indistinguishability if for all distinguishing attacks \(\mathcal {A}\) there exists a negligible function \(\eta \) such that

$$\begin{aligned} \mathop {\mathbb {E}}_b \mathop {\mathbb {E}}_{k \leftarrow \mathcal {K}} {{\,\mathrm{Tr}\,}}[\Gamma (b) \mathcal {A}_{1, \lambda } \circ (\Phi ^\mathsf {enc}_{k,b} \otimes \mathbbm {1}_S ) \circ \mathcal {A}_{0, \lambda }(1)] \le \frac{1}{2} + \eta (\lambda ) \end{aligned}$$
(24)

where \(\lambda \) is implicit on the left-hand side, \(b \in \{0,1 \}\), and \(\mathcal {K}_{\lambda }\) is the random variable distributed on \(\{0,1\}^{\kappa (\lambda )}\) such that

$$\begin{aligned} \Pr [\mathcal {K}_\lambda = k] = {{\,\mathrm{Tr}\,}}[\Gamma (k) \Phi ^\mathsf {key}_\lambda (1)]. \end{aligned}$$
(25)

3 Security Definitions

In this section, we introduce a new description of the certified deletion security notion. First, however, we must augment our QECM framework to allow it to detect errors on decryption.

Definition 9

(Augmented Quantum Encryption of Classical Messages). Let n be an integer. Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec})\) be an n-QECM. An n-augmented quantum encryption of classical messages (n-AQECM) is a tuple of uniform efficient quantum circuits \(\hat{\mathcal {S}} = (\mathsf {key}, \mathsf {enc}, \widehat{\mathsf {dec}})\), where \(\widehat{\mathsf {dec}}\) implements a CPTP map of the form

$$\begin{aligned} \Phi _{\lambda } ^{\widehat{\mathsf {dec}}} :\mathcal {D}(\mathcal {H}_{K, \lambda } \otimes \mathcal {H}_{T, \lambda }) \rightarrow \mathcal {D}( \mathcal {H}_M \otimes \mathcal {Q}). \end{aligned}$$
(26)

For all \(\lambda \in \mathbb {N}^+, k \in \{0,1\}^{\kappa (\lambda )}\), and \(m \in \{0,1\}^n\), the maps corresponding to the circuits must satisfy

$$\begin{aligned} {{\,\mathrm{Tr}\,}}[\Gamma (k) \Phi ^\mathsf {key}(1)] > 0 \Rightarrow {{\,\mathrm{Tr}\,}}[ \Gamma (m) \otimes \Gamma (1) \Phi ^{\widehat{\mathsf {dec}}} _k \circ \Phi ^\mathsf {enc}_k \Gamma (m)] = 1, \end{aligned}$$
(27)

where \(\lambda \) is implicit, \(\Phi _k ^\mathsf {enc}\) is the CPTP map defined by \(\rho \mapsto \Phi ^\mathsf {enc}(\Gamma (k) \otimes \rho )\), and we define \(\Phi ^\mathsf {dec}_k\) analogously.

The extra qubit (which will be referred to as a flag), though by itself without any apparent use, may serve as a way to indicate that the decryption process did not proceed as expected in any given run. In the case of decryption without error, the circuit should output \(\Gamma (1)\), and in the case of decryption error, the circuit should output \(\Gamma (0)\). This allows us to define a criterion by which an AQECM might be robust against a certain amount of noise.

Since the original QECM framework is not used in the rest of this paper, all further references to the QECM framework are henceforth references to the AQECM framework.

Definition 10

(Robust Quantum Encryption of Classical Messages). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec})\) be an n-QECM. We say that \(\mathcal {S}\) is \(\epsilon \)-robust if, for all adversaries \(\mathcal {A}\) implementing CPTP maps of the form

$$\begin{aligned} \mathcal {A}:\mathcal {D}( \mathcal {H}_{T, \lambda } ) \rightarrow \mathcal {D}( \mathcal {H}_{T, \lambda } ), \end{aligned}$$
(28)

and for two distinct messages \(m, m' \in \mathcal {H}_M\), we have that

$$\begin{aligned} \mathop {\mathbb {E}}_{k \leftarrow \mathcal {K}} {{\,\mathrm{Tr}\,}}[\Gamma (m') \otimes \Gamma (1) \Phi _k ^\mathsf {dec}\circ \mathcal {A}\circ \Phi _k ^\mathsf {enc}\Gamma (m)] \le \epsilon . \end{aligned}$$
(29)

In other words, a QECM is \(\epsilon \)-robust if, under interference by an adversary, the probability of the event that decryption yields a different message than was encrypted and that the decryption circuit nonetheless approves of the outcome is at most \(\epsilon \). This is functionally equivalent to a one-time quantum authentication scheme, where messages are classical (see e.g. [1, 9, 13]).

Our description takes the form of an augmentation of the QECM framework described in Definition 9. Given a QECM with key k and encrypting message m, the certified deletion property should guarantee that the recipient, Bob, cannot do the following two things simultaneously: (1) Make Alice, the sender, accept his certificate of deletion; and (2) Given k, recover information about m.

Definition 11

(Certified Deletion Encryption). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec})\) be an n-QECM. Let \(\mathsf {del}\) and \(\mathsf {ver}\) be efficient quantum circuits implemented by CPTP maps of the form

  • \(\Phi ^\mathsf {del}_{\lambda } :\mathcal {D}(\mathcal {H}_{T, \lambda }) \rightarrow \mathcal {D}(\mathcal {H}_{D, \lambda })\)

  • \(\Phi ^\mathsf {ver}_{\lambda } :\mathcal {D}(\mathcal {H}_{K, \lambda } \otimes \mathcal {H}_{D, \lambda }) \rightarrow \mathcal {D}(\mathcal {Q})\)

where \(\mathcal {H}_{D, \lambda } = \mathcal {Q}(d(\lambda ))\) for a function \(d :\mathbb {N}^+ \rightarrow \mathbb {N}^+\).

For all \(\lambda \in \mathbb {N}^+\), \(k \in \{0,1\}^{\kappa (\lambda )}\), and \(m \in \{0,1\}^n\), the maps must satisfy

$$\begin{aligned} {{\,\mathrm{Tr}\,}}[\Gamma (k) \Phi ^{\mathsf {key}}(1)] > 0 \implies {{\,\mathrm{Tr}\,}}[\Gamma (1) \Phi ^\mathsf {ver}\circ \left( \Gamma (k) \otimes \left( \Phi ^\mathsf {del}\circ \Phi ^\mathsf {enc}_k \Gamma (m) \right) \right) ] = 1 \end{aligned}$$
(30)

where \(\lambda \) is implicit.

We call the tuple \(\mathcal {S}' = (\mathsf {key}, \mathsf {enc}, \mathsf {dec}, \mathsf {del}, \mathsf {ver})\) an n-certified deletion encryption (n-CDE).

Definition 12

(Certified Deletion Attack). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec}, \mathsf {del}, \mathsf {ver})\) be an n-CDE. A certified deletion attack is a quantum adversary \(\mathcal {A}= (\mathcal {A}_0, \mathcal {A}_1, \mathcal {A}_2)\) implementing CPTP maps of the form

  • \(\mathcal {A}_{0, \lambda } :\mathcal {D}(\mathbb {C}) \rightarrow \mathcal {D}(\mathcal {H}_{M} \otimes \mathcal {H}_{S, \lambda })\),

  • \(\mathcal {A}_{1, \lambda } :\mathcal {D}(\mathcal {H}_{T, \lambda } \otimes \mathcal {H}_{S, \lambda }) \rightarrow \mathcal {D}(\mathcal {H}_{D, \lambda } \otimes \mathcal {H}_{S, \lambda } \otimes \mathcal {H}_{T', \lambda })\), and

  • \(\mathcal {A}_{2, \lambda } :\mathcal {D}(\mathcal {H}_{K, \lambda } \otimes \mathcal {H}_{S, \lambda } \otimes \mathcal {H}_{T', \lambda }) \rightarrow \mathcal {D}(\mathcal {Q})\)

where \(\mathcal {H}_{S, \lambda } = \mathcal {Q}(s(\lambda ))\) and \(\mathcal {H}_{T', \lambda } = \mathcal {Q}(\ell '(\lambda ))\) for functions \(s, \ell ' :\mathbb {N}^+ \rightarrow \mathbb {N}^+\).

We are now ready to define our notion of certified deletion security. We refer the reader to Sect. 1.1 for an informal explanation of the definition, and we recall that the notation \(\Phi ^\mathsf {enc}_{k,b}\) is defined in Eq. (22).

Definition 13

(Certified Deletion Security). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec}, \mathsf {del},\) \(\mathsf {ver})\) be an n-CDE. For any fixed and implicit \(\lambda \in \mathbb {N}^+\), we define the CPTP map \(\Phi ^\mathsf {ver}_{k} :\mathcal {D}(\mathcal {H}_{K, \lambda } \otimes \mathcal {H}_{D, \lambda }) \rightarrow \mathcal {D}(\mathcal {Q}\otimes \mathcal {H}_{K, \lambda })\) by

$$\begin{aligned} \rho \mapsto \Phi ^\mathsf {ver}(\Gamma (k) \otimes \rho ) \otimes \Gamma (k). \end{aligned}$$
(31)

Let \(b \in \{0,1\}\), let \(\mathcal {A}\) be a certified deletion attack, and let

$$\begin{aligned} p_b = \mathop {\mathbb {E}}_{k \leftarrow \mathcal {K}} {{\,\mathrm{Tr}\,}}[(\Gamma (1, 1)) (\mathbbm {1} \otimes \mathcal {A}_{2}) \circ (\Phi ^\mathsf {ver}_k \otimes \mathbbm {1}_{ST'}) \circ \mathcal {A}_{1} \circ (\Phi ^\mathsf {enc}_{k,b} \otimes \mathbbm {1}_S ) \circ \mathcal {A}_{0} (1)], \end{aligned}$$
(32)

where \(\lambda \) is implicit, and where \(\mathcal {K}_{\lambda }\) is the random variable distributed on \(\{0,1\}^{\kappa (\lambda )}\) such that

$$\begin{aligned} \Pr [\mathcal {K}_\lambda = k] = {{\,\mathrm{Tr}\,}}[\Gamma (k) \Phi ^\mathsf {key}_\lambda (1)]. \end{aligned}$$
(33)

Then we say that \(\mathcal {S}\) is \(\eta \)-certified deletion secure if, for all certified deletion attacks \(\mathcal {A}\), there exists a negligible function \(\eta \) such that

$$\begin{aligned} |p_0 - p_1| \le \eta (\lambda ). \end{aligned}$$
(34)

4 Constructing an Encryption Scheme with Certified Deletion

Scheme 1 aims to exhibit a noise-tolerant prepare-and-measure n-CDE with ciphertext indistinguishability and certified deletion security.

Table 1. Overview of nomenclature used in Sect. 4 and Sect. 5

Scheme 1

(Prepare-and-Measure Certified Deletion) Let \(n, \lambda , \tau , \mu , m = s + k\) be integers. Let \(\Theta = \{ \theta \in \{0,1\}^m \mid \omega (\theta ) = k \}\). Let both \(\mathfrak {H}_{\text {ec}} :=\{ h :\{ 0,1 \}^s \rightarrow \{ 0,1 \}^\tau \}\) and \(\mathfrak {H}_{\text {pa}} :=\{ h :\{ 0, 1 \}^s \rightarrow \{0, 1\}^n \}\) be universal\(_2\) families of hash functions. Let \(\mathrm {synd}:\{0,1\}^n \rightarrow \{0,1\}^\mu \) be an error syndrome function, let \(\mathrm {corr}:\{0,1\}^n \times \{0,1\}^\mu \rightarrow \{0,1\}^n\) be the corresponding function used to calculate the corrected string, and let \(\delta \in [0,1]\) be a tolerated error rate for verification. We define a noise-tolerant prepare-and-measure n-CDE by Circuits 1–5. This scheme satisfies both Eq. (21) and Eq. (30). It is therefore an n-CDE.

5 Security Analysis

In this section, we present the security analysis for Scheme 1: in Sect. 5.1, we show the security of the scheme in terms of an encryption scheme, then, in Sect. 5.2, we show that the scheme is correct and robust. Finally, in Sect. 5.3, we show that the scheme is a certified deletion scheme.

[Circuits 1–5 of Scheme 1 (figures a–e) are not reproduced here.]

5.1 Ciphertext Indistinguishability

In considering whether Scheme 1 has ciphertext indistinguishability (Definition 8), one need only verify that an adversary, given a ciphertext, would not be able to discern whether a known message was encrypted.

Theorem 1

Scheme 1 has ciphertext indistinguishability.

Proof

For any distinguishing attack \(\mathcal {A}= (\mathcal {A}_0, \mathcal {A}_1)\), any state \(\rho = \rho _S \otimes \Gamma (\mathsf {msg}) \in \mathcal {D}(\mathcal {H}_S \otimes \mathcal {Q}(n))\), and where \(k = (r|_{\bar{\mathcal {I}}}, \theta , u, d, e, H_\text {pa}, H_\text {ec}) \in \{ 0,1 \}^{k + m + n + \mu + \tau } \times \mathfrak {H}_\text {pa}\times \mathfrak {H}_\text {ec}\) is a key, we have that

$$\begin{aligned} \mathop {\mathbb {E}}_k \left( \mathbbm {1}_S \otimes \Phi ^\mathsf {enc}_{k,1} \right) (\rho )&= \frac{1}{2^{m + n + \mu + \tau } |\mathfrak {H}_\text {pa}| |\mathfrak {H}_\text {ec}|} \sum _{k} \rho _S \otimes \Gamma (r^\theta ) \otimes \Gamma (\mathsf {msg}\oplus x \oplus u, p, q) \\&= \frac{1}{2^{m + n + \mu + \tau } |\mathfrak {H}_\text {pa}| |\mathfrak {H}_\text {ec}|} \sum _{k} \rho _S \otimes \Gamma (r^\theta ) \otimes \Gamma (x \oplus u, p, q) \\&= \mathop {\mathbb {E}}_k \left( \mathbbm {1}_S \otimes \Phi ^\mathsf {enc}_{k,0} \right) (\rho ), \end{aligned}$$

where the second equality is due to the uniform distribution of both \(\mathsf {msg}\oplus x \oplus u\) and u. Therefore, an adversary can do no better than guess b correctly half of the time in a distinguishing attack. This implies perfect ciphertext indistinguishability with \(\eta = 0\). \(\square \)

5.2 Correctness

Thanks to the syndrome and correction functions included in the scheme, the decryption circuit is robust against a certain amount of noise; that is, below such a level of noise, the decryption circuit outputs Alice’s original message with high probability. This noise threshold is determined by the distance of the linear code used. In particular, where \(\Delta \) is the distance of the code, decryption should proceed normally as long as fewer than \(\lfloor \frac{\Delta - 1}{2} \rfloor \) errors occur to the quantum encoding of \(r|_\mathcal {I}\) during transmission through the quantum channel.

To account for greater levels of noise (such as may occur in the presence of an adversary), we show that the error correction measures implemented in Scheme 1 ensure that errors in decryption are detected with high probability. In other words, we show that the scheme is \(\epsilon _\text {rob}\)-robust, where \(\epsilon _\text {rob}:=\frac{1}{2^\tau }\).

Recall that \(\tau \) is the length of the error correction hash, and that \(\mu \) is the length of the error correction syndrome. Consider that Bob has received a ciphertext state \(\rho _B \otimes \Gamma (c,p,q) \in \mathcal {D}(\mathcal {Q}(m + n + \mu + \tau ))\) and a key \((r|_{\bar{\mathcal {I}}}, \theta , u, d, e, H_\text {pa}, H_\text {ec}) \in \Theta \times \{0,1\}^{n + \mu + \tau } \times \mathfrak {H}_\text {pa}\times \mathfrak {H}_\text {ec}\). Given \(\theta \), Bob learns \(\mathcal {I}\). This allows him to perform the following measurement on \(\rho _B\):

$$\begin{aligned} \mathcal {M}_{B \rightarrow Y} ^\mathcal {I}(\cdot ) = \sum _{y \in \{0,1\}^s} |y\rangle _Y \left( M_{B_\mathcal {I}} ^{0, y} \right) \cdot \left( M_{B_\mathcal {I}} ^{0, y} \right) ^\dagger \langle y|_Y \end{aligned}$$
(35)

The new register Y contains a hypothesis of the random string Alice used in generating c. Since \(\rho _B\) was necessarily transmitted through a quantum channel, it may have been altered due to noise. Bob calculates a corrected estimate: \(\hat{x} = \mathrm {corr}(y, q \oplus e)\). Finally, he compares a hash of the estimate with \(p \oplus d\), which is the hash of Alice’s corresponding randomness. This procedure is represented by a function \(\text {ec}:\{0,1\}^s \times \{0,1\}^\mu \times \mathfrak {H}_\text {ec}\rightarrow \{0,1\}\) defined by

$$\begin{aligned} \text {ec}(x,y) = {\left\{ \begin{array}{ll} 0 \quad &{}\text {if}~H_\text {ec}(x) \ne y\\ 1 \quad &{}\text {else.} \end{array}\right. } \end{aligned}$$
(36)

To record the value of this test, we use a flag \(F^\text {ec}:=\text {ec}(\hat{x}, p \oplus d)\). It is very unlikely that both \(F^\text {ec}= 1\) and the outcome of Bob’s decryption procedure is not equal to Alice’s originally intended message. This is shown in the following proposition, the proof of which follows that of an analogous theorem in [29].

Theorem 2

If \(r|_{\mathcal {I}} \in \{0,1\}^s\) is the random string Alice samples in encryption, and \(\hat{x} = \mathrm {corr}(y, q \oplus e)\), then

$$\begin{aligned} \Pr [H_\text {pa}(r|_\mathcal {I}) \ne H_\text {pa}(\hat{x}) \wedge F^\text {ec}= 1] \le \frac{1}{2^\tau }. \end{aligned}$$
(37)

Proof

$$\begin{aligned}&\begin{aligned}&\Pr [H_\text {pa}(r|_\mathcal {I}) \ne H_\text {pa}(\hat{x}) \wedge F^\text {ec}= 1]\\&\qquad = \Pr [H_\text {pa}(r|_\mathcal {I}) \ne H_\text {pa}(\hat{x}) \wedge H_\text {ec}(p \oplus d) = H_\text {ec}(\hat{x})] \end{aligned} \end{aligned}$$
(38)
$$\begin{aligned}&\qquad = \Pr [H_\text {pa}(r|_\mathcal {I}) \ne H_\text {pa}(\hat{x}) \wedge H_\text {ec}(r|_\mathcal {I}) = H_\text {ec}(\hat{x})] \end{aligned}$$
(39)
$$\begin{aligned}&\qquad \le \Pr [r|_\mathcal {I}\ne \hat{x} \wedge H_\text {ec}(r|_\mathcal {I}) = H_\text {ec}(\hat{x})] \end{aligned}$$
(40)
$$\begin{aligned}&\qquad = \Pr [r|_\mathcal {I}\ne \hat{x}] \Pr [H_\text {ec}(r|_\mathcal {I}) = H_\text {ec}(\hat{x})] \end{aligned}$$
(41)
$$\begin{aligned}&\qquad \le \Pr [H_\text {ec}(r|_\mathcal {I}) = H_\text {ec}(\hat{x}) \mid r|_\mathcal {I}\ne \hat{x}] \end{aligned}$$
(42)
$$\begin{aligned}&\qquad \le \frac{1}{ \Vert \mathfrak {H}_\text {ec}\Vert } = \frac{1}{2^\tau }. \end{aligned}$$
(43)

\(\square \)
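The following is added here as an example and is not the paper's code: a classical simulation of Scheme 1 end to end (key generation, encryption, decryption with the flag \(F^\text {ec}\) of this section, deletion and verification) that also exercises the noise tolerance just discussed. The concrete parameters \(s = 28\), \(k = 14\), \(n = \tau = 8\), \(\delta = 0.2\), the linear hash families, and the Hamming [7,4] code standing in for \(\mathrm {synd}\)/\(\mathrm {corr}\) are our own assumptions.

```python
import random
from functools import reduce

# Added example, not the paper's code: an exact classical simulation of Scheme 1.
# Honest parties only prepare BB84 states and perform single-qubit measurements, and
# channel noise is modelled by single-qubit Paulis; all are stabilizer operations, so a
# qubit is stored as [bit, basis]. Parameters, hash families and the code are our choices.

S, K = 28, 14                # s = |I| (computational-basis positions), k = |I-bar|
M = S + K                    # m = s + k qubits per ciphertext
N, TAU, DELTA = 8, 8, 0.2    # message bits n, ec-hash bits tau, tolerated error rate

def bits(rng, n):
    return [rng.randrange(2) for _ in range(n)]

def measure(qubit, basis, rng):
    """Born rule for BB84 states; collapses `qubit` (a 2-element list)."""
    bit, prep = qubit
    out = bit if prep == basis else rng.randrange(2)
    qubit[:] = [out, basis]
    return out

def pauli(qubit, gate):
    """X flips a computational-basis qubit, Z flips a Hadamard-basis one."""
    if (gate == "X") == (qubit[1] == 0):
        qubit[0] ^= 1

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def lin_hash(mat, x):
    """x . mat over GF(2); the family of all s-by-t binary matrices is universal_2."""
    return [sum(xi & mi for xi, mi in zip(x, col)) & 1 for col in mat]

def synd(x):
    """Hamming [7,4] syndrome per block: XOR of the 1-based positions holding a 1."""
    return [reduce(int.__xor__, (i for i, b in enumerate(x[j:j + 7], 1) if b), 0)
            for j in range(0, len(x), 7)]

def corr(y, q):
    """Undo up to one flip per block of y, given the syndrome q of the original."""
    y = list(y)
    for blk, (sy, sq) in enumerate(zip(synd(y), q)):
        if sy ^ sq:                   # synd is linear: sy ^ sq is the error position
            y[7 * blk + (sy ^ sq) - 1] ^= 1
    return y

def keygen(rng):
    theta = [1] * K + [0] * S
    rng.shuffle(theta)               # uniform theta of Hamming weight k
    return {"theta": theta, "r_bar": bits(rng, K), "u": bits(rng, N), "d": bits(rng, TAU),
            "e": [rng.randrange(8) for _ in range(S // 7)],   # one-time pad for q
            "H_pa": [bits(rng, S) for _ in range(N)], "H_ec": [bits(rng, S) for _ in range(TAU)]}

def enc(key, msg, rng):
    r_I = bits(rng, S)                                         # fresh r|_I
    it_I, it_bar = iter(r_I), iter(key["r_bar"])
    r = [next(it_bar) if t else next(it_I) for t in key["theta"]]
    qubits = [[r[i], key["theta"][i]] for i in range(M)]      # r^theta
    c = xor(xor(msg, lin_hash(key["H_pa"], r_I)), key["u"])  # msg + x + u
    p = xor(lin_hash(key["H_ec"], r_I), key["d"])
    q = [a ^ b for a, b in zip(synd(r_I), key["e"])]
    return qubits, c, p, q

def dec(key, ct, rng):
    qubits, c, p, q = ct
    y = [measure(qubits[i], 0, rng) for i in range(M) if key["theta"][i] == 0]
    x_hat = corr(y, [a ^ b for a, b in zip(q, key["e"])])
    flag = int(lin_hash(key["H_ec"], x_hat) == xor(p, key["d"]))   # F^ec
    return xor(xor(c, lin_hash(key["H_pa"], x_hat)), key["u"]), flag

def delete(ct, rng):
    """Deletion certificate: every ciphertext qubit measured in the Hadamard basis."""
    return [measure(qb, 1, rng) for qb in ct[0]]

def ver(key, y):
    """Accept iff the outcomes on I-bar differ from r|_{I-bar} in fewer than k*delta places."""
    y_bar = [y[i] for i in range(M) if key["theta"][i] == 1]
    return int(sum(xor(y_bar, key["r_bar"])) < K * DELTA)

def run_demo(seed=7):
    rng = random.Random(seed)
    key, msg = keygen(rng), bits(rng, N)
    out = {"honest": dec(key, enc(key, msg, rng), rng) == (msg, 1)}
    ct = enc(key, msg, rng)                    # honest deletion is accepted; afterwards the
    out["verify"] = ver(key, delete(ct, rng))  # I qubits are random, so the key is useless
    m2, f2 = dec(key, ct, rng)
    out["lost"] = m2 != msg or f2 == 0
    ct = enc(key, msg, rng)                    # one X flip per block of I is corrected
    i_pos = [i for i in range(M) if key["theta"][i] == 0]
    for blk in range(S // 7):
        pauli(ct[0][i_pos[7 * blk + rng.randrange(7)]], "X")
    out["noisy_dec"] = dec(key, ct, rng) == (msg, 1)
    bar_pos = [i for i in range(M) if key["theta"][i] == 1]
    for errors in (2, 3):                      # Z flips on I-bar: 2 < k*delta = 2.8, 3 is not
        ct = enc(key, msg, rng)
        for i in bar_pos[:errors]:
            pauli(ct[0][i], "Z")
        out[f"verify_{errors}_errors"] = ver(key, delete(ct, rng))
    return out
```

`run_demo()` returns a dictionary of outcomes: honest decryption and honest deletion both succeed, decryption after deletion fails, one corrected error per block is tolerated, and verification rejects once the Hadamard-basis errors reach \(k\delta\).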

5.3 Certified Deletion Security

We now prove certified deletion security of Scheme 1. Our technique consists in formalizing a game (Game 1) that corresponds to the security definition (Definition 13) applied to Scheme 1. Next, we develop an entanglement-based sequence of interactions (Game 2) which accomplishes the same task as the previous Game. We analyze this game and, afterwards, we show formally that the aforementioned analysis, via its relation to Game 1, implies the certified deletion security of Scheme 1. To begin, we describe a game which exhibits a certified deletion attack on Scheme 1, and which thus allows us to examine whether the scheme has certified deletion security. In what follows, the challenger represents the party who would normally encrypt and send the message (Alice), and the adversary \(\mathcal {A}\) represents the recipient (Bob). The adversary sends the challenger a candidate message \(\mathsf {msg}_0 \in \{0,1\}^n\) and Alice chooses, with uniform randomness, whether to encrypt \(0^n\) or \(\mathsf {msg}_0\); security holds if, for any adversary, the probabilities of the following two events are negligibly close:

  • verification passes and Bob outputs 1, in the case that Alice encrypted \(0^n\);

  • verification passes and Bob outputs 1, in the case that Alice encrypted \(\mathsf {msg}_0\).

Game 1

(Prepare-and-Measure Game). Let \(\mathcal {S}= (\mathsf {key}, \mathsf {enc}, \mathsf {dec}, \mathsf {del}, \mathsf {ver})\) be an n-CDE with \(\lambda \) implicit, and with circuits defined as in Scheme 1. Let \(\mathcal {A}= (\mathcal {A}_0, \mathcal {A}_1, \mathcal {A}_2)\) be a certified deletion attack. The game is parametric in \(b \xleftarrow {\$}\{0,1\}\) and is called Game 1(b).

  1.

    Run \(\Gamma (\mathsf {msg}_0)_M \otimes \rho _S \leftarrow \mathcal {A}_0 (1)\). Generate

    $$\begin{aligned} \Gamma (\theta , u, d, e, H_{\text {pa}}, H_{\text {ec}}, r|_{\bar{\mathcal {I}}})_K \leftarrow \Phi ^\mathsf {key}. \end{aligned}$$
    (44)

    Denote

    $$\begin{aligned} \mathsf {msg}:={\left\{ \begin{array}{ll} 0^n \quad &{}\text {if}~b = 0\\ \mathsf {msg}_0 \quad &{}\text {if}~b = 1. \end{array}\right. } \end{aligned}$$
    (45)

    Compute

    $$\begin{aligned} \begin{aligned} \Gamma (r^\theta )_T&\otimes \Gamma (\mathsf {msg}\oplus x \oplus u, p, q)_T \\&\leftarrow \Phi ^\mathsf {enc}(\Gamma (\theta , u, d, e, H_{\text {pa}}, H_{\text {ec}}, r|_{\bar{\mathcal {I}}})_K \otimes \Gamma (\mathsf {msg})_M). \end{aligned} \end{aligned}$$
    (46)
  2.

    Run

    $$\begin{aligned} \Gamma (y)_D&\otimes \rho '_S \otimes \rho _{T'} \leftarrow \mathcal {A}_1 (\Gamma (r^\theta )_T \otimes \Gamma (\mathsf {msg}\oplus x \oplus u, p, q)_T \otimes \rho _S). \end{aligned}$$
    (47)

    Compute

    $$\begin{aligned} \Gamma (ok) \leftarrow \Phi ^\mathsf {ver}(\Gamma (\theta , u, d, e, H_{\text {pa}}, H_{\text {ec}}, r|_{\bar{\mathcal {I}}})_K \otimes \Gamma (y)_D). \end{aligned}$$
    (48)
  3.

    If \(ok = 1\), run

    $$\begin{aligned} \Gamma (b') \leftarrow \mathcal {A}_2 (\Gamma (r|_{\bar{\mathcal {I}}}, \theta , u, d, e, H_{\text {pa}}, H_{\text {ec}})_{K'} \otimes \rho '_S \otimes \rho _{T'}); \end{aligned}$$
    (49)

    else, \(b' :=0\).

Let \(p_b\) be the probability that the output of Game 1(b) is 1. Comparing Game 1 with Definition 13, we note that the former runs the adversary to the end only in the case that \(ok = 1\), while the latter runs the adversary to the end in both cases. However, the obtained distribution for \(p_b\) is the same, since in Game 1 the output is 1 exactly when the adversary outputs 1 and \(ok = 1\). Hence we wish to bound \(|p_0 - p_1|\) in Game 1. Instead of directly analyzing Game 1, we analyze a game wherein the parties use entanglement; this allows us to express the game in a format that is conducive to the analysis that follows.

Game 2

(EPR Game). Alice is the sender, and Bob is the recipient and adversary. The game is parametric in \(b \xleftarrow {\$}\{0,1\}\) and is called Game 2(b).

  1.

    Bob selects a string \(\mathsf {msg}_0 \in \{0,1\}^n\) and sends \(\mathsf {msg}_0\) to Alice. Bob prepares a tripartite state \(\rho _{ABB'} \in \mathcal {D}(\mathcal {Q}(3m))\) where each system contains m qubits. Bob sends the A system to Alice and keeps the systems B and \(B'\). Bob measures the B system in the Hadamard basis and obtains a string \(y \in \{0,1\}^m\). Bob sends y to Alice.

  2.

    Alice samples \(\theta \xleftarrow {\$}\Theta \), \(u \xleftarrow {\$}\{0,1\}^n\), \(d \xleftarrow {\$}\{0,1\}^\mu \), \(e \xleftarrow {\$}\{0,1\}^\tau \), \(H_{\text {pa}} \xleftarrow {\$}\mathfrak {H}_\text {pa}\), and \(H_\text {ec}\xleftarrow {\$}\mathfrak {H}_\text {ec}\). She applies a CPTP map to system A which measures \(A_i\) according to the computational basis if \(\theta _i = 0\) and the Hadamard basis if \(\theta _i = 1\). Call the result r. Let \(\mathcal {I}= \{i \in [m] \mid \theta _i = 0\}\). Alice computes \(x = H_\text {pa}(r|_\mathcal {I}), p = H_\text {ec}(r|_\mathcal {I}) \oplus d,\) and \(q = \mathrm {synd}(r|_\mathcal {I}) \oplus e\). Alice selects a message:

    $$\begin{aligned} \mathsf {msg}:={\left\{ \begin{array}{ll} 0^n \quad &{}\text {if}~b = 0\\ \mathsf {msg}_0 \quad &{}\text {if}~b = 1. \end{array}\right. } \end{aligned}$$
    (50)

    If \(\omega ( y \oplus r|_{\bar{\mathcal {I}}} ) < k \delta \), \(ok :=1\) and Alice sends

    $$\begin{aligned} (\mathsf {msg}\oplus x \oplus u, r|_{\bar{\mathcal {I}}}, \theta , u, d, e, p, q, H_\text {pa}, H_\text {ec})\end{aligned}$$
    (51)

    to Bob. Else, \(ok :=0\) and \(b :=0\).

  3.

    If \(ok = 1\), Bob computes

    $$\begin{aligned} \begin{aligned}&\Gamma (b') \leftarrow \mathcal {E}(\rho _{B'} \otimes \\ {}&\Gamma (\mathsf {msg}\oplus x \oplus u, \mathsf {msg}_0, r_{\bar{\mathcal {I}}}, \theta , u, d, e, p, q, H_\text {pa}, H_\text {ec})) \end{aligned} \end{aligned}$$
    (52)

    for some CPTP map \(\mathcal {E}\); else \(b' :=0\).

Game 2 is intended to model a purified version of Game 1. Note that Bob’s measurement of B in the Hadamard basis is meant to mimic the \(\mathsf {del}\) circuit of Scheme 1. Although it may seem strange that we impose a limitation of measurement basis on Bob here, it is in fact no limitation at all; indeed, since Bob prepares \(\rho _{ABB'}\), he is in total control of the state that gets measured, and hence may assume an arbitrary degree of control over the measurement outcome. Therefore, the assumption that he measures in the Hadamard basis is made without loss of generality.

It may also appear that the adversary in Game 1 has more information when producing the deletion string than Bob in Game 2. This, however, is not true, as the adversary in Game 1 has only received information from Alice that appears to him to be uniformly random (as mentioned, the statement is formalized later, in Sect. 5.4). In order to further the analysis, we assign more precise notation for the maps described in Game 2.

Bob’s Measurements. Measurement of Bob’s system B of m qubits in Step 1 is represented using two CPTP maps: one acting on the systems in \(\mathcal {I}\), with outcome recorded in register Y; and one acting on the systems in \(\bar{\mathcal {I}}\), with outcome recorded in W. Note, however, that Bob has no access to \(\theta \), and therefore has no way of determining \(\mathcal {I}\). The formal separation of registers Y and W is simply for future ease of specifying the qubits to which we refer.

Recall the definition of the measurements \(M_B ^{x,y}\) from Sect. 2.3.

The first measurement, where the outcome is stored in register Y, is defined by

$$\begin{aligned} \mathcal {M}_{B \rightarrow Y} ^\mathcal {I}(\cdot ) = \sum _{y \in \{0,1\}^s} |y\rangle _Y \left( M_{B_\mathcal {I}} ^{1, y} \right) \cdot \left( M_{B_\mathcal {I}} ^{1, y} \right) ^\dagger \langle y|_Y \end{aligned}$$
(53)

and the second, where the outcome is stored in register W, is defined by

$$\begin{aligned} \mathcal {M}_{B \rightarrow W} ^{\bar{\mathcal {I}}} ( \cdot ) = \sum _{w \in \{0,1\}^k} |w\rangle _W \left( M_{B_{\bar{\mathcal {I}}}} ^{1, w} \right) \cdot \left( M_{B_{\bar{\mathcal {I}}}} ^{1, w} \right) ^\dagger \langle w|_W, \end{aligned}$$
(54)

where \(M_{B_\mathcal {I}} ^{1, y} :=\bigotimes _{i \in \mathcal {I}} M_{B_i} ^{1, y_i}\), and the definition of \(M_{B_{\bar{\mathcal {I}}}} ^{1, w}\) is analogous.

Alice’s Measurements. We represent the randomness of Alice’s sampling using seed registers. Thus, the randomness used for Alice’s choice of basis is represented as

$$\begin{aligned} \rho _{S^\Theta } = \frac{1}{\left( {\begin{array}{c}m\\ k\end{array}}\right) } \sum _{\theta \in \Theta } \Gamma (\theta )_{S^\Theta }. \end{aligned}$$
(55)

Similarly, Alice’s randomness for choice of a hash function for privacy amplification is represented as

$$\begin{aligned} \rho _{S^{H_\text {pa}}} = \frac{1}{|\mathfrak {H}_\text {pa}|} \sum _{h \in \mathfrak {H}_\text {pa}} \Gamma (h)_{S^{H_\text {pa}}}. \end{aligned}$$
(56)

Recall that \(m = s + k\), where k is the weight of all strings in \(\Theta \). Measurement of Alice’s system A of m qubits in Step 2 is represented using two CPTP maps: one acting on the systems in \(\mathcal {I}\), with outcome recorded in register X (by definition, these qubits are measured in the computational basis); and one acting on the systems in \(\bar{\mathcal {I}}\), with outcome recorded in register V (by definition, these qubits are measured in the Hadamard basis). The first measurement, where the outcome is stored in register X, is defined by

$$\begin{aligned} \mathcal {M}_{A \rightarrow X | S^\Theta } ^\mathcal {I}(\cdot ) = \sum _{\theta \in \Theta } \sum _{x \in \{0,1\}^s} |x\rangle _X \left( M_{A_\mathcal {I}} ^{0, x} \otimes \Gamma (\theta )_{S^\Theta } \right) \cdot \left( M_{A_\mathcal {I}} ^{0, x} \otimes \Gamma (\theta )_{S^\Theta } \right) ^\dagger \langle x|_X; \end{aligned}$$

and the second measurement, where the outcome is stored in register V, is defined by

$$\begin{aligned} \mathcal {M}_{A \rightarrow V | S^\Theta } ^{\bar{\mathcal {I}}} ( \cdot ) = \sum _{\theta \in \Theta } \sum _{v \in \{0,1\}^k} |v\rangle _V \left( M_{A_{\bar{\mathcal {I}}}} ^{1, v} \otimes \Gamma (\theta )_{S^\Theta } \right) \cdot \left( M_{A_{\bar{\mathcal {I}}}} ^{1, v} \otimes \Gamma (\theta )_{S^\Theta } \right) ^\dagger \langle v|_V, \end{aligned}$$

where \(M_{A_\mathcal {I}} ^{0, x} :=\bigotimes _{i \in \mathcal {I}} M_{A_i} ^{0, x_i}\) and the definition of \(M_{A_{\bar{\mathcal {I}}}} ^{1, v}\) is analogous.

We also introduce a hypothetical measurement for the sake of the security analysis. Consider the case where Alice measures all of her qubits in the Hadamard basis. In this case, instead of \(\mathcal {M}_{A \rightarrow X | S^\Theta } ^\mathcal {I}\), Alice would use the measurement

$$\begin{aligned} \mathcal {M}_{A \rightarrow Z | S^\Theta } ^\mathcal {I}(\cdot ) = \sum _{\theta \in \Theta } \sum _{z \in \{0,1\}^s} |z\rangle _Z \left( M_{A_\mathcal {I}} ^{1, z} \otimes \Gamma (\theta )_{S^\Theta } \right) \cdot \left( M_{A_\mathcal {I}} ^{1, z} \otimes \Gamma (\theta )_{S^\Theta } \right) ^\dagger \langle z|_Z. \end{aligned}$$

Alice’s and Bob’s measurements all commute with one another, since each acts on a distinct quantum system. We can thus define the total measurement map

$$\begin{aligned} \mathcal {M}_{AB \rightarrow VWXY|S^\Theta } = \mathcal {M}_{A \rightarrow X|S^\Theta } ^\mathcal {I}\circ \mathcal {M}_{A \rightarrow V|S^\Theta } ^{\bar{\mathcal {I}}} \circ \mathcal {M}_{B \rightarrow Y} ^\mathcal {I}\circ \mathcal {M}_{B \rightarrow W} ^{\bar{\mathcal {I}}}. \end{aligned}$$
(57)

The overall post-measurement state (i.e. the joint state held by Alice and Bob after both their measurements) is denoted \(\sigma _{VWXYS^\Theta }\). We analogously define the hypothetical post-measurement state \(\hat{\sigma }_{VWZYS^\Theta }\) (which is the joint state of Alice and Bob given Alice has used \(\mathcal {M}_{A \rightarrow Z \mid S^\Theta }\)).

Alice’s Verification. Alice completes the verification procedure by comparing the V register to the W register. If they differ in fewer than \(k \delta \) bits, then the test is passed. The test is represented by a function \(\mathrm {comp}:\{0,1\}^k \times \{0,1\}^k \rightarrow \{0,1\}\) defined by

$$\begin{aligned} \mathrm {comp}(v,w) = {\left\{ \begin{array}{ll} 0 \quad &{}\text {if}~\omega (v \oplus w) \ge k \delta \\ 1 \quad &{}\text {else.} \end{array}\right. } \end{aligned}$$
(58)

To record the value of this test, we use a flag \(F^\mathrm {comp}:=\mathrm {comp}(v,w)\).

The import of the outcome of this comparison test is that if Bob is good at guessing Alice’s information in the Hadamard basis, it is unlikely that he is good at guessing Alice’s information in the computational basis. This trade-off is represented in the uncertainty relation of Proposition 2.

Note that we can define the post-comparison test state, since \(A|_\mathcal {I}\) is disjoint from \(A|_{\bar{\mathcal {I}}}\) and \(B|_\mathcal {I}\) is disjoint from \(B|_{\bar{\mathcal {I}}}\). The state is denoted \(\tau _{ABVWS^\Theta \mid F^\mathrm {comp}= 1}\).

The following proposition shows that in order to ensure that Bob’s knowledge of X is limited after a successful comparison test, and receiving the key, his knowledge about Alice’s hypothetical Hadamard measurement outcome must be bounded below.

Proposition 4

Let \(\epsilon \ge 0\). Then

$$\begin{aligned} H_{\min } ^\epsilon (X \wedge F^\mathrm {comp}= 1 | VWS^\Theta B')_\sigma + H_{\max } ^\epsilon (Z \wedge F^\mathrm {comp}= 1 | Y)_{\sigma } \ge s. \end{aligned}$$
(59)

Proof

We apply Proposition 2 to the state \(\tau _{ABVWS^\Theta \mid F^\mathrm {comp}= 1}\). To do this, we equate \(C = VWS^\Theta B'\) and \(E = S^\Theta B\). Using the measurement maps \(\mathcal {M}_{A \rightarrow X \mid S^\Theta }\) and \(\mathcal {M}_{A \rightarrow Z \mid S^\Theta }\) as the POVMs and using \(\{ |\theta \rangle \langle \theta | \}\) as the projective measurement, applying Proposition 2 yields

$$\begin{aligned} H_{\min } ^\epsilon (X \wedge F^\mathrm {comp}= 1 | VWS^\Theta B')_\sigma + H_{\max } ^\epsilon (Z \wedge F^\mathrm {comp}= 1 | S^\Theta B)_\tau \ge s. \end{aligned}$$
(60)

We then apply the measurement map \(\mathcal {M}_{B \rightarrow Y \mid S^\Theta }\) and discard \(S^\Theta \). Finally, by Proposition 1, we note that

$$\begin{aligned} H_{\max } ^\epsilon (Z \wedge F^\mathrm {comp}= 1 \mid S^\Theta B )_\tau \le H_{\max } ^\epsilon (Z \wedge F^\mathrm {comp}= 1 \mid Y)_{\hat{\sigma }}, \end{aligned}$$
(61)

which concludes the proof. \(\square \)

In the spirit of [29], we provide an upper bound for the max-entropy quantity, thus establishing a lower bound for the min-entropy quantity.

Proposition 5

Letting \(\nu \in (0,1)\), we define

$$\begin{aligned} \epsilon (\nu ) :=\exp \left( \frac{-s k^2 \nu ^2}{m (k+1)} \right) . \end{aligned}$$
(62)

Then, for any \(\nu \in (0, \frac{1}{2} - \delta ]\) such that \(\epsilon (\nu )^2 < \Pr [F^\mathrm {comp}= 1]_\sigma = \Pr [F^\mathrm {comp}= 1]_{\hat{\sigma }}\),

$$\begin{aligned} H_{\max } ^{\epsilon (\nu )} (Z \wedge F^\mathrm {comp}= 1 \mid Y)_{\hat{\sigma }} \le s \cdot h(\delta + \nu ) \end{aligned}$$
(63)

where

$$\begin{aligned} h(x) :=-x \log x - (1-x) \log (1-x). \end{aligned}$$
(64)

Proof

Define the event

$$\begin{aligned} \Omega :={\left\{ \begin{array}{ll} 1 \quad &{}\text {if}~\omega (Z \oplus Y) \ge s(\delta + \nu )\\ 0 \quad &{}\text {else.} \end{array}\right. } \end{aligned}$$
(65)

Using Lemma 1, we get that

$$\begin{aligned} \Pr \left[ F^\mathrm {comp}= 1 \wedge \Omega \right] _{\hat{\sigma }}&= \Pr \left[ \omega (V \oplus W) \le k \delta \wedge \omega (Z \oplus Y) \ge s (\delta + \nu )\right] _{\sigma } \end{aligned}$$
(66)
$$\begin{aligned}&\le \epsilon (\nu )^2. \end{aligned}$$
(67)

Given the state \(\hat{\sigma }_{ZYF^\mathrm {comp}= 1}\), we use Lemma 2 to get the state \(\tilde{\sigma }_{ZYF^\mathrm {comp}}\) with \(\Pr [\Omega ]_{\tilde{\sigma }} = 0\) and

$$\begin{aligned} P(\hat{\sigma }_{ZYF^\mathrm {comp}=1}, \tilde{\sigma }_{ZYF^\mathrm {comp}}) \le \epsilon (\nu ). \end{aligned}$$
(68)

Since \(\Pr [F^\mathrm {comp}= 1]_{\tilde{\sigma }} = 1\), we get that

$$\begin{aligned} H_{\max }^{\epsilon (\nu )} (Z \wedge F^\mathrm {comp}= 1 \mid Y)_{\hat{\sigma }} \le H_{\max } (Z \wedge F^\mathrm {comp}= 1 \mid Y)_{\tilde{\sigma }} = H_{\max } (Z \mid Y)_{\tilde{\sigma }}. \end{aligned}$$
(69)

Expanding this conditional max-entropy [27, Sect. 4.3.2], we obtain

$$\begin{aligned} H_{\max } (Z \mid Y)_{\tilde{\sigma }}&= \log \left( \sum _{y \in \{0,1\}^s} \Pr [Y = y]_{\tilde{\sigma }} 2^{H_{\max } (Z \mid Y = y)_{\tilde{\sigma }}} \right) \end{aligned}$$
(70)
$$\begin{aligned}&\le \max _{\begin{array}{c} y \in \{0,1\}^s \\ \Pr [Y = y]_{\tilde{\sigma }} > 0 \end{array}} H_{\max } (Z \mid Y = y)_{\tilde{\sigma }} \end{aligned}$$
(71)
$$\begin{aligned}&\le \max _{\begin{array}{c} y \in \{0,1\}^s \\ \Pr [Y = y]_{\tilde{\sigma }}> 0 \end{array}} \log \left| \left\{ z \in \{0,1\}^s :\Pr [Z = z \mid Y = y]_{\tilde{\sigma }} > 0 \right\} \right| \end{aligned}$$
(72)
$$\begin{aligned}&= \max _{y \in \{0,1\}^s} \log \left| \left\{ z \in \{0,1\}^s :\Pr [Z = z \wedge Y = y]_{\tilde{\sigma }} > 0 \right\} \right| . \end{aligned}$$
(73)

Since \(\Pr [\Omega ]_{\tilde{\sigma }} = 0\), we have

$$\begin{aligned}&\begin{aligned} \vert \{ z \in \{0,1\}^s&:\Pr [Z = z \wedge Y = y]_{\tilde{\sigma }} > 0 \} \vert \\ {}&\le \vert \{ z \in \{0,1\}^s :\omega (z \oplus y) < s(\delta + \nu ) \} \vert \end{aligned} \end{aligned}$$
(74)
$$\begin{aligned}&= \sum _{\gamma = 0} ^{\lfloor s (\delta + \nu ) \rfloor } \left( {\begin{array}{c}s\\ \gamma \end{array}}\right) . \end{aligned}$$
(75)

When \(\delta + \nu \le 1/2\) (see [16, Sect. 1.4]), we have that \(\sum _{\gamma = 0} ^{\lfloor s(\delta + \nu ) \rfloor } \left( {\begin{array}{c}s\\ \gamma \end{array}}\right) \le 2^{s \cdot h(\delta + \nu )}\). \(\square \)
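The counting step that closes this proof can be checked numerically. The following Python is an added example (ours, not the paper’s): it evaluates the Hamming-ball size of (75) and compares it with \(2^{s \cdot h(\delta + \nu )}\) over a sweep of radius fractions p, including values above 1/2 to show why the hypothesis \(\delta + \nu \le 1/2\) is needed. The function names `hamming_ball_size`, `log2_ball_vs_entropy` and `bound_holds`, and the sweep values, are ours.

```python
"""Checking the counting step (74)-(75) of Proposition 5 (added example, not from the paper)."""
import math


def h(x):
    """Binary entropy, Eq. (64), in bits; h(0) = h(1) = 0 by convention."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def hamming_ball_size(s, radius):
    """Number of z in {0,1}^s with omega(z xor y) <= radius, for any fixed y: the sum in (75)."""
    return sum(math.comb(s, gamma) for gamma in range(math.floor(radius) + 1))


def log2_ball_vs_entropy(s, p):
    """Both sides of the closing inequality: (log2 of the ball of radius s*p, s*h(p))."""
    return math.log2(hamming_ball_size(s, s * p)), s * h(p)


def bound_holds(s, p):
    """True iff sum_{gamma <= floor(s p)} C(s, gamma) <= 2^{s h(p)}.  Guaranteed only for p <= 1/2."""
    lhs, rhs = log2_ball_vs_entropy(s, p)
    return lhs <= rhs + 1e-9


if __name__ == "__main__":
    s = 20
    # Constructed sweep: the last values exceed 1/2, where Proposition 5 makes no claim.
    for p in (0.10, 0.25, 0.50, 0.55, 0.60, 0.75):
        lhs, rhs = log2_ball_vs_entropy(s, p)
        print(f"s={s} p={p:.2f}: log2|ball| = {lhs:6.2f}  s*h(p) = {rhs:6.2f}  holds: {bound_holds(s, p)}")
```

For p ≤ 1/2 the ball never exceeds \(2^{s h(p)}\); past 1/2 the entropy bound shrinks while the ball keeps growing, and for s = 20 the inequality already fails at p = 0.6, which is why ν is restricted to \((0, \frac{1}{2} - \delta ]\).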

At this point, we use Proposition 3, the Leftover Hashing Lemma, to turn the min-entropy bound into a statement about how close to uniformly random the string \(\tilde{X} = H_\text {pa}(X)\) is from Bob’s perspective. We name this final state \(\zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} = {{\,\mathrm{Tr}\,}}_X[\mathcal {E}_f (\sigma _{X S^\Theta S^{H_\text {ec}} F^\mathrm {comp}} \otimes \rho _{S^{H_\text {pa}}})]\) for the function \(f :(X, H_\text {pa}) \mapsto H_\text {pa}(X)\). We compare this to the state \(\chi _{\tilde{X}} \otimes \zeta _{S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}\) where \(\chi _{\tilde{X}}\) is the fully mixed state on \(\tilde{X}\).

Proposition 6

Let \(\epsilon (\nu )\) be as defined in (62). Then for any \(\nu \in (0, \frac{1}{2} - \delta ]\) such that \(\epsilon (\nu )^2 < \Pr [F^\mathrm {comp}= 1]_\sigma \), we have

$$\begin{aligned} \Vert \zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} - \chi _{\tilde{X}} \otimes \zeta _{S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}} \le \frac{1}{2} 2^{- \frac{1}{2}g(\nu )} + 2 \epsilon (\nu ), \end{aligned}$$
(76)

where \(g(\nu ) :=s(1 - h(\delta + \nu )) - n\).

Proof

By Proposition 5, we see that

$$\begin{aligned} H_{\max } ^{\epsilon (\nu )} (Z \wedge F^\mathrm {comp}= 1 \mid Y)_\sigma \le s \cdot h(\delta + \nu ). \end{aligned}$$
(77)

Together with Proposition 4, and taking \(q = 1 - h(\delta + \nu )\), we get

$$\begin{aligned} H_{\min } ^\epsilon (X \wedge F^\mathrm {comp}= 1 | VWS^\Theta B')_\sigma \ge sq. \end{aligned}$$
(78)

Finally, applying Proposition 3, we obtain the desired inequality. \(\square \)

For the case where \(\epsilon (\nu )^2 \ge \Pr [F^\mathrm {comp}= 1]_\sigma \), we note that the trace distance \(\Vert \zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} - \chi _{\tilde{X}} \otimes \zeta _{S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}}\) is upper bounded by \(\Pr [F^\mathrm {comp}= 1]_\zeta \). Hence, considering the inequality \(\Pr [F^\mathrm {comp}= 1]_\zeta \le \epsilon (\nu )^2 \le \epsilon (\nu )\) results in the proof of the following corollary.

Corollary 1

For any \(\nu \in (0, \frac{1}{2} - \delta ]\), the following holds:

$$\begin{aligned} \Vert \zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}&- \chi _{\tilde{X}} \otimes \zeta _{S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}} \end{aligned}$$
(79)
$$\begin{aligned}&\le \frac{1}{2}\sqrt{2^{-s(1 - h(\delta + \nu )) + n}} + 2 \epsilon (\nu ). \end{aligned}$$
(80)

Finally, we would like to translate this into a statement about \(|p_0 - p_1|\) in Game 2.

Corollary 2

The difference of probabilities

$$\begin{aligned} \vert \Pr [b' = 1 \wedge ok = 1 \mid Game~2(0)] - \Pr [b' = 1 \wedge ok = 1 \mid Game~2(1)] \vert \end{aligned}$$
(81)

is negligible.

Proof

Let \(\zeta ^b _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}\) be the state of \(\zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}\) in the case that \(b \in \{0,1\}\) was selected at the beginning of Game 2. Note that the following trace distance is bounded above by a negligible function:

$$\begin{aligned} \Vert \zeta ^0&_{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} - \zeta ^1 _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}} \end{aligned}$$
(82)
$$\begin{aligned}&\begin{aligned} \le \Vert \zeta ^0 _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} - \chi _{\tilde{X}} \otimes \zeta _{S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}} \\ + \Vert \zeta ^1 _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} - \chi _{\tilde{X}} \otimes \zeta _{S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}} \end{aligned} \end{aligned}$$
(83)
$$\begin{aligned}&\le 2\left( \frac{1}{2}\sqrt{2^{-s(1 - h(\delta + \nu )) + n}} + 2 \epsilon (\nu ) \right) . \end{aligned}$$
(84)

Next, note the following equality:

$$\begin{aligned}&\Pr [b' = 1 \wedge ok = 1 \mid Game~2(b)] \end{aligned}$$
(85)
$$\begin{aligned}&= \sum _{\zeta } {{\,\mathrm{Tr}\,}}[{\zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}}] \Pr [b' = 1 \mid Game~2(b)] \end{aligned}$$
(86)

Hence,

$$\begin{aligned}&\vert \Pr [b' = 1 \wedge ok = 1 \mid Game~2(0)] - \Pr [b' = 1 \wedge ok = 1 \mid Game~2(1)] \vert \end{aligned}$$
(87)
$$\begin{aligned}&\le \sum _{\zeta } {{\,\mathrm{Tr}\,}}[{\zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}}] \Vert \zeta ^0 _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} - \zeta ^1 _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1} \Vert _{{{\,\mathrm{Tr}\,}}} \end{aligned}$$
(88)
$$\begin{aligned}&\le \sum _{\zeta } 2 {{\,\mathrm{Tr}\,}}[{\zeta _{\tilde{X} S F^\mathrm {comp}E \wedge F^\mathrm {comp}= 1}}] \left( \frac{1}{2}\sqrt{2^{-s(1 - h(\delta + \nu )) + n}} + 2 \epsilon (\nu ) \right) \end{aligned}$$
(89)
$$\begin{aligned}&=2\left( \frac{1}{2}\sqrt{2^{-s(1 - h(\delta + \nu )) + n}} + 2 \epsilon (\nu ) \right) . \end{aligned}$$
(90)

The conclusion follows from convexity and the physical interpretation of the trace distance (see Sect. 2). In particular, the difference in probabilities of obtaining the measurement outcome \(b' = 1\) given states \(\zeta ^0\) and \(\zeta ^1\) is bounded above by the aforementioned trace distance. \(\square \)

5.4 Security Reduction

We now show that the security of Game 1 can be reduced to that of Game 2. In order to do so, we construct a sequence of games starting at Game 1 and ending at Game 2, and show that each transformation can only increase the advantage in distinguishing the case \(b=0\) from \(b=1\). For a game G, let \(\mathsf {Adv}(G) = |p_0 - p_1|\) be the advantage, as defined in Eq. (34).

Proposition 7

\(\mathsf {Adv}(Game~1) \le \mathsf {Adv}(Game~2)\,. \)

Proof

We show a sequence of games, transforming Game 1 to Game 2, such that each successive transformation either has no effect on, or can potentially increase the advantage.

Let G be a game like Game 1 except that in G, we run

$$\begin{aligned} \mathcal {A}_1 (\Gamma (r^\theta )_T \otimes \Gamma (\alpha _1, \alpha _2, \alpha _3)_T \otimes \rho _S )\,, \end{aligned}$$
(91)

where \(\alpha _1, \alpha _2, \alpha _3\) are uniformly random bit strings of the appropriate length. Verification is performed as usual, and if \(ok = 1\), we run

$$\begin{aligned} \mathcal {A}_2 (\Gamma (r|_{\bar{\mathcal {I}}}, \theta , \mathsf {msg}\oplus x \oplus \alpha _1, H_{\text {ec}} (r|_\mathcal {I}) \oplus \alpha _2, \mathrm {synd}(r|_\mathcal {I}) \oplus \alpha _3, H_{\text {pa}}, H_{\text {ec}})_{K'} \otimes \rho '_S \otimes \rho _{T'}). \end{aligned}$$
(92)

By a change of variable, \(\mathsf {Adv}(Game~1) = \mathsf {Adv}(G)\).

Next, we obtain \(G'\) from G by defining a new adversary \(\mathcal {A}'_1\) which is like \(\mathcal {A}_1\), but only receives part of register T. Thus we run

$$\begin{aligned} \mathcal {A}'_1 (\Gamma (r^\theta )_T \otimes \rho _S )\,, \end{aligned}$$
(93)

and to compensate, we directly give \(\mathcal {A}'_2\) the information that was previously hidden by the \(\alpha \) values:

$$\begin{aligned} \mathcal {A}'_2 (\Gamma (r|_{\bar{\mathcal {I}}}, \theta , \mathsf {msg}\oplus x, H_{\text {ec}} (r|_\mathcal {I}), \mathrm {synd}(r|_\mathcal {I}), H_{\text {pa}}, H_{\text {ec}})_{K'} \otimes \rho '_S \otimes \rho _{T'}) \end{aligned}$$
(94)

Then \(\mathsf {Adv}(G) \le \mathsf {Adv}(G')\), since an adversary \(\mathcal {A}'\) for \(G'\) can simulate any adversary \(\mathcal {A}\) in G, and win with the same advantage. To do this, \(\mathcal {A}'\) simply creates its own randomness for \(\alpha _1, \alpha _2\) and \(\alpha _3\), and adjusts the input to \(\mathcal {A}_2\) based on its own knowledge of \(\mathsf {msg}\oplus x, H_{\text {ec}} (r|_\mathcal {I})\) and \(\mathrm {synd}(r|_\mathcal {I})\).

Let \(G''\) be a game like \(G'\) except that, in \(G''\), instead of \(\mathcal {A}'_1\) being given \(\Gamma (r^\theta )\), m EPR pairs are prepared, yielding quantum systems A and B, of which the adversary \(\mathcal {A}'_1\) is given B. System A is measured in basis \(\theta \) yielding a string r, and \(\mathcal {A}'_1\) then computes

$$\begin{aligned} \Gamma (y)_D \otimes \rho '_S \otimes \rho _{T'} \leftarrow \mathcal {A}'_1 (\rho _B \otimes \rho _S). \end{aligned}$$
(95)

We show that, due to the measurement of system A, adversary \(\mathcal {A}'_1\) receives \(\Gamma (r^\theta )\), where r is uniformly random. The post-measurement state, conditioned on the measurement of system A yielding outcome r, will be equivalent to

$$\begin{aligned} |\psi _r\rangle&= \left( {{\,\mathrm{\mathsf {H}}\,}}^\theta \Gamma (r) {{\,\mathrm{\mathsf {H}}\,}}^\theta \otimes 1_m \right) |\text {EPR}^m\rangle \end{aligned}$$
(96)
$$\begin{aligned}&= \left( {{\,\mathrm{\mathsf {H}}\,}}^\theta \otimes 1_m \right) \left( \Gamma (r) \otimes 1_m \right) \left( 1_m \otimes {{\,\mathrm{\mathsf {H}}\,}}^\theta \right) |\text {EPR}^m\rangle \end{aligned}$$
(97)
$$\begin{aligned}&= \sum _{\tilde{r} \in \{0, 1\}^m} \frac{1}{2^{m/2}} \left( {{\,\mathrm{\mathsf {H}}\,}}^\theta \Gamma (r) |\tilde{r}\rangle \right) \left( {{\,\mathrm{\mathsf {H}}\,}}^\theta |\tilde{r}\rangle \right) \end{aligned}$$
(98)
$$\begin{aligned}&= \frac{1}{2^{m/2}} \left( {{\,\mathrm{\mathsf {H}}\,}}^\theta |r\rangle \right) \left( {{\,\mathrm{\mathsf {H}}\,}}^\theta |r\rangle \right) \end{aligned}$$
(99)
$$\begin{aligned}&= \frac{1}{2^{m/2}} |r^\theta \rangle \otimes |r^\theta \rangle , \end{aligned}$$
(100)

which occurs with probability \(\Vert |\psi _r\rangle \Vert ^2 = \frac{1}{2^{m}}\). Therefore, the advantage in \(G'\) is the same as the advantage in \(G''\).
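The calculation (96)–(100), together with the measurement structure of Game 2 set out earlier in this section (Alice measures A in basis θ, Bob measures B in the Hadamard basis, and the outcomes on \(\bar{\mathcal {I}}\) are compared via \(\mathrm {comp}\)), can be reproduced with a small statevector simulation. The Python below is an added example (ours, not the paper’s) for an honest Bob who prepares EPR pairs: it projects A onto \(H^\theta |r\rangle \), checks that B is left in that same state with probability 1/2 per pair, and runs one honest round showing that W equals V on \(\bar{\mathcal {I}}\) while Y is uncorrelated with X on \(\mathcal {I}\). The function names (`project`, `honest_round`, `comp`, `demo`) and the constructed parameters s = k = 64, δ = 0.05 are ours.

```python
"""One round of Game 2 with an honest Bob, as a 2-qubit statevector simulation.
Added example, not from the paper.  State vectors have 4 entries indexed a*2 + b
(a = Alice's qubit A, b = Bob's qubit B); |EPR> = (|00> + |11>)/sqrt(2).  Names are ours.
"""
import math
import random

INV_SQRT2 = 1 / math.sqrt(2)


def epr_pair():
    return [INV_SQRT2, 0j, 0j, INV_SQRT2]


def hadamard_on(state, qubit):
    """Apply H to one qubit (0 = A, 1 = B) using H|b> = (|0> + (-1)^b |1>)/sqrt(2)."""
    shift = 1 - qubit                        # A is the high bit of the index, B the low bit
    out = [0j] * 4
    for idx, amp in enumerate(state):
        lo, hi = idx & ~(1 << shift), idx | (1 << shift)
        sign = -1 if (idx >> shift) & 1 else 1
        out[lo] += amp * INV_SQRT2
        out[hi] += amp * INV_SQRT2 * sign
    return out


def project(state, qubit, theta, r):
    """Project one qubit onto H^theta |r>; returns (probability, normalised post-state or None)."""
    work = hadamard_on(state, qubit) if theta else list(state)   # rotate so the H basis becomes Z
    shift = 1 - qubit
    kept = [amp if ((idx >> shift) & 1) == r else 0j for idx, amp in enumerate(work)]
    prob = sum(abs(amp) ** 2 for amp in kept)
    if prob < 1e-12:
        return 0.0, None
    post = [amp / math.sqrt(prob) for amp in kept]
    return prob, (hadamard_on(post, qubit) if theta else post)   # rotate back


def measure(state, qubit, theta, rng):
    """Sample an outcome by the Born rule and collapse the state."""
    p1, post1 = project(state, qubit, theta, 1)
    p1 = round(p1, 12)                       # drop floating-point dust so 0 and 1 stay exact
    if rng.random() < p1:
        return 1, post1
    return 0, project(state, qubit, theta, 0)[1]


def b_state(state):
    """Bob's qubit as a 2-vector, valid once A has been measured (the pair is then a product)."""
    rows = [state[0:2], state[2:4]]          # B's amplitudes for a = 0 and for a = 1
    row = max(rows, key=lambda v: sum(abs(x) ** 2 for x in v))
    norm = math.sqrt(sum(abs(x) ** 2 for x in row))
    return [x / norm for x in row]


def check_eq_100(theta, r):
    """Eq. (100): projecting A onto H^theta|r> leaves B in H^theta|r>, with probability 1/2."""
    prob, post = project(epr_pair(), 0, theta, r)
    expected = [1.0 - r, float(r)]                                   # |r>
    if theta:                                                        # H|r>
        expected = [(expected[0] + expected[1]) * INV_SQRT2, (expected[0] - expected[1]) * INV_SQRT2]
    overlap = sum(a.conjugate() * b for a, b in zip(b_state(post), expected))
    return prob, abs(overlap) ** 2                                   # (probability, fidelity)


def comp(v, w, k, delta):
    """Eq. (58): 1 if v and w differ in fewer than k*delta positions, else 0."""
    return 1 if sum(a ^ b for a, b in zip(v, w)) < k * delta else 0


def honest_round(theta, rng):
    """Alice's (x on I, v on I-bar) and Bob's (y on I, w on I-bar) outcomes for one round."""
    x, v, y, w = [], [], [], []
    for t in theta:
        state = epr_pair()
        r, state = measure(state, 0, t, rng)     # Alice: A in basis theta_i
        bob, _ = measure(state, 1, 1, rng)       # Bob: B in the Hadamard basis (del circuit)
        (x if t == 0 else v).append(r)           # theta_i = 0 puts index i in I, else in I-bar
        (y if t == 0 else w).append(bob)
    return x, v, y, w


def demo(s=64, k=64, delta=0.05, seed=2020):
    """Returns (comp flag, mismatches on I-bar, mismatches on I) for an honest run."""
    rng = random.Random(seed)
    theta = [0] * s + [1] * k                # constructed basis string of weight k
    rng.shuffle(theta)
    x, v, y, w = honest_round(theta, rng)
    return comp(v, w, k, delta), sum(a ^ b for a, b in zip(v, w)), sum(a ^ b for a, b in zip(x, y))


if __name__ == "__main__":
    print([check_eq_100(th, rr) for th in (0, 1) for rr in (0, 1)])
    print("(comp, mismatches on I-bar, mismatches on I) =", demo())
```

Measuring A before B is immaterial, as the two measurements act on distinct systems and commute (the point used for \(G'''\)). On \(\bar{\mathcal {I}}\) the honest Bob’s Hadamard outcome reproduces Alice’s exactly, so the comparison test passes with zero mismatches; on \(\mathcal {I}\) the same measurement is uncorrelated with X, which is the trade-off that Proposition 4 quantifies.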

Let \(G'''\) be a game like \(G''\) except that, in \(G'''\), instead of system A being measured before running \(\mathcal {A}'_1\), system A is measured after running \(\mathcal {A}'_1\). Then the advantage is unchanged because the measurement and \(\mathcal {A}'_1\) act on distinct systems, and therefore commute.

We note that \(G'''\) is like Game 2 except that, in the latter game, Bob is the party that prepares the state. Since allowing Bob to select the initial state can only increase the advantage, we get that \(\mathsf {Adv}(G''') \le \mathsf {Adv}(Game~2)\). This concludes the proof. \(\square \)

Theorem 3

Scheme 1 is certified deletion secure.

Proof

Through a combination of Corollary 2 and Proposition 7, we arrive at the following inequality:

$$\begin{aligned}&\vert \Pr [b' = 1 \wedge ok = 1 \mid Game~1(0)] - \Pr [b' = 1 \wedge ok = 1 \mid Game~1(1)] \vert \end{aligned}$$
(101)
$$\begin{aligned}&\le 2\left( \frac{1}{2}\sqrt{2^{-s(1 - h(\delta + \nu )) + n}} + 2 \epsilon (\nu ) \right) . \end{aligned}$$
(102)

Since Game 1 is a certified deletion attack for Scheme 1, we see that Scheme 1 is \(\eta \)-certified deletion secure for

$$\begin{aligned} \eta (\lambda ) = 2\left( \frac{1}{2}\sqrt{2^{-(s(\lambda ))(1 - h(\delta + \nu )) + n}} + 2 \exp \left( \frac{-(s(\lambda )) (k(\lambda ))^2 \nu ^2}{(m(\lambda )) ((k(\lambda ))+1)} \right) \right) , \end{aligned}$$
(103)

which is negligible for large enough functions s and k. \(\square \)
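To see what (103) means for concrete parameters, the following Python, an added example (ours, not the paper’s), evaluates η for \(s = k = \lambda \), \(m = s + k\) and constructed values n = 128, δ = ν = 0.05, and searches for the smallest λ at which η drops below a target such as \(2^{-64}\). The functions `eta` and `qubits_for` are ours; `eta` is capped at 1 because a trace-distance bound above 1 is vacuous. With s = k = λ the exponent of \(\epsilon (\nu )\) is \(\lambda ^2 \nu ^2 / (2(\lambda + 1)) \approx \lambda \nu ^2 / 2\), so that term, not the privacy-amplification term, dictates the required number of qubits.

```python
"""Evaluating the security parameter eta of (103) (added example, not from the paper)."""
import math


def h(x):
    """Binary entropy, Eq. (64), in bits; h(0) = h(1) = 0 by convention."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def epsilon(s, k, m, nu):
    """Eq. (62): exp(-s k^2 nu^2 / (m (k + 1)))."""
    return math.exp(-s * k * k * nu * nu / (m * (k + 1)))


def eta(s, k, n, delta, nu):
    """Eq. (103) with m = s + k.  n is the message length, delta the comparison threshold and
    nu the slack parameter, which must satisfy 0 < nu <= 1/2 - delta (Corollary 1).
    The value is capped at 1, since a trace-distance bound above 1 carries no information."""
    if not 0.0 < nu <= 0.5 - delta:
        raise ValueError("nu must lie in (0, 1/2 - delta]")
    g = s * (1.0 - h(delta + nu)) - n        # g(nu) of Proposition 6
    if g <= 0:                               # (1/2) sqrt(2^-g) >= 1/2 already: vacuous bound
        return 1.0
    leftover = 0.5 * 2.0 ** (-g / 2.0)       # privacy-amplification term, (1/2) sqrt(2^-g)
    return min(1.0, 2.0 * (leftover + 2.0 * epsilon(s, k, s + k, nu)))


def qubits_for(target_bits, n, delta, nu):
    """Smallest lambda with s = k = lambda such that eta <= 2^-target_bits.
    eta decreases in lambda, so a binary search suffices."""
    target = 2.0 ** (-target_bits)
    lo, hi = 1, 1 << 40
    while lo < hi:
        mid = (lo + hi) // 2
        if eta(mid, mid, n, delta, nu) <= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    n, delta, nu = 128, 0.05, 0.05           # constructed parameters for illustration
    for lam in (1_000, 10_000, 100_000):
        print(f"lambda = {lam:>7}: eta = {eta(lam, lam, n, delta, nu):.3e}")
    print("qubits per half (s = k) for eta <= 2^-64:", qubits_for(64, n, delta, nu))
```

With these parameters η is still vacuous at λ = 1000 and reaches \(2^{-64}\) only for λ in the tens of thousands, i.e. several tens of thousands of BB84-type qubits per ciphertext; a larger ν buys a faster-decaying \(\epsilon (\nu )\) at the cost of a smaller \(1 - h(\delta + \nu )\) rate and the constraint \(\nu \le \frac{1}{2} - \delta \).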