Quantum Non-malleability and Authentication

Abstract

In encryption, non-malleability is a highly desirable property: it ensures that adversaries cannot manipulate the plaintext by acting on the ciphertext. In [6], Ambainis et al. gave a definition of non-malleability for the encryption of quantum data. In this work, we show that this definition is too weak, as it allows adversaries to “inject” plaintexts of their choice into the ciphertext. We give a new definition of quantum non-malleability which resolves this problem. Our definition is expressed in terms of entropic quantities, considers stronger adversaries, and does not assume secrecy. Rather, we prove that quantum non-malleability implies secrecy; this is in stark contrast to the classical setting, where the two properties are completely independent. For unitary schemes, our notion of non-malleability is equivalent to encryption with a two-design (and hence also to the definition of [6]).

Our techniques also yield new results regarding the closely-related task of quantum authentication. We show that “total authentication” (a notion recently proposed by Garg et al. [18]) can be satisfied with two-designs, a significant improvement over the eight-design construction of [18]. We also show that, under a mild adaptation of the rejection procedure, both total authentication and our notion of non-malleability yield quantum authentication as defined by Dupuis et al. [16].

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Background. In its most basic form, encryption ensures secrecy in the presence of eavesdroppers. Besides secrecy, another desirable property is non-malleability, which guarantees that an active adversary cannot modify the plaintext by manipulating the ciphertext. In the classical setting, secrecy and non-malleability are independent: there are schemes which satisfy secrecy but are malleable, and schemes which are non-malleable but transmit the plaintext in the clear. If both secrecy and non-malleability is desired, then pairwise-independent permutations provide information-theoretically perfect (one-time) security [20]. In the computational security setting, non-malleability can be achieved by MACs, and ensures chosen-ciphertext security for authenticated encryption.

In the setting of quantum information, encryption is the task of transmitting quantum states over a completely insecure quantum channel. Information-theoretic secrecy for quantum encryption is well-understood. Non-malleability, on the other hand, has only been studied in one previous work, by Ambainis, Bouda and Winter [6]. Their definition (which we will call ABW-non-malleability, or ABW-NM) requires that the scheme satisfies secrecy, and that the “effective channel” \(\mathsf {Dec}\circ \varLambda \circ \mathsf {Enc}\) of any adversary \(\varLambda \) amounts to either the identity map or replacement by some fixed state. In the case of unitary schemes, ABW-NM is equivalent to encrypting with a unitary two-design. Unitary two-designs are a natural quantum analogue of pairwise-independent permutations, and can be efficiently constructed in a number of ways (see, e.g., [10, 14].)

While quantum non-malleability has only been considered by [6], the closely-related task of quantum authentication (where decryption is allowed to reject) has received significant attention (see, e.g., [2, 7, 11, 16, 18].) The widely-adopted definition of Dupuis, Nielsen and Salvail asks that the averaged effective channel of any adversary is close to a map which does not touch the plaintext [16]; we refer to this notion as DNS-authentication. Recent work by Garg, Yuen and Zhandry [18] established another notion of quantum authentication, which they call “total authentication.” The notion of total authentication has two major differences from previous definitions: (i) it asks for success with high probability over the choice of keys, rather than simply on average, and (ii) it makes no demands whatsoever in the case that decryption rejects. We refer to this notion of quantum authentication as GYZ-authentication. In [18], it is shown that GYZ-authentication can be satisfied with unitary eight-designs.

This Work. In this work, we devise a new definition of non-malleability (denoted NM) for quantum encryption, improving on ABW-NM in a number of ways. First, our definition is expressed in terms of entropic quantities, which allows us to bring several quantum-information-theoretic techniques to bear (such as decoupling.) Second, we consider more powerful adversaries, which can possess side information about the plaintext. Third, we remove the possibility of a “plaintext injection” attack, whereby an adversary against an ABW-NM scheme can send a plaintext of their choice to the receiver. Finally, our definition does not demand secrecy; instead, we show that quantum secrecy is a consequence of quantum non-malleability. This is a significant departure from the classical case, and is analogous to the fact that quantum authentication implies secrecy [7].

The primary consequence of our work is twofold: first, encryption with unitary two-designs satisfies all of the above notions of quantum non-malleability; second, when equipped with blank “tag” qubits, the same scheme also satisfies all of the above notions of quantum authentication. A more detailed summary of the results is as follows. For schemes which have unitary encryption maps, we prove that \(\textsf {NM}\) is equivalent to encryption with unitary two-designs, and hence also to ABW-NM. For non-unitary schemes, we prove a characterization theorem for \(\textsf {NM}\) schemes that shows that NM implies ABW-NM, and provide a strong separation example between \(\textsf {NM}\) and ABW-NM (the aforementioned plaintext injection attack). In the case of GYZ authentication, we prove that two-designs (with tags) are sufficient, a significant improvement over the state-of-the-art, which requires eight-designs [18]. Moreover, the simulation of adversaries in this proof is efficient, in the sense of Broadbent and Wainewright [11]. Finally, we show that GYZ-authentication implies DNS-authentication, and that equipping an arbitrary \(\textsf {NM}\) scheme with tags yields DNS-authentication.

We remark that, after the initial version of our results was submitted, an independent work of C. Portmann gave an alternative proof that GYZ-authentication can be satisfied by the 2-design scheme [26].

1.1 Summary of Contributions

In the following, all schemes are symmetric-key encryption schemes for quantum data, in the information-theoretic security setting.

Quantum Non-malleability. We begin with non-malleability, in both the perfect setting (Sect. 3) and the approximate setting (Sect. 4).

1. 1.

   New definition of non-malleability. We give a new definition of quantum non-malleability (NM), in terms of the information gain of an adversary’s effective attack on the plaintext. The quantum registers are: plaintext A, ciphertext C, user’s reference R, and adversary’s side information B.

Definition 1.1

( \({{\mathbf {\mathsf{{NM}}}}}\) , informal). A scheme is non-malleable (NM) if for any \(\varrho _{ABR}\) and any attack \(\varLambda _{CB \rightarrow C\tilde{B}}\), the effective attack \(\tilde{\varLambda }_{AB \rightarrow A\tilde{B}}\) satisfies

$$ I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )} \le I(AR:B)_\varrho + h(p_{=}(\varLambda ,\varrho )). $$

The binary entropy term is necessary because adversaries can always simply record whether they disturbed the ciphertext (see Definition 3.4).

1. 2.

   Results on non-malleability. Our first result is an alternative characterization of \(\textsf {NM}\), in terms of the form of the effective map \(\tilde{\varLambda }\).

Theorem 1.2

(informal). A scheme is \(\textsf {NM}\) if and only if, for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), there exist maps \(\varLambda '_{B\rightarrow \tilde{B}}\), \(\varLambda ''_{B\rightarrow \tilde{B}}\) such that the effective attack satisfies

$$ \tilde{\varLambda } =\mathrm {id}_A\otimes \varLambda '+\frac{1}{|C|^2-1}\left( |C|\left\langle D_K(\mathbbm {1}_C)\right\rangle -\mathrm {id}\right) _A\otimes \varLambda '' . $$

The fact that \(\textsf {NM}\) implies ABW-NM is an immediate corollary. The new definition is strictly stronger than ABW-NM: we give a scheme which is secure under ABW-NM but insecure under NM. This scheme is in fact susceptible to a powerful attack, whereby a simple adversary can replace the output of decryption with a plaintext of the adversary’s choice. On the other hand, if we restrict our attention to schemes where the encryption maps are unitary, then we are able to show the following.

Theorem 1.3

(informal). Let \(\varPi \) be a scheme such that encryption \(E_k\) is unitary for all keys k. Then \(\varPi \) is \(\textsf {NM}\) if and only if \(\{E_k\}_k\) is a two-design.

By the results of [6], we conclude that NM and ABW-NM are in fact equivalent for unitary schemes. Finally, we show that \(\textsf {NM}\) implies secrecy.

Theorem 1.4

(informal). Quantum non-malleability implies secrecy.

1. 3.

   Authentication from non-malleability. Our final result in the setting of non-malleability shows that, by adding a “tag” space to the plaintext (as in the Clifford scheme [2]), we can turn an \(\textsf {NM}\) scheme into an authentication scheme as defined in [16]. More precisely, given an encryption scheme \(\varPi = \{E_k\}\), we define \(\varPi ^{{\text {tag}}}_t\) to be a new scheme whose encryption is , and whose decryption rejects unless B measures to \(| 0^t \rangle \).

Theorem 1.5

(informal). Let \(\varPi = \{E_k\}\) be an encryption scheme. If \(\varPi \) is \(\textsf {NM}\), then \(\varPi ^{{\text {tag}}}_t\) is \(2^{2-t}\)-DNS-authenticating.

Quantum Authentication. Our results on quantum authentication are summarized as follows. We note that, strictly speaking, our definitions of authentication deviate slightly from the original versions [16, 18], in that decryption outputs a reject symbol in place of the plaintext (rather than setting an auxiliary bit to “reject.”) This adaptation is convenient for reasons we will return to later.

1. 1.

   \({{\mathbf {\mathsf{{GYZ}}}}}\) implies \({{\mathbf {\mathsf{{DNS}}}}}\) . First, we show that GYZ-authentication implies DNS-authentication. We remark that this is not trivial: on one hand, GYZ strengthens DNS by requiring high probability of success (rather than success on-average); on the other hand, in the reject case GYZ requires nothing while DNS makes rather stringent demands. Nonetheless, we show the following.

Theorem 1.6

(informal). Let \(\varPi \) be an encryption scheme. If \(\varPi \) is \(\varepsilon \)-GYZ-authenticating, then it is also \(O(\sqrt{\varepsilon })\)-DNS-authenticating.

1. 2.

   \({{\mathbf {\mathsf{{GYZ}}}}}\) is achievable with 2-designs. Next, we show that GYZ-authentication is achieved with a “tagged” two-design scheme. The analysis of [18] required eight-designs for the same construction.

Theorem 1.7

(informal). Let \(\varPi = \{ E_k \}_k\) be a \(2^{-t}\)-approximate 2-design scheme. Then \(\varPi ^{{\text {tag}}}_t\) is \(2^{-\varOmega (t)}\)-GYZ-authenticating.

1. 3.

   \({{\mathbf {\mathsf{{GYZ}}}}}\) authentication from non-malleability. As a straightforward consequence of Theorems 1.3 and 1.7, we finally record that tagging a unitary non-malleable scheme results in a GYZ-authenticating scheme.

Corollary 1.8

(informal). There exists a constant \(r > 0\) such that the following holds. If \(\varPi \) is a unitary \(\varOmega (2^{-r n})\)-\(\textsf {NM}\) scheme for n-qubit messages, and \(t = {\text {poly}}(n)\), then \(\varPi ^{{\text {tag}}}_t\) is \(2^{-\varOmega ({\text {poly}}(n))}\)-GYZ-authenticating.

A sufficiently strong \(\textsf {NM}\) scheme can be constructed via the \(\epsilon \)-approximate version of Theorem 1.3 (see Theorem 4.5 and Remark 2.3 below.)

The remainder of the paper is structured as follows. In Sect. 2, we review some basic facts regarding quantum states, registers, and channels, and recall several useful facts about unitary designs. In Sect. 3, we consider the exact setting, beginning with perfect secrecy and then continuing to perfect non-malleability (NM) and the relevant new results; we also discuss the relationship to ABW-NM in detail. We continue in Sect. 4 with the approximate setting, again beginning with secrecy and then continuing to approximate non-malleability. We end with the new results on quantum authentication, in Sect. 4.2.

2 Preliminaries

2.1 Quantum States, Registers, and Channels

We assume basic familiarity with the formalism of quantum states, operators, and channels. We denote quantum registers (i.e., systems and their subsystems) with capital Latin letters, e.g., A, B, C. The Hilbert space corresponding to system A is denoted by \(\mathcal {H}_A\). For a register A, we denote the dimension of \(\mathcal {H}_A\) by |A|. We emphasize that, in this work, all Hilbert spaces will be finite-dimensional.

The space operators on \(\mathcal {H}_A\) is denoted \(\mathcal B(\mathcal {H}_A)\). We say that a quantum state is classical if it is diagonal in the standard (i.e., computational) basis. We denote the adjoint of an operator \(X \in \mathcal B(\mathcal {H})\) by \(X^\dagger \) and its transpose with respect to the computational basis by \(X^T\). Where necessary, we will write a quantum state \(\varrho \in \mathcal B(\mathcal {H}_A \otimes \mathcal {H}_B \otimes \mathcal {H}_C)\) as \(\varrho _{ABC}\) to emphasize that the state is a multipartite state over registers A, B, and C. When such a state has already been defined, we will write reduced states by omitting the traced-out registers, e.g., \(\varrho _A := \mathrm {Tr}_{BC} [\varrho _{ABC}]\). We single out some special states which will appear frequently. Fix two systems \(S, S'\) with \(|S| = |S'|\). We let

$$ | \phi ^+ \rangle _{SS'} = |S|^{-1/2}\sum _i| ii \rangle _{SS'} \qquad \text {and} \qquad \phi ^+_{SS'} = |\phi ^+\rangle \langle \phi ^+|_{SS'} $$

denote the maximally entangled state on the bipartite system \(SS'\) (expressed as a pure state on the left, and as a density operator on the right.) Furthermore, we let \(\varPi ^-_{SS'}=\mathbbm {1}_{SS'}-\phi ^+_{SS'}\) and \(\tau ^-_{SS'}=\varPi ^-_{SS'}/(|S|^2-1)\). We also set \(\tau _S=\mathbbm {1}_S/|S|\) to be the maximally mixed state on S.

We denote the von Neumann entropy of a state \(\varrho _A\) by \(H(A)_\varrho \), and the joint entropy of \(\varrho _{AB}\) by \(H(AB)_\varrho \). We recall that the quantum mutual information of \(\varrho _{AB}\) is defined by

$$ I(A:B)_\varrho := H(A)_\varrho + H(B)_\varrho - H(AB)_\varrho . $$

The quantum conditional mutual information of \(\varrho _{ABC}\) is defined by

$$ I(A:B|C)_\varrho := H(AC)_\varrho + H(BC)_\varrho - H(ABC)_\varrho - H(C)_\varrho . $$

These quantities are nonnegative [21] and satisfy a chain rule:

$$ I(A:BC|D)_\varrho =I(A:B|D)_\varrho +I(A:C|BD)_\varrho . $$

We remark that the above also holds for trivial D. Together with the Stinespring dilation theorem [27], non-negativity [22] and the chain rule imply the data processing inequality

$$ I(A:\tilde{B}|C)_{\varLambda (\varrho )}\le I(A:B|C)_\varrho \,, $$

when \(\varLambda \) is a CPTP (completely-positive, trace-preserving) map from \(\mathcal B(\mathcal {H}_B)\) to \(\mathcal B(\mathcal {H}_{\tilde{B}})\). An important special case is where \(B=B_1B_2\) and \(\varLambda =\mathrm {Tr}_{B_2}\) discards the contents of \(B_2\).

We will refer to valid transformations between quantum states as channels, or CPTP maps. We will sometimes also consider trace-non-increasing completely-positive (CP) maps. When necessary, we will emphasize the input and output spaces of a map \( \varLambda : \mathcal B(\mathcal {H}_A\otimes \mathcal {H}_B) \rightarrow \mathcal B(\mathcal {H}_C) \) by writing \(\varLambda _{AB \rightarrow C}\). We denote the identity channel on, e.g., register A by \(\mathrm {id}_{A\rightarrow A}\) (or simply \(\mathrm {id}_A\)) and the channel from register A to \(A'\) with constant output \(\sigma _{A'}\) by \(\langle \sigma \rangle _{A\rightarrow A'}\). When composing operators on many registers, and if the context allows, we will elide tensor products with the identity operator. So, for example, with \(\varLambda \) as above we may write \(\tau _{CD} = \varLambda \, \varrho _{ABD}\) in place of \(\tau _{CD} = (\varLambda \otimes \mathrm {id}_D) \varrho _{ABD}\).

A standard tool in this setting is the Choi-Jamiołkowski (CJ) isomorphism [12, 19]. Let \(\varXi _{A\rightarrow B}: \mathcal B(\mathcal {H}_A)\rightarrow \mathcal B(\mathcal {H}_B)\) be a linear operator. Then its CJ matrix is defined as

$$\begin{aligned} \left( \eta _{\varXi }\right) _{BA'}=\varLambda _{A\rightarrow B}(\phi ^+_{AA'}). \end{aligned}$$

(2.1)

The linear operator mapping \(\varXi \) to \(\eta _{\varXi }\) is an isomorphism of vector spaces and \(\eta _\varXi \) is positive semidefinite iff \(\varXi \) is CP. Moreover \(\varXi _{A\rightarrow B}\) is TP iff \(\left( \eta _{\varXi }\right) _{A'}=\tau _A\). The inverse of the CJ isomorphism is given by the equation

$$\begin{aligned} \varXi _{A\rightarrow B}(X_A)=|A|\mathrm {Tr}_{A'}\left[ X_{A'}^T\left( \eta _{\varXi }\right) _{BA'}\right] . \end{aligned}$$

(2.2)

We denote the swap operator by \(F : | i \rangle \otimes | j \rangle \mapsto | j \rangle \otimes | i \rangle \).

Lemma 2.1

(Swap trick [17]). For matrices A and B, \(\mathrm {Tr}[AB]=\mathrm {Tr}[F A\otimes B]\).

We will make frequent use of the trace norm \(\Vert \cdot \Vert _1\), the operator norm \(\Vert \cdot \Vert _\infty \), and the diamond norm \(\Vert \varLambda _{A\rightarrow B}\Vert _\diamond :=\max _{\varrho _{AA'}}\Vert \varLambda _{A\rightarrow B}\otimes \mathrm {id}_{A'}(\varrho _{AA'})\Vert _1\); here the max is taken over all pure quantum states \(\varrho _{AA'}\) and \(\mathcal {H}_A\cong \mathcal {H}_{A'}\). Recall that the Hölder inequality for operators states that, for any two operators X and Y,

$$\begin{aligned} \mathrm {Tr}[XY] \le \Vert XY\Vert _1\le \Vert X\Vert _1\Vert Y\Vert _\infty . \end{aligned}$$

(2.3)

2.2 Unitary Designs

We now recall the definition of unitary t-design, and some relevant variants. We begin by considering three different types of “twirls.”

1. 1.

   For a finite subset \(\mathrm D\subset \mathrm {U}(\mathcal {H})\) of the unitary group on some finite dimensional Hilbert space \(\mathcal {H}\), let

   $$\begin{aligned} \mathcal T^{(t)}_{\mathrm D}(X)=\frac{1}{|\mathrm D|}\sum _{U\in \mathrm D}U^{\otimes t}X\left( U^\dagger \right) ^{\otimes t} \end{aligned}$$

   (2.4)

   be the associated t-twirling channel. If we take the entire unitary group (rather than just a finite subset), then we get the Haar t-twirling channel

   $$\begin{aligned} \mathcal T^{(t)}_\mathsf {Haar}(X)=\int U^{\otimes t}X\left( U^\dagger \right) ^{\otimes t} \mathrm {d}U. \end{aligned}$$

   (2.5)
2. 2.

   We define the U-\(\overline{U}\) twirl with respect to finite \(\mathrm D\subset \mathrm {U}(\mathcal {H})\) by

   $$\begin{aligned} \overline{\mathcal {T}}_{\mathrm D}(X) =\frac{1}{|\mathrm D|}\sum _{U\in \mathrm D}\left( U\otimes \overline{U} \right) X\left( U\otimes \overline{U}\right) ^\dagger . \end{aligned}$$

   (2.6)

   The analogous U-\(\overline{U}\) Haar twirling channel is denoted by \(\overline{\mathcal T}_{\mathsf {Haar}}\).

3. 3.

   The third notion is called a channel twirl, and is defined in terms of U-\(\overline{U}\)-twirling. Given a channel \(\varLambda \), let \(\eta _\varLambda \) be the CJ state of \(\varLambda \). The channel twirl \(\mathcal T_{\mathrm {D}}^{ch}(\varLambda )\) of \(\varLambda \) is defined to be the channel whose CJ state is \(\overline{\mathcal {T}}_{\mathrm D}(\eta _\varLambda )\).

Next, we define the three corresponding notions of designs.

Definition 2.2

Let \(\mathrm D\subset \mathrm {U}(\mathcal {H})\) be a finite set. We define the following.

• If \(\bigl \Vert \mathcal T^{(t)}_{\mathrm D}-\mathcal T^{(t)}_\mathsf {Haar}\bigr \Vert _\diamond \le \delta \) holds, then \(\mathrm {D}\) is a \(\delta \)-approximate t-design.

• If \(\bigl \Vert \overline{\mathcal T}_{\mathrm D}-\overline{\mathcal T}_\mathsf {Haar}\bigr \Vert _\diamond \le \delta \) holds, then \(\mathrm {D}\) is a \(\delta \)-approximate U-\(\overline{U}\)-twirl design.

• If \(\left\| \mathcal T^{ch}_{\mathrm D}(\varLambda )-T^{ch}_\mathsf {Haar}(\varLambda )\right\| _\diamond \le \delta \) holds for all CPTP maps \(\varLambda \), then \(\mathrm {D}\) is a \(\delta \)-approximate channel-twirl design.

For all three of the above, the case \(\delta = 0\) is called an “exact design” (or simply “design”.) All three notions of design are equivalent in the exact case. In the approximate case they are still connected, but there are some nontrivial costs in the approximation quality (See [23], Lemma 2.2.14, and an additional easy lemma proven in the full version [3]).

It is well-known that \(\varepsilon \)-approximate t-designs on n qubits can be generated by random quantum circuits of size polynomial in n, t and \(\log (1/\varepsilon )\) [10]. In particular, the size of these circuits is polynomial even for exponentially-small choices of \(\varepsilon \). We emphasize this observation as follows.

Remark 2.3

Fix a polynomial t in n. Then, for any \(\varepsilon > 0\), a random n-qubit quantum circuit consisting of \({\text {poly}}(n, \log (1/\varepsilon ))\) gates (from a universal set) satisfies every notion of \(\epsilon \)-approximate t-design in Definition 2.2.

For exact designs, we point out two important constructions. First, the prototypical example of a unitary one-design on n qubits is the n-qubit Pauli group. For exact unitary two-designs, the standard example is the Clifford group, which is the normalizer of the n-qubit Pauli group. Alternatively, the Clifford group is generated by circuits from the gate set \(\{H, P, \text {CNOT}\}\). It is well-known that one can efficiently generate exact unitary two-designs on n-qubits by building appropriate circuits from this gate set, using \(O(n^2)\) random bits [1, 14].

3 The Zero-Error Setting

We begin with the zero-error. In the case of secrecy, zero-error means that schemes cannot leak any information whatsoever. In the case of non-malleability, zero-error means that the adversary cannot increase their correlations with the secret by even an infinitesimal amount (except by trivial means; see below).

3.1 Perfect Secrecy

We begin with a definition of symmetric-key quantum encryption. Our formulation treats rejection during decryption in a slightly different manner from previous literature.

Definition 3.1

(Encryption scheme). A symmetric-key quantum encryption scheme (QES) is a triple \((\tau _K,E,D)\) consisting of a classical state \(\tau _K\in \mathcal B(\mathcal {H}_K)\) and a pair of channels

$$\begin{aligned} E&: \mathcal B(\mathcal {H}_A\otimes \mathcal {H}_K) \longrightarrow \mathcal B(\mathcal {H}_C\otimes \mathcal {H}_K)\\ D&: \mathcal B(\mathcal {H}_C\otimes \mathcal {H}_K) \longrightarrow \mathcal B(\left( \mathcal {H}_A\oplus \mathbb {C}| \bot \rangle \right) \otimes \mathcal {H}_K) \end{aligned}$$

satisfying \([D\circ E](\cdot \otimes |k\rangle \langle k|)= (\mathrm {id}_{A} \oplus 0_\bot ) \otimes |k\rangle \langle k|\) for all k.

The Hilbert spaces \(\mathcal {H}_A\), \(\mathcal {H}_C\) and \(\mathcal {H}_K\) are implicitly given by the triple \((\tau _K, E, D)\). The state \(| \bot \rangle \) is an error flag that allows the decryption map to report an error. For notational convenience when dealing with these schemes, we set

We will often slightly abuse notation by referring to decryption maps \(D_k\) as maps from C to A; in fact, the output space of \(D_k\) is really the slightly larger space \(\bar{A} := A \oplus \mathbb {C}| \bot \rangle \).

It is natural to define secrecy in the quantum world in terms of quantum mutual information. However, instead of asking for the ciphertext to be uncorrelated with the plaintext as in the classical case, we ask for the ciphertext to be uncorrelated from any reference system.

Definition 3.2

(Perfect secrecy). A QES \((\tau _K, E, D)\) satisfies information - theoretic secrecy (ITS) if, for any Hilbert space \(\mathcal {H}_B\) and any \(\varrho _{AB}\in \mathcal B(\mathcal {H}_A\otimes \mathcal {H}_B)\), setting \(\sigma _{CBK}=E(\varrho _{AB}\otimes \tau _K)\) implies \(I(C:B)_\sigma =0.\)

We note that, for perfect ITS, adding side information is unnecessary: the definition already implies that the ciphertext is in product with any other system. In particular, if the adversary has some auxiliary system E in their possession, then \(I(B:CE)_\sigma =I(B:E)_\sigma \). Several definitions of secrecy for symmetric-key quantum encryption have appeared in the literature, but the above formulation appears to be new. It can be shown that \(\textsf {ITS}\) is equivalent to perfect indistinguishability of ciphertexts (IND). The latter notion is a special case of an early indistinguishability-based definition of Ambainis et al. [5].

In many situations it makes sense to restrict ourselves to QES that have identical plaintext and ciphertext spaces; due to correctness, this is equivalent to unitarity.

Definition 3.3

(Unitary scheme). A QES \((\tau _K,E,D)\) is called unitary if the encryption and decryption maps are controlled unitaries, i.e., if there exists \(V = \sum _k U^{(k)}_A\otimes |k\rangle \langle k|_K\) such that \(E(X)=VXV^\dagger \).

It is straightforward to prove that, for unitary schemes, ITS is equivalent to the statement that the encryption maps \(\{E_k\}\) form a unitary 1-design. Note that unitarity of \(E_k\) and correctness imply unitarity of \(D_k\).

3.2 A New Notion of Non-malleability

Definition. We consider a scenario involving a user Alice and an adversary Mallory. The scenario begins with Mallory preparing a tripartite state \(\varrho _{ABR}\) over three registers: the plaintext A, the reference R, and the side-information B. The registers A and R are given to Alice, while Mallory keeps B. Alice then encrypts A into a ciphertext C and then transmits (or stores) it in the open. Mallory now applies an attack map

$$ \varLambda : \mathcal B(\mathcal {H}_C\otimes \mathcal {H}_B) \rightarrow \mathcal B(\mathcal {H}_C\otimes \mathcal {H}_{\tilde{B}}). $$

Mallory keeps the (transformed) side-information \(\tilde{B}\) and returns C to Alice. Finally, Alice decrypts C back to A, and the scenario ends. We are now interested in measuring the extent to which Mallory was able to increase her correlations with Alice’s systems A and R. This can be understood by analyzing the mutual information \(I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )}\) where \(\tilde{\varLambda }_{AB \rightarrow A\tilde{B}}\) is the effective channel corresponding to Mallory’s attack (Fig. 1):

$$\begin{aligned} \tilde{\varLambda }= \mathrm {Tr}_K (D\circ \varLambda \circ E)((\cdot )\otimes \tau _K). \end{aligned}$$

(3.1)

Fig. 1.

The quantum non-malleability scenario.

We point out one way in which Mallory can always increase these correlations, regardless of the structure of the encryption scheme. First, she flips a coin b, and records the outcome in B. If \(b=1\), she replaces the contents of C with some fixed state \(\sigma _C\), and otherwise she leaves C untouched. One then sees that Mallory’s correlations have increased by \(h(p_{=}(\varLambda ,\varrho ))\), where h denotes binary entropy and \(p_{=}\) is a defined as follows.

$$\begin{aligned} p_{=}(\varLambda , \varrho ) = \mathrm {Tr}\left[ (\phi ^+_{CC'}\otimes \mathbbm {1}_{\tilde{B}}) \varLambda (\phi ^+_{CC'} \otimes \varrho _B)\right] . \end{aligned}$$

(3.2)

This quantity is the inner product between the identity map and the map \(\varLambda ((\,\cdot \,) \otimes \varrho _B)\), expressed in terms of CJ states. Intuitively, it measures the probability with which Mallory chooses to apply the identity map; taking the binary entropy then gives us the information gain resulting from recording this choice.

We are now ready to define information-theoretic quantum non-malleability. Stated informally, a scheme is non-malleable if Mallory can only implement the attacks described above.

Definition 3.4

(Non-malleability). A QES \((\tau _K,E, D)\) is non-malleable (NM) if for any state \(\varrho _{ABR}\) and any CPTP map \(\varLambda _{CB \rightarrow C{\tilde{B}}}\), we have

$$\begin{aligned} I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )} \le I(AR:B)_\varrho + h(p_{=}(\varLambda ,\varrho )). \end{aligned}$$

(3.3)

One might justifiably wonder if the term \(h(p_{=}(\varLambda , \varrho ))\) is too generous to the adversary. However, as we showed above, every scheme is vulnerable to an attack which gains this amount of information. This term also appears (somewhat disguised) in the classical setting. In fact, if a classical encryption scheme satisfies Definition 3.4 against classical adversaries, then it also satisfies classical information-theoretic non-malleability as defined in [20].

Definition 3.4 directly generalizes the classical information-theoretic definition from [20]. In some settings, it might be preferable to have a definition which characterizes the set of effective attack channels as was done in [6]. As it turns out, \(\textsf {NM}\) can be defined in this way.

Theorem 3.7 (Non-malleability, alternative form). A QES \((\tau , E, D)\) is \(\textsf {NM}\) if and only if for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map \(\tilde{\varLambda }_{AB\rightarrow A\tilde{B}}\) has the form

$$\begin{aligned} \tilde{\varLambda } =\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2\left\langle D_K(\tau )\right\rangle -\mathrm {id}\right) _A\otimes \varLambda ''_{B\rightarrow \tilde{B}} \end{aligned}$$

(3.4)

where \(\varLambda ' =\mathrm {Tr}_{CC'}[\phi ^+_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))]\) and \(\varLambda '' =\mathrm {Tr}_{CC'}[\varPi ^-_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))].\)

The proof of this theorem is postponed to the results section below (proof sketch) and the appendix.

Finally, as we will show in later sections, Definition 3.4 implies ABW-NM (see Definition 3.8), and schemes satisfying Definition 3.4 are sufficient for building quantum authentication under the strongest known definitions.

Non-malleability Implies Secrecy. In the classical case, non-malleability is independent from secrecy: the one-time pad is secret but malleable, and non-malleability is unaffected by appending the plaintext to each ciphertext. In the quantum case, on the other hand, we can show that \(\textsf {NM}\) implies secrecy. This is analogous to the fact that “quantum authentication implies encryption” [7].

Proposition 3.5

Let \((\tau _K,E, D)\) be an NM QES. Then \((\tau _K,E, D)\) is ITS.

Proof

Let B, \(\varrho _{AB}\), and \(\sigma _{CBK} = E(\varrho _{AB} \otimes \tau _K)\) be as in the definition of ITS (Definition 3.2). We first rename B to R. We then consider the non-malleability property in the following special-case scenario. The initial side-information register is empty, the final side-information register \(\tilde{B}\) satisfies \(\mathcal {H}_{\tilde{B}} \cong \mathcal {H}_C\), and the adversary map \(\varLambda _{C\rightarrow C\tilde{B}}\) is defined as follows. Note that the “ciphertext-extraction” map \(\varTheta _{C\rightarrow C\tilde{B}}=\mathrm {id}_{C\rightarrow \tilde{B}}(\cdot )\otimes \tau _C\) has CJ state \(\eta ^{\varTheta }_{CC'\tilde{B}}=\phi ^+_{C'\tilde{B}}\otimes \tau _C\). We choose \(\varLambda \) so that its CJ state satisfies

$$\begin{aligned} \eta ^{\varLambda }_{CC'\tilde{B}}=\frac{d^2}{d^2-1}\varPi _{CC'}^- \,\eta ^{\varTheta }_{CC'\tilde{B}}\,\varPi _{CC'}^- . \end{aligned}$$

(3.5)

Applying the above projection to the CJ state of \(\varTheta \) ensures that \(\varLambda \) will have \(p_=({\varLambda })=0\) (note: \(p_=(\varTheta ) > 0\).)

Direct calculation of the \(C' \tilde{B}\) marginal of the CJ state of \(\varLambda \) yields

$$\begin{aligned} \eta ^{\varLambda }_{C'\tilde{B}}=\frac{d^2-2}{d^2-1}\phi ^+_{C'\tilde{B}}+\frac{1}{d^2-1}\tau _{C'}\otimes \tau _{\tilde{B}}. \end{aligned}$$

(3.6)

This implies that the output \(\sigma _{AR\tilde{B}}=\tilde{\varLambda }_{A\rightarrow A\tilde{B}}(\varrho _{AB})\) of the effective channel \(\tilde{\varLambda }\) will satisfy

$$\begin{aligned} \sigma _{\tilde{B}R}=\frac{d^2-2}{d^2-1}\gamma _{\tilde{B}R}+\frac{1}{d^2-1}\tau _{\tilde{B}}\otimes \varrho _R, \end{aligned}$$

(3.7)

where \(\gamma _{CR}=(E_K)_{A\rightarrow C}(\varrho _{AR})\) and we used the fact that \(\mathcal {H}_{\tilde{B}} \cong \mathcal {H}_C\). By non-malleability, we have

$$\begin{aligned} I(\tilde{B}:R)_{\sigma }+I(\tilde{B}:A|R)_{\sigma }=I(\tilde{B}:AR)_{\sigma }=0. \end{aligned}$$

(3.8)

In particular, \(I(\tilde{B}:R)_{\sigma }=0\) and thus \(\sigma _{\tilde{B}R}=\sigma _{\tilde{B}}\otimes \varrho _R.\) It follows by Eq. (3.7) that

$$\begin{aligned} \gamma _{\tilde{B}R}=\frac{d^2-1}{d^2-2}\left( \sigma _{\tilde{B}}-\frac{1}{d^2-1}\tau _{\tilde{B}}\right) \otimes \varrho _R, \end{aligned}$$

(3.9)

i.e., \(\gamma _{\tilde{B}R}\) is a product state. This is precisely the definition of information-theoretic secrecy.    \(\square \)

Characterization of Non-malleable Schemes. Next, we provide a characterization of non-malleable schemes. First, we show that unitary schemes are equivalent to encryption with a unitary 2-design.

Theorem 3.6

A unitary QES \((\tau _K, E, D)\) is NM if and only if \(\{E_k\}_{k\in K}\) is a unitary 2-design.

This fact is particularly intuitive when the 2-design is the Clifford group, a well-known exact 2-design. In that case, a Pauli operator acting on only one ciphertext qubit will be “propagated” (by the encryption circuit) to a completely random Pauli on all plaintext qubits. The plaintext is then maximally mixed, and the adversary gains no information. The Clifford group thus yields a perfectly non-malleable (and perfectly secret) encryption scheme using \(O(n^2)\) bits of key [1].

It will be convenient to prove Theorem 3.6 as a consequence of our general characterization theorem, which is as follows.

Theorem 3.7

Let \((\tau , E, D)\) be a QES. Then \((\tau , E, D)\) is \(\textsf {NM}\) if and only if, for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map \(\tilde{\varLambda }_{AB\rightarrow A\tilde{B}}\) has the form

$$\begin{aligned} \tilde{\varLambda } =\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2\left\langle D_K(\tau )\right\rangle -\mathrm {id}\right) _A\otimes \varLambda ''_{B\rightarrow \tilde{B}} \end{aligned}$$

(3.10)

where \(\varLambda ' =\mathrm {Tr}_{CC'}[\phi ^+_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))]\) and \(\varLambda '' =\mathrm {Tr}_{CC'}[\varPi ^-_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))].\)

We remark that the forward direction holds even if \((\tau , E, D)\) only fulfills the \(\textsf {NM}\) condition (Eq. (3.3)) against adversaries with empty side-information B. The proof of Theorem 3.7 (with this strengthening) is sketched below. The full proof is somewhat technical and can be found in Appendix B. More precisely, we prove the stronger Theorem B.3, which implies the above by setting \(\varepsilon =0\).

Proof sketch. The first implication, i.e. \(\textsf {NM}\) implies Eq. (3.10), is best proven in the Choi-Jamiołkowski picture. Here, any \(\textsf {QES}\) defines a map

$$\begin{aligned} \mathcal E_{CC'\rightarrow AA'}=\frac{1}{|K|}\sum _k D_k\otimes E_k^T, \end{aligned}$$

(3.11)

where the transpose \(E_k^T\) is the map whose Kraus operators are the transposes of the Kraus operators of \(E_k\) (in the standard basis). Our goal is to prove that this map essentially acts like the \(U\bar{U}\)-twirl. We decompose the space \(\mathcal {H}_C^{\otimes 2}\) as

$$\begin{aligned} \mathcal {H}_C^{\otimes 2}=\mathbb {C}| \phi + \rangle \oplus \mathrm {supp}\varPi ^- \end{aligned}$$

(3.12)

which induces a decomposition of

(3.13)

On the first and last direct summands, the correct behavior of \(\mathcal E\) is easy to show: the first one corresponds to the identity, and the last one to the non-identity channels \(\varLambda \) with \(p_=(\varLambda )=0\). For the remaining two spaces, we employ Lemma A.3 which shows that the encryption map of any valid encryption scheme has the form of appending an ancillary mixed state and then applying an isometry. Evaluating for \(\left\langle \phi ^+ \mid v \right\rangle =0\) reduces to evaluating the adjoint of the average encryption map, \(E^\dagger _K\), on traceless matrices. It is, however, easy to verify that

$$\mathrm {Tr}_A\mathcal E_{CC'\rightarrow AA'}(\sigma _C\otimes (\cdot )_{C'})=(E_K^T)_{C'\rightarrow A'}$$

for any \(\sigma _C\). This can be used to prove \(E_K=\langle \tau _C\rangle \) by observing that \(\langle \phi ^+ |_{CC'}\sigma _C\otimes \varrho _{C'}| \phi ^+ \rangle _{CC'}=\mathrm {Tr}(\sigma _C\varrho _{C})\), so for rank-deficient \(\varrho \) we can calculate \(\mathcal E_{CC'\rightarrow AA'}(\sigma _C\otimes (\cdot )_{C'})\) using what we have already proven.

The other direction is proven by a simple application of Lemma A.2.    \(\square \)

The fact that \(\textsf {NM}\) is equivalent to 2-designs (for unitary schemes) is a straightforward consequence of the above.

Proof

(of Theorem 3.6) First, assume \((\tau _K, E, D)\) is a unitary \(\textsf {NM}\) \(\textsf {QES}\) with \(E_k=U_k(\cdot )U_k^\dagger \). Then it has \(|C|=|A|\), and \(D_K(\tau _C)=\tau _A\), so the conclusion of Theorem 3.7 in this case (i.e., Eq. (3.10)) is exactly the condition for \(\{U_k\}\) to be an exact channel twirl design and therefore an exact 2-design. If \((\tau _K, E, D)\), on the other hand, is a unitary \(\textsf {QES}\) and \(\{U_k\}\) is a 2-design, then Eq. (3.10) holds and the scheme is therefore \(\textsf {NM}\) according to Theorem 3.7.

Relationship to ABW Non-malleability. Ambainis, Bouda and Winter give a different definition of non-malleability, expressed in terms of the effective maps that an adversary can apply to the plaintext by acting on the ciphertext produced from encrypting with a random key [6]. According to their definition, a scheme is non-malleable if the adversary can only apply maps from a very restricted class when averaging over the key, and without giving side information to the active adversary. Let us recall their definition here.

First, given a QES \((\tau _K, E,D)\), we define the set \(S := \{ D_K(\sigma _C) \,|\, \sigma _C \in \mathcal B(\mathcal {H}_C)\}\) consisting of all valid average decryptions. We then define the class \(C^S_A\) of all “replacement channels”. This is the set of CPTP maps belonging to the space

$$\begin{aligned} \mathrm {span}_{\mathbb {R}}\{\mathrm {id}_A, (X\mapsto \mathrm {Tr}(X)\sigma _A) : \sigma _A\in S\}. \end{aligned}$$

(3.14)

We then make the following definition, which first appeared in [6].

Definition 3.8

(ABW non-malleability). A QES \((\tau _K, E,D)\) is ABW-non-malleable (ABW-NM) if it is ITS, and for all channels \(\varLambda _{C\rightarrow C}\), we have

$$\begin{aligned} \mathrm {Tr}_K \left[ D_{CK\rightarrow AK} \circ \varLambda _{C\rightarrow C} \circ E_{AK\rightarrow CK}(\,\cdot \,\otimes \tau _K)\right] \,\in \, C_A^S. \end{aligned}$$

(3.15)

As indicated in [6], an approximate version of Eq. (3.15) is obtained by considering the diamond-norm distance between the effective channel and the set \(C_A^S\); this implies the possibility of an auxiliary reference system, which is denoted R in \(\textsf {NM}\). We emphasize that this reference system is not under the control of the adversary. In particular, ABW-NM does not allow for adversaries which maintain and actively use side information about the plaintext system.

Another notable distinction is that [6] includes a secrecy assumption in the definition of an encryption scheme; under this assumption, it is shown that a unitary QES is ABW-NM if and only if the encryption unitaries form a 2-design. By our Theorem 3.6, we see that NM and ABW-NM are equivalent in the case of unitary schemes. So, in that case, ABW-NM actually ensures a much stronger security notion than originally considered by the authors of [6].

In the general case, \(\textsf {NM}\) is strictly stronger than ABW-NM. First, by comparing the conditions of Definition 3.8 to Eq. (3.10), we immediately get the following corollary of Theorem 3.7.

Corollary 3.9

If a \(\textsf {QES}\) satisfies \(\textsf {NM}\), then it also satisfies ABW-NM.

Second, we give a separation example which shows that ABW-NM is highly insecure; in fact, it allows the adversary to “inject” a plaintext of their choice into the ciphertext. This is insecure even under the classical definition of information-theoretic non-malleability of [20]. We now describe the scheme and this attack.

Example 3.10

Suppose \((\tau _K, E, D)\) is a QES that is both \(\textsf {NM}\) and ABW-NM. Define a modified scheme \((\tau _K, E', D')\), with enlarged ciphertext space \(\mathcal {H}_{C'} = \mathcal {H}_{C}\oplus \mathcal {H}_{\hat{A}}\) (where \(\mathcal {H}_{\hat{A}}\cong \mathcal {H}_A\)) and encryption and decryption defined by

$$\begin{aligned} E'(X)&= E(X)_{C}\oplus 0_{\hat{A}}\\ D'(X)&= D_{CK\rightarrow AK}(\varPi _{C}X\varPi _{C})+ \mathrm {id}_{\hat{A}K\rightarrow AK}(\varPi _{\hat{A}}X\varPi _{\hat{A}}). \end{aligned}$$

Then \((\tau _K, E', D')\) is ABW-NM but not NM.

While encryption ignores \(\mathcal {H}_{\hat{A}}\), decryption measures if we are in C or \(\hat{A}\) and then decrypts (in the first case) or just outputs the contents (in the second case.) This is a dramatic violation of \(\textsf {NM}\): set \(\mathcal {H}_{\tilde{B}}\cong \mathcal {H}_{A}\), trivial B and R, and

$$\begin{aligned} \varLambda _{C'\rightarrow C' \tilde{B}}(X)=\mathrm {Tr}(X)0_{C}\oplus |\phi ^+\rangle \langle \phi ^+|_{\hat{A}\tilde{B}}\,; \end{aligned}$$

(3.16)

it follows that, for all \(\varrho \),

$$\begin{aligned} I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )}=2\log |A|\gg h(|C'|^{-2}) = h(p_=(\varLambda , \varrho )). \end{aligned}$$

(3.17)

Now let us show that \((\tau , E', D')\) is still ABW-NM. Let \(\varLambda _{C'\rightarrow C'}\) be an attack, i.e., an arbitrary CPTP map. Then the effective plaintext map is

$$\begin{aligned} \tilde{\varLambda }_{A\rightarrow A}=D\circ \varLambda ^C_{C\rightarrow C}\circ E+\varLambda ^{\hat{A}}_{C\rightarrow A}\circ E, \end{aligned}$$

(3.18)

where \(\varLambda ^C(X_C)=\varPi _C\varLambda (X_C\oplus 0_{\hat{A}})\varPi _C\) and \(\varLambda ^{\hat{A}}(X_C)=\mathrm {id}_{\hat{A}\rightarrow A}(\varPi _{\hat{A}}\varLambda (X_C\oplus 0_{\hat{A}})\varPi _{\hat{A}})\). Since \((\tau , E, D)\) is \(\textsf {ITS}\) (Proposition 3.5), there exists a fixed state \(\varrho ^0_C\) such that \(E_K(\varrho _A)=\varrho ^0_C\) for all \(\varrho _A\). Since \((\tau , E, D)\) is ABW-NM, we also know that

$$ \mathrm {Tr}_K\circ D\circ \varLambda ^C_{C\rightarrow C}\circ E=\tilde{\varLambda }_1 \in C_A^S , $$

with \(S=\{ D_K(\sigma _C)\,|\,\sigma _C \in \mathcal B(\mathcal {H}_C)\}\). We therefore get

$$\begin{aligned} \tilde{\varLambda }_{A\rightarrow A}=\tilde{\varLambda }_1+\langle \varLambda ^{\hat{A}}(\varrho ^0_C)\rangle \in C_A^{S'}, \end{aligned}$$

(3.19)

with \(S'=\{ D'_K(\sigma _{C'})\,|\,\sigma _{C'} \in \mathcal B(\mathcal {H}_{C'})\}.\) This is true because \(S'\) contains all constant maps, as \(D'_K(0_{C}\oplus \varrho _{\hat{A}})=\varrho _A\).

4 The Approximate Setting

We now consider the case of approximate non-malleability. Approximate schemes are relevant for several reasons. First, an approximate scheme with negligible error can be more efficient than an exact one: the most efficient construction of an exact 2-design requires a quantum circuit of \(O(n\log n\log \log n)\) gates [13], where approximate 2-designs can be achieved with linear-length circuits [14]. Second, in practice, absolutely perfect implementation of all quantum gates is too much to expect—even with error-correction. Third, when passing to authentication one must allow for errors, as it is always possible for the adversary to escape detection (with low probability) by guessing the secret key.

For all these reasons, it is important to understand what happens when the perfect secrecy and perfect non-malleability requirements are slightly relaxed. In this section, we show that our definitions and results are stable under such relaxations, and prove several additional results for quantum authentication. We begin with the approximate-case analogue of perfect secrecy.

Definition 4.1

(Approximate secrecy). Fix \(\varepsilon > 0\). A QES \((\tau _K, E, D)\) is \(\varepsilon \)-approximately secret (\(\epsilon \)-ITS) if, for any \(\mathcal {H}_B\) and any \(\varrho _{AB}\), setting \(\sigma _{CBK}=E(\varrho _{AB}\otimes \tau _K)\) implies \(I(C:B)_\sigma \le \varepsilon .\)

Analogously to the exact case, unitary schemes satisfying approximate secrecy are equivalent to approximate one-designs (see the full version of this article [3]).

4.1 Approximate Non-malleability

Definition. We now define a natural approximate-case analogue of NM, i.e., Definition 3.4. Let us briefly recall the context. The malleability scenario is described by systems A, C, B and R (respectively, plaintext, ciphertext, side-information, and reference), an initial tripartite state \(\varrho _{ABR}\), and an attack channel \(\varLambda _{CB\rightarrow C\tilde{B}}\). Given this data, we have the effective channel \(\tilde{\varLambda }_{AB \rightarrow A\tilde{B}}\) defined in Eq. (3.1) and the “unavoidable attack” probability \(p_=(\varLambda , \varrho )\) defined in Eq. (3.2). The new definition now simply relaxes the requirement on the increase of the adversary’s mutual information.

Definition 4.2

(Approximate non-malleability). A QES \(\,(\tau _K,E, D)\) is \(\varepsilon \)-non-malleable (\(\varepsilon \)-NM) if for any state \(\varrho _{ABR}\) and any CPTP map \(\varLambda _{CB \rightarrow C\tilde{B}}\), we have

$$\begin{aligned} I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )} \le I(AR:B)_\varrho + h(p_{=}(\varLambda ,\varrho ))+\varepsilon . \end{aligned}$$

(4.1)

We record the approximate version of Proposition 3.5, i.e., non-malleability implies secrecy. The proof is a straightforward adaptation of the exact case.

Proposition 4.3

Let \((\tau _K,E, D)\) be an \(\varepsilon \)-NM QES. Then \((\tau _K,E, D)\) is \(2\varepsilon \)-ITS.

Non-malleability with Approximate Designs. Continuing as before, we now generalize the characterization theorems of non-malleability (Theorems 3.6 and 3.7) to the approximate case.

Theorem 4.4

Let \((\tau , E, D)\) be a QES with ciphertext dimension \(|C|=2^{m}\) and \(r>0\) a sufficiently large constant. Then the following holds:

1. 1.

   If \((\tau , E, D)\) is \(2^{-r m}\)-\(\textsf {NM}\), then for any attack \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map \(\tilde{\varLambda }_{AB\rightarrow A\tilde{B}}\) is \(2^{-\varOmega (m)}\)-close (in diamond norm) to

   $$\begin{aligned} \tilde{\varLambda }^{\mathrm {exact}}_{AB\rightarrow A\tilde{B}}=\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2\left\langle D_K(\tau )\right\rangle -\mathrm {id}\right) _A\otimes \varLambda ''_{B\rightarrow \tilde{B}}, \end{aligned}$$

   with \(\varLambda '\), \(\varLambda ''\) as in Theorem 3.7.

2. 2.

   Suppose that \(\log |R| = O(2^m)\), where R is the reference register in Definition 4.2. Then there exists a constant r, such that if every attack \(\varLambda _{CB\rightarrow C\tilde{B}}\) results in an effective map that is \(2^{-r m}\)-close to \(\tilde{\varLambda }^{\mathrm {exact}}\), then the scheme is \(2^{-\varOmega (m)}\)-NM.

This theorem is proven with explicit constants in Appendix B as Theorem B.3. The condition on R required for the second implication is necessary, as the relevant mutual information can at worst grow proportional to the logarithm of the dimension according to the Alicki-Fannes inequality. This is not a very strong requirement, as it should be relatively easy for the honest parties to put a bound on their total memory.

Next, we record the corollary which states that, for unitary schemes, approximate non-malleability is equivalent to encryption with an approximate 2-design. The proof proceeds as in the exact case, now starting from Theorem 4.4.

Theorem 4.5

Let \(\varPi = (\tau _K, E, D)\) be a unitary \(\textsf {QES}\) for n-qubit messages and \(f:\mathbb {N}\rightarrow \mathbb {N}\) a function that grows at most exponential. Then there exists a constant \(r>0\) such that

1. 1.

   If \(\{E_k\}\) is a \(\varOmega (2^{-rn})\)-approximate 2-design and \(\log |R|\le f(n)\), then \(\varPi \) is \(2^{-\varOmega (n)}\)-\(\textsf {NM}\).

2. 2.

   If \(\varPi \) is \(\varOmega (2^{-rn})\)-\(\textsf {NM}\), then \(\{E_k\}_{k\in K}\) is a \(2^{-\varOmega (n)}\)-approximate 2-design.

Relationship to Approximate ABW. Recall that, in Sect. 3.2, we discussed the relationship between our notion of exact non-malleability and that of Ambainis et al. [6] (i.e., ABW-NM.) As we now briefly outline, our conclusions carry over to the approximate case without any significant changes.

As described in Eq. (3”) of [6], one first relaxes the notion of ABW-NM appropriately by requiring that the containment (3.15) in Definition 3.8 holds up to \(\varepsilon \) error in the diamond-norm distance. In the unitary case, both definitions are equivalent to approximate 2-designs (by the results of [6], and our Theorem 4.5). In the case of general schemes, the plaintext injection attack described in Example 3.10 again shows that approximate ABW-NM is insufficient, and that approximate \(\textsf {NM}\) is strictly stronger.

4.2 Authentication

Definitions. Our definitions of authentication will be faithful to the original versions in [16, 18], with one slight modification. When decryption rejects, our encryption schemes (Definition 3.1) output \(\bot \) in the plaintext space, rather than setting an auxiliary qubit to a “reject” state. These definitions are equivalent in the sense that one can always set an extra qubit to “reject” conditioned on the plaintext being \(\bot \) (or vice-versa). Nonetheless, as we will see below, this mild change has some interesting consequences.

We begin with the definition of Dupuis, Nielsen and Salvail [16], which demands that the effective average channel of the attacker ignores the plaintext.

Definition 4.6

(DNS Authentication [16]). A QES \((\tau _K, E, D)\) is called \(\varepsilon \)-DNS-authenticating if, for any CPTP-map \(\varLambda _{CB\rightarrow CB'}\), there exists CP-maps \(\varLambda ^\textsf {acc}_{B\rightarrow \tilde{B}}\) and \(\varLambda ^\textsf {rej}_{B\rightarrow \tilde{B}}\) such that \(\varLambda ^\textsf {acc}+ \varLambda ^\textsf {rej}\) is¹ TP, and for all \(\varrho _{AB}\) we have

$$\begin{aligned} \bigl \Vert \mathrm {Tr}_K D(\varLambda (E(\varrho _{AB}\otimes \tau _K))) - (\varLambda ^\textsf {acc}(\varrho _{AB}) + |\bot \rangle \langle \bot |\otimes \varLambda ^\textsf {rej}(\varrho _{B}))\bigr \Vert _1\le \varepsilon . \end{aligned}$$

(4.2)

An alternative definition was recently given by Garg, Yuen and Zhandry [18]. It asks that, conditioned on acceptance, with high probability the effective channel is close to a channel which ignores the plaintext.

Definition 4.7

(GYZ Authentication [18]). A QES \((\tau _K, E, D)\) is called \(\varepsilon \)-GYZ-authenticating if, for any CPTP-map \(\varLambda _{CB\rightarrow CB'}\), there exists a CP-map \(\varLambda ^\textsf {acc}_{B\rightarrow \tilde{B}}\) such that for all \(\varrho _{AB}\)

$$\begin{aligned} \bigl \Vert \varPi _\textsf {acc}\,D(\varLambda (E(\varrho _{AB}\otimes \tau _K)))\,\varPi _\textsf {acc}- \varLambda ^\textsf {acc}(\varrho _{AB})\otimes \tau _K\bigr \Vert _1\le \varepsilon . \end{aligned}$$

(4.3)

Here \(\varPi _\textsf {acc}\) is the acceptance projector, i.e. projection onto \(\mathcal {H}_A\) in \(\mathcal {H}_A\oplus \mathbb {C}| \bot \rangle \).

A peculiar aspect of the original definition in [18] is that it does not specify the outcome in case of rejection, and is thus stated in terms of trace non-increasing maps. Of course, all realistic quantum maps must be CPTP; this means that the designer of the encryption scheme must still declare what to do with the contents of the plaintext register after decryption. Our notion of decryption makes one such choice (i.e., output \(\bot \)) which seems natural.

GYZ Authentication Implies DNS Authentication. A priori, the relationship between Definition 2.2 in [16] and Definition 8 in [18] is not completely clear. On one hand, the latter is stronger in the sense that it requires success with high probability (rather than simply on average.) On the other hand, the former makes the additional demand that the ciphertext is untouched even if we reject. As we now show, GYZ-authentication in fact implies DNS-authentication.

Theorem 4.8

Let \((\tau , E,D)\) be \(\varepsilon \)-totally authenticating for sufficiently small \(\varepsilon \). Then it is \(O(\sqrt{\varepsilon })\)-DNS authenticating.

Proof

Let \(\varLambda _{CB\rightarrow C\tilde{B}}\) be a CPTP map and \(\varepsilon \le 62^{-2}\). By Definition 4.7 there exists a CP map \(\varLambda '_{B\rightarrow \tilde{B}}\) such that for all states \(\varrho _{AB}\),

$$\begin{aligned} \left\| \varPi _a D(\varLambda (E(\varrho _{AB}\otimes \tau _K)))\varPi _a-\varLambda '(\varrho _{AB}\otimes \tau _K)))\right\| _1\le \varepsilon . \end{aligned}$$

(4.4)

Assume for simplicity that \(D=M_\bot \circ D\), where \(M_\bot \) measures the rejection symbol versus the rest. (otherwise we can define a new decryption map that way.) Define the CP maps

$$ \varLambda ''_{B\rightarrow \tilde{B}} =\mathrm {Tr}_C\varLambda (E_K(\tau _A)\otimes (\cdot )). $$

By Theorem 15 in [18] we have

$$\begin{aligned} \left| E_K(\varrho _{ABR})-E_K(\tau _A)\otimes \varrho _{BR}\right\| _1\le 14\sqrt{\varepsilon }, \end{aligned}$$

(4.5)

which implies that

$$\begin{aligned} \left\| \mathrm {Tr}_A\otimes \varLambda ''-\mathrm {Tr}_C\circ \varLambda \circ E_K\right\| _\diamond \le \hat{\varepsilon }:= 14\sqrt{\varepsilon }. \end{aligned}$$

(4.6)

Note that

$$\begin{aligned} \mathrm {Tr}_C\!\circ \!\varLambda \!\circ \! E_K&=\mathrm {Tr}_{CK}\!\circ \!\varLambda \!\circ \! E((\cdot )\otimes \tau _K) \nonumber \\&=\mathrm {Tr}_{AK}\!\circ \! D\!\circ \!\varLambda \!\circ \! E((\cdot )\otimes \tau _K)=\mathrm {Tr}_A\!\circ \!\tilde{\varLambda }. \end{aligned}$$

(4.7)

On the other hand, we also have that, by Eq. (4.4),

$$\begin{aligned} \bigl \Vert \mathrm {Tr}_A\circ \tilde{\varLambda }-\mathrm {Tr}_A\otimes \varLambda '-\varLambda ^{(2)}\bigr \Vert \le \bigl \Vert \mathrm {Tr}_A\left( \varPi _a\tilde{\varLambda }(\cdot )\right) -\varLambda '\bigr \Vert _\diamond \le \varepsilon \end{aligned}$$

(4.8)

Combining Eqs. (4.6), (4.7) and (4.8), we get

$$\begin{aligned} \bigl \Vert \varLambda ^{(2)}-\mathrm {Tr}_A\otimes (\varLambda ''-\varLambda ')\bigr \Vert _\diamond \le \varepsilon +\hat{\varepsilon }. \end{aligned}$$

(4.9)

Now observe that

$$\begin{aligned} \left[ \mathrm {Tr}_A\otimes (\varLambda '-\varLambda '')_{B\rightarrow \tilde{B}}\right] \circ \varXi _{A\rightarrow A}=\mathrm {Tr}_A\otimes (\varLambda '-\varLambda '')_{B\rightarrow \tilde{B}} \end{aligned}$$

(4.10)

For all CPTP maps \(\varXi _{A\rightarrow A}\). We define \(\varLambda '''_{B\rightarrow \tilde{B}}=\varLambda ^{(2)}(\tau _A\otimes (\cdot ))\) and calculate

$$\begin{aligned} \bigl \Vert \varLambda ^{(2)}-\mathrm {Tr}_A\otimes \varLambda '''\bigr \Vert _\diamond&\le \bigl \Vert \varLambda ^{(2)}-\mathrm {Tr}_A\otimes (\varLambda ''-\varLambda ')\bigr \Vert _\diamond \\&~~~+\bigl \Vert \mathrm {Tr}_A\otimes (\varLambda ''-\varLambda ')-\mathrm {Tr}_A\otimes \varLambda '''\bigr \Vert _\diamond \,, \end{aligned}$$

by the triangle inequality for the diamond norm. Continuing with the calculation,

$$\begin{aligned} \bigl \Vert \varLambda ^{(2)}-\mathrm {Tr}_A\otimes \varLambda '''\bigr \Vert _\diamond&\le \varepsilon +\hat{\varepsilon }+\bigl \Vert \mathrm {Tr}_A\otimes (\varLambda ''-\varLambda ')-\mathrm {Tr}_A\otimes \varLambda '''\bigr \Vert _\diamond \nonumber \\&= \varepsilon +\hat{\varepsilon }+\bigl \Vert \bigl [\mathrm {Tr}_A\otimes (\varLambda ''-\varLambda ')-\varLambda ^{(2)}\bigr ]\circ \langle \tau _A\rangle _{A\rightarrow A}\bigr \Vert _\diamond \nonumber \\&\le 2(\varepsilon +\hat{\varepsilon })=28\sqrt{\varepsilon }+2\varepsilon . \end{aligned}$$

(4.11)

The first inequality above is Eq. (4.9). The first equality is just a rewriting of the definition of \(\varLambda '''\), and the second equality is Eq. (4.10). Finally, the last inequality is due to Eq. (4.9) and the fact that the diamond norm is submultiplicative.

We have almost proven security according to Definition 4.6, as we have shown \(\tilde{\varLambda }\) to be close in diamond norm to \(\mathrm {id}_A\otimes \varLambda '+\big \langle |\bot \rangle \langle \bot |\big \rangle \otimes \varLambda '''\). However, \(\varLambda '+\varLambda '''\) is only approximately TP; more precisely, we have that for all \(\varrho _{ABR}\),

$$\begin{aligned} |\mathrm {Tr}(\varLambda '+\varLambda ''')(\varrho _{ABR})-1|&\le 28\sqrt{\varepsilon }+3\varepsilon \end{aligned}$$

(4.12)

by the triangle inequality. We therefore have to modify \(\varLambda ' + \varLambda ''\) so that it becomes TP, while keeping the structure required for DNS authentication. Let \(M_B=(\varLambda '+\varLambda ''')^\dagger (\mathbbm {1}_{\tilde{B}})\). (4.12). Defining the CP-map \(\mathcal {M}(X)=M^{-1/2}XM^{-1/2}\) and noting it is well-behaved for small \(\varepsilon \), it follows from a straightforward calculation (see the full version [3] of this article for details) that

$$\begin{aligned} \left| \tilde{\varLambda }_{AB\rightarrow A\tilde{B}}-\mathrm {id}_A\otimes \varLambda ^{\textsf {acc}}_{B\rightarrow \tilde{B}}-\bot \otimes \varLambda ^{\textsf {rej}}_{B\rightarrow \tilde{B}}\right\| _\diamond \le O(\sqrt{\varepsilon }). \end{aligned}$$

(4.13)

with \(\lambda ^{\textsf {acc}}=\varLambda '\circ \mathcal M\) and \(\varLambda ^{\textsf {rej}}=\varLambda ''\circ \mathcal M\).    \(\square \)

Achieving GYZ Authentication with Two-Designs. In [18], the authors provide a scheme for their notion of authentication based on unitary eight-designs. We now show that, in fact, an approximate 2-design suffices. This implies that the well-known Clifford scheme (see e.g. [11, 15]) satisfies the strong security of Definition 4.7. We remark that our proof is inspired by the reasoning based on Schur’s lemma used in results on decoupling [8, 9, 17, 24].

Theorem 4.9

Let \(\mathrm D=\left\{ U_k\right\} _k\) be a \(\delta \)-approximate unitary 2-design on \(\mathcal {H}_C\). Let \(\mathcal {H}_C=\mathcal {H}_{A}\otimes \mathcal {H}_T\) and define

$$\begin{aligned} E_k(X_A)&= U_k\left( X_A\otimes |0\rangle \langle 0|_T\right) \left( U_k\right) ^\dagger \\ D_k(Y_C)&= \langle 0 |_T\left( U_k\right) ^\dagger Y U_k| 0 \rangle _T+\mathrm {Tr}((\mathbbm {1}_T-|0\rangle \langle 0|_T)\left( U_k\right) ^\dagger Y U_k)|\bot \rangle \langle \bot |. \end{aligned}$$

Then the QES \((\tau _K, E, D)\) is \(4(1/|T| + 3\delta )^{1/3}\)-GYZ-authenticating.

Remark 4.10

The following proof uses the same simulator as the proof for the 8-design scheme in [18], called “oblivious adversary” there. The construction exhibited there is efficient given that the real adversary is efficient.

Proof

To improve readability, we will occasionally switch between adding subscripts to operators (indicating which spaces they act on) and omitting these subscripts. We begin by remarking that it is sufficient to prove the GYZ condition (specifically, Eq. 4.3) for pure input states and isometric adversary channels. Indeed, for a general state \(\varrho _{AB}\) and a general map \(\varLambda _{CB\rightarrow C\tilde{B}}\), we may let \(\varrho _{ABR}\) and \(V_{CB\rightarrow C\tilde{B}E}\) be the purification and Stinespring dilation, respectively. We then simply observe that the trace distance decreases under partial trace (see e.g. [25]). Let \(\varrho _{AB}\) be a pure input state and

$$ \varLambda _{CB\rightarrow C\tilde{B}}(X_{CB}) = V_{CB\rightarrow C\tilde{B}}X_{CB}V_{CB\rightarrow C\tilde{B}}^\dagger $$

an isometry. We define the corresponding “ideal” channel \(\varGamma _V\), and the corresponding “real, accept” channel \(\varPhi _k\), as follows:

$$\begin{aligned} \left( \varGamma _V\right) _{B\rightarrow \tilde{B}}&=\frac{1}{|C|}\mathrm {Tr}_CV\text { and}\nonumber \\ \left( \varPhi _k\right) _{AB\rightarrow A\tilde{B}}&=\langle 0 |_T(U_k)^\dagger _C V_{CB\rightarrow C\tilde{B}} U_k| 0 \rangle _T. \end{aligned}$$

(4.14)

Note that for any matrix M with \(\Vert M\Vert _\infty \le 1\), the map \(\varLambda _M(X)=M^\dagger XM\) is completely positive and trace non-increasing. We have

$$\begin{aligned} \left\| \varGamma _V\right\| _\infty \le \frac{1}{|C|}\sum _i\left\| \langle i | V | i \rangle \right\| _\infty \le 1. \end{aligned}$$

(4.15)

We start by bounding the expectation of \(\left\| (\left( \varGamma _V\right) _{B\rightarrow \tilde{B}}-\left( \varPhi _k\right) _{AB\rightarrow A\tilde{B}})| \varrho \rangle _{AB}\right\| _2^2\), as follows. To simplify notation, we set \(\sigma _{ABT} := |\varrho \rangle \langle \varrho |_{AB}\otimes |0\rangle \langle 0|_T\) to be the tagged state corresponding to plaintext (and side information) \(\varrho _{AB}\).

$$\begin{aligned} \frac{1}{|K|}&\sum _k\left\| (\varGamma _V-\varPhi _k)| \varrho \rangle \right\| _2^2 =\frac{1}{|K|}\sum _k\langle \varrho |(\varGamma _V-\varPhi _k)^\dagger (\varGamma _V-\varPhi _k)| \varrho \rangle \nonumber \\&=\frac{1}{|K|}\sum _k\mathrm {Tr}\left[ \sigma _{ABT} (U_k)^\dagger V^\dagger U_k|0\rangle \langle 0|(U_k)^\dagger V U_k\right] \nonumber \\&~~~~~- 2\frac{1}{|K|}\sum _k\mathrm {Tr}\left[ \sigma _{ABT} (U_k)^\dagger V^\dagger U_k \varGamma _V\right] + \langle \varrho |\left( \varGamma _V\right) ^\dagger \varGamma _V| \varrho \rangle . \end{aligned}$$

(4.16)

First we bound the second term, using the fact that \(\varGamma _V\) only acts on B.

$$\begin{aligned} \frac{1}{|K|}&\sum _k\mathrm {Tr}\left[ \sigma _{ABT} (U_k)^\dagger V^\dagger U_k \varGamma _V\right] = \frac{1}{|K|}\sum _k\mathrm {Tr}\left[ U_k\sigma _{ABT}(U_k)^\dagger V^\dagger \varGamma _V\right] \nonumber \\&= \int \mathrm {Tr}\left[ \left( U \sigma _{ABT} U^\dagger +\varDelta \right) V^\dagger \varGamma _V\right] \ge \int \mathrm {Tr}\left[ U \sigma _{ABT} U^\dagger V^\dagger \varGamma _V\right] -\delta \nonumber \\&= \int \mathrm {Tr}\left[ \sigma _{ABT} U^\dagger V^\dagger U\varGamma _V\right] -\delta = \langle \varrho |\left( \varGamma _V\right) ^\dagger \varGamma _V| \varrho \rangle -\delta . \end{aligned}$$

(4.17)

In the above, the operator \(\varDelta \) is the “error” operator in the \(\delta \)-approximate 2-design. The second equality above follows from \(\Vert \varDelta \Vert _1 \le \delta \) and the fact that a 2-design is also a 1-design; the inequality follows by Hölder’s inequality, and the last step follows from Schur’s lemma.

The first term of the RHS of Eq. (4.16) can be simplified as follows. We will begin by applying the swap trick (Lemma 2.1) \(\mathrm {Tr}[XY]=\mathrm {Tr}[F X\otimes Y]\) in the second line below. The swap trick is applied to register \(CC'\), with the operators X and Y defined as indicated below.

$$\begin{aligned}&\frac{1}{|K|}\sum _k \mathrm {Tr}\Bigl [\,\underbrace{\sigma _{ABT}(U_k)^\dagger _{C} V^\dagger _{C\tilde{B}\rightarrow CB} (U_k)_C|0\rangle \langle 0|_T}_{X}\,\underbrace{(U_k)^\dagger _C V_{CB\rightarrow C\tilde{B}} (U_k)_C}_{Y}\,\Bigr ]\nonumber \\&= \frac{1}{|K|}\sum _k \mathrm {Tr}\left[ \left( \sigma _{ABT}\otimes |0\rangle \langle 0|_{T'}\right) \left( U_k^{\otimes 2}\right) _{CC'}V^\dagger _{C\tilde{B}\rightarrow CB}V_{C'B\rightarrow C'\tilde{B}}\left( U_k^{\otimes 2}\right) _{CC'}^\dagger F_{CC'}\right] \nonumber \\&= \frac{1}{|K|}\sum _k \mathrm {Tr}\left[ \left( U_k^{\otimes 2}\right) _{CC'}^\dagger \left( \sigma _{ABT}\otimes |0\rangle \langle 0|_{T'}\right) \left( U_k^{\otimes 2}\right) _{CC'}V^\dagger _{C\tilde{B}\rightarrow CB}V_{C'B\rightarrow C'\tilde{B}} F_{CC'}\right] \nonumber \\&\le \int \mathrm {Tr}\left[ \left( U^{\otimes 2}\right) _{CC'}^\dagger \left( \sigma _{ABT}\otimes |0\rangle \langle 0|_{T'}\right) U^{\otimes 2}_{CC'}V^\dagger _{C\tilde{B}\rightarrow CB}V_{C'B\rightarrow C'\tilde{B}} F_{CC'}\right] +\delta \nonumber \\&= \int \mathrm {Tr}\left[ \left( \sigma _{ABT}\otimes |0\rangle \langle 0|_{T'}\right) U^{\otimes 2}_{CC'}V^\dagger _{C\tilde{B}\rightarrow CB}V_{C'B\rightarrow C'\tilde{B}}\left( U^{\otimes 2}\right) _{CC'}^\dagger F_{CC'}\right] +\delta . \end{aligned}$$

(4.18)

The inequality above follows the same way as in Eq. 4.17. Let \(d=|C|\).

An easy representation-theoretic calculation (see the Full version [3] for details) shows that

$$\begin{aligned} \int U^{\otimes 2}V^\dagger _{C\tilde{B}\rightarrow CB}V_{C'B\rightarrow C'\tilde{B}}\left( U^{\otimes 2}\right) ^\dagger \mathrm {d}U = \mathbbm {1}_{CC'}\otimes R^{\mathbbm {1}}_B+F_{CC'}\otimes R^F_B, \end{aligned}$$

(4.19)

where we have set

$$\begin{aligned} R^{\mathbbm {1}}_B=&\frac{1}{d(d^2-1)}\left( d^3\varGamma _V^\dagger \varGamma _V -d\mathbbm {1}\right) =\frac{1}{(d^2-1)}\left( d^2\varGamma _V^\dagger \varGamma _V -\mathbbm {1}\right) \\ R^{F}_B=&\frac{1}{d(d^2-1)}\left( d^2\mathbbm {1}-d^2\varGamma _V^\dagger \varGamma _V\right) =\frac{d}{(d^2-1)}\left( \mathbbm {1}-\varGamma _V^\dagger \varGamma _V\right) . \end{aligned}$$

plugging (4.19) into (4.18) and using Lemma 2.1 again, we get

$$\begin{aligned} \int \mathrm {Tr}&\left[ \left( \sigma _{ABT}\otimes |0\rangle \langle 0|_{T'}\right) U^{\otimes 2}_{CC'}V^\dagger _{C\tilde{B}\rightarrow CB}V_{C'B\rightarrow C'\tilde{B}}\left( U^{\otimes 2}\right) _{CC'}^\dagger F_{CC'}\right] \nonumber \\&= \mathrm {Tr}\left[ \left( \sigma _{ABT}\otimes |0\rangle \langle 0|_{T'}\right) \left( \mathbbm {1}_{CC'}\otimes R^{\mathbbm {1}}_{B^2\rightarrow \tilde{B}^2}+F_{CC'}\otimes R^F_{B^2\rightarrow \tilde{B}^2}\right) F_{CC'}\right] \nonumber \\&= \mathrm {Tr}\left[ |\varrho \rangle \langle \varrho |_{B}\left( R^{\mathbbm {1}}_{B}+|A| R^F_{B}\right) \right] \nonumber \\&= \mathrm {Tr}\left[ |\varrho \rangle \langle \varrho |_{B}\left( \frac{d(d-|A|)}{d^2-1}\left( \varGamma _V^\dagger \varGamma _V\right) _B+\frac{d|A|-1}{d^2-1}\mathbbm {1}_B\right) \right] . \end{aligned}$$

(4.20)

Now recall that \(d=|A||T|\). Using the fact that \((a-1)/(b-1)\le a/b\) for \(b \ge a\), we can give a bound as follows.

$$\begin{aligned} \mathrm {Tr}&\left[ |\varrho \rangle \langle \varrho |\left( \frac{d(d-|A|)}{d^2-1}\left( \varGamma _V^\dagger \varGamma _V\right) +\frac{d|A|-1}{d^2-1}\mathbbm {1}\right) \right] \nonumber \\&= \frac{d|A|(|T|-1)}{d^2-1}\langle \varrho |\left( \varGamma _V^\dagger \varGamma _V\right) | \varrho \rangle +\frac{d|A|-1}{d^2-1}\nonumber \\&\le \langle \varrho |\left( \varGamma _V^\dagger \varGamma _V\right) | \varrho \rangle +\frac{1}{|T|} . \end{aligned}$$

(4.21)

Putting everything together, we arrive at

$$\begin{aligned} \frac{1}{|K|}\sum _k\left\| (\varGamma _V-\varPhi _k)| \varrho \rangle \right\| _2^2\le \frac{1}{|T|}+3\delta . \end{aligned}$$

(4.22)

By Markov’s inequality this implies

$$\begin{aligned} \mathbb {P}\left[ \bigl \Vert (\varGamma _V-\varPhi _k)| \varrho \rangle \bigr \Vert _2^2>\alpha \left( \frac{1}{|T|}+3\delta \right) \right] \le \frac{1}{\alpha } \end{aligned}$$

(4.23)

which is equivalent to

$$\begin{aligned} \mathbb {P}\left[ \bigl \Vert (\varGamma _V-\varPhi _k)| \varrho \rangle \bigr \Vert _2>\alpha ^{1/2}\left( \frac{1}{|T|}+3\delta \right) ^{1/2}\right] \le \frac{1}{\alpha }, \end{aligned}$$

(4.24)

where the probability is taken over the uniform distribution on \(\mathrm {D}\). Choosing \(\alpha =(1/|T|+3\delta )^{-1/3}\) this yields

$$\begin{aligned} \mathbb {P}\left[ \left\| (\varGamma _V-\varPhi _k)| \varrho \rangle \right\| _2>\left( \frac{1}{|T|}+3\delta \right) ^{1/3}\right] \le \left( \frac{1}{|T|}+3\delta \right) ^{1/3}. \end{aligned}$$

(4.25)

Let \(S\subset D\) be such that \(|S|/|\mathrm D|\ge 1-(1/|T|+3\delta )^{1/3}\) and \(\left\| (\varGamma _V-\varPhi _k)| \varrho \rangle \right\| _2\le (1/|T|+3\delta )^{1/3}\) for all \(U_k\in S\). Using the easy-to-verify inequality \(\Vert |\psi \rangle \langle \psi |-|\phi \rangle \langle \phi |\Vert _1\le 2\Vert | \psi \rangle -| \phi \rangle \Vert _2\), we can bound

$$\begin{aligned} \frac{1}{|K|}&\sum _{U_k\in \mathcal D}\left\| \varPhi _k|\varrho \rangle \langle \varrho |\left( \varPhi _k\right) ^\dagger -\varGamma _V|\varrho \rangle \langle \varrho |\varGamma _V^\dagger \right\| _1\nonumber \\&\le \frac{1}{|S|}\sum _{U_k\in \mathcal S}\left\| \varPhi _k|\varrho \rangle \langle \varrho |\left( \varPhi _k\right) ^\dagger -\varGamma _V|\varrho \rangle \langle \varrho |\varGamma _V^\dagger \right\| _1+2\left( \frac{1}{|T|}+3\delta \right) ^{1/3}\nonumber \\&\le \frac{2}{|S|}\sum _{U_k\in \mathcal S}\left\| (\varGamma _V-\varPhi _k)| \varrho \rangle \right\| _2+2|T|^{-1/3}\nonumber \\&\le 4\left( \frac{1}{|T|}+3\delta \right) ^{1/3}. \end{aligned}$$

(4.26)

This completes the proof for pure states and isometric adversary channels. As noted above, the general case follows.    \(\square \)

As an example, one may set \(|T|=2^{s}\) (i.e. s tag qubits) and take an approximate unitary 2-design of accuracy \(2^{-s}\). The resulting scheme would then be \(\varOmega (2^{-s/3})\)-GYZ-authenticating.

A straightforward corollary of the above result is that, in the case of unitary schemes, adding tags to non-malleable schemes results in GYZ authentication. We leave open the question of whether this is the case for general (not necessarily unitary) schemes.

Corollary 4.11

Let \((\tau , E, D)\) be a \(2^{-rn}\)-non-malleable unitary QES with plaintext space A. Define a new scheme \((\tau , E', D')\) with plaintext space \(A'\) where \(A = TA'\) and

$$\begin{aligned} E'(X)&= E(X\otimes |0\rangle \langle 0|_T)\\ D'(Y)&= \langle 0 |_TD(Y)| 0 \rangle _T+\mathrm {Tr}\left[ (\mathbbm {1}_T-|0\rangle \langle 0|_T)D(Y)\right] |\bot \rangle \langle \bot |. \end{aligned}$$

Then there is a constant \(r>0\) such that \((\tau , E', D')\) is \(2^{-\varOmega (n)}\)-GYZ-authenticating if \(|T|=2^{\varOmega (n)}\).

The proof is a direct application of Theorem 4.5 (approximate non-malleability is equivalent to approximate 2-design) and Theorem 4.9 (approximate 2-designs suffice for GYZ authentication.) We emphasize that, by Remark 2.3, exponential accuracy requirements can be met with polynomial-size circuits.

DNS Authentication from Non-malleability. We end with a theorem concerning the case of general (i.e., not necessarily unitary) schemes. We show that adding tags to a non-malleable scheme results in a DNS-authenticating scheme. In this proof we will denote the output system of the decryption map by \(\overline{A}\) to emphasize that it is A enlarged by the reject symbol.

Theorem 4.12

Let r be a sufficiently large constant, and let \((\tau , E, D)\) be an \(2^{-rn}\)-NM QES with n qubit plaintext space A, and choose an integer d dividing |A|. Then there exists a decomposition \(A=TA'\) and a state \(| \psi \rangle _T\) such that \(|T| = d\) and the scheme \((\tau , E', D')\) defined by

$$\begin{aligned} E^t(X)&= E(X\otimes |\psi \rangle \langle \psi |_T)\\ D^t(Y)&= \langle \psi |_TD(Y)| \psi \rangle _T+\mathrm {Tr}\left[ (\mathbbm {1}_T-|\psi \rangle \langle \psi |_T)D(Y)\right] |\bot \rangle \langle \bot |. \end{aligned}$$

is \((4/|T|)+2^{-\varOmega (n)}\)-DNS-authenticating.

Proof

We prove the statement for \(\varepsilon =0\) for simplicity, the general case follows easily by employing Theorem 4.4 instead of Theorem 3.7.

By Theorem 3.7, for any attack map \(\varLambda _{CB\rightarrow C\tilde{B}}\), the effective map is equal to

$$\begin{aligned} \tilde{\varLambda }_{AB\rightarrow \overline{A}\tilde{B}}=\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2 \langle D_K(\tau _C)\rangle -\mathrm {id}\right) _{\overline{A}}\otimes \varLambda ''_{B\rightarrow \tilde{B}} \end{aligned}$$

(4.27)

for CP maps \(\varLambda '\) and \(\varLambda ''\) whose sum is TP. The effective map under the tagged scheme is therefore

$$\begin{aligned} \tilde{\varLambda }^t_{A'B\rightarrow \overline{A}'\tilde{B}}&= \langle \psi |_T\tilde{\varLambda }_{AB\rightarrow \overline{A}\tilde{B}}((\cdot )\otimes \psi _T)| \psi \rangle _T\\&~~~+\mathrm {Tr}\bigl [(\mathbbm {1}_T-\psi _T)\tilde{\varLambda }_{AB\rightarrow \overline{A}\tilde{B}}((\cdot )\otimes \psi _T)\bigr ]|\bot \rangle \langle \bot |\\&=\left( \mathrm {id}_{A'}\right) _{A'\rightarrow \overline{A}'}\otimes \varLambda '_{B\rightarrow \tilde{B}}\\&~~~+\bigl (|C|^2 \big \langle \bigl (\langle \psi |_TD_K(\tau _C)| \psi \rangle _T\bigr )_{A'}\oplus \beta |\bot \rangle \langle \bot |\big \rangle -\mathrm {id}_{A'}\bigr )_{A\rightarrow \overline{A}'}\otimes \frac{\varLambda ''_{B\rightarrow \tilde{B}}}{|C|^2-1}\\ \end{aligned}$$

with \(\beta = \mathrm {Tr}\left[ (\mathbbm {1}-\psi )_TD_K(\tau _C)\right] \). We would like to say that, unless the output is the reject symbol, the effective map on A is the identity. We do not know, however, what \(D_K(\tau _C)\) looks like. Therefore we apply a standard reasoning that if a quantity is small in expectation, then there exists at least one small instance. We calculate the expectation of \(\mathrm {Tr}\langle \psi |_TD_K(\tau _C)| \psi \rangle _T\) when the decomposition \(A=TA'\) is drawn at random according to the Haar measure,

$$\begin{aligned} \int \mathrm {Tr}\langle \psi |U_A^\dagger D_K(\tau _C)U_A| \psi \rangle _T \mathrm {d}U_A&=\mathrm {Tr}\left[ \left( \int U_A| \psi \rangle _T\otimes \mathbbm {1}_{A'}\psi U_A^\dagger \mathrm {d}U_A\right) D_K(\tau _C)\right] \nonumber \\&=\frac{\mathrm {Tr}\mathbbm {1}_A}{\mathrm {Tr}\varPi _\textsf {acc}}\mathrm {Tr}\varPi _{\textsf {acc}}D_K(\tau _C)\nonumber \\&\le 1/|T|. \end{aligned}$$

(4.28)

Hence there exists at least one decomposition \(A=TA'\) and a state \(| \psi \rangle _T\) such that \(\hat{\gamma }:=\mathrm {Tr}\langle \psi |_TD_K(\tau _C)| \psi \rangle _T\le 1/|T|\). Define \(\gamma =\max (\hat{\gamma }, |C|^{-2})\). For the resulting primed scheme, let

$$ \varLambda _{\textsf {rej}}:=\frac{(1-\gamma )|C|^2}{|C|^2-1}\varLambda '' \qquad \text {and} \qquad \varLambda _{\textsf {acc}}=\varLambda '+\frac{\gamma |C|^2-1}{|C|^2-1}\varLambda '' . $$

We calculate the diamond norm difference between the real effective map an the ideal effective map,

$$\begin{aligned}&\bigl \Vert \tilde{\varLambda }^t-\mathrm {id}\otimes \varLambda _\textsf {acc}-\langle |\bot \rangle \langle \bot |\rangle \otimes \varLambda _\textsf {rej}\bigr \Vert _\diamond \nonumber \\&\le \bigl \Vert \mathrm {id}\otimes \varLambda '+\frac{1}{|C|^2-1}\bigl (|C|^2 \big \langle \bigl (\langle \psi |D_K(\tau )| \psi \rangle \bigr )\big \rangle -\mathrm {id}\bigr ) \otimes \varLambda ''-\mathrm {id}\otimes \varLambda _\textsf {acc}\bigr \Vert _\diamond \nonumber \\&~~~~~+\bigl \Vert \langle |\bot \rangle \rangle \langle \bot \rangle |\otimes (1-\hat{\gamma })|C|^2\varLambda '' / (|C|^2-1)-\langle |\bot \rangle \langle \bot |\rangle \otimes \varLambda _\textsf {rej}\bigr \Vert _\diamond \nonumber \\&\le (1+|C|^{-2})(|T|^{-1}+2|C|^{-2})\nonumber \\&= |T|^{-1}(1+(|A'||T|)^{-2})(1+2|A'|^{-2})\nonumber \\&\le 4|T|^{-1} \end{aligned}$$

(4.29)

as desired.    \(\square \)

Appendices

A Technical lemmas

In the following we state some technical Lemmas that we need in this article. The proofs can be found in the full version [3].

Lemma A.1

Let \(X_{A\rightarrow B}\in L(\mathcal {H}_A,\mathcal {H}_B)\) be a linear operator from A to B. Then

$$\begin{aligned} X_{A\rightarrow B}| \phi ^+ \rangle _{AA'}=\sqrt{\frac{|B|}{|A|}}X^T_{B'\rightarrow A'}| \phi ^+ \rangle _{BB'}. \end{aligned}$$

(A.1)

The next group of lemmas is concerned with entropic quantities.

Lemma A.2

Let \(\varLambda _{A\rightarrow A'}^{(i)}\) be CPTP maps and \(\varLambda _{B\rightarrow B'}^{(i)}\), \(i=1,...,k\) CP maps for \(i=1,...,k\) such that \(\sum _i\varLambda _{B\rightarrow B'}^{(i)}\) is trace preserving. Let \(\varLambda ^{(i)}_{AB\rightarrow A'B'}=\varLambda _{A\rightarrow A'}^{(i)}\otimes \varLambda _{B\rightarrow B'}^{(i)}\) and define the CPTP maps

$$\begin{aligned} \varLambda _{AB\rightarrow A'B'C}=&\sum _{i=1}^k\varLambda _{AB\rightarrow A'B'}^{(i)}\otimes |i\rangle \langle i|_C\text { and}\nonumber \\ \varLambda '_{B\rightarrow B'C}=&\sum _{i=1}^k\varLambda _{B\rightarrow B'}^{(i)}\otimes |i\rangle \langle i|_C. \end{aligned}$$

(A.2)

Then

$$\begin{aligned} I(A':B')_{\varLambda (\varrho )}\le I(A:B)_\varrho +H(C|A)_{\varLambda '(\varrho )}\le I(A:B)_\varrho +H(C)_{\varLambda (\varrho )} \end{aligned}$$

(A.3)

for any quantum state \(\varrho _{AB}\).

The final lemma characterizes CPTP maps that are invertible on their image such that the inverse is CPTP as well.

Lemma A.3

Let \((\tau _K,E, D)\) be a QES. Then the encryption maps have the structure

$$\begin{aligned} \left( E_k\right) _{A\rightarrow C}=\left( V_k\right) _{A\hat{C}\rightarrow C}\left( (\cdot )\otimes \sigma ^{(k)}_{\hat{C}}\right) \left( V_k\right) _{A\hat{C}\rightarrow C}^\dagger , \end{aligned}$$

(A.4)

and the decryption maps hence must have the form

$$\begin{aligned}&\left( D_k\right) _{C\rightarrow A}=\mathrm {Tr}_{\hat{C}}\left[ \varPi _{\mathrm {supp}\sigma ^{k}}\left( V_k\right) _{A\hat{C}\rightarrow C}^\dagger \left( \cdot \right) \left( V_k\right) _{A\hat{C}\rightarrow C}\right] \nonumber \\&+ \, \left( \hat{D}_k\right) _{ C\rightarrow A}\left[ \left( \mathbbm {1}_{ C}-\varPi ^{\mathrm {valid}}_k\right) \left( \cdot \right) \left( \mathbbm {1}_{C}-\varPi ^{\mathrm {valid}}_k\right) \right] \end{aligned}$$

(A.5)

for some quantum states \(\sigma ^{(k)}_{\hat{C}}\), isometries \((V_k)_{C\rightarrow A\hat{C}}\), and some CPTP map \(\hat{D}_k\). Here, \(\varPi ^{\mathrm {valid}}_k=\left( V_k\right) _{A\hat{C}\rightarrow C}\varPi _{\mathrm {supp}\sigma ^{k}}\left( V_k\right) _{A\hat{C}\rightarrow C}^\dagger \) is the projector onto the space of valid ciphertexts.

B Proof of characterization theorem

This section is dedicated to proving the characterization theorem for non-malle-able QES, i.e., Theorem 4.4. We begin with two preparatory lemmas.

Lemma B.1

For any \(\textsf {QES}\) \((\tau , E,D)\) the map \(\mathcal {E}:=|K|^{-1}\sum _{k}D_k\otimes E_{k}^T\) satisfies

$$\mathcal {E}\left( |\phi ^+\rangle \langle \phi ^+|_{CC'}(X_C\otimes \mathrm {id}_{C'})\right) =\frac{|A|}{|C|}|\phi ^+\rangle \langle \phi ^+|_{AA'}(E_K^{\dagger }(X)\otimes \mathrm {id}_{A'})$$

This lemma is a consequence of the correctness condition and is proven in the full version [3] of this article.

Lemma B.2

Suppose \((\tau _K,E, D)\) satisfies Definition 4.2 for trivial B. Then \(\mathcal {E}:=|K|^{-1}\sum _{k}D_k\otimes E_{k}^T\) satisfies

$$\begin{aligned}&\Bigg \Vert \mathcal {E}(X)-\frac{|A|}{|C|}\bigg [\langle \phi ^+ |X| \phi ^+ \rangle |\phi ^+\rangle \langle \phi ^+|\nonumber \\&+ \, \mathrm {Tr}\left( \varPi ^-X\right) \frac{1}{|C|^2-1}\left( |C|^2D_K(\tau _C)_A\otimes \tau _{A'}-\phi ^+_{AA'}\right) \bigg ]\Bigg \Vert _\diamond \nonumber \\ \le \,&2\sqrt{2\varepsilon }|A|\left( 2\sqrt{|A|}|C|+1\right) . \end{aligned}$$

(B.1)

Proof

It follows directly from the fact that \((\tau _K,E, D)\) is a QES together with Lemma A.1 that

$$\begin{aligned} \mathcal E(\phi ^+_{CC'})=\frac{|A|}{|C|}\phi ^+_{AA'}. \end{aligned}$$

(B.2)

Let \(\varLambda ^{(i)}_{C\rightarrow C\tilde{B}_1}\), \(i=0,1\) be two attack maps such that \(\eta _{\varLambda ^{(i)}}| \phi ^+ \rangle =0\) for \(i=0,1\) and define

$$\varLambda _{C\rightarrow C\tilde{B}_1\tilde{B}_2}=\frac{1}{2}\sum _{i=0,1}|i\rangle \langle i|_{\tilde{B}_2}\otimes \varLambda ^{(i)}.$$

The \(\varepsilon \)-\(\textsf {NM}\) property implies

$$I(AA':\tilde{B}_1\tilde{B}_2)_{\eta _{\tilde{\varLambda }}}\le \varepsilon ,$$

and therefore, using Pinsker’s inequality,

$$\begin{aligned}&\Bigg \Vert \frac{1}{2}\sum _{i=0,1}|i\rangle \langle i|_{\tilde{B}}\otimes \left( \eta _{\tilde{\varLambda }^{(i)}}\right) _{CC'\tilde{B}_1}\nonumber \\&-\frac{1}{4}\left( \sum _{i=0,1}|i\rangle \langle i|_{\tilde{B}}\otimes \left( \eta _{\tilde{\varLambda }^{(i)}}\right) _{\tilde{B}_1}\right) \otimes \left( \sum _{i=0,1} \left( \eta _{\tilde{\varLambda }^{(i)}}\right) _{CC'}\right) \Bigg \Vert _1\le \sqrt{2\varepsilon }. \end{aligned}$$

(B.3)

Observe that

$$\begin{aligned} \eta _{\tilde{\varLambda }}=&\frac{1}{|K|}\sum _kD_k\circ \varLambda \circ E_k(\phi ^+_{AA'})\nonumber \\ =&\frac{|C|}{|A|}\frac{1}{|K|}\sum _k\left( D_k\otimes E_k^T\right) \circ \varLambda (\phi ^+_{CC'})\nonumber \\ =&\frac{|C|}{|A|}\mathcal E\circ \varLambda (\phi ^+_{CC'}). \end{aligned}$$

(B.4)

Setting \(\left( \eta _{\varLambda ^{(0)}}\right) _{CC'\tilde{B}_1}=\tau ^-_{CC'}\otimes \left( \eta _{\varLambda ^{(1)}}\right) _{\tilde{B}_1} \), we get

$$\begin{aligned} \eta _{\tilde{\varLambda }^{(0)}}=&\frac{|C|}{|A|}\mathcal E(\tau ^-)\otimes \left( \eta _{\varLambda ^{(1)}}\right) _{\tilde{B}_1} \nonumber \\ =&\frac{|C|}{|A|}\frac{1}{|C|^2-1}\left( |C|^2 \mathcal {E}(\tau _{CC'})-\mathcal {E}(\phi ^+_{CC'})\right) \otimes \left( \eta _{\varLambda ^{(1)}}\right) _{\tilde{B}_1} \nonumber \\ =&\frac{1}{|C|^2-1}\left( |C|^2 D_K(\tau _C)\otimes \tau _A -\phi ^+_{AA'}\right) \otimes \left( \eta _{\varLambda ^{(1)}}\right) _{\tilde{B}_1} . \end{aligned}$$

(B.5)

and therefore

$$\begin{aligned}&\Bigg \Vert \frac{1}{|C|^2-1}\left( |C|^2 D_K(\tau _C)\otimes \tau _A -\phi ^+_{AA'}\right) \otimes \left( \eta _{\varLambda ^{(1)}}\right) _{\tilde{B}_1}-\frac{|C|}{|A|}\mathcal {E}\left( \left( \eta _{\varLambda ^{(1)}}\right) _{CC'\tilde{B}_1}\right) \Bigg \Vert _1\nonumber \\ \le \,&2\sqrt{2\varepsilon } \end{aligned}$$

(B.6)

for all \(\varLambda ^{(1)}\). For any state \(\varrho _{CC'\tilde{B}_1}\) with \(\varrho _{CC'\tilde{B}}| \phi ^+ \rangle _{CC'}=0\), we define the state

$$\begin{aligned}&\varrho '_{CC'\tilde{B}_1\tilde{B}_2}\frac{1}{C}\bigg (|0\rangle \langle 0|_{\tilde{B}_2}\otimes \varrho _{CC'\tilde{B}_1}\nonumber \\&+ \, |1\rangle \langle 1|_{\tilde{B}_2}\otimes \left[ \left( (\mathbbm {1}_C-\varrho _C)\otimes V_{C'}\right) \phi ^+\left( (\mathbbm {1}_C-\varrho _C)\otimes V_{C'}\right) \right] \otimes \varrho _{\tilde{B}_2}\bigg ). \end{aligned}$$

(B.7)

Here, V is a unitary such that \(\mathrm {Tr}(\mathbbm {1}_C-\varrho _C)V_C^T=0\). It is easy to see that such a unitary always exists, the existence is equivalent to the fact that any |C|-tuple of real numbers is the ordered list of side lengths of a polygon in the complex plain. Note that \(\varrho '_{CC'\tilde{B}_1\tilde{B}_2}| \phi ^+ \rangle _{CC'}=0\), and \(\varrho '_{C'}=\tau _{C'}\). Together with the triangle inequality, Eq. (B.6) implies therefore that

i.e. in particular

$$\begin{aligned} \bigg \Vert \frac{|C|}{|A|}\mathcal {E}(\varrho )-\frac{1}{|C|^2-1}\left( |C|^2 D_K(\tau _C)\otimes \tau _A -\phi ^+_{AA'}\right) \otimes \varrho _{\tilde{B}_1}\bigg \Vert _1\le 2\sqrt{2\varepsilon }|C|. \end{aligned}$$

As \(\varrho \) was arbitrary we have proven that

$$\begin{aligned} \bigg \Vert \frac{|C|}{|A|}\mathcal {E}-\left\langle \frac{1}{|C|^2-1}\left( |C|^2 D_K(\tau _C)\otimes \tau _A -\phi ^+_{AA'}\right) \right\rangle \bigg \Vert _\diamond \le 2\sqrt{2\varepsilon }|C|. \end{aligned}$$

(B.8)

The only fact that is left to show is, that is small for all normalized \(| v \rangle \) such that \(\left\langle \phi ^+ \mid v \right\rangle =0\). To this end, observe that \(\mathrm {Tr}_{A}\circ \mathcal E(\sigma _C\otimes (\cdot )_{C'})=E_K^T\) for all quantum states \(\sigma _C\). Let \(\varrho _C\) be any quantum state that does not have full rank, note that such states span all of \(\mathcal B(\mathcal {H}_C)\), and for hermitian operators there exists a decomposition into such operators that saturates the triangle inequality. Taking a quantum state \(\sigma _C\) such that \(\langle \phi ^+ |\varrho \otimes \sigma | \phi ^+ \rangle =\frac{1}{|C|}\mathrm {Tr}\varrho _C\sigma _C^T=0\) (the first equality is the mirror Lemma A.1), we have

$$\left\| \mathcal {E}(\varrho \otimes \sigma )-\frac{|A|}{|C|}\frac{1}{|C|^2-1}\left( |C|^2 D_K(\tau _C)\otimes \tau _A -\phi ^+_{AA'}\right) \right\| _1\le 2\sqrt{2\varepsilon }|A|$$

according to what we have already proven. Using inequality (B.8) we arrive at

$$\begin{aligned} \left\| E_K^\dagger (X)-\frac{|A|}{|C|}\tau _A\mathrm {Tr}(X)\right\| _{1}\le 2\sqrt{2\varepsilon }|A|\Vert X\Vert _1 \end{aligned}$$

(B.9)

For Hermitian matrices X and therefore

$$\begin{aligned} \left\| E_K^\dagger (X)-\frac{|A|}{|C|}\tau _A\mathrm {Tr}(X)\right\| _{1}\le 4\sqrt{2\varepsilon }|A|\Vert X\Vert _1 \end{aligned}$$

(B.10)

For arbitrary X. We can write \(| v \rangle _{CC'}=X_C| \phi ^+ \rangle _{CC'}\) for some traceless matrix \(X_C\). Now we calculate

(B.11)

The first equation is Lemma B.1, the second and third equations are easily verified, the first inequality is a standard norm inequality, the second inequality is Eq. (B.10), and the last inequality follows from the normalization of \(| v \rangle \). By the Schmidt decomposition, we get a stabilized version of this inequality,

$$\begin{aligned} \left\| \mathcal E(| \phi ^+ \rangle _{CC'}| \alpha \rangle _{\tilde{B}_1}\langle v |_{CC'\tilde{B}_1})\right\| _1\le&2\sqrt{2\varepsilon }|A|^{3/2}, \end{aligned}$$

(B.12)

for all \(| \alpha \rangle _{\tilde{B}_1}\) and all \(| v \rangle _{CC'\tilde{B}}\) such that \(\left\langle \phi ^+ \mid v \right\rangle =0\). Combining everything we arrive at

$$\begin{aligned}&\Bigg \Vert \mathcal {E}(X)-\frac{|A|}{|C|}\bigg [\langle \phi ^+ |X| \phi ^+ \rangle |\phi ^+\rangle \langle \phi ^+|\nonumber \\&+\,\mathrm {Tr}\left( \varPi ^-X\right) \frac{1}{|C|^2-1}\left( |C|^2D_K(\tau _C)_A\otimes \tau _{A'}-\phi ^+_{AA'}\right) \bigg ]\Bigg \Vert _\diamond \nonumber \\ \le \,&2\sqrt{2\varepsilon }|A|\left( 4\sqrt{|A|}+1\right) . \end{aligned}$$

(B.13)

   \(\square \)

We are now ready to prove the characterization theorem Theorem 4.4 in the \(\varepsilon \)-approximate setting (including the exact case, Theorem 3.7 by setting \(\varepsilon =0\).)

Theorem B.3

(Precise version of Theorem 4.4 ). Let \(\varPi =(\tau , E,D)\) be a QES.

1. 1.

   If \(\varPi \) is \(\varepsilon \)-NM, then any attack map \(\varLambda _{CB\rightarrow C\tilde{B}}\) results in an effective map \(\tilde{\varLambda }_{AB \rightarrow A{\tilde{B}}}\) fulfilling

   

   (B.14)

   where

   $$\begin{aligned} \tilde{\varLambda }^{\mathrm {exact}}_{AB\rightarrow A\tilde{B}}=\mathrm {id}_A\otimes \varLambda '_{B\rightarrow \tilde{B}}+\frac{1}{|C|^2-1}\left( |C|^2\left\langle D_K(\tau )\right\rangle -\mathrm {id}\right) _A\otimes \varLambda ''_{B\rightarrow \tilde{B}}, \end{aligned}$$

   with \(\varLambda ' =\mathrm {Tr}_{CC'}[\phi ^+_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))]\) and \(\varLambda '' =\mathrm {Tr}_{CC'}[\varPi ^-_{CC'}\varLambda (\phi ^+_{CC'}\otimes (\cdot ))].\)

2. 2.

   Conversely, if for a scheme all effective maps fulfill Eq. (B.14) with the right hand side replaced by \(\varepsilon \), then it is \(5\varepsilon (\log (|A|)+r)+3h(\varepsilon )\)-NM, where r is a bound on the size of the honest user’s side information.

Proof

We start with 1. We want to bound the diamond norm distance between the effective map \(\tilde{\varLambda }\) resulting from an attack \(\varLambda \) and the idealized effective map \(\tilde{\varLambda }^{\mathrm {exact}}\). Let

$$| \psi \rangle _{AA'BB'}=\sum _{i=0}^{|A|^2-1}\sqrt{p_i}| \alpha _i \rangle _{AA'}\otimes | \beta _i \rangle _{BB'}$$

be an arbitrary pure state given in its Schmidt decomposition across the bipartition \(AA'\) vs. \(BB'\). We can Write \(| \alpha _i \rangle _{AA'}=X^{(i)}_{A'}| \phi ^+ \rangle \) for some matrices \(X^{(i)}\) satisfying \(\Vert X^{(i)}\Vert _\infty \le |A|\). We calculate the action of \(\tilde{\varLambda }\) on ,

(B.15)

In a similar way we get

(B.16)

Using Lemma B.2 we bound

(B.17)

The inequalities result from applying Hölder’s inequality twice, and Lemma B.2, respectively. Using the triangle inequality we get

$$\begin{aligned}&\left\| \left( \tilde{\varLambda }_{AB \rightarrow A{\tilde{B}}}-\tilde{\varLambda }^{\mathrm {exact}}_{AB \rightarrow A{\tilde{B}}}\right) (|\psi \rangle \langle \psi |_{AA'BB'})\right\| _1\nonumber \\ \le \,&2\sqrt{2\varepsilon }|A|^2|C|\left( 4\sqrt{|A|}+1\right) \sum _{i,j=0}^{|A|^2-1}\sqrt{p_ip_j}\nonumber \\ \le \,&2\sqrt{2\varepsilon }|A|^4|C|\left( 4\sqrt{|A|}+1\right) . \end{aligned}$$

(B.18)

As \(| \psi \rangle \) was arbitrary, we have proven

$$\begin{aligned} \left\| \tilde{\varLambda }_{AB \rightarrow A{\tilde{B}}}-\tilde{\varLambda }^{\mathrm {exact}}_{AB \rightarrow A{\tilde{B}}}\right\| _\diamond \le&2\sqrt{2\varepsilon }|A|^4|C|\left( 4\sqrt{|A|}+1\right) . \end{aligned}$$

(B.19)

Now let us prove 2. Let \(\varLambda _{CB\rightarrow C\tilde{B}}\) again be an arbitrary attack map, and assume that the resulting effective map is \(\varepsilon \)-close to \(\tilde{\varLambda }^{\mathrm {exact}}_{AB\rightarrow A\tilde{B}}\). Observe that \(p^{=}(\varLambda ,\varrho )=\mathrm {Tr}\varLambda '(\varrho _B)\).

By the Alicki-Fannes inequality [4] and Lemma A.2, this implies

$$\begin{aligned} I(AR:\tilde{B})_{\tilde{\varLambda }(\varrho )}\le I(AR:B)_\varrho +h(p^=(\varLambda ,\varrho ))+5\varepsilon \log (|A||R|)+3h(\varepsilon ) \end{aligned}$$

(B.20)

with the help of Lemma A.2.    \(\square \)