This protocol provides a non-interactive scheme with classical keys for the sender to encrypt as well as authenticate quantum messages. This was to achieve the task of authentication for quantum states, i.e. it gives the guarantee that the message sent by a party (suppliant) over a communication line is received by a party on the other end (authenticator) without having been tampered with or modified by the dishonest party (eavesdropper).

Authentication of Quantum Messages

The polynomial code consists of three steps: preprocessing, encryption and encoding, and decoding and decryption. Within the preprocessing, sender and receiver agree on a stabilizer purity testing code and three private, random binary keys. Within the encryption and encoding step, the sender uses one of these keys to encrypt the original message. Consequently, a second key is used to choose a specific quantum error correction code out of the stabilizer purity testing code. The chosen quantum error correction code is then used, together with the last key, to encode the encrypted quantum message. Within the last step, the decoding and decryption step, the respective keys are used by the receiver to decide whether to abort or not, and if not, to decode and decrypt the received quantum message.

• The sender and the receiver share a private, classical random key drawn from a probability distribution

• ${\mathcal {S}}$: suppliant (sender)
• ${\mathcal {A}}$: authenticator (prover)
• $\rho$: quantum message to be sent
• $m$: number of qubits in the message $\rho$
• $\{Q_{k}\}$: stabilizer purity testing code, each stabilizer code is identified by index $k$
• $n$: number of qubits used to encode the message with $\{Q_{k}\}$
• $x$: random binary $2m$-bit key
• $y$: random syndrome for a specific $Q_{k}$

acheck

Input: $\rho$ owned by $\mathcal{S}$; $k$, $x$, $y$ shared among $\mathcal{S}$ and $\mathcal{A}$.

Output: Receiver accepts or aborts the quantum state $\rho^{\prime}$.

Encryption and encoding:

1. $\mathcal{S}$ q-encrypts the $m$-qubit original message $\rho$ as $\tau$ using the classical key $x$ and a quantum one-time pad. This encryption is given by $\tau = \sigma_{x}^{\vec{t}_{1}} \sigma_{z}^{\vec{t}_{2}} \rho \sigma_{z}^{\vec{1}_{1}} \sigma_{x}^{\vec{t}_{1}}$, where $\vec{t}_{1}$ and $\vec{t}_{2}$ are $m$-bit vectors and given by the random binary key $x$.
2. $\mathcal{S}$ then encodes $\tau$ according to $Q_{k}$ with syndrome $y$, which results in the $n$-qubit state $\sigma$. This means $\mathcal{S}$ encodes $\rho$ in $n$ qubits using $Q_{k}$, and then “applies” errors according to the random syndrome.
3. $\mathcal{S}$ sends $\sigma$ to $\mathcal{A}$.

Decoding and decryption:

1. $\mathcal{A}$ receives the $n$ qubits, whose state is denoted by $\sigma^{\prime}$.
2. $\mathcal{A}$ measures the syndrome $y^{\prime}$ of the code $Q_{k}$ on his $n$ qubits in state $\sigma^{\prime}$.
3. $\mathcal{A}$ compares the syndromes $y$ and $y^{\prime}$ and aborts the process if they are different.
4. $\mathcal{A}$ decodes his $n$-qubit word according to $Q_{k}$ obtaining $\tau^{\prime}$.
5. $\mathcal{A}$ q-decrypts $\tau^{\prime}$ using the random binary strings $x$ obtaining $\rho^{\prime}$.

Some relevent papers for further reading:

• Interactive Proofs for Quantum Computations
• Secure Multiparty Quantum Computation with (Only) a Strict Honest Majority

1. Barnum, Howard, Claude Crépeau, Daniel Gottesman, Adam Smith, and Alain Tapp. “Authentication of quantum messages.” In The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings., pp. 449-458. IEEE, 2002.