Skip to main content

Quantum encryption of superposition states with quantum permutation pad in IBM quantum computers

Abstract

We present an implementation of Kuang and Bettenburg’s Quantum Permutation Pad (QPP) used to encrypt superposition states. The project was conducted on currently available IBM quantum systems using the Qiskit development kit. This work extends previously reported implementation of QPP used to encrypt basis states and demonstrates that application of the QPP scheme is not limited to the encryption of basis states. For this implementation, a pad of 56 2-qubit Permutation matrices was used, providing 256 bits of entropy for the QPP algorithm. An image of a cat was used as the plaintext for this experiment. The plaintext was randomized using a classical XOR function prior to the state preparation procedure. To create corresponding superposition states, we applied a novel operator defined in this paper. These superposition states were then encrypted using QPP, with 2-qubit Permutation Operators, producing superposition ciphertext states. Due to the lack of a quantum channel, we omitted the transmission and executed the decryption procedure on the same IBM quantum system. If a quantum channel existed, the superposition ciphertext states could be transmitted as qubits, and be directly decrypted on a different quantum system. We provide a brief discussion of the security, although the focus of the paper remains on the implementation. Previously we have demonstrated QPP operating in both classical and quantum computers, offering an interesting opportunity to bridge the security gap between classical and quantum systems. This work broadens the applicability of QPP for the encryption of basis states as well as superposition states. We believe that quantum encryption schemes that are not limited to basis states will be integral to a secure quantum internet, to reduce vulnerabilities introduced by using two separate algorithms for secure communication between a quantum and a classical computer.

1 Introduction

Recent developments in the field of quantum computing, including demonstrations of quantum supremacy [1, 2], indicate a significant shift in cryptography. Quantum cryptography and quantum encryption are now critical elements in the field of cryptography. The terms “Quantum encryption” and “Quantum cryptography” often refer to Quantum Key Distribution (QKD) or Post-Quantum cryptography (PQC). Both of these methods are used to establish a secret key for digital symmetric encryption. However, the former uses quantum mechanics and is implemented in a quantum system with a classical post-processing part, and the latter describes classical algorithms with an underlying mathematical problem that can not be solved by a quantum computing system [35].

There exists another notable family of algorithms that can be described as Quantum encryption and Quantum cryptography but is not frequently mentioned. This family includes the symmetric cryptographic algorithms to be implemented on quantum systems, such as the quantum implementation of the AES-128. The first quantum circuit design of AES-128 was proposed by Almazrooie et al. [6]. This work was further improved by Langenberg et al. to reduce the implementation to 880 qubits, 1507 X gates, 107960 CNOT gates, and 16940 Toffoli gates [7]. Wang, Wei, and Long proposed a different implementation with 656 qubits, 1976 X gates, 101174 CNOT gates, and 18040 Toffoli gates [8]. Zou et al. introduced a new implementation with 512 qubits for AES-128 [9]. All of these implementations, however, require noticeably large quantum resources not currently available, thus, an efficient implementation of AES-128 might not be possible in the near future.

Other quantum communication methods proposed in recent years include Quantum secure direct communication without a pre-shared key or QSDC [1012], and a lightweight quantum encryption scheme [13]. The lightweight quantum encryption scheme uses a generic unitary gate in conjunction with the CNOT gates to enforce diffusion and confusion capability to the cipher quantum states. These cipher quantum states are generally in superposition, thus preventing possible eavesdropping during their transmission to a receiver. Other important algorithms include the Quantum One-Time Pad algorithm (QOTP) [1416] and the \(\mathcal{EHE}\) algorithm [17].

A different symmetric cryptographic algorithm was proposed by Kuang and Bettenburg in 2020, called the Quantum Permutation Pad (QPP) [18]. QPP has since been applied to create lightweight block cipher [19], streaming cipher [20], entropy expansion [21], and a pseudo-Quantum Random Number Generator or pQRNG [22]. Kuang and Barbeau recently proposed a concept of universal cryptography using QPP which can be implemented in both classical and quantum computing systems [23]. Perepechaenko and Kuang demonstrated the implementation of QPP in the IBM Quantum systems using a few simple examples [2426]. The QPP uses permutation matrices to encrypt any given plaintext, and their respective Hermitian conjugates to decrypt the produced ciphertext and successfully unveil the plaintext. To guarantee that the decrypting party applies respective conjugates of the same permutation matrices that were used to encrypt plaintext, the two communicating parties pre-share a secret key using some asymmetric key exchange scheme. This secret key is used to create the Permutation Pad, consisting of permutations, as well as the Inverse Permutation Pad, consisting of the Hermitian conjugates of the permutations used for the encryption. Permutation matrices can be efficiently implemented in a quantum circuit using CNOT, NOT, Toffoli, and SWAP gates [27]. Moreover, permutation matrices can be used to specify Qiskit operator objects using row-by-row matrix description, thus making it possible to implement QPP in the IBM Quantum systems. On the other hand, permutation matrices can be converted into arrays, to be implemented in classical systems. To the best of our knowledge, QPP is the first ever hybrid quantum-classical scheme. It will require further examination to determine whether there are advantages to using the quantum implementation of QPP as opposed to a classical implementation, for instance, we would expect that the quantum implementation is more efficient than the classical implementation. However, one of the main attributes of QPP is that it can be implemented in both classical and quantum devices. Previous implementations of QPP have shown that it is lightweight and can be run today on a free-of-charge IBM Quantum system as well as any classical computer, unlocking the potential of being widely used for quantum encryption in classical systems, quantum systems, as well as hybrid systems, with significant potential use-cases such as quantum internet [1921, 2426]. Having a hybrid encryption scheme reduces the limitations and vulnerabilities of a scenario where two different schemes are used on quantum and classical devices, and therefore we continue advancing QPP to ensure that both quantum and classical QPP implementations are efficient and secure.

In this work, we present a fully-functioning implementation of the QPP algorithm used to encrypt superposition states with Qiskit in IBM Quantum systems. We were curious to examine whether QPP is limited to basis states, and also explore whether there are any security benefits brought about by introducing superposition states. This work goes beyond academic interest and exhibits potential to be used in the future quantum internet where the states of quantum systems may generally be superposition states transmitted over a quantum channel [28, 29]. This paper builds on and extends our previous research [2426]. In [2426] we describe how QPP can be used to encrypt basis states in an IBM Quantum device using Qiskit. We find it important to provide the reader with a brief description of the previous work, to facilitate a better understanding of the developments described in this paper.

1.1 Encryption of basis states using quantum permutation pad

QPP is a symmetric encryption scheme that requires a pre-shared secret key for configuration. Consider two communicating parties, Alice and Bob, with a pre-shared secret key. Alice prepares a message “Hello Bob!”, expressed as a binary string to be encrypted using QPP with 2-qubit permutations. This QPP scheme uses Permutation Operators that act on 2-qubit states, one at a time. Thus, Alice splits the message into 2-bit blocks, to be encrypted one at a time. For each message block, a quantum circuit is created with 2 qubits and 2 classical bits. The initial state of each such circuit is set to reflect the corresponding binary message block using Qiskit’s QuantumCircuit.initialize(Statevector.from_ label(state_vector)) command. That is, if the corresponding message block is ‘01’, the initial state of the system will be set to \(|01\rangle \). Using the pre-shared secret key Alice generates a Permutation Pad consisting of 2-qubit Permutation Operators, by specifying matrices row by row, and converting them to Operators using Qiskit’s Operator() command. There are 24 possible distinct 2-qubit Permutation Operators, however, to achieve 256 bits of entropy the permutation pad consists of 56 2-qubit permutation matrices chosen at random using the pre-shared secret key. In this case, repetitions are allowed. To encrypt every plaintext state, that is the state initialized according to the plaintext message block, Alice dispatches a Permutation Operator from the Permutation Pad to act on a given plaintext state, producing a ciphertext state. The dispatching of the Permutation Operator from the Permutation Pad can be done using the pre-shared secret key.

Due to a lack of a quantum channel, the quantum ciphertext states can not be sent directly and must be measured, with the highest probability results used to create a binary file containing the ciphertext. Figure 1 illustrates a general form of the encryption circuit, used to encrypt each plaintext block.

Figure 1
figure 1

A sample encryption circuit of a plaintext block being encrypted with QPP using Qiskit on an IBM Quantum system. The initialization operator produces an initial state vector that corresponds to a given specified binary string. The Permutation Operator encrypts the state vector to produce a cipher state, which is then measured. This illustration corresponds to our previous work [25, 26]

Upon receiving the binary file containing the ciphertext, Bob extracts the ciphertext as a binary string. Bob then generates an Inverse Permutation Pad, using the pre-shared secret key, which consists of Hermitian conjugates of the corresponding Permutation Operators in the Permutation Pad. Similar to Alice, Bob separates the ciphertext into 2-bit ciphertext blocks and creates a decryption circuit for each such block. Similar to the encryption circuits, the initial state in each decryption circuit is set to reflect the corresponding ciphertext bits in each given 2-bit ciphertext block. The ciphertext quantum states are then acted on with the operators from the Inverse Permutation Pad. These Permutation Operators are dispatched using the pre-shared secret key, one for each circuit. The dispatching procedure is the same for Bob and Alice to ensure that Bob dispatches precisely the Hermitian conjugates of the Permutation Operators used by Alice. This process decrypts the ciphertext states and produces plaintext states. The plaintext states are then measured, to yield the binary message. Figure 2 illustrates the general form of a decryption circuit for each ciphertext block. Figure 3 depicts the general QPP symmetric scheme.

Figure 2
figure 2

A sample decryption circuit of a ciphertext block being decrypted with QPP using Qiskit on an IBM Quantum system. The initialization operator produces an initial state vector that corresponds to a given specified binary string. The Hermitian conjugate of the Permutation Operator decrypts the state vector to produce a message state, which is then measured. This illustration corresponds to our previous work [25, 26]

Figure 3
figure 3

A diagram illustrating the logical flow of the QPP encryption and decryption algorithm as described in our previous work [25, 26]

2 Materials and methods

The motivation for this work was a question of whether the 2-qubit QPP can be used to encrypt superposition states, rather than basis states, and whether adding the superposition into the framework increases the security. We present an implementation of QPP with 2-qubit Permutation Operators applied to superposition states on the IBM quantum systems using the Qiskit software development kit. We will demonstrate the encryption of the image given in Fig. 4.

Figure 4
figure 4

An image of the cat to be encrypted with Quantum Permutation Pad as described in this work

Similar to our previous work [2426], the current implementation is done using 2-qubit Permutations Operators. Such 2-qubit Permutation Operators act simultaneously on 2 qubits, in other words, these permutations permute 4 state vectors. Hence, each 2-qubit permutation is an element of the Symmetric group \(S_{4}\). There are at most \(4! = 24\) such 2-qubit permutations. Each such permutation supplies \(\log _{2} 24 \approx 4.58\) bits of entropy. Thus, to achieve 256 bits of entropy, we need to use 56 of 2-qubit permutations chosen at random to encrypt any given plaintext. In this work, we create a Permutation Pad consisting of 56 of 2-qubit Permutation Operators used to encrypt a given plaintext.

Throughout the manuscript, we refer to 2-qubit QPP as QPP, and 2-qubit permutations and Permutation Operators as permutations and Permutation Operators respectively, unless explicitly states otherwise.

We first give a general overview of the procedure and then describe in more detail techniques that are special to the current implementation and were not used in our previous work in Sect. 4.

2.1 Initial set up procedure

  1. Step 1

    As discussed in [23], QPP is a symmetric encryption algorithm that requires a pre-shared secret key. Thus, communication starts with two parties, Alice and Bob, establishing a pre-shared secret.

  2. Step 2

    Alice uses the pre-shared secret to produce 56 of the \(4\times 4\) permutation matrices using the secret key and the Fisher-Yates shuffling algorithm. Once the permutation matrices are created, they can be specified row-by-row to produce quantum operators using Qiskit’s Operator() command. These Permutation Operators are used to populate a list which we refer to as the Permutation Pad. Similarly, Bob uses the same pre-shared secret to produce an Inverse Permutation Pad, consisting of respective Hermitian conjugates of the Permutation Operators in the Permutation Pad. In order to create the respective Hermitian conjugates of the Permutation Operators, one can simply create the conjugate transpose matrices of each permutation matrix. These conjugate transpose matrices are then specified row-by-row to produce Hermitian conjugate operators using the Operator() command.

  3. Step 3

    The two parties also use the pre-shared key to dispatch the Permutation Operators from the Permutation Pad and their respective Hermitian conjugates from the Inverse Permutation Pad for encryption and decryption respectively. Note that the dispatching procedure must be agreed upon between Alice and Bob to insure that the Permutation Operators dispatched for decryption are precisely the respective Hermitian conjugates of the Permutation Operators dispatched for encryption for the corresponding states.

    For the dispatching procedure described in this work, the pre-shared key was used to create a list of indices, where each index indicates the position of the Permutation Operator in the Permutation Pad and its Hermitian conjugate in the Inverse Permutation Pad respectively. Then, based on the index, a single Permutation Operator is dispatched from the Permutation Pad for encryption of a given state. Similarly, a single Hermitian conjugate operator is dispatched from the Inverse Permutation Pad to decrypt the corresponding ciphertext state. That is, one operator per state.

2.2 Encryption procedure

The first few steps of the encryption procedure described in this section are similar to those described in Sect. 1.1.

  1. Step 1

    Alice prepares a binary message, which we will refer to as the original plaintext.

  2. Step 2

    In contrast to the process described in Sect. 1.1, where the original plaintext is being encrypted directly, here the original plaintext is being randomized first to erase any statistical patterns that can leak the private information. We refer to the original plaintext that has been randomized as the randomized plaintext. For the current implementation, we utilize classical XOR to randomize the original plaintext. That is, we XOR the original plaintext with the pre-shared secret key and produce the randomized plaintext. Recall, that the original plaintext is written in binary and so is the pre-shared secret key, thus, the randomization procedure can be done using Python command

    figure e

    where message denotes the original plaintext, key_for_xor denotes the pre-shared secret key block used for randomization, and randomized_message denotes the randomized plaintext. This randomized plaintext is used for encryption.

  3. Step 3

    The randomized plaintext is then split into 2-bit blocks, to be encrypted one at a time, using Python’s for loop. The reason for separating plaintext in blocks is the current limitations of quantum devices, such as a number of qubits and Quantum volume.

  4. Step 4

    For each such 2-bit block of randomized plaintext, a quantum circuit is created with 2 qubits and 2 classical bits. The state vector of each such circuit is initialized according to the corresponding 2-bit randomized plaintext block using Qiskit’s QuantumCircuit.initialize(Statevector.from_label(state_ vector)) command.

  5. Step 5

    Now that the initial state vector of each circuit reflects the corresponding 2-bit block of randomized plaintext, they are used to produce superposition states. That is, the initialized state of each system is acted on with the unitary operator superposition_operator, which is a Qiskit operator class object created using the matrix

    $$ \hat{H} = \frac{1}{2} \begin{bmatrix} 1 & 1& -1 & -1 \\ 1 & -1 & -i& i \\ 1 & -1 & i &-i \\ 1 & 1 & 1 & 1 \end{bmatrix} , $$
    (1)

    that produces a respective superposition state. Qiskit allows to create an operator object by initializing it with a matrix given as a list or a Numpy array. Thus we define an operator superposition_operator by specifying the underlying matrix Ĥ row by row as

    figure f

    Note that superposition_operator is not a secret and can be used by the communicating parties as well as the adversary.

  6. Step 6

    The produced superposition states are then encrypted using Permutation Operators dispatched from the Permutation Pad. Note that a single Permutation Operator is dispatched per circuit from the Permutation Pad to encrypt the corresponding superposition state. This process produces the ciphertext state for each circuit. The ciphertext states are themselves superposition states since Permutation Operators are linear. This is discussed in more detail in Sect. 4.

We provide the reader with Fig. 5 illustrating the encryption procedure described in this section.

Figure 5
figure 5

A diagram illustrating the logical flow of the encryption procedure of a single plaintext block with QPP using Qiskit on a IBM Quantum system. This illustration corresponds to our current work described in this paper

2.3 Transmission

Assuming that a quantum channel existed, it would have been possible to send the ciphertext states directly to Bob as qubits, act on them on Bob’s side, and then measure the plaintext states at the end. However, currently, there does not exist quantum channel. Measuring the ciphertext states to create a classical binary ciphertext will destroy the superposition states and affect the decryption procedure. Therefore, we pretend as if the quantum channel exists, and continue running the source code to mimic the decryption procedure. Note that the decryption will be performed on the same quantum system as the one used for encryption.

2.4 Decryption procedure

Suppose that Bob received the ciphertext states one by one and has already assigned a quantum circuit to each of them. Suppose that the initial state vector of each such 2-qubit and 2-bit circuit reflects the respective ciphertext state vectors.

  1. Step 1

    Bob acts on each initial state with the corresponding Permutation Operator dispatched from the Inverse Permutation Pad. This procedure decrypts the encrypted superposition states and produces the original superposition states that correspond to the randomized plaintext states.

  2. Step 2

    Then, Bob acts on the superposition states with the Hermitian conjugate of the superposition_operator, producing randomized plaintext states. The Hermitian conjugate of the superposition_operator can be produced by specifying conjugate transpose of the matrix Ĥ row-by-row into Qiskit’s Operator() command.

  3. Step 3

    These randomized plaintext states are then measured, producing randomized plaintext bits.

  4. Step 4

    The randomized plaintext bits, then, undergo a classical de-randomization procedure using the classical XOR function and the secret key. This process produces the original plaintext.

We provide the reader with Fig. 6, illustrating the decryption procedure described in this section.

Figure 6
figure 6

A diagram illustrating the logical flow of the decryption procedure of a single ciphertext state with QPP using Qiskit on a IBM Quantum system. This illustration corresponds to our current work described in this paper

2.5 ENT randomness testing

The security of the QPP symmetric scheme is studied thoroughly in Kuang and Barbeau’s work [23]. Here, we will use the randomness testing tool ENT to examine if the ciphertext demonstrates good randomness. The ENT program applies various tests to sequences of bytes stored in files and reports the six results of those tests. The program is useful for evaluating pseudo-random number generators for encryption and statistical sampling applications, compression algorithms, and other applications where the information density of a file is of interest. Note that there are various test programs to verify the randomness of any given data, including the Diehard, the NIST SP 800-22, and their combination the Dieharder test. However, only the ENT testing tool works with smaller binary files being a few KB. To perform randomness testing with NIST SP 800-22 the required file size should be at least 100 MB. Given the current free of charge IBMQ, generating files of this size requires a very long running time. In this experiment, the original plaintext is merely 9 KB and so is the ciphertext. Thus, we use the ENT to examine the randomness of plaintext, the randomized plaintext, and the superposed randomized plaintext and ciphertext. Note that the most sensitive testing report of ENT is the Chi Square value, which can detect very small biases at the byte and bit level. Looking at the value of the ENT test, including the Chi Square values, we can see the randomness change at different steps of the QPP encryption.

3 Results

In this section we provide implementation results of the procedure described in Sect. 2.We present the results at different stages of the implementation to dynamically show the plaintext and the ciphertext changes.

Suppose that Alice wants to send an image illustrated in the Fig. 4 to Bob. The encrypting procedure is as described in Sect. 2. The source code of the encryption procedure is given in the Appendix.

3.1 The ciphertext

We want to confirm that the ciphertext is truly random and does not leak any information about the original plaintext. We also want to see dynamic results of how the original plaintext changes at every stage of the ciphertext creation procedure. For that, we provide the reader with Table 1 reporting on the ENT randomness test results of the system at different stages of the encryption procedure, namely, the original plaintext, the randomized plaintext, the superposition state, and the encrypted superposition state or the ciphertext.

Table 1 This table illustrates ENT randomness test results of the original plaintext, the randomized plaintext, the superposed randomized plaintext, and the ciphertext against the optimal parameters’ values

To run the ENT tests on the original plaintext and the randomized plaintext, they were converted into binary files. To test the superposition states, the states were measured and the per-shot measurement bitstrings were saved using Qiskit’s job = execute(my_ circ,backend = qcomp, shots = 20000, memory = True) command. This binary information was used for the ENT tests. Notice that measurement destroys the superposition states. Thus, in order to test the ciphertext, we re-run the source code and measure the ciphertext states. The ciphertext states are themselves superposition states, thus, here too, we save the per-shot measurement results and use them for the ENT testing.

Table 1 shows that the sensitive Chi-square, denoted \(\chi ^{2}\), reports are 2403.83 for original plaintext indicating very biased and 283.07 for randomized plaintext demonstrating less biased; 254.31 after superposition operations and 262.26 for ciphertext showing good randomness with \(\chi ^{2}\) values very close to the optimal 256, respectively. Another interesting report needed to mention is the Serial Correlation Coefficient. Of all reports from the original plaintext to the ciphertext, the ciphertext encrypted with QPP demonstrates the least correlation for each byte to its previous byte. Overall, QPP encryption offers good randomness in its ciphertext.

In Fig. 7, we include an image of a ciphertext associated with the plaintext illustrated in Fig. 4.

Figure 7
figure 7

An illustration of the ciphertext associated with the plaintext picture in Fig. 4 and the encryption procedure described in Sect. 2

3.2 Applying Hermitian conjugate of the superposition operator to the ciphertext state

In the current implementation, the superposition operator Ĥ is publicly known. Thus, one might argue that the adversary can use it to try and perpetrate an attack to obtain information about the plaintext or the secret key. However, we claim that this scenario does not benefit the attacker without any knowledge of the permutation operator P used for encryption. First, for this attack, we must assume that the adversary has a way to apply the Hermitian conjugate of Ĥ to the ciphertext without altering it. Note that this is a rather ambitious assumption to make since that would require the adversary to act on the entire ciphertext in its original superposition form, rather than the measurement result. In general, the adversary can measure the ciphertext and obtain a single measurement result corresponding to one of the states \(|00\rangle , |01\rangle , |10\rangle \), or \(|11\rangle \). Moreover, since the adversary does not know which permutation operator was used for encryption, they might even further obscure the plaintext by applying the operator Ĥ to the ciphertext.

In this section, we use ENT tests to verify that after applying the Hermitian conjugate of Ĥ to the ciphertext, it remains random. In the later sections, we consider this scenario in more detail and discuss whether there are any vulnerabilities introduced by the publicly known Ĥ.

In Sect. 4.3, we discuss that there are only 4 possible superposition states that correspond to the superposition operator Ĥ applied to a given input state vector. After a superposition state was acted on with a Permutation Operator it might not be of the same form as the mentioned 4 possible superposition states up to a global phase. That is if P denotes a Permutation Operator, and Ĥ the superposition operator, then it is often the case that the ciphertext

$$ P(\hat{H}|r\rangle ) \ne \hat{H}|s\rangle , $$
(2)

up to a global phase, where r and s are in \(\{00, 01, 10, 11\}\). Therefore, applying the Hermitian conjugate of Ĥ to the ciphertext state might not produce a basis state, but rather a different superposition state. Indeed, it might be often the case that

$$ \hat{H}^{\dagger}\bigl(P(\hat{H}|r\rangle )\bigr)) \ne \hat{H}^{\dagger}( \hat{H}|s\rangle ) = |s\rangle , $$
(3)

up to a global phase. In this case, adversary measuring the state \(\hat{H}^{\dagger}(P(\hat{H}|r\rangle )))\) will not gain any advantage. Moreover, it is important to mention that the attacker does not have any knowledge of the permutation P used during encryption. That is, the attacker can measure the result of the operation \(\hat{H}^{\dagger}[P(\hat{H}|r\rangle )]\), where P is such that \(P(\hat{H}|r\rangle ) = e^{i\theta}\hat{H}|r\rangle \), while the same result can be obtained by measuring \(\hat{H}^{\dagger}[P(\hat{H}|s\rangle )] = \frac{1}{2}|r\rangle + \frac{1}{2}|s\rangle \) for basis states \(r,s \in \{00,01,10,11\}\).

Suppose that the adversary knows the superposition operator Ĥ and uses its Hermitian conjugate operator \(\hat{H}^{\dagger}\) to act on the superposition state. We are wondering, whether the adversary will gain some information about the plaintext or the secret key. We perform the measurements after \(\hat{H}^{\dagger}\) operation and then test the randomness of the measurement results with ENT. Table 2 illustrates the ENT test results of the mentioned superposition states which were acted on with the operator \(\hat{H}^{\dagger}\) as well as the ciphertext, the randomized plaintext, and the optimal values. It can be seen that the reports from the 2nd last column still demonstrate good randomness, especially its \(\chi ^{2}\) value. That means, QPP encryption still offers good protection on the original plaintext.

Table 2 This table illustrates ENT randomness test results of the randomized plaintext, the ciphertext, and the ciphertext that was acted on with Hermitian conjugate of the superposition operator against the optimal parameters’ values

Table 2 shows that the ciphertext remains random even if the adversary acts on it with the Hermitian conjugate of the operator Ĥ. Note also, that the scenario described in this section is in favor of the adversary.

3.3 Result of the encryption and decryption using quantum permutation pad

We have run the source code given in the Appendix to encrypt and decrypt the image given in Fig. 4. We invite the reader to test the code on any free-of-charge IBM Quantum system with the same or a different image. The produced ciphertext corresponds to the one described in Sect. 3.2. The decryption procedure returns the exact image as in the Fig. 4.

4 Analysis and discussion

In this work, we explore whether superposition states can be encrypted using the QPP algorithm with Qiskit on the IBM Quantum systems, and what are the implications of introducing the superposition in the framework of the QPP algorithm. Our previous work [2426] described encryption of basis states with QPP, which can be considered a quantum counterpart of the classical QPP encryption algorithm from [23]. We were then curious to examine whether the quantum implementation of QPP can be extended to the framework that can not be replicated on a classical computer, such as encryption of the superposition states and entangled states using QPP. We were also wondering if implementing the QPP algorithm to act on superposition states or entangled states improves security. For one, we were curious whether the inherent randomness nature of superposition adds a new layer of security to the scheme. For this work, we focused only on the superposition states.

Recall, that in the framework of the QPP symmetric scheme, the plaintext is segmented into 2-bit blocks due to the limitations of the current quantum computers. Each block is encrypted and decrypted, one at a time, using Python’s for loop. Thus, at any given moment the quantum system has only one quantum circuit to execute. Each such circuit has 2 qubits and 2 bits, which implies that the system can be in one of the 4 possible state vectors. Therefore, it is sufficient to discuss QPP in the context of a single sample circuit that is in one of the 4 possible states.

In this section, we focus mainly on the techniques that are special to the current implementation and were not used in our previous work.

4.1 Initial set up procedure

Recall, that communicating parties must first pre-share a secret key k to effectively communicate using the QPP algorithm. As with most other symmetric schemes, the security of QPP does not depend entirely on the design of the scheme itself, but also the secure establishment of the pre-shared secret k as well as the randomness of k. That is, we require that k is truly random. To generate k a good source of QRNG can be used, and the randomness of k can be tested using the ENT randomness test. Moreover, we require that k is established using a quantum-safe algorithm. NIST has recently announced candidate algorithms for quantum-safe key encapsulation and digital signatures [30]. These algorithms can be used for authentication and key establishment. Moreover, novel PQC algorithms such as MPPK/DS and MPPK can be used to pre-share a secret key k [31, 32].

4.2 Randomization

In the framework of QPP, the plaintext must be randomized prior to being encrypted to eliminate any statistical patterns that can be used by the adversary for statistical analysis attacks. The importance of this step, from the security perspective, is discussed in [23]. However, in our previous work [25, 26] we did not incorporate a randomization step as we were exploring whether QPP can be implemented in quantum computers and did merely a toy example of the implementation.

For this implementation, we use the classical XOR function and the secret key to randomize the plaintext. This step is done classically before any quantum circuits are created, as discussed in Sect. 2. However, ideally, the randomization step would be done using the quantum Controlled Pauli X (CX) gates. The CX gates are a quantum alternative to the classical XOR function and would be an ideal tool for the quantum randomization procedure. In this case, the original plaintext as well as the secret key would be broken into 2-bit blocks, used to initialize the initial states of the corresponding circuits. The circuits in this case would have 4 qubits and 2 classical bits, where 2 qubits correspond to the plaintext, and the other 2 qubits correspond to the secret key. The secret key qubits would then be used as control qubits, and the X gates would act on the plaintext qubits.

Current limitations, however, make it difficult to implement the above-discussed quantum randomization procedure. We use free-of-charge IBM Quantum computers for this implementation that has a Quantum Volume (QV) of 32. This means that the width (the number of qubits) and the depth (the number of layers) of the largest quantum volume circuits that can be executed ‘successfully’ on a specified quantum device is 5. We noticed that running QPP circuits with 4 qubits on devices with QV of 32 produces a lot of noise and makes it difficult to interpret the correct results.

4.3 Creation of superposition states

For a single qubit or equivalently 2 states, it is customary to use the Hadamard gate to create the superposition of 2 states. Indeed,

$$ H|0\rangle = \frac{1}{\sqrt{2}} \vert 0\rangle + \frac{1}{\sqrt{2}} \vert 1 \rangle \quad \text{and}\quad H|1\rangle = \frac{1}{\sqrt{2}} \vert 0\rangle - \frac{1}{\sqrt{2}} \vert 1\rangle , $$

where the amplitudes satisfy \(|\alpha |^{2} + |\beta |^{2} = 1\).

However, for 2 qubits or 4 states, there are various ways to create the superposition state. For instance, one could apply Hadamard gate to each qubit, as illustrated in Fig. 8. In this case the operator acting on the entire system is

$$ H \otimes H = \frac{1}{2} \begin{bmatrix} 1 & 1& 1 & 1 \\ 1 & -1 & 1& -1 \\ 1 & 1 & -1 &-1 \\ 1 & -1 & -1 & 1 \end{bmatrix} . $$
(4)

The reader can easily verify that this operator creates a superposition for any input state. In Fig. 9 we provide a sample plot histogram of counts result from a circuit execution of the operator \(H \otimes H\) applied to the state vector \(|00\rangle \). The circuit was executed 1024 times.

Figure 8
figure 8

A circuit illustrating how to create superposition of four states using Hadamard gates

Figure 9
figure 9

A plot histogram of counts result from a circuit execution of the operator \(H \otimes H\) applied to the state vector \(|00\rangle \)

Another way to create a superposition of four states is to act on the state vector of the system with the operator which diagonalizes a permutation operator. In this paper, we use the following superposition operator

$$ \hat{H} = \frac{1}{2} \begin{bmatrix} 1 & 1& -1 & -1 \\ 1 & -1 & -i& i \\ 1 & -1 & i &-i \\ 1 & 1 & 1 & 1 \end{bmatrix} . $$
(5)

established from the diagonalization of the permutation operator

$$ P_{1} = \begin{bmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 \end{bmatrix} . $$

It is easy to prove that the operator Ĥ is a unitary, and so we leave the proof to the reader. Let the state \(|rs\rangle \) denote the tensor product \(|r\rangle \otimes |s\rangle \), for some \(r,s \in \{0,1\}\). Operator Ĥ produces the following superposition states depending on the input state

$$\begin{aligned}& \hat{H}|00\rangle = \frac{1}{2} \vert 00\rangle + \frac{1}{2} \vert 01\rangle +\frac{1}{2} \vert 10 \rangle +\frac{1}{2} \vert 11\rangle, \end{aligned}$$
(6)
$$\begin{aligned}& \hat{H}|01\rangle = \frac{1}{2} \vert 00\rangle - \frac{1}{2} \vert 01\rangle - \frac{1}{2} \vert 10\rangle +\frac{1}{2} \vert 11\rangle, \end{aligned}$$
(7)
$$\begin{aligned}& \hat{H}|10\rangle = \frac{1}{2} \vert 00\rangle - \frac{1}{2}i \vert 01\rangle +\frac{1}{2}i \vert 10 \rangle +\frac{1}{2} \vert 11\rangle, \end{aligned}$$
(8)
$$\begin{aligned}& \hat{H}|11\rangle = -\frac{1}{2} \vert 00\rangle + \frac{1}{2}i \vert 01\rangle -\frac{1}{2}i \vert 10 \rangle +\frac{1}{2} \vert 11\rangle , \end{aligned}$$
(9)

where the amplitudes satisfy \(\sum_{i}|\alpha _{i}|^{2} = 1\).

In Qiskit, The Operator class is used to represent matrix operators acting on a quantum system. Qiskit allows to create an operator object by initializing it with a matrix given as a list or a Numpy array. Thus we define an operator superposition_operator by specifying the underlying matrix Ĥ row by row as superposition_operator = Operator ([[1/2,1/2,-1/2,-1/2], [1/2,-1/2,(-1j)/2,(1j)/2], [1/2,-1/2,(1j)/2, (-1j)/2], [1/2,1/2,1/2,1/2]]). To test the superposition_operator we have created four quantum circuits in Qiskit with 2 qubits and 2 classical bits each. The state of each one of this circuits has been initialized to one of the four possible states vectors of the system, namely, \(|00\rangle , |01\rangle , |10\rangle \), and \(|11\rangle \). We then applied superposition_operator to the initial state of each of the four circuits, and measured the results. Each such circuit has been executed on both, the IBM Qasm simulator, and the IBM Manila quantum computer 20,000 times. We illustrate the measurement results in a form of plot histograms in Fig. 10 and Fig. 11 corresponding to the simulated results and results of the circuit executed on a quantum computer respectively.

Figure 10
figure 10

This figure illustrates the measurement results in the form of plot histogram of the state \(\hat{H}|r\rangle \) for every \(r \in \{00,01,10,11\}\). Each corresponding circuit was executed 20,000 times on the IBM Qasm simulator. (a) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|00\rangle \). (b) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|01\rangle \). (d) (c) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|10\rangle \). (d) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|11\rangle \)

Figure 11
figure 11

This figure illustrates the measurement results in the form of plot histogram of the state \(\hat{H}|r\rangle \) for every \(r \in \{00,01,10,11\}\). Each corresponding circuit was executed 20,000 times on the IBM Manila Quantum computer. (a) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|00\rangle \). (b) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|01\rangle \). (d) (c) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|10\rangle \). (d) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}|11\rangle \)

In this work, we decided to use the operator Ĥ to create superposition states, since this operator was discussed in our previous work [24], and will be used in our future work to generate quantum raw random numbers.

4.4 Dispatching

The dispatching procedure used in this work differs slightly from the one described in our previous work [25, 26]. In [25, 26] we simply use Python’s seed and randint functions to randomly choose a few Permutation Operations from the Permutation Pad and Inverse Permutation Pad by index. That is, we chose a few indices that correspond to the positions of the Permutation Operators in the Permutation Pad and its Hermitian conjugates in the Inverse Permutation Pad respectively. One of these Permutation Operators acts on a given plaintext state and its Hermitian conjugate acts on the ciphertext state respectively.

The dispatching procedure described in this work is similar. The pre-shared key was used to create a list of indices, where each index indicates the position of the Permutation Operator in the Permutation Pad and its Hermitian conjugate in the Inverse Permutation Pad respectively. Then, based on the index, a single Permutation Operator is dispatched from the Permutation Pad and Inverse Permutation Pad to encrypt or decrypt the corresponding state. That is, one operator per state.

4.5 Encryption with quantum permutation pad

In this work, the state vector of the system, before the encryption step with QPP, is of the form

$$ |\phi \rangle = \alpha _{a} \vert a\rangle + \alpha _{b} \vert b\rangle + \alpha _{c} \vert c \rangle + \alpha _{d} \vert d\rangle , $$
(10)

where the amplitudes satisfy \(|\alpha _{a}|^{2} + |\alpha _{ b}|^{2} + |\alpha _{c}|^{2} +|\alpha _{d}|^{2} = 1\), and \(a,b,c,d \in \{00, 01, 10, 11\}\). In Sect. 4.3, we discussed the possible superposition states that are produced by applying the operator Ĥ to the initial state vector of any given circuit. The produced states form the set

$$\begin{aligned} S = &\biggl\{ \frac{1}{2} \vert 00\rangle + \frac{1}{2} \vert 01\rangle +\frac{1}{2} \vert 10 \rangle +\frac{1}{2} \vert 11\rangle , \frac{1}{2} \vert 00\rangle - \frac{1}{2} \vert 01 \rangle - \frac{1}{2} \vert 10\rangle +\frac{1}{2} \vert 11\rangle , \\ &{}\frac{1}{2} \vert 00\rangle - \frac{1}{2}i \vert 01\rangle +\frac{1}{2}i \vert 10 \rangle + \frac{1}{2} \vert 11\rangle ,-\frac{1}{2} \vert 00\rangle + \frac{1}{2}i \vert 01 \rangle - \frac{1}{2}i \vert 10\rangle +\frac{1}{2} \vert 11\rangle \biggr\} . \end{aligned}$$
(11)

So for any \(a,b,c,d \in \{00,01,10,11\}\), the state \(|\phi \rangle \) is in the set S.

The Permutation Operations are linear operations as shown in [23]. Thus, applying them to superposition states creates new superposition states. Indeed, let P be a Permutation Operator dispatched from the Permutation Pad, then

$$\begin{aligned} P|\phi \rangle &=P\bigl(\alpha _{a} \vert a\rangle + \alpha _{b} \vert b\rangle + \alpha _{c} \vert c\rangle + \alpha _{d} \vert d\rangle \bigr) \\ & =\alpha _{a}P \vert a\rangle + \alpha _{b}P \vert b\rangle + \alpha _{c}P \vert c \rangle + \alpha _{d}P \vert d\rangle \\ &=\alpha _{a} \vert a'\rangle + \alpha _{b} \vert b'\rangle + \alpha _{c} \vert c' \rangle + \alpha _{d} \vert d'\rangle , \end{aligned}$$
(12)

where \(a', b', c', d' \in \{00,01,10,11\}\). Thus, Permutation Operators essentially reassign the phases of the qubits, which leads to a few notable observations. For instance let P be an operator such that \(P|00\rangle = |01\rangle , P|01\rangle = |10\rangle \), \(P|10\rangle = |11\rangle \) and \(P|11\rangle = |00\rangle \). Then,

$$\begin{aligned} P(\hat{H}|01\rangle ) & =P\biggl(\frac{1}{2} \vert 00\rangle - \frac{1}{2} \vert 01 \rangle -\frac{1}{2} \vert 10\rangle +\frac{1}{2} \vert 11\rangle \biggr) \\ & =\frac{1}{2}P \vert 00\rangle - \frac{1}{2}P \vert 01\rangle -\frac{1}{2}P \vert 10 \rangle +\frac{1}{2}P \vert 11\rangle \\ & =\frac{1}{2} \vert 01\rangle - \frac{1}{2} \vert 10\rangle -\frac{1}{2} \vert 11 \rangle + \frac{1}{2} \vert 00\rangle \notin S, \end{aligned}$$
(13)

even up to a global phase, where S is the set of all possible superposition states given in the Eq. (11). That is, \(P(\hat{H}|01\rangle ) \ne e^{i\theta}\hat{H}|r\rangle \) for any \(r \in \{00,01,10,11\}\) and any global phase.

On the other hand, let the Permutation Operator be such that \(P|00\rangle = |10\rangle , P|01\rangle = |11\rangle \), \(P|10\rangle = |00\rangle \) and \(P|11\rangle = |01\rangle \). Then,

$$\begin{aligned} P(\hat{H}|01\rangle ) &=P\biggl(\frac{1}{2} \vert 00\rangle - \frac{1}{2} \vert 01 \rangle -\frac{1}{2} \vert 10\rangle +\frac{1}{2} \vert 11\rangle \biggr) \\ & =-\frac{1}{2} \vert 00\rangle +\frac{1}{2} \vert 01\rangle + \frac{1}{2} \vert 10 \rangle - \frac{1}{2} \vert 11\rangle \in S \quad \text{up to a global phase}. \end{aligned}$$
(14)

So applying the operator P, previously specified, to the state \(\hat{H}|01\rangle \) produced a new superposition state which is equivalent to the state \(\hat{H}|01\rangle \) up to a global phase. In other words, the encryption did not essentially change the pre-encryption state.

Another notable observation is the so-called super superposition state that remains the same after the encryption, including the global phase. Given the same Permutation Operator P, consider

$$\begin{aligned} P(\hat{H}|00\rangle ) &=P\biggl(\frac{1}{2} \biggl\vert 00\rangle + \frac{1}{2} \biggr\vert 01 \rangle +\frac{1}{2} \biggl\vert 10\rangle +\frac{1}{2} \biggr\vert 11\rangle \biggr) \\ & =\frac{1}{2} \biggl\vert 00\rangle + \frac{1}{2} \biggr\vert 01\rangle + \frac{1}{2} \biggl\vert 10 \rangle + \frac{1}{2} \biggr\vert 11\rangle = \hat{H}|00 \rangle \in S, \end{aligned}$$
(15)

where S is the set of all possible superposition states given in the Eq. (11). This phenomenon demonstrates a significant difference between the encryption of basis states and superposition states using QPP. When encrypting basis states, any given single state with phase \(\alpha =1\) is changed and a new state with the same phase \(\alpha =1\) is produced. On the other hand, when encrypting the superposition states, the phases are reassigned and in certain cases, the produced state is equivalent to the input state. In Sect. 4.7 we discuss the security implications of this phenomenon. We point out that this phenomenon is introduced by the operator Ĥ and does not affect the QPP algorithm itself. Moreover, the adversary can not use this feature to perpetrate an attack since the adversary does not have knowledge of the permutation operator used. In other words, the adversary does not know whether a given ciphertext is equal to the pre-encryption state or not.

We provide the reader with Fig. 12 and Fig. 13 depicting the measurement results of the ciphertext states \(P(\hat{H}|r\rangle )\), for every \(r \in \{00,01,10,11\}\) and a randomly chosen Permutation Operator P to demonstrate that the ciphertext states are a superposition of four states. Figure 12 corresponds to a sample circuit executed on the IBM Qasm simulator 20,000 times, and Fig. 13 corresponds to the same circuit executed on the IBM Manila Quantum computer 20,000 times.

Figure 12
figure 12

This figure illustrates the measurement results in the form of plot histogram to verify that any given ciphertext state is a superposition of four states. The results are illustrated for some randomly chosen Permutation Operator P. The circuit was executed on the IBM Qasm simulator 20,000 times. (a) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|00\rangle )\). (b) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|01\rangle )\). (c) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|10\rangle )\). (d) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|11\rangle )\)

Figure 13
figure 13

This figure illustrates the measurement results in the form of plot histogram to verify that any given ciphertext state is a superposition of four states. The results are illustrated for some randomly chosen Permutation Operator P. The circuit was executed on the IBM Manila Quantum computer 20,000 times. (a) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|00\rangle )\). (b) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|01\rangle )\). (c) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|10\rangle )\). (d) Plot histogram of measurement results of the state \(|\phi \rangle = P(\hat{H}|11\rangle )\)

4.6 Decryption of superposition states using \(\mathrm{QPP} ^{\dagger}\)

Following the general step-by-step logic of how QPP is used to encrypt superposition states, illustrated in Fig. 5, it is clear that decryption can be done by applying Hermitian conjugates of the operators used for encryption in the correct order. Indeed, the operator that creates superposition states is a unitary. It was proved in [23] that Permutation Operators are unitary operators. The XOR operation used for randomization can be used again with the same key for de-randomization. Thus, it is possible to apply Permutation Operators from the Inverse Permutation Pad, followed by the Hermitian conjugate of the operator Ĥ, followed by the XOR operator with the same key to decrypt the ciphertext. Indeed, let P denote a Permutation Operator, then for each randomized 2-bit plaintext block r we have

$$ \hat{H}^{\dagger}\bigl(P^{\dagger}\bigl(P\bigl(\hat{H}(|r\rangle ) \bigr)\bigr)\bigr) = \hat{H}^{ \dagger}\bigl(P^{\dagger}P\bigr) \hat{H}|r\rangle = \hat{H}^{\dagger}\hat{H}|r \rangle = |r\rangle . $$
(16)

Suppose that \(r = m \oplus k\), where m denotes the message, and k denotes the key. Then, we have

$$ r \oplus k = (m \oplus k) \oplus k = m \oplus (k \oplus k) = m. $$
(17)

There are different ways to create Hermitian conjugate operators in Qiskit. One way that we used in our previous work [25] is to create inverse circuit consisting of the operator, for which we are looking to create Hermitian conjugate. Such circuit can be appended to the main circuit in the appropriate place. This way, although is correct, is not the most convenient. Far better way is to create conjugate transpose of the matrices and use them to create Qiskit Operator objects. In Sect. 4.3 we discuss how to create an operator by specifying the corresponding matrices row-by-row. We used this technique to create Hermitian conjugate operators. The source code for this part can be found in the Appendix. We give an example of the

figure p

where inverse_superposition_operator denotes the operator \(\hat{H}^{\dagger}\). The reader is welcome to test that this operator is indeed the Hermitian conjugate of the superposition_ operator, using for instance, the procedure illustrated in Fig. 14.

Figure 14
figure 14

An illustration of a Qiskit command that verifies that the operator \(\hat{H}^{\dagger}\) is indeed the Hermitian conjugate of the operator Ĥ

Overall, to guarantee the successful decryption we rely on the property \(U^{\dagger}U = I\), for a unitary operator U, and the properties of the classical XOR function. In the ideal case, where randomization is done using the CX gates, the same property \(U^{\dagger}U = I\) can be used for decryption since CX is a unitary operator.

To demonstrate that the decryption procedure works indeed, as specified in this section we provide the reader with Fig. 15 and Fig. 16 illustrating the measurement result of the state \(\hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|r\rangle )))\), for a randomized plaintext block \(r \in \{00,01,10,11\}\).

Figure 15
figure 15

This figure illustrates measurement results of the state \(\hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|r\rangle )))\), for some randomly chosen Permutation Operator P and \(r \in \{00,01,10,11\}\). Each circuit was executed 20,000 times on the IBM Qasm simulator. This figure illustrates the measurement results in the form of plot histogram. (a) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|00\rangle )))\). (b) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|01\rangle )))\). (c) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|10\rangle )))\). (d) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|11\rangle )))\)

Figure 16
figure 16

This figure illustrates measurement results of the state \(\hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|r\rangle )))\), for some randomly chosen Permutation Operator P and \(r \in \{00,01,10,11\}\). Each circuit was executed 20,000 times on the IBM Manila Quantum computer. This figure illustrates the measurement results in the form of plot histogram. (a) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|00\rangle )))\). (b) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|01\rangle )))\). (c) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|10\rangle )))\). (d) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P^{\dagger}(P(\hat{H}|11\rangle )))\)

4.7 Security

The security of the QPP algorithm is discussed in detail in [18, 23]. In fact, Kuang and Bettenburg showed that the QPP algorithm as described in [23] achieves perfect secrecy [18]. In this work, we apply the encryption and decryption procedures on the superposition states. Indeed, the superposition states are created and respectively transformed back into the basis states before the encryption and respectively after the decryption, without changing the QPP encryption and decryption mechanisms. We do not aim to discuss the in-depth security of the current implementation, as it deserves a separate paper, however, we will briefly mention certain security aspects that we found interesting.

Note that there are advantages and disadvantages of having the ciphertext states being superposition states. Since the only way for the attacker to obtain the ciphertext is to measure it and since the measurement destroys the superposition states, the attacker, in general, will not be able to obtain the ciphertext in its original superposition form, but rather just the corresponding measurement outcome. Meanwhile, when the ciphertext is a basis state, the adversary can learn the ciphertext directly. Thus, having the ciphertext being a superposition state disfavors the attacker and adds an extra layer of security to the scheme.

On the other hand, as discussed in Sect. 4.3, encryption of the superposition states with Permutation Operators reassigns the phases of the qubits. Thus, we must consider the case that the adversary can act on the ciphertext by acting on the phases alone and try to reassign them back. This will require the adversary to act on the ciphertext in its original form without measurement, which is not generally possible.

Recall that, unlike the Permutation Operators that are chosen to be applied at random, the single operator Ĥ is applied to each one of the initial state vectors of every encryption circuit. Moreover, the operator Ĥ is publicly shared. Thus, it is natural to examine whether knowing Ĥ leaks any information about the plaintext or the secret key. We claim that knowing the operator Ĥ does not benefit the attacker.

Suppose that the ciphertext is in the state

$$ P(\hat{H}|00\rangle ) = \frac{1}{2} \vert 00\rangle + \frac{1}{2} \vert 01 \rangle +\frac{1}{2} \vert 10\rangle +\frac{1}{2} \vert 11\rangle , $$

which is indistinguishable from the state

$$ P(\hat{H}|01\rangle ) = \frac{1}{2} \vert 01\rangle - \frac{1}{2} \vert 10 \rangle -\frac{1}{2} \vert 11\rangle +\frac{1}{2} \vert 00\rangle $$

from the point of view of the attacker. Since the attacker can not observe the superposition state, but only measure it, the adversary can not distinguish between the two. Indeed, denote the measurement result as \(m_{0}\). It is true that

$$ \Pr\bigl(m_{0} \vert \vert \phi \rangle = P(\hat{H}|00\rangle ) \bigr) = \Pr\bigl(m_{0} \vert \vert \phi \rangle = P(\hat{H}|01 \rangle )\bigr) = \frac{1}{4}. $$

In the first case, applying the operator Ĥ to the ciphertext will yield the randomized plaintext block “00”. Indeed, for any Permutation Operator P

$$\begin{aligned} P(\hat{H}|00\rangle ) &=P\biggl(\frac{1}{2} \vert 00\rangle + \frac{1}{2} \vert 01 \rangle +\frac{1}{2} \vert 10\rangle +\frac{1}{2} \vert 11\rangle \biggr) \\ & =\frac{1}{2} \vert a\rangle + \frac{1}{2} \vert b\rangle +\frac{1}{2} \vert c\rangle + \frac{1}{2} \vert d\rangle = \hat{H}|00\rangle , \end{aligned}$$
(18)

where \(a,b,c,d \in \{00,01,10,11\}\). Thus,

$$ \hat{H}^{\dagger}\bigl[P(\hat{H}|00\rangle )\bigr] = |00\rangle , $$
(19)

for any Permutation Operator P. Meanwhile, applying Ĥ to the ciphertext \(P(\hat{H}|01\rangle ) = \frac{1}{2}|01\rangle - \frac{1}{2}|10 \rangle -\frac{1}{2}|11\rangle +\frac{1}{2}|00\rangle \) will further obscure the plaintext. Consider

$$ \hat{H}^{\dagger}\bigl[P(\hat{H}|01\rangle )\bigr] = \frac{1}{4} \begin{bmatrix} 0 \\ 0 \\ -2+2i \\ -2-2i \end{bmatrix} . $$

Measuring both states will not yield any information about the plaintext, moreover, the adversary won’t be able to distinguish the original form of the ciphertext or tell which permutation operator P was used for encryption.

Another point that we would like to raise is that, in general, having ciphertext as a superposition state disables the attacker to act on it in its original form. Indeed, if the ciphertext state is a superposition state, the attacker needs to measure it which will collapse the state to a basis state.

We illustrate measurement results of the sample states \(\hat{H}^{\dagger}(P(\hat{H}|r\rangle ))\), for a randomly chosen Permutation Operator P and every \(r \in \{00,01,10,11\}\) in Fig. 17 and Fig. 18.

Figure 17
figure 17

This figure illustrates the measurement results in the form of plot histogram. Each corresponding circuit was executed 20,000 times on the IBM Qasm simulator. (a) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|00\rangle ))\). (b) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|01\rangle ))\). (c) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|10\rangle ))\). (d) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|11\rangle ))\)

Figure 18
figure 18

This figure illustrates the measurement results in the form of plot histogram. Each corresponding circuit was executed 20,000 times on the IBM Manila Quantum computer. (a) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|00\rangle ))\). (b) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|01\rangle ))\). (c) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|10\rangle ))\). (d) Plot histogram of measurement results of the state \(|\phi \rangle = \hat{H}^{\dagger}(P(\hat{H}|11\rangle ))\)

4.8 QPP and other quantum encryption schemes

A reader familiar with Quantum encryption will notice similarities between the QPP algorithm and the Quantum One-Time Pad algorithm (QOTP) [1416]. Boykin and Roychowdhury pointed out that a generic quantum algorithm to encrypt quantum data would consist of a finite number of unitary operators \(U_{k}\), used to encrypt a quantum state and their respective Hermitian conjugates \(U_{k}^{\dagger}\) are used for decryption, utilizing the property \(U_{k}^{\dagger}U_{k}|r\rangle = |r\rangle \) [14]. More explicitly, the value k is a classical secret key. The key k specifies the unitary operator \(U_{k}\) that is applied to encrypt a quantum state that represents a message. To decrypt the produced ciphertext, an operator \(U_{k}^{\dagger}\) is applied to the ciphertext state to retrieve the original state [14]. Inspired by the property \(U_{k}^{\dagger}U_{k}|r\rangle = |r\rangle \), QPP was developed with specific unitary operators in mind, namely, Permutation operators. Note that while both QPP and QOTP schemes use classical key material to determine whether to act on the plaintext qubits, and what unitary operators are acting on the given quantum state, the techniques used in the QOTP scheme are different. For instance, we have not necessarily considered permutation operators from an angle of basis gates. We use the Qiskit transpile() to express permutation operators in terms of basis gates with no particular conditions, while the QOTP scheme uses basis operators \(\sigma _{x}\) and \(\sigma _{z}\). Moreover, QPP is designed to act on basis states, producing basis states as ciphertext, while in the framework of the QOTP scheme, the ciphertext is a totally mixed quantum state. We also mention that QOTP requires 2n classical bits for encryption, while the size of the key material and the number of qubits in the framework of QPP depends on the entropy required. Note also that QPP can be implemented on both classical and quantum computers and is not limited by the quantum nature of the encryption operators used, while QOTP is truly a quantum encryption algorithm that is designed for quantum devices alone.

Another quantum encryption scheme closely related to QOTP is the \(\mathcal{EHE}\) scheme by Liang and Yang [17]. In fact, the authors refer to the QOTP as a special case of the \(\mathcal{EHE}\) scheme. Note that in [17] quantum block encryption (QBE) scheme is constructed in the form of \(\mathcal{EHE}\) encryption using two pseudorandom functions. In our work, although we break the plaintext and the secret key into blocks, QPP is not a block cipher. In this implementation, plaintext and secret key are broken into blocks due to the limitations of the current quantum computers. As the NISQ era devices improve, we will be able to implement QPP to encrypt an entire message as a whole. The \(\mathcal{EHE}\) encryption is a three-part process. First, the plaintext p is encrypted using the first quantum encryption scheme \(\mathcal{E}_{k_{1}}\), producing \(c_{1} = \mathcal{E}_{k_{1}}(p)\). Next, a transversal Hadamard transformation is then performed on \(c_{1}\), producing \(c_{1}' = Hc_{1}\). The new ciphertext \(c_{1}'\) is then encrypted again using the second quantum encryption scheme \(\mathcal{E}_{k_{2}}\), producing \(c_{2} = \mathcal{E}_{k_{2}}H\mathcal{E}_{k_{1}}(p)\). The implementation of QPP described in this work follows a similar process. Indeed, the message is first encrypted using the XOR function with the secret key. The produced state is then used to create a superposition using the operator Ĥ, which is then encrypted using QPP Permutation operators. However, we would like to point out that the QPP algorithm itself is not limited to superposition states. That is, this work explored whether QPP would benefit from introducing superposition states. The core of the QPP algorithm remains the encryption of a randomized plaintext with permutation operators, while in the framework of the \(\mathcal{EHE}\) scheme, the use of the Hadamard gate H is a significant part of the algorithm design. Liang and Yang in [17] considered the security of the scheme in terms of IND-CPA and IND-CCA properties as defined in [3336]. Note that we have not considered the current implementation in terms of IND-CPA or IND-CCA, as the focus of this work was on the implementation of the scheme. Moreover, we claim that the security of the current implementation depends largely on the choice of the operator Ĥ for the creation of the superposition states.

5 Conclusion

In this work, we report on an implementation of Kuang and Bettenburg’s symmetric Quantum Permutation Pad (QPP) algorithm used to encrypt superposition states in IBM quantum systems using the Qiskit development kit. This work builds on and extends our previous research [2426] on the implementation of the QPP algorithm used to encrypt basis states. The implementation described in this paper is fully-functioning, lightweight, and can be run on any IBM quantum system with at least 5 qubits and a Quantum Volume of 32. This implementation includes the addition of a plaintext randomization procedure which is important to the overall security of the algorithm. The focus of this work, the creation, and encryption of superposition states, was discussed in depth. We explained how these procedures are implemented and introduced an operator Ĥ established from the diagonalization of a certain permutation operator \(P_{1}\) given in this paper. This operator Ĥ was used to create the superposition states, which were then encrypted using QPP. We also briefly discuss the security of this implementation.

This work broadens the applicability of QPP for the encryption of both basis states and superposition states. In the future, we will examine if the implementation of QPP can be extended to entangled states. Moreover, we will continue analyzing the general security of the QPP algorithm used to encrypt superposition states.

Availability of data and materials

Partial data generated or analysed during this study are included in this published article and its supplementary information files. Any datasets used and/or analysed during the current study that have not been included in this published article or its supplementary information files are available from the corresponding author on reasonable request.

Abbreviations

QPP:

Quantum Permutation Pad

QKD:

Quantum KeyDistribution

QV:

Quantum Volume

CNOT:

Control-NOT gate

QRNG:

Quantum Random Number Generator

pQRNG:

Pseudo QRNG

QSDC:

Quantum Secure Direct Communication

CX:

Controlled Pauli X gate

PQC:

Post-Quantum Cryptography

References

  1. Zhong H-S, Wang H, Deng Y-H, Chen M-C, Peng L-C, Luo Y-H, Qin J, Wu D, Ding X, Hu Y, Hu P, Yang X-Y, Zhang W-J, Li H, Li Y, Jiang X, Gan L, Yang G, You L, Wang Z, Li L, Liu N-L, Lu C-Y, Pan J-W. Quantum computational advantage using photons. Science. 2020;370(6523):1460–3.

    Article  ADS  Google Scholar 

  2. Arute F, Arya K, Babbush R, Bacon D, Bardin J, Barends R, Biswas R, Boixo S, Brandao F, Buell D, Burkett B, Chen Y, Chen Z, Chiaro B, Collins R, Courtney W, Dunsworth A, Farhi E, Foxen B, Martinis J. Quantum supremacy using a programmable superconducting processor. Nature. 2019;574:505–10.

    Article  ADS  Google Scholar 

  3. Wolf R. Quantum key distribution: an introduction with exercises. Lecture notes in physics. vol. 988. Cham: Springer; 2021.

    Book  MATH  Google Scholar 

  4. Seito T, Shikata J. Trend survey on post-quantum cryptography and its standardization. Syst Control Inf. 2021;65(2):60–6.

    Google Scholar 

  5. Maimut D, Simion E. Post-quantum cryptography and a (qu)bit more. In: Innovative security solutions for information technology and communications. Lecture notes in computer science. Cham: Springer; 2019. p. 22–8.

    Chapter  Google Scholar 

  6. Almazrooie M, Samsudin A, Abdullah R, Mutter KN. Quantum reversible circuit of aes-128. In: Quantum information processing 17(5). 2018. p. 1–30. https://doi.org/10.1007/s11128-018-1864-3.

    Chapter  MATH  Google Scholar 

  7. Langenberg B, Pham H, Steinwandt R. Reducing the cost of implementing the advanced encryption standard as a quantum circuit. IEEE Trans Quantum Eng. 2020;1:1–12. https://doi.org/10.1109/TQE.2020.2965697.

    Article  Google Scholar 

  8. Wang Z, Wei S, Long G. A quantum circuit design of AES. (2021). arXiv:2109.12354.

  9. Zou J, Wei Z, Sun S, Liu X, Wu W. Quantum circuit implementations of aes with fewer qubits. 2020. https://doi.org/10.1007/978-3-030-64834-3_-.

  10. Deng F-G, Long GL, Liu X-S. Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Physical Review A. 2003;68(4). https://doi.org/10.1103/physreva.68.042317.

  11. Deng F-G, Long GL. Secure direct communication with a quantum one-time pad. Physical Review A. 2004;69(5). https://doi.org/10.1103/physreva.69.052319.

  12. Zhang W, Ding D-S, Sheng Y-B, Zhou L, Shi B-S, Guo G-C. Quantum secure direct communication with quantum memory. Physical Review Letters. 2017;118(22). https://doi.org/10.1103/physrevlett.118.220501.

  13. Hu Z, Kais S. A quantum encryption design featuring confusion, diffusion, and mode of operation. Sci Rep. 2021. https://doi.org/10.1038/s41598-021-03241-8.

    Article  Google Scholar 

  14. Boykin PO, Roychowdhury V. Optimal encryption of quantum bits. Phys Rev A. 2003;67:042317. https://doi.org/10.1103/PhysRevA.67.042317.

    Article  ADS  Google Scholar 

  15. Mosca M, Tapp A, de Wolf R. Private Quantum Channels and the Cost of Randomizing Quantum Information. 2000. https://doi.org/10.48550/ARXIV.QUANT-PH/0003101.

  16. Leung DW. Quantum vernam cipher. 2000. https://doi.org/10.48550/ARXIV.QUANT-PH/0012077.

    MATH  Google Scholar 

  17. Liang M, Yang L. Block encryption of quantum messages. Quantum Inf Process. 2020;19. https://doi.org/10.1007/s11128-020-2612-z.

  18. Kuang R, Bettenburg N. Shannon perfect secrecy in a discrete Hilbert space. In: 2020 IEEE international conference on Quantum Computing and Engineering (QCE). 2020. p. 249–55. https://doi.org/10.1109/QCE49297.2020.00039.

    Chapter  Google Scholar 

  19. Kuang R, Lou D, He A, Conlon A. Quantum safe lightweight cryptography with quantum permutation pad. In: 2021 IEEE 6th International Conference on Computer and Communication Systems (ICCCS). 2021. p. 790–5. https://doi.org/10.1109/ICCCS52626.2021.9449247.

    Chapter  Google Scholar 

  20. Kuang R, Lou D, Alex He AC. Quantum secure lightweight cryptography with quantum permutation pad. ASTES J. 2021;6(4):790–5. https://doi.org/10.25046/aj060445.

    Article  Google Scholar 

  21. Lou D, Kuang R, He A. Entropy transformation and expansion with quantum permutation pad for 5g secure networks. In: 2021 IEEE 21st International Conference on Communication Technology (ICCT). 2021. p. 840–5. https://doi.org/10.1109/ICCT52962.2021.9657891.

    Chapter  Google Scholar 

  22. Kuang R, Lou D, He A, McKenzie C, Redding M. Pseudo quantum random number generator with quantum permutation pad. In: 2021 IEEE international conference on Quantum Computing and Engineering (QCE). 2021. p. 359–64. https://doi.org/10.1109/QCE52317.2021.00053.

    Chapter  Google Scholar 

  23. Kuang R, Barbeau M. Quantum permutation pad for universal quantum-safe cryptography. Quantum Inf Process. 2022;21:211.

    Article  ADS  MathSciNet  MATH  Google Scholar 

  24. Kuang R, Perepechaenko M. Quantum encryption with quantum permutation pad in ibmq systems. EPJ Quantum Technol. 2022;9:26. https://doi.org/10.1140/epjqt/s40507-022-00145-y.

    Article  Google Scholar 

  25. Perepechaenko M, Kuang R. Quantum encrypted communication between two IBMQ systems using quantum permutation pad. In: 2022 11th international conference on communications, circuits and systems (ICCCAS). Singapore: IEEE; 2022. p. 146–52. https://doi.org/10.1109/ICCCAS55266.2022.9824836.

    Chapter  Google Scholar 

  26. Perepechaenko M, Kuang R. Quantum encryption and decryption in IBMQ systems using quantum permutation pad. J Commun. 2022;17:972–8. https://doi.org/10.12720/jcm.17.12.972-978

    Article  Google Scholar 

  27. Shende VV, Prasad AK, Markov IL, Hayes JP. Synthesis of reversible logic circuits. IEEE Trans Comput-Aided Des Integr Circuits Syst. 2003;22(6):710–22. https://doi.org/10.1109/TCAD.2003.811448.

    Article  Google Scholar 

  28. Illiano J, Caleffi M, Manzalini A, Cacciapuoti AS. Quantum Internet protocol stack: A comprehensive survey. Comput Netw. 2022;213:109092. ISSN 1389-1286. https://doi.org/10.1016/j.comnet.2022.109092.

    Article  Google Scholar 

  29. Cacciapuoti AS, Illiano J, Koudia S, Simonov K, Caleffi M. The Quantum Internet: Enhancing Classical Internet Services One Qubit at A Time. IEEE Netws. 2022;36(5):6–12. https://doi.org/10.1109/MNET.001.2200162.

    Article  Google Scholar 

  30. NIST: Computer Security Division, I.T.L.: Post-quantum cryptography: PQC. Last accessed on 01/10/23. https://csrc.nist.gov/Projects/post-quantum-cryptography.

  31. Kuang R, Perepechaenko M, Barbeau M. A new post-quantum multivariate polynomial public key encapsulation algorithm. Quantum Inf Process. 2022;21. https://doi.org/10.1007/s11128-022-03712-5.

  32. Kuang R, Perepechaenko M, Barbeau M. A new quantum-safe multivariate polynomial public key digital signature algorithm. Scientific Reports. 2022;12. https://doi.org/10.1038/s41598-022-15843-x.

  33. Xiang C, Yang L. Indistinguishability and semantic security for quantum encryption scheme. 2015. https://doi.org/10.48550/ARXIV.1506.05944.

  34. Alagic G, Broadbent A, Fefferman B, Gagliardoni T, Schaffner C, Jules MS. Computational security of quantum encryption. In: Lecture notes in computer science. Berlin: Springer; 2016. p. 47–71.

    Google Scholar 

  35. Liang M, Yang L. Public-key encryption and authentication of quantum information. Sci China Phys Mech Astron. 2012;55. https://doi.org/10.1007/s11433-011-4806-y.

  36. Broadbent A, Jeffery S. Quantum homomorphic encryption for circuits of low t-gate complexity. In: Lecture notes in computer science. Berlin: Springer; 2015. p. 609–29.

    Google Scholar 

Download references

Acknowledgements

Authors acknowledge IBM for their free of charge 5-qubit quantum computers used for this study.

Authors’ information

Affiliations: Quantropi Inc., Ottawa, ON, Canada, ON K1Z 8P9.

Funding

Authors have no funding to report.

Author information

Authors and Affiliations

Authors

Contributions

Both authors contributed to the work described in this paper. Mrs. Perepechaenko prepared the manuscript and the authors jointly reviewed the manuscript and approved the submission. Dr. Kuang majorly contributed to the development and the advancement of the QPP algorithm. Mrs. Perepechaenko proposed to consider superposition states in the framework of QPP and contributed on the implementation of QPP in IBMQ systems described in this paper as well as the security analysis given in this work.

Corresponding author

Correspondence to Maria Perepechaenko.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Both authors have approved the publication. The research in this work did not involve any human, animal or other participants.

Competing interests

The authors declare no competing interests.

Appendix

Appendix

We include a source code for the implementation described in this work. Current version of the source code as well as the more detailed implementation code is available upon request to the corresponding author.

figure v

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Perepechaenko, M., Kuang, R. Quantum encryption of superposition states with quantum permutation pad in IBM quantum computers. EPJ Quantum Technol. 10, 7 (2023). https://doi.org/10.1140/epjqt/s40507-023-00164-3

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1140/epjqt/s40507-023-00164-3

Keywords