The single-qubit OWF can be defined as f c q : { 0,1 } n → H 2 , whose input is an integer s ∈ Z 2 n and whose output is the state of a quantum system, say ψ s θ n . For the sake of simplicity, we present a specific single-qubit OWF in the context of single-qubit states lying on the x − z plane of the Bloch-sphere. A general qubit state lying on the x − z plane can be written as ψ θ = cos θ 2 0 + sin θ 2 1 , where 0 ≤ θ < 2π, ϕ = 0, is shown in Figure 1. Hence, unlike the classical bit, which can store a discrete variable taking only two real values (that is “0” and “1”), a qubit may represent a continuum of states on the x − z plane. Introducing the rotation operator about the y axis, R ̂ θ = e − i θ Y ̂ / 2 with Y ̂ = i 1 0 − 0 1 , we may alternatively write O ̂ ( θ ) : ψ θ = R ̂ θ 0 .

The input of the proposed single-qubit OWF is a random integer s ∈ Z 2 n ≔ { 0,1 , … . , 2 n − 1 | n ∈ N } uniformly distributed over Z 2 n with n ≫ 1, and a qubit initially prepared in 0 . Thus, n-bit strings suffice as labels to identify the input s for fixed n. For given values of n ∈ N and s ∈ Z 2 n , the qubit state is rotated by sθ _n around the y axis with θ _n = π/2 ⁿ⁻¹. For some fixed n ∈ N , the output of the OWF pertains to the class of states Q n = ψ s θ n s ∈ Z 2 n , θ n = π / 2 n − 1 , with O ̂ ( n , s ) : ψ s θ n ≡ R ̂ s θ n 0 = cos s θ n / 2 0 + sin s θ n / 2 1 . Therefore, the single-qubit OWF f _cq described previously maps from an arbitrary n-bit classical string to the two-dimensional Hilbert space, which can also be expressed as f c q : { n , s } → ψ s θ n .

However, in quantum public-key encryption, we use a one-way function with multiple integers input and multiple qubits output, so we define the CQ-OWF based on the single-qubit OWF as follows: consider two sets, S and Q , which involve numbers and quantum states of a physical system, respectively. The input S includes an arbitrary integer string s of length k, i.e., s = s 1 , s 2 , … , s k , with ∀ s j ∈ Z 2 n independently. The output Q contains k-qubit states, which are mapped independently depending on each item s _j of the input set S to obtain Ψ s θ n ≡ ⊗ j = 1 k ψ s j θ n j . The mapping of the CQ-OWF is F c q : { n , s } → Ψ s θ n , which operates the mapping procedure of the single-qubit OWF f c q : { n , s } → ψ s θ n k times.

Theorem 1

The function denoted as F c q : { n , s } → Ψ s θ n consisting of k single-qubit OWF blocks, is a secure CQ-OWF with the following properties:

Deterministic: the same input always results in the same output.

Proof. As follows, we first prove the one-wayness of the single-qubit OWF and then the one-wayness of the CQ-OWF.

To further illustrate the two expressions “easy to compute” and “hard to invert,” a quantum system initially prepared in a state of 0 is considered, and let H 2 be its corresponding Hilbert space. We apply an operation O ̂ n , s : H 2 ↦ H 2 on the system with a randomly selected s ∈ Z 2 n . This operation converts the initial state such that 0 → ψ s θ n = O ̂ n , s . The ensemble of all probable output states of the single-qubit OWF is Q n ≡ ψ s θ n | s ∈ Z 2 n , and corresponds to H 2 . In case, the mapping M : Z 2 n ↦ Q n is a bijection, there is a unique s ∈ Z 2 n , i.e., M is one-to-one and Z 2 n = Q n . Consequently, we conclude that the single-qubit OWF meets the properties “deterministic.”

It is common knowledge that the mapping { n , s } → ψ s θ n must be “easy to compute.” For a given s ∈ Z 2 n , the transformation on the system 0 → ψ s θ n , can be efficiently executed on a single-qubit OWF. For a given pair of integers n , s , the function 0 → ψ s θ n is easy to compute since it involves single-qubit rotations only. In particular, it is known that any single-qubit operation can be simulated to an arbitrary accuracy of ϵ > 0 by a quantum algorithm involving a universal set of gates (i.e., Hadamard, phase, controlled-NOT, and π/8 gates) [28]. Additionally, this simulation is efficient since its implementation requires an overhead of resources that scales polynomially with log(ϵ ⁻¹). In a nutshell, there is always a family of quantum circuits C = { C i } i > 0 involving a universal set of gates for f _cq such that ∀s ∈ {0,1} ⁿ , ‖ C i ‖ ≤ O ( log ( ϵ − 1 ) ) .

Inversion of the map { n , s } → ψ s θ n must be a “hard” problem by virtue of some fundamental principles of quantum mechanics. The number of non-orthogonal states increases as we increase n, whereas for n ≫ 1 we have the nearest-neighbor overlap ψ s θ n ψ s + 1 θ n = cos θ n / 2 → 1 . Distinguishing between the two can be infeasible by virtue of the quantum uncertainty principle. To get the detailed information of the quantum state ψ s θ n , we must resort to measurements, which inevitably interfere with the quantum state. According to the theorem of Holevo [28], the classical information extracted from a single quantum bit by measurement is at most 1 bit. When n is fixed, a random selection of s ∈ Z 2 n requires n bits for recognition. Thus, we can conclude that the mapping is hard to invert when n is larger than 1 and sufficiently large. In fact, we do not publish n, which makes it more difficult to invert the mapping. Given a state ψ s θ n chosen at random from an unknown set Q n ≡ ψ s θ n | s ∈ Z 2 n , there is no efficient quantum algorithm C − 1 = { C i − 1 } i > 0 to recover the integer s from the given state ψ s θ n with a non-negligible probability. In other words, for all the family of quantum circuits C⁻¹ and for all n sufficiently large, it is always the case that their probability of getting back the correct input x is Pr ( C i − 1 ( f c q ( x ) ) = x ) ≤ 1 2 n .

Hence, we see that for a given n ≫ 1, the map { n , s } → ψ s θ n acts as a secure QOWF that is “easy to compute” but “hard to invert,” and the quantum one-way function under consideration is provably secure [27]. Furthermore, we will discuss the CQ-OWF proposed by Nikolopoulos, which consists of a number of single-qubit OWF blocks stitched together and whose validity can be statistically compared to a single-qubit OWF.

In general, there will always exist a family of quantum circuits C = { C i } i > 0 involving a universal set of gates for F _cq such that ∀ s ∈ {0,1} ^nk , ‖ C i ‖ ≤ O ( k log ( ϵ − 1 ) ) . For all families of quantum circuits C⁻¹ and for all n sufficiently large, it is always the case that their probability of getting back the correct input x is Pr ( C i − 1 ( F c q ( x ) ) = x ) ≤ ( 1 2 n ) k t . Eventually, we can conclude that the function F c q : { n , s } → Ψ s θ n is one-way function, which is “easy to compute” but “hard to invert.”

Choose a random integer string s of length k, i.e., s = s 1 , s 2 , … , s k , with s _j chosen independently of Z 2 n and then apply R ̂ j s j θ n rotations to the j-th qubit. Until here, we defined the secret key as S k = n , s and the public key as e = k , Ψ s pk θ n , with the k-qubit state Ψ s pk θ n ≡ ⊗ j = 1 k ψ s j θ n j . Clearly, in the proposed protocol, the secret key is classical, whereas the public key is quantum as it involves the state of k qubits, and ψ s j θ n are presented in Section 3. Moreover, note that its copying does not violate the no-cloning theorem.

Assume a sender wants to transfer a k-bit string m ≜ m ₁, m ₂, …, m _k , with m j ∈ 0,1 to a receiver. To encrypt the message, the sender will take the following steps without altering the order of the public-key qubits:

(1) Obtain authentic public key e.

To recover the plaintext m from the cipher state Ψ s , m c θ n , the receiver needs to perform the following steps:

(1) Undo initial rotations, i.e., to apply R ̂ ( j ) ( s j θ n ) − 1 to the j-th qubit of the cipher state.

In the introduction to quantum public-key cryptography [27], only one encryption method is included, which is R ̂ ( j ) ( m j π ) . Under this situation, it is always easy for the receiver (with the secret key) to get the encoded message m (here, b defaults to 0) when he receives the cipher state. In other words, the information encoded on the public key is plaintext information to the receiver. Given that we are designing an all-or-nothing OT protocol, the protocol requires that the receiver Bob cannot learn the message in more than 50% of the cases. Therefore, we will make relevant improvements to qPKE construction to satisfy the probabilistic transfer condition. In our improved version, we extend the encryption method into two, namely, R ̂ ( j ) ( m j π ) and R ̂ ( j ) ( m j π + π 2 ) , corresponding to the coding basis b = 0 and b =, respectively. Note that if the coding basis is known, Bob can get the encoded message m with probability 1. However, if Bob does not possess the coding basis, after undoing initial rotations, Bob will not be able to determine the measurement basis to get the exact encoded m. In this article, we set the coding basis at R ̂ ( j ) ( m j π + b π 2 ) where b ∈ {0, 1}. Here, we define basis 0 , 1 as computational and basis + , − as Hadamard. In the following section, we will discuss why Bob can receive bit m j ′ = m j with a probability of 1 when choosing the correct basis.

In Section 3.2, we would like to analyze the encryption encoding method ψ s j , m j θ n j = R ̂ j ( m j π + b π 2 ) ψ s j θ n j in further detail. It means that when m _j = 0 and b = 0, there is ψ s j , 0 θ n j = R ̂ j 0 ψ s j θ n j = cos s j θ n 2 0 j + sin s j θ n 2 1 j .

When b = 1, there is ψ ′ s j , 0 θ n j = R ̂ j π 2 ψ s j θ n j = cos s j θ n 2 + j + sin s j θ n 2 − j , where + = R ̂ ( π / 2 ) 0 , − = R ̂ ( π / 2 ) 1 . We would like to point out that for a single qubit, the cipher states ψ s j , 0 θ n j and ψ ′ s j , 0 θ n j are non-orthogonal when encoding the same binary bit with different encoding methods, and no quantum circuit can distinguish them, i.e., the indistinguishability of non-orthogonal states of quantum physics. Similarly, it means that when m _j = 1, b = 0, there is ψ s j , 1 θ n j = R ̂ j π ψ s j θ n j = cos s j θ n 2 1 j + sin s j θ n 2 0 j .

When b = 1, there is ψ ′ s j , 1 θ n j = R ̂ j π + π 2 ψ s j θ n j = cos s j θ n 2 − j + sin s j θ n 2 + j .

In contrast, encoding different binary bits with the same encoding method, the cipher states ψ ′ s j , 0 θ n j and ψ ′ s j , 1 θ n j are orthogonal and can be distinguished by performing a measurement with a probability of 1.

In Section 3.3, we would like to point out that the aforementioned two steps are basically equivalent to a von Neumann measurement, which projects the jth qubit onto the basis ψ s j θ n , R ̂ π ψ s j θ n . Here, we notice that R ̂ j α − 1 = R ̂ j α † = R ̂ j − α , while different rotations around the same axis commute, i.e., R ̂ j α , R ̂ j β = 0 . Next, we first describe the state after undoing the initial rotations in further detail, which means that when m _j = 0, b = 0, there is R ̂ j s j θ n − 1 ψ s j , 0 θ n j = cos 0 0 j + sin 0 1 j = 0 j → m j = 0 , where 0 = 1 2 ( + + − ) and when b = 1, there is R ̂ j s j θ n − 1 ψ ′ s j , 0 θ n j = cos 0 + j + sin 0 − j = + j → m j = 0 , where + = 1 2 ( 0 + 1 ) . It means that when m _j = 1, b = 0, there is R ̂ j s j θ n − 1 ψ s j , 1 θ n j = cos 0 1 j + sin 0 0 j = 1 j → m j = 1 .

When b = 1, there is R ̂ j s j θ n − 1 ψ ′ s j , 1 θ n j = cos 0 − j + sin 0 + j = − j → m j = 1 .

We can see that the quantum state after undoing the original rotation will only be in one of the four most common states { 0 , + , 1 , − } , which is the reason why we additionally picked R ̂ ( j ) ( m j π + b π 2 ) . So far, we can record the measurements with the two common measurement bases, namely, computational and Hadamard. If Bob has chosen the correct basis, the correct m _j is obtained with a probability of 1. Otherwise, the correct m _j is obtained with a probability of just 1/2.

In summary, the improvement version, which does not change the original features of qPKE construction, still guarantees secure communication. To be compatible with the proposed oblivious transfer scheme, new encryption has been added to ensure that Bob cannot distinguish between the two encryption methods. In addition, the inherent property of qPKE is not broken, i.e., the message can always be correctly decrypted by following the correct steps. Lastly, we have agreed on only two bases, computational and Hadamard, to ensure that the protocol is oblivious.

Notice that, unlike the classical public keys that can be reused unlimited times, in the qPKE construction, the same public key e can also be reused, but it cannot be reused unlimited times. The public and secret keys need to be replaced after the security factor is exceeded, i.e., the upper bound needs to be bounded as follows: I(x, d) ≤ kN. When N copies of the public key circulate simultaneously, the mutual information between Eve and the key I(x, d) increases, and the confidentiality of the secret key is always guaranteed if log 2 | N ̃ | + k n ̄ ≫ k N . In the proposed OT scheme, the public key is not required to be used many times, so the communication process of qPKE is still secure within this boundary. As a result, while the qPKE is not strictly speaking public-key encryption, it can still be used to design an all-or-nothing OT scheme.

In the following paragraphs, we prove the soundness of the proposed protocol: if both Alice and Bob are honest, then with a probability of 1/2 + ϵ(k), Bob will get the correct message, where ϵ(k) is a negligible function of the size of the message m = m ₁ m ₂…m _k . Bob is aware of whether he received the correct message or not, but Alice is not. As mentioned previously, the message can be recovered using the random key, and the information Bob receives about the random key consists of two parts: one belonging to the cipher state sent by Alice, and the other belonging to its hash value. It has shown that, by the nature of the digest algorithm, the hash function does not help Bob recover the random key r. This is because the hash is obtained in a lossy and irreversible way.

Without loss of generality, assume that Alice chooses b = 0, i.e., the computational method R ̂ ( j ) ( m j π ) is chosen to encode each qubit of the cipher state. The qubits Alice sent to Bob are the following: ψ = ⊗ j = 1 k t R ̂ s j θ n + r j π 0 = ⊗ j = 1 k t cos s j θ n + r j π 2 0 + sin s j θ n + r j π 2 1 .

In the opening phase, Bob receives the secret key S _k from Alice, where s = s ₁ s ₂…s _k . Later, he undoes their initial rotations, i.e., to apply R ̂ ( j ) ( − s j θ n ) to the jth qubit of the cipher state. The states he gets are either 0 or 1 . In fact: ψ ′ = ⊗ j = 1 k t R ̂ − s j θ n R ̂ s j θ n + r j π 0 = ⊗ j = 1 k t R ̂ r j π 0 = ⊗ j = 1 k t cos r j π 2 0 + sin r j π 2 1 = r j .

By the assumption b′ = 0, Bob chooses to measure each qubit on the basis of 0 , 1 , and the result is r _j with a probability 1. Clearly, there is r′ = r and h(r′) = d. Moreover, he can get the whole message m = ⊕ i = 1 t r ̄ i .

By the assumption b′ = 1, Bob chooses to measure each qubit on the basis of + , − , and the result r j ′ is r _j with a probability 1/2. More specifically, if r _j = 0, then the aforementioned state becomes 0 = cos ( π / 4 ) + + sin ( π / 4 ) − and by measuring the qubit with { + , − } Bob gets the correct result with a probability cos²(π/4) = 1/2. Likewise, if r _j = 1, then the aforementioned state becomes 1 = cos ( π / 4 ) − − sin ( π / 4 ) + and again Bob gets the correct bit with the probability 1/2. Not knowing b, Bob might make the wrong measurement basis on each qubit, and thus obtains a random key r′ differing from r in 1/2 of its bit positions (of course Bob does not know which ones). In this case, for Bob, the end of the protocol is just getting a random number with no meaning.

The two cases, b′ = b and b′ ≠ b, occur both with a probability of 1/2. While in the first case Bob always gets r correctly, in the second case, the probability of getting correct r _j is 1/2. Hence, the probability that Bob will get the whole random key r is Pr ψ ′ → r = Pr b ′ = b × Pr r | b ′ = b + Pr b ′ ≠ b × Pr r | b ′ ≠ b = 1 2 + 1 2 ∏ j = 1 k t cos 2 π 4 = 1 2 + 1 2 k t + 1 , where ϵ(k) = 1/2 ^kt+1 is negligible. Therefore, Alice is unaware of whether Bob received the correct message or not.

However, Bob can check whether he has recovered the correct random key r by comparing his hash value h(r′) with the second part of the received information d. According to the properties of the hash function, the probability of the first part of the hash value matching the second part is negligible in the case of Alice’s coding basis being different from the measurement basis chosen by Bob.

In this section, we show that if Alice is honest, the probability of Bob recovering the message to transfer before the opening phase is negligible.

This part of the statement follows directly from the security of the qPKE construction. The entropy of the entire secret key is given by the joint entropy H n , s of the unknown n and s. H d = H n + H s | n = log 2 N ̃ + ∑ v ∈ N ̃ p v H s | n = v = log N ̃ + k n u + n 1 / 2 , where n is distributed uniformly over a finite interval N ̃ = n 1 , n u , n 1 ≫ 1 . It can be seen that the secret key space is related to the range of n and the number of qubits (k). Obviously, the space of secret keys can be huge, and it is meaningless to pick them randomly from an infinite space. It follows that from the quantum public key, the possibility of achieving the inverse operation to obtain the secret key is negligible, which guarantees the unidirectionality of the one-way function.

In addition, the secrecy of the secret key is guaranteed by the fact that the preparation of the public key state is unknown to everyone except Alice before the opening phase. The state of each qubit of the public key is randomly chosen by Alice and is independent of the other qubits. As proven in [27], with a proper choice of n, the qPKE construction is secure against unauthorized users based on the uncertainty principle. Therefore, with the same choice of a proper n, the unidirectionality of the one-way function ensures that Bob cannot learn the message that Alice meant to send before the opening phase, and the protocol is a concealing one.

Furthermore, after the opening phase, Bob recovers the message with, up to a negligible value, a probability 1/2 + ϵ(k). This part of the description can be attributed to the fact that after Bob receives the secret key from Alice in the opening phase, there is still no strategy to get the whole encoded random key.

The proposed scheme divides the random key r into t successive units of bits r ̄ i , ( 1 ≤ i ≤ t ) , the random key of each unit represents the shared unit, and the message remains secret for any t − 1-shared units. To retrieve the message, dishonest Bob needs to know information about every shared unit, i.e., he needs to infer the correct measurement basis without destroying any of the shared units. This cannot be carried out.

Now consider dishonest Bob. First, we analyze the optimal cheating strategy if Bob has infinite ability. Bob chooses a basis to measure the quantum state, and if the projection is successful, i.e., the correct basis is chosen, he will further calculate to get the message. If the projection fails, Bob recovers the quantum state and then chooses another measurement basis and measures the quantum state again to obtain the message. However, both non-demolition measurements of qubits are out of technological reach today and could remain hard for a very long time for high k values [30]. Bob must therefore seek other strategies, such as utilizing the several qubits present in a shared unit to infer the coding basis with a probability greater than 1/2.

After undoing the initial rotation of the quantum state, Bob will get the following state: ψ ′ = ⊗ j = 1 k t R ̂ − s j θ n R ̂ s j θ n + b π 2 + r j π 0 = ⊗ j = 1 k t cos b π / 2 + r j π 2 0 + sin b π / 2 + r j π 2 1 .

Let 0 x = + , 1 x = − ; there is ψ ′ = ⊗ j = 1 k t r j if b = 0, and there is ψ ′ = ⊗ j = 1 k t r j x if b = 1. However, to Bob, ψ ′ j is randomly in one of the states { 0 , 1 } or { + , − } , i.e., ψ ′ j is a maximally mixed state whose density matrices are ρ = 1 2 ( 0 0 + 1 1 ) = I 2 . No measurement that Bob made could distinguish the maximally mixed state. Furthermore, for more effective cheating, Bob might perform a joint measurement on ψ ′ to replace the one qubit measurement. But his capability of cheating should not increase, as this is equal to measuring a maximally mixed state with multi-dimension. Consequently, dishonest Bob can only guess the basis successfully with a probability of 1/2.

In summary, Bob can only infer whether the measurement basis is correct by parity bits, i.e., he has to try one basis to measure several shared units. According to the idea of secret sharing (any t − 1-shared units will get nothing about the message), these shared units would also be irreversibly damaged, making it impossible for him to obtain the message.

To conclude our discussion on security, we demonstrate that the protocol is oblivious. At the end of the protocol, Alice is unaware of whether Bob has received the message or not. The no-communication theorem may be referenced in this section of the statement. It should be noted that Alice’s attacks should not have the effect of making it difficult for Bob to know for sure whether he obtained the correct message or not, as this would go against the original objective of OT.

Theorem 2

(No-communication theorem). During the measurement of an entangled quantum state, it is not possible for one observer, by measuring a subsystem of the total state, to communicate information to another observer. The theorem gives conditions under which such transfer of information between two observers is impossible.

As can be seen, Alice communicates with Bob in one-way communication, in which Bob performs local operations and measurements without communicating with Alice. Here, no follow-up communication of entanglement can be used to exchange and obtain information; therefore Alice has no way of knowing through entanglement whether Bob has chosen the correct measurement basis. Otherwise, one could achieve faster-than-light communication, thus explicitly violating causality and the principle of relativity. Indeed, what entanglement effects are the correlations: Bell inequalities are given in terms of various correlation functions, and the violation of local realism can be observed only upon distant observers exchanging the results of their local measurements. Alice honestly chooses the coding basis, sends the quantum state to Bob, and does not receive any feedback from Bob. Therefore, based on the no-communication theorem, Alice is oblivious to whether Bob gets the message or not.

On the one hand, dishonest Alice could not convince Bob that the lack of access to the message was his own business without being detected as cheating. For this reason, Bob can check whether Alice is cheating by following the steps as follows: first, Bob measures the quantum bits at position [1, kt/2]. Each bit d _i of the hash value d = h(r) is the parity of the ith unit of the message; hence, all the bits of the digest are mutually independent. If he always observes the parity bit d _i matching the shared unit r ̄ i in the opening phase, Bob can be sure that Alice is not cheating. Otherwise, he will choose another basis to measure the remaining quantum bits, and if he fails to observe matching parity bits, this means that Alice cheated and the protocol is terminated. Alice still does not know which basis Bob will use to check the second half. Therefore, she has to be honest, and she does not know whether Bob received the correct message or not.

On the other hand, dishonest Alice cannot ensure that Bob always gets the message. Entanglement attacks do not work, so Alice will look for other strategies, such as the existence of a quantum state that will collapse to a certain bit r _j with a high probability, regardless of Bob’s choice. In the proposed scheme, Bob getting the correct message depends on whether he chooses the basis that is consistent with Alice’s basis { 0 , 1 } and { + , − } . Any single quantum state can be written in the following form: ψ = α 0 + β 1 = α + β 2 + + α − β 2 − , where α 2 + β 2 = 1 . It is obvious that such a quantum state does not exist. Therefore, it does not convince Bob that he has chosen the correct measurement basis because d and h(r′) are not always the same.

Finally, we discuss the relationship between an all-or-nothing oblivious transfer protocol and the no-go theorem in two aspects. On the one hand, it is clear that the all-or-nothing OT protocol is based on a one-way function rather than any quantum bit commitment scheme, so it does not conflict with the result that an unconditionally secure QBC scheme cannot be achieved within non-relativistic physics [13]. On the other hand, the purposes of malicious Alice’s attack are different. In bit commitment, Alice may want to change what she has committed, while in oblivious transfer, Alice may want to know whether Bob receives the right state. Therefore, in the all-or-nothing OT, Alice may use coherence to change the coding basis, however, which is not Alice’s purpose.