
Perfect Secrecy and Security

as a change in either one of the two component states.

Example 2.4 Consider the possible results of measuring the EPR state (2.11). The observer tries to observe system $S_1$ first, then system $S_2$. From the definition of the state

$$\psi_0^{[12]} = c_1\,|00\rangle + c_2\,|11\rangle = c_1\,|0\rangle^{[1]}|0\rangle^{[2]} + c_2\,|1\rangle^{[1]}|1\rangle^{[2]}$$

it can be seen that the result of the measurement will be $|0\rangle^{[1]}|0\rangle^{[2]}$ with probability $c_1^2$, or $|1\rangle^{[1]}|1\rangle^{[2]}$ with probability $c_2^2$. The first system will either be found to be in state $|0\rangle$ or in state $|1\rangle$. If it is found in state $|0\rangle$, then subsequent measurement of the second system will yield $|0\rangle$ with certainty. If it is found in state $|1\rangle$, then subsequent measurement of the second system will yield $|1\rangle$ with certainty.

2.2 Perfect Secrecy and Security

Next, a handful of concepts from Shannon's theory of information will be presented. Of interest to us is the application of information theory to cryptographic systems¹². Formal definitions of the notion of security will also be given.

As explained at length in Chapter 1, the objective of a cryptographic protocol is to code messages in such a manner as to prevent an enemy, such as an eavesdropper, from learning their content. The situation is described by two sets of probabilities; the so-called a priori probabilities quantify the likelihood of a particular message and key being chosen in the first instance; they represent the enemy's a priori knowledge. When a cryptogram is intercepted, the enemy can compute a posteriori probabilities of key and message combinations.

The set of possible messages is termed the message space $\{m_i\}$. The probability that message $m_i$ is chosen for transmission is written $P(M) = \Pr\{M = m_i\}$, where $M$ is a random variable over the message space. One can similarly define the probability that a key $k_i$ is chosen as $P(K) = \Pr\{K = k_i\}$, and the probability $P(E) = \Pr\{E = e_i\}$ that cryptogram $e_i$ is intercepted. Keys are chosen from a key space $\{k_i\}$ and cryptograms from a space $\{e_i\}$, while $K$ and $E$ are random variables over these spaces.

The a priori probability $P(E|M) = \Pr\{E = e_i \mid M = m_i\}$ determines with what likelihood the cryptogram $e_i$ is produced when message $m_i$ is to be transmitted. On the other hand, when $e_i$ is intercepted by an enemy, she can compute with what probability $m_i$ was the chosen message; this latter is the a posteriori probability of message $m_i$ "given cryptogram $e_i$" and is written $P(M|E) = \Pr\{M = m_i \mid E = e_i\}$.

Note that the enemy is assumed to know the cryptographic mechanism being used by the sender¹³, as well as the probabilities $P(K)$ of choosing various keys. The a priori and a posteriori probabilities are related quite simply through Bayes' theorem:

$$P(M|E) = \frac{P(M)\,P(E|M)}{P(E)} \qquad (2.13)$$

Shannon also developed the theoretical notion of perfect secrecy:

22 ❦ Chapter 2. A Survey of Quantum Protocols and Security Criteria

probabilities are equal to the a priori probabilities, whatever their value:

$$P(E|M) = P(E)$$

and conversely

$$P(M|E) = P(M)$$

Perfect secrecy is achieved only in a system where intercepting a cryptogram gives absolutely no information about the content of the message it represents.

The most basic concept in information theory is entropy, which quantifies the amount of uncertainty associated with any datum or, put otherwise, the amount of information generated when a datum is first produced. In a cryptographic system there is uncertainty associated with the choice of message,

$$H(M) = -\sum_{M} P(M)\log P(M) \qquad (2.14)$$

as well as uncertainty associated with the choice of key:

$$H(K) = -\sum_{K} P(K)\log P(K) \qquad (2.15)$$

When the concept of entropy is applied within the context of a cryptosystem, a useful measure of the system’s secrecy results; this is termed the equivocation, given by

$$H(K|E) = -\sum_{E,K} P(E,K)\log P(K|E) \quad \text{for keys} \qquad (2.16)$$

$$H(M|E) = -\sum_{E,M} P(E,M)\log P(M|E) \quad \text{for messages} \qquad (2.17)$$

where $P(E,K)$ is the probability that key $K$ and cryptogram $E$ occur together; $P(E,M)$ is similarly defined.

When considering any cryptosystem, one associates with it a formal level of security. The strongest possible definition of security is based on Shannon’s ideas:

Definition 2.3 (Unconditional Security) A cryptosystem with messages $M$, keys $K$, and cryptograms $E$ is perfectly or unconditionally secure if an enemy with unlimited computational power can learn nothing about a message $m_i$ given the matching cryptogram $e_i$. This requires that:

1. the key used should be at least as long as the message, i.e. $|k_i| \geq |m_i|$.

2. the same key is never used twice, i.e. every key is used with equal probability and, for all messages $m_i$ and cryptograms $e_i$, there is a unique key $k_i$ that matches $m_i$ to $e_i$.

A cryptosystem rarely achieves perfect security; the most well-known example of a perfectly secure system is the one-time pad, described previously in section 1.3.2. There exist weaker definitions of security, which ascribe limited computational power to the enemy¹⁴:
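The a priori and a posteriori probabilities, Bayes' theorem (2.13), Shannon's perfect-secrecy criterion, the entropies (2.14) and (2.15), the equivocations (2.16) and (2.17), and the two conditions of Definition 2.3 can all be checked numerically on a toy cryptosystem. The following is an added worked example, not code from the thesis: it takes a constructed non-uniform distribution over two-bit messages, encrypts with the one-time pad (key as long as the message, all keys equiprobable) and with a constructed "weak pad" whose single key bit is stretched over both message bits, and computes the quantities above from the a priori data alone, as the enemy who knows the mechanism and $P(K)$ would. The function and constant names (`xor_pad`, `analyse`, `MESSAGES`, `OTP_KEYS`, `WEAK_KEYS`, and so on) are this example's own.

```python
# Added worked example (not from the thesis): a priori and a posteriori
# probabilities, Bayes' rule (2.13), perfect secrecy, entropy (2.14)/(2.15)
# and equivocation (2.16)/(2.17) for a toy cryptosystem over bit tuples.
# The message distribution, key sets and the name "weak pad" are constructed
# for illustration; exact arithmetic uses fractions.Fraction.
from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import log2


def xor_pad(m, k):
    """One-time-pad rule: cryptogram e = m XOR k, bitwise."""
    return tuple(a ^ b for a, b in zip(m, k))


def analyse(message_dist, key_dist, encrypt):
    """Derive P(E), P(E|M), P(M|E), P(K|E), P(E,M), P(E,K) from the
    a priori distributions P(M) and P(K) and the encryption rule."""
    p_e_given_m = defaultdict(Fraction)   # P(E=e | M=m)
    p_e_k = defaultdict(Fraction)         # P(E=e, K=k)
    for (m, pm), (k, pk) in product(message_dist.items(), key_dist.items()):
        e = encrypt(m, k)
        p_e_given_m[(e, m)] += pk         # enemy knows the mechanism and P(K)
        p_e_k[(e, k)] += pm * pk
    p_e_m = {(e, m): message_dist[m] * p for (e, m), p in p_e_given_m.items()}
    p_e = defaultdict(Fraction)
    for (e, m), p in p_e_m.items():
        p_e[e] += p
    # Bayes' theorem (2.13): P(M|E) = P(M) P(E|M) / P(E)
    p_m_given_e = {(m, e): message_dist[m] * p_e_given_m[(e, m)] / p_e[e]
                   for (e, m) in p_e_m}
    p_k_given_e = {(k, e): p / p_e[e] for (e, k), p in p_e_k.items()}
    return {"P(E)": dict(p_e), "P(M|E)": p_m_given_e, "P(K|E)": p_k_given_e,
            "P(E,M)": p_e_m, "P(E,K)": dict(p_e_k)}


def is_perfectly_secret(message_dist, key_dist, encrypt):
    """Shannon's criterion: P(M|E) = P(M) for every m and every intercepted e."""
    a = analyse(message_dist, key_dist, encrypt)
    return all(p == message_dist[m] for (m, e), p in a["P(M|E)"].items())


def has_unique_key_property(message_dist, key_dist, encrypt):
    """Definition 2.3, condition 2: for every (m, e) exactly one key maps m to e."""
    keys = list(key_dist)
    cryptograms = {encrypt(m, k) for m in message_dist for k in keys}
    return all(sum(1 for k in keys if encrypt(m, k) == e) == 1
               for m in message_dist for e in cryptograms)


def entropy(dist):
    """H(X) = -sum P(x) log2 P(x), in bits; equations (2.14) and (2.15)."""
    return -sum(float(p) * log2(p) for p in dist.values() if p)


def equivocation(joint, conditional):
    """H(X|E) = -sum_{E,X} P(E,X) log2 P(X|E); equations (2.16) and (2.17).
    `joint` maps (e, x) -> P(E=e, X=x); `conditional` maps (x, e) -> P(X=x | E=e)."""
    return -sum(float(p) * log2(conditional[(x, e)])
                for (e, x), p in joint.items() if p)


# Constructed example distributions: two-bit messages, non-uniform a priori.
MESSAGES = {(0, 0): Fraction(1, 2), (0, 1): Fraction(1, 4),
            (1, 0): Fraction(1, 8), (1, 1): Fraction(1, 8)}
# One-time pad: key as long as the message, all 4 keys equiprobable.
OTP_KEYS = {k: Fraction(1, 4) for k in product((0, 1), repeat=2)}
# "Weak pad" (constructed): one key bit stretched over both message bits,
# so the key is effectively shorter than the message and condition 1 fails.
WEAK_KEYS = {(0, 0): Fraction(1, 2), (1, 1): Fraction(1, 2)}


def summary(key_dist):
    """Entropies, equivocations and the Definition 2.3 checks for MESSAGES
    under the given key distribution."""
    a = analyse(MESSAGES, key_dist, xor_pad)
    return {"H(M)": entropy(MESSAGES), "H(K)": entropy(key_dist),
            "H(M|E)": equivocation(a["P(E,M)"], a["P(M|E)"]),
            "H(K|E)": equivocation(a["P(E,K)"], a["P(K|E)"]),
            "perfect": is_perfectly_secret(MESSAGES, key_dist, xor_pad),
            "unique_key": has_unique_key_property(MESSAGES, key_dist, xor_pad)}


if __name__ == "__main__":
    for name, keys in (("one-time pad", OTP_KEYS), ("weak pad", WEAK_KEYS)):
        print(name, summary(keys))
```

Under the one-time pad every cryptogram has $P(E) = 1/4$ and $P(E|M) = 1/4$, so Bayes' rule returns $P(M|E) = P(M)$ for every pair and the message equivocation $H(M|E)$ equals $H(M)$: interception yields nothing. Under the weak pad the cryptogram $00$ has $P(E) = 5/16$ and $P(M = 00 \mid E = 00) = 4/5$, well above the a priori $1/2$, and $H(M|E)$ drops from $1.75$ bits to about $0.80$ bits; the unique-key check also fails, since no key maps $00$ to $01$. Note that even for the one-time pad $H(K|E)$ equals $H(M)$ rather than $H(K)$: once $e$ is known, the key is exactly as uncertain as the message, which is why condition 1 requires $H(K) \geq H(M)$ in the first place.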

Definition 2.4 (Computational Security) A cryptosystem is computationally secure if the best known algorithm for breaking it requires an unreasonably large amount of computational resources.