3. Quantum fingerprinting

The ideas of the fingerprinting technique in the quantum setting for the first time appeared in [4]. The authors used a succinct presentation of the classical input by a quantum automata state, which resulted in an exponential improvement over classical algorithm. Later in the works of [12] the ideas were developed further to give an arbitrarily small probability of error. This was the basis for the general quantum fingerprinting framework proposed in [11].

However, the term "quantum fingerprinting" is mostly used in scientific literature to address a seminal paper [5], where this notion first appeared explicitly. To distinguish between different versions of the quantum fingerprinting techniques, the fingerprinting function from [5] is called as "binary" (since it uses some binary error-correcting code in its construction), whereas the fingerprinting from [11] is called "q-ary" for it uses presentation of the input in ℤq.

#### 3.1. Binary quantum fingerprinting

The quantum fingerprinting function was formally defined in [5], where it was used for quantum equality testing in a quantum communication model. It is based on the notion of a binary error-correcting code.

An (n, k, d) error-correcting code is a map C :Σ<sup>k</sup> !Σ<sup>n</sup> such that, for any two distinct words <sup>w</sup>, w0 ∈ Σ<sup>k</sup> , the Hamming distance d(C(w), C(w<sup>0</sup> )) between code words C(w) and C(w<sup>0</sup> ) is at least d. The code is binary if Σ = {0, 1}.

The construction of the quantum fingerprinting function is as follows.

Conventionally, we use notation |i〉 for the vector from H<sup>d</sup>

20 Advanced Technologies of Quantum Key Distribution

<sup>⊗</sup><sup>s</sup> to a quantum state |ψ(w)〉∈(ℋ<sup>2</sup>

ψ : f ψ<sup>0</sup> 

 

computational basis.

function) to be mapping

)

where U(w) is a unitary matrix.

with respect to computational basis.

3. Quantum fingerprinting

3.1. Binary quantum fingerprinting

binary error-correcting code.


and 0 elsewhere. An orthonormal basis |1〉, … ,|d〉 is usually referred to as the standard

We let ℤ<sup>q</sup> to be a finite additive group of Z/qZ, the integers modulo q. Let Σ<sup>k</sup> be a set of words of length <sup>k</sup> over a finite alphabet <sup>Σ</sup>. Let <sup>X</sup> be a finite set. In this paper, we let <sup>X</sup> <sup>¼</sup> <sup>Σ</sup><sup>k</sup> or <sup>X</sup> <sup>¼</sup> <sup>ℤ</sup>q. For K ¼ ∣X∣ and integer s ≥ 1, we define a (K;s) classical-quantum function (or just quantum

In order to outline a computational aspect and present a procedure for quantum function ψ, we define ψ to be a unitary transformation (determined by an element w ∈ X) of the initial state

> ) ⊗s

Extracting information on w from |ψ(w)〉 is a result of measurements of quantum state |ψ(w)〉. In this chapter, we consider quantum transformations and measurements of quantum states

The ideas of the fingerprinting technique in the quantum setting for the first time appeared in [4]. The authors used a succinct presentation of the classical input by a quantum automata state, which resulted in an exponential improvement over classical algorithm. Later in the works of [12] the ideas were developed further to give an arbitrarily small probability of error. This was the basis for the general quantum fingerprinting framework proposed in [11].

However, the term "quantum fingerprinting" is mostly used in scientific literature to address a seminal paper [5], where this notion first appeared explicitly. To distinguish between different versions of the quantum fingerprinting techniques, the fingerprinting function from [5] is called as "binary" (since it uses some binary error-correcting code in its construction), whereas

The quantum fingerprinting function was formally defined in [5], where it was used for quantum equality testing in a quantum communication model. It is based on the notion of a

the fingerprinting from [11] is called "q-ary" for it uses presentation of the input in ℤq.

g � <sup>X</sup> ! <sup>ℋ</sup><sup>2</sup> <sup>⊗</sup> <sup>s</sup> <sup>ψ</sup>ð Þi ¼ <sup>w</sup> U wð Þ <sup>ψ</sup><sup>0</sup>

<sup>ψ</sup> : <sup>X</sup> ! <sup>ℋ</sup><sup>2</sup> <sup>⊗</sup> <sup>s</sup> or <sup>ψ</sup> : <sup>w</sup> <sup>↦</sup> <sup>j</sup>ψð Þi <sup>w</sup> : (2)

(3)

 ,

, which has a 1 on the i-th position


$$|\psi\_{\mathbb{F}\_{\mathbb{E}}}(w)\rangle = \frac{1}{\sqrt{n}}\sum\_{i=1}^{n} |i\rangle |E\_i(w)\rangle. \tag{4}$$

Original paper of [5] used this function to construct a quantum communication protocol that tests equality in the simultaneous message passing (SMP) model with no shared resources. This protocol requires O(log n) qubits to compare n-bit binary strings, which is exponentially smaller than any classical deterministic or even randomized protocol in the SMP setting with no shared randomness. The proposed quantum protocol has one-sided error of 1/2(1 + 〈ψFE (x)| ψFE (y)〉 2 ), where |ψFE (x)〉 and |ψFE (y)〉 are two different quantum fingerprints. Their inner product |〈ψFE (x)| ψFE (y)〉| is bounded by ε, if the Hamming distance of the underlying code is (1 � ε)n. Thus, ε is determined by the chosen errorcorrecting code. For instance, Justesen codes mentioned in the paper give ε < 9/10 + 1/(15c) for any chosen c > 2.

In the same paper, it was shown that this result can be improved by choosing an errorcorrecting code with Hamming distance between any two distinct code words (1 � ε)n/2 and (1 + ε)n/2 for any ε > 0 (however, the existence of such codes can only be proved nonconstructively via probabilistic argument).

Further research on this topic mostly used the following phase presentation version of quantum fingerprinting. We define the quantum fingerprinting function ψ: {0, 1}<sup>k</sup> !(ℋ<sup>2</sup> ) <sup>⊗</sup><sup>s</sup> determined by a word w as

$$\psi\_{\mathbb{F}\_{\mathbb{E}}}(w) = \frac{1}{\sqrt{n}} \sum\_{i=1}^{n} (-1)^{\mathbb{E}i(w)} |i\rangle \tag{5}$$

This function gives the following bound for the fingerprints of distinct inputs

$$\left| \left\langle \psi\_{F\_{\mathbb{E}}}(\mathbf{x}) | \psi\_{F\_{\mathbb{E}}}(\mathbf{y}) \right\rangle \right| = \frac{1}{n} \sum\_{i=1}^{n} \left( -1 \right)^{E\_i(w) \oplus E\_i(w')} = \frac{n - d(E(w), E(w'))}{n} \le \varepsilon \tag{6}$$

#### 3.2. q-ary quantum fingerprinting

In this section, we demonstrate the generalization of binary fingerprinting function to the q-ary case. General technique is presented in [11, 15]. Here, we present the idea using specific Boolean function g : {0, 1}<sup>n</sup> !{0, 1} where g(σ) = 1 iff σ = 0 mod sq. We treat σ also as an integer encoded by binary string σ.

To test g, we rotate the initial state |0〉 of a single qubit by an angle θ = πσ/q:

$$|0\rangle \to |\psi(\sigma)\rangle = \cos\theta |0\rangle + \sin\theta |1\rangle\tag{7}$$

program is a circuit with ability to test in each of its computational step a needed bit of an input. Such circuit is a realization of a program that uses only "if then else" and "go to"

Definition 1 ([18]) A Quantum Branching Program Q over the Hilbert space ℋ<sup>d</sup> is defined as

Vectors |ψ〉∈ ℋ<sup>d</sup> are called states (state vectors) of Q, |ψ0〉∈ ℋ<sup>d</sup> is the initial state of Q.

) to the current state |ψ〉 to obtain the state |ψ

1

Uj σij � � <sup>0</sup>

1

j¼l

Accepting of an input sequence is a result of measuring of final state |ψ(σ)〉 in computational basis and is formalized as follows. Let Accept⊆{1, 2, …d} be the set of indices of accepting basis states. After the l-th (last) step of quantum transformation, Q measures its configuration |ψσ〉 =

Figure 1. Branching program in the form of circuit. Variables xi<sup>1</sup> , … , xil denoting classical control (input) bits. Single

wires carry quantum information, and double wires denote classical information and control.

@

<sup>j</sup>ψ σð Þ〉 <sup>¼</sup> <sup>Y</sup>

We define a computation of Q on an input σ = σ<sup>1</sup> , … , σn∈ {0, 1}<sup>n</sup> as follows:

2. The j-th instruction of Q reads the input symbol σij (the value of xij

<sup>T</sup> and the input σ is accepted with probability

Q ¼ T; ψ<sup>0</sup>

� � � �

.

, � (9)

On Quantum Fingerprinting and Quantum Cryptographic Hashing

http://dx.doi.org/10.5772/intechopen.70692

23

, Uj(0), Uj(1)) is determined by variable xij tested on the

0 〉 = Uj(σij

) and applies the transition

)|ψ〉.

Ajψ0〉: (10)

primitives. We use the definition from [18]

where T is a sequence of l instructions: Tj = (xij

matrix Uj = Uj(σij

3. The final state is

(α1, …, αd)

step j, and Uj(0) and Uj(1) are unitary transformations in ℋ<sup>d</sup>

1. A computation of Q starts from the initial state |ψ0〉.

Then, this state |ψ(σ)〉 is measured and the input σ is accepted iff the result of the measurement is |0〉.

Obviously, this quantum state is �|0〉 iff σ = 0 mod q. In the worst case, this algorithm gives the one-sided error of cos<sup>2</sup> π(q � 1)/q, which can be arbitrarily close to 1.

The above description can be presented as follows using log t + 1 = (log log q) + 1 qubits:

$$\underbrace{|0\rangle\otimes\cdots\otimes|0\rangle}\_{\log t}\otimes|0\rangle \to \frac{1}{\sqrt{t}}\sum\_{i=1}^{t}|i\rangle(\cos\theta\_i|0\rangle + \sin\theta\_i|1\rangle),\tag{8}$$

where <sup>θ</sup><sup>i</sup> <sup>¼</sup> <sup>2</sup>πsi<sup>σ</sup> <sup>q</sup> and the set S = {s1, …,st} ⊆ ℤ<sup>q</sup> is chosen in order to guarantee the small probability of error [11, 15]. That is, the last qubit is simultaneously rotated in t different subspaces by corresponding angles θi.

The above q-ary quantum fingerprinting method can be presented in the following procedure:


In [11, 15, 16], we have applied this technique to construct efficient quantum algorithms for a certain class of Boolean functions in the model of read-once quantum branching programs [17].

#### 3.2.1. Quantum branching programs

Branching program is a well-known computational model in computer science, also known as a binary decision diagram in Applied Computer Science. Informally speaking, branching program is a circuit with ability to test in each of its computational step a needed bit of an input. Such circuit is a realization of a program that uses only "if then else" and "go to" primitives. We use the definition from [18]

Definition 1 ([18]) A Quantum Branching Program Q over the Hilbert space ℋ<sup>d</sup> is defined as

$$Q = \langle T, |\psi\_0\rangle\rangle. \tag{9}$$

where T is a sequence of l instructions: Tj = (xij , Uj(0), Uj(1)) is determined by variable xij tested on the step j, and Uj(0) and Uj(1) are unitary transformations in ℋ<sup>d</sup> .

Vectors |ψ〉∈ ℋ<sup>d</sup> are called states (state vectors) of Q, |ψ0〉∈ ℋ<sup>d</sup> is the initial state of Q.

We define a computation of Q on an input σ = σ<sup>1</sup> , … , σn∈ {0, 1}<sup>n</sup> as follows:


3.2. q-ary quantum fingerprinting

22 Advanced Technologies of Quantum Key Distribution

Boolean function g : {0, 1}<sup>n</sup>

one-sided error of cos<sup>2</sup>

where <sup>θ</sup><sup>i</sup> <sup>¼</sup> <sup>2</sup>πsi<sup>σ</sup>

by corresponding angles θi.

{|j〉|0〉: j∈ {1, …, t}}.

<sup>q</sup> Þj0<sup>i</sup> <sup>⊗</sup> log <sup>t</sup>

3.2.1. Quantum branching programs

cos <sup>2</sup>πsl<sup>σ</sup>

j0〉 ⊗⋯⊗ j0〉 |fflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflffl} log t

1. The initial state of the quantum register is |0〉

3. Based on the input <sup>σ</sup>, its fingerprint is created: <sup>1</sup>ffi

j0i þ …

2. The Hadamard transform creates the uniform superposition <sup>1</sup>ffi

is |0〉.

encoded by binary string σ.

In this section, we demonstrate the generalization of binary fingerprinting function to the q-ary case. General technique is presented in [11, 15]. Here, we present the idea using specific

Then, this state |ψ(σ)〉 is measured and the input σ is accepted iff the result of the measurement

Obviously, this quantum state is �|0〉 iff σ = 0 mod q. In the worst case, this algorithm gives the

π(q � 1)/q, which can be arbitrarily close to 1. The above description can be presented as follows using log t + 1 = (log log q) + 1 qubits:

> ffiffi <sup>t</sup> <sup>p</sup> <sup>X</sup><sup>t</sup> i¼1

bility of error [11, 15]. That is, the last qubit is simultaneously rotated in t different subspaces

The above q-ary quantum fingerprinting method can be presented in the following procedure:

4. The Hadamard transform turns the fingerprint into the state <sup>j</sup>ψ〉 <sup>¼</sup> <sup>1</sup>

5. The quantum state |ψ〉 is measured and the input is accepted iff the result is |0〉

In [11, 15, 16], we have applied this technique to construct efficient quantum algorithms for a certain class of Boolean functions in the model of read-once quantum branching programs [17].

Branching program is a well-known computational model in computer science, also known as a binary decision diagram in Applied Computer Science. Informally speaking, branching

<sup>q</sup> and the set S = {s1, …,st} ⊆ ℤ<sup>q</sup> is chosen in order to guarantee the small proba-

⊗ log t |0〉.

> t <sup>p</sup> P<sup>t</sup>

<sup>j</sup>¼<sup>1</sup> <sup>j</sup>j〉 cos

To test g, we rotate the initial state |0〉 of a single qubit by an angle θ = πσ/q:

<sup>⊗</sup> <sup>j</sup>0〉 ! <sup>1</sup>

!{0, 1} where g(σ) = 1 iff σ = 0 mod sq. We treat σ also as an integer

j0i ! jψ σð Þi ¼ cos θj0i þ sin θj1i (7)

jiið cos θij0i þ sin θij1iÞ, (8)

t p Pt j¼1

2πsjσ

<sup>q</sup> <sup>j</sup>0〉 <sup>þ</sup> sin <sup>2</sup>πsj<sup>σ</sup>

� �

jjij0iof the basis states

<sup>q</sup> j1〉

.

t P<sup>t</sup> l¼1

⊗ log t |0〉.

�

$$|\psi(\sigma)\rangle = \left(\prod\_{j=l}^{1} \mathcal{U}\_{\mathfrak{f}}(\sigma\_{i\_{j}})\right) |\psi\_{0}\rangle. \tag{10}$$

Accepting of an input sequence is a result of measuring of final state |ψ(σ)〉 in computational basis and is formalized as follows. Let Accept⊆{1, 2, …d} be the set of indices of accepting basis states. After the l-th (last) step of quantum transformation, Q measures its configuration |ψσ〉 = (α1, …, αd) <sup>T</sup> and the input σ is accepted with probability

Figure 1. Branching program in the form of circuit. Variables xi<sup>1</sup> , … , xil denoting classical control (input) bits. Single wires carry quantum information, and double wires denote classical information and control.

$$Pr\_{\text{accept}}(\sigma) = \sum\_{i \in \text{Accept}} |\alpha\_i|^2. \tag{11}$$

Pr½ � Y ¼ X ≤

prove effectiveness of this construction.

The following definition was presented in [24].

Definition 3 Let <sup>ε</sup> > 0. We call a quantum function <sup>ψ</sup> : <sup>X</sup> ! <sup>ℋ</sup><sup>2</sup> <sup>⊗</sup> <sup>s</sup>

of different inputs, |〈ψ(w)|ψ(w<sup>0</sup>

to get small probability of collision, that is, if one tests states |ψ(w)〉 and |ψ(w<sup>0</sup>

Informally speaking, we need two states |ψ(w)〉 and |ψ(w<sup>0</sup>

〉 (see [6, 25] for more information).

elements v, w ∈ X, it is true that |〈ψ(v)|ψ(w)〉| ≤ ε. Then,

Proof. From the description of SWAP test, it follows that


Prswap½ �¼ v ¼ w

4.2. Collision ε resistance

quantum testing procedures.

4.2.1. Testing equality

see for example [6].

4.2.1.1. REVERSE test


for any pair w, w<sup>0</sup>

So, extracting an information on input σ from state |ψ(σ)〉 in conditions of Property 1 is "hard." The effectiveness of computation |ψ(σ)〉 depends on construction of quantum hash function ψ. In Section 4.4, we consider quantum hash function construction based on small-biased sets and

)〉| ≤ ε.

then a testing procedure should give positive result with a small probability. We start with

The crucial procedure for quantum hashing is an equality test for |ψ(v)〉 and |ψ(w)〉 that can be used to compare encoded classical messages v and w. This procedure can be a well-known SWAP test [5] or something that is adapted for specific hashing function, like REVERSE test,

The SWAP test is the known quantum test for the equality of two unknown quantum states

We denote PrSWAP[v = w] a probability that the SWAP test having quantum hashes |ψ(v)〉 and

Property 2 ([6]) Let function ψ: w↦|ψ(w)〉 satisfy the following condition. For any two different

1

Prswap½ � v ¼ w ≤

1

The test for equality, which we are presenting here, was first mentioned in [6]. In our paper [25], we call this test a REVERSE test. This test checks if a quantum state |ψ〉 is a hash of an element v by applying the procedure that inverts the creation of a quantum quantum

2s

<sup>2</sup><sup>k</sup> : (13)

http://dx.doi.org/10.5772/intechopen.70692

On Quantum Fingerprinting and Quantum Cryptographic Hashing

a collision ε-resistant function if

)〉 for equality,

25

)〉 that is almost orthogonal in order

<sup>2</sup> <sup>1</sup> <sup>þ</sup> <sup>ε</sup><sup>2</sup> : (14)

<sup>2</sup> <sup>1</sup> þ j〈ψð Þ<sup>v</sup> j j <sup>ψ</sup>ð Þ <sup>w</sup> 〉 <sup>2</sup> : (15)

#### 3.2.2. Circuit representation

Quantum circuits are good formalism for quantum algorithms representation [19, 20]. A quantum branching programs can be viewed as a quantum circuit aided with an ability to read classical bits as control variables for unitary operations (see Figure 1).
