^{1}

^{2}

^{3}

^{4}

^{3}

The image security problem is an important area in information security, and image encryption plays a vital role in this day. To protect the image encryption from the attack of quantum algorithm appeared recently, an image encryption method based on quantum Fourier transformation is proposed here. First, the image encryption and Fourier transformation are discussed here, then a encryption function is proposed. Second, a quantum Fourier transformation is introduced to quantum encryption, and the full step of quantum encryption is given as well. Third, the security of the proposed quantum encryption if analyzed, and some proposition s are also presented. Lastly, some conclusions are indicated and some possible directions are also listed.

Image encryption technology won great attention recently because of its complexity. [

Image encryption method often includes space encryption and condenses encryption. [

However, the appearance of quantum computing brought a great challenge to classic encryption methods. At the same time, quantum encryption also gives us an absolutely secure encryption method. For example, [

In quantum image encryption, the efficiency of transformation plays an important role, especially the Fourier transformation [

Section 2 defines the general notion of privacy for quantum key distribution. Section 3 contains preliminaries, basic rules and the general model used to analyze the protocol. In Section 4, the protocol is described. Section 5 contains the analysis of privacy protection.

Through bringing the ideal into this work from P D γ a brilliant estimation of this Fourier transform of P D γ is required, which denoted by η_{1/}_{r}. It might be illustrated that since 1 / r ≪ τ 1 ( D ∗ ) one has the estimation

η 1 / r ( x ) ≈ exp ( − π ( r ⋅ dist ( D * , x ) ) 2 ) (1)

Therefore, η 1 / r ( x ) ≈ 1 for any χ ∈ D ∗ (as a matter of fact a par holds) as well as one avoids D ∗ , its value drop off. For the dot not far from distance, for example, 1/r from this fretwork, its significance is still a little positive constant (approximately exp ( − π ) ). As the length from D ∗ increases, the significance of the purpose quickly changes into triffling. Because the length between any two matrixes in D ∗ is at any rate τ 1 ( D ∗ ) ≫ 1 / r , the normal distribution around each point of D ∗ are well fell apart.

Let us begin to try to comprehend what the distinguishing difference P D / p , r / p looks like. Point out that this image matrix D/p compound of p ∈ translates of the primal image matrix D that’s to say, as for each a ∈ O p ∈ , consider the set

D + D a / p = { D b / p | b ∈ O ∈ , b mod p = a } (2)

Then, { D + D a / p | a ∈ O P ∈ O } establishes a division of D/p. what’s more, it could be depicted that since r/p is bigger than the system parameter η ∈ ( D ) , the possibility distributed to each D + D a / p under P D / p , r / p is fundamentally alike, that is, p − ∈ . Intuitively, in addition to system parameter, the normal measure not any more “sees” the discerning construction of D, so distinguished from others, it is not influenced by translations.

It guided us to think about the next dispersion, name it P. A example from P is a pair ( a , y ) from which y is sampled P D / p , r / p , and a ∈ O p ∈ is such that y ∈ D + D a / p .

Now the Fourier transform of P D + D a / p , r / p is presently analyzed. When “a” is zero, the Fourier transform is known as f p / r . For universal a, a stock calculation illustrated that the Fourier transform of P D + D a / p , r / p is granted by

exp ( 2 π i 〈 a , T ( x ) 〉 / p ) ⋅ η p / r ( x ) (3)

where T ( x ) ∈ O p is outlined as

T ( x ) = ( D ∗ ) − 1 k D ∗ ( χ ) mod p ,

and k p ∗ ( χ ) gives the only hide vector in D ∗ to χ . Put differently, T ( x ) is the vector of constant number of the vector in D ∗ hide to x when laid out in the foundation of D ∗ , shrink possibility p. therefore seeing that the Fourier transform P D + D a / p , r / p is basically f p / r , besides that each “hill” has its unique phase as a support for the vector of constant number of the image matrix dot in its center. The visual aspect of those phases is as a termination of a famous dimension of the Fourier transform, given that translation is transmuted with phase to multiplication.

For two real numbers x and y > 0 , generally, x mod y can be defined as χ / y | y for χ ∈ R , ⌊ χ ⌋ is defined as the integer closest to x or, in case of existing two such integers, the small one of the two. For any integer p ≥ 2 , O p is written for the cyclic group { 0 , 1 , p − 1 } with addition possibility p.

As two possibility density functions λ_{1}，λ_{2} on R ∈ , the statistical length between them is defined as

Δ ( λ 1 , λ 2 ) = ∫ R ∈ | λ 1 ( x ) − λ 2 ( x ) | d x (4)

(as this definition observing, the statistical length ranges in [ 0 , 2 ] . A allied definition can be showed for sensible random variables. The statistical length satisfies the triangle inequality, it’s to say, for any, λ 1 , λ 2 , λ 3

Δ ( λ 1 , λ 3 ) ≤ Δ ( λ 1 , λ 2 ) + Δ ( λ 2 , λ 3 ) (5)

Another significant fact is that the statistical length cannot increase by using a possibility function f, that’s to say,

Δ ( η ( X ) , η ( Y ) ) ≤ Δ ( X , Y ) (6)

Retrieve that the normal distribution with variance a^{2} and mean 0 is the distribution on R illustrated by the density function 1 2 π σ exp ( − 1 / 2 ( x σ ) 2 )

where exp(y) denotes e^{y}. Also see from that the summary of two mean = 0 independent variables with variances σ 1 2 and σ 2 2 is also a normal variable. A vector x and any ω > 0 , let

Q w ( x ) : = exp ( − π ‖ x / w ‖ 2 ) (7)

be a normal function measured by a component of s. if denoted M1 by p. Note that ∫ R ∈ Q ω ( x ) d x = ω ∈ Therefore,

s ω : = Q ω / ω ∈ (8)

is an n-dimensional chance density function and like what have mentioned above, if apply s to denote s_{1}. Functions are expended to sets in the normal way; that’s to say, Q s ( A ) = ∑ x ∈ A Q ω ( x ) for any countable matrix A. For any vector c ∈ R ∈ , if defined Q ω ， c ( χ ) = Q ω ( χ − C ) to be a shifted version of Q ω . The next example bounds the sum by which Q δ ( χ ) can deduce by a little change in χ .

For all ω , t , l > 0 and χ , y ∈ R ∈ with ‖ χ ‖ ≤ t and ‖ χ − y ‖ ≤ 1 ,

Q w ( y ) ≥ ( 1 − π ( 2 l t + l 2 ) / w 2 ) Q ω (x)

Using the inequality e − z ≥ 1 − z ,

Q w ( y ) = e − π ‖ y w ‖ 2 ≥ e − π ( ‖ x ‖ w + 1 w ) 2 = e − π ( 2 l ‖ x ‖ w 2 + ( 1 w ) 2 ) Q w ( x ) ≥ ( 1 − π ( 2 l t + l 2 ) / w 2 ) Q ω ( x ) (9)

As the option of basis is obvious, if write M ( D ) instead of M ( s 1 , ⋯ , s ∈ ) . For a point χ ∈ R ∈ , χ mod M ( D ) is defined as the only point y ∈ M ( D ) such that y − x ∈ D . if denote by det ( D ) the volume of the primal parallelepiped of D or equivalently, the determinant’ absolute value of the matrix with the basis image matrixes of matrix ( det ( D ) is an image matrix invariant, to be exactly, it is free from the option of basis). The double of a image matrix D in R ∈ , denoted D ∗ , is the image matrix illustrated by the set of all matrixes y ∈ R ∈ such that 〈 x , y 〉 ∈ 0 for all matrixes x ∈ D . In the same way, given a basis ( s 1 , ⋯ , s ∈ ) of an image matrix, define the double basis as the vector set ( s 1 ∗ , ⋯ , s ∈ ∗ ) such that 〈 s i s j ∗ 〉 = δ i j for all i j ∈ [ ∈ ] where ω i j denotes the weight delta, in another word, 1 if i = j and 0 other than. With a little abuse of notation, people often use D for the ϵ x ϵ matrix whose columns are s 1 , ⋯ , s ∈ With this notation, find that D * = ( D T ) − 1 . Because of that, it shows that det ( D ∗ ) = 1 / det ( D ) . At another case, for a point s ∈ D , D − 1 s is written to illuminate the integer coefficient vector of s.

Because of the iterative step, the algorithm can be expressed as follows. Allow r i denote r ⋅ ( α p / ∈ ) i The algorithm begin with producing ∈ c samples from P D γ 3 ∈ On account of r 3 ∈ is indeed large, this samples can be computed expeditiously by a unproblematic procedure. The next comes the most essential part of the algorithm: for i = 3 ∈ , 3 ∈ − 1 , ⋯ 1 the algorithm applies t s ∈ c samples from P D , r ′ i _{ }to produce ∈ c samples from P D , r i − 1 by naming the iterative step ∈ c times. Finally, it ends up with ∈ c samples from P D , r 0 = P D , r as well as people finish the algorithm by uncomplicated outputting the initial of them. Note the next essential answer: applying ∈ c samples from P D , r i , there will have the ability to bring forth the same number of samples ∈ c from P D , r i − 1 (actually, people could even give forth more than ∈ c examples). The algorithm would not operate if only generate, in another word, ∈ c / 2 samples.

Now eventually get to depict the iterative step by us. Retrieve that as input the ∈ samples from P D , r and there will be supposed to give forth a sample from P D , r , where r 1 = r ∈ / ( a p ) . What’s more, r is knowable and assured to be at least 2 P f q ( D ) , which can be illustrated to illuminate that p / r < τ 1 ( D ∗ ) / 2 . From what have illustrated in the former passage, the exact lower related to r does not count much for this summary; it’s adequate to remember that r is adequately larger than (D), and that 1/r is adequately smaller than τ 1 (D∗)

The algorithm composed of two primary parts. In that passage, there will be described as a classical algorithm that applying W and the samples from P D , r ,

solve CVP D * , α p / ( 2 r ) . There, what illustrate a encryption algorithm is that, showed an oracle that solves CVP D * , α p / ( 2 r ) , outputs a example from P D , r ∈ / ( α p ) .

This is the unique encryption element in this essay. People find that the condition is content since ( 2 r ) ≤ 1 / f q ( D ) ≤ τ 1 ( D ∗ ) / 2

In a fast quantum Fourier transformation, the first aim is to produce a quantum announcement in relate to η 1 / r . with formality, it could be described as

∑ x ∈ R ∈ η 1 / r | x 〉 (10)

Taking account of some possibility distribution P on some image matrix D and its Fourier transform f : R ∈ → C , defined as

η ( x ) = ∑ y ∈ D P ( y ) exp ( 2 π i 〈 x , y 〉 ) = E x p y ~ P [ exp ( 2 π i 〈 x , y 〉 ) ] (11)

where in the second equality. the sum is simply be rewrote as an expectation. By definition, η is D ∗ -periodic, that’s to say, η ( x ) = η ( x + y ) for any χ ∈ R ∈ and y ∈ D ∗ It can compute an estimation of η to within ± 1 / poly ( ∈ ) . If y 1 , ⋯ , y N are N = poly ( ∈ ) independent samples from P, and then

f ( x ) ≈ 1 N ∑ j = 1 N exp ( 2 π i 〈 x , y j 〉 ) (12)

where the estimation is to within ± 1 / poly ( n ) and poses with possibility exponentially just about 1, presuming that N is a large adequate multinomial.

Let q = q ( ∈ ) be a negligible function, p = p ( ∈ ) ≥ 2 be an integer, and a = a ( ∈ ) ∈ ( 0 , 1 ) be a real number. presume that way to an oracle W that solves quantum oracle, given a multinomial number of examples. As for an ϵ-dimensional image matrix D, some 0 < d < τ 1 ( D ) / 2 , and an integer p ≥ 2 , there is an algorithm solves CVP D , d ( p ) if, depicted any point x ∈ R ∈ within distance d of D, it outputs D − l k 1 ( x ) mod p ∈ O P mod p ∈ O P , the coefficient matrix to x deduced possibility p. Here shows a reduction from CVP D , d to CVP D , d ( p ) .

There is an effective algorithm for given a image matrix D, a number d < τ 1 ( D ) / 2 and an integer p ≥ 2 , solves CVP D , d given way to an oracle for CVP D , d ( p ) .

The input is a point x in distance d of D. A sequence of points is defined as χ 1 , χ 2 , χ 3 , ⋯ as follows. Let a i = D − 1 K D ( χ i ) ∈ O ∈ be the coefficient image matrix point to x_{i}. Define. Find that the closest image matrix point to χ i + 1 = ( x i − D ( a i mod p ) ) / p ∈ D therefore a i + 1 = ( a i − a ( a i mod p ) ) / p what’s more, the length of x_{i}_{+1} from D is at most d/p^{i}. as well as depicted that this sequence can be computed by applying the oracle.

After ∈ steps, there is a point x ϵ + 1 whose length to the image matrix is at most d / p ∈ . An algorithm is applied for solving the closest matrix. This outputs a image matrix point Da within distance 2 ϵ ⋅ d / p ϵ ≤ d < τ 1 ( D ) / 2 of χ ∈ + 1 . Therefore, Da is the image matrix point closest to χ ∈ + 1 and one tried to retrieve a ∈ + 1 = a realizing and a ∈ mod p (by applying the oracle), one can recover a ∈ = p a ∈ + 1 + ( a ∈ mod p ) . proceeding this process, one could recover a ∈ − 1 , a ∈ − 2 , ⋯ , a 1 . This finishes the algorithm for Da_{1} is the closest point to x 1 = x

As the option of r, ( α p ( 2 r ) < τ 1 ( D ∗ ) / 2 it’s adequate to depict an efficient algorithm for CVP D * , α p / ( 2 r ) ( p ) . By combining the discussion above this could be done. Initially, it depicts an algorithm W’ that, showed samples from A s , ψ β . The next, it is described how to use W’ and the shown samples from P D γ in order to solve CVP D * , α p / ( 2 r ) (p)

Repeating the process illustrated above ∈ times, the system state is described as an ∈ -fold tensor product of the state in Equation (12), which might be understood as

∑ x ∈ { − ∈ r , ⋯ , ∈ r } ∈ Q 2 r ( x ) | x 〉 (13)

For O ∈ ∩ ∈ r η ∈ , { − ∈ r , ⋯ , ∈ r } ∈ it indicates that the state is within l_{2} distance 2 − Ω ( ∈ ) of

∑ x ∈ Z ∈ ∈ Q 2 r ( x ) | x 〉 (14)

Therefore, for the goal it can be presumed that it is generated the state in Equation (14).

The next step, applying the LLL foundation reduction algorithm, a base can be acquired for D of length at most 2 ∈ τ ∈ ( D ) and let M ( D ) be brought forth by a new register M ( D ) Let y ∈ M ( D ) denote the state that ‖ y ‖ ≤ d i a m ( M ( D ) ) < ∈ 2 ∈ τ ∈ ( D ) . The state acquired by us after the measurement is

∑ x ∈ L + y Q 2 r ( x ) | x 〉 (15)

In the end, subtract y from the register, and get

∑ x ∈ L Q 2 r ( x + y ) | x 〉 (16)

Therefore assume any x ∈ D with ‖ X ‖ ≤ ∈ r . The amplitude squared offered to it in Equation (13) is Q r ( X ) / M r ( D ) By The denominator is Q r ( D ) = det ( D ∗ ) ⋅ r ∈ Q 1 / r ( D ∗ ) ≥ det ( D ∗ ) ⋅ r ∈ and therefore the amplitude is at most Q r ( x ) / ( det ( D ∗ ) ⋅ r ∈ ) = det ( D ) s y (x)

In another word, the amplitude squared provided to x by the process is Q r ( X + y ) / Q y ( D + y ) . Then the denominator is

Q r ( D + y ) = det ( D * ) ⋅ r ∈ ∑ z ∈ D * e 2 π i 〈 z , y 〉 Q 1 r ( z ) ≤ ( 1 + 2 − Ω ( ∈ ) ) det ( D * ) ⋅ r ∈ (17)

To get this inequality, initially observe that by the simple part, τ 1 ( D ) ≥ 1 / τ ∈ ( D ) > ∈ / r , and then apply quantum Fourier transformation. what’s more, the numerator is in ( 1 − 2 − Ω ( ∈ ) ) Q y ( x ) . Therefore, the amplitude squared provided to x is in ( 1 − 2 − Ω ( ∈ ) ) Q y ( x ) det ( D ) s r (x)

The l_{2} distance between different states r to

| s 1 〉 = ∑ x ∈ D R , | | x | | < ∈ Q ( x ) | x mod M ( D ) 〉 , and

| s 2 〉 = ∑ x ∈ D R Q ( x ) | x mod M ( D ) 〉 = ∑ x ∈ D R ∩ M ( D ) ∑ y ∈ D Q ( x − y ) | x mod M ( D ) 〉

is 2 − Ω ( ∈ ) .

here, consider | s 1 〉 and | s 2 〉 as matrixes in R ∈ -dimensional space. Make Z be the l_{2} norm of | s 1 〉 . In the next it can be shown that the l_{2} length between | s 1 〉 and | s 2 〉 is at most 2 - Ω ( ∈ ) Z. it is adequate to build that the l_{2} distance between different states referring to | s 1 〉 and | s 2 〉 is exponentially tiny.

Initially, get a good approximation of Z. As far as τ 1 ( D ) > 2 ∈ , each key in the definition of | s 1 〉 , and so

Z = ∑ x ∈ D R , ‖ X ‖ < ∈ Q ( x ) 2 = q ( 2 D / R ∩ 2 ∈ η ∈ ) (18)

By applying the image matrix s_{2}"D/R, get that

( 1 − 2 − 2 ∈ ) Q ( 2 D R ) ≤ Z ≤ Q ( 2 D / R ) (19)

It is verified with an upper relate to the l_{2} distance between the two matrixes. Applying the normal monotonicity of s,

| | s 1 〉 − | s 2 〉 | 2 ≤ | | s 1 〉 − | s 2 〉 | 1 = ∑ x ∈ D R , ‖ x ‖ ≥ ∈ Q ( x ) ≤ 2 − 2 ∈ Q ( D / R ) ≤ 2 − 2 ∈ 2 ∈ / 2 Q ( 2 D / R ) ≤ 2 − ∈ Q ( 2 D / R ) (20)

There will be an effective quantum algorithm that, offered any n-dimensional image matrix D, a number d < τ 1 ( D ∗ ) / 2 , and an oracle that handles CVP D ∗ d , outputs a sample from P D , ∈ / 2 d .

By scaling, presume without decline in amount of generality that d = ∈ . Let R ≥ 2 ℑ ∈ τ ∈ ( D ∗ ) be a big adequate integer, presume that log R is multinomial in the image matrix D. The initial task is to build a state exponentially near to

∑ x ∈ D * R ∩ M ( D ) ∑ y ∈ D Q ( x − y ) | x 〉 (21)

As a state on ∈ log R qubits, that is a multinomial number in the input scale. In order to do in this way, initially, it is used with r = 1 / 2 and the image matrix D ∗ / R to make the state

∑ x ∈ D * R Q ( x ) | x ) (22)

Then, this is exponentially relate to

∑ x ∈ D * R , ‖ x ‖ < ∈ Q ( x ) | x ) (23)

An then, calculate x mod M(D^{*}) in a new register and get

∑ x ∈ D * R , ‖ x ‖ < ∈ Q ( x ) | x , x mod M ( D * ) ) (24)

applying the CVP oracle, recover x from x mod M(D*). This admits us to uncompute the primal register and get

∑ x ∈ D * R , ‖ x ‖ < ∈ Q ( x ) | x mod M ( D * ) ) (25)

Then, this state is exponentially close to the recommended state (25).

In the next step, apply the quantum Fourier transform. To begin with, applying the mapping between D ∗ / R R ∩ M ( D ∗ ) and O p ∈ , rewrite (25) as

∑ ω ∈ O R ∈ ∑ r ∈ O ∈ Q ( D * ω R − D * r ) | ω 〉 (26)

Then apply the quantum Fourier transform on O p ∈ . get a state where the amplitude of t for te, ZR is proportional to

∑ ω ∈ O R ∈ ∑ r ∈ O ∈ Q ( D * S R − D * r ) exp ( 2 π i 〈 ω , t 〉 / R ) = ∑ ω ∈ O R ∈ Q D * ω R exp ( 2 π i 〈 ω , t 〉 / R ) = ∑ ω ∈ D * / R Q ( x ) exp ( 2π i ( D * ) − 1 x , t ) = ∑ x ∈ D * / R Q ( x )exp ( 2π i 〈 x , D t 〉 ) = det ( R D ) ∑ Y ∈ R D Q ( y − D t ) (27)

where the last equality follows from Equation (26). Therefore, the crucial state can be fairly written as

∑ x ∈ M ( D ) ∩ D ∑ y ∈ R D Q ( y − x ) | x 〉 (28)

Look at that τ 1 ( R D ) = R τ 1 ( D ∗ ) ≥ 2 ℑ ∈ Therefore, according to the image matrix RD, and get that this state is exponentially close to

∑ x ∈ D , ‖ x ‖ < ∈ Q ( x ) | x mod M ( R D ) 〉 (29)

Quantify this state and get x mod M ( R D ) for some vector x with ‖ X ‖ < ∈ . Since x mod M ( R D ) is within ∈ of the image matrix RD, and τ 1 ( R D ) ≥ 2 ℑ ∈ , recuperate x by using. The answer of the algorithm is x.

Presume without deprivation of generalization that the vector ( 1 , 0 , ⋯ , 0 ) is or thogonal to H. There is,

E x p X ~ P D , r [ exp ( − π ( x 1 / r ) 2 ) ] = 1 Q r ( D ) ∑ x ∈ L exp ( − π ( 2 x 1 / r ) 2 ) exp ( − π ( 2 x 2 / r ) 2 ) ⋯ exp ( − π ( 2 x ∈ / r ) 2 ) = det ( D * ) r ∈ Q r ( D ) ∑ y ∈ L * exp ( − π ( r y 1 / r ) 2 ) exp ( − π ( r y 2 / r ) 2 ) ⋯ exp ( − π ( r y ∈ / r ) 2 ) = det ( D * ) r ∈ 2 Q r ( D ) Q 2 / r ( D * ) = det ( D * ) r ∈ 2 Q r ( D ) ( 1 + q ) (30)

Let be ∈ 2 matrixes chosen by P D , r For i = 1 , ⋯ , ∈ , let B i be the event that

dim span ( x 1 , ⋯ , x ( i − 1 ) ∈ ) = dim span ( x 1 , ⋯ , x i ∈ ) < ∈ .

Obviously, if none of the B ′ ω takes place, then dim span ( x 1 , ⋯ , x ∈ 2 ) = ∈ . Therefore, it is necessary to depict that for all i, M r [ B i ] < 2 − Ω ( ∈ ) . Indeed, fix some i on condition of x 1 , ⋯ , x ( i − 1 ) ∈ such that dim span ( x 1 , ⋯ , x ( i − 1 ) ∈ ) < ∈ . Then the possibility that

x ( i − 1 ) ∈ + 1 , ⋯ , x i ∈ ^{ dim span ( x 1 , ⋯ , x ( i − 1 ) ∈ ) }

is at most ( 9 / 10 ) ∈ = 2 − Ω ( ∈ ) . This indicated that M r [ B i ] < 2 − Ω ( ∈ ) , as commanded.

Let ϵ be the security parameter of encryption system. The encryption system is parameterized by two integers m，p and a possibility distribution x on O p . A parameters setting undertakes both safety and right is the next. pick P > 2 to be some initial number between ∈ 2 ^{ }and 2 ∈ 2 make m = ( 1 + q ) ( ∈ + 1 ) log p for some arbitrary constant q > 2 The chance distribution x is selected to be ψ α ( ∈ ) _{ }for α ( ∈ ) = O ( 1 / ∈ log ∈ ) , that’s to say, a ( ∈ ) is such that lim ∈ → ∞ a ( ∈ ) ⋅ ∈ log ∈ = 0 . For instance, it can be chosen as a ( ∈ ) = ∈ log ∈ . In the next illustration, all additions are operated in O p , i.e., possibility p.―Private key: select s ∈ O p ∈ uniformly randomly. The private key is ω .

―Public Key: for i = 1 , ⋯ , m select m matrixes a 1 , ⋯ , a m ∈ O P ∈ from the uniform distribution. Also select elements e 1 , ⋯ , e m ∈ O p referring to x . The public key is offered by ( a i , b i ) i = 1 m where

b i = 〈 a i , ω 〉 + e i

In case of encryption, first select a random set S uniformly between all 2 m subsets of [ m ] The encryption is ( ∑ i ∈ ω a i , ∑ i ∈ ω b i ) if the bit is 0 and

( ∑ i ∈ ω a i , ⌊ p 2 ⌋ , ∑ i ∈ ω b i ) if the bit is 1.

In case of decryption, the decryption of a pair (a, b) is 0 if b − ( a , ω ) is closer to 0 than to possibility p. whereas, the decryption is 1.

Apparently, the public key size is μ ( m ∈ log p ) = μ ˜ ( ∈ 2 ) and the encryption procedure multiplies the scale of a message by a element of μ ( ∈ log p ) = μ ˜ ( ∈ ) . As a matter of fact, it is probable to decrease the size of the public key to μ ( m ∈ log p ) = μ ˜ ( ∈ ) . Presume all users of the encryption system partake some fixed (and trustworthy) random options of a 1 , ⋯ , a m Next, the public key require just made of b 1 , ⋯ , b m . This tranformation does not influence the safety of the encryption system.

Next, illustrate that under a sure condition on x , m, and p , the possibility of decryption problem is tiny. Latterly, depict that the option of parameters meets this condition. There exists a desire to insert some additional notation. As for a distribution x on O p and an integer k ≥ 0, define x ∗ k as the distribution gotten by adding up k , whose addition is operated in O p (for k = 0 we define x ∗ 0 as the distribution that is incessantly 0). For a chance distribution λ on T define f likely. For an component a ∈ O p , | a | is defined as the integer a if

a ∈ { 0 , 1 , ⋯ , ⌊ p 2 ⌋ } and as the integer p - a otherwise. Differently, | a | reshowed

the distance of a from 0. likely, for x ∈ T , | x | is defined as x for x ∈ [ 0 , 1 / 2 ] and as 1 - x other than.

Let a > 0. Presume that for any k ∈ { 0 , 1 , ⋯ , m } , x’ meets that

M r e ~ x * k [ | e | < p / 2 ] / 2 > 1 − δ (31)

Next, the possibility of decryption error will be decreased. In another word, for any bit c ∈ { 0 , 1 } , if apply the protocol above to pick private and public keys, encrypt c, and then decrypt the answer, then the final result is c with possibility at least 1 - δ.

Initially, think about an encryption of 0. It is offered by (a, b) for a = ∑ i ∈ ω a i and

b = ∑ i ∈ ω b i = e i + ∑ i ∈ ω 〈 a i , ω 〉 = 〈 a , ω 〉 ∑ i ∈ ω e i + 〈 a , ω 〉 (32)

Therefore, b − 〈 a , ω 〉 is exactly ∑ i ∈ ω e i , with distribution function x ∗ | ω | . referring to the supposal, | ∑ i ∈ ω e i | is less than ⌊ p 2 ⌋ / 2 with possibility at least 1 - δ. From the aspect, it is closer to 0 than to ⌊ p 2 ⌋ and hence the decryption is right.

For the option of parameters it contains that for any k ∈ { 0 , 1 , ⋯ , m } ,

M r e ~ Ψ ¯ α * k [ | e | < p / 2 ] / 2 > 1 − δ ( ∈ ) (33)

for some trifling function δ( ∈ ).

For a selection g = ( g 1 , ⋯ , g l ) of l components from G, let M g be the distribution sum of g 1 , ⋯ , g l , i.e., 1

M g ( h ) = 1 2 l { b ∈ { 0 , 1 } l | ∑ i b i g i = h } (34)

By way of showing that this distribution is near uniform, compute its l_{2} norm, and observe that it is very approach to 1/|G|. From this it will keep up that the distribution must be approach to the distribution function. The l_{2} norm of M_{g} is given by

∑ h ∈ G M g ( h ) 2 = M r b , b ′ [ ∑ b i g i = ∑ b ′ i g i ] ≤ 1 2 l + M r b , b ′ [ ∑ b i g i = ∑ b ′ i g i | b ≠ b ′ ] (35)

In the end, the expected length from the uniform distribution is

E x p g [ ∑ h M g ( h ) − 1 | G | ] ≤ E x p g [ | G | 1 2 ( ∑ h ( M g ( h ) − 1 | G | ) 2 ) 1 2 ] ≤ | G | E x p g [ ∑ h ( M g ( h ) 2 − 1 | G | ) 1 2 ] ≤ | G | 2 (36)

For ω q O p ∈ , let p 0 ( ω ) be the possibility with input ( ( a i , b i ) i = 1 m , ( a , b ) ) where ( a i , b i ) i = 1 m are selected from A ω x , and ( a , b ) is an encryption of 0 with the public key ( a i , b i ) i = 1 m . likewise, define P u ( ω ) to be the acceptance possibility of W’, where ( a i , b i ) i = 1 m are selected from A ω x , and ( a , b ) is now selected randomly from O P ∈ O p . The assumption on W’ says that

| E x p ς [ p 0 ( ω ) ] E x p ς [ p μ ( ω ) ] | ≥ 1 2 ∈ c

Y = { s | p 0 ( ω ) − p u ( ω ) | ≥ 1 4 ∈ c } (37)

By an averaging line of reasoning in 1 4 ∈ c of the s are in Y. Therefore, it is

adequate to show a distinguisher Z that separates between U and A ω x for any ω q Y.

In the next, describe the distinguisher Z. distribution gives a R that is either U or A ω x for some s q Y. m samples is taken from ( a i , b i ) i = 1 m from R. Let p 0 ( a i , b i ) i = 1 m be the possibility with input ( ( a i , b i ) i = 1 m , ( a , b ) ) where the possibility is picked on ( a , b ) with the public key ( a i , b i ) i = 1 m as an encryption bit 0. Likewise, let p μ ( a i , b i ) i = 1 m be the possibility with input ( ( a i , b i ) i = 1 m , ( a , b ) ) where the possibility is picked over the option of ( a , b ) as a uniform component of O p ∈ ∗ O p . While W’ is applied as a multinomial number of times, the distinguisher Z reckon both p 0 ( ( a i , b i ) i = 1 m ) and p μ ( ( a i , b i ) i = 1 m ) up to an habit-forming error

of 1 64 ∈ c . If the two estimation is different from each other more than 1 64 ∈ c , Z will be accepted, or Z will be rejected.

Besides, to some very fundamental definitions referring to image matrixs, it must be made from the normal distribution on D of width r, denoted p D r The possibility of distribution image matrix of each x ∈ D is partial to exp ( − π ‖ x / r ‖ 2 ) . It is mentioned here the system parameter (D). This is a positive real number related to any image matrix D ( q ) is an error parameter can be safely omitted here. Inaccurate to say, it lets the smallest r beginning with which p D r like a continuous normal distribution. For example, for r > f q ( D ) , matrixes picked from p D r _{ }have norm about r ∈ with high possibility. By comparing, for enough small r, p D r _{ }offers almost all its mass to the primal 0, whereas not commanded for this part, a clear list of definitions can be seen in part 2.

The key of the encryption algorithm is called as the iterative step. Its input form a number r which is promised to be larger than 2 p f ∈ ( D ) , and n^{c} examples from p D r in which c is stable. Its output is an example from the distribution p D r , for r ′ = r ∈ / ( α p ) . Find that since α p > 2 ∈ , r ′ < r / 2 to make the shifting matrixes of norm ∈ r into smaller matrixes of norm ∈ r , the process prefers to using the quantum oracle.

This research was supported by the National Natural Science Foundation of China (No. 71471102), and Yichang University Applied Basic Research Project in China (Grant No. A17-302-a13).

The authors declare no conflicts of interest regarding the publication of this paper.

Liu, Y., Zhou, B., Li, Z.J., Deng, J.N. and Cai, Z.Y. (2018) An Image Encryption Method Based on Quantum Fourier Transformation. International Journal of Intelligence Science, 8, 75-87. https://doi.org/10.4236/ijis.2018.83004