Skip to main content
Scientific Reports logoLink to Scientific Reports
. 2016 Jan 29;6:19788. doi: 10.1038/srep19788

Quantum Hash function and its application to privacy amplification in quantum key distribution, pseudo-random number generation and image encryption

Yu-Guang Yang 1,2,3,4,a, Peng Xu 1, Rui Yang 1, Yi-Hua Zhou 1, Wei-Min Shi 1
PMCID: PMC4731770  PMID: 26823196

Abstract

Quantum information and quantum computation have achieved a huge success during the last years. In this paper, we investigate the capability of quantum Hash function, which can be constructed by subtly modifying quantum walks, a famous quantum computation model. It is found that quantum Hash function can act as a hash function for the privacy amplification process of quantum key distribution systems with higher security. As a byproduct, quantum Hash function can also be used for pseudo-random number generation due to its inherent chaotic dynamics. Further we discuss the application of quantum Hash function to image encryption and propose a novel image encryption algorithm. Numerical simulations and performance comparisons show that quantum Hash function is eligible for privacy amplification in quantum key distribution, pseudo-random number generation and image encryption in terms of various hash tests and randomness tests. It extends the scope of application of quantum computation and quantum information.


With the rapid development of quantum communication, quantum key distribution (QKD) is the most mature branch of quantum communication. The goal of QKD is to create an absolutely secure key between two communicating parties. QKD generally contains three steps: (1) raw key sifting, (2) error reconciliation, and (3) privacy amplification. As an important step of QKD, the privacy amplification process is implemented by adopting universal hash functions1. However, these hash functions are generally constructed based on mathematics complexity and thus they are computationally secure. Because the fundamental principles of quantum mechanics ensure lots of quantum cryptographic protocols2,3,4 with unconditional security, this stimulates us to consider the privacy amplification problem in the context of quantum information, and intend to get a more secure solution to the privacy amplification process.

In this paper, we construct a quantum Hash function (QHF) by subtly modifying the quantum walks (QW) model5,6,7,8,9,10,11,12,13 and it can be used for the privacy amplification process of QKD systems with higher security by means of the physical principles of quantum mechanics. As a byproduct, QHF can also be used for pseudo-random number generation due to its inherent chaotic dynamics and further we propose a novel QHF-based image encryption algorithm. Numerical simulations and performance comparisons show that QHF is eligible as a hash function for privacy amplification in QKD, pseudo-random number generation and image encryption in terms of various hash tests and randomness tests.

Compared to the QW-based algorithm14, the novelty of the present QHF-based scheme lies in that the constructed QHF can be not only used for pseudo-random number generation and further image encryption, but also used for the privacy amplification process of QKD systems with higher security. It extends the scope of application of quantum computation and quantum information.

Results

The construction of QHF

QHF can be constructed by subtly modifying QW. QW has two models: discrete QW and continuous QW5. The basic discrete QW includes two quantum systems: walker and coin. The state of the walker-coin system is denoted by a vector in the Hilbert space Inline graphic, where the subscripts p and c stand for the walker and the coin, respectively. The motion of the walk is conditioned by the coin state via a conditional shift operator

graphic file with name srep19788-m2.jpg

where the summation symbol denotes the sum over all possible positions. The evolution of the total quantum system can be implemented by repeating the global unitary operator

graphic file with name srep19788-m3.jpg

where Inline graphic is the identity operator and Inline graphic is the coin operator applied on the coin state. Hence the final state Inline graphic after t steps is expressed by

graphic file with name srep19788-m7.jpg

and the probability of locating the walker at position x after t steps is

graphic file with name srep19788-m8.jpg

where Inline graphic is the initial state of the total quantum system.

In a discrete-time QW, the coin operator is fixed. The resulting probability distribution relies on only the initial coin state and the step number. Suppose the coin operator at each step depends on a binary string, i.e., message, and accordingly a QHF is constructed, similar to that in Ref.15. The input of the constructed QHF is a binary string, i.e., message and the resulting probability distribution is used as the output hash value. The coin state is the control parameter so the constructed QHF is a keyed one. The nth bit of the message controls the nth step of the walk. Here we introduce two coin operators, i.e., the Grover operator Inline graphic16 and the coin operator Inline graphic17 in equation (5) and equation (6) respectively. The message bit “0” denotes Inline graphic and “1” for Inline graphic.

graphic file with name srep19788-m14.jpg
graphic file with name srep19788-m15.jpg

The construction process of the QHF is as follows:

  1. Select the parameters (n, (α, β, χ, δ)) and the message with arbitrary length.

  2. Run the one-dimensional two-particle discrete-time QW on a circle under the control of the message and generate the output hash value, i.e., the probability distribution. Here α, β, χ, δ are the amplitudes of the initial coin state Inline graphic. n is the node number of a circle.

  3. Multiply all values in the resulting probability distribution by 108 modulo 256 to form a binary string as a secret key K, i.e., the hash value.

The hash property of the proposed QHF

In this section, we performed several hash tests to evaluate the performance of the proposed QHF. The message can be randomly chosen as shown in Supplemental materials.

Statistical distribution of hash value

Based on the principles of quantum mechanics, the security of the QHF can be proved partly by the uniform distribution of the hash value. The plots of the ASCII codes of the message and its hash value are shown in Supplementary Fig. S1 online. Supplementary Fig. S1(a) demonstrates that the ASCII code of the message is located within a small range, but in Supplementary Fig. S1(b), the hash value of the message in hexadecimal format is scattered uniformly.

Sensitivity of hash value to message

C1, C2, C3 and C4 represent the message, and the message with tiny modifications respectively. The results listed below show the high sensitivity to the message and the tiny changes.

Condition 1: The original message;

Condition 2: Change the 8th bit from 0 to 1;

Condition 3: Delete the last bit of the message;

Condition 4: Insert a bit in front of the 100th bit.

The corresponding 128-bit hash value in the hexadecimal format is given by:

Condition 1: 8AE72983687E9AD1B6FCA54546AE7799;

Condition 2: 3BD58DB7B86827AE6323E6E496A634A8;

Condition 3: E9678E1EA9180A8EE01AA008EB46E989;

Condition 4: E9277B78B3D62DEB77839DB9E90F210D.

The plots of the hash values are shown respectively in Supplementary Fig. S2 online and it is clearly indicated that any tiny modification to the message or the key will cause a substantial change in the final hash value.

Statistical analysis of diffusion and confusion

The diffusion and confusion tests are performed as follows:

  1. Select a message and generate the corresponding hash value.

  2. Change one bit of the message randomly and generate a new hash value.

  3. Compare the two hash values and count the changed bits called Bi.

  4. Repeat steps (1) to (3) N times.

The corresponding distribution and the histogram of Biare shown respectively in Supplementary Figs S3(a) and S3(b) online, where N = 10,000.

Minimum changed bit number Inline graphic;

Maximum changed bit number Inline graphic;

Mean changed bit number Inline graphic;

Mean changed probability Inline graphic;

Standard variance of the changed bit number Inline graphic;

Standard variance of the changed probability Inline graphic.

Next the diffusion and confusion tests are performed with N = 1024, 2048, 10,000, respectively, as shown in Table 1. We concluded from the tests that the mean changed bit number B and the mean changed probability P are close to the ideal value 64 and 50% respectively. ΔB and ΔP are very little, so that it demonstrates the stability of diffusion and confusion. The excellent statistical effect ensures that it is impossible to forge plaintext-cipher pairs given known plaintext-cipher pairs.

Table 1. The static number of changed bit Bi.

  N = 1024 N = 2048 N = 10,000 Mean
Inline graphic 63.5654 63.5864 64.2894 63.8137
P(%) 49.6605 49.6769 50.2261 49.8545
ΔB 5.4616 5.5841 5.6686 5.6314
ΔP 4.3881 4.3626 4.4286 4.3931
Bmin 45 44 43 44
Bmax 81 83 89 84.3333

The mean changed bit number B and the mean changed probability P are very close to the ideal value 64 bit and 50% respectively. ΔB and ΔP are very little, so that it demonstrates the stability of diffusion and confusion. The excellent statistical effect ensures that it is impossible to forge plaintext-cipher text pairs given several known plaintext-cipher text pairs.

Collision analysis

It is hard to provide a mathematical proof on the capability of collision resistance of chaotic hash functions. Thus, we performed the following test for collision resistance:

  1. Select an original message randomly and generate the corresponding hash value in ASCII format.

  2. Choose a bit in the message randomly and change its value.

  3. Generate a new hash value.

  4. Compare these two hash values and count the number of ASCII characters with the same value at the same location.

Moreover, the absolute difference of the two hash values, i.e., d, and the theoretical number of ω with different values through N independent tests, i.e., WN(ω) can be computed according to the following formulas:

graphic file with name srep19788-m23.jpg
graphic file with name srep19788-m24.jpg
graphic file with name srep19788-m25.jpg

where ei and e’i are the ith entries of the original and new hash values, respectively. The function t(·) converts the entries to their equivalent decimal value. We run this test N = 10, 000 times, and listed the maximum, minimum, and mean of d in Supplementary Table 1 online respectively. In equation (8), ω = 0, 1, …, s. The experimental values of WN(ω) in the proposed scheme are: WN(0) = 9367, WN(1) = 617, WN(2) = 16, and WN(ω) = 0 for ω = 3, 4, …, 16 respectively. The distribution of the number of ASCII characters with the same value at the same location in the hash value is displayed in Fig. 1.

Figure 1. Distribution of the number of positions where the ASCII characters are identical in the 128-bit hash values generated for test, where N = 10,000.

Figure 1

(see text in the section entitled Results).

Uniform distribution on hash space

In order to check the distribution capacity in hash space, similar to that in ref. 18, we generated two hash values according to the method described in previous subsection and then counted the number of the changed bits at each location. The minimum, maximum and mean of changed bit numbers are 4072, 5689 and 4973.5, respectively for N = 10,000. The statistical results for N = 10,000 are shown in Supplementary Fig. S4 online. The mean of the changed bit number 4973.5 is very close to the ideal value 5000, which accounts for half of the test times. It can be concluded that the hash value is distributed uniformly in the hash space as all the changed bit numbers are around the ideal value. Obviously, this demonstrates the resistance against statistical attack.

Resistance to birthday attack

Similar to collision resistance, the birthday attack is mainly aimed to find two messages with identical hash values with less than 2n/2 trials (n is the size of hash value). According to the current computing power, the size of hash value should be greater than 128 to ensure the birthday attack complexity is greater than 264. In our proposed hash scheme, the length of hash value is 128-bit and it can be easily extended to 256-bit or 512-bit. So the attack difficulty is at least 264, which is huge enough to resist brute force attack and birthday attack. Also in the proposed algorithm, in order to analyze the security, several tests including the SP800-22 test and the collision tests were applied. Therefore, the results of the tests, the size of the hash value, and the collision resistance of the proposed algorithm suggest that the birthday attack is almost impossible and that the proposed algorithm is resistant against this type of attack.

Speed analysis

Our proposed hash algorithm does not need to pad bits. The time required to generate a hash value is closely related to the length of the message. The algorithm is simulated in MATLAB on a PC with Intel(R) Core(TM) i3-2370M CPU 2.40 GHz 2 GB RAM running on Windows 7 professional OS. The average speed of our algorithm is 0.2 Mbit/s. Although the speed of the proposed algorithm is lower than the traditional hash functions such as SHA-1 and MD519, it is acceptable for practical use. At the same time, the algorithm is so flexible since the length of hash value can be 128, 256, or 512 bits. Moreover, because of the excellent properties of quantum parallel computing, the speed of the proposed algorithm will increase exponentially in the quantum computing environment. For example, finding the prime factorization of an n-bit integer is thought to require Inline graphic operations using the best classical algorithm. In contrast, a quantum algorithm can accomplish the same task using Inline graphic operations20. That is, a quantum computer can factor a number exponentially faster than the best known classical algorithms.

Flexibility

Our hash scheme is based on the QW model. Although the proposed hash function is constructed as a keyed one, we can also regard it as an unkeyed one if the initial parameters of the coin state of QHF act as the constants. Besides we can also get a 256-bit or 512-bit hash function with a slight change in the original version, similar to refs 21,22.

Resistance to meet-in-the-middle attack

The meet-in-the-middle attack is valid for the block cipher encryption mode. Block cipher mode allows the use of a cipher key for encrypting more than one block of data. In contrast, in our proposed algorithm, we use just the nonlinear quantum map to construct the hash function, so the attack is useless for the proposed algorithm.

Resistance to forgery attack

Most of the parallel hash function algorithms have a mixing section in their structure which usually uses the XOR operation for preventing forgery attack. Unfortunately, some of these algorithms are broken by such an attack23,24. In the proposed algorithm, the state evolution of the total quantum system can be implemented by repeating the sequence of the coin flipping operator and the conditional shift operator step by step according to the message(so-called discrete time). That is, the nth bit of the message controls the nth step of the walk, i.e., applying the Grover operator Inline graphic16 or the coin operator Inline graphic17 on the coin state. This leads to high complexity in mixture and can resist forgery attack in any section of the proposed algorithm.

Security analyses of the QHF-based pseudo-random number generator (PRNG)

QHF can also be used for pseudo-random number generation due to its inherent chaotic dynamics. To analyze the pseudo-randomness of the QHF-based PRNG, we analyzed its statistical properties and some quantifiers were proposed. The quantifiers are mainly classified into two classes: (i) quantifiers based on information theory25,26,27, (ii) quantifiers based on recurrence plots28,29.

Statistical complexity measure

Complexity is a measure of off-equilibrium ‘order’. Statistical complexity measures (SCM) were proposed as quantifiers of the degree of physical structure in a signal25,30,31. Based on the method of Ref. 32, we analyzed the statistical complexity of the QHF-based PRNG. The intensive SCM (CJ[P]) can be considered as a quantity that characterizes the probability distribution P associated with the time series generated by the dynamical system32. It quantifies not only randomness but also the presence of correlational structures31,32. The measure of statistical complexity CJ[P] is defined as32:

graphic file with name srep19788-m30.jpg

where the normalized entropic measure Inline graphic is associated with the probability distribution P, with Inline graphic Inline graphic for the equilibrium distribution Pe and S is the Shannon entropy. The disequilibrium QJ is defined in terms of the Jensen-Shannon divergence26,32 by

graphic file with name srep19788-m34.jpg

with Q0 being the normalization constant Inline graphic. Thus, the disequilibrium QJ is an intensive quantity. Following the methodology proposed by Bandt and Pompe33, the comparisons between our proposal and the QW-based PRNG14 in terms of the normalized entropy HS and the intensive statistical complexity CJ as functions of the number of 8 bits and 16 bits-words are shown in Figs 2 and 3 respectively. When the number of words of the analyzed sequence increases, the statistical complexity and the normalized entropy tend to 0 and 1 respectively. It is shown that given the same words, our scheme has better statistical complexity and normalized entropy than the QW-based PRNG14.

Figure 2. Comparisons in terms of Normalized Shannon entropy HS.

Figure 2

The black and red curves denote the Normalized Shannon entropy HS for the number of 8 bits and 16 bits-words respectively in our proposal, while the blue and green curves represent the Normalized Shannon entropy of the QW-based scheme14 for the number of 8 bits and 16 bits-words respectively. (see text in the section entitled Results).

Figure 3. Comparisons in terms of intensive statistical complexity measure CJ respectively.

Figure 3

The black and red curves denote the intensive statistical complexity measure CJ for the number of 8 bits and 16 bits-words respectively in our proposal, while the blue and green curves represent the intensive statistical complexity measure CJ of the QW-based scheme14 for the number of 8 bits and 16 bits-words respectively. (see text in the section entitled Results).

Recurrence plots

Recurrence is a fundamental property of dynamical systems, which can be exploited to characterize the system’s behavior in phase space. In 1987, Eckmann et al. introduced a powerful tool for visualization and analysis of recurrences called recurrence plot (RP)28. RP is a two-dimensional representation in which both axes are time ones. The recurrence of a state appearing at two given times ti, tj is pictured in the two-dimensional graph by means of a black dot.

To visualize the recurrences of states of a dynamical system, the RP of a trajectory Inline graphic can be formally expressed by the matrix

graphic file with name srep19788-m37.jpg

where N is the number of measured points Inline graphic, ε is a threshold distance, Inline graphic is the Heaviside function (i.e. Inline graphic, if x < 0, and Inline graphic otherwise) and Inline graphic is a norm.

RPs for various values of the message exhibit visually the recurrences of the QHF-based PRNG (Supplementary Fig. S5 online). We used an embedding dimension m = 2 and the delay τ = 1. The threshold distance ε is set to be 10% of the mean phase space radius σ. It is shown that the QHF-based PRNG with different messages causes a rather homogeneous RP with numerous single points and some short, diagonal or vertical lines.

Because the visual impact produced by the RP is insufficient to demonstrate the quality of the QHF-based PRNG because of the ‘small-scale’ structures29, several measures of complexity which quantify the small scale structures in RPs, have been proposed34,35,36 and are known as recurrence quantification analysis (RQA). In this paper, these measures based on the recurrence point density and the diagonal and vertical line structures are considered.

Measures based on the recurrence density

The simplest measure of the RQA is the recurrence rate (RR)

graphic file with name srep19788-m43.jpg

which is a measure of the density of recurrence points in the RP. Furthermore, in the limit N → ∞, RR is the probability that a state recurs to its ε-neighbourhood in phase space. For PRNGs, the ideal value would be RR = 0. But in practice, in order that the quantifier may make sense, a larger ε should be adopted to avoid the situation in which no points are found in the recurrence plot. It is shown that the value of the RR ranges from 0.00595 to 0.00662 for different messages (see Supplementary Fig. S6 online). It exhibits the good randomness of the QHF-based PRNG.

Measures based on diagonal lines

The measures are related to the histogram Inline graphic of the diagonal line lengths l, given by

graphic file with name srep19788-m45.jpg

Supplementary Fig. S7 online shows the histogram of the diagonal line lengths of the RP in Supplementary Fig. S5 online with the parameter message = 50. It is shown that the diagonal line lengths are mainly very short exhibiting the good randomness.

Processes with uncorrelated or weakly correlated behaviors cause none or very short diagonals, whereas deterministic processes cause longer diagonals and less single, isolated recurrence points. Therefore, the ratio of recurrence points that form diagonal structures (of at least length lmin) to all recurrence points

graphic file with name srep19788-m46.jpg

is introduced as a measure for determinism (or predictability) of the system. The threshold lmin excludes the diagonal lines which are formed by the tangential motion of the phase space trajectory.

A diagonal line of length l means that a segment of the trajectory is rather close during l time steps to another segment of the trajectory at a different time; thus these lines are related to the divergence of the trajectory segments. The average diagonal line length

graphic file with name srep19788-m47.jpg

is the average time that two segments of the trajectory are close to each other, and can be interpreted as the mean prediction time.

Another RQA measure considers the length Lmax of the longest diagonal line found in the RP,

graphic file with name srep19788-m48.jpg

where Inline graphic is the total number of diagonal lines. These measures are related to the exponential divergence of the phase space trajectory. The faster the trajectory segments diverge, the shorter the diagonal lines are.

The measure entropy refers to the Shannon entropy of the probability Inline graphic to find a diagonal line of exactly length l in the RP, where Inline graphic is the total number of diagonal lines.

graphic file with name srep19788-m52.jpg

ENTR reflects the complexity of the RP in respect of the diagonal lines, e.g. for uncorrelated noise the value of ENTR is rather small, indicating its low complexity, as shown in Supplementary Fig. S8 online.

Measures based on vertical lines

The total number of the vertical lines of the length v in the RP is then given by the histogram

graphic file with name srep19788-m53.jpg

Supplementary Fig. S9 online shows the histogram of vertical line lengths of the RP in Supplementary Fig. S5 with the parameter message = 50. It is shown that the vertical line lengths are mainly very short exhibiting the good randomness.

Analogous to the definition of the determinism in equation (15), the ratio between the recurrence points forming the vertical structures and the entire set of recurrence points can be computed,

graphic file with name srep19788-m54.jpg

The computation of LAM is realized for those v that exceed a minimal length vmin in order to decrease the influence of the tangential motion. LAM will decrease if the RP consists of more single recurrence points than vertical structures.

The average length of vertical structures is given by

graphic file with name srep19788-m55.jpg

and is called trapping time. TT estimates the mean time that the system will abide at a specific state or how long the state will be trapped.

Finally, the maximal length of the vertical lines in the RP

graphic file with name srep19788-m56.jpg

can be defined, analogously to the standard measure Lmax (Nv is the absolute number of vertical lines).

Figures 4, 5, 6 give some selected RQA measures for different values of the message and demonstrates the good statistical properties of the QHF-based PRNG.

Figure 4. Selected RQA measures DET, Lmax.

Figure 4

DET and LAM change with different messages are shown in (a,b) respectively. (see text in the section entitled Results).

Figure 5. Selected RQA measures L and TT.

Figure 5

L and TT change with different messages are shown in (a,b) respectively. (see text in the section entitled Results).

Figure 6. Selected RQA measures LAM and Vmax.

Figure 6

Lmax and Vmax change with different messages are shown in (a,b) respectively. (see text in the section entitled Results).

Degree of non-periodicity

In order to study the non-periodicity in the QHF-based PRNG, the scale index analysis (SIA) is carried out which is introduced by Benìtez et al.37. The SIA method is often used as a framework to enhance the general performance of cryptosystems in designing new chaos-based cryptosystems and PRNGs. For example, recently Akhshani et al. proposed a new scheme for generating good PRNGs based on quantum logistic map38. They used the SIA technique to assess the degree of non-periodicity of the chaotic sequences of the quantum map. The SIA technique is based on the continuous wavelet transform (CWT) and the wavelet multi-resolution analysis39. To study the non-periodicity of the QHF-based PRNG40, we assumed that the key sequence f generated by QHF is compactly supported and is defined over a finite time interval T = [a, b]. The CWT of f at time u and scale s is defined as39:

graphic file with name srep19788-m57.jpg

and it provides the frequency component (or details) of f corresponding to the scale s and time location t. Supplementary Fig. S10 online shows the time frequency decomposition of f in the time-frequency plane which provided by the wavelet transform given in equation (23).

The wavelet transform given in equation (23), provides a time frequency decomposition of f in the time-frequency plane.

The scalogram of f is defined as follows:

graphic file with name srep19788-m58.jpg

where Inline graphic is the energy of the CWT of f at scale s. The scalogram is a useful tool for studying a signal, since it allows the detection of its most representative scales or frequencies37,40. The innerscalogram of f at a scale s can be defined by:

graphic file with name srep19788-m60.jpg

where Inline graphic is the maximal subinterval in T for which the support of Inline graphic is included in T for all Inline graphic. As the length of J(s) depends on the scale s, the values of the inner scalogram at different scales cannot be compared. Therefore, the inner scalogram should be normalized as follows37:

graphic file with name srep19788-m64.jpg

Supplementary Fig. S11 online shows that the normalized inner scalogram can be a valuable tool for detecting the non-periodicity of the signals, where a signal with details at every scale is non-periodic.

The scale index of f in the scale interval [s0, s1] can be defined by:

graphic file with name srep19788-m65.jpg

where smax is the smallest scale such that Inline graphic for all Inline graphic, and smin the smallest scale such that Inline graphic for all Inline graphic. The scale index will be zero or close to zero for periodic sequences and close to one for highly non-periodic sequences37.

In Fig. 7, the SIA of the QHF-based key sequence is presented. It can be concluded that the best value of the scale index is up to 0.98. Thus, the key sequence in this state is highly non-periodic and it can be used for any PRNG purposes.

Figure 7. The scale index of the QHF-based key sequence for different messages.

Figure 7

It can be concluded that, the value of the scale index is larger than 0.7 and the best value of the scale index is up to 0.98. Thus, the key sequence in this state is highly non-periodic and it can be used for any PRNG purposes. (see text in the section entitled Results).

The application of the QHF-based PRNG to image encryption

The proposed image encryption algorithm consists of the following major steps:

Step 1: Initialization step

In this step we choose the parameters (n, (α, β, χ, δ)) and the message, then generate a random sequence S by running our proposed PRNG given by

graphic file with name srep19788-m70.jpg

Each value of the sequence S is a floating-point number ranging from 0 to 1.

Step 2: Encryption procedure

  1. Divide the original image I with size M × N into four parts with the same size and determine the encryption order of four image blocks according to the size of the first four values of the sequence S. For example, Inline graphic if Inline graphic. Here we take Buddha image as an example (see Supplementary Fig. S12 online).

  2. The encryption process is a two round one (Supplementary Fig. S13 online) i.e.,

graphic file with name srep19788-m73.jpg

Then we describe the encrypt function Inline graphic by taking I2 as an example.

1. Sum the gray values of EI1 to produce a binary sequence V, use V as the message to generate a new random sequence S1 as follows.

graphic file with name srep19788-m75.jpg

where pixeli,j represents the gray value of the pixel in the ith row and jth column of EI1.

graphic file with name srep19788-m76.jpg

where dec2bin is a function to convert the decimal to binary sequence.

2. Do the tensor product of S and S1 to obtain a new sequence and transform it into a two-dimensional matrix of size Inline graphic.

graphic file with name srep19788-m78.jpg

where Inline graphic is tensor product operator.

3. Multiply all values in the P matrix by 108 modulo 256 to form a new matrix P′.

graphic file with name srep19788-m80.jpg

4. Make P′ exclusive-OR (XOR) with I2 and get

graphic file with name srep19788-m81.jpg

5. Sort the elements in P′ in ascending order, and obtain the index vector.

graphic file with name srep19788-m82.jpg

where sortedP is the sorted matrix and index is the index vector, i.e., Inline graphic.

6. Shuffle the elements in temp_I2 and get encrypted image block EI2 for the first round.

graphic file with name srep19788-m84.jpg

At last we can get the final encrypted image by executing the encrypt function as the order shown in Step 2.

Step 3: Decryption procedure

In the decryption process, we use the secret key to determine the decryption order, shown as follows.

graphic file with name srep19788-m85.jpg

Here, Inline graphic represents the decryption operation and it is the reverse of the encryption process.

Experimental simulations

Experiments are performed on a laptop with Intel(R) Core(TM) i3-2370M CPU 2.40 GHz 2 GB RAM running on Windows 7 professional equipped with the MATLAB R2012a environment and the Python 2.7.8. To test our encryption method for security and robustness, we choose a group of images with size 512 × 512, which were taken by Yu-Guang Yang and list them and their corresponding encrypted images and decrypted images in Supplementary Figs S12–S18.

Key space analysis

A desirable encryption scheme should have a sufficiently large key space to resist brute-force attacks. Here the encryption key can be represented by (n, (α, β, χ, δ), message), where n denotes the number of nodes in a circle. α, β, χ, δ are complex numbers and also control parameters of the coin state satisfying the normalization constraint: Inline graphic. Message is a binary string as an input of the proposed QHF, which can have an infinite length theoretically. Although there is an infinite key space theoretically, because of finite precision of digital computers, the key space actually turns out to be finite. Considering that the calculation precision is 10−14, the size of key space for initial conditions and control parameters would be roughly 2325, which is large enough for any encryption purposes and is also large enough to resist all kinds of brute-force attacks.

Histogram analysis

Histogram is a very important security measure for evaluating the security of an image encryption algorithm. The histograms of seven images and the corresponding cipher images are shown in Supplementary Figs S12–S18 online. It is shown that the histograms of the cipher images are nearly uniform and significantly different from the ones of the original images. Therefore they provide no clue for attackers in a statistical analysis attack.

Correlation analysis

A desirable encryption scheme should generate the cipher image with rather low correlation between adjacent pixels. By randomly selecting 10000 pairs (in horizontal, vertical and diagonal directions respectively) of adjacent pixels from the original image and the cipher image, respectively, we test the correlation between adjacent pixels, and draw the correlation distribution of adjacent pixels in the Buddha image and its cipher image in Supplementary Fig. S21 online, respectively. It is shown that the original image has strong correlation, but the cipher image is quite random. The encryption scheme improves the security of the test images greatly.

We also calculate the correlation coefficient rxy of adjacent pixels of the original image and the cipher image given by

graphic file with name srep19788-m88.jpg

where E(x) and D(x) are the expectation and variance of variable x, respectively.

We compute the correlation coefficients of the seven images and their cipher images. From Supplementary Table S2 online, we can see that the average correlation coefficients of the encrypted images are 0.0010, 0.0012, 0.0023 and they are very close to zero. The result demonstrates that our scheme is effective.

Comparison with other image encryption techniques

Experimental results of the proposed image encryption scheme were compared with six typical image encryption techniques, i.e., chaos-based image encryption41, optics-based image encryption42, hash-based image encryption43, quantum image encryption44, the QW-based image encryption14, and the image encryption based on quantum logistic map45, respectively. From Supplementary Tables S3–S8 online, we can see that the images encrypted by our algorithm have lower correlation compared with the six image encryption schemes14,41,42,43,44,45. In addition, we also compared our algorithm with two recently published schemes46,47 and see Supplementary Tables S9 and S10 online for details.

Differential attack analysis

In general, two common performance measures are used to test the influence of a little change in the original image on the cipher image, i.e., the number of pixels change rate (NPCR) and the unified average changing intensity (UACI). NPCR is expressed by

graphic file with name srep19788-m89.jpg

where

graphic file with name srep19788-m90.jpg

and c1 and c2 are two cipher images with size m × n.

UACI is defined by

graphic file with name srep19788-m91.jpg

In our tests, we just put the gray value of grid (100,100) minus one in the seven images in Supplementary Figs S12–S18 with size 512 × 512, respectively. From Supplementary Table S11 online, we can see that NPCR is 99.61% and UACI is 33.46% in our algorithm which implies that it is highly sensitive to the original image and is robust against differential attacks. In addition, we also compared our proposal with other image encryption schemes41,43,45,46,47 and see Supplementary Tables S12–S17 online for details. From these tables, it is indicated that the proposed algorithm can resist the differential attack. The secret key in our algorithm is related to the image self. So it makes a good performance in this field.

Key sensitivity analysis

First, we encrypted Buddha image with the key n = 1, [α, β, χ, δ] = [0, 0, 0, 1], message = [1, 0, 1, 0, …, 1, 0, 1, 0…], and obtained the cipher image in Supplementary Fig. S22(a). Then we encrypted Buddha image by making a little change of the message and got the cipher image in Supplementary Fig. S22(b). We also draw the differential image of Supplementary Fig. S22(a) and S22(b) in Supplementary Fig. S22(c). By calculation, we got that the difference (NPCR) between Supplementary Fig. S22(a) and Supplementary Fig. S22(b) is 99.59%(see Supplementary Tables S18 online), which implies the encryption process is quite sensitive to the encryption key.

Second, we encrypted Buddha image by the key n = 1, [α, β, χ, δ] = [0, 0, 0, 1], message = [1, 0, 0, 1, …, 1, 0, 1, 1…], and then decrypted the resulting cipher image with the correct key (see Supplementary Fig. S22(d)) and the wrong key with a little change of the message = [1, 0, 0, 1, …, 1, 1, 1, 1…] (see Supplementary Fig. S22(e)), respectively. We calculated out the difference (NPCR) between Supplementary Fig. S22(d) and Fig. S22(e) is 99.61% (see Supplementary Tables S18 online). Therefore, the decryption process is also highly sensitive to the decryption key.

In the same way, we also calculated the NPCR of other test images from Supplementary Figs S12–S18, and listed the results in Supplementary Table S18 online. It is found that the results are approximately 99.60%, which shows that the proposed algorithm is of good key sensitivity to images.

Information entropy analysis

The information entropy is often used to measure the randomness of the cipher images. The entropy H(x) of a message source m is given by

graphic file with name srep19788-m92.jpg

where p(xi) represents the probability of the occurrence of symbol xi.

From Supplementary Table S19 online, we can see the average information entropy of our cipher images is very close to the theoretical value 8. We also compared our algorithm with the algorithm based on quantum logistic map45 in terms of information entropy(Supplementary Table S20 online). This implies that the information leakage in the encryption process is negligible and the proposed algorithm is stable and secure against information entropy attack.

Randomness test analysis

Next, we used NIST SP800-22 and TestU0148 tools to test the randomness of the cipher images. Each test produces a P-value in [0, 1]. If the P-value is higher than a preset threshold α, it means that the cipher image passes the test. In our tests, we set α = 0.01 and Buddha’s cipher image with size 1024 × 1024. α = 0.01 implies that the cipher image can be inferred to be random with 99% probability if it passes the test. From Supplementary Table S21 online, we can judge that our proposed algorithm passes the NIST SP800-22 tests.

However, when we applied the most stringent test by TestU0148 on the cipher images, surprisingly, the TestU01 test cannot be done successfully. Maybe the coin flipping operators were not chosen properly. Therefore, the future work will focus on the improvement of our proposal.

Speed performance analysis

Speed is an important factor for evaluating the performance of an image encryption algorithm. For the proposed image encryption algorithm, we measured the time cost in the operating environment: Windows 7, Matlab R2012a, Intel(R) Core(TM) i3-2370M CPU 2.40 GHz 4 GB RAM. In our algorithm, the time is mainly spent on shuffling pixels, we can figure out that the time complexity of our algorithm is Inline graphic and the average time cost for encrypting images of size 512 × 512 is 0.015 seconds or so. Therefore, our algorithm is fast enough for practical applications.

Discussion

The main contribution of the work is to construct a hash function used for the privacy amplification process of QKD systems with higher security by means of the physical principles of quantum mechanics. As a byproduct, QHF can also be used for pseudo-random number generation due to its inherent chaotic dynamics and further we propose a novel QHF-based image encryption algorithm.

The QHF is in fact constructed in the quantum context. Because the practical quantum computation device is unavailable, we have to do the simulations by MATLAB software on a classical computer in order to demonstrate the performance of the constructed QHF. However, in fact the properties of quantum parallel computation cannot be simulated precisely on a classical computer. So both randomness and speed of the proposed scheme seem not acceptable for cryptographic purpose. Fortunately, with the rapid development of the field of quantum computation, maybe the practical quantum computer is possible in the future. When the QHF operates on a practical quantum computer, the computation speed will be increased exponentially because of the properties of quantum parallel computation.

Methods

The construction of a QHF by modifying the one-dimensional two-particle discrete-time QW on a circle

A one-dimensional two-particle discrete-time QW on a circle describes the QW of two walkers whose motions are restricted to the circle. The operators Inline graphic and Inline graphic of two-particle QW on circles becomes

graphic file with name srep19788-m96.jpg

Here Inline graphic is similar to Inline graphic. The total conditional sift operator Inline graphic is denoted as Inline graphic.

When the ith bit of the message is 0(1), the ith step of the walk executes with the interaction Inline graphic. For example, if the message, m is ‘0100110’, then the final state evolves

graphic file with name srep19788-m102.jpg

where Inline graphic and Inline graphic. The initial state of the total quantum system Inline graphic is given by

graphic file with name srep19788-m106.jpg

Here

graphic file with name srep19788-m107.jpg

where Inline graphic.

Additional Information

How to cite this article: Yang, Y.-G. et al. Quantum Hash function and its application to privacy amplification in quantum key distribution, pseudo-random number generation and image encryption. Sci. Rep. 6, 19788; doi: 10.1038/srep19788 (2016).

Supplementary Material

Supplementary Information
srep19788-s1.pdf (3.8MB, pdf)

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant No.61572053); The Importation and Development of High-Caliber Talents Project of Beijing Municipal Institutions (No.CIT&TCD201304039); The Scientific Research Common Program of Beijing Municipal Commission of Education (No.KM201510005016); The Basic Research Foundation of Beijing University of Technology (Nos.X4007999201501,007000514315501); Jing-Hua Talents Project of Beijing University of Technology(2014-JH-L06); Beijing Natural Science Foundation (Grant No.4152038).

Footnotes

Author Contributions Y.-G.Y. proposed the theoretical method and wrote the main manuscript text. P.X. made the numerical simulations. R.Y., Y.-H.Z. and W.-M.S. reviewed the manuscript.

References

  1. Bennett C. H., Brassard G., Crépeau C. & Maurer U. M. Generalized privacy amplification. IEEE Trans. Inf. Theory 41, 1915–1923 (1995). [Google Scholar]
  2. Bennett C. H. & Brassard G. Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, IEEE, New York, pp. 175-179 (1984).
  3. Ekert A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661–663 (1991). [DOI] [PubMed] [Google Scholar]
  4. Tamaki K., Koashi M. & Imoto N. Unconditionally secure key distribution based on two nonorthogonal states. Phys. Rev. Lett. 90, 167904 (2003). [DOI] [PubMed] [Google Scholar]
  5. Elías S. & Andraca V. Quantum walks: a comprehensive review. Quantum Inf. Process. 11, 1015–1106 (2012). [Google Scholar]
  6. Ambainis A. Quantum walk algorithm for element distinctness. SIAM J. Comput. 37, 210–239 (2007). [Google Scholar]
  7. Magniez F., Santha M. & Szegedy M. Quantum algorithms for the triangle problem. SIAM J. Comput. 37, 413–424 (2007). [Google Scholar]
  8. Li Q., He Y. & Jiang J.-P. A hybrid classical-quantum clustering algorithm based on quantum walks. Quantum Inf. Process. 10, 13–26 (2011). [Google Scholar]
  9. Babatunde A. M., Cresser J. & Twamley J. Using a biased quantum random walk as a quantum lumped element router. Phys. Rev. A 90, 012339 (2014). [Google Scholar]
  10. Tamascelli D. & Zanetti L. A quantum-walk-inspired adiabatic algorithm for solving graph isomorphism problems. J. Phys. A-Math. Theor. 47, 325302 (2014). [Google Scholar]
  11. Childs A. M. & Ge Y. M. Spatial search by continuous-time quantum walks on crystal lattices. Phys. Rev. A 89, 052337(2014). [Google Scholar]
  12. Izaac J. A. & Wang J. B. pyCTQW: A continuous-time quantum walk simulator on distributed memory computers. Comput. Phys. Commun. 186, 81–92 (2015). [Google Scholar]
  13. Zhan X., Qin H., Bian Z. H., Li J. & Xue P. Perfect state transfer and efficient quantum routing: A discrete-time quantum-walk approach. Phys. Rev. A 90, 012331 (2014). [Google Scholar]
  14. Yang Y. G., Pan Q. X., Sun S. J. & Xu P. Novel image encryption based on quantum walks. Sci. Rep. 5, 7784 (2015). [DOI] [PMC free article] [PubMed] [Google Scholar]
  15. Li D., Zhang J., Guo F.-Z., Huang W. & Wen Q.-Y. Discrete-time interacting quantum walks and quantum Hash schemes. Quantum Inf. Process. 12, 1501–1513 (2013). [Google Scholar]
  16. Shenvi N., Kempe J. & Whaley K. B. Quantum random-walk search algorithm. Phys. Rev. A 67, 052307 (2003). [Google Scholar]
  17. Štefaňák M., Barnett S. M., Kollár B., Kiss T. & Jex I. Directional correlations in quantum walks with two particles. New J. Phys. 13, 033029 (2011). [Google Scholar]
  18. Zhang J., Wang X. & Zhang W. Chaotic keyed hash function based on feed forward-feedback nonlinear digital filter. Phys. Lett. A 362, 439–448 (2007). [Google Scholar]
  19. Rivest R. The MD5 message-digest algorithm. RFC 1321 http://www.fourmilab.ch/hotbits (1992) (29/6/2015).
  20. Nielsen M. & Chuang I. Quantum Computation and Quantum Information. Cambridge University Press, New York, 2000. [Google Scholar]
  21. Akhavan A., Samsudin A. & Akhshani A. A novel parallel hash function based on 3D chaotic map. EURASIP J. Adv. Signal Process. 2013, 126 (2013). [Google Scholar]
  22. Akhshani A. et al. Hash function based on hierarchy of 2D piecewise nonlinear chaotic maps. Chaos, Solitons and Fractals 42, 2405–2412 (2009). [Google Scholar]
  23. Wei G., Wang X. M., He D. K. & Cao Y. Cryptanalysis on a parallel keyed hash function based on chaotic maps. Phys. Lett. A 373, 3201–3206 (2009). [Google Scholar]
  24. Wang X.-Y. & Zhao J.-F. Cryptanalysis on a parallel keyed hash function based on chaotic neural network. Neurocomputing 73, 3224–3228 (2010). [Google Scholar]
  25. López-Ruiz R., Mancini H. L. & Calbet X. A statistical measure of complexity. Phys. Lett. A 209, 321–326 (1995). [Google Scholar]
  26. Lamberti P. W., Martin M. T., Piastino A. & Rosso O. A. Intensive entropy non-triviality measure. Physica A 334, 119–131 (2004). [Google Scholar]
  27. Rosso O. A., Larrondo H. A., Martin M. T., Plastino A. & Fuentes M. A. Distinguishing noise from chaos. Phys. Rev. Lett. 99, 154102 (2007). [DOI] [PubMed] [Google Scholar]
  28. Eckmann J. P., Oliffson Kamphorst S. & Ruelle D. Recurrence plots of dynamical systems. Europhys. Lett. 4, 973–977 (1987). [Google Scholar]
  29. Marwan N., Romano M. C., Thiel M. & Kurths J. Recurrence plots for the analysis of complex systems. Phys. Rep. 438, 237–329 (2007). [Google Scholar]
  30. Shiner J. S., Davison M. & Landsberg P. T. Simple measure for complexity. Phys. Rev. E 59, 1459–1464 (1999). [DOI] [PubMed] [Google Scholar]
  31. Martin M. T., Plastino A. & Rosso O. A. Statistical complexity and disequilibrium. Phys. Lett. A 311, 126–132 (2003). [Google Scholar]
  32. Larrondo H. A., González C. M., Martin M. T., Plastino A. & Rosso O. A. Intensive statistical complexity measure of pseudorandom number generators. Physica A 356, 133–138 (2005). [Google Scholar]
  33. Bandt C. & Pompe B. Permutation Entropy: A natural complexity measure for time series. Phys. Rev. Lett. 88, 174102 (2002). [DOI] [PubMed] [Google Scholar]
  34. Marwan N., Wessel N., Meyerfeldt U., Schirdewan A. & Kurths J. Recurrence plot based measures of complexity and its application to heart rate variability data. Phys. Rev. E 66, 026702 (2002). [DOI] [PubMed] [Google Scholar]
  35. Zbilut J. P. & Webber C. L. Embeddings and delays as derived from quantification of recurrence plots. Phys. Lett. A 171, 199–203 (1992). [Google Scholar]
  36. Webber C. L. & Zbilut J. P. Dynamical assessment of physiological systems and states using recurrence plot strategies. J. Appl. Physiol. 76, 965–973 (1994). [DOI] [PubMed] [Google Scholar]
  37. Benítez R., Bolós V. J. & Ramírez M. E. A wavelet-based tool for studying non-periodicity. Comput. Math. Appl. 60, 634–641 (2010). [Google Scholar]
  38. Akhshani A., Akhavan A., Mobaraki A., Lim S.-C. & Hassan Z. Pseudo random number generator based on quantum chaotic map. Commun. Nonlinear Sci. Numer. Simulat. 19, 101–111 (2014). [Google Scholar]
  39. Mallat S. A wavelet tour of signal processing. Academic Press: London, (1999). [Google Scholar]
  40. Chandre C., Wiggins S. & Uzer T. Time-frequency analysis of chaotic systems. Physica D 181, 171–196 (2003). [Google Scholar]
  41. Gao T. & Chen Z. A new image encryption algorithm based on hyper-chaos. Phys. Lett. A 372, 394–400 (2008). [Google Scholar]
  42. Refregier P. & Javidi B. Optical image encryption based on input plane and Fourier plane random encoding. Opt. Lett. 20, 767–769 (1995). [DOI] [PubMed] [Google Scholar]
  43. Cheddad A., Condell J., Curran K. & McKevitt P. A hash-based image encryption algorithm. Opt. Commun. 283, 879–893 (2010). [Google Scholar]
  44. Yang Y.-G., Xia J., Jia X. & Zhang H. Novel image encryption/decryption based on quantum Fourier transform and double phase encoding. Quantum Inf. Process. 12, 3477–3493 (2013). [Google Scholar]
  45. Akhshani A., Akhavan A., Lim S.-C. & Hassan Z. An image encryption scheme based on quantum logistic map. Commun Nonlinear Sci. Numer. Simulat. 17, 4653–4661 (2012). [Google Scholar]
  46. Huang X. L. & Ye G. D. An image encryption algorithm based on hyper-chaos and DNA sequence. Multimed. Tools Appl. 72, 57–70 (2014). [Google Scholar]
  47. Shahram E. G. & Mohammad E. Chaotic image encryption system using phase-magnitude transformation and pixel substitution. Telecommun. Syst. 52, 525–537 (2013). [Google Scholar]
  48. L’Ecuyer P. & Simard R. J. TestU01: A C library for empirical testing of random number generators. ACM Trans. Math. Soft. 33, 22 (2007). [Google Scholar]

Associated Data

This section collects any data citations, data availability statements, or supplementary materials included in this article.

Supplementary Materials

Supplementary Information
srep19788-s1.pdf (3.8MB, pdf)

Articles from Scientific Reports are provided here courtesy of Nature Publishing Group

RESOURCES