
arxiv: 2606.01949 · v1 · pith:FJZ7KLOXnew · submitted 2026-06-01 · 🪐 quant-ph

Quantum secure blind decryption with two users

Pith reviewed 2026-06-28 14:05 UTC · model grok-4.3

classification 🪐 quant-ph
keywords: quantum secure blind decryption · two users · non-commuting servers · post-attack secrecy · quantum cryptography · blind decryption · key index secrecy · quantum protocols

The pith

A quantum protocol for blind decryption with two servers keeps the message and key index secret even after the servers later communicate.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces two quantum protocols where one user holds an encrypted message, servers hold indexed keys, and a second user obtains the decryption while servers learn nothing about the message and users learn nothing about the keys. The second protocol additionally hides which key was used and relies on two servers that cannot communicate during the run. Analysis shows the quantum version maintains all secrecy requirements even when the servers exchange information afterward, whereas the classical version loses secrecy under the same post-protocol communication.

Core claim

The protocols achieve blind decryption such that User 2 recovers the plaintext while servers gain no information on the plaintext and users gain no information on the keys or, in the second protocol, on the key index; the second protocol uses two non-commuting servers and remains secure against their post-protocol communication, a property that fails for the corresponding classical protocol.

What carries the argument

Two non-commuting servers that are forbidden from communicating during protocol execution, whose quantum states enforce secrecy of the message, keys, and key index.

If this is right

  • User 2 obtains the decrypted text without servers learning any information about it.
  • Servers' keys remain unknown to both users throughout the protocol.
  • In the second protocol the index identifying the encryption key stays hidden from the servers.
  • All secrecy properties hold after the servers communicate with each other following protocol completion.
  • The corresponding classical protocol loses secrecy of the plaintext and key index once the servers communicate afterward.
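As an added simulation, not code from the paper, the following toy classical two-server scheme with XOR secret-shared queries shows the failure mode stated in the last bullet: each server's isolated view is independent of the key index and the message, yet pooling both servers' shares afterward recovers the index, the ciphertext and the plaintext. The key table, the random tape and the scheme itself are constructed assumptions for illustration.

```python
# Toy classical two-server blind decryption with XOR secret-shared queries.
# Constructed illustration, not the paper's code: Key_j are the servers' indexed
# keys, E = M xor Key_K is User 1's ciphertext, and User 1 splits E and the
# one-hot index of K across the servers so no single share depends on K or M.
from typing import List, Tuple

Share = Tuple[int, List[int]]  # (X_t, Q_t): ciphertext share, query bit vector
KEYS = [0x3C, 0xA5, 0x0F, 0x96]  # constructed 8-bit key table held by both servers

def user1_encode(e: int, k: int, r_x: int, r_q: List[int]) -> Tuple[Share, Share]:
    """Split E and the one-hot index of K using an explicit random tape (r_x, r_q)."""
    q1 = list(r_q)
    q2 = [q1[j] ^ (1 if j == k else 0) for j in range(len(r_q))]
    return (r_x, q1), (e ^ r_x, q2)

def server_answer(share: Share, keys: List[int]) -> int:
    """g_t(X_t) = X_t xor (xor of Key_j over all j with Q_{t,j} = 1)."""
    x, q = share
    for q_j, key in zip(q, keys):
        if q_j:
            x ^= key
    return x

def user2_decode(a1: int, a2: int) -> int:
    """Dec = X'_1 xor X'_2: every key except Key_K appears twice and cancels."""
    return a1 ^ a2

def server_views_hide_k(e: int, n_keys: int, r_x: int, r_q: List[int]) -> bool:
    """Isolated-server secrecy: for a fixed tape, server 1's share is the same for
    every K, and server 2's query is the tape xor a one-hot vector, so each
    server alone sees a uniformly random share whatever K and E are."""
    views1, one_hot = set(), True
    for k in range(n_keys):
        (x1, q1), (_, q2) = user1_encode(e, k, r_x, r_q)
        views1.add((x1, tuple(q1)))
        one_hot &= sum(a ^ b for a, b in zip(q1, q2)) == 1
    return len(views1) == 1 and one_hot

def colluding_servers(s1: Share, s2: Share, keys: List[int]) -> Tuple[int, int, int]:
    """Post-protocol pooling: Q_1 xor Q_2 is the one-hot vector of K and
    X_1 xor X_2 is E, so the servers recover K, E and, via Key_K, the message."""
    (x1, q1), (x2, q2) = s1, s2
    k = [a ^ b for a, b in zip(q1, q2)].index(1)
    e = x1 ^ x2
    return k, e, e ^ keys[k]

def run_protocol(m: int, keys: List[int], k: int, r_x: int, r_q: List[int]):
    """Honest run, then the collusion step; returns (User 2's output, leaked triple)."""
    e = m ^ keys[k]
    s1, s2 = user1_encode(e, k, r_x, r_q)
    m_user2 = user2_decode(server_answer(s1, keys), server_answer(s2, keys))
    return m_user2, colluding_servers(s1, s2, keys)

if __name__ == "__main__":
    out, (k_leak, e_leak, m_leak) = run_protocol(0x5A, KEYS, 2, 0x77, [1, 0, 1, 1])
    print(f"User 2 decodes {out:#04x}; pooled servers learn K={k_leak}, "
          f"E={e_leak:#04x}, M={m_leak:#04x}")
```

The quantum protocol's claimed advantage is precisely that the servers' local records (one half of a maximally entangled state each) cannot be combined this way after the fact, which is the property the referee asks the authors to define formally.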

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The non-communication requirement during execution could be realized by placing the servers in physically separated locations connected only by quantum channels.
  • The same separation principle might apply to other multi-party quantum tasks that need privacy against later information pooling.
  • Scaling the protocol to additional users or larger key sets would require checking whether the non-communication condition can still be maintained.
  • Classical protocols might recover security by adding extra assumptions such as computational hardness, but the paper shows they fail under the stated information-theoretic post-attack model.

Load-bearing premise

The two servers are unable to communicate with each other while the protocol runs, even if they may communicate afterward.

What would settle it

An explicit strategy allowing the servers, after exchanging their post-protocol information, to recover either the plaintext or the index of the used key from the quantum states they received during execution.

Figures

Figures reproduced from arXiv: 2606.01949 by Masahito Hayashi, Yuki Ito.

Figure 1 (FIG. 1 in the paper). Secure decryption protocol without key index secrecy. [image not reproduced here]
Figure 2 (FIG. 2 in the paper). Two-server protocol. [image not reproduced here]
Original abstract

We propose two types of protocols for quantum secure blind decryption, involving two users and servers. User 1 holds the encrypted ciphertext. The servers store several indexed keys including the key encrypting the ciphertext. User 2 aims to obtain the decrypted text. The protocols are designed to preserve the following types of secrecy: Users ensure the secrecy of the text from the servers. Servers maintain the secrecy of the keys from the users. Our protocols enable User 2 to obtain the decrypted text while preserving these secrecy requirements. Additionally, the second protocol ensures the secrecy of the key index to identify the key encrypting the ciphertext from the servers, and the second protocol requires two non-commuting servers. Furthermore, we analyze the secrecy of the second protocol under post-attack scenarios, where the two servers communicate with each other after the completion of the protocol. We show that our quantum protocol satisfies the secrecy under these attacks, whereas its classical counterpart fails to do so.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript proposes two quantum protocols for blind decryption involving two users and two servers. User 1 holds an encrypted ciphertext; the servers hold indexed keys, one of which encrypts the ciphertext. User 2 obtains the decrypted plaintext while the protocols are claimed to enforce (i) secrecy of the plaintext from the servers and (ii) secrecy of the keys from the users. The second protocol additionally claims to hide the key index from the servers by using two non-communicating servers during execution and asserts that this secrecy persists even when the servers later exchange all information, whereas the corresponding classical protocol fails.

Significance. If the post-attack security argument is rigorous, the result would establish a quantum-classical separation in a collusion model where servers are isolated only during protocol execution but may collude afterward. This is a stronger security requirement than standard semi-honest or non-communicating server models and could be relevant to delegated decryption or multi-server cloud scenarios.

major comments (2)
  1. [Abstract] Abstract (post-attack analysis paragraph): the central claim that the quantum protocol maintains key-index secrecy after the servers exchange all local data rests on an unstated modeling assumption that the quantum resources used during the non-communication phase create an information-theoretic barrier that survives full subsequent classical communication. No explicit argument, security definition, or reduction is supplied in the abstract showing why reconstruction of the index becomes impossible for the quantum case while remaining possible classically; this is load-bearing for the stated quantum advantage.
  2. [Abstract] Abstract (second protocol description): the requirement that the two servers are 'non-commuting' is introduced without a formal definition in terms of quantum channels, measurement operators, or no-signaling conditions. It is therefore unclear whether the claimed secrecy follows from standard quantum information constraints or from an additional ad-hoc restriction on the protocol execution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful reading of the manuscript and the constructive comments on the abstract. We address each major comment below and will revise the abstract accordingly to improve clarity and self-containment while preserving the core claims.

Point-by-point responses
  1. Referee: [Abstract] Abstract (post-attack analysis paragraph): the central claim that the quantum protocol maintains key-index secrecy after the servers exchange all local data rests on an unstated modeling assumption that the quantum resources used during the non-communication phase create an information-theoretic barrier that survives full subsequent classical communication. No explicit argument, security definition, or reduction is supplied in the abstract showing why reconstruction of the index becomes impossible for the quantum case while remaining possible classically; this is load-bearing for the stated quantum advantage.

    Authors: We agree that the abstract, as a concise summary, does not spell out the full security definition or reduction. The main text contains the detailed post-attack analysis showing that the quantum resources (entanglement and measurements performed under the non-communication constraint) create an information-theoretic barrier that prevents index reconstruction even after full classical communication between servers, while the classical protocol allows it. To address the concern, we will revise the abstract to include a brief statement of the modeling assumption and the reason the quantum case differs from the classical one. revision: yes

  2. Referee: [Abstract] Abstract (second protocol description): the requirement that the two servers are 'non-commuting' is introduced without a formal definition in terms of quantum channels, measurement operators, or no-signaling conditions. It is therefore unclear whether the claimed secrecy follows from standard quantum information constraints or from an additional ad-hoc restriction on the protocol execution.

    Authors: We accept that a formal definition is required for precision. The term 'non-commuting' is intended to mean that the servers are restricted to local operations and measurements with no quantum or classical communication during protocol execution, which enforces the no-signaling condition. We will add an explicit definition in the revised abstract (and ensure it is stated clearly in the main text) in terms of quantum channels and the no-signaling principle, confirming that the secrecy follows from standard quantum information constraints rather than an ad-hoc rule. revision: yes

Circularity Check

0 steps flagged

No circularity: protocol construction with independent security analysis

Full rationale

The paper proposes two quantum protocols for blind decryption and claims secrecy properties under specified attacks, including post-protocol server communication for the second protocol. No equations, fitted parameters, predictions, or derivations appear that reduce to inputs by construction. The security distinction between quantum and classical versions is presented as a direct consequence of the protocol design and quantum resources rather than any self-referential fit or imported uniqueness theorem. The modeling of non-communicating servers is an explicit assumption stated in the abstract, not a hidden reduction. This is a standard protocol paper whose claims rest on construction and analysis rather than any of the enumerated circular patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No free parameters, axioms, or invented entities are identifiable from the abstract alone.

pith-pipeline@v0.9.1-grok · 5679 in / 1053 out tokens · 20491 ms · 2026-06-28T14:05:07.538198+00:00 · methodology

