Abstract
We cast encryption via classical block ciphers in terms of operator spreading in a dual space of Pauli strings, a formulation which allows us to characterize classical ciphers by using tools well known in the analysis of quantum many-body systems. We connect plaintext and ciphertext attacks to out-of-time order correlators (OTOCs) and quantify the quality of ciphers using measures of delocalization in string space such as participation ratios and corresponding entropies obtained from the wave function amplitudes in string space. In particular, we show that in Feistel ciphers the entropy saturates its bound to exponential precision for ciphers with 4 or more rounds, consistent with the classic Luby–Rackoff result that it takes these many rounds to generate strong pseudorandom permutations. The saturation of the string-space information entropy and the vanishing of the OTOCs to exponential precision are taken as necessary conditions for the security of the cipher — we conjecture these criteria are also sufficient, as physically they signal irreversibility and chaos. We argue that the conditions on both OTOCs and string entropies can be satisfied by n-bit block ciphers implemented via random reversible circuits with O(n log n) gates. This paper focuses on a tree-structured cipher composed of layers of n/3 3-bit gates, for which a “key” specifies uniquely the sequence of gates that comprise the circuit. We show that in order to reach this “speed limit” one must employ a three-stage circuit consisting of a nonlinear stage implemented by layers of nonlinear gates that proliferate the number of strings, flanked by two linear stages, each deploying layers of a special set of linear “inflationary” gates that accelerate the growth of small individual strings.
The close formal correspondence to quantum scramblers established in this work leads us to suggest that this three-stage construction is also required in order to scramble quantum states to similar precision and with circuits of similar size. A shallow, O(log n)-depth cipher of the type described here can be used in constructing a polynomial-overhead scheme for computation on encrypted data proposed in another publication as an alternative to Homomorphic Encryption.
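The following is an added toy example, not code from the paper, showing concretely what "wave function amplitudes in string space" and the associated entropy and participation ratio mean for a classical permutation. It assumes an 8-bit balanced Feistel network with random round-function tables (constructed, fixed seed) and restricts attention to Z-type strings: conjugating the parity operator Z_S by a classical permutation P gives a superposition of Z_T strings whose amplitudes are the Walsh–Hadamard spectrum of the Boolean function x ↦ S·P(x), so the squared amplitudes sum to one by Parseval and can be read as a probability distribution over strings. The number of rounds, seed and block size are assumptions of this example only.

```python
"""Toy string-space spreading for a balanced Feistel network (added example).

Assumptions (not from the paper): n = 8 bits in two 4-bit halves, random
round-function tables from a fixed seed, and only Z-type strings, for which the
amplitudes of P^dagger Z_S P over the Z_T basis are the Walsh-Hadamard
coefficients of the parity function x -> S.P(x).
"""
import math
import random

HALF = 4                  # bits per Feistel half (constructed toy size)
N = 2 * HALF              # block size in bits
MASK = (1 << HALF) - 1


def make_round_functions(rounds, seed=0):
    """Random lookup tables F_i: {0,1}^HALF -> {0,1}^HALF (constructed, keyed by seed)."""
    rng = random.Random(seed)
    return [[rng.randrange(1 << HALF) for _ in range(1 << HALF)] for _ in range(rounds)]


def feistel(x, round_fns):
    """Balanced Feistel network: (L, R) -> (R, L xor F_i(R)) for each round."""
    left, right = x >> HALF, x & MASK
    for f in round_fns:
        left, right = right, left ^ f[right]
    return (left << HALF) | right


def parity(mask, value):
    """Parity of the bits of `value` selected by `mask` (the S.x inner product)."""
    return bin(mask & value).count("1") & 1


def string_amplitudes(perm, s):
    """Amplitudes c_T of P^dagger Z_S P in the Z_T basis.

    c_T = 2^-n * sum_x (-1)^{S.P(x)} (-1)^{T.x}, i.e. the Walsh-Hadamard transform
    of the +-1 valued parity function of output string S; sum_T c_T^2 = 1.
    """
    size = 1 << N
    f = [1 - 2 * parity(s, perm(x)) for x in range(size)]
    # in-place fast Walsh-Hadamard transform (butterflies of stride h)
    h = 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                a, b = f[j], f[j + h]
                f[j], f[j + h] = a + b, a - b
        h *= 2
    return [c / size for c in f]


def string_entropy(amps):
    """Shannon entropy (bits) of p_T = c_T^2, the weight carried by each string."""
    return -sum(p * math.log2(p) for p in (c * c for c in amps) if p > 0)


def participation_ratio(amps):
    """Inverse participation ratio: effective number of strings the operator occupies."""
    return 1.0 / sum(c ** 4 for c in amps)


def mean_entropy(rounds, seed=0):
    """Average string entropy over all non-trivial output strings S for a given depth."""
    fns = make_round_functions(rounds, seed)
    perm = lambda x: feistel(x, fns)
    ents = [string_entropy(string_amplitudes(perm, s)) for s in range(1, 1 << N)]
    return sum(ents) / len(ents)


if __name__ == "__main__":
    for r in range(1, 5):
        print(f"{r} round(s): mean string entropy = {mean_entropy(r):.2f} bits (max {N})")
```

With zero rounds the permutation is the identity and each Z_S stays a single string (entropy 0, participation ratio 1). After one round the parity S·P(x) is linear in the left half, so at most 2^(n/2) amplitudes are non-zero and the entropy cannot exceed n/2 bits; more rounds let the weight spread toward the full 2^n strings, which is the delocalization the abstract measures.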