The Clifford code [ABE10] is a quantum authentication code in which a random multi-qubit Clifford gate is applied on the data register together with a set of all-zero check qubits. Since a random Clifford may contain SWAP operations, the check qubits are hidden among the data.
Key features: authentication
Let \(d \in \mathbb{N}\) be a parameter of the scheme.
| Key generation |
For \(n\) qubits, select a random \((n+d)\)-qubit Clifford \(C_k\) |
| Encoding |
Apply the mapping \(|\psi\rangle \mapsto C_k(|\psi\rangle \otimes |0\rangle^{\otimes d})\) |
| Decoding |
Apply \(C_k^{\dagger}\), and measure the \(d\) auxiliary registers. Abort if they are not all zero. |
For larger \(n\), this encoding may be applied in smaller blocks (each with their own \(d\) check qubits). This variation is called the concatenated Clifford code.
Clifford gates are easy, since they only require updating the key. Suppose the key is \(C_k\), then in order to apply a Clifford \(D\), one updates the key to the Clifford group element \(C_{k'} := C_kD^{\dagger}\). This is a classical operation that can be performed by the client.
The T gate is harder. In [ABE10], the only option that is given is to send the qubit to the client, let the client remove the key, apply the gate, and apply a fresh key before sending the qubit back.
\(\epsilon\)-security requires two things:
In [ABE10], it is shown that the Clifford code with \(d\) check qubits is\(2^{-d}\)-secure. This is proven by first reducing every attack to a mixture of Pauli operators and then using a Clifford twirl to show that nontrivial Pauli operators will, with high probability, affect one of the check qubits.
In [BW16], it is shown that the Clifford code admits efficient simulation: any efficient attack by an adversary can be simulated efficiently by some simulator that only has access to the ideal functionality for authentication. This result is useful in the context of universal composability.
TODO