Coset State Authentication Scheme

• Coset State Authentication Scheme is a protocol where algebraic structures like non-commutative semigroups and quantum coset states secure authentication via hard decomposition problems.
• The method employs both classical and quantum techniques, integrating challenge-response mechanisms and error-correcting codes to ensure message integrity and efficient key recycling.
• These schemes underpin unclonable cryptographic primitives, enabling advanced applications such as quantum money and tokenized signatures that resist cloning and side-channel attacks.

A coset state authentication scheme is any protocol in which the security properties of authentication or copy-protection derive from the algebraic or quantum structure of coset states. Such schemes encompass methods spanning non-commutative semigroups, quantum authentication leveraging coset/membership states, direct construction of coset-based unclonable objects, and integrated quantum error-correcting/authentication codes where accepting states correspond to coset membership. The following sections present key constructions, mathematical frameworks, efficiency results, and security consequences found in this domain.

1. Algebraic Foundations and Non-Commutative Semigroup Protocols

Coset state authentication schemes frequently begin from non-commutative group or semigroup platforms, exploiting the hardness of certain decomposition or conjugacy search problems. In the two-pass scheme described in "Key Agreement and Authentication Schemes Using Non-Commutative Semigroups" (0708.2395), users operate within a public non-commutative semigroup $G$, with public element $z$, and subsets $LA,$ $LB,$ $RA,$ $RB$, and $Z$ satisfying exact commutativity constraints. These are explicitly:

$$\begin{aligned} &[LA, LB] = 1,\quad [RA, RB] = 1, \ &[LB, Z] \neq 1,\quad [LA, Z] \neq 1,\quad [RB, Z] \neq 1,\quad [RA, Z] \neq 1 \ &[LA, RA] \neq 1,\quad [LB, RB] \neq 1 \end{aligned} \tag{2}$$

Key generation and authentication leverage double-sided multiplication, with prover’s public key $K_A = a_1 z a_2$ for $a_1 \in LA,\, a_2 \in RA$, and verifier’s challenge $x = b_1 z b_2$ for $b_1 \in LB,\, b_2 \in RB$. The response $w = H(a_1 x a_2)$ is verified against $H(b_1 K_A b_2)$. The security depends on the inability to solve the generalized Diffie-HeLLMan decomposition problem (DH-DP or DH-DP′) unless the adversary inverts the coset decomposition, i.e., reconstructs secret factors given $K_A$ and the public parameters.

In these schemes, authentication states (public keys and challenges) naturally represent the action of secret elements upon coset representatives, and the protocol’s commutativity design ensures only the legitimate prover can respond correctly.

2. Quantum Authentication: Coset and Maximally Entangled States

Coset state authentication extends naturally to quantum settings, where the authentication protocol may accept or reject quantum states according to their structure as cosets of some subspace or as maximally entangled states. "New security notions and feasibility results for authentication of quantum data" (Garg et al., 2016) introduces definitions and protocols where authentication is analyzed for quantum adversaries, including superposition and side-information attacks.

A classical MAC with tags $|m, h_k(m)\rangle$ defines a subspace of "valid" authenticated states. In the quantum construction, authentication is defined via two families of keyed superoperators, e.g.,

$$\text{Auth}_k(\rho) = U_k(\rho \otimes |0\rangle\langle 0|^{\otimes s})U_k^\dagger$$

where $U_k$ is an approximate unitary $t$-design. The lifting theorem asserts that if the scheme authenticates a maximally entangled state (formally, a coset state):

$$|\Phi\rangle^{MB} = \frac{1}{\sqrt{|M|}} \sum_{m} |m\rangle^M |m\rangle^B,$$

then it authenticates arbitrary states, even when entangled with the adversary. This equates the challenge of authenticating coset states with authenticating the entire message space, thus establishing total authentication.

Key consequences include information-theoretic key recycling and the inability of adversaries to couple the secret key or the authenticated quantum state with their side-information, given protocol acceptance.

3. Efficiency Improvements in Authentication and Error Correction

Several works address resource efficiency, especially in quantum authentication combined with error correction. "An efficient combination of quantum error correction and authentication" (Dulek et al., 2022) constructs the threshold authentication scheme where acceptance is determined by one’s coset state passing a threshold error test across designated "traps".

Formally, Alice encodes her quantum data via an error-correcting code, appends $n$ computational and $n$ Hadamard basis trap qubits, then applies a secret permutation $\pi_k$ and quantum one-time pad $P_l$:

$$\sigma_{AS} = P_l\, \pi_k \bigl(\operatorname{Enc}(\rho_A) \otimes |0\rangle^{\otimes n}\langle 0| \otimes |+\rangle^{\otimes n}\langle+|\bigr) \pi_k^\dagger P_l$$

Bob measures traps and accepts if fewer than $r = \alpha n$ show errors. The authentication coset is thus the set of states mapped by the code/trap permutation that yield less than threshold errors. The scheme achieves correctness and security parameters $(\epsilon, \delta)$ while ensuring the physical qubit count grows only polylogarithmically as $\max\{\log(1/\epsilon)^C,\, \log(1/\delta)^C\}$, with $C$ determined by the code parameters.

Compared to naive compositions (e.g., trap code plus external CSS error correction), the threshold scheme provides polynomial improvement in overhead, achieving both error correction and authentication in a single coset-based code framework.

4. Coset States and Unclonable Cryptography

Coset state authentication forms the cryptographic basis of unclonable primitives such as quantum money and copy-protection. "Hidden Cosets and Applications to Unclonable Cryptography" (Coladangelo et al., 2021) demonstrates that hidden coset states possess direct product hardness under indistinguishability obfuscation (iO), facilitating tokenized signature and unclonable decryption schemes without reliance on oracles.

A key security proof employs the "hidden trigger" technique. Given an adversary presented either with a uniformly random input $u$ or a trigger-generated $u'$ that activates special modes in an iO-obfuscated program $P$, the adversary cannot distinguish the source. The GenTrigger procedure creates $u'$ by masking via puncturable PRFs $F_2,F_3$ on substrings of $u$ and auxiliary circuit $Q'$:

$$u' = u_0 \| F_2(K_2, u_0\|Q) \| \bigl(F_3(K_3, F_2(K_2, u_0 \| Q)) \oplus (u_0 \| Q)\bigr),$$

where $P$ only triggers the alternate verification circuit on precalculated coset membership conditions. Hybrid argument and subspace-hiding properties of iO ensure quantum distinguishers have negligible advantage.

Furthermore, these schemes leverage conjectured (and now proven) monogamy-of-entanglement for coset states to realize unclonable copy-protection, where authenticated states are uncloneable and cannot be forged even with auxiliary quantum information.

5. Comparison of Frameworks and Security Guarantees

The surveyed schemes share the unifying theme: authentication or copy-protection security ensues from the computational or quantum hardness of determining coset (subgroup, subspace, or codeword) membership. Algebraic protocols focus on non-commutative structure and challenge-response via decomposition problems; quantum schemes enforce coset structure by subspace projection or encode-then-encrypt methods, while unclonable constructions leverage coset state monogamy and indistinguishability obfuscation.

Specific schemes highlighted include:

Scheme Type	Essential Security Property	Resource Efficiency
Two-pass semigroup auth (0708.2395)	DH-DP hardness, commutativity controls	Fewer multiplications by proper $z$ selection
Quantum total auth (Garg et al., 2016)	Simulation-based, total authentication	Key reuse; $2^{-s/2}$ security via padding
Threshold code (Dulek et al., 2022)	Trap error threshold, composable sim.	Polylog qubit growth $(\log(1/\epsilon)^C)$
Hidden coset unclonability (Coladangelo et al., 2021)	Monogamy, direct product hardness	Obfuscation and PRF-based trigger sparse sets

Key implications include the ability to tune commutativity/trap thresholds for balance between correctness and security, avoidance of expensive group operation via coset representative design, composable security guarantees compatible with adversarial quantum side-information, and feasibility of practical quantum copy-protection without oracle support.

6. Generalizations, Open Questions, and Applications

Generalization of coset state authentication encompasses broader class of hybrid codes supporting both robust error correction and adversarial isolation, optimal balancing of code parameters for efficiency, and extension beyond information-theoretic to computational security notions (e.g., incorporating key recycling). Open questions include the design of naturally error-robust Clifford codes and the ultimate theoretical minimum overhead achievable by simultaneous authentication/error correction.

Practical applications are found in quantum networks, delegated computation, quantum one-time programs, and tokenized signature schemes where message integrity, authenticity, and unclonability are essential. The integration of coset state authentication into these contexts enables efficient quantum-safe cryptography, both against classical and full quantum attacks.

This suggests future research should continue to explore coset-based hybrid code constructions, examine security in asynchronous multi-party quantum operations, and refine composable frameworks accommodating evolving adversary models.