
Quantum One-Time Pad (QOTP)

Updated 26 December 2025
  • Quantum One-Time Pad (QOTP) is a symmetric-key quantum encryption scheme that applies random Pauli operators to qubits, ensuring perfect information-theoretic secrecy.
  • It encrypts each qubit by independently masking with Pauli operations, making encrypted states statistically indistinguishable from the maximally mixed state.
  • Advanced variants like Quantum Block Encryption and higher-dimensional QOTP extend its utility in secure cloud storage, distributed quantum computation, and quantum key distribution.

A quantum one-time pad (QOTP) is the canonical symmetric-key quantum encryption protocol, providing perfect information-theoretic secrecy for quantum data by masking each qubit with independently chosen Pauli operators parameterized by classical random bits. This primitive is both a central theoretical construct and the practical cryptographic foundation for secure quantum communication and computation in the presence of quantum adversaries. The standard QOTP leverages the structure and orthogonality of the Pauli group to guarantee that, absent the secret key, any quantum ciphertext is statistically indistinguishable from the maximally mixed state. In the post-quantum era, QOTP underpins practical applications such as quantum-secure cloud storage systems, secure delegation of computation, and cryptographic protocols based on quantum key distribution. Several generalizations and extensions, including block-encryption variants with key reusability and higher-dimensional (qutrit) constructions, refine or overcome key limitations of the QOTP while maintaining formal security guarantees.

1. Formal Definition and Construction

At its core, the QOTP encrypts each qubit of an arbitrary $n$-qubit state by applying a random element from the $n$-fold Pauli group parameterized by $2n$ classical bits. For a single qubit described by density matrix $\rho$ and a secret key $(a,b)\in\{0,1\}^2$, the cipher is generated as

$$E_{a,b}(\rho) = X^a Z^b\, \rho\, Z^b X^a,$$

where $X$ (bit-flip) and $Z$ (phase-flip) are the canonical Pauli operators. For multi-qubit encryption, the key consists of two $n$-bit strings $a=(a_1,\dots,a_n)$ and $b=(b_1,\dots,b_n)$, yielding

$$E_{a,b}(\rho) = X^{a} Z^{b} \rho Z^{b} X^{a},$$

with $X^{a} = X^{a_1}\otimes\dots\otimes X^{a_n}$, $Z^{b} = Z^{b_1}\otimes\dots\otimes Z^{b_n}$ (Liang et al., 2018, Xu et al., 2024, Lakshmi et al., 10 Jun 2025).

Decryption applies the inverse Pauli string, leveraging the involutive properties of $X$ and $Z$: $\rho = X^a Z^b \left[X^a Z^b \rho Z^b X^a\right] Z^b X^a$. The key must be uniformly random and used only once per encryption to maintain security (Liang et al., 2018, Brandão et al., 2010).

2. Security Proof: Perfect Secrecy

The QOTP is information-theoretically secure by design. The core of its security argument relies on the orthogonality relations for Pauli operators. When averaging over all $2^{2n}$ possible keys, the ciphertext ensemble becomes

$$\sigma_{\text{cipher}} = 2^{-2n} \sum_{a,b} X^a Z^b\, \rho\, Z^b X^a = \frac{I}{2^n},$$

where $I$ is the identity operator on $n$ qubits. Thus, regardless of plaintext $\rho$, the ciphertext is the maximally mixed state, leaking no information to any observer lacking the key (Liang et al., 2018, Xu et al., 2024, Bitan et al., 2023, Lakshmi et al., 10 Jun 2025).

This property holds for any choice of plaintext—including entangled or otherwise structured quantum states—and for all measurement scenarios. Even an adversary with arbitrary quantum computational power cannot distinguish ciphertexts corresponding to different plaintexts without the key (Xu et al., 2024, Brandão et al., 2010).

3. Shannon-Style Limitations: Key Usage and Reuse

The QOTP is subject to Shannon-type restrictions analogous to the classical one-time pad. Each $n$-qubit block requires a fresh $2n$-bit key. Key reuse across blocks immediately compromises the protocol: if two ciphertexts are encrypted with the same key, joint attacks can reveal correlations between the underlying plaintexts (Liang et al., 2018, Brandão et al., 2010). This constraint is fundamental: perfect secrecy necessitates a key length at least the message length, and every key is consumed irreversibly with each encryption operation.

In quantum cloud or multi-user workflows, it is essential to freshen the key material for every session or block to avoid state leakage and privacy compromise, as shown in the context of cloud-based computation and the quantum reset mechanisms (Xu et al., 2024, Lakshmi et al., 10 Jun 2025).
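The averaging identity of Section 2 and the key-reuse failure of Section 3, checked numerically in an added example (not code from the cited papers): a pure-Python density-matrix simulation whose function names and sample states are constructed here. With fresh keys a Bell pair averages to $I/4$; when one $(a,b)$ pair masks two qubits, the averaged ciphertexts of $|00\rangle$ and $|01\rangle$ remain distinguishable, so the parity of the plaintexts leaks.

```python
from itertools import product

I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]

def kron(A, B):
    return [[x * y for x in ra for y in rb] for ra in A for rb in B]

def matmul(A, B):
    return [[sum(x * y for x, y in zip(r, c)) for c in zip(*B)] for r in A]

def pauli_mask(a, b):
    """U = X^a Z^b, built qubit by qubit as a tensor product."""
    U = [[1]]
    for ai, bi in zip(a, b):
        U = kron(U, matmul(X if ai else I2, Z if bi else I2))
    return U

def encrypt(rho, a, b):
    """E_{a,b}(rho) = X^a Z^b rho Z^b X^a = U rho U^dagger."""
    U = pauli_mask(a, b)
    U_dag = [list(col) for col in zip(*U)]  # U is real, so U^dagger is its transpose
    return matmul(matmul(U, rho), U_dag)

decrypt = encrypt  # same mask again: U*U = +/-I, and the sign cancels on both sides

def average_cipher(rho, keys):
    """Key-averaged ciphertext: all an observer without the key can see."""
    avg = [[0j] * len(rho) for _ in rho]
    for a, b in keys:
        c = encrypt(rho, a, b)
        avg = [[s + v / len(keys) for s, v in zip(rs, rc)] for rs, rc in zip(avg, c)]
    return avg

def key_space(n, reuse=False):
    """All 2^(2n) fresh keys, or the 4 keys that repeat one (a, b) on every qubit."""
    bits = [(v,) * n for v in (0, 1)] if reuse else list(product((0, 1), repeat=n))
    return [(a, b) for a in bits for b in bits]

def projector(psi):
    return [[x * complex(y).conjugate() for y in psi] for x in psi]

def max_diff(A, B):
    return max(abs(x - y) for ra, rb in zip(A, B) for x, y in zip(ra, rb))

MIXED = [[0.25 * (i == j) for j in range(4)] for i in range(4)]  # I/4 for n = 2
BELL = projector([2 ** -0.5, 0, 0, 2 ** -0.5])  # constructed entangled plaintext
P00, P01 = projector([1, 0, 0, 0]), projector([0, 1, 0, 0])  # |00> and |01>
```

Comparing `average_cipher(P00, key_space(2, reuse=True))` with the same call on `P01` shows two different diagonal states, which is the quantum counterpart of XOR-ing two classical ciphertexts that share a pad.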

4. Block Encryption and Key Reuse: Quantum Block Encryption (QBE)

New cryptographic primitives, such as the quantum block encryption (QBE) scheme developed by Liang and Yang, extend QOTP concepts to enable key reuse for a substantially larger number of encryptions (Liang et al., 2018). The construction, based on the "EHE" (Encrypt-Hadamard-Encrypt) mode, uses two independent pseudorandom functions (PRFs) and fresh public randomness per encryption, but a fixed $2n$-bit secret key.

Key steps in QBE:

  • Key Selection: Two keys $(k_1, k_2)$ are chosen, each for a separate PRF.
  • Encryption: For each message,

    1. Apply an $X$-mask generated by $F(k_1, r_1)$ to the plaintext using random seed $r_1$.
    2. Apply a transversal Hadamard $H^{\otimes n}$.
    3. Apply a second $X$-mask from $G(k_2, r_2)$ using independent random $r_2$.
  • Decryption: Reverses the three-stage process.
  • Security: If $F$ and $G$ are standard-secure PRFs, the QBE attains IND-CPA security; if they are permutations for each $r$, QBE attains perfect secrecy: the ciphertext is again uniformly mixed.

Crucially, QBE allows the same key to be reused across exponentially many encryptions (up to $O(2^{2n})$), with each use requiring only fresh public randomness. Thus, QBE breaks the classical bound that enforces single-use keys, transferring perfect secrecy requirements from the key to the random seed. This quantum extension of block encryption makes QOTP-level perfect secrecy practically scalable in certain settings (Liang et al., 2018).
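The three EHE steps listed above as an added state-vector simulation, not code from Liang and Yang's paper. HMAC-SHA256 stands in for the PRFs $F$ and $G$ (an assumption), and the function names, the 16-byte seeds and the choice to return $(r_1, r_2)$ alongside the ciphertext are illustrative.

```python
import hashlib
import hmac
import secrets

def prf(key, seed, n, label):
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to an n-bit mask, n <= 256."""
    digest = hmac.new(key, label + seed, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - n)

def x_mask(state, mask):
    """Apply X^mask: the amplitude of |i XOR mask> moves to |i>."""
    return [state[i ^ mask] for i in range(len(state))]

def hadamard_all(state):
    """Transversal H on every qubit, as a normalized Walsh-Hadamard transform."""
    out, h = list(state), 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                u, v = out[j], out[j + h]
                out[j], out[j + h] = (u + v) * 2 ** -0.5, (u - v) * 2 ** -0.5
        h *= 2
    return out

def qbe_encrypt(k1, k2, state, n):
    """EHE: X-mask from F(k1, r1), then H on all qubits, then X-mask from G(k2, r2)."""
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh public seeds
    c = x_mask(state, prf(k1, r1, n, b"F"))
    c = hadamard_all(c)  # H X^m = Z^m H, so the first mask now acts as a phase mask
    c = x_mask(c, prf(k2, r2, n, b"G"))
    return r1, r2, c

def qbe_decrypt(k1, k2, r1, r2, cipher, n):
    """Undo the three stages in reverse order; X-masks and H are self-inverse."""
    s = x_mask(cipher, prf(k2, r2, n, b"G"))
    s = hadamard_all(s)
    return x_mask(s, prf(k1, r1, n, b"F"))
```

The secret key `(k1, k2)` never changes between calls; only the seeds do, which is the property the paragraph above attributes to QBE.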

5. Generalizations: QOTP for Qutrits, SU(2), Anyons, and Beyond

Several research directions have expanded the QOTP framework:

  • Ternary (Qutrit) QOTP: For $n$ qutrits, the pad uses three $n$-length keys: shift, Hadamard, and phase rotations in the qutrit Hilbert space, yielding a keyspace of size $3^{3n}$ and similar security guarantees. It enables information-theoretic security for higher-dimensional quantum logic and is integrated into ternary homomorphic encryption schemes (Wang et al., 2015).
  • Quaternionic/SU(2) QOTP: By using the full single-qubit unitary group (SU(2)), the QOTP scheme can mask with arbitrary one-qubit rotations parameterized by four real numbers constrained to the unit three-sphere. This extension enables more efficient quantum fully homomorphic encryption, supporting single-qubit gates with encrypted angle parameters and classical control (Ma et al., 2020).
  • Anyonic (Non-Abelian) QOTP: In topological quantum computation, deterministic QOTP via Fibonacci anyons uses the mutual information of shared anyonic states (e.g., vacuum-fused τ-anyon pairs) as the masking resource. The asymptotic capacity per pair is bounded by $2\log_2 d_\tau$, where $d_\tau$ is the quantum dimension of the τ anyon. These schemes leverage topological robustness and superselection sectors for built-in error resilience (Xu et al., 2021).
  • Random Basis Encryption (RBE): A protocol closely related to QOTP replaces the finite four-element Pauli mask set with a dense (continuous) set of rotation angles, providing statistically perfect secrecy when integrating over key space. RBE also supports a richer set of homomorphic operations and is robust to certain weak-measurement attacks that challenge classical and QOTP-based QKD (Bitan et al., 2023).

6. Applications in Secure Quantum Computing and Storage

The QOTP is deployed in several key quantum security protocols:

  • Cloud Quantum Storage: Combined with QKD (e.g., BB84), QOTP securely encrypts quantum data for cloud storage. A quantum key generated via BB84 is split into the required $2n$ bits for masking the quantum plaintext, and the encrypted data can securely reside on untrusted servers as ciphertext without leakage risk (Lakshmi et al., 10 Jun 2025).
  • State Leakage Mitigation in Quantum Computing: QOTP insertion post-measurement and pre-reset on NISQ devices ensures that any residual system state is rendered maximally mixed, suppressing cross-shot leakage. The QOTP remains the only universally effective solution for horizontal state leakage when operations or measurements are not axis-restricted (Xu et al., 2024).
  • Quantum Key Distribution and Homomorphic Encryption: QOTP is foundational to information-theoretic secure quantum homomorphic encryption. It allows non-interactive application of Pauli gates on ciphertext and is the natural masking layer for QKD "prepare-and-measure" protocols, such as BB84 and its variants (Bitan et al., 2023).
  • Securing Entanglement and Distributed Quantum Resources: The QOTP framework extends to protection of entangled pairs and multipartite states during storage, transport, or computation, as any subsystem encrypted with QOTP appears maximally mixed to unauthorized parties, even in the presence of channel or environmental noise (Bitan et al., 2023, Xu et al., 2021).

7. Practical Implementation Considerations and Performance

Implementing QOTP on current quantum hardware is technically straightforward, requiring only single-qubit Pauli operations, which are among the most robust and well-characterized gates on any platform. No entangling gates are necessary. In the context of QBE, only Pauli-$X$ and Hadamard gates are involved, rendering these schemes compatible with near-term devices and scalable architectures (Liang et al., 2018).

The main limitations are key-generation and management overhead (necessitating fresh, private randomness per encrypted qubit or block unless using QBE), and the (imperfect) efficiency of QKD protocols in realistic settings, where loss and error rates determine achievable secure key rates (Lakshmi et al., 10 Jun 2025). Any deviation from strict uniform randomness, accidental key reuse, or information leakage of the key bits defeats the perfect secrecy guarantee.

Comparison to classical OTP and symmetric encryption highlights the unconditional security of QOTP but also its greater key consumption unless quantum-secure key expansion or block-encryption modifications are deployed (Liang et al., 2018).


References

  • "Block encryption of quantum messages" (Liang et al., 2018)
  • "A Thorough Study of State Leakage Mitigation in Quantum Computing with One-Time Pad" (Xu et al., 2024)
  • "Deterministic quantum one-time pad via Fibonacci anyons" (Xu et al., 2021)
  • "Randomly Choose an Angle from an Immense Number of Angles to Rotate Qubits, Compute and Reverse" (Bitan et al., 2023)
  • "Symmetric Ternary Quantum Homomorphic Encryption Schemes Based on the Ternary Quantum One-Time Pad" (Wang et al., 2015)
  • "Quantum Fully Homomorphic Encryption by Integrating Pauli One-time Pad with Quaternions" (Ma et al., 2020)
  • "The quantum one-time pad in the presence of an eavesdropper" (Brandão et al., 2010)
  • "Secure Data Access in Cloud Environments Using Quantum Cryptography" (Lakshmi et al., 10 Jun 2025)
