Tamper Detection against Unitary Operators

We consider (Enc, Dec) schemes which are used to encode a classical/quantum message $m$ and derive an $n$-qubit quantum codeword $\psi_m$. The quantum codeword $\psi_m$ can be adversarially tampered with via a unitary $U \in \mathcal{U}$ from some known tampering unitary family $\mathcal{U}$, resulting in $U \psi_m U^\dagger$. Firstly, we initiate the general study of quantum tamper detection codes, which must detect that tampering occurred with high probability. In case there was no tampering, we would like to output the message $m$ with a probability of $1$. We show that quantum tamper detection codes exist for both classical messages and quantum messages for any family of unitaries $\mathcal{U}$, such that $|\mathcal{U}|<2^{2^{\alpha n}}$ for some known constant $\alpha \in (0,1)$ and all the unitaries satisfy one additional condition: \begin{itemize} \item Far from Identity: For each $U \in \mathcal{U}$, we require that the modulus of its trace is not too large, i.e. $|\mathrm{Trace}(U)| \leq \phi N$, where $N=2^n$. \end{itemize} Quantum tamper-detection codes are quantum generalizations of classical tamper detection codes studied by Jafargholi et al. \cite{JW15}. Additionally, for a classical message $m$, if we must either output the message $m$ or detect that tampering occurred and output $\perp$ with high probability, we show that it is possible without the restriction of the Far from Identity condition for any family of unitaries $\mathcal{U}$, such that $|\mathcal{U}|<2^{2^{\alpha n}}$. We also provide efficient (Enc, Dec) schemes when the family of tampering unitaries is from the Pauli group $\mathcal{P}_n$, which can be thought of as a quantum version of the algebraic manipulation detection (AMD) codes of Cramer et al. \cite{CDFPW08}.


Introduction
Traditionally, cryptographic schemes have been analyzed assuming that an adversary has only black-box access to the underlying functionality and no way to manipulate the internal state. Tamper-resilient cryptography is a model in cryptography where an adversary is allowed to tamper with the internal state of a device (without necessarily knowing what it is) and then observe the outputs of the tampered device. By doing so, an attacker may learn additional sensitive information that would not be available otherwise. One natural approach to protect against such attacks is to encode the data on the device in some way. One can try to use error-correcting codes such as Reed-Solomon codes, but such an encoding only protects against tampering of bounded Hamming weight, typically less than the distance of the code. Tamper detection codes introduced by Jafargholi and Wichs [1] provide meaningful guarantees on the integrity of an encoded message in the presence of a tampering adversary, even in settings where error correction and error detection may not be possible.
Consider the following: suppose one wants to store a message in a database accessible to an adversary. The adversary is then allowed to tamper with the stored message using a function $f$ from some function family $\mathcal{F}_{\mathrm{Adv}}$. Naturally, from a decent storage, we expect two properties:
• If there is tampering, we should be able to detect it with high probability.
• If there was no tampering, then we should always be able to recover the original message.
Let $\mathcal{M}$ be the set of messages, and let the storage be labelled by $\mathcal{C}$. For such a scheme, we require an encoder (Enc) from $\mathcal{M}$ to $\mathcal{C}$ and a decoding procedure (Dec) that reverses this operation. The decoder Dec is additionally allowed to output a special symbol $\perp$, to indicate that the message was tampered with. The experiment can be modelled as a simple three-step procedure:
a) A message $m \in \mathcal{M}$ is encoded via a (possibly randomized) encoder $\mathrm{Enc} : \mathcal{M} \to \mathcal{C}$, yielding a codeword $c = \mathrm{Enc}(m)$.
b) An adversary can tamper with $c$ (non-trivially) via a function $f$ from some known tampering function family $\mathcal{F}_{\mathrm{Adv}}$, resulting in $\hat{c} = f(c)$.
c) The tampered codeword $\hat{c}$ is then decoded to a candidate message $m \in \mathcal{M} \cup \{\perp\}$ using a (possibly randomized) decoder $\mathrm{Dec} : \mathcal{C} \to \mathcal{M} \cup \{\perp\}$.
The properties that we desire from this scheme are: A. Pr (Dec (Enc(m)) = m) = 1 (Completeness).
Property A indicates that if no one tampers with anything, we can always get back the original message. Property B states that the decoder can detect every non-trivial tampering with probability at least $1 - \epsilon$. If some encoding and decoding scheme (Enc, Dec) satisfies the above properties, we say that it is an $\epsilon$-secure tamper detection code (for family $\mathcal{F}_{\mathrm{Adv}}$).
Note that Property B can hold in two different degrees. One, it is valid for all messages $m$, in which case we call the scheme a strong tamper detection code (or simply a tamper detection code). And two, it can be valid for a randomly chosen $m$, in which case we say the scheme is a weak tamper detection code. In this work, we restrict ourselves to the strong form of tamper detection.
For tampering to be meaningful, we assume that $f$ is not the identity map. It is easy to see that for any function family $\mathcal{F}_{\mathrm{Adv}}$, the storage size $|\mathcal{C}|$ has to be greater than or equal to $|\mathcal{M}|$. Otherwise, the encoding scheme will be many-to-one, and Property A can not be satisfied. Also, the larger the family $\mathcal{F}_{\mathrm{Adv}}$ becomes, the stronger the adversary gets, and we expect the size of $\mathcal{C}$ to increase. This raises a natural question: for a given $\mathcal{M}$ and $\mathcal{F}_{\mathrm{Adv}}$, how large does $\mathcal{C}$ need to be?

Previous works
The above experiment has been extensively studied, both in the weak and the general form, when the message set $\mathcal{M}$ and storage $\mathcal{C}$ are classical strings [1,2,3]. In the classical setup, one typically has $\mathcal{M} = \{0,1\}^k$, $\mathcal{C} = \{0,1\}^n$, and a tampering family where $\mathcal{F}_n$ is the set of all possible Boolean functions from $n$-bits to $n$-bits, $\mathcal{F}_n = \{f : \{0,1\}^n \to \{0,1\}^n\}$. Suppose we restrict ourselves to encoding and decoding strategies that are deterministic. In that case, tamper detection schemes do not exist even for the family of additive tampering $\mathcal{F}_\Delta = \{f_e(x) = x \oplus e\}_e$ where $e \in \{0,1\}^n \setminus 0^n$. This can be seen as follows: let $m_0$ and $m_1$ be any two distinct messages with $\mathrm{Enc}(m_0)$ and $\mathrm{Enc}(m_1)$ as their corresponding encodings. Consider the function $f_e$ for $e = \mathrm{Enc}(m_0) \oplus \mathrm{Enc}(m_1)$.
The tampering then results in $\mathrm{Dec}(f_e(\mathrm{Enc}(m_i))) = m_{1-i}$ for $i \in \{0,1\}$, making randomness a necessity for tamper detection.
Cramer et al. [4] studied the problem of tamper detection for the function family $\mathcal{F}_\Delta$ and gave a corresponding construction of what they refer to as algebraic manipulation detection codes.
Algebraic Manipulation Detection (AMD) Codes. These codes provide tamper detection security for the function family $\mathcal{F}_\Delta = \{f_e(x) = x \oplus e,\ e \neq 0\}$. Formally,
Fact 1 (Theorem 2, [4]). Let $q$ be a prime power and $d$ be a positive integer such that $d < q$. There is an explicit (Enc, Dec) construction that is tamper-secure with parameters $k = d \log q$, $n = (d + 2) \log q$, $\epsilon = \frac{d+1}{q}$ against $\mathcal{F}_\Delta$.
Recall that $k$ and $n$ are bit lengths of message and codewords, respectively. The additive overhead of $n$ over $k$ measures the efficiency of AMD codes. An optimal code for parameters $k$ and $\epsilon$ has the smallest possible $n$. For the security parameter $\epsilon \leq 2^{-\lambda}$, Fact 1 gives $(k, k + 2\lambda + 2\log(d + 1), 2^{-\lambda})$ AMD codes. Thus, the overhead for codeword length (over the message length) is $2\lambda + 2\log(d + 1)$, which was later shown to be optimal up to a multiplicative factor two [5].
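The swap attack on deterministic codes and the $(d+1)/q$ bound of Fact 1 can both be checked exhaustively on a toy field. This is an added example, not code from the paper: it assumes $q = 2^3$ (modulus $x^3 + x + 1$), $d = 1$, the encoding $\mathrm{Enc}(s) = (s, x, x^{d+2} + \sum_i s_i x^i)$ from Cramer et al. [4], and a hypothetical deterministic encoder `det_enc`.

```python
from fractions import Fraction
from itertools import product

# Constructed toy parameters (assumptions, not from the paper):
# GF(2^3) with modulus x^3 + x + 1, so field addition is XOR as in F_Delta.
Q, MOD = 8, 0b1011
D = 1  # message length in field elements; d + 2 = 3 is odd, as char 2 needs


def gf_mul(a, b):
    """Carry-less multiplication in GF(8), reduced modulo x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MOD
    return r


def gf_pow(a, n):
    r = 1
    for _ in range(n):
        r = gf_mul(r, a)
    return r


def xor(u, v):
    """Additive tampering f_e(c) = c XOR e, applied coordinate-wise."""
    return tuple(a ^ b for a, b in zip(u, v))


def tag(x, s):
    """f(x, s) = x^(d+2) + sum_{i=1..d} s_i * x^i over GF(q)."""
    t = gf_pow(x, D + 2)
    for i, s_i in enumerate(s, start=1):
        t ^= gf_mul(s_i, gf_pow(x, i))
    return t


def amd_enc(s, x):
    """Codeword (s, x, f(x, s)); x is the encoder's uniform randomness."""
    return s + (x, tag(x, s))


def amd_dec(c):
    """Return the message, or None (standing for the symbol ⊥) on a bad tag."""
    s, x, t = c[:D], c[D], c[D + 1]
    return s if tag(x, s) == t else None


def det_enc(s):
    """Hypothetical deterministic code: message followed by its squares."""
    return s + tuple(gf_mul(v, v) for v in s)


def det_dec(c):
    s = c[:D]
    return s if det_enc(s) == c else None


def swap_attack(m0, m1):
    """Offset e = Enc(m0) XOR Enc(m1) swaps the two messages undetected."""
    e = xor(det_enc(m0), det_enc(m1))
    return det_dec(xor(det_enc(m0), e)), det_dec(xor(det_enc(m1), e))


def worst_case_acceptance():
    """max over messages s and offsets e != 0 of Pr_x[Dec(Enc(s; x) XOR e) != ⊥]."""
    worst = Fraction(0)
    for s in product(range(Q), repeat=D):
        for e in product(range(Q), repeat=D + 2):
            if not any(e):
                continue  # f must not be the identity map
            accepted = sum(
                amd_dec(xor(amd_enc(s, x), e)) is not None for x in range(Q)
            )
            worst = max(worst, Fraction(accepted, Q))
    return worst


if __name__ == "__main__":
    print("deterministic code, swap attack:", swap_attack((2,), (5,)))
    print("AMD worst-case acceptance:", worst_case_acceptance(),
          "bound (d+1)/q:", Fraction(D + 1, Q))
```

With these sizes $k = 3$ bits, $n = 9$ bits, and the worst offset is accepted for exactly $d + 1 = 2$ of the $q = 8$ choices of the randomness $x$.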
Classical Tamper Detection. AMD codes provide tamper detection security against a function family of size $2^n$. However, the size of the tampering family $\mathcal{F}_{\mathrm{Adv}}$ can be up to $2^{n2^n}$ when one considers all classical Boolean functions $f$ from $n$-bits to $n$-bits. Thus, it is interesting to see how big this family can be made, while achieving tamper detection. Again, one can see that it is not possible to construct tamper detection codes for the complete family of size $2^{n2^n}$. For example, consider a family of functions No scheme can satisfy Property B (or even B′) for such a family.
Interestingly, Jafargholi and Wichs [1] showed that tamper detection codes indeed exist for any $\mathcal{F}_{\mathrm{Adv}}$ of size up to $2^{2^{\alpha n}}$ (for any constant $\alpha < 1$), as long as every function $f \in \mathcal{F}_{\mathrm{Adv}}$ satisfies two additional conditions:
• High min-entropy: $f(U_X)$ has sufficiently high min-entropy, where $U_X$ is the uniform distribution on the domain of $f$.
• Few fixed points: There are not too many points such that $f(x) = x$.
The condition of high min-entropy avoids functions that put too much weight on a single point in the output. In particular, it avoids functions that are close to constant functions. Similarly, the condition of a few fixed points avoids functions that are close to the identity map. This result shows that tamper detection codes exist against any family that avoids these cases, even for those with size doubly exponential in $n$. Note that this result is based on a probabilistic argument, and as such, it only shows the existence of such codes, and it is not known if they can be constructed efficiently. However, for smaller families (having sizes up to $2^{\mathrm{poly}(n)}$), one can indeed construct them efficiently [3] in the "common reference string" (CRS) model.

Our results
In this work, we aim to extend the scope of the theory of tamper detection to include adversaries that are capable of doing quantum operations. Hence, a family of unitary operators is a natural place to start the discussion. In particular, we consider a setting where the space of codewords $\mathcal{C}$ is of quantum states, and an adversary can apply a unitary operator from a known family of unitary operators $\mathcal{U}_{\mathrm{Adv}}$. The analogous question of tamper detection can now be asked in different scenarios:
1. Do tamper detection codes exist when $\mathcal{M}$ is the set of $k$-bit (classical) messages?
2. Do tamper detection codes exist when $\mathcal{M}$ is the set of $k$-qubit (quantum) messages?
3. Can these constructions be made efficient, potentially considering families of relatively small size, say,
The first and the second question are direct analogues of the tamper detection theory when the adversary has their action defined via a unitary operator (instead of classical bits-to-bits manipulation). The first question considers the scenario of protecting classical information from a quantum adversary, whereas, for the second question, the information to be stored is itself quantum. The third question is inspired by the fact that efficient classical tamper detection codes (such as AMD codes) exist when the adversarial family has small cardinality. We provide affirmative answers to questions 1 and 2 using probabilistic arguments. Partially addressing question 3, as an example of efficient construction, we show that a natural quantum analogue of classical AMD codes is sufficient for the purpose.
How far does the classical theory take us in question 1? Before going towards truly quantum encoding-decoding strategies, one can ask if the existing classical schemes themselves provide us security against unitary tamperings when $\mathcal{M}$ is classical. There is a natural strategy to follow: Consider a classical tamper detection code with the encoder $\mathrm{Enc}_{\mathrm{Cl}}$. Since the encoder is randomized, for a message $m \in \{0,1\}^k$ and randomness $r$, its encoding is given as , where $R_0$ is an appropriate normalization constant. After the adversary acts via a unitary $U$, the decoder simply measures in the computational basis, forcing the tampering to be effectively classical. Then, one can try to use the classical decoder to recover the message.
The rationale for the above strategy is simple. Although the tampering can be nonclassical (that is, not via a function $f : \{0,1\}^n \to \{0,1\}^n$), the decoder can first measure in the computational basis. The resultant operation can now be treated as a (potentially randomized) function from $n$-bits to $n$-bits. And thus, a unitary adversary followed by the computational measurement can be simulated by a randomized classical adversary given by $\mathcal{F}_{\mathrm{Adv}}$. However, classical tamper detection does not protect against arbitrary function families. Thus, one would additionally need a statement of the following form: Given an adversarial unitary family $\mathcal{U}_{\mathrm{Adv}}$ there exists a classical function family $\mathcal{F}_{\mathrm{Adv}}$ such that:
1. There exists a classical tamper detection code against $\mathcal{F}_{\mathrm{Adv}}$.
2. For every $U \in \mathcal{U}_{\mathrm{Adv}}$ and $c \in \{0,1\}^n$, its action followed by measurement in the computational basis can be emulated classically via $\mathcal{F}_{\mathrm{Adv}}$. That is, where $P_U(f)$ is a probability distribution supported on $\mathcal{F}_{\mathrm{Adv}}$ depending only on $U$ (and not on $c$), and $\mathbb{1}$ is the indicator function.
Typically, one would need $|\mathcal{F}_{\mathrm{Adv}}| \leq 2^{2^{\alpha n}}$ for some appropriately chosen constant $\alpha < 1$ in addition to every $f$ having enough min-entropy and few fixed points. Indeed, one can construct such $\mathcal{F}_{\mathrm{Adv}}$ for some families $\mathcal{U}_{\mathrm{Adv}}$. For example, consider the family of generalized Pauli operators (see Section 2.4.1 for the definition).

Example 1.
The unitary operators in the family are indexed by a, b and given as σ a,b = X a Z b . A rather straightforward calculation leads to the following: X a Z b acting on any c followed by computational basis measurement results in c + a with probability 1. Now, consider $\mathcal{F}_\Delta = \{f_e(x) = x \oplus e,\ e \neq 0\}$. Define $P_{a,b}(f_e) = \delta_{a,e}$ where $\delta$ is the standard Kronecker delta function. Then it is easy to verify that for σ a,b such that a ≠ 0, Whereas, for any σ a,b with a = 0, the codeword is not even perturbed by the action of σ a,b , as the Z b operator can only result in adding a global phase to classical messages. Thus, any (non-trivial) action of a generalized Pauli operator, followed by measurement, can be simulated by $\mathcal{F}_{\mathrm{Adv}} = \mathcal{F}_\Delta$. This gives us the following:
Theorem 1 (Quantum AMD codes). Let $q$ be a prime power and $d$ be an integer such that $0 < d < q$. Let U P N be the group of generalized Pauli operators acting on $n = \log N$ qubits. There exists an efficient (Enc, Dec) scheme that is relaxed tamper-secure against
Since there exists a family $\mathcal{F}_\Delta$ that can simulate generalized Pauli operators, we can directly use the classical scheme to detect a generalized Pauli operator adversary (see Appendix A for proof). However, it is not clear if, for a general unitary family $\mathcal{U}_{\mathrm{Adv}}$ (following some reasonable conditions), there exists a classical family $\mathcal{F}_{\mathrm{Adv}}$ satisfying conditions 1 and 2.
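The claim of Example 1 can be checked numerically on a small register. The following is an added example, not code from the paper; it assumes the $n$-qubit case with $a, b \in \{0,1\}^n$, where the Pauli operator indexed by $(a, b)$ maps $|c\rangle$ to $(-1)^{b \cdot c}|c \oplus a\rangle$, and all function names are hypothetical.

```python
import random

N_QUBITS = 3                 # constructed toy register size
DIM = 1 << N_QUBITS


def parity(v):
    return bin(v).count("1") & 1


def apply_pauli(state, a, b):
    """Assumed convention: sigma_{a,b}|c> = (-1)^(b.c) |c xor a>."""
    out = [0j] * DIM
    for c, amp in enumerate(state):
        out[c ^ a] = -amp if parity(b & c) else amp
    return out


def measure(state):
    """Outcome distribution of a computational-basis measurement."""
    return [abs(amp) ** 2 for amp in state]


def basis(c):
    v = [0j] * DIM
    v[c] = 1 + 0j
    return v


def random_state(rng):
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(DIM)]
    norm = sum(abs(x) ** 2 for x in v) ** 0.5
    return [x / norm for x in v]


def shift_emulates(state, a, b, tol=1e-12):
    """Measured statistics after sigma_{a,b} equal those of the classical
    shift f_a(x) = x xor a applied to the measured input, whatever b is."""
    before = measure(state)
    after = measure(apply_pauli(state, a, b))
    return all(abs(after[c ^ a] - before[c]) < tol for c in range(DIM))


def all_paulis_emulated(seed=1):
    rng = random.Random(seed)
    return all(
        shift_emulates(random_state(rng), a, b)
        for a in range(DIM) for b in range(DIM)
    )


def pauli_trace(a, b):
    """Tr(sigma_{a,b}) as the sum of diagonal entries <c|sigma_{a,b}|c>."""
    return sum(apply_pauli(basis(c), a, b)[c] for c in range(DIM))


def invisible_paulis():
    """Non-identity sigma_{a,b} that leave the measured outcome of every
    basis state |c> unchanged, so a measure-then-decode receiver never
    sees them."""
    found = []
    for a in range(DIM):
        for b in range(DIM):
            if (a, b) == (0, 0):
                continue
            if all(measure(apply_pauli(basis(c), a, b))[c] == 1.0
                   for c in range(DIM)):
                found.append((a, b))
    return found


if __name__ == "__main__":
    print("every sigma_{a,b} emulated by x -> x xor a:", all_paulis_emulated())
    print("undetectable after measurement:", invisible_paulis())
```

The operators returned by `invisible_paulis` all have $a = 0$ and trace zero, so they are far from the identity and still invisible to a decoder that measures first; in that case the decoder can only return the original message.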
And hence, in general, we can not ascertain that the natural quantum analogue of merely taking superpositions of classical encodings will suffice. Now, we move on to the main contribution of the work, considering general families of unitary operators. Recall that classical results are proved under two restrictions. One, every function has enough min-entropy. And two, every function has at most a few fixed points (also referred to as the far from the identity condition). We also provide our results under similar restrictions. Note that when considering a unitary family, we readily have the min-entropy condition satisfied. So, we additionally impose a condition that captures closeness to the identity. We require that for every unitary operator $U \in \mathcal{U}_{\mathrm{Adv}}$, its inner product with the identity map ($|\langle \mathbb{1}, U \rangle| = |\mathrm{Tr}(U)|$) is bounded away from $N$. The main contribution of this work can then be stated as follows:
Theorem 2 (Quantum tamper detection for quantum messages). Let $\mathcal{M}$ be the set of quantum messages and let $\mathcal{U}_{\mathrm{Adv}} \subset \mathcal{U}(\mathbb{C}^{2^n})$ be a family of size $2^{2^{\alpha n}}$ for some constant $\alpha < \frac{1}{6}$. Moreover, every $U \in \mathcal{U}_{\mathrm{Adv}}$ is such that $|\mathrm{Tr}(U)| \leq \phi 2^n$, where $\phi$ is a constant strictly less than 1. Then there exists a quantum tamper detection code against $\mathcal{U}_{\mathrm{Adv}}$.
Note that in the above theorem, $\phi$ is not an absolute constant but depends on the size of plaintext space $K$ and the security parameter $\epsilon$.
Although our main motivation is to consider tamperings against quantum messages, as a warm-up, we consider the case of classical messages. This will help us to demonstrate our technique, give a brief overview and establish some bounds that will be used later.
Theorem 3 (Quantum tamper detection for classical messages). Let $\mathcal{M}$ be the set of classical messages and let $\mathcal{U}_{\mathrm{Adv}} \subset \mathcal{U}(\mathbb{C}^{2^n})$ be a family of size $2^{2^{\alpha n}}$ for some constant $\alpha < \frac{1}{6}$. Moreover, every $U \in \mathcal{U}_{\mathrm{Adv}}$ is such that $|\mathrm{Tr}(U)| \leq \phi 2^n$, where $\phi$ is some constant strictly less than 1. Then there exists a quantum tamper detection code against $\mathcal{U}_{\mathrm{Adv}}$.
We also show that even if one drops the condition on trace, we can achieve a relaxed version of quantum tamper detection (where quantum counterparts of Property A and B′ are satisfied). Again, here we state the theorem informally. The formal statement, along with its proof, is presented in Section 3.1.
Theorem 4 (Relaxed quantum tamper detection for classical messages). Let $\mathcal{M}$ be the set of classical messages and let $\mathcal{U}_{\mathrm{Adv}} \subset \mathcal{U}(\mathbb{C}^{2^n})$ be a family of size $2^{2^{\alpha n}}$ for some constant $\alpha < \frac{1}{6}$. Then there exists a relaxed quantum tamper detection code against $\mathcal{U}_{\mathrm{Adv}}$.
Note that Theorem 4 allows us to also include operators that are close to the identity operator. It is not hard to see that such a relaxation to Property B′ is necessary as one can not satisfy Property B with such operators.
Proof overview. Similar to the proof provided by [1], our proofs for Theorems 2, 3 and 4 use probabilistic arguments via Chernoff-like tail bounds for limited independence. Before going ahead, we would like to fix some notation.
For a matrix $A$, let $A(i)$ denote the $i$-th column of $A$, which we will often treat as a vector. When dealing with classical messages, we will denote them as $m \in \mathcal{M}$, whereas for quantum messages, we will use $|m\rangle \in \mathcal{M}$ (or $|s\rangle \in \mathcal{M}$ to explicitly indicate that the message is in superposition). Moreover, we use $K = 2^k$ and $N = 2^n$, for ease of presentation.
Let us first consider the case when $\mathcal{M}$ is the set of computational basis states, $\mathcal{M} = \{|m\rangle, m \in \{0,1\}^k\}$. Our scheme uses a strategy where encoding is done by a Haar-random isometry $V$. For a fixed $V \in \mathcal{U}(\mathbb{C}^N)$, our encoding scheme is fairly natural; we encode a classical message $m$ as the $m$-th column of $V$, giving $\mathrm{Enc}(m) = |V(m)\rangle$.
Then the quantum tampering experiment can be thought of as below:
2. An adversary then tampers with $U \in \mathcal{U}_{\mathrm{Adv}}$, resulting in the state $U |\psi_m\rangle\langle\psi_m| U^\dagger$.

For
4. If the measurement results in $\Pi_\perp$, then abort with detection of tampering. Otherwise, apply $V^\dagger$ and output the resulting candidate message $m$.
The completeness of the protocol is easy to check. To show that the above encoding-decoding is $\epsilon$-tamper secure, one needs $\Pi_\perp$ to be a high probability event for any non-trivial tampering. For that, we define the following random variables:
• $X_{js} = |\langle\psi_j|U|\psi_s\rangle|^2$ denotes the probability that message $s$ was decoded to $j$.
X js denotes the probability of decoding s to a message other than s and ⊥.
Measurement results in either the same $\Pi_s = |\psi_s\rangle\langle\psi_s|$ (with probability $P_{\mathrm{same}} = X_{ss}$) or one of the $\Pi_j = |\psi_j\rangle\langle\psi_j|$ that is different from $s$ (with probability $P_{\mathrm{diff}}$) or $\Pi_\perp$ that indicates the tampering (with probability $P_\perp$). Thus, $P_{\mathrm{same}} + P_{\mathrm{diff}} + P_\perp = 1$. Recall that we need to lower bound the probability $P_\perp$. We do this by upper bounding $P_{\mathrm{same}}$ and $P_{\mathrm{diff}}$, which requires us to prove sharp Chernoff-like tail bounds for random variables $X_{ss}$ and $X_s$, respectively. This completes our proof for $\mathcal{M} = \{0,1\}^k$.
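The experiment above can be run numerically for small dimensions. The following is an added example, not code from the paper: the sizes $N = 256$, $K = 4$ and the three tampering unitaries (`shift`, `phases`, `flip_one`) are constructed for illustration, and the Haar-random isometry is sampled by Gram-Schmidt on complex Gaussian vectors.

```python
import cmath
import math
import random

N, K = 256, 4   # constructed toy sizes: N = 2^n codeword dimension, K = 2^k messages


def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))


def haar_isometry(rng):
    """First K columns of a Haar-random unitary on C^N, obtained by
    Gram-Schmidt on independent complex Gaussian vectors."""
    cols = []
    for _ in range(K):
        v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(N)]
        for u in cols:
            ip = inner(u, v)
            v = [vi - ip * ui for vi, ui in zip(v, u)]
        norm = math.sqrt(sum(abs(x) ** 2 for x in v))
        cols.append([x / norm for x in v])
    return cols


# Constructed tampering unitaries, each given as a map on length-N vectors.
def shift(v):        # cyclic shift |i> -> |i+1>, trace 0
    return v[-1:] + v[:-1]


def phases(v):       # diag(w^i) with w = exp(2*pi*i/N), trace 0
    return [cmath.exp(2j * math.pi * i / N) * x for i, x in enumerate(v)]


def flip_one(v):     # diag(-1, 1, ..., 1), trace N - 2: close to the identity
    return [-v[0]] + v[1:]


def identity(v):     # no tampering
    return list(v)


def trace_ratio(U):
    """|Tr(U)| / N, the quantity that the far-from-identity condition bounds."""
    total = 0j
    for i in range(N):
        e = [0j] * N
        e[i] = 1 + 0j
        total += U(e)[i]
    return abs(total) / N


def outcome_probs(V, U, s):
    """(P_same, P_diff, P_bot) for message s, with X_js = |<psi_j|U|psi_s>|^2
    and P_diff taken as the sum of X_js over j != s."""
    tampered = U(V[s])
    x = [abs(inner(V[j], tampered)) ** 2 for j in range(K)]
    return x[s], sum(x) - x[s], 1.0 - sum(x)


def worst_detection(V, U):
    """Smallest detection probability P_bot over all K messages."""
    return min(outcome_probs(V, U, s)[2] for s in range(K))


def experiment(seed=2024):
    V = haar_isometry(random.Random(seed))
    return {
        name: (trace_ratio(U), worst_detection(V, U))
        for name, U in (("shift", shift), ("phases", phases), ("flip_one", flip_one))
    }


if __name__ == "__main__":
    for name, (ratio, p_bot) in experiment().items():
        print(f"{name:9s} |Tr(U)|/N = {ratio:.4f}   min_s P_bot = {p_bot:.4f}")
```

The two trace-zero unitaries are detected for every message with probability close to $1 - K/N$, while `flip_one`, whose trace is $N - 2$, is almost never detected.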
The setup when $\mathcal{M}$ is quantum (that is, messages to be stored are $k$-qubit states) is slightly more involved. Let $|s\rangle \in \mathcal{M}$ be a message that we want to store. Note that we need to preserve not only $2^k$ basis states but also the arbitrary superposition; an arbitrary message $|s\rangle$ is a linear combination of computational basis states $|s\rangle = \sum_i \alpha_i |b_i\rangle$. Suppose one uses a direct linear extension of the earlier encoding-decoding strategy, Enc(|s⟩ The measurement in step 3 is done over the basis encodings $\{\mathrm{Enc}(b_i)\}$, and hence it can destroy the superposition. To recover $|s\rangle$, it is necessary to keep $|s\rangle$ intact, and in particular, the resulting state after the measurement should not be disturbed too much from the premeasurement state $\mathrm{Enc}(|s\rangle)$. To remedy this, we modify the decoder slightly, where we do measurement with a two-outcome POVM (instead of $K + 1$ outcomes). The binary POVM we use corresponds to the projection on $\mathrm{Enc}(\mathcal{M}) = V(\mathcal{M})$ (and its orthogonal complement). Hence, for $|s\rangle \in \mathcal{M}$, we require that any adversarial unitary $U \in \mathcal{U}_{\mathrm{Adv}}$ takes $\mathrm{Enc}(|s\rangle)$ to a vector in the orthogonal complement of $V(\mathcal{M})$. This reduces the problem of tamper security of $|s\rangle$ to Chernoff-like tail bounds for a slightly different random variable
To prove sharp Chernoff-like tail bounds for random variables $X_{ss}$, $X_s$, and $X_m$, we use techniques from representation theory. The proof uses Weingarten calculus and some properties of the symmetric group.
We note that Theorem 3 (regarding the security of classical messages) follows as a corollary of Theorem 2 (regarding the security of quantum messages), as the former is a strict subset of the latter. Nonetheless, we include it as we also show Theorem 3 in the relaxed form, on an adversarial family with no trace bound needed (see Theorem 4). This is further used to show the existence of non-malleable codes via a standard reduction (see Theorem 7) against a unitary family of size up to $2^{2^{n/6}}$.
Related Works and Future Directions.
Since Shor's work on the existence of error-correcting structures for the quantum framework [6], there has been a rich history of quantum error correction [7,8,9,10]. One can draw similar parallels between quantum error correction and quantum tamper detection as those present in the classical framework. In particular, tamper detection schemes try to handle an error set that is not bounded by weight with a possible loss in the ability to correct.
Quantum Authentication Schemes (QAS). The work of [11,12] studies the notion of non-malleability in quantum authentication schemes. In quantum authentication schemes, both the encoder and decoder have a pre-shared private random key $K$ that is not accessible to an adversary. We require that in the absence of an adversary, the received state should be the same as the sent state, and otherwise, with high probability, either the decoder rejects, or the received state is the same as that sent by the encoder. It is known that such quantum authentication schemes exist (for example, Clifford authentication [11]), whereas tamper detection schemes are keyless. Similarly, a few other works have also considered a "tampering" adversary [13,14]. Again, these works are keyed primitives, making them different from tamper detection that works without keys.
Classically, tamper detection codes have turned out to be a fruitful object with rich applications. The work of [15] introduced non-malleable codes for which decoding a tampered codeword either results in an original message or a message unrelated to $m$. The work of [1] made the connection between tamper detection and non-malleable codes more explicit, by giving a modular construction of non-malleable codes out of weak tamper detection codes and leakage-resilient codes. There is a vast body of literature that considers tampering attacks using other approaches besides non-malleable codes and tamper detection codes (see [16,17,18,19,20,21,22,23,24,25]). We refer to [15] for a more detailed comparison between these approaches and non-malleable codes, which have been a central object of study in recent times.

Subsequent works on tamper detection and non-malleable codes
On tamper detection in the qubit-wise tampering model. In [26], Bergamaschi studied a particular subclass of tamper detection codes, namely, against an adversary holding only Pauli operators. In what they refer to as PMD codes, they construct an efficient tamper detection scheme against such a Pauli adversary when (plaintext) messages are quantum. Hence, as mentioned by them, PMD codes can be thought of as a natural generalization of quantum AMD codes. We would also like to point out that the existence of such codes for quantum messages is also implied by our work as the family of Pauli operators falls within the scope of Theorem 8. As an application, they use PMD codes to construct keyless authentication codes against qubit-wise tamperings, a task that is provably impossible solely with a classical encoding.
On non-malleability in the split-state tampering model. In another work, Aggarwal, Boddu and Jain [27] defined the notion of non-malleable codes for classical messages against quantum adversaries (having access to shared entanglement) in the split-state model, where cipher-text is split into two parts, and the adversary is allowed to tamper with them independently (via unitaries of the form
Definition 1.1 ([27] non-malleable codes against adversary family $\Phi_{\mathrm{Adv}}$). We say that an encoding-decoding scheme (Enc, Dec) (see Definition 2.2 and Figure 1) is $\epsilon$-non-malleable secure against adversary family $\Phi_{\mathrm{Adv}}$ for classical messages $\mathcal{M}$, if for all $m \in \mathcal{M}$, $\phi \in \Phi_{\mathrm{Adv}}$, the following holds: where $(p_\phi, \eta_\phi)$ depend only on adversary $\phi$. Here $p_\phi \in [0, 1]$ and $\eta_\phi$ are independent of the original message $m$.
This work considers a much more general class of unitaries (which are not necessarily in a split form). Of course, this comes at the cost that their constructions are explicit and efficient, whereas our constructions are probabilistic and existential. Note that this is also seen in the classical tamper detection literature, where split-state codes are efficient, whereas the codes against a general adversary are known to exist (without any explicitly known construction).

Organization of the paper
For a quantum adversary with access to unitary operators, the Haar measure is the canonical measure to work with. For getting bounds on unitary operators, we use Weingarten functions as a tool. Well-known, relevant results are summarized in Section 2.5. Additionally, Section 2 also contains elementary observations on permutation groups, along with some technical proofs. In Appendix A, we prove Theorem 1; in Section 3, we prove Theorem 3 and Theorem 4; and in Section 4, we prove Theorem 2. All the proofs involve technical tail bounds regarding moments of certain random variables, which we include in Appendix B and C.

Preliminaries

Some notation
All the logarithms are evaluated to the base 2. Consider a finite-dimensional Hilbert space $H$ endowed with an inner product $\langle \cdot, \cdot \rangle$ (we only consider finite-dimensional Hilbert spaces). For $p \geq 1$ we write $\| \cdot \|_p$ for the Schatten $p$-norm. We use $\rho_1 \approx_\epsilon \rho_2$ to mean that A similar convention will be followed for two probability distributions as well. A quantum state (or a density matrix or a state) is a positive semi-definite matrix on $H$ with the trace equal to 1. It is called pure if and only if its rank is 1. Let $|\psi\rangle$ be a unit vector on $H$, that is $\langle \psi, \psi \rangle = 1$. The topological space of norm-1 vectors (the unit $N$-sphere) in a normed $N$-dimensional vector space $V$ is denoted as $S^{(N-1)}(V)$. When $V$ is clear from the context, we drop it. For an $n$-dimensional vector $v$, we will use the standard notation $v = (v_1, \ldots, v_n)$ and thus $v_i$ will refer to the $i$-th coordinate. Similarly, for a matrix $M$, we will denote its $i, j$-th entry by $M_{ij}$.
-A unitary operator U : The set of all unitary operators on H is denoted by U(H).
-An isometry V : is the projection on the image of H A under V .
-A POVM $\{M, I - M\}$ is a 2-outcome quantum measurement for $0 \leq M \leq I$. We use the shorthand $\bar{M} = I - M$, where $I$ is clear from the context. Similarly, a measurement $M_A$ acting on a combined space $H_A \otimes H_B$ will be used to represent
We now state the following useful facts.

Some elementary bounds
Fact 2. For any integer n ≥ 1

Definitions for Tamper Detection
Definition 2.1 ($\epsilon$-net (Lemma 5.2, [28])). Fix an $\epsilon > 0$. Then there exists an integer $N$ and a set of vectors $\{|\psi_1\rangle, |\psi_2\rangle, \ldots, |\psi_N\rangle\}$ in $S^{d-1}$ such that the following properties hold:
Definition 2.3 (Tamper detection (against unitary adversaries)). Let $\mathcal{U}_{\mathrm{Adv}} \subset \mathcal{U}(\mathbb{C}^N)$ be a family of unitary operators. We say that an encoding-decoding scheme (Enc, Dec) is $\epsilon$-tamper secure against family $\mathcal{U}_{\mathrm{Adv}}$ for messages $\mathcal{M}$, if for all $m \in \mathcal{M}$, $U \in \mathcal{U}_{\mathrm{Adv}}$, the following holds: classical messages, whereas if $\mathcal{M} = S^{K-1}$, we say that (Enc, Dec) is $(K, N, \epsilon)$-tamper secure for quantum messages.
Now we define a relaxed version of tamper detection. In this version, the aim of a decoder is to either detect tampering or output the original message. Compared to the original definition of tamper detection, the relaxed version has a scope to revert a tampering, without even detecting it. Since our result holds for classical messages (against unitary tamperings), we define relaxed tamper detection only for classical messages but one can define an analogous notion for quantum messages as well.
Definition 2.4 (Relaxed tamper detection). Let $\mathcal{U}_{\mathrm{Adv}} \subset \mathcal{U}(\mathbb{C}^N)$ be a family of unitary operators and let $\mathcal{M} = \{0,1\}^k$. We say that an encoding-decoding scheme (Enc, Dec) is $(K, N, \epsilon)$-tamper secure in the relaxed setting (against $\mathcal{U}_{\mathrm{Adv}}$), if for all $m \in \mathcal{M}$, $U \in \mathcal{U}_{\mathrm{Adv}}$, the following holds:
Definition 2.5 (Adversarial unitary families). Let $\mathcal{U}_{\mathrm{Adv}} \subset \mathcal{U}(\mathbb{C}^N)$ be a family of unitary operators such that the following holds: 1. For all $U \in \mathcal{U}_{\mathrm{Adv}}$, we have, We call $\mathcal{U}_{\mathrm{Adv}}$ an $(N, \alpha, \phi)$ adversarial unitary family or simply an $(N, \alpha, \phi)$ family.
Definition 2.6 (Random Haar encoding and decoding schemes). Let $H$ be a random unitary drawn from $\mathcal{U}(\mathbb{C}^N)$ (according to the Haar measure). Let $V$ be the following matrix constructed by restricting $H$ to its first $K$ columns: Note that $V$ is an isometry. Consider the following encoding and decoding scheme.
If the message set S is quantum, the extension is canonical.
-Dec to be implemented according to the following procedure: To decode a message $|\theta\rangle$, we measure $|\theta\rangle$ in a two-valued POVM $\{\sum_i \Pi_i, \Pi_\perp\}$. Let $\psi'$ be the post-measurement state. If the measurement results in $\perp$ then abort (indicating tamper detection); otherwise the decoder outputs $V^\dagger(\psi')V$.
Note that if the message set is classical, $\mathcal{M} = \{0,1\}^k$, then the decoder can be reduced to the following action: -
Below we give the necessary details of permutation groups, generalized Pauli matrices, Haar random unitary operators, and Weingarten unitary calculus, which will be required to state our results. We refer the reader to [29] for details on Weingarten unitary calculus.

Permutation groups
Let $S_n$ be the symmetric group of degree $n$ acting canonically on the set $[n] := \{1, 2, \ldots, n\}$.
Let $H \leq S_n$ be a permutation group. For $x \in [n]$, the orbit of $x$ under $H$, denoted as $O_H(x)$, is the set of elements that can be reached from $x$ via $H$, We say that $x$ is fixed by $H$ if $O_H = \{x\}$. Otherwise, we say that $H$ moves $x$. We denote the set of elements fixed by $H$ as Fix$(H)$ and the set of elements moved as Move$(H)$. By extension, for $\sigma \in S_n$ we write Fix$(\sigma)$ and Move$(\sigma)$ to mean Fix$(\langle\sigma\rangle)$ and Move$(\langle\sigma\rangle)$ respectively, where $\langle\sigma\rangle$ is the group generated by $\sigma$.
Given a $\sigma \in S_n$, orbits for $H = \langle\sigma\rangle$ partition the set $[n]$ into disjoint subsets as $O_H$ gives an equivalence relation. When one writes $\sigma$ as a permutation in a disjoint cycle form, each orbit is a cycle of $\sigma$ and each cycle is an orbit, and hence, we denote an orbit (or a disjoint cycle) by $c$. Let $C(\sigma)$ denote the set of orbits $c$ under $H = \langle\sigma\rangle$.
For an orbit c, let odd(c) denote the number of odd elements in it and even(c) be the number of even elements in it.We define an evaluation map Val on orbits of σ.An orbit c is given a value equal to the difference between the number of odd and even elements it contains.
We also extend the evaluation map to S n by assigning a value for each permutation.In this case, a permutation will get a value equal to the sum of the values of all of its orbits.
We denote the set of orbits with value 1 by C 1 (σ).It is easy to see that σ has full valuation n if and only if it preserves the parity; that is, it takes odd elements to odd elements and even elements to even elements.
A transposition is a cycle of size 2. Every permutation σ ∈ S n can be written as a product of transpositions.Let T(σ) denote the minimum number of transpositions required to obtain σ.It is known that We use e to represent identity permutation.For i ∈ [0 : n − 1], let Σ i := {σ ∈ S n : T(σ) = i} denote the number of permutations σ such that the number of transpositions in σ is i.
Let $B_{2n}$ be the set of permutations on $2n$ letters that take odd elements to even elements and vice-versa.
Proof. We will prove this by induction on $T(\alpha)$.
Base Case: $T(\alpha) = 0$, that is, $\alpha = e$. Note that for $\beta \in B_{2n}$, every cycle must have a length of at least two, as $\beta$ cannot fix any element. Thus,
We will show that the upper bound holds for $\alpha$ with $T(\alpha) = T_0$.
The General Case: Let $C(\alpha) = \{C_1, C_2, \ldots, C_l\}$. Since $\alpha \neq e$, there exists a cycle of length strictly greater than one. Without loss of generality, let that be $C_l$ and . Alternatively, $\alpha'$ can be obtained from $\alpha$ by fixing $x_m$, that is,
The inequality follows from Observation 1. Putting this along with $T(\alpha) = T(\alpha') + 1$ we get the lemma.

Generalized Pauli matrices
Let $q$ be a prime power and $\mathbb{F}_q$ be the field of size $q$. Let $\omega$ denote the $q$-th primitive root of unity. Let $X_a$ and $Z_b$ be the following collection of operators indexed by $a, b \in \mathbb{F}_q$.
The group of generalized Pauli matrices is generated by $\langle X_1, Z_1 \rangle$. Generalized Pauli matrices obey the twisted commutation relations given by
The following result encloses all the information we need for our computations about the asymptotics of the Wg function; see [31] for a proof.
Fact 7 (Asymptotics of Weingarten functions (Section 2.6.3, [29])). For $\sigma \in S_t$,
Fact 8 (Proposition 2.4, [29]). For all $t \geq 1$, . (2)
Other than the sum of the Weingarten function, one more quantity that will be important for us is its $L_1$ norm. Here, we derive a useful expression for that.
$(N + J_k)$ where $J_k$ is the $k$-th Jucys-Murphy element, defined as follows:
We give some values of the Weingarten functions for the unitary group $U(\mathbb{C}^N)$, taken from [31], up to third moments.

A Warm-up: Quantum tamper detection codes for classical messages
In this section, we consider quantum tamper detection codes for classical messages. We give a probabilistic proof that quantum tamper detection codes for classical messages exist.
Theorem 5. Let $\mathcal{U}_{\mathrm{Adv}}$ be an $N$, $\alpha$, family such that $\left(\frac{1}{6} - \alpha\right)\log(N) \geq \log(K) + \log\frac{1}{\epsilon} + 2$. Then there exists a $(K, N, \epsilon)$-tamper secure scheme for classical messages. Furthermore, a uniformly random encoding and decoding strategy according to Haar measure (see $(\mathrm{Enc}, \mathrm{Dec}_{\mathrm{Cl}})$ in Definition 2.6) gives such a code with probability at least
Proof. We show that an encoding and decoding strategy, as given in Definition 2.6, gives a tamper detection code for the given set of parameters.
For a fixed unitary $U \in \mathcal{U}_{\mathrm{Adv}}$, let us define random variables $X_{js} = |\langle \psi_j | U | \psi_s \rangle|^2$ for $j, s \in M$. Here the randomness is over the Haar measure in choosing the (Enc, Dec) strategy as an isometry $V$. Let $X_s = \sum_{j \neq s} X_{js}$. The random variable $X_{js}$ denotes the probability that message $j$ was decoded given that message $s$ was encoded. Similarly, $X_s$ denotes the probability that the procedure resulted in an incorrectly decoded message. Both $X_{js}$ and $X_s$ are non-negative random variables with values less than or equal to 1.
Let $E$ be the event that (Enc, Dec) is not an $\epsilon$-secure tamper detection code against $\mathcal{U}_{\mathrm{Adv}}$. Then,
To bound $\Pr(E_1) = \Pr\left(X_{js} \geq \frac{\epsilon}{K}\right)$ and $\Pr(E_2) = \Pr\left(X_{ss} \geq \frac{\epsilon}{K}\right)$ using a Chernoff-like argument, we need to calculate moments of the random variables $X_{js}$ and $X_{ss}$. Note that we could not directly use the Chernoff bound to bound $\sum_j X_{js}$, as for different $j_1 \neq j_2$, the random variables $X_{j_1 s}$ and $X_{j_2 s}$ are not independent of each other. Naturally, the problem of calculating moments of the random variable $X_{js}$ is closely related to Weingarten unitary calculus (see Section 2.5), as our encoding strategy is Haar random.
Here we present first-order moments for the variables $X_{js}$ and $X_{ss}$. Computation for higher moments is similar but slightly more involved and can be found in Appendix B.

First moment of random variable $X_{js}$ and $X_{ss}$:
We begin with the first moment of $X_{js}$.
The final equality is due to Fact 6. Note that when $j \neq s$ and $\beta = I$, we get $\delta_\beta(sj, js) = 0$. Thus, the only terms that survive are those corresponding to $\beta = (1\,2)$.

E[X
Thus, we get the following bounds:
Similarly, we get higher moment bounds (see Appendix B);
Now we proceed to bound the probability $\Pr\left(X_{js} \geq \frac{\epsilon}{K}\right)$.
Similarly, when $j = s$, we bound the probability $\Pr\left(X_{ss} \geq \frac{\epsilon}{K}\right)$.

Relaxed tamper detection for classical messages
We would like to point out that an interesting side result follows from our previous calculation. It follows that one can get a relaxed version of tamper detection even when the family $\mathcal{U}_{\mathrm{Adv}}$ does not satisfy the far from identity condition. Recall that, in the relaxed version, we aim to either output the original message or detect that it was tampered and output $\perp$. In principle, the relaxed version allows us to revert back to the original message without detecting tampering. Such a "reversion without detection" is inherent to the quantum setting due to the action of measurement operators. For example, consider a message $m$ encoded as $|\psi\rangle$. Suppose a unitary takes $|\psi\rangle$ to where $|\psi'\rangle$ is orthogonal to the space of codewords. The measurement of the decoder can result in $|\psi'\rangle$, indicating that there was tampering. If the measurement results in $|\psi\rangle$, we cannot detect the tampering, but nonetheless, the decoder still outputs the correct message $m = m$. Thus, one gets a qualitatively similar version of tamper detection where the decoder either aborts or returns the correct plaintext.
Theorem 6. Let $\mathcal{U}_{\mathrm{Adv}}$ be an $(N, \alpha, 1)$ family such that $\left(\frac{1}{6} - \alpha\right)\log(N) \geq \log(K) + \log\frac{1}{\epsilon} + 2$. Then a uniform Haar random encoding-decoding strategy is $(K, N, \epsilon)$-relaxed tamper secure with probability at least
Proof. For a fixed unitary $U$, recall that random variables were defined as follows: $X_{js} = |\langle \psi_j | U | \psi_s \rangle|^2$ and $X_s = \sum_{j \neq s} X_{js}$. Let $E$ be the event that (Enc, Dec) is not an $\epsilon$-secure relaxed tamper detection code against $\mathcal{U}_{\mathrm{Adv}}$.

From relaxed tamper detection to non-malleability
The relaxed form of tamper detection aims to either output the original message, or detect that it was tampered (indicated by the output $\perp$). On the other hand, a non-malleable code insists that we either output the original message or an unrelated message, but with an additional requirement that the probability (of a message being the same) depends only on the adversarial unitary $U$. Hence, it is not a priori clear if relaxed tamper detection will immediately give non-malleable security. In particular, the probability distribution may depend on $U$, as well as the original message $s$. However, this potential dependency on $s$ can be removed by first analysing the distribution for an average $s$. Then, a standard average-case to worst-case reduction shows that non-malleability can be achieved by incurring a nominal hit in the parameters. This line of argument of first going to an average-case setting to remove the dependency on $s$, followed by a reduction to worst-case non-malleability, is fairly common (see, for example, Section 3.3 in [33]). We include it below.
Claim 1. Let (Enc, Dec) be an $\epsilon$-secure relaxed tamper detection scheme. Let $S$ be the uniform distribution on $M = \{0, 1\}^k$. Then,
Proof. Note that, since $S$ is the uniform distribution, each $s$ is sampled with probability $\frac{1}{2^k}$, and moreover, any particular $s$ gives back the same $s$ on decoding with probability $p_{\mathrm{same}}(s)$, some different $s'$ with $p_{\mathrm{diff}}(s)$ and $\perp$ with probability $p_{\perp}(s)$. Hence, we can represent the relevant distribution as the following convex combination:
Since (Enc, Dec) is an $\epsilon$-secure relaxed tamper detection code, $p_{\mathrm{diff}}(s) \leq \epsilon$ for all $s$.

Tamper Detection Codes for Quantum Messages
In this section, we consider quantum tamper detection codes for quantum messages. Again, we give a probabilistic proof that quantum tamper detection codes exist for quantum messages. Our probabilistic methods are similar, but some subtle intricacies are involved for quantum messages due to superposition.
Theorem 8. Let $\mathcal{U}_{\mathrm{Adv}}$ be an $N$, $\alpha$, family such that $\left(\frac{1}{6} - \alpha\right)\log(N) \geq \log k + \log\frac{1}{\epsilon} + 2$ and let δ = 2 2+log K− N α K . Then a uniformly random Haar encoding and decoding strategy (see (Enc, Dec) in Definition 2.6) is a $(K, N, \epsilon + \delta)$-tamper secure scheme with
Let $|\theta\rangle$ be an arbitrary quantum message from the $\delta$-net. We express $\theta$ in the computational basis with $a_i$ as coefficients
Note that for a fixed $U$,
Recall that $\Pi$ is a projector on the space of codewords, that is, $\Pi =$ (from eq. (10))
Let $E$ be the event that (Enc, Dec) is not $\epsilon$-secure against $\mathcal{U}_{\mathrm{Adv}}$. Again, for bounding the probability of $E$, we need the higher moments of $X_m$, the calculation of which we defer to Appendix C.
After this, an argument similar to the previous one (breaking the sum into two parts, $t \leq N^{1/5}$ and $t > N^{1/5}$, followed by a union bound over all messages and accounting for the size of $|\mathcal{U}_{\mathrm{Adv}}|$) can be applied directly. For completeness, we provide it here.
And finally, with the union bound,

Conclusion and future work
Our main result exhibits the existence of quantum tamper detection codes for large families of unitary operators of size up to $2^{2^{\alpha n}}$. Since the proof is probabilistic, one natural direction would be to give a constructive proof for quantum tamper detection codes. However, it should be noted that such efficient constructions are not known even against a classical adversary of such a large size. Typically, efficient constructions are known for families of size $2^{\mathrm{poly}(n)}$ in the CRS model. Hence, one has to first find families of relatively small size (and of some interest) against which tamper detection can be made efficient. We present one such example, the family of generalized Pauli operators. There are other natural follow-up questions:
• An arbitrary quantum adversary is capable of doing CPTP operations. Can we provide quantum tamper detection security for families of CPTP maps? As a first work in this line, we restrict ourselves to unitary tamperings.
• Similar to the classical result of [1], can we obtain an efficient construction of tamper detection codes for an arbitrary family of unitary operators of size $2^{s(n)}$, where $s$ is an arbitrary polynomial in $n$?
• Classically, tamper detection codes exist for any $\alpha < 1$. In the current work, we show the existence of unitary tamper detection codes for $\alpha < \frac{1}{6}$. Although we note that with careful optimization of parameters, the same analysis goes through for any $\alpha < \frac{1}{4}$, it will be interesting to see if we can get tamper detection codes for $\alpha \geq \frac{1}{4}$, possibly using some other techniques.
• Classical tamper detection codes turned out to be an important component in the construction of classical non-malleable codes. Even in the case of unitary tamperings against classical messages, we show that tamper detection can lead to meaningful non-malleable guarantees. It would be interesting to see if a similar approach can be taken for quantum messages as well.
NUS, Singapore. This work is supported by the Prime Minister's Office, Singapore and the Ministry of Education, Singapore, under the Research Centres of Excellence program.

A Quantum AMD codes
Let $\mathbb{F}_q$ be the field of size $q$ with characteristic $p$. Let $d$ be an integer such that $p$ does not divide $d + 2$. Consider the following function $f$:
We consider an encoding and decoding strategy analogous to the classical encoding [4]. The analysis and proof also follow similar lines and are fairly straightforward. Here we present the same for the sake of completeness. For compactness, we will use $s$ to denote $(s_1, s_2, \ldots, s_d) \in \mathbb{F}_q^d$. We will also use $v_{i:j}$ to denote the restriction of the vector $v$ to coordinates from $i$ through $j$. That is, for a vector $v = (v_1, v_2, \ldots, v_n)$, the restriction $v_{i:j} = (v_i, v_{i+1}, \ldots, v_j)$.
• Let Enc be a quantum encoding defined as below: $|s, r, f(s, r)\rangle$.
• Let Dec be the POVM $\{\Pi_\perp, \Pi_{s \in \mathbb{F}_q^d}\}$ such that
Proof. Note that the following equation gives a $d + 1$ degree polynomial in $r$. Hence, for at most $d + 1$ values of $r$, we can get f ((s + x . The desired inequality now follows.
Theorem 9. The above (Enc, Dec) construction is quantum tamper secure (in the relaxed form) against generalized Pauli matrices with parameters d log q, (d + 2) log q, d+1 q 2 .
Proof. Let the error term due to generalized Pauli unitary $X$ be $x = (x_1, x_2, \ldots, x_{d+2})$ to indicate the tampering by
Similarly, let the error term due to generalized Pauli unitary $Z$ be $z$ to indicate the tampering by
For any message $s = (s_1, s_2, \ldots, s_d)$, the state of the message after encoding and the tampering operation is
For any other message $s' = (s'_1, s'_2, \ldots, s'_d) \neq s$, the probability of outputting $s'$ when the encoded message $s$ is tampered by $X_x Z_z$ is given by the probability $|\langle \psi_{s'} | X_x Z_z | \psi_s \rangle|^2$. Thus, the probability of outputting a different message can be bounded as follows:

B Higher moments for classical messages
Similar to the case of the first-order moments, we start by expressing $X_{js}$ as a sum of products. We then deal with both the cases $j = s$ and $j \neq s$ individually.
Higher moments of random variable $X_{js}$ and $X_{ss}$: Before going ahead, we would like to introduce some shorthand and notation, given the number of terms involved in the expressions to come.
Definition B.1. For a unitary operator, let U c i be defined as follows:
For definitions of $C(\alpha)$, $C_1(\alpha)$, $\Sigma_i$ and $\mathrm{Val}(\alpha)$ see Section 2.4. See Section 2.5 for the definition of $\delta$ as well as other notations regarding Weingarten functions.

C Higher moments for quantum messages
We start by representing $X_m^t$ as a sum of products and then move on to calculating higher moments.
Higher moments of random variable $X_m$: Thus, . . .