Bound on distributed entanglement

Using the convex-roof extended negativity and the negativity of assistance as quantifications of bipartite entanglement, we consider the possible remotely-distributed entanglement. For two pure states $\ket{\phi}_{AB}$ and $\ket{\psi}_{CD}$ on bipartite systems $AB$ and $CD$, we first show that the possible amount of entanglement remotely distributed on the system $AC$ by joint measurement on the system $BD$ is not less than the product of two amounts of entanglement for the states $\ket{\phi}_{AB}$ and $\ket{\psi}_{CD}$ in two-qubit and two-qutrit systems. We also provide some sufficient conditions, for which the result can be generalized into higher-dimensional quantum systems.Comment: 5 page

Unconditionally secure quantum bit commitment is impossible

The claim of quantum cryptography has always been that it can provide protocols that are unconditionally secure, that is, for which the security does not depend on any restriction on the time, space or technology available to the cheaters. We show that this claim does not hold for any quantum bit commitment protocol. Since many cryptographic tasks use bit commitment as a basic primitive, this result implies a severe setback for quantum cryptography. The model used encompasses all reasonable implementations of quantum bit commitment protocols in which the participants have not met before, including those that make use of the theory of special relativity.Comment: 4 pages, revtex. Journal version replacing the version published in the proceedings of PhysComp96. This is a significantly improved version which emphasis the generality of the resul

Quantum Bit String Commitment

A bit string commitment protocol securely commits $N$ classical bits in such a way that the recipient can extract only $M<N$ bits of information about the string. Classical reasoning might suggest that bit string commitment implies bit commitment and hence, given the Mayers-Lo-Chau theorem, that non-relativistic quantum bit string commitment is impossible. Not so: there exist non-relativistic quantum bit string commitment protocols, with security parameters $\epsilon$ and $M$, that allow $A$ to commit $N = N(M, \epsilon)$ bits to $B$ so that $A$'s probability of successfully cheating when revealing any bit and $B$'s probability of extracting more than $N'=N-M$ bits of information about the $N$ bit string before revelation are both less than $\epsilon$. With a slightly weakened but still restrictive definition of security against $A$, $N$ can be taken to be $O(\exp (C N'))$ for a positive constant $C$. I briefly discuss possible applications.Comment: Published version. (Refs updated.

Cheat Sensitive Quantum Bit Commitment

We define cheat sensitive cryptographic protocols between mistrustful parties as protocols which guarantee that, if either cheats, the other has some nonzero probability of detecting the cheating. We give an example of an unconditionally secure cheat sensitive non-relativistic bit commitment protocol which uses quantum information to implement a task which is classically impossible; we also describe a simple relativistic protocol.Comment: Final version: a slightly shortened version of this will appear in PRL. Minor corrections from last versio

Is Quantum Bit Commitment Really Possible?

We show that all proposed quantum bit commitment schemes are insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen type of attack and delaying her measurement until she opens her commitment.Comment: Major revisions to include a more extensive introduction and an example of bit commitment. Overlap with independent work by Mayers acknowledged. More recent works by Mayers, by Lo and Chau and by Lo are also noted. Accepted for publication in Phys. Rev. Let

Insecurity of Quantum Secure Computations

It had been widely claimed that quantum mechanics can protect private information during public decision in for example the so-called two-party secure computation. If this were the case, quantum smart-cards could prevent fake teller machines from learning the PIN (Personal Identification Number) from the customers' input. Although such optimism has been challenged by the recent surprising discovery of the insecurity of the so-called quantum bit commitment, the security of quantum two-party computation itself remains unaddressed. Here I answer this question directly by showing that all ``one-sided'' two-party computations (which allow only one of the two parties to learn the result) are necessarily insecure. As corollaries to my results, quantum one-way oblivious password identification and the so-called quantum one-out-of-two oblivious transfer are impossible. I also construct a class of functions that cannot be computed securely in any ``two-sided'' two-party computation. Nevertheless, quantum cryptography remains useful in key distribution and can still provide partial security in ``quantum money'' proposed by Wiesner.Comment: The discussion on the insecurity of even non-ideal protocols has been greatly extended. Other technical points are also clarified. Version accepted for publication in Phys. Rev.

Quantum identification system

A secure quantum identification system combining a classical identification procedure and quantum key distribution is proposed. Each identification sequence is always used just once and new sequences are ``refuelled'' from a shared provably secret key transferred through the quantum channel. Two identification protocols are devised. The first protocol can be applied when legitimate users have an unjammable public channel at their disposal. The deception probability is derived for the case of a noisy quantum channel. The second protocol employs unconditionally secure authentication of information sent over the public channel, and thus it can be applied even in the case when an adversary is allowed to modify public communications. An experimental realization of a quantum identification system is described.Comment: RevTeX, 4 postscript figures, 9 pages, submitted to Physical Review

Quantum Key Distribution Using Quantum Faraday Rotators

We propose a new quantum key distribution (QKD) protocol based on the fully quantum mechanical states of the Faraday rotators. The protocol is unconditionally secure against collective attacks for multi-photon source up to two photons on a noisy environment. It is also robust against impersonation attacks. The protocol may be implemented experimentally with the current spintronics technology on semiconductors.Comment: 7 pages, 7 EPS figure

Security of quantum bit string commitment depends on the information measure

Unconditionally secure non-relativistic bit commitment is known to be impossible in both the classical and the quantum world. However, when committing to a string of n bits at once, how far can we stretch the quantum limits? In this letter, we introduce a framework of quantum schemes where Alice commits a string of n bits to Bob, in such a way that she can only cheat on a bits and Bob can learn at most b bits of information before the reveal phase. Our results are two-fold: we show by an explicit construction that in the traditional approach, where the reveal and guess probabilities form the security criteria, no good schemes can exist: a+b is at least n. If, however, we use a more liberal criterion of security, the accessible information, we construct schemes where a=4 log n+O(1) and b=4, which is impossible classically. Our findings significantly extend known no-go results for quantum bit commitment.Comment: To appear in PRL. Short version of quant-ph/0504078, long version to appear separately. Improved security definition and result, one new lemma that may be of independent interest. v2: added funding reference, no other change

Unconditional security at a low cost

By simulating four quantum key distribution (QKD) experiments and analyzing one decoy-state QKD experiment, we compare two data post-processing schemes based on security against individual attack by L\"{u}tkenhaus, and unconditional security analysis by Gottesman-Lo-L\"{u}tkenhaus-Preskill. Our results show that these two schemes yield close performances. Since the Holy Grail of QKD is its unconditional security, we conclude that one is better off considering unconditional security, rather than restricting to individual attacks.Comment: Accepted by International Conference on Quantum Foundation and Technology: Frontier and Future 2006 (ICQFT'06