Complete Insecurity of Quantum Protocols for Classical Two-Party Computation
A fundamental task in modern cryptography is the joint computation of a
function which has two inputs, one from Alice and one from Bob, such that
neither of the two can learn more about the other's input than what is implied
by the value of the function. In this Letter, we show that any quantum protocol
for the computation of a classical deterministic function that outputs the
result to both parties (two-sided computation) and that is secure against a
cheating Bob can be completely broken by a cheating Alice. Whereas it is known
that quantum protocols for this task cannot be completely secure, our result
implies that security for one party implies complete insecurity for the other.
Our findings stand in stark contrast to recent protocols for weak coin tossing,
and highlight the limits of cryptography within quantum mechanics. We remark
that our conclusions remain valid, even if security is only required to be
approximate and if the function that is computed for Bob is different from that
of Alice.
Comment: v2: 6 pages, 1 figure, text identical to PRL version (but reasonably formatted)
Secure two-party quantum evaluation of unitaries against specious adversaries
We describe how any two-party quantum computation, specified by a unitary
which simultaneously acts on the registers of both parties, can be privately
implemented against a quantum version of classical semi-honest adversaries that
we call specious. Our construction requires two ideal functionalities to
guarantee privacy: a private SWAP between registers held by the two parties and
a classical private AND-box equivalent to oblivious transfer. If the unitary to
be evaluated is in the Clifford group then only one call to SWAP is required
for privacy. On the other hand, any unitary not in the Clifford group requires one
call to an AND-box per R-gate in the circuit. Since SWAP is itself in the
Clifford group, this functionality is universal for the private evaluation of
any unitary in that group. SWAP can be built from a classical bit commitment
scheme or an AND-box but an AND-box cannot be constructed from SWAP. It follows
that unitaries in the Clifford group are to some extent the easy ones. We also
show that SWAP cannot be implemented privately in the bare model
Experimental quantum tossing of a single coin
The cryptographic protocol of coin tossing consists of two parties, Alice and
Bob, that do not trust each other, but want to generate a random bit. If the
parties use a classical communication channel and have unlimited computational
resources, one of them can always cheat perfectly. Here we analyze in detail
how the performance of a quantum coin tossing experiment should be compared to
classical protocols, taking into account the inevitable experimental
imperfections. We then report an all-optical fiber experiment in which a single
coin is tossed whose randomness is higher than achievable by any classical
protocol and present some easily realisable cheating strategies by Alice and
Bob.
Comment: 13 pages
Using quantum key distribution for cryptographic purposes: a survey
The appealing feature of quantum key distribution (QKD), from a cryptographic
viewpoint, is the ability to prove the information-theoretic security (ITS) of
the established keys. As a key establishment primitive, QKD however does not
provide a standalone security service on its own: the secret keys established
by QKD are in general then used by subsequent cryptographic applications for
which the requirements, the context of use and the security properties can
vary. It is therefore important, in the perspective of integrating QKD in
security infrastructures, to analyze how QKD can be combined with other
cryptographic primitives. The purpose of this survey article, which is mostly
centered on European research results, is to contribute to such an analysis. We
first review and compare the properties of the existing key establishment
techniques, QKD being one of them. We then study more specifically two generic
scenarios related to the practical use of QKD in cryptographic infrastructures:
1) using QKD as a key renewal technique for a symmetric cipher over a
point-to-point link; 2) using QKD in a network containing many users with the
objective of offering any-to-any key establishment service. We discuss the
constraints as well as the potential interest of using QKD in these contexts.
We finally give an overview of challenges relative to the development of QKD
technology that also constitute potential avenues for cryptographic research.
Comment: Revised version of the SECOQC White Paper. Published in the special
issue on QKD of TCS, Theoretical Computer Science (2014), pp. 62-8
Possibility, Impossibility and Cheat-Sensitivity of Quantum Bit String Commitment
Unconditionally secure non-relativistic bit commitment is known to be
impossible in both the classical and the quantum worlds. But when committing to
a string of n bits at once, how far can we stretch the quantum limits? In this
paper, we introduce a framework for quantum schemes where Alice commits a
string of n bits to Bob in such a way that she can only cheat on a bits and Bob
can learn at most b bits of information before the reveal phase. Our results
are two-fold: we show by an explicit construction that in the traditional
approach, where the reveal and guess probabilities form the security criteria,
no good schemes can exist: a+b is at least n. If, however, we use a more
liberal criterion of security, the accessible information, we construct schemes
where a=4log n+O(1) and b=4, which is impossible classically. We furthermore
present a cheat-sensitive quantum bit string commitment protocol for which we
give an explicit tradeoff between Bob's ability to gain information about the
committed string, and the probability of him being detected cheating.
Comment: 10 pages, RevTex, 2 figures. v2: title changed, cheat-sensitivity added
Composability in quantum cryptography
In this article, we review several aspects of composability in the context of
quantum cryptography. The first part is devoted to key distribution. We discuss
the security criteria that a quantum key distribution protocol must fulfill to
allow its safe use within a larger security application (e.g., for secure
message transmission). To illustrate the practical use of composability, we
show how to generate a continuous key stream by sequentially composing rounds
of a quantum key distribution protocol. In a second part, we take a more
general point of view, which is necessary for the study of cryptographic
situations involving, for example, mutually distrustful parties. We explain the
universal composability framework and state the composition theorem which
guarantees that secure protocols can securely be composed to larger
applications.
Comment: 18 pages, 2 figures
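Scenario (1) of the QKD survey above (QKD as a key-renewal source for a symmetric cipher on a point-to-point link) and the continuous key stream obtained by sequentially composing QKD rounds in the composability article are both, operationally, a rate-limited pool of one-time secret bits that a cipher drains in fixed-size keys. The following is an added example of that key handling, not code from either paper: the QKD rounds are constructed stand-ins filled from OS randomness, the 256-bit key size is an assumption, and the two secret-key rates are the figures quoted for the 250 km prototype on this page.

```python
"""Added example (not from the survey or the composability article): a
key-renewal pool fed by successive QKD rounds and drained by a link cipher.

Secret bits are consumed exactly once. When the pool cannot supply a key the
link refuses to send rather than reuse or stretch key material, which is what
keeps the information-theoretic property of the QKD output intact.
"""
import os
from typing import List, Optional, Tuple

KEY_BITS = 256  # assumed key size for the link cipher (e.g. AES-256)

# Secret-key rates quoted for the 250 km ultra-low-loss-fibre prototype
RATE_100KM_BITS_PER_S = 6000
RATE_250KM_BITS_PER_S = 15


class KeyPool:
    """Accumulates the secret output of completed QKD rounds and issues keys."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self.issued = 0

    def add_round(self, secret: bytes) -> None:
        """Append the key output of one QKD round (post privacy amplification)."""
        self._buf += secret

    def available_bits(self) -> int:
        return 8 * len(self._buf)

    def next_key(self) -> Optional[bytes]:
        """Return a fresh KEY_BITS key, or None so the caller can fail closed."""
        need = KEY_BITS // 8
        if len(self._buf) < need:
            return None
        key = bytes(self._buf[:need])
        del self._buf[:need]  # one-time consumption: bits never leave the pool twice
        self.issued += 1
        return key


def rekeys_per_second(secret_bits_per_second: float) -> float:
    """How often a KEY_BITS key can be renewed at a given QKD secret-key rate."""
    return secret_bits_per_second / KEY_BITS


def run_link(pool: KeyPool, messages: List[bytes], rekey_every: int) -> Tuple[int, int]:
    """Send messages, drawing a new key every `rekey_every` messages.

    Returns (sent, refused). A message is refused whenever the current epoch has
    no key; the link stops instead of reusing a previous key. The cipher itself
    is out of scope here; only the key schedule is modelled.
    """
    sent = refused = 0
    key = pool.next_key()
    for i, _msg in enumerate(messages):
        if i > 0 and i % rekey_every == 0:
            key = pool.next_key()
        if key is None:
            refused += 1
            continue
        sent += 1
    return sent, refused


def demo() -> dict:
    """Three constructed rounds of 512 secret bits each, rekeying per message."""
    pool = KeyPool()
    for _ in range(3):
        pool.add_round(os.urandom(64))  # constructed stand-in for a QKD round
    sent, refused = run_link(pool, [b"msg"] * 10, rekey_every=1)
    return {
        "keys_issued": pool.issued,
        "sent": sent,
        "refused": refused,
        "rekeys_per_s_100km": rekeys_per_second(RATE_100KM_BITS_PER_S),
        "rekeys_per_s_250km": rekeys_per_second(RATE_250KM_BITS_PER_S),
    }


if __name__ == "__main__":
    print(demo())
```

The refusal path is the practitioner-relevant part: at 15 secret bits per second a 256-bit key arrives roughly every 17 seconds, so a link that rekeys per message must either buffer ahead, rekey less often, or stop; silently reusing a key would turn an ITS key stream into an ordinary long-lived symmetric key.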
High rate, long-distance quantum key distribution over 250km of ultra low loss fibres
We present a fully automated quantum key distribution prototype running at
625 MHz clock rate. Taking advantage of ultra low loss fibres and low-noise
superconducting detectors, we can distribute 6,000 secret bits per second over
100 km and 15 bits per second over 250 km.
Reexamination of Quantum Bit Commitment: the Possible and the Impossible
Bit commitment protocols whose security is based on the laws of quantum
mechanics alone are generally held to be impossible. In this paper we give a
strengthened and explicit proof of this result. We extend its scope to a much
larger variety of protocols, which may have an arbitrary number of rounds, in
which both classical and quantum information is exchanged, and which may
include aborts and resets. Moreover, we do not consider the receiver to be
bound to a fixed "honest" strategy, so that "anonymous state protocols", which
were recently suggested as a possible way to beat the known no-go results, are
also covered. We show that any concealing protocol allows the sender to find a
cheating strategy, which is universal in the sense that it works against any
strategy of the receiver. Moreover, if the concealing property holds only
approximately, the cheat goes undetected with a high probability, which we
explicitly estimate. The proof uses an explicit formalization of general two
party protocols, which is applicable to more general situations, and a new
estimate about the continuity of the Stinespring dilation of a general quantum
channel. The result also provides a natural characterization of protocols that
fall outside the standard setting of unlimited available technology, and thus
may allow secure bit commitment. We present a new such protocol whose security,
perhaps surprisingly, relies on decoherence in the receiver's lab.
Comment: v1: 26 pages, 4 eps figures. v2: 31 pages, 5 eps figures; replaced
with published version; title changed to comply with puzzling Phys. Rev.
regulations; impossibility proof extended to protocols with infinitely many
rounds or a continuous communication tree; security proof of decoherence
monster protocol expanded; presentation clarified
Single-shot security for one-time memories in the isolated qubits model
One-time memories (OTM's) are simple, tamper-resistant cryptographic devices,
which can be used to implement sophisticated functionalities such as one-time
programs. Can one construct OTM's whose security follows from some physical
principle? This is not possible in a fully-classical world, or in a
fully-quantum world, but there is evidence that OTM's can be built using
"isolated qubits" -- qubits that cannot be entangled, but can be accessed using
adaptive sequences of single-qubit measurements.
Here we present new constructions for OTM's using isolated qubits, which
improve on previous work in several respects: they achieve a stronger
"single-shot" security guarantee, which is stated in terms of the (smoothed)
min-entropy; they are proven secure against adversaries who can perform
arbitrary local operations and classical communication (LOCC); and they are
efficiently implementable.
These results use Wiesner's idea of conjugate coding, combined with
error-correcting codes that approach the capacity of the q-ary symmetric
channel, and a high-order entropic uncertainty relation, which was originally
developed for cryptography in the bounded quantum storage model.
Comment: v2: to appear in CRYPTO 2014. 21 pages, 3 figures
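The core of the construction sketched above is Wiesner's conjugate coding under the isolated-qubits restriction: two messages are written into single qubits in conjugate bases, a receiver who measures in one basis reads one message and unavoidably destroys the other, and no entangling operation is available to do better. The block below is an added toy simulation of that encode-and-measure step, not code from the paper: single-qubit measurements are modelled classically, the interleaved layout is assumed public, and the error-correcting code and the min-entropy proof of the actual construction are omitted.

```python
"""Added example (not from the paper): a toy one-time memory from Wiesner's
conjugate coding, with isolated-qubit measurements simulated classically.

Message 0 is encoded in the Z basis and message 1 in the X basis at randomly
interleaved positions; the layout is public. Measuring a qubit in its own basis
returns the encoded bit; measuring it in the conjugate basis returns a uniformly
random bit and consumes the qubit. No entangling operation is offered, which is
the isolated-qubits restriction.
"""
import random
from typing import List, Tuple

Z, X = 0, 1  # the two conjugate bases


class IsolatedQubit:
    """A qubit prepared in one basis that can be measured exactly once."""

    def __init__(self, bit: int, basis: int) -> None:
        self._bit, self._basis, self._measured = bit, basis, False

    def measure(self, basis: int, rng: random.Random) -> int:
        if self._measured:
            raise RuntimeError("qubit already measured; state destroyed")
        self._measured = True
        if basis == self._basis:
            return self._bit        # same basis: deterministic outcome
        return rng.randrange(2)     # conjugate basis: uniformly random outcome


Layout = Tuple[List[int], List[int]]  # positions holding message 0 and message 1


def encode_otm(msg0: List[int], msg1: List[int],
               rng: random.Random) -> Tuple[List[IsolatedQubit], Layout]:
    """Prepare the OTM: msg0 bits in Z, msg1 bits in X, at shuffled positions."""
    n = len(msg0) + len(msg1)
    positions = list(range(n))
    rng.shuffle(positions)
    pos0 = sorted(positions[:len(msg0)])
    pos1 = sorted(positions[len(msg0):])
    qubits = [None] * n
    for p, b in zip(pos0, msg0):
        qubits[p] = IsolatedQubit(b, Z)
    for p, b in zip(pos1, msg1):
        qubits[p] = IsolatedQubit(b, X)
    return qubits, (pos0, pos1)


def read_otm(qubits: List[IsolatedQubit], choice: int, layout: Layout,
             rng: random.Random) -> List[int]:
    """Honest receiver: measure every qubit in the basis of the chosen message."""
    basis = Z if choice == 0 else X
    outcomes = [q.measure(basis, rng) for q in qubits]  # consumes all qubits
    return [outcomes[p] for p in layout[choice]]


def wrong_basis_accuracy(trials: int, n: int, rng: random.Random) -> float:
    """Fraction of msg1 bits recovered by a receiver who read message 0.

    Tends to 1/2: the X-encoded bits carry no information once the qubits
    have been measured in Z, so the second message is lost.
    """
    hits = 0
    for _ in range(trials):
        msg0 = [rng.randrange(2) for _ in range(n)]  # constructed random messages
        msg1 = [rng.randrange(2) for _ in range(n)]
        qubits, layout = encode_otm(msg0, msg1, rng)
        z_outcomes = [q.measure(Z, rng) for q in qubits]
        guess1 = [z_outcomes[p] for p in layout[1]]
        hits += sum(g == b for g, b in zip(guess1, msg1))
    return hits / (trials * n)


if __name__ == "__main__":
    r = random.Random(7)
    q, lay = encode_otm([1, 0, 1, 1], [0, 1, 1, 0], r)
    print("message 0:", read_otm(q, 0, lay, r))
    print("wrong-basis accuracy:", wrong_basis_accuracy(200, 16, random.Random(3)))
```

What the simulation does not capture is the adaptive part of the model: a real isolated-qubits adversary may choose each single-qubit measurement after seeing earlier outcomes, which is why the paper needs an entropic uncertainty relation plus a capacity-approaching code rather than the bare encoding shown here.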