281 research outputs found

    Unconditionally secure quantum bit commitment is impossible

    The claim of quantum cryptography has always been that it can provide protocols that are unconditionally secure, that is, for which the security does not depend on any restriction on the time, space or technology available to the cheaters. We show that this claim does not hold for any quantum bit commitment protocol. Since many cryptographic tasks use bit commitment as a basic primitive, this result implies a severe setback for quantum cryptography. The model used encompasses all reasonable implementations of quantum bit commitment protocols in which the participants have not met before, including those that make use of the theory of special relativity. Comment: 4 pages, revtex. Journal version replacing the version published in the proceedings of PhysComp96. This is a significantly improved version which emphasizes the generality of the resul

    Bound on distributed entanglement

    Using the convex-roof extended negativity and the negativity of assistance as quantifications of bipartite entanglement, we consider the possible remotely-distributed entanglement. For two pure states $\ket{\phi}_{AB}$ and $\ket{\psi}_{CD}$ on bipartite systems $AB$ and $CD$, we first show that the possible amount of entanglement remotely distributed on the system $AC$ by joint measurement on the system $BD$ is not less than the product of two amounts of entanglement for the states $\ket{\phi}_{AB}$ and $\ket{\psi}_{CD}$ in two-qubit and two-qutrit systems. We also provide some sufficient conditions, for which the result can be generalized into higher-dimensional quantum systems. Comment: 5 page

    Cheat Sensitive Quantum Bit Commitment

    We define cheat sensitive cryptographic protocols between mistrustful parties as protocols which guarantee that, if either cheats, the other has some nonzero probability of detecting the cheating. We give an example of an unconditionally secure cheat sensitive non-relativistic bit commitment protocol which uses quantum information to implement a task which is classically impossible; we also describe a simple relativistic protocol. Comment: Final version: a slightly shortened version of this will appear in PRL. Minor corrections from last versio

    Quantum Bit String Commitment

    A bit string commitment protocol securely commits $N$ classical bits in such a way that the recipient can extract only $M<N$ bits of information about the string. Classical reasoning might suggest that bit string commitment implies bit commitment and hence, given the Mayers-Lo-Chau theorem, that non-relativistic quantum bit string commitment is impossible. Not so: there exist non-relativistic quantum bit string commitment protocols, with security parameters $\epsilon$ and $M$, that allow $A$ to commit $N = N(M, \epsilon)$ bits to $B$ so that $A$'s probability of successfully cheating when revealing any bit and $B$'s probability of extracting more than $N'=N-M$ bits of information about the $N$ bit string before revelation are both less than $\epsilon$. With a slightly weakened but still restrictive definition of security against $A$, $N$ can be taken to be $O(\exp (C N'))$ for a positive constant $C$. I briefly discuss possible applications. Comment: Published version. (Refs updated.

    Is Quantum Bit Commitment Really Possible?

    We show that all proposed quantum bit commitment schemes are insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen type of attack and delaying her measurement until she opens her commitment. Comment: Major revisions to include a more extensive introduction and an example of bit commitment. Overlap with independent work by Mayers acknowledged. More recent works by Mayers, by Lo and Chau and by Lo are also noted. Accepted for publication in Phys. Rev. Let

    Insecurity of Quantum Secure Computations

    It had been widely claimed that quantum mechanics can protect private information during public decision in for example the so-called two-party secure computation. If this were the case, quantum smart-cards could prevent fake teller machines from learning the PIN (Personal Identification Number) from the customers' input. Although such optimism has been challenged by the recent surprising discovery of the insecurity of the so-called quantum bit commitment, the security of quantum two-party computation itself remains unaddressed. Here I answer this question directly by showing that all "one-sided" two-party computations (which allow only one of the two parties to learn the result) are necessarily insecure. As corollaries to my results, quantum one-way oblivious password identification and the so-called quantum one-out-of-two oblivious transfer are impossible. I also construct a class of functions that cannot be computed securely in any "two-sided" two-party computation. Nevertheless, quantum cryptography remains useful in key distribution and can still provide partial security in "quantum money" proposed by Wiesner. Comment: The discussion on the insecurity of even non-ideal protocols has been greatly extended. Other technical points are also clarified. Version accepted for publication in Phys. Rev.

    Towards Communication-Efficient Quantum Oblivious Key Distribution

    Oblivious Transfer, a fundamental problem in the field of secure multi-party computation is defined as follows: A database DB of N bits held by Bob is queried by a user Alice who is interested in the bit DB_b in such a way that (1) Alice learns DB_b and only DB_b and (2) Bob does not learn anything about Alice's choice b. While solutions to this problem in the classical domain rely largely on unproven computational complexity theoretic assumptions, it is also known that perfect solutions that guarantee both database and user privacy are impossible in the quantum domain. Jakobi et al. [Phys. Rev. A, 83(2), 022301, Feb 2011] proposed a protocol for Oblivious Transfer using well known QKD techniques to establish an Oblivious Key to solve this problem. Their solution provided a good degree of database and user privacy (using physical principles like impossibility of perfectly distinguishing non-orthogonal quantum states and the impossibility of superluminal communication) while being loss-resistant and implementable with commercial QKD devices (due to the use of SARG04). However, their Quantum Oblivious Key Distribution (QOKD) protocol requires a communication complexity of O(N log N). Since modern databases can be extremely large, it is important to reduce this communication as much as possible. In this paper, we first suggest a modification of their protocol wherein the number of qubits that need to be exchanged is reduced to O(N). A subsequent generalization reduces the quantum communication complexity even further in such a way that only a few hundred qubits are needed to be transferred even for very large databases. Comment: 7 page

    Quantum Key Distribution Using Quantum Faraday Rotators

    We propose a new quantum key distribution (QKD) protocol based on the fully quantum mechanical states of the Faraday rotators. The protocol is unconditionally secure against collective attacks for multi-photon source up to two photons on a noisy environment. It is also robust against impersonation attacks. The protocol may be implemented experimentally with the current spintronics technology on semiconductors. Comment: 7 pages, 7 EPS figure

    Unconditionally Secure Bit Commitment

    We describe a new classical bit commitment protocol based on cryptographic constraints imposed by special relativity. The protocol is unconditionally secure against classical or quantum attacks. It evades the no-go results of Mayers, Lo and Chau by requiring from Alice a sequence of communications, including a post-revelation verification, each of which is guaranteed to be independent of its predecessor. Comment: Typos corrected. Reference details added. To appear in Phys. Rev. Let

    Unconditional security at a low cost

    By simulating four quantum key distribution (QKD) experiments and analyzing one decoy-state QKD experiment, we compare two data post-processing schemes based on security against individual attack by Lütkenhaus, and unconditional security analysis by Gottesman-Lo-Lütkenhaus-Preskill. Our results show that these two schemes yield close performances. Since the Holy Grail of QKD is its unconditional security, we conclude that one is better off considering unconditional security, rather than restricting to individual attacks. Comment: Accepted by International Conference on Quantum Foundation and Technology: Frontier and Future 2006 (ICQFT'06