281 research outputs found
Unconditionally secure quantum bit commitment is impossible
The claim of quantum cryptography has always been that it can provide
protocols that are unconditionally secure, that is, for which the security does
not depend on any restriction on the time, space or technology available to the
cheaters. We show that this claim does not hold for any quantum bit commitment
protocol. Since many cryptographic tasks use bit commitment as a basic
primitive, this result implies a severe setback for quantum cryptography. The
model used encompasses all reasonable implementations of quantum bit commitment
protocols in which the participants have not met before, including those that
make use of the theory of special relativity.
Comment: 4 pages, revtex. Journal version replacing the version published in
the proceedings of PhysComp96. This is a significantly improved version which
emphasizes the generality of the resul
Bound on distributed entanglement
Using the convex-roof extended negativity and the negativity of assistance as
quantifications of bipartite entanglement, we consider the possible
remotely-distributed entanglement. For two pure states and
on bipartite systems and , we first show that the
possible amount of entanglement remotely distributed on the system by
joint measurement on the system is not less than the product of two
amounts of entanglement for the states and
in two-qubit and two-qutrit systems. We also provide some sufficient
conditions, for which the result can be generalized into higher-dimensional
quantum systems.
Comment: 5 page
Cheat Sensitive Quantum Bit Commitment
We define cheat sensitive cryptographic protocols between mistrustful parties
as protocols which guarantee that, if either cheats, the other has some nonzero
probability of detecting the cheating. We give an example of an unconditionally
secure cheat sensitive non-relativistic bit commitment protocol which uses
quantum information to implement a task which is classically impossible; we
also describe a simple relativistic protocol.
Comment: Final version: a slightly shortened version of this will appear in
PRL. Minor corrections from last versio
Quantum Bit String Commitment
A bit string commitment protocol securely commits classical bits in such
a way that the recipient can extract only bits of information about the
string. Classical reasoning might suggest that bit string commitment implies
bit commitment and hence, given the Mayers-Lo-Chau theorem, that
non-relativistic quantum bit string commitment is impossible. Not so: there
exist non-relativistic quantum bit string commitment protocols, with security
parameters and , that allow to commit
bits to so that 's probability of successfully cheating when revealing
any bit and 's probability of extracting more than bits of
information about the bit string before revelation are both less than
. With a slightly weakened but still restrictive definition of
security against , can be taken to be for a positive
constant . I briefly discuss possible applications.
Comment: Published version. (Refs updated.
Is Quantum Bit Commitment Really Possible?
We show that all proposed quantum bit commitment schemes are insecure because
the sender, Alice, can almost always cheat successfully by using an
Einstein-Podolsky-Rosen type of attack and delaying her measurement until she
opens her commitment.
Comment: Major revisions to include a more extensive introduction and an
example of bit commitment. Overlap with independent work by Mayers
acknowledged. More recent works by Mayers, by Lo and Chau and by Lo are also
noted. Accepted for publication in Phys. Rev. Let
Insecurity of Quantum Secure Computations
It had been widely claimed that quantum mechanics can protect private
information during public decision in for example the so-called two-party
secure computation. If this were the case, quantum smart-cards could prevent
fake teller machines from learning the PIN (Personal Identification Number)
from the customers' input. Although such optimism has been challenged by the
recent surprising discovery of the insecurity of the so-called quantum bit
commitment, the security of quantum two-party computation itself remains
unaddressed. Here I answer this question directly by showing that all
"one-sided" two-party computations (which allow only one of the two parties
to learn the result) are necessarily insecure. As corollaries to my results,
quantum one-way oblivious password identification and the so-called quantum
one-out-of-two oblivious transfer are impossible. I also construct a class of
functions that cannot be computed securely in any "two-sided" two-party
computation. Nevertheless, quantum cryptography remains useful in key
distribution and can still provide partial security in "quantum money"
proposed by Wiesner.
Comment: The discussion on the insecurity of even non-ideal protocols has been
greatly extended. Other technical points are also clarified. Version accepted
for publication in Phys. Rev.
Towards Communication-Efficient Quantum Oblivious Key Distribution
Oblivious Transfer, a fundamental problem in the field of secure multi-party
computation is defined as follows: A database DB of N bits held by Bob is
queried by a user Alice who is interested in the bit DB_b in such a way that
(1) Alice learns DB_b and only DB_b and (2) Bob does not learn anything about
Alice's choice b. While solutions to this problem in the classical domain rely
largely on unproven computational complexity theoretic assumptions, it is also
known that perfect solutions that guarantee both database and user privacy are
impossible in the quantum domain. Jakobi et al. [Phys. Rev. A, 83(2), 022301,
Feb 2011] proposed a protocol for Oblivious Transfer using well known QKD
techniques to establish an Oblivious Key to solve this problem. Their solution
provided a good degree of database and user privacy (using physical principles
like impossibility of perfectly distinguishing non-orthogonal quantum states
and the impossibility of superluminal communication) while being loss-resistant
and implementable with commercial QKD devices (due to the use of SARG04).
However, their Quantum Oblivious Key Distribution (QOKD) protocol requires a
communication complexity of O(N log N). Since modern databases can be extremely
large, it is important to reduce this communication as much as possible. In
this paper, we first suggest a modification of their protocol wherein the
number of qubits that need to be exchanged is reduced to O(N). A subsequent
generalization reduces the quantum communication complexity even further in
such a way that only a few hundred qubits are needed to be transferred even for
very large databases.
Comment: 7 page
Quantum Key Distribution Using Quantum Faraday Rotators
We propose a new quantum key distribution (QKD) protocol based on the fully
quantum mechanical states of the Faraday rotators. The protocol is
unconditionally secure against collective attacks for multi-photon source up to
two photons on a noisy environment. It is also robust against impersonation
attacks. The protocol may be implemented experimentally with the current
spintronics technology on semiconductors.
Comment: 7 pages, 7 EPS figure
Unconditionally Secure Bit Commitment
We describe a new classical bit commitment protocol based on cryptographic
constraints imposed by special relativity. The protocol is unconditionally
secure against classical or quantum attacks. It evades the no-go results of
Mayers, Lo and Chau by requiring from Alice a sequence of communications,
including a post-revelation verification, each of which is guaranteed to be
independent of its predecessor.
Comment: Typos corrected. Reference details added. To appear in Phys. Rev.
Let
Unconditional security at a low cost
By simulating four quantum key distribution (QKD) experiments and analyzing
one decoy-state QKD experiment, we compare two data post-processing schemes
based on security against individual attack by Lütkenhaus, and
unconditional security analysis by Gottesman-Lo-Lütkenhaus-Preskill. Our
results show that these two schemes yield close performances. Since the Holy
Grail of QKD is its unconditional security, we conclude that one is better off
considering unconditional security, rather than restricting to individual
attacks.
Comment: Accepted by International Conference on Quantum Foundation and
Technology: Frontier and Future 2006 (ICQFT'06