Quantum cryptography: Difference between revisions

From Wikipedia, the free encyclopedia
Undid revision 967619475 by 95.174.102.180 (talk): predatory journals
Added more details about the performance of TF-QKD. Full disclosure: I am a colleague of the groups involved in these scientific results, but I am not involved in their references cited in this section.
Line 19: Line 19:
The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a [[man-in-the-middle attack]] would be possible.
The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a [[man-in-the-middle attack]] would be possible.


While quantum key distribution is seemingly secure, its applications face the challenge of practicality. This is due to transmission distance and key generation rate limitations. Ongoing studies and growing technology has allowed further advancements in such limitations. In 2018 Lucamarini et al. proposed a scheme that can possibly overcome the point-to-point repeater-less bounds of a lossy communication channel.<ref>{{Cite journal|last1=Takeoka|first1=Masahiro|last2=Guha|first2=Saikat|last3=Wilde|first3=Mark M.|date=2014|title=Fundamental rate-loss tradeoff for optical quantum key distribution|journal=Nature Communications|language=en|volume=5|pages=5235|doi=10.1038/ncomms6235|arxiv=1504.06390}}</ref><ref>{{Cite journal|last1=Pirandola|first1=S.|last2=Laurenza|first2=R.|last3=Ottaviani|first3=C.|last4=Banchi|first4=L.|date=2017|title=Fundamental limits of repeaterless quantum communications|journal=Nature Communications|language=en|volume=8|pages=15043|doi=10.1038/ncomms15043|arxiv=1510.08863}}</ref> The Twin-Field Quantum Key Distribution Scheme suggests that optimal key rates are achievable on "550 kilometers of standard [[Optical fiber|optical fibre]]", which is already commonly used in communications today.<ref>{{Cite journal|last=Shields|first=A. J.|last2=Dynes|first2=J. F.|last3=Yuan|first3=Z. L.|last4=Lucamarini|first4=M.|date=May 2018|title=Overcoming the rate–distance limit of quantum key distribution without quantum repeaters|journal=Nature|language=en|volume=557|issue=7705|pages=400–403|doi=10.1038/s41586-018-0066-6|pmid=29720656|issn=1476-4687|arxiv=1811.06826|bibcode=2018Natur.557..400L}}</ref> The claim was confirmed in the first experimental demonstration of QKD beyond the rate-loss limit by Minder et al. 
in 2019.<ref>{{cite journal|last1=Minder|first1=Mariella|last2=Pittaluga|first2=Mirko|last3=Roberts|first3=George|last4=Lucamarini|first4=Marco|last5=Dynes|first5=James F.|last6=Yuan|first6=Zhiliang|last7=Shields|first7=Andrew J.|title=Experimental quantum key distribution beyond the repeaterless secret key capacity|journal=Nature Photonics|date=February 2019|volume=13|issue=5|pages=334–338|doi=10.1038/s41566-019-0377-7|arxiv=1910.01951}}</ref> This QKD implementation has been characterised as the first ''effective'' quantum repeater.
While QKD is seemingly secure, its applications face the challenge of practicality. This is due to transmission distance and key generation rate limitations. Ongoing studies and growing technology has allowed further advancements in such limitations. In 2018 Lucamarini et al. proposed a twin-field QKD scheme<ref name=TFQKD>{{Cite journal|last=Shields|first=A. J.|last2=Dynes|first2=J. F.|last3=Yuan|first3=Z. L.|last4=Lucamarini|first4=M.|date=May 2018|title=Overcoming the rate–distance limit of quantum key distribution without quantum repeaters|journal=Nature|language=en|volume=557|issue=7705|pages=400–403|doi=10.1038/s41586-018-0066-6|pmid=29720656|issn=1476-4687|arxiv=1811.06826|bibcode=2018Natur.557..400L}}</ref> that can possibly overcome the point-to-point repeater-less bounds of a lossy communication channel.<ref>{{Cite journal|last1=Takeoka|first1=Masahiro|last2=Guha|first2=Saikat|last3=Wilde|first3=Mark M.|date=2014|title=Fundamental rate-loss tradeoff for optical quantum key distribution|journal=Nature Communications|language=en|volume=5|pages=5235|doi=10.1038/ncomms6235|arxiv=1504.06390}}</ref><ref name=PLOB>{{Cite journal|last1=Pirandola|first1=S.|last2=Laurenza|first2=R.|last3=Ottaviani|first3=C.|last4=Banchi|first4=L.|date=2017|title=Fundamental limits of repeaterless quantum communications|journal=Nature Communications|language=en|volume=8|pages=15043|doi=10.1038/ncomms15043|arxiv=1510.08863}}</ref> The rate of the twin field protocol was shown to overcome the repeaterless PLOB bound<ref name=PLOB/> at 340km of optical fiber; its ideal rate surpasses this bound already at 200km and follows the rate-loss scaling of the higher single-repeater bound (see figure 1 of <ref name=TFQKD/> for more details). The protocol suggests that optimal key rates are achievable on "550 kilometers of standard [[Optical fiber|optical fibre]]", which is already commonly used in communications today. 
The theoretical result was confirmed in the first experimental demonstration of QKD beyond the rate-loss limit by Minder et al. in 2019,<ref>{{cite journal|last1=Minder|first1=Mariella|last2=Pittaluga|first2=Mirko|last3=Roberts|first3=George|last4=Lucamarini|first4=Marco|last5=Dynes|first5=James F.|last6=Yuan|first6=Zhiliang|last7=Shields|first7=Andrew J.|title=Experimental quantum key distribution beyond the repeaterless secret key capacity|journal=Nature Photonics|date=February 2019|volume=13|issue=5|pages=334–338|doi=10.1038/s41566-019-0377-7|arxiv=1910.01951}}</ref> which has been characterised as the first ''effective'' quantum repeater.


==Mistrustful quantum cryptography==
==Mistrustful quantum cryptography==
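Review bot: the reused <ref name=TFQKD> citation in the rewritten paragraph lists Shields as first author (last=Shields ... last4=Lucamarini) while the prose attributes the scheme to "Lucamarini et al." and the bibcode ends in "400L"; reorder the author fields so the citation agrees with the text. In the added sentence, "340km" and "200km" need a space before the unit, and "see figure 1 of <ref name=TFQKD/>" uses a footnote marker as a noun, so name the paper in words and keep the ref as a footnote. The edit summary states that the editor is a colleague of the cited groups, and the new performance figures are supported only by those groups' own papers; an independent secondary source for the 340 km and 200 km claims would make them easier to accept.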

Revision as of 10:42, 13 August 2020

Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. non-quantum) communication. For example, it is impossible to copy data encoded in a quantum state. If one attempts to read the encoded data, the quantum state will be changed (no-cloning theorem). This could be used to detect eavesdropping in quantum key distribution.

History

Quantum cryptography traces its beginnings to the work of Stephen Wiesner and Gilles Brassard. In the early 1970s, Wiesner, then at Columbia University in New York, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by the IEEE Information Theory Society, but was eventually published in 1983 in SIGACT News.[1] In this paper he showed how to store or transmit two messages by encoding them in two "conjugate observables", such as linear and circular polarization of photons,[2] so that either, but not both, may be received and decoded. It was not until Charles H. Bennett, of IBM's Thomas J. Watson Research Center, and Gilles Brassard met in 1979 at the 20th IEEE Symposium on the Foundations of Computer Science, held in Puerto Rico, that they discovered how to incorporate the findings of Wiesner. "The main breakthrough came when we realized that photons were never meant to store information, but rather to transmit it."[1] In 1984, building upon this work, Bennett and Brassard proposed a method for secure communication, which is now called BB84.[3] Following a proposal by David Deutsch for using quantum non-locality and Bell's inequalities to achieve secure key distribution,[4] Artur Ekert analysed entanglement-based quantum key distribution in more detail in his 1991 paper.[5]

Random rotations of the polarization by both parties have been proposed in Kak's three-stage protocol.[6] In principle, this method can be used for continuous, unbreakable encryption of data if single photons are used.[7] The basic polarization rotation scheme has been implemented.[8] This represents a method of purely quantum-based cryptography as opposed to quantum key distribution where the actual encryption is classical.[9]

The BB84 method is at the basis of quantum key distribution methods. Companies that manufacture quantum cryptography systems include MagiQ Technologies, Inc. (Boston, Massachusetts, United States), ID Quantique (Geneva, Switzerland), QuintessenceLabs (Canberra, Australia), Toshiba (Tokyo, Japan), and SeQureNet (Paris, France).

Quantum key distribution

The best-known and most developed application of quantum cryptography is quantum key distribution (QKD), which is the process of using quantum communication to establish a shared key between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. If Eve tries to learn information about the key being established, discrepancies will arise, causing Alice and Bob to notice. Once the key is established, it is then typically used for encrypted communication using classical techniques. For instance, the exchanged key could be used for symmetric cryptography.
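The eavesdropping check described above can be seen in a small classical simulation of BB84 over an ideal, lossless channel. This is an added example, not part of the original article; the function names, the 50% sample size and the 11% abort threshold are illustrative assumptions.

```python
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal single-photon measurement: the preparation basis returns the
    encoded bit, the conjugate basis returns a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)


def exchange(n_photons, eavesdrop, rng):
    """Send n_photons BB84 states and return the sifted bits of Alice and Bob."""
    sifted_alice, sifted_bob = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis = a_bit, a_basis  # state currently on the channel
        if eavesdrop:
            # Eve measures in a random basis and re-sends what she observed.
            # A wrong basis choice disturbs the state, as the text explains.
            e_basis = rng.getrandbits(1)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.getrandbits(1)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # sifting: keep positions where bases agree
            sifted_alice.append(a_bit)
            sifted_bob.append(b_bit)
    return sifted_alice, sifted_bob


def check_sample(sifted_alice, sifted_bob, sample_fraction, rng):
    """Publicly compare a random sample of sifted bits.
    Returns (error rate in the sample, Alice's remaining bits, Bob's remaining bits)."""
    n = len(sifted_alice)
    sample = set(rng.sample(range(n), int(n * sample_fraction)))
    errors = sum(sifted_alice[i] != sifted_bob[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    key_alice = [b for i, b in enumerate(sifted_alice) if i not in sample]
    key_bob = [b for i, b in enumerate(sifted_bob) if i not in sample]
    return qber, key_alice, key_bob


def run_session(n_photons, eavesdrop, seed, abort_threshold=0.11):
    """One key-establishment attempt. abort_threshold is an assumed value."""
    rng = random.Random(seed)
    sifted_alice, sifted_bob = exchange(n_photons, eavesdrop, rng)
    qber, key_alice, key_bob = check_sample(sifted_alice, sifted_bob, 0.5, rng)
    abort = qber > abort_threshold
    return {
        "sifted": len(sifted_alice),
        "qber": qber,
        "abort": abort,
        "keys_match": key_alice == key_bob,
        "key_bits": 0 if abort else len(key_alice),
    }


if __name__ == "__main__":
    for label, eve in (("quiet channel", False), ("intercept-resend", True)):
        r = run_session(4000, eve, seed=2020)
        print(f"{label:17s} sifted={r['sifted']} qber={r['qber']:.3f} "
              f"abort={r['abort']} key_bits={r['key_bits']}")
```

On the quiet channel the sampled error rate is exactly zero; with intercept-resend it sits near 25%, so the parties discard the key rather than use it.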

The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a man-in-the-middle attack would be possible.

While QKD is seemingly secure, its applications face the challenge of practicality. This is due to transmission distance and key generation rate limitations. Ongoing studies and growing technology have allowed further advances on these limitations. In 2018 Lucamarini et al. proposed a twin-field QKD scheme[10] that can possibly overcome the point-to-point repeater-less bounds of a lossy communication channel.[11][12] The rate of the twin-field protocol was shown to overcome the repeaterless PLOB bound[12] at 340 km of optical fiber; its ideal rate surpasses this bound already at 200 km and follows the rate-loss scaling of the higher single-repeater bound (see figure 1 of [10] for more details). The protocol suggests that optimal key rates are achievable on "550 kilometers of standard optical fibre", which is already commonly used in communications today. The theoretical result was confirmed in the first experimental demonstration of QKD beyond the rate-loss limit by Minder et al. in 2019,[13] which has been characterised as the first effective quantum repeater.

Mistrustful quantum cryptography

In mistrustful cryptography the participating parties do not trust each other. For example, Alice and Bob collaborate to perform some computation where both parties enter some private inputs. But Alice does not trust Bob and Bob does not trust Alice. Thus, a secure implementation of a cryptographic task requires that after completing the computation, Alice can be guaranteed that Bob has not cheated and Bob can be guaranteed that Alice has not cheated either. Examples of tasks in mistrustful cryptography are commitment schemes and secure computations, the latter including the further examples of coin flipping and oblivious transfer. Key distribution does not belong to the area of mistrustful cryptography. Mistrustful quantum cryptography studies the area of mistrustful cryptography using quantum systems.

In contrast to quantum key distribution where unconditional security can be achieved based only on the laws of quantum physics, in the case of various tasks in mistrustful cryptography there are no-go theorems showing that it is impossible to achieve unconditionally secure protocols based only on the laws of quantum physics. However, some of these tasks can be implemented with unconditional security if the protocols not only exploit quantum mechanics but also special relativity. For example, unconditionally secure quantum bit commitment was shown impossible by Mayers[14] and by Lo and Chau.[15] Unconditionally secure ideal quantum coin flipping was shown impossible by Lo and Chau.[16] Moreover, Lo showed that there cannot be unconditionally secure quantum protocols for one-out-of-two oblivious transfer and other secure two-party computations.[17] However, unconditionally secure relativistic protocols for coin flipping and bit-commitment have been shown by Kent.[18][19]

Quantum coin flipping

Unlike quantum key distribution, quantum coin flipping is a protocol that is used between two participants who do not trust each other.[20] The participants communicate via a quantum channel and exchange information through the transmission of qubits.[21] For example, the sender, Alice, will determine a random basis and sequence of qubits and then transmit them to Bob. Bob then detects and records the qubits. Once Bob has recorded the qubits sent by Alice, he tells Alice his guess of which basis she chose. Alice reports whether Bob won or lost and then transmits her entire original qubit sequence to him. Since the two parties do not trust each other, cheating is likely to occur at any step in the process.[22]

Quantum coin flipping is theoretically a secure means of communicating between two distrustful parties, but it is difficult to physically accomplish.[20]
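The steps above, with the consistency check Bob can run on the sequence Alice reveals, are sketched below as a classical simulation. This is an added example, not part of the original article; the names are illustrative, the channel is assumed ideal, and only one simple lie by Alice (denying a correct guess) is modelled, so it is not a security proof.

```python
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: same basis gives the encoded bit, else a random bit."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)


def coin_flip(n_qubits, alice_lies, seed):
    """Run one coin flip. If alice_lies is True, Alice denies Bob's win
    whenever his guess was in fact correct."""
    rng = random.Random(seed)

    # Alice: one secret basis for the whole sequence, random bit per qubit.
    alice_basis = rng.getrandbits(1)
    alice_bits = [rng.getrandbits(1) for _ in range(n_qubits)]

    # Bob: measures every qubit in a basis of his own choice and records
    # both the basis and the outcome.
    bob_bases = [rng.getrandbits(1) for _ in range(n_qubits)]
    bob_results = [measure(bit, alice_basis, basis, rng)
                   for bit, basis in zip(alice_bits, bob_bases)]

    # Bob announces his guess of Alice's basis.
    bob_guess = rng.getrandbits(1)
    guessed_right = bob_guess == alice_basis

    # Alice announces the outcome and reveals her bit sequence.
    lied = alice_lies and guessed_right
    announced_win = guessed_right and not lied
    revealed_bits = list(alice_bits)

    # Bob's check: the announcement implies a basis. Wherever he happened to
    # measure in that basis, his outcome must equal the revealed bit.
    implied_basis = bob_guess if announced_win else 1 - bob_guess
    checked = [i for i in range(n_qubits) if bob_bases[i] == implied_basis]
    mismatches = sum(bob_results[i] != revealed_bits[i] for i in checked)

    return {
        "announced_win": announced_win,
        "lied": lied,
        "checked": len(checked),
        "mismatches": mismatches,
        "cheating_detected": mismatches > 0,
    }


if __name__ == "__main__":
    for seed in range(6):
        honest = coin_flip(64, False, seed)
        cheat = coin_flip(64, True, seed)
        print(f"seed={seed} honest mismatches={honest['mismatches']:2d} | "
              f"lied={cheat['lied']} mismatches={cheat['mismatches']:2d} "
              f"of {cheat['checked']} checked")
```

An honest announcement always yields zero mismatches, while a false one leaves roughly half of the checked positions inconsistent.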

Quantum commitment

In addition to quantum coin-flipping, quantum commitment protocols are implemented when distrustful parties are involved. A commitment scheme allows a party Alice to fix a certain value (to "commit") in such a way that Alice cannot change that value while at the same time ensuring that the recipient Bob cannot learn anything about that value until Alice reveals it. Such commitment schemes are commonly used in cryptographic protocols (e.g. quantum coin flipping, zero-knowledge proofs, secure two-party computation, and oblivious transfer).

In the quantum setting, they would be particularly useful: Crépeau and Kilian showed that from a commitment and a quantum channel, one can construct an unconditionally secure protocol for performing so-called oblivious transfer.[23] Oblivious transfer, on the other hand, had been shown by Kilian to allow implementation of almost any distributed computation in a secure way (so-called secure multi-party computation).[24] (Notice that here we are a bit imprecise: The results by Crépeau and Kilian[23][24] together do not directly imply that given a commitment and a quantum channel one can perform secure multi-party computation. This is because the results do not guarantee "composability", that is, when plugging them together, one might lose security.)

Unfortunately, early quantum commitment protocols[25] were shown to be flawed. In fact, Mayers showed that (unconditionally secure) quantum commitment is impossible: a computationally unlimited attacker can break any quantum commitment protocol.[14]

Yet, the result by Mayers does not preclude the possibility of constructing quantum commitment protocols (and thus secure multi-party computation protocols) under assumptions that are much weaker than the assumptions needed for commitment protocols that do not use quantum communication. The bounded quantum storage model described below is an example of a setting in which quantum communication can be used to construct commitment protocols. A breakthrough in November 2013 offers "unconditional" security of information by harnessing quantum theory and relativity, which has been successfully demonstrated on a global scale for the first time.[26] More recently, Wang et al. proposed another commitment scheme in which the "unconditional hiding" is perfect.[27]

Bounded- and noisy-quantum-storage model

One possibility to construct unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols is to use the bounded quantum storage model (BQSM). In this model, it is assumed that the amount of quantum data that an adversary can store is limited by some known constant Q. However, no limit is imposed on the amount of classical (i.e., non-quantum) data the adversary may store.

In the BQSM, one can construct commitment and oblivious transfer protocols.[28] The underlying idea is the following: The protocol parties exchange more than Q quantum bits (qubits). Since even a dishonest party cannot store all that information (the quantum memory of the adversary is limited to Q qubits), a large part of the data will have to be either measured or discarded. Forcing dishonest parties to measure a large part of the data allows the protocol to circumvent the impossibility result; commitment and oblivious transfer protocols can now be implemented.[14]

The protocols in the BQSM presented by Damgård, Fehr, Salvail, and Schaffner[28] do not assume that honest protocol participants store any quantum information; the technical requirements are similar to those in quantum key distribution protocols. These protocols can thus, at least in principle, be realized with today's technology. The communication complexity is only a constant factor larger than the bound Q on the adversary's quantum memory.

The advantage of the BQSM is that the assumption that the adversary's quantum memory is limited is quite realistic. With today's technology, storing even a single qubit reliably over a sufficiently long time is difficult. (What "sufficiently long" means depends on the protocol details. By introducing an artificial pause in the protocol, the amount of time over which the adversary needs to store quantum data can be made arbitrarily large.)

An extension of the BQSM is the noisy-storage model introduced by Wehner, Schaffner and Terhal.[29] Instead of considering an upper bound on the physical size of the adversary's quantum memory, an adversary is allowed to use imperfect quantum storage devices of arbitrary size. The level of imperfection is modelled by noisy quantum channels. For high enough noise levels, the same primitives as in the BQSM can be achieved[30] and the BQSM forms a special case of the noisy-storage model.

In the classical setting, similar results can be achieved when assuming a bound on the amount of classical (non-quantum) data that the adversary can store.[31] It was proven, however, that in this model also the honest parties have to use a large amount of memory (namely the square-root of the adversary's memory bound).[32] This makes these protocols impractical for realistic memory bounds. (Note that with today's technology such as hard disks, an adversary can cheaply store large amounts of classical data.)

Position-based quantum cryptography

The goal of position-based quantum cryptography is to use the geographical location of a player as its (only) credential. For example, one wants to send a message to a player at a specified position with the guarantee that it can only be read if the receiving party is located at that particular position. In the basic task of position-verification, a player, Alice, wants to convince the (honest) verifiers that she is located at a particular point. It has been shown by Chandran et al. that position-verification using classical protocols is impossible against colluding adversaries (who control all positions except the prover's claimed position).[33] Under various restrictions on the adversaries, schemes are possible.

Under the name of 'quantum tagging', the first position-based quantum schemes were investigated in 2002 by Kent. A US patent[34] was granted in 2006. The notion of using quantum effects for location verification first appeared in the scientific literature in 2010.[35][36] After several other quantum protocols for position verification were suggested in 2010,[37][38] Buhrman et al. claimed a general impossibility result:[39] using an enormous amount of quantum entanglement (they use a doubly exponential number of EPR pairs, in the number of qubits the honest player operates on), colluding adversaries are always able to make it look to the verifiers as if they were at the claimed position. However, this result does not exclude the possibility of practical schemes in the bounded- or noisy-quantum-storage model (see above). Later Beigi and König improved the number of EPR pairs needed in the general attack against position-verification protocols to exponential. They also showed that a particular protocol remains secure against adversaries who control only a linear number of EPR pairs.[40] It is argued in [41] that due to time-energy coupling the possibility of formal unconditional location verification via quantum effects remains an open problem.

Device-independent quantum cryptography

A quantum cryptographic protocol is device-independent if its security does not rely on trusting that the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices. Mayers and Yao[42] proposed the idea of designing quantum protocols using "self-testing" quantum apparatus, the internal operations of which can be uniquely determined by their input-output statistics. Subsequently, Roger Colbeck in his thesis[43] proposed the use of Bell tests for checking the honesty of the devices. Since then, several problems have been shown to admit unconditionally secure and device-independent protocols, even when the actual devices performing the Bell test are substantially "noisy", i.e., far from being ideal. These problems include quantum key distribution,[44][45] randomness expansion,[45][46] and randomness amplification.[47]

In 2018, theoretical studies performed by Arnon-Friedman et al. suggested that exploiting a property of entropy that is later referred to as the "Entropy Accumulation Theorem (EAT)", an extension of the asymptotic equipartition property, can guarantee the security of a device-independent protocol.[48]

Post-quantum cryptography

Quantum computers may become a technological reality; it is therefore important to study cryptographic schemes used against adversaries with access to a quantum computer. The study of such schemes is often referred to as post-quantum cryptography. The need for post-quantum cryptography arises from the fact that many popular encryption and signature schemes (schemes based on ECC and RSA) can be broken using Shor's algorithm for factoring and computing discrete logarithms on a quantum computer. Examples of schemes that are, as of today's knowledge, secure against quantum adversaries are McEliece and lattice-based schemes, as well as most symmetric-key algorithms.[49][50] Surveys of post-quantum cryptography are available.[51][52]

There is also research into how existing cryptographic techniques have to be modified to be able to cope with quantum adversaries. For example, when trying to develop zero-knowledge proof systems that are secure against quantum adversaries, new techniques need to be used: In a classical setting, the analysis of a zero-knowledge proof system usually involves "rewinding", a technique that makes it necessary to copy the internal state of the adversary. In a quantum setting, copying a state is not always possible (no-cloning theorem); a variant of the rewinding technique has to be used.[53]

Post-quantum algorithms are also called "quantum resistant", because – unlike quantum key distribution – it is not known or provable that there will not be potential future quantum attacks against them. Even though they are not vulnerable to Shor's algorithm, the NSA is announcing plans to transition to quantum-resistant algorithms.[54] The National Institute of Standards and Technology (NIST) believes that it is time to think of quantum-safe primitives.[55]

Quantum cryptography beyond key distribution

So far, quantum cryptography has been mainly identified with the development of quantum key distribution protocols. Unfortunately, symmetric cryptosystems with keys that have been distributed by means of quantum key distribution become inefficient for large networks (many users), because of the necessity for the establishment and the manipulation of many pairwise secret keys (the so-called "key-management problem"). Moreover, this distribution alone does not address many other cryptographic tasks and functions, which are of vital importance in everyday life. Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum, unlike quantum key distribution, in which the cryptographic transformation uses classical algorithms.[56]

Besides quantum commitment and oblivious transfer (discussed above), research on quantum cryptography beyond key distribution revolves around quantum digital signatures,[57][58] quantum one-way functions and public-key encryption,[59][60][61][62][63] quantum fingerprinting[64] and entity authentication (for example, see Quantum readout of PUFs), etc.

References

  1. ^ a b Bennett, Charles H.; et al. (1992). "Experimental quantum cryptography". Journal of Cryptology. 5 (1): 3–28. doi:10.1007/bf00191318.
  2. ^ Wiesner, Stephen (1983). "Conjugate coding". ACM SIGACT News. 15 (1): 78–88. doi:10.1145/1008908.1008920.
  3. ^ Bennett, Charles H.; Brassard, Giles (1984). "Quantum cryptography: Public key distribution and coin tossing". Proceedings of IEEE International Conference on Computers, Systems and Signal Processing. 175: 8.
  4. ^ Deutsch, David (1985). "Quantum theory, the Church-Turing principle and the universal quantum computer". Proceedings of the Royal Society A. 400 (1818): 97. Bibcode:1985RSPSA.400...97D. doi:10.1098/rspa.1985.0070.
  5. ^ Ekert, A (1991). "Quantum cryptography based on Bell's theorem". Physical Review Letters. 67: 661–663. Bibcode:1991PhRvL..67..661E. doi:10.1103/physrevlett.67.661. PMID 10044956.
  6. ^ Kak, Subhash (2006). "A three-stage quantum cryptography protocol". Foundations of Physics Letters. 19 (3): 293–296. arXiv:quant-ph/0503027. doi:10.1007/s10702-006-0520-9.
  7. ^ Chen, Y.; et al. (2009). "Embedded security framework for integrated classical and quantum cryptography in optical burst switching networks". Security and Communication Networks. 2: 546–554.
  8. ^ "A multi-photon approach to quantum cryptography". Kurzweil. 5 October 2012. Archived from the original on 5 February 2015. Retrieved 5 February 2015.
  9. ^ Cardinal, David (2019), Quantum Cryptography Demystified: How It Works in Plain Language. Extreme Tech, March 11.
  10. ^ a b Shields, A. J.; Dynes, J. F.; Yuan, Z. L.; Lucamarini, M. (May 2018). "Overcoming the rate–distance limit of quantum key distribution without quantum repeaters". Nature. 557 (7705): 400–403. arXiv:1811.06826. Bibcode:2018Natur.557..400L. doi:10.1038/s41586-018-0066-6. ISSN 1476-4687. PMID 29720656.
  11. ^ Takeoka, Masahiro; Guha, Saikat; Wilde, Mark M. (2014). "Fundamental rate-loss tradeoff for optical quantum key distribution". Nature Communications. 5: 5235. arXiv:1504.06390. doi:10.1038/ncomms6235.
  12. ^ a b Pirandola, S.; Laurenza, R.; Ottaviani, C.; Banchi, L. (2017). "Fundamental limits of repeaterless quantum communications". Nature Communications. 8: 15043. arXiv:1510.08863. doi:10.1038/ncomms15043.
  13. ^ Minder, Mariella; Pittaluga, Mirko; Roberts, George; Lucamarini, Marco; Dynes, James F.; Yuan, Zhiliang; Shields, Andrew J. (February 2019). "Experimental quantum key distribution beyond the repeaterless secret key capacity". Nature Photonics. 13 (5): 334–338. arXiv:1910.01951. doi:10.1038/s41566-019-0377-7.
  14. ^ a b c Mayers, Dominic (1997). "Unconditionally Secure Quantum Bit Commitment is Impossible". Physical Review Letters. 78 (17): 3414–3417. arXiv:quant-ph/9605044. Bibcode:1997PhRvL..78.3414M. CiteSeerX 10.1.1.251.5550. doi:10.1103/PhysRevLett.78.3414.
  15. ^ Lo, H.-K.; Chau, H. (1997). "Is Quantum Bit Commitment Really Possible?". Phys. Rev. Lett. 78 (17): 3410. arXiv:quant-ph/9603004. Bibcode:1997PhRvL..78.3410L. doi:10.1103/PhysRevLett.78.3410.
  16. ^ Lo, H.-K.; Chau, H. (1998). "Why quantum bit commitment and ideal quantum coin tossing are impossible". Physica D: Nonlinear Phenomena. 120 (1–2): 177–187. arXiv:quant-ph/9711065. doi:10.1016/S0167-2789(98)00053-0.
  17. ^ Lo, H.-K. (1997). "Insecurity of quantum secure computations". Phys. Rev. A. 56 (2): 1154–1162. arXiv:quant-ph/9611031. Bibcode:1997PhRvA..56.1154L. doi:10.1103/PhysRevA.56.1154.
  18. ^ Kent, A. (1999). "Unconditionally Secure Bit Commitment". Phys. Rev. Lett. 83 (7): 1447–1450. arXiv:quant-ph/9810068. doi:10.1103/PhysRevLett.83.1447.
  19. ^ Kent, A. (1999). "Coin Tossing is Strictly Weaker than Bit Commitment". Phys. Rev. Lett. 83 (25): 5382–5384. arXiv:quant-ph/9810067. Bibcode:1999PhRvL..83.5382K. doi:10.1103/PhysRevLett.83.5382.
  20. ^ a b Stuart Mason Dambort (26 March 2014). "Heads or tails: Experimental quantum coin flipping cryptography performs better than classical protocols". Phys.org. Archived from the original on 25 March 2017.
  21. Doescher, C.; Keyl, M. (2002). "An introduction to quantum coin-tossing". arXiv:quant-ph/0206088.
  22. Bennett, Charles H.; Brassard, Gilles (2014). "Quantum cryptography: Public key distribution and coin tossing". Theoretical Computer Science. 560: 7–11. doi:10.1016/j.tcs.2014.05.025.
  23. Crépeau, Claude; Joe, Kilian (1988). Achieving Oblivious Transfer Using Weakened Security Assumptions (Extended Abstract). FOCS 1988. IEEE. pp. 42–52.
  24. Kilian, Joe (1988). Founding cryptography on oblivious transfer. STOC 1988. ACM. pp. 20–31. Archived from the original on 24 December 2004.
  25. Brassard, Gilles; Claude, Crépeau; Jozsa, Richard; Langlois, Denis (1993). A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties. FOCS 1993. IEEE. pp. 362–371.
  26. Lunghi, T.; Kaniewski, J.; Bussières, F.; Houlmann, R.; Tomamichel, M.; Kent, A.; Gisin, N.; Wehner, S.; Zbinden, H. (2013). "Experimental Bit Commitment Based on Quantum Communication and Special Relativity". Physical Review Letters. 111 (18): 180504. arXiv:1306.4801. Bibcode:2013PhRvL.111r0504L. doi:10.1103/PhysRevLett.111.180504. PMID 24237497.
  27. Wang, Ming-Qiang; Wang, Xue; Zhan, Tao (2018). "Unconditionally secure multi-party quantum commitment scheme". Quantum Information Processing. 17 (2): 31. Bibcode:2018QuIP...17...31W. doi:10.1007/s11128-017-1804-7. ISSN 1570-0755.
  28. Damgård, Ivan; Fehr, Serge; Salvail, Louis; Schaffner, Christian (2005). Cryptography In the Bounded Quantum-Storage Model. FOCS 2005. IEEE. pp. 449–458. arXiv:quant-ph/0508222.
  29. Wehner, Stephanie; Schaffner, Christian; Terhal, Barbara M. (2008). "Cryptography from Noisy Storage". Physical Review Letters. 100 (22): 220502. arXiv:0711.2895. Bibcode:2008PhRvL.100v0502W. doi:10.1103/PhysRevLett.100.220502. PMID 18643410.
  30. Doescher, C.; Keyl, M.; Wullschleger, Jürg (2009). "Unconditional security from noisy quantum storage". IEEE Transactions on Information Theory. 58 (3): 1962–1984. arXiv:0906.1030. doi:10.1109/TIT.2011.2177772.
  31. Cachin, Christian; Crépeau, Claude; Marcil, Julien (1998). Oblivious Transfer with a Memory-Bounded Receiver. FOCS 1998. IEEE. pp. 493–502.
  32. Dziembowski, Stefan; Ueli, Maurer (2004). On Generating the Initial Key in the Bounded-Storage Model (PDF). Eurocrypt 2004. LNCS. Vol. 3027. Springer. pp. 126–137. Archived (PDF) from the original on 11 March 2020. Retrieved 11 March 2020.
  33. Chandran, Nishanth; Moriarty, Ryan; Goyal, Vipul; Ostrovsky, Rafail (2009). Position-Based Cryptography.
  34. US 7075438, issued 2006-07-11
  35. Malaney, Robert (2010). "Location-dependent communications using quantum entanglement". Physical Review A. 81 (4): 042319. arXiv:1003.0949. Bibcode:2010PhRvA..81d2319M. doi:10.1103/PhysRevA.81.042319.
  36. Malaney, Robert (2010). Quantum Location Verification in Noisy Channels. IEEE Global Telecommunications Conference GLOBECOM 2010. pp. 1–6. arXiv:1004.4689. doi:10.1109/GLOCOM.2010.5684009.
  37. Doescher, C.; Keyl, M.; Spiller, Timothy P. (2011). "Quantum Tagging: Authenticating Location via Quantum Information and Relativistic Signalling Constraints". Physical Review A. 84 (1): 012326. arXiv:1008.2147. Bibcode:2011PhRvA..84a2326K. doi:10.1103/PhysRevA.84.012326.
  38. Lau, Hoi-Kwan; Lo, Hoi-Kwong (2010). "Insecurity of position-based quantum-cryptography protocols against entanglement attacks". Physical Review A. 83 (1): 012322. arXiv:1009.2256. Bibcode:2011PhRvA..83a2322L. doi:10.1103/PhysRevA.83.012322.
  39. Doescher, C.; Keyl, M.; Fehr, Serge; Gelles, Ran; Goyal, Vipul; Ostrovsky, Rafail; Schaffner, Christian (2010). "Position-Based Quantum Cryptography: Impossibility and Constructions". SIAM Journal on Computing. 43: 150–178. arXiv:1009.2490. Bibcode:2010arXiv1009.2490B. doi:10.1137/130913687.
  40. Beigi, Salman; König, Robert (2011). "Simplified instantaneous non-local quantum computation with applications to position-based cryptography". New Journal of Physics. 13 (9): 093036. arXiv:1101.1065. Bibcode:2011NJPh...13i3036B. doi:10.1088/1367-2630/13/9/093036.
  41. Malaney, Robert (2016). "The Quantum Car". IEEE Wireless Communications Letters. 5 (6): 624–627. arXiv:1512.03521. doi:10.1109/LWC.2016.2607740.
  42. Mayers, Dominic; Yao, Andrew C.-C. (1998). Quantum Cryptography with Imperfect Apparatus. IEEE Symposium on Foundations of Computer Science (FOCS). arXiv:quant-ph/9809039. Bibcode:1998quant.ph..9039M.
  43. Colbeck, Roger (December 2006). "Chapter 5". Quantum And Relativistic Protocols For Secure Multi-Party Computation (Thesis). University of Cambridge. arXiv:0911.3814.
  44. Vazirani, Umesh; Vidick, Thomas (2014). "Fully Device-Independent Quantum Key Distribution". Physical Review Letters. 113 (2): 140501. arXiv:1403.3830. Bibcode:2014PhRvL.113b0501A. doi:10.1103/PhysRevLett.113.020501. PMID 25062151.
  45. Miller, Carl; Shi, Yaoyun (2014). "Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices". Journal of the ACM. 63 (4): 33. arXiv:1402.0489. Bibcode:2014arXiv1402.0489M.
  46. Miller, Carl; Shi, Yaoyun (2017). "Universal security for randomness expansion". SIAM Journal on Computing. 46 (4): 1304–1335. arXiv:1411.6608. doi:10.1137/15M1044333.
  47. Chung, Kai-Min; Shi, Yaoyun; Wu, Xiaodi (2014). "Physical Randomness Extractors: Generating Random Numbers with Minimal Assumptions". arXiv:1402.4797 [quant-ph].
  48. Arnon-Friedman, Rotem; Dupuis, Frédéric; Fawzi, Omar; Renner, Renato; Vidick, Thomas (31 January 2018). "Practical device-independent quantum cryptography via entropy accumulation". Nature Communications. 9 (1): 459. Bibcode:2018NatCo...9..459A. doi:10.1038/s41467-017-02307-4. ISSN 2041-1723. PMC 5792631. PMID 29386507.
  49. Daniel J. Bernstein (2009). "Introduction to post-quantum cryptography" (PDF). Post-Quantum Cryptography.
  50. Daniel J. Bernstein (17 May 2009). Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? (PDF) (Report). Archived (PDF) from the original on 25 August 2017.
  51. "Post-quantum cryptography". Archived from the original on 17 July 2011. Retrieved 29 August 2010.
  52. Bernstein, Daniel J.; Buchmann, Johannes; Dahmen, Erik, eds. (2009). Post-quantum cryptography. Springer. ISBN 978-3-540-88701-0.
  53. Watrous, John (2009). "Zero-Knowledge against Quantum Attacks". SIAM Journal on Computing. 39 (1): 25–58. arXiv:quant-ph/0511020. CiteSeerX 10.1.1.190.2789. doi:10.1137/060670997.
  54. "NSA Suite B Cryptography". Archived from the original on 1 January 2016. Retrieved 29 December 2015.
  55. "Quantum Resistant Public Key Exchange: The Supersingular Isogenous Diffie-Hellman Protocol – CoinFabrik Blog". blog.coinfabrik.com. 13 October 2016. Archived from the original on 2 February 2017. Retrieved 24 January 2017.
  56. Thapliyal, K.; Pathak, A. (2018). "Kak's three-stage protocol of secure quantum communication revisited". Quantum Information Processing. 17 (9). arXiv:1803.02157. Bibcode:2018QuIP...17..229T. doi:10.1007/s11128-018-2001-z.
  57. Doescher, C.; Keyl, M. (2001). "Quantum Digital Signatures". arXiv:quant-ph/0105032.
  58. Collins, Robert J.; Donaldson, Ross J.; Dunjko, Vedran; Wallden, Petros; Clarke, Patrick J.; Andersson, Erika; Jeffers, John; Buller, Gerald S. (2014). "Realization of Quantum Digital Signatures without the Requirement of Quantum Memory". Physical Review Letters. 113 (4): 040502. arXiv:1311.5760. Bibcode:2014PhRvL.113d0502C. doi:10.1103/PhysRevLett.113.040502. PMID 25105603.
  59. Kawachi, Akinori; Koshiba, Takeshi; Nishimura, Harumichi; Yamakami, Tomoyuki (2011). "Computational Indistinguishability Between Quantum States and its Cryptographic Application". Journal of Cryptology. 25 (3): 528–555. CiteSeerX 10.1.1.251.6055. doi:10.1007/s00145-011-9103-4.
  60. Kabashima, Yoshiyuki; Murayama, Tatsuto; Saad, David (2000). "Cryptographical Properties of Ising Spin Systems". Physical Review Letters. 84 (9): 2030–2033. arXiv:cond-mat/0002129. Bibcode:2000PhRvL..84.2030K. doi:10.1103/PhysRevLett.84.2030. PMID 11017688.
  61. Nikolopoulos, Georgios M. (2008). "Applications of single-qubit rotations in quantum public-key cryptography". Physical Review A. 77 (3): 032348. arXiv:0801.2840. doi:10.1103/PhysRevA.77.032348.
  62. Nikolopoulos, Georgios M.; Ioannou, Lawrence M. (2009). "Deterministic quantum-public-key encryption: Forward search attack and randomization". Physical Review A. 79 (4): 042327. arXiv:0903.4744. Bibcode:2009PhRvA..79d2327N. doi:10.1103/PhysRevA.79.042327.
  63. Seyfarth, U.; Nikolopoulos, G. M.; Alber, G. (2012). "Symmetries and security of a quantum-public-key encryption based on single-qubit rotations". Physical Review A. 85 (2): 022342. arXiv:1202.3921. Bibcode:2012PhRvA..85b2342S. doi:10.1103/PhysRevA.85.022342.
  64. Buhrman, Harry; Cleve, Richard; Watrous, John; De Wolf, Ronald (2001). "Quantum Fingerprinting". Physical Review Letters. 87 (16): 167902. arXiv:quant-ph/0102001. doi:10.1103/PhysRevLett.87.167902. PMID 11690244.