
that multiplies two prime numbers; if Shor's algorithm for efficient factorisation is implemented on a quantum computer, this defense is very vulnerable.

1.3.2 The One-Time Pad

Thus far it has been shown:

that quantum phenomena, as employed in conjugate coding, can be used to establish arbitrarily secure bit sequences between two parties;

that secret–key cryptosystems generally suffer from the need to establish keys prior to transmission;

and that public–key cryptosystems alleviate the need for key distribution, but rely on the intractability of certain computational problems, which makes them vulnerable in the face of quantum computers.

It follows that conjugate coding could likely be used to solve the problem of key distribution. Given that the keys that result from this process are highly secure, the only remaining issue is to select a perfect secret–key cryptosystem that uses them.

A cryptosystem is perfect in the information–theoretic sense if intercepting any cryptogram gives no information whatsoever about the message it encodes. The Vernam cipher, or one–time pad, is the classic example of a perfect cryptosystem. In this system, the key used to encode a particular message is a uniformly random bit sequence at least as long as the message itself, and a fresh key is used for each transmission. Since every key is random and used only once, eavesdropping on transmissions can never yield any information about the messages. The guarantee depends on single use: if the same key is ever applied to two messages, combining the two cryptograms cancels the key and exposes the relation between the two messages.

Combined with a perfect cryptosystem such as the one–time pad, quantum key distribution can be used in a communication system with perfect secrecy.
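The following is an added example, not code from the original thesis, showing the Vernam cipher behaviour described above in working Python. It uses XOR as the combining operation and the operating-system CSPRNG (`secrets`) as a stand-in for the key that quantum key distribution would deliver; both are assumptions of the example. The `key_explaining` function makes perfect secrecy concrete (any plaintext of the right length is consistent with a given cryptogram under some key), and the two-time-pad functions show what is lost when a pad is reused.

```python
import secrets


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    """Vernam cipher: XOR each message byte with the corresponding key byte.

    Perfect secrecy needs three things of the key: uniformly random,
    at least as long as the message, and used for exactly one message.
    """
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(key, ciphertext)


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG (assumption: stands in for a QKD-derived key)."""
    return secrets.token_bytes(length)


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy, constructively: for ANY candidate plaintext of the
    right length there is a key under which it encrypts to the observed
    ciphertext, so the ciphertext alone does not favour one message over
    another."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must have the same length as the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Failure mode: if one pad encrypts two messages, XORing the two
    ciphertexts cancels the key and leaves m1 XOR m2, which depends only
    on the plaintexts."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With a known (or guessed) first plaintext, the second falls out of
    m1 XOR m2 directly; the reused key is never needed."""
    return bytes(x ^ p for x, p in zip(two_time_pad_leak(c1, c2), known_m1))


if __name__ == "__main__":
    # Constructed sample messages (same length so one pad covers both).
    m1 = b"ATTACK AT DAWN!!"
    m2 = b"RETREAT AT NOON!"
    pad = new_pad(len(m1))
    c1 = otp_encrypt(pad, m1)
    assert otp_decrypt(pad, c1) == m1
    # Any other plaintext is equally consistent with c1 under some key.
    assert otp_encrypt(key_explaining(c1, m2), m2) == c1
    # Reusing the pad for m2 leaks m1 XOR m2 and, with a crib, m2 itself.
    c2 = otp_encrypt(pad, m2)  # WRONG: second use of the same pad
    print("recovered from reuse:", recover_with_crib(c1, c2, m1))
```

The `key_explaining` check is the whole content of "perfect": an eavesdropper holding `c1` can construct a key for every plaintext of that length, so nothing distinguishes the real one. The reuse functions are why key distribution, not the cipher, is the hard part in practice: every message consumes as much fresh key as it has bits.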

1.4 Other Quantum Protocols

Gilles Brassard and Charles Bennett extended the principles behind quantum key distribution and quantum oblivious transfer to other cryptographic applications16. In particular, they proposed protocols for quantum bit commitment and quantum coin–flipping. We will turn our attention to these now, and we will also see how the quantum phenomenon of entanglement can be employed to construct useful protocols.

1.4.1 Bit Commitment and Coin Flipping

Commitment as a cryptographic term refers to proof that a certain party possesses a particular datum. Although the datum is known only to that party, with commitment she can definitively prove to any other party that she is using that datum and cannot alter it. A commitment protocol thus allows party A to commit to a prediction (i.e. a series of bits) without revealing her prediction to B until some time in the future17.

Several commitment protocols exist18 but can be subverted using subtle attacks. The quantum bit commitment protocol was originally shown to be provably secure19. Unfortunately, it was eventually proved that unconditionally secure quantum bit commitment is impossible20.

Coin flipping is another cryptographic problem akin to bit commitment. Using a coin flipping protocol, two parties can flip a coin at a distance and agree on the outcome. However, the outcome of the flip is not determined individually by one of the two parties, since it is assumed they do not trust each other. A coin flipping protocol allows them to agree on the outcome nevertheless.

In coin flipping, no third party is required to determine who the winner and loser are. There has to be a 50% chance of winning a coin flip for both parties, and any attempt to bias the outcome should be immediately detectable.

The traditional solutions to both problems of bit commitment and coin flipping rely on unproven assumptions about computational complexity for their security. Just as cryptosystems that rely on the difficulty of factoring products of large primes are vulnerable to quantum computers, it is likely that existing schemes for the above problems will become defenseless with an increase in computational power. This is exactly why quantum protocols offer an elegant alternative: their security rests only on our understanding of the physical world.
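To make the "traditional solution" concrete, here is an added example (not from the original thesis) of a classical commitment and the coin flip built on it, in Python. The commitment is assumed to be SHA-256 over a random nonce and the bit; its hiding and binding properties rest exactly on the computational assumptions about the hash that the paragraph above refers to, which is the contrast with the quantum protocols. The `alice_opens_as` parameter is an assumption of the example used to simulate a party who tries to bias the result after seeing the other's choice.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def commit(bit: int, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Alice's commitment to one bit: c = SHA-256(nonce || bit).

    The 32-byte random nonce makes c reveal nothing about the bit
    (hiding); opening to the other bit without changing c would need a
    second preimage of SHA-256 (binding). Both rest on computational
    assumptions about the hash, not on physics.
    """
    if bit not in (0, 1):
        raise ValueError("commit to a single bit")
    if nonce is None:
        nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + bytes([bit])).digest(), nonce


def verify_opening(commitment: bytes, nonce: bytes, bit: int) -> bool:
    """Bob checks that the opened (nonce, bit) hashes to what he was sent."""
    expected = hashlib.sha256(nonce + bytes([bit])).digest()
    return hmac.compare_digest(expected, commitment)


def coin_flip(alice_bit: int, bob_bit: int,
              alice_opens_as: Optional[int] = None) -> Optional[int]:
    """Coin flip over a commitment (the classical, complexity-based scheme).

    1. Alice picks bit a and sends commit(a).
    2. Bob, seeing only the commitment, announces his bit b in the clear.
    3. Alice opens her commitment.
    4. Both compute the outcome a XOR b.

    alice_opens_as simulates a cheating Alice who, after seeing b, tries
    to open to a different bit. Returns None when Bob detects the cheat.
    """
    # Step 1: Alice commits before learning anything from Bob.
    c, nonce = commit(alice_bit)
    # Step 2: Bob replies with his bit. Because c is binding, it is too
    # late for Alice to choose a as a function of b; because c is hiding,
    # Bob could not choose b as a function of a.
    b = bob_bit
    # Step 3: Alice opens, honestly or with the bit she now wishes she had chosen.
    opened = alice_bit if alice_opens_as is None else alice_opens_as
    if not verify_opening(c, nonce, opened):
        return None  # Bob rejects the opening: the bias attempt is detected
    # Step 4: neither party controls the XOR alone.
    return opened ^ b


if __name__ == "__main__":
    print("honest flip:", coin_flip(1, 0))
    print("cheating Alice:", coin_flip(1, 1, alice_opens_as=0))
```

Detection here is only as good as the hash: if second preimages of SHA-256 became cheap, `verify_opening` would accept a dishonest opening and the 50/50 guarantee would be gone. A party who simply refuses to open must also be handled by policy (typically treated as having lost), which the protocol itself cannot force.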

1.4.2 Entanglement-Based Protocols

So far, only superposition and the nature of measurement have been presented as distinctive aspects of quantum theory. There is one more feature of the subatomic world which allows the development of effective communication schemes: quantum entanglement.

A system of particles may exist in a certain state, which cannot be broken down and expressed in terms of the individual particles' states; this state, which describes the totality of the particles, is an entangled state. An example of such a state is

\[
\Psi_{[12]} = \frac{1}{\sqrt{2}}\left( |0\rangle_{[1]} \otimes |1\rangle_{[2]} - |1\rangle_{[1]} \otimes |0\rangle_{[2]} \right) \qquad (1.11)
\]

Notation 1.4 The tensor product of two state vectors $|a\rangle$ and $|b\rangle$ is written $|a\rangle \otimes |b\rangle$ or $|a\rangle|b\rangle$. This is frequently shortened to $|ab\rangle$ in the literature. More information about the tensor product of quantum states can be found in Rieffel and Polak (2000); Nielsen and Chuang (2000) and in section 2.1.3.

Equation (1.11) describes the state of a system of two particles (labelled [1] and [2] respectively). The system is in a superposition of the state $|0\rangle_{[1]} \otimes |1\rangle_{[2]}$ (in which particle 1 is in state $|0\rangle$ and particle 2 in state $|1\rangle$) and the state $|1\rangle_{[1]} \otimes |0\rangle_{[2]}$ (in which particle 1 is in state $|1\rangle$ and particle 2 in state $|0\rangle$). The state cannot be decomposed into a product of individual states of the form $(a|0\rangle + b|1\rangle)$, i.e.

\[
\nexists\, a_1, b_1, a_2, b_2 : \quad \Psi_{[12]} = \left(a_1 |0\rangle_{[1]} + b_1 |1\rangle_{[1]}\right) \otimes \left(a_2 |0\rangle_{[2]} + b_2 |1\rangle_{[2]}\right) \qquad (1.12)
\]
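Why no choice of amplitudes can satisfy (1.12) is worked out here as an added step that is not part of the original text, using the symbols of (1.11) and (1.12). Expanding the product state gives

\[
\left(a_1 |0\rangle_{[1]} + b_1 |1\rangle_{[1]}\right) \otimes \left(a_2 |0\rangle_{[2]} + b_2 |1\rangle_{[2]}\right)
= a_1 a_2\,|00\rangle + a_1 b_2\,|01\rangle + b_1 a_2\,|10\rangle + b_1 b_2\,|11\rangle .
\]

Matching coefficients against (1.11), whose only non-zero amplitudes are those of $|01\rangle$ and $|10\rangle$, each of modulus $1/\sqrt{2}$, requires

\[
a_1 a_2 = 0, \qquad b_1 b_2 = 0, \qquad a_1 b_2 = \tfrac{1}{\sqrt{2}}, \qquad b_1 a_2 = -\tfrac{1}{\sqrt{2}} .
\]

The first equation forces $a_1 = 0$ or $a_2 = 0$; but $a_1 = 0$ contradicts $a_1 b_2 \neq 0$, and $a_2 = 0$ contradicts $b_1 a_2 \neq 0$. Equivalently, every product state satisfies $(a_1 a_2)(b_1 b_2) = (a_1 b_2)(b_1 a_2)$, i.e. the $2 \times 2$ matrix of amplitudes has zero determinant, whereas for (1.11) the left-hand side is $0$ and the right-hand side is $-\tfrac{1}{2}$. Hence the state is entangled, which is the content of (1.12).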

The existence of entangled states such as (1.11) led Einstein and some of his contemporaries to doubt the validity and completeness of quantum theory. The primary reason for this is that entangled quantum states exhibit unusual properties when measured. Two particles that are entangled are correlated in such a way that, if one of the two is measured, the other is affected. By
