Quantum cryptography describes the use of quantum mechanical effects (in particular quantum communication and quantum computation) to perform cryptographic tasks or to break cryptographic systems.
Wellknown examples of quantum cryptography are the use of quantum communication to exchange a key securely (quantum key distribution) and the hypothetical use of quantum computers that would allow the breaking of various popular publickey encryption and signature schemes (e.g., RSA and ElGamal).
The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. nonquantum) communication (see below for examples). For example, quantum mechanics guarantees that measuring quantum data disturbs that data; this can be used to detect eavesdropping in quantum key distribution.
Contents

History 1

Quantum key distribution 2

Quantum commitment 3

Bounded and noisyquantumstorage model 4

Positionbased quantum cryptography 5

Postquantum cryptography 6

References 7
History
Quantum cryptography was proposed first by Charles H. Bennett, of the IBM Thomas J. Watson Research Center, and Gilles Brassard, of the Université de Montréal, proposed a method for secure communication based on Wiesner’s "conjugate observables". In 1990, independently and initially unaware of the earlier work, Artur Ekert, then a Ph.D. student at Wolfson College, University of Oxford, developed a different approach to quantum key distribution based on peculiar quantum correlations known as quantum entanglement.
Quantum key distribution
The most well known and developed application of quantum cryptography is quantum key distribution (QKD). QKD describes the process of using quantum communication to establish a shared key between two parties (usually called Alice and Bob) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. This is achieved by Alice encoding the bits of the key as quantum data and sending them to Bob; if Eve tries to learn these bits, the messages will be disturbed and Alice and Bob will notice. The key is then typically used for encrypted communication.
The security of QKD can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a maninthemiddle attack would be possible.
Quantum commitment
Following the discovery of quantum key distribution and its unconditional security, researchers tried to achieve other cryptographic tasks with unconditional security. One such task was commitment. A commitment scheme allows a party Alice to fix a certain value (to "commit") in such a way that Alice cannot change that value while at the same time ensuring that the recipient Bob cannot learn anything about that value until Alice decides to reveal it. Such commitment schemes are commonly used in cryptographic protocols. In the quantum setting, they would be particularly useful: Crépeau and Kilian showed that from a commitment and a quantum channel, one can construct an unconditionally secure protocol for performing socalled oblivious transfer.^{[1]} Oblivious transfer, on the other hand, had been shown by Kilian to allow implementation of almost any distributed computation in a secure way (socalled secure multiparty computation).^{[2]} (Notice that here we are a bit imprecise: The results by Crépeau and Kilian^{[1]} and Kilian^{[2]} together do not directly imply that given a commitment and a quantum channel one can perform secure multiparty computation. This is because the results do not guarantee "composability", that is, when plugging them together, one might lose security. Later works showed, however, how composability can be ensured in this setting.)
Unfortunately, early quantum commitment protocols^{[3]} were shown to be flawed. In fact, Mayers showed that (unconditionally secure) quantum commitment is impossible: a computationally unlimited attacker can break any quantum commitment protocol.^{[4]}
Yet, the result by Mayers does not preclude the possibility of constructing quantum commitment protocols (and thus secure multiparty computation protocols) under assumptions that are much weaker than the assumptions needed for commitment protocols that do not use quantum communication. The bounded quantum storage model described below is an example for a setting in which quantum communication can be used to construct commitment protocols. A breakthrough in November 2013 offers “unconditional” security of information by harnessing quantum theory and relativity, which has been successfully demonstrated on a global scale for the first time.^{[5]}
Bounded and noisyquantumstorage model
One possibility to construct unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols is to use the bounded quantum storage model (BQSM). In this model, we assume that the amount of quantum data that an adversary can store is limited by some known constant Q. We do not, however, impose any limit on the amount of classical (i.e., nonquantum) data the adversary may store.
In the BQSM, one can construct commitment and oblivious transfer protocols.^{[6]} The underlying idea is the following: The protocol parties exchange more than Q quantum bits (qubits). Since even a dishonest party cannot store all that information (the quantum memory of the adversary is limited to Q qubits), a large part of the data will have to be either measured or discarded. Forcing dishonest parties to measure a large part of the data allows to circumvent the impossibility result by Mayers;^{[4]} commitment and oblivious transfer protocols can now be implemented.
The protocols in the BQSM presented by Damgård, Fehr, Salvail, and Schaffner^{[6]} do not assume that honest protocol participants store any quantum information; the technical requirements are similar to those in QKD protocols. These protocols can thus, at least in principle, be realized with today's technology. The communication complexity is only a constant factor larger than the bound Q on the adversary's quantum memory.
The advantage of the BQSM is that the assumption that the adversary's quantum memory is limited is quite realistic. With today's technology, storing even a single qubit reliably over a sufficiently long time is difficult. (What "sufficiently long" means depends on the protocol details. By introducing an artificial pause in the protocol, the amount of time over which the adversary needs to store quantum data can be made arbitrarily large.)
An extension of the BQSM is the noisystorage model introduced by Wehner, Schaffner and Terhal.^{[7]} Instead of considering an upper bound on the physical size of the adversary's quantum memory, an adversary is allowed to use imperfect quantum storage devices of arbitrary size. The level of imperfection is modelled by noisy quantum channels. For high enough noise levels, the same primitives as in the BQSM can be achieved ^{[8]} and the BQSM forms a special case of the noisystorage model.
In the classical setting, similar results can be achieved when assuming a bound on the amount of classical (nonquantum) data that the adversary can store.^{[9]} It was proven, however, that in this model also the honest parties have to use a large amount of memory (namely the squareroot of the adversary's memory bound).^{[10]} This makes these protocols impractical for realistic memory bounds. (Note that with today's technology such as hard disks, an adversary can cheaply store large amounts of classical data.)
Positionbased quantum cryptography
The goal of positionbased quantum cryptography is to use the geographical location of a player as its (only) credential. For example, one wants to send a message to a player at a specified position with the guarantee that it can only be read if the receiving party is located at that particular position. In the basic task of positionverification, a player Alice wants to convince the (honest) verifiers that she is located at a particular point. It has been shown by Chandran et al. that positionverification using classical protocols is impossible against colluding adversaries (who control all positions except the prover's claimed position).^{[11]} Under various restrictions on the adversaries, schemes are possible.
Under the name of 'quantum tagging', the first positionbased quantum schemes have been investigated in 2002 by Kent. A USpatent^{[12]} was granted in 2006, but the results only appeared in the scientific literature in 2010.^{[13]} After several other quantum protocols for position verification have been suggested in 2010,^{[14]}^{[15]} Buhrman et al. were able to show a general impossibility result:^{[16]} using an enormous amount of quantum entanglement, colluding adversaries are always able to make it look to the verifiers as if they were at the claimed position. However, this result does not exclude the possibility of practical schemes in the bounded or noisyquantumstorage model (see above).
Postquantum cryptography
In a predictive sense, [17]^{[18]}
There is also research into how existing cryptographic techniques have to be modified to be able to cope with quantum adversaries. For example, when trying to develop zeroknowledge proof systems that are secure against quantum adversaries, new techniques need to be used: In a classical setting, the analysis of a zeroknowledge proof system usually involves "rewinding", a technique that makes it necessary to copy the internal state of the adversary. In a quantum setting, copying a state is not always possible (nocloning theorem); a variant of the rewinding technique has to be used.^{[19]}
References

^ ^{a} ^{b} Crépeau, Claude; Joe, Kilian (1988). "Achieving Oblivious Transfer Using Weakened Security Assumptions (Extended Abstract)". FOCS 1988. IEEE. pp. 42–52.

^ ^{a} ^{b} Joe, Kilian (1988). "Founding cryptography on oblivious transfer". STOC 1988. ACM. pp. 20–31.

^ Gilles, Brassard; Crépeau, Claude; Richard, Jozsa; Langlois, Denis (1993). "A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties". FOCS 1993. IEEE. pp. 362–371.

^ ^{a} ^{b} Mayers, Dominic (1997). "Unconditionally Secure Quantum Bit Commitment is Impossible". Physical Review Letters (APS) 78 (17): 3414–3417. Preprint at arXiv:quantph/9605044v2

^ "Experimental Bit Commitment Based on Quantum Communication and Special Relativity".

^ ^{a} ^{b} Damgård, Ivan; Fehr, Serge; Salvail, Louis; Schaffner, Christian (2005). "Cryptography In the Bounded QuantumStorage Model". FOCS 2005. IEEE. pp. 449–458. A full version is available at arXiv:quantph/0508222.

^ Wehner, Stephanie; Schaffner, Christian; Terhal, Barbara M. (2008). "Cryptography from Noisy Storage". Physical Review Letters (APS) 100 (22): 220502. A full version is available at arXiv:0711.2895.

^ Koenig, Robert; Wehner, Stephanie; Wullschleger, Juerg. "Unconditional security from noisy quantum storage". A full version is available at arXiv:0906.1030.

^ Cachin, Christian; Crépeau, Claude; Marcil, Julien (1998). "Oblivious Transfer with a MemoryBounded Receiver". FOCS 1998. IEEE. pp. 493–502.

^ Dziembowski, Stefan; Ueli, Maurer (2004). "On Generating the Initial Key in the BoundedStorage Model". Eurocrypt 2004. LNCS 3027. Springer. pp. 126–137. Preprint available at [1].

^ Chandran, Nishanth; Moriarty, Ryan; Goyal, Vipul; Ostrovsky, Rafail (2009). PositionBased Cryptography. A full version is available at IACR eprint:2009/364.

^ US 7075438, issued 20060711

^ Kent, Adrian; Munro, Bill; Spiller, Tim (2010). "Quantum Tagging with Cryptographically Secure Tags". A full version is available at arXiv:1008.2147.

^ Lau, HoiKwan; Lo, HoiKwong (2010). "Insecurity of positionbased quantumcryptography protocols against entanglement attacks". Physical Review A (APS) 83: 012322. A full version is available at arXiv:1009.2256.

^ Malaney, Robert A. (2010). "Locationdependent communications using quantum entanglement". Physical Review A 81: 042319.

^ Buhrman, Harry; Chandran, Nishanth; Fehr, Serge; Gelles, Ran; Goyal, Vipul; Ostrovsky, Rafail; Schaffner, Christian (2010). "PositionBased Quantum Cryptography: Impossibility and Constructions". A full version is available at arXiv:1009.2490.

^ "Postquantum cryptography". Retrieved 29 August 2010.

^ Bernstein, Daniel J.; Buchmann, Johannes; Dahmen, Erik, eds. (2009). Postquantum cryptography. Springer.

^ Watrous, John (2009). "ZeroKnowledge against Quantum Attacks". SIAM J. Comput. 39 (1): 25–58.
This article was sourced from Creative Commons AttributionShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, EGovernment Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a nonprofit organization.