A proposal for founding mistrustful quantum cryptography on coin tossing

A significant branch of classical cryptography deals with the problems which arise when mistrustful parties need to generate, process or exchange information. As Kilian showed a while ago, mistrustful classical cryptography can be founded on a single protocol, oblivious transfer, from which general secure multi-party computations can be built. The scope of mistrustful quantum cryptography is limited by no-go theorems, which rule out, inter alia, unconditionally secure quantum protocols for oblivious transfer or general secure two-party computations. These theorems apply even to protocols which take relativistic signalling constraints into account. The best that can be hoped for, in general, are quantum protocols computationally secure against quantum attack. I describe here a method for building a classically certified bit commitment, and hence every other mistrustful cryptographic task, from a secure coin tossing protocol. No security proof is attempted, but I sketch reasons why these protocols might resist quantum computational attack.Comment: Title altered in deference to Physical Review's fear of question marks. Published version; references update

No Superluminal Signaling Implies Unconditionally Secure Bit Commitment

Bit commitment (BC) is an important cryptographic primitive for an agent to convince a mutually mistrustful party that she has already made a binding choice of 0 or 1 but only to reveal her choice at a later time. Ideally, a BC protocol should be simple, reliable, easy to implement using existing technologies, and most importantly unconditionally secure in the sense that its security is based on an information-theoretic proof rather than computational complexity assumption or the existence of a trustworthy arbitrator. Here we report such a provably secure scheme involving only one-way classical communications whose unconditional security is based on no superluminal signaling (NSS). Our scheme is inspired by the earlier works by Kent, who proposed two impractical relativistic protocols whose unconditional securities are yet to be established as well as several provably unconditionally secure protocols which rely on both quantum mechanics and NSS. Our scheme is conceptually simple and shows for the first time that quantum communication is not needed to achieve unconditional security for BC. Moreover, with purely classical communications, our scheme is practical and easy to implement with existing telecom technologies. This completes the cycle of study of unconditionally secure bit commitment based on known physical laws.Comment: This paper has been withdrawn by the authors due to a crucial oversight on an earlier work by A. Ken

Coin Tossing is Strictly Weaker Than Bit Commitment

We define cryptographic assumptions applicable to two mistrustful parties who each control two or more separate secure sites between which special relativity guarantees a time lapse in communication. We show that, under these assumptions, unconditionally secure coin tossing can be carried out by exchanges of classical information. We show also, following Mayers, Lo and Chau, that unconditionally secure bit commitment cannot be carried out by finitely many exchanges of classical or quantum information. Finally we show that, under standard cryptographic assumptions, coin tossing is strictly weaker than bit commitment. That is, no secure classical or quantum bit commitment protocol can be built from a finite number of invocations of a secure coin tossing black box together with finitely many additional information exchanges.Comment: Final version; to appear in Phys. Rev. Let

On the communication cost of entanglement transformations

We study the amount of communication needed for two parties to transform some given joint pure state into another one, either exactly or with some fidelity. Specifically, we present a method to lower bound this communication cost even when the amount of entanglement does not increase. Moreover, the bound applies even if the initial state is supplemented with unlimited entanglement in the form of EPR pairs, and the communication is allowed to be quantum mechanical. We then apply the method to the determination of the communication cost of asymptotic entanglement concentration and dilution. While concentration is known to require no communication whatsoever, the best known protocol for dilution, discovered by Lo and Popescu [Phys. Rev. Lett. 83(7):1459--1462, 1999], requires a number of bits to be exchanged which is of the order of the square root of the number of EPR pairs. Here we prove a matching lower bound of the same asymptotic order, demonstrating the optimality of the Lo-Popescu protocol up to a constant factor and establishing the existence of a fundamental asymmetry between the concentration and dilution tasks. We also discuss states for which the minimal communication cost is proportional to their entanglement, such as the states recently introduced in the context of ``embezzling entanglement'' [W. van Dam and P. Hayden, quant-ph/0201041].Comment: 9 pages, 1 figure. Added a reference and some further explanations. In v3 some arguments are given in more detai

Beating the PNS attack in practical quantum cryptography

In practical quantum key distribution, weak coherent state is often used and the channel transmittance can be very small therefore the protocol could be totally insecure under the photon-number-splitting attack. We propose an efficient method to verify the upper bound of the fraction of counts caused by multi-photon pluses transmitted from Alice to Bob, given whatever type of Eve's action. The protocol simply uses two coherent states for the signal pulses and vacuum for decoy pulse. Our verified upper bound is sufficiently tight for QKD with very lossy channel, in both asymptotic case and non-asymptotic case. The coherent states with mean photon number from 0.2 to 0.5 can be used in practical quantum cryptography. We show that so far our protocol is the $only$ decoy-state protocol that really works for currently existing set-ups.Comment: So far this is the unique decoy-state protocol which really works efficiently in practice. Prior art results are commented in both main context and the Appendi

Noise Tolerance of the BB84 Protocol with Random Privacy Amplification

We prove that BB84 protocol with random privacy amplification is secure with a higher key rate than Mayers' estimate with the same error rate. Consequently, the tolerable error rate of this protocol is increased from 7.5 % to 11 %. We also extend this method to the case of estimating error rates separately in each basis, which enables us to securely share a longer key.Comment: 26 pages, 1 figure, version 2 fills a logical gap in the proof. Version 3 includes an upper bound on the mutual information with finete code length by using the decoding error probability of the code. Version 4 adds a paragraph clarifying that no previous paper has proved that the BB84 with random privacy amplification can tolerate the 11% error rat

Insecurity of position-based quantum cryptography protocols against entanglement attacks

Recently, position-based quantum cryptography has been claimed to be unconditionally secure. In contrary, here we show that the existing proposals for position-based quantum cryptography are, in fact, insecure if entanglement is shared among two adversaries. Specifically, we demonstrate how the adversaries can incorporate ideas of quantum teleportation and quantum secret sharing to compromise the security with certainty. The common flaw to all current protocols is that the Pauli operators always map a codeword to a codeword (up to an irrelevant overall phase). We propose a modified scheme lacking this property in which the same cheating strategy used to undermine the previous protocols can succeed with a rate at most 85%. We conjecture that the modified protocol is unconditionally secure and prove this to be true when the shared quantum resource between the adversaries is a two- or three- level system

Alternative schemes for measurement-device-independent quantum key distribution

Practical schemes for measurement-device-independent quantum key distribution using phase and path or time encoding are presented. In addition to immunity to existing loopholes in detection systems, our setup employs simple encoding and decoding modules without relying on polarization maintenance or optical switches. Moreover, by employing a modified sifting technique to handle the dead-time limitations in single-photon detectors, our scheme can be run with only two single-photon detectors. With a phase-postselection technique, a decoy-state variant of our scheme is also proposed, whose key generation rate scales linearly with the channel transmittance.Comment: 30 pages, 5 figure

A decoy-state protocol for quantum cryptography with 4 intensities of coherent states

In order to beat any type of photon-number-splitting attack, we propose a protocol for quantum key distributoin (QKD) using 4 different intensities of pulses. They are vacuum and coherent states with mean photon number $\mu,\mu'$ and $\mu_s$. $\mu_s$ is around 0.55 and this class of pulses are used as the main signal states. The other two classes of coherent states ($\mu,\mu'$) are also used signal states but their counting rates should be studied jointly with the vacuum. We have shown that, given the typical set-up in practice, the key rate from the main signal pulses is quite close to the theoretically allowed maximal rate in the case given the small overall transmittance of $10^{-4}$

Photon-number-solving Decoy State Quantum Key Distribution

In this paper, a photon-number-resolving decoy state quantum key distribution scheme is presented based on recent experimental advancements. A new upper bound on the fraction of counts caused by multiphoton pulses is given. This upper bound is independent of intensity of the decoy source, so that both the signal pulses and the decoy pulses can be used to generate the raw key after verified the security of the communication. This upper bound is also the lower bound on the fraction of counts caused by multiphoton pulses as long as faint coherent sources and high lossy channels are used. We show that Eve's coherent multiphoton pulse (CMP) attack is more efficient than symmetric individual (SI) attack when quantum bit error rate is small, so that CMP attack should be considered to ensure the security of the final key. finally, optimal intensity of laser source is presented which provides 23.9 km increase in the transmission distance. 03.67.DdComment: This is a detailed and extended version of quant-ph/0504221. In this paper, a detailed discussion of photon-number-resolving QKD scheme is presented. Moreover, the detailed discussion of coherent multiphoton pulse attack (CMP) is presented. 2 figures and some discussions are added. A detailed cauculation of the "new" upper bound 'is presente