Deuteron Momentum Distribution in KD2HPO4

The momentum distribution in KD2PO4(DKDP) has been measured using neutron Compton scattering above and below the weakly first order paraelectric-ferroelectric phase transition(T=229K). There is very litte difference between the two distributions, and no sign of the coherence over two locations for the proton observed in the paraelectric phase, as in KH2PO4(KDP). We conclude that the tunnel splitting must be much less than 20mev. The width of the distribution indicates that the effective potential for DKDP is significantly softer than that for KDP. As electronic structure calculations indicate that the stiffness of the potential increases with the size of the coherent region locally undergoing soft mode fluctuations, we conclude that there is a mass dependent quantum coherence length in both systems.Comment: 6 pages 5 figure

Effects of detector efficiency mismatch on security of quantum cryptosystems

We suggest a type of attack on quantum cryptosystems that exploits variations in detector efficiency as a function of a control parameter accessible to an eavesdropper. With gated single-photon detectors, this control parameter can be the timing of the incoming pulse. When the eavesdropper sends short pulses using the appropriate timing so that the two gated detectors in Bob's setup have different efficiencies, the security of quantum key distribution can be compromised. Specifically, we show for the Bennett-Brassard 1984 (BB84) protocol that if the efficiency mismatch between 0 and 1 detectors for some value of the control parameter gets large enough (roughly 15:1 or larger), Eve can construct a successful faked-states attack causing a quantum bit error rate lower than 11%. We also derive a general security bound as a function of the detector sensitivity mismatch for the BB84 protocol. Experimental data for two different detectors are presented, and protection measures against this attack are discussed.Comment: v3: identical to the journal version. However, after publication we have discovered that Eq. 11 is incorrect: the available bit rate after privacy amplification is reduced even in the case (QBER)=0 [see Quant. Inf. Comp. 7, 73 (2007)

Security Trade-offs in Ancilla-Free Quantum Bit Commitment in the Presence of Superselection Rules

Security trade-offs have been established for one-way bit commitment in quant-ph/0106019. We study this trade-off in two superselection settings. We show that for an `abelian' superselection rule (exemplified by particle conservation) the standard trade-off between sealing and binding properties still holds. For the non-abelian case (exemplified by angular momentum conservation) the security trade-off can be more subtle, which we illustrate by showing that if the bit-commitment is forced to be ancilla-free an asymptotically secure quantum bit commitment is possible.Comment: 7 pages Latex; v2 has 8 pages and additional references and clarifications, this paper is to appear in the New Journal of Physic

Is Quantum Bit Commitment Really Possible?

We show that all proposed quantum bit commitment schemes are insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen type of attack and delaying her measurement until she opens her commitment.Comment: Major revisions to include a more extensive introduction and an example of bit commitment. Overlap with independent work by Mayers acknowledged. More recent works by Mayers, by Lo and Chau and by Lo are also noted. Accepted for publication in Phys. Rev. Let

Quantum Kolmogorov Complexity and Quantum Key Distribution

We discuss the Bennett-Brassard 1984 (BB84) quantum key distribution protocol in the light of quantum algorithmic information. While Shannon's information theory needs a probability to define a notion of information, algorithmic information theory does not need it and can assign a notion of information to an individual object. The program length necessary to describe an object, Kolmogorov complexity, plays the most fundamental role in the theory. In the context of algorithmic information theory, we formulate a security criterion for the quantum key distribution by using the quantum Kolmogorov complexity that was recently defined by Vit\'anyi. We show that a simple BB84 protocol indeed distribute a binary sequence between Alice and Bob that looks almost random for Eve with a probability exponentially close to 1.Comment: typos correcte

Practical Quantum Bit Commitment Protocol

A quantum protocol for bit commitment the security of which is based on technological limitations on nondemolition measurements and long-term quantum memory is presented.Comment: Quantum Inf. Process. (2011

Quantum signature scheme with single photons

Quantum digital signature combines quantum theory with classical digital signature. The main goal of this field is to take advantage of quantum effects to provide unconditionally secure signature. We present a quantum signature scheme with message recovery without using entangle effect. The most important property of the proposed scheme is that it is not necessary for the scheme to use Greenberger-Horne-Zeilinger states. The present scheme utilizes single photons to achieve the aim of signature and verification. The security of the scheme relies on the quantum one-time pad and quantum key distribution. The efficiency analysis shows that the proposed scheme is an efficient scheme

Multi-Prover Commitments Against Non-Signaling Attacks

We reconsider the concept of multi-prover commitments, as introduced in the late eighties in the seminal work by Ben-Or et al. As was recently shown by Cr\'{e}peau et al., the security of known two-prover commitment schemes not only relies on the explicit assumption that the provers cannot communicate, but also depends on their information processing capabilities. For instance, there exist schemes that are secure against classical provers but insecure if the provers have quantum information processing capabilities, and there are schemes that resist such quantum attacks but become insecure when considering general so-called non-signaling provers, which are restricted solely by the requirement that no communication takes place. This poses the natural question whether there exists a two-prover commitment scheme that is secure under the sole assumption that no communication takes place; no such scheme is known. In this work, we give strong evidence for a negative answer: we show that any single-round two-prover commitment scheme can be broken by a non-signaling attack. Our negative result is as bad as it can get: for any candidate scheme that is (almost) perfectly hiding, there exists a strategy that allows the dishonest provers to open a commitment to an arbitrary bit (almost) as successfully as the honest provers can open an honestly prepared commitment, i.e., with probability (almost) 1 in case of a perfectly sound scheme. In the case of multi-round schemes, our impossibility result is restricted to perfectly hiding schemes. On the positive side, we show that the impossibility result can be circumvented by considering three provers instead: there exists a three-prover commitment scheme that is secure against arbitrary non-signaling attacks

Fair and optimistic quantum contract signing

We present a fair and optimistic quantum contract signing protocol between two clients that requires no communication with the third trusted party during the exchange phase. We discuss its fairness and show that it is possible to design such a protocol for which the probability of a dishonest client to cheat becomes negligible, and scales as N^{-1/2}, where N is the number of messages exchanged between the clients. Our protocol is not based on the exchange of signed messages: its fairness is based on the laws of quantum mechanics. Thus, it is abuse-free, and the clients do not have to generate new keys for each message during the Exchange phase. We discuss a real-life scenario when the measurement errors and qubit state corruption due to noisy channels occur and argue that for real, good enough measurement apparatus and transmission channels, our protocol would still be fair. Our protocol could be implemented by today's technology, as it requires in essence the same type of apparatus as the one needed for BB84 cryptographic protocol. Finally, we briefly discuss two alternative versions of the protocol, one that uses only two states (based on B92 protocol) and the other that uses entangled pairs, and show that it is possible to generalize our protocol to an arbitrary number of clients.Comment: 11 pages, 2 figure