February 7, 2007

18:8

RPS: EMTM2N - 2007

main

Quantum Cryptography: State-of-Art and Future Perspectives Vishnu Teja∗ , Payel Banerjee∗∗ , N. N. Sharma† and R. K. Mittal‡ Birla Institute of Technology and Science, Pilani-333031 ∗ [email protected], ∗∗ [email protected] † [email protected], ‡ [email protected] With quantum computing, we are witnessing an exciting and very promising merging of three of the deepest and most successful scientific and technological developments of modern era: quantum physics, computer science, and nanotechnology. Quantum computers have the potential to perform certain calculations billions of times faster than any silicon-based computer. A functional quantum computer will be invaluable in factoring large numbers, and therefore extremely useful for decoding and encoding secret information. In this paper we have discussed contemporary cryptographic systems and their strengths and drawbacks. Two of the most common quantum key distribution protocols have been explained. This is followed by a note on the experimental realizations of quantum key distribution and the associated technological challenges. A few novel extensions of this concept in the future have also been dealt with. This paper aims at familiarizing the reader with the field of quantum cryptography and gives an insight about the latest developments. Keywords: Quantum cryptography; quantum key distribution; data encryption standard; public key cryptography; one-time pad; BB84 protocol; Shannon’s condition.

channel therefore causes an unavoidable disturbance alerting the legitimate users. The fact that QC draws largely from the fundamental randomness of quantum mechanics yields a robust cryptographic system. Two parties initially sharing no secret information can thus exchange a secret random cryptographic key using quantum cryptography that is secure against an eavesdropper. The present work compiles state-of-art applications and research done so far in the field of Quantum Cryptography. Various classical cryptography schemes, their strengths and weaknesses explaining the need for QC have been described in Section 2. The BB84 protocol [4–5] and an alternate protocol with encoding built upon quantum entanglement [6] have been dealt with in Section 3. In Section 4, the scope for technological improvement in QC has been presented. The future scope of encryption and tasks beyond quantum key distribution are given in Section 5. Conclusions drawn from present work are presented in Section 6.

1. Introduction Cryptography is the technique by which a message that has to be transmitted over an insecure channel is rendered indecipherable to any unauthorized party who might eavesdrop. To achieve secure transmission, an algorithm is used to combine the message with additional information to produce a cryptogram. The algorithm is also called a cryptosystem or cipher and the additional information is known as the key. The technique is known as encryption [1]. Encryption in conventional cryptography is based on mathematical relations wherein security is ensured by choosing mathematical functions that has superpolynomial time complexity. Classical computers thus are not capable of breaking them. As improving processor speeds render existing algorithms increasingly vulnerable to cracking, the security of the classical encryption technique is debatable [1]. Quantum key distribution (QKD) [2] is a method in which quantum states are used for encryption. The strength of quantum cryptography (QC) is that the codes that are generated are not even in theory decodable. QC is based on Heisenberg’s uncertainty principle [3] according to which measuring a quantum system in general disturbs it and yields incomplete information about its state before the measurement. Eavesdropping on a quantum communication

2. Classical Cryptography Classical cryptography [1] employs various mathematical techniques to restrict eavesdroppers from learning the contents of encrypted messages. The three most popular schemes adopted world wide have been explained below. Throughout the paper, the 355

FINAL

February 7, 2007

356

18:8

RPS: EMTM2N - 2007

main

EMTM2N-2007

transmitter is referred as ‘A’, the receiver as ‘B’, and an adversarial eavesdropper as ‘E’.

quantum computer, Shor’s algorithm [9] could break RSA easily in polynomial time.

2.1. Data Encryption Standard (DES)

2.3. One-time pad (OTP) cryptosystem

In DES, a set of parameters, called a key, is supplied together with the plaintext as an input to the encrypting algorithm, and together with the cryptogram as an input to the decrypting algorithm [7]. The encrypting and decrypting algorithms are publicly announced; the security of the cryptogram depends entirely on the secrecy of the key, and the key consist of randomly chosen, sufficiently long string of bits. Once the key is established, subsequent communication involves sending cryptograms over a public channel which is vulnerable to total passive eavesdropping. However in order to establish the key, two users, who share no secret information initially, must at a certain stage of communication use a reliable and a very secure channel. A random key must first be communicated through a secret channel prior to the actual message transfer. The major drawback of DES is no classical cryptographic mechanism can guarantee ultimate security of a communication channel.

2.2. Public Key Cryptographic (PKC) Systems An improvement over DES, public key cryptography [7] eliminates the problem of key distribution prior to communication. In this system, every person would have a public encoding key and a secret decoding key such that encryption and decryption using these keys would be inverse functions. If ‘A’ wants to send a secret message to ‘B’, he would encrypt his message with B’s public key and send it through an insecure channel. ‘B’ receiving the message would then decode it using his private key. The methodology ensures that the sender can’t decode his own message once encrypted. The PKC systems exploit the fact that certain mathematical operations are easier to do in one direction than the other. For example, multiplication of two large prime numbers is easy but factoring the result would be infeasible if computational resources are insufficient and the number is large. The best classical algorithm known to factor takes super-polynomial time. RSA (Rivest-Shamir-Adleman Encryption Algorithm) cryptosystem [8] gets its security from the simple fact that factoring large numbers is excessively tough. The disadvantage is that classical cryptosystem provides no mechanism for detecting eavesdropping. Moreover, if researchers succeed in building a feasible

The one-time pad cryptosystem [10] created by Gilbert Vernam in 1917 is very simple and yet, very effective. The system ensures perfect secrecy. But again the key has to remain secret. The system works as follows: 1. Prior to the communication, ‘A’ and ‘B’ secretly exchange a random key k = k1 . . . kn of n bits. 2. When ‘A’ wants to send the message m = m1 . . . mn to ‘B’, encoding is done by computing the bitwise exclusive-or (XOR) between the message and the key producing the cipher text c = (m1 XORk1 ) . . . (mn XORkn ). 3. Receiving cipher text, ‘B’ decodes the cipher text by applying the inverse operation m = (c1 XORk1 ) . . . (cn XORkn ). For example, consider ‘A’ and ‘B’ shares the secret key 011100 and that ‘A’ wants to send the message m = 101110 to ‘B’. After encoding, the cipher text c = 110010 (101110 XOR 011100) is obtained by XOR-ing individual bits. To recover the message, ‘B’ XORs the key to the cipher text yielding m = cXORk(110010XOR011100) = 101110. The major disadvantage with one-time pad is despite its security it is very impractical. For every message encoded with the system, the participants need to exchange a secret key that has at least the same length. Also, one must not use the same key twice. If the same key k is used to encode the two messages m and m’, the eavesdropper intercepting the two cipher texts c and c’, has to compute c XOR c’ to obtain the key of both messages, which reveals a lot of information. c XOR c = (m XOR k) XOR (m’ XOR k’); if k = k’, c XOR c’ = m XOR m’ 3. Quantum Cryptography Quantum cryptographic systems rely on Heisenberg’s uncertainty principle. A quantum system when measured is disturbed and yields incomplete information about the state it was in prior to the measurement. Eavesdropping on a quantum communication channel therefore alerts legitimate users. The No Cloning Theorem [11] states that an unknown quantum state cannot be cloned. If such a quantum copier existed, then ‘E’ could have measured the quantum system, and then could have sent the copied state to ‘B’. Since cloning is not possible, an act of eavesdropping would be detected. The possibility of detection of eavesdropping makes quantum cryptography superior to conventional cryptography.

FINAL

February 7, 2007

18:8

RPS: EMTM2N - 2007

main

Posters Presentation

3.1. BB84 protocol The first Quantum Key Distribution used in Quantum Cryptography scheme was presented by Bennett and Brassard in 1984 and is now commonly referred as BB84 protocol [4, 5]. The first experimental demonstration of the protocol was performed in 1991 using the polarization states of single photons to transmit a random key. The polarization state of single photon is characterized by polarization angle a. The angle corresponds to the angle of the plane in which the photons oscillate on their propagation axis. α varies from 0◦ to 180◦ . Photons emerging from a light source often have an unknown polarization angle. To induce a µ◦ polarization to a photon, a light filter is used that allows only photons polarized at µ◦ to pass through. Photons having any other degree of polarization either gets stopped or gets re-polarized to µ◦ . The two possibilities are dictated by the laws of probability. According to quantum mechanics [12] a photon polarized at angle a passing through a µ filter has probability cos2 (α − µ) of emerging with polarization µ and a probability sin2 (α − µ) of being stopped by the filter. Polarization angles are used to encode bits to be transmitted. A basis is chosen to distinguish the two values 0 and 1 without ambiguity. One choice is the rectilinear basis where photons are polarized at angle 0◦ or 90◦ representing 0 and 1 respectively. Another choice is the diagonal basis where 0 is represented by photons polarized at 45◦ and 1 by photons polarized at 135◦ . The quantum protocol BB84 is a key distribution technique that when clubbed with the one-time pad system (classical cryptographic scheme) makes communication unconditionally secure. For simplicity, denote the 0◦ , 90◦ , 45◦ and 135◦ as H,V,D and A respectively. The polarization basis H, V is denoted by + and {D, A} by *. The steps of the protocol have been illustrated below. Step 1: ‘A’ sends a sequence of randomly polarized photons. Polarization basis: + + + + * + * *. . . Polarization angle: V V V H A V A A . . . Interpreted as: 1 1 1 0 1 1 1 1 . . . Step 2: ‘B’ receives the photons and for each one the rectilinear or the diagonal basis for measurement is independently chosen. The result is noted down accordingly. Some photons may not be received due to imperfection of the transmitting and the measuring devices. ‘B’ notes down the result as follows: Polarization basis: * + * + * * * *. . .

357

Polarization angle: D V A H A D A A. . . Interpreted as: 0 1 1 0 1 0 1 1. . . Step 3: Next ‘A’ and ‘B’ communicates through the public channel the sequences of encoding basis of ‘A’ and the decoding basis of ‘B’, as well as B’s failures in detection. Neither the specific states prepared by ‘A’ in each basis nor the resulting states obtained by ‘B’ upon measuring is communicated. The communication is as follows: A to B (as in Step 1): + + + + * + * *. . . B to A (as in Step 2): * + * + * * * *. . . Step 4: Cases in which ‘B’ detects no photons and also the cases in which the encoding basis used by ‘A’ and the decoding basis used by ‘B’ differ are discarded. After this distillation, both are left out with the same random subsequence of bits 0, 1, which is adopted as the shared sifted key. Initial A’s bits: 1 1 1 0 1 1 1 1. . . A’s polarization basis: + + + + * + * *. . . B’s bits: 0 1 1 0 1 0 1 1 . . . B’s polarization basis: * + * + * * * *. . . Final after distillation A’s substring: - 1 - 0 1 - 1 1. . . B’s substring: - 1 - 0 1 - 1 1. . . The distilled key is 10111... with length ,on average, one half of the length of the initial sequence. In the ideal case with no eavesdroppers, no noise in the transmission or defects in the encoding and decoding, the distilled keys of ‘A’ and ‘B’ match. Thus encryption is secure. In case ‘E’ “taps” the quantum channel having the same equipment as B’s, analyzes the polarization state of each photon, forwarding them next to ‘B’, the keys of ‘A’ and ‘B’ after distillation wouldn’t match. The Shannon’s theorem [13] states that in any situation, the amount of information ‘B’ has should exceed the information possessed by ‘E’ i.e. ‘B’ must have more information on A’s bits than ‘E’. If this isn’t the case, then the bits transmitted so far are discarded and the Steps 1 to 3 is carried on again until this condition is satisfied. Once the sifted key is obtained, ‘A’ and ‘B’ publicly compare a randomly chosen subset of it. These disclosed bits are discarded but they serve to estimate the error rate or more precisely the marginal probability distribution. If the Shannon’s condition (calculated by substituting the marginal probability in the equation [13]) is satisfied, the next algorithm is processed as follows showing how ‘A’ and ‘B’ can establish a secret key from the sifted key.

FINAL

February 7, 2007

358

18:8

RPS: EMTM2N - 2007

main

EMTM2N-2007

1) ‘A’ randomly chooses pairs of bits and announces the XOR value over an insecure channel. If ‘B’ has the same XOR value for corresponding bits, ‘B’ replies “accept” else “reject”. 2) If ‘B’ accepts, both ‘A’ and ‘B’ keep the first bit intact and eliminate the second one. While in the “reject” case, both the bits are rejected. This procedure continues for a considerable number of times so as to produce identical copies of a key. The first two steps are for error correction [14]. 3) But ‘E’ may still have some information about the key. Privacy amplification [15], a classical protocol, is implemented to reduce E’s knowledge of the key. ‘A’ chooses pairs of bits, computes their XOR values but unlike error correction he only announces the bit positions he chose. Then ‘A’ and ‘B’ both replace the announced bit positions by the XOR value. ‘E’ only has partial information on the two bits; his information on XOR value is even lower. In this way, they can shorten the key while keeping the key error free. For example ‘E’ knows the value of both the bits with 60% probability, then the probability that he guesses correctly the value of XOR is only of 0.62 + 0.42 = 0.52 i.e. 52% probability. The process when repeated several times reduces the probability of E’s correct guessing. The following figure gives an illustration of the aforementioned algorithm. In Fig. 1a the initial situation is depicted. During the public phase of the protocol, because of the one-way communication, ‘E’ receives as much information as ‘B’; the initial information difference shown by * thus remains. In Fig. 1b, after error correction B’s information equals 1. In Fig. 1c, after privacy amplification E’s information is zero. In Fig. 1d, ‘B’ replaces all bits to be disregarded by random bits. Hence the key has still the original length,

Fig. 3.6.1. Illustration of an algorithm that’s a part of BB84 cryptography scheme.

but the information content gets reduced. Finally, on removal of the random bits, the key is shortened to the initial information difference. Eventually, ‘B’ has full information on this final key, while ‘E’ has none. Every key distribution system must incorporate some authentication [16] scheme i.e. the two parties must identify themselves. If not, ‘A’ could actually be communicating directly with ‘E’. A possibility is that ‘A’ and ‘B’ initially share a short secret. Then quantum cryptography provides them with a longer one of which a small portion is kept for authentication at the next session. From this perspective, QC is a Quantum Secret Growing protocol [1]. 3.2. Cryptosystems with encoding built upon quantum entanglement Consider a quantum computer made of two atomic nuclei acted on by an external magnetic field. Suppose the nuclei belong to the neighboring atoms of carbon and hydrogen in a single molecule of chloroform, CHCl3. Just as electrons do, the nuclei align their spins with the magnetic field in the direction up (1) or down (0). By tuning the frequency and duration of a radio pulse, it is possible to make one or the other nucleus flip its spin or to ensure that the hydrogen nucleus flips over only if the carbon nucleus is already pointing up. The quantized behavior of the two nuclei functions as a controlled-NOT gate, with the carbon nucleus as the control. Chloroform molecule is placed in a strong external magnetic field that aligns both atomic nuclei into the down position to do a partial flip into a superposed state. The probabilities for both spin directions in the superposed state are 50 percent. A controlledNOT operation with the carbon nucleus as the control qubit is carried out next. Because the second qubit (the hydrogen nucleus) started out in the zero state, only two of the operations are relevant- if the carbon nucleus had initially gotten flipped to a 1, the controlled-NOT operation would flip the hydrogen nucleus into the 1 state, too. If the carbon had remained a 0, the controlled-NOT operation would have left the hydrogen in the 0 state, too. But the action of controlled-NOT on the superposed state of the carbon nucleus and the 0 state of the hydrogen nucleus leaves the two-qubit system as a whole in a more complicated superposition, with a 50 percent chance of being in the (1,1) state and a 50 percent chance of being in the (0,0) state. Such a superposition is called an EPR state, after the physicists Einstein, Podolsky and Nathan Rosen, who first studied it in 1935. [17] Entanglement [6] is the non local quantummechanical correlation that can exist between two quantum systems that have interacted at some point.

FINAL

February 7, 2007

18:8

RPS: EMTM2N - 2007

main

Posters Presentation

A source of entangled-photon pairs is configured to send one photon to ‘A’ and one photon to ‘B’. ‘A’ and B’s detectors are both configured to measure randomly in one of two measurement bases. ‘A’ and ‘B’ then record the bit value, measurement basis, and exact time for each detection. Arrival times are used to establish coincident detections. Due to entanglement, when measurement bases coincide, the bits are near 100% correlated and can be used to form a secret key. Eavesdropping will cause errors as the entangled state will be measured in one basis and the ensuing state collapse leads to imperfect correlations in the other basis.

4. Scopes for Improvement Future developments in quantum cryptography will certainly concentrate on the increase of the key exchange rate. Several approaches have also been proposed to increase the range of the systems [1]. The first one is to get rid of the optical fiber. It is possible to exchange key using quantum cryptography between a terrestrial station and a low orbit satellite (absorption in the atmosphere takes place mainly over the first few kilometers. It can be low, if an adequate wavelength is selected and the weather is clear.) Such a satellite moves with respect to the earth surface. When passing over a second station, located thousands of kilometers away from the first one, it can retransmit the key. The satellite is implicitly considered as a secure intermediary station. Presently this technology is less mature than that based on optical fibers. Research groups have already performed preliminary tests of such a system, but an actual key exchange with a satellite remains to be demonstrated [1]. There are theoretical proposals for building quantum repeaters [1], relaying quantum bits without measuring and thus perturbing them. They could, in principle, be used to extend the key exchange range over arbitrarily long distances. In practice, such quantum repeaters do not exist yet, not even in laboratories, and much research remains to be done. It is nevertheless interesting to note that a quantum repeater is a rudimentary quantum computer. At the same time as it will make public key cryptography obsolete, the development of quantum computers will also allow to implement quantum cryptography over transcontinental distances. One technological challenge at present concerns improved detectors compatible with telecom fibers. Moreover, public key systems occupy the market and, being pure software, are tremendously easier to manage.

359

5. Future Frontiers Beyond Quantum Key Distribution, there are many other cryptographic tasks for which quantum protocols offer significant potential advantages over classical protocols. A brief overview of some of the recent developments is given as follows. 5.1. Bit commitment Bit commitment is a special case of a commitment protocol where the data m consists of only a single bit. Unconditionally secure quantum bit commitment is impossible. A commitment protocol is a procedure in which ‘A’ deposits a message such that no one can either read or change it. ‘A’ commits himself to the data m by computing c= f(m) and sends c to ‘B’. ‘A’ unveils the commitment by showing ‘B’ the pre-image m of c. In bit-commitment ‘A’ chooses a bit and keeps it secret until he is ready to reveal it to ‘B’. A bitcommitment [19] protocol is “binding” if ‘A’ is unable to change the value of his bit after committing to it, and “concealing” if ‘B’ is unable to learn the bit before ‘A’ unveils the bit. The protocol is secure if it is both binding and concealing. While introducing the BB84 protocol, Bennett and Brassard also proposed a protocol for coin tossing that in retrospect can be seen to be a quantum bitcommitment protocol. They demonstrated its security against some attacks but showed that it can be defeated by a cheating ‘A’ who exploits quantum entanglement to alter the bit decided upon after committing. 5.2. Quantum fingerprinting Buhrman, Cleve, Watrous, and de Wolf showed that fingerprints consisting of quantum information can be exponentially shorter than the original strings but with a distinct advantage. There need not be any correlations between the parties [19]. A fingerprint is a short bit string associated with a long string, such that any two long strings can be distinguished with high probability by comparing the fingerprints alone. Classically, the fingerprint can be exponentially shorter than the original string, but the parties preparing the fingerprints need to share a random key. 5.3. Quantum Data Hiding Schemes for hiding classical data in bipartite quantum states were first formulated by Di Vincenzo, Leung, and Terha [20]. Hayden, Leung, Shor, and Winter [21]

FINAL

February 7, 2007

360

18:8

RPS: EMTM2N - 2007

main

EMTM2N-2007

have shown that when the amount of hidden information is large, one hidden qubit can be encoded per each pair of physical qubits shared by ‘A’ and ‘B’. Information is encoded in a bipartite quantum state and is distributed to ‘A’ and ‘B’. The way in which it’s distributed is such that both of them are able to recover the encoded information with high fidelity if they get together and communicate using quantum cryptography schemes. But if ‘A’ and ‘B’ are limited to classical communication, they cannot learn more than a negligible amount about the encoded information, even if their local computational power is unlimited. 5.4. Authentication of quantum messages In classical authentication as discussed in Section 3.1, a shared private random key has to be used to verify that a message sent from ‘A’ to ‘B’ has not been modified during transmission. Barnum, Cr´epeau, Gottesman, Smith, and Tapp [22] showed that quantum states sent from ‘A’ and ‘B’ can be similarly authenticated. Furthermore, it has been shown that when authentication is successful, most of the classical key can be safely reused in further rounds of authentication. Gottesman [23] has shown that a quantum authentication scheme can be used for uncloneable encryption of classical messages; which means that an eavesdropper will not be able to decipher the message even if he later discovers the classical key that was used to encode. Quantum cryptography is a fast emerging technology and with high potential for commercial applications as compiled above. The conclusion of the present study is given in the next section. 6. Conclusion Quantum cryptography is an illustration of the dialog between basic and applied physics. It is based on combinations of concepts from quantum physics and information theory. The security principle in QC relies on theorems in classical information theory and on a profound understanding of the Heisenberg’s uncertainty principle. Quantum mechanics provides an intrusion detection mechanism never thought possible within the world of classical cryptography. QC could well be the first application of quantum mechanics at the single quanta level. Experiments have demonstrated that keys can be exchanged over distances of a few tens of kilometers at rates at least of the order of a thousand bits per second. Using QC, the security of cryptography does not depend any more on the computing resources of the adversary, nor does it depend on mathematical

progress. Quantum cryptography allows exchanging encryption keys, whose secrecy is future-proof and guaranteed by the laws of quantum physics. Its combination with conventional secret-key cryptographic algorithms allows raising the confidentiality of data transmissions to an unprecedented level. References 1. Gisin, N., Ribordy, G., Tittel, W. and Zbinden, H., January 4, 2006, “Quantum Cryptography,” Reviews of Modern Physics, available at http://prola.aps.org/abstract/ RMP/v74/i1/p145 1 2. Elliott, C., Pearson, D. and Troxel, G., 2003, “Quantum Cryptography in practice,” available at http://arXiv. org/quant-ph/0307049. 3. Volovich, I. V. and Volovich, Y. I., Aug 2001, August 2001, “On Classical and Quantum Crytography,” available at http://arxiv.org/abs/quant-ph/0108133. 4. Boyer, M., “Security of Quantum Key Distribution the BB84 protocol,” Lecture Notes, available at http:// www.iro.umontreal.ca/ boyer. 5. Shor, P. W. and Preskill, J., 2000, “Simple Proof of Security of the BB84 Quantum Key Distribution Protocol,” Phys. Rev. Lett. 85, 441–444, available at http://arxiv. org/abs/quantph/0003004/. 6. Poppe, A., Fedrizzi, A., Hubel, ¨ H., Ursin, R. and Zeilinger, A., “Entangled State Quantum Key Distribution and Teleportation,” available at http://www. quantenkryptographie.at/ECOCPoppe 2005.pdf. 7. Paquin, C., Aug 1999, “Quantum Cryptography: a new hope,” available at http://www.iro.umontreal. ca/∼paquin/Qu/quantumCrypto.pdf. 8. Rivest, R., Shamir, A. and Adleman, L., February 1978, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, 21, 120, available at http://theory.lcs. mit.edu/∼rivest/rsapaper.ps. 9. Devitt, S., Fowler, A. G., Lloyd and C. L., Hollenberg, 2006, “Robustness of Shor’s Algorithm,” Journal ref: Quant. Inf. Comp., 6, 616–629, (2006), Quantum Physics, available at http://arXiv.org/abs/quant-ph/0408081. 10. Blakley, G. R., 1980, “One time Pads are Key Safegaurding Schemes, not Cryptosystems. Fast Key Safeguarding Schemes (Threshold Schemes) Exist.,” sp, p. 0108, 1980 IEEE Symposium on Security and Privacy, available at http://csdl2.computer.org/persagen/DLAbsToc.jsp? resourcePath=/dl/proceedings/&toc=comp/ proceedings/sp/1980/1522/ 00/1522toc.xml. 11. Lomonaco, S. J., November 1998, “A Quick Glance at Quantum Cryptography,” available at http://arXiv. org/abs/quant-ph/9811056. 12. Preskill, John, 1998, “Quantum Information and Computation,” Lecture Notes for Physics, 229, available at http://www.theory.caltech.edu/ preskill/ph229/. 13. Galindo, M. A. Martin-Delgado, “Information and Computation: Classical and Quantum Aspects,” Reviews of Modern Physics, available at http://arxiv. org/ abs/ quantph/0112105. 14. Renner, R., “Security of Quantum Key Distribution,” available at http://arxiv.org/abs/quant-ph/0512258. 15. Bennett, C. H., Brassard, G., Crepeau, C. and Maurer, U. M., 1995, “Generalized privacy amplification,” IEEE Transactions on Information Theory 41, 1915–1923, available

FINAL

February 7, 2007

18:8

RPS: EMTM2N - 2007

main

Posters Presentation

16.

17.

18.

19.

at http://ieeexplore.ieee.org/xpl/freeabs all.jsp? arnumber=476316. Kuhn, R., “A Hybrid Authentication Protocol Using Quantum Entanglement and Symmetric Cryptography,” available at http://arXiv.org/abs/quant-ph /0301150. Einstein, A., B. Podolsky and N. Rosen, “Can quantum mechanical description of physical reality be considered complete?,” Phys. Rev. 47, 777 (1935), available at http:// prola.aps.org/abstract/PR/v47/i10/p777 1. Brassard, G., Crepeau, C., Jozsa, R. and Langlois, D., “A quantum bit commitment scheme provable unbreakable by both parties,” available at http://ieeexplore. ieee.org/xpl/freeabs all.jsp?isnumber=8405& arnumber= 366851&type=ref. Buhrman, H., Cleve, R., Watrous, J. and Wolf, R. D., 2001, “Quantum fingerprinting,” Physical Review Letters 87, 167902 (2001).

361

20. Di Vincenzo, D. P., Leung, D. W. and Terhal, 2002, “Quantum data hiding,” IEEE Transactions on Information Theory 48(3), 580–599. 21. Hayden, P., Leung, D., Shor, P. W. and Winter, A., “Randomizing quantum states: Constructions and applications,” available at http://arxiv.org/abs/quantph/ 0307104. 22. Barnum, H., Cr´epeau, C., Gottesman, D., Smith, A. and Tapp, A., “Authentication of quantum messages,” in Proceedings of the 43rd Annual IEEE Symposium on the Foundations of Computer Science (FOCS ’02), (IEEE Press, New York, 2002), pp. 449–458. 23. Gottesman, D., 2003, “Uncloneable encryption,” Quantum Information and Computing 3(6), 581–602 (2003).

FINAL