skip to content

Timetable (QISW03)

Focus Week: Quantum Cryptography

Monday 6th September 2004 to Friday 10th September 2004

Monday 6th September 2004
11:30 to 12:15 Decoy state quantum key distribution: the best of both worlds?

The standard weak coherent state implementation of quantum cryptography has non-trivial security issues because an eavesdropper can, in principle, suppress single-photon signals relative to multi-photon signals. This leads to fundamental limits to the key generation rate [of order O (\eta2), where \eta is the transmission probability of the channel] and distance of uncondiitonally secure quantum key distribution [of order 20km for Telecom fibers]. Here, we show that the decoy state, first suggested by Hwang, can be used to prove unconditional security in the standard entanglement distillation approach. Our result shows that rather surprisingly, by using only current technology, unconditionally secure quantum key distribution can be achieved with a key generation rate of order O (\eta) and substantially longer distances (more than double). In our method, Alice simply turns the power of her laser up and down and prepares decoy states. The statistical properties of the transmitted decoy states are then analyzed to derive constraints on the signal states.

12:15 to 13:00 Privacy amplification against quantum adversaries

Privacy amplification is the art of shrinking a partially secret string Z to a highly secret key S. We show that, even if an adversary holds quantum information about the initial string Z, the key S obtained by two-universal hashing is secure, according to a universally composable security definition. Additionally, we give an asymptotically optimal lower bound on the length of the extractable key S in terms of the adversary's (quantum) knowledge about Z. Our result has applications in quantum cryptography. In particular, it implies that many of the known quantum key distribution protocols are universally composable.

14:15 to 15:00 A generic security proof for quantum key distribution

Quantum key distribution allows two parties, traditionally known as Alice and Bob, to establish a secure random cryptographic key if, firstly, they have access to a quantum communication channel, and secondly, they can exchange classical public messages which can be monitored but not altered by an eavesdropper, Eve. Quantum key distribution provides perfect security because, unlike its classical counterpart, it relies on the laws of physics rather than on ensuring that successful eavesdropping would require excessive computational effort. However, security proofs of quantum key distribution are not trivial and are usually restricted in their applicability to specific protocols. In contrast, we present a general and conceptually simple proof which can be applied to a number of different protocols. It relies on the fact that a cryptographic procedure called privacy amplification is equally secure when an adversary's memory for data storage is quantum rather than classical.

Tuesday 7th September 2004
11:30 to 12:15 N Gisin ([Geneva])
1. A new protocol for high bit rates 2. A new type of security proofs

Main message: Q crypto is entering the industrial age, but basic research is still needed. Examples: 1. New Q crypto protocols should be designed taking into account realistic constraints. Examples are "continuous variables" and the SARG protocol [PRL 92,057901,2004]. In this talk we present another new protocol that aims at Gbit/sec rates.

2. It is desirable to simplify proofs of security against the most general coherent attack. We take advantage of some recent results in classical information based cryptography and on the symmetry of the 6-state protocol to demonstrate that coherent attacks are not more powerfull than collective attacks. Using this we present a new kind of security proof that improves over the Shor-Preskill result.

12:15 to 13:00 Relating formal security for classical and quantum protocols

Using a simple example we demonstrate the necessity of a formal modelling of security. We explain the established notion of simulatable security (e.g. reactive simulatability by Backes, Pfitzmann, Waidner, or universal composability by Canetti) and show how this model can be extended to encompass quantum security (cf. also the work of Ben-Or, Mayers). We conclude with a Quantum Embedding Theorem that allows to securely use quantum protocols as sub-protocols in classically secure protocols.

14:15 to 14:35 S Wehner ([CWI])
Quantum anoymous transmissions

We consider the problem of hiding sender and recipient of classical and quantum bits, even if all physical transmissions can be monitored. We present a quantum protocol for sending and receiving classical bits anonymously, which unlike all classical protocols, prevents later reconstruction of the sender. It appears that entangled quantum states are uniquely suited for anonymous transmissions. We then extend this protocol to provide sender and recipient untraceability for transmissions of qubits as well. In the process we also introduce a new primitive called anonymous entanglement, which may be useful for other protocols as well.

14:35 to 14:55 R Colbeck ([Cambridge])
Variable bias coin tossing

I will introduce the task of variable bias coin tossing, and describe two protocols for achieving it.

14:55 to 15:15 A simple no-go lemma

I describe a simple general no-go result in mistrustful quantum cryptography.

Wednesday 8th September 2004
11:00 to 11:30 Coffee
11:30 to 12:15 Non-local correlations and key distribution

We present a quantum key distribution scheme that is secure even against eavesdroppers who can break the laws of quantum mechanics, as long as superluminal signalling is impossible. The scheme is based on violation of a Bell inequality, and its security stems from the fact that non-local correlations are monogamous, in analogy with the monogamy of entanglement.

14:15 to 15:00 Graph states - stability under decoherence, entanglement purification and possible applications

We will consider a specific family of multipartite entangled states, namely (weighted) graph states. We investigate the influence of decoherence on the entanglement properties of the states for various decoherence models. We show that the lifetime of entanglement of GHZ states decreases with the number of particles, while cluster (and similar) graph states the lifetime is independent of the size of the system. We discuss several multiparty entanglement purification protocols which allow one to create and/or maintain two colorable graph states with high fidelity. We compare direct multiparty entanglement purification protocols with protocols based on bipartite purification and show that the former are more efficient. We investigate the influence of imperfections in local control operations, where we find a remarkable robustness against errors for protocols which allow one, e.g., to purify cluster states. The achievable fidelity using direct multiparty purification is higher than purification based on bipartite protocols. We discuss possible applications of multiparty entanglement purification protocols for secure multiparty communication.

15:30 to 16:15 On the key-uncertainty of quantum ciphers and the computational security of one-way quantum transmission

We consider the scenario where Alice wants to send a secret (classical) $n$-bit message to Bob using a classical key, and where only one-way transmission from Alice to Bob is possible. In this case, quantum communication cannot help to obtain perfect secrecy with key length smaller then $n$. We study the question of whether there might still be fundamental differences between the case where quantum as opposed to classical communication is used. In this direction, we show that there exist ciphers with perfect security producing quantum ciphertext where, even if an adversary knows the plaintext and applies an optimal measurement on the ciphertext, his Shannon uncertainty about the key used is almost maximal. This is in contrast to the classical case where the adversary always learns $n$ bits of information on the key in a known plaintext attack. We also show that there is a limit to how different the classical and quantum cases can be: the most probable key, given matching plain- and ciphertexts, has the same probability in both the quantum and the classical cases. We suggest an application of our results in the case where only a short secret key is available and the message is much longer. Namely, one can use a pseudorandom generator to produce from the short key a stream of keys for a quantum cipher, using each of them to encrypt an $n$-bit block of the message. Our results suggest that an adversary with bounded resources in a known plaintext attack may potentially be in a much harder situation against quantum stream-ciphers than against any classical stream-cipher with the same parameters.

Thursday 9th September 2004
11:30 to 12:15 Cheat sensitive bit commitment

We define cheat sensitive cryptographic protocols between mistrustful parties as protocols which guarantee that, if either cheats, the other has some nonzero probability of detecting the cheating. We give an example of an unconditionally secure cheat sensitive non-relativistic bit commitment protocol which uses quantum information to implement a task which is classically impossible.

Related Links

12:15 to 13:00 Experimental quantum bit string generation

I will discuss the theory of quantum bit string generation, present an experimental realisation of quantum bit string generation with security better than can be achieved classicaly, and discuss how to improve on this first experimental realisation.

13:00 to 14:15 Lunch Churchill College cafeteria will close at 13:30
14:15 to 15:00 Applications of quantum universal composability theorem

The quantum universal composability theorem will first be reviewed. Next, applications to a new security definition of QKD and security proofs will be given. Finally, we prove composable security for various variants of the quantum message authentication scheme proposed in quant-ph/0205128 with key recycling.

16:00 to 22:00 PROSECCO meeting (joint with RESQ) INI 2
Friday 10th September 2004
11:30 to 12:15 Locking of entanglement

We study the loss of entanglement of bipartite state subjected to discarding or measurement of one qubit. Examining the behavior of different entanglement measures, we find that entanglement of formation, entanglement cost, and negativity are lockable measures in that they can decrease arbitrarily after measuring one qubit. Relative entropy of entanglement is shown to be a non-lockable measure.

12:15 to 13:00 Quantum correlations in quantum cryptology

In basic quantum communication protocols one party creates quantum states and uses a quantum channel to transmit it to another party that performs immediately some measurement on it. This means, we effectively create correlated (classical) data between distant parties. In order to use the power of quantum mechanics, these correlation must show effects of quantum mechanics.

In the specific example of quantum key distribution one uses the correlations to distill a secret key in (classical) public discussion protocols e.g. via sifting, error correction and privacy amplification. We give a necessary condition for the success of any public discussion protocol: the observed correlations should allow to prove the presence of an internal, virtual state of entanglement in the distribution. This poses a first test whether any presented real quantum key distribution is indeed useful for the desired purpose. Moreover, a gap between the parameter regime of proven security of given realistic schemes and the regime of proven presence of vitual entanglement furthers the search for the optimal public discussion protocol.

14:15 to 15:00 Distillation of secret key and entanglement from quantum states

Based on techniques from classical information theory, which we generalise to the quantum domain, we show how to distill secret key between two parties by local operations and public communication from given states, at an asymptotically optimal rate. By implementing this protocol "coherently", we then show how it yields actually entanglement, at the same rate, proving the long-conjectured "hashing inequality": it states that from a given quantum state, once can, using one-way LOCC, distill entanglement with rate given by the coherent information.

This is joint work with Igor Devetak; it is contained in eprints quant-ph/0306078 and quant-ph/0307053.

15:30 to 16:15 CH Bennett ([IBM])
Unlocking of a quantum channel's forward classical capacity by classical communication

Classical back communication does not increase a classical channel's forward capacity, but for quantum channels the situation is more complicated. It is well known that classical back communication can increase quantum capacity, but no example was known where it increased a quantum channel's classical capacity. We have found channels whose Holevo capacity is almost zero, but whose quantum and classical capacities in the presence of classical back communication are quite large. The greater complexity of the situation with quantum channels stems from the fundamental difference between entanglement and its closest classical analog, shared secret randomness. Joint work with Igor Devetak, Peter Shor, and John Smolin. quant-ph/0406086.

University of Cambridge Research Councils UK
    Clay Mathematics Institute London Mathematical Society NM Rothschild and Sons