Relativistic quantum cryptography

Relativistic quantum cryptography is a sub-field of quantum cryptography, in which in addition to exploiting the principles of quantum physics, the no-superluminal signalling principle of relativity theory stating that information cannot travel faster than light is exploited too. Technically speaking, relativistic quantum cryptography is a sub-field of relativistic cryptography, in which cryptographic protocols exploit the no-superluminal signalling principle, independently of whether quantum properties are used or not. However, in practice, the term relativistic quantum cryptography is used for relativistic cryptography too.

History

In 1997 and 1998, some important tasks in mistrustful cryptography were shown to be impossible to achieve with unconditional security. Mayers ^[1] and Lo and Chau ^[2] showed that unconditionally secure quantum bit commitment was impossible. Lo showed that oblivious transfer and a broad class of secure computations were also impossible to achieve with unconditional security in quantum cryptography. ^[3] Moreover, Lo and Chau showed that unconditionally secure ideal quantum coin tossing was impossible too. ^[4] In this context, Kent provided in 1999 the first relativistic cryptographic protocols, for bit commitment and ideal coin tossing, which overcome the assumptions made by Mayers, Lo and Chau, and achieve unconditional security. ^{[5] [6]} Since then, other unconditionally secure relativistic protocols for bit commitment have been found by Kent and others, ^{[7] [8] [9] [10] [11]} and other cryptographic tasks have been investigated in the setting of relativistic quantum cryptography. ^{[12] [13] [14] [15] [16] [17] [18]}

Basics

No-signalling and no-superluminal signalling

The no-signalling principle of quantum theory states that information cannot be communicated between two distinct locations L₀ and L₁ without the transmission of any physical systems, despite any quantum entanglement shared between L₀ and L₁. This implies, in particular, that without the transmission of any physical systems between L₀ and L₁, quantum correlation between L₀ and L₁ cannot be used to transmit information between L₀ and L₁, even if they are non-locally causal and violate Bell inequalities. According to relativity theory, physical systems cannot travel faster than the speed of light. Thus, it follows from the no-signalling principle that information cannot travel faster than the speed of light. This is called the no-superluminal signalling principle.

The principle of no-superluminal signalling is the key physical principle exploited in relativistic cryptography. It guarantees that the outcome x of a random variable X obtained at some spacetime point P cannot influence the probability that a random variable Y takes some value y at a spacelike separated spacetime point Q. Thus, for example, if two parties Alice and Bob have each two agents, with the first agent of Bob sending a secret message x to a first agent of Alice at the spacetime point P, and with the second agent of Alice sending a secret message y to the second agent of Bob at the spacetime point Q, with P and Q spacelike separated, then Bob can be guaranteed that the message y received from Alice was chosen independently of the message x that he gave Alice, and vice versa. This is a useful mathematical property that is exploited to prove the security of cryptographic protocols in relativistic cryptography.

The setting

It is a fundamental requirement in relativistic cryptography that the parties implementing the cryptographic task have a good description of spacetime, at least within the region of spacetime where the task is implemented. For example, in protocols implemented near the Earth surface, it can be assumed that spacetime is close to Minkowski. Importantly, this means that, near the Earth surface, physical systems and information cannot travel faster than the speed of light through vacuum, which is approximately 300,000 km/s. In principle, relativistic cryptography can be applied with more general spacetimes, as long as the parties can guarantee that there are no mechanisms allowing instant communication, like wormholes. Another requirement is that the parties have access to a common reference frame, so that they can guarantee that some communication events are spacelike separated. ^[5]

In relativistic cryptography, it is assumed that each party participating in the cryptographic task has various trusted agents that collaborate to implement the task. The agents implement the protocol by performing different actions at various points in spacetime. The agents of the same party may communicate via authenticated and secure channels, which can be implemented with previously shared secure keys, for example using one-time pads. ^{[5] [18]}

Various tasks investigated by relativistic cryptography consist in tasks of mistrustful cryptography, in which two or more mistrustful parties must collaborate to implement a cryptographic task while at the same time being guaranteed that other parties do not cheat. Examples of tasks in mistrustful cryptography are bit commitment, coin tossing, oblivious transfer and secure computations. Key distribution does not belong to mistrustful cryptography, because in this case the parties distributing the key trust each other. In relativistic cryptography, each participating party has various trusted agents, who collaborate with each other by performing different actions at various spacetime points. For example, Alice and Bob can be two companies with offices and laboratories at various locations in the Earth. Alice's offices and laboratories work in collaboration and trust each other. Similarly, Bob's offices and laboratories work in collaboration and trust each other. But Alice and Bob do not trust each other. ^{[5] [18]}

Tasks investigated in relativistic cryptography

Bit commitment

Main article: Bit commitment

Bit commitment is an important cryptographic task that has been widely investigated in relativistic cryptography. In bit commitment, Alice commits to a bit b at some time t, and at some later time t’ > t Alice unveils her committed bit b to Bob. A bit commitment is said to be "hiding" if Bob cannot know b before Alice unveils. It is said to be "binding" if after the commitment time t, Alice cannot choose the value of b and successfully unveil b to Bob. A bit commitment protocol is "secure" if it is hiding and binding. The Mayers-Lo-Chau no go theorem states that unconditionally secure bit commitment is impossible based only on the laws of quantum physics. ^{[1] [2]} It was shown by Kent that the Mayers-Lo-Chau theorem is not general enough because it excludes protocols that exploit the principle of no-superluminal signalling. ^[5] Kent provided the first unconditionally secure bit commitment protocol in the setting of relativistic cryptography. ^[5] Various protocols for bit commitment have been devised by Kent and others. ^{[7] [8] [9] [10] [11]} Experimental demonstrations of relativistic bit commitment have been implemented. ^{[19] [20] [10] [21]}

Coin tossing

In strong coin tossing, Alice and Bob are at different locations and they wish to toss a coin in such a way that Alice is guaranteed that Bob cannot bias the outcome, and Bob is guaranteed that Alice cannot bias the outcome either. It was shown by Lo and Chau that ideal strong coin tossing is impossible to achieve with unconditional security based only on the laws of quantum physics. ^[4] However, Kent overcame this no-go theorem by providing a relativistic protocol for strong coin tossing that is unconditionally secure. ^[6] This protocol is conceptually very simple and is illustrated here as an example of a protocol in relativistic cryptography.

In Kent's coin tossing protocol, Alice has two agents A₀ and A₁, and Bob has two agents B₀ and B₁. A_i and B_i are at location L_i, for ${\displaystyle i\in \{0,1\}}$. Let L₀ and L₁ have a distant separation D. Let us assume that spacetime is Minkowski. Thus, the minimum time that light takes to travel between L₀ and L₁ is t = D/c, where c is the speed of light through vacuum. A₀ generates a random bit ${\displaystyle a}$ in a secure laboratory and gives it to B₀ at a time t₀. B₁ generates a random bit b in a secure laboratory and gives it to A₁ at a time t₁. B₀ and B₁ communicate ${\displaystyle a}$ and b through a secure and authenticated channel. Similarly, A₀ and A₁ communicate ${\displaystyle a}$ and b through a secure and authenticated channel. Alice and Bob agree that the output of the toss d is the xor of the bits ${\displaystyle a}$ and b, ${\displaystyle d=a\oplus b}$. Alice and Bob agree on advance on the values of t₀ and t₁ in a common reference frame, in such a way that |t₀ - t₁| < t. Thus, from the principle of no superluminal signalling, at receiving ${\displaystyle a}$ from A₀, B₀ cannot send any signal that arrives to B₁ before B₁ gives b to A₁. Therefore, Alice is guaranteed that the bit b is chosen by Bob independently of the bit ${\displaystyle a}$ chosen by her. Since Alice chooses ${\displaystyle a}$ randomly, and since b is independent of ${\displaystyle a}$, Alice is guaranteed that the bit ${\displaystyle d=a\oplus b}$ is random. With similar arguments, Bob is also guaranteed that the bit d is random.

Variations of coin tossing have been investigated in relativistic cryptography by Colbeck and Kent. ^{[12] [14]}

Oblivious transfer and secure computations

Lo showed that oblivious transfer and other secure computations cannot be achieved with unconditional security based only on the laws of quantum physics. ^[3] This impossibility result by Lo extends to the more general setting of relativistic quantum cryptography. ^{[12] [13]} Colbeck showed that various secure computations are impossible to achieve with unconditional security in relativistic quantum cryptography. ^{[13] [14]}

Position-based quantum cryptography

Position-based quantum cryptography consists in cryptographic tasks whose security exploit the location of a party, the principle of no-superluminal signalling and the laws of quantum physics. ^{[16] [15]} For example, in the problem of quantum location authentication, a prover wants to demonstrate his location L to a set of verifiers using quantum systems. A protocol for quantum location authentication works as follows. A set of verifiers at various locations that surround the location L send classical messages and quantum states towards the location L. If the prover is at the location L then he can receive the signals at specific times and reply to the verifiers with requested classical messages and/or quantum states, which must be received by the verifiers at specific times. ^{[16] [15]}

Quantum location authentication was first investigated by Kent in 2002, which he called ‘quantum tagging’, resulting in a filed US patent by Kent et al. in 2007, ^[22] and a publication in the academic literature in 2010, ^[15] after a paper on position-based quantum cryptography was published by Buhrman et al. ^[16] There is a no-go theorem for quantum location authentication proved by Buhrman et al. stating that it is impossible for a set of verifiers to authenticate the location of a prover with unconditional security. ^[16] This is because for any quantum location authentication protocol, a set of dishonest provers sharing a sufficient amount of entanglement and positioned between the verifiers and the location L can intercept all communications from the verifiers, including all transmitted quantum states, and then apply a non-local quantum operation which allows them to reply correctly and at the correct times to the verifiers. Since the dishonest provers do not need to be at the location L to do this, the quantum location authentication protocol is insecure. This no-go theorem assumes that the location L of the honest prover is his only credential. Kent showed that if the prover shares secret keys with the verifiers then location authentication can be implemented securely. ^[23]

References

1. Mayers, Dominic (1997). "Unconditionally Secure Quantum Bit Commitment is Impossible". Physical Review Letters. 78 (17): 3414–3417. arXiv: quant-ph/9605044 . Bibcode:1997PhRvL..78.3414M. CiteSeerX   10.1.1.251.5550 . doi:10.1103/PhysRevLett.78.3414. S2CID   14522232.
2. Lo, Hoi-Kwong; Chau, H. F. (1997). "Is Quantum Bit Commitment Really Possible?". Physical Review Letters. 78 (17): 3410–3413. arXiv: quant-ph/9603004 . Bibcode:1997PhRvL..78.3410L. doi:10.1103/PhysRevLett.78.3410. S2CID   3264257.
3. Lo, Hoi-Kwong (1997). "Insecurity of quantum secure computations". Physical Review A. 56 (2): 1154–1162. arXiv: quant-ph/9611031 . Bibcode:1997PhRvA..56.1154L. doi:10.1103/PhysRevA.56.1154. S2CID   17813922.
4. Lo, Hoi-Kwong; Chau, H. F. (1998). "Why quantum bit commitment and ideal quantum coin tossing are impossible". Physica D: Nonlinear Phenomena. 120 (1–2): 177–187. arXiv: quant-ph/9711065 . Bibcode:1998PhyD..120..177L. doi:10.1016/S0167-2789(98)00053-0. S2CID   14378275.
5. Kent, Adrian (1999). "Unconditionally Secure Bit Commitment". Physical Review Letters. 83 (7): 1447–1450. arXiv: quant-ph/9810068 . Bibcode:1999PhRvL..83.1447K. doi:10.1103/PhysRevLett.83.1447. S2CID   8823466.
6. Kent, Adrian (1999). "Coin Tossing is Strictly Weaker than Bit Commitment". Physical Review Letters. 83 (25): 5382–5384. arXiv: quant-ph/9810067 . Bibcode:1999PhRvL..83.5382K. doi:10.1103/PhysRevLett.83.5382. S2CID   16764407.
7. Kent, Adrian (2005). "Secure Classical Bit Commitment Using Fixed Capacity Communication Channels". Journal of Cryptology. 18 (4): 313–335. arXiv: quant-ph/9906103 . doi:10.1007/s00145-005-0905-8. S2CID   9732039.
8. Kent, Adrian (2011). "Unconditionally secure bit commitment with flying qudits". New Journal of Physics. 13 (11): 113015. arXiv: 1101.4620 . Bibcode:2011NJPh...13k3015K. doi:10.1088/1367-2630/13/11/113015. S2CID   12472004.
9. Kent, Adrian (2012). "Unconditionally Secure Bit Commitment by Transmitting Measurement Outcomes". Physical Review Letters. 109 (13): 130501. arXiv: 1108.2879 . Bibcode:2012PhRvL.109m0501K. doi:10.1103/PhysRevLett.109.130501. PMID   23030073. S2CID   15681144.
10. Lunghi, T.; Kaniewski, J.; Bussières, F.; Houlmann, R.; Tomamichel, M.; Wehner, S.; Zbinden, H. (2016). "Practical Relativistic Bit Commitment". Physical Review Letters. 115 (3): 030502. arXiv: 1608.03398 . doi:10.1103/PhysRevLett.115.030502. PMID   26230775. S2CID   20797497.
11. Adlam, Emily; Kent, Adrian (2015). "Device-independent relativistic quantum bit commitment". Physical Review A. 92 (2): 022315. arXiv: 1504.00944 . Bibcode:2015PhRvA..92b2315A. doi:10.1103/PhysRevA.92.022315. S2CID   16654172.
12. Colbeck, Roger; Kent, Adrian (2006). "Variable-bias coin tossing". Physical Review A. 73 (3): 032320. arXiv: quant-ph/0508149 . Bibcode:2006PhRvA..73c2320C. doi:10.1103/PhysRevA.73.032320. S2CID   10583364.
13. Colbeck, Roger (2007). "Impossibility of secure two-party classical computation". Physical Review A. 76 (6): 062308. arXiv: 0708.2843 . Bibcode:2007PhRvA..76f2308C. doi:10.1103/PhysRevA.76.062308. S2CID   18745956.
14. Colbeck, Roger (December 2006). Quantum And Relativistic Protocols For Secure Multi-Party Computation (Thesis). University of Cambridge. arXiv: 0911.3814 .
15. Kent, A.; Munro, William J.; Spiller, Timothy P. (2011). "Quantum Tagging: Authenticating location via quantum information and relativistic signalling constraints". Physical Review A. 84 (1): 012326. arXiv: 1008.2147 . Bibcode:2011PhRvA..84a2326K. doi:10.1103/PhysRevA.84.012326. S2CID   1042757.
16. Buhrman, Harry; Chandran, Nishanth; Fehr, Serge; Gelles, Ran; Goyal, Vipul; Ostrovsky, Rafail; Schaffner, Christian (2014). "Position-Based Quantum Cryptography: Impossibility and Constructions". SIAM Journal on Computing. 43 (1): 150–178. arXiv: 1009.2490 . doi:10.1137/130913687. S2CID   220613220.
17. Kent, Adrian (2011). "Location-oblivious data transfer with flying entangled qudits". Physical Review A. 84 (1): 012328. arXiv: 1102.2816 . Bibcode:2011PhRvA..84a2328K. doi:10.1103/PhysRevA.84.012328. S2CID   14751282.
18. Kent, Adrian (2012). "Quantum tasks in Minkowski space". Classical and Quantum Gravity. 29 (22): 224013. arXiv: 1204.4022 . Bibcode:2012CQGra..29v4013K. doi:10.1088/0264-9381/29/22/224013. S2CID   55127845.
19. Lunghi, T.; Kaniewski, J.; Bussières, J.; Houlmann, R.; Tomamichel, M.; Kent, A.; Gisin, N.; Wehner, S.; Zbinden, H. (2013). "Experimental Bit Commitment Based on Quantum Communication and Special Relativity". Physical Review Letters. 111 (18): 180504. arXiv: 1306.4801 . Bibcode:2013PhRvL.111r0504L. doi:10.1103/PhysRevLett.111.180504. PMID   24237497. S2CID   15916727.
20. Liu, Yang; Cao, Yuan; Curty, Marcos; Liao, Sheng-Kai; Wang, Jian; Cui, Ke; Li, Yu-Huai; Lin, Ze-Hong; Sun, Qi-Chao; Li, Dong-Dong; Zhang, Hong-Fei; Zhao, Yong; Chen, Teng-Yun; Peng, Cheng-Zhi; Zhang, Qiang; Cabello, Adán; Pan, Jian-Wei (2014). "Experimental Unconditionally Secure Bit Commitment". Physical Review Letters. 112 (1): 010504. arXiv: 1306.4413 . Bibcode:2014PhRvL.112a0504L. doi:10.1103/PhysRevLett.112.010504. PMID   24483878. S2CID   31546945.
21. Verbanis, Ephanielle; Martin, Anthony; Houlmann, Raphaël; Boso, Gianluca; Bussières, Félix; Zbinden, Hugo (2016). "24-Hour Relativistic Bit Commitment". Physical Review Letters. 117 (14): 140506. arXiv: 1605.07442 . Bibcode:2016PhRvL.117n0506V. doi:10.1103/PhysRevLett.117.140506. PMID   27740788. S2CID   1992228.
22. US 7075438,Kent, A.; Munro, W.& Spiller, T.et al.,"Tagging systems",published 2006-07-11 
23. Kent, Adrian (2011). "Quantum tagging for tags containing secret classical data". Physical Review A. 84 (2): 022335. arXiv: 1008.5380 . Bibcode:2011PhRvA..84b2335K. doi:10.1103/PhysRevA.84.022335. S2CID   17776740.