Relativistic quantum cryptography is a sub-field of quantum cryptography, in which in addition to exploiting the principles of quantum physics, the no-superluminal signalling principle of relativity theory stating that information cannot travel faster than light is exploited too. Technically speaking, relativistic quantum cryptography is a sub-field of relativistic cryptography, in which cryptographic protocols exploit the no-superluminal signalling principle, independently of whether quantum properties are used or not. However, in practice, the term relativistic quantum cryptography is used for relativistic cryptography too.
In 1997 and 1998, some important tasks in mistrustful cryptography were shown to be impossible to achieve with unconditional security. Mayers [1] and Lo and Chau [2] showed that unconditionally secure quantum bit commitment was impossible. Lo showed that oblivious transfer and a broad class of secure computations were also impossible to achieve with unconditional security in quantum cryptography. [3] Moreover, Lo and Chau showed that unconditionally secure ideal quantum coin tossing was impossible too. [4] In this context, Kent provided in 1999 the first relativistic cryptographic protocols, for bit commitment and ideal coin tossing, which overcome the assumptions made by Mayers, Lo and Chau, and achieve unconditional security. [5] [6] Since then, other unconditionally secure relativistic protocols for bit commitment have been found by Kent and others, [7] [8] [9] [10] [11] and other cryptographic tasks have been investigated in the setting of relativistic quantum cryptography. [12] [13] [14] [15] [16] [17] [18]
The no-signalling principle of quantum theory states that information cannot be communicated between two distinct locations L0 and L1 without the transmission of any physical systems, despite any quantum entanglement shared between L0 and L1. This implies, in particular, that without the transmission of any physical systems between L0 and L1, quantum correlation between L0 and L1 cannot be used to transmit information between L0 and L1, even if they are non-locally causal and violate Bell inequalities. According to relativity theory, physical systems cannot travel faster than the speed of light. Thus, it follows from the no-signalling principle that information cannot travel faster than the speed of light. This is called the no-superluminal signalling principle.
The principle of no-superluminal signalling is the key physical principle exploited in relativistic cryptography. It guarantees that the outcome x of a random variable X obtained at some spacetime point P cannot influence the probability that a random variable Y takes some value y at a spacelike separated spacetime point Q. Thus, for example, if two parties Alice and Bob have each two agents, with the first agent of Bob sending a secret message x to a first agent of Alice at the spacetime point P, and with the second agent of Alice sending a secret message y to the second agent of Bob at the spacetime point Q, with P and Q spacelike separated, then Bob can be guaranteed that the message y received from Alice was chosen independently of the message x that he gave Alice, and vice versa. This is a useful mathematical property that is exploited to prove the security of cryptographic protocols in relativistic cryptography.
It is a fundamental requirement in relativistic cryptography that the parties implementing the cryptographic task have a good description of spacetime, at least within the region of spacetime where the task is implemented. For example, in protocols implemented near the Earth surface, it can be assumed that spacetime is close to Minkowski. Importantly, this means that, near the Earth surface, physical systems and information cannot travel faster than the speed of light through vacuum, which is approximately 300,000 km/s. In principle, relativistic cryptography can be applied with more general spacetimes, as long as the parties can guarantee that there are no mechanisms allowing instant communication, like wormholes. Another requirement is that the parties have access to a common reference frame, so that they can guarantee that some communication events are spacelike separated. [5]
In relativistic cryptography, it is assumed that each party participating in the cryptographic task has various trusted agents that collaborate to implement the task. The agents implement the protocol by performing different actions at various points in spacetime. The agents of the same party may communicate via authenticated and secure channels, which can be implemented with previously shared secure keys, for example using one-time pads. [5] [18]
Various tasks investigated by relativistic cryptography consist in tasks of mistrustful cryptography, in which two or more mistrustful parties must collaborate to implement a cryptographic task while at the same time being guaranteed that other parties do not cheat. Examples of tasks in mistrustful cryptography are bit commitment, coin tossing, oblivious transfer and secure computations. Key distribution does not belong to mistrustful cryptography, because in this case the parties distributing the key trust each other. In relativistic cryptography, each participating party has various trusted agents, who collaborate with each other by performing different actions at various spacetime points. For example, Alice and Bob can be two companies with offices and laboratories at various locations in the Earth. Alice's offices and laboratories work in collaboration and trust each other. Similarly, Bob's offices and laboratories work in collaboration and trust each other. But Alice and Bob do not trust each other. [5] [18]
Bit commitment is an important cryptographic task that has been widely investigated in relativistic cryptography. In bit commitment, Alice commits to a bit b at some time t, and at some later time t’ > t Alice unveils her committed bit b to Bob. A bit commitment is said to be "hiding" if Bob cannot know b before Alice unveils. It is said to be "binding" if after the commitment time t, Alice cannot choose the value of b and successfully unveil b to Bob. A bit commitment protocol is "secure" if it is hiding and binding. The Mayers-Lo-Chau no go theorem states that unconditionally secure bit commitment is impossible based only on the laws of quantum physics. [1] [2] It was shown by Kent that the Mayers-Lo-Chau theorem is not general enough because it excludes protocols that exploit the principle of no-superluminal signalling. [5] Kent provided the first unconditionally secure bit commitment protocol in the setting of relativistic cryptography. [5] Various protocols for bit commitment have been devised by Kent and others. [7] [8] [9] [10] [11] Experimental demonstrations of relativistic bit commitment have been implemented. [19] [20] [10] [21]
In strong coin tossing, Alice and Bob are at different locations and they wish to toss a coin in such a way that Alice is guaranteed that Bob cannot bias the outcome, and Bob is guaranteed that Alice cannot bias the outcome either. It was shown by Lo and Chau that ideal strong coin tossing is impossible to achieve with unconditional security based only on the laws of quantum physics. [4] However, Kent overcame this no-go theorem by providing a relativistic protocol for strong coin tossing that is unconditionally secure. [6] This protocol is conceptually very simple and is illustrated here as an example of a protocol in relativistic cryptography.
In Kent's coin tossing protocol, Alice has two agents A0 and A1, and Bob has two agents B0 and B1. Ai and Bi are at location Li, for . Let L0 and L1 have a distant separation D. Let us assume that spacetime is Minkowski. Thus, the minimum time that light takes to travel between L0 and L1 is t = D/c, where c is the speed of light through vacuum. A0 generates a random bit in a secure laboratory and gives it to B0 at a time t0. B1 generates a random bit b in a secure laboratory and gives it to A1 at a time t1. B0 and B1 communicate and b through a secure and authenticated channel. Similarly, A0 and A1 communicate and b through a secure and authenticated channel. Alice and Bob agree that the output of the toss d is the xor of the bits and b, . Alice and Bob agree on advance on the values of t0 and t1 in a common reference frame, in such a way that |t0 - t1| < t. Thus, from the principle of no superluminal signalling, at receiving from A0, B0 cannot send any signal that arrives to B1 before B1 gives b to A1. Therefore, Alice is guaranteed that the bit b is chosen by Bob independently of the bit chosen by her. Since Alice chooses randomly, and since b is independent of , Alice is guaranteed that the bit is random. With similar arguments, Bob is also guaranteed that the bit d is random.
Variations of coin tossing have been investigated in relativistic cryptography by Colbeck and Kent. [12] [14]
Lo showed that oblivious transfer and other secure computations cannot be achieved with unconditional security based only on the laws of quantum physics. [3] This impossibility result by Lo extends to the more general setting of relativistic quantum cryptography. [12] [13] Colbeck showed that various secure computations are impossible to achieve with unconditional security in relativistic quantum cryptography. [13] [14]
Position-based quantum cryptography consists in cryptographic tasks whose security exploit the location of a party, the principle of no-superluminal signalling and the laws of quantum physics. [16] [15] For example, in the problem of quantum location authentication, a prover wants to demonstrate his location L to a set of verifiers using quantum systems. A protocol for quantum location authentication works as follows. A set of verifiers at various locations that surround the location L send classical messages and quantum states towards the location L. If the prover is at the location L then he can receive the signals at specific times and reply to the verifiers with requested classical messages and/or quantum states, which must be received by the verifiers at specific times. [16] [15]
Quantum location authentication was first investigated by Kent in 2002, which he called ‘quantum tagging’, resulting in a filed US patent by Kent et al. in 2007, [22] and a publication in the academic literature in 2010, [15] after a paper on position-based quantum cryptography was published by Buhrman et al. [16] There is a no-go theorem for quantum location authentication proved by Buhrman et al. stating that it is impossible for a set of verifiers to authenticate the location of a prover with unconditional security. [16] This is because for any quantum location authentication protocol, a set of dishonest provers sharing a sufficient amount of entanglement and positioned between the verifiers and the location L can intercept all communications from the verifiers, including all transmitted quantum states, and then apply a non-local quantum operation which allows them to reply correctly and at the correct times to the verifiers. Since the dishonest provers do not need to be at the location L to do this, the quantum location authentication protocol is insecure. This no-go theorem assumes that the location L of the honest prover is his only credential. Kent showed that if the prover shares secret keys with the verifiers then location authentication can be implemented securely. [23]
Faster-than-light travel and communication are the conjectural propagation of matter or information faster than the speed of light. The special theory of relativity implies that only particles with zero rest mass may travel at the speed of light, and that nothing may travel faster.
Quantum teleportation is a technique for transferring quantum information from a sender at one location to a receiver some distance away. While teleportation is commonly portrayed in science fiction as a means to transfer physical objects from one location to the next, quantum teleportation only transfers quantum information. The sender does not have to know the particular quantum state being transferred. Moreover, the location of the recipient can be unknown, but to complete the quantum teleportation, classical information needs to be sent from sender to receiver. Because classical information needs to be sent, quantum teleportation cannot occur faster than the speed of light.
Quantum entanglement is the phenomenon that occurs when a group of particles are generated, interact, or share spatial proximity in such a way that the quantum state of each particle of the group cannot be described independently of the state of the others, including when the particles are separated by a large distance. The topic of quantum entanglement is at the heart of the disparity between classical and quantum physics: entanglement is a primary feature of quantum mechanics not present in classical mechanics.
A wormhole is a hypothetical structure connecting disparate points in spacetime, and is based on a special solution of the Einstein field equations.
Quantum key distribution (QKD) is a secure communication method that implements a cryptographic protocol involving components of quantum mechanics. It enables two parties to produce a shared random secret key known only to them, which then can be used to encrypt and decrypt messages. The process of quantum key distribution is not to be confused with quantum cryptography, as it is the best-known example of a quantum-cryptographic task.
Numerical relativity is one of the branches of general relativity that uses numerical methods and algorithms to solve and analyze problems. To this end, supercomputers are often employed to study black holes, gravitational waves, neutron stars and many other phenomena governed by Einstein's theory of general relativity. A currently active field of research in numerical relativity is the simulation of relativistic binaries and their associated gravitational waves.
BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure assuming a perfect implementation, relying on two conditions: (1) the quantum property that information gain is only possible at the expense of disturbing the signal if the two states one is trying to distinguish are not orthogonal ; and (2) the existence of an authenticated public classical channel. It is usually explained as a method of securely communicating a private key from one party to another for use in one-time pad encryption. The proof of BB84 depends on a perfect implementation. Side channel attacks exist, taking advantage of non-quantum sources of information. Since this information is non-quantum, it can be intercepted without measuring or cloning quantum particles.
Quantum cloning is a process that takes an arbitrary, unknown quantum state and makes an exact copy without altering the original state in any way. Quantum cloning is forbidden by the laws of quantum mechanics as shown by the no cloning theorem, which states that there is no operation for cloning any arbitrary state perfectly. In Dirac notation, the process of quantum cloning is described by:
In theoretical physics, quantum nonlocality refers to the phenomenon by which the measurement statistics of a multipartite quantum system do not admit an interpretation in terms of a local realistic theory. Quantum nonlocality has been experimentally verified under different physical assumptions. Any physical theory that aims at superseding or replacing quantum theory should account for such experiments and therefore cannot fulfill local realism; quantum nonlocality is a property of the universe that is independent of our description of nature.
SARG04 is a 2004 quantum cryptography protocol derived from the first protocol of that kind, BB84.
Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical communication. For example, it is impossible to copy data encoded in a quantum state. If one attempts to read the encoded data, the quantum state will be changed due to wave function collapse. This could be used to detect eavesdropping in quantum key distribution (QKD).
The Bousso bound captures a fundamental relation between quantum information and the geometry of space and time. It appears to be an imprint of a unified theory that combines quantum mechanics with Einstein's general relativity. The study of black hole thermodynamics and the information paradox led to the idea of the holographic principle: the entropy of matter and radiation in a spatial region cannot exceed the Bekenstein–Hawking entropy of the boundary of the region, which is proportional to the boundary area. However, this "spacelike" entropy bound fails in cosmology; for example, it does not hold true in our universe.
The noisy-storage model refers to a cryptographic model employed in quantum cryptography. It assumes that the quantum memory device of an attacker (adversary) trying to break the protocol is imperfect (noisy). The main goal of this model is to enable the secure implementation of two-party cryptographic primitives, such as bit commitment, oblivious transfer and secure identification.
Within quantum cryptography, the Decoy state quantum key distribution (QKD) protocol is the most widely implemented QKD scheme. Practical QKD systems use multi-photon sources, in contrast to the standard BB84 protocol, making them susceptible to photon number splitting (PNS) attacks. This would significantly limit the secure transmission rate or the maximum channel length in practical QKD systems. In decoy state technique, this fundamental weakness of practical QKD systems is addressed by using multiple intensity levels at the transmitter's source, i.e. qubits are transmitted by Alice using randomly chosen intensity levels, resulting in varying photon number statistics throughout the channel. At the end of the transmission Alice announces publicly which intensity level has been used for the transmission of each qubit. A successful PNS attack requires maintaining the bit error rate (BER) at the receiver's end, which can not be accomplished with multiple photon number statistics. By monitoring BERs associated with each intensity level, the two legitimate parties will be able to detect a PNS attack, with highly increased secure transmission rates or maximum channel lengths, making QKD systems suitable for practical applications.
Quantum readout is a method to verify the authenticity of an object. The method is secure provided that the object cannot be copied or physically emulated.
A quantum cryptographic protocol is device-independent if its security does not rely on trusting that the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices. Several important problems have been shown to admit unconditional secure and device-independent protocols. A closely related topic is measurement-device independent quantum key distribution.
The six-state protocol (SSP) is the quantum cryptography protocol that is the version of BB84 that uses a six-state polarization scheme on three orthogonal bases.
Consider two remote players, connected by a channel, that don't trust each other. The problem of them agreeing on a random bit by exchanging messages over this channel, without relying on any trusted third party, is called the coin flipping problem in cryptography. Quantum coin flipping uses the principles of quantum mechanics to encrypt messages for secure communication. It is a cryptographic primitive which can be used to construct more complex and useful cryptographic protocols, e.g. Quantum Byzantine agreement.
Continuous-variable (CV) quantum information is the area of quantum information science that makes use of physical observables, like the strength of an electromagnetic field, whose numerical values belong to continuous intervals. One primary application is quantum computing. In a sense, continuous-variable quantum computation is "analog", while quantum computation using qubits is "digital." In more technical terms, the former makes use of Hilbert spaces that are infinite-dimensional, while the Hilbert spaces for systems comprising collections of qubits are finite-dimensional. One motivation for studying continuous-variable quantum computation is to understand what resources are necessary to make quantum computers more powerful than classical ones.
Adrian Kent is a British theoretical physicist, Professor of Quantum Physics at the University of Cambridge, member of the Centre for Quantum Information and Foundations, and Distinguished Visiting Research Chair at the Perimeter Institute for Theoretical Physics. His research areas are the foundations of quantum theory, quantum information science and quantum cryptography. He is known as the inventor of relativistic quantum cryptography. In 1999 he published the first unconditionally secure protocols for bit commitment and coin tossing, which were also the first relativistic cryptographic protocols. He is a co-inventor of quantum tagging, or quantum position authentication, providing the first schemes for position-based quantum cryptography. In 2005 he published with Lucien Hardy and Jonathan Barrett the first security proof of quantum key distribution based on the no-signalling principle.