Fault-tolerant quantum computation. In Proc. 37th FOCS, 1996.
Cited by 201 (4 self)
It has recently been realized that use of the properties of quantum mechanics might speed up certain computations dramatically. Interest in quantum computation has since been growing. One of the main difficulties in realizing quantum computation is that decoherence tends to destroy the information in a superposition of states in a quantum computer, making long computations impossible. A further difficulty is that inaccuracies in quantum state transformations throughout the computation accumulate, rendering long computations unreliable. However, these obstacles may not be as formidable as originally believed. For any quantum computation with t gates, we show how to build a polynomial size quantum circuit that tolerates O(1/log^c t) amounts of inaccuracy and decoherence per gate, for some constant c; the previous bound was O(1/t). We do this by showing that operations can be performed on quantum data encoded by quantum error-correcting codes without decoding this data.
Experimental Quantum Cryptography. Journal of Cryptology, 1992.
Cited by 195 (20 self)
We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it, and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...
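The three stages in this abstract (random quantum transmission, public estimation of eavesdropping, distillation of a shorter shared secret) can be followed end to end in a classical simulation. The Python below is an added example, not code from the paper or its authors: it models ideal polarization qubits in two conjugate bases, an optional intercept-resend eavesdropper, basis sifting and error estimation, and uses SHA-256 as a stand-in for the final distillation step. The 11% abort threshold, the seed and the sample sizes are this example's assumptions.

```python
import hashlib
import random
from typing import Dict, List, Tuple


# Basis 0 = rectilinear, basis 1 = diagonal. The "very faint flashes of polarized
# light" of the abstract are modelled as ideal single qubits.
def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Measuring in the preparation basis returns the encoded bit; measuring in
    the conjugate basis returns a uniformly random bit and destroys the original."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)


def bb84(n: int, eavesdrop: bool, threshold: float = 0.11, seed: int = 2024) -> Dict:
    """Simulate one BB84-style session over n photons.

    eavesdrop=True inserts an intercept-resend attacker on the quantum channel.
    threshold is the error rate above which the parties abort; 11% is a commonly
    quoted BB84 bound and is simply this simulation's assumption."""
    rng = random.Random(seed)

    # 1) Random quantum transmission: Alice picks a bit and a basis per photon,
    #    Bob independently picks a measurement basis per photon.
    a_bits = [rng.getrandbits(1) for _ in range(n)]
    a_bases = [rng.getrandbits(1) for _ in range(n)]
    b_bases = [rng.getrandbits(1) for _ in range(n)]
    b_bits: List[int] = []
    for bit, a_basis, b_basis in zip(a_bits, a_bases, b_bases):
        if eavesdrop:
            # Eve measures in a random basis and resends what she observed, so
            # half the time she re-prepares the photon in the wrong basis.
            e_basis = rng.getrandbits(1)
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        b_bits.append(measure(bit, a_basis, b_basis, rng))

    # 2) Public discussion: bases are announced and positions where they differ
    #    are discarded (sifting). Every other surviving bit is then revealed and
    #    compared to estimate the disturbance an eavesdropper would have caused.
    sifted: List[Tuple[int, int]] = [
        (a, b) for a, b, ab, bb in zip(a_bits, b_bits, a_bases, b_bases) if ab == bb
    ]
    sample, kept = sifted[0::2], sifted[1::2]
    qber = sum(a != b for a, b in sample) / len(sample)
    result: Dict = {"sifted": len(sifted), "qber": qber, "aborted": qber > threshold}
    if result["aborted"]:
        return result  # too much disturbance: no key is distilled

    # 3) Distil a shorter shared secret. ASSUMPTION: hashing the remaining raw key
    #    with SHA-256 stands in for the paper's distillation step; a real system
    #    first runs error correction, then privacy amplification.
    a_raw = "".join(str(a) for a, _ in kept).encode()
    b_raw = "".join(str(b) for _, b in kept).encode()
    result["alice_key"] = hashlib.sha256(a_raw).hexdigest()
    result["bob_key"] = hashlib.sha256(b_raw).hexdigest()
    return result


if __name__ == "__main__":
    print(bb84(20000, eavesdrop=False))
    print(bb84(20000, eavesdrop=True))
```

Without an eavesdropper the estimated error rate is zero and both sides derive the same key. An intercept-resend attacker on every photon disturbs about a quarter of the sifted bits, which is what the public comparison detects and why the run aborts. Real apparatus has its own error floor from dark counts and misalignment, so the threshold has to sit above the expected device error, and the sample sacrificed for estimation has to be large enough for the estimate to mean anything.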
Unconditionally Secure Quantum Bit Commitment is Impossible. Phys. Rev. Lett., 1997.
Cited by 134 (10 self)
The claim of quantum cryptography has always been that it can provide protocols that are unconditionally secure, that is, for which the security does not rely on any restriction on the time, space or technology available to the cheaters. We show that this claim cannot be applied to any quantum bit commitment protocol. We briefly discuss the consequences for quantum cryptography.
New Public-key Cryptosystem Using Braid Groups. Advances in Cryptology, CRYPTO 2000 (Santa Barbara, CA), 166-183, Lecture Notes in Comput. Sci. 1880, 2000.
Cited by 98 (4 self)
The braid groups are infinite noncommutative groups naturally arising from geometric braids. The aim of this article is twofold. One is to show that the braid groups can serve as a good source to enrich cryptography. The features that make the braid groups useful to cryptography include the following: (i) The word problem is solved via a fast algorithm which computes the canonical form, which can be efficiently manipulated by computers. (ii) The group operations can be performed efficiently. (iii) The braid groups have many mathematically hard problems that can be utilized to design cryptographic primitives. The other is to propose and implement a new key agreement scheme and public key cryptosystem based on these primitives in the braid groups. The efficiency of our systems is demonstrated by their speed and information rate. The security of our systems is based on topological, combinatorial and group-theoretical problems that are intractable according to our current mathematical knowledge. The foundation of our systems is quite different from widely used cryptosystems based on number theory, but there are some similarities in design. Key words: public key cryptosystem, braid group, conjugacy problem, key exchange, hard problem, noncommutative group, one-way function, public key infrastructure
Quantum cryptography. Rev. Mod. Phys., 2002.
Cited by 94 (3 self)
Quantum cryptography could well be the first application of quantum mechanics at the individual quanta level. The very fast progress in both theory and experiments over recent years is reviewed, with emphasis on open questions and technological issues.
Secure communications over insecure channels based on short authenticated strings. In Advances in Cryptology (CRYPTO), 2005.
Cited by 86 (2 self)
We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restoration of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted.
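To see why the commitment is what makes a 15-bit authenticated string enough, here is a simulation of the message flow the abstract describes: a commitment to a random nonce sent over the insecure channel, the peer's nonce in reply, the opening, and a short string derived from both nonces that is compared over the authenticated channel. It is an added example, not the paper's own protocol or code. The SHA-256 commitment standing in for the extractable/equivocable commitment the proof relies on, the constructed SSH-key strings, the XOR used to derive the short string and the attacker's strategy are all assumptions of this example. It runs the exchange honestly, then with an active adversary on the insecure channel, both with and without the commitment.

```python
import hashlib
import random
from typing import Optional, Tuple

SAS_BITS = 15  # the "very short strings, e.g. 15 bits" of the abstract

# Constructed sample data (not from the paper): the key Alice wants Bob to trust,
# and the key an active attacker on the insecure channel wants Bob to accept.
ALICE_MSG = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAliceConstructedKey"
EVE_MSG = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEveConstructedKey"


def commit(message: bytes, nonce: bytes, rng: random.Random) -> Tuple[bytes, bytes]:
    """Commit to (message, nonce); returns (commitment, opening value).
    ASSUMPTION: SHA-256 with a 32-byte blinding value stands in for the
    extractable/equivocable commitment the paper's proof relies on. Fixed-width
    fields come first so the encoding cannot be re-split."""
    blind = rng.getrandbits(256).to_bytes(32, "big")
    return hashlib.sha256(b"sas-v1" + nonce + blind + message).digest(), blind


def opens_to(c: bytes, message: bytes, nonce: bytes, blind: bytes) -> bool:
    return hashlib.sha256(b"sas-v1" + nonce + blind + message).digest() == c


def fresh_nonce(rng: random.Random) -> bytes:
    return rng.getrandbits(SAS_BITS).to_bytes(2, "big")


def xor_sas(nonce_a: bytes, nonce_b: bytes) -> int:
    """The short authenticated string both parties compare out of band."""
    return int.from_bytes(nonce_a, "big") ^ int.from_bytes(nonce_b, "big")


def run_protocol(rng: random.Random, mitm: bool, use_commitment: bool) -> Tuple[bool, Optional[bytes]]:
    """One run of Alice authenticating ALICE_MSG to Bob over an insecure channel.
    Returns (bob_accepted, message Bob holds). With mitm=True, Eve controls the
    insecure channel; the final SAS comparison models the authenticated channel,
    which Eve can read and delay but not forge."""
    # Alice: choose R_A and send either a commitment to (m_A, R_A) or, in the
    # insecure variant shown for contrast, R_A itself in the clear.
    r_a = fresh_nonce(rng)
    c_a, d_a = commit(ALICE_MSG, r_a, rng) if use_commitment else (r_a, b"")

    if mitm and use_commitment:
        # Eve has to commit to her own nonce before Bob has chosen R_B.
        r_e = fresh_nonce(rng)
        c_bob, d_bob = commit(EVE_MSG, r_e, rng)
        m_bob, r_bob_claim = EVE_MSG, r_e
    elif mitm:
        # No commitment: Eve forwards R_A unchanged and only swaps the message.
        c_bob, d_bob, m_bob, r_bob_claim = r_a, b"", EVE_MSG, r_a
    else:
        c_bob, d_bob, m_bob, r_bob_claim = c_a, d_a, ALICE_MSG, r_a

    # Bob: choose R_B only after the first message arrived, and send it back.
    # Altering R_B gains Eve nothing (her nonce is already fixed), so it is forwarded.
    r_b = fresh_nonce(rng)

    # Alice: open the commitment. Eve substitutes the opening of her own commitment.
    # Bob: verify the opening, recover the nonce, compute his SAS.
    if use_commitment and not opens_to(c_bob, m_bob, r_bob_claim, d_bob):
        return False, None
    sas_bob = xor_sas(r_bob_claim, r_b)
    sas_alice = xor_sas(r_a, r_b)

    # Authenticated channel: Alice reads out her SAS; Bob accepts only if it matches.
    return sas_alice == sas_bob, m_bob


def attack_success_rate(trials: int, use_commitment: bool, seed: int = 3) -> float:
    """Fraction of runs in which Eve gets Bob to accept EVE_MSG."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        accepted, held = run_protocol(rng, mitm=True, use_commitment=use_commitment)
        wins += accepted and held == EVE_MSG
    return wins / trials
```

Without the commitment the short string does not depend on the message at all, so an attacker who forwards Alice's nonce unchanged and swaps in her own key wins every run. With the commitment, the attacker's nonce is fixed before Bob's is drawn, so the two short strings agree with probability about 2^-15 per run, and the loop confirms the success rate stays near zero. Only one attacker strategy is simulated here; the paper's proof covers arbitrary ones, and in particular it accounts for the stalled, cancelled or replayed deliveries the abstract mentions, which this toy does not model.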
Practical Quantum Oblivious Transfer, 1992.
Cited by 73 (12 self)
We describe a protocol for quantum oblivious transfer, utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two one-bit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (i.e., deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol is easy to modify in order to implement the All-or-Nothing Disclosure of one out of two string messages, and it can be used to implement bit commitment and oblivious circuit evaluation without complexity-theoretic assumptions, in a way that remains secure e...
A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties, 1993.
Cited by 68 (12 self)
Assume that a party, Alice, has a bit x in mind, to which she would like to be committed toward another party, Bob. That is, Alice wishes, through a procedure commit(x), to provide Bob with a piece of evidence that she has a bit x in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what x is. At a later time, Alice can reveal, through a procedure unveil(x), the value of x and prove to Bob that the piece of evidence sent earlier really corresponded to that bit. Classical bit commitment schemes (by which Alice's piece of evidence is classical information such as a bit string) cannot be secure against unlimited computing power and none have been proven secure against algorithmic sophistication. Previous quantum bit commitment schemes (by which Alice's piece of evidence is quantum information such as a stream of polarized photons) were known to be invulnerable to unlimited computing power and algorithmic sophistication, but not to arbitrary...
Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. In Advances in Cryptology, CRYPTO '96, Lecture Notes in Computer Science 1109, 1996.
Cited by 64 (6 self)
We present a very practical string-commitment scheme which is provably secure based solely on collision-free hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, and computation. Our result also proves that constant-round statistical zero-knowledge arguments and constant-round computational zero-knowledge proofs for NP exist based on the existence of collision-free hash functions.

1 Introduction

String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following two-stage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the Receiver. In Stage 2 (the Decommit stage), the Sender provides the Receiver with ...
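The two-stage locked-box process above maps directly onto a hash-based commit/decommit pair. The Python below is an added example, not the scheme from this paper: it commits with SHA-256 over a length-prefixed (message, random key) pair, which is binding under collision resistance but hiding only computationally, so a Receiver with enough computation could enumerate the random key. The enumeration function shows exactly that once the key is made small. The 'commit-v1' domain tag, the key sizes and the sample messages are this example's assumptions.

```python
import hashlib
import secrets
from typing import Iterable, Optional, Tuple

TAG = b"commit-v1"  # domain-separation tag, an assumption of this example


def _h(*fields: bytes) -> bytes:
    # Length-prefix every field so a (message, key) pair cannot be re-split and
    # opened as a different pair; plain concatenation would break binding.
    data = TAG
    for f in fields:
        data += len(f).to_bytes(4, "big") + f
    return hashlib.sha256(data).digest()


def commit(message: bytes, key_bytes: int = 32) -> Tuple[bytes, bytes]:
    """Stage 1 (Commit): the Sender locks message in a box and keeps the key.
    Returns (box, key). 32 random key bytes make enumeration infeasible for a
    bounded Receiver; collision resistance of SHA-256 makes the box binding."""
    key = secrets.token_bytes(key_bytes)
    return _h(message, key), key


def decommit(box: bytes, message: bytes, key: bytes) -> bool:
    """Stage 2 (Decommit): the Receiver re-locks the claimed message with the
    revealed key and checks that it matches the box received in Stage 1."""
    return secrets.compare_digest(box, _h(message, key))


def break_hiding(box: bytes, candidates: Iterable[bytes], key_bytes: int) -> Optional[bytes]:
    """What a Receiver with enough computation does to this construction:
    enumerate every (message, key) pair. Feasible here only because key_bytes
    is tiny; it illustrates why the hiding of H(m, r) is computational, not
    unconditional."""
    for m in candidates:
        for i in range(256 ** key_bytes):
            if _h(m, i.to_bytes(key_bytes, "big")) == box:
                return m
    return None


if __name__ == "__main__":
    box, key = commit(b"attack at dawn")
    print(decommit(box, b"attack at dawn", key), decommit(box, b"attack at dusk", key))
    weak_box, _ = commit(b"yes", key_bytes=1)
    print(break_hiding(weak_box, [b"no", b"yes", b"maybe"], key_bytes=1))
```

The paper's claim is stronger than what this toy achieves: its scheme hides the string even from a computationally unbounded Receiver using only collision-free hashing, whereas a plain H(m, r) construction can always be opened by enumerating r, as `break_hiding` does when the key space is small. For practice, the length prefixing is not cosmetic: hashing m || r without delimiters lets the Sender shift the boundary between message and key and open the same box to a different message.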
Quantum mechanics as quantum information (and only a little more). Quantum Theory: Reconsideration of Foundations, 2002.
Cited by 61 (6 self)
In this paper, I try once again to cause some good-natured trouble. The issue remains, when will we ever stop burdening the taxpayer with conferences devoted to the quantum foundations? The suspicion is expressed that no end will be in sight until a means is found to reduce quantum theory to two or three statements of crisp physical (rather than abstract, axiomatic) significance. In this regard, no tool appears better calibrated for a direct assault than quantum information theory. Far from a strained application of the latest fad to a time-honored problem, this method holds promise precisely because a large part, but not all, of the structure of quantum theory has always concerned information. It is just that the physics community needs reminding. This paper, though taking quant-ph/0106166 as its core, corrects one mistake and offers several observations beyond the previous version. In particular, I identify one element of quantum mechanics that I would not label a subjective term in the theory: it is the integer parameter D traditionally ascribed to a quantum system via its Hilbert-space dimension.