Abstract. We prove the unconditional security of a quantum key distribution (QKD) protocol on a noisy channel against the most general attack allowed by quantum physics. We use the fact that in a previous paper we have reduced the proof of the unconditionally security of this QKD protocol to a proof that a corresponding Quantum String Oblivious Transfer (String-QOT) protocol would be unconditionally secure against Bob if implemented on top of an unconditionally secure bit commitment scheme. We prove a lemma that extends a security proof given by Yao for a (one bit) QOT protocol to this String-QOT protocol. This result and the reduction mentioned above implies the unconditional security of our QKD protocol despite our previous proof that unconditionally secure bit commitment schemes are impossible. 1

One of the most intriguing facts about communication using quantum states is that these states cannot be used to transmit more classical bits than the number of qubits used, yet in some scenarios there are ways of conveying information with much fewer, even exponentially fewer, qubits than possible classically [1], [2], [3]. Moreover, some of these methods have a very simple structure|they involve only few message exchanges between the communicating parties. We consider the question as to whether every classical protocol may be transformed to a \simpler" quantum protocol|one that has similar eciency, but uses fewer message exchanges.

Abstract. We show that although unconditionally secure quantum bit commitment is impossible, it can be based upon any family of quantum one-way permutations. The resulting scheme is unconditionally concealing and computationally binding. Unlike the classical reduction of Naor, Ostrovski, Ventkatesen and Young, our protocol is non-interactive and has communication complexity O(n) qubits for n a security parameter. 1

We devise a simple modification that essentially doubles the efficiency of the BB84 quantum key distribution scheme proposed by Bennett and Brassard. We also prove the security of our modified scheme against the most general eavesdropping attack that is allowed by the laws of physics. The first major ingredient of our scheme is the assignment of significantly different probabilities to the different polarization bases during both transmission and reception, thus reducing the fraction of discarded data. A second major ingredient of our scheme is a refined analysis of accepted data: We separate the accepted data into various subsets according to the basis employed and estimate an error rate for each subset separately. We then show that such a refined data analysis guarantees the security of our scheme against the most general eavesdropping strategy, thus generalizing Shor and Preskill’s proof of security of BB84 to our new scheme. Up till now, most proposed proofs of security of singleparticle type quantum key distribution schemes have relied heavily upon the fact that the bases are chosen uniformly, randomly and independently. Our proof removes this symmetry requirement.

We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a "trusted initializer " who participates only in an initial setup phase. The scheme also utilizes private channels between each pair of parties. The Sender is able to easily commit to a large value; the scheme is not just a "bit-commitment " scheme. We also observe that 1-out-of-n oblivious transfer is easily handled in the same model, using a simple OT protocol due to Bennett et al.[2].

We present a new protocol and two lower bounds for quantum coin flipping. In our protocol, no dishonest party can achieve one outcome with probability more than 0.75. Then, we show that our protocol is optimal for a certain type of quantum protocols. For arbitrary quantum protocols, we show that if a protocol achieves a bias of at most ǫ, it must use at least Ω(log log 1 ǫ) rounds of communication. This implies that the parallel repetition fails for quantum coin flipping. (The bias of a protocol cannot be arbitrarily decreased by running several copies of it in parallel.) 1

Unconditionally secure bit commitment and coin flipping are known to be impossible in the classical world. Bit commitment is known to be impossible also in the quantum world. We introduce a related new primitive - quantum bit escrow. In this primitive Alice commits to a bit b to Bob. The commitment is binding in the sense that if Alice is asked to reveal the bit, Alice can not bias her commitment without having a good probability of being detected cheating. The commitment is sealing in the sense that if Bob learns information about the encoded bit, then if later on he is asked to prove he was playing honestly, he is detected cheating with a good probability. Rigorously proving the correctness of quantum cryptographic protocols has proved to be a difficult task. We develop techniques to prove quantitative statements about the binding and sealing properties of the quantum bit escrow protocol.

We show that three fundamental information-theoretic constraints—the impossibility of superluminal information transfer between two physical systems by performing measurements on one of them, the impossibility of broadcasting the information contained in an unknown physical state, and the impossibility of unconditionally secure bit commitment—suffice to entail that the observables and state space of a physical theory are quantum-mechanical. We demonstrate the converse derivation in part, and consider the implications of alternative answers to a remaining open question about nonlocality and bit commitment. KEY WORDS: quantum theory; information-theoretic constraints. Of John Wheeler’s ‘‘Really Big Questions,’ ’ the one on which most progress has been made is It from Bit?—does information play a significant role at the foundations of physics? It is perhaps less ambitious than some of the other Questions, such as How Come Existence?, because it does not necessarily require a metaphysical answer. And unlike, say, Why the Quantum?, it does not require the discovery of new laws of nature: there was room for hope that it might be answered through a better understanding of the laws as we currently know them, particularly those of quantum physics. And this is what has happened: the better understanding is the quantum theory of information and computation. 1

This paper proves that several interactive proof systems are zeroknowledge against general quantum attacks. This includes the well-known Goldreich-Micali-Wigderson classical zero-knowledge protocols for Graph Isomorphism and Graph 3-Coloring (assuming the existence of quantum computationally concealing commitment schemes in the second case). Also included is a quantum interactive protocol for a complete problem for the complexity class of problems having “honest verifier” quantum statistical zero-knowledge proofs, which therefore establishes that honest verifier and general quantum statistical zero-knowledge are equal: QSZK = QSZK HV. Previously no non-trivial proof systems were known to be zero-knowledge against quantum attacks, except in restricted settings such as the honest-verifier and common reference string models. This paper therefore establishes for the first time that true zero-knowledge is indeed possible in the presence of quantum information and computation.

In this paper we propose a definition for honest verifier quantum statistical zero-knowledge interactive proof systems and study the resulting complexity class, which we denote QSZK