Results 1-10 of 59
Generalized Privacy Amplification
IEEE Transactions on Information Theory, 1995
Cited by 212 (18 self)
This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard and Robert [1] for a special scenario. The results have applications to unconditionally-secure secret-key agreement protocols, quantum cryptography and to a non-asymptotic and constructive treatment of the secrecy capacity of wiretap and broadcast channels, even for a considerably strengthened definition of secrecy capacity. I. Introduction. This paper is concerned with unconditionally-secure secret-key agreement by two communicating parties Alice and Bob who both know a random variable W, for instance a random n-bit string, about which an eavesdropper Eve has incomplete information characterized by the random variable V jointly distributed with W according to P_{VW}. This distribution may partially be under Eve's control. Alice and Bob know nothing about P_{VW}, except that it satisfies a certain constraint. We present protocols by which Alice and Bob can us...
Experimental Quantum Cryptography
Journal of Cryptology, 1992
Cited by 195 (20 self)
We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it; and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...
Secret-Key Reconciliation by Public Discussion
1994
Cited by 92 (3 self)
Assuming that Alice and Bob use a secret noisy channel (modelled by a binary symmetric channel) to send a key, reconciliation is the process of correcting errors between Alice's and Bob's versions of the key. This is done by public discussion, which leaks some information about the secret key to an eavesdropper. We show how to construct protocols that leak a minimum amount of information. However, this construction cannot be implemented efficiently. If Alice and Bob are willing to reveal an arbitrarily small amount of additional information (beyond the minimum), then they can implement polynomial-time protocols. We also present a more efficient protocol, which leaks an amount of information acceptably close to the minimum possible for sufficiently reliable secret channels (those with probability of any symbol being transmitted incorrectly as large as 15%). This work improves on earlier reconciliation approaches [R, BBR, BBBSS]. 1 Introduction. Unlike public-key cryptosystems, the securi...
A Quantum Bit Commitment Scheme Provably Unbreakable by Both Parties
1993
Cited by 68 (12 self)
Assume that a party, Alice, has a bit x in mind, to which she would like to be committed toward another party, Bob. That is, Alice wishes, through a procedure commit(x), to provide Bob with a piece of evidence that she has a bit x in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what x is. At a later time, Alice can reveal, through a procedure unveil(x), the value of x and prove to Bob that the piece of evidence sent earlier really corresponded to that bit. Classical bit commitment schemes (in which Alice's piece of evidence is classical information such as a bit string) cannot be secure against unlimited computing power, and none have been proven secure against algorithmic sophistication. Previous quantum bit commitment schemes (in which Alice's piece of evidence is quantum information such as a stream of polarized photons) were known to be invulnerable to unlimited computing power and algorithmic sophistication, but not to arbitrary...
Why Quantum Bit Commitment and Ideal Quantum Coin Tossing Are Impossible
In Proceedings of PhysComp96, 1996
Cited by 62 (7 self)
There had been well-known claims of unconditionally secure quantum protocols for bit commitment. However, we, and independently Mayers, showed that all proposed quantum bit commitment schemes are, in principle, insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen (EPR) type of attack and delaying her measurements. One might wonder if secure quantum bit commitment protocols exist at all. We answer this question by showing that the same type of attack by Alice will, in principle, break any bit commitment scheme. The cheating strategy generally requires a quantum computer. We emphasize the generality of this “no-go theorem”: unconditionally secure bit commitment schemes based on quantum mechanics, whether fully quantum, classical, or quantum but with measurements, are all ruled out by this result. Since bit commitment is a useful primitive for building up more sophisticated protocols such as zero-knowledge proofs, our results cast very serious doubt on the security of quantum cryptography in the so-called “post-cold-war” applications. We also show that ideal quantum coin tossing is impossible because of the EPR attack. This no-go theorem for ideal quantum coin tossing may help to shed some light on the possibility of non-ideal protocols.
Is Quantum Bit Commitment Really Possible?
1996
Cited by 59 (3 self)
We show that all proposed quantum bit commitment schemes are insecure because the sender can always cheat successfully by using an EPR-type of attack and delaying her measurement until she opens her commitment. A bit commitment scheme generally involves two parties, a sender, Alice, and a receiver, Bob. Suppose that Alice has a bit (b = 0 or 1) in mind, to which she would like to be committed towards Bob. That is to say, she wishes to provide Bob with a piece of evidence that she has a bit in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what b is. At a later time, however, it must be possible for Alice to open the commitment. In other words, Alice must be able to show Bob which bit she has committed to and convince him that this is indeed the genuine bit that she had in mind when she committed. Various quantum bit...
The Quantum Challenge to Structural Complexity Theory
1992
Cited by 53 (5 self)
This is a non-technical survey paper of recent quantum-mechanical discoveries that challenge generally accepted complexity-theoretic versions of the Church-Turing thesis. In particular, building on pioneering work of David Deutsch and Richard Jozsa, we construct an oracle relative to which there exists a set that can be recognized in Quantum Polynomial Time (QP), yet any Turing machine that recognizes it would require exponential time even if allowed to be probabilistic, provided that errors are not tolerated. In particular, QP ⊄ ZPP relative to this oracle. Furthermore, there are cryptographic tasks that are demonstrably impossible to implement with unlimited-computing-power probabilistic interactive Turing machines, yet they can be implemented even in practice by quantum mechanical apparatus. 1 Deutsch's Quantum Computer. In a bold paper published in the Proceedings of the Royal Society, David Deutsch put forth in 1985 the quantum computer [7] (see also [8]). Even though this may c...
Efficient Cryptographic Protocols Based on Noisy Channels
1996
Cited by 51 (0 self)
The Wire-Tap Channel of Wyner [20] shows that a Binary Symmetric Channel (BSC) may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Crépeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires Ω(n^11) bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending O(n) and O(n^3) bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [1] that allows two people to extract secret information from partially compromised data. 1 Introduction. The cryptographic power of...
Quantum Key Distribution and String Oblivious Transfer on Noisy Channels (Los Alamos preprint archive quant-ph/9606003)
Advances in Cryptology: Proceedings of Crypto '96, Lecture Notes in Computer Science
Cited by 42 (9 self)
We prove the unconditional security of a quantum key distribution (QKD) protocol on a noisy channel against the most general attack allowed by quantum physics. We use the fact that in a previous paper we have reduced the proof of the unconditional security of this QKD protocol to a proof that a corresponding Quantum String Oblivious Transfer (String-QOT) protocol would be unconditionally secure against Bob if implemented on top of an unconditionally secure bit commitment scheme. We prove a lemma that extends a security proof given by Yao for a (one-bit) QOT protocol to this String-QOT protocol. This result and the reduction mentioned above imply the unconditional security of our QKD protocol despite our previous proof that unconditionally secure bit commitment schemes are impossible.
Security of Quantum Protocols against Coherent Measurements
Proceedings of the 26th Annual ACM Symposium on the Theory of Computing, 1995
Cited by 39 (0 self)
The goal of quantum cryptography is to design cryptographic protocols whose security depends on quantum physics and little else. A serious obstacle to security proofs is the cheaters' ability to make coherent measurements on the joint properties of large composite states. With the exception of commit protocols, no cryptographic primitives have been proved secure when coherent measurements are allowed. In this paper we develop some mathematical techniques for analyzing probabilistic events in Hilbert spaces, and prove the security of a canonical quantum oblivious transfer protocol against coherent measurements. 1 Introduction. Work on quantum cryptography was started by Wiesner [Wi70] twenty-five years ago. Much knowledge on how to exploit quantum physics for cryptographic purposes has been gained through the work of Bennett and Brassard ([BBBW83][BB84][BBBSS92]), and later Crépeau ([Cr90][BC91][BBCS92][Cr94]). Furthermore, prototypes for implementing some of these ...