Short course on quantum computing Andris Ambainis University of Latvia
Lecture 3 Recent results in quantum cryptography
Quantum cryptography Unconditional secure key distribution. Unconditional security for other tasks?
Setting QKD: two honest parties, connected by insecure channel. Protection from eavesdropping. Two (or more) parties, some of them might be dishonest. Honest parties need to be protected from dishonest ones.
Bit commitment Alice has a bit a. She wants to commit it to Bob so that Bob does not learn a, Alice cannot change it.
Coin flipping Alice and Bob want to flip a coin so that neither of them controls the outcome. If both honest, 0 (1) with probability 1/2. If one honest, 0 (1) with probability at most 1/2+ .
Oblivious transfer Alice has two bits x 0, x 1. Bob wants to learn x b so that: Alice does not learn b. Alice is guaranteed that Bob gets only one bit.
Secret sharing Secret m. Distribute it among n parties so that any k parties have no information about m.
Multiparty computation Alice has x, Bob has y. They want to compute f(x, y) so that: Alice learns nothing about y except f(x, y). Bob learns nothing about x except f(x, y). Generalizes to more than two parties.
Coin flipping Alice and Bob want to flip a coin so that neither of them controls the outcome. If both honest, 0 (1) with probability 1/2. If one honest, 0 (1) with probability at most 1/2+ .
Classical coin flipping If hard functions are available, Information-theoretically (unlimited computational power), one party can always force one outcome with probability 1.
Quantum coin flipping Protocol with =1/4 [A, 2000]. Lower bound of 1/2+ 1/ 2 [Kitaev, 2001]. Better protocols with weaker definition [A, RS, 2002].
Classical coin flipping a {0, 1}b {0, 1} Commit (a) b Reveal (a) Result: (a+b) mod 2.
Why is this secure? Bob is honest, Alice cheating. Alice’s bit a does not depend on b because Alice has to commit a before seeing b. Bob picks 0/1 with probability ½. The result is a or (a+1) mod 2 with probability ½.
Quantum coin flipping a, x {0, 1}b {0, 1} b a,x Result: (a+b) mod 2.
General quantum states k-dimensional quantum system. Basis |1>, |2>, …, |k>. General state 1 |1>+ 2 |2>+…+ k |k>, | 1 |^2+…+ | k |^2=1 2 k dimensional system can be constructed as a tensor product of k quantum bits.
Measurements Measuring 1 |1>+ 2 |2>+…+ k |k> in the basis |1>, |2>, …, |k> gives |i> with probability | i | 2. Any orthogonal basis can be used.
Quantum coin flipping a, x {0, 1}b {0, 1} b a,x Result: (a+b) mod 2.
States
Security result Theorem. Alice (Bob) cannot achieve 0 (1) with probability more than 3/4.
Cheating Bob Bob could measure the state in basis |0>, |1>, |2>. If a=0, he gets |0> or |1> with probabilities 1/2. If a=1, |0> or |2> with probabilities 1/2. Learns a with probability 1/2, no information otherwise.
Mixed states If a=0, Alice sends |0> |1> with probabilities 1/2. If a=1, Alice sends |0> |2> with probabilities 1/2. How well can Bob distinguish these two?
Mixed states Probabilistic combinations of quantum states. (|0> with probability 1/2 and |1> with probability 1/2) not the same as |0>+|1>. |1> |0> |0> +|1> |0> -|1>
Equivalent mixed states Let 0 be |0> or |1> with probabilities 1/2. Let 1 be |0> |1> with probabilities 1/2. Any measurement on 0 produces the same probability distribution as on 1.
Bra-ket notation
Inner product
Density matrix Consider the mixed state that is | i > with probabilities p i. The density matrix is
Density matrix Let
Cheating Bob Alice sends 0, 1. How well can Bob distinguish these two?
Cheating Bob Theorem: The best probability with which Bob can guess i, given i, is For matrices in our protocol, || 0 - 1 || t =1, probability 3/4.
Cheating Alice. Fidelity of two density matrices. Bounds how one state can be transformed into another. Probability that Alice can convince Bob that a=0 is F( , 0 ). Probability that Alice can convince Bob that a=1 is F( , 1 ).
Quantum coin flipping a, x {0, 1}b {0, 1} b a,x Result: (a+b) mod 2.
Better bit commitment Quantum bit commitment => Quantum coin flipping. Better commitment? Bob can’t guess a at all, but Alice can’t change it?
Impossibility theorem Theorem [Mayers, 1996]. Perfect quantum bit commitment is impossible. If Bob’s state contains no information about Alice’s bit, Alice can change commitment perfectly. Note: there was a “provably secure” protocol before Mayers’ proof.
Delayed measurements Any measurement can be delayed till end of protocol. Any classical random variable can be replaced by a quantum state. E.g. 0/1 random bit can be replaced by
State after commitment By delayed measurement, pure state | >. Let | 0 > be the state if Alice commits 0, | 1 > be the state if Alice commits 1. How well Bob can distinguish | 0 > and | 1 >?
Tracing out Imagine that Alice measures her part. Then, Bob is left with mixed state. |0> |1>
Distinguishability If Bob cannot access Alice’s part, distinguishing | 0 > and | 1 > is equivalent to distinguishing 0 and 1. Bob can guess commitment with probability Perfectly secure if || 0 - 1 || t =0, i.e. 0 = 1.
Transformability Theorem. If 0 = 1, then there is a unitary U on Alice’s part such that U| 0 >= | 1 >. Perfectly hiding commitments are completely non-binding. Almost perfecly hiding commitments?
Fidelity F( 0, 1 )=max | | 2, over all | 0 >, | 1 > that give 0, 1 if Alice’s part is traced out. Any test that accepts | 0 > with certainty, accepts | 1 > with probability at least | | 2.
Fidelity Theorem. For any | 0 >, | 1 > Alice can transform | 0 > into a state that is accepted as | 1 > with probability F( 0, 1 ). Theorem [Ullman, 1972]
Trace distance vs. fidelity Theorem [Fuchs, van de Graaf, 1997] Tradeoff between Alice’s and Bob’s cheating probabilities.
Summary on bit commitment In any protocol, either Alice or Bob is capable of cheating with a constant success probability. Protocols in which both parties can’t cheat perfectly, exist.
Coin flipping Trace distance vs. fidelity gives some lower bounds for coin flipping. Based on one-round commitment [A,RS, 2001]: 3/4. Based on multi-round commitment: 9/16 [Nayak,Shor,2002]. Not based on commitment?
Different protocol [Salvail, 2000] Alice generate two copies of sends second qubits to Bob. Bob randomly chooses one and verifies it. Alice and Bob measure the other pair.
Security Theorem [Salvail, 2000] No party can achieve 0 (1) with probability more than 3/4.
Lower bound [Kitaev, 2002] Theorem. In any protocol, one party can force 0 (1) with probability at least 1/ . Proof. Write a semidefinite program for max probability achieved by Alice/ Bob. Look at the dual program. Combine the dual programs.
Weak CF Assume that Alice can achieve 0 with probability 1 and Bob can achieve 1 with probability 1. Would the protocol be useful? Yes, if Alice wants 1 and Bob wants 0. Still allowed by Kitaev’s theorem.
Weak CF Only interested in probability of Alice achieving 1 and Bob achieving 0. Kitaev’s lower bound allows 1/2+ . Theorem [A, Rudolph-Spekkens, 2002] There is a protocol with probability 1/ 2.
Protocol Alice prepares Bob maps |12> Bob wins, Alice verifies Alice wins, Bob verifies
CF summary StrongWeak 3/4 1/ 2 >0 Protocol Lower bound
CF open problems Better protocols/lower bounds. Coin flipping with penalty for cheating. Party caught cheating loses k coins instead of 1. Best result achievable by cheater? The tradeoff between successful cheating vs. being caught.
Open problems Other cryptographic primitives. Quantum zero knowledge? Multiparty computation. Composing the primitives.