A.C.-C. Yao. Security of quantum protocols against coherent measurements. In Proceedings of the 27th ACM Symposium on the Theory of Computing, pages 67-75. ACM Press, 1995.  Home/Search   Document Details and Download   Summary   Related Articles   Check

.... a negligible probability of cheating (as opposition to perfect security) Our result relies heavily upon the qot protocol for quantum 1 out of 2 oblivious transfer [7, 6] The qot protocol can be seen as a construction of a secure quantum oblivious transfer from a black box for bit commitment [7, 6, 25]. Therefore, unlike the classical case, there exists a black box reduction of quantum oblivious transfer to bit commitment. The construction of a statistically concealing quantum bit commitment scheme is obtained by using the qot protocol together with a statistically binding but otherwise ....

....one out of the two bits sent and computationally conceals the receiver s selection bit whenever it is used together with statistically binding but computationally concealing commitments instead of perfect commitments given as black boxes. This extends the security result for the qot protocol of [7, 6, 25] to this case. Our reduction of an adversary for the concealing condition of the initial commitment scheme to an adversary for the binding condition of the resulting commitment scheme is an expected polynomial time black box reduction. Although quantum information has peculiar behaviors adding ....

[Article contains additional citation context not shown here]

Yao, A. C., "Security of Quantum Protocols Against Coherent Measurements ", Proceedings of the 27th Annual ACM Symposium on Theory of Computing, 1995, pp. 67 -- 75. 51

....commitment, oblivious transfer, quantum measurement, computational assumptions. 1 Introduction As for the classical case, secure quantum 2 party cryptography must rely upon some kind of assumption[14, 15, 13] However, the two models of computation do not share the same capabilities and limits[11, 6, 20]. In particular, given a classical black box for bit commitment, there exists a quantum protocol, called the CK protocol [6, 5, 4] achieving 1 2 oblivious transfer (one out of two oblivious transfer) This is in sharp contrast with the classical case where such a reduction is not only unknown but ....

....1 is easy to detect and reject. p s Our reduction shows that using computationally binding commitments one can enforce a computational or apparent collapse of quantum information. This is the rst quantum black box reduction linking the security of those two primitives. Previously, Yao [20] has shown that if the string commitment is modeled by a classical black box then the CK protocol is secure. Our result can be used for proving the security of OT in the computational setting using a completely di erent approach. Our 1 2 oblivious transfer is unconditionally secure against the ....

[Article contains additional citation context not shown here]

Yao, A. C., Security of Quantum Protocols Against Coherent Measurements, Proceedings of the 27th ACM Symposium on Theory of Computing, 1995, pp. 6775. A Proof of Lemma 1 First, we prove the following related claim: Claim. Let f~u w;z g w;z be any family of vectors, indexed by w; z 2 f0; 1g

....bit commitment schemes can be weakened compared to its classical counterpart. Our construction relies upon the qot protocol for quantum 1 out of 2 oblivious transfer of Cr epeau [5] The qot protocol can be seen as a construction of quantum oblivious transfer from a black box for bit commitment [5, 19]. Therefore and unlike the classical case, there exists a black box reduction of quantum oblivious transfer to bit commitment. Our main contribution consists in showing how any statistically binding quantum bit commitment scheme can be transformed into a statistically concealing one. The ....

....one out of the two bits sent and computationally conceals the receiver s selection bit whenever it is used together with statistically binding but computationally concealing commitments instead of perfect commitments given as black boxes. This extends the security result for the qot protocol of [5, 19] to the computational case. Our reduction of an adversary for the binding condition of the resulting commitment scheme to an adversary for the concealing condition of the initial commitment is expected polynomial time black box. Although quantum information has peculiar behaviors adding complexity ....

[Article contains additional citation context not shown here]

Yao, A. C., \Security of Quantum Protocols Against Coherent Measurements ", Proceedings of the 27th ACM Symposium on Theory of Computing, 1995, pp. 67 - 75.

....bit commitment, oblivious transfer, quantum measurement, computational assumptions. Introduction As for the classical case, secure quantum 2 party cryptography must rely upon some kind of assumption[14, 15, 13] However, the two models of computation do not share the same capabilities and limits[11, 6,20]. In particular, given a classical black box for bit commitment, there exists a quantum protocol, called the CK protocol [6, 5, 4] achieving 1 2 oblivious transfer (one out of two oblivious transfer) This is in sharp contrast with the classical case where such a reduction is not only unknown ....

....not close to 1 is easy to detect and reject. Our reduction shows that using computationally binding commitments one can enforce a computational or apparent collapse of quantum information. This is the first quantum black box reduction linking the security of those two primitives. Previously, Yao [20] has shown that if the string commitment is modeled by a classical black box then the CK protocol is secure. Our result can be used for proving the security of OT in the computational setting using a completely different approach. Our 1 2 oblivious transfer is unconditionally secure against the ....

[Article contains additional citation context not shown here]

YAO, A. C., "Security of Quantum Protocols Against Coherent Measurements", Proceedings of the 7th ACM Symposium on Theory of Computing, 1995, pp. 67-75. A Proof of Lemma I First, we prove the following related claim: Claim. Let {g,.,z},.,z be any family of vectors, indexed by w, z E {0, 1} n, that satisfies,

....bit commitment schemes can be weakened compared to its classical counterpart. Our construction relies upon the QOT protocol for quantum 1 out of 2 oblivi ous transfer of Cr6peau [5] The QOT protocol can be seen as a construction of quantum oblivious transfer from a black box for bit commitment [5, 19]. There fore and unlike the classical case, there exists a black box reduction of quantum oblivious transfer to bit commitment. Our main contribution consists in showing how any statistically binding quantum bit commitment scheme can be transformed into a statistically concealing one. The ....

....one out of the two bits sent and computationally conceals the receiver s selection bit whenever it is used together with statistically binding but computationally concealing commitments instead of perfect commitments given as black boxes. This extends the security result for the QOT protocol of [5, 19] to the computational case. Our reduction of an adversary for the binding condition of the resulting commitment scheme to an adversary for the concealing condition of the initial commitment is expected polynomial time black box. Although quantum information has peculiar behaviors adding complexity ....

[Article contains additional citation context not shown here]

YAO, A. C., "Security of Quantum Protocols Against Coherent Measurements ", Proceedings of the 2?th ACM Symposium on Theory of Computing, 1995, pp. 67- 75.

....in the two party case is equivalent to complexity based classical cryptography. For example, quantum bit commitment schemes can be built from physical assumptions that are independent of the existence of one way functions [16] Moreover, bit commitment is su#cient for quantum oblivious transfer [4, 19] which would # Supported by a NSERC grant, part of this work was done while visiting BRICS and McGill SOCS. ## Part of this work was done while visiting BRICS and NEC Tsukuba Laboratory, Japan. # # # Supported by the Thomas B. Thriges Center for KvanteInformatik (CKI) Basic Research in ....

Yao, A. C.--C., "Security of Quantum Protocols Against Coherent Measurements ", Proceedings of the Twenty-seventh Annual ACM Symposium on Theory of Computing, May 1995, pp. 67 -- 75.

....of other quantum cryptographic protocols say for oblivious transfer [ remains to be examined. This would indeed have been a serious concern had it been impossible to provide a secure quantum bit commitment scheme because quantum oblivious transfer 2 depends on the security of bit commitment [13]. On the other hand, we disagree with the following sentence from Lo and Chau: One might wonder if all of quantum cryptography may stumble under closer scrutinies because our earlier proof of security for quantum key distribution [8] would hold even if secure quantum bit commitment had not been ....

....jOE 0 i, if she uses the measurement M 1 , except with a negligible probability, the function T b will accept the input (c; c; where b = 1. This concludes the proof that the BCJL protocol is broken. Note that as a consequence, Yao s proof of security for Quantum Oblivious Transfer [13] fails because it is built on insecure foundations (through no fault of Yao) Ironically, as we stated in the Introduction, the proof of security for Quantum Key Distribution shown in [8] stands despite the fact that it draws on Yao s work because it does not depend on the security of Bit ....

A. Yao, Security of Quantum Protocols Against Coherent Measurements, in Proceedings of the 26th Symposium on the Theory of Computing, June 1995. 11

....give a quantum key distribution protocol which is unconditionally secure over arbitrarily long distance. Brassard, Crpeau [BC90] gave quantum bit commitment and quantum coin tossing protocols. Brassard et al. [BCJ93] gives quantum bit commitment scheme provably unbreakable by both parties. Yao [Yao95] proved quantum protocols secure against coherent measurements. Brassard et al. [BCM 98] shows how to defeat classical bit commitments with a quantum computer. Chau, Lo [CL98] gives further methods for qubit commitment. Crpeau et al. [CS95] gives protocols for quantum oblivious mutual ....

A. C.-C. Yao. Q Security of quantum protocols against coherent measurements. In Proceedings of the TwentySeventh Annual ACM Symposium on the Theory of Computing, pages 67-75, Las Vegas, Nevada, (May-June 1995).

....presented by Hoi Kwong Lo and Hoi Fung Chau may well prove useful [52] In addition to the above, we are aware of one claim of unconditional security for BB84 against all possible attacks consistent with quantum mechanics, which is due to Dominic Mayers [58] drawing on work by Andrew C. C. Yao [76] and earlier work of Mayers in collaboration with Salvail [61] In practice, it is not sufficient to prove the security of quantum key distribution if the proof simply states the existence of a positive constant so that secure key distribution is possible provided the quantum channel has an ....

....allowed by quantum mechanics, under the sole restriction that the legitimate photons are measured one at a time, and they found that the protocol is secure provided a secure bit commitment is available. Finally Yao showed that no restrictions on the type of measurements are necessary at all [76], and Mayers extended the proof to oblivious transfer of strings rather than bits, and considered the possibility 1 Note that Wiesner also showed how to cheat his own quantum multiplexing technique in the paper that introduced it [74] Is there something wrong with us quantum cryptographers ....

Yao, A. C.--C., "Security of quantum protocols against coherent measurements", Proceedings of 26th Annual ACM Symposium on the Theory of Computing, 1995, pp. 67 -- 75.

....we have a secure bit commitment protocol. A more robust version of this protocol that deals with transmission errors may be found in [2] Mayers and Salvail [22] have later shown that the second restriction may be reduced to general measurements involving only one photon at a time, and finally Yao [30] showed that no restrictions on the type of measurements is necessary. Lately, Mayers [21] has shown a result similar to Yao s for the more robust protocol of [2] Similarly, a new protocol for quantum bit commitment has been developed by Brassard and Cr epeau [6] in order to close the gap and ....

A. Yao, "Security of Quantum Protocols Against Coherent Measurements", Proceedings of the 26th Symposium on the Theory of Computing, June 1995, pp. 67 -- 75.

.... associated with a cryptographic application called key distribution [11, 12] and it has achieved success in this area [3] However, other applications of quantum mechanics to cryptography have also been considered and bit commitment was at the basis of most if not all of these other applications [3, 14, 15, 16]. A bit commitment scheme allows Alice to send something to Bob that commits her to a bit b of her choice in such a way that Bob cannot tell what b is, but such that Alice can later prove him D epartement IRO, Universit e de Montr eal, C.P. 6128, succursale centre ville, Montr eal (Qu ebec) ....

....also wrote a paper [7] to discuss the issue of quantum communication and other aspects of Mayers result. They used a variant of Yao s model for quantum communication. The essence of this model is that a third system is passed back and fourth under the control of each participant at their turn [16]. Mayers attack works fine in this model, and it is indeed important to verify that the attack works in such a reasonable model. With regard to classical communication, the discussion of Lo and Chau [7] is similar to the indirect approach of Mayers. Now, let us consider the attack. Of course, we ....

Yao, A. C.--C., "Security of quantum protocols against coherent measurements", Proceedings of 26th Annual ACM Symposium on the Theory of Computing, 1995, pp. 67 -- 75.

....the security of a QKD protocol. 1 Introduction The goal of quantum cryptography is to design cryptographic protocols that are secure against unlimited quantum or classical computational power. At present, the quantum protocols that have been designed are commitment [BC, BCJL] oblivious transfer [Cr87, Cr94, BBCS, MS, Yao], key distribution [BB84, BBBSS, BBBW] and identification [CS] Furthermore, prototypes for implementing some of these protocols have been built [BBBSS, MT, To94, TRT1, TRT2] However, the full security of some of these protocols has not yet been proved. One of the difficulties in providing a full ....

....has not yet been proved. One of the difficulties in providing a full security proof is the cheaters ability to execute coherent measurements on many photons at a time. At present, security against coherent measurements has been obtained in the case of commitment [BCJL] and bit oblivious transfer [Yao]. The security of QKD against coherent measurements has not yet been addressed in the literature and it is not clear whether the techniques used by Yao in [Yao] for a QOT protocol may be easily used for a QKD protocol. In any case, we do not use Yao s techniques. We show that the security against ....

[Article contains additional citation context not shown here]

A. Yao, Security of Quantum Protocols Against Coherent Measurements, in Proceedings of the 26th Symposium on the Theory of Computing, June 1995, to appear. This article was processed using the L a T E X macro package with LLNCS style

....Turing Machines who communicate through a quantum tape. Chapter 3 provides us with the right notion of exponential indistinguishability. Despite the fact that there are many papers on quantum cryptography, no formal definition has been presented so far. A protocol model was presented by Yao [YA95] and was adapted by Mayers [MA97] and Lo and Chau [LC97A, LC97B] However, the explanations and justification for the underlying assumption was either brief or imprecise, and sometimes difficult to comprehend for someone without a proper physical background. Here we examine the model from the ....

....4.2, but in the end the argument does not differ much from the one given in the previous paragraph: as long as an honest participant measures (forces a collapse ) classical bits, s he is protected. 101 4.4. 5 Comparison with other work The first model for quantum protocols was presented by Yao [YA95], who mentions that separating out the classical communication is useful. This model was adapted both by Mayers [MA97] and by Lo and Chau [LC97A] to prove that Quantum Bit Commitment is impossible. The model introduced in [MA97] addresses the issue of classical information, but without giving any ....

YAO, A. C.-C., "Security of quantum protocols against coherent measurements", In Proc. 27th ACM Symp. on Theory of Computing (1995), ACM, pp. 67--82.

....of Computer Science,University of Arhus, Ny Munkegade, building 540, DK 8000 Arhus C, Denmark. e mail: salvail daimi.aau.dk other applications of quantum mechanics to cryptography have also been considered and bit commitment was at the basis of most if not all of these other applications [3, 10, 11, 12]. A bit commitment scheme allows Alice to send something to Bob that commits her to a bit b of her choice in such a way that Bob cannot tell what b is, but such that Alice can later prove him what b originally was. You may think of this as Alice sending a note with the value b written on it in a ....

....also wrote a paper [5] to discuss the issue of quantum communication and other aspects of Mayers s result. They used a variant of Yao s model for quantum communication. The essence of Yao s model is that a third system is passed back and fourth under the control of each participant at their turn [12]. Mayers s attack works fine in this model, and it is indeed important to verify that the attack works in such a reasonable model. With regard to classical communication, the discussion of Lo and Chau [5] is similar to the indirect approach described in the Appendix (in both cases the attack on ....

[Article contains additional citation context not shown here]

Yao, A. C.--C., "Security of quantum protocols against coherent measurements", Proceedings of 26th Annual ACM Symposium on the Theory of Computing, 1995, pp. 67 -- 75.

....give a quantum key distribution protocol which is unconditionally secure over arbitrarily long distance. Brassard, Crpeau [BC90] gave quantum bit commitment and quantum coin tossing protocols. Brassard et al. [BCJ93] gives quantum bit commitment scheme provably unbreakable by both parties. Yao [Yao95] proved quantum protocols secure against coherent measurements. Brassard et al. [BCM 98] shows how to defeat classical bit commitments with a quantum computer. Chau, Lo [CL98] gives further methods for qubit commitment. Crpeau et al. [CS95] gives protocols for quantum oblivious mutual ....

A. C.-C. Yao. Q Security of quantum protocols against coherent measurements. In Proceedings of the Twenty-Seventh Annual ACM Symposium on the Theory of Computing, pages 67-75, Las Vegas, Nevada, (May-June 1995).

No context found.

A.C.-C. Yao. Security of quantum protocols against coherent measurements. In Proceedings of the 27th ACM Symposium on the Theory of Computing, pages 67-75. ACM Press, 1995.

No context found.

Yao, A. C., "Security of Quantum Protocols Against Coherent Measurements ", Proceedings of the 27th Annual ACM Symposium on Theory of Computing, 1995, pp. 67 -- 75. 51

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC