Lo, H.--K. and H. F. Chau, "Is quantum Bit Commitment Really Possible?", Physical Review Letters, vol. 78, no 17, April 1997, pp. 3410 -- 3413.  Home/Search   Document Details and Download   Summary   APS   Related Articles   Check

....parties is considered. Mayers [13] has proven that any quantum bit commitment scheme can either be defeated by the committer or the receiver as long as both sides have unrestricted quantum computational power. Mayers general result was built upon previous works of Mayers [11] and Lo and Chau [9]. However, the no go theorem does not imply that quantum cryptography in the two party case is equivalent to complexity based classical cryptography. For example, quantum bit commitment schemes can be built from physical assumptions that are independent of the existence of one way functions [16] ....

Lo, H.--K. and H. F. Chau, "Is quantum Bit Commitment Really Possible?", Physical Review Letters, vol. 78, no 17, April 1997, pp. 3410 -- 3413.

....but the required attack and proof are more subtle. Here we provide the first complete proof that the BCJL protocol is insecure. 1994 PACS numbers: 03.65.Bz, 42.50.Dv, 89.70. c Typeset using REVT E X 1 a. Introduction Recently, Lo and Chau have made available on the quant ph archives [10] a preprint that explains how to break a family of quantum bit commitment schemes, and they claim that their attack applies to the protocol of Brassard, Cr epeau, Jozsa and Langlois [4] hereafter called the BCJL protocol. The intuition behind their attack against the BCJL protocol is correct, and ....

....holds. c. A simpler case This section considers the security of any bit commitment protocol in which Alice commits herself to b by sending photons to Bob where the density matrices for b = 0 and b = 1 are identical. This is precisely the case that was independently considered by Lo and Chau [10]. This is sufficient to break the old protocol in [2] which is not surprising since a simple EPR type attack was already included in the same paper [2] as well as a more recent protocol proposed by Ardehali [1] However, this analysis is insufficient to break the BCJL protocol since the density ....

H.-K. Lo, H. F. Chau, "Is quantum bit commitment really possible?", Los Alamos preprint archive quant-ph/9603004, March 1996.

....Supported in part by Canada s Nserc and Qu ebec s Fcar. y D epartement IRO, Universit e de Montr eal, C.P. 6128, succursale centre ville, Montr eal (Qu ebec) Canada H3C 3J7. e mail: mayersd.umontreal.ca. 1 1 Introduction Recently, Lo and Chau have made available on the quant ph archives [7] a preprint that explains how to break a family of quantum bit commitment schemes, and they claim that their attack applies to the protocol of Brassard, Cr epeau, Jozsa and Langlois [3] hereafter called the BCJL protocol. Furthermore, they express the concern that secure quantum bit commitment ....

....1 holds. 4 A simpler case This section considers the security of any bit commitment protocol in which Alice commits herself to b by sending photons to Bob and where the density matrices for b = 0 and b = 1 are identical. This is precisely the case that was independently considered by Lo and Chau [7]. This is sufficient to break the old protocol in [2] which is not surprising since a simple EPR type attack was already included in the same paper [2] as well as a more recent protocol proposed by Ardehali [1] However, this analysis is insufficient to break the BCJL protocol since the density ....

H.-K. Lo, H. F. Chau, "Is quantum bit commitment really possible?", Los Alamos preprint archive quant-ph/9603004, March 1996.

.... subtle flaw in the BCJL proof of security [57] The irony is that the successful attack was identical in spirit although technically more difficult to the technique published in 1984 to break the original coinflipping protocol The basic flaw was also discovered independently by Lo and Chau [53] even though their attack did not apply directly to BCJL. Since then, Mayers discovered that not only BCJL fails but it cannot be fixed: unconditionally secure quantum bit commitment is impossible [59] The part of the proof of [24] that goes wrong is the claim that A is committed to a bit. The ....

Lo, H.--K. and H. F. Chau, "Is quantum bit commitment really possible?", manuscript, 1996. Available at http://xxx.lanl.gov/ps/quant-ph/9603004.

....unbreakable by both parties [7] Unfortunately, it turns out that this claim was wrong. The protocol of [7] may be broken in theory for similar reasons as the protocol of Bennett and Brassard as demonstrated by Mayers [20] Note that a similar weaker result was later achieved by Lo and Chau [17]. Indeed, a more general result of Mayers [19] suggests that no quantum bit commitment scheme may be secure. The ideas behind this work will be covered in sections 3 and 4. Section 4.1 considers the practical consequences of this result and some new approaches to bypass Mayers result are analyzed ....

....matrix ae 0 , that she can send to B in order to later force fi to collapse to one of the i s to unveil b = 0 or one of the i s to unveil b = 1 by measuring ff appropriately. Mayers showed that this can be done despite the small difference between ae 0 and ae 1 (a subtlety overlooked in [17]) The fact that B may or not make measurements on fi before A causes it to collapse to a specific state is irrelevant; B s outcomes would be the same. For similar reasons, any bit commitment scheme where B is unable to tell whether the committed bit is b = 0 or b = 1, can be cheated by A using a ....

H.--K. Lo and H.F. Chau, "Is Quantum Bit Commitment Really Possible?", manuscript posted on Los Alamos reprint archive quant-ph, March 96.

....began in October 1995 when Mayers found a subtle flaw in the BCJL protocol. Though Mayers explained his discovery to many researchers interested in quantum bit commitment [18] his result was not made entirely public until after Lo and Chau discovered independently a similar result in March 1996 [19]. The result of Mayers was more general than the one obtained by Lo and Chau, but both used the same basic idea. The result of Lo and Chau did not encompass the BCJL protocol in which Bob can obtain an exponentially small amount of information. In practice a protocol is considered secure as long ....

....as long as Bob cannot obtain more than an exponentially small amount of information on the bit committed by Alice, that is, an amount of information that goes exponentially fast to 0 as the number of photons used in the protocol increases. However, the final version published by Lo and Chau [19] used the techniques previously used by Mayers [18] to prove the non security of the BCJL protocol and any other protocol published at the time. So, the paper of Lo and Chau [19] is a proper account of these preliminary results. 2 The general impossibility theorem Now, we review the general ....

[Article contains additional citation context not shown here]

Lo, H.--K. and H. F. Chau, "Is quantum bit commitment really possible?", Physical Review Letters, vol 78, pp. 3410 -- 3413 (1997).

....tape. Chapter 3 provides us with the right notion of exponential indistinguishability. Despite the fact that there are many papers on quantum cryptography, no formal definition has been presented so far. A protocol model was presented by Yao [YA95] and was adapted by Mayers [MA97] and Lo and Chau [LC97A, LC97B]. However, the explanations and justification for the underlying assumption was either brief or imprecise, and sometimes difficult to comprehend for someone without a proper physical background. Here we examine the model from the point of view of a cryptographer with a strong interest, but not ....

....(forces a collapse ) classical bits, s he is protected. 101 4.4.5 Comparison with other work The first model for quantum protocols was presented by Yao [YA95] who mentions that separating out the classical communication is useful. This model was adapted both by Mayers [MA97] and by Lo and Chau [LC97A] to prove that Quantum Bit Commitment is impossible. The model introduced in [MA97] addresses the issue of classical information, but without giving any explanation, which was provided by personal communication [MS97] This issue is nowhere addressed in the works of Lo and Chau, but this is not ....

LO, H.-K. AND H. F. CHAU, "Is quantum bit commitment really possible?", Physical Review Letters 78 (1997), pp. 3410--3413.

....began in October 1995 when Mayers found a subtle flaw in the BCJL protocol. Though Mayers explained his discovery to many researchers interested in quantum bit commitment [14] his result was not made entirely public until after Lo and Chau discovered independently a similar result in March 1996 [15]. The result of Mayers was more general than the one obtained by Lo and Chau, but both used the same basic idea. The result of Lo and Chau did not encompass the BCJL protocol in which Bob can obtain an exponentially small amount of information. In practice a protocol is considered secure as long ....

....secure as long as Bob cannot obtain more than an exponentially small amount of information on the bit commited by Alice, that is, an amount of information that goes exponentially fast to 0 as the number of photons used in the protocol increases. However, the final version published by Lo and Chau [15] used the techniques previously used by Mayers [14] to prove the non security of the BCJL protocol and any other protocol published at the time. So, the paper of Lo and Chau [15] is a proper account of these preliminary results. 2 The general impossibility theorem Now, we review the general ....

[Article contains additional citation context not shown here]

Lo, H.--K. and H. F. Chau, "Is quantum bit commitment really possible?", Physical Review Letters, vol 78, pp. 3410 -- 3413 (1997).

.... [16] and also oblivious transfer [17,18] However, such optimism has recently been put into serious question due to the surprising demonstration of the insecurity of quantum bit commitment (against an EPR type of attack with delayed measurements) by Mayers [20,21] and also by Chau and me [22,23]. Yet an important question remains: Other than quantum key distribution, can quantum cryptographic protocols, in particular, two party computation, be unconditionally secure at all This is an important question because, in many cases, quantum bit commitment might be thought of as a means to an ....

H.-K. Lo and H. F. Chau, "Is quantum bit commitment really possible?", Phys. Rev. Lett. 78, 3410 (1997).

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC