{{short description|Cryptography based on quantum mechanical phenomena}}
{{Hatnote|Compare post-quantum cryptography, which is any cryptography (nonquantum or quantum) that resists cryptanalysis that uses quantum computing.}}
{{Use dmy dates|date=December 2025}}
'''Quantum cryptography''' is the science of exploiting quantum mechanical properties such as quantum entanglement, measurement disturbance, no-cloning theorem, and the principle of superposition to perform various cryptographic tasks.<ref>{{Cite journal |last1=Gisin |first1=Nicolas |last2=Ribordy |first2=Grégoire |last3=Tittel |first3=Wolfgang |last4=Zbinden |first4=Hugo |year=2002 |title=Quantum cryptography |url=https://journals.aps.org/rmp/abstract/10.1103/RevModPhys.74.145 |journal=Reviews of Modern Physics |volume=74 |issue=1 |pages=145–195 |arxiv=quant-ph/0101098 |bibcode=2002RvMP...74..145G |doi=10.1103/RevModPhys.74.145 |s2cid=6979295}}</ref><ref name="Pirandola-2020">{{Cite journal |last1=Pirandola |first1=S. |last2=Andersen |first2=U. L. |last3=Banchi |first3=L. |last4=Berta |first4=M. |last5=Bunandar |first5=D. |last6=Colbeck |first6=R. |last7=Englund |first7=D. |last8=Gehring |first8=T. |last9=Lupo |first9=C. |last10=Ottaviani |first10=C. |last11=Pereira |first11=J. L. |display-authors=et al. |year=2020 |title=Advances in quantum cryptography |url=https://www.osapublishing.org/aop/abstract.cfm?uri=aop-12-4-1012 |journal=Advances in Optics and Photonics |volume=12 |issue=4 |pages=1012–1236 |arxiv=1906.01645 |bibcode=2020AdOP...12.1012P |doi=10.1364/AOP.361502 |s2cid=174799187}}</ref><ref>{{Cite journal |last1=Renner |first1=Renato |last2=Wolf |first2=Ramona |date=2023 |title=Quantum Advantage in Cryptography |journal=AIAA Journal |volume=61 |issue=5 |pages=1895–1910 |arxiv=2206.04078 |bibcode=2023AIAAJ..61.1895R |doi=10.2514/1.J062267 |issn=0001-1452}}</ref> Historically defined as the practice of encoding messages, a concept since referred to as encryption, quantum cryptography plays a crucial role in the secure processing, storage, and transmission of information across various domains.
One aspect of quantum cryptography is quantum key distribution (QKD), which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. non-quantum) communication. Furthermore, quantum cryptography affords the authentication of messages, which allows the legitimate parties to prove that the messages were not wiretapped during transmission.<ref>{{Cite journal |last1=Gisin |first1=Nicolas |last2=Ribordy |first2=Grégoire |last3=Tittel |first3=Wolfgang |last4=Zbinden |first4=Hugo |date=8 March 2002 |title=Quantum cryptography |url=https://link.aps.org/doi/10.1103/RevModPhys.74.145 |journal=Reviews of Modern Physics |volume=74 |issue=1 |pages=145–195 |arxiv=quant-ph/0101098 |bibcode=2002RvMP...74..145G |doi=10.1103/RevModPhys.74.145}}</ref> For example, in a cryptographic set-up, it is impossible to copy, with perfect fidelity, the data encoded in a quantum state.<ref>{{Cite book |last1=Nielsen |first1=Michael A. |url=https://www.cambridge.org/highereducation/books/quantum-computation-and-quantum-information/01E10196D0A682A6AEFFEA52D53BE9AE |title=Quantum Computation and Quantum Information: 10th Anniversary Edition |last2=Chuang |first2=Isaac L. |date=9 December 2010 |isbn=978-1-107-00217-3 |language=en |doi=10.1017/CBO9780511976667 |access-date=2 September 2025}}</ref>{{page needed|date=December 2025}} If one attempts to read the encoded data, the quantum state will be changed due to wave function collapse (no-cloning theorem). This could be used to detect eavesdropping in QKD schemes, or in quantum communication links and networks. These advantages have significantly influenced the evolution of quantum cryptography, making it practical in the digital age, where devices are increasingly interconnected and cyberattacks have become more sophisticated.
As such, quantum cryptography is a critical component in the advancement of a quantum internet, as it establishes robust mechanisms to ensure the long-term privacy and integrity of digital communications and systems.<ref>{{Cite book |last1=Mitra |first1=Saptarshi |title=2017 4th International Conference on Opto-Electronics and Applied Optics (Optronix) |last2=Jana |first2=Bappaditya |last3=Bhattacharya |first3=Supratim |last4=Pal |first4=Prashnatita |last5=Poray |first5=Jayanta |date=November 2017 |isbn=978-1-5386-1119-7 |pages=1–7 |chapter=Quantum cryptography: Overview, security issues and future challenges |doi=10.1109/OPTRONIX.2017.8350006}}</ref>
== History ==
[[File:BB84-network setup.svg|thumb|The polarized light is transmitted across an insecure quantum channel and detected by Bob while Eve attempts to eavesdrop on the communication.]]
In the early 1970s, Stephen Wiesner, then at Columbia University in New York, introduced the concept of quantum conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by the IEEE Information Theory Society but was eventually published in 1983 in ''SIGACT News''.<ref name="Bennett-1992">{{cite journal |last1=Bennett |first1=Charles H. |display-authors=etal |date=1992 |title=Experimental quantum cryptography |journal=Journal of Cryptology |volume=5 |issue=1 |pages=3–28 |doi=10.1007/bf00191318 |s2cid=206771454 |doi-access=free}}</ref> In this paper he showed how to store or transmit two messages by encoding them in two "conjugate observables", such as linear and circular polarization of photons,<ref>{{cite journal |last=Wiesner |first=Stephen |date=1983 |title=Conjugate coding |journal=ACM SIGACT News |volume=15 |issue=1 |pages=78–88 |doi=10.1145/1008908.1008920 |s2cid=207155055}}</ref> so that either, but not both, properties may be received and decoded. It was not until Charles H. Bennett, of IBM's Thomas J. Watson Research Center, and Gilles Brassard met in 1979 at the 20th IEEE Symposium on the Foundations of Computer Science, held in Puerto Rico, that they discovered how to incorporate Wiesner's findings. "The main breakthrough came when we realized that photons were never meant to store information, but rather to transmit it."<ref name="Bennett-1992" /> In 1984, building upon this work, Bennett and Brassard proposed a method for secure communication, which is now called BB84, the first Quantum Key Distribution system.<ref>{{cite book |last1=Bennett |first1=C. H. |title=Proceedings of the International Conference on Computers, Systems & Signal Processing, Bangalore, India |last2=Brassard |first2=G.
|publisher=IEEE |year=1984 |volume=1 |location=New York |pages=175–179 |chapter=Quantum cryptography: Public key distribution and coin tossing}} Reprinted as {{cite journal|first1=C. H. |last1=Bennett |first2=G. |last2=Brassard |title=Quantum cryptography: Public key distribution and coin tossing |journal=Theoretical Computer Science |series=Theoretical Aspects of Quantum Cryptography – celebrating 30 years of BB84 |volume=560 |number=1 |date=4 December 2014 |pages=7–11 |doi=10.1016/j.tcs.2014.05.025 |doi-access=free|arxiv=2003.06557 |bibcode=2014TComS.560....7B }}</ref><ref>{{Cite web |date=29 November 2023 |title=What Is Quantum Cryptography? {{!}} IBM |url=https://www.ibm.com/topics/quantum-cryptography |access-date=25 September 2024 |website=www.ibm.com |language=en}}</ref> Independently, in 1991 Artur Ekert proposed to use Bell's inequalities to achieve secure key distribution.<ref>{{cite journal |last1=Ekert |first1=A |year=1991 |title=Quantum cryptography based on Bell's theorem |journal=Physical Review Letters |volume=67 |issue=6 |pages=661–663 |bibcode=1991PhRvL..67..661E |doi=10.1103/physrevlett.67.661 |pmid=10044956 |s2cid=27683254}}</ref> Ekert's protocol for the key distribution, as it was subsequently shown by Dominic Mayers and Andrew Yao, offers device-independent quantum key distribution.
Companies that manufacture quantum cryptography systems include MagiQ Technologies, Inc. (Boston), ID Quantique (Geneva), QuintessenceLabs (Canberra, Australia), Toshiba (Tokyo), QNu Labs (India) and SeQureNet (Paris).
== Advantages ==
Cryptography is the strongest link in the chain of data security.<ref>{{Cite web |title=Crypto-gram: December 15, 2003 – Schneier on Security |url=https://www.schneier.com/crypto-gram/archives/2003/1215.html |access-date=13 October 2020 |website=www.schneier.com}}</ref> However, interested parties cannot assume that cryptographic keys will remain secure indefinitely.<ref name="Stebila-2010">{{cite book |last1=Stebila |first1=Douglas |chapter=The Case for Quantum Key Distribution |date=2010 |title=Quantum Communication and Quantum Networking |volume=36 |pages=283–296 |editor-last=Sergienko |editor-first=Alexander |editor2-last=Pascazio |editor2-first=Saverio |editor3-last=Villoresi |editor3-first=Paolo |chapter-url=http://link.springer.com/10.1007/978-3-642-11731-2_35 |access-date=13 October 2020 |place=Berlin, Heidelberg |publisher=Springer Berlin Heidelberg |arxiv=0902.2839 |bibcode=2010qcqn.book..283S |doi=10.1007/978-3-642-11731-2_35 |isbn=978-3-642-11730-5 |s2cid=457259 |last2=Mosca |first2=Michele |last3=Lütkenhaus |first3=Norbert }}</ref> Quantum cryptography<ref name="Pirandola-2020" /> has the potential to encrypt data for longer periods than classical cryptography.<ref name="Stebila-2010" /> Using classical cryptography, scientists cannot guarantee encryption beyond approximately 30 years, but some stakeholders could use longer periods of protection.<ref name="Stebila-2010" /> Take, for example, the healthcare industry.
As of 2017, 85.9% of office-based physicians were using electronic medical record systems to store and transmit patient data.<ref>{{Cite web |date=4 August 2020 |title=FastStats |url=https://www.cdc.gov/nchs/fastats/electronic-medical-records.htm |access-date=13 October 2020 |website=www.cdc.gov |language=en-us}}</ref> Under the Health Insurance Portability and Accountability Act, medical records must be kept secret.<ref>{{Cite web |last=Rights (OCR) |first=Office for Civil |date=7 May 2008 |title=Privacy |url=https://www.hhs.gov/hipaa/for-professionals/privacy/index.html |access-date=13 October 2020 |website=HHS.gov |language=en}}</ref> Quantum key distribution can protect electronic records for periods of up to 100 years.<ref name="Stebila-2010" /> Also, quantum cryptography has useful applications for governments and militaries as, historically, governments have kept military data secret for periods of over 60 years.<ref name="Stebila-2010" /> It has also been proven that quantum key distribution can operate through a noisy channel over a long distance and remain secure. The problem can be reduced from a noisy quantum scheme to a classical noiseless scheme, which can then be solved with classical probability theory.<ref name="Lo-1999">{{Cite journal |last1=Lo |first1=Hoi-Kwong |last2=Chau |first2=H. F. |year=1999 |title=Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances |url=https://www.jstor.org/stable/pdf/2896688.pdf |journal=Science |volume=283 |issue=5410 |pages=2050–2056 |arxiv=quant-ph/9803006 |bibcode=1999Sci...283.2050L |doi=10.1126/science.283.5410.2050 |jstor=2896688 |pmid=10092221 |s2cid=2948183}}</ref> Consistent protection over a noisy channel is possible through the implementation of quantum repeaters. Quantum repeaters have the ability to resolve quantum communication errors in an efficient way.
Quantum repeaters, which are quantum computers, can be stationed as segments over the noisy channel to ensure the security of communication. Quantum repeaters do this by purifying the segments of the channel before connecting them, creating a secure line of communication. Sub-par quantum repeaters can provide an efficient amount of security through the noisy channel over a long distance.<ref name="Lo-1999"/>
== Applications ==
Quantum cryptography is a general subject that covers a broad range of cryptographic practices and protocols. While encryption techniques are widely recognized and understood, a significant challenge remains in the secure distribution of shared keys, often referred to as key establishment or key agreement. Quantum Key Distribution (QKD) aims to address this particular challenge. Below, we explore various notable methodologies and applications currently employed in quantum cryptography.

{{Main|Quantum key distribution}}
The best-known and most developed application of quantum cryptography is QKD, which is the process of using quantum communication to establish a shared key between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. If Eve tries to learn information about the key being established, discrepancies will arise, causing Alice and Bob to notice. Once the key is established, it is then typically used for encrypted communication using classical techniques. For instance, the exchanged key could be used for symmetric cryptography (e.g. one-time pad).
The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a man-in-the-middle attack would be possible.
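
The eavesdropping check described above, as an added example that is not part of the original article: a classical Monte Carlo model of BB84 (the protocol named in the History section) on an ideal, noise-free channel. The intercept-and-resend eavesdropper, the sampling fraction and the <code>max_error</code> abort threshold are assumptions of this example, and the function names are hypothetical.

```python
import random

BASES = ("rectilinear", "diagonal")


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: the encoded bit is read out. Conjugate basis: the outcome
    is uniformly random and the original encoding is lost."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def transmit(n, rng, eavesdrop):
    """Send n photons and return Alice's and Bob's sifted bit strings."""
    alice_sifted, bob_sifted = [], []
    for _ in range(n):
        a_bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # Assumed model: Eve cannot copy the photon, so she measures it in
            # a random basis and forwards a photon prepared from her result.
            e_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        # Sifting: bases are compared over the authenticated classical
        # channel and positions where they differ are dropped.
        if a_basis == b_basis:
            alice_sifted.append(a_bit)
            bob_sifted.append(b_bit)
    return alice_sifted, bob_sifted


def establish_key(n, seed, eavesdrop=False, sample_fraction=0.5, max_error=0.05):
    """Run one session; abort if the publicly compared sample disagrees."""
    rng = random.Random(seed)
    alice, bob = transmit(n, rng, eavesdrop)
    k = int(len(alice) * sample_fraction)
    if k == 0:
        raise ValueError("too few sifted bits to estimate the error rate")
    # The revealed positions are sacrificed: they are public afterwards.
    revealed = set(rng.sample(range(len(alice)), k))
    error_rate = sum(alice[i] != bob[i] for i in revealed) / k
    if error_rate > max_error:
        return {"error_rate": error_rate, "aborted": True,
                "alice_key": None, "bob_key": None}
    keep = [i for i in range(len(alice)) if i not in revealed]
    return {"error_rate": error_rate, "aborted": False,
            "alice_key": [alice[i] for i in keep],
            "bob_key": [bob[i] for i in keep]}


if __name__ == "__main__":
    for tapped in (False, True):
        result = establish_key(4000, seed=7, eavesdrop=tapped)
        print("eavesdropper:", tapped,
              "error rate: %.3f" % result["error_rate"],
              "aborted:", result["aborted"])
```

In this model an undisturbed channel gives a sample error rate of zero, while the intercept-and-resend eavesdropper pushes it to about 25%, so the session is abandoned before any key is used.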
While QKD is secure, its practical application faces some challenges. There are in fact limitations for the key generation rate at increasing transmission distances.<ref name="Pirandola-2009">{{Cite journal |last1=Pirandola |first1=S. |last2=García-Patrón |first2=R. |last3=Braunstein |first3=S. L. |last4=Lloyd |first4=S. |date=2009 |title=Direct and Reverse Secret-Key Capacities of a Quantum Channel |journal=Physical Review Letters |language=en |volume=102 |issue=5 |arxiv=0809.3273 |bibcode=2009PhRvL.102e0503P |doi=10.1103/PhysRevLett.102.050503 |pmid=19257494 |s2cid=665165 |article-number=050503}}</ref><ref name="Takeoka-2014">{{Cite journal |last1=Takeoka |first1=Masahiro |last2=Guha |first2=Saikat |last3=Wilde |first3=Mark M. |date=2014 |title=Fundamental rate-loss tradeoff for optical quantum key distribution |journal=Nature Communications |language=en |volume=5 |arxiv=1504.06390 |bibcode=2014NatCo...5.5235T |doi=10.1038/ncomms6235 |pmid=25341406 |s2cid=20580923 |article-number=5235}}</ref><ref name="Pirandola-2017">{{Cite journal |last1=Pirandola |first1=S. |last2=Laurenza |first2=R. |last3=Ottaviani |first3=C. |last4=Banchi |first4=L. |date=2017 |title=Fundamental limits of repeaterless quantum communications |journal=Nature Communications |language=en |volume=8 |arxiv=1510.08863 |bibcode=2017NatCo...815043P |doi=10.1038/ncomms15043 |pmc=5414096 |pmid=28443624 |article-number=15043}}</ref> Recent studies have allowed important advancements in this regard. In 2018, the protocol of twin-field QKD<ref name="Shields-2018">{{Cite journal |last1=Shields |first1=A. J. |last2=Dynes |first2=J. F. |last3=Yuan |first3=Z. L. |last4=Lucamarini |first4=M. 
|date=May 2018 |title=Overcoming the rate–distance limit of quantum key distribution without quantum repeaters |journal=Nature |language=en |volume=557 |issue=7705 |pages=400–403 |arxiv=1811.06826 |bibcode=2018Natur.557..400L |doi=10.1038/s41586-018-0066-6 |issn=1476-4687 |pmid=29720656 |s2cid=21698666}}</ref> was proposed as a mechanism to overcome the limits of lossy communication. The rate of the twin field protocol was shown to overcome the secret key-agreement capacity of the lossy communication channel, known as repeater-less PLOB bound,<ref name="Pirandola-2017"/> at 340 km of optical fiber; its ideal rate surpasses this bound already at 200 km and follows the rate-loss scaling of the higher repeater-assisted secret key-agreement capacity<ref name="Pirandola-2019">{{Cite journal |last1=Pirandola |first1=S. |date=2019 |title=End-to-end capacities of a quantum communication network |journal=Communications Physics |language=en |volume=2 |issue=1 |arxiv=1601.00966 |bibcode=2019CmPhy...2...51P |doi=10.1038/s42005-019-0147-3 |s2cid=170078611 |article-number=51}}</ref> (see figure 1 of<ref name="Shields-2018"/> and figure 11 of<ref name="Pirandola-2020" /> for more details). The protocol suggests that optimal key rates are achievable on "550 kilometers of standard optical fibre", which is already commonly used in communications today. The theoretical result was confirmed in the first experimental demonstration of QKD beyond the PLOB bound which has been characterized as the first ''effective'' quantum repeater.<ref>{{cite journal |last1=Minder |first1=Mariella |last2=Pittaluga |first2=Mirko |last3=Roberts |first3=George |last4=Lucamarini |first4=Marco |last5=Dynes |first5=James F. |last6=Yuan |first6=Zhiliang |last7=Shields |first7=Andrew J. 
|date=February 2019 |title=Experimental quantum key distribution beyond the repeaterless secret key capacity |journal=Nature Photonics |volume=13 |issue=5 |pages=334–338 |arxiv=1910.01951 |bibcode=2019NaPho..13..334M |doi=10.1038/s41566-019-0377-7 |s2cid=126717712}}</ref> Notable developments in terms of achieving high rates at long distances are the sending-not-sending (SNS) version of the TF-QKD protocol<ref>{{cite journal |last1=Wang |first1=Xiang-Bin |last2=Yu |first2=Zong-Wen |last3=Hu |first3=Xiao-Long |date=2018 |title=Twin-field quantum key distribution with large misalignment error |journal=Physical Review A |volume=98 |issue=6 |arxiv=1805.09222 |bibcode=2018PhRvA..98f2323W |doi=10.1103/PhysRevA.98.062323 |s2cid=51204011 |article-number=062323}}</ref><ref>{{cite journal |last1=Xu |first1=Hai |last2=Yu |first2=Zong-Wen |last3=Hu |first3=Xiao-Long |last4=Wang |first4=Xiang-Bin |date=2020 |title=Improved results for sending-or-not-sending twin-field quantum key distribution: breaking the absolute limit of repeaterless key rate |journal=Physical Review A |volume=101 |arxiv=1904.06331 |doi=10.1103/PhysRevA.101.042330 |s2cid=219003338 |article-number=042330}}</ref> and the no-phase-postselected twin-field scheme.<ref>{{cite journal |last1=Cui |first1=C. |last2=Yin |first2=A.-Q. |last3=Wang |first3=R. |last4=Chen |first4=W. |last5=Wang |first5=S. |last6=Guo |first6=G.-C. |last7=Han |first7=Z.-F. |date=2019 |title=Twin-Field Quantum Key Distribution without Phase Postselection |journal=Physical Review Applied |volume=11 |issue=3 |arxiv=1807.02334 |bibcode=2019PhRvP..11c4053C |doi=10.1103/PhysRevApplied.11.034053 |s2cid=53624575 |article-number=034053}}</ref>
=== Mistrustful quantum cryptography ===
In mistrustful cryptography the participating parties do not trust each other. For example, Alice and Bob collaborate to perform some computation where both parties enter some private inputs. But Alice does not trust Bob and Bob does not trust Alice. Thus, a secure implementation of a cryptographic task requires that after completing the computation, Alice can be guaranteed that Bob has not cheated and Bob can be guaranteed that Alice has not cheated either. Examples of tasks in mistrustful cryptography are commitment schemes and secure computations, the latter including the further examples of coin flipping and oblivious transfer. Key distribution does not belong to the area of mistrustful cryptography. Mistrustful quantum cryptography studies the area of mistrustful cryptography using quantum systems.
In contrast to quantum key distribution where unconditional security can be achieved based only on the laws of quantum physics, in the case of various tasks in mistrustful cryptography there are no-go theorems showing that it is impossible to achieve unconditionally secure protocols based only on the laws of quantum physics. However, some of these tasks can be implemented with unconditional security if the protocols not only exploit quantum mechanics but also special relativity. For example, unconditionally secure quantum bit commitment was shown impossible by Mayers<ref name="Mayers-1997"/> and by Lo and Chau.<ref>{{Cite journal |last1=Lo |first1=H.-K. |last2=Chau |first2=H. |date=1997 |title=Is Quantum Bit Commitment Really Possible? |journal=Physical Review Letters |language=en |volume=78 |issue=17 |page=3410 |arxiv=quant-ph/9603004 |bibcode=1997PhRvL..78.3410L |doi=10.1103/PhysRevLett.78.3410 |s2cid=3264257}}</ref> Unconditionally secure ideal quantum coin flipping was shown impossible by Lo and Chau.<ref>{{Cite journal |last1=Lo |first1=H.-K. |last2=Chau |first2=H. |date=1998 |title=Why quantum bit commitment and ideal quantum coin tossing are impossible |journal=Physica D: Nonlinear Phenomena |language=en |volume=120 |issue=1–2 |pages=177–187 |arxiv=quant-ph/9711065 |bibcode=1998PhyD..120..177L |doi=10.1016/S0167-2789(98)00053-0 |s2cid=14378275}}</ref> Moreover, Lo showed that there cannot be unconditionally secure quantum protocols for one-out-of-two oblivious transfer and other secure two-party computations.<ref>{{Cite journal |last=Lo |first=H.-K. |date=1997 |title=Insecurity of quantum secure computations |journal=Physical Review A |language=en |volume=56 |issue=2 |pages=1154–1162 |arxiv=quant-ph/9611031 |bibcode=1997PhRvA..56.1154L |doi=10.1103/PhysRevA.56.1154 |s2cid=17813922}}</ref> However, unconditionally secure relativistic protocols for coin flipping and bit-commitment have been shown by Kent.<ref>{{Cite journal |last=Kent |first=A. 
|date=1999 |title=Unconditionally Secure Bit Commitment |journal=Physical Review Letters |language=en |volume=83 |issue=7 |pages=1447–1450 |arxiv=quant-ph/9810068 |bibcode=1999PhRvL..83.1447K |doi=10.1103/PhysRevLett.83.1447 |s2cid=8823466}}</ref><ref>{{Cite journal |last=Kent |first=A. |date=1999 |title=Coin Tossing is Strictly Weaker than Bit Commitment |journal=Physical Review Letters |language=en |volume=83 |issue=25 |pages=5382–5384 |arxiv=quant-ph/9810067 |bibcode=1999PhRvL..83.5382K |doi=10.1103/PhysRevLett.83.5382 |s2cid=16764407}}</ref>
==== Quantum coin flipping ====
{{Main|Quantum coin flipping}}
''Figure: Alice decides her random basis and sequence of qubits. She then sends the qubits as photons to Bob via the quantum channel. Bob detects these qubits and records his results in a table. Based on the table, Bob makes his guess to Alice on what basis she used.''

Unlike quantum key distribution, quantum coin flipping is a protocol that is used between two participants who do not trust each other.<ref name="Dambort-2014">{{cite web |first=Stuart Mason |last=Dambort |date=26 March 2014 |title=Heads or tails: Experimental quantum coin flipping cryptography performs better than classical protocols |url=https://phys.org/news/2014-05-tails-experimental-quantum-coin-flipping.html |url-status=live |archive-url=https://web.archive.org/web/20170325025154/https://phys.org/news/2014-05-tails-experimental-quantum-coin-flipping.html |archive-date=25 March 2017 |website=Phys.org}}</ref> The participants communicate via a quantum channel and exchange information through the transmission of qubits.<ref name="Doescher-2002">{{Cite arXiv |eprint=quant-ph/0206088 |first1=C. |last1=Doescher |first2=M. |last2=Keyl |title=An introduction to quantum coin-tossing |year=2002 }}</ref> But because Alice and Bob do not trust each other, each expects the other to cheat. Therefore, more effort must be spent on ensuring that neither Alice nor Bob can gain a significant advantage over the other to produce a desired outcome.
An ability to influence a particular outcome is referred to as a bias, and there is a significant focus on developing protocols to reduce the bias of a dishonest player,<ref name="Pappa-2014">{{Cite journal |last1=Pappa |first1=Anna |last2=Jouguet |first2=Paul |last3=Lawson |first3=Thomas |last4=Chailloux |first4=André |last5=Legré |first5=Matthieu |last6=Trinkler |first6=Patrick |last7=Kerenidis |first7=Iordanis |last8=Diamanti |first8=Eleni |date=24 April 2014 |title=Experimental plug and play quantum coin flipping |url=https://www.nature.com/articles/ncomms4717 |journal=Nature Communications |language=en |volume=5 |issue=1 |page=3717 |arxiv=1306.3368 |bibcode=2014NatCo...5.3717P |doi=10.1038/ncomms4717 |issn=2041-1723 |pmid=24758868 |s2cid=205325088}}</ref><ref name="Ambainis-2004">{{Cite journal |last1=Ambainis |first1=Andris |date=1 March 2004 |title=A new protocol and lower bounds for quantum coin flipping |url=https://www.sciencedirect.com/science/article/pii/S0022000003001417 |journal=Journal of Computer and System Sciences |language=en |volume=68 |issue=2 |pages=398–416 |arxiv=quant-ph/0204022 |doi=10.1016/j.jcss.2003.07.010 |issn=0022-0000}}</ref> otherwise known as cheating. Quantum communication protocols, including quantum coin flipping, have been shown to provide significant security advantages over classical communication, though they may be considered difficult to realize in the practical world.<ref name="Dambort-2014"/>
A coin flip protocol generally occurs like this:<ref name="Bennett-2014">{{Cite journal |last1=Bennett |first1=Charles H. |last2=Brassard |first2=Gilles |date=4 December 2014 |title=Quantum cryptography: Public key distribution and coin tossing |journal=Theoretical Computer Science |language=en |volume=560 |pages=7–11 |arxiv=2003.06557 |doi=10.1016/j.tcs.2014.05.025 |issn=0304-3975 |s2cid=27022972 |doi-access=free |bibcode=2014TComS.560....7B }}</ref>
# Alice chooses a basis (either rectilinear or diagonal) and generates a string of photons to send to Bob in that basis.
# Bob randomly chooses to measure each photon in a rectilinear or diagonal basis, noting which basis he used and the measured value.
# Bob publicly guesses which basis Alice used to send her qubits.
# Alice announces the basis she used and sends her original string to Bob.
# Bob confirms by comparing Alice's string to his table. It should be perfectly correlated with the values Bob measured using Alice's basis and completely uncorrelated with the opposite.
Cheating occurs when one player attempts to influence, or increase the probability of, a particular outcome. The protocol discourages some forms of cheating; for example, Alice could cheat at step 4 by claiming that Bob incorrectly guessed her initial basis when he guessed correctly, but Alice would then need to generate a new string of qubits that perfectly correlates with what Bob measured in the opposite table.<ref name="Bennett-2014" /> Her chance of generating a matching string of qubits will decrease exponentially with the number of qubits sent, and if Bob notes a mismatch, he will know she was lying. Alice could also generate a string of photons using a mixture of states, but Bob would easily see that her string will correlate partially (but not fully) with both sides of the table, and know she cheated in the process.<ref name="Bennett-2014" /> There is also an inherent flaw that comes with current quantum devices. Errors and lost qubits will affect Bob's measurements, resulting in holes in Bob's measurement table. Significant losses in measurement will affect Bob's ability to verify Alice's qubit sequence in step 5.
One theoretically surefire way for Alice to cheat is to utilize the Einstein-Podolsky-Rosen (EPR) paradox. Two photons in an EPR pair are anticorrelated; that is, they will always be found to have opposite polarizations, provided that they are measured in the same basis. Alice could generate a string of EPR pairs, sending one photon per pair to Bob and storing the other herself. When Bob states his guess, she could measure her EPR pair photons in the opposite basis and obtain a perfect correlation to Bob's opposite table.<ref name="Bennett-2014" /> Bob would never know she cheated. However, this requires capabilities that quantum technology currently does not possess, making it impossible to do in practice. To successfully execute this, Alice would need to be able to store all the photons for a significant amount of time as well as measure them with near perfect efficiency. This is because any photon lost in storage or in measurement would result in a hole in her string that she would have to fill by guessing. The more guesses she has to make, the more she risks detection by Bob for cheating.
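
Steps 1 to 5 and the two cheating cases discussed above, as an added example that is not part of the original article: a classical Monte Carlo model of Bob's verification with ideal detectors and a lossless channel. The strategy names, the <code>storage_loss</code> parameter and all function names are hypothetical; the entangled-pair case is modelled by letting Alice learn Bob's value only where her stored photon survives and the bases match.

```python
import random

RECT, DIAG = "rectilinear", "diagonal"
BASES = (RECT, DIAG)


def other(basis):
    return DIAG if basis == RECT else RECT


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; the conjugate basis returns noise."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bob_verifies(table, claimed_basis, claimed_bits):
    """Step 5: every photon Bob measured in the claimed basis must agree."""
    return all(value == claimed
               for (basis, value), claimed in zip(table, claimed_bits)
               if basis == claimed_basis)


def play_round(n, rng, strategy="honest", storage_loss=0.0):
    """Play one toss with n photons. Returns (alice_lied, bob_accepts)."""
    if strategy == "epr":
        # Alice keeps one photon of each entangled pair, so she has not
        # committed to a basis; Bob's outcomes are uniformly random.
        table = [(rng.choice(BASES), rng.randint(0, 1)) for _ in range(n)]
        guess = rng.choice(BASES)                      # step 3
        claimed_basis = other(guess)                   # always "wrong guess"
        claimed_bits = []
        for basis, value in table:
            lost = rng.random() < storage_loss
            if basis == claimed_basis and not lost:
                # Her stored photon, measured in the claimed basis, is
                # anticorrelated with Bob's, so she can infer his value.
                claimed_bits.append(value)
            else:
                # A lost photon (a hole she fills by guessing) or a position
                # Bob measured in the other basis (never checked).
                claimed_bits.append(rng.randint(0, 1))
        return True, bob_verifies(table, claimed_basis, claimed_bits)

    basis = rng.choice(BASES)                          # step 1
    bits = [rng.randint(0, 1) for _ in range(n)]
    table = []
    for bit in bits:                                   # step 2
        b = rng.choice(BASES)
        table.append((b, measure(bit, basis, b, rng)))
    guess = rng.choice(BASES)                          # step 3
    lied = strategy == "lie" and guess == basis
    # Step 4. A lying Alice names the opposite basis. Bob's results in that
    # basis are independent of anything she knows, so every string she could
    # send is an equally blind guess; here she re-sends her original bits.
    claimed_basis = other(basis) if lied else basis
    return lied, bob_verifies(table, claimed_basis, bits)


def simulate(n, strategy, trials=2000, seed=1, storage_loss=0.0):
    """Fraction of rounds Bob accepts, and fraction of lies he catches."""
    rng = random.Random(seed)
    accepted = lies = caught = 0
    for _ in range(trials):
        lied, ok = play_round(n, rng, strategy, storage_loss)
        accepted += ok
        lies += lied
        caught += lied and not ok
    return {"accepted": accepted / trials,
            "caught": caught / lies if lies else 0.0}


if __name__ == "__main__":
    print("honest, n=32:", simulate(32, "honest"))
    print("lie, n=2:", simulate(2, "lie"))
    print("lie, n=32:", simulate(32, "lie"))
    print("epr, n=64, no loss:", simulate(64, "epr"))
    print("epr, n=64, 20% loss:", simulate(64, "epr", storage_loss=0.2))
```

In this model a lie at step 4 survives verification with probability (3/4)^n, and the entangled-pair strategy with per-photon storage loss p survives with probability (1 − p/4)^n, which is why losses in Alice's storage expose her.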
==== Quantum commitment ====
In addition to quantum coin-flipping, quantum commitment protocols are implemented when distrustful parties are involved. A commitment scheme allows a party Alice to fix a certain value (to "commit") in such a way that Alice cannot change that value while at the same time ensuring that the recipient Bob cannot learn anything about that value until Alice reveals it. Such commitment schemes are commonly used in cryptographic protocols (e.g. quantum coin flipping, zero-knowledge proof, secure two-party computation, and oblivious transfer).
In the quantum setting, they would be particularly useful: Crépeau and Kilian showed that from a commitment and a quantum channel, one can construct an unconditionally secure protocol for performing so-called oblivious transfer.<ref name="Crépeau-1988" /> Oblivious transfer, on the other hand, had been shown by Kilian to allow implementation of almost any distributed computation in a secure way (so-called secure multi-party computation).<ref name="Kilian-1988" /> (Note: The results by Crépeau and Kilian<ref name="Crépeau-1988" /><ref name="Kilian-1988" /> together do not directly imply that given a commitment and a quantum channel one can perform secure multi-party computation. This is because the results do not guarantee "composability", that is, when plugging them together, one might lose security.)
Early quantum commitment protocols<ref name="Brassard-1993"/> were shown to be flawed. In fact, Mayers showed that (unconditionally secure) quantum commitment is impossible: a computationally unlimited attacker can break any quantum commitment protocol.<ref name="Mayers-1997"/>
Yet, the result by Mayers does not preclude the possibility of constructing quantum commitment protocols (and thus secure multi-party computation protocols) under assumptions that are much weaker than the assumptions needed for commitment protocols that do not use quantum communication. The bounded quantum storage model described below is an example of a setting in which quantum communication can be used to construct commitment protocols. A breakthrough in November 2013 offers "unconditional" security of information by harnessing quantum theory and relativity, which has been successfully demonstrated on a global scale for the first time.<ref>{{Cite journal |last1=Lunghi |first1=T. |last2=Kaniewski |first2=J. |last3=Bussières |first3=F. |last4=Houlmann |first4=R. |last5=Tomamichel |first5=M. |last6=Kent |first6=A. |last7=Gisin |first7=N. |last8=Wehner |first8=S. |last9=Zbinden |first9=H. |year=2013 |title=Experimental Bit Commitment Based on Quantum Communication and Special Relativity |journal=Physical Review Letters |volume=111 |issue=18 |arxiv=1306.4801 |bibcode=2013PhRvL.111r0504L |doi=10.1103/PhysRevLett.111.180504 |pmid=24237497 |s2cid=15916727 |article-number=180504}}</ref> More recently, Wang et al. proposed another commitment scheme in which the "unconditional hiding" is perfect.<ref>{{Cite journal |last1=Wang |first1=Ming-Qiang |last2=Wang |first2=Xue |last3=Zhan |first3=Tao |year=2018 |title=Unconditionally secure multi-party quantum commitment scheme |journal=Quantum Information Processing |language=en |volume=17 |issue=2 |page=31 |bibcode=2018QuIP...17...31W |doi=10.1007/s11128-017-1804-7 |issn=1570-0755 |s2cid=3603337}}</ref>
Physical unclonable functions can also be exploited for the construction of cryptographic commitments.<ref>{{Cite journal |last=Nikolopoulos |first=Georgios M. |date=2019 |title=Optical scheme for cryptographic commitments with physical unclonable keys |journal=Optics Express |volume=27 |issue=20 |pages=29367–29379 |arxiv=1909.13094 |bibcode=2019OExpr..2729367N |doi=10.1364/OE.27.029367 |pmid=31684673 |s2cid=203593129}}</ref>
=== Bounded- and noisy-quantum-storage model ===
One possibility to construct unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols is to use the bounded quantum storage model (BQSM). In this model, it is assumed that the amount of quantum data that an adversary can store is limited by some known constant Q. However, no limit is imposed on the amount of classical (i.e., non-quantum) data the adversary may store.
In the BQSM, one can construct commitment and oblivious transfer protocols.<ref name="Damgård-2005"/> The underlying idea is the following: The protocol parties exchange more than Q quantum bits (qubits). Since even a dishonest party cannot store all that information (the quantum memory of the adversary is limited to Q qubits), a large part of the data will have to be either measured or discarded. Forcing dishonest parties to measure a large part of the data allows the protocol to circumvent the impossibility result; commitment and oblivious transfer protocols can now be implemented.<ref name="Mayers-1997"/>
The protocols in the BQSM presented by Damgård, Fehr, Salvail, and Schaffner<ref name="Damgård-2005"/> do not assume that honest protocol participants store any quantum information; the technical requirements are similar to those in quantum key distribution protocols. These protocols can thus, at least in principle, be realized with today's technology. The communication complexity is only a constant factor larger than the bound Q on the adversary's quantum memory.
The advantage of the BQSM is that the assumption that the adversary's quantum memory is limited is quite realistic. With today's technology, storing even a single qubit reliably over a sufficiently long time is difficult. (What "sufficiently long" means depends on the protocol details. By introducing an artificial pause in the protocol, the amount of time over which the adversary needs to store quantum data can be made arbitrarily large.)
An extension of the BQSM is the noisy-storage model introduced by Wehner, Schaffner and Terhal.<ref name="Wehner-2008"/> Instead of considering an upper bound on the physical size of the adversary's quantum memory, an adversary is allowed to use imperfect quantum storage devices of arbitrary size. The level of imperfection is modelled by noisy quantum channels. For high enough noise levels, the same primitives as in the BQSM can be achieved<ref name="Doescher-2009"/> and the BQSM forms a special case of the noisy-storage model.
In the classical setting, similar results can be achieved when assuming a bound on the amount of classical (non-quantum) data that the adversary can store.<ref name="Cachin-1998"/> It was proven, however, that in this model the honest parties also have to use a large amount of memory (namely the square root of the adversary's memory bound).<ref name="Dziembowski-2004"/> This makes these protocols impractical for realistic memory bounds. (Note that with today's technology such as hard disks, an adversary can cheaply store large amounts of classical data.)
=== Position-based quantum cryptography ===
{{See also|Non-local quantum computation}}
The goal of position-based quantum cryptography is to use the ''geographical location'' of a player as its (only) credential. For example, one wants to send a message to a player at a specified position with the guarantee that it can only be read if the receiving party is located at that particular position. In the basic task of ''position-verification'', a player, Alice, wants to convince the (honest) verifiers that she is located at a particular point. It has been shown by Chandran ''et al.'' that position-verification using classical protocols is impossible against colluding adversaries (who control all positions except the prover's claimed position).<ref name="Chandran-2009"/> Under various restrictions on the adversaries, schemes are possible.
Under the name of 'quantum tagging', the first position-based quantum schemes were investigated in 2002 by Kent. A US patent<ref name="kent06patent"/> was granted in 2006. The notion of using quantum effects for location verification first appeared in the scientific literature in 2010.<ref name="Malaney-2010b"/><ref name="Malaney-2010a"/> After several other quantum protocols for position verification were suggested in 2010,<ref name="Doescher-2011"/><ref name="Lau-2010"/> Buhrman et al. claimed a general impossibility result:<ref name="Doescher-2010"/> using an enormous amount of quantum entanglement (they use a doubly exponential number of EPR pairs, in the number of qubits the honest player operates on), colluding adversaries are always able to make it look to the verifiers as if they were at the claimed position. However, this result does not exclude the possibility of practical schemes in the bounded- or noisy-quantum-storage model (see above). Later Beigi and König improved the number of EPR pairs needed in the general attack against position-verification protocols to exponential. They also showed that a particular protocol remains secure against adversaries who control only a linear number of EPR pairs.<ref name="Beigi-2011"/> It has been argued<ref name="Malaney-2016"/> that due to time-energy coupling the possibility of formal unconditional location verification via quantum effects remains an open problem. The study of position-based quantum cryptography also has connections with the protocol of port-based quantum teleportation, which is a more advanced version of quantum teleportation, where many EPR pairs are simultaneously used as ports.
=== Device-independent quantum cryptography ===
{{Main|Device-independent quantum cryptography}}
A quantum cryptographic protocol is '''device-independent''' if its security does not rely on trusting that the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices.<ref>{{Cite journal |last=Radanliev |first=Petar |date=October 2023 |title=Red Teaming Generative AI/NLP, the BB84 quantum cryptography protocol and the NIST-approved Quantum-Resistant Cryptographic Algorithms |url=https://ora.ox.ac.uk/objects/uuid:45d125d9-2ae5-4dff-9806-6ea4c512c6b1/download_file?file_format=application%2Fpdf&safe_filename=Radanliev_et_al_2023_Red_Teaming_Generative.pdf&type_of_work=Internet+publication |journal=University of Oxford |arxiv=2310.04425}}</ref> Mayers and Yao<ref name="Mayers-1998"/> proposed the idea of designing quantum protocols using "self-testing" quantum apparatus, the internal operations of which can be uniquely determined by their input-output statistics. Subsequently, Roger Colbeck in his thesis<ref name="Colbeck-2006"/> proposed the use of Bell tests for checking the honesty of the devices. Since then, several problems have been shown to admit unconditionally secure and device-independent protocols, even when the actual devices performing the Bell test are substantially "noisy", i.e., far from being ideal. These problems include quantum key distribution,<ref name="Vazirani-2014"/><ref name="Miller-2014"/> randomness expansion,<ref name="Miller-2014"/><ref name="Miller-2017"/> and randomness amplification.<ref name="Chung-2014"/>
In 2018, theoretical studies by Arnon-Friedman et al. suggested that exploiting a property of entropy later referred to as the "Entropy Accumulation Theorem (EAT)", an extension of the asymptotic equipartition property, can guarantee the security of a device-independent protocol.<ref>{{Cite journal |last1=Arnon-Friedman |first1=Rotem |last2=Dupuis |first2=Frédéric |last3=Fawzi |first3=Omar |last4=Renner |first4=Renato |author-link4=Renato Renner |last5=Vidick |first5=Thomas |date=31 January 2018 |title=Practical device-independent quantum cryptography via entropy accumulation |journal=Nature Communications |language=En |volume=9 |issue=1 |page=459 |bibcode=2018NatCo...9..459A |doi=10.1038/s41467-017-02307-4 |issn=2041-1723 |pmc=5792631 |pmid=29386507}}</ref>
== Post-quantum cryptography ==
{{Main|Post-quantum cryptography}}
Cryptographically relevant quantum computers may become a technological reality; it is therefore important to study cryptographic schemes used against adversaries with access to a quantum computer. The study of such schemes is often referred to as post-quantum cryptography. The need for post-quantum cryptography arises from the fact that many popular encryption and signature schemes, mainly those based on ECC and RSA, can be broken using Shor's algorithm for factoring and computing discrete logarithms on a quantum computer. Examples of schemes that are, as far as is known today, secure against quantum adversaries are McEliece and lattice-based schemes, as well as most symmetric-key algorithms.<ref name="Daniel J. Bernstein-2009b">{{cite book |author=Daniel J. Bernstein |author-link=Daniel J. Bernstein |title=Post-Quantum Cryptography |year=2009 |chapter=Introduction to post-quantum cryptography |chapter-url=http://www.pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf}}</ref><ref name="Daniel J. Bernstein-2009a">{{cite report |url=http://cr.yp.to/hash/collisioncost-20090823.pdf |title=Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? |author=Daniel J. Bernstein |author-link=Daniel J. Bernstein |date=17 May 2009 |archive-url=https://web.archive.org/web/20170825091116/https://cr.yp.to/hash/collisioncost-20090823.pdf |archive-date=25 August 2017 |url-status=live}}</ref> Surveys of post-quantum cryptography are available.<ref name="pqcrypto.org"/><ref name="Springer-2009"/>
Additional research has examined how existing cryptographic techniques have to be modified to cope with quantum adversaries. For example, when trying to develop zero-knowledge proof systems that are secure against quantum adversaries, new techniques need to be used: In a classical setting, the analysis of a zero-knowledge proof system usually involves "rewinding", a technique that makes it necessary to copy the internal state of the adversary. In a quantum setting, copying a state is not always possible (no-cloning theorem); a variant of the rewinding technique has to be used.<ref name="Watrous-2009"/>
Post-quantum algorithms are also called "quantum resistant", because – unlike quantum key distribution – it is not known or provable that there will not be potential future quantum attacks against them. Even though they may possibly be vulnerable to quantum attacks in the future, the NSA is announcing plans to transition to quantum resistant algorithms.<ref name="NSASuiteBTransition"/> The National Institute of Standards and Technology (NIST) believes that it is time to think of quantum-safe primitives.<ref>{{Cite web |date=13 October 2016 |title=Quantum Resistant Public Key Exchange: The Supersingular Isogenous Diffie-Hellman Protocol – CoinFabrik Blog |url=http://blog.coinfabrik.com/quantum-resistant-public-key-exchange-the-supersingular-isogenous-diffie-hellman-protocol/ |url-status=live |archive-url=https://web.archive.org/web/20170202071502/http://blog.coinfabrik.com/quantum-resistant-public-key-exchange-the-supersingular-isogenous-diffie-hellman-protocol/ |archive-date=2 February 2017 |access-date=24 January 2017 |website=blog.coinfabrik.com |language=en-US}}</ref>
== Quantum cryptography beyond key distribution ==
So far, quantum cryptography has been mainly identified with the development of quantum key distribution protocols. Symmetric cryptosystems with keys that have been distributed by means of quantum key distribution become inefficient for large networks (many users), because of the necessity for the establishment and the manipulation of many pairwise secret keys (the so-called "key-management problem"). Moreover, this distribution alone does not address many other cryptographic tasks and functions, which are of vital importance in everyday life. Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum, unlike quantum key distribution, in which the cryptographic transformation uses classical algorithms.<ref>{{cite journal |last1=Thapliyal |first1=K. |last2=Pathak |first2=A. |date=2018 |title=Kak's three-stage protocol of secure quantum communication revisited |journal=Quantum Information Processing |volume=17 |issue=9 |page=229 |arxiv=1803.02157 |bibcode=2018QuIP...17..229T |doi=10.1007/s11128-018-2001-z |s2cid=52009384}}</ref>
Besides quantum commitment and oblivious transfer (discussed above), research on quantum cryptography beyond key distribution revolves around quantum message authentication,<ref>{{Cite journal |last1=Nikolopoulos |first1=Georgios M. |last2=Fischlin |first2=Marc |date=2020 |title=Information-Theoretically Secure Data Origin Authentication with Quantum and Classical Resources |journal=Cryptography |language=en |volume=4 |issue=4 |page=31 |arxiv=2011.06849 |doi=10.3390/cryptography4040031 |s2cid=226956062 |doi-access=free}}</ref> quantum digital signatures,<ref>{{Cite arXiv |eprint=quant-ph/0105032 |first1=C. |last1=Doescher |first2=M. |last2=Keyl |title=Quantum Digital Signatures |year=2001 }}</ref><ref>{{Cite journal |last1=Collins |first1=Robert J. |last2=Donaldson |first2=Ross J. |last3=Dunjko |first3=Vedran |last4=Wallden |first4=Petros |last5=Clarke |first5=Patrick J. |last6=Andersson |first6=Erika |last7=Jeffers |first7=John |last8=Buller |first8=Gerald S. |year=2014 |title=Realization of Quantum Digital Signatures without the Requirement of Quantum Memory |journal=Physical Review Letters |volume=113 |issue=4 |arxiv=1311.5760 |bibcode=2014PhRvL.113d0502C |doi=10.1103/PhysRevLett.113.040502 |pmid=25105603 |s2cid=23925266 |article-number=040502}}</ref> quantum one-way functions and public-key encryption,<ref>{{Cite journal |last1=Kawachi |first1=Akinori |last2=Koshiba |first2=Takeshi |last3=Nishimura |first3=Harumichi |last4=Yamakami |first4=Tomoyuki |year=2011 |title=Computational Indistinguishability Between Quantum States and its Cryptographic Application |journal=Journal of Cryptology |volume=25 |issue=3 |pages=528–555 |arxiv=quant-ph/0403069 |citeseerx=10.1.1.251.6055 |doi=10.1007/s00145-011-9103-4 |s2cid=6340239}}</ref><ref>{{Cite journal |last1=Kabashima |first1=Yoshiyuki |last2=Murayama |first2=Tatsuto |last3=Saad |first3=David |year=2000 |title=Cryptographical Properties of Ising Spin Systems |journal=Physical Review Letters |volume=84 |issue=9 
|pages=2030–2033 |arxiv=cond-mat/0002129 |bibcode=2000PhRvL..84.2030K |doi=10.1103/PhysRevLett.84.2030 |pmid=11017688 |s2cid=12883829}}</ref><ref>{{Cite journal |last1=Nikolopoulos |first1=Georgios M. |year=2008 |title=Applications of single-qubit rotations in quantum public-key cryptography |journal=Physical Review A |volume=77 |issue=3 |arxiv=0801.2840 |bibcode=2008PhRvA..77c2348N |doi=10.1103/PhysRevA.77.032348 |s2cid=119097757 |article-number=032348}}</ref><ref>{{Cite journal |last1=Nikolopoulos |first1=Georgios M. |last2=Ioannou |first2=Lawrence M. |year=2009 |title=Deterministic quantum-public-key encryption: Forward search attack and randomization |journal=Physical Review A |volume=79 |issue=4 |arxiv=0903.4744 |bibcode=2009PhRvA..79d2327N |doi=10.1103/PhysRevA.79.042327 |s2cid=118425296 |article-number=042327}}</ref><ref>{{Cite journal |last1=Seyfarth |first1=U. |last2=Nikolopoulos |first2=G. M. |last3=Alber |first3=G. |year=2012 |title=Symmetries and security of a quantum-public-key encryption based on single-qubit rotations |journal=Physical Review A |volume=85 |issue=2 |arxiv=1202.3921 |bibcode=2012PhRvA..85b2342S |doi=10.1103/PhysRevA.85.022342 |s2cid=59467718 |article-number=022342}}</ref><ref>{{Cite journal |last1=Nikolopoulos |first1=Georgios M. |last2=Brougham |first2=Thomas |date=11 July 2016 |title=Decision and function problems based on boson sampling |url=https://link.aps.org/doi/10.1103/PhysRevA.94.012315 |journal=Physical Review A |volume=94 |issue=1 |arxiv=1607.02987 |bibcode=2016PhRvA..94a2315N |doi=10.1103/PhysRevA.94.012315 |s2cid=5311008 |article-number=012315}}</ref><ref>{{Cite journal |last=Nikolopoulos |first=Georgios M. 
|date=13 July 2019 |title=Cryptographic one-way function based on boson sampling |journal=Quantum Information Processing |language=en |volume=18 |issue=8 |arxiv=1907.01788 |bibcode=2019QuIP...18..259N |doi=10.1007/s11128-019-2372-9 |issn=1573-1332 |s2cid=195791867 |article-number=259}}</ref> quantum key-exchange,<ref>{{Cite journal |last=Nikolopoulos |first=Georgios M. |date=16 January 2025 |title=Quantum Diffie–Hellman key exchange |journal=APL Quantum |volume=2 |issue=1 |arxiv=2501.09568 |doi=10.1063/5.0242473 |issn=2835-0103 |doi-access=free |article-number=016107}}</ref> quantum fingerprinting<ref>{{Cite journal |last1=Buhrman |first1=Harry |last2=Cleve |first2=Richard |last3=Watrous |first3=John |last4=De Wolf |first4=Ronald |year=2001 |title=Quantum Fingerprinting |journal=Physical Review Letters |volume=87 |issue=16 |arxiv=quant-ph/0102001 |bibcode=2001PhRvL..87p7902B |doi=10.1103/PhysRevLett.87.167902 |pmid=11690244 |s2cid=1096490 |article-number=167902}}</ref> and entity authentication<ref>{{Cite journal |last1=Nikolopoulos |first1=Georgios M. |last2=Diamanti |first2=Eleni |date=10 April 2017 |title=Continuous-variable quantum authentication of physical unclonable keys |journal=Scientific Reports |language=en |volume=7 |issue=1 |arxiv=1704.06146 |bibcode=2017NatSR...746047N |doi=10.1038/srep46047 |issn=2045-2322 |pmc=5385567 |pmid=28393853 |article-number=46047}}</ref><ref>{{Cite journal |last=Nikolopoulos |first=Georgios M. |date=22 January 2018 |title=Continuous-variable quantum authentication of physical unclonable keys: Security against an emulation attack |url=https://link.aps.org/doi/10.1103/PhysRevA.97.012324 |journal=Physical Review A |volume=97 |issue=1 |arxiv=1801.07434 |bibcode=2018PhRvA..97a2324N |doi=10.1103/PhysRevA.97.012324 |s2cid=119486945 |article-number=012324}}</ref><ref>{{Cite journal |last1=Fladung |first1=Lukas |last2=Nikolopoulos |first2=Georgios M. 
|last3=Alber |first3=Gernot |last4=Fischlin |first4=Marc |date=2019 |title=Intercept-Resend Emulation Attacks against a Continuous-Variable Quantum Authentication Protocol with Physical Unclonable Keys |journal=Cryptography |language=en |volume=3 |issue=4 |page=25 |arxiv=1910.11579 |doi=10.3390/cryptography3040025 |s2cid=204901444 |doi-access=free}}</ref> (for example, see Quantum readout of PUFs), etc.
== Y-00 protocol ==
H. P. Yuen presented Y-00 as a stream cipher using quantum noise around 2000 and applied it for the U.S. Defense Advanced Research Projects Agency (DARPA) High-Speed and High-Capacity Quantum Cryptography Project as an alternative to quantum key distribution.<ref>{{Cite journal |last1=Barbosa |first1=Geraldo A. |last2=Corndorf |first2=Eric |last3=Kumar |first3=Prem |last4=Yuen |first4=Horace P. |date=2 June 2003 |title=Secure Communication Using Mesoscopic Coherent States |journal=Physical Review Letters |volume=90 |issue=22 |arxiv=quant-ph/0212018 |bibcode=2003PhRvL..90v7901B |doi=10.1103/PhysRevLett.90.227901 |pmid=12857341 |s2cid=12720233 |article-number=227901}}</ref><ref>{{Cite thesis |last=Yuen |first=H. P. |title=Physical Cryptography: A New Approach to Key Generation and Direct Encryption |date=31 July 2009 |degree=PhD |url=https://apps.dtic.mil/sti/pdfs/ADA512847.pdf}}</ref> A review summarizes the protocol well.<ref name="Verma-2018">{{Cite book |last1=Verma |first1=Pramode K. |title=Multi-photon Quantum Secure Communication |last2=El Rifai |first2=Mayssaa |last3=Chan |first3=K. W. Clifford |date=19 August 2018 |isbn=978-981-10-8617-5 |series=Signals and Communication Technology |pages=85–95 |chapter=Secure Communication Based on Quantum Noise |doi=10.1007/978-981-10-8618-2_4 |chapter-url=https://doi.org/10.1007/978-981-10-8618-2_4 |s2cid=56788374}}</ref>
Unlike quantum key distribution protocols, the main purpose of Y-00 is to transmit a message without eavesdrop-monitoring, not to distribute a key. Therefore, privacy amplification may be used only for key distributions.<ref name="Takehisa-2020">{{Cite journal |last=Takehisa |first=Iwakoshi |date=27 January 2020 |title=Analysis of Y00 Protocol Under Quantum Generalization of a Fast Correlation Attack: Toward Information-Theoretic Security |journal=IEEE Access |volume=8 |pages=23417–23426 |arxiv=2001.11150 |bibcode=2020IEEEA...823417I |doi=10.1109/ACCESS.2020.2969455 |doi-access=free|s2cid=210966407}}</ref> Currently, research is being conducted mainly in Japan and China: e.g.<ref>{{Cite journal |last1=Hirota |first1=Osamu |display-authors=etal |date=1 September 2010 |title=Getting around the Shannon limit of cryptography |journal=SPIE Newsroom |doi=10.1117/2.1201008.003069}}</ref><ref>{{Cite journal |last1=Quan |first1=Yu |display-authors=etal |date=30 March 2020 |title=Secure 100Gb/s IMDD transmission over 100 km SSMF enabled by quantum noise stream cipher and sparse RLS-Volterra equalizer |journal=IEEE Access |volume=8 |pages=63585–63594 |bibcode=2020IEEEA...863585Y |doi=10.1109/ACCESS.2020.2984330 |s2cid=215816092 |doi-access=free}}</ref>
The principle of operation is as follows. First, legitimate users share a key and change it to a pseudo-random keystream using the same pseudo-random number generator. Then, the legitimate parties can perform conventional optical communications based on the shared key by transforming it appropriately. For attackers who do not share the key, the wire-tap channel model of Aaron D. Wyner is implemented. The legitimate users' advantage based on the shared key is called "advantage creation". The goal is to achieve longer covert communication than the information-theoretic security limit (one-time pad) set by Shannon.<ref>{{Cite journal |last=Wyner |first=A. D. |date=October 1975 |title=The Wire-Tap Channel |journal=Bell System Technical Journal |volume=54 |issue=8 |pages=1355–1387 |doi=10.1002/j.1538-7305.1975.tb02040.x |bibcode=1975BSTJ...54.1355W |s2cid=21512925}}</ref> The source of the noise in the above wire-tap channel is the uncertainty principle of the electromagnetic field itself, which is a theoretical consequence of the theory of laser described by Roy J. Glauber and E. C. George Sudarshan (coherent state).<ref>{{Cite journal |last=Roy J. |first=Glauber |date=15 June 1963 |title=The Quantum Theory of Optical Coherence |journal=Physical Review |volume=130 |issue=6 |pages=2529–2539 |bibcode=1963PhRv..130.2529G |doi=10.1103/PhysRev.130.2529 |doi-access=free}}</ref><ref>{{Cite journal |last=E. C. G. |first=Sudarshan |date=1 April 1963 |title=Equivalence of Semiclassical and Quantum Mechanical Descriptions of Statistical Light Beams |journal=Physical Review Letters |volume=10 |issue=7 |pages=277–279 |bibcode=1963PhRvL..10..277S |doi=10.1103/PhysRevLett.10.277}}</ref><ref>{{Cite book |last1=Walls |first1=D. F. |url=https://books.google.com/books?id=LiWsc3Nlf0kC |title=Quantum optics |last2=Milburn |first2=G. J. 
|date=January 2008 |publisher=Springer |isbn=978-3-540-28573-1}}</ref> Therefore, existing optical communication technologies are sufficient for implementation, as some reviews describe: e.g.<ref name="Verma-2018"/> Furthermore, since it uses ordinary communication laser light, it is compatible with existing communication infrastructure and can be used for high-speed and long-distance communication and routing.<ref>{{Cite journal |last1=Hirota |first1=Osamu |display-authors=etal |date=26 August 2005 |title=Quantum stream cipher by the Yuen 2000 protocol: Design and experiment by an intensity-modulation scheme |journal=Physical Review A |volume=72 |issue=2 |arxiv=quant-ph/0507043 |bibcode=2005PhRvA..72b2335H |doi=10.1103/PhysRevA.72.022335 |s2cid=118937168 |article-number=022335}}</ref> <ref>{{Cite journal |last1=Yoshida |first1=Masato |display-authors=etal |date=15 February 2021 |title=10 Tbit/s QAM Quantum Noise Stream Cipher Coherent Transmission Over 160 Km |journal=Journal of Lightwave Technology |volume=39 |issue=4 |pages=1056–1063 |bibcode=2021JLwT...39.1056Y |doi=10.1109/JLT.2020.3016693 |s2cid=225383926}}</ref> <ref>{{Cite book |last1=Futami |first1=Fumio |title=Optical Fiber Communication Conference |date=March 2018 |isbn=978-1-943580-38-5 |chapter=Dynamic Routing of Y-00 Quantum Stream Cipher in Field-Deployed Dynamic Optical Path Network |doi=10.1364/OFC.2018.Tu2G.5 |display-authors=etal |chapter-url=https://doi.org/10.1364/OFC.2018.Tu2G.5 |s2cid=49185664 |article-number=Tu2G.5}}</ref> <ref>{{Cite book |last1=Tanizawa |first1=Ken |title=2020 European Conference on Optical Communications (ECOC) |last2=Futami |first2=Fumio |date=2020 |isbn=978-1-7281-7361-0 |pages=1–4 |chapter=Security-Enhanced 10, 118-km Single-Channel 40-Gbit/s Transmission Using PSK Y-00 Quantum Stream Cipher |doi=10.1109/ECOC48923.2020.9333304 |chapter-url=https://doi.org/10.1109/ECOC48923.2020.9333304 |s2cid=231852229}}</ref> <ref>{{Cite journal |last1=Tanizawa |first1=Ken
|last2=Futami |first2=Fumio |date=April 2020 |title=Quantum Noise-Assisted Coherent Radio-over-Fiber Cipher System for Secure Optical Fronthaul and Microwave Wireless Links |journal=Journal of Lightwave Technology |volume=38 |issue=16 |pages=4244–4249 |bibcode=2020JLwT...38.4244T |doi=10.1109/JLT.2020.2987213 |s2cid=219095947 |doi-access=free}}</ref>
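The principle of operation described above can be illustrated with a toy simulation; this is an added example, not code from the Y-00 literature or the cited authors. It assumes a phase-shift-keyed variant with 127 bases, SHAKE-256 standing in for the shared pseudo-random number generator, Gaussian phase noise standing in for quantum noise, and a keyless receiver that makes one nearest-level measurement per symbol; all function names and parameters are hypothetical.

```python
import hashlib
import math
import random

# Toy model parameters (assumptions of this example, not values from the article).
M = 127                       # number of bases; odd so level parity alternates around the circle
LEVELS = 2 * M                # phase levels on the circle
STEP = 2 * math.pi / LEVELS   # angular spacing between adjacent levels


def running_key(shared_key: bytes, n: int) -> list[int]:
    """Expand the shared key into n basis indices in [0, M).

    SHAKE-256 stands in for the pseudo-random number generator both
    legitimate parties run. The small modulo bias is ignored here.
    """
    stream = hashlib.shake_256(shared_key).digest(2 * n)
    return [int.from_bytes(stream[2 * i:2 * i + 2], "big") % M for i in range(n)]


def encode(bit: int, basis: int) -> float:
    """Basis k owns the antipodal levels k and k+M.

    The sender transmits the one whose index parity equals the data bit,
    so neighbouring levels on the circle always carry opposite bits.
    """
    level = basis if basis % 2 == bit else basis + M
    return level * STEP


def channel(phase: float, sigma: float, rng: random.Random) -> float:
    """Add Gaussian phase noise (stand-in for quantum noise)."""
    return (phase + rng.gauss(0.0, sigma)) % (2 * math.pi)


def decode_with_key(phase: float, basis: int) -> int:
    """Legitimate receiver: knows the basis, so it only has to tell
    two antipodal phases apart (a binary decision)."""
    rel = (phase - basis * STEP) % (2 * math.pi)
    level = basis + M if math.cos(rel) < 0 else basis
    return level % 2


def decode_without_key(phase: float) -> int:
    """Keyless receiver: must pick the nearest of all 2M levels and
    read the bit from that level's parity."""
    level = round(phase / STEP) % LEVELS
    return level % 2


def simulate(sigma: float, n_bits: int = 20000, seed: int = 1) -> tuple[float, float]:
    """Return (error rate with key, error rate without key)."""
    rng = random.Random(seed)
    bases = running_key(b"constructed demo key", n_bits)  # constructed sample key
    err_key = err_nokey = 0
    for basis in bases:
        bit = rng.getrandbits(1)
        received = channel(encode(bit, basis), sigma, rng)
        err_key += decode_with_key(received, basis) != bit
        err_nokey += decode_without_key(received) != bit
    return err_key / n_bits, err_nokey / n_bits


if __name__ == "__main__":
    for sigma in (0.001, 0.1):
        with_key, without_key = simulate(sigma)
        print(f"sigma={sigma:<6} spacing={STEP:.4f} "
              f"error with key={with_key:.3f} without key={without_key:.3f}")
```

With noise spanning several level spacings the keyless receiver's bit error rate sits near one half while the keyed receiver decodes without error; with noise far below the spacing both decode correctly, so in this model the advantage rests entirely on noise masking adjacent levels. The model covers only a per-symbol measurement and says nothing about the attacks on the key discussed in the literature cited in this section.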
Although the main purpose of the protocol is to transmit the message, key distribution is possible by simply replacing the message with a key.<ref>{{Cite journal |last=Yuen |first=Horace P. |date=November 2009 |title=Key Generation: Foundations and a New Quantum Approach |journal=IEEE Journal of Selected Topics in Quantum Electronics |volume=15 |issue=6 |pages=1630–1645 |arxiv=0906.5241 |bibcode=2009IJSTQ..15.1630Y |doi=10.1109/JSTQE.2009.2025698 |s2cid=867791}}</ref><ref name="Takehisa-2020"/> Since it is a symmetric-key cipher, the initial key must be shared in advance; however, a method for initial key agreement has also been proposed.<ref>{{Cite journal |last=Iwakoshi |first=Takehisa |date=5 June 2019 |title=Message-Falsification Prevention With Small Quantum Mask in Quaternary Y00 Protocol |journal=IEEE Access |volume=7 |pages=74482–74489 |bibcode=2019IEEEA...774482I |doi=10.1109/ACCESS.2019.2921023 |s2cid=195225370 |doi-access=free}}</ref>
On the other hand, it is currently unclear what implementation realizes information-theoretic security, and security of this protocol has long been a matter of debate.<ref>{{Cite journal |last1=Nishioka |first1=Tsuyoshi |display-authors=etal |date=21 June 2004 |title=How much security does Y-00 protocol provide us? |journal=Physics Letters A |volume=327 |issue=1 |pages=28–32 |arxiv=quant-ph/0310168 |bibcode=2004PhLA..327...28N |doi=10.1016/j.physleta.2004.04.083 |s2cid=119069709}}</ref><ref>{{Cite journal |last1=Yuen |first1=Horace P. |display-authors=etal |date=10 October 2005 |title=Comment on:'How much security does Y-00 protocol provide us?'[Phys. Lett. A 327 (2004) 28] |journal=Physics Letters A |volume=346 |issue=1–3 |pages=1–6 |bibcode=2005PhLA..346....1Y |doi=10.1016/j.physleta.2005.08.022}}</ref><ref>{{Cite journal |last1=Nishioka |first1=Tsuyoshi |display-authors=etal |date=10 October 2005 |title=Reply to:"Comment on:'How much security does Y-00 protocol provide us?'" [Phys. Lett. A 346 (2005) 1] |journal=Physics Letters A |volume=346 |issue=1–3 |bibcode=2005PhLA..346....1Y |doi=10.1016/j.physleta.2005.08.022}}</ref><ref>{{Cite arXiv |eprint=quant-ph/0509092 |first1=Ranjith |last1=Nair |title=Reply to:'Reply to:"Comment on:'How much security does Y-00 protocol provide us?'"' |date=13 September 2005 |display-authors=etal }}</ref><ref>{{Cite journal |last1=Donnet |first1=Stéphane |display-authors=etal |date=21 August 2006 |title=Security of Y-00 under heterodyne measurement and fast correlation attack |journal=Physics Letters A |volume=356 |issue=6 |pages=406–410 |bibcode=2006PhLA..356..406D |doi=10.1016/j.physleta.2006.04.002}}</ref><ref>{{Cite journal |last1=Yuen |first1=Horace P. 
|display-authors=etal |date=23 April 2007 |title=On the security of Y-00 under fast correlation and other attacks on the key |journal=Physics Letters A |volume=364 |issue=2 |pages=112–116 |arxiv=quant-ph/0608028 |bibcode=2007PhLA..364..112Y |doi=10.1016/j.physleta.2006.12.033 |s2cid=7824483}}</ref><ref>{{Cite journal |last=Mihaljević |first=Miodrag J. |date=24 May 2007 |title=Generic framework for the secure Yuen 2000 quantum-encryption protocol employing the wire-tap channel approach |journal=Physical Review A |volume=75 |issue=5 |bibcode=2007PhRvA..75e2334M |doi=10.1103/PhysRevA.75.052334 |article-number=052334}}</ref><ref>{{Cite journal |last1=Shimizu |first1=Tetsuya |display-authors=etal |date=27 March 2008 |title=Running key mapping in a quantum stream cipher by the Yuen 2000 protocol |journal=Physical Review A |volume=77 |issue=3 |bibcode=2008PhRvA..77c4305S |doi=10.1103/PhysRevA.77.034305 |article-number=034305}}</ref><ref>{{Cite journal |last1=Tregubov |first1=P. A. |last2=Trushechkin |first2=A. S. |date=21 November 2020 |title=Quantum Stream Ciphers: Impossibility of Unconditionally Strong Algorithms |journal=Journal of Mathematical Sciences |volume=252 |pages=90–103 |doi=10.1007/s10958-020-05144-x |s2cid=254745640}}</ref><ref>{{Cite journal |last=Iwakoshi |first=Takehisa |date=February 2021 |title=Security Evaluation of Y00 Protocol Based on Time-Translational Symmetry Under Quantum Collective Known-Plaintext Attacks |journal=IEEE Access |volume=9 |pages=31608–31617 |bibcode=2021IEEEA...931608I |doi=10.1109/ACCESS.2021.3056494 |s2cid=232072394 |doi-access=free}}</ref>
== Implementation in practice ==
In theory, quantum cryptography seems to be a successful turning point in the information security sector. However, no cryptographic method can ever be absolutely secure.<ref>{{Cite journal |last1=Scarani |first1=Valerio |last2=Bechmann-Pasquinucci |first2=Helle |last3=Cerf |first3=Nicolas J. |last4=Dušek |first4=Miloslav |last5=Lütkenhaus |first5=Norbert |last6=Peev |first6=Momtchil |date=29 September 2009 |title=The security of practical quantum key distribution |journal=Reviews of Modern Physics |volume=81 |issue=3 |pages=1301–1350 |arxiv=0802.4155 |bibcode=2009RvMP...81.1301S |doi=10.1103/revmodphys.81.1301 |issn=0034-6861 |s2cid=15873250}}</ref> In practice, quantum cryptography is only conditionally secure, dependent on a key set of assumptions.<ref name="Zhao-2009">{{Cite thesis |last=Zhao |first=Yi |title=Quantum cryptography in real-life applications: assumptions and security |date=2009 |url=https://pdfs.semanticscholar.org/ccc3/cb3422d8b2b02f66515d45710a09df8c56d0.pdf |archive-url=https://web.archive.org/web/20200228224625/https://pdfs.semanticscholar.org/ccc3/cb3422d8b2b02f66515d45710a09df8c56d0.pdf |archive-date=28 February 2020 |bibcode=2009PhDT........94Z |s2cid=118227839}}</ref>
=== Single-photon source assumption ===
The theoretical basis for quantum key distribution assumes the use of single-photon sources. However, such sources are difficult to construct, and most real-world quantum cryptography systems use faint laser sources as a medium for information transfer.<ref name="Zhao-2009" /> These multi-photon sources open the possibility for eavesdropper attacks, particularly a photon splitting attack.<ref name="Lo-2005">{{Cite journal |last=Lo |first=Hoi-Kwong |date=22 October 2005 |title=Decoy State Quantum Key Distribution |journal=Quantum Information Science |publisher=WORLD SCIENTIFIC |volume=94 |issue=23 |page=143 |arxiv=quant-ph/0411004 |bibcode=2005qis..conf..143L |doi=10.1142/9789812701633_0013 |isbn=978-981-256-460-3 |pmid=16090452}}</ref> An eavesdropper, Eve, can split the multi-photon source and retain one copy for herself.<ref name="Lo-2005" /> The other photons are then transmitted to Bob without any measurement or trace that Eve captured a copy of the data.<ref name="Lo-2005" /> Scientists believe they can retain security with a multi-photon source by using decoy states that test for the presence of an eavesdropper.<ref name="Lo-2005" /> However, in 2016, scientists developed a near perfect single photon source and estimate that one could be developed in the near future.<ref>{{Cite journal |last1=Reimer |first1=Michael E. |last2=Cher |first2=Catherine |date=November 2019 |title=The quest for a perfect single-photon source |url=https://www.nature.com/articles/s41566-019-0544-x |journal=Nature Photonics |language=en |volume=13 |issue=11 |pages=734–736 |bibcode=2019NaPho..13..734R |doi=10.1038/s41566-019-0544-x |issn=1749-4893 |s2cid=209939102 |url-access=subscription}}</ref>
=== Identical detector efficiency assumption ===
In practice, multiple single-photon detectors are used in quantum key distribution devices, one for Alice and one for Bob.<ref name="Zhao-2009" /> These photodetectors are tuned to detect an incoming photon during a short window of only a few nanoseconds.<ref name="Makarov-2008">{{Cite journal |last1=Makarov |first1=Vadim |last2=Anisimov |first2=Andrey |last3=Skaar |first3=Johannes |date=31 July 2008 |title=Erratum: Effects of detector efficiency mismatch on security of quantum cryptosystems [Phys. Rev. A74, 022313 (2006)] |journal=Physical Review A |volume=78 |issue=1 |bibcode=2008PhRvA..78a9905M |doi=10.1103/physreva.78.019905 |issn=1050-2947 |doi-access=free |article-number=019905}}</ref> Due to manufacturing differences between the two detectors, their respective detection windows will be shifted by some finite amount.<ref name="Makarov-2008" /> An eavesdropper, Eve, can take advantage of this detector inefficiency by measuring Alice's qubit and sending a "fake state" to Bob.<ref name="Makarov-2008" /> Eve first captures the photon sent by Alice and then generates another photon to send to Bob.<ref name="Makarov-2008" /> Eve manipulates the phase and timing of the "faked" photon in a way that prevents Bob from detecting the presence of an eavesdropper.<ref name="Makarov-2008" /> The only way to eliminate this vulnerability is to eliminate differences in photodetector efficiency, which is difficult to do given finite manufacturing tolerances that cause optical path length differences, wire length differences, and other defects.<ref name="Makarov-2008" />
=== Deprecation of quantum key distributions from governmental institutions ===
Given the practical challenges raised below, several organizations recommend using "post-quantum cryptography (or quantum-resistant cryptography)" instead of quantum key distribution.
# USA National Security Agency,<ref name="NSA">{{cite web |title=Quantum Key Distribution (QKD) and Quantum Cryptography (QC) |url=https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC/ |access-date=16 July 2022 |publisher=National Security Agency}} {{PD-notice}}</ref>
# European Union Agency for Cybersecurity of EU (ENISA),<ref>Post-Quantum Cryptography: Current state and quantum mitigation, Section 6 "Conclusion" [https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation]</ref>
# United Kingdom's National Cyber Security Centre,<ref>[https://www.ncsc.gov.uk/whitepaper/quantum-security-technologies Quantum security technologies]</ref>
# French Secretariat for Defense and Security (ANSSI),<ref>[https://cyber.gouv.fr/en/publications/should-quantum-key-distribution-be-used-secure-communications Should Quantum Key Distribution be Used for Secure Communications?]</ref>
# German Federal Office for Information Security (BSI)<ref>{{cite web |title=Quantum Cryptography |url=https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/Quantenkryptografie/quantenkryptografie.html}}</ref>
# Australia's ASD<ref>{{cite web |title=Planning for post-quantum cryptography |url=https://www.cyber.gov.au/business-government/secure-design/planning-post-quantum-cryptography |url-status=dead |archive-url=https://web.archive.org/web/20250914222458/https://www.cyber.gov.au/business-government/secure-design/planning-post-quantum-cryptography |archive-date=14 September 2025 |access-date=12 September 2025}}</ref>
# Netherlands National Communications Security Agency (NLNCSA)
# and Swedish National Communications Security Authority, Swedish Armed Forces<ref>{{cite web |title=Position Paper on Quantum Key Distribution |url=https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Quantum_Positionspapier.pdf?__blob=publicationFile&v=4}}</ref>

For example, the US National Security Agency addresses five issues:<ref name="NSA" />
* Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or pre-placed keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
* Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
* Quantum key distribution increases infrastructure costs and insider-threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
* Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than what is available in most physical engineering scenarios, making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.<ref>{{Cite journal |last1=Scarani |first1=Valerio |last2=Kurtsiefer |first2=Christian |date=4 December 2014 |title=The black paper of quantum cryptography: Real implementation problems |journal=Theoretical Computer Science |volume=560 |pages=27–32 |arxiv=0906.4547 |doi=10.1016/j.tcs.2014.09.015 |s2cid=44504715}}</ref>
* Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.

In response to problem 1 above, attempts to deliver authentication keys using post-quantum cryptography (or quantum-resistant cryptography) have been proposed worldwide. However, quantum-resistant cryptography belongs to the class of computationally secure cryptography. In 2015, a research result was already published stating that "sufficient care must be taken in implementation to achieve information-theoretic security for the system as a whole when authentication keys that are not information-theoretic secure are used" (if the authentication key is not information-theoretically secure, an attacker can break it to bring all classical and quantum communications under control and relay them to launch a man-in-the-middle attack).<ref>{{Cite journal |last1=Pacher |first1=Christoph |last2=et |first2=al. |date=January 2016 |title=Attacks on quantum key distribution protocols that employ non-ITS authentication |journal=Quantum Information Processing |volume=15 |issue=1 |pages=327–362 |arxiv=1209.0365 |bibcode=2016QuIP...15..327P |doi=10.1007/s11128-015-1160-4 |s2cid=254986932}}</ref> Ericsson, a private company, also cites the above problems and reports that quantum key distribution may not be able to support the zero trust security model, which is a recent trend in network security technology.<ref>{{Cite arXiv |eprint=2112.00399 |class=cs.CR |first1=J. P. |last1=Mattsson |title=Quantum-Resistant Cryptography |date=December 2021 |display-authors=etal}}</ref>
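The pre-placed-key, information-theoretically secure authentication that the passage above contrasts with computationally secure keys can be sketched as a one-time MAC over the classical QKD messages. This is an added example, not code from the NSA text or the cited papers: it assumes a Wegman–Carter-style polynomial hash over the prime field of size 2^127 − 1, and the class, function names, message format and key bytes are constructed for illustration.

```python
import hmac

P = 2**127 - 1   # prime modulus of the polynomial hash (assumed parameter)
BLOCK = 15       # 15-byte blocks, so every block value is below P
PAIR = 32        # key bytes consumed per authenticated message

class PreplacedKeyPool:
    """Secret bytes installed on both ends before the first QKD round."""
    def __init__(self, key_bytes):
        self._pool = bytes(key_bytes)

    def remaining_tags(self):
        return len(self._pool) // PAIR

    def take_pair(self):
        # Each (r, s) pair authenticates one message only; reuse voids
        # the information-theoretic bound.
        if len(self._pool) < PAIR:
            raise RuntimeError("pre-placed authentication key exhausted")
        chunk, self._pool = self._pool[:PAIR], self._pool[PAIR:]
        r = int.from_bytes(chunk[:16], "big") % P
        s = int.from_bytes(chunk[16:], "big") % P
        return r, s

def _blocks(msg):
    # The length prefix keeps the message-to-polynomial encoding injective.
    data = len(msg).to_bytes(8, "big") + msg
    return [int.from_bytes(data[i:i + BLOCK], "big")
            for i in range(0, len(data), BLOCK)]

def one_time_tag(msg, r, s):
    acc = 0
    for block in _blocks(msg):      # Horner evaluation of the polynomial at r
        acc = (acc + block) * r % P
    return (acc + s) % P            # s acts as a one-time pad on the hash

def authenticate(pool, msg):
    r, s = pool.take_pair()
    return msg, one_time_tag(msg, r, s)

def verify(pool, msg, tag):
    r, s = pool.take_pair()         # receiver consumes the same pair, in order
    if not 0 <= tag < P:
        return False
    expected = one_time_tag(msg, r, s)
    return hmac.compare_digest(expected.to_bytes(16, "big"),
                               tag.to_bytes(16, "big"))

# Constructed sample key; a real pre-placed key must be uniformly random.
SAMPLE_KEY = bytes(range(64))

def demo():
    alice, bob = PreplacedKeyPool(SAMPLE_KEY), PreplacedKeyPool(SAMPLE_KEY)
    msg, tag = authenticate(alice, b"sift:0110100110")
    genuine_ok = verify(bob, msg, tag)
    msg, tag = authenticate(alice, b"sift:0110100110")
    tampered_ok = verify(bob, b"sift:0110100111", tag)  # one bit altered in transit
    return genuine_ok, tampered_ok, alice.remaining_tags()

if __name__ == "__main__":
    print(demo())
```

The pool runs dry after two messages, which shows the operational cost: every authenticated message consumes secret key that must be pre-placed or replenished from earlier QKD output.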
=== Quantum cryptography in education ===
Quantum cryptography, specifically the BB84 protocol, has become an important topic in physics and computer science education. The challenge of teaching quantum cryptography lies in the technical requirements and the conceptual complexity of quantum mechanics. However, simplified experimental setups for educational purposes are becoming more common,<ref>{{Cite journal |last1=Bloom |first1=Yuval |last2=Fields |first2=Ilai |last3=Maslennikov |first3=Alona |last4=Rozenman |first4=Georgi Gary |year=2022 |title=Quantum Cryptography—A Simplified Undergraduate Experiment and Simulation |journal=Physics |volume=4 |issue=1 |pages=104–123 |bibcode=2022Physi...4..104B |doi=10.3390/physics4010009 |doi-access=free}}</ref> allowing undergraduate students to engage with the core principles of quantum key distribution (QKD) without requiring advanced quantum technology.
== References ==
{{reflist|30em|refs=
<ref name="Crépeau-1988"> {{cite conference |last1=Crépeau |first1=Claude |last2=Joe |first2=Kilian |date=1988 |title=Achieving Oblivious Transfer Using Weakened Security Assumptions (Extended Abstract) |conference=FOCS 1988 |publisher=IEEE |pages=42–52}}</ref>
<ref name="Kilian-1988"> {{cite conference |last=Kilian |first=Joe |date=1988 |title=Founding cryptography on oblivious transfer |url=http://external.nj.nec.com/homepages/joe/collected-papers/Kil88b.ps |conference=STOC 1988 |publisher=ACM |pages=20–31 |archive-url=https://web.archive.org/web/20041224234245/http://external.nj.nec.com/homepages/joe/collected-papers/Kil88b.ps |archive-date=24 December 2004}}</ref>
<ref name="Mayers-1997"> {{cite journal |last=Mayers |first=Dominic |date=1997 |title=Unconditionally Secure Quantum Bit Commitment is Impossible |journal=Physical Review Letters |volume=78 |issue=17 |pages=3414–3417 |arxiv=quant-ph/9605044 |bibcode=1997PhRvL..78.3414M |citeseerx=10.1.1.251.5550 |doi=10.1103/PhysRevLett.78.3414 |s2cid=14522232}}</ref>
<ref name="Brassard-1993"> {{cite conference |last1=Brassard |first1=Gilles |last2=Claude |first2=Crépeau |last3=Jozsa |first3=Richard |last4=Langlois |first4=Denis |date=1993 |title=A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties |conference=FOCS 1993 |publisher=IEEE |pages=362–371}}</ref>
<ref name="Damgård-2005"> {{cite conference |last1=Damgård |first1=Ivan |last2=Fehr |first2=Serge |last3=Salvail |first3=Louis |last4=Schaffner |first4=Christian |date=2005 |title=Cryptography in the Bounded Quantum-Storage Model |conference=FOCS 2005 |publisher=IEEE |pages=449–458 |arxiv=quant-ph/0508222}}</ref>
<ref name="Dziembowski-2004"> {{cite conference |last1=Dziembowski |first1=Stefan |last2=Ueli |first2=Maurer |date=2004 |title=On Generating the Initial Key in the Bounded-Storage Model |url=https://www.crypto.ethz.ch/publications/files/DziMau04b.pdf |conference=Eurocrypt 2004 |series=LNCS |publisher=Springer |volume=3027
|pages=126–137 |archive-url=https://web.archive.org/web/20200311235001/https://www.crypto.ethz.ch/publications/files/DziMau04b.pdf |archive-date=11 March 2020 |access-date=11 March 2020 |url-status=live}}</ref> <ref name="Cachin-1998"> {{cite conference |last1=Cachin |first1=Christian |last2=Crépeau |first2=Claude |last3=Marcil |first3=Julien |date=1998 |title=Oblivious Transfer with a Memory-Bounded Receiver |conference=FOCS 1998 |publisher=IEEE |pages=493–502}}</ref> <ref name="Springer-2009"> {{cite book |title=Post-quantum cryptography |date=2009 |publisher=Springer |isbn=978-3-540-88701-0 |editor-last=Bernstein |editor-first=Daniel J. |editor2-last=Buchmann |editor2-first=Johannes |editor3-last=Dahmen |editor3-first=Erik}}</ref> <ref name="pqcrypto.org"> {{cite web |title=Post-quantum cryptography |url=http://pqcrypto.org/ |url-status=live |archive-url=https://web.archive.org/web/20110717174032/http://pqcrypto.org/ |archive-date=17 July 2011 |access-date=29 August 2010}}</ref> <ref name="Watrous-2009"> {{cite journal |last=Watrous |first=John |author-link1=John Watrous (computer scientist)|date=2009 |title=Zero-Knowledge against Quantum Attacks |journal=SIAM Journal on Computing |volume=39 |issue=1 |pages=25–58 |arxiv=quant-ph/0511020 |citeseerx=10.1.1.190.2789 |doi=10.1137/060670997}}</ref> <ref name="NSASuiteBTransition">{{cite web |title=NSA Suite B Cryptography |url=https://www.nsa.gov/ia/programs/suiteb_cryptography/ |archive-url=https://web.archive.org/web/20160101091229/https://www.nsa.gov/ia/programs/suiteb_cryptography/ |archive-date=1 January 2016 |access-date=29 December 2015}}</ref> <ref name="Wehner-2008"> {{cite journal |last1=Wehner |first1=Stephanie |last2=Schaffner |first2=Christian |last3=Terhal |first3=Barbara M. 
|year=2008 |title=Cryptography from Noisy Storage |journal=Physical Review Letters |volume=100 |issue=22 |arxiv=0711.2895 |bibcode=2008PhRvL.100v0502W |doi=10.1103/PhysRevLett.100.220502 |pmid=18643410 |s2cid=2974264 |article-number=220502}}</ref> <ref name="Doescher-2009">{{Cite journal |last1=Doescher |first1=C. |last2=Keyl |first2=M. |last3=Wullschleger |first3=Jürg |year=2009 |title=Unconditional security from noisy quantum storage |journal=IEEE Transactions on Information Theory |volume=58 |issue=3 |pages=1962–1984 |arxiv=0906.1030 |doi=10.1109/TIT.2011.2177772 |s2cid=12500084}}</ref>
<ref name="Doescher-2011">{{Cite journal |last1=Doescher |first1=C. |last2=Keyl |first2=M. |last3=Spiller |first3=Timothy P. |year=2011 |title=Quantum Tagging: Authenticating Location via Quantum Information and Relativistic Signalling Constraints |journal=Physical Review A |volume=84 |issue=1 |arxiv=1008.2147 |bibcode=2011PhRvA..84a2326K |doi=10.1103/PhysRevA.84.012326 |s2cid=1042757 |article-number=012326}}</ref>
<ref name="kent06patent"> {{cite patent |country=US |number=7075438 |gdate=2006-07-11}} </ref>
<ref name="Chandran-2009"> {{Cite journal |last=Chandran |first=Nishanth |author2=Moriarty, Ryan |author3=Goyal, Vipul |author4=Ostrovsky, Rafail |date=2009 |title=Position-Based Cryptography |url=http://eprint.iacr.org/2009/364 |journal=Cryptology ePrint Archive}}</ref>
<ref name="Malaney-2010b"> {{cite journal |last=Malaney |first=Robert |date=2010 |title=Location-dependent communications using quantum entanglement |journal=Physical Review A |volume=81 |issue=4 |arxiv=1003.0949 |bibcode=2010PhRvA..81d2319M |doi=10.1103/PhysRevA.81.042319 |s2cid=118704298 |article-number=042319}}</ref>
<ref name="Malaney-2010a"> {{cite conference |last=Malaney |first=Robert |date=2010 |title=2010 IEEE Global Telecommunications Conference GLOBECOM 2010 |conference=IEEE Global Telecommunications Conference GLOBECOM 2010 |pages=1–6 |arxiv=1004.4689 |doi=10.1109/GLOCOM.2010.5684009 |isbn=978-1-4244-5636-9 |chapter=Quantum Location Verification in Noisy Channels}}</ref>
<ref name="Malaney-2016"> {{cite journal |last=Malaney |first=Robert |year=2016 |title=The Quantum Car |journal=IEEE Wireless Communications Letters |volume=5 |pages=624–627 |arxiv=1512.03521 |bibcode=2016IWCL....5..624M |doi=10.1109/LWC.2016.2607740 |s2cid=2483729 |number=6}}</ref>
<ref name="Lau-2010"> {{cite journal |last1=Lau |first1=Hoi-Kwan |last2=Lo |first2=Hoi-Kwong |date=2010 |title=Insecurity of position-based quantum-cryptography protocols against entanglement attacks |journal=Physical Review A |volume=83 |issue=1 |arxiv=1009.2256 |bibcode=2011PhRvA..83a2322L |doi=10.1103/PhysRevA.83.012322 |s2cid=17022643 |article-number=012322}}</ref> <ref name="Doescher-2010">{{Cite journal |last1=Doescher |first1=C. |last2=Keyl |first2=M. |last3=Fehr |first3=Serge |last4=Gelles |first4=Ran |last5=Goyal |first5=Vipul |last6=Ostrovsky |first6=Rafail |last7=Schaffner |first7=Christian |year=2010 |title=Position-Based Quantum Cryptography: Impossibility and Constructions |journal=SIAM Journal on Computing |volume=43 |pages=150–178 |arxiv=1009.2490 |bibcode=2010arXiv1009.2490B |doi=10.1137/130913687 |s2cid=220613220}}</ref> <ref name="Mayers-1998"> {{Cite conference |last1=Mayers |first1=Dominic |last2=Yao |first2=Andrew C.-C. |date=1998 |title=Quantum Cryptography with Imperfect Apparatus |conference=IEEE Symposium on Foundations of Computer Science (FOCS) |arxiv=quant-ph/9809039 |bibcode=1998quant.ph..9039M}}</ref> <ref name="Colbeck-2006"> {{Cite thesis |last=Colbeck |first=Roger |title=Quantum And Relativistic Protocols For Secure Multi-Party Computation |date=December 2006 |publisher=University of Cambridge |chapter=Chapter 5 |arxiv=0911.3814}}</ref> <ref name="Vazirani-2014">{{Cite journal |last1=Vazirani |first1=Umesh |last2=Vidick |first2=Thomas |date=2014 |title=Fully Device-Independent Quantum Key Distribution |journal=Physical Review Letters |volume=113 |issue=2 |page=140501 |arxiv=1403.3830 |bibcode=2014PhRvL.113b0501A |doi=10.1103/PhysRevLett.113.020501 |pmid=25062151 |s2cid=23057977}}</ref> <ref name="Miller-2014">{{Cite journal |last1=Miller |first1=Carl |last2=Shi |first2=Yaoyun |date=2014 |title=Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices |journal=Journal of the ACM 
|volume=63 |issue=4 |page=33 |arxiv=1402.0489 |bibcode=2014arXiv1402.0489M}}</ref> <ref name="Miller-2017">{{Cite journal |last1=Miller |first1=Carl |last2=Shi |first2=Yaoyun |date=2017 |title=Universal security for randomness expansion |journal=SIAM Journal on Computing |volume=46 |issue=4 |pages=1304–1335 |arxiv=1411.6608 |doi=10.1137/15M1044333 |s2cid=6792482}}</ref> <ref name="Chung-2014">{{cite arXiv |eprint=1402.4797 |class=quant-ph |first1=Kai-Min |last1=Chung |first2=Yaoyun |last2=Shi |title=Physical Randomness Extractors: Generating Random Numbers with Minimal Assumptions |date=2014 |last3=Wu |first3=Xiaodi}}</ref> <ref name="Beigi-2011">{{cite journal |last1=Beigi |first1=Salman |last2=König |first2=Robert |date=2011 |title=Simplified instantaneous non-local quantum computation with applications to position-based cryptography |journal=New Journal of Physics |volume=13 |issue=9 |arxiv=1101.1065 |bibcode=2011NJPh...13i3036B |doi=10.1088/1367-2630/13/9/093036 |s2cid=27648088 |article-number=093036}}</ref>
}}