[0.8cm] Relativistic quantum cryptography
[0.25cm]
[1.5cm]
JĘDRZEJ KANIEWSKI
(MMath, University of Cambridge)
A thesis submitted in fulfilment of the requirements
for the degree of Doctor of Philosophy
[0.3cm] in the
[0.4cm] Centre for Quantum Technologies
National University of Singapore
[1cm]
Declaration
I hereby declare that this thesis is my original work and has been written by me in its entirety. I have duly acknowledged all the sources of information which have been used in the thesis.
This thesis has also not been submitted for any degree in any university previously.
Jędrzej Kaniewski
9 September 2015
Acknowledgements
I would like to thank my supervisor, Stephanie Wehner, for the opportunity to conduct a PhD in quantum information. I am grateful for her time, effort and resources invested in my education. Working with her and being part of her active and diverse research group made the last four years a great learning experience.
The fact that I was even able to apply for PhD positions is largely thanks to my brilliant and inspiring undergraduate supervisor, mentor and friend, Dr Peter Wothers MBE. I am particularly grateful for his supportive attitude when I decided to dedicate myself to quantum information. I am grateful to St. Catharine’s College for a wonderful university experience and several longlasting friendships.
I would like to thank my collaborators, Félix Bussières, Patrick J. Coles, Serge Fehr, Nicolas Gisin, Esther Hänggi, Raphael Houlmann, Adrian Kent, Troy Lee, Tommaso Lunghi, Atul Mantri, Nathan McMahon, Gerard Milburn, Corsin Pfister, Robin Schmucker, Marco Tomamichel, Ronald de Wolf and Hugo Zbinden, who made research enjoyable and from whom I have learnt a lot.
I am also indebted to Corsin Pfister and Le Phuc Thinh, who have read a preliminary version of this thesis, and Tommaso Lunghi and Laura Mančinska, who have given comments on parts of it.
Special thanks go to Evon Tan for being the omnipresent good spirit of CQT. Her incredible problemsolving skills allowed me to focus on research and contributed greatly to the scientific output of this thesis.
I would like to thank Valerio Scarani for being approachable and always happy to talk about various aspects of quantum information and the scientific world in general.
I am grateful to my examiners: Anne Broadbent, Marcin Pawłowski and Miklos Santha for the careful reading of this thesis and providing stimulating feedback. I would like to thank Alexandre Roulet, Jamie Sikora, Marco Tomamichel and Marek Wajs for useful comments on the defence presentation.
Dziękuję Markowi Wajsowi za nieocenioną pomoc przy drukowaniu i składaniu doktoratu.
Arturowi Ekertowi chciałbym podziękować za czas, wsparcie i konkretne wskazówki w chwilach zwątpienia.
Choć to już parę lat chciałbym również gorąco podziękować Krzysztofowi Kuśmierczykowi, Annie Mazurkiewicz i Bognie Lubańskiej za czas i wysiłek włożony w moją edukację oraz za bycie źródłem motywacji i inspiracji. Wszystko to, co udało mi się osiągnąć, jest oparte na solidnych licealnych fundementach i bez ich wkładu nie byłoby możliwe. Chcę także podziękować Poniatówce za niezapomniane trzy lata i wiele przyjaźni, które trwają do dzisiaj.
Jackowi Jemielitemu chciałbym podziękować za pierwsze spotkanie z nauką z prawdziwego zdarzenia, niespotykaną wytrwałość i cierpliwość a przede wszystkim za unikalne na skalę światową poczucie humoru, którego często mi brakuje.
Doktorat dedykuję w całości Mamie, Tacie, Siostrze i Bratu, bez wsparcia których to przełomowe dzieło nigdy by nie powstało.
Abstract
Special relativity states that information cannot travel faster than the speed of light, which means that communication between agents occupying distinct locations incurs some minimal delay. Alternatively, we can see it as temporary communication constraints between distinct agents and such constraints turn out to be useful for cryptographic purposes. In relativistic cryptography we consider protocols in which interactions occur at distinct locations at welldefined times and we investigate why such a setting allows to implement primitives which would not be possible otherwise.
Relativistic cryptography is closely related to noncommunicating models, which have been extensively studied in theoretical computer science. Therefore, we start by discussing noncommunicating models and its applications in the context of interactive proofs and cryptography. We find which noncommunicating models might be useful for the purpose of bit commitment, propose suitable bit commitment protocols and investigate their limitations. We explain how some noncommunicating models can be justified by special relativity and study what consequences such a translation brings about. In particular, we present a framework for analysing security of multiround relativistic protocols. We show that while the analysis of classical protocols against classical adversaries is tractable, the case of quantum protocols or quantum adversaries in a classical protocol constitutes a significantly harder task.
The second part of the thesis is dedicated to analysing specific protocols. We start by considering a recently proposed tworound quantum bit commitment protocol. We start by proving security under the assumption that idealised devices (singlephoton source, perfect detectors) are available. Then, we propose a faulttolerant variant of the protocol which can be implemented using realistic devices (weakcoherent source, noisy and inefficient detectors) and present a security analysis which takes into account losses, errors, multiphoton pulses, etc. We also report on an experimental implementation performed in collaboration with an experimental group at the University of Geneva.
In the last part we focus on classical schemes. We start by analysing a known tworound classical protocol and we show that successful cheating is equivalent to winning a certain nonlocal game. This is interesting as it demonstrates that even if the protocol is entirely classical, it might be advantageous for the adversary to use quantum systems. We also propose a new, multiround classical bit commitment protocol and prove its security against classical adversaries. The advantage of the multiround protocol is that it allows us to increase the commitment time without changing the locations of the agents. This demonstrates that in the classical world an arbitrary long commitment can be achieved even if the agents are restricted to occupy a finite region of space. Moreover, the protocol is easy to implement and we discuss an experiment performed in collaboration with the Geneva group.
We conclude with a brief summary of the current state of knowledge on relativistic cryptography and some interesting open questions that might lead to a better understanding of the exact power of relativistic models.
List of publications
This thesis is based on three publications.
Chapters 3 and 4 are based on

Secure bit commitment from relativistic constraints [arXiv:1206.1740]
J. Kaniewski, M. Tomamichel, E. Hänggi and S. Wehner
IEEE Transactions on Information Theory 59, 7 (2013).
(presented at QCrypt ’12)
Chapter 5 is based on

Experimental bit commitment based on quantum communication and special relativity [arXiv:1306.4801]
T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, A. Kent, N. Gisin, S. Wehner and H. Zbinden
Physical Review Letters 111, 180504 (2013).
(presented at QCrypt ’13)
Chapter 6 is based on

Practical relativistic bit commitment [arXiv:1411.4917]
T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, S. Wehner and H. Zbinden
Physical Review Letters 115, 030502 (2015).
(presented at QCrypt ’14)
During his graduate studies the author has also contributed to the following publications.

Query complexity in expectation [arXiv:1411.7280]
J. Kaniewski, T. Lee and R. de Wolf
Automata, Languages, and Programming: Proceedings of ICALP ’15,
Lecture Notes in Computer Science 9134 (2015). 
Equivalence of waveparticle duality to entropic uncertainty [arXiv:1403.4687]
P. J. Coles, J. Kaniewski and S. Wehner
Nature Communications 5, 5814 (2014).
(presented at AQIS ’14) 
Entropic uncertainty from effective anticommutators [arXiv:1402.5722]
J. Kaniewski, M. Tomamichel and S. Wehner
Physical Review A 90, 012332 (2014).
(presented at AQIS ’14 and QCrypt ’14) 
A monogamyofentanglement game with applications to deviceindependent quantum cryptography [arXiv:1210.4359]
M. Tomamichel, S. Fehr, J. Kaniewski and S. Wehner
New Journal of Physics 15, 103002 (2013).
(presented at Eurocrypt ’13 and QCrypt ’13)
Contents:
 1 Introduction

2 Preliminaries

2.1 Notation and miscellaneous lemmas
 2.1.1 Strings of bits

2.1.2 CauchySchwarz inequality for probabilities

2.1.3 Chernoff bound for the binomial distribution

2.2 Quantum mechanics
 2.2.1 Linear algebra
 2.2.2 Quantum formalism
 2.2.3 Remote state preparation

2.2 Quantum mechanics

2.1.3 Chernoff bound for the binomial distribution

2.1 Notation and miscellaneous lemmas
 3 Noncommunicating models
 4 Relativistic protocols
 5 Bit commitment by transmitting measurement outcomes
 6 Multiround relativistic bit commitment protocol
 7 Conclusions
 A Classical certification of relativistic bit commitment
Notation and list of symbols
Symbol  Meaning 

set of integers from to  
cardinality of a set or modulus of a number  
a Hilbert space  
dimension of  
dual space of  
linear operators acting on  
Hermitian operators acting on  
identity matrix  
complex conjugate of  
transpose of (with respect to the standard basis)  
Hermitian conjugate of  
pure quantum states  
mixed quantum states  
maximally entangled state of dimension  
Hadamard matrix  
Schatten norm  
Schatten norm  
trace  
partial trace over  
quantum channel  
identity channel  
Hamming weight  
Hamming distance  
exclusiveOR (XOR)  
finitefield multiplication  
probability  
inner product  
finite alphabets  
finite field of order  
player (in a multiplayer game) 
Chapter 1 Introduction
Quantum cryptography lies at the intersection of physics and computer science. It brings together different communities and makes for a lively and exciting environment. It demonstrates that the fundamental principles of quantum physics can be cast and studied using the operational approach of cryptography. Besides, thanks to recent technological advances, practical applications are just round the corner.
Due to the interdisciplinary nature of quantum cryptography the relevant background knowledge spans multiple fields, which makes it particularly difficult to provide an introduction which would be both complete and concise. We have, therefore, chosen to focus on the topics which are directly related to quantum cryptography and skip over the less relevant areas.
This chapter starts with a short introduction to cryptography, which is the study of exchanging and processing information in a secure fashion. We focus on twoparty (or mistrustful) cryptography, whose goal is to protect the privacy of an honest party interacting with potentially dishonest partners. Then, we introduce quantum information theory, which studies how quantum systems can be used to store and process information. We discuss the main features that distinguish it from the classical information theory and briefly describe the early history of the field. The next part of this chapter brings the two topics together under the name of quantum cryptography. We give a brief account of its early days, again, with a particular focus on twoparty cryptography. We finish by giving a brief outline of this thesis.
1.1 Cryptography
Cryptography has been around ever since rulers of ancient tribes realised the need to send secret (or private) messages. Ideally, such messages should reveal no information if intercepted by an unauthorised party. The solution to this problem is known as a cipher, which is simply a procedure for converting a secret message (called the plaintext) into another message (called the ciphertext), which should be intelligible to a friend (who knows the particular cipher we are using) but should give no information to an enemy. The first confirmed accounts of simple ciphers come from ancient Greece and Rome, for example Julius Caesar used a simple shift cipher (now also known as a Caesar cipher) to ensure privacy of his correspondence. Until modern times designing practical (i.e. easy to implement and difficult to break) ciphers was essentially the only branch of cryptography. One such cipher known as the onetime pad was invented by Gilbert S. Vernam and Joseph O. Mauborgne in 1917.
A report presented by Claude Shannon in 1945 marks the birth of modern cryptography [Sha49].
Nowadays cryptography is a mature field within which hundreds of cryptographic tasks (or primitives) have been defined and studied (and encryption, while obviously very important, is just one of them). Except for purely practical reasons for studying these tasks there is also a deeper motivation. Certain questions in cryptography (e.g. finding sufficient assumptions to perform a given task or proving impossibility results) give us valuable and operational insight into the underlying information theory. While classical information theory is relatively well understood, its quantum counterpart is not. That is why studying quantum cryptography is an important pursuit and contributes towards our understanding of the quantum world we (probably) live in.
In this thesis we only consider a branch of cryptography known as twoparty or mistrustful cryptography, in which two parties, usually referred to as Alice and Bob, want to perform a certain task together but since they do not fully trust each other they want to minimise the amount of information revealed during the protocol. A simple example of such a scenario is the millionaires’ problem introduced by Andrew Yao [Yao82], in which two millionaires want to find out who is richer without revealing their actual wealth. This is certainly an interesting problem and, in fact, one that we often face in our everyday lives. Below we present and motivate some other natural twoparty tasks.

Example 1: Alice uses an online movie service called Bob, which charges separately for every downloaded movie. Alice has paid for one movie and wants to download it but being paranoid about privacy she is reluctant to reveal her choice to Bob. On the other hand, Bob wants to make sure that Alice only downloads one movie (and not more) so he is not keen on giving her access to the entire database. This problem, called oblivious transfer
^{3} , turns out to be a convenient building block for twoparty cryptography. In fact, it can be used to construct any other twoparty primitive [Kil88]. 
Example 2: Alice has supernatural powers that allow her to predict the future, for example the results of tomorrow’s draw of the national lottery. She wants to impress Bob (she likes to be admired) but she does not want him to get rich (she knows that money does not bring happiness). Hence, the goal is to commit to a message without actually revealing it until some later time. Such primitives are known as commitment schemes [Blu81, BCC88]
^{4} and the simplest one, in which the committed message is just one bit, is called bit commitment and constitutes one of the main topics of this thesis. 
Example 3: Alice is a quantum hacker and throughout the years she has exposed dozens of improperly formulated security proofs and misguided calculations. Having realised the damage done to the quantum community she has contacted a law enforcement agency represented by Bob to negotiate turning herself in. Alice and Bob want to schedule a secret meeting but for obvious security reasons they want to make sure that the location is chosen in a truly random fashion. In other words, Alice and Bob want to agree on a random choice, which neither of them can bias (or predict it in advance). This primitive known as coin tossing (or coin flipping) was introduced by Blum [Blu81].
All these tasks produce conflicting interests between Alice and Bob. It is clear that security for either party can be ensured at the cost of leaving the other party completely unprotected. In case of oblivious transfer, for example, Alice could give up her privacy and simply announce which movie she wants to watch. Alternatively, Bob could provide Alice with the entire database, hoping that she will not abuse his trust.
The goal of twoparty cryptography is to first come up with the right mathematical definition of these primitives and then find in what circumstances and under what assumptions they can (or cannot) be implemented. It is also interesting to study reductions between different primitives, i.e. how to use one primitive to implement another one, which leads to a resource theory for cryptography. For example, oblivious transfer can be used to implement commitment schemes because choosing a particular message can be interpreted as committing to its label. Commitment schemes, on the other hand, can be used to generate trusted randomness. For example, in order to generate one trusted bit we use a commitment scheme with two possible values (such a primitive is known as bit commitment). Alice commits to a bit , then Bob announces bit and finally Alice reveals and the outcome of the coin toss is declared to be . As long as at least one of the parties is honest the resulting bit is uniform. The use of a commitment scheme ensures that does not depend on (which would allow Bob to cheat).
The holy grail of the field is the socalled informationtheoretic security
Unfortunately, it turns out that twoparty primitives cannot be implemented with informationtheoretic security (for both parties) unless we make some further assumptions.

Trusted thirdparty : The trivial solution is to introduce a trusted thirdparty, which implements the primitive for Alice and Bob. In the paranoid world, in which Alice and Bob trust nobody but themselves, this is not a satisfactory solution. Moreover, it makes all tasks trivially possible.

Preshared resources : Another solution that allows for twoparty cryptography is to equip Alice and Bob with some shared correlations. This could be either shared randomness [Riv99] or access to a source of inherent and unpredictable noise that allows to generate such correlations during the protocol [Cré97, WNI03].
^{7} 
Technological limitations : The standard realworld solution to the commitment task is for Alice to lock her message in a safe box, which she then hands over to Bob while keeping the key. Whenever Alice wants to reveal the message, she gives the key to Bob, who opens the safe box and reads the message. This is secure as long as Alice has no way of remotely modifying the message and Bob has no tools to open the safe box, i.e. we must assume that they are subject to certain technological limitations. One can also assume that their “digital technology” is limited, e.g. by restricting their computational power or storage capabilities, which again makes secure twoparty cryptography possible. The former leads to the rich and practically important field of computational security
^{8} , while the latter leads to the bounded storage model [Mau91]. 
Communication constraints : It is wellknown that interrogating suspects one by one leads to better results than dealing with the whole group at the same time. In the cryptographic language this corresponds to forcing one (or more) parties to delegate agents, who perform certain parts of the protocol without communicating. Such setting was originally introduced in complexity theory under the name of multiprover models
^{9} to evade certain impossibility results [BGKW88]. These models are interesting from the cryptographic point of view but we must be explicit how they are adjusted to fit the framework of standard twoparty cryptography (in which there are only two parties interacting and not more). On the bright side some types of noncommunicating models can (with subtle adjustments) be implemented by requiring multiple agents to interact simultaneously at multiple locations (under the assumption that the speed of light is finite). The first explicit examples of such relativistic protocols came from Adrian Kent [Ken99, Ken05]. This field, now known as relativistic cryptography, constitutes the main topic of this thesis.
1.2 Quantum information theory
As mentioned before the report written by Shannon in 1945 marks the beginning of modern cryptography [Sha49]. Thinking about encryption and the onetime pad led him to questions about the nature of information. Shannon’s next paper investigating fundamental limits of compression and transmission [Sha48] is considered the beginning of (classical) information theory, which became an active field of research with a wide range of practical implications. While the basic framework of quantum mechanics already existed at the time (introduced in the 1920s and 30s by Bohr, Born, de Broglie, Dirac, Einstein, Heisenberg, Planck, Schrödinger and others), rigorous connections between the two were not established until much later.
In 1935 Einstein, Podolsky and Rosen wrote a paper in which they argue that quantum mechanics cannot be considered a complete theory [EPR35]. They postulate that for every measurement whose outcome is certain there exists an “element of reality” and deduce that due to the uncertainty principle incompatible observables cannot have simultaneous elements of reality. On the other hand, they note that in case of entangled
In 1980 Boris Tsirelson published a breakthrough paper, which exactly characterises the set of correlations achievable using quantum systems (in a restricted class of scenarios) [Tsi80]. Another important result concerning quantum correlations comes from Reinhard Werner, who showed that entanglement, while necessary, is not a sufficient condition for observing strongerthanclassical correlations [Wer89]. In 1982 Wootters and Żurek proved the celebrated nocloning theorem, which states that given a single copy of an unknown quantum state, there does not exist a physical procedure that produces two (perfect) copies [WŻ82]. While the result itself is rather simple (including the proof), it has farreaching consequences and shows that one should be rather careful when applying the classical intuition to quantum systems. Around the same time the first ideas to use quantum systems to perform computation came about. Richard Feynman proposed the concept of quantum simulation, i.e. using one quantum system to simulate another [Fey82] while David Deutsch initiated the study of quantum computation by introducing the concept of a quantum Turing machine and presenting a simple problem which can be solved more efficiently using quantum systems [Deu85]. While the problem introduced by Deutsch is of little practical use, it is important as the first demonstration that quantum computing is strictly more powerful than its classical counterpart.
In 1994 Peter Shor published a paper that changed the status of quantum computation from an exercise in linear algebra to a field of potentially enormous practical impact [Sho94]. Shor proposed an algorithm that can efficiently factor large numbers and solve the discrete logarithm problem, which, as a consequence, allows to break all commonly used public cryptography systems. In 1996 Lov Grover published an algorithm that gives a quadratic speedup while searching an unstructured database [Gro96].
It seems fair to say that it is the breakthroughs in quantum computation that gave the whole field a significant push and encouraged many brilliant researchers to work on quantum information. Since then the field has developed rapidly and this includes aspects closely related to quantum computation like quantum errorcorrection or quantum computer architecture but also areas which are not directly relevant like quantum correlations, quantum foundations, quantum Shannon theory or quantum cryptography. For more information we refer to a brief survey on early quantum information written by Bennett and Shor in 1998 [BS98] or to a book by Nielsen and Chuang [NC00], which became the primary textbook in the field (in particular for quantum computation). For a detailed introduction to the informationtheoretic aspects (the quantum Shannon theory) see Chapter 1 of Mark M. Wilde’s book [Wil13].
1.3 Quantum cryptography
In the late 1960s Stephen Wiesner wrote a paper on how to use quantum particles of spin to produce money that is “physically impossible to counterfeit”. The paper got rejected from a journal and ended up in Wiesner’s drawer (the paper was eventually published in ACM SIGACT News [Wie83] about fifteen years later). These ideas were further pursued by Bennett, Brassard, Breidbart and Wiesner [BBBW83] and led to a groundbreaking paper proposing the first quantum key distribution protocol, which allows two distant parties to communicate securely through an insecure quantum channel [BB84]. In 1991 Artur Ekert proposed a quantum key distribution protocol that relied on entanglement and Bell’s theorem [Eke91]. Another protocol (which relies on entanglement but not Bell’s theorem) was presented in Ref. [BBM92] and soon the first experimental demonstration of quantum key distribution was reported together with concrete solutions for the classical postprocessing phase and explicit security estimates [BBB92]. Since then an enormous amount of progress has been made in both theoretical and practical aspects of quantum key distribution and it is well beyond the scope of this introduction to discuss it. A recent article by Ekert and Renner is an excellent account of the current state of quantum key distribution [ER14].
Before we go into the details let us state very clearly that throughout this thesis we work under the (implicit) assumption that Alice and Bob trust their own devices. In other words, if the protocol requires Alice to generate a certain quantum state, she is capable of constructing a device that does just that and she may rest assured that the source does not accumulate information about the previous uses or leak secret data through extra degrees of freedom. While this assumption seems natural and easy to ensure in the classical world, it becomes more of a challenge in the quantum world simply because our understanding and expertise in quantum technologies are limited. These considerations gave rise to the field of deviceindependent cryptography which aims to design protocols which remain secure even if executed using faulty or malicious devices. The fact that such strong security guarantees are even possible is clearly remarkable and this topic has received a lot of interest in the last couple of years. Due to a large volume of works on this topic we do not attempt to list the relevant references and point the interested reader at comprehensible and accessible lectures notes by Valerio Scarani [Sca12] as well as Sections IV.C and IV.D of a recent review on Bell nonlocality [BCP14].
While quantum key distribution was and still remains the predominant area of research in quantum cryptography, other applications have been present from the very beginning as exemplified by Wiesner’s unforgeable quantum money. The original paper of Bennett and Brassard contains a bitcommitmentbased coin tossing protocol [BB84]. As pointed out by the authors the protocol is insecure if one of the parties leaves the quantum states untouched (instead of performing the prescribed measurements) but they consider it a “merely theoretical threat” due to the technological difficulty of implementing such a strategy. In 1991 Brassard and Crépeau proposed a different quantum bit commitment protocol [BC91], which does not suffer from the previous problem but is vulnerable against an adversary who can perform coherent measurements, i.e. joint measurements on multiple quantum particles, which, again, is considered difficult. By combining the two quantum bit commitment protocols they obtain a coin tossing protocol which can only be broken by an adversary who can both keep entanglement and perform coherent measurements. In the meantime a quantum protocol for oblivious transfer was proposed whose security, again, relies on the adversary being technologically limited [BBCS92]. In 1993 Brassard, Crépeau, Jozsa and Langlois [BCJL93] proposed a new bit commitment protocol which comes with a complete security proof that does not rely on any technological assumptions. In other words, the protocol is claimed to be secure against all attacks compatible with quantum physics. In 1992 Bennett et al. suggested how bit commitment and quantum communication can be used to construct oblivious transfer [BBCS92]. This construction was formalised and proven secure by Yao [Yao95], who refers to it as the “canonical construction”, which gave the optimistic impression that quantum mechanics allows for secure twoparty cryptography without any extra assumptions.
The initial results of Mayers, Lo and Chau began a sequence of negative results. Impossibility of bit commitment immediately rules out oblivious transfer and, in fact, the same techniques can be used to rule out any onesided twoparty computation (i.e. a primitive in which inputs from two parties produce output which is only given to one of them) [Lo97]. The more complicated case of twosided computation was first considered by Colbeck (for a restricted class of functions) [Col07] while the general impossibility result was proven by Buhrman, Christandl and Schaffner [BCS12]. In case of string commitment (i.e. when we simultaneously commit to multiple bits) it is clear that the perfect primitive cannot be implemented but the situation becomes slightly more involved when it comes to imperfect primitives as the results depend on the exact security criteria used [BCH06, BCH08]. For more recent impossibility proofs of bit commitment see Refs. [DKSW07, WTHR11, CDP13].
While perfect quantum bit commitment is not possible, it is interesting to know what security tradeoffs are permitted by quantum mechanics. In the classical case the tradeoffs are trivial: in any classical protocol at least one of the parties can cheat with certainty. Preliminary results on the quantum security tradeoffs were proven by Spekkens and Rudolph [SR01], while the optimal tradeoff curve was found by Chailloux and Kerenidis [CK11]. Interestingly enough, the achievability is argued through a construction that uses a complicated and rather poorly understood weak coin flipping protocol by Mochon [Moc07].
Another direction (similar to what was done previously in the classical world) is to identify the minimal assumptions that would make twoparty cryptography possible in the quantum world.
One solution available in the classical world is to give Alice and Bob access to some trusted randomness. The quantum generalisation of this assumption would be to give Alice and Bob access to quantum systems or some other source of strongerthanclassical correlations [BCU06, WWW11]. Such correlations indeed allow us to implement secure bit commitment. The advantage of this assumption over the classical counterpart is that in the classical case we had to trust whoever distributed the randomness (in the original paper referred to as the trusted initialiser [Riv99]). On the other hand, strongerthanclassical correlations guarantee security regardless of where they came from.
A natural quantum extension of the bounded storage model proposed by Maurer [Mau91] is the quantum bounded storage model [DFSS05, DFR07, Sch10] and its generalisation to the case of noisy quantum storage [WST08, KWW12, BFW14]. While storing classical information seems easy and cheap (which makes the assumption of the adversary’s bounded storage not particularly convincing), reliable storage of quantum information continues to pose a significant challenge and, hence, makes for a reasonable assumption. Another technological limitation that leads to secure bit commitment is the restriction on the class of quantum measurements that the dishonest party can perform [Sal98].
The proposal to combine quantum mechanics with relativistic
1.4 Outline
The main theme of this thesis is relativistic quantum cryptography with a particular focus on commitment schemes. Chapter 2 contains the necessary background in quantum information theory and cryptography.
In Chapter 3 we introduce noncommunicating models as they originally appeared in the context of interactive proofs. We show why they are useful in cryptography and determine the exact communication constraints that might allow for secure commitment schemes. For each of these models we present a provably secure bit commitment protocol.
Chapter 4 introduces the framework for relativistic protocols. We start with a couple of simple examples and then present a procedure which maps a relativistic protocol onto a model with partial communication constraints. We show that at least in some scenarios the analysis of such models is tractable.
In Chapter 5 we focus on a particular quantum bit commitment protocol. We analyse its security by mapping it onto a simple quantum guessing game. Moreover, we adapt the original protocol to make it robust against experimental errors and we extend the security analysis appropriately. We briefly report on an implementation of the protocol done in collaboration with an experimental group at the University of Geneva.
In Chapter 6 we propose a new, classical multiround bit commitment protocol and analyse its security against classical adversaries. The multiround protocol allows to achieve arbitrarily long commitments (at the cost of growing resources) with explicit and easilycomputable security guarantees. Again, we briefly discuss an experiment performed in collaboration with the Geneva group.
Chapter 7 summarises the content of this thesis and outlines a couple of interesting direction for future research in quantum relativistic cryptography.
Chapter 2 Preliminaries
In this chapter we establish the notation, nomenclature and some basic concepts used throughout this thesis.
2.1 Notation and miscellaneous lemmas
2.1.1 Strings of bits
Given two bits we use “” to denote their exclusiveOR (XOR)
For an bit string , let be the bit of and the XOR of two strings (of equal length) is defined bitwise. The fractional Hamming weight of is the fraction of ones in the string
where denotes the cardinality of the set. The fractional Hamming distance between and is the fraction of positions at which the two strings differ
Note that the Hamming weight can be interpreted as the distance from the string of all zeroes : . For , we use to denote the substring of specified by the indices in . If is a bit, we define
2.1.2 CauchySchwarz inequality for probabilities
When dealing with probabilities we use uppercase letters to denote random variables and lowercase letters to denote values they might take, e.g. . For we use as a shorthand notation for .
Lemma 2.1.
Let be a uniform random variable over , i.e. for all , and let be a family of events defined on . Let be the average probability (of these events)
and be the cumulative size of the pairwise intersections
Then the following inequality holds
Proof.
Each event can be represented by a vector in whose entries are labelled by integers from . If a particular outcome belongs to the event, we set the corresponding component to and if it does not we set it to
Moreover, let be the normalised, uniform vector: for all . It is straightforward to check that with these definitions we have
where denotes the standard inner product on and since the vectors are nonnegative we have . Since the inner product is linear we have
which can be upper bounded using the CauchySchwarz inequality. Since we have
which gives the following quadratic constraint
Solving for gives the desired bound.