Quantum one-time tables for unconditionally secure qubit-commitment

Seok Hyung Lie1, Hyukjoon Kwon2, M. S. Kim2,3, and Hyunseok Jeong1

1 Department of Physics and Astronomy, Seoul National University, Seoul, 151-742, Korea
2 QOLS, Blackett Laboratory, Imperial College London, London SW7 2AZ, United Kingdom
3 Korea Institute for Advanced Study, Seoul, 02455, Korea

2020-08-31

arXiv:1903.12304v4 [quant-ph] 8 Mar 2021

Hyunseok Jeong: [email protected]

Accepted in Quantum 2021-03-03, click title to verify. Published under CC-BY 4.0.

The commodity-based cryptography is an alternative approach to realize conventionally impossible cryptographic primitives such as unconditionally secure bit-commitment by consuming pre-established correlation between distrustful participants. A unit of such classical correlation is known as the one-time table (OTT). In this paper, we introduce a new example besides quantum key distribution in which quantum correlation is useful for cryptography. We propose a scheme for unconditionally secure qubit-commitment, a quantum cryptographic primitive forbidden by the recently proven no-masking theorem in the standard model, based on the consumption of the quantum generalization of the OTT, the bipartite quantum state we named quantum one-time tables (QOTT). The construction of the QOTT is based on the newly analyzed internal structure of quantum masker and the quantum secret sharing schemes. Our qubit-commitment scheme is shown to be universally composable. We propose to measure the randomness cost of preparing a (Q)OTT in terms of its entropy, and show that the QOTT with superdense coding can increase the security level with half the cost of OTTs for unconditionally secure bit-commitment. The QOTT exemplifies an operational setting where neither maximally classically correlated state nor maximally entangled state, but rather a well-structured partially entangled mixed state is more valuable resource.

1 Introduction

In a commitment protocol, Alice commits to a secret value by transmitting an encoding of the value to Bob. If Bob cannot access the value until revealed by Alice, the scheme is said to be secure against Bob. On the other hand, if Bob can reject Alice’s cheating of revealing a value different from the originally committed value, then the scheme is said to be secure against Alice. An unconditionally and perfectly secure [1] commitment scheme could have many cryptographical applications [2,3]. However, such a commitment protocol is impossible since the perfect securities against Alice and Bob are incompatible. Quantum bit-commitment is an attempt to circumvent this difficulty by using quantum mechanics [4]. However, it was proved [5,6] that an unconditionally secure commitment of a classical value is impossible even with the aid of quantum mechanics unless there is a relativistic structure that imposes causal restrictions between prover and verifier [7–9].

To circumvent this difficulty, a new approach called the commodity-based cryptography [10] was developed. Since secure two-party computation is impossible without mutual trust, the suggested idea was to construct cryptographical primitives that consume tradeable resource named the one-time table (OTT). The OTT is a unit of suitably pre-calculated correlation that provides verifiable randomness to mutually mistrustful clients. The OTTs enable unconditionally secure bit-commitment, oblivious transfer [1] and field computation [11]. While the OTT could be established off-line (before a useful primitive protocol begins) by a central server (known as the ‘trusted initializer’ [1]), also there has been a recent attempt to construct a protocol for establishing the OTT without a third party [12]. Therefore, we can treat the OTTs as a resource stored in the form of correlation regardless of its origin.

The OTTs studied so far are, however, all classical correlations. This raises a natural question that if there is a quantum generalization of the OTT that is more suitable for quantum two-party tasks. In this paper, we construct the quantum one-time table (QOTT) for a universally composable qubit-commitment. Qubit-commitment is a quantum cryptographic primitive that is impossible utilizing only pure states because of the recently proven no-go result known as the no-masking theorem [13]. The construction of the QOTT is based on the internal structure of quantum masker reinterpreted as a quantum process that consumes randomness to hide quantum information into bipartite correlations, and its relation with quantum secret sharing protocols [14, 15]. From this, we show that the no-masking theorem cannot be extended to mixed states in the way that the no-cloning theorem [16] was extended to the no-broadcasting theorem [17], and that the qualitatively stronger constraint on the strength of viable quantum correlation requires more randomness for masking quantum information.

We suggest the entropy of commodity such as (Q)OTT, named the shared randomness cost, as a measure of the randomness cost of a commodity-based cryptography protocol. We show that our QOTT-based qubit-commitment, which is different from quantum bit-commitment as will be elaborated afterwards, scheme could achieve asymptotically the same shared randomness cost compared to Rivest’s OTT-based bit-commitment scheme [1]. When the superdense coding is employed, this implies that the QOTT-based bit-commitment scheme has half the randomness cost of the OTT-based bit-commitment scheme.

2 Quantum Masker

When it comes to commitment schemes, security against Bob, also known as the hiding property, is important. However, for qubit-commitment schemes, the information being committed to should be also hidden from Alice, otherwise Alice could freely change the information [15]. It is because, from the no-cloning theorem, acquisition of quantum information implies being only one who is holding that information, therefore modification of that information cannot be detected. Therefore it is natural to design a qubit-commitment scheme based on quantum maskers.

Masking quantum information is a quantum process that encodes a quantum state in a bipartite quantum system, while hiding it from both subsystems. Quantum masker was first introduced [13] for pure bipartite states, where entanglement is the only form of correlations. However, there are quantum correlations beyond entanglement [18–20] in the case of mixed states. A typical example is quantum discord [21]. We redefine the quantum masker for a general mixed state. Let $B(H)$ be the algebra of bounded operators on a Hilbert space $H$.

Definition 1. An operator $M$ from $B(H_A)$ to $B(H_{A'} \otimes H_{B'})$ is said to mask quantum information contained in states $\{\phi_{kA} \in B(H_A)\}$ by mapping them to $\{\Psi_{kA'B'} \in B(H_{A'} \otimes H_{B'})\}$ such that all marginal states of $\Psi_{kA'B'} = M(\phi_{kA})$ are identical, i.e., $\rho_{A'} = \mathrm{Tr}_{B'} \Psi_{kA'B'}$, and $\rho_{B'} = \mathrm{Tr}_{A'} \Psi_{kA'B'}$, with an unmasking operator $U$ from $B(H_{A'} \otimes H_{B'})$ to $B(H_A)$ such that

$$U(\Psi_{kA'B'}) = \phi_{kA}$$

for all $k$.

We call such $M$ a (quantum) masker, and we say that $M$ is universal if it masks an arbitrary quantum state. Our main interest is universal quantum masker, so unless remarked otherwise, afterwards every masker is assumed to be universal.

Here, two observations can be made. First, every universal quantum masker is demanded to be an invertible quantum process. Such a process, say $\Phi_M$, can always be expressed [22] in terms of a quantum state $\omega_S$ and a unitary transformation $M$ which maps the input system $C$ and the ancillary system $S$ to the systems $A$ and $B$ such that

$$\Phi_M(\rho_C) = M_{CS \to AB}\,(\rho_C \otimes \omega_S)\,M^{\dagger}_{AB \to CS}, \tag{1}$$

for every quantum state $\rho_C$ with some ancillary state $\omega_S$. In the equations given hereunder, system subscripts will be omitted when it is clear from the context. We denote the unitary $M$ as the masking unitary of $\Phi_M$ and the ancillary state $\omega_S$ as the safe state of $\Phi_M$. This observation implies that masking quantum information is a process that should consume randomness supplied in the form of safe state.

Figure 1: Examples of universal quantum maskers. Panels: (a) The 4-qubit(qudit) masker. (b) The quantum one time pad (QOTP). (c) A minimal masker. (d) A minimal masker that is dual to (c) for partitions (A, B) and (B, K). Output systems with indices $A_i$ and $B_i$ belong to Alice and Bob, respectively. In each case, discarding one party’s quantum state yields the maximally mixed state for the other party. $\rho_{in}$ denotes the input state and $\mathbb{1}/d$ denotes the maximally mixed state. (a) The output state is partially entangled in general. (b) The output state is always a classical-quantum state therefore separable. (c) A minimal masker for any odd $d$, where every system has the minimal dimension $d$ and has a maximally mixed marginal state. By purifying the safe system $S$ of (c) to $SK$ and tracing out system $A$, one gets (d). We will call such maskers are dual to each other for given partitions. Here, $X := \sum_{j=1}^{d} |j \oplus 1 \ (\mathrm{mod}\ d)\rangle\langle j|$, $Z := \sum_{j=1}^{d} \exp(i2\pi j/d)\,|j\rangle\langle j|$ and $H := \frac{1}{\sqrt{d}} \sum_{j,k} e^{i2\pi jk/d}\,|j\rangle\langle k|$, and the controlled-$G$ gate for a set of operators $\{G_j\}$ is defined as $\sum_j |j\rangle\langle j| \otimes G_j$.

state) with von Neumann entropy no less than $\log_2 d$ bits, [27], so the key system of a quantum
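As an added illustration (not code from the paper), the following checks Definition 1 numerically for the quantum one-time pad of Figure 1(b) with d = 2: Alice holds the padded qubit, Bob holds the classical key, both marginals are independent of the input, and unmasking recovers it. The function names, the pure-Python 2x2 matrices and the X-only pad used as a contrast are assumptions introduced here; the contrast shows that a pad with only one key bit fails the masking condition.

```python
# Added example: the quantum one-time pad (QOTP) checked against Definition 1, d = 2.
from itertools import product

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]

def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def dag(a):
    return [[complex(a[j][i]).conjugate() for j in range(2)] for i in range(2)]

def total(blocks):
    out = [[0, 0], [0, 0]]
    for blk in blocks:
        out = [[out[i][j] + blk[i][j] for j in range(2)] for i in range(2)]
    return out

def pad(key):
    """Pad operator X^a Z^b selected by Bob's classical key (a, b)."""
    a, b = key
    return mul(X if a else I2, Z if b else I2)

def mask(rho, keys):
    """Classical-quantum output: Bob's key value -> Alice's unnormalised block."""
    p = 1 / len(keys)  # uniformly random key, i.e. a maximally mixed safe state
    return {k: [[p * x for x in row] for row in mul(mul(pad(k), rho), dag(pad(k)))]
            for k in keys}

def alice_marginal(state):
    """Trace out Bob: sum Alice's blocks over every key value."""
    return total(state.values())

def bob_marginal(state):
    """Trace out Alice: probability of each key value."""
    return {k: (blk[0][0] + blk[1][1]).real for k, blk in state.items()}

def unmask(state):
    """Undo the pad conditioned on the key, then recombine the blocks."""
    return total(mul(mul(dag(pad(k)), blk), pad(k)) for k, blk in state.items())

def close(a, b, tol=1e-12):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(2) for j in range(2))

FULL_KEYS = list(product((0, 1), repeat=2))  # two key bits: X^a Z^b
X_ONLY_KEYS = [(0, 0), (1, 0)]               # constructed contrast: one key bit, X^a only
ZERO = [[1, 0], [0, 0]]                      # |0><0|
PLUS = [[0.5, 0.5], [0.5, 0.5]]              # |+><+|
```

With `X_ONLY_KEYS`, Alice's marginal for `PLUS` is `PLUS` itself while her marginal for `ZERO` is maximally mixed, so the marginals are not identical across inputs and the map is not a masker.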