Information Exchange for the Mistrustful
Quantum cryptography is used commercially to protect data sent between people who trust each other against eavesdroppers. Now two teams, one writing in Physical Review Letters and the other online at arXiv.org*, have demonstrated ways for mistrustful parties to arrange for a secure communication where the bits are temporarily and verifiably inaccessible to both parties. The techniques could ultimately lead to a range of technologies, such as better decentralized bidding or voting systems, in which no one should learn anyone else’s intent before an appointed time.
Quantum bit commitment is a procedure that allows Alice to send Bob a bit of information (a 0 or a 1) locked in a metaphorical safe and open it at a later time. Bob needs to know that Alice cannot change the contents of the safe while it is locked; Alice wants proof that Bob cannot break into the safe before she opens it. Such a protocol would be the basis for many other cryptographic functions, such as a system where one person can prove the possession of a piece of information (the authenticity of a document, for instance) without revealing it, or a scheme for an ATM that never sees the PIN codes of its users.
Theorists have proven that secure bit commitment is impossible if based purely on quantum mechanics. But in 2012 Adrian Kent of the University of Cambridge in the UK reported a new, secure bit commitment protocol that also relies on special relativity. Kent’s approach starts with Bob sending Alice a stream of photons, each of which has a randomly chosen polarization known to Bob—horizontal, vertical, or one of two diagonal directions. Alice chooses the single bit she wants to securely send to Bob by setting her measuring device to detect either horizontal and vertical polarizations (for a 0) or diagonal polarizations (for a 1). If her detector is set to horizontal/vertical, for example, she can correctly measure photons with those polarizations, but diagonal photons will also register as either vertical or horizontal, with equal probability for each. By analyzing these data, Bob (who knows the correct polarizations) can learn whether Alice’s detector was set to 0 or 1. And more importantly, Bob can verify that Alice made the choice at the time of the measurements.
To make the information temporarily inaccessible, Alice “commits” to her bit by sending her data to two trusted agents located far from herself and from each other. Assuming the information travels at the speed of light, and the agents are at opposite ends of the Earth, the bit could remain inaccessible for tens of milliseconds—not much time, but still useful for high speed enterprises such as stock trading. After receiving the data, Alice’s agents “open the safe” by passing on the information to Bob’s two agents, who are close to them.
This protocol protects against several types of cheating. For example, the distance between Alice and her agents prevents her from ordering an immediate alteration of the data at the opening time. Another potential cheat is that one of Alice’s agents could alter the polarization data and claim that any discrepancy with the other agent was a result of experimental error. So both parties must agree in advance on the level of error that can be tolerated. The more photons Bob sends, the lower the experimental error, and the harder it is for the agents to cheat in this way.
Kent’s idea has now been implemented by Qiang Zhang of the University of Science and Technology of China in Hefei and colleagues. The researchers sent the photons and polarization data through the air using infrared lasers because light in a fiber optic cable would move more slowly. Alice could then cheat by sending late information to her agents with a speedier free space transmission. With 107 photons transferred, the team calculated that the chance of cheating—for example, by one of Alice’s agents altering the data to switch Alice’s bit—was just over . The need for line-of-sight communication limited the distances—the agents were only 20 kilometers apart, so the commitment time was about 30 microseconds.
To improve the security and practicality of quantum bit commitment, Kent has now teamed up with researchers in Switzerland and Singapore and demonstrated a modified version of the protocol that allows the use of fiber optic cables. (They used short pulses and their phase differences in direct analogy with photons and polarizations.)
In the new scheme, Alice makes measurements with a random choice of the detector position and is not committed to a choice of bit until the moment that her agents transfer the first of two messages to Bob’s agents. The first message (the commitment) is the sum of the random bit and Alice’s chosen bit, so the chosen bit is fixed but not yet accessible to Bob. The second message (the opening) includes both Alice’s chosen bit and her data. The two messages are close enough in time that Alice and her agents are prevented by their spatial separation from making any late changes after the commitment. Fiber optic cables are acceptable because the transmission from Alice to her agents is no longer the commitment step, when rapid communication is required.
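The data check behind both versions of the protocol can be simulated classically. The Python sketch below is an added example, not code from either research team: it models the commitment/opening exchange described above and the agreed error tolerance from the earlier discussion of cheating, and it leaves out the relativistic timing between the agents. The photon count, noise level, tolerance, function names, and the reading of "sum" as addition modulo 2 are assumptions made for the illustration.

```python
import random

RECT, DIAG = 0, 1  # detector settings: horizontal/vertical vs. the two diagonals

def bob_prepare(n, rng):
    """Bob's photons as (basis, value) pairs, both chosen at random."""
    return [(rng.randint(0, 1), rng.randint(0, 1)) for _ in range(n)]

def alice_measure(photons, setting, rng, noise):
    """Measure every photon with one detector setting. A photon prepared in
    that basis yields Bob's value; one prepared in the other basis yields a
    coin flip. `noise` is the chance that any single result is flipped."""
    results = []
    for basis, value in photons:
        r = value if basis == setting else rng.randint(0, 1)
        results.append(r ^ (rng.random() < noise))
    return results

def bob_verify(photons, setting, results, tolerance):
    """Bob compares only the photons he prepared in the claimed basis; the
    mismatch rate must not exceed the tolerance agreed in advance."""
    checked = [(v, r) for (b, v), r in zip(photons, results) if b == setting]
    errors = sum(v != r for v, r in checked)
    return errors / len(checked) <= tolerance

def run(bit, cheat=False, n=2000, noise=0.01, tolerance=0.05, seed=1):
    """Return (bit Bob is told at opening, whether Bob accepts it)."""
    rng = random.Random(seed)
    photons = bob_prepare(n, rng)
    setting = rng.randint(0, 1)            # Alice's random detector setting
    results = alice_measure(photons, setting, rng, noise)
    commitment = setting ^ bit             # first message (sum taken mod 2)
    opened = bit ^ 1 if cheat else bit     # a cheating agent opens the other bit
    implied = commitment ^ opened          # setting Bob infers from the opening
    return opened, bob_verify(photons, implied, results, tolerance)

if __name__ == "__main__":
    for bit in (0, 1):
        print("honest", run(bit), "cheating", run(bit, cheat=True))
```

An opening that switches the bit implies the wrong detector setting, so about half of the photons Bob checks disagree with his records and the mismatch rate lands far above any small tolerance. In the original protocol the detector setting is the bit itself, and `bob_verify` applies unchanged.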
In the demonstration, Alice’s agents were 9354 kilometers apart, for a secure commitment time of 15 milliseconds. The team calculates that the chance of cheating was about one in 18 million. Giacomo Mauro D’Ariano, of the University of Pavia, Italy, agrees that Kent’s protocol should be secure, in principle. But he urges caution. “Protocols may look simple and convincing at first sight, but then their analysis of security may turn out to be hard, and ultimately they may be proven insecure.”
* Correction (27 Sep. 2016): Reference 2 has been updated because the paper is no longer on the ArXiv but was published in Physical Review Letters in Jan. 2014.
Devin Powell is a freelance science writer in Washington, D.C.