
Quantum cryptography beyond key distribution: theory and experiment

Mathieu Bozzio, Claude Crépeau, Petros Wallden, Philip Walther

TL;DR

This review surveys quantum cryptography beyond key distribution, covering both theory and experiment. It classifies primitives into trustful, mistrustful, and computational-security categories, and connects them to physical assumptions such as relativity, storage constraints, and hardware unclonability. The article surveys foundational tools (conjugate coding, no-cloning, teleportation) and then details secure primitives (tokens, signatures, data locking, covert communication, and public-key money) alongside secure quantum computation (blind and verifiable computing, classical-client schemes, and fully homomorphic approaches). It concludes with an outlook on composability, quantum advantage, and the hardware challenges that must be met for scalable quantum networks, highlighting loss-tolerance and device-independence as central future directions.

Abstract

Owing to its fundamental principles, quantum theory holds the promise to enhance the security of modern cryptography, from message encryption to anonymous communication, digital signatures, online banking, leader election, one-time passwords and delegated computation. While quantum key distribution (QKD) has already enabled secure key exchange over hundreds of kilometers, a myriad of other quantum-cryptographic primitives are being developed to secure future applications against quantum adversaries. This review surveys the theoretical and experimental developments in quantum cryptography beyond QKD over the decades, along with advances in secure quantum computation. It provides an intuitive classification of the main quantum primitives and their security levels, summarizes their possibilities and limits, and discusses their implementation with current photonic technology.

Paper Structure

This paper contains 57 sections, 17 equations, 8 figures, 2 tables.

Figures (8)

  • Figure 1: Adversarial settings for two-party quantum primitives. a) Honest protocol: Alice generates a quantum state $\rho$ using her source $S$ and an encoding unitary $U_A$. Bob applies a unitary $U_B$ and performs a measurement with a detection device $D$, possibly followed by some classical post-processing $CPP$. b) Protocol with a dishonest Alice: she can replace $\rho$ with another state $\sigma$, possibly living in a larger Hilbert space. c) Protocol with a dishonest Bob: he can perform any CPTD map on the state $\rho$ he receives.
  • Figure 2: Constructions for trustful quantum cryptography. In the i.t.-secure setting, quantum key distribution may be constructed from unclonable quantum encryption, or from its weaker variant of tamper-evident quantum encryption [G:QIC03]. Once a uniformly distributed secret key has been established between two (or more) parties, the three primitives of unforgeable quantum tokens (Section \ref{sec:tokens}), quantum position verification (Section \ref{sec:position}) and covert communication (Section \ref{sec:covert}) may be securely constructed.
  • Figure 3: Simple quantum position verification in 1D. We illustrate a variation of Scheme III from [Kent:PRA11], secure against unentangled dishonest provers. Two verifiers $V_0$ and $V_1$ are placed equidistantly from the honest prover's location $P$. These verifiers can communicate through secure authenticated classical channels and share a trusted GPS reference, and all signals are sent at light speed. a) In the challenge phase, $V_0$ sends $N$ uniformly chosen basis bits $b_i\in\{0,1\}$ and $V_1$ sends $N$ uniformly chosen quantum states $\ket{\psi_i}\in \{\ket{0},\ket{1},\ket{+},\ket{-}\}$ such that both signals reach $P$ at time $t=t_c$ (or at matching time-tags for each $i$ if the $N$ states are sent one after the other). Note that $b_i=0,1$ challenges a measurement of $\ket{\psi_i}$ in the $X$ and $Z$ basis, respectively. b) In the response phase, an honest prover located at $P$ will immediately measure each $\ket{\psi_i}$ in the basis dictated by $b_i$ and broadcast the corresponding measurement outcome $m_i\in\{0,1\}$ such that both verifiers receive their signal at time $t=t_r$. Using their secure channel, $V_0$ and $V_1$ will check that the time-tags of each $m_i$ are equal, and that each $m_i$ is consistent with a measurement of $\ket{\psi_i}$ in basis $b_i$. If these conditions are satisfied, the location of $P$ is successfully authenticated.
  • Figure 4: General representation of a quantum coin flipping scheme. Adapted from [ACG:SIAM16], the protocol starts with a separable state $\ket{\psi_0}$ living in Hilbert space $\mathcal{A}\otimes\mathcal{M}\otimes\mathcal{B}$, where $\mathcal{A}$ and $\mathcal{B}$ are Alice and Bob's spaces, respectively, and the message register living on $\mathcal{M}$ is sent back and forth between the two parties at each round. At each odd round $i$, Alice applies a unitary $U_{A,i}$ and projection $E_{A,i}$ on the space $\mathcal{A}\otimes\mathcal{M}$, while at every even round $i$, Bob applies a unitary $U_{B,i}$ and projection $E_{B,i}$ on the space $\mathcal{M}\otimes\mathcal{B}$. After the final round $n$, each party measures their private register to obtain the outcome of the coin flip.
  • Figure 5: Quantum bit commitment based on special relativity. First proposed in [K:PRL12], this space-time diagram $(x,t)$ was taken from [Zbind:PRL13]. In the commit phase, Alice sends Bob a string of BB84 states using conjugate coding (Section \ref{sec:conjugate}). Bob commits to a bit $b$ by measuring all states in the same basis $b$, and sending his measurement outcomes $r^{(b)}$ at light speed to agents $B_1$ and $B_2$. In the reveal phase, $B_1$ (resp. $B_2$) communicates these strings to Alice's agent $A_1$ (resp. $A_2$). In the verification phase, $A_1$ and $A_2$ cross-check that both messages from $B_1$ and $B_2$ were received at time $t_0$, and that $b$ and $r^{(b)}$ are consistent with the initial description of the BB84 states. A successful verification implies that Bob must have measured and committed no later than $t_0-d/2c$, where $d$ is the distance separating $\{A_1,B_1\}$ from $\{A_2,B_2\}$ and $c$ is the speed of light.
  • ...and 3 more figures
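
The verifiers' two acceptance checks from the Figure 3 caption (reply timing at both verifiers, and outcome consistency with $b_i$), as an added simulation that is not code from the paper. It assumes an ideal lossless channel, normalised light speed, all $N$ challenges sent together, and constructed positions; `run_qpv` and `follows_basis` are hypothetical names.

```python
import random

C = 1.0                                  # signal speed (normalised light speed)
V0_X, V1_X = 0.0, 2.0                    # constructed verifier positions
P_X = (V0_X + V1_X) / 2                  # claimed prover location (midpoint)
STATES = {"0": ("Z", 0), "1": ("Z", 1), "+": ("X", 0), "-": ("X", 1)}
BASIS = {0: "X", 1: "Z"}                 # caption's convention for b_i

def measure(state, basis, rng):
    """Ideal measurement: deterministic in the preparation basis, uniform otherwise."""
    prep_basis, bit = STATES[state]
    return bit if prep_basis == basis else rng.randrange(2)

def run_qpv(prover_x, follows_basis=True, n=256, seed=1, tol=1e-9):
    """One session against a single unentangled prover; returns the verifiers' verdict."""
    rng = random.Random(seed)
    t_r = 2 * abs(P_X - V0_X) / C        # challenge out to P plus reply back
    # A prover can reply only after both the basis bit and the state have reached it.
    ready = max(abs(prover_x - V0_X), abs(prover_x - V1_X)) / C
    arrivals = [ready + abs(prover_x - v) / C for v in (V0_X, V1_X)]
    timing_ok = all(abs(t - t_r) <= tol for t in arrivals)
    outcomes_ok = True
    for _ in range(n):
        b = rng.randrange(2)              # V0: basis bit b_i
        psi = rng.choice(sorted(STATES))  # V1: BB84 state psi_i
        used = BASIS[b] if follows_basis else "Z"
        m = measure(psi, used, rng)       # prover's broadcast outcome m_i
        prep_basis, bit = STATES[psi]
        # Only rounds whose challenged basis equals the preparation basis constrain m_i.
        if prep_basis == BASIS[b] and m != bit:
            outcomes_ok = False
    return {"timing_ok": timing_ok, "outcomes_ok": outcomes_ok,
            "accepted": timing_ok and outcomes_ok}

if __name__ == "__main__":
    for x, fb in [(1.0, True), (0.5, True), (1.0, False)]:
        print(x, fb, run_qpv(x, fb))
```

A prover off the midpoint always replies late at the farther verifier, which is why the check needs both time-tags; a reply that ignores $b_i$ fails the consistency check on roughly one round in eight.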