
MB1.1 (Invited) 11:00 - 11:30

And God said, "Let there be Confidentiality"


Gilles Brassard
Département d'informatique et de recherche opérationnelle, Université de Montréal, C.P. 6128, Succ. Centre-Ville, Montréal (Québec), H3C 3J7 Canada
http://www.iro.umontreal.ca/brassard

Abstract: After a brief historical perspective on quantum cryptography, this essay asks the question: Why should perfect confidentiality be possible according to quantum mechanics, but not perfect bit commitment? For the sake of liveliness, the style is purposely that of a spontaneous after-dinner speech.

I. PREHISTORY

The story¹ begins in the early 1960s, when Stephen Wiesner and Charles Bennett, who were undergraduate students together at Brandeis University, enjoyed talking with each other. Later, after Wiesner had gone to graduate school at Columbia and Bennett to Harvard, they kept in touch. In particular, the former paid frequent visits to the latter's communal house in Boston. During one of those visits in the late '60s or early '70s, Wiesner told Bennett of his ideas for using quantum mechanics to make banknotes that would be impossible to counterfeit according to the laws of nature, as well as of a quantum multiplexing channel, which would allow one party to send two messages to another in a way that the receiving party could decide which message to read, but only at the cost of destroying the other message irreversibly. Wiesner submitted his paper "Conjugate Coding" to the IEEE Transactions on Information Theory. Regrettably, it was rejected, probably deemed incomprehensible by the editors and referees because it was written in the technical jargon of physicists. It is fortunate that Wiesner had expounded his ideas to Bennett, for they might otherwise have been lost forever. Instead, Bennett mentioned them occasionally to various people in the subsequent years, invariably meeting with very little sympathy until...

II. HISTORY

One fine afternoon in late October 1979, I was swimming at the beach of a posh hotel in San Juan, Puerto Rico. Imagine my surprise when this complete stranger swims up to me and starts telling me, without apparent provocation on my part, about Wiesner's quantum banknotes! This was probably the most bizarre, and certainly the most magical, moment in my professional life. Within hours, we had found ways to mesh Wiesner's coding scheme with some of the then-new concepts of public-key cryptography (PKC). Thus was born a wonderful collaboration that was to spin out quantum teleportation, entanglement distillation, the first quantum lower bound, privacy amplification and, of course, quantum cryptography.

¹ The brief personal historical perspective on the field of quantum cryptography found in the first three sections of this essay is mostly excerpted from a more elaborate account I had written for another IEEE Conference [8].

The ideas that Bennett and I tossed around on the beach that day resulted in the first paper ever published on quantum cryptography [6], indeed the paper in which the term "Quantum Cryptography" was coined. This event triggered in 1983 the belated publication of Wiesner's paper [12]. Wiesner's original banknotes, as well as our subsequent variation that benefited from PKC, required quantum information to be held captive in one place. This was a major practical drawback because we were thinking of photon polarization as the carrier of quantum information. Strangely, despite knowing about Wiesner's quantum multiplexing channel, Bennett and I failed to realize for a few years after meeting in Puerto Rico that God had meant photons to travel rather than to stay put! This was the insight that made us think in 1982 of using a quantum channel to transmit confidential information. However, we did not think of quantum key distribution right away. At first, we wanted the quantum signal to encode the transmitter's confidential message in such a way that the receiver could decode it if no eavesdropper were present, but any attempt by the eavesdropper to intercept the message would spoil it without revealing any information. Any such futile attempt at eavesdropping would be detected by the legitimate receiver, alerting him to the presence of the eavesdropper. Since this early scheme was unidirectional, it required the legitimate parties to share a secret key, much as in a one-time pad encryption. The originality of our scheme was that the same one-time pad could be reused safely over and over again as long as no eavesdropping were detected. Thus, the title of our paper was "Quantum Cryptography II: How to reuse a one-time pad safely even if P = NP" [5]. We submitted this paper to major theoretical computer science conferences, such as STOC, but we failed to have it accepted.

We all but forgot about this early idea in 1983, when we realized how much easier it would be to use the quantum channel to transmit an arbitrarily long random secret key. Should eavesdropping be detected on the quantum channel, due to unavoidable disturbance, the key would be thrown away; otherwise it could be used safely to transmit a sensitive message by use of the classical one-time pad scheme. In essence, this detour via the one-time pad allowed us to turn God-given eavesdropping-detection channel into an eavesdropping-prevention channel. Moreover, the new scheme was much more robust against lost photons. We wrote up a winning proposal for the 1983 IEEE Symposium on Information Theory (ISIT). The corresponding publication [3] can be seen as the official birth certificate for Quantum Key Distribution (QKD).
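To make the detect-then-discard idea concrete, here is an added toy simulation (not code from the paper or its authors) of one BB84 round with an intercept-resend eavesdropper, followed by the classical one-time pad applied to the surviving key. The classical (bit, basis) model of a qubit, the abort threshold and the sample fraction are assumptions of this example.

```python
import random

# Assumed abort threshold: a sampled error rate above this counts as
# evidence of eavesdropping and the whole key is discarded (an assumption
# of this toy model; real systems calibrate it against channel noise).
ABORT_QBER = 0.11

def bb84_round(n_qubits, eavesdrop, sample_fraction=0.25, seed=0):
    """Toy BB84 round. A qubit is modelled as a (bit, basis) pair: measuring
    it in the preparing basis returns the bit, in the other basis a fair
    coin flip. Returns (qber, key): the error rate seen on the publicly
    compared sample, and the remaining sifted key, or None on abort."""
    rng = random.Random(seed)

    def measure(bit, prep_basis, meas_basis):
        return bit if prep_basis == meas_basis else rng.randint(0, 1)

    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bits = []
    for bit, basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: the eavesdropper measures in a random basis
            # and forwards a fresh qubit prepared in that basis; a wrong
            # guess disturbs the state, which is what Bob later detects.
            e_basis = rng.randint(0, 1)
            bit, basis = measure(bit, basis, e_basis), e_basis
        bob_bits.append(measure(bit, basis, b_basis))

    # Sifting: bases are compared over a public channel and only positions
    # where Alice and Bob happened to choose the same basis are kept.
    sifted = [(a, b) for a, b, x, y in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if x == y]
    # Part of the sifted key is revealed to estimate the disturbance; those
    # bits are sacrificed (the sifted positions are already random).
    k = max(1, int(len(sifted) * sample_fraction))
    sample, rest = sifted[:k], sifted[k:]
    qber = sum(a != b for a, b in sample) / k
    if qber > ABORT_QBER:
        return qber, None          # eavesdropping detected: throw the key away
    return qber, [a for a, _ in rest]   # noise-free toy: Bob's copy matches

def one_time_pad(message_bits, key):
    """Classical one-time pad (XOR) over the surviving key bits; the pad must
    be at least as long as the message and is never reused."""
    if len(key) < len(message_bits):
        raise ValueError("key exhausted: run another BB84 round")
    return [m ^ k for m, k in zip(message_bits, key)]
```

Without an eavesdropper the sampled error rate is zero and a key survives; with intercept-resend roughly a quarter of the sifted sample disagrees, so the round aborts and no key is ever used.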

1-4244-0090-2/06/$20.00 2006 IEEE


Shortly thereafter, Vijay Bhargava was in charge of a special session on coding and information theory for another IEEE conference, which took place in Bangalore, India, in December 1984. He invited me to give a talk on any subject of my choice, and naturally I chose quantum cryptography, considering how difficult it was to get these ideas published at the time. The resulting paper [4] gave its name to the BB84 protocol. For lack of space, I must refer the reader to my more detailed account of the history of quantum cryptography [8] for such important topics as our original 1989 prototype [2] and Artur Ekert's introduction of entanglement in QKD [9].

III. BEYOND KEY DISTRIBUTION

Many people think that quantum cryptography and QKD are one and the same. Nothing could be farther from the truth! Remember Wiesner's "Conjugate Coding", which started the entire field. Whether or not his quantum banknotes can be considered cryptography is a matter of taste. However, there can be no doubt that his quantum multiplexing channel, with its eerie resemblance to the yet-to-be-invented oblivious transfer, was mainstream cryptography ahead of its time. Another task that we studied in the early days of quantum cryptography is coin-tossing. Alongside QKD, the BB84 paper [4] described the first quantum coin-tossing protocol and explained how EPR correlations could be used to defeat it! Attention soon turned to bit commitment, a powerful primitive in classical cryptography. After various ups and downs, it was discovered that unconditionally secure quantum bit commitment is impossible [11]. Does it follow that the benefits of quantum information for cryptography cannot go further than allowing two people to exchange messages with absolute confidentiality? Certainly not! Consider coin-tossing again. Even though perfect quantum coin-tossing protocols cannot exist, Andris Ambainis has discovered a quantum protocol [1] in which neither party can select a desired outcome and influence the process in a way that this wish will come true with a probability better than 75%. As I write these lines, researchers round the world are hard at work, finding ever more imaginative ways to design quantum cryptographic protocols that achieve goals that would be out of reach for their classical counterparts.

IV. IS GOD TELLING US SOMETHING?

Quantum mechanics has forced us to rethink the nature of the physical world, its teachings often running counter to our misleading macroscopic experience. It is time to pause and reflect on what we have learned since Albert Einstein's annus mirabilis, 101 years ago. Alongside Christopher Fuchs [10], I contend that there is a fresh perspective to be taken on the axioms of quantum mechanics that could yield a more satisfactory foundation for the theory. Let me indulge in my favourite bedtime story. After creating Adam and Eve, God asked them what they wanted most. Adam requested confidentiality. So, God said, "Let there be confidentiality." And He saw that it was good. Then, God asked them what else they wished to enjoy. Eve requested commitment. So, God said, "Let there be (bit) commitment." And all hell broke loose! God had to backtrack and make sure that unconditionally secure bit commitment would remain forever impossible. It was at this point in time, my story goes, that God invented quantum mechanics because it is the most natural physical theory that could simultaneously grant Adam's wish and deny Eve's! The purpose of this parable is to wonder if the possibility of unconditionally secure confidential communication but the impossibility of unconditionally secure bit commitment should be considered as mere consequences of the axioms of quantum mechanics that we have inherited from Einstein, Bohr, Schrödinger and Heisenberg. Or could it be the other way round? Could it be that these theorems (or other established facts about quantum information, such as the impossibility of cloning it and of transmitting it instantaneously) hold the key to understanding the world at its most profound level? Could it be that the truly fundamental laws of nature concern, not waves and particles, but information? For more musing on this topic, you are invited to read my commentary in the inaugural issue of Nature Physics [7].

ACKNOWLEDGEMENT

I am most grateful to Charles Bennett, whose assistance with fact-checking was essential, especially in the prehistory part of this essay.

REFERENCES
[1] A. Ambainis, "A new protocol and lower bounds for quantum coin flipping", Journal of Computer and System Sciences 68(2), pp. 398-416, March 2004.
[2] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin, "Experimental quantum cryptography", Journal of Cryptology 5(1), pp. 3-28, 1992.
[3] C. H. Bennett and G. Brassard, "Quantum cryptography and its application to provably secure key expansion, public-key distribution, and coin-tossing", Proceedings of IEEE International Symposium on Information Theory, St-Jovite, Canada, page 91, September 1983.
[4] C. H. Bennett and G. Brassard, "Quantum cryptography: Public key distribution and coin tossing", Proceedings of IEEE International Conference on Computers, Systems & Signal Processing, Bangalore, India, pp. 175-179, December 1984.
[5] C. H. Bennett, G. Brassard and S. Breidbart, "Quantum Cryptography II: How to reuse a one-time pad safely even if P = NP", rejected from 15th Annual ACM Symposium on Theory of Computing, Boston, May 1983. Historical document dated November 1982 available from the authors.
[6] C. H. Bennett, G. Brassard, S. Breidbart and S. Wiesner, "Quantum cryptography, or Unforgeable subway tokens", Advances in Cryptology: Proceedings of Crypto 82, Santa Barbara, Plenum Press, pp. 267-275, August 1982.
[7] G. Brassard, "Is information the key?", Nature Physics 1(1), pp. 2-4, October 2005.
[8] G. Brassard, "Brief history of quantum cryptography: A personal perspective", Proceedings of IEEE Information Theory Workshop on Theory and Practice in Information Theoretic Security, Awaji Island, Japan, pp. 19-23, October 2005. Also available at http://arxiv.org/quant-ph/0604072.
[9] A. K. Ekert, "Quantum cryptography based on Bell's theorem", Physical Review Letters 67(6), pp. 661-663, 5 August 1991.
[10] C. A. Fuchs, "Quantum mechanics as quantum information (and only a little more)", available at http://arxiv.org/quant-ph/0205039, May 2002.
[11] D. Mayers, "Unconditionally secure quantum bit commitment is impossible", Physical Review Letters 78(17), pp. 3414-3417, 28 April 1997.
[12] S. Wiesner, "Conjugate coding", written circa 1970 and belatedly published in Sigact News 15(1), pp. 78-88, January 1983.

