‘QUISTUM CRYPTOGRAPHY: PUBLIC KEY DISTRIBUTION AND COIN TOSSING ‘charles H, Bennett (Z3H Research, Yorktown Heights MY 10598 usa) Gilles Brassard (Gept. 1RO, Univ. de Montreal, H3C 39? Canasay nen elementary quantum systens, such as polarized Photons, "are used to tranemit digital information, the uncertainty principle gives rise to novel eryp: tographic phenonena unachieveable with teasitional Eransmission media, e.g. a communications channel. on whieh se ds “ampossisie in principle to eavescrop without a high probability of Sistarning the trane= Imission in such a way as to be detected, uch a ‘Quantum channel can be used in conjunction with Ore Sinary” insecure classical channels to cistribute Fandon key information Between, two users. with. the assurance that it romaine unknown to. anyone. e even when the users share no secret information ini Eially. We also present a protocol for coin-tossung by exchange of quantum messages, which is secure against tragitions! kings of cheating, even by an ‘opponent with unlimited computing power, but ironi= eslly can be subverted by use of a still subtler ‘Wuantun phenomenon, the Einste:n-Posolshy-Rosen ber seen. Conventional eryptosystens such as EVICHA DES, or even RSA, are based ona minture of guest work and mathonaties, information theory show's that Eragitionel secret-key eryptorystens carnot be to~ tally secure unless the key, seed once only, a8 at Beast as long as the cleartext, on the other hand, the theory of computational complenity ds noe yee elt enough snderstooe to prove the conpitat ioral security of public-key cryptesystens. In this paper we use a radically difforent foundation for cryptography, via. the uncertainty Brinciple of quantum physics. in conventional, in fomation theory ane eryptography, it in taken for Granted that digital conmanications in prancigie can alvays be passively monitored or copied, even by ‘oneone ignorant of their meaning, However, When information is encoded in non-orthogone! quanta states, such as single photons with polarisation Garections 0, 45, 90, and 135 degrees, one ebteins & conmnications channel whose transmissions in prin ciple cannot be read or copied rellasly by an eaves Gropper ignorant of certsin key information used in forming the transnission. The eavessroppe cannot ‘even gain partial information about sich a teansnis~ sion without altering it a rantem ané uncontrollable vay Likely to be éetected by the channel's Lesiti~ Quantin cating was first described in {#), ‘Along with to applications: making money that is in ‘principle inpossinie to counterfeit, and multiplox- ing! two or three messages in such a way that seescng fone destroys the others. More recently [assal, ‘Guantun coding has Been used in conjunction vith public key eryptographic techniques to yiclé aeveral schemes for unforgesble subvay tokens, Here ve shew ‘that quantim coding by itself achieves one of the rain advantages of public key eryptestaphy Sy fer= sitting secure distribstion of ranéem hey. intoren ion between parties who share no secret. infornat lon the Quantum channel, to an orginery channel sascens Eble fo passive but not active eavescropping. Even in the presence of active eavesdropping, the two parties can still distribute key secarely if they share some secret information initially, provises the eavessropping is not #0 active as to suppres communications completely. We also present « preter col for coin tossing by exchange of quenton men sages. Except where otherwise noted the prorecals are provably secure even against an opponent with superior technology and unlimited conpating power, barring fundamental Violations of accented physical lave, Offsetting these advantages is the practical tage that quantum transmissions ave neces. ily very weak and cannot be amplified in eransit, woreover, quantum cryptography doer not provice ie gital signatures, or applications such as cereitied Neil or the ability to settle disputes before ¢ Sedge, tial Properties of Polarized Photons Polarized Light can be produced by sending an ordinary Light beam through a polarizing anpatacas such a3 @ Polaroid filter or calcite crystal; the Estion Of the polarizing apparatus in which the Seah originates. "Generating single polarizea shotont ss aiso possible, in principle by picking then out of & Polarized bean, and in practice by a varsavion of an experiment [AGR) of Arpect, ets ale Although polarization is continuous varia~ ble, the uncertainty principle forbids measarencrts fon any single photon fron revealing more thas ove ‘bit about its polarization. For exemple, if a Ticht beam vith polarization axa a is sent into @ fiver griented at angle f, the individual photons Behave Sichotomously and prcbaniisetically, being tranomt= ted with probability cos‘(a-B) and absorbed wich the complementary probability sin®a-B). the photons Dehave deterministically only when the txo axes are |mterational Conference on Computers, ystems & Signal Pocessing Banglore, Indis December 10-12, 1984parallel (certein transmission) of perpendicular (certain abscestion) Bf the two axes are not perpendicular, 0 that sone photons are tranemittes, one might hope to Learn adeitional information about’ @ by measuring the transmitted photons again with a polarizer ori tented at one thiré angles but thas de te no avelly because the transmittes photons, im passing through the polarizer, emerge with exactly B polarize tion, having lost all menory of their previous po- larization a. ‘Another vay one might hope to learn more than fone bit from a single photon would be not to measure SCieirectiy, but rather sonchow amplify it into a lone of identically polarized photons, then perform rmeasurenents on these; but this hope is alse vain, Because such cloning can be shown to be inconsistent with the foundations of quantum mechanics’ (hal Formally, quantum mechanics represents the Anternal state of a quantum systen (e.g. the polari- zation of a photon) as a vector ¢ of unit length Ina Linear space H over the field of complex mun bers (iilbert space). The anner product of two vec™ tors , is defined as F5e;"Vy, where * Andi- cates complex conjugetion. The dindnaionality of the Hilbert apace depends on the aysten, being Lerg= fer (Or even infinite) for more conplicated systems: Each physical neassrenent "that might be performed fon the systen corresponds to a resolution of its itbert space into erthogonal subspaces, one for ‘each possible outcone of the measurement. The nun ber of possible outcones iz thor Limited to the Ginensionality & of the Hilbert space, the most conplete neasirenente being those that resolve the Mlbere space into. Todunensional subspaces. tthe bith subspace of measurement Il, 20 that the Agenesty operator on Hl can be represented as a sim of projections; T= MysHgrsecs, When a system in State is subjected to'maasurencnt M, aes behavior is in general probabilistic: gutcore k occurs with 4 probability equal to ihy0I®, the square of ‘the length of the state vector's projection into #ub~ space my. After the measurencnt, the system is left Sp ane state MU/ IMG, which ie the normalized nat vector an the eiréetion of the ole state vector's projection into SUDspace Mk. ‘The meassr rent this has a deterministic outcohe, and leaves the state vector unnosifies, only in the exceptional case that the initial state vector happens te Lie entirely in one of the orthogonal susepaces charac The Wilbert space for a single polarises pho- ton as 2edinensionaly this the state Gf a photon may be completely describes at Linear Combination of for enarple, the to unit vectors Fy = (1/0) and Fy0 (Ort), representing respectively horizontal and vertical polarization. an particular, = photon por Tarized at angle a £9 the horizontal ss Gescribed by the state vector (cosa, nine) When subjected to a measurenent of vertical-ve,-horizontal polari= ation, sacha photon in effect, chooses’ to become horizontal wath probability cos?a ana vertical with probanility sina, The two orthogonal vectors Fy nd ry thus a exenplaty the reaohotion of # 2 Glnengional ilbert space into 2 orthogonal 1= Intemational Conference on Como.ers, Systems & Sgrsl Processing Bangalore Inde Decembe Gimensional subspaces: henceforth ry and r will be ‘381d to conprise the *rectilinear* basse for the An alternative basis for the sane Hilbert space is provided by the tvo “diagonal” basis vec~ tors dy = (0.707,0.707), representing @ as-degres Photon, and d, = (0,707,-0.707),, representing a 13Sedegree photon. Ivo bases (e.g. rectilinear ané Asagonal) are said to be ‘conjugate’ vl, if each vector of one basis has equal-lengeh projections fonto all vectors of the other basis: this means that 4 systen prepared in a specific state of one basis Will behave entirely randomly, and Lose all ies stored information, When subjected to a measurement corresponding to the other basis. Oving to the cor plex nature of its coefficients, the two-einensional Rilbert apace also agmite « third basis conjugate £3 Doth the rectilinear and éiagonal bases, comprising the two sorealied "circular" polarizasions ey = (0.707,0.2074) and cy = (0.7071,0.707); but the rectilinear and éiagotal bases ave all that will bbe needed for the cryptographic applications in this The Hilbert space for a compound system is constructed by taking the tensor prosuct of che Hil- bert spaces of its componente; thos the state of @ air of photons is characterized by @ unit vector in the 4-inensional Wilbert space spanned by the er Bhogonal basis vectors ryr4, F491 Foy. ane eyes Tis formalism entasis thal the state of e conedns system is not generally expressible as the cartezsen product of the states of its parts: e.g. the Einstein-Podolsky-Rosen state of two protons, 0.7071 (ryrgrrzry)s £0 De discusses Later, is not equivalent to’ any product of one-photon states 352, Quantum PubLie Key Disteiiation an traditional public-key cryptography, trap door functions are used to conceal the meaning oF IRessagos beticen to users froma prasive cavescrop~ Per, depite the lack of any initial shared secret Information Between the twa users, In quantum pase Lic key diseramstion, ‘the quantum channel is not Uses directly to send neaningfal messases, fue 12 rather used to transmit « supply of randon sits 2c- tally, an such a way that the seers, by csssegee consultation ever an ordinary non-quantum channel subject to passive eavescropping, can tell with hish Probability whether the original quantum transmis sion has been eisturbed in transit, aa it woule be Dy an eavescropper (Lt 4s the quantum channel's pe- cular virtue to compel eavesdropping to be active) 1f the transnission has not becn disturbed, they agree to use these shared secret bits in the vell- Known way as & one-time pad £0 conceal the meaning fof subsequent meaningfal communications, ox for oth- fer cryptographic applications (e.g. authentication fags) requiring shared secret rancom information If transmission has been eisturped, they Giscare at land try agin, deferring any meaningful. communica tions until they'have succeedes in transmicting ‘enough randon bits through the quantum channel to Serve ae a one-time pad) 1019, 1968Jn more detail one user (*ALice') chooses & Fandon Bit string and a random sequence of polarize: Eon bases (rectilinear or Giagonai). She then ends the other user (BoD) & train of photons, each Fepresenting one bit of the string in the basis cho= sen for that Bit position, a horszontal or #5-degree Dhoton stanéang for a Binary zero and a vertical or 135-desree photon standing for # binary 1s, As Bob Feceives the photons he deciées, randomly for each Bhoton and independently of Alice, whether to meas lure the photon's rectilinear polarization or ies @iasonal polarization, and interprets the readle of the measurement as a binary zero of one.” AS ex Plaine’ in the previous section a random answer i Droduced and all information lost when one actenpes to measure the rectilinear polarization of « dingo. fal photon, or vice versa. ‘Thus Bob obtains Angful ata from only half the photons he. det those for which he guessed the correct polarization basis. Bob's information 1s further degraced by the fact that, realistically, sone of the photons would bbe lost in transit or would fail to be counted By Bob's imperfectly-efficient Getectors, Subsequont steps of the protocol take place lover an ordinary public eomminications channels #5 sumed to be susceptible to eavescropping bot not eo the injection or alteration of messages, Bob and Alice first determine, by public exchanse of nese sages, which photons were successfully received and (of these which were received with the correct basis If the quantum transmission has been undisturbed, Alice and so should agree on the bits encoses By ‘even this data has never been ise essse over the public channel. Each of these pho tons, An other words, presumebiy carries one bit of Fandom information (¢.g- whether a rectilinear phoe ton was vertical or horizontal) known to Alice ane Bob but #0 no one else. Because of the random mix of rectilinear and ‘QUANTUM TRAXSH:8E204 Randon sending bases. Bits as received by 305, ‘pus.te prscussson Bob reports bascs of received bits... Alice says which bases were correct Presumably shareé information (1f no eavesdesp] Bob reveals some key bits at random Alice confirms then... ‘ourcone Remaining shared secret bits... Giagonal photons in the quantun transmission, any eavesdropping carries the risk of altering he Eransmission in such a way as to prosice aisegree= ment between Sob and Alice on sone of the bie on which they think they shool@ apres. Speciticaiiy, 4¢ can be shoun that no meaturemens ona photon aa transit, by an eavesdropper who iv infornee of ee photon's original basis only after he has pocfomed his measurement, can yield more than 1/2 exceccee Bits of information about the hey bit encoeee ep tht photons and that any auch measurenent: Yael cing B Bits of expected information {os 1/2) mist sag ce 4 disagreenent with probability ae least bys it he measured photon, or an attempted forgery of it, is later re-measured in its original basta,” (This optimum tradeoff occurs, for exanpie, when the eat vesdropper measures and retransmits all iotescooeee Photons in the rectilinear basis, thereby leassece Gropping by publicly comparing some ef the sive on hich they think they shosld agree, though of course his sacritices the secrecy of these mie, thet Positions used in this comparison should be © sancom subset (say one thire) of the correctly. reser bits, s0 that eavesdropping on more than s fev ghor fons is unlikely to excape detection. If all the comparisons agree, Alice and oo can conclate shee the quentun transmission has been free of sini cant eaveséropping, and those of the rensinine seve hat wore sent and receives with the same baris cio agree, and can safely be ured as a one tine rea fen subsequent secure conminicat ions over the patie channel. When this one-time pad te used up, the Protocol = repeated to send « new bosy of fanvon Anformation over the quantum channel, The following example illustrates the above proton rer Ppissorxsisssi a a re ) ° 7 1 ‘The neeé for the public (non-quantum) channel 4m this scheme to be inmane to active eavesdropping can be relaxed Af the Alice and Bom have agrees bet forehand on a small secret key, which they one to exeate Wegnan-Carter authentication tage [We] for their messages over the public channel. In nore eetail the Wegman-Carter multiple-nessage euvhenti ceation schene uses a snall random hey to produce essage-dependent "tag (rather Like a check tum) for an arbitrary large message, in such a way that fan eavesdropper ignorant of the key has only @ snail Probability of being able to genorate any ovher ve Lid message-tag pairs. The tag thus provides evs. Gence that the message 1s Legitinate, and wes not Generated or altered by someone ignorant of the Key. Grey bits are gradually sea up in the Wegnan Certo scheme, and cannot be reused withovt comproniiey the systen's provanle sccuraty; however in the present application, these key bits can be replacce Dy fresh randon bits successfully transmetes \rcerravors! Conference on Comptes, Systems & Signal Processing Bangslore, Inde December 10-19, 1964‘through the quantum channel.) The eaveséronper can still prevent communication by suppressing messages in the publie channel, as of course he cen BY supe Dressing or excessively perturbing the photons ent hrough the quantum channel, However, in either case, Alice and Bob will conclude with high prebe~ bility that their secret communications are being suppressed, and will not be fooled into thanking these communications are ascure when in fact they're 1, Quantam Coin Tossing ‘Coin Flipping by Telephone’ vas first dis- ‘cussed by Blum [Bl]. The probles is for two ia trustful parties, communicating at a distance with fut the help of a thira party, to cone to agree on & winner and a loser in such a vay that each party has exactly $0 per cent chance of winning. Any attempt by either party to bias the ovteone should be de tected by the other party as cheating. Previous protocols for this problen are bese? on nproves Assumptions in computational complexity theory, Which makes then valneraole to @ breakthrough dn gorithm design. By contrast, we present here a schene anvoly= ng classical and quantan messages which is secure ‘against traditional kinds of cheating, even by an 1y, it can be subvertes by @ still subtler quantum Phenomenon, the so-called Einstein-Poelsky-Rosen effect. This threat 4s merely theoretical, because it requires perfect efficiency of storage and detec {ton ef photons, which though net impossible sn principle is far beyond the capanilities of current echnology. The honestiy-followed protocol, on the ‘other hand, coulé be realized with current. technolo= 1, Alice chooses randomly one basis (aay rectili- near) and a sequence of random bits (one thossene should be sufficient). She then encodes her bits es fs sequence of photons in this sane basis, using the ane cocing achene az before, she sence the ress! ing train of polarizeé photons to Bob, 2. Bob chooses, independently and randomly for each Photon, a sequence of reading bases. He reads the Photons accordingly, recording the results in tuo tables, one of rectilinearly recesved photons and fone of diagonally received photons. Because of Losses in his detectors and of the transmsssion fchannel, sone of the photons may not be receives at a1, resulting in holes in his tables. At this tino, Bob makes his guess as to which basis Alice ‘used, and announces it to Alice. Me wine if he Guesiee correctly, loses othervise, 3. Alice reports to Bob whether he won, by telling him which basis she had actually used.” She certif= Aes this infornation by sending 805, over a classi~ cal channel, her entire original bit sequence used an step 1 4, Bob verifies that no cheating has occurred by comparing Alice's sequence with Both hie tables ‘There should be perfect agreenent with the tasie corresponding to Alice's Basis and no correlation with the other table. In our example, 0D can be ‘confident that Alice's original basis war indeed Bustrating the protocol by a specific example, Dice's Blt strings Photons Alice sence Bob's random bases. . Bob's rectilinear table. Bob's Giagonal table. Rice's replys Alice sends ner original bit string to” cereify.. Bob's rectilinear table, Bob's Elagonal table. sss. Toot t yoy 01700 negestineas tery pre te ties DDR ROR RD RROD DR + ° ° : 1 ° “nectstineas* er 1 ° ° In order to cheat, Bob vould need to gu Alice's basis with probability greater than 1/2, This amounts to eLstingushing @ train of photons angomly polarized in one basis from a train random Ay polarized in another basis, However, it can be ‘shown that any measuring apparatus capable of making this distinction can also be ured, in conjunction with the Einstein-Podoishy-Rosen effect described below, to tranonie useful information faster than the speed of Light, in violation of well-established physical laws. Mice coulé attenpt cheating either at step 1 or step 3. Let us first assume that she follows Step 1 honestly and finde herself losing at the end Of step 2, because Bob made he correct quess, here Fectliniear, In oréer Co pretend she has won, she Intemational Conference on Comouters, Systems & Signal Processing Bangoore, India December 20 ould need to convince Bob that her photons were Akagonaily polarized, which she can eniy eo by pros cing @ sequence of bits in perfect agreement with Bob's Giagenal table. This she cannot go relissly because this table iz the reault of proosbilistie behavior of the photons after the lefe her hands ‘Suppose she goes ahead anyway and sends’ Bob a new ‘original’ sequence, aifferent from the one that she used! in step 1, in hopes that it will by Tuck agree perfectly with'sob's Giacgnal table. This attence to cheat requires Alice to be net only tuchy bse Baring, because in the vast sajority of cares, the Genble would fail and would be etectes ex cheatns. By contrast, in traditional coin-tossing schemes, analogous attenpts to seize » lucky victory tron the save of defeat, though unlikely to succeed, are Unacconpansed by any danger of detection. 19, 19883t As easy to see that things are even worse for Alice if she attempts to cheat in step 1, by sending a mixture of rectilinear and Giagonal pho tons, ‘er photons which are polarised neither rectil~ Aneatly of éiagonally. “ih this case she vill not be ble to agree with eicher of Bob's tables an step 3. Since both tables will record the results of proce bilistic oehavior not under her ‘control~ In order to say how Alice can cheat using ‘quantum mechanics st iz necessary to descrise the Einstein-podolsky-Hosen (EPR) effect (80, AGR), often called a paradox because it contradicts the common. sense notion that for tvo inaividually random events happening at distance from one another to be corre. 5 ated, sone physical anfluence must have propesated from the earlier event to the later, cr else from ‘The EPR effect occurs when certain types of ‘atom or molecule decay with the emission Of two Pho fons, and consists of the fact that the tre photon are aluays found to have opposite polarization, Fe Gerdless of the basis used to observe then, proviced Doth are observed in the sane basis. For exampie, Af both photons are measured rectilineariy, it wii fluays be found that one is horizontal and’ the other Vertical, though which iz horizontal vill vary Fane Gomly from one decay to the next, If soth photons fare nessured éiagonally, one vill always be 135" Gegree and the other a5-degree. A moment's reflec ‘tion will show that this behavior cannot be ex plained by assuning the decay produces a eusteibi- tion over a of oppositely polarized (@ and 0490) photons, since, in that case, if auch # paar of Bho tons were measured in an intermediate basis (aay 9185), both woulé behave prosanilistically so a2 to Probably the simplest, but paradoxical- sounding, verbal explanation of the EPR effect is to say that ‘the two photons are procuced in an anieial state of undefines polarization; and when one of then 4s measured, the measuring apparatus forces 4€ $0 choosa # polarization (choosing ranéomly and fequiprobasly between the two characteristic eirec ‘ions offered by the apparatus) while simltaneosoly forcing the other unmeasured photon, no matter how far avay, to choose the opporite polarization. ‘This inplausible-sounding explanation is supported by Formal quantum mechanics, which represents the state of a pair of photons as & vector in a #-2inensional utbert space obtaines by taking the tensor proguct fof two 2-dinensional Hilbert spaces, ‘The EPR state produced by the decay is described by the vector 0.7071 ryrz ~ r9ry), and the EPR effect is explained by the fact that this vector has anticorrelates pro- jections into the 2-cimensional Hilbert spaces of ‘the two photons no matter what basie 12 used to ex- ress the tensor profuct (e.g. the sane state vector As demonstrably equal to 0.7091(dydy = 92y) and £0. 0.707 e403 e704) In order to chest, Alice produces # number of EPR photon-pairs instead of individual ranzom phow tons in step 1. In each case she sens Bob one men ber of the pair and stores the other herself, per= haps between perfectly reflecting mirrors. shen Bob wakes his guess (e.g. rectilinear) she then measares all her stored photons in the oppotite (eiesonel basis, thereby obtaining results perfectly corseset~ fe with his diagonal taste but uncorrelated with has Fectilinear table, she then announces these re, sults, pretending them to be the renion bits sha was supponed to have encoded in the photons in sten ty and thereby forces @ vin from which Bob cannst ent cape even by delaying his measurements until after his guess. This cheat requires thet Alice be aule £0 store the twin photons for a consicersiie tine and then measure then with high detection efticren- ©, and thus would be possible only in principles fot in practice. Any photons lost by Alice esting storage or neasurenent would result in holes in her Pretended bit sequence, which she would have to fii By guessing, and these guesses would risk detection by Bob Af they failed to agree with his tables, WOR) A. Aspect, P. Grangier, and 6. Roger ‘Biperinental Realseatisn of the Einsvein~ Podolsky-Rosen-soh= GeCankenexpersnents a Nox Violation of Bell's Snequal ities", Phys.hev.tett. «8, 9-94 (1962) lmp0n) C.m.aennete, 6. Srassaré, s.sreidsart, and 5. Siesner, ‘Quantum Cryptography, or Unforgecsie Subway Tokens", to appear in Advances in C2yp~ ography: Proceedings of CRIPTON2, Plenin {821 Manuel alum, ‘Coin Flipping by Teteprone-~ a Protocol for Solving Impossible Prosiens’) I~ GACT mews 35:3, 23-27 (1883). {ol David Bohm, quantum theory (Prentice-Hall, En- Glevood CLitfs, MI 1951), pp. elaceid, Wel M. Wegman and L.carter, ‘New Hash Functions ané Their Use in Authentication ane Set Fqsaliey. Yeconp.sys.8ei. 22, 265-279, (1981) I) Stephen Wiesner, “Conjugate Coding", (manuscript ca 1970); subsequently published 4n S7cAcT News B52, Tees (1983), Ui2l Wk. Wootters and WH. Zurek, ‘A Single Quantum Cannot be Cloned", ature #83, 802-603 (1382) Intemational Corference on Computers, Systems & Signal Processing Bangalore India December 10-12. 1984