Soft ComputDOI 10.1007/s00500-014-1555-7

FOCUS

Quantum-based secure communications with noprior key distribution

Marius Nagy · Naya Nagy

© Springer-Verlag Berlin Heidelberg 2014

Abstract Current quantum cryptographic protocols aim todistribute a classical secret key to be used afterwards inclassical encryption/decryption schemes. We show in thispaper that quantum information processing can be used todo much more than just key distribution. Simple quantumtransformations augmented with the ability to store qubitsin a quantum memory are the building blocks of a class ofprotocols allowing two parties to communicate secretly byencoding/decoding the exchanged message directly throughquantum means, without the need to establish a secretencryption/decryption key first. Consequently, our quan-tum mechanical process of securely transmitting a messagethrough a public channel is conceptually simpler than thetwo-step scenario with a quantum distributed classical key.In addition, since the encrypted message is only transmittedthrough a quantum channel, copying and off-line analysisof the transmission is impossible. Our algorithms rely on thecommon assumption that public information can be authenti-cated. In terms of security, the protocol using three encodingbases achieves the maximum detection rate of 33 % per qubittested. The probability of catching a potential eavesdroppercan be brought as close to 1 as desired by increasing thelength of the signature string attached to the message.

Communicated by C. M. Vide.

M. Nagy (B) · N. NagyCollege of Computer Engineering and Science, Prince MohammadBin Fahd University, Al Azeziya, Eastern Province, KSAe-mail: mnagy@pmu.edu.sa

M. Nagy · N. NagySchool of Computing, Queen’s University, Kingston, ON, Canadae-mail: marius@cs.queensu.ca

N. Nagye-mail: nagy@cs.queensu.ca

Keywords Quantum gates · Quantum memory ·Measurement · Cryptography · Quantum protocol ·Key distribution · Security · Eavesdropping ·Intruder detection · Bit rank

1 Introduction

Quantum cryptography has been mainly concerned withquantum key distribution (Bennett 1992; Bennett and Bras-sard 1984; Bennett et al. 1992; Ekert 1991). Regardlessof whether they rely on quantum entanglement or not, allthese quantum protocols are used with a single goal: toestablish a classical secret key that is subsequently usedto encrypt/decrypt a message using classical cryptographicalgorithms. Actually, a large body of literature considers thequantum key distribution problem to be in fact a key enhance-ment (Lomonaco 2000), since a small secret key must alreadybe available to the two communicating parties to authenticatethe classical channel. Key enhancement means that Alice andBob share already a small secret key, possibly obtained via aclassical protocol, and then develop a large secret key. Keydistribution starts from public information only and developsa secret key during the protocol.

As we have previously argued in Nagy et al. (2010), truekey distribution is possible through quantum means usingprotected public information to guarantee the authenticityof exchanged messages. In our scheme, the public infor-mation that supports authentication is still classical, but aninteresting area of research was opened by Gottesman andChuang, when they proposed a quantum digital signaturescheme, based on quantum one-way functions, that employsa public key made up of a set of quantum states (Gottesmanand Chuang 2001). The scheme allows for a small numberof quantum digital signatures to be shared among potential

123

M. Nagy, N. Nagy

recipients. It has the disadvantage of using several copiesof the signatures, thus revealing more information about theactual signature to potential malevolent parties. The difficultyof using a quantum public key for a reduced number of timesis discussed in Cao (2010). A scheme that does not use quan-tum memories is proposed in Dunjko et al. (2014). It uses onlyclassical information when sending messages. Thus, signinga message is rather classical, but has good implementationprospects, as can be seen in the implementation-oriented ver-sion of the paper (Collins et al. 2014). Non-interactive quan-tum authentication schemes with classical keys are also stud-ied in Barnum et al. (2002), where an efficient procedure tocreate purity-testing protocols is given. Finally, the originalidea of Gottesman and Chuang was later enhanced by otherresearchers (Zeng and Keitel 2002; Lu and Feng 2005) toallow general quantum states to be signed, not just classicalbitstrings.

After this brief detour on authentication techniques, wecome back to the problem of encrypting a message directlythrough quantum means, which is the main focus of our paper.Although in the protocols developed herein, each physicalmessage contains a signature along with the useful informa-tion, this signature plays the role of a sentinel, as it is used fordetecting eavesdropping rather than for authentication pur-poses. The signature is unique for each message, that is, onceused for a message it is not used again. Thus our protocolsimplement one-time signatures.

In any existing quantum key distribution protocol, animportant characteristic of the classical secret key is that itis randomly generated. No quantum key distribution schemecan be used to distribute a key that is known a priori to anyof the communicating parties. This randomness comes fromthe implicit randomness associated with the measurementpostulate in quantum mechanics. In this paper, we distanceourselves from the very idea of using a key for encryption. Wedevelop a class of protocols that transmit a message secretlyby scrambling the order of the bits rather than explicitlyencrypting the message with a key. The scrambled messageis transmitted via a quantum channel and therefore consistsof quantum bits (qubits) rather than classical bits.

Our protocols come with all the advantages of quantumcryptography. An intruder, Eve, listening to the messagebeing transmitted, destroys the superposition state of thequbits and thus can gain knowledge about it only with a lowprobability. Also, the intruder is detected by Alice and Bobwith an arbitrarily high probability. In addition, our protocolsare equivalent to a one-time pad (Shannon 1949). As we useno key, information about the scrambling of the message is ofthe same order as the message itself. Eavesdropping on oneapplication of the protocol provides no gain to the intruderfor any subsequent protocol applications.

We first illustrate our idea with a simple protocol encod-ing bits in one of two complementary bases and show that

the detection rate per qubit checked is 25 % (same as inBennett and Brassard 1984; Bennett 1992). We then extendthe encoding strategy to three complementary bases, whichimproves the detection rate per qubit to 33 %. Finally, wedescribe a general quantum protocol in which the encod-ing basis is arbitrary (not chosen from a pre-defined discreteset). In all three protocols, the step of establishing and dis-tributing a cryptographic key is no longer needed. Togetherwith the fact that we are using only simple unary quantumgates, the whole process of securely transmitting a messagebetween two communicating parties becomes greatly sim-plified and streamlined. By comparison, the RSA algorithm(Rivest et al. 1978) used to just distribute the secret keyneeded to encrypt/decrypt the actual message through clas-sical means is much more computationally intensive. More-over, our protocols benefit from the level of security conferredby quantum mechanical properties when the encrypted mes-sage is transmitted. The no-cloning theorem makes it impos-sible for an eavesdropper to copy the transmission withoutdisturbing it and then analyze the transmission off-line. Pre-vious protocols benefit from this quantum level of securityjust for the key distribution step, the encrypted message isstill transmitted through a classical channel, which is subjectto all classical ways of attack.

Beside simple quantum gates, our scheme also relies onthe use of a quantum memory capable of storing qubits(described by their quantum states) for a certain amount oftime as detailed in the description of the protocol. Althoughbuilding such a quantum memory is a challenging endeavor inpractice, important steps in this direction have been recentlyreported (Gisin et al. 2011; Tittel et al. 2011; Lukin et al.2012; Steger et al. 2012). Any practical implementation ofa quantum protocol aimed at securing communications hasto find an appropriate physical embodiment for the qubitstransmitted over the quantum channel. The best choice inthis respect seems to be photons, whose polarizations caneasily be manipulated and which are, by definition, very fast,traveling at the speed of light. On the other hand, photonsare not well suited for storage, where solid-state approachesseem to be the most promising technology.

Now, two separate teams, one led by Wolfgang Tittel at theUniversity of Calgary in Alberta, Canada (Tittel et al. 2011)and another led by Nicolas Gisin at the University of Genevain Switzerland (Gisin et al. 2011) are reporting advanceson the road to make the two technologies work together.Experimenting with different types of crystals, they man-aged to have the quantum state of a photon being captured insolid crystals through entanglement. Furthermore, scientistsat Harvard University have developed a room-temperaturequantum memory that can hold information on the order ofseconds by using the spin of the nucleus of an atom inside adiamond to physically realize a qubit (Lukin et al. 2012). Butthe record on how long a superposition state can be main-

123

Quantum-based secure communications

tained definitely belongs to a team led by Professor MikeThewalt of Simon Fraser University, Canada (Steger et al.2012). Using the spins of atomic nuclei embedded in silicon,the research team was able to create a superposition statewhich lasted for 192 s (more than 3 min). These advancesseem to hint to the possibility of practical realizations forprotocols using quantum memories (like the one describedin this paper) in the near future.

The remainder of the paper is organized as follows. Sec-tion 2 presents a simple keyless protocol that securely trans-mits a message from a source to a destination. It also ana-lyzes the protocol’s protection from the intruder’s actionsincluding a formal proof of security. The analysis is formal-ized to measure the intruder’s gain of knowledge for dif-ferent levels of attack. Section 3 describes an improvementon the detection rate of the intruder using an encoding inthree complementary bases. A generalized encoding schemewhere the encoding basis can be any ortho-normal basis span-ning a two-dimensional Hilbert space is presented in Sect. 4.Finally, Sect. 5 offers some conclusions and highlights themain ideas that made the results in this paper possible.

2 Keyless quantum message transmission

In this section, we describe in detail the inner workings ofa protocol that allows two parties (commonly referred to asAlice and Bob) to communicate secretly over an insecure,public quantum channel. The protocol relies on the fact thata quantum channel cannot be eavesdropped on without dis-turbing the quantum information transmitted over the chan-nel. To communicate secretly, the two parties are assumed tohave access to the following resources:

– a public quantum channel capable of delivering a blockof qubits from Alice to Bob. This could be a fiber-opticcable or even air, depending on the particular physicalembodiment chosen for a qubit. No particular restrictionsare imposed on the quantum channel. In particular, it isopen to any form of eavesdropping.

– a public classical channel that allows Alice and Bob tocommunicate with each other, exchanging classical infor-mation. Although this channel is also public and open toeavesdropping, it is authenticated. This means that Alicehas the certainty of speaking to (communicating with)Bob and Bob has the certainty of speaking to Alice.

– a quantum memory required by Bob to store the qubitssent by Alice until the signature is verified and they canbe decrypted.

– the ability to perform quantum information processing,namely applying single-qubit gates and measurementsin the normal computational basis {|0〉, |1〉}. Note thatthis is not equivalent to the power of a general quantum

computer, since two-qubit gates are required for universalquantum computation.

The main steps of the protocol are given next. Also, a graphi-cal representation of the information flow during the unfold-ing of the protocol is depicted in Fig. 1.

Phase I: Communication over the quantum channelStep 1: Alice concatenates the two binary strings, one

representing the message she intends to send over to Boband the other representing the signature bitstring that will beused for eavesdropping.

Step 2: For each bit in the concatenated sequence, Aliceuses one of the two bases, or alphabets (chosen randomly) toencode the value of the respective bit in the quantum state ofthe resulting qubit.

Step 3: Alice scrambles the order of the qubits formingthe quantum encrypted block obtained in step 2, by choosingan arbitrary permutation of the qubits and then sends themover to Bob through the insecure, public quantum channel.

Step 4: Bob applies the necessary procedures to safelystore the qubits received from Alice until the second phase ofthe protocol, when he will gain knowledge about each qubit’sencoding basis and position in the original qubit sequence.The position, or index of the qubit in the original sequenceis called the qubit’s rank.

Phase II: Communication over the classical channelStep 1: Alice discloses to Bob which of the qubits trans-

mitted are part of the signature string and the encoding baseof each.

Step 2: Following Alice’s instructions, Bob reconstructsthe signature bitstring.

Step 3: Alice and Bob proceed to verify, bit by bit,whether the signature bitstring was untampered with, dur-ing the transmission.

Step 4: If the discrepancy between Alice and Bob is dis-covered in the values of the signature bits, the presence of aneavesdropper is inferred and the protocol is abandoned.

Otherwise, Alice informs Bob about the correct position(rank) of each qubit in the original message and the encodingalphabet employed to obtain each qubit.

Step 5: Bob decodes and re-arranges the qubits he stillhas in storage to obtain the plain message sent to him byAlice.

Having presented the structure of the protocol, a few clar-ifications and an analysis of it are perhaps appropriate at thispoint. Generally, the length of the signature bitstring reflectsthe intended level of security for the transmitted message.The analysis below clearly shows that a longer signaturebitstring results in higher chances of detecting a potentialeavesdropper. Consequently, the signature length can be var-ied according to the importance of the message.

The protocol above is described in general terms,abstracted away from any particular physical realizations for

123

M. Nagy, N. Nagy

Fig. 1 Information flow diagram outlining the steps of the communi-cation protocol using two bases

a qubit. Moreover, any two alphabets, i.e., encoding bases,can be used, as long as they are complementary. Complemen-tary bases means that they correspond to conjugate quantumvariables. In this situation, trying to measure (decode) a qubitusing the other basis, and not the one used for encoding, willmaximize the uncertainty over the value of the correspond-ing bit: equal chances to obtain 0 or 1. From a mathematicalpoint of view, the simplest example to achieve complemen-tarity would probably be the use of the regular computa-tional basis {|0〉, |1〉} together with the “Hadamard basis”{

H |0〉 = |0〉√2

+ |1〉√2, H |1〉 = |0〉√

2− |1〉√

2

}. We note in passing

that the BB84 protocol (Bennett and Brassard 1984), whichuses photon polarization as qubit embodiment, achievescomplementarity by choosing randomly between rectilinearpolarization {|→〉, |↑〉} and diagonal polarization {|↗〉, |↖〉}as the two possible encoding bases. In general, the precisemeaning or interpretation of a certain basis depends entirelyon the physical realization chosen for the qubit. To keep ourdiscussion as general as possible, while still referring to aconcrete pair of complementary bases, we assume hence-forth that the two encoding alphabets are the computationalbasis (see Fig. 2) and the Hadamard basis (see Fig. 3), asspecified above. This basically means that Alice will create

Fig. 2 Normal computational basis

Fig. 3 Hadamard basis

a |0〉 qubit for each 0 bit in the message and a |1〉 qubit foreach 1 bit in the message, with a random choice to apply aHadamard gate on the resulting qubit.

What can Eve, the prototypical eavesdropper do, to elicitas much information as possible about the transmitted mes-sage, while the qubits are in transit from Alice to Bob? Thetwo main possible eavesdropping strategies are discussednext.

2.1 Opaque eavesdropping

Opaque eavesdropping refers to Eve’s attempt to gain knowl-edge about the transmitted message by measuring each qubitpassing through the quantum channel in one of the two possi-ble bases. Eve knows the two bases that Eve has used: com-putational and Hadamard. Yet, for any specific qubit, Evedoes not know the basis used, as Alice chooses the basis ran-domly. If Eve is lucky and chooses the same basis, she willbe able to read the binary value of the qubit and will leaveno trace of her interference. Nevertheless, if Eve chooses thewrong basis, she gains no knowledge about the binary valueof the qubit, and also may disturb the correct measurementfor Bob. There are two cases with similar results. First, Alicemay send the qubit simply in the computational basis (seeFig. 4). If Eve mistakenly applies a Hadamard gate prior toher own measurement, she will get either 0 or 1 with equalprobability, regardless of Alice’s original value. Therefore,

123

Quantum-based secure communications

Fig. 4 Opaque eavesdropping.Eve wrongly measures in theHadamard basis a qubit sent byAlice in the computational basis

Bob may measure the wrong value with a 50 % chance. Ifthis is a qubit that Alice and Bob check, again they have a50 % chance to catch Eve. Secondly, Alice may send a qubitin the Hadamard basis. If Eve mistakenly measures the qubitdirectly she again produces a qubit on which she may becaught with a chance of 50 %. Therefore, on each qubit thatEve wrongly disturbs, she is caught 50 % of the times. As sheis disturbing half the qubits on average, Eve is caught witha probability of 25 % on each qubit she chooses to observe.Or else, on each qubit that Eve decides to observe and Bobdecides to check, Eve remains undetected with a probabilityof 75 % = 3

4 .Suppose, there are n qubits in the signature string. They

are observed by Eve and checked by Bob. Eve remains unde-tected with a probability of

( 34

)n. Therefore, Bob’s detection

rate over n qubits is given by the formula

Rate = 1 −(

3

4

)n

. (1)

Nevertheless, if Eve gets lucky enough to remain undetected,then she will gain access to the rank and encoding basis ofeach bit in the message. This means that she can put the bits inthe correct order, but she can only be certain about their valuefor half of them, the ones for which she correctly guessed theencoding basis. For example, if Eve listens to n qubits, she iscertain of the value of n

2 qubits. Thus, her information gainis 50 % = 1

2 .Note that the probability for Eve to remain undetected

may be very low; for example, if the signature string is 25bits long, Eve remains undetected with a probability of about0.075 %.

2.2 Translucent eavesdropping

Alternatively, Eve could try a more insidious eavesdroppingstrategy, avoiding a direct measurement on the qubits in tran-sit through the quantum channel. This can be achieved bymaking a copy of each qubit or entangling each qubit to oneof her own, before sending the original further on to Bob.Since the two encoding bases are complementary, no quan-

tum circuit exists that can accurately duplicate all four basevectors (no-cloning theorem). For example, the Controlled-NOT (CNOT) gate acts as a cloning gate for qubits encodedin the computational basis, but creates as entangled pair

1√2(|00〉 ± |11〉) whenever we push a quantum state like

1√2(|0〉±|1〉) through it. Consequently, each qubit originally

encoded by Alice in the Hadamard basis will arrive at Bobentangled with a corresponding qubit in Eve’s possession.Now when Bob applies a Hadamard gate on his half of theentanglement, to decode the qubit, he effectively transformsthe state of the Bob–Eve ensemble as follows:

H ⊗ I

(1√2|00〉 + 1√

2|11〉

)

= 1

2(|00〉 + |01〉 + |10〉 − |11〉) , (2)

and

H ⊗ I

(1√2|00〉 − 1√

2|11〉

)

= 1

2(|00〉 − |01〉 + |10〉 + |11〉) . (3)

When any of the two quantum states above is measured byBob in the normal computational basis, the entanglement willcollapse to one of the four basis vectors {|00〉, |01〉, |10〉,|11〉} and Bob will have a 50 % chance to obtain the correctbit value, the one originally encoded by Alice. Consequently,the detection rate for translucent eavesdropping is the sameas the one derived for opaque eavesdropping.

2.3 Lower levels of eavesdropping

The above analysis for eavesdropping consequences is basedon the assumption that Eve tampers with all qubits transmit-ted through the quantum channel. Here, tampering with aqubit means either measuring or trying to clone it. If Eve iscaught, she gains no knowledge whatsoever about the con-tent of the message. This happens because whenever Eve iscaught in Step 4 of Phase II of the protocol (see descrip-tion at the beginning of Sect. 2), the protocol is abandoned.

123

M. Nagy, N. Nagy

Fig. 5 The graph shows thedetection rate together withEve’s information gain for a16-bit signature. The Ox axisrepresents x , the percentage ofthe signature read by Eve. TheOy axis shows both thedetection rate and theinformation gain

Alice does not reveal the correct order of the qubits and thescrambled message is meaningless both to Eve and Bob.

Consequently, Eve could settle for a more discrete strat-egy, according to the plan that partial information is betterthan no information at all. If Eve decides to eavesdrop ona fraction x of the qubits in the quantum encrypted blocktransmitted, then the detection rate varies with x and withthe signature length n as follows:

rate = 1 −(

3

4

)x ·n, (4)

where 0 ≤ x ≤ 1 and n is the length of the signature, forexample n = 16 bits long.

In the eventuality that she remains undetected, the per-centage of the message that Eve is certain she has correctlydecoded is 50 %. Thus the information gain on a fractionx is x

2 . A graph depicting the variation of the detection rateand information gain for various levels of eavesdropping ispresented in Fig. 5. The graph assumes a constant signaturelength of 16 bits. A longer signature will, of course, push thedetection rates asymptotically closer to the 100 % limit.

From Eve’s point of view, probably the most pertinentquestion is: What is the optimal level of eavesdropping suchthat the probability of escaping detection and the knowledgegained about the message are both maximized? To answerthis question, we need to find the maximum of a benefit func-tion that quantifies both these quantities. A suitable functionis

fbenefit : [0, 1] → [0, 1], fbenefit(x) = x

2

(3

4

)x ·n. (5)

This function was obtained by multiplying the two quan-tities, probability of escaping detection and the fraction ofthe message correctly decoded, normalized to the interval[0, 1]. As it can be seen from Fig. 6, this function reachesits maximum for a level of eavesdropping of about 22 %, if

the signature string consists of 16 bits. This maximum dropsto 14 % for a 24-bit signature and to around 11 % for a 32-bit signature. These data suggest that the best strategy forEve is to decrease the level of eavesdropping as the size ofthe signature increases. However, the length of the signa-ture string is disclosed only during the second phase of theprotocol, so Eve cannot use this information in planning hereavesdropping strategy.

2.4 Security proof

Having discussed the main eavesdropping strategies for Eve,we close this section with a formal proof of security for ourkeyless protocol in the special case of single-qubit eavesdrop-ping. As in the case of BB84, the security of the protocol isguaranteed by the very laws of quantum mechanics, namely,the indistinguishability of non-orthogonal quantum states,the no-clonability theorem and the measurement postulate.Since the qubits passing through the quantum channel areencoded in complementary bases, there is no quantum circuitEve can use to consistently make copies of them or entanglethem with her measuring apparatus. To extract information,Eve has to perform a measurement that will inevitably alterthe state of the qubit, an act which opens the possibility forBob to detect the intrusion.

Formally, any signature qubit on which Eve decides toeavesdrop is in a state |ϕ〉 taken from the set {|0〉, |1〉, H |0〉,H |1〉}. In general, the act of eavesdropping on a qubit canbe modeled by first applying some unitary transformationU followed by a von Neumann measurement in an ortho-normal basis {|m1〉, |m2〉}. Note that this model is generalenough to also cover strategies in which Eve may attemptto copy the quantum state of the qubit or entangle it withher measurement apparatus. According to the measurementpostulate of quantum mechanics, the probability of obtainingresult mi is

123

Quantum-based secure communications

Fig. 6 The benefit ofeavesdropping versus thedetection rate

p(mi ) = 〈ϕ|U † Pmi U |ϕ〉, (6)

where Pmi = |mi 〉〈mi | is the projector associated with mea-surement outcome mi .

The qubit eavesdropped upon, now in state |mi 〉, is againmeasured by Bob and the outcome verified with Alice. Themeasurement applied by Bob is again a projective measure-ment, either in the normal or Hadamard basis. This processcan be viewed as a measurement of observable

Z =[

1 00 −1

]= |0〉〈0| − |1〉〈1| (7)

with eigenvectors |0〉 and |1〉 on the state V |mi 〉, where V= I , if Bob measures in the normal computational basis, andV = H , if Bob measures in the Hadamard basis.

The only chance for Eve to consistently pass the verifica-tion test between Alice and Bob is that state |mi 〉 coincideswith the initial state |ϕ〉 prepared by Alice. In other words,the quantum state of the qubit is not altered by the eaves-dropping action. However, according to the laws of quantummechanics, the vectors in the normal computational basis{|0〉, |1〉} cannot be reliably distinguished from the vectorsin the Hadamard basis H |0〉, H |1〉} because they are non-orthogonal. Consequently, for each qubit “observed” by Eve,there is a non-zero probability that |mi 〉 �= |ϕ〉, which trans-lates into a non-zero probability pd that what Bob observesupon measuring this qubit is different from what Alice hasprepared.

From the point of view of ensuring the security of theprotocol, the actual value of pd is irrelevant as long as pd > 0.This is because the length of the signature string n acts as asecurity parameter that can bring the probability of catchingEve as close to 1 as desired:

limn→∞(1 − (1 − pd)n) = 1. (8)

Even if the exact value of pd does not affect the security ofthe protocol, it affects its efficiency. Consequently, in the next

section, we show how the efficiency of the protocol can beimproved by encoding each bit in one of three complementarybases.

3 Encoding in three bases

We have discussed an algorithm that reveals the presenceof Eve whenever the signature test fails. For each bit of thesignature, Eve can be detected with a probability of 25 %.This detection rate per qubit is common to all classical keydistribution protocols (Bennett and Brassard 1984; Bennett1992). We hereby propose an encoding scheme that improvesthe detection rate per qubit to 33 %. The improved detectionrate comes from encoding each qubit in three complementarybases. Note that this detection rate is optimal, since we cannotselect more than three pairwise complementary bases for thestate space of a qubit. Expressing this in the geometry of theBloch sphere, we cannot have more than three lines goingthrough the center of the sphere that are perpendicular toeach other.

While working with three bases may seem to increase thecomplexity in manipulating each qubit, the gates used forencoding are common and simple. More precisely, in thefollowing protocol, the three bases used for encoding arethe computational basis, the Hadamard basis, and the phase-shift-Hadamard basis. The phase-shift-Hadamard basis hastwo gates applied to a qubit: a Hadamard gate and then a R π

2rotation (see Fig. 7).

When Alice wants to send a binary digit 0 or 1, she firstprepares a qubit in the computational basis |0〉 or |1〉. ThenAlice chooses randomly one of the three bases to encode herqubit:

1. The computational basis |0〉 and |1〉.2. The Hadamard basis, 1√

2(|0〉+|1〉) for 0 and 1√

2(|0〉−|1〉)

for 1.

123

M. Nagy, N. Nagy

Fig. 7 The phase-shift Hadamard basis

3. The R π2

-Hadamard basis, 1√2(|0〉 + i |1〉) for 0 and

1√2(|0〉 − i |1〉) for 1.

If Alice chooses the computational basis, she simply sendsthe qubit to Bob. If Alice chooses the Hadamard basis, thenshe applies a Hadamard gate first and then sends the trans-formed qubit to Bob. If Alice chooses the R π

2-Hadamard

basis, Alice applies a Hadamard gate then a π2 phase-shift

gate, and then sends the doubly transformed qubit to Bob.According to the protocol, when Bob receives a qubit

from Alice, he waits to be informed on the classical channelwhat encoding basis was used. Then he applies the necessarygates in reverse order: the phase-shift gate first and then theHadamard gate.

3.1 What Eve can do

The eavesdropper can be supposed to know the mechanismof encryption, while not knowing the random encoding basis.

In opaque eavesdropping, Eve will try to measure the qubitintercepted from Alice and then will further transmit eitherthe measured qubit or a qubit of her choice to Bob. Eveguesses one of the three encoding bases and treats the qubitintercepted from Alice accordingly.

Suppose Eve tries the computational basis. If Alice’s qubitis encoded in the computational basis, Eve reads the correctvalue and remains undetected. If Alice’s qubit is encoded

in the Hadamard basis, Eve wrongly pushes Alice’s qubitthrough a Hadamard gate and will be detected by Bob in50 % of the cases. This situation is represented in Fig. 4.If Alice’s qubit was encoded in the phase-shift -Hadamardbasis and Eve measures the qubit in the computational basis,Eve destroys the balanced superposition. As in the previouscase, Bob can catch Eve with a 50 % chance. Figure 8 showsan example of Alice encoding a binary 0 in the phase-shift-Hadamard basis. Bob, by applying the same steps that Alicedid in reverse order will retrieve the initial 0 only 50 % of thetimes. As Alice encodes a qubit randomly in one of the threebases, and Eve reads the stolen qubit in the computationalbasis, Eve will be caught in two situations with a chance of

50 %. This yields an overall probability of 13

(12 + 1

2

)= 33 %.

This chance is considerably higher than 25 % offered by twobases encoding.

We supposed that Eve decides to measure the interceptedqubit in the computational basis. If Eve chooses to measure inany other of the three bases, a similar result can be obtained.The detection probability is 33 % no matter what basis Evechooses.

If eavesdropping is tested on a larger signature, the detec-tion rate increases sharply with the length of the signaturen:

rate = 1 −(

2

3

)n

. (9)

Figure 9 shows a comparison on the detection rate for thecase of two encoding and three encoding bases, respectively.The graph shows that for short signatures, the detection ratefor three encoding bases is measurably larger, whereas signa-tures large than 25 qubits do not benefit from three encodingbases.

3.2 Lower levels of eavesdropping

Let us study the optimal level of eavesdropping on the threebases encoding scheme. Under the assumption that Eve is notcaught, Eve gains the value of the qubits that she has luckilymeasured in the same basis as Bob. As there are three possiblebases, Eve reads correctly 1

3 of the qubits she intercepts.

Fig. 8 Alice encodes her qubitin the phase-shift-Hadamardbasis. Eve guesses thecomputational basis. Bobcatches Eve with a 50 % chance

123

Quantum-based secure communications

Fig. 9 The graph shows thedetection rate versus thesignature length for threeencoding bases. The Ox axisrepresents the length of thesignature string. The Oy axisshows the probability for Eve tobe detected

Fig. 10 The graph shows thedetection rate together withEve’s information gain for a16-bit signature. The Ox axisrepresents the percentage of thesignature read by Eve. The Oyaxis shows both the detectionrate and the information gain

Suppose Eve does not listen to the entire qubit block, buteavesdrops a fraction x . Therefore, she will disturb a fractionx of the signature of length n. The detection rate varies withx according to the following formula

rate = 1 −(

2

3

)x ·n. (10)

Also, x affects the information gain, which will be the frac-tion x

3 of the message. Figure 10 represents both the detectionrate and the information gain for the three bases encodingscheme, computed on a signature of 16 bits. In the figure,we also show with a thin line the graphs for encoding in twobases, for comparison purposes. It can be seen that the threebases protocol improves over the two bases protocol, both interms of detection rate as well as information gain.

In Sect. 2.3, we defined a benefit function that Eve uses tofind the optimal level of eavesdropping. For the three basesencoding, the function becomes

Fig. 11 The benefit of eavesdropping versus the detection rate

fbenefit : [0, 1] → [0, 1], fbenefit(x) = x

3

(2

3

)x ·n. (11)

Figure 11 shows the graph of this function juxtaposed withthe graph for the two bases encoding defined in Sect. 2.3. By

123

M. Nagy, N. Nagy

Fig. 12 Information flow diagram outlining the steps of the general-ized communication protocol

comparison, we see that the optimal level of eavesdropping isapproximately the same, about 22 %. Nevertheless, for a threebases encoding scheme the benefit is considerably lower.

4 Generalization to an arbitrary basis

In the previous two sections, we have described and analyzedtwo protocols sharing the same idea of a random choice forthe encoding basis. The first protocol uses two complemen-tary bases while the second protocol uses three complemen-tary bases. In this section, we describe a general quantumcommunication protocol in which the encoding basis can beany ortho-normal basis spanning a two-dimensional Hilbertspace.

The information flow diagram describing the steps of thisgeneralized protocol is given in Fig. 12. The process startswith Alice choosing an encoding basis for the bitstring shewants to send to Bob. This bitstring is formed by the actualmessage to which a signature bitstring is appended. The sig-nature will allow Alice and Bob to detect anyone trying toeavesdrop on the transmitted message. This means that everybit in the plaintext block (message and signature) will be con-verted to one of the two basis vectors of the quantum basis

Fig. 13 Encoding basis is a straight line through the center of the Blochsphere, specified by a pair (θ, ϕ)

chosen. An intuitive graphical representation of an encodingbasis is a straight line going through the center of the Blochsphere. Such a line is fully specified by two real-valued para-meters: the angle θ between the line and the z axis, and theangle ϕ between the projection of the line on the equatorialplane and the x axis (see Fig. 13). In some sense, this encod-ing method is somewhat similar to anamorphosis, since theactual message can only be “seen” when viewed from theproper angle. With the major difference that attempting to“read” the message from any angle except the correct one isequivalent to a quantum measurement that will necessarilyalter the message.

Therefore, to choose an encoding basis, Alice needs todecide on a pair (θ, ϕ). For example, the pair (0, 0) specifiesthe computational basis, described by the two basis vectors|0〉 and |1〉 aligned along the z axis (see Fig. 2). Alterna-tively, pair (π/2, 0) specifies the Hadamard basis, describedby basis vectors H |0〉 = (1/

√2)|0〉+(1/

√2)|1〉 and H |1〉 =

(1/√

2)|0〉−(1/√

2)|1〉, aligned along the x axis (see Fig. 3).As a last example, pair (π/2, π/2) specifies an encodingbasis whose base vectors are (1/

√2)|0〉 + (i/

√2)|1〉 and

(1/√

2)|0〉 − (i/√

2)|1〉. Note that these two vectors are ori-ented in opposite directions along the y axis (see Fig. 7).

In general, for an arbitrarily chosen encoding basis (θ, ϕ),each 0 bit in the plaintext is embodied in a qubit with thequantum state

|�0〉 = RϕUθ |0〉 = cosθ

2|0〉 + eiϕ sin

θ

2|1〉. (12)

Similarly, a qubit in the quantum state

|�1〉 = RϕUθ |1〉 = sinθ

2|0〉 − eiϕ cos

θ

2|1〉 (13)

will carry a value of 1. The quantum operations (gates) Uθ

and Rϕ are described by the following matrices:

Uθ =⎡⎣

cos θ2 sin θ

2

sin θ2 − cos θ

2

⎤⎦ ; Rϕ =

⎡⎣

1 0

0 eiϕ

⎤⎦. (14)

123

Quantum-based secure communications

Once the plaintext is properly encoded, Alice will scram-ble the qubits so that signature qubits are scattered through-out and interspersed with message qubits. Consequently, theoriginal ordering of bits in the message and in the signature(the rank of each bit) will no longer be preserved after thescrambling process. Whatever the scrambled quantum blockis, Alice will send it through the quantum channel over toBob, who will store each qubit received in a quantum mem-ory, in the order they arrive. With this step, the quantumcommunication part of the protocol, that is, communicationthrough the quantum channel is over. In the second phase, allcommunication between Alice and Bob is carried out throughthe public authenticated classical channel.

This second phase starts with Alice disclosing to Bobthe exact encoding basis that she used to encrypt the plain-text. With this information Bob is able to decrypt each qubit(whether belonging to the message or to the signature) storedin his quantum memory. Next, Alice shares with Bob theposition and value of each bit in the signature string. In thisway, they can verify that the signature string received by Bobmatches exactly the one sent by Alice. A perfect match willbe taken as proof that the encoded quantum block was nottampered with while in transit, or at least not to a signifi-cant level. Of course, a potential eavesdropper may remainundetected if she is lucky enough not to disturb the quantumstates of the qubits in the signature. But this probability canbe made arbitrarily small by increasing the signature length.

Finally, if the verification step reveals no trace of an eaves-dropper, Alice informs Bob about the rank (actual position) ofeach bit in the message string. This allows Bob to re-arrangethe bits in the proper order and thus recover the originalmessage.

4.1 Analysis

In what follows, we analyze the security of the protocol byinvestigating the effects of a possible eavesdropping act onthe quantum and classical communication channels. Sincethe quantum channel is public, an eavesdropper (conven-tionally named Eve) may choose to act on any of the qubitspassing by on their way from Alice to Bob. For concreteness,but without loss of generality, let us analyze the scenario inwhich Eve eavesdrops on a qubit encoding the value 0. Theother case, in which a qubit encodes a 1 is perfectly similar.

The quantum state of a qubit embodying a 0 is |�0〉 (seeEq. 12). When Eve intercepts this qubit, she may try to mea-sure it directly in the computational basis or try to guess whatthe encoding basis may have been, so that she can decrypt thequbit before measuring it. Let us denote the encoding basis(the one chosen by Alice) by (θA, ϕA) and label the basisguessed by Eve (θE , ϕE ). Trying to decrypt the qubit, Eveapplies R−ϕE followed by UθE to |�0〉 altering the qubit stateas follows:

UθE R−ϕE |�0〉 = UθE

(cos

θA

2|0〉 + ei(ϕA−ϕE ) sin

θA

2|1〉

)

=(

cosθE

2cos

θA

2+ ei(ϕA−ϕE ) sin

θE

2sin

θA

2

)|0〉

+(

sinθE

2cos

θA

2− ei(ϕA−ϕE ) cos

θE

2sin

θA

2

)|1〉 (15)

Consequently, Eve will now measure a 0 with probability

p0Eve = | cos

θE

2cos

θA

2+ ei(ϕA−ϕE ) sin

θE

2sin

θA

2|2

= cos2 θA − θE

2− 1

2sin θE sin θA(1 − cos �ϕ) (16)

and a 1 with probability

p1Eve = | sin

θE

2cos

θA

2− ei(ϕA−ϕE ) cos

θE

2sin

θA

2|2

= sin2 θA + θE

2− 1

2sin θE sin θA(1 + cos �ϕ) (17)

where �ϕ = ϕA − ϕE .Eve is aware that her actions may have modified the state

of the qubit, so before sending it further on to Bob, she will tryto undo the consequences of her eavesdropping by applyingUθE followed by RϕE . Therefore, what Bob receives (fromEve) is a qubit in the state

|�0〉 = cosθE

2|0〉 + eiϕE sin

θE

2|1〉 (18)

with probability p0Eve, or in the state

|�1〉 = sinθE

2|0〉 − eiϕE cos

θE

2|1〉 (19)

with probability p1Eve.

Assuming that the qubit comes straight from Alice, Bobnow applies R−ϕA and UθA to decode it:

UθA R−ϕA |�0〉 =(

cosθA

2cos

θE

2+ ei(ϕE −ϕA) sin

θA

2sin

θE

2

)|0〉

+(

sinθA

2cos

θE

2− ei(ϕE −ϕA) cos

θA

2sin

θE

2

)|1〉 (20)

UθA R−ϕA |�1〉 =(

cosθA

2sin

θE

2− ei(ϕE −ϕA) sin

θA

2cos

θE

2

)|0〉

−(

sinθA

2sin

θE

2+ ei(ϕE −ϕA) cos

θA

2cos

θE

2

)|1〉 (21)

When measuring UθA R−ϕA |�0〉, Bob will obtain 0 with prob-ability p0

Eve. Similarly, if the state of the qubit received by Bobis |�1〉, he will measure a 0 with probability p1

Eve. Overall, theprobability that Bob correctly decodes the qubit and obtainsa 0 is (p0

Eve)2 + (p1

Eve)2. In this case, Eve’s eavesdropping

activity remains undetected. The probability of detection ona single qubit is therefore:

pd,1=1−((p0Eve)

2+(p1Eve)

2)=2p0Eve p1

Eve=2p0Eve(1 − p0

Eve)

(22)

123

M. Nagy, N. Nagy

This probability achieves its maximum of 1/2 when p0Eve =

p1Eve = 1/2. This happens when the basis guessed by

Eve (θE , ϕE ) is “maximally non-orthogonal” to the basis(θA, ϕA) chosen by Alice. In BB84 (Bennett and Brassard1984), for example, this maximum non-orthogonality is real-ized by choosing horizontal/vertical together with diagonalpolarization. In terms of the Bloch sphere representation, twobases are “maximally non-orthogonal” if the two straightlines corresponding to the two bases are perpendicular toeach other. On the other hand, the detection probability is 0,when Eve chooses the same basis as Alice (p0

Eve = 1) or anorthogonal basis in which the roles of the two basis vectorsare reversed (p0

Eve = 0).When Alice uses a signature bitstring of length n, the prob-

ability of detecting the disruptions caused by eavesdroppingon the qubits encoding the signature grows to

pd,n = 1 − ((p0Eve)

2 + (p1Eve)

2)n (23)

Since (p0Eve)

2 + (p1Eve)

2 = 2(p0Eve)

2 − 2p0Eve + 1 ∈ (0, 1],

it follows that

limn→∞ pd,n = 1, (24)

except for the particular case when Eve correctly guessesthe encoding basis (p0

Eve = 1 or p1Eve = 1) and remains

undetected (pd,1 = pd,n = 0). Consequently, the longer thesignature string is, the larger the number of qubits that aretested for eavesdropping and the higher the probability tocatch a potential eavesdropper.

4.2 Opaque eavesdropping

In the previous section, we have analyzed a rather elaboratescheme for Eve to hide her presence and make her eaves-dropping actions transparent to Alice and Bob. Even with allthose precautions, we have seen that the detection rate canbe pushed as high as desired by increasing the number ofbits tested for eavesdropping in the signature string. In thissection, we investigate a more direct, opaque eavesdroppingstrategy in which Eve directly measures some or all of thequbits traveling through the quantum channel from Alice toBob.

Again, without loss of generality, let us assume Eve inter-cepts a qubit encoding a value of 0. Such a qubit is describedby quantum state |�0〉 (see Eq. 12). Upon measuring thisqubit in the normal computational basis, Eve will observe a0 with probability p0

Eve = cos2 (θ/2) and a 1 with probabil-ity p1

Eve = sin2 (θ/2), where θ is one of the two parameterscharacterizing the encoding basis chosen by Alice. Accord-ing to the measurement postulate of quantum mechanics, thepost-measurement state of the qubit must be compatible withthe measurement outcome, so Eve will pass on to Bob a qubit

in state |0〉 (with probability p0Eve) or a qubit in state |1〉 (with

probability p1Eve).

During the second phase of the protocol, after Alice hasdisclosed the encoding basis, Bob can proceed to decryptthe received qubits. Note that at this time, although Eve canalso eavesdrop on the classical communication channel andthus gain knowledge of θ and ϕ, the message qubits are nolonger in her possession, so there is nothing else she can doto increase her knowledge about the transmitted message. Byapplying R−ϕ and Uθ to the received qubit, Bob will evolveits quantum state to

Uθ R−ϕ |0〉 = cosθ

2|0〉 + sin

θ

2|1〉 (25)

with probability p0Eve, or to

Uθ R−ϕ |1〉 = Uθ (e−iϕ |1〉) = e−iϕ(sin

θ

2|0〉 − cos

θ

2|1〉)

(26)

with probability p1Eve. A measurement on these quantum

states will yield a 0 (correct decoding) with probability

cos4 θ

2+ sin4 θ

2= 1 − 2 sin2 θ

2cos2 θ

2= 1 − sin2 θ

2(27)

and a 1 (incorrect decoding) with probability 12 sin2 θ . Con-

sequently, the eavesdropping detection probability per qubitvaries between 0 (realized when θ = 0) and 1/2 (achievedfor θ = π/2). In other words, Eve remains undetected whenthe encoding basis coincides with the normal computationalbasis; on the other hand, there is a 50 % probability of detect-ing the actions of Eve if the encoding basis is “maximallynon-orthogonal” to the normal computational basis (like theHadamard basis {H |0〉, H |1〉}, for example). Therefore, onaverage, the detection probability per qubit tested is given by

12

∫ π

0 sin2 θdθ

π=

∫ π2

0 sin2 θdθ

π= 1

4(28)

As in the more complex scenario discussed before, this prob-ability can be brought as close to 1 as desired by increasingthe number of qubits tested for eavesdropping (the signaturestring).

Another interesting question in this analysis is: How muchinformation from the transmitted message can Eve gain,assuming that she remains undetected? The condition toremain undetected is essential for Eve. Otherwise, Alice willnot disclose to Bob the rank (correct position) of each qubitin the message and consequently, the information gain forEve is null, even if she has correctly decoded each qubit.

A measure of the information gain is 1 − Hbin(p0Eve),

where Hbin(p0Eve) is the binary entropy associated with the

probability of seeing a 0 when measuring a qubit that encodesa 0. We can express this information gain as a function of the

123

Quantum-based secure communications

Fig. 14 Information gain as a function of the encoding angle θ

parameter θ as follows:

1 − Hbin(p0Eve) = 1 + p0

Eve log p0Eve + (

1 − p0Eve

)

× log(1 − p0

Eve

) = 1 + cos2 θ

2log cos2 θ

2+ sin2 θ

2

× log sin2 θ

2= 1 + 2 cos2 θ

2log cos

θ

2+ 2 sin2 θ

2log sin

θ

2(29)

The graph of this function is depicted in Fig. 14. When Eveperforms a direct measurement in the normal computationalbasis on a qubit encoding a 0, she can be certain of theobserved value for an encoding angle θ of 0 or π . On theother extremity, when θ = π

2 , the measurement provides noinformation gain whatsoever. From Eve’s point of view, themessage bit could still be a 0 or a 1, with equal probability.On average, the information gain is given by

∫ π

0

(1 + 2 cos2 θ

2 log cos θ2 + 2 sin2 θ

2 log sin θ2

)dθ

π≈ 0.44

(30)

4.3 Variations

The role of the signature string in this general protocol is toensure (with a certain probability, which can be made arbi-trarily large) its security or, in other words, the secrecy of thecommunication between Alice and Bob. To this end, the bitsforming the signature are treated in exactly the same way asthe bits composing the actual message: they are scrambledtogether and encoded according to a chosen basis (θ, ϕ).

Consequently, when attempting an eavesdropping, Eve hasno knowledge whatsoever if the bit she tampers with is partof the signature or part of the message. Ideally, she would liketo eavesdrop only on the message bitstring to avoid detectionand maximize her knowledge on the message transmitted.Unfortunately for her, the information gain is directly pro-portional to the probability of being detected, so Eve hasto think twice before deciding to eavesdrop on a particularqubit.

This property can be used to slightly simplify the protocolsuch that the bits in the signature string are not encoded (orequivalently, they are encoded in the normal computationalbasis: 0 becomes |0〉 and 1 becomes |1〉). Now Eve can com-pletely avoid detection by choosing to measure the bypassingqubits directly in the standard computational basis. In thisway, the quantum states of the signature qubits will not bealtered, but the state of any message qubit will be projectedto one of the two eigenvectors of the measurement basis: |0〉or |1〉.

Consequently, Alice may pick as encoding basis for themessage bitstring the Hadamard basis (π

2 , 0), which willmaximize Eve’s uncertainty over each measurement she per-forms on the message qubits. Effectively, the outcome of eachsuch measurement has a 50 % probability of being correct,which is not better than tossing a fair coin. Therefore, wecan confidently say that Eve has zero knowledge about thetrue value encoded in such a qubit, or equivalently, the binaryentropy of such a qubit is 1.

This variant of the protocol, in which the message bitsare encoded using the Hadamard basis while the bits in thesignature are encoded in the normal computational basis, isreminiscent of BB84 Bennett and Brassard (1984) with itstwo encoding bases: horizontal/vertical and diagonal that arerandomly applied by Alice. Here, as there, it is the “maximumnon-orthogonality” of the two bases that keeps Eve in thedark, but this protocol has an important advantage: it canbe used to directly encrypt any message without the need toestablish a secret key first. Still, the classical channel needsto be authenticated, which is usually done with a small secretkey, but it was shown that this requirement is too strong andall that is actually needed is protected public information(Nagy and Akl 2007).

Since the price for avoiding detection is total uncertaintyabout the transmitted message, Eve is forced to measure atleast some of the qubits in the Hadamard basis, thus exposingherself to detection. The choice for Eve is a difficult one:either try as much as possible to remain hidden, but then shefaces the prospect of gaining little information (if any at all)about the content of the message, or aiming at decryptingas much as possible from the transmitted message, whichincreases the risk of being caught. And in case of detection, noinformation is gained (zero knowledge), because Alice willno longer reveal the proper order of the bits in the message.

123

M. Nagy, N. Nagy

If the first variation discussed is one in which the com-plexity of the protocol is decreased, the second one involvesan increase in complexity with the purpose of also decreas-ing the probability of the worst case. In the original proto-col, the worst case happens when Eve gets so lucky that sheguesses precisely the encoding basis (θ, ϕ) used by Alice.We can think of a variation in which Alice randomly choosesa pair (θ, ϕ) for every single bit transmitted. This will notchange the average-case analysis, but will definitely make theworst-case much less probable, since Eve will have to getlucky N times now, where N is the total number of bitstransmitted (message and signature together).

5 Conclusion

Quantum mechanical properties have been used before incryptographic protocols, but only for key distribution pur-poses, or more precisely for key enhancement, if authentica-tion is achieved through a small secret key already distrib-uted to the parties involved. In this paper, we have shown thatsecret communication does not need an encryption key. Thesecrecy of the message ensues from randomly scrambling theorder of the bits in the message. As the bits are sent in ran-dom order, the scrambled message does not reveal anythingabout the content of the message. The correct order of thequbits is revealed publicly after the absence of an intruder ischecked. Our protocols are entanglement free and use onlyunary quantum transformations, which means that the com-putational power assumed is less than that of a universalquantum computer. Consequently, communicating securelythrough public channels can be performed simple, fast andefficient if we resort to quantum mechanics to directly encryptthe transmitted message into a sequence of qubits.

All protocols presented benefit from the capability ofdetecting an intruder, a trait which is unique to quantumprotocols. The intruder, Eve, leaves an unmistakable markon the qubits she read: she changes the intended value of thequbit with a certain probability. Our scheme has an improvedintruder detection rate of 33 % (from 25 %) per interceptedqubit. This is achieved using three complementary encodingbases. Eve’s presence is searched on a signature, as in allother protocols. Our paper also gives an extensive analysison what Eve can do: opaque and translucent eavesdropping,and also low levels of eavesdropping. It studies the advan-tages of Eve and the maximum benefit Eve can get from acertain signature length.

The two important ideas that made these results possibleare the use of a quantum memory and bringing the rank (orposition) of a bit in the message bitstring into play. The useof a quantum memory is essential to make “informed” mea-surements in the second phase of the protocols, after all thequbits have been received. Consequently, no qubits have to be

discarded due to “incorrect” measurements, which translatesinto increased efficiency in terms of the number of qubits thatneed to be transmitted. Yet, storing qubits is rarely contem-plated (if ever) in quantum protocols, perhaps due to theirfragility and ephemeral nature. Nevertheless, experimentalquantum physicists are making good progress towards mak-ing quantum memories a practical reality.

Scrambling the qubits encoding the message, on the otherhand, guarantees that no knowledge whatsoever about thecontent of the message is gained by a potential eavesdropper,even in the highly unlikely eventuality of correctly decodingthe individual bits in the message. It is our belief that thesynergy of these two ideas working together may open thedoor for a whole new class of cryptographic protocols withsuperior characteristics.

References

Barnum H, Crépeau C, Gottesman D, Smith A, Tapp A (2002) Authen-tication of quantum messages. In: Proceedings of the 43rd AnnualIEEE Symposium on Foundations of Computer Science, pp 449–458

Bennett CH (1992) Quantum cryptography using any two nonorthogo-nal states. Phys Rev Lett 68(21):3121–3124

Bennett CH, Brassard G (1984) Quantum cryptography: public keydistribution and coin tossing. In: Proceedings of IEEE InternationalConference on Computers, Systems and Signal Processing. IEEE,New York, pp 175–179 (Bangalore, India, December 1984)

Bennett CH, Brassard G, Mermin ND (1992) Quantum cryptographywithout Bell’s theorem. Phys Rev Lett 68(5):557–559

Cao Z (2010) A note on Gottesman-Chuang quantum signature scheme.http://eprint.iacr.org/2010/317

Collins RJ, Donaldson RJ, Dunjko V, Wallden P, Clarke PJ, AnderssonE, Jeffers J, Buller GS (2014) Realization of quantum digital sig-natures without the requirement of quantum memory. Phys RevLett 113:040502

Dunjko V, Wallden P, Andersson E (2014) Quantum digital signatureswithout quantum memory. Phys Rev Lett 112:040502–040506

Ekert A (1991) Quantum cryptography based on Bell’s theorem. PhysRev Lett 67:661–663

Gisin N et al (2011) Quantum storage of photonic entanglement in acrystal. Nature 469:508–511

Gottesman D, Chuang IL (2001) Quantum digital signatures.arXiv:quant-ph-0105032

Lu X, Feng DG (2005) Quantum digital signature based on quantumone-way functions. In: 7th International Conference on AdvancedCommunication Technology, ICACT 2005. IEEE, pp 514–517

Lomonaco Jr SJ (ed) (2000) Quantum computation: a grand mathemat-ical challenge for the twenty-first century and the millennium. In:Proceedings of Symposia in Applied Mathematics, vol 58. Amer-ican Mathematical Society, Short Course, Washington, DC

Lukin M et al (2012) Room-temperature quantum bit memory exceed-ing one second. Science 336:1283–1286

Nagy N, Akl SG (2007) Authenticated quantum key distribution with-out classical communication. Parallel Process Lett Special IssueUnconv Comput Probl 17(3):323–335

Nagy N, Nagy M, Akl SG (2010) Key distribution versus key enhance-ment in quantum cryptography. Parallel Process Lett 20(03):239–250

123

Quantum-based secure communications

Rivest RL, Shamir A, Adleman LM (1978) A method of obtainingdigital signatures and public-key cryptosystems. Commun ACM21(2):120–126

Shannon C (1949) Communication theory of secrecy systems. Bell Sys-tem Tech J 28(4):656–715

Steger M, Saeedi K, Thewalt MLW, Morton JJL, Riemann H, Abrosi-mov NV, Becker P, Pohl HJ (2012) Quantum information storagefor over 180s using donor spins in a Si28 “Semiconductor Vac-uum”. Science 336(6086):1280–1283

Tittel W et al (2011) Broadband waveguide quantum memory for entan-gled photons. Nature 469:512–515

Zeng G, Keitel CH (2002) Arbitrated quantum-signature scheme. PhysRev A 65:042312. http://link.aps.org/doi/10.1103/PhysRevA.65.042312

123