INTERNATIONAL CONFERENCE ON COMPUTERS, SYSTEMS & SIGNAL PROCESSING
Dec 9-12, 1984
BANGALORE INDIA
Volume 1 of 3 Pages 1 - 427
Sponsored by
IEEE Computer Society
IEEE Circuits and Systems Society
Indian Institute of Science
QUANTUM CRYPTOGRAPHY: PUBLIC KEY DISTRIBUTION AND COIN TOSSING
Charles H. Bennett (IBM Research, Yorktown Heights NY 10598 USA)
Gilles Brassard (dept. IRO, Univ. de Montreal, H3C 3J7 Canada)

When elementary quantum systems, such as polarized photons, are used to transmit digital information, the uncertainty principle gives rise to novel cryptographic phenomena unachievable with traditional transmission media, e.g. a communications channel on which it is impossible in principle to eavesdrop without a high probability of disturbing the transmission in such a way as to be detected. Such a quantum channel can be used in conjunction with ordinary insecure classical channels to distribute random key information between two users with the assurance that it remains unknown to anyone else, even when the users share no secret information initially. We also present a protocol for coin-tossing by exchange of quantum messages, which is secure against traditional kinds of cheating, even by an opponent with unlimited computing power, but ironically can be subverted by use of a still subtler quantum phenomenon, the Einstein-Podolsky-Rosen paradox.

I. Introduction

Conventional cryptosystems such as ENIGMA, DES, or even RSA, are based on a mixture of guesswork and mathematics. Information theory shows that traditional secret-key cryptosystems cannot be totally secure unless the key, used once only, is at least as long as the cleartext. On the other hand, the theory of computational complexity is not yet well enough understood to prove the computational security of public-key cryptosystems.
In this paper we use a radically different foundation for cryptography, viz. the uncertainty principle of quantum physics. In conventional information theory and cryptography, it is taken for granted that digital communications in principle can always be passively monitored or copied, even by someone ignorant of their meaning. However, when information is encoded in non-orthogonal quantum states, such as single photons with polarization directions 0, 45, 90, and 135 degrees, one obtains a communications channel whose transmissions in principle cannot be read or copied reliably by an eavesdropper ignorant of certain key information used in forming the transmission. The eavesdropper cannot even gain partial information about such a transmission without altering it in a random and uncontrollable way likely to be detected by the channel's legitimate users.
Quantum coding was first described in [W], along with two applications: making money that is in principle impossible to counterfeit, and multiplexing two or three messages in such a way that reading one destroys the others. More recently [BBBW], quantum coding has been used in conjunction with public key cryptographic techniques to yield several schemes for unforgeable subway tokens. Here we show that quantum coding by itself achieves one of the main advantages of public key cryptography by permitting secure distribution of random key information between parties who share no secret information initially, provided the parties have access, besides the quantum channel, to an ordinary channel susceptible to passive but not active eavesdropping. Even in the presence of active eavesdropping, the two parties can still distribute key securely if they share some secret information initially, provided the eavesdropping is not so active as to suppress communications completely. We also present a protocol for coin tossing by exchange of quantum messages. Except where otherwise noted the protocols are provably secure even against an opponent with superior technology and unlimited computing power, barring fundamental violations of accepted physical laws.
Offsetting these advantages is the practical disadvantage that quantum transmissions are necessarily very weak and cannot be amplified in transit. Moreover, quantum cryptography does not provide digital signatures, or applications such as certified mail or the ability to settle disputes before a judge.

II. Essential Properties of Polarized Photons

Polarized light can be produced by sending an ordinary light beam through a polarizing apparatus such as a Polaroid filter or calcite crystal; the beam's polarization axis is determined by the orientation of the polarizing apparatus in which the beam originates. Generating single polarized photons is also possible, in principle by picking them out of a polarized beam, and in practice by a variation of an experiment [AGR] of Aspect, et al.
Although polarization is a continuous variable, the uncertainty principle forbids measurements on any single photon from revealing more than one bit about its polarization. For example, if a light beam with polarization axis $\alpha$ is sent into a filter oriented at angle $\beta$, the individual photons behave dichotomously and probabilistically, being transmitted with probability $\cos^2(\alpha-\beta)$ and absorbed with the complementary probability $\sin^2(\alpha-\beta)$. The photons behave deterministically only when the two axes are parallel (certain transmission) or perpendicular (certain absorption).
International Conference on Computers, Systems & Signal Processing Bangalore, India December 10-12, 1984
If the two axes are not perpendicular, so that some photons are transmitted, one might hope to learn additional information about $\alpha$ by measuring the transmitted photons again with a polarizer oriented at some third angle; but this is to no avail, because the transmitted photons, in passing through the $\beta$ polarizer, emerge with exactly $\beta$ polarization, having lost all memory of their previous polarization.
Another way one might hope to learn more than one bit from a single photon would be not to measure it directly, but rather somehow amplify it into a clone of identically polarized photons, then perform measurements on these; but this hope is also vain, because such cloning can be shown to be inconsistent with the foundations of quantum mechanics [WZ].
Formally, quantum mechanics represents the internal state of a quantum system (e.g. the polarization of a photon) as a vector $\psi$ of unit length in a linear space $H$ over the field of complex numbers (Hilbert space). The inner product of two vectors $\langle\phi|\psi\rangle$ is defined as $\sum_j \phi_j^* \psi_j$, where $*$ indicates complex conjugation. The dimensionality of the Hilbert space depends on the system, being larger (or even infinite) for more complicated systems. Each physical measurement $M$ that might be performed on the system corresponds to a resolution of its Hilbert space into orthogonal subspaces, one for each possible outcome of the measurement. The number of possible outcomes is thus limited to the dimensionality $d$ of the Hilbert space, the most complete measurements being those that resolve the Hilbert space into $d$ 1-dimensional subspaces.
Let $M_k$ represent the projection operator onto the $k$th subspace of measurement $M$, so that the identity operator on $H$ can be represented as a sum of projections: $I = M_1 + M_2 + \ldots$. When a system in state $\psi$ is subjected to measurement $M$, its behavior is in general probabilistic: outcome $k$ occurs with a probability equal to $|M_k\psi|^2$, the square of the length of the state vector's projection into subspace $M_k$. After the measurement, the system is left in a new state $M_k\psi/|M_k\psi|$, which is the normalized unit vector in the direction of the old state vector's projection into subspace $M_k$. The measurement thus has a deterministic outcome, and leaves the state vector unmodified, only in the exceptional case that the initial state vector happens to lie entirely in one of the orthogonal subspaces characterizing the measurement.
The Hilbert space for a single polarized photon is 2-dimensional; thus the state of a photon may be completely described as a linear combination of, for example, the two unit vectors $r_1 = (1,0)$ and $r_2 = (0,1)$, representing respectively horizontal and vertical polarization. In particular, a photon polarized at angle $\alpha$ to the horizontal is described by the state vector $(\cos\alpha, \sin\alpha)$. When subjected to a measurement of vertical-vs-horizontal polarization, such a photon in effect chooses to become horizontal with probability $\cos^2\alpha$ and vertical with probability $\sin^2\alpha$. The two orthogonal vectors $r_1$ and $r_2$ thus exemplify the resolution of a 2-dimensional Hilbert space into 2 orthogonal 1-dimensional subspaces; henceforth $r_1$ and $r_2$ will be said to comprise the 'rectilinear' basis for the Hilbert space.
An alternative basis for the same Hilbert space is provided by the two 'diagonal' basis vectors $d_1 = (0.707, 0.707)$, representing a 45-degree photon, and $d_2 = (0.707, -0.707)$, representing a 135-degree photon. Two bases (e.g. rectilinear and diagonal) are said to be 'conjugate' [W] if each vector of one basis has equal-length projections onto all vectors of the other basis: this means that a system prepared in a specific state of one basis will behave entirely randomly, and lose all its stored information, when subjected to a measurement corresponding to the other basis. Owing to the complex nature of its coefficients, the two-dimensional Hilbert space also admits a third basis conjugate to both the rectilinear and diagonal bases, comprising the two so-called 'circular' polarizations $c_1 = (0.707, 0.707i)$ and $c_2 = (0.707i, 0.707)$; but the rectilinear and diagonal bases are all that will be needed for the cryptographic applications in this paper.
The Hilbert space for a compound system is constructed by taking the tensor product of the Hilbert spaces of its components; thus the state of a pair of photons is characterized by a unit vector in the 4-dimensional Hilbert space spanned by the orthogonal basis vectors $r_1r_1$, $r_1r_2$, $r_2r_1$, and $r_2r_2$. This formalism entails that the state of a compound system is not generally expressible as the cartesian product of the states of its parts: e.g. the Einstein-Podolsky-Rosen state of two photons, $0.7071(r_1r_2 - r_2r_1)$, to be discussed later, is not equivalent to any product of one-photon states.

III. Quantum Public Key Distribution

In traditional public-key cryptography, trapdoor functions are used to conceal the meaning of messages between two users from a passive eavesdropper, despite the lack of any initial shared secret information between the two users. In quantum public key distribution, the quantum channel is not used directly to send meaningful messages, but is rather used to transmit a supply of random bits between two users who share no secret information initially, in such a way that the users, by subsequent consultation over an ordinary non-quantum channel subject to passive eavesdropping, can tell with high probability whether the original quantum transmission has been disturbed in transit, as it would be by an eavesdropper (it is the quantum channel's peculiar virtue to compel eavesdropping to be active). If the transmission has not been disturbed, they agree to use these shared secret bits in the well-known way as a one-time pad to conceal the meaning of subsequent meaningful communications, or for other cryptographic applications (e.g. authentication tags) requiring shared secret random information. If transmission has been disturbed, they discard it and try again, deferring any meaningful communications until they have succeeded in transmitting enough random bits through the quantum channel to serve as a one-time pad.
In more detail one user ("Alice") chooses a random bit string and a random sequence of polarization bases (rectilinear or diagonal). She then sends the other user (Bob) a train of photons, each representing one bit of the string in the basis chosen for that bit position, a horizontal or 45-degree photon standing for a binary zero and a vertical or 135-degree photon standing for a binary 1. As Bob receives the photons he decides, randomly for each photon and independently of Alice, whether to measure the photon's rectilinear polarization or its diagonal polarization, and interprets the result of the measurement as a binary zero or one. As explained in the previous section a random answer is produced and all information lost when one attempts to measure the rectilinear polarization of a diagonal photon, or vice versa. Thus Bob obtains meaningful data from only half the photons he detects, those for which he guessed the correct polarization basis. Bob's information is further degraded by the fact that, realistically, some of the photons would be lost in transit or would fail to be counted by Bob's imperfectly-efficient detectors.
Subsequent steps of the protocol take place over an ordinary public communications channel, assumed to be susceptible to eavesdropping but not to the injection or alteration of messages. Bob and Alice first determine, by public exchange of messages, which photons were successfully received and of these which were received with the correct basis. If the quantum transmission has been undisturbed, Alice and Bob should agree on the bits encoded by these photons, even though this data has never been discussed over the public channel. Each of these photons, in other words, presumably carries one bit of random information (e.g. whether a rectilinear photon was vertical or horizontal) known to Alice and Bob but to no one else.
Because of the random mix of rectilinear and diagonal photons in the quantum transmission, any eavesdropping carries the risk of altering the transmission in such a way as to produce disagreement between Bob and Alice on some of the bits on which they think they should agree. Specifically, it can be shown that no measurement on a photon in transit, by an eavesdropper who is informed of the photon's original basis only after he has performed his measurement, can yield more than 1/2 expected bits of information about the key bit encoded by that photon; and that any such measurement yielding $b$ bits of expected information ($b \le 1/2$) must induce a disagreement with probability at least $b/2$ if the measured photon, or an attempted forgery of it, is later re-measured in its original basis. (This optimum tradeoff occurs, for example, when the eavesdropper measures and retransmits all intercepted photons in the rectilinear basis, thereby learning the correct polarizations of half the photons and inducing disagreements in 1/4 of those that are later re-measured in the original basis.)
Alice and Bob can therefore test for eavesdropping by publicly comparing some of the bits on which they think they should agree, though of course this sacrifices the secrecy of these bits. The bit positions used in this comparison should be a random subset (say one third) of the correctly received bits, so that eavesdropping on more than a few photons is unlikely to escape detection. If all the comparisons agree, Alice and Bob can conclude that the quantum transmission has been free of significant eavesdropping, and those of the remaining bits that were sent and received with the same basis also agree, and can safely be used as a one time pad for subsequent secure communications over the public channel. When this one-time pad is used up, the protocol is repeated to send a new body of random information over the quantum channel.
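
The steps described above, simulated end to end as an added example (this code is not from the paper). It models a photon classically by the measurement statistics of Section II, and the function names, the `detect_prob` loss parameter and the choice of 4000 photons are assumptions made for the illustration; the eavesdropper uses the rectilinear measure-and-resend strategy mentioned in the text.

```python
import random

RECT, DIAG = "R", "D"

def measure(bit, prep_basis, meas_basis, rng):
    """Bit read from a photon that encodes `bit` in `prep_basis`: the stored
    bit if the bases match, a fair coin flip if they are conjugate."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def run_key_distribution(n_photons, eavesdrop, rng, detect_prob=0.8):
    """One round of the protocol; returns the public test result and both keys."""
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]
    bob_bits = {}  # position -> bit, only for photons Bob actually detected
    for i in range(n_photons):
        bit, basis = alice_bits[i], alice_bases[i]
        if eavesdrop:
            # The eavesdropper measures rectilinearly and resends the result
            # as a rectilinear photon, destroying diagonal information.
            bit, basis = measure(bit, basis, RECT, rng), RECT
        if rng.random() < detect_prob:  # lossy channel, imperfect detectors
            bob_bits[i] = measure(bit, basis, bob_bases[i], rng)

    # Public discussion: keep detected positions where the bases coincided.
    agreed = [i for i in sorted(bob_bits) if alice_bases[i] == bob_bases[i]]
    # Sacrifice a random third of those bits to test for disturbance.
    revealed = set(rng.sample(agreed, len(agreed) // 3))
    errors = sum(alice_bits[i] != bob_bits[i] for i in revealed)
    kept = [i for i in agreed if i not in revealed]
    return {
        "revealed": len(revealed),
        "error_rate": errors / len(revealed),
        "accepted": errors == 0,  # any disagreement means: discard, try again
        "alice_key": [alice_bits[i] for i in kept],
        "bob_key": [bob_bits[i] for i in kept],
    }

if __name__ == "__main__":
    for tapped in (False, True):
        r = run_key_distribution(4000, tapped, random.Random(1984))
        print(f"eavesdrop={tapped}: compared {r['revealed']} bits, "
              f"error rate {r['error_rate']:.3f}, accepted={r['accepted']}, "
              f"keys equal={r['alice_key'] == r['bob_key']}")
```

With the channel undisturbed the compared bits all agree and the two keys are identical; with the eavesdropper present about a quarter of the compared bits disagree, so the round is rejected.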
The following example illustrates the above protocol.

QUANTUM TRANSMISSION
Alice's random bits
Random sending bases
Photons Alice sends
Random receiving bases
Bits as received by Bob
PUBLIC DISCUSSION
Bob reports bases of received bits
Alice says which bases were correct
Presumably shared information (if no eavesdrop)
Bob reveals some key bits at random
Alice confirms them
Remaining shared secret bits
(The per-photon entries of these rows, i.e. the bit values, the R/D basis letters and the polarization symbols, are illegible in this copy.)

The need for the public (non-quantum) channel in this scheme to be immune to active eavesdropping can be relaxed if Alice and Bob have agreed beforehand on a small secret key, which they use to create Wegman-Carter authentication tags [WC] for their messages over the public channel. In more detail the Wegman-Carter multiple-message authentication scheme uses a small random key to produce a message-dependent 'tag' (rather like a check sum) for an arbitrary large message, in such a way that an eavesdropper ignorant of the key has only a small probability of being able to generate any other valid message-tag pairs. The tag thus provides evidence that the message is legitimate, and was not generated or altered by someone ignorant of the key. (Key bits are gradually used up in the Wegman-Carter scheme, and cannot be reused without compromising the system's provable security; however, in the present application, these key bits can be replaced by fresh random bits successfully transmitted through the quantum channel.) The eavesdropper can still prevent communication by suppressing messages in the public channel, as of course he can by suppressing or excessively perturbing the photons sent through the quantum channel. However, in either case, Alice and Bob will conclude with high probability that their secret communications are being suppressed, and will not be fooled into thinking their communications are secure when in fact they're not.

IV. Quantum Coin Tossing

'Coin Flipping by Telephone' was first discussed by Blum [Bl]. The problem is for two distrustful parties, communicating at a distance without the help of a third party, to come to agree on a winner and a loser in such a way that each party has exactly 50 per cent chance of winning. Any attempt by either party to bias the outcome should be detected by the other party as cheating. Previous protocols for this problem are based on unproved assumptions in computational complexity theory, which makes them vulnerable to a breakthrough in algorithm design.
By contrast, we present here a scheme involving classical and quantum messages which is secure against traditional kinds of cheating, even by an opponent with unlimited computing power. Ironically, it can be subverted by a still subtler quantum phenomenon, the so-called Einstein-Podolsky-Rosen effect. This threat is merely theoretical, because it requires perfect efficiency of storage and detection of photons, which though not impossible in principle is far beyond the capabilities of current technology. The honestly-followed protocol, on the other hand, could be realized with current technology.
1. Alice chooses randomly one basis (say rectilinear) and a sequence of random bits (one thousand should be sufficient). She then encodes her bits as a sequence of photons in this same basis, using the same coding scheme as before. She sends the resulting train of polarized photons to Bob.
2. Bob chooses, independently and randomly for each photon, a sequence of reading bases. He reads the photons accordingly, recording the results in two tables, one of rectilinearly received photons and one of diagonally received photons. Because of losses in his detectors and in the transmission channel, some of the photons may not be received at all, resulting in holes in his tables. At this time, Bob makes his guess as to which basis Alice used, and announces it to Alice. He wins if he guessed correctly, loses otherwise.
3. Alice reports to Bob whether he won, by telling him which basis she had actually used. She certifies this information by sending Bob, over a classical channel, her entire original bit sequence used in step 1.
4. Bob verifies that no cheating has occurred by comparing Alice's sequence with both his tables. There should be perfect agreement with the table corresponding to Alice's basis and no correlation with the other table. In our example, Bob can be confident that Alice's original basis was indeed rectilinear as claimed.

Illustrating the protocol by a specific example:
Alice's bit string
Alice's random basis: Rectilinear
Photons Alice sends
Bob's random bases
Bob's rectilinear table
Bob's diagonal table
Bob's guess: 'Rectilinear'
Alice's reply: 'you win'
Alice sends her original bit string to certify
Bob's rectilinear table
Bob's diagonal table
(The per-photon entries of these rows are illegible in this copy.)

In order to cheat, Bob would need to guess Alice's basis with probability greater than 1/2. This amounts to distinguishing a train of photons randomly polarized in one basis from a train randomly polarized in another basis. However, it can be shown that any measuring apparatus capable of making this distinction can also be used, in conjunction with the Einstein-Podolsky-Rosen effect described below, to transmit useful information faster than the speed of light, in violation of well-established physical laws.
Alice could attempt cheating either at step 1 or step 3. Let us first assume that she follows step 1 honestly and finds herself losing at the end of step 2, because Bob made the correct guess, here rectilinear. In order to pretend she has won, she would need to convince Bob that her photons were diagonally polarized, which she can only do by producing a sequence of bits in perfect agreement with Bob's diagonal table. This she cannot do reliably because this table is the result of probabilistic behavior of the photons after they left her hands. Suppose she goes ahead anyway and sends Bob a new 'original' sequence, different from the one that she used in step 1, in hopes that it will by luck agree perfectly with Bob's diagonal table. This attempt to cheat requires Alice to be not only lucky but daring, because in the vast majority of cases, the gamble would fail and would be detected as cheating. By contrast, in traditional coin-tossing schemes, analogous attempts to seize a lucky victory from the jaws of defeat, though unlikely to succeed, are unaccompanied by any danger of detection.
It is easy to see that things are even worse for Alice if she attempts to cheat in step 1, by sending a mixture of rectilinear and diagonal photons, or photons which are polarized neither rectilinearly nor diagonally. In this case she will not be able to agree with either of Bob's tables in step 3, since both tables will record the results of probabilistic behavior not under her control.
In order to say how Alice can cheat using quantum mechanics it is necessary to describe the Einstein-Podolsky-Rosen (EPR) effect [Bo,AGR], often called a paradox because it contradicts the common sense notion that for two individually random events happening at a distance from one another to be correlated, some physical influence must have propagated from the earlier event to the later, or else from some common random cause to both events.
The EPR effect occurs when certain types of atom or molecule decay with the emission of two photons, and consists of the fact that the two photons are always found to have opposite polarization, regardless of the basis used to observe them, provided both are observed in the same basis. For example, if both photons are measured rectilinearly, it will always be found that one is horizontal and the other vertical, though which is horizontal will vary randomly from one decay to the next. If both photons are measured diagonally, one will always be 135-degree and the other 45-degree. A moment's reflection will show that this behavior cannot be explained by assuming the decay produces a distribution over $\alpha$ of oppositely polarized ($\alpha$ and $\alpha+90$) photons, since, in that case, if such a pair of photons were measured in an intermediate basis (say $\alpha+45$), both would behave probabilistically so as to sometimes come out with the same polarization.
Probably the simplest, but paradoxical-sounding, verbal explanation of the EPR effect is to say that the two photons are produced in an initial state of undefined polarization; and when one of them is measured, the measuring apparatus forces it to choose a polarization (choosing randomly and equiprobably between the two characteristic directions offered by the apparatus) while simultaneously forcing the other unmeasured photon, no matter how far away, to choose the opposite polarization. This implausible-sounding explanation is supported by formal quantum mechanics, which represents the state of a pair of photons as a vector in a 4-dimensional Hilbert space obtained by taking the tensor product of two 2-dimensional Hilbert spaces. The EPR state produced by the decay is described by the vector $0.7071(r_1r_2 - r_2r_1)$ and the EPR effect is explained by the fact that this vector has anticorrelated projections into the 2-dimensional Hilbert spaces of the two photons no matter what basis is used to express the tensor product (e.g. the same state vector is demonstrably equal to $0.7071(d_1d_2 - d_2d_1)$, and to $0.7071(c_1c_2 - c_2c_1)$).
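
The basis independence of the EPR state can be checked by direct expansion; this derivation is added here and is not part of the original paper. Using the vectors of Section II, $d_1 = 0.7071(r_1 + r_2)$, $d_2 = 0.7071(r_1 - r_2)$, $c_1 = 0.7071(r_1 + i r_2)$ and $c_2 = 0.7071(i r_1 + r_2)$, and keeping the order of the factors in each tensor product:

$$d_1d_2 - d_2d_1 = \tfrac{1}{2}\big[(r_1 + r_2)(r_1 - r_2) - (r_1 - r_2)(r_1 + r_2)\big] = \tfrac{1}{2}\big[-2\,r_1r_2 + 2\,r_2r_1\big] = -(r_1r_2 - r_2r_1)$$

$$c_1c_2 - c_2c_1 = \tfrac{1}{2}\big[(r_1 + i r_2)(i r_1 + r_2) - (i r_1 + r_2)(r_1 + i r_2)\big] = \tfrac{1}{2}\big[2\,r_1r_2 - 2\,r_2r_1\big] = r_1r_2 - r_2r_1$$

The $r_1r_1$ and $r_2r_2$ terms cancel in both expansions. The circular form reproduces $0.7071(r_1r_2 - r_2r_1)$ exactly, and the diagonal form reproduces it up to an overall factor of $-1$, which changes no measurement probability $|M_k\psi|^2$. In each basis the state has zero amplitude on the two same-polarization vectors (such as $d_1d_1$ and $d_2d_2$) and squared amplitude $1/2$ on each of the two opposite-polarization vectors, which is the anticorrelation described above.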
In order to cheat, Alice produces a number of EPR photon-pairs instead of individual random photons in step 1. In each case she sends Bob one member of the pair and stores the other herself, perhaps between perfectly reflecting mirrors. When Bob makes his guess (e.g. rectilinear) she then measures all her stored photons in the opposite (diagonal) basis, thereby obtaining results perfectly correlated with his diagonal table but uncorrelated with his rectilinear table. She then announces these results, pretending them to be the random bits she was supposed to have encoded in the photons in step 1, and thereby forces a win from which Bob cannot escape even by delaying his measurements until after his guess. This cheat requires that Alice be able to store the twin photons for a considerable time and then measure them with high detection efficiency, and thus would be possible only in principle, not in practice. Any photons lost by Alice during storage or measurement would result in holes in her pretended bit sequence, which she would have to fill by guessing, and these guesses would risk detection by Bob if they failed to agree with his tables.
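
The coin-tossing analysis of this section as an added simulation (not code from the paper): Bob's step 4 check is run against an honest Alice, against the step 3 cheat, and against the EPR cheat. The function names and the tolerance `tol` for "no correlation" are assumptions of this example, photon losses are ignored, and the EPR pair is modelled only by its statistics (opposite results in the same basis, independent results in conjugate bases).

```python
import random

OTHER = {"R": "D", "D": "R"}

def read_photons(n, observe, rng):
    """Step 2: Bob reads photon i in a random basis and files the bit he
    observes, observe(i, basis), in that basis's table."""
    tables = {"R": {}, "D": {}}
    for i in range(n):
        basis = rng.choice("RD")
        tables[basis][i] = observe(i, basis)
    return tables

def bob_accepts(claimed_basis, claimed_bits, tables, tol=0.15):
    """Step 4: perfect agreement with the table of the claimed basis and
    no correlation (about 50% agreement) with the other table."""
    own, other = tables[claimed_basis], tables[OTHER[claimed_basis]]
    if any(claimed_bits[i] != bit for i, bit in own.items()):
        return False
    agree = sum(claimed_bits[i] == bit for i, bit in other.items()) / len(other)
    return abs(agree - 0.5) < tol

def honest_toss(n, rng):
    """Steps 1-4 followed honestly by both parties."""
    basis = rng.choice("RD")
    bits = [rng.randint(0, 1) for _ in range(n)]
    observe = lambda i, b: bits[i] if b == basis else rng.randint(0, 1)
    tables = read_photons(n, observe, rng)
    guess = rng.choice("RD")  # Bob's guess, announced before Alice reveals
    return {"bob_wins": guess == basis,
            "verified": bob_accepts(basis, bits, tables)}

def step3_cheat(n, rng):
    """Alice sent rectilinear photons and Bob guessed 'R'. She claims 'D'
    and submits a new 'original' sequence, hoping it matches by luck."""
    bits = [rng.randint(0, 1) for _ in range(n)]
    observe = lambda i, b: bits[i] if b == "R" else rng.randint(0, 1)
    tables = read_photons(n, observe, rng)
    forged = [rng.randint(0, 1) for _ in range(n)]  # she cannot see his table
    return bob_accepts("D", forged, tables)

def epr_cheat(n, rng):
    """Alice sends one photon of each EPR pair and stores its twin. After
    Bob's guess she measures the twins in the other basis."""
    seen = {}
    def observe(i, basis):
        seen[i] = (basis, rng.randint(0, 1))  # each half alone looks random
        return seen[i][1]
    tables = read_photons(n, observe, rng)
    claim = OTHER[rng.choice("RD")]  # the basis Bob did not guess
    claimed_bits = []
    for i in range(n):
        bob_basis, bob_bit = seen[i]
        # Same basis as Bob: her twin is always opposite. Conjugate: random.
        hers = 1 - bob_bit if bob_basis == claim else rng.randint(0, 1)
        claimed_bits.append(1 - hers)  # she announces the complement
    return bob_accepts(claim, claimed_bits, tables)

if __name__ == "__main__":
    rng = random.Random(1984)
    print("honest toss:", honest_toss(1000, rng))
    print("step 3 cheat accepted:", step3_cheat(1000, rng))
    print("EPR cheat accepted:", epr_cheat(1000, rng))
```

The step 3 forgery has to match roughly 500 random table entries and is rejected, while the EPR cheat passes Bob's check, as the text argues.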

REFERENCES

[AGR] A. Aspect, P. Grangier, and G. Roger, 'Experimental Realization of the Einstein-Podolsky-Rosen-Bohm Gedankenexperiment: a New Violation of Bell's Inequalities', Phys. Rev. Lett. 49, 91-94 (1982).
[BBBW] C.H. Bennett, G. Brassard, S. Breidbart, and S. Wiesner, 'Quantum Cryptography, or Unforgeable Subway Tokens', to appear in Advances in Cryptography: Proceedings of CRYPTO82, Plenum Press.
[Bl] Manuel Blum, 'Coin Flipping by Telephone: a Protocol for Solving Impossible Problems', SIGACT News 15:1, 23-27 (1983).
[Bo] David Bohm, Quantum Theory (Prentice-Hall, Englewood Cliffs, NJ 1951), pp. 614-619.
[WC] M. Wegman and L. Carter, 'New Hash Functions and Their Use in Authentication and Set Equality', J. Comp. Sys. Sci. 22, 265-279 (1981).
[W] Stephen Wiesner, 'Conjugate Coding', (manuscript ca 1970); subsequently published in SIGACT News 15:1, 78-88 (1983).
[WZ] W.K. Wootters and W.H. Zurek, 'A Single Quantum Cannot be Cloned', Nature 299, 802-803 (1982).