INTERNATIONAL CONFERENCE ON COMPUTERS, SYSTEMS & SIGNAL PROCESSING
Dec 9-12, 1984, BANGALORE, INDIA
Volume 1 of 3, Pages 1 - 427

Sponsored by: IEEE Computer Society; IEEE Circuits and Systems Society; Indian Institute of Science

STEERING COMMITTEE

GENERAL CHAIRMAN: I.G. Sarma, School of Automation, Indian Institute of Science, Bangalore - 560 012, India. Telephone: 34411, Telex: 0845-8349
VICE-CHAIRMAN: V.K. Aatre, Naval Physical and Oceanographic Laboratory, Naval Base, Cochin - 682 004, India
TECHNICAL PROGRAMME: K. Ramakrishna, Dept. of Electrical Engineering, Indian Institute of Science, Bangalore - 560 012, India
SPECIAL SESSIONS AND SHORT COURSES: V. Rajaraman, Computer Centre, Indian Institute of Science, Bangalore - 560 012, India
INTERNATIONAL COORDINATION: V. Ramachandran, Concordia University, 1455 De Maisonneuve Blvd. W, Montreal, Canada H3G 1M8. Telephone: (514) 879-2828
FINANCE: H.P. Khincha, Dept. of Electrical Engineering, Indian Institute of Science, Bangalore - 560 012, India
PUBLICATIONS: K. Soundararajan, Simulation Division, Aeronautical Development Establishment, Bangalore - 560 075, India
INDUSTRIAL RELATIONS: M.N. Srinivasan, Centre for Scientific and Industrial Consultancy, Indian Institute of Science, Bangalore - 560 012, India
LOGISTICS AND COORDINATION: G.R. Nagabhushana, Dept. of High Voltage Engineering, Indian Institute of Science, Bangalore - 560 012, India

QUANTUM CRYPTOGRAPHY: PUBLIC KEY DISTRIBUTION AND COIN TOSSING

Charles H. Bennett (IBM Research, Yorktown Heights NY 10598 USA)
Brassard (dept. IRO, Univ. de Montreal, H3C 3J7 Canada)

When elementary quantum systems, such as polarized photons, are used to transmit digital information, the uncertainty principle gives rise to novel cryptographic phenomena unachievable with traditional transmission media, e.g. a communications channel on which it is impossible in principle to eavesdrop without a high probability of disturbing the transmission in such a way as to be detected. Such a quantum channel can be used in conjunction with ordinary insecure classical channels to distribute random key information between two users with the assurance that it remains unknown to anyone else, even when the users share no secret information initially. We also present a protocol for coin-tossing by exchange of quantum messages, which is secure against traditional kinds of cheating, even by an opponent with unlimited computing power, but ironically can be subverted by use of a still subtler quantum phenomenon, the Einstein-Podolsky-Rosen paradox.

I. Introduction

Conventional cryptosystems such as ENIGMA, DES, or even RSA, are based on a mixture of guesswork and mathematics. Information theory shows that traditional secret-key cryptosystems cannot be totally secure unless the key, used once only, is at least as long as the cleartext. On the other hand, the theory of computational complexity is not yet well enough understood to prove the computational security of public-key cryptosystems.

In this paper we use a radically different foundation for cryptography, viz. the uncertainty principle of quantum physics. In conventional information theory and cryptography, it is taken for granted that digital communications in principle can always be passively monitored or copied, even by someone ignorant of their meaning. However, when information is encoded in non-orthogonal quantum states, such as single photons with polarization directions 0, 45, 90, and 135 degrees, one obtains a communications channel whose transmissions in principle cannot be read or copied reliably by an eavesdropper ignorant of certain key information used in forming the transmission. The eavesdropper cannot even gain partial information about such a transmission without altering it in a random and uncontrollable way likely to be detected by the channel's legitimate users.

Quantum coding was first described in [W], along with two applications: making money that is in principle impossible to counterfeit, and multiplexing two or three messages in such a way that reading one destroys the others. More recently [BBBW], quantum coding has been used in conjunction with public key cryptographic techniques to yield several schemes for unforgeable subway tokens. Here we show that quantum coding by itself achieves one of the main advantages of public key cryptography by permitting secure distribution of random key information between parties who share no secret information initially, provided the parties have access, besides the quantum channel, to an ordinary channel susceptible to passive but not active eavesdropping. Even in the presence of active eavesdropping, the two parties can still distribute key securely if they share some secret information initially, provided the eavesdropping is not so active as to suppress communications completely. We also present a protocol for coin tossing by exchange of quantum messages. Except where otherwise noted the protocols are provably secure even against an opponent with superior technology and unlimited computing power, barring fundamental violations of accepted physical laws.

Offsetting these advantages is the practical disadvantage that quantum transmissions are necessarily very weak and cannot be amplified in transit. Moreover, quantum cryptography does not provide digital signatures, or applications such as certified mail or the ability to settle disputes before a judge.

II. Essential Properties of Polarized Photons

Polarized light can be produced by sending an ordinary light beam through a polarizing apparatus such as a Polaroid filter or calcite crystal; the beam's polarization axis is determined by the orientation of the polarizing apparatus in which the beam originates.
Generating single polarized photons is also possible, in principle by picking them out of a polarized beam, and in practice by a variation of an experiment [AGR] of Aspect, et al.

Although polarization is a continuous variable, the uncertainty principle forbids measurements on any single photon from revealing more than one bit about its polarization. For example, if a light beam with polarization axis $\alpha$ is sent into a filter oriented at angle $\beta$, the individual photons behave dichotomously and probabilistically, being transmitted with probability $\cos^2(\alpha-\beta)$ and absorbed with the complementary probability $\sin^2(\alpha-\beta)$. The photons behave deterministically only when the two axes are parallel (certain transmission) or perpendicular (certain absorption).

International Conference on Computers, Systems & Signal Processing, Bangalore, India, December 10-12, 1984, 175

If the two axes are not perpendicular, so that some photons are transmitted, one might hope to learn additional information about $\alpha$ by measuring the transmitted photons again with a polarizer oriented at some third angle; but this is to no avail, because the transmitted photons, in passing through the $\beta$ polarizer, emerge with exactly $\beta$ polarization, having lost all memory of their previous polarization.

Another way one might hope to learn more than one bit from a single photon would be not to measure it directly, but rather somehow amplify it into a clone of identically polarized photons, then perform measurements on these; but this hope is also vain, because such cloning can be shown to be inconsistent with the foundations of quantum mechanics [WZ].

Formally, quantum mechanics represents the internal state of a quantum system (e.g. the polarization of a photon) as a vector $\psi$ of unit length in a linear space $H$ over the field of complex numbers (Hilbert space). The inner product of two vectors $\langle\phi|\psi\rangle$ is defined as $\sum_j \phi_j^* \psi_j$, where * indicates complex conjugation.
The dimensionality of the Hilbert space depends on the system, being larger (or even infinite) for more complicated systems. Each physical measurement $M$ that might be performed on the system corresponds to a resolution of its Hilbert space into orthogonal subspaces, one for each possible outcome of the measurement. The number of possible outcomes is thus limited to the dimensionality $d$ of the Hilbert space, the most complete measurements being those that resolve the Hilbert space into $d$ 1-dimensional subspaces.

Let $M_k$ represent the projection operator onto the $k$th subspace of measurement $M$, so that the identity operator on $H$ can be represented as a sum of projections: $I = M_1 + M_2 + \ldots$. When a system in state $\psi$ is subjected to measurement $M$, its behavior is in general probabilistic: outcome $k$ occurs with a probability equal to $|M_k\psi|^2$, the square of the length of the state vector's projection into subspace $M_k$. After the measurement, the system is left in a new state $M_k\psi/|M_k\psi|$, which is the normalized unit vector in the direction of the old state vector's projection into subspace $M_k$. The measurement thus has a deterministic outcome, and leaves the state vector unmodified, only in the exceptional case that the initial state vector happens to lie entirely in one of the orthogonal subspaces characterizing the measurement.

The Hilbert space for a single polarized photon is 2-dimensional; thus the state of a photon may be completely described as a linear combination of, for example, the two unit vectors $r_1 = (1,0)$ and $r_2 = (0,1)$, representing respectively horizontal and vertical polarization. In particular, a photon polarized at angle $\alpha$ to the horizontal is described by the state vector $(\cos\alpha, \sin\alpha)$. When subjected to a measurement of vertical-vs-horizontal polarization, such a photon in effect chooses to become horizontal with probability $\cos^2\alpha$ and vertical with probability $\sin^2\alpha$.
The two orthogonal vectors $r_1$ and $r_2$ thus exemplify the resolution of a 2-dimensional Hilbert space into 2 orthogonal 1-dimensional subspaces; henceforth $r_1$ and $r_2$ will be said to comprise the 'rectilinear' basis for the Hilbert space.

An alternative basis for the same Hilbert space is provided by the two 'diagonal' basis vectors $d_1 = (0.707, 0.707)$, representing a 45-degree photon, and $d_2 = (0.707, -0.707)$, representing a 135-degree photon. Two bases (e.g. rectilinear and diagonal) are said to be 'conjugate' [W], if each vector of one basis has equal-length projections onto all vectors of the other basis: this means that a system prepared in a specific state of one basis will behave entirely randomly, and lose all its stored information, when subjected to a measurement corresponding to the other basis. Owing to the complex nature of its coefficients, the two-dimensional Hilbert space also admits a third basis conjugate to both the rectilinear and diagonal bases, comprising the two so-called 'circular' polarizations $c_1 = (0.707, 0.707i)$ and $c_2 = (0.707i, 0.707)$; but the rectilinear and diagonal bases are all that will be needed for the cryptographic applications in this paper.

The Hilbert space for a compound system is constructed by taking the tensor product of the Hilbert spaces of its components; thus the state of a pair of photons is characterized by a unit vector in the 4-dimensional Hilbert space spanned by the orthogonal basis vectors $r_1r_1$, $r_1r_2$, $r_2r_1$, and $r_2r_2$. This formalism entails that the state of a compound system is not generally expressible as the cartesian product of the states of its parts: e.g. the Einstein-Podolsky-Rosen state of two photons, $0.7071(r_1r_2 - r_2r_1)$, to be discussed later, is not equivalent to any product of one-photon states.
III. Quantum Public Key Distribution

In traditional public-key cryptography, trapdoor functions are used to conceal the meaning of messages between two users from a passive eavesdropper, despite the lack of any initial shared secret information between the two users. In quantum public key distribution, the quantum channel is not used directly to send meaningful messages, but is rather used to transmit a supply of random bits between two users who share no secret information initially, in such a way that the users, by subsequent consultation over an ordinary non-quantum channel subject to passive eavesdropping, can tell with high probability whether the original quantum transmission has been disturbed in transit, as it would be by an eavesdropper (it is the quantum channel's peculiar virtue to compel eavesdropping to be active). If the transmission has not been disturbed, they agree to use these shared secret bits in the well-known way as a one-time pad to conceal the meaning of subsequent meaningful communications, or for other cryptographic applications (e.g. authentication tags) requiring shared secret random information. If transmission has been disturbed, they discard it and try again, deferring any meaningful communications until they have succeeded in transmitting enough random bits through the quantum channel to serve as a one-time pad.

In more detail, one user ('Alice') chooses a random bit string and a random sequence of polarization bases (rectilinear or diagonal). She then sends the other user ('Bob') a train of photons, each representing one bit of the string in the basis chosen for that bit position, a horizontal or 45-degree photon standing for a binary zero and a vertical or 135-degree photon standing for a binary 1.
As Bob receives the photons he decides, randomly for each photon and independently of Alice, whether to measure the photon's rectilinear polarization or its diagonal polarization, and interprets the result of the measurement as a binary zero or one. As explained in the previous section, a random answer is produced and all information lost when one attempts to measure the rectilinear polarization of a diagonal photon, or vice versa. Thus Bob obtains meaningful data from only half the photons he detects: those for which he guessed the correct polarization basis. Bob's information is further degraded by the fact that, realistically, some of the photons would be lost in transit or would fail to be counted by Bob's imperfectly-efficient detectors.

Subsequent steps of the protocol take place over an ordinary public communications channel, assumed to be susceptible to eavesdropping but not to the injection or alteration of messages. Bob and Alice first determine, by public exchange of messages, which photons were successfully received and of these which were received with the correct basis. If the quantum transmission has been undisturbed, Alice and Bob should agree on the bits encoded by these photons, even though this data has never been discussed over the public channel. Each of these photons, in other words, presumably carries one bit of random information (e.g. whether a rectilinear photon was vertical or horizontal) known to Alice and Bob but to no one else.
Because of the random mix of rectilinear and diagonal photons in the quantum transmission, any eavesdropping carries the risk of altering the transmission in such a way as to produce disagreement between Bob and Alice on some of the bits on which they think they should agree. Specifically, it can be shown that no measurement on a photon in transit, by an eavesdropper who is informed of the photon's original basis only after he has performed his measurement, can yield more than 1/2 expected bits of information about the key bit encoded by that photon; and that any such measurement yielding $b$ bits of expected information ($b \le 1/2$) must induce a disagreement with probability at least $b/2$ if the measured photon, or an attempted forgery of it, is later re-measured in its original basis. (This optimum tradeoff occurs, for example, when the eavesdropper measures and retransmits all intercepted photons in the rectilinear basis, thereby learning the correct polarizations of half the photons and inducing disagreements in 1/4 of those that are later re-measured in the original basis.)

Alice and Bob can therefore test for eavesdropping by publicly comparing some of the bits on which they think they should agree, though of course this sacrifices the secrecy of these bits. The bit positions used in this comparison should be a random subset (say one third) of the correctly received bits, so that eavesdropping on more than a few photons is unlikely to escape detection. If all the comparisons agree, Alice and Bob can conclude that the quantum transmission has been free of significant eavesdropping, and those of the remaining bits that were sent and received with the same basis also agree, and can safely be used as a one-time pad for subsequent secure communications over the public channel. When this one-time pad is used up, the protocol is repeated to send a new body of random information over the quantum channel.
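The key-distribution procedure described above, as an added simulation that is not part of the original paper: photons are modelled as polarization angles measured with the $\cos^2$ rule of Section II, and the optional eavesdropper uses the rectilinear measure-and-retransmit strategy given in the text. Photon loss is ignored, and the function names, the seed and the one-third check fraction default are assumptions of this sketch.

```python
import math
import random

RECT, DIAG = 0, 45   # reference axis of each basis, in degrees

def prepare(bit, basis):
    """Angle Alice sends: 0/90 for rectilinear, 45/135 for diagonal."""
    return basis + 90 * bit

def measure(angle, basis, rng):
    """Measure a photon polarized at `angle` in `basis`.

    Bit 0 (axis `basis`) occurs with probability cos^2(angle - basis), bit 1
    otherwise; the photon leaves polarized along the axis it was found on.
    """
    p0 = round(math.cos(math.radians(angle - basis)) ** 2, 12)
    bit = 0 if rng.random() < p0 else 1
    return bit, basis + 90 * bit

def run_key_distribution(n, eavesdrop=False, check_fraction=1 / 3, seed=1984):
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = prepare(bit, a_basis)
        if eavesdrop:
            # The paper's example strategy: measure every photon in the
            # rectilinear basis and retransmit whatever was found.
            _, photon = measure(photon, RECT, rng)
        bob_bits.append(measure(photon, b_basis, rng)[0])

    # Public discussion: keep only positions where the bases matched.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Publicly compare a random subset of those bits, then discard them.
    checked = set(rng.sample(sifted, int(len(sifted) * check_fraction)))
    disagreements = sum(alice_bits[i] != bob_bits[i] for i in checked)
    kept = [i for i in sifted if i not in checked]
    return {
        "sifted": len(sifted),
        "checked": len(checked),
        "disagreements": disagreements,
        "accepted": disagreements == 0,
        "alice_key": [alice_bits[i] for i in kept],
        "bob_key": [bob_bits[i] for i in kept],
    }

if __name__ == "__main__":
    for eve in (False, True):
        r = run_key_distribution(20000, eavesdrop=eve)
        print(eve, r["sifted"], r["checked"], r["disagreements"], r["accepted"])
```

With the eavesdropper enabled, about one quarter of the publicly compared bits disagree, which is the 1/4 figure quoted in the text.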
The following example illustrates the above protocol.

QUANTUM TRANSMISSION
Alice's random bits
Random sending bases
Photons Alice sends
Random receiving bases
Bits as received by Bob
PUBLIC DISCUSSION
Bob reports bases of received bits
Alice says which bases were correct
Presumably shared information (if no eavesdrop)
Bob reveals some key bits at random
Alice confirms them
Remaining shared secret bits
[Table: the per-photon columns (bits, D/R bases, photon polarizations, OK marks) are not recoverable from the scan.]

The need for the public (non-quantum) channel in this scheme to be immune to active eavesdropping can be relaxed if Alice and Bob have agreed beforehand on a small secret key, which they use to create Wegman-Carter authentication tags [WC] for their messages over the public channel. In more detail, the Wegman-Carter multiple-message authentication scheme uses a small random key to produce a message-dependent 'tag' (rather like a check sum) for an arbitrary large message, in such a way that an eavesdropper ignorant of the key has only a small probability of being able to generate any other valid message-tag pairs. The tag thus provides evidence that the message is legitimate, and was not generated or altered by someone ignorant of the key. (Key bits are gradually used up in the Wegman-Carter scheme, and cannot be reused without compromising the system's provable security; however, in the present application, these key bits can be replaced by fresh random bits successfully transmitted through the quantum channel.) The eavesdropper can still prevent communication by suppressing messages in the public channel, as of course he can by suppressing or excessively perturbing the photons sent through the quantum channel. However, in either case, Alice and Bob will conclude with high probability that their secret communications are being suppressed, and will not be fooled into thinking their communications are secure when in fact they're not.

IV. Quantum Coin Tossing

'Coin Flipping by Telephone' was first discussed by Blum [Bl]. The problem is for two distrustful parties, communicating at a distance without the help of a third party, to come to agree on a winner and a loser in such a way that each party has exactly 50 per cent chance of winning. Any attempt by either party to bias the outcome should be detected by the other party as cheating. Previous protocols for this problem are based on unproved assumptions in computational complexity theory, which makes them vulnerable to a breakthrough in algorithm design.

By contrast, we present here a scheme involving classical and quantum messages which is secure against traditional kinds of cheating, even by an opponent with unlimited computing power. Ironically, it can be subverted by a still subtler quantum phenomenon, the so-called Einstein-Podolsky-Rosen effect. This threat is merely theoretical, because it requires perfect efficiency of storage and detection of photons, which though not impossible in principle is far beyond the capabilities of current technology. The honestly-followed protocol, on the other hand, could be realized with current technology.

1. Alice chooses randomly one basis (say rectilinear) and a sequence of random bits (one thousand should be sufficient). She then encodes her bits as a sequence of photons in this same basis, using the same coding scheme as before. She sends the resulting train of polarized photons to Bob.

2. Bob chooses, independently and randomly for each photon, a sequence of reading bases. He reads the photons accordingly, recording the results in two tables, one of rectilinearly received photons and one of diagonally received photons. Because of losses in his detectors and of the transmission channel, some of the photons may not be received at all, resulting in holes in his tables. At this time, Bob makes his guess as to which basis Alice used, and announces it to Alice. He wins if he guessed correctly, loses otherwise.

3. Alice reports to Bob whether he won, by telling him which basis she had actually used. She certifies this information by sending Bob, over a classical channel, her entire original bit sequence used in step 1.

4. Bob verifies that no cheating has occurred by comparing Alice's sequence with both his tables. There should be perfect agreement with the table corresponding to Alice's basis and no correlation with the other table. In our example, Bob can be confident that Alice's original basis was indeed rectilinear as claimed.

Illustrating the protocol by a specific example:

Alice's bit string
Alice's random basis: Rectilinear
Photons Alice sends
Bob's random bases
Bob's rectilinear table
Bob's diagonal table
Bob's guess: "Rectilinear"
Alice's reply: "you win"
Alice sends her original bit string to certify
Bob's rectilinear table
Bob's diagonal table
[Table: the per-photon columns (bits, bases, photon polarizations, table entries) are not recoverable from the scan.]

In order to cheat, Bob would need to guess Alice's basis with probability greater than 1/2. This amounts to distinguishing a train of photons randomly polarized in one basis from a train randomly polarized in another basis. However, it can be shown that any measuring apparatus capable of making this distinction can also be used, in conjunction with the Einstein-Podolsky-Rosen effect described below, to transmit useful information faster than the speed of light, in violation of well-established physical laws.

Alice could attempt cheating either at step 1 or step 3. Let us first assume that she follows step 1 honestly and finds herself losing at the end of step 2, because Bob made the correct guess, here rectilinear. In order to pretend she has won, she would need to convince Bob that her photons were diagonally polarized, which she can only do by producing a sequence of bits in perfect agreement with Bob's diagonal table. This she cannot do reliably because this table is the result of probabilistic behavior of the photons after they left her hands. Suppose she goes ahead anyway and sends Bob a new 'original' sequence, different from the one that she used in step 1, in hopes that it will by luck agree perfectly with Bob's diagonal table. This attempt to cheat requires Alice to be not only lucky but daring, because in the vast majority of cases, the gamble would fail and would be detected as cheating. By contrast, in traditional coin-tossing schemes, analogous attempts to seize a lucky victory from the jaws of defeat, though unlikely to succeed, are unaccompanied by any danger of detection.

It is easy to see that things are even worse for Alice if she attempts to cheat in step 1, by sending a mixture of rectilinear and diagonal photons, or photons which are polarized neither rectilinearly nor diagonally. In this case she will not be able to agree with either of Bob's tables in step 3, since both tables will record the results of probabilistic behavior not under her control.
In order to say how Alice can cheat using quantum mechanics it is necessary to describe the Einstein-Podolsky-Rosen (EPR) effect [Bo, AGR], often called a paradox because it contradicts the common sense notion that for two individually random events happening at a distance from one another to be correlated, some physical influence must have propagated from the earlier event to the later, or else from some common random cause to both events.

The EPR effect occurs when certain types of atom or molecule decay with the emission of two photons, and consists of the fact that the two photons are always found to have opposite polarization, regardless of the basis used to observe them, provided both are observed in the same basis. For example, if both photons are measured rectilinearly, it will always be found that one is horizontal and the other vertical, though which is horizontal will vary randomly from one decay to the next. If both photons are measured diagonally, one will always be 135-degree and the other 45-degree. A moment's reflection will show that this behavior cannot be explained by assuming the decay produces a distribution over $\alpha$ of oppositely polarized ($\alpha$ and $\alpha+90$) photons, since, in that case, if such a pair of photons were measured in an intermediate basis (say $\alpha+45$), both would behave probabilistically so as to sometimes come out with the same polarization.
Probably the simplest, but paradoxical-sounding, verbal explanation of the EPR effect is to say that the two photons are produced in an initial state of undefined polarization; and when one of them is measured, the measuring apparatus forces it to choose a polarization (choosing randomly and equiprobably between the two characteristic directions offered by the apparatus) while simultaneously forcing the other unmeasured photon, no matter how far away, to choose the opposite polarization. This implausible-sounding explanation is supported by formal quantum mechanics, which represents the state of a pair of photons as a vector in a 4-dimensional Hilbert space obtained by taking the tensor product of two 2-dimensional Hilbert spaces. The EPR state produced by the decay is described by the vector $0.7071(r_1r_2 - r_2r_1)$, and the EPR effect is explained by the fact that this vector has anticorrelated projections into the 2-dimensional Hilbert spaces of the two photons no matter what basis is used to express the tensor product (e.g. the same state vector is demonstrably equal to $0.7071(d_1d_2 - d_2d_1)$, and to $0.7071(c_1c_2 - c_2c_1)$).

In order to cheat, Alice produces a number of EPR photon-pairs instead of individual random photons in step 1. In each case she sends Bob one member of the pair and stores the other herself, perhaps between perfectly reflecting mirrors. After Bob makes his guess (e.g. rectilinear), she then measures all her stored photons in the opposite (diagonal) basis, thereby obtaining results perfectly correlated with his diagonal table and uncorrelated with his rectilinear table. She then announces these results, pretending them to be the random bits she was supposed to have encoded in the photons in step 1, and thereby forces a win from which Bob cannot escape even by delaying his measurements until after his guess. This cheat requires that Alice be able to store the twin photons for a considerable time and then measure them with high detection efficiency, and thus would be possible only in principle, not in practice. Any photons lost by Alice during storage or measurement would result in holes in her pretended bit sequence, which she would have to fill by guessing, and these guesses would risk detection by Bob if they failed to agree with his tables.

REFERENCES

[AGR] A. Aspect, P. Grangier, and G. Roger, 'Experimental Realization of the Einstein-Podolsky-Rosen-Bohm Gedankenexperiment: a New Violation of Bell's Inequalities', Phys. Rev. Lett. 49, 91-94 (1982).

[BBBW] C.H. Bennett, G. Brassard, S. Breidbart, and S. Wiesner, 'Quantum Cryptography, or Unforgeable Subway Tokens', to appear in Advances in Cryptography: Proceedings of CRYPTO82, Plenum Press.

[Bl] Manuel Blum, 'Coin Flipping by Telephone: a Protocol for Solving Impossible Problems', SIGACT News 15:1, 23-27 (1983).

[Bo] David Bohm, Quantum Theory (Prentice-Hall, Englewood Cliffs, NJ 1951), pp. 614-619.

[WC] M. Wegman and L. Carter, 'New Hash Functions and Their Use in Authentication and Set Equality', J. Comp. Sys. Sci. 22, 265-279 (1981).

[W] Stephen Wiesner, 'Conjugate Coding' (manuscript ca 1970); subsequently published in SIGACT News 15:1, 78-88 (1983).

[WZ] W.K. Wootters and W.H. Zurek, 'A Single Quantum Cannot be Cloned', Nature 299, 802-803 (1982).
