Fully Distrustful Quantum Cryptography

J. Silman,1 A. Chailloux,2 N. Aharon,3 I. Kerenidis,4,5 S. Pironio,1 and S. Massar1

1 Laboratoire d'Information Quantique, Université Libre de Bruxelles, 1050 Bruxelles, Belgium
2 LIAFA, Univ. Paris 7, F-75205 Paris, France; and Univ. Paris-Sud, 91405 Orsay, France
3 School of Physics and Astronomy, Tel-Aviv University, Tel-Aviv 69978, Israel
4 LIAFA, Univ. Paris 7 - CNRS; F-75205 Paris, France
5 Centre for Quantum Technologies, National University of Singapore, Singapore 117543

arXiv:1101.5086v2 [quant-ph] 27 Jan 2011

In the distrustful quantum cryptography model the different parties have conflicting interests and do not trust one another. Nevertheless, they trust the quantum devices in their labs. The aim of the device-independent approach to cryptography is to do away with the necessity of making this assumption, and, consequently, significantly increase security. In this paper we enquire whether the scope of the device-independent approach can be extended to the distrustful cryptography model, thereby rendering it 'fully' distrustful. We answer this question in the affirmative by presenting a device-independent (imperfect) bit-commitment protocol, which we then use to construct a device-independent coin flipping protocol.

Introduction – A quantum protocol is said to be device-independent if the reliability of its implementation can be guaranteed without making any assumptions regarding the internal workings of the underlying apparatus. The key idea is that the certification of a sufficient amount of nonlocality ensures that the underlying systems are quantum and entangled. By dispensing with the (mathematically convenient but physically untestable) notion of a Hilbert space of a fixed dimension, the device-independent approach does away with many cheating mechanisms and modes of failure, such as, for example, those exploited in [1, 2]. In fact, a device-independent protocol, in principle, remains secure even if the devices were fabricated by an adversary. So far, device-independent protocols have been proposed for quantum key-distribution [3–6], random number generation [7, 8], state estimation [9], and the self-testing of quantum computers [10].

In many everyday scenarios (e.g. the use of credit cards on the internet, secure identification, digital signatures), we need to ensure security not only against an eavesdropper, but crucially against malicious parties partaking in the protocol, i.e. when Alice and Bob do not trust each other. Many important results in quantum cryptography are related to the fundamental primitives in this setting: While, on the one hand, quantum weak coin flipping with arbitrarily small bias is possible [11], arbitrarily concealing and binding quantum bit-commitment is impossible [12–14]. However, less secure but non-trivial bit-commitment has been shown to be possible with trusted devices [15].

It is not a priori clear whether the scope of the device-independent approach can be extended to cover cryptographic problems with distrustful parties. In particular, this setting presents us with a novel challenge: Whereas in device-independent quantum key-distribution Alice and Bob will cooperate to estimate the amount of nonlocality present, for protocols in the distrustful cryptography model, honest parties can rely only on themselves.

In this paper we show that protocols in this model are indeed amenable to a device-independent formulation. As our aim is to provide a proof of concept, we concentrate on one of the simplest, yet most fundamental, primitives in this model, bit-commitment. We present a device-independent bit-commitment protocol, wherein after the commit phase Alice cannot control the value of the bit she wishes to reveal with probability greater than $\cos^2\left(\frac{\pi}{8}\right) \simeq 0.854$ and Bob cannot learn its value prior to the reveal phase with probability greater than $\frac{3}{4}$. We then use this protocol to construct a device-independent coin flipping protocol with bias $\lesssim 0.336$.

Bit-commitment – A bit-commitment protocol consists of two phases. In the commit phase, Alice interacts with Bob in order to commit to a bit. In the reveal phase, Alice reveals the value of the bit, possibly followed by some test that each party carries out to ensure that the other party has not cheated. In the time between the two phases, which may be of any duration, no actions are taken. The security of a protocol is always analyzed under the assumption that one of the parties is honest. We designate by $P_{\text{cont}}$ the maximum of the average of the probabilities with which Alice can reveal either value of the bit without being caught cheating, and by $P_{\text{gain}}$ the maximum probability that dishonest Bob learns the value of the bit before the reveal phase without being discovered, where these quantities are maximized over the set of possible cheating strategies available to Alice and Bob. The quantities $\epsilon_{\text{cont}} = P_{\text{cont}} - \frac{1}{2}$ and $\epsilon_{\text{gain}} = P_{\text{gain}} - \frac{1}{2}$ are termed 'Alice's control' and 'Bob's information gain'. A protocol with arbitrarily small $\epsilon_{\text{cont}}$ is called arbitrarily binding, while a protocol with arbitrarily small $\epsilon_{\text{gain}}$ is called arbitrarily concealing. As already mentioned, quantum mechanics does not allow for a protocol to be both arbitrarily binding and concealing at the same time. In fact, for a 'fair' protocol, in the sense that $\epsilon_{\text{cont}} = \epsilon_{\text{gain}}$, $\epsilon_{\text{cont}}$ is bounded from below by 0.207 [16]. The best known protocol gives $\epsilon_{\text{cont}} = \frac{1}{4}$ [15]. In contrast, in any classical protocol either Alice or Bob can cheat perfectly ($\epsilon_{\text{cont}} = \frac{1}{2}$).

Device-independence – In our device-independent formulation, we assume that each honest party has one or several devices which are viewed as 'black boxes'. Each box allows for a classical input $s_i \in \{0,1\}$, and produces a classical output $r_i \in \{0,1\}$ (the index $i$ designates the box). We make the assumption that the probabilities of the outputs given the inputs for an honest party can be expressed as $P(r|s) = \mathrm{Tr}\left(\rho \bigotimes_i \Pi_{r_i|s_i}\right)$, where $\rho$ is some joint quantum state and $\Pi_{r_i|s_i}$ is a POVM element corresponding to inputting $s_i$ in box $i$ and obtaining the outcome $r_i$. Apart from this constraint we impose no restrictions on the boxes' behavior. In particular, we allow a dishonest party to choose the state $\rho$ (which she can entangle with her system) and the POVM elements $\Pi_{r_i|s_i}$ for the other party's boxes.

The above assumption amounts to the most general modeling of boxes that (i) satisfy the laws of quantum theory, and (ii) are such that the physical process yielding the output $r_i$ in box $i$ depends solely on the input $s_i$, i.e. the boxes cannot communicate with one another. It is also implicit in our analysis that no unwanted information can enter or exit an honest party's laboratory. In a 'fully' distrustful setting, where the devices too cannot be trusted, these conditions can be satisfied by shielding the boxes. In particular, it is not necessary to carry out measurements in space-like separated locations to guarantee (ii), as in fundamental tests of nonlocality (see [8, 17]). This observation is important because relativistic causality is by itself sufficient for perfect bit-commitment and coin flipping [18, 19]. Hence, the fact that we do not rely on space-like measurements makes the conceptual implications of our work clearer and the quantum origin of the security evident.

The protocol – Our protocol is based on the Greenberger-Horne-Zeilinger (GHZ) paradox [20, 21]. We consider three boxes A, B, and C with binary inputs, $s_A$, $s_B$ and $s_C$, and outputs $r_A$, $r_B$ and $r_C$, respectively. The GHZ paradox consists of the fact that if the inputs satisfy $s_A \oplus s_B \oplus s_C = 1$, we can always have the outputs satisfy $r_A \oplus r_B \oplus r_C = s_A s_B s_C \oplus 1$. This relation can be guaranteed if the three boxes implement measurements on a three-qubit GHZ state $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)$, where $s_i = 0$ $(1)$ corresponds to measuring $\sigma_y$ $(\sigma_x)$. In contrast, for local boxes this relation can only be satisfied with probability $\frac{3}{4}$ at most. The nonlocal and pseudo-telepathic nature of the GHZ paradox – the non-occurrence of certain input-output pairs that would necessarily occur in any local theory – are key, both to ensure that when both parties are honest the protocol does not abort, and to ensure that a dishonest party always has a non-zero probability of being caught cheating.

The protocol runs as follows. Alice has a box, A, and Bob has a pair of boxes, B and C. The three boxes are supposed to satisfy the GHZ paradox.

Commit phase: Alice inputs into her box the value of the bit she wishes to commit to. Denote the input and output of her box by $s_A$ and $r_A$. She then selects a classical bit $a$ uniformly at random. If $a = 0$ ($a = 1$), she sends Bob a classical bit $c = r_A$ ($c = r_A \oplus s_A$) as her commitment.

Reveal phase: Alice sends Bob $s_A$ and $r_A$. Bob first checks whether $c = r_A$ or $c = r_A \oplus s_A$. He then randomly chooses a pair of inputs $s_B$ and $s_C$, satisfying $s_B \oplus s_C = 1 \oplus s_A$, inputs them into his two boxes and checks that the GHZ paradox is satisfied. If any of these tests fails then he aborts. Note that if the parties are honest (and the boxes satisfy the GHZ paradox), then the protocol never aborts.

Alice's control – We consider the worst-case scenario, wherein (dishonest) Alice prepares (honest) Bob's boxes in any state she wants, possibly entangled with her own ancillary systems. Since the commit phase consists of Alice sending a classical bit $c$ as a token of her commitment, without receiving any information from Bob, with no loss of generality we may assume that Alice decides on the value of $c$ beforehand, and accordingly prepares Bob's boxes to maximize her control. Furthermore, since Alice's winning probability is invariant under the relabeling $c \to c \oplus 1$, $r_A \to r_A \oplus 1$, $r_B \to r_B \oplus 1$, no value of $c$ is preferable, and we assume that she sends $c = 0$.

Suppose now that Alice wishes to reveal 0 (i.e. she sends $s_A = 0$). She will then carry out some operation on her systems in order to decide the value of $r_A$ to be sent. Bob will first check whether $r_A = 0$ or $r_A \oplus s_A = 0$, and since $s_A = 0$ it follows that Alice must send $r_A = 0$. Subsequently, Bob finds that the GHZ paradox is satisfied whenever $r_B \neq r_C$ for a choice of inputs such that $s_B \neq s_C$. Switching to a more compact notation in which $y_i = (-1)^{r_i}$ ($x_i = (-1)^{r_i}$) designates the output corresponding to $s_i = 0$ ($s_i = 1$), Alice's cheating probability in this case equals $\frac{1}{2}\left[P(y_B x_C = -1) + P(x_B y_C = -1)\right]$. On the other hand, suppose that Alice wishes to reveal 1. Then, $r_A$ may take on any value (since Bob knows that in this case $r_A = 0$ or $r_A \oplus 1 = 0$), and hence, the only relevant test is the satisfaction of the GHZ paradox, i.e. whether $r_B \oplus r_C = s_B s_C \oplus 1 \oplus r_A$ for a choice of inputs such that $s_B = s_C$. Alice's cheating probability then equals $\frac{1}{2}\left[P(x_A y_B y_C = -1) + P(x_A x_B x_C = 1)\right]$. Hence, Alice's optimal cheating probability is obtained by maximizing over

$$\frac{1}{4}\left[P(y_B x_C = -1) + P(x_B y_C = -1) + P(x_A y_B y_C = -1) + P(x_A x_B x_C = 1)\right] \tag{1}$$

since we consider the average probability that Alice can reveal 0 and 1. As this expression involves only a single measurement setting for Alice's box, it admits a local description, implying that the maximum is obtained when Alice's box is deterministic. We see that in both cases (i.e. $x_A = \pm 1$), the problem reduces to maximizing the Clauser-Horne-Shimony-Holt (CHSH) inequality [22], so that $P_{\text{cont}} = \cos^2\left(\frac{\pi}{8}\right) \simeq 0.854$.

Bob's information gain – Bob's most general strategy consists of sending Alice a box entangled with some ancillary system in his possession. Depending on the value of $c$ he receives from Alice (which is uniformly random since Alice is honest), Bob carries out one of a pair of two-outcome measurements on his system. We denote Bob's binary input and output by $m_B$ and $g_B$, where $m_B = 0$ ($m_B = 1$) corresponds to the measurement he carries out when Alice sends $c = 0$ ($c = 1$), and $g_B = 0$ ($g_B = 1$) corresponds to his guessing that Alice has committed to 0 (1). Bob's information gain is

$$
\begin{aligned}
P_{\text{gain}} &= \sum_{s_A, r_A, a} P(s_A, r_A, a)\, P\big(g_B = s_A \mid m_B = r_A \oplus (s_A \cdot a)\big) \\
&= \frac{1}{4} \sum_{s_A, r_A = 0,1} P(r_A \mid s_A)\big[P(g_B = s_A \mid m_B = r_A) + P(g_B = s_A \mid m_B = r_A \oplus s_A)\big] \\
&= \frac{1}{4} \sum_{s_A, r_A = 0,1} \big[P(r_A, g_B = s_A \mid s_A, m_B = r_A) + P(r_A, g_B = s_A \mid s_A, m_B = r_A \oplus s_A)\big].
\end{aligned}
\tag{2}
$$

Using the fact that $P(k, 0|0, k) + P(0, 1|1, k) + P(1, 1|1, k) \le 1$ and $P(0, 0|0, 0) + P(1, 0|0, 1) \le 1$, which follow from no-signaling (i.e. $\sum_{i_B = 0,1} P(i_A, i_B | j_A, j_B) = P(i_A | j_A)$ and the same relation with $A \leftrightarrow B$) and normalization, we obtain that $P_{\text{gain}} = \frac{3}{4}$.

Optimal cheating strategies – Both Alice and Bob have a number of simple optimal cheating strategies available to them. Interestingly, both can optimally cheat using a three-qubit GHZ state and having the measurements of the honest party correspond to the measurement of $\sigma_y$ and $\sigma_x$ axes (corresponding to inputting 0 and 1), as in the GHZ paradox described above. This implies that the device-dependent version of our protocol, in which (honest) Alice and Bob share a GHZ state and measure $\sigma_y$ and $\sigma_x$ (recall that in the device-dependent setting an honest party can trust its measurement devices), does not afford more security. Our protocol has thus the curious property that its device-dependent version is essentially device-independent, in the sense that its security is not compromised in the event that an honest party cannot trust its measurement devices.

Using the GHZ state, dishonest Alice's strategy consists of measuring the polarization of her qubit along the axis $\hat{n} = \frac{1}{\sqrt{2}}(\hat{x} + \hat{y})$. If she obtains 0 then she knows she has 'prepared' Bob's boxes in the state $\frac{1}{\sqrt{2}}\left(e^{-i\pi/8}|00\rangle + e^{i\pi/8}|11\rangle\right)$, and she sends $c = 0$. If she wishes to reveal 0, she tells Bob she had input 0 and obtained 0. If she wishes to reveal 1, she tells Bob she had input 1 and obtained 0. Similarly, if she obtains 1, she sends $c = 1$, etc. It is straightforward to verify that this strategy gives rise to $P_{\text{cont}} = \cos^2\left(\frac{\pi}{8}\right) \simeq 0.854$.

Using the GHZ state, dishonest Bob's strategy consists of having Alice measure $\sigma_y$ and $\sigma_x$ according to the value of her commitment. Bob then measures the polarization of one of his qubits along the $y$ axis and that of the other along the $x$ axis. Whenever his outcomes are correlated, in the event that Alice sends $c = 0$ ($c = 1$) he guesses that she has input 1 (0), while whenever his outcomes are anti-correlated he guesses the reverse. It is straightforward to verify that this strategy gives rise to an information gain of $\frac{3}{4}$.

Device-independent coin flipping – (Strong) coin flipping is defined as the problem of two remote distrustful parties having to agree on a bit. If both parties are honest, then the outcome of the coin is uniformly random. The degree of security afforded by a protocol is quantified by the biases $\epsilon^A_i = P^A_i - \frac{1}{2}$ and $\epsilon^B_i = P^B_i - \frac{1}{2}$, where $P^A_i$ ($P^B_i$) is Alice's (Bob's) maximal probability of biasing the outcome to $i$. The quantity $\epsilon = \max\{\epsilon^A_i, \epsilon^B_j\}_{i,j}$ is usually referred to as the bias of the protocol. A protocol is said to be fair whenever Alice and Bob enjoy the same bias. Like bit-commitment, and indeed most non-trivial protocols in distrustful cryptography, in the classical world its security is completely breached if no limits are placed on a dishonest party's computational power. In the quantum world the story is different [24], the optimal bias is $\epsilon = 0.207$ [25, 26] (a weaker version of coin flipping, on the other hand, allows for arbitrarily small bias [11]).

We remind the reader of a standard method to implement coin flipping using bit-commitment: Alice commits to a random bit $a$, Bob sends a random bit $b$ to Alice, and then Alice reveals $a$. The outcome of the coin flip is just $a \oplus b$. In particular, $\epsilon^A_i = \epsilon_{\text{cont}}$ and $\epsilon^B_i = \epsilon_{\text{gain}}$. Using this construction with our device-independent bit-commitment protocol, we obtain a device-independent coin flipping protocol with biases $\epsilon^A_i = \cos^2\left(\frac{\pi}{8}\right) - \frac{1}{2} \simeq 0.354$ and $\epsilon^B_j = \frac{1}{4}$.

Since $\epsilon^A_i > \epsilon^B_j$, this construction advantages Alice. It is possible to lower the bias by equalizing the individual biases. Consider a new coin flipping protocol which consists of two repetitions of the above coin flipping protocol as follows. The result of the first (in which Alice commits) is used to determine who commits in the second. Say if the outcome is 0 (1), then Alice (Bob) commits in the second. It is no longer a priori clear what strategy Alice should adopt in the first repetition, since, in principle, it may be beneficial for her to adopt one in which she sometimes loses the first coin flip, but increases her chances of making it to the second repetition (by not getting caught cheating in the first repetition in which case Bob aborts). Nevertheless, it is evident that Alice's maximal cheating probability is bounded from above by $\cos^4\left(\frac{\pi}{8}\right) + \left(1 - \cos^2\left(\frac{\pi}{8}\right)\right) \cdot \frac{3}{4} \simeq 0.838$. On the other hand, Bob never gets caught cheating in the first repetition (though he may of course lose), therefore Bob's maximal cheating probability is just $\frac{3}{4}\cos^2\left(\frac{\pi}{8}\right) + \frac{1}{4} \cdot \frac{3}{4} \simeq 0.827$. By allowing for more repetitions (the $(n-1)$th repetition determining who commits in the $n$th, etc.) we obtain that the biases $\epsilon^A_i$ and $\epsilon^B_j$ of the resulting protocol are bounded from above by $\simeq 0.336$.

Discussion – By introducing explicit device-independent bit-commitment and coin flipping protocols, we have shown that protocols in the distrustful cryptography model – wherein Alice and Bob do not cooperate to estimate the amount of nonlocality present – are amenable to a device-independent formulation. The fascinating connection between quantum nonlocality and cryptography, first noted by Ekert twenty years ago [27], is thus seen to apply also in the very rich field of cryptography with mutually distrustful parties (and devices), affording us with a novel perspective on the connection between cryptography and the foundations of quantum mechanics.

To conclude, we would like to point out some notable features of our protocols. (i) The protocols are single-shot and do not rely on any statistical estimation of the amount of nonlocality such as in testing the degree of violation of a Bell inequality (even though their security is of course based on nonlocality). (ii) The device-dependent version of our protocol does not offer more security than the device-independent version. (iii) Since our security analysis is device-independent, it also covers the case where Alice's and Bob's outputs are affected by noise. Note that the analysis of noisy classical coin flipping in [28, 29] allows us to compute the quantum advantage in this case. (iv) The security afforded by our device-independent protocols is reasonably close to (though of course greater than) that of the best known device-dependent protocols. For the bit-commitment protocol we have $P_{\text{cont}} \simeq 0.854$ and $P_{\text{gain}} = \frac{3}{4}$, as compared to $P_{\text{cont}} = P_{\text{gain}} = \frac{3}{4}$ for the best known device-dependent protocol. The coin flipping protocol has a bias of $\lesssim 0.336$, as compared to 0.207 in the device-dependent case. (v) Our work allows the study of bit-commitment and coin flipping in the context of theories other than quantum mechanics. Indeed, it relies only on the GHZ paradox (to define the protocol in the honest case), on Tsirelson's bound on the CHSH inequality violation (which limits Alice's control) and on the no-signaling principle (which limits Bob's information gain). Curiously, the security of the protocol would increase if Tsirelson's bound were to decrease, reaching $P_{\text{cont}} = P_{\text{gain}} = \frac{3}{4}$ if it were equal to the local causal bound. In a theory constrained only by no-signaling, our protocol is no longer secure as PR boxes [30] allow to maximally violate the CHSH inequality, implying $P_{\text{cont}} = 1$. Note that perfect bit-commitment was shown to be possible provided that honest parties have access to PR boxes and under the strong hypothesis (which we do not make) that a dishonest party cannot in any way tamper with the boxes [31]. It is an open question whether there exists a quantum bit-commitment protocol that is secure against dishonest parties limited only by the no-signaling principle, as is the case in quantum key-distribution [4, 32].

Acknowledgments – We acknowledge support from the BSF (grant no. 32/08) (N.A.), the Inter-University Attraction Poles Programme (Belgian Science Policy) under Project IAP-P6/10 (Photonics@be) (S.M., S.P., J.S.), a BB2B grant of the Brussels-Capital region (S.P.), the FNRS (J.S.), the projects ANR-09-JCJC-0067-01, ANR-08-EMER-012 (A.C., I.K.), and the project QCS (grant 255961) of the E.U. (S.M., S.P., J.S., A.C., I.K.).

[1] F. Xu et al., arXiv:1005.2376.
[2] L. Lydersen et al., Nat. Photonics 4, 686 (2010).
[3] D. Mayers and A. Yao, Quantum Inform. Comput. 4, 273 (2004).
[4] J. Barrett et al., Phys. Rev. Lett. 95, 010503 (2005).
[5] A. Acín et al., Phys. Rev. Lett. 97, 120405 (2006).
[6] A. Acín et al., Phys. Rev. Lett. 98, 230501 (2007).
[7] R. Colbeck, PhD dissertation, Univ. Cambridge (2007), arXiv:0911.3814; R. Colbeck, A. Kent, arXiv:1011.4474.
[8] S. Pironio et al., Nature 464, 1021 (2010).
[9] C.-E. Bardyn et al., Phys. Rev. A 80, 062327 (2009).
[10] F. Magniez et al., in Proceedings of the 33rd International Colloquium on Automata, Languages and Programming, (Springer, 2006), p. 72.
[11] C. Mochon, arXiv:0711.4114.
[12] H.-K. Lo and H.F. Chau, Phys. Rev. Lett. 78, 3410 (1997).
[13] D. Mayers, Phys. Rev. Lett. 78, 3414 (1997).
[14] G.M. D'Ariano et al., Phys. Rev. A 76, 032328 (2007).
[15] R.W. Spekkens and T. Rudolph, Phys. Rev. A 65, 012310 (2001).
[16] This bound follows from Kitaev's bound on the bias of strong coin flipping protocols [25].
[17] S. Pironio et al., New J. Phys. 11, 045021 (2009).
[18] A. Kent, Phys. Rev. Lett. 83, 1447 (1999).
[19] A. Kent, Phys. Rev. Lett. 83, 5382 (1999).
[20] D.M. Greenberger et al., in Bell's Theorem, Quantum Theory, and Conceptions of the Universe, edited by M. Kafatos (Kluwer, 1989), p. 74.
[21] N.D. Mermin, Phys. Today 43, 9 (1990).
[22] J.F. Clauser et al., Phys. Rev. Lett. 23, 880 (1969).
[23] B.S. Cirel'son, Lett. Math. Phys. 4, 93 (1980).
[24] D. Aharonov et al., in Proceedings of the 32nd Annual ACM Symposium on the Theory of Computing (ACM Press, 2000), p. 705.
[25] A. Kitaev, unpublished. Proof reproduced in A. Ambainis et al., in Proceedings of the 19th Annual IEEE Conference on Computational Complexity, (CS Press, 2004), p. 250.
[26] A. Chailloux and I. Kerenidis, in Proceedings of the 50th Annual IEEE Symposium on the Foundations of Computer Science, (CS Press, 2009), p. 527.
[27] A.K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[28] A.T. Nguyen et al., New J. Phys. 10, 083037 (2008).
[29] E. Hänggi and J. Wullschleger, arXiv:1009.4741.
[30] S. Popescu and D. Rohrlich, Found. Phys. 24, 379 (1994).
[31] H. Buhrman et al., Proc. R. Soc. A 462, 1919 (2006).
[32] Ll. Masanes, Phys. Rev. Lett. 102, 140501 (2009).
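
The honest run, the two GHZ-based cheating strategies and the repeated coin flip described in the paper above, evaluated exactly as an added example; this is not the authors' code and all function names are illustrative. Assumptions: output 0 is taken as the +1 eigenvalue, dishonest Alice always reports r_A = c (one reading of the text's "etc." for outcome 1), and the many-round recursion generalizes the two-repetition bound given in the text.

```python
# Added example, not the authors' code. Conventions assumed here: output
# r = 0 is the +1 eigenvalue, qubit order is (A, B, C).
import cmath
import math
from itertools import product

BITS = (0, 1)
# Phase of the |1> component of the +1 eigenvector for each measurement:
# input 0 -> sigma_y, input 1 -> sigma_x, "n" -> axis (x + y)/sqrt(2).
PHASE = {0: 1j, 1: 1, "n": cmath.exp(1j * math.pi / 4)}

def p_ghz(s, r):
    """P(r_A, r_B, r_C | s_A, s_B, s_C) on the state (|000> + |111>)/sqrt(2)."""
    amp111 = 1  # <e_A e_B e_C|111> up to the common factor 2**-1.5
    for s_i, r_i in zip(s, r):
        amp111 *= ((-1) ** r_i * PHASE[s_i]).conjugate()
    return abs((1 + amp111) / 4) ** 2

def ghz_ok(s, r):
    """Bob's test: r_A xor r_B xor r_C == s_A*s_B*s_C xor 1."""
    return (r[0] ^ r[1] ^ r[2]) == ((s[0] * s[1] * s[2]) ^ 1)

def pass_probability(alice_axis):
    """Average chance that Bob accepts a reveal of (s_A, r_A) when Alice's
    qubit was really measured along alice_axis(s_A) with outcome r_A = c."""
    total = 0.0
    for s_a, s_b in product(BITS, repeat=2):
        s = (s_a, s_b, 1 ^ s_a ^ s_b)       # Bob picks s_B xor s_C = 1 xor s_A
        for r in product(BITS, repeat=3):
            if ghz_ok(s, r):
                total += p_ghz((alice_axis(s_a),) + s[1:], r) / 4
    return total

def bob_gain():
    """Dishonest Bob measures (sigma_y, sigma_x) on his two qubits and guesses
    1 xor c when his outcomes agree, c when they differ."""
    total = 0.0
    for s_a, a in product(BITS, repeat=2):  # honest Alice: bit s_a, coin a
        for r in product(BITS, repeat=3):
            c = r[0] ^ (s_a & a)            # commitment token sent to Bob
            if (c ^ r[1] ^ r[2] ^ 1) == s_a:
                total += p_ghz((s_a, 0, 1), r) / 4
    return total

def repeated_bounds(p_cont, p_gain, rounds):
    """Cheating bounds for (first committer, other party) when each flip picks
    the committer of the next; recursion assumed from the two-round bound."""
    first, other = p_cont, p_gain
    for _ in range(rounds - 1):
        first, other = (p_cont * first + (1 - p_cont) * other,
                        p_gain * first + (1 - p_gain) * other)
    return first, other

if __name__ == "__main__":
    p_cont = pass_probability(lambda s_a: "n")
    print("honest run accepted:", pass_probability(lambda s_a: s_a))
    print("P_cont:", p_cont, "P_gain:", bob_gain())
    print("2 rounds:", repeated_bounds(p_cont, 0.75, 2))
    print("bias, 30 rounds:", max(repeated_bounds(p_cont, 0.75, 30)) - 0.5)
```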

