The Search for the Holy Grail in Quantum Cryptography

Abstract

In 1982, Bennett and Brassard suggested a new way to provide privacy in long distance communications with security based on the correctness of the basic principles of quantum mechanics. The scheme allows two parties, Alice and Bob, sharing no secret information in the first place, to exchange messages that nobody else can figure out. The only requirement is a quantum channel and a normal phone line connecting the two parties. The fact that quantum mechanics provides unconditional secure communications is a remarkable result that cannot be achieved by classical techniques alone. Apart from secure communication, cryptography is also interested in tasks that aim at protecting one party against a potentially dishonest peer. This scenario, called secure two-party computation, is usually modelled by a function f(x(A), x(B)) where a(A) and x(B) are Alice's and Bob's secret input respectively. They would like to execute a protocol that produces z = f(x(A), x(B)) to both parties without disclosing their secret input to the other party. The only information about a secret input that can be leaked toward the other party is what the output z itself discloses about it. Unlike secure communication, secure two-party computation does not assume that Alice and Bob are honest. One honest party's input should remain secret whatever the other party's behaviour. It is well-known that in order to find a protocol for secure two-party computation, one must have access to a secure bit commitment scheme. Unfortunately, in 1996 Mayers showed that no secure quantum bit commitment scheme exists. Similarly to the classical case (where trapdoor one-way functions are needed) quantum cryptography does not protide secure two-party computation for free. In this paper, we discuss the possibilities and limits of quantum cryptography for two-party computation. We describe the essential distinctions between classical and quantum cryptography in this scenario.