Quantum cryptography
Quantum cryptography is the science of exploiting
History
In the early 1970s,
Companies that manufacture quantum cryptography systems include MagiQ Technologies, Inc. (Boston), ID Quantique (Geneva), QuintessenceLabs (Canberra, Australia), Toshiba (Tokyo), QNu Labs (India) and SeQureNet (Paris).
Advantages
Cryptography is the strongest link in the chain of data security.[7] However, interested parties cannot assume that cryptographic keys will remain secure indefinitely.[8] Quantum cryptography[2] has the potential to encrypt data for longer periods than classical cryptography.[8] Using classical cryptography, scientists cannot guarantee encryption beyond approximately 30 years, but some stakeholders could use longer periods of protection.[8] Take, for example, the healthcare industry. As of 2017, 85.9% of office-based physicians are using electronic medical record systems to store and transmit patient data.[9] Under the Health Insurance Portability and Accountability Act, medical records must be kept secret.[10] Quantum key distribution can protect electronic records for periods of up to 100 years.[8] Also, quantum cryptography has useful applications for governments and militaries as, historically, governments have kept military data secret for periods of over 60 years.[8] There has also been proof that quantum key distribution can travel through a noisy channel over a long distance and be secure. The problem can be reduced from a noisy quantum scheme to a classical noiseless scheme, which can be solved with classical probability theory.[11] This consistent protection over a noisy channel is made possible through the implementation of quantum repeaters, which can resolve quantum communication errors in an efficient way. Quantum repeaters, which are quantum computers, can be stationed as segments over the noisy channel to ensure the security of communication. They do this by purifying the segments of the channel before connecting them, creating a secure line of communication. Sub-par quantum repeaters can provide an efficient amount of security through the noisy channel over a long distance.[11]
Applications
Quantum cryptography is a general subject that covers a broad range of cryptographic practices and protocols. Some of the most notable applications and protocols are discussed below.
Quantum key distribution
The best-known and developed application of quantum cryptography is
The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. Eve should not be able to impersonate Alice or Bob as otherwise a man-in-the-middle attack would be possible.
While QKD is secure, its practical application faces some challenges. There are in fact limitations for the key generation rate at increasing transmission distances.[12][13][14] Recent studies have allowed important advancements in this regard. In 2018, the protocol of twin-field QKD[15] was proposed as a mechanism to overcome the limits of lossy communication. The rate of the twin-field protocol was shown to overcome the secret key-agreement capacity of the lossy communication channel, known as the repeater-less PLOB bound,[14] at 340 km of optical fiber; its ideal rate surpasses this bound already at 200 km and follows the rate-loss scaling of the higher repeater-assisted secret key-agreement capacity[16] (see figure 1 of [15] and figure 11 of [2] for more details). The protocol suggests that optimal key rates are achievable on "550 kilometers of standard optical fibre", which is already commonly used in communications today. The theoretical result was confirmed in the first experimental demonstration of QKD beyond the PLOB bound, which has been characterized as the first effective quantum repeater.[17] Notable developments in terms of achieving high rates at long distances are the sending-not-sending (SNS) version of the TF-QKD protocol[18][19] and the no-phase-postselected twin-field scheme.[20]
Mistrustful quantum cryptography
In mistrustful cryptography the participating parties do not trust each other. For example, Alice and Bob collaborate to perform some computation where both parties enter some private inputs. But Alice does not trust Bob and Bob does not trust Alice. Thus, a secure implementation of a cryptographic task requires that after completing the computation, Alice can be guaranteed that Bob has not cheated and Bob can be guaranteed that Alice has not cheated either. Examples of tasks in mistrustful cryptography are
In contrast to
Quantum coin flipping
Unlike quantum key distribution,
A coin flip protocol generally occurs like this:[32]
- Alice chooses a basis (either rectilinear or diagonal) and generates a string of photons to send to Bob in that basis.
- Bob randomly chooses to measure each photon in a rectilinear or diagonal basis, noting which basis he used and the measured value.
- Bob publicly guesses which basis Alice used to send her qubits.
- Alice announces the basis she used and sends her original string to Bob.
- Bob confirms by comparing Alice's string to his table. It should be perfectly correlated with the values Bob measured using Alice's basis and completely uncorrelated with the opposite.
Cheating occurs when one player attempts to influence, or increase the probability of, a particular outcome. The protocol discourages some forms of cheating; for example, Alice could cheat at step 4 by claiming that Bob incorrectly guessed her initial basis when he guessed correctly, but Alice would then need to generate a new string of qubits that perfectly correlates with what Bob measured in the opposite table.[32] Her chance of generating a matching string of qubits will decrease exponentially with the number of qubits sent, and if Bob notes a mismatch, he will know she was lying. Alice could also generate a string of photons using a mixture of states, but Bob would easily see that her string will correlate partially (but not fully) with both sides of the table, and know she cheated in the process.[32] There is also an inherent flaw that comes with current quantum devices. Errors and lost qubits will affect Bob's measurements, resulting in holes in Bob's measurement table. Significant losses in measurement will affect Bob's ability to verify Alice's qubit sequence in step 5.
One theoretically surefire way for Alice to cheat is to utilize the Einstein-Podolsky-Rosen (EPR) paradox. Two photons in an EPR pair are anticorrelated; that is, they will always be found to have opposite polarizations, provided that they are measured in the same basis. Alice could generate a string of EPR pairs, sending one photon per pair to Bob and storing the other herself. When Bob states his guess, she could measure her EPR pair photons in the opposite basis and obtain a perfect correlation to Bob's opposite table.[32] Bob would never know she cheated. However, this requires capabilities that quantum technology currently does not possess, making it impossible to do in practice. To successfully execute this, Alice would need to be able to store all the photons for a significant amount of time as well as measure them with near perfect efficiency. This is because any photon lost in storage or in measurement would result in a hole in her string that she would have to fill by guessing. The more guesses she has to make, the more she risks detection by Bob for cheating.
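The five protocol steps and Bob's check against an Alice who lies about her basis at step 4, modelled classically in Python as an added example that is not part of the original article. It assumes an ideal lossless channel and perfect detectors, treats a measurement in the wrong basis as a fair random bit, and uses illustrative function names throughout.

```python
import random

BASES = ("rectilinear", "diagonal")


def other(basis):
    """Return the basis Alice did not use."""
    return BASES[1 - BASES.index(basis)]


def alice_prepare(n, rng):
    """Step 1: one basis for the whole string, n random bit values."""
    return rng.choice(BASES), [rng.randrange(2) for _ in range(n)]


def bob_measure(alice_basis, alice_bits, rng):
    """Step 2: Bob measures each photon in a random basis and records
    (basis, value). Classical model (assumption): the matching basis
    reproduces Alice's bit, the other basis yields a fair random bit."""
    table = []
    for bit in alice_bits:
        basis = rng.choice(BASES)
        value = bit if basis == alice_basis else rng.randrange(2)
        table.append((basis, value))
    return table


def bob_verify(table, announced_basis, announced_bits):
    """Step 5: every photon Bob measured in the announced basis must
    equal the bit Alice announces for that position. The statistical
    'uncorrelated with the opposite basis' check is not modelled."""
    return all(value == announced_bits[i]
               for i, (basis, value) in enumerate(table)
               if basis == announced_basis)


def run_round(n, rng, alice_lies=False):
    """Play one coin flip. Returns (accepted_by_bob, alice_lied)."""
    basis, bits = alice_prepare(n, rng)
    table = bob_measure(basis, bits, rng)
    guess = rng.choice(BASES)                    # step 3: Bob's public guess
    lied = alice_lies and guess == basis         # she only lies if Bob was right
    if lied:
        # Step 4, dishonest: claim the other basis. Alice cannot see Bob's
        # table, so the string she announces is a blind guess.
        announced_basis = other(basis)
        announced_bits = [rng.randrange(2) for _ in range(n)]
    else:
        announced_basis, announced_bits = basis, bits
    return bob_verify(table, announced_basis, announced_bits), lied


def honest_rounds_accepted(n, trials, seed=1):
    """True if Bob accepts every round played by an honest Alice."""
    rng = random.Random(seed)
    return all(run_round(n, rng)[0] for _ in range(trials))


def lie_acceptance_rate(n, trials, seed=1):
    """Fraction of rounds in which a lying Alice escapes Bob's check."""
    rng = random.Random(seed)
    outcomes = [run_round(n, rng, alice_lies=True) for _ in range(trials)]
    lies = [accepted for accepted, lied in outcomes if lied]
    return sum(lies) / len(lies)


def lie_survival_probability(n):
    """Per photon, Bob used the claimed basis with probability 1/2 and a
    blind guess then matches with probability 1/2, so each photon passes
    with probability 3/4 and the lie survives with probability (3/4)^n."""
    return 0.75 ** n


if __name__ == "__main__":
    for n in (2, 8, 32):
        print(n, lie_survival_probability(n), lie_acceptance_rate(n, 20000))
```

The simulated acceptance rate tracks (3/4)^n, which is the exponential decay in the number of qubits that the text describes.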
Quantum commitment
In addition to quantum coin-flipping, quantum commitment protocols are implemented when distrustful parties are involved. A commitment scheme allows a party Alice to fix a certain value (to "commit") in such a way that Alice cannot change that value while at the same time ensuring that the recipient Bob cannot learn anything about that value until Alice reveals it. Such commitment schemes are commonly used in cryptographic protocols (e.g. quantum coin flipping, zero-knowledge proofs, secure two-party computation, and oblivious transfer).
In the quantum setting, they would be particularly useful: Crépeau and Kilian showed that from a commitment and a quantum channel, one can construct an unconditionally secure protocol for performing so-called oblivious transfer.[33] Oblivious transfer, on the other hand, had been shown by Kilian to allow implementation of almost any distributed computation in a secure way (so-called secure multi-party computation).[34] (Note: The results by Crépeau and Kilian[33][34] together do not directly imply that given a commitment and a quantum channel one can perform secure multi-party computation. This is because the results do not guarantee "composability", that is, when plugging them together, one might lose security.)
Early quantum commitment protocols
Yet, the result by Mayers does not preclude the possibility of constructing quantum commitment protocols (and thus secure multi-party computation protocols) under assumptions that are much weaker than the assumptions needed for commitment protocols that do not use quantum communication. The bounded quantum storage model described below is an example of a setting in which quantum communication can be used to construct commitment protocols. A breakthrough in November 2013 offers "unconditional" security of information by harnessing quantum theory and relativity, which has been successfully demonstrated on a global scale for the first time.[36] More recently, Wang et al. proposed another commitment scheme in which the "unconditional hiding" is perfect.[37]
Physical unclonable functions can also be exploited for the construction of cryptographic commitments.[38]
Bounded- and noisy-quantum-storage model
One possibility to construct unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols is to use the bounded quantum storage model (BQSM). In this model, it is assumed that the amount of quantum data that an adversary can store is limited by some known constant Q. However, no limit is imposed on the amount of classical (i.e., non-quantum) data the adversary may store.
In the BQSM, one can construct commitment and oblivious transfer protocols.
The protocols in the BQSM presented by Damgård, Fehr, Salvail, and Schaffner[39] do not assume that honest protocol participants store any quantum information; the technical requirements are similar to those in quantum key distribution protocols. These protocols can thus, at least in principle, be realized with today's technology. The communication complexity is only a constant factor larger than the bound Q on the adversary's quantum memory.
The advantage of the BQSM is that the assumption that the adversary's quantum memory is limited is quite realistic. With today's technology, storing even a single qubit reliably over a sufficiently long time is difficult. (What "sufficiently long" means depends on the protocol details. By introducing an artificial pause in the protocol, the amount of time over which the adversary needs to store quantum data can be made arbitrarily large.)
An extension of the BQSM is the noisy-storage model introduced by Wehner, Schaffner and Terhal.[40] Instead of considering an upper bound on the physical size of the adversary's quantum memory, an adversary is allowed to use imperfect quantum storage devices of arbitrary size. The level of imperfection is modelled by noisy quantum channels. For high enough noise levels, the same primitives as in the BQSM can be achieved[41] and the BQSM forms a special case of the noisy-storage model.
In the classical setting, similar results can be achieved when assuming a bound on the amount of classical (non-quantum) data that the adversary can store.[42] It was proven, however, that in this model also the honest parties have to use a large amount of memory (namely the square-root of the adversary's memory bound).[43] This makes these protocols impractical for realistic memory bounds. (Note that with today's technology such as hard disks, an adversary can cheaply store large amounts of classical data.)
Position-based quantum cryptography
The goal of position-based quantum cryptography is to use the geographical location of a player as its (only) credential. For example, one wants to send a message to a player at a specified position with the guarantee that it can only be read if the receiving party is located at that particular position. In the basic task of position-verification, a player, Alice, wants to convince the (honest) verifiers that she is located at a particular point. It has been shown by Chandran et al. that position-verification using classical protocols is impossible against colluding adversaries (who control all positions except the prover's claimed position).[44] Under various restrictions on the adversaries, schemes are possible.
Under the name of 'quantum tagging', the first position-based quantum schemes have been investigated in 2002 by Kent. A US-patent
Device-independent quantum cryptography
A quantum cryptographic protocol is device-independent if its security does not rely on trusting that the quantum devices used are truthful. Thus the security analysis of such a protocol needs to consider scenarios of imperfect or even malicious devices.
In 2018, theoretical studies performed by Arnon-Friedman et al. suggested that exploiting a property of entropy later referred to as the "Entropy Accumulation Theorem (EAT)", an extension of the asymptotic equipartition property, can guarantee the security of a device-independent protocol.[60]
Post-quantum cryptography
There is also research into how existing cryptographic techniques have to be modified to be able to cope with quantum adversaries. For example, when trying to develop zero-knowledge proof systems that are secure against quantum adversaries, new techniques need to be used: In a classical setting, the analysis of a zero-knowledge proof system usually involves "rewinding", a technique that makes it necessary to copy the internal state of the adversary. In a quantum setting, copying a state is not always possible (no-cloning theorem); a variant of the rewinding technique has to be used.[65]
Post quantum algorithms are also called "quantum resistant", because – unlike quantum key distribution – it is not known or provable that there will not be potential future quantum attacks against them. Even though they may possibly be vulnerable to quantum attacks in the future, the NSA is announcing plans to transition to quantum resistant algorithms.
Quantum cryptography beyond key distribution
So far, quantum cryptography has been mainly identified with the development of quantum key distribution protocols. Symmetric cryptosystems with keys that have been distributed by means of quantum key distribution become inefficient for large networks (many users), because of the necessity for the establishment and the manipulation of many pairwise secret keys (the so-called "key-management problem"). Moreover, this distribution alone does not address many other cryptographic tasks and functions, which are of vital importance in everyday life. Kak's three-stage protocol has been proposed as a method for secure communication that is entirely quantum, unlike quantum key distribution, in which the cryptographic transformation uses classical algorithms.[68]
Besides quantum commitment and oblivious transfer (discussed above), research on quantum cryptography beyond key distribution revolves around quantum message authentication,
Y-00 protocol
H. P. Yuen presented Y-00 as a stream cipher using quantum noise around 2000 and applied it for the U.S. Defense Advanced Research Projects Agency (DARPA) High-Speed and High-Capacity Quantum Cryptography Project as an alternative to quantum key distribution.[83][84] The review paper summarizes it well.[85]
Unlike quantum key distribution protocols, the main purpose of Y-00 is to transmit a message without eavesdrop-monitoring, not to distribute a key. Therefore,
The principle of operation is as follows. First, legitimate users share a key and change it to a pseudo-random keystream using the same pseudo-random number generator. Then, the legitimate parties can perform conventional optical communications based on the shared key by transforming it appropriately. For attackers who do not share the key, the wire-tap channel model of Aaron D. Wyner is implemented. The legitimate users' advantage based on the shared key is called "advantage creation". The goal is to achieve longer covert communication than the information-theoretic security limit (one-time pad) set by Shannon.[89] The source of the noise in the above wire-tap channel is the uncertainty principle of the electromagnetic field itself, which is a theoretical consequence of the theory of laser described by Roy J. Glauber and E. C. George Sudarshan (coherent state).[90][91][92] Therefore, existing optical communication technologies are sufficient for implementation, as some reviews describe (e.g.[85]). Furthermore, since it uses ordinary communication laser light, it is compatible with existing communication infrastructure and can be used for high-speed and long-distance communication and routing.[93][94][95][96][97]
Although the main purpose of the protocol is to transmit the message, key distribution is possible by simply replacing the message with a key.[98][86] Since it is a symmetric key cipher, it must share the initial key previously; however, a method of the initial key agreement was also proposed.[99]
On the other hand, it is currently unclear what implementation realizes information-theoretic security, and security of this protocol has long been a matter of debate.[100][101][102][103][104][105][106][107][108][109]
Implementation in practice
In theory, quantum cryptography seems to be a successful turning point in the information security sector. However, no cryptographic method can ever be absolutely secure.[110] In practice, quantum cryptography is only conditionally secure, dependent on a key set of assumptions.[111]
Single-photon source assumption
The theoretical basis for quantum key distribution assumes the use of single-photon sources. However, such sources are difficult to construct, and most real-world quantum cryptography systems use faint laser sources as a medium for information transfer.[111] These multi-photon sources open the possibility for eavesdropper attacks, particularly a photon splitting attack.[112] An eavesdropper, Eve, can split the multi-photon source and retain one copy for herself.[112] The other photons are then transmitted to Bob without any measurement or trace that Eve captured a copy of the data.[112] Scientists believe they can retain security with a multi-photon source by using decoy states that test for the presence of an eavesdropper.[112] However, in 2016, scientists developed a near perfect single photon source and estimate that one could be developed in the near future.[113]
Identical detector efficiency assumption
In practice, multiple single-photon detectors are used in quantum key distribution devices, one for Alice and one for Bob.[111] These photodetectors are tuned to detect an incoming photon during a short window of only a few nanoseconds.[114] Due to manufacturing differences between the two detectors, their respective detection windows will be shifted by some finite amount.[114] An eavesdropper, Eve, can take advantage of this detector inefficiency by measuring Alice's qubit and sending a "fake state" to Bob.[114] Eve first captures the photon sent by Alice and then generates another photon to send to Bob.[114] Eve manipulates the phase and timing of the "faked" photon in a way that prevents Bob from detecting the presence of an eavesdropper.[114] The only way to eliminate this vulnerability is to eliminate differences in photodetector efficiency, which is difficult to do given finite manufacturing tolerances that cause optical path length differences, wire length differences, and other defects.[114]
Deprecation of quantum key distributions from governmental institutions
Because of the practical problems with quantum key distribution, some governmental organizations recommend the use of post-quantum cryptography (quantum resistant cryptography) instead. For example, the US National Security Agency,[115] European Union Agency for Cybersecurity of EU (ENISA),[116] UK's National Cyber Security Centre,[117] French Secretariat for Defense and Security (ANSSI),[118] and German Federal Office for Information Security (BSI)[119] recommend post-quantum cryptography.
For example, the US National Security Agency addresses five issues:[115]
- Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or pre-placed keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
- Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
- Quantum key distribution increases infrastructure costs and insider-threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
- Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than what is available in most physical engineering scenarios, making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems.[120]
- Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.
In response to problem 1 above, attempts to deliver authentication keys using post-quantum cryptography (or quantum-resistant cryptography) have been proposed worldwide. On the other hand, quantum-resistant cryptography is cryptography belonging to the class of computational security. In 2015, a research result was already published that "sufficient care must be taken in implementation to achieve information-theoretic security for the system as a whole when authentication keys that are not information-theoretic secure are used" (if the authentication key is not information-theoretically secure, an attacker can break it to bring all classical and quantum communications under control and relay them to launch a man-in-the-middle attack).[121] Ericsson, a private company, also cites the above problems and reports that quantum key distribution may not be able to support the zero trust security model, which is a recent trend in network security technology.[122]
References
- S2CID 6979295.
- ^ S2CID 174799187.
- ^ S2CID 206771454.
- S2CID 207155055.
- ^ Bennett, Charles H.; Brassard, Gilles (1984). "Quantum cryptography: Public key distribution and coin tossing". Proceedings of IEEE International Conference on Computers, Systems and Signal Processing. 175: 8.
- S2CID 27683254.
- ^ "Crypto-gram: December 15, 2003 – Schneier on Security". www.schneier.com. Retrieved 13 October 2020.
- ^ S2CID 457259, retrieved 13 October 2020
- ^ "FastStats". www.cdc.gov. 4 August 2020. Retrieved 13 October 2020.
- ^ Rights (OCR), Office for Civil (7 May 2008). "Privacy". HHS.gov. Retrieved 13 October 2020.
- ^ S2CID 2948183.
- S2CID 665165.
- S2CID 20580923.
- ^ PMID 28443624.
- ^ S2CID 21698666.
- S2CID 170078611.
- S2CID 126717712.
- S2CID 51204011.
- S2CID 219003338.
- S2CID 53624575.
- ^ a b c Mayers, Dominic (1997). "Unconditionally Secure Quantum Bit Commitment is Impossible". Physical Review Letters. 78 (17): 3414–3417. S2CID 14522232.
- S2CID 3264257.
- S2CID 14378275.
- S2CID 17813922.
- S2CID 8823466.
- S2CID 16764407.
- ^ Stuart Mason Dambort (26 March 2014). "Heads or tails: Experimental quantum coin flipping cryptography performs better than classical protocols". Phys.org. Archived from the original on 25 March 2017.
- arXiv:quant-ph/0206088.
- S2CID 205325088.
- ISSN 0022-0000.
- ^ "Heads or tails: Experimental quantum coin flipping cryptography performs better than classical protocols". phys.org. Retrieved 18 October 2020.
- ^ S2CID 27022972.
- ^ a b Crépeau, Claude; Joe, Kilian (1988). Achieving Oblivious Transfer Using Weakened Security Assumptions (Extended Abstract). FOCS 1988. IEEE. pp. 42–52.
- ^ a b Kilian, Joe (1988). Founding cryptography on oblivious transfer. STOC 1988. ACM. pp. 20–31. Archived from the original on 24 December 2004.
- ^ Brassard, Gilles; Claude, Crépeau; Jozsa, Richard; Langlois, Denis (1993). A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties. FOCS 1993. IEEE. pp. 362–371.
- S2CID 15916727.
- S2CID 3603337.
- S2CID 203593129. Retrieved 13 November 2020.
- ^ a b Damgård, Ivan; Fehr, Serge; Salvail, Louis; Schaffner, Christian (2005). Cryptography in the Bounded Quantum-Storage Model. FOCS 2005. IEEE. pp. 449–458. arXiv:quant-ph/0508222.
- ^ Wehner, Stephanie; Schaffner, Christian; Terhal, Barbara M. (2008). "Cryptography from Noisy Storage". Physical Review Letters. 100 (22): 220502. S2CID 2974264.
- S2CID 12500084.
- ^ Cachin, Christian; Crépeau, Claude; Marcil, Julien (1998). Oblivious Transfer with a Memory-Bounded Receiver. FOCS 1998. IEEE. pp. 493–502.
- ^ Dziembowski, Stefan; Ueli, Maurer (2004). On Generating the Initial Key in the Bounded-Storage Model (PDF). Eurocrypt 2004. LNCS. Vol. 3027. Springer. pp. 126–137. Archived (PDF) from the original on 11 March 2020. Retrieved 11 March 2020.
- ^ Chandran, Nishanth; Moriarty, Ryan; Goyal, Vipul; Ostrovsky, Rafail (2009). "Position-Based Cryptography". Cryptology ePrint Archive.
- ^ US 7075438, issued 2006-07-11
- ^ Malaney, Robert (2010). "Location-dependent communications using quantum entanglement". Physical Review A. 81 (4): 042319. S2CID 118704298.
- ^ Malaney, Robert (2010). "Quantum Location Verification in Noisy Channels". 2010 IEEE Global Telecommunications Conference GLOBECOM 2010. pp. 1–6. ISBN 978-1-4244-5636-9.
- S2CID 1042757.
- ^ Lau, Hoi-Kwan; Lo, Hoi-Kwong (2010). "Insecurity of position-based quantum-cryptography protocols against entanglement attacks". Physical Review A. 83 (1): 012322. S2CID 17022643.
- S2CID 220613220.
- S2CID 27648088.
- ^ Malaney, Robert (2016). "The Quantum Car". IEEE Wireless Communications Letters. 5 (6): 624–627. S2CID 2483729.
- arXiv:2310.04425.
- ^ Mayers, Dominic; Yao, Andrew C.-C. (1998). Quantum Cryptography with Imperfect Apparatus. IEEE Symposium on Foundations of Computer Science (FOCS). Bibcode:1998quant.ph..9039M.
- ^ Colbeck, Roger (December 2006). "Chapter 5". Quantum And Relativistic Protocols For Secure Multi-Party Computation (Thesis). University of Cambridge. arXiv:0911.3814.
- S2CID 23057977.
- ^ Bibcode:2014arXiv1402.0489M.
- S2CID 6792482.
- PMID 29386507.
- ^ Daniel J. Bernstein (2009). "Introduction to post-quantum cryptography" (PDF). Post-Quantum Cryptography.
- ^ Daniel J. Bernstein (17 May 2009). Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? (PDF) (Report). Archived (PDF) from the original on 25 August 2017.
- ^ "Post-quantum cryptography". Archived from the original on 17 July 2011. Retrieved 29 August 2010.
- ^ Bernstein, Daniel J.; Buchmann, Johannes; Dahmen, Erik, eds. (2009). Post-quantum cryptography. Springer. ISBN 978-3-540-88701-0.
- ^ Watrous, John (2009). "Zero-Knowledge against Quantum Attacks". SIAM Journal on Computing. 39 (1): 25–58.
- ^ "NSA Suite B Cryptography". Archived from the original on 1 January 2016. Retrieved 29 December 2015.
- ^ "Quantum Resistant Public Key Exchange: The Supersingular Isogenous Diffie-Hellman Protocol – CoinFabrik Blog". blog.coinfabrik.com. 13 October 2016. Archived from the original on 2 February 2017. Retrieved 24 January 2017.
- S2CID 52009384.
- S2CID 226956062.
- arXiv:quant-ph/0105032.
- S2CID 23925266.
- S2CID 6340239.
- S2CID 12883829.
- S2CID 119097757.
- S2CID 118425296.
- S2CID 59467718.
- S2CID 5311008.
- S2CID 195791867.
- S2CID 1096490.
- PMID 28393853.
- S2CID 119486945.
- S2CID 204901444.
- S2CID 12720233.
- ^ Yuen, H. P. (31 July 2009). Physical Cryptography: A New Approach to Key Generation and Direct Encryption (PDF) (PhD thesis).
- ^ S2CID 56788374.
- ^ S2CID 210966407.
- S2CID 215816092.
- S2CID 21512925.
- ISBN 9783540285731.
- S2CID 118937168.
- S2CID 225383926.
- S2CID 49185664.
- S2CID 231852229.
- S2CID 219095947.
- S2CID 867791.
- S2CID 195225370.
- S2CID 119069709.
- arXiv:quant-ph/0509092.
- S2CID 7824483.
- S2CID 254745640.
- S2CID 232072394.
- S2CID 15873250.
- ^ S2CID 118227839. Archived from the original (PDF) on 28 February 2020.
- ^ PMID 16090452.
- S2CID 209939102.
- ^ ISSN 1050-2947.
- ^ a b "Quantum Key Distribution (QKD) and Quantum Cryptography (QC)". National Security Agency. Retrieved 16 July 2022.
This article incorporates text from this source, which is in the public domain.
- ^ Post-Quantum Cryptography: Current state and quantum mitigation, Section 6 "Conclusion" [1]
- ^ Quantum security technologies
- ^ Should Quantum Key Distribution be Used for Secure Communications?
- ^ "Quantum Cryptography".
- S2CID 44504715.
- S2CID 254986932.
- arXiv:2112.00399 [cs.CR].