WO2018127693A1 - Commitment to a future position - Google Patents
- Publication number
- WO2018127693A1 PCT/GB2018/050008
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- commitment
- user
- token
- issuer
- space
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
- H04L9/0858—Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/61—Time-dependent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
Definitions
- the present invention relates to secure authentication. More particularly, the invention provides an authentication token that cannot be forged, and can be transmitted by electromagnetic waves and/or other standard means of communication; as well as methods for issuing and validating the token.
- Everyday currency is the most immediate example.
- no standard banknote is impossible to copy: forgery is a real world problem.
- familiar, tangible banknotes and coins are of limited use insofar as the speed with which they can be transferred from one place to another is fundamentally restricted. This property makes material money an asset of limited value in many situations, such as modern financial trading networks.
- one solution commonly adopted is to issue a password at a first point, P, in space and time (for example, in return for a payment) that can be used by the recipient as an authentication token at any one of a finite number of future points
- the issuing party may choose to determine a unique password for use at each of the points Qi; ask, at point P, the receiving party at which future point they intend to use the password; and issue the relevant password accordingly.
- this approach may be appropriate only in a limited number of circumstances.
- the token recipient may not know, when receiving the token at P, at which of the Qi she will choose to redeem it.
- she may wish to keep this information private: for instance, if the token is to be used to place a stock trade at some point Q k on a global financial network, the trader may not wish to give the market advance warning of the time or place of her intended trade.
- 'unconditional security' and 'information-theoretic security' are used interchangeably in this document to refer to security that can be proven relying only on the laws of physics, provided the protocol is followed faithfully (there is no cheating). In other words, the relevant proofs do not rely on the presumed practical intractability of a computational problem that can, in principle, be solved.
- quantum states can be encoded in photons of electromagnetic radiation, with sufficiently good technology quantum money tokens have the further advantage of being susceptive to transmission at light speed: they do not suffer the drawback mentioned above of classical, physical tokens such as banknotes.
- known techniques such as quantum teleportation and quantum secret sharing in principle allow quantum states to be transmitted in a way that affords more flexibility in response to incoming data than would be possible by sending a token along a single, definable path through space-time at speeds up to and including light speed.
- past privacy refers to the ability of the recipient to redeem the token at a chosen point - say, Q k - without unavoidably revealing any information about the token's whereabouts between P and Q k : so long as they are stored and transmitted securely, quantum tokens carry no record of their past locations.
- Future privacy and past privacy can be desirable or even imperative for certain individuals but also, for example, in the context of financial trading, where a record of past locations of the token implies a record of past locations where a trade could have been made. Such a record can encode valuable, exploitable information about trading strategies.
- quantum money solutions are not, to date, technically feasible: at present, the art lacks adequate solutions for long-term, interference-free storage of the sorts of systems in which quantum states can be encoded.
- the present invention improves upon the earlier approach just described, principally by introducing greater flexibility in terms of the technological capabilities required of the parties.
- one problem that this invention addresses is to provide classical, secure authentication tokens for use by a recipient in exchange for a resource, in a scenario in which the party issuing the token does not have ready access to any means for generating and/or transmitting quantum states, and/or the party requesting and using the token does not have ready access to any means for receiving and/or measuring quantum states.
- a further problem that may be addressed by the invention is where the user and issuer may have classical technologies that allow secure implementation but they may not (or not both) have quantum technologies available. Or they may only have available quantum technologies that are more costly, cumbersome or unreliable than their classical technologies.
- the invention relates to a cryptographic system for enabling a user securely to access a resource from an issuer at a first future point in space-time selected by the user and unknown to the issuer, but not at a second, different future space-time point.
- the parties pre-agree representations of the future space-time points
- the cryptographic system comprises a commitment device for use in a bipartite commitment protocol between them, in which the user makes a secure commitment to the issuer that comprises the agreed representation of the point in space-time selected by the user. In other words, she commits to the fact that she will present the token at that chosen point, and not at the other point.
- the commitment device is configured to generate commitment data at a first output associated with the user, and to generate validation data at a second output associated with the issuer.
- the cryptographic system further includes at least two redemption devices, one
- the redemption devices each have an input for receiving a token that may be presented by the user to the issuer (or directly to the device) at the respective point in space-time, the token being derived from the commitment data generated in the secure commitment.
- Each redemption device is configured to validate such a token if, and only if, it is presented at the point in space-time selected by the user and represented in the commitment; that is, if (and only if) the token is derived from commitment data generated in a commitment representing the selected point in space-time to which the respective redemption device corresponds.
- the invention is conceived particularly for application to scenarios in which the token is to be valid at a single, unique future point - it may resemble familiar, physical money in this way and this is one of its principal advantages.
- the invention is not intended to be limited to such applications, nor should it be construed as such; in its broadest sense, the invention provides a token that, when presented to the issuer at one point, guarantees him that it has not been presented at one or more alternative points.
- embodiments of the invention may enable the user to access the resource at her chosen time and location without requiring any transfer of information between the first point, at which it is valid, and the second, at which it is not.
- the first and second points in space-time may be two of a larger plurality of space-time points, each in the future of the point at which the commitment is made.
- the user and/or the issuer may each be represented by a plurality of agents, one corresponding to each of the future space-time points (as well as one corresponding to the issuance point). At least two of the points (or the first and second points, where there are only two) may be space-like separated from one another.
- the invention may be particularly advantageous in such scenarios, in that the ability conferred on the agent to whom the token is presented to know with certainty whether or not it has been presented at any point with an earlier (or equal) time co-ordinate, without reliance on data received from those earlier, perhaps space-like, points becomes relevant.
- the secure commitment made by the user of the resource using the commitment device is information-theoretically (synonymously, unconditionally) secure.
- the commitment may be at least computationally secure.
- by 'computational security' here is meant security that is guaranteed unless at least one party can solve some computational problem that is believed to be hard to solve in timescales over which security is a relevant concern.
- the commitment may be at least technologically secure; viz., secure unless at least one party has technology that is believed to be impractical at the time in which the protocol takes place.
- the token presented to the issuer by the user in exchange for the resource may consist exclusively of classical data.
- the token may simply be the commitment data generated in the secure commitment, or may be derived from or representative of those data in some way.
- Embodiments conferring unconditional security using a purely classical token are preferred, in that they may provide one of the principal advantages of quantum money whilst avoiding the problematic need for long-term storage and/or long-distance transmission of quantum information that is characteristic of quantum money solutions.
- the invention in another aspect, in general, relates to a commitment device usable within such a cryptographic system, for enabling a user of a resource to make a secure commitment to the issuer of that resource.
- the commitment device is configured to output commitment data generated in the secure commitment, from which the user's
- the commitment device is also configured to output validation data generated in the secure commitment, which the issuer may use to verify that the token is valid at the space-time point at which it is presented to the issuer by the user.
- the token may be transmitted to agents of the user at one or more of the future space-time points; and the validation data may be transmitted to agents of the issuer at both (or all) of the future space-time points. Since the issuer is unaware of the specific future space-time point selected by the user until the moment at which the token is presented, the presence of agents at all possible token redemption points will ensure that he is able to validate the token wherever she should present it.
- the agreed representation of the space-time point selected by the user corresponds to a binary word of suitable length and agreed to represent, or code for, that point.
- the secure commitment comprises a series of bit commitments: one to each bit of the word.
- a commitment protocol that is based on bit commitments may be advantageously straightforward for the parties to carry out, though in principle other alphabets could be used to compose representations of the various space-time points and such representations are not excluded from the scope of the appended claims.
- the commitment device may comprise suitable functionality for generating and measuring quantum information, for example under the control of a suitably-programmed computer or processor.
- the commitment device may comprise a suitably programmed computer or processor.
- the invention in yet another aspect, relates to a redemption device usable within a cryptographic system, for enabling an issuer of a resource to validate a token presented to him by a user of the resource.
- the redemption device includes an input for receiving the token, and is configured to validate the token if and only if the token is ascertained to be derived from commitment data generated in a commitment to the space-time point at (or corresponding to) which the token is presented.
- the invention in general, relates to a method for enabling a user securely to access a resource from an issuer at a first future point in space-time selected by the user, but not at a second, different future space-time point.
- the method preferably comprises the step of the user and the issuer implementing a bipartite commitment protocol, in which the user makes a secure commitment to the issuer.
- the commitment comprises a representation agreed by the parties to represent the user's selected future space-time point.
- the commitment phase generates commitment data for use by the user and validation data for use by the issuer.
- the method further includes the step of the issuer (or an agent of the issuer) receiving, at one or both of the space-time points, a token presented by the user (or an agent of the user).
- the token is derived from the commitment data generated in the secure
- the issuer validates it if, and only if, the token is presented at the point in space-time selected by the user and represented in the commitment; that is, if (and only if) the token is derived from commitment data generated in a commitment representing the point in space-time at (or corresponding to) which the token is presented.
- the commitment device of the cryptographic system is a quantum device
- the commitment made by the user to the issuer is a quantum commitment
- a quantum commitment device in accordance with these embodiments may enable the user to generate a sequence of quantum states, and to transmit those states to the issuer.
- the commitment data here comprise the quantum information encoded in the sequence; and the token may comprise a classical description (or representation) of the overall quantum state of the sequence.
- the quantum commitment device in these examples may also include means enabling the issuer to receive the quantum states from the user, to apply a randomly chosen measurement to each of the quantum states received and to record (classically) the outcomes of those measurements.
- the validation data in this case may be derived from those measurement results.
- the user may commit to each bit of the appropriate binary word by generating a particular sub-sequence of her overall sequence of quantum states in a particular way. That is, she may commit to a first value of a bit (say, '0') by generating a sub-sequence of quantum states chosen randomly from among a first set of quantum states, pre-agreed with the issuer, and to a second value of a bit (say, '1') by generating a sub-sequence of quantum states chosen randomly from among a second set, also pre-agreed with the issuer.
- each sub-sequence used to encode a single bit of the binary word in these embodiments includes at least around fifty quantum states, for example at least 30 or 40 or 50.
- the first and second sets of quantum states may be the pure states of respective bases of the Hilbert space of the relevant quantum systems, used to encode the quantum states.
- each quantum state generated by the user corresponds to a bit of quantum information, a qubit.
- each qubit may be encoded as a photon of electromagnetic energy or, realistically, as a weak light pulse with low expected photon number.
- each qubit in this case may be realised as a polarisation state of the corresponding photon (or of the corresponding weak light pulse).
- the commitment device of the cryptographic system is a classical device, and the commitment made by the user to the issuer is a classical commitment.
- a classical commitment device in accordance with these embodiments which may enable the user to commit to a representation, such as a binary representation, of her chosen space-time point may enable the issuer and the user independently to generate a respective string of random numbers, and to transmit data derived from at least one of those random numbers to the user or the issuer, respectively.
- the data transmitted may be derived from (or a function of) the respective party's random numbers as well as data received from the other party.
- the user may realise each of her bit commitments as a plurality of elementary bit commitments.
- the classical commitment device may enable the issuer to transmit a first pair of random numbers to the user, wherein each of the random numbers corresponds to a respective bit value. It may further enable the user to make an elementary bit commitment by adding, to the one of the random numbers received from the issuer that corresponds to the bit value to which she wishes to commit, one of her (independently-generated) random numbers; and to transmit the result of the addition to the issuer.
- the token here may include the random number generated by the user and used in the addition.
- Alternative embodiments discussed herein may provide a commitment protocol of less-than-unconditional security by enabling the user to return instead a number that is the result of a different function performed on the two numbers received from the issuer.
- Schemes according to such embodiments may be at least computationally secure. In some cases, they may be unconditionally secure.
- references herein to events or to the performance of method steps 'at' a space-time point are intended to comprise occurrences within an agreed, small (four-dimensional) region around the relevant point.
- the exchange of information generally requires classical and/or quantum data to be sent through agreed channels between two nearby secure sites controlled respectively by each of the parties to the exchange.
- Such an exchange may be said to occur at a point in space-time, the point defined as the geographical region occupied by the two sites and the space in between them taken together with the finite time required for the data to be transmitted.
- the term 'random' is intended throughout to connote perfect or near-perfect randomness.
- the states are generated perfectly at random with a view to precluding any possibility that the scheme may successfully be cheated.
- those of skill in the art will appreciate that some deviations from perfect randomness can be tolerated, provided that the bounds on that deviation are known: in particular, slight deviations from perfect randomness do not, materially, compromise security, and are intended to fall within the scope of the claimed invention.
- figure 1 is a schematic diagram of a two-dimensional space-time, illustrating an exemplary situation in which the present invention finds application;
- figure 2 is a flow-chart illustrating a method of generating an authentication token in accordance with one aspect of the invention
- figure 3 is a flow-chart illustrating a second method of generating an authentication token in accordance with one aspect of the invention.
- figure 4 is a flow-chart illustrating a method of generating a portion of an
- the light speed signalling bound is one important motivation for this invention.
- the present schemes will be described in a relativistic context, in which some or all of the space-time points of interest may be space-like separated from one another. As already mentioned, this is not essential, and the more general application of the invention to non-relativistic settings will be apparent to those of skill in the art.
- Figure 1 is a schematic diagram of a simplified, two-dimensional space-time and will be used to illustrate an exemplary situation in which the present invention finds application.
- a first party, a recipient A, wishes to receive from a second party, an issuer B, at a point P (x 0 , t 0 ) in space and time a token that she can return to him, in exchange for an asset, at some point in the future of P.
- the token may be a voucher, password or other encoding of information of any of the sorts discussed above for allowing access to a particular resource.
- the token acts as physical money, exchangeable for goods and/or services.
- the token is a password for gaining access to a given network and may be presented in digital form. In yet further examples, it may represent virtual credit for use in trading on a financial network, for instance taking the form of a signed document stating that A owns some number of shares of a given corporation.
- the token issuer B is more generally an 'agency', with agents as introduced in the Summary above distributed across a network of points at which A may choose to trade in her token (as well as at point P).
- the token user A may in some embodiments be a similar agency with a similar network of agents, though this is not in general essential.
- A and B could be financial institutions participating in a global financial network, with trading systems controlled by human agents and/or computers at many locations around the globe.
- A may be represented by a private individual (or a small group of individuals) who may only visit some of the potential redemption points and who wishes to keep her (or who wish to keep their) movements, and in particular the token's location, secret insofar as possible.
- B's agents operate with complete trust in one another and are able to share secret (classical) information securely between themselves at or near light speed.
- A's agents (where they exist) also co-operate with complete mutual trust and may also be able to share secret classical information securely between themselves at or near light speed. If light speed or near-light speed transmission of information is not feasible for A's agents, then the scheme is still useful but the mobility of her token is restricted.
- the protocols discussed below give A security based on the assumption that any sharing of information between her agents is done securely, and using separate communications channels to those used by B and his agents. In communicating amongst themselves, either group of agents could use any standard cryptographically secure communications scheme and any standard communications system.
- Some embodiments may make use of one-time pads to encrypt and decrypt the communications, in accordance with Vernam, G. S. Cipher printing telegraph systems for secret wire and radio telegraphic communications. Journal American Institute of Electrical Engineers XLV, 109-115 (1926), so as to ensure theoretically perfect security. These pads could be generated ahead of time and/or during the protocol, for example by using standard quantum key distribution schemes implemented by commercially available quantum cryptography apparatus. As the skilled reader will appreciate, many such quantum key distribution schemes exist and are known. A recent review is given, for example, in Lo, H.-K. et al. Secure quantum key distribution. Nature Photonics 8, 595-604 (2014).
- the invention encompasses both schemes in which a token is generated through use of quantum systems generated by the user to complete a quantum commitment from her to the issuer that she will redeem the token at a given point, as well as wholly classical schemes for making a similar commitment in which no quantum technology is required.
- the remaining discussions of this document present one example of a scheme involving quantum commitments and two example schemes involving classical commitments, and are organised as follows. First, embodiments of the exemplary quantum scheme will be described.
- a second section of the disclosure presents an exemplary commitment scheme within the scope of the invention that is purely classical in nature.
- a third section presents a further exemplary commitment scheme within the scope of the invention that is again purely classical in nature and which relies on a computational hardness assumption for its security and is, as such, computationally secure modulo the stated assumption.
- the scheme is information-theoretically secure against the issuer.
- Schemes with the reverse property, that is, which are information-theoretically secure against the user and computationally secure against the issuer, are also possible.
- n ∈ ℕ and may, for example, be on the order of 10^3, though depending upon the application of interest it may be many orders of magnitude larger or as small as 2.
- the token issuer B is represented by a network of agents, one located at P and one at each of the points Qi at which the parties have agreed that A may trade in her token.
- agents each possess apparatus suitable for receiving and measuring quantum states sent over short distances, as well as for transmitting and receiving classical data securely to and from each other as discussed above.
- the user A of the eventual token holds means for generating quantum states, and for transmitting them over at least short distances.
- she may be equipped with a credit card-sized device resembling a mobile phone, designed to receive classical data or use securely stored classical data in a way that allows it to generate and transmit in a narrow beam quantum states for the implementation of protocols for quantum key distribution and related cryptographic tasks.
- Such a device could transmit quantum states to a similarly-sized device operated by the issuer B, which is able to receive classical data in a way that allows it to make appropriate measurements for the implementation of quantum key distribution and related cryptographic tasks and securely to record the results.
- the transmission could, for example, be of quantum states encoded in photon polarisation states as discussed further below, transmitted over a short distance through free space (with the two devices appropriately aligned) or, alternatively, through an optical fibre connecting the devices.
- A as a party may also be represented as a number of agents, distributed across the network of possible trade points Qi at which tokens may be presented, as well as at P.
- FIG. 2 illustrates schematically a quantum token-generation protocol 20 according to the invention that is designed to be applicable in the scenario just outlined.
- the various steps of the protocol will be introduced concretely in the context of one specific embodiment. Several variations on certain details of that example that are envisaged will then be discussed.
- Before engaging in the exchange 20, A and B agree - in addition to the points Qi themselves at which A may redeem her token - a coding for those points, designating each with a unique binary code word of suitable length.
- a first point Q1 may be labelled as a string of 0's; a second Q2 as a string of 0's with a final 1; and so on. They then also agree that A will 'commit' at P to a trade at the point Qk of her choosing, unknown to B, by generating and sending to B's agent at P a sequence of quantum states that 'spell' the relevant code word in some suitable way.
- M is on the order of 10; preferably, the user A would use at least 50 photons to represent each bit of the word.
- the scheme does not rely for its security on the user A's ability to generate states perfectly randomly from the relevant bases. Further and additionally, security may also be guaranteed notwithstanding a less-than-perfect independence of the probabilities of generating each of the two possible states for any one given qubit from the corresponding probabilities associated with any other (for example, if the generation of a photon in the
- the parties engage in the exchange 20 of figure 2.
- the token user A generates a sequence of N quantum states that codes for her chosen trading point Q k in the sense just described.
- N is preferably on the order of log or larger.
- the state ⁇ ) might look something like (
- the quantum information encoded in that sequence represents commitment data, by means of which A commits to B that she will trade at Q k . She records a classical description (such as this) of the sequence generated, which she will carry with her to Q k to act, in effect, as her authentication token.
- A transmits her sequence of states to B's agent at P.
- the individual qubit states are encoded as single photons, they may be sent through optical fibre or free space using standard, commercially available quantum key distribution sending and receiving apparatus. They might use the setup described in Lunghi, T. et al.
- A may transmit her string of states to B's agent in an agreed time sequence that constitutes a short transmission burst (such as 1000 states every microsecond within an agreed millisecond, for example).
- B's agent at P proceeds to carry out a sequence of measurements on them at step 26. Specifically, for each state that he receives, he makes a random choice to measure the photon's polarisation either in the computational basis or in the Hadamard basis. Concretely: he might measure the state of the qubit in the computational basis by arranging a vertical polarisation filter before a photodetector.
- B's agent at P may use birefringent crystals or polarising beam splitters to allow both polarisation types in the relevant basis to pass, but in beams that emerge from different points or have different spatial directions.
- the collection of all apparatus used by the token recipient A in generating and transmitting her sequence, and in recording the overall state ⁇ ), together with that used by the token issuer B's agent at P in receiving and measuring the sequence and recording his results, is referred to herein as a 'commitment device'.
- the commitment device may be a single apparatus at the same location as the relevant agents of A and B, or it may comprise two portions, one held by the agent of A and one by the agent of B, linked by a suitable communications channel.
- the commitment device may comprise apparatus for generating and measuring the quantum states, controlled by a suitably-programmed processor or computer, and may comprise inputs and outputs for receiving data or information from and outputting data or information to the agents of A and B.
- B's agent at P records, at step 28, the measurements performed and their outcomes, classically (by writing them down, for instance; or by inputting them to a computer memory; or by utilising a suitably-programmed processor or computer that automatically generates signals corresponding to the measurement results from detection devices and transfers them directly to a computer memory); and sends that information as validation data securely to all other agents of B, each of which is prepared to be presented with A's token at one of the Q
- A reveals to B's agent at Q_k the classical description of the sequence of states that she generated at P: she presents her token. To validate the token, he verifies whether the results of the measurements on the sequence of states actually received at P could (statistically plausibly) have been obtained by performing those same measurements on the sequence that A now claims to have sent.
- the redemption device may be a single apparatus at the same location as the relevant agents of A and B, or it may comprise two portions, one held by the agent of A and one by the agent of B, which may be linked by a suitable communications channel.
- the commitment device may comprise inputs and outputs for receiving data or information from and outputting data or information to the agents of A and B.
- the short-distance communication at step 24 is the only point of the scheme at which transportation of quantum information is required.
- the skilled reader will appreciate that, although some errors, noise and losses may be incurred at this step, errors up to a threshold value can be allowed for by taking the number N of states to be sufficiently large to compensate for the associated error probability and by standard statistical tests.
- B's agent at P may in reality succeed in measuring only a subset of the N states prepared and sent by A's agent at P.
- B's agent may in this case provide feedback to A's in real- or near-real-time about which qubit states produced a measurement outcome, based on the timings of the positive measurement results.
- the token in this case can be made up simply as a redacted version of A's classical description of the state ⁇ ); and B's agents at the various Qi need only be made aware of the successful measurement outcomes.
- B's agent at P carries out the measurement step 26 immediately on receiving A's sequence of states at P. Though this may be preferred by parties not wishing to incur unnecessary experimental burdens, costs or risks, it is not an essential feature of the invention. In other words, should the relevant agent of B have the technological capabilities to store and/or transmit quantum states reliably, the measurement may instead be carried out at a later time, at a different point in space or even by another agent (provided, of course, that the measurement takes place at a space-time point that is in the causal past of the earliest point Q_1 at which A may appear and present her token for verification).
- … |−⟩ for A's qubits given above (referred to herein as the 'BB84 states') is given by way of example only, and in other embodiments the states generated by A may be chosen instead from any number of (complete or incomplete) bases.
- a sufficient condition on the states, and on the issuer B's possible measurements, is that each pair that the user might have sent according to the protocol can be statistically distinguished by one of the measurements that the issuer may choose to apply according to the protocol.
- by 'statistically distinguished' here is meant that the probabilities of the relevant outcomes when a measurement is performed are different for the two states in the pair.
- the invention has been illustrated as a commitment scheme in which the parties agree a binary encoding of the points at which the token user may elect to trade.
- Other possibilities are envisaged: with a suitable choice of sets of quantum states corresponding to the various letters, the alphabet used for the encoding may alternatively include three or more letters.
- although qubit implementations are presently preferred for reasons of simplicity both of exposition and of implementation, the skilled reader will appreciate that the invention is not limited to the use of two-level quantum systems, and still further embodiments may implement the present methods using d-level quantum systems such as trapped ions to encode so-called qudit quantum states.
- A might not know, or may prefer not to decide, at P when and where she will want to redeem her token. For example, if the token represents credit for a trade, then A may want to keep open the option of making the trade somewhere in a global trading network at time t_1, or of waiting until a later time t_2, or a third time t_3 that is later still, and so on.
- Her chosen location may also be time-dependent, and this sequence may not be known to her in advance. For instance, trading conditions at her first chosen point (say, London at t_1) may determine both whether she should trade then and there and, if not, where she should consider next.
- Embodiments of this invention foresee several adaptations of the scheme discussed in section A.1 above to this set of circumstances.
- A (or her agents) is (or are) at all points able to generate and transmit quantum states; and that all of B's agents are able to receive and measure states that may be sent to them, in the appropriate bases, as well as to send and receive classical data amongst themselves.
- A and B proceed as described above with reference to figure 2.
- A generates at step 322 a sequence of qubits (or qudits) that code for a first point at which she has decided she may wish to trade; she records the classical description ⁇ ) of the overall sequence, and passes the quantum states to B's agent at P along a suitable channel at step 324.
- B's agent carries out a sequence of random measurements on the states he has received; records the outcomes as before; and sends those data securely to his agents at all points Q A, meanwhile, either sends her classical description of her sequence ⁇ viz.
- at step 34, A makes a decision whether or not to redeem the token generated at P. If not, she returns to step 322.
- she chooses from among the next agreed set ( ⁇ 2 " 1 ], a new candidate point at which she may prefer to trade, and generates a second sequence of quantum states that code for that point in the sense described above.
- She again makes a record of the states produced, which can be appended to her original token to define a new token ⁇ ) ® ⁇ ) that will be valid at oi 2 ; and transmits the states to B's respective agent, thus committing to the new
- On receiving the fresh sequence of states, B's agent at measures them randomly as before and records his findings. He too appends the measurement data to those obtained by B's agent at P, and sends the cumulative data via secure channels to his colleagues at all points Q ⁇ 2 (As before, that B's agent acts immediately upon receiving the states from A is not a requisite of the scheme: should he happen to be able to store quantum systems reliably for an extended period of time, and/or send them to another point in space-time, he may prefer to measure them later on and/or at another location on the globe, with the proviso noted previously; viz., that the measurement takes place at a point in space-time that is in the causal past of the earliest point Q_1 on the network at which A may appear and present her token for verification.)
- B's agent at may optionally report to A which qubit states gave a positive measurement outcome, so that between them they may adapt the token to exclude the information encoded in the redundant or 'lost' qubits.
- the number of states in the new sequence may be the same as or different to the number N^(0) of states in
- the invention in principle does not exclude the possibility that the states generated at embody the coding of the points [ ⁇ 2 2 2) ] in a manner different from that adopted at P.
- the parties at may exchange photons in states other than the BB84 states introduced above, or may even work with alternative quantum systems (such as electrons, for example), should that prove more convenient for whatever reason.
- A may prefer to be represented by a plurality of agents, (one at each point for example), each tasked with generating and sending a fresh sequence of states to a respective agent of B.
- B cannot learn anything about A's initial choice of trading point - and thus, her trading strategy and its development over time - should she decide to postpone her trade to an alternative point later in time.
- A's agents at many of the may prepare and send to the corresponding agents of B 'dummy' states, not intended to play any role in generating the token but which may prevent B from inferring the initial choice of trading point
- Such dummy states should ideally take the form of a set of states that would be a valid continuation of the token, if the original sequence ⁇ ⁇ ) had in fact represented a commitment to the respective point (at which the relevant agent is located).
- A's agents should ideally follow the other communications prescribed by the protocol, as though the states might genuinely be used for a token continuation.
- if B's nearby agent sends to an agent of A states for which measurement outcomes were obtained, as above, she accepts this list and follows any further rules prescribed by the protocol. She also sends secure messages to A's other agents, of suitable lengths, so that they are indistinguishable by signal traffic analysis from the secure messages that would contain data continuing the token.
- the extended, 'hybrid' token will take the form of a classical description of the sequence of states sent to B's agent at P by A, followed by a series of (classical) measurement results obtained by A at by measuring a second sequence of states received by her from B's agent there.
- A at wishes to obtain a token segment that can be appended to her description of the state ⁇ ) that she generated at P, to give a token that will allow her to trade at a next chosen point. B's agent, at step 42, now generates a sequence of photons of suitable length N^(1), chosen this time independently at random from among the BB84 states. He records the states generated, classically, as his validation data; and transmits the photons to A at step 44. Thus A may receive an overall state of the form |0⟩_1 |+⟩_2 |−⟩_3 … |0⟩
- the user may then commit to the first bit of that word by measuring a first sub-sequence of M of the states received from the issuer's agent at in the appropriate one of two bases for the photonic Hilbert space. For instance, mirroring the discussion in section A.1 above, she may commit to a '0' bit by measuring the first M states in the computational basis, and to a '1' bit by measuring those states in the Hadamard basis. She records the results of her measurements as her commitment data for this round of the scheme which, in this instance, also represent her new token segment.
- Each 'point' here is now taken to be a region in space-time (for example, the spatial extension of the region could be defined by a city, or a building or a room; and the temporal extension by some small time interval); a first agent of each of the issuer and the user are taken to be relatively close together at one point within that region; and a second agent of each are also taken to be relatively close together at a second point within the region, where the first and second points are space-like separated from one another with significantly greater spatial separation than between the first pair of agents or the second pair of agents.
- All agents of the issuer B pre-agree, and privately share, a string of random numbers, defined modulo R, where R is a large integer defining a security parameter.
- R might be taken to be 50, although it could be significantly smaller or larger, such as between 10 and 200 or between 25 and 100. They also agree that particular pairs of random numbers in the string are to be used by particular agents at particular times in the protocol. The pairings are again chosen at random, subject only to the constraint that the two numbers in any given pair are different.
- All agents of the user A also pre-agree, and privately share, their own string of random numbers, again defined modulo R; and assign particular ones of those random numbers to be used by particular agents at particular times in the protocol.
- the agents of the token recipient at P then proceed to commit to each bit of the appropriate binary word, by completing a set of 2S elementary bit commitments, where S is a second agreed large integer defining a further security parameter.
- S might be taken to be 20, although it could be significantly smaller or larger, such as between 10 and 200 or between 25 and 100.
- Each of the elementary bit commitments is implemented as follows.
- the first of A's two agents at P requests to the first of B's two agents at P that the protocol commences; and B's agent responds by sending to A's agent the pair of random numbers assigned to that particular point in space-time.
- the agent of A initiating the protocol responds by swiftly returning the single number n_b + r_t (evaluated modulo R), where b is the value of the bit to which she wishes to commit and r_t is the one of her pre-distributed random numbers assigned to be used in this exchange.
- the commitment can be further continued by similar exchanges, which alternately take place between the first agents of A and B and the second agents of A and B, again as described in Kent, A. Secure Classical Bit Commitment using Fixed Capacity
- the issuer's validation data comprise the totality of all pairs of random numbers previously sent (i.e. sent in rounds of the protocol prior to the unveiling) to either agent of the user, together with all numbers received from either agent in these rounds.
- the user's commitment data comprise the totality of all the pre-distributed shared random numbers used by the user's agents in the commitment exchanges previously sent to generate numbers sent to the issuer's agents. Although commitment and validation data thus continue to be generated at each round of the protocol, the user's commitment to their original choice of committed data is guaranteed secure against all known attacks, as shown in the cited reference (Kent, 2005).
- an agent of A's located at the chosen point in space sends to a nearby agent of B's, for input to a redemption device, all the random data used by the two agents of A in the relevant bit commitment protocols, from the initiation round onwards, including data used in at least one round that is spacelike separated from the point in space-time where the nearby agent of B's will receive this communication.
- This spacelike separation guarantees to B's agent that the commitments are being validly unveiled, and hence that the token is being validly presented.
- B's agent at the redemption point needs to wait to receive from the agents of B at the initiation point the data they received in the final spacelike separated round. (He also needs the data from earlier rounds, but this may already have been sent to and reached him, so it per se requires no further delay.)
- the scheme just described may be extended in a manner similar to the extension of the quantum scheme outlined in section A.2, in the event that the token user A on reaching the point committed to decides to postpone her trade. Rather than unveiling the token at the original token redemption point, A's agents at that point may initiate a second set of commitments defining a valid continuation of the token. If the possibility exists that the token will be continued in this fashion, A's and B's agents at P continue to sustain the original commitments, defining the original token, until they learn that the token has been redeemed.
- £ (Q ⁇ ) may comprise any number of quantum state descriptions
- schemes for generating and extending a secure authentication token may find application in a more varied set of circumstances than those disclosed previously.
- this invention accommodates situations in which the token user A (or her agents) and agents of the token issuer B at a given, m th stage of the scheme may possess either means for generating and sending quantum states; or means for receiving and measuring them; or neither.
- the parties may choose, stage by stage (including at P), to follow the protocol of figure 2, that of figure 4 or that of this section, a choice dictated by their respective technological capabilities at that point in space and time.
- C Classical commitment scheme based on computational security assumptions
- the classical commitment scheme of this example may be realised by single agents representing each party A, B located at each point P, Qi in the network; that is, each party may have one agent located at each network point.
- Each 'point' here is again taken to be a small region in space-time (for example, the spatial extension of the region could be defined as a city, or a building, or a room, and the temporal extension by some small time interval).
- the commitment device may be implemented as a suitably-programmed processor or computer, having suitable inputs and outputs for receiving and transmitting data or information from and to the agents of A and B.
- A and B agree a large prime number p, sufficiently large that B is willing to accept security based on the assumption that A cannot solve random instances of the discrete logarithm problem modulo p with any technology, including any algorithm she may run on any classical or quantum computer, during any time interval over which a token may be defined and sustained.
- All agents of the issuer B pre-agree, and privately share, a string of random numbers, defined modulo p. They also agree that particular pairs of random numbers in the string are to be used by particular agents at particular times in the protocol. The pairings are again chosen at random, subject only to the constraint that the two numbers in any given pair are different.
- All agents of the user A also pre-agree, and privately share, their own string of random numbers, again defined modulo p; and assign particular ones of those random numbers to be used by particular agents at particular times in the protocol.
- the agent of the token recipient A at P then proceeds to commit to the valid redemption point as follows.
- A's agent at P requests to B's agent at P that the protocol commences; B's agent responds by sending to A's agent the pair of random numbers (g_1, g_2) assigned to that particular point in space-time.
- t is the code representing her chosen space-time point Q ⁇ , as described above, and r is the one of her pre-distributed random numbers assigned to be used in this exchange.
- an agent of A's located at the chosen point in space-time sends to a nearby agent of B's the numbers (r, t) (modulo p).
- the scheme just described may be extended in a manner similar to the extension of the quantum scheme outlined in section A.2, in the event that the token user A on reaching the point committed to decides to postpone her trade. Rather than unveiling the token at the originally-chosen redemption point, A's agent there may use a suitable commitment device at that location to initiate a second commitment defining a valid continuation of the token.
- the classical commitment scheme just outlined as a scheme for committing to one particular point in space-time, may be combined with either of the quantum schemes described in section A or with the classical commitment scheme previously outlined in section B to produce a hybrid token that is derived from two, three or four types of commitment data.
- A's hybrid token which she may eventually choose to redeem at some final e ⁇ ? ( y ⁇ ], may comprise any number of quantum state descriptions
- schemes for generating and extending a secure authentication token may find application in a more varied set of circumstances than those disclosed previously.
- this invention accommodates situations in which, depending on the commitment device functionality available at each point, the token user A (or her agents) and agents of the token issuer B at a given, m th stage of the scheme may possess either means for generating and sending quantum states; or means for receiving and measuring them; or neither.
- the parties may choose, stage by stage (including at P), to follow the protocol of figure 2, that of figure 4 or that of this section, a choice dictated by their respective technological capabilities at that point in space and time.
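
The token check of the quantum scheme described above (B measures each received state in a random basis at P, and the redemption device at Q_k later compares A's revealed description with those outcomes, allowing for lost photons and a bounded error rate) can be simulated classically. The following is an added example, not code from the patent: the function names, the block encoding of the point's binary word (bit 0 as computational-basis states, bit 1 as Hadamard-basis states), the block length m and the 15% error threshold are assumptions.

```python
import random

BASES = ("Z", "X")  # Z: computational basis, X: Hadamard basis


def encode_point(index, n_bits):
    """Agreed binary word for redemption point Q_index (big-endian)."""
    return [(index >> i) & 1 for i in reversed(range(n_bits))]


def prepare(word, m, rng):
    """User A at P: m BB84 states per bit. The bit fixes the basis (assumed
    encoding: 0 -> Z, 1 -> X); the value inside the basis is random.
    Returns her classical description, one (basis, value) per state."""
    return [(BASES[bit], rng.randrange(2)) for bit in word for _ in range(m)]


def measure(states, rng, loss=0.0, noise=0.0):
    """Issuer B at P: random basis per received state. Returns the
    validation data {position: (basis, outcome)} for detected states only."""
    record = {}
    for pos, (basis, value) in enumerate(states):
        if rng.random() < loss:
            continue                      # photon never detected
        chosen = rng.choice(BASES)
        if chosen == basis:
            outcome = value ^ int(rng.random() < noise)
        else:
            outcome = rng.randrange(2)    # wrong basis: uniformly random
        record[pos] = (chosen, outcome)
    return record


def redact(description, record):
    """Token: A's description restricted to the states B reported detecting."""
    return {pos: description[pos] for pos in record}


def validate(token, record, point, n_bits, m, max_error=0.15):
    """Redemption device at Q_point: accept only if the token encodes this
    point and agrees with B's outcomes wherever the bases coincide."""
    if set(token) != set(record):
        return False                      # must describe every detected state
    for j, bit in enumerate(encode_point(point, n_bits)):
        checked = errors = 0
        for pos in range(j * m, (j + 1) * m):
            if pos not in record:
                continue
            claimed_basis, claimed_value = token[pos]
            if claimed_basis != BASES[bit]:
                return False              # description encodes another point
            basis, outcome = record[pos]
            if basis == claimed_basis:
                checked += 1
                errors += outcome != claimed_value
        if checked == 0 or errors > max_error * checked:
            return False
    return True


def relabel(token, point, n_bits, m, rng):
    """A dishonest description: same positions, bases rewritten to encode
    `point`, with guessed values where the true basis was different."""
    word = encode_point(point, n_bits)
    out = {}
    for pos, (basis, value) in token.items():
        want = BASES[word[pos // m]]
        out[pos] = (basis, value) if basis == want else (want, rng.randrange(2))
    return out


def demo(seed=7, n_bits=3, m=128, committed=5, other=6):
    rng = random.Random(seed)             # seeded for a repeatable demo only
    description = prepare(encode_point(committed, n_bits), m, rng)
    record = measure(description, rng, loss=0.2, noise=0.02)
    token = redact(description, record)
    forged = relabel(token, other, n_bits, m, rng)
    return (validate(token, record, committed, n_bits, m),
            validate(token, record, other, n_bits, m),
            validate(forged, record, other, n_bits, m))


if __name__ == "__main__":
    print(demo())  # (honest at committed point, honest elsewhere, relabelled)
```

The relabelled description fails because, in the rewritten blocks, B's outcomes in the claimed basis were uniformly random, so about half of them disagree with any values A can claim.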
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
A cryptographic system enables a user to securely access a resource from an issuer at a first space-time point selected by the user, but not at a second (or any other) space-time point. The parties (the issuer and the user) agree in advance on representations of the future space-time points, which may comprise any number of future space-time points. The system then comprises a commitment device, for use in a commitment protocol between the user and the issuer, with which the user makes a secure commitment to the issuer, the commitment comprising the agreed representation of the space-time point selected by the user. The commitment device is configured to generate commitment data at a first output associated with the user and validation data at a second output associated with respective redemption devices of the issuer, at each of the space-time points, each having an input for receiving a token presented by the user, the token being derived from the commitment data. Each redemption device is configured to validate the token if and only if the token is presented at the space-time point selected by the user and represented in the commitment.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GBGB1700085.2A GB201700085D0 (en) | 2017-01-04 | 2017-01-04 | Future position commitment |
| GB1700085.2 | 2017-01-04 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018127693A1 (fr) | 2018-07-12 |
Family
ID=58412275
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/GB2018/050008 Ceased WO2018127693A1 (fr) | 2017-01-04 | 2018-01-03 | Future position commitment |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB201700085D0 (fr) |
| WO (1) | WO2018127693A1 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
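| CN110266489A (zh) * | 2019-07-16 | 2019-09-20 | Chongqing University of Posts and Telecommunications | Quantum threshold secret sharing method and system based on Lagrange unitary operators |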
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060022832A1 (en) * | 2004-07-30 | 2006-02-02 | Kent Adrian P | Tagging systems |
| WO2007011935A1 (fr) * | 2005-07-15 | 2007-01-25 | Honeywell International Inc. | Property-based data authentication mechanism |
Non-Patent Citations (2)
| Title |
|---|
| GHOSH S K ET AL: "A plan-commit-prove protocol for secure verification of traversal path", NETWORKS, 2004. (ICON 2004). PROCEEDINGS. 12TH IEEE INTERNATIONAL CONFERENCE ON SINGAPORE 16-19 NOV. 2004, PISCATAWAY, NJ, USA,IEEE, US, vol. 2, 16 November 2004 (2004-11-16), pages 458 - 462, XP010778590, ISBN: 978-0-7803-8783-6, DOI: 10.1109/ICON.2004.1409208 * |
| ROBERT A MALANEY: "Location-Dependent Communications using Quantum Entanglement", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 4 March 2010 (2010-03-04), XP080394291, DOI: 10.1103/PHYSREVA.81.042319 * |
Also Published As
| Publication number | Publication date |
|---|---|
| GB201700085D0 (en) | 2017-02-15 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| US11444757B2 (en) | Quantum tokens | |
| US9294280B2 (en) | Location verification in quantum communications | |
| Wang et al. | Quantum blockchain based on asymmetric quantum encryption and a stake vote consensus algorithm | |
| US20160191173A1 (en) | Location Verification in Quantum Communications | |
| Dušek et al. | Quantum identification system | |
| Gao | Two quantum dialogue protocols without information leakage | |
| Mishra et al. | Quantum anonymous veto: a set of new protocols | |
| JP2018526865A5 (ja) | Method of presenting or verifying a token | |
| US20100150349A1 (en) | Method and system for performing quantum bit commitment protocol | |
| Zheng et al. | A practical quantum designated verifier signature scheme for E-voting applications | |
| Guo et al. | Arbitrated quantum signature scheme with continuous-variable coherent states | |
| Lai et al. | An efficient quantum blind digital signature scheme | |
| Zawadzki | Advances in quantum secure direct communication | |
| Guo et al. | A novel quantum proxy blind signature scheme | |
| WO2018127693A1 (fr) | Future position commitment | |
| Li et al. | Quantum key agreement via non-maximally entangled cluster states | |
| Nadeem | Quantum non-locality, causality and mistrustful cryptography | |
| Mishra et al. | Quantum and semi-quantum lottery: strategies and advantages | |
| Gupta et al. | An efficient and secure quantum blind signature‐based electronic cash transaction scheme | |
| Shimizu et al. | Communication channels analogous to one out of two oblivious transfers based on quantum uncertainty | |
| Son et al. | Improving the asymmetric encryption algorithm based on genetic algorithm, application in online information transmission | |
| Nadeem | The causal structure of Minkowski space time: possibilities and impossibilities of secure positioning | |
| HK1258435B (en) | Quantum tokens | |
| Fatahi et al. | Secure electronic voting scheme by the new quantum signature-masked authentication | |
| Pérez et al. | Quantum authentication with unitary coding sets |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18700227; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 18700227; Country of ref document: EP; Kind code of ref document: A1 |