Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. Currently used popular public-key encryption and signature schemes (e.g., RSA and ElGamal) can be broken by quantum adversaries. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. non-quantum) communication (see below for examples). For example, it is impossible to copy data encoded in a quantum state, and the very act of reading data encoded in a quantum state changes the state. This is used to detect eavesdropping in quantum key distribution.

Quantum key distribution

The most well known and developed application of quantum cryptography is quantum key distribution (QKD), which is the process of using quantum communication to establish a shared key between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. If Eve tries to learn information about the key being established, key establishment will fail, causing Alice and Bob to notice. Once the key is established, it is then typically used for encrypted communication using classical techniques. For instance, the exchanged key could be used for symmetric cryptography.
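The eavesdropping-detection mechanism described above can be seen end to end in a small simulation of a BB84-style exchange. The Python below is an added illustration, not code from the original article; it models each qubit classically as the (basis, bit) pair it currently encodes, so that measuring in the wrong basis yields a random outcome and disturbs the state, which is the property the text relies on. The function names, the random-seed handling and the abort threshold are assumptions made for the example.

```python
import random

# Basis 0 = rectilinear, basis 1 = diagonal. Measuring in the preparation basis
# returns the encoded bit; measuring in the other basis returns a uniformly random
# bit and leaves the qubit re-prepared in the measurement basis (state disturbed).

QBER_ABORT_THRESHOLD = 0.11  # assumed abort threshold; real deployments derive it from their post-processing


def measure(qubit, basis, rng):
    """Return (outcome, post-measurement qubit) for measuring `qubit` in `basis`."""
    prep_basis, bit = qubit
    if basis == prep_basis:
        return bit, (basis, bit)
    outcome = rng.randrange(2)          # wrong basis: 50/50 outcome, state collapses
    return outcome, (basis, outcome)


def run_bb84(n, eve_present, seed=0):
    """Simulate one BB84 run over n qubits (constructed random data).

    Returns a dict with the estimated quantum bit error rate (QBER), whether key
    establishment succeeded, and the keys Alice and Bob end up holding.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    qubits = list(zip(alice_bases, alice_bits))

    if eve_present:
        # Eve reads every qubit in a guessed basis and forwards the collapsed
        # state. Where she guesses wrong (~50%) the forwarded state is random,
        # so Bob's later correct-basis measurement is wrong half the time:
        # the act of reading leaves a ~25% error rate on the sifted bits.
        qubits = [measure(q, rng.randrange(2), rng)[1] for q in qubits]

    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(q, b, rng)[0] for q, b in zip(qubits, bob_bases)]

    # Sifting: bases are announced over an authenticated classical channel and
    # only positions where Alice's and Bob's bases agree are kept.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]

    # Parameter estimation: sacrifice half of the sifted positions by comparing
    # their bits publicly; the disagreement rate estimates the QBER.
    rng.shuffle(sifted)
    half = len(sifted) // 2
    sample, kept = sifted[:half], sifted[half:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    established = qber <= QBER_ABORT_THRESHOLD

    return {
        "qber": qber,
        "established": established,
        "alice_key": [alice_bits[i] for i in kept] if established else [],
        "bob_key": [bob_bits[i] for i in kept] if established else [],
    }


if __name__ == "__main__":
    for eve in (False, True):
        result = run_bb84(2000, eve_present=eve, seed=1)
        print(f"eve={eve}: QBER={result['qber']:.3f} established={result['established']}")
```

Without an eavesdropper the sampled bits agree perfectly and the remaining sifted bits form an identical key on both sides; with an eavesdropper the estimated error rate jumps to roughly a quarter, Alice and Bob abort, and no key is produced. A real system also has to budget for channel noise, which is why the threshold matters rather than a simple "any error aborts" rule.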
Quantum commitment

Following the discovery of quantum key distribution and its unconditional security, researchers tried to achieve other cryptographic tasks with unconditional security. One such task was commitment. A commitment scheme allows a party Alice to fix a certain value (to "commit") in such a way that Alice cannot change that value while at the same time ensuring that the recipient Bob cannot learn anything about that value until Alice reveals it. Such commitment schemes are commonly used in cryptographic protocols. In the quantum setting, they would be particularly useful: Crépeau and Kilian showed that from a commitment and a quantum channel, one can construct an unconditionally secure protocol for performing so-called oblivious transfer.[13] Oblivious transfer, on the other hand, had been shown by Kilian to allow implementation of almost any distributed computation in a secure way (so-called secure multiparty computation).[14]

Bounded- and noisy-quantum-storage model

One possibility to construct unconditionally secure quantum commitment and quantum oblivious transfer (OT) protocols is to use the bounded quantum storage model (BQSM). In this model, we assume that the amount of quantum data that an adversary can store is limited by some known constant Q. We do not, however, impose any limit on the amount of classical (i.e., non-quantum) data the adversary may store.

In the BQSM, one can construct commitment and oblivious transfer protocols.[18] The underlying idea is the following: the protocol parties exchange more than Q quantum bits (qubits). Since even a dishonest party cannot store all that information (the quantum memory of the adversary is limited to Q qubits), a large part of the data will have to be either measured or discarded. Forcing dishonest parties to measure a large part of the data makes it possible to circumvent the impossibility result by Mayers;[16] commitment and oblivious transfer protocols can now be implemented.

The protocols in the BQSM presented by Damgård, Fehr, Salvail, and Schaffner[18] do not assume that honest protocol participants store any quantum information; the technical requirements are similar to those in QKD protocols. These protocols can thus, at least in principle, be realized with today's technology. The communication complexity is only a constant factor larger than the bound Q on the adversary's quantum memory.
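The counting argument behind the BQSM (send more qubits than the adversary can store, so that most of them must be measured before the bases are known) can be made concrete with a toy simulation. The Python below is an added illustration, not one of the protocols from the literature cited above; the function name, its parameters and the simplified adversary (store Q qubits, measure the rest in a guessed basis) are assumptions made for the example.

```python
import random


def bqsm_adversary_knowledge(n, q, seed=0):
    """Toy model of the bounded-quantum-storage argument (constructed example).

    Alice sends n qubits, each encoding a random bit in a random basis. The
    adversary may hold at most q of them in quantum memory until the bases are
    announced; every other qubit must be measured immediately in a guessed
    basis (discarding it is no better). Returns (known, uncertain): how many of
    Alice's bits the adversary learns exactly, and how many it measured in the
    wrong basis, where its outcome is independent of Alice's bit.
    """
    rng = random.Random(seed)
    q = min(q, n)                                   # cannot store more than was sent
    bases = [rng.randrange(2) for _ in range(n)]    # Alice's preparation bases
    stored = set(rng.sample(range(n), q))           # qubits kept in quantum memory

    known = uncertain = 0
    for i in range(n):
        if i in stored:
            known += 1          # measured later in the announced basis: learned exactly
            continue
        guessed_basis = rng.randrange(2)
        if guessed_basis == bases[i]:
            known += 1          # lucky guess: outcome equals Alice's bit
        else:
            uncertain += 1      # wrong basis: outcome carries no information
    return known, uncertain


if __name__ == "__main__":
    n = 1000
    for q in (0, 200, 500, n):
        known, uncertain = bqsm_adversary_knowledge(n, q, seed=3)
        print(f"n={n} Q={q}: known={known} uncertain={uncertain}")
```

With Q equal to n the adversary waits for the basis announcement and learns every bit, which is the situation Mayers' impossibility result covers; with Q well below n about half of the n - Q qubits that had to be measured early end up in the wrong basis, and that residual uncertainty is what the BQSM protocols turn into a commitment or an oblivious transfer.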
Post-quantum cryptography

Quantum computers may become a technological reality; it is therefore important to study cryptographic schemes that remain secure against adversaries with access to a quantum computer. The study of such schemes is often referred to as post-quantum cryptography. The need for post-quantum cryptography arises from the fact that many popular encryption and signature schemes (such as RSA and its variants, and schemes based on elliptic curves) can be broken using Shor's algorithm for factoring and computing discrete logarithms on a quantum computer. Examples of schemes that are, as of today's knowledge, secure against quantum adversaries are McEliece and lattice-based schemes. Surveys of post-quantum cryptography are available.[36][37]

There is also research into how existing cryptographic techniques have to be modified to be able to cope with quantum adversaries. For example, when trying to develop zero-knowledge proof systems that are secure against quantum adversaries, new techniques need to be used: in a classical setting, the analysis of a zero-knowledge proof system usually involves "rewinding", a technique that makes it necessary to copy the internal state of the adversary. In a quantum setting, copying a state is not always possible (no-cloning theorem); a variant of the rewinding technique has to be used.[38]

Post-quantum algorithms are also called "quantum resistant", because – unlike QKD – it is not known or provable that there will not be potential future quantum attacks against them. Even though they are not vulnerable to Shor's algorithm, the NSA has announced plans to transition to quantum resistant algorithms.[39] The National Institute of Standards and Technology (NIST) believes that it is time to think of quantum-safe primitives.[40]