
Graduate student: 李國彰 (Lee, Kuo-Chang)
Thesis title: 高量子效率之量子金鑰分配 (High Qubit Efficiency Quantum Key Distributions)
Advisor: 黃宗立 (Hwang, Tzonelih)
Degree: Doctor
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2009
Academic year of graduation: 97
Language: English
Number of pages: 106
Keywords: Qubit efficiency (量子效率), Quantum cryptography (量子密碼), Key distribution (金鑰分配)
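  • With the development of quantum computers, some mathematical problems that are hard for classical computers have been proven solvable in polynomial time by a quantum computer. Consequently, many key distribution protocols in classical cryptography whose security rests on the hardness of mathematical problems may become insecure and unusable in the future. In contrast, quantum cryptography mainly exploits the physical properties of quanta, such as the no-cloning property and the measurement uncertainty principle, to achieve information security applications.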

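    Compared with classical key distribution protocols, quantum key distribution protocols have the following two advantages: (1) the security of the protocol is based on the physical properties of quanta rather than on the hardness of mathematical problems; (2) it is easy to detect whether the key distribution process has been eavesdropped on. That is, quantum physical properties are used to achieve secure key distribution. However, existing quantum key distribution protocols still have the following unsolved problems: a low qubit utilization rate, expensive quantum devices, and the assumption that the classical communication channel provides identity authentication.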

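    During quantum key distribution, the key sender and receiver must exchange measurement basis information over the classical communication channel and discard the qubits that were measured in different bases. For the remaining shared bits, the two parties must again exchange information over the classical communication channel to check the correctness of the key and whether an eavesdropper is present, and must discard the bits used for the check. These two rounds of negotiation consume most of the qubits, which results in poor qubit utilization.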

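    In addition, given the current state of technology, the equipment needed to produce qubits is still very expensive: for example, single-quantum generating instruments, precise quantum state measuring instruments, long-duration quantum storage instruments, stable quantum state transformation gates, and long-distance quantum transmission channels. Considering the cost, ordinary users cannot afford to own a large amount of quantum equipment. Some quantum key distribution protocols do not take cost into account and assume that both communicating parties possess all kinds of quantum devices, which reduces the feasibility of those protocols.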

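    Most existing quantum key distribution protocols assume that the classical communication channel provides identity authentication. That is, messages transmitted over the classical communication channel can be eavesdropped on but cannot be tampered with by an attacker. If the assumption of an authenticated classical communication channel is dropped, such quantum key distribution protocols are exposed to the man-in-the-middle attack.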

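    This thesis combines the advantages of classical cryptographic techniques and quantum physical properties to propose high-efficiency quantum key distribution protocols, developing quantum key distribution protocols that can be executed securely in a quantum environment. Legitimate communicants can securely carry out key distribution even when facing an attacker with quantum computing capability. Besides meeting the security requirements of key distribution protocols, the proposed protocols also raise the qubit utilization rate. In addition, this thesis proposes quantum key distribution protocols for settings in which resources are unevenly distributed, so that ordinary communicants equipped with only a small number of quantum devices can still perform quantum key distribution, which matches real-world conditions and is more practical. Finally, this thesis proposes a quantum key distribution protocol that can verify the identities of the communicants, so that legitimate communicants can securely perform key distribution in an environment without an authenticated classical communication channel.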

    The security of key distribution in classical cryptography usually rests on the assumption that an attacker is unable to solve a certain mathematical problem, such as the discrete logarithm problem or the factoring problem. In the setting of quantum computation, the discrete logarithm problem and the factoring problem have been found solvable in polynomial time, and more classical mathematical problems may become insecure against quantum computation in the future. Without relying on mathematical problems, quantum key distribution provides unconditionally secure key distribution between communicants based on quantum physics, such as the quantum uncertainty principle and the quantum no-cloning theorem.

    Compared with key distribution in classical cryptography, the quantum key distribution protocol (QKDP) has two merits: (1) quantum mechanics provides a good solution for secure key distribution without the use of mathematical problems; and (2) legitimate participants can detect eavesdropping thanks to quantum phenomena. Therefore, QKDPs are considered more secure than classical key distribution protocols. However, current QKDPs have problems, such as an inefficient qubit utilization rate, the overhead of equipping expensive quantum devices, and the assumption of an authenticated classical channel.

    During quantum key distribution, the sender and the receiver must exchange information about their measuring bases through the classical communication channel, which spends 50% of the distributed qubits. Moreover, users perform a random-sampling public discussion for the eavesdropping check, which also uses 50% of the shared bits. Consequently, valuable qubits are wasted during the execution of the QKDPs, and legitimate participants can share only 25% of the distributed qubits as the secret key. The qubit utilization rate of current QKDPs is inefficient.

    Quantum devices, e.g., the qubit generating machine, the quantum memory, the qubit measuring machine, or the quantum unitary operator, are expensive to develop with current technology because they are difficult to construct. Many QKDPs assume that every communicating party is equipped with various quantum devices. In this situation, the QKDPs become impractical to implement.

    An authenticated classical channel is required in most existing QKDPs for the bases negotiation and the random-sampling public discussion. These QKDPs assume that the information transmitted over the authenticated classical channel can be eavesdropped on, but cannot be modified by an outsider. However, an authenticated classical channel is usually unavailable. If no authenticated classical channel is available, the QKDPs suffer from the man-in-the-middle attack: an attacker can impersonate one legitimate user to perform a QKDP with another legitimate user.

    This thesis focuses on designing high qubit efficiency QKDPs that bring the advantages of classical cryptography to quantum cryptography, in which legitimate users can securely perform key distribution even if an attacker has the ability of quantum computation. The proposed QKDPs not only achieve the security requirements of quantum key distribution, but also increase the qubit efficiency. Moreover, considering the expense of quantum devices, the dissertation proposes resource unbalanced QKDPs, which are suitable for key distribution in a resource unbalanced environment, e.g., between a wealthy center and a normal user. The normal user can perform a QKDP with only a few quantum devices. Finally, to eliminate the requirement of an authenticated classical channel, an authenticated QKDP is proposed.

    1 Introduction
      1.1 Quantum Key Distribution
      1.2 Quantum Key Distribution Protocols
      1.3 Overhead and Performance Evaluation in Quantum Key Distribution
      1.4 Motivation and Contributions
      1.5 Organization
    2 Review of Classical and Quantum Cryptography
      2.1 Review of Classical Cryptography
        2.1.1 Symmetric Algorithm
        2.1.2 Asymmetric Encryption
        2.1.3 One-way Hash Function
        2.1.4 Summary of Classical Cryptography
      2.2 Review of Quantum Cryptography
        2.2.1 Quantum Mechanisms
          2.2.1.1 Quantum Bit
          2.2.1.2 Quantum No-cloning Theorem
          2.2.1.3 Quantum Unitary Operations
          2.2.1.4 The Einstein-Podolsky-Rosen (EPR) Pair
          2.2.1.5 The Qubit Efficiency
        2.2.2 Review of Quantum Key Distribution Protocols
          2.2.2.1 The BB84 Quantum Key Distribution Protocol
          2.2.2.2 The EPR Quantum Key Distribution Protocol
        2.2.3 Summary of Quantum Cryptography
    3 100% Quantum Key Distribution Protocol
      3.1 The Necessity of the QKDP with High Qubit Efficiency
      3.2 Proposed 100% QKDP
        3.2.1 Notation
        3.2.2 Proposed QKDP with 100% Qubit Efficiency
        3.2.3 Security Analysis
        3.2.4 Comparison of the High Qubit Efficiency QKDPs
    4 Modifications of 100% Quantum Key Distribution Protocol
      4.1 The Necessity of the Modification of 100% QKDP
      4.2 The First Modification of 100% QKDP
        4.2.1 The First Modification of 100% QKDP (FMQKDP)
        4.2.2 Security Analysis
      4.3 The Second Modification of 100% QKDP (SMQKDP)
        4.3.1 The Second Modification of 100% QKDP
        4.3.2 Security Analysis
      4.4 Comparison of QKDPs
    5 Resource Unbalanced Quantum Key Distribution Protocols
      5.1 The Necessity of the Resource Unbalanced QKDP (RUQKDP)
      5.2 Proposed Resource Unbalanced Quantum Key Distribution Protocols
        5.2.1 The 100% Resource Unbalanced Quantum Key Distribution Protocol (FRUQKDP)
        5.2.2 The Second Resource Unbalanced Quantum Key Distribution Protocol (SRUQKDP)
        5.2.3 The Third Resource Unbalanced Quantum Key Distribution Protocol (TRUQKDP)
      5.3 Performance of Resource Unbalanced QKDPs
    6 Authenticated Quantum Key Distribution Protocols
      6.1 The Necessity of the Authenticated QKDP (AQKDP)
      6.2 The proposed Authenticated QKDP
        6.2.1 Notation
        6.2.2 Proposed Two-party Authenticated QKDP
        6.2.3 Security Analysis
          6.2.3.1 Security Properties of AQKDP
          6.2.3.2 Security Analysis of the AQKDP
      6.3 Performance of AQKDPs
      6.4 The proposed Three-party Authenticated QKDP
        6.4.1 Proposed Three-party Authenticated QKDP
          6.4.1.1 Security Analysis of the Three-party AQKDP
    7 Conclusions
    Bibliography


    Full text availability: on campus, public from 2014-07-22; off campus, public from 2014-07-22.