*"Post-Quantum" Cryptography*

In quantum key distribution schemes, Alice and Bob exchange quantum and classical information in order to generate a shared secret key. There are several well-known schemes, which are provably secure against eavesdropping, so long as quantum theory is correct. But what if quantum theory isn't correct? This might seem a rather academic question, since quantum theory has been confirmed in an impressive range of experiments since 1926. But cryptologists are supposed to examine their assumptions carefully. Physical theories have been superseded in the past, and there's no strong reason to think it won't happen again. (And in fact, although it's a minority view, there is a very respectable case for believing that the lingering conceptual problems in interpreting quantum theory point to some subtle defect in the theory itself.) You can't prove anything secure without making some assumptions, and in particular you can't prove any physics-based cryptography scheme secure without making some assumptions about physics. But Jonathan Barrett, Lucien Hardy and I were recently able to show that a quantum key distribution scheme can be proved secure even if quantum theory is incorrect, so long as we assume that (as special relativity suggests) it is impossible to send signals faster than light. The scheme is, admittedly, very inefficient, but it's at least a proof of principle that security guarantees can be based on either of two independent theories (quantum mechanics and special relativity), rather than on one alone. It would be very interesting to know if significantly more efficient schemes exist, or indeed if the security of standard quantum key distribution schemes can also be based on relativity. There's a popular account of this work in Physical Review Focus, linked here. ... 
Bit commitment is one of the main primitives of mistrustful cryptography, the branch of cryptography dealing with parties who need to exchange or process information but cannot rely on each other's honesty. ... It turns out, though, that secure (and practically feasible) bit commitment protocols can be implemented if Alice and Bob use separated sites and take account of the impossibility of signalling faster than light.
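To make the two-site idea concrete, here is an added toy model; it is not code or a protocol from this page, and it is not the authors' published scheme but the simplest one-round, two-site classical relativistic commitment commonly used to explain the approach. Alice and Bob each station an agent at two sites a distance D apart. At commitment time Bob's site-1 agent sends a fresh random challenge x and Alice's site-1 agent answers y = a XOR (b·x), where a is a pad pre-shared by Alice's two agents. Alice unveils (a, b) through her site-2 agent, and Bob accepts only if that unveiling arrives before light from site 1 could have carried x to site 2. The 10 km separation and the timestamps are constructed values; the exhaustive enumeration shows why a cheating unveiling succeeds with probability only 2^-n.

```python
"""Two-site relativistic bit commitment, modelled classically.

Added illustration (standard one-round two-site scheme, not the page's
own protocol). Alice and Bob each keep an agent at two sites a distance
D apart. Bob's site-1 agent sends a fresh random n-bit challenge x at
commitment time; Alice's site-1 agent answers y = a XOR (b * x), with a an
n-bit pad shared in advance by Alice's agents and b the committed bit.
To unveil, Alice's site-2 agent hands (a, b) to Bob's site-2 agent, who
accepts only if this happens before any signal from site 1 could arrive
(transit time D / c). Bob's agents later pool records and check
y == a XOR (b * x).
"""
import secrets

LIGHT_SPEED_M_PER_S = 299_792_458.0


def commit(a: int, x: int, b: int) -> int:
    """Site-1 answer to challenge x for bit b: y = a if b == 0, y = a ^ x if b == 1."""
    if b not in (0, 1):
        raise ValueError("committed value must be a single bit")
    return a ^ (x if b else 0)


def verify_opening(x: int, y: int, a: int, b: int) -> bool:
    """Bob's consistency check once both of his agents' records are combined."""
    return b in (0, 1) and commit(a, x, b) == y


def unveil_in_time(t_commit_s: float, t_unveil_s: float, distance_m: float) -> bool:
    """Relativistic condition: the unveiling at site 2 must precede the earliest
    moment a signal carrying x could travel from site 1 to site 2."""
    return t_commit_s <= t_unveil_s < t_commit_s + distance_m / LIGHT_SPEED_M_PER_S


def run_protocol(a, b, x, t_commit_s, t_unveil_s, distance_m,
                 opened_a=None, opened_b=None) -> bool:
    """One full run; opened_a / opened_b default to the honest values."""
    y = commit(a, x, b)
    opened_a = a if opened_a is None else opened_a
    opened_b = b if opened_b is None else opened_b
    return (unveil_in_time(t_commit_s, t_unveil_s, distance_m)
            and verify_opening(x, y, opened_a, opened_b))


def consistent_pads(x: int, y: int) -> dict:
    """Hiding: Bob holds x and y but not a; each bit value is explained by exactly
    one pad, so y carries no information about b before the unveiling."""
    return {0: y, 1: y ^ x}


def forge_success_fraction(n_bits: int, a: int, b: int, a_guess: int, b_target: int) -> float:
    """Binding: fraction of challenges x for which Alice's site-2 agent, knowing
    (a, b) but not x, gets (a_guess, b_target) accepted. For b_target != b the
    condition a ^ (b*x) == a_guess ^ (b_target*x) pins x to a ^ a_guess, so
    exactly one of the 2**n_bits challenges works."""
    hits = sum(
        verify_opening(x, commit(a, x, b), a_guess, b_target)
        for x in range(1 << n_bits)
    )
    return hits / (1 << n_bits)


if __name__ == "__main__":
    n = 32
    distance_m = 10_000.0        # constructed: sites 10 km apart, D/c is about 33.4 us
    a = secrets.randbits(n)      # pad pre-shared by Alice's two agents
    x = secrets.randbits(n)      # Bob's challenge, chosen at commitment time
    b = 1
    print("honest unveiling at 20 us accepted:", run_protocol(a, b, x, 0.0, 20e-6, distance_m))
    print("late unveiling at 40 us accepted:  ", run_protocol(a, b, x, 0.0, 40e-6, distance_m))
    print("cheating unveiling accepted:       ", run_protocol(a, b, x, 0.0, 20e-6, distance_m, opened_b=0))
    print("forging probability at n=8:        ", forge_success_fraction(8, 0x5A, 1, 0x5A, 0))
```

The timing check is the whole point of the separated sites: a single-site classical commitment cannot be both hiding and binding, but here the agent who unveils is guaranteed by the light-speed bound never to have seen the challenge x, while the pad a keeps y perfectly hiding until then.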