On the question of secret probability distributions in quantum bit commitment
Chi-Yee Cheung

TL;DR
This paper explores how secret probability distributions used by Bob in quantum bit commitment affect the security proof, showing that secret distributions lead to mixed states and impact Alice's ability to cheat.
Contribution
It provides a simplified proof that secret distributions by Bob influence the no-go theorem, extending the analysis to imperfect concealing scenarios.
Findings
Secret distributions lead to mixed quantum states.
Alice's cheating ability remains possible with secret distributions.
The proof extends to imperfect concealing cases.
Abstract
The proof of the No-Go Theorem of unconditionally secure quantum bit commitment depends on the assumption that Alice knows every detail of the protocol, including the probability distributions associated with all the random variables generated by Bob. We argue that this condition may not be universally satisfied. In fact it can be shown that when Bob is allowed to use a secret probability distribution, the joint quantum state is inevitably mixed. It is then natural to ask if Alice can still cheat. A positive answer has been given by us [13] for the perfect concealing case. In this paper, we present a simplified proof of our previous result, and extend it to cover the imperfect concealing case as well.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
On the question of secret probability distributions in quantum bit commitment
Chi-Yee Cheung
Institute of Physics, Academia Sinica
Taipei, Taiwan 11529, Republic of China
Abstract
The proof of the No-Go Theorem of unconditionally secure quantum bit commitment depends on the assumption that Alice knows every detail of the protocol, including the probability distributions associated with all the random variables generated by Bob. We argue that this condition may not be universally satisfied. In fact it can be shown that when Bob is allowed to use a secret probability distribution, the joint quantum state is inevitably mixed. It is then natural to ask if Alice can still cheat. A positive answer has been given by us Cheung07 for the perfect concealing case. In this paper, we present a simplified proof of our previous result, and extend it to cover the imperfect concealing case as well.
quantum bit commitment, quantum cryptography
pacs:
03.67.Dd
Quantum bit commitment is an important two-party primitive in quantum cryptography, because a secure quantum bit commitment protocol can be used to guarantee the security of a number of other cryptographic protocols.Brassard96 ; Blum83 ; Bennett91 ; Crepeau94 ; Yao95 ; Mayers96 ; Brassard88 ; Kilian88 ; Crepeau95
Bit commitment involves a sender (Alice) and a receiver (Bob). Alice commits to Bob a secret bit and at the same time provides him with a piece of evidence. When Alice unveils the secret bit sometime in the future, Bob can check the evidence and verify that the unveiled bit is the same as what was committed by Alice in the beginning. Now Alice and Bob do not trust each other, in the sense that Bob would try to gain information about the committed bit (from the provided evidence) before Alice unveils it, and Alice would try to change her commitment if it is to her advantage to do so. A bit commitment protocol is said to be secure if, (1) Bob cannot know the value of before Alice reveals it (concealing), and (2) Alice cannot change without Bob’s knowledge (binding).
In quantum bit commitment (QBC), Alice and Bob together execute a series of quantum and classical operations during the commitment procedure, such that in the end Bob holds a quantum state which serves as the evidence of Alice’s commitment. If
[TABLE]
the protocol is said to be perfect concealing, and obviously Bob is not able to extract any information about the value of from the in his possession. For imperfect protocols, the two density matrices are equal only asymptotically as the security parameter . For large but finite , one has
[TABLE]
so that Bob’s knowledge of (before Alice unveils it) vanishes in the limit .
If a QBC protocol is secure even if both Alice and Bob had unlimited computing power, then it is said to be unconditionally secure. Unfortunately unconditionally secure quantum bit commitment is ruled out by a no-go theorem Mayers97 ; LoChau97 . In essence the theorem says that, if a protocol is concealing to Bob, then it is cannot be binding to Alice. That means, if , then using a unitary transformation Alice has the freedom to rotate into or vice versa by operating on her own quantum particles only. As a result she can commit to one bit value and safely unveils another without Bob’s knowledge. It is not hard to see that this no-go conclusion depends on the assumption that Alice can always calculate without the help of Bob, which is equivalent to saying that she knows “every detail of the protocol, including the distribution of probability of a random variable generated by another participant” Brassard97 . However it is not obvious that this condition is universally valid in all possible QBC protocols. And when it is not, the validity of the no-go proof needs to be reexamined.
In the picture where all random variables are purified (that is, where all unrevealed classical choices are left undetermined by quantum entanglement), the only parameters that can remain secret are probability distributions. The problem of secret probability distributions in QBC has been addressed partially in Cheung07 , where we showed that for perfect concealing protocols Alice can still safely cheat even if she does not know the probability distribution Bob used to entangle a random variable. The purpose of this paper is to provide a simplified proof of our earlier result, furthermore we show that the same conclusion applies to imperfect concealing protocols as well.
To facilitate our discussion, we shall first outline the proof of the no-go theorem below. The crucial observation is that, using quantum entanglement, Alice and Bob can keep all undisclosed classical information undetermined and stored at the quantum level. In other words, they can always choose to delay any prescribed classical actions without consequences until it is required to disclose the outcomes. Then one can assume that, at the end of the commitment procedure, there exists a pure state in the joint Hilbert space of Alice and Bob . is called a purification of the quantum state in Bob’s hand, such that
[TABLE]
Note that, because and are disjoint, whether Bob actually purifies or not is irrelevant to Alice, without loss of generality she can assume he always does. In general, purification requires access to fully functioning quantum computers, which is nevertheless not a problem since both participants are assumed to have unlimited computational power.
For the perfect concealing case, where , it can be shown that the two purifications and are related by a unitary transformation on Alice’s side Hughston93 , namely,
[TABLE]
If Alice knows all the parameters used by Bob, then she can compute and then execute without Bob’s help. That means she can commit to but safely unveil (or vice versa); this is called the entanglement attack. It follows that perfect concealing protocols are not binding.
Next we consider the imperfect case where and are close but unequal. Quantitatively that means the fidelity of the two density matrices is close to one. Using Uhlmann’s theorem Jozsa94 , we can write
[TABLE]
where as the security parameter , and are purifications of and respectively, and the maximization is over all possible purifications. Uhlmann’s theorem also implies that, for a fixed purification of , there exists an optimal purification of such that
[TABLE]
Since and are two purifications of the same density matrix , by the previous argument, there must exist a unitary transformation such that , so
[TABLE]
So Alice can also cheat when , provided that she knows .
Mathematically the no-go theorem only proves that there exists a unitary transformation which can turn to , either exactly or asymptotically. As mentioned before, for the no-go theorem to be valid, one must also assume that Alice knows how to calculate by herself in every possible protocol. But that is by no mean obvious.
For example it may occur that the wavefunction depends on a certain parameter secretly chosen by Bob, then may also depend on and it would be unknown to Alice, unless proven otherwise. If so, could Alice still cheat?
One may doubt if this is a valid question, for what we are saying is that may be unknown to Alice and she is actually dealing with a mixed state, while as we saw the proof of the no-go theorem depends critically on the assumption that is pure. The original idea of the no-go proof is that whenever there is a random variable which renders the quantum state a mixed one, Alice can always work with the corresponding purified state. But that is possible only if she knew the probability distribution associated with the random variable in question. However if the probability distribution () is unknown, then the state is inevitably a mixed one, and any further purification attempt using another unknown probability distribution will not change that.
So the question being raised here is this: If a protocol allows Bob to choose a probability distribution which is not disclosed to Alice, could she still cheat by entanglement attack? Unfortunately the answer is positive for both perfect and imperfect concealing protocols, as we shall show in the following.
Consider first the perfect concealing case. It has been discussed in Cheung07 , and we are presenting here a simplified and improved proof. Suppose and are any two possible probability distributions that Bob can use, the concealing condition implies that
[TABLE]
where and are unitary operators acting on Alice’s particles. Obviously Bob has the freedom to entangle his choices, in which case the overall state is given by
[TABLE]
where is a real number, , are ancilla states controlled by Bob, and . The protocol should remain concealing, so and are again connected by a unitary transformation:
[TABLE]
where may or may not depend on , , and . Since the ancilla states and are not affected by , and they are orthogonal, it is easy to see that
[TABLE]
Comparing these relations with with Eqs. (8,9), we get
[TABLE]
for arbitrary and . Hence depends neither on nor . Therefore, as long as , Alice can calculate without the knowledge of the actually employed by Bob.
Next we consider the imperfect case, where the density matrices on Bob’s side and are close but not equal. As in the perfect concealing case, if and are two possible choices for Bob, then the concealing condition guarantees that there exist optimal unitary operators and such that,
[TABLE]
where , and as the security parameter approaches infinity. As before when Bob entangles his choices as in Eq. (10), there exists a such that
[TABLE]
where as . Substituting Eq. (10) into this equation gives
[TABLE]
Let
[TABLE]
where . Then Eq. (18) gives
[TABLE]
for arbitrary , which implies that as the security parameter ,
[TABLE]
like .
Comparing Eq. (19) and Eq. (20) with Eq. (15) and Eq. (16), respectively, we get
[TABLE]
for arbitrary and , such that in the limit of ,
[TABLE]
Consequently Alice only needs to calculate for any value of , and she can use it to change her committed bit if she prefers - her chance of being discovered approaches zero when the security parameter approaches infinity.
Conversely, it is easy to see that if in any protocol one finds that the operator between and depends on , then this protocol cannot be concealing, because when Bob entangles as in Eq. (10), the resulting pure states and are not connected by an unitary transformation operating in Alice’s Hilbert space, implying that
In summary we have argued in this paper that Alice cannot possibly know all the probability distributions used by Bob, because they do not trust each other. Then for a complete proof of the no-go result, one must also address the following question: In protocols where Bob is allowed to use probability distributions unknown to Alice during the commitment phase, can Alice still apply the entanglement attack? The answer we have arrived at is positive for both perfect and imperfect concealing cases, so unconditionally secure quantum bit commitment remains impossible.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1) See, e.g., G. Brassard and C. Crépeau, SIGACT News 27 , 12 (1996).
- 2(2) M. Blum, SIGACT News, 15 , 23 (1983).
- 3(3) C. H. Bennett, G. Brassard, C. Crépeau, and M. H. Skubiszewska, in Advances in Cryptology − - Proceedings of CRYPTO’91 , edited by J. Feigenbaum (Springer, Berlin, 1991), p. 351.
- 4(4) C. Crépeau, J. Mod. Opt. 41 , 2455 (1994).
- 5(5) A. C. C. Yao, in Proceedings of the 27th ACM Symposium on Theory of Computing , edited by T. Leighton and A. Borodin (ACM, New York, 1995), p. 67.
- 6(6) D. Mayers, in Advances in Cryptology − - Proceedings of Crypto’96 (Springer, Berlin, 1996), p. 343.
- 7(7) See, e.g., G. Brassard, Modern Cryptology: A Tutorial , Lecture Notes in Computer Science Vol. 325 (Springer-Verlag, New York, 1988).
- 8(8) J. Kilian, in Proceedings of the 20th ACM Symposium on Theory of Computing , edited by J. Simon (ACM, New York,1988), p. 20.
