Table Of Content

Implementable Quantum Bit-String Commitment Protocol Toyohiro Tsurumaru Mitsubishi Electric Corporation, Information Technology R&D Center 5–1–1 Ofuna, Kamakura-shi, Kanagawa, 247-8501, Japan Quantumbitstringcommitment[A.Kent,Phys.Rev.Lett.,90,237901(2003)]orQBSCisavariant ofbitcommitment(BC).Inthispaper,weproposeanewQBSCprotocolthatcanbeimplemented using currently available technology, and prove its security under the same security criteria as discussed by Kent. QBSC is a generalization of BC, but has slightly weaker requirements, and our proposed protocol is not intended to break theno-go theorem of quantumBC. PACS number(s): 03.67.-a, 03.67.Dd, 89.70.+c 5 0 0 I. INTRODUCTION tum key distribution(QKD). This is mainly because BC 2 isoneimportantbuildingblockinawholelistofinterest- n ingtools,suchasmulti-partyprotocolsorzero-knowledge a Quantum bit string commitment (QBSC) was pro- J posed by Kent[3], as a generalization of bit commitment proof, rooted in classicalcryptology(see e.g., Ref.[8][9]). However, as pointed out in Ref.[3], we are not yet able 6 (BC).ThefundamentalgoalofQBSCisthesameasthat ofBC;thatis,thesenderfirstsendsevidenceofassigned even to characterizethe range of cryptographictasks for 2 whichperfectlysecurequantumprotocolsmightpossibly dataoveracommunicationchannelwithoutrevealingthe v exist. Thus, we assume here that there must be distinct actual data. Then, after an interval, the sender reveals 4 security notions that are unique to quantum cryptogra- the data and the receiver verifies that the data have not 7 phy, and seek protocols that do not necessarily have a 1 been modified. classical counterpart. 7 The difference in QBSC is that the sender commits a This paper is organized as follows. In Section II, we 0 string A = (a , ,a ) with n > 1 in a single protocol 4 1 ··· n briefly review some of the results by Kent[3], including session,andalimited(butcertain)numberofitsbitsare 0 the basic structure of QBSC and its security criteria. accessible by the receiver before the open phase. This / Subsequently, we describe the proposed protocol in Sec- h situation is referred to as (m,n) bit string commitment tion III and prove its security in Section IV. Then in p in Ref.[3], where m ( n) is the maximum number of - ≤ Section V, we briefly comment on the implementation nt accessible bits. Conventional BC schemes correspond to and finally conclude in Section VI. thecasewheren=1andm=0,andinthissenseQBSC a is a generalizationof BC. u q In this paper, we propose a new QBSC protocol that II. PREVIOUS METHOD : canbeimplementedusingcurrentlyavailabletechnology, v such as single-photon sources and detectors, and then i X prove its security. The main difference from the previ- The original QBSC was proposed in Ref.[3], with two r ous protocol is in the quantum measurement procedure example schemes, called Protocol 1 and Protocol 2. Be- a performed by the receiver to verify a commitment. In forepresentingourprotocol,webrieflyreviewtheresults our scheme, the receiver is allowed to perform the mea- by Kent in this section. Both of the example protocols surements in the commitment phase using randomized share a simple basic structure, as follows. Throughout bases, which means that it is not necessary to preserve this paper, we will call the sender Alice and the receiver the quantum state until the open phase. Bob. AlthoughQBSCisageneralizationofBC,thesecurity level that it achieves is slightly weaker than that of BC unless m=0. We would like to stress that our proposal A. Basic Structure of Kent’s Scheme isnotintendedtobreaktheno-gotheoremofLo-Chau[5] and Mayers[6], which states that if one takes full advan- 1. Procedure tageofquantumcomputersandquantumcommunication channels, any type of nonrelativistic BC scheme can be Alice and Bob proceed as follows. attacked[17]. Our ultimate goal is to devise useful and secure quantum cryptographic schemes that do not rely Commitment Phase on BC. The no-go theorem of BC often makes people think 1. Alice chooses a bit string A = (a ,...,a ) to be 1 n that it might be impossible to create any useful crypto- committed to and sends Bob the corresponding graphicprotocolsbasedonquantumtheory,exceptquan- state Ψ . A | i 2 2. Bob preserves the received state Ψ . B. Example Protocols A | i Open Phase 1. Protocol 1 1. Alice unveils A to Bob. Define qubit states 2. Bob verifies A by a projective measurement on Ψ . If the outcome is consistent with A, he ac- A ψ = 0 , ψ =sinθ 0 +cosθ 1 . | i 0 1 cepts the commitment, otherwise he rejects it. | i | i | i Alice sends particles in the states ψ ,...,ψ for A = The exact form of the state Ψ differs depending on a1 an | Ai (a1,...,an), ai 0,1 . In other words, she transmits the type of protocol and will be given below. to Bob the state∈Ψ{ :}= ψ ψ . Here θ R | Ai | a1i⊗···⊗| ani ∈ isaconstantthatisdeterminedaccordingtothesecurity parameter. 2. Security Requirement a. ConcealingCondition FromtheHolevobound[7], the information m that is accessible by Bob is bounded ForBC,therearetwosecurityrequirements,whichare by called the concealing and binding conditions[9]. Similar n notionsarealsousedforQBSC,althoughwithsomewhat 1+sinθ m S(ρ)= H , (2) relaxed restrictions[3]. ≤ (cid:20) 2(cid:18) 2 (cid:19)(cid:21) - Concealing Condition. The receiver can access where H (x) = xlogx (1 x)log(1 x). Hence m 2 only a limited number of bits in the committed can be arbitraril−y small b−y adj−usting θ. − string A before the open phase. b. Binding Condition. InProtocol1,binding is dis- Thenumberofaccessiblebits isreferredtoasmin cussedforeachbitseparately. Letpji =hψj|ρi|ψjibethe Ref.[3]. probability of Bob accepting a revelationof j for the ith bit. We have - Binding Condition. It is unlikely that Alice will change the content of her commitment A after the p0+p1 cos2[(π 2θ)/4]+sin2[(π+2θ)/4] , (3) i i ≤ − commitment phase. where the RHS can again be chosen arbitrarily close to Note that for BC schemes, Bob is assumed to gain no 1 by choosingsuitableθ. Ingeneral,the smaller θ is, the information whatsoever regarding committed bit b until stronger the binding becomes; simultaneously, however, Alice unveilsit, whereasinQBSC perfectconcealmentis concealingbecomesweaker,ascanbe seenfromInequal- dispensed with; Bob is allowed to extract a certain but ity (2). Thus, θ needs to be chosen with this balance in limited amount of information from A. mind. The meaning of the term ‘unlikely’ in the definition of the binding condition differs in the two protocols. This point will be discussed below. 2. Protocol 2 As to the possibility of each player cheating, Alice cheatingputsthebindingatriskandBobcheatingcorre- In Protocol 1, as m in (3) is in the same order as sponds to concealment. Throughout this paper, we con- n, most bits from A are accessible by Bob, because the sideronlycaseswhereeitheroneofthemischeating,but amountofdata encoded per qubit is rather small. Thus, not both. Thus, the binding and concealing conditions anotherprotocolattheotherextremewithamuchhigher can be discussed separately. encoding rate is considered here . The basic idea here is that instead of using qubits, oneencodesAintoageneralD-dimensionalvectorspace 3. Measurement by Bob =CD/C. Thus,onechoosesO(exp(const.D))states D H Ψ out of . A D {| i} H When considering Alice’s cheating, we denote the a. Binding Condition. In Protocol 1, we discussed quantumstatesenttoBobasadensitymatrixρ,sincein bitwise security; here we take a different approach. general,Alice would be likely to use a randomizedstrat- Definition 1 Takeanarbitraryvalueofr Zandε R egy or send an entangledstate. Note here that whatever ∈ ∈ (ε,r > 0). A QBSC protocol is binding if, by choosing strategy Alice follows, once she transmits the quantum a large enough n, the following inequality holds for arbi- state to Bob, the density matrix ρ is fixed. Honest Bob trarily chosen A ,...,A and ρ, verifies Alice’s commitment by performing a projective 1 r measurement of ρ using an orthonormal basis that in- Pr[A ρ] 1+ε . (4) cludes |ΨAi. Bob then accepts it as a correct commit- Xi i| ≤ ment of string A with the probability Here, n is the length of the bit string that is to be com- Pr[Aρ]= ΨA ρΨA . (1) mitted. 2 | h | | i 3 Intuitively, this definition can be illustrated as follows. Therefore, we cosider here whether Bob can distinguish A cheating Alice might want to postpone her decision ρ sufficiently accurately without knowing A, because if by selecting x patterns of bit strings A ,...,A in the that is the case, Bob does not need to preserve ρ for a 1 x commitment phase. Then, later in the open phase, she long period. could unveil any desired string among them. In such a In order to actually do this, we change Bob’s verifica- case,themaximumprobabilityofhersuccessislessthan tion procedure. That is, Bob measures ρ as soon as he 1/x if x<r, and is less than 1/r if x>r. receives it using randomly chosen orthogonal bases, and Infact,itcanbeshown[3]thatifthecommittedstates then stores the result until the open phase. Although Ψ are chosen to be approximately orthogonal: much less information is obtained in this way than is A | i obtained by directly comparing ρ with Ψ Ψ , it is A A | ih | ΨA ΨA′ sinθ =ǫ 1 for A= A′ (5) enough to detect cheating by Alice, as we will show in |h | i|≤ ≪ ∀ 6 ∀ Section IV. the above binding condition (4) is true for ε (r 1)ǫ. ≤ − That is, if one can construct approximately orthogonal states ΨA ,the bindingconditionis automaticallyguar- A. Quantum State for Encoding | i anteed. b. Approximately Orthogonal States. In this proto- First we define the quantum state Ψ , which is used A col, one needs to choose exp(const.D) states Ψ out of | i A as a commitment of the string A. | i D-dimensional vector space while keeping approximate orthogonality as in (5). Although this seems impossi- ble at first sight, interestingly, it can in fact be eas- 1. Error-Correcting Code ily achieved by using classical error-correctingcodes[11]. One example is as follows. Throughout this section, we assume that string A is Take an error-correcting code E : 0,1 n 0,1 m { } → { } notnecessarilyabitstringbutisingeneralaq-arystring with information rate R = n/m and minimum distance A=(a1,...,an′), ai 0,...,q 1 . Iftheoriginaldata d and let δ = d/m. Next choose quantum states h ∈{ − } C2m/C corresponding to string A 0,1 n as: | Ai ∈ are a bit string, one needs to transform them into a q- ∈{ } arystringusingsomeappropriatesurjectivemapping. In this case, A stands for the data of n= n log q bits. 1 m ⌈ ′ 2 ⌉ Thenwe fix a q-aryclassical(N,n,d)error-correcting h := i E (A) . (6) ′ A i | i √m | i⊗| i code : Xi=1 E :A E(A)=(e ,...,e ) , e 0,...,q 1 . Then, as hA hA′ (1 δ) for A = A′, an arbitrarily 7→ 1 N i ∈{ − } |h | i| ≤ − 6 smallǫcanbechosenbydefining ΨA as ΨA := hA The sender stretches the string A into a q-ary string E | i | i | i⊗ hA . of length N using this error-correctingcode. ···⊗| i III. PROPOSED PROTOCOL 2. Quantum States of ‘Particles’ Theprotocolsdescribedintheprevioussectionarecer- The commitment Ψ takes the form A | i tainly significant, in that they achieve a completely new Ψ = Ψ := e e , (7) type of security by using quantum mechanics. However, A E(A) 1 N | i | i | i⊗···⊗| i itseemsalmostimpossibletoimplementthemusingcur- where each e is a D-dimensional vector. That is, the i rent technology. There are two main reasons. | i sender commits by sending N ‘particles’ having inter- nal degrees of freedom in a D-dimensional vector space 1. Bob needs to preserve the quantum state Ψ as | Ai = CD/C. Each q-ary value e is encoded into this it was created by Alice, until the open phase. HDD-dimensional space of the ith pariticle. 2. InProtocol2,highlyentangledstates,suchas h We use the same set of D-dimensional states for each A | i given in (6), are necessary. particle and denote them as In particular, the first point seems the more difficult to 0 , , q 1 D . (8) | i ··· | − i ∈H overcome. Thus,weproposeamodifiedversionofQBSC Hence,Eqn.(7)meansthattheith particlehase th states that can be implemented, and subsequently prove its se- i of (8). The q states of (8) are all distinct but do not curity. necessarily form an orthonormal basis. In Kent’s protocol, Bob needs to preserve the quan- It is assumed here that D satisfies q = lD for l Z, tum state ρ as it wassentfromAlice inthe commitment ∈ and that the states of (8) can be groupedtogether into l phase until the open phase. This is because Bob verifies types of orthonormalbasis M(i), i=0,...,l 1 ρ by projective measurements using an orthonormal ba- − sisincluding Ψ Ψ ,afterAlicehasunveiledstringA. M(i):= i;0 ,..., i;D 1 , i;j i;k =δ (9) A A jk | ih | {| i | − i} h | i 4 Previous Protocol Proposed Protocol Alice Bob Alice Bob Ψ Ψ A A Ψ Ψ ρ ρ A A Measurement Commitment without knowing A Phase Preserve Open Phase A A A A ρ Compare Aand the Measurement using A result of measurement FIG. 1: Differences between theprevious and proposed protocols. with 1. Alice reveals A to Bob. 2. Bob computes the codeword E(A). iD+j = i;j . | i | i 3. Bobverifiesthefollowingconditionforeachparticle Also, for the sake of simplicity, we assume that the or- 1 i N : thogonal bases M(i) are symmetric under a finite group ≤ ≤ Gthatactson . Inotherwords,forany0 i l 1, - If the basis that he chose is correct, i.e., D H ≤ ≤ − g G, there exists 0 i l 1 satisfying e M(s ), he obtains e as a result of ∈ ≤ ′ ≤ − | ii ∈ i | ii his measurement. gM(i):= R(g)i;0 , ..., R(g)i;D 1 =M(i′) , { | i | − i} 4. If the abovecondition does not holdfor anyi, Bob (10) rejects the commitment, otherwise, he accepts it. where R is a representation of G in . In Eqn.(10), states are identified if they differ onlyHuDp to a phase of complex number. C. Differences from Kent’s Protocols B. Protocol As stated earlier, Bob does not need to preserve the quantum state ρ until the open phase as he examines ρ inthecommitmentphase. Byusingrandomizedbases,he Alice and Bob proceed as follows. selects correct bases in a probabilistic way, and is there- fore able to verify Alice’s commitment confidently. Commitment Phase In addition, players only need to be able to create 1. Alice chooses a q-ary string A = (a1,...,an′) to and detect D-dimensional quantum states, and thus the which she is committed and computes the corre- highly entangled states, e.g., hA given in (6), are un- | i sponding codeword E(A)=(e ,...,e ). necessary. For instance, the case of D =2 can be imple- 1 N mented using single-photons. 2. Bob chooses a l-ary random string Error-correcting code is used here to ensure approxi- S =(s1,...,sN) 0,...,l 1 N. mate orthogonality of states |ΨE(A)i as in Kent’s proto- ∈{ − } col (c.f., Eqn.(5)). Indeed in our protocol, Alice sends 3. Alice sends N particles e ,..., e to Bob. Ψ := e e , which satisfies | 1i | Ni | E(A)i | 1i⊗···⊗| Ni 4. Bobperformsmeasurementsoneachreceivedparti- A A′ A=A′ ΨE(A) ΨE(A′) <β¯d . (11) ∀ ∀ 6 → | cle|eiiwiththebasisM(si)andrecordstheresult. Hereβ¯is th(cid:0)e maximum(cid:12)(cid:12)(cid:10)value ofthe in(cid:11)n(cid:12)(cid:12)er pro(cid:1)ductofthe Open Phase particle states defined in (8), i.e., ee β¯ for e=e ′ ′ |h | i|≤ ∀ 6 5 (seealsoParagraphIVB2c). Inthenextsection,wewill if he chooses a wrong basis, he may accept Alice’s com- exploit this property to prove the binding condition. mitment no matter what he obtains as a result of his measurement. Thus, averaged over the random variable S, the acceptance rate by Bob takes the form IV. SECURITY EVALUATION 1 1 Pr [Aρ]:= 1 + e ρe =Trρπ(e ), (12) N=1 1 1 1 | (cid:18) − l(cid:19) lh | | i Nowwewillprovethesecurityoftheproposedscheme. Throughoutthissection,weconsideranidealcasewitha where noiselesschannelanderror-freedetection. (Fornon-ideal cases, see Section V.) 1 1 π(e) := 1 I + e e As to what each player can do in quantum proto- (cid:18) − l(cid:19) D l| ih | cols, we follow the definition given by Yao[14] and Lo- 1 1 Chau[15]. That is, quantum protocol is formalized in a = 1 I + i;j i;j =:π(i;j) . (13) D (cid:18) − l(cid:19) l| ih | Hilbert space = , where (resp. T A B C A H H ⊗H ⊗H H ) refers to the space in which Alice (resp. Bob) can HopBerate. HC is the communication channel. Every step HeSriemIiDlarislyafourniNt m>a1tr,iix.ei.n, iHf DA.lice sends more than one ofthe protocolisdone byunitary operationsby Alice on particle, the acceptance rate takes the form and those by Bob on , alternately. A C B C H ⊗H H ⊗H Pr[Aρ]=TrρP E(A) | A. Concealing condition with Intheproposedprotocol,nlog q-bitdataareencoded PE =π(e1) π(eN) . (14) 2 ⊗···⊗ in Nlog D qubits. Thus, the number of bits accessi- 2 b. What We Need to Prove. The sum of the accep- ble by Bob, m, satisfies m Nlog D owing to the ≤ 2 tance rates for A ,...,A , which appears on the LHS of Holevo bound. Hence, the protocol is concealing when 1 r (4), takes the form the bitnumberofAisgreaterthanthe qubitnumber,or NlogD <nlogq. Pr[A ρ]=Tr(ρQ) (15) i | Xi B. Binding Condition with In the remainder of this section, we will prove the fol- Q:=P + +P . (16) E(A1) ··· E(Ar) lowing theorem. With this operator Q, what we need to do is to bound Theorem 2 Theproposedprotocolisbindingintermsof TrρQfromaboveforanarbitrarydensitymatrixρ. How- Definition 1. ever, it is obviously sufficient to consider instead the upper bound on ΨQΨ for an arbitrary pure state h | | i Ψ . Moreover, in order to avoid complications from | i 1. Basic Idea of the Proof statenormalizations,wedonotrequire Ψ tobenormal- | i izedandinsteaddiscusstheupperboundofthe quantity ΨQΨ / ΨΨ . The basic idea of the proof is the same as given in h | | i h | i Ref.[3]. Namely, we exploit the approximate orthogonal- ity (11) of Ψ (see Eqn.(5) andthe discussionnearby). A However,th|ereiis a complication,owingto the difference 2. Vector Subspace V(E(Ai)) in the form of the probability Pr[A ρ]. In our protocol, i Pr[A ρ] takes a different form, as th|e receiver performs In order to prove Theorem 2, it is convenient to di- i measu|rements on a randomly chosen orthogonal basis, vide the DN-dimensional space HDN, which consists of whereas in Kent’s protocol, the receiver can make use of the degrees of freedom of the N particle used for com- the string A unveiled by Alice. mitment. We herefocusespeciallyonthe eigenvectorsof asaf.olloFwosr.mFoirfsPt,r[fAor|ρt]h.e sTahkeeporfosbimabpilliictyityP,rs[Aup|ρp]oissegtivheant cPoEn(tArii)buwtiethmroesltattiovehlΨy|lPaErg(Aeie)i|gΨeinvinaclulueds,edasinthheΨse|Qv|eΨctio.rs N =1, that is, suppose that Alice sends only one parti- a. EigenstatesofoperatorPE. TheeigenstateofPE cle. ThenBobchoosesthecorrectbasisformeasurement with eigenvalue 1, which is the largest, takes the form (satisfyinge (A) M(s ))withprobability1/l,inwhich 1 1 case he can confid∈ently reject Alice’s commitment if the ΨE := e1 eN | i | i⊗···⊗| i outcome is different from e (A) . On the other hand, = i ;j i ;j . (17) 1 1 1 N N | i | i⊗···⊗| i 6 This becomes the state that Alice sends as her commit- 3. Decomposition of |Ψi ment of the q-ary string A, if we let E = (e ,...,e ) 1 N equal the codeword E(A) of A. a. SubspaceV andV . Nextwedefineanothersub- ⊥ ItisevidentthatalleigenvectorsofPE,including ΨE space | i take the form V =V(E(A ))+ +V(E(A )) . 1 r ··· Ψ ;∆J := i ;j +∆j i ;j +∆j , (18) E 1 1 1 N N N | i | i⊗···⊗| i That is, any element of V is given by the sum of the since PE is a tensor product of the smaller operator elements of V(E(A1)),...,V(E(Ar)). As can be seen from the construction of V(E(A )), V is the subspace of π(e )’s defined in Eqn.(13), which act on particles. Here i i ∆J = (∆j1,...,∆jN) is an arbitrary D-ary string, and the quantum message space HDN which contributes by far the most to ΨQΨ . thesumj+∆j appearingontheRHSof(18)isassumed h | | i to be in modulo D. Recall that, as defined in (9), for Then we decompose Ψ into V and V⊥, where V⊥ | i each i, the vectors i;0 ,..., i;D 1 form an orthonor- denotes the orthogonalcomplement of V. | i | − i malbasisinthe internalD-dimensionalvectorspace D aofcaompaprlteitceleo.rHtheonncoe,rmthael sbtaastiesso|Ψf tEh;e∆vJeictoobrvsiopuascley foHrm |Ψi:=|ΨVi+|Ψ⊥i = Xi vi|Γii+|Ψ⊥i , (22) HDN formed by N particles. v 2 = 1 (23) i | | Roughly speaking, ∆J indicates the difference of Xi Ψ ;∆J from Ψ . The eigenvalue of Ψ ;∆J E E E d|ecreasesi expone|ntiailly with the Hamming| weighit with Ψ V, Ψ V⊥ and vi C. The state HW(∆J),orthenumberofnonzeroelementsofthe∆J: Γi is| aiss∈umed |to⊥biel∈ong to V(E(Ai∈)) and can thus | i be expanded as in Eqn.(20). We also assume that each P Ψ ;∆J =(1 1/l)HW(∆J) Ψ ;∆J . (19) Γi is normalized, i.e., the coefficients wi,∆J defined in E E E | i | i − | i Eqn.(20) satisfy For example, Ψ = Ψ ;∆J for ∆J =0. | Ei | E i w 2 =1 . b. Vector subspace V(E(Ai)). Then we define | i,∆J| X V(E(A )) as a vector subspace of , generated by ∆J HW(∆J)<α i HDN { | } eigenvectors Ψ ;∆J with HW(∆J)<α. The con- | E(Ai) i Ontheotherhand,wedonotrequire Ψ tobenormal- stant α here is an integer that determines the size of ized. Furthermore, Ψ is not a unit| v⊥ecitor in general, the subspace and is supposed to satisfy 0 < α < d (see | Vi althoughthecoefficientv ’sisnormalizedasinEqn.(23). Fig.2). That is to say, any vector Γ V(E(A )) can i be expanded as | ii ∈ i This is because |Γii’s with different values of i are not exactly orthogonal as discussed above. It should also be noted that there is arbitrarinessin the choice of Γ ow- i Γ = w Ψ ;∆J (20) | i | ii i,∆J| E(Ai) i ing to this non-orthonognality. X ∆J HW(∆J)<α It is still obvious that any vector Ψ can be { | } | i ∈ HDN expanded as in Eqn.(22) with appropriate rescaling. The appropriate value of α will be discussed later. b. V contributes only little. By definition, Ψ ⊥ c. V(E(Ai))’sareapproximatelyorthogonal. Infact satisfies ΨV Ψ = 0 for any ΨV V, and it is| a⊥pi- the subspaces V(E(A ))’s with different values of i are h | ⊥i | i ∈ i parent that for any i, Ψ [V(E(Ai))]⊥ (see Fig.2). approximately orthogonal to each other. Indeed, if Thismeansthat Ψ ca|n⊥biee∈xpandedbytheeigenstates wΨe pick;∆twJo eflreommendtisffeorfenvetcstuobrspbaacsiess,|Ψi.eE.(,Afoi)r;∆i=Jij,awnde |ΨE(Ai);∆Ji wit|h H⊥iamming weight HW(∆J)≥α. |havEe(Aj) ′i 6 1/Tl)hαuasn,ditwimemseeedtiahtaetlyΨfollowcosntthraibtu(cid:13)tPesE(lAitit)l|eΨt⊥oi(cid:13)Ψ≤Q(1Ψ− ifαissufficientlylarge|. S⊥eei Lemma(cid:13)3foramoreh(cid:13)rig|or|ouis Ψ ;∆J Ψ ;∆J <β¯d α , (21) h E(Ai) | E(Aj) ′i − argument. (cid:12) (cid:12) (cid:12) (cid:12) whereβ¯istheupperboundontheinnerproductsofpar- ticle state 0 ,..., q 1 defined in (8). In other words, 4. Outline of the proof, and lemmas β¯:=maxe=|ei′ ee′| −<1i. 6 |h | i| Inequality(21)followsbecausewhenthetwostatesap- We have seen above that for large enough d and α pearing on the LHS are representedusing particle states thesubspaceV(E(A ))sareapproximatelyorthogonalto i |aes′1i|Ψ⊗E·(·A·⊗i);|e∆′nJi,i|e=ii|ae1nid⊗|e·′ii··a⊗re|deniffiearenndt|fΨorEa(Atjle);a∆stJd′−i =α eTahcehno,tthheer,foalnlodw|iΨn⊥giin∈eqVu⊥alictoienstrsihbouuteldslhitotllde:tohΨ|Q|Ψi. values of i, owing to the minimum distance property of classical error correcting code. This is the main reason ΨQΨ = ΨP Ψ forintroducingclassicalerror-correctingcode(seeFig.2). h | | i Xi h | E(Ai)| i 7 V where, α 1 − N V(E(A )) V(E(A2)) V(E(A3)) Fα(N):= Xi=0(cid:18)i(cid:19)(D−1)i . 1 ΨE(A2) ΨE(A3) Parameter β is definedamong particle states |ei, |e′i and α d d operater π(e′′), which acts on them: Ψ α E(A1) α β := (em=ea′=xe′′)|he|π(e′′)|e′i| <1 . (30) ¬ The maximum value of Eqn.(30) is evaluated under the condition thatthetriplete,e,e does notsatisfye=e = ′ ′′ ′ V e . ^ ′′ Proof. Note FIG. 2: A graphical image of vector spaces V and V⊥. Ψ QΨ = v 2 Γ P Γ (31) Vsta(Ete(sAwi)it)hisetigheenvveaclutoerssluarbgsepractheagnen(e1r−ate1d/lb)αy.PTEh(Auis),’stheeigpena-- h V| | Vi Xi | i| h i| E(Ai)| ii rameter α serves as the radius of each V(E(Ai)). Parameter + v v Γ P Γ . d denotes the separation between each V(E(Ai)). V is the X j∗ kh j| E(Ai)| ki ⊥ i,j,k (i=j=k) sum of all V(E(Ai))’s and V is its orthogonal complement. { |¬ } The first term on the RHS is clearly less than or equal to 1. The secondtermis the sum ofthe crossterms gen- v 2 Γ P Γ v 2 =1 , (24) erated by vectors from different subspaces V(E(A ))’s. ≃ | i| h i| E(Ai)| ii≤ | i| i Xi Xi These should be negligible for a large enough d, since in ΨΨ = Ψ Ψ + Ψ Ψ v 2 Γ Γ =1 , that case V(E(Ai))s are approximately orthogonal. h | i h V| Vi h ⊥| ⊥i≃Xi | i| h i| ii Wewillevaluatethissecondtermexactlybelow. From Eqn.(20), we have (25) Γ P Γ (32) which means ΨQΨ / ΨΨ 1. h j| E(Ai)| ki In the subshequ|en|t siuhbse|ctiio≃n, we will use this idea to = wj∗,∆Jwk,∆J hΨE(Aj);∆J|PE(Ai)|ΨE(Ak);∆J′i . proveTheorem2rigorously,butfirstwepreparetwolem- ∆XJ,∆J′ mas that are convenient. First we show that the contri- The term appearing on the RHS can be bounded from bution of Ψ is indeed small. above as | ⊥i Lemma 3 Ψ ;∆J P Ψ ;∆J βd α , For any i and s, (s 0, s Z), (cid:12)h E(Aj) | E(Ai)| E(Ak) ′i(cid:12)≤ − ≥ ∈ since t(cid:12)he triplet i,j,k does not satisfy i(cid:12)= j = k. In ad- Ψ P s Ψ (1 1/l)sα Ψ Ψ , (26) dition, because the Hamming weight of ∆J is bounded h ⊥|{ E(Ai)} | ⊥i ≤ − h ⊥| ⊥i from above as HW(∆J) α, there are only F (n) pat- P Ψ (1 1/l)α Ψ . (27) ≤ α E(Ai)| ⊥i ≤ − k | ⊥ik terns of wk,∆J (and equivalently for wj,∆J). Thus, max- (cid:13) (cid:13) Proof. (Se(cid:13)e also Para(cid:13)graph IVB3b and Fig.2.) As imizing the RHS of Eqn.(32) using the Lagrange multi- plier for wj,∆J and wk,∆J′, we find Ψ V⊥ [V(E(Ai)]⊥, Ψ can be expanded w| it⊥hi t∈he eigen⊂states |ΨE;∆Ji|w⊥itih Hamming weight |hΓj|PE(Ai)|Γki|≤Fα(N)βd−α . HW(∆J) α. Note that if HW(∆J) α, from the definition o≥f π(e) given in Eqn.(13) ≥ Applying the Lagrangemultiplier againon vi, we obtain anupper bound for the secondtermonthe RHS of(31), and Inequality (28) can be proved. Inequality (29) can (P )s Ψ ;∆J =(1 1/l)sHW(∆J) Ψ ;∆J . E | E i − | E i be provedas well in a similar manner if one notices that From this, Inequality (26) immediately follows. Inequal- maxe=e′ ee′ =β¯ β. 2 6 |h | i| ≤ ity (27) can be shown by setting s = 2 in (26) as the operator P is Hermitian. 2 E 5. Proof of Theorem 2 NextwepresenttherigorousversionofInequality(24). From the above two lemmas Lemma 4 ΨQΨ h | | i ΨV QΨV 1+r(r 1)βd−αFα(N) , (28) ΨV QΨV +2 ΨV QΨ + Ψ QΨ h | | i ≤ − ≤ h | | i |h | | ⊥i| h ⊥| | ⊥i Ψ Ψ 1 (r 1)βd αF (N) , (29) 1+r(r 1)ǫ +2r(1+(r 1)ǫ )ǫ S+rǫ S2 V V − α 1 1 2 2 |h | i− | ≤ − ≤ − − 8 and From a well-known theorem of the theory of error- correcting codes, N can be made arbitrarily large while hΨ|Ψi=hΨV|ΨVi+hΨ⊥|Ψ⊥i≥1−(r−1)ǫ1+S2 , keeping constant the information rate n′/N and the rel- ative minimum distance d/N. The RHS of (37) being where a constant and logβ being negative, Inequality (37) can always be satisfied by choosing a large enough N. ǫ = βd αF (N) , ǫ =(1 1/l)α , (33) 1 − α 2 − S = Ψ Ψ 1/2 . h ⊥| ⊥i V. NOTES FOR IMPLEMENTATION (c.f., Inequalities (24) and (25)), Thus, Asmentionedearlier,ourprotocolcanbeimplemented ΨQΨ Pr[Ai ρ] h | | i using currently available technology. For example, the | ≤ ΨΨ Xi h | i case of D = 2 can be realized by single photon sources 1+r2ǫ +2rǫ (1+rǫ )S+rǫ S2 and detectors. Probably the most familiar way of en- 1 2 1 2 ≤ 1 rǫ +S2 coding is the BB84-like states that are often used for 1 − quantum key exchange[1], 1+r2ǫ rǫ (1 rǫ )+rǫ (1+rǫ )S 1 2 1 2 1 = rǫ + − − 2 1 rǫ +S2 1 0 − 1 0 = , 1 = , c +c S | i (cid:18)0(cid:19) | i (cid:18)1 (cid:19) 1 2 =: rǫ + . 2 c3+S2 2 = 1 1 , 3 = 1 −1 , | i √2(cid:18)1 (cid:19) | i √2(cid:18) 1 (cid:19) Assuming c ,c ,c > 0 and differentiating by S, we see 1 2 3 that which corresponds to q = 4, D = 2, l = 2, and β = 3/4. As onecanseefromthe theoryoferror-correctingcodes, Pr[A ρ] rǫ + 1 c21+c3c22+c1 =1+ε . (34) for sufficiently large N, there exists a code E with the Xi i| ≤ 2 2p c3 informationraten′/N thatis virtually equalto 1. Thus, in this case, a secure protocol can be constructed with Here,asc ,c 1andc canbechosenarbitrarilysmall, m/n 1/2,where m is the bit number accessible by the ε on the R1HS3 ≃can be ar2bitrarily small. 2 receiv≃er before unveiling. For example, take r = 210 and ǫ = 2 10, which cor- − respond to α 26. Then, it is guaranteed from the ≥ 6. Choice of Parameters Gilbert-Vershamovbound(seeRef.[12])thatthereexists a linear code with q = 4, N = 105, d/N = 10 2, and − Next, we show that ε given in (34) can actually be n′/N 0.95, for which Inequality (37) holds. In this ≥ arbitrarily small by choosing sufficiently large N. Here, case, m/n<0.53 is satisfied. we doa veryroughestimate withoutworryingaboutthe It should be noted, however, that in real life there tightness of the bound. First assume rǫ 1/2 for ǫ are problems with information losses in optical channels 1 1 defined in (33), then ≤ and with the detection rate of photon detectors. Conse- quently,Bobmightenduprejecting Alice’s commitment c2+c c2+c even when an honest Alice has sent the correct commit- p 1 c33 2 1 ≤(1+2rǫ1)(2c1+c2) . ment |ΨAi. Still, we can overcome these problems by modifying and immediately we have steps 3 and 4 of the open phase (Sec.IIIB) as follows. First take an integer parameter t > 0, the exact value Pr[A ρ] 1+4rǫ +4r2ǫ . (35) of which is determined by the noise level of the channel i 2 1 | ≤ Xi andthe detectionrate. Thenchangesteps3and4ofthe open phase as follows: We will prove below that the second and the third term on the RHS of Inequality (35) can be ε/2 respec- 3. Bobverifiesthefollowingconditionforeachparticle tively. As to the second term, it suffic≤es to let α = 1 i N : ≤ ≤ log 2 6ε/r . As to the third term, first note 1 1/l − - If the basis he chooses is correct, i.e., e − (cid:0) (cid:1) | ii ∈ M(s ), he obtains e as a result of his mea- Fα(N)<(D−1)αexp[N ·H2(α/N)] (36) suremi ent. | ii for N α+1 > N/D (see e.g., Ref.[12], Appendix A). Then, he records as y the number of particles that − Using Inequality(36), we see that the third term on the do not satisfy the above condition. RHS of (35) can be bounded from above if 4. If the above condition does not hold for more than α εβα t particles, i.e., if y >t, then Bob rejects the com- N H +dlogβ log . (37) · 2(cid:16)N(cid:17) ≤ (cid:18)8r2(D 1)α(cid:19) mitment. Otherwise he accepts it. − 9 In other words, Bob accepts Alice’s commitment even classicalerror-correctingcode E needs to be ofthe order when up to a certain number of particles does not meet of N 105 in length. Although possible in principle, it ≃ the condition of step 3. In this case too, the security of is not very practical to calculate a generator matrix of the protocol can be shown in almost the same way as in this size using currently available computers. Instead, it the previous section[13]. is much moreworthwhile to optimize the protocolor the security proof so that we can ensure the same level of security for smaller N. VI. CONCLUSION For example, the estimate given in Section IVB6 is not yet tight, since there we were interested mainly in Inthis paper,we haveproposedanew QBSC protocol proving that the protocol is in fact possible. Thus, by and shown that it is secure in terms of the same secu- using a better strategy,we might be able to obtain more rity requirements as discussed in Ref.[3]. Our protocol securityforshorterbitlengthn. Note,inparticular,that hasthemeritthatitcanbeimplementedusingcurrently evenwiththeratiom/noftheaccessiblebitsbeingfixed, available technology such as single-photon sources and there is a variety of choices of parameters, such as q, D, detectors. and l. It will be interesting to see how we can better An example of future work is the optimization of the optimize the protocol,whether by making better choices protocol presented here. As discussed in Section V, if for quantum states 0 ,..., q 1 or by optimizing the | i | − i the protocol is implemented using BB84-like states, the classical error-correctingcode E. [1] C.H. Bennett and G. Brassard, “Quantum Cryptogra- Tools, (Cambridge Univ.Press, Cambridge, 2001). phy: PublicKeyDistributionandCoinTossing,”inPro- [10] C.H. Bennett, G. Brassard, S. Breidbart and S. Wies- ceedings of the IEEE International Conference on Com- ner, “Quantum Cryptography, or Unforgeable Subway puters, SystemsandSignalProcessing(IEEE,NewYork, Tokens,” in Proceedings of CRYPTO ’82, p.267 (1982). 1984) p.175. [11] H. Buhrman, R. Cleve, J. Watrous and R. de Wolf, [2] C.W. Helstrom, Quantum Detection and Estimation “QuantumFingerprinting,”Phys. Rev. Lett.,87,167902 Theory (AcademicPress, New York,1976). (2001). [3] A.Kent,“QuantumBitStringCommitment,”Phys.Rev. [12] W.W. Peterson and E.J. Weldon, Jr., Error Correcting Lett., 90, 237901 (2003). Codes (MIT Press, 1972). [4] A. Kent, “Unconditionally Secure Bit Commitment,” [13] T. Tsurumaru, work in progress. Phys.Rev.Lett., 83, 1447-1450 (1999). [14] A.C. Yao, “Security of Quantum Protocols against Co- [5] H.-K.Loand H.F. Chau “Is QuantumBit Commitment herent Measurements,” in Proceedings of 1995 ACM ReallyPossible?,”Phys.Rev.Lett.,78,3410-3413(1997). Symposium on Theory of Computing 67–75 (1995). [6] D.Mayers, “Unconditionally Secure QuantumBit Com- [15] H.-K. Lo and H.F. Chau, “Why Quantum Bit Commit- mitment is Impossible,” Phys. Rev. Lett., 78, 3414 ment and Ideal Quantum Coin Tossing are Impossible,” (1997). Phisica, D120, pp.177–187 (1998). [7] M.A. Nielsen and I.L. Chuang, Quantum Computa- [16] H.F. Chau and H.-K. Lo, “Making an Empty Promise tion and Quantum Information(CambridgeUniv.Press, withaQuantumComputer,”Fortsch.Phys., 46,pp.507– Cambridge, 2000). 520, (1998). [8] H. Delfs and H. Knebl, Introduction to Cryptography, [17] Onthecontrary,abitcommitment schemethat exploits Principles and Applications (Springer Verlag, Berlin, special relativity has been proposed and the security 2002). proof has been given. See Ref.[4]. [9] O.Goldreich,FoundationsofCryptography, Vol.I,Basic

ebook img

Implementable Quantum Bit-String Commitment Protocol PDF

0.23 MB·English
by  Toyohiro Tsurumaru
#additional_collections #journals #arxiv
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Implementable Quantum Bit-String Commitment Protocol

Implementable Quantum Bit-String Commitment Protocol Toyohiro Tsurumaru Mitsubishi Electric Corporation, Information Technology R&D Center 5–1–1 Ofuna, Kamakura-shi, Kanagawa, 247-8501, Japan Quantumbitstringcommitment[A.Kent,Phys.Rev.Lett.,90,237901(2003)]orQBSCisavariant ofbitcommitment(BC).Inthispaper,weproposeanewQBSCprotocolthatcanbeimplemented using currently available technology, and prove its security under the same security criteria as discussed by Kent. QBSC is a generalization of BC, but has slightly weaker requirements, and our proposed protocol is not intended to break theno-go theorem of quantumBC. PACS number(s): 03.67.-a, 03.67.Dd, 89.70.+c 5 0 0 I. INTRODUCTION tum key distribution(QKD). This is mainly because BC 2 isoneimportantbuildingblockinawholelistofinterest- n ingtools,suchasmulti-partyprotocolsorzero-knowledge a Quantum bit string commitment (QBSC) was pro- J posed by Kent[3], as a generalization of bit commitment proof, rooted in classicalcryptology(see e.g., Ref.[8][9]). However, as pointed out in Ref.[3], we are not yet able 6 (BC).ThefundamentalgoalofQBSCisthesameasthat ofBC;thatis,thesenderfirstsendsevidenceofassigned even to characterizethe range of cryptographictasks for 2 whichperfectlysecurequantumprotocolsmightpossibly dataoveracommunicationchannelwithoutrevealingthe v exist. Thus, we assume here that there must be distinct actual data. Then, after an interval, the sender reveals 4 security notions that are unique to quantum cryptogra- the data and the receiver verifies that the data have not 7 phy, and seek protocols that do not necessarily have a 1 been modified. classical counterpart. 7 The difference in QBSC is that the sender commits a This paper is organized as follows. In Section II, we 0 string A = (a , ,a ) with n > 1 in a single protocol 4 1 ··· n briefly review some of the results by Kent[3], including session,andalimited(butcertain)numberofitsbitsare 0 the basic structure of QBSC and its security criteria. accessible by the receiver before the open phase. This / Subsequently, we describe the proposed protocol in Sec- h situation is referred to as (m,n) bit string commitment tion III and prove its security in Section IV. Then in p in Ref.[3], where m ( n) is the maximum number of - ≤ Section V, we briefly comment on the implementation nt accessible bits. Conventional BC schemes correspond to and finally conclude in Section VI. thecasewheren=1andm=0,andinthissenseQBSC a is a generalizationof BC. u q In this paper, we propose a new QBSC protocol that II. PREVIOUS METHOD : canbeimplementedusingcurrentlyavailabletechnology, v such as single-photon sources and detectors, and then i X prove its security. The main difference from the previ- The original QBSC was proposed in Ref.[3], with two r ous protocol is in the quantum measurement procedure example schemes, called Protocol 1 and Protocol 2. Be- a performed by the receiver to verify a commitment. In forepresentingourprotocol,webrieflyreviewtheresults our scheme, the receiver is allowed to perform the mea- by Kent in this section. Both of the example protocols surements in the commitment phase using randomized share a simple basic structure, as follows. Throughout bases, which means that it is not necessary to preserve this paper, we will call the sender Alice and the receiver the quantum state until the open phase. Bob. AlthoughQBSCisageneralizationofBC,thesecurity level that it achieves is slightly weaker than that of BC unless m=0. We would like to stress that our proposal A. Basic Structure of Kent’s Scheme isnotintendedtobreaktheno-gotheoremofLo-Chau[5] and Mayers[6], which states that if one takes full advan- 1. Procedure tageofquantumcomputersandquantumcommunication channels, any type of nonrelativistic BC scheme can be Alice and Bob proceed as follows. attacked[17]. Our ultimate goal is to devise useful and secure quantum cryptographic schemes that do not rely Commitment Phase on BC. The no-go theorem of BC often makes people think 1. Alice chooses a bit string A = (a ,...,a ) to be 1 n that it might be impossible to create any useful crypto- committed to and sends Bob the corresponding graphicprotocolsbasedonquantumtheory,exceptquan- state Ψ . A | i 2 2. Bob preserves the received state Ψ . B. Example Protocols A | i Open Phase 1. Protocol 1 1. Alice unveils A to Bob. Define qubit states 2. Bob verifies A by a projective measurement on Ψ . If the outcome is consistent with A, he ac- A ψ = 0 , ψ =sinθ 0 +cosθ 1 . | i 0 1 cepts the commitment, otherwise he rejects it. | i | i | i Alice sends particles in the states ψ ,...,ψ for A = The exact form of the state Ψ differs depending on a1 an | Ai (a1,...,an), ai 0,1 . In other words, she transmits the type of protocol and will be given below. to Bob the state∈Ψ{ :}= ψ ψ . Here θ R | Ai | a1i⊗···⊗| ani ∈ isaconstantthatisdeterminedaccordingtothesecurity parameter. 2. Security Requirement a. ConcealingCondition FromtheHolevobound[7], the information m that is accessible by Bob is bounded ForBC,therearetwosecurityrequirements,whichare by called the concealing and binding conditions[9]. Similar n notionsarealsousedforQBSC,althoughwithsomewhat 1+sinθ m S(ρ)= H , (2) relaxed restrictions[3]. ≤ (cid:20) 2(cid:18) 2 (cid:19)(cid:21) - Concealing Condition. The receiver can access where H (x) = xlogx (1 x)log(1 x). Hence m 2 only a limited number of bits in the committed can be arbitraril−y small b−y adj−usting θ. − string A before the open phase. b. Binding Condition. InProtocol1,binding is dis- Thenumberofaccessiblebits isreferredtoasmin cussedforeachbitseparately. Letpji =hψj|ρi|ψjibethe Ref.[3]. probability of Bob accepting a revelationof j for the ith bit. We have - Binding Condition. It is unlikely that Alice will change the content of her commitment A after the p0+p1 cos2[(π 2θ)/4]+sin2[(π+2θ)/4] , (3) i i ≤ − commitment phase. where the RHS can again be chosen arbitrarily close to Note that for BC schemes, Bob is assumed to gain no 1 by choosingsuitableθ. Ingeneral,the smaller θ is, the information whatsoever regarding committed bit b until stronger the binding becomes; simultaneously, however, Alice unveilsit, whereasinQBSC perfectconcealmentis concealingbecomesweaker,ascanbe seenfromInequal- dispensed with; Bob is allowed to extract a certain but ity (2). Thus, θ needs to be chosen with this balance in limited amount of information from A. mind. The meaning of the term ‘unlikely’ in the definition of the binding condition differs in the two protocols. This point will be discussed below. 2. Protocol 2 As to the possibility of each player cheating, Alice cheatingputsthebindingatriskandBobcheatingcorre- In Protocol 1, as m in (3) is in the same order as sponds to concealment. Throughout this paper, we con- n, most bits from A are accessible by Bob, because the sideronlycaseswhereeitheroneofthemischeating,but amountofdata encoded per qubit is rather small. Thus, not both. Thus, the binding and concealing conditions anotherprotocolattheotherextremewithamuchhigher can be discussed separately. encoding rate is considered here . The basic idea here is that instead of using qubits, oneencodesAintoageneralD-dimensionalvectorspace 3. Measurement by Bob =CD/C. Thus,onechoosesO(exp(const.D))states D H Ψ out of . A D {| i} H When considering Alice’s cheating, we denote the a. Binding Condition. In Protocol 1, we discussed quantumstatesenttoBobasadensitymatrixρ,sincein bitwise security; here we take a different approach. general,Alice would be likely to use a randomizedstrat- Definition 1 Takeanarbitraryvalueofr Zandε R egy or send an entangledstate. Note here that whatever ∈ ∈ (ε,r > 0). A QBSC protocol is binding if, by choosing strategy Alice follows, once she transmits the quantum a large enough n, the following inequality holds for arbi- state to Bob, the density matrix ρ is fixed. Honest Bob trarily chosen A ,...,A and ρ, verifies Alice’s commitment by performing a projective 1 r measurement of ρ using an orthonormal basis that in- Pr[A ρ] 1+ε . (4) cludes |ΨAi. Bob then accepts it as a correct commit- Xi i| ≤ ment of string A with the probability Here, n is the length of the bit string that is to be com- Pr[Aρ]= ΨA ρΨA . (1) mitted. 2 | h | | i 3 Intuitively, this definition can be illustrated as follows. Therefore, we cosider here whether Bob can distinguish A cheating Alice might want to postpone her decision ρ sufficiently accurately without knowing A, because if by selecting x patterns of bit strings A ,...,A in the that is the case, Bob does not need to preserve ρ for a 1 x commitment phase. Then, later in the open phase, she long period. could unveil any desired string among them. In such a In order to actually do this, we change Bob’s verifica- case,themaximumprobabilityofhersuccessislessthan tion procedure. That is, Bob measures ρ as soon as he 1/x if x<r, and is less than 1/r if x>r. receives it using randomly chosen orthogonal bases, and Infact,itcanbeshown[3]thatifthecommittedstates then stores the result until the open phase. Although Ψ are chosen to be approximately orthogonal: much less information is obtained in this way than is A | i obtained by directly comparing ρ with Ψ Ψ , it is A A | ih | ΨA ΨA′ sinθ =ǫ 1 for A= A′ (5) enough to detect cheating by Alice, as we will show in |h | i|≤ ≪ ∀ 6 ∀ Section IV. the above binding condition (4) is true for ε (r 1)ǫ. ≤ − That is, if one can construct approximately orthogonal states ΨA ,the bindingconditionis automaticallyguar- A. Quantum State for Encoding | i anteed. b. Approximately Orthogonal States. In this proto- First we define the quantum state Ψ , which is used A col, one needs to choose exp(const.D) states Ψ out of | i A as a commitment of the string A. | i D-dimensional vector space while keeping approximate orthogonality as in (5). Although this seems impossi- ble at first sight, interestingly, it can in fact be eas- 1. Error-Correcting Code ily achieved by using classical error-correctingcodes[11]. One example is as follows. Throughout this section, we assume that string A is Take an error-correcting code E : 0,1 n 0,1 m { } → { } notnecessarilyabitstringbutisingeneralaq-arystring with information rate R = n/m and minimum distance A=(a1,...,an′), ai 0,...,q 1 . Iftheoriginaldata d and let δ = d/m. Next choose quantum states h ∈{ − } C2m/C corresponding to string A 0,1 n as: | Ai ∈ are a bit string, one needs to transform them into a q- ∈{ } arystringusingsomeappropriatesurjectivemapping. In this case, A stands for the data of n= n log q bits. 1 m ⌈ ′ 2 ⌉ Thenwe fix a q-aryclassical(N,n,d)error-correcting h := i E (A) . (6) ′ A i | i √m | i⊗| i code : Xi=1 E :A E(A)=(e ,...,e ) , e 0,...,q 1 . Then, as hA hA′ (1 δ) for A = A′, an arbitrarily 7→ 1 N i ∈{ − } |h | i| ≤ − 6 smallǫcanbechosenbydefining ΨA as ΨA := hA The sender stretches the string A into a q-ary string E | i | i | i⊗ hA . of length N using this error-correctingcode. ···⊗| i III. PROPOSED PROTOCOL 2. Quantum States of ‘Particles’ Theprotocolsdescribedintheprevioussectionarecer- The commitment Ψ takes the form A | i tainly significant, in that they achieve a completely new Ψ = Ψ := e e , (7) type of security by using quantum mechanics. However, A E(A) 1 N | i | i | i⊗···⊗| i itseemsalmostimpossibletoimplementthemusingcur- where each e is a D-dimensional vector. That is, the i rent technology. There are two main reasons. | i sender commits by sending N ‘particles’ having inter- nal degrees of freedom in a D-dimensional vector space 1. Bob needs to preserve the quantum state Ψ as | Ai = CD/C. Each q-ary value e is encoded into this it was created by Alice, until the open phase. HDD-dimensional space of the ith pariticle. 2. InProtocol2,highlyentangledstates,suchas h We use the same set of D-dimensional states for each A | i given in (6), are necessary. particle and denote them as In particular, the first point seems the more difficult to 0 , , q 1 D . (8) | i ··· | − i ∈H overcome. Thus,weproposeamodifiedversionofQBSC Hence,Eqn.(7)meansthattheith particlehase th states that can be implemented, and subsequently prove its se- i of (8). The q states of (8) are all distinct but do not curity. necessarily form an orthonormal basis. In Kent’s protocol, Bob needs to preserve the quan- It is assumed here that D satisfies q = lD for l Z, tum state ρ as it wassentfromAlice inthe commitment ∈ and that the states of (8) can be groupedtogether into l phase until the open phase. This is because Bob verifies types of orthonormalbasis M(i), i=0,...,l 1 ρ by projective measurements using an orthonormal ba- − sisincluding Ψ Ψ ,afterAlicehasunveiledstringA. M(i):= i;0 ,..., i;D 1 , i;j i;k =δ (9) A A jk | ih | {| i | − i} h | i 4 Previous Protocol Proposed Protocol Alice Bob Alice Bob Ψ Ψ A A Ψ Ψ ρ ρ A A Measurement Commitment without knowing A Phase Preserve Open Phase A A A A ρ Compare Aand the Measurement using A result of measurement FIG. 1: Differences between theprevious and proposed protocols. with 1. Alice reveals A to Bob. 2. Bob computes the codeword E(A). iD+j = i;j . | i | i 3. Bobverifiesthefollowingconditionforeachparticle Also, for the sake of simplicity, we assume that the or- 1 i N : thogonal bases M(i) are symmetric under a finite group ≤ ≤ Gthatactson . Inotherwords,forany0 i l 1, - If the basis that he chose is correct, i.e., D H ≤ ≤ − g G, there exists 0 i l 1 satisfying e M(s ), he obtains e as a result of ∈ ≤ ′ ≤ − | ii ∈ i | ii his measurement. gM(i):= R(g)i;0 , ..., R(g)i;D 1 =M(i′) , { | i | − i} 4. If the abovecondition does not holdfor anyi, Bob (10) rejects the commitment, otherwise, he accepts it. where R is a representation of G in . In Eqn.(10), states are identified if they differ onlyHuDp to a phase of complex number. C. Differences from Kent’s Protocols B. Protocol As stated earlier, Bob does not need to preserve the quantum state ρ until the open phase as he examines ρ inthecommitmentphase. Byusingrandomizedbases,he Alice and Bob proceed as follows. selects correct bases in a probabilistic way, and is there- fore able to verify Alice’s commitment confidently. Commitment Phase In addition, players only need to be able to create 1. Alice chooses a q-ary string A = (a1,...,an′) to and detect D-dimensional quantum states, and thus the which she is committed and computes the corre- highly entangled states, e.g., hA given in (6), are un- | i sponding codeword E(A)=(e ,...,e ). necessary. For instance, the case of D =2 can be imple- 1 N mented using single-photons. 2. Bob chooses a l-ary random string Error-correcting code is used here to ensure approxi- S =(s1,...,sN) 0,...,l 1 N. mate orthogonality of states |ΨE(A)i as in Kent’s proto- ∈{ − } col (c.f., Eqn.(5)). Indeed in our protocol, Alice sends 3. Alice sends N particles e ,..., e to Bob. Ψ := e e , which satisfies | 1i | Ni | E(A)i | 1i⊗···⊗| Ni 4. Bobperformsmeasurementsoneachreceivedparti- A A′ A=A′ ΨE(A) ΨE(A′) <β¯d . (11) ∀ ∀ 6 → | cle|eiiwiththebasisM(si)andrecordstheresult. Hereβ¯is th(cid:0)e maximum(cid:12)(cid:12)(cid:10)value ofthe in(cid:11)n(cid:12)(cid:12)er pro(cid:1)ductofthe Open Phase particle states defined in (8), i.e., ee β¯ for e=e ′ ′ |h | i|≤ ∀ 6 5 (seealsoParagraphIVB2c). Inthenextsection,wewill if he chooses a wrong basis, he may accept Alice’s com- exploit this property to prove the binding condition. mitment no matter what he obtains as a result of his measurement. Thus, averaged over the random variable S, the acceptance rate by Bob takes the form IV. SECURITY EVALUATION 1 1 Pr [Aρ]:= 1 + e ρe =Trρπ(e ), (12) N=1 1 1 1 | (cid:18) − l(cid:19) lh | | i Nowwewillprovethesecurityoftheproposedscheme. Throughoutthissection,weconsideranidealcasewitha where noiselesschannelanderror-freedetection. (Fornon-ideal cases, see Section V.) 1 1 π(e) := 1 I + e e As to what each player can do in quantum proto- (cid:18) − l(cid:19) D l| ih | cols, we follow the definition given by Yao[14] and Lo- 1 1 Chau[15]. That is, quantum protocol is formalized in a = 1 I + i;j i;j =:π(i;j) . (13) D (cid:18) − l(cid:19) l| ih | Hilbert space = , where (resp. T A B C A H H ⊗H ⊗H H ) refers to the space in which Alice (resp. Bob) can HopBerate. HC is the communication channel. Every step HeSriemIiDlarislyafourniNt m>a1tr,iix.ei.n, iHf DA.lice sends more than one ofthe protocolisdone byunitary operationsby Alice on particle, the acceptance rate takes the form and those by Bob on , alternately. A C B C H ⊗H H ⊗H Pr[Aρ]=TrρP E(A) | A. Concealing condition with Intheproposedprotocol,nlog q-bitdataareencoded PE =π(e1) π(eN) . (14) 2 ⊗···⊗ in Nlog D qubits. Thus, the number of bits accessi- 2 b. What We Need to Prove. The sum of the accep- ble by Bob, m, satisfies m Nlog D owing to the ≤ 2 tance rates for A ,...,A , which appears on the LHS of Holevo bound. Hence, the protocol is concealing when 1 r (4), takes the form the bitnumberofAisgreaterthanthe qubitnumber,or NlogD <nlogq. Pr[A ρ]=Tr(ρQ) (15) i | Xi B. Binding Condition with In the remainder of this section, we will prove the fol- Q:=P + +P . (16) E(A1) ··· E(Ar) lowing theorem. With this operator Q, what we need to do is to bound Theorem 2 Theproposedprotocolisbindingintermsof TrρQfromaboveforanarbitrarydensitymatrixρ. How- Definition 1. ever, it is obviously sufficient to consider instead the upper bound on ΨQΨ for an arbitrary pure state h | | i Ψ . Moreover, in order to avoid complications from | i 1. Basic Idea of the Proof statenormalizations,wedonotrequire Ψ tobenormal- | i izedandinsteaddiscusstheupperboundofthe quantity ΨQΨ / ΨΨ . The basic idea of the proof is the same as given in h | | i h | i Ref.[3]. Namely, we exploit the approximate orthogonal- ity (11) of Ψ (see Eqn.(5) andthe discussionnearby). A However,th|ereiis a complication,owingto the difference 2. Vector Subspace V(E(Ai)) in the form of the probability Pr[A ρ]. In our protocol, i Pr[A ρ] takes a different form, as th|e receiver performs In order to prove Theorem 2, it is convenient to di- i measu|rements on a randomly chosen orthogonal basis, vide the DN-dimensional space HDN, which consists of whereas in Kent’s protocol, the receiver can make use of the degrees of freedom of the N particle used for com- the string A unveiled by Alice. mitment. We herefocusespeciallyonthe eigenvectorsof asaf.olloFwosr.mFoirfsPt,r[fAor|ρt]h.e sTahkeeporfosbimabpilliictyityP,rs[Aup|ρp]oissegtivheant cPoEn(tArii)buwtiethmroesltattiovehlΨy|lPaErg(Aeie)i|gΨeinvinaclulueds,edasinthheΨse|Qv|eΨctio.rs N =1, that is, suppose that Alice sends only one parti- a. EigenstatesofoperatorPE. TheeigenstateofPE cle. ThenBobchoosesthecorrectbasisformeasurement with eigenvalue 1, which is the largest, takes the form (satisfyinge (A) M(s ))withprobability1/l,inwhich 1 1 case he can confid∈ently reject Alice’s commitment if the ΨE := e1 eN | i | i⊗···⊗| i outcome is different from e (A) . On the other hand, = i ;j i ;j . (17) 1 1 1 N N | i | i⊗···⊗| i 6 This becomes the state that Alice sends as her commit- 3. Decomposition of |Ψi ment of the q-ary string A, if we let E = (e ,...,e ) 1 N equal the codeword E(A) of A. a. SubspaceV andV . Nextwedefineanothersub- ⊥ ItisevidentthatalleigenvectorsofPE,including ΨE space | i take the form V =V(E(A ))+ +V(E(A )) . 1 r ··· Ψ ;∆J := i ;j +∆j i ;j +∆j , (18) E 1 1 1 N N N | i | i⊗···⊗| i That is, any element of V is given by the sum of the since PE is a tensor product of the smaller operator elements of V(E(A1)),...,V(E(Ar)). As can be seen from the construction of V(E(A )), V is the subspace of π(e )’s defined in Eqn.(13), which act on particles. Here i i ∆J = (∆j1,...,∆jN) is an arbitrary D-ary string, and the quantum message space HDN which contributes by far the most to ΨQΨ . thesumj+∆j appearingontheRHSof(18)isassumed h | | i to be in modulo D. Recall that, as defined in (9), for Then we decompose Ψ into V and V⊥, where V⊥ | i each i, the vectors i;0 ,..., i;D 1 form an orthonor- denotes the orthogonalcomplement of V. | i | − i malbasisinthe internalD-dimensionalvectorspace D aofcaompaprlteitceleo.rHtheonncoe,rmthael sbtaastiesso|Ψf tEh;e∆vJeictoobrvsiopuascley foHrm |Ψi:=|ΨVi+|Ψ⊥i = Xi vi|Γii+|Ψ⊥i , (22) HDN formed by N particles. v 2 = 1 (23) i | | Roughly speaking, ∆J indicates the difference of Xi Ψ ;∆J from Ψ . The eigenvalue of Ψ ;∆J E E E d|ecreasesi expone|ntiailly with the Hamming| weighit with Ψ V, Ψ V⊥ and vi C. The state HW(∆J),orthenumberofnonzeroelementsofthe∆J: Γi is| aiss∈umed |to⊥biel∈ong to V(E(Ai∈)) and can thus | i be expanded as in Eqn.(20). We also assume that each P Ψ ;∆J =(1 1/l)HW(∆J) Ψ ;∆J . (19) Γi is normalized, i.e., the coefficients wi,∆J defined in E E E | i | i − | i Eqn.(20) satisfy For example, Ψ = Ψ ;∆J for ∆J =0. | Ei | E i w 2 =1 . b. Vector subspace V(E(Ai)). Then we define | i,∆J| X V(E(A )) as a vector subspace of , generated by ∆J HW(∆J)<α i HDN { | } eigenvectors Ψ ;∆J with HW(∆J)<α. The con- | E(Ai) i Ontheotherhand,wedonotrequire Ψ tobenormal- stant α here is an integer that determines the size of ized. Furthermore, Ψ is not a unit| v⊥ecitor in general, the subspace and is supposed to satisfy 0 < α < d (see | Vi althoughthecoefficientv ’sisnormalizedasinEqn.(23). Fig.2). That is to say, any vector Γ V(E(A )) can i be expanded as | ii ∈ i This is because |Γii’s with different values of i are not exactly orthogonal as discussed above. It should also be noted that there is arbitrarinessin the choice of Γ ow- i Γ = w Ψ ;∆J (20) | i | ii i,∆J| E(Ai) i ing to this non-orthonognality. X ∆J HW(∆J)<α It is still obvious that any vector Ψ can be { | } | i ∈ HDN expanded as in Eqn.(22) with appropriate rescaling. The appropriate value of α will be discussed later. b. V contributes only little. By definition, Ψ ⊥ c. V(E(Ai))’sareapproximatelyorthogonal. Infact satisfies ΨV Ψ = 0 for any ΨV V, and it is| a⊥pi- the subspaces V(E(A ))’s with different values of i are h | ⊥i | i ∈ i parent that for any i, Ψ [V(E(Ai))]⊥ (see Fig.2). approximately orthogonal to each other. Indeed, if Thismeansthat Ψ ca|n⊥biee∈xpandedbytheeigenstates wΨe pick;∆twJo eflreommendtisffeorfenvetcstuobrspbaacsiess,|Ψi.eE.(,Afoi)r;∆i=Jij,awnde |ΨE(Ai);∆Ji wit|h H⊥iamming weight HW(∆J)≥α. |havEe(Aj) ′i 6 1/Tl)hαuasn,ditwimemseeedtiahtaetlyΨfollowcosntthraibtu(cid:13)tPesE(lAitit)l|eΨt⊥oi(cid:13)Ψ≤Q(1Ψ− ifαissufficientlylarge|. S⊥eei Lemma(cid:13)3foramoreh(cid:13)rig|or|ouis Ψ ;∆J Ψ ;∆J <β¯d α , (21) h E(Ai) | E(Aj) ′i − argument. (cid:12) (cid:12) (cid:12) (cid:12) whereβ¯istheupperboundontheinnerproductsofpar- ticle state 0 ,..., q 1 defined in (8). In other words, 4. Outline of the proof, and lemmas β¯:=maxe=|ei′ ee′| −<1i. 6 |h | i| Inequality(21)followsbecausewhenthetwostatesap- We have seen above that for large enough d and α pearing on the LHS are representedusing particle states thesubspaceV(E(A ))sareapproximatelyorthogonalto i |aes′1i|Ψ⊗E·(·A·⊗i);|e∆′nJi,i|e=ii|ae1nid⊗|e·′ii··a⊗re|deniffiearenndt|fΨorEa(Atjle);a∆stJd′−i =α eTahcehno,tthheer,foalnlodw|iΨn⊥giin∈eqVu⊥alictoienstrsihbouuteldslhitotllde:tohΨ|Q|Ψi. values of i, owing to the minimum distance property of classical error correcting code. This is the main reason ΨQΨ = ΨP Ψ forintroducingclassicalerror-correctingcode(seeFig.2). h | | i Xi h | E(Ai)| i 7 V where, α 1 − N V(E(A )) V(E(A2)) V(E(A3)) Fα(N):= Xi=0(cid:18)i(cid:19)(D−1)i . 1 ΨE(A2) ΨE(A3) Parameter β is definedamong particle states |ei, |e′i and α d d operater π(e′′), which acts on them: Ψ α E(A1) α β := (em=ea′=xe′′)|he|π(e′′)|e′i| <1 . (30) ¬ The maximum value of Eqn.(30) is evaluated under the condition thatthetriplete,e,e does notsatisfye=e = ′ ′′ ′ V e . ^ ′′ Proof. Note FIG. 2: A graphical image of vector spaces V and V⊥. Ψ QΨ = v 2 Γ P Γ (31) Vsta(Ete(sAwi)it)hisetigheenvveaclutoerssluarbgsepractheagnen(e1r−ate1d/lb)αy.PTEh(Auis),’stheeigpena-- h V| | Vi Xi | i| h i| E(Ai)| ii rameter α serves as the radius of each V(E(Ai)). Parameter + v v Γ P Γ . d denotes the separation between each V(E(Ai)). V is the X j∗ kh j| E(Ai)| ki ⊥ i,j,k (i=j=k) sum of all V(E(Ai))’s and V is its orthogonal complement. { |¬ } The first term on the RHS is clearly less than or equal to 1. The secondtermis the sum ofthe crossterms gen- v 2 Γ P Γ v 2 =1 , (24) erated by vectors from different subspaces V(E(A ))’s. ≃ | i| h i| E(Ai)| ii≤ | i| i Xi Xi These should be negligible for a large enough d, since in ΨΨ = Ψ Ψ + Ψ Ψ v 2 Γ Γ =1 , that case V(E(Ai))s are approximately orthogonal. h | i h V| Vi h ⊥| ⊥i≃Xi | i| h i| ii Wewillevaluatethissecondtermexactlybelow. From Eqn.(20), we have (25) Γ P Γ (32) which means ΨQΨ / ΨΨ 1. h j| E(Ai)| ki In the subshequ|en|t siuhbse|ctiio≃n, we will use this idea to = wj∗,∆Jwk,∆J hΨE(Aj);∆J|PE(Ai)|ΨE(Ak);∆J′i . proveTheorem2rigorously,butfirstwepreparetwolem- ∆XJ,∆J′ mas that are convenient. First we show that the contri- The term appearing on the RHS can be bounded from bution of Ψ is indeed small. above as | ⊥i Lemma 3 Ψ ;∆J P Ψ ;∆J βd α , For any i and s, (s 0, s Z), (cid:12)h E(Aj) | E(Ai)| E(Ak) ′i(cid:12)≤ − ≥ ∈ since t(cid:12)he triplet i,j,k does not satisfy i(cid:12)= j = k. In ad- Ψ P s Ψ (1 1/l)sα Ψ Ψ , (26) dition, because the Hamming weight of ∆J is bounded h ⊥|{ E(Ai)} | ⊥i ≤ − h ⊥| ⊥i from above as HW(∆J) α, there are only F (n) pat- P Ψ (1 1/l)α Ψ . (27) ≤ α E(Ai)| ⊥i ≤ − k | ⊥ik terns of wk,∆J (and equivalently for wj,∆J). Thus, max- (cid:13) (cid:13) Proof. (Se(cid:13)e also Para(cid:13)graph IVB3b and Fig.2.) As imizing the RHS of Eqn.(32) using the Lagrange multi- plier for wj,∆J and wk,∆J′, we find Ψ V⊥ [V(E(Ai)]⊥, Ψ can be expanded w| it⊥hi t∈he eigen⊂states |ΨE;∆Ji|w⊥itih Hamming weight |hΓj|PE(Ai)|Γki|≤Fα(N)βd−α . HW(∆J) α. Note that if HW(∆J) α, from the definition o≥f π(e) given in Eqn.(13) ≥ Applying the Lagrangemultiplier againon vi, we obtain anupper bound for the secondtermonthe RHS of(31), and Inequality (28) can be proved. Inequality (29) can (P )s Ψ ;∆J =(1 1/l)sHW(∆J) Ψ ;∆J . E | E i − | E i be provedas well in a similar manner if one notices that From this, Inequality (26) immediately follows. Inequal- maxe=e′ ee′ =β¯ β. 2 6 |h | i| ≤ ity (27) can be shown by setting s = 2 in (26) as the operator P is Hermitian. 2 E 5. Proof of Theorem 2 NextwepresenttherigorousversionofInequality(24). From the above two lemmas Lemma 4 ΨQΨ h | | i ΨV QΨV 1+r(r 1)βd−αFα(N) , (28) ΨV QΨV +2 ΨV QΨ + Ψ QΨ h | | i ≤ − ≤ h | | i |h | | ⊥i| h ⊥| | ⊥i Ψ Ψ 1 (r 1)βd αF (N) , (29) 1+r(r 1)ǫ +2r(1+(r 1)ǫ )ǫ S+rǫ S2 V V − α 1 1 2 2 |h | i− | ≤ − ≤ − − 8 and From a well-known theorem of the theory of error- correcting codes, N can be made arbitrarily large while hΨ|Ψi=hΨV|ΨVi+hΨ⊥|Ψ⊥i≥1−(r−1)ǫ1+S2 , keeping constant the information rate n′/N and the rel- ative minimum distance d/N. The RHS of (37) being where a constant and logβ being negative, Inequality (37) can always be satisfied by choosing a large enough N. ǫ = βd αF (N) , ǫ =(1 1/l)α , (33) 1 − α 2 − S = Ψ Ψ 1/2 . h ⊥| ⊥i V. NOTES FOR IMPLEMENTATION (c.f., Inequalities (24) and (25)), Thus, Asmentionedearlier,ourprotocolcanbeimplemented ΨQΨ Pr[Ai ρ] h | | i using currently available technology. For example, the | ≤ ΨΨ Xi h | i case of D = 2 can be realized by single photon sources 1+r2ǫ +2rǫ (1+rǫ )S+rǫ S2 and detectors. Probably the most familiar way of en- 1 2 1 2 ≤ 1 rǫ +S2 coding is the BB84-like states that are often used for 1 − quantum key exchange[1], 1+r2ǫ rǫ (1 rǫ )+rǫ (1+rǫ )S 1 2 1 2 1 = rǫ + − − 2 1 rǫ +S2 1 0 − 1 0 = , 1 = , c +c S | i (cid:18)0(cid:19) | i (cid:18)1 (cid:19) 1 2 =: rǫ + . 2 c3+S2 2 = 1 1 , 3 = 1 −1 , | i √2(cid:18)1 (cid:19) | i √2(cid:18) 1 (cid:19) Assuming c ,c ,c > 0 and differentiating by S, we see 1 2 3 that which corresponds to q = 4, D = 2, l = 2, and β = 3/4. As onecanseefromthe theoryoferror-correctingcodes, Pr[A ρ] rǫ + 1 c21+c3c22+c1 =1+ε . (34) for sufficiently large N, there exists a code E with the Xi i| ≤ 2 2p c3 informationraten′/N thatis virtually equalto 1. Thus, in this case, a secure protocol can be constructed with Here,asc ,c 1andc canbechosenarbitrarilysmall, m/n 1/2,where m is the bit number accessible by the ε on the R1HS3 ≃can be ar2bitrarily small. 2 receiv≃er before unveiling. For example, take r = 210 and ǫ = 2 10, which cor- − respond to α 26. Then, it is guaranteed from the ≥ 6. Choice of Parameters Gilbert-Vershamovbound(seeRef.[12])thatthereexists a linear code with q = 4, N = 105, d/N = 10 2, and − Next, we show that ε given in (34) can actually be n′/N 0.95, for which Inequality (37) holds. In this ≥ arbitrarily small by choosing sufficiently large N. Here, case, m/n<0.53 is satisfied. we doa veryroughestimate withoutworryingaboutthe It should be noted, however, that in real life there tightness of the bound. First assume rǫ 1/2 for ǫ are problems with information losses in optical channels 1 1 defined in (33), then ≤ and with the detection rate of photon detectors. Conse- quently,Bobmightenduprejecting Alice’s commitment c2+c c2+c even when an honest Alice has sent the correct commit- p 1 c33 2 1 ≤(1+2rǫ1)(2c1+c2) . ment |ΨAi. Still, we can overcome these problems by modifying and immediately we have steps 3 and 4 of the open phase (Sec.IIIB) as follows. First take an integer parameter t > 0, the exact value Pr[A ρ] 1+4rǫ +4r2ǫ . (35) of which is determined by the noise level of the channel i 2 1 | ≤ Xi andthe detectionrate. Thenchangesteps3and4ofthe open phase as follows: We will prove below that the second and the third term on the RHS of Inequality (35) can be ε/2 respec- 3. Bobverifiesthefollowingconditionforeachparticle tively. As to the second term, it suffic≤es to let α = 1 i N : ≤ ≤ log 2 6ε/r . As to the third term, first note 1 1/l − - If the basis he chooses is correct, i.e., e − (cid:0) (cid:1) | ii ∈ M(s ), he obtains e as a result of his mea- Fα(N)<(D−1)αexp[N ·H2(α/N)] (36) suremi ent. | ii for N α+1 > N/D (see e.g., Ref.[12], Appendix A). Then, he records as y the number of particles that − Using Inequality(36), we see that the third term on the do not satisfy the above condition. RHS of (35) can be bounded from above if 4. If the above condition does not hold for more than α εβα t particles, i.e., if y >t, then Bob rejects the com- N H +dlogβ log . (37) · 2(cid:16)N(cid:17) ≤ (cid:18)8r2(D 1)α(cid:19) mitment. Otherwise he accepts it. − 9 In other words, Bob accepts Alice’s commitment even classicalerror-correctingcode E needs to be ofthe order when up to a certain number of particles does not meet of N 105 in length. Although possible in principle, it ≃ the condition of step 3. In this case too, the security of is not very practical to calculate a generator matrix of the protocol can be shown in almost the same way as in this size using currently available computers. Instead, it the previous section[13]. is much moreworthwhile to optimize the protocolor the security proof so that we can ensure the same level of security for smaller N. VI. CONCLUSION For example, the estimate given in Section IVB6 is not yet tight, since there we were interested mainly in Inthis paper,we haveproposedanew QBSC protocol proving that the protocol is in fact possible. Thus, by and shown that it is secure in terms of the same secu- using a better strategy,we might be able to obtain more rity requirements as discussed in Ref.[3]. Our protocol securityforshorterbitlengthn. Note,inparticular,that hasthemeritthatitcanbeimplementedusingcurrently evenwiththeratiom/noftheaccessiblebitsbeingfixed, available technology such as single-photon sources and there is a variety of choices of parameters, such as q, D, detectors. and l. It will be interesting to see how we can better An example of future work is the optimization of the optimize the protocol,whether by making better choices protocol presented here. As discussed in Section V, if for quantum states 0 ,..., q 1 or by optimizing the | i | − i the protocol is implemented using BB84-like states, the classical error-correctingcode E. [1] C.H. Bennett and G. Brassard, “Quantum Cryptogra- Tools, (Cambridge Univ.Press, Cambridge, 2001). phy: PublicKeyDistributionandCoinTossing,”inPro- [10] C.H. Bennett, G. Brassard, S. Breidbart and S. Wies- ceedings of the IEEE International Conference on Com- ner, “Quantum Cryptography, or Unforgeable Subway puters, SystemsandSignalProcessing(IEEE,NewYork, Tokens,” in Proceedings of CRYPTO ’82, p.267 (1982). 1984) p.175. [11] H. Buhrman, R. Cleve, J. Watrous and R. de Wolf, [2] C.W. Helstrom, Quantum Detection and Estimation “QuantumFingerprinting,”Phys. Rev. Lett.,87,167902 Theory (AcademicPress, New York,1976). (2001). [3] A.Kent,“QuantumBitStringCommitment,”Phys.Rev. [12] W.W. Peterson and E.J. Weldon, Jr., Error Correcting Lett., 90, 237901 (2003). Codes (MIT Press, 1972). [4] A. Kent, “Unconditionally Secure Bit Commitment,” [13] T. Tsurumaru, work in progress. Phys.Rev.Lett., 83, 1447-1450 (1999). [14] A.C. Yao, “Security of Quantum Protocols against Co- [5] H.-K.Loand H.F. Chau “Is QuantumBit Commitment herent Measurements,” in Proceedings of 1995 ACM ReallyPossible?,”Phys.Rev.Lett.,78,3410-3413(1997). Symposium on Theory of Computing 67–75 (1995). [6] D.Mayers, “Unconditionally Secure QuantumBit Com- [15] H.-K. Lo and H.F. Chau, “Why Quantum Bit Commit- mitment is Impossible,” Phys. Rev. Lett., 78, 3414 ment and Ideal Quantum Coin Tossing are Impossible,” (1997). Phisica, D120, pp.177–187 (1998). [7] M.A. Nielsen and I.L. Chuang, Quantum Computa- [16] H.F. Chau and H.-K. Lo, “Making an Empty Promise tion and Quantum Information(CambridgeUniv.Press, withaQuantumComputer,”Fortsch.Phys., 46,pp.507– Cambridge, 2000). 520, (1998). [8] H. Delfs and H. Knebl, Introduction to Cryptography, [17] Onthecontrary,abitcommitment schemethat exploits Principles and Applications (Springer Verlag, Berlin, special relativity has been proposed and the security 2002). proof has been given. See Ref.[4]. [9] O.Goldreich,FoundationsofCryptography, Vol.I,Basic

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users