Table Of ContentImplementable Quantum Bit-String Commitment Protocol
Toyohiro Tsurumaru
Mitsubishi Electric Corporation,
Information Technology R&D Center
5–1–1 Ofuna, Kamakura-shi,
Kanagawa, 247-8501, Japan
Quantumbitstringcommitment[A.Kent,Phys.Rev.Lett.,90,237901(2003)]orQBSCisavariant
ofbitcommitment(BC).Inthispaper,weproposeanewQBSCprotocolthatcanbeimplemented
using currently available technology, and prove its security under the same security criteria as
discussed by Kent. QBSC is a generalization of BC, but has slightly weaker requirements, and our
proposed protocol is not intended to break theno-go theorem of quantumBC.
PACS number(s): 03.67.-a, 03.67.Dd, 89.70.+c
5
0
0
I. INTRODUCTION tum key distribution(QKD). This is mainly because BC
2
isoneimportantbuildingblockinawholelistofinterest-
n
ingtools,suchasmulti-partyprotocolsorzero-knowledge
a Quantum bit string commitment (QBSC) was pro-
J posed by Kent[3], as a generalization of bit commitment proof, rooted in classicalcryptology(see e.g., Ref.[8][9]).
However, as pointed out in Ref.[3], we are not yet able
6 (BC).ThefundamentalgoalofQBSCisthesameasthat
ofBC;thatis,thesenderfirstsendsevidenceofassigned even to characterizethe range of cryptographictasks for
2 whichperfectlysecurequantumprotocolsmightpossibly
dataoveracommunicationchannelwithoutrevealingthe
v exist. Thus, we assume here that there must be distinct
actual data. Then, after an interval, the sender reveals
4 security notions that are unique to quantum cryptogra-
the data and the receiver verifies that the data have not
7
phy, and seek protocols that do not necessarily have a
1 been modified.
classical counterpart.
7 The difference in QBSC is that the sender commits a
This paper is organized as follows. In Section II, we
0 string A = (a , ,a ) with n > 1 in a single protocol
4 1 ··· n briefly review some of the results by Kent[3], including
session,andalimited(butcertain)numberofitsbitsare
0 the basic structure of QBSC and its security criteria.
accessible by the receiver before the open phase. This
/ Subsequently, we describe the proposed protocol in Sec-
h situation is referred to as (m,n) bit string commitment
tion III and prove its security in Section IV. Then in
p in Ref.[3], where m ( n) is the maximum number of
- ≤ Section V, we briefly comment on the implementation
nt accessible bits. Conventional BC schemes correspond to and finally conclude in Section VI.
thecasewheren=1andm=0,andinthissenseQBSC
a
is a generalizationof BC.
u
q In this paper, we propose a new QBSC protocol that
II. PREVIOUS METHOD
: canbeimplementedusingcurrentlyavailabletechnology,
v
such as single-photon sources and detectors, and then
i
X prove its security. The main difference from the previ- The original QBSC was proposed in Ref.[3], with two
r ous protocol is in the quantum measurement procedure example schemes, called Protocol 1 and Protocol 2. Be-
a performed by the receiver to verify a commitment. In forepresentingourprotocol,webrieflyreviewtheresults
our scheme, the receiver is allowed to perform the mea- by Kent in this section. Both of the example protocols
surements in the commitment phase using randomized share a simple basic structure, as follows. Throughout
bases, which means that it is not necessary to preserve this paper, we will call the sender Alice and the receiver
the quantum state until the open phase. Bob.
AlthoughQBSCisageneralizationofBC,thesecurity
level that it achieves is slightly weaker than that of BC
unless m=0. We would like to stress that our proposal A. Basic Structure of Kent’s Scheme
isnotintendedtobreaktheno-gotheoremofLo-Chau[5]
and Mayers[6], which states that if one takes full advan- 1. Procedure
tageofquantumcomputersandquantumcommunication
channels, any type of nonrelativistic BC scheme can be Alice and Bob proceed as follows.
attacked[17]. Our ultimate goal is to devise useful and
secure quantum cryptographic schemes that do not rely
Commitment Phase
on BC.
The no-go theorem of BC often makes people think 1. Alice chooses a bit string A = (a ,...,a ) to be
1 n
that it might be impossible to create any useful crypto- committed to and sends Bob the corresponding
graphicprotocolsbasedonquantumtheory,exceptquan- state Ψ .
A
| i
2
2. Bob preserves the received state Ψ . B. Example Protocols
A
| i
Open Phase
1. Protocol 1
1. Alice unveils A to Bob.
Define qubit states
2. Bob verifies A by a projective measurement on
Ψ . If the outcome is consistent with A, he ac-
A ψ = 0 , ψ =sinθ 0 +cosθ 1 .
| i 0 1
cepts the commitment, otherwise he rejects it. | i | i | i
Alice sends particles in the states ψ ,...,ψ for A =
The exact form of the state Ψ differs depending on a1 an
| Ai (a1,...,an), ai 0,1 . In other words, she transmits
the type of protocol and will be given below. to Bob the state∈Ψ{ :}= ψ ψ . Here θ R
| Ai | a1i⊗···⊗| ani ∈
isaconstantthatisdeterminedaccordingtothesecurity
parameter.
2. Security Requirement
a. ConcealingCondition FromtheHolevobound[7],
the information m that is accessible by Bob is bounded
ForBC,therearetwosecurityrequirements,whichare
by
called the concealing and binding conditions[9]. Similar
n
notionsarealsousedforQBSC,althoughwithsomewhat 1+sinθ
m S(ρ)= H , (2)
relaxed restrictions[3]. ≤ (cid:20) 2(cid:18) 2 (cid:19)(cid:21)
- Concealing Condition. The receiver can access where H (x) = xlogx (1 x)log(1 x). Hence m
2
only a limited number of bits in the committed can be arbitraril−y small b−y adj−usting θ. −
string A before the open phase. b. Binding Condition. InProtocol1,binding is dis-
Thenumberofaccessiblebits isreferredtoasmin cussedforeachbitseparately. Letpji =hψj|ρi|ψjibethe
Ref.[3]. probability of Bob accepting a revelationof j for the ith
bit. We have
- Binding Condition. It is unlikely that Alice will
change the content of her commitment A after the p0+p1 cos2[(π 2θ)/4]+sin2[(π+2θ)/4] , (3)
i i ≤ −
commitment phase.
where the RHS can again be chosen arbitrarily close to
Note that for BC schemes, Bob is assumed to gain no 1 by choosingsuitableθ. Ingeneral,the smaller θ is, the
information whatsoever regarding committed bit b until stronger the binding becomes; simultaneously, however,
Alice unveilsit, whereasinQBSC perfectconcealmentis concealingbecomesweaker,ascanbe seenfromInequal-
dispensed with; Bob is allowed to extract a certain but ity (2). Thus, θ needs to be chosen with this balance in
limited amount of information from A. mind.
The meaning of the term ‘unlikely’ in the definition of
the binding condition differs in the two protocols. This
point will be discussed below. 2. Protocol 2
As to the possibility of each player cheating, Alice
cheatingputsthebindingatriskandBobcheatingcorre- In Protocol 1, as m in (3) is in the same order as
sponds to concealment. Throughout this paper, we con- n, most bits from A are accessible by Bob, because the
sideronlycaseswhereeitheroneofthemischeating,but amountofdata encoded per qubit is rather small. Thus,
not both. Thus, the binding and concealing conditions anotherprotocolattheotherextremewithamuchhigher
can be discussed separately. encoding rate is considered here .
The basic idea here is that instead of using qubits,
oneencodesAintoageneralD-dimensionalvectorspace
3. Measurement by Bob =CD/C. Thus,onechoosesO(exp(const.D))states
D
H
Ψ out of .
A D
{| i} H
When considering Alice’s cheating, we denote the a. Binding Condition. In Protocol 1, we discussed
quantumstatesenttoBobasadensitymatrixρ,sincein bitwise security; here we take a different approach.
general,Alice would be likely to use a randomizedstrat-
Definition 1 Takeanarbitraryvalueofr Zandε R
egy or send an entangledstate. Note here that whatever ∈ ∈
(ε,r > 0). A QBSC protocol is binding if, by choosing
strategy Alice follows, once she transmits the quantum
a large enough n, the following inequality holds for arbi-
state to Bob, the density matrix ρ is fixed. Honest Bob
trarily chosen A ,...,A and ρ,
verifies Alice’s commitment by performing a projective 1 r
measurement of ρ using an orthonormal basis that in-
Pr[A ρ] 1+ε . (4)
cludes |ΨAi. Bob then accepts it as a correct commit- Xi i| ≤
ment of string A with the probability
Here, n is the length of the bit string that is to be com-
Pr[Aρ]= ΨA ρΨA . (1) mitted. 2
| h | | i
3
Intuitively, this definition can be illustrated as follows. Therefore, we cosider here whether Bob can distinguish
A cheating Alice might want to postpone her decision ρ sufficiently accurately without knowing A, because if
by selecting x patterns of bit strings A ,...,A in the that is the case, Bob does not need to preserve ρ for a
1 x
commitment phase. Then, later in the open phase, she long period.
could unveil any desired string among them. In such a In order to actually do this, we change Bob’s verifica-
case,themaximumprobabilityofhersuccessislessthan tion procedure. That is, Bob measures ρ as soon as he
1/x if x<r, and is less than 1/r if x>r. receives it using randomly chosen orthogonal bases, and
Infact,itcanbeshown[3]thatifthecommittedstates then stores the result until the open phase. Although
Ψ are chosen to be approximately orthogonal: much less information is obtained in this way than is
A
| i
obtained by directly comparing ρ with Ψ Ψ , it is
A A
| ih |
ΨA ΨA′ sinθ =ǫ 1 for A= A′ (5) enough to detect cheating by Alice, as we will show in
|h | i|≤ ≪ ∀ 6 ∀
Section IV.
the above binding condition (4) is true for ε (r 1)ǫ.
≤ −
That is, if one can construct approximately orthogonal
states ΨA ,the bindingconditionis automaticallyguar- A. Quantum State for Encoding
| i
anteed.
b. Approximately Orthogonal States. In this proto-
First we define the quantum state Ψ , which is used
A
col, one needs to choose exp(const.D) states Ψ out of | i
A as a commitment of the string A.
| i
D-dimensional vector space while keeping approximate
orthogonality as in (5). Although this seems impossi-
ble at first sight, interestingly, it can in fact be eas- 1. Error-Correcting Code
ily achieved by using classical error-correctingcodes[11].
One example is as follows.
Throughout this section, we assume that string A is
Take an error-correcting code E : 0,1 n 0,1 m
{ } → { } notnecessarilyabitstringbutisingeneralaq-arystring
with information rate R = n/m and minimum distance
A=(a1,...,an′), ai 0,...,q 1 . Iftheoriginaldata
d and let δ = d/m. Next choose quantum states h ∈{ − }
C2m/C corresponding to string A 0,1 n as: | Ai ∈ are a bit string, one needs to transform them into a q-
∈{ } arystringusingsomeappropriatesurjectivemapping. In
this case, A stands for the data of n= n log q bits.
1 m ⌈ ′ 2 ⌉
Thenwe fix a q-aryclassical(N,n,d)error-correcting
h := i E (A) . (6) ′
A i
| i √m | i⊗| i code :
Xi=1
E :A E(A)=(e ,...,e ) , e 0,...,q 1 .
Then, as hA hA′ (1 δ) for A = A′, an arbitrarily 7→ 1 N i ∈{ − }
|h | i| ≤ − 6
smallǫcanbechosenbydefining ΨA as ΨA := hA The sender stretches the string A into a q-ary string E
| i | i | i⊗
hA . of length N using this error-correctingcode.
···⊗| i
III. PROPOSED PROTOCOL 2. Quantum States of ‘Particles’
Theprotocolsdescribedintheprevioussectionarecer- The commitment Ψ takes the form
A
| i
tainly significant, in that they achieve a completely new
Ψ = Ψ := e e , (7)
type of security by using quantum mechanics. However, A E(A) 1 N
| i | i | i⊗···⊗| i
itseemsalmostimpossibletoimplementthemusingcur-
where each e is a D-dimensional vector. That is, the
i
rent technology. There are two main reasons. | i
sender commits by sending N ‘particles’ having inter-
nal degrees of freedom in a D-dimensional vector space
1. Bob needs to preserve the quantum state Ψ as
| Ai = CD/C. Each q-ary value e is encoded into this
it was created by Alice, until the open phase. HDD-dimensional space of the ith pariticle.
2. InProtocol2,highlyentangledstates,suchas h We use the same set of D-dimensional states for each
A
| i
given in (6), are necessary. particle and denote them as
In particular, the first point seems the more difficult to 0 , , q 1 D . (8)
| i ··· | − i ∈H
overcome. Thus,weproposeamodifiedversionofQBSC
Hence,Eqn.(7)meansthattheith particlehase th states
that can be implemented, and subsequently prove its se- i
of (8). The q states of (8) are all distinct but do not
curity.
necessarily form an orthonormal basis.
In Kent’s protocol, Bob needs to preserve the quan- It is assumed here that D satisfies q = lD for l Z,
tum state ρ as it wassentfromAlice inthe commitment ∈
and that the states of (8) can be groupedtogether into l
phase until the open phase. This is because Bob verifies
types of orthonormalbasis M(i), i=0,...,l 1
ρ by projective measurements using an orthonormal ba- −
sisincluding Ψ Ψ ,afterAlicehasunveiledstringA. M(i):= i;0 ,..., i;D 1 , i;j i;k =δ (9)
A A jk
| ih | {| i | − i} h | i
4
Previous Protocol Proposed Protocol
Alice Bob Alice Bob
Ψ Ψ
A A
Ψ Ψ
ρ ρ
A A
Measurement
Commitment
without knowing A
Phase
Preserve
Open Phase
A
A A A
ρ
Compare Aand the
Measurement using A
result of measurement
FIG. 1: Differences between theprevious and proposed protocols.
with 1. Alice reveals A to Bob.
2. Bob computes the codeword E(A).
iD+j = i;j .
| i | i
3. Bobverifiesthefollowingconditionforeachparticle
Also, for the sake of simplicity, we assume that the or-
1 i N :
thogonal bases M(i) are symmetric under a finite group ≤ ≤
Gthatactson . Inotherwords,forany0 i l 1, - If the basis that he chose is correct, i.e.,
D
H ≤ ≤ −
g G, there exists 0 i l 1 satisfying e M(s ), he obtains e as a result of
∈ ≤ ′ ≤ − | ii ∈ i | ii
his measurement.
gM(i):= R(g)i;0 , ..., R(g)i;D 1 =M(i′) ,
{ | i | − i} 4. If the abovecondition does not holdfor anyi, Bob
(10)
rejects the commitment, otherwise, he accepts it.
where R is a representation of G in . In Eqn.(10),
states are identified if they differ onlyHuDp to a phase of
complex number.
C. Differences from Kent’s Protocols
B. Protocol As stated earlier, Bob does not need to preserve the
quantum state ρ until the open phase as he examines ρ
inthecommitmentphase. Byusingrandomizedbases,he
Alice and Bob proceed as follows.
selects correct bases in a probabilistic way, and is there-
fore able to verify Alice’s commitment confidently.
Commitment Phase
In addition, players only need to be able to create
1. Alice chooses a q-ary string A = (a1,...,an′) to and detect D-dimensional quantum states, and thus the
which she is committed and computes the corre- highly entangled states, e.g., hA given in (6), are un-
| i
sponding codeword E(A)=(e ,...,e ). necessary. For instance, the case of D =2 can be imple-
1 N
mented using single-photons.
2. Bob chooses a l-ary random string Error-correcting code is used here to ensure approxi-
S =(s1,...,sN) 0,...,l 1 N. mate orthogonality of states |ΨE(A)i as in Kent’s proto-
∈{ − } col (c.f., Eqn.(5)). Indeed in our protocol, Alice sends
3. Alice sends N particles e ,..., e to Bob. Ψ := e e , which satisfies
| 1i | Ni | E(A)i | 1i⊗···⊗| Ni
4. Bobperformsmeasurementsoneachreceivedparti- A A′ A=A′ ΨE(A) ΨE(A′) <β¯d . (11)
∀ ∀ 6 → |
cle|eiiwiththebasisM(si)andrecordstheresult. Hereβ¯is th(cid:0)e maximum(cid:12)(cid:12)(cid:10)value ofthe in(cid:11)n(cid:12)(cid:12)er pro(cid:1)ductofthe
Open Phase particle states defined in (8), i.e., ee β¯ for e=e
′ ′
|h | i|≤ ∀ 6
5
(seealsoParagraphIVB2c). Inthenextsection,wewill if he chooses a wrong basis, he may accept Alice’s com-
exploit this property to prove the binding condition. mitment no matter what he obtains as a result of his
measurement. Thus, averaged over the random variable
S, the acceptance rate by Bob takes the form
IV. SECURITY EVALUATION
1 1
Pr [Aρ]:= 1 + e ρe =Trρπ(e ), (12)
N=1 1 1 1
| (cid:18) − l(cid:19) lh | | i
Nowwewillprovethesecurityoftheproposedscheme.
Throughoutthissection,weconsideranidealcasewitha
where
noiselesschannelanderror-freedetection. (Fornon-ideal
cases, see Section V.) 1 1
π(e) := 1 I + e e
As to what each player can do in quantum proto- (cid:18) − l(cid:19) D l| ih |
cols, we follow the definition given by Yao[14] and Lo-
1 1
Chau[15]. That is, quantum protocol is formalized in a = 1 I + i;j i;j =:π(i;j) . (13)
D
(cid:18) − l(cid:19) l| ih |
Hilbert space = , where (resp.
T A B C A
H H ⊗H ⊗H H
) refers to the space in which Alice (resp. Bob) can
HopBerate. HC is the communication channel. Every step HeSriemIiDlarislyafourniNt m>a1tr,iix.ei.n, iHf DA.lice sends more than one
ofthe protocolisdone byunitary operationsby Alice on
particle, the acceptance rate takes the form
and those by Bob on , alternately.
A C B C
H ⊗H H ⊗H
Pr[Aρ]=TrρP
E(A)
|
A. Concealing condition with
Intheproposedprotocol,nlog q-bitdataareencoded PE =π(e1) π(eN) . (14)
2 ⊗···⊗
in Nlog D qubits. Thus, the number of bits accessi-
2
b. What We Need to Prove. The sum of the accep-
ble by Bob, m, satisfies m Nlog D owing to the
≤ 2 tance rates for A ,...,A , which appears on the LHS of
Holevo bound. Hence, the protocol is concealing when 1 r
(4), takes the form
the bitnumberofAisgreaterthanthe qubitnumber,or
NlogD <nlogq.
Pr[A ρ]=Tr(ρQ) (15)
i
|
Xi
B. Binding Condition
with
In the remainder of this section, we will prove the fol- Q:=P + +P . (16)
E(A1) ··· E(Ar)
lowing theorem.
With this operator Q, what we need to do is to bound
Theorem 2 Theproposedprotocolisbindingintermsof TrρQfromaboveforanarbitrarydensitymatrixρ. How-
Definition 1. ever, it is obviously sufficient to consider instead the
upper bound on ΨQΨ for an arbitrary pure state
h | | i
Ψ . Moreover, in order to avoid complications from
| i
1. Basic Idea of the Proof statenormalizations,wedonotrequire Ψ tobenormal-
| i
izedandinsteaddiscusstheupperboundofthe quantity
ΨQΨ / ΨΨ .
The basic idea of the proof is the same as given in h | | i h | i
Ref.[3]. Namely, we exploit the approximate orthogonal-
ity (11) of Ψ (see Eqn.(5) andthe discussionnearby).
A
However,th|ereiis a complication,owingto the difference 2. Vector Subspace V(E(Ai))
in the form of the probability Pr[A ρ]. In our protocol,
i
Pr[A ρ] takes a different form, as th|e receiver performs In order to prove Theorem 2, it is convenient to di-
i
measu|rements on a randomly chosen orthogonal basis, vide the DN-dimensional space HDN, which consists of
whereas in Kent’s protocol, the receiver can make use of the degrees of freedom of the N particle used for com-
the string A unveiled by Alice. mitment. We herefocusespeciallyonthe eigenvectorsof
asaf.olloFwosr.mFoirfsPt,r[fAor|ρt]h.e sTahkeeporfosbimabpilliictyityP,rs[Aup|ρp]oissegtivheant cPoEn(tArii)buwtiethmroesltattiovehlΨy|lPaErg(Aeie)i|gΨeinvinaclulueds,edasinthheΨse|Qv|eΨctio.rs
N =1, that is, suppose that Alice sends only one parti- a. EigenstatesofoperatorPE. TheeigenstateofPE
cle. ThenBobchoosesthecorrectbasisformeasurement with eigenvalue 1, which is the largest, takes the form
(satisfyinge (A) M(s ))withprobability1/l,inwhich
1 1
case he can confid∈ently reject Alice’s commitment if the ΨE := e1 eN
| i | i⊗···⊗| i
outcome is different from e (A) . On the other hand, = i ;j i ;j . (17)
1 1 1 N N
| i | i⊗···⊗| i
6
This becomes the state that Alice sends as her commit- 3. Decomposition of |Ψi
ment of the q-ary string A, if we let E = (e ,...,e )
1 N
equal the codeword E(A) of A. a. SubspaceV andV . Nextwedefineanothersub-
⊥
ItisevidentthatalleigenvectorsofPE,including ΨE space
| i
take the form
V =V(E(A ))+ +V(E(A )) .
1 r
···
Ψ ;∆J := i ;j +∆j i ;j +∆j , (18)
E 1 1 1 N N N
| i | i⊗···⊗| i That is, any element of V is given by the sum of the
since PE is a tensor product of the smaller operator elements of V(E(A1)),...,V(E(Ar)). As can be seen
from the construction of V(E(A )), V is the subspace of
π(e )’s defined in Eqn.(13), which act on particles. Here i
i
∆J = (∆j1,...,∆jN) is an arbitrary D-ary string, and the quantum message space HDN which contributes by
far the most to ΨQΨ .
thesumj+∆j appearingontheRHSof(18)isassumed
h | | i
to be in modulo D. Recall that, as defined in (9), for Then we decompose Ψ into V and V⊥, where V⊥
| i
each i, the vectors i;0 ,..., i;D 1 form an orthonor- denotes the orthogonalcomplement of V.
| i | − i
malbasisinthe internalD-dimensionalvectorspace
D
aofcaompaprlteitceleo.rHtheonncoe,rmthael sbtaastiesso|Ψf tEh;e∆vJeictoobrvsiopuascley foHrm |Ψi:=|ΨVi+|Ψ⊥i = Xi vi|Γii+|Ψ⊥i , (22)
HDN
formed by N particles. v 2 = 1 (23)
i
| |
Roughly speaking, ∆J indicates the difference of Xi
Ψ ;∆J from Ψ . The eigenvalue of Ψ ;∆J
E E E
d|ecreasesi expone|ntiailly with the Hamming| weighit with Ψ V, Ψ V⊥ and vi C. The state
HW(∆J),orthenumberofnonzeroelementsofthe∆J: Γi is| aiss∈umed |to⊥biel∈ong to V(E(Ai∈)) and can thus
| i
be expanded as in Eqn.(20). We also assume that each
P Ψ ;∆J =(1 1/l)HW(∆J) Ψ ;∆J . (19) Γi is normalized, i.e., the coefficients wi,∆J defined in
E E E | i
| i − | i Eqn.(20) satisfy
For example, Ψ = Ψ ;∆J for ∆J =0.
| Ei | E i w 2 =1 .
b. Vector subspace V(E(Ai)). Then we define | i,∆J|
X
V(E(A )) as a vector subspace of , generated by ∆J HW(∆J)<α
i HDN { | }
eigenvectors Ψ ;∆J with HW(∆J)<α. The con-
| E(Ai) i Ontheotherhand,wedonotrequire Ψ tobenormal-
stant α here is an integer that determines the size of ized. Furthermore, Ψ is not a unit| v⊥ecitor in general,
the subspace and is supposed to satisfy 0 < α < d (see | Vi
althoughthecoefficientv ’sisnormalizedasinEqn.(23).
Fig.2). That is to say, any vector Γ V(E(A )) can i
be expanded as | ii ∈ i This is because |Γii’s with different values of i are not
exactly orthogonal as discussed above. It should also be
noted that there is arbitrarinessin the choice of Γ ow-
i
Γ = w Ψ ;∆J (20) | i
| ii i,∆J| E(Ai) i ing to this non-orthonognality.
X
∆J HW(∆J)<α It is still obvious that any vector Ψ can be
{ | } | i ∈ HDN
expanded as in Eqn.(22) with appropriate rescaling.
The appropriate value of α will be discussed later. b. V contributes only little. By definition, Ψ
⊥
c. V(E(Ai))’sareapproximatelyorthogonal. Infact satisfies ΨV Ψ = 0 for any ΨV V, and it is| a⊥pi-
the subspaces V(E(A ))’s with different values of i are h | ⊥i | i ∈
i parent that for any i, Ψ [V(E(Ai))]⊥ (see Fig.2).
approximately orthogonal to each other. Indeed, if Thismeansthat Ψ ca|n⊥biee∈xpandedbytheeigenstates
wΨe pick;∆twJo eflreommendtisffeorfenvetcstuobrspbaacsiess,|Ψi.eE.(,Afoi)r;∆i=Jij,awnde |ΨE(Ai);∆Ji wit|h H⊥iamming weight HW(∆J)≥α.
|havEe(Aj) ′i 6 1/Tl)hαuasn,ditwimemseeedtiahtaetlyΨfollowcosntthraibtu(cid:13)tPesE(lAitit)l|eΨt⊥oi(cid:13)Ψ≤Q(1Ψ−
ifαissufficientlylarge|. S⊥eei Lemma(cid:13)3foramoreh(cid:13)rig|or|ouis
Ψ ;∆J Ψ ;∆J <β¯d α , (21)
h E(Ai) | E(Aj) ′i − argument.
(cid:12) (cid:12)
(cid:12) (cid:12)
whereβ¯istheupperboundontheinnerproductsofpar-
ticle state 0 ,..., q 1 defined in (8). In other words, 4. Outline of the proof, and lemmas
β¯:=maxe=|ei′ ee′| −<1i.
6 |h | i|
Inequality(21)followsbecausewhenthetwostatesap- We have seen above that for large enough d and α
pearing on the LHS are representedusing particle states thesubspaceV(E(A ))sareapproximatelyorthogonalto
i
|aes′1i|Ψ⊗E·(·A·⊗i);|e∆′nJi,i|e=ii|ae1nid⊗|e·′ii··a⊗re|deniffiearenndt|fΨorEa(Atjle);a∆stJd′−i =α eTahcehno,tthheer,foalnlodw|iΨn⊥giin∈eqVu⊥alictoienstrsihbouuteldslhitotllde:tohΨ|Q|Ψi.
values of i, owing to the minimum distance property of
classical error correcting code. This is the main reason ΨQΨ = ΨP Ψ
forintroducingclassicalerror-correctingcode(seeFig.2). h | | i Xi h | E(Ai)| i
7
V where,
α 1
− N
V(E(A )) V(E(A2)) V(E(A3)) Fα(N):= Xi=0(cid:18)i(cid:19)(D−1)i .
1
ΨE(A2) ΨE(A3) Parameter β is definedamong particle states |ei, |e′i and
α d d operater π(e′′), which acts on them:
Ψ α
E(A1) α β := (em=ea′=xe′′)|he|π(e′′)|e′i| <1 . (30)
¬
The maximum value of Eqn.(30) is evaluated under the
condition thatthetriplete,e,e does notsatisfye=e =
′ ′′ ′
V e .
^ ′′
Proof.
Note
FIG. 2: A graphical image of vector spaces V and V⊥.
Ψ QΨ = v 2 Γ P Γ (31)
Vsta(Ete(sAwi)it)hisetigheenvveaclutoerssluarbgsepractheagnen(e1r−ate1d/lb)αy.PTEh(Auis),’stheeigpena-- h V| | Vi Xi | i| h i| E(Ai)| ii
rameter α serves as the radius of each V(E(Ai)). Parameter + v v Γ P Γ .
d denotes the separation between each V(E(Ai)). V is the X j∗ kh j| E(Ai)| ki
⊥ i,j,k (i=j=k)
sum of all V(E(Ai))’s and V is its orthogonal complement. { |¬ }
The first term on the RHS is clearly less than or equal
to 1. The secondtermis the sum ofthe crossterms gen-
v 2 Γ P Γ v 2 =1 , (24) erated by vectors from different subspaces V(E(A ))’s.
≃ | i| h i| E(Ai)| ii≤ | i| i
Xi Xi These should be negligible for a large enough d, since in
ΨΨ = Ψ Ψ + Ψ Ψ v 2 Γ Γ =1 , that case V(E(Ai))s are approximately orthogonal.
h | i h V| Vi h ⊥| ⊥i≃Xi | i| h i| ii Wewillevaluatethissecondtermexactlybelow. From
Eqn.(20), we have
(25)
Γ P Γ (32)
which means ΨQΨ / ΨΨ 1. h j| E(Ai)| ki
In the subshequ|en|t siuhbse|ctiio≃n, we will use this idea to = wj∗,∆Jwk,∆J hΨE(Aj);∆J|PE(Ai)|ΨE(Ak);∆J′i .
proveTheorem2rigorously,butfirstwepreparetwolem- ∆XJ,∆J′
mas that are convenient. First we show that the contri- The term appearing on the RHS can be bounded from
bution of Ψ is indeed small. above as
| ⊥i
Lemma 3 Ψ ;∆J P Ψ ;∆J βd α ,
For any i and s, (s 0, s Z), (cid:12)h E(Aj) | E(Ai)| E(Ak) ′i(cid:12)≤ −
≥ ∈ since t(cid:12)he triplet i,j,k does not satisfy i(cid:12)= j = k. In ad-
Ψ P s Ψ (1 1/l)sα Ψ Ψ , (26) dition, because the Hamming weight of ∆J is bounded
h ⊥|{ E(Ai)} | ⊥i ≤ − h ⊥| ⊥i from above as HW(∆J) α, there are only F (n) pat-
P Ψ (1 1/l)α Ψ . (27) ≤ α
E(Ai)| ⊥i ≤ − k | ⊥ik terns of wk,∆J (and equivalently for wj,∆J). Thus, max-
(cid:13) (cid:13)
Proof. (Se(cid:13)e also Para(cid:13)graph IVB3b and Fig.2.) As imizing the RHS of Eqn.(32) using the Lagrange multi-
plier for wj,∆J and wk,∆J′, we find
Ψ V⊥ [V(E(Ai)]⊥, Ψ can be expanded
w| it⊥hi t∈he eigen⊂states |ΨE;∆Ji|w⊥itih Hamming weight |hΓj|PE(Ai)|Γki|≤Fα(N)βd−α .
HW(∆J) α. Note that if HW(∆J) α, from the
definition o≥f π(e) given in Eqn.(13) ≥ Applying the Lagrangemultiplier againon vi, we obtain
anupper bound for the secondtermonthe RHS of(31),
and Inequality (28) can be proved. Inequality (29) can
(P )s Ψ ;∆J =(1 1/l)sHW(∆J) Ψ ;∆J .
E | E i − | E i be provedas well in a similar manner if one notices that
From this, Inequality (26) immediately follows. Inequal- maxe=e′ ee′ =β¯ β. 2
6 |h | i| ≤
ity (27) can be shown by setting s = 2 in (26) as the
operator P is Hermitian. 2
E 5. Proof of Theorem 2
NextwepresenttherigorousversionofInequality(24).
From the above two lemmas
Lemma 4
ΨQΨ
h | | i
ΨV QΨV 1+r(r 1)βd−αFα(N) , (28) ΨV QΨV +2 ΨV QΨ + Ψ QΨ
h | | i ≤ − ≤ h | | i |h | | ⊥i| h ⊥| | ⊥i
Ψ Ψ 1 (r 1)βd αF (N) , (29) 1+r(r 1)ǫ +2r(1+(r 1)ǫ )ǫ S+rǫ S2
V V − α 1 1 2 2
|h | i− | ≤ − ≤ − −
8
and From a well-known theorem of the theory of error-
correcting codes, N can be made arbitrarily large while
hΨ|Ψi=hΨV|ΨVi+hΨ⊥|Ψ⊥i≥1−(r−1)ǫ1+S2 , keeping constant the information rate n′/N and the rel-
ative minimum distance d/N. The RHS of (37) being
where
a constant and logβ being negative, Inequality (37) can
always be satisfied by choosing a large enough N.
ǫ = βd αF (N) , ǫ =(1 1/l)α , (33)
1 − α 2
−
S = Ψ Ψ 1/2 .
h ⊥| ⊥i
V. NOTES FOR IMPLEMENTATION
(c.f., Inequalities (24) and (25)), Thus,
Asmentionedearlier,ourprotocolcanbeimplemented
ΨQΨ
Pr[Ai ρ] h | | i using currently available technology. For example, the
| ≤ ΨΨ
Xi h | i case of D = 2 can be realized by single photon sources
1+r2ǫ +2rǫ (1+rǫ )S+rǫ S2 and detectors. Probably the most familiar way of en-
1 2 1 2
≤ 1 rǫ +S2 coding is the BB84-like states that are often used for
1
− quantum key exchange[1],
1+r2ǫ rǫ (1 rǫ )+rǫ (1+rǫ )S
1 2 1 2 1
= rǫ + − −
2 1 rǫ +S2 1 0
− 1 0 = , 1 = ,
c +c S | i (cid:18)0(cid:19) | i (cid:18)1 (cid:19)
1 2
=: rǫ + .
2 c3+S2 2 = 1 1 , 3 = 1 −1 ,
| i √2(cid:18)1 (cid:19) | i √2(cid:18) 1 (cid:19)
Assuming c ,c ,c > 0 and differentiating by S, we see
1 2 3
that which corresponds to q = 4, D = 2, l = 2, and β = 3/4.
As onecanseefromthe theoryoferror-correctingcodes,
Pr[A ρ] rǫ + 1 c21+c3c22+c1 =1+ε . (34) for sufficiently large N, there exists a code E with the
Xi i| ≤ 2 2p c3 informationraten′/N thatis virtually equalto 1. Thus,
in this case, a secure protocol can be constructed with
Here,asc ,c 1andc canbechosenarbitrarilysmall, m/n 1/2,where m is the bit number accessible by the
ε on the R1HS3 ≃can be ar2bitrarily small. 2 receiv≃er before unveiling.
For example, take r = 210 and ǫ = 2 10, which cor-
−
respond to α 26. Then, it is guaranteed from the
≥
6. Choice of Parameters Gilbert-Vershamovbound(seeRef.[12])thatthereexists
a linear code with q = 4, N = 105, d/N = 10 2, and
−
Next, we show that ε given in (34) can actually be n′/N 0.95, for which Inequality (37) holds. In this
≥
arbitrarily small by choosing sufficiently large N. Here, case, m/n<0.53 is satisfied.
we doa veryroughestimate withoutworryingaboutthe It should be noted, however, that in real life there
tightness of the bound. First assume rǫ 1/2 for ǫ are problems with information losses in optical channels
1 1
defined in (33), then ≤ and with the detection rate of photon detectors. Conse-
quently,Bobmightenduprejecting Alice’s commitment
c2+c c2+c even when an honest Alice has sent the correct commit-
p 1 c33 2 1 ≤(1+2rǫ1)(2c1+c2) . ment |ΨAi.
Still, we can overcome these problems by modifying
and immediately we have steps 3 and 4 of the open phase (Sec.IIIB) as follows.
First take an integer parameter t > 0, the exact value
Pr[A ρ] 1+4rǫ +4r2ǫ . (35) of which is determined by the noise level of the channel
i 2 1
| ≤
Xi andthe detectionrate. Thenchangesteps3and4ofthe
open phase as follows:
We will prove below that the second and the third term
on the RHS of Inequality (35) can be ε/2 respec- 3. Bobverifiesthefollowingconditionforeachparticle
tively. As to the second term, it suffic≤es to let α = 1 i N :
≤ ≤
log 2 6ε/r . As to the third term, first note
1 1/l − - If the basis he chooses is correct, i.e., e
− (cid:0) (cid:1) | ii ∈
M(s ), he obtains e as a result of his mea-
Fα(N)<(D−1)αexp[N ·H2(α/N)] (36) suremi ent. | ii
for N α+1 > N/D (see e.g., Ref.[12], Appendix A).
Then, he records as y the number of particles that
−
Using Inequality(36), we see that the third term on the
do not satisfy the above condition.
RHS of (35) can be bounded from above if
4. If the above condition does not hold for more than
α εβα t particles, i.e., if y >t, then Bob rejects the com-
N H +dlogβ log . (37)
· 2(cid:16)N(cid:17) ≤ (cid:18)8r2(D 1)α(cid:19) mitment. Otherwise he accepts it.
−
9
In other words, Bob accepts Alice’s commitment even classicalerror-correctingcode E needs to be ofthe order
when up to a certain number of particles does not meet of N 105 in length. Although possible in principle, it
≃
the condition of step 3. In this case too, the security of is not very practical to calculate a generator matrix of
the protocol can be shown in almost the same way as in this size using currently available computers. Instead, it
the previous section[13]. is much moreworthwhile to optimize the protocolor the
security proof so that we can ensure the same level of
security for smaller N.
VI. CONCLUSION For example, the estimate given in Section IVB6 is
not yet tight, since there we were interested mainly in
Inthis paper,we haveproposedanew QBSC protocol proving that the protocol is in fact possible. Thus, by
and shown that it is secure in terms of the same secu- using a better strategy,we might be able to obtain more
rity requirements as discussed in Ref.[3]. Our protocol securityforshorterbitlengthn. Note,inparticular,that
hasthemeritthatitcanbeimplementedusingcurrently evenwiththeratiom/noftheaccessiblebitsbeingfixed,
available technology such as single-photon sources and there is a variety of choices of parameters, such as q, D,
detectors. and l. It will be interesting to see how we can better
An example of future work is the optimization of the optimize the protocol,whether by making better choices
protocol presented here. As discussed in Section V, if for quantum states 0 ,..., q 1 or by optimizing the
| i | − i
the protocol is implemented using BB84-like states, the classical error-correctingcode E.
[1] C.H. Bennett and G. Brassard, “Quantum Cryptogra- Tools, (Cambridge Univ.Press, Cambridge, 2001).
phy: PublicKeyDistributionandCoinTossing,”inPro- [10] C.H. Bennett, G. Brassard, S. Breidbart and S. Wies-
ceedings of the IEEE International Conference on Com- ner, “Quantum Cryptography, or Unforgeable Subway
puters, SystemsandSignalProcessing(IEEE,NewYork, Tokens,” in Proceedings of CRYPTO ’82, p.267 (1982).
1984) p.175. [11] H. Buhrman, R. Cleve, J. Watrous and R. de Wolf,
[2] C.W. Helstrom, Quantum Detection and Estimation “QuantumFingerprinting,”Phys. Rev. Lett.,87,167902
Theory (AcademicPress, New York,1976). (2001).
[3] A.Kent,“QuantumBitStringCommitment,”Phys.Rev. [12] W.W. Peterson and E.J. Weldon, Jr., Error Correcting
Lett., 90, 237901 (2003). Codes (MIT Press, 1972).
[4] A. Kent, “Unconditionally Secure Bit Commitment,” [13] T. Tsurumaru, work in progress.
Phys.Rev.Lett., 83, 1447-1450 (1999). [14] A.C. Yao, “Security of Quantum Protocols against Co-
[5] H.-K.Loand H.F. Chau “Is QuantumBit Commitment herent Measurements,” in Proceedings of 1995 ACM
ReallyPossible?,”Phys.Rev.Lett.,78,3410-3413(1997). Symposium on Theory of Computing 67–75 (1995).
[6] D.Mayers, “Unconditionally Secure QuantumBit Com- [15] H.-K. Lo and H.F. Chau, “Why Quantum Bit Commit-
mitment is Impossible,” Phys. Rev. Lett., 78, 3414 ment and Ideal Quantum Coin Tossing are Impossible,”
(1997). Phisica, D120, pp.177–187 (1998).
[7] M.A. Nielsen and I.L. Chuang, Quantum Computa- [16] H.F. Chau and H.-K. Lo, “Making an Empty Promise
tion and Quantum Information(CambridgeUniv.Press, withaQuantumComputer,”Fortsch.Phys., 46,pp.507–
Cambridge, 2000). 520, (1998).
[8] H. Delfs and H. Knebl, Introduction to Cryptography, [17] Onthecontrary,abitcommitment schemethat exploits
Principles and Applications (Springer Verlag, Berlin, special relativity has been proposed and the security
2002). proof has been given. See Ref.[4].
[9] O.Goldreich,FoundationsofCryptography, Vol.I,Basic
