当前位置:首页 >> >>

Secret parameters in quantum bit commitment

Secret parameters in quantum bit commitment
Chi-Yee Cheung?
Institute of Physics, Academia Sinica Taipei 11529, Taiwan, Republic of China The no-go theorem of unconditionally secure quantum bit commitment depends crucially on the assumption that Alice knows in detail all the probability distributions generated by Bob. We show that if a protocol is concealing, then the cheating unitary transformation is independent of any parameters (including probability distributions) secretly chosen by Bob, so that Alice can calculate it without knowing Bob’s secret choices. Otherwise the protocol cannot be concealing. Our result shows that the original impossibility proof was based on an incorrect assumption, despite the fact that its conclusion remains valid within the adopted framework. Furthermore, our result eliminates a potential loophole in the no-go theorem.
PACS numbers: 03.67.Dd, 03.67.Hk, 03.67.Mn Keywords: quantum bit commitment, quantum cryptography

arXiv:quant-ph/0508180v2 28 Sep 2005

The security of quantum bit commitment (QBC) is an important issue in quantum cryptography because QBC is a primitive which can be used as the building block of other important two-party cryptographic protocols [1]. A QBC protocol involves two parties customarily named Alice and Bob. Alice secretly commits to a bit b (0 or 1) which is to be revealed to Bob at a later time. In order to bind Alice to her commitment, the two parties execute a series of quantum and/or classical procedures, so that at the end of the commitment phase, Bob is in possession of a (b) quantum mechanical state |ψB . The idea is that, with additional classical information from Alice in the unveiling phase (when she unveils the value of (b) b), Bob can use |ψB to check whether Alice is honest. A QBC protocol is said to be binding if Alice cannot change her commitment or Bob will ?nd out. Furthermore it is concealing if Bob can obtain no information about the value of b before it is unveiled, (b) which implies that the encoding density matrix ρB (b) of the state |ψB is independent of the value of b, i.e., ρB = ρB .
(0) (1)

ble. In a nutshell, the proof goes as follows. It is observed that the commitment process, which may involves any number of rounds of quantum and classical exchange of information between Alice and Bob, can always be represented by an unitary transformation U (b) on some initial state |φAB in the combined Hilbert space HA ? HB of Alice and Bob: |ΨAB = U (b) |φAB ,
(b) (b) (b)



Without loss of generality, we can take |φAB and (b) |ΨAB to be pure states. In this approach, Alice and Bob do not ?x their undisclosed classical parameters in the commitment phase, but leave them undetermined at the quantum level instead. This is called quantum puri?cation. In general it requires that Alice and Bob have access to quantum computers with unrestricted capacities, which is consistent with the assumption that they have unlimited computational power. Therefore instead of honestly following the original protocol, Alice can always follow a modi?ed protocol as described above, so that at the end of the (b) commitment phase, there exists a pure state |ΨAB in HA ? HB . As long as the reduced density matrix on Bob’s side is unchanged, i.e., TrA |ΨAB ΨAB | = ρB ,
(b) (b) (b)

A QBC protocol is secure if and only if it is both binding and concealing. Moreover, if a protocol is secure even if Alice and Bob had unlimited computational power, then it is said to be unconditionally secure. In 1997, Lo and Chau [2, 3] and Mayers [4, 5] proved that unconditionally secure QBC is impossi-


Bob has no way of knowing what Alice has actually done. Then it follows from Schmidt decomposition theorem [6, 7] that, √ (0) i |ΨAB = λi |ei ? |ψB , (4) A

? Electronic

address: cheung@phys.sinica.edu.tw

|ΨAB =



√ i λi |e′i ? |ψB , A


i where {|ei }, {|e′i }, and {|ψB } are orthonormal A A bases in the respective Hilbert spaces as indicated, and λi ’s are real coe?cients. Notice that apart from the sets of bases {|ei } and A (0) (1) {|e′i }, |ΨAB and |ΨAB are identical. Since {|ei } A A and {|e′i } are related by an unitary transformation A UA acting on Alice’s Hilbert space HA only, we also have

|ΨAB = UA |ΨAB .




The existence of UA implies that Alice has a sure-win cheating strategy (called EPR attack): Alice always commits to b = 0 in the beginning. Later on, if she wants to keep her initial commitment, she unveils as prescribed. However if she wants to switch to b = 1 instead, she just needs to apply the unitary transformation UA to the particles in her control, and then proceeds as if she had committed to b = 1 in the ?rst place. The crucial point is that, because of Eq. (1), it is impossible for Bob to ?nd out what Alice actually did, and he would conclude that she is honest in either case. Hence if a QBC protocol is concealing, it cannot be binding at the same time. This is the conclusion of the “no-go theorem” of unconditionally secure QBC. Note that the no-go theorem only proves the existence of the cheating unitary transformation UA in a QBC protocol which is concealing, but there is no proof that UA is always known to Alice. The point is, at the end of the commitment phase, the overall (b) state |ΨAB (ω) may depend on some unknown parameter ω secretly chosen by Bob. If the reduced density matrix ρB (ω) = TrA |ΨAB (ω) ΨAB (ω)|
(b) (b) (b)

the protocol, including the distribution of probability of a random variable generated by another participant” [5]. In other words the no-go theorem asserts without proof that in any QBC protocol the overall (b) state |ΨAB cannot contain any unknown parameters. This assertion is in fact not correct, and it has caused confusion among researchers. Without clarifying this issue, the impossibility proof is not complete and the no-go theorem will continue being challenged [8]. In any case, as long as it does not jeopardize the security of a protocol, there is no reason why a party has to disclose the values of any secret parameters he/she might have chosen in the commitment phase. To settle this issue, we prove the following theorem. The secret parameter ω will be taken to be a probability distribution, because in a fully quantum description, probability distributions are the only unknowns left. Except for the issue of secret parameters, we shall stay within the QBC framework adopted by the no-go theorem. Theorem 1 If a QBC protocol is concealing, then the cheating unitary transformation is independent of any probability distributions (ω’s) secretly chosen by Bob. Proof If Bob is allowed to choose ω in secret, he can always postpone his choice with the help of a quantum computer. That means, instead of picking a particular ω = ωi and keeping it secret, he can purify his choices with a probability distribution π = {pi }. The resulting overall state is given by |ΨAB (π) =
′(b) i

√ (b) pi |ΨAB (ωi ) |χi ,



is independent of b, then in principle a cheating transformation UA (ω) exists, so that |ΨAB (ω) = UA (ω)|ΨAB (ω) .
(1) (0)

where {|χi } is a set of orthonormal ancilla states in Bob’s Hilbert space HB . The new density matrix is given by ρB (π) = TrA |ΨAB (π) ΨAB (π)|. Since the protocol is concealing, we have ρB (π) = ρB (π)
′(0) ′(1) ′(b) ′(b) ′(b)



However without the knowledge of ω, Alice cannot calculate UA (ω) by herself. As a result unconditionally secure QBC may be possible. This is a potential loophole of the no-go theorem. The no-go theorem emphasizes that one should purify all undisclosed classical variables in analyzing the security issues. Even so, the question remains: What if Bob is allowed to choose probability distributions secretly? To this question, the authors of the no-go theorem state that “In order that Alice and Bob can follow the procedures, they must know the exact forms of all unitary transformations involved” [2, 3], and “It is a principle that we must assume that every participant knows every detail of


for all possible π. Consider the case where pi = 0, for all i. According to the no-go theorem there exists ′ a cheating unitary transformation UA , such that
′ |ΨAB (π) = UA |ΨAB (π) . ′(1) ′(0)


′ It is easy to see that this same UA also transforms (0) (1) |ΨAB (ωi ) to |ΨAB (ωi ) for all possible ωi , i.e., ′ |ΨAB (ωi ) = UA |ΨAB (ωi ) , (1) (0)

?ωi .


3 The reason is that Bob can obtain |ΨAB (ωi ) from ′(b) |ΨAB (π) by collapsing the ancilla states {|χi } on ′ the right hand side of Eq. (9). Since UA acts on Alice’s Hilbert space HA only, it commutes with any operations executed on Bob’s Hilbert space HB . Consequently Eq. (12) holds independent of whether the ancilla has been measured or not, and ′ Eq. (13) follows. Hence UA is independent of ω. To avoid a circular argument, we need to show ′ that UA is also independent of the probability distribution π = {pi }. As shown in the Appendix, any superposition of probability distributions can be rewritten as a single e?ective distribution. That is, by a rede?nition of the ancilla states on Bob’s side, ′(b) we can rewrite |ΨAB (π) of Eq. (9) as |ΨAB (π) = |ΨAB (ωj (π)) .
′(b) (b) (b)

Suppose Bob chooses an unitary operator in {Vk } with a probability distribution ωi = {qik } and applies it to a state |φAB , such that |ψAB = Vk |φAB . (15) As is well known, if Vk is not disclosed, Bob can postpone (or purify) his decision by entangling with a set of orthonormal ancilla states {|ξk }, so that instead of |ψAB , he generates |ΨAB (ωi ) = √

qik |ξk Vk |φAB .


Likewise, if ωi is not disclosed, Bob can also purify his choices with another probability distribution π = {pi }, such that |Ψ′ (π) = AB =
i,k i


√ pi |χi |ΨAB (ωi ) ,


Substituting Eq. (14) into Eq. (12), we see that ′ UA might depend on π through ωj (π). But that is ′ not possible since we have already proved that UA is independent of ωi for all i [see Eq. (13)]. Hence ′ the EPR cheating transformation UA does not dependent on π. QED. Therefore in a concealing QBC protocol, the cheating unitary transformation UA is independent of any secret probability distributions chosen by Bob, and Alice can calculate UA without knowing Bob’s particular choices. In fact, according to the corollary proven in the Appendix, UA cannot depend on any probability distribution (speci?ed or secret) generated by Bob. This contradicts the claim that, to be able to cheat, Alice must know every detail of the protocol, including all the probability distributions generated by Bob, so that no unknown param(b) eter is allowed in |ΨAB [2, 3, 4, 5]. Conversely, if in any protocol the cheating unitary transformation is claimed to depend on a secret parameter ω chosen by Bob, then the protocol must be non-concealing under closer scrutiny. Thus our result eliminates a potential loophole in the no-go theorem. In summary, we ?nd that there is nothing wrong with secret parameters in QBC. We prove that in a concealing protocol, the cheating unitary transformation is independent of any parameters secretly chosen by Bob. Our result shows that the original proof of the no-go theorem [2, 3, 4, 5] was based on an incorrect assumption. Nevertheless, even with secret parameters, unconditional security remains impossible within the framework adopted by the no-go theorem. Appendix

√ √ pi qik |χi |ξk Vk |φAB ,(18)

where {|χi } is another set of orthonormal ancilla states. Theorem 2 Purifying a probability distribution [in Eq. (17)] is equivalent to picking a new e?ective one [in Eq. (16)]. Proof De?ne
′ qk ≡

pi qik ,


so that
′ qk = 1. k


On the right hand side of Eq. (18), we write √

pi qik |χi

= =

′ qk i ′ qk |χ′ , k

′ pi qik /qk |χi


where |χ′ ≡ k
′ pi qik /qk |χi .



Note that the |χ′ ’s are normalized but not necesk sarily orthogonal. Substituting Eq. (21) into Eq. (18), we get |Ψ′ (π) = AB =
k ′ qk |χ′ |ξk Vk |φAB , k ′ ′ qk |ξk Vk |φAB ,



4 where
′ |ξk ≡ |χ′ |ξk k


are the new orthonormal ancilla states. Comparing with Eq. (16), we obtain the desired result |Ψ′ (π) = |ΨAB (ωj (π)) , AB (25)

′ where ωj (π) ≡ {qk } is the new e?ective probability distribution. Using the above result, we can prove the following corollary:

that the e?ective distribution is ωj [see Eqs. (17, 25)]. Obviously Bob would have no problem passing any checks concerning ωj . In general some qubits are measured and discarded in the checking procedure. For each of the remaining qubits, Bob could either stay with ωj , or he could measure the ancilla states {|χi } in Eq. (17) to obtain a new distribution ωi which is not necessarily equal to ωj . For a large number of qubits, the probability that ωj is obtained for every qubit is exponentially small. Hence it is not meaningful to specify a probability distribution to an untrustful Bob, because one can never be sure that he is honest.

Corollary It is in general not meaningful to specify a probability distribution to an untrustful party in any quantum protocol, because he/she can always cheat. Proof Suppose the protocol speci?es that Bob should take certain action Vk on each qubit (or group of qubits) in his possession according to a probability ′ distribution ωj = {qk }. According to the theorem just proven, he can always generate a superposition of distributions with appropriately chosen pi ’s, such


It is a pleasure to thank H. P. Yuen, H. -K. Lo, C. H. Bennett, and S. Popescu for helpful discussions. This work is supported in part by National Science Council of the Republic of China under Grant NSC 92-2112-M-001-058.

[1] G. Brassard and C. Cr?peau, SIGACT News 27 e (1996) 13, and references therein. [2] H. -K. Lo and H. F. Chau, Phys. Rev. Lett. 78 (1997) 3410. [3] H. -K. Lo and H. F. Chau, Physica D 120 (1998) 177. [4] D. Mayers, Phys. Rev. Lett. 78 (1997) 3414. [5] G. Brassard, C. Cr?peau, D. Mayers, and L. Salvail, e

arXiv:quant-ph/9712023. [6] L. P. Hughston, R. Jozsa, and W. K. Wootters, Phys. Lett. A 183 (1993) 14. [7] E. Schmidt, Math. Ann. 63 (1906) 433. [8] H. P. Yuen, arXiv:quant-ph/0207089; /0505132.


All rights reserved Powered by 甜梦文库 9512.net

copyright ©right 2010-2021。