Table of Contents
- Introduction
- What Is Bit Commitment?
- Importance in Cryptography
- Classical Bit Commitment
- Quantum Approach to Bit Commitment
- Hiding and Binding Properties
- Quantum Mechanics and Bit Commitment
- Early Quantum Bit Commitment Proposals
- Lo-Chau No-Go Theorem
- Mayers’ Impossibility Proof
- The Impossibility of Unconditionally Secure QBC
- Why Perfect Binding and Hiding Can’t Coexist
- The Role of Quantum Entanglement
- Mathematical Model of Bit Commitment
- Cheating Strategies in Quantum Bit Commitment
- Bit Commitment and No-Cloning Theorem
- Bit Commitment with Trusted Third Parties
- Relativistic Quantum Bit Commitment
- Device-Independent Bit Commitment
- Cheat-Sensitive Bit Commitment
- Practical Considerations and Limitations
- Theoretical Interest and Use Cases
- Connections to Coin Flipping and Oblivious Transfer
- Current Research Directions
- Conclusion
1. Introduction
Quantum Bit Commitment (QBC) is a cryptographic task in which one party (Alice) commits to a bit \( b \in \{0,1\} \) in such a way that:
- She cannot change it later (binding), and
- The other party (Bob) cannot learn it before she reveals it (hiding).
QBC was once thought to be unconditionally secure using quantum mechanics, but this view has changed drastically.
2. What Is Bit Commitment?
It is a two-phase protocol:
- Commit phase: Alice commits to a bit and gives Bob evidence of her commitment.
- Reveal phase: Alice opens the commitment; Bob checks consistency with the original commitment.
3. Importance in Cryptography
Bit commitment is a foundational primitive for:
- Zero-knowledge proofs
- Secure multi-party computation
- Digital contracts
- Coin flipping protocols
4. Classical Bit Commitment
Achieved using:
- Hash functions (computational assumptions)
- Trusted third parties
- Timelock puzzles
But insecure against quantum adversaries if assumptions fail.
5. Quantum Approach to Bit Commitment
Initially, quantum protocols appeared to enable unconditionally secure bit commitment using:
- Superposition
- Quantum measurement disturbance
- No-cloning theorem
6. Hiding and Binding Properties
- Hiding: Bob cannot learn \( b \) before Alice opens it.
- Binding: Alice cannot change \( b \) after committing.
Quantum physics was hoped to provide both.
7. Quantum Mechanics and Bit Commitment
Quantum states seem to allow binding (due to disturbance) and hiding (due to uncertainty). But entanglement enables cheating strategies.
8. Early Quantum Bit Commitment Proposals
Early protocols (1990s) used:
- Polarized photons
- Quantum state encoding
- Measurement basis concealment
Believed to be unconditionally secure.
9. Lo-Chau No-Go Theorem
Lo and Chau (1997) proved that any protocol claiming to be perfectly hiding and binding is insecure if quantum entanglement is available.
10. Mayers’ Impossibility Proof
Dominic Mayers (1996–1997) proved no quantum bit commitment protocol can be both perfectly hiding and binding, without additional assumptions.
11. The Impossibility of Unconditionally Secure QBC
Due to quantum purifications, Alice can delay choosing a bit until the reveal phase using entanglement.
12. Why Perfect Binding and Hiding Can’t Coexist
The density matrix Bob receives must be the same for both bits (hiding), allowing Alice to delay measurement (breaking binding).
13. The Role of Quantum Entanglement
Alice prepares an entangled state:
\[
|\psi\rangle = \frac{1}{\sqrt{2}}(|0\rangle_A |0\rangle_B + |1\rangle_A |1\rangle_B)
\]
She can later project it to either basis — enabling cheating.
14. Mathematical Model of Bit Commitment
Let \( \rho_0 \) and \( \rho_1 \) be Bob’s reduced density matrices for bits 0 and 1.
If \( \rho_0 = \rho_1 \), it’s perfectly hiding. But this means Alice can steer the commitment during reveal.
15. Cheating Strategies in Quantum Bit Commitment
Using entangled ancilla and deferred measurement:
- Alice commits to a superposition
- Reveals either 0 or 1 by choosing measurement basis
16. Bit Commitment and No-Cloning Theorem
While no-cloning prevents Bob from copying qubits, it doesn’t prevent Alice from exploiting entanglement to cheat.
17. Bit Commitment with Trusted Third Parties
Adding a trusted third party allows for secure commitments. This is often used in semi-honest or honest-but-curious models.
18. Relativistic Quantum Bit Commitment
Protocols based on relativistic signaling constraints:
- Exploit the impossibility of faster-than-light communication
- Use multiple space-time separated agents
Example: Kent’s protocols
19. Device-Independent Bit Commitment
Uses violation of Bell inequalities to enforce commitment. Still limited by the no-go theorems unless assumptions are added.
20. Cheat-Sensitive Bit Commitment
If cheating is detected with some probability, the protocol can be useful in practice even if not unconditionally secure.
21. Practical Considerations and Limitations
- Device calibration
- Synchronization
- Photon loss and detection inefficiency
- Man-in-the-middle attacks
22. Theoretical Interest and Use Cases
Despite no-go theorems, QBC is valuable:
- Theoretically for understanding limits of quantum crypto
- Practically under assumptions (relativistic, cheat-sensitive)
23. Connections to Coin Flipping and Oblivious Transfer
- Bit commitment is often a component in other protocols.
- Its impossibility constrains unconditional fairness in related tasks.
24. Current Research Directions
- Exploring bounded quantum storage models
- Post-quantum secure commitment schemes
- Experimentally feasible cheat-sensitive protocols
25. Conclusion
Quantum bit commitment, once thought to be unconditionally secure, was later proven impossible under general conditions due to the power of entanglement and purification. However, relativistic and cheat-sensitive variants show promise for practical use. Understanding QBC helps map the limits of quantum cryptography and inspires novel cryptographic approaches grounded in physical principles.
