arXiv:quant-ph/0504134v1 18 Apr 2005 ueetrsl) h togs osbecreain are correlations mea- possible (their strongest (their output the input binary binary result), a surement single and a setting) have For possible measurement both strongest [6]. who relativity parties, the with two provide consistent not correlations non-local do states quantum [5]. These powerful extremely nevertheless [4]. are sig- but super-luminal model nalling, for allow hidden-variable not do local correlations sim- ‘non-local’ any be cannot by which systems ulated Bob’s and Alice’s between no-bit-commitment quantum within uncondi- physics. scheme an in implement bit-commitment to cheat secure impossible tionally can therefore is Alice It against that secure Bob. show is which to scheme bit-commitment [3], quantum Chow and Lo in states. However, convincingly entangled cheat using can states. by Alice separable protocol authors, their only the Al- by using when noted to secure as limited is is used protocol be ice Their directly could bit-commitment. that for quan- [1] a protocol constructed coin-tossing tum Brassard and Bennett Alice distribution, stage, while revealing Bob, the Bob). Alice’s to in to given key Then is the (eg. key. sends which point the safe that keeps a party until in Alice second can- sealed decision but a is it, her as decision reveals out later way she find a when not such her believe in will decision (Bob) a to commit unu rmwr.Prastebs nw fteeis a these of within known commitment secure best bit the unconditionally Perhaps made framework. quantum be assump- could unprovable cryptographic on other tions), rely many that classically (which hope primitives the cryptography, to quantum rise re- of gave cornerstones result and the This of one uncon- eavesdroppers. mains with against communicate security to them ditional allowing key, establish secret can parties a two which by (BB84) scheme physics neetnl,PpsuadRhlc aesonthat shown have Rohrlich and Popescu Interestingly, this proving in crucial are states quantum Entangled by and [2], Mayers by expanded later was result This key- for as scheme encoding same the Using to (Alice) party one allows scheme bit-commitment A n18,BnetadBasr 1 rpsdaquantum a proposed [1] Brassard and Bennett 1984, In h hsc fn-i-omtet:Gnrlzdqatmnon quantum Generalized : no-bit-commitment of physics The rnfr ae ntetm-reigo hi nusadout and inputs their of time-ordering the be This on difference based the m transfer, stressing quantum bit-commitment. by in paradox for apparent which this correlations used resolve non-local be of c existence could very non-local mechanics that quantum possibility in the opens apparently transfer a eso eeta h eetwr fWl n ulclgr(qu Wullschleger and Wolf of work recent the that here show We HWlsPyisLbrtr,Uiest fBitl Tyndal Bristol, of University Laboratory, Physics Wills HH . eut loigcreain oexist to correlations allowing result, c elt-akr aoaois tk iod rso S26 BS12 Bristol Gifford, Stoke Laboratories, Hewlett-Packard 0red ’cl-emeeie H11 eea4 Switzerl 4, Geneva l’Ecole-de-m´edecine, CH-1211 de rue 20 b oyShort Tony ru fApidPyis nvriyo Geneva, of University Physics, Applied of Group a ioa Gisin Nicolas , transfer oblivious any hc mlmnsti ceea nOT-box. an device the as to scheme refer this will We both) implements not which Alice. (but by either submitted learn bits two secretly cryptographic of can a Bob which simulate in to 11], used as be known also primitive can PR-box a state singlet quantum entangled measure- maximally bipartite [8]. any a of on results the ment simulate can to randomness) Fur- used shared [7]. be (with operations PR-box local single of a mixture thermore, constructed a and be PR-box can a outputs from and no-signalling inputs bipartite binary All with boxes general. very also are outputs) space). Hilbert Complex (eg. model physical of concept details particular the a the from separate correlations to non-signalling us non-local of allow they 8]. as 7, non-locality, ing [6, PR-boxes as known systems by given instead R n h Tbxs ial,w hwta h anal- the that show PR-boxes we involving Finally, scheme ogous OT-boxes. the the and between PR- Next, connection Wullschleger’s an OT-boxes. and Wolf using give recall scheme we and a such scheme of commitment the example introduce explicit bit we a First, for follows. requirements as organized is letter this possible. as very is where, bit-commitment are theory, no quantum correlations previously, in emphasized PR-box would attainable as those This to result, similar PR-boxes. com- surprising bit using a that achieved be implies be can this can then OT-boxes mitment PR-boxes, If from commitment. built bit be secure implement to rtcl CMI n EEL hc aif the satisfy which REVEAL) requirements: following and (COMMIT protocols significance. its on elaborate and bit-commitment secure b neetnl,i skonta OT-boxes that known is it Interestingly, that shown have [9] Wullschleger and Wolf Recently, and inputs more with analogues their (and PR-boxes understand- in tool conceptual valuable a are PR-boxes nodrt netgt hsagmn nmr detail, more in argument this investigate to order In omly i omtetshm ossso two of consists scheme commitment Bit a Formally, ad Popescu Sandu , 1. reain hc r togrta those than stronger are which orrelations we o-oa orltosadoblivious and correlations non-local tween Correctness au o e omte bit selects committed Alice her for protocol, value COMMIT a the during then au slan yBbdrn h EELproto- REVEAL the during Bob col. by learnt is value us hc rvnsbit-commitment. prevents which puts, caispeet i-omtet We bit-commitment. prevents echanics vne rso,B81L UK 1TL, BS8 Bristol, Avenue, l ssrrsn,bcuei sthe is it because surprising, is n-h0000 noblivious on ant-ph/0502030) fAieadBbaebt honest, both are Bob and Alice If : n-u-ftoolvostransfer oblivious one-out-of-two a,c Z UK QZ, and. lclt versus -locality osnot does α { ∈ 0 , nfc allow fact in can 1 } n this and , eused be [10, 2

2. Privacy: If Alice is honest, then Bob can learn x y c x0 PR-box OT-box nothing about α until the REVEAL protocol is en- x1 a b x acted. C Alice Bob Alice Bob 3. Binding: If Bob is honest, then after the COM- MIT protocol has finished, there is (at most) only FIG. 1: A schematic representation of the PR-box (left), and one specific value of α (e.g. α = 0) which Bob will the OT-box (right) showing the input and output parameters accept during the REVEAL protocol. He will never for . accept the other possible value of α. This prevents Alice from ‘changing her mind’ about which value of α she committed. 2. Alice inputs x0 = r and x1 = r ⊕ α into the OT-box, where ⊕ denotes addition modulo 2. A bit-commitment scheme satisfying these three con- 3. Alice sends a message to Bob telling him it is ditions would be perfectly secure. However, for crypto- his turn. graphic purposes it is interesting to consider the slightly weaker case of secure bit commitment, in which a bit- 4. Bob selects a random bit s and inputs c = s commitment scheme can be made arbitrarily close to per- into the OT-box fectly secure. 5. Bob records the output bit xc. If the OT-box In particular, we consider a weakening of the binding fails to produce an output (as Alice has not requirement to the following: yet made her inputs), Bob knows that Alice is cheating and will not accept her revealed bit. 3. Secure binding: The scheme must permit arbi- trarily large values of a security parameter Nǫ ∈ N, REVEAL : such that if Bob is honest, then after the COMMIT process has finished there is at most one value of α 1. Alice sends α and r to Bob. (e.g. α = 0) which Bob will accept with probability 2. Bob checks to see if xc = r ⊕ αs. If this re- greater than 2−Nǫ in the REVEAL protocol. This lation is true, Bob accepts α as the revealed is Alice’s committed value of α. bit, otherwise he knows that Alice has cheated and rejects Alice’s revelation. Note that given a secure bit-commitment protocol with secure binding parameter Nǫ = 1, it is possible to obtain COMMIT and REVEAL constitute a secure bit- a protocol with an arbitrarily large security parameter commitment scheme with security parameter Nǫ = 1, as ′ ′ ′ Nǫ by running 2Nǫ − 1 copies of the Nǫ = 1 protocol in can easily be checked. Using 2Nǫ − 1 OT-boxes in par- parallel (with Bob only accepting Alice’s commitment if allel, it is therefore possible to obtain arbitrarily secure she is not caught cheating in any of the parallel runs). bit commitment. As the schemes we consider have perfect privacy, this will We now consider whether one can generate an anal- not help Bob gain any further information about Alice’s ogous bit-commitment scheme to that given above us- committed bit. ing PR-boxes (figure 1). Recall that a PR-box can be Now, it is possible to construct a secure bit- thought of as an abstraction and generalization of a Bell- commitment scheme using . Following type experiment [4], in which Alice and Bob share an Wolf and Wullschleger [9], we consider OT-boxes which entangled system on which they can each perform one implement one-out-of-two oblivious transfer, in which Al- of two different dichotomic measurements. If we denote ice inputs two bits, x0 and x1, into the system and Bob Alice’s and Bob’s binary inputs (their measurement set- inputs a single choice bit c. Finally, the system outputs tings) by x and y respectively, and their binary outputs xc = x0 ⊕ c(x0 ⊕ x1) to Bob, where ⊕ denotes addition (their measurement results) by a and b respectively, the modulo 2. This allows Bob to learn one of Alice’s two extremal non-local correlations given by a PR-box are of input bits, without Alice knowing which bit he has ob- the form tained (see figure 1). A well-known way to implement bit-commitment from a ⊕ b = xy, (1) one-out-of-two oblivious transfer is to use this to simulate where all outcomes consistent with (1) are equally likely, ordinary oblivious transfer [12] and then use the latter and each party obtains their output bit immediately af- for bit commitment [13]. Here we give an explicit pro- ter entering their input. Although such correlations are tocol which uses one-out-of-two oblivious transfer (our stronger than anything attainable in quantum theory, Al- OT-box) to directly implement bit-commitment. ice and Bob cannot use the PR-box to signal to one an- Consider first a scheme in which Alice and Bob share other. a single OT-box, which is as follows: In order to simulate a PR-box using an OT-box and COMMIT : vice-versa, Wolf and Wullschleger propose the following protocols [9]: 1. Alice selects a random bit r, and her commit- ted bit α. PR-box from OT-box : 3

1. Alice chooses a random bit a. transmits r = a ⊕ m (as well as her selected α) to Bob. 2. Alice inputs x0 = a and x1 = x ⊕ a into the When he checks whether he should accept α, Bob will OT-box. find that 3. Bob inputs c = y into the OT-box and obtains xc = b ⊕ m = r ⊕ a ⊕ b = r ⊕ αs, (2) output b = xc. Note that b = a ⊕ xc = a ⊕ xy as required. and will therefore accept Alice’s revealed α with cer- OT-box from PR-box : tainty, despite the fact that it was selected after the COMMIT′ protocol had finished. This violates the se- 1. Alice inputs x = (x0 ⊕ x1) into the PR-box cure binding condition, which requires that only one and obtains output a. value of α will be accepted with probability greater than 2. Alice sends m = x0 ⊕ a to Bob 1/2 during the REVEAL protocol (for Nǫ = 1). Even with multiple PR-boxes in parallel, Alice can use the 3. Bob inputs y = c into the PR-box and obtains same trick independently on each to cheat with certainty. output b. COMMIT′ and REVEAL do not therefore form a secure 4. Bob computes the output xc = m ⊕ b. Note bit-commitment protocol. that xc = m⊕b = x0 ⊕(a⊕b)= x0 ⊕c(x0 ⊕x1) Let us stress that all PR-boxes must yield an output for as required. Bob even if Alice has not yet entered her inputs, as this is essential to prevent signalling from Alice to Bob. This Directly applying the latter simulation procedure to is in full analogy with the case of quantum entanglement. the COMMIT protocol for the OT-box, we find the anal- ′ For instance, if Alice and Bob share a singlet, then Bob ogous procedure COMMIT for the PR-box. The RE- can measure his half independently of Alice, and vice- VEAL protocol is the same in both cases: versa. There is thus no chance of Bob detecting Alice cheating during the COMMIT′ protocol. COMMIT′ : Consequently, despite the fact that it is possible to 1. Alice selects a random bit r, and her commit- simulate the outputs of an OT-box using a PR-box and ted bit α. 1 bit of communication, this result shows that the sim- ulation is not universally composable. In particular, the 2. Alice inputs x = α into the PR-box, and simulation cannot be used to implement a secure bit- records her output bit a commitment protocol in the same way as the original 3. Alice sends Bob the message m = r ⊕ a OT-box. 4. Bob selects a random bit s and inputs y = s The crucial difference between the OT-box and the into his PR-box. PR-box lies in the time ordering of the inputs. Bob 5. Bob records his output bit-string b, and com- can only obtain an output from the OT-box after Al- putes x = b ⊕ m. ice has entered her inputs, and can therefore check to see c whether Alice has entered her inputs during the COM- Apparently the correctness, privacy and secure binding MIT protocol. In the case of the PR-box, the output of this protocol COMMIT′ should be just as good as for is independent of the time-ordering of the two measure- the protocol COMMIT (i.e. secure bit commitment with ments, and no such check exists. [16] Nǫ = 1), and should therefore yield arbitrarily secure In conclusion, in [9] Wolf and Wullschleger showed that bit-commitment if enough PR-boxes are used. However, there is a deep connection between a fundamental prim- this strongly suggests that a similar protocol based on itive of non-local correlations, the PR-box, and a fun- quantum entanglement instead of the PR-boxes should damental , oblivious transfer. In work equally well, something proven impossible! particular they show that a PR-box can be used to sim- In fact, the PR-box protocol does not provide secure ulate the correlations produced by an OT-box and vice- bit commitment, as we will now show. As is the case versa. when proving the impossibility of quantum bit commit- In this letter, we have shown that such simulation is ment, it is the secure binding that fails. Indeed, unlike not the whole story. In addition to recreating the correct the OT case, Bob has no way of telling if Alice has ap- probability distributions, it is important to incorporate plied her inputs during the COMMIT′ protocol, as the any restrictions on the timings of the box inputs. Such re- PR-box will give him an output as soon as he applies strictions play a crucial role in any attempt to implement his input, regardless of Alice’s actions. Interestingly, this secure bit-commitment schemes using the two primitives. allows Alice to successfully cheat by adopting the follow- We have shown that the protocols COMMIT and RE- ing strategy: During the COMMIT′ protocol, Alice does VEAL form a secure bit-commitment scheme using OT- not select her committed bit α or apply any input to boxes. However, the analogous protocols COMMIT′ and her PR-box, but instead sends a random bit m to Bob. REVEAL, in which the OT-boxes are simulated using Then, during the REVEAL protocol, Alice chooses which PR-boxes, do not constitute a secure bit-commitment α she wishes to reveal, enters x = α into her PR-box, and scheme as they are not binding. 4

The main issue is that, due to the non-signalling char- can only use limited entanglement, it is easy to construct acter of the PR box, Alice can postpone her measure- a reliable protocol based on states for which cheating ments, and actually perform them during the REVEAL would require more entanglement than Alice can pro- protocol, rather than the COMMIT′ protocol. We em- duce. phasize that it is this liberty (which is in common with To conclude, no signalling - no obligation to perform ) that is the main element in the no- the measurement until the end- no commitment! bit-commitment property of nature, rather than any of Note added: After the completion of this work, we the particular characteristics of quantum entanglement. became aware of a work by Buhrman et al. [15] that The above results were obtained for a particular bit- addresses the same problem from a different perspective. commitment scheme based on the OT-box protocol. However, we conjecture that no-bit-commitment is a gen- eral feature of nature in the presence of non-signalling non-local correlations, since any such correlations allow Acknowledgments Alice the liberty of postponing her measurements. Note that in order for this conjecture to be true, we need to al- low for the existence of all possible non-local correlation- The authors acknowledge support from the U.K. En- boxes (not only PR boxes) [7], and the corresponding gineering and Physical Sciences Research Council (IRC dynamics of such boxes (which generalize quantum evolu- “Quantum Information Processing”) and from the E.U. tions) [14]. Any limitations could allow bit-commitment. under European Commission project RESQ (contract This is similar to the quantum mechanical case: If Alice IST-2001-37559).

[1] C.H.Bennett and G.Brassard, Proc. IEEE Int. Conf. on [10] S.Wiesner, SIGACT News 15, 78 (1983). Computers, Systems and Signal Processing, 175 (1984). [11] S.Even, O.Goldreich, and A.Lempel, Communications of [2] D.Mayers, Phys. Rev. Lett. 78 3414 (1997). the ACM 28, 637 (1985). [3] H.-K. Lo and H.F.Chau, Phys. Rev. Lett. 78, 3410 [12] C. Cr´epeau., Advances in Cryptology: Proceedings of (1997). Crypto ’87 , Springer-Verlag Lecture Notes in Computer [4] J.S.Bell, Physics 1, 195 (1964). Science 293, 350 (1988). [5] M.A.Nielsen and I.L.Chuang, Quantum Computation [13] J.Kilian, Proc. of the 20th Annual ACM Symposium on and Quantum Information, Cambridge University Press Theory of Computing, 20 (1988). (2000). [14] A.J.Short, N.Gisin, and S.Popescu, in preparation. [6] S.Popescu and D.Rohrlich, Found. Phys. 24, 379 (1994). [15] H. Buhrman, M. Christandl, F. Unger, S. Wehner, [7] J.Barrett, N.Linden, S.Massar, S.Pironio, S.Popescu, A. Winter, Implications of Superstrong Nonlocality for and D.Roberts, quant-ph/0404097 (2004). Cryptography. quant-ph/0504133 (2005). [8] N.J.Cerf, N.Gisin, S.Massar, and S.Popescu, [16] Furthermore, in the case of the PR-box, Alice has an quant-ph/0410027 (2004). output which is correlated with Bob’s input and output, [9] S.Wolf and J.Wullschleger, Oblivious Transfer and Quan- which she can use to help her cheat. tum Nonlocality, quant-ph/0502030 (2005).