The Security of Quantum Bit Commitment Schemes
Total Page:16
File Type:pdf, Size:1020Kb
The Security of Quantum Bit Commitment Schemes z Claude Crep eau Gilles Brassard x y McGill University Universite de Montreal k Dominic Mayers Louis Salvail Princeton University Aarhus Universitet Abstract Can quantum mechanics b e harnessed to provide unconditionally secure bit commit ment schemes and other cryptographic primitives beyond key distribution We review the general imp ossibility pro of of Mayers and illustrate it by showing how to break some recent attempts to bypass it In particular secure schemes would followifwe could force participants to perform measurements at sp ecied p oints in the execution of the proto col It has been suggested to use shortlived classical bit commitment schemes for this purp ose Alas this strategy was do omed as measurements can always be postponed in an undetectable wayuntil cheating b ecomes p ossible It is well known that quantum mechanics can be used to allow two people to establish con dential communication under thenoseofaneavesdropp er equipp ed with unlimited computing power Can quantum mechanics b e useful for the implementation of other cryptographic tasks One of the most imp ortant primitives in classical cryptography is the bit commitment schemewhich allows one party Alice to give something to another party Bob in a way that commits her to a bit b of her choice so that Bob cannot tell what b is but Alice can later prove to him what b originally was You may think of this as Alice sending to Bob a lo cked safe that contains the value of b written on a slip of pap er later she can send him the key that op ens the safe if she wants him to know to which bit she had committed ealing A commitment scheme is binding if Alice cannot change the value of b and it is conc if Bob cannot obtain any information ab out b without the help of Alice It is secure if it is simultaneously binding and concealing and it is unconditional ly secure if it is secure against a cheater either Alice or Bob equipp ed with unlimited technology and computational p ower It has long been known that unconditionally secure bit commitment schemes cannot exist in Supp orted in part by Canadas nsercQueb ecs fcar and the Canada Council y DepartementIRO Universite de Montreal CP succursale centreville Montreal Queb ec Canada HC J email brassardiroumontrealca z Supp orted in part by Canadas nserc and Queb ecs fcar x Scho ol of Computer Science McGill UniversityPavillon McConnell rue University Montreal Queb ec Canada HA A email crepeaucsmcgillca Department of Computer Science Princeton University Princeton NJ USA email mayerscsprincetonedu k Supp orted in part by the Danish National ResearchFoundation under the Basic Research in Computer Science BRICS programme Department of Computer Science University of Aarhus Ny Munkegade building DK Arhus C email salvaildaimiaaudk Denmark the classical world After the success of quantum key distribution it was natural to hop e that quantum mechanics mightprovide such an unconditionally secure scheme A proto col for quantum bit commitment henceforth referred to as BCJL was prop osed in and claimed to b e provably secure whichwould also haveallowed secure quantum oblivious transfer another fundamental primitive in classical cryptography Because of this the future of quan tum cryptography lo oked very bright indeed with new applications such as the identication proto col of Crep eau and Salvail coming up regularly Trouble began in Octob er when Mayers found a subtle aw in the BCJL proto col The pro of that Bob cannot cheat BCJL and learn information on the committed bit was correct and so was the pro of that it is not p ossible for Alice to simultaneously know how to op en the commitment to show a and how to op en it to show a However it was p ossible for Alice through the magic of quantum entanglement to learn at her choice either how to op en the commitment to show a or how to op en it to show a Because of the destructive nature of quantum measurements cho osing either one of these alternatives destroyed her chances for learning how to op en the commitment the other way a situation that has no classical analogue It is as if Alice could provide Bob with one of two p ossible quantum keys to op en the safe whose eect would b e to make the desired bit app ear surreptitiously on the slip of pap er in an irreversible manner Though Mayers explained his discovery to several researchers interested in quantum information pro cessing his result was not made public until after Lo and Chau discovered indep endently a similar technique This prompted several attempts at xing the proto col but every time ad hoc successful attacks so on followed This catandmouse game went on until Mayers proved that all these attempts had b een in vain unconditionally secure quantum bit commitment schemes are imp ossible Despite all o dds various kinds of ideas continued to be prop osed by some of us as well as others in the hop e they would not fall prey to Mayers result arious typ es of shortlived classical Perhaps the most interesting approach consisted in using v bit commitment schemes to force the cheater to p erform measurements at sp ecied p oints in the execution of the proto col which indeed would x the problem Alas this strategy was do omed as measurements can always be postponed until cheating b ecomes p ossible This is not surprising in retrosp ect b ecause it has since b een realized that these apparently promising ideas were also ruled out byMayers general imp ossibility theorem Nevertheless these attempts contributed to enhance our understanding of what is going on with quantum bit commitment schemes and other quantum cryptographic proto cols Assume for example that you are given an unknown quantum bit ji ji ji and you are exp ected to measure it either in the computational basis ji versus ji or the diagonal p p basis ji ji versus jiji You could cheat the proto col if only you could postpone the choice of basis and therefore the measurement until after subsequent classical information b ecomes available To prevent this you are asked to use a classical p erhaps multi party commitment scheme to commit to your choice of basis computational or diagonal as well as to the result of your measurement Then either you are immediately challenged to op en those commitments to prove that you had measured in which case this quantum bit is not used any further or you are allowed to keep secret your choice of basis and measurement result hop e was that this approach could turn a classical bit commitment scheme for later use The that is reasonably secure for a very short time into a quantum bit commitment scheme that is p ermanently secure Unfortunately it turns out that you can always p ostp one measuring the quantum bit and oer fake commitments even if you are unable to break the underlying commitmentscheme in the time that elapses between the commitment and the challenge if a challenge comes you can op en your commitments in a way consistent with what you would have committed to had you measured the quantum bit and if the challenge do es not come you can keep the quantum bit intact for later measurement in the basis of your choice For a detailed description of these awed quantum bit commitmentschemes and how to break them the reader is encouraged to consult a preliminary version of the full pap er currently available on the Los Alamos National Lab oratory ePrintquantum physics archive References Bennett Charles H Francois Bessette Gilles Brassard Louis Salvail and John Smolin Exp erimental quantum cryptography Journal of CryptologyVol no pp Bennett Charles H Gilles Brassard Claude Crepeau and MarieHelene Sku biszewska Practical quantum oblivious transfer Advances in Cryptology Proceedings of Crypto August pp Bennett Charles H Gilles Brassard and Artur K Ekert Quantum cryptography Scientic American Octob er pp Brassard Gilles and Claude Crepeau Cryptology column years of quantum cryptography Sigact News Vol no pp Brassard Gilles Claude CrepeauRichard Jozsa and Daniel Langlois A quantum bit commitmentscheme provably unbreakable by b oth parties Proceedings of th Annual IEEE Symposium on Foundations of Computer ScienceNovember pp Brassard Gilles Claude Crepeau Dominic Mayers and Louis Salvail Defeating classical bit commitments with a quantum computer available as quantph in the LANL ePrint archiveatURLhttpxxxlanlgovarchiv eq uant ph June Crepeau Claude What is going on with quantum bit commitment Proceedings of Pragocrypt Prague Octob er Czech Technical University Publishing House pp Crepeau Claude and Louis Salvail Quantum oblivious mutual identication Advances in Cryptology Proceedings of Eurocrypt May pp Lo HoiKwong and H F Chau Is quantum bit commitment really p ossible Phys ical Review Letters Vol no April pp rst app eared as t archive see March quantph in the LANL ePrin Mayers Dominic The trouble with quantum bit commitment available as quantph in the LANL ePrint archive see rst discussed at a Workshop on Quantum Information Theory held in Montreal Octob er Mayers Dominic Unconditionally secure quantum bit commitment is imp ossible Physical Review Letters Vol no April pp .