The Security of Quantum Bit Commitment Schemes
z �
Claude Cr�ep eau Gilles Brassard
x y
McGill University Universit�e de Montr�eal
k
Dominic Mayers Louis Salvail
� ��
Princeton University Aarhus Universitet
Abstract
Can quantum mechanics b e harnessed to provide unconditionally secure bit commit�
ment schemes and other cryptographic primitives beyond key distribution� We review
the general imp ossibility pro of of Mayers and illustrate it by showing how to break some
recent attempts to bypass it� In particular� secure schemes would followifwe could force
participants to perform measurements at sp eci�ed p oints in the execution of the proto�
col� It has been suggested to use short�lived classical bit commitment schemes for this
purp ose� Alas� this strategy was do omed as measurements can always be postponed in
an undetectable wayuntil cheating b ecomes p ossible�
It is well known that quantum mechanics can be used to allow two people to establish con��
dential communication under thenoseofaneavesdropp er equipp ed with unlimited computing
power�������� Can quantum mechanics b e useful for the implementation of other cryptographic
tasks� One of the most imp ortant primitives in classical cryptography is the bit commitment
scheme�which allows one party� Alice� to give something to another party� Bob� in a way that
commits her to a bit b of her choice so that Bob cannot tell what b is� but Alice can later prove
to him what b originally was� You may think of this as Alice sending to Bob a lo cked safe that
contains the value of b written on a slip of pap er� later� she can send him the key that op ens
the safe if she wants him to know to which bit she had committed�
ealing A commitment scheme is binding if Alice cannot change the value of b and it is conc
if Bob cannot obtain any information ab out b without the help of Alice� It is secure if it is
simultaneously binding and concealing� and it is unconditional ly secure if it is secure against
a cheater� either Alice or Bob� equipp ed with unlimited technology and computational p ower�
It has long been known that unconditionally secure bit commitment schemes cannot exist in
�
Supp orted in part by Canada�s nserc�Qu�eb ec�s fcar and the Canada Council�
y
D�epartementIRO� Universit�e de Montr�eal� C�P� ����� succursale centre�ville� Montr�eal �Qu�eb ec��
Canada H�C �J�� e�mail� brassard�iro�umontreal�ca�
z
Supp orted in part by Canada�s nserc and Qu�eb ec�s fcar�
x
Scho ol of Computer Science� McGill University�Pavillon McConnell� ���� rue University�
Montr�eal �Qu�eb ec�� Canada H�A �A�� e�mail� crepeau�cs�mcgill�ca�
�
Department of Computer Science� Princeton University� Princeton� NJ ����������� USA�
e�mail� mayers�cs�princeton�edu�
k
Supp orted in part by the Danish National ResearchFoundation under the Basic Research in Computer
Science �BRICS� programme�
��
�
Department of Computer Science� University of Aarhus� Ny Munkegade� building ���� DK����� Arhus C�
e�mail� salvail�daimi�aau�dk� Denmark�
the classical world� After the success of quantum key distribution� it was natural to hop e
that quantum mechanics mightprovide such an unconditionally secure scheme� A proto col for
quantum bit commitment� henceforth referred to as BCJL� was prop osed in ���� and claimed
to b e provably secure ���� whichwould also haveallowed secure quantum oblivious transfer ����
another fundamental primitive in classical cryptography� Because of this� the future of quan�
tum cryptography lo oked very bright indeed� with new applications such as the identi�cation
proto col of Cr�ep eau and Salvail ���� coming up regularly�
Trouble began in Octob er ���� when Mayers found a subtle �aw in the BCJL proto col� The
pro of that Bob cannot cheat BCJL and learn information on the committed bit was correct�
and so was the pro of that it is not p ossible for Alice to simultaneously know how to op en the
commitment to show a � and how to op en it to show a �� However� it was p ossible for Alice�
through the magic of quantum entanglement� to learn at her choice either how to op en the
commitment to show a � or how to op en it to show a �� Because of the destructive nature
of quantum measurements� cho osing either one of these alternatives destroyed her chances for
learning how to op en the commitment the other way� a situation that has no classical analogue�
It is as if Alice could provide Bob with one of two p ossible quantum keys to op en the safe�
whose e�ect would b e to make the desired bit app ear surreptitiously on the slip of pap er in an
irreversible manner�
Though Mayers explained his discovery to several researchers interested in quantum information
pro cessing ����� his result was not made public until after Lo and Chau discovered indep endently
a similar technique ���� This prompted several attempts at �xing the proto col� but every time ad
hoc successful attacks so on followed� This cat�and�mouse game went on until Mayers proved
that all these attempts had b een in vain� unconditionally secure quantum bit commitment
schemes are imp ossible ����� Despite all o dds� various kinds of ideas continued to be prop osed
by some of us as well as others in the hop e they would not fall prey to Mayers� result ��� ���
arious typ es of short�lived classical Perhaps the most interesting approach consisted in using v
bit commitment schemes to force the cheater to p erform measurements at sp eci�ed p oints in
the execution of the proto col� which indeed would �x the problem� Alas� this strategy was
do omed as measurements can always be postponed until cheating b ecomes p ossible� This is
not surprising in retrosp ect b ecause it has since b een realized that these apparently promising
ideas were also ruled out byMayers� general imp ossibility theorem� Nevertheless� these attempts
contributed to enhance our understanding of what is going on with quantum bit commitment
schemes and other quantum cryptographic proto cols�
Assume for example that you are given an unknown quantum bit j�i � � j�i � � j�i and you
are exp ected to measure it either in the computational basis� j�i versus j�i� or the diagonal
p p
basis� �j�i � j�i�� � versus �j�i�j�i�� �� You could cheat the proto col if only you could
postpone the choice of basis �and therefore the measurement� until after subsequent classical
information b ecomes available� To prevent this� you are asked to use a classical �p erhaps multi�
party� commitment scheme to commit to your choice of basis �computational or diagonal� as
well as to the result of your measurement� Then� either you are immediately challenged to op en
those commitments to �prove� that you had measured� in which case this quantum bit is not
used any further� or you are allowed to keep secret your choice of basis and measurement result
hop e was that this approach could turn a classical bit commitment scheme for later use� The
that is reasonably secure for a very short time into a quantum bit commitment scheme that
is p ermanently secure� Unfortunately� it turns out that you can always p ostp one measuring
the quantum bit and o�er fake commitments even if you are unable to break the underlying
commitmentscheme in the time that elapses between the commitment and the challenge� if a
challenge comes� you can op en your �commitments� in a way consistent with what you would
have committed to had you measured the quantum bit� and if the challenge do es not come� you
can keep the quantum bit intact for later measurement in the basis of your choice�
For a detailed description of these �awed quantum bit commitmentschemes and how to break
them� the reader is encouraged to consult a preliminary version of the full pap er� currently
available on the Los Alamos National Lab oratory e�Printquantum physics archive ����
References
��� Bennett� Charles H�� Fran�cois Bessette� Gilles Brassard� Louis Salvail and
John Smolin� �Exp erimental quantum cryptography�� Journal of Cryptology�Vol� �� no� ��
����� pp� �����
�
��� Bennett� Charles H�� Gilles Brassard� Claude Crepeau and Marie�H�el�ene Sku�
biszewska� �Practical quantum oblivious transfer�� Advances in Cryptology� Proceedings
of Crypto ���� August ����� pp� ��� � ����
��� Bennett� Charles H�� Gilles Brassard and Artur K� Ekert� �Quantum cryptography��
Scienti�c American� Octob er ����� pp� �� � ���
�
��� Brassard� Gilles and Claude Crepeau� �Cryptology column � �� years of quantum
cryptography�� Sigact News� Vol� ��� no� �� ����� pp� �� � ���
�
��� Brassard� Gilles� Claude Crepeau�Richard Jozsa and Daniel Langlois � �A quantum
bit commitmentscheme provably unbreakable by b oth parties�� Proceedings of ��th Annual
IEEE Symposium on Foundations of Computer Science�November ����� pp� ��� � ����
�
��� Brassard� Gilles� Claude Crepeau� Dominic Mayers and Louis Salvail� �Defeating
classical bit commitments with a quantum computer�� available as quant�ph�������� in
the LANL e�Print archiveatURLhttp���xxx�lanl�gov�archiv e�q uant �ph� June �����
�
��� Crepeau� Claude� �What is going on with quantum bit commitment��� Proceedings
of Pragocrypt ���� Prague� Octob er ����� Czech Technical University Publishing House�
pp� ��� � ����
�
��� Crepeau� Claude and Louis Salvail� �Quantum oblivious mutual identi�cation��
Advances in Cryptology� Proceedings of Eurocrypt ����May ����� pp� ��� � ����
��� Lo� Hoi�Kwong and H� F� Chau� �Is quantum bit commitment really p ossible��� Phys�
ical Review Letters� Vol� ��� no� ��� �� April ����� pp� ���� � ����� �rst app eared as
t archive �see ����� March ����� quant�ph�������� in the LANL e�Prin
���� Mayers� Dominic� �The trouble with quantum bit commitment�� available as
quant�ph�������� in the LANL e�Print archive �see ����� �rst discussed at a Workshop
on Quantum Information Theory held in Montr�eal� Octob er �����
���� Mayers� Dominic� �Unconditionally secure quantum bit commitment is imp ossible��
Physical Review Letters� Vol� ��� no� ��� �� April ����� pp� ���� � �����