Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Adaptive Versus Non-Adaptive Attacks. We consider attacks on cryptographic schemes, and we compare adaptive versus non-adaptive strategies for the adversary. In our context, a strategy is adaptive if the adversary’s action can depend on some auxiliary side information, and it is non-adaptive if the adversary has no access to any such side information. Non-adaptive strategies are typically much easier to analyze than adaptive ones.

Adaptive strategies are clearly more powerful than non-adaptive ones, but this advantage is limited by the amount and quality of the side-information available to the attacker. In the classical case, this can be made precise by the following simple argument. If the side information consists of a classical n-bit string, then adaptivity increases the adversary’s success probability in breaking the scheme by at most a factor of \(2^n\). Indeed, a particular non-adaptive strategy is to try to guess the n-bit side information and then apply the best adaptive strategy. Since the guess will be correct with probability at least \(2^{-n}\), it follows that \(P^{\mathrm {NA}}_{\mathrm {succ}}\ge 2^{-n} P^{\mathrm {A}}_{\mathrm {succ}}\), and thus \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^n P^{\mathrm {NA}}_{\mathrm {succ}}\), where \(P^{\mathrm {A}}_{\mathrm {succ}}\) and \(P^{\mathrm {NA}}_{\mathrm {succ}}\) respectively denote the optimal adaptive and non-adaptive success probabilities for the adversary to break the scheme. Even though there is an exponential loss, this is a very powerful relation between adaptive and non-adaptive strategies as it applies very generally, and it provides a non-trivial bound as long as we can control the size of the side information, and the non-adaptive success probability is small enough.

Our Technical Result. In this work, we consider the case where the side information (and the cryptographic scheme as a whole) may be quantum. A natural question is whether the same (or a similar) relation holds between adaptive and non-adaptive quantum strategies. The quantum equivalent to guessing the side information would be to emulate the n-qubit quantum side information by the completely mixed state \(\frac{\mathbb {I}_A}{2^n}\). Since it always holds that \(\rho _{AB}\le 2^{2n}\frac{\mathbb {I}_A}{2^n}\otimes \rho _B\), we immediately obtain a similar relation \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^{2n} P^{\mathrm {NA}}_{\mathrm {succ}}\), but with an additional factor of 2 in the exponent. The bound is tight for certain choices of \(\rho _{AB}\), and thus this additional loss is unavoidable in general; this seems to mostly answer the above question.

In this work, we show that this is actually not yet the end of the story. Our main technical result consists of a more refined treatment — and analysis — of the relation between adaptive and non-adaptive quantum strategies. We show that in a well-defined and rather general context, we can actually bound \(P^{\mathrm {A}}_{\mathrm {succ}}\) as

$$P^{\mathrm {A}}_{\mathrm {succ}}\le 2^{I_{\max }^{\mathrm {acc}}(B;A)} P^{\mathrm {NA}}_{\mathrm {succ}},$$

where \(I_{\max }^{\mathrm {acc}}(B;A)\) is a new (quantum) information measure that is upper bounded by the number of qubits of A. As such, we not only recover the classical relation \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^n P^{\mathrm {NA}}_{\mathrm {succ}}\) in the considered context, but we actually improve on it.

In more detail, we consider an abstract “game”, specified by an arbitrary bipartite quantum state \(\rho _{AB}\), of which the adversary Alice and a challenger Bob hold the respective registers A and B, and by an arbitrary family \(\{E^j\}_{j \in \mathcal J}\) of binary-outcome POVMs acting on register B. The game is played as follows: Alice chooses an index j, communicates it to Bob, and Bob measures his state B using the POVM \(E^j = \{E_0^j,E_1^j\}\) specified by Alice. Alice wins the game if Bob’s measurement outcome is 1. In the adaptive version of the game, Alice can choose the index j by performing a measurement on A; in the non-adaptive version, she has to decide upon j without resorting to A. As we will see, this game covers a large class of quantum cryptographic schemes, where Bob’s binary measurement outcome specifies whether Alice succeeded in breaking the scheme.

Our main result shows that in any such game it holds that \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^n P^{\mathrm {NA}}_{\mathrm {succ}}\) where \(n = {{\mathrm{H}}}_{0} ^{}(A)\), i.e., the number of qubits of A. Actually, as already mentioned, we show a more general and stronger bound \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^{I_{\max }^{\mathrm {acc}}(B;A)} P^{\mathrm {NA}}_{\mathrm {succ}}\) that also applies if we have no bound on the number of qubits of A, but we have some control over its “information content” \(I_{\max }^{\mathrm {acc}}(B;A)\), which is a new information measure that we introduce and show to be upper bounded by \( {{\mathrm{H}}}_{0} ^{}(A)\).

To give a first indication of the usefulness of our result, we observe that it easily provides a lower-bound on the quantity, or quality, of entanglement (as measured by \(I_{\max }^{\mathrm {acc}}(B;A)\)) that a dishonest committer needs in order to carry out the standard attack [18] on a quantum bit commitment scheme. Let Alice be the committer and Bob the receiver in a bit commitment scheme in which the opening phase consists of Alice announcing a classical string j and Bob applying a verification described by POVM \(\{E_{\mathrm {accept}}^j, E_{\mathrm {reject}}^j\}\). In the standard attack, Alice always commits to 0 while purifying her actions and applies an operation on her register if she wants to change her commitment to 1. If we let \(\rho _{AB}\) be the state of Bob’s register B that corresponds to a commitment to 0, then the probability that a memoryless Alice successfully changes her commitment to 1 is \(P^{\mathrm {NA}}_{\mathrm {succ}}=\max _j{{\mathrm{tr}}}(E_{\mathrm {accept}}^j \rho _{AB})\) where the maximum is over all j that open 1. If Alice holds a register A entangled with B, our main result implies that \(I_{\max }^{\mathrm {acc}}(B;A)\) must be proportional to \(-\log P^{\mathrm {NA}}_{\mathrm {succ}}\) for Alice to have a constant probability of changing her commitment.

But the real potential lies in the observation that adaptivity is notoriously difficult to handle in the analysis of cryptographic protocols, and as such our result provides a very powerful tool: as long as we have enough control over the side information, it is sufficient to restrict ourselves to non-adaptive attacks.

Applications. We demonstrate the usefulness of this methodology by proving the security of two commitment schemes. In both examples, the fact that the adversary holds quantum side information obstructs a direct analysis of the scheme, and we circumvent it by analyzing a non-adaptive version and applying our general result.

One-Bit Cut-and-Choose is Universal for Two-Party Computation. As a first example, we propose and prove secure a quantum bit commitment scheme that uses an ideal 1-bit cut-and-choose primitive \(\textsf {1CC}\) (see Fig. 1 in Sect. 4) as a black box. Since bit commitment (\(\textsf {BC}\)) implies oblivious transfer (\(\textsf {OT}\)) in the quantum setting [2, 7, 20], and oblivious transfer is universal for two-party computation, this implies the universality of \(\textsf {1CC}\) and thus completes the zero/xor/one law proposed in [9]. Indeed, it was shown in [9] that in the information-theoretic quantum setting, every primitive is either trivial (zero), universal (one), or can be used to implement an XOR — except that there was one missing piece in their characterization: it excluded \(\textsf {1CC}\) (and any primitive that implies \(\textsf {1CC}\) but not \(\textsf {2CC}\)). How \(\textsf {1CC}\) fits into the landscape was left as an open problem in [9]; we resolve it here.

The BCJL Bit Commitment Scheme in (A Variant of) The Bounded Quantum Storage Model. As a second application, we consider a general class of non-interactive commitment schemes and we show that for any such scheme, security against an adversary with no quantum memory at all implies security in a slightly strengthened version of the standard bounded quantum storage modelFootnote 1, with a corresponding loss in the error parameter.Footnote 2

As a concrete example scheme, we consider the classic BCJL scheme that was proposed in 1993 by Brassard et al. [6] as a candidate for an unconditionally-secure scheme — back when this was thought to be possible — but until now has resisted any rigorous positive security analysis. Our methodology of relating adaptive to non-adaptive security allows us to prove it secure in (a variant of) the bounded quantum storage model.

2 Preliminaries

2.1 Basic Notation

For any string \(x = (x_1,\ldots ,x_n) \in \{0,1\}^n\) and any subset \(t=\{t_1,\dots t_k\}\subseteq [n]\), we write \(x_t\) for the substring \(x_t = (x_{t_1},\dots ,x_{t_k}) \in \{0,1\}^{|t|}\). The n-bit all-zero string is denoted as \(0^n\). The Hamming distance between two strings \(x,y\in \{0,1\}^n\) is defined as \(d(x,y)= \sum _{i=1}^n x_i\oplus y_i\). For \(\delta >0\) and \(x\in \{0,1\}^n\), \(B^\delta (x)\) denotes the set of all n bit strings at Hamming distance at most \(\delta n\) from x. We denote by \(\lg {(\cdot )}\) the logarithm with respect to base 2. It is well known that the set \(B^\delta (x)\) contains at most \(2^{nh(\delta )}\) strings where \(h(\delta )=-\delta \lg (\delta )-(1-\delta )\lg (1-\delta )\) is the binary entropy function.

Ideal cryptographic functionalities (or primitives) are referenced by their name written in sans-serif font. They are fully described by their input/output behaviour (see, e.g., functionality \(\textsf {1CC}\) described in Fig. 1 in Sect. 4). Cryptographic protocols have their names written in small capitals with a primitive name in superscript if the protocol has black-box access to this primitive (e.g. protocol \(\textsc {bc}^\textsf {1CC}\) in Sect. 4).

2.2 Quantum States and More

We assume familiarity with the basic concepts of quantum information; we merely fix notation and terminology here. We label quantum registers by capital letters AB etc. and their corresponding Hilbert spaces are respectively denoted by \(\mathcal {H}_A, \mathcal {H}_B\) etc. We say that a quantum register A is “empty” if \(\dim (\mathcal {H}_A) = 1\). The state of a quantum register is specified by a density operator \(\rho \), a positive semidefinite trace-1 operator. We typically write \(\rho _A\) for the state of A, etc. The set of density operators for register A is denoted \(\mathcal{D}(\mathcal {H}_A)\). We write \(X \ge 0\) to express that the operator X is positive semidefinite, and \(Y \ge X\) to express that \(Y-X\) is positive semidefinite.

We measure the distance between two states \(\rho \) and \(\sigma \) in terms of their trace distance \(D(\rho , \sigma ):= \frac{1}{2}\Vert \rho -\sigma \Vert _{1}\), where \(\Vert X \Vert _{1}:= {{\mathrm{tr}}}(\sqrt{X^\dagger X})\) is the trace norm. We say that \(\rho \) and \(\sigma \) are \(\epsilon \) -close if \(D(\rho ,\sigma )\le \epsilon \), and we call them indistinguishable if their trace distance is negligible (in the security parameter).

The computational (or rectilinear) basis for a single qubit quantum register is denoted by \(\{{|0\rangle }_+, {|1\rangle }_+\}\), and the diagonal basis by \(\{{|0\rangle }_\times , {|1\rangle }_\times \}\). Recall that \({|0\rangle }_\times = \frac{1}{\sqrt{2}} ({|0\rangle }_++{|1\rangle }_+)\) and \({|1\rangle }_\times = \frac{1}{\sqrt{2}} ({|0\rangle }_+-{|1\rangle }_+)\). For any \(x\in \{0,1\}^n\) and \(\theta \in \{+,\times \}^n\), we set \({|x\rangle }_\theta := \bigotimes _{i=1}^n {|x_i\rangle }_{\theta _i}\). In the following, we will view and represent any sequence of diagonal and computational bases by a bit string \(\theta \in \{0,1\}^n\), where \(\theta _i=0\) represents the computational basis and \(\theta _i=1\) the diagonal basis. In other words, for \(b\in \{0,1\}\), \({|b\rangle }_0:={|b\rangle }_+\) and \({|b\rangle }_1 :={|b\rangle }_{\times }\). And for \(\theta ,x\in \{0,1\}^n\), we define \({|x\rangle }_\theta := \bigotimes _{i=1}^n {|x_i\rangle }_{\theta _i}\).

Operations on quantum registers are modeled as completely-positive trace-preserving (CPTP) maps. To indicate that a CPTP map \(\mathcal {E}\) takes inputs in A and outputs to B, we use subscript \(A \rightarrow B\). If \(\mathcal E_{A\rightarrow B}\) is a CPTP map acting on register A, we slightly abuse notation and write \(\mathcal E(\rho _{AC})\) instead of \(\mathcal E\otimes \mathbb {I}_C(\rho _{AC})\) where \(\mathbb {I}_C\) is the CPTP map that leaves register C unchanged. A measurement on a quantum register A, producing a measurement outcome X, is a CPTP map \(\mathcal {E}_{A \rightarrow X}\) of the form

$$ \mathcal {E}(\rho _A) = \sum _{x\in \mathcal X} {{\mathrm{tr}}}(E_x \rho _A) {|x\rangle \!\langle x|}_X, $$

where \(\{{|x\rangle }\}\) a basis of \(\mathcal {H}_X\) and \(E = \{ E_x \}_{x \in \mathcal X}\) is a POVM, i.e., a collection of positive semidefinite operators satisfying \(\sum _{x\in \mathcal X} E_x= \mathbb {I}\).

The spectral norm of an operator X is defined as \(\Vert X\Vert := \max _{{|u\rangle }}{\Vert X{|u\rangle }\Vert }\), where the maximum is over all normalized vectors \({|u\rangle }\), and an operator is called an orthogonal projector if \(X^\dagger = X\) and \(X^2 = X\). The following was shown in [8].

Lemma 1

For any two orthogonal projectors X and Y: \(\Vert X+Y\Vert \le 1+\Vert XY\Vert \).

2.3 Entropy and Privacy Amplification

In the following, the two notions of entropy that we will be dealing with are the min-entropy and the zero-entropy of a quantum register. They are defined as follows:

Definition 1

The min-entropy of a bipartite quantum state \(\rho _{AB}\) relative to register B is the largest number \( {{\mathrm{H}}}_{\infty } ^{}(A|B)_{\rho }\) such that there exists a \(\sigma _B\in \mathcal{D}(\mathcal {H}_B)\),

$$\begin{aligned} 2^{- {{\mathrm{H}}}_{\infty } ^{}(A|B)_{\rho }}\cdot \mathbb {I}_A\otimes \sigma _B\ge \rho _{AB}. \end{aligned}$$

The zero-entropy of a state \(\rho _A\) is defined as

$$\begin{aligned} { {{\mathrm{H}}}_{0} ^{}(A)_\rho } = \lg {\left( {{\text {rank}}(\rho _A)}\right) }. \end{aligned}$$

We write \( {{\mathrm{H}}}_{\infty } ^{}(A|B)\) and \( {{\mathrm{H}}}_{0} ^{}(A)\) when the state of the registers is clear from the context.

The min-entropy has the following operational interpretation [13]. Let \(\rho _{XB}\) be a so-called cq-state, i.e., of the from \(\rho _{XB} = \sum _x P_X(x){|x\rangle \!\langle x|}_X \otimes \rho ^x_B\). Then \(P_{\mathrm {guess}}(X|B)= 2^{- {{\mathrm{H}}}_{\infty } ^{}(X|B)_\rho }\) where \(P_{\mathrm {guess}}(X|B)\) is the probability of guessing the value of the classical random variable X, maximized over all POVMs on B.

Let \(\mathcal G_n\) be a family of hash functions \(g: \{0,1\}^n\rightarrow \{0,1\}\) with a binary output. The family \(\mathcal G_n\) is said to be two-universal if for any \(x, y\in \{0,1\}^n\) with \(x\ne y\) and \(G\in _R\mathcal G_n\),

$$\Pr {\left( G(x)=G(y)\right) }\le \frac{1}{2}.$$

Privacy amplification against quantum side information, in case of hash functions with a binary-output, can be stated as follows:

Theorem 1

(Privacy Amplification [19]). Let \(\mathcal G_n\) be a two-universal family of hash functions \(g: \{0,1\}^n\rightarrow \{0,1\}\) with a binary output. Furthermore, let \(\rho _{XE} = \sum _{x \in \{0,1\}^n} P_X(x) {|x\rangle \!\langle x|}_X \otimes \rho _E^x\) be an arbitrary cq-state, and let

$$ \rho _{YGXE} := \frac{1}{|\mathcal {G}_n|} \sum _{g \in \mathcal {G}_n} \sum _{x \in \{0,1\}^n} P_X(x) {|g(x)\rangle \!\langle g(x)|}_Y \otimes {|g\rangle \!\langle g|}_G \otimes {|x\rangle \!\langle x|}_X \otimes \rho _E^x $$

be the state obtained by choosing a random g in \(\mathcal {G}_n\), applying g to the value stored in X, and storing the result in register Y. Then,

$$ D\biggl (\rho _{YGE}, \frac{\mathbb {I}_{Y}}{2}\otimes \rho _{GE}\biggr ) \le \frac{1}{2} \cdot 2^{-\frac{1}{2} ( {{\mathrm{H}}}_{\infty } ^{}(X|E)-1)}. $$

3 Main Result

We consider an abstract game between two parties Alice and Bob. The game is specified by a joint state \(\rho _{AB}\), shared between Alice and Bob who hold respective registers A and B, and by a non-empty finite family \(\mathbf{E} = \{E^j\}_{j\in \mathcal J}\) of binary-outcome POVMs \(E^j = \{E^j_0,E^j_1\}\) acting on B. An execution of the game works as follows: Alice announces an index \(j \in \mathcal J\) to Bob, and Bob measures register B of the state \(\rho _{AB}\) using the POVM \(E^j\) specified by Alice’s choice of j. Alice wins the game if the measurement outcome is 1. We distinguish between an adaptive and a non-adaptive Alice. An adaptive Alice can obtain j by performing a measurement on her register A of \(\rho _{AB}\); on the other hand, an non-adaptive Alice has to produce j from scratch, i.e., without accessing A. This motivates the following formal definitions.

Definition 2

Let \(\rho _{AB}\) be a bipartite quantum state, and let \(\mathbf{E} = \{E^j\}_{j\in \mathcal J}\) be a non-empty finite family of binary-outcome POVMs \(E^j = \{E^j_0,E^j_1\}\) acting on B. Then, we define

$$ P_{\mathrm {succ}}(\rho _{AB},\mathbf{E}) := \max _{\{F_j\}_{j}}\sum _{j\in \mathcal J} {{\mathrm{tr}}}\Bigl (\bigl (F_j\otimes E_1^j\bigr )\rho _{AB}\Bigr ), $$

where the maximum is over all POVMs \(\{F_j\}_{j\in \mathcal J}\) acting on A. We call \(P_{\mathrm {succ}}(\rho _{AB},\mathbf{E})\) the adaptive success probability, and we call \(P_{\mathrm {succ}}(\rho _{B},\mathbf{E})\) the non-adaptive success probability, where the latter is naturally understood by considering an “empty” A, and it equals

$$ P_{\mathrm {succ}}(\rho _{B},\mathbf{E}) = \max _{j\in \mathcal J}{{\mathrm{tr}}}\bigl (E_1^j \rho _{B}\bigr ). $$

If \(\rho _{AB}\) and \(\mathbf E\) are clear from the context, we write \(P^{\mathrm {A}}_{\mathrm {succ}}\) and \(P^{\mathrm {NA}}_{\mathrm {succ}}\) instead of \(P_{\mathrm {succ}}(\rho _{AB},\mathbf{E})\) and \(P_{\mathrm {succ}}(\rho _{B},\mathbf{E})\).

As a matter of fact, for the sake of generality, we consider a setting with an additional quantum register \(A'\) to which both the adaptive and the non-adaptive Alice have access to, but, as above only the adaptive Alice has access to A. In that sense, we will compare an adaptive with a semi-adaptive Alice. Formally, we will consider a tripartite state \(\rho _{AA'B}\) and relate \(P_{\mathrm {succ}}(\rho _{AA'B},\mathbf{E})\) to \(P_{\mathrm {succ}}(\rho _{A'B},\mathbf{E})\). Obviously, the special case of an “empty” \(A'\) will then provide a relation between \(P^{\mathrm {A}}_{\mathrm {succ}}\) and \(P^{\mathrm {NA}}_{\mathrm {succ}}\).

We now introduce a new measure of (quantum) information \(I_{\max }^{\mathrm {acc}}(B;A|A')_\rho \), which will relate the adaptive to the non- or semi-adaptive success probability in our main theorem. In its unconditional form \(I_{\max }^{\mathrm {acc}}(B;A)_\rho \), it is the accessible version of the max-information \(I_{\max }(B;A)_\rho \) introduced in [3]; this means that it is the amount of max-information that can be accessed via measurements on Alice’s share.

Definition 3

Let \(\rho _{AA'B}\) be a tripartite quantum state. Then, we define \(I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }\) as the smallest real number such that, for every measurement \(\mathcal {M}_{AA' \rightarrow X}\) there exists a measurement \(\mathcal {N}_{A' \rightarrow X}\) such that

$$\begin{aligned} \mathcal {M}(\rho _{AA'B}) \le 2^{I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }} \mathcal {N}(\rho _{A'B}). \end{aligned}$$

The unconditional version \(I_{\max }^{\mathrm {acc}}(B;A)_{\rho }\) is naturally defined by considering \(A'\) to be “empty”; the above condition then coincides with

$$\begin{aligned} \mathcal M(\rho _{AB})\le 2^{I_{\max }^{\mathrm {acc}}(B;A)_\rho }\sigma _X\otimes \rho _B, \end{aligned}$$

for some normalized density matrix \(\sigma _X \in \mathcal{D}(\mathcal {H}_X)\), which can be interpreted as the outcome of a measurement \(\mathcal N_{\mathbb C\rightarrow X}\) on an “empty” register.

We are now ready to state and prove our main result.

Theorem 2

Let \(\rho _{AA'B}\) be a tripartite quantum state, and let \(\mathbf{E} = \{E^j\}_{j\in \mathcal J}\) be a non-empty finite family of binary-outcome POVMs \(E^j\) acting on B. Then, we have that

$$\begin{aligned} P_{\mathrm {succ}}(\rho _{AA'B},\mathbf{E}) \le 2^{I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }} P_{\mathrm {succ}}(\rho _{A'B},\mathbf{E}). \end{aligned}$$

By considering an “empty” \(A'\), we immediately obtain the following.

Corollary 1

Let \(\rho _{AB}\) be a bipartite quantum state, and let \(\mathbf{E} = \{E^j\}_{j\in \mathcal J}\) be as above. Then,

$$\begin{aligned} P^{\mathrm {A}}_{\mathrm {succ}}\le 2^{I_{\max }^{\mathrm {acc}}(B;A)_{\rho }} P^{\mathrm {NA}}_{\mathrm {succ}}. \end{aligned}$$

Proof

(of Theorem 2 ). Let \(\{F_j\}_{j \in \mathcal J}\) be an arbitrary POVM acting on \(AA'\), and let \(\mathcal {M}_{AA' \rightarrow J}\) be the corresponding measurement \(\mathcal {M}(\sigma _{AA'}) = \sum _j {{\mathrm{tr}}}(F_j \sigma ) {|j\rangle \!\langle j|}\). We define the map

$$\begin{aligned} \mathcal {E}_{JB \rightarrow \mathbb C}(\sigma _{JB}) := \sum _j {{\mathrm{tr}}}(({|j\rangle \!\langle j|} \otimes E_1^j) \sigma _{JB}), \end{aligned}$$

which is completely positive (but not trace-preserving in general). From the definition of \(I_{\max }^{\mathrm {acc}}\), we know that there exists a measurement \(\mathcal {N}_{A' \rightarrow J}\), i.e., a CPTP map of the form \(\mathcal {N}(\sigma _{A'}) = \sum _j {{\mathrm{tr}}}(F'_j \sigma ) {|j\rangle \!\langle j|}\) for a POVM \(\{F'_j\}_{j \in \mathcal J}\) acting on \(A'\), such that

$$\begin{aligned} \mathcal {M}(\rho _{AA'B}) \le 2^{I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }} \mathcal {N}(\rho _{A'B}). \end{aligned}$$

Applying \(\mathcal {E}\) on both sides gives

$$\begin{aligned} (\mathcal {E} \circ \mathcal {M})(\rho _{AA'B}) \le 2^{I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }} (\mathcal {E} \circ \mathcal {N})(\rho _{A'B}), \end{aligned}$$

and expanding both sides using the definitions of \(\mathcal {E}\), \(\mathcal {M}\) and \(\mathcal N\) gives

$$\begin{aligned} \sum _j {{\mathrm{tr}}}((F_j \otimes E_1^j) \rho _{AA'B})&\le 2^{I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }} \sum _j {{\mathrm{tr}}}((F'_j \otimes E_1^j) \rho _{A'B}) \\ {}&\le 2^{I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }} P_{\mathrm {succ}}(\rho _{A'B},\mathbf{E}). \end{aligned}$$

This yields the theorem statement, since the left-hand side equals to \(P_{\mathrm {succ}}(\rho _{AA'B},\mathbf{E})\) when maximized over the choice of the POVM \(\{F_j\}_{j \in \mathcal J}\).   \(\square \)

By the following proposition, we see that Corollary 1 implies a direct generalization of the classical bound, which ensures that giving access to n bits increases the success probability by at most \(2^n\), to qubits.

Proposition 1

For any \(\rho _{AB}\), we have that \(I_{\max }^{\mathrm {acc}}(B;A)_{\rho } \le H_0(A)_{\rho }\).

Proof

Let \({|\psi \rangle }_{ABR}\) be a purification of \(\rho _{AB}\) and let \(\mathcal {M}_{A\rightarrow X}\) be a measurement on A. Since \({|\psi \rangle }\) is also a purification of \(\rho _{A}\), there exists a linear operator \(V_{\bar{A} \rightarrow BR}\) from a register \(\bar{A}\) of the same dimension as A into BR such that \({|\psi \rangle }_{ABR} = (\mathbb {I}_A \otimes V) {|\varPhi \rangle }_{A\bar{A}}\), with \({|\varPhi \rangle } = \sum _i {|i\rangle }_{A} \otimes {|i\rangle }_{\bar{A}}\). Now, first note that

$$\begin{aligned} 2^{-H_0(A)} (\mathcal {M} \otimes \mathbb {I})(\varPhi _{A\bar{A}}) = \sum _x \lambda _x {|x\rangle \!\langle x|}_X \otimes \omega _{\bar{A}}^x \le \sum _x \lambda _x {|x\rangle \!\langle x|}_X \otimes \mathbb {I}_{\bar{A}}, \end{aligned}$$

where \(\{ \lambda _x \}\) is a probability distribution, and each \(\omega _{\bar{A}}^x\) is normalized because \({{\mathrm{tr}}}(\varPhi )=2^{ {{\mathrm{H}}}_{0} ^{}(A)}\). Multiplying both sides of the inequality by \(2^{H_0(A)}\) and conjugating by V, we get

$$\begin{aligned} (\mathcal {M} \otimes \mathbb {I})({|\psi \rangle \!\langle \psi |}) \le 2^{H_0(A)} \sum _x \lambda _x {|x\rangle \!\langle x|} \otimes VV^{\dagger }. \end{aligned}$$

Using the fact that \(VV^{\dagger } = \psi _{BR}:={{\mathrm{tr}}}_{A}({|\psi \rangle \!\langle \psi |})\), this yields

$$\begin{aligned} (\mathcal {M} \otimes \mathbb {I})({|\psi \rangle \!\langle \psi |}) \le 2^{H_0(A)} \sum _x \lambda _x {|x\rangle \!\langle x|} \otimes \psi _{BR}. \end{aligned}$$

Tracing out R on both sides and defining \(\sigma _X = \sum _x \lambda _x {|x\rangle \!\langle x|}\) then yields

$$\begin{aligned} (\mathcal {M} \otimes \mathbb {I})(\rho _{AB}) \le 2^{H_0(A)} \sigma _X \otimes \rho _{B}, \end{aligned}$$

which proves the claim.    \(\square \)

One might naively expect that also the conditional version \(I_{\max }^{\mathrm {acc}}(B;A|A')_{\rho }\) is upper bounded by \(H_0(A)_{\rho }\), implying a corresponding statement for a semi-adaptive Alice: giving access to n additional qubits increases the success probability by at most \(2^n\). However, this is not true, as the following example illustrates. Let register B contain two random classical bits, and let A and \(A'\) be two qubit registers, containing one of the four Bell states, and which one it is, is determined by the two classical bits. Alice’s goal is to guess the two bits. Clearly, \(A'\) alone is useless, and thus a semi-adaptive Alice having access to \(A'\) has a guessing probability of at most \(\frac{1}{4}\). On the other hand, adaptive Alice can guess them with certainty by doing a Bell measurement on \(AA'\).

However, Proposition 1 does generalize to the conditional version in case of a classical \(A'\).

Proposition 2

For any state \(\rho _{ZAB}\) with classical Z:

$$\begin{aligned}I_{\max }^{\mathrm {acc}}(B;A|Z)_{\rho } \le \max _z I_{\max }^{\mathrm {acc}}(B;A)_{\rho ^z} \le H_0(A)_{\rho }. \end{aligned}$$

An additional property of \(I_{\max }^{\mathrm {acc}}\) is that quantum operations that are in tensor product form on registers A and B cannot increase the max-accessible-information.

Proposition 3

Let \(\mathcal E_{AB\rightarrow A'B'}\) be a CPTP map of the form \(\mathcal E= \mathcal E^A\otimes \mathcal E^B\). Then

$$\begin{aligned} I_{\max }^{\mathrm {acc}}(B';A')_{\mathcal E(\rho )} \le I_{\max }^{\mathrm {acc}}(B;A)_\rho . \end{aligned}$$

The proofs the two previous results can be found in Appendix A.

4 Application 1: \(\textsf {1CC}\) Is Universal

4.1 Background

It is a well-known fact that information-theoretically secure two-party computation is impossible without assumptions. As a result, one of the natural questions that arises is: what are the minimal assumptions required to achieve it? One way to attack this question is to try to identify the simplest cryptographic primitives which, when made available in a black-box way to the two parties, allow them to perform arbitrary two-party computations. We then say that such a primitive is “universal”. Perhaps the best known such primitive is one-out-of-two oblivious transfer (OT), which has been shown to be universal by Kilian [10]. Since then, the power of various primitives for two-party computation has been studied in much more detail [11, 12, 1417]. Recently, it has been shown in [16] that every non-trivial two-party primitive (i.e. any primitive that cannot be done from scratch without assumptions) can be used as a black-box to implement one of four basic primitives: oblivious transfer (\(\textsf {OT}\)), bit commitment (\(\textsf {BC}\)), an XOR between Alice’s and Bob’s inputs, or a primitive called cut-and-choose (CC) as depicted in Fig. 1.

Fig. 1.
figure 1

The cut-and-choose functionality. The one-bit and two-bit versions of the functionality refer to the length of x. One player chooses x, and the other player chooses whether he wants to see x or not. The first player then learns the choice that was made.

Full size image

Interestingly, this picture becomes considerably simpler when we consider quantum protocols. First, \(\textsf {BC}\) can be used to implement \(\textsf {OT}\) [2, 7, 20] and is therefore universal. Furthermore, as was shown in [9], even a 2-bit cut-and-choose (2CC) is universal in the quantum setting, giving rise to what they call a zero/xor/one law: every primitive is either trivial (zero), universal (one), or can be used to implement an XOR. However, there was one missing piece in this characterization: it applies to all functionalities except those that are sufficient to implement 1-bit cut-and-choose (1CC), but not 2CC. In this section, we resolve this issue by showing that 1CC is universal. We do this by presenting a quantum protocol for bit commitment that uses 1CC as a black box, and we prove its security using our adaptive to non-adaptive reduction.

Fig. 2.
figure 2

Bit commitment protocol \(\textsc {bc}^\textsf {1CC}\) based on the 1-bit cut-and-choose primitive.

Full size image

4.2 The Protocol

The protocol is given in Fig. 2, where Alice is the committer and Bob the receiver. The protocol is parameterized by \(N \in \mathbb {N}\), which acts as security parameter, and by constants \(q,\tau \) and r, where \(q,\tau > 0\) are small and \(r < 1\) is close to 1. Intuitively, our bit commitment protocol uses the \(\textsf {1CC}\) primitive to ensure that the state Alice sends to Bob is close to what it is supposed to be: \({|0^N\rangle }_\theta \) for some randomly chosen but fixed basis \(\theta \). Indeed, the \(\textsf {1CC}\) primitive allows Bob to sample a small random subset of the qubits and check for correctness on that subset; if the state looks correct on this subset, we expect that it cannot be too far off on the unchecked part.

Note that our protocol uses the B92 [1] encoding (\(\{ {|0\rangle }_+, {|0\rangle }_\times \}\)), rather than the more common BB84 encoding. This allows us to get away with a one-bit cut-and-choose functionality; with the BB84 encoding, Alice would have to “commit” to two bits: the basis and the measurement outcome.

We use the quantum sampling framework of Bouman and Fehr [4] to analyze the checking procedure of the protocol. Actually, we use the adaptive version of [9], which deals with an Alice that can decide on the next basis adaptively depending on what Bob has asked to see so far. On the other hand, to deal with Bob choosing his sample subset adaptively depending on what he has seen so far, we require the sample subset to be rather small, so that we can then apply union bound over all possible choices.

4.3 Security Proofs

We use the standard notion of hiding for a (quantum) bit commitment scheme.

Definition 4

(Hiding). A bit-commitment scheme is \(\epsilon \)-hiding if, for any dishonest receiver Bob, his state \(\rho _0\) corresponding to a commitment to \(b = 0\) and his state \(\rho _{1}\) corresponding to a commitment to \(b = 1\) satisfy \(D(\rho _0,\rho _1) \le \epsilon \).

Since the proof that our protocol is hiding uses a standard approach, we only briefly sketch it.

Theorem 3

Protocol \(\textsc {commit}_{N,q,\tau ,r}^{\textsf {1CC}}\) is \(2^{-\frac{1}{2} N(\lg (1/\gamma )-2q-(1-r))}\)-hiding, where \(\gamma = \cos ^2(\pi /8) \approx 0.85\) (and hence \(\lg (1/\gamma ) \approx 0.23\)).

Proof (sketch)

We need to argue that there is sufficient min-entropy in \(\theta _{\bar{t}}\) for Bob; then, privacy amplification does the job. This means that we have to show that Bob has small success probability in guessing \(\theta _{\bar{t}}\). What makes the argument slightly non-trivial is that Bob can choose t depending on the qubits \({|0^N\rangle }_{\theta }\). Note that since Alice aborts in case \(|t| > 2qN\), we may assume that \(|t| \le 2qN\).

It is a straightforward calculation to show that Bob’s success probability in guessing \(\theta \) right after step 1 of the protocol, i.e., when given the qubits \({|0^N\rangle }_{\theta }\), is \(\gamma ^N\), where \(\gamma = \cos ^2(\pi /8) \approx 0.85\). From this it then follows that right after step 2, Bob’s success probability in guessing \(\theta _{\bar{t}}\) is at most \(\gamma ^N \cdot 2^{2qN}\): if it was larger, then he could guess \(\theta \) right after step 1 with probability larger than \(\gamma ^N\) by simulating the sampling and guessing the \(|t| \le 2qN\) bits \(\theta _i\) that Alice provides. It follows that right after step 2, Bob’s min-entropy in \(\theta _{\bar{t}}\) is \(N(\lg (1/\gamma ) - 2q)\). Finally, by the chain rule for min-entropy, Bob’s min-entropy in \(\theta _{\bar{t}}\) when additionally given the syndrome s is \(N\bigl (\lg (1/\gamma ) - 2q\bigr ) - (n-k) = N\bigl (\lg (1/\gamma ) - 2q\bigr ) - n(1-k/n) \ge N\bigl (\lg (1/\gamma ) - 2q - (1-r)\bigr )\). The statement then directly follows from privacy amplification (Theorem 1) and the triangle inequality.   \(\square \)

As for the binding property of our commitment scheme, as we will show, we achieve a strong notion of security that not only guarantees the existence of a bit to which Alice is bound in that she cannot reveal the other bit, but this bit is actually universally extractable from the classical information held by Bob together with the inputs to the 1CC:

Definition 5

(Universally Extractable). A bit-commitment scheme (in the \(\textsf {1CC}\)-hybrid model) is \(\epsilon \)-universally extractable if there exists a function c that acts on the classical information \(view_{Bob,\textsf {1CC}}\) held by Bob and \(\textsf {1CC}\) after the commit phase, so that for any pure commit and open strategy for dishonest Alice, she has probability at most \(\epsilon \) of successfully unveiling the bit \(1-c(view_{Bob,\textsf {1CC}})\).

Our strategy for proving the binding property for our protocol is as follows. First, we show that due to the checking part, the (joint) state after the commit phase is of a restricted form. Then, we show that, based on this restriction on the (joint) state, a non-adaptive Alice who has no access to her quantum state, cannot open to the “wrong” bit. And finally, we apply our main result to conclude security against a general (adaptive) Alice.

The following lemma follows immediately from (the adaptive version of) Bouman and Fehr’s quantum sampling framework [4, 9]. Informally, it states that if Bob did not abort during sampling, then the post-sampling state of Bob’s register is close to the correct state, up to a few errors. In other words, after the commit phase, Bob’s state is a superposition of strings close to \(0^n\) in the basis specified by \(\theta _{\bar{t}}\).

Lemma 2

Consider an arbitrary pure strategy for Alice in protocol \(\textsc {commit}_{N,q,\tau ,r}^{\textsf {1CC}}\). Let \(\rho _{AB}\) be the joint quantum state at the end of the commit phase, conditioned (and thus dependent) on \(t, \theta , g, w\) and s. Then, for any \(\delta >0\), on average over the choices of \(t,\theta , g, w\) and s, the state \(\rho _{AB}\) is \(\epsilon \)-close to an “ideal state” \(\tilde{\rho }_{AB}\) (which is also dependent on \(t, \theta \) etc.) with the property that the conditional state of \(\tilde{\rho }_{AB}\) conditioned on Bob not aborting is pure and of the form

$$\begin{aligned} {| \phi _{AB}\rangle } = \sum _{y\in B^{\delta }(0^n)} \alpha _y{|\xi ^y\rangle }_A{|y\rangle }_{\theta _{\bar{t}}} \end{aligned}$$
(1)

where \({|\xi ^y\rangle }\) are arbitrary states on Alice’s register and \(\epsilon \le \sqrt{4\exp (-q^2\delta ^2N/8)}\).

The following lemma implies that after the commit phase, if Alice and Bob share a state of the form of (1), then a non-adaptive Alice is bound to a fixed bit which is defined by some string \(\theta '\).

Lemma 3

For any \(t, \theta \) and s there exists \(\theta '\) with syndrome s such that for every \(\theta ''\ne \theta '\) with syndrome s, and for every state \({| \phi _{AB}\rangle }\) of the form of (1),

$$ {{\mathrm{tr}}}\bigl ((\mathbb {I}\otimes {|0\rangle \!\langle 0|}_{\theta ''}) \phi _{AB}\bigr ) \le 2^{-\frac{d}{2}+nh(\delta )}. $$

Proof

Let \(\theta '\in \{0,1\}^n\) be the string with syndrome s closest to \(\theta _{\bar{t}}\) (in Hamming distance). Then, since the set of strings with a fixed syndrome form an error correcting code of distance d, every other \(\theta ''\in \{0,1\}^n\) of syndrome s is at distance at least d / 2 from \(\theta _{\bar{t}}\). Bob’s reduced density operator of state (1) is \(\phi _{B}= \sum _{y,y'\in B^{\delta }(0^n)} \alpha _y\alpha _{y'}^*{\langle \xi _{y'}|\xi _{y}\rangle } {|y\rangle \!\langle y'|}_{\theta _{\bar{t}}}\). Using the fact that \(d(\theta _{\bar{t}},\theta '')\ge d/2\) for every \(\theta ''\ne \theta '\) (and hence \(|{{\mathrm{tr}}}({|0\rangle \!\langle 0|}_{\theta ''} {|y\rangle \!\langle y'|}_{\theta _{\bar{t}}})| \le 2^{-\frac{d}{2}}\)) and the triangle inequality, we get:

$$\begin{aligned} {{\mathrm{tr}}}({|0\rangle \!\langle 0|}_{\theta ''} \phi _{B})&\le 2^{-\frac{d}{2}} \sum _{y,y' \in B^{\delta }(0^n)} \left| \alpha _y \alpha _{y'}^{*} {\langle \xi _{y'}|\xi _{y}\rangle } \right| \\&\le 2^{-\frac{d}{2}} \sum _{y,y' \in B^{\delta }(0^n)} |\alpha _y| |\alpha _{y'}^{*}|\\&= 2^{-\frac{d}{2}} \bigg ( \sum _y |\alpha _y| \bigg )^2\\&\le 2^{-\frac{d}{2} + nh(\delta )}, \end{aligned}$$

where the last inequality is argued by viewing \(\sum _{y} |\alpha _y|\) as inner product of the vectors \(\sum _y |\alpha _y|{|y\rangle }\) and \(\sum _y{|y\rangle }\), and applying the Cauchy-Schwarz inequality.    \(\square \)

We are now ready to prove that the scheme is universally extractable:

Theorem 4

For any \(\delta > 0\), \(\textsc {commit}_{N,q,\tau ,r}^{\textsf {1CC}}\) is \(\epsilon \)-universally extractable with

$$\begin{aligned} \epsilon \le 2^{-N(1-2q)(\tau /2-2h(\delta ))} + \sqrt{4\exp (-q^2\delta ^2N/8)}. \end{aligned}$$

Proof

We need to show the existence of a binary-valued function \(c(\theta , t, g, w,s)\) as required by Definition 5, i.e., such that for any commit strategy, there is no opening strategy that allows Alice to unveil \(\bar{c}\), except with small probability. We define this function as \(c(t,\theta ,g,s,w):= g(\theta ')\oplus w\) where \(\theta '\) is as in Lemma 3, depending on \(t,\theta \) and s only.

Now, consider an arbitrary pure strategy for Alice in protocol \(\textsc {commit}^\textsf {1CC}\). Let \(\theta , g, w\) and s be the values chosen by Alice during the commit phase and let \(\rho _{AB}\) be the joint state of Alice and Bob after the commit phase. Fix \(\delta > 0\) and consider the states \(\tilde{\rho }_{AB}\) and \({|\phi _{AB}\rangle }\) as promised by Lemma 2. Recall that \(\rho _{AB}\) is \(\epsilon \)-close to \(\tilde{\rho }_{AB}\) (on average over \(\theta , g, w\) and s, and for \(\epsilon \le \sqrt{4\exp (-q^2\delta ^2N/8)}\)), and \(\tilde{\rho }_{AB}\) is a mixture of Bob aborting in the commit phase and of \({|\phi _{AB}\rangle }\); therefore, we may assume that Alice and Bob share the pure state \(\phi _{AB} = {|\phi _{AB}\rangle \!\langle \phi _{AB}|}\) instead of \(\rho _{AB}\) by taking into account the probability at most \(\epsilon \) that the two states behave differently.

Let \(\mathcal B\) be the set of strings \(\theta ''\) with syndrome s such that \(g(\theta '')\oplus w=\bar{c}\) and let \(\mathbf{E}=\{\{E_0^{\theta ''}, E_1^{\theta ''}\}\}_{\theta ''\in \mathcal B}\) be the family of POVMs that correspond to Bob’s verification measurement when Alice announces \(\theta ''\), i.e. where \(E_1^{\theta ''}= {|0\rangle \!\langle 0|}_{\theta ''}\) and \(E_0^{\theta ''}= \mathbb {I}- {|0\rangle \!\langle 0|}_{\theta ''}\). Then, Alice’s probability of successfully unveiling bit \(\bar{c}\) equals \(P_{\mathrm {succ}}(\phi _{AB}, \mathbf{E})\) as defined in Sect. 3. In order to apply Corollary 1, we must first control the size of the side-information that Alice holds. By looking at the definition of \({|\phi _{AB}\rangle }\) in (1), we notice that it is a superposition of at most \(|B^{\delta }(0^n)|\le 2^{nh(\delta )}\) terms. Therefore, the rank of \(\phi _A\) is at most \(2^{nh(\delta )}\) and \( {{\mathrm{H}}}_{0} ^{}(A)\le nh(\delta )\). We can now bound Alice’s probability of opening \(\bar{c}\):

$$ P_{\mathrm {succ}}(\phi _{AB}, \mathbf{E})\le 2^{ {{\mathrm{H}}}_{0} ^{}(A)} P_{\mathrm {succ}}(\phi _{B}, \mathbf{E})\le 2^{-\frac{d}{2}+2nh(\delta )} \le 2^{-n(\tau /2-2h(\delta ))}$$

where the first inequality follows from Corollary 1 and Proposition 1, and the second from the bound on \( {{\mathrm{H}}}_{0} ^{}(A)\) and from Lemma 3.    \(\square \)

Regarding the choice of parameters \(q,\tau \) and r, and the choice of the code, we note that the Gilbert-Varshamov bound guarantees that the code defined by a random binary \(n\times (n-rn)\) generator matrix G has minimal distance \(d \ge \tau n\), except with negligible probability, as long as \(r< 1-h(\tau )\). On the other hand, for the hiding property, we need that \(r > 1 - 0.23 + 2q\). As such, as long as \(h(\tau ) < 0.23-2q\), there exists a suitable rate r and a suitable generator matrix G, so that our scheme offers statistical security against both parties.

4.4 Universality of \(\textsf {1CC}\)

By using our \(\textsf {1CC}\)-based bit commitment scheme \(\textsc {bc}^{\textsf {1CC}}\) in the standard construction for obtaining \(\textsf {OT}\) from \(\textsf {BC}\) in the quantum setting [2, 7], we can conclude that \(\textsf {1CC}\) implies \(\textsf {OT}\) in the quantum setting, and since \(\textsf {OT}\) is universal we thus immediately obtain the universality of \(\textsf {1CC}\). However, strictly speaking, this does not solve the open problem of [9] yet. The caveat is that [9] asks about the universality of \(\textsf {1CC}\) in the UC security model [20], in other words, whether \(\textsf {1CC}\) is “universally-composable universal”. So, to truly solve the open problem of [9] we still need to argue UC security of the resulting \(\textsf {OT}\) scheme, for instance by arguing that our scheme \(\textsc {bc}^{\textsf {1CC}}\) is UC secure.

UC-security of \(\textsc {bc}^{\textsf {1CC}}\) against malicious Alice follows immediately from our binding criterion (Definition 5); after the commit phase, Alice is bound to a bit that can be extracted in a black-box way from the classical information held by Bob and the \(\textsf {1CC}\) functionality. Thus, a simulator can extract that bit from malicious Alice and input it into the ideal commitment functionality, and since Alice is bound to this bit, this ideal-world attack is indistinguishable from the real-world attack.

However, it is not clear if \(\textsc {bc}^{\textsf {1CC}}\) is UC-secure against malicious Bob. The problem is that it is unclear whether it is universally equivocable, which is a stronger notion than the standard hiding property (Definition 4).

Nevertheless, we can still obtain a UC-secure \(\textsf {OT}\) scheme in the \(\textsf {1CC}\)-hybrid model, and so solve the open problem of [9]. For that, we slightly modify the standard \(\textsf {BC}\)-based \(\textsf {OT}\) scheme [2, 7] with \(\textsf {BC}\) instantiated by \(\textsc {bc}^{\textsf {1CC}}\) as follows: for every BB84 qubit that the receiver is meant to measure, he commits to the basis using \(\textsc {bc}^{\textsf {1CC}}\), but he uses the \(\textsf {1CC}\)-functionality directly to “commit” to the measurement outcome, i.e., he inputs the measurement outcome into \(\textsf {1CC}\) — and if the sender asks \(\textsf {1CC}\) to reveal it, the receiver also unveils the accompanying basis by opening the corresponding commitment.

Definition 5 ensures universal extractability of the committed bases and thus of the receiver’s input. This implies UC-security against dishonest receiver. In order to argue UC-security against dishonest sender, we consider a simulator that acts like the honest receiver, i.e., chooses random bases and commits to them, but only measures those positions that the sender wants to see — because the simulator controls the \(\textsf {1CC}\)-functionality he can do that. Then, once he has learned the sender’s choices for the bases, he can measure all (remaining) qubits in the correct basis, and thus reconstruct both messages and send them to the ideal \(\textsf {OT}\) functionality. The full details of the proof are in Appendix B.

5 Application 2: On the Security of BCJL Commitment Scheme

In this section, we show that for a wide class of bit-commitment schemes, the binding property of the scheme in (a slightly strengthened version of) the bounded-quantum-storage model reduces to its binding property against a dishonest committer that has no quantum memory at all. We then demonstrate the usefulness of this on the example of the bcjl commitment scheme [6].

5.1 Setting up the Stage

The class of schemes to which our reduction applies consists of the schemes that are non-interactive: all communication goes from Alice, the committer, to Bob, the verifier. Furthermore, we require that Bob’s verification be “projective” in the following sense.

Definition 6

We say that a bit-commitment scheme is non-interactive and with projective verification, if it is of the following form.

  • Commit: Alice sends a classical message x and a quantum register B to Bob.

  • Opening to b: Alice sends a classical opening \(y_b\) to Bob, and Bob applies a binary-outcome projective measurement \(\{\mathbb V_{x,y_b}, \mathbb {I}-\mathbb V_{x,y_b}\}\) to register B.

Since x is fixed after the commit phase, we tend to leave the dependency of \(\mathbb V_{x,y_b}\) from x implicit and write \(\mathbb V_{y_b}\) instead. Also, to keep language simple, we will just speak of a non-interactive bit-commitment scheme and drop the projective verification part in the terminology.

We consider the security — more precisely: the binding property — of such bit-commitment schemes in a slightly strengthened version of the bounded-quantum-storage model [8], where we bound the quantum memory of Alice, but we also restrict her measurement (for producing \(y_b\) in the opening phase) to be projective. This restriction on Alice’s measurement is well justified since a general non-projective measurement requires additional quantum storage in the form of an ancilla to be performed coherently. From a technical perspective, this restriction (as well as the restriction on Bob’s verification) is a byproduct of our proof technique, which requires the measurement operator describing the (joint) opening procedure to be repeatable; avoiding it is an open question.Footnote 3

Formally, we capture the binding property as follows in this variation of the bounded-quantum-storage model.

Definition 7

(Binding). A non-interactive bit commitment scheme is called \(\epsilon \) -binding against q-quantum-memory-bounded (or q-QMB for short) projective adversaries if, for all states \(\rho _{AB}\in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) with \(\dim (\mathcal {H}_A)\le 2^q\) and for all classical messages x,

$$ P^A_0(\rho _{AB}) + P^A_1(\rho _{AB}) \le 1+ \epsilon $$

where

$$P_b^{A}(\rho _{AB}) := \max _{ \{\mathbb F_{y_b}\}_{y_b}}\sum _{y_b} {{\mathrm{tr}}}((\mathbb F_{y_b}\otimes \mathbb V_{x,y_b})\rho _{AB}) $$

is the probability of successfully opening bit b, maximized over all projective measurements \(\{\mathbb F_{y_b}\}_{y_b}\).

In case \(q = 0\), where the above requirement reduces to

$$ P^{NA}_0(\rho _{AB}) + P^{NA}_1(\rho _{AB}) \le 1+ \epsilon \quad \text {with}\quad P_b^{NA}(\rho _{AB}) :=\max _{y_b}{{\mathrm{tr}}}(\mathbb V_{x,y_b} \rho _{B}) $$

and \(\rho _B= {{\mathrm{tr}}}_{A}(\rho _{AB})\), we also speak of \(\epsilon \)-binding against non-adaptive adversaries.

On the Binding Criterion for Non-interactive Commitment Schemes.

Binding criteria analogous to the one specified in Definition 7 have traditionally been weak notions of security against dishonest committers for quantum commitment schemes, as opposed to criteria that are more in the spirit of a bit that cannot be opened by the adversary. While more convenient for proving security of commitment schemes, a notable flaw of the \(p_0+p_1\le 1+\epsilon \) definition is that it does not rule out the following situation. An adversary might, by some complex measurement, either completely ruin its capacity to open the commitment, or be able to open the bit of its choice. Then the total probability of opening 0 and 1 sum to 1, but, conditioned on the second outcome of this measurement, they sum to 2. This is obviously an undesirable property of a quantum bit-commitment scheme.

Non-interactive schemes that are secure according to Definition 7 are binding in a stronger sense. For instance, the above problem of the \(p_0+p_1\le 1+\epsilon \) definition does not hold for non-interactive schemes. If a scheme is \(\epsilon \)-binding, then any state \(\rho \) obtained by conditioning on some measurement outcome must satisfy \(P^A_0(\rho )+P_1^A(\rho )\le 1+\epsilon \). If the total probability of opening 0 and 1 was any higher, then the adversary could have prepared the state \(\rho \) in the first place, contradicting the fact that the protocol is \(\epsilon \)-binding. It remains an open question how to accurately describe the security of non-interactive commitment schemes that satisfy Definition 7.

5.2 The General Reduction

We want to reduce security against a q-QMB projective adversary to the security against a non-adaptive adversary (which should be much easier to show) by means of applying our general adaptive-to-non-adaptive reduction. However, Corollary 1 does not apply directly; we need some additional gadget, which is in the form of the following lemma. It establishes that if there is a commit strategy for Alice so that the cumulative probability of opening 0 and 1 exceeds 1 by a non-negligible amount, then there is also a commit strategy for her so that she can open 0 with certainty and 1 with still a non-negligible probability.

Lemma 4

Let \(\rho \in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) and \(\epsilon > 0\) be such that \(P_0^A(\rho )+P_1^A(\rho ) \ge 1+\epsilon \). Then, there exists \(\rho ^0\in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) such that \(P_0^A(\rho ^0)=1\) and \(P_1^A(\rho ^0)\ge \epsilon ^2\).

Proof

Let \(\{\mathbb F_{y_0}\}_{y_0}\) and \(\{\mathbb G_{y_1}\}_{y_1}\) be the projective measurements maximizing \(P_0^A(\rho )\) and \(P_1^A(\rho )\), respectively. Define the projections onto the 0/1-accepting subspaces as

$$\begin{aligned} \mathbb P_0:= \sum _{y_0} \mathbb F_{y_0}\otimes \mathbb V_{y_0} \text { and } \mathbb P_1:= \sum _{y_1} \mathbb G_{y_1}\otimes \mathbb V_{y_1}. \end{aligned}$$

Since \({{\mathrm{tr}}}((\mathbb P_0+\mathbb P_1)\rho )= P_0^A(\rho )+P_1^A(\rho ) \ge 1+\epsilon \), it follows that \(\Vert \mathbb P_0+\mathbb P_1\Vert \ge 1+\epsilon \). From Lemma 1, we have that

$$\begin{aligned} 1+\Vert \mathbb P_1\mathbb P_0 \Vert \ge \Vert \mathbb P_0+\mathbb P_1\Vert \ge 1+\epsilon . \end{aligned}$$

Therefore there exists \({|\phi \rangle }\) such that \(\Vert \mathbb P_1\mathbb P_0 {|\phi \rangle }\Vert \ge \epsilon \). Define \({|\phi _0\rangle }:= \mathbb P_0{|\phi \rangle }/\Vert \mathbb P_0{|\phi \rangle }\Vert \), which we claim has the required properties. The probability to open 0 from \({|\phi _0\rangle }\) is \(\Vert \mathbb P_0 {|\phi _0\rangle }\Vert ^2=1\), and the probability to open 1 from \({|\phi _0\rangle }\) is \(\Vert \mathbb P_1\mathbb P_0 {|\phi _0\rangle }\Vert ^2=\Vert \mathbb P_1\mathbb P_0 {|\phi \rangle }\Vert ^2/\Vert \mathbb P_0{|\phi \rangle }\Vert ^2 \ge \epsilon ^2\).    \(\square \)

Now, we are ready to state and prove the general reduction.

Theorem 5

If a non-interactive bit-commitment scheme is \(\epsilon \)-binding against non-adaptive adversaries, then it is \((2^{\frac{1}{2}q}\sqrt{\epsilon })\)-binding against q-QMB projective adversaries.

Proof

Let \(\rho _{AB}\in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) be the joint state of Alice and Bob where \(\dim (\mathcal {H}_A)\le 2^q\) and let \(\alpha >0\) be such that the opening probabilities satisfy \(P_0^A(\rho )+P_1^A(\rho )= 1+\alpha \). From Lemma 4, we know that there exists \(\rho _{AB}^0\in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) constructed from \(\rho \) such that

$$\begin{aligned} P_0^A(\rho ^0)=1 \text { and } P_1^A(\rho ^0)\ge \alpha ^2. \end{aligned}$$

We use Corollary 1 and the assumption that the protocol is \(\epsilon \)-binding against non-adaptive adversaries to show that \(\alpha \) cannot be too large. Let \(\{\mathbb F_{y_0}\}_{y_0}\) be the measurement that maximizes \(P_0^A(\rho ^0)\). Let us consider Bob’s reduced density operator of \(\rho ^0\):

$$\begin{aligned} \rho ^0_B = {{\mathrm{tr}}}_{A}(\rho ^0_{AB}) = \sum _{y_0}{{\mathrm{tr}}}_{A}((\mathbb F_{y_0}\otimes \mathbb {I})\rho ^0_{AB}) = \sum _{{y_0}}\lambda _{y_0} \sigma _{y_0} \end{aligned}$$

where for each \({y_0}\), it holds that \({{\mathrm{tr}}}(\mathbb V_{y_0} \sigma _{y_0})=1\). This implies \({{\mathrm{tr}}}(\mathbb V_{y_1} \sigma _{y_0})\le \epsilon \) for every \(y_1\) that opens 1 from our assumption of the non-adaptive security of the commitment scheme. Then

$$\begin{aligned} P_1^{NA}(\rho ^0_{AB})= \max _{y_1}{{\mathrm{tr}}}(\mathbb V_{y_1} \rho ^0_{B}) = \max _{y_1}\sum _{y_0} \lambda _{y_0} {{\mathrm{tr}}}(\mathbb V_{y_1} \sigma _{y_0}) \le \epsilon . \end{aligned}$$

Applying Corollary 1 completes the proof:

$$\begin{aligned} \alpha ^2 \le P_1^A(\rho ^0)\le 2^{I_{\max }^{\mathrm {acc}}(B;A)_{\rho _0}}P_1^{NA}(\rho ^0) \le 2^{ {{\mathrm{H}}}_{0} ^{}(A)_{\rho _0}}\epsilon \le 2^{q}\epsilon . \end{aligned}$$

   \(\square \)

5.3 Special Case: The BCJL Bit-Commitment Scheme

In this subsection, we use the results of the previous section to prove the security of the bcjl scheme in the bounded storage model against projective measurement attacks.

The bcjl bit-commitment scheme was proposed in 1993 by Brassard et al. [6]. They proposed to hide the committed bit using a two-universal family of hash functions applied on the codeword of an error correcting code and then send this codeword through BB84 qubits. The idea behind this protocol is that privacy amplification hides the committed bit while the error correcting code makes it hard to change the value of this bit without being detected. While their intuition was correct, their proof ultimately was not, as shown by Mayers’ impossibility result for bit commitment [18].

The following scheme (Fig. 3) differs only slightly from the original [6], this allows us to recycle some of the analysis from Sect. 4.

Fig. 3.
figure 3

The bcjl bit-commitment scheme

Full size image

Theorem 6

bcjl is statistically hiding as long as \(0.22 - (1-k/n) \in \varOmega (1)\).

The proof of Theorem 6 is straightforward. It follows the same approach as that of Theorem 3 by noticing that Bob has the same uncertainty about each \(x_i\) as he had about \(\theta _i\) in protocol commit \(^\textsf {1CC}\).

Instead of proving that bcjl is binding, we prove that an equivalent scheme bcjl \(_\delta \) (see Fig. 4) is binding. The bcjl \(_\delta \) scheme is a modified version of bcjl in which Bob has unlimited quantum memory and stores the qubits sent by Alice during the commit phase instead of measuring them. The opening phase of bcjl \(_\delta \) is characterized by a parameter \(\delta \) which determines how close it is to the opening phase of bcjl. The following lemma shows that the two protocols are equivalent from Alice’s point of view; if Alice can cheat an honest Bob then she can cheat a Bob with unbounded quantum computing capabilities.

Fig. 4.
figure 4

The bcjl \(_\delta \) bit-commitment scheme.

Full size image

Lemma 5

Let \(\delta >0\). If bcjl \(_\delta \) is \(\epsilon \)-binding then bcjl is \((\epsilon +2\cdot 2^{-\delta n})\)-binding.

Proof

Let \((x,\theta )\) be an opening to 0. First notice that Bob’s actions in bcjl are equivalent to holding onto his state until the opening procedure, measuring in basis \(\theta \) and verifying \(x_T= \hat{x}_T\) for a randomly chosen sample \(T\subseteq [n]\). From this point of view, Bob’s measurement result is identically distributed in both protocols and we can speak of \(\hat{x}\) without ambiguity. If \(d(x,\hat{x})> \delta n\), then the probability that \(x_i= \hat{x}_i\) for all \(i\in T\) is at most \(2^{-\delta n}\). Therefore, if Bob rejects in reveal \(_\delta \) with measurement outcome \(\hat{x}\), then the probability that he rejects in reveal with the same outcome is at least \(1-2^{-\delta n}\). If we let \(p_0\) denote Bob’s accepting probability in the original protocol and \(p_0^\delta \) in the modified protocol, we have \(p_0 \le p_0^\delta + 2^{-\delta n}\). Since the same holds for openings to 1, we have

$$\begin{aligned} p_0+p_1\le p_0^\delta + p_1^\delta + 2\cdot 2^{-\delta n} \le 1+\epsilon + 2\cdot 2^{-\delta n}. \end{aligned}$$

   \(\square \)

The following proposition establishes the security of bcjl \(_\delta \) in the non-adaptive setting. Its proof is straightforward and can be found in Appendix A.

Proposition 4

bcjl \(_\delta \) is \(2^{-d/2+\delta n +h(\delta )n}\)-binding against non-adaptive adversaries.

Since the bit-commitment scheme bcjl \(_\delta \) is non-interactive, it directly follows from Theorem 5 and Proposition 4 that bcjl \(_\delta \) is \(2^{\frac{1}{2}(q-d/2 +\delta n + h(\delta )n)}\)-binding against q-QMB projective adversaries. Combining the above with Lemma 5, we have the following statement for the bcjl scheme.

Theorem 7

The bcjl bit-commitment scheme is \((2^{\frac{1}{2}(q-d/2 +\delta n + h(\delta )n)}+2\cdot 2^{-\delta n})\)-binding against q-QMB projective adversaries.