Quantum bit commitment (QBC) is a cryptographic primitive that allow one party, called Alice, to commit to a bit of information without revealing it to another party, Bob, also stopping Alice from changing her commitment later. This concept is similar to placing a sealed cover containing the bit with Bob; Bob doesn’t know the content until Alice later opens it, and Alice cannot change the content after giving it to Bob.
In the classical cryptography, perfectly secure bit commitment is impossible due to the limitations of information theory. For example, Alice could delay her decision about the bit until the opening phase, or she could potentially have a way to subtly change the committed bit without Bob’s detection.
The introduction of quantum mechanics presented the expectation of overcoming these limitations through its unique principles. Quantum bit commitment protocols were proposed concepts like superposition and entanglement to achieve security properties beyond classical possibilities. However, the field has met important challenges, concluding in proofs indicating the impossibility of secure quantum bit commitment.
Classical Bit Commitment
Before exploring the quantum version, it’s important to understand the concept in its classical form. A classical bit commitment scheme involves two phases:
- Commitment Phase: Alice has a bit ‘b’ that she wants to commit to. She performs some action and sends some information to Bob. This information should not reveal the bit ‘b’ to Bob.
- Opening Phase: At a later time, Alice reveals the bit ‘b’ and sends additional information to Bob, allowing him to verify that the bit revealed is certainly the bit Alice committed to in the first phase.
A classical bit commitment scheme, to be secure, should ideally satisfy two main properties:
- Concealing (or Secrecy): Bob should not be learning the value of the bit ‘b’ from the information received during the commitment phase.
- Binding: Alice should not be changing her commitment after the commitment phase is complete. When she opens the commitment, she must reveal the bit she originally committed to.
As stated, secure classical bit commitment is not achievable in an information-theoretic sense. Any classical commitment scheme can be broken, for example, by Alice delaying her decision or by the possibility of a hidden information operation.
Quantum Bit Commitment
Quantum bit commitment protocols achieve the covering and compulsory properties by utilizing quantum states and operations. The unit of information in quantum computing is the qubit. Unlike a classical bit that can be either 0 or 1, a qubit can exist in a superposition of both states simultaneously. The state of a qubit is described by a linear combination of the basis states |0⟩ and |1⟩: α|0⟩ + β|1⟩, where α and β are complex amplitudes such that α2 + β2 =1.
Early quantum bit commitment protocols discovered various methods, involving the transmission of qubits in superposition and the use of quantum measurements. The idea was laws of quantum mechanics, such as the no-cloning theorem (which states that an unknown quantum state cannot be perfectly copied), provide the necessary security guarantees.
Form of Quantum Bit Commitment Protocols
The main idea behind the Mayers–Chau–Lo proof, which established the dead end of unconditionally secure QBCP, assumes that each QBCP has the following general form:
- Commitment Phase:
- Alice and Bob put particles in some arranged initial states.
- Alice and Bob repeat sometimes the following steps:
- Depending on her commitment bit ‘b’, Alice applies a unitary transformation Ub on her particles and sends some of her particles to Bob.
- Opening Phase: Alice reveals her bit ‘b’ and sends information or performs actions to convince Bob of her original commitment.
The Impossibility of Secure Quantum Bit Commitment
it was thoroughly proven by Mayers and independently by Chau and Lo that totally secure quantum bit commitment is impossible. Their proofs demonstrated that for any quantum bit commitment protocol, either Alice can cheat (by changing her committed bit without Bob’s detection) or Bob can cheat (by learning Alice’s bit before the opening phase).
These impossibility proofs depend on the cheating party to maintain entanglement with the quantum systems involved. For example, during the commitment phase, Alice sends entangled qubits to Bob. If Bob attempts to measure these qubits to gain information about Alice’s bit (violating the concealing property), he certainly disturbs the state, which Alice is able to detect. Equally, if the protocol is designed to ensure that Bob cannot gain information prematurely, Alice recollects quantum information to change her committed bit later (violating the binding property).
Partially Concealing and Partially Binding QBC
Secure QBC appears unachievable; research has discovered the possibility of quantum protocols for bit commitment that are partially concealing and partially binding. These protocols offer a trade-off between the two security properties. For example, a protocol might offer strong concealing but only limited binding, or vice versa.
Secure protocols can still be valuable in specific cryptographic situations where some level of trust or computational expectations are involved. They serve as building blocks for more complex quantum cryptographic protocols.
Relation to Other Quantum Cryptographic protocols
Quantum bit commitment is closely related to other protocols in quantum cryptography, such as:
- Quantum Key Distribution (QKD): QKD protocols like BB84 and E91 to establish a shared secret key between two parties, Alice and Bob, with information-theoretic security by the laws of quantum mechanics. QKD focuses on secure communication rather than committing to a bit.
- Quantum Coin Flipping: This protocol allows two doubting parties to agree on a random bit over a distance. The impossibility of perfect QBC also has implications for quantum coin flipping.
Practical Considerations and the NISQ Era
In the Noisy Intermediate-Scale Quantum (NISQ) era, quantum computers are characterised by a limited number of qubits and high error rates. Applying and analysing quantum bit commitment protocols on these devices presents significant challenges. The noise in quantum gates and measurements can disturb the security properties of the protocols.
Researchers are discovering error-aware compilation and error correction techniques to moderate the effects of noise in quantum computations. Fault-tolerant quantum computing is a long-term goal aims to build quantum computers capable of performing complex computations reliably. Achieving fault tolerance is likely to be critical for the practical operation of advanced quantum cryptographic protocols, including bit commitment schemes that offer some level of security under realistic conditions.
Conclusion
Quantum bit commitment is a theoretically attractive cryptographic primitive that requires to the unique properties of quantum mechanics to achieve security guarantees impossible in the classical world. While the quest for unconditionally secure quantum bit commitment has been unsuccessful due to fundamental limitations revealed by no-cloning theorems, the study of QBC has meaningfully advanced our understanding of the capabilities and limitations of quantum information processing.
The investigation of secure quantum bit commitment protocols and their applications in specific cryptographic contexts continues. As quantum computing technology progresses, particularly in the era of fault-tolerant quantum computers, we may see the development and practical deployment of quantum cryptographic primitives, possibly including forms of bit commitment with useful security properties. The initial dream of an unconditionally secure quantum equivalent of a cover remains indefinable.