A Private Quantum Bit String Commitment

by Mariana Gama, et al.

We propose an entanglement-based quantum bit string commitment protocol whose composability is proven in the random oracle model. This protocol has the additional property of preserving the privacy of the committed message. Even though this property is not resilient against man-in-the-middle attacks, this threat can be circumvented by considering that the parties communicate through an authenticated channel. The protocol remains secure (but not private) if we realize the random oracles as physical unclonable functions in the so-called bad PUF model with access before the opening phase.


1 Introduction

Commitment schemes are among the most basic building blocks of complex cryptosystems. A commitment scheme is a protocol that allows two mistrustful parties to interact in order to communicate some information that is fixed a priori by the sender and that the receiver can only unveil at a later stage. In other words, it is just as if the message were sent inside a locked box, which can only be opened after the sender hands the key over to the receiver. The protocol is secure if the receiver cannot learn the message before the sender wishes to unveil it, and the sender cannot change the message after committing to it. Commitment schemes are used in several protocols, such as coin flipping, zero-knowledge proofs, and secure multiparty computation [BLU83, BCC88, DFL+09, ALP+14]. Since any weakness in the building blocks affects the security of the overall system, it is important to ensure that they are highly reliable.

Unfortunately, classical bit commitment (BC) schemes cannot be simultaneously unconditionally secure against a corrupted sender and a corrupted receiver, and Canetti and Fischlin proved that universally composable BC is impossible in the plain model [CF01]. In 1996, Lo and Chau [LC97] and independently Mayers [MAY96] proved a no-go theorem for unconditionally secure quantum BC in the standard non-relativistic quantum cryptographic framework. Since then, many protocols relying on additional assumptions have been presented. Although secure commitment schemes can be obtained through the exploitation of relativistic constraints, these types of protocols are challenging to implement.

In this paper, we propose a new private commitment protocol, i.e., a commitment where the message is never announced, nor can it be derived from the messages exchanged between the parties. This property is attained through the use of entanglement. Since commitment protocols are mostly used as cryptographic primitives, it is of the utmost importance to study their security in different computational environments. As such, a strong emphasis is placed on the composability of these protocols. After characterizing the commitment functionality, the EPR pair trusted source functionality and the random oracle functionality in Section 2, we show in Section 3 that these last two functionalities can be used as a resource to achieve a private commitment protocol with composable security, which is proven in Section 4. In Section 5, we analyse the security of the protocol in the bad PUF attack model. Section 6 features our final conclusions alongside some directions for future work.

2 Preliminaries

A bit commitment protocol starts with the commitment phase, during which Alice chooses the value she wants to commit to, and generates the pair . is the commitment, which she immediately sends to Bob (who outputs a receipt message), and is the decommitment, which she keeps to herself. In the opening phase, Alice sends to Bob, who can either accept or reject. The protocol is said to be concealing if Bob cannot learn Alice’s committed message before the opening phase, and binding if Alice cannot change her committed message after the commitment phase.

The security of commitment protocols can be studied from a stand-alone perspective, with the requirements of concealingness and bindingness. However, since commitments are generally used as a subroutine of more complex tasks, it becomes mandatory for protocols to be secure in any computational environment. In a composable security proof, the parties running the protocol are considered as a single big party which must be indistinguishable from a simulated machine running an ideal functionality for commitment (see Figure 1).

Figure 1: Commitment functionality.

In the protocol described in the next section, we assume that the parties have access to two different resources. The first one is an EPR pair trusted source modelled by the functionality in Figure 2. Note that the existence of this source is a very reasonable assumption since entanglement distribution has already been successfully implemented [WJS+19, YCL+17]. Before the beginning of the protocol, Alice and Bob can additionally sacrifice a small number of entangled pairs to estimate their correlation by using an algorithm such as the one described in Section 6.2 of [REN05]. Even if noisy quantum channels result in a loss of entanglement, the parties can run an entanglement distillation protocol and transform non-maximally entangled shared pairs into a smaller number of maximally entangled ones by using only local operations and classical communication (e.g. [BBP+96] and [PSB+01]; the latter is significantly less effective than the former, but has the advantage of being within the reach of current technology).

Figure 2: EPR pair source functionality.

The second required resource, described by the functionality in Figure 3, is named random oracle and behaves as an ideal cryptographic hash function, i.e., it maps each query to a fixed and uniformly random output in its range.

Figure 3: Random oracle functionality.

It is essential in our proof that a quantum computer cannot call the random oracle in superposition. Therefore a realizable random oracle implementation cannot be a cryptographic hash function such as SHA, which any quantum computer can evaluate on a superposition of inputs. This fact makes the random oracle quite a strong assumption; nevertheless, it can be realized using physical unclonable functions (PUFs). PUFs are physical systems with some microscale structural disorder, which is assumed to be unique to each PUF and unclonable even by the PUF manufacturer. When external stimuli (challenges) are applied to a PUF, its response depends on the disorder of the device. Therefore, each PUF implements a unique function that gives responses to challenges . For more about PUFs we refer to [RSS09] and [vR12]. PUFs have a classical interface, and cannot be run in superposition, even by an all-powerful quantum adversary.

3 The Proposed Protocol

Protocol 1 Private Quantum Bit String Commitment
Message to be shared: .
Setup: Alice chooses a message size and sends the value to . The functionality prepares the state

and sends the odd qubits to Alice and the even ones to Bob.

Commitment phase:
  1. To commit to a message , Alice generates a uniformly random basis string , where and , and measures each of her qubits in the basis , obtaining outcomes . She then sends Bob the strings and , where is the concatenation of and .

Opening phase:
  2. Alice sends the bases to Bob.

  3. If , Bob accepts the opening, measures each of his qubits in the basis , obtaining outcomes , and calculates . Otherwise, he rejects.

One of the characteristics of , the functionality for commitments, is that the message is never publicly announced. In most of the existing commitment protocols, nonetheless, the opening step includes sending the message over a public channel. Here we propose a protocol (Protocol 3) that is not only composable but also preserves the privacy of the message. We note that the privacy property is vulnerable to man-in-the-middle attacks: a third party, Eve, can pretend to be the EPR pair trusted source and send different sets of EPR pairs to Alice and Bob and then forward any received message. This can be prevented by adding an authenticated channel between Alice and Bob, as similarly done in quantum key distribution protocols.

The protocol will use as a resource the EPR pair trusted source functionality (Figure 2) and the random oracle functionality (Figure 3) presented in the previous section. It needs two instances of : with range and with range . Note that, unfortunately, we cannot use the weaker version of the ROM, the global ROM [CJS14], since the programmability of the oracle is a key point of our security proof.

4 Security Analysis

We proceed now to prove the security of Protocol 3 in the Abstract Cryptography framework [MR11] instantiated with quantum Turing machines [MSS15]. The equivalences that need to be satisfied are depicted in Figure 4.

Figure 4: (a) Soundness. (b) Concealing. (c) Binding. Conditions for the constructability of the resource from the resources and . Diagram (a) corresponds to the soundness property by showing the equivalence between the ideal commitment functionality and the protocol for honest parties (Alice and Bob behave according to and , respectively). Diagrams (b) and (c) correspond to security against dishonest Bob and Alice, respectively. Since the algorithm they follow is unknown, and are removed from the respective real system, while the simulators and are respectively added to the ideal system.

Theorem 1. Protocol 3 constructs from and a resource that is within a negligible distance from the resource for simulators and distinguishers modelled as quantum Turing machines.

Proof. This proof will be divided into three parts, one for each of the required equivalences.

Soundness. Let be the overall state of the system after Step 1. Note that

so when Alice measures each of her qubits, the corresponding EPR pair will collapse to either or (for ), or to either or (for ). Therefore, when Bob measures each of his qubits in the basis he received from Alice in the opening phase, he will get exactly the same outcome as Alice, , implying that . Bob will then retrieve the message successfully, since .

Concealing (security against a dishonest receiver). Given any behaviour of a dishonest receiver, we have to construct a simulator that simulates , , and and provides the receiver with a commitment that can later be opened to the message in . Consider the following program for :

  • Simulation of : Whenever receives the query to , it answers with . In all other cases it returns a value as the ideal functionality would do and keeps on a list of queries and respective answers.

  • Simulation of : Whenever receives queries to , it returns a value as the ideal functionality would do and keeps on a list of queries and respective answers.

  • Simulation of : During the setup phase, generates the state , sends the even qubits to the corrupted receiver and keeps the odd ones to itself.

  • During the commitment phase, upon receiving the receipt from , chooses two uniformly random strings, and , and measures each of its qubits in the basis , obtaining outcomes . It then sends and to the corrupted receiver.

  • During the opening phase, upon receiving the message from , sends the bases to the corrupted receiver.

The behaviour of is the same regardless of the message that was sent to , and hence there is no algorithm for the dishonest receiver allowing him to guess the committed message with probability greater than

Binding (security against a dishonest sender). Given any behaviour of a dishonest sender, we have to construct a simulator that simulates , , and and retrieves the message from the sender’s commitment values and sends it to . It must also be able to detect when the sender is cheating and, whenever that happens, not send the opening message to . Consider the following program for :

  • Simulation of and : Whenever receives queries to or , it returns a value as the ideal functionality would do and keeps on a list of queries and respective answers.

  • Simulation of : During the setup phase, generates the state , sends the odd qubits to the corrupted sender and keeps the even ones to itself.

  • During the commitment phase, upon receiving the commitment strings and from the corrupted sender, sends to .

  • During the opening phase, upon receiving the basis string from the corrupted sender, sends the message ‘open’ to if . Otherwise, it does not open the commitment.

The real world receiver outputs error whenever the string sent by the sender is such that . From the soundness property, we know that when the receiver correctly retrieves the message. We are interested in the situation where (in which case the commitment will not be opened in the ideal world) and . Since is collision-resistant, this can only happen with negligible probability. ∎

The addition of an authenticated communication channel makes this protocol a private and composable commitment protocol, which is yet to be achieved by classical cryptography based on the same assumptions.

5 Analysis in the Realistic Bad PUF Model

In order to study the security of PUF applications in a realistic scenario, two attack models are described in [Rv13]: the PUF re-use model and the bad PUF model. In the PUF re-use model, we assume some PUFs are used more than once throughout the protocol and the adversary has access to the PUFs more than once. In the bad PUF model, the fact that PUFs are real physical objects is exploited, and we consider both the simulatable bad PUFs, which possess a simulation algorithm that can be used by the manufacturer to compute responses to challenges, and the challenge-logging bad PUFs, which allow the manufacturer to access a memory module in the device and read all the challenges applied to it (this malicious feature could also be added by an adversary after the construction of the PUF). The notion of strong PUFs is also described there. A strong PUF is a PUF with a public interface (i.e., anyone holding it can apply challenges and read the responses), a large number of possible challenges, and behaviour so complex that it cannot be modelled to predict responses to challenges. In our brief analysis, we consider that in the proposed protocol (Protocol 3) the ROM is replaced by strong PUFs.

Note that Protocol 3 is secure in the bad PUF model if we also consider that Alice sends the message to Bob in the opening phase, thus giving up the privacy property. The security holds independently of whether the malicious party has access to the PUFs before the opening phase or not. This follows from the fact that, even if the PUFs are manufactured by Alice and she can find collisions in and , she will still not know what message to open to in order to match the one calculated by Bob, since the outcomes of his measurements of qubits in incorrect bases will be uniformly random.
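The commitment and opening phases of Protocol 3 (Section 3) and the Section 5 observation that Bob's outcomes under wrong bases are uniformly random, as an added classical toy simulation that is not the paper's code. Because the formulas did not survive extraction, the message encoding is assumed here to be c = RO2(θ) and y = RO1(x) XOR m, with the two random oracles modelled as lazily sampled tables and the EPR pairs replaced by their Z/X-basis correlation statistics (same basis: identical bits; different bases: independent uniform bits).

```python
import os
from dataclasses import dataclass
from typing import Optional

N_BITS = 64                   # number of EPR pairs = message length (constructed choice)
MASK = (1 << N_BITS) - 1

def random_bits() -> int:
    return int.from_bytes(os.urandom(N_BITS // 8), "big") & MASK

class RandomOracle:
    """Ideal hash (Figure 3): a fresh query gets a uniformly random answer, a repeated
    query gets the same answer again. Classical interface only, no superposition."""
    def __init__(self, out_bits: int):
        self.out_bytes, self.table = out_bits // 8, {}

    def query(self, value: int) -> int:
        key = value.to_bytes(N_BITS // 8, "big")
        if key not in self.table:
            self.table[key] = int.from_bytes(os.urandom(self.out_bytes), "big")
        return self.table[key]

@dataclass
class EPRSource:
    """Classical stand-in for N_BITS |Phi+> pairs (Figure 2). Bit i of a basis string
    selects Z (0) or X (1) for pair i. Both halves measured in the same basis give
    identical outcomes; measured in different bases they give independent uniform bits."""
    alice_basis: Optional[int] = None
    alice_outcome: Optional[int] = None

    def measure_alice(self, theta: int) -> int:
        self.alice_basis, self.alice_outcome = theta, random_bits()
        return self.alice_outcome

    def measure_bob(self, theta: int) -> int:
        same = ~(theta ^ self.alice_basis) & MASK          # 1 where the bases agree
        return (self.alice_outcome & same) | (random_bits() & ~same & MASK)

def commit(message: int, src: EPRSource, ro1: RandomOracle, ro2: RandomOracle):
    """Commitment phase (assumed encoding): random bases theta, measure, send
    c = RO2(theta) and y = RO1(x) XOR message; theta is kept as the decommitment."""
    theta = random_bits()
    x = src.measure_alice(theta)
    return (ro2.query(theta), ro1.query(x) ^ message), theta

def bob_open(com, theta: int, src: EPRSource, ro1: RandomOracle, ro2: RandomOracle):
    """Opening phase: check c against the revealed bases, then measure and unmask.
    Returns None on rejection. The message itself never travels on the channel."""
    c, y = com
    if ro2.query(theta) != c:
        return None
    return ro1.query(src.measure_bob(theta)) ^ y

def honest_run(message: int) -> Optional[int]:
    src, ro1, ro2 = EPRSource(), RandomOracle(N_BITS), RandomOracle(N_BITS)
    com, theta = commit(message, src, ro1, ro2)
    return bob_open(com, theta, src, ro1, ro2)

def wrong_bases_run(message: int):
    """Section 5 argument: opening under bases other than the ones Alice measured in
    is rejected by the RO2 check, and even with that check bypassed (collisions found)
    Bob's outcomes are uniformly random, so the unmasked value is not the message."""
    src, ro1, ro2 = EPRSource(), RandomOracle(N_BITS), RandomOracle(N_BITS)
    com, theta = commit(message, src, ro1, ro2)
    theta_prime = theta ^ MASK                             # every basis flipped
    rejected = bob_open(com, theta_prime, src, ro1, ro2) is None
    recovered = ro1.query(src.measure_bob(theta_prime)) ^ com[1]  # check bypassed
    return rejected, recovered
```

With 64 pairs the mismatch in `wrong_bases_run` fails to appear only with probability about 2^-64, which is the negligible term the security statement tolerates.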

6 Conclusions

With this work, we achieved a commitment protocol that is not only composable but also private, since the message is never publicly announced. Man-in-the-middle attacks can be prevented by adding an authenticated channel. We suggest the use of physical unclonable functions to model random oracles, and note that the protocol remains secure (although not private) if we consider the bad PUF attack model with access before the opening phase, which has been proven impossible for classical bit commitment without other assumptions.

Additionally, it is also of interest to further study how to obtain composability in commitment schemes while using the minimum possible assumptions (for more on this topic see [LYM+19]), and which of these assumptions are needed to achieve privacy.


The authors acknowledge the support of SQIG (Security and Quantum Information Group), the Instituto de Telecomunicações (IT) Research Unit, Ref. UIDB/EEA/50008/2020, funded by Fundação para a Ciência e Tecnologia e Ministério Ciência, Tecnologia e Ensino Superior (FCT/MCTES), and the FCT projects Confident PTDC/EEI-CTP/4503/2014, QuantumMining POCI-01-0145-FEDER-031826, and Predict PTDC/CCI-CIF/29877/2017, supported by the European Regional Development Fund (FEDER), through the Competitiveness and Internationalization Operational Programme (COMPETE 2020), and by the Regional Operational Program of Lisbon. A.S. acknowledges funds granted to Laboratório de Sistemas Informáticos de Grande Escala (LASIGE) Research Unit, Ref. UIDB/00408/2020. M.G. also acknowledges the support of the Calouste Gulbenkian Foundation through the New Talents in Quantum Technologies Programme.


  • [ALP+14] Á. J. Almeida, R. Loura, N. Paunković, N. A. Silva, N. J. Muga, P. Mateus, P. S. André, and A. N. Pinto (2014). A brief review on quantum bit commitment. In Proceedings of the SPIE, Society of Photo-Optical Instrumentation Engineers (SPIE) Conference Series, Vol. 9286, id. 92861C.
  • [BBP+96] C. H. Bennett, G. Brassard, S. Popescu, B. Schumacher, J. A. Smolin, and W. K. Wootters (1996). Purification of noisy entanglement and faithful teleportation via noisy channels. Phys. Rev. Lett. 76, pp. 722–725.
  • [BLU83] M. Blum (1983). Coin flipping by telephone: a protocol for solving impossible problems. SIGACT News 15 (1), pp. 23–27.
  • [BCC88] G. Brassard, D. Chaum, and C. Crépeau (1988). Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37 (2), pp. 156–189.
  • [CF01] R. Canetti and M. Fischlin (2001). Universally composable commitments. In Advances in Cryptology — CRYPTO 2001, J. Kilian (Ed.), Berlin, Heidelberg, pp. 19–40.
  • [CJS14] R. Canetti, A. Jain, and A. Scafuro (2014). Practical UC security with a global random oracle.
  • [DFL+09] I. Damgård, S. Fehr, C. Lunemann, L. Salvail, and C. Schaffner (2009). Improving the security of quantum protocols via commit-and-open. In CRYPTO.
  • [LYM+19] M. Lemus, P. Yadav, P. Mateus, N. Paunković, and A. Souto (2019). On minimal assumptions to obtain a universally composable quantum bit commitment. In 2019 21st International Conference on Transparent Optical Networks (ICTON), pp. 1–4.
  • [LC97] H. Lo and H. F. Chau (1997). Is quantum bit commitment really possible? Phys. Rev. Lett. 78, p. 3410. arXiv:quant-ph/9603004.
  • [MSS15] P. Mateus, A. Sernadas, and A. Souto (2015). Universality of quantum Turing machines with deterministic control. Journal of Logic and Computation 27 (1), pp. 1–19. http://oup.prod.sis.lan/logcom/article-pdf/27/1/1/9688079/exv008.pdf
  • [MR11] U. Maurer and R. Renner (2011). Abstract cryptography. In Innovations in Computer Science.
  • [MAY96] D. Mayers (1996). Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78, p. 3414 (1997). arXiv:quant-ph/9605044.
  • [PSB+01] J. Pan, C. Simon, Č. Brukner, and A. Zeilinger (2001). Entanglement purification for quantum communication. Nature 410, pp. 1067–1070.
  • [REN05] R. Renner (2005). Security of quantum key distribution. Ph.D. Thesis, ETH Zurich.
  • [Rv13] U. Rührmair and M. van Dijk (2013). PUFs in security protocols: attack models and security evaluations. In 2013 IEEE Symposium on Security and Privacy, pp. 286–300.
  • [RSS09] U. Rührmair, J. Sölter, and F. Sehnke (2009). On the foundations of physical unclonable functions. IACR Cryptology ePrint Archive 2009, p. 277.
  • [vR12] M. van Dijk and U. Rührmair (2012). Physical unclonable functions in cryptographic protocols: security proofs and impossibility results. IACR Cryptology ePrint Archive 2012, p. 228.
  • [WJS+19] S. Wengerowsky, S. K. Joshi, F. Steinlechner, J. R. Zichi, S. M. Dobrovolskiy, R. van der Molen, J. W. N. Los, V. Zwiller, M. A. M. Versteegh, A. Mura, D. Calonico, M. Inguscio, H. Hübel, L. Bo, T. Scheidl, A. Zeilinger, A. Xuereb, and R. Ursin (2019). Entanglement distribution over a 96-km-long submarine optical fiber. Proceedings of the National Academy of Sciences 116 (14), pp. 6684–6688. https://www.pnas.org/content/116/14/6684.full.pdf
  • [YCL+17] J. Yin, Y. Cao, Y. Li, S. Liao, L. Zhang, J. Ren, W. Cai, W. Liu, B. Li, H. Dai, G. Li, Q. Lu, Y. Gong, Y. Xu, S. Li, F. Li, Y. Yin, Z. Jiang, M. Li, J. Jia, G. Ren, D. He, Y. Zhou, X. Zhang, N. Wang, X. Chang, Z. Zhu, N. Liu, Y. Chen, C. Lu, R. Shu, C. Peng, J. Wang, and J. Pan (2017). Satellite-based entanglement distribution over 1200 kilometers. Science 356 (6343), pp. 1140–1144. https://science.sciencemag.org/content/356/6343/1140.full.pdf