# Quantum commitments and signatures without one-way functions

In the classical world, the existence of commitments is equivalent to the existence of one-way functions. In the quantum setting, on the other hand, commitments are not known to imply one-way functions, but all known constructions of quantum commitments use at least one-way functions. Are one-way functions really necessary for commitments in the quantum world? In this work, we show that non-interactive quantum commitments (for classical messages) with computational hiding and statistical binding exist if pseudorandom quantum states exist. Pseudorandom quantum states are sets of quantum states that are efficiently generated but their polynomially many copies are computationally indistinguishable from the same number of copies of Haar random states [Ji, Liu, and Song, CRYPTO 2018]. It is known that pseudorandom quantum states exist even if = (relative to a quantum oracle) [Kretschmer, TQC 2021], which means that pseudorandom quantum states can exist even if no quantum-secure classical cryptographic primitive exists. Our result therefore shows that quantum commitments can exist even if no quantum-secure classical cryptographic primitive exists. In particular, quantum commitments can exist even if no quantum-secure one-way function exists. In this work, we also consider digital signatures, which are other fundamental primitives in cryptography. We show that one-time secure digital signatures with quantum public keys exist if pseudorandom quantum states exist. In the classical setting, the existence of digital signatures is equivalent to the existence of one-way functions. Our result, on the other hand, shows that quantum signatures can exist even if no quantum-secure classical cryptographic primitive (including quantum-secure one-way functions) exists.


## 1 Introduction

### 1.1 Background

If a commitment scheme is statistically binding, there exists at most one message to which a commitment can be opened except for a negligible probability. This unique message can be found by a brute-force search, which means that the scheme is not statistically hiding.

and therefore one of them has to be based on a computational assumption. In other words, in a computationally hiding commitment scheme, a malicious receiver can learn the message before the opening if its computational power is unbounded, and in a computationally binding commitment scheme, a malicious sender can change its committed message later if its computational power is unbounded. For the computational assumption, the existence of one-way functions is known to be equivalent to the existence of classical commitments [Nao91, HILL99]. The existence of one-way functions is considered the weakest assumption in classical cryptography, because virtually all complexity-based classical cryptographic primitives are known to imply the existence of one-way functions [STOC:LubRac86, FOCS:ImpLub89, STOC:ImpLevLub89].

The history of quantum information has demonstrated that utilizing quantum physics in information processing achieves many advantages. In particular, it has been shown in quantum cryptography that quantum physics can weaken cryptographic assumptions. For example, if quantum states are transmitted, statistically-secure key distribution is possible [BB84], although it is impossible classically. Furthermore, oblivious transfer is possible with only (quantum-secure) one-way functions when quantum states are transmitted [C:BCKM21b, EC:GLSV21, FOCS:CreKil88, C:BBCS91, MS94, STOC:Yao95, C:DFLSS09]. Classically, it is known to be impossible to construct oblivious transfer from only one-way functions [C:ImpRud88]. (Footnote 2: [C:ImpRud88] showed the impossibility of relativizing constructions of key exchange from one-way functions, and oblivious transfer is stronger than key exchange. Since most cryptographic constructions are relativizing, this gives a strong negative result on constructing oblivious transfer from one-way functions in the classical setting.)

As we have mentioned, it is classically impossible to realize commitments with statistical hiding and statistical binding. Does quantum physics overcome the barrier? Unfortunately, it is already known that both binding and hiding cannot be statistical at the same time even in the quantum world [LC97, May97]. In fact, all known constructions of quantum commitments use at least (quantum-secure) one-way functions [EC:DumMaySal00, EC:CreLegSal01, KO09, KO11, YWLQ15, Yan20, TCC:BitBra21].

In this paper, we ask the following fundamental question:

Are one-way functions really necessary for commitments?

It could be the case that in the quantum world commitments can be constructed from an assumption weaker than the existence of one-way functions. This possibility is mentioned in previous works [C:BCKM21b, EC:GLSV21], but no construction is provided.

Digital signatures [DifHel76] are other important primitives in cryptography. In a signature scheme, a secret key and a public key are generated. The secret key is used to generate a signature for a message , and the public key is used for the verification of the pair of the message and the signature. Any adversary who has and can query the signing oracle many times cannot forge a signature for a message which is not queried. In other words, is not accepted by the verification algorithm except for a negligible probability.

Obviously, statistically-secure digital signatures are impossible, because an unbounded adversary who can access and the verification algorithm can find a valid signature by a brute-force search. In the classical world, it is known that the existence of digital signatures is equivalent to the existence of one-way functions. In the quantum setting, on the other hand, digital signatures are not known to imply one-way functions. Gottesman and Chuang introduced digital signatures with quantum public keys [Gottesman_Chuang], but they considered information-theoretical security, and therefore the number of public keys should be bounded. Our second fundamental question in this paper is the following:

Are digital signatures possible without one-way functions?

### 1.2 Our Results

In this paper, we answer the above two fundamental questions affirmatively. The first result of this paper is a construction of quantum commitments from pseudorandom quantum states generators (PRSGs) [C:JiLiuSon18, TCC:BraShm19, C:BraShm20]. A PRSG is a quantum polynomial-time algorithm that, on input , outputs an -qubit state such that over uniform random is computationally indistinguishable from the same number of copies of Haar random states for any polynomial . (The formal definition of PRSGs is given in Definition 1.)

Our first result is stated as follows. (Footnote 3: Our construction of commitments also satisfies perfect correctness, i.e., the probability that the honest receiver opens the correct bit committed by the honest sender is 1.)

###### Theorem 1.1.

If a pseudorandom quantum states generator with for a constant exists, then non-interactive quantum commitments (for classical messages) with computational hiding and statistical binding exist.

In [Kre21], it is shown that PRSGs exist even if relative to a quantum oracle. If , no quantum-secure classical cryptographic primitive exists, because means . In particular, no quantum-secure one-way function exists. Our Theorem 1.1 therefore shows that quantum commitments can exist even if no quantum-secure classical cryptographic primitive exists. (Footnote 4: It actually shows something stronger, because also excludes the existence of some quantum-secure quantum cryptographic primitives where honest algorithms are quantum.) In particular, quantum commitments can exist even if no quantum-secure one-way function exists.

As we will see later (Section 3), what we actually need is a weaker version of PRSGs where only the computational indistinguishability of a single copy of from the Haar random state is required. We call such a weaker version of PRSGs single-copy-secure PRSGs. (See Definition 2. It is the version of Definition 1.) Because a single copy of the Haar random state is equivalent to the maximally-mixed state, the single-copy security means the computational indistinguishability from the maximally-mixed state. It could be the case that the realization of single-copy-secure PRSGs is easier than that of (multi-copy-secure) PRSGs. (For more discussions, see Section 2.2.)

Non-interactive commitments are a special type of commitments. (See Definition 3.) In general, the sender and the receiver exchange many rounds of messages during the commitment phase, but in non-interactive commitments, only a single message from the sender to the receiver is enough for the commitment. It is known that non-interactive quantum commitments (for classical messages) are possible with (quantum-secure) one-way functions [YWLQ15], while it is subject to a black-box barrier in the classical case [MP12].

As the definition of binding, we choose a standard one, sum-binding [AC:Unruh16], which roughly means that , where is a negligible function, is a security parameter, and and are probabilities that the malicious sender makes the receiver open 0 and 1, respectively. (The formal definition of statistical sum-binding is given in Definition 6.)

Our first result, Theorem 1.1, that quantum commitments can be possible without one-way functions has important consequences in cryptography. It is known that quantum commitments imply the existence of quantum-secure zero-knowledge proofs (of knowledge) for all languages [FUYZ20] and quantum-secure oblivious transfer (and therefore multi-party computations (MPC)) [C:BCKM21b, EC:GLSV21]. Thus, those primitives can also exist even if (and in particular quantum-secure one-way functions do not exist), while classical constructions of them imply the existence of one-way functions. (Footnote 5: Indeed, [C:BCKM21b] states as follows: “Moreover if in the future, new constructions of statistically binding, quantum computationally hiding commitments involving quantum communication are discovered based on assumptions weaker than quantum-hard one-way functions, it would be possible to plug those into our protocol compilers to obtain QOT.") For more details, see Appendix 0.B.

We also remark that there is no known construction of PRSGs from assumptions weaker than the existence of one-way functions without oracles. Thus, our result should be understood as theoretical evidence that quantum commitments can exist even if , rather than as a new concrete construction. It is an interesting open problem to construct a PRSG from assumptions weaker than the existence of one-way functions without oracles. Such a construction would immediately yield commitments (and more) by our result.

One might ask the following question: can we remove (or improve) the condition of with a constant in Theorem 1.1? The answer is no for single-copy-secure PRSGs, because if , there is a trivial construction of a single-copy-secure PRSG without any assumption: for any , where is the th bit of . In fact, . If quantum commitments were constructed from such a single-copy-secure PRSG, we could realize quantum commitments without any assumption, which is known to be impossible [LC97, May97]. We note that [Kre21] considers only the case when , but it is clear that the result holds for with constant .

Finally, we do not know whether the opposite of Theorem 1.1 holds or not. Namely, do quantum commitments imply PRSGs (or single-copy-secure PRSGs)? It is an interesting open problem.

Now let us move on to our second subject, namely, digital signatures. Our second result in this paper is the following:

###### Theorem 1.2.

If a pseudorandom quantum states generator with for a constant exists, then one-time secure digital signatures with quantum public keys exist.

One-time security means that the adversary can query the signing oracle at most once. (See Definition 8 and Definition 10.) In the classical setting, it is known how to construct many-time secure digital signatures from one-time secure digital signatures [C:Merkle89a], but we do not know how to generalize our one-time secure quantum signature scheme to a many-time secure one, because in our case public keys are quantum. It is an important open problem to construct many-time secure digital signatures from PRSGs.

Due to the oracle separation by [Kre21], Theorem 1.2 means that (at least one-time secure) digital signatures can exist even if no quantum-secure classical cryptographic primitive exists. (Footnote 6: Again, it also excludes some quantum-secure quantum cryptographic primitives.) In particular, (one-time secure) digital signatures can exist even if no quantum-secure one-way function exists.

Our construction is similar to the “quantum public key version" of the classical Lamport signature [DifHel76] by Gottesman and Chuang [Gottesman_Chuang]. They consider information-theoretical security, and therefore the number of public keys should be bounded. On the other hand, our construction from PRSGs allows an unbounded polynomial number of public keys. Quantum cryptography with quantum public keys is also studied in [JC:KKNY12, Doliskani21].

We do not know whether the condition, with a constant , can be improved or not in Theorem 1.2. Although it is possible to construct PRSGs without this restriction [C:BraShm20], this is satisfied in the construction of [Kre21], and therefore enough for our purpose of showing the existence of digital signatures without one-way functions.

As we will see later (Section 4), our construction of digital signatures is actually based on what we call one-way quantum states generators (OWSGs) (Definition 7). Intuitively, we say that a quantum polynomial-time algorithm that outputs an -qubit quantum state on input is an OWSG if it is hard to find, given polynomially many copies of (with uniformly random ), an -bit string such that is close to . In other words, what we actually show is the following:

###### Theorem 1.3.

If a one-way quantum states generator exists, then one-time secure digital signatures with quantum public keys exist.

We show that a PRSG is an OWSG (Lemma 4), and therefore Theorem 1.2 is obtained as a corollary of Theorem 1.3. The concept of OWSGs itself seems to be of independent interest. In particular, we do not know whether OWSGs imply PRSGs or not, which is an interesting open problem.

Remember that for the construction of our commitment scheme we use only single-copy-secure PRSGs. Our signature scheme, on the other hand, uses the security of PRSGs for an unbounded polynomial number of copies, because the number of copies determines the number of quantum public keys. In other words, single-copy-secure PRSGs enable commitments, but (multi-copy-secure) PRSGs enable signatures. There could therefore be a kind of hierarchy in PRSGs for different numbers of copies, which seems to be an interesting future research subject.

### 1.3 Technical Overviews

Here we provide intuitive explanations of our constructions given in Section 3 and Section 4.

#### 1.3.1 Commitments

The basic idea of our construction of commitments is, in some sense, a quantum generalization of the classical Naor’s commitment scheme [Nao91].

Let us recall Naor’s construction. The receiver first samples uniformly random , and sends it to the sender. The sender chooses a uniformly random seed , and sends to the receiver, where is a length-tripling pseudorandom generator, and is the bit to commit. Hiding is clear: because the receiver does not know , the receiver cannot distinguish and . The decommitment is . The receiver can check whether the commitment is or from . Binding comes from the fact that if both 0 and 1 can be opened, there exist such that . There are such seeds, and therefore for a random , it is impossible except for probability.
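The classical Naor scheme just recalled can be checked concretely. The following is an added example, not code from the paper: it implements the two-message commitment for a single bit and, for a toy seed length, enumerates every seed pair to confirm the counting argument behind binding (at most 2^(2n) of the 2^(3n) challenges r let a sender open both ways). The length-tripling PRG G is a stand-in built from SHA-256 and is an assumption of this example, not a provably secure PRG.

```python
import hashlib
import secrets

# Toy length-tripling "PRG" G: {0,1}^n -> {0,1}^{3n}. Hypothetical stand-in built from
# SHA-256 so the example runs offline; it is NOT a provably secure PRG.
def G(seed: int, n: int) -> int:
    data = seed.to_bytes((n + 7) // 8, "big") + b"|toy-prg|" + bytes([n])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << (3 * n)) - 1)

def receiver_challenge(n: int) -> int:
    """Receiver's first message: a uniformly random 3n-bit string r."""
    return secrets.randbits(3 * n)

def commit(r: int, b: int, n: int):
    """Sender commits to bit b: sample seed s, send c = G(s) (b = 0) or c = G(s) xor r (b = 1).
    Returns the commitment c and the decommitment s."""
    s = secrets.randbits(n)
    c = G(s, n) ^ (r if b == 1 else 0)
    return c, s

def open_commitment(r: int, c: int, s: int, n: int):
    """Receiver recomputes G(s) and decides whether c opens to 0, to 1, or is invalid (None)."""
    g = G(s, n)
    if c == g:
        return 0
    if c == g ^ r:
        return 1
    return None

def can_equivocate(r: int, n: int) -> bool:
    """Brute force: is there a pair of seeds (s0, s1) with G(s0) xor G(s1) = r?
    If so, a commitment c = G(s0) could be opened as 0 (with s0) and as 1 (with s1)."""
    images = {G(s, n) for s in range(1 << n)}
    return any((g ^ r) in images for g in images)

def equivocable_challenges(n: int) -> set:
    """All challenges r for which equivocation is possible: {G(s0) xor G(s1)}.
    There are at most 2^(2n) of them among the 2^(3n) possible r."""
    return {G(s0, n) ^ G(s1, n) for s0 in range(1 << n) for s1 in range(1 << n)}

def equivocation_probability_bound(n: int) -> float:
    """Fraction of challenges that allow equivocation; at most 2^(2n) / 2^(3n) = 2^-n."""
    return len(equivocable_challenges(n)) / (1 << (3 * n))
```

Running `equivocation_probability_bound(4)` enumerates all 16 seeds and shows that a uniformly random 12-bit r lands on an equivocable value with probability at most 2^-4, which is exactly the "impossible except for probability 2^-n" step of the binding argument; hiding is not something this toy can demonstrate, since it rests on the pseudorandomness of G.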

Our idea is to replace with a pseudorandom state , and to replace the addition of with the quantum one-time pad, which randomly applies Pauli and . More precisely, the sender who wants to commit generates the state

$$|\psi_b\rangle := \frac{1}{\sqrt{2^{2m+n}}} \sum_{x,z\in\{0,1\}^m} \sum_{k\in\{0,1\}^n} |x,z,k\rangle_R \otimes P^b_{x,z}\, |\phi_k\rangle_C,$$

and sends the register to the receiver, where . This is the commitment phase. At the end of the commitment phase, the receiver’s state is when and when . By the security of single-copy-secure PRSGs, is computationally indistinguishable from the -qubit maximally-mixed state , while due to the quantum one-time pad (Lemma 1). The two states, and , are therefore computationally indistinguishable, which shows computational hiding.

For statistical sum-binding, we show that the fidelity between and is negligibly small. It is intuitively understood as follows: has a support in at most -dimensional space, while has a support in the entire -dimensional space, where with , and therefore the “overlap" between and is small.
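As an added worked derivation (not from the paper), the fidelity bound behind this intuition can be carried through with the construction's own symbols. It assumes that $P_{x,z} = X^x Z^z$, that the parameter condition of Theorem 1.1 reads $m \ge cn$ for a constant $c > 1$, and it writes $\sigma_b := \mathrm{Tr}_R |\psi_b\rangle\langle\psi_b|$ for the receiver's state after the commitment phase:

$$\sigma_0 = \frac{1}{2^n}\sum_{k\in\{0,1\}^n} |\phi_k\rangle\langle\phi_k|, \qquad \sigma_1 = \frac{1}{4^m\,2^n}\sum_{x,z\in\{0,1\}^m}\sum_{k\in\{0,1\}^n} P_{x,z}|\phi_k\rangle\langle\phi_k|P_{x,z}^\dagger = \frac{I^{\otimes m}}{2^m},$$

where the last equality is Lemma 1 applied to each $|\phi_k\rangle\langle\phi_k|$. Since $\sigma_0$ is a mixture of $2^n$ pure states, $\mathrm{rank}(\sigma_0) \le 2^n$. Writing $\lambda_i$ for the nonzero eigenvalues of $\sigma_0$ and using Cauchy–Schwarz on $\sum_i \sqrt{\lambda_i}$,

$$F(\sigma_0,\sigma_1) = \Big(\mathrm{Tr}\sqrt{\sqrt{\sigma_1}\,\sigma_0\,\sqrt{\sigma_1}}\Big)^2 = \frac{1}{2^m}\Big(\sum_i \sqrt{\lambda_i}\Big)^2 \le \frac{\mathrm{rank}(\sigma_0)}{2^m}\sum_i \lambda_i \le \frac{2^n}{2^m} \le 2^{-(c-1)n},$$

which is negligible in $n$ exactly when $m - n = \Omega(n)$; for $m = n$ the bound degenerates to $1$, matching the remark in Section 1.2 that the trivial single-copy-secure PRSG with $m = n$ cannot give binding.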

A detailed explanation of our construction of commitments and its security proof are given in Section 3.

#### 1.3.2 Digital Signatures

Our construction of digital signatures is a quantum public key version of the classical Lamport signature. The Lamport signature scheme is constructed from a one-way function. For simplicity, let us explain the Lamport signature scheme for a single-bit message. Let be a one-way function. The secret key is , where are uniform randomly chosen -bit strings. The public key is , where and . The signature for a message is , and the verification is to check whether . Intuitively, the (one-time) security of this signature scheme comes from that of the one-way function .
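The classical Lamport scheme described above, as an added example that is not part of the paper: it generalizes the single-bit description to an ℓ-bit message (one preimage pair per bit position) and wraps the secret key in a signer that refuses to sign a second, different message, which is what "one-time" means operationally. The one-way function f is instantiated with SHA-256 purely as an assumption of this example; the scheme is generic in f.

```python
import hashlib
import secrets

def f(x: bytes) -> bytes:
    """Stand-in one-way function (assumption of this example: SHA-256)."""
    return hashlib.sha256(x).digest()

def keygen(msg_bits: int, nbytes: int = 32):
    """Secret key: msg_bits pairs (x_i^0, x_i^1) of uniformly random strings.
    Public key: their images (f(x_i^0), f(x_i^1))."""
    sk = [(secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)) for _ in range(msg_bits)]
    pk = [(f(x0), f(x1)) for (x0, x1) in sk]
    return sk, pk

def _bits(message: int, msg_bits: int):
    return [(message >> i) & 1 for i in range(msg_bits)]

def sign(sk, message: int, msg_bits: int) -> list:
    """Signature: reveal the preimage x_i^{m_i} selected by each message bit m_i."""
    return [sk[i][bit] for i, bit in enumerate(_bits(message, msg_bits))]

def verify(pk, message: int, sig: list, msg_bits: int) -> bool:
    """Accept iff f(sigma_i) = y_i^{m_i} for every position i."""
    if len(sig) != msg_bits or len(pk) != msg_bits:
        return False
    return all(f(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(message, msg_bits)))

class OneTimeSigner:
    """Holds one key pair and enforces one-time use: signing two different messages
    would reveal both preimages at some position, after which the security argument
    (forging needs a preimage of f) no longer applies."""

    def __init__(self, msg_bits: int, nbytes: int = 32):
        self.msg_bits = msg_bits
        self.sk, self.pk = keygen(msg_bits, nbytes)
        self.signed = None

    def sign(self, message: int) -> list:
        if self.signed is not None and self.signed != message:
            raise RuntimeError("one-time key already used for a different message")
        self.signed = message
        return sign(self.sk, message, self.msg_bits)
```

With `msg_bits = 1` this is precisely the single-bit scheme in the text: the public key is the pair (f(x^0), f(x^1)), the signature for b is x^b, and verification recomputes f. The `OneTimeSigner` guard is the classical counterpart of the bounded-use property that the quantum public key version inherits.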

We consider the quantum public key version of it: is a quantum state. More precisely, our key generation algorithm chooses , and runs for , where is a PRSG. (Footnote 7: It is not necessarily a PRSG. Any OWSG (Definition 7) is enough. For details, see Section 4.) It outputs and , where and for . To sign a bit , the signing algorithm outputs the signature . Given the message-signature pair , the verification algorithm measures with and accepts if and only if the result is .

Intuitively, this signature scheme is one-time secure because cannot be obtained from : If is obtained, can be distinguished from Haar random states, which contradicts the security of PRSGs. In order to formalize this intuition, we introduce what we call OWSGs (Definition 7), and show that PRSGs imply OWSGs (Lemma 4). For details of our construction of digital signatures and its security proof, see Section 4.

### 1.4 Concurrent Work

A few days after the first version of this paper was made online, a concurrent work [AQY21] appeared. The concurrent work also constructs commitments from PRSGs. We compare our results with theirs below.

1. For achieving the security level of for binding, they rely on PRSGs with and any , or and . On the other hand, we rely on PRSGs with and . Thus, the required parameters seem incomparable though we cannot simply compare them due to the difference of definitions of binding. (See also Appendix 0.B.)

2. Our scheme is non-interactive whereas theirs is interactive though we believe that their scheme can also be made non-interactive by a similar technique to ours.

3. They consider a more general definition of PRSGs than ours that allows the state generation algorithm to sometimes fail. We do not take this into account, since for our primary goal of showing that commitments and digital signatures can exist even if one-way functions do not exist, we can rely on the PRSGs of [Kre21], whose state generation never fails. Moreover, the failure probability has to be negligibly small anyway due to the security of PRSGs, and therefore it is simpler to ignore the failure.

Besides commitments, the result on digital signatures is unique to this paper. On the other hand, [AQY21] contains results that are not covered in this paper such as pseudorandom function-like states and symmetric key encryption. We remark that our result on digital signatures was added a few days after the initial version of [AQY21] was made online, but the result was obtained independently, and there is no overlap with [AQY21] in this part.

Though most of this work was done independently of [AQY21], there are two parts where we revised the paper based on [AQY21]. The first is the definition of PRSGs. As pointed out in the initial version of [AQY21], the initial version of this work implicitly assumed that PRSGs do not use any ancillary qubits, which is a very strong restriction. However, we found that all of our results can be based on PRSGs that use ancillary qubits with just notational adaptations. Thus, we regard this as a notational-level issue and have fixed it.

The second is the connection to oblivious transfer and MPC explained in Appendix 0.B. In the initial version of this work, we only mentioned the idea of using the techniques of [FUYZ20] to instantiate oblivious transfer and MPC of [C:BCKM21b] based on quantum commitments. On the other hand, [AQY21] shows it assuming that the base quantum commitment satisfies a newly introduced definition of statistical binding property, which we call AQY-binding. Interestingly, we found that it is already implicitly shown in [FUYZ20] that the sum-binding implies AQY-binding. As a result, our commitment scheme can also be used to instantiate oblivious transfer and MPC of [C:BCKM21b]. See Appendix 0.B for more detail.

## 2 Preliminaries

In this section, we provide preliminaries.

### 2.1 Basic Notations

We use standard notations in quantum information. For example, is the two-dimensional identity operator. For notational simplicity, we sometimes write the -qubit identity operator just when it is clear from the context. are Pauli operators. means the Pauli operator that acts on the th qubit. Let be a quantum state over the subsystems and . Then is the partial trace of over subsystem . For -bit strings , and , where and are the th bit of and , respectively.

We also use standard notations in cryptography. A function is negligible if for all constant , for large enough . QPT and PPT stand for quantum polynomial time and (classical) probabilistic polynomial time, respectively. means that is sampled from uniformly at random. For an algorithm , means that the algorithm outputs on input .

In this paper, we use the following lemma. It can be shown by a straightforward calculation.

###### Lemma 1 (Quantum one-time pad).

For any -qubit state ,

$$\frac{1}{4^m} \sum_{x\in\{0,1\}^m} \sum_{z\in\{0,1\}^m} X^x Z^z \rho\, Z^z X^x = \frac{I^{\otimes m}}{2^m}.$$
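The "straightforward calculation" behind Lemma 1, written out as an added derivation (not from the paper) in the paper's notation. It assumes only the standard Pauli commutation rule $Z^z X^a = (-1)^{a\cdot z} X^a Z^z$ for $a, z \in \{0,1\}^m$, with $a\cdot z$ the inner product mod 2, and the Hilbert–Schmidt orthogonality $\mathrm{Tr}[(X^aZ^b)^\dagger X^{a'}Z^{b'}] = 2^m\,\delta_{a,a'}\delta_{b,b'}$.

Expand the $m$-qubit state $\rho$ in the Pauli basis:

$$\rho = \frac{1}{2^m}\sum_{a,b\in\{0,1\}^m} c_{a,b}\, X^a Z^b, \qquad c_{a,b} := \mathrm{Tr}\big[(X^aZ^b)^\dagger \rho\big], \qquad c_{0^m,0^m} = \mathrm{Tr}\,\rho = 1.$$

Conjugating one basis element by a one-time-pad key $(x,z)$ only produces a sign:

$$X^x Z^z\,(X^a Z^b)\,Z^z X^x = (-1)^{a\cdot z}\, X^x X^a Z^b X^x = (-1)^{a\cdot z + b\cdot x}\, X^a Z^b.$$

Averaging the sign over all keys kills every non-identity Pauli:

$$\frac{1}{4^m}\sum_{x,z\in\{0,1\}^m} (-1)^{a\cdot z + b\cdot x} = \Big(\frac{1}{2^m}\sum_{z}(-1)^{a\cdot z}\Big)\Big(\frac{1}{2^m}\sum_{x}(-1)^{b\cdot x}\Big) = [a = 0^m]\,[b = 0^m].$$

Hence, by linearity,

$$\frac{1}{4^m}\sum_{x,z\in\{0,1\}^m} X^x Z^z \rho\, Z^z X^x = \frac{1}{2^m}\sum_{a,b} c_{a,b}\,[a=0^m][b=0^m]\, X^aZ^b = \frac{c_{0^m,0^m}}{2^m}\, I^{\otimes m} = \frac{I^{\otimes m}}{2^m},$$

which is Lemma 1. The same computation shows why a single pad key suffices only once: for a fixed $(x,z)$ the signs are not averaged, and $\rho$ is merely relabelled, not erased.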

### 2.2 Pseudorandom Quantum States Generators

Let us review pseudorandom quantum states generators (PRSGs) [C:JiLiuSon18, TCC:BraShm19, C:BraShm20]. The definition of PRSGs is given as follows.

###### Definition 1 (Pseudorandom quantum states generators (PRSGs) [C:JiLiuSon18, TCC:BraShm19, C:BraShm20]).

A pseudorandom quantum states generator (PRSG) is a QPT algorithm that, on input , outputs an -qubit quantum state . As the security, we require the following: for any polynomial and any non-uniform QPT adversary , there exists a negligible function such that for all ,

$$\Big|\Pr_{k\leftarrow\{0,1\}^n}\big[\mathcal{A}(|\phi_k\rangle^{\otimes t(n)}) \to 1\big] - \Pr_{|\psi\rangle\leftarrow\mu_m}\big[\mathcal{A}(|\psi\rangle^{\otimes t(n)}) \to 1\big]\Big| \le \mathsf{negl}(n),$$

where is the Haar measure on -qubit states.

###### Remark 1.

In the most general case, is the following QPT algorithm: given an input , it first computes a classical description of a unitary quantum circuit , and next applies on the all-zero state to generate . It finally outputs the -qubit state . However, is, on average, almost pure, because otherwise the security is broken by a QPT adversary who runs the SWAP test on two copies. (Footnote 8: Let us consider an adversary that runs the SWAP test on two copies of the received state and outputs the result of the SWAP test. When is sent with uniformly random , the probability that outputs 1 is . When the copies of Haar random states are sent, the probability that outputs 1 is 1. For the security, has to be satisfied, which means the expected purity of , , has to be negligibly close to 1.) In this paper, for simplicity, we assume that is pure, and denote it by . The same results hold even if it is negligibly close to pure. What generates is therefore with an ancilla state . In this paper, for simplicity, we assume that there is no ancilla state in the final state generated by , but actually the same results hold even if ancilla states exist. (See Section 3 and Section 4.) Moreover, [Kre21] considers the case with pure outputs and no ancilla state, and therefore restricting to the pure and no-ancilla case is enough for our purpose of showing the existence of commitments and digital signatures without one-way functions.

Interestingly, what we actually need for our construction of commitments (Section 3) is a weaker version of PRSGs where the security is satisfied only for . We call them single-copy-secure PRSGs:

###### Definition 2 (Single-copy-secure PRSGs).

A single-copy-secure pseudorandom quantum states generator (PRSG) is a QPT algorithm that, on input , outputs an -qubit quantum state . As the security, we require the following: for any non-uniform QPT adversary , there exists a negligible function such that for all ,

$$\Big|\Pr_{k\leftarrow\{0,1\}^n}\big[\mathcal{A}(|\phi_k\rangle) \to 1\big] - \Pr_{|\psi\rangle\leftarrow\mu_m}\big[\mathcal{A}(|\psi\rangle) \to 1\big]\Big| \le \mathsf{negl}(n),$$

where is the Haar measure on -qubit states.

###### Remark 2.

Because a single copy of an -qubit state sampled Haar randomly is equivalent to the -qubit maximally-mixed state, , the security of single-copy-secure PRSGs is in fact the computational indistinguishability of a single copy of from .

###### Remark 3.

As we have explained in Remark 1, in the definition of PRSGs (Definition 1), the output state of has to be negligibly close to pure (on average). When we consider single-copy-secure PRSGs (Definition 2), on the other hand, the SWAP-test attack does not work because only a single copy is available to adversaries. In fact, there is a trivial construction of a single-copy-secure PRSG whose output is not pure: for all . We therefore assume that the output of is pure, i.e., , when we consider single-copy-secure PRSGs.

###### Remark 4.

It could be the case that single-copy-secure PRSGs are easier to realize than (multi-copy-secure) PRSGs. In fact, the security proofs of the constructions of [C:JiLiuSon18, TCC:BraShm19] are simpler for . Furthermore, there is a simple construction of a single-copy-secure PRSG by using a pseudorandom generator . In fact, we have only to take for all .

###### Remark 5.

One might think that a single-copy-secure PRSG with is a pseudorandom generator (PRG), because if the -qubit state is measured in the computational basis, the probability distribution of the measurement results is computationally indistinguishable from that (i.e., the -bit uniform distribution) obtained when the -qubit maximally mixed state is measured in the computational basis. This, however, cannot be right: if it were true, the existence of single-copy-secure PRSGs would imply the existence of PRGs, which contradicts [Kre21]. The point is that measuring in the computational basis does not work as a PRG because the output is not obtained deterministically. (Remember that PRGs are deterministic algorithms.)

## 3 Commitments

In this section, we provide our construction of commitments, and show its security.

### 3.1 Definition

Let us first give a formal definition of non-interactive quantum commitments.

###### Definition 3 (Non-interactive quantum commitments (Syntax)).

A non-interactive quantum commitment scheme is the following protocol.

• Commit phase: Let be the bit to commit. The sender generates a quantum state on registers and , and sends the register to the receiver. The states can be generated in quantum polynomial-time from the all zero state.

• Reveal phase: The sender sends and the register to the receiver. The receiver does the measurement on the registers and . If the result is , the receiver outputs . Otherwise, the receiver outputs . Because can be generated in quantum polynomial-time from the all zero state, the measurement can be implemented efficiently.

The perfect correctness is defined as follows:

###### Definition 4 (Perfect correctness).

A commitment scheme satisfies perfect correctness if the following is satisfied: when the honest sender commits , the probability that the honest receiver opens is 1.

The computational hiding is defined as follows:

###### Definition 5 (Computational hiding).

Let us consider the following security game, , with the parameter between a challenger and a QPT adversary .

1. generates and sends the register to .

2. outputs , which is the output of the experiment.

We say that a non-interactive quantum commitment scheme is computationally hiding if for any QPT adversary there exists a negligible function such that,

$$\big|\Pr[\mathsf{Exp}(0)=1] - \Pr[\mathsf{Exp}(1)=1]\big| \le \mathsf{negl}(\lambda).$$

As the definition of binding, we consider sum-binding [AC:Unruh16] that is defined as follows:

###### Definition 6 (Statistical sum-binding).

Let us consider the following security game between a challenger and an unbounded adversary :

1. generates a quantum state on the three registers , , and .

2. sends the register to , which is the commitment.

3. If wants to make open , applies a unitary on the registers and . sends and the register to .

4. does the measurement on the registers and . If the result is obtained, accepts . Otherwise, outputs .

Let be the probability that makes open :

$$p_b := \langle\psi_b|_{RC}\; \mathrm{Tr}_E\!\Big(U^{(b)}_{ER}\,|\Psi\rangle\langle\Psi|_{ERC}\,U^{(b)\dagger}_{ER}\Big)\,|\psi_b\rangle_{RC}.$$

We say that the commitment scheme is statistical sum-binding if for any unbounded there exists a negligible function such that

$$p_0 + p_1 \le 1 + \mathsf{negl}(\lambda).$$

### 3.2 Construction

Let us explain our construction of commitments. (Footnote 9: Another example of constructions is and . We have chosen the one we have explained, because the analogy to Naor’s commitment scheme is clearer.) Let be a single-copy-secure PRSG that, on input , outputs an -qubit state . The commit phase is the following.

1. Let be the bit to commit. The sender generates

$$|\psi_b\rangle := \frac{1}{\sqrt{2^{2m+n}}} \sum_{x,z\in\{0,1\}^m} \sum_{k\in\{0,1\}^n} |x,z,k\rangle_R \otimes P^b_{x,z}\, |\phi_k\rangle_C,$$

and sends the register to the receiver, where .

The reveal phase is the following.

1. The sender sends the register and the bit to the receiver.

2. The receiver measures the state with . If the result is , the receiver outputs . Otherwise, the receiver outputs . (Note that such a measurement can be done efficiently: first apply such that , and then measure all qubits in the computational basis to see whether all results are zero or not.)

It is obvious that this construction satisfies perfect correctness (Definition 4).

###### Remark 6.

Note that if we slightly modify the above construction, the communication in the reveal phase can be classical. In fact, we can show it for general settings. We will provide a detailed explanation of it in Appendix 0.A. Here, we give an intuitive argument. In general non-interactive quantum commitments (Definition 3), the sender who wants to commit generates a certain state on the registers and , and sends the register to the receiver, which is the commit phase. In the reveal phase, and the register are sent to the receiver. The receiver runs the verification algorithm on the registers and . Let us modify it as follows. In the commit phase, the sender chooses uniform random and applies on the register of , where is the number of qubits in the register . The sender then sends both the registers and to the receiver. This ends the commit phase. In the reveal phase, the sender sends the bit to open and to the receiver. The receiver applies on the register and runs the original verification algorithm. Hiding is clear because, due to the quantum one-time pad, the register looks maximally mixed (effectively traced out) to the receiver before the reveal phase. Binding is also easy to understand: assume a malicious sender of the modified scheme can break binding. Then we can construct a malicious sender that breaks binding of the original scheme, because the malicious sender of the original scheme can simulate the malicious sender of the modified scheme.

###### Remark 7.

We also note that our construction of commitments can be extended to more general cases where ancilla qubits are used in PRSGs. Let us consider a more general PRSG that generates and outputs , where is an ancilla state. In that case, hiding and binding hold if we replace with

$$\frac{1}{\sqrt{2^{2m+n}}}\sum_{x,z\in\{0,1\}^m}\sum_{k\in\{0,1\}^n}\left(|x,z,k\rangle\otimes|\eta_k\rangle\right)_R\otimes P^b_{x,z}|\phi_k\rangle_C.$$

### 3.3 Computational Hiding

We show computational hiding of our construction.

###### Theorem 3.1 (Computational hiding).

Our construction satisfies computational hiding.

###### Proof of Theorem 3.1.

Let us consider the following security game, , which is the same as the original experiment.

1. The challenger generates

$$|\psi_b\rangle = \frac{1}{\sqrt{2^{2m+n}}}\sum_{x,z\in\{0,1\}^m}\sum_{k\in\{0,1\}^n}|x,z,k\rangle_R\otimes P^b_{x,z}|\phi_k\rangle_C,$$

and sends the register to the adversary , where .

2. outputs , which is the output of this hybrid.

Let us define as follows:

1. If , chooses a Haar random -qubit state , and sends it to . If , generates and sends the register to .

2. outputs , which is the output of this hybrid.

for each .

###### Proof of Lemma 2.

It is clear that

$$\Pr[\mathrm{Hyb}_0(1)=1]=\Pr[\mathrm{Hyb}_1(1)=1].$$

Let us show

$$\left|\Pr[\mathrm{Hyb}_0(0)=1]-\Pr[\mathrm{Hyb}_1(0)=1]\right|\le\mathsf{negl}(\lambda).$$

To show it, assume that

$$\left|\Pr[\mathrm{Hyb}_0(0)=1]-\Pr[\mathrm{Hyb}_1(0)=1]\right|$$

is non-negligible. Then, we can construct an adversary that breaks the security of PRSGs as follows. Let be the parameter of the security game of PRSGs.

1. The challenger of the security game of PRSGs sends the state with uniform random if and a Haar random state if .

2. sends the received state to .

3. outputs the output of .

If , it simulates . If , it simulates . Therefore, breaks the security of PRSGs. ∎

Let us define as follows:

1. The challenger chooses a Haar random -qubit state , and sends it to the adversary.

2. The adversary outputs , which is the output of this hybrid.

###### Lemma 3.

$$\left|\Pr[\mathrm{Hyb}_1(b)=1]-\Pr[\mathrm{Hyb}_2(b)=1]\right|\le\mathsf{negl}(\lambda)$$

for each .

###### Proof of Lemma 3.

$$\Pr[\mathrm{Hyb}_1(0)=1]=\Pr[\mathrm{Hyb}_2(0)=1]$$

is clear. Let us show

$$\left|\Pr[\mathrm{Hyb}_1(1)=1]-\Pr[\mathrm{Hyb}_2(1)=1]\right|\le\mathsf{negl}(\lambda).$$

To show it, assume that

$$\left|\Pr[\mathrm{Hyb}_1(1)=1]-\Pr[\mathrm{Hyb}_2(1)=1]\right|$$

is non-negligible. Then, we can construct an adversary that breaks the security of PRSGs as follows. Let be the parameter of the security game of PRSGs.

1. The challenger of the security game of PRSGs sends the state with uniform random if and a Haar random state if .

2. applies with uniform random , and sends the state to .

3. outputs the output of .

If , it simulates . If , it simulates . Therefore, breaks the security of PRSGs. ∎

It is obvious that

$$\Pr[\mathrm{Hyb}_2(0)=1]=\Pr[\mathrm{Hyb}_2(1)=1].$$

Therefore, from Lemma 2 and Lemma 3, we conclude

$$\left|\Pr[\mathrm{Hyb}_0(0)=1]-\Pr[\mathrm{Hyb}_0(1)=1]\right|\le\mathsf{negl}(\lambda),$$

which shows Theorem 3.1. ∎

### 3.4 Statistical Binding

Let us show that our construction satisfies statistical sum-binding.

###### Theorem 3.2 (Statistical sum-binding).

Our construction satisfies statistical sum-binding.

###### Proof of Theorem 3.2.

Let

$$F(\rho,\sigma):=\left(\mathrm{Tr}\sqrt{\sqrt{\sigma}\,\rho\,\sqrt{\sigma}}\right)^2$$

be the fidelity between two states and . Then we have

$$
\begin{aligned}
p_b &= \langle\psi_b|_{RC}\,\mathrm{Tr}_E\!\left(U^{(b)}_{ER}|\Psi\rangle\langle\Psi|_{ERC}\,U^{(b)\dagger}_{ER}\right)|\psi_b\rangle_{RC}\\
&= F\!\left(|\psi_b\rangle_{RC},\ \mathrm{Tr}_E\!\left(U^{(b)}_{ER}|\Psi\rangle\langle\Psi|_{ERC}\,U^{(b)\dagger}_{ER}\right)\right)\\
&\le F\!\left(\mathrm{Tr}_R\!\left(|\psi_b\rangle\langle\psi_b|_{RC}\right),\ \mathrm{Tr}_{RE}\!\left(U^{(b)}_{ER}|\Psi\rangle\langle\Psi|_{ERC}\,U^{(b)\dagger}_{ER}\right)\right)\\
&= F\!\left(\mathrm{Tr}_R\!\left(|\psi_b\rangle\langle\psi_b|_{RC}\right),\ \mathrm{Tr}_{RE}\!\left(|\Psi\rangle\langle\Psi|_{ERC}\right)\right).
\end{aligned}
$$

Here, we have used the facts that if , , and that for any bipartite states , , where and .

Therefore,

$$
\begin{aligned}
p_0+p_1 &\le 1+\sqrt{F\!\left(\mathrm{Tr}_R\!\left(|\psi_0\rangle\langle\psi_0|_{RC}\right),\ \mathrm{Tr}_R\!\left(|\psi_1\rangle\langle\psi_1|_{RC}\right)\right)}\\
&= 1+\sqrt{F\!\left(\frac{1}{2^n}\sum_k|\phi_k\rangle\langle\phi_k|,\ \frac{1}{2^{2m}}\frac{1}{2^n}\sum_{x,z}\sum_k X^xZ^z|\phi_k\rangle\langle\phi_k|X^xZ^z\right)}\\
&= 1+\sqrt{F\!\left(\frac{1}{2^n}\sum_k|\phi_k\rangle\langle\phi_k|,\ \frac{I^{\otimes m}}{2^m}\right)}\\
&= 1+\left\|\sum_{i=1}^{\xi}\sqrt{\lambda_i}\,\frac{1}{\sqrt{2^m}}\,|\lambda_i\rangle\langle\lambda_i|\right\|_1\\
&= 1+\sum_{i=1}^{\xi}\sqrt{\lambda_i}\,\frac{1}{\sqrt{2^m}}\\
&\le 1+\sqrt{\sum_{i=1}^{\xi}\lambda_i}\;\sqrt{\sum_{i=1}^{\xi}\frac{1}{2^m}}\\
&\le 1+\sqrt{\frac{2^n}{2^m}}\\
&\le 1+\frac{1}{\sqrt{2^{(c-1)n}}}.
\end{aligned}
$$

In the first inequality, we have used the fact that for any states ,

$$F(\rho,\xi)+F(\sigma,\xi)\le 1+\sqrt{F(\rho,\sigma)}$$

is satisfied [NayakShor]. In the fourth equality, is the diagonalization of . In the sixth inequality, we have used the Cauchy–Schwarz inequality. In the seventh inequality, we have used . In the last inequality, we have used for a constant . ∎
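The chain above has two steps that are easy to check numerically on a tiny instance: the quantum-one-time-pad twirl of the receiver's reduced state equals the maximally mixed state (third equality), and the resulting bound on the sum of the two opening probabilities is $1+\sqrt{2^n/2^m}$ (seventh inequality). The following script is an added illustration and not the paper's own code; it uses $m=2$, $n=1$ and two fixed, constructed 2-qubit states as a stand-in for the PRSG outputs $|\phi_k\rangle$ (a real PRSG would produce pseudorandom states, but the binding argument only uses that there are at most $2^n$ of them). Eigenvalues of the rank-$2^n$ state are obtained from its Gram matrix, which avoids any linear-algebra library.

```python
"""Numerical check of the statistical-binding bound of the commitment scheme.
Added example (not from the paper). Toy instance: m = 2 committed qubits,
n = 1 key bit, so 2^n = 2 states |phi_k> on a 2^m = 4 dimensional space."""
import math
from itertools import product

M_QUBITS = 2          # m: number of qubits of |phi_k>
N_BITS = 1            # n: key length
DIM = 2 ** M_QUBITS   # 2^m

def normalize(v):
    nrm = math.sqrt(sum(abs(a) ** 2 for a in v))
    return [a / nrm for a in v]

# Constructed stand-ins for |phi_0>, |phi_1> (not pseudorandom, just fixed states).
PHI = [
    normalize([1, 1j, 0.5, 0]),
    normalize([0, 1, -1, 0.3j]),
]

def outer(v):            # |v><v|
    return [[v[i] * v[j].conjugate() for j in range(len(v))] for i in range(len(v))]

def mat_add(a, b):
    return [[a[i][j] + b[i][j] for j in range(len(a))] for i in range(len(a))]

def mat_scale(a, s):
    return [[s * a[i][j] for j in range(len(a))] for i in range(len(a))]

def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a))]

def kron(a, b):
    return [[a[i][j] * b[k][l] for j in range(len(a)) for l in range(len(b))]
            for i in range(len(a)) for k in range(len(b))]

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]

def pauli_xz(x_bits, z_bits):
    """X^x Z^z on M_QUBITS qubits; x and z are bit tuples of length m."""
    op = [[1]]
    for xb, zb in zip(x_bits, z_bits):
        op = kron(op, mat_mul(X if xb else I2, Z if zb else I2))
    return op

def reduced_state(b):
    """Tr_R(|psi_b><psi_b|): for b=0 it is (1/2^n) sum_k |phi_k><phi_k|;
    for b=1 it is the quantum-one-time-pad twirl of that state."""
    rho0 = [[0] * DIM for _ in range(DIM)]
    for phi in PHI:
        rho0 = mat_add(rho0, mat_scale(outer(phi), 1 / 2 ** N_BITS))
    if b == 0:
        return rho0
    rho1 = [[0] * DIM for _ in range(DIM)]
    for x_bits in product((0, 1), repeat=M_QUBITS):
        for z_bits in product((0, 1), repeat=M_QUBITS):
            p = pauli_xz(x_bits, z_bits)
            rho1 = mat_add(rho1, mat_mul(mat_mul(p, rho0), dagger(p)))
    return mat_scale(rho1, 1 / 4 ** M_QUBITS)

def is_maximally_mixed(rho, tol=1e-9):
    """Third equality of the chain: the twirled state equals I^{(x)m} / 2^m."""
    return all(abs(rho[i][j] - (1 / DIM if i == j else 0)) < tol
               for i in range(DIM) for j in range(DIM))

def nonzero_eigs_rho0():
    """Non-zero eigenvalues lambda_i of rho_0, read off the 2x2 Gram matrix
    G_jk = <phi_j|phi_k> / 2^n (rho_0 = A A^dagger and G = A^dagger A)."""
    g = [[sum(a.conjugate() * b for a, b in zip(PHI[j], PHI[k])) / 2 ** N_BITS
          for k in range(2)] for j in range(2)]
    a, d, off = g[0][0].real, g[1][1].real, abs(g[0][1])
    mid, rad = (a + d) / 2, math.sqrt(((a - d) / 2) ** 2 + off ** 2)
    return [mid + rad, mid - rad]

def sqrt_fidelity_with_maximally_mixed():
    """sqrt F(rho_0, I/2^m) = sum_i sqrt(lambda_i) / sqrt(2^m) (fourth/fifth lines)."""
    return sum(math.sqrt(max(l, 0.0)) for l in nonzero_eigs_rho0()) / math.sqrt(DIM)

def cauchy_schwarz_bound():
    """sqrt(2^n / 2^m): what Cauchy-Schwarz plus xi <= 2^n gives."""
    return math.sqrt(2 ** N_BITS / 2 ** M_QUBITS)

if __name__ == "__main__":
    assert is_maximally_mixed(reduced_state(1))
    f = sqrt_fidelity_with_maximally_mixed()
    print(f"sqrt F(rho_0, I/2^m) = {f:.4f} <= sqrt(2^n/2^m) = {cauchy_schwarz_bound():.4f}")
    print(f"hence p_0 + p_1 <= {1 + f:.4f}")
```

With these constructed states the bound is not tight: the fidelity term is about 0.68 while $\sqrt{2^n/2^m}=\sqrt{1/2}\approx 0.71$; the gap closes only when the $|\phi_k\rangle$ are orthogonal, i.e. when all $\xi=2^n$ eigenvalues equal $1/2^n$. Raising $m$ relative to $n$ (the constant $c$ in $m=cn$) is what drives the extra term to zero.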

## 4 Digital Signatures

In this section, we provide our construction of digital signatures and show its security. For that goal, we first define OWSGs (Definition 7), and show that PRSGs imply OWSGs (Lemma 4).

### 4.1 One-way Quantum States Generators

For the construction of our signature scheme, we introduce OWSGs, which are defined as follows:

###### Definition 7 (One-way quantum states generators (OWSGs)).

Let be a QPT algorithm that, on input , outputs a quantum state . Let us consider the following security game, , between a challenger and a QPT adversary :

1. chooses .

2. runs times.

3. sends to .

4. sends to .

5. measures with . If the result is , the output of the experiment is 1. Otherwise, the output of the experiment is 0.

We say that is a one-way quantum states generator (OWSG) if for any and for any QPT adversary there exists a negligible function such that

$$\Pr[\mathrm{Exp}=1]\le\mathsf{negl}(n).$$

###### Remark 8.

Note that another natural definition of one-wayness is that given it is hard to find . However, as we will see later, it is not useful for our construction of digital signatures.

###### Remark 9.

The most general form of is as follows: on input , it computes a classical description of a unitary quantum circuit , and applies on to generate , and outputs . However, because plays the role of a public key in our construction of digital signatures, we assume that is pure. (It is not natural if public keys and secret keys are entangled.) In that case, , where is an ancilla state. For simplicity, we assume that there is no ancilla state: . In that case, the measurement by the challenger in Definition 7 can be done as follows: the challenger first applies on the state and then measures all qubits in the computational basis. The all-zero measurement result corresponds to and other results correspond to . Even if ancilla states exist, however, the same result holds. In that case, the verification of the challenger in Definition 7 is modified as follows: given , it generates to obtain , applies on , and measures all qubits in the computational basis. If the result is all zero, it accepts, i.e., the output of the experiment is 1. Otherwise, it rejects.

We can show the following:

###### Lemma 4 (PRSGs imply OWSGs).

If a pseudorandom quantum states generator with for a constant exists, then a one-way quantum states generator exists.

###### Proof of Lemma 4.

Assume that of the security game of Definition 7 with is non-negligible. Then we can construct an adversary that breaks the security of PRSGs as follows. Let be the parameter of the security game for PRSGs.

1. If , the challenger of the security game for PRSGs chooses , runs times, and sends to . If , the challenger of the security game for PRSGs sends copies of Haar random state to . In other words, receives , where if and if .

2. sends to .

3. outputs .

4. measures with . If the result is , outputs 1. Otherwise, outputs 0.

It is clear that

$$\Pr[\mathcal{A}'\to 1\mid b'=0]=\Pr[\mathrm{Exp}=1].$$

By assumption, is non-negligible, and therefore is also non-negligible. On the other hand,

 Pr[A′→1|b′=1] = ∫dμ(ψ)∑σ∈{0,1}nPr[σ←