1 Introduction
1.1 Background
Commitments [C:Blum81] are one of the most central primitives in cryptography. Assume that a sender wants to commit a message to a receiver. The sender encrypts it and sends it to the receiver. Later, the sender sends a key so that the receiver can open the message. Before the sender sends the key, the receiver should not be able to learn the message, which is called hiding. Furthermore, the sender should not be able to change the message later once the sender commits it, which is called binding. (Imagine that the sender’s message is put in a safe box and sent to the receiver. The receiver cannot open it until the receiver receives the key, and the sender cannot change the message in the safe box once it is sent to the receiver.) In cryptography, there are two types of definitions for security. One is statistical security and the other is computational security. Statistical security means that it is secure against any computationally unbounded adversary, while computational security means that it is secure against adversaries restricted to polynomial-time classical/quantum computations. It is easy to see that both hiding and binding cannot be statistical at the same time in the classical setting,^1 and therefore one of them has to be based on a computational assumption. In other words, in a computationally hiding commitment scheme, a malicious receiver can learn the message before the opening if its computational power is unbounded, and in a computationally binding commitment scheme, a malicious sender can change its committed message later if its computational power is unbounded. For the computational assumption, the existence of one-way functions is known to be equivalent to the existence of classical commitments [Nao91, HILL99]. The existence of one-way functions is considered the weakest assumption in classical cryptography, because virtually all complexity-based classical cryptographic primitives are known to imply the existence of one-way functions [STOC:LubRac86, FOCS:ImpLub89, STOC:ImpLevLub89].
^1 If a commitment scheme is statistically binding, there exists at most one message to which a commitment can be opened except for a negligible probability. This unique message can be found by a brute-force search, which means that the scheme is not statistically hiding.
The history of quantum information has demonstrated that utilizing quantum physics in information processing achieves many advantages. In particular, it has been shown in quantum cryptography that quantum physics can weaken cryptographic assumptions. For example, if quantum states are transmitted, statistically secure key distribution is possible [BB84], although it is impossible classically. Furthermore, oblivious transfer is possible with only (quantum-secure) one-way functions when quantum states are transmitted [C:BCKM21b, EC:GLSV21, FOCS:CreKil88, C:BBCS91, MS94, STOC:Yao95, C:DFLSS09]. Classically, it is known to be impossible to construct oblivious transfer from only one-way functions [C:ImpRud88].^2
^2 [C:ImpRud88] showed the impossibility of relativizing constructions of key exchange from one-way functions, and oblivious transfer is stronger than key exchange. Since most cryptographic constructions are relativizing, this gives a strong negative result on constructing oblivious transfer from one-way functions in the classical setting.
As we have mentioned, it is classically impossible to realize commitments with statistical hiding and statistical binding. Does quantum physics overcome the barrier? Unfortunately, it is already known that both binding and hiding cannot be statistical at the same time even in the quantum world [LC97, May97]. In fact, all known constructions of quantum commitments use at least (quantum-secure) one-way functions [EC:DumMaySal00, EC:CreLegSal01, KO09, KO11, YWLQ15, Yan20, TCC:BitBra21].
In this paper, we ask the following fundamental question:
Are one-way functions really necessary for commitments?
It could be the case that in the quantum world commitments can be constructed from an assumption weaker than the existence of one-way functions. This possibility is mentioned in previous works [C:BCKM21b, EC:GLSV21], but no construction is provided there.
Digital signatures [DifHel76] are other important primitives in cryptography. In a signature scheme, a secret key and a public key are generated. The secret key is used to generate a signature for a message, and the public key is used for the verification of the pair of the message and the signature. Any adversary who has and can query the signing oracle many times cannot forge a signature for a message which is not queried. In other words, is not accepted by the verification algorithm except with a negligible probability.
Obviously, statistically secure digital signatures are impossible, because an unbounded adversary who can access and the verification algorithm can find a valid signature by a brute-force search. In the classical world, it is known that the existence of digital signatures is equivalent to the existence of one-way functions. In the quantum setting, on the other hand, digital signatures are not known to imply one-way functions. Gottesman and Chuang introduced digital signatures with quantum public keys [Gottesman_Chuang], but they considered information-theoretical security, and therefore the number of public keys had to be bounded. Our second fundamental question in this paper is the following:
Are digital signatures possible without one-way functions?
1.2 Our Results
In this paper, we answer the above two fundamental questions affirmatively. The first result of this paper is a construction of quantum commitments from pseudorandom quantum states generators (PRSGs) [C:JiLiuSon18, TCC:BraShm19, C:BraShm20]. A PRSG is a quantum polynomial-time algorithm that, on input , outputs an qubit state such that over uniform random is computationally indistinguishable from the same number of copies of Haar random states for any polynomial . (The formal definition of PRSGs is given in Definition 1.) Our first result is stated as follows:^3
^3 Our construction of commitments also satisfies perfect correctness, i.e., the probability that the honest receiver opens the correct bit committed by the honest sender is 1.
Theorem 1.1.
If a pseudorandom quantum states generator with for a constant exists, then non-interactive quantum commitments (for classical messages) with computational hiding and statistical binding exist.
In [Kre21], it is shown that PRSGs exist even if relative to a quantum oracle. If , no quantum-secure classical cryptographic primitive exists, because means . In particular, no quantum-secure one-way function exists. Our Theorem 1.1 therefore shows that quantum commitments can exist even if no quantum-secure classical cryptographic primitive exists.^4 In particular, quantum commitments can exist even if no quantum-secure one-way function exists.
^4 It actually shows something stronger, because also excludes the existence of some quantum-secure quantum cryptographic primitives where honest algorithms are quantum.
As we will see later (Section 3), what we actually need is a weaker version of PRSGs where only the computational indistinguishability of a single copy of from the Haar random state is required. We call such a weaker version of PRSGs single-copy-secure PRSGs. (See Definition 2. It is the version of Definition 1.) Because a single copy of the Haar random state is equivalent to the maximally mixed state, single-copy security means computational indistinguishability from the maximally mixed state. It could be the case that the realization of single-copy-secure PRSGs is easier than that of (multi-copy-secure) PRSGs. (For more discussion, see Section 2.2.)
Non-interactive commitments are a special type of commitments. (See Definition 3.) In general, the sender and the receiver exchange many rounds of messages during the commitment phase, but in non-interactive commitments, a single message from the sender to the receiver is enough for the commitment. It is known that non-interactive quantum commitments (for classical messages) are possible with (quantum-secure) one-way functions [YWLQ15], while they are subject to a black-box barrier in the classical case [MP12].
As the definition of binding, we choose a standard one, sum-binding [AC:Unruh16], which roughly means that , where is a negligible function, is a security parameter, and and are the probabilities that the malicious sender makes the receiver open 0 and 1, respectively. (The formal definition of statistical sum-binding is given in Definition 6.)
Our first result, Theorem 1.1, that quantum commitments can be possible without one-way functions has important consequences in cryptography. It is known that quantum commitments imply the existence of quantum-secure zero-knowledge proofs (of knowledge) for all languages [FUYZ20] and quantum-secure oblivious transfer (and therefore multiparty computation (MPC)) [C:BCKM21b, EC:GLSV21]. Thus, those primitives can also exist even if (and in particular quantum-secure one-way functions do not exist),^5 while classical constructions of them imply the existence of one-way functions. For more details, see Appendix 0.B.
^5 Indeed, [C:BCKM21b] states as follows: “Moreover if in the future, new constructions of statistically binding, quantum computationally hiding commitments involving quantum communication are discovered based on assumptions weaker than quantum-hard one-way functions, it would be possible to plug those into our protocol compilers to obtain QOT."
We also remark that there is no known construction of PRSGs from assumptions weaker than the existence of one-way functions without oracles. Thus, our result should be understood as theoretical evidence that quantum commitments can exist even if rather than as a new concrete construction. It is an interesting open problem to construct a PRSG from assumptions weaker than the existence of one-way functions without oracles. Such a construction would immediately yield commitments (and more) by our result.
One might ask the following question: can we remove (or improve) the condition with a constant in Theorem 1.1? The answer is no for single-copy-secure PRSGs, because if , there is a trivial construction of a single-copy-secure PRSG without any assumption: for any , where is the th bit of . In fact, . If quantum commitments were constructed from such a single-copy-secure PRSG, we could realize quantum commitments without any assumption, which is known to be impossible [LC97, May97]. We note that [Kre21] considers only the case when , but it is clear that the result holds for with constant .
Finally, we do not know whether the opposite of Theorem 1.1 holds or not. Namely, do quantum commitments imply PRSGs (or singlecopysecure PRSGs)? It is an interesting open problem.
Now let us move on to our second subject, namely, digital signatures. Our second result in this paper is the following:
Theorem 1.2.
If a pseudorandom quantum states generator with for a constant exists, then one-time secure digital signatures with quantum public keys exist.
One-time security means that the adversary can query the signing oracle at most once. (See Definition 8 and Definition 10.) In the classical setting, it is known how to construct many-time secure digital signatures from one-time secure digital signatures [C:Merkle89a], but we do not know how to generalize our one-time secure quantum signature scheme to a many-time secure one, because in our case the public keys are quantum. It is an important open problem to construct many-time secure digital signatures from PRSGs.
Due to the oracle separation by [Kre21], Theorem 1.2 means that (at least one-time secure) digital signatures can exist even if no quantum-secure classical cryptographic primitive exists.^6 In particular, (one-time secure) digital signatures can exist even if no quantum-secure one-way function exists.
^6 Again, it also excludes some quantum-secure quantum cryptographic primitives.
Our construction is similar to the “quantum public key version" of the classical Lamport signature [DifHel76] by Gottesman and Chuang [Gottesman_Chuang]. They consider information-theoretical security, and therefore the number of public keys has to be bounded. On the other hand, our construction from PRSGs allows an unbounded polynomial number of public keys. Quantum cryptography with quantum public keys is also studied in [JC:KKNY12, Doliskani21].
We do not know whether the condition, with a constant , can be improved or not in Theorem 1.2. Although it is possible to construct PRSGs without this restriction [C:BraShm20], the condition is satisfied by the construction of [Kre21], and is therefore enough for our purpose of showing the existence of digital signatures without one-way functions.
As we will see later (Section 4), our construction of digital signatures is actually based on what we call one-way quantum states generators (OWSGs) (Definition 7). Intuitively, we say that a quantum polynomial-time algorithm that outputs an qubit quantum state on input is an OWSG if it is hard to find, given polynomially many copies of (with uniformly random ), an bit string such that is close to . In other words, what we actually show is the following:
Theorem 1.3.
If a one-way quantum states generator exists, then one-time secure digital signatures with quantum public keys exist.
We show that a PRSG is an OWSG (Lemma 4), and therefore Theorem 1.2 is obtained as a corollary of Theorem 1.3. The concept of OWSGs itself seems to be of independent interest. In particular, we do not know whether OWSGs imply PRSGs or not, which is an interesting open problem.
Remember that for the construction of our commitment scheme we use only single-copy-secure PRSGs. Our signature scheme, on the other hand, uses the security of PRSGs for an unbounded polynomial number of copies, because the number of copies determines the number of quantum public keys. In other words, single-copy-secure PRSGs enable commitments but (multi-copy-secure) PRSGs enable signatures. There could therefore be a kind of hierarchy in PRSGs for different numbers of copies, which seems to be an interesting subject for future research.
1.3 Technical Overviews
1.3.1 Commitments
The basic idea of our construction of commitments is, in some sense, a quantum generalization of the classical Naor’s commitment scheme [Nao91].
Let us recall Naor’s construction. The receiver first samples uniformly random , and sends it to the sender. The sender chooses a uniformly random seed , and sends to the receiver, where is a length-tripling pseudorandom generator, and is the bit to commit. Hiding is clear: because the receiver does not know , the receiver cannot distinguish and . The decommitment is . The receiver can check whether the commitment is or from . Binding comes from the fact that if both 0 and 1 can be opened, there exist such that . There are such seeds, and therefore for a random , this is impossible except with probability.
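Naor’s scheme in Python, added here as an illustration (not code from the paper): SHAKE-256 stands in for the length-tripling PRG G, and the brute-force search over a one-byte seed space is a toy that makes the bad event of the binding argument (a string r that equals G(s0) xor G(s1) for some seed pair) visible.

```python
import hashlib
import secrets
from itertools import combinations
from typing import List, Optional, Tuple


def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in for the length-tripling PRG G: SHAKE-256 of the seed,
    truncated to out_len bytes (callers pass 3 * len(seed))."""
    return hashlib.shake_256(seed).digest(out_len)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def receiver_first_message(seed_len: int) -> bytes:
    """Receiver's round: a uniformly random string r of length 3n."""
    return secrets.token_bytes(3 * seed_len)


def commit(r: bytes, bit: int, seed: Optional[bytes] = None) -> Tuple[bytes, Tuple[bytes, int]]:
    """Sender's round: c = G(s) xor (bit * r).  Returns (c, decommitment)."""
    n = len(r) // 3
    if seed is None:
        seed = secrets.token_bytes(n)
    pad = prg(seed, 3 * n)
    c = pad if bit == 0 else xor(pad, r)
    return c, (seed, bit)


def verify_opening(r: bytes, c: bytes, seed: bytes, bit: int) -> bool:
    """Receiver recomputes G(s) xor (bit * r) and compares it with c."""
    expected = prg(seed, len(r))
    if bit == 1:
        expected = xor(expected, r)
    return c == expected


def equivocal_seed_pairs(r: bytes, seed_len: int) -> List[Tuple[bytes, bytes]]:
    """Brute force (tiny seed_len only): every seed pair (s0, s1) with
    G(s0) xor G(s1) == r.  For such an r the commitment G(s0) opens to 0 with
    s0 and to 1 with s1, which is exactly the event the binding argument
    bounds: about 2^(2n) pairs against 2^(3n) possible strings r."""
    out_len = 3 * seed_len
    seeds = [i.to_bytes(seed_len, "big") for i in range(256 ** seed_len)]
    pads = {s: prg(s, out_len) for s in seeds}
    return [(s0, s1) for s0, s1 in combinations(seeds, 2) if xor(pads[s0], pads[s1]) == r]


if __name__ == "__main__":
    r = receiver_first_message(16)
    c, (s, b) = commit(r, 1)
    print("honest opening accepted:", verify_opening(r, c, s, b))
    print("wrong bit rejected:", not verify_opening(r, c, s, 1 - b))
```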
Our idea is to replace with a pseudorandom state , and to replace the addition of with the quantum one-time pad, which randomly applies Pauli and . More precisely, the sender who wants to commit generates the state and sends the register to the receiver, where . This is the commitment phase. At the end of the commitment phase, the receiver’s state is when and when . By the security of single-copy-secure PRSGs, is computationally indistinguishable from the qubit maximally mixed state , while due to the quantum one-time pad (Lemma 1). The two states, and , are therefore computationally indistinguishable, which shows computational hiding.
For statistical sum-binding, we show that the fidelity between and is negligibly small. It is intuitively understood as follows: has support in an at most dimensional space, while has support in the entire dimensional space, where with , and therefore the “overlap" between and is small.
A detailed explanation of our construction of commitments and its security proof are given in Section 3.
1.3.2 Digital Signatures
Our construction of digital signatures is a quantum public key version of the classical Lamport signature. The Lamport signature scheme is constructed from a one-way function. For simplicity, let us explain the Lamport signature scheme for a single-bit message. Let be a one-way function. The secret key is , where are uniformly randomly chosen bit strings. The public key is , where and . The signature for a message is , and the verification is to check whether . Intuitively, the (one-time) security of this signature scheme comes from that of the one-way function .
We consider the quantum public key version of it: is a quantum state. More precisely, our key generation algorithm chooses , and runs for , where is a PRSG.^7 It outputs and , where and for . To sign a bit , the signing algorithm outputs the signature . Given the message-signature pair , the verification algorithm measures with and accepts if and only if the result is .
^7 It is not necessarily a PRSG. Any OWSG (Definition 7) is enough. For details, see Section 4.
Intuitively, this signature scheme is onetime secure because cannot be obtained from : If is obtained, can be distinguished from Haar random states, which contradicts the security of PRSGs. In order to formalize this intuition, we introduce what we call OWSGs (Definition 7), and show that PRSGs imply OWSGs (Lemma 4). For details of our construction of digital signatures and its security proof, see Section 4.
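The classical Lamport scheme described above, added here as example code (not from the paper) with SHA-256 standing in for the one-way function. It goes beyond the single-bit case to messages of several bits (one preimage pair per bit), and includes a check of which secret preimages a set of signatures has exposed, which is why the scheme is only one-time secure.

```python
import hashlib
import secrets
from typing import List, Set, Tuple

Key = List[Tuple[bytes, bytes]]  # one (value for bit 0, value for bit 1) pair per message bit


def f(x: bytes) -> bytes:
    """One-way function stand-in (SHA-256); only one-wayness is assumed."""
    return hashlib.sha256(x).digest()


def keygen(msg_bits: int, n: int = 32) -> Tuple[Key, Key]:
    """sk = (x_{i,0}, x_{i,1}) for each message bit i, pk = (f(x_{i,0}), f(x_{i,1})).
    msg_bits == 1 is exactly the single-bit scheme of the text."""
    sk = [(secrets.token_bytes(n), secrets.token_bytes(n)) for _ in range(msg_bits)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk


def bits_of(m: int, msg_bits: int) -> List[int]:
    return [(m >> i) & 1 for i in range(msg_bits)]


def sign(sk: Key, m: int) -> List[bytes]:
    """The signature reveals x_{i, m_i} for every bit i of the message."""
    return [sk[i][b] for i, b in enumerate(bits_of(m, len(sk)))]


def verify(pk: Key, m: int, sig: List[bytes]) -> bool:
    """Accept iff f(sig_i) == pk_{i, m_i} for every bit i."""
    if len(sig) != len(pk):
        return False
    return all(f(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits_of(m, len(pk)))))


def revealed_preimages(msg_bits: int, signed: List[int]) -> Set[Tuple[int, int]]:
    """The (i, bit) secret values exposed by signing the given messages."""
    return {(i, b) for m in signed for i, b in enumerate(bits_of(m, msg_bits))}


def fully_exposed_positions(msg_bits: int, signed: List[int]) -> List[int]:
    """Positions i whose both secrets are public.  Non-empty means the key has
    been used for two different messages and must be considered burnt; a key
    is safe only while this list is empty, hence one-time use."""
    rev = revealed_preimages(msg_bits, signed)
    return [i for i in range(msg_bits) if (i, 0) in rev and (i, 1) in rev]


if __name__ == "__main__":
    sk, pk = keygen(1)
    sig = sign(sk, 1)
    print("verify(1):", verify(pk, 1, sig), " verify(0):", verify(pk, 0, sig))
    print("exposed after signing 0 and 1:", fully_exposed_positions(1, [0, 1]))
```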
1.4 Concurrent Work
A few days after the first version of this paper was made online, a concurrent work [AQY21] appeared. The concurrent work also constructs commitments from PRSGs. We give comparisons between our results and theirs.
- For achieving the security level of for binding, they rely on PRSGs with and any , or and . On the other hand, we rely on PRSGs with and . Thus, the required parameters seem incomparable, though we cannot simply compare them due to the difference in the definitions of binding. (See also Appendix 0.B.)
- Our scheme is non-interactive whereas theirs is interactive, though we believe that their scheme can also be made non-interactive by a technique similar to ours.
- They consider a more general definition of PRSGs than ours that allows the state generation algorithm to sometimes fail. We do not take this into account, since for our primary goal of showing that commitments and digital signatures can exist even if one-way functions do not exist we can rely on the PRSGs of [Kre21], whose state generation never fails. Moreover, the failure probability has to be negligibly small anyway due to the security of PRSGs, and therefore it is simpler to ignore the failure.
Besides commitments, the result on digital signatures is unique to this paper. On the other hand, [AQY21] contains results that are not covered in this paper, such as pseudorandom function-like states and symmetric key encryption. We remark that our result on digital signatures was added a few days after the initial version of [AQY21] was made online, but the result was obtained independently, and there is no overlap with [AQY21] in this part.
Though most of this work was done independently of [AQY21], there are two parts where we revised the paper based on [AQY21]. The first is the definition of PRSGs. As pointed out in the initial version of [AQY21], the initial version of this work implicitly assumed that PRSGs do not use any ancillary qubits, which is a very strong restriction. However, we found that all of our results can be based on PRSGs that use ancillary qubits with just notational adaptations. Thus, we regard this as a notational-level issue and fixed it.
The second is the connection to oblivious transfer and MPC explained in Appendix 0.B. In the initial version of this work, we only mentioned the idea of using the techniques of [FUYZ20] to instantiate the oblivious transfer and MPC of [C:BCKM21b] based on quantum commitments. On the other hand, [AQY21] shows it assuming that the base quantum commitment satisfies a newly introduced definition of the statistical binding property, which we call AQY-binding. Interestingly, we found that it is already implicitly shown in [FUYZ20] that sum-binding implies AQY-binding. As a result, our commitment scheme can also be used to instantiate the oblivious transfer and MPC of [C:BCKM21b]. See Appendix 0.B for more details.
2 Preliminaries
In this section, we provide preliminaries.
2.1 Basic Notations
We use standard notations in quantum information. For example, is the twodimensional identity operator. For notational simplicity, we sometimes write the qubit identity operator just when it is clear from the context. are Pauli operators. means the Pauli operator that acts on the th qubit. Let be a quantum state over the subsystems and . Then is the partial trace of over subsystem . For bit strings , and , where and are the th bit of and , respectively.
We also use standard notations in cryptography. A function is negligible if for all constant , for large enough . QPT and PPT stand for quantum polynomial time and (classical) probabilistic polynomial time, respectively. means that is sampled from uniformly at random. For an algorithm , means that the algorithm outputs on input .
In this paper, we use the following lemma. It can be shown by a straightforward calculation.
Lemma 1 (Quantum one-time pad).
For any qubit state ,
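A numerical check of Lemma 1, and of the hiding intuition of Section 1.3.1 (after the random Pauli pad, the receiver holds the maximally mixed state), added here as example code that is not from the paper. Density matrices are plain Python lists, so it runs without numpy; the sample states are constructed, and the function can also drop the X or the Z family to show that one family alone is not a pad.

```python
import itertools
import math
from typing import List, Tuple

Matrix = List[List[complex]]

I2: Matrix = [[1, 0], [0, 1]]
X: Matrix = [[0, 1], [1, 0]]
Z: Matrix = [[1, 0], [0, -1]]


def matmul(A: Matrix, B: Matrix) -> Matrix:
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def kron(A: Matrix, B: Matrix) -> Matrix:
    rb, cb = len(B), len(B[0])
    return [[A[i // rb][j // cb] * B[i % rb][j % cb]
             for j in range(len(A[0]) * cb)] for i in range(len(A) * rb)]


def dagger(A: Matrix) -> Matrix:
    return [[complex(A[j][i]).conjugate() for j in range(len(A))] for i in range(len(A[0]))]


def pauli_string(a: Tuple[int, ...], b: Tuple[int, ...]) -> Matrix:
    """Tensor product over qubits of X^{a_i} Z^{b_i} for bit strings a, b."""
    P: Matrix = [[1]]
    for ai, bi in zip(a, b):
        P = kron(P, matmul(X if ai else I2, Z if bi else I2))
    return P


def density(psi: List[complex]) -> Matrix:
    """|psi><psi| for a normalised state vector."""
    return [[psi[i] * complex(psi[j]).conjugate() for j in range(len(psi))]
            for i in range(len(psi))]


def pauli_average(rho: Matrix, n: int, use_x: bool = True, use_z: bool = True) -> Matrix:
    """Average of P rho P^dagger over Pauli strings P on n qubits.  With both
    families this is the quantum one-time pad of Lemma 1, i.e.
    4^{-n} * sum_{a,b} X^a Z^b rho Z^b X^a, which should equal I / 2^n."""
    dim = 2 ** n
    a_choices = list(itertools.product((0, 1), repeat=n)) if use_x else [(0,) * n]
    b_choices = list(itertools.product((0, 1), repeat=n)) if use_z else [(0,) * n]
    acc = [[0j] * dim for _ in range(dim)]
    for a in a_choices:
        for b in b_choices:
            P = pauli_string(a, b)
            M = matmul(matmul(P, rho), dagger(P))
            for i in range(dim):
                for j in range(dim):
                    acc[i][j] += M[i][j]
    count = len(a_choices) * len(b_choices)
    return [[v / count for v in row] for row in acc]


def distance_from_maximally_mixed(rho: Matrix, n: int) -> float:
    """Largest entrywise deviation of rho from I / 2^n."""
    dim = 2 ** n
    return max(abs(rho[i][j] - (1 / dim if i == j else 0))
               for i in range(dim) for j in range(dim))


# Constructed sample states: |+i> and |+> on one qubit, a Bell state on two qubits.
PLUS_I = [1 / math.sqrt(2), 1j / math.sqrt(2)]
PLUS = [1 / math.sqrt(2), 1 / math.sqrt(2)]
BELL = [1 / math.sqrt(2), 0, 0, 1 / math.sqrt(2)]

if __name__ == "__main__":
    for name, psi, n in [("|+i>", PLUS_I, 1), ("Bell", BELL, 2)]:
        rho = density(psi)
        print(name, "before pad:", distance_from_maximally_mixed(rho, n),
              "after pad:", distance_from_maximally_mixed(pauli_average(rho, n), n))
```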
2.2 Pseudorandom Quantum States Generators
Let us review pseudorandom quantum states generators (PRSGs) [C:JiLiuSon18, TCC:BraShm19, C:BraShm20]. The definition of PRSGs is given as follows.
Definition 1 (Pseudorandom quantum states generators (PRSGs) [C:JiLiuSon18, TCC:BraShm19, C:BraShm20]).
A pseudorandom quantum states generator (PRSG) is a QPT algorithm that, on input , outputs an qubit quantum state . As the security, we require the following: for any polynomial and any non-uniform QPT adversary , there exists a negligible function such that for all ,
where is the Haar measure on qubit states.
Remark 1.
In the most general case, is the following QPT algorithm: given an input , it first computes a classical description of a unitary quantum circuit , and next applies on the all-zero state to generate . It finally outputs the qubit state . However, is, on average, almost pure, because otherwise the security is broken by a QPT adversary who runs the SWAP test on two copies.^8 In this paper, for simplicity, we assume that is pure, and denote it by . The same results hold even if it is only negligibly close to pure. What generates is therefore with an ancilla state . In this paper, for simplicity, we assume that there is no ancilla state in the final state generated by , but actually the same results hold even if ancilla states exist. (See Section 3 and Section 4.) Moreover, [Kre21] considers the case with pure outputs and no ancilla state, and therefore restricting to the pure and no-ancilla case is enough for our purpose of showing the existence of commitments and digital signatures without one-way functions.
^8 Let us consider an adversary that runs the SWAP test on two copies of the received state and outputs the result of the SWAP test. When is sent with uniformly random , the probability that outputs 1 is . When the copies of Haar random states are sent, the probability that outputs 1 is 1. For the security, has to be satisfied, which means that the expected purity of , , has to be negligibly close to 1.
Interestingly, what we actually need for our construction of commitments (Section 3) is a weaker version of PRSGs where the security is satisfied only for . We call them single-copy-secure PRSGs:
Definition 2 (Single-copy-secure PRSGs).
A single-copy-secure pseudorandom quantum states generator (PRSG) is a QPT algorithm that, on input , outputs an qubit quantum state . As the security, we require the following: for any non-uniform QPT adversary , there exists a negligible function such that for all ,
where is the Haar measure on qubit states.
Remark 2.
Because a single copy of an qubit state sampled Haar randomly is equivalent to the qubit maximally mixed state, , the security of single-copy-secure PRSGs is in fact the computational indistinguishability of a single copy of from .
Remark 3.
As we have explained in Remark 1, in the definition of PRSGs (Definition 1), the output state of has to be negligibly close to pure (on average). When we consider single-copy-secure PRSGs (Definition 2), on the other hand, the SWAP-test attack does not work because only a single copy is available to adversaries. In fact, there is a trivial construction of a single-copy-secure PRSG whose output is not pure: for all . We therefore assume that the output of is pure, i.e., , when we consider single-copy-secure PRSGs.
Remark 4.
It could be the case that single-copy-secure PRSGs are easier to realize than (multi-copy-secure) PRSGs. In fact, the security proofs of the constructions of [C:JiLiuSon18, TCC:BraShm19] are simpler for . Furthermore, there is a simple construction of a single-copy-secure PRSG by using a pseudorandom generator . In fact, we have only to take for all .
Remark 5.
One might think that a single-copy-secure PRSG with is a pseudorandom generator (PRG), because if the qubit state is measured in the computational basis, the probability distribution of the measurement results is computationally indistinguishable from that (i.e., the bit uniform distribution) obtained when the qubit maximally mixed state is measured in the computational basis. This is, however, strange, because if it were true then the existence of single-copy-secure PRSGs would imply the existence of PRGs, which contradicts [Kre21]. The point is that measuring in the computational basis does not work as a PRG because the output is not obtained deterministically. (Remember that PRGs are deterministic algorithms.)
3 Commitments
In this section, we provide our construction of commitments, and show its security.
3.1 Definition
Let us first give a formal definition of non-interactive quantum commitments.
Definition 3 (Non-interactive quantum commitments (Syntax)).
A non-interactive quantum commitment scheme is the following protocol.
- Commit phase: Let be the bit to commit. The sender generates a quantum state on registers and , and sends the register to the receiver. The states can be generated in quantum polynomial time from the all-zero state.
- Reveal phase: The sender sends and the register to the receiver. The receiver does the measurement on the registers and . If the result is , the receiver outputs . Otherwise, the receiver outputs . Because can be generated in quantum polynomial time from the all-zero state, the measurement can be implemented efficiently.
The perfect correctness is defined as follows:
Definition 4 (Perfect correctness).
A commitment scheme satisfies perfect correctness if the following is satisfied: when the honest sender commits , the probability that the honest receiver opens is 1.
The computational hiding is defined as follows:
Definition 5 (Computational hiding).
Let us consider the following security game, , with the parameter between a challenger and a QPT adversary .
- generates and sends the register to .
- outputs , which is the output of the experiment.
We say that a noninteractive quantum commitment scheme is computationally hiding if for any QPT adversary there exists a negligible function such that,
As the definition of binding, we consider sum-binding [AC:Unruh16], which is defined as follows:
Definition 6 (Statistical sum-binding).
Let us consider the following security game between a challenger and an unbounded adversary :
- generates a quantum state on the three registers , , and .
- sends the register to , which is the commitment.
- If wants to make open , applies a unitary on the registers and . sends and the register to .
- does the measurement on the registers and . If the result is obtained, accepts . Otherwise, outputs .
Let be the probability that makes open :
We say that the commitment scheme is statistically sum-binding if for any unbounded there exists a negligible function such that
3.2 Construction
Let us explain our construction of commitments.^9 Let be a single-copy-secure PRSG that, on input , outputs an qubit state . The commit phase is the following.
^9 Another example of constructions is and . We have chosen the one we have explained, because the analogy to Naor’s commitment scheme is clearer.
- Let be the bit to commit. The sender generates
and sends the register to the receiver, where .
The reveal phase is the following.
- The sender sends the register and the bit to the receiver.
- The receiver measures the state with . If the result is , the receiver outputs . Otherwise, the receiver outputs . (Note that such a measurement can be done efficiently: first apply such that , and then measure all qubits in the computational basis to see whether all results are zero or not.)
It is obvious that this construction satisfies perfect correctness (Definition 4).
Remark 6.
Note that if we slightly modify the above construction, the communication in the reveal phase can be classical. In fact, we can show it for general settings. We will provide a detailed explanation of it in Appendix 0.A. Here, we give an intuitive argument. In general non-interactive quantum commitments (Definition 3), the sender who wants to commit generates a certain state on the registers and , and sends the register to the receiver, which is the commit phase. In the reveal phase, and the register are sent to the receiver. The receiver runs the verification algorithm on the registers and . Let us modify it as follows. In the commit phase, the sender chooses uniformly random and applies on the register of , where is the number of qubits in the register . The sender then sends both the registers and to the receiver. This ends the commit phase. In the reveal phase, the sender sends the bit to open and to the receiver. The receiver applies on the register and runs the original verification algorithm. Hiding is clear because, due to the quantum one-time pad, the register is effectively traced out from the receiver’s view before the reveal phase. Binding is also easy to understand: Assume a malicious sender of the modified scheme can break binding. Then, we can construct a malicious sender that breaks binding of the original scheme, because the malicious sender of the original scheme can simulate the malicious sender of the modified scheme.
Remark 7.
We also note that our construction of commitments can be extended to more general cases where ancilla qubits are used in PRSGs. Let us consider a more general PRSG that generates and outputs , where is an ancilla state. In that case, hiding and binding hold if we replace with
3.3 Computational Hiding
We show computational hiding of our construction.
Theorem 3.1 (Computational hiding).
Our construction satisfies computational hiding.
Proof of Theorem 3.1.
Let us consider the following security game, , which is the same as the original experiment.
- The challenger generates
and sends the register to the adversary , where .
- outputs , which is the output of this hybrid.
Let us define as follows:
- If , chooses a Haar random qubit state , and sends it to . If , generates and sends the register to .
- outputs , which is the output of this hybrid.
Lemma 2.
for each .
Proof of Lemma 2.
It is clear that
Let us show
To show it, assume that
is non-negligible. Then, we can construct an adversary that breaks the security of PRSGs as follows. Let be the parameter of the security game of PRSGs.
- The challenger of the security game of PRSGs sends the state with uniformly random if and a Haar random state if .
- sends the received state to .
- outputs the output of .
If , it simulates . If , it simulates . Therefore, breaks the security of PRSGs. ∎
Let us define as follows:
- The challenger chooses a Haar random qubit state , and sends it to the adversary.
- The adversary outputs , which is the output of this hybrid.
Lemma 3.
for each .
Proof of Lemma 3.
is clear. Let us show
To show it, assume that
is non-negligible. Then, we can construct an adversary that breaks the security of PRSGs as follows. Let be the parameter of the security game of PRSGs.

The challenger of the security game of PRSGs sends the state with uniform random if and a Haar random state if .

applies with uniform random , and sends the state to .

outputs the output of .
If , it simulates . If , it simulates . Therefore, breaks the security of PRSGs. ∎
3.4 Statistical Binding
Let us show that our construction satisfies statistical sum-binding.
Theorem 3.2 (Statistical sum-binding).
Our construction satisfies statistical sum-binding.
Proof of Theorem 3.2.
Let
be the fidelity between two states and . Then we have
Here, we have used the facts that if , , and that for any bipartite states , , where and .
Therefore,
In the first inequality, we have used the fact that for any states ,
is satisfied [NayakShor]. In the fourth equality, is the diagonalization of . In the sixth inequality, we have used the Cauchy–Schwarz inequality. In the seventh inequality, we have used . In the last inequality, we have used for a constant . ∎
4 Digital Signatures
In this section, we provide our construction of digital signatures and show its security. For that goal, we first define OWSGs (Definition 7), and show that PRSGs imply OWSGs (Lemma 4).
4.1 One-way Quantum States Generators
For the construction of our signature scheme, we introduce OWSGs, which are defined as follows:
Definition 7 (One-way quantum states generators (OWSGs)).
Let be a QPT algorithm that, on input , outputs a quantum state . Let us consider the following security game, , between a challenger and a QPT adversary :

chooses .

runs times.

sends to .

sends to .

measures with . If the result is , the output of the experiment is 1. Otherwise, the output of the experiment is 0.
We say that is a one-way quantum states generator (OWSG) if for any and for any QPT adversary there exists a negligible function such that
Remark 8.
Note that another natural definition of one-wayness is that given it is hard to find . However, as we will see later, it is not useful for our construction of digital signatures.
Remark 9.
The most general form of is as follows: on input , it computes a classical description of a unitary quantum circuit , applies on to generate , and outputs . However, because plays the role of a public key in our construction of digital signatures, we assume that is pure. (It is not natural if public keys and secret keys are entangled.) In that case, , where is an ancilla state. For simplicity, we assume that there is no ancilla state: . In that case, the measurement by the challenger in Definition 7 can be done as follows: the challenger first applies on the state and then measures all qubits in the computational basis. The all-zero measurement result corresponds to and other results correspond to . Even if ancilla states exist, however, the same result holds. In that case, the verification of the challenger in Definition 7 is modified as follows: given , it generates to obtain , applies on , and measures all qubits in the computational basis. If the result is all zero, it accepts, i.e., the output of the experiment is 1. Otherwise, it rejects.
We can show the following:
Lemma 4 (PRSGs imply OWSGs).
If a pseudorandom quantum states generator with for a constant exists, then a one-way quantum states generator exists.
Proof of Lemma 4.
Assume that of the security game of Definition 7 with is non-negligible. Then we can construct an adversary that breaks the security of PRSGs as follows. Let be the parameter of the security game for PRSGs.

If , the challenger of the security game for PRSGs chooses , runs times, and sends to . If , the challenger of the security game for PRSGs sends copies of Haar random state to . In other words, receives , where if and if .

sends to .

outputs .

measures with . If the result is , outputs 1. Otherwise, outputs 0.
It is clear that
By assumption, is non-negligible, and therefore is also non-negligible. On the other hand,