Fully Simulatable Quantum-Secure Coin-Flipping and Applications
We propose a coin-flip protocol which yields a string of strong, random coins and is fully simulatable against poly-sized quantum adversaries on both sides. It can be implemented with quantum-computational security without any set-up assumptions, since our construction only assumes mixed commitment schemes which we show how to construct in the given setting. We then show that the interactive generation of random coins at the beginning or during outer protocols allows for quantum-secure realizations of classical schemes, again without any set-up assumptions. As example applications we discuss quantum zero-knowledge proofs of knowledge and quantum-secure two-party function evaluation. Both applications assume only fully simulatable coin-flipping and mixed commitments. Since our framework allows us to construct fully simulatable coin-flipping from mixed commitments, this in particular shows that mixed commitments are complete for quantum-secure two-party function evaluation. This seems to be the first completeness result for quantum-secure two-party function evaluation from a generic assumption.
💡 Research Summary
This paper addresses a fundamental problem in quantum‑secure cryptography: how two mutually distrusting parties can generate a shared random string when the adversary may have quantum computational power, while a polynomial‑time simulator still exists for a corrupt party on either side. The authors propose a coin‑flipping protocol that outputs a string of random coins and is fully simulatable against any polynomial‑size quantum adversary corrupting either party. The construction relies only on mixed commitment schemes: a commitment whose public key comes in two computationally indistinguishable flavours, an unconditionally hiding key (with an equivocation trapdoor that lets a simulator open a commitment to any value) and an unconditionally binding key (with an extraction trapdoor that lets a simulator recover the committed value from the commitment alone). The authors show how to instantiate such mixed commitments in the quantum‑computational setting, for example from the Learning‑with‑Errors (LWE) problem.
The paper first defines a hierarchy of security notions for coin‑flipping, from weaker notions up to the strong notion of full simulation against both sides. It then presents a series of amplification transformations that, starting from a weak coin‑flipping protocol, produce a protocol with stronger guarantees. Crucially, each amplification step uses only mixed commitments and does not require any setup assumption such as a Common Reference String (CRS). The final protocol achieves full simulatability: a quantum polynomial‑time simulator can generate a view indistinguishable from a real execution for both a cheating Alice and a cheating Bob, without rewinding the quantum adversary. Rewinding is the standard tool in classical simulation proofs, but in the quantum setting it is severely restricted, because measuring the adversary's state disturbs it and an intermediate quantum state cannot be copied and later restored.
The security proof is carried out in the standard simulation‑based framework (real/ideal world paradigm). The authors formalize correctness (the output distribution matches the ideal functionality) and computational security against dishonest parties using quantum‑polynomial indistinguishability (q‑≈). The key technical insight is that the trapdoors of the mixed commitment let the simulator run straight‑line, without rewinding: under a binding‑mode key the simulator holds the extraction trapdoor and reads the adversary's committed value as soon as the commitment arrives; under a hiding‑mode key it holds the equivocation trapdoor and can later open its own commitment to whatever value the ideal functionality dictates. Because the two key types are computationally indistinguishable, the adversary cannot tell which mode it is running in, so the simulated view is indistinguishable from a real one. By carefully orchestrating which mode is in force at each amplification step, the authors obtain a protocol whose simulator produces a consistent, indistinguishable transcript for any quantum adversary on either side.
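To make the two trapdoor mechanics concrete, the following is an added example and not code from the paper or its authors: a toy mixed (dual‑mode) commitment in the Groth–Ostrovsky–Sahai style over a tiny DDH group, a Blum‑style coin‑flip built on it, and the two simulation strategies described above (extraction against a corrupt Alice under a binding key, equivocation against a corrupt Bob under a hiding key). The group parameters (p = 2039, q = 1019, g = 4), the 8‑bit coin length, the simple adversaries, and the fact that the simulator already holds a key in the mode it needs are all assumptions of the example; how the parties agree on the key is outside its scope, and the paper's own instantiation is lattice‑based rather than DDH‑based. DDH is not quantum‑hard and the parameters are tiny, so the block illustrates extraction and equivocation, not quantum security.

```python
"""Toy GOS-style mixed commitment + Blum coin-flip with straight-line simulators.
Added illustration, not the paper's construction. Toy parameters: NOT secure."""
import secrets

P, Q, G = 2039, 1019, 4   # p = 2q + 1, both prime; G = 2^2 generates the order-Q subgroup of Z_p^*
LAMBDA = 8                # coins are LAMBDA-bit strings encoded as integers < 2**LAMBDA < Q


def keygen(mode):
    """Key (h, u, v) = (G^x, G^a, u^y). binding: y == x (a DDH tuple); hiding: y != x.
    Trapdoor (x, a, y) extracts in binding mode and equivocates in hiding mode."""
    x, a = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    y = x if mode == "binding" else (x + 1 + secrets.randbelow(Q - 1)) % Q  # any y != x
    u = pow(G, a, P)
    return (pow(G, x, P), u, pow(u, y, P)), (x, a, y)


def _com(pk, m, r, s):
    h, u, v = pk
    return (pow(G, r, P) * pow(u, s, P) % P,
            pow(h, r, P) * pow(v, s, P) * pow(G, m, P) % P)


def commit(pk, m):
    """Returns (commitment, opening); opening = (m, r, s)."""
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return _com(pk, m, r, s), (m, r, s)


def verify(pk, com, opening):
    m, r, s = opening
    return 0 <= m < 2 ** LAMBDA and com == _com(pk, m, r, s)


def extract(td, com):
    """Binding mode: B / A^x = G^m, then solve the tiny discrete log by search."""
    x, a, y = td
    if y != x:
        raise ValueError("extraction needs a binding-mode key")
    A, B = com
    gm = B * pow(A, (-x) % Q, P) % P          # A has order Q, so A^(Q-x) = A^(-x)
    return next((m for m in range(2 ** LAMBDA) if pow(G, m, P) == gm), None)


def equivocate(td, opening, m_new):
    """Hiding mode: re-open the SAME commitment to m_new. The exponents (r, s) map linearly to
    the exponents of (A, B); since y != x the map is invertible, so any m_new has an opening."""
    x, a, y = td
    if y == x:
        raise ValueError("equivocation needs a hiding-mode key")
    m, r, s = opening
    t1 = (r + a * s) % Q                          # exponent of A, must stay fixed
    t2 = (x * r + a * y * s + m - m_new) % Q      # exponent of B minus the new message
    s_new = (t2 - x * t1) * pow(a * (y - x) % Q, -1, Q) % Q
    r_new = (t1 - a * s_new) % Q
    return (m_new, r_new, s_new)


def coin_flip(pk, alice_coin, bob_coin):
    """Honest Blum-style run: Alice commits, Bob sends b, Alice opens, output is a XOR b."""
    com, opening = commit(pk, alice_coin)      # round 1: Alice -> Bob
    b = bob_coin                               # round 2: Bob -> Alice
    return (opening[0] ^ b) if verify(pk, com, opening) else None   # round 3: Bob checks


def simulate_corrupt_alice(pk, td, corrupt_alice, target):
    """Binding key: read a out of Alice's commitment, then pick b so the output is `target`.
    `corrupt_alice(pk)` returns (commitment, opening); Alice is never rewound."""
    com, opening = corrupt_alice(pk)
    a = extract(td, com)
    if a is None:                              # committed outside the coin space: honest Bob rejects
        return None
    b = target ^ a
    return (a ^ b) if verify(pk, com, opening) else None


def simulate_corrupt_bob(pk, td, corrupt_bob, target):
    """Hiding key: commit to a dummy, learn b (which may depend on the commitment), then
    equivocate the opening so the output is `target`. `corrupt_bob(com)` returns b."""
    com, dummy = commit(pk, 0)
    b = corrupt_bob(com)
    opening = equivocate(td, dummy, target ^ b)
    return (opening[0] ^ b) if verify(pk, com, opening) else None


if __name__ == "__main__":
    pk_b, td_b = keygen("binding")
    pk_h, td_h = keygen("hiding")
    print("honest run      :", coin_flip(pk_h, 0x3C, 0x5A) == 0x3C ^ 0x5A)
    print("sim vs Alice    :", simulate_corrupt_alice(pk_b, td_b, lambda pk: commit(pk, 0xA5), 0x77))
    print("sim vs Bob      :", simulate_corrupt_bob(pk_h, td_h, lambda c: (c[0] ^ c[1]) & 0xFF, 0x77))
```

In both simulations the adversary is never rewound: against Alice the simulator learns a from the commitment before choosing b, and against Bob it fixes a only after seeing b. The two keys differ only in whether v = u^x holds, which is exactly a DDH instance, so a (classical) adversary that cannot decide DDH cannot tell which simulation strategy is in play; the paper obtains the same key indistinguishability from a quantum‑hard assumption instead.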
Having built a robust, setup‑free coin‑flipping primitive, the paper demonstrates two important applications:
- Quantum‑Secure Zero‑Knowledge Proofs of Knowledge (ZK‑PoK). The authors design a witness‑encoding scheme that transforms a classical witness into an encoded form compatible with mixed commitments. The coin‑flipping protocol supplies the random string that would otherwise have to come from a CRS. The simulator, using the trapdoors of the mixed commitment, can produce a convincing proof without a witness for any quantum verifier while preserving zero‑knowledge, and the extraction property supports the proof‑of‑knowledge extractor. This yields a quantum‑secure ZK‑PoK without any set‑up assumptions.
- Quantum‑Secure Two‑Party Function Evaluation (2PFE). Starting from an oblivious transfer (OT) protocol built from mixed commitments and secure against passive quantum adversaries, the authors obtain active security with standard compiler techniques, the coin‑flip providing the shared random coins the compiled protocol requires. The resulting protocol enables two parties to jointly evaluate any classical polynomial‑time function f with security against active quantum adversaries, again without any setup assumptions. Since fully simulatable coin‑flipping is itself built from mixed commitments, mixed commitments are complete for quantum‑secure 2PFE, which the authors note appears to be the first completeness result for this task from a generic assumption.
The paper concludes by highlighting open problems, most notably the construction of a constant‑round fully simulatable coin‑flipping protocol that outputs a long random string in a single execution—a task that remains unresolved. The authors suggest that their amplification framework could serve as a stepping stone toward this goal and that mixed commitments might be instantiated from other post‑quantum assumptions to improve efficiency.
In summary, the work makes three major contributions: (i) a setup‑free, fully simulatable quantum‑secure coin‑flipping protocol built from mixed commitments; (ii) a technical toolkit that avoids quantum rewinding by leveraging the extraction and equivocation trapdoors of mixed commitments; and (iii) concrete applications to quantum‑secure zero‑knowledge proofs of knowledge and two‑party function evaluation, establishing mixed commitments as a complete primitive for these tasks. This advances the state of the art in quantum cryptographic protocol design and opens new avenues for building higher‑level quantum‑secure primitives without relying on trusted setup.