With the rise of artificial intelligence and machine learning, a new wave of private information is being flushed into applications. This development raises privacy concerns, as private datasets can be stolen or abused for non-authorized purposes. Secure function computation aims to solve such problems by allowing a service provider to compute functions of datasets in the possession of a a data provider without reading the data itself. A foundational primitive for such tasks is Bit Commitment (BC), which is known to be impossible to realize without added assumptions. Given the pressing nature of the topic, it is thus important to develop BC systems and prove their security under reasonable assumptions. In this work, we provide a novel quantum optical BC protocol that uses the added assumption that the network provider will secure transmission lines against eavesdropping. Under this added assumption, we prove security of our protocol in the honest but curious setting and discuss the hardness of Mayer's attack in the context of our protocol.
requirements (memory size, coherence time, synchronization accuracy) that experimentalists can target. Thus, assumption-based protocols offer a pragmatic pathway to realizing advanced two-party primitives (like BC and oblivious transfer) in the quantum era, providing a bridge between theoretical limits and physically implementable security. The works of [11], [12] expanded the scope of the known no-go results to further protocol classes and more generic quantum systems. In [13], the authors showed that quantum BC becomes possible when only separable operations are allowed for the committing party.
In this work we provide a novel protocol starting out from the assumption that network connections will be secured by the network provider. The provider thus becomes a Trusted Third Party (TTP). In a realistic use of our protocol where the transmittivity τ of the link connecting Alice and Bob satisfies τ < 1, the provider ensures that Bob cannot access the link at a different position and thereby change τ in his favor. In addition, our discussion will reveal that the provider could ensure τ ≪ 1 for protocol efficiency.
Basics: For every M ∈ N we set [M ] := {0, . . . , M -1} and let ⊕ denote addition module M on [M ], and ⊖ the respective subtraction. When ⊕ or ⊖ are involved, M will be implicit from the context. The set of probability measures on a finite set A is written P(A), and the set of states on a Hilbert space H is P(H). The trace of an operator A on H is tr(A), the scalar product of x, y ∈ H ⟨x, y⟩. The Kronecker delta is δ mn = 1 iff m = n and δ x = 1 iff x = 1. The one-norm on P(H) is denoted as ∥ • ∥ 1 . We note that it has an operational interpretation as the maximum probability of a given measurement for distinguishing two quantum states ϱ, ς: ∥ϱ -
For a ∈ [0, 1] we set a ′ := 1 -a. The single-mode Fock space is F . It is spanned by the photon number basis {|n⟩} ∞ n=0 and has corresponding sub-spaces F N := span{|0⟩, . . . , |N ⟩} with restricted photon numbers and corresponding projections P N := N n=0 |n⟩⟨n|. On F , we use the usual creation operators â † which act as â † |n⟩ = √ n + 1|n + 1⟩. We will need another important type of state: The so-called coherent states |α⟩. For a generic complex number α, the corresponding coherent state is defined as
A measurement of the photon number operator on |α⟩ yields result n ∈ N with probability |α| 2n /n!. Finally, the Wigner function of the state ρ is a quasiprobability distribution on phase space (x, p) ∈ R 2n which is defined as W ρ (x, p) = 1 (πℏ) ∞ -∞ ⟨x -y|ρ|x + y⟩e 2ipy/ℏ dy. The Wigner function of a convex combination p(α)|α⟩⟨α|dα is always non-negative and equal to the convolution of p with a Gaussian: W (ρ)(x, p) = p(α)e -|α-x-ip| 2 dα. In this case, they describe the statistics of a homodyne measurement and bear operational significance.
Definition 1 (ϵ-Security): A bit commitment protocol needs to be binding (implying that Alice cannot change her mind after she committed to a bit b) and concealing (meaning that Bob cannot learn the value of b before Alice reveals it). The protocol that we propose here is only approximately binding and concealing. In order to assess its quality via a single number we define the notion of ϵ-security. The protocol is said to be ϵ secure if the probability that Bob can learn b before Alice reveals it is upper bounded by ϵ and at the same time the probability that Alice can cheat and change her mind regarding her commitment is upper bounded by ϵ.
Remark 1 (Trusted Third Party): For sake of simplicity, we assume τ = 1 in our technical derivations.
The protocol assumes system parameters such as the received energy E of the signals and the number k of signals which together form a commitment are fixed and agreed upon between Alice and Bob.
Commitment: Alice commits to a bit b and samples a random string m k ∈ [M ] k . She then prepares the state
and sends this state to Bob.
Opening: Alice sends (b, m k ) to Bob. He displaces the state he received from Alice by applying displacements D(-2π
). He then measures in the photon number basis. Upon measuring the result A = (0, . . . , 0) he accepts Alice’s claim. If his measurement result is not equal to A he rejects and the protocol aborts with an error.
Remark 2: After receiving Alice’s commitment and without any extra knowledge, Bob holds either one of σ ⊗k 0 or σ ⊗k 1 . Upon choosing the appropriate parameters E, k and M the protocol ensures that both code states σ ⊗k 0 , σ ⊗k b are almost identical to ρ ⊗k . This ensures that the protocol is hiding. To understand why it is also binding, note that after Alice reveals (b, m k ) Bob’s state changes to a specific coherent state. Assuming Bob is equipped with a perfect photon counting device plus the ability to perform a displacement operation, he can test whether the state he holds equals the one that he should have if Alice did not cheat. This measurement will succeed with high probability, making it hard for Al
This content is AI-processed based on open access ArXiv data.