1. Introduction
One of the most basic building blocks of complex cryptosystems is commitment schemes. A commitment scheme is a protocol that allows two mistrustful parties to interact in order to communicate some information that is set up a priori by the sender and that the receiver can only unveil at a later stage. In other words, it is just as if the message was sent inside a locked box, which can only be opened after the sender hands the key over to the receiver. The protocol is secure if the receiver cannot learn the message before the sender wishes to unveil it, and the sender cannot change the message after committing to it. Commitment schemes are used in several protocols, such as coin flipping, zeroknowledge proofs, and secure multiparty computation [
1,
2,
3,
4]. Since any weakness in the building blocks affects the security of the overall system, it is important to ensure that they are highly reliable.
Unfortunately, classical bit commitment (BC) schemes cannot be simultaneously unconditionally secure against a corrupted sender and a corrupted receiver, and Canetti and Fischlin proved that universally composable (UC) BC is impossible in the plain model [
5]. Together with the impossibility proof, a UC commitment protocol in the common reference string model is provided in [
5]. Similarly to the common reference string, the random oracle assumption also allows the existence of UC commitments [
6,
7].
In 1996, Lo and Chau [
8] and independently Mayers [
9] proved a nogo theorem for unconditionally secure quantum BC in the standard nonrelativistic quantum cryptographic framework. Since then, many protocols relying on additional assumptions have been presented. Entanglement is one of the most extraordinary effects in quantum mechanics, and it is crucially important for quantum computing and quantum cryptography. There are multiple commitment schemes using EPR pairs, such as the one in [
10], which is a purified analog of [
11], and the relativistic and unconditionally secure protocols in [
12] (note that, although secure commitment schemes can be obtained through the exploitation of relativistic constraints, these types of protocols are challenging to implement).
In this paper, we propose a new private commitment protocol, i.e., a commitment where the message is never announced, nor can it be derived from the messages exchanged between the parties. This property is attained through the use of entanglement. Since commitment protocols are mostly used as cryptographic primitives, it is of the utmost importance to study their security in different computational environments. As such, a strong emphasis is placed on the composability of these protocols. After characterizing the commitment functionality, the EPR pair trusted source functionality, and the random oracle functionality in
Section 2, we show in
Section 3 that these last two functionalities can be used as a resource to achieve a private commitment protocol with composable security, which is proven in
Section 4. In
Section 5, we analyze the security of the protocol in the bad PUF attack model.
Section 6 features our final conclusions alongside with some directions for future work.
2. Preliminaries
A bit commitment protocol starts with the commitment phase, during which Alice chooses the value m she wants to commit to, and generates the pair $(c,d)$. c is the commitment, which she immediately sends to Bob (who outputs a receipt message), and d is the decommitment, which she keeps to herself. In the opening phase, Alice sends $(b,d)$ to Bob, who can either accept or reject. The protocol is said to be concealing if Bob cannot learn Alice’s committed message m before the opening phase, and binding if Alice cannot change her committed message m after the commitment phase.
The security of commitment protocols can be studied from a standalone perspective, with the requirements of concealingness and bindingness. However, since commitments are generally used as a subroutine of more complex tasks, it becomes mandatory for protocols to be secure in any computational environment. In a composable security proof, the parties running the protocol are considered as a single big party which must be indistinguishable from a simulated machine running an ideal functionality for commitment (see
Figure 1).
In the protocol described in the next section, we assume that the parties have access to two different resources. The first one is an EPR pair trusted source modeled by the functionality in
Figure 2. Note that the existence of this source is a very reasonable assumption since entanglement distribution has already been successfully implemented [
13,
14]. Before the beginning of the protocol, Alice and Bob can additionally sacrifice a small number of entangled pairs to estimate their correlation by using an algorithm such as the one described in Section 6.2 of [
15]. Even if noisy quantum channels result in a loss of entanglement, the parties can run an entanglement distillation protocol and transform nonmaximally entangled shared pairs into a smaller number of maximally entangled ones by using only local operations and classical communication (e.g., [
16,
17]—the last one is significantly less effective than the first, but has the advantage of being within the reach of current technology).
The second required resource, described by the functionality
${\mathcal{F}}_{RO}$ in
Figure 3, is named random oracle and behaves as an ideal cryptographic hash function, i.e., it maps each query to a fixed and uniformly random output in its range.
It is essential in our proof that a quantum computer cannot call the random oracle in superposition. Therefore, a realizable random oracle implementation cannot be a cryptographic hash function such as Secure Hash Algorithm (SHA).This fact makes the random oracle quite a strong assumption; nevertheless, it can be realized using physical unclonable functions (PUFs). PUFs are physical systems with some microscale structural disorder, which is assumed to be unique to each PUF and unclonable even by the PUF manufacturer. When external stimuli (challenges) are applied to a PUF, its response will depend on the disorder of the device. Therefore, each PUF
P implements a unique function
${f}_{P}$ that gives responses
$r={f}_{P}\left(c\right)$ to challenges
c. For more about PUFs, we refer to [
18,
19,
20,
21]. PUFs have a classical interface, and cannot be run in superposition, even by an allpowerful quantum adversary.
3. The Proposed Protocol
One of the characteristics of ${\mathcal{F}}_{COM}$, the functionality for commitments, is that the message is never publicly announced. In most of the existing commitment protocols, nonetheless, the opening step includes sending the message over a public channel. Here, we propose a protocol (Protocol 1) that is not only composable, but also preserves the privacy of the message. We note that the privacy property is vulnerable to maninthemiddle attacks: a third party, Eve, can pretend to be the EPR pair trusted source and send different sets of EPR pairs to Alice and Bob and then forward any received message. This can be prevented by adding an authenticated channel between Alice and Bob, as similarly done in quantum key distribution protocols.
The protocol will use as a resource the EPR pair trusted source functionality (
Figure 2) and the random oracle functionality (
Figure 3) presented in the previous section. It needs two instances of
${\mathcal{F}}_{RO}$:
${\mathsf{H}}_{1}$ with range
${\{0,1\}}^{2n}$ and
${\mathsf{H}}_{2}$ with range
${\{0,1\}}^{n}$. Note that, unfortunately, we cannot use the weaker version of the RO, the global RO [
7], since the programmability of the oracle is a key point of our security proof.
Protocol 1 Private Quantum Bit String Commitment. 
Message to be shared: $m={m}_{1}\dots {m}_{2n}$. 
Setup: Alice chooses a message size $2n$ and sends the value n to ${\mathcal{F}}_{EPR}$. The functionality prepares the state $\psi \rangle ={\u2a02}_{i=1}^{n}\phantom{\rule{0.166667em}{0ex}}{\Psi}_{00}\rangle $ and sends the odd qubits to Alice and the even ones to Bob. 
Commitment phase:  1.
To commit to a message m, Alice generates an uniformly random basis string $b\in {\{\{0\rangle ,1\rangle \},\{+\rangle ,\rangle \}\}}^{n}$, where $+\rangle ={\displaystyle \frac{0\rangle +1\rangle}{\sqrt{2}}}$ and $\rangle ={\displaystyle \frac{0\rangle 1\rangle}{\sqrt{2}}}$, and measures each of her qubits i in the basis ${b}_{i}$, obtaining outcomes $O\in {\{0,1\}}^{n}$. She then sends Bob the strings ${c}_{1}=m\oplus {\mathsf{H}}_{1}\left(b\rightO)$ and ${c}_{2}={\mathsf{H}}_{2}\left(b\right)$, where $bO$ is the concatenation of b and O. Opening phase:  2.
Alice sends the bases b to Bob.  3.
If ${\mathsf{H}}_{2}\left(b\right)={c}_{2}$, Bob accepts the opening, measures each of his qubits i in the basis ${b}_{i}$, obtaining outcomes ${O}^{\prime}\in {\{0,1\}}^{n}$, and calculates $m={c}_{1}\oplus {\mathsf{H}}_{1}\left(b\right{O}^{\prime})$. Otherwise, he rejects.

4. Security Analysis
We proceed now to prove the security of Protocol 1 in the Abstract Cryptography framework [
22] instantiated with quantum Turing machines [
23]. The equivalences that need to be satisfied are depicted in
Figure 4.
Theorem 1. Protocol 1 is composably secure. That is, the proposed commitment protocol constructs, from ${\mathcal{F}}_{EPR}$ and ${\mathcal{F}}_{RO}$, a resource that is within a negligible distance from the ideal resource ${\mathcal{F}}_{COM}$, where simulators and distinguishers are modeled as quantum Turing machines.
Proof. This proof will be divided into three parts, one for each of the required equivalences. □
4.1. Soundness
Let
$\psi \rangle $ be the overall state of the system after Step 1. Note that
so, when Alice measures each of her qubits, the corresponding EPR pair will collapse to either
$00\rangle $ or
$11\rangle $ (for
${b}_{i}=\{0\rangle ,1\rangle \}$), or to either
$++\rangle $ or
$\rangle $ (for
${b}_{i}=\{+\rangle ,\rangle \}$). Therefore, when Bob measures each of his qubits
i in the basis
${b}_{i}^{\prime}={b}_{i}$ he received from Alice in the opening phase, he will get exactly the same outcome as Alice,
${O}_{i}^{\prime}={O}_{i}$, implying that
${\mathsf{H}}_{1}\left({b}^{\prime}\right{O}^{\prime})={\mathsf{H}}_{1}\left(b\rightO)$. Bob will then retrieve the message successfully, since
${c}_{1}\oplus {\mathsf{H}}_{1}\left({b}^{\prime}\right{O}^{\prime})=m\oplus {\mathsf{H}}_{1}\left(b\rightO)\oplus {\mathsf{H}}_{1}\left({b}^{\prime}\right{O}^{\prime})=m$.
4.2. Concealingness
Given any behavior of a dishonest receiver, we have to construct a simulator ${\sigma}_{B}$ that simulates ${\mathsf{H}}_{1}$, ${\mathsf{H}}_{2}$, and ${\mathcal{F}}_{EPR}$ and provides the receiver with a commitment that can later be opened to the message in ${\mathcal{F}}_{COM}$. Consider the following program for ${\sigma}_{B}$:
Simulation of ${\mathsf{H}}_{1}$: Whenever ${\sigma}_{B}$ receives the query $bO$ to ${\mathsf{H}}_{1}$, it answers with $h=m\oplus {c}_{1}$. In all other cases, it returns a value h as the ideal functionality would do and keeps $(q,h)$ on a list of queries and respective answers.
Simulation of ${\mathsf{H}}_{2}$: Whenever ${\sigma}_{B}$ receives queries q to ${\mathsf{H}}_{2}$, it returns a value h as the ideal functionality would do and keeps $(q,h)$ on a list of queries and respective answers.
Simulation of ${\mathcal{F}}_{EPR}$: During the setup phase, ${\sigma}_{B}$ generates the state $\psi \rangle ={\u2a02}_{i=1}^{n}\phantom{\rule{0.166667em}{0ex}}{\Psi}_{00}\rangle $, sends the even qubits to the corrupted receiver and keeps the odd ones to itself.
During the commitment phase, upon receiving the receipt from ${\mathcal{F}}_{COM}$, ${\sigma}_{B}$ chooses two uniformly random strings, ${c}_{1}\in {\{0,1\}}^{2n}$ and $b\in {\{\{0\rangle ,1\rangle \},\{+\rangle ,\rangle \}\}}^{n}$, and measures each of its qubits i in the basis ${b}_{i}$, obtaining outcomes $O\in {\{0,1\}}^{n}$. It then sends ${c}_{1}$ and ${c}_{2}={\mathsf{H}}_{2}\left(b\right)$ to the corrupted receiver.
During the opening phase, upon receiving the message m from ${\mathcal{F}}_{COM}$, ${\sigma}_{B}$ sends the bases b to the corrupted receiver.
The behavior of ${\sigma}_{B}$ is the same regardless of the message that was sent to ${\mathcal{F}}_{COM}$, and hence there is no algorithm for the dishonest receiver allowing him to guess the committed message with probability greater than $1/{2}^{2n}$.
4.3. Bindingness
Given any behavior of a dishonest sender, we have to construct a simulator ${\sigma}_{A}$ that simulates ${\mathsf{H}}_{1}$, ${\mathsf{H}}_{2}$, and ${\mathcal{F}}_{EPR}$ and retrieves the message m from the sender’s commitment values and sends it to ${\mathcal{F}}_{COM}$. It must also be able to detect when the sender is cheating and, whenever that happens, not send the opening message to ${\mathcal{F}}_{COM}$. Consider the following program for ${\sigma}_{A}$:
Simulation of ${\mathsf{H}}_{1}$ and ${\mathsf{H}}_{2}$: Whenever ${\sigma}_{A}$ receives queries q to ${\mathsf{H}}_{1}$ or ${\mathsf{H}}_{2}$, it returns a value h as the ideal functionality would do and keeps $(q,h)$ on a list of queries and respective answers.
Simulation of ${\mathcal{F}}_{EPR}$: During the setup phase, ${\sigma}_{A}$ generates the state $\psi \rangle ={\u2a02}_{i=1}^{n}\phantom{\rule{0.166667em}{0ex}}{\Psi}_{00}\rangle $, sends the odd qubits to the corrupted sender and keeps the even ones to itself.
During the commitment phase, upon receiving the commitment strings ${c}_{1}$ and ${c}_{2}$ from the corrupted sender, ${\sigma}_{A}$ sends $m={c}_{1}\oplus {\mathsf{H}}_{1}\left(b\rightO)$ to ${\mathcal{F}}_{COM}$.
During the opening phase, upon receiving the basis string ${b}^{\prime}$ from the corrupted sender, ${\sigma}_{A}$ sends the message ‘open’ to ${\mathcal{F}}_{COM}$ if ${b}^{\prime}=b$. Otherwise, it does not open the commitment.
The real world receiver outputs error whenever the string ${b}^{\prime}$ sent by the sender is such that ${\mathsf{H}}_{2}\left({b}^{\prime}\right)\ne {\mathsf{H}}_{2}\left(b\right)$. From the soundness property, we know that, when ${b}^{\prime}=b$, the receiver correctly retrieves the message. We are interested in the situation where ${b}^{\prime}\ne b$ (in which case the commitment will not be opened in the ideal world) and ${\mathsf{H}}_{2}\left({b}^{\prime}\right)={\mathsf{H}}_{2}\left(b\right)$. Since ${\mathcal{F}}_{RO}$ is collisionresistant, this can only happen with negligible probability.
The addition of an authenticated communication channel makes this protocol a private and composable commitment protocol, which is yet to be achieved by classical cryptography based on the same assumptions.
5. Analysis in the Realistic Bad PUF Model
In order to study the security of PUF applications in a realistic scenario, the bad PUF attack model is described in [
19]. In the bad PUF model, the fact that PUFs are real physical objects is exploited, and we consider both the simulatable bad PUFs, which possess a simulation algorithm that can be used by the manufacturer to compute responses to challenges and the challengelogging bad PUFs, which allow the manufacturer to access a memory module in the device and read all the challenges applied to it (this malicious feature could also be added by an adversary after the construction of the PUF).
In our brief analysis, we consider that, in the proposed protocol (Protocol 1), the RO is replaced by PUFs. We may additionally suppose that the manufacturer (Alice, in our protocol), when in possession of a PUF, can program its responses to challenges. In this case, Alice should send ${\mathsf{H}}_{1}$ to Bob at the end of the commitment phase, or else it would be easy for her to open a different message of her choosing without being caught. Protocol 2 describes a secure commitment in the bad PUF model where the adversary can program PUF responses. The requirement that the basis string b is a codeword of a minimum distance code will be important to guarantee security against a dishonest Alice. Note that, since the PUF responses may be programmed, ${\mathsf{H}}_{2}$ can no longer be used by Bob to check the validity of the opening information and thus Protocol 2 only requires one PUF (represented by ${\mathsf{H}}_{1}$). Instead, contrary to what happened in Protocol 1, Alice reveals the outcomes of her measurements in the opening phase. Bob then compares the revealed outcomes with his own measurement results in order to either accept or reject the opening. This does not affect the privacy of the protocol since only Bob has access to the PUF ${\mathsf{H}}_{1}$ after the commitment phase.
Protocol 2 Quantum Bit String Commitment with PUFs. 
Message to be shared: $m={m}_{1}\dots {m}_{2n}$. 
Setup: Alice chooses a message size $2n$ and sends the value n to ${\mathcal{F}}_{EPR}$. The functionality prepares the state $\psi \rangle ={\u2a02}_{i=1}^{n}\phantom{\rule{0.166667em}{0ex}}{\Psi}_{00}\rangle $ and sends the odd qubits to Alice and the even ones to Bob. Alice prepares the PUF ${\mathsf{H}}_{1}$. 
Commitment phase:  1.
To commit to a message m, Alice generates a uniformly random basis string $b\in {\{\{0\rangle ,1\rangle \},\{+\rangle ,\rangle \}\}}^{n}$ such that b is a codeword of some preagreed code with minimum distance d and where $+\rangle ={\displaystyle \frac{0\rangle +1\rangle}{\sqrt{2}}}$ and $\rangle ={\displaystyle \frac{0\rangle 1\rangle}{\sqrt{2}}}$. She measures each of her qubits i in the basis ${b}_{i}$, obtaining outcomes $O\in {\{0,1\}}^{n}$, and then sends Bob the PUF ${\mathsf{H}}_{1}$ and the string ${c}_{1}=m\oplus {\mathsf{H}}_{1}\left(b\rightO)$, where $bO$ is the concatenation of b and O. Opening phase:  2.
Alice sends the bases b and the outcomes O to Bob.  3.
Bob measures each of his qubits i in the basis ${b}_{i}$, obtaining outcomes ${O}^{\prime}\in {\{0,1\}}^{n}$. If ${O}^{\prime}=O$, Bob accepts the opening. Otherwise, he rejects. He then calculates $m={c}_{1}\oplus {\mathsf{H}}_{1}\left(b\rightO)$.

Theorem 2. Protocol 2 is unconditionally secure in the bad PUF model.
Proof. The soundness proof is similar to the one for Protocol 1. We now prove security against a dishonest Bob (receiver). □
5.1. Concealingness
Suppose that Bob wants to know the message m before the opening phase. After the commitment phase, he knows ${c}_{1}$ and is in possession of the PUF ${\mathsf{H}}_{1}$. He might try to use ${\mathsf{H}}_{1}$ and ${c}_{1}$ to get some information about the message. However, even if he knows ${\mathsf{H}}_{1}$’s answer to every possible challenge, he still will not be able to get any information about the message from ${c}_{1}$, since every possible message will be equally likely.
Finally, we show that Protocol 2 is secure against a dishonest Alice (sender).
5.2. Bindingness
Suppose that Alice wants to change the committed message after the commitment phase. Before the opening phase, she has yet to send the basis string b and the measurement outcomes O to Bob. She might try to reveal a different basis string ${b}^{\prime}$ from what she used to measure her qubits. However, since ${b}^{\prime}$ must also be part of the same minimum distance code as b, Bob will end up measuring at least d of his qubits in the wrong basis. As was mentioned before, the outcomes ${O}_{i}^{\prime}$ of Bob’s measurements of these qubits will be uniformly random, and the probability of Alice revealing an outcome string ${O}^{\u2033}$ such that ${O}^{\u2033}={O}^{\prime}$ is, therefore, $\frac{1}{{2}^{d}}$.
Classical commitments with PUFs have also been studied in the composability setting. In [
20], PUFs were first formalized in the UC framework and an unconditionally secure commitment protocol was constructed. However, in this work, only honestly generated PUFs were considered and, in [
21], a model where attackers can create malicious PUFs (very similar to the concept of bad PUFs) was proposed, together with a computational UC commitment scheme. Since then, it was shown in [
24] that commitments with unconditional security can be obtained in the malicious PUF model and, in [
25], an unconditional UC commitment in a stronger adversarial model (allowing PUF encapsulation) was presented. In these papers, it is assumed that, due to the nature of the PUFs, the simulator cannot simulate the answers of a PUF, and so it must honestly forward the queries to the PUF functionality. Protocol 2 is therefore clearly not composable since it is not equivocable, i.e., in the case of a dishonest Bob,
${\sigma}_{B}$ is unable to generate
${c}_{1}$ and
${\mathsf{H}}_{1}$ during the commitment phase such that it can open it later to any message that happens to be in the functionality
${\mathcal{F}}_{COM}$.
6. Conclusions
With this work, we achieved a commitment protocol that is not only composable but also private, since the message is never publicly announced. Maninthemiddle attacks can be prevented by adding an authenticated channel. We suggest the use of physical unclonable functions to model random oracles, and note that the protocol remains secure and private (although not composable) if we consider the bad PUF attack model, which has been proven impossible for classical bit commitment without other assumptions. In future work, it would be important to obtain a protocol that remains composable in the bad PUF model, as well as analyzing the possibility of transmission errors or implementationrelated vulnerabilities (as discussed in [
26], for example).
Additionally, it is of interest to further study how to obtain composability in commitment schemes while using the minimum possible assumptions (for more on this topic, see [
27]), and which of these assumptions are needed to achieve privacy.
Author Contributions
Conceptualization and supervision, A.S. and P.M.; methodology, A.S., P.M., and M.G.; formal analysis, M.G.; writing—original draft preparation, M.G.; writing—review and editing, M.G., P.M., and A.S. All authors have read and agreed to the published version of the manuscript.
Funding
The authors acknowledge the support of SQIG (Security and Quantum Information Group), the Instituto de Telecomunicações (IT) Research Unit, Ref. UIDB/EEA/50008/2020, funded by Fundação para a Ciência e Tecnologia e Ministério Ciência, Tecnologia e Ensino Superior (FCT/MCTES), and the FCT projects Confident PTDC/EEICTP/4503/2014, QuantumMining POCI010145FEDER031826, and Predict PTDC/CCICIF/29877/2017, supported by the European Regional Development Fund (FEDER), through the Competitiveness and Internationalization Operational Programme (COMPETE 2020), and by the Regional Operational Program of Lisbon. A.S. acknowledges funds granted to Laboratório de Sistemas Informáticos de Grande Escala (LASIGE) Research Unit, Ref. UIDB/00408/2020. M.G. also acknowledges the support of the Calouste Gulbenkian Foundation through the New Talents in Quantum Technologies Programme.
Acknowledgments
We are deeply grateful to Mariano Lemus, Manuel Goulão, and Nikola Paunković, for several discussions during the elaboration of this work.
Conflicts of Interest
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; nor in the decision to publish the results.
References
 Blum, M. Coin Flipping by Telephone a Protocol for Solving Impossible Problems. ACM SIGACT News 1983, 15, 23–27. [Google Scholar] [CrossRef]
 Brassard, G.; Chaum, D.; Crépeau, C. Minimum Disclosure Proofs of Knowledge. J. Comput. Syst. Sci. 1988, 37, 156–189. [Google Scholar] [CrossRef] [Green Version]
 Damgård, I.; Fehr, S.; Lunemann, C.; Salvail, L.; Schaffner, C. Improving the Security of Quantum Protocols via CommitandOpen. In Proceedings of the CRYPTO, Santa Barbara, CA, USA, 16–20 August 2009. [Google Scholar]
 Almeida, Á.J.; Loura, R.; Paunković, N.; Silva, N.A.; Muga, N.J.; Mateus, P.; André, P.S.; Pinto, A.N. A brief review on quantum bit commitment. In Proceedings of the SPIE, Volume 9286, Aveiro, Portugal, 22 August 2014; Volume 9286, p. 92861C. [Google Scholar] [CrossRef]
 Canetti, R.; Fischlin, M. Universally Composable Commitments. In Proceedings of the CRYPTO—Advances in Cryptology, Santa Barbara, CA, USA, 19–23 August 2001; Kilian, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 19–40. [Google Scholar]
 Hofheinz, D.; MüllerQuade, J. Universally Composable Commitments Using Random Oracles. In Theory of Cryptography; Naor, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2004; pp. 58–76. [Google Scholar]
 Canetti, R.; Jain, A.; Scafuro, A. Practical UC Security with a Global Random Oracle. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014. [Google Scholar] [CrossRef] [Green Version]
 Lo, H.K.; Chau, H.F. Is quantum bit commitment really possible? Phys. Rev. Lett. 1997, 78, 3410. [Google Scholar] [CrossRef] [Green Version]
 Mayers, D. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 1997, 78, 3414. [Google Scholar] [CrossRef] [Green Version]
 Kaniewski, J.; Tomamichel, M.; Hänggi, E.; Wehner, S. Secure Bit Commitment From Relativistic Constraints. IEEE Trans. Inf. Theory 2013, 59, 4687–4699. [Google Scholar] [CrossRef] [Green Version]
 Kent, A. Unconditionally secure bit commitment by transmitting measurement outcomes. Phys. Rev. Lett. 2012, 109, 130501. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Adlam, E.; Kent, A. Deterministic relativistic quantum bit commitment. Int. J. Quantum Inf. 2015, 13, 1550029. [Google Scholar] [CrossRef] [Green Version]
 Wengerowsky, S.; Joshi, S.K.; Steinlechner, F.; Zichi, J.R.; Dobrovolskiy, S.M.; van der Molen, R.; Los, J.W.N.; Zwiller, V.; Versteegh, M.A.M.; Mura, A.; et al. Entanglement distribution over a 96kmlong submarine optical fiber. Proc. Natl. Acad. Sci. USA 2019, 116, 6684–6688. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Yin, J.; Cao, Y.; Li, Y.H.; Liao, S.K.; Zhang, L.; Ren, J.G.; Cai, W.Q.; Liu, W.Y.; Li, B.; Dai, H.; et al. Satellitebased entanglement distribution over 1200 kilometers. Science 2017, 356, 1140–1144. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Renner, R. Security of Quantum Key Distribution. Ph.D. Thesis, ETH Zurich, Zürich, Switzerland, 2005. [Google Scholar]
 Bennett, C.H.; Brassard, G.; Popescu, S.; Schumacher, B.; Smolin, J.A.; Wootters, W.K. Purification of Noisy Entanglement and Faithful Teleportation via Noisy Channels. Phys. Rev. Lett. 1996, 76, 722–725. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Pan, J.W.; Simon, C.; Brukner, Č.; Zeilinger, A. Entanglement purification for quantum communication. Nature 2001, 410, 1067–1070. [Google Scholar] [CrossRef] [PubMed]
 Pappu, R.; Recht, B.; Taylor, J.; Gershenfeld, N. Physical OneWay Functions. Science 2002, 297, 2026–2030. [Google Scholar] [CrossRef] [PubMed] [Green Version]
 Rührmair, U.; van Dijk, M. PUFs in Security Protocols: Attack Models and Security Evaluations. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 19–22 May 2013; pp. 286–300. [Google Scholar] [CrossRef] [Green Version]
 Brzuska, C.; Fischlin, M.; Schröder, H.; Katzenbeisser, S. Physically Uncloneable Functions in the Universal Composition Framework. In Proceedings of the CRYPTO 2011, Santa Barbara, CA, USA, 14–18 August 2011; p. 681. [Google Scholar] [CrossRef] [Green Version]
 Ostrovsky, R.; Scafuro, A.; Visconti, I.; Wadia, A. Universally Composable Secure Computation with (Malicious) Physically Uncloneable Functions. In Proceedings of the EUROCRYPT—Advances in Cryptology, Athens, Greece, 26–30 May 2013; Johansson, T., Nguyen, P.Q., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; pp. 702–718. [Google Scholar]
 Maurer, U.; Renner, R. Abstract cryptography. In Innovations in Computer Science; Tsinghua University Press: Beijing, China, 2011. [Google Scholar]
 Mateus, P.; Sernadas, A.; Souto, A. Universality of quantum Turing machines with deterministic control. J. Log. Comput. 2015, 27, 1–19. [Google Scholar] [CrossRef] [Green Version]
 Damgård, I.; Scafuro, A. Unconditionally Secure and Universally Composable Commitments from Physical Assumptions. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, 1–5 December 2013. [Google Scholar] [CrossRef] [Green Version]
 Badrinarayanan, S.; Khurana, D.; Ostrovsky, R.; Visconti, I. Unconditional UCSecure Computation with (StrongerMalicious) PUFs. In Proceedings of the EUROCRYPT—Advances in Cryptology, Paris, France, 30 April–4 May 2017; Coron, J.S., Nielsen, J.B., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 382–411. [Google Scholar]
 Pljonkin, A. Vulnerability of the Synchronization Process in the Quantum Key Distribution System. Int. J. Cloud Appl. Comput. 2019, 9, 50–58. [Google Scholar] [CrossRef] [Green Version]
 Lemus, M.; Yadav, P.; Mateus, P.; Paunković, N.; Souto, A. On minimal assumptions to obtain a universally composable quantum bit commitment. In Proceedings of the 2019 21st International Conference on Transparent Optical Networks (ICTON), Angers, France, 9–13 July 2019; pp. 1–4. [Google Scholar] [CrossRef]
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).