Commitment Schemes from OWFs with Applications to Quantum Oblivious Transfer

Abstract

Commitment schemes (CSs) are essential to many cryptographic protocols and schemes with applications that include privacy-preserving computation on data, privacy-preserving authentication, and, in particular, oblivious transfer protocols. For quantum oblivious transfer (qOT) protocols, unconditionally binding commitment schemes that do not rely on hardness assumptions from structured mathematical problems are required. These additional constraints severely limit the choice of commitment schemes to random oracle-based constructions or Naor’s bit commitment scheme. As these protocols commit to individual bits, the use of such commitment schemes comes at a high bandwidth and computational cost. In this work, we investigate improvements to the efficiency of commitment schemes used in qOT protocols and propose an extension of Naor’s commitment scheme requiring the existence of one-way functions (OWFs) to reduce communication complexity for 2-bit strings. Additionally, we provide an interactive string commitment scheme with preprocessing to enable the fast and efficient computation of commitments.

1. Introduction

In the field of cryptography, the concept of secure communication is fundamental, particularly in scenarios involving multiple parties, where some could behave maliciously. Oblivious transfer (OT) [1,2] results as a fundamental cryptographic primitive that enables two parties, often referred to as the sender and the receiver, to exchange information, preserving the privacy of the receiver’s choices while ensuring that the sender’s data remain hidden except for a selected datum. In the simplest case, for example, the receiver obtains one element from a server with two elements. Protocols can be extended to one-out-of-N with a set of N elements [1]. OT is used mainly as a subprimitive for other protocols, such as multiparty computation (MPC) [3], private information retrieval protocols, and simultaneous contract signing protocols [4].

Despite its theoretical significance and practical applications, achieving efficient and provably secure OT protocols often requires striking a delicate balance between computational complexity, communication overhead (e.g., as in [5]), and resilience against various adversarial models, including active attacks and side-channel threats.

1.1. Related Work

In a classical environment, it has been proved that OT implies public-key encryption [6]. This means that the security of these protocols is based on quantum weak or unproven assumptions. Quantum cryptography offers the possibility to build OT protocols whose security is based solely on symmetric key primitives [7]. Specifically, unconditionally binding commitment schemes are essential [8] for a practical version of the most relevant quantum oblivious transfer protocol known in the literature [9], even if simulation-based security is not essential [10].

Despite the strong security assumption behind qOT, execution is very slow, also due to the huge amount of data to be exchanged during the postprocessing phase required to deal with imperfect quantum channels [11]. In our experiments, the commitment phase appeared as one substantial bottleneck in qOT execution. Indeed, a way to commit to many bits (states) and open the commitment of only some of them is needed, ideally with an unconditionally binding commitment scheme whose security is based only on one-way functions.

1.2. Contribution and Structure

In this work, we propose a new unconditional binding commitment scheme based only on the existence of OWFs, which is communication-wise lighter and still efficient in the case of 2-bit strings. We also present a string commitment of the same type for arbitrarily long strings, whose complexity can be analyzed more easily than the one from Naor. We also propose a generic method to shift the expensive operations of bit commitment schemes in an interactive setting to a preprocessing phase. This method is of particular interest for interactive protocols such as quantum oblivious transfer.

This paper is structured as follows: we begin by outlining the quantum OT protocol that motivates our need for a commitment scheme. Next, we introduce the necessary preliminaries, including the definition and key characteristics of commitment schemes. We then detail Naor’s commitment scheme, which forms the foundation for our proposed scheme. Following this, we present a novel, unconditionally binding commitment scheme based on OWFs, including an ad hoc construction for 2-bit strings and an optimization technique to enhance efficiency within the quantum OT context. Finally, we summarize our findings and highlight the achieved improvements.

1.3. Quantum Oblivious Transfer Protocol

We now recall the quantum oblivious transfer protocol by Bennet et al. [9]. The flow of the protocol is shown in Algorithm 1. Here, for a given finite set, Q, $q\stackrel{\$}{\leftarrow }Q$ means that q is sampled uniformly and randomly from Q.

This protocol requires a natural number, n, and a two-universal family of hash functions, $\mathcal{F}$, as security parameters. The sender S inputs $(m_0,m_1)\in {\{0,1\}}^l$, and the receiver R inputs $b\in \{0,1\}$, which represent the two messages and the bit choice of the OT protocol, respectively.

S starts by randomly choosing some basis and sending some qubits that R measures with a new random basis. This phase is called the BB84 phase since it is the same as the first phase in the quantum key distribution protocol BB84.

After this, S reveals their basis and sets their oblivious key ${\mathbf{x}}^S$ as the set of qubits sent at the very beginning of the protocol. Upon the reception of the sender’s basis, R can compare the two bases and set their oblivious key as the measured qubits. During this phase, the parties define two oblivious keys (one per party), so it is called Oblivious Key Phase.

Then, the receiver defines $I_0=\{i:{e_i}^R=0\}$, the set of indices such that the bases of R and S are the same, and $I_1=I_0^c$, the set of indices such that the bases of R and S are different. R can then select a bit, b, which encodes the choice bits of the quantum oblivious transfer protocol, and sends $I_b$ to S. S chooses two random hash functions, $f_0,f_1\in \mathcal{F}$, computes the pair of strings $(s_0,s_1)$ as $s_i=m_i\oplus f_i\left({\mathbf{ok}}_{I_{b\oplus i}}^S\right)$, and sends ($f_0,f_1)$ and $(s_0,s_1)$ to R. In the end, R is able to compute $m_b=s_b\oplus f_b\left({\mathbf{ok}}_{I_0}^R\right)$. This is possible since ${\mathbf{ok}}_{I_0}^R={\mathbf{ok}}_{I_0}^S$, thanks to the definition of $I_0$. Moreover, this is not the case for $I_1$, so there is no way for S to compute $I_1$. This last phase is called the Transfer Phase.

Algorithm 1 ${\mathsf{\Pi }}^{\mathrm{BBCS}}$ quantum oblivious transfer protocol.

Parameters: n (security parameter), $\mathcal{F}$ (two-universal family of hash functions) Inputs: Sender S: $(m_0,m_1)\in {\{0,1\}}^l$ Receiver R: $b\in \{0,1\}$ // BB84 Phase     1: S samples random bits ${\mathbf{x}}^S\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ and random bases ${\mathit{\theta }}^S\stackrel{\$}{\leftarrow }{\{+,\times \}}^n$     2: S sends the quantum state ${|{\mathbf{x}}^S\rangle }_{{\theta }^S}$ to R     3: R samples random bases ${\mathit{\theta }}^R\stackrel{\$}{\leftarrow }{\{+,\times \}}^n$ and measures each qubit in ${\mathit{\theta }}^R$ basis to get output bits ${\mathbf{x}}^R$ // Oblivious Key Phase     4: S reveals ${\theta }^S$ to R     5: S sets ${\mathbf{ok}}^S{\mathbf{x}}^S$     6: R computes ${\mathbf{e}}^R={\mathit{\theta }}^R\oplus {\mathit{\theta }}^S$     7: R sets ${\mathbf{ok}}^R{\mathbf{x}}^R$ // Transfer Phase     8: R defines index sets:      $I_0=\{i:e_i^R=0\}$      $I_1=\{i:e_i^R=1\}$     9: R sends $I_b$ to S   10: S samples $f_0,f_1\stackrel{\$}{\leftarrow }\mathcal{F}$ uniformly   11: S computes for $i\in \{0,1\}$: $$s_i=m_i\oplus f_i\left({\mathbf{ok}}_{I_{b\oplus i}}^S\right)$$   12: S sends $(f_0,f_1)$ and $(s_0,s_1)$ to R   13: R computes: $$m_b=s_b\oplus f_b\left({\mathbf{ok}}_{I_0}^R\right)$$ Output:       S outputs ⊥       R outputs $m_b$

Security

The security of this protocol is unconditional with a dishonest sender. Indeed, during the protocol, S does not receive any information from R other than $I_b$, which, in the view of S, is simply a set of indices where either the basis is the same or different.

However, it is not the same with a dishonest receiver. R can learn both $m_0$ and $m_1$ by delaying their measurements (which should happen in step 2) after step 3. This is called memory attack since it requires some sort of memory to hold the received qubits (quantum memory) until step 3. By delaying the measurements after step 3, R can learn and use the same bases as S to measure the signal and gain knowledge of all the states. This implies that R will know both the input messages of the quantum oblivious transfer protocol.

This attack was discovered directly by the authors of the protocol. They also suggested a way to prevent it: the sender needs to make sure that the receiver measures the received qubits immediately. This can be achieved by requiring R to commit to all measurements (bases and measured states). In particular, each measurement is encoded with a couple of bits, so R has to commit to 2-bit strings. Then, S can open a random subset of the values (measurements) to verify that R has behaved honestly. This brings a good level of security; indeed, the possibility that R passes this control is negligible in the size of the set of values S opens. In Algorithm 2 we can observe the QOT enriched with the bit commitment phase we described above.

Algorithm 2 ${\mathsf{\Pi }}_{{\mathcal{F}}_{\mathrm{com}}}^{\mathrm{BBCS}}$: BBCS QOT protocol with commitment functionality.

Parameters: Same as in protocol ${\mathsf{\Pi }}^{\mathrm{BBCS}}$ Inputs: Same as in protocol ${\mathsf{\Pi }}^{\mathrm{BBCS}}$ // BB84 Phase   1: Same as in protocol ${\mathsf{\Pi }}^{\mathrm{BBCS}}$ // Cut-and-Choose Phase   2: R commits to ${\mathit{\theta }}^R$ and ${\mathbf{x}}^R$ using a commitment scheme: send $\mathrm{com}({\theta }^R,{\mathbf{x}}^R)$ to S   3: S selects a random subset $T\subseteq \left[n\right]$ (e.g., $\left|T\right|=n/2$) and asks R to open commitments for all $i\in T$   4: R reveals ${\{{\theta }_i^R,x_i^R\}}_{i\in T}$ to S   5: S checks: Validity of the opened commitments For all $i\in T$ such that ${\theta }_i^S={\theta }_i^R$, check $x_i^S=x_i^R$   6: If any check fails, abort. Otherwise, continue. // Oblivious Key Phase   7: Same as in protocol ${\Pi }^{\mathrm{BBCS}}$ // Transfer Phase   8: Same as in protocol ${\Pi }^{\mathrm{BBCS}}$ Outputs: S outputs ⊥, R outputs $m_b$

There exist proofs of security for a practical version of the quantum oblivious transfer protocol enriched with the commitment scheme [8]. All these proofs make use of unconditional binding commitment schemes. Moreover, the commitment scheme used in these proofs should be based on OWFs only. Indeed, we want to use the qOT protocol to avoid weakness against quantum cryptanalysis and having unproven and non-well-established hypotheses. If we use a post-quantum commitment scheme, we could directly employ a post-quantum OT protocol.

2. Preliminaries

2.1. Definitions

In simple terms, a commitment scheme is a protocol that allows a party called the prover to commit to a hidden value and send it to another party called the verifier. Once the value has been sent, the verifier should not be able to check it until the sender gives their permission. Also, the prover should not be able to change its value once it has been sent. We can think of the protocol as a box: the sender sends their committed message to the verifier hidden in a locked box. Once the verifier has the locked box, the sender is not able to change the value anymore. Moreover, the verifier is not able to unlock and open the box, since the sender has the key. Finally, the sender sends the key to the verifier so the latter can check the correctness of the claimed value.

Following [12], we give the formal definition of a commitment scheme:

Definition 1

(Commitment Scheme). A commitment scheme consists of three polynomial-time algorithms $(\mathsf{Setup},\mathsf{Com},\mathsf{Ver})$ such that we have the following:

-

$\mathsf{Setup}\left(1^n\right)$ takes as input $1^n$, for a security parameter, n, and outputs some public parameter, $pk$, as a public commitment key, i.e., $pk\leftarrow \mathsf{Setup}\left(1^n\right)$;

-

$\mathsf{Com}(pk,m)$ takes as input a public key, $pk$, and a message, m. It outputs a commitment, c, and a reveal value, d, i.e., $(c,d)\leftarrow \mathsf{Com}(pk,m)$;

-

$\mathsf{Ver}(pk,m,c,d)$ takes as input a public key, $pk$, a message, m, a commitment, c, and a reveal value, d. It returns 1 or 0 to accept or reject, respectively, i.e., $b\leftarrow \mathsf{Ver}(pk,m,c,d)$, where $b\in \{0,1\}$.

Moreover, it must satisfy the following basic requirements:

-

Perfect completeness: The verification algorithm $\mathsf{Ver}$ outputs 1 whenever the inputs are computed honestly, i.e., for all messages, m,

$$\mathbb{P}[\mathsf{Ver}(pk,m,c,d)=1\mid pk\leftarrow \mathsf{Setup}\left(1^n\right),(c,d)\leftarrow \mathsf{Com}(pk,m)]=1.$$

We say that a commitment scheme is interactive if the commitment algorithm requires some exchange of messages between two or more parties. Otherwise, the commitment scheme is said to be non-interactive.

Security

The two fundamental security properties of commitment schemes are the hiding and the binding, as introduced above. Let us give a formal definition of these:

Definition 2

(Binding Property). A commitment scheme $(\mathsf{Setup},\mathsf{Com},\mathsf{Ver})$ is statistically (respectively, computationally) binding if no (respectively, probabilistic polynomial-time (PPT)) forger ${\mathcal{P}}^{*}$ can come up with a commitment and two different openings with noticeable (non-obvious) probability, i.e., for every (respectively, PPT) forger ${\mathcal{P}}^{*}$, and every two distinct messages, m and $m^{\prime }$, from the message space, there exists a negligible function, $ϵ\left(n\right)$, such that

$$\mathbb{P}\left[{\mathsf{V}}_1={\mathsf{V}}_2=1|pk\leftarrow \mathsf{Setup}\left(1^n\right),(c,m,d,m^{\prime },d^{\prime })\leftarrow {\mathcal{P}}^{*}\left(pk\right)\right]\le ϵ\left(n\right),$$

where ${\mathsf{V}}_1=\mathsf{Ver}(pk,m,c,d)$, ${\mathsf{V}}_2=\mathsf{Ver}(pk,m^{\prime },c,d^{\prime }),(c,d)$$\leftarrow \mathsf{Com}(pk,m),$$(c,d^{\prime })\leftarrow \mathsf{Com}(pk,m^{\prime }),$$pk\leftarrow \mathsf{Setup}\left(1^n\right)$.

The scheme is perfectly binding if, with overwhelming probability over the choice of the public key $pk\leftarrow \mathsf{Setup}\left(1^n\right)$, it holds that

$$\left(\mathsf{Ver}(pk,m,c,d)=1\wedge \mathsf{Ver}(pk,m^{\prime },c,d^{\prime })=1\right)\Rightarrow m=m^{\prime }.$$

Definition 3

(Hiding Property). A commitment scheme $(\mathsf{Setup},\mathsf{Com},\mathsf{Ver})$ is statistically (respectively, computationally) hiding if no (respectively, PPT) distinguisher, ${\mathcal{V}}^{*}$, is able to distinguish $(pk,c)$ and $(pk,c^{\prime })$, for two distinct messages, m and $m^{\prime }$, with non-negligible advantage. This means that for every (respectively, PPT) distinguisher, ${\mathcal{V}}^{*}$, and every two distinct messages, m and $m^{\prime }$, from the message space, there exists a negligible function, $ϵ\left(n\right)$, such that the statistical distance between $(pk,c)$ and $(pk,c^{\prime })$ is $ϵ\left(n\right)$, i.e.,

$$\Delta \left((pk,c),(pk,c^{\prime })\right)\le ϵ\left(n\right),$$

where $(c,d)\leftarrow \mathsf{Com}(pk,m)$, $(c^{\prime },d^{\prime })\leftarrow \mathsf{Com}(pk,m^{\prime })$, and $pk\leftarrow \mathsf{Setup}\left(1^n\right)$.

• The scheme is perfectly hiding if $(pk,c)$ and $(pk,c^{\prime })$ are equally distributed.

If one of these two properties holds statistically or perfectly, we say that it holds unconditionally. There exists an important negative result regarding these two properties. Namely, a commitment scheme cannot be both unconditionally hiding and unconditionally binding. Thus, at least one of both the prover and verifier must be at most computationally bounded.

2.2. Commitment Scheme for qOT

As discussed in Section 1.3, an unconditionally binding commitment scheme is required, ideally based on the existence of OWFs. There are two possible schemes satisfying this: one is based on domain-increasing hash functions [13] and the other is the commitment scheme from Naor [14]. We will consider using the latter, which can be less time-consuming and gives the same level of security as the former approach with fewer assumptions.

Indeed, to prove a commitment scheme based on domain-increasing hash functions is statistically binding, the random oracle model assumption must be employed. This is not necessary for Naor’s commitment scheme. Moreover, Naor’s approach can also be faster if AES in counter mode is exploited as a secure pseudorandom number generator (PRNG), given the size of the commitment [15]. The only advantage of the hash approach is that it gives a non-interactive commitment scheme. However, the commitment must be executed, as already seen previously, in a protocol requiring interaction, so non-interactivity is of no benefit in this case.

2.3. Naor’s Bit Commitment Scheme

The bit commitment scheme from Naor is described, as the proofs of security for the new schemes will be similar.

Let n be a security parameter. In particular, it guarantees the security of the used PRNG for seeds of the length n. Then the scheme works as follows:

-

$\mathsf{Setup}\left(1^n\right)$: The setup algorithm chooses any pseudorandom number generator, G, that stretches a random seed with the length n to $3n$ bits, i.e., $G:{\{0,1\}}^n\to {\{0,1\}}^{3n}$;

-

$\mathsf{Com}(G,b)$: This algorithm has two phases:

-

Commit phase:

1.

$\mathcal{V}$ selects a random bit string, r, of the length $3n$ and sends it to $\mathcal{P}$;

2.

After receiving r, $\mathcal{P}$ selects a random seed, $\mathbf{x}\in {\{0,1\}}^n$, and returns the commitment string c to $\mathcal{V}$, where

$$\mathbf{c}=\left\{\begin{array}{c}G\left(\mathbf{x}\right)\mathrm{if}b=0\hfill \\ G\left(\mathbf{x}\right)\oplus \mathbf{r}\mathrm{if}b=1\hfill \end{array}\right.$$

-

Reveal phase: To open the commitment, $\mathcal{P}$ sends b and x to $\mathcal{V}$.

-

$\mathsf{Ver}(G,\mathbf{r},\mathbf{c},b,\mathbf{x})$: $\mathcal{V}$ verifies that the values $b,\mathbf{x}$, and r match the previously given commitment.

Now, the properties of this commitment scheme are formally proven:

• Computational Hiding: We have to prove that no PPT distinguisher ${\mathcal{V}}^{*}$ is capable of distinguishing between $(G,\mathbf{c})$ and $(G,{\mathbf{c}}^{\prime })$ for two distinct bits, b and $b^{\prime }$, with a non-negligible advantage. Specifically, we will demonstrate that if G is a secure PRNG, then the scheme possesses the hiding property. To argue by contradiction, suppose that the scheme is not hiding. This implies the existence of an adversary, $\mathcal{A}$, who can distinguish between $(G,\mathbf{c})$ and $(G,{\mathbf{c}}^{\prime })$ for two different bits, b and $b^{\prime }$, with a non-negligible probability. Given this situation, we can construct another adversary, $\mathcal{B}$, that can distinguish between a truly random string, $\mathbf{r}\stackrel{\$}{\leftarrow }{\{0,1\}}^{3n}$, and a pseudorandom string, $G\left(\mathbf{s}\right)$, for a seed, $\mathbf{s}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$.
  To model this attack, we refer to Figure 1. Notably, we recognize that the adversary $\mathcal{A}$ can break the hiding property. In other words, $\mathcal{A}$ is able to distinguish between $G\left(\mathbf{s}\right)$ and $G\left(\mathbf{s}\right)\oplus {\mathbf{r}}^{\prime }$ with a non-negligible probability in n, where $\mathbf{s}$ is a random string chosen from ${\{0,1\}}^n$ and ${\mathbf{r}}^{\prime }\in {\{0,1\}}^{3n}$ is chosen by $\mathcal{A}$.
  Now, let us assume that the challenger selects $\mathbf{r}$ to be a truly random string, i.e., $\mathbf{r}\stackrel{\$}{\leftarrow }{\{0,1\}}^{3n}$. Under this assumption, it becomes crucial to analyze the behavior of $\mathcal{A}$ and understand how it exploits the properties of G to distinguish between the given instances.
  Then, $\mathbf{r}\oplus i·{\mathbf{r}}^{\prime }$ remains random for $i\in \{0,1\}$, so $\mathcal{A}$ cannot distinguish it with non-negligible probability.
  Specifically, in this case, we have

  $$\mathbb{P}\left[i=i^{\prime }|\mathbf{r}\stackrel{\$}{\leftarrow }{\{0,1\}}^{3n}\right]={\displaystyle \frac{1}{2}}.$$
  Now, consider the scenario where the challenger instead chooses $\mathbf{r}$ as a pseudorandom string (i.e., $\mathbf{r}=G\left(\mathbf{s}\right)$, where $\mathbf{s}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$). In this situation, $\mathbf{c}=G\left(\mathbf{s}\right)\oplus i·{\mathbf{r}}^{\prime }$. Under this assumption, when $i=0$, $\mathbf{c}=G\left(\mathbf{s}\right)$, which is a pseudorandom string generated by G using a random seed, $\mathbf{s}$. Instead, when $i=1$, $\mathbf{c}$ is the XOR of a pseudorandom string, $G\left(\mathbf{s}\right)$, and a random string ($G\left(\mathbf{s}\right)\oplus {\mathbf{r}}^{\prime }$). This is precisely the case where $\mathcal{A}$ can distinguish, with a non-negligible advantage, the two cases.
  Thus, with a non-negligible advantage, $\mathcal{A}$ will correctly identify i, that is,

  $$\mathbb{P}\left[i=i^{\prime }|\mathbf{r}=G\left(\mathbf{s}\right),\mathbf{s}\stackrel{\$}{\leftarrow }{\{0,1\}}^n\right]={\displaystyle \frac{1}{2}}+non-neg\left(n\right).$$
  Recall that the ultimate goal is to prove that $\mathcal{B}$ can distinguish a pseudorandom string from a random string with non-negligible probability, i.e.,

  $$\left|\mathbb{P}\right[\mathcal{B}\mathrm{outputs}\mathrm{PR}\left|\mathbf{r}\mathrm{is}\mathrm{random}\right]-\mathbb{P}\left[\mathcal{B}\mathrm{outputs}\mathrm{PR}\right|\mathbf{r}\mathrm{is}\mathrm{pseudorandom}\left]\right|$$

  $$=non-neg\left(n\right).$$
  In this case, the previous difference is

  $$\left|\mathbb{P}\left[i=i^{\prime }|\mathbf{r}=G\left(\mathbf{s}\right),s\stackrel{\$}{\leftarrow }{\{0,1\}}^n\right]-\mathbb{P}\left[i=i^{\prime }|\mathbf{r}\stackrel{\$}{\leftarrow }{\{0,1\}}^{3n}\right]\right|=$$

  $$\left|\left({\displaystyle \frac{1}{2}}+non-neg\left(n\right)\right)-{\displaystyle \frac{1}{2}}\right|=non-neg\left(n\right).$$
  This result confirms that $\mathcal{B}$ can indeed distinguish between a pseudorandom string and a random string with a non-negligible probability, confirming the computational hiding property of the scheme.
• Statistical Binding: We must establish that for every potential forger, ${\mathcal{P}}^{*}$, and for any two distinct messages, m and $m^{\prime }$, from the message space, there exists a negligible function, $ϵ\left(n\right)$, such that

  $$\mathbb{P}[{\mathsf{V}}_1={\mathsf{V}}_2=1|pk\leftarrow \mathsf{Setup}\left(1^n\right),(c,m,d,m^{\prime },d^{\prime })\leftarrow {\mathcal{P}}^{*}\left(pk\right)]\le ϵ\left(n\right),$$

  where ${\mathsf{V}}_1=\mathsf{Ver}(pk,m,c,d)$, ${\mathsf{V}}_2=\mathsf{Ver}(pk,m^{\prime },c,d^{\prime })$, $(c,d)\leftarrow \mathsf{Com}(pk,m)$, $(c,d^{\prime })\leftarrow \mathsf{Com}(pk,m^{\prime })$, and $pk\leftarrow \mathsf{Setup}\left(1^n\right)$.
  Considering the commitment notation, this requirement translates to

  $$\mathbb{P}\left[G\left(\mathbf{x}\right)=\mathbf{c}=G\left({\mathbf{x}}^{\prime }\right)\oplus \mathbf{r}\mid \mathbf{r}\in {\{0,1\}}^{3n},\mathbf{x},{\mathbf{x}}^{\prime }\in {\{0,1\}}^n\right].$$
  It is important to note that the set $\{G\left(\mathbf{x}\right)\mid \mathbf{x}\in {\{0,1\}}^n\}$ contains at most $2^n$ elements. Consequently, the set $\{G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right)\mid \mathbf{x}\in {\{0,1\}}^n,{\mathbf{x}}^{\prime }\in {\{0,1\}}^n\}$ can have at most $2^{2n}$ elements. Given this, the probability that a randomly chosen string, $\mathbf{r}\in {\{0,1\}}^{3n}$, falls within this set is at most

  $${\displaystyle \frac{2^{2n}}{2^{3n}}}=2^{-n}.$$
  Therefore, this is the maximum probability with which a forger can identify two values that generate two different valid openings for the commitment. This extremely low probability, decreasing exponentially with n, ensures that the statistical binding property is verified, effectively preventing the forger from finding such values and thus maintaining the integrity and security of the commitment scheme.

2.4. On Naor’s String Commitment Scheme

In [14], Naor also presented a string version of his commitment scheme. This scheme is not analyzed here because it is not useful. What is interesting about this scheme, related to this work, is that the complexity to commit to a string of t bits, communication-wise, is $4q+n+t$, where n is the number of security bits regarding the binding property, q must satisfy $q>{\displaystyle \frac{3n}{log\left(\frac{2}{2-ϵ}\right)}}$, and $ϵq$ is the minimum distance in a set of $2^t$ binary vectors of the length q (see the follow-up of Claim 4.2. of [14]). To keep q small, the set of $2^t$ vectors of the length q with the highest minimum distance should be picked. In general, this problem is known to be hard. However, it can be easily proved that the minimum distance in a set of at least three binary vectors of the length n is at most ${\displaystyle \frac{2}{3}}n$, leading to a total complexity of at least $7.8n+2$ per 2-bit string we have to commit to.

As pointed out at the end of [14], Joe Kilian has suggested a slightly different method for amortizing the communication complexity when we have to commit to a bit string. In particular, we can commit to a seed, $\mathbf{s}$, by committing to each of its bits separately, with Naor’s bit commitment scheme, and then commit to the string $(b_1,b_2,\dots ,b_t)$ by providing its XOR with the pseudorandom sequence generated by $\mathbf{s}$. In this case we need two pseudorandom number generators: $G_1:{\{0,1\}}^n\to {\{0,1\}}^{3n}$ and $G_2:{\{0,1\}}^{\left|\mathbf{s}\right|}\to {\{0,1\}}^t$.

However, this method starts to be effective when t is at least $n^2$, since the communication cost is always at least $3n^2$, independently of the value of t. The hiding and binding properties of this protocol come directly from Naor’s bit commitment scheme.

3. New String Commitment Based on Naor

Given Naor’s bit commitment scheme, the commitment $\mathbf{c}$ for a bit b is calculated as $\mathbf{c}=G\left(\mathbf{x}\right)\oplus b·\mathbf{r}$. From this, one can think that if $\mathcal{P}$ (the prover) needs to commit to more than one bit at a time, say a string of bits $(b_1,\dots ,b_t)$, it can compute the commitment as $\mathbf{c}=G\left(\mathbf{x}\right)\oplus {\sum }_{i=1}^t{b}_i·{\mathbf{r}}_i$. Indeed, the bit commitment is a special case of this with $t=1$.

However, in this case, the vectors ${\left\{{\mathbf{r}}_i\right\}}_{i=1}^t$ must be linearly independent. Indeed, if they are not linearly independent, then there exists a non-zero linear combination that gives the zero vector, namely ${\sum }_{i=1}^t{b}_i{\mathbf{r}}_i=\mathbf{0}$ with some string $(b_1,b_2,\dots ,b_n)$ where $b_i\ne 0$ for at least one index, i. But then, committing to the bit string $(b_1,b_2,\dots ,b_n)$ is the same as committing to the string $(0,0,\dots ,0)$, so the statistical binding property is certainly not satisfied since the committer can always commit to $(b_1,b_2,\dots ,b_n)$ and open to $(0,0,\dots ,0)$ and vice versa.

Also, if $\mathcal{V}$ has to choose and send all these vectors to $\mathcal{P}$, the communication cost can become very high. If there exists a “good” way to generate these vectors starting from one initial vector, ${\mathbf{r}}_1$, chosen by $\mathcal{V}$, this communication cost can be significantly reduced. This makes committing to a string of t bits much more efficient compared to committing to t bits separately, especially in terms of communication costs. For the moment, assume that the prover and the receiver have a random oracle $\mathcal{O}$ that returns random linearly independent vectors given as input a specific one.

To ensure a security level of n bits for the binding property, we need to increase the length of the pseudorandom number generator output by t bits. The protocol’s flow is detailed in Figure 2.

It is possible to prove that this commitment scheme is computationally hiding and statistically binding:

• Computational Hiding: The proof of the computational hiding property can be obtained naturally by modifying that of Naor’s bit commitment scheme. In particular, the attack is the same as the one described in Figure 1, just changing the fact that instead of committing to a bit, a bit string is committed to and the adversary $\mathcal{A}$ can guess the right values for $(b_1,\dots ,b_t)$ with a probability of ${\displaystyle \frac{1}{2^t}}+$$non$-$neg\left(n\right)$ when $\mathbf{r}=G\left(\mathbf{s}\right)$ is given and with the probability ${\displaystyle \frac{1}{2^t}}$ when $\mathbf{r}\stackrel{\$}{\leftarrow }{\{0,1\}}^{3n}$.
• Statistical Binding: Suppose that $\mathcal{P}$ wants to open the commitment to a different value, ${\mathbf{b}}^{\prime }\ne \mathbf{b}$, after already committing to $\mathbf{b}$. To carry this out, $\mathcal{P}$ needs to find a new ${\mathbf{x}}^{\prime }$ such that $\mathbf{c}=G\left({\mathbf{x}}^{\prime }\right)\oplus {\sum }_{i=1}^t{b}_i^{\prime }{\mathbf{r}}_i$. We know that for any fixed value of ${\mathbf{b}}^{\prime }$, the chance of successfully finding such an ${\mathbf{x}}^{\prime }$ is very low, specifically bounded by $2^{-n-t}$. This can be shown by following the proof of the binding property in Naor’s bit commitment scheme and adjusting the length of the pseudorandom string generated by G.
  Thus, the probability that $\mathcal{P}$ can find one such value to cheat is bounded by $2^t·2^{-n-t}=2^{-n}$ since all possible values that allow $\mathcal{P}$ to cheat are $2^t-1$ (that is, all the possible values ${\mathbf{b}}^{\prime }\ne \mathbf{b}$) and the probability for all is bounded by $2^{-n-t}$.

3.1. On the Algorithm for Generating Some Linearly Independent Vectors from a Random One

The previous protocol exploits a random oracle to generate some linearly independent vectors starting from a single random vector. In practice, however, it is not possible to rely on this, since the existence of random oracles is an idealized assumption. Thus, a deterministic algorithm to generate such vectors is needed. However, the generated vectors must be, in a certain sense, uniformly distributed (which is the case when they are randomly picked) between the linearly independent ones.

For example, suppose that we start with one randomly chosen non-zero vector in ${\{0,1\}}^n$ with $n\ge 2$, and we pick the second vector fixing the first coordinate of the first vector, whose value is 1 and flipping all the other bits. In this manner, we obtain two linearly independent vectors, as the second vector is not the zero vector (it retains a 1 from the first vector) and it is different from the first vector (at least one bit is flipped, since $n\ge 2$). However, with this approach, we know that the bitwise XOR between the two vectors is a vector with all coordinates set to 1 except for one coordinate, which is 0.

If we suppose the usage of an algorithm like this in a scheme like the one described in Figure 2, the statistical binding property is compromised. In particular, the binding property does not hold unconditionally anymore; it depends on the pseudorandom number generator. Indeed, if $G\left(\mathbf{x}\right)$ is defined such that all vectors in the codomain with all 1s except for one 0 are images of some input, $\mathbf{x}$, the prover can always find, by brute-force, an ${\mathbf{x}}^{\prime }$ such that $G\left(\mathbf{x}\right)\oplus {\sum }_{i=1}^2{\mathbf{r}}_i=G\left({\mathbf{x}}^{\prime }\right)$, allowing the prover to commit to (1,1,0,…,0) and to open the commitment to the 0 string.

Therefore, all generated vectors and their linear combinations should be “uniformly distributed”. Uniform distribution, in this case, means that a fixed non-zero linear combination of the vectors is generated; to change the value to the initial vector, we have to obtain a different result every time.

Mathematically speaking, this means that the linear system given by $\mathbf{s}={\sum }_{i=1}^t{b}_i·{\mathbf{r}}_i$ must have a unique solution in the indeterminates describing the generated vectors, for every coefficient combination of $b_1,\dots ,b_t$ and for every value of $\mathbf{s}$.

We were not able to find an algorithm satisfying such a strong property. However, vectors with a slightly weaker property can still be generated, which suffices to prove the binding property of the scheme.

To show and discuss the new protocol, we need a couple more definitions and results:

Definition 4

(Circulant Matrix). A circulant matrix is a square matrix in which each row is obtained by rotating one element to the right of the preceding row.

Definition 5

(Associated Polynomial of Circulant Matrix). Let C be the circulant matrix obtained by rotating the vector $(a_0,a_1,\dots ,a_{n-1})$. Then the polynomial $f={\sum }_{i=0}^{n-1}{a}_i{x}^i$ is called the associated polynomial of C.

Theorem 1.

Let C be a circulant matrix with entries in ${\mathbb{F}}_2$ of the order $n=2^t$ for some $t\ge 0$. Then the following conditions are equivalent:

• The rank of C is n;
• The degree of the greatest common divisor of $x^n-1$ and the associated polynomial of C is 0.

Proof. 

Let g be the greatest common divisor of f and $x^n-1$. First, assume that $f\ne 0$, since if $f=0$, the corresponding circulant matrix is the zero matrix. Now, suppose that $g\ne 0$. By definition, g divides $x^n-1=x^{2^t}-1={(x-1)}^{2^t}={(x\oplus 1)}^{2^t}$, due to the fact that we are operating in ${\mathbb{F}}_2$, where subtraction is equivalent to addition (i.e., $-=\oplus$), and in finite fields with the characteristic p, powers of p can be distributed over sums. Consequently, g divides ${(x\oplus 1)}^{2^t}$. Since $x\oplus 1$ is irreducible, we have that either $g=1$ or $x\oplus 1$ divides g.

We now proceed to prove both implications:

• $\mathrm{deg}\left(g\right)=0$⇒$\mathrm{rank}\left(C\right)=n$:
  Suppose, for the sake of contradiction, that $\mathrm{rank}\left(C\right)<n$. This implies the existence of a non-zero linear combination of the matrix vectors that results in the zero vector. Each vector can be identified with a polynomial in ${\mathbb{F}}_2\left[x\right]/(x^n-1)$. Specifically, the polynomial corresponding to the first vector is the polynomial f; the second vector corresponds to $x·fmod{x}^n-1$, and so on. Finding a non-zero linear combination that generates $\mathbf{0}$ translates into finding a subset, $I\subseteq [n-1]\cup \left\{0\right\}$, such that ${\sum }_{i\in I}{\mathbf{x}}_i=\mathbf{0}$. In polynomial terms, this means that ${\sum }_{i\in I}{x}^i·f\equiv 0mod{x}^n-1$, which implies that $x^n-1$ divides $f·{\sum }_{i\in I}{x}^i$. Since $x^n-1={(x\oplus 1)}^{2^t}$, two possibilities arise: either $x\oplus 1$ divides f, which implies that $x\oplus 1$ divides both f and $x^n-1$, leading to $deg\left(g\right)>0$, contradicting our initial assumption; or ${(x\oplus 1)}^{2^t}$ divides ${\sum }_{i\in I}{x}^i$. Given that $I\subseteq [n-1]\cup \left\{0\right\}$, this is only possible if $I=\varnothing$, which contradicts our assumption of a non-zero linear combination.
• $\mathrm{rank}\left(C\right)=n$⇒$deg\left(g\right)=0$:
  Suppose, for the sake of contradiction, that $deg\left(g\right)\ne 0$. According to the earlier discussion, this implies that $x\oplus 1$ divides g. Since g divides f by definition, f must have a root in 1. This means that f has an even number of terms. If this is the case, it is easy to check that the sum of all vectors in the matrix is $\mathbf{0}$, implying that the rank of the matrix is strictly less than n. Therefore, $g=1$, and thus its degree is 0.

□

So, for the generation of vectors, we can consider the following algorithm:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \mathbf{x}& =\left(\begin{array}{c}{x}_1\\ x_2\\ ⋮\\ x_{n-1}\\ x_n\end{array}\right)\to \begin{array}{ccccc}{x}_1& x_n& \dots & x_3& x_2\\ x_2& x_1& \dots & x_4& x_3\\ ⋮& ⋮& \ddots & ⋮& ⋮\\ x_{n-1}& x_{n-2}& \dots & x_1& x_n\\ x_n& x_{n-1}& \dots & x_2& x_1\end{array}\hfill \end{array}\\ \hfill \begin{array}{ccccc}{x}_1& x_2& \dots & x_{n-1}& x_n\end{array}\end{array}$$

(1)

For $n=2^t$, a full-rank matrix can be constructed by selecting an initial vector with odd weight. This ensures that the associated polynomial f has no root at 1, meaning that $x-1$ does not divide f. Consequently, the greatest common divisor of f and $x^n-1=x^{2^t}-1={(x-1)}^{2^t}$ is 1. By Theorem 1, this guarantees that the resulting matrix is full-rank.

Proposition 1.

The circulant matrix of dimension $n=2^t$ obtained by rotating an initial vector of odd weight is complete (i.e., full-rank).

Proving the unconditional binding property of the new commitment scheme constructed in this paper requires one last result:

Theorem 2.

Let z be a power of 2 greater than $2t$, $\mathbf{b}\ne \mathbf{0}$, $\mathbf{s}={\sum }_{i=1}^z{\widehat{b}}_i·{\mathbf{r}}_i$, where ${\widehat{b}}_i=b_i$ for $i=1,\dots ,t$ and ${\widehat{b}}_i=0$ otherwise, and ${\left\{{\mathbf{r}}_i\right\}}_{i=1}^z$ are vectors generated with the algorithm in Equation (1) (namely, ${\mathbf{r}}_i={\mathbf{x}}_i)$, where ${\mathbf{r}}_1$ has odd weight. Then, the matrix representing the linear system

$$\left\{\begin{array}{c}{s}_1=\sum _{k=1}^z{b}_k·x_{1+k-1modz}\hfill \\ ⋮\hfill \\ s_z=\sum _{k=1}^z{b}_k·x_{z+k-1modz}\hfill \end{array}\right.$$

has at least $z/2$ linearly independent vectors.

Proof. 

The matrix representing the linear system is a circulant matrix. Moreover, in the first row, there is a 1 (as $\mathbf{b}\ne \mathbf{0}$) followed by at least $z-t$ consecutive 0s (as ${\widehat{b}}_i=0$ for $i=t+1,\dots ,z$). If we consider the $z-t$ vectors obtained by rotating this vector one bit to the right each time, they can be grouped and seen as forming a lower triangular matrix with 1s on the diagonal. Therefore, they are linearly independent.

This means that the circulant matrix has at least $z-t$ linearly independent vectors. By hypothesis, $2t<z$, i.e., $t<z/2$, so we can conclude that $z-t>z-z/2=z/2$. □

With these properties, the commitment scheme described in Figure 3 can be proved to be statistically binding.

Indeed, suppose that the prover wants to commit to a t-bit string, $b_1,\dots ,b_t$. The verifier then sends the initial vector ${\mathbf{r}}_1$, with odd weight, which is the smallest power of 2 longer than $6n+2t$. Let z be this length. The prover will encode the string it wants to commit to into a z-bit string by appending zeros to the original string. The procedure then continues in the same way as in the previous protocol. If the prover wants to open the string $\mathbf{b}$ to a different one ${\mathbf{b}}^{\prime }$, it must find an ${\mathbf{x}}^{\prime }$ such that $\mathbf{s}={\sum }_{i=1}^z({\widehat{b}}_i\oplus {\widehat{b}}_i^{\prime }){\mathbf{r}}_i=G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right)$. Thus, $\mathbf{s}$ should belong to the set $\{G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right)\mid \mathbf{x},{\mathbf{x}}^{\prime }\in {\{0,1\}}^n\}$, which has at most $2^{2n}$ elements. Now, thanks to Theorem 2 we know that at least half of the bits of $\mathbf{s}$ are uniformly distributed. Specifically, for every linear combination (this time given by the coefficients ${\widehat{b}}_i\oplus {\widehat{b}}_i^{\prime }$, i.e., for every possible value the prover tries to open the commitment to), $\mathbf{s}$ lays in a vector subspace of a dimension of at least $z/2>(6n+2t)/2$. This means that such an ${\mathbf{x}}^{\prime }$ exists with a probability of at most

$${\displaystyle \frac{2^{2n}}{2^{(6n+2t)/2}}}={\displaystyle \frac{2^{2n}}{2^{3n+t}}}.$$

Thus, the final probability of cheating can be bounded by $2^{-n}$, as before. The computational hiding property comes directly from Naor’s commitment scheme. The communication complexity of this scheme is $2z+n+t$, where z is the smallest power of 2 strictly greater than $6n+2t$. This complexity is significantly easier to quantify compared to that of Naor’s string commitment scheme.

3.2. Extending Kilian with Our Approach

The Kilian technique, as already stated before, consists of committing to a seed of a pseudorandom number generator instead of the entire bit string. The bit string is then masked by XORing it with another bit string generated by a pseudorandom number generator, using the previously committed seed. This allows to commit to longer strings with the efficiency of committing to a seed, to generate a long enough string and an XOR. Starting from the natural extension of Naor and from the Kilian method, we can devise a new scheme whose flow is described in Figure 4. The key difference from the scheme described by Kilian in [14] lies in the method of seed commitment.

Specifically, the seed is committed with the natural extension of Naor described in Figure 3. Recall that this scheme is more efficient compared to the normal extension when the string to commit to is much greater than the length of a secure seed of a PRNG.

The proofs of computational hiding and statistical binding properties naturally follow the proofs of our extension of Naor and the Kilian method.

3.3. The Commitment Scheme Used in qOT

The commitment scheme used in the qOT protocol is shown in Figure 5. Observe that this does not follow the rules of the general string commitment scheme described in Figure 3. It is an ad hoc version for committing to 2-bit strings.

Initially, the verifier generates a random vector, ${\mathbf{r}}_1$, of the length $3n+3$, ensuring that it differs from both the all-zero vector and the all-one vector. This vector ${\mathbf{r}}_1$ is then sent to the prover. In response, the prover selects a random seed, $\mathbf{x}$, of the length n for the pseudorandom number generator and generates ${\mathbf{r}}_2$ by rotating ${\mathbf{r}}_1$ by one position. The commitment is subsequently computed following the same procedure as in the commitment scheme described in Figure 3, and the verification phase proceeds in the same manner.

Clearly, the hiding property of this scheme follows from the security of the pseudorandom number generator. The binding property, instead, can be proved to hold statistically. Suppose indeed the prover has already committed to $\mathbf{b}$ and wants to open the commitment to a different string. Then it should find an ${\mathbf{x}}^{\prime }$ such that

$$(b_1\oplus b_1^{\prime }){\mathbf{r}}_1\oplus (b_2\oplus b_2^{\prime }){\mathbf{r}}_2=G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right)$$

(2)

for ${\mathbf{b}}^{\prime }\ne \mathbf{b}$. As before, the set $\{G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right)|\mathbf{x},{\mathbf{x}}^{\prime }\in {\{0,1\}}^n\}$ has at most $2^{2n}$ elements. Now, there are three cases:

• If ${\mathbf{b}}^{\prime }\oplus \mathbf{b}=(1,0)$ then Equation (2) is

  $${\mathbf{r}}_1=G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right)$$

  and since ${\mathbf{r}}_1$ is randomly chosen, the probability that such an ${\mathbf{x}}^{\prime }$ exists is

  $${\displaystyle \frac{2^{2n}}{2^{3n+3}-2}};$$
• If ${\mathbf{b}}^{\prime }\oplus \mathbf{b}=(1,0)$ then we have the same as before with ${\mathbf{r}}_2$ in place of ${\mathbf{r}}_1$, but ${\mathbf{r}}_2$ is obtained by rotating ${\mathbf{r}}_1$, so it is random as well, and the same as before can be said;
• If, instead, ${\mathbf{b}}^{\prime }\oplus \mathbf{b}=(1,1)$, then the equation the prover must be able to satisfy is

  $${\mathbf{r}}_1\oplus {\mathbf{r}}_2=G\left(\mathbf{x}\right)\oplus G\left({\mathbf{x}}^{\prime }\right).$$

  (3)
  Now, for every value of ${\mathbf{r}}_1$, ${\mathbf{r}}_1\oplus {\mathbf{r}}_2$ has even weight. However, there are no more constraints on it. So, it is a random value in a subspace of the dimension $3n+3-1$, and the probability of finding an ${\mathbf{x}}^{\prime }$ satisfying Equation (3) is

  $${\displaystyle \frac{2^{2n}}{2^{3n+3-1}-1}}$$
  (it is not possible that ${\mathbf{r}}_1\oplus {\mathbf{r}}_2=\mathbf{0}$ because it would imply that ${\mathbf{r}}_1={\mathbf{r}}_2$ and, in our case, this implies that either ${\mathbf{r}}_1=\mathbf{0}$ or ${\mathbf{r}}_1=\mathbf{1}$).

In the end, there is a probability of at most ${\displaystyle \frac{2^{2n}}{2^{3n+3-1}-1}}\simeq 2^{-n-2}$ that an ${\mathbf{x}}^{\prime }$ allowing the prover to open the commitment to another specific string exists. (The above estimation can be considered as an equality since the value of n, as length of the seed of the PRNG, should be at least 128, but can be 256 in quantum environments, to bring a good enough level of security regarding the hiding property. So, the effect of subtracting 1 from the denominator is negligible.) In the end, the probability that there exists an ${\mathbf{x}}^{\prime }$ that allows the prover to open the commitment to any other string is bounded by $4\times 2^{-n-2}=2^{-n}$. With this approach, the communication complexity is $7n+8$ bits for each 2-bit string to be committed to.

4. A New Preprocessing Model for Commitments

Despite our improvements, for qOT a commitment scheme satisfying the subvector opening property is needed. This means that the prover should be able to open only some of the committed bits. However, we are not aware of any efficient vector commitment scheme (where the prover can indeed open only a subset of committed bits) or, in general, string commitment scheme with the subvector opening property satisfying the unconditional binding property based on the existence of OWFs only. In this situation, one has to commit to all the bits (or all the measurements, i.e., couples of bits) separately. This is very time-consuming, considering that qOT requires a lot of quantum communication (so a lot of states are to be measured and a lot of measurements are to be committed).

We therefore introduce a new preprocessing model to improve the online phase of commitment schemes. By letting the sender and receiver of the qOT exchange data during a preprocessing phase, i.e., before the actual qOT begins, the receiver could commit to random bits. During the actual qOT execution, to commit to its measurements, the prover can then simply XOR the bits it wants to commit to with the bits already committed to in the preprocessing phase. To open a specific commitment, the prover reveals the commitment from the preprocessing phase and discloses the committed bit. In this way, the verifier can check that the bit committed to in the preprocessing phase meets the commitment’s conditions and can verify that the XOR result is as expected.

This method is extremely fast and efficient during the qOT execution. Additionally, its security is equivalent to the security of the commitment scheme used in the preprocessing phase. For example, suppose that the prover committed to a bit, m, in the preprocessing phase using an unconditionally binding commitment scheme, such as Naor’s scheme. To commit to a new bit, b, the prover simply publishes $b\oplus m$. Then, to open the commitment, the prover reveals b and everything needed to reveal the commitment generated with m. The flow of the protocol is described in Figure 6.

The properties of the commitment execution following this “trick” are the same as those of the commitment scheme used in the preprocessing phase:

• Binding: Suppose that the prover commits to b by publishing $b\oplus m$ for a committed m in the preprocessing phase, with the commitment c. To open to $1\oplus b$, the prover must be able to open c to $1\oplus m$, so that $(1\oplus m)\oplus (1\oplus b)=m\oplus b$. However, if the prover cannot open c to $1\oplus m$, this is impossible. Therefore, to break the binding property here, the prover would need to break the binding property of the commitment scheme used in the preprocessing phase.
• Hiding: Again, suppose that the prover commits to b by publishing $b\oplus m$ for a committed m in the preprocessing phase, with the commitment c. For the verifier, learning b from $b\oplus m$ is equivalent to learning m from $b\oplus m$. To learn m, the verifier would need to break the hiding property of the commitment scheme used in the preprocessing phase.

Note that this is a generic proof: it works independently of the commitment scheme considered.

5. Conclusions

In conclusion, the optimal choice for the commitment scheme in the quantum oblivious transfer protocol is to commit to each quantum state separately (i.e., 2 bits at a time) with our bit string commitment scheme (Figure 5). This approach offers a significant improvement, considering that most known implementations rely on hash-based string commitments, which are proven secure only under the random oracle model. By committing to each state individually using our string commitment scheme, we enhance security, as we can prove its security without relying on the random oracle model assumption. Furthermore, with the preprocessing phase technique, we reduce the computational cost of the commitment in the online phase to almost zero, greatly improving efficiency.

Future work may include trying to find an unconditional binding commitment scheme based on OWFs with the subvector opening property, as well as trying to improve the efficiency of our new string commitment scheme.