Impossibility of Quantum Bit Commitment, a Categorical Perspective

Abstract

Bit commitment is a cryptographic task in which Alice commits a bit to Bob such that she cannot change the value of the bit after her commitment and Bob cannot learn the value of the bit before Alice opens her commitment. According to the Mayers–Lo–Chau (MLC) no-go theorem, ideal bit commitment is impossible within quantum theory. In the information theoretic-reconstruction of quantum theory, the impossibility of quantum bit commitment is one of the three information-theoretic constraints that characterize quantum theory. In this paper, we first provide a very simple proof of the MLC no-go theorem and its quantitative generalization. Then, we formalize bit commitment in the theory of dagger monoidal categories. We show that in the setting of dagger monoidal categories, the impossibility of bit commitment is equivalent to the unitary equivalence of purification.

1. Introduction

Bit commitment, used in a wide range of cryptographic protocols (e.g., zero-knowledge proof, multiparty secure computation, and oblivious transfer), consists of two phases, namely: commit and opening. In the commit phase, Alice the sender chooses a bit a ($a=0$ or 1) which she wishes to commit to the receiver Bob. Then, Alice presents Bob some evidence about the bit. The committed bit cannot be known by Bob prior to the opening phase. Later, in the opening phase, Alice announces some information for reconstructing a. Bob then reconstructs a bit $a^{\prime }$ using Alice’s evidence and announcement. A correct bit commitment protocol will ensure that $a^{\prime }=a$. A bit commitment protocol is concealing if Bob cannot know the bit Alice committed before the opening phase and it is binding if Alice cannot change the bit she committed after the commit phase. It is secure if it is both concealing and binding. It is unconditionally secure if it is secure and the security does not rely on any computational assumption.

Quantum bit commitment (QBC) [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16] protocol was first proposed by Bennett and Brassard in 1984 [1]. Later, several QBC protocols were designed to achieve unconditional security, such as those in [17,18]. However, in 1996, Mayers [19] and Lo and Chau [20,21] showed that all previously proposed QBC protocols were vulnerable to an entanglement attack which can be launched by Alice. This result was later referred to as the Mayers–Lo–Chau (MLC) no-go theorem.

This no-go theorem has been continuously challenged in the past two decades. Yuen [22,23] repeatedly argued that the no-go proof is not general enough to exhaust all conceivable quantum bit commitment protocols. On the other hand, the no-go theorem has also been extended by several scholars. Nambu and Chiba-Kohno [24] gave a constructive proof of the theorem from the viewpoint of quantum information theory. Spekkens and Rudolph [25] and He [26] extended the no-go theorem with quantitative bounds on the degree of concealment and bindingness. D’Ariano et al. [27] provided a strengthened and explicit impossibility proof exhausting all conceivable protocols in which not only quantum information, but also classical information is exchanged between the two parties. However, the considerable length of the proof in [27] makes it still hard to follow. Chiribella et al. [28] simplified the proof in [27]. In the works of Cohn-Gordon [29] and Heunen and Kissinger [30], a clear and rigorous formalization of QBC is developed in the setting of categorical quantum mechanics. Cohn-Gordon [29] also provided a proof of the no-go theorem. While this proof is already simpler than all previous proofs, we find there is still room for simplification and extension.

In Clifton et al.’s information theoretic-reconstruction of quantum theory [31], the impossibility of bit commitment is conceived as one of the three fundamental information-theoretic constraints that characterize quantum theory. In [31], the authors partially proved that the impossibility of bit commitment is equivalent to the existence of entangled, or nonlocal, states. This result was questioned by Heunen and Kissinger [30], who demonstrated that, in the categorical setting, the impossibility of bit commitment is not equivalent to the existence of entangled states. Which quantum feature is the one that is equivalent to the impossibility of bit commitment is left unanswered in [30].

The contributions of this paper are ass follows.

• The length of the proof in Cohn-Gordon [29] is more than two pages. We provide a simpler proof which takes only a few lines.
• The proof in [29] only concerns the qualitative version of the no-go theorem. We formalize and prove the quantitative version of the no-go theorem.
• We show that the impossibility of bit commitment is equivalent to the unitary equivalence of purification in the setting of dagger monoidal categories. This provides an answer to the problem left by Heunen and Kissinger [30].

The structure of this paper is as follows. We simplify and extend the proof of Cohn-Gordon [29] in Section 2. Then, in Section 3, we study the impossibility of bit commitment in the setting of dagger monoidal categories and demonstrate that the quantum feature corresponding to the impossibility of bit commitment in the categorical setting is the unitary equivalence of purification. In Section 4, we discuss some related work. We conclude this paper with future work in Section 5.

2. The No-Go Theorem of Quantum Bit Commitment

In the literature [19,20,25,29,30], it is acknowledged that a general model of QBC protocols should at least includes the following ingredients:

• The Hilbert space required to describe the protocol is the tensor product of the Hilbert spaces that play a role in the protocol.
• The total system is initially in a pure state.
• Every action taken by a party corresponds to that party performing a unitary operation on the systems in his/her possession.
• Every communication corresponds to a party sending a subset of the systems in his/her possession to the other party.

Bearing this common knowledge in mind, we propose the most rigorous and simplest formalization of quantum bit commitment as follows.

Definition 1.

A quantum bit commitment protocol consists of the following:

(1) 

Two finite-dimensional Hiblert spaces A and B

(2) 

Two pure states $|H\rangle ,|T\rangle \in A\otimes B$

(3) 

A quantum operation (i.e., completely positive, trace-preserving super operator) $Open$ on $A\otimes B$ such that $Open\left(\right|H\rangle \langle H\left|\right)\ne Open\left(\right|T\rangle \langle T\left|\right)$

This QBC protocol is concealing if $T{r}_A\left(\right|H\rangle \langle H\left|\right)=T{r}_A\left(\right|T\rangle \langle T\left|\right)$. It is binding if there is no unitary U on A such that $(U\otimes I_B)|H\rangle =|T\rangle$.

This formalization provides a high level description of quantum bit commitment. Initially, Alice (possibly with the help of Bob) prepares a state $|H\rangle$ or $|T\rangle$ of quantum system $A\otimes B$ depending on the value of Alice’s bit. Note that $|H\rangle$ and $|T\rangle$ are not the initial states of the QBC protocol, but the final states of the commit phase. Starting from a pure state, a commit phase may involve many rounds of actions and communications. Alice sends $T{r}_A\left(\right|H\rangle \langle H\left|\right)$ or $T{r}_A\left(\right|T\rangle \langle T\left|\right)$ to Bob to perform the commitment. At the opening stage, Alice sends the rest sub-state of $|H\rangle$ or $|T\rangle$ to Bob to allow him to verify her commitment. Bob applies the quantum operation $Open$ to determine Alice’s commitment.

In our definition of bindingness, we only consider the situation in which Alice applies unitary operators to the pure state in her possession, instead of complete positive maps on mixed states. This is a reasonable assumption in the sense that complete positive maps on mixed states can be purified to unitary map on pure states via Stinespring representation [32]. This notion of bindingness is very strong: Alice must be able to alter $|H\rangle$ to $|T\rangle$ with certainty. In Section 2.2, we introduce $ϵ$-binding, a weaker notion of bindingness that allows Alice to alter $|H\rangle$ to a state which is similar to $|T\rangle$. Another issue concerning bindingness is that the operation $Open$ plays no role in the current definition of bindingness. We discuss an alternative notion of bindingness which involves $Open$ in Section 4.

Example 1.

The QBC protocol due to Bennett and Brassard [1] goes as follows: Alice and Bob first agree on a security parameter, a positive integer s.

1. 

Commit phase:

(a) 

Alice chooses the value of the committed bit c and the auxiliary bits $a_1,\dots ,a_s$.

(b) 

If $c=0$, she prepares and sends Bob s qubits, which are chosen to be either $|0\rangle$ or $|1\rangle$. The value of c is kept secret during the commit phase. If $a_i=0$, then Alice sets the ith qubit to be $|0\rangle$. If $a_i=1$, then she sets the ith qubit to be $|1\rangle$. The value of $a_1,\dots ,a_n$ are also kept secret during the commit phase.

(c) 

Similarly, if $c=1$, she prepares and sends Bob s qubits, which are chosen to be either $|+\rangle$ or $|-\rangle$. If $a_i=0$, then Alice sets the ith qubit to be $|+\rangle$. If $a_i=1$, and then she sets the ith qubit to be $|-\rangle$. The value of $c,a_1,\dots ,a_n$ are kept secret during the commit phase.

2. 

Opening phase:

(a) 

Bob randomly prepares auxiliary bits $b_1,\dots ,b_s$. If $b_i=0$, and then Bob measures the ith qubit in the $\left\{\right|0\rangle ,|1\rangle \}$ basis. If $b_i=1$, then Bob measures the ith qubit in the $\left\{\right|+\rangle ,|-\rangle \}$ basis.

(b) 

Alice announces the value of $c,a_1,\dots ,a_s$.

(c) 

Bob accepts Alice’s commitment if and only if, for all indexes $i\in \{1,\dots ,s\}$ with $c=b_i$, Bob’s measurement outcome agrees with Alice’s announcement.

We can formalize this QBC protocol as follows:

• Let $A={\mathbb{C}}^{\left(2^{1+s}\right)}$ and $B={\mathbb{C}}^{\left(2^s\right)}$.
• Let $|H\rangle ={\displaystyle \sum _{a_1\dots a_s}}|0a_1\dots a_s\rangle \otimes U_{0,a_1}|0\rangle \dots U_{0,a_s}|0\rangle$, where $U_{0,0}$ is the identity operator and $U_{0,1}$ is the Pauli X operator.
• Let $|T\rangle ={\displaystyle \sum _{a_1\dots a_s}}|1a_1\dots a_s\rangle \otimes U_{1,a_1}|0\rangle \dots U_{1,a_s}|0\rangle$, where $U_{1,0}$ is the Hadamard operator H and $U_{1,1}$ is $HX$.
• Let $Open$ be a completely positive map such that

  -

  $Open\left(\right|H\rangle \langle H\left|\right)={\displaystyle \sum _{a_1\dots a_s}}\left(\right|0a_1\dots a_s\rangle \langle 0a_1\dots a_s\left|\right)\otimes M_{b_1}\left(U_{0,a_1}\right|0\rangle \langle 0\left|U_{0,a_1}^{†}\right)\otimes \dots \otimes M_{b_s}\left(U_{0,a_s}\right|0\rangle \langle 0\left|U_{0,a_s}^{†}\right)$, where $M_0$ is the completely positive map which represents the measurement on the $\left\{\right|0\rangle ,|1\rangle \}$ basis and $M_1$ is the completely positive map which represents the measurement on the $\left\{\right|+\rangle ,|-\rangle \}$ basis.

  -

  $Open\left(\right|T\rangle \langle T\left|\right)={\displaystyle \sum _{a_1\dots a_s}}\left(\right|1a_1\dots a_s\rangle \langle 1a_1\dots a_s\left|\right)\otimes M_{b_1}\left(U_{1,a_1}\right|0\rangle \langle 0\left|U_{1,a_1}^{†}\right)\otimes \dots \otimes M_{b_s}\left(U_{1,a_s}\right|0\rangle \langle 0\left|U_{1,a_s}^{†}\right)$.

Note that, although our formalization of QBC protocols in Definition 1 looks simple, it is in fact already more general than the formalizations by Lo and Chau [20] and Cohn-Gordon [29]. It is also a proper extension of the purification bit commitment protocol by Spekkens and Rudolph [25].

Example 2.

A purification bit commitment protocol [25] makes use of two systems, the token system and the proof system. These are associated with Hilbert spaces $H_t$ and $H_p$. A purification bit commitment protocol also specifies two orthogonal states $|{\varphi }_0\rangle$ and $|{\varphi }_1\rangle$, which are states of the system $H_t\otimes H_p$. At the commit phase, Alice prepares the two systems in the state $|{\varphi }_b\rangle$ in order to commit to bit b, and sends the token system to Bob. At the opening phase, Alice sends the proof system to Bob, and Bob performs a measurement of the projector valued measure $\{P_0,P_1,P_{fail}\}$, where $P_b=|{\varphi }_b\rangle \langle {\varphi }_b|$.

We further discuss the generality of our formalism in Section 4.

2.1. The Qualitative No-Go Theorem

Within our formalization, the no-go theorem of quantum bit commitment becomes a precise mathematical statement. To prove this statement, we make use of the unitary equivalence of purification, which can be found in standard textbooks of quantum information [32,33].

Definition 2

(purification). Let A and B be two Hilbert spaces and $Pos\left(A\right)$ be the set of all positive semidefinite operators on A. For $\rho \in Pos\left(A\right)$ and $|\varphi \rangle \in A\otimes B$, $|\varphi \rangle$ is a purification of ρ if $T{r}_B\left(\right|\varphi \rangle \langle \varphi \left|\right)=\rho$.

Lemma 1

(unitary equivalence of purification). Let $|\varphi \rangle \in A\otimes B$ and $|\psi \rangle \in A\otimes B$ be two purifications of a positive smiedefinite operator $\rho \in Pos\left(A\right)$. There is a unitary transformation U acting on B such that $|\varphi \rangle =(I_A\otimes U)|\psi \rangle$.

Theorem 1

(no-go theorem, the qualitative version). If a quantum bit commitment protocol is concealing, then it is not binding.

Proof. 

If a QBC is concealing, then $T{r}_A\left(\right|H\rangle \langle H\left|\right)=T{r}_A\left(\right|T\rangle \langle T\left|\right)$. Hence, $|H\rangle$ and $|T\rangle$ are two purifications of the same mixed state. By Lemma 1, we know there is a unitary operator $U_A$ such that $|H\rangle =(U_A\otimes I_B)|T\rangle$, which means that the QBC is not binding. □

The astonishing simplicity of the above proof suggests a close relationship between the unitary equivalence of purification and the impossibility of quantum bit commitment. In Section 3, we show that they are actually equivalent in an abstract categorical framework.

2.2. The Quantitative No-Go Theorem

The qualitative version of the no-go theorem states that it is impossible for a QBC protocol to be both absolute concealing and absolute binding. However, it does not exclude the possibility of a QBC protocol to be both partially concealing and partially binding. We now formalize and prove the quantitative version of the no-go theorem, which establishes a relation between partially concealing and partially binding. The key notion we use is the fidelity between quantum states.

Definition 3

(fidelity [33]). Let $|\varphi \rangle$ and $|\psi \rangle$ be two pure states of a Hilbert space. The fidelity of $|\varphi \rangle$ and $|\psi \rangle$ is $F\left(\right|\varphi \rangle ,|\psi \rangle )=|\langle \varphi |\psi \rangle |$. Let ρ and σ be two mix states of a Hilbert space. The fidelity of ρ and σ is $F(\rho ,\sigma )=Tr\left(\sqrt{\sqrt{\rho }\sigma \sqrt{\rho }}\right)$.

After some careful calculation, we know that $F\left(\right|\varphi \rangle ,|\psi \rangle )=F\left(\right|\varphi \rangle \langle \varphi |,|\psi \rangle \langle \psi \left|\right)$. We define the relation $\stackrel{ϵ}{=}$, where $ϵ\in [0,1]$, between quantum states as follows: $\rho \stackrel{ϵ}{=}\sigma$ iff $F(\rho ,\sigma )\ge ϵ$. Apparently, $\rho =\sigma$ iff $\rho \stackrel{1}{=}\sigma$.

Definition 4

($ϵ$-concealing, $ϵ$-binding). A quantum bit commitment protocol is ϵ-concealing if $T{r}_A\left(\right|H\rangle \langle H\left|\right)\stackrel{ϵ}{=}T{r}_A\left(\right|T\rangle \langle T\left|\right)$. It is ϵ-binding if there is no unitary U on A such that $(U\otimes I_B)|H\rangle \stackrel{ϵ}{=}|T\rangle$.

The following Uhlmann’s theorem is used in the proof of the quantitative version of the no-go theorem.

Theorem 2

(Uhlmann’s theorem [33]). $F(\rho ,\sigma )={\displaystyle \underset{|\varphi \rangle ,|\psi \rangle }{max}}\left|\langle \varphi |\psi \rangle \right|$, where $|\varphi \rangle$ ranges over all purifications of ρ and ψ ranges over all purifications of σ. If $|\varphi \rangle$ is a fixed purification of ρ, then $F(\rho ,\sigma )={\displaystyle \underset{|\psi \rangle }{max}}\left|\langle \varphi |\psi \rangle \right|$, where ψ ranges over all purifications of σ.

Theorem 3

(no-go theorem, the quantitative version). If a quantum bit commitment protocol is ϵ-concealing, then it is not ϵ-binding.

Proof. 

If a QBC protocol is $ϵ$-concealing, then $T{r}_A\left(\right|H\rangle \langle H\left|\right)\stackrel{ϵ}{=}T{r}_A\left(\right|T\rangle \langle T\left|\right)$. Thus, we have $F(T{r}_A\left(\right|H\rangle \langle H\left|\right),T{r}_A\left(\right|T\rangle \langle T\left|\right))\ge ϵ$. Now, by Uhlmann’s theorem, we know there exists a purification $|T^{\prime }\rangle$ of $T{r}_A\left(\right|T\rangle \langle T\left|\right)$ such that $|\langle H|T^{\prime }\rangle |=F(T{r}_A\left(\right|H\rangle \langle H\left|\right),T{r}_A\left(\right|T\rangle \langle T\left|\right))\ge ϵ$. Therefore, $F\left(\right|H\rangle ,|T^{\prime }\rangle )\ge ϵ$ and $|H\rangle \stackrel{ϵ}{=}|T^{\prime }\rangle$. Note that, by the unitary equivalence of purification, we have $|T^{\prime }\rangle =(U_A\otimes I_B)|T\rangle$. This means that $(U_A\otimes I_B)|T\rangle \stackrel{ϵ}{=}|H\rangle$. Therefore, the QBC protocol is not $ϵ$-binding. □

3. Bit Commitment in Categorical Quantum Mechanics

Categorical quantum mechanics (CQM) [34,35,36,37,38,39,40,41,42,43,44,45] is the study of quantum computation and quantum foundations using category theory, as well as the graphical language closely related to category theory. In CQM, dagger monoidal categories (DMC) are used as an axiomatic basis for quantum mechanics, providing a generalization of the usual axiomatization in terms of Hilbert spaces.

Definition 5

(strict monoidal category [43]). A strict monoidal category $\mathcal{C}$ is a category equipped with:

1. 

a parallel composition operation for objects:

$$\otimes :ob\left(\mathcal{C}\right)\times ob\left(\mathcal{C}\right)\to ob\left(\mathcal{C}\right);$$

2. 

a unit object $I\in ob\left(\mathcal{C}\right)$; and

3. 

a parallel composition operation for morphisms:

$$\otimes :\mathcal{C}(A,B)\times \mathcal{C}(C,D)\to \mathcal{C}(A\otimes C,B\otimes D)$$

satisfying the following conditions:

1. 

⊗ is associative and unital on objects:

$$(A\otimes B)\otimes C=A\otimes (B\otimes C) A\otimes I=A=I\otimes A;$$

2. 

⊗ is associative and unital on morphisms:

$$(f\otimes g)\otimes h=f\otimes (g\otimes h) f\otimes 1_I=f=1_I\otimes f; and$$

3. 

⊗ and ∘ satisfy the interchange law:

$$(g_1\otimes g_2)\circ (f_1\otimes f_2)=(g_1\circ f_1)\otimes (g_2\circ f_2)$$

.

Definition 6

(dagger functor † [43]). A dagger functor for a strict monoidal category is an operation † that satisfies the following:

• identity on objects: $A^{†}=A$;
• reserves morphisms: ${(f:A\to B)}^{†}:=f^{†}:B\to A$;
• is involutive: ${\left(f^{†}\right)}^{†}=f$; and
• respects the symmetric monoidal category structure:

  $${(g\circ f)}^{†}=f^{†}\circ g^{†} {(f\otimes g)}^{†}=f^{†}\otimes g^{†}.$$

A dagger monoidal category is a strict monoidal category equipped with a dagger functor.

Example 3.

The category of finite dimensional Hilbert spaces FinHilb is a DMC. In FinHilb, objects are finite-dimensional Hilbert spaces over complex numbers, morphisms are linear maps, parallel composition is the tensor product, I is the one-dimensional Hilbert spaces $\mathbb{C}$, and † is the adjoin operator.

Example 4.

The category Dens of density operators and completely positive maps is a DMC. The objects of Dens are the same as the objects of FinHilb. A morphism from object ${\mathbb{C}}^m$ to object ${\mathbb{C}}^n$ is a completely positive map $f:{\mathbb{C}}^{m\times m}\to {\mathbb{C}}^{n\times n}$. Parallel composition is the tensor product, I is the one-dimensional Hilbert spaces $\mathbb{C}$, and † is the adjoin operator.

Example 5.

The category of arbitrary dimensional Hilbert spaces Hilb is a DMC. In Hilb, objects are Hilbert spaces over complex numbers, morphisms are bounded linear maps, parallel composition is the tensor product, I is the one-dimensional Hilbert spaces $\mathbb{C}$, and † is the adjoin operator.

To formalize bit commitment in DMC, we further need concepts such as environment structure and purification.

3.1. Environment Structure and Purification

Definition 7

(environment structure [46]). Let $\mathcal{C}$ be a dagger monoidal category. An environment structure for $\mathcal{C}$ is a monoidal category ${\mathcal{C}}^{\top }$ with the same objects as $\mathcal{C}$, together with a strict monoidal functor $\mathfrak{F}:\mathcal{C}\to {\mathcal{C}}^{\top }$ with $\mathfrak{F}\left(A\right)=A$, and for each object A a morphism ${\top }_A:A\to I$ in ${\mathcal{C}}^{\top }$, which we depict as:

satisfying:

1. 

We have ${\top }_I=1_I$, and for all objects A and B: ${\top }_{A\otimes B}={\top }_A\otimes {\top }_B$.

2. 

For morphisms $f:A\to X\otimes B$ and $g:A\to X\otimes B$ in $\mathcal{C}$, $f=g$ in $\mathcal{C}$ if and only if $({\top }_X\otimes 1_B)\circ \mathfrak{F}f=({\top }_X\otimes 1_B)\circ \mathfrak{F}g$ in ${\mathcal{C}}^{\top }$.

3. 

For each $f^{\prime }\in {\mathcal{C}}^{\top }(A,B)$, there is $f\in \mathcal{C}(A,X\otimes B)$ for some object X such that $f^{\prime }=({\top }_X\otimes 1_B)\circ \mathfrak{F}f$ in ${\mathcal{C}}^{\top }$. Such an f is called a purification of $f^{\prime }$.

Intuitively, if we think of the category $\mathcal{C}$ as consisting of pure states, then the category ${\mathcal{C}}^{\top }$ consists of mixed states. The morphisms ${\top }_A$ can be viewed as discarding system A to the environment, or, in other words, trace out A.

Example 6.

$\mathit{Dens}$ provides an environment structure for $\mathit{FinHilb}$, in which ${\top }_{{\mathbb{C}}^n}$ is the trace operator $Tr:{\mathbb{C}}^{n\times n}\to \mathbb{C}$. The functor $\mathfrak{F}$ maps a liner map $f\in \mathit{FinHilb}({\mathbb{C}}^m,{\mathbb{C}}^n)$ to a completely positive operator $\mathfrak{F}f$ such that $\mathfrak{F}f\left(\rho \right)=f\rho f^{†}$.

Definition 8

(unitary equivalence of purification). An environment structure ${\mathcal{C}}^{\top }$ for $\mathcal{C}$ satisfies the unitary equivalence of purification if the following is satisfied: for all $B\in ob\left({\mathcal{C}}^{\top }\right),f^{\prime }\in {\mathcal{C}}^{\top }(I,B)$, if $f,g\in \mathcal{C}(I,X\otimes B)$ are purifications of $f^{\prime }$, then there exists a unitary morphism $U:X\to X$ such that $(U\otimes 1_B)\circ f=g$.

3.2. Bit Commitment in Dagger Monoidal Category

Now, we formalize bit commitment in the setting of dagger monoidal categories. We do not assume compactness in our formalization. This is because assuming compactness will impose finite dimensionality on Hilbert spaces [47]: the DMC FinHilb is compact, while Hilb is not compact. Assuming no compactness makes our formalization more general than most formalizations in the literature, which only formalize bit commitment in finite dimensional Hilbert spaces.

Definition 9

(bit commitment in DMC). Let $\mathcal{C}$ be a dagger monoidal category with an environment structure ${\mathcal{C}}^{\top }$. A bit commitment protocol on $(\mathcal{C},{\mathcal{C}}^{\top })$ consists of the following:

1. 

Two objects A and B

2. 

Two states $H,T:I\to A\otimes B$ in $\mathcal{C}$

3. 

A morphism $Open$ on $A\otimes B$ in ${\mathcal{C}}^{\top }$ such that $Open\left(\mathfrak{F}H\right)\ne Open\left(\mathfrak{F}T\right)$ in ${\mathcal{C}}^{\top }$

A bit commitment protocol on $(\mathcal{C},{\mathcal{C}}^{\top })$ is concealing if $({\top }_A\otimes 1_B)\circ \mathfrak{F}H=({\top }_A\otimes 1_B)\circ \mathfrak{F}T$ in ${\mathcal{C}}^{\top }$.

It is binding if there is no unitary morphism $U:A\to A$ such that $(U\otimes 1_B)\circ H=T$ in $\mathcal{C}$. Equivalently, it is binding if, for all unitary morphisms $U:A\to A$, it holds that $(U\otimes 1_B)\circ H\ne T$ in $\mathcal{C}$.

Theorem 4.

Let $\mathcal{C}$ be a dagger monoidal category with an environment structure ${\mathcal{C}}^{\top }$. The following are equivalent:

(1) 

The unitary equivalence of purification is satisfied.

(2) 

For all bit commitment protocols on $(\mathcal{C},{\mathcal{C}}^{\top })$, if it is concealing, then it is not binding.

Proof. 

$\left(1\right)\Rightarrow \left(2\right)$ Assume the unitary equivalence of purification is satisfied. If a bit commitment protocol $(A,B,H,T,Open)$ on $(\mathcal{C},{\mathcal{C}}^{\top })$ is concealing, then $({\top }_A\otimes 1_B)\circ \mathfrak{F}H=({\top }_A\otimes 1_B)\circ \mathfrak{F}T$ in ${\mathcal{C}}^{\top }$. By the third requirement in the definition of environment structure, we know H and T are two purifications of the same state. By the unitary equivalence of purification, we know there is a unitary morphism $U:A\to A$ such that $H=(U\otimes 1_B)\circ T$, which means that the bit commitment protocol is not binding.

$\left(2\right)\Rightarrow \left(1\right)$ Assume for all bit commitment protocol on $(\mathcal{C},{\mathcal{C}}^{\top })$, if it is concealing then it is not binding. Let B be an arbitrary object in ${\mathcal{C}}^{\top }$ and $f^{\prime }\in {\mathcal{C}}^{\top }(I,B)$. Assume $f,g\in \mathcal{C}(I,X\otimes B)$ are purifications of $f^{\prime }$. This means that $f^{\prime }=({\top }_X\otimes 1_B)\circ \mathfrak{F}f=({\top }_X\otimes 1_B)\circ \mathfrak{F}g$.

• If $\mathfrak{F}f=\mathfrak{F}g$, then by the second requirement in the definition of environment structure, we know that $f=g$. Now, we let $U=1_X$. Then, it holds that $(U\otimes 1_B)\circ f=g$.
• If $\mathfrak{F}f\ne \mathfrak{F}g$, then we design a bit commitment protocol $(X,B,f,g,Open)$ in which $Open=1_{X\otimes B}$. Since $({\top }_X\otimes 1_B)\circ \mathfrak{F}f=({\top }_X\otimes 1_B)\circ \mathfrak{F}g$, we know this protocol is concealing. Hence, it cannot be binding, which means there is a unitary morphism $U:X\to X$ such that $(U\otimes 1_B)\circ f=g$.
  To conclude, no matter $\mathfrak{F}f=\mathfrak{F}g$ or $\mathfrak{F}f\ne \mathfrak{F}g$, the unitary equivalence of purification is satisfied. □

4. Related Work and Discussion

4.1. An Alternative Notion of Bindingness

The definition of bindingness described in Section 2 essentially says that Alice cannot change $|H\rangle$ to $|T\rangle$ by operating on the quantum system under her control. This definition is reasonable, but not uniquely reasonable. Another reasonable definition of bindingness, which says that Alice cannot change $Open\left(\right|H\rangle \langle H\left|\right)$ to $Open\left(\right|T\rangle \langle T\left|\right)$ by operating on the quantum system under her control, is formally given as follows.

Definition 10

($ϵ$-posterior binding). A quantum bit commitment protocol is ϵ-posterior binding if there is no unitary U on A such that $Open\left((U\otimes I_B)\right|H\rangle \langle H\left|(U^{†}\otimes I_B)\right)\stackrel{ϵ}{=}Open\left(\right|T\rangle \langle T\left|\right)$.

We can prove that, if a QBC protocol is $ϵ$-concealing, then it is not $ϵ$-posterior binding by combining Theorem 3 and the following theorem.

Theorem 5.

If a quantum bit commitment protocol is not ϵ-binding, then it is not ϵ-posterior binding.

Proof. 

If a QBC protocol is not $ϵ$-binding, then there is a unitary map U on A such that $(U\otimes I_B)|H\rangle \stackrel{ϵ}{=}|T\rangle$. Therefore, $F\left((U\otimes I_B)\right|H\rangle ,|T\rangle )\ge ϵ$. Note that $F\left((U\otimes I_B)\right|H\rangle ,|T\rangle )=F\left((U\otimes I_B)\right|H\rangle \langle H|(U^{†}\otimes I_B),|T\rangle \langle T\left|\right)$. Now, by the monotonicity of the fidelity function under quantum operations [32], we know that $F(Open\left((U\otimes I_B)\right|H\rangle \langle H\left|(U^{†}\otimes I_B)\right),Open\left(\right|T\rangle \langle T\left|\right))\ge F\left((U\otimes I_B)\right|H\rangle \langle H|(U^{†}\otimes I_B),|T\rangle \langle T\left|\right)=F\left((U\otimes I_B)\right|H\rangle ,|T\rangle )\ge ϵ$. Therefore, the QBC protocol is not $ϵ$-posterior binding. □

4.2. Mixed State Formalization of QBC

To the best of our knowledge, the most mathematically involved formalization of QBC was given by D’Ariano et al. [27] and Chiribella et al. [28]. In their formalization, the original state is a mixed state and the strategies that Alice and Bob can use are represented by super operators. These super operators are decomposed to a sequence of super operators to characterize the actions Alice and Bob may take at different steps of the protocol. Some distance functions between super operators are adopted to define $ϵ$-concealing and $ϵ$-binding.

Since super operators on mixed states can be represented by linear maps on pure states with some ancillary states by the Stinespring dilation, we conject that our formalism is equivalent to the mixed state formalism. A detailed comparison of these formalism is left as future work.

5. Conclusions and Future Work

In this paper, we first provide a very simple proof of the no-go theorem of quantum bit commitment and its quantitative generalization. Then, we formalize the no-go theorem in the theory of dagger monoidal categories. We show that, in the setting of dagger monoidal categories, the impossibility of bit commitment is equivalent to the unitary equivalence of purification.

The presented material also indicates some directions for future research:

• Sikora and Selby [48] formalized bit commitment in generalized probabilistic theories and showed that the no-go theorem holds by presenting a quantitative trade-off between Alice’s and Bob’s cheating probabilities. A comparison between our formalization and theirs will be carried out in the future.
• It was shown by Kent et al. [5,6,7,12] that perfect bit commitment is possible in the theory of relativity. Baez [49] pointed out that, from a categorical perspective, the theory of relativity and quantum theory resemble each other quite well. DMC plays an important role in both theories. In particular, nCob, the DMC which contains manifold as object and cobordism as morphism, plays an important role in general relativity. It will be interesting to formalize bit commitment in nCob and use it to analyze the similarity and difference of quantum theory and the theory of relativity.
• We also plan to apply the axiomatic and graphical language of categorical quantum mechanics in the formal verification of concrete QBC protocols in the future.
• The MLC no-go theorem does not rule out the feasibility of designing secure QBC in practice. Several practically secure QBC protocols have been devised and experimentally implemented in the last decade [50,51,52]. The security of those protocols typically relies on the current technological limitation on non-demolition measurement and long-term quantum memory. The implementation of those protocols often uses quantum optical devices such as nanosecond pulse laser, single mode optical fiber, and Mach–Zehnder interferometer for the generation, communication, and operation of non-entangled photons. With the recent development on the generation and manipulation of entangled photons [53], in the future, we are also interested in implementing QBC protocols based on (low-dimensional) entangled states [9,16].