Unconditionally Secure Relativistic Quantum Qubit Commitment

: Quantum qubit commitment is a stronger version of the quantum bit commitment. It is impossible to realize unconditionally secure quantum qubit commitment in nonrelativistic domain. In this paper, we propose an unconditionally secure relativistic quantum qubit commitment protocol for the ﬁrst time, which will have some unique applications in the upcoming era of quantum network.


Introduction
Quantum bit commitment [1,2] is a cryptographic mistrustful task between two adversarial parties, in which, the committer Alice decides the value of the bit b (b = 0 or 1) that she wants to commit to the receiver Bob, and sends him some quantum encrypted information about the bit for evidence, e.g., some quantum states, in the commit phase. Later, in the unveil phase, Alice announces the correct value of b as well as some information for decrypting the evidence, then Bob decrypts the evidence and checks whether the decryption output value of b is consistent with Alice's announcement. If a quantum bit commitment protocol is secure against both Bob and Alice, and its security does not rely on any computational assumption, it is said to be unconditionally secure. Secure quantum bit commitment is an essential cryptographic primitive in quantum cryptography. It could be used as a building block for protocols implementing a wide range of other cryptographic tasks [3][4][5]. However, within the framework of nonrelativistic quantum mechanics, unconditionally secure quantum bit commitment is impossible since the perfect securities against Alice and Bob are incompatible, which is known as Mayers-Lo-Chau (MLC) no-go theorem [6,7]. Though there are some doubts on the generality of the theoretical model of quantum bit commitment used in the no-go proof and, new protocols attempting to evade the no-go theorem were proposed every now and then, the result of MLC no-go theorem is widely accepted nowadays, which was introduced in detail in ref. [8]. It is considered as a serious drawback in quantum cryptography, as it tells us when the rapid development of quantum computers makes the computational assumptions underlying present day classical bit commitment become distinctly vulnerable, the quantum cryptography cannot offer any compensating solution [9]. Fortunately, it was proved later that by imposing causal restrictions via relativistic quantum mechanics, unconditionally secure quantum bit commitment is possible [10][11][12][13].
Recently, quantum qubit commitment, a stronger version of the quantum bit commitment, was introduced in Ref. [14]. It was found that the quantum qubit commitment has some unique applications [15] beyond quantum bit commitment in the upcoming era of quantum network, including implementing a fair version of quantum state exchange [16] and preventing cheating in such a task that two quantum computers are demanded to generate certain quantum states independently and to be cross-checked afterward [17], in which one computer may try to delay to generate its state after the other party and cheat by learning from the other party's state or even try to imperfectly clone the state to pretend to have high computational power. It was also pointed out [15] that secure quantum qubit commitment can break asynchronous quantum network assumption since it can effectively activate multiple quantum machines at the same time. These unique applications motivate the wide range of interest of developing unconditional security quantum qubit commitment protocols. However, it is found that, similar to quantum bit commitment, it is impossible to realize unconditionally secure quantum qubit commitment in nonrelativistic domain [14]. Naturally, as a consequence, researchers attempt to develop security quantum qubit commitment schemes via adding some additional experimental constraints or causal restrictions of relativistic quantum mechanics. In Ref. [15], a secure quantum qubit commitment scheme is proposed by using the approach of quantum one-time tables, in which a trusted third party is needed. To the best of our knowledge, however, it remains an open question whether unconditionally secure quantum qubit commitment protocol can be realized in relativistic domain. Therefore, it is both theoretically interesting and practically valuable to develop unconditional security relativistic quantum qubit commitment protocols, which must be in line with and will promote the development of the upcoming era of quantum network [18]. Stimulated by this, in this paper we focus on and, for the first time, propose an unconditionally secure relativistic quantum qubit commitment scheme.
Before giving our protocol, we first explain some details of the concepts of quantum qubit commitment and unconditional security that we used throughout this paper. In quantum qubit commitment, instead of a bit, Alice commits to a qubit from a certain set (that can potentially also contain nonorthogonal quantum states), and later unveils to Bob that she has indeed committed to that qubit [14]. The qubit set should be open, since if the qubits are prepared by a third party and are unknown to Alice, she cannot unveil the quantum state of the committed qubit in the unveil phase. The fundamental difference between quantum qubit commitment and quantum bit commitment is that a quantum qubit commitment protocol preserves the coherence of the committed quantum state, therefore, to commit to a specific qubit in the commit phase, Alice should present quantum states (obtained via appropriate unitary transformations of the committed qubit) rather than the quantum-encrypted classical information of the qubit to Bob for evidence (if she presents the quantum-encrypted classical information for evidence, it is essentially a quantum bit string commitment).
In Ref. [15], the authors defined that a quantum qubit commitment scheme is unconditionally secure if, without any assumption on computational power, its output is indistinguishable from the output of an instance of the ideal functionality unless the probability of the committer passing the unveil phase is lower than a certain threshold which can be made arbitrarily small by increasing the security parameters. Here we give a more straightforward mathematical description as: a quantum qubit commitment scheme is unconditionally secure if it guarantees ∑ k p k < 1 + δ(N) with δ(N) → 0 as N → ∞ , where N is the security parameter and p k is the probability of successfully unveiling the kth qubit of the qubit set in the unveil phase. It should be noted that δ(N) is the probability of successfully unveiling the k 1 th qubit when Alice committed to the kth qubit (k 1 = k) in the commit phase, which can be made arbitrarily small by choosing the security parameters appropriately but cannot be zero. ∑ k p k < 1 + δ(N) will reduce to be p 1 + p 2 < 1 + δ when there are only two qubits in the qubit set, which is the unconditionally secure condition of quantum bit commitment.

Quantum Qubit Commitment Scheme
In this section, we show our protocol. The relativistic geometry of our protocol is chosen to be same as that of Ref. [10], i.e., Alice and Bob agree on a fixed inertial reference frame with coordinates (x, y, z, t), within which the space-time point O is the origin and two points Q 0 = (−x, 0, 0, x) and Q 1 = (x, 0, 0, x) are lightlike separated from O (see Figure 1).
Alice and Bob each have agents, separated in their own secure laboratories, adjacent to each of the points O, Q 0 , and Q 1 .

Quantum Qubit Commitment Scheme
In this section, we show our protocol. The relativistic geometry of our protocol is chosen to be same as that of Ref. [10], i.e., Alice and Bob agree on a fixed inertial reference frame with coordinates (x, y, z, t), within which the space-time point O is the origin and two points Q0 = (−x, 0, 0, x) and Q1 = (x, 0, 0, x) are lightlike separated from O (see Figure  1). Alice and Bob each have agents, separated in their own secure laboratories, adjacent to each of the points O, Q0, and Q1. β α ± cannot be selected as elements of the qubit set at the same time for arbitrary α and β parameters; (2) any two elements, , of the qubit set should satisfy where ε is the probability of the channel errors. Any set satisfying the above two restrictive conditions can be used as a qubit set of our protocol. The second restrictive condition is related to the non-ideal case that there exist channel errors. In the following, we first present our protocol in an idealized form and ignore the second restrictive condition. In the ideal case, we assume perfect state preparations, transmissions, and measurements. We also make idealizations about the relativistic geometry and signaling speed as Ref. [10], supposing that Alice can signal at precisely light speed, all information processing is instantaneous, and the distances from both parties' labs to the relevant points O, Q0, and Q1 are infinitesimal and can be considered to be negligible.  Before the commitment, Alice and Bob agree on a security parameter N, and a public fixed qubit set {|ψ k X = α k |0 X + β k |1 X } d k=1 , where {|0 X , |1 X } is an orthonormal basis in H X space, α k and β k are complex weight factors, and d is the number of the qubits in the set. In our protocol, the qubit set is constrained by two restrictive conditions: (1) any two of the four qubits α|0 X ± β|1 X and β|0 X ± α|1 X cannot be selected as elements of the qubit set at the same time for arbitrary α and β parameters; (2) any two elements, |ψ 0 X = α 0 |0 X + β 0 |1 X and |ψ 1 X = α 1 |0 X + β 1 |1 X , of the qubit set should satisfy where ε is the probability of the channel errors. Any set satisfying the above two restrictive conditions can be used as a qubit set of our protocol. The second restrictive condition is related to the non-ideal case that there exist channel errors. In the following, we first present our protocol in an idealized form and ignore the second restrictive condition. In the ideal case, we assume perfect state preparations, transmissions, and measurements. We also make idealizations about the relativistic geometry and signaling speed as Ref. [10], supposing that Alice can signal at precisely light speed, all information processing is instantaneous, and the distances from both parties' labs to the relevant points O, Q 0 , and Q 1 are infinitesimal and can be considered to be negligible.
Commit: In the commit phase, Bob prepares securely a set of qubits {|Ψ i } N i=1 independently randomly chosen from Bell states and keeps them private.
At point O, Bob sends qubits A (| A ) of his Bell states to Alice and keeps qubits B (| B ) to himself. To commit to a qubit α|0 X + β|1 X in H X space, Alice carries out teleportation via measuring qubits X (| X ) and A collectively in the Bell basis resulting qubits B on Bob's side collapse to α|0 B ± β|1 B and β|0 B ± α|1 B with equal probability, and sends over secure channels to her agents at Q 0 and Q 1 the outcomes of the collective measurement of qubits X and A. In this stage, the collapsed states of qubits B act as the evidence of the commitment and preserve the coherence of the committed qubit; and the outcomes of the collective measurement carry the information that which specific state of each qubits B has collapsed to and determine the unitary transformations that can transform the collapsed states to the state α|0 B + β|1 B (that is equal to the committed qubit). The outcomes can be represented by binary numbers, and it can be transmitted by using secure classical channels, which can be built by presharing one-time pads between her agent at O and those at Q 0 and Q 1 and sending pad-encrypted classical signals.
Unveil: Alice's agents at Q 0 and Q 1 announce the classic information of the committed qubit and the outcomes of the collective measurement to adjacent Bob's agents to unveil the commitment. Bob carries out the unitary transformations determined by the outcomes to the corresponding collapsed qubits B in his possession to transform each of them to the state |ϕ B and decides whether to accept the commitment and unveiling as genuine or not by comparing the announced information and checking the transformed state |ϕ B at somewhere in the intersection of the future light cones of Q 0 and Q 1 . If the declared outcomes on both wings are the same and Bob's measurement results of |ϕ B are consistent with the announced committed qubit, Bob accepts the commitment. Otherwise, Bob concludes that Alice cheated and rejects her commitment.

Security of the Protocol
In this section, we prove the unconditional security of our protocol. Since Alice does not send any quantum and classical information to Bob before the unveiling, the protocol is obviously secure against Bob. It is because no matter what strategy Bob takes (including the strategy that Bob prepares any kind of quantum state), any local measurement performed in Alice's side does not change the reduced density matrix of the qubits in Bob's side, so Bob cannot get any information about the committed qubit by only measuring the qubits in his side before the unveiling. From another perspective, the security against Bob is guaranteed by the theorem of impossibility of superluminal signaling. Since if Bob can learn something about the committed qubit before the unveiling, it means that an Alice in a distant location can send information to Bob simply by measuring the qubits on her side, which is essentially superluminal signaling. Hence, in our protocol, Bob can learn nothing about Alice's choice until she chooses to unveil the qubit.
The security of this protocol against Alice should be discussed in different cases. The first case is that Alice follows the honest strategy at point O. In this case, she cannot change the collapsed states of qubits B again after O, but she is free to pretend that one original input qubit (committed qubit) from α|0 X ± β|1 X and β|0 X ± α|1 X is any one of the three remaining ones of the four qubits just by properly interchanging her results of the collective measurement of qubits X and A. For example, she can pretend that the input qubit α|0 X + β|1 X is α|0 X − β|1 X by interchanging her measurement results |φ 1 XA with |φ 2 XA , and |φ 3 XA with |φ 4 XA . However, because of the prior agreement that any two of the four qubits α|0 X ± β|1 X and β|0 X ± α|1 X cannot be selected as the elements of the qubit set {|ψ k X } d k=1 at the same time, Alice's cheating has no positive significance if qubit α|0 X + β|1 X is one of the element of the qubit set. The reverse case is that Alice's input qubit α|0 X + β|1 X is not the element of the qubit set while she unveils the right one, such as qubit α|0 X − β|1 X . From the perspective of the input, this is of course cheating. Although such cheating does not increase Alice's probability of successfully revealing any correct qubit, it cannot be prohibited. However, from the perspective of the output, no matter which of the four qubits Alice inputs, the output is that qubits B on Bob's side collapse to α|0 B ± β|1 B and β|0 B ± α|1 B with equal probability, implying the four inputs are equivalent. In the second scenario, we ask if it is possible for Alice to pretend that the input qubit α|0 X + β|1 X is another qubit with parameters different from α and β, such as m|0 X + n|1 X . If she tries to do this, she needs to pretend that the string of qubit |ϕ 0 B = α|0 B + β|1 B within the collapsed qubits B is the string of |ϕ 1 B = m|0 B + n|1 B . The results of Ref. [19] show that once the density matrix of the qubit string is fixed, the probabilities p i of Bob accepting a revelation of the string of |ϕ i B satisfy p 0 + p 1 < 1 + δ, where δ can be made arbitrarily small by choosing the security parameters appropriately, therefore Alice has no successful strategy for such cheating.
Second, in the case that Alice does not follow the honest strategy at point O, we can suppose that some operations are carried out at this point, but they leave her significantly uncommitted and retain as much freedom as possible in her choice of which qubit to unveil. We then further suppose that in the causal future of O, all the strategies that the agent on the line segment (O, Q i ] can follow form a set S iq and the probabilities of successfully unveiling the qubit |ψ k X when the agent on the line segment (O, Q 0 ] performs the strategy S 0q while the other agent on the line segment (O, Q 1 ] performs S 1j is T qjk (S 0q , S 1j , |ψ k X ). Similar to the discussion in the case that Alice follows the honest strategy at point O, by the results of Ref. [19] again, when the two agents follow S 0q and S 1j strategies, once the qubits B collapse to the states corresponding to the committed qubit |ψ k X , there should exist no cheating strategy for Alice to successfully unveil any other qubit unless the probability of passing the unveil phase is lower than a certain threshold δ which can be made arbitrarily small by increasing the security parameters, therefore the sum of the probabilities of successfully unveiling all the qubits of the public fixed qubit set except |ψ k X when the two agents follow S 0q and S 1j strategies must be less than , and vice versa. The agent at Q 1 can only guess the strategy S 0q that the agent at Q 0 follows with probability t q , which must be agreed by the two agents at or before O or decided by the agent at Q 1 alone, hence satisfies ∑ q t q = 1. Therefore, the probability of successfully unveiling the qubit |ψ k X in the unveil phase is p k = ∑ qj t q r qj T qjk , where r qj is the probability of the agent at Q 1 following S 1j when the agent at Q 0 follows S 0q , which must satisfy ∑ j r qj = 1. Combining the three conditions ∑ k T qjk < 1 + δ, ∑ q t q = 1, and ∑ j r qj = 1, we have ∑ k p k = ∑ qjk t q r qj T qjk < 1 + δ. This is consistent with our above mathematical definition of unconditionally secure of a quantum qubit commitment.

Discussion of Qubit Certification
Classical certification [20,21] is a well-known constraint that a quantum cryptographic protocol guarantees to all the other parties that one party is restricted so that, to avoid being detected as cheating, his quantum inputs must take the form of pure states of the basis elements of a public fixed basis {|i } d i=1 of the appropriate d-dimensional input space. Here, as the qubit set {|ψ k X } d k=1 in the quantum qubit commitment is not always a set of orthonormal bases in H X space, we define qubit certification, a new constraint similar to classical certification, that a protocol guarantees to all the other parties that one party is restricted so that his quantum inputs must be a specific qubit of the public fixed set, which can be described as, in a quantum qubit commitment, that any unveiled qubit commitments necessarily have a definite committed qubit choosing from the public set. Like all technologically unconstrained quantum bit commitment protocols, [9,12] do not force Alice to commit to a specific bit, the protocol here does not force to commit to a specific qubit, as it does not prevent Alice from preparing states in H X entangled with other system H C with the form ∑ k √ p k |k C |ψ k X , where {|k C } d k=1 is a set of orthonormal bases. In the commitment, Alice can choose to keep the states in quantum entanglement, and input | X as the committed qubit and store the entangled state | C and then measure it in the computational basis until unveiling. In this case there is a definite committed qubit without being detected cheating, but from Alice's perspective the unveiled qubit remains unknown with subjective probabilities obeying ∑ k p k = 1. It does not rule out the case that Alice's measurement result of qubit C is |k 1 C (k 1 = k) but she successfully unveils qubit |ψ k X , or even the case that she prepares states entangling the subset √ p k |k C |ψ k X satisfying ∑ d 1 k=1 p k = 1, but successfully unveils a qubit |ψ k X / ∈ {|ψ k X } d 1 k=1 , with a probability δ, which can be made arbitrarily small by choosing the security parameters appropriately as there is no any measurement result that could act as an evidence to support Alice to obtain a successful probability of unveiling this qubit higher than the successful probability of just guessing by chance. Hence, we say a quantum qubit commitment protocol with a security parameter N is unconditionally secure when it guarantees ∑ k p k < 1 + δ(N) with δ(N) → 0 as N → ∞ .
It is the complete mathematical definition of unconditionally secure of a quantum qubit commitment that we presented above.

The Non-Ideal Case in Practical Application
The protocol proposed above is idealized with some ideal assumptions. In this section, we discuss the non-ideal case in practical application. Realistically, it is not possible for Alice and Bob to have secure access to precisely the same space-time point to exchange a qubit; Alice cannot signal at precisely light speed; and information cannot be processed instantaneously. In a realistic implementation, all the corrections about the idealized assumptions of these aspects will introduce time delays at various stages of the protocol. The effects of these time delays can be discussed same as the other relativistic protocols [9,12]. If the corrections are small, the protocol remains secure and the only significant effect is that Alice can only persuade Bob that her commitment is binding from some point in the near causal future of O, rather than from O itself [9,12].
Realistically, too, perfect state preparations, transmissions, and measurements are impossible with unavoidable channel losses and errors. A low possibility of losses does not affect the security since the security parameter N of the protocol implies essentially committing N copies of the qubit, hence Bob can always be able to receive enough evidence qubits to finally check Alice's unveiling. To deal with the channel errors, we consider that the two qubits |ψ 0 X = α 0 |0 X + β 0 |1 X and |ψ 1 X = α 1 |0 X + β 1 |1 X are two arbitrary elements of the public qubit set {|ψ k X } d k=1 . If Alice attempts to cheat to pretend that the committed qubit |ψ 0 X is |ψ 1 X in a concrete implementation, she needs to persuade Bob that the strings of |ϕ 0 B = α 0 |0 B ± β 0 |1 B and β 0 |0 B ± α 0 |1 B within the collapsed qubits B are the strings of |ϕ 1 B = α 1 |0 B ± β 1 |1 B and β 1 |0 B ± α 1 |1 B , respectively. Let p 1 i = B <ϕ 1 |ϕ 0 > B B <ϕ 0 |ϕ 1 > B be the probability of Bob accepting a revelation of |ϕ 1 B for the ith |ϕ 0 B . We have p 1 i = α * 0 α 1 + β * 0 β 1 2 , and the probability that Alice is detected cheating in unveiling |ϕ 1 B is 1 − p 1 i . If the probability of the channel errors ε is bigger than 1 − p 1 i , Alice can always claim that the error was due to channel errors, even if she did cheat. Therefore, Bob can be guaranteed that Alice's commitment is binding only when 1 − p 1 i >> ε. Since it can be found that p 1 i = X <ψ 1 |ψ 0 > X X <ψ 0 |ψ 1 > X in our protocol, it finally becomes X <ψ 1 |ψ 0 > X X <ψ 0 |ψ 1 > X << 1 − ε, which gives, to counter the channel errors, a definite constraint in determining the qubit set. When this constraint condition is satisfied, the channel errors make no essential difference as long as they are small and Bob needs only to check that Alice's revelation is statistically consistent with the output corresponding to the unveiled qubit and statistically inconsistent with the other. In practical application, we think that 1 − X <ψ 1 |ψ 0 > X X <ψ 0 |ψ 1 > X ≥ 2ε is good enough to implement our protocol. To illustrate this constraint more visually, we suppose that |ψ 0 X = |0 and |ψ 1 X = cos θ|0 + sin θ|1 are two qubits in the qubit set and ε = 3% in a practical application, hence we have X <ψ 1 |ψ 0 > X X <ψ 0 |ψ 1 > X = cos2θ. In this case, the constraint 1 − X <ψ 1 |ψ 0 > X X <ψ 0 |ψ 1 > X ≥ 2ε requires cos 2 θ ≤ 94%, i.e., the angle θ is not smaller than arccos √ 0.94 = 14.1788 • .

Conclusions and Discussion
Quantum qubit commitment is a rather new concept, which was first proposed in 2018 [14]. It was pointed out in 2021 [15] that the quantum qubit commitment has some unique and important applications beyond quantum bit commitment in the upcoming era of quantum network. Therefore, it is both theoretically interesting and practically valuable to develop unconditional secure quantum qubit commitment protocols. In this paper, we proposed an unconditionally secure relativistic quantum qubit commitment protocol for the first time. Comparing to the existed quantum bit commitment, our protocol does not destroy the coherence of the committed qubit (the collapsed states of qubits B preserve the coherence of the committed qubit). This is the fundamental difference between quantum qubit commitment and quantum bit commitment.
Since quantum qubit commitment is a stronger version of the quantum bit commitment, our quantum qubit commitment protocol of course can be used to fulfill quantum bit commitment. However, to preserve the coherence of the committed qubit, when our protocol is used to execute a quantum bit commitment, it needs more quantum resources (quantum entanglement in our protocol) than the dedicated quantum bit commitment protocols [9,10,12]. This is the limitation of our protocol.
In the last two decades, relativistic quantum cryptography has become an important branch of quantum physics. Numerous researchers have carried out a great deal of research in this field, including revealing information causality as a physical principle in quantum physics [22] as well as developing relativistic quantum protocols with wide range of important applications, such as quantum tokens [23] and quantum tagging [24]. As our proposed protocol is the first unconditionally secure relativistic quantum qubit commitment scheme, we think that it comes timely in the rapid development of relativistic quantum cryptography and will help stimulate further interest in the theory and practical implementation of this field.