An Optical Implementation of Quantum Bit Commitment Using Infinite-Dimensional Systems

Abstract

Unconditionally secure quantum bit commitment (QBC) was widely believed to be impossible for more than two decades, but recently, based on an anomalous behavior found in quantum steering, we proposed a QBC protocol which can be unconditionally secure in principle. The protocol requires the use of infinite-dimensional systems, so it may seem less feasible in practice. Here, we propose a quantum optical method based on the Mach–Zehnder interferometer, which gives a very good approximation to such infinite-dimensional systems. Thus, it enables a proof-of-principle experimental implementation of our protocol, which can also serve as a practically secure QBC scheme. Other multi-party cryptographic protocols such as quantum coin tossing can be built upon it too. Our approach also reveals a relationship between infinity and non-locality, which may have an impact on the research of fundamental theories.

1. Introduction

Quantum cryptography has achieved great success in many fields such as key distribution [1], but there are still other cryptographic problems that remain unconquered. Bit commitment (BC) [2] is known to be an essential building block for coin tossing [1], oblivious transfer [3,4], and even more complicated multi-party secure computation protocols [5]. Unfortunately, since 1996, people started to realize that unconditionally secure quantum BC (QBC) is hard to achieve. The cheating strategy against the QBC protocol in ref. [2] was first proposed in ref. [6]. Shortly after, it was further asserted that all QBC protocols are not unconditionally secure in principle [7,8]. Later, refs. [9,10,11,12,13,14] reviewed the original no-go proof, with some examples of insecure protocols given in refs. [9,13]. Ref. [11] also extended the proof to cover ideal quantum coin tossing (QCT). More examples on how to break some promising BC protocols at that time were provided too [15,16]. Refs. [17,18,19,20] proved the impossibility of some types of BC with a slightly different security criterion. Refs. [21,22,23,24,25] gave quantitative studies on the security bounds of QBC, with ref. [22] focused on the protocol in ref. [1], while refs. [23,24] focused on another class of protocols. A very lengthy proof was first presented in the Heisenberg picture [26], then shortened and rephrased in the Schrödinger picture [27]. The validity of the no-go result was also studied in a world subject to superselection rules [28,29,30] or an epistemic local hidden variable theory [31]; for QBC associated with secret parameters [32,33] or secret probability distributions [34]; or when the participants are restricted to use Gaussian states and operations only [35]. Refs. [36,37] attempted to deduce the impossibility of QBC from the no-masking theorem. Ref. [38] studied the security of BC under the relativistic setting. Other efforts include refs. [39,40,41,42,43,44], which tried to proved the no-go theorem with alternative approaches. These results, known as the Mayers–Lo–Chau (MLC) no-go theorem, were widely accepted despitesome attempts towards secure QBC (e.g., the references in refs. [45,46,47,48,49,50,51]), and were considered as a serious drawback on the potential of quantum cryptography.

Nevertheless, the cheating strategy in all these no-go proofs is based on the Hughston–Jozsa–Wootters (HJW) theorem [52], a.k.a. the Uhlmann theorem [53,54]. Recently, it was found that, in infinite-dimensional systems, there exists a specific form of quantum states to which the HJW theorem does not apply [55]. Based on this finding, we proposed a QBC protocol and proved theoretically that it remains secure against the cheating strategy in the no-go proofs [56]. Therefore, implementing the protocol in practice will be of great significance, as it can re-open the venue to many useful multi-party secure computation protocols that were once closed by the MLC no-go theorem.

As pointed out in ref. [56], since the protocol requires infinite-dimensional systems, the implementation may be very hard if we want to use physical systems with an infinite number of energy levels, because it may imply an infinitely high energy. To circumvent the problem, here, we use the arrival time of photons as a trick, so that infinite-dimensional systems can be realized using simple optical devices. Consequently, the QBC protocol in ref. [56] can be implemented with a Mach–Zehnder (MZ) interferometer, which is within the capability of currently available technology.

2. Results

2.1. The Theoretical Description of the Protocol

Let us begin with a brief review on the definition of BC and the theoretical scheme in ref. [56]. BC is a two-party cryptography between Alice and Bob, which includes the following phases. In the commit phase, Alice decides the value of the bit b that she wants to commit and sends Bob a piece of evidence, e.g., some quantum states. Later, in the unveil phase, Alice announces the value of b, and Bob checks it with the evidence. The interval between the commit and unveil phases can be called the holding phase. An unconditionally secure BC protocol needs to be both binding (i.e., Alice cannot change the value of b after the commit phase) and concealing (Bob cannot know b before the unveil phase).

Since whether QBC can be unconditionally secure in principle is a very important theoretical problem, here, we only consider the ideal case without transmission errors, detection loss, dark counts, or other practical imperfections. In ref. [56], the following protocol was proposed:

Our theoretical QBC protocol:

The commit phase:

(i) Alice decides on the value of b ($b=0$ or 1) that she wants to commit. Then, for $j=1$ to s:

She randomly picks an integer $i_j\in \{1,2,\cdots ,\infty \}$ and sends Bob a quantum register ${\Psi }_j$, which is an infinite-dimensional system prepared in the state ${\psi }_{i_j}^b=(\left|0\right.〉+{(-1)}^b\left|i_j\right.〉)/\sqrt{2}$.

That is, if $b=0$ she randomly picks a state from the set:

$$\left\{{\psi }_i^0\equiv \left|{\varphi }_{i+}\right.〉=\frac{1}{\sqrt{2}}(\left|0\right.〉+\left|i\right.〉),i=1,\cdots ,n-1\right\},$$

(1)

or, if $b=1$, she randomly picks a state from the set:

$$\left\{{\psi }_i^1\equiv \left|{\varphi }_{i-}\right.〉=\frac{1}{\sqrt{2}}(\left|0\right.〉-\left|i\right.〉),i=1,\cdots ,n-1\right\},$$

(2)

where $\left|0\right.〉$, $\left|1\right.〉$, $\left|2\right.〉$, …, $\left|i\right.〉$, …are orthogonal to each other and $n\to \infty$.

Note that, in each round, $i_j$ is independently chosen, while b remains the same for all j;

The holding phase:

(ii) Bob stores these s quantum registers unmeasuredly;

The unveil phase:

(iii) Alice announces the values of b and all $i_j$ ( $j=1,\cdots ,s$ );

(iv) Bob tries to project each ${\Psi }_j$ into the state ${\psi }_{i_j}^b=(\left|0\right.〉+{(-1)}^b\left|i_j\right.〉)/\sqrt{2}$. If the projections are successful for all registers, Bob accepts Alice’s commitment. Else, if any of the projections fails, Bob concludes that Alice cheated.

The key reason that this protocol can be unconditionally secure is the specific forms of the states in Equations (1) and (2). In general, the cheating strategy in the no-go proofs [6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44] can be successful in most QBC protocols using other forms of quantum states for the following reason. Suppose that honest Alice is supposed to send Bob the state ${\psi }^{\prime 0}$ (${\psi }^{\prime 1}$) if she wants to commit $b=0$ ($b=1$), where ${\psi }^{\prime 0}$ (${\psi }^{\prime 1}$) is picked from a set of states described by the density matrix ${\rho }_0^{\beta }$ (${\rho }_1^{\beta }$). Since an unconditionally secure QBC protocol needs to be concealing against dishonest Bob, there should be the following:

$${\rho }_0^{\beta }\simeq {\rho }_1^{\beta }$$

(3)

so that Bob cannot discriminate the state himself. Then, the HJW theorem applies. That is, dishonest Alice can begin the QBC protocol by preparing the system $\alpha \otimes \beta$ in such a state that $\beta$ alone has density matrix ${\rho }_0^{\beta }$. Then, she skips the measurement in the commit phase so that $\alpha$ and $\beta$ remain entangled. In the unveil phase, since Equation (3) is satisfied, according to the HJW theorem, there exist two measurements $M_0$ and $M_1$ on $\alpha$ such that, if Alice applies $M_0$ ($M_1$) on $\alpha$, then $\beta$ will collapse to a state belonging to the set described by ${\rho }_0^{\beta }$ (${\rho }_1^{\beta }$). Therefore, Alice can unveil b as whatever value she likes in the unveil phase by choosing between the two measurements $M_0$ and $M_1$.

However, in our protocol, the two sets of states take the forms in Equations (1) and (2). Suppose that dishonest Alice prepares a bipartite system $\alpha \otimes \beta$ in the state:

$$\left|\Omega \right.〉=\frac{1}{\sqrt{n-1}}\sum _{i=1}^{n-1}\left|{\alpha }_{i+}\right.〉\left|{\varphi }_{i+}\right.〉$$

(4)

so that she can cheat using the strategy in the no-go proofs. Here, $\{\left|{\alpha }_{i+}\right.〉,i=0,\cdots ,n-1\}$ is an orthonormal basis of the n-dimensional system $\alpha$. Let ${\rho }_0^{\beta }$ and ${\rho }_1^{\beta }$ be the density matrices corresponding to the sets $\left\{{\psi }_i^0=\left|{\varphi }_{i+}\right.〉\right\}$ and $\left\{{\psi }_i^1=\left|{\varphi }_{i-}\right.〉\right\}$, respectively. As shown in ref. [55], when $n\to \infty$, Equation (3) is satisfied, so that it seems to meet the requirement of the HJW theorem. Now, let us see what happens if Alice wants to cheat.

Surely, if she wants to unveil $b=0$, all she needs is simply to use $\{\left|{\alpha }_{1+}\right.〉,\left|{\alpha }_{2+}\right.〉,\cdots ,\left|{\alpha }_{(n-1)+}\right.〉\}$ as the basis of the measurement $M_0$ and apply it on her system $\alpha$, which will make Bob’s system $\beta$ collapse into one of the state in $\left\{\left|{\varphi }_{i+}\right.〉\right\}$ so that she can complete the protocol without being caught. Now, the question is, can she unveil $b=1$ successfully? According to the HJW theorem, there should exist another measurement $M_1$ with the basis $\{\left|{\alpha }_{1-}\right.〉,\left|{\alpha }_{2-}\right.〉,\cdots ,\left|{\alpha }_{(n-1)-}\right.〉\}$, such that Equation (4) can be expressed as follows:

$$\left|\Omega \right.〉\simeq \frac{1}{\sqrt{n-1}}\sum _{i=1}^{n-1}\left|{\alpha }_{i-}\right.〉\left|{\varphi }_{i-}\right.〉$$

(5)

so that Alice’s measuring $\alpha$, in this basis, will make $\beta$ collapse into a state in $\left\{\left|{\varphi }_{i-}\right.〉\right\}$. To find the form of $\left\{\left|{\alpha }_{i-}\right.〉\right\}$, following ref. [56], we expand each $\left|{\varphi }_{i+}\right.〉$ in Equation (4) using $\left\{\left|{\varphi }_{i-}\right.〉\right\}$, and the result is below:

$$\begin{array}{ccc}\hfill \left|\Omega \right.〉& =& \frac{1}{\sqrt{n-1}}\sum _{i=1}^{n-1}\sqrt{1-\frac{4}{n^2}}\left|{\tilde{\alpha }}_{i-}\right.〉\left|{\varphi }_{i-}\right.〉\hfill \\ & & +\sqrt{\frac{2}{n}}\left|{\tilde{\alpha }}_{n-}\right.〉\left|{\varphi }_{n-}\right.〉,\hfill \end{array}$$

(6)

where

$$\left|{\varphi }_{n-}\right.〉\equiv \frac{1}{\sqrt{n}}\left(\left|0\right.〉+{\sum }_{i=1}^{n-1}\left|i\right.〉\right),$$

(7)

$$\left|{\tilde{\alpha }}_{n-}\right.〉\equiv \frac{1}{\sqrt{n-1}}\sum _{i=1}^{n-1}\left|{\alpha }_{i+}\right.〉,$$

(8)

and

$$\left|{\tilde{\alpha }}_{i-}\right.〉\equiv \frac{1}{\sqrt{1-\frac{4}{n^2}}}\left(\frac{2-n}{n}\left|{\alpha }_{i+}\right.〉+\frac{2}{n}\sum _{i^{\prime }=1,i^{\prime }\ne i}^{n-1}\left|{\alpha }_{i^{\prime }+}\right.〉\right),$$

(9)

for $i=1,\cdots ,n-1$.

For a given $i\in \{1,\cdots ,n-1\}$, if Alice can project system $\alpha$ to $\left|{\tilde{\alpha }}_{i-}\right.〉$, then Equation (6) shows that system $\beta$ will collapse to the following:

$$\begin{array}{ccc}\hfill \left|{\tilde{\varphi }}_{i-}\right.〉& \equiv & c^{\prime }\left[\frac{\sqrt{1-\frac{4}{n^2}}}{\sqrt{n-1}}\left(\left|{\varphi }_{i-}\right.〉+\sum _{i^{\prime }=1,i^{\prime }\ne i}^{n-1}〈{\tilde{\alpha }}_{i-}\left|{\tilde{\alpha }}_{i^{\prime }-}\right.〉\left|{\varphi }_{i^{\prime }-}\right.〉\right)\right.\hfill \\ & & \left.+\sqrt{\frac{2}{n}}〈{\tilde{\alpha }}_{i-}\left|{\tilde{\alpha }}_{n-}\right.〉\left|{\varphi }_{n-}\right.〉\right]\hfill \\ & =& c^{\prime }\left[\sqrt{\frac{n^2-4}{n^2(n-1)}}\left(\left|{\varphi }_{i-}\right.〉-\frac{4{\sum }_{i^{\prime }=1,i^{\prime }\ne i}^{n-1}\left|{\varphi }_{i^{\prime }-}\right.〉}{n^2-4}\right)\right.\hfill \\ & & \left.+\sqrt{\frac{2(n-2)}{n(n-1)(n+2)}}\left|{\varphi }_{n-}\right.〉\right],\hfill \end{array}$$

(10)

where

$$c^{\prime }=\sqrt{\frac{n(n-1)(n+2)}{(n^2+2)}}.$$

(11)

Multiplying $\left.〈{\varphi }_{i-}\right|$ by Equation (10), we have the following:

$$〈{\varphi }_{i-}\left|{\tilde{\varphi }}_{i-}\right.〉=\sqrt{1-\frac{2n+2}{n^2+2}}.$$

(12)

In the limit $n\to \infty$, $\left|{\tilde{\varphi }}_{i-}\right.〉$ can be arbitrarily close to $\left|{\varphi }_{i-}\right.〉$. Thus, we know that $\left|{\tilde{\alpha }}_{i-}\right.〉$ is the form of $\left\{\left|{\alpha }_{i-}\right.〉\right\}$ that we are looking for.

Nevertheless, by taking the limit $n\to \infty$ in Equation (9), we find the following:

$$\left|{\tilde{\alpha }}_{i-}\right.〉=-\left|{\alpha }_{i+}\right.〉.$$

(13)

Consequently, if Alice wants to collapse $\beta$ into a state in $\left\{\left|{\varphi }_{i-}\right.〉\right\}$ so that she can unveil $b=1$ successfully, then the corresponding measurement $M_1$ is to measure $\alpha$ in the basis $\{-\left|{\alpha }_{1+}\right.〉,-\left|{\alpha }_{2+}\right.〉,\cdots ,-\left|{\alpha }_{(n-1)+}\right.〉\}$. Since the global negative sign before the state vectors has no physical meaning, the bases of the “two” measurements $M_0$ and $M_1$ are actually the same. Consequently, Alice no longer has the freedom to choose between two different measurements to alter the value of her committed bit b. Thus, the cheating strategy in the no-go proofs fails in our protocol. (Please see ref. [56] for the complete security proof.)

2.2. The Experimental Implementation

Ref. [56] was devoted to the problem of whether unconditionally secure QBC is allowed in principle. Thus, it only provided a theoretical description of the protocol without considering the implementation. To realize the protocol, the most important point is to find a feasible implementation of the infinite-dimensional systems. Here, we propose a trick to implement the infinite-dimensional system in each round of the protocol using a single photon only. The experimental apparatus is illustrated in Figure 1. In each of the s rounds of step (i) of the protocol, Alice sends a single photon either from the source $S_0$ (for sending ${\psi }_i^0$) or $S_1$ (for sending ${\psi }_i^1$), then splits it into two wave packets $\left|x\right.〉$ and $\left|y\right.〉$ by the 50:50 non-polarizing beam splitter $B{S}_A$. $\left|x\right.〉$ is sent directly to Bob via path X while $\left|y\right.〉$ is delayed by the storage ring $S{R}_A$ (which introduces a delay time $\tau$ chosen by Alice secretly) before sending via path Y. At Bob’s site, $\left|x\right.〉$ is delayed by the storage rings $S{R}_x$ and $S{R}_B$. $\left|y\right.〉$ is delayed by the storage ring $S{R}_y$, which is identical to $S{R}_x$, so that they introduce the same amount of delay time, then meets $\left|x\right.〉$ at the 50:50 beam splitter $B{S}_B$ and interferes. We can see that when the delay times caused by $S{R}_A$ and $S{R}_B$ are tuned to be equal, the complete apparatus forms a balanced MZ interferometer, so that ${\psi }_i^0$ (${\psi }_i^1$) will make the detector $D_0$ ($D_1$) click with certainty in principle.

Before running the protocol, Bob should set up another set of devices at his own site as a reference, which is completely identical to that of Alice’s. By sending photons using this reference set and monitoring his detectors $D_0$ and $D_1$, he can estimate the error rate $\epsilon$ of the whole system, i.e., the probability that the photon ${\psi }_i^0$ (${\psi }_i^1$) sent from the source $S_0$ ($S_1$) will mistakenly make the detector $D_1$ ($D_0$) click or simply get lost. For better performance, if the distance between Alice and Bob is very long, paths X and Y in Figure 1 should be implemented using optical fibers, instead of letting the photons travel through free space. Meanwhile, Bob should also have optical fibers of the same length in his reference set and place them in an environment (e.g., temperature, humidity, etc.) similar to that of the optical fibers placed between Alice and Bob in the actual set. The purpose is to ensure that the error rate $\epsilon$ that Bob learns from his reference set is very close to the one in the actual set. After obtaining $\epsilon$ all by himself, Bob runs the following experimental protocol with Alice.

Our experimental QBC protocol:

The commit phase:

(i) Alice and Bob agree on a maximum delay time ${\tau }_{max}$ and the sending times $t_j$ ( $j=1,\cdots ,s$ ) with $t_1<t_2<\cdots <t_s$ and ${\tau }_{max}<t_j-t_{j-1}$ ( $j=2,\cdots ,s$). Then, Alice decides on the value of b ($b=0$ or 1) that she wants to commit, and for $j=1$ to s:

Alice randomly picks  ${\tau }_j\in [0,{\tau }_{max}]$ and sets the delay time of her storing ring $S{R}_A$ as ${\tau }_j$. Then, she sends Bob a photon ${\Psi }_j$ from the source $S_b$ at time $t_j$;

Note that, in each round, ${\tau }_j$ is independently chosen, while b remains the same for all j;

The holding phase:

(ii) Bob stores the wave packets of each photon in $S{R}_x$ and $S{R}_y$ unmeasuredly;

The unveil phase:

(iii) Alice announces the values of b and all ${\tau }_j$ ( $j=1,\cdots ,s$);

(iv) For $j=1$ to s: Bob sets the delay time of his storing ring $S{R}_B$ as ${\tau }_j$. Then, he releases the wave packets of photon ${\Psi }_j$ from $S{R}_x$ and $S{R}_y$ and directs them into his part of the MZ interferometer (as presented in the green dash-dot box at the right-hand side of Figure 1);

If there are, in total, about $(1-\epsilon )s$ photons (see Appendix A for the tolerable range of statistical deviations) detected by $D_b$ instead of $D_{\overline{b}}$, then Bob accepts Alice’s commitment. Otherwise, Bob concludes that Alice cheated.

2.3. The Relationship between the Two Protocols

Now, we show that, in principle, the above experimental protocol is a faithful implementation of the theoretical one. In the experimental protocol, following the occupation number representation widely used in quantum optics [57], at time t if there is a wave packet of a photon on path X and no wave packet on path Y, the state can be denoted by ${\left|1\right.〉}_X{\left|0\right.〉}_Y$. Conversely, if there is a wave packet on path Y and no wave packet on path X, the state can be denoted by ${\left|0\right.〉}_X{\left|1\right.〉}_Y$. To make the time t more explicit, let us write them as ${\left|t\right.〉}_X{\left|0\right.〉}_Y$ and ${\left|0\right.〉}_X{\left|t\right.〉}_Y$, respectively. That is, we use the symbol t in $\left|\cdots \right.〉$ to denote the time that the wave packet of a single photon presents in the path, instead of the number of photons, and $\left|0\right.〉$ to denote that no wave packet is presented in the path at any time. Obviously, the state ${\left|t\right.〉}_P$ is orthogonal to ${\left|t^{\prime }\right.〉}_P$ ($P=X,Y$) for any $t\ne t^{\prime }$ and they are all orthogonal to ${\left|0\right.〉}_P$. For simplicity, suppose that, except for $S{R}_A$, $S{R}_B$, $S{R}_x$, and $S{R}_y$, the time for the photon to travel through all other devices in Figure 1 is negligible. Under this formalism, when Alice sends the photon ${\Psi }_j$ ($j=1,\cdots ,s$) from the source $S_b$ at time $t_j$, the initial state of ${\Psi }_j$ after passing $B{S}_A$ is as shown:

$${\left|{\Psi }_j\right.〉}_{ini}=\frac{1}{\sqrt{2}}({\left|t_j\right.〉}_X{\left|0\right.〉}_Y+{(-1)}^b{\left|0\right.〉}_X{\left|t_j\right.〉}_Y).$$

(14)

After passing $S{R}_A$, which introduces the delay time ${\tau }_j$ to path Y, the state of ${\Psi }_j$ that left Alice’s site is as below:

$${\left|{\psi }_j\right.〉}_A=\frac{1}{\sqrt{2}}({\left|t_j\right.〉}_X{\left|0\right.〉}_Y+{(-1)}^b{\left|0\right.〉}_X{\left|t_j+{\tau }_j\right.〉}_Y).$$

(15)

In the unveil phase, when Bob learns Alice’s delay time ${\tau }_j$ and sets $S{R}_B$ accordingly, the final state of the photon ${\Psi }_j$ arriving at $B{S}_B$ after passing $S{R}_x$, $S{R}_y$ and $S{R}_B$ is as follows:

$$\begin{array}{ccc}\hfill {\left|{\psi }_j\right.〉}_{fin}& =& \frac{1}{\sqrt{2}}({\left|t_j+{\tau }_{hold}+{\tau }_j\right.〉}_X{\left|0\right.〉}_Y\hfill \\ & & +{(-1)}^b{\left|0\right.〉}_X{\left|t_j+{\tau }_j+{\tau }_{hold}\right.〉}_Y)\hfill \\ & =& \frac{1}{\sqrt{2}}({\left|t_j^{\prime }\right.〉}_X{\left|0\right.〉}_Y+{(-1)}^b{\left|0\right.〉}_X{\left|t_j^{\prime }\right.〉}_Y),\hfill \end{array}$$

(16)

where ${\tau }_{hold}$ is the length of the time that ${\Psi }_j$ was stored in $S{R}_x$ and $S{R}_y$, and

$$t_j^{\prime }\equiv t_j+{\tau }_{hold}+{\tau }_j.$$

(17)

Meanwhile, when combined with $B{S}_B$, the detectors $D_0$ and $D_1$ serve as the projective operators:

$$P_0\equiv {\left|\psi \right.〉}_0{\left.〈\psi \right|}_0$$

(18)

and

$$P_1\equiv {\left|\psi \right.〉}_1{\left.〈\psi \right|}_1,$$

(19)

respectively, where

$${\left|\psi \right.〉}_0\equiv \frac{1}{\sqrt{2}}({\left|t_B\right.〉}_X{\left|0\right.〉}_Y+{\left|0\right.〉}_X{\left|t_B\right.〉}_Y)$$

(20)

and

$${\left|\psi \right.〉}_1\equiv \frac{1}{\sqrt{2}}({\left|t_B\right.〉}_X{\left|0\right.〉}_Y-{\left|0\right.〉}_X{\left|t_B\right.〉}_Y),$$

(21)

with $t_B$ denoting the time that Bob applies the measurement. Therefore, if Bob takes $t_B=t_j^{\prime }$, then, in the ideal case where the error rate $\epsilon$ is negligible, the detector $D_b$ should click with certainty where b is Alice’s committed bit. Otherwise, he knows that Alice cheated.

To see that the above presentation of the states is equivalent to that in our theoretical QBC protocol, let us view the time range $[0,{\tau }_{max}]$ (within which Alice picks her delay time ${\tau }_j$) as a series of time slots $T_1$, $T_2$, …, $T_i$, …, $T_{n-1}$. Here, $0\le T_i\le {\tau }_{max}$ ($i=1,\dots ,n-1$), and $T_i\ne T_{i^{\prime }}$ for any $i\ne i^{\prime }$. When time can be treated as a continuous variable, there is an infinite number of choices for $T_i$, i.e., $n\to \infty$. Now, for each ${\Psi }_j$ ($j=1,\dots ,s$), let us define:

$$\left|0\right.〉\equiv {\left|t_j\right.〉}_X{\left|0\right.〉}_Y$$

(22)

and

$$\left|i\right.〉\equiv {\left|0\right.〉}_X{\left|t_j+T_i\right.〉}_Y.$$

(23)

It is easy to verify that $〈i^{\prime }\left|i\right.〉={\delta }_{i^{\prime }i}$. That is, a single photon ${\Psi }_j$ can be treated as an n-dimensional system, with $\{\left|i\right.〉,i=0,\dots ,n-1\}$ being an orthonormal basis.

With these newly defined $\left|0\right.〉$ and $\left|i\right.〉$, we can see that, in the experimental protocol, when Alice chooses the delay time as ${\tau }_j=T_i$ ($i\in \{1,\dots ,n-1\}$), Equation (15) can be rewritten as follows:

$${\left|{\psi }_j\right.〉}_A=\frac{1}{\sqrt{2}}(\left|0\right.〉+{(-1)}^b\left|i\right.〉).$$

(24)

This is exactly the state that Alice sends in step (i) of the theoretical protocol for committing the bit b, as shown by Equations (1) and (2). Thus, it is proven that our proposed experimental protocol is equivalent to the theoretical one in principle, so that the security proof in ref. [56] also applies. Consequently, the experimental protocol is secure as long as time can be treated as a continuous variable so that the condition $n\to \infty$ can be reached.

2.4. Feasibility

The experimental apparatus shown in Figure 1 is much the same as those of the quantum key distribution (QKD) and quantum private query protocols in refs. [57,58,59]. The only difference is that our protocol requires two more storage rings $S{R}_x$ and $S{R}_y$. The QKD protocol in ref. [57] was already realized experimentally in ref. [60]. By comparing our apparatus with Figure 1 of ref. [60], we can see that the technology in ref. [60] is sufficient for implementing our protocol too. Detailed description of the actual experimental devices can be found in Section III of ref. [60].

An important part of the implementation is to find storage rings $S{R}_x$ and $S{R}_y$ with a sufficiently long delay time because they determine the holding time (the time interval between the commit phase and the unveil phase) of the protocol. Using 150 km of optical fiber (which was proven to be able to guarantee sufficiently high key rate for QKD in practice) to make the storage ring can generate about $500\mathsf{\mu }$s delay time. While such a holding time seems short, it is already sufficient for practical applications such as quantum coin tossing, as shown in Appendix B.

2.5. Practical Difficulties

The security of the practical implementation of the protocol, however, is limited by two difficulties. (1) The length of the classical communications between Alice and Bob has to remain finite, so that Alice cannot announce the delay times ${\tau }_j$ ($j=1,\dots ,s$) with an unlimited number of digits. (2) The delay time of the storage rings $S{R}_A$ and $S{R}_B$ cannot be adjusted to an unlimited precision either, so that Alice and Bob cannot set ${\tau }_j$ precisely to any desired value. Consequently, the number of choices for the time slots $T_i$ in Equation (23) (from which ${\tau }_j$ can be picked) cannot really go to infinite. Instead, when the above two difficulties limit the precision of time control to $\Delta \tau$, the number of time slots within the range $[0,{\tau }_{max}]$ is as below:

$$n={\tau }_{max}/\Delta \tau +1.$$

(25)

Therefore, the quantum optical method in Section 2.2 actually implements finite n-dimensional systems, instead of infinite-dimensional ones. That is, though the two protocols are equivalent in principle, in practice, the experimental scheme is not a faithful implementation of our theoretical protocol in Section 2.1. Thus, it cannot be as secure as the latter.

Nevertheless, making use of this limitation for cheating is technically challenging too. Suppose that Alice and Bob know the value of $\Delta \tau$ and therefore know the actual finite n. According to Section 5 of ref. [56], if Alice wants to cheat, she needs to have the technology to prepare entangled states in the form of Equation (4) in the commit phase, which is the quantum superposition of n different states. Moreover, later in the unveil phase, when she measures system $\alpha$ to complete her cheating, she needs to discriminate her measurement result between $\left|{\alpha }_{i+}\right.〉$ and $\left|{\tilde{\alpha }}_{i-}\right.〉$, where the latter is defined by Equation (9). Multiplying $\left.〈{\alpha }_{i+}\right|$ by it and we yield the following:

$$|〈{\alpha }_{i+}\left|{\tilde{\alpha }}_{i-}\right.〉{|}^2=1-\frac{4}{n+2}$$

(26)

(i.e., Equation (3.10) of ref. [56]). In our experimental protocol, suppose that the storage rings can achieve a precision of $\Delta \tau =300$ ps; then, for ${\tau }_{max}=500$ μs, there is $n\simeq 1.67\times {10}^6$. We can see that $|〈{\alpha }_{i+}\left|{\tilde{\alpha }}_{i-}\right.〉{|}^2$ is so close to 1 that even a tiny amount of noise and error in Alice’s experimental devices (which is inevitable in practice) could make the discrimination between $\left|{\alpha }_{i+}\right.〉$ and $\left|{\tilde{\alpha }}_{i-}\right.〉$ impossible. On the other hand, if Bob is dishonest and wants to learn the committed bit b before the unveil phase, according to Section 7 of ref. [56], he needs to be capable of discriminating the two density matrices ${\rho }_0^{\beta }={\rho }_{+}^{\otimes s}$ and ${\rho }_1^{\beta }={\rho }_{-}^{\otimes s}$ where the trace distance between ${\rho }_{+}$ and ${\rho }_{-}$ is below:

$$D({\rho }_{+},{\rho }_{-})=\frac{1}{\sqrt{n-1}}$$

(27)

(i.e., Equation (3.1) of ref. [56]). Again, in the practical setting, such a tiny difference between the states could be completely drowned by the noise and error in the experimental devices. Therefore, even with the limited n value achievable today, the experimental protocol in Section 2.2 can at least be used as a practically secure (instead of unconditionally secure) QBC scheme, or serve as a proof-of-principle implementation of the theoretical protocol in Section 2.1.

3. Discussion

In summary, we showed that, as long as time can be treated as a continuous variable, then each infinite-dimensional system in the unconditionally secure QBC protocol proposed in ref. [56] can be realized using a single photon. Thus, we obtained an experimental implementation of this QBC protocol which is feasible under currently available technology. Other “post-cold-war era” multi-party cryptographic protocols are, therefore, made possible too, e.g., quantum coin tossing, as elaborated in Appendix B.

The dimension of the systems cannot really be infinite in practice though, making the current experimental implementation a practically secure QBC only. Nevertheless, it still has an advantage over many other practically secure QBC protocols (e.g., refs. [61,62,63]). While these protocols could be more feasible than ours in practice, their security is based on certain practical limitations. For example, currently available quantum memory cannot store the quantum states for a long period of time, so that, as long as the holding phase of the protocol is longer than this period of time, we can be sure that Alice can no longer cheat by storing the states and delaying the measurement until the unveil phase. However, as technology advances, the storage time of quantum memory will increase, making it harder and harder to keep the corresponding protocol secure. On the contrary, the security of our experimental protocol is based on the unconditionally secure theoretical protocol in ref. [56]. Practical limitation is the reason that weakens its security so that it can be practically secure only, not the reason that makes it secure. Therefore, with the advance in the technology on the precision of the delay time adjustment, we can expect the security of this experimental protocol to be constantly improved towards that of the theoretical protocol in ref. [56]. Meanwhile, it is also worth studying whether some new technologies can be adopted to implement the infinite-dimensional systems to make our protocol even more feasible, e.g., the continuous phase noise resulting from gain switching laser operation [64].

Our result may also contribute to the development of fundamental theories. There is a brilliant idea called the CBH theorem [65], which intends to deduce quantum theory by using three information–theoretic constraints as fundamental axioms: (I) the impossibility of superluminal information transfer, (II) the impossibility of perfect broadcasting of an unknown state, and (III) the impossibility of unconditionally secure BC. The reason for including the last constraint is that Alice’s cheating strategy against BC requires the use of entangled states, as can be seen from Section 2.1 of the current work. That is, the impossibility of unconditionally secure BC entails the existence of non-locality, which is one of the essential feature of quantum theory. However, in the three QBC protocols we previously proposed in refs. [45,46,47], which manage to evade the MLC no-go theorem, non-locality is necessary even for honest participants. This observation implies that, if the constraint (III) is wrong, i.e., unconditionally secure QBC exists, then non-locality is also entailed. For this reason, we tend to believe that the (in)validity of constraint (III) has nothing to do with the existence of non-locality. The latter has to exist in our physical world. To complete the deduction of quantum theory from information–theoretic axioms, we should look for another constraint to replace constraint (III). Nevertheless, the finding of the unconditionally secure QBC protocol in ref. [56] may blur the above picture at first glance. This is because the protocol makes use of infinite-dimensional systems instead of entangled states, so that it seems to indicate that, in addition to non-locality, infinity should also be taken into account as the quantum resources that need to be entailed if we want to build quantum theory completely on top of information–theoretic axioms. Notably, the result in the current work provides a clue to clean this mist. As can be seen from Figure 1, in our implementation of the infinite-dimensional systems, each photon state is divided spatially into two wave packets that travel along different paths, so that non-locality is introduced. Therefore, the current implementation scheme bridges infinity with non-locality, so that non-locality could still be considered as the only quantum resource that guarantees unconditionally secure QBC.