An optical implementation of quantum bit commitment using infinite-dimensional systems

Unconditionally secure quantum bit commitment (QBC) was widely believed to be impossible for more than two decades. But recently, based on an anomalous behavior found in quantum steering, we proposed a QBC protocol which can be unconditionally secure in principle. The protocol requires the use of infinite-dimensional systems, therefore it may seem less feasible in practice. Here we propose a quantum optical method based on Mach-Zehnder interferometer, which gives a very good approximation to such infinite-dimensional systems. Thus, it enables a proof-of-principle experimental implementation of our protocol, which can also serve as a practically secure QBC scheme. Other multi-party cryptographic protocols such as quantum coin tossing can be built upon it too. Our approach also reveals a relationship between infinity and non-locality, which may have an impact on the research of fundamental theories.


I. INTRODUCTION
Quantum cryptography has achieved great success in many fields such as key distribution [1], but there are still other cryptographic problems remain unconquered. Bit commitment (BC) [2] is known to be an essential building block for coin tossing [1], oblivious transfer [3,4], and even more complicated multi-party secure computation protocols [5]. Unfortunately, since 1996, people started to realize that unconditionally secure quantum BC (QBC) is hard to achieve. The cheating strategy against the QBC protocol in Ref. [2] was first proposed in Ref. [6]. Shortly after, it was further asserted that all QBC protocols are not unconditionally secure in principle [7,8]. Later, Refs. [9][10][11][12][13][14] reviewed the original no-go proof, with some examples of insecure protocols given in Refs. [9,13]. Ref. [11] also extended the proof to cover ideal quantum coin tossing (QCT). More examples on how to break some promising BC protocols at that time were provided too [15,16]. Refs. [17][18][19][20] proved the impossibility of some types of BC with slightly different security criterion. Refs. [21][22][23][24][25] gave quantitative studies on the security bounds of QBC, with Ref. [22] focused on the protocol in Ref.
[1] while Refs. [23,24] focused on another class of protocols. A very lengthy proof was first presented in the Heisenberg picture [26], then shortened and rephrased in the Schrödinger picture [27]. The validity of the no-go result was also studied in a world subject to superselection rules [28][29][30] or an epistemic local hidden variable theory [31], as well as for QBC associated with secret parameters [32,33] or secret probability distributions [34], or when the participants are restricted to use Gaussian states and operations only [35]. Refs. [36,37] attempted to deduce the impossibility of QBC from the no-masking theorem. Ref. [38] * Electronic address: hegp@mail.sysu.edu.cn studied the security of BC under the relativistic setting. Other efforts include Refs. [39][40][41][42][43][44], which tried to proved the no-go theorem with alternative approaches. These results, known as the Mayers-Lo-Chau (MLC) no-go theorem, were widely accepted despite of some attempts towards secure QBC (e.g., the references in Refs. [45][46][47][48][49][50][51]), and were considered as putting a serious drawback on the potential of quantum cryptography.
Nevertheless, the cheating strategy in all these no-go proofs is based on the Hughston-Jozsa-Wootters (HJW) theorem [52], a.k.a. the Uhlmann theorem [53,54]. Recently, it was found that in infinite-dimensional systems, there exists a specific form of quantum states to which the HJW theorem does not apply [55]. Based on this finding, we proposed a QBC protocol and proved theoretically that it remains secure against the cheating strategy in the no-go proofs [56]. Therefore, implementing the protocol in practice will be of great significance as it can re-open the venue to many useful multi-party secure computation protocols that was once closed by the MLC no-go theorem.
As pointed out in Ref. [56], since the protocol requires infinite-dimensional systems, the implementation may be very hard if we want to use physical systems with an infinite number of energy levels, because it may imply an infinitely high energy. To circumvent the problem, here we use the arrival time of photons as a trick, so that the infinite-dimensional systems can be realized using simple optical devices. Consequently, the QBC protocol in Ref. [56] can be implemented with Mach-Zehnder (MZ) interferometer, which is within the capability of currently available technology.

II. RESULTS
A. The theoretical description of the protocol Let us begin with a brief review on the definition of BC and the theoretical scheme in Ref. [56]. BC is a two-party cryptography between Alice and Bob, which includes the following phases. In the commit phase, Alice decides the value of the bit b that she wants to commit, and sends Bob a piece of evidence, e.g., some quantum states. Later, in the unveil phase, Alice announces the value of b, and Bob checks it with the evidence. The interval between the commit and unveil phases can be called the holding phase. An unconditionally secure BC protocol needs to be both binding (i.e., Alice cannot change the value of b after the commit phase) and concealing (Bob cannot know b before the unveil phase).
Since whether QBC can be unconditionally secure in principle is a very important theoretical problem, here we only consider the ideal case without transmission errors, detection loss, dark counts, or other practical imperfections. In Ref. [56], the following protocol was proposed.
Our theoretical QBC protocol: The commit phase: (i) Alice decides on the value of b ( b = 0 or 1) that she wants to commit. Then for j = 1 to s: She randomly picks an integer i j ∈ {1, 2, ..., ∞}, and sends Bob a quantum register Ψ j , which is an infinitedimensional system prepared in the state ψ b ij = (|0 + (−1) b |i j )/ √ 2. That is, if b = 0 she randomly picks a state from the set or if b = 1 she randomly picks a state from the set where |0 , |1 , |2 , ... , |i , ... are orthogonal to each other, and n → ∞. Note that in each round, i j is independently chosen, while b remains the same for all j.
The holding phase: (ii) Bob stores these s quantum registers unmeasured. The unveil phase: (iii) Alice announces the values of b and all i j ( j = 1, ..., s).
(iv) Bob tries to project each Ψ j into the state ψ b ij = (|0 + (−1) b |i j )/ √ 2. If the projections are successful for all registers, Bob accepts Alice's commitment. Else if any of the projections fails, Bob concludes that Alice cheated.
The key reason that this protocol can be unconditionally secure, is the specific forms of the states in Eqs. (1) and (2). In general, the cheating strategy in the no-go proofs  can be successful in most QBC protocols using other forms of quantum states for the following reason. Suppose that honest Alice is supposed to send Bob the state ψ ′0 (ψ ′1 ) if she wants to commit b = 0 (b = 1), where ψ ′0 (ψ ′1 ) is picked from a set of states described by the density matrix ρ β 0 (ρ β 1 ). Since an unconditionally secure QBC protocol needs to be concealing against dishonest Bob, there should be so that Bob cannot discriminate the state himself. Then the HJW theorem applies. That is, dishonest Alice can begin the QBC protocol by preparing the system α⊗β in such a state that β alone has density matrix ρ β 0 . Then she skips the measurement in the commit phase so that α and β remain entangled. In the unveil phase, since Eq. (3) is satisfied, according to the HJW theorem there exist two measurements M 0 and M 1 on α, such that if Alice applies M 0 (M 1 ) on α, then β will collapse to a state belonging to the set described by ρ β 0 (ρ β 1 ). Therefore, Alice can unveil b as whatever value she likes in the unveil phase by choosing between the two measurements M 0 and M 1 .
However, in our protocol the two sets of states take the forms in Eqs. (1) and (2). Suppose that dishonest Alice prepares a bipartite system α ⊗ β in the state so that she can cheat using the strategy in the no-go proofs. Here {|α i+ , i = 0, ..., n − 1} is an orthonormal basis of the n-dimensional system α. Let ρ β 0 and ρ β 1 be the density matrices corresponding to the sets ψ 0 i = |φ i+ and ψ 1 i = |φ i− , respectively. As shown in Ref. [55], when n → ∞, Eq. (3) is satisfied, so that it seems to meet the requirement of the HJW theorem. Now let us see what happens if Alice wants to cheat.
Surely, if she wants to unveil b = 0, all she needs is simply to use {|α 1+ , |α 2+ , ..., α (n−1)+ } as the basis of the measurement M 0 , and applies it on her system α, which will make Bob's system β collapse into one of the state in {|φ i+ } so that she can complete the protocol without being caught. Now the question is whether she can unveil b = 1 successfully. According to the HJW theorem, there should exist another measurement M 1 with the basis {|α 1− , |α 2− , ..., α (n−1)− }, such that Eq. (4) can be expressed as so that Alice's measuring α in this basis will make β collapse into a state in {|φ i− }. To find the form of {|α i− }, following Ref. [56], we expand each |φ i+ in Eq. (4) using {|φ i− }, and the result is where and For a given i ∈ {1, ..., n−1}, if Alice can project system α to |α i− , then Eq. (6) shows that system β will collapse to where Multiplying φ i− | by Eq. (10), we have In the limit n → ∞, φ i− can be arbitrarily close to |φ i− . Thus, we know that |α i− is the form of {|α i− } that we are looking for. Nevertheless, by taking the limit n → ∞ in Eq. (9), we find Consequently, if Alice wants to collapse β into a state in {|φ i− } so that she can unveil b = 1 successfully, then the corresponding measurement M 1 is to measure α in the basis {− |α 1+ , − |α 2+ , ..., − α (n−1)+ }. Since the global negative sign before the state vectors has no physical meaning, the bases of the "two" measurements M 0 and M 1 are actually the same. Consequently, Alice no longer has the freedom to choose between two different measurements to alter the value of her committed bit b.
Thus the cheating strategy in the no-go proofs fails in our protocol. Please see Ref. [56] for the complete security proof.

B. The experimental implementation
Ref. [56] was devoted to the problem of whether unconditionally secure QBC is allowed in principle. Thus, it only provided a theoretical description of the protocol without considering the implementation. To realize the protocol, the most important point is to find a feasible implementation of the infinite-dimensional systems. Here we propose a trick to implement the infinite-dimensional system in each round of the protocol using a single photon only. The experimental apparatus is illustrated in Fig. 1. In each of the s rounds of step (i) of the protocol, Alice sends a single photon either from the source S 0 (for sending ψ 0 i ) or S 1 (for sending ψ 1 i ), then splits it into two wave packets |x and |y by the 50:50 non-polarizing beam splitter BS A . |x is sent directly to Bob via path X while |y is delayed by the storage ring SR A (which introduces a delay time τ chosen by Alice secretly) before sending via path Y . At Bob's site, |x is delayed by the storage rings SR x and SR B . |y is delayed by the storage ring SR y which is identical to SR x so that they introduce the same amount of delay time, then meets |x at the 50:50 beam splitter BS B and interferes. We can see that when the delay times caused by SR A and SR B are tuned equal, the complete apparatus forms a balanced MZ interferometer, so that ψ 0 i (ψ 1 i ) will make the detector D 0 (D 1 ) click with certainty in principle.
Before running the protocol, Bob should setup another set of devices at his own site as a reference, which is completely identical to that of Alice's. By sending photons using this reference set and monitoring his detectors D 0 and D 1 , he can estimate the error rate ε of the whole system, i.e., the probability that the photon ψ 0 i (ψ 1 i ) sent from the source S 0 (S 1 ) will mistakenly make the detector D 1 (D 0 ) click or simply get lost. For better performance, if the distance between Alice and Bob is very long, paths X and Y in Fig. 1 should be implemented using optical fibers, instead of letting the photons travel through free space. Meanwhile, Bob should also have optical fibers of the same length in his reference set, and place them in an environment (e.g., temperature, humidity, etc.) similar to that of the optical fibers placed between Alice and Bob in the actual set. The purpose is to ensure that the error rate ε that Bob learns from his reference set is very close to the one in the actual set. After obtaining ε all by himself, Bob runs the following experimental protocol with Alice.
Our experimental QBC protocol: The commit phase: (i) Alice and Bob agree on a maximum delay time τ max and the sending times t j ( j = 1, ..., s) with t 1 < t 2 < ... < t s and τ max < t j − t j−1 ( j = 2, ..., s). Then Alice decides on the value of b ( b = 0 or 1) that she wants to commit, and for j = 1 to s: Alice randomly picks τ j ∈ [0, τ max ], and sets the delay time of her storing ring SR A as τ j . Then she sends Bob a photon Ψ j from the source S b at time t j .
Note that in each round, τ j is independently chosen, while b remains the same for all j.
The holding phase: (ii) Bob stores the wave packets of each photon in SR x and SR y unmeasured.
(iv) For j = 1 to s: Bob sets the delay time of his storing ring SR B as τ j . Then he releases the wave packets of photon Ψ j from SR x and SR y and directs them into his part of the MZ interferometer (as presented in the green dash-dot box at the right-hand side of Fig. 1).
If there are totally about (1−ε)s photons (see Appendix A for the tolerable range of statistical deviations) detected by D b instead of Db then Bob accepts Alice's commitment. Otherwise Bob concludes that Alice cheated.

C. The relationship between the two protocols
Now we show that in principle, the above experimental protocol is a faithful implementation of the theoretical one. In the experimental protocol, following the occupation number representation widely used in quantum optics [57], at time t if there is a wave packet of a photon on path X and no wave packet on path Y , the state can be denoted by |1 X |0 Y . Or if there is a wave packet on path Y and no wave packet on path X, the state can be denoted by |0 X |1 Y . To make the time t more explicit, let us write them as |t X |0 Y and |0 X |t Y , respectively. That is, we use the symbol t in |... to denote the time that the wave packet of a single photon presents in the path, instead of the number of photons; and |0 means that no wave packet is presented in the path at any time. Obviously, the state |t P is orthogonal to |t ′ P (P = X, Y ) for any t = t ′ and they are all orthogonal to |0 P . For simplicity, suppose that except for SR A , SR B , SR x , and SR y , the time for the photon to travel through all other devices in Fig. 1 is negligible. Under this formalism, when Alice sends the photon Ψ j (j = 1, ..., s) from the source S b at time t j , the initial state of Ψ j after passing BS A is After passing SR A which introduces the delay time τ j to path Y , the state of Ψ j that left Alice's site is In the unveil phase when Bob learns Alice's delay time τ j and sets SR B accordingly, the final state of the photon Ψ j arriving at BS B after passing SR x , SR y and SR B is where τ hold is the length of the time that Ψ j was stored in SR x and SR y , and Meanwhile, when combined with BS B , the detectors D 0 and D 1 serve as the projective operators P 0 ≡ |ψ 0 ψ| 0 (18) and respectively, where and with t B denoting the time that Bob applies the measurement. Therefore, if Bob takes t B = t ′ j , then in the ideal case where the error rate ε is negligible, the detector D b should click with certainty where b is Alice's committed bit. Otherwise he knows that Alice cheated.
To see that the above presentation of the states is equivalent to that in our theoretical QBC protocol, let us view the time range [0, τ max ] (within which Alice picks her delay time τ j ) as a series of time slots T 1 , T 2 , ..., T i , ..., T n−1 . Here 0 ≤ T i ≤ τ max (i = 1, ..., n − 1), and T i = T i ′ for any i = i ′ . When time can be treated as a continuous variable, there is an infinite number of choices for T i , i.e., n → ∞. Now for each Ψ j (j = 1, ..., s), let us define and |i ≡ |0 X |t j + T i Y .
It is easy to verify that i ′ |i = δ i ′ i . That is, a single photon Ψ j can be treated as an n-dimensional system, with {|i , i = 0, ..., n − 1} being an orthonormal basis. With these newly defined |0 and |i , we can see that in the experimental protocol, when Alice chooses the delay time as τ j = T i (i ∈ {1, ..., n − 1}), Eq. (15) can be rewritten as This is exactly the state that Alice sends in step (i) of the theoretical protocol for committing the bit b, as shown by Eqs.
(1) and (2). Thus, it is proven that our proposed experimental protocol is equivalent to the theoretical one in principle, so that the security proof in Ref. [56] also applies. Consequently, the experimental protocol is secure as long as time can be treated as a continuous variable so that the condition n → ∞ can be reached.

D. Feasibility
The experimental apparatus shown in Fig. 1 is much the same as those of the quantum key distribution (QKD) and quantum private query protocols in Refs. [57][58][59]. The only difference is that our protocol requires two more storage rings SR x and SR y . The QKD protocol in Ref. [57] was already realized experimentally in Ref. [60]. By comparing our apparatus with Fig. 1 of Ref. [60], we can see that the technology in Ref. [60] is sufficient for implementing our protocol too. Detailed description of the actual experimental devices can be found in Section III of Ref. [60].
An important part of the implementation is to find storage rings SR x and SR y with a sufficiently long delay time, because they determine the holding time (the time interval between the commit phase and the unveil phase) of the protocol. Using 150km optical fiber (which was proven to be able to guarantee sufficiently high key rate for QKD in practice) to make the storage ring can generate about 500µs delay time. While such a holding time seems short, it is already sufficient for practical applications such as quantum coin tossing, as shown in Appendix B.

E. Practical difficulties
The security of the practical implementation of the protocol, however, is limited by two difficulties. (1) The length of the classical communications between Alice and Bob has to remain finite, so that Alice cannot announce the delay times τ j (j = 1, ..., s) with an unlimited number of digits. (2) The delay time of the storage rings SR A and SR B cannot be adjusted to an unlimited precision either, so that Alice and Bob cannot set τ j precisely to any desired value. Consequently, the number of choices for the time slots T i in Eq. (23) (from which τ j can be picked) cannot really go to infinite. Instead, when the above two difficulties limit the precision of time control to ∆τ , the number of time slots within the range [0, τ max ] is n = τ max /∆τ + 1. (25) Therefore, the quantum optical method in Section II B actually implements finite n-dimensional systems, instead of infinite-dimensional ones. That is, though the two protocols are equivalent in principle, in practice the experimental scheme is not a faithful implementation of our theoretical protocol in Section II A. Thus, it cannot be as secure as the latter. Nevertheless, making use of this limitation for cheating is technically challenging too. Suppose that Alice and Bob know the value of ∆τ and therefore know the actual finite n. According to Section 5 of Ref. [56], if Alice wants to cheat, she needs to have the technology to prepare entangled states in the form of Eq. (4) in the commit phase, which is the quantum superposition of n different states. Moreover, later in the unveil phase when she measures system α to complete her cheating, she needs to discriminate her measurement result between |α i+ and |α i− , where the latter is defined by Eq. (9). multiplying α i+ | by it and we yield (i.e., Eq. (3.10) of Ref. [56]). In our experimental protocol, suppose that the storage rings can achieve a precision of ∆τ = 300ps; then for τ max = 500µs, there is n ≃ 1.67 × 10 6 . We can see that | α i+ |α i− | 2 is so close to 1, that even a tiny bit of noise and error in Alice's experimental devices (which is inevitable in practice) could make the discrimination between |α i+ and |α i− impossible. On the other hand, if Bob is dishonest and wants to learn the committed bit b before the unveil phase, according to Section 7 of Ref. [56] he needs to be capable of discriminating the two density matrices ρ β 0 = ρ ⊗s + and ρ β 1 = ρ ⊗s − where the trace distance between ρ + and ρ − is (i.e., Eq. (3.1) of Ref. [56]). Again, in the practical setting, such a tiny difference between the states could be completely drown by the noise and error in the experimental devices. Therefore, even with the limited n value achievable today, the experimental protocol in Section II B can at least be used as a practically secure (instead of unconditionally secure) QBC scheme, or serve as a proofof-principle implementation of the theoretical protocol in Section II A.

III. DISCUSSION
In summary, we showed that as long as time can be treated as a continuous variable, then each infinitedimensional system in the unconditionally secure QBC protocol proposed in Ref. [56] can be realized using a single photon. Thus we obtained an experimental implementation of this QBC protocol which is feasible under currently available technology. Other "post-cold-war era" multi-party cryptographic protocols are therefore made possible too, e.g., quantum coin tossing, as elaborated in Appendix B.
The dimension of the systems cannot really be infinite in practice though, making the current experimental implementation a practically secure QBC only. But it still has an advantage over many other practically secure QBC protocols (e.g., Refs. [61][62][63]). While these protocols could be more feasible than ours in practice, their security is based on certain practical limitations. For example, currently available quantum memory cannot store the quantum states for a long period of time, so that as long as the holding phase of the protocol is longer than this period of time, we can be sure that Alice can no longer cheat by storing the states and delay the measurement until the unveil phase. But as technology advances, the storage time of quantum memory will increase, making it harder and harder to keep the corresponding protocol secure. On the contrary, the security of our experimental protocol is based on the unconditionally secure theoretical protocol in Ref. [56]. Practical limitation is the reason that weakens its security so that it can be practically secure only, not the reason that makes it secure. Therefore, with the advance of the technology on the precision of the delay time adjustment, we can expect the security of this experimental protocol to be constantly improved towards that of the theoretical protocol in Ref. [56]. Meanwhile, it is also worth studying whether some new technologies can be adopted to implement the infinite-dimensional systems to make our protocol even more feasible, e.g., the continuous phase noise resulting from gain switching laser operation [64].
Our result may also contributes to the development of fundamental theories. There is a brilliant idea called the CBH theorem [65], which intents to deduce quantum theory by using three information-theoretic constraints as fundamental axioms. (I) the impossibility of superluminal information transfer, (II) the impossibility of perfectly broadcasting of an unknown state, and (III) the impossibility of unconditionally secure BC. The reason for including the last constraint, is that Alice's cheating strategy against BC requires the use of entangled states, as can be seen from Section II A of the current work. That is, the impossibility of unconditionally secure BC entails the existence of non-locality, which is one of the essential feature of quantum theory. However, in the three QBC protocols we previously proposed in Refs. [45][46][47] which manage to evade the MLC no-go theorem, nonlocality is necessary even for honest participants. This observation implies that if the constraint (III) is wrong, i.e., unconditionally secure QBC exists, then non-locality is also entailed. For this reason, we tend to believe that the (in)validity of the constraint (III) has nothing to do with the existence of non-locality. The latter has to exist in our physical world anyway. To complete the deduction of quantum theory from information-theoretic axioms, we should look for another constraint to replace constraint (III). Nevertheless, the finding of the unconditionally secure QBC protocol in Ref. [56] may blur the above picture at first glance. This is because the protocol makes use of infinite-dimensional systems instead of entangled states, so that it seems to indicate that besides non-locality, infinity should also be taken into account as the quantum resources that need to be entailed if we want to build quantum theory completely on top of information-theoretic axioms. But the result in the current work provides a clue to clean this mist. As can be seen from Fig. 1, in our implementation of the infinitedimensional systems, each photon state is divided spatially into two wave packets that travel along different paths, so that non-locality is introduced. Therefore, the current implementation scheme bridges infinity with nonlocality, so that non-locality could still be considered as the only quantum resource that guarantees unconditionally secure QBC. In the last step of our experimental QBC protocol, Bob is supposed to find (1 − ε)s photons detected by D b instead of Db when Alice is honest. But since ε is only the statistical average of the error rate of the experimental apparatus, Bob cannot expect to find exactly (1 − ε)s photons detected correctly. A certain range of statistical deviations has to be allowed. Now let us estimate the size of this range.
According to Theorem 3.3 of Ref.
[2] (which is based on Bernshtein's law of large numbers), when each of the s photons stands the probability p = (1 − ε) to make the correct detector D b click, for arbitrarily small positive value δ ≤ p(1−p), the probability for the case |s ′ /s − p| ≥ δ to occur satisfies Here s ′ denotes the actual number of photons being detected correctly in a complete run of the protocol. This inequality means that s ′ should be within the range [(1 − ε)s − δs, (1 − ε)s + δs], except with a probability 2e −sδ 2 at the most. For example, when s = 10000, ε = 10% and δ = 5%, we have 2e −sδ 2 ≃ 2.8 × 10 −11 , which is extremely small. As a result, the number of photons that are actually detected by Bob's D b should be within the range [8500, 9500], otherwise he can confidently conclude that Alice is dishonest.

Appendix B: Quantum coin tossing as an application
Although the holding time of our QBC protocol may look short even with state-of-the-art optical delay devices, it is sufficient for some practical applications. Here, as an example, we will show how quantum coin tossing (QCT, a.k.a. quantum coin flipping) [1] can be realized.
The goal of QCT is to provide a method for two separated parties Alice and Bob to generate a random bit value c = 0 or 1 remotely, while they do not trust each other. If the parties have opposite desired values, e.g., Alice wants c = 0 while Bob wants c = 1, then it is called weak QCT. Or if their desired values are random, then it is called strong QCT. Here we focus on strong QCT. Such a protocol is considered secure if neither party can bias the outcome, so that c = 0 and c = 1 will occur with the equal probabilities 1/2, just as if they are tossing an ideal fair coin. Possible application scenario of QCT may include the case where divorced and separated couples, who want to decide how to divide their property through telephone. Other more complicated applications such as online gambling can be constructed through it too.
Strong QCT with an arbitrarily small bias was also considered a hard task if unconditionally secure QBC is impossible [11]. But when QBC becomes available, QCT can easily be built upon it as follows.
Strong QCT protocol: (I) Alice and Bob complete the commit phase of our QBC protocol, where Alice picks the value of her committed bit b randomly.
(II) During the holding phase, Bob picks a random bit x and announces it to Alice through the classical channel.
(III) Alice and Bob complete the unveil phase of our QBC protocol. That is, Alice unveils her committed bit b, and Bob checks whether she is honest or not.
(IV) Both Alice and Bob accept y ≡ b ⊕ x as the coin tossing result.
It is trivial to show that if the QBC protocol is secure (i.e., Alice cannot change b after the commit phase, and Bob cannot know b before the unveil phase), then the value of the final tossing result y is completely random. Neither Alice nor Bob can bias it to any specific value.
In this example, the commit and unveil phases of the QBC protocol are separated merely by step (II), where only one classical bit x is transferred. Bob can decide the value of x beforehand but keep it secret from Alice during step (I). Then step (II) can be performed automatically under the control of classical computers, which can be done very fast. Therefore, the holding time in our QBC protocol is already long enough for such operations, so that it can result in a useful QCT protocol in practice.