Practical Quantum Bit Commitment Protocol Based on Quantum Oblivious Transfer

: Oblivious transfer (OT) and bit commitment (BC) are two-party cryptographic protocols which play crucial roles in the construction of various cryptographic protocols. We propose three practical quantum cryptographic protocols in this paper. We ﬁrst construct a practical quantum random oblivious transfer (R-OT) protocol based on the fact that non-orthogonal states cannot be reliably distinguished. Then, we construct a fault-tolerant one-out-of-two oblivious transfer ( OT 21 ) protocol based on the quantum R-OT protocol. Afterwards, we propose a quantum bit commitment (QBC) protocol which executes the fault-tolerant OT 21 several times. Mayers, Lo and Chau (MLC) no-go theorem proves that QBC protocol cannot be unconditionally secure. However, we ﬁnd that computing the unitary transformation of no-go theorem attack needs so many resources that it is not realistically implementable. We give a deﬁnition of physical security for QBC protocols and prove that the practical QBC we proposed is physically secure and can be implemented in the real world.


Introduction
Quantum oblivious transfer (QOT) and quantum bit commitment (QBC) protocols are basic in quantum cryptography. They are important building blocks of multi-party secure computations. The study of QOT was started by Crépeau and Kilian [1]. In 1992, a practical QOT protocol was proposed [2]. However, in these two protocols, if Bob measures the pulses after Alice disclosing the basis, he will get both messages and Alice's privacy will be destroyed. In the light of this drawback, Crépeau proposed a QOT protocol [3] based on a QBC scheme [4] to ensure that Bob cannot delay his measurement. Then, Yao proved that QOT constructed based on QBC [5] is secure. Shortly afterwards, Mayers, Lo and Chau separately presented no-go theorem and proved that there is no non-interactive QBC protocol with statistical security [6][7][8][9]. Subsequently, a great number of works that extend the framework of no-go theorem and further prove the impossibility of the standard QBC has been presented since Then, [10][11][12][13][14][15][16]. These results indicate that QOT protocols constructed based on QBC are not secure either. Then, quantum secure computations are also considered to be insecure [17][18][19][20].
Researchers Then, attempt to construct QBC protocols that can evade the no-go theorem. The most famous ones are relativistic QBC protocols, which were first proposed by Kent [21][22][23][24]. The protocol in Ref. [23] was implemented by different groups [25,26]. The time during commit phase and opening phase is limited by the distance between the trusted agents, which may be a restriction for building other multi-party cryptographic protocols. In addition, some QBC with computational security were proposed. Unconditionally binding and computationally concealing QBC schemes were presented by Tanaka [27] and Chailloux [28], respectively, and in 2016, another computationally binding commitment scheme was proposed and it can be realized from hash functions like SHA-3 [29]. The security of these QBC protocols depends on the limited computing power of the adversary. Once the computing power is improved in the future, the security of these protocols are threatened. Several QBC protocols were proposed based on physical hypothesis, such as bounded-quantum-storage model [30,31], noisy-storage model [32][33][34] and technological limitations on non-demolition measurements [35], the security of these protocols is threatened by the development of techniques. Some QBC schemes with security requirements relaxed were put forward, such as cheat-sensitive QBC [36][37][38][39] and game theoretic secure QBC [40]. There are also some non-relativistic QBC schemes which are claimed to be unconditionally secure [41][42][43][44][45][46]. However, most of them only exist theoretically. For example, in Ref. [43] Bob stores the quantum registers unmeasured until opening phase, which can be hardly implemented in practice.
In this paper, we do not devote to evading the no-go theorem. We give the definition of physical security. As long as the physical security is satisfied, even the attacker who ownes all the resources of the earth cannot break the protocol. The physical security was first proposed in Ref. [47]. The time complexity of no-go theorem attack algorithm is O(2 3n ), where n is the security parameter of the QBC. In addition this algorithm needs at least O(2 2n ) size of memory space to store the matrix of the unitary transformation. We define that if the entry number of the attack matrix is greater than the total number of protons on the earth (approximately 10 50 ), QBC achieves physical-secure binding. It means when n > 83, no-go theorem attack can hardly be realized in practice. Compared with those QBC schemes based on physical hypothesis, the definition of physical security limits the attacker with all the resources of the earth. QBC protocols that achieve physical security are more secure than other protocols based on physical hypothesis. In this paper, we focus on how to construct practical quantum protocols with physical security.
In [48], Yang constructed QBC based on QOT. We modify the protocols so that it can be applied in practice and achieve physical security. The imperfect sources, quantum channel and detectors are all allowed in the modified protocols. Considering error-correcting code and tolerable error rate, we describe the protocols in detail and analyze the security and problems we may face in practice.
The practical QBC protocol proposed in this paper has advantages over many existing protocols. Compared with the relativistic QBC protocols, the time between commit phase and opening phase is not limited in our scheme. Compared with the computationally secure protocols and QBC based on physical hypothesis, the physical security of our scheme will not be threatened by the growing computing power and techniques. Compared with those theoretical protocols, our schemes allow the imperfect equipment and can be implemented in the real world. The QBC protocols in Refs. [47,48] are also theoretical. The security analysis of these theoretical protocols is based on the ideal world rather than the real world. Therefore, these theoretical protocols which are not fault-tolerant cannot achieve the security they declared and cannot be realized in the real world. Our practical quantum cryptographic protocols, which are allowing the imperfection of current optoelectronic apparatus, provide appropriate security parameters and security analysis in the practical conditions. In sum, the practical QBC protocol achieves physical security and can be possible realized. Since the selection of security parameters and security analysis are based on available optoelectronic apparatus, the implement and security of the protocols are more practical and reliable.

The Efficiency and Errors of Practical Apparatuses
In practical protocols, all apparatuses should be realizable and convenient. All the apparatuses in the protocols are divided into three types: emission apparatuses, channel and detection apparatuses. In a practical protocol, the following situations should be considered.

•
Emission apparatuses. The practical and efficient single-photon sources have not yet been realized, while some researchers have been studying the spectra [49] and efficiency [50] of the single-photon sources. In this paper, the single-photon sources are not adopted. Instead, we use weak coherent pulses with typical average photon number of µ S in the following protocols, which can be easily prepared by standard semiconductor lasers and calibrated attenuators [51]. The error rate caused by the emission apparatuses is denoted as ε S . A pulse is requested to contain only one kind of polarization, but more than one photon in a pulse are allowed.

•
Channel loss and error. The existence of the channel loss leads to an imperfect transfer efficiency, and the noise in the channel leads to some channel error. Suppose the transfer efficiency of the channel is η C , the error rate caused by the channel is ε C . Refs. [52,53] provided the physical setups and detailed properties of some kinds of quantum channels. • Detection apparatuses. In practice there is no detector with perfect detection efficiency. The quantum efficiency η D is the probability that the detector registers a count when one photon comes in, and the error rate caused by the detection apparatuses is ε D , where the main error source is the dark count d. The single-photon detectors with high efficiency, like 80-93% have been realized in the laboratory [54,55]. Assume all the parameters described above are all known by both parities of the protocol, and the typical average photon number of the whole system is µ ≡ µ S η C η D . Then, the overall error rate is

Practical Weak QOT and QBC
Definition 1. Random Oblivious Transfer (R-OT) Channel. Alice sends a random bit r to Bob via a channel, if 1. Bob obtains the bit value r with a probability p satisfying 0 < b < p < a, a < 1 2 , where a and b are any two real numbers; 2. Alice does not know whether Bob has got the value of her bit.
Then, the channel is named as R-OT channel (an extended Rabin's OT channel).
To construct a quantum string R-OT protocol, non-orthogonal states are used. There is no measuring apparatus that can distinguish non-orthogonal states with certainty. Only some probabilistic information can be obtained. Let Bob measure a sequence of photons in two quantum states |Ψ 0 , |Ψ 1 , where Ψ 0 |Ψ 1 = cos ϕ. Here we choose ϕ = π 6 . The quantity of the information Bob obtains depends on the measurement he performs. The optimal measurement can differentiate the two non-orthogonal states with a probability of 1 − cos ϕ [56][57][58], which is a kind of POVM measurement. Actually, the complicated measurement is not necessary. Even if we construct the protocol with the sub-optimal measurement, the security of the protocols can still be ensured, which will be analyzed in detail in Section 4. Through all of the measurements, we choose the most practical and easiest one. That is, Bob measures photons in two bases, When the states is |Ψ 0 , the measurement results may be |Ψ 0 , |Ψ 1 or |Ψ 1 ⊥ . When the states is |Ψ 1 , the measurement results may be |Ψ 1 , |Ψ 0 or |Ψ 0 ⊥ . It can be seen that if Bob's measurement results in |Ψ x , he cannot distinguish which state is sent by Alice. If his measurement results in |Ψ x ⊥ , which is orthogonal to |Ψ x , the initial state cannot be |Ψ x and therefore is |Ψ x⊕1 . In this sub-optimal measurement, although Bob cannot distinguish the non-orthogonal states with 100%, he unambiguously knows that the receiving state must be |Ψ x⊕1 when his measurement results in |Ψ x ⊥ . Ideally, the probability of getting a conclusive result is Protocol 1. Practical weak quantum R-OT protocol.
1. Alice and Bob agree on three security parameters, N, α, and ε set . The parameter N is the length of the qubit string sent by Alice. The parameter α is the expected fraction of Bob's successful detection. The parameter ε set is the expected error rate. The number of photons in a weak coherent pulse with typical average photon number of µ S follows Poisson distribution p n (µ S ) = e −µ S µ n S n! . It can be seen that the probability of no photon in a pulse is p 0 (µ S ) = e −µ S . Then, the probability of detecting at least one photons in a pulse with typical average photon number µ S through a channel with transfer efficiency η C by a detector with quantum efficiency η D is 1 − e −µ . They can set the fraction α 1 − e −µ which is the probability that Alice expects Bob to detect successfully and set error rate ε set ε or a little bit higher to allow other noise. The parameters satisfy the equation to resist photon number splitting attack [2]. 2. Alice and Bob perform two tests.
Firstly, compare Alice's sending time t i with Bob's receiving time t i for each pulse. Since the distance between Alice and Bob is fixed, by the test they can easily get the traveling time θ, i.e., θ = t i − t i . This test not only marks the address of each pulse, but also helps to distinguish the error caused by noises and dark counts. Secondly, Alice sends a sequence of pulses through the quantum channel and tells Bob the bases of the pulses through a classical channel. Bob detects pulses in the other bases. If and only if Bob detects the pulses successfully with a probability greater than α and an error rate less than ε set , he agrees to continue the protocol. Otherwise, they take counsel together to adjust the parameter α or ε set . 3. Alice generates a random bit string (r 1 , ..., r N ) ∈ {0, 1} N , and sends qubit string |Ψ r 1 , . . . , |Ψ r N to Bob.
She also tells Bob the sending time t i of each pulse through the classical channel. 4. Bob records the receiving time t i of each pulse and compares with the sending time. If and only if t i = t i + θ, he admits |Ψ r i as a receiving pulse. He chooses B 0 or B 1 randomly to measure each receiving pulse. For these receiving pulses, when his measurement results in state |Ψ x ⊥ , he accepts the pulse as a conclusive pulse and takes the bit value of this pulse as x ⊕ 1.

The parameters are agreed by Alice and Bob. After
Step 1-4, if the number of the effective pulses detected by Bob is not approximately equal to αN, Bob has the right to abort the protocol. This step is a verification for the malicious Alice.
We regard Protocol 1 as a weak R-OT because it is similar to standard R-OT. But it is weaker in security when dishonest Alice sends different states, which will be explained in Section 4.2. Then, we construct a weak quantum OT 2 1 protocol based on R-OT protocol, the equivalence of R-OT and OT 2 1 has been proved in [59].
1. Alice and Bob execute Protocol 1 and an error correcting scheme. Denote Bob's probability of getting a conclusive bit as p con (µ). After Protocol 1, if the number of Bob's conclusive bits is not approximately equal to N p con (µ), he regards Alice as a malicious party and aborts the protocol. If Bob agrees to continue, they decide on a security parameter k according to an error correcting scheme and the probability p con (µ). The values of k are analyzed in Section 4 and listed in Table 1. 2. The error correcting scheme is applied to αN bits words with expected error rate ε set , which is non-uniqueness. The following is only an example of this kind of scheme, which is based on (63, 57, 3) Hamming code. There are k bits in sets I and J after the process of error correction, respectively. Let l obt denotes the number of the bits in I or J before error correction. Alice divides two sequences of l obt bits into 63-bit blocks and performs the wire link permutation W on it. When l obt = 63 l obt 63 − ∆, ∆ bits of the block in front should be added to the last block. Then, calculate the syndromes s A i and discard the check bits of each block. Repeat above operations four times and send these syndromes to Bob. Bob divides his l obt bits into 63-bit blocks and performs the wire link permutation W on it. When l obt = 63 l obt 63 − ∆, ∆ bits of the block in front should be added to the last block. For each round, he calculates the syndromes s B i and s i = s A i ⊕ s B i . Correct the error in each block and discard all check bits. After error correction, assume the error rate reduces to ε 1 .
3. Bob discards all check bits and selects from the remaining bits to obtain two sets I and J, where I = {i 1 , . . . , i k } and J = {j 1 , . . . , j k } with I ∩ J = ∅. The k bits r i 1 , . . . , r i k are chosen from the conclusive bits. In case the conclusive bits in Bob's hand are a little less than k, he adds some random bits. 4. Bob chooses a random bit m. If m = 0, he sends {X, Y} = {I, J} to Alice. Otherwise, he sends {X, Y} = {J, I}. 5. After receiving (X, Y), Alice encrypts her messages b 0 and b 1 with r i , Then, Alice sends c 0 , c 1 to Bob. 6. Bob calculates ⊕ i∈I r i and decrypts c m to obtain b m .
According to the error correcting scheme, the relation between the parameters k and l obt is Suppose the error rate of each bit in Protocol 1 is ε 1 = 0.3%, which is a general value in practice. After error correction, the error rate can be reduced to ε 1 = 0.0757% [60]. As long as there is one bit error in key used in the decryption algorithm, Bob cannot obtain b m in Protocol 2. The error rate of Protocol 2 is ε 2 . The relation of ε 2 and ε 1 is When ε 1 = 0.0757%, the values of ε 2 changing with the parameter k are shown in Figure 1. Protocol 2 is different from standard QOT since Alice may not transfer a correct message to Bob. If we set the upper bound of the error rate as 20%, the parameter k should be less than 295 according to Equation (3).
Then, we can construct a quantum bit commitment protocol by executing the quantum OT 2 1 protocol l times as follows. Opening phase:

Bob verifies whether {b
. . l} and those conclusive bits in J. If the consistency holds more than 80% of l rounds, he admits Alice's commitment value as b. Otherwise, he regards Alice as a malicious party and aborts the protocol.
In practice, the physical system and the coded bit string in OT protocols unavoidably have some errors. In Section 3, assume ε 1 = 0.3%, k ≤ 295, the error rate of OT 2 1 can be less than 20%. But it does not impact the construction of a BC protocol.

The Security of QOT
A standard OT 2 1 scheme satisfies the following requirements. The aim of our QOT is to construct a practical QBC. Therefore, the correctness of the QOT protocols is not necessary. To detect a cheating Alice, suppose the probability that an honest Bob cannot get a correct message is less than 20%. Execute Protocol 2 l times to construct QBC scheme. If and only if there are less than 0.2l rounds where Alice does not disclose the consistent results, Bob admits Alice's commitment.
For the security of OT 2 1 protocol, He [61] has proved that the OT 2 1 protocol implemented upon all-or-nothing OT is not covered by the cheating strategy in Ref. [17]. Therefore, the following security analysis of OT 2 1 does not contain the attack of entangled states.

Privacy for Alice
The operations executed by Bob in Protocol 2 include measuring the states sent by Alice, selecting the elements in Set I and J. Then, sending X, Y to Alice, decrypting the ciphertext c 0 or c 1 . It can be seen that only in the measurement, he can cheat and take a more superior measurement to obtain more conclusive results, which may lead him to get both b 0 and b 1 . We analyze the probabilities of getting a conclusive bit for the honest Bob and the malicious Bob in order to determine the security parameters in the practical protocols. n . Therefore, the probability of getting a conclusive resulting in a pulse which contains n photons is The probability of getting a conclusive bit in a pulse with the typical average photon number µ is It can be seen that an honest Bob is supposed to obtain N p con (µ) conclusive bits. The probability of getting a conclusive bit in one pulse with different µ can be seen in Figure 2. The larger µ S of emission apparatus and more efficient detector they use, the higher efficiency the protocol has.

Analysis on the Probability of Getting a Conclusive Bit for Malicious Bob
Assume that the malicious Bob has the ability of separating n photons by photon number splitting attack. For a single photon, the successful probability of optimal measurement to distinguish the two non-orthogonal states is 1 − cosϕ, which has been proved in Refs. [56][57][58]. For n photons, a malicious Bob's probability of distinguishing the non-orthogonal sates is Then, a malicious Bob using photon number splitting attack and optimal measurement for single-photon can get a conclusive bit with the probability of Here we consider that the malicious Bob has an ideal detector, the quantum efficient η D of which is 100%. Thus, µ = µ S η C = µ η D . Assume that the protocols are executed over atmospheric channel, the quantum efficiency η D of an honest Bob's detector is 80% and this kind of detector has already been realized in the laboratory [54,55]. The cheating Bob's probability of getting a conclusive bit is which can be seen in Figure 3. A malicious Bob can get about [1 − e − 5µ 4 (1− √ 3 Figure 3. The probability that a malicious Bob gets a conclusive bit changing with µ.

Contrastive Analysis and Determination of the Parameters in Practical Protocols
If a malicious Bob wants to obtain both b 0 and b 1 in Protocol 2, he must get at least 2k conclusive bits in Protocol 1. The difference between an honest Bob's probability of obtaining a conclusive bit and half of a malicious Bob's probability of obtaining a conclusive bit is p di f f (µ) = p con (µ) − 1 2 p con (µ), which can be seen in Figure 4. When µ = 4.85, the difference p di f f (µ) takes a maximum value 0.0732. The probability of obtaining i conclusive bits is p obt , which is referred to the binomial distribution and shown in Figure 5. Suppose the probability of the case where the number of conclusive bits obtained by an honest Bob is no more than l obt is p 1 , and the probability of the case where the number of conclusive bits obtained by a malicious Bob is no less than 2l obt is p 2 . Then, To ensure that the honest Bob obtains one correct message in Protocol 2 and the malicious Bob cannot obtain both b 0 and b 1 , p 1 and p 2 should be small enough.
The probability that an honest Bob cannot execute Protocol 2 successfully is p, To detect a cheating Alice, p should be less than 20%. Given an error rate ε 2 , p 1 has an upper bound p 1t to ensure p ≤ 20%. To ensure the concealing of the BC protocol, p 2 is set up with a magnitude of 10 −6 .
When µ is too low, the difference between the probability of obtaining a conclusive bit by an honest and a malicious Bob is not large enough to select the proper parameters. When µ is too large, the proper k is large, which will lead to a large ε 2 . Then, there is no proper parameters either. It can be seen from Table 1 that when 2 ≤ µ ≤ 6, we can always find the proper parameters to execute the protocols successfully. with B 1 , the probability that at least one of the photons of |n π 2 collapse to the state with polarization of 2π 3 is 1 − ( 1 4 ) n . According to Equation (5), the probability of choosing the basis B 1 and getting a conclusive bit in a pulse is When Bob chooses the measurement basis B 0 to detect the fake pulse, if there is only one photon in the pulse, the probability that he accepts it as conclusive pulse is 100%. The probability of choosing the basis B 0 and getting a conclusive bit in a pulse is Therefore, when Alice replaces one of the pulses with |Ψ 0 ⊥ , the average probability of Bob getting a conclusive result is Consequently, Bob accepts the fake pulse as a conclusive result with a larger probability of p (i) than the situation where Alice is honest. In the following, we will analyze that although the cheating Alice has a larger probability to know Bob's choice m, she still has no idea what is got by Bob. In standard OT 2 1 , if Alice has a probability larger than the legal threshold of knowing Bob's choice, she breaks Bob's privacy. In this paper, Protocol 2 is the block of constructing QBC. The security that requests Alice cannot know what is obtained by Bob is enough. It can be seen that the security is weaker than the standard OT 2 1 . Therefore, we call it weak quantum OT 2 1 , and Alice attacking the weak OT 2 1 successfully means that she knows the content of the message obtained by Bob. Protocol 2 is a fault-tolerant quantum OT 2 1 scheme with p ≤ 20%. When Bob does not get the correct message with a probability of p, whether Alice attacks successfully cannot be defined. Then, consider Alice's attack in the condition that Bob gets the correct message. When Alice replaces one of the pulses (|Ψ r c ) with |Ψ 0 ⊥ instead, the index of the fake pulse may be in Set I, J, or neither in I nor J. If Alice does not see the index c in Set X or Y, she randomly guesses which message Bob obtains. Suppose the probability that she guesses the correct m is 1 2 p[c / ∈ I ∧ c / ∈ J]. If Alice finds the index c in Set X or Y, she believes the set which contains c is Set I. In other words, when the index of the fake pulse in Set I, Alice knows Bob's choice with a large probability; when the index of the fake pulse in Set J, she has no choice to break the protocol. Then, Alice needs the following conditions to know the content of the message obtained by Bob. Item (iii) ensures that Bob can obtain a correct message. Suppose the probability of the above three conditions being satisfied is p(3con). The probability that Alice knows the content of the message obtained by Bob is The probability of Item (i) being satisfied is p (i) . In the practical protocol, an honest Bob is supposed to obtain N p con (µ) conclusive bits, where p con (µ) = (1 − e − µ 4 )/2 according to Equation (5).
He picks k bits from the conclusive results to form Set I. Assume the number of conclusive result is still N p con (µ). The probability that Bob accepts the fake pulse as the conclusive pulse and picks it in Set I is . (16) Suppose the probability that Bob measures in basis B 0 and gets a conclusive bit r c = 1 is p B 0 con (µ), the probability that Bob measures in basis B 1 and gets a conclusive bit r c = 0 is p B 1 con (µ). It can be seen that p B 0 con (µ) > p B 1 con (µ). Alice knows that Bob is more likely to obtain r c = 1. In the case that c ∈ I, the conditional probability that Bob accepts r c = 1 is p r c = 1|c ∈ I = p r c = 1|c ∈ I p r c = 1|c ∈ I + p r c = 0|c ∈ I = p B 0 con (µ) p B 0 con (µ) + p B 1 con (µ) The second "=" holds because Bob randomly picks the elements of Set I from his conclusive results in well-distributed. Therefore, the probability of the above three conditions being satisfied is Then, we analyze the condition that the index c is neither in Set I nor J. When Bob does not receive the fake pulse, the index c is certainly not in the sets, the probability of which is p 0 (µ) = e −µ . When Bob receives the fake pulse, the probability that the index c is not in the two sets depends on his choice of the elements in the sets. Suppose the probability that the index c is not in the two sets when Bob receives the fake pulse is where p[c / ∈ I ∧ c / ∈ J|Con] denotes the probability of the condition where Bob accepts the fake pulse as a conclusive result but does not choose it in Set I nor J; p[c / ∈ I ∧ c / ∈ J|Inc] denotes the probability of the condition where Bob accepts the fake pulse as an inconclusive result but does not choose it in Set J. Assume that Bob chooses x bits of the conclusive results into Set J while k − x bits of the inconclusive results into Set J, where 0 ≤ x ≤ p con (µ)N − k. Then, the number of conclusive results neither in Set I nor J is p con (µ)N − k − x, the number of inconclusive results not in Set J is Then, the probability that Alice attacks Protocol 2 successfully is When x = p con (µ)N − k , the minimum of p(OT) is When x = 0, the maximum of p(OT) is The minimum and the maximum probabilities that Alice attacks Protocol 2 successfully with different µ are listed in Table 2. Actually, Bob putting more index of conclusive results in Set I and J is beneficial for him to get more information about b 0 and b 1 . Bob should prefer to select x = p con (µ)N − k . Even if Alice guesses which message Bob obtains without any trick, she has a probability of 1/2 to get the right answer. It can be seen from Table 2 that when Bob chooses x = p con (µ)N − k , the probability that Alice breaks the OT 2 1 protocol is p(OT) min < 1/2, which causes that Alice replaces one of the states with |Ψ 0 ⊥ is not an effective attack. In addition, we will show in Section 5.2 that even Bob chooses x = 0, Alice cannot break the binding of our QBC protocol.

The Attack that Alice Sends All States Dishonestly in R-OT Protocol
The attack that Alice sends all states dishonestly may be detected by Bob through the different ratio of conclusive results. She should generate different proportions of different states. For example, Alice sends states in Breidbart basis to increase the proportion of Bob's conclusive (inconclusive) bits. Consider the ideal case, for |Ψ 0 = |0 and |Ψ 1 = |π/6 , the states in Breidbart basis are | π 12 and | 7π 12 . If Alice sends the state | π 12 and Bob randomly chooses the measurement basis B 0 or B 1 , the probability that Bob obtains a conclusive bit is If Alice sends the state | 7π 12 and Bob randomly chooses the measurement basis B 0 or B 1 , the probability that Bob obtains a conclusive bit is It is clear that when Alice sends | π 12 , she knows that Bob is likely to get an inconclusive bit. When Alice sends | 7π 12 , she knows that Bob is likely to get a conclusive bit. In order to ensure the ratio of the conclusive result is 1/8 according to Equation (1), Alice should set the proportion of | π 12 as 1 2 + √ 3 4 and the proportion of | 7π 12 as 1 2 − √ 3 4 . According to Equation (25), the ratio of state | 7π 12 accepted as conclusive results and inconclusive results is in OT 2 1 protocol, which is around 13.9. When Alice receives the index set X and Y, she regards the set contains more index of | 7π 12 as the set I. By this attack, she can know the value of m chosen by Bob with a large probability.
However, 7π 12 means that Alice has no idea about Bob's the measurement results by this attack. Bob cannot obtain the correct bit in OT 2 1 protocol, while Alice cannot disclose the correct r i in the opening phase of QBC protocol.

The Security of QBC
BC protocol is binding if Alice cannot change the value of b after she commits and it is concealing if Bob cannot obtain b before the opening phase. Protocol 3 is both physically binding and concealing in practice. We first show the concealing property.

Concealing of QBC
We first analyze the ideal protocol without error and loss to prove that QBC in ideal conditions is information-theoretically concealing. Then, further consider the practical conditions.

Theorem 1. Protocol 3 in ideal conditions without imperfect facilities and errors is information-theoretically concealing.
Proof. According to the description of Protocol 3, it is easy to see that the relation of r i , ciphertext c 0 , c 1 and the commit value b is Suppose ρ is the density operator of the whole state received by Bob when Alice commits b, As According to the process of analysis in [62], the density operators ρ Then, trace distance is For any positive polynomial p(·) and every sufficiently large n, holds. The theorem is proved.
In practical QBC protocol, the commit value is .., l. The OT 2 1 protocol is executed l times. When Bob breaks Alice's privacy just once in OT 2 1 protocol, he knows the commit value. Some security parameters of OT 2 1 protocol are given is Table 1 and the probability that Bob breaks Alice's privacy p 2 is controlled to be a magnitude of 10 −6 . Suppose the times of executing OT 2 1 protocol in bit commitment protocol is l = 40, a malicious Bob can obtain what Alice has committed before opening phase with a probability of In practical protocol, the probability of breaking the concealing of bit commitment around 4.0 × 10 −5 is allowed.

Binding of QBC
All of Alice's attacks can be divided into two categories, i.e., without entangled states, and with entangled states.

Attacks without Entangle States
When Alice attacks QBC protocol without entangle states, she has two different strategy. One is to attack QBC protocol directly. The other is to attack privacy for Bob of OT 2 1 first and knows Bob's choice m. Then, she changes the message b 1 just in the opening phase of QBC protocol. But some of these values are known by Bob. Alice has no idea about which bits Bob obtains. Because our OT 2 1 is a fault-tolerant scheme, the probability that Bob can obtain a correct b 0 or b 1 successfully is 1 − p = 0.8, which is the probability that there is no error for the key used in the decryption algorithm of OT 2 1 protocol and the conclusive results are enough to construct Set I. Bob has a probability of p = 20% of getting neither of the messages, a probability of 40% of getting the message b 0 , and a probability of 40% of getting the message b 1 . Therefore, if Alice randomly changes 1 , her probability of being detected is 40%. Alice's commitment in Protocol 3 contains l same value of b. A strategy for the cheating Alice is to commit "0" with the number of l 2 and commit "1" with the number of l 2 in commit phase, and change half of them in opening phase. Therefore, for l = 40, Alice's success probability of attacking is In practical protocol, the probability of breaking the binding of the bit commitment is allowed to be around 3.6 × 10 −5 .
The QBC protocol is a compositional protocol, which calls the OT 2 1 protocol several times. In Section 4.2, we analyze the privacy for Bob of OT 2 1 protocol. Alice could attack by replacing one of the states with |Ψ 0 ⊥ . Suppose the cheating Alice commits "0" with the number of l 2 and commit "1" with the number of l 2 in commit phase. When Alice attacks l/2 rounds without detection, she can break the binding of QBC. Bob has a probability of p = 20% getting neither of the messages. When Bob gets none of the correct messages, Alice can change one of the messages without being detected. When Bob gets one of the messages, the probability that Alice attacks without detection is not greater than p(OT) = p(3con) + 1 2 p 0 (µ) + 1 The reason is that when the index c is neither in Set I nor J, it is possible that the fake state |Ψ 0 ⊥ is accepted as a conclusive bit and Alice discloses an inconsistent result in opening phase of QBC. The probability that Alice attacks one round without being detected is When Alice attacks OT 2 1 protocol and changes b 0 or b 1 in opening phase of QBC, the probability that the attack is not detected by Bob is When Bob selects none of conclusive results into Set J, the maximum probability of attacking is which are listed in Table 3. Alice has the maximum probability of attacking the binding of QBC protocol with magnitudes of 10 −5 , which is allowed in practice.

Attack with Entangle States
The entanglement generation and control [63][64][65][66] are the preconditions of the attack with entangle states. Then, we analyze this kind of attacks. In Protocol 1, the states are generated by Alice and sent to Bob. After sending the states, if Alice does not perform the EPR type attack, she can do nothing with the outgoing states. If she prepares entangled states and sends a part of them to Bob, she tries to find the local unitary transformation to change the value of commitment, which is actually the no-go theorem attack.
When Alice commits "0" or "1", she prepares If Alice wants to change the value of commitment from "0" to "1", she needs to get state |ν with the same reduced density operator as |0 , which satisfies | 1|ν | = F(ρ 2k 0 , ρ 2k 1 ) = 1 − δ. Then, she must find out the unitary transformation acting on A alone to transform |0 into |ν . The calculation of unitary transformation is presented in Appendix A. As |ν and |1 are so similar, Bob can hardly detect the cheating Alice.
However, according to Appendix A, the no-go theorem attack algorithm's time complexity is O(2 3n ), besides, this algorithm needs at least O(2 2n ) size of memory space to store the matrix. The entry number of matrix U A is 2 2k × 2 2k , according to Table 1 this number is greater than the number of protons on the earth. It means that Alice is unable to get the matrix in practice, and the storage time of quantum states is limited. The bit commitment could be executed over a period of time to prevent Alice from applying transformation with the other part of entanglement states. Therefore, in practice Alice can hardly attack the binding of the bit commitment protocol with this method. Therefore, our protocol achieves the physical security defined in Section 1.

Discussions
In this paper, we analyze the situation where the protocols are executed on an atmospheric window with a high efficiency detector of 80%. If a malicious Bob has a greater ability to obtain information near Alice's site and has a super channel, the transfer efficiency could be 100%. To defend the attack, the product of the efficiency of transfer and an honest Bob's detector η C η D should be increased to 80%.
If we execute the protocols in optical fiber, the bit commitment protocol can be realized between two parties with a long distance. For a malicious Bob who uses photon number splitting attack and has a detector with an efficiency less than η D /80%, the analysis and security of the protocol also hold. It means that our protocols can probably be applied over a long distance in the future.
We considered another construction of quantum bit commitment protocol. In quantum R-OT protocol, Bob prepares a random qubit string |Φ 1 , ..., |Φ n and sends it to Alice, where |Φ i ∈ {|0 , |1 , |+ , |− }. Alice generates random bit string (r 1 , ..., r N ) ∈ {0, 1} N . When r i = 0, she keeps the ith qubit unchanged and sends it back to Bob; when r i = 1, she rotates the state along y axis with π 6 , and sends the qubit back to Bob, that is Bob chooses B 0 or B 1 randomly to measure the pulses coming from Alice, where |Ψ 0 = |Φ i and |Ψ 1 = |Φ i + π 6 . From these receiving pulses, if and only if his measurement results in state |Ψ x ⊥ , he accepts a pulse as a conclusive pulse and takes the bit value of this pulse as x ⊕ 1.
When attacking the quantum bit commitment protocols by no-go theorem, Alice usually prepares states as |0 = Σ i α i |e i A ⊗ |φ i B and |1 = Σ j β j |e j A ⊗ |φ j B . Then, she keeps the first register herself and sends the second register to Bob. Only by Alice's local unitary transformation, she can cheat by changing the value of the commit bit b in opening phase. In the protocol above, the quantum states are prepared by Bob and Alice has no original states. However, when she rotates the coming states, she can make the operation as a controlled unitary transformation. The control bit in the transformation is entangled with the other register. Similarly, Alice can cheat by local unitary transformation on the other register. The construction above actually is not beyond the no-go theorem and increase the complexity of the practical system. Therefore, we construct a more practical and easier protocol in Section 3.

Conclusions
Based on two non-orthogonal states, we construct a practical quantum R-OT protocol. Afterwards we construct a one-out-of-two oblivious transfer protocol based on the quantum R-OT protocol. Finally, we present a bit commitment protocol based on the one-out-of-two protocol. The security of concealing is kept by the measurement hypothesis and superposition principle of state in quantum mechanics. The binding of the bit commitment protocol is physically secure. By using weak coherent pulses and allowing some errors, our protocols can be applied in practice. With the advent of the higher efficiency detectors in optical fiber, our protocol can be realized with a long distance.
Author Contributions: L.Y. designed the research and the architecture of the protocols. Y.S. wrote the manuscript and gave security analysis. Authors have read and approved the final manuscript. For the entangled states prepared by Alice, there is an orthogonal basis set of 2k dimensions for subsystems A and B. Therefore, |0 can be written as where i, j ∈ {0, 1, ..., 2 2k − 1}, and θ ij = ∑ l α l A i|e l AB j|Ψ r l B .
The entries θ ij compose 2 2k × 2 2k matrix Θ. Θ can be decomposed by the singular value decomposition as Θ = UDV, where D is a diagonal matrix with positive elements, and U and V are unitary matrices. For ρ B 1 and ρ B 0 , the related polar decomposition is There is an orthogonal basis set with which ρ B 0 and ρ B 1 are in block-diagonal form [62] and blocks have a general expression, so that we can give the entries of matrix T based on this orthogonal basis.
2. Solving U A . Based on the proof of Uhlmann's theorem given by Jozsa [67], we have It can be seen that there is a local unitary transformation U A for Alice to transform |0 into |ν . According to Equation (A4), ρ B 0 = ∑ i |λ i | 2 |y i BB y i |, it gives It can be seen that Then, Alice can get all elements of U A from this equation.