Quantum Commitments and Signatures Without One-Way Functions

Abstract

In the classical world, the existence of commitments is equivalent to the existence of one-way functions. In the quantum setting, on the other hand, commitments are not known to imply one-way functions, but all known constructions of quantum commitments use at least one-way functions. Are one-way functions really necessary for commitments in the quantum world? In this work, we show that non-interactive quantum commitments (for classical messages) with computational hiding and statistical binding exist if pseudorandom quantum states exist. Pseudorandom quantum states are sets of quantum states that are efficiently generated but their polynomially many copies are computationally indistinguishable from the same number of copies of Haar random states [Ji, Liu, and Song, CRYPTO 2018]. It is known that pseudorandom quantum states exist even if \(\textbf{BQP}=\textbf{QMA}\) (relative to a quantum oracle) [Kretschmer, TQC 2021], which means that pseudorandom quantum states can exist even if no quantum-secure classical cryptographic primitive exists. Our result therefore shows that quantum commitments can exist even if no quantum-secure classical cryptographic primitive exists. In particular, quantum commitments can exist even if no quantum-secure one-way function exists. In this work, we also consider digital signatures, which are other fundamental primitives in cryptography. We show that one-time secure digital signatures with quantum public keys exist if pseudorandom quantum states exist. In the classical setting, the existence of digital signatures is equivalent to the existence of one-way functions. Our result, on the other hand, shows that quantum signatures can exist even if no quantum-secure classical cryptographic primitive (including quantum-secure one-way functions) exists.

Appendices

A Making Opening Message Classical

In this Appendix, we show that general quantum non-interactive commitments can be modified so that the opening message is classical.

Let us consider the following general non-interactive quantum commitments:

• Commit phase: The sender who wants to commit \(b\in \{0,1\}\) generates a certain state \(|\psi _b\rangle _{RC}\) on the registers R and C. The sender sends the register C to the receiver.

• Reveal phase: The sender sends b and the register R to the receiver. The receiver runs a certain verification algorithm on the registers R and C.

Let us modify it as follows:

• Commit phase: The sender who wants to commit \(b\in \{0,1\}\) chooses \(x,z\leftarrow \{0,1\}^{|R|}\), and generates the state

  $$\begin{aligned}{}[(X^xZ^z)_R\otimes I_C]|\psi _b\rangle _{RC}, \end{aligned}$$

  where |R| is the size of the register R. The sender sends the registers R and C to the receiver.

• Reveal phase: The sender sends (x, z) and b to the receiver. The receiver applies \((X^xZ^z)_R\otimes I_C\) on the state, and runs the original verification algorithm on the registers R and C.

Theorem A.1

If the original commitment scheme is computationally hiding and statistically sum-binding, then the modified commitment scheme is also computationally hiding and statistically sum-binding.

Proof

Let us first show hiding. Hiding is clear because what the receiver has after the commit phase in the modified scheme is \(\frac{I^{\otimes |R|}}{2^{|R|}}\otimes \text{ Tr}_R(|\psi _b\rangle \langle \psi _b|_{RC})\), which is the same as that in the original scheme.

Next let us show binding. Biding is also easy to understand. The most general action of a malicious sender in the modified scheme is as follows.

1. 1.

   The sender generates a state \(|\varPsi \rangle _{ERC}\) on the three registers E, R, and C. The sender sends the registers R and C to the receiver.

2. 2.

   Given \(b\in \{0,1\}\), the sender computes \((x,z)\in \{0,1\}^{|R|}\times \{0,1\}^{|R|}\). The sender sends (x, z) and b to the receiver.

3. 3.

   The receiver applies \(X^xZ^z\) on the register R.

4. 4.

   The receiver runs the verification algorithm on the registers R and C.

Assume that this attack breaks sum-binding of the modified scheme. Then we can construct an attack that breaks sum-binding of the original scheme as follows:

1. 1.

   The sender generates a state \(|\varPsi \rangle _{ERC}\) on the three registers E, R, and C. The sender sends the register C to the receiver.

2. 2.

   Given \(b\in \{0,1\}\), the sender computes (x, z) and applies \(X^xZ^z\) on the register R. The sender sends the register R, b, and (x, z) to the receiver.

3. 3.

   The receiver runs the verification algorithm on the registers R and C.

It is easy to check that the two states on which the receiver applies the verification algorithm are the same.    \(\square \)

B Equivalence of Binding Properties

In this paper, we adopt sum-binding (Definition 3.4) as a definition of binding property of commitment schemes. On the other hand, the concurrent work by Ananth et al. [AQY21] introduces a seemingly stronger definition of binding, which we call AQY-binding, and shows that their commitment scheme satisfies it. The advantage of the AQY-binding is that it naturally fits into the security analysis of oblivious transfer in [BCKM21]. That is, a straightforward adaptation of the proofs in [BCKM21] enables us to prove that a commitment scheme satisfying AQY-binding and computational hiding implies the existence of oblivious transfer and multi-party computation (MPC). Combined with their construction of an AQY-binding and computational hiding commitment scheme from PRSGs, they show that PRSGs imply oblivious transfer and MPC.

We found that it is already implicitly shown in [FUYZ20] that the sum-binding and AQY-binding are equivalent for non-interactive commitment schemes in a certain form called the generic form as defined in [YWLQ15, Yan20, FUYZ20].¹⁰ Since our commitment scheme is in the generic form, we can conclude that our commitment scheme also satisfies AQY-binding, and thus can be used for constructing oblivious transfer and MPC based on [BCKM21]. We explain this in more detail below.

Commitment Schemes in the General Form. We say that a commitment scheme is in the general form if it works as follows over registers (C, R).

1. 1.

   In the commit phase, for generating a commitment to \(b\in \{0,1\}\), the sender applies a unitary \(Q_b\) on \(|{0...0}\rangle _{C}\otimes |{0...0}\rangle _{R}\) and sends the C register to the receiver.

2. 2.

   In the reveal phase, the sender sends the R register along with the revealed bit b. Then, the receiver applies \(Q_b^\dagger \), measures both C and R in the computational basis, and accepts if the measurement outcome is 0...0.

See [Yan20, Definition 2] for the more formal definition. Yan [Yan20, Theorem 1] showed that for commitment schemes in the general form, the sum-binding is equivalent to the honest-binding, which means \(F(\sigma _0,\sigma _1)={\textsf{negl}}(\lambda )\), where F is the fidelity and \(\sigma _b\) is the honestly generated commitment to b for \(b\in \{0,1\}\), i.e., \(\sigma _b{:}{=}\textrm{Tr}_R(Q_b|0...0\rangle \langle 0...0|_{RC} Q_b^\dagger )\).

AQY-Binding. Roughly speaking, the AQY-binding requires that there is an (inefficient) extractor \(\mathcal {E}\) that extracts a committed message from the commitment and satisfies the following: We define the following two experiments between a (possibly dishonest) sender and the honest receiver:

• Real Experiment: In this experiment, the sender and receiver run the commit and reveal phases, and the experiment returns the sender’s final state \(\rho _S\) and the revealed bit b, which is defined to be \(\bot \) if the receiver rejects.

• Ideal Experiment: In this experiment, after the sender sends a commitment, the extractor \(\mathcal {E}\) extracts \(b'\) from the commitment. After that, the sender reveals the commitment and the receiver verifiers it. Let b be the revealed bit, which is defined to be \(\bot \) if the receiver rejects. The experiment returns \((\rho _S,b)\) if \(b=b'\) and otherwise \((\rho _S,\bot )\) where \(\rho _S\) is sender’s final state.

Then we require that for any (unbounded-time) malicious sender, outputs of the real and ideal experiments are statistically indistinguishable. See [AQY21, Definition 6.1] for the formal definition.

Sum-Binding and AQY-Binding are Equivalent. First, it is easy to see that AQY-binding implies sum-binding. By the AQY-binding, we can see that a malicious sender can reveal a commitment to \(b\in \{0,1\}\) only if \(\mathcal {E}\) extracts b except for a negligible probability. Moreover, it is clear that \(\Pr [\mathcal {E} \text {~extracts~} 0]+\Pr [\mathcal {E} \text {~extracts~} 1]\le 1\) for any fixed commitment. Thus, the sum-binding follows.

We observe that the other direction is implicitly shown in [FUYZ20] as explained below. As already mentioned, the sum-binding is equivalent to honest-binding. For simplicity, we start by considering the case of perfectly honest-binding, i.e., \(F(\sigma _0,\sigma _1)=0\).

First, as shown in [FUYZ20, Corollary 4], there is an (inefficient) measurement \((\varPi _0,\varPi _1)\) that perfectly distinguishes \(\sigma _0\) and \(\sigma _1\) since we assume \(F(\sigma _0,\sigma _1)=0\). Then, we can define the extractor \(\mathcal {E}\) for the AQY-binding as an algorithm that just applies the measurement \((\varPi _0,\varPi _1)\) and outputs the corresponding bit b. It is shown in [FUYZ20, Lemma 6] that the final joint state over sender’s and receiver’s registers does not change even if we apply the measurement \((\varPi _0,\varPi _1)\) to the commitment before the reveal phase conditioned on that the receiver accepts. In the case of rejection, note that the revealed bit is treated as \(\bot \) in the experiment for the AQY-binding. Moreover, the measurement on the commitment register does not affect sender’s final state since no information is sent from the receiver to the sender. By combining the above observations, the joint distribution of the sender’s final state and the revealed bit does not change even if we measure the commitment in \((\varPi _0,\varPi _1)\). This means that the AQY-binding is satisfied.

For the non-perfectly honest-binding case, i.e., \(F(\sigma _0,\sigma _1)={\textsf{negl}}(\lambda )\), we can rely on the perturbation technique. It is shown in [FUYZ20, Lemma 8] that for a non-perfectly honest-binding commitments characterized by unitaries \((Q_0,Q_1)\), there exist unitaries \((\tilde{Q}_0,\tilde{Q}_1)\) that characterize a perfectly honest-binding commitment scheme and are close to \((Q_0,Q_1)\) in the sense that replacing \((Q_0,Q_1)\) with \((\tilde{Q}_0,\tilde{Q}_1)\) in any experiment only negligibly changes the output as long as the experiment calls \((Q_0,Q_1)\) or \((\tilde{Q}_0,\tilde{Q}_1)\) polynomially many times. By using this, we can reduce the AQY-binding property of non-perfectly honest-binding commitment schemes to that of perfectly honest-binding commitment schemes with a negligible security loss.