Adaptive Versus Non-Adaptive Strategies in the Quantum Setting with Applications
Abstract
We prove a general relation between adaptive and non-adaptive strategies in the quantum setting, i.e., between strategies where the adversary can or cannot adaptively base its action on some auxiliary quantum side information. Our relation holds in a very general setting, and is applicable as long as we can control the bit-size of the side information, or, more generally, its “information content”. Since adaptivity is notoriously difficult to handle in the analysis of (quantum) cryptographic protocols, this gives us a very powerful tool: as long as we have enough control over the side information, it is sufficient to restrict ourselves to non-adaptive attacks.
We demonstrate the usefulness of this methodology with two examples. The first is a quantum bit commitment scheme based on 1-bit cut-and-choose. Since bit commitment implies oblivious transfer (in the quantum setting), and oblivious transfer is universal for two-party computation, this implies the universality of 1-bit cut-and-choose, and thus solves the main open problem of [9]. The second example is a quantum bit commitment scheme proposed in 1993 by Brassard et al. It was originally suggested as an unconditionally secure scheme, back when this was thought to be possible. We partly restore the scheme by proving it secure in (a variant of) the bounded quantum storage model.
In both examples, the fact that the adversary holds quantum side information obstructs a direct analysis of the scheme, and we circumvent it by analyzing a non-adaptive version, which can be done by means of known techniques, and applying our main result.
Keywords
Side Information; Cryptographic Protocol; Commitment Scheme; Quantum Memory; Oblivious Transfer
1 Introduction
Adaptive Versus Non-Adaptive Attacks. We consider attacks on cryptographic schemes, and we compare adaptive versus non-adaptive strategies for the adversary. In our context, a strategy is adaptive if the adversary’s action can depend on some auxiliary side information, and it is non-adaptive if the adversary has no access to any such side information. Non-adaptive strategies are typically much easier to analyze than adaptive ones.
Adaptive strategies are clearly more powerful than non-adaptive ones, but this advantage is limited by the amount and quality of the side information available to the attacker. In the classical case, this can be made precise by the following simple argument. If the side information consists of a classical n-bit string, then adaptivity increases the adversary’s success probability in breaking the scheme by at most a factor of \(2^n\). Indeed, a particular non-adaptive strategy is to try to guess the n-bit side information and then apply the best adaptive strategy. Since the guess will be correct with probability at least \(2^{-n}\), it follows that \(P^{\mathrm {NA}}_{\mathrm {succ}}\ge 2^{-n} P^{\mathrm {A}}_{\mathrm {succ}}\), and thus \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^n P^{\mathrm {NA}}_{\mathrm {succ}}\), where \(P^{\mathrm {A}}_{\mathrm {succ}}\) and \(P^{\mathrm {NA}}_{\mathrm {succ}}\) respectively denote the optimal adaptive and non-adaptive success probabilities for the adversary to break the scheme. Even though there is an exponential loss, this is a very powerful relation between adaptive and non-adaptive strategies as it applies very generally, and it provides a non-trivial bound as long as we can control the size of the side information, and the non-adaptive success probability is small enough.
Our Technical Result. In this work, we consider the case where the side information (and the cryptographic scheme as a whole) may be quantum. A natural question is whether the same (or a similar) relation holds between adaptive and non-adaptive quantum strategies. The quantum equivalent to guessing the side information would be to emulate the n-qubit quantum side information by the completely mixed state \(\frac{\mathbb {I}_A}{2^n}\). Since it always holds that \(\rho _{AB}\le 2^{2n}\frac{\mathbb {I}_A}{2^n}\otimes \rho _B\), we immediately obtain a similar relation \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^{2n} P^{\mathrm {NA}}_{\mathrm {succ}}\), but with an additional factor of 2 in the exponent. The bound is tight for certain choices of \(\rho _{AB}\), and thus this additional loss is unavoidable in general; this seems to mostly answer the above question.
In more detail, we consider an abstract “game”, specified by an arbitrary bipartite quantum state \(\rho _{AB}\), of which the adversary Alice and a challenger Bob hold the respective registers A and B, and by an arbitrary family \(\{E^j\}_{j \in \mathcal J}\) of binary-outcome POVMs acting on register B. The game is played as follows: Alice chooses an index j, communicates it to Bob, and Bob measures his state B using the POVM \(E^j = \{E_0^j,E_1^j\}\) specified by Alice. Alice wins the game if Bob’s measurement outcome is 1. In the adaptive version of the game, Alice can choose the index j by performing a measurement on A; in the non-adaptive version, she has to decide upon j without resorting to A. As we will see, this game covers a large class of quantum cryptographic schemes, where Bob’s binary measurement outcome specifies whether Alice succeeded in breaking the scheme.
Our main result shows that in any such game it holds that \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^n P^{\mathrm {NA}}_{\mathrm {succ}}\) where \(n = \mathrm{H}_0(A)\), i.e., the number of qubits of A. Actually, as already mentioned, we show a more general and stronger bound \(P^{\mathrm {A}}_{\mathrm {succ}}\le 2^{I_{\max }^{\mathrm {acc}}(B;A)} P^{\mathrm {NA}}_{\mathrm {succ}}\) that also applies if we have no bound on the number of qubits of A, but we have some control over its “information content” \(I_{\max }^{\mathrm {acc}}(B;A)\), which is a new information measure that we introduce and show to be upper bounded by \(\mathrm{H}_0(A)\).
To give a first indication of the usefulness of our result, we observe that it easily provides a lower bound on the quantity, or quality, of entanglement (as measured by \(I_{\max }^{\mathrm {acc}}(B;A)\)) that a dishonest committer needs in order to carry out the standard attack [18] on a quantum bit commitment scheme. Let Alice be the committer and Bob the receiver in a bit commitment scheme in which the opening phase consists of Alice announcing a classical string j and Bob applying a verification described by POVM \(\{E_{\mathrm {accept}}^j, E_{\mathrm {reject}}^j\}\). In the standard attack, Alice always commits to 0 while purifying her actions and applies an operation on her register if she wants to change her commitment to 1. If we let \(\rho _{AB}\) be the state of Bob’s register B that corresponds to a commitment to 0, then the probability that a memoryless Alice successfully changes her commitment to 1 is \(P^{\mathrm {NA}}_{\mathrm {succ}}=\max _j{{\mathrm{tr}}}(E_{\mathrm {accept}}^j \rho _{AB})\), where the maximum is over all j that open 1. If Alice holds a register A entangled with B, our main result implies that \(I_{\max }^{\mathrm {acc}}(B;A)\) must be proportional to \(-\log P^{\mathrm {NA}}_{\mathrm {succ}}\) for Alice to have a constant probability of changing her commitment.
But the real potential lies in the observation that adaptivity is notoriously difficult to handle in the analysis of cryptographic protocols, and as such our result provides a very powerful tool: as long as we have enough control over the side information, it is sufficient to restrict ourselves to non-adaptive attacks.
Applications. We demonstrate the usefulness of this methodology by proving the security of two commitment schemes. In both examples, the fact that the adversary holds quantum side information obstructs a direct analysis of the scheme, and we circumvent it by analyzing a non-adaptive version and applying our general result.
One-Bit Cut-and-Choose is Universal for Two-Party Computation. As a first example, we propose and prove secure a quantum bit commitment scheme that uses an ideal 1-bit cut-and-choose primitive \(\textsf {1CC}\) (see Fig. 1 in Sect. 4) as a black box. Since bit commitment (\(\textsf {BC}\)) implies oblivious transfer (\(\textsf {OT}\)) in the quantum setting [2, 7, 20], and oblivious transfer is universal for two-party computation, this implies the universality of \(\textsf {1CC}\) and thus completes the zero/xor/one law proposed in [9]. Indeed, it was shown in [9] that in the information-theoretic quantum setting, every primitive is either trivial (zero), universal (one), or can be used to implement an XOR — except that there was one missing piece in their characterization: it excluded \(\textsf {1CC}\) (and any primitive that implies \(\textsf {1CC}\) but not \(\textsf {2CC}\)). How \(\textsf {1CC}\) fits into the landscape was left as an open problem in [9]; we resolve it here.
The BCJL Bit Commitment Scheme in (A Variant of) The Bounded Quantum Storage Model. As a second application, we consider a general class of non-interactive commitment schemes and we show that for any such scheme, security against an adversary with no quantum memory at all implies security in a slightly strengthened version of the standard bounded quantum storage model^{1}, with a corresponding loss in the error parameter.^{2}
As a concrete example scheme, we consider the classic BCJL scheme that was proposed in 1993 by Brassard et al. [6] as a candidate for an unconditionally secure scheme — back when this was thought to be possible — but until now has resisted any rigorous positive security analysis. Our methodology of relating adaptive to non-adaptive security allows us to prove it secure in (a variant of) the bounded quantum storage model.
2 Preliminaries
2.1 Basic Notation
For any string \(x = (x_1,\ldots ,x_n) \in \{0,1\}^n\) and any subset \(t=\{t_1,\dots ,t_k\}\subseteq [n]\), we write \(x_t\) for the substring \(x_t = (x_{t_1},\dots ,x_{t_k}) \in \{0,1\}^{|t|}\). The n-bit all-zero string is denoted as \(0^n\). The Hamming distance between two strings \(x,y\in \{0,1\}^n\) is defined as \(d(x,y)= \sum _{i=1}^n x_i\oplus y_i\). For \(\delta >0\) and \(x\in \{0,1\}^n\), \(B^\delta (x)\) denotes the set of all n-bit strings at Hamming distance at most \(\delta n\) from x. We denote by \(\lg {(\cdot )}\) the logarithm with respect to base 2. It is well known that the set \(B^\delta (x)\) contains at most \(2^{nh(\delta )}\) strings, where \(h(\delta )= -\delta \lg (\delta ) - (1-\delta )\lg (1-\delta )\) is the binary entropy function.
Ideal cryptographic functionalities (or primitives) are referenced by their name written in sans-serif font. They are fully described by their input/output behaviour (see, e.g., functionality \(\textsf {1CC}\) described in Fig. 1 in Sect. 4). Cryptographic protocols have their names written in small capitals with a primitive name in superscript if the protocol has black-box access to this primitive (e.g. protocol \(\textsc {bc}^\textsf {1CC}\) in Sect. 4).
2.2 Quantum States and More
We assume familiarity with the basic concepts of quantum information; we merely fix notation and terminology here. We label quantum registers by capital letters A, B etc. and their corresponding Hilbert spaces are respectively denoted by \(\mathcal {H}_A, \mathcal {H}_B\) etc. We say that a quantum register A is “empty” if \(\dim (\mathcal {H}_A) = 1\). The state of a quantum register is specified by a density operator \(\rho \), a positive semidefinite trace-1 operator. We typically write \(\rho _A\) for the state of A, etc. The set of density operators for register A is denoted \(\mathcal{D}(\mathcal {H}_A)\). We write \(X \ge 0\) to express that the operator X is positive semidefinite, and \(Y \ge X\) to express that \(Y - X\) is positive semidefinite.
We measure the distance between two states \(\rho \) and \(\sigma \) in terms of their trace distance \(D(\rho , \sigma ):= \frac{1}{2}\Vert \rho - \sigma \Vert _{1}\), where \(\Vert X \Vert _{1}:= {{\mathrm{tr}}}(\sqrt{X^\dagger X})\) is the trace norm. We say that \(\rho \) and \(\sigma \) are \(\epsilon \)-close if \(D(\rho ,\sigma )\le \epsilon \), and we call them indistinguishable if their trace distance is negligible (in the security parameter).
The computational (or rectilinear) basis for a single-qubit quantum register is denoted by \(\{|0\rangle _+, |1\rangle _+\}\), and the diagonal basis by \(\{|0\rangle _\times , |1\rangle _\times \}\). Recall that \(|0\rangle _\times = \frac{1}{\sqrt{2}} (|0\rangle _+ + |1\rangle _+)\) and \(|1\rangle _\times = \frac{1}{\sqrt{2}} (|0\rangle _+ - |1\rangle _+)\). For any \(x\in \{0,1\}^n\) and \(\theta \in \{+,\times \}^n\), we set \(|x\rangle _\theta := \bigotimes _{i=1}^n |x_i\rangle _{\theta _i}\). In the following, we will view and represent any sequence of diagonal and computational bases by a bit string \(\theta \in \{0,1\}^n\), where \(\theta _i=0\) represents the computational basis and \(\theta _i=1\) the diagonal basis. In other words, for \(b\in \{0,1\}\), \(|b\rangle _0:=|b\rangle _+\) and \(|b\rangle _1 :=|b\rangle _{\times }\). And for \(\theta ,x\in \{0,1\}^n\), we define \(|x\rangle _\theta := \bigotimes _{i=1}^n |x_i\rangle _{\theta _i}\).
The spectral norm of an operator X is defined as \(\Vert X\Vert := \max _{|u\rangle }\Vert X|u\rangle \Vert \), where the maximum is over all normalized vectors \(|u\rangle \), and an operator is called an orthogonal projector if \(X^\dagger = X\) and \(X^2 = X\). The following was shown in [8].
Lemma 1
For any two orthogonal projectors X and Y: \(\Vert X+Y\Vert \le 1+\Vert XY\Vert \).
2.3 Entropy and Privacy Amplification
In the following, the two notions of entropy that we will be dealing with are the min-entropy and the zero-entropy of a quantum register. They are defined as follows:
Definition 1
The min-entropy has the following operational interpretation [13]. Let \(\rho _{XB}\) be a so-called cq-state, i.e., of the form \(\rho _{XB} = \sum _x P_X(x)|x\rangle \!\langle x|_X \otimes \rho ^x_B\). Then \(P_{\mathrm {guess}}(X|B)= 2^{-\mathrm{H}_{\infty }(X|B)_\rho }\), where \(P_{\mathrm {guess}}(X|B)\) is the probability of guessing the value of the classical random variable X, maximized over all POVMs on B.
Theorem 1
3 Main Result
We consider an abstract game between two parties Alice and Bob. The game is specified by a joint state \(\rho _{AB}\), shared between Alice and Bob who hold respective registers A and B, and by a non-empty finite family \(\mathbf{E} = \{E^j\}_{j\in \mathcal J}\) of binary-outcome POVMs \(E^j = \{E^j_0,E^j_1\}\) acting on B. An execution of the game works as follows: Alice announces an index \(j \in \mathcal J\) to Bob, and Bob measures register B of the state \(\rho _{AB}\) using the POVM \(E^j\) specified by Alice’s choice of j. Alice wins the game if the measurement outcome is 1. We distinguish between an adaptive and a non-adaptive Alice. An adaptive Alice can obtain j by performing a measurement on her register A of \(\rho _{AB}\); on the other hand, a non-adaptive Alice has to produce j from scratch, i.e., without accessing A. This motivates the following formal definitions.
Definition 2
As a matter of fact, for the sake of generality, we consider a setting with an additional quantum register \(A'\) to which both the adaptive and the non-adaptive Alice have access, but, as above, only the adaptive Alice has access to A. In that sense, we will compare an adaptive with a semi-adaptive Alice. Formally, we will consider a tripartite state \(\rho _{AA'B}\) and relate \(P_{\mathrm {succ}}(\rho _{AA'B},\mathbf{E})\) to \(P_{\mathrm {succ}}(\rho _{A'B},\mathbf{E})\). Obviously, the special case of an “empty” \(A'\) will then provide a relation between \(P^{\mathrm {A}}_{\mathrm {succ}}\) and \(P^{\mathrm {NA}}_{\mathrm {succ}}\).
We now introduce a new measure of (quantum) information \(I_{\max }^{\mathrm {acc}}(B;AA')_\rho \), which will relate the adaptive to the non- or semi-adaptive success probability in our main theorem. In its unconditional form \(I_{\max }^{\mathrm {acc}}(B;A)_\rho \), it is the accessible version of the max-information \(I_{\max }(B;A)_\rho \) introduced in [3]; this means that it is the amount of max-information that can be accessed via measurements on Alice’s share.
Definition 3
We are now ready to state and prove our main result.
Theorem 2
By considering an “empty” \(A'\), we immediately obtain the following.
Corollary 1
Proof
By the following proposition, we see that Corollary 1 implies a direct generalization of the classical bound, which ensures that giving access to n bits increases the success probability by at most \(2^n\), to qubits.
Proposition 1
For any \(\rho _{AB}\), we have that \(I_{\max }^{\mathrm {acc}}(B;A)_{\rho } \le H_0(A)_{\rho }\).
Proof
One might naively expect that also the conditional version \(I_{\max }^{\mathrm {acc}}(B;AA')_{\rho }\) is upper bounded by \(H_0(A)_{\rho }\), implying a corresponding statement for a semi-adaptive Alice: giving access to n additional qubits increases the success probability by at most \(2^n\). However, this is not true, as the following example illustrates. Let register B contain two random classical bits, and let A and \(A'\) be two qubit registers, containing one of the four Bell states, and which one it is, is determined by the two classical bits. Alice’s goal is to guess the two bits. Clearly, \(A'\) alone is useless, and thus a semi-adaptive Alice having access to \(A'\) has a guessing probability of at most \(\frac{1}{4}\). On the other hand, adaptive Alice can guess them with certainty by doing a Bell measurement on \(AA'\).
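As an added illustration (not code from the paper), the following Python script plays the Sect. 3 game on the Bell-state instance just described and evaluates the non-adaptive, semi-adaptive and adaptive success probabilities numerically, then checks them against the bound of Corollary 1 with Proposition 1 and against the naive conditional bound. The uniform prior on the two bits, the labelling of the four Bell states by those bits, and the choice of a Bell measurement as the adaptive strategy are the example's own assumptions.

```python
"""Added example, not from the paper: the Sect. 3 game played on the Bell-state
instance discussed after Proposition 1, computed with plain Python (no numpy).

Bob's register B holds two uniformly random classical bits x = (x1, x2); the
qubit registers A and A' hold the Bell state |Phi_x>.  Alice wins by announcing
j = x, i.e. Bob's POVM element E^j_1 is the projector onto |j> on B.
"""
import itertools
import math

TWO_BITS = list(itertools.product((0, 1), repeat=2))
P_X = {x: 0.25 for x in TWO_BITS}          # uniform prior on the two bits (assumed)


def bell_state(x1, x2):
    """Real amplitudes of |Phi_x> on (A, A'); basis index = 2*a + a'.
    x1 selects the parity (|00>,|11> vs |01>,|10>), x2 the relative sign."""
    s = 1 / math.sqrt(2)
    sign = -s if x2 else s
    return [s, 0.0, 0.0, sign] if x1 == 0 else [0.0, s, sign, 0.0]


def reduced_state_on_a_prime(psi):
    """Partial trace over A (the first qubit) of the pure state psi on (A, A')."""
    return [[sum(psi[2 * a + i] * psi[2 * a + j] for a in range(2))
             for j in range(2)] for i in range(2)]


def overlap(u, v):
    """Inner product <u|v> for real amplitude vectors."""
    return sum(ui * vi for ui, vi in zip(u, v))


def nonadaptive_success():
    """Non-adaptive Alice announces a fixed j without any register:
    success = max_j Pr[X = j] = 1/4."""
    return max(sum(p for x, p in P_X.items() if x == j) for j in P_X)


def semiadaptive_success():
    """Semi-adaptive Alice sees only A'.  Every |Phi_x> has reduced state I/2 on
    A', so the cq-state of (X, A') is a product state and no measurement on A'
    does better than announcing the most likely x: P_guess = max_x P_X(x)."""
    for x in TWO_BITS:
        rho = reduced_state_on_a_prime(bell_state(*x))
        for i in range(2):
            for j in range(2):
                expected = 0.5 if i == j else 0.0
                assert abs(rho[i][j] - expected) < 1e-12, "A' not maximally mixed"
    return max(P_X.values())


def adaptive_success():
    """Adaptive Alice measures AA' in the Bell basis and announces the outcome.
    The success probability is sum_x P_X(x) |<Phi_x|Phi_x>|^2; we also verify
    that distinct Bell states are orthogonal, so the measurement is valid."""
    states = {x: bell_state(*x) for x in TWO_BITS}
    for x, u in states.items():
        for y, v in states.items():
            if x != y:
                assert abs(overlap(u, v)) < 1e-12, "Bell states not orthogonal"
    return sum(P_X[x] * overlap(psi, psi) ** 2 for x, psi in states.items())


def check_bounds():
    """Compare the three success probabilities against the bounds of Sect. 3.
    Corollary 1 with Proposition 1 applied to the two-qubit register AA' gives
    P_A <= 2^2 * P_NA, which is tight here.  The naive conditional bound
    P_A <= 2^{H_0(A)} * P_semi = 2 * 1/4 fails, as the paper's example states."""
    p_na, p_semi, p_a = nonadaptive_success(), semiadaptive_success(), adaptive_success()
    return {
        "nonadaptive": p_na,
        "semiadaptive": p_semi,
        "adaptive": p_a,
        "unconditional_bound_holds": p_a <= 2 ** 2 * p_na + 1e-9,
        "naive_conditional_bound_holds": p_a <= 2 ** 1 * p_semi + 1e-9,
    }


if __name__ == "__main__":
    print(check_bounds())
```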
However, Proposition 1 does generalize to the conditional version in case of a classical \(A'\).
Proposition 2
An additional property of \(I_{\max }^{\mathrm {acc}}\) is that quantum operations that are in tensor product form on registers A and B cannot increase the max-accessible-information.
Proposition 3
The proofs of the two previous results can be found in Appendix A.
4 Application 1: \(\textsf {1CC}\) Is Universal
4.1 Background
4.2 The Protocol
The protocol is given in Fig. 2, where Alice is the committer and Bob the receiver. The protocol is parameterized by \(N \in \mathbb {N}\), which acts as security parameter, and by constants \(q,\tau \) and r, where \(q,\tau > 0\) are small and \(r < 1\) is close to 1. Intuitively, our bit commitment protocol uses the \(\textsf {1CC}\) primitive to ensure that the state Alice sends to Bob is close to what it is supposed to be: \(|0^N\rangle _\theta \) for some randomly chosen but fixed basis \(\theta \). Indeed, the \(\textsf {1CC}\) primitive allows Bob to sample a small random subset of the qubits and check for correctness on that subset; if the state looks correct on this subset, we expect that it cannot be too far off on the unchecked part.
Note that our protocol uses the B92 [1] encoding (\(\{ |0\rangle _+, |0\rangle _\times \}\)), rather than the more common BB84 encoding. This allows us to get away with a one-bit cut-and-choose functionality; with the BB84 encoding, Alice would have to “commit” to two bits: the basis and the measurement outcome.
We use the quantum sampling framework of Bouman and Fehr [4] to analyze the checking procedure of the protocol. Actually, we use the adaptive version of [9], which deals with an Alice that can decide on the next basis adaptively depending on what Bob has asked to see so far. On the other hand, to deal with Bob choosing his sample subset adaptively depending on what he has seen so far, we require the sample subset to be rather small, so that we can then apply a union bound over all possible choices.
4.3 Security Proofs
We use the standard notion of hiding for a (quantum) bit commitment scheme.
Definition 4
(Hiding). A bit-commitment scheme is \(\epsilon \)-hiding if, for any dishonest receiver Bob, his state \(\rho _0\) corresponding to a commitment to \(b = 0\) and his state \(\rho _{1}\) corresponding to a commitment to \(b = 1\) satisfy \(D(\rho _0,\rho _1) \le \epsilon \).
Since the proof that our protocol is hiding uses a standard approach, we only briefly sketch it.
Theorem 3
Protocol \(\textsc {commit}_{N,q,\tau ,r}^{\textsf {1CC}}\) is \(2^{-\frac{1}{2} N(\lg (1/\gamma ) - 2q - (1-r))}\)-hiding, where \(\gamma = \cos ^2(\pi /8) \approx 0.85\) (and hence \(\lg (1/\gamma ) \approx 0.23\)).
Proof (sketch)
We need to argue that there is sufficient min-entropy in \(\theta _{\bar{t}}\) for Bob; then, privacy amplification does the job. This means that we have to show that Bob has small success probability in guessing \(\theta _{\bar{t}}\). What makes the argument slightly non-trivial is that Bob can choose t depending on the qubits \(|0^N\rangle _{\theta }\). Note that since Alice aborts in case \(|t| > 2qN\), we may assume that \(|t| \le 2qN\).
It is a straightforward calculation to show that Bob’s success probability in guessing \(\theta \) right after step 1 of the protocol, i.e., when given the qubits \(|0^N\rangle _{\theta }\), is \(\gamma ^N\), where \(\gamma = \cos ^2(\pi /8) \approx 0.85\). From this it then follows that right after step 2, Bob’s success probability in guessing \(\theta _{\bar{t}}\) is at most \(\gamma ^N \cdot 2^{2qN}\): if it was larger, then he could guess \(\theta \) right after step 1 with probability larger than \(\gamma ^N\) by simulating the sampling and guessing the \(|t| \le 2qN\) bits \(\theta _i\) that Alice provides. It follows that right after step 2, Bob’s min-entropy in \(\theta _{\bar{t}}\) is \(N(\lg (1/\gamma ) - 2q)\). Finally, by the chain rule for min-entropy, Bob’s min-entropy in \(\theta _{\bar{t}}\) when additionally given the syndrome s is \(N\bigl (\lg (1/\gamma ) - 2q\bigr ) - (n-k) = N\bigl (\lg (1/\gamma ) - 2q\bigr ) - n(1-k/n) \ge N\bigl (\lg (1/\gamma ) - 2q - (1-r)\bigr )\). The statement then directly follows from privacy amplification (Theorem 1) and the triangle inequality. \(\square \)
As for the binding property of our commitment scheme, as we will show, we achieve a strong notion of security that not only guarantees the existence of a bit to which Alice is bound in that she cannot reveal the other bit, but this bit is actually universally extractable from the classical information held by Bob together with the inputs to the 1CC:
Definition 5
(Universally Extractable). A bit-commitment scheme (in the \(\textsf {1CC}\)-hybrid model) is \(\epsilon \)-universally extractable if there exists a function c that acts on the classical information \(view_{Bob,\textsf {1CC}}\) held by Bob and \(\textsf {1CC}\) after the commit phase, so that for any pure commit and open strategy for dishonest Alice, she has probability at most \(\epsilon \) of successfully unveiling the bit \(1 - c(view_{Bob,\textsf {1CC}})\).
Our strategy for proving the binding property for our protocol is as follows. First, we show that due to the checking part, the (joint) state after the commit phase is of a restricted form. Then, we show that, based on this restriction on the (joint) state, a non-adaptive Alice who has no access to her quantum state, cannot open to the “wrong” bit. And finally, we apply our main result to conclude security against a general (adaptive) Alice.
The following lemma follows immediately from (the adaptive version of) Bouman and Fehr’s quantum sampling framework [4, 9]. Informally, it states that if Bob did not abort during sampling, then the post-sampling state of Bob’s register is close to the correct state, up to a few errors. In other words, after the commit phase, Bob’s state is a superposition of strings close to \(0^n\) in the basis specified by \(\theta _{\bar{t}}\).
Lemma 2
The following lemma implies that after the commit phase, if Alice and Bob share a state of the form of (1), then a non-adaptive Alice is bound to a fixed bit which is defined by some string \(\theta '\).
Lemma 3
Proof
We are now ready to prove that the scheme is universally extractable:
Theorem 4
Proof
We need to show the existence of a binary-valued function \(c(\theta , t, g, w,s)\) as required by Definition 5, i.e., such that for any commit strategy, there is no opening strategy that allows Alice to unveil \(\bar{c}\), except with small probability. We define this function as \(c(t,\theta ,g,s,w):= g(\theta ')\oplus w\) where \(\theta '\) is as in Lemma 3, depending on \(t,\theta \) and s only.
Now, consider an arbitrary pure strategy for Alice in protocol \(\textsc {commit}^\textsf {1CC}\). Let \(\theta , g, w\) and s be the values chosen by Alice during the commit phase and let \(\rho _{AB}\) be the joint state of Alice and Bob after the commit phase. Fix \(\delta > 0\) and consider the states \(\tilde{\rho }_{AB}\) and \(|\phi _{AB}\rangle \) as promised by Lemma 2. Recall that \(\rho _{AB}\) is \(\epsilon \)-close to \(\tilde{\rho }_{AB}\) (on average over \(\theta , g, w\) and s, and for \(\epsilon \le \sqrt{4\exp (-q^2\delta ^2N/8)}\)), and \(\tilde{\rho }_{AB}\) is a mixture of Bob aborting in the commit phase and of \(|\phi _{AB}\rangle \); therefore, we may assume that Alice and Bob share the pure state \(\phi _{AB} = |\phi _{AB}\rangle \!\langle \phi _{AB}|\) instead of \(\rho _{AB}\) by taking into account the probability at most \(\epsilon \) that the two states behave differently.
Regarding the choice of parameters \(q,\tau \) and r, and the choice of the code, we note that the Gilbert-Varshamov bound guarantees that the code defined by a random binary \(n\times (n-rn)\) generator matrix G has minimal distance \(d \ge \tau n\), except with negligible probability, as long as \(r < 1-h(\tau )\). On the other hand, for the hiding property, we need that \(r > 1 - 0.23 + 2q\). As such, as long as \(h(\tau ) < 0.23 - 2q\), there exists a suitable rate r and a suitable generator matrix G, so that our scheme offers statistical security against both parties.
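As an added worked example (not from the paper), the following Python helpers turn the two constraints above into a parameter check: they compute lg(1/γ) from γ = cos²(π/8), the binary entropy h(τ), the admissible interval for the rate r, and the hiding error of Theorem 3 for a chosen N, q and r. The sample values for N, q and τ are constructed, and picking the midpoint of the interval is the example's own choice.

```python
"""Added example, not from the paper: a parameter check for protocol
commit^{1CC} (Sect. 4.3), using only the two constraints stated in the text.

Hiding (Theorem 3) needs a positive exponent  lg(1/gamma) - 2q - (1 - r),
i.e. r > 1 - lg(1/gamma) + 2q  with gamma = cos^2(pi/8).  Binding needs a code
of minimum distance >= tau*n; by the Gilbert-Varshamov bound a random generator
matrix achieves this, except with negligible probability, as long as
r < 1 - h(tau).  The helpers below compute the admissible rate interval and the
hiding error for a concrete (N, q, tau, r); all sample values are constructed.
"""
import math

GAMMA = math.cos(math.pi / 8) ** 2      # Bob's per-qubit guessing rate, ~0.85
LG_INV_GAMMA = math.log2(1 / GAMMA)     # ~0.23


def binary_entropy(p):
    """h(p) = -p lg p - (1-p) lg(1-p), with the convention h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def admissible_rate_interval(q, tau):
    """Return (r_min, r_max) with r_min < r_max such that every rate r strictly
    inside satisfies both constraints, or None when h(tau) >= lg(1/gamma) - 2q
    and no rate works."""
    r_min = 1 - LG_INV_GAMMA + 2 * q    # hiding: r > r_min
    r_max = 1 - binary_entropy(tau)     # Gilbert-Varshamov: r < r_max
    return (r_min, r_max) if r_min < r_max else None


def hiding_error(N, q, r):
    """Theorem 3: the scheme is 2^{-N(lg(1/gamma) - 2q - (1-r))/2}-hiding."""
    exponent = LG_INV_GAMMA - 2 * q - (1 - r)
    if exponent <= 0:
        raise ValueError("rate r too small: the hiding bound is vacuous")
    return 2 ** (-0.5 * N * exponent)


def choose_parameters(N, q, tau):
    """Pick the midpoint of the admissible interval (slack on both sides, an
    arbitrary choice for this example) and report the resulting hiding error;
    None if the constraints are incompatible."""
    interval = admissible_rate_interval(q, tau)
    if interval is None:
        return None
    r = (interval[0] + interval[1]) / 2
    return {"r": r, "hiding_error": hiding_error(N, q, r)}


if __name__ == "__main__":
    # constructed sample values: small q and tau, as the text requires
    print(choose_parameters(N=2000, q=0.01, tau=0.01))
    print(admissible_rate_interval(q=0.01, tau=0.1))   # None: h(0.1) ~ 0.47 > 0.23
```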
4.4 Universality of \(\textsf {1CC}\)
By using our \(\textsf {1CC}\)-based bit commitment scheme \(\textsc {bc}^{\textsf {1CC}}\) in the standard construction for obtaining \(\textsf {OT}\) from \(\textsf {BC}\) in the quantum setting [2, 7], we can conclude that \(\textsf {1CC}\) implies \(\textsf {OT}\) in the quantum setting, and since \(\textsf {OT}\) is universal we thus immediately obtain the universality of \(\textsf {1CC}\). However, strictly speaking, this does not solve the open problem of [9] yet. The caveat is that [9] asks about the universality of \(\textsf {1CC}\) in the UC security model [20], in other words, whether \(\textsf {1CC}\) is “universally-composable universal”. So, to truly solve the open problem of [9] we still need to argue UC security of the resulting \(\textsf {OT}\) scheme, for instance by arguing that our scheme \(\textsc {bc}^{\textsf {1CC}}\) is UC secure.
UC-security of \(\textsc {bc}^{\textsf {1CC}}\) against malicious Alice follows immediately from our binding criterion (Definition 5); after the commit phase, Alice is bound to a bit that can be extracted in a black-box way from the classical information held by Bob and the \(\textsf {1CC}\) functionality. Thus, a simulator can extract that bit from malicious Alice and input it into the ideal commitment functionality, and since Alice is bound to this bit, this ideal-world attack is indistinguishable from the real-world attack.
However, it is not clear if \(\textsc {bc}^{\textsf {1CC}}\) is UC-secure against malicious Bob. The problem is that it is unclear whether it is universally equivocable, which is a stronger notion than the standard hiding property (Definition 4).
Nevertheless, we can still obtain a UC-secure \(\textsf {OT}\) scheme in the \(\textsf {1CC}\)-hybrid model, and so solve the open problem of [9]. For that, we slightly modify the standard \(\textsf {BC}\)-based \(\textsf {OT}\) scheme [2, 7] with \(\textsf {BC}\) instantiated by \(\textsc {bc}^{\textsf {1CC}}\) as follows: for every BB84 qubit that the receiver is meant to measure, he commits to the basis using \(\textsc {bc}^{\textsf {1CC}}\), but he uses the \(\textsf {1CC}\) functionality directly to “commit” to the measurement outcome, i.e., he inputs the measurement outcome into \(\textsf {1CC}\) — and if the sender asks \(\textsf {1CC}\) to reveal it, the receiver also unveils the accompanying basis by opening the corresponding commitment.
Definition 5 ensures universal extractability of the committed bases and thus of the receiver’s input. This implies UC-security against a dishonest receiver. In order to argue UC-security against a dishonest sender, we consider a simulator that acts like the honest receiver, i.e., chooses random bases and commits to them, but only measures those positions that the sender wants to see — because the simulator controls the \(\textsf {1CC}\) functionality he can do that. Then, once he has learned the sender’s choices for the bases, he can measure all (remaining) qubits in the correct basis, and thus reconstruct both messages and send them to the ideal \(\textsf {OT}\) functionality. The full details of the proof are in Appendix B.
5 Application 2: On the Security of the BCJL Commitment Scheme
In this section, we show that for a wide class of bit-commitment schemes, the binding property of the scheme in (a slightly strengthened version of) the bounded-quantum-storage model reduces to its binding property against a dishonest committer that has no quantum memory at all. We then demonstrate the usefulness of this on the example of the BCJL commitment scheme [6].
5.1 Setting up the Stage
The class of schemes to which our reduction applies consists of the schemes that are non-interactive: all communication goes from Alice, the committer, to Bob, the verifier. Furthermore, we require that Bob’s verification be “projective” in the following sense.
Definition 6
We say that a bit-commitment scheme is non-interactive and with projective verification if it is of the following form.

Commit: Alice sends a classical message x and a quantum register B to Bob.

Opening to b: Alice sends a classical opening \(y_b\) to Bob, and Bob applies a binary-outcome projective measurement \(\{\mathbb V_{x,y_b}, \mathbb {I} - \mathbb V_{x,y_b}\}\) to register B.
Since x is fixed after the commit phase, we tend to leave the dependence of \(\mathbb V_{x,y_b}\) on x implicit and write \(\mathbb V_{y_b}\) instead. Also, to keep language simple, we will just speak of a non-interactive bit-commitment scheme and drop the projective verification part in the terminology.
We consider the security — more precisely: the binding property — of such bit-commitment schemes in a slightly strengthened version of the bounded-quantum-storage model [8], where we bound the quantum memory of Alice, but we also restrict her measurement (for producing \(y_b\) in the opening phase) to be projective. This restriction on Alice’s measurement is well justified since a general non-projective measurement requires additional quantum storage in the form of an ancilla to be performed coherently. From a technical perspective, this restriction (as well as the restriction on Bob’s verification) is a by-product of our proof technique, which requires the measurement operator describing the (joint) opening procedure to be repeatable; avoiding it is an open question.^{3}
Formally, we capture the binding property as follows in this variation of the bounded-quantum-storage model.
Definition 7
On the Binding Criterion for Non-interactive Commitment Schemes.
Binding criteria analogous to the one specified in Definition 7 have traditionally been weak notions of security against dishonest committers for quantum commitment schemes, as opposed to criteria that are more in the spirit of a bit that cannot be opened by the adversary. While more convenient for proving security of commitment schemes, a notable flaw of the \(p_0+p_1\le 1+\epsilon \) definition is that it does not rule out the following situation. An adversary might, by some complex measurement, either completely ruin its capacity to open the commitment, or be able to open the bit of its choice. Then the total probabilities of opening 0 and 1 sum to 1, but, conditioned on the second outcome of this measurement, they sum to 2. This is obviously an undesirable property of a quantum bit-commitment scheme.
Non-interactive schemes that are secure according to Definition 7 are binding in a stronger sense. For instance, the above problem of the \(p_0+p_1\le 1+\epsilon \) definition does not arise for non-interactive schemes. If a scheme is \(\epsilon \)-binding, then any state \(\rho \) obtained by conditioning on some measurement outcome must satisfy \(P^A_0(\rho )+P_1^A(\rho )\le 1+\epsilon \). If the total probability of opening 0 and 1 were any higher, then the adversary could have prepared the state \(\rho \) in the first place, contradicting the fact that the protocol is \(\epsilon \)-binding. It remains an open question how to accurately describe the security of non-interactive commitment schemes that satisfy Definition 7.
5.2 The General Reduction
We want to reduce security against a q-QMB projective adversary to security against a non-adaptive adversary (which should be much easier to show) by applying our general adaptive-to-non-adaptive reduction. However, Corollary 1 does not apply directly; we need an additional gadget, in the form of the following lemma. It establishes that if there is a commit strategy for Alice such that the cumulative probability of opening 0 and 1 exceeds 1 by a non-negligible amount, then there is also a commit strategy for her that lets her open 0 with certainty and 1 with still non-negligible probability.
Lemma 4
Let \(\rho \in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) and \(\epsilon > 0\) be such that \(P_0^A(\rho )+P_1^A(\rho ) \ge 1+\epsilon \). Then, there exists \(\rho ^0\in \mathcal D(\mathcal {H}_A\otimes \mathcal {H}_B)\) such that \(P_0^A(\rho ^0)=1\) and \(P_1^A(\rho ^0)\ge \epsilon ^2\).
Proof
Now, we are ready to state and prove the general reduction.
Theorem 5
If a non-interactive bit-commitment scheme is \(\epsilon \)-binding against non-adaptive adversaries, then it is \(2^{\frac{1}{2}q}\sqrt{\epsilon }\)-binding against q-QMB projective adversaries.
Proof
5.3 Special Case: The BCJL Bit-Commitment Scheme
In this subsection, we use the results of the previous section to prove the security of the bcjl scheme in the bounded storage model against projective measurement attacks.
The bcjl bit-commitment scheme was proposed in 1993 by Brassard et al. [6]. They proposed to hide the committed bit using a two-universal family of hash functions applied to the codeword of an error-correcting code, and then to send this codeword through BB84 qubits. The idea behind this protocol is that privacy amplification hides the committed bit, while the error-correcting code makes it hard to change the value of this bit without being detected. While their intuition was correct, their proof ultimately was not, as shown by Mayers’ impossibility result for bit commitment [18].
Theorem 6
bcjl is statistically hiding as long as \(0.22 - (1-k/n) \in \varOmega (1)\).
The proof of Theorem 6 is straightforward. It follows the same approach as that of Theorem 3, by noticing that Bob has the same uncertainty about each \(x_i\) as he had about \(\theta _i\) in protocol commit\(^\textsf {1CC}\).
Lemma 5
Let \(\delta >0\). If bcjl\(_\delta \) is \(\epsilon \)-binding, then bcjl is \((\epsilon +2\cdot 2^{-\delta n})\)-binding.
Proof
The following proposition establishes the security of bcjl\(_\delta \) in the non-adaptive setting. Its proof is straightforward and can be found in Appendix A.
Proposition 4
bcjl\(_\delta \) is \(2^{-d/2+\delta n +h(\delta )n}\)-binding against non-adaptive adversaries.
Since the bit-commitment scheme bcjl\(_\delta \) is non-interactive, it directly follows from Theorem 5 and Proposition 4 that bcjl\(_\delta \) is \(2^{\frac{1}{2}(q-d/2 +\delta n + h(\delta )n)}\)-binding against q-QMB projective adversaries. Combining the above with Lemma 5, we have the following statement for the bcjl scheme.
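To make explicit how the two bounds combine (an added derivation in the paper's own symbols, not part of the original text): Proposition 4 gives \(\epsilon = 2^{-d/2+\delta n+h(\delta)n}\) in the non-adaptive case, and Theorem 5 turns an \(\epsilon\)-binding non-interactive scheme into a \(2^{\frac{1}{2}q}\sqrt{\epsilon}\)-binding one against q-QMB projective adversaries, so

\[
2^{\frac{1}{2}q}\sqrt{\epsilon}
= 2^{\frac{1}{2}q}\cdot 2^{\frac{1}{2}\left(-d/2+\delta n+h(\delta)n\right)}
= 2^{\frac{1}{2}\left(q-d/2+\delta n+h(\delta)n\right)} .
\]

Lemma 5 then adds the term \(2\cdot 2^{-\delta n}\) for passing from bcjl\(_\delta\) to bcjl. The first term is exponentially small in \(n\) exactly when \(d/2 - q - \delta n - h(\delta)n \in \varOmega(n)\), so the adversary's memory bound \(q\) trades off directly against the minimum distance \(d\) of the code.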
Theorem 7
The bcjl bit-commitment scheme is \((2^{\frac{1}{2}(q-d/2 +\delta n + h(\delta )n)}+2\cdot 2^{-\delta n})\)-binding against q-QMB projective adversaries.
Footnotes
1. Beyond bounding the adversary’s quantum memory, we also restrict its measurements to be projective; this can be justified by the fact that to actually implement a non-projective measurement, additional quantum memory is needed.
2. We have already shown above how to argue for the standard attack [18] against quantum bit-commitment schemes; taking care of arbitrary attacks is more involved.
3. The standard technique (using Naimark’s dilation theorem) does not work here.
Acknowledgments
FD acknowledges the support of the Czech Science Foundation (GAČR) project no. GA16-22211S and of the EU FP7 under grant agreement no. 323970 (RAQUEL). LS is supported by Canada’s NSERC discovery grant.
References
1. Bennett, C.H.: Quantum cryptography using any two non-orthogonal states. Phys. Rev. Lett. 68, 3121–3124 (1992)
2. Bennett, C.H., Brassard, G., Crépeau, C., Skubiszewska, M.H.: Practical quantum oblivious transfer. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 351–366. Springer, Heidelberg (1992)
3. Berta, M., Christandl, M., Renner, R.: The quantum reverse Shannon theorem based on one-shot information theory. Commun. Math. Phys. 306(3), 579–615 (2011)
4. Bouman, N.J., Fehr, S.: Sampling in a quantum population, and applications. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 724–741. Springer, Heidelberg (2010)
5. Bouman, N.J., Fehr, S., González-Guillén, C., Schaffner, C.: An all-but-one entropic uncertainty relation, and application to password-based identification. In: Kawano, Y. (ed.) TQC 2012. LNCS, vol. 7582, pp. 29–44. Springer, Heidelberg (2012)
6. Brassard, G., Crépeau, C., Jozsa, R., Langlois, D.: A quantum bit commitment scheme provably unbreakable by both parties. In: Proceedings of the 34th Annual IEEE Symposium on the Foundations of Computer Science, pp. 362–371 (1993)
7. Crépeau, C.: Quantum oblivious transfer. J. Mod. Opt. 41(12), 2445–2454 (1994)
8. Damgård, I., Fehr, S., Salvail, L., Schaffner, C.: Cryptography in the bounded-quantum-storage model. SIAM J. Comput. 37(6), 1865–1890 (2008)
9. Fehr, S., Katz, J., Song, F., Zhou, H.S., Zikas, V.: Feasibility and completeness of cryptographic tasks in the quantum world. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 281–296. Springer, Heidelberg (2013)
10. Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the ACM Symposium on Theory of Computing, STOC 1988, pp. 20–31. ACM, New York (1988)
11. Kilian, J.: A general completeness theorem for two party games. In: Proceedings of the Twenty-Third Annual ACM Symposium on Theory of Computing, STOC 1991, pp. 553–560 (1991)
12. Kilian, J.: More general completeness theorems for secure two-party computation. In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, STOC 2000, pp. 316–324 (2000)
13. König, R., Renner, R., Schaffner, C.: The operational meaning of min- and max-entropy. IEEE Trans. Inf. Theor. 55(9), 4337–4347 (2009)
14. Kraschewski, F.: Complete primitives for information-theoretically secure two-party computation. Ph.D. thesis, Karlsruhe Institute of Technology (2013)
15. Kraschewski, D., Müller-Quade, J.: Completeness theorems with constructive proofs for finite deterministic 2-party functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 364–381. Springer, Heidelberg (2011)
16. Maji, H.K., Prabhakaran, M., Rosulek, M.: A zero-one law for cryptographic complexity with respect to computational UC security. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 595–612. Springer, Heidelberg (2010)
17. Maji, H.K., Prabhakaran, M., Rosulek, M.: A unified characterization of completeness and triviality for secure function evaluation. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 40–59. Springer, Heidelberg (2012)
18. Mayers, D.: Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78, 3414–3417 (1997)
19. Renner, R.S., König, R.: Universally composable privacy amplification against quantum adversaries. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 407–425. Springer, Heidelberg (2005)
20. Unruh, D.: Universally composable quantum multi-party computation. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 486–505. Springer, Heidelberg (2010)