Serial composition of quantum coin-flipping, and bounds on cheat detection for bit-commitment

Although it is impossible for a bit commitment protocol to be both arbitrarily concealing and arbitrarily binding, it is possible for it to be both partially concealing and partially binding. This means that Bob cannot, prior to the beginning of the unveiling phase, find out everything about the bit committed, and Alice cannot, through actions taken after the end of the commitment phase, unveil whatever bit she desires. We determine upper bounds on the degrees of concealment and bindingness that can be achieved simultaneously in any bit commitment protocol, although it is unknown whether these can be saturated. We do, however, determine the maxima of these quantities in a restricted class of bit commitment protocols, namely those wherein all the systems that play a role in the commitment phase are supplied by Alice. We show that these maxima can be achieved using a protocol that requires Alice to prepare a pair of systems in an entangled state, submit one of the pair to Bob at the commitment phase, and the other at the unveiling phase. Finally, we determine the form of the trade-off that exists between the degree of concealment and the degree of bindingness given various assumptions about the purity and dimensionality of the states used in the protocol.

There had been well known claims of unconditionally secure quantum protocols for bit commitment. However, we, and independently Mayers, showed that all proposed quantum bit commitment schemes are, in principle, insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen (EPR) type of attack and delaying her measurements. One might wonder if secure quantum bit commitment protocols exist at all. We answer this question by showing that the same type of attack by Alice will, in principle, break any bit commitment scheme. The cheating strategy generally requires a quantum computer. We emphasize the generality of this ``no-go theorem'': Unconditionally secure bit commitment schemes based on quantum mechanics---fully quantum, classical or quantum but with measurements---are all ruled out by this result. Since bit commitment is a useful primitive for building up more sophisticated protocols such as zero-knowledge proofs, our results cast very serious doubt on the security of quantum cryptography in the so-called ``post-cold-war'' applications. We also show that ideal quantum coin tossing is impossible because of the EPR attack. This no-go theorem for ideal quantum coin tossing may help to shed some lights on the possibility of non-ideal protocols.

We define cheat sensitive cryptographic protocols between mistrustful parties as protocols which guarantee that, if either cheats, the other has some nonzero probability of detecting the cheating. We give an example of an unconditionally secure cheat sensitive non-relativistic bit commitment protocol which uses quantum information to implement a task which is classically impossible; we also describe a simple relativistic protocol.