Semi-Counterfactual Quantum Bit Commitment Protocol

A semi-counterfactual quantum bit commitment (SCQBC) protocol is presented here for the first time, which makes use of counterfactual property. Similar to a counterfactual quantum key distribution scheme, half-photons are not transmitted through the quantum channel in our proposed protocol. In the SCQBC protocol, Bob, the verification party of the quantum bit commitment (QBC), sends the states while Alice, the commitment party, receives. Since Alice cannot receive all the states and entangle the commit bits with the verifier’s registers, it is not subject to Mayers’ and Lo-Chau’s no-go theorem. In addition, a general bit commitment framework can be extracted from the SCQBC scheme, which opens up a new class of cryptographic protocols in counterfactual cryptography.

The bit commitment (BC) scheme is a basic primitive of modern cryptography. The BC concept was first proposed by Blum 1 , and it plays a crucial role in constructions of multi-party secure computation, such as zero-knowledge proof schemes and verified secret shared schemes.
The BC scheme includes two phases, namely, the commit phase and unveil phase. In the commit phase, the commitment party Alice chooses a commit bit x and provides a piece of evidence to the verifier Bob. In the unveil phase, Alice unveils the value of x and Bob checks it. A BC scheme has the following properties. (i) Correctness. If Alice and Bob execute the scheme honestly, Bob obtains the correct commit bit x in the unveil phase. (ii) Concealing. Bob cannot know the commit bit x before the unveil phase. (iii) Binding. Alice cannot change the commit bit after the commit phase. A BC scheme is unconditionally secure if there is no computational assumption on the attacker's ability and it satisfies both properties of concealing and binding.
There is at present no classical BC protocol that achieves unconditional security in both concealing and binding. With the development of quantum cryptography, many researchers attempted to construct unconditionally secure QBC. The first QBC scheme was proposed in 2 but the binding security of the scheme can be attacked by sending entangled states. In 1993, a BCJL scheme was presented 3 and it was believed provably secure over a period of time until a cheating strategy was put forward by Mayers 4 . Later, Mayers, Lo, and Chau separately presented the no-go theorem and proved that the unconditional secure QBC protocol is impossible [5][6][7] . Subsequently, a series of studies on extending the framework of the no-go theorem and further proof of the impossibility of QBC has been presented [8][9][10][11][12][13] . Since no-go theorem was presented, most of QBC protocols cannot realize the unconditional security anymore, especially the binding security.
The later researches focus on exploring QBC with practical security and constructing the QBC protocols evading the no-go theorem type attack. In no-go theorem, Alice prepares a series of entangled states, sends half to Bob and keeps the other half not measured in the commitment phase. In the unveil phase, Alice can apply a local unitary transformation on the remaining half qubits to rotate her commitment. It can be seen that the requirement of the no-go theorem type attack is hardly realized in practice. There are several QBC protocols proposed under the physical hypothesis, such as the bounded-quantum-storage model 14,15 , noisy-storage model [16][17][18] , technological limitations on non-demolition measurements 19 and relativistic QBC protocols 20- 22 . In addition, since the algorithm needs at least O(2 2n ) size of memory space to store the matrix of the unitary transformation 23 , where n is the security parameter of the QBC, Song and Yang 24 constructed a practical QBC protocol with physical security. On the other hand, although the correctness of the no-go theorem is not doubted, the framework of the theorem may not cover all the types of QBC protocols 25 . People try to construct QBC protocols to resist the attack presented by the no-go theorem 26-30 . We are inspired by counterfactual quantum cryptography 31 and try to construct a QBC protocol immune to no-go theorem type attack based on the counterfactual property. The counterfactual quantum key distribution Figure 1. Architecture of N09 and SCQBC protocols. The setup is a modification based on a Michelson-type interferometer. The single-photon source S emits an optical pulse containing only one photon. The pulse is then transmitted through the optical circulator C and split into two pulses by the beam splitter BS. The two light paths a and b are the arms of the Michelson-type interferometer, and the length of the path a is adjusted by an optical delay OD. The pulse transmitted through path a is reflected by the Faraday mirror FM 0 and back to the BS. The pulse transmitted through path b travels to Bob's site. If the pulse is horizontally polarized, it passes through the polarizing beam splitter PBS, or it is reflected by PBS and passes through the optical loop OL. The arrival time to the optical switch SW of the different polarized pulses is different. Only when the SW is controlled in the correct time will the pulse reach the detector D 2 . Otherwise, the pulse will be reflected by FM 1 and return to Alice's site. The back-pulse from path b and the pulse from path a are combined at the BS and interfered to lead the detector D 0 to click. as Bob's, she controls the SW at the suitable time. In this case, the interference is destroyed and there are three occasions for the single photon. (i) Detector D 0 clicks. The photon travels via path a and then is reflected by the BS to the detector D 0 . (ii) Detector D 1 clicks. The photon travels via path a and then passes through the BS to the detector D 1 . (iii) Detector D 2 clicks. The photon travels via path b and is controlled by the SW to the detector D 2 .
In N09 protocol, when the detector D 0 or D 2 clicks, Alice and Bob announce the detected and initial polarization states. When the detector D 1 clicks, Alice compares the detected polarization with the initial polarization: if they are inconsistent, she announces the detection; otherwise, she keeps secret. Only the clicks of D 1 are the generation of the secret keys, in which situation the information carriers are only transmitted in Bob's site rather than the quantum channel. We find that if Alice and Bob keep their measurement results secret, the information obtained by them is not asymmetric. Inspired by the counterfactual property, we proposed a SCQBC protocol. Then tease out the relationship between the two parties' bits and the response of the detectors: (i) D 0 clicks. Whether the bits chosen by Alice and Bob are consistent or not, the event that the detector D 0 clicks can happen. Although Bob knows the detection, he never knows Alice's bit. (ii) D 1 clicks. Only when the chosen bits are inconsistent, it is possible that D 1 clicks. In this case, Bob knows Alice's bit but the information carrier is never transmitted through the quantum channel, which is counterfactual. (iii) D 2 clicks. Only when the chosen bits are inconsistent, it is possible that D 2 clicks. Ideally, S is a single-photon source and there is only one photon in the system. If Bob's detectors do not click, he knows D 2 clicks and what Alice's bit is. In addition, Alice also knows Bob's bit. A secure QBC protocol needs to be both concealing and binding. The events that D 0 clicks can guarantee the concealing, in which Bob cannot know Alice's bits. The events that D 1 or D 2 clicks can be the evidence of the commitment and guarantee the binding, in which Bob knows Alice's bit exactly and Alice's change of these bits can be easily detected.
Before the SCQBC protocol, there are three time parameters to be determined, as follows: Δt 0 , the time that a photon spends from the source S through the polarizing beam splitter PBS to the optical switch SW, where the optical path of the photon is S → C → BS → PBS → SW → D 2 ; Δt 1 : the time that a photon spends from the source S through the optical loop OL to the optical switch SW, where the optical path is S → C → BS → OL → SW → D 2 ; Δt 2 , the time that a photon spends from the source S, reflected by FM 1 to Bob's site again, where the optical path is S → C → BS → PBS(OL) → FM 1 → OL(PBS) → BS → D 1 (D 0 ). Note that Δt 2 is also the time that a photon spends from the source S, reflected by FM 0 to Bob's detectors, where the optical path is S → C → BS → FM 0 → BS → D 1 (D 0 ). Alice and Bob perform tests to measure the time parameters by sending and detecting some quantum states. To be specific, Bob sends a series of states |H〉 or |V〉 to Alice and tells her what the states are before sending. Then, Alice tries to control the optical switch SW in proper time to make detector D 0 , D 1 , D 2 click, respectively. Through this test, three time parameters can be measured.

Protocol 1 Semi-counterfactual quantum bit commitment. Commit phase.
1. Alice and Bob set up devices according to Fig. 1, where the beam splitter BS is a standard half-transparent and half-reflecting mirror. They share four security parameters m, n, k and N.

Alice generates m bit strings randomly and uniformly with the length of N. Each sequence is represented as
3. Bob generates m bit strings randomly and uniformly with the length of N. Each sequence is represented as

For each sequence of states, Alice verifies whether the detection of D 2 is approximately N/4. If the proportion is incongruent, she believes that Bob cheated and she aborts. For each sequence of states, Bob selects k bits to be verified, then asks Alice to publish the corresponding values of a j
i ( ) and the response of the detector D 2 . 7. Alice chooses a random bit x ∈ {0, 1} as her committed bit. Then she selects n bits from the N − k bits except the verified bits, which satisfies Unveil phase.

correctness. The commit bit
. It is oblivious that when both two parities execute the SCQBC honestly, all of the devices used are ideal and perfect, Bob can obtain the correct commit bit.
In a secure BC protocol, Alice chooses a commit bit x and gives a piece of evidence to Bob. The key point is that Bob cannot recover the commit bit by the evidence and Alice cannot change the commit bit without detection due to the limitation of the evidence. For SCQBC protocol, the evidence is the data detected by D 1 and D 2 , in which situation that Bob knows exactly that . When the detector D 1 clicks, the particle generated by Bob is not transmitted through the quantum channel but carries the information of , which satisfies the counterfactual property. When the detector D 2 clicks, the particle generated by Bob is transmitted through the quantum channel to Alice's side with the information of , which is a factual phenomenon. Above all, some particles carrying evidence information are transmitted in the channel while others are not. It is the reason why Protocol 1 is defined as the semi-counterfactual quantum bit commitment rather than counterfactual protocol.

Security analysis
Basic ideas. A bit comparison function with two participants can be realized by the counterfactual setup. In the bit-comparison function module, Alice and Bob first randomly choose a bit, respectively, then compare the values though sending and detecting the photons using the setup in Fig. 1. There are three results of comparison: (i) Both participants can confirm the bit chosen by each other, and he (she) also knows that the other one have confirmed his (her) bit; (ii) Bob confirms Alice's bit while Alice knows nothing; (iii) they both know nothing. Suppose there are two critical parameters p and q, where p is the ratio that Bob confirms the value of Alice's bit among n bits, q is the ratio that Alice knows that Bob confirms her bit. Then the parameters satisfy 0 ≤ q < p < 1 may achieve a secure BC protocol. The specific explanation is as follows.
In the BC protocol, Bob should have a piece of evidence to detect whether Alice cheats. p > 0 guarantees the information content of the evidence not to be zero. Since concealing security requires that Bob cannot obtain the committed bit before the unveil phase, Bob should not know all of Alice's bits correctly, i.e., p < 1. Then, 0 < p < 1, and a BC protocol can satisfy the concealing security by choosing appropriate security parameter n. If Alice cheats and tries to alter one bit in the unveil phase, her best choice is to select a bit that she cannot distinguish whether Bob confirms rather than the bit in the first kind. For each sequence, there are approximately (1 − p)n qubits that Bob cannot judge. If p = q, Alice can accurately alter the bit in part that Bob really does not know without detection. If q < p, the range of bits that can be altered by Alice is larger than that Bob cannot distinguish, and her attack may be caught. Therefore, q < p is the necessary condition of the binding security.
In the SCQBC protocol, parameters p and q depends on the response of the detectors. The concrete analysis is as follows. Bob sends single-photon states |H〉 and |V〉 representing the bit value "0" and "1. " After transferring through the beam splitter BS, the initial states become where a and b represent the mode towards Bob's Faraday mirror FM 0 and the mode towards Bob's site, respectively, seen in Fig. 1. t and r are the transmissivity and reflectivity of the BS, respectively. Both φ 0 and φ 0 can be denoted a Fock , the state φ collapses to one of the two states, , due to Alice's measurement with probability t and r, respectively. The state | | 1 0 a b goes past the BS again and becomes + t i r 0 1 1 0 , where the subscripts 0 and 1 represent the path containing D 0 and D 1 , respectively. Therefore, the total probability that D 0 detects the photon is r 2 and the probability that D 1 detects the photon is rt.
, one of the paths introduces the π phase and the initial state becomes   Table 1. When the detector D 1 or D 2 clicks (detector D 0 does not click), Bob confirms that Alice's bit is the same as his. It can be seen that When D 0 clicks, it can be seen that Then, the probability that Bob guesses Alice's bit a j i ( ) correctly is When the detector D 2 clicks, Alice confirms Bob has obtained her bit. Therefore, Binding security. If Alice tries to attack the binding of the BC framework, her general strategy is to alter odd bits for each sequence in the unveil phase. For each sequence which is in connection with the commitment x, she can distinguish that there are approximately qn bits confirmed by Bob. Alice's optimal strategy is to alter one bit in the range of the other (1 − q)n bits. Among the (1 − q)n bits, only (1 − p)n bits are not known by Bob. Therefore, the probability that Alice alters one bit without detection in one sequence is For an m-sequence BC protocol, one of the cheating strategies for Alice is to commit "0" with the number of m/2 while committing "1" with the number of m/2 in the commit phase, and changing half of the sequences in the unveil phase. Then, the probability of Alice changing the committed bit without detection is p(Aatler) m/2 . Since p(Aatler) < 1, p(Aatler) m/2 can be exponentially small and the protocol can satisfy the binding security by choosing appropriate security parameter m.
Concealing security. In the bit-comparison function module, there is a percentage p that Bob confirms the values of Alice's bits. For those bits he cannot confirm, he may just guess. Then, he has a larger probability p′ > p to guess the value correctly. For a sequence of qubits, Bob makes sure the commitment value has a probability of p′ n . Given m qubit strings, the probability that Bob has no idea about the commitment value is (1 − p′ n ) m . Defining ε as the probability that Bob ascertains the commitment value, If Bob does not confirm the commitment value from the protocol, he just guesses with a probability 1/2. Therefore, the probability that Bob obtains the right commitment value is Then, the advantage of Bob breaking the concealing security is According to Binomial Theorem, m i Since 0 < p′ < 1 and the parameters m and n are usually larger than 100, p′ n is exponentially small, then the higher order terms of p′ n is going to be negative. Therefore, − ′ can be exponentially small and the protocol can satisfy the concealing security by choosing appropriate security parameters m and n.

Security of ScQBc against general attacks
In this subsection, we analyze the possible attacks for the protocol. A cheating Alice tries to change the committed bit in the unveil phase without being discovered, while a cheating Bob tries to learn more information of the committed bit during the commit phase. The schematic of SCQBC is relatively simple and there exist only a few attacks.
Concealing against Bob's cheating strategies. In SCQBC, the operations of Bob is sending and detecting the photons. Bob controls the emission device of SCQBC. If he wants to cheat and obtain more information about the committed bit, his strategy is either changing an optimal device or sending the illegal states.
Illegal-state attack. If Bob sends illegal single-photon states with different polarizations, such as |+〉 or |−〉, it just influences the photons transmitted or reflected by PBS. Moreover, it can never make Bob learn more information, which is an ineffective attack.
Bob may attack by sending illegal multi-photon states. When multiple photons are transferred in the scheme, the number of photons detected by D 2 will be larger than n/4. In Step 6 of SCQBC, Alice verifies the detection of D 2 and this attack can be discovered by the check.
For another illegal-state attack, Bob can prepare entangled states and send one of the particles to Alice. In general, sending entangled states leads the sender to obtain more information about the measurement of the receiver in other QBC protocols. However, the data are encoded with orthogonal single-photon states in our SCQBC protocol. Sending entangled states cannot make Bob obtain more information than single-photon states. However, the measurement is just single-photon detection without choosing the basis. Bob, however, can easily distinguish whether Alice detects the photon because he sends single-photon states and the state is either detected by him or by Alice. There is no secret measurement basis or secret measurement results that must be stolen by entanglement. Therefore, preparing entangled states is a superfluous cheating strategy and there is no advantage for Bob.
Optimal-device attack. It can be seen from Eq. 11 that the advantage of a cheating Bob is influenced by the parameter p′. According to Eq. 6, the parameter p′ is determined by the reflectivity of the beam splitter BS. A cheating Bob may not be using a standard half-transparent and half-reflecting mirror in the protocol. Assuming that the transmissivity of the illegal BS is t′, then clicks of D 2 are approximately t′/2. Different beam splitters lead different clicks of D 2 . This attack can also be detected by the check in Step 6 of SCQBC.
There is a particular optimal-device attack for Bob. That is, he replaces the standard half-transparent and half-reflecting mirror with n′ BS, as seen in Fig. 2, where the architecture was fist proposed to increase the efficiency of counterfactual QKD in ref. 32 . Clearly, the probability that D 2 clicks is ′ t n . In order to make the attack unfound by Alice, the transmissivity of each BS of Bob is taken as = − ′ t 2 n 1/ . In this attack, if Alice chooses a different bit from that of Bob's, i.e.
, so that she reflects the photon back, it will make the detector D 0 click with certainty. On the other hand, when • The photon is detected by the detector D 0 , which occurs with probability P 0 = rr + trrt + ttrrtt + … + (r 2 ) [t 2(n′-1) ], where r = 1 − t is the reflectivity of each BS.
• The photon is detected by any of the D 1 detectors. The total probability is = − − P P P 1 www.nature.com/scientificreports www.nature.com/scientificreports/ Since Alice has the equal probability 1/2 to choose either the same bit or a different bit, then D 0 clicks with probability . Therefore, Bob can always pass the security in step 6 of the protocol.
In this attack, Bob assumes . We can find that the error rate that Bob makes a wrong guess on Alice's bit is The relation of the error rate and the number of the BS is shown in Fig. 3. In theory, for a finite N value chosen in SCQBC protocol, Bob can find a sufficiently high yet finite value of n′, so that err ≪ 1/N. That is, with the above strategy he can learn all the N bits that Alice chosen in step 2 with less than 1 bit of error in average. Then Bob can eventually learn Alice's committed bit with a non-trivial probability. However, the attack is limited by two techniques and there exist the strategies against the attack in corresponding of the two limitations.
• The manufacturing technique of the beam splitter. In the attack, the accuracy requirement of the transmissivity of each BS is very high, which is = − ′ t 2 n 1/ . Even though the accuracy meets the requirement of the attack, there is a physical extremes of the transmissivity, which leads a finite n′ actually. Give the upper limit of the transmissivity and n′, there exists a finite value N to guarantee the concealing of SCQBC protocol.
• The technique of controlling the length of the arms in multiple interferometers. In the preparation of SCQBC, Bob and Alice should adjust the optical path a and b to make the equipment as an interferometer when . But in the attack, Bob needs to adjust the optical path a 1 and b 1 , a 2 and b 2 ,…, a n′ and b n′ , respectively. As long as setting a certain number of photons in the adjustment process, Bob can hardly use a few photons to adjust n′ arms and not be detected by Alice.
Alice's cheating strategies. All of the cheating strategies can be divided into two categories, i.e. entangled attack and non-entangled attack. For Alice with no ability of entanglement, she is the receiver in SCQBC protocol and there are few available attacks. Because Alice cannot change the initial states, she can only employ a new set of measuring equipment or cheat by returning the illegal states, i.e., intercept attack and intercept/resend attack. However, these two attacks always lead to different click ratios of Bob's detectors and can be discovered by Bob. www.nature.com/scientificreports www.nature.com/scientificreports/ The second is a cheating Alice with the ability of entanglement. The most general and famous attack is the no-go theorem attack. However, Alice has neither enough particles nor information to perform this attack. The specific analysis follows.
Intercept attack. For the states transferred to Alice in the legal SCQBC protocol, some are detected by Alice while others are reflected by FM 1 to Bob. A cheating Alice who performs an intercept attack can choose to detect all the states and reflect none to Bob; that is, she controls the optical switch SW both at the times Then, once the initial states are transmitted through the beam splitter BS, the detector D 2 clicks and the probability of that is t = 1/2. When the detector D 2 clicks, Alice knows that Bob confirms her bit with q = t = 1/2. According to Eq. 8, a larger q makes Alice a higher probability of attack. However, since the photons are either detected by Alice or Bob, Bob can easily discover the different detection ratios and discover the cheating Alice. Therefore, Alice should select only a few of the photons to intercept.
Assuming Alice selects n 0 bits to intercept, for these n 0 photons she controls the optical switch SW both at the times Then, the number of photons detected by D 2 is tn 0 , the number of photons detected by D 0 is r 2 n 0 , and the number of photons detected by D 1 is rtn 0 . For other n − n 0 photons, Alice randomly controls SW according to her bit. Assume . The detection probability of each detector for these n − n 0 states is shown in Table 1 and the clicks of the three detectors are listed in Table 2.
Therefore, the total clicks for detectors D 0 , D 1 , and D 2 are When Alice does not intercept, the probability of altering one bit without detection is p(Aalter) = 5/6. Since 0 < p′(Aalter) < 1 and n 0 > 0, it can be seen that ′ < < . A cheating Alice implementing an intercept attack has a larger probability of being detected by Bob than altered-straightway Alice. Then, this is not an effective attack.
Intercept/resend attack. When Alice performs an intercept attack, the numerator and denominator of p′(Aalter) are both decreased, and the decrease of the numerator is larger than that of the denominator. Then, it makes the successful attack probability even less than no interception and it is not an effective attack. Next, we analyze another similar attack, i.e., an intercept/resend attack. Alice controls the optical switch SW both at the times When she detects each photon, she immediately sends another photon with the same polarization back to Bob's site. This strategy can increase the clicks of detector D 0 , which may make Alice a larger probability of executing a successful attack. However, if Alice intercepts and resends all of the photons transmitted through the beam splitter BS, the numbers of photons detected by D 0 and D 1 are the same, which is different from the original ratio, and is detected by Bob. Therefore, Alice should select only a few photons and resend them back.
Assuming that Alice selects ′ n 0 bits to intercept and resend, for these ′ n 0 photons she controls the optical switch SW both at the times + Δ t t j i ( ) 0 and + Δ t t j i ( ) 1 . Then, she resends the ′ tn 0 states back to Bob. The number of photons detected by D 2 is ′ tn 0 , the number of photons detected by D 0 is ′ + ′ r n t n 2 0 2 0 , and the number of photons detected by D 1 is ′ rtn 2 0 . For other − ′ n n 0 photons, she randomly controls SW according to her bit. Assume . The detection probability of each detector for these − ′ n n 0 states is shown in Table 1 and the clicks of the three detectors are listed in Table 3.
Therefore, the total clicks for detectors D 0 , D 1 , and D 2 are  Since Alice resends ′ n 0 photons, the total clicks are β β α bits, there are ′ n /2 0 bits intercepted and resent by Alice. The indexes of intercepted bits are the same as those of resent bits. According to Table 1, the bits that Alice knows that Bob confirms are exactly those detected by D 2 . For the intercepted ′ n /2 0 bits, since the same indexes of states are resent back to Bob, Alice has no idea whether Bob confirms. For the resent ′ n /2 0 bits, Alice cannot know whether Bob confirms either for the same reason. For the legal − ′ n n 0 bits, only − ′ t n n ( )/2 0 bits are detected by D 2 and Alice knows Bob confirms. Therefore, when she alters one bit of a sequence, the altering range is also + ′ − − ′ n n tn n /2 ( ) /2 0 0 . Only N ( 1 ) = bits are not confirmed by Bob, and Alice changing these bits would not be detected. Therefore, the probability that Alice alters one bit without detection by this attack is It can be seen that p″(Aalter) < p(Aalter). The intercept/resend attack makes Alice being detected by Bob a larger probability, and it is not an effective attack either.
Reflection attack. There is another special intercept/resend attack, denoted as reflection attack. In this attack, Alice does not choose her bit in the commit phase for each bit. When Alice does nothing with the switch SW, the setup constitutes a Michelson interferometer and D 0 clicks. In this case, Bob has no idea about Alice's bit. Then Alice can lie about her value, while Bob has zero probability to detect it. However, the verification in Step 6 makes this attack fail. The security analysis of the attack is as follows.
For each N-bit string a (i) , Alice follows the protocol honestly for (N − l) bits, except for l bits. l is a tiny percentage of N, usually is one or several bits. Otherwise, the cheating will make the incorrect clicks of the detector D 0 . If all of l bits are chosen to be the verified bits, the reflection attack does not work. The probability that Alice alters one bit without detection in one sequence is If there are at least one bit in the remain N − k bits, Alice's reflection attack cannot be detected, the probability of which is Then, when Alice applies the reflection attack in one sequence, the probability of the successful cheating is The probability of Alice changing the committed bit without detection is p(Ref) m/2 . It can be seen that a larger k leads a more secure protocol. Although 5/6 < Pr(RA) and the reflection attack is more efficient than changing the bit directly, it satisfies Pr(RA) < 1, the protocol can satisfy the binding security by choosing a larger security parameter m to make p(Ref) m/2 be exponentially small.
No-go-theorem attack. The framework of the no-go theorem is described as follows 6 .

Alice chooses the committed bit ∈
x {0,1} and she prepares the state