Security bound of cheat sensitive quantum bit commitment

Cheat sensitive quantum bit commitment (CSQBC) loosens the security requirement of quantum bit commitment (QBC), so that the existing impossibility proofs of unconditionally secure QBC can be evaded. But here we analyze the common features in all existing CSQBC protocols, and show that in any CSQBC having these features, the receiver can always learn a non-trivial amount of information on the sender's committed bit before it is unveiled, while his cheating can pass the security check with a probability not less than 50%. The sender's cheating is also studied. The optimal CSQBC protocols that can minimize the sum of the cheating probabilities of both parties are found to be trivial, as they are practically useless. We also discuss the possibility of building a fair protocol in which both parties can cheat with equal probabilities.

Quantum bit commitment (QBC) is a two-party cryptography including the following phases. In the commit phase, Alice (the sender of the commitment) decides the value of the bit b (b = 0 or 1) that she wants to commit, and sends Bob (the receiver of the commitment) a piece of evidence, e.g., some quantum states. Later, in the unveil phase, Alice announces the value of b, and Bob checks it with the evidence. The interval between the commit and unveil phases is sometimes called the holding phase. A QBC protocol is called unconditionally secure if any cheating can be detected with a probability arbitrarily close to 1. Here Alice's cheating means that she wants to change the value of b after the commit phase, while Bob's cheating means that he tries to learn b before the unveil phase.
QBC is an essential primitive for building quantum multi-party secure computations and other "post-cold-war era" multi-party cryptographic protocols [1,2]. Unfortunately, it is widely believed that unconditionally secure QBC is impossible [3,4]. This result, known as the Mayers-Lo-Chau (MLC) no-go theorem, was considered as putting a serious drawback on quantum cryptography.
To evade the problem, the concept "cheat sensitive quantum bit commitment (CSQBC)" was proposed [5-10], where the probability for detecting the cheating does not need to be arbitrarily close to 1. Instead, it merely requires the probability to be nonzero. With this loosened security requirement, many insecure QBC protocols can be regarded as secure CSQBC. Therefore, at first glance it seems that CSQBC will be very easy to achieve.
But intriguingly, here we will show that there still exists a boundary for the security of a typical class of CSQBC. In particular, Bob can always feel free to measure the quantum states to learn b, while he stands at least a 50% chance of escaping Alice's detection.

Results
Common features of CSQBC. By checking the existing CSQBC protocols [5-10], we find that they all share the following common features (note that the names Alice and Bob are used reversely in Refs. 7,9,10):
(1) During the holding phase, the receiver Bob owns a quantum system Y encoding Alice's committed bit b. (Y can either be prepared by the sender Alice, or be prepared by Bob and sent to Alice, who returns it to Bob after performing certain operations according to her choice of b. It also does not matter whether Alice prepared and kept another quantum system entangled with Y.)
(2) Bob knows the definitions of $\rho^B_0$ and $\rho^B_1$ directly before the end of the commit phase. (That is, these definitions are either clearly stated by the protocol, or announced to Bob by Alice classically. Bob does not need to perform operations on any quantum system to gain knowledge of these definitions.) Here $\rho^B_0$ and $\rho^B_1$ are the density matrices of Bob's Y corresponding to b = 0 and b = 1, respectively.
(3) To detect Bob's cheating, at the unveil phase Alice can check whether the state of Y is intact. (It does not matter whether the entire Y or only a small part can be checked.)
(4) To detect Alice's cheating, at the unveil phase Bob can learn a nontrivial amount of information on the value of b from Y, even without any help from Alice.
The last feature indicates that there exists at least one operation known to Bob, which can output a bit b′ when being applied on Y, and b′ = b should occur with a probability larger than 1/2. As a result, there must be $\rho^B_0 \neq \rho^B_1$. This is a main difference from the original QBC, where there is generally $\rho^B_0 \simeq \rho^B_1$ so that it can be unconditionally secure against dishonest-Bob.
The original purpose of CSQBC having these features is as follows. Alice's cheating strategy suggested in the MLC no-go theorem is based on the Hughston-Jozsa-Wootters (HJW) theorem [11], which applies to the case $\rho^B_0 \simeq \rho^B_1$. Therefore with feature (4), i.e., $\rho^B_0 \neq \rho^B_1$, Alice's cheating becomes detectable so that the MLC no-go theorem can be evaded. On the other hand, if Bob takes advantage of $\rho^B_0 \neq \rho^B_1$ and performs measurements to discriminate the committed bit b, the quantum state will be disturbed. In this case, with feature (3) Bob's cheating will be detected with a certain probability when Alice asks him to return the quantum state and checks whether it remains undisturbed, so that the goal of CSQBC can be met. But with a rigorous quantitative analysis of the probability of detecting Bob's cheating, we will find that it is never sufficiently large when Bob applies some specific measurements. Therefore any CSQBC protocol having the above four features will be bounded by the security limit below.
Notations and Bob's cheating strategy. According to Eq. (9.22) of Ref. 12 where the maximization is taken over all positive operators $P \le I$, with I being the identity operator. The above feature (2) of CSQBC guarantees that Bob knows how $\rho^B_0$ and $\rho^B_1$ are defined. Thus he can find the positive projector $P = P_m$ that maximizes $\mathrm{tr}(P(\rho^B_0 - \rho^B_1))$. If $\rho^B_0$ stands a higher probability to be projected successfully than $\rho^B_1$ when applying $P_m$, then we take $P_0 \equiv P_m$ and $P_1 \equiv I - P_m$. Otherwise we take $P_0 \equiv I - P_m$ and $P_1 \equiv P_m$. Feature (1) ensures that Bob owns the system Y encoding Alice's committed bit b during the holding phase. Therefore, by applying the positive operator-valued measure (POVM) $\{P_0^\dagger P_0, P_1^\dagger P_1\}$ on Y, Bob can discriminate between $\rho^B_0$ and $\rho^B_1$ and learn Alice's committed b with the maximal probability allowed by $D(\rho^B_0, \rho^B_1)$. To analyze rigorously the probability for Bob to escape Alice's detection with this POVM, let H be the global Hilbert space constructed by all possible states of Y (either b = 0 or 1). Since $P_0$, $P_1$ are positive projectors, there exists an orthonormal basis $\{|e_i\rangle\}$ of H (the following proof remains valid regardless of whether $\{|e_i\rangle\}$ is known to Alice or Bob), in which $P_0$, $P_1$ can be expressed as ð Þ i E 's to be equal, so that Eq. (3) still applies.
The security bound on Bob's cheating. As elaborated in the 1st subsection of Methods section, when dishonest-Bob applies the on Y, we find that the probability for Bob's cheating to pass Alice's detection successfully is and the amount of mutual information he obtained is Here $h(a) \equiv -a$ The minimum $P_B = 50\%$ can be reached when Alice chooses a = 0.5. Thus we come to the conclusion that Bob can always learn Alice's committed b with the maximal probability allowed by the trace distance between $\rho^B_0$ and $\rho^B_1$, while his cheating stands at least a 50% chance of escaping Alice's detection.
It may look weird that FIG. 1 seems to indicate that the more information Bob obtains, the more easily he can pass Alice's detection. But we must note that the amount of Bob's information is not chosen by himself. Instead, it is determined by the value of a that Alice chooses. That is, once Alice determines which state is used for encoding her committed bit, the maximum amount of information that Bob can obtain is also fixed.
On the other hand, the above result indicates that Alice should make a as close to 0.5 as possible, so that Bob's information and successful cheating probability can be minimized. However, note that she has to choose the initial state Eq. (3) within the range restricted by the protocol. Due to feature (4) of CSQBC, the trace distance $D(\rho^B_0, \rho^B_1)$ has to be nonzero. Therefore, generally a cannot be made very close to 0.5, as we will see in the examples below.
Examples. In the CSQBC protocol in Ref. 5, Bob's system Y is a single qubit, whose state is either $|0\rangle$ or $|-\rangle$ ($|1\rangle$ or $|+\rangle$) when Alice commits b = 0 (b = 1). Here $|0\rangle$ and $|1\rangle$ are orthogonal to each other, Then Bob's operation for maximally discriminating $\rho^B_0$ and $\rho^B_1$ is to measure Y in the basis $\{|e^{(0)}\rangle, |e^{(1)}\rangle\}$, i.e., he applies the projector $P_0 = |e^{(0)}\rangle\langle e^{(0)}|$. When the projection is successful (unsuccessful), he takes b′ = 0 (b′ = 1) as the decoded result. With this method,
Another example can be found in Ref. 13, where we illustrated how our above cheating strategy applies to the CSQBC protocol in Ref. 9. This protocol looks more complicated than the one in Ref. 5, as the committed bit b is encoded with many qubits, instead of a single one. The authors of Ref. 9 merely analyzed the individual attack of the receiver (note that they used the names Alice and Bob reversely) where the qubits are measured one by one. Then it is concluded that the cheating can be detected with a probability arbitrarily close to 1. But as we showed above, instead of individual measurements, the dishonest receiver can apply a two-element POVM on the entire state encoding the committed bit. When this state consists of many qubits, each basis vector $|e_i\rangle$ of the Hilbert space H is a multi-level state describing all qubits. Thus the projectors $P_0$, $P_1$ in Eq. (2) are actually collective measurements. The detailed form of $P_0$, $P_1$ is given in Eq. (2) of Ref. 13. As a result, it was further elaborated there that this collective measurement is as effective as individual measurements on learning the committed bit, while it causes much less disturbance on the multi-qubit state. Once again, the probability for the cheater to escape the detection was shown [13] to be not less than 50%. With the increase of the qubit number n, this probability can even be arbitrarily close to 100%.
Alice's cheating strategy. Alice's cheating strategy used in the MLC no-go theorem requires the condition $\rho^B_0 \simeq \rho^B_1$, which no longer holds in CSQBC. Nevertheless, she can still apply the same strategy in CSQBC and try her luck. To give a detailed description of the strategy, first let us model the coding method in CSQBC more precisely. For generality, consider that in the protocol, besides Bob's system Y, there is another system E. Alice's different committed values of b are encoded with different states of the combined system $E \otimes Y$. System E is kept at Alice's side during the commit and holding phases, and is required to be sent to Bob at the unveil phase to justify Alice's commitment. Let $\rho^{EB}_0$ and $\rho^{EB}_1$ denote the density matrices of $E \otimes Y$ corresponding to b = 0 and b = 1, respectively. Note that in all existing CSQBC protocols [5-10], there is no such system E. But we include it here, so that the model can cover more protocols that may be proposed in the future. In this scenario, Alice's cheating strategy is as follows. At the beginning of the protocol she introduces an ancillary system W which is a copy of $E \otimes Y$. Since the fidelity where the maximization is over all purifications $|Q_0\rangle$ of $\rho^{EB}_0$ and $|Q_1\rangle$ of $\rho^{EB}_1$ into $W \otimes E \otimes Y$, Alice finds the real and positive $|y_0\rangle$, $|y_1\rangle$ that reach the maximum, i.e., Then she prepares the initial state of $W \otimes E \otimes Y$ as where the normalization constant She uses this state to complete the rest of the commit protocol. With this method, the value of b is not determined during the commit phase.
In the unveil phase, Alice decides whether she wants to unveil b = 0 or b = 1. Then she simply uses $|y_c\rangle$ as $|y_b\rangle$ to complete the Therefore, in any specific CSQBC protocol, Alice's exact cheating probability can be calculated once the definition of $\rho^{EB}_0$, $\rho^{EB}_1$ is known.
The optimal protocols are trivial. Now we will try to find the CSQBC protocols which can optimally detect the cheating of both parties, i.e., minimizing the sum of Alice's and Bob's cheating probabilities. Note that Eq. (4) depends on the specific value of a in the state Eq. (3) that Alice chooses in a single run of the protocol, while $F(\rho^{EB}_0, \rho^{EB}_1)$ in Eq. (13) is the statistical result of all the legitimate states allowed by the protocol. Thus it is hard to compare Eq. (13) and Eq. (4) directly and give a general result without knowing the details on the composition of $\rho^{EB}_b$ in a specific protocol. Fortunately, in all existing CSQBC protocols [5-10], there is no system E. The form of the states of Bob's system Y alone carries all the information of b. Thus the trace distance D r EB 0 ,r EB For any protocol of this kind (as well as protocols having system E but still satisfying D r EB 0 ,r EB , as elaborated in the 2nd subsection of Method, where we obtain and These two equations suggest that $P_A$ and $P_B$ cannot be minimized simultaneously in the same protocol, because reducing $P_A$ requires a higher $D(\rho^B_0, \rho^B_1)$, while it will result in a higher $P_B$ at the same time.
Moreover, we must note that the above $P_A$ and $P_B$ are obtained assuming that the actions of both parties in the protocol will always be checked. But this is impossible, because they share the same system $W \otimes E \otimes Y$. In the unveil phase, either Bob will measure $E \otimes Y$ to check Alice's action, or he is required to return Y to Alice who checks his action. These cannot be done simultaneously. Suppose that in a CSQBC protocol, Bob's action is checked with probability f ($0 \le f \le 1$), and Alice's action is checked with probability $1 - f$. When one's action is not checked, he/she can cheat successfully with probability 1. Thus the cheating probabilities $P_A$ and $P_B$ should be replaced by and respectively. Combining them with Eqs. (14) and (15), we find Since $0 \le f \le 1$ and $0 \le D(\rho^B_0, \rho^B_1) \le 1$, we find another security lower bound of CSQBC To find the optimal protocol that can reach this bound, we plot the lower bound of $P_A^* + P_B^*$ as a function of D r B 0 ,r B , f = 1. Type (A) protocols mean that $\rho^B_0$ and $\rho^B_1$ are orthogonal so that $P_A^*$ reaches its minimum 1/2. However, $\rho^B_0$ and $\rho^B_1$ can be distinguished perfectly and Bob's action is never checked. Thus $P_B^* = 1$, i.e., he can always learn Alice's committed b with reliability 1 and never get caught. In type (B) protocols, $\rho^B_0 = \rho^B_1$ so that Bob learns nothing about b. But Alice's action is never checked so that she can unveil b as whatever she wants, with a successful cheating probability $P_A^* = 1$. Therefore, we can see that these optimal protocols are all trivial as they are completely insecure against one of the parties. Thus they do not seem to have any practical usage.
The fair protocol. Since the protocols that can minimize $P_A^* + P_B^*$ all look useless, let us consider the protocol satisfying $P_A^* = P_B^*$ so that it is fair for both parties, and try to minimize $P_A^*$, $P_B^*$ in this case. From Eq. (37) we can see that the inequality Eq. (15) can become equality when $\overline{a^2} = \bar{a}^2$, i.e., all the states allowed to be chosen in the protocol for committing the same b value should have the same a value. Also, note that the lowest bounds in Eqs. (14) and (18) 1 . Therefore, only the above optimal protocols can reach these bounds. For this reason, to calculate $P_A^*$ precisely in other protocols, we should use Eq. (13) instead of Eq. (14). To compute $F(\rho^{EB}_0, \rho^{EB}_1)$ in Eq. (13), for simplicity we consider only the protocols in which there are then Combining them with Eqs. (13), (16), (17) and (15) (the latter becomes equality once we choose $\overline{a^2} = \bar{a}^2$), then by solving P Ã Any protocol satisfying this equation is fair for both parties. Now let us find the minimal value of $P_A^* = P_B^*$. Substituting this f into Eq. (17), we obtain By solving $dP_A^*/da = 0$, we find that the minimal cheating probabilities in such protocols are $P_A^* = P_B^* = 0.904$, which can be obtained when $a \simeq 0.885$, i.e., $\sqrt{a} \simeq 0.941 \simeq \cos(19.85^\circ)$. In this case $f \simeq 0.469$.
A simple protocol having these parameters is: Alice sends Bob the state $\cos(19.85^\circ)|0\rangle \pm \sin(19.85^\circ)|1\rangle$ ($\sin(19.85^\circ)|0\rangle \pm \cos(19.85^\circ)|1\rangle$) if she wants to commit b = 0 (b = 1). In the unveil phase, with probability $f \simeq 0.469$ Bob returns the state and Alice checks whether it remains undisturbed; with probability $1 - f \simeq 0.531$ Bob measures the state and checks whether it agrees with the value of b that Alice unveiled.
Nevertheless, there is a difficulty in finding a method for deciding which party will be checked in a single run of the protocol. Dishonest Alice (Bob) would like to decrease $1 - f$ (f) so that $P_A^*$ ($P_B^*$) can be raised. Thus they do not trust each other and may not collaborate. The CSQBC protocol in Ref. 5 adopts a process called "the game" to handle this problem, which is very similar to quantum coin flipping (QCF) protocols [14]. However, Ishizaka [15] showed that this process provides an extra security loophole to Bob, so that there is a cheating strategy for him to learn b with reliability 61.79% (which is lower than what can be obtained with our cheating strategy, as calculated in the Examples section) while passing Alice's check with probability 100% (which is higher than that of our strategy). It was further shown in Ref. 16 that due to the inexistence of ideal black-boxed QCF, any CSQBC protocol based on biased QCF cannot be secure. Therefore, it remains unclear how to build a fair CSQBC protocol with $P_A^* = P_B^*$ while minimizing $P_A^*$ and $P_B^*$.
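The simple fair protocol above can be checked numerically. The following is an added example, not code from the paper: it builds Bob's two density matrices for the four states of that protocol, finds the projective measurement that best distinguishes them, and computes how often his guess is right and how often his measurement survives the check. It assumes Alice picks each sign with equal probability and checks a returned state by projecting it onto the state she sent; all function names are illustrative.

```python
import math

def density(states):
    """Equal-weight mixture of real 2-d pure states, as a 2x2 matrix.
    Equal weights are an assumption of this example."""
    n = len(states)
    return [[sum(s[i] * s[j] for s in states) / n for j in range(2)]
            for i in range(2)]

def optimal_measurement(rho0, rho1):
    """Return (D, e0, e1): the trace distance D(rho0, rho1) and the
    eigenbasis of rho0 - rho1. e0 spans the positive eigenspace, so the
    projector onto e0 plays the role of P_0 (Bob decodes b' = 0)."""
    x = rho0[0][0] - rho1[0][0]      # rho0 - rho1 = [[x, y], [y, -x]]
    y = rho0[0][1] - rho1[0][1]
    lam = math.hypot(x, y)           # eigenvalues are +lam and -lam
    if lam < 1e-15:                  # indistinguishable: any basis will do
        return 0.0, (1.0, 0.0), (0.0, 1.0)
    v = (lam + x, y) if x >= 0 else (y, lam - x)
    norm = math.hypot(v[0], v[1])
    e0 = (v[0] / norm, v[1] / norm)
    return lam, e0, (-e0[1], e0[0])

def bob_attack(states, bit, e0, e1):
    """Average over Alice's allowed states for `bit`. Returns
    (P[b' = b], P[Bob's measurement passes Alice's intact-state check])."""
    right = passed = 0.0
    for psi in states:
        for guess, e in enumerate((e0, e1)):
            p = (e[0] * psi[0] + e[1] * psi[1]) ** 2   # outcome probability
            # Y has collapsed to e; Alice projects the returned Y onto psi,
            # which succeeds with |<psi|e>|^2, i.e. p again.
            passed += p * p
            if guess == bit:
                right += p
    return right / len(states), passed / len(states)

def fair_protocol(theta_deg=19.85, f=0.469):
    t = math.radians(theta_deg)
    c, s = math.cos(t), math.sin(t)
    states = {0: [(c, s), (c, -s)], 1: [(s, c), (s, -c)]}
    D, e0, e1 = optimal_measurement(density(states[0]), density(states[1]))
    results = [bob_attack(states[b], b, e0, e1) for b in (0, 1)]
    guess = sum(r[0] for r in results) / 2
    p_b = sum(r[1] for r in results) / 2
    # Bob is checked with probability f; unchecked, he succeeds for certain.
    return {"D": D, "guess": guess, "P_B": p_b, "P_B_star": f * p_b + (1 - f)}

if __name__ == "__main__":
    print(fair_protocol())
```

With the values quoted above (19.85° and f ≃ 0.469), Bob's guess is right with probability about 0.885 and his overall success probability comes out at about 0.904, in agreement with the figures in the text.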

Discussion
In summary, we showed that any CSQBC protocol having the above four features is subject to the security bound Eq. (6). Protocols satisfying D r EB 0 ,r EB are further bounded by Eq. (19). Note that the insecurity of QCF-based CSQBC protocols (e.g., Refs. 5, 6) was already pointed out in Refs. 15,16. But our proof also applies to the non-QCF-based ones.
Our result should not be simply considered as a generalization of the MLC no-go proof. Instead, it is a complement. This is because the MLC no-go proof applies to QBC protocols with $\rho^B_0 \simeq \rho^B_1$. But as pointed out in Ref. 9, CSQBC does not need to satisfy this requirement so that it may evade the MLC theorem. On the contrary, our proof works for the case $\rho^B_0 \neq \rho^B_1$, thus it fills the gap that the MLC proof left. Meanwhile, the MLC theorem concentrates on the cheating of Alice. It does not exclude the existence of protocols which are unconditionally secure against dishonest Bob only. On the other hand, our result shows that Bob can always cheat in CSQBC regardless of whether Alice is honest or not.
It will be interesting to study whether there can be CSQBC protocols without the above four features. It seems that Kent's relativistic QBC [17-19] and our recent proposals [20,21] do not satisfy feature (1), while the protocol in Ref. 22 does not have feature (2), as elaborated in Ref. 23. However, these works aim to achieve the original QBC, instead of CSQBC. Also, Refs. 20-23 have not gained wide recognition yet. Thus it is still an open question whether it is possible to build non-relativistic CSQBC protocols which are not limited by the above security bounds, without relying on computational and experimental constraints.

Methods
Calculating Bob's cheating probability. Consider the POVM $\{P_0^\dagger P_0, P_1^\dagger P_1\}$ defined in Eq. (2). After Bob applies it on Y, there can be two outcomes.
(I) The projection outcome is $P_0$. Then Bob takes b′ = 0 as his decoded result of Alice's committed bit b. With Eqs. (2) and (3) we yield Thus this case will occur with the probability while the resultant state of $W \otimes Y$ is As described in feature (3) of CSQBC, at the unveil phase Alice may require Bob to return Y and check whether it remains intact in its initial state. The maximal probability for Alice to find out that Bob has already projected $|W \otimes Y\rangle_{\mathrm{ini}}$ into $|W \otimes Y\rangle_{\mathrm{I}}$ is bounded by Thus the total probability for (case (I) occurred) AND (Alice failed to detect Bob's cheating) is
(II) The projection outcome is $P_1$. Then Bob takes b′ = 1 as his decoded result of Alice's b. Now
www.nature.com/scientificreports SCIENTIFIC REPORTS | 5 : 9398 | DOI: 10.1038/srep09398
Obviously, this case will occur with the probability Meanwhile, the resultant state of $W \otimes Y$ in this case is The maximal probability for Alice to find out that Bob has already projected $|W \otimes Y\rangle_{\mathrm{ini}}$ into $|W \otimes Y\rangle_{\mathrm{II}}$ is bounded by Thus the total probability for (case (II) occurred) AND (Alice failed to detect Bob's cheating) is
Taking both cases (I) and (II) into consideration, the overall probability for Bob's cheating to pass Alice's detection successfully is Meanwhile, since the projection outcome will either be $P_0$ or $P_1$ with the probabilities $p_{\mathrm{I}}$ and $p_{\mathrm{II}} = 1 - p_{\mathrm{I}}$, respectively, Bob's b′ will match Alice's b with the probability $p_{\mathrm{I}}$ or $1 - p_{\mathrm{I}}$ too. Note that $h(1 - p_{\mathrm{I}}) = h(p_{\mathrm{I}})$. Thus the amount of mutual information that Bob obtains with this POVM is
Bounding the cheating probabilities with trace distance. Suppose that there are many states allowed to be chosen randomly for committing b = 0 in the protocol, each of which takes the form of Eq. i 's. Bob applies the optimal POVM to decode b. Then Eq. (3) indicates that he can learn b correctly with probability $\bar{a}$, i.e., the average of a.
Meanwhile, it is well-known that the maximal probability for discriminating two density matrices $\rho^B_0$, $\rho^B_1$ is $(1 + D(\rho^B_0, \rho^B_1))/2$. Therefore Since Eq. (4) shows that Bob's average cheating probability for these states is we have Similar discussion is also valid for the states for committing b = 1, except that a should be replaced by $b = 1 - a$. But Eq. (38) remains the same because Eq. (4) satisfies $P_B(1 - a) = P_B(a)$. On the other hand, since 12 from Eq. (13) we yield