Content deleted Content added
Jmichael ll (talk | contribs) mNo edit summary |
Link suggestions feature: 3 links added. Tags: Visual edit Mobile edit Mobile web edit Newcomer task Suggested: add links |
||
| (One intermediate revision by one other user not shown) | |||
Line 21:
===Coin flipping===
Suppose [[Alice and Bob]] want to resolve some dispute via '''[[coin flipping]]'''. If they are physically in the same place, a typical procedure might be:
# Alice "calls" the coin flip,
Line 88:
environment that, instead of corrupting ''C'', corrupts ''R'' instead. Additionally it runs a copy of ''S''. Messages received from ''C'' are fed into ''S'', and replies from ''S'' are forwarded to ''C''.
The environment initially tells ''C'' to commit to a message ''m''. At some point in the interaction, ''S'' will commit to a value ''m′''. This message is handed to ''R'', who outputs ''m′''. Note that by assumption we have ''m' = m'' [[with high probability]]. Now in the ideal process the simulator has to come up with ''m''. But this is impossible, because at this point the commitment has not been opened yet, so the only message ''R'' can have received in the ideal process is a "receipt" message. We thus have a contradiction.
==Construction==
Line 118:
Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol.
In 1991 [[Moni Naor]] showed how to create a bit-commitment scheme from a [[cryptographically secure pseudorandom number generator]].<ref>{{cite web|url=http://citeseer.ist.psu.edu/context/22544/0 |title=Citations: Bit Commitment using Pseudorandom Generators - Naor (ResearchIndex) |publisher=Citeseer.ist.psu.edu |access-date=2014-06-07 |url-access=registration}}</ref> The construction is as follows. If ''G'' is a pseudo-random generator such that ''G'' takes ''n'' bits to 3''n'' bits, then if Alice wants to commit to a bit ''b'':
*Bob selects a random 3''n''-bit vector ''R'' and sends ''R'' to Alice.
Line 259:
It is an interesting question in [[quantum cryptography]] if ''unconditionally secure'' bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties of [[quantum mechanics]], as in the protocols for [[Quantum key distribution|unconditionally secure key distribution]].
However, this is impossible, as Dominic Mayers showed in 1996 {{xref|(see this citation:<ref>Brassard, Crépeau, Mayers, Salvail: [https://arxiv.org/abs/quant-ph/9712023 A brief review on the impossibility of quantum bit commitment]</ref> for the original proof)}}. Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the [[Schmidt decomposition]], effectively defeating the binding property.
One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.<ref>A. Kent: [https://arxiv.org/abs/quant-ph/9906103 Secure classical Bit Commitment using Fixed Capacity Communication Channels]</ref> More generally, Mayers' proof applies only to protocols that exploit [[quantum physics]] but not [[special relativity]]. Kent has shown that there exist unconditionally secure protocols for bit commitment that exploit the principle of [[special relativity]] stating that information cannot travel faster than light.<ref>{{Cite journal|last=Kent|first=A.|date= 1999|title=Unconditionally Secure Bit Commitment|journal=Phys. Rev. Lett.|language=en|volume=83|issue=7|pages=1447–1450|doi=10.1103/PhysRevLett.83.1447|arxiv=quant-ph/9810068|bibcode=1999PhRvL..83.1447K|s2cid=8823466}}</ref>
| |||