English

Why quantum bit commitment and ideal quantum coin tossing are impossible

Quantum Physics 2008-02-03 v2

Abstract

There had been well known claims of ``provably unbreakable'' quantum protocols for bit commitment and coin tossing. However, we, and independently Mayers, showed that all proposed quantum bit commitment (and therefore coin tossing) schemes are, in principle, insecure because the sender, Alice, can always cheat successfully by using an EPR-type of attack and delaying her measurements. One might wonder if secure quantum bit commitment and coin tossing protocols exist at all. Here we prove that an EPR-type of attack by Alice will, in principle, break {\em any} realistic quantum bit commitment and {\em ideal} coin tossing scheme. Therefore, provided that Alice has a quantum computer and is capable of storing quantum signals for an arbitrary length of time, all those schemes are insecure. Since bit commitment and coin tossing are useful primitives for building up more sophisticated protocols such as zero-knowledge proofs, our results cast very serious doubt on the security of quantum cryptography in the so-called ``post-cold-war'' applications.

Keywords

Cite

@article{arxiv.quant-ph/9605026,
  title  = {Why quantum bit commitment and ideal quantum coin tossing are impossible},
  author = {Hoi-Kwong Lo and H. F. Chau},
  journal= {arXiv preprint arXiv:quant-ph/9605026},
  year   = {2008}
}

Comments

Replaced to give appropriate reference to D. Mayers' works and to fix a crucial bug in the original proof of the impossibility of ideal quantum coin tossing. Other minor changes are also made to clarify the discussion