24-Hour Relativistic Bit Commitment
Bit commitment is a fundamental cryptographic primitive in which a party wishes to commit a secret bit to another party. Perfect security between mistrustful parties is unfortunately impossible to achieve through the asynchronous exchange of classical and quantum messages. Perfect security can nonetheless be achieved if each party splits into two agents exchanging classical information at times and locations satisfying strict relativistic constraints. A relativistic multi-round protocol to achieve this was previously proposed and used to implement a 2 millisecond commitment time. Much longer durations were initially thought to be insecure, but recent theoretical progress showed that this is not so. In this letter, we report on the implementation of a 24-hour bit commitment based on timed high-speed optical communication and fast data processing only, with all agents located within the city of Geneva. This duration is more than six orders of magnitude longer than before, and we argue that it could be extended to one year and allow much more flexibility on the locations of the agents. Our implementation offers a practical and viable solution for use in applications such as digital signatures, secure voting and honesty-preserving auctions.
Bit commitment is a cryptographic primitive in which a party Alice commits a secret bit to another party Bob, and later reveals it at a time of her choosing. A bit-commitment protocol is secure against a cheating Alice if it guarantees that she cannot reveal, without being caught, another bit than the one she initially committed to an honest Bob. The protocol is also secure against a cheating Bob if it guarantees that no information about the committed bit can be obtained before Alice reveals her commitment. Perfectly secure bit commitment between two mistrustful parties is known to be impossible through the asynchronous exchange of classical or quantum messages Mayers (1997); Lo and Chau (1997); D’Ariano et al. (2007). Arbitrarily long commitments using the exchange of quantum messages are possible if one makes the assumption that any quantum storage used by a dishonest party is bounded Damgård et al. (2005, 2007) and noisy Wehner et al. (2008). The security is however dependant on the parameter of the hardware (loss, detection noise, etc.)
Alternatively, a scheme in which each party is split in two agents was shown to be secure against classical attacks under the assumption that no communication was possible between agents of the same party Ben-Or et al. (1988). Relativistic constraints on the communications between the different parties were suggested to enforce the no-communication assumption Kent (1999), and a protocol using classical and quantum communication was proposed Kent (2012). This protocol was experimentally realised and shown to be secure against classical and quantum attacks, even in the presence of unavoidable experimental imperfections Lunghi et al. (2013); Liu et al. (2014). These protocols are however limited to a single round of communication and therefore to a commitment of at most 21 ms if the agents are all located on Earth.
To overcome this limitation, a new scheme using multiple rounds of classical communication was proposed and shown to be secure against classical attacks Lunghi et al. (2015). This scheme can in principle allow an arbitrary long commitment time by periodically sustaining the carefully timed classical communication between the two parties. The security analysis in Ref. Lunghi et al. (2015) derives the following bound on the probability of a successful cheating attempt:
where is the length of the bit string communicated between the agents of Bob and Alice at each round of the protocol, and is the number of rounds Lunghi et al. (2015). To keep , the length of the messages has to grow exponentially with the number of rounds. Therefore, an arbitrarily long commitment is in practice impossible to achieve. The implementation in Ref. Lunghi et al. (2015) was limited to 6 rounds, yielding a 2 ms bit-commitment with agents separated by 131 km, i.e. between Geneva and Bern. This could have been extended to a maximal value of 212 ms using antipodal locations on earth.
Interestingly, the security bound of Lunghi et al. (2015) was later improved significantly in two independent proofs considering classical attacks Chakraborty et al. (2015); Fehr and Fillinger (2016). In both cases, the bound is linear in the number of rounds. For instance, the bound in Chakraborty et al. (2015) is
These results open the way towards the implementation of much longer commitments. A more recent bound has been derived Pivoluska et al. (2016) showing a small reduction of the required resources.
In this Letter, we present the first experimental realisation of a 24-hour long bit commitment using agents suitably positioned 7 km apart, all within the immediate vicinity of Geneva. This increases the previous commitment time by more than six orders of magnitude compared to what was achieved previously using relativistic protocols Lunghi et al. (2013, 2015).
We first describe the multi-round protocol and its security. The protocol contains a commit, sustain and reveal phases. In the commit phase, the first agent of Bob sends a random -bit string to the first agent of Alice , who replies with the string to commit the bit 0, or to commit the bit 1. Here, ”” is the bitwise XOR operation. The second agent starts the sustain phase by sending to agent , who then returns , where ”” is the multiplication in the Galois field . The third round is again between and , the fourth one between and , and so on. At the k round, the agent sends and replies , for . Finally, to open the commitment, the following sends her commitment and to the corresponding . With the set of questions , the set of answers and the last string , Bob can compute all the previous and verify that the bit he received during the reveal phase is the one committed by the first answer of agent .
To comply with the relativistic constraints, Alice places one agent near each agent of Bob . The distance between the agents of Bob is chosen such that by carefully timing the communication between and , the security can be guaranteed. For our analysis, we consider a situation where Alice is allowed to place her agent at a maximum distance from their corresponding , as shown in Fig. 1(a). To ensure that no communication is possible between the two agents of Alice, we must impose the two following constraints: should answer before a time from the start of the corresponding round, or the protocol is aborted, and agent should start the round time after the start of the previous round, where is the time taken by light to travel the distance and is a chosen time margin. The security is guaranteed if is much greater than the timing uncertainties. Fig. 1(b) shows the relativistic constraints in the case where the agents of Alice are placed at the maximum allowed distance . An agent with a realistic data processing speed will have to place himself closer to answer within . The time between the rounds of each agent of Bob, labelled , is related to , and as . In terms of the distance parameters, this relation becomes:
The number of rounds is set by the spatial configuration, the chosen time margin and the time of commitment . It can be related to as:
We now describe the implementation of the multi-round relativistic protocol. Each agent has a computer (Intel core i3 processor with 4 GB RAM) with a field-programmable gate array (FPGA) card (Xilinx SP605 evaluation board featuring Spartan-6 XC6SLX45T) installed to perform the computing tasks of the multi-round protocol. To ensure an accurate timing of exchange between and , the FPGAs of Bob’s agents are synchronized using local clocks. Specifically, each has access to an oven-controlled crystal oscillator (OCXO) with a nominal frequency of 10 MHz. This frequency is then multiplied inside the FPGA with a phase-locked loop to obtain a 125-MHz reference used to clock the computations steps. The OCXO are disciplined by a Global Positioning System (GPS) receiver, which provides a 1-PPS (one pulse per second) signal aligned to the Coordinated Universal Time (UTC). To make sure the FPGAs stay synchronized with the GPS reference, the 1-PPS signal from the receiver is also sent directly to the FPGA. An error of FPGA cycle (8 ns) on the expected cycles per second between two consecutive pulses from the GPS is tolerated. This uncertainty is sufficiently small to ensure that the relativistic constraints are satisfied.
The agents and are located at the Group of Applied Physics (GAP) of the University of Geneva, while agents and are placed 7.0 km away from the GAP. An optical signal in straight line would take 23.3 to cover this distance. Before starting the protocol, the agents of Alice, and similarly the agents of Bob, share the appropriate size of random data to generate the strings and . The strings to be communicated are transferred from the hard drive to the FPGA using a PCIe Gen1 x1 link. The maximum data transfer rate we can achieve with this system is 200 mega bytes per seconds (MBps). The exchange of the -bit strings between and is performed via a 1 m optical link. We set the length of the strings to bits. With the various latencies in our system and the time needed to compute , we can complete a round in . To account for possible fluctuations in the duration and timing of the rounds, we impose that the agents of Alice answer within 3 from the start of the round and take a margin of 3.3 , such that each round starts before the earliest arrival time of the information from the previous round. Fixing corresponds to a situation where Bob imposes a maximum distance of 450 m to the agents of Alice. The shortest distance we could achieve with our system is limited by and to about 2.8 km.
We performed a 24-hour bit commitment with a security parameter of , which requires rounds, a total of 162 GB of data and an average transfer rate of 0.5 MBps. The amount of time needed to verify the commitment with the CPU of the computer is particularly long due to the computation of the Galois function. In our case, the computing was performed on a standard computer and took 72 hours, which is three times the commitment time . This issue can be solved by using an FPGA to do the computing. We estimate that the verification time of our experiment could be lowered to about 90 minutes with a dedicated FPGA. Moreover, to shorten this time Bob could start the calculation for both bits in parallel of the bit commitment process and check at the end when Alice reveal the bit value.
|[km]||[ Bps]||Data [GB]|
|1||7.0||24 h||162||1 h 26 min|
|1 y||59362||530 h|
|2||10000||24 h||649||0.2||7 s|
|1 y||649||81||44 min|
The protocol could in practice be achieved in a large range of spatial configurations. Table 1 shows the required resources and the security parameter for two different spatial configurations and commitment times. The case 1 corresponds to our experiment, i.e. Bob’s agents located seven kilometres apart and Alice’s agents placed near the agents of Bob. Bit commitments in this regime are the most demanding in terms of resources. Increasing the distance between the agents of Bob effectively reduces the number of rounds, hence reduces the resources needed. The case 2 corresponds to a situation where the agents of Bob are separated by a straight line distance of 10,000 km and impose that the agents of Alice answer within 20 ms from the beginning of the rounds. In 20 ms, light covers a straight line distance of 6000 km. This means that Alice must position her agents within a 3000 km radius from Bob’s agents. In practice, this radius will be smaller, depending on the speed and latency of the communication link between the agents. As an example, Bob could have one agent in the center of the United States of America and one agent in the center of China, and could engage the commitment with agents of Alice located within a large area of these two countries. Indeed, we can imagine networks formed by several interconnected nodes allowing commitments from parties placed all over the world.
The security against a cheating Alice relies on the correct timing of each round with respect to the previous one. In order to exclude attacks on the timing, such as spoofing of the GPS signal, Bob could rely solely on local clocks, provided they have been synchronized before, e.g. with a third clock travelling between the agents. For a margin of 1 ms (case 2), the uncertainty on the frequency of the clocks must be less than for a commitment time of 24 hours and less than for a commitment time of 1 year, which can be achieved with commercially available clocksDiddams et al. (2004).
Our implementation demonstrates long commitment times without the need of large computing power in realistic and potentially useful scenarios. The implementation offers a practical and viable solution for use in applications such as coin tossing http://www.iacr.org/cryptodb/data/paper.php?pubkey=917 (1981), zero-knowledge proofs Damgård (1999), digital signature Boneh and Naor (2000) and secure multi-party computations, including secure votingBroadbent and Tapp (2008) and honesty-preserving auctions Boneh and Naor (2000).
Acknowledgements.We thank Jedrzej Kaniewski for helpful discussions. This work was supported financially by the Swiss NCCR-QSIT.
- Mayers (1997) D. Mayers, “Unconditionally secure quantum bit commitment is impossible,” Phys. Rev. Lett. 78, 3414–3417 (1997).
- Lo and Chau (1997) H.-K. Lo and H. F. Chau, “Is quantum bit commitment really possible?” Phys. Rev. Lett. 78, 3410–3413 (1997).
- D’Ariano et al. (2007) G. M. D’Ariano, D. Kretschmann, D. Schlingemann, and R. F. Werner, “Reexamination of quantum bit commitment: The possible and the impossible,” Phys. Rev. A 76, 032328 (2007).
- Damgård et al. (2005) I. Damgård, S. Fehr, L. Salvail, and C. Schaffner, “Cryptography in the bounded quantum-storage model,” in 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS’05) (2005) pp. 449–458.
- Damgård et al. (2007) I. Damgård, S. Fehr, R. Renner, L. Salvail, and C. Schaffner, “Advances in cryptology - crypto 2007: 27th annual international cryptology conference, santa barbara, ca, usa, august 19-23, 2007. proceedings,” (Springer Berlin Heidelberg, 2007) Chap. A Tight High-Order Entropic Quantum Uncertainty Relation with Applications, pp. 360–378.
- Wehner et al. (2008) S. Wehner, C. Schaffner, and B. M. Terhal, “Cryptography from noisy storage,” Phys. Rev. Lett. 100, 220502 (2008).
- Ben-Or et al. (1988) M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigderson, “Multi-prover interactive proofs: How to remove intractability assumptions,” in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88 (1988) pp. 113–131.
- Kent (1999) A. Kent, “Unconditionally secure bit commitment,” Phys. Rev. Lett. 83, 1447–1450 (1999).
- Kent (2012) A. Kent, “Unconditionally secure bit commitment by transmitting measurement outcomes,” Phys. Rev. Lett. 109, 130501 (2012).
- Lunghi et al. (2013) T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, A. Kent, N. Gisin, S. Wehner, and H. Zbinden, “Experimental bit commitment based on quantum communication and special relativity,” Phys. Rev. Lett. 111, 180504 (2013).
- Liu et al. (2014) Y. Liu, Y. Cao, M. Curty, S.-K. Liao, J. Wang, K. Cui, Y.-H. Li, Z.-H. Lin, Q.-C. Sun, D.-D. Li, H.-F. Zhang, Y. Zhao, T.-Y. Chen, C.-Z. Peng, Q. Zhang, A. Cabello, and J.-W. Pan, “Experimental unconditionally secure bit commitment,” Phys. Rev. Lett. 112, 010504 (2014).
- Lunghi et al. (2015) T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, S. Wehner, and H. Zbinden, “Practical relativistic bit commitment,” Phys. Rev. Lett. 115, 030502 (2015).
- Chakraborty et al. (2015) K. Chakraborty, A. Chailloux, and A. Leverrier, “Arbitrarily long relativistic bit commitment,” Phys. Rev. Lett. 115, 250501 (2015).
- Fehr and Fillinger (2016) S. Fehr and M. Fillinger, “Advances in cryptology – eurocrypt 2016: 35th annual international conference on the theory and applications of cryptographic techniques, vienna, austria, may 8-12, 2016, proceedings, part ii,” (Springer Berlin Heidelberg, Berlin, Heidelberg, 2016) Chap. On the Composition of Two-Prover Commitments, and Applications to Multi-round Relativistic Commitments, pp. 477–496.
- Pivoluska et al. (2016) M. Pivoluska, M. Pawlowski, and M. Plesch, “Experimentally secure relativistic bit commitment,” arXiv preprint arXiv:1601.08095 (2016).
- Diddams et al. (2004) S. A. Diddams, J. C. Bergquist, S. R. Jefferts, and C. W. Oates, “Standards of time and frequency at the outset of the 21st century,” Science 306, 1318–1324 (2004).
- http://www.iacr.org/cryptodb/data/paper.php?pubkey=917 (1981) http://www.iacr.org/cryptodb/data/paper.php?pubkey=917, ed., Coin Flipping by Telephone (UC Santa Barbara, 1981).
- Damgård (1999) I. Damgård, “Commitment schemes and zero-knowledge protocols,” in Lectures on Data Security, Modern Cryptology in Theory and Practice, Summer School, Aarhus, Denmark, July 1998 (1999) pp. 63–86.
- Boneh and Naor (2000) D. Boneh and M. Naor, “Advances in cryptology — crypto 2000: 20th annual international cryptology conference santa barbara, california, usa, august 20–24, 2000 proceedings,” (Springer Berlin Heidelberg, 2000) Chap. Timed Commitments, pp. 236–254.
- Broadbent and Tapp (2008) A. Broadbent and A. Tapp, “Information-theoretically secure voting without an honest majority,” in Proceedings of the IAVoSS Workshop On Trustworthy Elections (2008).