Experimental unconditionally secure bit commitment
Abstract
Bit commitment is a fundamental cryptographic task that guarantees a secure commitment between two mutually mistrustful parties and is a building block for many cryptographic primitives, including coin tossing [1, 2], zero-knowledge proofs [3, 4], oblivious transfer [5, 6] and secure two-party computation [7]. Unconditionally secure bit commitment was thought to be impossible [8, 9, 10, 11, 12, 13] until recent theoretical protocols that combine quantum mechanics and relativity were shown to elude previous impossibility proofs [14, 15, 16, 17]. Here we implement such a bit commitment protocol [17]. In the experiment, the committer performs quantum measurements using two quantum key distribution systems [18] and the results are transmitted via free-space optical communication to two agents separated by more than km. The security of the protocol relies on the properties of quantum information and relativity theory. We show that, in each run of the experiment, a bit is successfully committed with less than cheating probability. Our result demonstrates unconditionally secure bit commitment and the experimental feasibility of relativistic quantum communication.
Shanghai Branch, Hefei National Laboratory for Physical Sciences at Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei, Anhui 230026, P. R. China.
Department of Signal Theory and Communications, University of Vigo, E36310 Vigo, Spain.
Shandong Institute of Quantum Science and Technology Co., Ltd, Jinan, Shandong 250101, P. R. China.
Departamento de Física Aplicada II, Universidad de Sevilla, E41012 Sevilla, Spain.
These authors contributed equally to the paper.
Bit commitment is a cryptographic protocol between two distrustful parties. It has two phases. In the first (commit), the committer, Alice, carries out actions that commit her to a particular bit value . In the second (reveal), Alice, if she so chooses, gives the receiver, Bob, information that unveils . Bit commitment must be concealing and binding. It is concealing if Bob cannot learn before Alice unveils it, and it is binding if Alice cannot change once she has committed to it.
In classical cryptography, bit commitment is achieved by utilising computational complexity assumptions such as, for instance, the difficulty of factoring large numbers. However, the security of such schemes can be broken using a quantum computer [19]. Indeed, it can be proven that unconditionally secure bit commitment is impossible using only classical resources. The same holds true even if Alice and Bob are allowed to use quantum resources in a non-relativistic scenario [8, 9, 10, 11, 12, 13]. For this reason, quantum bit commitment schemes rely on physical assumptions such as, for example, that the attacker’s quantum memory is noisy [20]. Interestingly, the picture changes dramatically if we take into account the signalling constraints implied by the Minkowski causality in a relativistic context. Then, assuming that quantum mechanics is correct and that spacetime is approximately Minkowskian, it has been shown that there are bit commitment protocols offering unconditional security [16, 17, 21].
The protocol [17] implemented in our experiment involves six parties: Alice and her agents and , and Bob and his agents and . They are distributed in three locations which are almost aligned, as illustrated in Fig. 1a. The protocol has the following five steps:

The protocol itself starts when Bob sends Alice signals (e.g., phase-randomised weak coherent pulses) prepared in either horizontal, vertical, diagonal or antidiagonal polarised states, which Bob selects independently and randomly for each signal.

To commit to the bit value (), Alice measures all the incoming signals in the rectilinear (diagonal) polarisation basis. Then, she uses a public channel to notify Bob which signals she has detected. Also, she encrypts her measurement results with the one-time pad (OTP) [24] using the secret keys and , and sends them to and .

To unveil the commitment, agents and decrypt the measurement results received from Alice and send them to Bob’s agents and , respectively.

To verify the commitment, Bob compares the results submitted by and . If they are different, Bob rejects the commitment. Otherwise, he estimates a lower bound, , for the number of single photons sent in the rectilinear basis and detected by Alice. Likewise, Bob does the same with the signals he sent in the diagonal basis. Let () be the total number of errors in the rectilinear (diagonal) basis. Only when both and () Bob accepts the commitment as 0 (1), for some prefixed parameters and previously agreed by Alice and Bob.
The protocol described above is perfectly concealing. This is so because the communication between Alice and her agents and is guaranteed by the OTP. Also, Bob’s knowledge of Alice’s detected events does not give him any information about her committed bit. See Appendix A for a discussion of the security of the protocol against a dishonest Bob. It is also proven there that the protocol is binding. Indeed, it can be shown that Alice’s cheating probability rapidly approaches zero when increases, given that is not too large. In our experiment, this results in a total cheating probability below . Note, moreover, that this value comes from a very simple upper bound for the cheating probability, which may not be tight. In reality, therefore, the cheating probability may be significantly lower.
In the verification step of the protocol it is also important to determine the latest time instant in which Alice could have made her commitment, given that Bob accepted the revealed bit. We denote this quantity as . From the geographical distribution of the different parties involved in the protocol, it is straightforward to obtain an upper bound for this quantity. This is illustrated in Fig. 2. Here, denotes the distance between parties and in the protocol, represents the time instant where Bob sends Alice his first signal, and () is the time instant where agent () receives the last signal from agent (). These parameters are directly observed in the protocol. Furthermore, suppose, for the moment, that and is large (to guarantee a small cheating probability) and thus the total number of signals sent by Bob is also large. In this scenario, it can be shown that
(1) 
where denotes the speed of light in vacuum. A proof of a more general version of this statement can be found in Appendix C.
The protocol can also guarantee that the commitment is not performed in certain space points, e.g., in the locations of agents and . For this, Bob may verify the conditions , with , which assures the latter.
We performed a field test of the protocol among the three geographically separated laboratories shown in Fig. 1a. One important detail to consider in the experiment is that a higher transmission speed reduces the earliest time where Alice may reveal her committed bit, and thus it can also reduce the value of and . According to Eq. (1), this also decreases . The optical communication speed in a free-space channel is times higher than in a fiber channel. Therefore, in our experiment, we choose a free-space channel for the communication between Alice and her agents. The distance between Alice/Bob’s lab and ’s lab is about 9.3 km, and the distance between Alice/Bob’s lab and ’s lab is about km. The angle of Alice is around degrees.
When an experimental run starts, triggered by a GPS signal, Bob randomly prepares phase-randomised weak coherent pulses in four different polarisation states and sends them to Alice. As shown in Fig. 1b, the random pulsed optical signals are emitted from four diodes at a repetition frequency of MHz. These diodes are controlled by random numbers generated off line by quantum random number generators (QRNGs). The central wavelength of all laser diodes is nm, and the average photon number is adjusted to per pulse. In order to send more signals within a certain time interval, we utilise two parallel BB84 systems in the experiment. In each run, Bob sends two sequences of pulses within s. The delay between the time when Bob sends his first signal and the triggered GPS signal is measured as s, which is taken as the initial time, .
Alice uses a HWP to choose the measurement basis and two SPDs to implement the measurement. When she selects the rectilinear basis, bit is committed, whereas when she chooses the diagonal basis, bit is committed. The detection efficiency, dark count rate and dead time of each SPD are, respectively, , cps and ns. The total detection efficiency of the measurement setup is around , including a transmission and collection efficiency of together with the SPD’s detection efficiency. An FPGA board is used to record and process the detection information. When one detector clicks, the FPGA board records which detector has clicked and the time instant when this happened. When both detectors click, the FPGA board records the information of one of them randomly chosen. If there are two detection events in a ns time interval, the later detection event’s information is dropped. This last procedure is implemented to keep a dishonest Bob from attacking Alice’s detection device. Meanwhile, the FPGA board also sends all the detection timing information to Bob through 1 GHz optical communication. This step is needed to keep a dishonest Alice from cheating [17].
Next, Alice encrypts all her data using the OTP and sends it to her agents and via 1 GHz optical communication. The secret keys and for OTP have been generated using a QRNG and shared between Alice and her agents off line. In order to communicate through a long-distance free-space channel, Alice uses erbium doped fiber amplifiers (EDFAs) to amplify the optical signals to an average power of mW for the Alice channel, and W for the Alice channel. Kepler telescopes with aperture of mm and mm are used to send the amplified signals to agents and , respectively. Cassegrain telescopes with aperture of mm are used by both agents to receive the signals. In order to achieve a stable and highly efficient free-space optical channel, we employ the acquiring, pointing and tracking (APT) technique in both the transmitter and the receiver. The optical signals are then collected into a multimode fiber with a diameter of m. At the output of the fiber, we observe an average power of more than W, which is high enough for a classical optical detector.
and decrypt the optical signals using their own respective secret keys as illustrated in Fig. 1c. After receiving all the data sent by Alice, they forward the decrypted information to agents and via 1 GHz optical communication, respectively, to unveil the committed bit value. Then, and compare the information received together with Bob. If the data sent by and is not equal, Bob rejects the commitment. Otherwise, he calculates the parameters , , and following the procedure described in Appendix B. Only when these parameters satisfy the conditions described in the verification step of the protocol, Bob accepts the commitment. Meanwhile, with the help of their own GPSs, and record the arrival time of the signals sent by and . Based on this timing information, Bob and his agents determine according to Eq. (1). All the communications between Alice’s and Bob’s agents use a bandwidth of 1 GHz.
We performed the experiment times, in half of which Alice commits to the bit value and in the other half she commits to . The results are shown in Tab. 1. In each run, Alice detects around pulses. The total bit error rate is around when the commitment basis coincides with the preparation basis. This error is mainly due to the optical baseline error and the detector’s dark counts.
The time interval between commit and unveil is about s for all the trials. As unveiling time, which we denote as , we consider the instant where sends the first signal to , since in our experiment this always happens before sends a signal to . From these results, Bob can also conclude that the commitment was not done in the locations of or .
Both quantum mechanics and relativity have changed our understanding of the universe. Our experiment shows for the first time that when we combine them we can solve a fundamental problem with many practical applications, and for which there is no solution using only one of them on their own. Our work demonstrates that quantum relativistic communication is experimentally feasible, and opens a promising new field for research with technological applications.
Acknowledgments
We acknowledge insightful discussions with XiangBin Wang, Chang Liu, Jing Lin, Yang Li, YaLi Mao, and Vicente Martin. This work has been supported by the National Fundamental Research Program (under Grant No. 2013CB336800, 2011CB921300 and 2011CBA00300), the NNSF of China, the CAS. AC was supported by the Project No. FIS201129400 (MINECO, Spain). MC acknowledges support from the European Regional Development Fund (ERDF), the Galician Regional Government (projects CN2012/279 and CN 2012/260, Consolidation of Research Units: AtlantTIC).
[Table 1: one column per experimental run (Exp); rows: Bit committed, Bit deduced, and four timing quantities in seconds (s).]
Appendix A Security analysis
In this Appendix we analyse the security of the bit commitment protocol implemented. For this, we use the security proof technique introduced in [21]. However, while [21] considers an error-free case and assumes that Bob sends Alice single-photon pulses, here we analyse the practical situation where the signals prepared by Bob are phase-randomised weak coherent pulses and the error rate of the single-photon contributions is below a certain prefixed value (see the definition of the protocol in the paper).
We begin by introducing some technical definitions. A bit commitment protocol is concealing if Bob cannot learn any information about the committed bit before Alice unveils it, except with a minuscule probability . And, it is binding if Bob has a guarantee that [21, 25] , where () represents the probability that Bob accepts Alice’s commitment to be (). Note that the binding condition in quantum bit commitment protocols is slightly different from that used in classical schemes, which typically requires that either or is very small after the commit phase. See [21, 25] for a detailed discussion related to this issue. We say that a commitment is secure, with , if it is concealing and binding.
In the next two sections we demonstrate that the bit commitment protocol implemented [17] is perfectly concealing (i.e., ) and binding, with given by Eq. (A.1). We begin by proving its security against a dishonest Alice.
A.1 Security against a dishonest Alice:
The main technical result of this section is Claim 1 below. It states that the bit commitment protocol considered in the paper is binding, with approximating zero when increases, given that the tolerated value is not too large. This result applies to the general global command model introduced in [21, 26], where it is assumed that Alice’s agents and may receive a global command to decide which bit value to unveil. For instance, and could decide to reveal either or depending on some global news simultaneously available to both of them.
Claim 1: The bit commitment protocol described in the paper is binding, with
where the function is the binary Shannon entropy function, denotes the tolerated error rate of the protocol, represents the minimum number of single photons prepared in the rectilinear basis (and also in the diagonal basis) that Alice needs to detect, and and are the probabilities that the estimation of the terms and is incorrect.
Proof.
The first fact to notice is that all multiphoton pulses sent by Bob are insecure. This is so because a dishonest Alice may perform a quantum non-demolition measurement of the total number of photons contained in each signal. Whenever she observes a multiphoton state, she can measure one photon in the rectilinear basis and another photon in the diagonal basis. Then she sends both results to her agents and . With this information, and assuming the global command model, and can always make . From now on, therefore, we will consider only the single-photon states sent by Bob and detected by Alice. These are the only contributions that can make the security parameter close to zero.
To prove the security of the single-photon pulses sent by Bob we consider a virtual qubit idea. Instead of preparing a single-photon BB84 state, Bob prepares its purification. That is, one can think of Bob actually having a qubit on his side. Then, he generates a signal by first preparing an entangled state of the combined system of his virtual qubit and the qubit that he is sending Alice in, say, a singlet state. He subsequently measures his virtual qubit, thus preparing a BB84 state. This virtual scheme is completely equivalent to the original one in terms of its security. More precisely, we will consider that Bob prepares singlet states and sends one qubit from each of these states to Alice, while he keeps the other qubit. Now, in principle, Bob may keep his virtual qubits in a quantum memory and delay his measurement on them. Only after Alice’s agents and have given all their results to agents and , Bob selects at random virtual qubits and measures them in the rectilinear basis. Likewise, he measures the remaining qubits in the diagonal basis.
Now, we need to introduce some further notations [21]. Let denote the quantum state shared by Bob and the agents and before the commitment is revealed. Also, let () represent the map applied by agent () with the intention to open the bit value . Importantly, the map () is restricted to act only on the subsystem held by (). These two maps produce respectively the output bit strings and , which are given to agents and . As described above, only after and have received, respectively, and , Bob decides which virtual qubits he measures in the rectilinear basis and which ones are measured in the diagonal basis. In so doing, we can naturally split the bit string into two substrings , where () contains those bits of associated with events where Bob measures the corresponding virtual qubit in the rectilinear (diagonal) basis. Likewise, Bob does the same with the bit string . Also, we split Bob’s system into and . The first (second) subsystem represents those virtual qubits that Bob measures in the rectilinear (diagonal) basis. That is, we have and . Moreover, let the quantum operation , with and , correspond to measuring all qubits from subsystem using the basis . That is, and denote the measurements implemented by Bob in the virtual protocol. The quantum operation is not performed in the protocol. However, we will use it for the purposes of the security proof. The result of applying () to Bob’s subsystem () is a bit string that we shall denote as (). Finally, let () be the operation that Bob uses to check if the results declared by agent () are consistent with committing to a bit value .
Using precisely the same arguments of [21], it is easy to show that the security parameter is upper bounded by the probability that tries to unveil the bit value , tries to unveil the bit value , and both results are accepted by Bob given that he makes a separate decision for each of these two agents. Next, we calculate an upper bound for this probability. For this, let be the classical state after Bob, and have made all their measurements (with trying to unveil the bit value , with ), i.e.,
(3) 
where we already used the fact that . With this notation, we have that can be expressed as
(4) 
Now, in order to evaluate Eq. (4), we introduce two further quantities. In particular, let be the probability that passes the test, and let be the state conditioned on passing. That is,
(5)  
This means that Eq. (4) can be equivalently written as
(6) 
The term on the r.h.s. of Eq. (6) represents the probability that passes the test conditioned on Bob accepting the result declared by . In order for to pass the test, we need that (see the definition of the protocol in the paper). This condition is equivalent to requiring that the Hamming distance between and is less than or equal to . That is, to pass the test needs to correctly guess at least bits from the bit string . Then, using a result from [27] we can obtain a simple upper bound for the probability that passes the test,
(7)  
where denotes the conditional min-entropy evaluated on the state . To prove Eq. (7) note that
(8) 
where denotes the Hamming distance between the bit strings and . From [27] we have that . Similarly, let denote a substring of of size , with . The probability that guesses correctly and fails in the remaining bits of is upper bounded by
(9) 
where in the inequality we have used the fact that . Then, if we take into account all the possible substrings contained in , we have that
(10) 
Now, we employ the uncertainty relation introduced in [28]. It states that
(11) 
where represents the max-entropy evaluated on the state
(12) 
As mentioned previously, note that the operation is not performed in the protocol. However, we can estimate its result. Combining this result with Eqs. (6) and (7) we find that
(13) 
The next step is to evaluate the quantity . For this, let denote the total number of errors detected in the declaration of (in the rectilinear basis) conditioned on passing. That is, we have that . Then, using Serfling's inequality [29] for random sampling without replacement we find that
(14) 
with . That is, Eq. (A.1) represents an upper bound for the probability of finding more than errors between the bit strings and given that we observed errors between the bit strings and .
Now, we define the binary event as
(15) 
and we use the same techniques employed in [21]. In particular, it can be shown that
(16) 
where denotes again the binary Shannon entropy function. Now, from [30] we have that
(17) 
Combining these results with Eq. (13), we obtain that
(18)  
where the parameter is given by Eq. (A.1). Finally, if we take into account that and, moreover, that when and pass the test then , we obtain
(19)  
After composing the errors related to the estimation of the parameters and we obtain Eq. (A.1). ∎
In Tab. 1 in the paper we have that , , and we select . Using Eq. (A.1) we obtain, therefore, that , where the parameter that minimises Eq. (A.1) is . Since the protocol is perfectly concealing (see next section), this implies that the committed bits are secure, with .
Let us remark that the upper bound given by Eq. (A.1) may not be tight, especially when the number of errors increases. However, since the error rate of our experiment is very low, this bound is enough for our purposes and we use it for simplicity. One way to improve this result would be to find a tighter upper bound for the l.h.s. of Eq. (7). If, moreover, this bound is written in terms of the min-entropy then all the security arguments used above could be applied directly. In reality, therefore, the total cheating probability in the experiment may be significantly lower than .
A.2 Security against a dishonest Bob:
Clearly, if the probability that Alice detects Bob’s signals is independent of the measurement basis selected, the bit commitment protocol implemented is perfectly concealing. This is so because Alice only informs Bob about which signals she has actually detected and her communication with agents and is encoded with the one-time pad (OTP) [24]. This means that the probability that a dishonest Bob guesses Alice’s committed bit correctly is .
It is therefore essential for any experimental realisation of the protocol to guarantee that Alice’s detection probability is independent of her measurement choice. To illustrate this point, below we discuss briefly some potential cheating strategies that a dishonest Bob may try to implement to obtain the committed bit. They exploit different imperfections of Alice’s threshold detectors that result in a detection probability that depends on Alice’s basis selection.
Exploiting double clicks: Due to the background noise (i.e., the dark counts of the detectors together with other possible background contributions) Alice may occasionally observe a simultaneous click in her two detectors. Similar to the situation in quantum key distribution, double clicks should not be discarded by Alice but they should be assigned to a random click, as we do in our experiment. Otherwise, a dishonest Bob may exploit double clicks to obtain the committed bit. For instance, he could send Alice a very strong pulse in, say, horizontal polarisation. Clearly, if Alice uses the rectilinear basis to measure the incoming pulse, she will observe a click in the detector associated to horizontal polarisation. However, if she uses the diagonal basis, she will observe a double click. If double clicks are discarded, then Bob will learn the committed bit when Alice informs him about which pulses she detected.
Exploiting the deadtime of Alice’s detectors: Similar to the previous case, a dishonest Bob may also exploit the deadtime of Alice’s detectors to produce, or not to produce, a click depending on the measurement basis. For instance, Bob may send Alice two strong pulses prepared in, say, horizontal and vertical polarisation, respectively, and separated by a time interval less than the deadtime. Then, if Alice uses the rectilinear basis, both signals will produce a click. However, if she uses the diagonal basis, the first signal generates a double click, while the second signal remains undetected due to the deadtime of the detectors. As above, when Alice informs Bob about which signals she detected he learns the committed bit.
Even if Alice only accepts clicks which are separated by a time interval greater than the deadtime of her detectors, a dishonest Bob can obtain the committed bit. For instance, Bob may send Alice three consecutive strong pulses in the time instants , and slightly after , where represents the deadtime of the detectors. Moreover, suppose that the first signal is prepared in horizontal polarisation, while the second and the third signals are prepared in vertical polarisation. Then, if Alice uses the rectilinear basis, she will observe a click in the first two instants. And she will report to Bob a detected event only in the first instant (since the first two instants are separated by a time interval smaller than and, therefore, she discards the second click). However, if she uses the diagonal basis, she will observe a double click in both the first and last instant. The second signal is never detected due to the deadtime of the detectors. Again, the information about Alice’s detected events (in particular, whether or not the third signal is detected) reveals the committed bit to Bob.
To avoid this type of attack and guarantee that the detection probability of Alice is independent of her measurement choice, Alice needs to ensure that her measurement results originate from events where both detectors were active. One simple solution to this problem is to actively control the deadtime. That is, every time Alice observes a click in any of her detectors, she disables both detectors for a time period equal to the deadtime. Alternatively, Alice may also postselect only those clicks that happened after a time period of at least without seeing any click. This last condition guarantees that the postselected clicks occurred when both detectors were active. Indeed, this is the solution that we implemented in the experiment, where the postselection of data is performed in real time in an FPGA.
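The following Python sketch is an added example, not code from the paper: a toy model of Alice's two threshold detectors that checks whether the list of detection times she announces to Bob depends on her measurement basis, for the double-click and three-pulse dead-time scenarios described above. It models the active dead-time control option (not the FPGA postselection), and the pulse times (0, τ/2, 1.05τ), the unit dead time and all function names are assumptions chosen for illustration.

```python
import random

TAU = 1.0  # detector dead time, arbitrary units (assumed value)

# Constructed probe sequences of strong pulses: (arrival time, polarisation).
DOUBLE_CLICK_PROBE = [(0.0, "H")]
DEADTIME_PROBE = [(0.0, "H"), (0.5 * TAU, "V"), (1.05 * TAU, "V")]


def detectors_hit(polarisation, basis):
    """Detectors (0 = H/D arm, 1 = V/A arm) that a strong H or V pulse reaches."""
    if basis == "rectilinear":
        return [0] if polarisation == "H" else [1]
    return [0, 1]  # in the diagonal basis a strong H/V pulse lights both arms


def announce(pulses, basis, discard_double, active_deadtime, rng=None):
    """Return (times announced to Bob, outcomes kept for Alice's agents)."""
    rng = rng or random.Random(0)
    ready_at = [0.0, 0.0]      # when each detector is active again
    last_announced = None
    times, outcomes = [], []
    for t, pol in pulses:
        fired = [d for d in detectors_hit(pol, basis) if t >= ready_at[d]]
        if not fired:
            continue           # every detector the pulse reached was dead
        if active_deadtime:
            ready_at = [t + TAU, t + TAU]   # any click blanks BOTH detectors
        else:
            for d in fired:
                ready_at[d] = t + TAU       # only the clicking detector is dead
        if len(fired) == 2 and discard_double:
            continue                        # weak policy: double clicks dropped
        outcome = rng.choice(fired)         # double click -> random assignment
        if last_announced is not None and t - last_announced < TAU:
            continue           # drop clicks closer than TAU to the previous one
        last_announced = t
        times.append(t)
        outcomes.append(outcome)
    return times, outcomes


def leaks_basis(pulses, discard_double, active_deadtime):
    """True if the announced detection times differ between the two bases."""
    rect, _ = announce(pulses, "rectilinear", discard_double, active_deadtime)
    diag, _ = announce(pulses, "diagonal", discard_double, active_deadtime)
    return rect != diag


if __name__ == "__main__":
    probes = [("double-click", DOUBLE_CLICK_PROBE), ("dead-time", DEADTIME_PROBE)]
    for name, probe in probes:
        for discard in (True, False):
            for active in (False, True):
                print(name, "discard_double =", discard,
                      "active_deadtime =", active,
                      "-> leaks:", leaks_basis(probe, discard, active))
```

With random double-click assignment and active dead-time control, both probes give identical announcements in the two bases; any other combination leaks the basis for at least one probe.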
Appendix B Estimation of the parameters , , and
In this Appendix we show how to estimate the foregoing parameters, which are used by Bob in the verification step of the protocol to decide whether or not he accepts Alice’s commitment.
We begin by introducing some notations. Let () denote the conditional probability that Bob sends Alice a signal containing two or more photons, given that he selected the rectilinear (diagonal) basis. In the bit commitment protocol considered, Bob sends Alice phase-randomised weak coherent pulses of intensity . This means that and satisfy
(20) 
where the parameter denotes an upper bound for the intensity fluctuations of the laser diode.
Let () be the total number of signals sent by Bob in the rectilinear (diagonal) basis. And, let () represent the total number of multiphoton signals sent by Bob when he selects the rectilinear (diagonal) basis. The parameters and are not directly observed in the experiment but they can be estimated. Using the Chernoff-Hoeffding inequality for i.i.d. random variables [31, 32], we have that
(21) 
except with error probability given by
(22) 
Here, is the Kullback-Leibler divergence between Bernoulli distributed random variables [33]. Similarly, we obtain that , except with error probability given by
(23) 
Finally, let () denote the total number of signals declared as detected by Alice when Bob selected the rectilinear (diagonal) basis. Combining the results above, we have that
(24) 
except with error probability . To derive Eq. (B) we have assumed the worst-case scenario where all multiphoton signals sent by Bob are actually declared as detected by Alice. The parameters , , and are observed in the experiment, the probabilities and are fixed by Bob’s state preparation process, and the terms and can be obtained using Eqs. (22) and (23) for any given value of the tolerated error probabilities and . These quantities are shown in Tab. 2 for the experiment reported in the paper.
The calculation of and is straightforward. We consider a worst-case scenario where all the errors observed are assumed to affect only the single photon signals sent by Bob. That is, () is directly given by the total number of errors in the rectilinear (diagonal) basis.
In the experiment reported in the paper and . According to Eq. (20), this means that .