From Quantum Bit Commitment To The Reality Of The Quantum State

Quantum mechanics famously enables certain cryptographic tasks that would be classically impossible, among them, distributing a string of bits between two or more players unconditionally securely and enabling a secret to be split and distributed securely. The reason that quantum mechanics empowers cryptography is embodied in a number of no-go results: the fact that an unknown quantum state can’t be cloned; that measuring one observable may disturb another; and so on.

However, one task whose quantum feasibility has had a chequered past is bit commitment (BC). It involves two mistrustful players (usually named “Alice” and “Bob”), such that Alice commits to a bit (0 or 1) by submitting a quantum system as her evidence of commitment, possibly at the end of several rounds of information exchange. Eventually, she unveils the bit. The security requirement is that the evidence should bind Alice, even while her commit bit is hidden from Bob. BC is important because other crypto-tasks, such as remote coin tossing, secure multi-party computation, and zero-knowledge proofs, can be built on top of it. Except by taking recourse to computational assumptions, a trusted third party, or relativistic constraints on signaling [1], BC is not believed to be secure.

It is usually believed that whereas quantum mechanics can’t make BC unconditionally secure, yet it can confer benefits in terms of certain trade-offs between Alice’s and Bob’s cheating probability. The standard proof against quantum BC [2,3] hinges on quantum steering, a type of quantum nonlocality first recognized by E. Schrodinger [4]. This crucially depends on a quantum feature absent in classical physics: that distinct mixtures of states can be indistinguishable under all measurements! A familiar example that an equal-weighted mixture of vertically and horizontally polarized photons is physically indistinguishable from an equal-weighted mixture of a right- circular and left-circular polarized photons.

Although they can’t be found to be different, the two mixtures could be verified to be different, once their preparation information is revealed. The original intuition was that this would be the basis for a BC scheme, with Alice supplying the preparation information as part of her evidence at the time of unveiling her commit bit. It turns out that in a family of theories (not just quantum mechanics) which, in addition to the above indistinguishability property, also allow entanglement, Alice can use entanglement to remotely steer Bob’s system into one or the other mixture. In other words, the hiding condition against Bob makes the scheme fully vulnerable to Alice. One can add complicated layers of encoding or communication to the purported QBC scheme, but, in the end, this basic idea makes this type of scheme insecure.

As it stands, the above argument is actually pretty powerful and tight. But, is the above framework for hiding and unveiling Alice’s bit the most general? Some researchers voiced reservations. While some among them eventually became converts, others remained skeptical [4]. Possibly, the simplest conceivable way to try to go beyond the above framework is to have Alice submit a classical evidence. Trivially, it can’t be steered, making it impervious to the above steering-based attack. But, of course, that doesn’t automatically guarantee security. For one, it seems just like classical BC, which is known not to be unconditionally secure.

However, the classical evidence could be the product of quantum information processing, in particular, of non-commuting quantum measurements by Alice on states prepared by Bob. But then, this allows the possibility that Bob may try to bias the states submitted to Alice. We can hope to eliminate this danger by having Alice prepare the states initially, and then have Bob randomize them in very quantum ways, before retransmitting them back to Alice. Because of subtle and convoluted cat-and-mouse games that can be played in terms what states are actually sent and what operations are actually performed by either party, it isn’t obvious whether security eventually emerges in this extended framework. That such a double-blind scheme for QBC can indeed be made secure, is the argument put forward in [5].

This result is then applied by [5] to a basic issue in the foundations of quantum mechanics. The question of what exactly the quantum state ψ physically signifies has been debated since the birth of quantum theory over a century ago, and recently scrutinized by various authors [6]. Broadly, the question concerns whether ψ is real (ontic, a state of Nature, objective) or epistemic (a state of knowledge, subjective). The security of the above QBC protocol, called P2 in [5] (being the second of three protocols proposed there), is then exploited in [5] to argue that the quantum state is indeed real.

The idea is simply to use the above protocol for committing a bit in tandem with another protocol that would be insecure by itself! In this, Alice transmits one half of her classical evidence (call it M1) as in the above secure protocol. For the other half (call it M0), maximal qubit entanglement distributed by Bob is consumed by Alice to remotely prepare his qubits in Pauli X or Z basis, by measuring her qubits in the same basis, depending on whether she has a 0 or 1 bit in the string M0. Denote by M2 the outcome of this measurement. Her submitted evidence of commitment, which is classical, is the concatenated string M1 + M2.

Now, M1 is simply part of the evidence she would submit in the protocol P2. Bob could use the submitted evidence string M2 together with the state of his qubits to deduce some information about string M0. In so doing, he would gain partial information about M0. This doesn’t make the present scheme (called protocol P3 in [5]) vulnerable towards Bob since the security of protocol P2 implies that even Bob’s full knowledge of the combined string M0 + M1 reveals hardly anything to him about her commitment. On the other hand, the evidence string M1 itself binds Alice by virtue of the security of protocol P2 (We can assume that M1 is at least as long as it is in the stand-alone protocol P2). Thus, protocol P3 is at least as secure as P2.

When Alice makes her commitment at time instant T relative to her local clock and generates the measurement record M2, she knows she has remotely prepared Bob’s qubits in a very definite sense. Namely, she knows that, after time T, there is a certificate (viz., the record M0) which can reproduce M2 on Bob’s qubits with 100% guarantee, in support of the commit bit, whereas no such perfect certificates exist for the non-commit bit.

In this sense, Bob’s state was symmetric with respect to either commitment prior to time T, whereas at T, this symmetry is broken. If P2 were insecure, this broken symmetry would largely be a matter of semantics. However, given its security, this symmetry breaking implies a spacelike influence correlating Alice’s choice and Bob’s state. Since the possibility of a dynamical mechanism underlying this correlation has to be ruled out, we are led to conclude that the quantum state vector reduction, and hence the quantum state itself must be real. We stress that no superluminal signal is received by Bob since he can’t unilaterally detect her commitment, but only verify it.

These findings are described in the article entitled Quantum Bit Commitment and the Reality of the Quantum State, recently published in the journal Foundations of Physics. This work was conducted by R. Srikanth from the Poornaprajna Institute of Scientific Research.


  1. T. Lunghi, J. Kaniewski, F. Bussieres, R. Houlmann, M. Tomamichel, S. Wehner, H. Zbinden. Practical relativistic bit commitment. Phys. Rev. Lett. 115, 030502 (2015)
  2. Mayers, D.: Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78, 3414-3417 (1997) ; Lo, H.-K., Chau, H.F.: Is quantum bit commitment really possible? Phys. Rev. Lett. 78, 3410-3413 (1997).
  3. E. Schrödinger, “Probability relations between separated systems”; Proc. Cambridge Philos. Soc. 32, 446 (1936). Also, see H. M. Wiseman, S. J. Jones, and A. C. Doherty, “Steering, Entanglement, Nonlocality, and the Einstein-Podolsky-Rosen Paradox”; Phys. Rev. Lett. 98, 140402 (2007).
  4. Guang Ping He. Simplified quantum bit commitment using single photon nonlocality. Quantum. Inf. Process. 13, 2195 (2014)
  5. R. Srikanth. Quantum Bit Commitment and the Reality of the Quantum State. Found Phys (2018) 48:92–109.
  6. Leifer, M.S.: Is the quantum state real? an extended review of ψ-ontology theorems. Quanta 3, 67-155 (2014).