Classical Commitments to Quantum States

by Ági Villányi

B.S., Massachusetts Institute of Technology, 2021

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY, May 2024

© 2024 Ági Villányi. All rights reserved. The author hereby grants to MIT a nonexclusive, worldwide, irrevocable, royalty-free license to exercise any and all rights under copyright, including to reproduce, preserve, distribute and publicly display copies of the thesis, or release the thesis under an open-access license.

Authored by: Ági Villányi, Department of Electrical Engineering and Computer Science, May 17, 2024
Certified by: Anand Natarajan, Assistant Professor of Electrical Engineering and Computer Science, Thesis Supervisor
Accepted by: Leslie A. Kolodziejski, Professor of Electrical Engineering and Computer Science, Chair, Department Committee on Graduate Students

Classical Commitments to Quantum States
by Ági Villányi
Submitted to the Department of Electrical Engineering and Computer Science on May 17, 2024 in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE

ABSTRACT

We define the notion of a classical commitment to quantum state scheme, which allows a quantum prover to compute a classical commitment to a quantum state and later open each qubit of the state in either the standard or Hadamard basis, while limiting communication with the verifier to a classical channel. Our scheme strengthens the notion of a measurement protocol from [Mah18], which is binding only in the standard basis. We construct our commitment scheme from the post-quantum Learning With Errors (LWE) assumption, and rely directly on any noisy trapdoor claw-free function family that satisfies the adaptive hardcore bit property first introduced in [Bra+18].
Thesis supervisor: Anand Natarajan
Title: Assistant Professor of Electrical Engineering and Computer Science

Acknowledgments

Maminak és Papinak (to mom and dad).

This thesis is based on recent work with Sam Gunn (UC Berkeley) and Professors Anand Natarajan and Yael Tauman Kalai (MIT) [Gun+24]. I am extremely grateful for the endless support and guidance of my doctoral advisor, Anand, who has taught me everything I know about quantum information and complexity, and to Yael and Sam for being generous teachers of cryptography and mentors throughout this project.

Contents

Title page 1
Abstract 3
Acknowledgments 5
1 Introduction 9
2 Preliminaries 13
  2.1 Notation 13
  2.2 Quantum Information 13
    2.2.1 Basics 13
    2.2.2 Gentle Measurement Lemma 14
  2.3 Cryptography 15
3 Background 21
  3.1 Complexity Theory Primer 21
    3.1.1 Classical 21
    3.1.2 Quantum 24
  3.2 Self-Reducibility 26
  3.3 Classical Proof Systems 27
    3.3.1 coNP ⊆ IP 27
  3.4 Quantum Proof Systems 32
    3.4.1 BQP ⊆ QPIP_1 32
    3.4.2 BQP ⊆ QPIP_0 assuming LWE 32
4 Classical Commitments to Quantum States 37
  4.1 Syntax 37
  4.2 Properties 39
    4.2.1 Correctness 39
    4.2.2 Binding 40
  4.3 Constructions 41
  4.4 Construction for Single Qubit States 41
  4.5 Construction of Commitments for Multi-Qubit States 44
5 Analysis 47
  5.1 Correctness 47
  5.2 Binding 50
    5.2.1 Exploiting the Collapsing Property of NTCFs 52
    5.2.2 Defining the Operational Paulis 57
References 71

Chapter 1 Introduction

A computation defines a sequence of steps that evaluates some function f : {0, 1}* → {0, 1}* at a given input x ∈ {0, 1}*. A model of computation formally specifies how a given computational resource can be used to execute the evaluation. Some examples of resources include randomness, non-determinism, or quantum mechanics. Not all models of computation are physically implementable. For example, if we could build devices relying on non-determinism, then we could easily output solutions to NP-hard problems. Deterministic and randomized computation, however, capture classical computation from laptops to GPUs, as formally stated in the extended Church-Turing thesis [Yao03; Tur37]. The advent of quantum computation challenges this thesis and suggests that there exist physically implementable classes that are more powerful than classical randomized computation [BV93].

Dual to a computation is a proof of its correctness.
Perhaps surprisingly, it often seems that verifying that the output of the evaluation is correct is easier than executing the evaluation itself. This has had enormous implications in the field of computational complexity theory. The formal relationship between computation and proof lies at the heart of major open problems, such as the P versus NP question, where P is the complexity class defining deterministic computations, and NP is the class defining the hardness of verifying them.

NP may be thought of as capturing the traditional, axiomatic notion of proofs. That is, the proof is given as a string of symbols, of which the logical implications can be deduced by parsing the symbols. Slight modifications of this approach have led to powerful proof systems beyond NP. For example, if the existence of a proof is allowed to be enough, interaction and randomization can be used to prove statements beyond those contained in NP. The corresponding complexity class is called IP, for interactive proofs. In this model, a proof consists of an adaptive interaction between an all-powerful (computationally unbounded) prover P and a classical verifier V that has access to random coins. A proof is now comprised of the interaction transcript between P and V rather than the initial string sent by P. This model is so powerful that it allows for efficient verification of all problems in PSPACE, as shown by the seminal IP = PSPACE result [Sha92].

In the classical setting, many constructions of interactive proofs rely on two notions: self-reducibility of certain functions (first introduced in [Tra70]) and commitment schemes (from cryptography). Self-reducibility is the property that a function can be evaluated at some input x by querying an oracle on a set of instances S not containing x.
Certain types of self-reducibility, namely downward and random self-reducibility, are crucial in interactive proofs because they allow the verifier to reduce some hard problem to an easier one, by querying P on elements of S. This notion is particularly powerful when paired with commitment schemes.

A commitment scheme is a two-party protocol between a committer C and a verifier V that consists of two phases, a COMMIT phase and an OPEN phase. Informally, to commit to a bit b, C (potentially through interacting with V without revealing b) prepares a commitment string during the COMMIT phase. During the OPEN phase, this string is "opened" to send the initial bit b to V. In general, commitment schemes are required to satisfy three properties:

1. (Correctness): In the case of honest parties, V accepts the opening as correct.
2. (Hiding): V does not learn the bit b until revealed by C in the OPEN phase.
3. (Binding): Once the commitment is made, C cannot change their mind. Namely, any two openings reveal the same bit b.

Many classical interactive proof systems, such as those of the MIP = NEXP result and also the PCP theorem, rely on the binding property of commitments to "lock" the prover to an encoding of the witness. This encoding often rewrites the original claim into one that involves a function that satisfies at least one self-reducible property. This then allows the verifier to test the prover using interaction, despite being much weaker than the prover [Lun+92; Aro+98].

In the quantum case, the quantum analogue of IP is QIP, which consists of an unbounded prover P and BQP verifier V. Remarkably, it was shown in [Jai+09] that QIP = PSPACE, which implies that QIP is precisely as powerful as IP. This motivates the question: In what setting is there a significant difference between classical and quantum proofs?
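The COMMIT/OPEN structure and the binding property just described (formalised later as Definitions 13 and 14) can be made concrete with a small classical example. The following code is added here and is not the thesis's scheme: it uses a hash-based bit commitment (SHA-256 over the bit and a random nonce, whose binding rests on collision resistance rather than on LWE) purely as a stand-in, together with a deliberately broken variant in which the commitment ignores the bit. The function `binding_advantage` computes the quantity of equation (2.11), the smaller of the two acceptance probabilities for opening to b = 0 and to b = 1, so a committer who can only open one bit scores 0 and one who can open both scores 1. All function names are this example's own.

```python
import hashlib
import secrets

# Added illustration of a classical bit commitment (Commit, Open, Val) and of the
# binding measure min_b Pr[acc <- Val(b, z, y)].  Hash-based stand-in, not the
# NTCF-based scheme of the thesis.

NONCE_BYTES = 32


def commit(b, rng=secrets.token_bytes):
    """COMMIT phase (non-interactive here): returns the public commitment string y
    and the committer's private information priv = (b, r)."""
    assert b in (0, 1)
    r = rng(NONCE_BYTES)
    y = hashlib.sha256(bytes([b]) + r).digest()
    return y, (b, r)


def open_commitment(b, priv, y):
    """OPEN phase: the honest committer reveals the nonce as the opening string z.
    It has only one nonce, so it returns the same z whichever bit is requested."""
    _, r = priv
    return r


def val(b, z, y):
    """Verifier's check: accept iff z opens y to the bit b."""
    return hashlib.sha256(bytes([b]) + z).digest() == y


def binding_advantage(open_strategy, priv, y, validate=val):
    """A_{C*,V}(priv, y) of equation (2.11) for a deterministic opening strategy:
    the minimum over b of the acceptance probability (here 0 or 1)."""
    return min(1.0 if validate(b, open_strategy(b, priv, y), y) else 0.0 for b in (0, 1))


# Deliberately broken variant (constructed for contrast): the commitment ignores b,
# so the same nonce opens y to either bit and binding fails.
def broken_commit(rng=secrets.token_bytes):
    r = rng(NONCE_BYTES)
    return hashlib.sha256(r).digest(), r


def broken_open(b, priv, y):
    return priv  # the nonce, usable for either b


def broken_val(b, z, y):
    return hashlib.sha256(z).digest() == y


def demo():
    """Returns (advantage of the honest opener, advantage against the broken scheme)."""
    y, priv = commit(1)
    honest = binding_advantage(open_commitment, priv, y)
    y2, r2 = broken_commit()
    broken = binding_advantage(broken_open, r2, y2, validate=broken_val)
    return honest, broken


if __name__ == "__main__":
    print(demo())  # (0.0, 1.0)
```

Correctness (property 1) is the check that the honest opening of the committed bit is accepted; hiding (property 2) comes from the random nonce; binding (property 3) is exactly the statement that `binding_advantage` is negligible for every efficient committer, which the broken variant violates outright.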
It appears that the relationship between classical and quantum proofs is especially unclear in the setting of delegation, which is an interactive proof between a weak verifier and a more powerful yet computationally bounded prover. Here, powerful could mean access to greater quantities of computational resources, or it could mean a syntactically different (and allegedly stronger) model of computation, as in the case of quantum delegation. In either setting, the goal of the verifier is to be convinced that the prover, when asked to execute a given computation, behaved as it was expected to. A successful delegation protocol is a two-party protocol between a powerful prover and a weak verifier that satisfies three properties:

1. (Efficiency): An honest prover is computationally efficient, as defined by a given model of computation.
2. (Completeness): In the case of honest behavior, the verifier is convinced that the computation was executed properly with high probability.
3. (Soundness): In the case of adversarial tampering, there exists no malicious prover that convinces the verifier of a false statement with high probability.

An information theoretic delegation protocol is one in which the soundness condition holds against computationally unbounded provers. In contrast, delegation protocols with security against computationally bounded parties are referred to as interactive arguments.

The soundness property for delegation requires some mechanism for catching incorrect behavior, where correctness is defined by the verifier's expectations for how the prover should operate. What distinguishes this from the standard notion of IP is that completeness is required to hold for an efficient prover. In the classical setting, delegation has been well-studied, and most protocols rely on self-reducible and error-correcting properties of certain classes of polynomials [GKR15].
In the quantum case, the problem is well studied when both parties have access to some amount of quantum resource [FHM18; GKK18]. Classical delegation of quantum computations, however, remains to be fully understood.

The problem of classical delegation of quantum computations is concerned with constructing a proof system for the following scenario: a BPP verifier delegates a computation to a BQP prover, and the BQP prover wishes to convince the verifier that the output of the computation is correct. An information-theoretic solution to this question is an open problem. However, the seminal work of Mahadev's measurement protocol [Mah18] provides an interactive argument for verifying all computations in BQP. The measurement protocol is based on the assumed post-quantum hardness of the Learning-with-Errors (LWE) problem.

More concretely, Mahadev's result shows that, under computational assumptions, BQP ⊆ QPIP_0, where QPIP_0 is the class of efficient classical interactive proofs for BQP. To show this, it suffices to demonstrate that some BQP-hard problem admits a proof in QPIP_0, assuming LWE. The problem used in [Mah18] is the Local-Hamiltonian problem. Informally, this problem decides whether the ground state of a k-local Hamiltonian acting on n qubits is below a threshold α, or above a threshold β, where β − α = poly(n). The protocol relies on a classical commitment to quantum state scheme that is weakly binding in the standard basis.

A commitment scheme is central to the success of a measurement protocol [Mah18]. The analogy made by [Mah18; FHM18] is that the binding property of the commitment enables the verifier to use the prover as its "trusted measurement device" in the standard and Hadamard bases. By [BL08], measurements of the witness in the standard and Hadamard bases are sufficient for estimating the ground state energy, and therefore for solving the LH problem.
While a measurement protocol may be viewed as a commitment scheme, it is only weakly binding, in the following sense. A prover may deviate to another accepting witness during the protocol, as long as it shows that there exists some witness that causes the verifier to accept. While this notion of a binding guarantee suffices for verification, it is insufficient for formalizing the measurement protocol as a commitment scheme. Indeed, in the Hadamard basis, the prover is free to deviate as long as the deviation commutes with a standard basis measurement. This is the key research question that we resolve in this work:

Does there exist a classical commitment to quantum state scheme that is binding in both the standard and Hadamard bases?

Namely, we present a novel notion for binding in the setting of a quantum committer and classical receiver and construct a commitment scheme that satisfies it under the assumption that LWE is post-quantum secure. To the best of our knowledge, our construction is the first to satisfy the strong binding property that we define. We rely on the measurement protocol as part of our construction.

Roadmap. Chapter 2 includes all relevant preliminaries for quantum information and cryptography. Chapter 3 details background in classical and quantum complexity, as well as a discussion of self-reducibility. Chapter 4 details our syntax, defines our construction based on LWE, and formalizes notions of binding for commitments in this setting. Finally, Chapter 5 proves that our scheme satisfies properties of correctness and binding.

Chapter 2 Preliminaries

2.1 Notation

We write vectors and bit-strings using lowercase bold letters, denoted by x. Given two bit strings x, y, their concatenation is represented by (x, y). A Hilbert space is denoted using H. Parties in interactive protocols are denoted P, C, V.
Quantum registers are denoted by A, B, C, quantum states are labeled using standard braket notation |ψ⟩, and quantum operations are represented using H, CNOT, U, etc.

2.2 Quantum Information

2.2.1 Basics

In the Hilbert space formalism, a universal set of quantum operations is as follows [NC10]:

$$\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix} \quad (2.1)$$

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \quad (2.2)$$

$$T = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix} \quad (2.3)$$

We make use of a technique called purification throughout this work. It is defined below.

Definition 1 (Purification). [NC10] Given any arbitrary state ρ_A of a quantum system A, there exists a second quantum system B that defines a pure state |AB⟩ such that ρ_A = Tr_B(|AB⟩⟨AB|).

2.2.2 Gentle Measurement Lemma

We use the following infant version of the gentle measurement lemma.

Lemma 2. Let |ψ⟩ be a pure state and Π be a projector such that ⟨ψ|Π|ψ⟩ = 1 − ε. Then ‖Π|ψ⟩ − |ψ⟩‖₂ = √ε.

Proof. Calculate: ‖Π|ψ⟩ − |ψ⟩‖₂² = 1 − ⟨ψ|Π|ψ⟩ = ε.

We also use the following version for mixed states.

Lemma 3. Let ρ be a mixed state and Π be a projector such that Tr[Πρ] = 1 − ε. Then ½‖ρ − Π[ρ]‖₁ ≤ √ε.

Proof. This is Lemma 9.4.2 of [Wil11].

Lemma 4. Suppose |ψ₁⟩_ABC and |ψ₂⟩_ABC are pure states with A being a single-qubit register, and U is a unitary acting on register B. Let CU_AB denote the controlled version of U, with A being the control system and B the target. Then

‖CU_AB ⊗ I_C(|ψ₁⟩ − |ψ₂⟩)‖₂ = ‖Z_A ⊗ I_BC(|ψ₁⟩ − |ψ₂⟩)‖₂,

where Z is the Pauli Z operator.

Proof. In the following calculation we omit factors of identity that are clear from context.

$$\begin{aligned}
\| CU_{AB}(|\psi_1\rangle - |\psi_2\rangle) \|_2^2
&= \| |0\rangle\langle 0|_A (|\psi_1\rangle - |\psi_2\rangle) + |1\rangle\langle 1|_A \otimes U_B (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 \\
&= \| |0\rangle\langle 0|_A (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 + \| |1\rangle\langle 1|_A \otimes U_B (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 \\
&= \| |0\rangle\langle 0|_A (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 + \| |1\rangle\langle 1|_A (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 \\
&= \| |0\rangle\langle 0|_A (|\psi_1\rangle - |\psi_2\rangle) - |1\rangle\langle 1|_A (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 \\
&= \| Z_A (|\psi_1\rangle - |\psi_2\rangle) \|_2^2 .
\end{aligned}$$

Definition 5 (The infinity-norm).
The infinity-norm of a matrix A is defined as follows:

$$\|A\|_\infty = \max_{1 \le i \le n} \sum_{j=1}^{n} |a_{ij}| \quad (2.4)$$

2.3 Cryptography

We rely on the Learning-with-Errors cryptographic assumption and the cryptographic primitive of trapdoor claw-free functions. Moreover, we define classical commitment schemes.

Learning With Errors

We refer the reader to [Bra+18] for detailed background on the LWE problem.

Definition 6. [Bra+18] Fix a security parameter λ. Let χ = χ(λ) be a distribution defined over Z, and let n(λ), m(λ), q(λ) ∈ N be integer functions of λ. The LWE_{n,m,q,χ} problem is to distinguish between (A, As + e (mod q)) and (A, u), where A ← Z_q^{n×m}, s ← Z_q^n, e ← χ^m, u ← Z_q^n are all chosen uniformly at random.

Noisy Trapdoor Claw-Free Functions

In what follows we define the notion of a noisy trapdoor claw-free function family. This notion is simpler than the notion of a dual-mode noisy trapdoor claw-free function family which was used for certifiable randomness generation in [Bra+18] and by Mahadev [Mah18] in her classical verification protocol for QMA. This simpler notion suffices for our work.¹

Definition 7. A noisy trapdoor claw-free function (NTCF) family is described by PPT algorithms

(Gen, Eval, Invert, Check, Good) (2.5)

with the following syntax:

Gen(1^λ) → (pk, sk). This PPT key generation algorithm takes as input a security parameter λ (in unary) and outputs a public key pk and a secret key sk. We denote by D_pk the domain of the (randomized) function defined by pk, and assume for simplicity that D_pk is an efficiently verifiable and samplable subset of {0, 1}^{n(λ)}. We denote by R_pk the range of this (randomized) function.

Eval(pk, b, x) → y. This PPT algorithm takes as input a public key pk, a bit b ∈ {0, 1} and an element x ∈ D_pk, and outputs a string y distributed according to some distribution χ = χ_{pk,b,x}.

Invert(sk, y) → ((0, x₀), (1, x₁)).
This deterministic polynomial time algorithm takes as input a secret key sk, and an element y in the range R_pk and outputs two pairs (0, x₀) and (1, x₁) with x₀, x₁ ∈ D_pk, or ⊥.

Check(pk, b, x, y) → 0/1. This deterministic poly-time algorithm takes as input a public key pk, a bit b ∈ {0, 1}, an element x ∈ D_pk and an element y ∈ R_pk and outputs a bit.

Good(x₀, x₁, d) → 0/1. This deterministic poly-time algorithm takes as input two domain elements x₀, x₁ ∈ D_pk and a string d ∈ {0, 1}^{n+1}. It outputs a bit that characterizes membership in the set:

Good_{x₀,x₁} := {d : Good(x₀, x₁, d) = 1} (2.6)

We specify that Good(x₀, x₁, d) ignores the first bit of d.

¹ Our formulation is from [Bar+22] (without the dual-mode requirement).

We require that the following properties are satisfied.

1. Completeness:

(a) For all (pk, sk) ∈ Supp(Gen(1^λ)), every b ∈ {0, 1}, every x ∈ D_pk, and y ∈ Supp(Eval(pk, b, x)), Invert(sk, y) = ((0, x₀), (1, x₁)) such that x_b = x and y ∈ Supp(Eval(pk, β, x_β)) for every β ∈ {0, 1}.

(b) For all (pk, sk) ∈ Supp(Gen(1^λ)), there exists a perfect matching M_pk ⊆ D_pk × D_pk such that Eval(pk, 0, x₀) ≡ Eval(pk, 1, x₁) if and only if (x₀, x₁) ∈ M_pk.

(c) For all (pk, sk) ∈ Supp(Gen(1^λ)), every b ∈ {0, 1} and every x ∈ D_pk,

Pr[Check(pk, b, x, y) = 1] = 1 (2.7)

if and only if y ∈ Supp(Eval(pk, b, x)).

(d) For all (pk, sk) ∈ Supp(Gen(1^λ)) and every pair of distinct domain elements x₀, x₁, the density of Good_{x₀,x₁} is 1 − negl(λ).

2. Efficient Range Superposition: For every (pk, sk) ∈ Supp(Gen(1^λ)) and every b ∈ {0, 1}, there exists an efficient QPT algorithm to prepare a state |φ_b⟩ such that:

$$|\varphi_b\rangle \equiv \frac{1}{\sqrt{|D_{pk}|}} \sum_{x \in D_{pk},\, y \in R_{pk}} \sqrt{p_{pk}(b, x, y)}\, |x\rangle |y\rangle \quad (2.8)$$

for some negligible function µ(·). Here, p_pk(b, x, y) denotes the probability density of y in the distribution Eval(pk, b, x).

3.
Adaptive Hardcore Bit: For every BQP adversary A there exists a negligible function µ such that for every λ ∈ N,

$$\Pr\big[ A(pk) = (y, b, x, d, v) : \mathrm{Check}(pk, b, x, y) = 1 \wedge d \in \mathrm{Good}_{x_0, x_1} \wedge d \cdot (1, x_0 \oplus x_1) = v \big] \le \frac{1}{2} + \mu(\lambda), \quad (2.9)$$

where the probability is over (pk, sk) ← Gen(1^λ), and where ((0, x₀), (1, x₁)) = Invert(sk, y).

Claim 8. [BCMVV18] There exists a NTCF family assuming the post-quantum hardness of LWE.

In this work we rely on the fact that every NTCF family is collapsing, as defined below.

Definition 9. A NTCF family (Gen, Eval, Invert, Check, Good) is said to be collapsing if any BQP adversary A wins in the following game with probability 1/2 + negl(λ):

1. The challenger generates (pk, sk) ← Gen(1^λ) and sends pk to A.
2. A(pk) generates a classical value y ∈ R_pk and an (n(λ) + 1)-qubit quantum state σ = σ_{S,Z}, where the S register contains a single qubit and the Z register contains n(λ) many qubits. A sends (y, σ) to the challenger.
3. The challenger does the following:
   (a) Apply in superposition the algorithm Check to σ, w.r.t. public key pk and the image string y, and measure the bit indicating whether the output of Check is 1. If the output does not equal 1, send ⊥ to A. Otherwise, denote the resulting state by σ′.
   (b) Choose a random bit b ← {0, 1}.
   (c) If b = 0 then it sends σ′ to A.
   (d) If b = 1 then measure the S register of σ′ in the standard basis and send the resulting state to A.
4. Upon receiving the quantum state (or the symbol ⊥), A outputs a bit b′.
5. A wins if b′ = b.

Remark 10. An equivalent definition of collapsing is obtained by replacing Item 3d with the following: If b = 1 then send to A the state Z[σ′_S]. In this work we use both of these formulations, since it is sometimes easier to work with one and other times with the other.

Claim 11. [Unr16] Every NTCF family is collapsing.

In what follows we define an extension of the collapsing property and argue that any NTCF family satisfies it.
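The distinguishing problem of Definition 6 is easy to get wrong in the details (which side of the game is uniform, what knowing the secret buys), so here is a toy instance of it, added for this page and not part of the thesis. It samples both distributions of the definition with constructed parameters that are far too small to be secure, taking A as an m × n matrix so that As + e lies in Z_q^m, and uses a rounded Gaussian as a stand-in for the error distribution χ. It then plays the game with two distinguishers: one that is (illegitimately, outside the model of the definition) handed s, and so can check that b − As mod q is a small residual, and one that only sees (A, b); all names are this example's own.

```python
import random

# Added toy instance of the LWE distinguishing problem of Definition 6 (not the
# thesis's code).  Constructed parameters: n = 8, m = 32, q = 97; insecure by design.


def sample_matrix(rng, rows, cols, q):
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]


def sample_error(rng, m, sigma):
    # chi: a rounded Gaussian of width sigma, standing in for a discrete Gaussian.
    return [round(rng.gauss(0, sigma)) for _ in range(m)]


def matvec(A, s, q):
    return [sum(a * x for a, x in zip(row, s)) % q for row in A]


def lwe_sample(rng, n, m, q, sigma):
    """(A, b = A s + e mod q).  s and e are returned only so the checks below can use them."""
    A = sample_matrix(rng, m, n, q)
    s = [rng.randrange(q) for _ in range(n)]
    e = sample_error(rng, m, sigma)
    b = [(x + y) % q for x, y in zip(matvec(A, s, q), e)]
    return A, b, s, e


def uniform_sample(rng, n, m, q):
    """(A, u) with u uniform in Z_q^m: the second distribution of Definition 6."""
    return sample_matrix(rng, m, n, q), [rng.randrange(q) for _ in range(m)]


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def residual_is_small(A, b, s, q, bound):
    """Given s, b - A s mod q equals the error e for an LWE sample, and is uniform otherwise."""
    r = [centered(bi - ai, q) for bi, ai in zip(b, matvec(A, s, q))]
    return all(abs(x) <= bound for x in r)


def naive_guess(b, q, bound):
    """A distinguisher without s: guess 'LWE' (0) if many coordinates of b are small.
    Since <a_i, s> is itself uniform, b looks uniform either way and this guess is worthless."""
    small = sum(1 for x in b if abs(centered(x, q)) <= bound)
    return 0 if small > len(b) / 2 else 1


def lwe_game(rng, trials, n=8, m=32, q=97, sigma=2.0):
    """Plays the Definition 6 game `trials` times and returns the success rates of
    (i) a distinguisher handed s and (ii) the naive distinguisher above."""
    bound = q // 4
    with_secret = without_secret = 0
    for _ in range(trials):
        coin = rng.randrange(2)  # 0: LWE sample, 1: uniform sample
        if coin == 0:
            A, b, s, _ = lwe_sample(rng, n, m, q, sigma)
        else:
            A, b = uniform_sample(rng, n, m, q)
            s = [rng.randrange(q) for _ in range(n)]  # no secret exists; any s leaves a uniform residual
        with_secret += int((0 if residual_is_small(A, b, s, q, bound) else 1) == coin)
        without_secret += int(naive_guess(b, q, bound) == coin)
    return with_secret / trials, without_secret / trials


if __name__ == "__main__":
    print(lwe_game(random.Random(1), 400))
```

With these parameters the residual test separates the two cases essentially perfectly (a uniform residual passes the bound on all 32 coordinates with probability about 0.5^32), while the naive distinguisher stays at 1/2: this is the gap that the trapdoor sk of an NTCF is meant to reproduce for Invert, and that a BQP adversary holding only pk is assumed unable to close.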
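Lemmas 2 and 4 and the equivalence asserted in Remark 10 are all statements about small linear-algebra identities, and it is worth seeing them hold numerically. The block below is an added example written for this page, not code from the thesis: it builds the gates of (2.1)–(2.3), checks Lemma 2 on a random two-qubit state with Π = |0⟩⟨0|_A ⊗ I, checks both sides of Lemma 4 on random three-qubit states with U = T, and checks that measuring a qubit in the standard basis and forgetting the outcome is the same channel as applying Z with probability 1/2, which is the reading of Z[σ′_S] assumed here. The random states are constructed inputs and the helper names are the example's own; it is written in pure Python so that it runs with no dependencies.

```python
import cmath
import math
import random

# Added numerical check of Lemma 2, Lemma 4 and the measurement/dephasing identity
# behind Remark 10.  States are lists of amplitudes, operators nested lists.


def kron(A, B):
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def norm(v):
    return math.sqrt(sum(abs(x) ** 2 for x in v))


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


I2 = identity(2)
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]   # (2.2)
T = [[1, 0], [0, cmath.exp(1j * math.pi / 4)]]                                    # (2.3)
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]                    # (2.1)
P0 = [[1, 0], [0, 0]]   # |0><0|
P1 = [[0, 0], [0, 1]]   # |1><1|


def random_state(dim, rng):
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(dim)]
    n = norm(v)
    return [x / n for x in v]


def controlled(U):
    """CU_AB = |0><0|_A (x) I_B + |1><1|_A (x) U_B, with A the control."""
    lhs, rhs = kron(P0, identity(len(U))), kron(P1, U)
    return [[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(lhs, rhs)]


def gentle_measurement_gap(psi, proj):
    """Returns (||Pi psi - psi||^2, 1 - <psi|Pi|psi>); Lemma 2 says these are equal."""
    p_psi = matvec(proj, psi)
    overlap = sum(a.conjugate() * b for a, b in zip(psi, p_psi)).real
    return norm([a - b for a, b in zip(p_psi, psi)]) ** 2, 1 - overlap


def lemma4_norms(psi1, psi2, U):
    """Both sides of Lemma 4 for 3-qubit states on registers A, B, C (one qubit each)."""
    delta = [a - b for a, b in zip(psi1, psi2)]
    cu = kron(controlled(U), I2)      # CU_AB (x) I_C
    za = kron(kron(Z, I2), I2)        # Z_A (x) I_BC
    return norm(matvec(cu, delta)) ** 2, norm(matvec(za, delta)) ** 2


def dephase_by_measurement(rho):
    """Standard-basis measurement with the outcome forgotten: sum_b |b><b| rho |b><b|."""
    return [[rho[i][j] if i == j else 0 for j in range(2)] for i in range(2)]


def random_z(rho):
    """Apply Z with probability 1/2: (rho + Z rho Z) / 2."""
    zrz = matmul(matmul(Z, rho), Z)
    return [[(rho[i][j] + zrz[i][j]) / 2 for j in range(2)] for i in range(2)]


def max_entry_diff(A, B):
    return max(abs(a - b) for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def run_checks(seed=7):
    """Returns the three discrepancies (Lemma 2, Lemma 4, Remark 10); all should be ~0."""
    rng = random.Random(seed)
    lhs, eps = gentle_measurement_gap(random_state(4, rng), kron(P0, I2))
    n_cu, n_z = lemma4_norms(random_state(8, rng), random_state(8, rng), T)
    v = random_state(2, rng)
    rho = [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]
    return abs(lhs - eps), abs(n_cu - n_z), max_entry_diff(dephase_by_measurement(rho), random_z(rho))


if __name__ == "__main__":
    print(run_checks())
```

The check `controlled(X) == CNOT` ties the controlled-unitary construction of Lemma 4 back to the matrix in (2.1).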
This extension may appear to be unnatural, but we make use of it when proving the binding property of our commitment schemes.

Claim 12. For every polynomial ℓ = ℓ(λ), every NTCF family (Gen, Eval, Invert, Check, Good) is ℓ-extended collapsing, where the ℓ-extended collapsing definition asserts that every BQP adversary A wins in the following extended collapsing game with probability 1/2 + negl(λ):

1. The challenger generates ℓ independent public keys pk₁, . . . , pk_ℓ ← Gen(1^λ) and sends (pk₁, . . . , pk_ℓ) to A.
2. A(pk₁, . . . , pk_ℓ) generates a subset J ⊆ [ℓ], classical values {y_j}_{j∈J} where each y_j ∈ R_{pk_j}, and a |J| · (n(λ) + 1)-qubit quantum state σ = σ_{{S_j, Z_j}_{j∈J}}, where each register S_j consists of a single qubit and each register Z_j consists of n(λ) qubits. A sends (J, {y_j}_{j∈J}, σ) to the challenger.
3. The challenger does the following:
   (a) For every j ∈ J apply in superposition the algorithm Check to the (S_j, Z_j) registers of σ w.r.t. pk_j and y_j, and check that the output is 1. If this is not the case, send ⊥ to A.
   (b) Otherwise, choose a random bit b ← {0, 1} and measure the registers {S_j}_{j∈J} in the standard basis if and only if b = 1.
   (c) Send the resulting state to A.
4. Upon receiving a quantum state (or the symbol ⊥), A outputs a bit b′.
5. A wins if b′ = b.

Claim 12 follows from Claim 11 together with a straightforward hybrid argument.

In what follows we define interactive bit commitment schemes as presented in [HR06].

Definition 13 (Interactive Bit-Commitment Schemes). An interactive bit-commitment scheme consists of algorithms (Commit, Open, Val) with the following syntax:

• Commit is a PPT interactive protocol between a committer C and a verifier V. It takes as input a bit b ∈ {0, 1} and outputs a public commitment string y ∈ {0, 1}^m, as well as private information priv that is known only to the committer C.

• Open is a PPT non-interactive protocol that takes as input a bit b ∈ {0, 1}, the commitment string y ∈ {0, 1}^m, and the private key priv.
It outputs a public opening string z ∈ {0, 1}^m.

• Val is a PPT non-interactive protocol that takes as input the opening string z, a bit b ∈ {0, 1} and the committed string y. It outputs acc if z is a valid opening string and rej otherwise.

The protocol associated with the tuple (Commit, Open, Val) is a two-party protocol between a committer, C, and a verifier, V. Both parties take as input a security parameter 1^λ, and C takes as private input a bit b ∈ {0, 1}. The protocol consists of two phases, a COMMIT phase and an OPEN phase:

• COMMIT phase:
  1. [C ⇌ V] C and V interactively compute (y, priv) ← Commit(1^λ, b). C stores priv locally and V outputs the commitment string y.

• OPEN phase:
  1. [C → V] C computes z ← Open(b, priv, y) and sends z to V.
  2. [V] V runs Val(b, z, y) and outputs the result.

Bit commitment protocols are required to satisfy two properties, hiding and binding. Informally, hiding requires that the verifier is not able to guess the initial bit b better than at random. On the other hand, binding says that the committer cannot change their mind after completing the commitment phase. In the quantum case, we focus on binding and therefore formally define the classical analogue here.

Definition 14 (Computationally Binding). An interactive bit-commitment scheme (Commit, Open, Val) is η-binding if, for all PPT adversaries C* and any positive polynomial p, the following holds for all λ ∈ Z⁺:

$$\Pr_{(priv,\, y) \leftarrow (C^*, V).\mathrm{Commit}}\left[ A_{C^*, V}(priv, y) > \frac{1}{p(\lambda)} \right] < \eta(\lambda) \quad (2.10)$$

where:

$$A_{C^*, V}(priv, y) := \min_{b \in \{0,1\}} \Pr_{z \leftarrow C^*.\mathrm{Open}(b,\, y,\, priv)}\big[ acc \leftarrow \mathrm{Val}(b, z, y) \big] \quad (2.11)$$

The scheme is said to be computationally binding if η = negl(λ).

Chapter 3 Background

3.1 Complexity Theory Primer

Complexity theory studies which sets of problems can be solved using a given resource. This is done in part by formalizing statements about various models of computation.
This section introduces complexity theory by giving formal definitions for computational problems, models of computation, and the hardness of computational problems captured by a complexity class. Typically, models of computation and other notions in classical complexity theory are defined using Turing machines. In the quantum case, however, an analogue of the circuit model is easier to work with than that of Turing machines. Therefore, the proofs and definitions given here are from a circuit complexity theoretic perspective. Moreover, we make use of standard notions of reductions and logspace computable functions, as defined in [AB09].

3.1.1 Classical

In classical computation, a computational problem corresponds to a function that maps finite inputs to finite outputs. Complexity theory studies the hardness of computing such functions [AB09]. In this section, we focus on the special case of boolean functions, which describe all functions of the form [ODo21]:

f : {0, 1}^n → {0, 1} (3.1)

Corresponding to a boolean function f is a language, defined by the set:

L_f = {x : f(x) = 1} (3.2)

That is, the problem of computing f(x) for some input x is equivalent to deciding whether x ∈ L_f. Complexity theory studies how easily a language L_f can be decided by a given model of computation, such as Boolean circuits.

Definition 15 (Boolean Circuit). [AB09] For every n ∈ N, a deciding Boolean circuit C_n with n input bits and a single output bit is a directed acyclic graph that has n nodes with no incoming edge and a single node with no outgoing edge, and all other nodes are labeled with a logical gate G ∈ {NOT, OR, AND}. The size of C_n, |C_n|, is the number of nodes in C_n. The output of C_n on an input w ∈ {0, 1}^n is denoted by C_n(w).

A language may contain inputs of varying length. A given circuit, however, has a fixed input length. Therefore, complexity classes are defined in terms of circuit families rather than individual circuits.
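As an added worked example of Definition 15 and of the circuit-family notion that follows it (not code from the thesis), the block below encodes a Boolean circuit as a list of nodes in topological order over the gate set {NOT, OR, AND}, builds the family {C_n} that decides the parity language L = {x : x has an odd number of 1s} by chaining XOR gadgets, evaluates C_n(w), and checks the deciding condition x ∈ L ⇔ C_{|x|}(x) = 1 exhaustively for small n. The node encoding and all function names are this example's own; the size bound S(n) = n + 5(n − 1) counts input nodes as nodes, as Definition 15 does.

```python
from itertools import product

# Added example: a circuit family over {NOT, OR, AND} deciding parity, with an
# evaluator for the DAG representation of Definition 15 (this example's own encoding).


def add_gate(nodes, gate, *preds):
    nodes.append((gate, preds))
    return len(nodes) - 1


def add_xor(nodes, a, b):
    """XOR from the allowed gates: (a AND NOT b) OR (NOT a AND b); five new nodes."""
    na = add_gate(nodes, "NOT", a)
    nb = add_gate(nodes, "NOT", b)
    t1 = add_gate(nodes, "AND", a, nb)
    t2 = add_gate(nodes, "AND", na, b)
    return add_gate(nodes, "OR", t1, t2)


def build_parity_circuit(n):
    """C_n: input nodes 0..n-1 followed by a chain of XOR gadgets; the last node is the output.
    The construction is a simple counter-driven loop, so the family is (logspace-)uniform."""
    nodes = [("IN", ()) for _ in range(n)]
    acc = 0
    for i in range(1, n):
        acc = add_xor(nodes, acc, i)
    return nodes


def circuit_size(nodes):
    """|C_n| = number of nodes, inputs included."""
    return len(nodes)


def size_bound(n):
    """S(n) = n + 5(n - 1): linear, so {C_n} lies in SIZE(O(n)) and hence in P/poly."""
    return n + 5 * (n - 1)


def evaluate(nodes, w):
    """C_n(w).  Every predecessor index is smaller than the node's own, so one pass suffices."""
    val = []
    for idx, (gate, preds) in enumerate(nodes):
        if gate == "IN":
            val.append(w[idx])
        elif gate == "NOT":
            val.append(1 - val[preds[0]])
        elif gate == "AND":
            val.append(val[preds[0]] & val[preds[1]])
        elif gate == "OR":
            val.append(val[preds[0]] | val[preds[1]])
        else:
            raise ValueError(f"unknown gate {gate!r}")
    return val[-1]


def in_parity_language(w):
    return sum(w) % 2 == 1


def family_decides_parity(max_n):
    """Checks condition (3.3) exhaustively for every 1 <= n <= max_n."""
    for n in range(1, max_n + 1):
        C_n = build_parity_circuit(n)
        if circuit_size(C_n) > size_bound(n):
            return False
        for w in product((0, 1), repeat=n):
            if (evaluate(C_n, w) == 1) != in_parity_language(w):
                return False
    return True


if __name__ == "__main__":
    print(family_decides_parity(6), circuit_size(build_parity_circuit(4)))  # True 19
```

The same evaluator serves any circuit in this encoding, so swapping `build_parity_circuit` for another generator is all that is needed to test a different family against its language.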
Definition 16 (Circuit Family). [AB09] Let S : N → N be a function, and let C_n be a Boolean circuit with n input variables. A circuit family with size S(n) is a list {C_n}_{n∈N} such that |C_n| ≤ S(n) for all n. We say that an S(n)-sized circuit family {C_n}_{n∈N} decides a language L if, for all x ∈ {0, 1}^n:

x ∈ L ⇐⇒ C_{|x|}(x) = 1 (3.3)

Moreover, a circuit family {C_n} is said to be logspace-uniform if there is a logspace computable function that maps 1^n to ⟨C_n⟩ for every n ∈ N.

Definition 17. [AB09] A language L is in SIZE(S(n)) if there exists an S(n)-sized circuit family C that decides L.

Definition 18. [AB09] P/poly is the set of languages that are decidable by circuit families of size poly(n):

P/poly = ∪_c SIZE(n^c) (3.4)

Definition 19. [AB09] A language L is said to be in P if there exists a logspace uniform circuit family {C_n}_{n∈N} of size poly(n) that decides L.

A complexity class, such as P, has notions of hardness contained within it. That is, there exist some problems in P which are provably at least as hard as any other problem in P. These problems are given the name P-hard. Moreover, if these problems can be shown to also be contained in P, then they are called P-complete.

Definition 20 (P-complete). A language A is said to be P-complete if A ∈ P and for every language B ∈ P, B ≤_L A.

P captures a class of problems that can be solved efficiently. Allowing probabilistic transitions yields the complexity class BPP (bounded-error probabilistic polynomial time), and we refer the reader to [AB09] for a formal definition. Allowing for non-deterministic transitions yields NP (non-deterministic polynomial time), which captures the class of problems that can be verified efficiently, given the solution.

NP is an example of a proof system. In the simplest case, a proof system involves two parties, a prover and a verifier. The goal of the prover is to convince the verifier of some claim.
In NP, the setting is non-interactive, meaning that the prover sends the verifier a proof string and the verifier must output acc or rej without further queries to the prover. In IP, interaction is allowed. That is, the prover sends the verifier an initial proof string s, and the verifier can then adaptively select queries to further interrogate the prover. Only at the end of the interaction transcript does the verifier have to output acc or rej. Allowing for interaction greatly increases the computational power of the system and broadens the class of problems that have a corresponding proof [AB09; Sip13]. We define these complexity classes below. First, we define the notion of a polynomial time (PT) algorithm, which we make use of in other definitions.

Definition 21 (Polynomial Time Algorithm). An algorithm is a function that is implemented by a circuit family {C_n}_{n∈N} with size S(n). An algorithm is said to be polynomial time (PT) if S(n) = O(n^c) for some constant c.

Remark 22. Throughout this work, we often recall a probabilistic generalization of PT, PPT. We refer to [AB09] for a formal definition.

Definition 23. [Sip13] A verifier for a language L is an algorithm V where:

L = {w | V accepts ⟨w, c⟩ for some string c} (3.5)

A polynomial time verifier is one that runs in polynomial time in the length of w. A language L is polynomially verifiable if it has a polynomial time verifier.

Definition 24 (NP). [Sip13] A language L is in NP if it has a polynomial time verifier.

In other words, NP captures the class of languages which, when given the solution, can be efficiently verified. It is well-known that P ⊆ NP: if a problem can be solved in polynomial time, then the verifier can just run the algorithm to test the solution. The following theorem generalizes this notion for arbitrary complexity classes:

Theorem 25. Let X, Y be two arbitrary complexity classes. Let A be a language such that, for all languages B ∈ X, B ≤_p A (i.e. A is an X-hard language).
Then:

$$A \in Y \implies X \subseteq Y \qquad (3.6)$$

Proof. Let f be the efficient function implementing the reduction B ≤_p A for all B ∈ X. Let g be the efficient function in Y that evaluates A. Then any language B ∈ X can be evaluated by a circuit in Y by composing f with g.

Below we define a generalization of NP. Namely, we define interactive proofs. In contrast with NP, the verifier here is PPT, and multiple rounds of interaction are allowed.

Definition 26 (IP). [AB09] For every k ∈ Z+, a language L is contained in IP(k) if there exists a PPT algorithm V such that for any function P, V has a k-round interaction with P such that:
• (Completeness) x ∈ L implies that there exists P such that: Pr[(P, V)(x) = 1] ≥ 2/3
• (Soundness) x ∉ L implies that for every arbitrary function P*: Pr[(P*, V)(x) = 0] ≥ 2/3
Here, all probabilities are over the choices of V. The class containing all languages that have interactive proof systems is defined to be:

$$\mathsf{IP} = \bigcup_{c \in \mathbb{Z}^+} \mathsf{IP}(n^c) \qquad (3.7)$$

3.1.2 Quantum

Quantum computation relies on the postulates of quantum mechanics to perform calculations. Quantum mechanics is inherently probabilistic due to the measurement postulate. This notion may be captured by Boolean functions that are not fully defined over their domain, known as partially defined Boolean functions [KSV02a]:

$$f : \{0,1\}^n \to \{0, 1, \mathrm{undef}\} \qquad (3.8)$$

A language corresponding to f may be defined as in the classical case. We proceed to define quantum circuits and their corresponding complexity class below.

Definition 27 (Quantum Circuit). [KSV02a] Fix ε < 1/2 and let f : {0, 1}^n → {0, 1}^m be a partially defined Boolean function. The circuit C = U_T ⋯ U_1 computes f if, for all x (writing U = U_T ⋯ U_1 for the overall unitary):

$$\sum_{z} \left| \langle f(x), z \,|\, U \,|\, x, 0^{N-n} \rangle \right|^2 \ge 1 - \varepsilon \qquad (3.9)$$

Here, each U_i is chosen from a universal gate set, such as {H, CNOT, T}.

Definition 28 (Quantum Circuit Family). Let S : N → N be a function, and let Qn be a quantum circuit acting on n qubits. A quantum circuit family with size S(n) is a sequence {Qn}n∈N such that |Qn| ≤ S(n) for all n.
We say that an S(n)-sized circuit family {Qn}n∈N decides a language L if, for all x ∈ {0, 1}^n:

$$x \in L \iff \Pr[Q_{|x|}(x) = 1] \ge 2/3. \qquad (3.10)$$

A quantum circuit family is uniform if there exists a PT algorithm that generates a description of the quantum circuit.

Definition 29. A language L is in BQP if there exists a uniform quantum circuit family {Qn}n∈N of size poly(n) that decides L.

The following complexity class is a direct quantum analogue of NP:

Definition 30 (Quantum Merlin Arthur (QMA)). [KSV02a] A language L belongs to the class QMA if there exists a QPT algorithm V such that for every x ∈ {0, 1}*:
• (Completeness) x ∈ L ⟹ there exists a poly(n) witness state |ψx⟩ such that Pr[V(x, |ψx⟩) = 1] ≥ 2/3
• (Soundness) x ∉ L ⟹ for every poly(n) adversarial witness state |ψ⟩, Pr[V(x, |ψ⟩) = 1] ≤ 1/3

Similar to how P ⊆ NP, it is also the case that BQP ⊆ QMA. Below we define QPIP_k, which is the class of quantum interactive proofs that is most relevant to this work.

Definition 31 (QPIP_k). [Aha+17] Let a prover P be a QPT machine that has access to a quantum channel E_Q that can transmit k qubits for some k ∈ N. Let a verifier V be a hybrid quantum-classical machine that has access to both a PPT machine and a quantum register Q of k qubits, as well as a channel E_Q that can transmit k qubits. The verifier may perform arbitrary quantum operations on Q. E_Q is shared between V and P, as well as a classical channel E_C. Communication between the two parties consists of sending bits or qubits through their respective channels. A language L is said to have a QPIP_k (Quantum Prover Interactive Proof) that is ε_c-complete and ε_s-sound, where |ε_c − ε_s| = O(1), if there exists a prover-verifier pair (P, V) such that, for all x ∈ {0, 1}*:
• (Completeness) If x ∈ L, then Pr[(P, V)(x) = 1] ≥ ε_c.
• (Soundness) If x ∉ L, then for every QPT machine P* (with the same specification as P): Pr[(P*, V)(x) = 1] ≤ ε_s.
In what follows, we give definitions for a Hamiltonian, which are used to define a QMA-hard problem that is central to the verification protocol in [Mah18].

Definition 32 (k-local Hamiltonian). [KSV02a] An operator H is called a k-local Hamiltonian if it is expressible in the form:

$$H = \sum_{j} H_j[S_j] \qquad (3.11)$$

Here, each term H_j is a Hermitian operator acting on a set of qubits S_j such that |S_j| ≤ k.

Definition 33 (Quantum k-local Hamiltonian Problem). [KSV02a] Let z = (⟨H⟩, a, b) where ⟨H⟩ is a description of a k-local Hamiltonian H such that k = O(1), 0 ≤ a < b, b − a = Ω(n^{−α}) (α > 0 is a constant). The Local Hamiltonian problem (LH) is a function F such that:
• F(z) = 1 ⟺ H has an eigenvalue not exceeding a.
• F(z) = 0 ⟺ all eigenvalues of H are greater than b.

Claim 34. [KSV02b] The k-local Hamiltonian problem is QMA-hard.

Corollary 35. The k-local Hamiltonian problem is BQP-hard.

Proof. This follows from BQP ⊆ QMA.

3.2 Self-Reducibility

A self-reducible problem is one where an instance can be reduced to other instances of the same problem [Tra70]. More formally, a self-reducible function f is one which may be evaluated on an instance x by querying an oracle O for f on inputs other than x. There are many different types of self-reducibility which play a large role in interactive proof systems and computational complexity in general. In this section, we focus on downward self-reducibility and random self-reducibility.

Downward self-reducibility. A downward self-reducible function is one that can be evaluated by querying an oracle for the function on instances that are strictly smaller than the given instance [HMR23]. Many complete problems in NP and PSPACE are known to be downward self-reducible, such as SAT [Ko83]. This is fairly easy to see. Suppose an oracle O takes as input a Boolean formula in n variables, ϕ, and outputs 1 if ϕ is satisfiable and 0 otherwise.
The following procedure determines whether ϕ is satisfiable, without querying O on ϕ directly: query O on ϕ(0) and ϕ(1), where ϕ(α) is obtained by substituting α for variable x1 in ϕ. If neither is satisfiable, output 0. Otherwise, query O on ϕ(α0) and ϕ(α1), where α is a satisfying assignment to variable x1. Continue for all n variables. Since each query reduces the number of variables of the previously queried instance by exactly one, each new instance is strictly smaller than the previous one, therefore meeting the downward self-reducibility condition.

Random self-reducibility. A function f is random self-reducible if, for all inputs x, f(x) can be evaluated by querying an oracle on random instances [FKN90]. One example of such a function is the square root of a quadratic residue modulo N. Namely, computing $\sqrt{x} \bmod N$ is equivalent to first selecting a random number r and computing $\sqrt{xr^2} \bmod N$, which can be used to recover $\sqrt{x} \bmod N$ by dividing by r [FKN90]. The use of random self-reducible functions is widespread in computational complexity, and has immediate applications in the proofs of MIP = NEXP and the PCP theorem [Lun+92; Aro+98].

3.3 Classical Proof Systems

In this section, we show the role that self-reducibility plays in classical proof systems by recalling a proof of the seminal result that coNP ⊆ IP [Lun+92].

3.3.1 coNP ⊆ IP

In this section, we introduce the complement of NP, known as coNP, as well as a new model for verification known as interactive proofs, IP. We show that coNP ⊆ IP. #SAT, as defined below, is a coNP-hard problem. Therefore, by Theorem 25, showing that coNP ⊆ IP reduces to showing that #SAT ∈ IP. This proof involves the sum-check protocol, which is the key ingredient in many other, more complicated proofs. Moreover, the sum-check protocol exploits the error-correcting properties of certain families of polynomials, as detailed here.

Definition 36 (coNP). A language L is in coNP if there exists a polynomial time algorithm V such that V(x) = 1 ⟺ x ∉ L.
Definition 37 (SAT).

$$\mathrm{SAT} = \{\langle \phi\rangle \mid \phi \text{ has a satisfying assignment}\} \qquad (3.12)$$

Definition 38 ($\overline{\mathrm{SAT}}$).

$$\overline{\mathrm{SAT}} = \{\langle \phi\rangle \mid \phi \text{ has no satisfying assignment}\} \qquad (3.13)$$

Theorem 39. $\overline{\mathrm{SAT}}$ is coNP-complete.

Proof. Follows from the definition of coNP.

Definition 40 (#SAT).

$$\#\mathrm{SAT} = \{\langle \phi, k\rangle \mid \text{Boolean formula } \phi \text{ has exactly } k \text{ satisfying assignments}\}$$

Theorem 41. #SAT is coNP-hard.

Proof. To show that #SAT is coNP-hard, we need to show that $\overline{\mathrm{SAT}} \le_p \#\mathrm{SAT}$, where $\overline{\mathrm{SAT}}$ is the language of Definition 38. That is, we need to give a PT-computable function f that constructs a #SAT instance from a $\overline{\mathrm{SAT}}$ instance. Let ⟨ϕ⟩ be the $\overline{\mathrm{SAT}}$ instance. Since ϕ ∈ $\overline{\mathrm{SAT}}$, it has no satisfying assignments. Therefore, define f such that f(⟨ϕ⟩) = ⟨ϕ, 0⟩. f runs in PT.

The task is to show that #SAT ∈ IP. This requires constructing an interactive proof system between an all-powerful prover P and a BPP verifier V such that, if an instance x ∈ #SAT, then V accepts with high probability, and if x ∉ #SAT, then V rejects with high probability. Recall that for #SAT, an instance takes the form ⟨ϕ, k⟩, where ϕ is a Boolean formula and k ∈ Z+. How can a computationally bounded verifier catch an all-powerful cheating prover? We discuss two candidate protocols and a final protocol that completes the proof [Sip13].

Inefficient Verifier. Let fϕ(a1, . . . , ai) be the number of satisfying assignments for a formula ϕm,n in m clauses and n variables, partially evaluated by assigning a1, . . . , ai to variables x1, . . . , xi:

$$f_\phi(a_1,\dots,a_i) = \sum_{(a_{i+1},\dots,a_n) \in \{0,1\}^{n-i}} f_\phi(a_1,\dots,a_n) \qquad (3.14)$$

On no inputs, define fϕ(∅) as returning the following:

$$f_\phi(\emptyset) = \sum_{(a_1,\dots,a_n) \in \{0,1\}^{n}} f_\phi(a_1,\dots,a_n) \qquad (3.15)$$

The downward self-reducibility of fϕ follows immediately from this definition. Namely, fϕ(∅) can be calculated by querying an oracle for fϕ(0) and fϕ(1), and summing the results of the two queries. Each query is strictly smaller than fϕ(∅) by exactly one variable. This property is exploited in the following interactive protocol.
Let f̂ϕ be the prover's response when queried for fϕ. Let ϕm,n(a1, . . . , ai) denote an evaluation of ϕm,n with values a1, . . . , ai substituted in for variables x1, . . . , xi. Given a Boolean formula ϕ, a function fϕ and a number k ∈ Z, we present a correct, sound but inefficient interactive proof for the following claim:

$$k = \sum_{(a_1,\dots,a_n)\in\{0,1\}^n} f_\phi(a_1,\dots,a_n) \qquad (3.16)$$

1. [V → P] If n = 1, V outputs acc if ϕm,1(0) + ϕm,1(1) = k and outputs rej otherwise. For n ≥ 2, V requests fϕ(∅) from P.
2. [V ← P] P sends f̂ϕ(∅) to V.
3. [V ↔ P] V checks that f̂ϕ(0) + f̂ϕ(1) = k and outputs rej if not. Otherwise, V repeats this protocol to prove the following two claims recursively, as follows.

$$\hat f_\phi(0) = \sum_{(a_2,\dots,a_n)\in\{0,1\}^{n-1}} f_\phi(0, a_2,\dots,a_n) \qquad (3.17)$$

$$\hat f_\phi(1) = \sum_{(a_2,\dots,a_n)\in\{0,1\}^{n-1}} f_\phi(1, a_2,\dots,a_n) \qquad (3.18)$$

4. [V ← P] The verifier outputs acc if and only if f̂ϕ(a1, . . . , an) = ϕm,n(a1, . . . , an) for all (a1, . . . , an) ∈ {0, 1}^n.

While this protocol will catch a cheating prover with probability 1, it is effectively enumerating over all possible evaluations of the Boolean formula, which is not within the capabilities of a BPP verifier. The next protocol uses randomness to make the protocol efficient, at the cost of soundness.

Insufficient Soundness. Given a Boolean formula ϕm,n, a value fϕm,n and a number k ∈ Z, we present a correct, efficient, but unsound interactive proof for the following claim:

$$k = \sum_{(a_1,\dots,a_n)\in\{0,1\}^n} f_\phi(a_1,\dots,a_n) \qquad (3.19)$$

1. [V → P] If n = 1, V outputs acc if ϕm,1(0) + ϕm,1(1) = k and outputs rej otherwise. For n ≥ 2, V asks P for fϕ(∅).
2. [V ← P] P sends f̂ϕ(∅) to V.
3. [V ↔ P] V checks that f̂ϕ(0) + f̂ϕ(1) = k and outputs rej if not. Otherwise, V selects s ← {0, 1} uniformly at random, and recursively proves the following claim:

$$\hat f_\phi(s) = f_{\phi_{m,n}}(s) \qquad (3.20)$$

4. [V ← P] The verifier outputs acc if and only if f̂ϕm,n(s1, . . . , sn) = ϕm,n(s1, . . . , sn), where (s1, . . . , sn) are the random bits selected in the recursive protocol above.
While this protocol is correct and efficient, if k ≠ fϕ the verifier outputs rej only with probability ≥ 1/2^n, which falls short of the lower bound required by the definition of IP. Error correction can help amplify the error sensitivity, as shown in the next section.

Sum-Check Protocol. [Lun+92; Bab+91] The sum-check protocol is a two-party protocol between an all-powerful prover and a BPP verifier. It is the key ingredient in the coNP ⊆ IP proof, and is defined below.

Definition 42 (Sum-Check Protocol). Given a degree d polynomial in n variables g(x1, . . . , xn), a prime p ∈ (2^n, 2^{2n}], and a number k ∈ Z, the sum-check protocol is an interactive proof for the following claim:

$$k = \sum_{(a_1,\dots,a_n)\in\{0,1\}^n} g(a_1,\dots,a_n) \qquad (3.21)$$

In Equation (3.21) and in what follows, all computations are executed mod p. Let gi(a1, . . . , ai) be the partial sum:

$$g_i(a_1,\dots,a_i) = \sum_{a_{i+1}\in\{0,1\}} \cdots \sum_{a_n \in\{0,1\}} g(a_1, a_2, \dots, a_n) \qquad (3.22)$$

Moreover, fix $(r_1,\dots,r_{i-1}) \in \mathbb{F}_p^{\,i-1}$. Let $h_{(r_1,\dots,r_{i-1})}(x)$ be the univariate polynomial:

$$h_{(r_1,\dots,r_{i-1})}(x) = g_i(r_1,\dots,r_{i-1},x) \qquad (3.23)$$

For i = 1, the only input to g1 is x:

$$h_0(x) = \sum_{(a_2,\dots,a_n)\in\{0,1\}^{n-1}} g(x, a_2,\dots,a_n) \qquad (3.24)$$

$$h_0(0) + h_0(1) = k \qquad (3.25)$$

Denote by $\hat h_i(x)$ the prover's response when queried for $h_i(x)$. It is assumed that the prover's responses, while potentially incorrect, are noiseless. The protocol proceeds as follows.

1. [V ← P] P sends p to V.
2. [V ↔ P] If n = 1, V outputs acc if and only if g(0) + g(1) = k. If n ≥ 2, V and P repeat the following for i ∈ [n], where b0 = k:
 (a) [V → P] V requests $h_{(r_1,\dots,r_{i-1})}(x)$ from P.
 (b) [V ← P] P sends $\hat h_{(r_1,\dots,r_{i-1})}(x)$ to V (as coefficients).
 (c) [V → P] V outputs rej if $\hat h_{(r_1,\dots,r_{i-1})}(0) + \hat h_{(r_1,\dots,r_{i-1})}(1) \ne b_{i-1}$. Otherwise, V selects a random element $r_i \in \mathbb{F}_p$ and evaluates:

$$b_i \leftarrow \hat h_i(r_i) \qquad (3.26)$$

 This step recursively checks the claim that $\hat h_{(r_1,\dots,r_{i-1})}(r_i) = h_{(r_1,\dots,r_{i-1})}(r_i)$.
3. [V] V outputs acc if and only if bn = g(r1, . . . , rn).

Claim 43.
If Equation (3.21) is false, the verifier V in Definition 42 outputs rej with probability ≥ (1 − d/p)^n.

Proof. The proof relies on the following lemma about low-degree polynomials:

Lemma 44. [Bab+91; Sch80] Given a field F, let S ⊂ F be a finite subset of F. Let f : F^m → F be an m-variate polynomial of combined degree d ≥ 0. Then f cannot vanish on more than a d/|S| fraction of S^m.

If n = 1, the verifier rejects in step 2 with probability 1, since Pr[g(0) + g(1) ≠ k] = 1 if Equation (3.21) is false. For n ≥ 2 we proceed by induction on n, assuming the hypothesis is true for n − 1. Suppose that on round i = n − 1 of the protocol, $\hat h_{(r_1,\dots,r_{n-1})}(r_{n-1}) = h_{(r_1,\dots,r_{n-1})}(r_{n-1})$. In this case, by the induction hypothesis, $\Pr[\hat h_{(r_1,\dots,r_n)}(0) + \hat h_{(r_1,\dots,r_n)}(1) \ne b_{n-1}] = 1$ and therefore V will output rej with probability 1 at step (2c) in Definition 42. In the case that $\hat h_{(r_1,\dots,r_{n-1})}(r_{n-1}) \ne h_{(r_1,\dots,r_{n-1})}(r_{n-1})$, the polynomials $h_{(r_1,\dots,r_{n-1})}(x)$ and $\hat h_{(r_1,\dots,r_{n-1})}(x)$ agree on at most d points, by Lemma 44 with m = 1. Therefore, for a value r picked uniformly at random from F_p:

$$\Pr\big[\hat h_{(r_1,\dots,r_{n-1})}(r) = h_{(r_1,\dots,r_{n-1})}(r)\big] \le \frac{d}{p} \qquad (3.27)$$

It follows that:

$$\Pr\big[\hat h_{(r_1,\dots,r_{n-1})}(r) \ne h_{(r_1,\dots,r_{n-1})}(r)\big] \ge 1 - \frac{d}{p} \qquad (3.28)$$

By the induction hypothesis, the verifier successfully rejected in some previous round with probability (1 − d/p)^{n−1}. Therefore, for round n:

$$\Pr[\mathrm{rej} \leftarrow V] \ge \left(1 - \frac{d}{p}\right)\left(1 - \frac{d}{p}\right)^{n-1} = \left(1 - \frac{d}{p}\right)^n \qquad (3.29)$$

Theorem 45. #SAT ∈ IP

Proof. Convert the formula ϕ of m clauses and n variables (x1, . . . , xn) into 3CNF form. Define the following polynomial:

$$p_\phi(x_1,\dots,x_n) = \prod_{1 \le j \le m} f(a_{j,1}, a_{j,2}, a_{j,3}) \qquad (3.30)$$

where f(aj,1, aj,2, aj,3) is:

$$\big(1 - (1 - a_{j,1})(1 - a_{j,2})(1 - a_{j,3})\big) \qquad (3.31)$$

Here, aj,i = xi if literal ℓj,i = xi, and aj,i = 1 − xi if literal ℓj,i = ¬xi. Moreover, pϕ(x1, . . . , xn) has degree at most 3m, since there are at most 3m literals in ϕ. On an assignment that does not satisfy ϕ, pϕ evaluates to 0, and on a satisfying assignment it evaluates to 1.
This is because ϕ evaluates to 0 if and only if f(aj,1, aj,2, aj,3) = 0 for some j ∈ [m], which occurs if and only if aj,1 = aj,2 = aj,3 = 0. Therefore, the claim $k = \sum_{(a_1,\dots,a_n)\in\{0,1\}^n} f_\phi(a_1,\dots,a_n)$ can be rewritten as:

$$k = \sum_{(a_1,\dots,a_n)\in\{0,1\}^n} p_\phi(a_1,\dots,a_n) \qquad (3.32)$$

Since pϕ has degree d = O(3m), the sum-check protocol can be directly applied, concluding the proof.

Corollary 46. coNP ⊆ IP.

3.4 Quantum Proof Systems

In this section, we present the measurement protocol for quantum verification from [Mah18] that our result relies on.

3.4.1 BQP ⊆ QPIP1

As analyzed in [Vid20], the Fitzsimons-Morimae protocol is a protocol for verifying arbitrary quantum computations using a weak quantum verifier [FHM18]. More precisely, the verifier is able to store and measure a single qubit using σx or σz observables. As shown in [BL08], estimating the energy of the ground state of a computation Hamiltonian can be done using only σx and σz measurements. The protocol in [FHM18] showed that this is sufficient for verifying all of BQP through a QPIP1 protocol. The QPIP0 protocol presented in the next section made this possible in the fully classical verifier setting by employing cryptographic assumptions.

3.4.2 BQP ⊆ QPIP0 assuming LWE

The protocol above relies directly on being able to make trusted measurements (since the verifier is executing the measurements themselves). In the case of a BPP verifier, the verifier cannot make measurements directly on the ground state. Therefore, the verifier must delegate measurements to the prover, which is what makes this problem so challenging. The central idea of [Mah18] is to use cryptographic assumptions to force the prover to make the measurements that the verifier could make themselves in the Morimae-Fitzsimons protocol. This is done by forcing the prover to commit to the ground state of a computation Hamiltonian such that the commitment is classically verifiable.
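Returning to Section 3.3.1, here is the sum-check protocol of Definition 42 carried out on the #SAT arithmetization of Theorem 45, as an added, runnable example (not code from the thesis). It assumes a small constructed 3CNF instance with n = 4 and p = 251, an honest prover that obtains $h_{(r_1,\dots,r_{i-1})}(x)$ by interpolating the partial sums at d + 1 points, and a cheating prover that exploits Lemma 44 by sending a polynomial agreeing with the honest one on d − 1 points; `colliding_prover`, `acceptance_rate` and the literal encoding are names chosen for this example.

```python
"""Sum-check (Definition 42) on the #SAT arithmetization p_phi of Theorem 45."""
import random
from itertools import count, product

# Constructed 3CNF instance: literal i stands for x_i, -i for NOT x_i.
CLAUSES = [(1, 2, -3), (-1, 2, 3), (1, -2, 4)]
N_VARS = 4
P = 251                    # prime in (2^n, 2^(2n)] as Definition 42 requires
DEGREE = 3 * len(CLAUSES)  # p_phi has total degree at most 3m

def count_satisfying(clauses, n):
    """Brute-force k, the value the prover must convince V of."""
    return sum(all(any((a[abs(l) - 1] == 1) == (l > 0) for l in c) for c in clauses)
               for a in product((0, 1), repeat=n))

def arithmetize(clauses, p):
    """p_phi(x) = prod_j (1 - (1-a_j1)(1-a_j2)(1-a_j3)) mod p, Eqs. (3.30)-(3.31)."""
    def g(point):
        acc = 1
        for clause in clauses:
            unsat = 1
            for lit in clause:  # a = x_i for literal x_i, 1 - x_i for NOT x_i
                a = point[abs(lit) - 1] if lit > 0 else 1 - point[abs(lit) - 1]
                unsat = unsat * (1 - a) % p
            acc = acc * (1 - unsat) % p  # factor is 0 iff the clause fails
        return acc
    return g

def poly_eval(coeffs, x, p):
    """Horner evaluation; coefficients are low degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def interpolate(xs, ys, p):
    """Lagrange interpolation over F_p, returning coefficients low degree first."""
    coeffs = [0] * len(xs)
    for i, xi in enumerate(xs):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                basis = poly_mul(basis, [(-xj) % p, 1], p)
                denom = denom * (xi - xj) % p
        scale = ys[i] * pow(denom, -1, p) % p
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % p
    return coeffs

def honest_prover(g, n, d, p):
    """Round-i response h_{(r_1..r_{i-1})}(x) of Eq. (3.23): partial sums interpolated."""
    def respond(prefix, _claimed):
        tails = list(product((0, 1), repeat=n - len(prefix) - 1))
        ys = [sum(g(prefix + (t,) + tail) for tail in tails) % p for t in range(d + 1)]
        return interpolate(list(range(d + 1)), ys, p)
    return respond

def colliding_prover(g, n, d, p):
    """Cheater: when the claim is wrong, send h + delta*q with q vanishing on {2..d} and
    q(0)+q(1) = 1; it passes the sum check and agrees with h on d-1 points (Lemma 44)."""
    honest = honest_prover(g, n, d, p)
    q = [1]
    for j in range(2, d + 1):
        q = poly_mul(q, [(-j) % p, 1], p)
    scale = pow((poly_eval(q, 0, p) + poly_eval(q, 1, p)) % p, -1, p)
    q = [c * scale % p for c in q] + [0]  # pad to d+1 coefficients
    def respond(prefix, claimed):
        h = honest(prefix, claimed)
        delta = (claimed - poly_eval(h, 0, p) - poly_eval(h, 1, p)) % p
        return [(hc + delta * qc) % p for hc, qc in zip(h, q)]
    return respond

def sumcheck_verify(g, n, d, p, k, prover, coins):
    """Verifier of Definition 42; `coins` yields V's r_i. True = acc, False = rej."""
    claimed, prefix = k % p, ()
    for _ in range(n):
        h = prover(prefix, claimed)
        if len(h) > d + 1 or (poly_eval(h, 0, p) + poly_eval(h, 1, p)) % p != claimed:
            return False                                     # step 2(c): rej
        r = next(coins) % p                                  # r_i <- F_p
        claimed, prefix = poly_eval(h, r, p), prefix + (r,)  # b_i <- h(r_i), Eq. (3.26)
    return claimed == g(prefix)                              # step 3

def acceptance_rate(k, prover_factory, trials=500, seed=0):
    """Fraction of runs in which V accepts the claim k, over fresh verifier coins."""
    g, rng = arithmetize(CLAUSES, P), random.Random(seed)
    prover = prover_factory(g, N_VARS, DEGREE, P)
    coins = (rng.randrange(P) for _ in count())  # endless stream of r_i
    return sum(sumcheck_verify(g, N_VARS, DEGREE, P, k, prover, coins)
               for _ in range(trials)) / trials

if __name__ == "__main__":
    k = count_satisfying(CLAUSES, N_VARS)
    print(k, acceptance_rate(k, honest_prover), acceptance_rate(k + 1, colliding_prover),
          "Claim 43 bound %.3f" % (1 - (1 - DEGREE / P) ** N_VARS))
```

With these parameters the colliding prover is accepted on a false claim roughly 12% of the time, below the bound 1 − (1 − d/p)^n of Claim 43; at the asymptotic p ∈ (2^n, 2^{2n}] of Definition 42 the same d/p collision is negligible.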
Here we recall the measurement protocol from [Mah18; Bar+22] and formalize it as a weak classical commitment to quantum state protocol.

Definition 47 (Weak Classical Commitment to Quantum State Scheme). [Bra+18; Mah18] A weak classical commitment to an ℓ-qubit quantum state is specified by the five algorithms

(Gen_W, Commit_W, Open_W, Test_W, Out_W)

1. Gen_W is a PPT algorithm that takes as input the security parameter λ (in unary) and a string h ∈ {0, 1}^ℓ, and outputs a pair (pk, sk) ← Gen_W(1^λ, h), where pk is referred to as the public key and sk is referred to as the secret key.
2. Commit_W is a QPT algorithm that takes as input a public key pk and a quantum state σ and outputs a pair (y, ρ) ← Commit_W(pk, σ), where y is a classical string, referred to as the commitment string, and ρ is a quantum state.
3. Open_W is a QPT algorithm that takes as input a bit c ∈ {0, 1} and a quantum state ρ and outputs a classical string z ← Open_W(ρ, c), referred to as the opening string.
4. Test_W is a polynomial time algorithm that takes as input a public key pk and a pair (y, z), where y is a commitment string and z is an opening string, and outputs {acc, rej} ← Test_W(pk, (y, z)).
5. Out_W is a polynomial time algorithm that takes as input a secret key sk and a pair (y, z), where y is a commitment string and z is an opening string, and outputs a classical string m ∈ {0, 1}^ℓ.

The commitment protocol associated with the tuple (Gen_W, Commit_W, Open_W, Test_W, Out_W) is a two-party protocol between a QPT committer C which takes as input a quantum state σ, and a PPT verifier V which takes as input a classical string h ∈ {0, 1}^ℓ. Both parties also take as input the unary security parameter λ. The protocol consists of two phases, COMMIT and OPEN, proceeding as follows:

• COMMIT phase:
 1. [C ← V]: V samples (pk, sk) ← Gen_W(1^λ, h) and sends the public key pk to C.
 2. [C → V]: C computes (y, ρ) ← Commit_W(pk, σ) and sends the commitment string y to the verifier.
• OPEN phase:
 1.
[C ← V]: V samples a random challenge bit c ← {0, 1} and sends c to C.
 2. [C → V]: C sends z ← Open_W(ρ, c) to V.
 3. If c = 0, V outputs {acc, rej} ← Test_W(pk, y, z). If c = 1, V outputs m ← Out_W(sk, y, z).

A measurement protocol acts over registers P, Y, Z, W, where P contains the public component of the output of Gen_W, Y contains the output of Commit_W, Z contains the output of Open_W, and W are additional work registers. Additionally, the commitment protocol satisfies the following properties for correctness and binding.

Definition 48 (Measurement Protocol Correctness). [Bar+22; Mah18] Let σ(h) denote the distribution resulting from measuring each qubit i of a quantum state σ in the basis specified by h_i for i ∈ [ℓ]. A measurement protocol is correct if, for all ℓ-qubit quantum states σ and for every h ∈ {0, 1}^ℓ, the following two properties are satisfied:

1. (Test Round Completeness):

$$\Pr\left[\mathrm{acc} \leftarrow \mathrm{Test}_W(pk, y, z) \;:\; \begin{array}{l} (pk, sk) \leftarrow \mathrm{Gen}_W(1^\lambda, h); \\ (y, \rho) \leftarrow \mathrm{Commit}_W(pk, \sigma); \\ z \leftarrow \mathrm{Open}_W(\rho, 0) \end{array}\right] = 1 - \mathrm{negl}(\lambda) \qquad (3.33)$$

2. (Measurement Round Completeness):

$$\left\{ m \leftarrow \mathrm{Out}_W(sk, y, z) \;:\; \begin{array}{l} (pk, sk) \leftarrow \mathrm{Gen}_W(1^\lambda, h); \\ (y, \rho) \leftarrow \mathrm{Commit}_W(pk, \sigma); \\ z \leftarrow \mathrm{Open}_W(\rho, 1) \end{array}\right\} \approx_c \sigma(h) \qquad (3.34)$$

Definition 49 (Measurement Protocol Soundness). [Bar+22] A measurement protocol is binding if there exists a PPT classical algorithm SimGen and a QPT oracle machine Ext such that, for any cheating BQP committer C* with quantum state σ that satisfies, for every h ∈ {0, 1}^ℓ,

$$\Pr\left[\mathrm{acc} \leftarrow \mathrm{Test}_W(pk, y, z) \;:\; \begin{array}{l} (pk, sk) \leftarrow \mathrm{Gen}_W(1^\lambda, h); \\ (y, \rho) \leftarrow C^*.\mathrm{Commit}_W(pk, \sigma); \\ z \leftarrow C^*.\mathrm{Open}_W(\rho, 0) \end{array}\right] = 1 - \mathrm{negl}(\lambda), \qquad (3.35)$$

it holds that for every h ∈ {0, 1}^ℓ,

$$\mathrm{Sim}^{C^*}(1^\lambda, h) \approx_c \mathrm{Real}^{C^*}(1^\lambda, h)$$

where

• $\mathrm{Sim}^{C^*}(1^\lambda, h)$ is the output distribution of the following procedure:
 1. Sample (pk, sk) ← SimGen(1^λ).
 2. Execute the commitment round to obtain (y, ρ) ← C*.Commit_W(σ).
 3. Execute τ ← Ext^{C*}(pk, sk, y, ρ).
 4.
Measure τ in the basis specified by h, where h_i = 0 corresponds to the standard basis and h_i = 1 corresponds to the Hadamard basis, and output these measurement values.
• $\mathrm{Real}^{C^*}(1^\lambda, h)$ is the output distribution of the following procedure:
 1. Sample (pk, sk) ← Gen_W(1^λ, h).
 2. Emulate the commitment round to obtain (y, ρ) ← C*.Commit_W(σ).
 3. Emulate the opening phase round corresponding to c = 1 to obtain z ← C*.Open_W(ρ, 1).
 4. Compute m ← Out_W(sk, y, z) and output m.

As explained in [Mah18], this scheme is sufficient for verification, since it can be assumed that any violation of the binding guarantee that produces a new committed state |ψ̃⟩ was the state originally committed to. However, for broader applications of classical commitment to quantum state schemes, this is not sufficient. In this work, we construct a fully binding commitment scheme. This lays the foundation for constructing commitments that, in addition to the fully binding property, are also succinct, which has applications for succinct classical arguments for QMA, as presented in [Gun+24].

In what follows, we define the construction of a measurement protocol for committing to an ℓ-qubit quantum state, as presented in [Mah18] and [Bar+22].

Definition 50 (Measurement Protocol Construction). [Mah18; Bra+18] The construction assumes access to a noisy trapdoor claw-free (NTCF) function family

(Gen_NTCF, Eval_NTCF, Invert_NTCF, Check_NTCF, Good_NTCF)

The algorithms (Gen_W, Commit_W, Open_W, Test_W, Out_W) are defined as follows.

• Gen_W(1^λ, h): identical to Gen_NTCF.
• Commit_W(pk, ∑_{s∈{0,1}^ℓ} α_s|s⟩):
 1. Parse pk = (pk_0, pk_1, . . . , pk_{n+1}).
 2. Apply a unitary U_Eval that prepares the following state:

$$|\psi\rangle = \frac{1}{\sqrt{2^{n+1}}} \sum_{s \in \{0,1\}^\ell} \sum_{x \in \{0,1\}^n} \alpha_s\, |s\rangle |x\rangle |\mathrm{Eval}_{NTCF}(pk, s, x)\rangle \qquad (3.36)$$

 3. Measure the Eval register in the standard basis to get a commitment string y = (y_1, . . . , y_ℓ) and the following state:

$$|\psi'\rangle = \sum_{s \in \{0,1\}^\ell} \alpha_s |s\rangle |x_s\rangle \qquad (3.37)$$

 where $x_s = (x_{s_1}, \dots, x_{s_\ell})$ and each $x_{s_j} \in D_{pk_j}$ is such that $y_j \in \mathrm{Supp}(\mathrm{Eval}_{NTCF}(pk_j, s_j, x_{s_j}))$.
• Open_W(|ψ'⟩, c): measure each qubit i of |ψ'⟩ in the basis c, where c = 0 denotes the standard basis and c = 1 denotes the Hadamard basis.
• Test_W(pk, (y, z)):
 1. Parse z = (s, x_s) for some s ∈ {0, 1}^ℓ.
 2. Output acc if and only if Check_NTCF(pk, s, x_s, y) = 1.
• Out_W(sk, (y, z)):
 1. Parse z = (d_1, . . . , d_ℓ).
 2. For every i ∈ [ℓ]: run ((0, x_{0,i}), (1, x_{1,i})) ← Invert(sk, y_i). Compute m_i ← d_i · (1, (x_{0,i} ⊕ x_{1,i})). Output m = (m_1, . . . , m_ℓ) if and only if Good(x_{0,i}, x_{1,i}, d_i) ≠ 1 for all i ∈ [ℓ].

Chapter 4

Classical Commitments to Quantum States

In this section we formally define a scheme for classical commitments to quantum states, which builds on the notion of a measurement protocol (Definition 47) in several ways:
• The choice of the basis opening is delayed to the OPEN phase, and is therefore allowed to be adaptive. Namely, Gen depends only on the security parameter.
• The soundness property of a measurement protocol guarantees that there exists some underlying quantum state in the space of a cheating committer which, when measured in the standard and Hadamard bases, is computationally indistinguishable from the prover's final distribution in the protocol. When lifted to a commitment scheme, this means that a cheating committer will succeed with non-negligible probability, and therefore the scheme is not binding. The binding property for our scheme is significantly stronger: a cheating prover's hands are fully tied in both the standard and Hadamard bases. Our binding definition guarantees that, for any BQP cheating committer C* that commits to an ℓ-qubit quantum state with C*.Commit, there exists a single quantum state τ such that for any BQP algorithm C*.Open, and any basis opening (b_1, . . . , b_ℓ), the distribution resulting from C*.Open is computationally indistinguishable from measuring τ in the basis (b_1, . . . , b_ℓ).
4.1 Syntax

In what follows we define the syntax of a commitment scheme. The length of the commitment string that commits to an ℓ-qubit quantum state is determined in the key generation algorithm, and the run-time of all the algorithms grows polynomially with ℓ.

Definition 51. A classical commitment to an ℓ-qubit quantum state is associated with algorithms

(Gen, Commit, Open, Ver, Out)

with the following syntax:
1. Gen is a PPT algorithm that takes as input a security parameter λ and a length parameter ℓ (both in unary), and outputs a pair (pk, sk) ← Gen(1^λ, 1^ℓ), where pk is referred to as the public key and sk is referred to as the secret key.
2. Commit is a BQP algorithm that takes as input a public key pk and an ℓ-qubit quantum state σ and outputs a pair (y, ρ) ← Commit(pk, σ), where y is a classical string referred to as the commitment string and ρ is a quantum state.
3. Open is a BQP algorithm that takes as input a quantum state ρ and a basis (b_1, . . . , b_ℓ) ∈ {0, 1}^ℓ (where b_j = 0 corresponds to opening the j'th qubit in the standard basis and b_j = 1 corresponds to opening it in the Hadamard basis). It outputs a pair (z, ρ') ← Open(ρ, (b_1, . . . , b_ℓ)), where z is a classical bit string referred to as the opening string, and ρ' is the residual state (which is sometimes omitted).
4. Ver is a polynomial time algorithm that takes a tuple (sk, y, (b_1, . . . , b_ℓ), z), where sk is a secret key, y is a commitment string (to the quantum state), (b_1, . . . , b_ℓ) ∈ {0, 1}^ℓ is a string specifying the opening basis, and z is an opening string. It outputs 0 if z is not a valid opening and outputs 1 otherwise.
5. Out is a polynomial time algorithm that takes a tuple (sk, y, (b_1, . . . , b_ℓ), z) (as above), and outputs an ℓ-bit string m ← Out(sk, y, (b_1, . . . , b_ℓ), z).

The protocol associated with the tuple (Gen, Commit, Open, Ver, Out) is a two-party protocol between a BQP committer C and a PPT verifier V and consists of two phases, COMMIT and OPEN.
During the COMMIT phase, V takes as input a security parameter λ and a length parameter ℓ, and C takes in an arbitrary quantum state σ. During the OPEN phase, V takes as input a basis (b_1, . . . , b_ℓ) ∈ {0, 1}^ℓ. The protocol proceeds as follows:

• COMMIT phase:
 1. [C ← V]: V samples (pk, sk) ← Gen(1^λ, 1^ℓ) and sends the public key pk to C.
 2. [C → V]: C computes (y, ρ) ← Commit(pk, σ) and sends the commitment string y to V.
• OPEN phase:
 1. [C ← V]: V sends an opening basis (b_1, . . . , b_ℓ) to C.
 2. [C → V]: C computes (z, ρ') ← Open(ρ, (b_1, . . . , b_ℓ)) and sends z to V.
 3. [V]: V checks that Ver(sk, y, (b_1, . . . , b_ℓ), z) = 1, and if so it outputs m ← Out(sk, y, (b_1, . . . , b_ℓ), z) as the decommitment. Otherwise, it outputs ⊥.

Remark 52. One could define Open, Ver, Out to operate on one qubit at a time. Namely, one could define Open to take as input a quantum state ρ, an index j ∈ [ℓ] and a basis b ∈ {0, 1}, and output a pair (z, ρ') ← Open(ρ, (j, b)), and define Ver and Out to take as input (sk, y, (j, b), z) and output a bit (indicating accept/reject for Ver and indicating an output bit for Out). In our constructions in Section 4.3 we first define Open, Ver and Out to operate on one qubit at a time, and then show how to extend this to a multi-qubit commitment.

4.2 Properties

We require that a commitment scheme satisfies two properties, correctness and binding, defined below.

4.2.1 Correctness

The correctness property certifies that when all parties are honest, the committer is accepted by the verifier with high probability.

Definition 53 (Correctness). A classical commitment to an ℓ-qubit quantum state scheme is correct if for any ℓ-qubit quantum state σ, and any basis b = (b_1, . . . , b_ℓ) ∈ {0, 1}^ℓ,

$$\mathrm{Real}(1^\lambda, \sigma, b) \equiv \sigma(b), \qquad (4.1)$$

where σ(b) is the distribution obtained by measuring each qubit j of σ in the basis specified by b_j (standard if b_j = 0, Hadamard if b_j = 1), and Real(1^λ, σ, b) is the distribution resulting from the following experiment:
1.
Generate (pk, sk) ← Gen(1^λ, 1^ℓ).
2. Generate (y, ρ) ← Commit(pk, σ).
3. Compute (z, ρ') ← Open(ρ, b).
4. If Ver(sk, y, b, z) = 0 then output ⊥.
5. Otherwise, output Out(sk, y, b, z).

4.2.2 Binding

Our binding guarantee is fully non-adaptive: a cheating committer cannot change the way they open based on any information they learn after the commitment phase, and the opening distribution is consistent with the distribution of a qubit.

Remark 54. To simplify the analysis, we consider only cheating committers that are accepted with high probability. This can be ensured by repetition. Namely, for every ϵ, δ > 0, by repeating the commitment and opening protocol $O\!\left(\frac{\log(1/\epsilon)}{\delta}\right)$ times, if a cheating committer C* is accepted in all of the executions with probability at least ϵ then a random execution is accepted with probability at least 1 − δ. We emphasize that the size of the quantum state, ℓ, grows polynomially as a function of the security parameter λ.

Definition 55 (Binding). A classical commitment scheme to a multi-qubit quantum state is said to be computationally binding if there exists a QPT oracle machine Ext such that: For any QPT algorithm C*.Commit, any poly(λ)-size quantum state σ, any polynomial ℓ = ℓ(λ), any basis b = (b_1, . . . , b_ℓ), and any QPT algorithms C*_1.Open and C*_2.Open, the following holds for every i ∈ {1, 2}:

$$\mathrm{Real}^{C^*.\mathrm{Commit},\, C^*_1.\mathrm{Open}}(\lambda, b, \sigma) \;\overset{\eta}{\approx}\; \mathrm{Real}^{C^*.\mathrm{Commit},\, C^*_2.\mathrm{Open}}(\lambda, b, \sigma) \qquad (4.2)$$

and

$$\mathrm{Real}^{C^*.\mathrm{Commit},\, C^*_i.\mathrm{Open}}(\lambda, b, \sigma) \;\overset{\eta}{\approx}\; \mathrm{Ideal}^{\mathrm{Ext},\, C^*.\mathrm{Commit},\, C^*_i.\mathrm{Open}}(\lambda, b, \sigma) \qquad (4.3)$$

where $\eta = O(\sqrt{\delta})$ and

$$\delta = \mathop{\mathbb{E}}_{\substack{(pk, sk) \leftarrow \mathrm{Gen}(1^\lambda, 1^\ell) \\ (y, \rho) \leftarrow C^*.\mathrm{Commit}(pk, \sigma)}} \;\max_{\substack{i \in \{1,2\} \\ b' \in \{b, 0, 1\}}} \Pr\big[\mathrm{Ver}(sk, y, b', C^*_i.\mathrm{Open}(\rho, b')) = 0\big], \qquad (4.4)$$

and where $\mathrm{Real}^{C^*.\mathrm{Commit},\, C^*_i.\mathrm{Open}}(\lambda, b, \sigma)$ is defined as follows:
• (pk, sk) ← Gen(1^λ, 1^ℓ).
• (y, ρ) ← C*.Commit(pk, σ).
 1. Compute (z, ρ') ← C*_i.Open(ρ, b).
 2. If Ver(sk, y, b, z) = 0 then output ⊥.
 3. Otherwise, let m = Out(sk, y, b, z).
 4. Output (pk, y, b, m).

$\mathrm{Ideal}^{\mathrm{Ext},\, C^*.\mathrm{Commit},\, C^*_i.\mathrm{Open}}(\lambda, b, \sigma)$ is defined as follows:
1.
(pk, sk) ← Gen(1^λ, 1^ℓ).
2. (y, ρ) ← C*.Commit(pk, σ).
3. Let $\tau = \mathrm{Ext}^{C^*_i.\mathrm{Open}}_{\mathcal{A},\mathcal{B}}(sk, y, \rho)$.
4. Measure $\tau_{\mathcal{A}}$ in the basis b = (b_1, . . . , b_ℓ) to obtain m ∈ {0, 1}^ℓ.
5. Output (pk, y, b, m).

Remark 56. Throughout this write-up, to avoid cluttering of notation, we omit the superscript C*.Commit from $\mathrm{Real}^{C^*.\mathrm{Commit},\, C^*.\mathrm{Open}}(\lambda, b, \sigma)$ and $\mathrm{Ideal}^{\mathrm{Ext},\, C^*.\mathrm{Commit},\, C^*.\mathrm{Open}}(\lambda, b, \sigma)$, and denote these by $\mathrm{Real}^{C^*.\mathrm{Open}}(\lambda, b, \sigma)$ and $\mathrm{Ideal}^{\mathrm{Ext},\, C^*.\mathrm{Open}}(\lambda, b, \sigma)$, respectively.

Remark 57. We prove that our commitment scheme is sound with $\eta \le 10\sqrt{\delta}$. Note that δ is a bound on the probability that the openings of C*_i.Open are rejected not only on basis b, but also on basis 0 and 1. We note that for Equation (4.2) we do not need to bound the probability that C*_i.Open is rejected on basis 0 and basis 1, and indeed we do not bound these probabilities in the proof (see Lemma 67). The reason we need to bound these probabilities to prove Equation (4.3) is that our extractor uses the openings of C*_i.Open on basis 0 and 1 to extract the quantum state.

4.3 Constructions

In this section we present our constructions. We first construct a classical commitment scheme for committing to a single-qubit state. This can be found in Section 4.4. Then, we show a generic transformation that converts any single-qubit commitment scheme into a multi-qubit commitment scheme. This can be found in Section 4.5. In this scheme the size of the public key and the size of the commitments grow with the length of the quantum state committed to. We analyze these schemes in Chapter 5.

4.4 Construction for Single Qubit States

In this section, we describe our commitment scheme for a quantum state that consists of a single qubit, denoted by α_0|0⟩ + α_1|1⟩. We use as a building block the commitment algorithm Commit_W from [Mah18] for the multi-qubit case, as given in Definition 50 and recalled here. This algorithm makes use of an NTCF family (Gen_NTCF, Eval_NTCF, Invert_NTCF, Check_NTCF, Good_NTCF).
The public key $pk$ used by $\mathrm{Commit}_W$ to commit to an $\ell$-qubit state is of the form $pk = (pk_1, \ldots, pk_\ell)$, where each $pk_j$ is a public key generated by $\mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$. The QPT algorithm
$$\mathrm{Commit}_W\Big((pk_1, \ldots, pk_\ell),\ \sum_{s \in \{0,1\}^\ell} \alpha_s |s\rangle_S\Big)$$
outputs the following:
1. A measurement outcome $y = (y_1, \ldots, y_\ell)$, where each $y_j \in R_{pk_j}$.
2. A state $|\varphi\rangle$ such that
$$|\varphi\rangle \equiv \sum_{s \in \{0,1\}^\ell} \alpha_s |s\rangle_S |x_s\rangle_Z, \qquad (4.5)$$
where $x_s = (x_{s_1}, \ldots, x_{s_\ell})$, each $x_{s_j} \in D_{pk_j}$, and $y_j \in \mathrm{Supp}(\mathrm{Eval}(pk_j, s_j, x_{s_j}))$.

Construction 58 (Commitment Scheme). Our construction uses a noisy trapdoor claw-free (NTCF) function family $(\mathrm{Gen}_{\mathrm{NTCF}}, \mathrm{Eval}_{\mathrm{NTCF}}, \mathrm{Invert}_{\mathrm{NTCF}}, \mathrm{Check}_{\mathrm{NTCF}}, \mathrm{Good}_{\mathrm{NTCF}})$ and the algorithm $\mathrm{Commit}_W$ given in Definition 50. Our algorithms are defined as follows:

• $\mathrm{Gen}(1^\lambda)$:
1. For every $i \in \{0, 1, \ldots, n+1\}$ sample $(pk_i, sk_i) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$, where $n = n(\lambda)$ is such that the domain of each trapdoor claw-free function is a subset of $\{0,1\}^n$.
2. Let $pk = (pk_0, pk_1, \ldots, pk_{n+1})$ and $sk = (sk_0, sk_1, \ldots, sk_{n+1})$.
3. Output $(pk, sk)$.

• $\mathrm{Commit}(pk, \alpha_0|0\rangle + \alpha_1|1\rangle)$:
1. Parse $pk = (pk_0, pk_1, \ldots, pk_{n+1})$.
2. Compute $(y_0, |\varphi_0\rangle) \leftarrow \mathrm{Commit}_W(pk_0, \alpha_0|0\rangle + \alpha_1|1\rangle)$, where
$$|\varphi_0\rangle_{S,Z} \equiv \sum_{s \in \{0,1\}} \alpha_s |s\rangle_S |x_s\rangle_Z.$$
Here $x_s \in \{0,1\}^n$ and $y_0 \in \mathrm{Supp}(\mathrm{Eval}_{\mathrm{NTCF}}(pk_0, s, x_s))$ for every $s \in \{0,1\}$. Note that register $S$ consists of 1 qubit and $Z$ consists of $n$ qubits.¹
3. Apply the Hadamard unitary $H^{\otimes(n+1)}$ to $|\varphi_0\rangle$ to obtain
$$|\varphi_1\rangle_{S,Z} = H^{\otimes(n+1)}|\varphi_0\rangle \equiv \frac{1}{\sqrt{2^{n+1}}} \sum_{d \in \{0,1\}^{n+1}} \underbrace{(-1)^{d \cdot (0, x_0)}\big(\alpha_0 + (-1)^{d \cdot (1, x_0 \oplus x_1)} \alpha_1\big)}_{\beta_d} |d\rangle_{S,Z}.$$
4. Apply the algorithm $\mathrm{Commit}_W$ with $pk_1$ to register $S$ of $|\varphi_1\rangle_{S,Z}$, and for every $i \in \{2, \ldots, n+1\}$ apply $\mathrm{Commit}_W$ with $pk_i$ to register $Z_i$ of $|\varphi_1\rangle_{S,Z}$. Denote the output by $(y_1, \ldots, y_{n+1})$ and the resulting state by
$$|\varphi_2\rangle_{S,Z,Z'} \equiv \frac{1}{\sqrt{2^{n+1}}} \sum_{d \in \{0,1\}^{n+1}} \beta_d |d\rangle_{S,Z} |x'_{1,d_1}, x'_{2,d_2}, \ldots, x'_{n+1,d_{n+1}}\rangle_{Z'},$$
where for every $i \in \{1, \ldots, n+1\}$ and every $d_i \in \{0,1\}$, $y_i \in \mathrm{Supp}(\mathrm{Eval}_{\mathrm{NTCF}}(pk_i, d_i, x'_{i,d_i}))$. Note that the $Z'$ register consists of $n \cdot (n+1)$ qubits, and we partition these qubits into registers $Z'_1, \ldots, Z'_{n+1}$, each consisting of $n$ qubits.
5. Rename the register $S$ to $Z_1$ and split the register $Z$ into registers $Z_2, \ldots, Z_{n+1}$ of 1 qubit each. Permute the registers to obtain a state $|\varphi_3\rangle$ such that
$$|\varphi_3\rangle \equiv \frac{1}{\sqrt{2^{n+1}}} \sum_{d \in \{0,1\}^{n+1}} \beta_d |d_1\rangle_{Z_1} |x'_{1,d_1}\rangle_{Z'_1} \cdots |d_{n+1}\rangle_{Z_{n+1}} |x'_{n+1,d_{n+1}}\rangle_{Z'_{n+1}}.$$
6. Output $(y_0, y_1, \ldots, y_{n+1})$ and $|\varphi_3\rangle$.

¹ We mention that [Mah18] used a dual-mode NTCF family, where each $pk_i$ is generated either in an injective mode or in a two-to-one mode, depending on the opening basis, which is assumed to be fixed ahead of time.

• $\mathrm{Open}(|\varphi\rangle, b)$: If $b = 1$ (corresponding to an opening in the Hadamard basis) then output the measurement of $|\varphi\rangle$ in the standard basis, and if $b = 0$ (corresponding to an opening in the standard basis) then output the measurement of $|\varphi\rangle$ in the Hadamard basis.

• $\mathrm{Ver}(sk, y, b, z)$:
1. Parse $sk = (sk_0, sk_1, \ldots, sk_{n+1})$.
2. Parse $y = (y_0, y_1, \ldots, y_{n+1})$.
3. Condition on $b$:
∗ If $b = 0$:
(a) Parse $z = (z_1, \ldots, z_{n+1})$ where each $z_i \in \{0,1\}^{n+1}$.
(b) For every $i \in \{1, \ldots, n+1\}$ compute $((0, x'_{i,0}), (1, x'_{i,1})) = \mathrm{Invert}_{\mathrm{NTCF}}(sk_i, y_i)$.
(c) If there exists $i \in [n+1]$ such that $z_i \notin \mathrm{Good}_{x'_{i,0}, x'_{i,1}}$ then output 0.
(d) Else, for every $i \in [n+1]$ let $m_i = z_i \cdot (1, x'_{i,0} \oplus x'_{i,1})$.
(e) If $\mathrm{Check}_{\mathrm{NTCF}}(pk_0, m_1, (m_2, \ldots, m_{n+1}), y_0) \neq 1$, output 0. Else, output 1.
∗ If $b = 1$:
(a) Parse $z = (d_1, x'_1, \ldots, d_{n+1}, x'_{n+1})$ and let $d = (d_1, \ldots, d_{n+1})$.
(b) Compute $((0, x_0), (1, x_1)) = \mathrm{Invert}_{\mathrm{NTCF}}(sk_0, y_0)$.
(c) Verify that:
i. $\mathrm{Check}_{\mathrm{NTCF}}(pk_i, d_i, x'_i, y_i) = 1$ for every $i \in \{1, \ldots, n+1\}$.
ii. $d \in \mathrm{Good}_{x_0, x_1}$.
If any of these checks does not hold output 0, and otherwise output 1.

• $\mathrm{Out}(sk, y, b, z)$:
1. Parse $sk = (sk_0, sk_1, \ldots, sk_{n+1})$.
2. Parse $y = (y_0, y_1, \ldots, y_{n+1})$.
3. Condition on $b$:
∗ If $b = 0$:
(a) Parse $z = (z_1, \ldots, z_{n+1})$.
(b) Compute $((0, x'_{1,0}), (1, x'_{1,1})) = \mathrm{Invert}_{\mathrm{NTCF}}(sk_1, y_1)$.
(c) Output $m_1 = z_1 \cdot (1, x'_{1,0} \oplus x'_{1,1})$.
∗ If $b = 1$:
(a) Compute $((0, x_0), (1, x_1)) = \mathrm{Invert}_{\mathrm{NTCF}}(sk_0, y_0)$.
(b) Parse $z = (d_1, x'_1, \ldots, d_{n+1}, x'_{n+1})$ and let $d = (d_1, \ldots, d_{n+1})$.
(c) Output $m = d \cdot (1, x_0 \oplus x_1)$.

4.5 Construction of Commitments for Multi-Qubit States

One way to extend our single-qubit commitment scheme to a multi-qubit one is to commit to an $\ell$-qubit state qubit-by-qubit, by generating $\ell$ key pairs and using the $i$'th key pair to commit to and open the $i$'th qubit. This construction results in key size and commitment size that grow linearly with $\ell$, and is presented below.

Construction 59 (Scheme for Multi-Qubit States). Given any single-qubit commitment scheme $(\mathrm{Gen}_1, \mathrm{Commit}_1, \mathrm{Open}_1, \mathrm{Ver}_1, \mathrm{Out}_1)$ we construct a multi-qubit commitment scheme consisting of algorithms $(\mathrm{Gen}, \mathrm{Commit}, \mathrm{Open}, \mathrm{Ver}, \mathrm{Out})$ defined as follows, where we define $(\mathrm{Open}, \mathrm{Ver}, \mathrm{Out})$ to operate one qubit at a time (see Remark 52):

• $\mathrm{Gen}(1^\lambda, 1^\ell)$:
1. For every $i \in [\ell]$ sample $(pk_i, sk_i) \leftarrow \mathrm{Gen}_1(1^\lambda)$.
2. Let $pk = (pk_1, \ldots, pk_\ell)$ and $sk = (sk_1, \ldots, sk_\ell)$.
3. Output $(pk, sk)$.

• $\mathrm{Commit}(pk, \sigma)$:
1. Parse $pk = (pk_1, \ldots, pk_\ell)$.
2. We assume that $\sigma$ is an $\ell$-qubit state, and we denote the $\ell$ registers of $\sigma$ by $S_1, \ldots, S_\ell$.
3. Execute the following steps:
(a) Let $\rho_0 = \sigma$.
(b) For every $j \in \{1, \ldots, \ell\}$, apply $\mathrm{Commit}_1$ with key $pk_j$ to register $S_j$ of the state $\rho_{j-1}$, obtaining an outcome $y_j$ and a post-measurement state $(\rho_j)_{S_1, \ldots, S_\ell, Z_1, \ldots, Z_j}$.
4. Output $(y, (\rho_\ell)_{S_1, \ldots, S_\ell, Z_1, \ldots, Z_\ell})$, where $y = (y_1, \ldots, y_\ell)$.

• $\mathrm{Open}(\rho_{S_1, \ldots, S_\ell, Z_1, \ldots, Z_\ell}, (j, b_j))$:
1. Apply $\mathrm{Open}_1$ with basis $b_j$ to registers $\{S_j, Z_j\}$ of $\rho_{S_1, \ldots, S_\ell, Z_1, \ldots, Z_\ell}$, obtaining an outcome $z_j$ and post-measurement state $\rho'_j$.
2. Output $(z_j, \rho'_j)$.

• $\mathrm{Ver}(sk, y, (j, b_j), z_j)$:
1. Parse $sk = (sk_1, \ldots, sk_\ell)$ and $y = (y_1, \ldots, y_\ell)$.
2. Output $\mathrm{Ver}_1(sk_j, y_j, b_j, z_j)$.

• $\mathrm{Out}(sk, y, (j, b_j), z_j)$:
1. Parse $sk = (sk_1, \ldots, sk_\ell)$ and $y = (y_1, \ldots, y_\ell)$.
2. Output $m_j \leftarrow \mathrm{Out}_1(sk_j, y_j, b_j, z_j)$.
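The following script is an added illustration, not the thesis's own code: it simulates Construction 58 end to end on sparse state vectors, with n = 2 and a stand-in NTCF family f_k(s, x) = x ⊕ s·k (assumed here; it is two-to-one but has none of the security properties, and Good is taken to be the whole set), and reproduces the two correctness claims of Section 5.1, namely that a Hadamard-basis opening of |+⟩ always yields 0 and a standard-basis opening of |1⟩ always yields 1.

```python
"""Toy simulation of the single-qubit scheme of Construction 58 (added example,
not the thesis's code).  The NTCF family is a stand-in assumed for this demo:
f_k(s, x) = x XOR (s * k) with pk = sk = k.  It is exactly two-to-one but has no
claw-freeness, collapsing or hardcore-bit property; Good_{x0,x1} = {0,1}^(n+1)."""
import math
import random

N = 2  # preimage length n; the committed state lives on 1 + n + n(n+1) qubits

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def dot(a, b):
    return sum(x & y for x, y in zip(a, b)) % 2

# ---- toy NTCF family (Gen, Eval, Invert, Check); no security is claimed --------
def gen_ntcf(rng):
    k = tuple(rng.randint(0, 1) for _ in range(N))
    k = k if any(k) else (1,) + k[1:]      # k = 0 would make f_k injective
    return k, k                            # (pk, sk)

def eval_ntcf(pk, s, x):
    return xor(x, tuple(s & bit for bit in pk))

def invert_ntcf(sk, y):
    return (0, y), (1, xor(y, sk))         # the claw ((0, x_0), (1, x_1)) of y

def check_ntcf(pk, s, x, y):
    return eval_ntcf(pk, s, x) == y

# ---- sparse pure states: {tuple of bits: amplitude} ---------------------------
def hadamard(state, qubits):
    for q in qubits:
        new = {}
        for bits, amp in state.items():
            for v in (0, 1):
                key = bits[:q] + (v,) + bits[q + 1:]
                new[key] = new.get(key, 0) + amp * (-1) ** (bits[q] * v) / math.sqrt(2)
        state = {k: a for k, a in new.items() if abs(a) > 1e-12}
    return state

def commit_w(state, q, sk, rng):
    """CommitW on qubit q.  Simulation shortcut: sample the image y and append the
    matching preimage x_s to each branch instead of evaluating f in superposition."""
    y = tuple(rng.randint(0, 1) for _ in range(N))   # uniform: f_k(0, .) is a bijection
    (_, x0), (_, x1) = invert_ntcf(sk, y)
    return y, {bits + (x1 if bits[q] else x0): amp for bits, amp in state.items()}

def measure(state, rng):
    return rng.choices(list(state), [abs(a) ** 2 for a in state.values()])[0]

# ---- Construction 58 -----------------------------------------------------------
def gen(rng):
    keys = [gen_ntcf(rng) for _ in range(N + 2)]       # (pk_i, sk_i), i = 0..n+1
    return [pk for pk, _ in keys], [sk for _, sk in keys]

def commit(sk, alpha0, alpha1, rng):
    y0, phi0 = commit_w({(0,): alpha0, (1,): alpha1}, 0, sk[0], rng)  # sum_s a_s|s>|x_s>
    phi1 = hadamard(phi0, range(N + 1))                 # sum_d beta_d |d>, d in {0,1}^(n+1)
    ys = [y0]
    for i in range(N + 1):                              # CommitW on each qubit d_i of |phi_1>
        yi, phi1 = commit_w(phi1, i, sk[i + 1], rng)
        ys.append(yi)
    return ys, phi1   # register order: d_1..d_{n+1}, x'_1, ..., x'_{n+1}

def open_(state, b, rng):
    if b == 1:                     # Hadamard-basis opening = standard-basis measurement
        return measure(state, rng)
    return measure(hadamard(state, range(1 + N + N * (N + 1))), rng)

def parse_std_opening(z):
    """Regroup a standard-basis opening as z_1..z_{n+1}, each in {0,1}^(n+1)."""
    w, v = z[:N + 1], z[N + 1:]
    return [(w[i],) + v[i * N:(i + 1) * N] for i in range(N + 1)]

def ver(pk, sk, y, b, z):
    if b == 0:
        m = []
        for i, zi in enumerate(parse_std_opening(z), start=1):   # every z_i is "good" here
            (_, x0), (_, x1) = invert_ntcf(sk[i], y[i])
            m.append(dot(zi, (1,) + xor(x0, x1)))     # m_i = z_i . (1, x'_{i,0} + x'_{i,1})
        return check_ntcf(pk[0], m[0], tuple(m[1:]), y[0])
    d, xs = z[:N + 1], z[N + 1:]                      # d in Good_{x0,x1} holds by assumption
    return all(check_ntcf(pk[i + 1], d[i], xs[i * N:(i + 1) * N], y[i + 1]) for i in range(N + 1))

def out(sk, y, b, z):
    if b == 0:
        (_, x0), (_, x1) = invert_ntcf(sk[1], y[1])
        return dot(parse_std_opening(z)[0], (1,) + xor(x0, x1))
    (_, x0), (_, x1) = invert_ntcf(sk[0], y[0])
    return dot(z[:N + 1], (1,) + xor(x0, x1))

def run(alpha0, alpha1, b, seed=0):
    """Honest commit/open/verify of alpha0|0> + alpha1|1> in basis b; None if Ver rejects."""
    rng = random.Random(seed)
    pk, sk = gen(rng)
    y, rho = commit(sk, alpha0, alpha1, rng)
    z = open_(rho, b, rng)
    return out(sk, y, b, z) if ver(pk, sk, y, b, z) else None
```

With the toy family the verifier never rejects an honest opening, so `run` returning the expected bit for every seed is exactly the statement of Lemmas 63 and 64 for these input states.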
Chapter 5 Analysis

5.1 Correctness

In this section we prove the correctness of Construction 59.

Theorem 60. The multi-qubit commitment scheme described in Construction 59 satisfies the correctness property given in Definition 53.

Section 4.5 commits to each qubit of a multi-qubit state independently by using the single-qubit protocol given in Construction 58 as a black box. Therefore, to prove Theorem 60 it suffices to prove the following theorem.

Theorem 61. The single-qubit commitment scheme described in Construction 58 satisfies the correctness property given in Definition 53.

We make use of the following lemma about $\mathrm{Commit}_W$ throughout the proof.

Lemma 62 (Correctness of $\mathrm{Commit}_W$). For any $\ell$-qubit quantum state $|\varphi\rangle = \sum_{s \in \{0,1\}^\ell} \alpha_s |s\rangle_S$ and any basis $b = (b_1, \ldots, b_\ell) \in \{0\}^\ell \cup \{1\}^\ell$,
$$\mathrm{Real}_W(1^\lambda, |\varphi\rangle, b) \overset{\mathrm{negl}(\lambda)}{\equiv} \sigma(b), \qquad (5.1)$$
where $\sigma(b)$ is the distribution obtained by measuring each qubit $j$ of $|\varphi\rangle$ in the basis specified by $b_j$ (standard if $b_j = 0$, Hadamard if $b_j = 1$), and $\mathrm{Real}_W(1^\lambda, |\varphi\rangle, b)$ is the distribution resulting from honestly opening the commitment. Specifically, $\mathrm{Real}_W(1^\lambda, |\varphi\rangle, b)$ is defined by:
1. For every $i \in \{0, 1, \ldots, \ell\}$, sample $(pk_i, sk_i) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$.
2. Compute $(y = (y_1, \ldots, y_\ell), |\varphi'\rangle) \leftarrow \mathrm{Commit}_W((pk_1, \ldots, pk_\ell), |\varphi\rangle)$, where $|\varphi'\rangle$ is of the same form as Equation (4.5).
3. If $b = 0^\ell$:
(a) Measure $|\varphi'\rangle$ in the standard basis to get $z = (z_1, \ldots, z_\ell)$. Parse each $z_i = (s_i, x_{i,s_i})$. If $\mathrm{Check}_{\mathrm{NTCF}}(pk_i, s_i, x_{i,s_i}, y_i) \neq 1$ for some $i \in [\ell]$, output $\bot$. Otherwise, output $s = (s_1, s_2, \ldots, s_\ell)$.
4. If $b = 1^\ell$:
(a) Measure $|\varphi'\rangle$ in the Hadamard basis to get $d = (d_1, \ldots, d_\ell) \in \{0,1\}^{\ell(n+1)}$. For each $j \in [\ell]$, compute $((0, x_{j,0}), (1, x_{j,1})) = \mathrm{Invert}_{\mathrm{NTCF}}(sk_j, y_j)$. If $d_j \notin \mathrm{Good}_{x_{j,0}, x_{j,1}}$ for some $j \in [\ell]$, output $\bot$. Otherwise, output $m = (m_1, \ldots, m_\ell)$, where each $m_j = d_j \cdot (1, x_{j,0} \oplus x_{j,1})$.

Proof. This follows directly from the proof of Lemma 5.3 in [Mah18], where the $b = 0^\ell$ case corresponds to the Test round and the $b = 1^\ell$ case corresponds to the Hadamard round.

Recall that in Construction 58, the final state $|\phi_3\rangle$ is the result of applying $\mathrm{Commit}_W$ to the state
$$|\phi_2\rangle = \frac{1}{\sqrt{2^{n+1}}} \sum_{d \in \{0,1\}^{n+1}} \beta_d |d\rangle$$
in the commitment procedure (pre-measurement). We now show that the outcome of opening $|\varphi_3\rangle$ in a basis $b \in \{0,1\}$ is statistically indistinguishable from measuring the initial state, $|\psi\rangle$, in the basis $b$. We proceed with the proof for pure states, which extends to the case of mixed and entangled states by linearity, and show correctness for each basis separately. We treat the correctness of $\mathrm{Commit}_W$ as a black box; namely, we make use of Lemma 62 throughout the proof.

Lemma 63 (Opening in the Hadamard basis, $b = 1$). For any pure single-qubit quantum state $|\psi\rangle = \alpha_0|0\rangle + \alpha_1|1\rangle$ and any NTCF family, the distributions over the outcomes of the following two experiments are statistically indistinguishable under Construction 58:
• Experiment 1. Measure $|\psi\rangle$ in the Hadamard basis and report the outcome.
• Experiment 2. Execute $\mathrm{Real}(1^\lambda, |\psi\rangle, b_1 = 1)$, as described in Definition 53.

Proof. By inspection, it can be seen that the distribution of outcomes obtained from $\mathrm{Real}(1^\lambda, |\psi\rangle, b_1 = 1)$ here is the same as the outcome obtained from the following procedure:
1. Generate keys $(sk_0, pk_0)$.
2. Apply the weak commitment once to get $y_0, |\phi_1\rangle \leftarrow \mathrm{Commit}_W(pk_0, |\psi\rangle)$.
3. Apply a Hadamard transform to the state to get $|\phi_2\rangle = H^{\otimes(n+1)}|\phi_1\rangle$.
4. Execute $\mathrm{Real}_W(1^\lambda, |\phi_2\rangle, 0^{n+1})$ to obtain an outcome $d = (d_0, \ldots, d_{n+1})$.
5. Report the outcome $d \cdot (1, x_0 \oplus x_1)$, where $\{(b, x_b)\}_{b=0,1} = \mathrm{Invert}_{\mathrm{NTCF}}(sk_0, y_0)$.

By Lemma 62 for standard basis openings, the distribution over $d$ is statistically close to the distribution obtained by measuring $|\phi_2\rangle$ in the standard basis. This, in turn, by construction is equal to the distribution obtained by measuring $|\phi_1\rangle$ in the Hadamard basis. Finally, by applying Lemma 62 again, this time for Hadamard basis openings, the distribution of $d \cdot (1, x_0 \oplus x_1)$ is statistically close to the distribution obtained by measuring $|\psi\rangle$ in the Hadamard basis.

Lemma 64 (Opening in the standard basis, $b = 0$). For any pure single-qubit quantum state $|\psi\rangle = \alpha_0|0\rangle + \alpha_1|1\rangle$ and any NTCF family, the distributions over the outcomes of the following two experiments are statistically indistinguishable under Construction 58:
• Experiment 1. Measure $|\psi\rangle$ in the standard basis and report the outcome.
• Experiment 2. Execute $\mathrm{Real}(1^\lambda, |\psi\rangle, b_1 = 0)$, as described in Definition 53.

Proof. By inspection, it can be seen that the distribution of outcomes obtained from $\mathrm{Real}(1^\lambda, |\psi\rangle, b_1 = 0)$ here is the same as the outcome obtained from the following procedure:
1. Generate keys $(sk_0, pk_0)$.
2. Apply the weak commitment once to get $y_0, |\phi_1\rangle \leftarrow \mathrm{Commit}_W(pk_0, |\psi\rangle)$.
3. Apply a Hadamard transform to the state to get $|\phi_2\rangle = H^{\otimes(n+1)}|\phi_1\rangle$.
4. Execute $\mathrm{Real}_W(1^\lambda, |\phi_2\rangle, 1^{n+1})$ to obtain an outcome $m = (m_0, \ldots, m_n)$.
5. If $\mathrm{Check}_{\mathrm{NTCF}}(pk_0, m_0, (m_1, \ldots, m_n), y_0) = 1$, output $m_0$; else, output $\bot$.

By Lemma 62, applied in the Hadamard basis case, the outcome $m$ has a distribution that is statistically close to the outcome of a Hadamard basis measurement of $|\phi_2\rangle$. By construction, this is equal to the distribution of the outcome of a standard basis measurement of $|\phi_1\rangle$. Finally, by Lemma 62, applied in the standard basis case, the standard basis outcome of $|\phi_1\rangle$ will pass the check $\mathrm{Check}_{\mathrm{NTCF}}(pk_0, m_0, (m_1, \ldots, m_n), y_0)$ with probability negligibly close to 1, and the bit $m_0$ will be distributed close to the distribution obtained by measuring $|\psi\rangle$ in the standard basis.

Proof of Theorem 61. The theorem follows immediately from Lemma 63 and Lemma 64.

5.2 Binding

In this section we prove the following two theorems.

Theorem 65.
The commitment scheme described in Section 4.5 satisfies the binding property given in Definition 55 (assuming the existence of an NTCF family).

To prove this, we need to prove that the scheme defined in Section 4.5 satisfies Equation (4.2) and Equation (4.3) of the binding property (Definition 55).

Remark 66. We note that Equation (4.2) only relies on the fact that the underlying NTCF family is collapsing (as defined in Claim 11), whereas Equation (4.3) relies on the adaptive hardcore bit property of the NTCF family from [BCMVV18].

We start by proving that the scheme satisfies Equation (4.2). We actually prove a stronger version of Equation (4.2), stated below.

Lemma 67 (Stronger version of Equation (4.2)). For any QPT algorithm $C^*.\mathrm{Commit}$ and quantum state $\sigma$, any purification $|\varphi\rangle$ of $\sigma$, any QPT algorithms $C^*_1.\mathrm{Open}$ and $C^*_2.\mathrm{Open}$, any $b \in \{0,1\}^\ell$, and any efficient unitaries $V_1$ and $V_2$, there exists a negligible function $\mu = \mu(\lambda)$ such that:
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_1^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_1 V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle - U_2^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_2 V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle \Big\|_2 \leq \eta + \epsilon + \mu \qquad (5.2)$$
where
• $\epsilon = \mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \| V_1 |\psi\rangle - V_2 |\psi\rangle \|_2$.
• $\eta = \sum_{j=1}^{\ell} 2\sqrt{\delta_j}$ for
$$\delta_j \triangleq \mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle) \\ (z_i,\rho'_i) \leftarrow C^*_i.\mathrm{Open}(\rho,b)}} \ \max_{i \in \{1,2\}} \Pr\left[\mathrm{Ver}(sk, y, (j, b_j), z_{i,j}) = 0 \ \middle|\ \mathrm{Ver}(sk, y, (k, b_k), z_{i,k}) = 1\ \forall k \in [j-1]\right] \qquad (5.3)$$
where $z_i = (z_{i,j})_{j=1}^{\ell}$.
• $|\psi_{\mathrm{ext}}\rangle = |0^\ell\rangle_{\mathrm{copy}} \otimes |0^\ell\rangle_{\mathrm{out}} \otimes |b\rangle_{\mathrm{basis}} \otimes |\psi\rangle$.
• For every $i \in \{1, 2\}$, $V_{\mathrm{ext},i} = I_{\mathrm{copy}} \otimes I_{\mathrm{out}} \otimes I_{\mathrm{basis}} \otimes V_i$.
• For every $i \in \{1, 2\}$, $U_i$ is the unitary defined by applying $C^*_i.\mathrm{Open}$ to the registers open and basis.
• $U_{\mathrm{Out}}$ is the unitary defined by first applying the unitary corresponding to $\mathrm{Ver}(sk, y, \cdot, \cdot)$ to registers open and basis, and, controlled on $\mathrm{Ver}$ accepting, applying the unitary corresponding to $\mathrm{Out}(sk, y, \cdot, \cdot)$ to registers open and basis, and writing the output on the register out.
• $\mathrm{CNOT}_{\mathrm{copy},\mathrm{out}}$ applies a CNOT to registers copy and out (i.e., it copies register out to register copy).

Moreover, $C^*_1.\mathrm{Open}$ and $C^*_2.\mathrm{Open}$ can be QPT given $sk_1, \ldots, sk_{n+1}$ when opening in the standard basis and QPT when opening in the Hadamard basis.¹ Alternatively, they can be QPT given $sk_0$ when opening in the Hadamard basis and QPT when opening in the standard basis.

¹ This generalization is needed to obtain Corollary 68.

Corollary 68. For any QPT algorithm $C^*.\mathrm{Commit}$ and quantum state $\sigma$, any QPT algorithms $C^*_1.\mathrm{Open}$ and $C^*_2.\mathrm{Open}$, and any $b \in \{0,1\}^\ell$,
$$\mathrm{Real}^{C^*_1.\mathrm{Open}}(\lambda, b, \sigma) \overset{2(\sqrt{\delta_0} + \sqrt{\delta_1})}{\approx} \mathrm{Real}^{C^*_2.\mathrm{Open}}(\lambda, b, \sigma)$$
where, denoting by $I_b = \{i \in [\ell] : b_i = b\}$,
$$\delta_b = \mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,\rho) \leftarrow C^*.\mathrm{Commit}(pk,\sigma) \\ z_i \leftarrow C^*_i.\mathrm{Open}(\rho,b)}} \ \max_{i \in \{1,2\}} \Pr\left[\mathrm{Ver}\big(sk, y, (I_b, b^{|I_b|}), z_{i,I_b}\big) = 0\right]$$
where $z_{i,I_b} = (z_{i,j})_{j \in I_b}$. Moreover, $C^*_1.\mathrm{Open}$ and $C^*_2.\mathrm{Open}$ can be QPT given $sk_1, \ldots, sk_{n+1}$ when opening in the standard basis and QPT when opening in the Hadamard basis.

Proof of Corollary 68. Fix any QPT algorithm $C^*.\mathrm{Commit}$ and quantum state $\sigma$, any algorithms $C^*_1.\mathrm{Open}$ and $C^*_2.\mathrm{Open}$ as in the statement of Corollary 68, and any basis $b$. For every $i \in \{1, 2\}$ we slightly change $C^*_i.\mathrm{Open}$ to $C^{**}_i.\mathrm{Open}$, as follows: $C^{**}_i.\mathrm{Open}(\rho, (j, b))$ coherently computes $z \leftarrow C^*_i.\mathrm{Open}(\rho, b)$ and outputs $z_j$ if $\mathrm{Ver}(sk, y, (I_b, b_{I_b}), z) = 1$, and otherwise it outputs $\bot$.² Note that $C^{**}_i.\mathrm{Open}$ remains a QPT algorithm when opening in the Hadamard basis, since $\mathrm{Ver}$ does not use $sk$ when verifying a Hadamard basis opening, whereas it uses $sk_1, \ldots, sk_{n+1}$ when opening in the standard basis. Thus $C^{**}_1.\mathrm{Open}$ and $C^{**}_2.\mathrm{Open}$ satisfy the efficiency conditions of Lemma 67. In addition, note that for every $i \in \{1, 2\}$,
$$\mathrm{Real}^{C^*_i.\mathrm{Open}}(\lambda, b, \sigma) \equiv \mathrm{Real}^{C^{**}_i.\mathrm{Open}}(\lambda, b, \sigma)$$
where $(pk, sk) \leftarrow \mathrm{Gen}(1^\lambda)$ and $(y, \rho) \leftarrow C^*.\mathrm{Commit}(pk, \sigma)$.

² Note that $b_{I_b} = b^{|I_b|}$.
By Lemma 67, for any purification $|\varphi\rangle$ of $\sigma$ there exists a negligible function $\mu$ such that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_1^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_1 |\psi_{\mathrm{ext}}\rangle - U_2^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_2 |\psi_{\mathrm{ext}}\rangle \Big\|_2 \leq \eta + \mu \qquad (5.4)$$
where $U_i$ is the unitary defined by $C^{**}_i.\mathrm{Open}$, and $U_{\mathrm{Out}}$ and $\eta$ are as defined in Lemma 67. It remains to observe that $\eta \leq 2\sqrt{\delta_0} + 2\sqrt{\delta_1}$, which follows from the definition of $C^{**}_i.\mathrm{Open}$, which asserts that $\delta_j = 0$ if there exists $k \in \{1, \ldots, j-1\}$ for which $b_j = b_k$.

5.2.1 Exploiting the Collapsing Property of NTCFs

Proof of Lemma 67. The proof proceeds by induction on $\ell$.

Base case: $\ell = 1$. Fix any QPT algorithm $C^*.\mathrm{Commit}$, a quantum state $\sigma$, algorithms $C^*_1.\mathrm{Open}$ and $C^*_2.\mathrm{Open}$, basis $b \in \{0,1\}$, and efficient unitaries $V_1$ and $V_2$, as in the lemma statement. Also fix a purification $|\varphi\rangle$ of $\sigma$. Suppose for the sake of contradiction that there exists a non-negligible $\xi = \xi(\lambda)$ such that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_1^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_1 V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle - U_2^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_2 V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle \Big\|_2 \geq \eta + \epsilon + \xi.$$
We construct a QPT adversary $\mathcal{A}$ that uses the QPT committer $C^*.\mathrm{Commit}$, its purified state $|\varphi\rangle$, and the unitaries $U_1, U_2, V_1, V_2, U_{\mathrm{Out}}$ to break the collapsing property of the underlying NTCF family (Definition 9). We break the collapsing property as formulated in Remark 10. We distinguish between the case that $b = 0$ and the case that $b = 1$.

Case 1: $b = 0$. The adversary $\mathcal{A}$ operates as follows:

1. Adversary: Upon receiving a public key $pk_0$ from the challenger, where $(pk_0, sk_0) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$:
(a) For every $i \in [n+1]$ generate $(pk_i, sk_i) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$.
(b) Let $pk = (pk_0, pk_1, \ldots, pk_{n+1})$.
(c) Compute $(y, |\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk, |\varphi\rangle)$.
(d) Parse $y = (y_0, y_1, \ldots, y_{n+1})$.
(e) Let $|\psi'\rangle = U(|+\rangle_{\mathrm{coin}} \otimes |\psi_{\mathrm{ext}}\rangle)$, where
$$U = |0\rangle\langle 0|_{\mathrm{coin}} \otimes U_{\mathrm{Out}} U_1 V_{\mathrm{ext},1} + |1\rangle\langle 1|_{\mathrm{coin}} \otimes U_{\mathrm{Out}} U_2 V_{\mathrm{ext},2}.$$
Recall that $U_{\mathrm{Out}}$ first computes $\mathrm{Ver}$, which in Item 3d computes $m \in \{0,1\}^{n+1}$. $U_{\mathrm{Out}}$ stores in register out the output, which is the first bit of $m$. We denote by preimage the registers that store the last $n$ bits of $m$.
(f) Send to the challenger the string $y_0$ and the registers out and preimage of $|\psi'\rangle$.
Notice that since $b = 0$, $U_{\mathrm{Out}}$ (as possibly $U_1$ and $U_2$) uses only the secret keys $(sk_1, \ldots, sk_{n+1})$, which $\mathcal{A}$ knows, and thus $\mathcal{A}$ can efficiently apply the unitary $U$ to the state $|+\rangle_{\mathrm{coin}} \otimes |\psi_{\mathrm{ext}}\rangle$.

2. Challenger: Recall that the challenger applies in superposition the algorithm $\mathrm{Check}_{\mathrm{NTCF}}$ to the state it receives with respect to the public key $pk_0$ and the image string $y_0$, and measures the bit indicating whether the output of $\mathrm{Check}_{\mathrm{NTCF}}$ is 1. If this is not the case it sends $\bot$. Otherwise, it chooses a random bit $u \leftarrow \{0,1\}$ and measures this state if and only if $u = 1$. It then sends the resulting state to the adversary. Note that by the two-to-one nature of the underlying NTCF family, measuring the entire state is equivalent to measuring only the first qubit of the state, i.e., register out. Thus, we can assume that the challenger measures only register out if and only if $u = 1$. In addition, note that conditioned on the challenger not outputting $\bot$, the state is projected to $\Pi_{\mathrm{Ver}}|\psi'\rangle$ (up to normalization), where $\Pi_{\mathrm{Ver}}|\psi'\rangle$ is the state $|\psi'\rangle$ projected onto the challenger accepting the state. Consider the state $\mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} |\psi'\rangle$. Note that this state, with the copy register excluded, is indistinguishable from the state returned from the challenger conditioned on choosing the random bit $u$. Thus we think of the adversary as receiving this state.

3. Adversary: If the adversary receives $\bot$ from the challenger, then it outputs a uniformly random $u'$. Note that this occurs with probability at most $\delta$. Otherwise, the adversary $\mathcal{A}$ receives the registers out and preimage from the challenger (either measured or not, depending on $u$). The joint state of the adversary and challenger at this point is $\mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} |\psi'\rangle$, where all registers except copy are held by the adversary.
The adversary does the following:
(a) Let $U' = |0\rangle\langle 0|_{\mathrm{Coin}} \otimes U_1^\dagger U_{\mathrm{out}}^\dagger + |1\rangle\langle 1|_{\mathrm{Coin}} \otimes U_2^\dagger U_{\mathrm{out}}^\dagger$.
(b) Apply $U'$ to the adversary's system, resulting in the joint state
$$U' \mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} |\psi'\rangle = U' \mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} U |\psi_{\mathrm{ext}}\rangle = \Big(|0\rangle\langle 0|_{\mathrm{Coin}} \otimes U_1^\dagger U_{\mathrm{out}}^\dagger \mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_1 V_{\mathrm{ext},1} + |1\rangle\langle 1|_{\mathrm{Coin}} \otimes U_2^\dagger U_{\mathrm{out}}^\dagger \mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_2 V_{\mathrm{ext},2}\Big) |\psi_{\mathrm{ext}}\rangle.$$
(c) Output the measurement of the Coin register in the Hadamard basis, denoted by $u'$ (i.e., $u' = 0$ if the measurement is $|+\rangle$ and $u' = 1$ if the measurement is $|-\rangle$).

Consider the states:
$$U_1^\dagger U_{\mathrm{out}}^\dagger \mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_1 V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle \quad \text{and} \quad U_2^\dagger U_{\mathrm{out}}^\dagger \mathrm{CNOT}^u_{\mathrm{copy},\mathrm{out}} \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_2 V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle.$$
Note that for $u = 0$, these states are $(2\sqrt{\delta} + \epsilon)$-close in $\|\cdot\|_2$ distance. This follows from the fact that, by Lemma 2 together with the assumption that the probability that $|\psi_{\mathrm{ext}}\rangle$ opens successfully is $\geq 1 - \delta$, it holds that for every $i \in \{1, 2\}$:
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_i^\dagger U_{\mathrm{out}}^\dagger \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_i V_{\mathrm{ext},i} |\psi_{\mathrm{ext}}\rangle - U_i^\dagger U_{\mathrm{out}}^\dagger U_{\mathrm{out}} U_i V_{\mathrm{ext},i} |\psi_{\mathrm{ext}}\rangle \Big\|_2 \leq \sqrt{\delta},$$
and from our assumption that
$$\epsilon = \mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \| V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle - V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle \|_2.$$
This implies that there exists a negligible function $\mu$ such that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_1^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_1 V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle - U_2^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_2 V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle \Big\|_2 \leq 2\sqrt{\delta} + \epsilon + \mu.$$
On the other hand, by our contradiction assumption, for $u = 1$ these two states are $(2\sqrt{\delta} + \epsilon)$-far. This, together with Claim 69 below, implies that $\mathcal{A}$ indeed breaks the collapsing property of the underlying NTCF family.

Claim 69. For any two states $|\psi_0\rangle$ and $|\psi_1\rangle$ such that $\| |\psi_0\rangle - |\psi_1\rangle \| = \epsilon$, and for $|\varphi\rangle = \frac{1}{\sqrt{2}}|0\rangle|\psi_0\rangle + \frac{1}{\sqrt{2}}|1\rangle|\psi_1\rangle$, it holds that
$$\Pr[H[\varphi] \to 1] = \frac{\epsilon^2}{4}.$$

Proof. We calculate
$$\Pr[H[\varphi] \mapsto 1] = \big\| (\langle 1| \otimes I) H |\varphi\rangle \big\|^2 = \Big\| (\langle 1| \otimes I) \Big( \frac{1}{\sqrt{2}} |+\rangle|\psi_0\rangle + \frac{1}{\sqrt{2}} |-\rangle|\psi_1\rangle \Big) \Big\|^2 = \Big\| \frac{1}{2}|\psi_0\rangle - \frac{1}{2}|\psi_1\rangle \Big\|^2 = \frac{1}{4}\epsilon^2.$$

Case 2: $b = 1$. We show how to use the adversary $\mathcal{A}$ to break the extended collapsing game (see Claim 12). The adversary $\mathcal{A}$ operates as follows:

1. Upon receiving public keys $(pk_1, \ldots, pk_{n+1})$ from the challenger, where $(pk_i, sk_i) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$ for every $i \in [n+1]$, do the following:
(a) Generate $(pk_0, sk_0) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$.
(b) Let $pk = (pk_0, pk_1, \ldots, pk_{n+1})$.
(c) Compute $(y, |\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk, |\varphi\rangle)$.
(d) Parse $y = (y_0, y_1, \ldots, y_{n+1})$.
(e) Compute $((0, x_0), (1, x_1)) = \mathrm{Invert}_{\mathrm{NTCF}}(sk_0, y_0)$.
(f) Let $J = \{j \in \{2, \ldots, n+1\} : x_{0,j-1} \oplus x_{1,j-1} = 1\} \cup \{1\}$.
(g) As in the $b = 0$ case, define $U = |0\rangle\langle 0|_{\mathrm{coin}} \otimes U_{\mathrm{Out}} U_1 V_{\mathrm{ext},1} + |1\rangle\langle 1|_{\mathrm{coin}} \otimes U_{\mathrm{Out}} U_2 V_{\mathrm{ext},2}$ and prepare the state $|\psi'\rangle = U(|+\rangle_{\mathrm{coin}} \otimes |\psi_{\mathrm{ext}}\rangle)$. Note that since $b = 1$, $|\psi'\rangle$ can be computed efficiently given $sk_0$.
(h) For every $j \in J$, denote by $X_j$ and $Z_j$ the registers in $\rho'$ corresponding to $d_j$ and $x'_j$, respectively.
(i) Send $J$, $\{y_j\}_{j \in J}$ and the registers $\{X_j, Z_j\}_{j \in J}$ of $|\psi'\rangle$.

2. Recall that the challenger applies in superposition the algorithm $\mathrm{Check}$ to the state it received w.r.t. the image strings $\{y_j\}_{j \in J}$, where the $j$'th check is w.r.t. $pk_j$, and measures the bit indicating whether the output of $\mathrm{Check}$ is 1. If any of the outputs of $\mathrm{Check}$ are 0, the challenger immediately halts and sends $\bot$ to the adversary. Otherwise, it chooses a random bit $u \leftarrow \{0,1\}$ and applies $Z^u$ to every $X_j$ register. It then sends the resulting state to the adversary.

3. If the adversary receives $\bot$, it returns a uniformly random $u'$. Otherwise, observe that once the adversary receives the state from the challenger, it is in possession of all the quantum registers. At this point they are, up to normalization, in the state $Z_J^u \Pi_{\mathrm{Ver},J} |\psi'\rangle$, where $Z_J = \prod_{j \in J} Z_{X_j}$ and $\Pi_{\mathrm{Ver},J}|\psi'\rangle$ is the state $|\psi'\rangle$ projected onto an accepting state. It then does the following:
(a) Let $U' = |0\rangle\langle 0|_{\mathrm{Coin}} \otimes U_1^\dagger U_{\mathrm{out}}^\dagger + |1\rangle\langle 1|_{\mathrm{Coin}} \otimes U_2^\dagger U_{\mathrm{out}}^\dagger$.
(b) Apply $U'$ to its registers, resulting in the state
$$U' Z_J^u \Pi_{\mathrm{Ver},J} |\psi'\rangle = \Big( |0\rangle\langle 0|_{\mathrm{Coin}} \otimes U_1^\dagger U_{\mathrm{out}}^\dagger Z_J^u \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_1 V_{\mathrm{ext},1} + |1\rangle\langle 1|_{\mathrm{Coin}} \otimes U_2^\dagger U_{\mathrm{out}}^\dagger Z_J^u \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_2 V_{\mathrm{ext},2} \Big) (|+\rangle_{\mathrm{Coin}} \otimes |\psi_{\mathrm{ext}}\rangle). \qquad (5.5)$$
(c) Output the measurement of the first register of this state in the Hadamard basis, denoted by $u'$.

Consider the states:
$$U_1^\dagger U_{\mathrm{out}}^\dagger Z_J^u \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_1 V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle \quad \text{and} \quad U_2^\dagger U_{\mathrm{out}}^\dagger Z_J^u \Pi_{\mathrm{Ver}} U_{\mathrm{out}} U_2 V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle.$$
Note that, similarly to the $b = 0$ case, for $u = 0$ these states are $(2\sqrt{\delta} + \epsilon)$-close in $\|\cdot\|_2$ distance. On the other hand, by our contradiction assumption together with Lemma 4, for $u = 1$ these two states are $(2\sqrt{\delta} + \epsilon)$-far in $\|\cdot\|_2$ distance. This, together with Claim 69, implies that indeed $\mathcal{A}$ breaks the collapsing property of the underlying NTCF family.

Induction step: Suppose that the multi-qubit commitment scheme is sound for $\ell - 1$; we prove that it is sound for $\ell$. We need to prove that there exists a negligible function $\mu = \mu(\lambda)$ such that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_1^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_1 V_{\mathrm{ext},1} |\psi_{\mathrm{ext}}\rangle - U_2^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_2 V_{\mathrm{ext},2} |\psi_{\mathrm{ext}}\rangle \Big\|_2 \leq \eta + \epsilon + \mu$$
for $\eta = \sum_{j=1}^{\ell} 2\sqrt{\delta_j}$ and $\epsilon = \mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \| V_1|\psi\rangle - V_2|\psi\rangle \|_2$.

To this end, note that for every $i \in \{1, 2\}$
$$\begin{aligned}
& U_i^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy},\mathrm{out}} U_{\mathrm{Out}} U_i V_{\mathrm{ext},i} |\psi_{\mathrm{ext}}\rangle \\
&= U_i^\dagger U_{\mathrm{Out}}^\dagger \mathrm{CNOT}_{\mathrm{copy}_\ell,\mathrm{out}_\ell} \mathrm{CNOT}_{\mathrm{copy}_{[1,\ell-1]},\mathrm{out}_{[1,\ell-1]}} U_{\mathrm{Out}} U_i V_{\mathrm{ext},i} |\psi_{\mathrm{ext}}\rangle \\
&= U_i^\dagger U_{\mathrm{Out}_\ell}^\dagger \mathrm{CNOT}_{\mathrm{copy}_\ell,\mathrm{out}_\ell} U_{\mathrm{Out}_\ell} U_i V_{\mathrm{ext},i} V_{\mathrm{ext},i}^\dagger U_i^\dagger U_{\mathrm{Out}_{[1,\ell-1]}}^\dagger \mathrm{CNOT}_{\mathrm{copy}_{[1,\ell-1]},\mathrm{out}_{[1,\ell-1]}} U_{\mathrm{Out}_{[1,\ell-1]}} U_i V_{\mathrm{ext},i} |\psi_{\mathrm{ext}}\rangle \\
&= U_i^\dagger U_{\mathrm{Out}_\ell}^\dagger \mathrm{CNOT}_{\mathrm{copy}_\ell,\mathrm{out}_\ell} U_{\mathrm{Out}_\ell} U_i \underbrace{U_i^\dagger U_{\mathrm{Out}_{[1,\ell-1]}}^\dagger \mathrm{CNOT}_{\mathrm{copy}_{[1,\ell-1]},\mathrm{out}_{[1,\ell-1]}} U_{\mathrm{Out}_{[1,\ell-1]}} U_i V_{\mathrm{ext},i}}_{V'_i} |\psi_{\mathrm{ext}}\rangle.
\end{aligned}$$
For every $i \in \{1, 2\}$, denote by $|\psi'_i\rangle = V'_i |\psi_{\mathrm{ext}}\rangle$. By the induction hypothesis, there exists a negligible function $\mu = \mu(\lambda)$ such that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \big\| |\psi'_1\rangle - |\psi'_2\rangle \big\|_2 \leq \eta' + \mu$$
where $\eta' = \sum_{j=1}^{\ell-1} 2\sqrt{\delta_j} + \epsilon$.
Denoting by $\epsilon' = \eta'$, our base case implies that there exists a negligible function $\nu = \nu(\lambda)$ such that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda) \\ (y,|\psi\rangle) \leftarrow C^*.\mathrm{Commit}(pk,|\varphi\rangle)}} \Big\| U_1^\dagger U_{\mathrm{Out}_\ell}^\dagger \mathrm{CNOT}_{\mathrm{copy}_\ell,\mathrm{out}_\ell} U_{\mathrm{Out}_\ell} U_1 V'_1 |\psi_{\mathrm{ext}}\rangle - U_2^\dagger U_{\mathrm{Out}_\ell}^\dagger \mathrm{CNOT}_{\mathrm{copy}_\ell,\mathrm{out}_\ell} U_{\mathrm{Out}_\ell} U_2 V'_2 |\psi_{\mathrm{ext}}\rangle \Big\|_2 \leq 2\sqrt{\delta_\ell} + \eta' + \nu$$
as desired.

5.2.2 Defining the Operational Paulis

In this section we prove that the scheme from Section 4.5 satisfies Equation (4.3) by defining the operational observables $\{P_{X_i}, P_{Z_i}\}_{i \in [\ell]}$.

Lemma 70. The commitment scheme described in Section 4.5 satisfies Equation (4.3) from Definition 55, assuming the underlying NTCF family has the adaptive hardcore bit property.

Proof of Lemma 70. We think of the public and secret keys as being $pk = (pk_1, \ldots, pk_\ell)$ and $sk = (sk_1, \ldots, sk_\ell)$, where each $(pk_i, sk_i) \leftarrow \mathrm{Gen}_{\mathrm{NTCF}}(1^\lambda)$, and for every $i \in [\ell]$, $sk_i = sk$ and $pk_i = pk$. Fix any QPT cheating committer $C^*.\mathrm{Commit}$ with auxiliary quantum state $\sigma$ that commits to an $\ell$-qubit state. Denote by $(y, \rho) \leftarrow C^*.\mathrm{Commit}(pk, \sigma)$, where $y = (y_1, \ldots, y_\ell)$, each $y_i = (y_{i,0}, y_{i,1}, \ldots, y_{i,n+1})$, and each $y_{i,j}$ is in $R_{pk_j}$, the range of the NTCF function $\mathrm{Eval}(pk_j, \cdot)$. Fix any QPT algorithm $C^*.\mathrm{Open}$.

We start by defining the QPT extractor $\mathrm{Ext}^{C^*.\mathrm{Open}}(sk, y, \rho)$. We do so in two steps:
1. First, we define $2\ell$ "operational observables" $\{P_{X_i}, P_{Z_i}\}_{i \in [\ell]}$ such that for every $i \in [\ell]$ and $b \in \{0,1\}$,
$$(pk, y, m_{\mathrm{ideal},i,b}) \equiv (pk, y, m_{i,b})$$
where $(pk, sk) \leftarrow \mathrm{Gen}(1^\lambda, 1^\ell)$, $(y, \rho) \leftarrow C^*.\mathrm{Commit}(pk, \sigma)$, $m_{\mathrm{ideal},i,b}$ is obtained by measuring $\rho$ in the $P_{X_i}$ basis if $b = 1$ and in the $P_{Z_i}$ basis if $b = 0$, and $m_{i,b}$ is obtained by computing $z \leftarrow C^*.\mathrm{Open}(\rho, b^\ell)$ and setting $m_{i,b} = \mathrm{Out}(sk, y, (i, b), z_i)$.
2. We then use these operational observables to extract a state $\tau$. This is done following the approach of [Mah18; Vid20; Bar+22].

To define these operational observables formally, we add $L = \ell \cdot \big((n+1)^2 + 1\big)$ ancilla registers to $\rho$, which we initialize to 0.
We denote by $\rho_{\mathrm{Ext}} = \rho \otimes |0^L\rangle\langle 0^L|$, where the first $\ell \cdot (n+1)^2$ ancilla registers are denoted by $\mathrm{open} = (\mathrm{open}_1, \ldots, \mathrm{open}_\ell)$, and these registers store the output $(z_1, \ldots, z_\ell)$ generated by $\mathrm{Open}$, where $z_i \in \{0,1\}^{(n+1)^2}$ is stored in $\mathrm{open}_i$. The last $\ell$ ancilla registers are denoted by $\mathrm{out} = (\mathrm{out}_1, \ldots, \mathrm{out}_\ell)$, and these registers store the output $(v_1, \ldots, v_\ell)$ generated by $\mathrm{Out}$, where $v_i \in \{0,1\}$ is stored in register $\mathrm{out}_i$.

Definition 71. For any $(sk, y)$ and any QPT algorithm $C^*.\mathrm{Open}$ we define the operational observables $(P_{X_i}, P_{Z_i})_{i \in [\ell]}$ to be
$$P_{X_i} = U_1^\dagger \mathrm{Out}_{i,1}^\dagger Z_{\mathrm{out}_i} \mathrm{Out}_{i,1} U_1 \quad \text{and} \quad P_{Z_i} = U_0^\dagger \mathrm{Out}_{i,0}^\dagger Z_{\mathrm{out}_i} \mathrm{Out}_{i,0} U_0$$
where for every $i \in [\ell]$ and every $b \in \{0,1\}$,
• $U_b$ is the unitary corresponding to $C^*.\mathrm{Open}(\cdot, (b, \ldots, b))$. The output is recorded in registers open.
• $\mathrm{Out}_{i,b}$ computes $\mathrm{Out}(sk, y, (i, b), \cdot)$ and records the output in the ancilla register $\mathrm{out}_i$.
• $Z_{\mathrm{out}_i}$ is the Pauli $Z$ operator applied only on the register $\mathrm{out}_i$.

The Extractor. We next define the extractor $\mathrm{Ext}$, which uses the operational observables $\{P_{X_i}, P_{Z_i}\}_{i \in [\ell]}$ defined above. For the sake of simplicity, we define $\mathrm{Ext}$ to operate on pure states. The definition easily generalizes to mixed states by linearity.

$\mathrm{Ext}^{C^*.\mathrm{Open}}(sk, y, |\varphi\rangle)$ operates as follows:
1. Consider the operational observables $\{P_{X_i}, P_{Z_i}\}_{i \in [\ell]}$ corresponding to $(sk, y)$.
2. Prepare the state
$$\frac{1}{2^\ell} \sum_{r, s \in \{0,1\}^\ell} |r, s\rangle_{\mathrm{Coin}} \otimes |0^\ell\rangle_A \otimes |\varphi\rangle_B.$$
3. Denote by $X^r = X_\ell^{r_\ell} \cdots X_1^{r_1}$ and $Z^s = Z_\ell^{s_\ell} \cdots Z_1^{s_1}$. Similarly, denote by $P_X^r = P_{X_\ell}^{r_\ell} \cdots P_{X_1}^{r_1}$ and $P_Z^s = P_{Z_\ell}^{s_\ell} \cdots P_{Z_1}^{s_1}$.
4. Controlled on the values $r, s$ of the Coin register, apply $Z^s X^r$ to the $A$ register and apply $P_X^r P_Z^s$ to the $B$ register to obtain the state
$$\frac{1}{2^\ell} \sum_{r, s \in \{0,1\}^\ell} |r, s\rangle_{\mathrm{Coin}} \otimes Z^s X^r |0^\ell\rangle_A \otimes P_X^r P_Z^s |\varphi\rangle_B.$$
5. Apply Hadamard gates $H^{\otimes 2\ell}$ to the Coin register to obtain the state
$$\frac{1}{4^\ell} \sum_{r, s, r', s' \in \{0,1\}^\ell} (-1)^{r \cdot r' + s \cdot s'} |r', s'\rangle_{\mathrm{Coin}} \otimes Z^s X^r |0^\ell\rangle_A \otimes P_X^r P_Z^s |\varphi\rangle_B$$
where $r \cdot r' = \sum_{i=1}^{\ell} r_i \cdot r'_i \bmod 2$ and $s \cdot s' = \sum_{i=1}^{\ell} s_i \cdot s'_i \bmod 2$.
6. Apply $X^{s'} Z^{r'}$ to the $A$ register. Note that
$$\begin{aligned}
X^{s'} Z^{r'} Z^s X^r |0^\ell\rangle &= X^{s'} Z^s Z^{r'} X^r |0^\ell\rangle \\
&= (-1)^{r \cdot r'} X^{s'} Z^s X^r Z^{r'} |0^\ell\rangle \\
&= (-1)^{r \cdot r'} X^{s'} Z^s X^r |0^\ell\rangle \\
&= (-1)^{r \cdot r' + s \cdot s'} Z^s X^{s'} X^r |0^\ell\rangle \\
&= (-1)^{r \cdot r' + s \cdot s'} Z^s X^r X^{s'} |0^\ell\rangle \\
&= (-1)^{r \cdot r' + s \cdot s'} Z^s X^r |s'\rangle.
\end{aligned}$$
Therefore the state obtained is
$$\frac{1}{4^\ell} \sum_{r, s, r', s' \in \{0,1\}^\ell} |r', s'\rangle_{\mathrm{Coin}} \otimes Z^s X^r |s'\rangle_A \otimes P_X^r P_Z^s |\varphi\rangle_B,$$
which is equal to the state
$$\Big( \frac{1}{\sqrt{2}} (|0\rangle + |1\rangle) \Big)^{\otimes \ell} \otimes \frac{1}{(2\sqrt{2})^\ell} \sum_{r, s, s' \in \{0,1\}^\ell} |s'\rangle \otimes Z^s X^r |s'\rangle_A \otimes P_X^r P_Z^s |\varphi\rangle_B.$$
7. Discard the first $\ell$ registers to obtain the state
$$\frac{1}{(2\sqrt{2})^\ell} \sum_{r, s, s' \in \{0,1\}^\ell} |s'\rangle \otimes Z^s X^r |s'\rangle_A \otimes P_X^r P_Z^s |\varphi\rangle_B.$$
8. Output the state $\tau_{A,B}$ that is the reduced state of the above on registers $A, B$.

We next prove that
$$\mathrm{Real}^{C^*.\mathrm{Open}}(\lambda, b, \sigma) \overset{10\sqrt{\delta}}{\approx} \mathrm{Ideal}^{\mathrm{Ext}, C^*.\mathrm{Open}}(\lambda, b, \sigma). \qquad (5.6)$$
To this end, for a given $b \in \{0,1\}^\ell$, denote by $I = \{i \in [\ell] : b_i = 0\}$ and $J = \{j \in [\ell] : b_j = 1\}$, so that $I$ and $J$ partition $[\ell]$.

Next we define a new opening algorithm $C^*.\mathrm{Open}_{[\ell]}$. We first give a "buggy" definition of $C^*.\mathrm{Open}_{[\ell]}$, and then show how to fix it in Remark 72. $C^*.\mathrm{Open}_{[\ell]}$ on input $(\rho, b)$ does the following:
1. Compute $\rho_1 = U_0^\dagger \mathrm{CNOT}_{\mathrm{copy}_I, \mathrm{open}_I} U_0[\rho]$, where $\mathrm{open}_I$ is the register that contains the openings $\{z_i\}_{i \in I}$, and $\mathrm{CNOT}_{\mathrm{copy}_I, \mathrm{open}_I}$ copies the content of this register to a fresh register denoted by $\mathrm{copy}_I$.
2. Measure the registers $\mathrm{copy}_I$ of $\rho_1$ to obtain $\{z_i\}_{i \in I}$ and denote the resulting state by $\rho_2$.
3. Compute $\rho_3 = U_1^\dagger \mathrm{CNOT}_{\mathrm{copy}_J, \mathrm{open}_J} U_1[\rho_2]$, where $\mathrm{open}_J$ is the register that contains the openings $\{z_j\}_{j \in J}$, and $\mathrm{CNOT}_{\mathrm{copy}_J, \mathrm{open}_J}$ copies the content of this register to a fresh register denoted by $\mathrm{copy}_J$.
4. Measure the registers $\mathrm{copy}_J$ of $\rho_3$ to obtain $\{z_j\}_{j \in J}$ and denote the resulting state by $\rho_4$.
5. Output $((z_1, \ldots, z_\ell), \rho_4)$.

Remark 72. We remark that as written, $C^*.\mathrm{Open}_{[\ell]}(\rho, b)$ may be rejected with high probability.
The reason is that, while the standard basis openings of $C^*.\mathrm{Open}_{[\ell]}$ and $C^*.\mathrm{Open}$ are identical, $C^*.\mathrm{Open}_{[\ell]}$ can completely fail to open in the Hadamard basis, since after computing the standard basis openings its state becomes $U_0^\dagger \mathrm{CNOT}_{\mathrm{copy}_I, \mathrm{open}_I} U_0[\rho]$ with the $\mathrm{copy}_I$ registers measured. This is a disturbed state, and it is no longer clear that computing the Hadamard basis opening on it will give an accepting opening. To ensure that $C^*.\mathrm{Open}_{[\ell]}(\rho, b)$ is accepted with the same probability as $C^*.\mathrm{Open}(\rho, b)$, up to negligible factors, we need to ensure that the state after computing the standard basis openings remains undisturbed, or at least that this disturbance is undetected by the algorithms that compute the Hadamard basis opening and verify whether this opening is valid.

To achieve this we slightly modify $C^*.\mathrm{Open}_{[\ell]}$ and allow it to compute the standard basis opening using $(sk_1, \ldots, sk_{n+1})$. We note that such opening algorithms are allowed in Corollary 68 (which we will later use in our analysis). Specifically, rather than placing the output of $U_0$ in the $\mathrm{open}_I$ registers, which when measured may disturb the state, $C^*.\mathrm{Open}_{[\ell]}$ uses $(sk_1, \ldots, sk_{n+1})$ to apply the following post-opening unitary to each $\mathrm{open}_i$ register, to ensure that when measured the disturbance will not be noticed. Recall that $\mathrm{open}_i$ contains a vector $z = (z_1, \ldots, z_{n+1}) \in \{0,1\}^{(n+1)^2}$ where each $z_j \in \{0,1\}^{n+1}$. The post-opening unitary does the following:
1. Coherently compute for every $j \in [n+1]$ the bit $m_j = z_j \cdot (1, x'_{j,0} \oplus x'_{j,1})$, where $x'_{j,0}$ and $x'_{j,1}$ are the two preimages of $y_{i,j}$ that are computed using $sk_j$.
2. Let $m = (m_1, \ldots, m_{n+1}) \in \{0,1\}^{n+1}$. Note that if $z$ is a successful opening (i.e., it is accepted) then $m$ is a preimage of $y_{i,0}$, and whether a preimage is measured or not is undetectable without knowing $sk_0$, due to the collapsing property of the underlying NTCF family.
3. On an ancilla register, compute a superposition over all $z' = (z'_1, \ldots, z'_{n+1}) \in \{0,1\}^{(n+1)^2}$ such that for every $j \in [n+1]$, $m_j = z'_j \cdot (1, x'_{j,0} \oplus x'_{j,1})$.
4. Swap register $\mathrm{open}_i$ with the ancilla register above, so that now $z' = (z'_1, \ldots, z'_{n+1})$ is in register $\mathrm{open}_i$.

Now we can argue that the residual state after computing the standard basis opening seems undisturbed to anyone who does not know $sk_0$, due to the collapsing property of the underlying NTCF family, and computing the Hadamard opening and its verification does not use $sk_0$ (and is done publicly given only $pk$).

Note that since
$$\delta = \mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda, 1^\ell) \\ (y,\rho) \leftarrow C^*.\mathrm{Commit}(pk,\sigma)}} \ \max_{b' \in \{b, 0, 1\}} \Pr\left[\mathrm{Ver}\big(sk, y, b', C^*.\mathrm{Open}(\rho, b')\big) = 0\right],$$
it holds that
$$\mathop{\mathbb{E}}_{\substack{(pk,sk) \leftarrow \mathrm{Gen}(1^\lambda, 1^\ell) \\ (y,\rho) \leftarrow C^*.\mathrm{Commit}(pk,\sigma)}} \ \max_{b' \in \{b, 0, 1\}} \Pr\left[\mathrm{Ver}\big(sk, y, b', C^*.\mathrm{Open}_{[\ell]}(\rho, b')\big) = 0\right] \leq 2\delta. \qquad (5.7)$$
This is the case since the probability that $C^*.\mathrm{Open}_{[\ell]}(\rho, b)$ is rejected is bounded by the sum of the probabilities that $C^*.\mathrm{Open}(\rho, 0^\ell)$ is rejected and that $C^*.\mathrm{Open}(\rho, 1^\ell)$ is rejected. By Corollary 68, we conclude that for every $b \in \{0,1\}^\ell$,
$$\mathrm{Real}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda, b, \sigma) \overset{6\sqrt{\delta}}{\approx} \mathrm{Real}^{C^*.\mathrm{Open}}(\lambda, b, \sigma). \qquad (5.8)$$
This implies that to prove Equation (5.6) it suffices to prove
$$\mathrm{Real}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda, b, \sigma) \overset{4\sqrt{\delta}}{\approx} \mathrm{Ideal}^{\mathrm{Ext}, C^*.\mathrm{Open}}(\lambda, b, \sigma). \qquad (5.9)$$

To this end, we first compute the distribution of measurement outcomes on the extracted state. While in general the input to the extractor is a mixed state $\rho$, we will perform the calculations for a general pure state $|\varphi\rangle$ instead. The results we obtain will hold for any pure state $|\varphi\rangle$; thus they extend by convexity to the post-commitment state $\rho$ as well, since we can always write $\rho = \sum_k p_k |\varphi_k\rangle\langle \varphi_k|$ for some collection of pure states $\{|\varphi_k\rangle\}$.

As a first step in the computation, we remark that for every $i, j \in [\ell]$, $P_{Z_i}$ and $P_{Z_j}$ commute, and $P_{X_i}$ and $P_{X_j}$ commute. This follows from the fact that we defined all the $P_{Z_i}$ with respect to the same unitary $U_0$ and defined all the $P_{X_i}$ with respect to the same unitary $U_1$.
Thus, for an input state $|\varphi\rangle$, the output of the extractor can be written as
\[
\frac{1}{(2\sqrt2)^\ell}\sum_{r,s,s'\in\{0,1\}^\ell}|s'\rangle_{\mathrm{Coin}}\otimes Z^{s}X^{r}|s'\rangle_{A}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}P_{Z_I}^{s_I}|\varphi\rangle_{B}.
\]

Measuring the $I$ registers of $A$ in the standard basis. Now, we imagine measuring the $I$ registers of $A$ in the standard basis; we denote these registers by $A_I$. When we measure them we obtain an outcome which we will denote $a_I$. The unnormalized post-measurement state is obtained by applying the projector $I\otimes|a_I\rangle\langle a_I|_{A_I}$ to the state, where the factor of identity acts on all registers other than $A_I$. To calculate what happens, let us examine what happens when we apply the projector $|a_I\rangle\langle a_I|$ to $Z_I^{s_I}X_I^{r_I}|s'_I\rangle$. Note that
\[
\langle a_I|Z_I^{s_I}X_I^{r_I}|s'_I\rangle
= \prod_{i\in I}\langle a_i|Z_i^{s_i}X_i^{r_i}|s'_i\rangle
= \prod_{i\in I}\langle a_i|Z_i^{s_i}|s'_i\oplus r_i\rangle
= \prod_{i\in I}\langle a_i|(-1)^{s_i\cdot a_i}|s'_i\oplus r_i\rangle
= \prod_{i\in I}(-1)^{s_i\cdot a_i}\langle a_i|s'_i\oplus r_i\rangle,
\]
where for every $i\in I$, $\langle a_i|s'_i\oplus r_i\rangle$ is $1$ if $a_i\oplus r_i = s'_i$, and $0$ otherwise. This means that if we obtain an outcome $a_I$, then we force the $s'_I$ register to be $a_I\oplus r_I$. This means that the sum over $s'$ collapses to a sum over $s'_J$, since $J$ is the complement of $I$.
Thus, we obtain the unnormalized post-measurement state
\[
\frac{1}{(2\sqrt2)^\ell}\sum_{\substack{r,s\in\{0,1\}^\ell\\ s'_J\in\{0,1\}^{|J|}}}(-1)^{s_I\cdot a_I}\,|a_I\oplus r_I\rangle_{\mathrm{Coin}_I}\otimes|s'_J\rangle_{\mathrm{Coin}_J}\otimes|a_I\rangle_{A_I}\otimes Z_J^{s_J}X_J^{r_J}|s'_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}P_{Z_I}^{s_I}|\varphi\rangle_{B}.
\]
Note that
\[
\frac{1}{2^{|I|}}\sum_{s_I\in\{0,1\}^{|I|}}(-1)^{s_I\cdot a_I}P_{Z_I}^{s_I}
= \prod_{i\in I}\frac{1}{2}\sum_{s_i\in\{0,1\}}(-1)^{s_i\cdot a_i}P_{Z_i}^{s_i}
= \prod_{i\in I}\frac{I+(-1)^{a_i}P_{Z_i}}{2},
\]
and thus the state we obtain after the projection is equal to
\[
\frac{1}{2^{|J|}\cdot 2^{\ell/2}}\sum_{\substack{r\in\{0,1\}^\ell\\ s_J,s'_J\in\{0,1\}^{|J|}}}|a_I\oplus r_I\rangle_{\mathrm{Coin}_I}\otimes|s'_J\rangle_{\mathrm{Coin}_J}\otimes|a_I\rangle_{A_I}\otimes Z_J^{s_J}X_J^{r_J}|s'_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}\left(\prod_{i\in I}\frac{I+(-1)^{a_i}P_{Z_i}}{2}\right)|\varphi\rangle_{B}. \tag{5.10}
\]
Denoting by $\Pi_{P_{Z_I},a_I} = \prod_{i\in I}\frac{I+(-1)^{a_i}P_{Z_i}}{2}$, the above projected state is equal to
\[
|\Psi_{a_I}\rangle = \frac{1}{2^{|J|}\cdot 2^{\ell/2}}\sum_{\substack{r\in\{0,1\}^\ell\\ s'_J,s_J\in\{0,1\}^{|J|}}}|a_I\oplus r_I\rangle_{\mathrm{Coin}_I}\otimes|s'_J\rangle_{\mathrm{Coin}_J}\otimes|a_I\rangle_{A_I}\otimes Z_J^{s_J}X_J^{r_J}|s'_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}. \tag{5.11}
\]
The square norm of this unnormalized state is the probability that the measurement returns outcome $a_I$. We now calculate this:
\[
\Pr[a_I] = \frac{1}{2^{2|J|}\cdot 2^{\ell}}\sum_{\substack{r\in\{0,1\}^\ell\\ s'_J\in\{0,1\}^{|J|}}}\Big\|\sum_{s_J\in\{0,1\}^{|J|}}Z_J^{s_J}X_J^{r_J}|s'_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}\Big\|^2
\]
\[
= \frac{1}{2^{2|J|}\cdot 2^{\ell}}\sum_{\substack{r\in\{0,1\}^\ell\\ s'_J\in\{0,1\}^{|J|}}}\Big\|\sum_{s_J\in\{0,1\}^{|J|}}(-1)^{s_J\cdot(s'_J+r_J)}|s'_J+r_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}\Big\|^2
\]
\[
= \frac{1}{2^{2|J|}\cdot 2^{\ell}}\sum_{\substack{r\in\{0,1\}^\ell\\ s'_J\in\{0,1\}^{|J|}}}\ \sum_{s_J,s''_J\in\{0,1\}^{|J|}}(-1)^{(s_J+s''_J)\cdot(s'_J+r_J)}\langle\varphi|\Pi_{P_{Z_I},a_I}P_{Z_J}^{s_J}P_{Z_J}^{s''_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}
\]
\[
= \frac{1}{2^{2|J|}}\sum_{s'_J\in\{0,1\}^{|J|}}\ \sum_{s_J\in\{0,1\}^{|J|}}\langle\varphi|\Pi_{P_{Z_I},a_I}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}
= \langle\varphi|\Pi_{P_{Z_I},a_I}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}. \tag{5.12}
\]
Thus, we have shown that the outcome distribution from the extracted state is identical to the outcome distribution from measuring the original state $|\varphi\rangle$.

Measuring the $J$ registers of $A$ in the Hadamard basis. Now, we imagine taking the standard basis post-measurement state $|\Psi_{a_I}\rangle$, and then further measuring the $J$ registers of $A$ in the Hadamard basis. We denote these registers by $A_J$ and the outcome by $a_J$.
To obtain the unnormalized post-measurement state after this measurement, we apply the projector $H^{\otimes|J|}|a_J\rangle\langle a_J|H^{\otimes|J|}$ to the $J$ registers of $A$. Note that
\[
\langle a_J|H^{\otimes|J|}Z_J^{s_J}X_J^{r_J}|s'_J\rangle
= \prod_{j\in J}\langle a_j|HZ_j^{s_j}X_j^{r_j}|s'_j\rangle
= \prod_{j\in J}\langle a_j|HZ_j^{s_j}|s'_j\oplus r_j\rangle
= \prod_{j\in J}(-1)^{s_j\cdot(s'_j\oplus r_j)}\langle a_j|H|s'_j\oplus r_j\rangle
\]
\[
= \prod_{j\in J}\frac{(-1)^{s_j\cdot(s'_j\oplus r_j)}}{\sqrt2}\langle a_j|\big(|0\rangle+(-1)^{s'_j\oplus r_j}|1\rangle\big)
= \frac{1}{2^{|J|/2}}\prod_{j\in J}(-1)^{(s_j\oplus a_j)\cdot(s'_j\oplus r_j)}
\triangleq \beta_J^{s'_J}.
\]
Thus we obtain the state
\[
\frac{1}{2^{|J|}\cdot 2^{\ell/2}}\sum_{\substack{r\in\{0,1\}^\ell\\ s_J,s'_J\in\{0,1\}^{|J|}}}|a_I\oplus r_I\rangle_{\mathrm{Coin}_I}\otimes\beta_J^{s'_J}|s'_J\rangle_{\mathrm{Coin}_J}\otimes|a_I\rangle_{A_I}\otimes H^{\otimes|J|}|a_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}.
\]
Next, we observe that
\[
\sum_{s'_J}\beta_J^{s'_J}|s'_J\rangle = \frac{1}{\sqrt{2^{|J|}}}\sum_{s'_J}(-1)^{(s_J\oplus a_J)\cdot(s'_J\oplus r_J)}|s'_J\rangle \tag{5.13}
\]
\[
= (-1)^{(s_J\oplus a_J)\cdot r_J}\,H^{\otimes|J|}|s_J\oplus a_J\rangle. \tag{5.14}
\]
Thus, applying Equation (5.14) to simplify the sum over $s'_J$, we can write this as
\[
|\Psi_{a_I,a_J}\rangle = \frac{1}{2^{\ell/2}\cdot 2^{|J|}}\sum_{\substack{r\in\{0,1\}^\ell\\ s_J\in\{0,1\}^{|J|}}}(-1)^{(s_J\oplus a_J)\cdot r_J}\,|a_I\oplus r_I\rangle_{\mathrm{Coin}_I}\otimes H^{\otimes|J|}|s_J\oplus a_J\rangle_{\mathrm{Coin}_J}\otimes|a_I\rangle_{A_I}\otimes H^{\otimes|J|}|a_J\rangle_{A_J}\otimes P_{X_I}^{r_I}P_{X_J}^{r_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}.
\]
Note that
\[
\frac{1}{2^{|J|}}\sum_{r_J\in\{0,1\}^{|J|}}(-1)^{(s_J\oplus a_J)\cdot r_J}P_{X_J}^{r_J} = \prod_{j\in J}\frac{I+(-1)^{s_j\oplus a_j}P_{X_j}}{2}.
\]
Let us define
\[
\Pi_{P_{X_J},s_J\oplus a_J} = \prod_{j\in J}\frac{I+(-1)^{s_j\oplus a_j}P_{X_j}}{2}.
\]
Then we can rewrite $|\Psi_{a_I,a_J}\rangle$ as
\[
|\Psi_{a_I,a_J}\rangle = \frac{1}{2^{\ell/2}}\sum_{\substack{r_I\in\{0,1\}^{|I|}\\ s_J\in\{0,1\}^{|J|}}}|a_I\oplus r_I\rangle_{\mathrm{Coin}_I}\otimes H^{\otimes|J|}|s_J\oplus a_J\rangle_{\mathrm{Coin}_J}\otimes|a_I\rangle_{A_I}\otimes H^{\otimes|J|}|a_J\rangle_{A_J}\otimes P_{X_I}^{r_I}\Pi_{P_{X_J},a_J\oplus s_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}.
\]
The square norm of this unnormalized state is the probability that the measurement returns outcome $a_J$. We now calculate this:
\[
\Pr[a_I,a_J] = \frac{2^{|I|}}{2^{\ell}}\Big\|\sum_{s_J\in\{0,1\}^{|J|}}H^{\otimes|J|}|s_J\oplus a_J\rangle_{\mathrm{Coin}_J}\otimes\Pi_{P_{X_J},a_J\oplus s_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}\Big\|^2
= \frac{1}{2^{|J|}}\sum_{s_J\in\{0,1\}^{|J|}}\Big\|\Pi_{P_{X_J},a_J\oplus s_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}\Big\|^2
= \mathop{\mathbb{E}}_{s_J\in\{0,1\}^{|J|}}\Big\|\Pi_{P_{X_J},a_J\oplus s_J}P_{Z_J}^{s_J}\Pi_{P_{Z_I},a_I}|\varphi\rangle_{B}\Big\|^2. \tag{5.15}
\]
This equation can be interpreted operationally as follows: the probability of obtaining an outcome $(a_I,a_J)$ by measuring the extracted state is equal to the probability of obtaining this outcome by the following procedure acting on $|\varphi\rangle$:

1. First, measure the observables $P_{Z_i}$ for every $i\in I$ on $|\varphi\rangle$, obtaining an outcome $a_I$.
2. Next, sample a string $s_J\in\{0,1\}^{|J|}$ uniformly at random and apply $P_{Z_J}^{s_J}$ to the state.
3. Next, measure the observables $P_{X_j}$ for every $j\in J$ on the state, obtaining an outcome $u_J$.
4. Set $a_J = u_J\oplus s_J$ and return $(a_I,a_J)$.

The proof of Equation (5.9). We first define a new distribution, which we denote by $\widehat{\mathrm{Real}}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma)$. This distribution is identical to $\mathrm{Real}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma)$ except that it does not run the $\mathrm{Ver}$ algorithm (i.e., it does not run Item 2 of the definition of $\mathrm{Real}$ in Definition 55), and simply sets $m=\mathrm{Out}(sk,y,b,z)$. We note that by Lemma 3,
\[
\widehat{\mathrm{Real}}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma)\approx_{\sqrt{2\delta}}\mathrm{Real}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma), \tag{5.16}
\]
where recall $2\delta$ is the probability that $\mathrm{Ver}$ rejects $C^*.\mathrm{Open}_{[\ell]}(\lambda,b,\sigma)$ (see Equation (5.7)). Therefore to prove Equation (5.9) it suffices to prove that
\[
\widehat{\mathrm{Real}}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma)\approx_{2\sqrt{\delta}}\mathrm{Ideal}^{\mathrm{Ext},C^*.\mathrm{Open}}(\lambda,b,\sigma). \tag{5.17}
\]
To this end, we first claim that
\[
(pk,y,b,m_{\mathrm{Sim},I})\equiv(pk,y,b,m_{\widehat{\mathrm{Real}},I}),
\]
where $(pk,y,b,m_{\mathrm{Sim},I})$ is distributed by generating $(pk,y,b,m)\leftarrow\mathrm{Ideal}^{\mathrm{Ext},C^*.\mathrm{Open}}(\lambda,b,\sigma)$ and outputting $(pk,y,b,m_I)$, and $(pk,y,b,m_{\widehat{\mathrm{Real}},I})$ is distributed by generating $(pk,y,b,m)\leftarrow\widehat{\mathrm{Real}}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma)$ and outputting $(pk,y,b,m_I)$. To see why this is true, recall that Equation (5.12) implies that for a given $pk,y,b$, the outcome $m_{\mathrm{Sim},I}$, which is equal to $a_I$ in the notation used in that equation, is distributed according to the outcome of measuring $P_{Z_i}$ on the qubits $i\in I$ of the post-commitment state. Moreover, $P_{Z_i}$ is defined so that it exactly matches the action of $\widehat{\mathrm{Real}}$ since both do not run $\mathrm{Ver}$.

Remark 73. We note that the observable $P_{Z_i}$ was defined with respect to the opening algorithm $C^*.\mathrm{Open}$ and we are considering $\widehat{\mathrm{Real}}$ with respect to the opening algorithm $C^*.\mathrm{Open}_{[\ell]}$.
The observable $P_{Z_i}$ corresponding to $C^*.\mathrm{Open}$, when viewed as a unitary, is different from the observable corresponding to $C^*.\mathrm{Open}_{[\ell]}$, denoted by $P'_{Z_i}$, when viewed as a unitary. In particular, recall that
\[
P_{Z_i} = U_0^\dagger\,\mathrm{Out}_{i,0}^\dagger\,Z_{\mathrm{out}_i}\,\mathrm{Out}_{i,0}\,U_0,
\]
whereas
\[
P'_{Z_i} = U_0^\dagger\,U_{\mathrm{post}}^\dagger\,\mathrm{Out}_{i,0}^\dagger\,Z_{\mathrm{out}_i}\,\mathrm{Out}_{i,0}\,U_{\mathrm{post}}\,U_0,
\]
where $U_{\mathrm{post}}$ is the unitary that does some post-processing to the $\mathrm{open}_i$ register to ensure that measuring it will not disturb the state in a detectable way. Despite the fact that $P_{Z_i}$ and $P'_{Z_i}$ are different unitaries, on the subspace where the ancilla registers are initialized to $|0\rangle$ they are identical operators. In particular, $P'_{Z_i}$ preserves the subspace where the ancilla registers are initialized to $|0\rangle$.

To avoid cluttering of notation, from now on we denote $m_{\widehat{\mathrm{Real}},I}$ and $m_{\mathrm{Sim},I}$ by $m_I$. Denote by
\[
\rho'_I = \Pi_{P_{Z_I},m_I}[\rho],
\]
where $\rho$ is the post-commitment state and $m_I$ is distributed as $m_{\mathrm{Sim},I}$. We note that in the experiment $\widehat{\mathrm{Real}}^{C^*.\mathrm{Open}_{[\ell]}}(\lambda,b,\sigma)$, the post state after measuring $m_I$ is $\rho'_I$. This follows from Remark 73. We prove that
\[
(pk,y,b,m_I,m_{\widehat{\mathrm{Real}},J})\approx_{2\sqrt{\delta}}(pk,y,b,m_I,m_{\mathrm{Sim},J}), \tag{5.18}
\]
where $m_{\widehat{\mathrm{Real}},J}$ is obtained as follows:

1. Compute $z_J\leftarrow C^*.\mathrm{Open}_{[\ell]}(\rho'_I,(J,b_J))$.
2. For every $j\in J$ let $m_{\widehat{\mathrm{Real}},j}=\mathrm{Out}(sk,y,(j,1),z_j)$.
3. Output $m_{\widehat{\mathrm{Real}},J}=\{m_{\widehat{\mathrm{Real}},j}\}_{j\in J}$.

To describe how $m_{\mathrm{Sim},J}$ is obtained, we take the procedure obtained immediately below Equation (5.15), and apply the definitions of the operational observable $P_X$, to obtain the following:

1. Sample at random $s_J\leftarrow\{0,1\}^{|J|}$.
2. Compute $z_J\leftarrow C^*.\mathrm{Open}_{[\ell]}(P_{Z_J}^{s_J}[\rho'_I],(J,b_J))$.
3. For every $j\in J$ let $u_j=\mathrm{Out}(sk,y,(j,1),z_j)$.
4. For every $j\in J$ let $m_{\mathrm{Sim},j}=u_j\oplus s_j$.
5. Output $m_{\mathrm{Sim},J}=(m_{\mathrm{Sim},j})_{j\in J}$.

To prove Equation (5.18), we rely on the adaptive hardcore bit property. We assume without loss of generality that $\mathrm{Open}_{[\ell]}$ opens in the Hadamard basis honestly, by measuring the relevant qubits in the standard basis.
For every $j\in J$, we denote by $O_j$ the $n+1$ registers that are measured to obtain the opening of the $j$'th committed qubit in the Hadamard basis.

Proof of Equation (5.18). Let $\Pi_{\mathrm{Ver}}[\rho'_I]$ denote the state $\rho'_I$ projected to $\mathrm{Ver}(sk,y,(J,1^{|J|}),\mathrm{Open}(\rho'_I,(J,1^{|J|})))=1$. By Lemma 3,
\[
\Pi_{\mathrm{Ver}}[\rho'_I]\equiv_{\sqrt{\delta}}\rho'_I.
\]
Therefore to prove Equation (5.18) it suffices to prove that
\[
(pk,y,b,m_I,m^*_{\mathrm{Real},J})\approx(pk,y,b,m_I,m^*_{\mathrm{Sim},J}), \tag{5.19}
\]
where $m^*_{\mathrm{Real},J}$ is distributed as $m_{\widehat{\mathrm{Real}},J}$ except that $\rho'_I$ is replaced with $\Pi_{\mathrm{Ver}}[\rho'_I]$. Similarly, $m^*_{\mathrm{Sim},J}$ is distributed as $m_{\mathrm{Sim},J}$ except that $\rho'_I$ is replaced with $\Pi_{\mathrm{Ver}}[\rho'_I]$. To prove Equation (5.19) it suffices to prove that
\[
\left(pk,y,b,m_I,\{m_{j,0}\}_{j\in J}\right)\approx\left(pk,y,b,m_I,\{m_{j,1}\oplus 1\}_{j\in J}\right), \tag{5.20}
\]
where for every $j\in J$ and $u\in\{0,1\}$, $(z_{j,u},\rho'_{j,u}) = C^*.\mathrm{Open}(P_{Z_j}^{u}\Pi_{\mathrm{Ver}}[\rho'_I],(j,1))$ and $m_{j,u}=\mathrm{Out}(sk,y,(j,1),z_{j,u})$. We prove that for every $j\in J$,
\[
\left(pk,sk_{-(j,0)},y,b,m_I,m_{j,0},\rho'_{j,0}\right)\approx\left(pk,sk_{-(j,0)},y,b,m_I,m_{j,1}\oplus 1,\rho'_{j,1}\right), \tag{5.21}
\]
where $sk_{-(j,0)}$ denotes all the secret keys except $sk_{j,0}$. Namely,
\[
sk_{-(j,0)}\triangleq\left(sk_{[\ell],1},\dots,sk_{[\ell],n+1},sk_{[\ell]\setminus\{j\},0}\right).
\]
We next argue that Equation (5.21) implies Equation (5.20). To this end, we first notice that $P_{Z_j}$ and $C^*.\mathrm{Open}(\cdot,(j,1))$ only touch the registers corresponding to the $j$'th committed qubit. This follows from our assumption that $C^*.\mathrm{Open}$ behaves honestly when opening in the Hadamard basis. This in turn implies that for every $u\in\{0,1\}$ it holds that $\rho'_{j,u}$ and $\Pi_{\mathrm{Ver}}[\rho'_I]$ are distributed identically on the registers that do not correspond to the $j$'th committed qubit. Thus, Equation (5.21) implies that
\[
\left(pk,sk_{-(j,0)},y,b,m_I,m_{j,0},\Pi_{\mathrm{Ver}}[\rho'_I]_{\{O_{j'}\}_{j'\in J\setminus\{j\}}}\right) \tag{5.22}
\]
\[
\approx\left(pk,sk_{-(j,0)},y,b,m_I,m_{j,1}\oplus 1,\Pi_{\mathrm{Ver}}[\rho'_I]_{\{O_{j'}\}_{j'\in J\setminus\{j\}}}\right). \tag{5.23}
\]
We next note that $m_{j,u}$ is a QPT function of $\Pi_{\mathrm{Ver}}[\rho'_I]_{O_j}$ and $sk_j$. This, together with a hybrid argument, implies that indeed Equation (5.22) implies Equation (5.20), as desired. Thus, we focus on proving Equation (5.21).
Fix $j\in J$ and consider the mixed state
\[
\rho_{\mathrm{mix},j} = \frac12\,\Pi_{\mathrm{Ver}}[\rho'_I] + \frac12\,P_{Z_j}\Pi_{\mathrm{Ver}}[\rho'_I].
\]
Note that this state can be generated efficiently, with probability $1-\delta$, from $\rho$ given $(sk_{[\ell],1},\dots,sk_{[\ell],n+1})$. In addition, note that $\rho_{\mathrm{mix},j}$ is identical to the state $\Pi_{\mathrm{Ver}}[\rho'_I]$ after measuring it in the $P_{Z_j}$ basis. Recall that we assume that $C^*.\mathrm{Open}$ behaves honestly on the Hadamard basis. Thus, the $(n+1)^2$ qubits of this projected state $\rho_{\mathrm{mix},j}$ corresponding to the $j$'th committed qubit are in superposition over $|d_1,x'_1\rangle\cdots|d_{n+1},x'_{n+1}\rangle$ such that for every $i\in[n+1]$, $y_{j,i}=\mathrm{Eval}(pk_{j,i},d_i,x'_i)$. Let
\[
(z^*,\rho^*)\leftarrow C^*.\mathrm{Open}\left(\rho_{\mathrm{mix},j},(j,1)\right).
\]
By the adaptive hardcore bit property (w.r.t. $pk_{j,0}$), letting $m^*=\mathrm{Out}(sk,y,(j,1),z^*)$,
\[
(pk,sk_{-(j,0)},y,b,m_I,m^*,\rho^*)\approx(pk,sk_{-(j,0)},y,b,m_I,U,\rho^*), \tag{5.24}
\]
where $U$ is the uniform distribution over $\{0,1\}$. Note that $m^*$ is a random variable that with probability $\frac12$ is distributed identically to $m_{j,0}$ and with probability $\frac12$ is distributed identically to $m_{j,1}$. We next argue that Equation (5.24) implies that
\[
(pk,sk_{-(j,0)},y,b,m_I,m_{j,0},\rho'_{j,0})\approx(pk,sk_{-(j,0)},y,b,m_I,m_{j,1}\oplus 1,\rho'_{j,1}),
\]
as desired. To this end, suppose for contradiction that there exists a QPT algorithm $A$ and a non-negligible $\epsilon>0$ such that
\[
\Pr[A(pk,sk_{-(j,0)},y,b,m_I,m_{j,1}\oplus 1,\rho'_{j,1})=1]-\Pr[A(pk,sk_{-(j,0)},y,b,m_I,m_{j,0},\rho'_{j,0})=1]\ge\epsilon.
\]
Denote by
\[
p_u = \Pr[A(pk,sk_{-(j,0)},y,b,m_I,m_{j,u},\rho'_{j,u})=1]
\]
and denote by
\[
p'_1 = \Pr[A(pk,sk_{-(j,0)},y,b,m_I,m_{j,1}\oplus 1,\rho'_{j,1})=1].
\]
Note that
\[
\Pr[A(pk,sk_{-(j,0)},y,b,m_I,m^*,\rho^*)=1] = \frac12 p_0 + \frac12 p_1.
\]
On the other hand
\[
\Pr[A(pk,sk_{-(j,0)},y,b,m_I,U,\rho'_{j,1})=1] = \frac12 p'_1 + \frac12 p_1,
\]
which by the collapsing property implies that there exists a negligible function $\mu$ such that
\[
\Pr[A(pk,sk_{-(j,0)},y,b,m_I,U,\rho^*)=1] = \frac12 p'_1 + \frac12 p_1 \pm \mu.
\]
This contradicts Equation (5.24) since
\[
\left(\frac12 p'_1 + \frac12 p_1 \pm \mu\right) - \left(\frac12 p_0 + \frac12 p_1\right) = \frac12(p'_1 - p_0) \pm \mu \ge \frac{\epsilon}{2} \pm \mu,
\]
which is non-negligible.
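As an added worked example (not part of the thesis), the computation leading to Equation (5.15) carried through for the smallest case, a single committed qubit opened in the Hadamard basis, i.e. $\ell=1$, $I=\emptyset$, $J=\{1\}$. It uses only the page's own $P_X$, $P_Z$ and $\Pi_{P_X,\cdot}$; the closing remark additionally assumes that $P_X$ and $P_Z$ anticommute, which the thesis does not assume.

```latex
% Extractor output for one qubit (step 7 with \ell = 1):
\[
|\Psi\rangle = \frac{1}{2\sqrt2}\sum_{r,s,s'\in\{0,1\}}|s'\rangle_{\mathrm{Coin}}\otimes Z^{s}X^{r}|s'\rangle_{A}\otimes P_X^{r}P_Z^{s}|\varphi\rangle_{B}.
\]
% Hadamard-basis measurement of A with outcome a: use
% \langle a|H Z^s X^r|s'\rangle = 2^{-1/2}(-1)^{(s\oplus a)(s'\oplus r)} (the one-qubit \beta).
\[
|\Psi_a\rangle = \frac{1}{2\sqrt2}\sum_{r,s}\Big(\sum_{s'}\tfrac{(-1)^{(s\oplus a)(s'\oplus r)}}{\sqrt2}|s'\rangle\Big)_{\mathrm{Coin}}\otimes H|a\rangle_{A}\otimes P_X^{r}P_Z^{s}|\varphi\rangle_{B}.
\]
% The inner sum is Equation (5.14) for |J| = 1:
\[
\sum_{s'}\tfrac{(-1)^{(s\oplus a)(s'\oplus r)}}{\sqrt2}|s'\rangle
= (-1)^{(s\oplus a)r}\,\tfrac{1}{\sqrt2}\sum_{s'}(-1)^{(s\oplus a)s'}|s'\rangle
= (-1)^{(s\oplus a)r}\,H|s\oplus a\rangle .
\]
% Summing over r turns P_X^r into the projector \Pi_{P_X,s\oplus a}:
\[
\tfrac12\sum_{r}(-1)^{(s\oplus a)r}P_X^{r} = \frac{I+(-1)^{s\oplus a}P_X}{2} = \Pi_{P_X,s\oplus a},
\qquad
|\Psi_a\rangle = \frac{1}{\sqrt2}\sum_{s}H|s\oplus a\rangle_{\mathrm{Coin}}\otimes H|a\rangle_{A}\otimes\Pi_{P_X,s\oplus a}P_Z^{s}|\varphi\rangle_{B}.
\]
% The two Coin branches are orthogonal, so the square norm is Equation (5.15):
\[
\Pr[a] = \frac12\big\|\Pi_{P_X,a}|\varphi\rangle\big\|^2 + \frac12\big\|\Pi_{P_X,a\oplus 1}P_Z|\varphi\rangle\big\|^2 ,
\]
% i.e. with probability 1/2 measure P_X directly, and with probability 1/2
% apply P_Z first, measure P_X, and flip the outcome (steps 2-4 above).
% Added assumption, not made by the thesis: if P_Z P_X = -P_X P_Z then
% P_Z \Pi_{P_X,a} = \Pi_{P_X,a\oplus 1} P_Z, and since P_Z is unitary
\[
\big\|\Pi_{P_X,a\oplus 1}P_Z|\varphi\rangle\big\|^2 = \big\|P_Z\Pi_{P_X,a}|\varphi\rangle\big\|^2 = \big\|\Pi_{P_X,a}|\varphi\rangle\big\|^2,
\qquad\text{so}\qquad \Pr[a] = \big\|\Pi_{P_X,a}|\varphi\rangle\big\|^2 ,
\]
% the distribution of an honest P_X measurement of |\varphi\rangle.
```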