Quantum one-time tables for unconditionally secure qubit-commitment

Commodity-based cryptography is an alternative approach to realizing conventionally impossible cryptographic primitives, such as unconditionally secure bit-commitment, by consuming pre-established correlation between distrustful participants. A unit of such classical correlation is known as the one-time table (OTT). In this paper, we introduce a new example, besides quantum key distribution, in which quantum correlation is useful for cryptography. We propose a scheme for unconditionally secure qubit-commitment, a quantum cryptographic primitive forbidden in the standard model by the recently proven no-masking theorem, based on the consumption of the quantum generalization of the OTT: a bipartite quantum state we name the quantum one-time table (QOTT). The construction of the QOTT is based on the newly analyzed internal structure of the quantum masker and on quantum secret sharing schemes. Our qubit-commitment scheme is shown to be universally composable. We propose to measure the randomness cost of preparing a (Q)OTT in terms of its entropy, and show that the QOTT with superdense coding can increase the security level at half the cost of OTTs for unconditionally secure bit-commitment. The QOTT exemplifies an operational setting in which neither a maximally classically correlated state nor a maximally entangled state, but rather a well-structured partially entangled mixed state, is the more valuable resource.


Introduction
In a commitment protocol, Alice commits to a secret value by transmitting an encoding of the value to Bob. If Bob cannot access the value until Alice reveals it, the scheme is said to be secure against Bob. On the other hand, if Bob can reject Alice's attempt to reveal a value different from the originally committed one, the scheme is said to be secure against Alice. An unconditionally and perfectly secure [1] commitment scheme would have many cryptographic applications [2,3]. However, such a commitment protocol is impossible, since perfect security against Alice and perfect security against Bob are incompatible. Quantum bit-commitment is an attempt to circumvent this difficulty using quantum mechanics [4]. However, it was proved [5,6] that an unconditionally secure commitment of a classical value is impossible even with the aid of quantum mechanics, unless a relativistic structure imposes causal restrictions between prover and verifier [7][8][9].
To circumvent this difficulty, a new approach called commodity-based cryptography [10] was developed. Since secure two-party computation is impossible without mutual trust, the idea is to construct cryptographic primitives that consume a tradeable resource named the one-time table (OTT). The OTT is a unit of suitably pre-calculated correlation that provides verifiable randomness to mutually mistrustful clients. OTTs enable unconditionally secure bit-commitment, oblivious transfer [1] and field computation [11]. While the OTT can be established off-line (before a useful primitive protocol begins) by a central server (known as the 'trusted initializer' [1]), there has also been a recent attempt to construct a protocol for establishing the OTT without a third party [12]. Therefore, we can treat OTTs as a resource stored in the form of correlation, regardless of their origin.
The OTTs studied so far are, however, all classical correlations. This raises the natural question of whether there is a quantum generalization of the OTT that is more suitable for quantum two-party tasks. In this paper, we construct the quantum one-time table (QOTT) for a universally composable qubit-commitment. Qubit-commitment is a quantum cryptographic primitive that is impossible using only pure states, because of the recently proven no-go result known as the no-masking theorem [13]. The construction of the QOTT is based on the internal structure of the quantum masker, reinterpreted as a quantum process that consumes randomness to hide quantum information in bipartite correlations, and on its relation to quantum secret sharing protocols [14,15]. From this, we show that the no-masking theorem cannot be extended to mixed states in the way that the no-cloning theorem [16] was extended to the no-broadcasting theorem [17], and that a qualitatively stronger constraint on the strength of the allowed quantum correlation requires more randomness for masking quantum information.
We suggest the entropy of a commodity such as the (Q)OTT, named the shared randomness cost, as a measure of the randomness cost of a commodity-based cryptographic protocol. We show that our QOTT-based qubit-commitment scheme (which differs from quantum bit-commitment, as elaborated later) achieves asymptotically the same shared randomness cost as Rivest's OTT-based bit-commitment scheme [1]. When superdense coding is employed, this implies that the QOTT-based bit-commitment scheme has half the randomness cost of the OTT-based bit-commitment scheme.

Quantum Masker
For commitment schemes, security against Bob, also known as the hiding property, is important. For qubit-commitment schemes, however, the information being committed to should also be hidden from Alice; otherwise Alice could freely change it [15]. The reason is that, by the no-cloning theorem, acquiring quantum information implies being the only one holding that information, so a modification of it cannot be detected. It is therefore natural to design a qubit-commitment scheme based on quantum maskers.
Masking quantum information is a quantum process that encodes a quantum state in a bipartite quantum system while hiding it from both subsystems. The quantum masker was first introduced [13] for pure bipartite states, where entanglement is the only form of correlation. However, for mixed states there are quantum correlations beyond entanglement [18][19][20]; a typical example is quantum discord [21]. We redefine the quantum masker for a general mixed state. Let $B(H)$ be the algebra of bounded operators on a Hilbert space $H$.
We call such an $M$ a (quantum) masker, and we say that $M$ is universal if it masks an arbitrary quantum state. Our main interest is in universal quantum maskers, so unless remarked otherwise, every masker below is assumed to be universal.
Here, two observations can be made. First, every universal quantum masker must be an invertible quantum process. Such a process, say $\Phi_M$, can always be expressed [22] in terms of a quantum state $\omega_S$ and a unitary transformation $M$ which maps the input system $C$ and the ancillary system $S$ to the systems $A$ and $B$, such that for every quantum state $\rho_C$ with some ancillary state $\omega_S$. In the equations given hereafter, system subscripts will be omitted when clear from the context. We call the unitary $M$ the masking unitary of $\Phi_M$ and the ancillary state $\omega_S$ the safe state of $\Phi_M$. This observation implies that masking quantum information is a process that must consume randomness, supplied in the form of the safe state. This raises natural questions: Is it really possible to mask quantum information when randomness is supplied? If so, how much is needed? These questions are timely given the demand in computer science and quantum information science for treating randomness as a resource [22][23][24][25].
The second observation answers these questions. The definition of masking quantum information is equivalent to a $(2,2)$-threshold quantum secret sharing (QSS) scheme [14,15], and masking is therefore possible. (See Fig. 1 for examples.) Moreover, every purification of a quantum masker is a $(2,3)$-threshold QSS scheme, as a consequence of the no-hiding theorem [26]. From expression (1), a purification of a masking process $\Phi_M$ can be obtained by purifying its safe state $\omega_S$ into a purification $|\Omega\rangle_{SK}$ with a purifying system $K$.
We will call such a system the key system of the quantum masker and the state $|\Omega\rangle_{SK}$ the safe-key state.
Before constructing a qubit-commitment scheme based on quantum masking unitaries, we close this section with some analysis of the randomness cost of quantum maskers. Readers can skip Theorem 2 and still follow the next section. Since any unauthorized subsystem of any $(k,n)$-threshold QSS scheme hiding a $d$-dimensional quantum state must be in a constant quantum state (regardless of the secret state) with von Neumann entropy no less than $\log_2 d$ bits [27], the key system of a quantum masker must be as well. Since the safe-key state is a pure entangled state, this gives a lower bound on the randomness cost, i.e. the von Neumann entropy of the safe state. In Theorem 2, the minimal randomness costs of masking quantum information into various types of quantum correlations are given. Detailed proofs of all theorems in this paper are provided in the Appendix.

Theorem 2.
Let $\omega_S$ be the safe state of a universal quantum masker $\Phi_M$ for a $d$-dimensional quantum system. The von Neumann entropy of $\omega_S$ is (i) no less than $\log_2 d$ bits if there is no other constraint, (ii) strictly larger than $\log_2 d$ bits when every output state of $\Phi_M$ must be separable, and (iii) no less than $2\log_2 d$ bits when every output state of $\Phi_M$ must be quantum-classical. (iv) There is no $\Phi_M$ such that every output state of $\Phi_M$ is classically correlated.
Part (i) yields the no-masking theorem as a corollary, since there is no universal quantum masker that consumes zero randomness. Parts (ii) and (iii) show that the more restricted the kind of correlation, the more randomness is required to mask a quantum state, while (iv) implies that quantum correlation is indispensable for masking quantum information. The last result, (iv), has an interesting implication for QSS: it is impossible to share a quantum secret among three parties exploiting only genuine tripartite entanglement. This is because a purification of a classically correlated bipartite quantum state is always a genuinely tripartite entangled state, and the converse also holds [28].

Quantum One-Time Tables for Qubit-Commitment
Based on the properties of the quantum masker, we construct a new unit of quantum commodity that can be used for an unconditionally secure qubit-commitment scheme. We call a commitment scheme a bit-commitment scheme if the secret value is classical information (a 'bit string'), and a qubit-commitment scheme if the secret value is a quantum state, even when that state is not 2-dimensional. Note that this differs from a quantum bit-commitment scheme, which is a special case of bit-commitment realized by quantum mechanical means. We also call a commitment scheme $d$-dimensional if the secret value is $d$-dimensional.
Let us briefly review unconditionally secure classical bit-commitment using the OTT, due to Rivest [1]. Let $p$ be an arbitrary prime number. The OTT used in Ref. [1] for a $p$-dimensional bit-commitment scheme is a classical bipartite state shared between two parties and composed of two parts: (i) two random numbers $(a, b)$ in $\mathbb{Z}_p$, one generated by each party, with their copies kept by Alice and Bob respectively, and (ii) a function of the two random numbers $(a, b)$ (e.g. their product modulo $p$) hidden and shared between Alice and Bob through the one-time pad (OTP) cipher, e.g. $(r, r + a\cdot b)$ with a random number $r \in \mathbb{Z}_p$ [1]. The pieces of information $a$ and $b$ held by Alice and Bob respectively can be interpreted as reference systems for their own random numbers, i.e. they are maximally correlated with their counterparts.
We generalize the OTT to the quantum one-time table (QOTT) by replacing part (i) with two maximally entangled states, say $|\Theta\rangle_{EC}$ and $|\Omega\rangle_{SK}$, and replacing part (ii) with a masking unitary $M_{CS\to AB}$, whose safe state has a single nonzero eigenvalue $1/p$ with degeneracy $p$ for a prime number $p$, together with the QOTP cipher $X^{j_1 i_1} Z^{j_2 i_2}$ ($X$ and $Z$ are the $p$-dimensional generalized Pauli operators; see Fig. 1) applied to the system $K$, with the numbers $i_1, i_2$ randomly chosen from $\mathbb{Z}_p$ and $j_1, j_2$ chosen from some $J \subset \mathbb{Z}_p$. Here, $(i_1, i_2)$ and $(j_1, j_2)$ are privately communicated to Alice and Bob, respectively. (See SETUP in Fig. 2.) The QOTT can be regarded as an entangled state partly shared between Alice and Bob through a $(2,3)$-threshold QSS scheme, with the system $K$ 'locked' by the hidden Pauli operators, so that, using the QOTT, any quantum state can be shared as a quantum secret by means of quantum teleportation.
We propose a qubit-commitment scheme utilizing the QOTT defined above. Although we introduce a partially credible third party, the 'trusted initializer', usually named Ted, to establish the QOTT in the scheme, we can treat the QOTT as a resource independently of its origin. Introducing a third party does not trivialize the problem, as is generally the case in commodity-based cryptography, since the trusted initializer never actively mediates between the clients, i.e. Alice and Bob, by relaying message transmissions.
In our scheme, the participants are assumed to be connected to a quantum network, i.e. Alice and Bob, as well as Ted, can make use of quantum channels between them. In the following description, we fix the masking unitary $M_{CS\to AB}$ as the one used in the definition of the QOTT and the entangled state $|\Omega\rangle_{SK}$ as the safe-key state of the quantum masker. Our scheme consists of three phases, SETUP, COMMIT and REVEAL; Ted participates only in the SETUP phase and exits the scheme afterwards. (See Fig. 2.) The protocol is as follows:
SETUP: Ted prepares a bipartite state. Here, $|ii\rangle_{EC}$ is a fixed, publicly known $d$-dimensional maximally entangled state. Ted distributes the systems $EA$ to Alice and the systems $BK$ to Bob. Ted privately informs Alice of the indices $(i_1, i_2)$ and privately informs Bob of the indices $(j_1, j_2)$.
COMMIT: Alice prepares a $d$-dimensional secret state $\rho_I$ in the system $I$. Alice performs a projective measurement onto the basis $\{(X^a$ on the systems $IE$ and transmits its outcome $(a, b)$ to Bob.
REVEAL: Alice sends the system $A$ to Bob and reveals the indices $i_1$ and $i_2$. Bob applies the gate $Z^{-j_2 i_2} X^{-j_1 i_1}$ on the system $K$ and then applies the unmasking unitary $M^\dagger_{AB\to CS}$ on $AB$. Bob checks whether the system $SK$ is in the state $|\Omega\rangle_{SK}$ by implementing the projective measurement $\{|\Omega\rangle\langle\Omega|_{SK},\ \mathbb{1}_{SK} - |\Omega\rangle\langle\Omega|_{SK}\}$. If the check succeeds, Bob applies $X^a Z^b$ on the system $C$ and accepts the state in the system $C$. Otherwise, Bob rejects.
We will call the proposed scheme the initializer (qubit-commitment) scheme.
To examine the security of a commitment scheme, the list approach, which checks whether sensible security criteria such as security against Alice and Bob and their perfectness (see the introduction for definitions) hold, is often taken [1,7,9,29]. However, for qubit-commitment schemes, the possibility of committing to a part of an entangled state before controlling the rest of it, and the impossibility of directly opening an unknown quantum state, make a satisfying definition of security against Alice hard to formulate. Therefore, we adopt the stronger simulation paradigm [29] and take the delayed quantum teleportation protocol as our ideal functionality. Delayed quantum teleportation is the same as usual quantum teleportation except that the classical message is fixed at an earlier stage and only its transmission is delayed to a later point of the protocol. Observe that delayed quantum teleportation achieves the goal of qubit-commitment. (See the Discussion section.) We say that a qubit-commitment scheme is unconditionally secure if it can be shown, without any assumption on computational power, that the scheme's output is indistinguishable from the output of an instance of the ideal functionality unless the probability of Alice passing the REVEAL phase is lower than a certain threshold that can be made arbitrarily small by increasing security parameters. We provide the security proof of the scheme in the Appendix.
Theorem 3. The initializer qubit-commitment scheme is unconditionally secure, with the security failure probability upper bounded by $|J|^{-1}$.
Essentially, Alice can only attempt to cheat by reporting wrong indices $(i_1, i_2)$ to Bob in the REVEAL phase, which leaves $p^2 - 1$ possible choices. Among these $p^2 - 1$ choices, for $2(p-1)$ of them the success probability of cheating is upper bounded by $|J|^{-1}$, and for $(p-1)^2$ of them it is upper bounded by $|J|^{-2}$. When Alice reports the correct indices she received in the SETUP phase, whatever quantum operation she applies to her systems, the already committed state cannot be changed, and the probability of Alice being accepted in the REVEAL phase can only drop when she deviates from the protocol.
The security of the unconditionally secure qubit-commitment scheme is not threatened by the entanglement attack that rules out a large class of unconditionally secure (in the list-approach sense) quantum bit-commitment schemes [5,6]. Two types of attack based on the properties of entanglement can be considered. The first is committing to a well-defined quantum state and using the fact that the state shared between Alice and Bob is entangled to alter the already committed state. However, as already discussed, reporting wrong indices leads to a vanishing success probability, so Alice is forced to report the correct indices $(i_1, i_2)$. In that case, whatever local operation Alice applies on the system $A$, it can only decrease the success probability and cannot alter the committed state at all, because of the duality of quantum maskers. (See the Appendix.) The second type of entanglement attack is committing to a part of an entangled state and using the other part for cheating. Security against this type of attack follows from the fact that our security proof establishes that the scheme is indistinguishable (with arbitrarily high probability) from delayed quantum teleportation, and in quantum teleportation it is allowed to teleport a part of an entangled state. In other words, whatever control Alice applies on her part of the entangled state after the other part has been committed to, it only affects her part of the quantum state. Note that this can happen even when Alice simply sends her secret state, sacrificing the condition that the state be hidden from Bob until the REVEAL phase begins.
The classical counterpart of committing to a part of an entangled state is committing to one of two maximally correlated random variables, for which it is easy to see that doing so gives no advantage in cheating Bob. See the Appendix for a more extensive discussion of this type of 'pseudo-attack'. It is important that in qubit-commitment Alice does not reveal the classical description of the quantum state she has committed to, since Alice is allowed to commit to an unknown quantum state, as in quantum teleportation.
We also highlight that Ted learns nothing about the secret quantum state. This observation ensures that even if Ted is malicious, it is impossible for Ted to attain any information about the secret quantum state.

Security
The ideal functionality of our scheme, delayed quantum teleportation, is by definition considered secure. The justification is that in quantum teleportation we regard the moment at which the classical communication (the transmission of the Bell measurement outcome) is completed as the moment at which the quantum information is transmitted. Therefore, by somehow fixing the classical message to be transmitted and delaying only its actual transmission, we fix the quantum message itself as well.
The justification for allowing general forms of Alice's behavior other than the generalized Bell measurement is that, even though Alice is required to perform the generalized Bell measurement and report the outcome $(a, b)$, from Bob's perspective it is impossible to check whether the generalized Bell measurement was really implemented. Therefore, assuming that an arbitrary subchannel $\Delta^{a,b}_{EA\to A}$ was applied to Alice's part of the entangled state for each reported $(a, b)$ is the best that Bob can do, and the set $\{\Delta^{a,b}_{EA\to A}\}$ should be regarded as Alice's legitimate input behavior for quantum teleportation. In this case, Bob is considered to receive the system $C$ of (the normalized version of) the entangled state (Here, appending the ancillary state $|\Psi\rangle_{AS}$ before applying $\Delta^{a,b}_{EA\to A}$ is also assumed to be a specific form of Alice's behavior.) Therefore, applying a quantum channel $\Xi_{A\to A}$ to the system $A$ and measuring the systems $AS$ are all local operations of Alice happening after the indices $(a, b)$ are decided, so they have no causal effect on Bob. In this context, the generalized Bell measurement is only a recommended behavior for Alice in order to securely commit to her intended quantum state. If she deviates from the protocol in the COMMIT phase, it is simply equivalent to her deciding to commit to another quantum state.
Another way of justifying this approach is to observe that, even given an ideal qubit-commitment protocol (as a black box), Alice can still commit to a part of an entangled state, apply a local measurement on her part of it, and 'postselect' by refusing to reveal the committed state whenever she gets an unwanted measurement outcome. This strategy of Alice's cannot be prevented, but its probability of success is limited. Note that between two distrusting parties, even a single refusal to reveal the secret value could lead to the communication between them being aborted.
'Attacks' of this type are not newly introduced by quantum mechanical settings, but are generic to any commitment scheme, including classical bit-commitments. For example, consider the following 'attack' on bit-commitment schemes. Suppose Alice commits blindly to a number between $0$ and $N-1$, meaning that Alice does not know which value she has committed to but keeps a copy of that number in a locked box. In this case one can say that Alice has committed to a part of a maximally correlated $N$-dimensional classical bipartite state. Later, Alice 'changes' her mind and decides to pretend that she has committed to a particular number, say, 4. Then she opens the locked box hoping that the number is 4, and she succeeds at this 'cheating' with probability $1/N$.
One can see how absurd this 'attack' is, and the situation is more or less equivalent to that in which Alice commits to a part of an entangled state and measures the rest of it at a later point. Post-processing her part of the entangled state ($\Xi_{A\to A}$ in the proof) would not help her either. This is why we do not count this type of 'attack' (thus, pseudo-attack) as a security failure but consider it a legitimate strategy of Alice, and why we consider delayed quantum teleportation the ideal functionality of qubit-commitment. From the structure of the security proof, we can see that the initializer scheme is universally composable. This is because the security of the scheme is proved in two steps: (i) substitute a corrupted participant's behavior with an arbitrary quantum operation that outputs the same data as required in the protocol; (ii) show that the whole quantum state is indistinguishable from the output of the ideal functionality, except in cases of negligibly small probability. This fits the definition of security in the universal composability (UC) framework [29][30][31][32], in the sense that no outer machine (called the environment machine in [29]) interacting with the adversary can distinguish the outputs of the ideal and real cases. As emphasized in [32], since qubit- or bit-commitment schemes are used as basic building blocks of more complicated cryptographic schemes, it is important to prove their universal composability.

Noise and Feasibility
From an experimental standpoint, the proposed scheme can be realized with pre-existing technologies for quantum teleportation and $(k,n)$-threshold quantum secret sharing [33][34][35][36], since Ted in our scheme simply distributes a part of a maximally entangled state as a shared quantum secret using a $(2,3)$-threshold QSS scheme [14], and the commitment by Alice is done by quantum teleportation. Noise in realistic situations does not help Alice's dishonest behavior, as all noise is indistinguishable from detectable malicious acts of Alice. Imperfections in Bob's measurement device can be statistically distinguished from malicious acts of Alice.
Any noise affecting the systems possessed by Alice can be considered part of her behaviors $\Delta_{EA\to A}$ and $\Xi_{A\to A}$. Whenever Alice reports the correct indices $(i_1, i_2)$, regardless of the forms of $\Delta_{EA\to A}$ and $\Xi_{A\to A}$, the scheme is indistinguishable from delayed quantum teleportation with noisy apparatus, so the scheme is still secure. When Alice reports wrong indices, the upper bound $1/|J|$ on her success probability does not depend on the specific form of the state $\Lambda_{\Delta,\Xi}$ (see the Appendix), so the scheme is secure nonetheless. When Bob's measurement device has a dark-count probability, meaning that with that probability the device clicks without proper input, this only additively increases the probability of accepting wrong indices, by at most the dark-count probability. If the sum of $1/|J|$ and the dark-count probability can be suppressed to the tolerable failure probability, then one-shot qubit-commitment is possible. Otherwise, by encoding the secret state with an error correcting code that distributes it over $n$ systems and running the protocol for each system, one can suppress the security failure probability to the $n$-th power of that sum, so the scheme can be run with additional resources.

Shared Randomness Cost
Although the QOTT is an entangled state, one cannot simply say that the entanglement in the QOTT provides the unconditional security, because quantum communication is already allowed between Alice and Bob. Ted's role is to provide uncertainty. Since, in a cryptographic setting, each mistrustful participant should assume that the other retains all side information of their operations, i.e. that every information process is an isometry, the whole quantum state remains pure unless there is a publicly trusted source of randomness, e.g. the intervention of a trusted third party. Therefore we measure the cost of a commodity in terms of its entropy and call it the shared randomness cost (SRC).
One can draw an analogy between shared randomness in the commodity-based cryptography framework and entanglement in the LOCC framework, in that both are resources in the form of quantum correlation that must be prepared beforehand. The QOTT is, however, different from conventional resources in quantum information science, as mixing QOTTs only makes them more costly. This does not mean that the more mixed the QOTT is, the more useful it is, since randomness that cannot be verified by distrustful parties is useless in a cryptographic setting. Calculating the number of 'distillable' QOTTs in an arbitrary bipartite state is an interesting open problem.
We first prove an optimality result for Rivest's scheme. Consider an OTT consisting of two correlated random variables $X$ and $Y$ belonging to Alice and Bob respectively. We impose a few conditions for them to be usable in commitment schemes.
In a general commodity-based commitment scheme, Alice encodes her $d$-dimensional secret message with the random variable $X$ and sends the encoded message (the 'commitment') to Bob in the COMMIT phase. In the REVEAL phase, Alice reveals the secret message along with $X$ (the 'decommitment'). Based on the information $Y$, Bob either accepts or rejects. For this scheme to work properly, $X$ should be random enough to encode a randomly chosen message and, conditioned on $Y$, there should be no ambiguity about acceptance in the REVEAL phase. Acceptance of a claimed value should be based on the conditional probability $\Pr(X|Y)$, i.e. Bob, who has $Y = y$, accepts Alice's claim $x'$ only when $\Pr(X = x'|Y = y)$ is nonzero. For this to be unambiguous, the conditional probability $\Pr(X|Y)$ should be uniform on its support. We impose this requirement in the following condition. Let $\Theta$ be the characteristic function of the support of the joint probability $\Pr(X = x, Y = y)$, i.e. $\Theta(x, y) = 0$ when $\Pr(X = x, Y = y) = 0$ and $\Theta(x, y) = 1$ when $\Pr(X = x, Y = y) > 0$.
Condition (i): For every $x$ and $y$, $\Pr(X = x|Y = y) = \frac{1}{m}\Theta(x, y)$, where $m \ge d$ is some positive integer.
We remark that $\Theta(x, y)$ functions as an indicator showing whether Bob with $Y = y$ accepts Alice's claim that $X = x$.
Second, the success probability of cheating by Alice should be bounded from above by some value that vanishes as the security parameter increases. Let $P_{\mathrm{acc}}(x'|x)$ be the probability of being accepted by Bob after Alice reveals $x'$ even though she actually received $x$. Note that $P_{\mathrm{acc}}(x'|x) = \sum_y \Theta(x', y)\,\Pr(Y = y|X = x)$.
Condition (ii): For every $x$ and $x'$ such that $x \neq x'$, $P_{\mathrm{acc}}(x'|x) < q$ for some $q = o(1)$.
From these two conditions, we have the following result. See the Appendix for the proof.

Theorem 4. For an arbitrary OTT (X,Y) satisfying conditions (i) and (ii), P r(X
for every $x$ and $y$. Hence the SRC of $(X, Y)$ is asymptotically lower bounded by $-2\log q + \log d$. For Rivest's scheme, $q = d^{-1}$, and the SRC of the OTT in Rivest's scheme is $3\log d$. Therefore Rivest's scheme achieves the bound of Theorem 4. Although it is unclear whether Conditions (i) and (ii) encompass every OTT capable of implementing a commitment scheme, we can at least conclude that Rivest's scheme is optimal among a large class of commodity-based commitment schemes.
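The OTT-based commitment reviewed earlier and the SRC analysis under Conditions (i) and (ii), worked through in code as an added illustration (not code from the paper). It assumes a concrete message layout that the text does not fix: Alice holds $X = (a, r)$, Bob holds $Y = (b, r + ab \bmod p)$, the commitment is the OTP ciphertext $v + r \bmod p$, and the decommitment is $(v, a, r)$; the cheating probability, the uniformity of $\Pr(X|Y)$ and the SRC are then computed exhaustively for a small prime.

```python
"""OTT-based commitment over Z_p, in the form sketched in the text.

Added illustration, not code from the paper. Assumed layout: Alice's share is
X = (a, r), Bob's share is Y = (b, s) with s = r + a*b mod p. Alice commits to
v in Z_p by sending c = v + r mod p and decommits with (v, a, r).
"""
import math
import secrets
from itertools import product


def make_ott(p, rng=secrets.randbelow):
    """Trusted initializer Ted: sample a, b, r uniformly and split the table."""
    a, b, r = rng(p), rng(p), rng(p)
    alice = (a, r)                      # X: Alice's random number and OTP key
    bob = (b, (r + a * b) % p)          # Y: Bob's random number and OTP share
    return alice, bob


def commit(alice, v, p):
    """COMMIT: hide v under the one-time pad r; c reveals nothing about v to Bob."""
    _, r = alice
    return (v + r) % p


def verify(bob, c, v, a, r, p):
    """REVEAL check: (v, a, r) must match the commitment and Bob's share (b, s)."""
    b, s = bob
    return (v + r) % p == c and (r + a * b) % p == s


def theta(x, y, p):
    """Theta(x, y) = 1 iff Bob holding y = (b, s) accepts Alice's claim x = (a, r)."""
    a, r = x
    b, s = y
    return 1 if (r + a * b) % p == s else 0


def joint_counts(p):
    """Joint table of (X, Y): each triple (a, b, r) is equally likely, p^-3 each."""
    counts = {}
    for a, b, r in product(range(p), repeat=3):
        key = ((a, r), (b, (r + a * b) % p))
        counts[key] = counts.get(key, 0) + 1
    return counts


def conditional_is_uniform(p):
    """Condition (i): Pr(X = x | Y = y) equals 1/m on its support for a single m.
    Returns (holds, m)."""
    counts = joint_counts(p)
    support_sizes = set()
    for y in product(range(p), repeat=2):
        column = [n for (x, yy), n in counts.items() if yy == y]
        if len(set(column)) != 1:       # not uniform on the support of this y
            return False, None
        support_sizes.add(len(column))
    return len(support_sizes) == 1, support_sizes.pop()


def max_cheat_probability(p):
    """Condition (ii): max over x' != x of
    P_acc(x'|x) = sum_y Theta(x', y) Pr(Y = y | X = x).
    Given X = (a, r), Bob's b is uniform and s is then fixed, so the sum is a
    count over b divided by p. Changing only r never passes; changing a passes
    for exactly one value of b, hence the maximum is 1/p = d^-1."""
    shares = list(product(range(p), repeat=2))
    worst = 0.0
    for (a, r) in shares:
        for x_prime in shares:
            if x_prime == (a, r):
                continue
            hits = sum(theta(x_prime, (b, (r + a * b) % p), p) for b in range(p))
            worst = max(worst, hits / p)
    return worst


def ott_entropy_bits(p):
    """Shared randomness cost: Shannon entropy of the joint table (X, Y),
    which is 3 log2 p because the table is uniform over p^3 triples."""
    counts = joint_counts(p)
    total = p ** 3
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def theorem4_bound_bits(q, d):
    """SRC lower bound from Theorem 4: -2 log2 q + log2 d."""
    return -2 * math.log2(q) + math.log2(d)


if __name__ == "__main__":
    p = 7
    alice, bob = make_ott(p)
    c = commit(alice, 4, p)
    print("honest reveal accepted  :", verify(bob, c, 4, alice[0], alice[1], p))
    print("Pr(X|Y) uniform, m      :", conditional_is_uniform(p))
    print("max cheating probability:", max_cheat_probability(p))
    print("SRC of the OTT (bits)   :", ott_entropy_bits(p))
    print("Theorem 4 bound (bits)  :", theorem4_bound_bits(1 / p, p))
```

For this layout the computed SRC, $3\log_2 p$, coincides with the Theorem 4 bound evaluated at $q = 1/p$, which is the optimality statement above checked numerically.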
We compare the SRC of our scheme to that of a qubit-commitment-via-bit-commitment scheme inspired by Ref. [37], in which Alice sends Bob a quantum state hidden with the QOTP and commits to the classical OTP part via Rivest's bit-commitment scheme. In this case, the SRC is $6\log_2 d$ bits for $d$-dimensional qubit-commitment. The success probability of cheating is at most $d^{-1}$ for $2(d-1)$ cases and $d^{-2}$ for $(d-1)^2$ cases out of $d^2 - 1$ possible cheating strategies. On the other hand, for the scheme introduced here, the SRC is at minimum $2\log_2 d + 2\log_2 |J|$ bits, where $|J|$ is the size of the set of indices used in the scheme. For a given $|J|$, the success probability of cheating by Alice is similarly at most $|J|^{-1}$ for $2(d-1)$ cases and $|J|^{-2}$ for $(d-1)^2$ cases out of $d^2 - 1$ possible cheating strategies. To achieve the same level of security as Rivest's scheme, we pick the maximal value $|J| = d - 1$ and obtain asymptotically the same level of security with an SRC of $4\log_2 d + o(1)$. This proves that there exists a quantum commodity exhibiting a cost advantage for commodity-based quantum cryptography.
The use of the QOTT is not limited to the cryptography of quantum information. The initializer scheme can also be used to boost the efficiency of commodity-based bit-commitment. Since one can commit to 2 bits of classical information by committing to one qubit using superdense coding (Alice first encodes the classical information into a maximally entangled state through superdense coding, sends one half of the state to Bob, and finally commits to the remaining half), we obtain an initializer quantum bit-commitment scheme with an SRC of $\log_2 d + \log_2 |J|$ bits, which is strictly smaller than the SRC of Rivest's scheme, $\log_2 d + 2\log_2 |J|$, at the same level of security.
As the SRC reduction achieved by the initializer scheme proposed in this work suggests, a quantum strategy can halve the randomness cost of achieving the same level of security. We conjecture that, by improving the scheme with a more clever use of the quantum advantage, one can also reduce the randomness cost of hiding information, so that the overall SRC can reach (asymptotically) $3\log_2 d$ bits for the commitment of a $d$-dimensional quantum state.
Our qubit-commitment scheme, which satisfies general security criteria while preserving the coherence of the committed quantum state, has broad applications in the upcoming era of quantum networks [38]. One example is a fair version of quantum state exchange [39,40]. If two quantum computers are required to generate certain quantum states independently and to be cross-checked afterwards [41], neither computer should acquire the other's output state before generating its own. Otherwise one could learn from the other's state, or even try to imperfectly clone [42] it, in order to pretend to have high computational power. Our qubit-commitment solves this problem by letting the first revealer persuade the other party that it has indeed generated the quantum state independently, without giving away information about the state before receiving the other party's quantum state. In general, qubit-commitment can lift the assumption of an asynchronous quantum network [30], i.e. the assumption that only one quantum machine among the many connected to a quantum network can be activated at a time, from quantum cryptographic models, since with qubit-commitment multiple quantum machines can effectively be activated at the same time.

Theorem 1.
Let $\omega_S$ be the safe state of a universal quantum masker $\Phi_M$ for a $d$-dimensional quantum system. Then the von Neumann entropy of $\omega_S$ is lower bounded by $\log_2 d$.
Before proving this theorem, we prove a more general result for the $(k,n)$-threshold quantum secret sharing schemes of [27], in a way that does not rely on the strong subadditivity of the von Neumann entropy.
Lemma 1. Suppose $\Phi_M$ is the quantum map implementing a $(k,n)$-threshold quantum secret sharing scheme. Then, for any $\rho \in \mathcal{B}(\mathbb{C}^d)$, the marginal state $\Phi_M(\rho)_{A_i}$ of any system $A_i$, obtained by tracing out the other $n-1$ parties of the $n$-partite state $\Phi_M(\rho)_{A_1,\dots,A_n}$, has von Neumann entropy $\log_2 d$ or higher.
Proof. As every $(k,n)$-threshold quantum secret sharing scheme can be purified to a pure $(k,2k-1)$-threshold quantum secret sharing scheme [27], we only prove the lemma for that case. The scheme can then be implemented with an isometry $M : \mathbb{C}^d \to (\mathbb{C}^d)^{\otimes (2k-1)}$. Consider the input state $\rho \in \mathcal{S}(\mathbb{C}^d)$ in the system $C$ and its purification $|\Psi_\rho\rangle_{EC}$ with the purifying system $E$.
Since the choice of the authorized set $D$ was arbitrary apart from the condition that it contains $A_i$, one can choose the new $D$ as $\{A_i\} \cup U$, with the corresponding new $U$. From the same argument we obtain the analogous inequality, and by averaging the two inequalities we have $H(E) \le H(A_i)$.
As the system $E$ was defined as the purifying system of the input state $\rho$ and remains untouched by the secret sharing process, $H(E) = H(\rho)$. Since $\rho$ was arbitrary, we can take $\rho$ to be the maximally mixed state, for which $H(E)$ attains its maximum value $\log_2 d$; hence $H(A_i) \ge \log_2 d$.
Note that this result can be considered a stronger version of Theorem 4 in [27]. Noting that a quantum masking process is merely a $(2,2)$-threshold quantum secret sharing scheme, and that any mixed quantum secret sharing scheme can be obtained by tracing out irrelevant parties of a pure quantum secret sharing state, we see that the following circuit implements a pure $(2,3)$-threshold quantum secret sharing scheme among three parties $A$, $B$ and $K$.
Here $|\Psi_\rho\rangle_{EC}$ is a purification of the input state $\rho$ and $|\Omega\rangle_{SK}$ is a purification of the safe state $\omega_S$ consumed in the hiding process. The lemma says that $H(K) \ge \log_2 d$, and since $H(K) = H(\omega_S)$ this proves Theorem 1. Moreover, at least one of the pairs $AK$ and $BK$ must be entangled for some pure state $\rho$: if all three pairs $AB$, $AK$ and $BK$ were separable, the bipartite state $\Phi_M(\rho)_{AB}$ would be classically correlated [43], but by Theorem 4 below it is impossible to mask quantum information into classically correlated systems. Note that the quantum discord $D^{\leftarrow}(A|K)$ is zero if and only if the system $AK$ is in a quantum-classical state. Therefore, under the given conditions, $S(K)$ must be strictly larger than $I(A:B)$, which is in turn no smaller than $\log_2 d$. As $S(S) = S(K)$, we get the first part of the theorem.
For the second part of the theorem, as $D^{\leftarrow}(A|B) = 0$, the state $\Phi_M(|\psi\rangle\langle\psi|)$ is a quantum-classical (QC) state [44] of the form
$$\Phi_M(|\psi\rangle\langle\psi|) = \sum_i q_i\, M_i(|\psi\rangle\langle\psi|)_A \otimes |\sigma_i\rangle\langle\sigma_i|_B,$$
where $\mathrm{Tr}_A(\Phi_M(|\psi\rangle\langle\psi|)) = \sum_i q_i |\sigma_i\rangle\langle\sigma_i|_B$ is the spectral decomposition of the state of the system $B$, which is independent of $|\psi\rangle\langle\psi|$, and $M_i$ is some quantum process for each $i$. Let $\rho$ and $\sigma$ be arbitrary quantum states with orthogonal support ($\rho\sigma = 0$). Then we have $\mathrm{Tr}[M_i(\rho) M_i(\sigma)] = 0$ for all $i$ such that $q_i \neq 0$. Therefore, for any Hermitian operator $H$, decomposing it into mutually orthogonal positive and negative parts $P \ge 0$ and $N \ge 0$ with $H = P - N$, we obtain
$$\|M_i(H)\|_1 = \|M_i(P)\|_1 + \|M_i(N)\|_1 = \|P\|_1 + \|N\|_1 = \|H\|_1,$$
where we used the fact that $\|M_i(\rho)\|_1 = \|\rho\|_1$ for any positive operator $\rho$, since $M_i$ is a CPTP (completely positive and trace preserving) map. This proves that $M_i$ preserves the trace norm on the space of $d$-dimensional Hermitian operators for all $i$ with $q_i \neq 0$, so that it is injective. It follows that all such $M_i$ are invertible quantum maps. From the masking condition, the quantum channel is then a randomization scheme [22], and therefore, by the result of Ref. [22], the Shannon entropy of the probability distribution $\{q_i\}$, which is no larger than the von Neumann entropy of the safe state $\omega_S$ because $\Phi_M(|\psi\rangle\langle\psi|) = M_{CS \to AB}(|\psi\rangle\langle\psi|_C \otimes \omega_S) M^\dagger_{AB \to CS}$, is at least $2\log_2 d$.
The randomness lower bounds proved above are in fact attained, as shown by the existence of the 4-qubit masker and the quantum one-time pad.

Lemma 2. For arbitrary $d \ge 2$, a universal quantum masker exists for a $d$-dimensional quantum system that consumes $\log_2 d$ bits of randomness.

Proof. The 4-qubit masker is easily generalized to $d$-dimensional systems by replacing the 2-dimensional controlled-X gates with their $d$-dimensional generalization, defined for $x, y = 0, \dots, d-1$, and replacing the Hadamard gate with the discrete Fourier transform gate. The output state for a pure input state $|\psi\rangle = \sum_{i=0}^{d-1} \alpha_i |i\rangle$ then has the property that, for every $d \ge 2$, tracing out the system $B_1B_2$ yields the maximally mixed state on $A_1A_2$, and vice versa. For general mixed states, by the linearity of quantum processes, the marginal of the output state is a mixture of maximally mixed marginals, which is again maximally mixed. This shows that the given quantum process masks any quantum state. As for the recoverability condition, since the operation consists of a unitary applied after attaching an ancillary system, the inverse unitary followed by tracing out the ancillary systems recovers the input.

Lemma 3. Universal quantum masking is impossible without quantum correlation.
Proof. For a universal masking process $\Phi_M$, the absence of quantum correlation in the masked quantum state implies the following expression for any input state $\rho_C$:
$$\Phi_M(\rho) = \sum_{j,i} p_{ji}(\rho)\, |j\rangle\langle j|_A \otimes |i\rangle\langle i|_B,$$
where $p_{ji}(\rho)$ is a joint probability distribution for the indices $j$ and $i$, linear in the state $\rho$, and $\{|j\rangle_A\}$ and $\{|i\rangle_B\}$ are respectively the eigenbases of $\mathrm{Tr}_B[\Phi_M(\rho)]$ and $\mathrm{Tr}_A[\Phi_M(\rho)]$, which are independent of the input state $\rho$. From the proof of Theorem 2, however, $\Phi_M(\rho)$ also permits the expression
$$\Phi_M(\rho) = \sum_i q_i\, M_i(\rho)_A \otimes |i\rangle\langle i|_B$$
for any input state $\rho$, with $\{|i\rangle_B\}$ the same input-independent eigenbasis of the marginal state of $B$. Defining $N_i(\rho) := (1/q_i) \sum_j p_{ji}(\rho)\, |j\rangle\langle j|_A$ for every $i$ with $q_i \neq 0$, we have $\operatorname{Im}\{N_i\} = \operatorname{Im}\{M_i\}$. The left-hand side, however, is diagonal in the basis $\{|j\rangle_A\}$, whereas the right-hand side is an isometric embedding of the space of quantum states $\{\rho_C\}$, which is a contradiction.
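As an added worked example (Python/NumPy, not code from the paper), the script below builds two universal maskers for a qutrit ($d = 3$) in the paper's form $\Phi_M(\rho) = M_{CS \to AB}(\rho_C \otimes \omega_S) M^\dagger$ and checks the masking, recoverability and randomness-cost statements of Theorem 1, the second part of Theorem 2, Lemma 2 and Lemma 1 numerically. The first masker is not the paper's 4-qubit construction (whose circuit is not reproduced above) but the $(2,3)$-threshold qutrit scheme of Cleve, Gottesman and Lo, $|s\rangle \mapsto \frac{1}{\sqrt 3}\sum_q |q, q+s, q+2s\rangle$, written as the unitary $M|s\rangle_C|k\rangle_S = |s+k\rangle_A |2s+k\rangle_B$ acting on a maximally mixed safe state; its safe-state entropy is $\log_2 3$, so it meets the Theorem 1 bound. The second is the qutrit quantum one-time pad, whose output is quantum-classical and whose key has Shannon entropy $2\log_2 3$, the bound for classically correlated masks. All function and variable names are mine, and the input state is a constructed random pure qutrit.

```python
import numpy as np

d = 3                                   # qutrits; the QSS masker below uses mod-3 arithmetic
w = np.exp(2j * np.pi / d)

def ket(*idx):
    """Computational basis vector |i1 i2 ...> of qutrits (first index most significant)."""
    v = np.zeros(d ** len(idx), dtype=complex)
    v[np.ravel_multi_index(idx, (d,) * len(idx))] = 1.0
    return v

def proj(a, b):
    """Outer product |a><b|."""
    return np.outer(a, b.conj())

def partial_trace(rho, dims, keep):
    """Reduced state on the subsystems listed in `keep`; `dims` are the local dimensions."""
    n = len(dims)
    r = rho.reshape(tuple(dims) * 2)
    L = "abcdefghijklmnop"
    rows = [L[i] for i in range(n)]
    cols = [L[i + n] if i in keep else L[i] for i in range(n)]   # repeated letter = traced out
    out = [L[i] for i in keep] + [L[i + n] for i in keep]
    k = int(np.prod([dims[i] for i in keep]))
    return np.einsum("".join(rows + cols) + "->" + "".join(out), r).reshape(k, k)

def entropy(rho):
    """von Neumann entropy in bits (equals the Shannon entropy for a diagonal state)."""
    ev = np.linalg.eigvalsh(rho)
    ev = ev[ev > 1e-12]
    return float(-np.sum(ev * np.log2(ev)))

# Generalised Paulis on a qutrit: X|j> = |j+1 mod 3>, Z|j> = w^j |j>.
X = np.roll(np.eye(d, dtype=complex), 1, axis=0)
Z = np.diag(w ** np.arange(d))

# Masker 1 (assumed construction): M_{CS->AB}|s>_C|k>_S = |s+k>_A|2s+k>_B (mod 3), safe state I/3.
# Purifying omega_S with |Omega>_SK = sum_k |k>_S|k>_K/sqrt(3) turns this into the
# Cleve-Gottesman-Lo (2,3) scheme |s> -> sum_q |q, q+s, q+2s>/sqrt(3) on parties A, B, K.
M_qss = sum(proj(ket((s + k) % d, (2 * s + k) % d), ket(s, k))
            for s in range(d) for k in range(d))
omega_qss = np.eye(d, dtype=complex) / d

# Masker 2: qutrit quantum one-time pad, M_{CS->AB} = sum_{a,b} X^a Z^b (x) |ab><ab|, with the
# uniformly random classical key (a,b) as the safe state (entropy 2*log2(3)).
M_qotp = sum(np.kron(np.linalg.matrix_power(X, a) @ np.linalg.matrix_power(Z, b),
                     proj(ket(a, b), ket(a, b)))
             for a in range(d) for b in range(d))
omega_qotp = np.eye(d * d, dtype=complex) / (d * d)

def mask(M, omega, rho):
    """Phi_M(rho) = M (rho_C (x) omega_S) M^dagger, the paper's masking form."""
    return M @ np.kron(rho, omega) @ M.conj().T

def unmask(M, sigma, dims):
    """Recovery: undo M, then trace out everything except the first (C) system."""
    return partial_trace(M.conj().T @ sigma @ M, dims, (0,))

def check_masker(M, omega, rho, dims, A, B):
    """Return (masking error on A, masking error on B, recovery error, H(omega_S) in bits)."""
    sigma = mask(M, omega, rho)
    dA = int(np.prod([dims[i] for i in A]))
    dB = int(np.prod([dims[i] for i in B]))
    errA = np.linalg.norm(partial_trace(sigma, dims, A) - np.eye(dA) / dA)  # input-independent marginal
    errB = np.linalg.norm(partial_trace(sigma, dims, B) - np.eye(dB) / dB)
    errR = np.linalg.norm(unmask(M, sigma, dims) - rho)
    return float(errA), float(errB), float(errR), entropy(omega)

def share_entropies(psi):
    """Single-share entropies of the purified (2,3) scheme (M (x) I_K)(|psi>_C|Omega>_SK): Lemma 1."""
    omega_pure = sum(ket(k, k) for k in range(d)) / np.sqrt(d)
    state = np.kron(M_qss, np.eye(d)) @ np.kron(psi, omega_pure)
    rho = proj(state, state)
    return tuple(entropy(partial_trace(rho, (d, d, d), (i,))) for i in range(3))

def random_qutrit(seed=7):
    """Constructed test input: a random pure qutrit state vector."""
    rng = np.random.default_rng(seed)
    v = rng.normal(size=d) + 1j * rng.normal(size=d)
    return v / np.linalg.norm(v)

def run_checks(seed=7):
    """Run both maskers on one constructed input; every entry of the result should be ~0
    except the entropies, which are log2(3) for the QSS masker and 2*log2(3) for the QOTP."""
    psi = random_qutrit(seed)
    rho = proj(psi, psi)
    return {
        "qss": check_masker(M_qss, omega_qss, rho, (d, d), (0,), (1,)),
        "qotp": check_masker(M_qotp, omega_qotp, rho, (d, d, d), (0,), (1, 2)),
        "shares": share_entropies(psi),
    }

if __name__ == "__main__":
    for name, res in run_checks().items():
        print(f"{name:7s}", np.round(res, 6))
```

Both maskers leave Alice's and Bob's marginals maximally mixed for every input and are exactly recoverable, so the only thing separating them is the entropy of the consumed safe state: $\log_2 3$ bits for the entangled-purification construction against $2\log_2 3$ bits for the classical key, which is the gap between the Theorem 1 bound and the bound for quantum-classical outputs. The $(2,3)$ scheme is specific to $d = 3$; Lemma 2's generic $d$-dimensional construction is a different circuit.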
Theorem 3. The initializer qubit-commitment scheme is unconditionally secure.

Proof. Although we have adopted the simulation paradigm, we can still check that the two important security criteria for commitment schemes are satisfied. The correctness condition, i.e. that when all participants are honest the state revealed to Bob is the same as the secret state Alice committed to, holds trivially since $M_{CS \to AB}$ and $M^\dagger_{CS \to AB}$ cancel each other. Security against Bob holds since, without knowledge of the indices $(i_1, i_2)$, the state $(\mathbb{1}_S \otimes X^{j_1 i_1} Z^{j_2 i_2})|\Omega\rangle_{SK}$ is twirled to $\omega_S \otimes \omega_K$, because for $j \not\equiv 0 \pmod p$ the map $i \mapsto ij$ modulo $p$ is a permutation. The systems in Bob's possession after the COMMIT phase are then in the state (assuming that there is a well-defined secret state) where $\rho_C$ is the state Alice committed to. By the masking property of $M$, this state is independent of $\rho_C$; therefore the scheme is unconditionally and perfectly concealing. We can also show that the scheme is secure against Alice when there is a well-defined secret state in the COMMIT phase. Assume that Alice commits to a pure quantum state $|\psi\rangle$ that is in a product state with its environment, but at a later time decides to change the already committed state by applying a quantum channel $\Xi_A$ on the system $A$. Assuming that Alice reports the correct indices in the REVEAL phase (otherwise she has an arbitrarily small success probability), the output is always $|\psi\rangle$ and the probability of acceptance in the REVEAL phase is $\langle\Psi|_{AS} (\Xi_A \otimes I_S)(|\Psi\rangle\langle\Psi|_{AS}) |\Psi\rangle_{AS}$. Therefore, deviating from the protocol after honestly committing to a certain quantum state only decreases the success probability and cannot change the committed state even slightly.
Next, we claim that whenever Alice reports the rightful indices $(i_1, i_2)$ received from Ted, the unnormalized outcome state in the system $C$ is indistinguishable from the outcome of an instance of the delayed quantum teleportation scheme, in which the classical information transmission is faithful but delayed. This means that the classical information (the outcome of the Bell measurement) is irreversibly decided in the initial stage of the scheme, but its revelation is delayed to a later point in time. In delayed quantum teleportation, Alice can teleport one half of a maximally entangled state and measure the other half between the two stages to collapse the already teleported state, but this is not necessarily a malicious act, only a manifestation of the nonlocal property of entangled states. The measurement outcome on Alice's side in delayed quantum teleportation is probabilistic and cannot be controlled deterministically. If it could be controlled, Alice could effectively collapse Bob's system into a state beyond the statistics dictated by Bob's marginal state (of $|\Theta\rangle_{EC}$) without additional transmissions, which would violate the no-signaling theorem. Therefore, we take delayed quantum teleportation as our ideal functionality (see the Discussion section of the paper). In our scheme, once the correct indices $(i_1, i_2)$ are reported to Bob in the REVEAL phase, the generalized Pauli gates on the system $K$ are exactly cancelled out in the REVEAL phase, so we can ignore them throughout the whole protocol. Although Alice is required to perform the generalized Bell measurement in the COMMIT phase, since Bob cannot examine Alice's behavior other than through the measurement outcomes $(a, b)$, the most general behavior of Alice is to apply arbitrary subchannels $\Delta^{a,b} : EA \to A$ such that $\Delta_{EA \to A} = \sum_{a,b} \Delta^{a,b}_{EA \to A}$ is a quantum channel (CPTP map), and to report the corresponding indices $(a, b)$ to Bob.
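The twirling step in the security-against-Bob argument above, as an added example (Python/NumPy, not from the paper) for the prime $p = 3$: the $K$ half of $|\Omega\rangle_{SK}$ is hit by $X^{j_1 i_1} Z^{j_2 i_2}$ and the result is averaged over the indices $(i_1, i_2)$ that Bob does not know. `twirl_residual` (my name) returns the distance of that average from $\omega_S \otimes \omega_K = I/9$. It is zero exactly when both $j_1$ and $j_2$ are nonzero modulo $p$; if either exponent is zero only a $Z$-twirl or only an $X$-twirl is applied, a correlated residue of $|\Omega\rangle$ survives, and the concealment argument does not apply. The condition "unless $j \equiv 0 \pmod p$" therefore has to be enforced for both indices.

```python
import numpy as np

p = 3                                                 # a prime, as in the scheme
w = np.exp(2j * np.pi / p)
X = np.roll(np.eye(p, dtype=complex), 1, axis=0)      # X|k> = |k+1 mod p>
Z = np.diag(w ** np.arange(p))                        # Z|k> = w^k |k>
I = np.eye(p, dtype=complex)

# |Omega>_SK = sum_k |k>_S |k>_K / sqrt(p); S is the first tensor factor, K the second.
omega_vec = sum(np.kron(I[:, k], I[:, k]) for k in range(p)) / np.sqrt(p)
Omega = np.outer(omega_vec, omega_vec.conj())

def twirl_residual(j1, j2):
    """Frobenius distance between the (i1,i2)-averaged state
    (1_S (x) X^{j1 i1} Z^{j2 i2}) |Omega><Omega| (.)^dagger and omega_S (x) omega_K = I/p^2."""
    avg = np.zeros((p * p, p * p), dtype=complex)
    for i1 in range(p):
        for i2 in range(p):
            U_K = (np.linalg.matrix_power(X, (j1 * i1) % p)
                   @ np.linalg.matrix_power(Z, (j2 * i2) % p))
            U = np.kron(I, U_K)                       # acts on K only
            avg += U @ Omega @ U.conj().T / (p * p)
    return float(np.linalg.norm(avg - np.eye(p * p) / (p * p)))

if __name__ == "__main__":
    for j in [(1, 1), (2, 1), (1, 2), (0, 1), (1, 0)]:
        print("(j1, j2) =", j, " residual =", round(twirl_residual(*j), 4))
```

With $j_1 = 0$ the average is $\frac{1}{3}\sum_k |kk\rangle\langle kk|$, a classically correlated state rather than $I/9$, and Bob's register is no longer independent of Ted's; the residual is $\sqrt{2/9} \approx 0.47$ in both degenerate cases.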
Here the system $A$ can be chosen arbitrarily as it will never

We remark here that, although the security proof given above does not explicitly use the notion of min- or max-entropy or an epsilon-delta argument, the proof holds for a single-shot implementation of the protocol, and the maximum success probability of cheating is bounded from above by a parameter that can be lowered arbitrarily by employing more resources; we therefore argue that the proof stands. Note that the proof given by Rivest [1] does not use the notions of min- or max-entropy either.

Proof. We first find an upper bound on $\Pr(X)$. From Condition (ii) we get
$$\sum_y \Pr(X = x' \mid Y = y)\, \Pr(Y = y \mid X = x) < \frac{q}{m} \quad \text{for any } x \neq x'.$$
Note that $\sum_y \Theta(x, y) \Pr(Y = y \mid X = x) = 1$. Multiplying both sides by $\Pr(X = x)$ and summing over $x$, we get
$$\sum_y \Pr(X = x' \mid Y = y)\, \Pr(Y = y) = \Pr(X = x') < \bigl(1 - \Pr(X = x')\bigr)\frac{q}{m} + \Pr(X = x')\frac{1}{m}.$$
This implies $\Pr(X = x') < \frac{q}{m - 1 + q}$ for any $x'$, which is the desired upper bound on $\Pr(X)$. Next, we find an upper bound on $\Pr(Y)$. We use another expression of Condition (ii), namely
$$\sum_y \Theta(x', y)\, \Theta(x, y)\, \Pr(Y = y) < q m \Pr(X = x) \quad \text{for any } x \neq x',$$
which follows from $\Pr(Y = y \mid X = x) = \Pr(X = x \mid Y = y) \Pr(Y = y) / \Pr(X = x) = \frac{1}{m}\Theta(x, y) \Pr(Y = y) / \Pr(X = x)$. Using the upper bound $\Pr(X = x) < \frac{q}{m - 1 + q}$, we get, for any distinct $x$ and $x'$,
$$\sum_y \Theta(x', y)\, \Theta(x, y)\, \Pr(Y = y) < \frac{q^2 m}{m - 1 + q}.$$
Condition (i) implies that for a given $y$ there are $m$ values of $x$ with $\Theta(x, y) = 1$. Therefore, for arbitrary $y_0$ we can find two distinct $x$ and $x'$ such that $\Theta(x, y_0) = \Theta(x', y_0) = 1$. Since a sum of nonnegative terms is never smaller than any individual term, we get
$$\Pr(Y = y_0) < \frac{q^2 m}{m - 1 + q}.$$
As $y_0$ was arbitrary, we get $\Pr(Y) < \frac{q^2 m}{m - 1 + q}$. Finally, since $\Pr(X = x, Y = y) = \Pr(X = x \mid Y = y) \Pr(Y = y) \le \frac{1}{m} \Pr(Y = y)$, we have
$$\Pr(X = x, Y = y) < \frac{q^2}{m} \cdot \frac{m}{m - 1 + q} = \frac{q^2}{m - 1 + q}.$$