dorsal/arxiv
View SchemaWhy Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible
| Authors | H. -K. Lo, H. F. Chau |
|---|---|
| Categories | |
| ArXiv ID | quant-ph/9711065 |
| URL | https://arxiv.org/abs/quant-ph/9711065 |
| DOI | 10.1016/S0167-2789(98)00053-0 |
| Journal | Physica D120 (1998) 177-187 |
Abstract
There had been well known claims of unconditionally secure quantum protocols for bit commitment. However, we, and independently Mayers, showed that all proposed quantum bit commitment schemes are, in principle, insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen (EPR) type of attack and delaying her measurements. One might wonder if secure quantum bit commitment protocols exist at all. We answer this question by showing that the same type of attack by Alice will, in principle, break any bit commitment scheme. The cheating strategy generally requires a quantum computer. We emphasize the generality of this ``no-go theorem'': Unconditionally secure bit commitment schemes based on quantum mechanics---fully quantum, classical or quantum but with measurements---are all ruled out by this result. Since bit commitment is a useful primitive for building up more sophisticated protocols such as zero-knowledge proofs, our results cast very serious doubt on the security of quantum cryptography in the so-called ``post-cold-war'' applications. We also show that ideal quantum coin tossing is impossible because of the EPR attack. This no-go theorem for ideal quantum coin tossing may help to shed some lights on the possibility of non-ideal protocols.
{
"annotation_id": "8778ad15-3ae9-404e-ba21-4a2ec2fc8128",
"date_created": "2026-03-02T18:02:41.045000Z",
"date_modified": "2026-03-02T18:02:41.045000Z",
"file_hash": "483b34aa151f0aad7857524b78ff9d5b1d462460e046ea161617881a95cd49c0",
"private": false,
"record": {
"abstract": "There had been well known claims of unconditionally secure quantum protocols\nfor bit commitment. However, we, and independently Mayers, showed that all\nproposed quantum bit commitment schemes are, in principle, insecure because the\nsender, Alice, can almost always cheat successfully by using an\nEinstein-Podolsky-Rosen (EPR) type of attack and delaying her measurements. One\nmight wonder if secure quantum bit commitment protocols exist at all. We answer\nthis question by showing that the same type of attack by Alice will, in\nprinciple, break any bit commitment scheme. The cheating strategy generally\nrequires a quantum computer. We emphasize the generality of this ``no-go\ntheorem\u0027\u0027: Unconditionally secure bit commitment schemes based on quantum\nmechanics---fully quantum, classical or quantum but with measurements---are all\nruled out by this result. Since bit commitment is a useful primitive for\nbuilding up more sophisticated protocols such as zero-knowledge proofs, our\nresults cast very serious doubt on the security of quantum cryptography in the\nso-called ``post-cold-war\u0027\u0027 applications. We also show that ideal quantum coin\ntossing is impossible because of the EPR attack. This no-go theorem for ideal\nquantum coin tossing may help to shed some lights on the possibility of\nnon-ideal protocols.",
"arxiv_id": "quant-ph/9711065",
"authors": [
"H. -K. Lo",
"H. F. Chau"
],
"categories": [
"quant-ph"
],
"doi": "10.1016/S0167-2789(98)00053-0",
"journal_ref": "Physica D120 (1998) 177-187",
"title": "Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible",
"url": "https://arxiv.org/abs/quant-ph/9711065"
},
"schema_id": "dorsal/arxiv",
"source": {
"execution_id": "14d6de04-0fcc-4f41-993e-bfef59b87de8",
"id": "arXiv Dataset IDs",
"type": "Model",
"variant": "snapshot-2026-03-01",
"version": "0.1.0"
},
"user_id": 1000002
}