 Hi, I'm Neil Vitansky, and I'll tell you about my work with Tsekawa Kersky on classical binding for quantum commitments. So commitments are one of the most basic group of graphic primitives that are very often used in the design of protocols. And let me remind you what those are exactly. So in commitments we have a sender and the receiver that interact in two phases. In the first phase, the sender commits to a message M and in the opening phase, it can open this commit. And the basic properties we asked are hiding, which means that before the opening phase, the committed message is hidden and binding, which says that the commitment can only be open with single message. So the properties could be either computational or statistical, although not at the same time. In this work, we're interested in quantum commitments. Specifically, we're still thinking about committing to classical messages, but the communication and the parties are quite. And as it turns out, for quantum commitments, the question of binding becomes rather complicated. The classical notion of binding is generally considered impossible due to what we call superposition tax. Specifically, consider, for example, a malicious sender who creates a superposition of messages, say zero and one, and execute data sender but in superposition. Then right before it opens, it measures the message register. And only then it sends the open. So, if the receiver is a unitary, then the message sheet is not really fixed after the commitment. It is in fact uniformly random. There does seem to be an easy way out of this. For example, we can just have the receiver measure the entire committee and thus effectively make the channel classical, the commitment classical. And this indeed works, at least for statistically binding committee. So what's the catch. So the point is that by forcing the commitment to be classical, we might be missing out on features that can only be achieved quantity. And one own example, or quantum commitments are really superior to classical ones is that they can be constructed non interactively from one way functions that is secure one way functions. And this is not known classically and in fact it is subject to black box. However, the corresponding quantum commitments, please the one that we have now are at the same time in fear to classical commitment. We satisfy weaker binding guarantee. In particular the commitment message is not fixed by the commitment. And this also makes them harder to use an analyst. The question is whether this price is necessary, or perhaps we can have the best of both worlds. So, in this work, we essentially show that we can achieve the best of both worlds. So let me tell you about each of our contributions. So we first define classical binding for quantum commitments, which has a similar guarantee to that of classical. And in particular the commitment fixes the message intuitively this notion can replace classical commitments and applications or protocols without really changing the proof. And we demonstrate this for classical zero knowledge protocols like GW. And show that we can actually achieve a statistically binding version of this notion, not interactively from one refunction. So we indeed get the best of both worlds. Finally, we also explore a statistically hiding version of this notion, and we show that is in fact impossible. And in this talk, I will focus on the definition and the construction, which are really our main contributions. So start by introducing our definition. And I'm going to focus on the non interactive setting, although the notion itself also makes sense for interactive. And the basic idea behind the definition is as follows. So we saw that if the receiver makes no measurements, then a superposition attack is unavoidable. On the other hand, we said that we don't want to measure everything and make the commitment entirely classical. So the natural thing is perhaps to allow for partial measuring. So the rule is that on one hand, it will suffice for fixing the message. And on the other hand, it will leave the commitment sufficiently quantum to achieve superior features, those superior features that were asked. Okay, so now I'll go into the definition step by step, and I'll start from the syntax of the committee. Here the sender takes it in with the classical message M and perhaps some on Cilla, and it outputs a quantum commitment C, together with a possibly quantum decommitment D. The receiver is then going to apply some unitary and measure part of the result. And this will result in some classical spring called R. And also a residual quantum state that we're going to call here. Now let us talk about the opening phase. Here we have a verifier, which is a quantum algorithm that takes the message M, the decommitment state, and the quantum receiver state Q, as well as the classical measurement are. And if everything was done, honestly, then the verifier is going to accept. Okay, so this is the syntax. And now we'd like to discuss the security requirements, namely hiding and binding. And actually computational binding is defined here in the standard way analogously to classical commitments. So I'm going to focus on our notion of classical mind. So, here we're going to consider the following expert. In the commitment phase, we're given an adversarily chosen one commitment called C star, which is perhaps created with some entangled states that's going to S star, which the sender keeps for itself. Then the receiver is applied, making his partial measurement R and keeps the residual quantum state Q. And what happens in the opening phase is the following. So, we have an unbounded quantum equivocator. Okay, and this quantum equivocator gets those quantum registers before originally kept by the malicious sender and generated together with the commitment. And we also going to allow it to get the result of the receivers measure. This only strengthens the definition. It also makes sense without. In any case, the equivocator then generates a message and star together with the commitment formation this star intuitively was the goal of breaking whatever binding was created in the commitment. So, what's exactly the guarantee here. So, the commitment should guarantee that the equivocator basically fails and specifically, we want the measurement are to fix a single message M, which is only a function of our the classical spring are the result of the measure. So that any opening to a different message and star is going to be rejected by the verifier with overwhelming probability. So, in this sense, it is classically binding. There's a single message fixed by the commitment, and it is impossible to later day for truth. So, this is the definition. And we think it's quite natural. And in fact, let me mention that a somewhat similar notion is considered by Bartussek et al. They don't talk about constructing it, but rather applying it specifically they show that it can be used for example, in the construction of malicious oblivious transfer from one. Okay. So, now I would like to tell you a little bit about our about our construction to choose the notion of classical binding, non interactively from one way. Okay. So, the starting point is not always classical commitments for more functions, which have two messages or not the interactive. Let me remind you what those are. So, here the receiver starts from sending a free and bit random stream to the center of college X. And the center is now going to commit to its beat be as follows. It's going to use a pseudo random generator that expands and bits to free in bits. And it's going to add and see for this generator called s and send the corresponding PRG image, G of s. And it's going to sort it with the receiver message X, or not, according to the BTB. Okay, so if the BTB is one is going to explore the receivers message X. And zero is not going to do, I think, not to go to sort anything. And this is the commit. And the opening is simply the BTB and the seed. Okay, and this really allows to verify the structure of the commitment. This is what the verifier will do. Okay. So, this commitment. It's easy to see that it's hiding because commitments are always pseudo random, regardless of the BTB. And is also binding, as long as the receivers message X satisfies certain properties specifically shouldn't be the X or of any two PRG images. And by the way we chose our parameters PRG is sufficiently expanding its images very sparse. So this is only going to happen with negligible probability. So, let's move to our quantum commitment. The basic idea is to use the fact that it is quantum to sort of the randomized the receiver message X. So, specifically, we're going to do the following. So we're going to have the sender create a uniform superposition over all string X or receiver string X, and compute the corresponding in our commitment in superposition for each one of them. And indeed, if the center acted honestly, then measuring the state is going to result in a random receiver message X, and the proper nor creation. And the hope is that using our quantum power. We can also check that the center indeed generates a proper state. So there are a few steps we need to make for this idea to work. So let's see what those are. So, first of all, notice that as is this commitment that we created is not really hiding. The problem is that, for example, when we commit to zero, then the second register, the super random register is completely independent from the X register, okay, in terms of product. And in the case that we're committing to one we're going to be very much entangled. So this will allow us to easily distinguish the two. So we need to do something here, and we're going to change the construction as follows, we basically aimed it for each string X, we will use a fresh your G state. Okay, and it turns out that using a pairwise independent hash function is in fact sufficient here. Specifically, we use a lemma by, by Zandri, it essentially says that the composition of your G and a pairwise independent hash is perfectly indistinguishable from a random function, given a single quantum query. Okay, and this state that described our commitment can indeed be generated using a single quantum query with such an outcome. The more interesting part is really binding. So what can we claim about that. So for that we have to address what kind of measurements the receiver makes and how the opening is verified right. So let me make you two basic observations. So, first, if we don't measure anything, then given the BTB and the harsh function age, we can compute the commitment measure and find out whether it really had your right form, or not, or rather whether it was close to having the right form. The second thing is that if the commitment did, in fact, have the right form, and we didn't perform this test but rather measured it directly in the computational basis, then we would simply get a proper in our commitment, right. X will be distributed like a random receiver message, and accordingly will get binding. The point of course is that we want both these things at the same time. So let me tell you how we're going to achieve that. So, in our final construction, the center's commitment is simply going to be the commitment we just saw, but repeated many times in parallel independently. Okay, so just the parallel repetition of the commitment that we just saw. And when the receiver gets this commitment is going to do the following. It's going to flip random bit for each one of the copies and decide whether it's going to measure it in the computational basis, or not measure it at all just keep the corresponding state. And the commitment then consists of the bit and all the ashes from all the copies, and we need to say how does verification look like. So, here we're going to test that all the unmeasured commitment really have the correct structure, and you're going to on compute and measure. And for the measure commitments, we're simply going to verify them as we would verify no or screen. Okay. And what's going on here intuitively is that the correctness test for random subset of these commitments essentially ensures that many more commitments were properly structured. And nothing measured them over binding with kicking. So, formalizing this of course require requires cares because in an adversarial commitment, all of these parallel commitments are really going to be entangled and we don't know exactly how. And the way we formally prove this is by a reduction to quantum interactive poofs, and where we can basically invoke a general per repetition theorem for quantum interactive poofs, like it ties and walk. Okay. So this is the commitment. The last thing I want to know about it is that in fact, the commitment itself is perhaps quantum. But the deconmitment is completely classical. And this is another advantage that this commitment has over previous. Okay. So, let me summarize. So quantum commitments can be as binding as classical ones. Okay, but at the same time, also superior. And specifically we show that they can be obtained non interactively from one refund. So the question is, of course, which other interesting features in such one commitments have. And perhaps another interesting question is whether we can apply similar ideas for example such during the mutation for other primitives, or perhaps in totally different setting maybe complexity theoretic settings. So this is it for this time. Thank you for listening.