Hello everyone, my name is Jun Yan from Jinan University. The title of my talk today is Quantum Computationally Predicate-Binding Commitments with Application in Quantum Zero-Knowledge Arguments for NP.

Let me first state our main results. We know that quantum-secure one-way functions imply quantum bit commitment with computational binding. It is well known that with quantum binding, the committed value is no longer unique. It could be a superposition. So it is natural to ask what happens if we compose quantum bit commitment in parallel to get a string commitment. Then what binding property can it satisfy? This open question turns out to be notoriously hard. And so in this work, we prove the following computational predicate-binding property. We show that any polynomial-time bounded sender cannot open a commitment in two ways so as to satisfy two inconsistent predicates, respectively. This is the first non-trivial quantum computational string binding that is both useful and can be instantiated with minimal complexity assumption. And if we plug quantum bit commitment in Blum's protocol, we will get the first quantum zero-knowledge arguments for NP solely based on quantum-secure one-way functions. And the main technical part of this work is in establishing this computational predicate-binding property. We make an initial step towards answering this open question.

Now let me go into more detail. This is the tentative synopsis of my talk. I will first give an overview of our work. Then I will introduce two main results, two main concepts we introduce in this work, namely pattern predicate and predicate binding. Next I will talk about some related and concurrent work, which is followed by a bit of technical detail. And last is the takeaway.

So let's begin with an overview of this work. First recall bit commitment. A bit commitment scheme is a two-stage interactive protocol between a sender and a receiver, satisfying the hiding and binding properties.
The hiding property states that the receiver cannot guess the committed bit during the commit stage, while the binding property states that the sender cannot change the committed bit later in the reveal stage. So bit commitment can be viewed as an electronic realisation of a locked box. With quantum bit commitment as studied in this work, we allow both quantum computation and quantum communication. This is in contrast to classical bit commitment secure against quantum attacks, or post-quantum bit commitment. By quantum theory, a quantum bit commitment that is both statistically hiding and statistically binding is impossible either.

Now let me introduce a generic quantum bit commitment scheme. We call it the generic form. Any quantum bit commitment can be converted into this form. It can be represented by an ensemble of unitary quantum circuits Q0, Q1. To commit a bit b, the sender will first perform the unitary circuit Qb on quantum registers C and R, which consist of a bunch of qubits initialised in state 0. After performing Qb, C and R will be entangled somehow. In the commit stage, the sender will send the commitment register C to the receiver. We say the scheme is hiding if the state of C looks the same whether a bit 0 is committed or a bit 1 is committed. Later in the reveal stage, the sender will send the commitment register R together with bit b to the receiver, who will apply the inverse of Qb on C and R to check if they return to the all-0 state. We say the scheme is binding, or honest-binding equivalently, if any polynomial-time bounded sender cannot open an honest commitment to b as 1-b.

This quantum bit commitment scheme of the generic form has several nice properties. First, it is non-interactive in the sense that in both the commit and the reveal stage, a single quantum message is sent. Second, it can be based on quantum-secure one-way functions. Third, its honest security implies the full security. So that's why honest-binding and binding are equivalent.
Fourth, it is information-theoretically strict-binding, in the sense that the opening through the entanglement is unique. This property will play an important role in our constructions, as shall be seen later. And there may be more nice properties waiting for us to discover.

It is well known that the general binding of QBC is weak. This is because a cheating sender may mount the following superposition attack. It can commit to a superposition of 0 and 1 in an arbitrary way. This half 0 and half 1 can be tuned arbitrarily. In this regard, the committed value is no longer classically unique, possibly a superposition. And understanding the binding when QBC is composed in parallel to commit a string is notoriously hard.

Maybe the most famous application of bit commitments is zero-knowledge. Here, let's see Blum's zero-knowledge protocol. The prover wants to convince the verifier that the common input graph contains a Hamiltonian cycle. To this end, the prover will first send commitments of π(G) to the verifier. The verifier will randomly choose a permutation. The verifier will then respond with a challenge, either 0 or 1. And last, when the bit b is 0, the challenge is 0, the prover will send the permutation π plus keys to open all commitments so that the verifier will check the opened graph is indeed π(G). In the other case, when the bit b is 1, the prover will try to open a Hamiltonian cycle. And the verifier will check that indeed a Hamiltonian cycle is opened.

So the main question that motivates this work is as follows. We ask ourselves the following question. What happens if we plug a generic statistically-hiding computationally-binding QBC scheme in Blum's protocol? This is not trivial to answer, by noting that quantum rewinding is generally impossible and that quantum binding is generally weak. But this question is important because if it is possible, then we have several benefits.
First, it can reduce the number of rounds from polynomial to just 3, solely based on quantum-secure one-way functions, thanks to the non-interactivity of the QBC. Second, this can circumvent barriers only known for classical constructions, thanks to the information-theoretic strict binding of the QBC.

After some exploration, we have both good news and bad news. The good news is, Watrous's quantum rewinding technique works as well towards establishing the statistical zero-knowledge property in our setting. And the bad news is, the weak binding of QBC may deteriorate the computational soundness. This is because it could be a superposition of exponentially many graphs committed by the receiver.

To answer these questions, we obtained our results as follows. Let me restate it. We compose a generic computationally binding quantum bit commitment scheme in parallel, which gives rise to a quantum string commitment scheme such that it satisfies a non-trivial computational binding. We call it the predicate-binding property, and it can be used to establish the security of Blum's protocol.

In the second part of this talk, let me introduce two important concepts we introduced in this work, namely pattern predicate and predicate binding. They are motivated by the soundness analysis of Blum's protocol. The motivation of pattern predicate: in Blum's protocol, the verifier's final verification induces two predicates corresponding to two different challenges. This inspired us to define pattern predicate as follows. Informally, for a string str to satisfy a pattern predicate, it should exhibit a certain pattern somewhere. Formally, it is given by a triplet of polynomial-time algorithms, Val, T and S, such that given a witness w, the algorithm Val checks its validity. T(w) will output a subset, which indicates which portion of the string is to be examined. And S(w) is just the pattern to check.
So a string str satisfies a pattern predicate P if there exists a witness w such that w is valid and the projection of str on T(w) is just the pattern S(w). We highlight that here, the witness w may not be computable in polynomial time, given a string str. And we remark that our pattern predicate contains the polynomial-time decidable predicate as a special case.

Now, let's see how this pattern predicate connects to the predicates induced by Blum's protocol. Corresponding to the challenge 0, we define predicate P0 as follows. The witness is just the permutation. And T on input π simply outputs the whole set, because all bit commitments are opened. And S on input π will output π(G), the permuted graph, to check. Corresponding to the challenge 1, the predicate P1 is as follows. The witness is just a Hamiltonian cycle. And T on input H will output the coordinates corresponding to the edges of H. And S(H) will output all ones, because edges correspond to ones in the adjacency matrix of the input graph.

So the motivation of predicate binding and its formalization is as follows. In Blum's protocol, the two predicates of the verifier induce two projectors or subspaces as follows. Corresponding to the challenge 0, the verifier's operation is a binary projective measurement represented by the projector P0 of this form. Basically, it requires that whenever the permutation is π, then all bit commitments should be opened as π(G). Recall that the quantum circuit to commit a string s is given by the tensor product of Q_{s_i}. This is because we commit a string in a bitwise fashion. Corresponding to the challenge 1, the measurement is represented by the projector P1 of this form. Basically, it requires that whenever the Hamiltonian cycle is located at H, then all bit commitments determined by H should be opened as all ones. Here, the registers for the commitment check are not fixed; they are determined by H. For soundness, we need to show that the subspace P0 is almost orthogonal to P1.
After any efficiently realizable U, performing on the subspace induced by registers other than the commitment registers. Namely, the U does not touch the commitment register C.

So this inspires us to define predicate binding as follows. Let P0, P1 be two inconsistent predicates. Namely, any string can satisfy at most one of them. Pictorially, P0 and P1 do not intersect. For example, in Blum's protocol, predicates P0, P1 are inconsistent when the input graph G is not Hamiltonian. Informally, predicate binding with respect to P0, P1: if the sender can open commitments so that the revealed value, possibly a superposition, satisfies P0 with probability one, then the sender cannot open the same commitments so that the revealed value satisfies P1 with non-negligible probability. This is formally given by this quantity being non-negligible. This c is an arbitrary state, on which we first apply P0, followed by any efficiently realizable U that does not touch commitments, which is followed by P1, and the resulting vector should be negligible. We say predicate-binding if predicate-binding with respect to any pair of inconsistent predicates.

Our main result is: parallel composition of a generic computationally binding quantum bit commitment scheme gives rise to a quantum computationally predicate-binding string commitment scheme. There are two caveats for our results. First, the QBC scheme is of the generic form, which is easy to handle technically. Second, we actually did not prove the full predicate binding, namely with respect to an arbitrary inconsistent predicate pair. Rather, we require that for at least one predicate, a fixed portion of the string is needed to check in order to decide whether the string satisfies this predicate. Anyway, our predicate binding is more than enough for our application, and we expect it can be further extended to the full predicate binding in the future.

Now, let me mention some related and concurrent work.
Previously, we knew nothing about the binding for the parallelization of a general QBC that is computationally binding. Unruh studied collapse-binding QBC, but a general QBC cannot be collapse-binding. Previously, some quantum string commitments with specific computational binding properties that are useful were proposed, including f-binding and Q-binding. However, neither of them can be instantiated with well-founded assumptions. There are also two concurrent works, which also realize quantum binding commitment with simpler exchanged quantum states, and with more desirable properties than ours, including extractability and equivocality, and they are solely based on quantum-secure one-way functions. And these properties may result in wider applications in theory. However, they achieve better properties at the cost of extremely high round complexity, as high as a polynomial number of rounds. And their constructions are more complex than our quantum bit commitment scheme of the generic form.

Now, let me talk about some technical details towards establishing predicate binding. In one sentence, we find a more clever way to sum possibly exponentially many terms within a superposition to overcome the general exponential curse. So I will give a pictorial illustration. It turns out that our goal is to bound a superposition of this form. This is a projection on P1 of a superposition that satisfies P0. We view it as the root of a binary tree. Each term in the superposition can be viewed as a leaf of this binary tree. And by the quantum bit honest-binding, each leaf can be bounded by the binding error epsilon. If we try to bound our goal through all these leaves by simply calling the triangle inequality of the norm, then since there are exponentially many leaves, this may incur an exponential multiplicative factor, which is intolerable in security analysis. So for our purpose, we need to take another approach.
Specifically, we should bound each internal node via its two children. For this root, its left child corresponds to the superposition that satisfies P0 and with prefix 0. For its right child, it begins with prefix 1. It turns out that we can bound the root by the summation of its two children plus an additive error epsilon, using the triangle inequality and the quantum bit honest-binding. In turn, each of its two children can finally be bounded by their children respectively. For example, this left child can be bounded by its left child with prefix 00 and its right child with prefix 01. And its right child is bounded by its left child with prefix 10 and its right child with prefix 11, plus another additive error epsilon. We can bound through this tree from the root to the leaves in this way. And it turns out that the error can only grow linearly in the depth of this tree. So in this way, we can bound this by a negligible quantity.

The takeaway. I would like to mention two points. The first: our work shows that a generic computationally binding quantum bit commitment scheme, whose binding is that weak, but which has several nice properties that classical computationally binding bit commitments do not have, could be useful in quantum cryptography. Second, it is non-trivial to establish the binding property of the parallel computationally binding quantum bit commitment scheme. Okay, this is the end of my talk. Thanks for listening.
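
Added example, not part of the talk: the two pattern predicates that Blum's protocol induces, written as (Val, T, S) triplets over classical strings, with an exhaustive check that no opened string satisfies both when the graph is not Hamiltonian. The function names, the indexing of committed bits by unordered vertex pairs, the brute-force witness search and the two 4-vertex graphs are assumptions made for this illustration.

```python
from itertools import permutations, product

def positions(n):
    # One committed bit per unordered vertex pair (upper triangle of the adjacency matrix).
    return [(i, j) for i in range(n) for j in range(i + 1, n)]

def make_p0(n, edges):
    # Challenge 0: witness is a permutation pi; every bit is checked against pi(G).
    def S(pi):
        permuted = {frozenset((pi[a], pi[b])) for a, b in edges}
        return [int(frozenset(p) in permuted) for p in positions(n)]
    return (lambda pi: sorted(pi) == list(range(n)), lambda pi: positions(n), S)

def make_p1(n):
    # Challenge 1: witness is a cyclic vertex order h; only the n cycle edges are checked.
    T = lambda h: [tuple(sorted((h[k], h[(k + 1) % n]))) for k in range(n)]
    return (lambda h: sorted(h) == list(range(n)), T, lambda h: [1] * n)

def satisfies(pred, n, string):
    # string maps position -> bit. Exhaustive witness search, feasible for small n only:
    # in general the witness need not be computable in polynomial time.
    val, T, S = pred
    return any(val(w) and all(string[p] == b for p, b in zip(T(w), S(w)))
               for w in permutations(range(n)))

def inconsistent(n, edges):
    # True iff no string of opened bits satisfies both predicates.
    p0, p1 = make_p0(n, edges), make_p1(n)
    for bits in product((0, 1), repeat=len(positions(n))):
        string = dict(zip(positions(n), bits))
        if satisfies(p0, n, string) and satisfies(p1, n, string):
            return False
    return True

PATH = [(0, 1), (1, 2), (2, 3)]            # constructed graph, not Hamiltonian
CYCLE = [(0, 1), (1, 2), (2, 3), (3, 0)]   # constructed graph, Hamiltonian

if __name__ == "__main__":
    print(inconsistent(4, PATH), inconsistent(4, CYCLE))
```

This covers only the classical consistency condition on the predicates; the binding statement in the talk is about superpositions of such strings and is not modelled here.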