Classical and Quantum Strategies for Two-Prover Bit Commitments

Claude Crépeau 1, Louis Salvail 2, Jean-Raymond Simard 1, and Alain Tapp 3

1 School of Computer Science, McGill University, Montréal, QC, Canada. {crepeau,jrsimard}@cs.mcgill.ca
2 BRICS, Dept. of Computer Science, Århus University, Århus, Denmark. salvail@brics.dk
3 Département d'Informatique et R.O., Université de Montréal, Montréal, QC, Canada. tappa@iro.umontreal.ca

Abstract. First we show that the assumption behind the Two-Prover Zero-knowledge Interactive proof of BenOr, Goldwasser, Kilian and Wigderson [5] is too weak and needs to be made more precise to preserve the soundness of their construction. Secondly, we introduce a Two-Prover Zero-knowledge Interactive proof similar to theirs and demonstrate that classically it is as secure as the original; however, we later show that if the provers are allowed to share quantum entanglement, they are able to successfully prove false statements to the verifier with probability nearly one. Then we show that another variation of the original scheme of BGKW is secure against quantum provers. Finally we investigate the possibility of using this two-prover bit commitment scheme in order to achieve three applications: zero-knowledge proofs, quantum Oblivious Transfer and mutual identification.

1 Introduction

The notion of Multi-Prover Interactive proofs was introduced by BenOr, Goldwasser, Kilian and Wigderson [5] together with the Zero-knowledge property of such proofs. In the Two-prover scenario, we have two provers, Peggy and Paula, that are allowed to share arbitrary information before the proof, but they become physically separated and isolated during the execution of the proof in order to prevent them from communicating. The Two-prover Interactive proofs of BGKW rely on their construction of a bit commitment scheme, information theoretically secure under the assumption that the provers cannot communicate. We refer the reader to their paper [5] to understand the application of this bit commitment scheme to the construction of Two-prover Interactive proofs. We solely focus on their bit commitment scheme.

Despite the impossibility theorems of Mayers [19] and of Lo and Chau [18], the possibility of information theoretically secure bit commitment schemes in the two-prover model is not excluded in the quantum model while the provers cannot communicate. Indeed, the computations required to cheat the binding condition of a quantum bit commitment scheme cannot in general be performed by the two provers without the ability to communicate classically or exchange quantum systems.

In this paper we consider two important questions regarding two-prover bit commitment schemes. The first is whether certain bit commitment schemes are secure classically but insecure if the provers are allowed to share quantum entanglement. The second is whether bit commitment schemes may be secure despite the fact that the provers can share quantum entanglement and perform arbitrary local quantum computations.

Supported in part by Québec's MDER, FQRNT, Canada's NSERC, MITACS, CIAR and the Bell University Laboratories.