The Composition Theorem - Two-Prover Bit-Commitments: Classical, Quantum and Non-Signaling

5.5.1 The Composition Operation

Besides considering adversaries with quantum capabilities, this composition theorem also differs from the previous one in that it composes a weak-binding and binding scheme to produce a weak-binding scheme. The structure of the proof is somewhat different as well: In the proof of the classical composition theorem, we composed a “small” S (in the sense that only one prover com- municates with the verifier in the commit phase and only the other in the

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 75PDF page: 75PDF page: 75PDF page: 75

5.5. THE COMPOSITION THEOREM 71

opening phase) with a “big” S0_{. In the proof of our composition theorem for}

the quantum case, we instead compose a “big” Swith a smallS0_{. This requires}

a slightly different definition of eligible pairs(S,S0₎_{where some properties of} S andS0 _{are reversed:}

Definition 5.13. Let S and S0 _{be two 2-prover string-commitment schemes}

with domains D andD0, respectively. We call the pair (S,S0₎_eligible _{if they}

are both classical (i.e., no quantum communication or computation is required on the part of the honest verifier and provers) and the following two properties hold, or they hold with the roles of P andQexchanged.

1. The commit phase of S is a protocol comP QV that involves communi-

cation between P and V only. The commit phase of S0 _{is a protocol}

com0_{P QV} that involves communication between Q and V only and the opening phase is a protocol open0_{P QV} involving communication between

P andV only.

2. The last round ofopen_{P QV} is of the following simple form:Qsends some

y∈D0 toV who computes the output deterministically ass=Extr(y,c¯)

where¯c consists of all communication in the previous rounds (including the commit phase). We call this messageythefinal opening information. Furthermore, we specify that the possible attacks onS are so thatP andQ

do not communicate during the course of the commit phase, but there may be some limited communication during the opening phase. The possible attacks onS0 _{are so that}_P _and_Q_{do not communicate during the course of the entire}

execution of the scheme.

The composition operation S?S0 _{is defined in the same way as in the}

classical setting: instead of sending the opening informationyin the last round, the provers instead useS0_{to commit to}_y_{and then open the commitment. We}

define the possible attacks(comP Q,open00P Q)onS?S0to be those wherecomP Q is a commit strategy forSandopen00_{P Q}can be decomposed asopen0_{P Q}◦com0_{P Q}◦

ptoq◦open∗_{P Q}whereptoqallowsP to send a quantum state toQ,open∗_{P Q}is an opening strategy forS excluding the last round. For any input stateρP Q,

com0_{P Q}(ρP Q)is a commit strategy andopen0_{P Q}is an opening strategy forS0_.

5.5.2 The Composition Theorem

In the following composition theorem, we take it as understood that the assumed respective binding properties of S andS0 _{hold with respect to a well-}

defined respective classes of possible attacks.

Theorem 5.14. Let(S,S0₎_{be an eligible pair of 2-prover commitment schemes,}

and assume that S is ε-fairly-weak-binding and that S0 _is _δ_{-fairly-binding.}

Then, their composition S00 ₌ _S_?_S0 _{is a} ₍_ε₊_k₍_S₎_·_δ₎_{-fairly-weak-binding}

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 76PDF page: 76PDF page: 76PDF page: 76 Proof. We first consider the case wherek(S) = 1. We fix an arbitrary possible

strategy (comP,open00P Q) againstS00, where open

P Q is of the formopen

P Q =

open0_{P Q}◦com0_{P Q}◦ptoq◦open∗_{P Q}. We decompose and reassemble the strategy into strategies againstS and S0_{. The strategy for}_S0 _{uses a shared quantum}

stateρP Q of appropriate size and works by executingcom0P Q(ρP Q)and then

open0P Q. By the δ-fairly-binding property of S0, there exists a measurement

Eval= {Myˆ}yˆ depending only on com0P Q which Q can apply after com such that p(y 6= ˆy∧y =y◦)≤δ for every y◦, where y is the output ofopenP QV. This holds for every possible shared quantum state ρP Q, and in particular for the ones generated as follows: Let σP QV be the quantum state after an execution ofcomP QV andopen∗P QV. This execution involves sending classical messagesc¯between the provers and the verifier. Thus, we may writeσP QV =

P ¯

cp(¯c)σ

P QV. Writing p(y,yˆ|c¯) for the distribution of the output and the measurement outcome when using the shared quantum state ρP Q =σcP Q¯ , it holds that p(y6= ˆy∧y=y◦|¯c)≤δ.

Note thatcomP is a commit strategy forS. As such, by the weak-binding property ofS, there exists a distributionp(ˆs), only depending oncomP, so that Definition 3.9 is satisfied for every opening strategyopenQforS. In particular, this holds for the following opening strategy:

1. The provers executeopen∗P Q.

2. Qsimulates an execution ofcom0_Q and performs the measurement Eval

with resultyˆ. 3. Qsendsyˆto V.

By theε-fairly-weak binding property ofS, there is a consistent joint distributionp(s,sˆ)such that for everys◦,p(˜s6= ˆs∧˜s=s◦)≤εwhere ˜s=Extr(ˆy,¯c).

Let y◦(¯c) be such that Extr(y◦,¯c) = s◦ (or some default value if no such y◦

exists). Since we assume that k(S) = 1, there is only one possible value for

y◦(¯c). Recalling thats=Extr(y,¯c), it holds that

p(ˆs6=s∧s=s◦) =p(ˆs6=s∧s=s◦∧s= ˜s) +p(ˆs6=s∧s=s◦∧s6= ˜s)

≤p(ˆs6= ˜s∧s˜=s◦) +p(Extr(y,c¯)6=Extr(ˆy,¯c)∧Extr(y,c¯) =s◦) ≤p(ˆs6= ˜s∧˜s=s◦) + X ¯ c p(¯c)p(y6= ˆy∧y=y◦(¯c)|¯c) ≤ε+δ

and in the case thatk(S)>1, it is easy to see that we can upper-bound this probability with ε+k(S)δ.

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 77PDF page: 77PDF page: 77PDF page: 77

Chapter 6

Bit-commitment with

Non-signaling Adversaries

6.1 Introduction

In this chapter, we shift our focus to the no-communication assumption. Specif- ically, we consider if (1-round) two-prover bit-commitment schemes can be se- cure based on the sole assumption that the provers cannot communicate. In the previous chapters, we imposed some limit on the resources that the provers could use to correlate their behaviour. In Chapters 3 and 4, we assumed that the provers can only use classical shared randomness and in Chapter 5, we considered provers that can use an entangled quantum state to correlate their actions. But even for single-round schemes, the assumptions on the provers’ resources can make a difference for the security of the scheme. The CHSHq

scheme is binding for classical provers, and also against quantum provers, al- beit with a weaker parameter. However, in [CSST11], it is shown that there exists a bit-commitment scheme that is binding in the classical setting, but not in the quantum setting. The scheme in question is essentially an error-tolerant version of CHSH2n_{: instead of requiring that}_x₊_y ₌_a_·_b_{, we require that}

when we parse x+y anda·bas bit-strings, 85% of the positions are equal. This condition means that for 85% of indices i ∈ {1, . . . , n}, the CHSH

winning condition xi ⊕yi = ai·b has to be satisfied. In other words, the provers can open to an arbitrary bit if, in a series of CHSH games, they can win 85% of the time. Since there is a strategy that wins a CHSH game with probability ≈85% using quantum entanglement (see Section 5.2.4), there is a high probability that dishonest provers in the quantum setting can open to any bit they want. Furthermore, as discussed in Section 1.4.4,CHSHq _{is insecure} against arbitrary non-signalling provers.

Thus, it is natural to ask if there is a commitment scheme whose binding 73

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 78PDF page: 78PDF page: 78PDF page: 78

property require only the assumption that the provers can not transmit any information to one another, i.e., that it is truly based on the non-signaling assumption only.

We answer this question in the negative. If a commitment scheme is perfectly hiding, then it is possible for non-signaling adversaries to perfectly emu- late the behavior of the honest provers, thus breaking the binding property. If it is close to perfectly hiding, they can act in a way that is hard to distinguish from the behavior of honest provers, and thus, cheating provers can succeed with near-certainty.

We also show a positive result: there exists athree-prover bit commitment scheme that is perfectly hiding and binding with a strong parameter. We prove this result by describing a three-prover commitment scheme with these properties: The first two provers execute theCHSHq_{protocol with the verifier.} The third prover has to send the same output as the second one to the verifier.

6.2 Bipartite Systems and Two-Prover Commit-

In document Two-Prover Bit-Commitments: Classical, Quantum and Non-Signaling (Page 77-81)