Tightness

In the case thatk(S)>1, we instead randomly select one of the at most

k(S) strings y◦ that satisfy Extr(y◦, c) = s◦ = 1−˜s. Then, conditioned on

a, y◦ is still independent of y given yˆ, so that Proposition 4.16 still applies,

and we can argue as above, except that we get a factor k(S) blow-up from

p(s6= ˜s∧s= 1−s˜)≤k(S)·p(y6= ˆy∧y=y◦).

Finally, for the case m > 1, we first pick a random s◦ ∈ D\ {˜s}, and

then choose y◦ such thatExtr(y◦, c) =s◦, uniquely or at random, depending

of k(S). Conditioned on a, y◦ is still independent ofy givenyˆ, and therefore

Proposition 4.16 still applies, but now we get an additional factor (|D| −1) blow-up from p(s6= ˜s∧s6=⊥)≤(|D| −1)p(s6= ˜s∧s=s◦).

Remark 4.18. Theorem 4.17 allows us to slightly improve the bound we obtain in Remark 4.14 on the Lunghi et al. multi-round commitment scheme. By The- orem 4.13, we can composeminstances of CHSHn to obtain a m·2−(n−1)/2_- fairly-weak-binding string-commitment scheme. Then, we can compose the Crépeau et al. bit commitment scheme (i.e., the bit-commitment version of

CHSHn), which is2−(n−1)-weak-binding, with this fairly-weak-binding string- commitment scheme; by Theorem 4.17, this composition, which is the Lunghi et al. multi-round bit-commitment scheme, is m·2−(n−1)/2_{+ 2}−(n−1)

-weak- binding.

Finally, for completeness, we point out that the composition theorem also applies to two ordinary binding or weak-binding commitment schemes.

Theorem 4.19. Let(S,S0_{)be an eligible pair of 2-prover commitment schemes,}

where S is ε-binding and S0 _{is δ-binding. Then, the composition S ?S}0 _is

(ε+δ)-binding. The same holds for the weak-binding property.

Proof. The proof is almost the same as in Theorem 4.11 or Theorem 4.13, respectively, except that now there are no s◦ and y◦, and in the end we can

simply conclude that

p(s6= ˆs∧s6=⊥)≤p(s6= ˆs∧s6=⊥ ∧s= ˜s) +p(s6= ˜s∧s6=⊥)

≤p(˜s6= ˆs∧˜s6=⊥) +p(y6= ˆy∧y6=⊥)

≤ε+δ ,

where the second inequality holds since y =⊥ implies thats =Extr(y, c) =

⊥.

4.4

Tightness

We now show that our composition result is nearly tight for CHSHq. Let

CHSHq_m be the m-fold composition of CHSHq with itself, as defined in Re- mark 4.5. We show that if q =p2k for some prime p, this composed scheme can be ε-weak-binding as a bit-commitment scheme only if ε_& 1₄mpq−1_{. A}

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 58PDF page: 58PDF page: 58PDF page: 58

slightly weaker result was proved in [BC16], which shows that ε _& 1₆m2−n/2

forq= 2n withneven.7 _{Furthermore, we show that, as a string-commitment}

scheme, CHSHn_m can be ε-fairly-weak-binding only if ε_& 1₂mpq−1 _{(forq =}

p2k).

Lemma 4.20. Consider functions Xq, Yq :Fq×Rq → Fq where Rq is some

finite set. Let

λq = max Xq,Yq

p(Xq(a, r) +Yq(s, r) =a·s) (4.1)

where a,s andrare selected uniformly at random. It holds that:

1. There areXq andYq such thatp(Xq(a, r) +Yq(s, r) =a·s) =λq forall

a, s∈Fq.

2. If q =p2k _{for some prime p, we have λ} q = Ω

p

q−1

. Otherwise, we haveλq = Ω q−2/3.

Proof. FixX_q0 andY_q0 that achieve the maximum in Equation (4.1). We show that there also are functionsXqandYq such that foranyaands,p(Xq(a, r) +

Yq(s, r) = a·s) =λq: Without loss of generality,Xq0 andYq0 depend only on

a and s, not on r. Intuitively, Xq and Yq do the following: they randomize their inputs a and s by adding uniformly random elementsra, rs ∈ Fq, then

applyX0

q andYq0, and finally remove the random terms again from the output. Formally, we let

Xq(a,(ra, rs)) =Xn0(a+ra)−ars−rars

Yq(a,(ra, rs)) =Yn0(s+rs)−ras

Forraandrsuniformly random, we havep(Xq0(a+ra)+Yq0(s+rs) =as+ars+

rars+sra) =λq. Thus, it is easy to see thatp(Xq(a,(ra, rs))+Yq(s,(ra, rs)) =

as) =λq.

The functionsXq andYq in Equation (4.1) describe classical strategies for the CHSHq game and λq is the maximal winning probability that classical players can achieve in this game. As shown in [BS15], it holds that λq = Ω pq−1

forq=p2k_{, andλ}

q = Ω q−2/3otherwise.

The following lemma can be seen as a generalization of Theorem 3.12 to string-commitment schemes. Intuitively, it bounds the winning probability of the provers in the following game: First, they have to produce a commitment. Then, they receive a uniformly random string s◦ and, in order to win, they

have to open the commitment to s◦. The winning probability in this game

is at most ε+ 2−n_{, when the scheme is anε-fairly-weak-bindingn-bit string-} commitment scheme.

7_{The paper statesε} &13m2

−n/2_{, but their binding definition isp}

0+p1≤1+ε; to convert

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 59PDF page: 59PDF page: 59PDF page: 59

4.4. TIGHTNESS 55

Lemma 4.21. Let S be an ε-fairly-weak-binding commitment scheme with domain D. Fix a possible commit strategy comP QforS and, for eachs◦∈D,

a possible opening strategy open_{P Q}(s◦). Let p(s|s◦)be the output distribution

of S if the provers use comP Q and openP Q(s◦). Let p(s◦) be the uniform

distribution over D. Then,p(s=s◦) =Ps◦∈Dp(s◦)p(s=s◦|s◦)≤ε+|D|−

1_.

Proof. Let p(ˆs) be a distribution that satisfies Equation (3.4) for the com- mit strategycomP Q. Now consider any consistent joint distributionp(s,sˆ|s◦).

Here, consistency also means that p(ˆs|s◦) =p(ˆs). Thus, for a uniformly ran-

dom s◦, p(ˆs =s◦) =|D|−1. By theε-fairly-weak-binding property of S, we

have

ε≥p(s6= ˆs∧s=s◦)≥p(s=s◦)−p(ˆs=s◦) =p(s=s◦)− |D|−1

and thus our claim follows.

With the help of the lemma above, is easy to see thatλqlimits the binding parameter of the one-round schemeCHSHq: IfP sendsXn(a, r)andQsends

Yn(s◦, r) for uniformly random r, then we havep(s = s◦|a 6= 0) = λq, and thus p(s =s◦) ≥λq −q−1 for every s◦. Thus, by Lemma 4.21,CHSHq can

be ε-fairly-weak-binding only ifε≥λq−2q−1. We now show that this bound scales approximately linearly with the number of rounds.

Theorem 4.22. Let λq as in Lemma 4.20. For odd m, the CHSHqm com-

mitment scheme can be ε-fairly-weak-binding as a string-commitment scheme only if ε≥(m+ 1)λq 2 − m2₋₁ λ2 q 8 −(m+ 1)q −1_. If m=o λ−1 q

, it holds that ε≥Ω(mλq). If, furthermore, q =p2k, we have

ε≥Ω mpq−1

; otherwise, ε≥Ω mq−2/3.

Proof. Let Xq(a, r) and Yq(b, r) be functions as in Lemma 4.20. We define a commit strategy comP Q and an opening strategy openP Q(s◦) for every s◦

which aims to open to s◦.

We assume that the provers havemuniformly randomri∈Fqand(m+1)/2 uniformly random inputs r_i0, iodd, forXq andYq as shared randomness. We write ci = (ai, xi) for the communication between the verifier and the active prover in round i, where the xi are specified below. The dishonest provers exchange their communications as fast as possible, so in round i + 2, the active prover knows c1, . . . , ci. Let y0 = s◦ and for i > 0, let yi such that

Extr(yi, ci) = yi−1. Such a yi exists and is unique ifai 6= 0. We only specify our strategy for the case where the verifier’s messages ai are all non-zero and assume that the provers fail to open tos◦otherwise. One can computeyifrom

c1, . . . , ci, so in roundi+ 2, the active prover can computeyi.

If in any roundi, the commitment is(ai, ri+ai·yi−1), the provers can open

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 60PDF page: 60PDF page: 60PDF page: 60

The strategy described below is such that the provers have(m+ 1)/2chances to bring about this situation with probabilityλq.

• Round 1 (commit): P produces a “fake commitment” x1=Xq(a1, r01).

• Roundi, ieven: Qcomputesy_i0₋₁=Yq(yi−2, ri0−1), hoping thatxi−1+

y_i0₋₁ =ai−1·yi−2, i.e., yi0−1 = yi−1. He honestly commits to yi0−1 by

computingxi=ai·yi0−1+ri.

• Roundi+ 1,ieven: P checks ifyi−1=y0i−1. If yes, both provers proceed

honestly from this round on, i.e., they follow the honest strategy for

CHSHq

m in all subsequent rounds.8 If not, P again produces a “fake commitment” xi+1=Xq(ai+1, ri0+1).

• Roundm+ 1: Qsendsy0_m=Yq(ym−1, r0m)toV.

By definition, it holds that y_i0₋₁ = yi−1 if and only if Xq(ai−1, ri0−1) +

Yq(yi−2, ri0−1) =ai−1·yi−2, which happens with probabilityλq. In this case, we have ci = (ai, ri+ai·yi−1), so the provers can indeed open to s◦ by

proceeding honestly (ignoring completeness errors for now).

By definition ofXq,Yq, andλq, if the provers use the strategyopen_{P Q}(s◦),

then for λ= 1−(1−λq)(m+1)/2≥ (m+ 1)λq 2 − _{(m+ 1)/2} 2 λ2_q = (m+ 1)λq 2 − m2−1λ2_q 8 we have p(s= s◦|a1, . . . , am 6= 0) = λ. Thus, p(s =s◦)≥ λ−mq−1 for all

s◦. Applying Lemma 4.21, we conclude that the scheme can beε-fairly-weak-

binding only if ε≥λ−(m+ 1)q−1≥ (m+ 1)λq 2 − m2−1λ2q 8 −(m+ 1)q −1 which is in Ω(mλq)ifm=o λ−q1 . Finally, we have Ω(mλq) = Ω m p q−1 if

q=p2k andΩ(mλq) = Ω mq−2/3otherwise, by claim 2 of Lemma 4.20. From the analysis in the above proof, we can also derive a version of the theorem for the bit-commitment scheme described in Proposition 3.11.

Corollary 4.23. For even m, the commitment scheme CHSHq

m can be ε-

binding as a bit-commitment scheme only if

ε≥ mλq 4 − (m2_−2m)λ2 q 16 −(m+ 1)q −1_.

If m=o λ−_q1, it holds thatε≥Ω(mλq). Ifq=p2k, we have ε≥Ω mpq−1 and if it is odd, ε≥Ω mq−2/3

. 8_{Qcan computey}

i−1in roundi+ 2and thus he too knows whether the provers should

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 61PDF page: 61PDF page: 61PDF page: 61

4.4. TIGHTNESS 57

Proof. LetcomP =comP(0), i.e.,P produces an honest commitment to0. Let

open_{P Q}(0) =open_{P Q}, i.e., the honest opening strategy. Since the provers play honestly, they are successful with probability at least 1−(m+ 1)q−1.

ForopenP Q(1), lets◦such thatExtr(s◦, c1) = 1. The provers then use the

strategy in the proof of Theorem 4.22 to produce a fake commitment c1 and

open it to s◦. Then, we have

p(b= 1|a1, . . . , am6= 0)≥ mλq 2 − (m2_−2m)λ2 q 8 −q −1 and thus, p(b= 1)≥ mλq 2 − (m2_−2m)λ2 q 8 −(m+ 1)q −1_. It follows that p(b= 0) +p(b= 1)≥1 +mλq 2 − (m2_−2m)λ2 q 8 −(m+ 1)q −1

and, by Theorem 3.12, the scheme can be ε-weak-binding only if

ε≥ mλq 4 − (m2_−2m)λ2 q 16 −(m+ 1)q −1_.

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 63PDF page: 63PDF page: 63PDF page: 63

Chapter 5

Towards Quantum Safety

5.1

Introduction

In Chapter 4, we proved composition theorems for two-prover commitment schemes. Those theorems crucially rely on the assumption that dishonest provers can only use classical shared randomness, and not entangled quan- tum states: The definition of our (strong) binding property does not apply if the provers use quantum entanglement instead of classical randomness. While the weak binding property is well-defined for adversaries with quantum capa- bilities, our proof of the composition theorem for this binding property, i.e., Theorem 4.13, still requires that we can assume without loss of generality that the adversaries’ strategy is deterministic. This is not true if we consider adversaries with quantum capabilities.

In this chapter, we take some steps towards arguing that the Lunghiet al. scheme is binding for provers with quantum capabilities.

In Section 5.4, we show thatCHSHq _{satisfies the fairly-weak-binding def-} inition as a string-commitment scheme even when the adversaries can share entangled quantum states. Our intuitive argument in Chapter 4 thus suggests that CHSHq

m also satisfies the binding property with parameter linear in m for such adversaries. However, since our composition theorem only applies to classical provers, this intuition remains without a rigorous proof.

Approaching the problem from another direction, we introduce an analogue of the strong binding definition for the quantum case, and prove a composition theorem using this definition which applies to quantum provers. However, we currently do not know if CHSHq (or any other scheme) satisfies this stronger definition. Thus, the question whether there exists a multi-round scheme bind- ing for quantum adversaries remains open.

529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger 529291-L-bw-Fillinger Processed on: 27-2-2019 Processed on: 27-2-2019 Processed on: 27-2-2019

Processed on: 27-2-2019 PDF page: 64PDF page: 64PDF page: 64PDF page: 64

In document Two-Prover Bit-Commitments: Classical, Quantum and Non-Signaling (Page 60-67)