# On the Composition of Two-Prover Commitments, and Applications to Multi-Round Relativistic Commitments

This paper is an extended version of our EUROCRYPT 2016 paper. The eprint version is available at https://eprint.iacr.org/2016/113.

Serge Fehr and Max Fillinger (the latter supported by the NWO Free Competition grant 617.001.203)
Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands
{serge.fehr, max.fillinger}@cwi.nl
###### Abstract

We consider the related notions of two-prover and of relativistic commitment schemes. In recent work, Lunghi et al. proposed a new relativistic commitment scheme with a multi-round sustain phase that keeps the binding property alive as long as the sustain phase is running. They prove security of their scheme against classical attacks; however, the proven bound on the error parameter is very weak: It blows up double exponentially in the number of rounds.

In this work, we give a new analysis of the multi-round scheme of Lunghi et al., and we show a linear growth of the error parameter instead (also considering classical attacks only). Our analysis is based on a new composition theorem for two-prover commitment schemes. The proof of our composition theorem is based on a better understanding of the binding property of two-prover commitments that we provide in the form of new definitions and relations among them. These new insights are certainly of independent interest and are likely to be useful in other contexts as well.

Finally, our work gives rise to several interesting open problems, for instance extending our results to the quantum setting, where the dishonest provers are allowed to perform measurements on an entangled quantum state in order to try to break the binding property.

## 1 Introduction

#### Two-Prover Commitment Schemes.

We consider the notion of 2-prover commitment schemes, as originally introduced by Ben-Or, Goldwasser, Kilian and Wigderson in their seminal paper [BGKW88]. In a 2-prover commitment scheme, the prover (i.e., the entity that is responsible for preparing and opening the commitment) consists of two agents, and , and it is assumed that these two agents cannot communicate with each other during the execution of the protocol. With this approach, the classical and quantum impossibility results for unconditionally secure commitment schemes [May97, LC97] can be circumvented.

A simple 2-prover bit commitment scheme is the scheme proposed by Crépeau et al. [CSST11], which works as follows. The verifier chooses a uniformly random and sends it to , who replies with , where is the bit to commit to, and is a uniformly random string known (only) to and . Furthermore, “” is bit-wise XOR, and “” is scalar multiplication (of the scalar with the vector ). In order to open the commitment (to ), sends to , and checks if . It is clear that this scheme is hiding: The commitment is uniformly random and independent of no matter what is. On the other hand, the binding property follows from the observation that in order to open the commitment to , needs to announce , and in order to open to , he needs to announce . Thus, in order to open to both, he must know and , and thus , which is a contradiction to the no-communication assumption, because was sent to only.

In the quantum setting, where the dishonest provers are allowed to share an entangled quantum state and can produce and by means of performing measurements on their respective parts of the state, the above reasoning for the binding property does not work anymore. Nevertheless, as shown in [CSST11], the binding property still holds (though with a weaker parameter).

#### Relativistic Commitment Schemes.

The idea of relativistic commitment schemes, as introduced by Kent [Ken99], is to take a 2-prover commitment scheme as above and enforce the no-communication assumption by means of relativistic effects: Place and spatially far apart, and execute the scheme fast enough, so that there is not enough time for them to communicate. The obvious downside of such a relativistic commitment scheme is that the binding property stays alive only for a very short time: The opening has to take place almost immediately after the committing, before the provers have the chance to exchange information. This limitation can be circumvented by considering multi-round schemes, where after the actual commit phase there is a sustain phase, during which the provers and the verifier keep exchanging messages, and as long as this sustain phase is running, the commitment stays binding (and hiding), until the commitment is finally opened. Such schemes were proposed in [Ken99] and [Ken05], but they are rather inefficient, and the security analyses are somewhat informal (e.g., with no formal security definitions) and of asymptotic nature. Schemes that require quantum communication were also considered and studied [Ken12, KTHW13, LKB13] but those were all without sustain phase.

More recently, Lunghi et al. [LKB15] proposed a new and simple multi-round relativistic commitment scheme, and provided a rigorous security analysis. Their scheme works as follows. The actual commit protocol is the commit protocol from the Crépeau et al. scheme: sends a uniformly random string to , who returns . Then, to sustain the commitment, before has the chance to tell to , sends a new uniformly random string to who replies with , where is another random string shared between and , and the multiplication is in a suitable finite field. Then, to further sustain the commitment, sends a new uniformly random string to who replies with , etc. Finally, after the last sustain round where has been sent to , in order to finally open the commitment, is sent to (by the other prover). See Figure 1. In order to verify the opening, computes inductively in the obvious way, and checks if .

What is crucial is that in round (say for odd ), when preparing , the prover must not know , but he is allowed to know . Thus, the execution must be timed in such a way that between subsequent rounds there is not enough time for the provers to communicate, but they may communicate over multiple rounds.

As for the security of this scheme, it is obvious that the hiding property stays satisfied up to the open phase: Every single message receives is one-time-pad encrypted. As for the binding property, Lunghi et al. prove that the scheme with a -round sustain phase is -binding against classical attacks, where satisfies (this is just the standard Crépeau et al. scheme) and for . Thus, even when reading this recursive formula liberally by ignoring the term, we obtain

$$\varepsilon_m \lesssim \sqrt[2^m]{\varepsilon_0} = 2^{-n/2^m},$$

i.e., the error parameter blows up double exponentially in .¹ In other words, in order to have a non-trivial we need that , the size of the strings that are communicated, is exponential in . This means that Lunghi et al. can only afford a very small number of rounds. For instance, in their implementation where they can manage (beyond that, the local computation takes too long), asking for an error parameter of approximately , they can do rounds.² This allows them to keep a commitment alive for ms.

¹ Lunghi et al. also provide a more complicated recursive formula for that is slightly better, but the resulting blow-up is still double exponential.

² Note that [LKB15] mentions , but this is an error, as communicated to us by the authors, and as can easily be verified. Also, [LKB15] mentions rounds, but this is because they include the commit round in their counting, and we do not.

#### Our Results.

Our main goal is to improve the bound on the binding parameter of the above multi-round scheme. Indeed, our results show that the binding parameter blows up only linearly in , rather than double exponentially. Explicitly, our results show that (for classical attacks)

$$\varepsilon_m \le (m+1)\cdot 2^{-\frac{n}{2}+2}.$$

Using the same and error parameter as in the implementation of Lunghi et al., we can now afford approximately rounds. Scaling up the ms from the Lunghi et al. experiment for rounds gives us a time that is in the order of years. We also show tightness of our bound up to a small constant factor (for even ).

We use the following strategy to obtain our improved bound on . We observe that the first sustain round can be understood as committing on the opening information of the actual commitment, using an extended version of the Crépeau et al. scheme that commits to a string rather than to a bit. Similarly, the second sustain round can be understood as committing on the opening information of that commitment from the first sustain round, etc. Thus, thinking of the version of the scheme, what we have to prove is that if we have two commitment schemes and , and we modify the opening phase of in that we first commit to the opening information (using ) and then open that commitment, then the resulting commitment scheme is still binding; note that, intuitively, this is what one would indeed expect. Given such a composition theorem, we can then apply it inductively and conclude security (i.e. the binding property) of the Lunghi et al. multi-round scheme.

Our main result is such a general composition theorem, which shows that if and are respectively - and -binding (against classical attacks) then the composed scheme is -binding (against classical attacks), under some mild assumptions on and . Hence, the error parameters simply add up; this is what gives us the linear growth. The proof of our composition theorem crucially relies on new definitions of the binding property of 2-prover commitment schemes, which seem to be handier to work with than the definition as for instance used by Lunghi et al. Our definitions formalize the following intuitive requirement: After the commit phase, even if the provers are dishonest, there should exist some bit such that opening the commitment to any other bit fails (with high probability). We show that one of our new definitions is equivalent to the -definition, while the other one is strictly stronger. Our result holds for both definitions, so we not only obtain a better parameter than Lunghi et al. but also with respect to a stronger definition, and thus we improve the result also in that direction.

One subtle issue is that the extended version of the Crépeau et al. scheme to strings, as it is used in the sustain phase, is not a fully secure string commitment scheme. The reason is that for any that may be announced in the opening phase, there exists a string such that ; as such, the provers can commit to some fixed string, and then can still decide to either open the commitment to that string (by running the opening phase honestly), or to open it to a random string that is out of their control (by announcing a random ). We deal with this by also introducing a relaxed version (which we call fairly-binding) of the binding property, which captures this limited freedom for the provers, and we show that it is satisfied by the (extended version of the) Crépeau et al. scheme and that our composition theorem holds for this relaxed version; finally, we observe that the composed fairly-binding string commitment scheme is a binding bit commitment scheme when restricting the domain to a bit.

As such, we feel that our techniques and insights not only give rise to an improved analysis of the Lunghi et al. multi-round scheme, but they significantly improve our understanding of the security of 2-prover commitment schemes, and as such are likely to find further applications.

#### Open Problems.

Our work gives rise to a list of interesting and challenging open problems. For instance, our composition theorem only applies to pairs of commitment schemes of a certain restricted form, e.g., only one prover should be involved in the commit phase (as it is the case in the Crépeau et al. scheme). Our proof crucially relies on this, but there seems to be no fundamental reason for such a restriction. Thus, we wonder if it is possible to generalize our composition theorem to a larger class of pairs of schemes, or, ultimately, to all pairs of schemes (that “fit together”).

In another direction, some of our observations and results generalize immediately to the quantum setting, where the two dishonest provers are allowed to compute their messages by performing measurements on an entangled quantum state, but in particular our main result, the composition theorem, does not generalize. Also here, there seems to be no fundamental reason, and thus, generalizing our composition theorem to the quantum setting is an interesting open problem. Finally, in order to obtain security of the Lunghi et al. multi-round scheme against quantum attacks, beyond a quantum version of the composition theorem, one also needs to prove security against quantum attacks of the (extended version of the) original Crépeau et al. scheme as a (fairly-binding) string commitment scheme.

#### Concurrent Work.

In independent and concurrent work, Chakraborty, Chailloux and Leverrier [CCL15] showed (almost) the same linear bound for the Lunghi et al. scheme, but with respect to the original — and thus weaker — notion of security. Their approach is more direct and tailored to the specific scheme; our approach is more abstract and provides more insight, and our result applies much more generally.

## 2 Preliminaries

### 2.1 Basic Notation

#### Probability Distributions.

For the purpose of this work, a (probability) distribution is a function , , where is a finite non-empty set, with the property that . For specific choices , we tend to write instead of . For any subset , called an event, the probability is naturally defined as , and it holds that

$$p(\Lambda)+p(\Gamma)=p(\Lambda\cup\Gamma)+p(\Lambda\cap\Gamma)\le 1+p(\Lambda\cap\Gamma) \tag{1}$$

for all , and, more generally, that

$$\sum_{i=1}^{k} p(\Lambda_i) \le p(\Lambda_1\cup\ldots\cup\Lambda_k) + \sum_{i<j} p(\Lambda_i\cap\Lambda_j) \tag{2}$$

for all . For a distribution on two (or more) variables, probabilities like , , etc. are naturally understood as

$$p(x=y)=p(\{(x,y)\in\mathcal{X}\times\mathcal{Y}\mid x=y\})=\sum_{\substack{x\in\mathcal{X},\,y\in\mathcal{Y}\\ \text{s.t. } x=y}} p(x,y)$$

etc., and the marginals and are given by and , respectively. Vice versa, given two distributions and , we say that a distribution on two variables is a consistent joint distribution if the two marginals of coincide with and , respectively. We will make use of the following property on the existence of a consistent joint distribution that maximizes the probability that ; the proof is given in the appendix.

###### Lemma 1

Let and be two distributions on a common set . Then there exists a consistent joint distribution such that for all choices of . Additionally, satisfies .
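The consistent joint distribution promised by Lemma 1 can be built with the standard maximal-coupling construction. The following is an added example, not code from the paper, and since the appendix proof is not on this page the construction is an assumption about how such a coupling is obtained: the overlap min{p(z), q(z)} is placed on the diagonal, and the leftover mass of p is paired with the leftover mass of q as a product distribution, normalised by the total leftover (which equals the statistical distance of p and q). The resulting joint distribution has marginals p and q, and the probability that the two variables differ is exactly the statistical distance; the diagonal property p(x = y = z) = min{p(z), q(z)} is the one used later in the proof of Theorem 3.1.

```python
"""Maximal coupling of two distributions on a common finite set (added example)."""


def maximal_coupling(p, q):
    """Return a joint distribution on pairs (x, y) whose marginals are p and q
    and which puts mass min{p(z), q(z)} on every diagonal point (z, z).

    Standard construction (assumed; not quoted from the paper's appendix):
    the overlap min{p, q} goes on the diagonal, and the leftover mass of p is
    paired with the leftover mass of q as a product distribution, divided by
    the total leftover.  Inputs are dicts value -> probability."""
    support = set(p) | set(q)
    overlap = {z: min(p.get(z, 0), q.get(z, 0)) for z in support}
    leftover = 1 - sum(overlap.values())      # = statistical distance of p and q
    joint = {(z, z): m for z, m in overlap.items() if m > 0}
    if leftover > 0:
        p_excess = {z: p.get(z, 0) - overlap[z] for z in support}
        q_excess = {z: q.get(z, 0) - overlap[z] for z in support}
        for x, px in p_excess.items():
            if px <= 0:
                continue
            for y, qy in q_excess.items():
                if qy > 0:                    # here x != y: one of the two excesses is 0
                    joint[(x, y)] = joint.get((x, y), 0) + px * qy / leftover
    return joint


def marginals(joint):
    """Marginal distributions of the first and of the second variable."""
    left, right = {}, {}
    for (x, y), m in joint.items():
        left[x] = left.get(x, 0) + m
        right[y] = right.get(y, 0) + m
    return left, right


def prob_equal(joint):
    """p(x = y) under the joint distribution."""
    return sum(m for (x, y), m in joint.items() if x == y)


def statistical_distance(p, q):
    """(1/2) * sum over z of |p(z) - q(z)|."""
    return sum(abs(p.get(z, 0) - q.get(z, 0)) for z in set(p) | set(q)) / 2
```

With p = (1/2, 1/2) and q = (3/4, 1/4) on {0, 1}, the coupling puts 1/2 on (0, 0), 1/4 on (1, 1) and the remaining 1/4 on (1, 0); both marginals check out and p(x = y) = 3/4 = 1 minus the statistical distance 1/4. In the proof of Theorem 3.1 this is applied to the distributions of the guessed bit and of the verifier's output.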

#### Protocols.

In this work, we will consider 3-party (interactive) protocols, where the parties are named , and (the two “provers” and the “verifier”). Such a protocol consists of a triple of -round interactive algorithms for some . Each interactive algorithm takes an input, and for every round computes the messages to be sent to the other algorithms/parties in that round as deterministic functions of its input, the messages received in the previous rounds, and the local randomness. In the same way, the algorithms produce their respective outputs after the last round. We write

$$(\mathit{out}_P \,\|\, \mathit{out}_Q \,\|\, \mathit{out}_V) \leftarrow (\mathit{prot}_P(\mathit{in}_P) \,\|\, \mathit{prot}_Q(\mathit{in}_Q) \,\|\, \mathit{prot}_V(\mathit{in}_V))$$

to denote the execution of the protocol on the respective inputs and , and that the respective outputs and are produced. Clearly, for any protocol and any input , the probability distribution of the output is naturally well defined.

If we want to make the local randomness explicit, we write etc., and understand that is correctly sampled — without loss of generality, we may assume it to be a uniformly random bit string of sufficient length. Furthermore, we write and to express that and use the same randomness, in which case we speak of joint randomness.

We can compose two interactive algorithms and in the obvious way, by applying to the output of . The resulting interactive algorithm is denoted as . Composing the respective algorithms of two protocols and results in the composed protocol . If is a non-interactive algorithm, then is naturally understood as the protocol , and similarly in case is a protocol among and only.

### 2.2 2-Prover Commitment Schemes

###### Definition 1

A 2-prover (string) commitment scheme consists of two interactive protocols and between the two provers and and the verifier , with the following syntax. The commit protocol uses joint randomness for and and takes a string as input for and (and independent randomness and no input for ), and it outputs a commitment to and some state information to and :

$$(\mathit{state}_P \,\|\, \mathit{state}_Q \,\|\, c) \leftarrow (\mathit{com}_P[\xi_{PQ}](s) \,\|\, \mathit{com}_Q[\xi_{PQ}](s) \,\|\, \mathit{com}_V(\emptyset)).$$

The opening protocol uses joint randomness and outputs a string or a rejection symbol to , and nothing to and :

$$(\emptyset \,\|\, \emptyset \,\|\, s) \leftarrow (\mathit{open}_P[\eta_{PQ}](\mathit{state}_P) \,\|\, \mathit{open}_Q[\eta_{PQ}](\mathit{state}_Q) \,\|\, \mathit{open}_V(c))$$

with . The set is called the domain of ; if then we refer to as a bit commitment scheme instead, and we tend to use rather than to denote the committed bit.

###### Remark 1

By convention, we assume throughout the paper that the commitment output by equals the communication that takes place between and the provers during the commit phase. This is without loss of generality since, in general, is computed as a (possibly randomized) function of the communication, which just as well can apply in the opening phase.

###### Remark 2

Note that we specify that and use fresh joint randomness in the opening phase, and, if necessary, the randomness from the commit phase can be “handed over” to the opening phase via and ; this will be convenient later on. Alternatively, one could declare that and re-use the joint randomness from the commit phase.

Whenever we refer to such a 2-prover commitment scheme, we take it as understood that the scheme is complete and hiding, as defined below, for “small” values of and . Since our focus will be on the binding property, we typically do not make the parameters and explicit.

###### Definition 2

A 2-prover commitment scheme is -complete if in an honest execution ’s output of equals and ’s input to except with probability , for any choice of and ’s input .

The standard definition for the hiding property is as follows:

###### Definition 3

A 2-prover commitment scheme is -hiding if for any commit strategy and any two strings and , the distribution of the commitments , , produced as

$$(\mathit{state}_P \,\|\, \mathit{state}_Q \,\|\, c_b) \leftarrow (\mathit{com}_P[\xi_{PQ}](s_b) \,\|\, \mathit{com}_Q[\xi_{PQ}](s_b) \,\|\, \overline{\mathit{com}}_V(\emptyset)), \quad b=0,1$$

have statistical distance at most . A -hiding scheme is also called perfectly hiding.

Defining the binding property is more subtle. First, note that an attack against the binding property consists of an “allowed” commit strategy and an “allowed” opening strategy for and . Any such attack fixes , the distribution of that is output by after the opening phase, in the obvious way.

What exactly “allowed” means may depend on the scheme and needs to be specified. Typically, in the 2-prover setting, we only allow strategies and with no communication at all between the two provers, but we may also be more liberal and allow some well-controlled communication, as in the Lunghi et al. multi-round scheme. Furthermore, in this work, we focus on classical attacks, where and are classical interactive algorithms as specified in the previous section, with access to joint randomness. But one could also consider quantum attacks, in which the provers can perform measurements on an entangled quantum state. Our main result holds for classical attacks only, and so the unfamiliar reader can safely ignore the possibility of quantum attacks, but some of our insights also apply to quantum attacks.

A somewhat accepted definition for the binding property of a 2-prover bit commitment scheme, as it is for instance used in [CSST11, LKB15, FF15] (up to the factor in the error parameter), is as follows. Here, we assume it has been specified which attacks are allowed, e.g., those where and do not communicate during the course of the scheme.

###### Definition 4

A 2-prover bit commitment scheme is -binding in the sense of if for every allowed commit strategy , and for every pair of allowed opening strategies and , which fix distributions and for ’s respective outputs, it holds that

$$p(b_0=0)+p(b_1=1)\le 1+2\varepsilon.$$

In the literature (see e.g. [CSST11] or [LKB15]), the two probabilities and above are usually referred to as and , respectively.

### 2.3 The CHSHn Scheme

Our main example is the bit commitment scheme by Crépeau et al. [CSST11] we mentioned in the introduction, and which works as follows. The commit phase instructs to sample and send to a uniformly random , and it instructs to return to , where is the joint randomness, uniformly distributed in , and is the bit to commit to, and the opening phase instructs to send to , and outputs the (smaller) bit that satisfies , and in case no such bit exists. Note that the provers in this scheme use the same randomness in the commit and opening phase; thus, formally, needs to output the shared randomness as . The opening phase uses no fresh randomness.

It is easy to see that this scheme is -complete and perfectly hiding (completeness fails in case ). For classical provers that do not communicate at all, the scheme is -binding in the sense of , i.e. according to Definition 4. As for quantum provers, Crépeau et al. showed that the scheme is -binding; this was recently slightly improved to by Sikora, Chailloux and Kerenidis [SCK14].

We also want to consider an extended version of the scheme, where the bit is replaced by a string in the obvious way (where the multiplication is then understood in a suitable finite field), and we want to appreciate this extension as a 2-prover string commitment scheme. However, it is a priori not clear what is a suitable definition for the binding property, especially because for this particular scheme, the dishonest provers can always honestly commit to a string , and can then decide to correctly open the commitment to by announcing , or open to a random string by announcing a randomly chosen  — any satisfies for some (unless , which almost never happens).³

³ This could easily be prevented by requiring to announce (rather than letting compute it), but we want the information announced during the opening phase to fit into the domain of the commitment scheme.

Due to its close relation to the CHSH game [CHSH69], in particular to the arbitrary-finite-field version considered in [BS15], we will refer to this string commitment scheme as .
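The string version of the scheme and the multi-round sustain phase of Lunghi et al. from the introduction, as an added example that is not code from [CSST11], [LKB15] or this paper. It assumes n = 8 with GF(2^8) defined by the polynomial x^8 + x^4 + x^3 + x + 1 (any irreducible degree-8 polynomial would do), nonzero challenges so that the verifier can divide by a_i when unwinding the sustain rounds, and Python's seeded random module as a stand-in for the shared randomness and the verifier's challenges; all function names are ours. The commit round is the bit version (x_0 = b·a_0 ⊕ r_0), each sustain round i commits to the previous opening information as x_i = r_{i−1}·a_i + r_i, and the verifier recovers r_{m−1}, …, r_0 from the final r_m before decoding the bit. The last function counts, for a given reply x and challenge a, how many announced r' make the verifier output a fixed target string: exactly one, which is the limited "open to a random string" freedom discussed above.

```python
"""CHSH^n string commitment and the multi-round sustain phase (added example).

Assumptions: n = 8, GF(2^8) given by x^8 + x^4 + x^3 + x + 1, nonzero challenges,
and Python's seeded random module standing in for the protocol randomness."""
import random

N = 8
FIELD_SIZE = 1 << N
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (assumption: an irreducible degree-8 polynomial)


def gf_mul(a, b):
    """Multiplication in GF(2^n); n-bit strings are represented as ints."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:
            a ^= POLY
    return acc


def gf_inv(a):
    """Multiplicative inverse a^(2^n - 2) by square-and-multiply; needs a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in the field")
    result, base, e = 1, a, FIELD_SIZE - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def chsh_commit(s, a, r):
    """Prover's reply to challenge a when committing to s with shared r: x = s*a + r."""
    return gf_mul(s, a) ^ r


def chsh_open(x, a, r):
    """Verifier's opening step: the unique s with x = s*a + r (a != 0).
    Any announced r yields some s, which is why the string version is only
    fairly binding: a dishonest opening can land on a random, uncontrolled s."""
    return gf_mul(x ^ r, gf_inv(a))


def multi_round_commit(b, m, rng):
    """Honest commit round for bit b followed by m sustain rounds.
    Round i >= 1 commits to the previous opening information r_{i-1}:
    x_i = r_{i-1} * a_i + r_i.  Returns V's view (a_0..a_m, x_0..x_m) and r_m."""
    r = [rng.randrange(FIELD_SIZE) for _ in range(m + 1)]     # shared r_0..r_m
    a = [rng.randrange(1, FIELD_SIZE) for _ in range(m + 1)]  # V's nonzero challenges
    xs = [(a[0] if b else 0) ^ r[0]]                          # x_0 = b*a_0 xor r_0
    for i in range(1, m + 1):
        xs.append(chsh_commit(r[i - 1], a[i], r[i]))
    return a, xs, r[m]


def multi_round_verify(a, xs, r_final):
    """V unwinds r_m -> r_{m-1} -> ... -> r_0, then decodes the bit as in the
    bit scheme: the smaller b with x_0 = b*a_0 xor r_0, or None (reject)."""
    r = r_final
    for i in range(len(xs) - 1, 0, -1):
        r = chsh_open(xs[i], a[i], r)   # r_{i-1} = (x_i - r_i) / a_i
    if xs[0] == r:
        return 0
    if xs[0] == a[0] ^ r:
        return 1
    return None


def run_scheme(b, m, seed):
    """Honest end-to-end run with m sustain rounds; returns (V's output, V's view)."""
    rng = random.Random(seed)
    a, xs, r_final = multi_round_commit(b, m, rng)
    return multi_round_verify(a, xs, r_final), (a, xs, r_final)


def count_r_opening_to(x, a, target):
    """Number of announced r' for which V outputs target on reply x and challenge a.
    Exactly one when a != 0, so a dishonest opening hits any fixed target
    with probability 2^-n: the 'little control' that fairly-binding captures."""
    return sum(1 for rp in range(FIELD_SIZE) if chsh_open(x, a, rp) == target)
```

Tampering with the final r_m changes every recovered r_i (each a_i is invertible), so the verifier ends up with either a rejection or the other bit, never the committed one; this is the classical intuition behind the binding property, and the point of the paper is how the error parameter behaves as m grows.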

## 3 On the Binding Property of 2-Prover Commitment Schemes

We introduce new definitions for the binding property of 2-prover commitment schemes. In the case of bit commitment schemes, they imply Definition 4, as we will show. Although not necessarily simpler, we feel that our definitions are closer to the intuition of what is expected from a commitment scheme, and as such easier to work with. Indeed, the proofs of our composition results are heavily based on our new definitions. Also, our new notions are more flexible in terms of tweaking them; for instance, we modify them to obtain a relaxed notion for the binding property, which captures the binding property that is satisfied by the string commitment scheme .

Throughout this section, when quantifying over attacks against (the binding property of) a scheme, it is always understood that there is a notion of allowed attacks for that scheme (e.g., all attacks for which and do not communicate), and that the quantification is over all such allowed attacks. Also, even though our focus is on classical attacks, Proposition 2 and Theorem 3.1 also apply to quantum attacks.

### 3.1 Defining The Binding Property

Intuitively, we say that a scheme is binding if after the commit phase there exists a string so that no matter what the provers do in the opening phase, the verifier will output either or (except with small probability). We consider two definitions of the binding property which interpret this intuitive requirement in two different ways. In the first definition, which we introduce in this section, is a function of the provers’ (combined) view immediately after the commit phase. In the second one, which we introduce in Section 3.2, is specified by its distribution only. Both of these definitions admit a composition theorem.

###### Definition 5 (Binding property)

A 2-prover commitment scheme is -binding if for every commit strategy there exists a function of the joint randomness and the commitment (recall that by convention (Remark 1), equals the communication between and the provers during the commit phase) such that for every opening strategy it holds that . In short:

$$\forall\,\overline{\mathit{com}}_{PQ}\ \exists\,\hat{s}(\bar\xi_{PQ},c)\ \forall\,\overline{\mathit{open}}_{PQ}:\quad p(s\ne\hat{s}\wedge s\ne\bot)\le\varepsilon. \tag{3}$$

The string commitment scheme does not satisfy this definition (the bit commitment version does, as we will show): After the commit phase, the provers can still decide to open the commitment to a fixed string, chosen before the commit phase, or to a random string that is out of their control. We capture this by the following relaxed version of the binding property: We allow ’s output to be different from and , but in this case the provers should have little control over : For any fixed target string , it should be unlikely that . Formally, this is captured as follows; we will show in Section 3.4 that is fairly-binding in this sense.

###### Definition 6 (Fairly binding property)

A 2-prover commitment scheme is -fairly-binding if for every commit strategy there exists a function such that for every opening strategy and all functions it holds that . In short:

$$\forall\,\overline{\mathit{com}}_{PQ}\ \exists\,\hat{s}(\bar\xi_{PQ},c)\ \forall\,\overline{\mathit{open}}_{PQ}\ \forall\,s^\circ(\bar\xi_{PQ},\bar\eta_{PQ}):\quad p(s\ne\hat{s}\wedge s=s^\circ)\le\varepsilon. \tag{4}$$

###### Remark 3

By means of standard techniques, one can easily show that it is sufficient for the (fairly) binding property to consider deterministic provers. In this case, is a function of only, and, in the case of fairly-binding, runs over all fixed strings.

###### Remark 4

Clearly, the binding property implies the fairly binding property. Furthermore, in the case of bit commitment schemes it obviously holds that , and thus the fairly-binding property implies the binding property with a factor-2 loss in the parameter. Furthermore, every fairly-binding string commitment scheme gives rise to a binding bit commitment scheme in a natural way, as shown by the following proposition.

###### Proposition 1

Let be a -fairly-binding string commitment scheme. Fix any two distinct strings and consider the bit-commitment scheme obtained as follows. To commit to , the provers commit to using , and in the opening phase checks if for some bit and outputs this bit if it exists and else outputs . Then, is a -binding bit commitment scheme.

###### Proof

Fix some commit strategy for and note that it can also be used to attack . Thus, there exists a function as in Definition 6. We define

$$\hat{b}(\bar\xi_{PQ},c)=\begin{cases}0 & \text{if } \hat{s}(\bar\xi_{PQ},c)=s_0\\ 1 & \text{otherwise}\end{cases}$$

Now fix an opening strategy for , which again is also a strategy against . Thus, we have for any (and in particular or ). This gives us

$$\begin{aligned} p(\hat{b}\ne b\ne\bot) &= p(\hat{b}=1\wedge b=0)+p(\hat{b}=0\wedge b=1)\\ &= p(\hat{s}\ne s_0\wedge s=s_0)+p(\hat{s}=s_0\wedge s=s_1)\\ &\le p(\hat{s}\ne s_0\wedge s=s_0)+p(\hat{s}\ne s_1\wedge s=s_1)\\ &\le 2\varepsilon \end{aligned}$$

and thus is a -binding bit-commitment scheme.∎

###### Remark 5

The proof of Proposition 1 generalizes in a straightforward way to -bit string commitment schemes: Given a -fairly-binding -bit string commitment scheme , for , we define a -bit string commitment scheme as follows: To commit to a -bit string, the provers pad the string with zeros and then commit to the padded string using . In the opening phase, the verifier outputs the first bits of if the remaining bits in are all zeros, and otherwise. Then, is -binding.

### 3.2 The Weak Binding Property

Here, we introduce yet another definition for the binding property. It is similar in spirit to Definition 5, but weaker. One advantage of this weaker notion is that it is also meaningful when considering quantum attacks, whereas Definition 5 is not. In the subsequent section, we will see that for bit commitment schemes, this weaker notion of the binding property is equivalent to Definition 4.

###### Definition 7 (Weak binding property)

A 2-prover commitment scheme is -weak-binding if for all commit strategies there exists a distribution such that for every opening strategy (which then fixes the distribution of ’s output ) there is a consistent joint distribution such that . In short:

$$\forall\,\overline{\mathit{com}}_{PQ}\ \exists\,p(\hat{s})\ \forall\,\overline{\mathit{open}}_{PQ}\ \exists\,p(\hat{s},s):\quad p(s\ne\hat{s}\wedge s\ne\bot)\le\varepsilon. \tag{5}$$

We also consider a related, i.e., “fairly”, version of this binding property, similar to Definition 6.

###### Definition 8 (Fairly weak binding property)

A 2-prover commitment scheme is -fairly-weak-binding if for all commit strategies there exists a distribution such that for every opening strategy (which then fixes the distribution of ’s output ) there is a consistent joint distribution so that for all it holds that . In short:

$$\forall\,\overline{\mathit{com}}_{PQ}\ \exists\,p(\hat{s})\ \forall\,\overline{\mathit{open}}_{PQ}\ \exists\,p(\hat{s},s)\ \forall\,s^\circ:\quad p(s\ne\hat{s}\wedge s=s^\circ)\le\varepsilon. \tag{6}$$

###### Remark 6

Remarks 3 and 4 also hold for the weak binding properties. Furthermore, it is easy to see that the binding and fairly-binding properties imply their weak counterparts.

###### Proposition 2

Let be a -fairly-weak-binding string commitment scheme and define as in Proposition 1. Then, is a -weak-binding bit commitment scheme.

###### Proof

The proof of Proposition 1 can be easily adapted: Let be as required by Definition 8. We define by taking the marginal of where if , and otherwise. An opening strategy for can also be viewed as a strategy for . As such, there is a joint distribution as required by Definition 7 which we can extend to by setting if , if and otherwise. We define . As in the proof of Proposition 1, one can easily check that holds.

### 3.3 Relations Between The Definitions

Here, we show that in case of bit commitment schemes, the weak binding property as introduced in Definition 7 above is actually equivalent to the -definition. Even though our focus is on classical attacks, the proof immediately carries over to quantum attacks as well.

###### Theorem 3.1

A 2-prover bit-commitment scheme is -binding in the sense of if and only if it is -weak-binding.

###### Proof

First, consider a scheme that is -binding according to Definition 4. Fix a commit strategy and opening strategies and so that and are maximized, where is ’s output when the dishonest provers use opening strategy . Let . Since the scheme is -binding, we have . We define the distribution as and . To see that this is indeed a probability distribution, note that (otherwise, we would have or ) and that . Now we consider an arbitrary opening strategy which fixes a distribution . By definition of and , we have and thus . By Lemma 1, there exists a consistent joint distribution with the property that . We wish to bound . For , it holds that

$$\begin{aligned} p(\hat{b}=1-i\wedge b=i) &= p(b=i)-p(\hat{b}=b=i)\\ &= p(b=i)-\min\{p(\hat{b}=i),\,p(b=i)\}\\ &= \max\{0,\,p(b=i)-p(\hat{b}=i)\}\\ &\le \varepsilon \end{aligned}$$

and furthermore, there is at most one such that , for if for both and , then which is a contradiction. Thus, we have . This proves one direction of our claim.

For the other direction, consider a scheme that is -binding. Fix and let be a distribution such that for every opening strategy , there is a joint distribution with . Now consider two opening strategies and which give distributions and . We need to bound . There is a joint distribution such that and likewise for . Thus,

$$\begin{aligned} p(b_0=0)+p(b_1=1) &= p(\hat{b}=0,b_0=0)+p(\hat{b}=1,b_0=0)+p(\hat{b}=0,b_1=1)+p(\hat{b}=1,b_1=1)\\ &\le p(\hat{b}=0)+p(\hat{b}=1)+p(\hat{b}\ne b_0\ne\bot)+p(\hat{b}\ne b_1\ne\bot)\\ &\le 1+2\varepsilon \end{aligned}$$

which proves the other direction.∎

###### Remark 7

By Remark 6, it follows that Definition 5 also implies the -definition. In fact, Definition 5 is strictly stronger (and hence, also strictly stronger than the weak-binding definition). Consider the following (artificial and very non-complete) scheme: In the commit phase, chooses a uniformly random bit and sends it to the provers, and then accepts everything or rejects everything during the opening phase, depending on that bit. Then, , yet a commitment can be opened to (no matter how is defined) with probability .

Since a non-complete separation example may not be fully satisfying, we note that it can be converted into a complete (but even more artificial) scheme. Fix a “good” (i.e., complete, hiding and binding with low parameters) scheme and call our example scheme above the “bad” scheme. We define a combined scheme as follows: At the start, the first prover can request either the “good” or “bad” scheme to be used. The honest prover is instructed to choose the former, guaranteeing completeness. The dishonest prover may choose the latter, so the combined scheme inherits the binding properties of the “bad” scheme: It is binding according to the -definition, but not according to Definition 5.

### 3.4 Security of CHSHn

In this section, we show that is a fairly-binding string commitment scheme.⁵ To this end, we introduce yet another version of the binding property and show that satisfies this property. Then we show that this version of the binding property implies the fairly-binding property (up to some loss in the parameter, and some mild restrictions on the scheme).

⁵ It is understood that the allowed attacks against are those where the provers do not communicate.

This new binding property is based on the intuition that it should not be possible to open a commitment to two different values simultaneously (except with small probability). For this, we observe that (for classical attacks), when considering a commit strategy , as well as two opening strategies and , we can run both opening strategies simultaneously on the produced commitment with two (independent) copies of , by applying and to two copies of the respective internal states of and . This gives rise to a joint distribution of the respective outputs and of the two copies of .

###### Definition 9 (Simultaneous opening)

A 2-prover commitment scheme is -fairly-binding in the sense of simultaneous opening⁶ if for all , all pairs of opening strategies and , and all pairs of distinct strings, we have .

⁶ We use “fairly” here to distinguish the notion from a “non-fairly” version with ; however, we do not consider this latter version any further here.

###### Remark 8

Also for this notion of fairly-binding, it is sufficient to consider deterministic strategies, as can easily be seen.

###### Proposition 3

The string commitment scheme is -fairly-binding in the sense of simultaneous opening.

###### Proof

By Remark 8, it suffices to consider deterministic attack strategies. Fix a deterministic strategy and two deterministic opening strategies and . The strategy specifies ’s output as a function of the verifier’s message . The opening strategies are described by constants and . By definition of , implies and likewise, implies . Therefore, implies . It thus holds that , which proves our claim. ∎
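An exhaustive check of the argument in the proof above, as an added example that is not part of the paper. The field GF(2^n) is replaced by the prime field GF(17) (integers mod 17), an assumption that changes nothing in the argument since only the field axioms are used; the bound 2^{-n} then reads 1/|F|. Following the proof, a deterministic prover's reply is a function x(a) of the challenge, and both openings (s_0, r_0) and (s_1, r_1) are accepted exactly when s_0·a + r_0 = s_1·a + r_1, whatever x(a) is, so the code lets the prover answer honestly for (s_0, r_0) and enumerates the challenges on which the second opening is accepted as well. For distinct s_0 ≠ s_1 there is always exactly one such challenge, so the simultaneous-opening probability is exactly 1/|F| (the bound is tight); for s_0 = s_1 with r_0 ≠ r_1 there is none, which is why Definition 9 only quantifies over distinct strings.

```python
"""Exhaustive check of the simultaneous-opening bound in a small field (added example).

Assumption: GF(17) stands in for GF(2^n); the bound 2^-n becomes 1/|F|."""
P = 17  # field size; a prime so that the field is the integers mod P


def opening_accepted(x, a, s, r):
    """V accepts the opening (s, r) of reply x on challenge a iff x = s*a + r."""
    return (s * a + r) % P == x


def double_opening_challenges(s0, r0, s1, r1):
    """Challenges a on which a deterministic P can give one reply x that both
    openings pass.  Both pass iff s0*a + r0 = s1*a + r1, independently of how
    x(a) is chosen, so P is taken to answer honestly for (s0, r0)."""
    good = []
    for a in range(P):
        x = (s0 * a + r0) % P                  # P's deterministic reply x(a)
        if opening_accepted(x, a, s0, r0) and opening_accepted(x, a, s1, r1):
            good.append(a)
    return good


def simultaneous_opening_probability(s0, r0, s1, r1):
    """Probability over a uniformly random challenge that both openings pass."""
    return len(double_opening_challenges(s0, r0, s1, r1)) / P


def worst_case_count():
    """Maximum over all opening pairs with s0 != s1 of the number of challenges
    on which both openings pass; the claim is that this is exactly 1."""
    return max(len(double_opening_challenges(s0, r0, s1, r1))
               for s0 in range(P) for s1 in range(P) if s0 != s1
               for r0 in range(P) for r1 in range(P))
```

The loop in `worst_case_count` covers every pair of deterministic opening strategies for distinct strings and confirms that the dishonest provers never do better than the single challenge a = (r_0 − r_1)/(s_1 − s_0), i.e. the bound in Proposition 3 is attained but not exceeded.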

###### Remark 9

It follows directly from (1) that every bit commitment scheme that is -fairly-binding in the sense of simultaneous opening (against classical attacks) is -binding in the sense of (and thus also according to Definition 7). The converse is not true though: The schemes from Remark 7 again serve as counterexamples.

###### Theorem 3.2

Let be a 2-prover commitment scheme. If is -fairly-binding in the sense of simultaneous opening and is deterministic, then is -fairly-binding.

###### Proof

By Remark 3, it suffices to consider deterministic strategies for the provers. We fix some deterministic commit strategy and an enumeration