1 Introduction

Background. A commitment scheme is an important primitive in theoretical cryptography with various applications, for instance to zero-knowledge proofs and multiparty computation, which themselves are fundamentally important concepts in modern cryptography. For a commitment scheme to be secure, it must be hiding and binding. The former means that after the commit phase, the committed value is still hidden from the verifier, and the latter means that the prover (also referred to as committer) can open a commitment only to one value. Unfortunately, a commitment scheme cannot be unconditionally hiding and unconditionally binding at the same time. This is easy to see in the classical setting, and holds as well when using quantum communication [9, 10]. Thus, we have to put some limitation on the capabilities of the dishonest party. One common approach is to assume that the dishonest prover (or, alternatively, the dishonest verifier) has limited computing resources, so that he cannot solve certain computational problems (like factoring large integers). Another approach was suggested by Ben-Or, Goldwasser, Kilian and Wigderson in their seminal paper [2] in the late eighties. They assume that the prover consists of two (or more) agents that cannot communicate with each other, and they show the existence of a secure commitment scheme in this two-prover setting. Based on this two-prover commitment scheme, they then show that every language in NP has a two-prover perfect zero-knowledge interactive proof system (though there are some subtle issues in this latter result, as discussed in [15]).

A simple example of a two-prover commitment scheme, due to [4], is the following. The verifier chooses a uniformly random string \(a \in \{0,1\}^n\) and sends it to the first prover, who sends back \(x := r \oplus a \cdot b\) as the commitment for bit \(b \in \{0,1\}\), where \(r \in \{0,1\}^n\) is a uniformly random string known (only) to the two provers, and where “\(\oplus \)” is bit-wise XOR and “\(\cdot \)” scalar multiplication (of the scalar b with the vector a). In order to open the commitment (to b), the second prover sends back \(y := r\), and the verifier checks the obvious: whether \(y = x \oplus a \cdot b\). It is clear that this scheme is hiding: \(x := r \oplus a \cdot b\) is uniformly random and independent of a no matter what b is, and the intuition behind the binding property is the following. In order to open the commitment to \(b = 0\), the second prover needs to announce \(y = x\); in order to open to \(b = 1\), he needs to announce \(y = x \oplus a\). Therefore, in order to open to both, he must know x and \(x \oplus a\), which means he knows a, but this is a contradiction to the no-communication assumption, because a was sent only to the first prover.

In [4], Crépeau, Salvail, Simard and Tapp show that, as a matter of fact, the security of such two-prover commitment schemes not only relies on the explicit assumption that the two provers cannot communicate, but the security also crucially depends on the information processing capabilities of the dishonest provers. Indeed, they show that a slight variation of the above two-prover commitment scheme (where some slack is given to the verification \(y = x \oplus a \cdot b\)) is secure against classical provers, but is completely insecure if the provers have quantum information processing capabilities and can obtain x and y by means of doing local measurements on an entangled quantum state. Furthermore, they show that the above two-prover commitment scheme remains secure against such quantum attacks, but becomes insecure against so-called non-signaling provers. The notion of non-signaling was first introduced by Khalfin and Tsirelson [14] and by Rastall [12] in the context of Bell-inequalities, and later reintroduced by Popescu and Rohrlich [11]. Non-signaling provers are restricted solely by the requirement that no communication takes place — no additional restriction limits their information processing capabilities (not even the laws of quantum mechanics) — and thus considering non-signaling provers is the minimal assumption for the two-prover setting to make sense.

This gives rise to the following question. Does there exist a two-prover commitment scheme that is secure against arbitrary non-signaling provers? Such a scheme would truly be based on the sole assumption that the provers cannot communicate. No such scheme is known. Clearly, from a practical point of view, asking for such a scheme may be overkill; given our strong belief in quantum mechanics, relying on a scheme that resists quantum attacks seems to be a safe bet. But from a theoretical perspective, this question is certainly in line with the general goal of theoretical cryptography: to find the strongest possible security based on the weakest possible assumption.

Our Results. In this work, we give strong evidence for a negative answer: we show that there exists no single-round two-prover commitment scheme that is secure against general non-signaling attacks. Our impossibility result is as strong as it can get. We show that for any candidate single-round two-prover commitment scheme that is (almost) perfectly hiding, the binding property can be (almost) completely broken: there exists a non-signaling strategy that allows the dishonest provers to open a commitment to an arbitrary bit (almost) as successfully as the honest provers can open an honestly prepared commitment, i.e., with probability (almost) 1 in case of a perfectly sound scheme. Furthermore, for a restricted but natural class of schemes, namely for schemes that have the same communication pattern as the above example scheme, our impossibility result is tight: for every (rational) parameter \(0 < \varepsilon \le 1\) there exists a perfectly sound two-prover commitment scheme that is \(\varepsilon \)-hiding and as binding as allowed by our negative result (which is almost not binding if \(\varepsilon \) is small).

In the case of multi-round schemes, our impossibility result is limited and applies to perfectly hiding schemes only. Proving the impossibility of non-perfectly-hiding multi-round schemes remains open.

On the positive side, we show the existence of a secure three-prover commitment scheme against non-signaling attacks. Thus, our impossibility result can be circumvented by considering three instead of two provers.

Related Work. Two-prover commitments are closely related to relativistic commitments, as introduced by Kent in [8]. In a nutshell, a relativistic commitment scheme is a two-prover commitment scheme where the no-communication requirement is enforced by having the actions of the two provers separated by a space-like interval, i.e., the provers are placed far enough apart, and the scheme is executed quickly enough, so that no communication can take place by the laws of special relativity. As such, our impossibility result immediately implies impossibility of relativistic commitment schemes of the form we consider (e.g., we do not consider quantum schemes) against general non-signaling attacks.

Very generally speaking, and somewhat surprisingly, the (in)security of cryptographic primitives against non-signaling attacks may have an impact on more standard cryptographic settings, as was recently demonstrated by Kalai, Raz and Rothblum [7], who showed the (computational) security of a delegation scheme based on the security of an underlying multi-party interactive proof system against non-signaling (or statistically-close-to-non-signaling) adversaries.

2 Preliminaries

2.1 (Conditional) Distributions

For the purpose of this work, a (probability) distribution is a function \(p: \mathcal{X} \rightarrow \mathbb {R}\), \(x \mapsto p(x)\), where \(\mathcal{X}\) is a finite non-empty set, with the properties that \(p(x) \ge 0\) for every \(x \in \mathcal{X}\) and \(\sum _{x \in \mathcal{X}} p(x) = 1\). For any subset \(\varLambda \subset \mathcal{X}\), \(p(\varLambda )\) is naturally defined as \(p(\varLambda ) = \sum _{x \in \varLambda } p(x)\), and it holds that

$$\begin{aligned} p(\varLambda ) + p(\varGamma ) = p(\varLambda \cup \varGamma ) + p(\varLambda \cap \varGamma ) \le 1 + p(\varLambda \cap \varGamma ) \end{aligned}$$
(1)

for all \(\varLambda ,\varGamma \subset \mathcal{X}\). A probability distribution is bipartite if it is of the form \(p: \mathcal{X} \times \mathcal{Y} \rightarrow \mathbb {R}\). In case of such a bipartite distribution p(xy), probabilities like \(p(x\!=\!y)\), \(p(x\!=\!f(y))\), \(p(x\!\ne \!y)\) etc. are naturally understood as

$$ p(x\!=\!y) = p(\{(x,y) \in \mathcal{X} \times \mathcal{Y}\,|\,x = y\}) = \mathop {\sum }\limits _{\mathop {x \in \mathcal{X}, y \in \mathcal{Y}}\limits _{\text {s.t. } x = y}} p(x,y) $$

etc. Also, for a bipartite distribution \(p: \mathcal{X} \times \mathcal{Y} \rightarrow \mathbb {R}\), the marginals p(x) and p(y) are given by \(p(x) = \sum _y p(x,y)\) and \(p(y) = \sum _x p(x,y)\), respectively. We note that this notation may lead to an ambiguity when writing p(w) for some \(w \in \mathcal{X} \cap \mathcal{Y}\); we avoid this by writing \(p(x\!=\!w)\) or \(p(y\!=\!w)\) instead, which are naturally understood. The above obviously extends to arbitrary multipartite distributions p(xyz) etc.

A conditional (probability) distribution is a function \(p: \mathcal{X} \times \mathcal{A} \rightarrow \mathbb {R}\), \((x,a) \mapsto p(x|a)\), for finite non-empty sets \(\mathcal{X}\) and \(\mathcal{A}\), such that for every fixed \(a^* \in \mathcal{A}\), the function \(p(x|a^*)\) is a probability distribution in the above sense, which we also write as \(p(x|a\!=\!a^*)\). As such, the above naturally extends to bi- and multipartite conditional probability distributions; e.g., if p(xy|ab) is a conditional distribution then p(x|ab), p(y|ab), \(p(x\!=\!y|a,b)\) etc. are all naturally defined. However, we emphasize that for instance p(x|a) is in general not well defined — unless the corresponding conditional distribution p(b|a) is given, or unless p(x|ab) does not depend on b.

Remark 1

By convention, we write \(p(x|a,b) = p(x|a)\) to express that p(x|ab) does not depend on b, i.e., that \(p(x|a,b_1) = p(x|a,b_2)\) for all \(b_1\) and \(b_2\), and as such p(x|a) is well defined and equals p(x|ab).

A distribution \(\delta (x)\) over \(\mathcal{X}\) is called a Dirac distribution if there exists \(x^* \in \mathcal{X}\) so that \(\delta (x\!=\!x^*) = 1\), and a conditional distribution \(\delta (x|a)\) over \(\mathcal{X}\) is called a conditional Dirac distribution if \(\delta (x|a\!=\!a^*)\) is a Dirac distribution for every \(a^* \in \mathcal{A}\), i.e., for every \(a^* \in \mathcal{A}\) there exists \(x^* \in \mathcal{X}\) so that \(\delta (x\!=\!x^*|a\!=\!a^*) = 1\).

Note that we often abuse notation slightly and simply write p(x) instead of \(p: \mathcal{X} \rightarrow \mathbb {R}\), \(x \mapsto p(x)\); furthermore, we may use p for different distributions and distinguish between them by using different names for the variable, like when we consider the two marginals p(x) and p(y) of a bipartite distribution p(xy). Finally, given two distributions \(p(x_0)\) and \(q(x_1)\) over the same set \(\mathcal{X}\) (and similarly if we use the above convention and denote them by \(p(x_0)\) and \(p(x_1)\) instead), we write \(p(x_0) = q(x_1)\) to denote that \(p(x_0\!=\!w) = q(x_1\!=\!w)\) for all \(w \in \mathcal{X}\). In a corresponding way, equalities like \(p(x_0,x'_0,y) = q(x_1,x'_1,y)\) should be understood; in situations where we feel it is helpful, we may clarify that “\(x_0\) is associated with \(x_1\), and \(x'_0\) with \(x'_1\)”; similarly for conditional distributions.

2.2 Gluing Together Distributions

We recall the definition of the statistical distance.

Definition 1

Let \(p(x_0)\) and \(p(x_1)\) be two distributions over the same set \(\mathcal{X}\). Then, their statistical distance is defined as

$$ d\bigl (p(x_0),p(x_1)\bigr ) = \frac{1}{2}\cdot \sum _{x\in {\mathcal {X}}}\bigl |p(x_0\!=\!x) - p(x_1\!=\!x)\bigr | \, . $$

The following property of the statistical distance is well known (see e.g. [13]).

Proposition 1

Let \(p(x_0)\) and \(p(x_1)\) be two distributions over the same set \(\mathcal{X}\) with \(d\bigl (p(x_0),p(x_1)\bigr ) = \varepsilon \). Then, there exists a distribution \(p'(x_0,x_1)\) over \(\mathcal{X} \times \mathcal{X}\) with marginals \(p'(x_0) = p(x_0)\) and \(p'(x_1) = p(x_1)\), and such that \(p'(x_0 \!\ne \!x_1) = \varepsilon \).

The following is an immediate consequence.

Lemma 1

Let \(p(x_0,y_0)\) and \(p(x_1,y_1)\) be distributions with \(d\bigl (p(x_0),p(x_1)\bigr ) = \varepsilon \). Then, there exists a distribution \(p'(x_0,x_1,y_0,y_1)\) with marginals \(p'(x_0,y_0) = p(x_0,y_0)\) and \(p'(x_1,y_1) = p(x_1,y_1)\), and such that \(p'(x_0 \!\ne \!x_1) = \varepsilon \) and, as a consequence, \(d\bigl (p'(x_0,y_1),p'(x_1,y_1)\bigr ) \le \varepsilon \).

Proof

We first apply Proposition 1 to \(p(x_0)\) and \(p(x_1)\) to obtain \(p'(x_0,x_1)\), and then we set

$$p'(x_0,x_1,y_0,y_1) = p'(x_0,x_1) \cdot p(y_0|x_0) \cdot p(y_1|x_1) \, .$$

The claims on the marginals and on \(p'(x_0 \!\ne \!x_1)\) follow immediately, and for the last claim we note that

$$\begin{aligned} p'(x_0,y_1)&= p'(x_0 \!=\!x_1) \cdot p'(x_0,y_1|x_0 \!=\!x_1) + p'(x_0 \!\ne \!x_1) \cdot p'(x_0,y_1|x_0 \!\ne \!x_1) \\&= p'(x_0 \!=\!x_1) \cdot p'(x_1,y_1|x_0 \!=\!x_1) + p'(x_0 \!\ne \!x_1) \cdot p'(x_0,y_1|x_0 \!\ne \!x_1) \end{aligned}$$

and

$$\begin{aligned} p'(x_1,y_1)&= p'(x_0 \!=\!x_1) \cdot p'(x_1,y_1|x_0 \!=\!x_1) + p'(x_0 \!\ne \!x_1) \cdot p'(x_1,y_1|x_0 \!\ne \!x_1) \end{aligned}$$

and the claim follows because \(p'(x_0 \!\ne \!x_1) = \varepsilon \).    \(\square \)

Remark 2

Note that due to the consistency of the marginals, it makes sense to write \(p(x_0,x_1,y_0,y_1)\) instead of \(p'(x_0,x_1,y_0,y_1)\). We say that we “glue together” \(p(x_0,y_0)\) and \(p(x_1,y_1)\) along \(x_0\) and \(x_1\).

Remark 3

In the special case where \(p(x_0)\) and \(p(x_1)\) are identically distributed, i.e., \(d\bigl (p(x_0),p(x_1)\bigr ) = 0\), we obviously have \(p(x_0,y_1) = p(x_1,y_1)\).

Remark 4

It is easy to see from the proof of Lemma 1 that the following natural property holds. If \(p(x_0,x_1,y_0,y_1,y'_0,y'_1)\) is obtained by gluing together \(p(x_0,y_0,y'_0)\) and \(p(x_1,y_1,y'_1)\) along \(x_0\) and \(x_1\), then the marginal \(p(x_0,x_1,y_0,y_1)\) coincides with the distribution obtained by gluing together the marginals \(p(x_0,y_0)\) and \(p(x_1,y_1)\) along \(x_0\) and \(x_1\).

3 Bipartite Systems and Two-Prover Commitments

3.1 One-Round Bipartite Systems

Informally, a bipartite system consists of two subsystems, which we refer to as the left and the right subsystem. Upon input a to the left and input \(a'\) to the right subsystem, the left subsystem outputs x and the right subsystem outputs \(x'\) (see Fig. 1, left). Formally, the behavior of such a system is given by a conditional distribution \(q(x,x'|a,a')\), with the interpretation that given input \((a,a')\), the system outputs a specific pair \((x,x')\) with probability \(q(x,x'|a,a')\). Note that we leave the sets \(\mathcal{A}, \mathcal{A}',\mathcal{X}\) and \(\mathcal{X}'\), from which \(a,a',x\) and \(x'\) are respectively sampled, implicit.

If we do not put any restriction upon the system, then any conditional distribution \(q(x,x'|a,a')\) is eligible, i.e., describes a bipartite system. However, we are interested in systems where the two subsystems cannot communicate with each other. How exactly this requirement restricts \(q(x,x'|a,a')\) depends on the available “resources”. For instance, if the two subsystems are deterministic, i.e., compute x and \(x'\) as deterministic functions of a and \(a'\) respectively, then this restricts \(q(x,x'|a,a')\) to be of the form \(q(x,x'|a,a') = \delta (x|a) \cdot \delta (x'|a')\) for conditional Dirac distributions \(\delta (x|a)\) and \(\delta (x'|a')\). If in addition to allowing them to compute deterministic functions, we give the two subsystems shared randomness, then \(q(x,x'|a,a')\) may be of the form

$$q(x,x'|a,a') = \sum _r p(r) \cdot \delta (x|a,r) \cdot \delta (x'|a',r)$$

for a distribution p(r) and conditional Dirac distributions \(\delta (x|a,r)\) and \(\delta (x'|a',r)\). Such a system is called classical or local. Interestingly, this is not the end of the story. By the laws of quantum mechanics, if the two subsystems share an entangled quantum state and obtain x and \(x'\) without communication as the result of local measurements that may depend on a and \(a'\), respectively, then this gives rise to conditional distributions \(q(x,x'|a,a')\) of the form

$$ q(x,x'|a,a') = \big \langle \psi \big | \big (E_x^a \otimes F_{x'}^{a'}\big ) \big |\psi \big \rangle \, , $$

where \(|\psi \rangle \) is a quantum state and \(\{E_x^a\}_x\) and \(\{F_{x'}^{a'}\}_{x'}\) are so-called POVMs. What this exactly means is not important for us; what is important is that this leads to a strictly larger class of bipartite systems. This is typically referred to as a violation of Bell inequalities [1], and is nicely captured by the notion of nonlocal games. A famous example is the so-called CHSH-game [3], which is closely connected to the example two-prover commitment scheme from the introduction, and which shows that the variant considered in [4] is insecure against quantum attacks.

The largest possible class of bipartite systems that is compatible with the requirement that the two subsystems do not communicate, but otherwise does not assume anything on the available resources and/or the underlying physical theory, is the class of so-called non-signaling systems, defined as follows.

Definition 2

A conditional distribution \(q(x,x'|a,a')\) is called a non-signaling (one-round) bipartite system if it satisfies

$$\begin{aligned} q(x|a,a') = q(x|a) \end{aligned}$$
(NS)

as well as with the roles of the primed and unprimed variables exchanged, i.e.,

$$\begin{aligned} q(x'|a,a') = q(x'|a') \end{aligned}$$
(NS')

Recall that, by the convention in Remark 1, the equality (NS) is to be understood in the sense that \(q(x|a,a')\) does not depend on \(a'\), i.e., that \(q(x|a,a'_1) = q(x|a,a'_2)\) for all \(a'_1,a'_2\), and correspondingly for (NS\('\)).

We emphasize that this is the minimal necessary condition for the requirement that the two subsystems do not communicate. Indeed, if e.g. \(q(x|a,a'_1) \ne q(x|a,a'_2)\), i.e., if the input-output behavior of the left subsystem depends on the input to the right subsystem, then the system can be used to communicate by giving input \(a'_1\) or \(a'_2\) to the right subsystem, and observing the input-output behavior of the left subsystem. Thus, in such a system, communication does take place.

The non-signaling requirement for a bipartite system is — conceptually and formally — equivalent to requiring that the two subsystems can (in principle) be queried in any order. Conceptually, it holds because the left subsystem should be able to deliver its outputs before the right subsystem has received any input if and only if the output does not depend on the right subsystem’s input (which means that no information is communicated from right to left), and similarly the other way round. And, formally, we see that the non-signaling requirement from Definition 2 is equivalent to asking that \(q(x,x'|a,a')\) can be written as

$$ q(x,x'|a,a') = q(x|a) \cdot q(x'|x,a,a') \quad \text {and}\quad q(x,x'|a,a') = q(x'|a') \cdot q(x|x',a,a') $$

for some respective conditional distributions q(x|a) and \(q(x'|a')\). This characterization is a convenient way to “test” whether a given bipartite system is non-signaling without doing the maths.

Clearly, all classical systems are non-signaling. Also, any quantum system is non-signaling. But there are non-signaling systems that are not quantum (and thus in particular not classical). The typical example is the NL-box (non-local box; also known as PR-box) [11], which, upon input bits a and \(a'\) outputs random output bits x and \(x'\) subject to

$$ x \oplus x' = a \cdot a' \, . $$

This system is indeed non-signaling, as it can be queried in any order: submit a to the left subsystem to obtain a uniformly random x, and then submit \(a'\) to the right subsystem to obtain \(x' := x \oplus a \cdot a'\), and correspondingly the other way round.
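The conditions (NS) and (NS') of Definition 2 can be checked mechanically on small systems. The following Python code is an added example, not code from the paper: it tests the NL-box, a shared-randomness system of the classical form given above, and a constructed signaling system, and computes how often each satisfies the NL-box relation on uniform inputs. The function names and the two comparison systems are choices made for this illustration.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
HALF = Fraction(1, 2)

def pr_box():
    """NL/PR-box: x uniform, x' = x XOR a*a'. Stored as q[(a, a')][(x, x')]."""
    return {(a, a2): {(x, x ^ (a & a2)): HALF for x in BITS}
            for a, a2 in product(BITS, BITS)}

def local_system(p_r, f, g):
    """Classical system: q(x,x'|a,a') = sum_r p(r) delta(x|a,r) delta(x'|a',r),
    where the Dirac distributions are given by x = f(a, r) and x' = g(a', r)."""
    q = {}
    for a, a2 in product(BITS, BITS):
        dist = {}
        for r, pr in p_r.items():
            key = (f(a, r), g(a2, r))
            dist[key] = dist.get(key, 0) + pr
        q[(a, a2)] = dist
    return q

def shared_bit_system():
    """Constructed local system: both sides output the shared random bit r."""
    return local_system({0: HALF, 1: HALF}, lambda a, r: r, lambda a2, r: r)

def signaling_system():
    """Constructed counter-example: the left output copies the right input."""
    return {(a, a2): {(a2, 0): Fraction(1)} for a, a2 in product(BITS, BITS)}

def marginal(q, a, a2, side):
    """q(x|a,a') for side 0, q(x'|a,a') for side 1, as a dict over outputs."""
    out = {}
    for outs, pr in q[(a, a2)].items():
        if pr:
            out[outs[side]] = out.get(outs[side], 0) + pr
    return out

def is_non_signaling(q):
    """(NS): q(x|a,a') does not depend on a'. (NS'): q(x'|a,a') does not depend on a."""
    ns_left = all(marginal(q, a, 0, 0) == marginal(q, a, 1, 0) for a in BITS)
    ns_right = all(marginal(q, 0, a2, 1) == marginal(q, 1, a2, 1) for a2 in BITS)
    return ns_left and ns_right

def relation_prob(q):
    """Probability that x XOR x' = a*a' when a and a' are uniform random bits."""
    total = Fraction(0)
    for (a, a2), dist in q.items():
        for (x, x2), pr in dist.items():
            if x ^ x2 == a & a2:
                total += Fraction(1, 4) * pr
    return total

if __name__ == "__main__":
    for name, system in [("NL-box", pr_box()),
                         ("shared bit", shared_bit_system()),
                         ("signaling", signaling_system())]:
        print(name, is_non_signaling(system), relation_prob(system))
```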

3.2 Two-Round Systems

We now consider bipartite systems as discussed above, but where one can interact with the two subsystems multiple times. We restrict to two rounds: after having input a to the left subsystem and obtained x as output, one can now input b into the left subsystem and obtain output y, and similarly with the right subsystem (see Fig. 1, right). In such a two-round setting, the non-signaling condition needs to be paired with causality, which captures that the output of the first round does not depend on the input that will be given in the second round.

Fig. 1. A one-round (left) and two-round (right) bipartite system.

Definition 3

A conditional distribution \(q(x,x',y,y'|a,a',b,b')\) is called a non-signaling two-round bipartite system if it satisfies the following two causality constraints

$$\begin{aligned} q(x,x'|a,a',b,b') = q(x,x'|a,a') \end{aligned}$$
(C1)
$$\begin{aligned} \text {and}\quad&q(x'|x,y,a,a',b,b') = q(x'|x,y,a,a',b) \end{aligned}$$
(C2)

and the following two non-signaling constraints

$$\begin{aligned}&q(x,y|a,a',b,b') = q(x,y|a,b) \end{aligned}$$
(NS1)
$$\begin{aligned} \text {and}\qquad&q(y|x,x',a,a',b,b') = q(y|x,x',a,a',b) \end{aligned}$$
(NS2)

as well as with the roles of the primed and unprimed variables exchanged.

(C1) captures causality of the overall system, i.e., when considering the left and the right system as one “big” multi-round system. (C2) captures that no matter what interaction there is with the left system, the right system still satisfies causality. Similarly, (NS1) captures that the left and the right system are non-signaling over both rounds, and (NS2) captures that no matter what interaction there was in the first round, the left and the right system remain non-signaling in the second round.

It is rather clear that these are necessary conditions; we argue that they are sufficient to capture a non-signaling two-round system in the full version [6].

3.3 Two-Prover Commitments

We consider two-prover commitments of the following form. To commit to bit b, the two provers \(P\) and \(Q\) receive respective “questions” a and \(a'\) from the verifier V, and they compute, without communicating with each other, respective replies x and \(x'\) and send them to V. To open the commitment, \(P\) and \(Q\) send respectively y and \(y'\). Finally, V performs some check to decide whether to accept or not.

In case of classical provers \(P\) and \(Q\), restricting the opening phase to one round with one-way communication is without loss of generality: one may always assume that in the opening phase \(P\) and \(Q\) simply reveal the shared randomness, and V checks whether x and \(x'\) had been correctly computed, consistent with the claimed bit b. Restricting the commit phase to one round is, as far as we can see, not without loss of generality; we discuss the multi-round case later.

Formally, this can be captured as follows.

Definition 4

A (single-round) two-prover commitment scheme \(\mathsf {Com}\) consists of a probability distribution \(p(a,a')\), two conditional distributions \(p_0(x,x',y,y'|a,a')\) and \(p_1(x,x',y,y'|a,a')\), and an acceptance predicate \(\mathsf {Acc}(x,x',y,y'|a,a',b)\).

We say that \(\mathsf {Com}\) is classical/quantum/non-signaling if \(p_0(x,x',y,y'|a,a')\) and \(p_1(x,x',y,y'|a,a')\) are both classical/quantum/non-signaling when parsed as bipartite one-round systems \(p_b((x,y),(x',y')|a,a')\). By default, any two-prover commitment scheme \(\mathsf {Com}\) is assumed to be non-signaling.

The distribution \(p(a,a')\) captures how V samples the “questions” a and \(a'\), \(p_b(x,x',y,y'|a,a')\) describes the choices of x and \(x'\) and of y and \(y'\), given that the bit to commit to is b, and \(\mathsf {Acc}(x,x',y,y'|a,a',b)\) determines whether V accepts the opening or not. Whether a scheme is classical, quantum or non-signaling captures the restrictions of the honest provers.

Given a two-prover commitment scheme \(\mathsf {Com}\), we define

$$ {\mathrm {Prob}}[\mathsf {Acc}|b] := \sum _{a,a',x,x',y,y'} p(a,a') \cdot p_b(x,x',y,y'|a,a') \cdot \mathsf {Acc}(x,x',y,y'|a,a',b) \, , $$

which is the probability that a correctly formed commitment to bit b is successfully opened.

Definition 5

A commitment scheme \(\mathsf {Com}\) is \(\theta \)-sound if \({\mathrm {Prob}}_p[\mathsf {Acc}|b] \ge \theta \) for \(b \in \{0,1\}\). We say that it is perfectly sound if it is 1-sound.

It will be convenient to write \(p(x_0,x_0',y_0,y_0'|a,a')\) instead of \(p_0(x,x',y,y'|a,a')\) and \(p(x_1,x_1',y_1,y_1'|a,a')\) instead of \(p_1(x,x',y,y'|a,a')\). Switching to this notation, the hiding property is expressed as follows.

Definition 6

\(\mathsf {Com}\) is called \(\varepsilon \)-hiding if \(d\bigl (p(x_0,x_0'|a,a'),p(x_1,x_1'|a,a')\bigr ) \le \varepsilon \) for all \(a,a'\). If \(\mathsf {Com}\) is 0-hiding, we also say it is perfectly hiding.

Capturing the binding property is more subtle. From the classical approach of defining the binding property for a commitment scheme, one is tempted to require that once the commit phase is over and \(a,a',x\) and \(x'\) are fixed, adversarial provers \(\hat{P}\) and \(\hat{Q}\) cannot come up with an opening to \(b = 0\) and simultaneously with an opening to \(b = 1\), i.e., with \(y_0,y'_0\) and \(y_1,y'_1\) such that \(\mathsf {Acc}(x,x',y_0,y'_0|a,a',b\!=\!0)\) and \(\mathsf {Acc}(x,x',y_1,y'_1|a,a',b\!=\!1)\) are both satisfied (except with small probability). However, as pointed out by Dumais, Mayers and Salvail [5], in the context of a general physical theory where y and \(y'\) may possibly be obtained as respective outcomes of destructive measurements (as is the case in quantum mechanics), such a definition is too weak. It does not exclude that \(\hat{P}\) and \(\hat{Q}\) can freely choose to open the commitment to \(b = 0\) or to \(b = 1\), whatever they want, but they cannot do both simultaneously; once they have produced one opening, their respective states got disturbed and the other opening can then not be obtained anymore.

Our definition for the binding property is based on the following game between the (honest) verifier V and the adversarial provers \(\hat{P}\), \(\hat{Q}\).

  1. The commit phase is executed: V samples a and \(a'\) according to \(p(a,a')\), and sends a to \(\hat{P}\) and \(a'\) to \(\hat{Q}\), upon which \(\hat{P}\) and \(\hat{Q}\) send x and \(x'\) back to V, respectively.

  2. V sends a bit \(b \in \{0,1\}\) to \(\hat{P}\) and \(\hat{Q}\).

  3. \(\hat{P}\) and \(\hat{Q}\) try to open the commitment to b: they prepare y and \(y'\) and send them to V.

  4. V checks if the verification predicate \(\mathsf {Acc}(x,x',y,y'|a,a',b)\) is satisfied.

We emphasize that even though in the actual binding game above, the same bit b is given to the two provers, we require that the response of the provers is well determined by their strategy even in the case that \(b \ne b'\). Of course, if the provers are allowed to communicate, they are able to detect when \(b \ne b'\) and could reply with, e.g., \(y = y' = \bot \) in that case. However, if we restrict to non-signaling provers, we assume that it is physically impossible for them to communicate with each other and distinguish the case of \(b = b'\) from \(b\ne b'\).

As such, a non-signaling attack strategy against the binding property of a two-prover commitment scheme \(\mathsf {Com}\) is given by a non-signaling two-round bipartite system \(q(x,x',y,y'|a,a',b,b')\), as specified in Definition 3. For any such bipartite system, representing a strategy for \(\hat{P}\) and \(\hat{Q}\) in the above game, the probability that \(\hat{P}\) and \(\hat{Q}\) win the game, in that \(\mathsf {Acc}(x,x',y,y'|a,a',b)\) is satisfied when they have to open to the bit b, is given by

$$ \mathrm {Prob}^*_{q}[\mathsf {Acc}|b] := \sum _{a,a',x,x',y,y'} p(a,a') \cdot q(x,x',y,y'|a,a',b,b) \cdot \mathsf {Acc}(x,x',y,y'|a,a',b) \, . $$

We are now ready to define the binding property.

Definition 7

A two-prover commitment scheme \(\mathsf {Com}\) is \(\delta \)-binding (against non-signaling attacks) if it holds for any non-signaling two-round bipartite system \(q(x,x',y,y'|a,a',b,b')\) that

$$ \mathrm {Prob}^*_{q}[\mathsf {Acc}|0] + \mathrm {Prob}^*_{q}[\mathsf {Acc}|1] \le 1 + \delta \, . $$

In other words, a scheme is \(\delta \)-binding if in the above game the dishonest provers win with probability at most \((1+\delta )/2\) when \(b \in \{0,1\}\) is chosen uniformly at random. If a commitment scheme is binding (for a small \(\delta \)) in the sense of Definition 7, then for any strategy q for \(\hat{P}\) and \(\hat{Q}\), they can just as well honestly commit to a bit \(\hat{b}\), where \(\hat{b}\) is set to 0 with probability \(p_0 = \mathrm {Prob}^*_{q}[\mathsf {Acc}|0]\) and to 1 with probability \(p_1 = 1 - p_0 \approx \mathrm {Prob}^*_{q}[\mathsf {Acc}|1]\), and they will have essentially the same respective success probabilities in opening the commitment to \(b = 0\) and to \(b = 1\).

4 Impossibility of Two-Prover Commitments

In this section, we show impossibility of secure single-round two-prover commitments against arbitrary non-signaling attacks. We start with the analysis of a restricted class of schemes which are easier to understand and for which we obtained stronger results.

4.1 Simple Schemes

We first consider a special, yet natural, class of schemes. We call a two-prover commitment scheme \(\mathsf {Com}\) simple if it has the same communication pattern as the scheme described in the introduction. More formally, it is called simple if \(a',x'\) and y are “empty” (or fixed), i.e., if \(\mathsf {Com}\) is given by p(a), \(p_0(x,y'|a)\), \(p_1(x,y'|a)\) and \(\mathsf {Acc}(x,y'|a,b)\); to simplify notation, we then write y instead of \(y'\). In other words, \(P\) is only involved in the commit phase, where, in order to commit to bit b, he outputs x upon input a, and \(Q\) is only involved in the opening phase, where he outputs y. The non-signaling requirement for \(\mathsf {Com}\) then simplifies to \(p_b(y|a) = p_b(y)\). Recall that by our convention, we may write \(p(x_0,y_0|a)\) instead of \(p_0(x,y|a)\) and \(p(x_1,y_1|a)\) instead of \(p_1(x,y|a)\).

In case of such a simple two-prover commitment scheme \(\mathsf {Com}\), a non-signaling two-prover strategy reduces to a non-signaling one-round bipartite system as specified in Definition 2 (see Fig. 2).

Fig. 2. The adversaries’ strategy q(xy|ab) in case of a simple commitment scheme.

As a warm-up exercise, we first consider a simple two-prover commitment scheme that is perfectly hiding and perfectly sound. Recall that formally, a simple scheme is given by p(a), \(p_0(x,y|a)\), \(p_1(x,y|a)\) and \(\mathsf {Acc}(x,y|a,b)\), and the perfect hiding property means that \(p_0(x|a) = p_1(x|a)\) for any a. To show that such a scheme cannot be binding, we have to show that there exists a non-signaling one-round bipartite system q(xy|ab) such that \(\mathrm {Prob}^*_{q}[\mathsf {Acc}|0] + \mathrm {Prob}^*_{q}[\mathsf {Acc}|1]\) is significantly larger than 1. But this is actually trivial: we can simply set \(q(x,y|a,b) := p_b(x,y|a)\). It then holds trivially that

$$\begin{aligned} \mathrm {Prob}^*_{q}[\mathsf {Acc}|b]&= \sum _{a,x,y} p(a) \, q(x,y|a,b) \,\mathsf {Acc}(x,y|a,b)\\&= \sum _{a,x,y} p(a) \,p_b(x,y|a)\, \mathsf {Acc}(x,y|a,b)\\&= {\mathrm {Prob}}_{p}[\mathsf {Acc}|b] \end{aligned}$$

and thus that the dishonest provers are as successful in opening the commitment as are the honest provers in opening an honestly prepared commitment. Thus, the binding property is broken as badly as it can get. The only thing that needs to be verified is that q(xy|ab) is non-signaling, i.e., that \(q(x|a,b) = q(x|a)\) and \(q(y|a,b) = q(y|b)\). To see that the latter holds, note that \(q(y|a,b) = p_b(y|a)\), and because \(\mathsf {Com}\) is non-signaling we have that \(p_b(y|a) = p_b(y)\), i.e., does not depend on a. Thus, the same holds for q(y|ab) and we have \(q(y|a,b) = q(y|b)\). The former condition follows from the (perfect) hiding property: \(q(x|a,b) = p_b(x|a) = p_{b'}(x|a) = q(x|a,b')\) for arbitrary \(b,b' \in \{0,1\}\), and thus \(q(x|a,b) = q(x|a)\).

Below, we show how to extend this result to non-perfectly-hiding simple schemes. In this case, we cannot simply set \(q(x,y|a,b) := p_b(x,y|a)\), because such a q would not be non-signaling anymore; it would merely be “almost non-signaling”. Instead, we have to find a strategy q(xy|ab) that is (perfectly) non-signaling and close to \(p_b(x,y|a)\); we will find such a strategy with the help of Lemma 1. In Sect. 4.2, we will then consider general schemes where both provers interact with the verifier in both phases. In this general case, further complications arise.

Theorem 1

Consider a simple two-prover commitment scheme \(\mathsf {Com}\) that is \(\varepsilon \)-hiding. Then, there exists a non-signaling strategy q(xy|ab) such that

$$ {\mathrm {Prob}}_q^* [\mathsf {Acc}|0] = {\mathrm {Prob}}_p [\mathsf {Acc}|0] \quad \text {and}\quad {\mathrm {Prob}}_q^* [\mathsf {Acc}|1] \ge {\mathrm {Prob}}_p [\mathsf {Acc}|1] - \varepsilon \, . $$

If \(\mathsf {Com}\) is perfectly sound, it follows that

$${\mathrm {Prob}}_q^*[\mathsf {Acc}|0]+{\mathrm {Prob}}_q^*[\mathsf {Acc}|1] \ge 1 +(1-\varepsilon )$$

and thus it cannot be \(\delta \)-binding for \(\delta < 1-\varepsilon \).

Proof

Recall that \(\mathsf {Com}\) is given by p(a), \(p_b(x,y|a)\) and \(\mathsf {Acc}(x,y|a,b)\), and we write \(p(x_b,y_b|a)\) instead of \(p_b(x,y|a)\). Because \(\mathsf {Com}\) is \(\varepsilon \)-hiding, it holds that \(d\bigl (p(x_0|a),p(x_1|a)\bigr ) \le \varepsilon \) for any fixed a. Thus, using Lemma 1 for every a, we can glue together \(p(x_0,y_0|a)\) and \(p(x_1,y_1|a)\) along \(x_0\) and \(x_1\) to obtain a distribution \(p(x_0,x_1,y_0,y_1|a)\) such that \(p(x_0\ne x_1|a)\le \varepsilon \), and in particular \(d\bigl (p(x_0,y_1|a), p(x_1,y_1|a)\bigr )\le \varepsilon \).

We define a strategy q for the dishonest provers by setting \(q(x,y|a,b) := p(x_0,y_b|a)\) (see Fig. 3). First, we show that q is non-signaling. Indeed, we have \(q(x|a,b) = p(x_0|a)\) for any b, so \(q(x|a,b) = q(x|a)\), and we have \(q(y|a,b) = p(y_b|a) = p(y_b)\) for any a, and thus \(q(y|a,b) = q(y|b)\).

As for the acceptance probability, for \(b = 0\) we have \(q(x,y|a,0) = p(x_0, y_0|a)\) and as such \({\mathrm {Prob}^*_q [\mathsf {Acc}|0]}\) equals \({\mathrm {Prob}}_p [\mathsf {Acc}| 0]\). For \(b=1\), we have

$$d\bigl (q(x,y|a,1),p(x_1,y_1|a)\bigr ) = d\bigl (p(x_0,y_1|a),p(x_1,y_1|a)\bigr )\le \varepsilon $$

and since the statistical distance does not increase under data processing, it follows that \({\mathrm {Prob}}_p[\mathsf {Acc}|1]\) and \({\mathrm {Prob}}_q^*[\mathsf {Acc}|1]\) are \(\varepsilon \)-close; this proves the claim.    \(\square \)

Fig. 3. Defining the strategy q by gluing together \(p(x_0,y_0|a)\) and \(p(x_1,y_1|a)\).
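The construction in the proof of Theorem 1, carried out numerically as an added example (not code from the paper). The toy scheme is constructed for illustration: the introduction's scheme with \(n = 2\) in which P's message additionally carries a tag that reveals b with probability \(\varepsilon = 1/4\); the gluing is realized here by a maximal coupling of \(x_0\) and \(x_1\), which is an assumption about how Lemma 1 is instantiated.

```python
from collections import defaultdict
from fractions import Fraction as F
from itertools import product

STRINGS = range(4)  # a and r range over {0,1}^2, encoded as integers
EPS = F(1, 4)       # constructed leak probability: the toy scheme is EPS-hiding
NO_TAG = 2          # tag value meaning "nothing leaked"

def honest(b, a):
    """p_b(x,y|a) of the constructed scheme: x = (r XOR a*b, tag), y = r."""
    p = defaultdict(F)
    for r in STRINGS:
        p[((r ^ (a * b), NO_TAG), r)] += (1 - EPS) / len(STRINGS)
        p[((r ^ (a * b), b), r)] += EPS / len(STRINGS)  # tag reveals b
    return dict(p)

def acc(x, y, a, b):
    """Acc(x,y|a,b): the opening matches and the tag does not contradict b."""
    return x[0] == y ^ (a * b) and x[1] in (NO_TAG, b)

def marginal(p, idx):
    m = defaultdict(F)
    for outcome, w in p.items():
        m[outcome[idx]] += w
    return dict(m)

def glued_x0_y1(p0, p1):
    """p(x_0,y_1|a): couple x_0 and x_1 maximally, draw y_1 from p1(y|x_1)."""
    m0, m1 = marginal(p0, 0), marginal(p1, 0)
    xs = set(m0) | set(m1)
    same = {x: min(m0.get(x, F(0)), m1.get(x, F(0))) for x in xs}
    d = 1 - sum(same.values())  # = p(x_0 != x_1|a), the statistical distance
    q = defaultdict(F)
    for (x1, y), w in p1.items():
        cond = w / m1[x1]               # p1(y | x_1)
        q[(x1, y)] += same[x1] * cond   # branch x_0 = x_1
        for x0 in (xs if d else ()):    # branch x_0 != x_1, total mass d
            extra0, extra1 = m0.get(x0, F(0)) - same[x0], m1[x1] - same[x1]
            q[(x0, y)] += extra0 * extra1 / d * cond
    return {k: v for k, v in q.items() if v}

def strategy(a, b, glued=True):
    """q(x,y|a,b): glued strategy p(x_0,y_b|a), or the naive q := p_b."""
    if b == 0 or not glued:
        return honest(b, a)
    return glued_x0_y1(honest(0, a), honest(1, a))

def is_non_signaling(glued):
    """Check q(x|a,b) = q(x|a) and q(y|a,b) = q(y|b) for all inputs."""
    x_ok = all(marginal(strategy(a, 0, glued), 0) == marginal(strategy(a, 1, glued), 0)
               for a in STRINGS)
    y_ok = all(marginal(strategy(a, b, glued), 1) == marginal(strategy(0, b, glued), 1)
               for a, b in product(STRINGS, (0, 1)))
    return x_ok and y_ok

def accept_prob(b, glued=True):
    """Prob*_q[Acc|b] with a uniform."""
    return sum(F(1, len(STRINGS)) * w for a in STRINGS
               for (x, y), w in strategy(a, b, glued).items() if acc(x, y, a, b))

if __name__ == "__main__":
    print("naive q := p_b non-signaling?", is_non_signaling(False))
    print("glued q non-signaling?       ", is_non_signaling(True))
    print("Prob*[Acc|0], Prob*[Acc|1]:  ", accept_prob(0), accept_prob(1))
```

For this toy scheme the naive \(q := p_b\) fails the non-signaling check, while the glued strategy passes it and is accepted with probability 1 for \(b = 0\) and \(1-\varepsilon\) for \(b = 1\).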

The bound on the binding property in Theorem 1 is tight, as the following theorem shows. The proof is given in the full version [6].

Theorem 2

For all \(\varepsilon \in \mathbb {Q}\) such that \(0 < \varepsilon \le 1\) there exists a classical simple two-prover commitment scheme that is perfectly sound, \(\varepsilon \)-hiding and \((1-\varepsilon )\)-binding against non-signaling adversaries.

4.2 Arbitrary Schemes

We now remove the restriction on the scheme to be simple. As before, we first consider the case of a perfectly hiding scheme.

Theorem 3

Let \(\mathsf {Com}\) be a single-round two-prover commitment scheme. If \(\mathsf {Com}\) is perfectly hiding, then there exists a non-signaling two-prover strategy \(q(x,x',y,y'|a,a',b,b')\) such that

$$ \mathrm {Prob}^*_{q}[\mathsf {Acc}|b] = {\mathrm {Prob}}_p[\mathsf {Acc}|b] $$

for \(b \in \{0,1\}\).

Proof

\(\mathsf {Com}\) being perfectly hiding means that \(d(p(x_0,x_0'|a,a'),p(x_1,x_1'|a,a'))=0\) for all a and \(a'\). Gluing together the distributions \(p(x_0,x_0',y_0,y'_0|a,a')\) and \(p(x_1,x_1',y_1,y'_1|a,a')\) along \((x_0,x_0')\) and \((x_1,x_1')\) for every \((a,a')\), we obtain a distribution \(p(x_0,x_0',x_1,x_1',y_0,y_0',y_1,y_1'|a,a')\) with the correct marginals and \(p((x_0,x_0')\ne (x_1,x_1')|a,a') = 0\). That is, we have \(x_0 = x_1\) and \(x_0' = x_1'\) with certainty. We now define a strategy for the dishonest provers (see Fig. 4) as

$$q(x,x',y,y'|a,a',b,b') := p(x_0,x_0',y_b,y_{b'}'|a,a') \, . $$

Since \(p(x_0,x_0',y_b,y_b'|a,a') = p(x_b,x_b',y_b,y_b'|a,a')\), it holds that \({\mathrm {Prob}}_q^* [ \mathsf {Acc}| b] = {\mathrm {Prob}}_p [ \mathsf {Acc}| b]\). It remains to show that this distribution satisfies the non-signaling and causality constraints (C1) up to (NS2) of Definition  2. This is done below.

  • For (C1), note that summing up over y and \(y'\) yields \(q(x,x'|a,a',b,b') = p(x_0,x_0'|a,a')\), which indeed does not depend on b and \(b'\).

  • For (NS1), note that \(q(x,y|a,a',b,b') = p(x_0,y_b|a,a') = p(x_b,y_b|a,a') = p(x_b,y_b|a)\), where the last equality holds by the non-signaling property of \(p(x_b,y_b|a,a')\).

  • For (C2), first note that

    $$ q(x,x',y|a,a',b,b') = p(x_0,x_0',y_b|a,a') \tag{2} $$

    which does not depend on \(b'\). We then see that (C2) holds by dividing by \(q(x,y|a,a',b,b') = p(x_0,y_b|a,a')\).

  • For (NS2), divide Eq. (2) by \(q(x,x'|a,a',b,b') = p(x_0,x_0'|a,a')\).

The properties (C1) to (NS2) with the roles of the primed and unprimed variables exchanged follow from symmetry. This concludes the proof.    \(\square \)

Fig. 4. Defining q from \(p(x_0,x_0',y_0,y_0'|a,a')\) and \(p(x_1,x_1',y_1,y_1'|a,a')\) glued together.

The case of non-perfectly hiding schemes is more involved. At first glance, one might expect that by proceeding analogously to the proof of Theorem 3 — i.e., gluing together \(p(x_0,x_0',y_0,y'_0|a,a')\) and \(p(x_1,x_1',y_1,y'_1|a,a')\) along \((x_0,x_0')\) and \((x_1,x_1')\) and defining q the same way — one can obtain a strategy q that succeeds with probability \(1-\varepsilon \) if the scheme is \(\varepsilon \)-hiding. Unfortunately, this approach fails because in order to show (NS1) we use that \(p(x_0,y_1|a,a') = p(x_1,y_1|a,a')\) which in general does not hold for commitment schemes that are not perfectly hiding. As a consequence, our proof is more involved, and we have a constant-factor loss in the parameter.

Theorem 4

Let \(\mathsf {Com}\) be a single-round two-prover commitment scheme and suppose that it is \(\varepsilon \)-hiding. Then there exists a non-signaling two-prover strategy \(q(x,x',y,y'|a,a',b,b')\) such that

$$ \mathrm {Prob}^*_q [\mathsf {Acc}| 0] = {\mathrm {Prob}}_p [\mathsf {Acc}| 0] \quad \text {and}\quad \mathrm {Prob}^*_q [\mathsf {Acc}| 1] \ge {\mathrm {Prob}}_p [\mathsf {Acc}| 1] - 5\varepsilon \, . $$

Thus, if \(\mathsf {Com}\) is perfectly sound, it is at best \((1-5\varepsilon )\)-binding.

To prove this result, we use two lemmas. In the first one, we add the additional assumptions that \(p(x_0|a,a') = p(x_1|a,a')\) and \(p(x_0'|a,a') = p(x_1'|a,a')\). The second one shows that we can tweak an arbitrary scheme in such a way that these additional conditions hold. The proofs are given in the full version [6].

Lemma 2

Let \(\mathsf {Com}\) be an \(\varepsilon \)-hiding two-prover commitment scheme with the additional property that \(p(x_0|a,a') = p(x_1|a,a')\) and \(p(x_0'|a,a') = p(x_1'|a,a')\). Then, there exists a non-signaling \(p'(x_1,x_1',y_1,y_1'|a,a')\) such that

$$d\bigl (p'(x_1,x_1',y_1,y_1'|a,a'),p(x_1,x_1',y_1,y_1'|a,a')\bigr )\le \varepsilon $$

and \(p'(x_1,x_1'|a,a') = p(x_0,x_0'|a,a')\).

As usual, the non-signaling requirement on \(p'(x_1,x_1',y_1,y_1'|a,a')\) is to be understood as \(p'(x_1,y_1|a,a') = p'(x_1,y_1|a)\) and \(p'(x_1',y_1'|a,a') = p'(x_1',y_1'|a')\).

Lemma 3

Let \(\mathsf {Com}\) be an \(\varepsilon \)-hiding two-prover commitment scheme. Then, there exists a non-signaling \(\tilde{p}(x_1,x_1',y_1,y_1'|a,a')\) such that

$$d\bigl (\tilde{p}(x_1,x_1',y_1,y_1'|a,a'),p(x_1,x_1',y_1,y_1'|a,a')\bigr ) \le 2\varepsilon $$

which has the property that \(\tilde{p}(x_1|a,a') = p(x_0|a,a')\) and \(\tilde{p}(x_1'|a,a') = p(x_0'|a,a')\).

With these two lemmas, Theorem 4 is easy to prove.

Proof

(Theorem 4). We start with an \(\varepsilon \)-hiding non-signaling bit-commitment scheme \(\mathsf {Com}\). We apply Lemma 3 and obtain \(\tilde{p}(x_1,x_1',y_1,y_1'|a,a')\) that is \(2\varepsilon \)-close to \(p(x_1,x_1',y_1,y_1'|a,a')\) and satisfies \(\tilde{p}(x_1|a,a') = p(x_0|a,a')\) and \(\tilde{p}(x_1'|a,a') = p(x_0'|a,a')\). Furthermore, by the triangle inequality,

$$ d\bigl (\tilde{p}(x_1,x_1'|a,a'),p(x_0,x_0'|a,a')\bigr ) \le 3\varepsilon \, . $$

Thus, replacing \(p(x_1,x_1',y_1,y_1'|a,a')\) by \(\tilde{p}(x_1,x_1',y_1,y_1'|a,a')\) gives us a \(3\varepsilon \)-hiding two-prover commitment scheme that satisfies the extra assumption in Lemma 2. As a result, we obtain a distribution \(p'(x_1,x_1',y_1,y_1'|a,a')\) that is \(3\varepsilon \)-close to \(\tilde{p}(x_1,x_1',y_1,y_1'|a,a')\), and thus \(5\varepsilon \)-close to \(p(x_1,x_1',y_1,y_1'|a,a')\), with the property that \(p'(x_1,x_1'|a,a') = p(x_0,x_0'|a,a')\). Therefore, replacing \(\tilde{p}(x_1,x_1',y_1,y_1'|a,a')\) by \(p'(x_1,x_1',y_1,y_1'|a,a')\) gives us a perfectly-hiding two-prover commitment scheme, to which we can apply Theorem 3. As a consequence, there exists a non-signaling strategy \(q(x,x',y,y'|a,a',b,b')\) with \(\mathrm {Prob}^*_q[\mathsf {Acc}|0] = {\mathrm {Prob}}_p[\mathsf {Acc}|0]\) and \(\mathrm {Prob}^*_q[\mathsf {Acc}|1] \ge {\mathrm {Prob}}_p[\mathsf {Acc}|1]-5\varepsilon \), as claimed.

Remark 5

If \(\mathsf {Com}\) already satisfies \(p(x_0|a,a') = p(x_1|a,a')\) and \(p(x_0'|a,a') = p(x_1'|a,a')\), we can apply Lemma  2 right away and thus get a strategy q with \(\mathrm {Prob}^*_q[\mathsf {Acc}|0] = {\mathrm {Prob}}_p[\mathsf {Acc}|0]\) and \(\mathrm {Prob}^*_q[\mathsf {Acc}|1]\ge {\mathrm {Prob}}_p[\mathsf {Acc}|1] - \varepsilon \). Thus, with this additional condition, we still obtain a tight bound as in Theorem 1.

4.3 Multi-round Schemes

We briefly discuss a limited extension of our impossibility results for single-round schemes to schemes where during the commit phase, there is multi-round interaction between the verifier V and the two provers P and Q. We still assume the opening phase to be one-round; this is without loss of generality in case of classical two-prover commitment schemes (where the honest provers are restricted to be classical). In this setting, we have the following impossibility result, which is restricted to perfectly-hiding schemes.

Theorem 5

Let \(\mathsf {Com}\) be a multi-round two-prover commitment scheme. If \(\mathsf {Com}\) is perfectly hiding, then there exists a non-signaling two-prover strategy that completely breaks the binding property, in the sense of Theorem 3.

A formal proof of this statement requires a definition of n-round non-signaling bipartite systems for arbitrary n. Such a definition can be based on the intuition that it must be possible to query the left and right subsystem in any order. With this definition, the proof is a straightforward extension of the proof of Theorem  3: the non-signaling strategy is obtained by gluing together \(p(\mathbf{x}_0,\mathbf{x}_0'|\mathbf{a},\mathbf{a}')\) and \(p(\mathbf{x}_1,\mathbf{x}_1'|\mathbf{a},\mathbf{a}')\) along \((\mathbf{x}_0,\mathbf{x}_0')\) and \((\mathbf{x}_1,\mathbf{x}_1')\), and setting \(q(\mathbf{x},\mathbf{x}',y,y'|\mathbf{a},\mathbf{a}',b,b') := p(\mathbf{x}_0,\mathbf{x}_0',y_b,y_{b'}'|\mathbf{a},\mathbf{a}')\), where we use bold-face notation for the vectors that collect the messages sent during the multi-round commit phase: \(\mathbf{a}\) collects all the messages sent by the verifier to the prover P, etc.

As far as we see, the proof of the non-perfect case, i.e. Theorem  4, does not generalize immediately to the multi-round case. As such, proving the impossibility of non-perfectly-hiding multi-round two-prover commitment schemes remains an open problem.

5 Possibility of Three-Prover Commitments

It turns out that we can overcome the impossibility results by adding a third prover. We will describe a scheme that is perfectly sound, perfectly hiding and \(2^{-n}\)-binding with communication complexity O(n). We now define what it means for three provers to be non-signaling; since our scheme is similar to a simple scheme, we can simplify this somewhat. We consider distributions q(xyz|abc) where a and x are input and output of the first prover P, b and y are input and output of the second prover Q and c and z are input and output of the third prover R.

Definition 8

A conditional distribution q(xyz|abc) is called a non-signaling (one-round) tripartite system if it satisfies

$$ q(x|a,b,c) = q(x|a) \;\text {,}\quad q(y|a,b,c) = q(y|b) \;\text {,}\quad q(z|a,b,c) = q(z|c) \;\text {,}$$

and

$$q(x,y|a,b,c) = q(x,y|a,b) \text {,}\; q(x,z|a,b,c) = q(x,z|a,c) \text {,}\; q(y,z|a,b,c) = q(y,z|b,c) \text {.}$$

In other words, for any way of viewing q as a bipartite system by dividing in- and outputs consistently into two groups, we get a non-signaling bipartite system.

We restrict to simple schemes, where during the commit phase, only P is active, sending x upon receiving a from the verifier, and during the opening phase, only Q and R are active, sending y and z to the verifier, respectively.

Definition 9

A simple three-prover commitment scheme \(\mathsf {Com}\) consists of a probability distribution p(a), two distributions \(p_0(x,y,z|a)\) and \(p_1(x,y,z|a)\), and an acceptance predicate \(\mathsf {Acc}(x,y,z|a,b)\).

It is called classical/quantum/non-signaling if \(p_b(x,y,z|a)\) is, when understood as a tripartite system \(p_b(x,y,z|a,\emptyset ,\emptyset )\) with two “empty” inputs.

Soundness and the hiding-property are defined in the obvious way. As for the binding property, for a simple three-prover commitment scheme \(\mathsf {Com}\) and a non-signaling strategy q(xyz|abc), let

$$ {\mathrm {Prob}}_q^* [\mathsf {Acc}|b] = \sum _{a,x,y,z} p(a)\cdot q(x,y,z|a,b,b)\cdot \mathsf {Acc}(x,y,z|a,b) \, . $$

We say that \(\mathsf {Com}\) is \(\delta \)-binding if

$${\mathrm {Prob}}_q^* [\mathsf {Acc}|0] + {\mathrm {Prob}}_q^*[\mathsf {Acc}|1] \le 1 +\delta \text{. }$$

Theorem 6

For every positive integer n, there exists a classical simple three-prover commitment scheme that is perfectly sound, perfectly hiding and \(2^{-n}\)-binding. The verifier communicates n bits to the first prover and receives n bits from each prover.

The scheme that achieves this is essentially the same as the example two-prover scheme described in the introduction, except that we add a third prover that imitates the actions of the second. To be more precise: the provers P, Q and R have as shared randomness a uniformly random \(r \in \{0,1\}^n\). The verifier V chooses a uniformly random \(a \in \{0,1\}^n\) and sends it to P. As commitment, P returns \(x := r \oplus a\cdot b\). To open the commitment to b, Q and R send \(y:= r\) and \(z := r\) to V who accepts if and only if \(y = z\) and \(x = y \oplus a\cdot b\).

Before beginning with the formal proof that this scheme has the properties stated in our theorem, we give some intuition. Let a and x be the input and output of the dishonest first prover, P. To succeed, the second prover Q has to produce output \(x\oplus a\cdot b\) where b is the second prover’s input and the third prover R has to produce \(x\oplus a\cdot c\) where c is the third prover’s input. Our theorem implies that a strategy which always produces these outputs must be signaling. Why is that the case?

In the game that defines the binding-property, we always have \(b=c\), but the dishonest provers must obey the non-signaling constraint even in the “impossible” case that \(b\ne c\). Let us consider the XOR of Q’s output and R’s output in the case that \(b\ne c\): we get \((x \oplus a\cdot b) \oplus (x \oplus a\cdot c) = a\cdot b \oplus a\cdot c = a\). But in the non-signaling setting, the joint distribution of Q’s and R’s output may not depend on a. Thus, the strategy we suggested does not satisfy the non-signaling constraint. Let us now prove the theorem.

Proof

(Theorem  6). It is easy to see that the scheme is sound. Furthermore, for every fixed a and b, \(p_b(x|a)\) is uniform, so the scheme is perfectly hiding. Now consider a non-signaling strategy q for dishonest provers. The provers succeed if and only if \(y = z = x \oplus a\cdot b\). Define \(q(a,x,y,z|b,c) = p(a)\cdot q(x,y,z|a,b,c)\). The non-signaling property implies that

$$ q(y = x\oplus a\cdot b|a,b,c=0) = q(y = x\oplus a\cdot b|a,b,c=1) \quad \text {and} \tag{3} $$

$$ q(z = x\oplus a\cdot c | a,b=0,c) = q(z=x\oplus a\cdot c|a,b=1,c) \, . \tag{4} $$

It follows that

$$\begin{aligned}&\mathrm {Prob}^*_q[\mathsf {Acc}|0] + \mathrm {Prob}^*_q[\mathsf {Acc}|1]\\&\qquad \qquad = q(y = x\oplus a\cdot b, z = x\oplus a\cdot c|b=0, c=0)\\&\qquad \qquad \qquad \, + q(y = x\oplus a\cdot b, z = x\oplus a\cdot c|b=1, c=1)\\&\qquad \qquad \le \ q(y = x\oplus a\cdot b| b=0, c= 0) + q(z=x\oplus a\cdot c|b=1,c=1)\\&\qquad \qquad = q(y = x\oplus a\cdot b|b=0,c=1) + q(z=x\oplus a\cdot c|b=0,c=1)\\&\qquad \qquad \qquad \, {\text {by Eqs. (3) and (4)}}\\&\qquad \qquad \le 1+q(y = x\oplus a\cdot b, z=x\oplus a\cdot c|b=0,c=1)\, {\text {by Eq. (1)}} \end{aligned}$$

It now remains to upper-bound \(q(y = x\oplus a\cdot b, z=x\oplus a\cdot c|b=0,c=1)\). Since p(a) is uniform and q(yz|abc) is independent of a, we have

$$ q(y=x\oplus a\cdot b, z=x\oplus a\cdot c|b=0,c=1) \le q(y\oplus z = a|b=0,c=1) = \frac{1}{2^n} $$

and thus our scheme is \(2^{-n}\)-binding.    \(\square \)
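The intuition and the bound of Theorem 6, checked exhaustively for \(n = 2\) as an added example (not code from the paper). `cheating_strategy` is the always-accepted strategy from the intuition paragraph; `guessing_strategy`, in which the provers share a guess for a, is a hypothetical local strategy added here to show that the value \(1 + 2^{-n}\) is attained.

```python
from collections import defaultdict
from fractions import Fraction as F
from itertools import product

N = 2                      # toy security parameter (constructed)
STRINGS = range(2 ** N)    # n-bit strings encoded as integers
U = F(1, len(STRINGS))     # probability of one uniform n-bit string

def cheating_strategy(a, b, c):
    """q(x,y,z|a,b,c) from the intuition: x uniform, y = x^a*b, z = x^a*c."""
    return {(x, x ^ (a * b), x ^ (a * c)): U for x in STRINGS}

def guessing_strategy(a, b, c):
    """Local strategy: provers share r and a guess g for a; nobody uses a."""
    q = defaultdict(F)
    for r, g in product(STRINGS, STRINGS):
        q[(r, r ^ (g * b), r ^ (g * c))] += U * U
    return dict(q)

def marginal(dist, keep):
    m = defaultdict(F)
    for outcome, w in dist.items():
        m[tuple(outcome[i] for i in keep)] += w
    return dict(m)

# Definition 8: the outputs of any subset of provers (positions 0=P, 1=Q, 2=R)
# may depend only on the inputs of that same subset.
SUBSETS = [(0,), (1,), (2,), (0, 1), (0, 2), (1, 2)]

def violated_conditions(strategy):
    """Prover subsets whose joint output distribution depends on a foreign input."""
    bad = []
    for keep in SUBSETS:
        seen = {}
        for inputs in product(STRINGS, (0, 1), (0, 1)):
            own = tuple(inputs[i] for i in keep)
            m = marginal(strategy(*inputs), keep)
            if seen.setdefault(own, m) != m:
                bad.append(keep)
                break
    return bad

def accept_prob(strategy, b):
    """Prob*_q[Acc|b]: a uniform, Q and R both get b, Acc iff y = z and x = y^a*b."""
    return sum(U * w for a in STRINGS
               for (x, y, z), w in strategy(a, b, b).items()
               if y == z and x == y ^ (a * b))

def binding_sum(strategy):
    return accept_prob(strategy, 0) + accept_prob(strategy, 1)

if __name__ == "__main__":
    for s in (cheating_strategy, guessing_strategy):
        print(s.__name__, "violates", violated_conditions(s), "sum", binding_sum(s))
```

Only the (Q, R) condition of Definition 8 fails for the cheating strategy, so the same outputs restricted to P and Q form a valid non-signaling attack on the two-prover scheme.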

Remark 6

The three-prover scheme above has the drawback that two provers are involved in the opening phase; as such, there needs to be agreement on whether to open the commitment or not; if there is disagreement then this may be problematic in certain applications. However, P and Q are not allowed to communicate. One possible solution is to have V forward an authenticated “open” or “not open” message from P to Q and R. This allows for some communication from P to Q and R, but if the size of the authentication tag is small enough compared to the security parameter of the scheme, i.e., n, then security is still ensured.