Device-Independent Bit Commitment based on the CHSH Inequality

Bit commitment and coin flipping occupy a unique place in the device-independent landscape, as the only device-independent protocols thus far suggested for these tasks are reliant on tripartite GHZ correlations. Indeed, we know of no other bipartite tasks, which admit a device-independent formulation, but which are not known to be implementable using only bipartite nonlocality. Another interesting feature of these protocols is that the pseudo-telepathic nature of GHZ correlations -- in contrast to the generally statistical character of nonlocal correlations, such as those arising in the violation of the CHSH inequality -- is essential to their formulation and analysis. In this work, we present a device-independent bit commitment protocol based on CHSH testing, which achieves the same security as the optimal GHZ-based protocol. The protocol is analyzed in the most general settings, where the devices are used repeatedly and may have long-term quantum memory. We also recast the protocol in a post-quantum setting where both honest and dishonest parties are restricted only by the impossibility of signaling, and find that overall the supra-quantum structure allows for greater security.


I. INTRODUCTION
The security of cryptographic protocols, whether quantum or classical, depends on the satisfaction of certain assumptions. These include the integrity of each party's lab and their having a trusted source of randomness to make the random choices called for by the protocol. Beyond these, classical protocols will also usually include assumptions regarding the computational power of dishonest parties. The security of quantum protocols, in contrast, is based only on the validity of quantum theory. Nevertheless, to harness this validity, assumptions regarding the implementation must be made. Most protocols make many such assumptions, including regarding the internal workings of the devices used in the implementation, e.g. specifying the Hilbert space dimension of the quantum systems used and the bases of the measurements performed. Protocols of this type are said to be device-dependent. Clearly, it is desirable to base security on a minimum number of assumptions, as this facilitates its evaluation. The aim of the device-independent approach to quantum cryptography [1,2] is to do just that by doing away with a maximum number of assumptions regarding the implementation.
More specifically, a cryptographic protocol is said to be device-independent if its security can be guaranteed without making assumptions about the internal workings of the devices used in its implementation. This can be achieved by carrying out Bell tests on entangled systems. The level of security is then deduced from the observed amount of nonlocality. In particular, each device is treated as a black box with knobs and registers for selecting and displaying (classical) inputs and outputs. For instance, in device-independent quantum key-distribution a high violation of the CHSH inequality [3] guarantees that an eavesdropper will have no information about the (post-processed) key [2,4-10]. In contrast, in the (device-dependent) entanglement-based version of the BB84 protocol it has been shown that if the source dispenses qudits instead of qubits then security can be utterly compromised [11,12]. Indeed, recent hacking attacks on quantum key-distribution systems, such as those of [13,14], exploit device-dependent modes of failure and would not be successful in device-independent settings.
In addition to quantum key-distribution, device-independent protocols have been introduced for diverse tasks such as randomness generation [15-21], the self-testing of quantum computers [1,8,11,22], state estimation [23-27], genuine multipartite entanglement certification [28], and entanglement quantification [29]. However, until recently it was not known whether the scope of the device-independent approach also covers protocols in the distrustful cryptography class, where the parties do not trust each other and may have conflicting goals. Problems in this class present us with an extra challenge in device-independent settings as compared to tasks such as quantum key-distribution, namely, how to allow remote distrustful parties to certify the presence of nonlocality without collaborating. In [30] it was shown that imperfect bit commitment admits a device-independent formulation, and, since bit commitment may serve as a primitive for coin flipping, so does coin flipping (a device-independent coin flipping protocol, not based on bit commitment, was also introduced in [35]). Whether these results extend to all problems in the distrustful cryptography class remains an open question.
A notable feature of the protocols of [30,35] is that they are based on GHZ correlations [36,37]. Indeed, bit commitment and coin flipping are the only examples we have of bipartite tasks, which admit a device-independent formulation, but which are not known to admit one based on CHSH testing (i.e. sequential tests of the CHSH inequality), or, more generally, on some other bipartite Bell inequality testing. This is especially interesting in light of Reichardt et al.'s recent demonstration [8] that CHSH testing can provide the basis for many device-independent applications in the most general settings where the devices have long-term quantum memory.
In [30,35], the pseudo-telepathic nature of GHZ correlations is exploited to circumvent the unique difficulties associated with distrustful cryptography, specifically, the fact that different parties have conflicting goals and do not trust each other. Quantum pseudo-telepathy is the term coined for the phenomenon of always winning in nonlocal games, which classically (i.e. without sharing entanglement) can only be won part of the time. A famous example is the GHZ game [38]. In particular, pseudo-telepathy entails perfect correlations. In [30] pseudo-telepathy is used to allow Bob to verify the presence of nonlocal correlations (GHZ correlations) and at the same time to verify Alice's commitment (that the token of her commitment is consistent with the value of the bit she reveals). Crucially, Bob uses the same measurements to verify both the presence of nonlocality and the commitment.
Unfortunately, pseudo-telepathy is absent in the CHSH setting [39], and so it is a priori unclear whether bipartite distrustful cryptographic tasks can be based on CHSH testing, as is the case for all other examples of bipartite tasks that are known to admit a device-independent formulation. Beyond a theoretical interest, this question is also practically motivated, since manipulating tripartite entanglement, as would be required in a GHZ-based protocol, is obviously more difficult than manipulating EPR pairs, as would be required in a CHSH-based protocol.
In this work we present a device-independent bit commitment protocol, based on CHSH testing, which achieves the same security as that of [30]: in the limit of an infinite number of tests, Alice's control equals $\cos^2(\pi/8) \approx 0.8536$, while Bob's information gain equals $0.75$. This shows that pseudo-telepathy is not only inessential for device-independent distrustful cryptography, but that its absence does not necessarily impact security. Specifically, we show how to guarantee that the devices have no way of telling whether they are used as part of the nonlocality testing phase or the verification of the commitment; this is the crucial element on which security hinges.
Our security analysis covers the case of imperfect devices (i.e. the CHSH inequality is not maximally violated) and is carried out in the most general settings where memory effects (the dependence of a measurement outcome not only on the setting, but also on previous settings and outcomes) are taken into account.
It should be noted that in our protocol the reveal time is fixed and cannot be chosen at will by Alice. Strictly speaking, the protocol is thus not a bit commitment protocol. Nevertheless, depending on the application, it may still be used as a primitive. For example, our protocol can be used to implement coin flipping. The restriction on the reveal time can be lifted at the price of increasing Alice's cheating probability (see Appendix B), or by working in the large office scenario where instead of a pair of boxes there are many pairs (see Appendix C).
We also study the problem in a post-quantum world where both dishonest and honest parties are restricted only by the impossibility of signaling. This helps us identify the contribution of different resources to security. On the one hand, we might expect such a world to offer less security since a dishonest party would have access to stronger correlations. On the other hand, we might expect the converse, since the protocol itself could be modified to make use of these stronger correlations (in particular, pseudo-telepathy is restored in this setting). It turns out that on the balance this allows for more security.
The paper is structured as follows. We begin in Section II by defining the problem of bit commitment, and making explicit exactly what we mean by device-independence. Next, in Section III, we present the protocol, followed by the proofs of Alice's and Bob's securities in Sections IV and V, respectively. We conclude with a summary in Section VI. In Appendix A we present the post-quantum version of our protocol. Appendices B and C present modifications of the protocol where Alice can freely choose the reveal time.

A. Bit commitment
Bit commitment is a cryptographic primitive comprising two remote, distrustful parties. Party A, usually referred to as Alice, commits a bit to party B, usually referred to as Bob, such that following her commitment Alice cannot change its value and Bob is unable to learn it until she chooses to reveal it. Classically, if the dishonest party's computational power is unlimited, they can cheat perfectly. Quantumly, the dishonest party cannot cheat perfectly [33], though perfect bit commitment is still impossible [31,32].
A bit commitment protocol consists of two phases: the commit phase, in which Alice sends Bob some token of her commitment, and the reveal phase, in which Alice reveals to Bob the value of the committed bit. The probability with which dishonest Alice is able to control the value of the bit she wants to reveal following the commit phase, without being caught cheating by Bob, is referred to as Alice's control, which we will denote by $P_{cont} = \frac{1}{2}(p_0 + p_1)$. Here $p_0$ ($p_1$) is Alice's probability of successfully revealing 0 (1), and the factor of $\frac{1}{2}$ is due to the implicit assumption that she is equally likely to wish to reveal 0 as 1. Similarly, dishonest Bob's probability of correctly learning the value of the bit before the reveal phase is referred to as Bob's information gain, which we will denote by $P_{gain}$. In a perfect bit commitment protocol $P_{cont} = P_{gain} = \frac{1}{2}$. A protocol is said to be balanced if $P_{cont} = P_{gain}$. Quantumly, in any balanced protocol $P_{cont} = P_{gain} \gtrsim 0.739$, with the bound being saturable [34].

B. Device-independence
In this subsection we make more concrete exactly what we mean by device-independence. We make the following standard assumptions.
1. Alice and Bob have access to boxes, each with a knob for selecting a classical input s and a register for displaying a classical output r. Entering an input always results in an output (i.e. we do not consider losses).
2. Alice and Bob, whether honest or dishonest, are restricted by quantum theory.
3. The boxes may be prevented at will from communicating with one another.
4. Alice and Bob each have a trusted source of randomness.
5. No information leaks out of an honest party's lab.
Suppose now that an honest party has a pair of boxes 0 and 1. Assumptions 2 and 3 imply that the probability of outputting $r_0$ and $r_1$ when inputting $s_0$ and $s_1$ into boxes 0 and 1, respectively, is given by where $\rho$ is some joint quantum state and $\Pi_{r_i|s_i}$ is the POVM element corresponding to inputting $s_i$ and outputting $r_i$. This is the only constraint on the boxes' behavior. Specifically, a dishonest party may choose the state $\rho$ and the POVM elements $\Pi_{r_i|s_i}$ as best suits them. The boxes may also have internal memories, clocks, gyroscopes, etc., allowing a dishonest party to program them such that their behavior depends on their location, their past trajectories, the time at which inputs are fed, or any other aspect of their past history. In the following, we will consider situations where boxes are sent from one party to the other. By this, we do not mean that actual measurement devices are sent (though it is easier to present and formulate our results in this way). Instead, what we mean is that quantum states, or classical information encoding instructions for the measurement devices, are exchanged between the parties, such that in an honest execution of the protocol the same state $\rho$ and POVM elements $\Pi_{r_i|s_i}$ characterizing the behavior, say, of Alice's box before the transmission of quantum information will characterize the behavior of Bob's box after receiving the transmission.
Finally, we wish to emphasize that spacelike related measurements are not necessary in order to prevent the boxes from communicating (i.e. assumption 3). We may equally well shield each box (see [5,16] for a discussion of this point). This observation is important because (i) in our protocol many of the measurements are not spacelike related; (ii) relativistic causality is by itself sufficient for perfect bit commitment (whether purely classical [40] or quantum [41]), albeit at the cost of assigning at least one party two remote secure labs.

III. THE PROTOCOL
Before we go on to present the protocol, we fix notation. In the following we will consider a pair of four-input, $\{0, 1, 2, 3\}$, two-output, $\{0, 1\}$, boxes. The random variables designating the input and output corresponding to the $k$th use of box $i$ will be labeled by $S^i_k$ and $R^i_k$, respectively, with a specific realization (i.e. a specific value which they may assume) being labeled by the lower-case letters $s^i_k$ and $r^i_k$. Similarly, the random strings corresponding to $k$ consecutive uses of box $i$ will be labeled by $\mathbf{S}^i_k$ and $\mathbf{R}^i_k$. We define We will refer to a specific realization $w^k = \{w_1, \dots, w_k\}$ as the history of the protocol. Finally, $|0\rangle$ ($|1\rangle$) will be taken to represent the positive (negative) eigenstate of $\sigma_z$.
The protocol is based on EPR-state correlations. In an ideal implementation, the boxes are supposed to give rise to a violation of $2\sqrt{2}$ of the CHSH inequality in the sense that $r^0_n, r^1_n, s^0_n, s^1_n = 0, 1$ In addition, the boxes are supposed to output $r^0_n = r^1_n$ given the pairs of inputs $s^0_n = i$, $s^1_n = i + 2 \bmod 4$ ($i = 0, 1, 2, 3$). These correlations can be quantumly realized by preparing $N$ pairs of qubits, each pair in the $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ state. The inputs 0, 1, 2, and 3 of box 0 correspond to the measurements $\sigma_x$, $\sigma_z$, $\sigma_{\pi/4}$, and $\sigma_{3\pi/4}$, respectively, where $\sigma_\theta = \cos\theta\,\sigma_z + \sin\theta\,\sigma_x$. The inputs 0, 1, 2, and 3 of box 1 correspond to the measurements $\sigma_{\pi/4}$, $\sigma_{3\pi/4}$, $\sigma_x$, and $\sigma_z$, respectively.
Since we would also like to consider the noisy case, we do not assume in the following that the parties have perfect resources, i.e. the boxes are expected to give rise to a CHSH violation $I < 2\sqrt{2}$, and the outcomes $r^0_n, r^1_n$ for the pairs of inputs $s^0_n = i$ and $s^1_n = i + 2 \bmod 4$ are not perfectly correlated. We consider a family of protocols. Each protocol in the family is specified by a parameter $N > 1$ and a series of fixed times $t_i$ ($i = 1, \dots, N+1$) with $t_{i-1} < t_i < t_{i+1}$. For a given $N$ and choice of $t_i$, the protocol proceeds as follows:
1. Random selection - At time $t_a < t_1$ Bob picks uniformly at random, and in private, a number $n \in \{1, \dots, N\}$ and two input strings $\mathbf{s}^0_n \in \{0, 1\}^n$ and $\mathbf{s}^1_n \in \{0, 1\}^n$. At each of the $n$ times $t_i$ he feeds $s^0_i$ and $s^1_i$ into boxes 0 and 1, respectively. He uses the corresponding output strings $\mathbf{r}^0_n$ and $\mathbf{r}^1_n$ to compute the observed CHSH violation $\bar I_n(w^n)$, where $I(W_k)$ is the CHSH indicator function at step $k$. Bob then compares $\bar I_n(w^n)$ to some previously agreed threshold $I_{th}$. If $\bar I_n(w^n) < I_{th}$ he aborts the protocol. Otherwise, he flips a classical coin. Denote its outcome by $c$. At time $t_b < t_{n+1}$ he sends box $c$ to Alice.
2. Commit phase - Let $b$ be the value of the bit Alice wishes to commit. Alice inputs $s^c_{n+1} = b + 2$ into her box. She selects uniformly at random a classical bit $a$, and at time $t_c$ ($t_b < t_c < t_{n+1}$) sends Bob the classical bit $q = r^c_{n+1} \oplus ab$ as a token of her commitment.
3. Reveal phase - At time $t_d$ ($t_c < t_d < t_{n+1}$) Alice sends Bob $b$ and $r^c_{n+1}$. If $b$ and $r^c_{n+1}$ are not received before $t_{n+1}$, Bob aborts. Otherwise, Bob checks whether $q = r^c_{n+1}$ or $q = r^c_{n+1} \oplus b$. If neither relation is satisfied, he aborts. Else, at time $t_{n+1} > t_d$ he inputs $s^{\bar c}_{n+1} = s^c_{n+1} - 2 = b$ into his box and verifies that $r^{\bar c}_{n+1} = r^c_{n+1}$. If this last test fails, he aborts.
We note that in an honest execution of the protocol, Bob may end up aborting the protocol in the random selection phase even when the settings are ideal. Moreover, Bob will never know if his having to abort is due to Alice having been dishonest or due to the boxes having exhibited a statistically unlikely behavior. This is just a by-product of the statistical nature of the protocol, which is of course absent in the limit that N → ∞. However, if Bob does not abort the protocol in the random selection phase, then (assuming ideal settings and an honest execution) he will not abort it in the reveal phase and will always learn the correct value of the bit committed by Alice. In contrast, if there are physical imperfections present, such as noise or a misalignment of the measurement axes, then there is a non-vanishing probability that Bob will abort the protocol in the reveal phase even when Alice is honest. This is true of any practical formulation (i.e. a formulation accommodating imperfections), and has nothing to do with the protocol being device-independent.
We have required that Bob's measurements, including the one in the reveal phase, take place at fixed times $t_i$. This is in order to ensure that the box Bob keeps cannot tell whether it is being measured in the random selection phase or in the reveal phase (unless Bob picked $n = N$). Otherwise, Alice may program the boxes such that in the random selection phase they maximally violate the CHSH inequality, while in the reveal phase they behave deterministically, thereby allowing her to cheat perfectly. Specifically, the intervals $t_{i+1} - t_i$ must be sufficiently long to allow the following sequence of operations: (i) the sending of quantum information from Bob to Alice, (ii) Alice's measurement of the quantum system received from Bob, (iii) the sending of classical information from Alice and its receipt by Bob, and (iv) Bob's measurement of the quantum system remaining in his possession at $t_{i+1}$.
As mentioned earlier, since the reveal time cannot be chosen at will, strictly speaking, the protocol is not a bit commitment protocol. Nevertheless, depending on the application, it may still be used as a primitive. For example, our protocol may be used to implement coin flipping. The restriction on the reveal time can be lifted at the price of increasing Alice's control (see Appendix B), or by working in the large office scenario (see Appendix C).

IV. ALICE'S SECURITY
In the following, when considering the $(n+1)$th measurement of the boxes, i.e. the measurements taking place in the commit and reveal phases, we drop the subscript $n+1$ on $s^i_{n+1}$ and $r^i_{n+1}$.

A. Bob's information gain
Alice only receives a single box from Bob and does not verify the CHSH violation. Bob's most general cheating strategy is therefore to prepare Alice's box in an entangled state with an ancillary system in his possession. Since in the commit phase Bob receives from Alice a single classical bit $q$, Bob will perform one out of a pair of two-outcome measurements on his ancillary system to infer Alice's input $s^c$ (and consequently the committed bit $b = s^c - 2$). We denote Bob's binary input and output by $m$ and $g$, where $m = 0$ ($m = 1$) corresponds to the measurement he carries out when Alice sends $q = 0$ ($q = 1$), and $g$ is his guess of $s^c$. The probability $P(g \mid r^c, s^c, m)$ of obtaining the output $g$, given the input $m$, explicitly depends on Alice's input-output pair $s^c$ and $r^c$ (or, what is the same thing, on $b$ and $r^c$) because Bob's ancillary system and Alice's box are entangled. Bob's information gain is therefore given by: where $S$ denotes the set of all cheating strategies. Note that since Alice is honest she picks $b$ and $a$ fully at random, and so for any pair $b$ and $a$, $P(b, a) = \frac{1}{4}$. From normalization and the no-signaling constraints (i.e. $\sum_{r_1 = 0,1} P(r_0, r_1 \mid s_0, 0) = \sum_{r_1 = 0,1} P(r_0, r_1 \mid s_0, 1)$ and $\sum_{r_0 = 0,1} P(r_0, r_1 \mid 2, s_1) = \sum_{r_0 = 0,1} P(r_0, r_1 \mid 3, s_1)$) we obtain that $P(s_1, 0 \mid 2, s_1) + P(0, 1 \mid 3, s_1) + P(1, 1 \mid 3, s_1) \le 1$ and $P(0, 0 \mid 2, 0) + P(1, 0 \mid 2, 1) \le 1$, implying that $P_{gain} \le \frac{3}{4}$.

B. Bob's optimal cheating strategy
Bob's optimal cheating strategy is to prepare Alice's box such that $r^c = s^c - 2$ and guess $b = q$. Since Alice is honest, $q$ equals $r^c$ (and thus equals $b = s^c - 2$) 75% of the time. Alternately, Bob can employ a device-dependent strategy (i.e. where Alice's measurements are those prescribed by the protocol). In this strategy Bob actually prepares the boxes as prescribed by the protocol. Noting that the measurement settings which correspond to $s^{\bar c} = 0$ and $s^c = 2$ are identical, Bob inputs 0 into his box. Since $q$ equals Alice's outcome 75% of the time, Bob always treats it as her output. If his outcome equals $q$ Bob guesses that Alice input 2, otherwise he guesses that she input 3. Whenever Alice inputs 2, Bob's guess is correct. Whenever Alice inputs 3, Bob's guess is correct only half of the time. Bob's information gain is thus seen to equal the optimum, as well as the result of [30].

V. BOB'S SECURITY
This section is divided into three. In Subsections A and B we consider the case where the boxes at the $(n+1)$th iteration (i.e. after Bob's CHSH estimation) are known to be characterized by a fixed Bell violation $I \ge I_{th}$. As we will see in Subsection C, this is equivalent to considering the asymptotic limit in which the number of tests Bob carries out tends to infinity. Specifically, in Subsection A we derive an upper bound on Alice's control, given the CHSH expectation value $I$, and in Subsection B we present an optimal cheating strategy which saturates it. Finally, in Subsection C we use the bound derived in Subsection A to derive an upper bound on Alice's control in the general case where Bob carries out an arbitrary number of tests. In the limit that this number tends to infinity we recover the bound of Subsection A.
A. Alice's control in the asymptotic limit
Most generally, in the commit phase Alice carries out a two-outcome measurement on the systems in her possession: box $c$, which she received from Bob, and possibly some ancillary system with which the boxes may be entangled. The result of the measurement determines the value of $q$ she sends Bob. In the reveal phase she then performs one out of four possible two-outcome measurements, depending on the value of $q$ and whether she wishes to reveal 0 or 1, in order to determine $r^c$. We note, however, that when she wishes to reveal 0 the last measurement is redundant because $q$ must equal $r^c$. Alice therefore does not lose anything by always performing in the reveal phase one out of the two measurements corresponding to her wishing to reveal 1. This implies that without loss of generality these two measurements may be combined with the measurement in the commit phase to form a single four-outcome measurement in the commit phase. This measurement decides the two values of $r^c$, and simultaneously the value of $q$. To sum up, in the commit phase Alice carries out a four-element POVM $M^c = \{M^c_{kl}\}$ ($k, l = 0, 1$) acting on $\mathcal{H}_c$, such that if she wishes to reveal 0 (1) she sends Bob $q = k$ in the commit phase and $r^c = k$ ($r^c = l$) in the reveal phase.
To obtain Alice's control, we must maximize the above expression under the constraint that the CHSH expectation value is no less than $I_{th}$. This translates to the following optimization problem where $Q = \mathcal{H}_c, \rho, \{\Pi^c_{i|j}\}, M^c$ and $\Pi^c_{r|s}$ is the POVM element corresponding to inputting $s$ into box $c$ and obtaining the output $r$. Problems of this type can be relaxed to a hierarchy of semi-definite programming (SDP) problems, using the method introduced in [42,43]. This hierarchy provides increasingly tighter upper bounds on the solution of the original problem, which are guaranteed to converge to it at a sufficiently high order. We have solved the second order SDP relaxation of Eq. (7). In the next subsection we present a cheating strategy which saturates it (up to $10^{-8}$, the numerical accuracy of the SDP solver), implying that the second order relaxation already converges. Fig. 1 presents Alice's control as a function of the CHSH expectation value.
B. Alice's optimal cheating strategy in the asymptotic limit
We present below an optimal cheating strategy, in which it suffices for Alice to perform a single two-outcome measurement, rather than a four-outcome one as described in the previous subsection. The strategy proceeds as follows. Alice prepares the boxes such that each contains one qubit out of a pair in the maximally entangled state $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. Box 0 is prepared such that inputting 0 and 1 gives rise to the measurements $\sigma_{2\theta}$ and $\sigma_z$, respectively, where $\sigma_\alpha = \cos\alpha\,\sigma_z + \sin\alpha\,\sigma_x$. Box 1 is prepared such that inputting 0 and 1 gives rise to the measurements $\sigma_{2\theta - \phi}$ and $\sigma_{4\theta - \phi}$, respectively. If Alice receives box 0 (1) she measures $\sigma_{3\theta - \phi}$ ($\sigma_\theta$). That is, she always measures along an axis midway between Bob's measurement axes in the zx-plane (see Fig. 2). She then sends Bob values of $b$ and $r^c$ equal to the result of her measurement. Pairs of measurements along axes in the zx-plane differing by an angle of $\theta$ (since $|\phi^+\rangle$ is invariant under rotations in the zx-plane) give rise to correlated outcomes with probability $\cos^2\frac{\theta}{2}$. Therefore, irrespective of whether Alice reveals 0 or 1 (or, what is the same thing, whether Bob inputs 0 or 1), her cheating probability equals Of course the values of $\theta$ and $\phi$ are restricted by the constraint on the value of the CHSH violation. For the measurements above we have For a given value of $\theta$ the maximum violation is obtained for $\phi_{opt} = \arccos\, 2\cos(2\theta) + \sin^2(2\theta)$ By plugging $\phi_{opt}$ into Eq. (9), and using Eq. (8) to obtain $\theta$ as a function of $P_{cont}$, we obtain $I$ as a function of $P_{cont}$. The resulting curve saturates the SDP-obtained curve in Fig. 1.
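The protocol of Section III together with Bob's device-dependent strategy of Section IV.B and Alice's midway-measurement strategy above, as a classical Monte Carlo simulation added here (not code from the paper): EPR correlations for zx-plane measurements are reproduced by the rule that two outcomes agree with probability $\cos^2$ of half the angle between the axes, and the per-round CHSH indicator is taken to be $4(-1)^{r^0 \oplus r^1 \oplus s^0 s^1}$, which is an assumption since the page does not reproduce its definition. For ideal boxes the honest run never aborts in the reveal phase, Alice's control comes out near $\cos^2(\pi/8)$ and Bob's information gain near $0.75$.

```python
"""Classical Monte Carlo model of the CHSH-based bit commitment protocol (added example)."""
import math
import random

# Measurement axis (angle in the zx-plane, sigma_theta = cos(theta) sigma_z + sin(theta) sigma_x)
# for inputs 0..3 of each box, as fixed by the protocol; sigma_x is the axis at pi/2, sigma_z at 0.
BOX_ANGLES = (
    (math.pi / 2, 0.0, math.pi / 4, 3 * math.pi / 4),  # box 0: sigma_x, sigma_z, sigma_{pi/4}, sigma_{3pi/4}
    (math.pi / 4, 3 * math.pi / 4, math.pi / 2, 0.0),  # box 1: sigma_{pi/4}, sigma_{3pi/4}, sigma_x, sigma_z
)
COS2_PI_8 = math.cos(math.pi / 8) ** 2  # Alice's asymptotic control, ~0.8536


def measure_pair(alpha, beta, rng):
    """Outcomes of sigma_alpha and sigma_beta on one |phi+> pair: uniform marginals,
    agreement with probability cos^2((alpha - beta) / 2) (all a classical simulation needs)."""
    r_a = rng.randrange(2)
    agree = rng.random() < math.cos((alpha - beta) / 2) ** 2
    return r_a, (r_a if agree else 1 - r_a)


def chsh_indicator(s0, s1, r0, r1):
    """Per-round CHSH estimator for uniform inputs (assumed form; the paper's I_k is not on the page).
    For ideal EPR boxes its average over rounds converges to 2*sqrt(2)."""
    return 4 * (-1) ** (r0 ^ r1 ^ (s0 & s1))


def random_selection(big_n, i_th, seed=0):
    """Step 1: Bob tests n <= N rounds; returns (box c sent to Alice or None on abort, observed I_bar, n)."""
    rng = random.Random(seed)
    n = rng.randint(1, big_n)
    total = 0
    for _ in range(n):
        s0, s1 = rng.randrange(2), rng.randrange(2)
        r0, r1 = measure_pair(BOX_ANGLES[0][s0], BOX_ANGLES[1][s1], rng)
        total += chsh_indicator(s0, s1, r0, r1)
    i_bar = total / n
    if i_bar < i_th:
        return None, i_bar, n
    return rng.randrange(2), i_bar, n  # c is Bob's classical coin flip


def commit_and_reveal(b, c, seed=0):
    """Steps 2-3 with both parties honest: returns (token q, Bob's verdict, bit Bob learned)."""
    rng = random.Random(seed)
    a = rng.randrange(2)
    alice_angle = BOX_ANGLES[c][b + 2]      # Alice inputs s^c = b + 2 into the box she received
    bob_angle = BOX_ANGLES[1 - c][b]        # Bob later inputs s^{c_bar} = b into the box he kept
    r_c, r_cbar = measure_pair(alice_angle, bob_angle, rng)
    q = r_c ^ (a & b)                       # commitment token
    # Reveal phase: Bob checks that q is consistent with (b, r_c), then that his own outcome agrees.
    if q not in (r_c, r_c ^ b) or r_cbar != r_c:
        return q, "abort", None
    return q, "accept", b


def cheating_alice_success(trials, seed=0):
    """Sec. V.B strategy: measure midway between Bob's two axes, choose b only in the reveal phase."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        c = rng.randrange(2)
        bob_box = 1 - c
        mid = (BOX_ANGLES[bob_box][0] + BOX_ANGLES[bob_box][1]) / 2  # sigma_{3theta-phi} resp. sigma_theta
        b = rng.randrange(2)                                          # picked after committing
        r_c, r_cbar = measure_pair(mid, BOX_ANGLES[bob_box][b], rng)
        # Sending q = r_c passes both consistency checks; only Bob's own measurement can catch her.
        passed += (r_cbar == r_c)
    return passed / trials


def cheating_bob_success(trials, seed=0):
    """Sec. IV.B device-dependent strategy: input 0, read q as Alice's output, guess b from (dis)agreement."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        b, a, c = rng.randrange(2), rng.randrange(2), rng.randrange(2)
        r_c, r_bob = measure_pair(BOX_ANGLES[c][b + 2], BOX_ANGLES[1 - c][0], rng)
        q = r_c ^ (a & b)
        guess = 0 if r_bob == q else 1
        correct += (guess == b)
    return correct / trials


if __name__ == "__main__":
    c, i_bar, n = random_selection(big_n=200, i_th=2.5, seed=7)
    print(f"Bob tested n={n} rounds, observed CHSH {i_bar:.3f}, sends box {c}")
    if c is not None:
        print("honest commit/reveal of b=1:", commit_and_reveal(1, c, seed=7))
    print(f"Alice's control  ~ {cheating_alice_success(20000, seed=1):.4f}  (cos^2(pi/8) = {COS2_PI_8:.4f})")
    print(f"Bob's info gain  ~ {cheating_bob_success(20000, seed=2):.4f}  (expected 0.75)")
```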

C. Alice's control in the general case of an arbitrary number of tests
For any given value of $n$, Alice's control is a function of the CHSH expectation value $E(I(W_{n+1}) \mid w^n)$ characterizing the behavior of the devices at step $n+1$ given the history $w^n$. Alice's control can therefore be expressed as where $\Theta(\bar I_n(w^n) - I_{th})$ is the unit step function, ensuring that only histories such that the observed CHSH violation is no less than the threshold $I_{th}$ contribute. The partitioning of the sum into two is due to the fact that the boxes may have internal counters keeping track of the number of times they have been tested. Since the $(N+1)$th use of the boxes, if occurring at all (i.e. if Bob picks $N$), necessarily occurs in the reveal phase, it is never part of the CHSH testing. Therefore, in an optimal cheating strategy Alice will program the boxes such that in their $(N+1)$th use they behave deterministically. For each history $w^n$ with $n \le N - 2$ we can define the set of all compatible histories $w^{N-1}$ that could have occurred had Bob carried out $N - 1$ repetitions instead of $n$. Alice's control can therefore be re-expressed as Let $K(w^{N-1})$ denote the last repetition, up to and including the $(N-1)$th repetition, of the compatible history $w^{N-1}$ for which the observed CHSH violation is no less than $I_{th}$, i.e.
We can bound Alice's control probability as follows: where we have used the fact that $\Theta(\bar I_n(w^n) - I_{th}) = 0$ for all $n$ such that $K(w^{N-1}) < n \le N - 1$; the inequality being due to the possibility of histories for which $\Theta(\bar I_n(w^n) - I_{th}) = 0$ for at least one value of $n < K(w^{N-1})$.
where in the second sum in the first line we have used the concavity of $C$, in the first sum in the second line the fact that $K_0 - 1 \le (N-1)\,C(I_{th})$, and where $\pi_k(\varepsilon)$ is the set of all histories satisfying In Appendix D we show that the probability of occurrence of $\pi_k(\varepsilon)$ is bounded by where $D = 4 + 2\sqrt{2}$, and so Making use of this last inequality, we finally get that Note that if we choose the behavior of $\varepsilon$ such that in the limit $N \to \infty$ it decays more slowly than $N^{-1/2}$, then $\lim_{N \to \infty} Q(\varepsilon) \to 0$ and the bound tends to $C(I_{th})$. For finite $N$ it seems unlikely that the bound is saturable, since $Q(\varepsilon)$ is non-vanishing. Fig. 3 presents the results of numerical solutions of Eq. (19) for different values of $N$. In particular, in the limit $N \to \infty$ Alice's control tends to $\cos^2\frac{\pi}{8}$, recovering the result of [30].

VI. SUMMARY
Distrustful cryptography presents unique challenges in device-independent settings, which are absent in nondistrustful cryptographic tasks, such as quantum key-distribution. In particular, since the parties do not trust each other and may have conflicting goals, they cannot work together to certify the presence of nonlocality. In [30,35] this problem was circumvented by making use of the pseudo-telepathic nature of GHZ correlations, but pseudo-telepathy is absent in a CHSH setting. In this work we have shown that pseudo-telepathy is not essential for doing device-independent distrustful cryptography. This was achieved by reformulating the device-independent bit commitment protocol of [30], such that it relies on sequential testing of the CHSH inequality (instead of the single-shot testing of GHZ correlations), but (in the asymptotic limit) nevertheless achieves the same security. The security analysis was therefore carried out in the most general settings, where the devices may have long-term quantum memory.
Strictly speaking, the protocol we have presented is not a bit commitment protocol since Alice cannot choose the reveal time at will. This by itself is not necessarily a problem. For example, it does not prevent the protocol from being used to implement coin flipping. However, if we would like Alice to have the freedom to choose the reveal time, then we can do so either, as shown in Appendix B, at the price of increasing her control, or, as shown in Appendix C, at the price of using additional resources, i.e. by working in the large office scenario, where the parties have access to many pairs of boxes, which can be measured in parallel. Our work opens the door for real-life implementation of device-independent bit commitment and coin flipping. The protocol of [30] requires the ability to reliably produce particles in a GHZ state and to store, manipulate, and transmit them while maintaining their coherence. The protocol presented here, on the other hand, only requires manipulation of bipartite entanglement which is simpler given state-of-the-art technology.
Finally, we point out that the techniques developed in this work are not especially tailored for device-independent bit commitment, and we expect them to be useful, and possibly even essential, for other distrustful cryptographic tasks, such as non-bit-commitment-based device-independent coin flipping, and device-independent oblivious transfer.
[46] and SeDuMi [47] were used to solve the SDP problem Eq. (7).

APPENDIX A
We present a device-independent bit commitment protocol using a PR box [48].
We have seen that reformulating the GHZ-based protocol of [30] to be CHSH-based comes at the price of losing pseudo-telepathy. Indeed, quantum theory does not allow for pseudo-telepathy in a two-party, two-input setting [39]. However, in a post-quantum world (in which both dishonest and honest parties are restricted only by the no-signaling constraints) pseudo-telepathy is restored. It is interesting to ask what would happen to our protocol if we were to adapt it to such a world. On the one hand, we might expect such a world to offer less security, since a dishonest party would now have access to stronger correlations. On the other hand, we might expect the converse, since the protocol itself can be modified to make use of these stronger correlations. We will see that on balance this allows for more security.
A PR box is a post-quantum, bipartite, two-input, two-output resource, which achieves the algebraic bound of the CHSH inequality, while at the same time satisfying the no-signaling constraints. Up to local relabeling of the inputs and outputs, the PR box satisfies

In the following, it will be convenient to think of the PR box as consisting of a pair of two-input, two-output boxes, one in the possession of Alice, and the other in the possession of Bob. The PR-based protocol is essentially a simplified version of our earlier protocols with the first step (statistical estimation of the CHSH violation and random selection of the box used to encode Alice's commitment) omitted, and with the verification of nonlocal correlations and Alice's commitment being performed at the same time. This last possibility follows from pseudo-telepathy, as in the protocol of [30].
We assume that at the start of the protocol Alice has box 0 and Bob has box 1. The protocol proceeds as follows:
1. Commit phase - Alice inputs into her box the value of the bit she wishes to commit. She then selects uniformly at random a classical bit $a$, and sends Bob another classical bit, $q = r_0 \oplus (a s_0)$, as a token of her commitment.

Alice's security
We recall that in the quantum case (both in the GHZ-based and CHSH-based formulations) Alice's security relies only on the no-signaling constraints. Since we are still working in a no-signaling setting, Alice's security remains unchanged, i.e. Bob's information gain is upper-bounded by $3/4$. The proof proceeds exactly as in Subsection IV.A, except that instead of inputting 2 and 3, Alice inputs 0 and 1.
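As an added illustration (example code, not from the paper): a Python model of the ideal PR box in the Appendix A commit step, which checks its no-signaling marginals and computes exactly Bob's chance of guessing Alice's bit from what he holds. It assumes the standard PR-box relation $r_0 \oplus r_1 = s_0 s_1$ with $r_0$ uniformly random (the relation itself is not reproduced on this page), and that Alice's bits $b$ and $a$ are uniform; the guessing rule `bob_guess` is one strategy, and its exact success probability is the $3/4$ bound stated above, showing the bound is tight for this box.

```python
from fractions import Fraction
from itertools import product

def pr_box(s0, s1, r0):
    """Ideal PR box (standard relation, assumed here): r0 is Alice's uniformly random output,
    and Bob's output r1 satisfies r0 XOR r1 = s0 AND s1 for inputs s0 (Alice) and s1 (Bob)."""
    return r0 ^ (s0 & s1)

def bob_marginal(s0, s1):
    """P(r1 = 1 | s0, s1), averaging over the uniform r0."""
    return Fraction(sum(pr_box(s0, s1, r0) for r0 in (0, 1)), 2)

def no_signaling_holds():
    """Bob's output distribution must not depend on Alice's input s0 (here it is uniform for every s1)."""
    return all(bob_marginal(0, s1) == bob_marginal(1, s1) == Fraction(1, 2) for s1 in (0, 1))

def commit_token(b, a, r0):
    """Appendix A commit phase: Alice inputs s0 = b into box 0, reads r0, picks a uniformly at
    random and sends q = r0 XOR (a AND s0)."""
    s0 = b
    return r0 ^ (a & s0)

def bob_guess(q, r1):
    """Bob's guess from what he holds (q and his own output r1; his input s1 does not change the rule).
    q XOR r1 = (r0 XOR r1) XOR ab = b*s1 XOR ab = b*(s1 XOR a): a 1 proves b = 1,
    while a 0 is consistent with b = 0 for every a, so he guesses 0."""
    return 1 if (q ^ r1) == 1 else 0

def bob_success_probability(s1):
    """Exact probability that bob_guess is right, with b, a and r0 uniform and Bob's input s1 fixed."""
    hits = Fraction(0)
    for b, a, r0 in product((0, 1), repeat=3):
        r1 = pr_box(b, s1, r0)          # Bob's output in this run
        q = commit_token(b, a, r0)      # Alice's token
        hits += Fraction(int(bob_guess(q, r1) == b), 8)
    return hits                          # 3/4 for both s1 = 0 and s1 = 1

if __name__ == "__main__":
    print("no-signaling:", no_signaling_holds())
    for s1 in (0, 1):
        print(f"Bob guesses b correctly with probability {bob_success_probability(s1)} (s1={s1})")
```

The enumeration is exact (rational arithmetic over the eight equiprobable runs), so the $3/4$ is not a sampling estimate: whenever $a = s_1$ the token carries no information about $b$, and that happens in half of the runs.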

Bob's security
Recall that in a device-independent scenario dishonest Alice can prepare the boxes in any state she wishes, possibly entangled with ancillary systems in her possession. Since in the commit phase Alice sends a classical bit $q$ as a token of her commitment, without receiving any information from Bob, without loss of generality we may assume that she decides on the value of $q$ before the start of the protocol, and accordingly prepares the boxes to maximize $P_{\mathrm{cont}}$. Furthermore, since Alice's cheating probability is invariant under the simultaneous relabeling $q \to q \oplus 1$ and $r_0 \to r_0 \oplus 1$, no value of $q$ is preferable, and we may assume that she sends $q = 0$.

APPENDIX B
In this appendix we consider a modification of the protocol, such that the reveal time can be chosen at will. This comes at the price of increasing Alice's control. The protocol proceeds as follows:
1. Random selection - At time $t_a < t_1$ Bob picks uniformly at random, and in private, a number $n \in \{1, \ldots, N\}$ and two input strings $s^0_n \in \{0,1\}^n$ and $s^1_n \in \{0,1\}^n$. At each of the $n$ times $t_i$ he feeds $s^0_i$ and $s^1_i$ into boxes 0 and 1, respectively. He uses the corresponding output strings $r^0_n$ and $r^1_n$ to compute the observed CHSH violation, $\bar{I}_n(w_n)$, and compares it to some previously agreed threshold $I_{\mathrm{th}}$. If $\bar{I}_n(w_n) < I_{\mathrm{th}}$, he aborts the protocol. Otherwise, he flips two classical coins. Denote their outcomes by $c$ and $d$. At time $t_b < t_{n+1}$ he sends box $c$ to Alice. At time $t_{n+1}$, he inputs $s^{\bar{c}}_{n+1} = d$ into box $\bar{c}$.
2. Commit phase - Let $b$ be the value of the bit Alice wishes to commit. Alice inputs $s^c_{n+1} = b + 2$ into her box. She then selects uniformly at random a classical bit $a$, and at time $t_c > t_b$ sends Bob the classical bit $q = r^c_{n+1} \oplus ab$ as a token of her commitment.
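Bob's random-selection step above, as an added simulation (example code, not from the paper). It models three no-signaling box sources that are constructed here for illustration: an ideal PR box (assumed standard relation $r_0 \oplus r_1 = s_0 s_1$, CHSH value 4), a box that reproduces the statistics of the optimal quantum strategy (the CHSH condition holds with probability $\cos^2(\pi/8)$, CHSH value $2\sqrt{2}$ in expectation) and a local deterministic box (CHSH value 2). The estimator `chsh_estimate` is an assumption, since the page does not define $\bar{I}_n$: it sums the four empirical correlators with the usual CHSH signs. For the sake of reproducible checks the helper `balanced_inputs` uses each input pair equally often instead of the uniformly random strings $s^0_n, s^1_n$ that Bob would draw.

```python
import math
import random

WIN_Q = math.cos(math.pi / 8) ** 2  # optimal quantum CHSH winning probability, about 0.854

# Constructed box models. Each takes the round's inputs (s0, s1) and an RNG and returns (r0, r1).
# All three are no-signaling: r0 is uniform (or constant) and Bob's output statistics do not depend on s0.
def box_pr(s0, s1, rng):
    """Ideal PR box: r0 uniform, r0 XOR r1 = s0 AND s1 (assumed standard relation). CHSH value 4."""
    r0 = rng.randrange(2)
    return r0, r0 ^ (s0 & s1)

def box_quantum(s0, s1, rng):
    """Statistics of the optimal quantum strategy: the PR relation holds with probability cos^2(pi/8)."""
    r0 = rng.randrange(2)
    win = rng.random() < WIN_Q
    return r0, r0 ^ (s0 & s1) ^ (0 if win else 1)

def box_local(s0, s1, rng):
    """Classical deterministic box: fixed outputs, CHSH value 2 (the local bound)."""
    return 0, 0

def chsh_estimate(s0s, s1s, r0s, r1s):
    """Observed CHSH value over the rounds (assumed estimator): sum over the four input pairs of
    (-1)^(s0*s1) times the empirical correlator <(-1)^(r0+r1)> for that pair.
    Input pairs that never occurred contribute 0."""
    acc = {(x, y): [0, 0] for x in (0, 1) for y in (0, 1)}
    for s0, s1, r0, r1 in zip(s0s, s1s, r0s, r1s):
        acc[(s0, s1)][0] += (-1) ** (r0 ^ r1)
        acc[(s0, s1)][1] += 1
    return sum((-1) ** (x * y) * tot / cnt for (x, y), (tot, cnt) in acc.items() if cnt)

def bob_random_selection(box, s0s, s1s, I_th, rng=None):
    """Bob's step 1 of Appendix B for the n rounds given by his private input strings s0s, s1s:
    feed them into boxes 0 and 1, estimate the CHSH violation, abort (return None) if it is below
    I_th, otherwise flip the coins c (which box goes to Alice) and d (his input into the box he keeps)."""
    rng = rng or random.Random()
    r0s, r1s = [], []
    for s0, s1 in zip(s0s, s1s):
        r0, r1 = box(s0, s1, rng)
        r0s.append(r0)
        r1s.append(r1)
    I_obs = chsh_estimate(s0s, s1s, r0s, r1s)
    if I_obs < I_th:
        return None
    return {"I_obs": I_obs, "c": rng.randrange(2), "d": rng.randrange(2)}

def balanced_inputs(rounds_per_pair):
    """Input strings that use every pair (s0, s1) exactly rounds_per_pair times (for reproducible checks)."""
    pairs = [(x, y) for x in (0, 1) for y in (0, 1)] * rounds_per_pair
    return [p[0] for p in pairs], [p[1] for p in pairs]

if __name__ == "__main__":
    s0s, s1s = balanced_inputs(1000)
    for name, box in (("PR", box_pr), ("quantum", box_quantum), ("local", box_local)):
        print(name, bob_random_selection(box, s0s, s1s, I_th=2.5, rng=random.Random(7)))
```

With a threshold of 2.5 the local box is always rejected and the PR box always passes with $\bar{I} = 4$ exactly; the quantum-statistics box passes with overwhelming probability once the number of rounds is in the thousands, which is the regime the sequential analysis of the paper addresses through the Azuma-Hoeffding bound.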
We will not derive here the dependence of Alice's control on the number of pairs $N + 1$. Instead, we will show that it is upper-bounded by that of the original protocol (Section III). To see this, consider another protocol, identical to the one above in all except that instead of using the inputs and outputs of all the pairs (bar the one chosen for the commitment) to estimate the CHSH violation, Bob uses only those of the first $n - 1$ pairs (Alice is of course aware of this and of the numbering of the pairs). Clearly, the new protocol can only increase Alice's control. Now we note that this protocol would be identical to that of the sequential case, up to the fact that the reveal time can be chosen at will, if box $i$ of pair $k$ were to have full information about the inputs and outputs of all the $i$th boxes of the first $k - 1$ pairs. Clearly, such a modification can only increase Alice's control.
We therefore conclude that Alice's control in the sequential case provides an upper bound on her control in the large office scenario.
It is straightforward to show that $Z_k(W_k) = k\Delta_k(W_k)$ is a martingale (i.e. $E(Z_{k+1}(W_{k+1}) \mid W_k) = Z_k(W_k)$). Moreover, for any history $w_k$ we have that where $D = 4 + 2\sqrt{2} = \left(1 - \cos^2(\pi/8)\right)^{-1}$; the 4 coming from the $I(w_{k+1})$ term and the $2\sqrt{2}$ from the $E(I(W_{k+1}) \mid w_k)$ term. The Azuma-Hoeffding inequality [50] then tells us that where $\pi_k(\varepsilon)$ is defined to be the union of all histories $w_k$ satisfying $\Delta_k(w_k) \ge \varepsilon$.
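As an added worked step (not part of the paper's text): the form the Azuma-Hoeffding bound takes for this martingale, assuming $Z_0 = 0$ and the bounded-difference condition $|Z_{k+1}(W_{k+1}) - Z_k(W_k)| \le D$ to which the stated value of $D$ refers. Since $Z_k = k\Delta_k$, the event $\Delta_k(w_k) \ge \varepsilon$ is the event $Z_k(w_k) \ge k\varepsilon$, and the one-sided Azuma-Hoeffding inequality with $k$ increments each bounded by $D$ gives

$$
P\bigl(\pi_k(\varepsilon)\bigr) = P\bigl(Z_k(W_k) \ge k\varepsilon\bigr) \le \exp\!\left(-\frac{(k\varepsilon)^2}{2kD^2}\right) = \exp\!\left(-\frac{k\varepsilon^2}{2D^2}\right), \qquad D^2 = (4 + 2\sqrt{2})^2 = 24 + 16\sqrt{2} \approx 46.6 ,
$$

so the probability that the observed CHSH statistic deviates from its conditional expectation by at least $\varepsilon$ decays exponentially in the number of rounds $k$, which is what allows the sequential estimate to be trusted even when the boxes have memory.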