Composable security in relativistic quantum cryptography

Relativistic protocols have been proposed to overcome some impossibility results in classical and quantum cryptography. In such a setting, one takes the location of honest players into account, and uses the fact that information cannot travel faster than the speed of light to limit the abilities of dishonest agents. For example, various relativistic bit commitment protocols have been proposed. Although it has been shown that bit commitment is sufficient to construct oblivious transfer and thus multiparty computation, composing specific relativistic protocols in this way is known to be insecure. A composable framework is required to perform such a modular security analysis of construction schemes, but no known frameworks can handle models of computation in Minkowski space. By instantiating the systems model from the Abstract Cryptography framework with causal boxes, we obtain such a composable framework, in which messages are assigned a location in Minkowski space (or superpositions thereof). This allows us to analyze relativistic protocols, and derive novel possibility and impossibility results. We show that (1) coin flipping can be constructed from the primitive channel with delay, (2) biased coin flipping, bit commitment and channel with delay are all impossible without further assumptions, and (3) it is impossible to improve a channel with delay. This implies in particular non-composability of all proposed relativistic bit commitment protocols, as well as non-composability of (quantum, but non-relativistic) biased coin flipping protocols.


Introduction
What this paper is about. We address construction of resources (like coin flipping and bit commitment) in relativistic quantum cryptography, and security definitions that are robust under composition of resources. We prove constructibility and impossibility results. By "relativistic" we mean basic special relativity: Minkowski space-time with limited signalling speed.
A cryptographic resource: bit commitment. To illustrate the need for a composable analysis of relativistic cryptography, we focus on bit commitment protocols, which have garnered a lot of interest in recent years [1,2,9,10]. Bit commitment is a crucial cryptographic primitive, from which we can construct oblivious transfer [3], multi-party computation [3], coin flipping [11], and zero-knowledge proofs [12].
Definition 1 (Bit commitment, informal definition). A bit commitment protocol (BC) between two players (say Alice and Bob) involves two phases. In the commit phase, Alice commits to a bit a ∈ {0, 1} with Bob by exchanging information with him. In the open phase, Alice chooses to open her commitment to Bob and reveals her bit to him through an exchange of information.

[Figure: the BC resource between Alice and Bob, with labels a, open, comm, a.]

Intuitively speaking, security of bit commitment has two requirements:
• Hiding: when Alice is honest, Bob has no information about a before the open phase.
• Binding: when Bob is honest, Alice must not be able to change the value of a between the commit and open phases without him detecting her dishonesty.
These requirements can be formalized under different security definitions. Not all models of security of bit commitment are composable: for example the ε-weakly binding definition of [10] is not. There, Alice is allowed to commit to a bit without knowing its value, which, if used as a subroutine in a coin flipping protocol, would allow dishonest players to perfectly correlate the coin flips from different coins. In this work, we model security such that the constructed bit commitment resource can be securely composed with arbitrary protocols. Let us first overview some known results.

Impossibility of classical bit commitment.
In 2001, Canetti and Fischlin showed that composably secure bit commitment without any assumptions is impossible [13]. They proved this for a quantum non-relativistic setting through a classical man-in-the-middle attack (MITM). Consider a cheating Alice simultaneously running two BC protocols: one with Bob, in which she is the committer, and one with Charlie, in which she is the receiver. She can commit to Charlie's bit with Bob by simply forwarding their messages to each other during the commit phase. This allows Alice to commit to a bit without even knowing its value, and neither Bob nor Charlie would detect this. Such a situation is dangerous because when a scheme susceptible to a MITM attack is used in the construction of another cryptographic resource, the resulting resource may no longer satisfy the ideal security guarantees. We will see how this affects the construction of coin flipping resources in Section 3.2. Note that this proof does not imply the impossibility of composably secure BC in either quantum or relativistic settings.

Impossibility of quantum bit commitment.
To the best of our knowledge, quantum bit commitment has not been previously analyzed in a composable framework. Using a stand-alone definition with information-theoretic security, Mayers, and Lo and Chau [14][15][16] independently showed between 1996 and 1997 that no secure quantum bit commitment protocol can be constructed without any assumptions (for example regarding the operations that the parties can perform on their systems) because, due to Uhlmann's theorem, if Bob cannot distinguish between the commitment to a 0 or a 1, then there exists a unitary on Alice's system allowing her to change the commitment from 0 to 1.

Relativistic protocols
One turns to relativistic protocols in the hope of avoiding such attacks by imposing relativistic causal constraints on agents located in Minkowski space, such as no-signalling between space-like separated agents and a maximum propagation speed for signals. An example is Kent's 2012 relativistic BC protocol [1], which is immune to the Mayers-Lo-Chau attack, since the sender splits into two space-like separated agents who can no longer perform suitable unitaries on their joint systems. Like other relativistic BC protocols, this protocol implements a timed commitment, which is secure only within a time window given by the time taken by light to travel between remote agents. However, it only satisfies a non-composable, weakly-binding security definition [10]. As we will see, this protocol is susceptible to a man-in-the-middle attack and therefore cannot be securely run as a subroutine in arbitrary protocols.
Composability of relativistic protocols. In relativistic settings, the existing negative results are obtained by analyzing specific examples of protocols and attacks where composition fails [10]. However, without an overall coherent framework for modelling composability in relativistic cryptography, it is impossible to obtain general positive and negative results.
Overview and scope of our results. Here we introduce a framework for modelling composable cryptographic security in the presence of classical, quantum and no-signalling adversaries, and apply it to prove new positive and negative results in relativistic quantum cryptography, as illustrated in Fig. 1. We do this by modelling the abstract information-processing systems of the abstract cryptography framework [5] as causal boxes [6]. We analyse three cryptographic resources, defined in Section 2: channel with delay (CD), coin flipping (CF, including biased variations) and bit commitment (BC).
Construction results. We show that an unbiased coin flipping resource CF can be constructed from a channel with delay resource, CD (Theorem 1). For comparison, Blum's protocol [11] constructs a weaker biased coin flipping resource from a bit commitment resource [17]. We provide an explicit protocol to construct CF from CD and prove its security.

Impossibility results.
In Theorem 2 we show that composably secure coin flipping is impossible even in the relativistic case without additional assumptions (e.g. the presence of a shared resource such as CD). Impossibility of channel with delay follows from the previous result (Corollary 3). This result covers in particular non-composability of Kent's protocol and of multi-round protocols for arbitrarily long commitments (e.g., [2]). Impossibility of bit commitment follows from Blum's construction [11,17] (Corollary 4). We then show that given a number of copies of CD it is not possible to construct a CD with a larger commitment window, by using communication alone (Theorem 5). It follows that it is impossible to increase the effective commitment time of a relativistic BC resource. These impossibility results apply irrespective of whether the protocol is classical, quantum or non-signalling.

Figure 1: Summary of our results. We assume Minkowski space-time with limited speed of signalling. Existing results in black and new results (obtained in this paper) in blue and red. An arrow R → S stands for "given resource R, it is possible to construct resource S through a protocol between distrusting agents that uses unauthenticated communication alone; a cross on a resource means that it is impossible to construct such resource using (unauthenticated) communication alone." All results are applicable to classical, quantum and relativistic protocols with classical, quantum or non-signalling adversaries. Our framework can also model superpositions of causal orders of message exchanges.

Our framework can also be applied to situations where agents exchange a superposition of different numbers of messages in a superposition of orders in time, and provides an operational formalism for studying indefinite causal structures.

Framework
Composable security: the abstract cryptography framework [5]
Let us review the basics of the abstract cryptography framework [5]. The following definitions are adapted from [18] for the case of protocols between two mutually distrusting parties (e.g., bit commitment, coin flipping) and have been simplified for our purposes. We refer the reader to [5] and [18] for more general definitions and further examples. The building blocks of the framework are cryptographic resources, converters (e.g. protocols) and a notion of distance (distinguishability) between resources.
Definition 2 (Cryptographic resource [18]). A resource is an (abstract) system with interfaces i ∈ {A, B}, each accessible to a user i (and their trusted agents) providing them with certain controls.
Each resource $R = (R, R_A, R_B)$ is defined by three functionalities: $R$ when both parties are honest and $R_i$ when party i ∈ {A, B} is dishonest.
A central element of cryptography is the transformation of resources through agent-run protocols: for example, the one-time-pad protocol constructs a secure channel from an authenticated channel. This is formalized through the notion of converters which map one resource to another resource.

Definition 3 (Converter [18]). Converters are systems with an inside and an outside interface. The inside interface connects to an interface i of a resource R, and the outside interface becomes the new interface of the constructed resource,

The sequences of arrows at the interfaces between objects represent (arbitrary) rounds of communication. For simplicity, we may omit the indices, S = αβRγ, so that converters to the left of the resource (α, β) are implicitly connected to Alice's interface, and converters on the right (γ) are connected to Bob's.

Distinguishing resources.
The cryptographic security of a resource is quantified in terms of distinguishability from a corresponding ideal resource (Fig. 3). For example, the ideal resource "random bit generator", S, would be a black box that generates and outputs a uniformly random bit at a time t which is independent of everything outside the box. A specific practical implementation R of this functionality could be a quantum protocol: prepare a qubit in the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, measure it in the Z-basis and output the measurement result at time t. Treated as black boxes, both resources R and S output a uniformly random classical bit and cannot be distinguished by an outsider. For more complex resources, we may ask: distinguishability from whose perspective? Here, the traditional notion of an adversary is generalized to an arbitrary distinguisher which models not only possible adversarial behaviour but also the whole environment of a cryptographic protocol. In other words, a distinguisher models information-processing steps that could take place before, after or during the protocol under consideration.

Definition 4 (Distinguishing advantage [18]). A distinguisher (Figure 3) for two resources R, S is a system D with two interfaces: an inside interface that connects to all the interfaces of a resource, R or S, and an outside interface that outputs a single bit: 0 to guess that the resource was R and 1 to guess that it was S. If its probability of guessing correctly is $p^D_{\text{distinguish}}(R, S)$, then the distinguishing advantage of D is defined as $d^D(R, S) := 2\,p^D_{\text{distinguish}}(R, S) - 1$.

Figure 3: Security in terms of distinguishers. Composable security of a real resource is defined in terms of the success probability of a class of distinguishers (for example computationally bounded or unbounded, classical, quantum or non-signalling) in distinguishing the real resource from the ideal functionality. A distinguisher, modelling all the environment of a resource, is given black-box access to either the real or the ideal resources and a complete description of the input-output behaviour of both systems and must guess which one it was interacting with by outputting either a 0 or a 1.

Classes of distinguishers.
Changing the power of the distinguisher (e.g., computationally bounded or unbounded, classical, quantum or non-signalling) results in different metrics and different levels of security [18]. For example, classical encryption protocols are only computationally secure. This means that while such a classical resource may be perfectly indistinguishable from an ideal encryption functionality when considering only computationally bounded distinguishers, it could be easily distinguished using computationally unbounded (or quantum) distinguishers.
Remark 1. The distinguishing advantage is a pseudo-metric on the space of resources satisfying the identity, symmetry and triangle inequality properties. It is non-increasing under composition [18], i.e. $d^D(\alpha R, \alpha S) \le d^D(R, S)$ for any converter α and resources R, S.
Cryptographic security of protocols. We want to address questions such as "does a protocol Π construct the ideal resource S from an initial resource R?" A two-player protocol $\Pi = (\Pi_A, \Pi_B)$ is essentially a pair of converters that can be connected to the interfaces of the completely honest functionality $R$ of the original resource $R = (R, R_A, R_B)$. Security of the construction must be modelled for three cases: when both players are honest and when either one of them is dishonest. In the honest case, one simply requires that the composition of Alice's and Bob's honest protocols with the original resource R, $\Pi_A R \Pi_B$ (the "real system"), is close to indistinguishable from the ideal functionality S. When Alice is dishonest, the protocol $\Pi_A$ is removed in the corresponding real system, because we do not know what protocol a dishonest player would follow. On the "real" side we now have $R_A \Pi_B$. On the ideal side, we have $S_A$, but $R_A \Pi_B$ and $S_A$ cannot be compared: they are trivially distinguishable since Alice's interface of $R_A \Pi_B$ is different from her interface of $S_A$.
To allow for the comparison and define security against dishonest Alice, we require the existence of a converter $\sigma_A$ which, when connected to Alice's interface of $S_A$, makes these two systems close to indistinguishable. Note that connecting this simulator $\sigma_A$ only makes Alice weaker, since any operation performed by the simulator could equivalently be performed by an adversary connected directly to the interface of the ideal resource. Further, the simulator's behaviour is independent of the internal workings of the ideal functionality $S_A$. The analysis is analogous for dishonest Bob.
Definition 5 (Composable cryptographic security [18]). A protocol $\Pi = (\Pi_A, \Pi_B)$ constructs $S = (S, S_A, S_B)$ from $R = (R, R_A, R_B)$ within a distance $\varepsilon$, with respect to a set $D$ of distinguishers and a set $S \ni \Pi_A, \Pi_B$ of converters, if the following conditions hold:
When both parties are honest, the functionality constructed by the protocol must be
When Alice is dishonest and Bob is honest, the resulting system must be ε-simulatable by connecting a converter $\sigma_A$ (called a simulator) to Alice's interface of $S_A$.
We then say that R is a stronger resource than S. An impossibility result with the same parameters has the form: there exists no protocol Π
For construction results, a strong statement has the form "we can easily construct S from R, and we can easily simulate any cheating behaviour, such that even a very powerful distinguisher could not tell apart our construction from the ideal functionality." Therefore, ideally we would want S to be restricted to converters that are easy to implement physically, and we want the set of distinguishers D to be as general as possible.
For impossibility results, a strong statement has the form "we can always easily distinguish any functionality constructed from R from S, even if we allow for very powerful protocols and simulators." Therefore, we try to make S as general as possible, and we restrict D to correspond to efficient or otherwise easy to implement distinguishers.

Asymmetric variations.
In some settings, we may want to give more power to one of the players.This is the case for blind computation results [19][20][21], where for example Bob represents a client with limited computational power and Alice a powerful server (which may for example perform arbitrary quantum operations).
In other examples, we may want to restrict honest players to use efficient protocols, while allowing the simulators of dishonest behaviour to be arbitrary. In these and other cases, we can adjust the sets for $\Pi_A$, $\Pi_B$, $\sigma_A$, $\sigma_B$ and D to suit the scenario. For the results in this paper, this will not be necessary.

Cryptography in relativistic settings: the causal boxes framework [6]
The abstract cryptography framework [5] follows a top-down approach to modelling cryptographic security starting from the highest level of abstraction and proceeding downwards, introducing at each level only the minimum necessary specifications. The composability of abstract systems in the abstract cryptography framework makes it possible to provide a general, composable security definition, which is independent from the models of communication or computation. It can then be instantiated with whatever model is needed; here, causal boxes to model relativistic cryptography.
Causal boxes [6] are a way to model information-processing systems which may interact with each other in arbitrary ways, so long as they respect causality (Fig. 5a). In broad lines, a causal box Φ is a system with input and output wires which may carry quantum or classical information. A concrete example is a physical box containing some optical elements (like beam-splitters) and connected to optical fiber cables: each wire may carry several messages at different times (or even in a superposition of different times). A single instance of a message is modelled as a quantum state in the joint Hilbert space $H \otimes T$, where H is the space of the actual message and T is a quantum version of space-time, specifying when and where the message was sent. In the simple cases where a message ρ is sent at a well-defined space-time coordinate P, we can simply represent it as a pair (ρ, P). In this paper we only need to consider such cases.
Causality condition. Causality requires that outputs produced at space-time point P ∈ T can depend only on inputs produced in its causal past, P' ≺ P (at this stage, T could be any set of points equipped with any partial order to represent causality). In general, a causal box is a map from the space of the inputs to the space of the outputs that respects this notion of causality.
Composition of causal boxes may be done in series, in parallel or through (feedback) loops (Fig. 5a), and arbitrary composition of causal boxes results in a causal box. For further information, see [6]; for the purposes of this work, the description provided here suffices.
Minkowski space-time. In this paper we apply the formalism of causal boxes to Minkowski space-time T, where each coordinate corresponds to a vector P = (x, t) with three dimensions of space and one of time. In special relativity, T has a natural partial order, " In this case we say that space-time point $P_1$ is in the causal past of $Q_2$. If two points are not ordered, we say that they are space-like separated. The causal diamond of a pair of space-time points, $P_1 \prec P_2$, denoted by $D(P_1, P_2)$, is the intersection of the future light cone of $P_1$ with the past light cone of $P_2$. This represents the maximal space-time region that can be affected by events at $P_1$ and also affect events at $P_2$ (Fig. 5b). In the following, we assume that all players involved in a relativistic cryptographic protocol initially agree upon a coordinate system to represent all space-time points.
Range of causal boxes. Causal boxes can model not only quantum processes, but also non-signalling systems with quantum and classical inputs (for example, PR-boxes are causal boxes) [6]. This will be useful in security proofs, for example to cover very powerful adversaries, so let us denote by C the set of all allowed causal boxes in T.

Ideal functionalities
We may now define the ideal functionalities of the cryptographic resources relevant to our results.

Channel with Delay (CD)
In special relativity, unless two agents meet at the exact same space-time location to exchange messages, there is necessarily a finite communication delay between them. A channel with delay is a cryptographic primitive between two parties based on this physical intuition: Alice sends a message and Bob receives it unaltered with some delay.
Definition 6 (Channel with delay). A channel with delay $CD = (CD, CD_A, CD_B)$ between a sender Alice and a receiver Bob is a resource characterized by:
• analogously, for every location $B_i$, a region $B^D_i$ that contains it, satisfying
For every i ∈ I, the trusted region of the channel is defined as the set of all space-time points whose causal past contains all of $A^D_i$ and causal future contains all of $B^D_i$, that is the set {P :
The trusted region of a CD is a subset of the region where both players can be sure that the information in the channel remains secure; as we will see, it is the region where the CD can be composed to form other resources such as CF (Section 3.1). For now and in the interest of simplicity, we can model messages sent at a superposition of different locations through Alice's protocols that use superpositions of different uses $CD_i$ of a channel.
Relation to relativistic bit commitment protocols. The relativistic protocols existing in the literature, including Kent's protocol [1], do not claim to implement a bit commitment resource that follows Definition 1, but rather a particular instance of channel with delay. This is due to the following reasons:
1. The "open" input for Alice and "commit" output for Bob are lacking.
2. The commitment is not arbitrary as decided by Alice (which is the case of the ideal BC in Definition 1), but is rather a timed commitment, restricted by the time taken by light to travel between the remote agents involved in the protocol. This must be decided in advance by all players.
3. The protocols assign fixed space-time locations to agents (verified by an agent of the other team).
It follows that our results for channel with delay also apply to the existing relativistic protocols for "bit commitment." Arbitrarily long commitments have been achieved using novel multi-round schemes both in the relativistic case [2] as well as in the quantum case (in the bounded [22] and noisy storage [23] models). However, these schemes are only weakly binding and it follows from our impossibility results ahead that they are not composably secure without additional assumptions.

Coin Flipping (CF)
Suppose that two mutually distrusting parties Alice and Bob, who are located far away from each other, wish to resolve a dispute. They could do this by flipping a fair coin and basing their decision on the outcome of the coin flip. However, neither party could flip the coin independently for this purpose as the other party can never trust this outcome. To solve this problem, they require a clever cryptographic protocol that allows them to trust the coin flip outcome even though they don't trust each other. But even before coming up with a protocol, they must first define the functionality they would like the protocol to construct.
They have different ways of doing so depending on how strong they want the constructed resource to be. The strongest resource is a fair and unbiased coin flipping, where both players get a uniformly random bit c, even if they try to cheat. A weaker variation is a biased coin flipping, where a dishonest player can try to bias the bit that the other receives. For other variations see Appendix B. The interface for dishonest Alice can also contain any of these functionalities. We refer to a coin flipping resource as singly or doubly biased accordingly. The biased functionality could be defined differently depending on the mechanism through which a dishonest player biases the other player's output. An example is the definition used in [17]. All the results presented here also hold for the functionality defined in [17].

Constructibility results
Channel with delay constructs coin flipping. It was shown in [17] that a 1/2-biased coin flipping resource can be perfectly constructed from a bit commitment resource (Definition 1), by using Blum's protocol [11]. Here we show that it is in fact possible to construct an even stronger resource (an unbiased coin flipping) from a channel with delay.
Theorem 1 (Construction CD → CF). Given a classical channel with delay resource CD with a non-empty trusted region, there exists a classical protocol $\Pi_{CD \to CF} = \{\Pi_A, \Pi_B\}$ that perfectly constructs an unbiased coin flipping resource CF.
The constructed and ideal resources are indistinguishable for any distinguisher in C (including quantum and non-signalling distinguishers). Cheating behaviour can be simulated with local operations and classical communication.
The protocol is described in Definition 8, and the security proof is given in Appendix A.
Definition 8 (Protocol $\Pi_{CD \to CF}$). Given a channel with delay $CD = (CD, CD_A, CD_B)$ with a non-empty trusted region, we define the following honest protocol $\Pi_{CD \to CF} = (\Pi_A, \Pi_B)$:
1. Alice picks a uniformly random bit a, and sends it through CD from her space-time location $A_i$. Bob receives this bit from CD at his location $B_i$.
2. Bob's agent, Bill, meets Alice's agent, Amy, at P in the trusted region to pass on Bob's uniformly random bit, b.
3. Alice (or her agent) runs the protocol $\Pi_A$ to compute a ⊕ b = c and outputs this value at some point P A F P .
4. Bob computes a ⊕ b = c using his protocol, $\Pi_B$, and outputs the result at a point
Clearly our protocol $\Pi_{CD \to CF}$ cannot construct a coin flipping resource given a channel with an empty trusted region: in such a case, at least one of the simulators $\sigma_A$ or $\sigma_B$ would not exist.
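The causal bookkeeping behind Definition 8, as an added example that is not part of the paper: it models the dishonest regions $A^D_i$ and $B^D_i$ as finite sets of sample points (t, x, y, z) in units where c = 1, and enumerates every deterministic cheating strategy. A meeting point inside the trusted region leaves the coin unbiased, while a meeting point that is causally ordered the wrong way lets one party force it. All function names and coordinates are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import product


def precedes(p, q):
    """Causal order p ≺ q for points (t, x, y, z): q lies on or inside p's future light cone."""
    dt = q[0] - p[0]
    dist2 = sum((b - a) ** 2 for a, b in zip(p[1:], q[1:]))
    return dt > 0 and dt * dt >= dist2


def in_trusted_region(P, A_D, B_D):
    """P has all of Alice's dishonest region in its past and all of Bob's in its future."""
    return all(precedes(Q, P) for Q in A_D) and all(precedes(P, Q) for Q in B_D)


def cheater_is_adaptive(P, A_D, B_D, cheater):
    """Can the cheater choose their bit after learning the honest party's bit?"""
    if cheater == "bob":
        # Bob can read a at some Q in B_D; he cheats if that happens at or before
        # the meeting point P where he must hand over b.
        return any(Q == P or precedes(Q, P) for Q in B_D)
    if cheater == "alice":
        # Alice learns b at P; she cheats if she can still input a at some Q in A_D
        # located at or after P.
        return any(Q == P or precedes(P, Q) for Q in A_D)
    raise ValueError(f"unknown party: {cheater}")


def max_forced_probability(P, A_D, B_D, cheater):
    """Largest Pr[c = target] over all deterministic cheating strategies and targets.

    The honest party's bit h is uniform. A strategy is a pair (s0, s1) giving the
    cheater's bit when h = 0 and when h = 1; a non-adaptive cheater must use s0 == s1.
    """
    if cheater_is_adaptive(P, A_D, B_D, cheater):
        strategies = list(product((0, 1), repeat=2))
    else:
        strategies = [(0, 0), (1, 1)]
    best = Fraction(0)
    for strategy in strategies:
        for target in (0, 1):
            hits = sum((h ^ strategy[h]) == target for h in (0, 1))
            best = max(best, Fraction(hits, 2))
    return best


# Constructed geometry: Alice at the origin, Bob at x = 6.
A_D = [(0, 0, 0, 0), (1, 0, 0, 0)]    # dishonest Alice may input until t = 1
B_D = [(9, 6, 0, 0), (10, 6, 0, 0)]   # dishonest Bob may read from t = 9
P_MEET = (5, 3, 0, 0)                 # midway meeting point, inside the trusted region
P_LATE = (12, 6, 0, 0)                # Bob already holds a when he hands over b
P_EARLY = (-5, 0, 0, 0)               # Alice learns b before she has to input a

if __name__ == "__main__":
    for name, P in [("P_MEET", P_MEET), ("P_LATE", P_LATE), ("P_EARLY", P_EARLY)]:
        print(name,
              "trusted" if in_trusted_region(P, A_D, B_D) else "untrusted",
              "alice:", max_forced_probability(P, A_D, B_D, "alice"),
              "bob:", max_forced_probability(P, A_D, B_D, "bob"))
```

The finite sample of each region stands in for a continuous space-time region, so the check is only as good as the sample points chosen.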

Impossibility results
Impossibility of coin flipping. In the previous section, we showed that an unbiased coin flipping can be constructed from a suitable channel with delay. Here we show that in the absence of any such shared resource, it is impossible to construct any biased or unbiased coin flipping resource solely through the exchange of messages. The proof idea is sketched in Figure 6 and the full proof can be found in Appendix A. Our proof generalizes the method used in the abstract cryptography framework to prove the analogous result for the non-relativistic case [5].
Theorem 2 (Impossibility of CF). It is impossible to construct, with $\varepsilon < \frac{1}{6}(1 - p)$, a p-biased Coin Flipping resource between two mutually distrusting parties solely through the exchange of messages through any relativistic or non-relativistic protocol, be it classical, quantum or non-signalling.
A classical distinguisher suffices to tell apart the ideal functionality from any construction given by a protocol in C.
Intuition behind Theorem 4: the role of authentication. When no resources are shared by the parties involved in a bit commitment protocol, authentication of messages is no longer guaranteed: it is impossible for the receiver to tell whether a message received is from the original committer or a third party, as their behaviours are completely symmetric from his/her perspective. Sharing a cryptographic resource breaks the symmetry between the original committer who can access the resource and any other party who cannot do so and makes the task possible (Theorem 1).
At this point, one may wonder why authentication of messages is a requirement for the composable security of bit commitment. Authentication is closely related to the man-in-the-middle attack (MITM), where a dishonest committer can simply forward messages between the honest receiver and a third party and in turn commit to a bit without knowing its value and without the knowledge of the receiver. When a bit commitment protocol that is susceptible to the MITM attack is used as a subroutine to construct a coin flipping resource using Blum's protocol [11], the constructed coin flipping resource would no longer be secure, i.e. it would not satisfy the functionality defined in Definition 7. For example, if Alice and Bob used such a coin flipping resource and Charlie and Danielle used another such resource, dishonest Alice and Charlie (without Bob and Danielle's knowledge) can communicate such that the outcomes of both resources are always perfectly correlated. But the coin flipping functionality requires the outcome of each resource to be independently generated, so an insecure resource of the kind described above would not allow multiple pairs of players to settle disputes independently.
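The correlation described above, measured with the distinguishing advantage of Definition 4, as an added example that is not part of the paper. It assumes a hash-based commitment as a stand-in for an unauthenticated commitment scheme (not a relativistic protocol), assumes Danielle is the committer in her run with Charlie while Alice poses as committer toward Bob, and uses hypothetical function names throughout.

```python
import hashlib
from fractions import Fraction
from itertools import product

NONCE = bytes(16)  # constructed, fixed nonce so the enumeration below is exact


def commit(bit, nonce):
    """Stand-in commitment: hash of nonce and bit (assumption, see lead-in)."""
    return hashlib.sha256(nonce + bytes([bit])).digest()


def receiver_output(com, b, opened_bit, nonce):
    """Receiver side of Blum's protocol: verify the opening, output a XOR b, else abort."""
    return opened_bit ^ b if commit(opened_bit, nonce) == com else None


def two_honest_runs(a1, b1, a2, b2):
    """Alice-Bob and Danielle-Charlie run Blum's protocol independently."""
    c1 = receiver_output(commit(a1, NONCE), b1, a1, NONCE)
    c2 = receiver_output(commit(a2, NONCE), b2, a2, NONCE)
    return c1, c2


def relayed_runs(d, b):
    """Alice and Charlie only forward messages between honest Danielle and honest Bob."""
    com = commit(d, NONCE)      # Danielle -> Charlie -> Alice -> Bob, unchanged
    coin_danielle = d ^ b       # Bob's bit b travels Bob -> Alice -> Charlie -> Danielle
    coin_bob = receiver_output(com, b, d, NONCE)   # Danielle's opening forwarded to Bob
    return coin_bob, coin_danielle


def equal_coins_distinguisher(outcome):
    """Outputs 0 (guess: real system) when the two coins agree, 1 (guess: ideal) otherwise."""
    return 0 if outcome[0] == outcome[1] else 1


def advantage(real_outcomes, ideal_outcomes, distinguisher):
    """d^D = 2 p_distinguish - 1 with the system chosen uniformly at random."""
    p_real = Fraction(sum(distinguisher(o) == 0 for o in real_outcomes), len(real_outcomes))
    p_ideal = Fraction(sum(distinguisher(o) == 1 for o in ideal_outcomes), len(ideal_outcomes))
    return 2 * ((p_real + p_ideal) / 2) - 1


# Ideal behaviour: two independent, uniformly random coins.
IDEAL = list(product((0, 1), repeat=2))


def advantage_against_relay():
    real = [relayed_runs(d, b) for d, b in product((0, 1), repeat=2)]
    return advantage(real, IDEAL, equal_coins_distinguisher)


def advantage_against_honest():
    real = [two_honest_runs(*bits) for bits in product((0, 1), repeat=4)]
    return advantage(real, IDEAL, equal_coins_distinguisher)


if __name__ == "__main__":
    print("relay:", advantage_against_relay())    # coins always agree
    print("honest:", advantage_against_honest())  # coins are independent
```

A purely classical check on the two honest outputs is enough here, which matches the paper's remark that a classical distinguisher suffices.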
Impossibility of BC and CD. Combined with Theorem 1 and Blum's construction [17], this implies impossibility of constructing any channel with delay or any commitment functionality (timed or arbitrarily long) given no initial shared resources.

Corollary 3 (Impossibility of CD).
It is impossible to construct, with $\varepsilon < \frac{1}{12}$, a channel with delay resource with non-empty trusted regions between two mutually distrusting parties solely through the exchange of messages through any classical, quantum or relativistic protocol.
A classical distinguisher suffices to tell apart the ideal functionality from any construction given by a protocol in C.
Proof.Follows directly from the impossibility of CF in Theorem 2 together with the construction of unbiased CF from CD (Theorem 1).(c) must be satisfied.The composition (1) of the system on the l.h.s. of (c) (Π A ) with that on the l.h.s. of (b) (Π B ) yields the system on the l.h.s. of (a) (Π A Π B ) which gives the condition (d) for the corresponding right hand sides (2) with σ AB = σ B σ A .To prove impossibility, we show in Appendix A that for any causal order of the messages c, c , b and b , the best possible classical, quantum or non-signalling strategy of σ leads to a distinguishing advantage of at least 3 = 1 2 (1 − p) between CF B σ CF A and CF in (d).Note that if the parties had access to a shared resource R, a condition analogous to (d) could not be obtained by composing (b) and (c), and the same impossibility proof would no longer be applicable.
Remark 4. Note that Corollary 3 is obtained through proof by reduction.If one applies the proof method of Theorem 2 directly to prove the impossibility of CD (by obtaining an analogue of Figure 6d for CD), one will see that the proof no longer holds for CDs for which the dishonest regions A D i and B D i have a non-zero overlap i.e. it is possible to construct a CD with overlapping dishonest regions without additional assumptions.Based on this observation and the impossibility result of Corollary 3 which implies the non-composability of existing bit commitment schemes, we conjecture that these schemes construct a CD functionality with overlapping dishonest regions.However, as seen in the constructibility result of Section 3.1, it is not possible to construct CF (or any other cryptographic resource) from a CD with overlapping dishonest regions.For such a resource, there exists no time window within which it can be guaranteed that the information in the channel was safe from both dishonest players.
Corollary 4 (Impossibility of BC). It is impossible to construct, with ε < 1/12, a bit commitment resource between two mutually distrusting parties solely through the exchange of messages through any classical, quantum or relativistic protocol. This rules out both arbitrarily long and timed commitments.
A classical distinguisher suffices to tell apart the ideal functionality from any construction given by a protocol in C.
Proof. Follows directly from the impossibility of CF in Theorem 2 together with the construction of 1/2-biased CF from BC using Blum's protocol [17].
Impossibility of improving a channel with delay. We show that it is not possible to use several channels with delay to construct, in a composably secure way, a better channel with delay: the trusted region of the constructed channel will be smaller than the trusted region of at least one of the individual channels used. In fact, the result is even stronger: the minimum distance between the dishonest regions of the constructed channel will be smaller than the minimum distance between the dishonest regions of at least one of the channels used. This means the maximal space-time region within which the information in the channel is guaranteed to be secure from both dishonest parties cannot be increased even with n copies of a channel. In the context of relativistic bit commitment this implies that it is not possible to increase the time within which the commitment is both hiding and binding even if n timed commitment resources are given. The proof can be found in Appendix A.
Theorem 5 (Impossibility of extending CD). Given n uses of channels with delay CD^1, ..., CD^n between Alice and Bob, it is impossible to construct with ε ≤ 1/2 a channel CD between the two parties with a trusted region that is strictly larger than the trusted region of any of the individual channels used.
This holds for all protocols in C. The distinguishers given here must be able to reproduce the protocols (for example, for classical honest protocols, classical distinguishers suffice to tell apart the constructed and ideal functionalities).

Discussion
The general framework for modelling composable security of relativistic quantum protocols developed here naturally lends itself to the study of novel possibility and impossibility results in relativistic cryptography and could provide key insights into classifying possible and impossible information-processing tasks.
Composability issues raised previously. Composability issues with Kent's 2012 protocol [1] have been briefly discussed in [10]. Firstly, it must be noted that the security definition used in the discussion of [10] (in their Appendix B) is composable only in a limited sense, in that it guarantees that a bit commitment protocol satisfying the security definition can be composed with itself to give secure string commitment. The definition requires that there exist a classical register containing the value of the committed bit and the joint state of the parties is conditioned on the value in this register. It however doesn't require that this value be known to the committer. It is hence susceptible to the MITM attack and cannot guarantee security under arbitrary composition with other protocols. Further, it is argued in [10] that as compared to the non-composable weakly binding security definition, this stronger, "composable" definition cannot be satisfied by protocols that do not assume the presence of some external system inaccessible to either party. For example, bit commitment in the bounded and noisy storage models can satisfy this stronger definition because they assume such an environment. However, our results show that the MITM attack makes these protocols non-composable even when we assume presence of such an external system. In fact, it is the presence of such an external, inaccessible system that allows a dishonest committer to outsource her commitment choice. This is irrespective of the reliability or size of the quantum storage available to the adversary. Thus the protocols in the bounded/noisy storage models are also susceptible to MITM.
Indefinite causal structures. The causal boxes formalism [6] can model superpositions of messages exchanged in a superposition of orders in (space-)time (e.g. the quantum switch [24]) by assigning different space-time stamps (or superpositions thereof) to different messages. Combining this with the abstract cryptography framework [5] as done in this paper allows us to model security for cryptographic protocols involving indefinite causal structures and dynamic ordering of messages. While here we focused mostly on known functionalities, the logical next step is to apply our formalism to new resources that make use of quantum superpositions of causal orders.
The framework strictly adheres to a global notion of order: any output can only depend on inputs produced in its causal past and this is valid globally for all causal boxes. In contrast to this approach, the process matrix formalism [25,26] also models indefinite causal structures that violate causal inequalities [27] and are not compatible with any global ordering. As far as we know, even for processes that do not admit a causal explanation, no inconsistencies have been found with other physical laws. Thus it is not known whether many of the causal structures modelled by this framework correspond to physically realizable processes [28].
In contrast, all causal orders implementable with causal boxes are physically realizable by definition (even if the exact processes and distributions are not, for example in the case of PR-boxes). Causal boxes are a physically motivated framework for understanding indefinite causal structures through their use in operational, information-processing tasks. A comparison of the systems modelled by each framework could provide insights into the properties of physical causal structures and help identify physical principles that govern causal structures found in nature [29,30].
Error tolerance. Realistic protocols, like those implemented with quantum preparations and measurements, always come with a small probability of error (for example, in Kent's protocol as in QKD schemes, this depends on the number of quantum states exchanged between the parties). One could be tempted to think that our impossibility results only hold for ideal resources, and it could actually be possible to build approximate functionalities, like a CD with a small probability of error. However, our results are robust under error tolerance. To see this, consider a resource CD_ε that is ε-close to CD according to the distinguishing distance. By the triangle inequality, if a real protocol implements a resource that is ∆-distinguishable from the ideal CD, it will be at least (∆ − ε)-distinguishable from CD_ε. For example, for an unbiased CF, we have ∆ = 1/6, so it is still impossible to perfectly build any CF that has an error tolerance smaller than that.
Minimal resources for constructions. Our results show that existing bit commitment protocols [1,2] cannot construct the target resource BC from an initial resource R (here R was void and only exchange of non-authenticated messages in Minkowski space was taken for granted). Nevertheless, we may still look for alternative initial resources R that allow the same protocols to construct BC. For example, taking R as the assumption (or assurance) that dishonest players cannot interact with third parties would make most of these protocols composably secure. To formalize this within the framework, one has to model such assumptions as resources, and explore their functionalities. It would be interesting to explore the minimal resources necessary to make existing protocols secure for construction of BC. It could be for example that all initial resources that allowed for this have undesirable consequences (like allowing for functionalities widely believed to be impossible).
Alternative space-time. We proved that taking our background physical theory to be special relativity (in the sense of Minkowski space-time with a finite speed of signalling) is not sufficient to make bit commitment possible. This holds when special relativity is combined with classical, quantum and more general non-signalling theories. One possible direction for exploration would be to apply our framework to theories with a space-time T that features a different causal order (one example could be general relativity) and test whether composable BC from communication alone is possible in such a theory. Alternatively we could even try to reverse-engineer this problem, and ask which causal properties of a space-time structure T could allow for BC [31].
Figure 7: Conditions for constructibility of a fair and unbiased coin flipping resource CF from a channel with delay resource CD with a non-empty trusted region.

A.2 Impossibility results
Theorem 2 (Impossibility of CF). It is impossible to construct, with ε < 1/6 (1 − p), a p-biased Coin Flipping resource between two mutually distrusting parties solely through the exchange of messages through any relativistic or non-relativistic protocol, be it classical, quantum or non-signalling.
A classical distinguisher suffices to tell apart the ideal functionality from any construction given by a protocol in C.
Proof. For the construction to be valid, all conditions of Figure 6 must hold. As explained in the figure caption, the first step is to combine the three conditions and use the triangle inequality to obtain Figure 6d, which we reproduce here for convenience. Next we will show that for any causal order of the messages c, c , b and b in Figure 6d, the best possible classical, quantum or non-signalling strategy of σ leads to a distinguishing advantage of at least 3ε = 1/2 (1 − p) between CF^b_B σ CF^b_A and CF^b. We present here only the optimal strategy; it is a straightforward if tedious calculation to verify that all other causal orderings and possible input-output correlations in each case do not yield a lower distinguishing advantage.
The simulator's task is to ensure to the best of its capabilities that c^A_o and c^B_o are equal. The causal order of the messages that provide σ with the maximum information to achieve this task is the one depicted by the directed acyclic graph (DAG) in Figure 8. This distinguishing advantage is equal to zero only when p = 1 (totally biased coin) and thus, for a non-trivial p, it is not possible to make the distinguishing advantage arbitrarily small.
Remark 5. The proof of Claim 2 is completely general and applies to quantum and non-signalling protocols as well. The apparent "classicality" of the proof is due to the fact that all inputs and outputs are classical bits as per the definition of the functionalities used. However, we only talk about the input-output correlations produced by the simulator σ and not the internal machinery used to produce these correlations, which could be classical, quantum or non-signalling, and the impossibility holds for all classical, quantum and non-signalling strategies that σ could adopt to produce these correlations. A particular input-output correlation could be generated through many different strategies but it turns out in this particular case that there exists a simple classical strategy that perfectly produces these correlations (look at the value of c and set b = b = c all the time), which is why we use correlations produced by σ and strategy adopted by σ quite interchangeably. But one must keep in mind that this in no way restricts the simulator to classical strategies.
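The simple classical strategy named in Remark 5, worked through exhaustively as an added example (not code from the paper): it enumerates both coins and both bias events of the composed system of Figure 6d, with the simulator copying the first coin it sees into both of its inputs, and compares the resulting outputs with an ideal coin flip. The names c1, c2, b1, b2 are this example's own labels for the two coins and the simulator's two inputs; the two bias events are assumed independent, and the factor 3 is taken from the 3ε bound in the proof.

```python
from fractions import Fraction
from itertools import product

# Ideal coin flip: both parties always receive the same uniformly random bit.
IDEAL_COIN_FLIP = {(0, 0): Fraction(1, 2), (1, 1): Fraction(1, 2)}


def copy_first_coin(c1, c2):
    """Strategy from Remark 5: look at one coin and feed it to both resources."""
    return c1, c1


def joint_output_distribution(p, strategy=copy_first_coin):
    """Exact distribution of (Alice's output, Bob's output) of the composed system.

    c1 is the coin of the p-biased resource whose honest side faces Alice,
    c2 the coin of the one whose honest side faces Bob (labels are ours).
    strategy(c1, c2) -> (b1, b2): the simulator learns both coins before it
    chooses its inputs, which is the causal order of Figure 8.
    Each honest output equals the simulator's input with probability p,
    and the resource's own coin otherwise.
    """
    p = Fraction(p)
    dist = {}
    for c1, c2, bias1, bias2 in product((0, 1), repeat=4):
        b1, b2 = strategy(c1, c2)
        weight = Fraction(1, 4)              # two independent uniform coins
        weight *= p if bias1 else 1 - p      # bias event on Alice's output
        weight *= p if bias2 else 1 - p      # bias event on Bob's output
        out_alice = b1 if bias1 else c1
        out_bob = b2 if bias2 else c2
        key = (out_alice, out_bob)
        dist[key] = dist.get(key, Fraction(0)) + weight
    return dist


def probability_outputs_equal(p, strategy=copy_first_coin):
    """Probability that the two honest outputs agree."""
    dist = joint_output_distribution(p, strategy)
    return sum((w for (x, y), w in dist.items() if x == y), Fraction(0))


def statistical_distance(d1, d2):
    """Total variation distance: the advantage of the best distinguisher
    that sees only the two outer outputs."""
    keys = set(d1) | set(d2)
    total = sum((abs(d1.get(k, Fraction(0)) - d2.get(k, Fraction(0)))
                 for k in keys), Fraction(0))
    return total / 2


def distance_from_ideal(p, strategy=copy_first_coin):
    """Distance between the composed system's outputs and an ideal coin flip."""
    return statistical_distance(joint_output_distribution(p, strategy),
                                IDEAL_COIN_FLIP)


def epsilon_lower_bound(p):
    """The proof bounds 3*epsilon by this distance, so epsilon >= distance / 3."""
    return distance_from_ideal(p) / 3


if __name__ == "__main__":
    for p in (Fraction(0), Fraction(1, 4), Fraction(1, 2), Fraction(1)):
        print(f"p={p}: P(equal)={probability_outputs_equal(p)}, "
              f"distance={distance_from_ideal(p)}, "
              f"epsilon>={epsilon_lower_bound(p)}")
```

For p = 0 and p = 1/2 the last column gives 1/6 and 1/12, the values quoted for unbiased coin flipping and for Corollary 4.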
Theorem 5 (Impossibility of extending CD). Given n uses of channels with delay CD^1, ..., CD^n between Alice and Bob, it is impossible to construct with ε ≤ 1/2 a channel CD between the two parties with a trusted region that is strictly larger than the trusted region of any of the individual channels used.
This holds for all protocols in C. The distinguishers given here must be able to reproduce the protocols (for example, for classical honest protocols, classical distinguishers suffice to tell apart the constructed and ideal functionalities).
Proof. To construct a channel CD between Alice and Bob given n uses CD^1, ..., CD^n of channels between Alice and Bob, the conditions given in Figure 9 must be satisfied such that ε is a small, non-negative number ∀ distinguishers D ∈ D. We make no assumptions regarding the order of the space-time points (or regions) P_I, P_1, ..., P_n, Q_1, ..., Q_n, R and P_F in Figure 9 except for the constraints given by the definition of the channel with delay functionalities involved, namely that: P_I ≺ P_F, P_i ≺ Q_i ∀i ∈ {1, 2, ..., n}. This is because by definition, the output of a channel with delay can only be produced in the causal future of the point where it receives its input. We also do not restrict the channels to transmitting only classical information: each instance of a channel with delay here can carry a single classical or quantum bit.
Let a be the classical/quantum bit to be sent through the resultant channel CD. In general, this can be achieved by sending the classical/quantum bits a_1, ..., a_n through the channels CD^1, ..., CD^n respectively and exchanging any other classical or quantum information, which we denote by b, within the space-time region R ∈ D(P, T). The information b could consist of any number of classical or quantum bits exchanged between Alice and Bob (Figure 10). We assume that the bits a_1, ..., a_n and the information b are all required to uniquely determine a, and no subset of M = {a_1, ..., a_n, b} can give away information about the bit a. If this was not the case and say some subset S ⊂ M could be used to uniquely determine a, there would be no point sending the remaining information in M \ S, so we could simply remove those resources from the construction. Let us now analyse the security conditions.
Figure 9: Conditions for building a channel with delay CD out of n channels with delay CD^1, ..., CD^n.
Figure 10: Example of the construction of a channel CD from two channels CD^1 and CD^2 with circular dishonest regions. For the construction to be possible, the red semi-circle is part of Alice's dishonest region for the constructed channel which must enclose the gray circles around P_1 and P_2 and a part of the region R while the blue semi-circle which represents Bob's dishonest region for CD must either completely include the grey circle around Q_1 or that around Q_2. In both cases the trusted region is reduced (in fact, for this particular example, no trusted region exists for the constructed channel while clearly a non-empty trusted region exists for channel CD^2).
(a) When both parties are honest: It is possible to satisfy the condition of Figure 9a for a suitable choice of messages and space-time points such that the honest delay of the constructed channel is larger than that of any of the channels used. The problem only arises when the players are dishonest (which in general they could be).
(b) When the receiver (Bob) is dishonest: In the real protocol of Figure 9b, dishonest Bob can now access the outputs of the channels CD^i_B at the dishonest locations Q_i respectively. On the ideal side, the simulator σ_B can access the output a of the ideal functionality CD_B possibly at P F ≺ P F . Let b_sent be the set of all messages in b sent by Alice (to Bob) and b_rec be the set of all messages received by Alice (from Bob) such that b_sent ∪ b_rec = b, and let R_sent and R_rec with R_sent ∪ R_rec = R be the corresponding sets of space-time points. Now at least one of a_1, ..., a_n, b_sent must depend on the bit a; if not, none of the messages sent would depend on a and it would not be possible to perfectly recover a given all the messages in M.
Hence, a suitable σ_B could possibly exist if and only if Condition (I) or Condition (II) or both hold.
(c) When the committer (Alice) is dishonest: In the real protocol of Figure 9c, dishonest Alice can input a_i to CD^i_A from the corresponding dishonest locations P_i. On the ideal side, the simulator σ_A can possibly delay the input a to the ideal functionality CD_A to the spacetime point P I P . Since all of M = {a_1, ..., a_n, b} are required to perfectly recover a and no strict subset of them will give any information about a, a suitable simulator σ_A exists in Figure 9c if and only if both Conditions (III) and (IV) hold.
From the above analysis, Conditions (III) and (IV) must be satisfied for the existence of an appropriate σ_A and at least one of Conditions (I) and (II) must be satisfied for the existence of an appropriate σ_B. Hence, if Conditions (I), (III) and (IV) or Conditions (II), (III), (IV) could be satisfied simultaneously, the construction would be possible. However, Conditions (II) and (IV) together imply that P_F ≺ P_I, which would result in a constructed channel CD with no trusted region. Thus we rule out this option and focus on the first option, i.e., satisfying Conditions (I), (III) and (IV).
Condition (III) states that P_i ≺ P_I ∀i ∈ {1, ..., n}. This means that for each i and any possible P_i at which a dishonest sender can send an input into the channel CD^i_A, there should be a point P I P i from which a dishonest sender must be allowed to send an input into the constructed channel CD_A, which leads to Condition (V). An example for the special case of circular dishonest regions is illustrated in Figure 10.
• Condition (V): Alice's dishonest regions corresponding to each of the channels CD^i must lie entirely within Alice's dishonest region for the constructed resource CD.
Condition (I) states that ∃i ∈ {1, ..., n} such that P_F ≺ Q_i, which leads to Condition (VI).
• Condition (VI): Bob's dishonest region for at least one of the channels CD^i must be entirely contained within his dishonest region for the channel CD.
In particular, let this be the case when i = j for some j ∈ {1, ..., n}, i.e. Bob's dishonest region for the channel CD^j lies entirely within his dishonest region for CD. Alice's dishonest region for this j-th channel also lies completely within her dishonest region for CD by Condition (V). Thus for this particular channel, both Alice's and Bob's dishonest regions lie entirely within their respective dishonest regions for the constructed channel CD and the shortest distance between Alice's and Bob's dishonest regions for CD must be less than that of CD^j. As a consequence, the trusted region for the constructed channel must be smaller than the trusted region of the j-th channel and the constructed channel cannot have a trusted region that is larger than that of every channel used.
If this is the case, all three Conditions (I), (III) and (IV) can in principle be satisfied and there can exist simulators σ_A and σ_B such that Π constructs CD from CD^1, ..., CD^n for a suitably small ε. However, the constructed resource will have a smaller trusted region as compared to at least one of the channels CD^i used.
In the case that neither of Conditions (I), (III) and (IV) or Conditions (II), (III) and (IV) are satisfied simultaneously, the construction would no longer be secure. This is because either σ_B cannot access the ideal channel's output on time and would at best guess a value a_guess for the bit a and generate a_1, ..., a_n, b_sent according to this guess (and possibly the inputs b_rec), or σ_A does not receive all inputs a_1, ..., a_n, b_sent on time and can again only guess a value for a to be input into CD_A at P_I.
In Figure 9b, a distinguisher that is given black-box access to the real and ideal systems and a description of the honest protocols could prepare and send a classical/quantum bit a at P_I through the left interface and the messages in b_rec in R_rec through the right interface. It could then run the protocol Π_A internally to generate the messages a_1, ..., a_n, b_sent from the bit a and check (at some point in the joint causal future of the relevant points) if a_1, ..., a_n, b_sent and the messages a_1, ..., a_n, b obtained at the right interface are the same. Note that the encryption scheme has to be deterministic for Π_B to perfectly decrypt a in the original honest protocol. Since the messages a_1, ..., a_n, b are generated by encrypting Sim_B's guess a_guess of a, which is completely independent of the actual value of a, such a distinguisher yields a distinguishing advantage of at least 1/2.
Similarly, in Figure 9c, the distinguisher could input the messages {a_1, ..., a_n, b_sent} at the left interface and receive b_rec at the left interface and a at the right interface. It could then run the protocol Π_B to decrypt the messages {a_1, ..., a_n, b} to obtain a classical/quantum bit a and check if this is equal to the a that was obtained at the right interface. Again, by the same argument, this would lead to a distinguishing advantage of at least 1/2.
Hence the distinguishers required in this impossibility proof are as strong as the protocols used. For example, if the protocol Π = {Π_A, Π_B} was classical, the corresponding distinguishers would also be classical.
Remark 6. Since for at least one of the channels used (say the j-th one), the dishonest regions of both parties are contained within the corresponding dishonest regions of the constructed channel, the minimum distance between the dishonest regions of the constructed channel must be less than the minimum distance between the dishonest regions of the j-th channel. This means the maximal space-time region within which the information in the channel is guaranteed to be secure from both dishonest parties cannot be increased even with n copies of a channel. In the context of relativistic bit commitment this implies that it is not possible to increase the time within which the commitment is both hiding and binding even if n timed commitment resources are given.

B Extra results
In Section 2.3.2, the dishonest functionalities of the unbiased resource CF were varied to define the weaker, p-biased resource CF^b. Here we define another such variation, the unfair coin flipping resource CF^uf, and prove that it is a stronger resource than a p-biased resource. Then, by reduction, Claim 2 implies the impossibility of unfair coin flipping without any assumptions.
may also receive the abort input and it forwards c with probability (1 − p) and the flipped bit c with probability p if it receives ⊥ from the unfair CF resource and forwards only c otherwise. The construction is perfect because the probability distribution for obtaining the outputs c and c from the real system is the same as the probability distribution for obtaining the outputs c and c from the ideal system and hence the two are perfectly indistinguishable. The argument for dishonest Alice is identical.
Figure 11: Constructibility of a p-biased CF resource from an unfair CF resource. We have dropped the space-time labels corresponding to the messages to avoid unnecessary annotations, but it is easy to see that there exist space-time labels for each message involved such that the above construction is satisfied.
a), (b) and (c) do not all hold. The strength of a security proof depends on the range of the class S of simulators and protocols and the class D of distinguishers used in the security definition:

Figure 5: a. Causal boxes are information processing systems that respect causality and are closed under composition (serial, parallel or loops). Arbitrary composition of the causal boxes Φ, Ψ and Λ is a causal box Ω. b. Minkowski space-time. The causal diamond of the space-time points A and B (shaded in gray) with A ≺ B is denoted by D(A, B). In this figure, point C ∈ D(A, B) and point D is space-like separated from A since the future light cone of neither of the points completely contains the future light cone of the other.

Definition 7 (Coin flipping, CF). A fair and unbiased coin flipping resource, CF = {CF, CF_A, CF_B}, is a cryptographic resource between two agents Alice and Bob, defined as:
CF: Alice receives a uniformly random bit c at location P , and Bob receives the same bit at location P .
CF_A and CF_B: identical to CF.
By varying the functionalities for dishonest parties, we obtain weaker resources. For example, a p-biased coin flipping functionality for dishonest Bob is defined as:
CF^b_B: Dishonest Bob receives his coin flip output c in advance at location P_1 and at location P 2 P 1 he may input a bit b conditioned on the value of c. Alice receives a bit c^A_o at location P P 2 : with probability p she receives c^A_o = b, else c^A_o = c. Causality requirement: P_1 ≺ P_2 ≺ P.

Remark 3. The bias of a coin flip (where the coin is modelled as a binary random variable C) is defined as b(C) = 1 − 2 P_C(c = 1), where P_C(c = 1) is the probability that the outcome of the coin flip equals 1. A p-biased coin flipping resource can produce a maximum bias of p on the honest party's output for any biasing strategy of the dishonest party, i.e. |b(C_o)| ≤ p ∈ [0, 1].

Figure 6: Impossibility of coin flipping: proof sketch. For a p-biased Coin Flipping to be ε-constructible solely through the exchange of messages, conditions (a)-(c) must be satisfied. The composition (1) of the system on the l.h.s. of (c) (Π_A) with that on the l.h.s. of (b) (Π_B) yields the system on the l.h.s. of (a) (Π_A Π_B), which gives the condition (d) for the corresponding right hand sides (2) with σ_AB = σ_B σ_A. To prove impossibility, we show in Appendix A that for any causal order of the messages c, c , b and b , the best possible classical, quantum or non-signalling strategy of σ leads to a distinguishing advantage of at least 3ε = 1/2 (1 − p) between CF_B σ CF_A and CF in (d). Note that if the parties had access to a shared resource R, a condition analogous to (d) could not be obtained by composing (b) and (c), and the same impossibility proof would no longer be applicable.
, where σ can learn the values of c and c first and accordingly correlate the values of b and b which are then input to CF^b_A and CF^b_B respectively. In this case, the best possible strategy that the simulator could adopt would be one where it produces the input-output correlations b = b = c or b = b = c all the time. The probability that c^A_o equals c^B_o for such a strategy (say, b = b = c) is:
P (c A o = c B o ) = P (c A o = c B o |c = c ).P (c = c ) + P (c A o = c B o |c = c ).P (c = c ) c A o = c B o |c = c ,both biased).P (both biased) + P (c A o = c B o |c = c , A biased).P (A biased) + P (c A o = c B o |c = c , B biased).P (B biased) + P (c A o = c B o |c = c , none biased).P (none biased)] p 2 + 0.p(1 − p) + 1.p(1 − p) + 0.(1 − p)
An LOCC distinguisher connected to CF^b_B σ CF^b_A or CF^b can access the two outputs produced at the outer interfaces of these systems. If the distinguisher guesses CF^b_B σ CF^b_A every time the two outputs differ in value and CF^b_B σ CF^b_A or CF^b with uniform probability every time the two outputs are equal, the distinguishing advantage would be:

Figure 8: The causal ordering of inputs and outputs of simulator σ (see Figure 6d) that provide it the maximum information about the outputs c o and c o . C, C , B and B (∈ {0, 1}) represent the random variables of which the corresponding lower-case letters are specific instances. In addition, B and B may causally influence each other, but this does not offer any advantage to σ because the optimal strategy is where both b and b depend on c (or c ).
When both parties are honest, the outcomes of the unfair resource CF^uf are never equal to ⊥ and the protocols Π_A and Π_B simply forward the bit c received at the inner interface to their outer interface. This is a perfect construction since CF^uf = CF^b. The simulator Sim_B for dishonest Bob simply forwards c received at its inner interface to its outer interface and sets b = c if it receives ⊥ at the outer interface and b = c otherwise. Now the protocol Π_A

Remark 2. A possibility result for
is dishonest and Alice is honest, the resulting system must be ε-simulatable by connecting a converter σ_B to Bob's interface of S_B.
a construction R → S with parameters (ε, S, D) is a statement of the form: there exists a protocol Π
D i . Honest Bob receives the message at B_i.
the channel is defined by the following functionalities. CD^i: Honest Alice inputs a qubit a into the channel at location A_i, that is, the input message is (a, A_i). Honest Bob receives a at B_i. CD^i_A: Dishonest Alice inputs (a, A i ) at any point A i in the region A B : Honest Alice inputs (a, A_i) at A_i. Dishonest Bob receives the message at any point B i in the region B^D_i.