Device-independent two-party cryptography secure against sequential attacks

The goal of two-party cryptography is to enable two parties, Alice and Bob, to solve common tasks without the need for mutual trust. Examples of such tasks are private access to a database, and secure identification. Quantum communication enables security for all of these problems in the noisy-storage model by sending more signals than the adversary can store in a certain time frame. Here, we initiate the study of device-independent (DI) protocols for two-party cryptography in the noisy-storage model. Specifically, we present a relatively easy to implement protocol for a cryptographic building block known as weak string erasure and prove its security even if the devices used in the protocol are prepared by the dishonest party. DI two-party cryptography is made challenging by the fact that Alice and Bob do not trust each other, which requires new techniques to establish security. We fully analyse the case of memoryless devices (for which sequential attacks are optimal) and the case of sequential attacks for arbitrary devices. The key ingredient of the proof, which might be of independent interest, is an explicit (and tight) relation between the violation of the Clauser–Horne–Shimony–Holt inequality observed by Alice and Bob and uncertainty generated by Alice against Bob who is forced to measure his system before finding out Alice’s setting (guessing with postmeasurement information). In particular, we show that security is possible for arbitrarily small violation.


I. INTRODUCTION
Quantum key distribution [BB84, Eke91] (QKD) allows two honest parties, Alice and Bob, to protect their communication from a nosy eavesdropper. Yet, there are many other tasks that Alice and Bob may wish to solve in which they themselves do not trust each other; secure identification is one such example. Here, Alice wants to identify herself to Bob without revealing her password. Bit commitment and oblivious transfer constitute other well-known examples of such tasks.
It is intuitive that security for two-party cryptographic protocols is more difficult to achieve than for QKD, since Alice and Bob cannot help each other to check on the eavesdropper. Instead, every party has to fend for itself. It turns out that even using quantum communication Alice and Bob cannot achieve security without making additional assumptions [May97, LC97, Lo97, Col07]. Usually one relies on computational assumptions, i.e. that solving a computational puzzle requires a large amount of computing resources, namely more than is available to the adversary. Instead of relying on computational assumptions, however, it is possible to make physically motivated assumptions, for example that the adversary's ability to store information is limited. Introducing such storage restrictions was pioneered by Maurer [Mau91], who considered imposing a restriction on the adversary's ability to store classical bits, known as the bounded-storage model. Unfortunately, the fact that (i) classical storage is cheap and plentiful and (ii) the gap between what the honest parties need to implement the protocol and what a dishonest party needs to break it is only polynomial [Cac97] renders this model less practical. In contrast, storing quantum information reliably is an extremely difficult problem, motivating the so-called bounded-quantum-storage [DFSS05, DFR+07] or, more generally, noisy-storage model [WST08, KWW12]. The noisy-storage model admits protocols that require no quantum storage for the honest execution and that can be implemented in a manner similar to QKD using BB84 [WST08, KWW12, DFW15], six-state [BFW14] or continuous-variable [FSW15] encodings. Significantly, security can always be achieved as long as the number of qubits n sent in the protocol is only slightly larger than the number of qubits r that the adversary can store, that is, whenever $r \leq n - O(\log n)$ [DFW15], which is essentially optimal. First implementations of bit commitment [NJM+12] and oblivious transfer [ENG+14] in the noisy-storage model have been demonstrated. Note that there exist other assumptions that make two-party cryptography possible, e.g. that the two parties are given access to guaranteed additional resources [Riv99, Cré97, WNI03], or that they must delegate agents who cannot communicate during the protocol (which might be motivated by special relativity) [BGKW88, Ken99, Ken05, Sim07, CSST11, Ken11, Ken12, KTHW13, Kan15]. The noisy-storage model is particularly interesting since, in contrast to computational or relativistic assumptions, security is preserved even if the assumption is invalidated at a later point. That is, security cannot be broken retroactively if the adversary acquires a larger quantum storage device in the future, making this assumption completely future-proof.
One of the central questions in (quantum) cryptography is finding the minimal assumptions which are sufficient to guarantee security. For example, in the standard QKD scenario we assume that the quantum channel between Alice and Bob is untrusted (i.e. it is fully controlled by the eavesdropper) but the devices used by Alice and Bob inside their laboratories are fully characterised. Already early on, however, it was recognized that violation of a Bell inequality is intimately linked to cryptographic security [Eke91]. Mayers and Yao [MY98, MY04] went on to realise that quantum states can be self-tested, i.e. that certain quantum properties can be verified by a purely classical user, which started the field of device-independent (DI) quantum cryptography. In DI cryptography, instead of assuming that we know how the devices work, we simply test them during the protocol by using them to exhibit Bell nonlocality [BCP+14]. DI cryptography has been one of the most active research topics within quantum cryptography, predominantly in the context of QKD [BHK05, AGM06, ABG+07, BCK13, RUV13, VV14, MS14a, MS14b, ARKP15] and randomness expansion or amplification [CK11, PAM+10, VV12, CVY13, BPPP14, MS14a, MS14b].
DI two-party cryptography, on the other hand, remains a largely unexplored territory. Security of a protocol for imperfect coin flipping and bit commitment has been analysed in the DI regime [SCA+11, AMPS16]. Significantly, the setting considered by these works is different: since the authors do not impose any extra assumptions, they cannot hope to reach the perfect primitive, so they aim for an imperfect implementation instead. Moreover, Adlam and Kent have recently proposed a DI relativistic bit commitment protocol [AK15], which allows security for a fixed amount of time under the assumption that each party is split into space-like separated agents.
Here, we take the very first step in proving DI security for two-party cryptographic protocols in the noisy-storage model. That is, we establish the security of these protocols even if the devices are not trusted, under some extra assumptions (either we require the devices to behave identically in every round or we require the attack of the dishonest party to be sequential). To accomplish this, there are a number of conceptual as well as technical hurdles to cross.
1. In QKD Alice and Bob are always honest, while Eve is always trying to break the protocol. In DI QKD it is therefore natural to give the power to prepare the devices to Eve. Analogously, we will assume here that all the devices used in the protocol are always prepared by the dishonest party.
2. In the following section we will see that the protocol we start with uses quantum communication between Alice and Bob. This means that the adversary who prepared the devices will receive quantum communication coming back from the devices. This is in sharp contrast to DI QKD, in which Eve prepares the devices (with which she is possibly entangled) and then Alice and Bob simply push buttons on the devices to perform measurements. That is, there is no quantum communication going back to Eve. This feature introduces a significant difference between the security analysis of DI QKD and the DI two-party cryptography protocol considered here, and requires us to develop novel proof techniques.

A. Results
To establish DI security of two-party protocols, we establish the DI security of a universal two-party primitive known as weak string erasure (WSE) [KWW12]. The most convenient way of describing a new primitive is to specify its input-output behaviour. Such an abstract description is known as the ideal functionality, and the ideal functionality of WSE is explained in Fig. 1. Universality means that a secure implementation of WSE can be used to construct any other two-party cryptographic primitive. In particular, the well-known primitive of bit commitment can be obtained from WSE using classical post-processing. Since classical post-processing is trusted in the model of DI quantum cryptography, once we construct a DI protocol for WSE we have obtained a protocol for any primitive that can be obtained from WSE using classical post-processing. Moreover, the final security bound (1) immediately implies the device-independent security of an oblivious transfer protocol in the bounded-storage model (for details see Section 4). We propose a DI protocol for WSE whose security is certified by the violation of the Clauser-Horne-Shimony-Holt (CHSH) [CHSH69] inequality (see Section II B 1 for details). We make the assumption that it is always the dishonest party that produced the devices. However, we will argue that dishonest Alice cannot gain any advantage by preparing Bob's devices, so only the case of dishonest Bob requires detailed analysis. Before the protocol begins Bob provides Alice with two separate devices: a source of bipartite quantum states combined with a measurement device (the main device), plus one additional measurement device that Alice can use for testing (see Fig. 2). According to the ideal specification this setup should be capable of producing the maximal violation of the CHSH inequality. In the protocol, Alice uses a switch to send a quantum state either to the test device or to Bob. That is, she sometimes uses her devices to violate the CHSH inequality (the test rounds), while sometimes she only measures one of the particles and passes the other one to Bob (the live rounds). Intuitively, observing a high CHSH violation in the test rounds implies that the measurements performed by the devices are incompatible, which leads to uncertainty (against a classical adversary) in the live rounds. For completeness, let us stress the importance of the assumption that Alice has full control over the switch, i.e. she is free to choose which rounds are used for testing and which rounds are used in the protocol (sometimes referred to as the free-will assumption). This assumption is crucial from the theoretical point of view (it implies that the sample used to assess the performance of the devices cannot be influenced by the dishonest party, which is important since in many cases even limited influence may completely break the security), but it is also reasonable from a practical point of view (a switch is a simple enough device to be prepared by Alice herself).

Fig. 2. The main device prepares an EPR pair |Ψ_AB⟩, measures the A system in either the computational (θ = 0) or Hadamard (θ = 1) basis (chosen uniformly at random) to produce x ∈ {0, 1}, while the B system is sent to the switch. Now Alice chooses to either perform a test or play a live round. Whenever she decides to execute a test (with probability q), the switch directs B to the test device and she performs a CHSH test between the main device and the test device. That is, she chooses a random input t ∈ {0, 1} and checks the CHSH condition x ⊕ y = θ · t on the outputs x, y ∈ {0, 1}. Whenever she decides to play a live round (with probability 1 − q), she uses the switch to send B to Bob, who measures the incoming qubit in either the computational (θ′ = 0) or Hadamard (θ′ = 1) basis (chosen uniformly at random) to produce z ∈ {0, 1}. After n live rounds both parties wait time Δt, which enforces the storage assumption, after which Alice announces her basis string θ^n = θ_1 θ_2 ... θ_n. At the end Alice holds a random string x^n = x_1 x_2 ... x_n, while Bob has an index set I = {j ∈ [n] : θ_j = θ′_j} and the substring x_I := (x_j)_{j∈I}.
In the dishonest scenario we allow Bob to prepare all the devices and in addition he receives quantum communication from Alice during the protocol as depicted in Fig. 3. Here, we analyse two distinct security models.

• Memoryless devices (against an arbitrary attack)
We call a device memoryless if its behaviour is identical every time it is used and there are no correlations between different uses. This is a convenient assumption because for such devices the observed CHSH violation β is a well-defined quantity and can be estimated to arbitrary precision. As explained in Fig. 1, the goal of WSE is to generate a string X^n about which Bob is at least partially ignorant, as quantified by the min-entropy H_min(X^n|Bob). For a Bob whose quantum storage is restricted to dimension at most d we show that
$$H_{\min}(X^n|\mathrm{Bob}) \geq n f(\beta) - \log d, \tag{1}$$
where f(β) is a simple function plotted in Fig. 4 and log ≡ log_2. Thus, to achieve security against such an adversary it suffices to choose n large enough to guarantee n f(β) − log d > 0. For adversaries whose quantum storage is noisy rather than bounded the analysis is slightly more involved and can be found in Section II C 1 (explicit security bound in Proposition 5). In either case a positive min-entropy rate implies that the protocol can be used for constructing more complicated primitives like bit commitment or oblivious transfer.

• General devices against a sequential attack
In the case of devices with memory (whose behaviour may change during the protocol, and in particular there might be correlations between different rounds) the analysis is more involved from both the conceptual and the technical point of view. First, we must realise that we cannot test the devices in advance (to estimate their quality) and use the results to make a security statement, simply because the behaviour of the devices might change in time. In particular, it is clear that the devices must not know whether they are currently being tested or not. Therefore, the test rounds and the live rounds must be interspersed and we can only make a security statement about the combined performance.
In this case the test rounds must be explicitly included in the protocol, and we adopt the simplest solution: before every round Alice flips a biased coin and either plays a test round (with probability q) or a live round (with probability 1 − q). After n rounds she computes the fraction of successful CHSH rounds f_CHSH and checks whether it exceeds some previously chosen threshold γ. Note that estimating f_CHSH plays the role of estimating β in the memoryless scenario: once the devices are allowed to have memory and to change behaviour from round to round, β is no longer a well-defined quantity and f_CHSH is the best approximation thereof. If f_CHSH ≥ γ she declares the protocol to have terminated successfully, otherwise she aborts. Intuitively, what we want to avoid is the situation in which Alice believes that the protocol has terminated correctly but Bob nevertheless knows the entire string x^n; we denote such an event by F (failure). Suppose n rounds are executed with parameters q ∈ [0, 1] and γ ∈ [3/4, 1]. We call an attack sequential if after every round Bob is required to produce a classical outcome and his guess for that round is required to be a (classical) post-processing of that outcome combined with the basis information and any information from the previous rounds (see Section II C 2 for a more detailed explanation). It is worth noting that this assumption removes the need to restrict Bob's storage capabilities: since he is forced to commit to his guess immediately after the round is over, storing the quantum system does not help. We show that in the sequential scenario the probability of failure is bounded by
$$\Pr[F] \leq \alpha_{\min}(q,\gamma)^{n}, \tag{2}$$
where α_min(q, γ) can be easily calculated for any (valid) choice of q and γ (cf. Fig. 5). Alternatively, we can write Pr[F] in terms of the probability of passing the test p_pass and the probability of successfully guessing the entire "live" string (restricted to sequential guessing strategies, see Section II B 2 for a precise definition) conditioned on passing the test, p^seq_guess(X_L|Bob, pass):
$$\Pr[F] = p_{\mathrm{pass}} \cdot p^{\mathrm{seq}}_{\mathrm{guess}}(X_L|\mathrm{Bob},\mathrm{pass}).$$
Our analysis is tight in the sense that it identifies correctly the pairs (q, γ) for which security is possible, i.e. we show that α_min(q, γ) < 1 unless q = 0 (Alice never tests), q = 1 (Alice never plays a live round) or γ = 3/4 (the threshold can be achieved by a classical strategy). This means that the probability of the devices performing well in the test rounds while failing to implement a secure WSE decays exponentially in the total number of rounds. The technique we use to prove this result is generic and can be applied to any situation in which the combined performance of two (or more) games is assessed (as long as there is some non-trivial trade-off between them).
These two contributions should be seen as steps towards a security proof against the most general attack. The memoryless model might be of independent interest since it captures the case of devices which are faulty rather than malicious (e.g. due to some misalignment of optical components); such scenarios are usually modelled as permanent deviations from the ideal specification rather than time-dependent ones.

II. METHODS
In Section II A we present the original protocol for WSE using trusted devices, in Section II B we introduce the relevant quantities and prove some technical lemmas, in Section II C 1 we formalise the scenario of memoryless devices and prove security statement (1), and in Section II C 2 we analyse the case of arbitrary devices against sequential attacks and prove security claim (2).

A. The original WSE protocol for trusted devices
To build intuition, let us first describe the original protocol for WSE [KWW12], which works under the assumption that the devices used by Alice and Bob are perfect and prepared in a trustworthy fashion. We sketch out a simple security argument and discuss how to make the protocol device-independent. Note that there exist more sophisticated arguments which give better security guarantees, but they seem to be more difficult to adapt to the DI scenario.
Protocol 1: WSE in the noisy-storage model
(1) Alice chooses uniform strings x^n, θ^n ∈ {0, 1}^n, prepares the state
$$\bigotimes_{j=1}^{n} H^{\theta_j} |x_j\rangle,$$
where H is the Hadamard gate, and sends it to Bob. (Note that this is just a sequence of n randomly chosen BB84 [BB84] states.)
(2) Bob chooses a uniform n-bit string θ′^n ∈ {0, 1}^n and measures the j-th qubit in the computational (if θ′_j = 0) or Hadamard (if θ′_j = 1) basis.
(3) Alice waits a fixed amount of time (to enforce the restriction on Bob's quantum memory) and then sends θ^n to Bob.
(4) Bob determines the index set as
$$I := \{\, j \in [n] : \theta_j = \theta'_j \,\}$$
and obtains the corresponding substring x_I.
Correctness of this protocol is easy to verify because the string x^n is chosen uniformly at random by Alice and with high probability Bob measures roughly half of the qubits in the correct basis. Security for honest Bob is a direct consequence of the fact that the index set is determined by the positions at which θ_j ⊕ θ′_j = 0. Since θ′^n is chosen uniformly at random by Bob, every index set is equally likely (and Alice is fully ignorant about it). Therefore, the only non-trivial scenario is the case of honest Alice.
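The following Python script is an added example (it is not code from the paper) that runs Protocol 1 together with the test/live switch of the DI variant described above: in each round Alice either performs a CHSH test (probability q) or plays a live round in which the B half goes to Bob, she aborts if the observed fraction f_CHSH falls below γ, and after the basis announcement Bob computes the index set I and x_I. No quantum states are simulated: the honest device samples the statistics of an EPR pair directly (CHSH win probability cos²(π/8), equal bases give equal outcomes), and the deterministic "classical" device is a constructed stand-in for a device prepared by dishonest Bob that leaks Alice's bit to him.

```python
"""Round-level simulation of WSE with Alice's test/live switch.

Added example, not the paper's code.  Devices are plain functions; the ideal
device samples the EPR-pair statistics (no quantum simulation), the classical
device is a constructed deterministic one that wins CHSH with probability 3/4.
"""
import math
import random

CHSH_QUANTUM = math.cos(math.pi / 8) ** 2   # ~0.854, optimal quantum win probability


def ideal_device(rng):
    """Honest memoryless device: returns (main, test, bob) callables."""
    def main():                       # measure the A half in basis theta -> x
        theta, x = rng.randrange(2), rng.randrange(2)
        return theta, x, {"theta": theta, "x": x}     # B half carried as a record
    def test(B, t):                   # test device: input t, output y
        target = B["x"] ^ (B["theta"] & t)             # the y that wins CHSH
        return target if rng.random() < CHSH_QUANTUM else target ^ 1
    def bob(B, theta_prime):          # Bob measures the B half in basis theta'
        return B["x"] if theta_prime == B["theta"] else rng.randrange(2)
    return main, test, bob


def classical_device(rng):
    """Deterministic device prepared by dishonest Bob: x = y = 0 always.
    It wins CHSH iff theta * t = 0 (3/4 of the rounds) and leaks x to Bob."""
    def main():
        return rng.randrange(2), 0, {"x": 0}
    def test(B, t):
        return 0
    def bob(B, theta_prime):
        return B["x"]                  # Bob learns x whatever basis he claims
    return main, test, bob


def run_wse(device, n_live, q, gamma, seed=0):
    """Alice flips a q-biased coin each round: test (CHSH check) or live (B half
    to Bob).  Returns Alice's x^n, Bob's index set I and x_I, or an abort."""
    rng = random.Random(seed)
    main, test, bob = device(rng)
    won = total = 0
    x_n, theta_n, theta_p, z = [], [], [], []
    while len(x_n) < n_live:
        theta, x, B = main()
        if rng.random() < q:                          # test round
            t = rng.randrange(2)
            total += 1
            won += int((x ^ test(B, t)) == (theta & t))
        else:                                         # live round
            tp = rng.randrange(2)
            x_n.append(x)
            theta_n.append(theta)
            theta_p.append(tp)
            z.append(bob(B, tp))
    f_chsh = won / total if total else 0.0
    if f_chsh < gamma:                                # Alice aborts
        return {"aborted": True, "f_chsh": f_chsh}
    # (both parties wait Delta t; Alice announces theta^n; Bob computes I)
    I = [j for j in range(n_live) if theta_n[j] == theta_p[j]]
    return {"aborted": False, "f_chsh": f_chsh, "x": x_n, "I": I,
            "x_I": [x_n[j] for j in I],
            "bob_correct_on_I": all(z[j] == x_n[j] for j in I),
            "bob_knows_all": z == x_n}


if __name__ == "__main__":
    for dev in (ideal_device, classical_device):
        r = run_wse(dev, 1000, 0.5, 0.8, seed=1)
        print(dev.__name__, r["aborted"], round(r["f_chsh"], 3))
```

With the ideal device and γ = 0.8 the run passes (f_CHSH ≈ 0.85), Bob is correct on I but not on the whole string; the classical device aborts at the same γ, while lowering γ below 3/4 lets it pass and then Bob knows x^n. That is the trade-off between passing the test and guessing the live string that α_min(q, γ) quantifies.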
Let ρ_{X^nΘ^nB} be the state of the protocol after step (1), where X^n and Θ^n are the classical random variables generated by Alice and B is the quantum system received by Bob. The memory bound forces Bob to put the B subsystem through a quantum channel which outputs a classical register K and a quantum register Q, which gives rise to ρ_{X^nΘ^nKQ}. Since Θ^n is eventually announced to Bob, our goal is to find a lower bound on H_min(X^n|KQΘ^n). In the bounded-storage model, where Q has dimension at most d, we can use the following chain rule:
$$H_{\min}(X^n|KQ\Theta^n) \geq H_{\min}(X^n|K\Theta^n) - \log d.$$
In the case of noisy storage the argument is slightly more involved (see Section II C 1 for details), but again the task reduces to establishing uncertainty against a classical adversary. This is possible because generating random BB84 states is equivalent to creating EPR pairs and measuring them in either the computational or the Hadamard basis, and we know that the outcomes of incompatible measurements cannot be predicted (perfectly) by a classical adversary. Indeed, an explicit lower bound on the resulting conditional min-entropy H_min(X^n|KΘ^n) is given in Eq. (18) of Ref. [KWW12]. Note that this bound is tight and is achieved if Bob measures every received qubit in the intermediate basis {|α_0⟩, |α_1⟩}. In the case of trusted devices placing a lower bound on H_min(X^n|KΘ^n) is possible because we know exactly the measurement operators on Alice's side. The main challenge in the DI scenario is to prove a lower bound which relies solely on properties that can be certified device-independently. Our approach follows the intuition that observing a Bell violation implies incompatibility of local observables, which is sufficient to guarantee uncertainty. Previously, this approach has been used successfully in proving the security of DI QKD [TH13, LPT+13].

B. Preliminaries
For an integer n ∈ ℕ let [n] := {1, 2, ..., n}. Throughout this paper we assume that all random variables are discrete (they take a finite number of values) and that all quantum systems are finite-dimensional. Let H be a (finite-dimensional) Hilbert space and let L(H)/H(H) be the set of linear/Hermitian operators acting on H. The Schatten ∞-norm of an operator X is denoted by ||X||. The square root of a positive semidefinite operator X, denoted by √X, is defined as the un<br>ique positive semidefinite operator Y satisfying Y² = X. The modulus of an operator X, denoted by |X|, is defined as
$$|X| := \sqrt{X^\dagger X}.$$
It is easy to verify that for arbitrary operators X and Y we have
$$|X \otimes Y| = |X| \otimes |Y|.$$
The commutator of X and Y is defined as [X, Y] = XY − YX, while the anticommutator is defined as {X, Y} = XY + YX.

The CHSH inequality
In 1964 John Bell showed that measuring quantum systems leads to stronger-than-classical correlations [Bel64]. In 1969 Clauser, Horne, Shimony and Holt spelt out the simplest scenario in which this can be observed [CHSH69]. Let H_A and H_B be Hilbert spaces and let A_0, A_1 ∈ H(H_A) and B_0, B_1 ∈ H(H_B) be binary observables. The CHSH operator is defined as
$$W := A_0 \otimes B_0 + A_0 \otimes B_1 + A_1 \otimes B_0 - A_1 \otimes B_1,$$
and the CHSH value equals β = tr(W ρ_AB), where ρ_AB is a bipartite quantum state on H_A ⊗ H_B. It is known that there exist a state and observables that yield β = 2√2. On the other hand, if we restrict ourselves to classical systems (which can be enforced by requiring the observables to commute, i.e. [A_0, A_1] = [B_0, B_1] = 0) we can only reach β = 2. This scenario can be equivalently cast as a two-player game in which Alice receives x and Bob receives y (both chosen uniformly at random) and they are required to output a and b, respectively. The game is won if a ⊕ b = x · y, and it is straightforward to show that the winning probability p_win of this game and the CHSH value β are related by
$$p_{\mathrm{win}} = \frac{1}{2} + \frac{\beta}{8}.$$
Therefore, the optimal classical winning probability equals 3/4, while the optimal quantum winning probability equals (2 + √2)/4 ≈ 0.854.

Guessing with postmeasurement information
We start by defining the guessing probability and min-entropy for a classical-quantum (cq) state (we denote the quantum register by B to be consistent with the protocol, in which it is the dishonest Bob who faces the task of guessing).
Definition 1. Let
$$\rho_{XB} = \sum_{x \in \mathcal{X}} p_x\, |x\rangle\langle x| \otimes \rho_B^x$$
be a cq-state, where the ρ_B^x are (normalised) quantum states and Σ_x p_x = 1. The optimal guessing probability of X given access to B is defined as
$$p_{\mathrm{guess}}(X|B) := \max_{\{M_x\}_x} \sum_x p_x\, \mathrm{tr}(M_x \rho_B^x),$$
where the maximisation is taken over all POVMs. The conditional min-entropy of X given B is defined as
$$H_{\min}(X|B) := -\log p_{\mathrm{guess}}(X|B).$$
Note that computing the guessing probability can be written as a semidefinite program, i.e. it can be computed efficiently (in the input dimension). For a classical probability distribution P_XY the expression simplifies to
$$p_{\mathrm{guess}}(X|Y) = \sum_y \max_x P_{XY}(x,y).$$
Alternatively, this maximisation can be written more compactly as
$$p_{\mathrm{guess}}(X|Y) = \max_{f} \sum_y P_{XY}(f(y), y),$$
where the maximisation is taken over deterministic functions f : Y → X. It can be shown [Weh08] that the min-entropy is additive on tensor products, i.e. given two uncorrelated cq-states ρ_{X_1B_1} ⊗ ρ_{X_2B_2} we have
$$H_{\min}(X_1X_2|B_1B_2) = H_{\min}(X_1|B_1) + H_{\min}(X_2|B_2).$$
We also need the notion of smooth min-entropy.
Definition 2. For ε ≥ 0 let B^ε(ρ_XB) be the ball of cq-states of radius ε around ρ_XB, i.e. σ_XB ∈ B^ε(ρ_XB) iff σ_XB is a cq-state and
$$\|\sigma_{XB} - \rho_{XB}\|_1 \leq \varepsilon,$$
where ||·||_1 denotes the trace norm (Schatten 1-norm). Then, the smooth min-entropy of a cq-state ρ_XB is defined as
$$H^{\varepsilon}_{\min}(X|B)_\rho := \max_{\sigma_{XB} \in B^{\varepsilon}(\rho_{XB})} H_{\min}(X|B)_\sigma.$$
Security analysis of two-party cryptography in the bounded or noisy storage model leads to the task of guessing with postmeasurement information, originally considered by Ballester, Wehner and Winter [BWW08]. Let
$$\rho_{XYB} = \sum_{x,y} p_{xy}\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_B^{xy}$$
be a tripartite ccq-state, where X is a classical register taking values in X, Y is a classical register taking values in Y and B is the quantum system of Bob. In the postmeasurement information scenario Bob is forced to measure his subsystem B to obtain some classical information F before learning Y. Later he learns the postmeasurement information Y and must produce a guess for X. We will later show that without loss of generality we can assume that the outcomes of Bob's measurement (i.e. the possible values of F) are labelled by functions f : Y → X such that Bob's optimal guess upon receiving y is f(y). Equivalently, we can think of the outcome of the measurement as a sequence of guesses: one for every possible value of the postmeasurement information. The optimal guessing probability of X given access to B with Y as postmeasurement information is defined as
$$p_{\mathrm{guess}}(X|BY^*) := \max_{\{M_f\}_f} \sum_{f} \sum_{x,y:\; x = f(y)} p_{xy}\, \mathrm{tr}(M_f \rho_B^{xy}),$$
where the maximisation is taken over all POVMs with |X|^{|Y|} outcomes labelled by functions f : Y → X, and the star (*) indicates that Y is only available after the measurement. The conditional min-entropy of X given B with Y as postmeasurement information is defined as
$$H_{\min}(X|BY^*) := -\log p_{\mathrm{guess}}(X|BY^*).$$
This is a useful formulation because defining
$$\sigma_B^f := \sum_{x,y:\; x = f(y)} p_{xy}\, \rho_B^{xy}$$
gives $p_{\mathrm{guess}}(X|BY^*) = \max_{\{M_f\}_f} \sum_f \mathrm{tr}(M_f \sigma_B^f)$, which is equivalent to the standard guessing probability p_guess(F|B) for the (unnormalised) state
$$\sigma_{FB} := \sum_f |f\rangle\langle f| \otimes \sigma_B^f.$$
Therefore, this problem can also be solved efficiently using semidefinite programming techniques [BWW08]. Moreover, just like in the standard guessing scenario, the min-entropy is additive over tensor products, i.e. given two uncorrelated ccq-states ρ_{X_1Y_1B_1} ⊗ ρ_{X_2Y_2B_2} we have
$$H_{\min}(X_1X_2|B_1B_2Y_1^*Y_2^*) = H_{\min}(X_1|B_1Y_1^*) + H_{\min}(X_2|B_2Y_2^*).$$
The following proposition gives an alternative (but equivalent) formulation of the min-entropy with postmeasurement information.
Proposition 1. Let ρ_XYB be a ccq-state and let P be the set of tripartite probability distributions over X, Y and K which can be obtained by measuring subsystem B, i.e. P_XYK ∈ P iff there exists a measurement {N_k}_k such that
$$P_{XYK}(x,y,k) = p_{xy}\, \mathrm{tr}(N_k \rho_B^{xy}).$$
Then, the following relation holds:
$$p_{\mathrm{guess}}(X|BY^*) = \sup_{P_{XYK} \in \mathcal{P}} \sum_{y,k} \max_x P_{XYK}(x,y,k). \tag{8}$$
Proof. Let us first show that the left-hand side is never larger than the right-hand side. Let {M_f}_f be the POVM which saturates the left-hand side and let P_XYF be the resulting probability distribution (which belongs to P). Then
$$p_{\mathrm{guess}}(X|BY^*) = \sum_f \sum_{x,y:\; x = f(y)} P_{XYF}(x,y,f) \leq \sum_{y,f} \max_x P_{XYF}(x,y,f) \leq \sup_{P_{XYK} \in \mathcal{P}} \sum_{y,k} \max_x P_{XYK}(x,y,k).$$
To prove the other direction consider an arbitrary measurement {N_k}_k (with a finite number of outcomes) which leads to the probability distribution P_XYK. For every value of k we define a function g_k : Y → X such that
$$P_{XYK}(g_k(y), y, k) = \max_x P_{XYK}(x,y,k).$$
This allows us to construct a new measurement whose outcomes are labelled by functions f : Y → X:
$$M_f := \sum_{k:\; g_k = f} N_k.$$
Using this measurement gives
$$p_{\mathrm{guess}}(X|BY^*) \geq \sum_f \sum_{x,y:\; x = f(y)} p_{xy}\, \mathrm{tr}(M_f \rho_B^{xy}) = \sum_{k} \sum_{y} P_{XYK}(g_k(y), y, k) = \sum_{y,k} \max_x P_{XYK}(x,y,k).$$
By considering measurements that approach the optimal guessing probability we conclude that Eq. (8) holds. In particular, this implies that the supremum can be replaced by a maximum.
The final security statement in the scenario of devices with memory is phrased in terms of sequential guessing probability.Intuitively, this corresponds to the situation in which Bob is required to guess a sequence of random variables but before each guess he gains access to an extra "advice variable".
Definition 4. Let P_{X_1X_2...X_nY_1Y_2...Y_n} be a probability distribution of 2n variables, where X_j and Y_j take values in some arbitrary finite sets X and Y, respectively. The sequential guessing probability of X^n given Y^n is defined as
$$p^{\mathrm{seq}}_{\mathrm{guess}}(X^n|Y^n) := \max_{\{f_j\}_j} \Pr\big[\, X_j = f_j(Y_1, \dots, Y_j)\ \text{for all } j \in [n] \,\big],$$
where the maximisation is taken over deterministic functions {f_j}_j such that f_j : Y^{×j} → X.
The sequential character of this quantity makes it meaningful to talk about a subset of rounds, e.g. the probability of successfully guessing the first j variables p^seq_guess(X^j|Y^j) is a well-defined quantity that depends only on P_{X^jY^j}. This stands in contrast to the usual guessing probability, in which evaluating the probability of successfully guessing the first bit requires the knowledge of the complete set of "advice variables". Thanks to this property the sequential guessing probability behaves well under conditioning:
$$p^{\mathrm{seq}}_{\mathrm{guess}}(X^n|Y^n) = p^{\mathrm{seq}}_{\mathrm{guess}}(X^{n-1}|Y^{n-1}) \cdot p_{\mathrm{guess}}(X_n|Y^n, S),$$
where the second term is just the standard guessing probability of the last bit conditional on the event S, which corresponds to (sequentially) guessing the first n − 1 bits correctly.
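As an added illustration of Definition 4 (this is not code from the paper), the following Python code computes the sequential guessing probability by brute force over all deterministic strategies f_j : Y^j → X, the standard guessing probability in which all advice variables are available at once, and the conditioning identity above. The distribution in late_advice_example is constructed for the purpose: Y_2 reveals X_1, but only after X_1 had to be guessed, so the sequential quantity is strictly smaller than the standard one.

```python
"""Sequential vs. standard guessing probability (Definition 4), brute force.

Added example, not the paper's code.  A distribution is a dict mapping
((x_1..x_n), (y_1..y_n)) tuples to probabilities; alphabets are small enough
that all deterministic strategies f_j: Y^j -> X can be enumerated.
"""
import itertools
from collections import defaultdict


def p_guess(P):
    """Standard classical guessing probability sum_y max_x P(x, y).
    Keys of P are (x, y) pairs; x and y may themselves be tuples."""
    by_y = defaultdict(lambda: defaultdict(float))
    for (x, y), p in P.items():
        by_y[y][x] += p
    return sum(max(d.values()) for d in by_y.values())


def marginal(P, m):
    """Distribution of the first m pairs (X_1..X_m, Y_1..Y_m)."""
    out = defaultdict(float)
    for (xs, ys), p in P.items():
        out[(xs[:m], ys[:m])] += p
    return dict(out)


def p_seq_guess(P, n, X, Y):
    """max over f_1..f_n (f_j: Y^j -> X) of Pr[X_j = f_j(Y_1..Y_j) for all j].
    Returns (probability, optimal strategy as a list of lookup tables)."""
    domains = [list(itertools.product(Y, repeat=j)) for j in range(1, n + 1)]
    tables = [list(itertools.product(X, repeat=len(dom))) for dom in domains]
    best, best_fs = -1.0, None
    for choice in itertools.product(*tables):
        fs = [dict(zip(dom, tab)) for dom, tab in zip(domains, choice)]
        total = sum(p for (xs, ys), p in P.items()
                    if all(fs[j][ys[:j + 1]] == xs[j] for j in range(n)))
        if total > best:
            best, best_fs = total, fs
    return best, best_fs


def prefix_success(P, fs, m):
    """Pr[the first m sequential guesses of strategy fs are correct]
    (the event S of the conditioning identity when m = n - 1)."""
    return sum(p for (xs, ys), p in P.items()
               if all(fs[j][ys[:j + 1]] == xs[j] for j in range(m)))


def p_guess_last_given_prefix(P, n, fs):
    """p_guess(X_n | Y^n, S): guess the last variable from all advice,
    conditioned on the first n-1 sequential guesses being correct."""
    pS = prefix_success(P, fs, n - 1)
    cond = defaultdict(float)
    for (xs, ys), p in P.items():
        if all(fs[j][ys[:j + 1]] == xs[j] for j in range(n - 1)):
            cond[(xs[n - 1], ys)] += p / pS
    return p_guess(cond)


def late_advice_example():
    """Constructed distribution: X_1, X_2 uniform and independent, Y_1 = 0
    carries nothing, Y_2 = X_1 reveals X_1 only after it had to be guessed."""
    return {((x1, x2), (0, x1)): 0.25 for x1 in (0, 1) for x2 in (0, 1)}


if __name__ == "__main__":
    P = late_advice_example()
    pseq, fs = p_seq_guess(P, 2, (0, 1), (0, 1))
    print("sequential:", pseq, " all advice at once:", p_guess(P))
```

For this distribution the sequential guessing probability is 1/4 (each variable is a coin flip at the time it must be guessed), whereas with all advice available at once it is 1/2, and the product p^seq_guess(X^1|Y^1) · p_guess(X_2|Y^2, S) reproduces the sequential value.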

Relation between transmitting classical information and uncertainty against noisy storage
Let F : L(H_Qin) → L(H_Qout) be a quantum channel (a completely positive, trace-preserving map) and suppose we want to use it to transmit k bits of information. The following definition captures how well this can be achieved.
Definition 5. The optimal probability of successfully transmitting k bits of information through the channel F is defined as the maximum, over all encodings {ρ_x}_x (a set of 2^k normalised states on Q_in) and all decoding measurements {M_x}_x (a measurement on Q_out with 2^k outcomes), of
$$\frac{1}{2^k} \sum_{x \in \{0,1\}^k} \mathrm{tr}\big(M_x\, \mathcal{F}(\rho_x)\big).$$
The following lemma by König, Wehner and Wullschleger relates the success probability to the maximal decrease in entropy in the noisy-storage setting [KWW12].
Lemma 1 (Lemma II.2, [KWW12]). Let F : L(H_Qin) → L(H_Qout) be a CPTP map. Consider an arbitrary ccq-state ρ_XTQ and define
$$\rho_{XT\mathcal{F}(Q)} := (\mathrm{id}_{XT} \otimes \mathcal{F})(\rho_{XTQ}),$$
where id stands for the identity channel. For any ε > 0 we have

Trade-off between non-locality and uncertainty against classical adversaries
As mentioned before, a crucial component of our analysis is the trade-off between how well a pair of devices can perform in the CHSH test and how unpredictable the output of a single device is against a classical adversary. It turns out that such a (tight) trade-off can be established by finding the right measure of incompatibility of binary observables. In our previous work we used the effective anticommutator as a measure of incompatibility [KTW14]. Unfortunately, this quantity does not allow us to bound uncertainty against classical side information (see Appendix A for a counterexample), so here we consider a more refined quantity: the absolute effective anticommutator. Proposition 2 shows that observing a CHSH violation places an upper bound on the absolute effective anticommutator.
Proposition 2. Let ρ_AB be a bipartite quantum state on H_A ⊗ H_B and let A_0, A_1 ∈ H(H_A) and B_0, B_1 ∈ H(H_B) be binary observables. The absolute effective anticommutator on Alice's side is defined as
$$\varepsilon_+ := \tfrac{1}{2}\, \mathrm{tr}\big(|\{A_0, A_1\}|\, \rho_A\big), \qquad \rho_A := \mathrm{tr}_B\, \rho_{AB}.$$
The CHSH value of the setup is defined as β := tr(W ρ_AB) for
$$W := A_0 \otimes B_0 + A_0 \otimes B_1 + A_1 \otimes B_0 - A_1 \otimes B_1.$$
The following relation holds:
$$\varepsilon_+ \leq \sqrt{1 - \Big(\frac{\beta^2}{4} - 1\Big)^2}.$$
Proof. The proof is a sequence of elementary inequalities (either at the level of numbers or operators). We will repeatedly use the Cauchy-Schwarz inequality, which says that for arbitrary operators X and Y we have
$$|\mathrm{tr}(X^\dagger Y)|^2 \leq \mathrm{tr}(X^\dagger X)\, \mathrm{tr}(Y^\dagger Y).$$
We start by setting X† = W√ρ_AB and Y = √ρ_AB, which gives
$$\beta^2 = |\mathrm{tr}(W \rho_{AB})|^2 \leq \mathrm{tr}(W^2 \rho_{AB}).$$
Writing out W² explicitly gives
$$W^2 = A_0^2 \otimes (B_0 + B_1)^2 + A_1^2 \otimes (B_0 - B_1)^2 + \{A_0, A_1\} \otimes (B_0^2 - B_1^2) - [A_0, A_1] \otimes [B_0, B_1].$$
Let us first focus on the first three terms. Upper-bounding A_0² and A_1² by 1 gives the next inequality. Writing the identity in the eigenbasis of the anticommutator {A_0, A_1}, we obtain the following bound, where the last inequality comes from upper-bounding B_0² and B_1² by 1 (note that |λ_k| ≤ 2). We have therefore established a bound on the contribution of the first three terms. We bound the second term by its (operator) modulus. Neglecting the anticommutator term in inequality (6) leads to a bound on β² in terms of tr(|[A_0, A_1]| ρ_A). To upper-bound tr(|[A_0, A_1]| ρ_A) we again use the Cauchy-Schwarz inequality. Using the Cauchy-Schwarz inequality one last time we arrive at Eq. (14). Since the left-hand side of Eq. (14) equals 4ε_+² plus the squared commutator term, combining it with inequalities (10), (11), (12) and (13) gives
$$\varepsilon_+^2 \leq 1 - \Big(\frac{\beta^2}{4} - 1\Big)^2.$$
Taking a square root leads to the desired result.
It is easy to verify that this relation is in fact tight (it suffices to consider projective rank-1 measurements on the maximally entangled state of two qubits). In Proposition 3 we show that the absolute effective anticommutator being small implies uncertainty against classical adversaries.
Proposition 3. Let ρ AK be a quantum-classical state and let A 0 and A 1 be two observables acting on the register A.
Measuring the observable chosen by a uniformly random register Θ and storing the outcome in the register X leads to the following probability distribution.
Then, the guessing probability satisfies

Proof. Let the effective anticommutator conditional on K = k be ε k = 1 2 tr {A 0 , A 1 }ρ A k . As shown in Ref. [KTW14] the guessing probability averaged over the two bases satisfies Averaging over different values of K where we have used the concavity of the square root. For any Hermitian operator A we have | tr(Aρ)| ≤ tr(|A|ρ), which implies Therefore, the final bound is It turns out that this relation is tight and can be saturated by the same setup as before, which implies that the resulting trade-off between the CHSH violation and uncertainty against classical adversaries is tight.

Security definitions for WSE
Let X n be the classical register representing the n-bit string given to Alice and let I be the classical register representing the subset of indices given to Bob. Using the notation introduced in Section I, security for honest Alice means that Bob should find it difficult to guess the entire string X n .

Definition 6. Let B be the register containing all the information that Bob might acquire during the protocol. Let S A be the set of states on registers X n , B that (dishonest) Bob may enforce at the end of the protocol. A WSE protocol is (λ, ε)-secure for honest Alice if the smooth min-entropy satisfies

Security for honest Bob, on the other hand, requires that the string X n takes a particular value (which Alice cannot influence anymore) and that Alice remains ignorant about the index set I that Bob received.
Definition 7. Let S B be the set of states on registers X n , I, A that (dishonest) Alice may enforce at the end of the protocol. A WSE protocol is (perfectly) secure for honest Bob if every state σ X n IA ∈ S B can be written as for some cq-state σ X n A .

C. Protocol for DI WSE and security analysis
Since DI security can only be certified by observing some Bell violation, we must make two modifications to Protocol 1: (i) we have to turn it into an entanglement-based scheme and (ii) we must introduce some way of testing the devices. The protocol we propose requires four devices in total: three for Alice and one for Bob. Below we describe the devices available to Alice.
1. The source emits bipartite quantum states ρ AB . According to the ideal specification, it should emit the maximally entangled state of two qubits, i.e.
2. The main device performs one out of two binary measurements represented by observables A 0 , A 1 . According to the ideal specification, these should correspond to the computational and Hadamard basis measurements,
3. The test device performs one out of two binary measurements represented by observables B 0 , B 1 . According to the ideal specification, these should correspond to

The only device available to Bob is a measurement device with two settings whose ideal specification coincides precisely with that of the main device of Alice (so that the outcomes are identical if the measurement settings coincide).

Security analysis for memoryless devices
We call a device memoryless if it acts in the same manner every time we use it: the source always emits the same state and the measurement devices always perform the same measurements (and there are no correlations between different uses). This greatly simplifies the security analysis for several reasons: (i) we may assume that the state, the measurement operators (and all quantities derived from them) are well-defined objects, (ii) probabilities can be estimated (to arbitrary precision) by repeating the experiment multiple times and (iii) testing can be completely separated from the actual protocol. In particular, the last point means that testing can be done beforehand and does not need to be explicitly included in the protocol. In our protocol Alice tests her three devices by using them to violate the CHSH inequality. More specifically, she estimates the CHSH value We know that if β ≤ 2 (no violation is observed), no security can be guaranteed and the devices cannot be used for device-independent cryptography. Therefore, from now on we assume that β > 2. While no finite set of statistical data allows Alice to determine the exact value of β, she can estimate it to arbitrary precision, which is sufficient for our analysis. Since dealing with finite statistics is not the main focus of this paper, we assume that she can actually determine β exactly.
Recall that Proposition 2 establishes a connection between the observed CHSH violation and the local incompatibility of observables (on either side). Since the test device will not take part in the actual protocol, we want to estimate the incompatibility of the main device. If ε + is the absolute effective anticommutator of the main device, then from Proposition 2 we know that Our goal is to show that having an upper bound on ε + suffices to prove security (for honest Alice) of the following DI WSE protocol.
Protocol 2: DI WSE in the bounded/noisy storage model

(1) Alice uses the source to generate n bipartite states. She chooses a uniform n-bit string θ n ∈ {0, 1} n and uses the main device to measure the A register generated in the j-th run with θ j as the input. All the B registers are passed to Bob.
(2) Bob chooses a uniform n-bit string θ n ∈ {0, 1} n and measures the j-th subsystem using θ j as the input to his measurement device.
(3) Alice waits a fixed amount of time (this waiting time motivates the restriction on Bob's quantum memory) and then sends θ n to Bob.
(4) Bob determines the index set as and obtains the corresponding substring x I .
It is easy to see that if the devices comply with the ideal specification, this is exactly the entanglement-based variant of Protocol 1; hence, correctness follows straightforwardly. The security argument for honest Bob is closely related to the simulation argument given in the original paper [KWW12], so we just describe it informally. The correct way of defining the string X n is by lifting the noisy memory restriction, i.e. we allow Bob to store all the states, wait until the receipt of the basis information and only then perform all the measurements in the correct bases. This uniquely specifies the state σ X n A needed for Definition 7. At the same time Bob generates a random n-bit string θ n and determines the index set I through relation (17). It is easy to check that this results in a uniform distribution over all possible subsets, uncorrelated from the outside world (because θ n was chosen uniformly at random).
Security analysis for honest Alice turns out to be more challenging.
Proposition 4. Protocol 2 executed against Bob whose quantum storage is bounded to be of dimension at most d implements WSE which is (λ, ε)-secure for honest Alice for ε = 0 and where

Proof. Using the source n times produces ρ A n B n = n j=1 ρ Aj Bj . Alice measures all her subsystems using the main device (which produces ρ X n Θ n B n = n j=1 ρ Xj Θj Bj ) and then Bob measures his subsystems to obtain K (which gives P X n Θ n K ). It is important to emphasise that this final probability distribution is no longer of product form because Bob's measurement can introduce correlations between different rounds. First note that from Proposition 1 we have where the left-hand side is evaluated on the probability distribution P X n Θ n K , while the right-hand side is evaluated on the quantum state ρ X n Θ n B n . Because this quantum state is of tensor product form we have where the first equality comes from the fact that the min-entropy is additive over tensor products (see Eq. (7)) and the second simply expresses the fact that all the rounds are identical. Now we need to bound the entropy produced while measuring a single copy of ρ AB . Suppose that Bob measures the subsystem B to produce a classical random variable K.
From Proposition 3 we know that the min-entropy of the probability distribution P XKΘ satisfies Since this bound is valid for all measurements that Bob might perform, it also holds for the optimal measurement which achieves H min (X|BΘ * ) = H min (X|KΘ) (see Proposition 1). Therefore, we also have Combining expressions (18), (19) and (20) gives Finally, including the quantum memory of Bob (of dimension d) leads to Clearly, if the dimension of Bob's memory is fixed, choosing large enough n brings the min-entropy rate arbitrarily close to h(ε + ).
Proposition 5. Protocol 2 executed against Bob whose quantum storage is represented by a quantum channel F implements WSE which is (λ, ε)-secure for honest Alice, where ε > 0 is an arbitrary positive constant and

Proof. Applying Lemma 1 to Eq. (21) (identify X n ↔ X and KΘ n ↔ T ) gives Since in the noisy storage scenario K, Q out and Θ n are the only registers available to Bob, this coincides precisely with Definition 6.

Security analysis for general devices against sequential attacks
As mentioned before, in order to test devices that might behave differently in different rounds one must intersperse the test rounds with the live rounds. The natural solution is to introduce a biased coin-flip at the beginning of every round whose outcome determines whether the following round will be a test round (with probability q) or a live round (with probability 1 − q). In the previous scenario test rounds happened entirely within Alice's laboratory (using the three devices provided by Bob) and only live rounds required Alice and Bob to interact. To make the sequential analysis conceptually simpler we give Bob even more power and allow him to operate the test box (the device used for the CHSH test), i.e. if Alice wants to play a test round she simply sends the second input (the one she would previously use for the test device) to Bob, who comes back with the outcome. Note that in this model the second part of the quantum state generated by the source always ends up with Bob (regardless of whether it is a test round or a live round), which brings us closer to the familiar scenario of two-player nonlocal games, as shown in Fig. 6.
Let us stress that the interaction with the main device is always the same: regardless of whether the j-th round is a test round or a live round, Alice always inputs a uniformly random bit θ j . This guarantees that the device remains ignorant of whether it is currently being tested or used for a live round. On the other hand, Bob's interaction does depend on the type of round performed. Let q j be the bit which specifies whether the j-th round is a live round (q j = 0) or a test round (q j = 1). If Alice decides to test the devices, she will choose a random bit t j and request Bob to use it as an input in the CHSH game and return the outcome y j . On the other hand, if Alice decides to play a live round, she will simply announce it to Bob and (according to the original protocol) she will not expect a response. Indeed, in the most general adversarial scenario Bob would leave his quantum system untouched and only at the end of the protocol (immediately before the memory bound) would he measure his entire system to produce some classical information k. Once he has received the basis information, he computes his guess as a deterministic function of k and θ 1 , θ 2 , . . ., θ n . In the sequential model we force Bob to produce some classical side information k j in every round and we require that his guess in the j-th round is a deterministic function (chosen before the protocol begins) of k j , θ j and any information from the previous rounds. In other words, for the j-th round (which we assume to be a live round) the probability of winning equals Pr[X j = f j (K j , Θ j )], where f j : (K × {0, 1}) ×j → {0, 1} is an arbitrary function chosen by Bob before the protocol begins. The summary of random variables generated in each round is presented in Table 1. Note that in this model the requirement of immediately producing the relevant classical information essentially replaces the need to restrict Bob's storage capabilities. The fact that success (or failure) can be assessed immediately after every round makes such a model well-suited for a standard martingale-style analysis. It turns out that the only quantum component of such an analysis is the trade-off between the winning probabilities of the live round and the test round, denoted by p L and p T , respectively. Conveniently, we have already investigated this trade-off since both probabilities can be bounded through the absolute effective anticommutator ε + . More specifically, since the probability of passing the test p T is related to the CHSH violation β, inequality (9) implies On the other hand, the probability of winning the live round cannot exceed the optimal guessing probability of a classical adversary. Therefore, inequality (15) implies Combining inequalities (22) and (23) and treating ε + as a parameter taking values in [0, 1] we determine the admissible pairs (p L , p T ). The optimal trade-off is plotted in Fig. 7. The protocol takes three parameters: the probability of testing q ∈ [0, 1], the CHSH threshold γ ∈ [3/4, 1] and the number of rounds n ∈ N.

Fig. 6. [Diagram: Alice inputs θ to the main device and obtains x; Bob receives t (test round) or θ (live round) and returns y (test round) or k (live round).] The key to the security proof against sequential attacks is to combine the CHSH game between the main device and the test device with the postmeasurement game between the main device and Bob's device. As already noted in [Weh08], if the postmeasurement game can be won perfectly, then the CHSH inequality cannot be violated. Here, we establish a complete trade-off between winning the CHSH game and the postmeasurement game. If the CHSH game can be won well, then the probability for Bob to succeed in the postmeasurement guessing game is low and hence the min-entropy about Alice's resulting string given classical information is high.
At the end of the protocol Alice calculates the fraction of successful CHSH rounds, denoted by f CHSH . If f CHSH < γ she aborts the protocol, otherwise she declares the execution correct. The security statement in this model is simply a bound on the probability that Alice believes the protocol has terminated correctly and all the guesses of Bob are correct. The success indicator of the j-th test round is (X j ⊕ Y j ⊕ Θ j T j ⊕ 1)Q j , and we write $S_l := \sum_{j=1}^{l} (X_j \oplus Y_j \oplus \Theta_j T_j \oplus 1)\, Q_j$ (number of successful test rounds within the first l rounds).
Let L := {j ∈ [n] : Q j = 0} be the set of live rounds and for j ∈ L let G j be the event corresponding to Bob guessing the outcome correctly, i.e.

G j ⟺ X j = f j (K j , Θ j ). (24)

Moreover, let H l be the event of guessing all the live rounds within the first l rounds The failure event is defined as a conjunction of exceeding the CHSH threshold and Bob guessing all the live bits correctly allows us to identify the last term with the sequential guessing probability conditioned on passing the test. Indeed, since and assuming that Bob has chosen the optimal set of functions {f j } j , we see that with Y j = (K j , Θ j ) being the j-th advice variable.
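As an added example (not the paper's own code), the following Python simulation runs an honest execution of Protocol 2 interspersed with test rounds as in the sequential model above: ideal-specification devices are modelled as measurements in the Z-X plane of the Bloch sphere on the maximally entangled state, so two outcomes agree with probability (1 + cos(a − b))/2; the angle choices, the seed and the function names are assumptions of the example.

```python
import math
import random

# Constructed model of the ideal specification: equatorial (Z-X plane) qubit
# measurements on |Phi+>; angle 0 = computational basis, pi/2 = Hadamard basis.
MAIN = (0.0, math.pi / 2)            # Alice's main device and honest Bob's device
TEST = (math.pi / 4, -math.pi / 4)   # test box settings used in the CHSH game
CHSH_IDEAL = (2 + math.sqrt(2)) / 4  # CHSH winning probability at beta = 2*sqrt(2)


def measure_pair(a_angle, b_angle, rng):
    """Sample (x, y) for local measurements at angles a, b on |Phi+>.

    Each marginal is uniform; the outcomes coincide with probability
    (1 + cos(a - b)) / 2, reproducing the correlator <A_a B_b> = cos(a - b).
    """
    x = rng.randrange(2)
    agree = rng.random() < (1 + math.cos(a_angle - b_angle)) / 2
    return x, x if agree else 1 - x


def chsh_win(x, y, theta, t):
    """Success indicator (X xor Y xor Theta*T xor 1): 1 iff x xor y = theta*t."""
    return x ^ y ^ (theta & t) ^ 1


def run_protocol(n, q, gamma, seed=0):
    """Run n rounds with honest parties and ideal devices.

    Every round Alice feeds a uniform theta_j to the main device. With probability q
    the round is a test round (Alice's input t_j goes to the test box and CHSH is
    scored), otherwise a live round (Bob measures with his own uniform theta'_j and
    keeps k_j). Returns (passed, f_chsh, x_I == k_I, |I|, number of live rounds).
    """
    rng = random.Random(seed)
    wins = tests = 0
    theta_a, x_a, theta_b, k_b = {}, {}, {}, {}
    for j in range(n):
        theta = rng.randrange(2)
        if rng.random() < q:                      # test round (Q_j = 1)
            t = rng.randrange(2)
            x, y = measure_pair(MAIN[theta], TEST[t], rng)
            wins += chsh_win(x, y, theta, t)
            tests += 1
        else:                                     # live round (Q_j = 0)
            tb = rng.randrange(2)
            x, k = measure_pair(MAIN[theta], MAIN[tb], rng)
            theta_a[j], x_a[j], theta_b[j], k_b[j] = theta, x, tb, k
    f_chsh = wins / tests if tests else 0.0
    passed = f_chsh >= gamma                      # Alice aborts if f_CHSH < gamma
    # After the waiting time Alice announces theta; Bob keeps the rounds in which
    # his basis coincided with hers (relation (17)) and reads off k_I = x_I.
    index_set = [j for j in theta_a if theta_b[j] == theta_a[j]]
    correct = all(k_b[j] == x_a[j] for j in index_set)
    return passed, f_chsh, correct, len(index_set), len(theta_a)


if __name__ == "__main__":
    passed, f, ok, size_i, live = run_protocol(4000, 0.5, 0.8, seed=7)
    print(f"f_CHSH={f:.3f} (ideal {CHSH_IDEAL:.3f}) passed={passed} "
          f"x_I == k_I: {ok}, |I|={size_i} of {live} live rounds")
```

With ideal devices f_CHSH concentrates around 0.854 and Bob's substring always matches Alice's, while lowering the test-box angles towards the main-device settings drives f_CHSH towards 3/4 and makes Alice abort.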
Another important open question is the analysis of devices with memory. In our analysis we have assumed that Bob's attack is sequential. Unfortunately, we know that sequential attacks are not always optimal (even if Alice's behaviour is sequential, see Appendix C for a simple counterexample). A security proof for devices with memory in this scenario is arguably the most important open question related to DI two-party cryptography.
Finally, we note that in the realm of the noisy-storage model there are much more sophisticated analyses [DFW15], which do not rely on the fact that we first bound the adversary's information about the string X n when he is holding classical information, and subsequently relate this to his information about X n including quantum information. Instead, one establishes a direct link between the adversary's quantum information and his uncertainty about X n [DFW15]. It remains an interesting open question whether these techniques can be applied in the DI setting.

Fig. 4. Lower bound on the min-entropy rate f(β) as a function of the CHSH violation β. Crucially, we have f(β) > 0 whenever β > 2. This means that security can be achieved for an arbitrarily small violation of the CHSH inequality.

Fig. 5. Values of the decay rate α min (q, γ) calculated numerically as a function of q for various values of γ.

Fig. 7. The (tight) trade-off between the winning probabilities of live and test rounds.

Before we delve into the proof, let us show why finding an upper bound on Pr[F ] is equivalent to proving security claim (3). Let P be the event of passing, i.e. P ⟺ S n ≥ γR n and let p pass := Pr[P ]. Writing Pr[F ] = p pass · Pr[H n |P ]

The ideal functionality of WSE [KWW12]: Alice gets a randomly chosen bit string X n while Bob obtains a randomly chosen subset of indices I ⊆ [n] = {1, 2, . . ., n} and the bits of X n corresponding to the indices in I, denoted by X I . Security means that if Bob is honest, then Alice cannot learn the index set I. That is, she does not learn which bits of the string X n are known to Bob. Conversely, if Alice is honest, then Bob finds it difficult to guess the entire string, quantified by a lower bound on the min-entropy H min (X n |Bob) ≥ λn (equivalent to an upper bound on the guessing probability p guess (X n |Bob) ≤ 2 −λn ), where λ is a real parameter specified by the ideal functionality. Whenever λ > 0, WSE is useful for constructing other cryptographic primitives like bit commitment. We defer formal definitions until Section II B 5.
Suppose that dishonest Bob prepared all the devices. This means that the state generated by the source can be chosen arbitrarily by Bob, and similarly he can adjust the measurements performed by the main and test device. Alice has control of the correctly functioning switch to decide whether she wants to test or perform a live round. Honest Alice proceeds as before; however, Bob is not restricted to performing BB84 measurements on the returning quantum states. In sharp contrast to DI QKD, the dishonest party thus receives quantum communication coming back from the devices, which calls for new techniques. As we will show below, it will be enough to consider the case where Bob measures the resulting quantum states to obtain some classical information. We will then establish a bound on the min-entropy that Bob has about the string x n , given this classical information k and the basis information received later. Using standard methods [KWW12], we can then turn this into a security statement in the noisy-storage model.

Table 1. The random variables generated in the j-th round. In every round Alice chooses the round type Q j , generates a random input Θ j and obtains an outcome X j . If Q j = 0 (live round) Bob generates some classical information K j (taking values in K). On the other hand, if Q j = 1 (test round) Alice generates another random input T j and passes it to Bob, who must produce an output Y j .

every round: Q j , Θ j , X j
live round (Q j = 0): K j
test round (Q j = 1): T j , Y j