 Thank you. In a bit commitment scheme is a cryptographic primitive that's used, for example, in zero-knowledge proofs and multi-party computation. We have Alice, the verifier, and Bob, the prover. Bob has selected the value of some bit B, and but he does not yet want Alice to know that value. On the other hand, he wants to convince Alice that he can change his mind about that later on. So he sends a commitment. And Alice should not be able to learn the value of B from that commitment. That's called the hiding property of the scheme. And when it's time to reveal the value, he sends an opening. From the commitment and the opening, Alice can compute the value B and also perform some check to see if Bob prepared the commitment honestly. That means if, for example, he commits to zero, then changes his mind and tries to open to one, Alice will detect that and can abort the protocol. That's called the binding property of the bit commitment scheme. Information theoretic security is impossible for bit commitment schemes. And that also holds when the two parties can use quantum communication. So we either have to make computational hardness assumptions or bound the quantum memory that the two parties have, or one final option that was suggested by Ben Orr, Goldwasser Kilian, and Wichtersen in 1988, is to split up the prover into multiple entities that can't communicate with each other. Let's see how such a multi-prover scheme might look. On the top, we have the two provers and they both know the value of the bit B that they want to commit to and they have some shared randomness R. But during the protocol, they can't communicate with each other. Now the protocol works as follows. A select, Alice selects some random message A and sends it to Bob. Bob computes B times A, so just scalar multiplication, and XORs that with this randomness. So that's essentially one time pad encryption. So Alice can learn nothing about the bit B ahead of time. To open, Charlie sends the bit B together with the randomness and then Alice can compute the XOR of both messages, basically decrypting the one time pad and then she can check if the outcome is B times A as it should be. Okay, we saw that the scheme is hiding, let's see why it's binding. Suppose now we have dishonest provers, still with shared randomness, but they can communicate and if Charlie wants to open the commitment to zero, then what he has to do is send the same message as Bob. If he wants to open to one, then he has to send the message from Bob XOR with A. But if he can send both of those messages, it follows that he knows A. And but Alice did not tell him A, Bob can't tell him A. So the only way he can know A is by a very lucky guess. And therefore the scheme is binding. So now we have a bit commitment scheme that is secure based only on the noncommunication assumption or maybe not, as Kripo, Savaii, Sima and Tapp pointed out. What they pointed out was that this proof assumes the provers only have shared randomness. However, the security of bit commitment schemes depends on the resources that the dishonest provers have. For example, we can consider shared randomness as we did before. Also quantum entanglement or general non-signaling systems which are basically only restricted by the noncommunication condition. So basically if we want to say that a bit commitment scheme is secure based only on the noncommunication assumption, then it has to be secure in that third setting. What Kripo at all showed was that the scheme we just saw is binding against classical adversaries, binding against quantum adversaries, but non-binding against non-signaling adversaries. And also if we tweak that scheme a little bit, we get one that is binding against classical adversaries but it already fails in the quantum setting. And furthermore, there is no scheme known at all that is binding in the non-signaling setting. So what we are asking ourselves is, is it even possible to have a scheme that is binding in that setting? And we have an impossibility result for the two-prover case or surprisingly a positive result for three-provers. Before getting into that, I need to define more formally what non-signaling means. So this box here is a bipartite non-signaling system and it has on the left and on the right it has one input and one output. And what the non-signaling condition means is that the input-out behavior on the left is independent of what goes in on the right and vice versa. More formally, that means if we take the marginal distribution of the first output variable, then it's independent of the second input variable and vice versa for the other side. However, the output variables can be correlated in arbitrary ways. So let's see an example of a non-signaling box. We have some input A and the output on the left is a uniformly random X. So clearly that's also independent of B. And the output on the right is B times A X odd with X. So something, X or something uniformly random, so clearly that's independent of A. So the box is non-signaling. However, if we X all the two outputs, we always get B times A. So if you recall, that's exactly the acceptance condition of the scheme we just saw. So if the dishonest provers have a box like this, they can always break that scheme. Now what I'd like to show you is our impossibility result for a restricted class of bid-commitment schemes, which we call simple schemes. What that means is that the communication works exactly as in the scheme we saw. Alice sends some message A. Bob replies with some message X sub B. That's dependent on the bid he wants to commit to. And to open, Charlie sends the bid B together with Y sub B. Now since Charlie does not know A, his message must be distributed independently of A. And finally, Alice has an acceptance predicat to check if she should accept or reject that commitment. Now we want bid-commitment schemes to have the following properties. First, soundness, which just means if everybody's honest, then Alice will accept in the end. The hiding condition, which means that conditioned on any A, X0 and X1 need to be statistically close so that Alice can't get much information about B ahead of time. We say that a scheme is perfectly hiding if the two variables are distributed identically. Now we have the binding condition, which is a bit more complicated. So in the binding game, we now have two provas that are still non-signaling. And Alice sends a message A to Bob. But Bob does not yet know at this point what bid the commitment should be open to later on. And then Alice sends the bid B to Charlie and basically tells him, I want you to open the commitment to that bid. And then Charlie has to produce and then the provas win if Charlie can't produce such an opening and they lose if they can't. Now the provas play according to some non-signaling strategy Q and we write P0 of Q for the probability that they can successfully open to zero and P1 for the probability that they can successfully open to one. And we say that the scheme is delta binding if those two probabilities sum up to no more than one plus delta. Our first impossibility result is that if a simple bid commitment scheme is perfectly hiding, then it also is completely non-binding, which means that the dishonest provas can always win. So to prove this, the two boxes up here are the strategies for the honest provas and the Y has to be always independent of A because of the no communication condition. And now from these two boxes, we construct a strategy for the dishonest provas, which basically just adds a switch that tells the box to output X0 and Y0 or X1 and Y1. If the two provas have this box, then they can clearly perfectly emulate the honest provas and thus they always win. So the only thing that we need to check is that this is non-signaling. So first on the right, we get the output Y0 or Y1, but in any case, that's distributed independently of A. And on the left side, we either get output X0 or X1, but by the hiding condition, it follows that X0 and X1 are distributed identically. And so we learn nothing about B and thus the box is non-signaling. The dishonest provas can use it and they always win. So a natural follow-up question is, what about non-perfect schemes? Maybe we can weaken the hiding property just a little bit and get a big improvement in the binding property. What might encourage us here is that the proof before crucially relies on the perfectly hiding condition because if the scheme is only almost perfectly hiding, then it's also only almost non-signaling, but almost non-signaling is not good enough. However, it turns out that that's not true. So if the scheme is epsilon hiding, then it is at best one minus epsilon binding. So if this epsilon is small, then the provas can win almost all of the time. As a tool, we use the following technical lemma, which I'm not going to prove. And it states that if we have two distributions, X0, Y0 and X1, Y1, so that the marginal distributions X0 and X1 are close to each other, then we can glue all four variables together into one big distribution so that X0, Y1 is statistically close to X1, Y1. Let's see how to use this. So the two boxes are again the strategies of the honest provas. And the epsilon hiding condition says that X0 and X1 are statistically close. So we apply the gluing lemma and get a distribution of all four variables. And then we build this box as follows. On the left, we always output X0. On the right, we output the input B and get Y0 or Y1 depending on B. Let's first check that this is non-signaling. On the right side, it's S before, the Y0 and Y1 are always independent of A. And on the left, we always output X0 anyway, so that's clearly independent of B. And now how does it hold up against the bit commitment scheme? First, in the case that the provas have to open to zero, then they always win because well, the output distribution is X0, Y0, which is exactly like that of the honest provas. And in the case that B is one, the output distribution is X0, Y1, but that's statistically close to X1, Y1. So the behavior of the dishonest provas is statistically close to the behavior of the honest provas. So Alice has only a small chance to decide if the provas are honest or not. And we also had a result for more general schemes where both provas communicate in the commitment phase and in the opening phase. And we still have the result that perfectly hiding schemes are completely non-binding. And also, if they are epsilon hiding, they can at best be one minus five epsilon binding. So we have some loss there. We can go even further and look at multi-round schemes where the commitment phase takes multiple rounds of communication. We still have the same result for the perfectly hiding case, but we couldn't find anything for epsilon hiding. And finally, for the positive result I promised, a three provas scheme, it works almost exactly like the two provas scheme, except that, well, we have the third provar here. He looks like Charlie, and he also has to have the same output as Charlie. And otherwise, Alice won't accept. We claim that this is secure against non-signaling adversaries. And I won't give a full proof now, but the reason is suppose that we have adversaries that can break the scheme and always output the right thing. So what happens if in the binding game, we give them different inputs? So Alice sends A to Bob, get X and gets message X back. Then she sends zero to Charlie one, and he replies with X because he wants to open to zero. And then she's, but instead she sends one to Charlie two, and he sends back X, X or A because he wants to open to one. But now if they do that, they both together somehow must now A. So basically from Bob learning A, Bob learns A, but they somehow also learn A that violates the non-signaling condition. So to sum up, in the non-signaling case, all perfectly hiding schemes are not binding at all. In the run around case, that also extends to schemes that are not perfectly hiding. And finally, for the simple schemes, we have a tight bound that can't be improved upon. And we get a security by adding a thought prover. The remaining open questions are, if it's possible to improve the bound for general schemes, and if we can do anything in the multi-round case. Thank you.