Randomness versus nonlocality in the Mermin-Bell experiment with three parties

The detection of nonlocal correlations in a Bell experiment implies almost by definition some intrinsic randomness in the measurement outcomes. For given correlations, or for a given Bell violation, the amount of randomness predicted by quantum physics, quantified by the guessing probability, can generally be bounded numerically. However, currently only a few exact analytic solutions are known for violations of the bipartite Clauser-Horne-Shimony-Holt Bell inequality. Here, we study the randomness in a Bell experiment where three parties test the tripartite Mermin-Bell inequality. We give tight upper bounds on the guessing probabilities associated with one and two of the parties' measurement outcomes as a function of the Mermin inequality violation. Finally, we discuss the possibility of device-independent secret sharing based on the Mermin inequality and argue that the idea seems unlikely to work.


I. INTRODUCTION
Quantum theory predicts correlations incompatible with any local deterministic model [1,2]. The detection of nonlocal correlations in a Bell experiment thus implies at least some randomness in the measurement outcomes, regardless of the exact physical mechanism by which the correlations are produced, provided that communication between the sites is prohibited. Aside from fundamental interest, this observation is the basis for deviceindependent quantum cryptography protocols, such as device-independent quantum key distribution [3,4] and randomness generation [5][6][7], in which the detection of nonlocal correlations is a necessary condition in order to guarantee the randomness of the generated key bits or random numbers from the perspective of an adversary.
The simplest measure of randomness and typically the easiest to bound is the guessing probability. This is defined as the probability that an additional observer, who may have partial access to the underlying quantum state, can correctly anticipate a given measurement outcome or given set of outcomes in advance. Aside from its direct operational meaning, the guessing probability is a useful quantity in the analysis of device-independent cryptography protocols: security proofs of device-independent protocols frequently depend on a lower bound on the min-entropy (a function of the guessing probability) or the conditional von Neumann entropy (which the minentropy is a lower bound for) [8][9][10][11][12][13]. In the practically most relevant case where the measurements are made on a quantum system, a numeric method for deriving an upper bound on the guessing probability exists, based on a hierarchy of relaxations of the optimisation problem to semidefinite programming problems [14][15][16], for which reliable optimisation algorithms exist.
Since the determination of guessing-probability bounds by numerical means is essentially a solved problem, our interest here is in cases where it is possible to establish a * Erik.Woodhead@icfo.eu tight analytic bound. Currently, only a few tight bounds on the guessing probability are known for the Clauser-Horne-Shimony-Holt (CHSH) [17] inequality. In [6], it was shown that an adverary ("Eve")'s probability of guessing one of one party's (e.g., "Alice"'s) measurement outcomes is bounded by in terms of the CHSH expectation value for ±1-valued measurements A x and B y . More recently, Kaniewski and Wehner [18] have derived the tight upper bound on an average probability P g (A|B 3 ) = P g (A 1 |B 3 ) + P g (A 2 |B 3 ) /2 that the second party ("Bob") is able to guess Alice's measurement outcome without knowing which measurement Alice performed. Beyond the CHSH scenario, guessing-probability bounds have been determined for violations of bipartite and multipartite chained Bell inequalities [19,20]; however these are derived assuming only the no-signalling constraints and they are not generally tight assuming the scenario is restricted to correlations and attacks allowed by quantum physics.
Here, we study the amount of randomness that can be certified in a Bell experiment with three parties showing a violation of Mermin's tripartite Bell inequality [21]. We report tight bounds for the following two cases: • The guessing probability P g (A 1 |E) associated with the measurement outcome at one site, in terms of two independent Mermin expectation values.
• The guessing probability P g (A 1 B 1 |E) associated with measurement outcomes at two sites, for a given violation of one Mermin inequality.
The results, the inequalities (14) and (17), can be found in section II, following a summary of the tripartite scenario we consider. We give the proofs of these in section III in the form of sum-of-squares decompositions for families of Bell operators which correspond to tangents of the bounds, together with quantum strategies that show that they are attainable. We found the sum-of-squares decompositions following an approach similar to [22]. We have also included the no-signalling bounds in appendix A. Finally, in section IV we discuss the prospect of deviceindependent secret-sharing [23], mainly pointing out that the idea seems unlikely to work due to the presence of untrusted parties participating in the Bell test.

II. SCENARIO AND RESULTS
Our results apply to the following adversarial Bell scenario: three cooperating parties, Alice, Bob, and Charlie, and an eavesdropper, Eve, share a quantum state ρ ABCE on some Hilbert space H A ⊗ H B ⊗ H C ⊗ H E . Alice, Bob, and Charlie may each perform one of two measurements indexed x, y, z ∈ {1, 2} on their part of the state, which yield respective outcomes a, b, c ∈ {+, −}. Eve performs a measurement yielding an outcome e, intended to be correlated with one or more of Alice's, Bob's, and Charlie's outcomes. Generally, we will assume, without loss of generality, that Eve's measurement has the same number of outcomes as the number of possible different results that the cooperating parties may obtain that she wishes to distinguish between. The joint correlations are summarised by a table of conditional probabilities a|x is the measurement operator associated with the outcome a when Alice performs the measurement x, and similarly for Bob's, Charlie's, and Eve's measurement operators Π B b|y , Π C c|z , and Π E e . The measurements can be assumed to be projective, since we do not assume any limit on the dimension of the underlying Hilbert space. The state and measurements are all treated as unknown except possibly to Eve.
Eve's goal in this setting is to be able to guess one or more of Alice's, Bob's and/or Charlie's measurement outcomes. The simplest measure of her ability to do so, the guessing probability, is simply the probability that Eve's guess is correct. In the simplest case where Eve aims to guess (say) Alice's x = 1 measurement outcome, the ("local") guessing probability is the probability that Eve's measurement outcome is the same as Alice's, where P AE (ae|x) = bc P (abce|xyz). Other guessing probabilities are straightforward variations of this. For instance, the guessing probability associated with Alice's and Bob's joint outcomes for measurements x, y = 1 is where we label Eve's (four) possible measurement outcomes (++), (+−), (−+), and (−−). Alice, Bob, and Charlie wish to certify that Eve's ability to guess outcomes is limited (in mathematical terms, that guessing probabilities like (5) and (6) must be less than one) using only the information available to them, encapsulated by the marginal distribution P ABC (abc|xyz) = e P (abce|xyz). A necessary but not necessarily sufficient condition for this is that this marginal distribution does not admit a local hidden variable model, i.e., it does not admit a factorisation of the form P ABC (abc|xyz) = λ p λ P A (a|x; λ)P B (b|y; λ)P C (c|z; λ) , (7) which is detected if the marginal distribution P ABC violates a Bell inequality.
Here, we study the amount of randomness that can be certified in this tripartite scenario if a violation of the Mermin-Bell inequality is observed. The Mermin inequality [21] M ≤ 2 holds for local-hidden-variable models, where the Mermin correlator is The Mermin inequality is best known for its association with the Greenberger-Horne-Zeilinger (GHZ) paradox [24]. The maximal quantum (and algebraic) violation M = 4 is attained by measuring A 1 = B 1 = C 1 = σ x and A 2 = B 2 = C 2 = σ y on the GHZ state |Ψ = (|111 + |222 )/ √ 2. Violations greater than 2 √ 2 require entanglement between all three sites [25].
The Mermin expression M can be obtained as the real part of the quantity The imaginary part is also a Mermin expression, equivalent to (8) up to relabelling some of the inputs and outputs. The sum M + = M +M is the correlator appearing in Svetlichny's inequality [26], which was constructed to always require nonlocality (and thus entanglement) between all three parties in order to violate.
Some randomness bounds, quantified by guessing probabilities involving one, two, and three parties, are illustrated in figures 1 and 2 in terms of the Mermin and  The upper bound for P g (A 2 B 2 C 2 |E) was determined numerically at the level 1 + A 2 + AB + AC + BC of the NPA hierarchy.
Svetlichny expectation values. Of these, we were able to find the analytic form of the curve for the local guessing probability P g (A 1 |E) in both cases and the curve for P g (A 1 B 1 |E) in terms of the Mermin expectation value.
For given values of the Mermin or Svetlichny correlators, the corresponding upper bounds on the local guessing probability have the same functional form, for the function in the range 2 √ 2 ≤ x ≤ 4. Both are implied by the tight bound in which the two Mermin expectation values M and M appear as independent parameters. Note that since f is a decreasing function in its argument, (14) is equivalent to stating that holds for all ϕ. The result (14) certifies randomness for values of M and M satisfying 2 For M alone and the Svetlichny combination M + = M + M , randomness for one measurement outcome is certified for M > 2 √ 2 and M + > 4. This is what one would expect, since these are precisely the ranges  that require entanglement between all three parties to attain. At the boundary √ M 2 + M 2 = 4, (14) reduces to P g (A 1 |E) ≤ 1/2, certifying that the measurement outcome must be uniformly random.
In the case that the eavesdropper aims to jointly guess two parties' measurement outcomes, the guessing probability respects the tight bound in the range 2 ≤ M ≤ 4. In this case, we detect randomness as soon as the local bound M ≤ 2 is violated. The maximum possible violation M = 4 implies P g (A 1 B 1 |E) ≤ 1/4, corresponding to the maximum possible randomness. Beyond this we did not find any new tight bounds for violations of the Mermin inequality. The upper bound for the global guessing probability P (A 1 B 1 C 1 |E) in terms of M is exactly the same as (17), while the upper bound for P (A 2 B 2 C 2 |E) (which should attain 1/8 if the Mermin inequality is maximally violated [27,28]) appears to be the solution to the maximisation problem maximise 1 8 1 + 24 cos 3 2 θ 2 αβ + 2 cos(3θ 2 )α 2 + 30β 2 subject to M = 2 cos(3θ 1 ) − 6 cos(θ 1 + 2θ 2 ) α 2 −12 cos(θ 1 − θ 2 )β 2 and 2α 2 + 6β 2 = 1 (18) over α, β, θ 1 , θ 2 ∈ R, which we were unable to signific-antly simplify further (let alone prove). Eq. (17) also does not generalise in terms of M and M in the way that the local-guessing-probability bound does. The upper bound for P g (A 1 B 1 |E) in terms of the Svetlichny combination (illustrated in figure 2) for instance has a different form than (17). This is expected since the localguessing-probability bound is already less than 1 for any violation of the local bound, and we were not much more successful in attempting to identify it analytically than we were for P g (A 2 B 2 C 2 |E) in terms of M . For simplicity we have stated the results (14) and (17) for the guessing probabilities P g (A 1 |E) and P g (A 1 B 1 |E); however symmetries of the Mermin correlator(s) imply that the bounds are the same regardless of what measurements are considered. For the global guessing probabilities there are two inequivalent cases, In figures 1 and 2 we have also included upper bounds on guessing probabilities for which we do not have an exact analytic expression. We derived these numerically by solving the semidefinite programming relaxations at the levels of the Navascues-Pironio-Acín (NPA) hierarchy indicated in the figure captions. We used the arbitraryprecision solver SDPA-GMP [29,30] for this purpose. We have made the code we used to generate the relaxations available online [31].

III. TANGENT BELL EXPRESSIONS
We have claimed that the local and two-party guessing probabilities respect the upper bounds (14) and (17) and that the bounds are tight. The purpose of this section is to prove these claims.

A. General idea illustrated with CHSH
Proving the main results (14) and (17) is equivalent to proving families of linear inequalities corresponding to tangents of the curves. We illustrate the approach using CHSH as an example, for which this has already been done [10,32]. It was shown in [32] that the quantum expectation value of a modified CHSH expression respects the tight upper bound Eq. (19) can be rewritten as an upper bound for A 1 . Assuming that S ≥ 2 and minimising the righthand side over β then produces the tightest possible bound This bound has two key characteristics. First, since the CHSH expression remains unchanged under (for example) the replacements A x → −A x and B y → −B y , the same upper bound holds for − A 1 as well as A 1 . Second, the right-hand side is by construction concave in S, since it is derived by minimising over a family of hyperplanes. Using these properties and that P A (+|x) = (1 + A x )/2 and P A (−|x) = (1 − A x )/2, the result is quickly obtained: where S |a in the third line is the CHSH expectation value conditioned on Eve obtaining the outcome e = a.
In passing, we mention that the bound (3) for for α ≥ 0. The inequality (23) itself is implied by the tight quantum bound derived for the I β α expression in [32], since there is clearly no advantage for the operator B 3 to be different from B 1 in order to maximise the left-hand side.
The same general approach works for the main results of section II. The Mermin expectation values M and M are both symmetric under the transformations A x , C z → −A x , −C z and B y , C z → −B y , −C z . These can be used to map the probability P A (+|1) to P A (−|1) and the probability P AB (++|11) to any of the probabilities P AB (+−|11), P AB (−+|11), and P AB (−−|11), and vice versa. Consequently, in order to derive upper bounds on P g (A 1 |E) and P g (A 1 B 1 |E), we need only derive concave upper bounds for and

B. Local guessing probability linearisation
Similarly to the derivation for CHSH summarised above, the local-guessing-probability bound (14) for which holds for θ in the range π/4 ≤ θ ≤ π/2 and for all ϕ. We can see that (26) is tight by observing that is attained if (for example) the measurements and are performed on the state where |± = (|1 ± |2 )/ √ 2 are the eigenstates of the σ x operator and θ is the same angle as in (26). With this state and measurements, one can readily verify that A 1 = cos(θ) and 1 2 cos(ϕ)M + sin(ϕ)M = 1 + sin(θ), which attain (26).
The linearisation (26) ceases to apply for θ < π/4. It is violated, for instance, by measuring and on a state |Ψ = |χ A |ψ BC , where |χ is any state on Alice's subsystem and Bob and Charlie share the state This strategy yields A 1 = 1 and and the right-hand side of (26) attains cos(θ) + √ 2 sin(θ). Importantly, for θ = π/4, we see that (26) can be attained with a strategy for which Alice's A 1 measurement produces a deterministic outcome.
We prove the linearisation (26) by showing that the operator is positive semidefinite, wherê A sum-of-squares decomposition that shows this is and the coefficients α, β, γ, δ are related to θ and ϕ by where s = ±1 in the last line is the sign The R ± i s have been grouped by whether or not they change sign under the replacements τ : which is a symmetry of (37). The parameters γ and δ are chosen to solve the simultaneous equations  (55) and (56) are nonnegative.
The operators P ± i are then all Hermitian and |P ± i | 2 can be simplified to P ± 2 i . The Python script pa1 mermin sos.py supplied with this article uses the SymPy library [33] to verify symbolically that the sum-of-squares decomposition (40) expands to (37), under the assumption that the operators P ± i are Hermitian and that the conditions (59) and (60) for γ and δ can be satisfied.

C. Two-party guessing probability linearisation
For M ≥ 2, the guessing-probability bound (17) follows from the linearisation where which holds for parameters λ and µ satisfying In the extreme cases λ = 3µ and λ = µ, (62) reduces respectively to which corresponds to the linear part of (17), and to the bound M ≤ 4 for the Mermin correlator itself, where the gradient of (17) is infinite. (Eq. (62) also appears to hold for 0 ≤ λ < µ; however (62) then translates to a lower bound on P AB (++|11), which we did not interest ourselves in.) Eq. (62) is attained with equality by measuring with λ and µ scaled to satisfy λ 2 + 3µ 2 = 1 so that the state is properly normalised. In this case P AB (++|11) and M work out to and these are related by corresponding to the nonlinear part of (17). The condition 3µ ≥ λ ≥ µ and normalisation λ 2 + 3µ 2 = 1 also translate to precisely the ranges 1/4 ≤ P (++|11) ≤ 3/4 and 3 ≤ M ≤ 4 to which the nonlinear part of (17) applies.
With the same state (68) and optimal measurements, we also have P ABC (+++|111) = λ 2 = P AB (++|11). This implies that the upper bound (17) for P g (A 1 B 1 |E) is also the tight upper bound for P g (A 1 B 1 C 1 |E).
The linearisation (62) is equivalent to the operator inequality This is shown by the sum-of-squares decomposition where and The R ±± i s are grouped according to whether they change sign under the replacements Note that we have included an operator, R +− 1 , among the list of R ±± i s that we attempted to construct a sumof-squares decomposition out of, although ultimately we did not use it.

D. Method
We initially determined the upper bounds on the guessing probabilities P g (A 1 |E) and P g (A 1 B 1 |E) numerically in terms of the Mermin expectation value M . It was quickly apparent that the nonlinear parts of the bounds were consistently being attained with anticommuting measurements. From there it was not difficult to guess the optimal states and see that the numeric bounds seemed to coincide with the (at this point, conjectured) analytic forms (14) and (17) given in section II. Experimenting a little, we found that the bounds seemed to be attained respectively at the NPA hierarchy levels 1 + AB + AC and 1 + AB + AC + BC; this told us that we should be able to find sum-of-squares decompositions out of the operators at these levels for the tangents of the bounds.
We searched for sum-of-squares decompositions following a method similar to [22]. The idea is essentially to write the general form of a candidate sum-of-squares decomposition in terms of unknown parameters, assert that it should expand to the operator we want to show is positive semidefinite, and then find parameters for which the assertion becomes true.
Using the tangents of the local-guessing-probability bound as an example, we were searching for a solution to the problem where T is the target expansion (37), for operators P ± i of the form where the c s ij s are unknown real-valued coefficients and the R s j s form a basis of the space of linear combinations of the operators at level 1 + AB + AC with the property for the (conjectured) optimal measurements A x , B y , C z and state |Ψ described in subsection B. Such a basis of R s j s is given by Eqs. (45)-(52).
We have applied some simplifications to the problem above, following [22]. In particular, writing for the potentially more general problem with we have used that it is not restrictive to assume that the coefficients c s ij are real-valued and that the symmetry of the target operator (37) under the transformation τ (58) can be used to block diagonalise the matrix of elements M rs jk . We also applied another simplification: one can choose to set c s ij = 0 for (for instance) i < j or i > j. This corresponds to choosing a Cholesky factorisation of the matrix of elements M s jk = i c s ij c s ik . Expanding the candidate sum-of-squares decomposition on the left-hand side of (95) and requiring operatorby-operator that the left-hand side is zero translates to imposing a number of quadratic equality constraints on the coefficients c s ij . We used a Python module divars.py, which we have included with this article, together with SymPy, to automate this procedure and help simplify the resulting constraints. We then repeatedly searched numerically for solutions to the constraints, guessing and gradually introducing constraints on the coefficients (e.g., trying c s ij = 0 for some coefficient or imposing that two coefficients are equal to each other) until the numeric search seemed to consistently return the same solution. Solving the remaining constraints by hand got us the sum-of-squares decomposition given in subsection B.

IV. ATTACKS AGAINST DEVICE-INDEPENDENT SECRET SHARING
Aside from fundamental interest, a second more practical motivation to conduct the previous analysis was to construct a device-independent secret sharing protocol based on the Mermin inequality. However, we found obstacles to this idea which we describe in the following section.

A. Overview
Secret sharing is a cryptographic task in which a secret (e.g., a cryptographic key) is distributed among two or more parties in such a way that a specified minimum number of parties must work together in order to reconstruct it. Hillery, Bužek, and Berthiaume (HBB) [23] proposed a quantum version of secret sharing, analogous to the concept of quantum key distribution, in which the security of the protocol is guaranteed by quantum physics.
In the three-party scheme of [23], Alice, Bob, and Charlie share a GHZ state |Ψ = 1 √ 2 |111 +|222 and choose inputs x, y, z ∈ {1, 2} and measure A x , B y , and C z , where A 1 = B 1 = C 1 = σ x and A 2 = B 2 = C 2 = σ y . In all cases, Bob's and Charlie's measurement outcomes individually are uncorrelated with Alice's. However, if Alice, Bob, and Charlie all measure σ x , or any one of them measures σ x and the other two measure σ y , then Bob and Charlie can together determine Alice's result from the product of their own measurement results. Quantum secret-sharing protocols can also be devised for more than three parties, but we will discuss explicitly only the three-party version here.
The state and measurements, and resulting correlations, of this protocol are precisely those that maximally violate the Mermin-Bell inequality. For readers familiar with both, it may seem natural to ask whether the security of the HBB scheme can be proved device independently, i.e., without assuming that the participants' devices are necessarily measuring σ x and σ y . There have indeed been proposals to design a device-independent secret-sharing protocol based on the GHZ-paradox or other correlations arising from GHZ states [20,34,35]. However, we found that the HBB scheme is completely insecure from a device-independent point of view. The reason is that the secret-sharing protocol is intended to still work, securely, if either Bob or Charlie (but not both) are dishonest, and this differs from the usual Bell scenario where all the parties participating in the Bell test are trusted.
If (say) Charlie is dishonest, he could attack the protocol in the usual ways considered in the security analyses of device-independent protocols (particularly, he could prepare a different state than the GHZ state and/or arrange for Alice's and Bob's devices to perform different measurements than σ x and σ y ). Moreover, since Charlie is also involved in the parameter estimation (e.g., the estimation of the Mermin expectation value), he could also act in ways that don't respect the normal conditions of a Bell test: 1. Charlie could wait until Bob declares which basis y he measured in before declaring his own input z and output c, and could perform different measurements on his system depending on which input y Bob declared.
2. Charlie could introduce correlations between his choice of input z and the system prepared for the protocol, instead of choosing z randomly and independently, for instance by performing a four-outcome measurement to determine both his input z and output c, or by implementing a hidden-variable model in which the hidden variable λ is correlated with z.
3. Charlie could perform a different measurement to attempt to guess Alice's outcome than he does in the parameter estimation rounds.
The possibility of an attack combining 1 and 3 is already known to be fatal for even the device-dependent HBB scheme (i.e., Charlie can learn Alice's outcome, without being detected, even assuming that Alice and Bob are measuring σ x and σ y ). It and a possible remedy, in which Bob and Charlie are required to declare their outputs before either are allowed to declare their inputs, is discussed in [36].
In the following we describe how a dishonest party could go about attacking an HBB-type protocol, in either the quantum or no-signalling scenarios, without needing to learn Bob's input. We have not attempted to be exhaustive or general; we merely describe the simplest pathological cases that would need to be ruled out, which already show that the situation is much worse for secret sharing in the device-independent scenario.

B. Hidden variable models
Similarly to other device-independent cryptographic protocols, the simplest way a dishonest Charlie could try to attack a secret-sharing protocol would be to attempt to implement a deterministic hidden-variable model replicating the observed correlations. This is possible if the probabilities P (abc|xyz) of the protocol can be expressed in the form P (abc|xyz) = λ p λ|z P A (a|x; λ)P B (b|y; λ)P C (c|z; λ) . (100) Note that, in this case, there is no reason for Charlie to arrange for the hidden variable λ and his own input z to be uncorrelated. (In the language of Bell locality, the socalled "free will" assumption is not justified.) We reflect this in (100) by allowing the probability distribution p λ|z to depend arbitrarily on z. Eq. (100) thus does not have the form of a local hidden-variable model of the kind normally considered in Bell-type theorems, and it is not sufficient for the probabilities P (abc|xyz) to violate a Bell inequality, such as the Mermin inequality, in order to rule out a local hidden-variable model of the form above.
It is easy to show that the existence of a decomposition of the form (100)  for each of the probability distributions P (ab|xy; cz) conditioned on Charlie's different possible outputs and inputs c and z. This gives a bare minimum condition in order for there to be any hope that a device-independent secret-sharing scheme might be secure: at least one of the conditional distributions P (ab|xy; cz) (for some c and z) must be nonlocal. This condition is not met for the GHZ correlations that the HBB protocol is based on: in that case all of the conditional distributions P (ab|xy; cz) exhibit perfect correlation or no correlation at all depending on the inputs, and admit trivial local hidden-variable models. This makes it clear that secret sharing cannot be done securely and device independently using only the correlations of the GHZ paradox.

C. No-signalling attacks
Security analyses of device-independent protocols are sometimes undertaken using only the no-signalling constraints, since this is typically much simpler, though typically at the cost of significantly worse tolerance to noise. We are aware of at least two proposals [20,34] to design device-independent secret-sharing protocols using GHZ states (but not necessarily the GHZ-paradox correlations) using only no-signalling constraints. In this case, the situation is significantly worse, since in the nosignalling scenario, a dishonest Charlie could implement arbitrary steering. More precisely, suppose Charlie wishes to produce the no-signalling distribution P (abc|xyz) in the parameter estimation rounds. If the marginal distribution P (ab|xy) = c P (abc|xyz) can be expressed as a convex sum of no-signalling distributions P (λ) (ab|xy) then Charlie could prepare the extended distribution where ⊥ is an additional input that Charlie can use in the secret bit generation rounds, when he is not asked to publicly disclose his input and outcome. It is easy to verify that the extended distribution (103) still satisfies the no-signalling constraints.
The above observation means that, in the nosignalling scenario, the security or insecurity of a deviceindependent secret-sharing protocol against a dishonest Charlie is determined entirely by the marginal distribution P (ab|xy) between Alice and Bob. If this marginal distribution is in the local polytope then the protocol is completely insecure against no-signalling attacks. A special case worth remarking is that no device-independent secret-sharing protocol based on the GHZ state can be proved secure using only the no-signalling conditions: the marginals of the GHZ state are all separable and the marginal probability distributions will always be in the local polytope, regardless of what or how many measurements are performed by the parties.

D. Outlook
To summarise: we have pointed out that a deviceindependent version of the HBB protocol would be completely insecure against a dishonest party, and that any protocol for which the marginal probability distributions are in the local polytope (for example, any protocol using a GHZ state) cannot be proved secure using only the no-signalling constraints. This does not rule out that a device-independent secret-sharing protocol could be designed, for instance based on different correlations and/or using stronger constraints than only the no-signalling conditions in the security proof. However, one should consider the following points: • It is already known that if one can do quantum key distribution then one can do secret sharing. For instance, Alice could do device-independent key distribution separately with Bob and Charlie and xor the two keys. More generally, secret sharing can be done securely using classical protocols if the parties can do one-time-pad encryption, which happens to be precisely what key distribution schemes are intended to generate cryptographic keys for.
• As with key distribution, or any secure protocol involving parties communicating remotely, the parties would need to authenticate themselves. This is normally done in key distribution using classical authentication schemes which require preshared keys; part of the generated key can then be used to do the authentication the next time. Consequently, it seems to us that one would need to be able to do key distribution anyway in order to do secret sharing, if only to generate the authentication keys needed after the first use of the protocol.
Given these issues, the usefulness of a device-independent secret-sharing protocol that does not reduce to a direct application of device-independent quantum key distribution is unclear to us.

V. CONCLUSION
We considered the Mermin-Bell experiment with three parties and we identified and proved tight upper bounds on the guessing probabilities associated with the measurement outcomes of one and two of the parties. The results are fundamental tradeoffs between the amount of intrinsic randomness and nonlocality, as measured by the violation of the Mermin inequality, imposed by the structure of quantum physics. The linearisations in section III can also be read as inequalities identifying parts of the boundary of the set of quantum correlations. It may be interesting to study how our results generalise to Bell experiments involving more parties. We guessed one possible generalisation of the upper bound (17) for P g (A 1 B 1 |E) to n parties, which can be found in appendix B. We did not attempt to prove it, though we tested the cases for n = 4 and 5 parties numerically.
While we are not aware of an obvious practical application of our results, we believe there is some merit to finding the analytic form of randomness vs. nonlocality tradeoffs more generally where it could be feasible to do so, particularly where the result might be used in the security proof of a device-independent protocol. From this point of view, our work has explored the feasibility of searching for sum-of-squares decompositions for problems somewhat larger than was considered in [22]. The cases where the method is likely to work are probably those where the problem is "simple" in some same key respects as the problems we studied. In particular: it was reasonably easy for us to guess the upper bounds and the states and measurements that attained them, we found that the optimal solution was attained at a level of the hierarchy that was not prohibitively high, and symmetries of the problem allowed us to reduce the number of variables in the searches for sum-of-squares decompositions.
The main text gave tight bounds on the guessing probability assuming all the measurements are performed on a quantum system. The tightest bound that can be derived for the local guessing probability using only the no-signalling constraints is For the two-party guessing probability there are two distinct tight bounds, and as well as the same bounds with M and M swapped. Finally, there are three bounds for the global guessing probability, The same upper bounds hold for P g (A 1 B 2 C 2 |E), P g (A 2 B 1 C 2 |E), and P g (A 2 B 2 C 1 |E). The upper bounds for P g (A 1 B 1 C 2 |E), P g (A 1 B 2 C 1 |E), P g (A 2 B 1 C 1 |E), and P g (A 2 B 2 C 2 |E) are the same except with M and M swapped.
Following an approach similar to [37], the localguessing-probability bound (104) is implied by the eight inequalities Each of these is in turn implied by two positivity constraints. For example, (110) is just stating that The inequalities (110) to (117) sum to which, together with symmetries of the problem, implies (104). The upper bound P g (A 1 B 1 |E) ≤ 3/2−M/4 is similarly implied by the five inequalities (the last of these is just stating that which sum to The second upper bound (106) for P g (A 1 B 1 E) is implied by the inequalities Each of the eight inequalities above can be obtained from up to three positivity constraints. For instance, the left-hand side of (131) is equal to The first two upper bounds (107) and (108) on the three-outcome guessing probability P g (A 1 B 1 C 1 |E) are implied by (105) and (106). Using symmetries of the problem, the remaining inequality (109) reduces to showing that (137) One can readily verify that where A (p) x are the pth party's measurement operators, whose local and quantum bounds are respectively [21] L n = 2 (n−1)/2 if n odd 2 n/2 if n even (145) and Q n = 2 n−1 (146) (although the local bound M n ≤ L n is a facet of the local polytope only for odd n).
The obvious generalisation of the strategy of section III. C is for the n parties to measure where S ⊂ {+, −} ×n is the subset of all vectors of n signs with a nonzero even number of minuses. The state is normalised if In terms of λ and µ, the probability that the first n − 1 parties (or all n of them, for that matter) obtain the result '+' if they measure σ x is and the Mermin expectation value is Relating P A (+|1) = λ 2 to M n yields the dependence P A (1|1) = P n (M n ), where By suitably mixing this strategy with a deterministic strategy with P A (1|1) = 1 and M n = L n , we obtain a strategy for which the guessing probability and Mermin expectation value are related by where Γ n (M n ) = L n (Q n − 1) − (L n − 1)M n L n (Q n − L n ) .
The threshold M th n in (153) is the point where the linear interpolation Γ n (M n ) coincides with the curve P n (M n ) and their derivatives are the same. This occurs at at which point For odd n, we remark that L n = √ Q n and in that case (155) reduces to the average M th n = (L n + Q n )/2 of the local and quantum bounds.
The strategy we have described here shows that the upper bound on the guessing probability cannot be better than (153). For n = 4 and 5 parties, some numerical tests we carried out seemed to support that the upper bound on the guessing probability coincides with (153), although we did not attempt to prove this.