Composably secure device-independent encryption with certified deletion

We study the task of encryption with certified deletion (ECD) introduced by Broadbent and Islam (2020), but in a device-independent setting: we show that it is possible to achieve this task even when the honest parties do not trust their quantum devices. Moreover, we define security for the ECD task in a composable manner and show that our ECD protocol satisfies conditions that lead to composable security. Our protocol is based on device-independent quantum key distribution (DIQKD), and in particular the parallel DIQKD protocol based on the magic square non-local game, given by Jain, Miller and Shi (2020). To achieve certified deletion, we use a property of the magic square game observed by Fu and Miller (2018), namely that a two-round variant of the game can be used to certify deletion of a single random bit. In order to achieve certified deletion security for arbitrarily long messages from this property, we prove a parallel repetition theorem for two-round non-local games, which may be of independent interest.


Introduction
Consider the following scenario: Alice wants to send a message to Bob that is secret from any third party. She may do this by sending Bob a ciphertext which contains the message encrypted with a secret key, such that when the key is revealed to Bob he may learn the message. Now suppose after sending the ciphertext Alice decides that she does not want Bob to learn the message after all, but she cannot prevent the secret key from eventually being revealed to him. So Alice wants to encrypt the message in such a way that she can ask Bob for a deletion certificate if she changes her mind. If Bob sends a valid deletion certificate, Alice can be convinced that Bob has indeed deleted his ciphertext and cannot hereafter learn the message even if the secret key is revealed to him. In this scenario Alice is not actually forcing Bob to delete the ciphertext, but she is making sure that he cannot simultaneously convince her that he has deleted the ciphertext, and also learn the message.
An encryption scheme for the above scenario is called encryption with certified deletion (ECD) and was introduced by Broadbent and Islam [BI20]. It is easy to see that ECD cannot be achieved with a classical ciphertext: since classical information can always be copied, any deletion certificate Bob sends to Alice can only convince her that he has deleted one copy of it -he may have kept another copy to decrypt from, when he learns the key. However, quantum states cannot in general be copied, and are disturbed by measurements. So if Bob has a quantum ciphertext that he cannot copy, and needs to perform a measurement on it to produce a deletion certificate, the state may be disturbed to such an extent that it is no longer possible to recover the message from it, even with the key.
The no-cloning property and the fact that measurements disturb quantum states have been useful for various cryptographic tasks, such as quantum key distribution (QKD) [BB84] and unforgeable quantum money [Wie83]. The concept of revocable timed-release encryption -a task which has some similarities to encryption with certified deletion -was studied by Unruh [Unr14], who showed it can be achieved with quantum encodings. Another related task of tamper-evident delegated quantum storage -here Alice wants to store data that she encrypts using a short key on a remote server, so that she can retrieve it later and also detect if the server has tampered with it -was studied by van der Vecht, Coiteaux-Roy and Škorić [VCRŠ20]. Lütkenhaus, Marwah and Touchette [LMT20] studied a different form of delegated storage, where Alice commits to a single random bit that Bob can learn at some fixed time, or she can erase, using a temporarily trusted third party. Finally, the ECD task itself, as mentioned before, was introduced by Broadbent and Islam, who achieved it using Wiesner's encoding scheme [Wie83].
All of the works mentioned above are in the device-dependent setting, where the honest parties trust either the quantum states that are being used in the protocol, or the measurement devices, or both. However, in general a sufficiently powerful dishonest party may make the quantum state preparation and measurement devices used in a protocol behave however they want. As it turns out, with some mild assumptions it is possible to achieve certain cryptographic tasks even in this scenario. There is a long line of works studying the device-independent security of QKD [PAB+09,AFDF+18,JMS20]. Device-independent protocols for two-party cryptographic tasks such as coin flipping [ACK+14], bit commitment [SCA+11,AMP+16] and XOR oblivious transfer [KST22] have also been shown. Fu and Miller [FM18] studied the task of sharing between two parties a single random bit, which can be certifiably deleted, in the device-independent setting.
A desirable property of cryptographic protocols is that they should be composable, meaning that if a protocol is used as part of a larger protocol to achieve some more complex task, then security of the larger protocol should follow from the security of its constituent protocols. While it is possible to achieve composable security for some cryptographic tasks such as QKD [BOHL+05,PR14], this is in general not easy to achieve for many others, such as the tasks mentioned above.

Our contributions
Informally stated, our main contributions in this work are:

1. We define the ECD task and its security in a composable manner.
2. We give a quantum protocol (with information-theoretic security) for the ECD task that satisfies certain properties of correctness, completeness and secrecy, even when the honest parties do not trust their own quantum devices.
3. We show how to prove that a protocol that satisfies the above properties achieves the ECD task in a composably secure manner.
The reason we do not combine items 2 and 3 above to make the claim that we give a protocol that achieves the ECD task in a composably secure manner is because the notion of device-independence itself has not been precisely formalized in a composable manner yet. So item 3 in the device-independent setting is conditional on a conjecture that we shall soon explain (though note that even without this conjecture, our proof already shows that the protocol is indeed composably secure in the standard device-dependent setting, i.e. if one imposes the condition that the honest parties are performing trusted measurements). In contrast, our proof that our protocol satisfies the security properties in item 2 holds under standard device-independent conditions, without additional conjectures.
Our composable security definition uses the framework of Abstract Cryptography introduced by Maurer and Renner [MR11]. In the Abstract Cryptography framework, a resource is an abstract system with an interface available to each party involved, to and from which they can supply some inputs and receive some outputs. A protocol uses some resources (meaning it interacts with the interfaces of such resources) in order to construct new resources. The protocol is said to construct the new resource in a composably secure manner if it is not possible to tell the ideal resource apart from the protocol acting on the resources it uses, under certain conditions. As such, a composable security definition for a cryptographic task would be the description of a reasonable (in the sense of being potentially achievable by actual protocols) ideal functionality or resource corresponding to that task, and a composable security proof for a protocol for this task would show that the constructed resource and ideal resource are indistinguishable.
We model the notion of a device-independent resource in the Abstract Cryptography framework as a resource which supplies some black boxes representing quantum states to the honest parties, and the honest parties may press some buttons on these boxes to obtain some classical outputs. However, the resource allows the boxes themselves to be chosen by a dishonest third party Eve, and they produce the outputs by implementing whatever states and measurements Eve wants.
Strictly speaking, to avoid the memory attack in the device-independent setting described in [BCK13], some additional constraints need to be placed on the registers that the measurements act on. Namely, one has to impose the condition that the measurements cannot access any registers storing private information from previous (potentially unrelated) protocols. Such a condition is implicitly (albeit not always obviously) imposed in the standard (device-dependent) framework for Abstract Cryptography [MR11,PR14], where the measurements are assumed to be fully characterized (and thus the registers which the measurements act on can be specified to be independent of previous protocols). However, the question of precisely formalizing this condition in the device-independent setting has not been completely resolved, and is currently a topic of active research. For the purposes of this work, we consider the technical treatment of this subject to be beyond our scope, and for ease of presentation we shall proceed under the assumption that it will be possible to find an appropriate such formulation in the device-independent setting. That is, we shall assume the following somewhat informal conjecture and prove our main theorem conditional on it.
Conjecture 1. The quantum "boxes" typically considered in the device-independent setting can implement unknown states and measurements, and in fact even the dimension of the systems is unspecified. If these states and measurements nevertheless achieve a winning probability for the game that is close to its optimal winning probability, then self-testing tells us that the states and measurements are close to the ideal ones for that game, up to trivial isometries. For DIQKD, this means in particular that the measurement outputs of the devices given the inputs are random, i.e., they cannot be predicted by a third party even if they have access to the inputs used. This lets us use the outputs of the devices to produce a secret key.
Parallel DIQKD protocol. We make use of the parallel DIQKD protocol given by Jain, Miller and Shi [JMS20], and its subsequent simplification given by Vidick [Vid17], based on the magic square non-local game. In the magic square game, henceforth denoted by MS, Alice and Bob respectively receive trits x and y, and they are required to output 3-bit strings a and b, which respectively have even parity and odd parity, and satisfy a[y] = b[x]. The classical winning probability of MS is 8/9, whereas the quantum winning probability is 1. The [JMS20] protocol works as follows: Alice and Bob have boxes which can play l many instances of MS. Using trusted private randomness, Alice and Bob generate i.i.d. inputs x, y for each of their boxes and obtain outputs a, b (which are not necessarily i.i.d.). The inputs x, y are then publicly communicated. Alice and Bob select a small subset of instances on which to communicate their outputs and test if the MS winning condition is satisfied (up to some error tolerance) on those instances. If this test passes, then they go ahead and select their common bits a[y] = b[x] from all the instances -they can do this since Alice has a, Bob has b, and they both have x, y -as their raw secret key (some privacy amplification of the raw key is required in order to get the final key). Otherwise, the protocol aborts.
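The classical value 8/9 quoted above can be verified by brute force: classical players may as well use deterministic strategies (by convexity), in which Alice fixes an even-parity 3-bit string for each row input x and Bob fixes an odd-parity string for each column input y. The following small script (purely an illustrative sanity check, not part of the protocol) enumerates all such strategies:

```python
from itertools import product

# Valid deterministic answers: Alice's strings have even parity, Bob's odd.
EVEN = [s for s in product((0, 1), repeat=3) if sum(s) % 2 == 0]
ODD  = [s for s in product((0, 1), repeat=3) if sum(s) % 2 == 1]

best = 0
# A deterministic strategy fixes one answer string per input trit.
for alice in product(EVEN, repeat=3):        # alice[x] is Alice's output on input x
    for bob in product(ODD, repeat=3):       # bob[y] is Bob's output on input y
        wins = sum(alice[x][y] == bob[y][x]  # MS winning condition a[y] = b[x]
                   for x in range(3) for y in range(3))
        best = max(best, wins)

print(f"best deterministic strategy wins {best}/9 input pairs")  # prints 8/9
```

Every strategy pair loses on at least one of the nine input pairs, which is exactly the parity obstruction behind the Mermin-Peres magic square.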
If the MS winning condition is satisfied on the test instances with high probability, then self-testing says that the states and measurements are close to the ideal ones for MS; but this property is not directly used in the security proof. The version of the security proof given by [Vid17] instead considers a guessing game variant MSE of MS, involving three players Alice, Bob and Eve. MSE is the same as MS on Alice and Bob's parts, and additionally, Eve also gets Alice and Bob's inputs and has to guess Alice and Bob's common bit. It can be shown that MSE cannot be won with probability 1 by all three players, and in particular if Alice and Bob's winning condition is satisfied, then Eve cannot guess their common bit with high probability. Now making use of a parallel repetition theorem for the MSE game, which first requires a small transformation called anchoring in order to make the parallel repetition proof work, we can say that Eve's guessing probability for the shared bit in l many instances of MSE is exponentially small in l. Since Alice and Bob's winning condition is satisfied on a random subset of instances, we can say it is satisfied on all instances with high probability by making use of a sampling lemma. Hence Eve's guessing probability for the raw key is exponentially small in l. Now using the operational interpretation of min-entropy, this means that the min-entropy of the raw key conditioned on Eve's quantum system is linear in l, and we can use privacy amplification to get a final key that looks almost uniformly random to Eve.
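The privacy amplification step can be illustrated with a 2-universal hash family; a common concrete choice is a random Toeplitz matrix over GF(2). (This is an illustrative sketch only -the overview above does not pin down which extractor the protocol actually uses, and the function and variable names here are ours.)

```python
import secrets

def toeplitz_hash(raw, seed, out_len):
    """Multiply the raw-key bit vector by a Toeplitz matrix over GF(2).

    The matrix is specified by `seed`, a bit list of length
    out_len + len(raw) - 1 holding its first column and first row:
    entry (i, j) of the matrix is seed[i - j + len(raw) - 1].
    """
    n = len(raw)
    assert len(seed) == out_len + n - 1
    return [sum(seed[i - j + n - 1] & raw[j] for j in range(n)) % 2
            for i in range(out_len)]

raw_key = [secrets.randbelow(2) for _ in range(16)]          # raw key bits
seed    = [secrets.randbelow(2) for _ in range(16 + 4 - 1)]  # public random seed
final_key = toeplitz_hash(raw_key, seed, out_len=4)          # shorter, near-uniform key
```

Compressing the raw key to a length somewhat below its (conditional) min-entropy yields, by the leftover hash lemma, a final key that is close to uniform even given Eve's side information and the public seed.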
Using DIQKD for ECD. It is easy to see how to use DIQKD to achieve the encryption aspect of ECD -Alice and Bob can perform the DIQKD protocol to share a secret key, and then Alice can encrypt the message by one-time padding it with the key, and send it to Bob. This certainly achieves security against Eve if Bob is honest. However, in the ECD scenario, unlike in the QKD scenario, Bob may not be honest, and hence the QKD security proof may not apply, since it requires him to honestly follow the protocol. Moreover, it is not clear how to achieve the certified deletion aspect of ECD this way. Instead, we do the following for our ECD protocol: we make Alice obtain the inputs x, y for MS from the trusted temporarily private randomness source, and obtain the raw key by herself using her boxes and the inputs, but she does not reveal the inputs to Bob (who hence does not have the raw key). She then one-time pads the message with the final key obtained from the raw key and sends the resulting ciphertext to Bob. Bob cannot decrypt the message at this time since he does not have the raw key, but he can get the key from his boxes and decrypt as soon as the temporarily private randomness source reveals x, y to him. Hence in order to achieve certified deletion security, Alice needs to make Bob do some operation on his boxes which destroys his ability to learn the raw key even if he gets x, y.
We also note that for technical reasons, Alice actually needs to one-time pad the message with an extra uniformly random string u that she gets from the randomness source, in addition to the final key. This makes no difference to Bob's ability to decrypt the message when all the randomness is revealed by the source or in certified deletion (since u is revealed at the end), but it does potentially make a difference at intermediate stages in the protocol. Such an extra one-time pad is also used by [BI20] in their protocol.
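The encryption layer itself is just a one-time pad; a minimal sketch of combining the distilled key with the extra pad u (variable names are ours, not the paper's):

```python
import secrets

def xor_bytes(s, t):
    """XOR two equal-length byte strings; OTP encryption and decryption."""
    return bytes(a ^ b for a, b in zip(s, t))

message = b"attack at dawn"
key = secrets.token_bytes(len(message))  # final key distilled from the raw key
u   = secrets.token_bytes(len(message))  # extra pad from the randomness source

ciphertext = xor_bytes(message, xor_bytes(key, u))

# Once the source reveals the inputs (so Bob can compute key) and u,
# Bob inverts the pad to recover the message.
assert xor_bytes(ciphertext, xor_bytes(key, u)) == message
```

Since XOR is an involution, decryption is the same operation as encryption, and the ciphertext is uniformly distributed given the message as long as either pad component is uniform and secret.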
Achieving certified deletion security. Fu and Miller [FM18] made the following observation about the magic square game: suppose Alice does the measurement corresponding to x and Bob does the measurement corresponding to y′ on the MS shared state; then if Bob is later given x, he can guess a[y′] perfectly as b′[x] from his output. But if Bob has indeed performed the y′ measurement, then he cannot guess the value of a[y] for some y ≠ y′, even given x. In fact this property holds in a device-independent manner, i.e., if Alice and Bob have boxes implementing some unknown state and measurements which are compatible with MS, and Alice and Bob input x and y′ into their boxes and get outputs that satisfy the MS winning condition with probability close to 1, then Bob cannot later perfectly guess a[y] given x, y. Now consider a 2-round variant of MS, which we shall call MSB: in the first round, Alice and Bob are given x, y′ and are required to output a, b′ that satisfy the MS winning condition; in the second round, Bob is given x, y such that y ≠ y′ and he is required to produce a bit equal to a[y]. We note that Bob can use his first round input, his first round measurement outcome, and his half of the post-measured shared state in order to produce the second round output. The [FM18] observation implies that the winning probability of MSB is less than 1.
Using the same anchoring trick as in MSE, we can prove a parallel repetition theorem for the 2-round MSB game. Now to achieve certified deletion, Alice gets i.i.d. y′ ≠ y for all l instances from the randomness source, and if she wants Bob to delete his ciphertext, she sends Bob y′ and asks for b′ as a deletion certificate. If the b′ sent by Bob satisfies a[y′] = b′[x] (up to some error tolerance) then Alice accepts his deletion certificate. Due to the parallel repetition theorem for MSB, if Bob's deletion certificate has been accepted, then his guessing probability for a[y], i.e., the raw key, given x, y, is exponentially small in l. Due to privacy amplification, the final key looks uniformly random to Bob, and thus the message is secret from him. We note that certified deletion security should be against Bob and Eve combined rather than just Bob, as a dishonest Bob could collude with Eve in order to try and guess the message. This is fine for our security proof approach, as we can consider Bob and Eve combined as a single party for the purposes of the MSB game.
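Alice's verification of the deletion certificate is then a simple per-instance comparison with an error tolerance; schematically (the tolerance value and all names here are illustrative, not the paper's parameters):

```python
def accept_certificate(a, b_cert, x, y_prime, tolerance=0.05):
    """Alice's check of Bob's deletion certificate.

    a[i] is Alice's 3-bit output on instance i, b_cert[i] Bob's claimed
    3-bit certificate string, and x[i], y_prime[i] the inputs for that
    instance.  Accept if the fraction of instances violating the
    condition a[y'] = b'[x] is within the tolerance.
    """
    l = len(a)
    errors = sum(a[i][y_prime[i]] != b_cert[i][x[i]] for i in range(l))
    return errors <= tolerance * l

# With boxes playing MS perfectly, every instance matches and Alice accepts:
# a = (0,1,1) has even parity, b' = (0,1,0) has odd parity, and
# a[y'] = b'[x] = 0 for x = y' = 0.
a_out = [(0, 1, 1)] * 10
b_out = [(0, 1, 0)] * 10
assert accept_certificate(a_out, b_out, x=[0] * 10, y_prime=[0] * 10)
```

The tolerance mirrors the error tolerance in the key-agreement test; the parallel repetition theorem is what converts "few mismatches on the certificate" into "exponentially small guessing probability for the raw key".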
Remark 1. Many security proofs for DIQKD work in the sequential rather than parallel setting. In the sequential setting, Alice and Bob provide inputs to and get outputs from each instance of their boxes sequentially, which limits the kinds of correlations that are possible between the whole string of their inputs and outputs. While this is easy to justify for DIQKD when Alice and Bob are both honest, justification is harder for the ECD scenario where Bob may be dishonest and need not use his boxes sequentially, so that more general correlations between his inputs and outputs are possible. Hence a parallel rather than sequential security proof is crucial for us.

Proving composable security
To prove composable security for our protocol, we need to show that a distinguisher cannot tell the protocol apart from the ideal ECD functionality, when it is constrained to interact with the ideal functionality via a simulator acting on the dishonest parties' interfaces. That is, for any possible behaviour of the dishonest parties in the real protocol, we need to construct a simulator such that the above is true. This needs to be done for all possible combinations of honest/dishonest parties involved, and here we only describe the idea for the case when Bob is dishonest and the dishonest third party Eve is present.
Our simulator construction is inspired by the composable security proofs of QKD [BOHL+05,PR14]: it internally simulates the real protocol using whatever outputs it gets from the ideal functionality, so that the distinguisher is able to get states on the dishonest parties' side similar to what it would have gotten in the real protocol. However, the ideal functionality is only supposed to reveal the message m to Bob at the end (if either Alice did not ask for a deletion certificate, or Alice asked for a deletion certificate and Bob did not produce a valid one), and since the simulator needs to simulate the real protocol before this time, it has to instead release a dummy ciphertext that does not depend on the message. Hence we require that the states on the dishonest parties' side corresponding to m and the dummy ciphertext in the protocol be indistinguishable, if the message has not been revealed. This is related to the security notions of ciphertext indistinguishability and certified deletion security considered in [BI20]. But these properties hold only as long as the protocol does not actually reveal m. If m is actually revealed at the end, the simulator needs to fool the distinguisher into believing it originally released the ciphertext corresponding to m. This is where the extra one-time pad u we use comes in handy: the simulator can edit the value on the one-time pad register to a value compatible with the true message m.
Overall, our security proof is fairly "modular": our simulator construction for dishonest Bob and Eve works for any protocol in which the extra one-time pad u is used and which satisfies the ciphertext indistinguishability and certified deletion security properties (jointly called secrecy). For other combinations of honest/dishonest parties, the proof works for any protocol that satisfies notions of completeness and correctness, even for devices with some small noise. Completeness here means that if all parties are honest then the protocol aborts with small probability, and Bob's deletion certificate is accepted by Alice with high probability; correctness means that an honest Bob can recover the correct message from the quantum ciphertext with high probability.

Proving parallel repetition for 2-round games
As far as we are aware, our proof of the parallel repetition theorem for the MSB game is the first parallel repetition result for 2-round games, and it may be of independent interest. First we clarify what we mean by a 2-round game: in the literature, boxes that play multiple instances of a game, whether sequentially or in parallel, are sometimes referred to as multi-round boxes, and certainly the nomenclature makes sense in the sequential setting. However, the two rounds for us are not two instances of the same game -they both constitute a single game and in particular, the outputs of the second round are required to satisfy a winning condition that depends on the inputs and outputs of the first round. Alice and Bob share a single entangled state at the beginning of the game, and the second round outputs are obtained by performing a measurement that can depend on the first round inputs and outputs in addition to the second round inputs, on the post-measured state from the first round. This is what we refer to as a 2-round game; it can be viewed as a specific type of interactive game.
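To fix ideas, a parallel repetition theorem for such a game G asserts, schematically, a bound of the following shape (the constants and exponents here are placeholders, not the parameters we actually obtain):

```latex
% Schematic statement only: c, \alpha, \beta > 0 are unspecified constants
% that may depend on the game's input/output alphabets, and W_i denotes the
% event that the (two-round) winning condition holds in the i-th instance.
\Pr\Big[\,\bigwedge_{i=1}^{l} W_i\,\Big]
  \;\le\; \Big(1 - c\,\big(1-\omega(G)\big)^{\alpha}\Big)^{\beta l},
\qquad \text{whenever } \omega(G) < 1,
```

i.e., if a single instance cannot be won with certainty, the probability of winning all l parallel instances decays exponentially in l.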
We actually prove a parallel repetition theorem for a wider class of 2-round games than just the anchored MSB game, namely what we call product-anchored games. This class captures elements of both product games and anchored games, whose parallel repetition has been studied for 1-round games [JPY14, BVY15, BVY17, JK21] (although we consider only a specific form of anchoring which is true of the MSB game -anchored distributions can be more general), and our proof is inspired by techniques used to prove parallel repetition for both product and anchored 1-round games. We call a 2-round game product-anchored iff the first round inputs x, y are from a product distribution, and in the second round only Bob gets an input z, which takes a special value ⊥ with constant probability such that the distribution of x, y conditioned on z = ⊥ is the same as their marginal distribution, and otherwise z = (x, y′) (where y′ may be arbitrarily correlated with x, y). The first and second round outputs are (a, b) and b′ respectively. (In this notation we switch around the roles of y, y′, b, b′ as compared to our definition of MSB; we do this in order to make our notation more compatible with standard parallel repetition theorems. As this definition refers to a wider class of games than just MSB, we hope this will not cause any confusion.)

We use the information-theoretic framework for parallel repetition established by [Raz95, Hol07]: we consider a strategy S for l instances of the game G, condition on the event E of the winning condition being satisfied on some subset C ⊆ [l] of instances, and show that if Pr[E] is not already small, then we can find another coordinate i ∈ C where the winning probability conditioned on E is bounded away from 1. For 1-round games (where there is no z_i), this is done in the following way: Alice and Bob's overall state in S conditioned on E is considered; this state depends on Alice and Bob's inputs -suppose it is |φ⟩_{x_i y_i} when Alice and Bob's inputs in the i-th coordinate are (x_i, y_i). We then argue that there exists some coordinate i and unitaries {U_{x_i}}_{x_i}, {V_{y_i}}_{y_i} acting on Alice and Bob's registers respectively, such that the operator U_{x_i} ⊗ V_{y_i} brings some shared initial state close to the state |φ⟩_{x_i y_i}.

(In the product case, this shared initial state would be a superposition of the states |φ⟩_{x_i y_i}, weighted according to the distributions of x_i and y_i.) Hence, unless the winning probability in the i-th coordinate is bounded away from 1, Alice and Bob can play a single instance of G by sharing this initial state, performing U_{x_i}, V_{y_i} on it on inputs (x_i, y_i), and giving the measurement outcome corresponding to the i-th coordinate on the resulting state; the winning probability of this strategy would then be higher than the optimal winning probability of G -a contradiction.

For 2-round games, the state conditioned on success depends on all three inputs x_i, y_i, z_i, and Alice and Bob obviously cannot perform unitaries U_{x_i} and V_{y_i z_i} in order to produce their first round outputs, since Bob has not received z_i yet. However, we observe that Alice and Bob do not actually need the full |φ⟩_{x_i y_i z_i} state in order to produce their first round outputs -they only need a state whose A_i B_i registers, containing their first round outputs, are close to those of |φ⟩_{x_i y_i z_i}. We observe that |φ⟩_{x_i y_i ⊥} is indeed such a state. In fact, in the unconditioned state, given x_i, y_i, all of Alice's registers as well as all of B are independent of z_i, as the second round unitary depending on z_i does not act on these registers (the second round unitary may use B as a control register, but that does not affect the reduced state of B). Conditioning on the high probability event E does not disturb the state too much, and by the chain rule of mutual information, we can argue that there exists an i such that Alice's registers and B in φ_{x_i y_i z_i} are close to those in φ_{x_i y_i} (i.e., averaged over z_i). Since z_i = ⊥ with constant probability, this means that these registers are indeed close in φ_{x_i y_i z_i} and φ_{x_i y_i ⊥}.
Conditioned on z_i = ⊥, the situation in the first round is identical to the product case; arguing the same way as in the product parallel repetition proof by [JPY14], there exist unitaries {U_{x_i}}_{x_i}, {V_{y_i}}_{y_i} that bring a shared initial state close to |φ⟩_{x_i y_i ⊥}. Now we use the fact that Alice's registers and B are close in φ_{x_i y_i z_i} and φ_{x_i y_i ⊥} once again to argue that there exist unitaries {W_{x_i y_i z_i}}_{x_i y_i z_i}, acting on Bob's registers except B, that take |φ⟩_{x_i y_i ⊥} to |φ⟩_{x_i y_i z_i}. We notice that W_{x_i y_i z_i} is in fact just W_{y_i z_i}, because either z_i contains x_i or it can just be the identity, which means Bob can use W_{y_i z_i} as his second round unitary. Moreover, these unitaries commute with the measurement operator on the A_i B_i registers; hence W_{y_i z_i}, acting on the post-measured |φ⟩_{x_i y_i ⊥}, also takes it to the post-measured |φ⟩_{x_i y_i z_i}. Thus the distribution Bob would get by measuring B′_i after applying W_{y_i z_i} on his post-A_i B_i-measurement state is close to the correct distribution of B′_i conditioned on any values (a_i, b_i) obtained in the first round measurement. This gives a strategy S′ for a single instance of G, where U_{x_i}, V_{y_i} are the first round unitaries and W_{y_i z_i} is Bob's second round unitary.

Organization of the paper
In Section 2 we formally describe the ideal ECD functionality we consider, and state our precise result regarding it. In Section 3 we provide definitions and known results for the quantities used in our proofs. In Section 4, we describe the variants of the magic square non-local games and state the parallel repetition theorems for them that we use. In Section 5 we give our real ECD protocol and prove various intermediate results that help establish its composable security, which is done in Section 6. Finally, in Section 7 we provide the proofs for the parallel repetition theorems stated in Section 4.

Composable security definition for ECD
In this section, we define the precise functionality we aim to achieve, in terms of the Abstract Cryptography framework. We then state our main result regarding achieving this functionality.

Abstract cryptography
We first briefly state the concepts and definitions we require from the Abstract Cryptography framework. Note that this is not intended to be a complete introduction to all aspects of the framework, as that would be fairly extensive and outside the scope of this work -if more in-depth or pedagogical explanations are required, refer to e.g. [MR11, PR14, VPR19].

Resources, converters, and distinguishers
In this framework, a resource is an abstract system with an interface available to each party, to and from which they can supply some inputs and receive some outputs. Qualitatively, the idea of this framework is to model how protocols convert some "real" resources available to the various parties into more "ideal" functionalities for some cryptographic tasks. To formalize this notion, let us lay out the basic setup. We first assume that there is a fixed set Q of parties that can choose to be either honest or dishonest. As an example, in QKD this set Q can be taken to consist of Eve only, while Alice and Bob are always honest. As another example, for two-party "distrustful" cryptographic tasks such as oblivious transfer or bit commitment, Q consists of both Alice and Bob, who can each potentially be dishonest. For our certified deletion protocol, we will take this set Q to consist of Bob and Eve only; Alice is always honest.
Having fixed this set Q, we introduce the following notation: (F_P)_{P⊆Q} is a tuple indexed by subsets P ⊆ Q, where for each P ⊆ Q (i.e. each possible subset of the potentially-dishonest parties), F_P denotes the resources available when the parties in P are behaving dishonestly. Notice that this means we often work with tuples of resources rather than just a single specific resource; this is intended to capture the notion that these resources may have different functionalities depending on whether each of the parties is behaving honestly or dishonestly. (In principle one might want to consider only tuples (F_P)_{P⊆Q} where the resource F_P is the same regardless of the subset P of dishonest parties. However, this sometimes turns out to be overly restrictive, hence for generality we allow ourselves the flexibility to consider tuples where the resource F_P is different for different subsets P.) With this in mind, let (F^real_P)_{P⊆Q} denote the resource tuple describing the "real" functionalities available to the various parties. Analogously, let (F^ideal_P)_{P⊆Q} denote the resource tuple describing the "ideal" functionalities we would like to achieve. In order to do so, we would informally like our protocol to "interact with" (F^real_P)_{P⊆Q} in such a way that it is transformed to (F^ideal_P)_{P⊆Q}. To turn this into a full security definition, we now discuss the notion of converters, which can interact with a resource to produce a new resource.
A converter is an abstract system with an "inner" and "outer" interface, with the inner interface being connected to the resource interfaces, and the outer interface becoming the new interface of the resulting resource. If P is a subset of the parties and we have a converter χ_P that connects to their interfaces in a resource F, we shall denote this as χ_P F or F χ_P (the ordering has no significance except for readability). Each converter describes how that party interacts with its interfaces in F, producing a new set of inputs and outputs "externally" (i.e. at the outer interface). If we have (for instance) a protocol with converters Π_A and Π_B for parties A and B, for brevity we shall use Π_AB to denote the converter obtained by attaching both the converters Π_A and Π_B. An important basic example of converters arises from protocols themselves, which we shall now describe more thoroughly (also refer to Figure 1 for a schematic depiction).
Explicitly, we shall model a protocol as a tuple P = (Π A , Π B , . . . ) of converters, one for each party. When trying to convert a real resource tuple F real P P ⊆Q to an ideal resource tuple , these converters would have inner interfaces that connect to F real {} (i.e. the real resource for the case when all parties choose to behave honestly), while their outer interfaces are required to have the same structure as those in F ideal {} . (For the purposes of formalizing protocols we will not need to consider the resources for the cases where some parties behave dishonestly; we shall return to discussing such behaviour when introducing the security definitions shortly below.) We give a schematic depiction of this in Figure 1.
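As a toy illustration of these concepts, resources and converters can be modelled as small Python objects: a resource exposes named interfaces, and attaching a converter replaces one interface with the converter's outer interface, while the converter talks to the old interface internally. All names here (`Resource`, `attach`, `pi_A`) are illustrative assumptions, not notation from the paper:

```python
# A minimal sketch (illustrative, not from the paper) of resources and
# converters as plain Python objects.

class Resource:
    """A resource as a map from (interface name, input) to output."""
    def __init__(self, behaviour):
        self.behaviour = behaviour  # dict: interface name -> function

    def call(self, interface, x):
        return self.behaviour[interface](x)

def attach(resource, interface, converter):
    """Return a new Resource where `converter` mediates `interface`.

    The converter's inner side talks to the old interface; its outer
    side becomes the new interface of the resulting resource.
    """
    inner = resource.behaviour[interface]
    new_behaviour = dict(resource.behaviour)
    new_behaviour[interface] = lambda x: converter(x, inner)
    return Resource(new_behaviour)

# Toy "real" resource: a channel at Alice's interface that forwards bits.
channel = Resource({"A": lambda m: m})

# Protocol converter for Alice: XOR the input with a fixed pad before
# handing it to the inner interface (a stand-in for an encryption step).
pad = 1
def pi_A(m, inner):
    return inner(m ^ pad)

wrapped = attach(channel, "A", pi_A)
print(wrapped.call("A", 0))  # the pad flips the bit: prints 1
```

The point of the sketch is only the plumbing: attaching a converter changes what the outer world sees at an interface without changing the underlying resource.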
Finally, we shall require the concept of distinguishers. Given two resources F and F′, a distinguisher is a system that interacts with the interfaces of these resources, and then produces a single bit G (which can be interpreted as a guess of which resource it is interacting with). For a given distinguisher, let P_{G|F} be the probability distribution it produces on G when supplied with F, and analogously for F′. Its distinguishing advantage λ between these two resources is defined to be

λ = |P_{G|F}(1) − P_{G|F′}(1)|.

The main way we shall make use of this concept is as a method to formalize how "close" two resources are to each other - if the distinguishing advantage between the two resources is small for any possible distinguisher, it seems reasonable to say these resources are "close". This notion of closeness also has important operational implications, as we shall explain later in Section 2.1.3.

Figure 1: Schematic depiction of protocols interacting with a real resource, in a scenario with only two parties Alice and Bob (labelled as A, B). In the diagram on the left, F^real_{} denotes the real resources available when all parties are honest (i.e. the set of dishonest parties P is the empty set {}). The "inner" interfaces of the protocol converters Π_A, Π_B attach to the interfaces of F^real_{}, converting it to a resource with interfaces given by the "outer" interfaces of Π_A, Π_B (shown in blue here). The resulting resource can be variously denoted as discussed in the main text. In the diagram on the right, F^ideal_{} denotes the desired ideal resource when all parties are honest. We require the outer interfaces of the protocol converters Π_A, Π_B to have the same structure as those of F^ideal_{}, i.e. the interfaces shown in blue have the same structure in both the left and right diagrams. We describe more precisely in the rest of this section (see e.g. Definition 1) how to formalize a notion that the resources in the left and right diagrams are "close" to each other.
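As a toy numerical illustration (with all names being illustrative assumptions), a resource can be modelled as a distribution over transcripts and a distinguisher as a function from transcripts to a guess bit; the distinguishing advantage is then the difference in the probability of outputting G = 1 under the two resources:

```python
# Toy sketch of the distinguishing advantage between two resources,
# modelled here as probability distributions over output transcripts.
# All names are illustrative, not from the paper.

def guess_prob(resource_dist, distinguisher):
    """Pr[G = 1] when the distinguisher interacts with this resource."""
    return sum(p for t, p in resource_dist.items() if distinguisher(t) == 1)

def advantage(F, F_prime, distinguisher):
    return abs(guess_prob(F, distinguisher) - guess_prob(F_prime, distinguisher))

# Two resources producing a single output bit with different biases.
F       = {0: 0.5, 1: 0.5}
F_prime = {0: 0.2, 1: 0.8}

# A simple distinguisher: guess G = 1 exactly when the observed bit is 1.
dist = lambda t: t
print(advantage(F, F_prime, dist))  # |0.5 - 0.8| = 0.3 (up to float rounding)
```

If the advantage stays small for every distinguisher, the two resources are "close" in the sense used throughout this section.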

Security definitions
With these concepts, we can now discuss the security definitions in this framework. Suppose that as mentioned above, we have a resource tuple (F^real_P)_{P⊆Q} describing the real functionalities available to the various parties, and a protocol P with inner interfaces connecting to F^real_{}, with the informal goal of constructing a more idealized resource tuple (F^ideal_P)_{P⊆Q}. We would like to formalize the notion of having achieved a sufficiently "good" conversion from (F^real_P)_{P⊆Q} to (F^ideal_P)_{P⊆Q}. To do so, we use the following approach: for each possible subset P ⊆ Q of the potentially-dishonest parties, consider the scenario where all parties in P choose to behave dishonestly. In such a scenario, it makes sense to consider the resource Π_P̄ F^real_P (here, P̄ denotes the set complement of P with respect to the set of all parties, not just with respect to Q) - this is the resource obtained when the parties in P̄ interact with the real resource F^real_P using the protocol converters Π_P̄ "as intended", while the parties in P do not implement the protocol converters since they are behaving dishonestly. (We give a schematic depiction of this in the left diagram in Figure 2.) As a first attempt, we could try saying that this resource Π_P̄ F^real_P should be required to be "close to" the resource F^ideal_P, i.e. the ideal resource for the case where all parties in P behave dishonestly. Furthermore, a natural notion of "closeness" between resources is to say that the maximum possible distinguishing advantage is small, as discussed above. Unfortunately, this idea does not quite work by itself, because the interfaces for the dishonest parties P in the resource Π_P̄ F^real_P are simply those of the real resource F^real_P (since no converters have been attached to those interfaces), which could generally be very different from those of the ideal resource F^ideal_P.

Figure 2: Schematic depiction of one case in Definition 1, in a scenario with only two parties Alice and Bob (labelled as A, B). Shown here is the case where P = {B}, i.e. only Bob is being dishonest. On the left, we have the real resource F^real_B with the protocol Π_A attached (this captures the notion that Alice is performing her protocol honestly). On the right, we have the ideal resource F^ideal_B with a simulator Σ_B attached (the role of the simulator is described in the main text). Note that both the left and right sides have outer interfaces with the same structure. Definition 1 requires both sides to be "λ-close" in the sense that the distinguishing advantage between them is at most λ for any distinguisher. Similarly, Definition 1 also requires "λ-closeness" for any other subset P of the potentially dishonest parties and the corresponding analogously defined resources. (In fact the case P = {}, i.e. none of the parties are dishonest, is basically depicted in Figure 1 - Definition 1 requires the left and right resources in that figure to also be "λ-close".)
The solution for overcoming this issue turns out to be allowing the attachment of an additional converter Σ P (referred to as a simulator) to the interfaces of the dishonest parties P in F ideal P , and only requiring Π P F real P to be "close to" F ideal P Σ P rather than F ideal P . (We depict this in Figure 2.) At first sight, this appears to be a rather contrived approach, since there seems to be no purpose to this simulator other than as an artificial method to make the interfaces of F ideal P the same as those of Π P F real P . However, we shall return to this point in the next section (after formalizing these security notions as Definition 1 below), and explain how this apparently contrived concept in fact leads to powerful operational implications.
We now present the full security definition we use, which formalizes the above discussions and clarifies the quantifier ordering (also see Figure 2 for an example of one case in the definition):

Definition 1. For a scenario in which there is some set Q of potentially dishonest parties, we say that P constructs (F^ideal_P)_{P⊆Q} from (F^real_P)_{P⊆Q} within distance λ iff the following holds: for every P ⊆ Q, there exists a converter Σ_P which connects to the interfaces of the parties P in F^ideal_P, such that for every distinguisher, the distinguishing advantage between Π_P̄ F^real_P and F^ideal_P Σ_P is at most λ. The converters Σ_P shall be referred to as simulators.
Remark 2. We have stated Definition 1 slightly differently from [MR11], in which an individual simulator is required for each dishonest party. A security proof satisfying Definition 1 could be converted into one satisfying the [MR11] definition by modifying the choice of F ideal P P ⊆Q to one that (for every P containing more than one party) explicitly includes quantum channels between the dishonest parties P , which would allow for individual simulators that communicate using these quantum channels in order to effectively implement the simulator Σ P in Definition 1. From the perspective of [MR11], this would basically reflect the inability of a protocol to guarantee that the dishonest parties cannot communicate with each other. For subsequent ease of describing the simulators, in this work we shall follow Definition 1 as stated, instead of the exact definition in [MR11].

Operational implications
The operational implications of Definition 1 can be seen by considering the composition of protocols satisfying this definition. Namely, suppose we have a protocol P that constructs (F^ideal_P)_{P⊆Q} from (F^real_P)_{P⊆Q} within distance λ, and suppose this ideal resource tuple is used as a component in some larger protocol P′; we now argue that replacing the ideal resource with the real protocol is "safe". To do so, let us pick any P ⊆ Q and focus on the scenario where the parties P are dishonest. Now take any event in this scenario that could be considered a "failure" in the larger protocol (we impose no restrictions on the nature of a failure, except that it be a well-defined event), and suppose the larger protocol also comes with a proof that for any strategy by the dishonest parties, the probability of this failure event is upper-bounded by some p_0 when using the ideal resource F^ideal_P. In that case, one implication of Definition 1 being satisfied is that the probability of this failure event (in the larger protocol) is still at most p_0 + λ even when (F^ideal_P)_{P⊆Q} is replaced by the protocol P applied to (F^real_P)_{P⊆Q}. This follows from the following observations. Firstly, since the bound p_0 for the functionality F^ideal_P holds for any strategy by the dishonest parties, it must in particular hold when they implement the simulator Σ_P, i.e. it holds if they are using F^ideal_P Σ_P instead of F^ideal_P. Secondly, since the distinguishing advantage between F^ideal_P Σ_P and Π_P̄ F^real_P is at most λ according to Definition 1, the probability of the failure event cannot differ by more than λ between them (otherwise the event would serve as a way to distinguish the two cases with advantage greater than λ). In other words, the replacement has not increased the maximum probability of the failure event by more than λ - we highlight again that this failure event could have been chosen to be any arbitrary event; hence this is a very powerful operational statement.
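The chain of inequalities underlying this argument can be written compactly (using the notation of Definition 1, with "fail" denoting the chosen failure event in the larger protocol):

```latex
\Pr_{\Pi_{\bar{P}}\,\mathcal{F}^{\mathrm{real}}_P}[\text{fail}]
  \;\le\; \Pr_{\mathcal{F}^{\mathrm{ideal}}_P\,\Sigma_P}[\text{fail}] + \lambda
  \;\le\; p_0 + \lambda ,
```

where the first inequality holds because a larger gap would yield a distinguisher with advantage exceeding λ, and the second holds because the simulator Σ_P is one particular strategy for the dishonest parties, so the bound p_0 applies to it.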
From this argument, we can also gain insight into the purpose of the apparently contrived simulators Σ_P in Definition 1. Basically, they represent some operations that the dishonest parties could have performed using only the ideal resource F^ideal_P. (A more abstract composability property given by this definition is that if several protocols satisfying this definition are composed, the "error" λ of the resulting larger protocol can be bounded simply by adding those of the sub-protocols; see [MR11] for further details.) While these operations are not necessarily
the "optimal" ones they could do in order to "attack" F ideal P , the fact remains that they are valid operations for the dishonest parties, and are hence subject to the bound p 0 on the failure probability. Critically, this was enough for the rest of the argument above to carry through, even though the simulator Σ P may be carrying out some complicated operations that have no correspondence to any sort of reasonable "attack" on F ideal P . Such arguments are not uncommon in simulator-based notions of security (even outside the Abstract Cryptography framework), the shared underlying idea being typically that the real behaviour could have been reproduced (or approximated) by taking only the ideal behaviour and applying some operations to it, hence it essentially suffices to only consider the ideal behaviour. (In the context of our specific protocol, we shall briefly discuss this further in Remark 8 of Sec. 6.1.) There is a technicality in the above argument, namely that in order for the reasoning to be valid, the bound p 0 (for the larger protocol P ′ using F ideal P ) must be derived for a class of dishonest-party strategies that includes the simulator Σ P , in order for the bound to hold for F ideal P Σ P as well. This means that if a more "powerful" simulator is used in Definition 1, then the bound p 0 must be proved against a more "powerful" class of strategies. In particular, for instance the simulators Σ P we construct in this work assume that the dishonest parties P collaborate to some extent (when there are multiple dishonest parties), which means that to apply the above operational interpretation, the bound p 0 for the larger protocol must be valid against collaborating dishonest parties. However, we note that this is more of a consideration for the larger protocol P ′ , rather than the protocol P in Definition 1 itself.

Ideal ECD functionality
We work in a setting with three parties: Alice who is always honest, and Bob and Eve who may independently be honest or dishonest. The inputs for Alice and honest Bob into the functionality are a message M ∈ {0,1}^n and a decision bit D ∈ {0,1} from Alice; the outputs are a flag O ∈ {⊤,⊥} to both Alice and Bob, the bit D and a message M̂ to Bob, and (when D = 1) a flag F ∈ {✓,✗} to Alice, with M̂ = M if D AND F = 0 and M̂ = 0^n otherwise, where for the purposes of applying the AND function to the binary symbols {✗, ✓}, ✗ is interpreted as 0.
The times corresponding to the inputs and outputs must satisfy

t_1 ≤ t_2 ≤ t_3 ≤ t_4 < t_5.

In particular, we shall call a functionality an ideal ECD functionality if it produces the above inputs and outputs at any points in time satisfying the above constraints. We have strict inequality only between t_4 and t_5 because this is necessary in any real protocol for achieving the functionality.
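A minimal sketch of checking these timing constraints; the specific ordering chain encoded here (non-strict inequalities except between t_4 and t_5, plus the constraint t_4 < t′_5 ≤ t_5 on the randomness-release time discussed later in this section) is an assumption reconstructed from the surrounding text:

```python
# Toy validator for the timing constraints of the ideal ECD
# functionality. Key names ("t1".."t5", "t5p" for t5') are illustrative.

def valid_timing(t):
    """Check t1 <= t2 <= t3 <= t4 < t5, and t4 < t5' <= t5 if given."""
    ordered = t["t1"] <= t["t2"] <= t["t3"] <= t["t4"] < t["t5"]
    if "t5p" in t:  # time at which the randomness source R goes public
        ordered = ordered and t["t4"] < t["t5p"] <= t["t5"]
    return ordered

print(valid_timing({"t1": 0, "t2": 1, "t3": 1, "t4": 2, "t5": 3}))  # True
print(valid_timing({"t1": 0, "t2": 1, "t3": 1, "t4": 3, "t5": 3}))  # False
```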
We now describe how the honest inputs and outputs are to be interpreted. The output O to Alice and Bob is used to detect interference by Eve. If O = ⊥ then the protocol stops, and no further inputs are fed in or outputs are received. Alice's input M is self-explanatory: this is the secret message that she potentially wants Bob to learn. Alice's decision D is her later decision about whether she wants Bob to learn M: some time after inputting the message, but strictly before the time t_5 when the message is supposed to be revealed, Alice inputs D = 1 if she does not want Bob to learn M; otherwise she inputs D = 0. D is directly output to Bob some time after Alice inputs it. The output F to Alice is only produced if D = 1, and it indicates whether Bob has produced a valid deletion certificate (although the deletion certificate itself is not part of the ideal functionality). If Bob is honest then he always produces a valid certificate when Alice asks him to, and F is always ✓. Finally, the output M̂ to Bob is a function of M, D and F: if D = 0, i.e. Alice wanted him to learn the message, or F = ✗, i.e. he did not produce a valid deletion certificate, then M̂ = M; otherwise it is the dummy string 0^n. Now we come to the inputs and outputs of the dishonest parties, whose times must satisfy suitable ordering constraints with respect to the previously specified times. Eve's input O_E is similar to what she has in the ideal key distribution functionality that is achieved by quantum key distribution (see e.g. [PR14]). She has the ability to interfere in a way that makes the honest parties abort the protocol. If Bob is honest then Eve's choice of O_E directly gets output to Alice and Bob as O, and the protocol stops if O_E = ⊥. However, if O_E = ⊤, then the protocol continues and Eve receives nothing other than D as further outputs; in particular she is not able to learn the message.
We include D as an output for Eve because we cannot prevent her from learning this in our actual protocol. Dishonest Bob also has an input O_B that he can use to make the protocol abort: Alice and Bob's output O is ⊥ if either one of Bob and Eve inputs ⊥. We include this input for Bob because in the real protocol we cannot prevent Bob from deliberately sabotaging whatever test Alice and Bob are supposed to perform in order to detect interference from Eve, thereby forcing the output O = ⊥. Finally, Bob's input F indicates whether he has decided to produce a valid deletion certificate (and hence give up his ability to learn the message), and this is directly output to Alice. Honest Bob does not have this functionality, as he simply always deletes his information if requested by Alice.
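The input/output logic described above can be sketched as a small function (honest Alice only; the symbols ⊤/⊥ and ✓/✗ are encoded here as the strings "ok"/"abort" and "ok"/"bad", and all function and argument names are illustrative):

```python
# Toy sketch of the ideal ECD functionality's output logic for one run.
# Dishonest-party inputs (F, O_E, O_B) default to honest behaviour.

def ideal_ecd(M, D, F="ok", O_E="ok", O_B="ok"):
    n = len(M)
    # Abort if either dishonest party forces it.
    if O_E == "abort" or O_B == "abort":
        return {"O": "abort"}
    out = {"O": "ok", "D": D}      # D is output to Bob (and to Eve)
    if D == 1:
        out["F"] = F               # deletion-certificate flag, sent to Alice
    # Bob learns M unless Alice asked for deletion AND a valid
    # certificate was produced (i.e. D AND F = 1).
    deleted = (D == 1 and F == "ok")
    out["M_hat"] = "0" * n if deleted else M
    return out

print(ideal_ecd("1011", D=0))            # Bob learns the message
print(ideal_ecd("1011", D=1, F="ok"))    # message replaced by 0^n
print(ideal_ecd("1011", D=1, F="bad"))   # invalid certificate: Bob learns M
```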
The final ECD n functionality, parametrized by the message length n, is depicted in Figure 3 in the four possible combinations of honest and dishonest Bob and Eve. A security proof of a protocol for ECD n with security parameter λ will consist of showing that the protocol constructs the functionality depicted in Figure 3 within distance λ as per Definition 1.
Figure 3: Ideal ECD_n functionality in the four possible combinations of honest and dishonest Bob and Eve; panel (d) shows the case of honest Alice with dishonest Bob and dishonest Eve. The times at which the various events occur satisfy the ordering constraints described earlier in this section.

Achievability result
Before stating the result about our protocol constructing the ideal ECD functionality, we clarify what resources are used by the protocol, and what assumptions are needed on said resources.
Resources used.
(i) Quantum boxes (B^1_1 . . . B^1_l, B^2_1 . . . B^2_l), where Alice holds the B^1 boxes and Bob holds the B^2 boxes, and each pair (B^1_i, B^2_i) is compatible with one instance of the magic square game MS. These boxes are "untrusted", in the sense that Eve supplies them to Alice and Bob after having chosen the states in the boxes and the measurements they perform.
(ii) A trusted temporarily private randomness source R, which, if used by Alice by time t_1, makes public all the randomness it supplied at some time t′_5 satisfying t_4 < t′_5 ≤ t_5.
(iii) A trusted private randomness source R P with Alice (which does not make public the randomness it supplies to Alice).
(iv) An authenticated classical channel C between Alice and Bob, which faithfully transmits all classical messages sent between them, but also supplies copies of the messages to Eve; the channel only needs to be active until time t 4 .
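A toy model of the authenticated classical channel C in item (iv) (class and attribute names are illustrative assumptions): every message is delivered unmodified to the receiver, but Eve keeps a copy of everything sent:

```python
# Toy model of an authenticated classical channel: faithful delivery,
# but Eve receives a copy of every message. Names are illustrative.

class AuthChannel:
    def __init__(self):
        self.eve_log = []          # Eve's copies of all traffic

    def send(self, sender, receiver, msg):
        self.eve_log.append((sender, receiver, msg))
        return msg                 # delivered unmodified (authentication)

C = AuthChannel()
received = C.send("Alice", "Bob", "round-1 inputs")
print(received)        # Bob gets exactly what Alice sent
print(C.eve_log)       # ...but Eve saw a copy
```

The model captures the two defining properties named in the text: messages cannot be tampered with, and they are not secret from Eve.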
Assumptions about quantum boxes. We make the following standard assumptions about the boxes (B 1 , B 2 ) for device-independent settings: (i) The boxes cannot access any registers storing private information from previous protocols, and this restriction continues to hold if the boxes are re-used in future protocols.
(ii) When held by an honest party, the boxes do not broadcast the inputs supplied to them and outputs obtained.
(iii) There is a tripartite tensor-product structure across the state in the B^1 boxes, the state in the B^2 boxes, and Eve's side-information.

(iv) Whenever Bob is dishonest, he can "open" his boxes and directly perform arbitrary operations or measurements on the quantum state they contained. (This matches the allowed dishonest behaviours in other DI protocols for two-party cryptographic tasks [ACK+14, SCA+11, AMP+16, KST22, FM18].)

The first assumption here is to address the memory attack of [BCK13], as mentioned in the introduction (an alternative possibility would be to require that this is the first time the devices are used, and that the devices are destroyed afterwards, though this is rather impractical). The second assumption is a basic one that is rather necessary to do any cryptography at all, and the third is a standard nonlocal-game scenario that could be enforced in principle by spatial separation between the parties.
Additionally, however, we also impose the following assumption:

(v) Whenever Bob is honest (but the boxes are supplied by a potentially dishonest Eve), he is able to enforce that his l boxes B^2_1 . . . B^2_l satisfy no-signalling conditions between them - this could, for instance, be supported by physical "shielding" measures between the boxes that prevent the input to each box from leaking to the other boxes. This implies that for any subset T ⊆ [l], there is a well-defined notion of Bob supplying inputs to only the boxes specified by T and immediately receiving the corresponding outputs, with the rest of the inputs to be supplied later (such a procedure is required in our protocol). Furthermore, this no-signalling constraint also implies that the overall output distribution across all the rounds is unaffected by which subset T of inputs Bob supplies first.

This condition is rather stronger than the typical requirements in the device-independent setting (for non-IID situations, at least). However, it appears to be necessary to ensure security against dishonest Eve in our protocol, though it could be omitted if we instead aimed for a more limited functionality similar to [BI20] that does not consider security against an eavesdropper, or it could potentially be worked around using some ideas developed in [KT22]. We defer further discussion of this point to Section 2.4 below.
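The order-independence implied by no-signalling can be illustrated in a toy model where each of Bob's boxes is a function of its own input only (so no-signalling holds trivially): querying the boxes in any order then yields the same joint outcome. All names here are illustrative:

```python
# Toy demonstration that for non-signalling (here: fully independent)
# boxes, the joint output does not depend on the order in which the
# inputs are supplied.

import itertools

def query(boxes, inputs, order):
    """Query boxes in the given order; return outputs in box order."""
    outputs = {}
    for i in order:
        outputs[i] = boxes[i](inputs[i])
    return tuple(outputs[i] for i in range(len(boxes)))

# Three toy boxes, each a deterministic function of its own input only.
boxes = [lambda x: x ^ 1, lambda x: x, lambda x: 1 - x]
inputs = [0, 1, 1]

results = {query(boxes, inputs, order)
           for order in itertools.permutations(range(3))}
print(results)  # a single outcome: the querying order does not matter
```

In the protocol this is exactly what lets Bob answer a subset T of rounds first and the rest later without changing the overall output distribution.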
When Eve and Bob are honest, we assume that the boxes (B^1_1 . . . B^1_l, B^2_1 . . . B^2_l) play MS^l with an i.i.d. strategy, although they may do so ε/2-noisily. That is, each box independently wins MS with probability 1 − ε/2 instead of 1, for some ε > 0.
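A quick sketch of this honest-but-noisy i.i.d. model, abstracting each magic-square round into an independent win with probability 1 − ε/2 (the parameter values below are arbitrary toy choices):

```python
# Toy simulation of l i.i.d. noisy boxes: each round wins independently
# with probability 1 - eps/2. The game itself is abstracted away.

import random

def run_boxes(l, eps, rng):
    """Number of winning rounds out of l."""
    return sum(rng.random() < 1 - eps / 2 for _ in range(l))

rng = random.Random(0)        # fixed seed for reproducibility
l, eps = 1000, 0.02
wins = run_boxes(l, eps, rng)
print(wins / l)               # close to 1 - eps/2 = 0.99
```

This is the benign behaviour against which the protocol's completeness is judged: the observed winning fraction concentrates around 1 − ε/2.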
Theorem 2. Assuming Conjecture 1, there exists a universal constant ε_0 ∈ (0, 1) such that for any ε ∈ (0, ε_0], λ ∈ (0, 1] and n ∈ N, there is a protocol that constructs the ECD_n functionality depicted in Figure 3, within distance λ, using only the resources R, C and (B^1_1 . . . B^1_l, B^2_1 . . . B^2_l).

We reiterate here from Section 1.1 that in the above theorem, Conjecture 1 is not required to show the intermediate security properties (see Lemmas 25-27), but only to show that these properties lead to composable security. Furthermore, even without that conjecture, our proof is sufficient to show that the protocol is composably secure in the standard device-dependent setting, at least.
Remark 3. The resources we use put some constraints on the timings achievable in the ECD_n functionality. For example, if R makes the randomness used by Alice public at time t′_5, then t_4 and t_5 must satisfy t_4 < t′_5 ≤ t_5. Similarly, the delays between t_3 and t′_3, and between t′_4 and t_4, depend on the time taken to transmit information between Alice and Bob using C.

Implications of security definitions and assumptions
A number of points regarding our definition of the ideal functionality, the composable security framework, the resources used, and what they mean for security, need further clarification. We do this below.
• While the message D from Alice indicates whether she would like Bob to delete his ciphertext, the final decision of whether Bob actually does so is entirely up to him. Because of this, one could consider a variant protocol and ideal functionality definition where this message D is omitted. However, it is easy to see that our security proof also proves the security of this variant (one way to see this would be to note that it is basically equivalent to the distinguisher always selecting D = 1, and since our security proof needs to cover any distinguisher strategy, in particular it also includes this possibility).
• In line with the Abstract Cryptography framework, we have defined the ideal functionality above for all four combinations of honest/dishonest Bob and Eve. In particular, we remark that in the case where both Bob and Eve are dishonest, this framework does not explicitly specify whether they collaborate with each other -the framework is a priori neutral about this possibility. However, in our proof, the simulator we construct to satisfy Definition 1 for this case does involve some collaboration between them. This does not affect the abstract definition, but we reiterate that it has implications for the operational interpretation as described in Section 2.1. Specifically, to "safely" use our protocol in place of the ideal ECD functionality in a larger protocol, the bounds on failure probabilities in the larger protocol when Bob and Eve are dishonest must at least hold for the case where Bob and Eve collaborate enough to implement the simulator we constructed.
• Our protocol is clearly unable to guarantee the absence of communication between Bob and Eve when both are dishonest. Hence while we did not explicitly specify a communication channel between them in the ideal functionality, we do implicitly allow for the possibility.
(As previously mentioned, our security proof proceeds without explicitly including such a channel in the ideal functionality, because we have stated Definition 1 using joint simulators for the dishonest parties.)

• We imposed a condition that honest Bob's boxes satisfy no-signalling conditions between them. This is required for our security proof in the case where Bob is honest and Eve is dishonest, because it relies on the existence of a single distribution P_AB|XY that describes the Alice-Bob input-output behaviour regardless of the order in which Bob supplies his inputs (essentially because in our proof here we use a sampling lemma that requires the underlying distribution to be independent of the sampled subset). (An analogous condition is not required for Alice because she supplies all her inputs at once in our protocol.) However, if we were to instead restrict ourselves to a more limited two-party functionality that omits Eve from the scenario considered here (i.e. similar to [BI20], which does not model a third-party eavesdropper), then this condition would be unnecessary, due to the discussion in the next point.
• In contrast, whenever Bob is dishonest, we do not require an analogous condition - this is consistent with the fact that we allow dishonest Bob to "open" his boxes and perform arbitrary operations on the states within. This is not a problem for our security proof against dishonest Bob, because the distribution P_AB|XY in that context is not quite a fixed input-output distribution for "abstract" boxes, but rather describes the conditional distribution of the strings AB when dishonest Bob produces B using some operation chosen depending on a string Y which he learns over several steps (although Alice is indeed obtaining A by just supplying X as input to her boxes). In particular, in that proof it is acceptable for there to be a different distribution P_AB|XY for each possible order in which Bob learns the string Y. (From a physical standpoint, the order in which Bob learns Y does impose some time-ordering constraints on the parts of B that he produces before learning all of Y; however, it seems difficult to make use of such constraints in the proof. Hence we simply use the fact that for each possible order in which Bob learns Y, there is a resulting distribution P_AB|XY which falls within the larger set of correlations captured in the parallel-repetition framework.)

• Ideally, we would like to have a protocol for ECD that does not require private randomness on Alice's side. This is because if Alice had access to randomness that remains private unless she chooses to communicate it, she could simply one-time pad her message with a random string to generate the ciphertext, then refuse to reveal the random string to Bob later if she decides she does not trust him. However, our current protocol does involve some private randomness, due to a technical point in our security proof: we prove security by means of an anchored parallel repetition theorem, where only part of Alice's input is revealed to Bob or Eve.
This seems to be a limitation of the parallel proof techniques that have been given so far - parallel QKD security proofs also have this requirement [JMS20, Vid17], and for essentially this reason, there have been no parallel security proofs of device-independent randomness expansion. Still, the advantage of our protocol over the trivial protocol with private randomness we just described is that in the trivial protocol, Alice needs to communicate with Bob at the moment when she decides whether the message should be revealed or not, whereas this is not required in our protocol: Alice can simply rely on the temporarily private randomness source to reveal all the information that Bob needs for decryption, while the randomness that Alice got from the private randomness source is not needed for decryption. In other words, we can suppose Alice does not even have a communication channel with Bob after a certain point, in which case the trivial protocol does not work. (Overall, this issue is somewhat due to the formalization we chose here for "leaking the decryption key" in the composable framework - in contrast, in the game-based framework of [BI20], one simply declares what is to be counted as part of the decryption key.)
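The "trivial" private-randomness protocol described in this bullet can be sketched as a one-time pad where Alice withholds the pad unless she still wants Bob to learn the message (all names here are illustrative):

```python
# Toy sketch of the trivial ECD-like protocol using private randomness:
# Alice one-time-pads her message, and only reveals the pad later if
# she decides Bob may learn it.

import secrets

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

message = [1, 0, 1, 1]
pad = [secrets.randbelow(2) for _ in message]   # Alice's private randomness
ciphertext = xor_bits(message, pad)             # sent to Bob immediately

# If Alice later decides Bob may learn the message, she reveals the pad:
decrypted = xor_bits(ciphertext, pad)           # XOR is its own inverse
print(decrypted == message)                     # True

# If she never reveals the pad, the ciphertext alone carries no
# information about the message (perfect secrecy of the one-time pad).
```

The drawback noted in the text is visible in the sketch: Alice must actively communicate (or withhold) the pad at decision time, whereas the actual protocol delegates the reveal to the temporarily private randomness source.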

Alternative security definition
In order to provide an easier comparison to previous works, we now describe an alternative set of security definitions that could be considered, in a framework that is more similar to that considered in [BI20]. However, as the setup we consider is an extended version of that considered in [BI20], some changes as compared to the definitions in that work are necessary -we elaborate on those changes after presenting these modified definitions. (These security definitions are somewhat similar to some intermediate properties in our composable security analysis, but our purpose in stating them here is mainly to ease comparison with [BI20]. Some features of this definition are similar to [GMP22], which also featured interactive encryption schemes.) As we are aiming for information-theoretic security, we present various conditions below in terms of trace distance (rather than distinguishability with respect to a computationally bounded adversary).
Alternative Definition 1. A device-independent ECD protocol involves two parties Alice and Bob and a potential third-party "eavesdropper" Eve, out of which Alice always behaves honestly while Bob and Eve might behave dishonestly. It consists of an encryption phase, followed by an optional certified deletion phase, and finally a decryption phase. These phases have the following structure, where we let Q B denote a register that Bob holds and updates arbitrarily over the course of each phase (there is no loss of generality in using a single register for this purpose, because we do not bound its dimension), and analogously we have a register Q E for Eve. (As for Alice, she is always honest in this scenario, hence in the following we only state the registers she is supposed to hold at the end of each phase.) • In the encryption phase, Alice and Bob begin with boxes of the form described in Section 2.
and whenever Bob is honest and the certified deletion phase occurs, we have

Pr[F = ✓ ∧ O = ⊤] ≥ 1 − λ_com. (2)

• The protocol is λ_EC-correct if for any choice of message m, whenever Bob is behaving honestly, we have

Pr[M̂ ≠ m ∧ O = ⊤] ≤ λ_EC. (3)

• The protocol is λ_sec-secret if the following conditions hold. Firstly, whenever Bob is behaving dishonestly, at all times after O is produced and before Alice releases the decryption key R, we have (letting ω_{Q_B Q_E|⊤}(m) denote the state produced at that point in time when the chosen message value is m, conditioned on O = ⊤)

(1/2) ∥ω_{Q_B Q_E|⊤}(m) − ω_{Q_B Q_E|⊤}(0^n)∥_1 ≤ λ_sec, (4)

and furthermore, if the certified deletion phase occurs, then at all times after F is produced (including after Alice releases the decryption key R), we have (letting ω_{Q_B Q_E|⊤✓}(m) denote the state produced at that point in time when the chosen message value is m, conditioned on O = ⊤ and F = ✓)

(1/2) ∥ω_{Q_B Q_E|⊤✓}(m) − ω_{Q_B Q_E|⊤✓}(0^n)∥_1 ≤ λ_sec. (5)

Secondly, whenever Bob is behaving honestly (while Eve may not be), at all times after O is produced, we have (where ω_{Q_E|⊤}(m) is defined analogously to above)

(1/2) ∥ω_{Q_E|⊤}(m) − ω_{Q_E|⊤}(0^n)∥_1 ≤ λ_sec. (6)

As compared to the security definitions in [BI20], the above definitions may appear somewhat elaborate. However, this is necessary in some form due to the additional features we intend to incorporate here as compared to that work (such as security against an eavesdropper Eve, as well as the DI security guarantee), which in particular have required us to include in our protocol some additional interaction rounds and a flag O to test for eavesdropping, as compared to [BI20]. Since their protocol involves comparatively few rounds of interaction, they were able to present their definitions using an explicitly denoted individual channel for each round; however, such a presentation would quickly become unwieldy for our protocol. Hence in the above definition we have simply described the processes in terms of "interactive procedures", which are to be implicitly understood as some sequence of channels performed by the relevant parties, and we have introduced the registers Q_B, Q_E to account for dishonest Bob and/or Eve arbitrarily updating their registers over that process. (A similar approach has been used in other recent work on encryption protocols with interaction; see for instance Definition 5.8 in [GMP22].)
To aid understanding, we now qualitatively describe the intuition behind each of the requirements in the above definition, and compare them to [BI20].
Firstly, the completeness conditions (1)-(2) simply reflect the notion that when various parties are behaving honestly, the corresponding flags should take the "accept" value with high probability. More specifically, (1) states that when there is no eavesdropping, the flag O takes value ⊤ with high probability (this has no counterpart in [BI20], which does not check for eavesdropping); while (2) basically ensures that when Bob validly deletes his information, the flag F takes value ✓ with high probability (this corresponds to Eq. (37) in [BI20], though here we slightly modify the condition to account for the O flag).
Next, the correctness condition (3) is also straightforward: it simply requires that when Bob behaves honestly, then regardless of how Eve acts, the probability that Bob decrypts to the wrong message and the flag O is set to the "accept" value is small. This is the same as the definition of correctness provided in Section 5.2 of [BI20].
Finally, the secrecy condition is the one which appears most different from [BI20]. Qualitatively, (4) and (5) are meant to correspond respectively to the notions of ciphertext indistinguishability and certified deletion security in [BI20]: each of these notions informally describes some idea of an adversary trying to distinguish between an encryption of the actual message versus an encryption of the all-zero string 0^n. 8 In [BI20], those definitions could be presented using a small number of explicitly denoted channels applied by the adversary, due to the small number of communication rounds in their protocol. However, our protocol involves too many rounds for this to be a practical description. We hence instead impose conditions in terms of the trace distance between the states produced in the two cases, and require these conditions to hold over the relevant timeframes. Due to the operational interpretation of trace distance as distinguishing advantage, this corresponds to a bound on the probability of an adversary successfully distinguishing the two cases (up to some technicalities about conditioning on the O, F flag values), hence having implications that are qualitatively similar to the [BI20] definitions of ciphertext indistinguishability and certified deletion security. Lastly, (6) is meant to ensure an analogous notion of indistinguishability from Eve's perspective even if she tries to eavesdrop on the devices, which is an aspect that was not considered in [BI20] and hence has no counterpart in that work.
In the remainder of this work, we will mostly focus on proving security in the abstract cryptography framework; however, we shall also include discussion of this alternative definition at several points (see Remark 6 and Section 5.5) to aid understanding and comparison to previous work. For instance, when we present our full ECD protocol later (Protocol 1), the descriptions are phrased in terms of the abstract cryptography resources explained in Sections 2.1-2.3, but we also include below the protocol description (in Remark 6) an explanation of how the registers in the protocol correspond to the registers described in this alternative definition. For now, we just highlight and briefly discuss a particularly significant point: in the alternative definition presented above, there is a decryption key R that is revealed in the decryption phase. In the context of the abstract cryptography framework, this register R is instead formalized as the randomness Alice obtains from the temporarily private randomness source described in Section 2.3, which is revealed to all parties at some fixed later time; this is how we have chosen to formalize (in that framework) the notion that this "decryption key" value might be revealed to Bob and/or Eve after the certified deletion phase.
Fact 3. For joint distributions P_{XY} and P_{X′Y′} on the same sets,

Fact 4. For two distributions P_X and P_{X′} on the same set and an event E on the set,

The following result is a consequence of the well-known Serfling bound.

Quantum information
The ℓ_1 distance between two quantum states ρ and σ is given by

∥ρ − σ∥_1 = Tr|ρ − σ|.

The fidelity between two quantum states is given by

F(ρ, σ) = ∥√ρ √σ∥_1.

The Bures distance based on fidelity is given by

B(ρ, σ) = √(2(1 − F(ρ, σ))).

ℓ_1 distance, fidelity and Bures distance are related in the following way.
Fact 7 (Fuchs-van de Graaf inequality). For any pair of quantum states ρ and σ,

1 − F(ρ, σ) ≤ (1/2)∥ρ − σ∥_1 ≤ √(1 − F(ρ, σ)^2).

Consequently,

∥ρ − σ∥_1 ≤ 2B(ρ, σ).

For two pure states |ψ⟩ and |ϕ⟩, we have

∥|ψ⟩⟨ψ| − |ϕ⟩⟨ϕ|∥_1 = 2√(1 − |⟨ψ|ϕ⟩|^2).

Fact 8 (Uhlmann's theorem). Suppose ρ and σ are mixed states on register X which are purified to |ρ⟩ and |σ⟩ on registers XY; then it holds that

F(ρ_X, σ_X) = max_U |⟨ρ|(1_X ⊗ U_Y)|σ⟩|,

where the maximization is over unitaries acting only on register Y. Due to the Fuchs-van de Graaf inequality, this implies that there exists a unitary U such that

∥|ρ⟩⟨ρ| − (1_X ⊗ U_Y)|σ⟩⟨σ|(1_X ⊗ U_Y)^† ∥_1 ≤ 2√(1 − F(ρ_X, σ_X)^2).

Fact 9. For a quantum channel E and states ρ and σ,

∥E(ρ) − E(σ)∥_1 ≤ ∥ρ − σ∥_1.

The entropy of a quantum state ρ on a register Z is given by

H(ρ) = −Tr(ρ log ρ).

We shall also denote this by H(Z)_ρ. For a state ρ_{YZ} on registers YZ, the entropy of Y conditioned on Z is given by

H(Y|Z) = H(YZ) − H(Z).

The conditional Hartley entropy of Y given Z is defined as

H_0(Y|Z)_ρ = log ∥Tr_Y supp(ρ_{YZ})∥_∞,

where supp(ρ_{YZ}) is the projector on to the support of ρ_{YZ}. For a classical distribution P_{YZ}, this reduces to H_0(Y|Z)_{P_{YZ}} = log sup_z |{y : P_{YZ}(y, z) > 0}|.
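Since trace distance and fidelity are used throughout the security analysis, a quick numerical sanity check of the Fuchs-van de Graaf inequality may be helpful. The sketch below (illustrative only; it assumes the non-squared fidelity convention F(ρ, σ) = ∥√ρ√σ∥_1 and uses random 2-dimensional mixed states) verifies 1 − F ≤ (1/2)∥ρ − σ∥_1 ≤ √(1 − F^2):

```python
import numpy as np

def dm(v):
    """Density matrix of a (normalized) pure state vector."""
    v = v / np.linalg.norm(v)
    return np.outer(v, v.conj())

def trace_norm(A):
    # ||A||_1 = sum of singular values
    return np.linalg.svd(A, compute_uv=False).sum()

def sqrtm_psd(A):
    """Square root of a positive semidefinite Hermitian matrix."""
    w, V = np.linalg.eigh(A)
    w = np.clip(w, 0, None)
    return (V * np.sqrt(w)) @ V.conj().T

def fidelity(rho, sigma):
    # F(rho, sigma) = || sqrt(rho) sqrt(sigma) ||_1
    return trace_norm(sqrtm_psd(rho) @ sqrtm_psd(sigma))

rng = np.random.default_rng(0)
for _ in range(100):
    # random mixed states as mixtures of random pure states
    rho = 0.5 * dm(rng.normal(size=2)) + 0.5 * dm(rng.normal(size=2))
    sig = 0.5 * dm(rng.normal(size=2)) + 0.5 * dm(rng.normal(size=2))
    F = fidelity(rho, sig)
    d1 = trace_norm(rho - sig)
    # Fuchs-van de Graaf: 1 - F <= (1/2)||rho - sigma||_1 <= sqrt(1 - F^2)
    assert 1 - F <= 0.5 * d1 + 1e-9
    assert 0.5 * d1 <= np.sqrt(max(0.0, 1 - F**2)) + 1e-9
```

For pure states both sides of the upper bound coincide, matching the pure-state formula above.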
For 0 ≤ δ ≤ 2, the δ-smoothed versions of the above entropies are defined as

Fact 10. For any state ρ_{XYZ} and any 0 ≤ δ ≤ 2,

H^δ_∞(X|YZ)_ρ ≥ H^δ_∞(X|Z)_ρ − log dim(Y).

The relative entropy between two states ρ and σ of the same dimensions is given by

D(ρ∥σ) = Tr(ρ log ρ) − Tr(ρ log σ).
The mutual information between Y and Z with respect to a state ρ on YZ can be defined in the following equivalent ways:

I(Y : Z)_ρ = H(Y)_ρ + H(Z)_ρ − H(YZ)_ρ = H(Y)_ρ − H(Y|Z)_ρ = D(ρ_{YZ} ∥ ρ_Y ⊗ ρ_Z).

The conditional mutual information between Y and Z conditioned on X is defined as

I(Y : Z|X)_ρ = H(Y|X)_ρ + H(Z|X)_ρ − H(YZ|X)_ρ.

Mutual information can be seen to satisfy the chain rule

I(XY : Z) = I(X : Z) + I(Y : Z|X).

A state of the form

ρ_{XY} = Σ_x P_X(x) |x⟩⟨x|_X ⊗ ρ_{Y|x}

is called a CQ (classical-quantum) state, with X being the classical register and Y being quantum. We shall use X to refer to both the classical register and the classical random variable with the associated distribution. As in the classical case, here we are using ρ_{Y|x} to denote the state of the register Y conditioned on X = x, or in other words the state of the register Y when a measurement is done on the X register and the outcome is x. Hence ρ_{XY|x} = |x⟩⟨x|_X ⊗ ρ_{Y|x}. When the registers are clear from context we shall often write simply ρ_x.
Fact 12. For a CQ state ρ_{XY} where X is the classical register, H_∞(X|Y)_ρ is equal to the negative logarithm of the maximum probability of guessing X from the quantum system ρ_{Y|x}, i.e.,

H_∞(X|Y)_ρ = −log max_{{M_x}_x} Σ_x P_X(x) Tr(M_x ρ_{Y|x}),

where the maximization is over the set of POVMs {M_x}_x with elements indexed by x.
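In the special case where the side information Y is classical as well, the optimal guessing strategy in Fact 12 is simply to guess, for each y, the x maximizing P_{XY}(x, y), so that H_∞(X|Y) = −log Σ_y max_x P_{XY}(x, y). A minimal sketch of this classical special case (illustrative only):

```python
import math

def cond_min_entropy(p_xy):
    """H_min(X|Y) = -log2 sum_y max_x P(x, y), for a classical joint pmf
    given as a dict {(x, y): prob}."""
    ys = {y for (_, y) in p_xy}
    p_guess = sum(max(p for (x, yy), p in p_xy.items() if yy == y) for y in ys)
    return -math.log2(p_guess)

# Example: X uniform on 2 bits, Y reveals the first bit of X.
p = {((x1, x2), x1): 0.25 for x1 in (0, 1) for x2 in (0, 1)}
# Knowing Y, the guesser still has to guess the second bit: p_guess = 1/2.
print(cond_min_entropy(p))  # 1.0
```

For genuinely quantum side information the maximization over POVMs is a semidefinite program, but the operational meaning is the same.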
For CQ states ρ_{XY} and σ_{XY}, with classical distributions P_X and Q_X respectively on the X register, the expression for relative entropy is given by

D(ρ_{XY} ∥ σ_{XY}) = Σ_x P_X(x) log(P_X(x)/Q_X(x)) + Σ_x P_X(x) D(ρ_{Y|x} ∥ σ_{Y|x}).

Accordingly, the conditional mutual information between Y and Z conditioned on a classical register X is simply

I(Y : Z|X)_ρ = Σ_x P_X(x) I(Y : Z)_{ρ_x}.

2-universal hashing
Definition 2. A family H of functions from X to Z is called a 2-universal family of hash functions iff for all x ≠ x′ ∈ X,

Pr[h(x) = h(x′)] ≤ 1/|Z|,

where the probability is taken over the choice of h uniformly over H.
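A standard concrete example of a family satisfying Definition 2 is the Carter-Wegman construction h_{a,b}(x) = ((ax + b) mod p) mod m with p prime. The sketch below (illustrative, with toy parameters rather than the bit-string families actually used in the protocol) brute-force checks the collision bound Pr_h[h(x) = h(x′)] ≤ 1/m:

```python
from itertools import product

p, m = 13, 4                      # p prime >= domain size, range size m
family = [(a, b) for a in range(1, p) for b in range(p)]

def h(a, b, x):
    return ((a * x + b) % p) % m  # Carter-Wegman hash

# 2-universality: for all x != x', Pr_h[h(x) = h(x')] <= 1/m
worst = 0.0
for x, xp in product(range(p), repeat=2):
    if x == xp:
        continue
    coll = sum(h(a, b, x) == h(a, b, xp) for (a, b) in family)
    worst = max(worst, coll / len(family))
print(worst <= 1 / m)  # True
```

The Toeplitz-matrix family over bit strings is the analogous construction for the {0,1}^s to {0,1}^n setting used here.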
2-universal hash function families always exist if |X| and |Z| are powers of 2, i.e., the inputs and outputs are bit strings of some fixed length (see e.g. [CW79]). We shall denote a family of 2-universal hash functions from {0,1}^s to {0,1}^n by H(s, n). 9 2-universal hash functions are used for privacy amplification in cryptography. For privacy amplification against an adversary with quantum side information, the following lemma is used.
Fact 13 (Leftover Hashing Lemma, [Ren05]). The CQ state ρ_{CKHE}, where C is an n-bit classical register, K is an s-bit classical register, and H is a classical register of dimension |H(s, n)|, is defined as

Then for any ε ∈ [0, 1),

The magic square game & its parallel repetition
In a 2-player k-round game G, Alice and Bob share an entangled state at the beginning of the game. In the j-th round, they receive inputs (x_j, y_j) and produce outputs (a_j, b_j) respectively. They can do this by performing measurements that depend on the inputs and outputs of all rounds up to the j-th, on the post-measured state from the previous round. Each round has an associated predicate V_j which is a function of all inputs and outputs up to the j-th round. Alice and Bob win the game iff V_j(x_1 . . . x_j, y_1 . . . y_j, a_1 . . . a_j, b_1 . . . b_j) = 1 for every j ∈ [k]. For a k-round game G, let G^l denote the l-fold parallel repetition of it, and let G^{t/l} denote the following game: • For j = 1 to k, in the j-th round, Alice and Bob receive x^j_1, . . . , x^j_l and y^j_1, . . . , y^j_l as inputs.
• For j = 1 to k, in the j-th round, Alice and Bob output a^j_1, . . . , a^j_l and b^j_1, . . . , b^j_l respectively.
• Alice and Bob win the game iff at least t of the l parallel instances are won.

A parallel repetition threshold theorem gives an upper bound on the winning probability of G^{t/l} which is exponentially small in l, for sufficiently high values of t/l. In the magic square game, Alice receives a uniformly random row index x ∈ {0, 1, 2} and outputs three bits a = a[0]a[1]a[2] of even parity, while Bob receives a uniformly random column index y ∈ {0, 1, 2} and outputs three bits b = b[0]b[1]b[2] of odd parity; they win iff a[y] = b[x].

9 Strictly speaking, in our applications of this concept we shall need to use bitstrings of variable length (up to some upper bound l) as inputs to the hash functions. This can be handled simply by noting that there are 2^{l+1} − 1 bitstrings of length less than or equal to l. Hence there is an injective mapping from such bitstrings to bitstrings of length l + 1, and we can then apply 2-universal hash families designed for the latter (note that the mapping leaves all conditional entropies invariant because it is injective).
We introduce two variants of the magic square game: a 3-player 1-round version where Alice and Bob's distributions are product and are anchored w.r.t. the third player Eve's input, and a 2-player 2-round version where Alice and Bob's first round inputs are product and anchored w.r.t. Bob's second round input. We shall make use of parallel repetition threshold theorems for both these kinds of games.

2-player 2-round MSB_α
MSB_α is defined as follows: • In the first round, Alice and Bob receive inputs x ∈ {0, 1, 2} and y′ ∈ {0, 1, 2} independently and uniformly at random.

In order to prove Lemma 14, we shall make use of a result due to [FM18].

Proof of Lemma 14. Since z = (x, y) with probability 1 − α > 0, it suffices to show that the probability of winning the game for z = (x, y) is at most 1 − c_B for some c_B > 0. If z = ⊥, the game being played is just the standard magic square game, which can be won with probability 1. If z = (x, y), then using the result of [FM18] one can show that the winning probability is upper bounded by the maximum of min{1 − δ, 1/2 + 9√δ} over all possible δ. Since 1/2 + 9√δ is continuous in δ and has value less than 1 at δ = 0, this maximum must be less than 1. In fact the maximum is obtained at the intersection of 1 − δ and 1/2 + 9√δ for δ ∈ [0, 1], where the value is ∼ 0.997.
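For reference, the one-round magic square game referred to above has quantum value 1 but classical value 8/9. The brute-force sketch below (illustrative; it enumerates all deterministic strategies, which suffices since shared randomness cannot help) confirms that classical players win at most 8 of the 9 equally likely input pairs:

```python
from itertools import product

# Even-parity rows for Alice, odd-parity columns for Bob.
even = [t for t in product((0, 1), repeat=3) if sum(t) % 2 == 0]
odd  = [t for t in product((0, 1), repeat=3) if sum(t) % 2 == 1]

best = 0
# A deterministic strategy assigns an answer to each of the 3 questions.
for A in product(even, repeat=3):          # A[x] = Alice's row for question x
    for B in product(odd, repeat=3):       # B[y] = Bob's column for question y
        # Win condition: the row and column agree at their intersection.
        wins = sum(A[x][y] == B[y][x] for x in range(3) for y in range(3))
        best = max(best, wins)
print(best, "/ 9")  # 8 / 9
```

This gap between the classical value 8/9 and the quantum value 1 is exactly what the threshold theorems for the repeated game amplify.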
We prove a more general version of Theorem 16 in Section 7.
We prove a more general version of Theorem 18 in Section 7. Note that it is possible to use the result of [BVY15,BVY17] for k-player anchored games to get a version of Theorem 18 with worse parameters; we provide a different proof in order to improve the parameters.

ECD protocol
Our ECD protocol, which uses the resources C, R, R_P and (B^1_1 . . . B^1_l, B^2_1 . . . B^2_l)_ε, is given in Protocol 1. To be specific, Protocol 1 describes the steps performed by Alice and honest Bob; we have highlighted in red the steps that a dishonest Bob need not perform. 10 We have also indicated

10 We assume Bob sends b_T and b′_T, generated in some arbitrary manner, to Alice in lines 7 and 25 even if he is dishonest, so as not to give himself away as dishonest, which is why these have not been highlighted in red.
in green the steps that occur at specific times corresponding to the ideal functionality. The parameters l, α, γ in the protocol need to satisfy conditions specified in Section 5.4. The function syn used in the protocol is specified by Fact 20 later (it is basically the syndrome of an appropriate error-correcting code).

3: Alice gets x_S, y_S and y′_T uniformly at random, such that y_i ≠ y′_i for each i, from R
4: Alice supplies x_S as inputs to her boxes corresponding to S and uniformly random inputs from R_P to the rest of her boxes, recording the outputs from the subset S as a string a_S
5: Alice sends (T, y_T) to Bob using C
6: Bob inputs y_T into his boxes corresponding to T and gets output b_T
7: Bob sends b_T to Alice using C
21: Alice sends 0 to Bob using C
22: else
23: Alice sends y′_T to Bob using C
24: Bob inputs y′_T into his boxes corresponding to T and gets output b′_T
25: Bob sends b′_T to Alice using C
26: if the test passes then
33: Bob inputs y_{S∩T̄} to his boxes corresponding to S ∩ T̄, uniformly random inputs to the boxes corresponding to S̄, and records the outputs from S ∩ T̄ as b_{S∩T̄}
35: Bob uses K_B and syn(K_A) = C_2 ⊕ u_2 to compute a guess K̂_A for K_A
36: At time t_5, Bob outputs M̂ = C_1 ⊕ h(K̂_A) ⊕ u_1
37: else
38: At time t_5, Bob outputs M̂ = 0^n

Remark 5. Protocol 1 can be modified so that instead of step 23, Alice sends y′_T to Bob in either step 5 or 15. It may be desirable to do this if we want to achieve the alternative ECD task discussed in Section 2.4, where Bob makes the deletion decision himself, so as not to include an unnecessary round of interaction (since that version will not include the communication in steps 21 and 23 at all). Because of the OTPs with u_1 and u_2, as we discuss later, sending y′_T earlier has no effect on security.
Remark 6. We explain here how the above Protocol 1 description should be viewed in the context of the alternative security definitions in Section 2.5.
In the encryption phase of that definition, Alice is supposed to produce and store registers O, R and P. With respect to the Protocol 1 description, these should be viewed as follows: O is simply the value O generated in step 9, R consists of the values (x_S, y_S, y′_T, S, T, h, u_1, u_2) obtained from the temporarily private randomness source R over the course of the encryption phase (which are later revealed in step 31 for decryption, as we would expect), and P consists of the values (y′_T, x_S, y_S, a_S) (for potential later use in the certified deletion phase). As for Bob, he is supposed to end up with a ciphertext state in his register Q_B: with respect to the Protocol 1 description, this ciphertext state consists of the register C in step 15 together with the quantum state in his half of the boxes. (If Bob is honest, he holds no other registers in Q_B; if he is dishonest then Q_B holds a state which he has been updating arbitrarily over the course of the encryption phase using the messages exchanged.) Eve's side-information register Q_E consists of her original quantum side-information on the boxes, as well as all messages exchanged between Alice and Bob.
In the certified deletion phase of that definition, the register P used by Alice and Bob is as described above, and the register F produced by Alice is simply the flag F generated in step 27 of the Protocol 1 description.
Finally, in the decryption phase of that definition, the decryption key R is again as described above, and similarly for the ciphertext state that Bob uses to decrypt the message. His decrypted value M̂ for the message corresponds to step 36 of the Protocol 1 description.

Notation
We shall introduce some notation that will be used in the rest of the section and the composable security proof. Firstly, note that even though, for ease of presentation, the protocol indicates Alice getting the randomness R step by step from R, in reality she could have gotten it all in step 3, and here we shall consider her to have done so. We do not use any registers for the randomness Alice got from R_P, as this is not relevant in the protocol or the security proof.
Consider the following state shared by Alice, Bob and Eve after step 8 of the protocol, when Alice has produced the abort decision O but has not sent it to Bob yet: Here the ciphertext register C = C_1C_2 and the flag register F (which are initialized to default values) are with Alice, as is the randomness R received from R. The answer B_T Alice got from Bob is with both Alice and Eve, but for the sake of brevity we only explicitly specify the copy with Eve. A, B, E are the quantum registers held by Alice, Bob and Eve. We shall assume BE includes the TY_T that Bob (and Eve) got from Alice, and AB includes Alice and Bob's copies of B_T. Finally, we shall assume B contains the register K_B on which Bob would obtain his raw key, if he were honest. Further states in the protocol are obtained from φ by passing some registers from Alice to Bob (and Eve) and local operations on the registers possessed by Alice or jointly Bob and Eve.
At times t_2 and t_3 the message M = m and the deletion decision D = 0/1 enter the protocol, and we shall specify these parameters when talking about states from these points on, although the message dependence is only on the C register, so we may drop the M dependence when talking about other registers. We use the following notation to denote states at various times in the protocol conditioned on various events (all the states are conditioned on outputting ⊤ at time t_1, though we only mention this in the first one, since the protocol only continues after t_1 under this condition): We shall use p_⊤ to denote the probability of outputting ⊤ at time t_1, which is clearly the probability of ρ within φ. 11 Let p_{✓|⊤} denote the probability of Alice outputting ✓ at time t_4 conditioned on outputting ⊤ at time t_1, for message M = m and D = 1, i.e., the probability of σ(m, 1) within ρ_2(m, 1). This probability is independent of m, as we shall argue in Lemma 24.

Completeness and correctness
We now prove some lemmas which, in the context of the alternative security definitions in Section 2.5, will imply the completeness and correctness properties (as we shall discuss in Section 5.5). In the context of our composable security analysis (in Section 6), however, these will just be intermediate results in the full composable security proof.

Moreover, if Bob is honest and D = 1 (i.e. Alice requests a deletion certificate), then regardless of Eve, we have
Proof. Since each element of [l] is included in S independently with probability (1 − α), we see from the Chernoff bound that the probability of outputting ⊥ due to |S| < γl is bounded by

for the choice of α. Moreover, for our choice of l the above quantity is at most 1/2. Conditioned on |S| ≥ γl, the behaviour of the boxes on T is independent of S. For any i ∈ [l], let W_i denote the indicator variable for the event a_i[y_i] = b_i[x_i]. Since each instance of MS is won with probability at least 1 − ε/2 by honest boxes, the probability of aborting due to fewer than (1 − ε)|T| of the indices i ∈ T satisfying a_i[y_i] = b_i[x_i] is also small. Hence overall,

p_{✓|⊤} is independent of m in general (see Lemma 24 below), but it is easy to see why this is so for honest Bob: his behaviour in Phase 2 is entirely independent of m. To lower bound p_{✓|⊤}, let W_i be defined as before, and let W′_i be the indicator variable for the event that when Bob inputs y′_i into his box and gets output b′_i, they satisfy a_i[y′_i] = b′_i[x_i]. As the marginal distributions of y_i and y′_i are exactly the same, W′_i and W_i are identically distributed. Recall that W_i is the same variable regardless of when the inputs are provided and the outputs obtained, so we can consider doing the y′_T measurement on φ. p_⊤ is the probability of the event

when all the measurements are done on φ. Let p_✓ denote the probability of

Since the distribution of S is independent of the W_i-s and W′_i-s, from Lemma 6,

This gives us

Now simply observe that p_✓ = p_⊤ p_{✓|⊤}, which gives us the required result. Note that here we required that upon receiving y′_T, Bob produces b′_T by the same procedure by which he produced b_T upon receiving y_T, which is his honest behaviour (even though the boxes themselves are untrusted), but we did not assume that the procedure actually implements anything close to the ideal MS measurements. A dishonest Bob, on the other hand, may produce b′_T by some different procedure, and hence this bound does not apply to him.
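The first step of this proof bounds Pr[|S| < γl] for |S| ∼ Binomial(l, 1 − α) via the Chernoff bound. As an illustrative numerical check (using the Hoeffding form exp(−2(1 − α − γ)^2 l) of the bound and hypothetical parameter values, not the ones fixed in Section 5.4), one can compare the exact binomial tail against the bound:

```python
from math import comb, exp

def binom_tail_below(l, p, k):
    """Pr[Bin(l, p) < k], computed exactly."""
    return sum(comb(l, j) * p**j * (1 - p)**(l - j) for j in range(k))

l, alpha, gamma = 100, 0.4, 0.5   # hypothetical parameter values
exact = binom_tail_below(l, 1 - alpha, int(gamma * l))   # Pr[|S| < gamma*l]
hoeffding = exp(-2 * (1 - alpha - gamma)**2 * l)
assert exact <= hoeffding        # the Chernoff-Hoeffding bound holds
print(f"exact tail {exact:.4f} <= bound {hoeffding:.4f}")
```

The exponential decay in l is what allows the completeness error to be driven down by taking l large.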
Further analysis will be done assuming α, γ, l satisfy the conditions of Lemma 19, though we shall not state it explicitly in each case.
The correctness of Protocol 1, i.e., the fact that Bob is able to produce the correct message if D = 0 and he is honest, uses the following fact.
Fact 20 ([Ren05], Lemma 6.3.4). Suppose Alice and Bob respectively hold random variables K_A, K_B ∈ {0,1}^s. Then for 0 < δ ≤ 1, there exists a protocol in which Alice communicates a single message syn(K_A) of at most H^δ_0(K_A|K_B) + log(1/λ_EC) bits to Bob, after which Bob can produce a guess K̂_A that is equal to K_A with probability at least 1 − (δ + λ_EC)/2.

Lemma 21. There is a choice of C_2 = syn(K_A) of length h_2(2ε)l + log(1/λ_EC) bits, such that the K̂_A produced by honest Bob in step 35 of Phase 3 of the protocol is equal to K_A with probability at least 1 − (2 · 2^{−2ε^2 γl}/p_⊤ + λ_EC/2), where h_2 is the binary entropy function.
Proof. Define the random variables W_i as in the proof of Lemma 19. First observe that ρ_1 is the state conditioned on the event (9) after the measurements are done on φ. 12 Let ρ̃_1 be the state conditioned on the event

when all the measurements are done on φ. Note that ρ̃_1 is also equal to ρ_1 conditioned on the event E (since the event E is a stricter condition than the event (9)). We shall now argue that ρ_1 and ρ̃_1 are close in trace distance, by showing that the event E occurs with some sufficiently high probability in the state ρ_1.
To do so, we follow exactly the same argument structure as in the proof of Lemma 19, except with the event E in place of the event (10). With respect to the state immediately after the measurements are done on φ, let p_E denote the probability of the event E, and let p_{E|⊤} denote the probability of the event E conditioned on the event (9). (Note that p_{E|⊤} is also precisely the probability of the event E with respect to the state ρ_1.) With this notation, we obtain analogous inequalities to the Lemma 19 proof:

where the inequality in the second line is again due to Lemma 6. Since we also again have p_E = p_{E|⊤} p_⊤, the above bound gives p_{E|⊤} ≥ (p_⊤ − 2^{−2ε^2 γl})/p_⊤ = 1 − 2^{−2ε^2 γl}/p_⊤. In other words, we have shown that the probability of the event (11) in the state ρ_1 is at least 1 − 2^{−2ε^2 γl}/p_⊤. Recalling that ρ̃_1 is the state conditioned on that event, from the definition of the 1-norm distance it immediately follows that ∥ρ_1 − ρ̃_1∥_1 ≤ 2(1 − p_{E|⊤}) ≤ 2 · 2^{−2ε^2 γl}/p_⊤.

12 Note that we previously defined ρ_1 to be the state produced by the following sequence of steps: perform the measurements on T, then condition on a particular event, then perform the remaining measurements. However, this is where we use the condition imposed on honest Bob's boxes that the order of measurements does not change the distribution: because of that condition, we can equivalently consider ρ_1 to be the state where all the measurements are performed before the event is conditioned on.
In ρ̃_1, the K_B thus obtained differs from K_A in at most 2ε|S| many indices. The number of |S|-bit binary strings that can disagree with K_B in at most 2ε|S| places is at most 2^{h_2(2ε)|S|} ≤ 2^{h_2(2ε)l}. Hence

and this implies that the (2 · 2^{−2ε^2 γl}/p_⊤)-smoothed entropy of ρ_1 is at most h_2(2ε)l. Hence by Fact 20, we get the required result. 13
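The counting step above uses the standard fact that a Hamming ball of radius r = δn in {0,1}^n contains at most 2^{h_2(δ)n} strings, for δ ≤ 1/2. A quick numerical check of this bound (illustrative only):

```python
from math import comb, log2

def h2(d):
    """Binary entropy function."""
    return 0.0 if d in (0, 1) else -d * log2(d) - (1 - d) * log2(1 - d)

def hamming_ball(n, r):
    """Number of n-bit strings at Hamming distance <= r from a fixed string."""
    return sum(comb(n, k) for k in range(r + 1))

# Check |ball(n, r)| <= 2^{h2(r/n) n} for all r <= n/2.
for n in (10, 50, 200):
    for r in range(0, n // 2 + 1):
        assert hamming_ball(n, r) <= 2 ** (h2(r / n) * n)
print("ok")
```

The bound is tight up to polynomial factors, which is why the syndrome length h_2(2ε)l + log(1/λ_EC) in Lemma 21 is essentially optimal for this error model.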

Secrecy
We now prove some lemmas which, in the context of the alternative security definitions in Section 2.5, will imply the secrecy property (as we shall discuss in Section 5.5). In the context of our composable security analysis (in Section 6), however, these will just be intermediate results in the full composable security proof.
Specifically, we prove two lower bounds for the (smoothed) min-entropy of K A in the states ρ and σ, conditioned on Bob and Eve's side information and the randomness R. These will later allow us to show secrecy of the protocol via the Leftover Hashing Lemma.
Lemma 22. If Bob plays honestly and p_⊤ ≥ 2 · 2^{−2ε^2 γl}, then the state ρ_1 satisfies

where c^E_α, d_E are the constants from Theorem 18, and

Proof. We follow the proof approach of [Vid17] for the protocol in [JMS20]. First we shall bound

By Theorem 18, the winning probability of MSE^{t/l} on the original state shared by Alice, Bob and Eve is at most 2^{−d_E(c^E_α − 2ε)^3 α^2 l}. We first consider the state ρ̃_1 defined in the proof of Lemma 21, i.e. this original state conditioned on the event (11). Denoting the probability of this conditioning event as p_E, we can bound the winning probability of MSE^{t/l} on the state ρ̃_1 as

13 Strictly speaking, in order to actually implement the [Ren05] protocol (Fact 20), it is not sufficient to only have the upper bound H^δ_0(K_A|K_B) ≤ h_2(2ε)l. Rather, for each value of K_B Bob needs to know the set of K_A values such that Pr[K_A|K_B] > 0, where the probability is with respect to some distribution in the δ-ball that attains H_0(K_A|K_B) = h_2(2ε)l. The proof we give here indeed characterizes this set, namely the set of K_A that differ from K_B in at most 2εl indices, so it is possible to apply that protocol.
By construction, in ρ̃_1 there is always some subset of S with size at least (1 − 2ε)|S| on which W_i = 1 for each i. Hence whenever V_i = 1 for all i ∈ S, MSE^{t/l} is won. This implies

But the probability of V_i = 1 for all i ∈ S is the probability that Eve is able to guess a_i[y_i] given x_i y_i for all i ∈ S. Hence from Fact 12,

We now relate this to the state of interest ρ_1 (i.e. the state conditioned only on the event (|S| ≥ γl) ∧ (Σ_{i∈T} W_i ≥ (1 − ε)|T|)) by recalling that ∥ρ_1 − ρ̃_1∥_1 ≤ δ_⊤ as shown in the proof of Lemma 21, and hence the δ_⊤-smoothed min-entropy of ρ_1 is at least the above value as well. Furthermore, since the Serfling bound in the form of Lemma 6 also implies p_E ≥ p_⊤ − 2^{−2ε^2 γl} (this addresses a minor issue in the [Vid17] proof, which just replaced p_E with p_⊤ directly), we have

Finally, the other parts of R besides SX_SY_S are T (which Eve already has in E), Y′_T, H and U_1U_2. But K_A is independent of Y′_T given SY_S (since K_A is produced by a measurement on Alice's boxes only, which has no relation to Bob's string Y′_T apart from the values SY_S used to specify which bits of Alice's input to include in K_A), and H and U_1U_2 are independent of everything else (since by construction they are drawn uniformly and independently of all other registers here). Hence giving Eve these extra registers in R makes no difference. Lastly, to handle C_2 and B_T (which are not independent of K_A), we simply note that C_2 is at most h_2(2ε)l + log(1/λ_EC) bits and B_T is at most 2γl bits, hence by Fact 10 we get the desired result.
For proving the next bound, we shall need the following fact, which is easily proven by a summation relabelling:

Fact 23. Consider a CQ state ρ_{ZQ} where Z is an s-bit classical register. If we select an independent uniformly random U ∈ {0,1}^s and generate a register C = Z ⊕ U, then the resulting global state,

is equal to

When applying this fact, we shall take U to correspond to (U_1, U_2) in Protocol 1, which is basically a one-time pad. Intuitively, Fact 23 expresses a symmetry 14 between the "ciphertext" and the "padding string" when applying a one-time pad: while we usually think of the ciphertext as taking the value Z ⊕ U and the padding string as taking the independent uniform value U, this fact implies that we have an exactly equivalent situation by thinking of the ciphertext as taking the value U and the padding string as taking the value Z ⊕ U. We use this to prove the following lemma (for all possible behaviours by Bob and Eve; note that while dishonest Bob does not have to honestly report the "raw" outcomes of measurements on his states, such behaviour can simply be absorbed into the strategy he uses to generate B and B_T):

Lemma 24. The probability p_{✓|⊤} is independent of the message m. Furthermore, letting R′ denote all the registers in R except U_1, the state σ_{K_A C R′ B B_T E} satisfies

where c^B_α, d_B are the constants from Theorem 16.
Proof. Recall that U was initially generated as a uniformly random value independent of all the other registers, and that it is not revealed to Bob and Eve until the final time t_5. Also, by Fact 23, we know that at the point at which C is generated, the global state remains the same if we swap the roles of the registers C and U. This means that it is perfectly equivalent to instead consider the following "virtual" process: Bob and Eve generate an independent uniformly random value in the register C, and this is used to generate a register U = (M ⊕ h(K_A) ⊕ C_1, syn(K_A) ⊕ C_2) which is given to Alice only (until time t_5). We stress that this virtual process does not correspond to a physical procedure which is actually performed, but it produces exactly the same state as the original protocol, so it is valid to study it in place of the original protocol.
With this process in mind, it is clear that p_{✓|⊤} is independent of m, since the only register that depends on m at that point is always with Alice and not acted upon. We shall now prove

where R″ denotes all the registers in R except U_1U_2. From there the desired bound would follow by subtracting the number of bits in U_2, via Fact 10.
Under the virtual process, the register C is locally generated from the joint system of Bob and Eve, without access to any of Alice's registers. Hence we can proceed as in the proof of Lemma 22, this time by considering the game MSB_α^{t/(1−γ)l} for t = (1 − ε)(1 − γ)l on the set T̄ = [l] \ T between Alice and the joint system of Bob and Eve. In this case, however, an important difference is that we allow the output distribution to depend on which subset T is supplied first (this information is implicitly included in R″). This works because Alice's accept condition at this point is directly the condition that enough rounds are won on the entire set, instead of a small test subset. In particular, this means that for each input order we can directly study the corresponding state conditioned on accepting, without relating it to some "nearby" state that is independent of the input order (this was the only part of the Lemma 22 proof that required the condition on honest Bob's boxes, in order to apply the Serfling bound).
However, even apart from the |S| ≥ γl conditioning (whose probability is included in p_⊤), the input distribution in T̄ is not quite right for MSB_α^{t/(1−γ)l}. To see this, let us recap the distribution in the actual protocol of the sets S and T conditioned on |S| ≥ γl, according to step 2: • Let P_{ST} denote the distribution of the variables S and T in the actual protocol, where S ⊆ [l] is generated by choosing each index independently with probability (1 − α). Let E_1 denote the event that |S| ≥ γl when S is drawn according to P_S, and P_{ST|E_1} is the joint distribution of S and T conditioned on this event (in which case T is a uniformly random subset of S).
To relate this to the game MSB_α^{t/(1−γ)l} (for arbitrary t), we would like to consider the game to be played on T̄, and consider S ∩ T̄ to specify the subset of T̄ on which Alice and Bob get nontrivial inputs. However, since in P_{ST|E_1} the subset S was drawn first and T was then drawn as a subset of it, this somewhat affects the distribution of S ∩ T̄ within T̄ (in that S ∩ T̄ is not distributed according to choosing each index in T̄ independently with probability (1 − α)). To obtain sets S, T with a distribution suitable for MSB_α^{t/(1−γ)l} in the preceding sense, we could instead consider the following distribution:

Now let E_2 be the event that when S and T are drawn according to Q_{ST}, T is a subset of S; Q_{ST|E_2} is the distribution conditioned on this event. Since S and T are independent in Q_{ST}, the distribution Q_{ST|E_2} can be equivalently described as first choosing S followed by T according to their respective distributions, and then conditioning on T ⊆ S. But from this, we see that in fact Q_{ST|E_2} is just the same distribution as P_{ST|E_1} (note that T ⊆ S implicitly includes the condition |S| ≥ γl, since T always has size γl).
Since conditioning on an event with probability q cannot increase probabilities by more than a factor of 1/q, we see that when studying the protocol we can compensate for using the actual distribution P_{ST|E_1} (i.e. Q_{ST|E_2}) instead of the "correct" game distribution.

With this, we return to the topic of bounding the min-entropy. The state σ is conditioned on the first round of MSB_α^{t/(1−γ)l} winning, as well as the initial conditioning of outputting ⊤. The probability of winning both the first and second rounds on an unconditioned state with an unconditioned input distribution is at most

which yields the desired bound (noting that log(1 − α) > −1 since we took the condition α < 1/2 in Lemma 19 to be satisfied). We get the min-entropy instead of smoothed min-entropy here (and we do not need an explicit lower bound on p_⊤ p_{✓|⊤}, unlike Lemma 22) because Alice checks the condition on the entire T̄ instead of a test subset, so we do not need to consider a "nearby" state in place of the actual conditional state.
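The ciphertext/pad symmetry of Fact 23 that underlies this virtual process can be checked directly in the classical case: the joint distribution of (Z, U, C) is the same whether U is the uniform pad and C = Z ⊕ U, or C is uniform and U = Z ⊕ C. A minimal sketch for a single-bit Z (illustrative only):

```python
from collections import Counter
from fractions import Fraction
from itertools import product

p_z = {0: Fraction(3, 4), 1: Fraction(1, 4)}   # arbitrary distribution of Z

def joint(pad_on_u):
    """Joint distribution of (Z, U, C). If pad_on_u, U is the uniform pad and
    C = Z xor U; otherwise C is uniform and U = Z xor C."""
    dist = Counter()
    for z, r in product((0, 1), repeat=2):     # r: the uniform register
        pr = p_z[z] * Fraction(1, 2)
        u, c = (r, z ^ r) if pad_on_u else (z ^ r, r)
        dist[(z, u, c)] += pr
    return dist

assert joint(True) == joint(False)   # the two processes give the same state
print("identical")
```

The "summation relabelling" in the proof of Fact 23 is exactly the substitution r ↦ z ⊕ r visible in the two branches above; the same relabelling works bitwise for s-bit strings and carries over unchanged when Z is correlated with a quantum register Q.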

Parameter choices
Take any values of α ∈ (0, 1/2) and ε ∈ (0, 1) satisfying (14). To construct this more explicitly, we could focus on a fixed choice of α (say, α = 0.4), in which case there clearly exists an ε_0 such that the required inequality holds (by noting the behaviour of both sides as ε_0 → 0). This value is then a valid choice of ε_0 in Theorem 2, since (14) would then be satisfied for any ε ∈ (0, ε_0] (using that fixed choice of α). Now take some λ_com, λ_CI, λ_EC ∈ (0, 1] and some desired message length n, and choose l large enough such that, when setting γ as in (15), the following conditions are satisfied: firstly γ < 1/2, secondly (16), and lastly (17). The conditions γ < 1/2 and (16) ensure that the conditions on γ, l for Lemma 19 are satisfied. Since the choice of γ in (15) satisfies γ → 0 as l → ∞, these conditions can always be satisfied by taking sufficiently large l. Furthermore, given that (14) holds, for any n the conditions (17) will be satisfied at sufficiently large l, because all the γl terms are independent of l for this choice of γ.
For these parameter choices, together with a choice of syndrome satisfying Lemma 21 for the specified λ EC value, the described ECD protocol satisfies the following security properties (which hold independently of Conjecture 1). They are qualitatively similar to the notions of completeness, correctness and secrecy laid out in the alternative definition in Section 2.5: we discuss in Section 5.5 how they imply that the properties in that alternative definition are indeed satisfied, whereas in Section 6 we use these results to prove composable security.

Lemma 26. Given parameter choices satisfying (14)-(17), if Bob is honest, then for any specific message value M = m we have
Proof. Observe that conditioned on O = ⊤ in step 10 of the protocol (so that Bob gets the value C_1 = m ⊕ h(K_A) ⊕ U_1 from Alice, where m is the specific message value under discussion), honest Bob's final value M̂ = C_1 ⊕ h(K̂_A) ⊕ U_1 will be equal to m whenever his guess K̂_A matches Alice's value K_A. Hence conditioned on O = ⊤, the probability that his final value M̂ differs from m (i.e. Pr[M̂ ≠ m | O = ⊤]) is at most the probability that his guess was wrong, i.e. K̂_A ≠ K_A. Recalling that we chose parameters such that γ ≥ log(8/λ_EC)/(2ε²l), Lemma 21 bounds the probability of this event for honest Bob, which gives the desired result.
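A minimal sketch of honest Bob's decryption step, using a truncated SHA-256 as a stand-in for the protocol's hash (the hash choice, key and pad values here are illustrative assumptions, not the protocol's actual primitives):

```python
import hashlib

def h(key: bytes, n: int) -> bytes:
    # stand-in for the protocol's hash; SHA-256 truncated to n bytes (illustrative only)
    return hashlib.sha256(key).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

n = 16
m = b"certified delete"          # message of n bytes
k_A = b"alice-raw-key"           # Alice's raw key (illustrative)
u1 = bytes(range(n))             # one-time pad U_1 (would be uniformly random)

c1 = xor(xor(m, h(k_A, n)), u1)  # ciphertext C_1 = m XOR h(K_A) XOR U_1

# honest Bob with a correct guess for K_A recovers m exactly
k_hat = k_A
m_hat = xor(xor(c1, h(k_hat, n)), u1)
assert m_hat == m

# a wrong guess generically yields a different value
assert xor(xor(c1, h(b"wrong-guess", n)), u1) != m
```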
Lemma 27. Given parameter choices satisfying (14)-(17), we have for any specific message value M = m: and if Bob plays honestly,

Proof. We first prove the expression for ρ_1, which is under the assumption that Bob plays honestly. Observe that if p_⊤ < 2 · 2^{−2ε²γl}, then we are already done, since we chose γ ≥ log(8/λ_CI)/(2ε²l).
Hence we can take p_⊤ ≥ 2 · 2^{−2ε²γl}, in which case we can put together the bound in Lemma 22 with the first of the bounds on n in (17). Let S be a register storing the value of the hash h(K_A). Recalling that γ ≥ log(8/λ_CI)/(2ε²l), the Leftover Hashing Lemma then implies that S is close to uniform and independent of the other registers; in particular, the state on these registers is independent of the value of M. Now for any message value m, let E_m denote the map that generates the ciphertext register C_1 = m ⊕ s by reading s off the register S and then tracing it out. By the properties of the one-time pad, the resulting ciphertext is again independent of m, which yields the desired result (using Fact 9 in the last line).
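The Leftover Hashing Lemma applies to two-universal hash families; the specific family used in the protocol is not reproduced in this excerpt, but as an illustration, the standard Toeplitz construction is two-universal, which the following exhaustive check verifies for toy parameters (n = 3 input bits, m = 2 output bits):

```python
from itertools import product

def toeplitz_hash(seed, x, n, m):
    # seed: tuple of n+m-1 bits defining the Toeplitz matrix T[i][j] = seed[i-j+n-1]
    return tuple(
        sum(seed[i - j + n - 1] * x[j] for j in range(n)) % 2
        for i in range(m)
    )

n, m = 3, 2
seeds = list(product([0, 1], repeat=n + m - 1))   # the whole hash family
inputs = list(product([0, 1], repeat=n))

# two-universality: for every pair x != x', the collision probability over a
# uniformly random seed is exactly 2^{-m}
for x in inputs:
    for xp in inputs:
        if x == xp:
            continue
        collisions = sum(
            toeplitz_hash(s, x, n, m) == toeplitz_hash(s, xp, n, m) for s in seeds
        )
        assert collisions == len(seeds) // 2**m
```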
For σ, it is again easier to analyze the situation by using Fact 23 to switch to the virtual process of C being a uniformly random value and U being set to U = (M ⊕ h(K_A) ⊕ C_1, syn(K_A) ⊕ C_2). We then follow a similar argument as above: by Lemma 24 and the second bound on n in (17), we obtain a min-entropy bound, where R′ denotes all the registers in R except U_1. Defining Ê_m the same way as E_m above, except with the output register being U_1 instead of C_1, we follow the same line of reasoning and obtain the stated bound. (In fact, a tighter bound of λ_CI/(p_⊤ p_{✓|⊤}) holds here, since the min-entropy bound for σ is not smoothed, but we shall not track this detail.)

Security under the alternative definition
From the above properties, it is not difficult to show that the required properties for the alternative security definition in Section 2.5 are satisfied. Firstly, the completeness requirements (1)-(2) are precisely the properties shown in Lemma 25. Next, the correctness requirement (3) is precisely the property shown in Lemma 26.
As for the secrecy requirements (4)-(6), we first observe that (4) trivially holds over the required duration (i.e. until the decryption key is released), because the only point in the encryption phase that potentially depends on the message is the value M ⊕ h(K_A) ⊕ U_1 in step 15; by Fact 23 this register is in fact also independent of the message until U_1 is released, since U_1 serves as a one-time pad that is kept secret until being released in the decryption key R. The requirement (5) also trivially holds before the decryption key R is released, for the same reason; after that point, it is ensured by the first bound in the Lemma 27 statement (together with the fact that any further processing of Bob's and/or Eve's registers cannot increase that trace distance, by the data-processing inequality). Finally, an analogous argument holds for the requirement (6): it trivially holds before the decryption key R is released, and afterwards it is ensured by the second bound in the Lemma 27 statement.

Composable security proof
In this section, we prove our main security result, which implies Theorem 2. The argument essentially only depends on Fact 23 and Lemmas 25-27, without requiring the details of the analysis leading up to those lemmas.
Theorem 28. Assuming Conjecture 1, there exists a universal constant ε_0 ∈ (0, 1) such that for any ε ∈ (0, ε_0], λ_com, λ_CI, λ_EC ∈ (0, 1] and n ∈ N, there exist parameter choices for Protocol 1 such that it constructs the ECD_n functionality from the resources R, C and (B_1

Proof. As noted in the previous section, using the value of ε_0 specified there allows us to choose parameters such that (14)-(17) are satisfied, in which case Lemmas 25-27 hold and we can use them in our subsequent proof. To prove composable security according to Definition 1, we need to consider the four possible combinations of honest/dishonest behaviour for Bob and Eve, and for each case bound the distinguishing probability between the real functionality with the honest parties performing the honest protocol, versus the ideal functionality with some simulator attached to the dishonest parties' interfaces. We shall construct appropriate simulators and argue that for a distinguisher interacting with either scenario, the states held by the distinguisher in the two scenarios differ in ℓ_1 distance by at most 2λ = 4λ_com + 2λ_CI + 2λ_EC at all times. This implies the distinguishing advantage is bounded by λ via Fact 9, since the process of the distinguisher producing a value on the guess register G can be viewed as a channel applied to the states it holds.
Note that it suffices to consider only the points where output registers are released to the distinguisher, since by Fact 9, any operations the distinguisher performs between these points cannot increase the ℓ 1 distance. Furthermore, we observe that for classical inputs, it is not necessary to bound the distinguishability for all possible input distributions that the distinguisher could supply -it suffices to find a bound that holds for all specific values that could be supplied as input, since by convexity of the ℓ 1 norm, the same bound would hold when considering arbitrary distributions over those input values. In particular, for the subsequent arguments we shall assume the distinguisher supplies a specific value m for the input M , and we shall split the analysis into different cases for the two possible values for the input D.
Remark 7. In the following proofs, we shall construct simulators by explicitly using Fact 23, but an alternative approach appears possible, which we sketch out here. First, observe that the use of the one-time pad U in Protocol 1 is in fact a composably secure realization of a functionality we could call a trusted-sender channel with delay, which is defined in exactly the same way as the channel with delay in [VPR19], except that only the recipient is potentially dishonest. 15 If we now view Protocol 1 as sending the value (M ⊕ h(K A ), syn(K A )) through a composably secure implementation of a trusted-sender channel with delay, we can safely assume that the C register gives no information to the dishonest parties about Alice's outputs until the final step, which may be a helpful perspective to keep in mind when considering the proofs below. Essentially, our approach below has the simulator in the composable security proof for the trusted-sender channel with delay "built into" the argument directly, by repeated use of Fact 23.
Since in this section we are proving results in the Abstract Cryptography framework, we shall now explicitly refer to various actions in the Protocol 1 description as being performed by the protocols Π A and Π B rather than Alice and Bob (recall the discussion in Remark 4).

Dishonest Bob and Eve
The distinguisher's task in this case is to distinguish Π_A F^real_BE and F^ideal_BE Σ_BE. As mentioned in the introduction, intuitively speaking we shall choose the simulator Σ_BE here to run the honest protocol internally with a "virtual" simulated instance of the protocol Π_A (and a "dummy" version of the protocol's inputs on Alice's interfaces, which we shall describe shortly). The construction here is in fact rather similar to the QKD analysis in [PR14]; the example described there may be instructive in helping to understand our construction.
To give a broad overview (the detailed description will follow; see also Figure 4), the simulator begins by following the actions of Π_A in Protocol 1: it accepts the boxes from Eve, generates S and T the same way as in step 2, generates inputs the same way as in step 3 and supplies them to the boxes, and so on; in particular, in step 7 it accepts some value of b_T supplied at Bob's interface (see footnote 16), then performs the checks in step 8, and so on. A small difference occurs in step 10, where an output value O is produced by Π_A that would normally be sent out at Alice's interface; here however the simulator is instead connected to F^ideal_BE on that interface, and hence we shall instead make the simulator supply the value O as the input values O_B and O_E on the relevant interfaces of the ideal functionality (this is again a very similar construction to the QKD analysis in [PR14]). Upon reaching step 14 we encounter a notable obstacle: the simulator does not have access to the true message value m supplied at Alice's interface of F^ideal_BE Σ_BE (since the simulator is only attached to Bob and Eve's interfaces of F^ideal_BE). Hence at that step it instead acts as though the message had a dummy value 0^n, and releases a corresponding ciphertext C_1 = 0^n ⊕ u_1 (where u_1 is the uniformly random value drawn in step 13). In our security proof below, we will show that despite this substitution, the distinguisher still cannot easily distinguish Π_A F^real_BE and F^ideal_BE Σ_BE.
Proceeding onwards in a similar fashion, the last notable point is that if in the final steps the values of D and F are such that the ideal functionality releases the true message value m, then the simulator will use m to set the value on the register U_1 to m ⊕ h(k_A) ⊕ u_1 instead, before releasing it as part of R (see footnote 17). The idea here is that by setting U_1 to this value, the simulator makes it "retroactively" consistent with having encrypted the true message value m in the previously released ciphertext C_1 using U_1 as a one-time pad, despite the fact that C_1 was originally generated as a dummy value C_1 = 0^n ⊕ u_1. At the end of this section (see Remark 8), we briefly discuss some informal intuition behind this simulator construction.
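The "retroactive consistency" step can be checked concretely: for any fixed m and h(k_A), the joint distribution of (C_1, U_1) is identical whether one sets C_1 = m ⊕ h(k_A) ⊕ u_1 with U_1 = u_1 (real protocol) or C_1 = u_1 with U_1 = m ⊕ h(k_A) ⊕ u_1 (simulator), which is the content of the Fact 23 swap used here. A toy exhaustive enumeration (3-bit values, purely illustrative):

```python
from collections import Counter

n = 3              # toy bit length
m = 0b101          # the distinguisher's message (illustrative)
h_kA = 0b011       # hash value h(k_A), fixed for this illustration

real, ideal = Counter(), Counter()
for u1 in range(2**n):  # u1 ranges over all values, i.e. uniformly random
    # real protocol: C_1 = m XOR h(k_A) XOR u1, decryption-key part U_1 = u1
    real[(m ^ h_kA ^ u1, u1)] += 1
    # simulator: dummy ciphertext C_1 = u1, then retroactively U_1 = m XOR h(k_A) XOR u1
    ideal[(u1, m ^ h_kA ^ u1)] += 1

# the joint distribution of (C_1, U_1) is identical in the two scenarios
assert real == ideal
```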
With the broad picture in mind, we now give the full description of the simulator's actions, with a schematic depiction in Figure 4. Furthermore, after each step in the description, we derive bounds on the distinguishability of the real and ideal functionalities up to that point.
[Footnote 16: For the purpose of the distinguishability argument, the value supplied here is chosen by the distinguisher; our full security analysis below will cover any possible such choice when trying to distinguish Π_A F^real_BE and F^ideal_BE Σ_BE.]

[Footnote 17: Note that the simulator is not constrained to use the actual resources of the ECD protocol. In particular, it does not have to use a temporarily private randomness source, which is why in some of the cases we describe, the value of R the simulator reveals at the outer interface does not describe the randomness used by the simulated Π_A.]

[Figure 4: Schematic for the case of dishonest Bob and Eve, in which we require a simulator Σ_BE (depicted as the dashed region; refer to the main text for more description of the simulator's actions) acting on the ideal functionality F^ideal_BE. As before in the honest functionality, the F input and output is provided only if D = 1, and the simulator only sends y′_T if D = 1 as well. The version of R the simulator releases has U_1 set to m ⊕ h(k_A) ⊕ u_1.]

• The simulator accepts the input states from the outer interface corresponding to Eve, and performs an internal simulated instance of Π_A from the ECD protocol (producing a value
(T, y_T), which it outputs at the outer interfaces for Bob and/or Eve, and accepting a value b_T supplied at the outer interface for Bob, which it uses in its simulated instance of Π_A), until step 10. The inner interface of the simulator then feeds the output O of that step as the values O_B and O_E to the ideal functionality, which releases the same value O to the distinguisher (and also to the simulator, though the simulator does not need it).
Π_A F^real_BE and F^ideal_BE Σ_BE are perfectly indistinguishable throughout this process, since no message value has been chosen yet, and hence the states produced by Π_A F^real_BE and F^ideal_BE Σ_BE are identical.
• If O = ⊥, the simulator stops here, apart from releasing its register R at the end. Otherwise, it continues with its simulated instance of Π_A from the ECD protocol, except that at the step where C_1 is to be generated, it instead prepares C_1 by generating an independent and uniformly random u_1 and setting C_1 = u_1. Furthermore, the simulator does not initialize a register U_1 yet; this is valid because after generating C_1, the register U_1 is not needed at any point in the ECD protocol until the last step. The simulator then proceeds until it receives D from the ideal functionality at the inner interface.
By Fact 23, it is easily seen that the states produced by Π_A F^real_BE and F^ideal_BE Σ_BE remain perfectly indistinguishable throughout these steps: we can equivalently consider the virtual process where Π_A F^real_BE initializes the register C_1 with the independent uniform value u_1, exactly as F^ideal_BE Σ_BE did. (The distinguisher does not yet have access to U_1, the only register which differs between Π_A F^real_BE and F^ideal_BE Σ_BE under this virtual process.)

• If D = 0, the simulator receives the message m at the inner interface and sets U_1 = m ⊕ h(k_A) ⊕ u_1, then outputs the register R at the outer interfaces.
Through this process, the distinguisher only receives D followed by R. Since it already knows D, the former is trivial, and we only need to bound the distinguishability after receiving R. At this point, the state produced by Π_A F^real_BE is such that U_1 was initialized with the independent uniform value u_1, and C_1 with the value m ⊕ h(k_A) ⊕ u_1. In comparison, the state produced by F^ideal_BE Σ_BE is such that C_1 was initialized with the independent uniform value u_1 and U_1 with the value m ⊕ h(k_A) ⊕ u_1. Applying Fact 23, the situations for Π_A F^real_BE and F^ideal_BE Σ_BE are hence exactly equivalent.
• If D = 1, the simulator releases y′_T at the outer interfaces, then receives an input b′_T. Using this value, it runs step 26, and feeds the output F of that step to the ideal functionality. Depending on the value of F, it performs one of the following actions:

– If F = ✗, the simulator does the same as in the D = 0 case: it receives the message m at the inner interface and sets U_1 = m ⊕ h(k_A) ⊕ u_1, then outputs the register R at the outer interfaces.
– If F = ✓, the simulator sets U_1 = 0^n ⊕ h(k_A) ⊕ u_1, then outputs the register R at the outer interfaces.
Through this process, the distinguisher receives (D, y′_T), supplies an input b′_T, then receives F followed by R. By Fact 23, it is again easily seen that the states produced by Π_A F^real_BE and F^ideal_BE Σ_BE remain perfectly indistinguishable up until R is released, because as long as the distinguisher does not have access to R (and hence U_1), we can consider the virtual process where both Π_A F^real_BE and F^ideal_BE Σ_BE initialized C_1 with the independent uniform value u_1.
After R is released, we note that the conditional states for the O = ⊥ component are perfectly indistinguishable, because in that component all the registers are independent of the message (possibly by being set to "blank" values). Also, the conditional states for F = ✗ are perfectly indistinguishable, by the same argument as in the D = 0 case above. As for the conditional states for F = ✓, the states produced by Π_A F^real_BE and F^ideal_BE Σ_BE are σ_{CRBB_TE}(m, 1) and σ_{CRBB_TE}(0^n, 1) respectively; the former holds by definition, while the latter can be understood by noting the simulator set the values C_1 = u_1 and U_1 = 0^n ⊕ h(k_A) ⊕ u_1, but by Fact 23 the values on C_1 and U_1 can be swapped, which would then result in the state σ_{CRBB_TE}(0^n, 1).
Overall, the distinguisher's states produced by Π_A F^real_BE and F^ideal_BE Σ_BE at this point are respectively of the stated forms, where ω and ψ are appropriate conditional states for O = ⊥ and F = ✗ (as argued above, these states are the same in the two scenarios), and p_{✓|⊤} is the same in both scenarios (by Lemma 24). The only components that differ in the two scenarios are the σ terms, hence by Lemma 27 we see that the ℓ_1 distance between the states is bounded by 2λ_CI.
Remark 8. Informally, one piece of intuition captured by the above simulator construction is that we are showing there exists a process that can (given access to Bob and Eve's interfaces in F^ideal_BE) closely reproduce the real behaviour Π_A F^real_BE, without having access to Alice's actual message m until/unless the ideal resource F^ideal_BE reveals it in the final steps. This in particular serves to formalize the notion that the real behaviour Π_A F^real_BE does not "leak unwanted information about m" (though we highlight that, as discussed in Section 2.1.3, satisfying the full Definition 1 condition automatically guards against a much broader class of possible "flaws"). This form of reasoning also lies behind other simulator-based arguments outside of Abstract Cryptography, for instance in the security analysis of protocols for zero-knowledge proofs.

Dishonest Bob and honest Eve
Since Eve has no inputs to the protocol after the initial step, the argument for this case is essentially the same as the preceding section, just with E traced out.

Honest Bob and dishonest Eve
• The simulator accepts the input states from the outer interface corresponding to Eve, and performs internal simulated instances of Π_A and Π_B from the ECD protocol until step 10. The inner interface of the simulator then feeds the output O of that step as the value O_E to the ideal functionality, which releases the same value O to the distinguisher (and also to the simulator, though the simulator does not need it).
By Fact 23, the states produced by Π_AB F^real_E and F^ideal_E Σ_E remain perfectly indistinguishable throughout these steps: we can again consider the virtual process where Π_AB F^real_E initializes the register C_1 with the independent uniform value u_1, exactly as F^ideal_E Σ_E did. (The distinguisher does not yet have access to U_1, the only register which differs between Π_AB F^real_E and F^ideal_E Σ_E under this virtual process.)

• If D = 0, the simulator continues with its simulated instances of Π_A and Π_B until those protocols are finished, upon which the simulator sets U_1 = 0^n ⊕ h(k_A) ⊕ u_1 and releases R at the outer interface.
Through this process, the distinguisher receives D followed by R M . (There is no F output for D = 0.) The distinguisher supplies no inputs, so we can suppose without loss of generality that it applies no operations on its systems through this process, and we only need to bound the distinguishability after R M is released.
The distance between the states from Π_AB F^real_E and F^ideal_E Σ_E at this point splits into two terms. By Lemma 27, the second term is bounded by 2λ_CI. As for the first term, we obtain a bound by applying Lemma 26 in the last line. Adding the two bounds, we arrive at a final bound of 2λ_CI + 2λ_EC.
• If D = 1, the simulator continues with its simulated instances of Π_A and Π_B: it releases y′_T and b′_T, then sets U_1 = 0^n ⊕ h(k_A) ⊕ u_1 and finally releases R at the outer interface.
Through this process, the distinguisher receives (D, y′_T) (at t_3), then b′_T followed by F (at t_4), and finally R and M (at t_5). The distinguisher supplies no inputs, so we can suppose without loss of generality that it applies no operations on its systems through this process, and we only need to bound the distinguishability after R and M are released. Also, D is trivial since the distinguisher chose it, and so is M since here it is always set to 0^n, so we shall ignore these registers.
We note that the conditional states for the O = ⊥ component at this point are perfectly indistinguishable, because in that component all the registers are independent of the message (possibly by being set to "blank" values). Also, for the F = ✓ component, the conditional states produced by the two scenarios are the corresponding σ(m, 1) and σ(0^n, 1) states respectively, where the latter can be understood by again using Fact 23 to swap the values on the C_1 and U_1 registers.
Overall, the states produced by Π_AB F^real_E and F^ideal_E Σ_E at this point are respectively of the stated forms, where ω is an appropriate conditional state (as argued above, it is the same in both scenarios), ψ are appropriate conditional states, and p_{✓|⊤} is the same in both scenarios (by Lemma 24). The ℓ_1 distance between the two expressions is bounded by applying Lemmas 25 and 27 (for the latter we use the fact that B can contain a copy of Y′_T B′_T, and apply Fact 9).

Honest Bob and Eve
In this case there are no dishonest parties, so the simulator is trivial and our task is simply to bound the distinguishability between Π_ABE F^real and F^ideal.
• We first consider the situation up until D is supplied.
Through this process, the distinguisher receives O, then supplies M and D. When O is released, the states produced by Π_ABE F^real and F^ideal are (1 − p_⊤)|⊥⟩⟨⊥|_O + p_⊤|⊤⟩⟨⊤|_O and |⊤⟩⟨⊤|_O respectively, where p_⊤ is computed with respect to the honest behaviour in the ECD protocol. The ℓ_1 distance between them is 2(1 − p_⊤), which Lemma 25 bounds. After that, Π_ABE F^real and F^ideal do not release any outputs during the steps described here, hence the distance between the states cannot increase.
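As a quick numerical check of this step (with a toy value of p_⊤, not derived from the protocol), the ℓ_1 (trace-norm) distance between the two diagonal states on the O register is exactly 2(1 − p_⊤):

```python
import numpy as np

p_top = 0.9  # illustrative value of p_⊤
# real: (1 - p_⊤)|⊥⟩⟨⊥| + p_⊤|⊤⟩⟨⊤|   ideal: |⊤⟩⟨⊤|   (both diagonal)
rho_real = np.diag([1 - p_top, p_top])
rho_ideal = np.diag([0.0, 1.0])

# trace-norm distance: sum of absolute eigenvalues of the difference
l1 = np.abs(np.linalg.eigvalsh(rho_real - rho_ideal)).sum()
assert np.isclose(l1, 2 * (1 - p_top))
```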
• If D = 0: The distinguisher receives D followed by M. (There is no F output for D = 0.) D is trivial since the distinguisher chose it, so we only need to bound the distinguishability after M is released. The states produced by Π_ABE F^real and F^ideal at this point are as stated (filling in the register M with a "blank value" ϕ in the case where O = ⊥ for Π_ABE F^real), and the ℓ_1 distance between them is upper bounded by applying Lemmas 25 and 26 in the last line.
• If D = 1: The distinguisher receives D, followed by F and M. D is trivial, and no inputs occur between F and M, so we only need to bound the distinguishability after M is released. The states produced by Π_ABE F^real and F^ideal at this point are as stated (filling in the registers M, F with a "blank value" ϕ in the case where O = ⊥ for Π_ABE F^real), and the bound follows by applying Lemma 25.
7 Parallel repetition theorems

7.1 Parallel repetition theorem for 2-round 2-player product-anchored games

Definition 3. A 2-round 2-player non-local game is called a product-anchored game with anchoring probability α iff

• Alice and Bob get (x, y) ∈ X × Y from a product distribution as their first round inputs.
• Alice and Bob produce (a, b) ∈ A × B as their first round outputs.
• Bob gets z = ⊥ with probability α and z = (x, y′) with probability 1 − α as his second round input, such that the distribution of (x, y) conditioned on z = ⊥ is the same as the marginal distribution of (x, y). (Alice has no input.)

• Bob produces b′ as his second round output. (Alice has no output.)

• Alice and Bob win the game iff V(x, y, a, b) and V′(x, y, z, a, b, b′) are both satisfied.
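To make the input structure concrete, here is one simple sampler consistent with the definition (the alphabets and α are illustrative assumptions); since the anchoring event is sampled independently of (x, y), the distribution of (x, y) conditioned on z = ⊥ equals its marginal, as required:

```python
import random

def sample_round_inputs(alpha, X, Y, rng):
    # first-round inputs from a product distribution
    x, y = rng.choice(X), rng.choice(Y)
    # Bob's second-round input: ⊥ (modelled as None) with probability alpha,
    # else (x, y') with a fresh independent y'
    z = None if rng.random() < alpha else (x, rng.choice(Y))
    return x, y, z

rng = random.Random(7)
alpha = 0.3
X, Y = [0, 1, 2], ["a", "b"]
samples = [sample_round_inputs(alpha, X, Y, rng) for _ in range(10000)]

# sanity checks on the structure of the anchored distribution
frac_anchor = sum(z is None for _, _, z in samples) / len(samples)
assert abs(frac_anchor - alpha) < 0.05
assert all(z is None or z[0] == x for x, _, z in samples)
```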
Theorem 29. Let G be a 2-round 2-player non-local product-anchored game satisfying the conditions above with parameter α. Then for δ > 0 and t = (ω*(G) + η)l,

We shall use the following results in order to prove the theorem.
Fact 31. Let P_{TU_1...U_lV} be a probability distribution over T × U^l × V, and let E be any event. Then
Using the above fact, we prove the following lemma that we shall use later.
Lemma 32. Suppose P_{ST} and P_{S′T′R′} are distributions such that, for some t*, we have

Proof. Note that

Similarly,

where in the second inequality we have used Fact 31. Combining all this, and using Fact 5, this proves item (i).
Using this we get, where we have used Fact 5 in the last inequality.
Next, note that we can apply Fact 31 to get a bound, because the marginal distribution on the first two variables is P_{ST} in both terms, which satisfies P_{ST}(s, t*) = P_T(t*)P_S(s) = α · P_S(s) for all s. But since by definition we have P_{STR′′} = P_{ST} P_{R′|S′T′}, we can rewrite the bound as follows:

Using this we get,

Therefore, using (18) and (19),

This proves item (ii).
Finally, we shall use the following two facts.
Fact 33 ([JPY14], Lemma III.1). Suppose ρ and σ are CQ states satisfying ρ = δσ + (1 − δ)σ′ for some other state σ′. Suppose Z is a classical register of size |Z| in ρ and σ such that the distribution on Z in σ is P_Z. Then

Fact 34 (Quantum Raz's Lemma, [BVY15]). Let ρ_{XY} and σ_{XY} be two CQ states with X = X_1...X_l being classical, and σ being product across all registers. Then

Proof of Theorem 29. Consider a strategy S for l copies of G (it may correspond to G^l or G^{t/l}; it doesn't really matter): before the game starts, Alice and Bob share an entangled state on a collection of registers. Here A, B, B′ will be the registers in which the outputs are measured in the computational basis, and Ā, B̄, B̄′ are registers onto which the contents of A, B, B′ are copied; we can always assume the outputs are copied since they are classical. Alice and Bob apply unitaries based on their first round inputs XY to their respective halves of this entangled state and measure in the computational basis to obtain their first round outputs. We define the following pure state to represent the inputs, outputs and other registers in the protocol at this stage:

where we have used Z to denote Bob's second round input, which is either ⊥ or (x, y′). We have included the Z Z̄ registers in this state even though Bob has not received the z input yet; the state in the entangled registers has no dependence on z, however. Here P_{AB|xy}(a, b) is the probability of Alice and Bob obtaining outputs (a, b) on inputs (x, y) in the first round.
In the actual protocol, the AB registers are measured on |ρ⟩, and the subsequent unitary Bob applies on the B′ B̄′ E_B registers can depend on his first round output, as well as both his inputs. We represent the state of the protocol at this stage by:

Note that |σ⟩ is related to |ρ⟩ by a unitary on the B′ B̄′ E_B registers that is controlled on the registers Y ZB, which is why the marginal distribution of AB is the same in |ρ⟩ and |σ⟩. Note that even though no operations explicitly dependent on x are done in the second round, the distribution of Bob's second round output can still depend on x (through z).

Let ω*(G) = 1 − ε. To prove the theorem, we shall use the following lemma (whose proof is given later).
Lemma 35. The stated bound holds in a strategy S for l copies of G (here X, Y are the first round inputs, A, B the first round outputs, and V the first round predicate; Z is the second round input, B′ the second round output, and V′ the second round predicate).
The theorem follows from the above lemma using standard arguments as in e.g.
[Rao08]; we shall reproduce here the proof given in that work, with some additional elaborations. We only need to prove the upper bound on ω*(G^{t/l}); the one for ω*(G^l) then follows immediately by setting η = 1 − ω*(G^l).
Consider any strategy for playing l parallel instances of G. We begin by proving the following claim: for any γ ∈ (0, 1), if we set n to be a value satisfying (20) and pick a uniformly random subset C ⊆ [l] of size n, the expected probability of winning all the instances on the chosen subset satisfies (21). Note that there is indeed a (unique) value of n satisfying the required condition. To prove this claim, let I_1, I_2, ..., I_n be a sequence of random variables obtained by drawing elements from [l] uniformly at random without replacement (in this argument, random variables will be denoted in bold, while specific values they can take will be denoted without bolding). For each j ∈ [n], we define a random variable C_j = (I_1, I_2, ..., I_j), i.e. its value is the tuple formed by the first j elements of the sequence. In a minor abuse of terminology, we will sometimes call the tuple C_j a subset of [l], and we define W_j to be the event that all instances in C_j are won. With this interpretation, observe that C_n is a uniformly random subset of size n, and hence our goal is just to prove a bound on Pr[W_n] (since this would be equal to E_C Pr[E_C] in (21)). Next, for each j ∈ [n] we define L_j to be an event on C_j, as follows: it is the event that C_j takes a value C_j such that Pr[E_{C_j}] ≤ (1 − ε + 191γ/α)^n, i.e. the probability of winning all games on that particular subset C_j is "low" (see footnote 18). Also, let H_j be the complementary event that C_j takes a value C_j such that Pr[E_{C_j}] > (1 − ε + 191γ/α)^n, i.e. the winning probability is "high".
With these events, we can write Pr[W_n] = Pr[W_n ∧ L_n] + Pr[W_n ∧ H_n] and bound the individual terms. The first term is simply upper bounded by (1 − ε + 191γ/α)^n due to the definition of L_n. To bound the second term, we argue as follows for each j ∈ [n]. Observe that if we consider any fixed value C_j for the random variable C_j, this also fixes a value C_{j−1} for the "preceding" tuple C_{j−1}, and furthermore, winning all instances of the game on C_j implies winning all instances on C_{j−1}. With this, the event W_j always implies the event W_{j−1}, and so we can write W_j = W_j ∧ W_{j−1}. It also tells us that for each value C_j we have Pr[E_{C_j}] ≤ Pr[E_{C_{j−1}}], from which we see that the event H_j always implies the event H_{j−1}, and we can write H_j = H_j ∧ H_{j−1}. Hence for each j ∈ [n] we have

where for ease of notation we introduce trivial "always-true" events W_0 and H_0. Applying this relation repeatedly, we arrive at

Hence it suffices to bound Pr[W_j ∧ H_j | W_{j−1} ∧ H_{j−1}] for each j, which we shall do by upper bounding it with Pr[W_j | W_{j−1} ∧ H_{j−1}] and applying Lemma 35. In more detail: note that conditioned on H_{j−1}, by definition C_{j−1} takes a value C_{j−1} satisfying Pr[E_{C_{j−1}}] > (1 − ε + 191γ/α)^n, and this is the same as log(1/Pr[E_{C_{j−1}}]) < γ²l − n · log(|A| · |B| · |B′|) by the defining property (20) for n. Substituting this into the bound in Lemma 35 gives (since |C_{j−1}| ≤ n)

With this, we can apply Lemma 35 to write Pr[W_j | W_{j−1} ∧ H_{j−1}] ≤ 1 − ε + 191γ/α (recalling that C_j can be viewed as being generated from C_{j−1} by drawing a uniformly random i ∉ C_{j−1} and appending it). Since this bound holds for every j ∈ [n], we get Pr[W_n ∧ H_n] ≤ (1 − ε + 191γ/α)^n, which yields the claimed bound (21).
18 A slightly different perspective that may help in understanding the definition of this event is that for each j ∈ [n], we can define an indicator variable V^L_j as follows: V^L_j is a function of C_j, taking value 1 if C_j takes a value C_j such that Pr[E_{C_j}] ≤ (1 − ε + 191γ/α)^n, and taking value 0 otherwise. (Note that this is a well-defined function of C_j because we have fixed a particular strategy for playing the game, and hence Pr[E_{C_j}] is a function of C_j only.) The event L_j is then exactly the event V^L_j = 1.
Finally, to use this to prove the bound on ω*(G^{t/l}) for t = (1 − ε + η)l, we set γ = αη/764, which gives n < (1 − ε + η)l. If t = (1 − ε + η)l games are won, we can pick a random subset of size n out of the (1 − ε + η)l won games, and observe that the probability of winning (1 − ε + η)l games is upper bounded by the probability of winning on this random subset. Therefore we have the bound (22), where the last inequality follows from the bound (21) (note that the binomial-coefficient terms are independent of the summations and can hence be factored out). We can then simplify the second factor in this expression, using the defining expression for n in the last step. Putting this back into (22) proves the theorem after substituting the value of n.
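The particular constant 764 can be sanity-checked: since 764 = 4 · 191, the choice γ = αη/764 turns the slack term 191γ/α into exactly η/4, which is strictly smaller than η. A minimal exact-arithmetic check:

```python
from fractions import Fraction
import random

# 764 = 4 * 191, so gamma = alpha*eta/764 gives 191*gamma/alpha = eta/4.
assert 4 * 191 == 764

random.seed(0)
for _ in range(100):
    alpha = Fraction(random.randint(1, 99), 100)
    eta = Fraction(random.randint(1, 99), 100)
    gamma = alpha * eta / 764
    # The slack term in the per-instance bound becomes exactly eta/4 ...
    assert 191 * gamma / alpha == eta / 4
    # ... which is strictly below the target slack eta, for any eta > 0.
    assert eta / 4 < eta
print("191*gamma/alpha == eta/4 for gamma = alpha*eta/764")
```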
To prove Lemma 35, we shall first define the correlation-breaking random variables D_iG_i for each i ∈ [l] as follows: D_i is a uniformly random bit, and G_i takes value X_iY_i or Z_i respectively depending on whether D_i is 0 or 1. With this, XYZ are independent conditioned on DG: to see this, first note that the distribution on XYZDG is independent across instances, so it suffices to prove that for each i, X_iY_iZ_i are independent conditioned on D_iG_i. Observe that conditioned on D_i = 0, the value of X_iY_i is fixed by G_i, so X_iY_i are trivially independent conditioned on G_i. Whereas conditioned on D_i = 1, the value of Z_i is fixed by G_i, so it suffices to show that X_iY_i is independent conditioned on Z_i. This is indeed true because conditioned on Z_i = ⊥, the distribution of X_iY_i is equal to their marginal distribution, which is product; whereas conditioned on any other value of Z_i, the value of X_i is fixed by Z_i, so X_i is trivially independent of Y_i.
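This single-instance independence argument can be verified exactly on a toy model. The concrete form of the inputs below (X, Y uniform bits, and Z equal to ⊥ with probability α and otherwise a value that fixes X) is an illustrative assumption, not the paper's magic-square distribution:

```python
from fractions import Fraction
from itertools import product
from collections import defaultdict

ALPHA = Fraction(1, 2)  # anchoring probability (illustrative choice)

# Build the exact joint distribution P(x, y, z, d, g) for one instance.
joint = defaultdict(Fraction)
for x, y in product([0, 1], repeat=2):
    p_xy = Fraction(1, 4)  # X, Y uniform and independent (product inputs)
    # Anchored second-round input: Z = ⊥ w.p. ALPHA, else a value fixing X.
    for z, p_z in [("bot", ALPHA), (("x", x), 1 - ALPHA)]:
        for d in [0, 1]:  # D uniform bit; G = X_iY_i if D = 0, else Z_i
            g = (x, y) if d == 0 else z
            joint[(x, y, z, d, g)] += p_xy * p_z * Fraction(1, 2)

# Check: X, Y, Z are mutually independent conditioned on (D, G).
cond = defaultdict(Fraction)
for (x, y, z, d, g), pr in joint.items():
    cond[(d, g)] += pr
for (d, g), p_dg in cond.items():
    def marg(idx, val):
        # Marginal of the idx-th variable conditioned on (D, G) = (d, g).
        return sum(pr for k, pr in joint.items()
                   if k[3] == d and k[4] == g and k[idx] == val) / p_dg
    for (x, y, z, dd, gg), pr in joint.items():
        if (dd, gg) != (d, g):
            continue
        assert pr / p_dg == marg(0, x) * marg(1, y) * marg(2, z)
print("X, Y, Z are independent given (D, G)")
```

The three cases in the assertion mirror the proof: given D = 0, X and Y are fixed by G; given D = 1 and G = ⊥, X and Y retain their product marginal; given D = 1 and G ≠ ⊥, X is fixed and Y is free.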
Let |ρ⟩_{dg} and |σ⟩_{dg} denote the states |ρ⟩ and |σ⟩ conditioned on DG = dg, which simply means that the distribution of XYZ used in them is conditioned on dg.
Conditioned on DG = dg, we define the state |φ⟩_{dg}, which is |σ⟩_{dg} conditioned on success on C, i.e., on the event E_C as defined in Lemma 35, where γ_{dg} is the probability of winning on C conditioned on DG = dg in the strategy S; γ_{dg} averaged over dg is then Pr[E_C]. It is easy to see that P_{XYZABB′|E_C,dg} is the distribution on the registers XYZABB′ in |φ⟩_{dg}, and E_{P_{DG|E_C}} P_{XYZABB′|E_C,dg} = P_{XYZABB′|E_C}.
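A standard way to write such a success-conditioned state is as a renormalized projection. In the sketch below, Π_{E_C} is notation we introduce for the measurement projector corresponding to winning all instances in C; it is offered as a plausible rendering, not the paper's exact display:

```latex
|\varphi\rangle_{dg} \;=\; \frac{1}{\sqrt{\gamma_{dg}}}\,\Pi_{E_C}\,|\sigma\rangle_{dg},
\qquad
\gamma_{dg} \;=\; \big\|\,\Pi_{E_C}\,|\sigma\rangle_{dg}\big\|^{2},
\qquad
\Pr[E_C] \;=\; \mathop{\mathbb{E}}_{P_{DG}}\big[\gamma_{dg}\big].
```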
In the remainder of the proof, we shall use the following notation. For i ∈ [l], we shall use subscripts to denote states and distributions conditioned on the corresponding values; we shall use similar notation for other variables and subsets of [l] as well. |φ⟩_{⊥,d_{−i}g_{−i}} will be used to refer to |φ⟩ conditioned on Z_i = ⊥ and D_{−i}G_{−i} = d_{−i}g_{−i}. We shall use the following lemma, whose proof we give later, to prove Lemma 35. In the statement of this lemma, and in the proofs henceforth, we shall refer to δ_C and E_C as just δ and E for brevity.
Lemma 36. Let δ be δ_C as defined in Lemma 35. If δ ≤ α²/8, then conditions (i)–(iv) below hold.

Proof of Lemma 35. Note that if δ ≥ α²/8, the upper bound in Lemma 35 is trivial, so we shall only prove the lemma in the case δ ≤ α²/8, using Lemma 36. Using Lemma 36, we give a strategy S′ for a single copy of G as follows:

• Alice and Bob share log |C| uniform bits; for each i ∈ C, the distribution P_{R_i|E,⊥} as randomness; and for each R_i = r_i, the state |φ⟩_{⊥r_i} as entanglement, with Alice holding registers X_C X_C̄ E_A A_C A_C̄ and Bob holding the remaining registers.

• Alice and Bob use their shared randomness to sample i ∈ C uniformly, and in the first round apply U^i_{x_ir_i}, V^i_{y_ir_i} to their parts of the shared entangled state, according to their shared randomness from P_{R_i|E,⊥} and their first-round inputs.
• Alice and Bob measure the A_i, B_i registers of the resulting state to give their first-round outputs.

• Bob applies W^i_{y_iz_ir_i} to his half of the shared entangled state after the first round, according to his second-round input and the shared randomness.

• Bob measures the B′_i register of the resulting state to give his second-round output.
We shall first do the analysis assuming Alice and Bob hold the ideal shared distribution and states described above. Let the conditional distribution Alice and Bob obtain after the first round be denoted as in Lemma 36 (note that A_iB_i are actually independent of Z_i given X_iY_i, but we are still writing Z_i in the conditioning), and similarly their conditional distribution after the second round. Since the first-round distribution is obtained by measuring the same registers of |φ⟩_{x_iy_i⊥r_i}, from item (ii) of Lemma 36 and Fact 9 we obtain a closeness bound; combining this with item (iii) of the lemma, and by similar reasoning with item (iv), and then combining these with item (i), we overall obtain a bound on how far the constructed strategy's distribution is from the ideal one. Since Pr[T_i = 1|E] is the probability of winning instance i conditioned on E, if we had E_{i∈C} Pr[T_i = 1|E] > 1 − ε + 191√δ/α, then the winning probability of our constructed strategy would exceed the optimal winning probability of G, which is a contradiction. Therefore we must have E_{i∈C} Pr[T_i = 1|E] ≤ 1 − ε + 191√δ/α.
Proof of Lemma 36. Closeness of distributions. Applying Fact 30 with T, V trivial and U_i = X_iY_iZ_i, we get a bound in terms of δ, recalling that we are taking δ to be the value δ_C defined in Lemma 35. In particular, the last line of the resulting equation is obtained by recalling that we have required δ ≤ α²/8, which implies |C| ≤ l/2.
Also, we apply Fact 30 again with the same U_i, T = X_CY_CZ_C DG and V = A_CB_CB′_C, where the last line of the resulting bound is obtained by conditioning on the values D_i = 0 and D_i = 1. Now, the bound (23) allows us to apply item (ii) of Lemma 32, with X_iY_i = S, Z_i = T, R_i = R, and the corresponding variables conditioned on E being the primed variables in the lemma statement. Applying (23) and (24) to the terms on the right-hand side of the resulting inequality yields item (i) of the lemma.
Existence of unitaries U^i_{x_ir_i} and V^i_{y_ir_i}. We first note

(log(1/γ_{dg}) + log(|A|^{|C|} · |B|^{|C|} · |B′|^{|C|})) ≤ log(1/E_{P_{DG|E}} γ_{dg}) + |C| · log(|A| · |B| · |B′|) = log(1/Pr[E]) + |C| · log(|A| · |B| · |B′|) = δl,

where the first inequality is from (7), and for the second step we have used Fact 33 on the states φ_{dg} and σ_{dg} (with z being x_Cy_Cz_Cdg). The state σ conditioned on x_Cy_Cz_Cdg is product across X_C and the rest of the registers, since dg is being conditioned on. Hence, using Quantum Raz's Lemma, we obtain a mutual-information bound, where we have used Pinsker's inequality in the final step; using Jensen's inequality on the above, we then obtain a bound in expectation. Since B(·, ·) always lies between 0 and 1, changing the distribution over which its expectation is taken can only increase the expectation value by at most the ℓ₁-distance between the distributions. This lets us write a corresponding bound, where to get the last step we use the closeness implied by (23). Finally, since P_{Z_i}(⊥) = α, we obtain the analogous bound conditioned on Z_i = ⊥. By Uhlmann's theorem, there then exist unitaries {U^i_{x_ir_i}}_{x_ir_i} acting on Alice's registers. Using these, together with the fact that each ℓ₁-distance term is upper bounded by 2, we obtain a chain of inequalities. In the fourth line of this calculation, we have upper bounded ‖P_{X_i|⊥} P_{R_i|E,⊥} − P_{X_iR_i|E,⊥}‖₁ by ‖P_{X_iY_i|⊥} P_{R_i|E,⊥} − P_{X_iY_iR_i|E,⊥}‖₁, since we obtain the distributions P_{X_i|⊥} P_{R_i|E,⊥} and P_{X_iR_i|E,⊥} respectively by tracing out the Y_i registers of P_{X_iY_i|⊥} P_{R_i|E,⊥} and P_{X_iY_iR_i|E,⊥}; we have upper bounded the corresponding term for Bob by similar reasoning. Putting the resulting bound into (28), we obtain a bound in which the expectation is taken over P_{X_iY_iR_i|E,⊥}. Now, the quantity we actually want to bound is almost the same as this expression, except that we have to take the expectation over the distribution P_{X_iY_iR_i|E} rather than P_{X_iY_iR_i|E,⊥}. Since the ℓ₁-distance term always lies between 0 and 2, changing the distribution over which the expectation is taken can only increase the expectation value by at most 2 times the distance between the two distributions.
Thus we can write a chain of inequalities in which, to get the third line, we used item (i) of Lemma 32 to bound ‖P_{X_iY_iR_i|E} − P_{X_iY_iR_i|E,⊥}‖₁, and in the next line we used (24) and (23) to bound the trace distances. This proves item (ii) of the lemma.
Existence of unitaries W^i_{y_iz_ir_i}. Note that σ_{Z_C X_C X_C̄ A_C A_C̄ B_C B_C̄ E_A | dg} is product across Z_C and the rest of the registers, since they were product in ρ, and σ is obtained from ρ by a unitary that acts on the other registers, only using Z_C as a control register (this is also true if we include Y_C Y_C̄ along with X_C X_C̄ A_C A_C̄ B_C B_C̄ E_A, but we do not need to do this). Therefore, by the same analysis as before, we obtain (32). In the third line of the corresponding calculation, we have split off a distribution term and used item (i) of Lemma 32 (with X_iY_i = S, Z_i = T, R_i = R, and the conditioned variables being the corresponding primed variables) to bound it. In the fourth line, we have used (24) and (23) to bound the trace distances.
Applying the Fuchs–van de Graaf inequality to (32) and tracing out all registers besides A_iB_i gives us a trace-distance bound. Since the A_iB_i registers are classical, the trace distance in this expression can be interpreted as the distance between the distributions P_{A_iB_i|E,x_iy_iz_ir_i} and P_{A_iB_i|E,x_iy_i⊥r_i}. Therefore we obtain item (iii) of the lemma.
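For reference, the Fuchs–van de Graaf inequalities relate the fidelity F(ρ, σ) and the trace distance of any two states ρ, σ:

```latex
1 - F(\rho,\sigma) \;\le\; \tfrac{1}{2}\,\|\rho-\sigma\|_{1} \;\le\; \sqrt{1 - F(\rho,\sigma)^{2}}.
```

In particular, a fidelity close to 1 forces the trace distance (and hence, for classical registers, the statistical distance of the induced distributions) to be small, which is the direction used here.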
To get item (iv) of the lemma, we use the Fuchs–van de Graaf inequality on (32) but don't trace out any registers, and then we use Uhlmann's theorem as before, which gives us unitaries W^i_{x_iy_iz_ir_i}. Since z_i is either ⊥, in which case the unitary W^i_{x_iy_iz_ir_i} can just be the identity, or z_i contains x_i, W^i_{x_iy_iz_ir_i} is in fact just W^i_{y_iz_ir_i}. Let O_{A_iB_i} be the channel that measures the A_iB_i registers and records the outcomes. This clearly commutes with W^i_{y_iz_ir_i}. Therefore, using this and Fact 9 on (33) along with item (iii), we get the required bound. This proves item (iv).

Parallel repetition theorem for 1-round 3-player product-anchored game
We call a 1-round 3-player game product-anchored with parameter α iff Alice's and Bob's marginal input distribution is a product distribution, and Eve's input takes value either z = (x, y) or z = ⊥, such that p(x, y, ⊥) = α · p(x, y). Note that this is also a special type of anchoring on Eve's side, but this definition will be sufficient for our purposes.
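Spelled out, one input distribution consistent with this definition (with p(x, y) = p_A(x)·p_B(y) the product input distribution of Alice and Bob) is:

```latex
p(x,y,z) \;=\; p_A(x)\,p_B(y)\times
\begin{cases}
\alpha, & z = \perp,\\[2pt]
1-\alpha, & z = (x,y),\\[2pt]
0, & \text{otherwise},
\end{cases}
```

so that p(x, y, ⊥) = α·p(x, y) holds for every input pair (x, y), as required.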
Theorem 37. Let G be a 1-round 3-player non-local product-anchored game with parameter α. Then for η > 0 and t = (ω*(G) + η)l,

ω*(G^l) ≤ (1 − (1 − ω*(G))³)^{Ω(α²l / log(|A|·|B|·|C|))},   ω*(G^{t/l}) ≤ (1 − η³)^{Ω(α²l / log(|A|·|B|·|C|))}.

Proof sketch. Defining the correlation-breaking variables D_iG_i the same way as in the 2-player 2-round case, we have that conditioned on DG = dg, Alice's inputs are product with Bob's and Eve's systems in the state of a strategy for l copies of G; the analogous statements hold for Bob's and Eve's inputs as well. As in the case of the 2-round game, we condition on the success event E on a subset C, and define |φ⟩ to be the state of the protocol conditioned on E. Defining R_i and the quantity δ in the same way, the lemma analogous to Lemma 36 in this case is the following.
Lemma 38. If δ = O(ε²α²), the following conditions hold: (i) the closeness bound analogous to item (i) of Lemma 36, with the same dependence on α; (ii) for each i ∈ C, there exist unitaries U^i_{x_ir_i}, V^i_{y_ir_i} and W^i_{z_ir_i} with the analogous properties.

The proof of item (i) in Lemma 38 is exactly the same as in Lemma 36. The existence of the unitaries U^i_{x_ir_i} and V^i_{y_ir_i} in item (ii) is shown in exactly the same way. The existence of Eve's unitaries W^i_{z_ir_i} is shown in a way similar to the existence of the second-round unitaries in Lemma 36, using the fact that Eve's inputs are product with Alice's and Bob's systems in the original state, conditioned on dg.
Using Lemma 38, we can give a strategy for a single copy of G where Alice, Bob and Eve share P_{R_i|E,⊥} as randomness and |φ⟩_{⊥r_i} as entanglement, and apply the unitaries U^i_{x_ir_i}, V^i_{y_ir_i} and W^i_{z_ir_i} on receiving inputs (x_i, y_i, z_i).