Multiuser Commitment over Noisy Channels^†^†thanks: R. Chou is with the Department of Computer Science and Engineering at The University of Texas at Arlington, Arlington, TX. M. Bloch is with the School of Electrical and Computer Engineering at The Georgia Institute of Technology, Atlanta, GA. This work was supported in part by NSF grant CCF-2401373. Part of this work has been presented at the 58th Annual Allerton Conference on Communication, Control, and Computing [1]. Emails : [email protected], [email protected]

Rémi A. Chou and Matthieu R. Bloch

Abstract

We consider multi-user commitment models that capture the problem of enabling multiple bidders to simultaneously submit auctions to verifiers while ensuring that i) verifiers do not obtain information on the auctions until bidders reveal them at a later stage; and, ii) bidders cannot change their auction once committed. Specifically, we assume that bidders and verifiers have access to a noiseless channel as well as a noisy multiple-access channel or broadcast channel, where inputs are controlled by the bidders and outputs are observed by verifiers. In the case of multiple bidders and a single verifier connected by a non-redundant multiple-access channel, we characterize the commitment capacity region when bidders are not colluding. When the bidders are colluding, we derive an achievable region and a tight converse for the sum rate. In both cases our proposed achievable commitment schemes are constructive. In the case of a single bidder and multiple verifiers connected by a non-redundant broadcast channel, in which verifiers could drop out of the network after auctions are committed, we also characterize the commitment capacity region. Our results demonstrate how commitment schemes can benefit from multi-user protocols, and develop resilience when some verifiers may become unavailable.

Index Terms:

Commitment, noisy channels, multiple-access channels, broadcast channel, information-theoretic security.

I Introduction

Commitment without the need for a trusted third party can be traced back to Blum’s coin-flipping problem [2]. More generally, a two-party commitment problem involves a bidder, Alice, and a verifier, Bob, and operates in two phases. In the first phase, called the commit phase, Alice sends Bob information to commit to a message $M$ , representing a bid in an auction that must remain concealed from Bob. In the second phase, called the reveal phase, Alice reveals a message $M^{\prime}$ to Bob, who must determine whether $M^{\prime}$ is the message that Alice committed to in the commit phase. The protocol must be binding in the sense that, in the reveal phase, Alice cannot make Bob believe that she committed to a message $M^{\prime}\neq M$ . It is well-known that information-theoretic concealment guarantees cannot be achieved over noiseless communication channels, e.g., [3]. However, when a noisy channel is available as a resource, both concealment and binding requirements can be obtained under information-theoretic guarantees, i.e., when Alice and Bob are not assumed to be computationally limited, for some class of noisy channels called non-redundant [4].

Most of the literature on information-theoretic commitments focuses on two-party scenarios that involve a single bidder and a single verifier, e.g., [5, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], characterizing commitment capacity under increasingly complex channel models. We study here instead two specific multi-user commitment settings: one in which a verifier interacts with $L$ bidders, each committing to individual messages, and another in which a bidder commits to $B$ verifiers, some of whom may drop out after the commit phase. The motivation for our first setting is to explore whether a multi-bidder protocol can outperform single-bidder protocols and time-sharing when multiple bidders wish to commit to individual messages. Our motivation to consider multiple verifiers in our second setting, is to ensure positive commitment rates even if a verifier drops out of the network after the commit phase, which would be impossible with a single verifier.

In our first setting, $L$ bidders and the verifier have access to a noiseless public communication channel and a noisy discrete memoryless multiple-access channel with $L$ inputs. Each input of the multiple-access channel is controlled by a distinct bidder and the verifier observes the output of the channel. Similar to a two-party setting, the protocol consists of a commit phase and a reveal phase. Here, the concealment requirement is that the verifier must not learn, in an information-theoretic sense, information about any message of any bidder after the commit phase. The protocol must also be information-theoretically binding in the sense that, during the reveal phase, a bidder cannot make the verifier believe that it committed to another message than the one committed to in the commit phase. For this setting, we consider both the cases of colluding and non-colluding bidders. The non-colluding bidders case corresponds to a scenario in which the bidders do not trust each other and do not want to exchange information with one another. For instance, this would be the case when the bidders commit to messages sent to an auctioneer. Under a non-redundancy condition on the multiple-access channel, we derive the capacity region for the non-colluding bidders case, and an achievable region and the sum-rate capacity for the colluding bidders case. In both cases, our achievability scheme is constructive and relies on distributing hashing with two-universal hash functions [16] for the concealment guarantees. The bindingness of our achievability scheme hinges on the non-redundancy property of the multiple access channel akin to the two-party commitment in [4]. The characterization of the sum-rate capacity relies on the polymatroidal properties of our achievability region. Additionally, we demonstrate through a numerical example that, for some channels, using a multi-bidder protocol can outperform using single-bidder protocols, e.g., [4], and time-sharing.

In our second setting, a single bidder can interact with $B$ verifiers through a noiseless public communication channel and a noisy discrete memoryless broadcast channels with $B$ outputs. The input of the channel is controlled by the bidder and each output is observed by a verifier. Similar to our first setting, the protocol consists of a commit phase and a reveal phase, and must guarantee information-theoretic bindingness and concealment. Our results demonstrate that introducing multiple verifiers can mitigate situations in which verifiers could drop out of the network after the commit phase, as long as one verifier is available during the reveal phase to validate the committed message. For this setting, we derive the commitment capacity under a non-redundancy property of the channel.

As a byproduct of independent interest, we show a simple sufficient condition, in terms of injectivity of the transition probability matrix of the channel, to guarantee channel non-redundancy. Additionally, we prove that, for channels whose input alphabet is at most three, our sufficient condition is also necessary, and thus equivalent to the non-redundancy characterization in [4].

The remainder of the paper is organized as follows. After a review of notation in Section II, we develop an auxiliary result in Section III, offering a sufficient condition to guarantee non-redundancy and an alternative characterization of non-redundant channels with input alphabet of cardinality at most three. We formally introduce our multiuser commitment models in Section IV along with the associated results. We delegate the proofs to Section V and Section VI to streamline the presentation. Finally, we provide concluding remark in Section VII.

II Notation

For $a,b\in\mathbb{R}$ , define $\llbracket a,b\rrbracket\triangleq[\lfloor a\rfloor,\lceil b\rceil]\cap\mathbb% {N}$ . Unless specified otherwise, random variables and their realizations are denoted by uppercase and corresponding lowercase letters, respectively, e.g., $x$ is a realization of the random variable $X$ . A Discrete Memoryless Channel (DMC) with input alphabet $\mathcal{X}$ , output alphabet $\mathcal{Y}$ , and transition probability $W$ is denoted by $(\mathcal{X},\mathcal{Y},W)$ . Additionally, for $x\in\mathcal{X}$ , $W_{x}$ denotes the output distribution of the channel when the input is $x$ . The probability simplex for distributions defined over the set $\mathcal{X}$ is denoted by $\mathcal{P}(\mathcal{X})$ . For a DMC $(\mathcal{X},\mathcal{Y},W)$ and a distribution $p\in\mathcal{P}(\mathcal{X})$ , $W\circ p$ denotes the distribution of the channel output when the input is distributed according to $p$ . $\|\cdot\|$ denotes the $\ell_{1}$ -norm. For two distributions $p,q\in\mathcal{P}(\mathcal{X})$ , the variational distance between $p$ and $q$ is denoted by $\mathbb{V}(p,q)\triangleq\frac{1}{2}\|p-q\|$ . The indicator function is denoted by $\mathds{1}\{\omega\}$ , which is equal to $1$ if the predicate $\omega$ is true and $0$ otherwise.

III Non-Redundant Channels

[4] introduced the concept of non-redundant channel as follows. A DMC $(\mathcal{X},\mathcal{Y},W)$ is non-redundant if

\displaystyle\exists\eta>0,\forall x\in\mathcal{X},\forall p\in\mathcal{P}(% \mathcal{X})\text{ s.t. }p(x)=0,\|W_{x}-W\circ p\|\geqslant\eta.

(1)

The following proposition offers a sufficient condition for a channel to be non-redundant. We will then show that this condition is also necessary for a channel to be non-redundant in the case of an input alphabet with cardinality smaller than or equal to three.

Proposition 1.

A DMC $(\mathcal{X},\mathcal{Y},W)$ is non-redundant if

W\circ p=W\circ q\Rightarrow p=q.

Proof.

We first show that a channel is non-redundant if and only if¹¹1This fact is implicitly assumed true in [4], we prove it here for completeness.

\displaystyle\forall x\in\mathcal{X},\forall p\in\mathcal{P}(\mathcal{X})\text% { s.t. }p(x)=0,W_{x}\neq W\circ p.

(2)

The fact that (1) implies (2) follows from the definition. Assume now that (2) holds. For $x\in\mathcal{X}$ , define the functional

	$\displaystyle f_{x}:\Delta(\mathcal{X}\setminus\{x\})$	$\displaystyle\to\mathbb{R}_{+}$
	$\displaystyle p$	$\displaystyle\mapsto\\|W_{x}-W\circ p\\|,$

where $\Delta(\mathcal{X}\setminus\{x\})$ is the set of distributions in $\mathcal{P}(\mathcal{X})$ with supports included in $\mathcal{X}\setminus\{x\}$ . For any $p_{1},p_{2}\in\Delta(\mathcal{X}\setminus\{x\})$ , the triangle inequality ensures that

	$\displaystyle\absolutevalue{f(p_{1})-f(p_{2})}$	$\displaystyle=\absolutevalue{\\|W_{x}-W\circ p_{1}\\|-\\|W_{x}-W\circ p_{2}\\|}$
		$\displaystyle\leqslant\\|{W\circ p_{1}-W\circ p_{2}}\\|$
		$\displaystyle\leqslant\\|p_{1}-p_{2}\\|,$

so that $f_{x}$ is continuous on $\Delta(\mathcal{X}\setminus\{x\})$ . Since $\Delta(\mathcal{X}\setminus\{x\})$ is a subset of $\mathbb{R}^{\absolutevalue{\mathcal{X}}-1}$ that is closed and bounded, it is compact and there exists $p_{x}\in\Delta(\mathcal{X}\setminus\{x\})$ such that

\displaystyle\inf_{p\in\Delta(\mathcal{X}\setminus\{x\})}f_{x}(p)=f_{x}(p_{x}).

Setting $\eta=\min_{x\in\mathcal{X}}f_{x}(p_{x})$ shows that (1) holds, so that (1) and (2) are indeed equivalent.

Finally, if the channel is such that $W\circ p=W\circ q\Rightarrow p=q$ , then (2) follows directly and the channel is non-redundant. ∎

Proposition 2.

If $\absolutevalue{\mathcal{X}}\leqslant 3$ , a DMC $(\mathcal{X},\mathcal{Y},W)$ is non-redundant if and only if

W\circ p=W\circ q\Rightarrow p=q.

Proof.

By Proposition 1, it only remains to show that $W\circ p=W\circ q\Rightarrow p=q$ is a necessary condition for non-redundancy. By contraposition, assume now that the channel is such that there exist two distinct distributions $p,q\in\mathcal{P}(\mathcal{X})$ such that $W\circ p=W\circ q$ . Define $\mathcal{S}\triangleq\{x\in\mathcal{X}:p(x)>q(x)\}$ , which is not empty since $p$ and $q$ are distinct so that $|\mathcal{S}|\geqslant 1$ . Define the distributions

	$\displaystyle\tilde{p}(x)$	$\displaystyle\triangleq\frac{p(x)-q(x)}{\sum_{u\in\mathcal{S}}(p(u)-q(u))},% \forall x\in\mathcal{S},$
	$\displaystyle\tilde{q}(x)$	$\displaystyle\triangleq\frac{q(x)-p(x)}{\sum_{u\in\mathcal{S}^{c}}(q(u)-p(u))}% ,\forall x\in\mathcal{S}^{c},$

which have disjoint support, and note that $\sum_{u\in\mathcal{S}}(p(u)-q(u))=\sum_{u\in\mathcal{S}^{c}}(q(u)-p(u))$ . Then, we have

	$\displaystyle W\circ p=W\circ q$
	$\displaystyle\Leftrightarrow\forall y\in\mathcal{Y},\sum_{x\in\mathcal{S}}W(y\|% x)(p(x)-q(x))=\sum_{x\in\mathcal{S}^{c}}W(y\|x)(q(x)-p(x))$
	$\displaystyle\Leftrightarrow\forall y\in\mathcal{Y},\sum_{x\in\mathcal{S}}W(y\|% x)\tilde{p}(x)=\sum_{x\in\mathcal{S}^{c}}W(y\|x)\tilde{q}(x).$

Since $\absolutevalue{\mathcal{X}}\leqslant 3$ , either $|\mathcal{S}|=1$ or $|\mathcal{S}^{c}|=1$ and we can assume without loss of generality that $\mathcal{S}=\{x^{*}\}$ and $\tilde{p}(x^{*})=1$ . Hence, $W_{x^{*}}=\sum_{x\in\mathcal{X}\setminus\{x^{*}\}}W(y|x)\tilde{q}(x)$ and the channel is redundant as per (2). ∎

Proposition 2 provides an alternative characterization of the non-redundant condition but the result cannot be extended to the case $|\mathcal{X}|>3$ . Indeed, the channel with $\absolutevalue{\mathcal{X}}=4$ , $\absolutevalue{\mathcal{Y}}=3$ , and

\displaystyle W=\left[\begin{array}[]{ccc}1&0&0\\ 1/2&1/2&0\\ 1/2&0&1/2\\ 0&1/2&1/2\\ \end{array}\right]

(7)

corresponds to a non-redundant channel since the rows define the extreme points of a polytope but the input distributions $(0.5,0,0,0.5)$ and $(0,0.5,0.5,0)$ induce the same output distribution.

IV Multi-User Commitment Models and Main Results

In Section IV-A, we present a multi-bidder single-verifier model and our results for both colluding and non-colluding bidders settings. In Section IV-B, we present a single-bidder multi-verifier model and our results for this model.

IV-A Multi-Bidder Single-Verifier Model and Results

Refer to caption — Figure 1: Multi-bidder single-verifier commitment over a multiple-access channel.

We first consider the model illustrated in Figure 1, in which $L\in\mathbb{N}^{*}$ bidders want to commit messages to a single verifier using a noiseless channel and a noisy multiple access channel. We set $\mathcal{L}\triangleq\llbracket 1,L\rrbracket$ . The multiple-access channel is characterized by $L$ finite input alphabets $(\mathcal{X}_{\ell})_{\ell\in\mathcal{L}}$ , a finite output alphabet $\mathcal{Y}$ , and a transition probability $p_{Y|X_{1},\cdots,X_{L}}$ . To simplify notation, we denote the Cartesian product of the input alphabets by $\mathcal{X}_{\mathcal{L}}\triangleq\bigtimes_{{\ell}\in\mathcal{L}}\mathcal{X}% _{\ell}$ , a generic input by $X_{\mathcal{L}}\triangleq(X_{\ell})_{\ell\in\mathcal{L}}$ where $X_{\ell}$ , ${\ell}\in\mathcal{L}$ , is defined over $\mathcal{X}_{\ell}$ , and $p_{Y|X_{\mathcal{L}}}\triangleq p_{Y|X_{1},\cdots,X_{L}}$ . For any $x_{\mathcal{L}}\in\mathcal{X}_{\mathcal{L}}$ , define $W_{x_{\mathcal{L}}}:y\mapsto p_{Y|X_{\mathcal{L}}}(y|x_{\mathcal{L}})$ .

We assume throughout that the multiple access channel $W$ is non-redundant by adapting the definition in (2), i.e.,

\displaystyle\forall x_{\mathcal{L}}\in\mathcal{X}_{\mathcal{L}},\forall p_{X_% {\mathcal{L}}}\in\mathcal{P}(\mathcal{X}_{\mathcal{L}})\text{ s.t. }p_{X_{% \mathcal{L}}}(x_{\mathcal{L}})=0,W_{x_{\mathcal{L}}}\neq\sum_{x^{\prime}_{% \mathcal{L}}\in\mathcal{X}_{\mathcal{L}}}p_{X_{\mathcal{L}}}(x^{\prime}_{% \mathcal{L}})W_{x^{\prime}_{\mathcal{L}}}.

(8)

The bidders interactively use the noiseless and noisy channels to commit their messages (commit phase) and reveal their messages (reveal phase). We distinguish two modes of operation, depending on whether the bidders collude or not.

IV-A1 Colluding bidders

For $({R_{\ell}})_{{\ell}\in\mathcal{L}}$ , a $((2^{n{R_{\ell}}})_{{\ell}\in\mathcal{L}},n)$ commitment scheme with colluding bidders consists of:

•

For every ${\ell}\in\mathcal{L}$ , a sequence $a_{\ell}\in\mathcal{A}_{\ell}\triangleq\llbracket 1,2^{nR_{\ell}}\rrbracket$ that Bidder $\ell$ wishes to commit to;
•

A noiseless communication channel between the bidders and the verifier;
•

Local randomness $S\in\mathcal{R}$ available at the bidders;
•

Local randomness $S^{\prime}\in\mathcal{R}^{\prime}$ available at the verifier.

The scheme then operates as follows:

(i)

Commit phase: Define $a_{\mathcal{L}}\triangleq(a_{\ell})_{{\ell}\in\mathcal{L}}$ . For channel use $i\in\llbracket 1,n\rrbracket$ , the bidders send $X_{\mathcal{L},i}(a_{\mathcal{L}},S,M^{\prime}_{1:i-1,1:r_{i-1}})$ over the channel, where $M^{\prime}_{1:i-1,1:r_{i-1}}\triangleq(M^{\prime}_{\alpha,\beta})_{\alpha\in% \llbracket 1,i-1\rrbracket,\beta\in\llbracket 1,r_{i-1}\rrbracket}$ (with the convention $M^{\prime}_{1:i-1,1:r_{i-1}}=\emptyset$ when $i=0$ ) represents messages previously received from the verifier as described next. Then, the bidders engage in $r_{i}$ rounds of noiseless communication with the verifier, i.e., for $j\in\llbracket 1,r_{i}\rrbracket$ , the bidders send $M_{i,j}(a_{\mathcal{L}},S,M^{\prime}_{1:i,1:j-1})$ and the verifier replies $M^{\prime}_{i,j}(S^{\prime},M_{1:i,1:j},Y^{i})$ , where $Y^{i}\triangleq(Y_{1},Y_{2},\ldots,Y_{i})$ and $M_{1:i,1:j}\triangleq(M_{\alpha,\beta})_{\alpha\in\llbracket 1,i\rrbracket,% \beta\in\llbracket 1,j\rrbracket}$ . We denote the collective noiseless communication between the bidders and the verifier by $M$ , i.e., $M\triangleq(M^{\prime}_{1:n,1:r_{n}},M_{1:n,1:r_{n}})$ . Define $V\triangleq(Y^{n},M,S^{\prime})$ as all the information available at the verifier at the end of the commit phase.
(ii)

Reveal phase: The bidders reveal $(a_{\mathcal{L}},S)$ to the verifier. The verifier performs a test $\beta(V,a_{\mathcal{L}},S)$ that returns $1$ if the sequence $a_{\mathcal{L}}$ is accepted and $0$ otherwise.

The collusion of the bidders is reflected in the randomness $S$ common to all bidders and the fact that bidders know each other’s messages in the commit phase.

Definition 1.

A rate-tuple $(R_{\ell})_{\ell\in\mathcal{L}}$ is achievable if there exists a sequence of $((2^{n{R_{\ell}}})_{{\ell}\in\mathcal{L}},n)$ commitment schemes such that for any $\tilde{S}\in\mathcal{R}$ , $a_{\mathcal{L}},a_{\mathcal{L}}^{\prime}\in\mathcal{A}_{\mathcal{L}}$ such that $a_{\mathcal{L}}\neq a^{\prime}_{\mathcal{L}}$ ,

$\displaystyle\lim_{n\to\infty}\mathbb{P}[\beta(V,a_{\mathcal{L}},S)=0]$	$\displaystyle=0,\text{ (correctness) }$	(9)
$\displaystyle\lim_{n\to\infty}I(A_{\mathcal{L}};V)$	$\displaystyle=0,\text{ (concealment)}$	(10)
$\displaystyle\lim_{n\to\infty}\mathbb{P}[\beta(V,a_{\mathcal{L}},S)\!=\!1\!=\!% \beta(V,a_{\mathcal{L}}^{\prime},\tilde{S})]$	$\displaystyle=0.\text{ (bindingness)}$	(11)

The set of all achievable rate-tuples is the capacity region, and the supremum, over all achievable rate-tuples $(R_{\ell})_{{\ell}\in\mathcal{L}}$ , of the sum-rates $\sum_{{\ell}\in\mathcal{L}}R_{\ell}$ is the sum-rate capacity.

(9) means that the verifier accepts the revealed sequences $a_{\mathcal{L}}$ as long as the bidders are honest. (10) ensures that the verifier gains no information about the committed sequences $a_{\mathcal{L}}$ prior to the reveal phase. (11) ensures that the bidders cannot convince the verifier to accept sequences other than those initially committed to.

Our main results is a partial characterization of the capacity region for colluding bidders. In the following, for any $\mathcal{T}\subseteq\mathcal{L}$ , we write the sum-rate of the bidders in $\mathcal{T}$ as $R_{\mathcal{T}}\triangleq\sum_{{\ell}\in\mathcal{T}}R_{\ell}$ .

Theorem 1.

For the case of colluding bidders, the following region is achievable:

\bigcup_{p_{X_{\mathcal{L}}}\in{\mathcal{P}}(\mathcal{X}_{\mathcal{L}})}\{(R_{% \ell})_{{\ell}\in\mathcal{L}}:R_{\mathcal{T}}\leqslant H(X_{\mathcal{T}}|Y),% \forall\mathcal{T}\subseteq\mathcal{L}\}.

Moreover, the sum-rate capacity is $\max_{p_{X_{\mathcal{L}}\in{\mathcal{P}}(\mathcal{X}_{\mathcal{L}})}}H(X_{% \mathcal{L}}|Y).$

Proof.

See Section V-A. ∎

The following example demonstrates that, for some channels, having a multi-bidder coding scheme, rather than doing time-sharing with single-bidder coding schemes as in [4], can increase the sum-rate of the bidders.

Example 1.

Suppose $L=2$ and $\mathcal{X}_{1}=\mathcal{X}_{2}=\mathcal{Y}=\{0,1\}$ . Consider the following transition probability matrices

$\displaystyle W$	$\displaystyle=\left[\begin{array}[]{ccc}W(0\|0,0)&W(1\|0,0)\\ W(0\|0,1)&W(1\|0,1)\\ W(0\|1,0)&W(1\|1,0)\\ W(0\|1,1)&W(1\|1,1)\\ \end{array}\right],$	(16)
$\displaystyle W_{1}$	$\displaystyle=\left[\begin{array}[]{ccc}W(0\|0,0)&W(1\|0,0)\\ W(0\|0,1)&W(1\|0,1)\end{array}\right],$	(19)
$\displaystyle W_{2}$	$\displaystyle=\left[\begin{array}[]{ccc}W(0\|0,0)&W(1\|0,0)\\ W(0\|1,0)&W(1\|1,0)\end{array}\right],$	(22)

and suppose that the corresponding channels are non-redundant.

The transition probability matrix $W_{i}$ , $i\in\{1,2\}$ , corresponds to the situation in which only Bidder $(1-i)$ uses the channel $W$ and $X_{i}$ is constant and equal to $0$ , i.e., when the distribution of $X_{i}$ is $p_{X_{i}}^{\star}$ defined by $(p_{X_{i}}^{\star}(0),p_{X_{i}}^{\star}(1))\triangleq(1,0)$ . For the problem of commitment as described in Definition 1, let $\Sigma(W)$ be the sum-rate capacity for the channel $W$ and $C(W_{i})$ , $i\in\{1,2\}$ , be the commitment capacity for the channel $W_{i}$ . For convenience, we write $H_{p}(X_{1}X_{2}|Y)$ to indicate that $(X_{1},X_{2})$ is distributed according to $p$ . Then, from Theorem 1, we have

$\displaystyle\Sigma(W)$	$\displaystyle=\max_{p_{X_{1}X_{2}}}H(X_{1}X_{2}\|Y)$
	$\displaystyle\geqslant H_{p^{\star}}(X_{1}X_{2}\|Y)$
	$\displaystyle=H_{p^{\star}}(X_{1}\|Y)+H_{p^{\star}}(X_{2}\|YX_{1})$
	$\displaystyle=C(W_{1})+H_{p^{\star}}(X_{2}\|YX_{1})$
	$\displaystyle\geqslant C(W_{1}),$	(23)

where the first inequality holds with $p^{\star}\in\operatorname*{arg\,max}_{p_{X_{1}}p_{X_{2}}^{\star}}H(X_{1}|Y)$ . Similar to (23), we have $\Sigma(W)\geqslant C(W_{2})$ such that

\displaystyle\Sigma(W)\geqslant\max(C(W_{1}),C(W_{2})).

(24)

Equation (24) indicates that using time-sharing with a single bidder over $W_{1}$ and $W_{2}$ cannot outperform a multi-bidder coding scheme over $W$ .

We now provide a numerical example to show that the inequality in (24) can be strict, demonstrating that using $W$ with a multi-bidder coding scheme achieves a larger sum rate than using time-sharing with a single bidder over $W_{1}$ and $W_{2}$ . Specifically, consider the following channels

$\displaystyle W$	$\displaystyle=\left[\begin{array}[]{ccc}1/4&3/4\\ 1/2&1/2\\ 1/2&1/2\\ 1/2&1/2\\ \end{array}\right],$	(29)
$\displaystyle W_{1}$	$\displaystyle=\left[\begin{array}[]{ccc}1/4&3/4\\ 1/2&1/2\end{array}\right],$	(32)
$\displaystyle W_{2}$	$\displaystyle=\left[\begin{array}[]{ccc}1/4&3/4\\ 1/2&1/2\\ \end{array}\right].$	(35)

Note that the kernel of the matrices $W$ , $W_{1}$ , and $W_{2}$ contain only the zero vector, hence, by Proposition 1, the three channels are non-redundant. Then, from Theorem 1, we numerically find that

\Sigma(W)>1.9647\textnormal{ bits/channel use}>0.9512\textnormal{ bits/channel% use}>\max(C(W_{1}),C(W_{2})).

IV-A2 Non-colluding bidders

For $({R_{\ell}})_{{\ell}\in\mathcal{L}}$ , a $((2^{n{R_{\ell}}})_{{\ell}\in\mathcal{L}},n)$ commitment scheme for non-colluding bidders consists of:

•

For every ${\ell}\in\mathcal{L}$ , a sequence $a_{\ell}\in\mathcal{A}_{\ell}\triangleq\llbracket 1,2^{nR_{\ell}}\rrbracket$ that Bidder $\ell$ wants to commit to;
•

Local randomness $S_{\ell}\in\mathcal{R}_{\ell}$ at Bidder $\ell\in\mathcal{L}$ ;
•

Local randomness $S^{\prime}_{\ell}\in\mathcal{R}_{\ell}^{\prime}$ , $\ell\in\mathcal{L}$ , at the verifier where $S^{\prime}_{\ell}$ is only used in the interactive noiseless communication with Bidder $\ell\in\mathcal{L}$ during the commit phase.

The scheme then operates as follows:

(i)

Commit phase: We adopt the same notation as in Section IV-A1. For each $\ell\in\mathcal{L}$ , for $i\in\llbracket 1,n\rrbracket$ , Bidder $\ell$ sends $X_{l,i}(a_{\ell},S_{\ell},M^{\prime}_{l,1:i-1,1:r_{i-1}})$ over the channel and engage in $r_{i}$ rounds of noiseless communication with the verifier, i.e., for $j\in\llbracket 1,r_{i}\rrbracket$ , Bidder $\ell$ sends $M_{l,i,j}(a_{\ell},S_{\ell},M^{\prime}_{l,1:i,1:j-1})$ and the verifier replies $M^{\prime}_{l,i,j}(S^{\prime}_{\ell},M_{l,1:i,1:j},Y^{i})$ . We denote the collective noiseless communication between Bidder $\ell\in\mathcal{L}$ and the verifier by $M_{\ell}$ and define $M\triangleq(M_{\ell})_{{\ell}\in\mathcal{L}}$ . Define $V_{\ell}\triangleq(Y^{n},M_{l},S^{\prime}_{\ell})$ for $\ell\in\mathcal{L}$ and $V_{\mathcal{L}}\triangleq(V_{l})_{{\ell}\in\mathcal{L}}$ .
(ii)

Reveal phase: Bidder $\ell\in\mathcal{L}$ reveals $(a_{\ell},S_{\ell})$ to the verifier. For each ${\ell}\in\mathcal{L}$ , the verifier performs a test $\beta_{\ell}(V_{\ell},a_{\ell},S_{\ell})$ , ${\ell}\in\mathcal{L}$ , that returns $1$ if the sequence $a_{\ell}$ is accepted and $0$ otherwise.

Unlike the case of colluding bidders, the bidders here only have access to their own message and local randomness. Additionally, in the reveal phase, the acceptance test performed by the verifier is now done individually for each bidder rather than for all the bidders jointly.

Definition 2.

A rate-tuple $(R_{\ell})_{\ell\in\mathcal{L}}$ is achievable if there exists a sequence of $((2^{n{R_{\ell}}})_{{\ell}\in\mathcal{L}},n)$ commitment schemes such that for any ${\ell}\in\mathcal{L}$ , $\tilde{S}_{\ell}\in\mathcal{R}_{\ell}$ , $a_{\mathcal{L}},a_{\mathcal{L}}^{\prime}\in\mathcal{A}_{\mathcal{L}}$ such that $a_{\mathcal{L}}\neq a^{\prime}_{\mathcal{L}}$ ,

	$\displaystyle\lim_{n\to\infty}\mathbb{P}[\beta_{\ell}(V_{\ell},a_{\ell},S_{% \ell})=0]$	$\displaystyle=0,\text{ (correctness) }$
	$\displaystyle\lim_{n\to\infty}I(A_{\mathcal{L}};V_{\mathcal{L}})$	$\displaystyle=0,\text{ (concealment)}$
	$\displaystyle\lim_{n\to\infty}\mathbb{P}[\beta_{\ell}(V_{\ell},a_{\ell},S_{% \ell})\!=\!1\!=\!\beta_{\ell}(V_{\ell},a^{\prime}_{\ell},\tilde{S}_{\ell})]$	$\displaystyle=0.\text{ (bindingness)}$

The correctness, concealment, and bindingness requirements in Definition 2 can be interpreted similarly to those in the colluding bidders setting discussed in Section IV-A1. Note that since $V_{\ell}$ , ${\ell}\in\mathcal{L}$ , depends on $Y^{n}$ , which depends on all bidder inputs to the channel, $I(A_{\mathcal{L}};V_{\mathcal{L}})$ is not necessarily equal to $\sum_{{\ell}\in\mathcal{L}}I(A_{\ell};V_{\ell})$ , and therefore the concealment requirement from Definition 1 cannot be simplified. Our main result is a complete characterization of the capacity region for non-colluding bidders. Again, for any $\mathcal{T}\subseteq\mathcal{L}$ , we set $R_{\mathcal{T}}\triangleq\sum_{{\ell}\in\mathcal{T}}R_{\ell}$ .

Theorem 2.

Define the set of product input distributions

\displaystyle\mathcal{P}^{\textup{I}}(\mathcal{X}_{\mathcal{L}})\triangleq\{p_% {X_{\mathcal{L}}}\in\mathcal{P}(\mathcal{X}_{\mathcal{L}}):p_{X_{\mathcal{L}}}% =\textstyle\prod_{{\ell}\in\mathcal{L}}p_{X_{\ell}}\}.

For the case of non-colluding bidders, the capacity region is

\bigcup_{p_{X_{\mathcal{L}}}\in{\mathcal{P}^{\textup{I}}}(\mathcal{X}_{% \mathcal{L}})}\{(R_{\ell})_{{\ell}\in\mathcal{L}}:R_{\mathcal{T}}\leqslant H(X% _{\mathcal{T}}|Y),\forall\mathcal{T}\subseteq\mathcal{L}\}.

Moreover, the sum-rate capacity is $\max_{p_{X_{\mathcal{L}}\in{\mathcal{P}^{\textup{I}}}(\mathcal{X}_{\mathcal{L}% })}}H(X_{\mathcal{L}}|Y).$

Proof.

See Section V-A. ∎

Similar to the scenario with colluding bidders, the following example illustrates that, for some channels, a multi-bidder coding scheme can again outperform a time-sharing approach that utilizes single-bidder coding schemes as in [4].

Example 2.

Suppose $L=2$ . Consider the non-redundant channels $W$ , $W_{1}$ , and $W_{2}$ in (16), (19), (22). For the problem of commitment as described in Definition 2, let $\Sigma^{\textup{I}}(W)$ be the sum-rate capacity for the channel $W$ and $C(W_{i})$ , $i\in\{1,2\}$ , be the commitment capacity for the channel $W_{i}$ . Using Theorem 2, similar to (24), we have

\displaystyle\Sigma^{\textup{I}}(W)\geqslant\max(C(W_{1}),C(W_{2})).

(36)

Next, we numerically show that the inequality (36) can be strict such that using $W$ with a multi-bidder coding scheme achieves a larger sum rate than using time-sharing with a single bidder over $W_{1}$ and $W_{2}$ . Specifically, for the non-redundant channels $W$ , $W_{1}$ , and $W_{2}$ in (29), (32), (35), we have

\Sigma^{\textup{I}}(W)>1.9645\textnormal{ bits/channel use}>0.9512\textnormal{% bits/channel use}>\max(C(W_{1}),C(W_{2})).

IV-B Single-Bidder Multi-Verifier Model and Results

We now consider the model illustrated in Figure 2, in which a single bidder attempts to commit a message to $B\in\mathbb{N}^{*}$ verifiers using a noiseless channel and a noisy broadcast channel. The verifiers are indexed in the set $\mathcal{B}\triangleq\llbracket 1,B\rrbracket$ and are assumed non-colluding. The broadcast channel is characterized by a finite input alphabet $\mathcal{X}$ , $B$ finite output alphabets $(\mathcal{Y}_{b})_{b\in\mathcal{B}}$ , and a transition probability $p_{Y_{\mathcal{B}}|X}$ , where we use the same notation as in Section IV-A. For any $b\in\mathcal{B}$ , we also consider the channel $W^{(b)}\triangleq(\mathcal{X},\mathcal{Y}_{b},p_{Y_{b}|X})$ . Throughout this section, we assume that $W^{(b)}$ is non-redundant for any $b\in\mathcal{B}$ .

For $R\in\mathbb{R}_{+}$ , a $(2^{n{R}},n)$ commitment scheme consists of:

•

A sequence $a\in\mathcal{A}\triangleq\llbracket 1,2^{nR}\rrbracket$ that the bidder wants to commit to;
•

A noiseless public channel between the bidder and the verifiers;
•

Local randomness $S\in\mathcal{R}$ at the bidder;
•

Local randomness $S^{\prime}_{b}\in\mathcal{R}_{b}^{\prime}$ , $b\in\mathcal{B}$ , at Verifier $b$ .

The scheme then operates in two phases as follows:

1.

Commit phase: We use the same notation as in Section IV-A. For $i\in\llbracket 1,n\rrbracket$ , the bidder sends $X_{i}(a,S,(M^{\prime}_{b,1:i-1,1:r_{i-1}})_{b\in\mathcal{B}})$ over the channel and engage in $r_{i}$ rounds of noiseless communication with the verifiers, i.e., for $j\in\llbracket 1,r_{i}\rrbracket$ and $b\in\mathcal{B}$ , the bidder sends $M_{b,i,j}(a,S,M^{\prime}_{b,1:i,1:j-1})$ and Verifier $b$ replies $M^{\prime}_{b,i,j}(S^{\prime}_{b},M_{b,1:i,1:j},Y_{b}^{i})$ .

We denote the collective noiseless communication between the bidder and Verifier $b\in\mathcal{B}$ by $M_{b}$ and define $M\triangleq(M_{b})_{b\in\mathcal{B}}$ . For $b\in\mathcal{B}$ , define $V_{b}\triangleq(Y_{b}^{n},M,S^{\prime}_{b})$ .
2.

Reveal phase: Suppose that some verifiers may have dropped out of the network after the commit phase and $\mathcal{A}\subset\mathcal{B}$ is the set of available verifiers with $|\mathcal{A}|\geqslant 1$ . The bidder reveals $(a,S)$ and chooses a verifier $b^{\star}\in\mathcal{A}$ . Verifier $b^{\star}$ performs a test $\beta(V_{b^{\star}},a,S)$ that returns $1$ if the sequence $a$ is accepted and $0$ otherwise.

Definition 3.

A rate $R$ is achievable if there exists a sequence of $(2^{n{R}},n)$ commitment schemes such that for any $\tilde{S}\in\mathcal{R}$ , $a,a^{\prime}\in\mathcal{A}$ such that $a\neq a^{\prime}$ ,

$\displaystyle\lim_{n\to\infty}\max_{b\in\mathcal{B}}\mathbb{P}[\beta(V_{b},a,S% )=0]$	$\displaystyle=0,\text{ (correctness) }$	(37)
$\displaystyle\lim_{n\to\infty}\max_{b\in\mathcal{B}}I(A;V_{b})$	$\displaystyle=0,\text{ (concealement) }$	(38)
$\displaystyle\lim_{n\to\infty}\max_{b\in\mathcal{B}}\mathbb{P}[\beta(V_{b},a,S% )\!=\!1\!=\!\beta(V_{b},a^{\prime},\tilde{S})]$	$\displaystyle=0.\text{ (bindingness) }$	(39)

The supremum of all achievable rates is the commitment capacity.

The correctness, concealment, and bindingness requirements in Definition 3 can be interpreted similarly to those in the settings discussed in Section IV-A.

Our main result for the multi-verifier commitment setting is to characterize the commitment capacity as follows.

Theorem 3.

The commitment capacity is

\max_{p_{X}\in{\mathcal{P}}(\mathcal{X})}\min_{b\in\mathcal{B}}H(X|Y_{b}).

Proof.

See Section VI. ∎

Theorem 3 shows that that a non-zero commitment capacity can still be achievable, even if all but one verifier drop out of the network after the commit phase.

Example 3.

Assume that the bidder and the $B$ verifiers are connected through $B$ parallel channels that are non-redundant and identical. By Theorem 3, if all but one verifier drop out after the commit phase, the commitment capacity is $\max_{p_{X}\in{\mathcal{P}}(\mathcal{X})}H(X|Y_{1})$ , which can be non-zero for some non-redundant channels, e.g., the channel in (32).

V Proof of Theorem 1 and Theorem 2

V-A Achievability scheme

The achievability proofs for the two theorems are similar, differing only in the set of allowed input distributions to the channel. To simultaneously capture both proofs, we define

\displaystyle\bar{\mathcal{P}}(\mathcal{X}_{\mathcal{L}})\triangleq\begin{% cases}\mathcal{P}^{\textup{I}}(\mathcal{X}_{\mathcal{L}})&\text{if the bidders% are non-colluding}\\ \mathcal{P}(\mathcal{X}_{\mathcal{L}})&\text{if the bidders are colluding}\end% {cases}.

Fix $p_{X_{\mathcal{L}}}\in\bar{\mathcal{P}}(\mathcal{X}_{\mathcal{L}})$ . Define $q_{X_{\mathcal{L}}Y}\triangleq p_{X_{\mathcal{L}}}p_{Y|X_{\mathcal{L}}}$ . Consider $X_{\mathcal{L}}^{n}$ distributed according to $p^{\otimes n}_{X_{\mathcal{L}}}$ .

Commit Phase: Bidder ${\ell}\in\mathcal{L}$ commits to $a_{\ell}$ as follows.

•

Bidder $\ell$ sends the sequence $X^{n}_{\ell}$ over the multiple access channel $W$ . The verifier observes $Y^{n}$ .
•

The verifier chooses a function $G_{\ell}:\mathcal{X}^{n\mu}_{\ell}\to\{0,1\}^{\eta n}$ at random in a family of two-universal hash functions with $\mu>\eta>0$ , and sends $G_{\ell}$ to Bidder $\ell$ over the noiseless channel.
•

Bidder $\ell$ selects a set $\mathcal{S}_{\ell}\subset\llbracket 1,n\rrbracket$ of size $|\mathcal{S}_{\ell}|=\mu n$ uniformly at random and sends $G_{\ell}(X^{n}_{\ell}[\mathcal{S}_{\ell}])$ and $\mathcal{S}_{\ell}$ to the verifier over the noiseless channel. Let $T_{\ell}$ be the corresponding sequence observed by the verifier.
•

Bidder $\ell$ sets $\bar{X}_{\ell}^{n}\triangleq{X}_{\ell}^{n}[(\bigcup_{{\ell}\in\mathcal{L}}% \mathcal{S}_{\ell})^{c}]$ and $\bar{n}\triangleq n-|\bigcup_{{\ell}\in\mathcal{L}}\mathcal{S}_{\ell}|$ . It then chooses a function $F_{\ell}:\mathcal{X}^{\bar{n}}_{\ell}\to\{0,1\}^{r_{\ell}}$ at random in a family of two-universal hash functions, and sends $F_{\ell}$ and $E_{l}\triangleq a_{\ell}\oplus F_{\ell}(\bar{X}_{\ell}^{n})$ over the noiseless channel.

Reveal Phase: Bidder ${\ell}\in\mathcal{L}$ reveals $a_{\ell}$ as follows.

•

Bidder $\ell$ sends $X_{\ell}^{n}$ and $a_{\ell}$ to the verifier over the noiseless channel.
•
The verifier tests that
1. (i)
  
  $(X_{\mathcal{L}}^{n},Y^{n})\in\mathcal{T}_{\epsilon}^{n}(q_{X_{\mathcal{L}}Y})$ ;
2. (ii)
  
  $T_{\ell}=G_{\ell}(X^{n}_{\ell}[\mathcal{S}_{\ell}]),\forall\ell\in\mathcal{L}$ ;
3. (iii)
  
  $a_{\ell}=E_{\ell}\oplus F_{\ell}(\bar{X}^{n}_{\ell}),\forall\ell\in\mathcal{L}$ ;
and outputs 1 if all conditions are satisfied, and 0 else.

V-A1 Definitions

The following notions of typicality will prove useful. Let $\epsilon>0$ . For $x^{n}_{\mathcal{L}}\in\mathcal{X}_{\mathcal{L}}^{n}$ , define

	$\displaystyle\mathcal{T}^{n}_{W,\epsilon}({x}_{\mathcal{L}}^{n})$	$\displaystyle\triangleq\left\{y^{n}\in\mathcal{Y}^{n}:\forall x_{\mathcal{L}},% \forall y,\left\|\sum_{i=1}^{n}\frac{\mathds{1}\{(x_{\mathcal{L}},y)\!=\!(x_{% \mathcal{L},i},y_{i})\}}{n}\!-\!W_{x_{\mathcal{L}}}(y)\sum_{i=1}^{n}\frac{% \mathds{1}\{x_{\mathcal{L}}\!=\!x_{\mathcal{L},i}\}}{n}\right\|\!\leqslant\!% \epsilon\right.$
		$\displaystyle\phantom{--}\left.\text{ and }W_{x_{\mathcal{L}}}(y)=0\implies% \sum_{i=1}^{n}\frac{\mathds{1}\{(x_{\mathcal{L}},y)\!=\!(x_{\mathcal{L},i},y_{% i})\}}{n}=0\right\}.$

Define also

	$\displaystyle\mathcal{T}_{\epsilon}^{n}(q_{X_{\mathcal{L}}Y})$	$\displaystyle\triangleq\left\{(x_{\mathcal{L}}^{n},y^{n})\in\mathcal{X}_{% \mathcal{L}}^{n}\times\mathcal{Y}^{n}:\forall x_{\mathcal{L}},\forall y,\left\|% \sum_{i=1}^{n}\frac{\mathds{1}\{(x_{\mathcal{L}},y)\!=\!(x_{\mathcal{L},i},y_{% i})\}}{n}-q_{X_{\mathcal{L}}Y}(x_{\mathcal{L}},y)\right\|\leqslant\epsilon\right.$
		$\displaystyle\phantom{--}\left.\text{ and }q_{X_{\mathcal{L}}Y}(x_{\mathcal{L}% },y)=0\implies\sum_{i=1}^{n}\frac{\mathds{1}\{(x_{\mathcal{L}},y)\!=\!(x_{% \mathcal{L},i},y_{i})\}}{n}=0\right\}.$

V-A2 Correctness

When the parties are not cheating, standard typicality arguments [17] show that $\lim_{n\to\infty}\mathbb{P}[(X_{\mathcal{L}}^{n},Y^{n})\in\mathcal{T}_{% \epsilon}^{n}(q_{X_{\mathcal{L}}Y})]=1$ . Consequently, part (i) of the verifier test passes, while part (ii) and (iii) are automatically true, so that the verifier estimates $a_{\mathcal{L}}$ with vanishing probability of error in the reveal phase in the absence of cheating.

V-A3 Concealment

Define $V^{\prime}\triangleq(\mathcal{S}_{\mathcal{L}},G_{\mathcal{L}},F_{\mathcal{L}}% ,T_{\mathcal{L}},Y^{n})$ and $V\triangleq(V^{\prime},E_{\mathcal{L}})$ , where $\mathcal{S}_{\mathcal{L}}\triangleq(\mathcal{S}_{\ell})_{\ell\in\mathcal{L}}$ , $G_{\mathcal{L}}\triangleq(G_{\ell})_{\ell\in\mathcal{L}}$ , $F_{\mathcal{L}}\triangleq(F_{\ell})_{\ell\in\mathcal{L}}$ , $T_{\mathcal{L}}\triangleq(T_{\ell})_{\ell\in\mathcal{L}}$ , $E_{\mathcal{L}}\triangleq(E_{\ell})_{\ell\in\mathcal{L}}$ . Note that $V$ captures all the information available to the verifier at the end of the commit phase. Define also $K_{\mathcal{L}}\triangleq(F_{\ell}(\bar{X}^{n}_{l}))_{\ell\in\mathcal{L}}$ , which represents the sequence of hashes used to protect the committed strings by the bidders, and $\bar{Y}^{n}\triangleq Y^{n}[\mathcal{S}^{c}]$ , where $\mathcal{S}\triangleq\bigcup_{{\ell}\in\mathcal{L}}\mathcal{S}_{\ell}$ . Then, we have

$\displaystyle I(A_{\mathcal{L}};V)$	$\displaystyle\stackrel{{\scriptstyle(a)}}{{=}}I(A_{\mathcal{L}};E_{\mathcal{L}% })+I(A_{\mathcal{L}};V^{\prime}\|E_{\mathcal{L}})$
	$\displaystyle\leqslant I(A_{\mathcal{L}};E_{\mathcal{L}})+I(A_{\mathcal{L}}E_{% \mathcal{L}};V^{\prime})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{=}}I(A_{\mathcal{L}};E_{\mathcal{L}% })+I(A_{\mathcal{L}}K_{\mathcal{L}};V^{\prime})$
	$\displaystyle=I(A_{\mathcal{L}};E_{\mathcal{L}})+I(K_{\mathcal{L}};V^{\prime})% +I(A_{\mathcal{L}};V^{\prime}\|K_{\mathcal{L}})$
	$\displaystyle\leqslant I(A_{\mathcal{L}};E_{\mathcal{L}})+I(K_{\mathcal{L}};V^% {\prime})+I(A_{\mathcal{L}};V^{\prime}K_{\mathcal{L}})$
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{=}}I(A_{\mathcal{L}};E_{\mathcal{L}% })+I(K_{\mathcal{L}};V^{\prime})$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{\leqslant}}r_{\mathcal{L}}-H(E_{% \mathcal{L}}\|A_{\mathcal{L}})+I(K_{\mathcal{L}};V^{\prime})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{=}}r_{\mathcal{L}}-H(K_{\mathcal{L}% })+I(K_{\mathcal{L}};V^{\prime})$
	$\displaystyle=r_{\mathcal{L}}-H(K_{\mathcal{L}})+I(K_{\mathcal{L}};F_{\mathcal% {L}}\bar{Y}^{n})$
	$\displaystyle\phantom{--}+I(K_{\mathcal{L}};\mathcal{S}_{\mathcal{L}}G_{% \mathcal{L}}T_{\mathcal{L}}Y^{n}[\mathcal{S}]\|F_{\mathcal{L}}\bar{Y}^{n})$
	$\displaystyle\leqslant r_{\mathcal{L}}-H(K_{\mathcal{L}})+I(K_{\mathcal{L}};F_% {\mathcal{L}}\bar{Y}^{n})$
	$\displaystyle\phantom{--}+I(F_{\mathcal{L}}\bar{Y}^{n}K_{\mathcal{L}};\mathcal% {S}_{\mathcal{L}}G_{\mathcal{L}}T_{\mathcal{L}}Y^{n}[\mathcal{S}])$
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{=}}r_{\mathcal{L}}-H(K_{\mathcal{L}% })+I(K_{\mathcal{L}};F_{\mathcal{L}}\bar{Y}^{n}),$	(40)

where

(a)

holds by the chain rule and the definition of $V$ ;
(b)

holds by the definition of $E_{\mathcal{L}}$ ;
(c)

holds by independence between $A_{\mathcal{L}}$ and $(V^{\prime},K_{\mathcal{L}})$ ;
(d)

holds with $r_{\mathcal{L}}\triangleq\sum_{{\ell}\in\mathcal{L}}r_{\ell}$ ;
(e)

holds by the definition of $E_{\mathcal{L}}$ ;
(f)

holds by independence between $(F_{\mathcal{L}},\bar{Y}^{n},K_{\mathcal{L}})$ and $(\mathcal{S}_{\mathcal{L}}G_{\mathcal{L}}T_{\mathcal{L}}Y^{n}[\mathcal{S}])$ .

Then, we upper bound the right-hand side of (40) using the version of the leftover hash lemma in Lemma 1, and we lower bound the min-entropies [18] appearing in Lemma 1 using Lemma 2.

Lemma 1 (Distributed leftover hash lemma, e.g., [19, Lemma 3]).

Consider a sub-normalized non-negative function $p_{X_{\mathcal{L}}Z}$ defined over $\bigtimes_{\ell\in\mathcal{L}}\mathcal{X}_{l}\times\mathcal{Z}$ , where $X_{\mathcal{L}}\triangleq(X_{\ell})_{\ell\in\mathcal{L}}$ and, $\mathcal{Z}$ , $\mathcal{X}_{l}$ , $\ell\in\mathcal{L}$ , are finite alphabets. For $\ell\in\mathcal{L}$ , let $F_{\ell}:\{0,1\}^{n_{\ell}}\longrightarrow\{0,1\}^{r_{\ell}}$ , be uniformly chosen in a family $\mathcal{F}_{\ell}$ of two-universal hash functions. For any $\mathcal{T}\subseteq\mathcal{L}$ , define $r_{\mathcal{T}}\triangleq\sum_{i\in\mathcal{T}}r_{i}$ . Define also ${F}_{\mathcal{L}}\triangleq(F_{\ell})_{\ell\in\mathcal{L}}$ and $F_{\mathcal{L}}(X_{\mathcal{L}})\triangleq\left(F_{\ell}(X_{\ell})\right)_{{% \ell}\in\mathcal{L}}$ . Then, for any $q_{Z}$ defined over $\mathcal{Z}$ such that $\textup{supp}(q_{Z})\subseteq\textup{supp}(p_{Z})$ , we have

\displaystyle\mathbb{V}({{p}_{F_{\mathcal{L}}(X_{\mathcal{L}})F_{\mathcal{L}}Z% }},p_{U_{\mathcal{K}}}p_{U_{\mathcal{F}}}p_{Z})\leqslant{{{\sqrt{{% \displaystyle\sum_{\begin{subarray}{c}{\mathcal{T}\subseteq\mathcal{L}},{% \mathcal{T}\neq\emptyset}\end{subarray}}}2^{r_{\mathcal{T}}-H_{\infty}(p_{X_{% \mathcal{T}}Z}|q_{Z})}}}}},

(41)

where $p_{U_{\mathcal{K}}}$ and $p_{U_{\mathcal{F}}}$ are the uniform distributions over $\llbracket 1,2^{r_{{\mathcal{L}}}}\rrbracket$ and $\llbracket 1,\prod_{\ell\in\mathcal{L}}|\mathcal{F}_{\ell}|\rrbracket$ , respectively, and for any $\mathcal{T}\subseteq\mathcal{L},\mathcal{T}\neq\emptyset$ ,

H_{\infty}(p_{X_{\mathcal{T}}Z}|q_{Z})\triangleq-\log\displaystyle\max_{\begin% {subarray}{c}{x_{\mathcal{T}}\in\mathcal{X}_{\mathcal{T}}}\\ z\in\textup{supp}(q_{Z})\end{subarray}}\frac{p_{X_{\mathcal{T}}Z}(x_{\mathcal{% T}},z)}{q_{Z}(z)}.

Lemma 2 ([19, Lemma 4]).

Let $(\mathcal{X}_{\ell})_{\ell\in\mathcal{L}}$ be $L$ finite alphabets and define for $\mathcal{T}\subseteq\mathcal{L}$ , $\mathcal{X}_{\mathcal{T}}\triangleq\bigtimes_{\ell\in\mathcal{T}}\mathcal{X}_{\ell}$ . Consider the random variables $X^{n}_{\mathcal{L}}\triangleq({X}^{n}_{\ell})_{\ell\in\mathcal{L}}$ and $Z^{n}$ defined over $\mathcal{X}_{\mathcal{L}}^{n}\times\mathcal{Z}^{n}$ with probability distribution $q_{X^{n}_{\mathcal{L}}Z^{n}}\triangleq q^{\otimes n}_{X_{\mathcal{L}}Z}$ . For any $\epsilon>0$ , there exists a subnormalized non-negative function $w_{X^{n}_{\mathcal{L}}Z^{n}}$ defined over $\mathcal{X}^{n}_{\mathcal{L}}\times\mathcal{Z}^{n}$ such that $\mathbb{V}(q_{X^{n}_{\mathcal{L}}Z^{n}},w_{X^{n}_{\mathcal{L}}Z^{n}})\leqslant\epsilon$ and

\displaystyle\forall\mathcal{T}\subseteq\mathcal{L},H_{\infty}(w_{X^{n}_{% \mathcal{T}}Z^{n}}|q_{Z^{n}})\geqslant nH({X_{\mathcal{T}}}|Z)-n\delta_{% \mathcal{T}}(n),

where $\delta_{\mathcal{T}}(n)\triangleq(\log(\lvert\mathcal{X}_{\mathcal{T}}\rvert+3% ))\sqrt{\frac{2}{n}(L+\log(\frac{1}{\epsilon}))}$ .

Let $\epsilon>0$ . By Lemma 2, there exists a subnormalized non-negative function $w_{\bar{X}^{n}_{\mathcal{L}}\bar{Y}^{n}}$ such that $\mathbb{V}(q_{\bar{X}^{n}_{\mathcal{L}}\bar{Y}^{n}},w_{\bar{X}^{n}_{\mathcal{L% }}\bar{Y}^{n}})\leqslant\epsilon$ and

\displaystyle\forall\mathcal{T}\subseteq\mathcal{L},H_{\infty}(w_{\bar{X}^{n}_% {\mathcal{T}}\bar{Y}^{n}}|q_{\bar{Y}^{n}})\geqslant\bar{n}H({X_{\mathcal{T}}}|% Y)-\bar{n}\delta_{\mathcal{T}}(\bar{n}),

(42)

where $\delta_{\mathcal{T}}(\bar{n})\triangleq(\log(\lvert\mathcal{X}_{\mathcal{T}}% \rvert+3))\sqrt{\frac{2}{\bar{n}}(L+\log(\frac{1}{\epsilon}))}$ . Then, we have

	$\displaystyle\mathbb{V}(q_{K_{\mathcal{L}}F_{\mathcal{L}}\bar{Y}^{n}},p_{U_{% \mathcal{K}}}p_{U_{\mathcal{F}}}q_{\bar{Y}^{n}})$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{\leqslant}}\mathbb{V}(q_{K_{% \mathcal{L}}F_{\mathcal{L}}\bar{Y}^{n}},w_{K_{\mathcal{L}}F_{\mathcal{L}}\bar{% Y}^{n}})+\mathbb{V}(w_{K_{\mathcal{L}}F_{\mathcal{L}}\bar{Y}^{n}},p_{U_{% \mathcal{K}}}p_{U_{\mathcal{F}}}q_{\bar{Y}^{n}})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{\leqslant}}\epsilon+\mathbb{V}(w_{K% _{\mathcal{L}}F_{\mathcal{L}}\bar{Y}^{n}},p_{U_{\mathcal{K}}}p_{U_{\mathcal{F}% }}q_{\bar{Y}^{n}})$
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{\leqslant}}\epsilon+\mathbb{V}(w_{K% _{\mathcal{L}}F_{\mathcal{L}}\bar{Y}^{n}},p_{U_{\mathcal{K}}}p_{U_{\mathcal{F}% }}w_{\bar{Y}^{n}})+\mathbb{V}(p_{U_{\mathcal{K}}}p_{U_{\mathcal{F}}}w_{\bar{Y}% ^{n}},p_{U_{\mathcal{K}}}p_{U_{\mathcal{F}}}q_{\bar{Y}^{n}})$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{\leqslant}}2\epsilon+\mathbb{V}(w_{% K_{\mathcal{L}}F_{\mathcal{L}}\bar{Y}^{n}},p_{U_{\mathcal{K}}}p_{U_{\mathcal{F% }}}w_{\bar{Y}^{n}})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{\leqslant}}2\epsilon+{{{\sqrt{{% \displaystyle\sum_{\begin{subarray}{c}{\mathcal{T}\subseteq\mathcal{L}},{% \mathcal{T}\neq\emptyset}\end{subarray}}}2^{r_{\mathcal{T}}-H_{\infty}(w_{\bar% {X}^{n}_{\mathcal{T}}\bar{Y}^{n}}\|q_{\bar{Y}^{n}})}}}}}$
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{\leqslant}}2\epsilon+{{{\sqrt{{% \displaystyle\sum_{\begin{subarray}{c}{\mathcal{T}\subseteq\mathcal{L}},{% \mathcal{T}\neq\emptyset}\end{subarray}}}2^{r_{\mathcal{T}}-\bar{n}H({X_{% \mathcal{T}}}\|Y)+\bar{n}\delta_{\mathcal{T}}(\bar{n})}}}}},$		(43)

where

(a)

and (c) hold by the triangle inequality;
(b)

and (d) hold by the data processing inequality and because $\mathbb{V}(q_{\bar{X}^{n}_{\mathcal{L}}\bar{Y}^{n}},w_{\bar{X}^{n}_{\mathcal{L% }}\bar{Y}^{n}})\leqslant\epsilon$ ;
(e)

holds by Lemma 1;
(f)

holds by (42).

We conclude from (43) and [20, Lemma 2.7] that concealment holds with $(r_{l})_{{\ell}\in\mathcal{L}}$ such that for any $\mathcal{T}\subseteq\mathcal{L}$ , $\lim_{n\to\infty}\frac{r_{\mathcal{T}}}{n}\leqslant H(X_{\mathcal{T}}|Y)-\delta$ , $\delta>0$ .

V-A4 Bindingness

We will use the following lemma from [4].

Lemma 3 (Adapted from [4]).

Let $\delta,\sigma>0$ . Consider $x^{n}_{\mathcal{L}},\tilde{x}^{n}_{\mathcal{L}}\in\mathcal{X}_{\mathcal{L}}^{n}$ such that $d_{H}(x^{n}_{\mathcal{L}},\tilde{x}^{n}_{\mathcal{L}})\geqslant\sigma n$ and a non-redundant multiple access channel $W$ . Then,

\lim_{n\to\infty}W^{\otimes n}_{x^{n}_{\mathcal{L}}}(\mathcal{T}^{n}_{W,% \epsilon}(\tilde{x}_{\mathcal{L}}^{n}))=0.

In the reveal phase, if the verifier observes $\tilde{x}^{n}_{\mathcal{L}}$ , then, by Lemma 3, a successful joint typicality test at the verifier requires $d_{H}(\tilde{x}^{n}_{\mathcal{L}},{x}^{n}_{\mathcal{L}})\leqslant{O(n^{\alpha})}$ , for some $\alpha<1$ . This implies that Test (ii) at the verifier in the reveal phase can only succeed with a probability at most

	$\displaystyle 2^{-Ln\eta}\sum_{i=0}^{d_{H}(\tilde{x}^{n}_{\mathcal{L}},{x}^{n}% _{\mathcal{L}})}{n\choose i}$	$\displaystyle\leqslant 2^{-Ln\eta}\cdot 2^{H_{b}(O(n^{\alpha-1}))}$
		$\displaystyle\leqslant 2^{-Ln\eta}\cdot 2^{O(n^{\alpha}\log n)}$
		$\displaystyle\xrightarrow{n\to\infty}0,$

where $H_{b}$ denotes the binary entropy.

V-A5 Achievable region and sum-rate

For any $p_{X_{\mathcal{L}}}\in\bar{\mathcal{P}}(\mathcal{X}_{\mathcal{L}})$ , we have shown the achievability of

\displaystyle\mathcal{R}(p_{X_{\mathcal{L}}})\triangleq\{(R_{\ell})_{{\ell}\in% \mathcal{L}}:R_{\mathcal{T}}\leqslant H(X_{\mathcal{T}}|Y),\forall\mathcal{T}% \subseteq\mathcal{L}\}.

Next, define the set function

	$\displaystyle f_{p_{X_{\mathcal{L}}}}:2^{\mathcal{L}}$	$\displaystyle\to\mathbb{R}$
	$\displaystyle\mathcal{T}$	$\displaystyle\mapsto H(X_{\mathcal{T}}\|Y),$

where $2^{\mathcal{L}}$ denotes the power set of $\mathcal{L}$ . $f_{p_{X_{\mathcal{L}}}}$ is normalized, i.e., $f_{p_{X_{\mathcal{L}}}}(\emptyset)=0$ , non-decreasing, i.e., $\forall\mathcal{S},\mathcal{T}\subseteq\mathcal{L}$ , $\mathcal{S}\subseteq\mathcal{T}\implies f_{p_{X_{\mathcal{L}}}}(\mathcal{S})% \leqslant f_{p_{X_{\mathcal{L}}}}(\mathcal{T})$ , and submodular because for $\mathcal{U},\mathcal{V}\subseteq\mathcal{L}$ , we have

	$\displaystyle f_{p_{X_{\mathcal{L}}}}(\mathcal{U}\cup\mathcal{V})+f_{p_{X_{% \mathcal{L}}}}(\mathcal{U}\cap\mathcal{V})$
	$\displaystyle=H(X_{\mathcal{U}}\|Y)+H(X_{\mathcal{V}\backslash\mathcal{U}}\|YX_{% \mathcal{U}})+H(X_{\mathcal{U}\cap\mathcal{V}}\|Y)$
	$\displaystyle=H(X_{\mathcal{U}}\|Y)+H(X_{\mathcal{V}\backslash\mathcal{U}}\|YX_{% \mathcal{U}})+H(X_{\mathcal{V}}\|Y)-H(X_{\mathcal{V}\backslash\mathcal{U}}\|YX_{% \mathcal{U}\cap\mathcal{V}})$
	$\displaystyle\leqslant H(X_{\mathcal{U}}\|Y)+H(X_{\mathcal{V}}\|Y)$
	$\displaystyle=f_{p_{X_{\mathcal{L}}}}(\mathcal{U})+f_{p_{X_{\mathcal{L}}}}(% \mathcal{V}),$

where the inequality holds because $H(X_{\mathcal{V}\backslash\mathcal{U}}|YX_{\mathcal{U}})\leqslant H(X_{% \mathcal{V}\backslash\mathcal{U}}|YX_{\mathcal{U}\cap\mathcal{V}})$ since conditioning reduces entropy.

Hence, by [21], the rate-tuple $(f_{p_{X_{\mathcal{L}}}}(\llbracket l,L\rrbracket)-f_{p_{X_{\mathcal{L}}}}(% \llbracket l+1,L\rrbracket))_{{\ell}\in\mathcal{L}}$ is achievable and so is the sum-rate $f_{p_{X_{\mathcal{L}}}}(\llbracket 1,L\rrbracket)=H(X_{\mathcal{L}}|Y)$ . Hence, the following sum-rate is achievable

R_{\mathcal{L}}=\max_{p_{X_{\mathcal{L}}\in\bar{\mathcal{P}}(\mathcal{X}_{% \mathcal{L}})}}H(X_{\mathcal{L}}|Y).

V-B Converse

We provide here the converse proof for Theorem 2. This proof, particularly Lemma 5, draws on techniques from [4, 12]. The converse proof for the sum-rate in Theorem 1 follows in a similar manner. We note that we do not obtain a complete characterization of the capacity region when bidders collude, as Lemma 4 below is only valid for the non-colluding bidders case.

Lemma 4.

Consider the non-colluding bidders case. For $\ell\in\mathcal{L}$ , $(A_{\ell},S_{\ell})-(M_{\ell},X_{\ell}^{n})-(Y^{n},S^{\prime}_{\ell})$ forms a Markov chain.

Proof.

For ${\ell}\in\mathcal{L}$ , $i\in\llbracket 1,n\rrbracket$ , $j\in\llbracket 1,r_{i}\rrbracket$ , define $\bar{M}_{l,1:i,1:j}\triangleq(M_{l,1:i,1:j},M^{\prime}_{l,1:i,1:j})$ and $\bar{M}_{l,1:i}\triangleq\bar{M}_{l,1:i,1:r_{i}}$ . We have

	$\displaystyle I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}\|\bar{M}_{l,1:n}X^{n}_{% \ell})$		(44)
	$\displaystyle=I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{% M}_{l,n,1:r_{n}}X^{n}_{\ell})$
	$\displaystyle=I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{% M}_{l,n,1:r_{n}-1}M_{l,n,r_{n}}M^{\prime}_{l,n,r_{n}}X^{n}_{\ell})$
	$\displaystyle\leqslant I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}M^{\prime}_{l,% n,r_{n}}\|\bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}M_{l,n,r_{n}}X^{n}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{=}}I(A_{\ell}S_{\ell};Y^{n}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}M_{l,n,r_{n}}X^{n}_{% \ell})$
	$\displaystyle\leqslant I(A_{\ell}S_{\ell}M_{l,n,r_{n}};Y^{n}S^{\prime}_{\ell}\|% \bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}X^{n}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{=}}I(A_{\ell}S_{\ell};Y^{n}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}X^{n}_{\ell})$		(45)
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{\leqslant}}I(A_{\ell}S_{\ell};Y^{n}% S^{\prime}_{\ell}\|\bar{M}_{l,1:n-1}X^{n}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{=}}I(A_{\ell}S_{\ell};Y^{n-1}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}X^{n}_{\ell})$
	$\displaystyle\leqslant I(A_{\ell}S_{\ell}(X_{l})_{n};Y^{n-1}S^{\prime}_{\ell}\|% \bar{M}_{l,1:n-1}X^{n-1}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{=}}I(A_{\ell}S_{\ell};Y^{n-1}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}X^{n-1}_{\ell})$		(46)
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{\leqslant}}I(A_{\ell}S_{\ell};S^{% \prime}_{\ell})$
	$\displaystyle=0,$

where

(a)

holds because $M^{\prime}_{l,n,r_{n}}$ is a function of $(S^{\prime}_{\ell},M_{l,1:n,1:r_{n}},Y^{n})$ ;
(b)

holds because $M_{l,n,r_{n}}$ is a function of $(A_{\ell},S_{\ell},M^{\prime}_{l,1:n,1:r_{n}-1})$ ;
(c)

holds by repeating $r_{n}-1$ times the steps between (44) and (45);
(d)

holds because $Y_{n}-(\bar{M}_{l,1:n-1},X^{n},Y^{n-1},S^{\prime}_{\ell})-(A_{\ell},S_{\ell})$ forms a Markov chain;
(e)

holds because $(X_{l})_{n}$ is a function of $(A_{\ell},S_{\ell},M^{\prime}_{l,1:n-1,1:r_{n-1}})$ ;
(f)

holds by repeating $n-1$ times the steps between (44) and (46).

∎

Lemma 5.

For the non-colluding case, there exist $\hat{A}_{l}(V_{\mathcal{L}},X_{l}^{n})$ , $\ell\in\mathcal{L}$ , such that

\lim_{n\to\infty}\mathbb{P}[\hat{A}_{l}(V_{\mathcal{L}},X_{l}^{n})\neq{A}_{l}]% =0,\forall\ell\in\mathcal{L}.

Proof.

Let $\ell\in\mathcal{L}$ and $\delta,\gamma>0$ . We suppose that Bidder $\ell$ behaves honestly during the commit phase. Define for any ( $a_{\ell}$ , $s_{\ell}$ , $x_{\ell}^{n}$ , $m_{\ell}$ )

$\displaystyle f(a_{\ell},s_{\ell})$	$\displaystyle\triangleq\mathbb{E}_{Y^{n}M_{\ell}S^{\prime}_{\ell}\|A_{\ell}=a_{% \ell},S_{\ell}=s_{\ell}}[\mathds{1}\{\beta_{\ell}(Y^{n},M_{\ell},S^{\prime}_{% \ell},a_{\ell},s_{\ell})\}],$	(47)
$\displaystyle\mathcal{G}(a_{\ell})$	$\displaystyle\triangleq\{s_{\ell}:f(a_{\ell},s_{\ell})>1-\gamma\},$	(48)
$\displaystyle F(x_{\ell}^{n},m_{\ell}\|a_{\ell},s_{\ell})$	$\displaystyle\triangleq\mathbb{E}_{Y^{n}S^{\prime}_{\ell}\|M_{\ell}=m_{\ell},X^% {n}_{\ell}=x^{n}_{\ell},S_{\ell}=s_{\ell}}[\mathds{1}\{\beta_{\ell}(Y^{n},m_{% \ell},S^{\prime}_{\ell},a_{\ell},s_{\ell})\}],$	(49)
$\displaystyle F(x_{\ell}^{n},m_{\ell}\|a_{\ell})$	$\displaystyle\triangleq\max_{s_{\ell}\in\mathcal{G}(a_{\ell})}F(x_{\ell}^{n},m% _{\ell}\|a_{\ell},s_{\ell}),$	(50)
$\displaystyle\bar{F}(x_{\ell}^{n},m_{\ell}\|a_{\ell})$	$\displaystyle\triangleq\max_{a_{\ell}^{}\neq a_{\ell}}F(x_{\ell}^{n},m_{\ell}% \|a_{\ell}^{}),$	(51)

and consider

\hat{a}_{\ell}(x^{n}_{\ell},m_{\ell})\in\operatorname*{arg\,max}_{a_{\ell}}F(x% ^{n}_{\ell},m_{\ell}|a_{\ell}).

Then, we have

	$\displaystyle\mathbb{P}[\hat{a}_{\ell}(X^{n}_{\ell},M_{\ell})\neq a_{\ell}]$
	$\displaystyle=\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}[\mathds{1}\{% \hat{a}_{\ell}(X^{n}_{\ell},M_{\ell})\neq a_{\ell}\}]$
	$\displaystyle\leqslant\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}[\bar% {F}(X_{\ell}^{n},M_{\ell}\|a_{\ell})+1-{F}(X_{\ell}^{n},M_{\ell}\|a_{\ell})]$
	$\displaystyle=\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}\bar{F}(X_{% \ell}^{n},M_{\ell}\|a_{\ell})+\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell% }}[1-{F}(X_{\ell}^{n},M_{\ell}\|a_{\ell})],$		(52)

where the inequality holds because if $\hat{a}_{\ell}(x^{n}_{\ell},m_{\ell})\neq a_{\ell}$ , then ${F}(x_{\ell}^{n},m_{\ell}|a_{\ell})\leqslant\max_{a_{\ell}^{*}\neq a_{\ell}}F(% x^{n}_{\ell},m_{\ell}|a_{\ell}^{*})=\bar{F}(x_{\ell}^{n},m_{\ell}|a_{\ell})$ , so that $\mathds{1}\{\hat{a}_{\ell}(x^{n}_{\ell},m_{\ell})\neq a_{\ell}\}\leqslant\bar{% F}(x_{\ell}^{n},m_{\ell}|a_{\ell})+1-{F}(x_{\ell}^{n},m_{\ell}|a_{\ell})$ .

We next upper bound the second term in the right-hand side of (52). We have

	$\displaystyle\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}F(X_{\ell}^{n}% ,M_{\ell}\|a_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{=}}\mathbb{E}_{X_{\ell}^{n}M_{\ell}% S_{\ell}\|A_{\ell}=a_{\ell}}F(X_{\ell}^{n},M_{\ell}\|a_{\ell})$
	$\displaystyle\geqslant\sum_{s_{\ell}\in\mathcal{G}(a_{\ell})}p_{S_{\ell}\|A_{% \ell}=a_{\ell}}(s_{\ell})\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell},S_% {\ell}=s_{\ell}}F(X_{\ell}^{n},M_{\ell}\|a_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{\geqslant}}\sum_{s_{\ell}\in% \mathcal{G}(a_{\ell})}p_{S_{\ell}\|A_{\ell}=a_{\ell}}(s_{\ell})\mathbb{E}_{X_{% \ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell},S_{\ell}=s_{\ell}}F(X_{\ell}^{n},M_{\ell}\|% a_{\ell},s_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{=}}\sum_{s_{\ell}\in\mathcal{G}(a_{% \ell})}p_{S_{\ell}\|A_{\ell}=a_{\ell}}(s_{\ell})\mathbb{E}_{Y^{n}S^{\prime}_{% \ell}M_{\ell}\|S_{\ell}=s_{\ell},A_{\ell}=a_{\ell}}[\mathds{1}\{\beta(Y^{n},M_{% \ell},S^{\prime}_{\ell},a_{\ell},s_{\ell})\}]$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{=}}\sum_{s_{\ell}\in\mathcal{G}(a_{% \ell})}p_{S_{\ell}\|A_{\ell}=a_{\ell}}(s_{\ell})f(a_{\ell},s_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{>}}\sum_{s_{\ell}\in\mathcal{G}(a_{% \ell})}p_{S_{\ell}\|A_{\ell}=a_{\ell}}(s_{\ell})(1-\gamma)$
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{\geqslant}}(1-\delta\gamma^{-1})(1-% \gamma),$		(53)

where

(a)

holds by marginalization;
(b)

holds by (50);

(c)

holds because, for any ( $a_{\ell}^{\dagger}$ , $s_{\ell}^{\dagger}$ ), we have

	$\displaystyle\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell},S_{\ell}=s_{% \ell}}F(X_{\ell}^{n},M_{\ell}\|a_{\ell}^{\dagger},s_{\ell}^{\dagger})$
	$\displaystyle\stackrel{{\scriptstyle(i)}}{{=}}\mathbb{E}_{X_{\ell}^{n}M_{\ell}% \|A_{\ell}=a_{\ell},S_{\ell}=s_{\ell}}\mathbb{E}_{Y^{n}S^{\prime}_{\ell}\|M_{% \ell}=M_{\ell},X^{n}_{\ell}=X^{n}_{\ell},S_{\ell}=s_{\ell}}[\mathds{1}\{\beta_% {\ell}(Y^{n},M_{\ell},S^{\prime}_{\ell},a_{\ell}^{\dagger},s_{\ell}^{\dagger})\}]$
	$\displaystyle\stackrel{{\scriptstyle(ii)}}{{=}}\mathbb{E}_{X_{\ell}^{n}M_{\ell% }\|A_{\ell}=a_{\ell},S_{\ell}=s_{\ell}}\mathbb{E}_{Y^{n}S^{\prime}_{\ell}\|M_{% \ell}=M_{\ell},X^{n}_{\ell}=X^{n}_{\ell},S_{\ell}=s_{\ell},A_{\ell}=a_{\ell}}[% \mathds{1}\{\beta(Y^{n},M_{\ell},S^{\prime}_{\ell},a_{\ell}^{\dagger},s_{\ell}% ^{\dagger})\}]$
	$\displaystyle=\mathbb{E}_{X_{\ell}^{n}Y^{n}S^{\prime}_{\ell}M_{\ell}\|S_{\ell}=% s_{\ell},A_{\ell}=a_{\ell}}[\mathds{1}\{\beta(Y^{n},M_{\ell},S^{\prime}_{\ell}% ,a_{\ell}^{\dagger},s_{\ell}^{\dagger})\}]$
	$\displaystyle\stackrel{{\scriptstyle(iii)}}{{=}}\mathbb{E}_{Y^{n}S^{\prime}_{% \ell}M_{\ell}\|S_{\ell}=s_{\ell},A_{\ell}=a_{\ell}}[\mathds{1}\{\beta(Y^{n},M_{% \ell},S^{\prime}_{\ell},a_{\ell}^{\dagger},s_{\ell}^{\dagger})\}],$		(54)

where

(i)

holds by (49);
(ii)

holds because $A_{\ell}-(M_{\ell},X^{n}_{\ell},S_{\ell})-(Y^{n},S^{\prime}_{\ell})$ forms a Markov chain since $I(A_{\ell};Y^{n}S^{\prime}_{\ell}|M_{\ell}X^{n}_{\ell}S_{\ell})\leqslant I(A_{% \ell}S_{\ell};Y^{n}S^{\prime}_{\ell}|M_{\ell}X^{n}_{\ell})=0$ by Lemma 4;
(iii)

holds by marginalization over $X^{n}_{\ell}$ .

(d)

holds by (47);
(e)

holds by (48);

(f)

holds because

	$\displaystyle\mathbb{P}[\mathcal{G}(a_{\ell})]$	$\displaystyle=\mathbb{P}[f(a_{\ell},S_{\ell})>1-\gamma]$
		$\displaystyle=1-\mathbb{P}[1-f(a_{\ell},S_{\ell})\geqslant\gamma]$
		$\displaystyle\stackrel{{\scriptstyle(i)}}{{\geqslant}}1-\frac{\mathbb{E}_{S_{% \ell}\|A_{\ell}=a_{\ell}}[1-f(a_{\ell},S_{\ell})]}{\gamma}$
		$\displaystyle\stackrel{{\scriptstyle(ii)}}{{\geqslant}}1-\delta\gamma^{-1},$

where

(i)

holds by Markov’s inequality;
(ii)

holds because by the correctness condition, for any $a_{\ell}$ and for $n$ large enough, we have $\mathbb{E}_{S_{\ell}|A_{\ell}=a_{\ell}}f(a_{\ell},S_{\ell})\geqslant 1-\delta.$

We now upper bound the first term in the right-hand side of (52). We have

	$\displaystyle\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}[\bar{F}(X_{% \ell}^{n},M_{\ell}\|a_{\ell})]$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{=}}\mathbb{E}_{X_{\ell}^{n}M_{\ell}% \|A_{\ell}=a_{\ell}}[{F}(X_{\ell}^{n},M_{\ell}\|a_{\ell}^{},s_{\ell}^{})]$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{=}}\mathbb{E}_{S_{\ell}\|A_{\ell}=a_% {\ell}}\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell},S_{\ell}=S_{\ell}}[{% F}(X_{\ell}^{n},M_{\ell}\|a_{\ell}^{},s_{\ell}^{})]$
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{=}}\mathbb{E}_{S_{\ell}\|A_{\ell}=a_% {\ell}}\mathbb{E}_{Y^{n}S^{\prime}_{\ell}M_{\ell}\|S_{\ell}=S_{\ell},A_{\ell}=a% _{\ell}}[\mathds{1}\{\beta(Y^{n},M_{\ell},S^{\prime}_{\ell},a_{\ell}^{},s_{% \ell}^{})\}]$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{\leqslant}}\delta,$		(55)

where

(a)

holds with $(a_{\ell}^{*},s_{\ell}^{*})$ such that $\bar{F}(X_{\ell}^{n},M_{\ell}|a_{\ell})={F}(X_{\ell}^{n},M_{\ell}|a_{\ell}^{*}% )={F}(X_{\ell}^{n},M_{\ell}|a_{\ell}^{*},s_{\ell}^{*})$ ;
(b)

holds by marginalization over $S_{\ell}$ ;
(c)

holds by (54);
(d)

holds by the bindingness condition.

Finally, by (52), (53), and (55), we have

\mathbb{P}[\hat{a}_{\ell}(X^{n}_{\ell},M_{\ell})\neq a_{\ell}]\xrightarrow{n% \to\infty}0.

Since $M_{\ell}$ is part of $V_{\mathcal{L}}$ , the lemma follows. ∎

Finally, for $U$ uniformly distributed over $\llbracket 1,n\rrbracket$ and independent of all other random variables, for any $\mathcal{T}\subseteq\mathcal{L}$ , we have

$\displaystyle nH(X_{\mathcal{T}}\|Y)$	$\displaystyle=nH(X_{\mathcal{T},U}\|Y_{U})$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{\geqslant}}nH(X_{\mathcal{T},U}\|Y_{% U}U)$
	$\displaystyle=\sum_{i=1}^{n}H(X_{\mathcal{T},i}\|Y_{i})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{\geqslant}}\sum_{i=1}^{n}H(X_{% \mathcal{T},i}\|Y^{n}X^{i-1}_{\mathcal{T}})$
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{=}}H(X^{n}_{\mathcal{T}}\|Y^{n})$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{\geqslant}}H(X^{n}_{\mathcal{T}}\|V_% {\mathcal{L}})$
	$\displaystyle=H(X^{n}_{\mathcal{T}}{A}_{\mathcal{T}}\|V_{\mathcal{L}})-H({A}_{% \mathcal{T}}\|X^{n}_{\mathcal{T}}V_{\mathcal{L}})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{\geqslant}}H(X^{n}_{\mathcal{T}}{A}% _{\mathcal{T}}\|V_{\mathcal{L}})-H({A}_{\mathcal{T}}\|\hat{A}_{\mathcal{T}})$
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{\geqslant}}H({A}_{\mathcal{T}}\|V_{% \mathcal{L}})-o(n)$
	$\displaystyle=H({A}_{\mathcal{T}})-I({A}_{\mathcal{T}};V_{\mathcal{L}})-o(n)$
	$\displaystyle\stackrel{{\scriptstyle(g)}}{{\geqslant}}H({A}_{\mathcal{T}})-o(n)$
	$\displaystyle=nR_{\mathcal{T}}-o(n),$	(56)

where

(a)

, (b), and (d) hold because conditioning reduces entropy;
(c)

holds by the chain rule;
(e)

holds with $\hat{A}_{\mathcal{T}}\triangleq(\hat{A}_{l})_{{\ell}\in\mathcal{T}}$ from Lemma 5 and the data processing inequality;
(f)

holds by Lemma 5 and Fano’s inequality;
(g)

holds by the concealment requirement.

VI Proof of Theorem 3

VI-A Achievability

Fix $p_{X}\in{\mathcal{P}}(\mathcal{X})$ . Define $q_{XY_{\mathcal{B}}}\triangleq p_{X}p_{Y_{\mathcal{B}}|X}$ . Consider $X^{n}$ distributed according to $p^{\otimes n}_{X}$ .

Commit Phase: The bidder commits to $a$ as follows.

•

The bidder sends the sequence $X^{n}$ over the channel $W$ . Verifier $b\in\mathcal{B}$ observes $Y_{b}^{n}$ .
•

Verifier $b\in\mathcal{B}$ chooses a function $G_{b}:\mathcal{X}^{n\mu}\to\{0,1\}^{\eta n}$ at random in a family of two-universal hash functions with $\mu>\eta>0$ , and sends $G_{b}$ to the bidder over the noiseless channel.
•

The bidder selects a set $\mathcal{S}\subset\llbracket 1,n\rrbracket$ with size $|\mathcal{S}|=\mu n$ uniformly at random and then sends $G_{b}(X^{n}[\mathcal{S}])$ and $\mathcal{S}$ to Verifier $b\in\mathcal{B}$ over the noiseless channel. Let $T_{b}$ be the corresponding sequence observed by Verifier $b$ .
•

The bidder chooses a function $F:\mathcal{X}^{\bar{n}}\to\{0,1\}^{r}$ at random in a family of two-universal hash functions, and sends $F$ and $E\triangleq a\oplus F(\bar{X}^{n})$ over the noiseless channel, where $\bar{X}^{n}\triangleq{X}^{n}[\mathcal{S}^{c}]$ and $\bar{n}\triangleq n-|\mathcal{S}|$ .

Reveal Phase: Suppose that $\mathcal{A}\subset\mathcal{B}$ is the set of available verifiers with $|\mathcal{A}|\geqslant 1$ . The bidder chooses an arbitrary index $b^{\star}\in\mathcal{B}$ and the bidder reveals $a$ as follows.

•

The bidder sends $X^{n}$ and $a$ to the verifier over the noiseless channel.
•
The verifier tests that
1. (i)
  
  $(X^{n},Y_{b^{\star}}^{n})\in\mathcal{T}_{\epsilon}^{n}(q_{XY_{b^{\star}}})$ ;
2. (ii)
  
  $T_{b^{\star}}=G_{b^{\star}}(X^{n}[\mathcal{S}])$ ;
3. (iii)
  
  $a=E\oplus F(\bar{X}^{n})$ ;
and outputs 1 if all conditions are satisfied, and 0 else.

Due to the similarity with the achievability proof of Theorem 1, we only highlight the main steps of the proof.

VI-A1 Correctness

When the parties are not cheating, standard typicality arguments [17] show that, for any $b\in\mathcal{B}$ , $\lim_{n\to\infty}\mathbb{P}[(X^{n},Y_{b})\in\mathcal{T}_{\epsilon}^{n}(q_{XY_{% b}})]=1$ . Consequently, part (i) of the reveal phase test passes, while part (ii) and (iii) are automatically true, so that the verifier estimates $a$ with vanishing probability of error in the reveal phase in the absence of cheating.

VI-A2 Concealment

Let $b\in\mathcal{B}$ . Define $V_{b}^{\prime}\triangleq(\mathcal{S},G_{\mathcal{B}},F,T_{\mathcal{B}},Y_{b}^{% n})$ , where $G_{\mathcal{B}}\triangleq(G_{b})_{b\in\mathcal{B}}$ and $T_{\mathcal{B}}\triangleq(T_{b})_{b\in\mathcal{B}}$ , and $V_{b}\triangleq(V_{b}^{\prime},E)$ . Also define $K\triangleq F(\bar{X}^{n})$ and $\bar{Y}_{b}^{n}\triangleq Y_{b}^{n}[\mathcal{S}^{c}]$ . Then, we have

\displaystyle I(A;V_{b})\leqslant r-H(K)+I(K;F\bar{Y}_{b}^{n}),

(57)

where (57) can be shown similar to (40). Next, we upper bound the right-hand side of (57) using Lemmas 1 and 2.

Let $\epsilon>0$ . By Lemma 2, there exists a subnormalized non-negative function $w_{\bar{X}^{n}\bar{Y}_{b}^{n}}$ such that $\mathbb{V}(q_{\bar{X}^{n}\bar{Y}_{b}^{n}},w_{\bar{X}^{n}\bar{Y}_{b}^{n}})\leqslant\epsilon$ and

\displaystyle H_{\infty}(w_{\bar{X}^{n}\bar{Y}_{b}^{n}}|q_{\bar{Y}_{b}^{n}})% \geqslant\bar{n}H(X|Y_{b})-\bar{n}\delta(\bar{n}),

(58)

where $\delta(\bar{n})\triangleq(\log(\lvert\mathcal{X}\rvert+3))\sqrt{\frac{2}{\bar{% n}}(1+\log(\frac{1}{\epsilon}))}$ . Then, similar to (43), using Lemma 1, one can show that, for any $b\in\mathcal{B}$ ,

	$\displaystyle\mathbb{V}(q_{KF\bar{Y}_{b}^{n}},p_{U_{\mathcal{K}}}p_{U_{% \mathcal{F}}}q_{\bar{Y}_{b}^{n}})$	$\displaystyle\leqslant 2\epsilon+\sqrt{2^{r-\bar{n}H(X\|Y_{b})+\bar{n}\delta(% \bar{n})}}$
		$\displaystyle\leqslant 2\epsilon+\sqrt{2^{r-\bar{n}\min_{b\in\mathcal{B}}H(X\|Y% _{b})+\bar{n}\delta(\bar{n})}}.$		(59)

From (59) and [20, Lemma 2.7], we conclude that the concealment requirement (38) holds with $r$ such that $\lim_{n\to\infty}\frac{r}{n}\leqslant\min_{b\in\mathcal{B}}H(X|Y_{b})-\delta$ , $\delta>0$ .

VI-A3 Bindingness

In the reveal phase, if the verifier observes $\tilde{x}^{n}$ , then, by Lemma 3, a successful joint typicality test at the verifier requires $d_{H}(\tilde{x}^{n},{x}^{n})\leqslant{O(n^{\alpha})}$ , for some $\alpha<1$ . This implies that Test (ii) at the verifier in the reveal phase can only succeed with a probability at most $2^{-n\eta}\cdot 2^{O(n^{\alpha}\log n)}$ , which vanishes to zero as $n\to\infty$ .

VI-B Converse

Due to the similarity with the converse proof of Theorem 2, we again only highlight the main steps of the proof.

We begin by proving Lemma 6, which is a counterpart to Lemma 4. Although the proofs of these two lemmas are similar, we provide a detailed explanation here to clarify how the same technique can be applied in a multi-verifier setting, with some modifications based on the definitions in Section IV-B.

Lemma 6.

Fix $b\in\mathcal{B}$ . Then, for $(A,S)-(M,X^{n})-(Y_{b}^{n},S^{\prime}_{b})$ forms a Markov chain.

Proof.

For $i\in\llbracket 1,n\rrbracket$ , $j\in\llbracket 1,r_{i}\rrbracket$ , define $M_{1:i,1:j}\triangleq(M_{b,1:i,1:j})_{b\in\mathcal{B}}$ , $M^{\prime}_{1:i,1:j}\triangleq(M^{\prime}_{b,1:i,1:j})_{b\in\mathcal{B}}$ , $\bar{M}_{1:i,1:j}\triangleq(M_{1:i,1:j},M^{\prime}_{1:i,1:j})$ , $\bar{M}_{1:i}\triangleq\bar{M}_{1:i,1:r_{i}}$ , $b\in\mathcal{B}$ . We have

	$\displaystyle I(AS;Y_{b}^{n}S^{\prime}_{b}\|\bar{M}_{1:n}X^{n})$
	$\displaystyle\leqslant I(AS;Y_{\mathcal{B}}^{n}S^{\prime}_{\mathcal{B}}\|\bar{M% }_{1:n}X^{n})$		(60)
	$\displaystyle=I(AS;Y_{\mathcal{B}}^{n}S^{\prime}_{\mathcal{B}}\|\bar{M}_{1:n-1}% \bar{M}_{n,1:r_{n}-1}M_{n,r_{n}}M^{\prime}_{n,r_{n}}X^{n})$
	$\displaystyle\leqslant I(AS;Y_{\mathcal{B}}^{n}S^{\prime}_{\mathcal{B}}M^{% \prime}_{n,r_{n}}\|\bar{M}_{1:n-1}\bar{M}_{n,1:r_{n}-1}M_{n,r_{n}}X^{n})$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{=}}I(AS;Y_{\mathcal{B}}^{n}S^{% \prime}_{\mathcal{B}}\|\bar{M}_{1:n-1}\bar{M}_{n,1:r_{n}-1}M_{n,r_{n}}X^{n})$
	$\displaystyle\leqslant I(ASM_{n,r_{n}};Y_{\mathcal{B}}^{n}S^{\prime}_{\mathcal% {B}}\|\bar{M}_{1:n-1}\bar{M}_{n,1:r_{n}-1}X^{n})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{=}}I(AS;Y_{\mathcal{B}}^{n}S^{% \prime}_{\mathcal{B}}\|\bar{M}_{1:n-1}\bar{M}_{n,1:r_{n}-1}X^{n})$		(61)
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{\leqslant}}I(AS;Y_{\mathcal{B}}^{n}% S^{\prime}_{\mathcal{B}}\|\bar{M}_{1:n-1}X^{n})$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{=}}I(AS;Y_{\mathcal{B}}^{n-1}S^{% \prime}_{\mathcal{B}}\|\bar{M}_{1:n-1}X^{n})$
	$\displaystyle\leqslant I(ASX_{n};Y_{\mathcal{B}}^{n-1}S^{\prime}_{\mathcal{B}}% \|\bar{M}_{1:n-1}X^{n-1})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{=}}I(AS;Y_{\mathcal{B}}^{n-1}S^{% \prime}_{\mathcal{B}}\|\bar{M}_{1:n-1}X^{n-1})$		(62)
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{\leqslant}}I(AS;S^{\prime}_{% \mathcal{B}})$
	$\displaystyle=0,$

where

(a)

holds because $M^{\prime}_{n,r_{n}}$ is a function of $(S^{\prime}_{\mathcal{B}},M_{1:n,1:r_{n}},Y_{\mathcal{B}}^{n})$ ;
(b)

holds because $M_{n,r_{n}}$ is a function of $(A,S,M^{\prime}_{1:n,1:r_{n}-1})$ ;
(c)

holds by repeating $r_{n}-1$ times the steps between (60) and (61);
(d)

holds because $(Y_{\mathcal{B}})_{n}-(\bar{M}_{1:n-1},X^{n},Y_{\mathcal{B}}^{n-1},S^{\prime}_% {\mathcal{B}})-(A,S)$ ;
(e)

holds because $X_{n}$ is a function of $(A,S,M^{\prime}_{1:n-1,1:r_{n-1}})$ ;
(f)

holds by repeating $n-1$ times the steps between (60) and (62).

∎

Using Lemma 6, similar to Lemma 5, one can obtain the following lemma.

Lemma 7.

Fix $b\in\mathcal{B}$ . There exists $\hat{A}(V_{b},X^{n})$ such that

\lim_{n\to\infty}\mathbb{P}[\hat{A}(V_{b},X^{n})\neq{A}]=0.

Finally, using Lemma 7, similar to (56), for any $b\in\mathcal{B}$ , one can show that $nH(X|Y_{b})\geqslant nR-o(n)$ , which implies

\displaystyle n\min_{b\in\mathcal{B}}H(X|Y_{b})\geqslant nR-o(n).

VII Concluding Remarks

We investigated multi-user commitment in two distinct settings. In the first setting, a verifier interacts with $L$ bidders, each committing to individual messages. This setting explores whether a multi-bidder protocol can outperform single-bidder protocols and time-sharing. Our results answer this question positively, and establish the sum-rate capacity when the bidders are colluding and the capacity region when they are non-colluding. In the second setting, a single bidder can interact with multiple verifiers. Our results characterize the commitment capacity, showing that positive commitment rates can still be achieved even if some verifiers drop out of the network after the commit phase, a scenario where commitment would otherwise be impossible with only a single verifier.

References

[1] R. Chou and M. R. Bloch, “Commitment over multiple-access channels,” in 58th Annual Allerton Conference on Communication, Control, and Computing (Allerton), 2022, pp. 1–6.
[2] M. Blum, “Coin flipping by telephone a protocol for solving impossible problems,” ACM SIGACT News, vol. 15, no. 1, pp. 23–27, 1983.
[3] I. Damgård, J. Kilian, and L. Salvail, “On the (im) possibility of basing oblivious transfer and bit commitment on weakened security assumptions,” in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1999, pp. 56–73.
[4] A. Winter, A. C. Nascimento, and H. Imai, “Commitment capacity of discrete memoryless channels,” in IMA International Conference on Cryptography and Coding. Springer, 2003, pp. 35–51.
[5] C. Crépeau, “Efficient cryptographic protocols based on noisy channels,” in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1997, pp. 306–317.
[6] I. Damgård, S. Fehr, K. Morozov, and L. Salvail, “Unfair noisy channels and oblivious transfer,” in Theory of Cryptography Conference. Springer, 2004, pp. 355–373.
[7] H. Imai, K. Morozov, A. C. Nascimento, and A. Winter, “Efficient protocols achieving the commitment capacity of noisy correlations,” in IEEE International Symposium on Information Theory, 2006, pp. 1432–1436.
[8] F. Oggier and K. Morozov, “A practical scheme for string commitment based on the Gaussian channel,” in IEEE Information Theory Workshop, 2008, pp. 328–332.
[9] C. Crépeau, R. Dowsley, and A. C. Nascimento, “On the commitment capacity of unfair noisy channels,” IEEE Transactions on Information Theory, vol. 66, no. 6, pp. 3745–3752, 2020.
[10] A. C. Nascimento, J. Barros, S. Skludarek, and H. Imai, “The commitment capacity of the Gaussian channel is infinite,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2785–2789, 2008.
[11] H. Tyagi and S. Watanabe, “Converses for secret key agreement and secure computing,” IEEE Transactions on Information Theory, vol. 61, no. 9, pp. 4809–4827, 2015.
[12] M. Hayashi and N. A. Warsi, “Commitment capacity of classical-quantum channels,” IEEE Transactions on Information Theory, vol. 69, no. 8, pp. 5083–5099, 2023.
[13] A. J. Budkuley, P. Joshi, M. Mamindlapally, and A. K. Yadav, “On reverse elastic channels and the asymmetry of commitment capacity under channel elasticity,” IEEE Journal on Selected Areas in Communications, vol. 40, no. 3, pp. 862–870, 2022.
[14] A. K. Yadav, M. Mamindlapally, and A. Budkuley, “Wiretapped commitment over binary channels,” in 2024 IEEE International Symposium on Information Theory (ISIT). IEEE, 2024, pp. 3528–3533.
[15] R. A. Chou and M. R. Bloch, “Retractable commitment over noisy channels,” in IEEE Information Theory Workshop (ITW), 2023, pp. 260–265.
[16] J. L. Carter and M. N. Wegman, “Universal classes of hash functions,” Journal of computer and system sciences, vol. 18, no. 2, pp. 143–154, 1979.
[17] G. Kramer, “Topics in multi-user information theory,” Foundations and Trends® in Communications and Information Theory, vol. 4, no. 4–5, pp. 265–444, 2008.
[18] R. Renner, “Security of quantum key distribution,” International Journal of Quantum Information, vol. 6, no. 01, pp. 1–127, 2008.
[19] R. A. Chou, “Distributed secret sharing over a public channel from correlated random variables,” IEEE Transactions on Information Theory, 2024.
[20] I. Csiszár and J. Körner, Information theory: Coding theorems for discrete memoryless systems. Cambridge University Press, 2011.
[21] J. Edmonds, “Submodular functions, matroids, and certain polyhedra,” Combinatorial Structures and Their Applications, 1970.

	$\displaystyle\absolutevalue{f(p_{1})-f(p_{2})}$	$\displaystyle=\absolutevalue{\\|W_{x}-W\circ p_{1}\\|-\\|W_{x}-W\circ p_{2}\\|}$
		$\displaystyle\leqslant\\|{W\circ p_{1}-W\circ p_{2}}\\|$
		$\displaystyle\leqslant\\|p_{1}-p_{2}\\|,$

$\displaystyle\Sigma(W)$	$\displaystyle=\max_{p_{X_{1}X_{2}}}H(X_{1}X_{2}\|Y)$
	$\displaystyle\geqslant H_{p^{\star}}(X_{1}X_{2}\|Y)$
	$\displaystyle=H_{p^{\star}}(X_{1}\|Y)+H_{p^{\star}}(X_{2}\|YX_{1})$
	$\displaystyle=C(W_{1})+H_{p^{\star}}(X_{2}\|YX_{1})$
	$\displaystyle\geqslant C(W_{1}),$	(23)

	$\displaystyle f_{p_{X_{\mathcal{L}}}}(\mathcal{U}\cup\mathcal{V})+f_{p_{X_{% \mathcal{L}}}}(\mathcal{U}\cap\mathcal{V})$
	$\displaystyle=H(X_{\mathcal{U}}\|Y)+H(X_{\mathcal{V}\backslash\mathcal{U}}\|YX_{% \mathcal{U}})+H(X_{\mathcal{U}\cap\mathcal{V}}\|Y)$
	$\displaystyle=H(X_{\mathcal{U}}\|Y)+H(X_{\mathcal{V}\backslash\mathcal{U}}\|YX_{% \mathcal{U}})+H(X_{\mathcal{V}}\|Y)-H(X_{\mathcal{V}\backslash\mathcal{U}}\|YX_{% \mathcal{U}\cap\mathcal{V}})$
	$\displaystyle\leqslant H(X_{\mathcal{U}}\|Y)+H(X_{\mathcal{V}}\|Y)$
	$\displaystyle=f_{p_{X_{\mathcal{L}}}}(\mathcal{U})+f_{p_{X_{\mathcal{L}}}}(% \mathcal{V}),$

	$\displaystyle I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}\|\bar{M}_{l,1:n}X^{n}_{% \ell})$		(44)
	$\displaystyle=I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{% M}_{l,n,1:r_{n}}X^{n}_{\ell})$
	$\displaystyle=I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{% M}_{l,n,1:r_{n}-1}M_{l,n,r_{n}}M^{\prime}_{l,n,r_{n}}X^{n}_{\ell})$
	$\displaystyle\leqslant I(A_{\ell}S_{\ell};Y^{n}S^{\prime}_{\ell}M^{\prime}_{l,% n,r_{n}}\|\bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}M_{l,n,r_{n}}X^{n}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(a)}}{{=}}I(A_{\ell}S_{\ell};Y^{n}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}M_{l,n,r_{n}}X^{n}_{% \ell})$
	$\displaystyle\leqslant I(A_{\ell}S_{\ell}M_{l,n,r_{n}};Y^{n}S^{\prime}_{\ell}\|% \bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}X^{n}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(b)}}{{=}}I(A_{\ell}S_{\ell};Y^{n}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}\bar{M}_{l,n,1:r_{n}-1}X^{n}_{\ell})$		(45)
	$\displaystyle\stackrel{{\scriptstyle(c)}}{{\leqslant}}I(A_{\ell}S_{\ell};Y^{n}% S^{\prime}_{\ell}\|\bar{M}_{l,1:n-1}X^{n}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(d)}}{{=}}I(A_{\ell}S_{\ell};Y^{n-1}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}X^{n}_{\ell})$
	$\displaystyle\leqslant I(A_{\ell}S_{\ell}(X_{l})_{n};Y^{n-1}S^{\prime}_{\ell}\|% \bar{M}_{l,1:n-1}X^{n-1}_{\ell})$
	$\displaystyle\stackrel{{\scriptstyle(e)}}{{=}}I(A_{\ell}S_{\ell};Y^{n-1}S^{% \prime}_{\ell}\|\bar{M}_{l,1:n-1}X^{n-1}_{\ell})$		(46)
	$\displaystyle\stackrel{{\scriptstyle(f)}}{{\leqslant}}I(A_{\ell}S_{\ell};S^{% \prime}_{\ell})$
	$\displaystyle=0,$

	$\displaystyle\mathbb{P}[\hat{a}_{\ell}(X^{n}_{\ell},M_{\ell})\neq a_{\ell}]$
	$\displaystyle=\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}[\mathds{1}\{% \hat{a}_{\ell}(X^{n}_{\ell},M_{\ell})\neq a_{\ell}\}]$
	$\displaystyle\leqslant\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}[\bar% {F}(X_{\ell}^{n},M_{\ell}\|a_{\ell})+1-{F}(X_{\ell}^{n},M_{\ell}\|a_{\ell})]$
	$\displaystyle=\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell}}\bar{F}(X_{% \ell}^{n},M_{\ell}\|a_{\ell})+\mathbb{E}_{X_{\ell}^{n}M_{\ell}\|A_{\ell}=a_{\ell% }}[1-{F}(X_{\ell}^{n},M_{\ell}\|a_{\ell})],$		(52)