
Lecture Notes in Computer Science 7582

Commenced Publication in 1973


Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Kazuo Iwama Yasuhito Kawano
Mio Murao (Eds.)

Theory of Quantum
Computation,
Communication,
and Cryptography

7th Conference, TQC 2012


Tokyo, Japan, May 17-19, 2012
Revised Selected Papers

Volume Editors

Kazuo Iwama
Kyoto University
Yoshida-Honmachi, 606-8501 Kyoto, Japan
E-mail: iwama@kuis.kyoto-u.ac.jp

Yasuhito Kawano
NTT
3-1 Morinosato Wakamiya, 243-0198 Atsugi-shi, Kanagawa, Japan
E-mail: kawano.yasuhito@lab.ntt.co.jp

Mio Murao
University of Tokyo
7-3-1 Hongo, 113-0033 Bunkyo-ku, Tokyo, Japan
E-mail: murao@phys.s.u-tokyo.ac.jp

ISSN 0302-9743 e-ISSN 1611-3349


ISBN 978-3-642-35655-1 e-ISBN 978-3-642-35656-8
DOI 10.1007/978-3-642-35656-8
Springer Heidelberg Dordrecht London New York

Library of Congress Control Number: 2012954155

CR Subject Classification (1998): F, D, C.2, G.1-2, E.3, J.2

LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues

© Springer-Verlag Berlin Heidelberg 2013


This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply,
even in the absence of a specific statement, that such names are exempt from the relevant protective laws
and regulations and therefore free for general use.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface

The Conference on Theory of Quantum Computation, Communication, and Cryptography (TQC) is an annual meeting on theoretical aspects of quantum information processing. The goal of the conference is to foster developments in this rapidly growing, interdisciplinary field by providing a forum for the presentation and discussion of original research.
The seventh iteration of TQC was held during May 17–19, 2012, at the Uni-
versity of Tokyo, Japan. It included invited talks, contributed talks, and a poster
session, as well as a rump session consisting of short talks on recent developments.
Authors of selected contributed talks were invited to submit a paper to these
proceedings.
TQC 2012 would not have been possible without the contributions of nu-
merous individuals and organizations, and we sincerely thank them for their
support.
In putting together the scientific program, we were very grateful for the hard
work and advice of the Program Committee, listed herein. We also appreciate
the help of the following additional reviewers: Johan Aaberg, Normand Beaudry,
Jop Briet, Anne Broadbent, Nicolas Brunner, Andrew Childs, Fernando de Melo,
Frédéric Dupuis, Dmitry Gavinsky, Masahito Hayashi, Rahul Jain, Zhengfeng Ji,
Elham Kashefi, Takeshi Koshiba, Lea Kraemer, Troy Lee, Yi-Kai Liu, Frederic
Magniez, Damian Markham, Christopher Portmann, Joe Renes, Giannicola
Scarpa, Cyril Stark, Xiaoming Sun, Marco Tomamichel, and Shigeru Yamashita.
Thanks should also go to the local organization team including students of Mio
Murao’s research group, University of Tokyo.
We would like to thank the invited speakers, Andris Ambainis, Fernando
Brandao, Sergey Bravyi, Yuji Hasegawa, Masahito Hayashi, John Watrous, and
Michael Wolf, for their contributions to the program.
We would like to thank the members of the Conference Series Steering Com-
mittee, Wim van Dam, Michele Mosca, Martin Roetteler, and Vlatko Vedral, for
their important advice.
TQC 2012 was made possible by financial support from the Japan Society for
the Promotion of Science (JSPS) and the University of Tokyo; we thank these
organizations for their important contributions.
Finally, we would like to thank Springer for publishing the proceedings of
TQC in the Lecture Notes in Computer Science series.

August 2012 Kazuo Iwama


Yasuhito Kawano
Mio Murao
Organization

Program Committee
Patrick Hayden McGill University, Canada
Susana Huelga University of Ulm, Germany
Kazuo Iwama Kyoto University, Japan (Chair)
Masato Koashi University of Tokyo, Japan
Barbara Kraus University of Innsbruck, Austria
Francois Le Gall University of Tokyo, Japan
Serge Massar ULB, Belgium
Kae Nemoto NII, Japan
Harumichi Nishimura Osaka Prefecture University, Japan
Robert Raussendorf University of British Columbia, Canada
Renato Renner ETH, Switzerland
Barry Sanders University of Calgary, Canada
Mario Szegedy Rutgers University, USA
Yasuhiro Takahashi NTT, Japan
Andreas Winter University of Bristol, UK and
National University of Singapore, Singapore
Ronald de Wolf CWI, The Netherlands
Shengyu Zhang Chinese University of Hong Kong, Hong Kong

Organizing Committee
Yasuhito Kawano NTT, Japan (Co-chair)
Mio Murao University of Tokyo, Japan (Co-chair)
Table of Contents

New Protocols and Lower Bounds for Quantum Secret Sharing with Graph States . . . . . 1
Jérôme Javelle, Mehdi Mhalla, and Simon Perdrix

A Quantum Protocol for Sampling Correlated Equilibria Unconditionally and without a Mediator . . . . . 13
Iordanis Kerenidis and Shengyu Zhang

An All-But-One Entropic Uncertainty Relation, and Application to Password-Based Identification . . . . . 29
Niek J. Bouman, Serge Fehr, Carlos González-Guillén, and Christian Schaffner

Optimal Counterfeiting Attacks and Generalizations for Wiesner’s Quantum Money . . . . . 45
Abel Molina, Thomas Vidick, and John Watrous

Simulating Equatorial Measurements on GHZ States with Finite Expected Communication Cost . . . . . 65
Gilles Brassard and Marc Kaplan

Testing Quantum Circuits and Detecting Insecure Encryption . . . . . 74
Bill Rosgen

Search by Quantum Walks on Two-Dimensional Grid without Amplitude Amplification . . . . . 87
Andris Ambainis, Artūrs Bačkurs, Nikolajs Nahimovs, Raitis Ozols, and Alexander Rivosh

The Effects of Free Will on Randomness Expansion . . . . . 98
Dax Enshan Koh, Michael J.W. Hall, Setiawan, James E. Pope, Artur Ekert, Alastair Kay, and Valerio Scarani

Semi-device-independent QKD Based on BB84 and a CHSH-Type Estimation . . . . . 107
Erik Woodhead, Charles Ci Wen Lim, and Stefano Pironio

On Some Special Cases of the Entropy Photon-Number Inequality . . . . . 116
Smarajit Das, Naresh Sharma, and Siddharth Muthukrishnan

Quantum Security Analysis via Smoothing of Renyi Entropy of Order 2 . . . . . 128
Masahito Hayashi

Applying a Generalization of Schur-Weyl Duality to Problems in Quantum Information and Estimation . . . . . 141
Iman Marvian and Robert W. Spekkens

Author Index . . . . . 153


New Protocols and Lower Bounds
for Quantum Secret Sharing with Graph States

Jérôme Javelle (2), Mehdi Mhalla (1,2), and Simon Perdrix (1,2)

(1) CNRS
(2) LIG, Grenoble University, France

Abstract. We introduce a new family of quantum secret sharing protocols with limited quantum resources which extends the protocols proposed by Markham and Sanders [14] and Broadbent, Chouha, and Tapp [2]. Parametrized by a graph G and a subset of its vertices A, the protocol consists in: (i) encoding the quantum secret into the corresponding graph state by acting on the qubits in A; (ii) using a classical encoding to ensure the existence of a threshold. These new protocols realize ((k, n)) quantum secret sharing, i.e., any set of at least k players among n can reconstruct the quantum secret, whereas any set of less than k players has no information about the secret. In the particular case where the secret is encoded on all the qubits, we explore the values of k for which there exists a graph such that the corresponding protocol realizes a ((k, n)) secret sharing. We show that for any threshold $k \ge n - n^{0.68}$ there exists a graph allowing a ((k, n)) protocol. On the other hand, we prove that for any $k < \frac{79}{156} n$ there is no graph G allowing a ((k, n)) protocol. As a consequence there exists n0 such that the protocols introduced by Markham and Sanders in [14] admit no threshold k when the secret is encoded on all the qubits and n > n0.

Keywords: Quantum Cryptography, Secret Sharing, Graphs, Graph States.

1 Introduction
Secret sharing schemes were independently introduced by Shamir [20] and Blak-
ley [1] and extended to the quantum case by Hillery [10] and Gottesman [4,7]. A
quantum secret sharing protocol consists in encoding a secret into a multipartite
quantum state. Each of the players of the protocol has a share which consists of
a subpart of the quantum system and/or classical bits. Authorized sets of play-
ers are those that can recover the secret collectively using classical and quantum
communications. A set of players is forbidden if they have no information about
the secret. The accessing structure is the description of the authorized and for-
bidden sets of players. The encrypted secret can be a classical bit-string or a
quantum state.
A threshold ((k, n)) quantum secret sharing protocol [10,4,7] is a protocol by
which a dealer distributes shares of a quantum secret to n players such that any

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 1–12, 2013.
© Springer-Verlag Berlin Heidelberg 2013

subset of at least k players is authorized, while any set of less than k players is forbidden. It is assumed that the dealer has only one copy of the quantum secret he wants to share. A direct consequence of the no-cloning theorem [22] is that no ((k, n)) quantum secret sharing protocol can exist when $k \le n/2$, otherwise two distinct sets of players could reconstruct the secret, implying a cloning of the quantum secret. On the other hand, for any $k > n/2$ a ((k, n)) protocol has been introduced in [4] in such a way that the dimension of each share is proportional to the number of players. The unbounded size of the share is
a strong limitation of the protocol, as a consequence several schemes of quantum
secret sharing using a bounded amount of resources for each player have been
introduced [14,2,13]. In [14] a quantum secret sharing scheme using particular
quantum states, called graph states, and such that every player receives a single
qubit, has been introduced. The graph-state-based protocols are also of interest
because graph states are at the forefront in terms of implementation and have
emerged as a powerful and elegant family of entangled states [9,21].
Only a few threshold quantum secret sharing schemes have been proved in the
literature to be achievable using graph states: ((3, 5)) can be done using a C5
graph (cycle with 5 vertices) [14], and for any n, an ((n, n)) protocol using the
complete graph can be done, up to some constraints on the quantum secret [15].
Independently [2] introduced an ((n, n)) protocol for any n. This protocol is
based on the GHZ state [8] which is locally equivalent to a complete graph state
[9].
We introduce a new family of secret sharing protocols using graph states.
Like in [14] the quantum secret is encoded into a graph state shared between
the players, but in order to obtain threshold protocols, an additional round is
added to the protocol. This round consists in encrypting the quantum secret
with a classical key which is then shared between the players using a classical
secret sharing protocol. This technique extends the one presented in [2] in which
the secret is partially encrypted and then shared using a fixed quantum state,
namely the GHZ state which is equivalent to the complete graph state. The
technique which consists in encrypting the quantum secret before to encode it
into a larger state is also used in [16] in such a way that some players have a
classical share but no quantum share.
The family of protocols we introduce in the present paper is parametrized by
a pair (G, A) where G = (V, E) is a graph and A is a non empty set of vertices of
the graph. We explore the possible values of k for which there exists a pair (G, A)
leading to a ((k, n)) protocol. One of our main results is to introduce an infinite family of graphs which can realize any ((k, n)) protocol when $k > n - n^{0.68}$. This result proves that graph state secret sharing can be used not only for ((n, n)) protocols, but also for any threshold larger than $n - n^{0.68}$. The second main result of the paper is the proof that there is no graph G such that (G, V) realizes a ((k, n)) protocol when $k < \frac{79}{156} n$. This lower bound also applies to the protocol introduced by Markham and Sanders. Moreover, it suggests that secret sharing protocols with a threshold close to half of the players cannot be achieved with shares of bounded size.
In terms of communication complexity, the protocols we introduce use a maximal share of one qubit and two classical bits (using an ideal classical secret sharing scheme) for a one-qubit secret. In the literature, upper bounds for the information rate (size of the secret divided by the size of the largest share)
for general accessing structures have been derived in [18] and the analysis of
different access structures have been studied in [19]. Independently, a hybrid
classical-quantum construction of quantum secret sharing has been recently pro-
posed in [6] where they optimize the quantum communication complexity when
the size of the secret is greater than the number of players, and as a consequence,
when the size of the shares is unbounded.
This paper is organized as follows. First, we present the schemes for sharing a
classical (cQSS) or quantum (qQSS) secret using graph states as defined in [14].
We show that these cQSS protocols are perfect (every set of players is either
authorized or forbidden), and we provide a graphical characterization of the
accessing structures for both cQSS and qQSS protocols. Then, we extend these
protocols and define a new family of perfect quantum secret sharing protocol
(qQSS*). Finally, we prove upper and lower bounds for qQSS* threshold schemes: in Section 3 we build a family of protocols that realize any ((k, n)) threshold scheme for $k > n - n^{0.68}$; and in Section 4, we prove that no qQSS* protocol can realize a ((k, n)) threshold scheme for $k < \frac{79}{156} n$. As a consequence, we derive an impossibility result for the existence of qQSS protocols.

2 Graph State Secret Sharing


2.1 Sharing a Classical Secret Using a Graph State
For a given graph G = (V, E) with vertices v_1, …, v_n, the corresponding graph state |G⟩ is an n-qubit quantum state defined as

$$|G\rangle = \frac{1}{\sqrt{2^n}} \sum_{x \in \{0,1\}^n} (-1)^{q(x)} |x\rangle \qquad (1)$$

where q(x) is the number of edges in the induced subgraph G(x) = ({v_i ∈ V | x_i = 1}, {(v_i, v_j) ∈ E | x_i = x_j = 1}).
Graph states have the following fundamental fixpoint property: given a graph G, for any vertex u ∈ V,

$$X_u Z_{N(u)} |G\rangle = |G\rangle \qquad (2)$$

where N(u) is the neighborhood of u in G, $X = |x\rangle \mapsto |\bar{x}\rangle$ and $Z = |x\rangle \mapsto (-1)^x |x\rangle$ are one-qubit Pauli operators and $Z_A = \prod_{u \in A} Z_u$ is a Pauli operator acting on the qubits in A. As a consequence, for any subset D ⊆ V of vertices, $\prod_{u \in D} X_u Z_{N(u)} |G\rangle = |G\rangle$. Since X and Z anti-commute and $Z^2 = X^2 = I$,

$$(-1)^{|D \cap Odd(D)|} X_D Z_{Odd(D)} |G\rangle = \prod_{u \in D} X_u Z_{N(u)} |G\rangle = |G\rangle \qquad (3)$$
where Odd(D) := {v ∈ V s.t. |N(v) ∩ D| = 1 mod 2} is the odd neighborhood of D. On occasion, the use of the graph G as a subscript (N_G, Odd_G) will avoid ambiguity.
We study a family of quantum protocols for sharing a classical secret (cQSS)
parametrized by a graph G and a non empty subset A of the vertices of the
graph. This family of protocols has been introduced in [14]. Obviously, sharing
a classical bit can be done using a classical scheme, like [20], instead of using
a quantum state. It has been shown recently that this family of cQSS protocols can
be simulated by purely classical schemes [11]. However, the study of the cQSS
protocols, and in particular the characterization of their accessing structure (see
corollary 1) are essential for the next sections where the sharing of a quantum
secret is considered.
To share a classical secret s ∈ {0, 1} between n players, the dealer prepares the state $|G_s\rangle = Z_A^s |G\rangle$ where |G⟩ is a graph state on n qubits, $Z_A^0$ is the identity and $Z_A^1$ consists in applying the Pauli operator Z on each qubit of A. The dealer sends each player i the qubit q_i of |G_s⟩. Regarding the reconstruction of the secret, a set B of players can recover the secret if and only if $\mathrm{tr}(\rho_B(0)\rho_B(1)) = 0$, i.e. if the set of players can distinguish perfectly between the two states ρ_B(0) and ρ_B(1), where $\rho_B(s) = \mathrm{tr}_{V \setminus B}(|G_s\rangle\langle G_s|)$ is the state of the subsystem of the players in B. On the other hand, a set B of players has no information about the secret if and only if ρ_B(0) and ρ_B(1) are indistinguishable, i.e. ρ_B(0) = ρ_B(1).
Sufficient graphical conditions for a set to be authorized or forbidden have
been proved in [12]:

Lemma 1 ([12]). Given a cQSS protocol (G, A), for any B ⊆ V ,


– If ∃D ⊆ B s.t. D ∪ Odd(D) ⊆ B and |D ∩ A| = 1 mod 2 then B is authorized.
– If ∃C ⊆ V \ B s.t. Odd(C) ∩ B = A ∩ B then B is forbidden.

According to the previous lemma, for a given set of players B ⊆ V, if ∃D ⊆ B s.t. D ∪ Odd(D) ⊆ B and |D ∩ A| = 1 mod 2 then B can recover the secret. More precisely, the players in B perform a measurement of their qubits according to the observable $(-1)^{|D \cap Odd(D)|} X_D Z_{Odd(D)}$. This measurement produces a classical outcome s ∈ {0, 1} which is the reconstructed secret [12].
We prove that the sufficient graphical conditions are actually necessary con-
ditions, and that the cQSS protocols are perfect, i.e. any set of players is either
authorized or forbidden.

Theorem 1. Given a graph G = (V, E) and A ⊆ V, for any B ⊆ V, B satisfies exactly one of the two properties:
i. ∃D ⊆ B, D ∪ Odd(D) ⊆ B and |D ∩ A| = 1 mod 2
ii. ∃C ⊆ V \ B, Odd(C) ∩ B = A ∩ B

Proof. For a given B ⊆ V, let Γ_B be the cut matrix induced by B, i.e. the submatrix of the adjacency matrix Γ of G such that the columns of Γ_B correspond to the vertices in B and its rows to the vertices in V \ B. Γ_B is the matrix representation of the linear function which maps every X ⊆ B to Γ_B.X = Odd(X) ∩ (V \ B), where the set X is identified with its characteristic column vector. Similarly, ∀Y ⊆ V \ B, Γ_{V\B}.Y = Odd(Y) ∩ B where $\Gamma_{V \setminus B} = \Gamma_B^T$ since Γ is symmetric. Moreover, notice that for any sets X, Y ⊆ V, |X ∩ Y| mod 2 is given by the matrix product $Y^T.X$ where again sets are identified with their column vector representation. Equation (i) is satisfied iff ∃D s.t.

$$\begin{pmatrix} (A \cap B)^T \\ \Gamma_B \end{pmatrix} . D = \begin{pmatrix} 1 \\ 0 \end{pmatrix}$$

which is equivalent to

$$\mathrm{rank}\begin{pmatrix} (A \cap B)^T \\ \Gamma_B \end{pmatrix} = \mathrm{rank}\begin{pmatrix} (A \cap B)^T & 1 \\ \Gamma_B & 0 \end{pmatrix} = \mathrm{rank}\begin{pmatrix} 0^T & 1 \\ \Gamma_B & 0 \end{pmatrix} = \mathrm{rank}(\Gamma_B) + 1.$$

Thus (i) is true iff π(B) = 1 where $\pi(B) := \mathrm{rank}\begin{pmatrix} (A \cap B)^T \\ \Gamma_B \end{pmatrix} - \mathrm{rank}(\Gamma_B)$. Similarly equation (ii) is satisfied iff ∃C s.t. Γ_{V\B}.C = A ∩ B iff $\mathrm{rank}(\Gamma_{V \setminus B} \,|\, A \cap B) = \mathrm{rank}(\Gamma_{V \setminus B})$. Thus (ii) is true iff π(B) = 0. Since for any B ⊆ V, π(B) ∈ {0, 1}, it follows that either (i) is true or (ii) is true. □

Corollary 1. Given a graph G = (V, E), the cQSS protocol (G, A) is perfect
and
B is authorized ⇔ ∃D ⊆ B, D ∪ Odd(D) ⊆ B and |D ∩ A| = 1 mod 2
B is forbidden ⇔ ∃C ⊆ V \ B, Odd(C) ∩ B = A ∩ B

2.2 Sharing a Quantum Secret

Following [14], the cQSS protocols are extended to qQSS schemes for sharing a quantum secret |φ⟩ = α|0⟩ + β|1⟩. Given a graph G and A a non empty subset of vertices,the dealer prepares the quantum state |G_φ⟩ = α|G_0⟩ + β|G_1⟩. Notice that the transformation |φ⟩ → |G_φ⟩ is a valid quantum evolution, i.e. an isometry, whenever |G_0⟩ is orthogonal to |G_1⟩, which is guaranteed by A ≠ ∅. Then, the dealer sends each player i the qubit q_i of |G_φ⟩. Regarding the reconstruction of the secret, it has been proved in [14] that a set B of players can recover the quantum state |φ⟩ if and only if B can reconstruct a classical secret in the two cQSS protocols (G, A) and (GΔA, A), where GΔA = (V, EΔ(A × A)) and XΔY = (X ∪ Y) \ (X ∩ Y) is the symmetric difference. In other words GΔA is obtained by complementing the edges of G incident to two vertices in A. We introduce an alternative characterization of authorized sets of players (those who are able to reconstruct a quantum secret) which does not involve the complemented graph GΔA:

Theorem 2. Given a graph G = (V, E), a set B of players is authorized in the qQSS protocol (G, A) if and only if B is authorized and V \ B is forbidden in the protocol cQSS (G, A).

Proof. First notice that for any X, if |X ∩ A| = 1 mod 2 then Odd_{GΔA}(X) = Odd_G(X)ΔA. Thus for any X, Y, if |X ∩ A| = 1 mod 2, Odd_{GΔA}(X) ∩ Y = ∅ ⟺ (Odd_G(X)ΔA) ∩ Y = ∅ ⟺ (Odd_G(X) ∩ Y)Δ(A ∩ Y) = ∅ ⟺ Odd_G(X) ∩ Y = A ∩ Y.
(⇒) Assume that B can reconstruct the quantum secret, so B can reconstruct the classical secret in GΔA. Thus ∃D ⊆ B s.t. Odd_{GΔA}(D) ∩ (V \ B) = ∅. According to the previous remark, it implies that Odd_G(D) ∩ (V \ B) = A ∩ (V \ B), so V \ B cannot reconstruct the secret.
(⇐) Assume V \ B cannot recover the classical secret and B can. So ∃C ⊆ B s.t. Odd_G(C) ∩ B = A ∩ B. If |C ∩ A| is even, let C' := CΔD where |D ∩ A| is odd and Odd_G(D) ∩ B = ∅. Such a set D exists since B can reconstruct the classical secret in G. If |C ∩ A| is odd, then let C' := C. In both cases, |C' ∩ A| = 1 mod 2 and Odd_G(C') ∩ B = A ∩ B, so according to the previous remark, Odd_{GΔA}(C') ∩ B = ∅; as a consequence B is authorized in GΔA. □

In any pure quantum secret sharing protocol a set of players can reconstruct a
quantum secret if and only if its complement set of players has no information
about the secret (see [7]). As a consequence:

Corollary 2. Given a qQSS protocol (G, A), a set B of players is forbidden if and only if B is forbidden and V \ B is authorized in the protocol cQSS (G, A).

Sets of players that can reconstruct the secret and those who have no information about the secret admit a simple graphical characterisation thanks to the simple reduction to the classical case. However, unlike the cQSS case, there is a third kind of set of players: those who have some information about the secret but not enough to reconstruct the secret perfectly. For instance, for any n > 1 consider the qQSS protocol (K_n, {v_1, …, v_n}) where K_n is the complete graph on the n vertices v_1, …, v_n. For any set B of vertices s.t. |B| ≠ 0 and |B| ≠ n, neither B nor V \ B can reconstruct a classical secret in the corresponding cQSS protocol, so B cannot reconstruct the quantum secret perfectly but has some information about the secret.

Corollary 3. Given a graph G = (V, E), the qQSS protocols (G, A) and (GΔA, A) have the same accessing structure. In particular, the protocols (G, V) and ($\bar{G}$, V) have the same accessing structure, where $\bar{G}$ is the complement graph of G.

2.3 Threshold Schemes


Given a graph G = (V, E) on n vertices and a non empty A ⊆ V, the accessing structure of the qQSS protocol (G, A) can be characterized. For secret sharing protocols, it is often interesting to focus on ((k, n)) threshold protocols. In [7], it has been proved that if the dealer is sending a pure quantum state to the players, like in the qQSS protocols, then the threshold, if it exists, should be equal to $\frac{n+1}{2}$ where n is the number of players. This property, which is derived from the no-cloning theorem, is very restrictive. It turns out that there is a unique threshold for which a qQSS protocol is known. This protocol is a ((3,5)) scheme using as graph the cycle graph on 5 vertices. However, in general a qQSS protocol corresponds to a ramp secret sharing scheme [17] where any set of players smaller than n − k is forbidden and any set greater than k is authorized.
In this section we show how these ramp schemes can be turned into threshold schemes by adding a classical secret sharing round. First we define graphical properties that are used to characterize the access structures, then we prove that it is possible to build quantum threshold schemes by defining the protocols qQSS* that encode the quantum secret in a subset of vertices A. Finally we motivate the analysis of the case where the secret is encoded on all the vertices by giving a reduction from the general case where A is an arbitrary non empty subset of vertices.
Definition 1. Given a graph G = (V, E) of order n and A ⊆ V a non empty subset of vertices, let κ_Q(G, A) be the minimal integer such that for any B ⊆ V, if |B| > κ_Q(G, A) then ∃C_B, D_B ⊆ B such that: |D_B ∩ A| = 1 mod 2, Odd(D_B) ⊆ B and Odd(C_B) ∩ B = A ∩ B. We also define $\bar{\kappa}_Q(G, A) = n - \kappa_Q(G, A)$.
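As an added illustration (not code from the paper), the following Python computes the cQSS accessing structure of a small graph with the rank test π(B) from the proof of Theorem 1, cross-checks it against a brute-force search for the witness set D of Corollary 1, derives the qQSS status of every set through Theorem 2 and Corollary 2, and evaluates κ_Q(G, A) (Definition 1, read through the Theorem 2 characterization) as the largest size of a set that is not qQSS-authorized. The graphs C5 and K3 are constructed sample inputs and all function names are my own.

```python
from itertools import combinations

# Constructed sample graphs (vertices 0..n-1): the 5-cycle C5 behind the ((3,5)) scheme
# of Markham and Sanders, and the complete graph K3 from the K_n example of Section 2.2.
C5 = (5, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
K3 = (3, [(0, 1), (1, 2), (0, 2)])
V5 = {0, 1, 2, 3, 4}

def nbhd(edges, u):
    """N(u): the neighbours of vertex u."""
    return {b if a == u else a for a, b in edges if u in (a, b)}

def odd(graph, d):
    """Odd(D) = {v in V : |N(v) & D| is odd}, the odd neighbourhood of D."""
    n, edges = graph
    return {v for v in range(n) if len(nbhd(edges, v) & set(d)) % 2 == 1}

def gf2_rank(rows):
    """Rank over GF(2) of row vectors given as bitmasks (elimination on leading bits)."""
    pivots = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]
    return len(pivots)

def pi(graph, a, b):
    """pi(B) = rank[(A&B)^T ; Gamma_B] - rank(Gamma_B), as in the proof of Theorem 1.
    Columns are the vertices of B; the rows of the cut matrix Gamma_B are those of V \\ B."""
    n, edges = graph
    cols = sorted(b)

    def row(vertices):  # characteristic row vector of a vertex set over the columns B
        return sum(1 << i for i, u in enumerate(cols) if u in vertices)

    cut = [row(nbhd(edges, v)) for v in range(n) if v not in b]
    return gf2_rank([row(set(a) & set(b))] + cut) - gf2_rank(cut)

def cqss_authorized(graph, a, b):
    """Corollary 1 via Theorem 1: B is authorized in cQSS (G, A) iff pi(B) = 1, forbidden iff 0."""
    return pi(graph, a, b) == 1

def cqss_witness(graph, a, b):
    """Brute-force Lemma 1: a set D with D u Odd(D) inside B and |D & A| odd, or None."""
    b = set(b)
    for r in range(1, len(b) + 1):
        for d in combinations(sorted(b), r):
            if len(set(d) & set(a)) % 2 == 1 and odd(graph, d) <= b:
                return set(d)
    return None

def rank_matches_search(graph, a):
    """Cross-check of Theorem 1: the rank test and the witness search agree on every B."""
    n, _ = graph
    return all(cqss_authorized(graph, a, b) == (cqss_witness(graph, a, b) is not None)
               for r in range(n + 1) for b in combinations(range(n), r))

def qqss_status(graph, a, b):
    """Theorem 2 / Corollary 2: B is authorized in qQSS (G, A) iff B is authorized and V \\ B
    forbidden in cQSS (G, A); forbidden iff the reverse; otherwise B has partial information."""
    n, _ = graph
    b = set(b)
    mine = cqss_authorized(graph, a, b)
    theirs = cqss_authorized(graph, a, set(range(n)) - b)
    if mine and not theirs:
        return "authorized"
    if theirs and not mine:
        return "forbidden"
    return "partial"

def kappa_q(graph, a):
    """kappa_Q(G, A) of Definition 1, read through Theorem 2: the least value such that every
    B with |B| above it is qQSS-authorized, i.e. the largest size of a non-authorized set."""
    n, _ = graph
    return max(len(b) for r in range(n + 1) for b in combinations(range(n), r)
               if qqss_status(graph, a, b) != "authorized")

def is_threshold(graph, a, k):
    """Does qQSS (G, A) realise ((k, n)): every |B| >= k authorized and every |B| < k forbidden?"""
    n, _ = graph
    return all(qqss_status(graph, a, b) == ("authorized" if len(b) >= k else "forbidden")
               for r in range(n + 1) for b in combinations(range(n), r))
```

For C5 with the secret on every qubit, kappa_q(C5, V5) returns 2, so Theorem 3 yields a ((3,5)) scheme and is_threshold(C5, V5, 3) holds, while every proper non-empty subset of K3 comes back "partial", matching the K_n discussion of Section 2.2.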
Theorem 3. Given a graph G over n vertices, a non empty subset of vertices A, and an integer k > κ_Q(G, A), there exists a ((k + c, n + c)) quantum secret sharing protocol for any c ≥ 0 in which the dealer sends one qubit to n players and uses a (k + c)-threshold classical secret sharing scheme on the n + c players.
The rest of the section is dedicated to defining a family of protocols called qQSS* satisfying the theorem.
Inspired by the work of Broadbent, Chouha and Tapp [2], we extend the qQSS scheme by adding a classical reconstruction part. In [2], a family of unanimity (i.e. the threshold is the number of players) quantum secret sharing protocols has been introduced. They use a GHZ state which is equivalent to the graph state |K_n⟩ where K_n is the complete graph on n vertices. We extend this construction to any graph, using also a more general initial encryption of the quantum secret.
Quantum Secret Sharing with Graph States and Classical Reconstruction (qQSS*). Given a graph G = (V, E), a non empty A ⊆ V, and k > κ_Q(G, A), suppose the dealer wishes to share the quantum secret |φ⟩ = α|0⟩ + β|1⟩.
– Encryption. The dealer chooses uniformly at random b_x, b_z ∈ {0, 1} and applies $X^{b_x} Z^{b_z}$ on |φ⟩. The resulting state is $|\phi'\rangle = \alpha |b_x\rangle + \beta (-1)^{b_z} |\bar{b}_x\rangle$.
– Graph State Embedding. The dealer embeds |φ'⟩ into the n-qubit state $\alpha |G_{b_x}\rangle + \beta (-1)^{b_z} |G_{\bar{b}_x}\rangle$.
– Distribution. The dealer sends each player i the qubit q_i. Moreover, using a classical secret sharing scheme with a threshold k, the dealer shares the bits b_x, b_z.
– Reconstruction. The reconstruction of the secret for a set B of players s.t. |B| ≥ k is in 3 steps: first the set D_B such that D ∪ Odd(D) ⊆ B and |D ∩ A| is odd is used to add an ancillary qubit and put the overall system in an appropriate state; then C_B such that Odd(C) ∩ (V \ B) = A ∩ (V \ B) is used to disentangle the ancillary qubit from the rest of the system; finally the classical bits b_x and b_z are used to recover the secret:
– (a) The players in B apply on their qubits the isometry $U_{D_B} := |0\rangle \otimes P_0 + |1\rangle \otimes P_1$ where the P_i are the projectors associated with the observable $O_{D_B} = (-1)^{|D_B \cap Odd(D_B)|} X_{D_B} Z_{Odd(D_B)}$, i.e. $P_i := \frac{I + (-1)^i O_{D_B}}{2}$. The resulting state is $\alpha |b_x\rangle \otimes |G_{b_x}\rangle + \beta (-1)^{b_z} |\bar{b}_x\rangle \otimes |G_{\bar{b}_x}\rangle$.
– (b) The players in B apply the controlled unitary map $\Lambda V_{C_B} = |0\rangle\langle 0| \otimes I + |1\rangle\langle 1| \otimes V_{C_B}$, where $V_C := (-1)^{|C \cap Odd(C)|} X_C Z_{Odd(C) \Delta A}$. The resulting state is $\alpha |b_x\rangle \otimes |G\rangle + \beta (-1)^{b_z} |\bar{b}_x\rangle \otimes |G\rangle = (\alpha |b_x\rangle + \beta (-1)^{b_z} |\bar{b}_x\rangle) \otimes |G\rangle$.
– (c) Thanks to the classical secret sharing scheme, the players in B recover the bits b_x and b_z. They apply $X^{b_x}$ and then $Z^{b_z}$ for reconstructing the quantum secret α|0⟩ + β|1⟩ on the ancillary qubit.
Note that this reconstruction method can be used for the qQSS protocols defined
in [12] and for which the reconstruction part was not explicitly defined.
Lemma 2. Given a graph G = (V, E), a non empty A ⊆ V, and k > κ_Q(G, A), the corresponding qQSS* protocol is a ((k, n)) secret sharing protocol, where n = |V|.
Proof. The classical encoding ensures that any set of size smaller than k is forbidden. O_{D_B} is acting on the qubits D_B ∪ Odd(D_B) ⊆ B. Moreover $P_i |G_s\rangle = |G_s\rangle$ if i = s and 0 otherwise, so the application of the isometry U_{D_B} produces the state $\alpha |b_x\rangle \otimes |G_{b_x}\rangle + \beta (-1)^{b_z} |\bar{b}_x\rangle \otimes |G_{\bar{b}_x}\rangle$. Regarding step (b) of the reconstruction, since Odd(C) ∩ (V \ B) = A ∩ (V \ B), C ∪ (Odd(C)ΔA) ⊆ B, so V_C is acting on the qubits in B. Moreover V_C produces the state $(\alpha |b_x\rangle + \beta (-1)^{b_z} |\bar{b}_x\rangle) \otimes |G\rangle$. Finally the classical secret sharing scheme guarantees that the players in B have access to b_x and b_z so that they reconstruct the secret. □
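An added state-vector simulation (not the paper's code) of the qQSS* reconstruction steps (a), (b), (c) and of the claims in the proof of Lemma 2, on the constructed example C5 with A = V, for the authorized set B = {0, 1, 2} with witnesses D_B = {1} and C_B = {0, 2}. O_D and V_C are applied literally as the product ∏_{u∈D} X_u Z_{N(u)} of equation (3) (times Z_A for V_C), the ancilla is qubit 5, and all function names are my own.

```python
from itertools import product

# Constructed example: the 5-cycle C5 with the secret encoded on every qubit (A = V), the
# ((3,5)) setting of Markham and Sanders. Qubits 0..4 hold the graph state; qubit 5 (ANC)
# is the ancilla the players add in step (a). States are dicts {basis tuple: amplitude}.
N, ANC = 5, 5
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
A = {0, 1, 2, 3, 4}

def nbhd(u):
    return {b if a == u else a for a, b in EDGES if u in (a, b)}  # N(u)

def odd(d):
    return {v for v in range(N) if len(nbhd(v) & set(d)) % 2 == 1}  # Odd(D)

def graph_state():
    """|G>|0>_anc with |G> = 2^{-n/2} sum_x (-1)^{q(x)} |x>, q(x) = #edges inside x (eq. (1))."""
    q = lambda x: sum(1 for a, b in EDGES if x[a] and x[b])
    return {x + (0,): (-1) ** q(x) / 2 ** (N / 2) for x in product((0, 1), repeat=N)}

def apply_z(state, qubits):
    return {x: amp * (-1) ** sum(x[i] for i in qubits) for x, amp in state.items()}

def apply_x(state, qubits):
    out = {}
    for x, amp in state.items():
        y = tuple(bit ^ 1 if i in qubits else bit for i, bit in enumerate(x))
        out[y] = out.get(y, 0) + amp
    return out

def add(s, t, c=1):
    """Return s + c*t."""
    out = dict(s)
    for x, amp in t.items():
        out[x] = out.get(x, 0) + c * amp
    return out

def stabilizer_product(state, d):
    """prod_{u in D} X_u Z_{N(u)}: the operator of equation (3), which fixes |G> for every D."""
    for u in sorted(d):
        state = apply_x(apply_z(state, nbhd(u)), {u})
    return state

def share(alpha, beta, bx, bz):
    """Encryption + embedding: alpha|G_bx> + beta(-1)^bz |G_{1-bx}>, with |G_1> = Z_A|G>."""
    g = [graph_state(), apply_z(graph_state(), A)]
    return add({x: alpha * amp for x, amp in g[bx].items()}, g[1 - bx], beta * (-1) ** bz)

def step_a(state, d):
    """U_D: |0>(x)P_0 psi + |1>(x)P_1 psi with P_i = (I + (-1)^i O_D)/2; the ancilla starts in |0>."""
    o = stabilizer_product(state, d)
    p0 = {x: 0.5 * amp for x, amp in add(state, o).items()}
    p1 = {x: 0.5 * amp for x, amp in add(state, o, -1).items()}
    return add(p0, apply_x(p1, {ANC}))

def step_b(state, c):
    """Controlled V_C on ancilla 1, V_C = (-1)^{|C & Odd(C)|} X_C Z_{Odd(C) delta A} = O_C Z_A."""
    on = {x: amp for x, amp in state.items() if x[ANC] == 1}
    off = {x: amp for x, amp in state.items() if x[ANC] == 0}
    return add(off, stabilizer_product(apply_z(on, A), c))

def step_c(state, bx, bz):
    """Remove the pad on the ancilla: X^bx then Z^bz."""
    if bx:
        state = apply_x(state, {ANC})
    return apply_z(state, {ANC}) if bz else state

def reconstruction_error(alpha, beta, bx, bz, d, c, key=None):
    """Share with pad (bx, bz), run (a)-(c) with witnesses D, C and the classical key
    (defaulting to the true pad); return the largest amplitude deviation from
    (alpha|0> + beta|1>)_anc (x) |G>, the state Lemma 2 says the players end up with."""
    kx, kz = key if key is not None else (bx, bz)
    final = step_c(step_b(step_a(share(alpha, beta, bx, bz), d), c), kx, kz)
    target = add({x: alpha * amp for x, amp in graph_state().items()},
                 apply_x(graph_state(), {ANC}), beta)
    return max(abs(final.get(x, 0) - target.get(x, 0)) for x in set(final) | set(target))

# Authorized set B = {0,1,2} with D_B = {1} (Odd({1}) = {0,2}) and C_B = {0,2}
# (Odd({0,2}) = {3,4} = A & (V\B)); both D u Odd(D) and C u (Odd(C) delta A) lie inside B.
B, D, C = {0, 1, 2}, {1}, {0, 2}

def witnesses_ok(b, d, c):
    """Locality conditions of the reconstruction step: D u Odd(D) and C u (Odd(C) delta A) in B."""
    return ((set(d) | odd(d)) <= b and len(set(d) & A) % 2 == 1 and (set(c) | (odd(c) ^ A)) <= b)

def fixpoint_error(d):
    """Equation (3): prod_{u in D} X_u Z_{N(u)} |G> = |G>, checked as a max amplitude deviation."""
    g, og = graph_state(), stabilizer_product(graph_state(), d)
    return max(abs(og.get(x, 0) - g.get(x, 0)) for x in set(g) | set(og))

def worst_case_error():
    """Largest deviation over the four possible pads (bx, bz) with the correct key."""
    return max(reconstruction_error(0.6, 0.8j, bx, bz, D, C) for bx in (0, 1) for bz in (0, 1))

def error_without_key():
    """Players who skip step (c) (no classical shares) are left with the padded state."""
    return reconstruction_error(0.6, 0.8j, 1, 1, D, C, key=(0, 0))
```

worst_case_error() is at floating-point noise, while error_without_key() is of the order of a graph-state amplitude, which is the point of the classical round: the witnesses D_B and C_B alone leave the players with the one-time-padded secret.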
Proof of Theorem 3. The correctness of the qQSS* protocol implies that
given a graph G = (V, E) of order n, a non empty A ⊆ V , and k > κQ (G, A),
the corresponding qQSS* protocol is a ((k, n)) secret sharing protocol. In order
to finish the proof of Theorem 3 this protocol is turned into a ((k + c, n + c))
protocol for any c ≥ 0. The qQSS* protocol is modified as follows, following the
technique used in [16]. During the distribution stage, the dealer shares bx and bz
with all the n + c players with a threshold k + c, but sends a qubit of the graph
state to only n players chosen at random among the n + c players. During the
reconstruction, a set of k + c players must contain at least k players having a
qubit. These k players use the reconstruction steps (a) and (b) and then the last
step (c) is done by all the k + c players. 
In the next sections, we focus on the protocols of the form (G, V), where G = (V, E). This restriction is motivated by the fact that, for any (G, A), there exists a graph G' = (V', E') such that $\bar{\kappa}_Q(G', V') = \bar{\kappa}_Q(G, A)$. In other words:
Theorem 4. If (G, A) realizes a ((k, n)) qQSS* protocol, then there exists G' = (V', E') such that (G', V') realizes a ((2n − k + 1, 3n − 2k + 1)) qQSS* protocol, i.e. both the threshold and the number of players are increased by 2n − 2k + 1.
Proof. Let G' = (V', E') be the graph G = (V, E) augmented with an independent set X of size n − k and a clique Y of size n − k + 1, such that every vertex in Y is connected to all the vertices in X ∪ (V \ A).

Let B ⊆ V' s.t. |B| = 2n − k + 1. Since |B ∩ V| ≥ k, ∃C, D ⊆ B ∩ V s.t. |D ∩ A| = 1 mod 2, Odd(D) ∩ V ⊆ B ∩ V, and (Odd(C) ∩ V' \ B) ∩ V = (A ∩ V' \ B) ∩ V. We construct C', D' ⊆ V' s.t. |D'| = 1 mod 2, Odd(D') ⊆ B and Odd(C') ∩ V' \ B = V' \ B as follows:
– if |D| = 1 mod 2 then |D ∩ V' \ A| = 0 mod 2 so Odd(D) ∩ Y = ∅, thus D' := D.
– if |D| = 0 mod 2 and B ∩ X ≠ ∅, then Y ⊆ Odd(D) and for any x ∈ X ∩ B, Odd(D ∪ {x}) = Odd(D)ΔN(x) ⊆ B, so D' := D ∪ {x}.
– if |D| = 0 mod 2 and B ∩ X = ∅, then B = V' \ X, so for any u ∈ V, Odd({u}) ⊆ B, thus D' := {u}.
– if |C| = 0 mod 2 then Odd(C) ∩ V' \ B = A ∩ V' \ B, thus for any y ∈ Y ∩ B, Odd(C ∪ {y}) ∩ V' \ B = V' \ B, so C' := C ∪ {y}.
– if |C| = 1 mod 2 and X ∩ B ≠ ∅ then for any (x, y) ∈ (X ∩ B) × (Y ∩ B), Odd(C ∪ {x} ∪ {y}) ∩ V' \ B = V' \ B, so C' := C ∪ {x} ∪ {y}.
– if |C| = 1 mod 2 and X ∩ B = ∅ then V' \ B = X, so for any y ∈ Y, Odd({y}) ∩ V' \ B = V' \ B, so C' := {y}. □

In the following, for any G = (V, E), we consider protocols of the form (G, A) where A = V; as a consequence A is omitted in the notations, e.g., κ_Q(G) (resp. $\kappa_Q(\overline{G})$) denotes κ_Q(G, V) (resp. $\kappa_Q(\overline{G}, V)$).

3 Building ((n − n^{0.68}, n))-qQSS* Protocols

We give a construction of an infinite family of quantum secret sharing schemes ((k, n)) where k = n − n^{log(3)/log(5)} < n − n^{0.68}. To achieve this, we build a family of graphs G_i such that, for all i, κ_Q(G_i) ≥ n^{0.68}, where n is the order of G_i. This construction is defined recursively from the cycle over 5 vertices (C_5), which was used by Markham and Sanders [14] to build a ((3,5)) quantum secret sharing protocol.
We recall the definition of the lexicographic product • of two graphs. Given G_1 = (V_1, E_1) and G_2 = (V_2, E_2), G_1 • G_2 = (V, E) is defined by V := V_1 × V_2 and E := {((u_1, u_2), (v_1, v_2)) | (u_1, v_1) ∈ E_1 or (u_1 = v_1 ∧ (u_2, v_2) ∈ E_2)}. In other terms, the graph G_1 • G_2 is the graph G_1 whose vertices are replaced by copies of the graph G_2, and whose edges are replaced by complete bipartite connections between two copies of the graph G_2.
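As an added illustration (my code, not the paper's), the following Python builds the lexicographic product from the definition above, computes odd neighbourhoods, and brute-forces the accessibility conditions this page works with for protocols of the form (G, V): a set B can reconstruct if some odd-size D ⊆ B has Odd(D) ⊆ B and some C ⊆ B has V \ B ⊆ Odd(C). That reading of the conditions (taken from Lemma 4 and from the sets D_B and C_B in the proof of Lemma 3) is an assumption of the example. Run on C_5 it recovers the ((3,5)) threshold mentioned in the text, and the product C_5 • C_5 comes out with the 25 vertices and 150 edges the definition predicts.

```python
from itertools import combinations, product

# A graph is (vertex list, set of frozenset edges); vertex labels only need to be
# hashable and mutually comparable (ints, or tuples of ints for product graphs).

def cycle(n):
    """The cycle C_n on vertices 0 .. n-1."""
    return list(range(n)), {frozenset((i, (i + 1) % n)) for i in range(n)}

def neighbours(graph, v):
    _, edges = graph
    return {next(iter(e - {v})) for e in edges if v in e}

def odd(graph, D):
    """Odd(D): the vertices having an odd number of neighbours in D."""
    vertices, _ = graph
    D = set(D)
    return {v for v in vertices if len(neighbours(graph, v) & D) % 2 == 1}

def lex_product(g1, g2):
    """G1 . G2 as defined in the text: V = V1 x V2, and (u1,u2) ~ (v1,v2) iff
    u1 ~ v1 in G1, or u1 = v1 and u2 ~ v2 in G2."""
    (v1s, e1), (v2s, e2) = g1, g2
    vertices = list(product(v1s, v2s))
    edges = set()
    for u, v in combinations(vertices, 2):
        if frozenset((u[0], v[0])) in e1 or (u[0] == v[0] and frozenset((u[1], v[1])) in e2):
            edges.add(frozenset((u, v)))
    return vertices, edges

def subsets(S, smallest=0):
    S = sorted(S)
    for r in range(smallest, len(S) + 1):
        yield from combinations(S, r)

def is_authorized(graph, B):
    """Assumed accessibility condition for (G, V): an odd-size D in B with Odd(D) in B,
    and a C in B whose odd neighbourhood covers every vertex outside B."""
    vertices, _ = graph
    B = set(B)
    outside = set(vertices) - B
    has_D = any(len(D) % 2 == 1 and odd(graph, D) <= B for D in subsets(B, 1))
    has_C = any(outside <= odd(graph, C) for C in subsets(B))
    return has_D and has_C

def threshold(graph):
    """Smallest k such that every k-subset of V is authorized (brute force; small graphs only)."""
    vertices, _ = graph
    for k in range(1, len(vertices) + 1):
        if all(is_authorized(graph, B) for B in combinations(vertices, k)):
            return k
    return None

if __name__ == "__main__":
    c5 = cycle(5)
    print("threshold of C5:", threshold(c5))          # 3, i.e. the ((3,5)) scheme
    V, E = lex_product(c5, c5)
    print("C5 . C5 has", len(V), "vertices and", len(E), "edges")
```

The brute force is exponential in |B|, so it is only meant for checking small instances such as C_5; the product graphs of Theorem 5 grow as 5^i and need the structural argument of Lemma 3 rather than enumeration.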

Lemma 3. For any two graphs G_1, G_2, κ_Q(G_1 • G_2) ≥ κ_Q(G_1)·κ_Q(G_2).

Proof. First we show that for any set B ⊆ V of size k with k = n_1 n_2 − κ_Q(G_1)κ_Q(G_2) + 1 there exists a set D_B such that |D_B| = 1 mod 2 and Odd(D_B) ⊆ B. For any set B ⊆ V and any vertex v_1 ∈ V_1, let B_2(v_1) = {v_2 ∈ V_2 s.t. (v_1, v_2) ∈ B} and B_1 = {v_1 ∈ V_1 s.t. |B_2(v_1)| > κ_Q(G_2)}. We claim that for every set B ⊆ V of size |B| = k, the size of the set B_1 satisfies |B_1| > κ_Q(G_1). By contradiction, notice that $B = \bigcup_{v_1 \in V_1,\; v_2 \in B_2(v_1)} \{(v_1, v_2)\}$. Therefore $|B| = |V| - \sum_{v_1 \in B_1} |V_2 \setminus B_2(v_1)| - \sum_{v_1 \in V_1 \setminus B_1} |V_2 \setminus B_2(v_1)|$. Thus |B| ≤ n_1 n_2 − |V_1 \ B_1|·κ_Q(G_2) ≤ k − 1 if |B_1| < κ_Q(G_1). Now we consider any set B ⊆ V of size |B| = k. As |B_1| ≥ k_1, there exists a set D_1 ⊆ B_1 with |D_1| = 1 mod 2 and D_1 ∪ Odd(D_1) ⊆ B_1.

10 J. Javelle, M. Mhalla, and S. Perdrix

Furthermore, for any v_1 ∈ B_1, |B_2(v_1)| > κ_Q(G_2) and thus there exists D_2(v_1) ⊆ B_2(v_1) with |D_2(v_1)| = 1 mod 2 and D_2(v_1) ∪ Odd(D_2(v_1)) ⊆ B_2(v_1), and there exists C_2(v_1) ⊆ B_2(v_1) with V_2 \ B_2(v_1) ⊆ Odd(C_2(v_1)). Let C_2^0(v_1) = C_2(v_1) if |C_2(v_1)| = 0 mod 2 and C_2(v_1)ΔD_2(v_1) otherwise, and let C_2^1(v_1) = C_2^0(v_1)ΔD_2(v_1). We partition V_1 into 4 subsets and define for any vertex v_1 a set S_2(v_1) ⊆ V_2 as follows:

$$S_2(v_1) = \begin{cases} D_2(v_1) & \text{if } v_1 \in D_1 \cap (V_1 \setminus \mathrm{Odd}(D_1)) \\ C_2^1(v_1) & \text{if } v_1 \in D_1 \cap \mathrm{Odd}(D_1) \\ \emptyset & \text{if } v_1 \in (V_1 \setminus D_1) \cap (V_1 \setminus \mathrm{Odd}(D_1)) \\ C_2^0(v_1) & \text{if } v_1 \in (V_1 \setminus D_1) \cap \mathrm{Odd}(D_1) \end{cases}$$

Consider the set $D_B = \bigcup_{v_1 \in V_1} \{v_1\} \times S_2(v_1)$. Then D_B ⊆ B and

$$|D_B| = \sum_{v_1 \in D_1 \cap (V_1 \setminus \mathrm{Odd}(D_1))} |D_2(v_1)| + \sum_{v_1 \in D_1 \cap \mathrm{Odd}(D_1)} |C_2^1(v_1)| + \sum_{v_1 \in (V_1 \setminus D_1) \cap \mathrm{Odd}(D_1)} |C_2^0(v_1)|.$$

Therefore |D_B| = |D_1| = 1 mod 2. For each v = (v_1, v_2) ∈ V \ B, $|N_G(v) \cap D_B| = |N_{G_2}(v_2) \cap S_2(v_1)| + \sum_{u_1 \in N_{G_1}(v_1)} |S_2(u_1)|$. If u_1 ∈ V_1 \ D_1 then |S_2(u_1)| = 0 mod 2, thus |N_G(v) ∩ D_B| = |N_{G_2}(v_2) ∩ S_2(v_1)| + |N_{G_1}(v_1) ∩ D_1| mod 2. Furthermore, if v_1 ∈ V_1 \ Odd(D_1), |N_{G_2}(v_2) ∩ S_2(v_1)| = |N_{G_1}(v_1) ∩ D_1| = 0 mod 2, and if v_1 ∈ Odd(D_1), |N_{G_2}(v_2) ∩ S_2(v_1)| = |N_{G_1}(v_1) ∩ D_1| = 1 mod 2. Therefore |N_G(v) ∩ D_B| = 0 mod 2, which implies that D_B ∪ Odd(D_B) ⊆ B. Furthermore, we use the property of the lexicographic product $\overline{G_1 \bullet G_2} = \overline{G_1} \bullet \overline{G_2}$. From Corollary 3 and Theorem 3, $\kappa_Q(\overline{G_1}) = \kappa_Q(G_1)$ and $\kappa_Q(\overline{G_2}) = \kappa_Q(G_2)$. Therefore, in $\overline{G_1 \bullet G_2}$ there exists a set D'_B whose odd neighborhood in that complementary graph satisfies $\mathrm{Odd}_{\overline{G_1 \bullet G_2}}(D'_B) \cap (V \setminus B) = \emptyset$, thus $\mathrm{Odd}_{G_1 \bullet G_2}(D'_B) \cap (V \setminus B) = V \setminus B$, and D'_B is a valid C_B (as used in Definition 1) to define a ((k, n)) qQSS* protocol. □
Theorem 5. For all i ∈ ℕ*, the graph C_5^{•i} = C_5 • C_5 • ··· • C_5 (i times) realizes a ((n − n^{log(3)/log(5)} + 1, n)) protocol (with n = 5^i).

[Figure: C_5^{•(i+1)} is obtained from C_5 by replacing each of its five vertices with a copy of C_5^{•i}.]

Proof. An induction from Lemma 3 gives κ_Q(C_5^{•i}) ≥ κ_Q(C_5)^i. Since κ_Q(C_5) = 3, κ_Q(C_5^{•i}) ≥ 3^i. We have |C_5^{•i}| = 5^i, so, thanks to Theorem 3, the graph C_5^{•i} realizes a ((n − n^{log(3)/log(5)} + 1, n)) protocol (with n = 5^i). □

4 Lower Bound

By the no-cloning theorem, it is not possible to obtain two separate copies of the secret starting from only one copy. Thus, if we consider a quantum secret sharing protocol with parameters ((k, n)), we must have k > n/2. We derive here less trivial lower bounds for the qQSS* protocols and for the qQSS protocols defined in [14].

Lemma 4. If G = (V, E) realizes a qQSS* ((k, n)) protocol, then for any set B ⊆ V of size k, there exists a set X ⊆ B such that |X| ≤ (2/3)(n − k + 1) and either (X ∪ Odd(X) ⊆ B and |X| = 1 mod 2) or V \ B ⊆ Odd(X).

Proof. First, let Γ_B ∈ M_{k,n−k}(F_2) be the cut matrix of G corresponding to the cut (B, V \ B). We can see Γ_B as the linear map that maps a set D ⊆ B to its odd neighborhood in V \ B. Consequently, any set D with D ∪ Odd(D) ⊆ B corresponds to a linear combination of the columns of the matrix Γ_B which equals the null vector. Therefore, {D ⊆ B, D ∪ Odd(D) ⊆ B} = Ker(Γ_B), and t = dim(Ker(Γ_B)) = k − dim(Im(Γ_B)) ≥ 2k − n. As |XΔY| = |X| + |Y| mod 2, the sets 𝒟_1 = {D ⊆ B, |D| = 1 mod 2 and D ∪ Odd(D) ⊆ B} and 𝒞_1 = {C ⊆ B, C ∪ (V \ Odd(C)) ⊆ B} are two affine subspaces having the same underlying vector subspace 𝒟_0 = {D ⊆ B, |D| = 0 mod 2 and D ∪ Odd(D) ⊆ B}. The dimension of 𝒟_0 is t − 1; therefore, by Gaussian elimination, there exists a set X_0 ⊆ B, |X_0| = t − 1, such that there exist sets C_1 ∈ 𝒞_1 and D_1 ∈ 𝒟_1 satisfying X_0 ∩ C_1 = X_0 ∩ D_1 = ∅. Thus |C_1 ∪ D_1| ≤ k − t + 1 ≤ n − k + 1. Therefore 2|D_1 ∪ C_1| = |D_1| + |C_1| + |D_1ΔC_1| ≤ 2(n − k + 1), which implies that one of the three sets has cardinality at most 2(n − k + 1)/3. As D_1 ∪ Odd(D_1) ⊆ B with |D_1| = 1 mod 2, C_1 ∪ (V \ Odd(C_1)) ⊆ B, and (D_1ΔC_1) ∪ (V \ Odd(D_1ΔC_1)) ⊆ B, at least one of them is a set X as required, of cardinality at most 2(n − k + 1)/3. □
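To make the linear-algebra step of this proof concrete, here is an added Python example (mine, not the authors' code) that builds Γ_B as a 0/1 matrix over F_2, runs Gaussian elimination to obtain Ker(Γ_B) together with a solution of Γ_B·1_C = 1, and so produces an odd-size D with D ∪ Odd(D) ⊆ B and a C with V \ B ⊆ Odd(C) for a given B. The graph helpers and the C_5 instance are constructed for the demonstration; orienting Γ_B with rows indexed by V \ B and columns by B is my choice, so that it acts on indicator vectors of subsets of B as the text describes.

```python
from itertools import combinations

def cycle(n):
    """Constructed test graph: the cycle C_n on vertices 0 .. n-1."""
    return list(range(n)), {frozenset((i, (i + 1) % n)) for i in range(n)}

def neighbours(graph, v):
    _, edges = graph
    return {next(iter(e - {v})) for e in edges if v in e}

def odd(graph, D):
    """Odd(D): vertices with an odd number of neighbours in D."""
    vertices, _ = graph
    return {v for v in vertices if len(neighbours(graph, v) & set(D)) % 2 == 1}

def gf2_solve(A, b, ncols):
    """Solve A x = b over GF(2).  A: list of 0/1 rows of length ncols, b: 0/1 list.
    Returns (particular solution or None, basis of the kernel) as 0/1 lists."""
    # one int per row: bit j is column j, bit ncols is the right-hand side
    rows = [sum(A[i][j] << j for j in range(ncols)) | (b[i] << ncols) for i in range(len(A))]
    pivots = []                        # pivot column of row r, in order
    r = 0
    for col in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):     # clear the column everywhere else (RREF)
            if i != r and rows[i] >> col & 1:
                rows[i] ^= rows[r]
        pivots.append(col)
        r += 1
    if any(rows[i] >> ncols & 1 for i in range(r, len(rows))):
        particular = None              # a zero row with right-hand side 1: no solution
    else:
        particular = [0] * ncols
        for i, col in enumerate(pivots):
            particular[col] = rows[i] >> ncols & 1
    kernel = []
    for f in (c for c in range(ncols) if c not in pivots):
        vec = [0] * ncols              # one basis vector per free column
        vec[f] = 1
        for i, col in enumerate(pivots):
            vec[col] = rows[i] >> f & 1
        kernel.append(vec)
    return particular, kernel

def cut_matrix(graph, B):
    """Gamma_B as the map F2^B -> F2^(V minus B) sending 1_D to the indicator of Odd(D) outside B."""
    vertices, _ = graph
    inside, outside = sorted(B), sorted(set(vertices) - set(B))
    A = [[1 if w in neighbours(graph, d) else 0 for d in inside] for w in outside]
    return A, inside, outside

def witnesses(graph, B):
    """Return (D, C, dim Ker(Gamma_B)) for B, or None if B has no odd-size D with
    Odd(D) inside B or no C with every outside vertex in Odd(C)."""
    A, inside, outside = cut_matrix(graph, B)
    C_vec, kernel = gf2_solve(A, [1] * len(outside), len(inside))
    # parity is linear over GF(2), so the kernel contains an odd-size set
    # exactly when one of its basis vectors has odd weight
    D_vec = next((v for v in kernel if sum(v) % 2 == 1), None)
    if C_vec is None or D_vec is None:
        return None
    to_set = lambda vec: {d for d, bit in zip(inside, vec) if bit}
    D, C = to_set(D_vec), to_set(C_vec)
    assert odd(graph, D) <= set(B) and set(outside) <= odd(graph, C)
    return D, C, len(kernel)

if __name__ == "__main__":
    for B in ({0, 1, 2}, {0, 1, 3}, {0, 1}):
        print(sorted(B), "->", witnesses(cycle(5), B))
```

On C_5 with k = 3 the kernel has dimension 1 = 2k − n, matching the bound t ≥ 2k − n in the proof, and the witnesses found ({1} and {0, 2} for B = {0, 1, 2}) respect the size bound 2(n − k + 1)/3 = 2 of Lemma 4; the 2-set {0, 1} yields no odd kernel element and no solution for C, as expected below the threshold.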
Using this lemma and a counting argument we prove the following lower bound:

Theorem 6. There exists no graph G that has a ((k, n)) qQSS* protocol with k < n/2 + n/157.

Proof. We consider a graph G = (V, E) which realizes a ((k, n)) secret sharing protocol. Any set D ⊆ V with |D| = 1 mod 2 satisfies |D ∪ Odd(D)| ≥ n − k + 1, otherwise B = V \ (D ∪ Odd(D)), of size greater than k, would not be authorized. Consequently, given a set D with |D| = 1 mod 2, there exist at most $\binom{n-(n-k+1)}{k-(n-k+1)} = \binom{k-1}{2k-n-1}$ sets B of size k containing D ∪ Odd(D). Similarly, for any set C ⊆ V, |C ∪ (V \ Odd(C))| ≥ n − k + 1, otherwise B = Odd(C) \ C, of size greater than k, would not be authorized. Therefore, given a set C ⊆ V, the number of sets B of size k containing C and such that C ∪ (V \ Odd(C)) ⊆ B is at most $\binom{k-1}{2k-n-1}$. By Lemma 4, each set B ⊆ V of size k contains either a set D of odd size with D ∪ Odd(D) ⊆ B or a set C with C ∪ (V \ Odd(C)) ⊆ B, such that |D| ≤ (2/3)(n − k + 1) or |C| ≤ (2/3)(n − k + 1). Thus, by counting twice all the sets of cardinality at most (2/3)(n − k + 1), we can upper bound the number of possible cuts of size k:

$$\binom{n}{k} \le 2 \sum_{i=1}^{\frac{2}{3}(n-k+1)} \binom{n}{i} \binom{k-1}{2k-n-1}.$$

The previous inequality implies that k > n/2 + n/157 when n → ∞. □
The previous theorem directly implies that the protocols defined in [14] admit
no threshold k when the secret is encoded on all the qubits and the number of
players satisfies n > 79.
Corollary 4. For any graph G = (V, E) with |V | ≥ 79, (G, V ) is not a threshold
qQSS protocol.

Proof. By Gottesman's characterization [7], a qQSS protocol has a threshold ((k, 2k − 1)). Moreover, k ≥ n/2 + n/157 by the previous lower bound. Therefore k ≤ 159/4, so the number of players n = 2k − 1 < 79, which contradicts |V| ≥ 79. □

References

1. Blakley, G.R.: Safeguarding cryptographic keys. In: AFIPS Conference Proceedings, vol. 48, pp. 313–317 (1979)
2. Broadbent, A., Chouha, P.R., Tapp, A.: The GHZ state in secret sharing and entanglement simulation. arXiv:0810.0259 (2008)
3. Browne, D.E., Kashefi, E., Mhalla, M., Perdrix, S.: Generalized flow and determinism in measurement-based quantum computation. New Journal of Physics 9, 250 (2007)
4. Cleve, R., Gottesman, D., Lo, H.-K.: How to Share a Quantum Secret. Phys. Rev. Lett. 83, 648–651 (1999)
5. Ekert, A.: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 611 (1991)
6. Fortescue, B., Gour, G.: Reducing the quantum communication cost of quantum secret sharing. arXiv:1108.5541 (2011)
7. Gottesman, D.: On the Theory of Quantum Secret Sharing. Phys. Rev. A 61, 04231 (2000); also quant-ph/9910067
8. Greenberger, D.M., Horne, M.A., Zeilinger, A.: Going beyond Bell's theorem. In: Bell's Theorem, Quantum Theory, and Conceptions of the Universe, pp. 69–72 (1989)
9. Hein, M., Eisert, J., Briegel, H.J.: Multi-party entanglement in graph states. Physical Review A 69, 062311 (2004); quant-ph/0307130
10. Hillery, M., Buzek, V., Berthiaume, A.: Quantum Secret Sharing. Phys. Rev. A 59, 1829 (1999); arXiv:9806063
11. Javelle, J., Mhalla, M., Perdrix, S.: Classical versus Quantum Graph-based Secret Sharing. arXiv:1109.4731 (2011)
12. Kashefi, E., Markham, D., Mhalla, M., Perdrix, S.: Information Flow in Secret Sharing Protocols. In: DCM 2009: Elec. Proc. Theor. Comp. Sci., vol. 9, p. 87 (2009)
13. Keet, A., Fortescue, B., Markham, D., Sanders, B.C.: Quantum secret sharing with qudit graph states. Phys. Rev. A 82, 062315 (2010)
14. Markham, D., Sanders, B.C.: Graph states for quantum secret sharing. Physical Review A 78, 042309 (2008)
15. Markham, D., Sanders, B.C.: Erratum: Graph states for quantum secret sharing. Phys. Rev. A 78, 042309 (2008); Phys. Rev. A 83, 019901(E) (2011)
16. Nascimento, A., Mueller-Quade, J., Imai, H.: Improving quantum secret-sharing schemes. Phys. Rev. A 64, 042311 (2001)
17. Ogawa, T., Sasaki, A., Imamoto, M., Yamamoto, H.: Reducing the quantum communication cost of quantum secret sharing. Phys. Rev. A 72, 032318 (2005)
18. Sarvepalli, P.: Bounds on the information rate of quantum secret sharing. Phys. Rev. A 83, 042324 (2011)
19. Sarvepalli, P., Raussendorf, R.: Matroids and Quantum Secret Sharing Schemes. Phys. Rev. A 81, 052333 (2010)
20. Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612–613 (1979)
21. Raussendorf, R., Briegel, H.: A one-way quantum computer. Phys. Rev. Lett. 86, 5188 (2001)
22. Wootters, W.K., Zurek, W.H.: A Single Quantum Cannot be Cloned. Nature 299, 802–803 (1982)
A Quantum Protocol for Sampling Correlated Equilibria Unconditionally and without a Mediator

Iordanis Kerenidis¹ and Shengyu Zhang²

¹ Laboratoire d'Informatique Algorithmique: Fondements et Applications, Univ. Paris Diderot 7, and CNRS, Centre for Quantum Technologies, Singapore
jkeren@liafa.jussieu.fr
² Department of Computer Science and Engineering and The Institute of Theoretical Computer Science and Communications, The Chinese University of Hong Kong
syzhang@cse.cuhk.edu.hk

Abstract. A correlated equilibrium is a fundamental solution concept in game theory that enjoys many desirable mathematical and algorithmic properties: it can achieve fairer and higher payoffs than a Nash equilibrium and it can be efficiently computed for a vast class of games. However, it requires a trusted mediator to assist the players in sampling their moves, which is a major drawback in many practical applications.
A computational solution to this problem was proposed by Dodis, Halevi and Rabin [DHR00]. They extended the original game by adding a preamble stage, where the players communicate with each other and then they perform the original game. For this extended game, they show that the players can achieve payoffs at least as high as in any correlated equilibrium, provided that the players are computationally bounded and can communicate before the game.
The introduction of cryptography with computational security in game theory is of great interest both from a theoretical and, more importantly, from a practical point of view. However, the main game-theoretic question remained open: can we achieve any correlated equilibrium for 2-player games without a trusted mediator and also unconditionally?
In this paper, we provide a positive answer to this question. We show that if the players can communicate via a quantum channel before the game, then for 2-player games, payoffs at least as high as in any correlated equilibrium can be achieved, without a trusted mediator and unconditionally. This provides another example of a major advantage of


* Most of the work was done when the authors visited Centre of Quantum Technologies (CQT), Singapore in early January, 2011, under the support of CQT. I.K.'s research was also supported by French projects ANR-09-JCJC-0067-01, ANR-08-EMER-012 and the project QCS (grant 255961) of the E.U. S.Z.'s research was supported by China Basic Research Grant 2011CBA00300 (sub-project 2011CBA00301), Research Grants Council of Hong Kong (Project no. CUHK418710, CUHK419011), and benefited from research trips under the support of China Basic Research Grant 2007CB807900 (sub-project 2007CB807901).

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 13–28, 2013.

© Springer-Verlag Berlin Heidelberg 2013
14 I. Kerenidis and S. Zhang

quantum information processing: quantum communication enables players to achieve a real correlated equilibrium unconditionally, a task which is impossible in the classical world.
More precisely, we prove that for any correlated equilibrium p of a strategic game G, there exists an extended game (with a quantum communication initial stage) Q with an efficiently computable approximate Nash equilibrium σ, such that the expected payoff for both players in σ is at least as high as in p.
The main cryptographic tool used in the construction is the quantum weak coin flipping protocol of Mochon [Moc07].

1 Introduction

Game theory is a research area of great importance that studies the behavior of two or more players interacting with each other in order to achieve individual goals. It has found far-reaching applications in the fields of economics, biology, computer science, sociology, political sciences, the study of the Internet and stock markets, among others.
Most games fall into two broad categories: 1) Strategic games, where all play-
ers choose their strategies simultaneously or without knowing the other players’
moves. The payoffs depend on the joint strategy that is performed by all play-
ers, and the game is usually described in a matrix form when there are only
two players. 2) The extensive games, where the players take turns in making
moves. Examples of strategic games include the Battle of the Sexes, Prisoner’s
Dilemma, Vickrey auction, etc. Examples of extensive games include chess, the
eBay auction system, etc.
In order to study stable behaviors in games, the concept of an equilibrium has
been put forward [vNM44]. A Nash equilibrium, the most fundamental notion
of an equilibrium, is a joint strategy of all players, such that no player has any
incentive to change her own strategy given that all other players retain theirs.
One of the seminal results in this area is that every game with finitely many players and finitely many strategies has a mixed Nash equilibrium [vNM44, Nas51], i.e. one where
the strategy of each player is a distribution over deterministic strategies. Note
that these distributions are uncorrelated across different players and hence, each
player can sample independently her strategy.
Even though the importance of Nash equilibria is undisputed, there are some
drawbacks. First, the recent breakthrough results by [DGP09, CDT09] have
shown that finding a Nash equilibrium is a computationally hard problem. To
make matters worse, in many games there is more than one Nash equilibrium, and it is unclear whether the players will end up in one of them, and if
yes, which one and how. Note that in many cases these equilibria are not fair,
and thus different players have a preference for a different equilibrium.
Let us see a simple example, the Battle of the Sexes. A couple needs to decide where to go for holidays. Partner A prefers Amsterdam to Barcelona, and Partner B prefers Barcelona to Amsterdam. But both players prefer going to the same place rather than ending up in different places; see the following payoff table, where
A Quantum Protocol for Sampling Correlated Equilibria 15

the pair of numbers in each entry represents the payoffs of the two partners in order.

              Amsterdam   Barcelona
  Amsterdam   (4,2)       (0,0)
  Barcelona   (0,0)       (2,4)

So where should they go? There are two pure Nash equilibria in the above game.
They both go to Amsterdam, and hence have payoffs 4 and 2 respectively, or
both go to Barcelona and have payoffs 2 and 4 respectively. Even though these
are Nash equilibria, none of them is fair, causing the battle of the sexes. There is
actually a third Nash equilibrium, a mixed one, where each player independently
flips a coin and decides to go to their preferred place with probability 2/3 and
to the preferred place of the other player with probability 1/3. In this case, the
expected payoff is the same for both players and equal to 4/3. Even though this
is a fair equilibrium, it is pretty inefficient, since now both players have payoff
even less than in the case of the unfair pure equilibrium. Moreover, there is a
5/9 chance that the couple goes to different places, which they really do not want.
One simple way to rectify all of these problems is the introduction of the
notion of a correlated (Nash) equilibrium [Aum74]. In such an equilibrium, we
allow the strategies of the players to be drawn from a correlated distribution p,
and, as for a Nash equilibrium, we require that each player has no incentive
to deviate given the current sample of his strategy and the information of the
distribution p (but not the sampled strategies of the other players). There are
many nice properties of these equilibria. First, they form a superset of Nash
equilibria and hence they always exist. Moreover, it is not hard to exhibit games
with a correlated equilibrium which enjoys fairness and whose social welfare (i.e.
the total payoff of the players) is arbitrarily better than that of any Nash equi-
librium. Second, unlike Nash equilibria, it is computationally easy to compute
an optimal correlated equilibrium by solving an LP, for many types of games,
including constant-player, polymatrix, graphical, hypergraphical, congestion, lo-
cal effect, scheduling, facility location, network design and symmetric games
[PR08, VNRT07]. In our previous example, a correlated equilibrium is the joint strategy where the couple goes to Amsterdam with probability 1/2 and to Barcelona with probability 1/2. The expected payoff for each player is then 3 and the couple is equally happy.
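The three distributions discussed for this game can be checked mechanically against Aumann's definition. The following Python is an added example (mine, not the paper's): it encodes the Battle of the Sexes payoff table above and tests a joint distribution for the correlated-equilibrium property, namely that a player told to play a cannot gain by switching to b when she knows only her own recommendation and the distribution p. It reproduces the numbers in the text: the mixed Nash equilibrium (each partner picks the preferred place with probability 2/3) pays 4/3 to each and misses coordination with probability 5/9, while the fair coin over the two pure equilibria pays 3 to each. The function names are my own.

```python
from fractions import Fraction as F
from itertools import product

# Constructed from the payoff table in the text: keys are (choice of A, choice of B),
# values are (payoff of A, payoff of B).
STRATS = ("Amsterdam", "Barcelona")
PAYOFF = {
    ("Amsterdam", "Amsterdam"): (4, 2), ("Amsterdam", "Barcelona"): (0, 0),
    ("Barcelona", "Amsterdam"): (0, 0), ("Barcelona", "Barcelona"): (2, 4),
}

def expected_payoffs(dist):
    """Expected payoff of (A, B) when the joint strategy is drawn from dist."""
    pa = sum(p * PAYOFF[s][0] for s, p in dist.items())
    pb = sum(p * PAYOFF[s][1] for s, p in dist.items())
    return pa, pb

def mismatch_probability(dist):
    """Probability that the couple ends up in different places."""
    return sum(p for s, p in dist.items() if s[0] != s[1])

def product_distribution(pa, pb):
    """Uncorrelated mixing: A picks Amsterdam with probability pa, B with probability pb."""
    qa = {"Amsterdam": pa, "Barcelona": 1 - pa}
    qb = {"Amsterdam": pb, "Barcelona": 1 - pb}
    return {(x, y): qa[x] * qb[y] for x, y in product(STRATS, STRATS)}

def is_correlated_equilibrium(dist):
    """Aumann's condition: for every player and every recommendation a that occurs with
    positive probability, obeying a is at least as good, in expectation conditioned only
    on 'a was recommended', as playing any other move b instead."""
    for player in (0, 1):
        for a in STRATS:
            told_a = {s: p for s, p in dist.items() if s[player] == a}
            if not told_a:
                continue
            obey = sum(p * PAYOFF[s][player] for s, p in told_a.items())
            for b in STRATS:
                deviate = 0
                for s, p in told_a.items():
                    t = list(s)
                    t[player] = b          # same recommendation to the other player, b played instead
                    deviate += p * PAYOFF[tuple(t)][player]
                if deviate > obey:          # a profitable unilateral deviation exists
                    return False
    return True

if __name__ == "__main__":
    mixed = product_distribution(F(2, 3), F(1, 3))
    fair = {("Amsterdam", "Amsterdam"): F(1, 2), ("Barcelona", "Barcelona"): F(1, 2)}
    print("mixed NE:", expected_payoffs(mixed), "mismatch", mismatch_probability(mixed),
          "CE?", is_correlated_equilibrium(mixed))
    print("fair coin:", expected_payoffs(fair), "CE?", is_correlated_equilibrium(fair))
```

Every product distribution that is a Nash equilibrium passes the check, which is the "superset of Nash equilibria" remark made above; a distribution such as "always (Amsterdam, Barcelona)" fails it, because the partner told Amsterdam would rather switch.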
However, in general it is hard to sample from a correlated distribution. In
fact, even for the case of two players and the distribution of the correlated equi-
librium being just one fair coin, it is well known that without any computational
assumptions, it is impossible to achieve just that; actually in any classical pro-
tocol one player has a strategy to get his/her desired outcome with probability
1. A canonical solution to this problem is to introduce a trusted mediator, who
in this case flips the fair coin. However, for many real life scenarios, trusted
mediators are simply not available.
A computational solution to this problem was proposed by Dodis, Halevi and
Rabin [DHR00], who showed that classical cryptographic protocols can provide
an elegant way to achieve a correlated equilibrium under standard computational

hardness assumptions. Both in their paper and in ours, by achieving a correlated


equilibrium, we mean that the players achieve payoffs which are at least as high
as the ones in the correlated equilibrium, but not that they necessarily sample
the joint strategies with the distribution according to the correlated equilibrium.
It is an open question if this stronger property is achievable.
More specifically, for any strategic game where the correlated equilibrium can
be efficiently computed, Dodis et al. do the following: Before playing the game,
the players communicate in order to sample a joint strategy from the equilibrium
distribution, in such a way that each player at the end of the protocol only knows
her strategy and has no information about the other players’ moves apart from
the fact that they come from the equilibrium distribution. The privacy and
correctness of this procedure are guaranteed by the fact that the players are
computationally bounded and the assumption that a primitive, equivalent to
Oblivious Transfer, exists. Then, the players play the original game. Since they
have no information about the other players’ strategies and the joint strategy
is sampled from a correlated equilibrium of the original game, they have no
incentive to deviate. In other words, being honest during the communication
phase and playing the move that resulted from the communication phase is a
Nash equilibrium of the new extended game that achieves payoff equal to the
correlated equilibrium of the original game. The introduction of cryptography
in game theory is a very promising idea that nevertheless needs to be used with
caution due to the many nuances in the two models. Note, last, that the use
of cryptography by Dodis et al. provides a solution only when one is willing to
accept the notion of computational equilibria, which are very different from the
equilibria used by game theorists. Since then, a series of works have studied
the relation between cryptography and game theory [FS02, LMPS04, IML05,
ADGH06].
In our paper we show that, in fact, one need not resort to computational equi-
libria, if we allow the players to communicate via a quantum channel instead of
a classical one. This provides another example of a major advantage of quantum
information processing: quantum communication enables players to achieve a
real correlated equilibrium. Note that we only make the communication before
the game quantum but the game itself remains a classical one.
A priori, it is not clear that quantum communication can provide any sig-
nificant advantage, since we know that Oblivious Transfer, the primitive that
Dodis, Halevi and Rabin need for their construction, is impossible even in the
quantum world [Lo97]. We overcome this problem by providing a new way to
extend any game with an efficient correlated equilibrium into a new game that
has an efficient Nash equilibrium achieving equal or even better payoffs (up to
an arbitrarily small ε). The construction is based on the existence of a weaker
primitive, called Weak Coin Flipping. This primitive is impossible classically
without any computational assumptions. In the quantum world, however, Mochon [Moc07] has shown in a powerful result that there exists a quantum coin
flipping protocol, where player A prefers Head and player B prefers Tail (which
is exactly the case in the Battle of the Sexes), such that if one player plays the

honest strategy, then no matter how the other player plays, the bias of the coin
cannot exceed an arbitrarily small ε.
Let us first focus on a subset of all correlated equilibria, that we call Nash-
support correlated equilibria, where the distribution is over joint strategies that
are pure Nash equilibria. Such correlated equilibria exist whenever the game has
pure Nash equilibria and in many cases are optimal. For example, in the Battle of
the Sexes, and more generally in all coordination games, the optimal correlated
equilibrium is a uniform distribution over the two pure Nash equilibria.
As in Dodis et al., we construct an extended game, in which the players first
exchange messages, then play the original game by choosing strategies. A Nash
equilibrium in the extended game is a sequence of moves of all players such that
no unilateral deviation by one player can increase her payoff. At a high level,
the new game we construct has the following stages: 1) Communication stage:
the players use as a subroutine the quantum weak coin flipping protocol in order
to sample a joint strategy from the distribution of the original Nash-support
correlated equilibrium. 2) Game stage: the players play the original game and
their payoff is the same as in the original game.
It is not hard to see that being honest during the communication stage and
playing the strategy that corresponds to the sampled Nash equilibrium is an
approximate Nash equilibrium and it achieves payoff (almost) equal to the cor-
related equilibrium of the original game. Let us assume that one of the players
is dishonest while the other is playing the honest strategy. The cheating player
can deviate during the coin flipping process but this only increases his payoff by
at most ε by the security of the coin flipping protocol. Then, he can deviate by
not playing the suggested strategy, but since the suggested strategy is a Nash
equilibrium, he cannot increase his payoff.
Theorem 1. For any Nash-support correlated equilibrium p of a game G with at most n strategies for each player, there exists an extended game Q with an ε-Nash equilibrium σ computable in time poly(n, 1/δ, 1/ε), such that the expected payoffs for both players in σ are at least as high as in p minus δ.
For general correlated equilibria, we further extend our game as follows. Since
we do not preserve privacy of the moves, it may be to someone’s advantage
to change their strategy instead of following the suggestion. We remedy this
situation by adding a final stage to the game and by using the usual “Punishment
for Deviation” method. Therefore, in 3) Checking stage: the players submit an
Accept/Reject move, where a player plays Reject if the strategy of the other
player during the second stage is not equal to the suggested one. The payoff of
the players is equal to the one in the original game if they both play Accept in
the last phase, and 0 otherwise. Note that we do not need the Accept/Reject
moves to be simultaneous and that without loss of generality we assume that all
payoffs are in [0, 1].
Again, it is not hard to see that being honest during the communication stage
and playing the suggested move is an approximate Nash equilibrium for this
game and it achieves payoff equal to the correlated equilibrium of the original
game. Let us assume that one of the players is dishonest while the other is

playing the honest strategy. The cheating player can deviate during the coin
flipping process but this will only increase his payoff by at most an ε fraction
by the security of the coin flipping protocol. Then, in the second stage, he can
deviate by not playing the suggested strategy, but then his payoff will be 0 since
the honest player will play Reject in the Checking stage. Hence, there is no
significant advantage for any player to deviate from the honest strategy.
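The deviation arguments for the two-stage game and for the three-stage game with the checking stage can be replayed on small games. The following Python is an added example of mine and not the paper's protocol: the weak-coin-flipping stage is abstracted as a suggested joint strategy drawn from the target distribution, and a dishonest player's influence on the coins is modelled as moving at most ε of probability mass from his worst supported outcome to his best one (my simplification of the "bias at most ε" guarantee). Since both players learn the whole suggested pair, the cheater's response may be any function from that pair to his own move. The Battle of the Sexes (a Nash-support correlated equilibrium) and a constructed Chicken game whose correlated equilibrium puts weight on the non-Nash pair (Chicken, Chicken) show the two regimes: the first needs no checking stage, the second does. Payoffs are scaled into [0, 1] as the text assumes; all names are my own.

```python
from fractions import Fraction as F
from itertools import product

# Constructed games, payoffs scaled into [0, 1]; keys are (move of player 0, move of player 1).
BATTLE = {("Am", "Am"): (F(1), F(1, 2)), ("Am", "Ba"): (F(0), F(0)),
          ("Ba", "Am"): (F(0), F(0)), ("Ba", "Ba"): (F(1, 2), F(1))}
NASH_SUPPORT_CE = {("Am", "Am"): F(1, 2), ("Ba", "Ba"): F(1, 2)}   # fair coin over the pure equilibria

CHICKEN = {("D", "D"): (F(0), F(0)), ("D", "C"): (F(1), F(2, 7)),
           ("C", "D"): (F(2, 7), F(1)), ("C", "C"): (F(6, 7), F(6, 7))}
CHICKEN_CE = {("D", "C"): F(1, 3), ("C", "D"): F(1, 3), ("C", "C"): F(1, 3)}   # (C, C) is not a Nash equilibrium

def honest_payoff(game, dist, player):
    return sum(p * game[s][player] for s, p in dist.items())

def biased_suggestions(game, dist, cheater, eps):
    """Modelling assumption for the coin-flipping stage: a cheater can shift at most eps
    of probability mass, here from his worst supported outcome to his best one."""
    dist = dict(dist)
    best = max(dist, key=lambda s: game[s][cheater])
    worst = min(dist, key=lambda s: game[s][cheater])
    if best != worst:
        delta = min(eps, dist[worst])
        dist[worst] -= delta
        dist[best] += delta
    return dist

def cheater_payoff(game, dist, cheater, response, checking):
    """Both players see the suggested pair s; the honest player plays s[honest], the
    cheater plays response[s]; with the checking stage the honest player Rejects
    (payoff 0 for both) whenever the cheater's move differs from the suggestion."""
    honest = 1 - cheater
    total = F(0)
    for s, p in dist.items():
        m = response[s]
        if checking and m != s[cheater]:
            continue                       # rejected in the checking stage: payoff 0
        played = (m, s[honest]) if cheater == 0 else (s[honest], m)
        total += p * game[played][cheater]
    return total

def best_deviation(game, dist, cheater, eps, checking):
    """Best expected payoff the cheater reaches by biasing the coins by eps and then
    choosing any deterministic response to the suggested joint strategy."""
    biased = biased_suggestions(game, dist, cheater, eps)
    support = sorted(biased)
    moves = sorted({s[cheater] for s in game})
    return max(cheater_payoff(game, biased, cheater, dict(zip(support, choice)), checking)
               for choice in product(moves, repeat=len(support)))

if __name__ == "__main__":
    for name, game, ce in (("Battle", BATTLE, NASH_SUPPORT_CE), ("Chicken", CHICKEN, CHICKEN_CE)):
        h = honest_payoff(game, ce, 0)
        for checking in (False, True):
            d = best_deviation(game, ce, 0, F(1, 10), checking)
            print(f"{name}: honest {h}, best deviation {d} (checking={checking}), gain {d - h}")
```

In the Battle of the Sexes the best a cheater can do is to keep obeying the (slightly biased) suggestion, so his gain is bounded by ε with or without checking. In the Chicken example, without the checking stage he profits by playing Dare whenever (Chicken, Chicken) is suggested, because he sees the other player's move; once deviations cost him the whole payoff, obeying is again optimal and the remaining gain comes only from the coin bias.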
Theorem 2. For any correlated equilibrium p of a game G with at most n strategies for each player, there exists an extended game Q with an ε-Nash equilibrium σ computable in time poly(n, 1/δ, 1/ε), such that the expected payoffs for both players in σ are at least as high as in p minus δ.
Let us make a more detailed comparison with the results of Dodis, Halevi and
Rabin [DHR00]. They describe an extended game, first introduced by Barany
[Bár92], that involves a communication stage and then the game stage. In the
communication stage, they securely compute a functionality that they call Cor-
related Element Selection. This consists of two players sampling a joint strategy
from a correlated distribution, with the extra privacy property that at the end
each player knows only his/her own move. Then, in the second stage, the players
play the original game. If a player catches the other one cheating during the
communication stage, then he plays his minmax move in the second stage, i.e.
the move that minimizes the other player's payoff.
On one hand, in our protocol, the communication stage achieves something
weaker. We sample from the correlated distribution in a way that at the end,
both players know the joint strategy. By removing the privacy constraint we are
able to achieve the sampling using the weaker primitive of Weak Coin Flipping.
A nice property of our procedure is that the honest player is guaranteed to
have an output, regardless of the dishonest player’s strategy. For the case of
the Nash-support correlated equilibria, we do not have to resort to the minmax
punishment, since even if the honest player catches the other player cheating, he
can still play the suggested move. In the case of general correlated equilibria, we
need to be more explicit in our punishment by adding the Accept/Reject stage,
in order to dissuade the players from deviating from the suggested move.
On the other hand, we achieve something much stronger than before, which
is that we do not make any assumptions about the computational power of
the players. Hence we are able to use quantum communication to achieve a
real correlated equilibrium for a large array of different types of games with
unconditionally powerful players and without a trusted mediator.
A few remarks are in order for this extra checking stage that we add in the
case where the correlated equilibrium has support on joint strategies that are
not Nash equilibria. First, note that all the equilibria remain unchanged, since
we specified the payoffs of any joint strategy with a Reject move as 0. Hence,
sampling a correlated equilibrium in the new game is equivalent to sampling
a correlated equilibrium in the original game. This means that the quantum
advantage comes from the sampling part and not due to the checking part.
For a fair comparison, we can also augment the classical game with the choice

of Accept/Reject. It is not hard to see that the players still cannot sample a
correlated equilibrium in this new game; otherwise they would have been able
to do a strong coin flipping which is impossible.
Second, in many practical situations, breaking pre-agreed rules automatically counts as losing (and is thus given the least payoff). Many games in sports are of this nature. For example, when the referee tosses a coin to decide the side of the court for each team, both teams know the outcome of this random process and are not allowed to disagree no matter the outcome; otherwise the referee immediately declares that team the loser. Moreover, in extensive
games, the checking phase is already implicitly present. In the middle of a chess
game, only a subset of moves is compatible with the stage of the game and hence
if a player decides to play some other move, then the other player will Reject
either immediately or at the end of the game. Hence, adding an Accept/Reject
stage only makes explicit what is implicitly present in any game, that if a player
breaks the rules then the other one rejects the outcome of the game.
Third, our Accept/Reject stage is not simultaneous. One has to be very careful
with adding simultaneous moves to a game, since two players can flip a fair coin
with a simultaneous move where each plays one of two possible moves at random.
If the two moves are the same then the coin is Head and if different the coin is
Tail. Here, we do not add the ability to play simultaneously.
Fourth, one may wonder why the honest player would prefer to reject and
receive 0 payoff — she could instead choose to accept even though the other
player cheated and receive a possibly positive payoff. Note that this is not a defect
of our protocol, rather, it is an inherent property of Nash equilibria in extensive
games. As explained in Dodis et al. where there was again a punishment step,
the Nash equilibrium property requires merely local optimality by considering
the scenario where at most one player deviates from the protocol; nothing is
guaranteed if both players cheat. Moreover, the insistence of the honest player
to punish the cheater forces the other player not to cheat in the first place (or to
stop cheating if the game is repeated). One possible way to remedy the situation
would be to consider subgame perfect equilibria, however neither our protocol
nor the one in Dodis et al. has this property.
Note that our protocol does not provide a quantum algorithm to compute a
Nash equilibrium. However, it almost renders this question moot. Instead of a
quantum algorithm to compute a Nash equilibrium, there is a quantum protocol
where the players can generate a correlated equilibrium, which enjoys desirable
properties such as fairness and higher payoff.
Since our protocol uses quantum channels, one may wonder whether the power
of two-way quantum communication enables us to achieve any quantum equilib-
rium with payoff higher than any classical correlated equilibrium. This is actually
not possible: Any quantum protocol eventually generates a joint strategy s ac-
cording to some correlated distribution p. If the players’ behaviors in the protocol
form a Nash equilibrium, then the resulting distribution p is a quantum corre-
lated equilibrium of the quantized game, because otherwise the players would
like to change their behaviors in the last step. By an observation in [Zha12], p
is also a (classical) correlated equilibrium of the original (classical) game, which
the present paper already gives a way to generate.

2 Preliminaries
Game Theory. In a classical strategic game with n players, labeled by {1, 2, . . . , n},
each player i has a set Si of strategies. We use s = (s1 , . . . , sn ) to denote the
joint strategy selected by the players and S = S1 × . . . × Sn to denote the set
of all possible joint strategies. Each player i has a utility function ui : S → R,
specifying the payoff or utility ui (s) to player i on the joint strategy s. For
simplicity of notation, we use subscript −i to denote the set [n] − {i}, so s−i is
(s1 , . . . , si−1 , si+1 , . . . , sn ), and similarly for S−i , p−i , etc.
In a classical extensive game with perfect information, the players take moves
in turns and all players know the entire history of all players’ moves. An extensive
game can be transformed into strategic form by tabulating all deterministic
strategies of the players, which usually results in an exponential increase in size.
A game is [0, 1]-normalized if all utility functions are in [0, 1]. Any game can
be scaled to a normalized one. For a fair comparison, we assume that all games
in this paper are normalized.
A Nash equilibrium is a fundamental solution concept in game theory. Roughly,
it says that in a joint strategy, no player can gain more by changing her strategy,
provided that all other players keep their current strategies unchanged.
Definition 1. A pure Nash equilibrium is a joint strategy s = (s1 , . . . , sn ) ∈ S
satisfying

$$u_i(s_i, s_{-i}) \;\ge\; u_i(s_i', s_{-i}), \qquad \forall i \in [n],\ \forall s_i' \in S_i.$$

Pure Nash equilibria can be generalized by allowing each player to independently
select her strategy according to some distribution, leading to the following
concept of mixed Nash equilibrium.
Definition 2. A (mixed) Nash equilibrium (NE) is a product probability
distribution p = p1 × . . . × pn , where each pi is a probability distribution over Si ,
satisfying

$$\sum_{s_{-i}} p_{-i}(s_{-i})\, u_i(s_i, s_{-i}) \;\ge\; \sum_{s_{-i}} p_{-i}(s_{-i})\, u_i(s_i', s_{-i}), \qquad \forall i \in [n],\ \forall s_i, s_i' \in S_i \text{ with } p_i(s_i) > 0.$$

Definition 3. A correlated equilibrium (CE) is a probability distribution p over
S satisfying

$$\sum_{s_{-i}} p(s_i, s_{-i})\, u_i(s_i, s_{-i}) \;\ge\; \sum_{s_{-i}} p(s_i, s_{-i})\, u_i(s_i', s_{-i}), \qquad \forall i \in [n],\ \forall s_i, s_i' \in S_i.$$

If the correlated equilibrium is a distribution over pure Nash equilibria, then we
call it a Nash-support correlated equilibrium.
We will also need an approximate version of equilibrium, which basically says
that no Player i can gain much by changing the suggested strategy si . Depending
on whether we require the limit of the gain for each possible si in the support
of p or on average of p, one can define worst-case and average-case approximate
equilibrium. It turns out that the average-case one, as defined below, has many
nice properties, such as being the limit of a natural dynamics of minimum regrets
([VNRT07], Chapter 4) and hence it is the one we will use.
Definition 4. An ε-correlated equilibrium is a probability distribution p over S
satisfying

$$\mathbb{E}_{s \leftarrow p}\big[u_i(s_i'(s_i), s_{-i})\big] \;\le\; \mathbb{E}_{s \leftarrow p}\big[u_i(s_i, s_{-i})\big] + \varepsilon,$$

for any i and any function s'i : Si → Si . An ε-correlated equilibrium p is an
ε-Nash equilibrium if it is a product distribution p = p1 × · · · × pn .
We can also define equilibria for extensive games by defining the corresponding
equilibria on their strategic form.
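As an added worked example (this is not code from the paper), the definitions above are checked on a constructed game: the game of Chicken, [0, 1]-normalized by dividing the usual payoffs 0, 7, 2 and 6 by 7. The correlated equilibrium CE below (1/3 each on (D,C), (C,D) and (C,C)) and the symmetric mixed Nash equilibrium are constructed for the example as well. Definition 3 is checked as a zero-regret condition over fixed swaps s_i → t_i, Definition 4 by enumerating every deviation function f : S_i → S_i, and the Nash-support property of the CE by testing Definition 1 on each element of its support; the CE places weight on (C,C), which is not a pure Nash equilibrium, so it is exactly the kind of CE for which the Checking stage of the extended game is needed.

```python
from fractions import Fraction as F
from itertools import product

# Constructed example game: Chicken, [0,1]-normalized by dividing the usual
# payoffs (0, 7, 2, 6) by 7.  Each player's strategies are "D" (dare) and "C".
STRATEGIES = {1: ("D", "C"), 2: ("D", "C")}
PAYOFF = {  # joint strategy (s1, s2) -> (u1, u2)
    ("D", "D"): (F(0), F(0)),
    ("D", "C"): (F(1), F(2, 7)),
    ("C", "D"): (F(2, 7), F(1)),
    ("C", "C"): (F(6, 7), F(6, 7)),
}
PLAYERS = (1, 2)
JOINT = list(product(STRATEGIES[1], STRATEGIES[2]))   # the set S

def u(i, s):
    """Utility u_i(s) of player i on the joint strategy s."""
    return PAYOFF[s][i - 1]

def replace(s, i, ti):
    """The joint strategy (t_i, s_{-i}): s with player i's component swapped."""
    t = list(s)
    t[i - 1] = ti
    return tuple(t)

def expected_payoffs(p):
    """(E_p[u_1], E_p[u_2]) for a distribution p over S (missing keys = 0)."""
    return tuple(sum(p.get(s, F(0)) * u(i, s) for s in JOINT) for i in PLAYERS)

def is_pure_nash(s):
    """Definition 1: no player gains by a unilateral deviation from s."""
    return all(u(i, s) >= u(i, replace(s, i, ti))
               for i in PLAYERS for ti in STRATEGIES[i])

def ce_regret(p):
    """Largest gain any player i obtains by swapping a recommended s_i for a
    fixed t_i, weighted by p(s_i, s_{-i}).  Definition 3 holds iff this is 0
    (the swap t_i = s_i always contributes 0, so the value is never negative)."""
    worst = F(0)
    for i in PLAYERS:
        for si in STRATEGIES[i]:
            for ti in STRATEGIES[i]:
                gain = sum(p.get(s, F(0)) * (u(i, replace(s, i, ti)) - u(i, s))
                           for s in JOINT if s[i - 1] == si)
                worst = max(worst, gain)
    return worst

def is_eps_ce(p, eps):
    """Definition 4: for every player i and every deviation function
    f: S_i -> S_i, E_p[u_i(f(s_i), s_{-i})] <= E_p[u_i(s)] + eps."""
    for i in PLAYERS:
        base = sum(p.get(s, F(0)) * u(i, s) for s in JOINT)
        for image in product(STRATEGIES[i], repeat=len(STRATEGIES[i])):
            f = dict(zip(STRATEGIES[i], image))      # one function S_i -> S_i
            deviated = sum(p.get(s, F(0)) * u(i, replace(s, i, f[s[i - 1]]))
                           for s in JOINT)
            if deviated > base + eps:
                return False
    return True

def is_nash_support(p):
    """True iff every joint strategy in the support of p is a pure Nash
    equilibrium (the case where the extended game needs no Checking stage)."""
    return all(is_pure_nash(s) for s, pr in p.items() if pr > 0)

def product_dist(p1, p2):
    """Mixed profile p = p1 x p2 written as a distribution over S (Definition 2)."""
    return {(a, b): p1[a] * p2[b] for a in p1 for b in p2}

# Constructed correlated equilibrium: 1/3 each on (D,C), (C,D) and (C,C).
CE = {("D", "C"): F(1, 3), ("C", "D"): F(1, 3), ("C", "C"): F(1, 3)}
# The symmetric mixed Nash equilibrium of Chicken: dare with probability 1/3.
MIXED_NE = product_dist({"D": F(1, 3), "C": F(2, 3)}, {"D": F(1, 3), "C": F(2, 3)})

if __name__ == "__main__":
    for name, p in (("CE", CE), ("mixed NE", MIXED_NE)):
        print(name, "regret =", ce_regret(p), "payoffs =", expected_payoffs(p),
              "Nash-support =", is_nash_support(p))
```

Exact rational arithmetic is used so the equilibrium conditions are decided without floating-point tolerances; the CE yields an expected payoff of 5/7 to each player against 2/3 for the mixed Nash equilibrium, which is the "higher payoff" advantage of correlated equilibria the paper refers to.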

Cryptography. We provide the formal definition of a weak coin flipping protocol.

Definition 5. A weak coin flipping protocol between Alice and Bob is a protocol
where Alice and Bob interact and at the end, Alice outputs a value cA ∈ {0, 1}
and Bob outputs a value cB ∈ {0, 1}. If cA = cB , we say that the protocol outputs
c = cA . If cA ≠ cB then the protocol outputs c = ⊥.
An (a, ε)-weak coin flipping protocol (WCF(a, ε)) has the following properties:
– If c = a, we say that Alice wins. If c = 1 − a, we say that Bob wins.
– If Alice and Bob are honest then Pr[Alice wins] = Pr[Bob wins] = 1/2.
– If Alice cheats and Bob is honest then PA∗ = Pr[Alice wins] ≤ 1/2 + ε.
– If Bob cheats and Alice is honest then PB∗ = Pr[Bob wins] ≤ 1/2 + ε.
PA∗ and PB∗ are the cheating probabilities of Alice and Bob. The cheating prob-
ability of the protocol is defined as max{PA∗ , PB∗ }.
Note that in the definition the players do not abort, since a player that wants
to abort can always declare victory rather than aborting without reducing the
security of the protocol.
We will use the following result by Mochon.
Proposition 1. [Moc07] For every ε > 0 and a ∈ {0, 1}, there exists a quantum
WCF(a, ε) protocol P.
Moreover, the protocol uses a number of qubits and rounds which is polynomial
in 1/ε. Note that this is a weaker definition than the usual coin flip, since here, we assign
a winning value for each player. Even though each player cannot bias the coin
towards this winning value, he or she can bias the coin towards the losing value
with probability 1. Weak coin flipping is possible using quantum communication,
though for strong coin flipping the optimal cheating probability for any
protocol is 1/√2 [Kit03, CK09].
In the following section we will use weak coin flipping as a subroutine for
the following cryptographic primitive, that enables two players to jointly sample
from a correlated distribution, in a way that no dishonest player can force a
distribution which is far from the honest one.
Definition 6. A Correlated Strategy Sampling protocol between two players P1
and P2 is an interactive protocol where the players receive as input a game G with
an efficiently computable correlated equilibrium¹ p and at the end, P1 outputs a
joint strategy s = (s1 , s2 ) ∈ S1 × S2 and P2 outputs a joint strategy s' = (s'1 , s'2 ) ∈
S1 × S2 . If s = s', we say the protocol outputs s = (s1 , s2 ). If s ≠ s' then we say
the protocol outputs ⊥.
An (ε, δ)-Correlated Strategy Sampling procedure satisfies the following
properties:
1. If both players follow the honest strategy, then they both output the same
joint strategy s = (s1 , s2 ), where s ← ph for some distribution ph , s.t. for both i ∈ {1, 2},

$$\mathbb{E}_{s \leftarrow p_h}[u_i(s)] \;\ge\; \mathbb{E}_{s \leftarrow p}[u_i(s)] - \delta.$$

2. If Player 1 is dishonest and Player 2 is honest (similarly for the other case),
then Player 2 outputs a joint strategy s distributed according to some q, s.t.

$$\mathbb{E}_{s \leftarrow q}[u_2(s)] \;\ge\; \mathbb{E}_{s \leftarrow p_h}[u_2(s)] - \varepsilon, \qquad \mathbb{E}_{s \leftarrow q}[u_1(s)] \;\le\; \mathbb{E}_{s \leftarrow p_h}[u_1(s)] + \varepsilon.$$

Note again, that similar to the case of the weak coin flip, the players do not
abort, since a player that wants to abort can always choose the joint strategy
that is best for him rather than aborting without reducing the security of the
protocol.

3 The Extended Game


For simplicity, we consider a two-player strategic game G with at most n strate-
gies for each player, but our results easily extend to more players. We describe
how to derive an extended game Q from any such G.
Similar to the DHR extended game, we assume that the players can communi-
cate with each other before they start playing the game, but now via a quantum
channel. In this preamble stage they perform a quantum protocol that we call
Correlated Strategy Sampling.
In the following section we show how to implement this procedure unconditionally,
using a Weak Coin Flipping subroutine with bias ε' = O(ε/ log n).
Then, we extend the original game G to a 2-stage game, where the first stage
is identical to the game G and for the second stage, which we call the Checking
stage, the available moves for each player are Accept or Reject. We define the
payoff for any joint strategy where some player outputs Reject in the second
stage to be 0.
¹ A correlated equilibrium p is efficiently computable if there is a Turing machine that,
on an input game, outputs p in time polynomial in the input size.
Extended Game Q

1. Communication Stage: The two players perform the Correlated Strategy
Sampling procedure for the game G and correlated equilibrium p.
2. Game Stage: The two players play the original game G.
3. Checking Stage: The two players each play a move from the set {A, R}.

We can now restate and prove our main theorem.

Theorem 2. For any correlated equilibrium p of the game G with at most n
strategies for each player, and for any ε, δ > 0, there exists an extended game Q
with an ε-Nash equilibrium σ that can be computed in time poly(n, 1/δ, 1/ε) and
such that the expected payoff for both players in σ is at least as high as the one
in p minus δ.

Proof. We describe Player 1's strategy in the ε-Nash equilibrium σ as follows
(Player 2's strategy is symmetric): In the Communication Stage, Player 1 is
honest and obtains an output s = (s1 , s2 ). In the Game Stage, he plays the
move s1 . In the Checking Stage, he plays A if Player 2’s move in the Game
Stage was s2 and R otherwise.
Let us show that this is indeed an ε-Nash equilibrium. A dishonest player
(assume Player 1) can try to increase his payoff by first deviating from the
protocol in the Communication Stage. If Player 2 outputs a joint strategy s =
(s1 , s2 ) then we know from the security of the Correlated Strategy Sampling
procedure that this is a sample from a distribution q s.t.

$$\mathbb{E}_{s \leftarrow q}[u_1(s)] \;\le\; \mathbb{E}_{s \leftarrow p_h}[u_1(s)] + \varepsilon. \qquad (1)$$

Hence, if Player 1 is dishonest during Stage 1 and then plays s1 in Stage 2,
then his gain is at most ε. If he decides to change his move, then the honest
player would play R in Stage 3, so his payoff would be 0. Overall, no matter
what strategy the dishonest player follows he cannot increase his payoff more
than ε from the honest strategy mentioned above, and hence this strategy is an
ε-approximate Nash equilibrium.

Note that from the security of the Correlated Strategy Sampling procedure we
also have

$$\mathbb{E}_{s \leftarrow q}[u_2(s)] \;\ge\; \mathbb{E}_{s \leftarrow p_h}[u_2(s)] - \varepsilon. \qquad (2)$$

Hence, we have the following interesting corollary.
Corollary 1. In the extended game Q, the expected payoff of the honest player
will not decrease by more than ε, no matter how the dishonest player deviates,
unless the dishonest player makes both players’ payoff equal to 0.
In other words, the honest strategy remains an equilibrium even if the objective
of a player is not to maximize his own payoff but rather maximize the difference
between the players’ payoffs.
In the special case of a Nash-support correlated equilibrium, the extended
game consists only of the first two stages. Similarly to the general case, we can
prove that the honest strategy is an approximate Nash equilibrium. Note that
now, the reason the dishonest player cannot increase his payoff by deviating
from the suggested joint strategy is because the joint strategy is a pure Nash
equilibrium, which, by definition, leaves each player no incentive to deviate even
if she knows the other players’ pure strategies to be played. Hence we do not
need the checking stage.

4 The Correlated Strategy Sampling Procedure


Let us first describe the intuition behind our procedure. First, we think of all
distributions as uniform distributions over a multiset of joint strategies of size K,
and hence sampling a joint strategy is equivalent to uniformly sampling a number
in [K]. Then, we sample sequentially log K bits. At each step, the players declare
the value of the bit they prefer, by calculating their expected payoffs conditioned
on the already sampled bits. If the players agree on the value, then this is the
sampled bit. If they disagree, then they perform a weak coin flip in order to
sample the bit. The fact that the weak coin flip is almost perfect, implies that
no dishonest player can bias the distribution by a lot.
We now provide the technical details. In a two-player game G with at most
n strategies for each player, let p be an efficiently computable correlated equi-
librium that the players know and aim to generate. A typical scenario is that
p is the lexicographically first correlated equilibrium that maximizes the total
payoff. If the distribution is not uniform we can emulate it by a uniform
distribution p̄ on a multiset S of joint strategies of size K = 2^k ∈ [n/δ, 2n/δ] for
some integer k, such that the distance between the two distributions is at most
δ. We can equivalently think of the distribution p̄ as a distribution on {0, 1}^k by
associating each element s̄ ∈ {0, 1}^k with an element s ∈ S.
Let p̄h be the distribution on {0, 1}^k that arises from our procedure when both
players are honest and q̄ the distribution of the honest player's output when the
other player is dishonest. The distributions p̄h and q̄ naturally give rise to the
distributions ph and q on the set of joint strategies (where the probability of s
in ph is the sum of the probabilities according to p̄h of the elements in {0, 1}^k
that correspond to s).
For a probability distribution μ over X = X1 × · · · × Xk , we use the standard
notation μ(·|xm+1 ...xk ) to denote the conditional distribution on X1 × · · · × Xm ,
i.e. μ conditioned on the last k − m variables being xm+1 ...xk . We also use
μ(x1 ...xm ) to denote the probability in the marginal distribution on the first
m variables. By x ← μ, we mean to draw a sample x from distribution μ. Let
sign(a) be the function which is 1 if a ≥ 0 and −1 if a < 0. The protocol appears
in the following figure.
(ε, δ)-Correlated Strategy Sampling Protocol

Input: A game G with at most n strategies for each player, and an efficiently
computable correlated equilibrium p.
1. Each Player i computes locally the equilibrium p and emulates p by a
uniform distribution p̄ on a multiset of joint strategies (i.e. on {0, 1}^k),
with k = O(log n).
2. for j = 1 to k
(a) Each Player i computes and announces his preference
$$a_i^j = \mathrm{sign}\Big(\mathbb{E}_{\bar s^{j+1}\cdots\bar s^k \leftarrow \bar p_h(\cdot\,|\,\bar s^1\cdots\bar s^{j-1}0)}[u_i(s)] \;-\; \mathbb{E}_{\bar s^{j+1}\cdots\bar s^k \leftarrow \bar p_h(\cdot\,|\,\bar s^1\cdots\bar s^{j-1}1)}[u_i(s)]\Big).$$
(b) if $a_1^j a_2^j = -1$,
Run WCF($a_1^j$, ε/k). Let the outcome of Player i be $\bar s_i^j \in \{0, 1\}$.
else
Set $\bar s_1^j = \bar s_2^j$ to be their commonly desirable value.
3. Each Player i outputs s according to the jointly flipped coins $\bar s = \bar s_i^1 \cdots \bar s_i^k$.

Analysis. First, if both players are honest then their expected utility is at least
as high as in the original CE, up to an additive error δ due to the precision of
using k bits to emulate p. If in all rounds they flip a fair coin then their expected
utility is exactly the same as in p. If at some round they both agree on a preferred
value then this increases both players expected utility.
We now prove that no dishonest player can increase his utility by much. Let
us assume without loss of generality that Player 1 is dishonest and Player 2 is
honest. We prove that after round m,
Claim. For any m = 1, ..., k, we have

$$\sum_{\bar s^1\cdots\bar s^m} \big(\bar q(\bar s^1\cdots\bar s^m) - \bar p_h(\bar s^1\cdots\bar s^m)\big) \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(s)$$
$$\le \sum_{\bar s^1\cdots\bar s^{m-1}} \big(\bar q(\bar s^1\cdots\bar s^{m-1}) - \bar p_h(\bar s^1\cdots\bar s^{m-1})\big) \sum_{\bar s^m\cdots\bar s^k} \bar p_h(\bar s^m\cdots\bar s^k \mid \bar s^1\cdots\bar s^{m-1})\, u_1(s) + \frac{\varepsilon}{k}. \qquad (3)$$

The proof is in the Appendix. Adding the inequalities in the claim for all m, we have

$$\sum_{\bar s^1\cdots\bar s^k} \big(\bar q(\bar s^1\cdots\bar s^k) - \bar p_h(\bar s^1\cdots\bar s^k)\big)\, u_1(s) \;\le\; \varepsilon.$$

By going back to the space of joint strategies we have $\mathbb{E}_{s \leftarrow q}[u_1(s)] \le \mathbb{E}_{s \leftarrow p_h}[u_1(s)] + \varepsilon$.
Moreover, for the honest player, a similar argument (changing u1 to u2, ε/k to
−ε/k, and reversing the direction of the inequality in Claim 4) shows the claimed Eq. (2).
The same analysis holds when Player 2 is dishonest. Also, it is easy to see that
the complexity of the protocol is polynomial in n/δ and 1/ε. This completes the
proof of our main theorem.
A final remark is that the same protocol can be used for general k-player
games. In each round, some players prefer s̄m to be 0 and some players prefer
1. We can then let two representatives, one from each group, do the weak
coin flipping, at the end of which the representatives announce the bits. If one
representative lies, then the other players reject in the third stage. The previous analysis
then easily applies to this scenario as well.
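The following is an added example, not code from the paper, that runs the Correlated Strategy Sampling procedure of this section exactly (with rational arithmetic) on a constructed instance: the [0, 1]-normalized game of Chicken and the correlated equilibrium p with weight 1/3 on (D,C), (C,D) and (C,C). Step 1 emulates p by a uniform distribution on a multiset of size K = 2^k (largest-remainder rounding is an assumption of this example; the paper only fixes the size of K). The honest distribution p̄h is built bottom-up from the per-round preferences, exactly as step 2(a) defines them, and a dishonest Player 1 is modelled by dynamic programming over the bit prefixes: at each round he may announce any preference, and in a disagreement round the WCF lets him push the probability of his declared winning value to at most 1/2 + ε/k or throw the flip entirely, which is the power Proposition 1 grants a cheater. Against this strongest adversary in the model, the checks confirm property 1 of Definition 6 (honest payoff within δ of p and never below the emulated distribution) and both inequalities of property 2 with the bound ε, i.e. Eq. (1), Eq. (2) and Corollary 1. The fair-coin stand-in for the WCF in run_honest is only for illustrating the honest flow; it gives no cheating resistance.

```python
from fractions import Fraction as F
from functools import lru_cache
import math
import random

# Constructed example: [0,1]-normalized Chicken (payoffs 0, 7, 2, 6 divided by 7)
# and the correlated equilibrium p with weight 1/3 on (D,C), (C,D) and (C,C).
PAYOFF = {("D", "D"): (F(0), F(0)), ("D", "C"): (F(1), F(2, 7)),
          ("C", "D"): (F(2, 7), F(1)), ("C", "C"): (F(6, 7), F(6, 7))}
P = {("D", "C"): F(1, 3), ("C", "D"): F(1, 3), ("C", "C"): F(1, 3)}
N = 2              # strategies per player
DELTA = F(1, 10)   # emulation precision delta
EPS = F(1, 20)     # total bias budget epsilon; each WCF call is run with bias EPS/k

def u(i, s):
    return PAYOFF[s][i - 1]

def emulate(p, n, delta):
    """Step 1: emulate p by the uniform distribution on a multiset of size
    K = 2^k in [n/delta, 2n/delta], rounding p(s)*K by largest remainder
    (the rounding rule is this example's assumption)."""
    k = math.ceil(math.log2(float(n / delta)))
    K = 2 ** k
    items = sorted(p)                                   # fixed order: both players agree
    counts = {s: math.floor(p[s] * K) for s in items}
    short = K - sum(counts.values())
    for s in sorted(items, key=lambda s: p[s] * K - counts[s], reverse=True)[:short]:
        counts[s] += 1
    return k, [s for s in items for _ in range(counts[s])]

K_BITS, MULTISET = emulate(P, N, DELTA)

def strategy_of(bits):
    """Map a full k-bit string (tuple of 0/1, MSB first) to its multiset element."""
    return MULTISET[int("".join(map(str, bits)), 2)]

def sign(a):
    return 1 if a >= 0 else -1

@lru_cache(maxsize=None)
def honest_value(prefix):
    """(E[u_1], E[u_2]) of the honest protocol's output given the bits fixed so
    far, i.e. the expectations under p_h(. | prefix).  Computed bottom-up."""
    if len(prefix) == K_BITS:
        s = strategy_of(prefix)
        return (u(1, s), u(2, s))
    v0, v1 = honest_value(prefix + (0,)), honest_value(prefix + (1,))
    a1, a2 = preference(prefix)
    if a1 == a2:                                            # step 2(b): agreed value
        return v0 if a1 == 1 else v1
    return tuple((v0[i] + v1[i]) / 2 for i in range(2))    # fair WCF outcome

def preference(prefix):
    """Step 2(a): each player's announced sign; +1 means 'prefer next bit 0'."""
    v0, v1 = honest_value(prefix + (0,)), honest_value(prefix + (1,))
    return tuple(sign(v0[i] - v1[i]) for i in range(2))

@lru_cache(maxsize=None)
def cheat_value(prefix, objective, maximize):
    """Best expectation of u_objective on honest Player 2's output that a
    dishonest Player 1 can enforce.  WCF model: the cheater can raise the
    probability of his declared winning value to at most 1/2 + EPS/k, or
    lower it as far as he likes (forcing the losing value)."""
    if len(prefix) == K_BITS:
        return u(objective, strategy_of(prefix))
    v = {b: cheat_value(prefix + (b,), objective, maximize) for b in (0, 1)}
    b2 = 0 if preference(prefix)[1] == 1 else 1   # honest Player 2's preferred bit
    w = 1 - b2                                     # value a dissenting Player 1 wins on
    pw = F(1, 2) + EPS / K_BITS
    options = [v[b2],                              # agree with Player 2 (or throw the flip)
               pw * v[w] + (1 - pw) * v[b2]]       # dissent and bias the WCF towards w
    return (max if maximize else min)(options)

def emulated_dist():
    """The uniform distribution on the multiset, as a distribution over S."""
    d = {}
    for s in MULTISET:
        d[s] = d.get(s, F(0)) + F(1, len(MULTISET))
    return d

def expect(dist, i):
    return sum(pr * u(i, s) for s, pr in dist.items())

def total_variation(p, q):
    return sum(abs(p.get(s, F(0)) - q.get(s, F(0))) for s in set(p) | set(q)) / 2

def run_honest(seed):
    """One honest execution of step 2, with a fair coin standing in for the
    WCF subroutine; both players end up with the same joint strategy."""
    rng, bits = random.Random(seed), ()
    for _ in range(K_BITS):
        a1, a2 = preference(bits)
        bits += (rng.randrange(2),) if a1 * a2 == -1 else ((0,) if a1 == 1 else (1,))
    return strategy_of(bits)

if __name__ == "__main__":
    h = honest_value(())
    print("k =", K_BITS, "honest payoffs", h, "sample", run_honest(1))
    print("best dishonest u1", cheat_value((), 1, True), "<= honest + eps:", h[0] + EPS)
    print("worst honest u2", cheat_value((), 2, False), ">= honest - eps:", h[1] - EPS)
```

The prefix tree has 2^k nodes, so the exact computation is feasible only for the small k of a toy instance; what it demonstrates is the telescoping structure of the Claim, since the adversary's per-round advantage is bounded by the single-flip bias ε/k times a utility difference of at most 1.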

References
[ADGH06] Abraham, I., Dolev, D., Gonen, R., Halpern, J.: Distributed computing
meets game theory: robust mechanisms for rational secret sharing and multiparty
computation. In: Proceedings of the Twenty-fifth Annual ACM Symposium on
Principles of Distributed Computing, pp. 53–62 (2006)
[Aum74] Aumann, R.: Subjectivity and correlation in randomized strategies. Journal
of Mathematical Economics 1, 67–96 (1974)
[Bár92] Bárány, I.: Fair distribution protocols or how the players replace fortune. Math-
ematics of Operations Research 17, 327–340 (1992)
[CDT09] Chen, X., Deng, X., Teng, S.: Settling the complexity of computing two-player
Nash equilibria. Journal of the ACM 56(3) (2009)
[CK09] Chailloux, A., Kerenidis, I.: Optimal quantum strong coin flipping. In: The
50th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp.
527–533 (2009)
[DGP09] Daskalakis, C., Goldberg, P., Papadimitriou, C.: Computing a Nash equilib-
rium is PPAD-complete. SIAM Journal on Computing 39(1), 195–259 (2009)
[DHR00] Dodis, Y., Halevi, S., Rabin, T.: A Cryptographic Solution to a Game Theo-
retic Problem. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 112–130.
Springer, Heidelberg (2000)
[FS02] Feigenbaum, J., Shenker, S.: Distributed algorithmic mechanism design: recent
results and future directions. In: Proceedings of the 6th International Workshop
on Discrete Algorithms and Methods for Mobile Computing and Communications,
pp. 1–13 (2002)
[IML05] Izmalkov, S., Micali, S., Lepinski, M.: Rational secure computation and ideal
mechanism design. In: Proceedings of the 46th Annual IEEE Symposium on Foun-
dations of Computer Science, pp. 585–595 (2005)
[Kit03] Kitaev, A.: Quantum coin-flipping. Presentation at The 6th Workshop on
Quantum Information Processing, QIP 2003 (2003)
[LMPS04] Lepinski, M., Micali, S., Peikert, C., Shelat, A.: Completely fair SFE and
coalition-safe cheap talk. In: Proceedings of the Twenty-third Annual ACM Sym-
posium on Principles of Distributed Computing, pp. 1–10 (2004)
[Lo97] Lo, H.-K.: Insecurity of quantum secure computations. Physical Review A 56(2)
(1997)
[Moc07] Mochon, C.: Quantum weak coin flipping with arbitrarily small bias.
arXiv:0711.4114 (2007)
[Nas51] Nash, J.: Non-cooperative games. The Annals of Mathematics 54(2), 286–295
(1951)
[PR08] Papadimitriou, C.H., Roughgarden, T.: Computing correlated equilibria in
multi-player games. Journal of the ACM 55(3) (2008)
[vNM44] von Neumann, J., Morgenstern, O.: Theory of Games and Economic Behav-
ior. Princeton University Press (1944)
[VNRT07] Vazirani, V., Nisan, N., Roughgarden, T., Tardos, É.: Algorithmic Game
Theory. Cambridge University Press (2007)
[Zha12] Zhang, S.: Quantum strategic game theory. In: Proceedings of the 3rd
Innovations in Theoretical Computer Science, pp. 39–59 (2012); earlier at
arXiv:1012.5141 and QIP 2011

A Proof of Claim 4

For the convenience of notation, we sometimes write u1(s̄) to mean u1(s) where s
corresponds to s̄. First, by expanding the probability into marginal times conditional
probabilities, we have

$$\sum_{\bar s^1\cdots\bar s^m} \big(\bar q(\bar s^1\cdots\bar s^m) - \bar p_h(\bar s^1\cdots\bar s^m)\big) \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(s)$$
$$= \sum_{\bar s^1\cdots\bar s^{m-1}} \Big[\bar q(\bar s^1\cdots\bar s^{m-1}) \sum_{\bar s^m} \bar q(\bar s^m \mid \bar s^1\cdots\bar s^{m-1}) - \bar p_h(\bar s^1\cdots\bar s^{m-1}) \sum_{\bar s^m} \bar p_h(\bar s^m \mid \bar s^1\cdots\bar s^{m-1})\Big] \cdot \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(s).$$

For those s̄1 · · · s̄m−1 on which the two players have the same preference for s̄m, the
best for Player 1 is then just to follow the honest protocol. Thus the corresponding
part of the inequality in Claim 4 holds even without the ε/k term. For
the rest of the s̄1 · · · s̄m−1, the two players have different preferences; without loss of
generality, assume that Player 1 prefers s̄m to be 0. Then the best Player 1 can do
to raise her utility is to bias s̄m in the coin flipping towards 0 as much as possible.
By the security of the weak coin flipping (which holds against a dishonest
player that may possess a quantum auxiliary input, hence includes the situation
where the dishonest player may try to entangle the different executions of the
coin flips), the above quantity is at most

$$\sum_{\bar s^1\cdots\bar s^{m-1}} \bigg[\bar q(\bar s^1\cdots\bar s^{m-1})\Big(\frac12 + \frac{\varepsilon}{k}\Big) \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(\bar s^1\cdots\bar s^{m-1}\,0\,\bar s^{m+1}\cdots\bar s^k)$$
$$\qquad + \bar q(\bar s^1\cdots\bar s^{m-1})\Big(\frac12 - \frac{\varepsilon}{k}\Big) \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(\bar s^1\cdots\bar s^{m-1}\,1\,\bar s^{m+1}\cdots\bar s^k)$$
$$\qquad - \bar p_h(\bar s^1\cdots\bar s^{m-1})\,\frac12 \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(\bar s^1\cdots\bar s^{m-1}\,0\,\bar s^{m+1}\cdots\bar s^k)$$
$$\qquad - \bar p_h(\bar s^1\cdots\bar s^{m-1})\,\frac12 \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(\bar s^1\cdots\bar s^{m-1}\,1\,\bar s^{m+1}\cdots\bar s^k)\bigg]$$
$$= \sum_{\bar s^1\cdots\bar s^{m-1}} \big(\bar q(\bar s^1\cdots\bar s^{m-1}) - \bar p_h(\bar s^1\cdots\bar s^{m-1})\big) \sum_{\bar s^m} \bar p_h(\bar s^m \mid \bar s^1\cdots\bar s^{m-1}) \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m)\, u_1(s)$$
$$\qquad + \frac{\varepsilon}{k} \sum_{\bar s^1\cdots\bar s^{m-1}} \bar q(\bar s^1\cdots\bar s^{m-1}) \sum_{\bar s^{m+1}\cdots\bar s^k} \bar p_h(\bar s^{m+1}\cdots\bar s^k \mid \bar s^1\cdots\bar s^m) \big[u_1(\bar s^1\cdots\bar s^{m-1}\,0\,\bar s^{m+1}\cdots\bar s^k) - u_1(\bar s^1\cdots\bar s^{m-1}\,1\,\bar s^{m+1}\cdots\bar s^k)\big]$$
$$\le \sum_{\bar s^1\cdots\bar s^{m-1}} \big(\bar q(\bar s^1\cdots\bar s^{m-1}) - \bar p_h(\bar s^1\cdots\bar s^{m-1})\big) \sum_{\bar s^m\cdots\bar s^k} \bar p_h(\bar s^m\cdots\bar s^k \mid \bar s^1\cdots\bar s^{m-1})\, u_1(s) + \frac{\varepsilon}{k},$$

where we used the fact that p̄h (s̄m |s̄1 ...s̄m−1 ) = 1/2 in the equality, and the fact
that the game is [0, 1]-normalized in the inequality.
An All-But-One Entropic Uncertainty Relation,
and Application to Password-Based Identification

Niek J. Bouman¹, Serge Fehr¹, Carlos González-Guillén²,³, and Christian Schaffner⁴,¹

¹ Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands
² Depto. de Matemática Aplicada, Technical University of Madrid, Spain
³ IMI, Universidad Complutense de Madrid, Spain
⁴ University of Amsterdam (UvA), The Netherlands

Abstract. Entropic uncertainty relations are quantitative characterizations
of Heisenberg's uncertainty principle, which make use of an entropy
measure to quantify uncertainty. We propose a new entropic uncertainty
relation. It is the first such uncertainty relation that lower bounds the
uncertainty in the measurement outcome for all but one choice for the
measurement from an arbitrary (and in particular an arbitrarily large) set
of possible measurements, and, at the same time, uses the min-entropy
as entropy measure, rather than the Shannon entropy. This makes it
especially suited for quantum cryptography.
As application, we propose a new quantum identification scheme in
the bounded-quantum-storage model. It makes use of our new uncer-
tainty relation at the core of its security proof. In contrast to the original
quantum identification scheme proposed by Damgård et al. [4], our new
scheme also offers some security in case the bounded-quantum-storage
assumption fails to hold. Specifically, our scheme remains secure against
an adversary that has unbounded storage capabilities but is restricted to
(non-adaptive) single-qubit operations. The scheme by Damgård et al.,
on the other hand, completely breaks down under such an attack.

1 Introduction
In this work¹, we propose and prove a new general entropic uncertainty relation.
Entropic uncertainty relations are quantitative characterizations of Heisenberg’s
uncertainty principle, which make use of an entropy measure (usually Shannon
entropy) to quantify uncertainty. Our new entropic uncertainty relation dis-
tinguishes itself from previously known uncertainty relations by the following
collection of features:

1. It uses the min-entropy as entropy measure, which is a stronger type of
uncertainty than Shannon entropy. Since min-entropy allows for privacy
amplification, such entropic uncertainty relations are useful tools in quantum
cryptography.
¹ The full version of this paper can be found online [2].

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 29–44, 2013.
© Springer-Verlag Berlin Heidelberg 2013
2. It lower bounds the uncertainty in the measurement outcome for all but one
choice for the measurement from an arbitrary, and in particular arbitrarily
large, family of possible measurements. This is clearly stronger than typical
entropic uncertainty relations that lower bound the uncertainty on average
(over the choice of the measurement).
3. The measurements can be chosen to be qubit-wise measurements, in the
computational or Hadamard basis, and thus the uncertainty relation is ap-
plicable to settings that can be implemented using current technology.

To the best of our knowledge, no previous entropic uncertainty relation satisfies
(1) and (2) simultaneously, let alone in combination with (3). Indeed, as pointed
out in the recent overview article by Wehner and Winter [13], little is known
about entropic uncertainty relations for more than two measurement outcomes,
let alone when considering min-entropy.
In the remainder of this introduction, we explain the statement of our new
uncertainty relation and we discuss an application: we propose a new password-
based quantum identification scheme, whose security (in the bounded-quantum-
storage model) relies on the new uncertainty relation.

Our Result Explained. To better understand our new uncertainty relation, we
find it helpful to first discuss a simpler variant, which does not satisfy (1), and
which follows trivially from known results. Fix an arbitrary family {B1 , . . . , Bm }
of bases for a given quantum system (i.e., Hilbert space). The maximum overlap
of such a family is defined as $c := \max\{|\langle\phi|\psi\rangle| : |\phi\rangle \in B_j,\ |\psi\rangle \in B_k,\ 1 \le j < k \le m\}$, and we write $d := -\log(c^2)$. Let ρ be an arbitrary quantum state of that
system, and let X denote the measurement outcome when ρ is measured in one
of the bases. We model the choice of the basis by a random variable J, so that
H(X|J = j) denotes the Shannon entropy of the measurement outcome when
ρ is measured in basis Bj . It follows immediately from Maassen and Uffink's
uncertainty relation [8] that H(X|J = j) + H(X|J = k) ≥ − log(c²) = d for any
j ≠ k. As a direct consequence, there exists a choice j' for the measurement so
that H(X|J = j) ≥ d/2 for all j ∈ {1, . . . , m} with j ≠ j'. In other words, for any
state ρ there exists j' so that unless the choice for the measurement coincides
with j', which happens with probability at most maxj PJ (j), there are at least
d/2 bits of entropy in the outcome X.
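An added example (not code from the paper) that carries the Shannon-entropy argument above through on a constructed family of bases: the four 2-qubit bases obtained by measuring each qubit in the computational or the Hadamard basis, which is the kind of qubit-wise family the paper mentions. The code computes the maximum overlap c and d = −log(c²) of the family, the Shannon entropy H(X|J = j) of a pure state measured in each basis, and then checks both the pairwise Maassen–Uffink bound H(X|J = j) + H(X|J = k) ≥ d and its consequence that, with j' taken as the basis of least entropy, every other basis has entropy at least d/2. Pure states are used for simplicity; the bound holds for mixed states as well.

```python
import math
import random
from itertools import product

# Constructed family of 2-qubit bases: each qubit is measured either in the
# computational basis (0) or in the Hadamard basis (1), so B_j is indexed by a
# choice j in {00, 01, 10, 11} and the family has m = 4 bases.
R = 1 / math.sqrt(2)
QUBIT_BASES = {0: ([1, 0], [0, 1]),        # |0>, |1>
               1: ([R, R], [R, -R])}       # |+>, |->

def kron(v, w):
    return [x * y for x in v for y in w]

def basis(choice):
    """Orthonormal basis B_j of the 2-qubit space for the per-qubit choice j."""
    return [kron(v, w) for v in QUBIT_BASES[choice[0]] for w in QUBIT_BASES[choice[1]]]

FAMILY = [basis(c) for c in product((0, 1), repeat=2)]

def inner(phi, psi):
    """<phi|psi> for amplitude lists (complex or real)."""
    return sum(complex(x).conjugate() * y for x, y in zip(phi, psi))

def max_overlap(family):
    """c := max |<phi|psi>| over vectors taken from two different bases."""
    return max(abs(inner(phi, psi))
               for j in range(len(family)) for k in range(j + 1, len(family))
               for phi in family[j] for psi in family[k])

def shannon_entropy(state, vectors):
    """H(X) of the outcome when the pure state is measured in the given basis."""
    probs = [abs(inner(v, state)) ** 2 for v in vectors]
    return -sum(p * math.log2(p) for p in probs if p > 1e-12)

def all_but_one_bound(state, family, tol=1e-9):
    """Checks the pairwise Maassen-Uffink bound H_j + H_k >= d for j != k and
    its consequence: with j* = argmin_j H_j, every j != j* has H_j >= d/2.
    Returns (d, [H_1..H_m], j*, both checks passed)."""
    d = -math.log2(max_overlap(family) ** 2)
    ent = [shannon_entropy(state, b) for b in family]
    m = len(ent)
    pairwise = all(ent[j] + ent[k] >= d - tol for j in range(m) for k in range(j + 1, m))
    j_star = min(range(m), key=ent.__getitem__)
    rest = all(ent[j] >= d / 2 - tol for j in range(m) if j != j_star)
    return d, ent, j_star, pairwise and rest

def random_state(seed, dim=4):
    """A random pure state: normalised complex Gaussian amplitudes (constructed input)."""
    rng = random.Random(seed)
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(dim)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in amps))
    return [a / norm for a in amps]

if __name__ == "__main__":
    for name, psi in (("|00>", [1, 0, 0, 0]), ("(|00>+|11>)/sqrt2", [R, 0, 0, R]),
                      ("random", random_state(0))):
        d, ent, j_star, ok = all_but_one_bound(psi, FAMILY)
        print(f"{name}: d = {d:.3f}, entropies = {[round(h, 3) for h in ent]}, "
              f"j* = {j_star}, bound holds = {ok}")
```

For this family c = 1/√2 and hence d = 1: two bases that differ in the choice for only one qubit share vectors with overlap 1/√2. The state |00⟩ has zero entropy in the computational basis, so that basis is its j', and the other three bases give 1, 1 and 2 bits, all at least d/2.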
Our new high-order entropic uncertainty relation shows that this very statement
essentially still holds when we replace Shannon by min-entropy, except that
j' becomes randomized: for any ρ, there exists a random variable J', independent
of J, such that²

$$H_{\min}(X \mid J = j, J' = j') \;\gtrsim\; \frac{d}{2} \qquad \forall\, j \ne j' \in \{1, \dots, m\},$$

no matter what the distribution of J is. Thus, unless the measurement J
coincides with J', there are roughly d/2 bits of min-entropy in the outcome X.
² The approximate inequality ≳ will be made rigorous in the main body.
Furthermore, since J' is independent of J, the probability that J coincides with
J' is at most maxj PJ (j), as is the case for a fixed J'.
Note that we have no control over (the distribution of) J'. We can merely
guarantee that it exists and is independent of J. It may be insightful to interpret
J' as a virtual guess for J, guessed by the party that prepares ρ, and whose goal
is to have little uncertainty in the measurement outcome X. The reader may
think of the following specific way of preparing ρ: sample j' according to some
arbitrary distribution J', and then prepare the state as the, say, first basis vector
of Bj' . If the resulting mixture ρ is then measured in some basis Bj , sampled
according to an arbitrary (independent) distribution J, then unless j = j' (i.e.,
our guess for j was correct), there is obviously lower bounded uncertainty in
the measurement outcome X (assuming a non-trivial maximum overlap). Our
uncertainty relation can be understood as saying that for any state ρ, no matter
how it is prepared, there exists such a (virtual) guess J', which exhibits this very
behavior: if it differs from the actual choice for the measurement then there is
lower bounded uncertainty in the measurement outcome X. As an immediate
consequence, we can for instance say that X has min-entropy at least d/2, except
with a probability that is given by the probability of guessing J, e.g., except
with probability 1/m if the measurement is chosen uniformly at random from
the family. This is clearly the best we can hope for.
We stress that because the min-entropy is more conservative than the Shannon
entropy, our high-order entropic uncertainty relation does not follow from its
simpler Shannon-entropy version. Neither can it be deduced in an analogue way;
the main reason being that for fixed pairs j ≠ k, there is no strong lower bound
on Hmin(X|J = j) + Hmin(X|J = k), in contrast to the case of Shannon entropy.
More precisely and more generally, the average uncertainty $\frac{1}{|J|}\sum_j H_{\min}(X \mid J = j)$
does not allow a lower bound higher than log |J|. To see this, consider the
following example for |J| = 2 (the example can easily be extended to arbitrary
|J|). Suppose that ρ is the uniform mixture of two pure states, one giving no
uncertainty when measured in basis j, and the other giving no uncertainty when
measured in basis k. Then, Hmin(X|J = j) = Hmin(X|J = k) = 1 and so is
their average. For a similar reason, we cannot hope to get a good bound for all
but a fixed choice of j'; the probabilistic nature of J' is necessary (in general).
Hence, compared to bounding the average uncertainty, the all-but-one form of
our uncertainty relation not only makes our uncertainty relation stronger in that
uncertainty for all-but-one implies uncertainty on average (yet not vice versa),
but it also allows for more uncertainty.
Note that by using asymptotically good error correcting codes, one can con-
struct families {B1 , . . . , Bm } of bases that have a large value of d, and thus
for which our uncertainty relation guarantees a large amount of min-entropy.
These families consist of qubit-wise measurements in the computational or the
Hadamard basis, and thus are implementable with current technology.
32 N.J. Bouman et al.
The proof of our new uncertainty relation is rather involved. First, we extend a technique used in (the journal version of) [3], which is based on a norm inequality for the sum of orthogonal projectors, and then we combine this with some involved probability reasoning to prove the existence of the random variable $J'$ as required.

Application. As an application of our entropic uncertainty relation, we propose a new quantum identification scheme. Informally, the goal of (password-based) identification is to prove knowledge of a possibly low-entropy password $w$, without giving away any information on $w$ (beyond what is unavoidable).
It is known (see [4]) that any quantum identification scheme can be broken
by a dishonest participant having unbounded quantum storage and unbounded
quantum-computation capabilities. Damgård et al. [4] showed the existence of
such an identification scheme3 in the bounded-quantum-storage model (BQSM),
where an upper bound is assumed on the number of qubits that the dishonest
server can store. If, however, this assumption fails to hold, then the security of the
scheme of Damgård et al. breaks down completely. Hence, it would actually be
desirable to have an identification scheme for which unbounded quantum storage
and unbounded quantum-computation capabilities are necessary to break it. Our
new scheme can be appreciated as a first step towards achieving this, in that
large quantum storage and non-trivial quantum computation capabilities are
necessary for a successful attack. A disadvantage of our scheme is that it only
offers security in case of a perfect quantum source, which emits precisely one
qubit when triggered (i.e., there is no multi-photon emission or the like). Since
current technology only admits (close to) perfect quantum sources under “lab
conditions,” our scheme is currently mainly of theoretical interest.
Our uncertainty relation gives us the right tool to prove security of the new
quantum identification scheme in the BQSM. Additionally, we prove security
of our new scheme in the so-called single-qubit-operations model (SQOM), i.e.,
against a dishonest server that has unbounded quantum-storage capabilities and
can reliably store all the qubits communicated during the course of the scheme,
but is restricted to single-qubit operations and measurements (i.e., cannot oper-
ate on several qubits coherently). Proving security of our scheme in the SQOM
is non-trivial.

2 Preliminaries
We write $D(\mathcal{H})$ for the set of all density matrices on Hilbert space $\mathcal{H}$.
Definition 1 (Min-Entropy [10,7]). For any density matrix $\rho_{XE} \in D(\mathcal{H}_{XE})$ with classical $X$, the min-entropy of $X$ when given $\mathcal{H}_E$ is defined as
$$H_{\min}(X|E) := -\log p_{\mathrm{guess}}(X|E),$$
where the guessing probability $p_{\mathrm{guess}}(X|E) := \max_{\{M_x\}} \sum_x P_X(x)\,\mathrm{tr}(M_x \rho_E^x)$ is the maximal success probability of guessing $X$ by a positive operator-valued measurement $\{M_x\}$ of $E$.
3
Actually, [4] proposed two such schemes: QID and QID+ . QID offers security against
impersonation attacks, and QID+ additionally offers security against man-in-the-
middle attacks but is not truly password-based. In this work, we focus on imperson-
ation attacks only (with truly password-based security).
For classical random variables $X$ and $Y$, the conditional min-entropy $H_{\min}(X|Y)$ simplifies to
$$H_{\min}(X|Y) = -\log \sum_y P_Y(y) \max_x P_{X|Y}(x|y) = -\log \sum_y \max_x P_{XY}(x,y).$$
For a matrix $\rho$, the trace norm is defined as $\|\rho\|_1 := \mathrm{tr}\sqrt{\rho\rho^*}$, where $\rho^*$ denotes the Hermitian transpose of $\rho$.
Definition 2 (Trace Distance [9]). The trace distance between two density matrices $\rho, \sigma \in D(\mathcal{H})$ is defined as $\delta(\rho,\sigma) := \frac12\|\rho - \sigma\|_1$.
If two states $\rho$ and $\sigma$ are $\varepsilon$-close in trace distance, i.e. $\frac12\|\rho - \sigma\|_1 \le \varepsilon$, we use $\rho \approx_\varepsilon \sigma$ as shorthand.

Definition 3 (Distance to Uniform). For a density matrix $\rho_{XE} \in D(\mathcal{H}_X \otimes \mathcal{H}_E)$ with classical $X$, the distance to uniform of $X$ given $E$ is defined as
$$d_{\mathrm{unif}}(X|E) := \tfrac12\|\rho_{XE} - \rho_U \otimes \rho_E\|_1,$$
where $\rho_U := \frac{1}{\dim(\mathcal{H}_X)}\mathbb{I}_X$.
Definition 4 (Conditional Independence [4]). For a density matrix on $D(\mathcal{H}_X \otimes \mathcal{H}_Y \otimes \mathcal{H}_E)$ with classical $X$ and $Y$ for which the random variable $X$ is independent of the quantum subsystem $E$ when given the random variable $Y$, we write $\rho_{X\leftrightarrow Y\leftrightarrow E}$, i.e.,
$$\rho_{X\leftrightarrow Y\leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^y.$$

3 Formal Statement and Proof of the Main Result


To obtain our entropic uncertainty relation that lower bounds the min-entropy of
the measurement outcome for all but one measurement, we first state an uncer-
tainty relation that expresses uncertainty by means of the probability measure
of given sets.
As above, {B1 , . . . , Bm } is an arbitrary but fixed family of bases for the state
space H of a quantum system, and c denotes the maximum overlap. For simplic-
ity, we restrict our attention to an n-qubit system, such that H = (C2 )⊗n for
n ∈ N, but our results immediately generalize to arbitrary quantum systems.

Theorem 5 (Theorem 4.18 in [12]). Let $\rho$ be an arbitrary state of $n$ qubits. For $j \in [m]$, let $Q_j(\cdot)$ be the distribution of the outcome when $\rho$ is measured in the $B_j$-basis. Then, for any family $\{L_j\}_{j\in[m]}$ of subsets $L_j \subset \{0,1\}^n$, it holds that
$$\sum_{j\in[m]} Q_j(L_j) \le 1 + c\,(m-1)\cdot \max_{j\neq k\in[m]} \sqrt{|L_j|\,|L_k|}.$$

A special case of Theorem 5, obtained by restricting the family of bases to $\{B_+, B_\times\}$ with $B_+ = \{|x\rangle\}_{x\in\{0,1\}^n}$ and $B_\times = \{H^{\otimes n}|x\rangle\}_{x\in\{0,1\}^n}$ (i.e., either the computational or Hadamard basis for all qubits), is an uncertainty relation that was proven and used in the original paper about the BQSM [3]. The proof of Theorem 5 (Appendix A.2) goes along similar lines as the proof in the journal version of [3] for the special case outlined above. It is based on the norm inequality (see Appendix A.1)
$$\|A_1 + \ldots + A_m\| \le 1 + (m-1)\cdot \max_{j\neq k\in[m]} \|A_j A_k\|$$
for arbitrary orthogonal projectors $A_1, \ldots, A_m$, where $\|\cdot\|$ denotes the operator norm.
We can reformulate Theorem 5 in terms of a “good event” E with lower
bounded probability, and if it occurs, then the measurement outcome has high
min-entropy. The statement is obtained by choosing the sets Lj in Theorem 5
appropriately (see Appendix A.3).
Because we now switch to entropy notation, it will be convenient to work with a measure of overlap between bases that is logarithmic in nature and expressed relative to the number $n$ of qubits. Hence, we define $\delta := -\frac{1}{n}\log(c^2)$.
Corollary 6. Let $\rho$ be an arbitrary $n$-qubit state, let $J$ be a random variable over $[m]$, and let $X$ be the outcome when measuring $\rho$ in basis $B_J$.$^4$ Then, for any $0 < \varepsilon < \delta/4$, there exists an event $E$ such that
$$\sum_{j\in[m]} \Pr[E|J=j] \ge (m-1) - (2m-1)\cdot 2^{-\varepsilon n}$$
and
$$H_{\min}(X|J=j, E) \ge \Big(\frac{\delta}{2} - 2\varepsilon\Big)n$$
for $j \in [m]$ with $P_{J|E}(j) > 0$.
We will now state and prove our main result.
Theorem 7 (Our New Uncertainty Relation). Let $\rho$ be an arbitrary $n$-qubit state, let $J$ be a random variable over $[m]$, and let $X$ be the outcome when measuring $\rho$ in basis $B_J$. Then, for any $0 < \varepsilon < \delta/4$, there exists a random variable $J'$ such that (1) $J$ and $J'$ are independent and (2) there exists an event $\Omega$ with $\Pr[\Omega] \ge 1 - 2\cdot 2^{-\varepsilon n}$ such that$^5$
$$H_{\min}(X|J=j, J'=j', \Omega) \ge \Big(\frac{\delta}{2} - 2\varepsilon\Big)n - 1$$
for all $j, j' \in [m]$ with $j \neq j'$ and $P_{JJ'|\Omega}(j,j') > 0$.

Proof (of Theorem 7). From Corollary 6 we know that for any $0 < \varepsilon < \delta/4$, there exists an event $E$ such that $\sum_{j\in[m]} \Pr[E|J=j] = m - 1 - \alpha$, and thus $\sum_{j\in[m]} \Pr[\bar E|J=j] = 1 + \alpha$, for $-1 \le \alpha \le (2m-1)2^{-\varepsilon n}$. We make the case distinction between $\alpha = 0$, $\alpha > 0$ and $\alpha < 0$. We will only prove the case $\alpha = 0$
$^4$ I.e., $P_{X|J}(x|j) = Q_j(x)$, using the notation from Theorem 5.
$^5$ Instead of introducing such an event $\Omega$, we could also express the min-entropy bound by means of the smooth min-entropy of $X$ given $J = j$ and $J' = j'$.
here; the other two cases are proved in Appendix A.4, by reducing them to the case $\alpha = 0$ by "inflating" and "deflating" the event $E$ appropriately. The approach for the case $\alpha = 0$ is to define $J'$ in such a way that $E \iff J \neq J'$, i.e., the event $J \neq J'$ coincides with the event $E$. The min-entropy bound from Corollary 6 then immediately translates to $H_{\min}(X|J=j, J'\neq J) \ge (\delta/2 - 2\varepsilon)n$, and to $H_{\min}(X|J=j, J'=j') \ge (\delta/2 - 2\varepsilon)n$ for $j' \neq j$ with $P_{JJ'}(j,j') > 0$, as we will show. What is not obvious about the approach is how to define $J'$ when it is supposed to be different from $J$, i.e., when the event $E$ occurs, so that in the end $J$ and $J'$ are independent.
Formally, we define $J'$ by means of the following conditional probability distributions:
$$P_{J'|JX\bar E}(j'|j,x) := \begin{cases} 1 & \text{if } j' = j \\ 0 & \text{if } j' \neq j \end{cases}
\qquad\qquad
P_{J'|JXE}(j'|j,x) := \begin{cases} 0 & \text{if } j' = j \\[4pt] \dfrac{\Pr[\bar E|J=j']}{\Pr[E|J=j]} & \text{if } j' \neq j \end{cases}$$

We assume for the moment that the denominator in the latter expression does not vanish for any $j$; we take care of the case where it does later. Trivially, $P_{J'|JX\bar E}$ is a proper distribution, with non-negative probabilities that add up to 1, and the same holds for $P_{J'|JXE}$:
$$\sum_{j'\in[m]} P_{J'|JXE}(j'|j,x) = \sum_{j'\in[m]\setminus\{j\}} P_{J'|JXE}(j'|j,x) = \sum_{j'\in[m]\setminus\{j\}} \frac{\Pr[\bar E|J=j']}{\Pr[E|J=j]} = 1,$$
where we used that $\sum_{j\in[m]} \Pr[\bar E|J=j] = 1$ (because $\alpha = 0$) in the last equality, so that $\sum_{j'\neq j} \Pr[\bar E|J=j'] = 1 - \Pr[\bar E|J=j] = \Pr[E|J=j]$. Furthermore, it follows immediately from the definition of $J'$ that $\bar E \implies J = J'$ and $E \implies J \neq J'$. Hence, $E \iff J \neq J'$, and thus the bound from Corollary 6 translates to $H_{\min}(X|J=j, J'\neq J) \ge (\delta/2 - 2\varepsilon)n$. It remains to argue that $J'$ is independent of $J$, and that the bound also holds for $H_{\min}(X|J=j, J'=j')$ whenever $j \neq j'$.
The latter follows immediately from the fact that conditioned on $J \neq J'$ (which is equivalent to $E$), $X$, $J$ and $J'$ form a Markov chain $X \leftrightarrow J \leftrightarrow J'$ (the distribution $P_{J'|JXE}$ does not depend on $x$), and thus, given $J = j$, additionally conditioning on $J' = j'$ does not change the distribution of $X$. For the independence of $J$ and $J'$, consider the joint probability distribution of $J$ and $J'$, given by
$$\begin{aligned} P_{JJ'}(j,j') &= P_{J'JE}(j',j) + P_{J'J\bar E}(j',j) \\ &= P_J(j)\Pr[E|J=j]\,P_{J'|JE}(j'|j) + P_J(j)\Pr[\bar E|J=j]\,P_{J'|J\bar E}(j'|j) \\ &= P_J(j)\Pr[\bar E|J=j'], \end{aligned}$$
where the last equality follows by separately analyzing the cases $j = j'$ and $j \neq j'$. It follows immediately that the marginal distribution of $J'$ is $P_{J'}(j') = \sum_j P_{JJ'}(j,j') = \Pr[\bar E|J=j']$, and thus $P_{JJ'} = P_J \cdot P_{J'}$.
What is left to do for the case $\alpha = 0$ is to deal with the case where there exists $j^*$ with $\Pr[E|J=j^*] = 0$. Since $\sum_{j\in[m]} \Pr[\bar E|J=j] = 1$, it holds that $\Pr[\bar E|J=j] = 0$ for $j \neq j^*$. This motivates to define $J'$ as $J' := j^*$ with probability 1. Note that this definition directly implies that $J'$ is independent from $J$. Furthermore, by the above observations: $E \iff J \neq J'$. This concludes the case $\alpha = 0$; the rest of the proof is found in Appendix A.4.

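The construction of $J'$ above is easy to check numerically. The following Python code (added here; it is not from the paper) takes $P_J$ and the per-basis probabilities $\Pr[E|J=j]$ with $\alpha = 0$, builds the joint table $P_{JJ'}$ from the two conditional distributions of the proof, and verifies that $J$ and $J'$ are independent and that $\Pr[J \neq J'] = \Pr[E]$; it also covers the degenerate case $j^*$ and the inflation step used in Appendix A.4 for $\alpha > 0$. The input numbers are constructed for the example and carry no meaning beyond satisfying the constraints.

```python
from fractions import Fraction as Fr

# Constructed example inputs (chosen so that alpha = 0): P_J uniform over m = 3 bases
# and Pr[E | J = j] per basis; the Pr[not E | J = j] add up to 1.
EXAMPLE_PJ = [Fr(1, 3), Fr(1, 3), Fr(1, 3)]
EXAMPLE_PE = [Fr(3, 4), Fr(1, 2), Fr(3, 4)]
# Constructed degenerate instance: Pr[E | J = 0] = 0, so J' := 0 deterministically.
HALF_PJ = [Fr(1, 2), Fr(1, 2)]
DEGENERATE_PE = [Fr(0), Fr(1)]

def alpha(p_e_given_j):
    """alpha from the proof: sum_j Pr[E | J = j] = m - 1 - alpha."""
    return len(p_e_given_j) - 1 - sum(p_e_given_j)

def construct_j_prime(p_j, p_e_given_j):
    """Case alpha = 0: joint table P_{J J'}(j, j') from the proof's two conditional
    distributions (P_{J'|J X not-E} sets J' = J; P_{J'|J X E} spreads J' over j' != j
    in proportion to Pr[not E | J = j'])."""
    m = len(p_j)
    assert alpha(p_e_given_j) == 0, "inflate/deflate E first (Appendix A.4)"
    p_ebar = [1 - p for p in p_e_given_j]
    zero = [j for j in range(m) if p_e_given_j[j] == 0]
    if zero:
        # j*: Pr[E | J = j*] = 0 forces Pr[not E | J = j] = 0 for all j != j*
        jstar = zero[0]
        return {(j, jp): (p_j[j] if jp == jstar else Fr(0))
                for j in range(m) for jp in range(m)}
    joint = {}
    for j in range(m):
        for jp in range(m):
            if jp == j:
                joint[(j, jp)] = p_j[j] * p_ebar[j]          # J' = J exactly when E fails
            else:
                cond = p_ebar[jp] / p_e_given_j[j]           # P_{J'|J E}(j' | j)
                joint[(j, jp)] = p_j[j] * p_e_given_j[j] * cond
    return joint

def marginals(joint, m):
    pj = [sum(joint[(j, jp)] for jp in range(m)) for j in range(m)]
    pjp = [sum(joint[(j, jp)] for j in range(m)) for jp in range(m)]
    return pj, pjp

def is_independent(joint, m):
    pj, pjp = marginals(joint, m)
    return all(joint[(j, jp)] == pj[j] * pjp[jp] for j in range(m) for jp in range(m))

def pr_j_differs(joint):
    """Pr[J != J']; must coincide with Pr[E] because E <=> J != J'."""
    return sum(v for (j, jp), v in joint.items() if j != jp)

def pr_e(p_j, p_e_given_j):
    return sum(pj * pe for pj, pe in zip(p_j, p_e_given_j))

def inflate(p_e_given_j):
    """Case alpha > 0 (Appendix A.4): E' = E or E_o with Pr[E_o | J = j, X = x] = alpha/m.
    Returns the new per-basis probabilities Pr[E' | J = j] and Pr[Omega] = 1 - alpha/m."""
    m = len(p_e_given_j)
    a = alpha(p_e_given_j)
    assert a > 0
    return [p + a / m for p in p_e_given_j], 1 - a / m

if __name__ == "__main__":
    joint = construct_j_prime(EXAMPLE_PJ, EXAMPLE_PE)
    print("J, J' independent:", is_independent(joint, 3))
    print("Pr[J != J'] =", pr_j_differs(joint), " Pr[E] =", pr_e(EXAMPLE_PJ, EXAMPLE_PE))
```

Exact fractions are used so that independence is checked as an equality rather than up to rounding; the marginal of $J'$ comes out as $\Pr[\bar E|J=j']$, exactly as in the proof.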
4 A New Quantum Identification Scheme


The goal of (password-based) identification is to “prove” knowledge of a password
w (or PIN) without giving w away. More formally, given a user U and a server
S that hold a pre-agreed password w, the user wants to convince the server that
he indeed knows w, but in such a way that he gives away as little information
on w as possible in case he is actually interacting with a dishonest server. We
use the security definitions of [4].
Definition 8 (Correctness). An identification protocol is said to be ε-correct
if, after an execution by honest U and honest S, S accepts with probability 1 − ε.
Definition 9 (Server Security). An identification protocol for two parties U, S is $\varepsilon$-secure for the server S against (dishonest) user U* if the following holds: whenever the initial state of U* is independent of $W$, then there exists a random variable $W'$ (possibly $\bot$) that is independent of $W$ such that if $W \neq W'$ then S accepts with probability at most $\varepsilon$. Furthermore, the common state $\rho_{WE}$ after execution of the protocol (including S's announcement to accept or reject) satisfies
$$\rho_{WW'E|W\neq W'} \approx_\varepsilon \rho_{W\leftrightarrow W'\leftrightarrow E|W\neq W'}.$$
Definition 10 (User Security). An identification protocol for two parties U, S is $\varepsilon$-secure for the user U against (dishonest) server S* if the following holds: If the initial state of S* is independent of $W$, then its state $E$ after execution of the protocol is such that there exists a random variable $W'$ that is independent of $W$ and such that
$$\rho_{WW'E|W\neq W'} \approx_\varepsilon \rho_{W\leftrightarrow W'\leftrightarrow E|W\neq W'}.$$

Our new identification scheme, Q-ID, is shown below, where $\mathcal{F}$ is a universal class of functions$^6$ from $\{0,1\}^n$ to $\{0,1\}^\ell$ and $\mathcal{G}$ is a strongly universal class of functions from $[m]$ to $\{0,1\}^\ell$. We use the following simple construction for the family $\{B_1, \ldots, B_m\}$ of bases. For a suitable binary code $C \subset \{0,1\}^n$ of size $m$, minimum distance $d$ and encoding function $c : [m] \to C$, the basis $B_j$ measures qubit-wise in the computational or the Hadamard basis, depending on the corresponding coordinate of $c(j)$. The maximum overlap of the family obtained this way is directly related to the minimum distance $d$ of $C$: two such bases whose codewords differ in $h$ coordinates have maximum overlap $2^{-h/2}$, so $c = 2^{-d/2}$ and $\delta = -\frac{1}{n}\log(c^2) = d/n$.
$^6$ A class of functions $\mathcal{F}$ is called universal, if for any distinct $x, y \in \mathcal{X}$, it holds that $\Pr[f(x) = f(y)] \le 2^{-\ell}$ when picking $f$ uniformly from $\mathcal{F}$. The class is called strongly universal, if the random variables $F(x)$ and $F(y)$ are independent and uniform if $F$ is uniform in $\mathcal{F}$.
Protocol Q-ID
(1) U picks $x \in \{0,1\}^n$ at random and sends $H^{c(w)}|x\rangle$ to S.
(2) S measures in basis $c(w)$. Let $x'$ be the outcome.
(3) U picks $f \in \mathcal{F}$ randomly and independently and sends it to S.
(4) S picks $g \in \mathcal{G}$ randomly and independently and sends it to U.
(5) U computes and sends $z := f(x) \oplus g(w)$ to S.
(6) S accepts if and only if $z = z'$ where $z' := f(x') \oplus g(w)$.

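As an added illustration (not part of the original paper), the following Python script simulates an honest run of Q-ID and a run by a user who guesses the password wrong, using the basis construction above with the extended Hamming $[8,4,4]$ code as $C$ (so $n = 8$, $m = 16$, $d = 4$ and $\delta = 1/2$). The choice of code, the output length $\ell = 8$ and the concrete hash classes are the example's own assumptions: $\mathcal{F}$ is the class of all GF(2)-linear maps $\{0,1\}^8 \to \{0,1\}^8$ (universal) and $\mathcal{G}$ the class of all affine maps on the 4-bit encoding of $w$ (strongly universal). Since every state sent is a BB84 state, step (2) is modelled exactly by a classical rule: a qubit measured in its preparation basis yields its value, and in the conjugate basis a uniformly random bit.

```python
import random

N = 8
# Generator matrix of the extended Hamming [8,4,4] code, one row per bit of j (constructed example).
GEN = [0b10000111, 0b01001011, 0b00101101, 0b00011110]
M = 1 << len(GEN)                       # m = 16 passwords

def encode(j):
    """c(j): codeword of password j; bit i = 1 means qubit i uses the Hadamard basis."""
    cw = 0
    for i, row in enumerate(GEN):
        if (j >> i) & 1:
            cw ^= row
    return cw

def min_distance():
    """Minimum distance d of C by brute force; delta = d / n."""
    return min(bin(encode(a) ^ encode(b)).count("1")
               for a in range(M) for b in range(M) if a != b)

def parity(v):
    return bin(v).count("1") & 1

def measure(x, prep_basis, meas_basis, rng):
    """Classical model of measuring H^{prep}|x> qubit-wise in basis meas: where the bases
    agree the outcome is x_i, where they differ it is a uniform bit (conjugate BB84 bases)."""
    out = 0
    for i in range(N):
        bit = 1 << i
        if (prep_basis ^ meas_basis) & bit:
            if rng.random() < 0.5:
                out |= bit
        elif x & bit:
            out |= bit
    return out

def sample_f(ell, rng):
    """Universal class: f(x) = A x over GF(2), A a uniformly random ell x n matrix (rows as bitmasks)."""
    return [rng.getrandbits(N) for _ in range(ell)]

def apply_f(f, x):
    return sum(parity(row & x) << k for k, row in enumerate(f))

def sample_g(ell, rng):
    """Strongly universal class: g(w) = B w + b over GF(2), w written as log2(m) bits."""
    return [rng.getrandbits(len(GEN)) for _ in range(ell)], rng.getrandbits(ell)

def apply_g(g, w):
    rows, b = g
    return sum(parity(row & w) << k for k, row in enumerate(rows)) ^ b

def qid(w_user, w_server, ell, rng):
    """One run of Q-ID; returns True iff S accepts. w_user != w_server models a user who
    does not know the password and runs the protocol with a guess."""
    x = rng.getrandbits(N)                                          # (1) U picks x, sends H^{c(w)}|x>
    x_prime = measure(x, encode(w_user), encode(w_server), rng)     # (2) S measures in basis c(w)
    f = sample_f(ell, rng)                                          # (3) U picks f in F
    g = sample_g(ell, rng)                                          # (4) S picks g in G
    z = apply_f(f, x) ^ apply_g(g, w_user)                          # (5) U sends z = f(x) xor g(w)
    return z == apply_f(f, x_prime) ^ apply_g(g, w_server)          # (6) S checks z = f(x') xor g(w)

def accept_rate(w_user, w_server, ell, trials, seed=1):
    rng = random.Random(seed)
    return sum(qid(w_user, w_server, ell, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("delta = d/n =", min_distance(), "/", N)
    print("honest accept rate:", accept_rate(5, 5, 8, 200))
    print("wrong-password accept rate:", accept_rate(5, 9, 8, 2000), "(about 2^-8)")
```

With the true password the bases coincide, $x' = x$, and S accepts every time; with a wrong guess the outcome $x'$ differs from $x$ in uniformly random bits at the $\ge d$ positions where the two codewords disagree, so $f(x) \oplus f(x')$ is uniform unless $x' = x$, and the acceptance rate settles near $2^{-\ell}$.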
It is easy to see that Q-ID perfectly satisfies correctness. It is unconditionally secure against an arbitrary dishonest user U*.
Theorem 11. Q-ID is $\varepsilon$-secure for the server with $\varepsilon = m^2 \cdot 2^{-\ell}$.

The proof of this claim can be found in the full version [2]. In the BQSM, we
achieve the following security for the user.
Theorem 12. Let S* be a dishonest server whose quantum memory is at most $q$ qubits at Step (3) of Q-ID. Then, for any $0 < \kappa < \delta/4$, Q-ID is $\varepsilon$-secure for the user with
$$\varepsilon = 2^{-\frac12\left((\delta/2 - 2\kappa)n - 1 - q - \ell\right)} + 4\cdot 2^{-\kappa n}.$$
The proof follows quite easily from our new uncertainty relation and vitally
relies on its all-but-one feature. We show the first (and most important) part of
the proof below, the rest of the proof can be found in Appendix A.5. To prove
Theorem 12 we will use the following lemma.
Lemma 13. For any density matrix $\rho$ on $\mathcal{H}_{XYE}$ with classical $X$ and $Y$ and $E$ consisting of $q$ qubits, it holds that
$$H_{\min}(X|YE) \ge H_{\min}(X|Y) - q.$$

The proof of this lemma can be found in the full version [2].

Proof (of Theorem 12). We consider and analyze a purified version of Q-ID where in step (1) instead of sending $H^{c(W)}|X\rangle$ to S for a uniformly distributed $X$, U prepares a fully entangled state $2^{-n/2}\sum_x |x\rangle|x\rangle$ and sends the second register to S while keeping the first. Then, in step (3) when the memory bound has applied, U measures his register in the basis $c(W)$ in order to obtain $X$. Note that this procedure produces exactly the same common state as in the original (non-purified) version of Q-ID. Thus, we may just as well analyze this purified version.
The state of S∗ consists of his initial state and his part of the EPR pairs, and
may include an additional ancilla register. Before the memory bound applies,
S∗ may perform any unitary transformation on his composite system. When
the memory bound is applied (just before step (3) is executed in Q-ID), S∗ has
to measure all but $q$ qubits of his system. Let the classical outcome of this measurement be denoted by $y$, and let $E'$ be the remaining quantum state of at most $q$ qubits. The common state has collapsed to an $(n+q)$-qubit state and depends on $y$; the analysis below holds for any $y$. Next, U measures his $n$-qubit part of the common state in basis $c(W)$; let $X$ denote the classical outcome of this measurement. By our new uncertainty relation (Theorem 7) and subsequently applying the min-entropy chain rule that is given in Lemma 13 (to take the $q$ stored qubits into account) it follows that there exists $W'$, independent of $W$, and an event $\Omega$ that occurs at least with probability $1 - 2\cdot 2^{-\kappa n}$, such that
$$H_{\min}(X|E', W=w, W'=w', \Omega) \ge (\delta/2 - 2\kappa)n - 1 - q$$
for any $w, w'$ such that $w \neq w'$.


It remains to show via privacy amplification that this bound implies the claim,
this is done in Appendix A.5.
Before stating our user-security result in the single-qubit-operations model (SQOM), we briefly introduce this model; the motivations behind the model and its full description are given in [2]. A dishonest server S* in the SQOM may reliably store the $n$-qubit state $|x\rangle_{c(w)} = |x_1\rangle_{c(w)_1} \otimes \cdots \otimes |x_n\rangle_{c(w)_n}$ received in Step (1) of Q-ID. At the end of the scheme, in Step (5), it may choose an arbitrary sequence $\theta = (\theta_1, \ldots, \theta_n)$, where each $\theta_i$ describes an arbitrary orthonormal basis of $\mathbb{C}^2$, and measure each qubit $|x_i\rangle_{c(w)_i}$ in basis $\theta_i$ to observe $y_i \in \{0,1\}$. The choice of $\theta$ may depend on all the classical information gathered during the execution of the scheme, but we assume here a non-adaptive setting where $\theta_i$ does not depend on $y_j$ for $i \neq j$, i.e., S* has to choose all of $\theta$ before performing any measurement. Under these restrictions, we achieve the following security result.
Theorem 14. Let S* be a dishonest server with unbounded quantum storage that is restricted to single-qubit operations, as specified above. Then, for any $0 < \beta < \frac14$, Q-ID is $\varepsilon$-secure for the user with
$$\varepsilon \le \frac12\,2^{-\frac14\left(\frac14 - \beta\right)d} + \frac{m^2}{2}\,2^{\ell}\exp(-2d\beta^2).$$

The proof is quite involved. Since the dishonest server can store all the qubits and
then decide in the end how to measure them, depending on all the information
obtained during the scheme, standard tools like privacy amplification are not
applicable. The proof, which relies on a certain minimum-distance property of
random binary matrices and makes use of Diaconis and Shahshahani’s XOR
inequality [5], can be found in the full version [2].
Acknowledgments. NJB is supported by an NWO Open Competition grant.
CGG is supported by Spanish Grants I-MATH, MTM2008-01366, QUITEMAD
and QUEVADIS. CS is supported by an NWO VENI grant.

References
1. Bhatia, R.: Matrix Analysis. Springer, New York (1997)
2. Bouman, N.J., Fehr, S., González-Guillén, C., Schaffner, C.: An all-but-one entropic
uncertainty relation, and application to password-based identification (2011), full
version http://arxiv.org/abs/1105.6212
An All-But-One Entropic Uncertainty Relation, and Application 39

3. Damgård, I., Fehr, S., Salvail, L., Schaffner, C.: Cryptography in the bounded quantum-storage model. In: 46th Ann. IEEE FOCS, pp. 449–458 (2005); also in SIAM Journal on Computing 37(6), 1865–1890 (2008)
4. Damgård, I.B., Fehr, S., Salvail, L., Schaffner, C.: Secure Identification and QKD
in the Bounded-Quantum-Storage Model. In: Menezes, A. (ed.) CRYPTO 2007.
LNCS, vol. 4622, pp. 342–359. Springer, Heidelberg (2007)
5. Diaconis, P.: Group Representations in Probability and Statistics. Lecture Notes
— Monograph series, vol. 11. Inst. of Math. Stat., Hayward (1988)
6. Kittaneh, F.: Norm inequalities for certain operator sums. Journal of Functional
Analysis 143(2), 337–348 (1997)
7. König, R., Renner, R., Schaffner, C.: The operational meaning of min-and max-
entropy. IEEE Tran. Inf. Th. 55(9), 4337–4347 (2009)
8. Maassen, H., Uffink, J.B.M.: Generalized entropic uncertainty relations. Phys. Rev. Lett. 60(12), 1103–1106 (1988)
9. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information,
1st edn. Cambridge University Press (2000)
10. Renner, R.: Security of Quantum Key Distribution. PhD thesis, ETH Zürich
(Switzerland) (September 2005), http://arxiv.org/abs/quant-ph/0512258
11. Renner, R., König, R.: Universally Composable Privacy Amplification Against
Quantum Adversaries. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 407–425.
Springer, Heidelberg (2005)
12. Schaffner, C.: Cryptography in the Bounded-Quantum-Storage Model. PhD thesis,
University of Aarhus (Denmark) (September 2007)
13. Wehner, S., Winter, A.: Entropic uncertainty relations—a survey. New J. of
Phys. 12(2) (2010)

A Proofs
A.1 A Useful Norm Inequality (Proposition 16)
Before stating the inequality, we recall some basic properties of the operator norm $\|A\| := \sup \|A|\psi\rangle\|$, where the supremum is over all norm-1 vectors $|\psi\rangle \in \mathcal{H}$. First of all, it is easy to see that
$$\left\|\begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix}\right\| = \max\{\|A\|, \|B\|\}.$$
Also, from the fact that $\|A\| = \sup |\langle\psi|A|\varphi\rangle|$, where the supremum is over all norm-1 $|\psi\rangle, |\varphi\rangle \in \mathcal{H}$, it follows that $\|A^*\| = \|A\|$, where $A^*$ is the Hermitian transpose of $A$, and thus that for Hermitian matrices $A$ and $B$:
$$\|AB\| = \|(AB)^*\| = \|B^*A^*\| = \|BA\|.$$
Furthermore, if $A$ is Hermitian then $\|A\| = \lambda_{\max}(A) := \max\{|\lambda_j| : \lambda_j \text{ an eigenvalue of } A\}$. Finally, the operator norm is unitarily invariant, i.e., $\|A\| = \|UAV\|$ for all $A$ and for all unitary $U, V$.
Lemma 15. Any two $n \times n$ matrices $X$ and $Y$ for which the products $XY$ and $YX$ are Hermitian satisfy
$$\|XY\| = \|YX\|.$$
Proof. For any two $n \times n$ matrices $X$ and $Y$, $XY$ and $YX$ have the same eigenvalues, see e.g. [1, Exercise I.3.7]. Therefore, $\|XY\| = \lambda_{\max}(XY) = \lambda_{\max}(YX) = \|YX\|$.

We are now ready to state and prove the norm inequality. We recall that an orthogonal projector $P$ satisfies $P^2 = P$ and $P^* = P$.
Proposition 16. For orthogonal projectors $A_1, A_2, \ldots, A_m$, it holds that
$$\|A_1 + \ldots + A_m\| \le 1 + (m-1)\cdot \max_{1 \le j < k \le m} \|A_j A_k\|.$$

The case m = 2 was proven in [3], adapting a technique by Kittaneh [6]. We


extend the proof to an arbitrary m.

Proof. Defining
$$X := \begin{pmatrix} A_1 & A_2 & \cdots & A_m \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix}
\quad\text{and}\quad
Y := \begin{pmatrix} A_1 & 0 & \cdots & 0 \\ A_2 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ A_m & 0 & \cdots & 0 \end{pmatrix}$$
yields
$$XY = \begin{pmatrix} S & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix}
\quad\text{and}\quad
YX = \begin{pmatrix} A_1 & A_1A_2 & \cdots & A_1A_m \\ A_2A_1 & A_2 & \cdots & A_2A_m \\ \vdots & \vdots & \ddots & \vdots \\ A_mA_1 & A_mA_2 & \cdots & A_m \end{pmatrix}$$
where $S := A_1 + A_2 + \ldots + A_m$ (the diagonal blocks use $A_j^2 = A_j$). The matrix $YX$ can be additively decomposed into $m$ matrices, $YX = D_0 + D_1 + \ldots + D_{m-1}$, where $D_0 = \mathrm{diag}(A_1, \ldots, A_m)$ is the block-diagonal part and, for $i = 1, \ldots, m-1$, $D_i$ contains exactly those blocks $A_jA_k$ of $YX$ with $k - j \equiv i \pmod m$ and zeros elsewhere; the star pattern of $D_i$ is obtained by $i$ cyclic shifts of the block columns of the diagonal pattern.
$XY$ and $YX$ are Hermitian and thus we can apply Lemma 15, giving $\|S\| = \|XY\| = \|YX\|$. Each $D_i$ has a single non-zero block per block row and per block column, so by the unitary invariance of the operator norm (the cyclic shift of block columns is a unitary) $\|D_i\|$ equals the norm of a block-diagonal matrix, i.e. $\|D_0\| = \max_j \|A_j\| \le 1$ and $\|D_i\| = \max_{k-j \equiv i} \|A_jA_k\|$ for $i \ge 1$. Then, by applying the triangle inequality and the fact that $\|A_jA_k\| = \|A_kA_j\|$ for all $j \neq k$ (Hermitian $A_j$, $A_k$), we obtain
$$\|S\| \le \|D_0\| + \sum_{i=1}^{m-1} \|D_i\| \le 1 + (m-1)\cdot \max_{j \neq k} \|A_jA_k\|,$$
the desired statement.
A.2 Proof of Theorem 5
For $j \in [m]$, we define the orthogonal projectors $A_j := \sum_{x \in L_j} |x\rangle_j\langle x|_j$. Using the spectral decomposition of $\rho = \sum_w \lambda_w |\varphi_w\rangle\langle\varphi_w|$ and the linearity of the trace, we have
$$\begin{aligned} \sum_{j\in[m]} Q_j(L_j) &= \sum_{j\in[m]} \mathrm{tr}(A_j\rho) = \sum_{j\in[m]} \sum_w \lambda_w\,\mathrm{tr}(A_j|\varphi_w\rangle\langle\varphi_w|) \\ &= \sum_w \lambda_w \sum_{j\in[m]} \langle\varphi_w|A_j|\varphi_w\rangle = \sum_w \lambda_w \langle\varphi_w|\Big(\sum_{j\in[m]} A_j\Big)|\varphi_w\rangle \\ &\le \Big\|\sum_{j\in[m]} A_j\Big\| \le 1 + (m-1)\cdot \max_{j \neq k \in [m]} \|A_jA_k\|, \end{aligned}$$
where the first inequality uses $\sum_w \lambda_w = 1$ and the last inequality is the norm inequality (Proposition 16 in Appendix A.1).
To conclude, we show that $\|A_jA_k\| \le c\sqrt{|L_j||L_k|}$. Let us fix $j \neq k \in [m]$. Note that by the restriction on the overlap of the family of bases $\{B_j\}_{j\in[m]}$, we have that $|\langle x|_j|y\rangle_k| \le c$ holds for all $x, y \in \{0,1\}^n$. Then, with the sums over $x$ and $y$ understood as over $x \in L_j$ and $y \in L_k$, respectively,
$$\begin{aligned} \|A_jA_k|\psi\rangle\|^2 &= \Big\|\sum_x \sum_y |x\rangle_j\langle x|_j|y\rangle_k\langle y|_k|\psi\rangle\Big\|^2 = \Big\|\sum_x |x\rangle_j \sum_y \langle x|_j|y\rangle_k\langle y|_k|\psi\rangle\Big\|^2 = \sum_x \Big|\sum_y \langle x|_j|y\rangle_k\langle y|_k|\psi\rangle\Big|^2 \\ &\le \sum_x \Big(\sum_y |\langle x|_j|y\rangle_k|\,|\langle y|_k|\psi\rangle|\Big)^2 \le c^2 \sum_x \Big(\sum_y |\langle y|_k|\psi\rangle|\Big)^2 \le c^2\,|L_j|\,|L_k|. \end{aligned}$$
The third equality follows from Pythagoras, the first inequality holds by the triangle inequality, the second inequality by the bound on $|\langle x|_j|y\rangle_k|$, and the last follows from Cauchy-Schwarz. This implies $\|A_jA_k\| \le c\sqrt{|L_j||L_k|}$ and finishes the proof.


A.3 Proof of Corollary 6
For $j \in [m]$ define
$$S^j := \big\{x \in \{0,1\}^n : Q_j(x) \le 2^{-(\delta/2 - \varepsilon)n}\big\}$$
to be the sets of strings with small probabilities and denote by $L_j := \overline{S^j}$ their complements.$^7$ Note that for all $x \in L_j$, we have that $Q_j(x) > 2^{-(\delta/2-\varepsilon)n}$ and therefore $|L_j| < 2^{(\delta/2-\varepsilon)n}$. It follows from Theorem 5 (with $c = 2^{-\delta n/2}$) that
$$\sum_{j\in[m]} Q_j(S^j) = \sum_{j\in[m]} \big(1 - Q_j(L_j)\big) \ge m - \big(1 + (m-1)\cdot 2^{-\varepsilon n}\big) = (m-1) - (m-1)2^{-\varepsilon n}.$$
$^7$ Here's the mnemonic: $S$ for the strings with Small probabilities, $L$ for Large.
We define $E := \{X \in S^J \wedge Q_J(S^J) \ge 2^{-\varepsilon n}\}$ to be the event that $X \in S^J$ and at the same time the probability that this happens is not too small. Then $\Pr[E|J=j] = \Pr[X \in S^j \wedge Q_j(S^j) \ge 2^{-\varepsilon n}\,|\,J=j]$ either vanishes (if $Q_j(S^j) < 2^{-\varepsilon n}$) or else equals $Q_j(S^j)$. In either case, $\Pr[E|J=j] \ge Q_j(S^j) - 2^{-\varepsilon n}$ holds and thus the first claim follows by summing over $j \in [m]$ and using the derivation above. Furthermore, let $p = \max_j P_J(j)$, then
$$\Pr[\bar E] = \sum_{j\in[m]} P_J(j)\Pr[\bar E|J=j] \le p\sum_{j\in[m]} \Pr[\bar E|J=j] \le p\Big(m - \sum_{j\in[m]}\big(Q_j(S^j) - 2^{-\varepsilon n}\big)\Big) \le p\big(1 + (2m-1)\cdot 2^{-\varepsilon n}\big),$$
and $\Pr[E] \ge (1-p) - p(2m-1)\cdot 2^{-\varepsilon n}$.
Regarding the second claim, in case $J = j$, we have
$$H_{\min}(X|J=j, E) = -\log \max_{x \in S^j} \frac{Q_j(x)}{Q_j(S^j)} \ge -\log \frac{2^{-(\delta/2-\varepsilon)n}}{Q_j(S^j)} = (\delta/2 - \varepsilon)n + \log\big(Q_j(S^j)\big).$$
As $Q_j(S^j) \ge 2^{-\varepsilon n}$ by definition of $E$, we have
$$H_{\min}(X|J=j, E) \ge (\delta/2 - 2\varepsilon)n.$$

A.4 Remainder of the Proof of Theorem 7
What remains to prove are the cases where $\alpha \neq 0$. We start with the case $\alpha > 0$. The idea is to "inflate" the event $E$ so that $\alpha$ becomes 0, i.e., to define an event $E'$ that contains $E$ (meaning that $E \implies E'$) so that $\sum_{j\in[m]} \Pr[E'|J=j] = m-1$, and to define $J'$ as in the case $\alpha = 0$ (but now using $E'$). Formally, we define $E'$ as the disjoint union $E' = E \vee E_\circ$ of $E$ and an event $E_\circ$. The event $E_\circ$ is defined by means of $\Pr[E_\circ|E, J=j, X=x] = 0$, so that $E$ and $E_\circ$ are indeed disjoint, and $\Pr[E_\circ|J=j, X=x] = \alpha/m$, so that indeed
$$\sum_{j\in[m]} \Pr[E'|J=j] = \sum_{j\in[m]} \big(\Pr[E|J=j] + \Pr[E_\circ|J=j]\big) = (m-1-\alpha) + \alpha = m-1.$$
We can now apply the analysis of the case $\alpha = 0$ to conclude the existence of $J'$, independent of $J$, such that $J \neq J' \iff E'$ and thus $(J \neq J') \wedge \bar E_\circ \iff E' \wedge \bar E_\circ \iff E$. Setting $\Omega := \bar E_\circ$, it follows that
$$H_{\min}(X|J=j, J \neq J', \Omega) = H_{\min}(X|J=j, E) \ge (\delta/2 - 2\varepsilon)n,$$
where $\Pr[\Omega] = 1 - \Pr[E_\circ] = 1 - \alpha/m \ge 1 - (2m-1)2^{-\varepsilon n}/m \ge 1 - 2\cdot 2^{-\varepsilon n}$. Finally, using similar reasoning as in the case $\alpha = 0$, it follows that the same bound holds for $H_{\min}(X|J=j, J'=j', \Omega)$ whenever $j \neq j'$. This concludes the case $\alpha > 0$.
Finally, we consider the case $\alpha < 0$. The approach is the same as above, but now $E'$ is obtained by "deflating" $E$. Specifically, we define $E'$ by means of $\Pr[E'|\bar E, J=j, X=x] = \Pr[E'|\bar E] = 0$, so that $E'$ is contained in $E$, and $\Pr[E'|E, J=j, X=x] = \Pr[E'|E] = \frac{m-1}{m-1-\alpha}$, so that
$$\sum_{j\in[m]} \Pr[E'|J=j] = \Pr[E'|E]\cdot \sum_{j\in[m]} \Pr[E|J=j] = \frac{m-1}{m-1-\alpha}\cdot(m-1-\alpha) = m-1.$$
Again, from the $\alpha = 0$ case we obtain $J'$, independent of $J$, such that the event $J \neq J'$ is equivalent to the event $E'$. It follows that
$$H_{\min}(X|J=j, J \neq J') = H_{\min}(X|J=j, E') = H_{\min}(X|J=j, E', E) \ge H_{\min}(X|J=j, E) - \log\frac{1}{\Pr[E'|E, J=j]} \ge (\delta/2 - 2\varepsilon)n - 1,$$
where the second equality holds because $E' \implies E$, the first inequality holds because additionally conditioning on $E'$ increases the probabilities of $X$ conditioned on $J=j$ and $E$ by at most a factor $1/\Pr[E'|E, J=j]$, and the last inequality holds by Corollary 6 and because $\Pr[E'|E, J=j] = \frac{m-1}{m-1-\alpha} \ge \frac12$, where the latter holds since $\alpha \ge -1$ and $m \ge 2$. Finally, using similar reasoning as in the previous cases, it follows that the same bound holds for $H_{\min}(X|J=j, J'=j')$ whenever $j \neq j'$. This concludes the proof. □

A.5 Remainder of the Proof of Theorem 12
We will use the following theorem.
Theorem 17 (Privacy amplification, [10,11]). Let $\rho_{XE}$ be a hybrid state with classical $X$. Let $g : \mathcal{R} \times \mathcal{X} \to \{0,1\}^\ell$ be a universal hash function, and let $R$ be uniformly distributed over $\mathcal{R}$, independent of $X$ and $E$. Then $K = g(R, X)$ satisfies
$$d_{\mathrm{unif}}(K|RE) \le \frac12\cdot 2^{-\frac12\left(H_{\min}(X|E) - \ell\right)}.$$
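To see the bound in action on a toy instance, the following Python code (added here; it is not from the paper) computes $d_{\mathrm{unif}}(K|R)$ exactly, with no quantum side information, for $K = F(X)$ where $F$ is uniform over the universal class of all GF(2)-linear maps $\{0,1\}^5 \to \{0,1\}^2$ and $X$ is flat on a constructed support, and compares it with the right-hand side of Theorem 17. The parameters $n = 5$, $\ell = 2$ and the two sources are the example's own choices; with $q$ qubits of side information, Lemma 13 says to subtract $q$ from the min-entropy before applying the bound.

```python
from fractions import Fraction
from itertools import product
from math import log2

def parity(v):
    return bin(v).count("1") & 1

def all_linear_hashes(n, ell):
    """The universal class of all GF(2)-linear maps {0,1}^n -> {0,1}^ell; a function is a
    tuple of ell row bitmasks and output bit k is the inner product <row_k, x>."""
    return list(product(range(1 << n), repeat=ell))

def hash_apply(rows, x):
    return sum(parity(r & x) << k for k, r in enumerate(rows))

def flat_source(support):
    """Constructed source: X uniform on `support`, so H_min(X) = log2(|support|)."""
    p = Fraction(1, len(support))
    return {x: p for x in support}

def min_entropy(px):
    return -log2(max(px.values()))

def dist_to_uniform(px, n, ell):
    """d_unif(K | R) for K = F(X), F = R uniform over the family and E trivial: the average
    over f of the (classical) trace distance between P_{f(X)} and the uniform distribution."""
    family = all_linear_hashes(n, ell)
    unif = Fraction(1, 1 << ell)
    total = Fraction(0)
    for rows in family:
        pk = [Fraction(0)] * (1 << ell)
        for x, p in px.items():
            pk[hash_apply(rows, x)] += p
        total += sum(abs(q - unif) for q in pk) / 2
    return total / len(family)

def pa_bound(h_min, ell):
    """Right-hand side of Theorem 17: (1/2) * 2^{-(H_min - ell)/2}."""
    return 0.5 * 2 ** (-0.5 * (h_min - ell))

if __name__ == "__main__":
    n, ell = 5, 2
    for support in (range(8), range(2)):
        px = flat_source(support)
        d = dist_to_uniform(px, n, ell)
        h = min_entropy(px)
        print(f"H_min={h:.0f}: d_unif={float(d):.4f}  bound={pa_bound(h, ell):.4f}")
```

For the source with $H_{\min}(X) = 3$ the exact distance is $45/256 \approx 0.176$ against a bound of about $0.354$; for the source with $H_{\min}(X) = 1 < \ell$ the distance is $9/16$ while the bound exceeds $1/2$ and is vacuous, which is the regime Theorem 12 avoids by requiring $(\delta/2 - 2\kappa)n - 1 - q$ to be comfortably larger than $\ell$.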
Because U chooses $F$ independently at random from a 2-universal family, privacy amplification guarantees that
$$d_{\mathrm{unif}}(F(X)|E'F, W=w, W'=w') \le \varepsilon' := \frac12\cdot 2^{-\frac12\left((\delta/2 - 2\kappa)n - 1 - q - \ell\right)} + 2\cdot 2^{-\kappa n},$$
for any $w, w'$ such that $w \neq w'$ (the second term accounts for the event $\bar\Omega$, outside of which the min-entropy bound need not hold). Recall that $Z = F(X) \oplus G(W)$. By security of the one-time pad it follows that
$$d_{\mathrm{unif}}(Z|E'FG, W=w, W'=w') \le \varepsilon', \qquad (1)$$

for any $w, w'$ such that $w \neq w'$. To prove the claim, we need to bound
$$\begin{aligned} &\delta\big(\rho_{WW'E|W\neq W'},\ \rho_{W\leftrightarrow W'\leftrightarrow E|W\neq W'}\big) = \tfrac12\big\|\rho_{WW'E'FGZ|W\neq W'} - \rho_{W\leftrightarrow W'\leftrightarrow E'FGZ|W\neq W'}\big\|_1 \\ &\le \tfrac12\big\|\rho_{WW'E'FGZ|W\neq W'} - \rho_{WW'E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I}\big\|_1 + \tfrac12\big\|\rho_{WW'E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I} - \rho_{W\leftrightarrow W'\leftrightarrow E'FGZ|W\neq W'}\big\|_1 \qquad (2) \end{aligned}$$
where the equality follows by definition of trace distance (Definition 2) and the fact that the output state $E$ is obtained by applying a unitary transformation to the set of registers $(E', F, G, W', Z)$. The inequality is the triangle inequality; in the remainder of the proof, we will show that both terms in (2) are upper bounded by $\varepsilon'$.

$$\tfrac12\big\|\rho_{WW'E'FGZ|W\neq W'} - \rho_{WW'E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I}\big\|_1 = \sum_{w \neq w'} P_{WW'|W\neq W'}(w,w')\,d_{\mathrm{unif}}(Z|E'FG, W=w, W'=w') \le \varepsilon',$$
where the latter inequality follows from (1). For the other term, we reason as follows:
$$\begin{aligned} &\tfrac12\big\|\rho_{WW'E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I} - \rho_{W\leftrightarrow W'\leftrightarrow E'FGZ|W\neq W'}\big\|_1 \\ &= \tfrac12 \sum_{w \neq w'} P_{WW'|W\neq W'}(w,w')\,\big\|\rho^{w,w'}_{E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I} - \rho^{w'}_{E'FGZ|W\neq W'}\big\|_1 \\ &= \tfrac12 \sum_{w \neq w'} P_{WW'|W\neq W'}(w,w')\,\Big\|\rho^{w,w'}_{E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I} - \sum_{w'' \neq w'} P_{W|W',W\neq W'}(w''|w')\,\rho^{w'',w'}_{E'FGZ|W\neq W'}\Big\|_1 \\ &= \tfrac12 \sum_{w'} P_{W'|W\neq W'}(w')\,\Big\|\sum_{w \neq w'} P_{W|W',W\neq W'}(w|w')\,\rho^{w,w'}_{E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I} - \sum_{w'' \neq w'} P_{W|W',W\neq W'}(w''|w')\,\rho^{w'',w'}_{E'FGZ|W\neq W'} \sum_{w \neq w'} P_{W|W',W\neq W'}(w|w')\Big\|_1 \\ &= \tfrac12 \sum_{w \neq w'} P_{WW'|W\neq W'}(w,w')\,\big\|\rho^{w,w'}_{E'FG|W\neq W'} \otimes 2^{-\ell}\mathbb{I} - \rho^{w,w'}_{E'FGZ|W\neq W'}\big\|_1 \\ &= \sum_{w \neq w'} P_{WW'|W\neq W'}(w,w')\,d_{\mathrm{unif}}(Z|E'FG, W=w, W'=w') \le \varepsilon', \end{aligned}$$
where the first equality follows by definition of conditional independence and by a basic property of the trace distance; the third and fourth equality follow by linearity of the trace distance. The inequality on the last line follows from (1). This proves the claim.
Optimal Counterfeiting Attacks and Generalizations for Wiesner's Quantum Money

Abel Molina$^{1,\star}$, Thomas Vidick$^{2,\star\star}$, and John Watrous$^{1,\star\star\star}$

$^1$ Institute for Quantum Computing and School of Computer Science, University of Waterloo
$^2$ Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology

Abstract. We present an analysis of Wiesner's quantum money scheme, as well as some natural generalizations of it, based on semidefinite programming. For Wiesner's original scheme, it is determined that the optimal probability for a counterfeiter to create two copies of a bank note from one, where both copies pass the bank's test for validity, is $(3/4)^n$ for $n$ being the number of qubits used for each note. Generalizations in which other ensembles of states are substituted for the one considered by Wiesner are also discussed, including a scheme recently proposed by Pastawski, Yao, Jiang, Lukin, and Cirac, as well as schemes based on higher dimensional quantum systems. In addition, we introduce a variant of Wiesner's quantum money in which the verification protocol for bank notes involves only classical communication with the bank. We show that the optimal probability with which a counterfeiter can succeed in two independent verification attempts, given access to a single valid $n$-qubit bank note, is $(3/4 + \sqrt{2}/8)^n$. We also analyze extensions of this variant to higher-dimensional schemes.

1 Introduction
Wiesner’s protocol for quantum money [36] was a formative idea in quantum
information processing. In this protocol, a bank generates a bank note composed
of n qubits: each qubit is initialized to a state chosen uniformly at random
from the set {|0⟩, |1⟩, |+⟩, |−⟩}, and this choice of states is kept secret by the
bank. The bank can later check the authenticity of a given note by performing a
measurement on each of its qubits, in accordance with its secret record of their
original states. (Each bank note is labeled with a unique serial number, so that all
of the bank notes in circulation may be treated independently.) The security of
Wiesner’s scheme rests on the principle that quantum states cannot be cloned—
that is, a malicious attacker, given access to a fixed supply of authentic bank notes, cannot generate a larger quantity of valid bank notes than those to which he was initially given access.

⋆ Supported by NSERC, MITACS, a Mike and Ophelia Lazaridis Graduate Fellowship, and a David R. Cheriton Graduate Scholarship.
⋆⋆ Supported by the National Science Foundation under Grant No. 0844626.
⋆⋆⋆ Supported by NSERC, CIFAR, and MITACS.

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 45–64, 2013.
© Springer-Verlag Berlin Heidelberg 2013
46 A. Molina, T. Vidick, and J. Watrous

Although Wiesner’s scheme was introduced almost three decades ago, to the
best of our knowledge no rigorous analysis with explicit bounds on the security
of the scheme exists in the literature. The intuition that the scheme’s security
follows from the no-cloning principle appears in [20], and quantitatively one
should be able to obtain exponential security guarantees from results such as
proofs of the security of the BB84 quantum key exchange protocol [6,30,24] or of
uncloneable encryption [17]. In this paper we prove tight bounds on the security
of Wiesner’s quantum money scheme, through a simple and easily extended
argument based on semidefinite programming.
We consider the specific situation in which a counterfeiter, given access to a
single authentic bank note, attempts to create two bank notes having the same
serial number that independently pass the bank’s test for validity. We will call
such attacks simple counterfeiting attacks. Our first main result is the following.

Theorem 1. The optimal simple counterfeiting attack against Wiesner's quantum money scheme has success probability exactly (3/4)^n, where n is the number of qubits in each bank note.¹

Other types of attacks are not analyzed in this paper, but we must note their
existence! For instance, a counterfeiter might use several distinct bank notes
in an attempt to copy one of them, or a counterfeiting attempt might involve
multiple interactions with the bank. By substituting one of two qubits of a Bell
state for each qubit of a bank note, for example, a counterfeiter can succeed in
passing the bank's test for validity with probability 2^{−n}, and then conditioned
on having succeeded the counterfeiter will be guaranteed to hold a second valid
bank note.² One would therefore expect that the bank would charge a small
fee for testing validity, for otherwise counterfeiters have a positive incentive to
attack the protocol. Generally speaking, an analysis of attacks of this nature
would seem to require a limit on the number of verification attempts permitted,
or the specification of a utility function that weighs the potential gain from
counterfeiting against the costs for multiple verifications. We expect that the
semidefinite programming methods used to prove Theorem 1 would be useful for
analyzing such attacks, but we do not investigate this question further in this
paper.
We also consider simple counterfeiting strategies against quantum money
schemes that generalize Wiesner’s original scheme. These are the schemes ob-
tained by varying the set of possible states that a quantum bank note may store,
as well as the underlying probabilities for those states. We show that there is a scheme based on the repetition of a 4-state single-qubit scheme (i.e., having the same structure as Wiesner's) for which the optimal simple counterfeiting attack has success probability (2/3)^n, which is optimal among all schemes of that form. Furthermore, we observe that any money scheme based on the use of d-dimensional bank notes is subject to a simple counterfeiting attack with success probability at least 2/(d + 1), and we describe a scheme for which this is the best one can do.

¹ Wiesner [36] in fact arrived at a similar bound, but through a not-so-rigorous argument!
² Lutomirski [22] considered a related scenario where the bank kindly provides counterfeiters with access to a bank note's post-measurement qubits, regardless of whether validity was established. He proved that O(n) verification attempts are sufficient to break the protocol in this setting.

One drawback of Wiesner’s money scheme is that, not only does it involve
communicating with a centralized bank in order to establish the authenticity
of a given bank note,³ but it also requires quantum communication: bank notes
have to be sent to the bank for verification. Gavinsky [16] recently introduced an
alternative scheme in which bank notes can be authenticated using only classical
communication with the bank.
We consider the following procedure for classical verification of an n-qubit bank note, constructed as in Wiesner's scheme. The bank sends the user a random challenge c ∈ {0, 1}^n. An honest user should measure the i-th qubit in the computational basis if c_i = 0, or in the Hadamard basis if c_i = 1, and send the measurement outcomes b ∈ {0, 1}^n to the bank. The bank validates the bank note if and only if b_i describes the correct outcome whenever c_i corresponds to the basis in which qubit i was encoded, for each i ∈ {1, . . . , n}. (We note that a similar scheme was independently proposed in [28], and that both schemes share the same structure as the protocol originally introduced by Gavinsky [16].)
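As an added illustration (not part of the paper), the following Python simulates the classical-verification exchange just described, with the bank's secret record, the challenge c, the honest user's response b and the bank's acceptance rule. Qubits are not represented as vectors: for the four states used here, measuring in the encoding basis returns the encoded bit with certainty and measuring in the other basis returns a uniformly random bit, which is all the acceptance rule depends on.

```python
# Added example (not from the paper): a classical simulation of the
# challenge-response verification of an n-qubit Wiesner note.
import random
from math import sqrt

# Basis labels follow the text: 0 = computational basis, 1 = Hadamard basis.
COMPUTATIONAL, HADAMARD = 0, 1


def mint_note(n, rng):
    """Bank side: the secret record of an n-qubit note, one (basis, bit) pair
    per qubit. Qubit i is prepared as |bit_i> (basis 0) or H|bit_i> (basis 1)."""
    return [(rng.randrange(2), rng.randrange(2)) for _ in range(n)]


def challenge(n, rng):
    """Bank side: a uniformly random challenge c in {0,1}^n."""
    return [rng.randrange(2) for _ in range(n)]


def honest_response(note, c, rng):
    """User side: measure qubit i in the basis named by c_i and report the
    outcomes b in {0,1}^n. Matching basis -> the encoded bit (Born rule gives
    probability 1); mismatched basis -> a fair coin (|<0|+>|^2 = 1/2)."""
    return [bit if basis == c_i else rng.randrange(2)
            for (basis, bit), c_i in zip(note, c)]


def bank_accepts(note, c, b):
    """Bank side: valid iff b_i equals the encoded bit for every i whose
    challenge c_i names the encoding basis; positions measured in the other
    basis are ignored, since their outcome is independent of the note."""
    if len(b) != len(note) or len(c) != len(note):
        return False
    return all(b_i == bit
               for (basis, bit), c_i, b_i in zip(note, c, b)
               if c_i == basis)


def run_verification(n, rng):
    """One complete exchange: returns (challenge, response, verdict)."""
    note = mint_note(n, rng)
    c = challenge(n, rng)
    b = honest_response(note, c, rng)
    return c, b, bank_accepts(note, c, b)


def honest_pass_rate(n, trials, seed=0):
    """Fraction of honest verifications accepted; with no noise this is 1.0."""
    rng = random.Random(seed)
    return sum(run_verification(n, rng)[2] for _ in range(trials)) / trials


def theorem2_bound(n):
    """Optimal simple counterfeiting probability from Theorem 2: (3/4 + sqrt(2)/8)^n."""
    return (3 / 4 + sqrt(2) / 8) ** n


if __name__ == "__main__":
    rng = random.SystemRandom()
    c, b, ok = run_verification(8, rng)
    print("challenge:", c, "response:", b, "accepted:", ok)
    print("Theorem 2 bound for n = 8:", theorem2_bound(8))
```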
Our second main result is then the following.

Theorem 2. For the classical-verification analogue of Wiesner's quantum money scheme, the optimal simple counterfeiting attack has success probability exactly (3/4 + √2/8)^n, for n being the number of qubits in each bank note.

As for Theorem 1, our proof of Theorem 2 follows from the use of semidefinite
programming techniques. In addition we show that, contrary to the quantum-
verification setting, the classical-verification analogue of Wiesner’s scheme is
optimal as long as one considers only qubits: either changing the bases used to
encode each qubit or increasing the number of possible bases will not improve
the scheme’s security against simple counterfeiting attacks. We also consider
a natural generalization of this scheme to bank notes made of d-dimensional qudits, and prove that the optimal simple counterfeiting attack against it has success probability exactly (3/4 + 1/(4√d))^n.

Related Work. The no-cloning theorem [37] states that there is no perfect quan-
tum cloning machine. This impossibility result relies on two assumptions: that
we are trying to clone all possible states (of a given dimension), and that we are
trying to do so perfectly. Relaxing either or both assumptions opens the way for
a fruitful exploration of the possibility of approximate cloning machines. Most work in this area focuses on obtaining universal cloners—required to work for all possible input states—but that may not be perfect.

³ There has also been work in recent years on creating quantum money schemes that do not require any communication with the bank in order to verify a bank note, but this is only possible under computational assumptions [15,23,1].

To quantify the quality of a cloner, one has to settle on a figure of merit. Two
main figures have been considered: the minimum (or, alternately, the average)
overlap between one of the two output clones with the input state, or the joint
overlap of both output clones with a tensor product of the input state with
itself.⁴ Bužek and Hillery [9] determined the optimal universal qubit cloner in
the first case, while Werner [35] solved the general problem with respect to the
second figure of merit.
In the setting of quantum money, however, the first assumption is also relaxed:
a counterfeiter only needs to be successful in cloning the specific states that are
used to create the bank notes. Work in this direction includes that of Bruß
et al. [8], who determined the optimal cloner for the states used in Wiesner’s
original money scheme, and for the first figure of merit discussed above. While
in this work we consider the second figure of merit, which is the one appropriate
to the context of quantum money, our results can easily be extended to the first.
We use a semidefinite programming formulation of the problem, in which one
can numerically determine the success probability of an optimal cloner, given any
desired possible set of input states and underlying distribution. The connection
between cloning of quantum states and semidefinite programming was observed
by Audenaert and De Moor [5], and has been used in the study of cloning by
other researchers. (See, for instance, the survey of Cerf and Fiurášek [10].) The
formulation that we use is closely related to one used in [26], and can also be
seen as a special case of a semidefinite programming framework for more general
quantum strategies developed in [18].
Recent work of Pastawski et al. [28] contains an analysis of a 6-state variant of
Wiesner’s money scheme, obtaining a tight bound of (2/3)n on optimal simple
counterfeiting attacks. In addition, they show that the scheme can be made
error-tolerant—the bank will accept a bank note as long as say 99% of the qubit
measurements are correct, allowing for the money state to be slightly perturbed
and still undergo a successful authentication.⁵ They also consider a classical-verification variant of the scheme that is similar to (but somewhat less efficient
than) the one we propose, obtaining exponential security guarantees. Pastawski
et al. [28] also show that auxiliary access to the bank’s verification procedure
does not help, provided the only information returned by the bank is a single bit,
indicating success or failure. Intuitively speaking, this situation may be reduced
to one in which the cloner has no access to such a verification oracle simply by
guessing; most verification attempts will result in failure (for otherwise we would
already have a successful cloner), and so the bits returned cannot contain very
much information.

⁴ In both cases, the specific distance measure used can also be varied. For instance, the trace distance and the Hilbert-Schmidt distance on density matrices have been considered.
⁵ Our analysis can also be extended to this setting; see Section 3.4 for more details.

Gavinsky [16] also considers more general attacks against his money scheme
with classical verification. Compared to his scheme, ours (like the one in [28]) is
somewhat simpler. For instance, Gavinsky’s protocol requires the user to perform
two-qubit measurements. We prove stronger security bounds, albeit against more restricted kinds of attacks: Gavinsky obtains security bounds of the form 2^{−n^c} for some constant c < 1.

Aaronson and Christiano [3] consider general types of attacks against quantum
money schemes in a generic setting. They sketch a proof of how it is possible to
obtain protocols secure against a very general class of attacks based on protocols
secure against simple counterfeiting attacks, as analyzed in our paper. (They also
refer to a forthcoming paper by Aaronson [2], which is to include further details
on this argument.)

2 Preliminaries

We assume the reader is familiar with the basics of quantum information theory,
and suggest Nielsen and Chuang [27] to those who are not. The purpose of this
section is to summarize some of the notation and basic concepts we make use of,
and to highlight a couple of concepts that may be less familiar to some readers.
The lecture notes [34] may be helpful to readers interested in further details on
these topics.

2.1 Basic Notation, States, Measurements and Channels

For any finite-dimensional complex Hilbert space 𝒳 we write L(𝒳) to denote the set of linear operators acting on 𝒳, Herm(𝒳) to denote the set of Hermitian operators acting on 𝒳, Pos(𝒳) to denote the set of positive semidefinite operators acting on 𝒳, Pd(𝒳) to denote the set of positive definite operators acting on 𝒳, and D(𝒳) to denote the set of density operators acting on 𝒳. For Hermitian operators A, B ∈ Herm(𝒳) the notations A ≥ B and B ≤ A indicate that A − B is positive semidefinite, and the notations A > B and B < A indicate that A − B is positive definite.
Given operators A, B ∈ L(𝒳), one defines the inner product between A and B as ⟨A, B⟩ = Tr(A* B). For Hermitian operators A, B ∈ Herm(𝒳) it holds that ⟨A, B⟩ is a real number and satisfies ⟨A, B⟩ = ⟨B, A⟩. For every choice of finite-dimensional complex Hilbert spaces 𝒳 and 𝒴, and for a given linear mapping of the form Φ : L(𝒳) → L(𝒴), there is a unique mapping Φ* : L(𝒴) → L(𝒳) (known as the adjoint of Φ) that satisfies ⟨Y, Φ(X)⟩ = ⟨Φ*(Y), X⟩ for all X ∈ L(𝒳) and Y ∈ L(𝒴).
A register is a hypothetical device that stores quantum information. Associated with a register X is a finite-dimensional complex Hilbert space 𝒳, and each quantum state of X is described by a density operator ρ ∈ D(𝒳). Qubits are registers for which dim(𝒳) = 2. A measurement of X is described by a set of positive semidefinite operators {P_a : a ∈ Σ} ⊂ Pos(𝒳), indexed by a finite non-empty set of measurement outcomes Σ and satisfying the constraint ∑_{a∈Σ} P_a = 1_𝒳 (the identity operator on 𝒳). If such a measurement is performed on X while it is in the state ρ, each outcome a ∈ Σ is obtained with probability ⟨P_a, ρ⟩. A quantum channel is a completely positive and trace-preserving linear mapping of the form Φ : L(𝒳) → L(𝒴) that describes a hypothetical physical process that transforms each state ρ of a register X into the state Φ(ρ) of another register Y. The identity channel that does nothing to a register X is denoted 1_{L(𝒳)}.

2.2 Linear Mappings on Spaces of Operators

Let d = dim(𝒳) and assume a fixed orthonormal basis {|1⟩, . . . , |d⟩} of 𝒳 has been selected. With respect to this basis, one defines the Choi-Jamiolkowski operator J(Φ) ∈ L(𝒴 ⊗ 𝒳) of a linear mapping Φ : L(𝒳) → L(𝒴) as

J(\Phi) = \sum_{1 \le i,j \le d} \Phi(|i\rangle\langle j|) \otimes |i\rangle\langle j| .

The mapping J is a linear bijection from the space of mappings of the form Φ : L(𝒳) → L(𝒴) to L(𝒴 ⊗ 𝒳). It is well-known that Φ is completely positive if and only if J(Φ) ∈ Pos(𝒴 ⊗ 𝒳), and that Φ is trace-preserving if and only if Tr_𝒴(J(Φ)) = 1_𝒳 [11,19]. It is also well-known, and easy to verify, that

\langle \phi | \Phi(|\psi\rangle\langle\psi|) | \phi \rangle = \langle \phi \otimes \overline{\psi} | J(\Phi) | \phi \otimes \overline{\psi} \rangle \qquad (1)

for any choice of vectors |ψ⟩ ∈ 𝒳 and |φ⟩ ∈ 𝒴, with complex conjugation taken with respect to the standard basis.

2.3 Semidefinite Programming

Semidefinite programming is a topic that has found several interesting applications within quantum computing and quantum information theory in recent years. Here, we provide just a brief summary of semidefinite programming that is narrowly focused on the aspects of it that we use. More comprehensive discussions can be found in [32,21,12,7], for instance.
A semidefinite program is a triple (Φ, A, B), where

1. Φ : L(𝒳) → L(𝒴) is a Hermiticity-preserving linear mapping, and
2. A ∈ Herm(𝒳) and B ∈ Herm(𝒴) are Hermitian operators,

for some choice of finite-dimensional complex Hilbert spaces 𝒳 and 𝒴. We associate with the triple (Φ, A, B) two optimization problems, called the primal and dual problems, as follows:

Primal problem                     Dual problem
maximize:   ⟨A, X⟩                 minimize:   ⟨B, Y⟩
subject to: Φ(X) = B,              subject to: Φ*(Y) ≥ A,
            X ∈ Pos(𝒳).                        Y ∈ Herm(𝒴).

The optimal primal value of this semidefinite program is

α = sup{⟨A, X⟩ : X ∈ Pos(𝒳), Φ(X) = B},

and the optimal dual value is

β = inf{⟨B, Y⟩ : Y ∈ Herm(𝒴), Φ*(Y) ≥ A}.

(It is to be understood that the supremum over an empty set is −∞ and the infimum over an empty set is ∞, so α and β are well-defined values in R ∪ {−∞, ∞}. In this paper, however, we will only consider semidefinite programs for which α and β are finite.)
It always holds that α ≤ β, which is a fact known as weak duality. The
condition α = β, which is known as strong duality, does not hold for every
semidefinite program, but there are simple conditions known under which it
does hold. The following theorem provides one such condition (that has both a
primal and dual form).

Theorem 3 (Slater's theorem for SDPs). Let (Φ, A, B) be a semidefinite program and let α and β be its optimal primal and dual values.
1. If β is finite and there exists a positive definite operator X ∈ Pd(𝒳) for which Φ(X) = B, then α = β and there exists an operator Y ∈ Herm(𝒴) such that Φ*(Y) ≥ A and ⟨B, Y⟩ = β.
2. If α is finite and there exists a Hermitian operator Y ∈ Herm(𝒴) for which Φ*(Y) > A, then α = β and there exists a positive semidefinite operator X ∈ Pos(𝒳) such that Φ(X) = B and ⟨A, X⟩ = α.

In words, the first item of this theorem states that if the dual problem is feasible
and the primal problem is strictly feasible, then strong duality holds and the
optimal dual solution is achievable. The second item is similar, with the roles of
the primal and dual problems reversed.

3 Wiesner’s Quantum Money and Simple Generalizations


Wiesner's quantum money scheme, and straightforward generalizations of it, may be modeled in the following way. An ensemble of pure quantum states E = {(p_k, |ψ_k⟩) : k = 1, . . . , N} is fixed, and assumed to be known to all (including any would-be counterfeiters). When preparing a bank note, the bank randomly selects each key k ∈ {1, . . . , N} with probability p_k. The bank note's quantum system is initialized to the state |ψ_k⟩, and the note is labeled by a unique serial number. The bank records the serial number along with the secret key k.
When an individual wishes to verify a bank note, she brings it to the bank. The bank looks up the key k and measures the note's quantum state with respect to the projective measurement {Π, 1 − Π}, for Π = |ψ_k⟩⟨ψ_k|. The measurement outcome associated with Π causes the bank note to be declared valid, while the outcome associated with 1 − Π causes the bank note to be declared invalid.
A simple counterfeiting attack against a scheme of the form just described attempts to create two copies of a bank note from one, and is considered to be successful if both copies independently pass the bank's verification procedure.
We take the original bank note's quantum state to be stored in a register X having associated Hilbert space 𝒳. The registers storing the quantum states corresponding to the two copies of the bank note produced by the counterfeiter will be called Y and Z. The Hilbert spaces 𝒴 and 𝒵 associated with these registers are taken to be isomorphic to 𝒳, but will retain distinct names for the sake of our analysis.
Mathematically speaking, a simple counterfeiting attack is described by a quantum channel Φ transforming X to (Y, Z), taking the state ρ ∈ D(𝒳) to the state Φ(ρ) ∈ D(𝒴 ⊗ 𝒵). In order to be physically realizable, at least in an idealized sense, the channel Φ must correspond to a completely positive and trace preserving linear mapping of the form Φ : L(𝒳) → L(𝒴 ⊗ 𝒵). Conditioned on the bank having chosen the key k, the probability of success for an attack described by Φ is given by ⟨ψ_k ⊗ ψ_k| Φ(|ψ_k⟩⟨ψ_k|) |ψ_k ⊗ ψ_k⟩. Averaging over the possible choices of k, the overall success probability of a counterfeiting attack is

\sum_{k=1}^{N} p_k \, \langle \psi_k \otimes \psi_k | \Phi(|\psi_k\rangle\langle\psi_k|) | \psi_k \otimes \psi_k \rangle . \qquad (2)

3.1 An SDP Formulation of Simple Counterfeiting Attacks


We now describe how the optimal success probability of a counterfeiting strategy, which is represented by the supremum of the probability (2) over all valid channels Φ : L(𝒳) → L(𝒴 ⊗ 𝒵), may be represented by a semidefinite program. A similar semidefinite programming formulation may be found in [5,10,26], for instance.
The formulation makes use of the Choi-Jamiolkowski representation J(Φ) of a given channel Φ, as described in Section 2. Combining the characterization of all such representations that correspond to quantum channels given there together with (1) and the expression (2), it is not hard to see that the optimal success probability of any simple counterfeiting strategy is given by the following semidefinite program:

Primal problem                                  Dual problem
maximize:   ⟨Q, X⟩                              minimize:   Tr(Y)
subject to: Tr_{𝒴⊗𝒵}(X) = 1_𝒳                   subject to: 1_{𝒴⊗𝒵} ⊗ Y ≥ Q
            X ∈ Pos(𝒴 ⊗ 𝒵 ⊗ 𝒳)                              Y ∈ Herm(𝒳)

where

Q = \sum_{k=1}^{N} p_k \, | \psi_k \otimes \psi_k \otimes \overline{\psi_k} \rangle\langle \psi_k \otimes \psi_k \otimes \overline{\psi_k} | .

(The dual problem is obtained from the primal problem in a routine way, as described in Section 2.)


Because the primal and dual problems are both strictly feasible (as follows
by taking X and Y to be appropriately chosen multiples of the identity, for
example), it follows from Theorem 3 that the optimal values for the primal and
dual problems are always equal, and are both achieved by feasible choices for X
and Y .

3.2 Analysis of Wiesner’s Original Scheme (Single-Qubit Case)

To analyze Wiesner's original quantum money scheme, we begin by considering the single-qubit (or n = 1) case. The analysis of the scheme for arbitrary values of n will follow from known results concerning product properties of semidefinite programs, as is described later in Section 3.4.
In the single-qubit case, Wiesner's quantum money scheme corresponds to the ensemble

E = \bigl\{ (\tfrac14, |0\rangle),\ (\tfrac14, |1\rangle),\ (\tfrac14, |+\rangle),\ (\tfrac14, |-\rangle) \bigr\},

which yields the operator

Q = \frac{1}{4} \bigl( |000\rangle\langle 000| + |111\rangle\langle 111| + |{+}{+}{+}\rangle\langle {+}{+}{+}| + |{-}{-}{-}\rangle\langle {-}{-}{-}| \bigr)

in the semidefinite programming formulation described above. We claim that the optimal value of the semidefinite program in this case is equal to 3/4. To prove this claim, it is sufficient to exhibit explicit primal and dual feasible solutions achieving the value 3/4. For the primal problem, the value 3/4 is obtained by the solution X = J(Φ), for Φ being the channel

\Phi(\rho) = A_0 \rho A_0^* + A_1 \rho A_1^*,

where

A_0 = \frac{1}{\sqrt{12}} \begin{pmatrix} 3 & 0 \\ 0 & 1 \\ 0 & 1 \\ 1 & 0 \end{pmatrix} \quad\text{and}\quad A_1 = \frac{1}{\sqrt{12}} \begin{pmatrix} 0 & 1 \\ 1 & 0 \\ 1 & 0 \\ 0 & 3 \end{pmatrix}.

For the dual problem, the value 3/4 is obtained by the solution Y = (3/8) 1_𝒳, whose feasibility may be verified by computing ‖Q‖ = 3/8.

3.3 Optimal Single-Qubit Schemes

It is natural to ask if the security of Wiesner's original scheme can be improved through the selection of a different ensemble E in place of the one considered in the previous section. The answer is "yes," as follows from our analysis of Wiesner's original scheme together with the results of [28], wherein the authors consider the ensemble

E = \Bigl\{ \bigl(\tfrac16, |0\rangle\bigr),\ \bigl(\tfrac16, |1\rangle\bigr),\ \bigl(\tfrac16, |+\rangle\bigr),\ \bigl(\tfrac16, |-\rangle\bigr),\ \bigl(\tfrac16, \tfrac{|0\rangle + i|1\rangle}{\sqrt{2}}\bigr),\ \bigl(\tfrac16, \tfrac{|0\rangle - i|1\rangle}{\sqrt{2}}\bigr) \Bigr\}.


The operator Q that one obtains is given by

Q = \frac{1}{\operatorname{rank}(\Pi)} \bigl( \mathbb{1}_{L(\mathcal{Y})} \otimes \mathbb{1}_{L(\mathcal{Z})} \otimes T \bigr)(\Pi) \qquad (3)

for Π being the projection onto the symmetric subspace of 𝒴 ⊗ 𝒵 ⊗ 𝒳 and T being the transposition mapping with respect to the standard basis of 𝒳.
The optimal value of the corresponding semidefinite program is 2/3. Indeed, a primal feasible solution achieving the value 2/3 is given by X = J(Φ) for Φ being the channel

\Phi(\rho) = A_0 \rho A_0^* + A_1 \rho A_1^*,

where

A_0 = \frac{1}{\sqrt{6}} \begin{pmatrix} 2 & 0 \\ 0 & 1 \\ 0 & 1 \\ 0 & 0 \end{pmatrix} \quad\text{and}\quad A_1 = \frac{1}{\sqrt{6}} \begin{pmatrix} 0 & 0 \\ 1 & 0 \\ 1 & 0 \\ 0 & 2 \end{pmatrix}.

(This channel is the optimal qubit cloner of Bužek and Hillery [9].) A dual feasible solution achieving the bound 2/3 is given by Y = (1/3) 1_𝒳 (with this solution's feasibility following from a calculation of ‖Q‖ = 1/3).
It is interesting to note that the same bound 2/3 can be obtained by a four-state ensemble

E = \bigl\{ (\tfrac14, |\tau_1\rangle),\ (\tfrac14, |\tau_2\rangle),\ (\tfrac14, |\tau_3\rangle),\ (\tfrac14, |\tau_4\rangle) \bigr\},

where {|τ_1⟩, . . . , |τ_4⟩} are any four states forming a single qubit SIC-POVM [29]. The operator Q corresponding to any such ensemble is identical to the one (3) from the six-state ensemble above, and therefore yields the same optimal value for the semidefinite program.
The schemes just mentioned are the best possible single qubit schemes. To see this, one may simply consider the performance of Φ (i.e., the Bužek–Hillery cloner), for which it follows by a direct calculation that

\langle \psi \otimes \psi | \Phi(|\psi\rangle\langle\psi|) | \psi \otimes \psi \rangle = \frac{2}{3}

for every state |ψ⟩. This shows that the optimal primal value, and therefore the optimal counterfeiting probability, is always at least 2/3.
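The following Python, added here and not part of the paper, checks the two explicit Kraus-operator channels of Sections 3.2 and 3.3 against the objective (2): it confirms that each is trace preserving, that the Section 3.2 channel reaches 3/4 on Wiesner's ensemble, that the Bužek–Hillery cloner reaches 2/3 on every state, and (going slightly beyond the text) that the Section 3.2 channel does worse than 2/3 on the six-state ensemble. Only the standard library is used; vectors on 𝒴 ⊗ 𝒵 are listed in the order |00⟩, |01⟩, |10⟩, |11⟩.

```python
# Added example (not from the paper): evaluating the success probability (2)
# for the explicit channels Phi(rho) = A_0 rho A_0^* + A_1 rho A_1^* given in
# Sections 3.2 and 3.3, using only the Python standard library.
from math import sqrt

# Kraus operators of the optimal attack on Wiesner's scheme (Section 3.2):
# 4x2 real matrices (rows: basis of Y (x) Z, columns: basis of X), common
# factor 1/sqrt(12) kept separately.
WIESNER_KRAUS = ([[3, 0], [0, 1], [0, 1], [1, 0]],
                 [[0, 1], [1, 0], [1, 0], [0, 3]])
WIESNER_SCALE = 1 / sqrt(12)

# Kraus operators of the Buzek-Hillery cloner (Section 3.3), factor 1/sqrt(6).
BH_KRAUS = ([[2, 0], [0, 1], [0, 1], [0, 0]],
            [[0, 0], [1, 0], [1, 0], [0, 2]])
BH_SCALE = 1 / sqrt(6)

KET0, KET1 = [1, 0], [0, 1]
PLUS, MINUS = [1 / sqrt(2), 1 / sqrt(2)], [1 / sqrt(2), -1 / sqrt(2)]
PLUS_I, MINUS_I = [1 / sqrt(2), 1j / sqrt(2)], [1 / sqrt(2), -1j / sqrt(2)]

# The ensembles E of Section 3.2 (p_k = 1/4) and Section 3.3 (p_k = 1/6).
WIESNER_ENSEMBLE = [(1 / 4, s) for s in (KET0, KET1, PLUS, MINUS)]
SIX_STATE_ENSEMBLE = [(1 / 6, s)
                      for s in (KET0, KET1, PLUS, MINUS, PLUS_I, MINUS_I)]


def apply_kraus(A, scale, psi):
    """scale * A |psi>: one (unnormalised) branch of the output in Y (x) Z."""
    return [scale * (A[r][0] * psi[0] + A[r][1] * psi[1]) for r in range(4)]


def tensor(u, v):
    """|u> (x) |v> for two qubit vectors."""
    return [a * b for a in u for b in v]


def inner(u, v):
    """<u|v>, conjugating the first argument."""
    return sum(complex(a).conjugate() * b for a, b in zip(u, v))


def success_probability(kraus, scale, psi):
    """<psi (x) psi| Phi(|psi><psi|) |psi (x) psi>.  Since Phi(|psi><psi|) is
    sum_i |a_i><a_i| with |a_i> = A_i|psi>, this equals sum_i |<psi (x) psi|a_i>|^2."""
    target = tensor(psi, psi)
    return sum(abs(inner(target, apply_kraus(A, scale, psi))) ** 2
               for A in kraus)


def ensemble_success(kraus, scale, ensemble):
    """Expression (2): the success probability averaged over the ensemble."""
    return sum(p * success_probability(kraus, scale, psi)
               for p, psi in ensemble)


def is_trace_preserving(kraus, scale, tol=1e-12):
    """Check sum_i A_i^* A_i = 1_X (the matrices here are real, so no
    conjugation is needed); this is the condition for Phi to be a channel."""
    for i in range(2):
        for j in range(2):
            entry = scale * scale * sum(A[r][i] * A[r][j]
                                        for A in kraus for r in range(4))
            if abs(entry - (1 if i == j else 0)) > tol:
                return False
    return True


if __name__ == "__main__":
    print("Section 3.2 channel on Wiesner's ensemble:",
          ensemble_success(WIESNER_KRAUS, WIESNER_SCALE, WIESNER_ENSEMBLE))
    print("Buzek-Hillery cloner on the six-state ensemble:",
          ensemble_success(BH_KRAUS, BH_SCALE, SIX_STATE_ENSEMBLE))
    print("Section 3.2 channel on the six-state ensemble:",
          ensemble_success(WIESNER_KRAUS, WIESNER_SCALE, SIX_STATE_ENSEMBLE))
```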

3.4 Parallel Repetitions of Generalized Wiesner Schemes


Wiesner's original scheme may be viewed as the n-fold parallel repetition of a scheme wherein the spaces 𝒳, 𝒴, and 𝒵 each represent a single qubit, and where the initial state of each bank note is a state chosen uniformly from the set {|0⟩, |1⟩, |+⟩, |−⟩}. That is, the preparation and verification of each n-qubit bank note is, from the bank's perspective, equivalent to the independent preparation and verification of n single-qubit bank notes; and a successful counterfeiting attack is equivalent to a successful counterfeiting attack against all n of the single-qubit notes. The value of n plays the role of a security parameter, given that it becomes increasingly hard to successfully counterfeit n single-qubit bank notes in a row, without failure, as n grows large.
Now, there is nothing that forces a counterfeiter to attempt to counterfeit an
n-qubit bank note by treating each of its n qubits independently. However, it
is easily concluded from the semidefinite programming formulation above that
a counterfeiter gains no advantage whatsoever by correlating multiple qubits
during an attack. This, in fact, is true for arbitrary choices of the ensemble E,
as follows from a general result of Mittal and Szegedy [25] regarding product
properties of some semidefinite programs. (In our case, this property follows
from the fact that the operator Q defining the objective function in the primal
problem is always positive semidefinite.)
In greater detail, let us consider the n-fold repetition of a scheme, in which a single repetition of the scheme gives rise to a semidefinite program determined by Q ∈ Pos(𝒴 ⊗ 𝒵 ⊗ 𝒳). Let us write 𝒳_j, 𝒴_j, and 𝒵_j to denote copies of the spaces 𝒳, 𝒴, and 𝒵 that represent the j-th repetition of the scheme, for j = 1, . . . , n, and let us write 𝒳^{⊗n} = 𝒳_1 ⊗ · · · ⊗ 𝒳_n, 𝒴^{⊗n} = 𝒴_1 ⊗ · · · ⊗ 𝒴_n, and 𝒵^{⊗n} = 𝒵_1 ⊗ · · · ⊗ 𝒵_n. The semidefinite program that describes the optimal simple counterfeiting attack probability for the n-fold repetition is as follows:

Primal problem
maximize:   ⟨W Q^{⊗n} W*, X⟩
subject to: Tr_{𝒴^{⊗n} ⊗ 𝒵^{⊗n}}(X) = 1_{𝒳^{⊗n}}
            X ∈ Pos(𝒴^{⊗n} ⊗ 𝒵^{⊗n} ⊗ 𝒳^{⊗n})

Dual problem
minimize:   Tr(Y)
subject to: 1_{𝒴^{⊗n} ⊗ 𝒵^{⊗n}} ⊗ Y ≥ W Q^{⊗n} W*
            Y ∈ Herm(𝒳^{⊗n})

In this semidefinite program, W is a unitary operator representing a permutation of Hilbert spaces:

W |(y_1 ⊗ z_1 ⊗ x_1) ⊗ · · · ⊗ (y_n ⊗ z_n ⊗ x_n)⟩ = |(y_1 ⊗ · · · ⊗ y_n) ⊗ (z_1 ⊗ · · · ⊗ z_n) ⊗ (x_1 ⊗ · · · ⊗ x_n)⟩,

for all choices of |x_j⟩ ∈ 𝒳_j, |y_j⟩ ∈ 𝒴_j, and |z_j⟩ ∈ 𝒵_j, for j = 1, . . . , n.
If the optimal value of the semidefinite program is α in the single-repetition case, then the optimal value of the semidefinite program for the n-fold repetition case is necessarily α^n. This may be proved by considering the primal and dual solutions

X = W(X_1 ⊗ · · · ⊗ X_n)W*  and  Y = Y_1 ⊗ · · · ⊗ Y_n,

for X_1, . . . , X_n being optimal primal solutions and Y_1, . . . , Y_n being optimal dual solutions for the single-repetition semidefinite program. The values obtained by these solutions are both α^n. Primal feasibility of X is straightforward, while dual feasibility of Y follows from the fact that A ≥ B ≥ 0 implies A^{⊗n} ≥ B^{⊗n} for all positive semidefinite A and B.

3.5 Threshold Results


One may also consider noise-tolerant variants of Wiesner's scheme, as was done in [28]. In the setting discussed in the previous subsection, where n repetitions of a particular scheme are performed, we may suppose that the bank's verification procedure declares a bank note valid whenever at least t out of n repetitions succeed, for some choice of t < n, as opposed to requiring that all n repetitions succeed.
One might hope that a similar analysis to the one in the previous subsection leads to an optimal counterfeiting probability of

\sum_{t \le j \le n} \binom{n}{j} \alpha^j (1 - \alpha)^{n-j} \qquad (4)

for such a scheme, for α being the optimal counterfeiting probability for a single repetition. This is the probability of successful counterfeiting when each repetition is attacked independently. In general, however, this bound may not be correct: the main result of [26] demonstrates a related setting in which an analogous bound does not hold, and explains the obstacle to obtaining such a bound in general.
However, for some schemes, including Wiesner's original scheme and all of the other specific schemes (including the classical verification ones in Section 4.2) discussed in this paper, this bound will be correct. Letting d = dim(𝒳), the specific assumptions that we require to obtain the bound (4) are that

\sum_{k=1}^{N} p_k |\psi_k\rangle\langle\psi_k| = \frac{1}{d} \mathbb{1}, \qquad (5)

and that Y = (α/d) 1_𝒳 is an optimal dual solution to the single-repetition semidefinite program (from which it follows that ‖Q‖ = α/d).
To prove that these requirements are sufficient, let us introduce the following notation. We will write Q_1 in place of Q to denote the operator that specifies the semidefinite program representing a successful counterfeiting attack, and we will also define

Q_0 = \sum_{k=1}^{N} p_k \bigl( \mathbb{1}_{\mathcal{Y} \otimes \mathcal{Z}} - |\psi_k \otimes \psi_k\rangle\langle \psi_k \otimes \psi_k| \bigr) \otimes |\overline{\psi_k}\rangle\langle \overline{\psi_k}| ,

which has a complementary relationship to Q_1; it represents a failure to counterfeit in a given repetition. The semidefinite program describing the optimal counterfeiting probability for the n-fold repetition scheme, where successes in t repetitions are required for a validation, is then as follows:

Primal problem
maximize:   ⟨W R W*, X⟩
subject to: Tr_{𝒴^{⊗n} ⊗ 𝒵^{⊗n}}(X) = 1_{𝒳^{⊗n}}
            X ∈ Pos(𝒴^{⊗n} ⊗ 𝒵^{⊗n} ⊗ 𝒳^{⊗n})

Dual problem
minimize:   Tr(Y)
subject to: 1_{𝒴^{⊗n} ⊗ 𝒵^{⊗n}} ⊗ Y ≥ W R W*
            Y ∈ Herm(𝒳^{⊗n})

where

R = \sum_{\substack{a_1, \ldots, a_n \in \{0,1\} \\ a_1 + \cdots + a_n \ge t}} Q_{a_1} \otimes \cdots \otimes Q_{a_n} .

To prove that the optimal value of this semidefinite program is given by the ex-
pression (4), it suffices to exhibit primal and dual feasible solutions achieving this
value. As for the standard n-fold repetition case described in the previous sub-
section, it holds that X = W (X1 ⊗ · · ·⊗ Xn )W ∗ is a primal feasible solution that
achieves the desired value, where again X1 , . . . , Xn are optimal primal solutions
to the single-repetition semidefinite program. (This solution simply corresponds
to an attacker operating independently and optimally in each repetition.) For
the dual problem, we take

Y = \|R\| \, \mathbb{1}_{\mathcal{X}^{\otimes n}},

which is clearly dual-feasible. The condition (5) implies that

Q_0 = \frac{1}{d} \mathbb{1}_{\mathcal{Y} \otimes \mathcal{Z} \otimes \mathcal{X}} - Q_1,

and a consideration of spectral decompositions of the commuting operators Q_0 and Q_1 reveals that

\|R\| = \frac{1}{d^n} \sum_{t \le j \le n} \binom{n}{j} \alpha^j (1 - \alpha)^{n-j},

which establishes the required bound.
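As an added computation (not part of the paper), the following Python evaluates the threshold bound (4) exactly for Wiesner's scheme (α = 3/4) and checks the uniform-mixture condition (5) for its single-qubit ensemble, the condition under which the text applies (4) to that scheme; the non-uniform two-state ensemble used as a counterexample is constructed here for contrast.

```python
# Added example (not from the paper): the threshold bound (4) as an exact
# fraction, and a numerical check of condition (5) on a given ensemble.
from fractions import Fraction
from math import comb, sqrt


def threshold_bound(alpha, n, t):
    """Expression (4): sum_{t<=j<=n} C(n,j) alpha^j (1-alpha)^(n-j), the
    success probability when each of n repetitions is attacked independently
    and the bank accepts a note with at least t successful repetitions."""
    if not 0 <= t <= n:
        raise ValueError("need 0 <= t <= n")
    return sum(comb(n, j) * alpha ** j * (1 - alpha) ** (n - j)
               for j in range(t, n + 1))


def wiesner_threshold_bound(n, t):
    """Bound (4) for Wiesner's scheme, whose single-repetition value is alpha = 3/4."""
    return threshold_bound(Fraction(3, 4), n, t)


def uniform_mixture_holds(ensemble, d, tol=1e-12):
    """Condition (5): sum_k p_k |psi_k><psi_k| = (1/d) 1.  States are lists of
    d complex amplitudes; the comparison is entrywise within tolerance."""
    for i in range(d):
        for j in range(d):
            entry = sum(p * psi[i] * complex(psi[j]).conjugate()
                        for p, psi in ensemble)
            if abs(entry - (1 / d if i == j else 0)) > tol:
                return False
    return True


# Wiesner's single-qubit ensemble (Section 3.2), built here for the check.
WIESNER_ENSEMBLE = [(1 / 4, s) for s in ([1, 0], [0, 1],
                                         [1 / sqrt(2), 1 / sqrt(2)],
                                         [1 / sqrt(2), -1 / sqrt(2)])]

# A constructed ensemble that violates (5): |0> and |+> with probability 1/2 each.
SKEWED_ENSEMBLE = [(1 / 2, [1, 0]), (1 / 2, [1 / sqrt(2), 1 / sqrt(2)])]


if __name__ == "__main__":
    print("(5) holds for Wiesner's ensemble:", uniform_mixture_holds(WIESNER_ENSEMBLE, 2))
    print("(5) holds for the skewed ensemble:", uniform_mixture_holds(SKEWED_ENSEMBLE, 2))
    for t in (100, 99, 95, 90):
        print(f"n = 100, t = {t}: {float(wiesner_threshold_bound(100, t)):.3e}")
```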

3.6 Optimal Schemes in Higher Dimensions


We have observed that the best single-qubit variant of Wiesner's quantum money scheme has an optimal counterfeiting probability of 2/3, and we know that the n-fold parallel repetition of this scheme has an optimal counterfeiting probability of (2/3)^n. Thus, bank notes storing a quantum state of dimension d = 2^n can have an optimal counterfeiting probability of (2/3)^n. It is natural to ask whether one can do better, using a scheme that is not given by the n-fold parallel repetition of a single qubit scheme.
The answer is that there are better schemes (provided n > 1). More generally,
for every d representing the dimension of the state stored by a quantum bank
note, there exist schemes whose optimal counterfeiting probability is equal to
2/(d + 1), which is the best that is possible: Werner’s quantum cloning map
[35] will always succeed in counterfeiting any quantum bank note of dimension
d with probability 2/(d + 1). The following proposition shows that there exists
a scheme that matches this bound in all dimensions d.
Proposition 1. Let $\mathcal{E} = \{p_k, |\psi_k\rangle\}$ be any ensemble of $d$-dimensional states for which the operator
$$Q = \sum_{k=1}^{N} p_k\, \big|\psi_k \otimes \psi_k \otimes \overline{\psi_k}\big\rangle\big\langle \psi_k \otimes \psi_k \otimes \overline{\psi_k}\big|$$
is given by
$$Q = \frac{1}{\operatorname{rank}(\Pi)}\,\big(\mathbb{1}_{L(\mathbb{C}^d)} \otimes \mathbb{1}_{L(\mathbb{C}^d)} \otimes T\big)(\Pi), \tag{6}$$
where $T$ is the transposition mapping with respect to the standard basis of $\mathbb{C}^d$ and $\Pi$ is the orthogonal projector onto the symmetric subspace of $\mathbb{C}^d \otimes \mathbb{C}^d \otimes \mathbb{C}^d$. Then no simple counterfeiting strategy can succeed against the money scheme derived from $\mathcal{E}$ with probability greater than $2/(d+1)$.
Before proving the proposition, we note that any ensemble $\mathcal{E}$ obtained from a complex projective $(3,3)$-design (also known as a quantum 3-design [4]) satisfies (6), and thus leads to an optimal $d$-dimensional money scheme. This also suggests that one might obtain more efficient schemes (i.e., involving fewer possible states for each part of the note) with security properties similar to the ones described here if approximate designs are considered instead.
Proof (of Proposition 1). Because we are looking for an upper bound on the maximum counterfeiting probability, it suffices to construct a good feasible solution $Y$ to the dual SDP described in Section 3.1. We will choose $Y = \|Q\|\,\mathbb{1}_{\mathcal{X}}$, which is a feasible dual solution with corresponding objective value $\operatorname{Tr}(Y) = d\|Q\|$. We indicate how results from [13] may be used to show that $\|Q\| = 2/(d(d+1))$, proving the proposition.

The operator $Q$ commutes with all operators of the form $U \otimes U \otimes U$, where $U$ is any unitary acting on $\mathbb{C}^d$. In Section VI.A of [13] it is shown that any such operator can be written as a linear combination of six conveniently chosen Hermitian operators $S_+, S_-, S_0, S_1, S_2, S_3$ (for a definition see Eqs. (25a)–(25f) of [13]). For our operator $Q$ we obtain the decomposition
$$Q = \frac{1}{\operatorname{rank}(\Pi)}\Big(\frac{1}{3}\, S_+ + \frac{d+2}{6}\,(S_0 + S_1)\Big), \tag{7}$$
where
$$S_+ = \frac{\mathbb{1}+V}{2} - \frac{1}{2(d+1)}\big(X + XV + VX + VXV\big), \qquad S_0 + S_1 = \frac{1}{d+1}\big(X + XV + VX + VXV\big),$$
$V$ is the operator that permutes the first two registers on which $Q$ acts, and $X$ the partial transpose of the operator permuting the last two registers. Moreover, as shown in [13], $S_+$ and $S_0$ are mutually orthogonal projections, $S_0 S_1 = S_1 S_0 = S_1$, $S_+ S_1 = S_1 S_+ = 0$, and $S_1^2 = S_0$. In particular $S_1$ restricted to the range of $S_0$ is a Hermitian involution, so $S_0 + S_1$ has largest eigenvalue $2$, and the decomposition (7) shows that the operator norm of $Q$ satisfies
$$\|Q\| = \frac{1}{\operatorname{rank}(\Pi)}\cdot\frac{d+2}{3} = \frac{2}{d(d+1)},$$
as $\operatorname{rank}(\Pi) = \binom{d+2}{3}$.
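The dual certificate used in this proof can be checked numerically in small dimension. The following is an added example (not code from the paper; it assumes numpy is available): it builds $Q$ with the third register conjugated, as in (6), for two constructed qubit ensembles, the six single-qubit stabilizer states (whose Bloch vectors form an octahedron, a 3-design, so (6) holds) and the four BB84 states of Wiesner's original scheme (not a 3-design). It tests condition (6) directly against the partially transposed symmetric projector and evaluates the dual objective $d\|Q\|$: this is $2/(d+1) = 2/3$ for the design, and for the BB84 ensemble the same certificate gives $3/4$.

```python
import itertools
import numpy as np


def ket(*amps):
    v = np.array(amps, dtype=complex)
    return v / np.linalg.norm(v)


# Constructed ensembles (uniform weights). The six stabilizer states are a qubit
# 3-design; the four BB84 states of Wiesner's original scheme are not.
STABILIZER_STATES = [ket(1, 0), ket(0, 1), ket(1, 1), ket(1, -1), ket(1, 1j), ket(1, -1j)]
BB84_STATES = [ket(1, 0), ket(0, 1), ket(1, 1), ket(1, -1)]


def counterfeiting_operator(states, probs=None):
    """Q = sum_k p_k |psi_k psi_k conj(psi_k)><psi_k psi_k conj(psi_k)|.
    The third register is conjugated, matching the transposition T in (6)."""
    probs = probs or [1.0 / len(states)] * len(states)
    dim = len(states[0])
    Q = np.zeros((dim ** 3, dim ** 3), dtype=complex)
    for p, psi in zip(probs, states):
        v = np.kron(np.kron(psi, psi), psi.conj())
        Q += p * np.outer(v, v.conj())
    return Q


def permutation_operator(perm, d):
    """Unitary on (C^d)^{(x)n} that moves register i to position perm[i]."""
    n = len(perm)
    P = np.zeros((d ** n, d ** n))
    for idx in itertools.product(range(d), repeat=n):
        out = [0] * n
        for i, a in enumerate(idx):
            out[perm[i]] = a
        P[np.ravel_multi_index(tuple(out), (d,) * n), np.ravel_multi_index(idx, (d,) * n)] = 1.0
    return P


def symmetric_projector(d, n=3):
    """Projector Pi onto the symmetric subspace: average of all register permutations."""
    perms = list(itertools.permutations(range(n)))
    return sum(permutation_operator(p, d) for p in perms) / len(perms)


def partial_transpose_last(op, d, n=3):
    """(1 (x) 1 (x) T)(op): transpose the last of n d-dimensional registers."""
    t = op.reshape((d,) * (2 * n))
    return np.swapaxes(t, n - 1, 2 * n - 1).reshape(d ** n, d ** n)


def operator_norm(herm):
    return float(np.abs(np.linalg.eigvalsh(herm)).max())


def satisfies_design_formula(states, tol=1e-9):
    """Condition (6): is Q equal to (1 (x) 1 (x) T)(Pi) / rank(Pi)?"""
    d = len(states[0])
    Pi = symmetric_projector(d)
    rank = int(round(np.trace(Pi).real))          # rank(Pi) = C(d+2, 3)
    Q = counterfeiting_operator(states)
    return bool(np.allclose(Q, partial_transpose_last(Pi, d) / rank, atol=tol))


def dual_bound(states):
    """Tr(Y) for the dual solution Y = ||Q|| 1: an upper bound on the success
    probability of any simple counterfeiting strategy against the ensemble."""
    d = len(states[0])
    return d * operator_norm(counterfeiting_operator(states))
```

For the stabilizer ensemble `dual_bound` returns $2/3$ and `satisfies_design_formula` is true, so the certificate $Y = \|Q\|\mathbb{1}$ reaches the $2/(d+1)$ value of the proposition; for the BB84 states the design condition fails and the same certificate only gives $3/4$.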

4 Money Schemes with Classical Verification


In this section we introduce a natural variant of Wiesner's scheme, as well as higher-dimensional generalizations of it, in which the verification is done through classical communication with the bank. To distinguish the corresponding bank notes from the ones discussed in the previous section, we will call them tickets.⁶

4.1 Description of Quantum Tickets


A quantum ticket is defined in the same way as a bank note: it is a quantum state $|\psi_k\rangle$, where $k$ is a secret key kept by the bank, together with a unique serial number. We consider schemes in which the classical verification procedure has the following simple form. The user first identifies herself to the bank by announcing her ticket's serial number. The bank then sends her a classical "challenge" $c \in C$ chosen uniformly at random, where $C$ is some fixed finite set. Depending on $c$, an honest user will perform a measurement $\Pi_c = \{\Pi_c^a\}_{a \in A}$ on her ticket, and report the outcome $a$ to the bank. The bank then looks up the secret key $k$ associated with the user's ticket, and accepts $a$ if and only if the triple $(a, c, k)$ falls in a fixed, publicly known set $S$ of valid triples.⁷
A simple counterfeiting attack against such a scheme will attempt to use just one quantum ticket in order to successfully answer two independent challenges from the bank. Such a counterfeiter may be modeled by a collection of POVMs $A^{c_1 c_2} = \{A^{c_1 c_2}_{a_1 a_2}\}_{a_1 a_2}$, and its success probability is
$$\frac{1}{|C|^2}\sum_{c_1, c_2}\ \sum_{k=1}^{N} p_k \sum_{\substack{(a_1,a_2):\\ (a_1,c_1,k)\in S\\ (a_2,c_2,k)\in S}} \big\langle \psi_k \big|\, A^{c_1 c_2}_{a_1 a_2} \big|\, \psi_k \big\rangle, \tag{8}$$
which is the "classical-verification" analogue of (2). By letting registers $\mathcal{Y}$ and $\mathcal{Z}$ contain the answers $a_1$ and $a_2$ respectively, and $\mathcal{X}$ contain the counterfeiter's input (the state $|\psi_k\rangle$ and the two challenges $c_1, c_2$), the problem of maximizing (8) over all possible counterfeiting strategies can be cast as a semidefinite program of the same form as the one introduced in Section 3.1, with the corresponding operator $Q$ defined as
$$Q = \frac{1}{|C|^2}\sum_{c_1, c_2}\ \sum_{k=1}^{N} p_k \sum_{\substack{(a_1,a_2):\\ (a_1,c_1,k)\in S\\ (a_2,c_2,k)\in S}} |a_1\rangle\langle a_1| \otimes |a_2\rangle\langle a_2| \otimes |c_1, c_2, \psi_k\rangle\langle c_1, c_2, \psi_k|.$$
As $Q$ is diagonal on the first four registers, without loss of generality an optimal solution $X$ to the primal problem may be taken to be block-diagonal,
$$X = \sum_{a_1, a_2, c_1, c_2} |a_1, a_2, c_1, c_2\rangle\langle a_1, a_2, c_1, c_2| \otimes X^{c_1 c_2}_{a_1 a_2},$$
and the SDP constraints are immediately seen to exactly enforce that $\{X^{c_1 c_2}_{a_1 a_2}\}_{a_1 a_2}$ is a POVM for every $(c_1, c_2)$.

⁶ As we will see, successful verification of a ticket necessarily entails its destruction. This is unavoidable, as shown in [16]. One may still concatenate together many tickets, each equipped with its own serial number, to create a single bank note. The bank note will then be able to go through as many verification attempts as it contains tickets.

⁷ For instance, the bank could accept all "plausible" answers, i.e., all $a$ such that $\langle\psi_k|\Pi_c^a|\psi_k\rangle > 0$. This condition ensures that honest users are always accepted.
We note that the problem faced by the counterfeiter can be cast as a special instance of the more general state discrimination problem. Indeed, the counterfeiter's goal is to distinguish between the following: for every pair of possible answers $(a_1, a_2)$, there is a mixed state corresponding to the mixture over all states $|c_1\rangle|c_2\rangle|\psi_k\rangle$ for which $(a_1, a_2)$ would be a valid answer. (Each state is weighted proportionally to the probability of the pair $(c_1, c_2)$ being chosen as challenges by the bank, and of $|\psi_k\rangle$ being chosen as a bank note.) As such, the fact that the optimal counterfeiting strategy can be cast as a semidefinite program follows from similar formulations for the general state discrimination problem (such as the ones considered in e.g. [14]).

4.2 Analysis of a Simple Class of Qudit Schemes

We further restrict our attention to a natural class of extensions of the classical-verification variant of Wiesner's scheme described in the introduction. The schemes we consider are parametrized by a dimension $d$ and two fixed bases $\{e^0_0, \ldots, e^0_{d-1}\}$ and $\{e^1_0, \ldots, e^1_{d-1}\}$ of $\mathbb{C}^d$.⁸ Each scheme is defined as the $n$-fold parallel repetition of a basic scheme in which $N = 2d$, the states $|\psi_{(t,b)}\rangle$ are the $e^b_t$ for $t \in \{0, \ldots, d-1\}$ and $b \in \{0, 1\}$, the random challenge is a bit $c \in \{0, 1\}$, and the valid answers are $a = t$ if $b = c$, and any $a$ if $b \neq c$. Valid answers may be provided by an honest user who measures his ticket in the basis corresponding to $c$. By writing out the corresponding operator $Q$ and constructing a feasible solution to the dual SDP, we show the following lemma, from which Theorem 2 follows directly.

⁸ It is easy to see that increasing the number of bases will only result in weaker security: indeed, the more bases there are, the less likely it is that the bank's randomly chosen challenge will match the basis used to encode each qudit.
Lemma 1. For every simple counterfeiting attack against the $n$-qudit classical-verification scheme described above, the success probability is at most $\big(\frac{3}{4} + \frac{\sqrt{c}}{4}\big)^n$, where $c = \max_{s,t} |\langle e^0_s | e^1_t\rangle|^2$ is the effective overlap.⁹ If $d = 2$, there is always a counterfeiting strategy that achieves this bound.

Proof. We first analyze simple counterfeiting attacks against the basic single-qudit scheme. Note that if both challenges from the bank are identical, the counterfeiter can answer both correctly with probability 1 by making the appropriate measurement on his qudit. By symmetry, it suffices to consider the case where the first challenge is $c_1 = 0$ and the second is $c_2 = 1$. In this case the operator $Q$ becomes
$$Q = \frac{1}{2d}\sum_{s,t=0}^{d-1} |s\rangle\langle s|_{\mathcal{Y}} \otimes |t\rangle\langle t|_{\mathcal{Z}} \otimes \big(|e^0_s\rangle\langle e^0_s|_{\mathcal{X}} + |e^1_t\rangle\langle e^1_t|_{\mathcal{X}}\big).$$
For $s, t \in \{0, \ldots, d-1\}$, let $V_{s,t} = |e^0_s\rangle\langle e^0_s|_{\mathcal{X}} + |e^1_t\rangle\langle e^1_t|_{\mathcal{X}}$. As $Q$ is block-diagonal, the dual SDP is
$$\text{minimize: } \operatorname{Tr}(Y) \qquad \text{subject to: } Y \ge \frac{1}{2d} V_{s,t} \ \text{ (for all } s, t),\quad Y \in \operatorname{Herm}(\mathbb{C}^d). \tag{9}$$
$V_{s,t}$ is a rank-2 Hermitian matrix whose eigenvalues are $1 \pm |\langle e^0_s | e^1_t\rangle|$. Hence $Y = \frac{1+\sqrt{c}}{2d}\,\mathbb{1}$ is a feasible solution to the dual problem with objective value $(1+\sqrt{c})/2$. Since the two challenges are identical with probability $1/2$, this leads to an upper bound of $\frac12 + \frac12\cdot\frac{1+\sqrt{c}}{2} = 3/4 + \sqrt{c}/4$ on the overall success probability of the best counterfeiting strategy.

To finish the proof of the upper bound it suffices to note that the SDP has the same parallel repetition property as was described in Section 3.4.

Finally, we show the "moreover" part of the claim. Relabeling the vectors if necessary, assume $|\langle e^0_0 | e^1_0\rangle| = \sqrt{c}$. Let $|u_0\rangle$ be the eigenvector of $V_{0,0}$ with largest eigenvalue $1 + \sqrt{c}$, and $|u_1\rangle$ the eigenvector with smallest eigenvalue. Using the observation that $|\langle e^0_1 | e^1_1\rangle| = \sqrt{c}$, it may be checked that
$$X = |0,0\rangle\langle 0,0| \otimes |u_0\rangle\langle u_0| + |1,1\rangle\langle 1,1| \otimes |u_1\rangle\langle u_1|$$
is a feasible solution to the primal SDP corresponding to (9) (as expressed in Section 3.1) with objective value $(1+\sqrt{c})/2$, proving that the optimum of (9) is exactly $(1+\sqrt{c})/2$.

4.3 A Matching Lower Bound

Let $d$ be a fixed dimension. We introduce a quantum ticket scheme for which the upper bound derived in the previous section is tight. For $d = 2$ our scheme recovers the one that is derived from Wiesner's original quantum money. Let $X_d$ and $Z_d$ be the generalized Pauli matrices, acting as $X_d : |i\rangle \mapsto |(i+1) \bmod d\rangle$ and $Z_d : |i\rangle \mapsto \omega^i |i\rangle$, where $\omega = e^{2i\pi/d}$. Let $F$ be the quantum Fourier transform over $\mathbb{Z}_d$,
$$F : |i\rangle \mapsto \frac{1}{\sqrt{d}}\sum_j \omega^{ij}|j\rangle,$$
and note that $Z_d = F X_d F^{\dagger}$, so that $F X_d^t = Z_d^t F$. Let $\{e^0_t\}$ be the basis defined by $e^0_t = (X_d)^t|0\rangle = |t\rangle$, and $\{e^1_t\}$ the Fourier-transformed basis $e^1_t = F e^0_t = (Z_d)^t F|0\rangle$ for every $t$. Then $|\langle e^0_s | e^1_t\rangle| = |\langle s|F|t\rangle| = \frac{1}{\sqrt{d}}$ for every $s, t$: the corresponding overlap is $c = 1/d$. Lemma 1 shows that the optimal cloner achieves success at most $3/4 + 1/(4\sqrt{d})$. The following lemma states a matching lower bound.

⁹ For any two bases of $\mathbb{C}^d$, $c \ge 1/d$, and this is achieved for a pair of mutually unbiased bases. This quantity also arises naturally in the study of uncertainty relations (see e.g. [31]), of which our result may be seen as giving a special form.
Lemma 2. There is a cloner for the $n$-qudit ticket scheme described above that successfully answers both challenges with success probability $\big(\frac{3}{4} + \frac{1}{4\sqrt{d}}\big)^n$.

Proof. We describe a cloner that acts independently on each qudit, succeeding with probability $\frac{3}{4} + \frac{1}{4\sqrt{d}}$ on each qudit.¹⁰ Let
$$|\psi\rangle = \big(2 + 2/\sqrt{d}\big)^{-1/2}\big(|0\rangle + F|0\rangle\big),$$
and for every $(s, t)$ let $P_{s,t}$ be the rank-1 projector on the unit vector $X_d^s Z_d^t|\psi\rangle$. As a consequence of Schur's lemma, $\sum_{s,t}\frac{1}{d}P_{s,t} = \mathbb{1}$, so that $\{P_{s,t}/d\}$ is a POVM. The cloner proceeds as follows: if the challenge is either 00 or 11, he measures in the corresponding basis and sends the resulting outcome as answer to both challenges. In this case he is always correct. In case the challenge is either 01 or 10, he measures the ticket using the POVM $\{P_{s,t}/d\}$, and uses $s$ as answer to the challenge "0" and $t$ as answer to the challenge "1". Because the two challenges are distinct, only one of them corresponds to the actual basis in which the ticket was encoded, and the answer to the other challenge is unconstrained. Without loss of generality assume this is the "0" basis, so that the ticket is $e^0_s = |s\rangle$. The probability that the cloner obtains the correct outcome $s$ is
$$\frac{1}{d}\sum_t \operatorname{Tr}\big(P_{s,t}\,|s\rangle\langle s|\big) = \frac{1}{d}\sum_t \big|\langle s|X_d^s Z_d^t|\psi\rangle\big|^2 = \frac{1}{d}\sum_t \big|\langle 0|Z_d^t|\psi\rangle\big|^2 = |\langle 0|\psi\rangle|^2.$$
To conclude, it suffices to compute
$$|\langle 0|\psi\rangle|^2 = \frac{1}{2 + 2/\sqrt{d}}\,\big|\langle 0|0\rangle + \langle 0|F|0\rangle\big|^2 = \frac{1}{2}\Big(1 + \frac{1}{\sqrt{d}}\Big).$$
Averaging over the four equally likely challenge pairs gives a per-qudit success probability of $\frac12 + \frac12\cdot\frac12\big(1 + \frac{1}{\sqrt d}\big) = \frac34 + \frac{1}{4\sqrt d}$.

¹⁰ The analysis is very similar to one that was done in [33], in a different context but for essentially the same problem.
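The dual certificate of Lemma 1 and the cloner of Lemma 2 are small enough to verify directly. The example below is added here (it is not the authors' code) and assumes numpy is available. It builds $X_d$, $Z_d$, $F$ and the two bases of this section, checks that $Y = \frac{1+\sqrt{c}}{2d}\mathbb{1}$ satisfies the constraints of (9), builds the POVM $\{P_{s,t}/d\}$ and checks that it resolves the identity, and computes the cloner's probability of producing the correct label for a ticket encoded in either basis, which gives the per-qudit success probability $3/4 + 1/(4\sqrt{d})$ of Lemma 2.

```python
import numpy as np


def generalized_paulis(d):
    """Shift X_d, clock Z_d and the Fourier transform F on C^d (F X_d F^dag = Z_d)."""
    omega = np.exp(2j * np.pi / d)
    X = np.roll(np.eye(d), 1, axis=0)                 # X|i> = |i+1 mod d>
    Z = np.diag(omega ** np.arange(d))                # Z|i> = omega^i |i>
    F = omega ** np.outer(np.arange(d), np.arange(d)) / np.sqrt(d)
    return X, Z, F


def bases(d):
    """Computational basis e^0_t = |t> and Fourier basis e^1_t = F e^0_t."""
    _, _, F = generalized_paulis(d)
    e0 = [np.eye(d, dtype=complex)[:, t] for t in range(d)]
    e1 = [F @ v for v in e0]
    return e0, e1


def effective_overlap(e0, e1):
    """c = max_{s,t} |<e^0_s|e^1_t>|^2 (1/d for the Fourier pair)."""
    return max(abs(np.vdot(u, v)) ** 2 for u in e0 for v in e1)


def lemma1_dual_feasible(d, tol=1e-9):
    """Y = (1+sqrt(c))/(2d) * 1 satisfies Y >= V_{s,t}/(2d) for every s, t, constraint (9)."""
    e0, e1 = bases(d)
    Y = (1 + np.sqrt(effective_overlap(e0, e1))) / (2 * d) * np.eye(d)
    for u in e0:
        for v in e1:
            V = np.outer(u, u.conj()) + np.outer(v, v.conj())
            if np.linalg.eigvalsh(Y - V / (2 * d)).min() < -tol:
                return False
    return True


def lemma1_upper_bound(d):
    e0, e1 = bases(d)
    return 0.75 + np.sqrt(effective_overlap(e0, e1)) / 4


def cloner_povm(d):
    """{P_{s,t}/d}: P_{s,t} projects onto X^s Z^t |psi>, |psi> proportional to |0> + F|0>."""
    X, Z, F = generalized_paulis(d)
    e0 = np.eye(d, dtype=complex)[:, 0]
    psi = (e0 + F @ e0) / np.sqrt(2 + 2 / np.sqrt(d))
    povm = {}
    for s in range(d):
        for t in range(d):
            v = np.linalg.matrix_power(X, s) @ np.linalg.matrix_power(Z, t) @ psi
            povm[(s, t)] = np.outer(v, v.conj()) / d
    return povm


def povm_is_complete(d):
    """Schur's lemma: sum_{s,t} P_{s,t}/d = 1."""
    return bool(np.allclose(sum(cloner_povm(d).values()), np.eye(d)))


def prob_correct_label(d, basis, idx):
    """Ticket e^{basis}_idx under challenges (0,1): probability that the label
    belonging to the encoding basis (s for basis 0, t for basis 1) equals idx."""
    e0, e1 = bases(d)
    ticket = (e0, e1)[basis][idx]
    return sum(float(np.real(np.vdot(ticket, E @ ticket)))
               for (s, t), E in cloner_povm(d).items() if (s, t)[basis] == idx)


def per_qudit_success(d):
    """Challenges 00/11 (prob 1/2): measure in that basis, always valid.
    Challenges 01/10 (prob 1/2): only the answer for the encoding basis is constrained."""
    return 0.5 + 0.5 * prob_correct_label(d, 0, 0)


def lemma2_value(d, n=1):
    return (0.75 + 1 / (4 * np.sqrt(d))) ** n
```

`prob_correct_label` returns $(1 + 1/\sqrt{d})/2$ for a ticket in either basis, so the "without loss of generality" step of the proof holds for the Fourier basis too, and `per_qudit_success(d)` coincides with `lemma1_upper_bound(d)` for every $d$: the bound of Lemma 1 is tight for this scheme.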

Acknowledgments. We thank Scott Aaronson for his question¹¹ on Theoretical Physics Stack Exchange that originated the results in this paper as an answer, and Peter Shor for pointing out the connection between the channel representing an optimal attack on Wiesner's quantum money, and the optimal cloners studied in [8] and [9]. JW thanks Debbie Leung and Joseph Emerson for helpful discussions. AM thanks Michael Grant and Stephen Boyd for their creation of the CVX software.

References

1. Aaronson, S.: Quantum copy-protection and quantum money. In: Proceedings of the 24th Annual IEEE Conference on Computational Complexity, pp. 229–242 (2009)
2. Aaronson, S.: On the security of private-key quantum money (in preparation, 2012)
3. Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Proceed-
ings of the 44th Annual ACM Symposium on Theory of Computing (2012)
4. Ambainis, A., Emerson, J.: Quantum t-designs: t-wise independence in the quan-
tum world. In: Proceedings of the 22nd Annual IEEE Conference on Computational
Complexity, pp. 129–140 (2007)
5. Audenaert, K., De Moor, B.: Optimizing completely positive maps using semidef-
inite programming. Physical Review A 65, 30302 (2002)
6. Bennett, C., Brassard, G.: Quantum cryptography: Public key distribution and
coin tossing. In: Proceedings of the IEEE International Conference on Computers,
Systems, and Signal Processing, pp. 175–179 (1984)
7. Boyd, S., Vandenberghe, L.: Convex Optimization. Cambridge University Press
(2004)
8. Bruß, D., Cinchetti, M., D’Ariano, G., Macchiavello, C.: Phase covariant quantum
cloning. Physical Review A 62, 012302 (2000)
9. Bužek, V., Hillery, M.: Quantum copying: Beyond the no-cloning theorem. Physical
Review A 54(3), 1844–1852 (1996)
10. Cerf, N., Fiurášek, J.: Optical quantum cloning. Progress in Optics, ch.6, vol. 49,
pp. 455–545. Elsevier (2006)
11. Choi, M.-D.: Completely positive linear maps on complex matrices. Linear Algebra
and Its Applications 10(3), 285–290 (1975)
12. de Klerk, E.: Aspects of Semidefinite Programming – Interior Point Algorithms and
Selected Applications. Applied Optimization, vol. 65. Kluwer Academic Publishers,
Dordrecht (2002)
13. Eggeling, T., Werner, R.: Separability properties of tripartite states with U ⊗U ⊗U
symmetry. Physical Review A 63(4), 042111 (2001)
14. Eldar, Y., Megretski, A., Verghese, G.: Designing optimal quantum detectors
via semidefinite programming. IEEE Transactions on Information Theory 49(4),
1007–1012 (2003)
15. Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Shor, P.: Quantum money from
knots. Available as arXiv.org e-Print 1004.5127 (2010)
16. Gavinsky, D.: Quantum money with classical verification. Available as arXiv.org
e-Print 1109.0372 (2011)
¹¹ See http://cstheory.stackexchange.com/questions/11363/

17. Gottesman, D.: Uncloneable encryption. Available as arXiv.org e-Print quant-ph/0210062 (2002)
18. Gutoski, G., Watrous, J.: Toward a general theory of quantum games. In: Proceed-
ings of the 39th Annual ACM Symposium on Theory of Computing, pp. 565–574
(2007)
19. Jamiolkowski, A.: Linear transformations which preserve trace and positive
semidefiniteness of operators. Reports on Mathematical Physics 3(4), 275–278
(1972)
20. Lo, H., Spiller, T., Popescu, S.: Introduction to Quantum Computation and Infor-
mation. World Scientific Publishing Company (1998)
21. Lovász, L.: Semidefinite programs and combinatorial optimization. Recent Ad-
vances in Algorithms and Combinatorics (2003)
22. Lutomirski, A.: An online attack against Wiesner’s quantum money. Available as
arXiv.org e-Print 1010.0256 (2010)
23. Lutomirski, A., Aaronson, S., Farhi, E., Gosset, D., Hassidim, A., Kelner, J., Shor,
P.: Breaking and making quantum money: toward a new quantum cryptographic
protocol. In: Proceedings of Innovations in Computer Science (ICS), pp. 20–31
(2010)
24. Mayers, D.: Unconditional security in quantum cryptography. Journal of the
ACM 48, 351–406 (2001)
25. Mittal, R., Szegedy, M.: Product Rules in Semidefinite Programming. In: Csuhaj-
Varjú, E., Ésik, Z. (eds.) FCT 2007. LNCS, vol. 4639, pp. 435–445. Springer,
Heidelberg (2007)
26. Molina, A., Watrous, J.: Hedging bets with correlated quantum strategies. Avail-
able as arXiv.org e-Print 1104.1140 (2011)
27. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information.
Cambridge University Press (2000)
28. Pastawski, F., Yao, N.Y., Jiang, L., Lukin, M.D., Cirac, J.I.: Unforgeable noise-
tolerant quantum tokens. Available as arXiv.org e-Print 1112.5456 (2011)
29. Renes, J., Blume-Kohout, R., Scott, A., Caves, C.: Symmetric informationally
complete quantum measurements. Journal of Mathematical Physics 45, 2171–2180
(2004)
30. Shor, P., Preskill, J.: Simple proof of security of the BB84 quantum key distribution
protocol. Physical Review Letters 85(2), 441–444 (2000)
31. Tomamichel, M., Renner, R.: Uncertainty relation for smooth entropies. Physical
Review Letters 106, 110506 (2011)
32. Vandenberghe, L., Boyd, S.: Semidefinite programming. SIAM Review 38(1), 49–95
(1996)
33. Vidick, T., Wehner, S.: Does ignorance of the whole imply ignorance of the parts?
Large violations of noncontextuality in quantum theory. Physical Review Let-
ters 107, 030402 (2011)
34. Watrous, J.: Lecture notes on Theory of Quantum Information (2011), http://www.cs.uwaterloo.ca/~watrous/CS766/
35. Werner, R.: Optimal cloning of pure states. Physical Review A 58, 1827–1832
(1998)
36. Wiesner, S.: Conjugate coding. SIGACT News 15(1), 78–88 (1983)
37. Wootters, W., Zurek, W.: A single quantum state cannot be cloned. Nature 299,
802–803 (1982)
Simulating Equatorial Measurements
on GHZ States with Finite Expected
Communication Cost

Gilles Brassard¹ and Marc Kaplan²

¹ Département d'informatique et de recherche opérationnelle, Université de Montréal, C.P. 6128, Succursale Centre-ville, Montréal, Québec, H3C 3J7 Canada
² Laboratoire Traitement et Communication de l'Information, Telecom ParisTech, 23 Avenue d'Italie, 75013 Paris

Abstract. The communication cost of simulating probability distributions obtained by measuring quantum states is a natural way to quantify quantum non-locality. While much is known in the case of bipartite entanglement, little has been done in the multipartite setting. In this paper, we focus on the GHZ state. Specifically, equatorial measurements lead to correlations similar to the ones obtained when measuring Bell states. We give a protocol to simulate these measurements on the $n$-partite GHZ state using $O(n^2)$ bits of communication on average.

1 Introduction
The issue of non-locality in quantum physics was raised in 1935 by Einstein,
Podolsky and Rosen [6]. Thirty years later, John Bell proved that quantum
physics yields correlations that cannot be reproduced by classical local hidden
variable theories [2]. This momentous discovery led to the more general question
of quantifying quantum non-locality. Not only is this question relevant for the
foundations of quantum physics, but it is directly related to our understanding
of the computational power of quantum resources.
A natural quantitative approach to non-locality is to study the amount of
resources required to reproduce probabilities obtained by measuring quantum
states. In this paper, we consider the simulation of these distributions using
classical communication. This approach was introduced independently by several
authors [9,4,11]. It led to a series of results, culminating with the protocol of
Toner and Bacon to simulate von Neumann measurements on Bell states with a
single bit of communication [12]. Later, Regev and Toner extended this result by
giving a simulation of binary von Neumann measurements on arbitrary bipartite
states using two classical bits [10].
We focus here on multipartite entanglement, and more specifically on GHZ
states [8]. Unlike the bipartite case, which has been the topic of intensive inves-
tigation, the simulation of multipartite entanglement is still teeming with major
open problems.

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 65–73, 2013.
© Springer-Verlag Berlin Heidelberg 2013
66 G. Brassard and M. Kaplan

The easiest situation arises in the case of equatorial measurements on a GHZ state because all the marginal probability distributions obtained by tracing out one or more of the parties are uniform. Hence, it suffices in this case to simulate the $n$-partite correlation, henceforth called the full correlation. (Once this has been achieved, all the marginals can easily be made uniform [7].) Making the best of this observation, Bancal, Branciard and Gisin have given a protocol to simulate equatorial measurements on the tripartite and fourpartite GHZ states at an expected cost of 10 and 20 bits of communication [1]. However, the amount of communication entailed by their protocol is unbounded in the worst case. More recently, Branciard and Gisin improved this in the tripartite case with a protocol using 3 bits of communication in the worst case [3].

This problem was also investigated on the lower bound side. Broadbent, Chouha and Tapp proved an $n \log n$ lower bound on the worst case communication complexity of simulating measurements on $n$-partite GHZ states [5]. This result holds for equatorial measurements. Moreover, the proof of the lower bound is based on a separation between classical and quantum communication complexity. This confirms the intuition that this problem is related to the computational power of GHZ states.

In this paper, we give a protocol to simulate equatorial measurements on the $n$-partite GHZ state. For any measurements, our protocol has an expected cost of $O(n^2)$ bits of communication, where the expectation is taken over the inner randomness of the protocol.

The paper is organized as follows. In Section 2, we give the structure of the distribution arising from equatorial measurements on GHZ states, and then show how to simulate it. The main technical tool that we use is a protocol to sample uniform vectors on connected subsets of the circle. We call this task Uniform Vector Sampling. The protocol to sample those vectors is given in Section 3.

2 Simulating Equatorial Measurements


We consider the family of GHZ states $|\Psi_n\rangle = \frac{1}{\sqrt{2}}\big(|0^n\rangle + |1^n\rangle\big)$, and the distribution generated by the following process: $n$ players each receive a qubit of $|\Psi_n\rangle$. Each one then applies a binary (two-outcome) measurement to its share. Let $o_i \in \{-1, 1\}$ denote the output of the $i$th player. The problem is to simulate the probability distribution over the players' outputs using hidden variables and communication.

The measurement operators corresponding to equatorial measurements are on the equator of the Bloch sphere and therefore can be parametrized by a single polar angle. Denote by $\alpha_i$ the angle corresponding to the $i$th player's measurement. It is known that the distribution arising from such measurements is fully characterized by the full correlation (see e.g. [1]).

Proposition 1. The distribution of the outputs $\{o_i\}$ is characterized by the following relations:
– The full correlation $\mathbb{E}\big[\prod_{i=1}^{n} o_i\big] = \cos\big(\sum_{i=1}^{n}\alpha_i\big)$.
– The marginal distributions $\mathbb{E}\big[\prod_{i \in S} o_i\big] = 0$ for all nonempty $S \subsetneq [n]$.
Simulating Equatorial Measurements on GHZ States 67

We denote by $S^2$ the unit sphere in $\mathbb{R}^3$ and by $S^1$ the unit circle in $\mathbb{R}^2$. A vector on $S^1$ is parametrized by a single polar angle, or equivalently a real number modulo $2\pi$. An interval on $S^1$ is a connected subset of $S^1$, or equivalently of $\mathbb{R}/2\pi\mathbb{Z}$.

Our simulation is based on a procedure to sample uniform vectors on intervals of $S^1$, when the description of this subset is shared among several players. For $k, n \ge 1$, we introduce the following task, called Uniform Vector Sampling and denoted UVS$(n, k)$. The $n$ players each receive the angles $\alpha_1, \ldots, \alpha_n$, respectively. Denote $\alpha = \sum_{i=1}^{n}\alpha_i$. Each player computes a message depending on his input and on a public random variable $r$ and sends it to a referee. At the end, the referee has to output a uniform angle $\theta$ on the interval $\big[\alpha - \pi/2^k,\ \alpha + \pi/2^k\big]$. Notice that no player has a complete description of this interval. We measure the communication cost of a protocol for UVS by considering the total length of all messages sent from the players to the referee.

Theorem 1. For any $n, k \ge 1$, there exists a protocol for UVS$(n, k)$ with expected communication cost at most $n(n + k + 1)$.

We now show how to simulate equatorial measurements on GHZ states, given a protocol for UVS. Toner and Bacon proposed a simulation of binary measurements on Bell states, using a single bit of communication. In the bipartite case, the correlation between the players' outputs is a scalar product of two vectors on $S^2$. We sketch their protocol. For a vector $a \in S^2$, denote $S^+(a)$ the half sphere centered on $a$, $S^+(a) = \{\lambda \in S^2 : \langle a, \lambda\rangle \ge 0\}$. Let sgn be the function defined for $x \in \mathbb{R}$ by $\operatorname{sgn}(x) = 1$ if $x \ge 0$, and $-1$ otherwise. Toner and Bacon prove the following theorem.

Theorem 2 ([12]). Let $a, b$ be vectors in $S^2$, and $\lambda_1, \lambda_2$ be independent and uniformly distributed on $S^+(a)$. Then
$$\mathbb{E}\big[\operatorname{sgn}\langle \lambda_1 + \lambda_2, b\rangle\big] = \langle a, b\rangle.$$

To complete the simulation, it suffices to notice that shared uniform vectors on $S^+(a)$ can be sampled efficiently by the players using shared randomness and communication, even if only one player has a full description of $a$. The idea is to first sample a uniform random vector on the sphere, and then the player that knows $a$ tells the other whether he has to flip the random vector in order to get a vector in $S^+(a)$. This requires sending a single bit of communication.
Our simulation is based on the following observation. Consider $d = \big(\cos\sum_{i=1}^{n-1}\alpha_i,\ \sin\sum_{i=1}^{n-1}\alpha_i,\ 0\big)$ and $a_n = (\cos\alpha_n, -\sin\alpha_n, 0)$. These are unit vectors on $S^1$, embedded in $\mathbb{R}^3$ to apply Theorem 2. For these vectors, we have $\langle d, a_n\rangle = \cos\sum_{i=1}^{n}\alpha_i$. Therefore, if $\lambda_1$ and $\lambda_2$ are two vectors sampled uniformly on $S^+(d)$, Theorem 2 gives $\mathbb{E}\big[\operatorname{sgn}\langle\lambda_1 + \lambda_2, a_n\rangle\big] = \cos\sum_i \alpha_i$.
We now describe the simulation in more detail. The players are denoted $A_1, \ldots, A_n$. Before receiving their inputs, they prepare a shared variable $r$, used for UVS. In addition, they prepare shared uniform random bits $b_i \in \{-1, +1\}$ for $i = 1, \ldots, n-1$. In our simulation, we only need to apply Uniform Vector Sampling with $k = 1$.

1. For $i = 1, \ldots, n-1$, the players $A_i$ run the protocol for UVS$(n-1, 1)$, sending their messages to $A_n$.
2. Using the messages he received, $A_n$ sets $\theta_1$ uniform on the interval $\big[\sum_{i=1}^{n-1}\alpha_i - \pi/2,\ \sum_{i=1}^{n-1}\alpha_i + \pi/2\big]$.
3. The players repeat steps 1 and 2 to allow $A_n$ to sample another angle $\theta_2$ with the same distribution.
4. Player $A_n$ samples $u_1$ and $u_2$ uniformly on $[-1, 1]$ and for $i = 1, 2$ sets
$$\varphi_i = \arcsin u_i, \qquad \lambda_i = \big(\cos\theta_i\cos\varphi_i,\ \sin\theta_i\cos\varphi_i,\ \sin\varphi_i\big),$$
so that the latitude $\varphi_i \in [-\pi/2, \pi/2]$ has $\sin\varphi_i$ uniform on $[-1, 1]$, as for a uniformly random point of the sphere.
5. For $i = 1, \ldots, n-1$, the player $A_i$ outputs $o_i = b_i$.
6. The player $A_n$ outputs $o_n = \big(\prod_{i=1}^{n-1} b_i\big)\cdot\operatorname{sgn}\langle\lambda_1 + \lambda_2, a_n\rangle$, where we defined $a_n = (\cos\alpha_n, -\sin\alpha_n, 0)$.

After step 3, player $A_n$ has the complete description of two angles $\theta_1$ and $\theta_2$ uniformly distributed on $\big[\sum_{i=1}^{n-1}\alpha_i - \frac{\pi}{2},\ \sum_{i=1}^{n-1}\alpha_i + \frac{\pi}{2}\big]$. The purpose of step 4 is to transform these angles into uniform random vectors on $S^+(d)$, where $d$ is the vector with coordinates $\big(\cos\sum_{i=1}^{n-1}\alpha_i,\ \sin\sum_{i=1}^{n-1}\alpha_i,\ 0\big)$. Since $d$ is on the equator, it is sufficient to assign a random latitude to the vectors whose longitudes are $\theta_1$ and $\theta_2$. Finally, after steps 5 and 6, we have
$$\mathbb{E}\Big[\prod_{i \in S} o_i\Big] = 0 \ \text{ for any nonempty } S \subsetneq [n], \qquad \mathbb{E}\Big[\prod_{i=1}^{n} o_i\Big] = \mathbb{E}\big[\operatorname{sgn}\langle\lambda_1 + \lambda_2, a_n\rangle\big] = \cos\sum_{i=1}^{n}\alpha_i \ \text{ by Theorem 2.}$$

Sampling the angles $\theta_1$ and $\theta_2$ can be done with $O(n^2)$ expected bits of communication. Therefore, the whole protocol can be done with $O(n^2)$ expected bits of communication.

3 Uniform Vector Sampling


The goal of this section is to prove Theorem 1. Observe that the simulation
presented in the previous section only uses the case k = 1. Nevertheless, the proof
that we give is inductive and proves the stronger statement given in Section 2.

The Base Case: n = 1

For $n = 1$, there is a single input $\alpha_1$. Fix $k \ge 1$. Let $\delta$ be chosen uniformly at random on $S^1$. The player sends
$$t = \min\Big\{\, i \in \mathbb{N} : \delta + i\,\frac{\pi}{2^{k-1}} \in \Big[\alpha_1 - \frac{\pi}{2^k},\ \alpha_1 + \frac{\pi}{2^k}\Big]\Big\}$$
to the referee, who computes $\theta = \delta + t\,\frac{\pi}{2^{k-1}}$. The resulting angle $\theta$ is uniformly distributed on $\big[\alpha_1 - \frac{\pi}{2^k},\ \alpha_1 + \frac{\pi}{2^k}\big]$. Notice that since $t \in \{0, 1, \ldots, 2^k - 1\}$, the length of the message is at most $k$.

The Induction Step

Let $n > 1$. The following lemma is the main technical tool that we use for the induction. It explains how to generate uniformly distributed variables from specific non-uniform ones. We first prove Lemma 1, and then use it to prove the induction.

Lemma 1. Let $D_i^-$ denote the uniform distribution on $[0, 1/2^i]$ and $D_i^+$ denote the uniform distribution on $[1 - 1/2^i, 1]$. Let $D$ be the distribution on $t$ defined by the following procedure:
– Pick an integer $i \ge 0$ with probability $1/2^{i+1}$, and $r$ uniform in $\{-1, +1\}$.
– If $r = -1$, sample $t_1, t_2 \sim D_i^-$.
– Otherwise, sample $t_1, t_2 \sim D_i^+$.
– Set $t = (t_1 + t_2)/2$.

Then $D$ is the uniform distribution on $[0, 1]$.

(The sum is halved so that $t$ stays inside $[0, 1]$: for $i = 0$ the sum $t_1 + t_2$ alone would range over $[0, 2]$.)

Proof. Denote $U_i^- = [0, 1/2^i]$ and $U_i^+ = [1 - 1/2^i, 1]$. We define the density functions associated to the distributions $D_i^+$ and $D_i^-$,
$$f_i^+(x) = \begin{cases} 2^i & \text{if } x \in U_i^+, \\ 0 & \text{otherwise,}\end{cases} \qquad\text{and}\qquad f_i^-(x) = \begin{cases} 2^i & \text{if } x \in U_i^-, \\ 0 & \text{otherwise.}\end{cases}$$
For a fixed $i$, the density $\rho_i$ of $t = (t_1 + t_2)/2$ is
$$\rho_i = \tfrac{1}{2}\big(g_i^+ + g_i^-\big), \qquad g_i^{\pm}(x) = 2\,\big(f_i^{\pm} * f_i^{\pm}\big)(2x),$$
where $*$ denotes the convolution product of two functions. By direct calculation, we have
$$g_i^-(x) = \begin{cases} 2^{2(i+1)}\,x & \text{if } x \in [0, 1/2^{i+1}], \\ 2^{i+2} - 2^{2(i+1)}\,x & \text{if } x \in [1/2^{i+1}, 1/2^i], \\ 0 & \text{otherwise,}\end{cases}$$
and
$$g_i^+(x) = g_i^-(1 - x).$$
Let $\rho$ denote the density of the distribution $D$. We now calculate $\rho(x)$. Notice that $f_0^- = f_0^+$, and for $i > 0$, $g_i^-$ and $g_i^+$ have disjoint supports. Assume that $x < 1/2$ (the other case is similar). In that case, $g_i^+(x) = 0$ for any $i > 0$, while $g_0^+(x) = g_0^-(1-x) = 4x$. Let $j = \max\{j' : x \in [0, 1/2^{j'}]\}$ and notice that $g_i^-(x) = 0$ for any $i > j$. We have
$$\begin{aligned}
\rho(x) &= \sum_{i=0}^{\infty} \frac{1}{2^{i+1}}\,\rho_i(x) \\
&= \frac{1}{2}\cdot\frac{1}{2}\,g_0^+(x) + \frac{1}{2}\sum_{i=0}^{j} \frac{1}{2^{i+1}}\,g_i^-(x) \\
&= x + \frac{1}{2}\Big(\sum_{i=0}^{j-1} \frac{1}{2^{i+1}}\,2^{2(i+1)}\,x + \frac{1}{2^{j+1}}\big(2^{j+2} - 2^{2(j+1)}\,x\big)\Big) \\
&= x + \Big(\sum_{i=0}^{j-1} 2^i\,x\Big) + 1 - 2^j x \\
&= x + (2^j - 1)\,x + 1 - 2^j x \\
&= 1,
\end{aligned}$$
which concludes the proof of the Lemma.

[Fig. 1 (plot omitted). The density functions $f_i^+$ and $f_i^-$, for $i \le 3$ and $i \le 8$. Each density function is scaled down by the probability of sampling it in Lemma 1. $f_0^+$ and $f_0^-$ are equal. The dashed curves represent the sum of the represented density functions.]

We now prove the induction step. The induction hypothesis is that for any k ≥ 1,
it is possible for n−1 players to each send a message
to anotherk party
n−1such that khe
outputs an angle θ uniformly distributed on [ n−1 i=1 αi − π/2 , i=1 αi + π/2 ].
Before receiving their inputs, the players prepare the following random
elements:

– an integer j ≥ 0 chosen with probability p(j) = 1/2j+1 ,


– b uniform in {−1, +1},
Simulating Equatorial Measurements on GHZ States 71

– the random elements required to run UVS(n − 1, k + j + 1),


– the random elements required to run UVS(1, k + j + 1).
The protocol proceeds as follows. The n − 1 players first players send to the
referee the messages corresponding to UVS(n − 1, k + j + 1). The referee uses
n−1 n−1
them to prepare θ1 uniform on [ i=1 αi − π/2k+j+1 , i=1 αi + π/2k+j+1 ]. The
n-th player sends to the referee the message corresponding to UVS(1, k + j + 1).
The referee uses it to prepare θ2 uniform on [αn − π/2k+j+1 , αn + π/2k+j+1 ].
Finally, the referee outputs
 
π 1
θ = θ1 + θ 2 + b · k 1 − j .
2 2
We now analyze the protocol and prove that θ is uniform on the interval
$\left[\sum_{i=1}^{n} \alpha_i - \pi/2^k,\ \sum_{i=1}^{n} \alpha_i + \pi/2^k\right]$. To apply Lemma 1, we need to rescale the
random variables θ_1 and θ_2. We split the term $b \cdot \frac{\pi}{2^k}\left(1 - \frac{1}{2^j}\right)$ in two parts and
think of each as a shift of θ_1 and θ_2 in a direction that depends on the bit b.
Each angle is shifted in the same direction.
Let $v_{1,j}^-$ and $v_{2,j}^-$ be uniform random variables on $[0, 1/2^j]$ and $v_{1,j}^+$ and $v_{2,j}^+$ be
uniform random variables on $[1 - 1/2^j, 1]$. Let $T_{1,j}$ denote the random variable
$\theta_1|_j$, that is, the random variable generated by UVS(n − 1, k + j + 1) for a fixed
value of j. The shifted random variable $T_{1,j} + b\,\frac{\pi}{2^{k+1}}\left(1 - \frac{1}{2^j}\right)$ is uniform

– either on $\left[\sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1},\ \sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1} + \pi/2^{k+j}\right]$ if b = −1,
– or on $\left[\sum_{i=1}^{n-1} \alpha_i + \pi/2^{k+1} - \pi/2^{k+j},\ \sum_{i=1}^{n-1} \alpha_i + \pi/2^{k+1}\right]$ if b = +1.

Using $v_{1,j}^+$ and $v_{1,j}^-$, we can rewrite

$$
T_{1,j} + b\,\frac{\pi}{2^{k+1}}\left(1 - \frac{1}{2^j}\right) =
\begin{cases}
\sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1} + v_{1,j}^- \cdot \pi/2^k & \text{if } b = -1 \\[4pt]
\sum_{i=1}^{n-1} \alpha_i - \pi/2^{k+1} + v_{1,j}^+ \cdot \pi/2^k & \text{if } b = +1
\end{cases}
$$

Similarly, let $T_{2,j}$ denote the random variable $\theta_2|_j$. Using $v_{2,j}^-$ and $v_{2,j}^+$, it can be
written

$$
T_{2,j} + b\,\frac{\pi}{2^{k+1}}\left(1 - \frac{1}{2^j}\right) =
\begin{cases}
\alpha_n - \pi/2^{k+1} + v_{2,j}^- \cdot \pi/2^k & \text{if } b = -1 \\[4pt]
\alpha_n - \pi/2^{k+1} + v_{2,j}^+ \cdot \pi/2^k & \text{if } b = +1
\end{cases}
$$

For the sum, we get the expression

$$
\theta = T_{1,j} + T_{2,j} + b \cdot \frac{\pi}{2^k}\left(1 - \frac{1}{2^j}\right) = \sum_{i=1}^{n} \alpha_i - \pi/2^k + v_{j,b} \cdot \pi/2^{k-1}
$$

where $v_{j,b}$ is the sum of $v_{1,j}^+$ and $v_{2,j}^+$ if b = +1 and the sum of $v_{1,j}^-$ and
$v_{2,j}^-$ if b = −1. According to Lemma 1, when taking the expectation over j
and b, $v_{j,b}$ is uniform on [0, 1]. In consequence, θ is uniform on the interval
$\left[\sum_{i=1}^{n} \alpha_i - \pi/2^k,\ \sum_{i=1}^{n} \alpha_i + \pi/2^k\right]$.

It remains to bound the expected length of messages. Denote by $l_{n,k}$ the expected
sum of the message lengths. We already know that $l_{1,k} \le k$ for any k. Fix n > 1.
Analyzing our protocol, we get the induction:

$$
\begin{aligned}
l_{n,k} &= \sum_{j \ge 0} \frac{1}{2^{j+1}} \left(l_{n-1,k+j+1} + l_{1,k+j+1}\right), \\
&\le \sum_{j \ge 0} \frac{1}{2^{j+1}}\, l_{n-1,k+j+1} + \sum_{j \ge 0} \frac{k+j+1}{2^{j+1}}, \\
&\le \sum_{j \ge 0} \frac{1}{2^{j+1}}\, l_{n-1,k+j+1} + k.
\end{aligned}
$$

The induction hypothesis is that $l_{n-1,k+j+1} \le (n-1)(n+k+j)$. We plug in this
expression and get

$$
\begin{aligned}
l_{n,k} &\le \sum_{j \ge 0} \frac{(n-1)(n+k+j)}{2^{j+1}} + k, \\
&\le (n-1)(n+k+1) + k, \\
&\le n(n+k),
\end{aligned}
$$

which concludes the proof.

4 Conclusion
We gave a protocol to simulate equatorial measurements on the n-partite GHZ
state, using O(n^2) bits on average. Our protocol is in two parts. Firstly, we reduce
the problem to sampling vectors on regions of the circle S^1. Secondly, we give a
procedure called Uniform Vector Sampling to sample the vectors. This scheme
is inspired by the protocol of Toner and Bacon to simulate von Neumann
measurements on Bell states.
Our work leads to an obvious question. Is it possible to transform our protocol
into a protocol that is bounded in the worst case? To solve this question, it is
enough to give a protocol for UVS that uses bounded communication in the worst
case. Uniform Vector Sampling could also be considered as a task of independent
interest or be applied in other contexts.
Our work, like others on the same topic, considers only equatorial measurements.
The simulation of more general measurements is an intriguingly hard
question. The main difference is that they lead to non-uniform marginals. In
the bipartite case, an analogous problem arises when considering non-maximally
entangled states. It may seem that modifying local marginals is easy once the
correlation is simulated. Unfortunately, local transforms usually also modify the
full correlation.
Acknowledgement. We thank Nicolas Gisin, Cyril Branciard and Claude Gravel
for interesting discussions.
G. B. is supported in part by Canada’s Natural Sciences and Engineering Research
Council of Canada (Nserc), the Institut transdisciplinaire d’informatique
quantique (Intriq), the Canada Research Chair program, the Canadian Institute
for Advanced Research (Cifar) and the QuantumWorks Network.
M. K. is supported by Anr Chist-Era Hypercom.

References
1. Bancal, J.-D., Branciard, C., Gisin, N.: Simulation of equatorial von Neumann
measurements on GHZ states using nonlocal resources. Advances in Mathematical
Physics 2010, 293245 (2010)
2. Bell, J.S.: On the Einstein-Podolsky-Rosen paradox. Physics 1, 195–200 (1964)
3. Branciard, C., Gisin, N.: Quantifying the nonlocality of GHZ quantum correlations
by a bounded communication simulation protocol. Physical Review Letters 107,
020401 (2011)
4. Brassard, G., Cleve, R., Tapp, A.: Cost of exactly simulating quantum entanglement
with classical communication. Physical Review Letters 83, 1874–1877 (1999)
5. Broadbent, A., Chouha, P.R., Tapp, A.: The GHZ state in secret sharing and
entanglement simulation. In: Proceedings of the Third International Conference
on Quantum, Nano and Micro Technologies, pp. 59–62 (2009)
6. Einstein, A., Podolsky, B., Rosen, N.: Can quantum-mechanical description of
physical reality be considered complete? Physical Review 47, 777–780 (1935)
7. Gisin, N.: Personal communication (2010)
8. Greenberger, D.M., Horne, M.A., Zeilinger, A.: Going beyond Bell’s theorem. In:
Kafatos, M. (ed.) Bell’s Theorem, Quantum Theory and Conceptions of the Universe,
pp. 69–72. Kluwer Academic, Dordrecht (1989)
9. Maudlin, T.: Bell’s inequality, information transmission, and prism models. In:
Biennial Meeting of the Philosophy of Science Association, pp. 404–417 (1992)
10. Regev, O., Toner, B.: Simulating quantum correlations with finite communication.
In: Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer
Science, pp. 384–394 (2007)
11. Steiner, M.: Towards quantifying non-local information transfer: finite-bit non-locality.
Physics Letters A 270, 239–244 (2000)
12. Toner, B., Bacon, D.: Communication cost of simulating Bell correlations. Physical
Review Letters 91, 187904 (2003)
Testing Quantum Circuits
and Detecting Insecure Encryption

Bill Rosgen

Centre for Quantum Technologies, National University of Singapore
bill.rosgen@nus.edu.sg

Abstract. We show that the computational problem of testing the behaviour
of quantum circuits is hard for the class QMA of problems that
can be verified efficiently with a quantum computer. This result general-
izes techniques previously used to prove the hardness of other problems
on quantum circuits. We use this result to show the QMA-completeness of
a weak version of the problem of detecting the insecurity of a symmetric-
key quantum encryption system or alternately the problem of determin-
ing when a quantum channel is not private.

1 Introduction

Testing the behaviour of a computational system is a problem central to the
study of quantum computing. This is the problem faced by an experimentalist
who has implemented a quantum computation and wants to check that the im-
plementation behaves (approximately) correctly on all input states. An efficient
solution to this problem would allow for the verification that a circuit provided
by an untrusted party correctly implements some desired operation. Unfortu-
nately we show in a general model that even a weak version of this problem is
likely to be computationally intractable. The problem we consider is, given a
quantum circuit, to decide between two cases: either the circuit acts in the de-
sired way on all input states or the circuit misbehaves, acting in some malicious
way on a large subspace of input states. This problem is QMA-hard even when
both the desired and malicious behaviours are known in advance (i.e. are a part
of the problem definition).
The class QMA is the set of all (promise) problems that can be verified up
to bounded error on a quantum computer. Several problems are known to be
complete for QMA: these problems can be thought of as alternate characteriza-
tions of the class as they capture exactly the power of the model. The first of
these complete problems is the problem of determining the ground state energy
of a local Hamiltonian [11]. The problem of determining if local descriptions of a
quantum system are consistent is also known to be QMA-complete [12], though
only under Turing reductions. Other problems related to finding ground states
of physical systems are also complete for QMA [16,17].
A different set of QMA-complete problems involve quantum circuits. The first
of these is the Non-identity check problem [10]: given a unitary quantum circuit

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 74–86, 2013.
© Springer-Verlag Berlin Heidelberg 2013

as input, the problem is to decide if there is an input on which the circuit acts non-
trivially or if the circuit is close to the identity for all input states. The problem
of determining if a circuit is close to an isometry (i.e. a reversible transformation
that maps pure states to pure states) is also known to be QMA-complete [15].
In this paper we generalize the hardness proofs of [10,15] to show the QMA-
hardness of testing the properties of the outputs of quantum circuits. Specifically,
we define the circuit testing problem, which has as parameters two uniformly
generated families of quantum circuits C0 and C1 . The problem is to decide,
given an input circuit C, whether C acts like circuits from the family C0 on
a large input subspace, or whether C acts like circuits from C1 for all input
states. It is important to note that the circuit families C0 , C1 are part of the
problem definition: each choice of circuit families gives a different problem and
an algorithm for a specific one of these problems may depend on these families
in a non-uniform way. The main result of the paper is a proof that this circuit
testing problem is QMA-hard for any circuit families C0 , C1 for which the problem
is well-defined. Using this result we reprove the QMA-hardness of non-identity
check and non-isometry testing as well as proving the hardness of a few other
circuit problems. This is done by choosing specific families C0 and C1 for which
these problems reduce to the associated circuit testing problems.
We then apply the hardness result to the problem of detecting insecure quan-
tum encryption. This is the problem of deciding, given a quantum circuit that
takes as input a quantum state as well as a classical key, whether this circuit
is close to a perfect encryption scheme (i.e. a private quantum channel [2,4]),
or whether there is a large subspace of input states that the circuit does not
encrypt. To prove hardness, we argue that this problem contains as a special
case an instance of the circuit testing problem. Finally, we give a QMA verifier
for this problem to prove that it is QMA-complete.

2 Preliminaries

Throughout the paper the set of density matrices on a Hilbert space H is denoted
D(H) while T(H, K) is the set of channels that map D(H) to D(K). To
measure the distance between states we will make extensive use of the trace
norm, ‖X‖_tr, which for a linear operator X is given by the sum of the absolute
values of the singular values of X. One important property of the trace distance
‖ρ − σ‖_tr is that it does not increase under the application of quantum channels.
We will also need the intuitive property that two states that are close together
in the trace norm produce similar measurement outcomes: this follows from the
fact that an expression involving the trace norm gives the maximum probability
that states can be distinguished [9].

Lemma 1. Let X ∈ L(H) satisfy 0 ≤ X ≤ 1. Then tr(Xρ) ≤ tr(Xσ) + ‖ρ − σ‖_tr.
In addition to the trace norm, we will also need a distance measure on quantum
channels. Such a measure is given by the diamond norm, which for a linear map
Φ : L(H) → L(K) is defined as ‖Φ‖_⋄ = sup_{X ∈ L(H ⊗ H)} ‖(Φ ⊗ 1_H)(X)‖_tr / ‖X‖_tr.
In the case that Φ is the difference of two completely positive maps, we may
replace the supremum in the definition with a maximization over pure states in
the space H ⊗ H [14]. As in the case of the trace norm, the diamond norm can
be used to characterize the distinguishability of two quantum channels: here the
reference system captures the fact that the optimal strategy to distinguish two
channels may need entanglement.
Since we consider computational problems on quantum channels, we must
specify how they are to be given as input. For this we use the mixed-state circuit
model [1], where circuits are composed of some (universal) collection of the usual
unitary gates, plus a gate that introduces ancillary qubits in the |0⟩ state and
a gate that traces out (i.e. discards) qubits. For simplicity we assume that all
Hilbert spaces we encounter are composed of qubits, though this is not essential
to our results. We use this circuit model because it can (approximately) represent
any quantum channel and in the case of efficient quantum circuits the size of this
representation is polynomial in the number of input qubits. Using circuits does not
(significantly) restrict the applicability of our hardness results: they apply also
in any model that can efficiently simulate the circuit model.

2.1 QMA
A promise problem P = (Pyes , Pno ) ∈ QMA if there is a quantum poly-time
verifier V such that
1. if x ∈ Pyes , then there exists a witness ρ such that Pr[V accepts ρ] ≥ 1 − ε,
2. if x ∈ Pno , then for any state ρ, Pr[V accepts ρ] ≤ ε.
The exact value of ε is not significant: any ε < 1/2 that is at least an inverse
polynomial suffices [13].
Let P be an arbitrary promise problem in QMA, and let x be an arbitrary
input string. Our goal will be to encode the QMA-hard problem of deciding P
into the problem of detecting an insecure encryption circuit. To do this it will
be convenient to represent the verifier as a unitary circuit V , which represents
the algorithm of the verifier in a QMA protocol on some input x. We may “hard-
code” the input string x into the circuit for V , since the circuit V needs only to
be efficiently generated given x. The algorithm implemented by the verifier in
an arbitrary QMA protocol is as follows: the verifier receives a witness state |ψ⟩,
applies the unitary V on the witness state and any ancillary qubits needed, and
finally measures the first output qubit to decide whether or not to accept. Any
qubits not measured are traced out. One of the main results of this paper is a
reduction from an arbitrary QMA verifier to the problem of testing the behaviour
of quantum circuits.

2.2 Private Quantum Channels


Quantum channels that are secure against eavesdroppers are those channels for
which the input state cannot be determined by the output. These channels can
also be viewed as encryption systems: the key is the environment, which, when
combined with the output state, allows the input to be recovered. We restrict
attention to the private channels that allow the input to be recovered not with
the quantum state of the environment but instead with a classical key that can
be pre-shared between two parties. These channels, called private channels, were
introduced and studied in [2,4].
An important example of a private quantum channel is the completely depo-
larizing channel. This is the channel Ω that maps any input to the completely
mixed state. This channel can be efficiently implemented by applying a ran-
dom Pauli operator to each qubit. In order to use the completely depolarizing
channel as a private channel we must add a key. This can be done by apply-
ing a key-selected Pauli operator to each of the input qubits. We will refer to
this channel as Ωk when a specific key is used. Notice that if Ωk ∈ T(H), then
|k| = 2 log dim H, i.e. we use two key bits for each encrypted qubit. In the case of
a perfect encryption channel this key rate is optimal [2,4,5]. When k is unknown
and uniformly distributed, the channel Ω_k is identical to Ω, i.e. if the key k is
uniformly distributed in {1, . . . , K} we have Σ_k Ω_k / K = Ω.
We use the following definition of a private quantum channel (i.e. secure en-
cryption).
Definition 2. Let E be a channel that takes inputs k ∈ {1, . . . , K} and a state
in H and produces an output in K, where dim H ≤ dim K. For fixed k we write
E_k(·) = E(k, ·). E is ε-private if
1. There exists a polynomial-size circuit D : {1, . . . , K} ⊗ D(K) → D(H) such
that for all k, ‖D_k ∘ E_k − 1_H‖_⋄ ≤ ε.
2. Without k, the output of E is random, i.e. ‖Σ_k E_k / K − Ω‖_⋄ ≤ ε.
The use of the diamond norm in this definition is significant: we require that
both conditions hold even for part of an entangled state. Specifically, a channel
satisfying this definition both preserves the entanglement of any encrypted state
and remains secure even against an entangled eavesdropper. We use this strong
definition because one of the main results of the paper is a hardness result: distin-
guishing secure and insecure encryption is hard even when the secure encryption
is promised to be secure in this model. Our results are also true in the weaker
model using the trace norm.
This definition is a strengthened version of the model used by Ambainis and
Smith [3], who define security in a similar way, but only against adversaries
that are not entangled with the input state. The model considered by Hayden
et al. [8] uses a stronger bound involving the operator norm under which our
hardness result does not apply, as it is ultimately derived from the definition of
QMA, and the probability that the Verifier in a QMA protocol can be made to
accept is more naturally modelled by the trace norm.
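As an added illustration of Section 2.2 (example code written for these notes, not from the paper): a Pauli one-time pad on two qubits, where the key pair (a, b) for each qubit selects X^a Z^b, checked against the two conditions of Definition 2 on constructed test states. Distances are trace norms on specific inputs, which lower-bound the diamond norm rather than compute it; the one-bit-per-qubit variant is a constructed weakening used to show why two key bits per qubit are needed.

```python
"""Pauli one-time pad (the channel Omega_k of Section 2.2) checked against the two
conditions of Definition 2 on constructed two-qubit states.  Added example, not the
paper's code.  The 1-bit-per-qubit pad is a constructed weakening for comparison."""
from itertools import product
import numpy as np

I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)


def trace_norm(m):
    """||M||_tr = sum of the singular values of M (Section 2 of the paper)."""
    return float(np.linalg.svd(m, compute_uv=False).sum())


def kron_all(mats):
    out = np.array([[1.0 + 0j]])
    for m in mats:
        out = np.kron(out, m)
    return out


def pauli_from_key(key, bits_per_qubit):
    """Key-selected Pauli operator on len(key)//bits_per_qubit qubits.
    2 bits per qubit: the pair (a, b) selects X^a Z^b (|k| = 2 log dim H).
    1 bit per qubit: only X^a is available (weakened pad, constructed here)."""
    n = len(key) // bits_per_qubit
    factors = []
    for q in range(n):
        chunk = key[q * bits_per_qubit:(q + 1) * bits_per_qubit]
        p = I2
        if chunk[0]:
            p = X @ p
        if bits_per_qubit == 2 and chunk[1]:
            p = Z @ p
        factors.append(p)
    return kron_all(factors)


def encrypt(rho, key, bits_per_qubit=2):
    """E_k(rho) = P_k rho P_k^*, the channel Omega_k for a fixed key."""
    p = pauli_from_key(key, bits_per_qubit)
    return p @ rho @ p.conj().T


def decrypt(rho, key, bits_per_qubit=2):
    """D_k = E_k^{-1}: Pauli operators are unitary, so conjugate by P_k^*."""
    p = pauli_from_key(key, bits_per_qubit)
    return p.conj().T @ rho @ p


def averaged_channel(rho, n_qubits, bits_per_qubit=2):
    """(1/K) sum_k E_k(rho): what an eavesdropper without the key sees."""
    keys = list(product((0, 1), repeat=n_qubits * bits_per_qubit))
    return sum(encrypt(rho, k, bits_per_qubit) for k in keys) / len(keys)


def privacy_gap(rho, n_qubits, bits_per_qubit=2):
    """|| (1/K) sum_k E_k(rho) - Omega(rho) ||_tr with Omega the completely
    depolarizing channel (output I/2^n).  Zero means rho is hidden."""
    d = 2 ** n_qubits
    avg = averaged_channel(rho, n_qubits, bits_per_qubit)
    return trace_norm(avg - np.eye(d) / d)


def decrypt_error(rho, key, bits_per_qubit=2):
    """|| D_k(E_k(rho)) - rho ||_tr: condition 1 of Definition 2 on one input."""
    back = decrypt(encrypt(rho, key, bits_per_qubit), key, bits_per_qubit)
    return trace_norm(back - rho)


def pure(vec):
    v = np.asarray(vec, dtype=complex)
    v = v / np.linalg.norm(v)
    return np.outer(v, v.conj())


# Constructed two-qubit test states: |00> and |++>.
RHO_00 = pure([1, 0, 0, 0])
RHO_PP = pure([1, 1, 1, 1])

if __name__ == "__main__":
    key = (1, 0, 0, 1)  # constructed key: X on qubit 0, Z on qubit 1
    print("2 bits/qubit, |++>: gap", round(privacy_gap(RHO_PP, 2), 12))
    print("1 bit/qubit,  |00>: gap", round(privacy_gap(RHO_00, 2, 1), 12))
    print("1 bit/qubit,  |++>: gap", round(privacy_gap(RHO_PP, 2, 1), 12))
    print("decrypt error:", round(decrypt_error(RHO_PP, key), 12))
```

The X-only pad hides |00⟩ but leaves |++⟩ untouched (gap 1.5, the full distance between a pure state and I/4), which is exactly the leak the second key bit closes.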

3 Testing Circuits
The problem of testing the behaviour of a circuit can be informally stated as:
given a circuit C decide if the circuit acts like some known circuit C0 on a large
subspace of the input or if the circuit acts like some other known circuit C1
on the whole input space. We use uniform circuit families C0 and C1 as it is
important that the circuits C, C0, and C1 agree on input and output spaces.

Problem 3 (Circuit Testing). Let 0 < ε < 1, 0 < δ ≤ 1, and C0, C1 be two
uniform families of quantum circuits. The input is a circuit C ∈ T(X, Y). Let
C0, C1 be the circuits from C0 and C1 that take as input states on X. The promise
problem is to decide between:

Yes: There exists a subspace S of X with dim S ≥ (dim X)^{1−δ} such that for
any reference space R and any ρ ∈ D(S ⊗ R),

‖(C ⊗ 1_R)(ρ) − (C0 ⊗ 1_R)(ρ)‖_tr ≤ ε.

No: ‖C − C1‖_⋄ ≤ ε, i.e. for any R, ρ ∈ D(H ⊗ R),

‖(C ⊗ 1_R)(ρ) − (C1 ⊗ 1_R)(ρ)‖_tr ≤ ε.

When the values of ε, δ, C0, and C1 are important we will refer to this problem
as CT(ε, δ, C0, C1).

This problem is well-defined only for families C0 and C1 that do not violate
the promise, i.e. any circuits whose output is not too close together. These are
the circuits C0 and C1 such that there does not exist a subspace T of X of
size dim T ≥ (dim X)^δ such that for any input states ρ ∈ D(T ⊗ R) we have
‖(C0 ⊗ 1_R)(ρ) − (C1 ⊗ 1_R)(ρ)‖_tr ≤ 2ε, i.e. there does not exist a large subspace
of pure states on which C0 and C1 produce output that is close together. This
condition can be difficult to verify but for many families of circuits it is easy to
see that they are not too close together. As an example, the application of this
hardness result to detecting insecure encryption takes C0 as the identity and
C1 as the completely depolarizing channel, and these two circuits never agree
on pure states. We show that this problem is QMA-hard for any circuit families
that satisfy this condition.
Note the special case δ = 1: here the CT problem asks if there are any inputs
on which the circuit C behaves like C0 or if it behaves like C1 for all inputs. In
this case the problem is well-defined for any families C0 and C1 that do not agree
on the whole space (up to error 2ε).
Concerning the parameters ε and δ, we may choose ε = 2−p for any polynomial
p using an amplification result for QMA [13] and we may choose δ any constant
satisfying 0 < δ ≤ 1.

3.1 Testing Circuits Is QMA-Hard

To show the hardness of CT we reduce from an arbitrary problem in QMA. This
involves embedding the verifier in a QMA protocol into an instance of CT with
the property that the resulting circuit runs C0 if the Verifier can be made to
accept and runs C1 if the Verifier cannot be made to accept.
Formalizing this notion, let P be an arbitrary promise problem in QMA and
let x be an input string. The QMA-complete problem is to decide whether or
not x ∈ Pyes . Since P ∈ QMA, there exists some unitary circuit V : H ⊗ A → K
which can be constructed efficiently from x such that if x ∈ Pyes , there exists a
pure state |ψ⟩ ∈ H such that measuring the first qubit of V(|ψ⟩ ⊗ |0⟩) results in
|1⟩ with probability at least 1 − ε, whereas if x ∈ Pno, then for any state |ψ⟩ a
measurement of V(|ψ⟩ ⊗ |0⟩) results in |1⟩ with probability at most ε. By using
standard error-reduction techniques for QMA, we may take ε to be negligible
in the size of the circuit for V [13]. Notice that the restriction to pure witness
states |ψ⟩ can be made without loss of generality by a convexity argument.
Our goal is to show that CT is hard for as many choices of parameters as
possible. To this end, let δ > 0 be constant and let C0 and C1 be uniform circuit
families on which the problem CT(3√ε, δ, C0, C1) is well-defined. These are any
families Ci = {Ci,n : n ≥ 1}, where the circuit Ci,n takes an n qubit input state,
such that for any n the circuits C0,n and C1,n do not produce outputs that are
too close together on some large subspace of pure input states. In particular, we
require that for all n, there does not exist a subspace T of the n-qubit input
space X with dim T ≥ (dim X)^δ such that for any states ρ ∈ D(T ⊗ R) we have

‖(C0 ⊗ 1_R)(ρ) − (C1 ⊗ 1_R)(ρ)‖_tr ≤ 6√ε.

The key idea to the reduction is that we construct a circuit that takes an input
state and applies the unitary V to a portion of it, makes a ‘copy’ of the output
bit with a controlled-not gate, and then applies V ∗ . If the result of the QMA
protocol would have been the verifier accepting (i.e. the copy of the output qubit
is measured in the |1⟩ state), then we apply the circuit C0. On the other hand,
if the output qubit was in the |0⟩ state, we apply the circuit C1. The resulting
circuit applies C0 if and only if the input is a state the Verifier in the QMA proof
system accepts. In order to guarantee that the subspace of accepting states is
large enough, we add dummy input qubits that are ignored by the circuit V
but are acted on by either C0 or C1 . By adding enough of these qubits, we can
ensure that if V accepts at least one state then the result is a large subspace of
accepted states.
The full construction of the circuit produced by the reduction is shown in
Figure 1. Before describing the circuit, we fix notation: let C0 and C1 be circuits
drawn from C0 and C1 implementing transformations in T(X , Y ), where X =
F ⊗ H and Y = F ⊗ K, using the spaces H, K from the QMA Verifier for P.
Further, we may let dim F = ⌈(dim H)^{(1−δ)/δ}⌉, since we are free to take any
polynomial number of input qubits to C0 and C1 . We also assume without loss
of generality that these circuits are implemented by circuits that apply unitary
circuits mapping X ⊗ A → Y ⊗ G, where the space A holds any ancillary qubits
needed by the circuit (initially in the |0⟩ state) and the space G represents the
qubits traced out at the end of the computation. Any mixed-state circuit can be
efficiently transformed into a circuit of this form by moving the introduction of
ancillary qubits to the start of the circuit and delaying any partial traces to the
end of the circuit. We may also assume that both the circuit V and the circuits
[Fig. 1 (circuit diagram; elements shown: input ρ, |0⟩ ancilla qubits, V, a controlled-X copy of the output qubit, V*, and the controlled circuits U0 and U1).]

Fig. 1. Circuit output by the reduction. V is the unitary circuit applied by the original
QMA verifier and Ui is the unitary circuit obtained from Ci by removing the gates that
introduce ancillary qubits and trace out qubits.

C0 and C1 use ancillary spaces A, G of the same size, by simply padding the
circuits using a smaller space with unused ancillary qubits.
Let C be the circuit in Figure 1. This circuit takes as input a quantum state
ρ on the space X = F ⊗ H. This circuit first applies V to the portion of ρ
in H as well as any needed ancillary qubits in the space A. Next, the circuit
makes a classical copy of the ‘output bit’ of V , which is used as a control for
the application of the circuits C0 and C1 . The circuit V ∗ is then applied, so that
the result (provided that V accepts or rejects with high probability) is a state
that is close to the input state plus a qubit that indicates whether V accepts
or rejects the input state. The circuit then applies C0 if V accepts and C1 if V
rejects. These circuits use the same ancillary space A as the circuits V and V ∗ ,
but as long as the Verifier V either accepts or rejects the input state with high
probability, these ancillary qubits will be returned to the |0⟩ state, up to trace
distance 2√ε.
Before proving the correctness of the reduction, it will be convenient to write
down some of the states produced by running the constructed circuit C. Let ρ
be an arbitrary input state in D(H ⊗ F) and let |ψ⟩ ∈ H ⊗ F ⊗ R be a purification
of ρ. The order of the spaces H and F has been changed for notational
convenience. Applying the unitary V to the portion of |ψ⟩ in H results in the
state

$$
|\phi\rangle = (V \otimes 1_F \otimes 1_R)(|\psi\rangle \otimes |0\rangle),
$$

where the |0⟩ qubits are in the space A. Then, there exist states |φ_0⟩, |φ_1⟩ on all
but the first qubit of K ⊗ F ⊗ R such that

$$
|\phi\rangle = \sqrt{1-p}\,|0\rangle \otimes |\phi_0\rangle + \sqrt{p}\,|1\rangle \otimes |\phi_1\rangle
$$

where 0 ≤ p ≤ 1 is exactly the probability that the Verifier accepts in the original
protocol on input tr_F ρ. Applying the controlled-not gate results in

$$
|\phi'\rangle = \sqrt{1-p}\,|00\rangle \otimes |\phi_0\rangle + \sqrt{p}\,|11\rangle \otimes |\phi_1\rangle.
$$
We then bound the trace distance of |φ'⟩ to |0⟩|ψ⟩ and |1⟩|ψ⟩. In the case of
|0⟩|ψ⟩ we have

$$
\big\| |\phi'\rangle\langle\phi'| - |0\rangle\langle 0| \otimes |\phi\rangle\langle\phi| \big\|_{\mathrm{tr}}
= 2\sqrt{1 - \big|(\langle 0| \otimes \langle\phi|)\,|\phi'\rangle\big|^2}
= 2\sqrt{1 - (1-p)^2} < 3\sqrt{p}, \qquad (1)
$$

and in the similar case of |1⟩|ψ⟩ we have

$$
\big\| |\phi'\rangle\langle\phi'| - |1\rangle\langle 1| \otimes |\phi\rangle\langle\phi| \big\|_{\mathrm{tr}}
= 2\sqrt{1 - \big|(\langle 1| \otimes \langle\phi|)\,|\phi'\rangle\big|^2}
= 2\sqrt{1 - p^2} < 3\sqrt{1-p}. \qquad (2)
$$

These two equations show that, when p is close to 0 or 1, the fact that we make a
classical copy of the output qubit does not have a large effect on the state of the
system. (This fact can also be argued from the Gentle Measurement Lemma [18].)
The remainder of the circuit then applies V ∗ and, depending on the value of the
control qubit, one of C0 and C1 . We consider two cases, which are argued in two
separate propositions.
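A numerical check of Equations (1) and (2), added here and not part of the paper: it builds |φ⟩ and the CNOT-copied |φ'⟩ from constructed two-qubit states |φ_0⟩, |φ_1⟩, computes the exact trace distances to |0⟩⊗|φ⟩ and |1⟩⊗|φ⟩, and compares them with the closed forms and the 3√p and 3√(1−p) bounds.

```python
"""Check of Equations (1) and (2): trace distance between the CNOT-copied state
|phi'> and |0>|phi> (resp. |1>|phi>) against 2 sqrt(1-(1-p)^2) < 3 sqrt(p) and
2 sqrt(1-p^2) < 3 sqrt(1-p).  Added example; |phi0>, |phi1> are constructed."""
import numpy as np

ZERO = np.array([1, 0], dtype=complex)
ONE = np.array([0, 1], dtype=complex)


def trace_norm(m):
    """||M||_tr = sum of singular values."""
    return float(np.linalg.svd(m, compute_uv=False).sum())


def normalized(vec):
    v = np.asarray(vec, dtype=complex)
    return v / np.linalg.norm(v)


def verifier_state(p, phi0, phi1):
    """|phi> = sqrt(1-p)|0>|phi0> + sqrt(p)|1>|phi1>: the first qubit is V's
    output qubit and p is the acceptance probability."""
    return np.concatenate([np.sqrt(1 - p) * phi0, np.sqrt(p) * phi1])


def cnot_copy(p, phi0, phi1):
    """|phi'> = sqrt(1-p)|00>|phi0> + sqrt(p)|11>|phi1>: a fresh |0> ancilla,
    written first, receives a controlled-not from the output qubit."""
    return (np.sqrt(1 - p) * np.kron(ZERO, np.kron(ZERO, phi0))
            + np.sqrt(p) * np.kron(ONE, np.kron(ONE, phi1)))


def copy_distances(p, phi0, phi1):
    """Exact trace distances of |phi'> to |0>|phi> and |1>|phi>, the closed
    forms of Equations (1) and (2), and the bounds 3 sqrt(p), 3 sqrt(1-p)."""
    phi = verifier_state(p, phi0, phi1)
    phi_c = cnot_copy(p, phi0, phi1)
    rho_c = np.outer(phi_c, phi_c.conj())
    ref0 = np.kron(ZERO, phi)
    ref1 = np.kron(ONE, phi)
    d0 = trace_norm(rho_c - np.outer(ref0, ref0.conj()))
    d1 = trace_norm(rho_c - np.outer(ref1, ref1.conj()))
    return {
        "to_0": d0,
        "closed_0": float(2 * np.sqrt(1 - (1 - p) ** 2)),
        "bound_0": float(3 * np.sqrt(p)),
        "to_1": d1,
        "closed_1": float(2 * np.sqrt(1 - p ** 2)),
        "bound_1": float(3 * np.sqrt(1 - p)),
    }


# Constructed two-qubit states standing in for the rest of K (x) F (x) R.
PHI0 = normalized([1, 2, 0, 1])
PHI1 = normalized([0, 1, 1j, 1])

if __name__ == "__main__":
    for p in (0.01, 0.5, 0.99):
        r = copy_distances(p, PHI0, PHI1)
        print(f"p={p}: to |0>|phi> {r['to_0']:.4f} (closed {r['closed_0']:.4f},"
              f" bound {r['bound_0']:.4f}); to |1>|phi> {r['to_1']:.4f}"
              f" (closed {r['closed_1']:.4f}, bound {r['bound_1']:.4f})")
```

The exact distances agree with the closed forms for every p, and only the bound matching the high-probability outcome is small: for p near 0 the copy barely disturbs |0⟩|φ⟩, for p near 1 it barely disturbs |1⟩|φ⟩.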
Proposition 4. If x ∈ Pyes, then there exists a subspace S of X with dim S ≥
(dim X)^{1−δ} such that for any reference system R and any |ψ⟩ ∈ S ⊗ R

‖(C ⊗ 1_R)(|ψ⟩⟨ψ|) − (C0 ⊗ 1_R)(|ψ⟩⟨ψ|)‖_tr ≤ 3√ε.

Proof. If x ∈ Pyes, then there is some input state |ψ⟩ on which the Verifier
accepts with probability p ≥ 1 − ε. Applying the remainder of the circuit, up to
the partial trace, to the state |1⟩|φ⟩ results in the state |1⟩ ⊗ (U1 ⊗ 1_R)(|ψ⟩ ⊗ |0⟩).
Tracing out the space G as well as the copy of the output qubit results in exactly
the state tr_G (U1 ⊗ 1_R)(|ψ⟩⟨ψ| ⊗ |0⟩⟨0|)(U1* ⊗ 1_R) = (C1 ⊗ 1_R)(|ψ⟩⟨ψ|). This is
not quite equal to the output of the constructed circuit C, however, as we have
replaced the state |φ'⟩ with the state |1⟩|φ⟩. However, using the monotonicity of
the trace norm under quantum operations, the remainder of the circuit cannot
increase the norm, and so by Equation (2) we have

$$
\big\| (C \otimes 1_R)(|\psi\rangle\langle\psi|) - (C_0 \otimes 1_R)(|\psi\rangle\langle\psi|) \big\|_{\mathrm{tr}} \le 3\sqrt{1-p} \le 3\sqrt{\varepsilon}. \qquad (3)
$$

It remains to show that this occurs on a large subspace of X = H ⊗ F. Since
we have assumed the Verifier V accepts with high probability on the state |ψ⟩,
this implies that there is some state |γ⟩ ∈ H for which V also accepts with
probability at least 1 − ε, as V ignores the qubits in F. Then, since |ψ⟩ was
arbitrary, Equation (3) also applies to |γ⟩ ⊗ |ξ⟩ ∈ H ⊗ F for any state |ξ⟩ ∈ F.
The subspace S of states whose reduced state on H is equal to |γ⟩ has dimension
dim F. Then, since dim F = ⌈(dim H)^{(1−δ)/δ}⌉, we have

$$
\dim X = \dim H \otimes F \le (\dim F)^{\delta/(1-\delta)} \dim F = (\dim F)^{1/(1-\delta)},
$$

which implies that dim F ≥ (dim X)^{1−δ}, as required. Thus, when x ∈ Pyes the
Verifier V can be made to accept, and so the result is a yes instance of CT. □
The remaining case is when x ∈ Pno, i.e. the Verifier V rejects every state with
high probability.


Proposition 5. If x ∈ Pno then ‖C − C1‖_⋄ ≤ 3√ε.

Proof. This proof is similar to the proof of Proposition 4. If x ∈ Pno, then V
accepts any state |ψ⟩ with probability p ≤ ε. If we consider applying V* and the
remainder of the circuit to the state |0⟩|φ⟩, the result is (C1 ⊗ 1_R)(|ψ⟩⟨ψ|),
similarly to the previous case. Once again, we do not run the circuit
on this state, but the state |φ'⟩ which is very close to it. Once again we
apply the monotonicity of the trace norm and Equation (1) to show that
‖(C ⊗ 1_R)(|ψ⟩⟨ψ|) − (C1 ⊗ 1_R)(|ψ⟩⟨ψ|)‖_tr ≤ 3√p ≤ 3√ε. Since this equation
applies for all reference systems R and all states |ψ⟩, this proves that if x ∈ Pno,
then we have ‖C − C1‖_⋄ ≤ 3√ε. □

Taken together, these two propositions prove the hardness of the CT problem.
Note once again that in order for the CT problem to be well defined (i.e. the
set of ‘yes’ instances does not intersect the set of ‘no’ instances) we require that
circuits from the two families are not too close together on any large subspaces
of pure inputs. See the discussion following Problem 3 for a technical condition
that is equivalent to this requirement. It is straightforward to verify that the
reduction is efficient.
Theorem 6. CT(ε, δ, C0 , C1 ) is QMA-hard for any 0 < ε < 1 with ε ≥ 2−p for
some polynomial p, any constant 0 < δ ≤ 1, and any uniform circuit families C0 ,
C1 for which the problem is well-defined.

3.2 Applications
In this section we apply Theorem 6 to prove the hardness of some new and old
problems.
The first problem we consider is a slightly generalized version of the problem
Non-identity Check of [10], whose authors show that it is QMA-complete. Our version
of the problem differs in that we do not require that the input circuit C
is unitary. We do require, however, that if C deviates from the identity, then it
does so in a way similar to some efficient unitary circuit U . This restriction is
not needed for hardness but it is not clear that the problem is in QMA without
it.
Problem 7 (Mixed Non-identity Check [10]). Let 0 < ε < 1. On input
C ∈ T(X, X):
Yes: ‖C − 1‖_⋄ ≥ 2 − ε and there exists an efficient unitary U such that on
some pure state |ψ⟩ ∈ X we have ‖C(|ψ⟩⟨ψ|) − U|ψ⟩⟨ψ|U*‖_tr ≤ ε and
‖U|ψ⟩⟨ψ|U* − |ψ⟩⟨ψ|‖_tr ≥ 2 − ε.
No: ‖C − 1‖_⋄ ≤ ε.
The QMA-hardness of this problem follows from Theorem 6 and the fact that
CT(ε, 1, U, 1) is a special case of the problem, where U is any uniform family of
quantum circuits that are not close to the identity (one example are the circuits
that apply Pauli X to the first qubit).

The next problem we consider is the problem of detecting whether a (mixed-
state) circuit is close to an isometry, which was shown to be QMA-complete
in [15].
Problem 8 (Non-isometry [15]). Let 0 < ε < 1/2. On input a circuit C ∈
T(X, Y):
Yes: There exists |ψ⟩ ∈ X such that ‖(Φ ⊗ 1_X)(|ψ⟩⟨ψ|)‖_∞ ≤ ε,
No: For all |ψ⟩ ∈ X, ‖(Φ ⊗ 1_X)(|ψ⟩⟨ψ|)‖_∞ ≥ 1 − ε.
Theorem 6 shows the QMA-hardness of this problem, as CT(ε, 1, Ω, 1) is a special
case, where Ω is the completely depolarizing channel. The norm ‖·‖_∞ used in
this problem is the operator norm.
We can also apply Theorem 6 to show the hardness of the problem of deter-
mining if a channel has a pure fixed point. This problem can be stated as follows.

Problem 9 (Pure Fixed Point). Let 0 < ε < 1. On input a circuit C ∈
T(X, X):
Yes: There exists |ψ⟩ ∈ X such that ‖C(|ψ⟩⟨ψ|) − |ψ⟩⟨ψ|‖_tr ≤ ε
No: For any |ψ⟩ ∈ X, ‖C(|ψ⟩⟨ψ|) − |ψ⟩⟨ψ|‖_tr ≥ 2 − ε
The QMA-hardness of this problem follows from the fact that CT(ε, 1, 1, Ω) is
a special case.

4 Detecting Insecure Encryption

In this section we consider the problem of detecting when a two-party symmetric
key quantum encryption system is insecure. We first use Theorem 6 to show
that this problem is hard, and then give a QMA-verifier to show that it is QMA-
complete.

Problem 10 (Detecting Insecure Encryption). For $0 < \varepsilon < 1$ and $0 < \delta \le 1$ an instance of the problem consists of a quantum circuit $E$ that takes as input a quantum state as well as $m$ classical bits, such that for each $k \in \{0,1\}^m$ the circuit implements a quantum channel $E_k \in T(\mathcal{H}, \mathcal{K})$ with $\dim\mathcal{K} \ge \dim\mathcal{H}$. The promise problem is to decide between:
Yes: There exists a subspace $S$ of $\mathcal{H}$ with $\dim S \ge (\dim\mathcal{H})^{1-\delta}$ such that for any reference space $\mathcal{R}$, any $\rho \in D(S \otimes \mathcal{R})$, and any key $k$, $\|(E_k \otimes \mathbb{1}_{\mathcal{R}})(\rho) - \rho\|_{tr} \le \varepsilon$.
No: $E$ is an $\varepsilon$-private channel, i.e. $\left\|\Omega - \frac{1}{2^m}\sum_{k \in \{0,1\}^m} E_k\right\|_\diamond \le \varepsilon$, where $\Omega$ is the completely depolarizing channel in $T(\mathcal{H}, \mathcal{K})$, and there exists a polynomial-size quantum circuit $D$ such that for all $k$ we have $\|D_k \circ E_k - \mathbb{1}_{\mathcal{H}}\|_\diamond \le \varepsilon$.
For specific values of $\varepsilon$ and $\delta$, we refer to this problem as $DI_{\varepsilon,\delta}$.

Theorem 11. DIε,δ is QMA-hard for all 0 < ε < 1/2 and all 0 < δ ≤ 1.
Proof. Let $E_k = \{\Omega_{k,n}\}$ where $\Omega_{k,n}$ is the $n$-qubit channel that applies the $k$th Pauli operator to the input qubits. Averaging over all keys $k$ results in the completely depolarizing channel on $n$ qubits. Then, Theorem 6 implies that $CT(\varepsilon, \delta, \mathbb{1}_k, E_k)$ is hard for QMA, where $\mathbb{1}_k$ is the channel that discards the key $k$ and does nothing to the quantum input. The problem $CT(\varepsilon, \delta, \mathbb{1}_k, E_k)$ is a modification of the problem $CT$ to include both a quantum input as well as a classical input $k$. This is done by including $k$ as part of the quantum input that is immediately measured in the computational basis. $CT(\varepsilon, \delta, \mathbb{1}_k, E_k)$ remains hard after this modification.
The QMA-hardness of $DI_{\varepsilon,\delta}$ then follows from the fact that the problem of detecting insecure encryption is $CT(\varepsilon, \delta, \mathbb{1}_k, E_k)$ with a weakened promise. Since the sets of ‘yes’ instances of the two problems are identical, we need only verify the ‘no’ instances. Let the circuit $C \in T(\mathcal{H}, \mathcal{K})$ be a ‘no’ instance of $CT(\varepsilon, \delta, \mathbb{1}_k, E_k)$ and let $C_k(\cdot) = C(|k\rangle\langle k| \otimes \cdot)$ be the circuit defined by hardcoding the ‘key’ portion of the input space. Then, for any input $\rho$ and any key $k$, we have $\|C_k - \Omega_k\|_\diamond \le \varepsilon$, since this follows for the versions of these circuits without a hardcoded key (which is just a restriction of the input space). The triangle inequality then implies $\left\|\Omega - \sum_k C_k/2^m\right\|_\diamond \le \sum_k \|\Omega_k - C_k\|_\diamond / 2^m \le \varepsilon$, which is the property required by ‘no’ instances of $DI$. To see further that the output of $C_k$ can be decrypted with knowledge of $k$, observe that $\Omega_k^{-1} \circ \Omega_k = \mathbb{1}$, and so
$$\left\|\Omega_k^{-1} \circ C_k - \mathbb{1}\right\|_\diamond = \left\|\Omega_k^{-1} \circ C_k - \Omega_k^{-1} \circ \Omega_k\right\|_\diamond \le \|C_k - \Omega_k\|_\diamond \le \varepsilon,$$
which implies that instances of $CT(\varepsilon, \delta, \mathbb{1}_k, E_k)$ are equivalent to instances of $DI_{\varepsilon,\delta}$. □

4.1 QMA Protocol


To test the security of an encryption system in QMA the Verifier needs a tool to compare two quantum states. Such a tool is provided by the swap test, introduced in [6], though here we essentially use it to test the purity of quantum states as is done in [7]. The swap test is an efficient procedure that makes the projective measurement onto the symmetric and antisymmetric subspaces of a bipartite space. Let $W$ be the swap operation on $\mathcal{H} \otimes \mathcal{H}$, i.e. $W(|\psi\rangle \otimes |\phi\rangle) = |\phi\rangle \otimes |\psi\rangle$ for all $|\psi\rangle, |\phi\rangle \in \mathcal{H}$. The swap test performs the two-outcome projective measurement given by the projection onto the symmetric subspace, $(\mathbb{1}_{\mathcal{H}\otimes\mathcal{H}} + W)/2$, and the projection onto the antisymmetric subspace, $(\mathbb{1}_{\mathcal{H}\otimes\mathcal{H}} - W)/2$.
Given two pure states $|\psi\rangle, |\phi\rangle$, the swap test returns the symmetric outcome with probability $(1 + |\langle\psi|\phi\rangle|^2)/2$. Applied to mixed states $\rho, \sigma$ the result is symmetric with probability $(1 + \mathrm{tr}(\rho\sigma))/2$ [7]. This implies that given two copies the swap test can estimate the purity of a state.
The idea behind the protocol is that if the encryption system specified by $E$ is insecure then, regardless of the key, it acts trivially on some subspace of the input. In this case a proof consists of two copies of some pure state in this subspace. The Verifier runs $E$ on both of these states and uses the swap test to check that they have not been changed. In the case that the circuit is insecure, this proof state will cause the Verifier to obtain the symmetric outcome with probability approaching 1.
If E represents a secure encryption system, then without knowledge of the key,
the output of E is close to the completely mixed state, regardless of the input
state. In this case the Verifier performs the swap test on two highly mixed states
and the result is antisymmetric with probability close to 1/2. This protocol can
be formalized as follows.
Protocol 12. On input a circuit $E : \{1, \dots, K\} \otimes D(\mathcal{H}) \to D(\mathcal{K})$, an instance of $DI_{\varepsilon,\delta}$, as well as a quantum proof $|\phi\rangle$ in $D((\mathcal{H} \otimes \mathcal{R})^{\otimes 2})$ (where $\dim\mathcal{R} = \dim\mathcal{H}$):
1. The Verifier generates random keys $k_1, k_2 \in \{1, \dots, K\}$.
2. The Verifier applies $(E_{k_1} \otimes \mathbb{1}_{\mathcal{R}}) \otimes (E_{k_2} \otimes \mathbb{1}_{\mathcal{R}})$ to the state $|\phi\rangle$.
3. The Verifier applies the swap test, accepting if the outcome is symmetric.
The space $\mathcal{R}$ appears in this protocol, and Problem 10 places no upper bound on its dimension; by the properties of the diamond norm, however, we may take $\dim\mathcal{R} = \dim\mathcal{H}$ without loss of generality.
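The swap test and Protocol 12 in miniature, as an added example written for this page (it is not code from the paper). Matrices are plain nested Python lists so the script runs without any library. `swap_test_symmetric_prob` evaluates $\mathrm{tr}[\tfrac{1}{2}(\mathbb{1} + W)(\rho \otimes \sigma)]$ directly, so it can be checked against the closed form $(1 + \mathrm{tr}(\rho\sigma))/2$ quoted above; `protocol_accept_prob` then runs the three steps of the protocol with the proof $|\psi\rangle \otimes |\psi\rangle$ against two circuits: `insecure_channel`, a hypothetical circuit that ignores its key, and `pauli_pad`, the Pauli one-time pad from the proof of Theorem 11, whose average over keys is the completely depolarizing channel. Omitting the reference system $\mathcal{R}$ and using the proof state $|+\rangle$ are assumptions made here for brevity.

```python
# Added example (not from the paper): swap test on density matrices and a
# miniature Protocol 12 run, with matrices as nested Python lists.
import itertools


def matmul(a, b):
    """Matrix product of two nested-list matrices."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def kron(a, b):
    """Tensor (Kronecker) product of two square matrices."""
    da, db = len(a), len(b)
    return [[a[i // db][j // db] * b[i % db][j % db] for j in range(da * db)]
            for i in range(da * db)]


def dagger(a):
    """Conjugate transpose."""
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]


def trace(a):
    return sum(a[i][i] for i in range(len(a)))


def identity(d):
    return [[1.0 if i == j else 0.0 for j in range(d)] for i in range(d)]


def density(vec):
    """Pure-state density matrix |v><v| of a normalised state vector."""
    return [[x * y.conjugate() for y in vec] for x in vec]


def conjugate_by(u, rho):
    """The channel rho -> U rho U^dagger implemented by a unitary circuit U."""
    return matmul(matmul(u, rho), dagger(u))


def swap_matrix(d):
    """W on H (x) H with W(|a>|b>) = |b>|a>, dim H = d."""
    w = [[0.0] * (d * d) for _ in range(d * d)]
    for a in range(d):
        for b in range(d):
            w[b * d + a][a * d + b] = 1.0   # column |a,b> is sent to row |b,a>
    return w


def swap_test_symmetric_prob(rho, sigma):
    """Probability of the symmetric outcome, tr[(1 + W)/2 (rho (x) sigma)].

    This equals (1 + tr(rho sigma))/2, so two copies of a state reveal its purity."""
    d = len(rho)
    eye, w = identity(d * d), swap_matrix(d)
    proj = [[(eye[i][j] + w[i][j]) / 2 for j in range(d * d)] for i in range(d * d)]
    return trace(matmul(proj, kron(rho, sigma))).real


# Single-qubit Paulis I, X, Y, Z; a key digit in 0..3 selects one per qubit.
PAULI = [[[1, 0], [0, 1]], [[0, 1], [1, 0]], [[0, -1j], [1j, 0]], [[1, 0], [0, -1]]]


def pauli_string(key):
    """Tensor product of the Paulis selected by the key digits."""
    u = PAULI[key[0]]
    for digit in key[1:]:
        u = kron(u, PAULI[digit])
    return u


def pauli_pad(key, rho):
    """E_k of the quantum one-time pad: apply the Pauli string selected by k.
    Averaged over all keys this is the completely depolarizing channel (a 'no' instance)."""
    return conjugate_by(pauli_string(key), rho)


def insecure_channel(key, rho):
    """Hypothetical circuit that ignores its key and leaves the input untouched (a 'yes' instance)."""
    return rho


def protocol_accept_prob(channel, rho, nqubits):
    """Protocol 12 with proof |psi>|psi> and no reference system (an assumption made here):
    the Verifier draws keys k1, k2 uniformly, applies E_k1 (x) E_k2 and accepts on the
    symmetric swap-test outcome.  Returns the acceptance probability averaged over all key pairs."""
    keys = list(itertools.product(range(4), repeat=nqubits))
    total = 0.0
    for k1 in keys:
        for k2 in keys:
            total += swap_test_symmetric_prob(channel(k1, rho), channel(k2, rho))
    return total / len(keys) ** 2


if __name__ == "__main__":
    plus = density([2 ** -0.5, 2 ** -0.5])          # |+><+|, a constructed proof state
    print("insecure E accepted with prob", protocol_accept_prob(insecure_channel, plus, 1))
    print("Pauli pad accepted with prob  ", protocol_accept_prob(pauli_pad, plus, 1))
```

Because the acceptance probability is linear in each of the two encrypted copies, averaging over the key pairs is the same as running the swap test on the key-averaged state, which for the Pauli pad is the completely mixed state of dimension $d$; the script therefore reports $(1 + 1/d)/2$ for the pad and 1 for the key-ignoring circuit, the gap that Proposition 13 exploits.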
Proposition 13. For 0 < ε < 1/8, Protocol 12 is a QMA protocol for DIε,δ .

Proof. If $E$ is a ‘yes’ instance of $DI_{\varepsilon,\delta}$, then there exists a state $|\psi\rangle \in \mathcal{H} \otimes \mathcal{R}$ such that for any key $k \in \{1, \dots, K\}$ we have $\|\hat{E}_k(|\psi\rangle\langle\psi|) - |\psi\rangle\langle\psi|\|_{tr} \le \varepsilon$, where throughout this proof we use the shorthand notation $\hat{E}_k = E_k \otimes \mathbb{1}_{\mathcal{R}}$. Let the input state be $|\phi\rangle = |\psi\rangle \otimes |\psi\rangle$. Fixing notation further, let $\hat{E}_k(|\psi\rangle\langle\psi|) = \sigma_k$. Applying $\hat{E}_{k_1} \otimes \hat{E}_{k_2}$ to $|\psi\rangle \otimes |\psi\rangle$ results in a state $\sigma_{k_1} \otimes \sigma_{k_2}$ that satisfies
$$\|\sigma_{k_1} \otimes \sigma_{k_2} - |\psi\rangle\langle\psi| \otimes |\psi\rangle\langle\psi|\|_{tr} \le 2\varepsilon,$$
which follows from the triangle inequality. Then, since the state $|\psi\rangle\langle\psi| \otimes |\psi\rangle\langle\psi|$ is symmetric and the swap test performs a projective measurement, Lemma 1 implies that the swap test returns the symmetric outcome on $\sigma_{k_1} \otimes \sigma_{k_2}$ with probability at least $1 - 2\varepsilon$. This implies that when the circuit $E$ is not secure the Verifier accepts with high probability.
It remains to show that when the circuit $E$ is a ‘no’ instance of $DI_{\varepsilon,\delta}$ the Verifier does not accept any proof state with high probability. In this case $\left\|\frac{1}{K}\sum_{k=1}^{K} E_k - \Omega\right\|_\diamond \le \varepsilon$. Once more, a straightforward argument using the triangle inequality can be used to argue that the tensor product of two copies satisfies the equation $\left\|\frac{1}{K^2}\sum_{k,j=1}^{K} E_k \otimes E_j - \Omega \otimes \Omega\right\|_\diamond \le 2\varepsilon$. This implies that regardless of the proof state $|\psi\rangle$ the input to the swap test is within trace distance $2\varepsilon$ of the completely mixed state. On such a state, Lemma 1 implies that the swap test returns the symmetric outcome with probability at most $1/2 - \mathrm{tr}[(\mathbb{1}_{\mathcal{K}}/\dim\mathcal{K})^2]/2 + 2\varepsilon = 1/2 - 1/(2\dim\mathcal{K}) + 2\varepsilon$, and so the probability the Verifier accepts is bounded above by $1/2 + 2\varepsilon$. Thus, when $\varepsilon < 1/8$, there is a constant gap between the acceptance probabilities in the two cases. □
Combining the previous Proposition with Theorem 11 we obtain the main result.

Theorem 14. For 0 < ε < 1/8 and 0 < δ ≤ 1, the problem DIε,δ is QMA-
complete.
Acknowledgements. I am grateful for discussions with Markus Grassl, Matthew McKague, and Lana Sheridan. BR is supported by the Centre for Quantum Technologies, which is funded by the Singapore Ministry of Education and National Research Foundation.

References
1. Aharonov, D., Kitaev, A., Nisan, N.: Quantum circuits with mixed states. In: Proc.
30th STOC, pp. 20–30 (1998)
2. Ambainis, A., Mosca, M., Tapp, A., de Wolf, R.: Private quantum channels. In:
Proc. 41st FOCS, pp. 547–553 (2000)
3. Ambainis, A., Smith, A.: Small Pseudo-random Families of Matrices: Derandomiz-
ing Approximate Quantum Encryption. In: Jansen, K., Khanna, S., Rolim, J.D.P.,
Ron, D. (eds.) RANDOM 2004 and APPROX 2004. LNCS, vol. 3122, pp. 249–260.
Springer, Heidelberg (2004)
4. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev.
A 67(4), 042317 (2003)
5. Braunstein, S., Lo, H.K., Spiller, T.: Forgetting qubits is hot to do (1999)
(unpublished manuscript)
6. Buhrman, H., Cleve, R., Watrous, J., de Wolf, R.: Quantum fingerprinting. Phys.
Rev. Lett. 87(16), 167902 (2001)
7. Ekert, A.K., Alves, C.M., Oi, D.K., Horodecki, M., Horodecki, P., Kwek, L.C.:
Direct estimations of linear and nonlinear functionals of a quantum state. Phys.
Rev. Lett. 88(21), 217901 (2002)
8. Hayden, P., Leung, D., Shor, P.W., Winter, A.: Randomizing quantum states: con-
structions and applications. Commun. Math. Phys. 250, 371–391 (2004)
9. Helstrom, C.W.: Detection theory and quantum mechanics. Inform. Control 10(3),
254–291 (1967)
10. Janzing, D., Wocjan, P., Beth, T.: “Non-identity-check” is QMA-complete. Int. J.
Quantum Inf. 3(3), 463–473 (2005)
11. Kempe, J., Kitaev, A., Regev, O.: The complexity of the local Hamiltonian problem.
SIAM J. Comput. 35(5), 1070–1097 (2006)
12. Liu, Y.-K.: Consistency of Local Density Matrices Is QMA-Complete. In: Díaz, J., Jansen, K., Rolim, J.D.P., Zwick, U. (eds.) APPROX 2006 and RANDOM 2006. LNCS, vol. 4110, pp. 438–449. Springer, Heidelberg (2006)
13. Marriott, C., Watrous, J.: Quantum Arthur-Merlin games. Comp. Compl. 14(2),
122–152 (2005)
14. Rosgen, B., Watrous, J.: On the hardness of distinguishing mixed-state quantum
computations. In: Proc. 20th CCC, pp. 344–354 (2005)
15. Rosgen, B.: Testing Non-isometry Is QMA-Complete. In: van Dam, W., Kendon,
V.M., Severini, S. (eds.) TQC 2010. LNCS, vol. 6519, pp. 63–76. Springer,
Heidelberg (2011)
16. Schuch, N., Cirac, I., Verstraete, F.: Computational difficulty of finding matrix
product ground states. Phys. Rev. Lett. 100(25), 250501 (2008)
17. Schuch, N., Verstraete, F.: Computational complexity of interacting electrons and
fundamental limitations of density functional theory. Nat. Phys. 5(10), 732–735
(2009)
18. Winter, A.: Coding theorem and strong converse for quantum channels. IEEE T.
Inform. Theory 45(7), 2481–2485 (1999)
Search by Quantum Walks on Two-Dimensional Grid without Amplitude Amplification

Andris Ambainis, Artūrs Bačkurs, Nikolajs Nahimovs, Raitis Ozols, and Alexander Rivosh

Faculty of Computing, University of Latvia, Raina bulv. 19, Riga, LV-1586, Latvia

Abstract. We study search by quantum walk on a finite two-dimensional grid. The algorithm of Ambainis, Kempe, Rivosh [AKR05] uses $O(\sqrt{N \log N})$ steps and finds a marked location with probability $O(1/\log N)$ for grid of size $\sqrt{N} \times \sqrt{N}$. This probability is small, thus [AKR05] needs amplitude amplification to get $\Theta(1)$ probability. The amplitude amplification adds an additional $O(\sqrt{\log N})$ factor to the number of steps, making it $O(\sqrt{N}\log N)$.
In this paper, we show that despite a small probability to find a marked location, the probability to be within $O(\sqrt{N})$ neighbourhood (at $O(\sqrt[4]{N})$ distance) of the marked location is $\Theta(1)$. This allows to skip amplitude amplification step and leads to $O(\sqrt{\log N})$ speed-up.

1 Introduction

Quantum walks are quantum counterparts of random walks [Amb03, Kem03]. They have been useful to design quantum algorithms for a variety of problems [CC+03, Amb04, Sze04, AKR05, MSS05, BS06]. In many of those applications, quantum walks are used as a tool for search.
To solve a search problem using quantum walks, we introduce marked loca-
tions corresponding to elements of the search space we want to find. We then
perform a quantum walk on search space with one transition rule at unmarked
locations and another transition rule at marked locations. If this process is set
up properly, it leads to a quantum state in which marked locations have higher
probability than unmarked ones. This method of search using quantum walks
was first introduced in [SKW03] and has been used many times since then.
We study spatial search on a finite two-dimensional grid [Ben02, AA03, AKR05]. In this problem, we have a grid of size $\sqrt{N} \times \sqrt{N}$ on which some locations are marked. In one time step, we are allowed to examine the current location or move one step on the grid. The task is to find a marked location.
Ambainis et al. [AKR05] showed that this problem can be solved via quantum walk. Namely, after $O(\sqrt{N \log N})$ steps a quantum walk on 2D grid with one or two marked locations reaches a state that is significantly different from the

AB and RO are supported by FP7 FET-Open project QCS. AA, NN
and AR are supported by the European Social Fund within the project
2009/0216/1DP/1.1.1.2.0/09/APIA/VIAA/044.

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 87–97, 2013.
© Springer-Verlag Berlin Heidelberg 2013
state of a quantum walk with no marked location. If this state is measured, the probability to obtain a marked location is $O(1/\log N)$. This probability is small, thus [AKR05] uses amplitude amplification. Amplitude amplification adds an additional $O(\sqrt{\log N})$ factor to the number of steps, making it $O(\sqrt{N}\log N)$.
In the case of a two-dimensional grid it is logical to examine not only the marked location but also its close neighbourhood. We show that despite a small probability to find the marked location, the probability to be within $O(\sqrt{N})$ neighbourhood, i.e. at $O(\sqrt[4]{N})$ distance from the marked location, is $\Omega(1)$. This allows us to skip the amplitude amplification step and leads to $O(\sqrt{\log N})$ speed-up.
Similar speed-up has already been achieved by other research groups, by different methods. Their approaches to this problem are based on modification of the original algorithm [Tul08] or of both the algorithm and the structure of the grid [KM+10]. Our result shows that the improvement of the running time to $O(\sqrt{N \log N})$ can be achieved without any modifications to the quantum algorithm, with just a simple classical post-processing.

2 Quantum Walks in Two Dimensions


Suppose we have $N$ items arranged on a two dimensional lattice of size $\sqrt{N} \times \sqrt{N}$. We will also denote $n = \sqrt{N}$. The locations on the lattice are labelled by their $x$ and $y$ coordinate as $(x, y)$ for $x, y \in \{0, \dots, n-1\}$. We assume that the grid has periodic boundary conditions. For example, going right from a location $(n-1, y)$ on the right edge of the grid leads to the location $(0, y)$ on the left edge of the grid.
To define a quantum walk, we add an additional "coin" register with four states, one for each direction: $|\Uparrow\rangle$, $|\Downarrow\rangle$, $|\Leftarrow\rangle$ and $|\Rightarrow\rangle$. At each step we perform a unitary transformation on the extra register and then evolve the system according to the state of the coin register. Thus, the basis states of quantum walk are $|i, j, d\rangle$ for $i, j \in \{0, \dots, n-1\}$, $d \in \{\Uparrow, \Downarrow, \Leftarrow, \Rightarrow\}$ and the state of quantum walk is given by:
$$|\psi(t)\rangle = \sum_{i,j}\left(\alpha_{i,j,\Uparrow}|i,j,\Uparrow\rangle + \alpha_{i,j,\Downarrow}|i,j,\Downarrow\rangle + \alpha_{i,j,\Leftarrow}|i,j,\Leftarrow\rangle + \alpha_{i,j,\Rightarrow}|i,j,\Rightarrow\rangle\right) \quad (1)$$
A step of the coined quantum walk is performed by first applying $I \times C$, where $C$ is unitary transform on the coin register. The most often used transformation on the coin register is the Grover's diffusion transformation $D$:
$$D = \frac{1}{2}\begin{pmatrix} -1 & 1 & 1 & 1 \\ 1 & -1 & 1 & 1 \\ 1 & 1 & -1 & 1 \\ 1 & 1 & 1 & -1 \end{pmatrix} \quad (2)$$
Then, we apply the shift transformation $S$:
$$|i,j,\Uparrow\rangle \to |i,j-1,\Downarrow\rangle, \qquad |i,j,\Downarrow\rangle \to |i,j+1,\Uparrow\rangle, \qquad |i,j,\Leftarrow\rangle \to |i-1,j,\Rightarrow\rangle, \qquad |i,j,\Rightarrow\rangle \to |i+1,j,\Leftarrow\rangle \quad (3)$$
Notice that after moving to an adjacent location we change the value of the direction register to the opposite. This is necessary for the quantum walk algorithm of [AKR05] to work.
We start quantum walk in the state
$$|\psi(0)\rangle = \frac{1}{2\sqrt{N}}\sum_{i,j}\left(|i,j,\Uparrow\rangle + |i,j,\Downarrow\rangle + |i,j,\Leftarrow\rangle + |i,j,\Rightarrow\rangle\right)$$
It can be easily verified that the state of the walk stays unchanged, regardless of the number of steps. To use quantum walk as a tool for search, we "mark" some locations. In unmarked locations, we apply the same transformations as above. In marked locations, we apply $-I$ instead of $D$ as the coin flip transformation. The shift transformation remains the same in both marked and unmarked locations.
If there are marked locations, the state of this process starts to deviate from $|\psi(0)\rangle$. It has been shown [AKR05] that after $O(\sqrt{N \log N})$ steps the inner product $\langle\psi(t)|\psi(0)\rangle$ becomes close to 0.
In case of one or two marked locations the [AKR05] algorithm finds a marked location with $O(1/\log N)$ probability. For multiple marked locations this is not always the case. There exist marked location configurations for which quantum walk fails to find any of the marked locations [AR08].

3 Results
In this paper we examine a single marked location case only. However, we note that numerical experiments give very similar results in the case of multiple marked locations.
Suppose we have an $\sqrt{N} \times \sqrt{N}$ grid with one marked location. The [AKR05] algorithm takes $O(\sqrt{N \log N})$ steps and finds the marked location with $O(1/\log N)$ probability. The algorithm then uses amplitude amplification to get $\Theta(1)$ probability. The amplitude amplification adds an additional $O(\sqrt{\log N})$ factor to the number of steps, making it $O(\sqrt{N}\log N)$.
Performing numerical experiments with [AKR05] algorithm, we have noticed that probability to be close to the marked location is much higher than probability to be far from the marked location. Figure 1 shows probability distribution by distance from the marked location for $1024 \times 1024$ grid on logarithmic scale.
We have measured the probability within $O(\sqrt{N})$ neighbourhood of the marked location (at $O(\sqrt[4]{N})$ distance)¹ for different grid sizes (figure 2) and have made the following conjecture:
¹ Another logical choice of the size of the neighbourhood would be $O(\sqrt{N \log N})$ - the number of steps of [AKR05] algorithm.
Fig. 1. Probability by distance, one marked location, grid size 1024 × 1024, logarithmic
scale


Hypothesis 1. The probability to be within $O(\sqrt{N})$ neighbourhood, i.e. at $O(\sqrt[4]{N})$ distance, of the marked location is $\Theta(1)$.

In the next section we present a strict analytical proof of the conjecture. This allows us to replace amplitude amplification with a classical post-processing step. After the measurement we classically check $O(\sqrt{N})$ neighbourhood of the outcome. This requires extra $O(\sqrt{N})$ steps but removes $O(\sqrt{\log N})$ factor. Therefore, the running time of the algorithm stays $O(\sqrt{N \log N})$.
Before going into details of the proof, we would like to give the reader some understanding of the final state of the algorithm (state before the measurement). Denote $Pr[0]$ the probability to find a marked location and $Pr[R]$ the probability to be at distance $R$ from the marked location. For small $R$ values ($R \ll \sqrt{N}$), the numerical experiments indicate that:
$$Pr[R] \approx \frac{Pr[0]}{R^2}$$
There are $4R$ points at the distance $R$ from the marked location (we use Manhattan or $L_1$ distance). Thus, the total probability to be within $\sqrt{N}$ neighbourhood of the marked location is:
Fig. 2. Probability to be within $\sqrt{N}$ neighbourhood from the marked location

$$S = \sum_{R=1}^{\sqrt[4]{N}} 4R \times O\left(\frac{Pr[0]}{R^2}\right) = Pr[0] \times O\left(\sum_{R=1}^{\sqrt[4]{N}}\frac{1}{R}\right) = Pr[0] \times O(\log N).$$

As probability to find the marked location is $O(1/\log N)$, we have

$$S = O\left(\frac{1}{\log N}\right) \times O(\log N) = const.$$
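The coined walk of Section 2 and the neighbourhood check of Section 3, as an added example written for this page (it is not the authors' code): a pure-Python simulation of the Grover-coin walk with the shift $S$ of (3), the coin $-I$ at the marked location and the initial state $|\psi(0)\rangle$, together with `prob_within`, which totals the measurement probability inside an $L_1$ ball around a location on the torus, which is what the classical post-processing step inspects. With no marked location the state is reproduced exactly step after step, as the text claims; with one marked location the overlap $\langle\psi(0)|\psi(t)\rangle$ falls away from 1 (after the first step it equals exactly $1 - 2/N$, because only the four amplitudes at the marked location change sign). The grid size, marked location and step count in the demo are constructed sample values, and using $\log_2$ inside the step count is an assumption made here.

```python
# Added example (not from the paper): pure-Python simulation of the coined
# quantum walk on an n x n torus with Grover coin D, shift S, coin -I at marked
# locations, plus the L1-neighbourhood probability used by the classical check.
import math

UP, DOWN, LEFT, RIGHT = 0, 1, 2, 3   # coin basis order: up, down, left, right


def index(i, j, d, n):
    """Position of amplitude alpha_{i,j,d} in the flat state vector."""
    return (i * n + j) * 4 + d


def initial_state(n):
    """|psi(0)>: amplitude 1/(2 sqrt N) on every |i,j,d>, with N = n*n."""
    return [1.0 / (2 * n)] * (4 * n * n)


def coin_step(state, n, marked):
    """Apply I x C: Grover diffusion D = J/2 - I at unmarked locations, -I at marked ones.
    All operators here are real, so amplitudes stay real floats."""
    out = state[:]
    for i in range(n):
        for j in range(n):
            base = index(i, j, 0, n)
            amps = state[base:base + 4]
            if (i, j) in marked:
                new = [-a for a in amps]
            else:
                s = sum(amps)
                new = [s / 2 - a for a in amps]   # (D a)_d = (sum_e a_e)/2 - a_d
            out[base:base + 4] = new
    return out


def shift_step(state, n):
    """Apply S of eq. (3): move one cell in the coin direction and flip the coin to its opposite."""
    out = [0.0] * len(state)
    for i in range(n):
        for j in range(n):
            out[index(i, (j - 1) % n, DOWN, n)] = state[index(i, j, UP, n)]
            out[index(i, (j + 1) % n, UP, n)] = state[index(i, j, DOWN, n)]
            out[index((i - 1) % n, j, RIGHT, n)] = state[index(i, j, LEFT, n)]
            out[index((i + 1) % n, j, LEFT, n)] = state[index(i, j, RIGHT, n)]
    return out


def run_walk(n, marked, steps):
    """Run `steps` coin-then-shift iterations from |psi(0)>; `marked` is a set of (i, j)."""
    state = initial_state(n)
    for _ in range(steps):
        state = shift_step(coin_step(state, n, marked), n)
    return state


def overlap(a, b):
    """Inner product <a|b> of two real amplitude vectors."""
    return sum(x * y for x, y in zip(a, b))


def location_probabilities(state, n):
    """Probability of measuring each location (i, j), summed over the coin register."""
    probs = {}
    for i in range(n):
        for j in range(n):
            base = index(i, j, 0, n)
            probs[(i, j)] = sum(a * a for a in state[base:base + 4])
    return probs


def torus_distance(p, q, n):
    """Manhattan (L1) distance on the periodic n x n grid."""
    di = abs(p[0] - q[0])
    dj = abs(p[1] - q[1])
    return min(di, n - di) + min(dj, n - dj)


def prob_within(state, n, centre, radius):
    """Probability that the measured location lies within L1 distance `radius` of `centre`."""
    probs = location_probabilities(state, n)
    return sum(p for loc, p in probs.items() if torus_distance(loc, centre, n) <= radius)


if __name__ == "__main__":
    n, marked = 8, {(3, 5)}                                  # constructed sample grid
    steps = int(math.sqrt(n * n * math.log2(n * n)))         # t = O(sqrt(N log N)); 19 here
    final = run_walk(n, marked, steps)
    print("overlap with |psi(0)>:", overlap(initial_state(n), final))
    print("P[marked]:            ", prob_within(final, n, (3, 5), 0))
    print("P[within distance 2]: ", prob_within(final, n, (3, 5), 2))
```

Every step is a composition of the coin (an involution at unmarked cells, a sign flip at marked ones) and a permutation, so the simulation stays normalised up to floating-point error; `prob_within` with the maximal torus radius therefore returns 1, and the radius-0 call is exactly $Pr[0]$ from the discussion above.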

4 Proofs

In this section, we show



Theorem 1. We can choose t = O( N log N ) so that, if we run a quantum
walk with one marked location (i, j) for t steps and measure the final state, the
probability of obtaining a location (i , j  ) with |i − i | ≤ N  and |j − j  | ≤ N  as
the measurement result is Ω( )2 .

2
Here, |i − i | ≤ N  and |j − j  | ≤ N  should be interpreted “modulo N ”: |i − i | ≤ N 
if (i − i ) mod N ∈ {−N  , −N  + 1, . . . , N  }.
The proof of Theorem 1 consists of two steps. First, in Lemma 1, we derive an approximation for the state of quantum walk, at the time $t = O(\sqrt{N \log N})$ when the state of quantum walk has the biggest difference from the starting state. Then, in section 5, we use this approximation to derive our main result, via a sequence of algebraic transformations and approximations.

4.1 Approximation of the State of the Quantum Walk

Let
$$|\psi\rangle = \sum_{j=0}^{\sqrt{N}-1}\sum_{j'=0}^{\sqrt{N}-1}\sum_d \alpha^t_{j,j',d}\,|j,j',d\rangle$$
be the state of the quantum walk after $t$ steps.



Lemma 1. We can choose $t = O(\sqrt{N \log N})$ so that for any set
$$S \subseteq \{0, \dots, \sqrt{N}-1\}^2,$$
we have
$$\sum_{(j,j')\in S}|\alpha^t_{j,j',\Uparrow}|^2 \ge C^2\sum_{(j,j')\in S}\left(f(j,j') - f(j-1,j')\right)^2 + o(1)$$
where
$$f(j,j') = \sum_{(k,l)\neq(0,0)}\frac{1}{2 - \cos\frac{2k\pi}{\sqrt{N}} - \cos\frac{2l\pi}{\sqrt{N}}}\,\omega^{kj+lj'},$$
$\omega = e^{\frac{2\pi i}{\sqrt{N}}}$ and $C = \Theta\left(\frac{1}{\sqrt{N \log N}}\right)$.

Proof. We will repeatedly use the following lemma.
Lemma 2. [BV] Let $|\psi\rangle = \sum_{i=1}^m \alpha_i|i\rangle$ and $|\psi'\rangle = \sum_{i=1}^m \beta_i|i\rangle$. Then, for any set $S \subseteq \{1, 2, \dots, m\}$,
$$\left|\sum_{i\in S}|\alpha_i|^2 - |\beta_i|^2\right| \le 2\|\psi - \psi'\|.$$

We recast the algorithm for search on the grid as an instance of an abstract search algorithm [AKR05]. An abstract search algorithm consists of two unitary transformations $U_1$ and $U_2$ and two states $|\psi_{start}\rangle$ and $|\psi_{good}\rangle$. We require the following properties:
1. $U_1 = I - 2|\psi_{good}\rangle\langle\psi_{good}|$ (in other words, $U_1|\psi_{good}\rangle = -|\psi_{good}\rangle$ and, if $|\psi\rangle$ is orthogonal to $|\psi_{good}\rangle$, then $U_1|\psi\rangle = |\psi\rangle$);
2. $U_2|\psi_{start}\rangle = |\psi_{start}\rangle$ for some state $|\psi_{start}\rangle$ with real amplitudes and there is no other eigenvector with eigenvalue 1;
3. $U_2$ is described by a real unitary matrix.
The abstract search algorithm applies the unitary transformation $(U_2U_1)^T$ to the starting state $|\psi_{start}\rangle$. We claim that under certain constraints its final state $(U_2U_1)^T|\psi_{start}\rangle$ has a sufficiently large inner product with $|\psi_{good}\rangle$.
For the quantum walk on $\sqrt{N} \times \sqrt{N}$ grid,
$$|\psi_{good}\rangle = \frac{1}{2}|i,j,\Uparrow\rangle + \frac{1}{2}|i,j,\Downarrow\rangle + \frac{1}{2}|i,j,\Leftarrow\rangle + \frac{1}{2}|i,j,\Rightarrow\rangle,$$
where $i, j$ is the marked location and
$$|\psi_{start}\rangle = \frac{1}{2\sqrt{N}}\sum_{i,j=0}^{\sqrt{N}-1}\left(|i,j,\Uparrow\rangle + |i,j,\Downarrow\rangle + |i,j,\Leftarrow\rangle + |i,j,\Rightarrow\rangle\right).$$

Since $U_2$ is described by a real-value matrix, its eigenvectors (with eigenvalues that are not 1 or -1) can be divided into pairs: $|\Phi^+_j\rangle$ and $|\Phi^-_j\rangle$, with eigenvalues $e^{i\theta_j}$ and $e^{-i\theta_j}$, respectively. In the case of the walk on the 2-dimensional grid, these eigenvalues were calculated in Claim 6 of [AKR05]:
Claim 1. Quantum walk on the 2-dimensional grid with no marked locations has $N-1$ pairs of eigenvalues $e^{-i\theta_j}$ that are not equal to 1 or -1. These values can be indexed by pairs $(k,l)$, $k, l \in \{0, 1, \dots, \sqrt{N}-1\}$, $(k,l) \neq (0,0)$. The corresponding eigenvalues are equal to $e^{\pm i\theta_{k,l}}$, where $\theta_{k,l}$ satisfies $\cos\theta_{k,l} = \frac{1}{2}\left(\cos\frac{2\pi k}{\sqrt{N}} + \cos\frac{2\pi l}{\sqrt{N}}\right)$.

We use $|\Phi^+_{k,l}\rangle$ and $|\Phi^-_{k,l}\rangle$ to denote the corresponding eigenvectors. According to [MPA10, pages 3-4], these eigenvectors are equal to $|\Phi^+_{k,l}\rangle = |\xi_k\rangle \otimes |\xi_l\rangle \otimes |v^+_{k,l}\rangle$, $|\Phi^-_{k,l}\rangle = |\xi_k\rangle \otimes |\xi_l\rangle \otimes |v^-_{k,l}\rangle$ where $|\xi_k\rangle = \sum_{i=0}^{\sqrt{N}-1}\frac{\omega^{ki}}{\sqrt[4]{N}}|i\rangle$,
$$|v^+_{k,l}\rangle = \frac{i}{2\sqrt{2}\sin\theta_{k,l}}\begin{bmatrix} e^{-i\theta_{k,l}} - \omega^k \\ e^{-i\theta_{k,l}} - \omega^{-k} \\ e^{-i\theta_{k,l}} - \omega^l \\ e^{-i\theta_{k,l}} - \omega^{-l} \end{bmatrix}, \qquad |v^-_{k,l}\rangle = \frac{i}{2\sqrt{2}\sin\theta_{k,l}}\begin{bmatrix} \omega^k - e^{i\theta_{k,l}} \\ \omega^{-k} - e^{i\theta_{k,l}} \\ \omega^l - e^{i\theta_{k,l}} \\ \omega^{-l} - e^{i\theta_{k,l}} \end{bmatrix}.$$
The order of directions for the coin register is: $|\Downarrow\rangle$, $|\Uparrow\rangle$, $|\Rightarrow\rangle$, $|\Leftarrow\rangle$. The sign of $|v_{k,l}\rangle$ has been adjusted so that
$$\frac{1}{\sqrt{2}}|\Phi^+_{k,l}\rangle + \frac{1}{\sqrt{2}}|\Phi^-_{k,l}\rangle = |\xi_k\rangle \otimes |\xi_l\rangle \otimes |\delta\rangle \quad (4)$$
where $|\delta\rangle = \frac{1}{2}|\Downarrow\rangle + \frac{1}{2}|\Uparrow\rangle + \frac{1}{2}|\Rightarrow\rangle + \frac{1}{2}|\Leftarrow\rangle$.
We can assume that $|\psi_{good}\rangle = |0\rangle \otimes |0\rangle \otimes |\delta\rangle$. This gives us an expression of $|\psi_{good}\rangle$ in terms of the eigenvectors of $U_2$:
$$|\psi_{good}\rangle = \frac{1}{\sqrt{N}}\sum_{k,l}|\xi_k\rangle \otimes |\xi_l\rangle \otimes |\delta\rangle = \frac{1}{\sqrt{N}}|\psi_{start}\rangle + \sum_{(k,l)\neq(0,0)}\left(\frac{1}{\sqrt{2N}}|\Phi^+_{k,l}\rangle + \frac{1}{\sqrt{2N}}|\Phi^-_{k,l}\rangle\right).$$
Using the results from [AKR05], we can transform this into an expression for the final state of our quantum search algorithm. According to the first big equation in the proof of Lemma 5 in [AKR05], after $t = O(\sqrt{N \log N})$ steps, we get a final state $|\psi\rangle$ such that $\||\psi\rangle - |\phi_{final}\rangle\| = o(1)$, where $|\phi_{final}\rangle = \frac{|\phi'_{final}\rangle}{\|\phi'_{final}\|}$ and
$$|\phi'_{final}\rangle = \frac{1}{\sqrt{N}}|\psi_{start}\rangle + \frac{1}{\sqrt{2N}}\sum_{(k,l)\neq(0,0)}\left(a_{k,l}|\Phi^+_{k,l}\rangle + b_{k,l}|\Phi^-_{k,l}\rangle\right) \quad (5)$$
and
$$a_{k,l} = 1 + \frac{i}{2}\cot\frac{\alpha + \theta_{k,l}}{2} + \frac{i}{2}\cot\frac{-\alpha + \theta_{k,l}}{2}, \qquad b_{k,l} = 1 + \frac{i}{2}\cot\frac{\alpha - \theta_{k,l}}{2} + \frac{i}{2}\cot\frac{-\alpha - \theta_{k,l}}{2}.$$

We now replace $\sum_{(j,j')\in S}|\alpha^t_{j,j',d}|^2$ by the corresponding sum of squares of amplitudes for the state $|\phi_{final}\rangle$. By Lemma 2, this changes the sum by an amount that is $o(1)$.
From [AKR05], we have $\alpha = \Theta\left(\frac{1}{\sqrt{N \log N}}\right)$, $\min\theta_{k,l} = \Theta\left(\frac{1}{\sqrt{N}}\right)$ and $\max\theta_{k,l} = \pi - \Theta\left(\frac{1}{\sqrt{N}}\right)$. Hence, we have $\pm\alpha + \theta_{k,l} = (1 + o(1))\theta_{k,l}$ and we get
$$|\phi'_{final}\rangle = \frac{1}{\sqrt{N}}|\psi_{start}\rangle + \sum_{(k,l)\neq(0,0)}\left[\frac{1}{\sqrt{2N}}\left(1 + i(1+o(1))\cot\frac{\theta_{k,l}}{2}\right)|\Phi^+_{k,l}\rangle + \frac{1}{\sqrt{2N}}\left(1 - i(1+o(1))\cot\frac{\theta_{k,l}}{2}\right)|\Phi^-_{k,l}\rangle\right]. \quad (6)$$
This means that $\||\psi_{final}\rangle - |\phi_{final}\rangle\| = o(1)$ where $|\psi_{final}\rangle = \frac{|\psi'_{final}\rangle}{\|\psi'_{final}\|}$ and
$$|\psi'_{final}\rangle = |\psi_{good}\rangle + \frac{1}{\sqrt{2N}}\sum_{(k,l)\neq(0,0)} i\cot\frac{\theta_{k,l}}{2}\left(|\Phi^+_{k,l}\rangle - |\Phi^-_{k,l}\rangle\right). \quad (7)$$
Again, we can replace a sum of squares of amplitudes for the state $|\phi_{final}\rangle$ by the corresponding sum for $|\psi_{final}\rangle$ and, by Lemma 2, the sum changes by an amount that is $o(1)$.
We now estimate the amplitude of $|j,j',\Uparrow\rangle$ in $|\psi_{final}\rangle$. We assume that $(j,j') \neq (0,0)$. Then, the amplitude of $|j,j',\Uparrow\rangle$ in $|\psi_{good}\rangle$ is 0. Hence, we can evaluate the amplitude of $|j,j',\Uparrow\rangle$ in
$$\frac{1}{\sqrt{2N}}\sum_{(k,l)\neq(0,0)} i\cot\frac{\theta_{k,l}}{2}\left(|\Phi^+_{k,l}\rangle - |\Phi^-_{k,l}\rangle\right) \quad (8)$$
and then divide the result by $\Theta(\sqrt{\log N})$, because $\|\psi'_{final}\| = \Theta(\sqrt{\log N})$.
From the definitions of $|\Phi^\pm_{k,l}\rangle$ and $|v^\pm_{k,l}\rangle$,
$$\frac{1}{\sqrt{2}}|v^+_{k,l}\rangle - \frac{1}{\sqrt{2}}|v^-_{k,l}\rangle = \frac{-i}{4\sin\theta_{k,l}}\begin{bmatrix} 2\cos\theta_{k,l} - 2\omega^k \\ 2\cos\theta_{k,l} - 2\omega^{-k} \\ 2\cos\theta_{k,l} - 2\omega^l \\ 2\cos\theta_{k,l} - 2\omega^{-l} \end{bmatrix}.$$
The amplitude of $|\Uparrow\rangle$ in this state is $\frac{i}{2\sin\theta_{k,l}}(\cos\theta_{k,l} - \omega^{-k})$. The amplitude of $|j\rangle$ in $|\xi_k\rangle$ is $\frac{1}{\sqrt[4]{N}}\omega^{kj}$. The amplitude of $|j'\rangle$ in $|\xi_l\rangle$ is $\frac{1}{\sqrt[4]{N}}\omega^{lj'}$. Therefore, the amplitude of $|j,j',\Uparrow\rangle$ in $\frac{1}{\sqrt{2}}|\Phi^+_{k,l}\rangle - \frac{1}{\sqrt{2}}|\Phi^-_{k,l}\rangle$ is
$$\frac{1}{\sqrt{N}}\,\omega^{kj+lj'}\,\frac{i}{2\sin\theta_{k,l}}(\cos\theta_{k,l} - \omega^{-k})$$
and the amplitude of $|j,j',\Uparrow\rangle$ in (8) is
$$\frac{1}{\sqrt{2N}}\sum_{(k,l)\neq(0,0)} i\cot\frac{\theta_{k,l}}{2}\cdot\frac{i}{2\sin\theta_{k,l}}(\cos\theta_{k,l} - \omega^{-k})\,\omega^{kj+lj'}.$$
By using $\sin\theta_{k,l} = 2\sin\frac{\theta_{k,l}}{2}\cos\frac{\theta_{k,l}}{2}$, we get that the amplitude of $|j,j',\Uparrow\rangle$ is
$$\frac{1}{\sqrt{2}}\sum_{(k,l)\neq(0,0)}\left[-\frac{\cos\theta_{k,l}}{4N\sin^2\frac{\theta_{k,l}}{2}}\,\omega^{kj+lj'} + \frac{1}{4N\sin^2\frac{\theta_{k,l}}{2}}\,\omega^{k(j-1)+lj'}\right] = \frac{1}{\sqrt{2}}\sum_{(k,l)\neq(0,0)}\frac{1}{4N}\left[2\omega^{kj+lj'} - \frac{1}{\sin^2\frac{\theta_{k,l}}{2}}\left(\omega^{kj+lj'} - \omega^{k(j-1)+lj'}\right)\right], \quad (9)$$
with the equality following from $\cos 2x = 1 - 2\sin^2 x$.
We can decompose the sum into two sums, one over all the first components, one over all the second components. The first component of the sum in (9) is close to 0 and, therefore, can be omitted. Hence, we get that the amplitude of $|j,j',\Uparrow\rangle$ in the unnormalized state $|\psi'_{final}\rangle$ can be approximated by
$$\frac{1}{\sqrt{2}}\sum_{(k,l)\neq(0,0)}\frac{1}{4N\sin^2\frac{\theta_{k,l}}{2}}\left(-\omega^{kj+lj'} + \omega^{k(j-1)+lj'}\right) = \Theta\left(\frac{1}{N}\right)\cdot\left(f(j-1,j') - f(j,j')\right).$$
To obtain the amplitude of $|j,j',\Uparrow\rangle$ in $|\psi_{final}\rangle$, this should be divided by $\|\psi'_{final}\|$ which is of the order $\Theta(\sqrt{\log N})$. This implies Lemma 1. □

5 Bounds on the Probability of Being Close to the Marked Location

We start by performing some rearrangements in the expression $f(j,j')$. Let $n = \sqrt{N}$ and $S$ be the set of all pairs $(k,l)$ such that $k, l \in \{0, 1, \dots, n-1\}$, except for $(0,0)$. We consider
$$f(j,j') = \sum_{(k,l)\in S}\frac{1}{2 - \cos\frac{2k\pi}{n} - \cos\frac{2l\pi}{n}}\,\omega^{kj+lj'} = \sum_{(k,l)\in S}\frac{\cos\frac{2(kj+lj')\pi}{n} + \sin\frac{2(kj+lj')\pi}{n}\,i}{2 - \cos\frac{2k\pi}{n} - \cos\frac{2l\pi}{n}}. \quad (10)$$
Since the cosine function is periodic with period $2\pi$, we have $\cos\frac{2l\pi}{n} = \cos\frac{2(l-n)\pi}{n}$. Hence, we can replace the summation over $S$ by the summation over
$$S' = \left\{(k,l)\;\middle|\;k, l \in \left\{-\left\lfloor\tfrac{n}{2}\right\rfloor, -\left\lfloor\tfrac{n}{2}\right\rfloor + 1, \dots, \left\lceil\tfrac{n}{2}\right\rceil - 1\right\}\right\} \setminus \{(0,0)\}.$$
This implies that the imaginary part of (10) cancels out because terms in the sum can be paired up so that, in each pair, the imaginary part in both terms has the same absolute value but opposite sign. Namely:
– If none of $k$, $l$, $-k$ and $-l$ is equal to $\frac{n}{2}$, we pair up $(k,l)$ with $(-k,-l)$.
– If none of $k$ and $-k$ is equal to 0 or $\frac{n}{2}$, we pair up $(-\frac{n}{2}, k)$ with $(-\frac{n}{2}, -k)$ and $(k, -\frac{n}{2})$ with $(-k, -\frac{n}{2})$.
– The terms $(-\frac{n}{2}, 0)$, $(0, -\frac{n}{2})$ and $(-\frac{n}{2}, -\frac{n}{2})$ are left without a pair. This does not affect the argument because the imaginary part is equal to 0 in those terms.
Hence, we have
$$f(j,j') = \sum_{(k,l)\in S'}\frac{\cos\frac{2(kj+lj')\pi}{n}}{2 - \cos\frac{2k\pi}{n} - \cos\frac{2l\pi}{n}}.$$
We define a function $g(j,j') = f(j,j') - f(j-1,j')$. By Lemma 1, $Cg(j,j')$ is a good approximation for the amplitude of $|j,j',\Uparrow\rangle$ in the state of the quantum walk after $t = O(\sqrt{N \log N})$ steps.

Lemma 3 
g 2 (j, j  ) = Ω(n2 ln M )
0<j  ,j<M

where M = n and = Ω(1), and = 1 − Ω(1).

The proof of the lemma can be found in [AB+11]. Together with Lemma 1, this implies that the sum of amplitudes of $|j,j',\Uparrow\rangle$, $0 < j', j < M$ is $\Omega\left(\frac{\log M}{\log n}\right) - o(1)$.

log M
Since log N = , this would complete the proof of Theorem 1.

References
[AA03] Aaronson, S., Ambainis, A.: Quantum search of spatial regions. In: Proc.
44th Annual IEEE Symp. on Foundations of Computer Science (FOCS),
pp. 200–209 (2003)
[AB+11] Ambainis, A., Backurs, A., Nahimovs, N., Ozols, R., Rivosh, A.: Search by
quantum walks on two-dimensional grid without amplitude amplification.
arXiv:quant-ph/1112.3337, 22 pages (2011)
[Amb03] Ambainis, A.: Quantum walks and their algorithmic applications. Interna-
tional Journal of Quantum Information 1, 507–518 (2003)
[Amb04] Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J.
Comput. 37(1) 2007, 210–239 (2007, 2001)
[AKR05] Ambainis, A., Kempe, J., Rivosh, A.: Coins make quantum walks faster. In:
Proceedings of SODA 2005, pp. 1099–1108 (2005)
[AR08] Ambainis, A., Rivosh, A.: Quantum Walks with Multiple or Moving Marked
Locations. In: Geffert, V., Karhumäki, J., Bertoni, A., Preneel, B., Návrat,
P., Bieliková, M. (eds.) SOFSEM 2008. LNCS, vol. 4910, pp. 485–496.
Springer, Heidelberg (2008)
[Ben02] Benioff, P.: Space searches with a quantum robot. In: Quantum Com-
putation and Information, Washington, DC. Contemp. Math., vol. 305,
pp. 1–12. Amer. Math. Soc., Providence (2002)
[BS06] Buhrman, H., Spalek, R.: Quantum Verification of Matrix Products. In: Pro-
ceedings of 17th Annual ACM-SIAM Symposium on Discrete Algorithms
(SODA 2006), Miami, Florida, pp. 880–889 (2006)
[BV] Bernstein, E., Vazirani, U.: Quantum complexity theory. SIAM Journal on
Computing 26, 1411–1473 (1997)
[CC+03] Childs, A.M., Cleve, R., Deotto, E., Farhi, E., Gutmann, S., Spielman, D.A.:
Exponential algorithmic speedup by a quantum walk. In: Proceedings of the
35th ACM STOC, pp. 59–68 (2003)
[CG04] Childs, A., Goldstone, J.: Spatial search and the Dirac equation. Physical
Review A 70, 042312 (2004)
[Gro96] Grover, L.: A fast quantum mechanical algorithm for database search. In: Pro-
ceedings of the 28th ACM STOC, Philadelphia, Pennsylvania, pp. 212–219.
ACM Press (1996)
[Kem03] Kempe, J.: Quantum random walks - an introductory overview. Contempo-
rary Physics 44(4), 302–327 (2003)
[KM+10] Krovi, H., Magniez, F., Ozols, M., Roland, J.: Finding Is as Easy as De-
tecting for Quantum Walks. In: Abramsky, S., Gavoille, C., Kirchner, C.,
Meyer auf der Heide, F., Spirakis, P.G. (eds.) ICALP 2010. LNCS, vol. 6198,
pp. 540–551. Springer, Heidelberg (2010)
[Mey96] Meyer, D.A.: From quantum cellular automata to quantum lattice gases.
Journal of Statistical Physics 85, 551–574 (1996)
[MPA10] Marquezino, F.L., Portugal, R., Abal, G.: Mixing times in quantum walks
on two-dimensional grids. arxiv:1006.4625
[MSS05] Magniez, F., Santha, M., Szegedy, M.: An O(n1.3 ) quantum algorithm for
the triangle problem. In: Proceedings of SODA 2005, pp. 1109–1117 (2005);
SIAM J. Comput. 37(2), 413–424 (2007)
[SKW03] Shenvi, N., Kempe, J., Whaley, K.B.: A quantum random walk search al-
gorithm. Physical Review A 67(5), 052307 (2003)
[Sze04] Szegedy, M.: Quantum speed-up of Markov Chain based algorithms. In:
Proceedings of IEEE FOCS 2004, pp. 32–41 (2004)
[Tul08] Tulsi, A.: Faster quantum-walk algorithm for the two-dimensional spatial
search. Phys. Rev. A 78, 012310 (2008)
The Effects of Free Will on Randomness Expansion

Dax Enshan Koh^1, Michael J.W. Hall^2, Setiawan^3, James E. Pope^4, Artur Ekert^{1,4}, Alastair Kay^{1,5}, and Valerio Scarani^{1,3}

1 Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117543
2 Centre for Quantum Computation and Communication Technology (Australian Research Council), Centre for Quantum Dynamics, Griffith University, Brisbane, QLD 4111, Australia
3 Department of Physics, National University of Singapore, 2 Science Drive 3, Singapore 117542
4 Mathematical Institute, University of Oxford, 24-29 St Giles’, OX1 3LB, UK
5 Keble College, Parks Road, Oxford, OX1 3PG, UK

Abstract. One of the assumptions of Bell’s Theorem is the existence of experimental free will, meaning that measurement settings can be chosen perfectly at random. With the advent of quantum information, the violation of a Bell inequality constitutes evidence of the lack of an eavesdropper in cryptographic scenarios such as key distribution and randomness expansion. Relaxing the free will assumption changes the bounds on an eavesdropper. We consider a no-signalling model with reduced free will and bound the eavesdropper’s capabilities in the randomness expansion setting. We compare the case where the only allowable probability distributions are ones that are factorizable with the case where any general probability distribution is allowed, explicitly giving optimal no-signalling models for maximal violation.

1 Introduction

Randomness is a vital resource in many applications. Quantum mechanics has long been known to provide intrinsic randomness, but recently it has been noticed that Bell tests allow us to go further: specifically, they provide quantitative bounds for the available amount of randomness that is generated [1]. Moreover, these bounds are device-independent, in the sense that they are obtained only from the observed statistics, without the need to describe the physical system or the measurements. One can assume the validity of quantum phys\
ics in order to obtain better bounds, but remarkably, bounds can be obtained even without that assumption in a fully black-box scenario (this is the scenario which we consider in this paper).
K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 98–106, 2013.
© Springer-Verlag Berlin Heidelberg 2013

In this randomness expansion protocol, a pre-established stock of randomness (for instance, a string of random bits) is used to make measurement selections in a series of Bell tests. The outcomes of the tests are used to generate further private randomness, which is verified by the violation of the local bound of a Bell inequality [2]. To certify the private randomness produced, it is crucial to
not only determine what we call the maximum guessing probability G (defined
below), but also to ensure that an adversary cannot somehow fake this bound.
Whilst this is the case when two parties Alice and Bob have complete free will,
i.e. they can randomly and independently select their measurements, we show
that such guarantees cannot be made if the Bell violation has been obtained
from a local hidden variable model with relaxed free will. This is because it then
might be possible to fake what would otherwise be interpreted as non-classical
correlations even if the underlying model is deterministic and no-signalling [3,4].
This means that if Alice and Bob wrongly assume that they have complete free
will, then they can be fooled into thinking that their observed outputs are not
predetermined whenever they observe a Bell violation, when in fact their choice
of inputs could have been manipulated and the data could have existed even
before the Bell test is carried out.
Whilst it may not seem likely that nature would systematically conspire to
restrict the free will of experimenters just to deceive them into thinking that
observed outputs are not predetermined, it is entirely possible that a human
adversary would want to do just that. Now, in order to “randomly and inde-
pendently” choose measurement settings, Alice and Bob could rely on their own
free will, though in practice, it is more practical and efficient if they use random
number generators (RNGs). Hence, the lack of complete free will would corre-
spond to the manipulation of these RNGs by an adversary in such a way that
they deliberately introduce patterns undetected by standard statistical tests.
These considerations have practical consequences not only in the generation of
randomness, but also in the security of quantum key distribution based on Bell
inequalities [1].
The free will assumption has been discussed recently in the literature with
different attempts to quantify free will [4,5,6]. Free will seems to be a rather
critical resource for the violation of Bell inequalities to have the meaning that
one usually reads from them: indeed, using a suitable measure for measurement
independence, it has been shown that only 14 percent of measurement indepen-
dence needs to be given up in order to reproduce singlet state correlations with
a classical strategy [3].
An operational way of quantifying randomness involves the use of the notion
of guessing probability: a process has large randomness if it is hard to guess its
outcomes. Here we establish bounds on the average probability of guessing an
outcome of a Bell test, for a given amount of free will, using a variant of Hall’s
relaxed Bell inequalities [7].

2 Overview
We work in the simplest scenario of two parties with two inputs and two outputs
each, characterized by the Clauser-Horne-Shimony-Holt (CHSH) inequality [8].
The devices that Alice and Bob use are treated as black boxes, potentially pre-
pared by an adversary. The inputs are labelled Aj and Bk respectively, where
$j, k \in \{0,1\}$, and the outputs are labelled $a, b \in \{0,1\}$. The CHSH test is repeated a large number of times, yielding a probability distribution of the outputs (O) $\{p_O(a,b|A_j,B_k)\}$, which we assume to be non-signalling. In terms of these probabilities, the CHSH correlation function $E$ can be defined as

$$E = \sum_{a,b,j,k\in\{0,1\}} (-1)^{a+b+jk}\, p_O(a,b|A_j,B_k). \qquad (1)$$

We impose the condition that the probabilities of the inputs (I) $p_I$ are all equal, i.e. $p_I(A_j,B_k) = \tfrac14$ for all $j,k\in\{0,1\}$, which means that unless one has knowledge of the underlying variables, one will be unable to detect any deviations of these probabilities from the uniform distribution $(\tfrac14,\tfrac14,\tfrac14,\tfrac14)$.
We describe the adversary's control over the inputs and outputs by an underlying variable $\lambda$, which could describe both classical and quantum states, and underlying conditional probability densities $p_O(a,b|A_j,B_k,\lambda)$ and $\rho(\lambda|A_j,B_k)$, which are related to $\{p_O(a,b|A_j,B_k)\}$ by Bayes' theorem: $p_O(a,b|A_j,B_k) = \int d\lambda\, p_O(a,b|A_j,B_k,\lambda)\,\rho(\lambda|A_j,B_k)$. By summing over $b$ and $a$ respectively, we obtain the marginals $p_O^{(A)}(a|A_j,\lambda)$ and $p_O^{(B)}(b|B_k,\lambda)$. Note that the marginal probability $p_O^{(A)}$ is independent of $B_k$ and $p_O^{(B)}$ is independent of $A_j$ because of the no-signalling assumption. The guessing probability $G(\lambda)$ for a given underlying variable $\lambda$ would then be the maximum over all these marginal probabilities. The guessing probability, for Alice, Bob or any observer without access to the underlying variables, is the weighted average of $G(\lambda)$ over $\lambda$, i.e.

$$G = \int d\lambda\, \rho(\lambda)\, G(\lambda), \qquad (2)$$

where $\rho(\lambda)$ is the probability distribution of the underlying variable $\lambda$. Note that $G$ takes values in the closed interval $[\tfrac12, 1]$, where $G = \tfrac12$ ($G = 1$) means that the underlying model is indeterministic (deterministic).
For a given Bell violation, tight bounds for $G$ have been calculated in the literature [9] for the case of complete free will. In order to formulate the relaxation of free will, we define a free will parameter, $P$, as the maximum probability that a particular pair of measurement settings is chosen, maximized over all control variables $\lambda$, i.e.

$$P = \max_{j,k,\lambda}\, p_I(A_j,B_k|\lambda). \qquad (3)$$

This quantifies the maximum deviation of $p_I(A_j,B_k|\lambda)$ from the uniform distribution. For a 2-party-2-setting protocol, $P$ takes values in the interval $[\tfrac14, 1]$; $P = \tfrac14$ corresponds to the case of complete free will, while $P = 1$ corresponds to the case of maximal measurement dependence, as in [10]. Any value of $P$ greater than $\tfrac14$ indicates that Alice's and Bob's choices of inputs are not completely random, even though they might think they are.
We choose this definition because it relates directly to probabilities that a pair of inputs are chosen for a given underlying variable. While being more natural for our model, this differs from that given in [3], which involves conditional probability distributions of the underlying variable given the measurement inputs. Nevertheless, a correspondence between the two can be found via Bayes' Theorem. From these definitions, we obtain the following theorem (proved in the Appendix):

Theorem 1. The maximum possible Bell violation $S(G,P)$, for an average maximum guessing probability $G$ and free will parameter $P$, for any no-signalling model with $p_I(A_j,B_k) = \tfrac14$ (i.e. all inputs are equally likely), is

$$S(G,P) = \begin{cases} 4 - 8(2G-1)(1-3P) & P \le \tfrac13 \\ 4 & P \ge \tfrac13 \end{cases}. \qquad (4)$$
From Theorem 1, we can get an estimate of an adversary's knowledge of Alice's and Bob's bits as measured by $G$, given that we know the Bell violation $S^*$ that Alice and Bob observe as well as the free will parameter $P$. Also, the theorem implies that the bound is always tight, i.e. for any $G$ and $P$, there exists a no-signalling model for which the Bell violation is equal to $S(G,P)$ (see Appendix for explicit constructions of these models). In particular, suppose that Alice and Bob measure a Bell violation $S^*$. If $S^* \le S(1,P)$, then Alice and Bob know that the key bits could have been completely pre-programmed before the Bell measurements were carried out. On the other hand, if $S^* > S(1,P)$, then Alice and Bob can conclude that some indeterminism has been introduced into the model, and that the guessing probability is less than unity. They can then use Eq. (4) to determine an upper bound for the guessing probability $G$. For the case $P \ge \tfrac13$, we have $S(1,P) = 4$, so the bound allows $G = 1$, i.e. an adversary can use a deterministic protocol to achieve maximal Bell violation. The case where $P \le \tfrac13$ is more interesting because only in this case is the upper bound on the maximum guessing probability for a given Bell violation $S^*$ nontrivial. From Eq. (4), a tight upper bound for $G$ is

$$G \le \min\left\{\frac12\left(1 + \frac{4 - S^*}{8(1-3P)}\right),\, 1\right\}, \qquad P < \tfrac13. \qquad (5)$$

The observed Bell violation and degree of free will thus give a tight upper bound on the guessing probability (Fig. 1), from which the tradeoff between the degree of free will and the guessing probability can be seen.
Note that our motivation for determining the guessing probability is for the task of randomness expansion [1]. For this purpose, Pironio et al. characterize the randomness of outputs $A, B \in \{0,1\}$ conditioned on inputs $X, Y \in \{0,1\}$ by the min-entropy for a single run, defined to be $H_\infty(AB|XY) = -\log_2 \max_{a,b,x,y} p_O(a,b|x,y)$, which is clearly bounded below by $-\log_2 G$. For experimental estimation of a Bell violation, a Bell test must be performed on the devices many times in succession. This means that we must bound the min-entropy over a series of $n$ runs, encapsulated by an input string $s = (x^n, y^n)$ and an output string $r = (a^n, b^n)$, where $x^n = (x_1, x_2, \cdots, x_n)$ determines the input $x_i$ to be made on run $i$, similarly for $y^n$, $a^n$ and $b^n$.
[Fig. 1: plot of $G(S^*, P)$ against $P$ (0.25 to 0.55); curves $a_i$ ($S^* = 2.0$), $b_i$ ($S^* = 2.8$), $c_i$ ($S^* = 3.3$), $d_i$ ($S^* = 3.9$), each for the general and the factorizable case]

Fig. 1. (Colour online) Tight upper bound for the guessing probability $G(S^*, P)$ for no-signalling models, for the (arbitrarily chosen) CHSH violations $S^* = 2$ (dotted), $S^* = 2\sqrt2 \approx 2.8$ (light dashed), $S^* = 3.3$ (heavy dashed) and $S^* = 3.9$ (solid), from Eq. (5) and (7). $S^* = 2$ and $S^* = 2\sqrt2$ correspond to the local deterministic bound and the Tsirelson bound respectively. For each pair of lines of the same type, the bound for the general case (purple) is always strictly greater than the bound for the factorizable case (red), except when equality holds for $G = \tfrac12$ or $1$. As $S^*$ increases to 4, the graphs approach the vertical lines at $P = \tfrac13$ and $P = \tfrac12$ for the general and factorizable cases respectively.

The min-entropy is then defined as $H_\infty(R|S) = -\log_2 \max_{r,s} P(r|s)$. If we assume that an adversary can only perform a collective attack without memory, i.e. that the devices behave independently and identically at each run, then $P(r|s) = P(a^n b^n|x^n y^n) = \prod_i P(a_i b_i|x_i y_i)$ by independence and so $H_\infty(R|S) = -n\log_2 \max_{a_i,b_i,x_i,y_i} P(a_i b_i|x_i y_i) \ge -n\log_2 G$. Together with the observed Bell violation, this bound can then be used to certify the generated randomness as described in [1].
So far, we have not placed any restrictions on the probability distribution $p_I(A_j,B_k|\lambda)$. Indeed, if an adversary has quantum technology at her disposal, then she would be able to generate the most general of such distributions. But unless this is so, one should impose that the probability distributions are factorizable, i.e. the joint probability $p_I(A_j,B_k|\lambda) = p_I^{(A)}(A_j|\lambda)\, p_I^{(B)}(B_k|\lambda)$ is a product of local distributions. Note that while a non-factorizable distribution can always be made factorizable by utilizing more hidden variables, this changes the value of $P$. Also, to implement the non-factorizable case without using local hidden variables requires a quantum state, but only measurements in one basis, so in some sense, we never see any 'quantumness'. Indeed, in this case, our calculations above hold. Now, imposing the factorizability condition changes the upper bound for the Bell violation. We show in the appendix that for the factorizable case,

$$S_{\mathrm{fac}}(G,P) = \begin{cases} 4 - 4(2G-1)(1-2P) & P \le \tfrac12 \\ 4 & P \ge \tfrac12 \end{cases}. \qquad (6)$$

As expected, this does not exceed the bound in the more general case. For an observed Bell violation $S^*$, we obtain

$$G_{\mathrm{fac}} \le \min\left\{\frac12\left(1 + \frac{4 - S^*}{4(1-2P)}\right),\, 1\right\}, \qquad P < \tfrac12. \qquad (7)$$

It is seen (Fig. 1) that when $\tfrac14 < P < \tfrac13$, the bound for $G$ is less in the factorizable case than in the general case. Hence, unless the adversary can supply non-factorizable distributions for the inputs, we can put a tighter upper bound on the guessing probability. Also, it takes a larger value of $P$ to produce PR-box correlations, i.e. $S^* = 4$ [11], in the factorizable case.

Note that for $P = \tfrac14$, corresponding to the case of complete free will, the bounds for $G$ for both the general and factorizable cases, from Eq. (5) and (7), reduce to the result in [1]: $G \le \tfrac32 - \tfrac{S^*}{4}$.

For deterministic strategies, i.e. $G = 1$, this gives $S(1,P) = \min\{24P - 4,\, 4\}$ and $S_{\mathrm{fac}}(1,P) = \min\{8P,\, 4\}$, representing a lower bound on the Bell violation reached by any optimal indeterministic strategy (Fig. 2). Any point above the graph must correspond to a $G < 1$ strategy. In other words, any adversary would be forced to introduce some indeterminism in the model, thus decreasing her guessing probability, if she wishes, for a given $P$, to produce a Bell violation greater than $S(1,P)$ or $S_{\mathrm{fac}}(1,P)$ respectively.

[Fig. 2: plot of $S(1,P)$ against $P$, with ticks at $P = \tfrac14, \tfrac13, \tfrac12$ and $S = 2$; general and factorizable cases]

Fig. 2. Graph of maximal Bell violation $S(1,P)$ versus $P$ for no-signalling deterministic (i.e. $G = 1$) models, showing both general (dashed) and factorizable (solid) cases, which are plots of Eq. (4) and (6). In the region $\tfrac14 < P < \tfrac13$, an adversary with access to only factorizable distributions cannot produce as large a Bell violation as one with access to general distributions. Any point above the graphs $S(1,P)$ must correspond to an indeterministic model.
3 Concluding Remarks

We have shown that for no-signalling models, the bound for the guessing proba-
bility increases as the degree of free will of Alice and Bob decreases. This allows
us to put an upper bound on the guessing probability of an adversary given that
the amount of free will and Bell violation are known.
In the above work we have specified the maximum device-independent bound
on an eavesdropper Eve’s maximum guessing probability, assuming she has ac-
cess to devices that can produce any non-signalling distribution (including PR
boxes etc.). It is of course worth asking how these bounds would be reduced in
the more realistic setting where Eve has access only to quantum devices, and
what Eve’s optimal quantum strategy would be to achieve the new bounds.
A natural extension of this work is to ask whether the local strategies employed here could be used to attack a key distribution scheme, where an eavesdropper fakes a Bell violation to undermine the security that Alice and Bob believe is in their key. One could explicitly state a procedure that employs a Bell test for a subset of the total runs in $n$ experiments, yet generates a key from a disjoint subset, akin to the Ekert protocol [12].

Acknowledgements. This work is supported by the National Research Foundation and the Ministry of Education, Singapore. MJWH is supported by the ARC Centre of Excellence CE110001027. JEP acknowledges support from an EPSRC postgraduate studentship.

A Proof of Bell Violation Bounds and Optimal Models

To obtain Eq. (4) and Eq. (6), we define $m_j = p_O^{(A)}(0|A_j,\lambda)$, $n_k = p_O^{(B)}(0|B_k,\lambda)$, where $j,k\in\{0,1\}$. Hence, $G(\lambda) = \max\{m_0, m_1, n_0, n_1, 1-m_0, 1-m_1, 1-n_0, 1-n_1\}$.

Let $c_{jk} = p_O(0,0|A_j,B_k,\lambda)$. Therefore, $p_O(0,1|A_j,B_k,\lambda) = m_j - c_{jk}$ and $p_O(1,0|A_j,B_k,\lambda) = n_k - c_{jk}$, from which it follows from normalization that $p_O(1,1|A_j,B_k,\lambda) = 1 + c_{jk} - m_j - n_k$.

The method to evaluate a tight upper bound for a Bell violation for a probability distribution $p_O(a,b|A_j,B_k,\lambda)$ is given in [7]. By Eq. (B3) of [7], $E \le 4 - 2\int d\lambda\, J(\lambda)$, where $J(\lambda) = \rho(\lambda|A_0,B_0)\,|m_0 - n_0| + \rho(\lambda|A_0,B_1)\,|m_0 - n_1| + \rho(\lambda|A_1,B_0)\,|m_1 - n_0| + \rho(\lambda|A_1,B_1)\,|m_1 + n_1 - 1|$, where $\rho(\lambda|A_j,B_k)$ is the probability distribution of $\lambda$ given inputs $A_j, B_k$.

An upper bound for $E$ corresponds to a lower bound for $J(\lambda)$. From the definition of $J(\lambda)$, $J(\lambda) \ge (|m_0 - n_0| + |m_0 - n_1| + |m_1 - n_0| + |m_1 + n_1 - 1|)\,\min_{j,k}\rho(\lambda|A_j,B_k)$. Consider the expression $K = |m_0 - n_0| + |m_0 - n_1| + |m_1 - n_0| + |m_1 + n_1 - 1|$. By applying the triangle inequality to the first and second terms and to the third and fourth terms, we obtain $K \ge |n_0 - n_1| + |n_0 + n_1 - 1|$. Similarly, applying the triangle inequality to the first and third terms and to the second and fourth terms gives $K \ge |m_0 - m_1| + |m_0 + m_1 - 1|$.
Since $G(\lambda)$ was defined as the maximum of a set of 8 elements, it has to be equal to at least one of them: $m_0, m_1, n_0, n_1, 1-m_0, 1-m_1, 1-n_0, 1-n_1$. We consider each of these cases separately to find a lower bound for $K$. To this end, suppose $G(\lambda) = n_0$. Then $n_0 \ge n_1, 1-n_1$, which implies that $K \ge n_0 - n_1 + n_0 + n_1 - 1 = 2G(\lambda) - 1$. By symmetry, this inequality for $K$ also holds in the cases $G(\lambda) = n_1, m_0$ or $m_1$. Likewise a similar argument holds for $G(\lambda) = 1 - n_0$. By symmetry arguments, the same inequality for $K$ holds for all candidates for $G(\lambda)$. Hence, $J(\lambda) \ge (2G(\lambda) - 1)\min_{j,k}\rho(\lambda|A_j,B_k)$.

By Bayes' Theorem and our assumption that $p_I(A_j,B_k) = \tfrac14$, so that $\rho(\lambda|A_j,B_k) = 4\,p_I(A_j,B_k|\lambda)\,\rho(\lambda)$, we obtain

$$E \le 4 - 8\int d\lambda\, (2G(\lambda) - 1)\,\rho(\lambda)\,\min_{j,k} p_I(A_j,B_k|\lambda). \qquad (8)$$

General Case: Using the definition of $P$ in Eq. (3), for $P \ge \tfrac13$, we could choose $p_I(A_j,B_k|\lambda) = (P, Q, Q', 0)$ for some $Q, Q' \le P$, in some order, for each $j,k\in\{0,1\}$. Then $\min_{j,k} p_I(A_j,B_k|\lambda) = 0$, from which it follows that $E = 4$. For $\tfrac14 \le P < \tfrac13$, for some $P', P'', P''' \le P$, we could choose $p_I(A_j,B_k|\lambda) = (P, P', P'', P''')$ in some order. Without loss of generality, taking $P''' \le P', P''$ gives us $P''' = \min_{j,k} p_I(A_j,B_k|\lambda) = 1 - P - P' - P'' \ge 1 - 3P > 0$. We could choose $p_I(A_j,B_k|\lambda)$ such that $\min_{j,k} p_I(A_j,B_k|\lambda) = 1 - 3P$. With this minimum, the expression in Eq. (4) is obtained.
Factorizable Case: We could write $p_I(A_j,B_k|\lambda) = p_I^{(A)}(A_j|\lambda)\,p_I^{(B)}(B_k|\lambda)$. Hence, minimizing the above quantity entails minimizing each term in the product. Defining $P_1 = \max_{j,\lambda}\{p_I^{(A)}(A_j|\lambda)\}$ and $P_2 = \max_{k,\lambda}\{p_I^{(B)}(B_k|\lambda)\}$, the minimum of $p_I(A_j,B_k|\lambda)$ is $(1-P_1)(1-P_2) = 1 + P - (P_1 + P_2)$, where we have used $P = P_1 P_2$. Hence, we maximize $P_1 + P_2$ subject to the conditions $P_1 P_2 = P$ and $\tfrac12 \le P_1, P_2 \le 1$ (each $P_i$ is the larger of two probabilities summing to one, so it cannot lie below $\tfrac12$).

Table 1. Optimal indeterministic model with guessing probability $G$ in the general case, for $\tfrac14 \le P \le \tfrac13$

  lambda   A_j B_k   P(A_j,B_k|lambda)   P(00|A_j,B_k,lambda)   P(11|A_j,B_k,lambda)   P(01|A_j,B_k,lambda)   P(10|A_j,B_k,lambda)
  lambda1  A0 B0     P                   G                      1-G                    0                      0
           A0 B1     P                   G                      1-G                    0                      0
           A1 B0     P                   G                      1-G                    0                      0
           A1 B1     1-3P                2G-1                   0                      1-G                    1-G
  lambda2  A0 B0     P                   G                      1-G                    0                      0
           A0 B1     P                   G                      1-G                    0                      0
           A1 B0     1-3P                1-G                    1-G                    0                      2G-1
           A1 B1     P                   0                      0                      1-G                    G
  lambda3  A0 B0     P                   G                      1-G                    0                      0
           A0 B1     1-3P                1-G                    1-G                    2G-1                   0
           A1 B0     P                   G                      1-G                    0                      0
           A1 B1     P                   0                      0                      G                      1-G
  lambda4  A0 B0     1-3P                1-G                    1-G                    2G-1                   0
           A0 B1     P                   G                      1-G                    0                      0
           A1 B0     P                   1-G                    G                      0                      0
           A1 B1     P                   0                      0                      1-G                    G
The optimal values of $P_1$ and $P_2$ are found to be $(P_1, P_2) = (1, P)$ for $P \ge \tfrac12$ and $(\tfrac12, 2P)$ for $P \le \tfrac12$, in some order. These values give the bound in Eq. (6).

Since the bounds are tight in every stage of the proof, it implies that we can always construct a no-signalling model where equality holds. This is explicitly shown in Table 1 for $P \le \tfrac13$. A $P \ge \tfrac13$ model can be obtained in a similar way, for example, by replacing the third column of Table 1 by the values, in the same order, $((P, Q, Q', 0), (Q', P, 0, Q), (Q, 0, P, Q'), (0, Q', Q, P))$, for any $Q, Q' \le P$ that satisfy $Q + Q' + P = 1$. When $P \ge \tfrac12$ and $Q = 0$, we get an optimal model for the factorizable case. Replacing the third column of Table 1 by the values, in the same order, $((P, P, \tfrac12 - P, \tfrac12 - P), (\tfrac12 - P, P, \tfrac12 - P, P), (P, \tfrac12 - P, P, \tfrac12 - P), (\tfrac12 - P, \tfrac12 - P, P, P))$ gives an optimal $P \le \tfrac12$ model for factorizable distributions.
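The following Python block is an added worked example, not code from Koh et al. It encodes Table 1 and the factorizable input weights given above as data (the data layout and helper names are this example's own), checks with exact rational arithmetic the properties the proof relies on (no-signalling at every $\lambda$, uniform averaged inputs, guessing probability $G$, free will parameter $P$ of Eq. (3)), and confirms that the CHSH value of each model equals $S(G,P)$ of Eq. (4) and $S_{\mathrm{fac}}(G,P)$ of Eq. (6), which Eqs. (5) and (7) then invert back to $G$.

```python
"""Check of Eqs. (4)-(7) against the explicit models of the Appendix (Table 1 and its
factorizable variant). Added example, not code from the paper; the data layout and the
helper names are this example's own. Exact rationals keep the equalities exact."""
from fractions import Fraction as F

INPUTS = [(0, 0), (0, 1), (1, 0), (1, 1)]   # (j, k) for (A_j, B_k): Table 1 row order
OUTPUTS = [(0, 0), (1, 1), (0, 1), (1, 0)]  # (a, b): Table 1 column order
PRIOR = F(1, 4)                             # rho(lambda), uniform over lambda_1..lambda_4

def s_general(G, P):
    """Eq. (4): maximal CHSH value for guessing probability G and free-will parameter P."""
    return F(4) if P >= F(1, 3) else 4 - 8 * (2 * G - 1) * (1 - 3 * P)

def s_factorizable(G, P):
    """Eq. (6): the same when p_I(A_j, B_k | lambda) must factorize."""
    return F(4) if P >= F(1, 2) else 4 - 4 * (2 * G - 1) * (1 - 2 * P)

def g_bound(S, P, factorizable=False):
    """Eqs. (5)/(7): tight upper bound on G from an observed CHSH value S; it is 1
    whenever S does not exceed the deterministic bound S(1, P)."""
    if factorizable:
        if P >= F(1, 2):
            return F(1)
        excess = (4 - S) / (4 * (1 - 2 * P))
    else:
        if P >= F(1, 3):
            return F(1)
        excess = (4 - S) / (8 * (1 - 3 * P))
    return min((1 + excess) / 2, F(1))

def _output_tables(G):
    """Table 1 output distributions per lambda and per (j, k), as (p00, p11, p01, p10)."""
    return [
        [(G, 1 - G, 0, 0), (G, 1 - G, 0, 0), (G, 1 - G, 0, 0), (2 * G - 1, 0, 1 - G, 1 - G)],
        [(G, 1 - G, 0, 0), (G, 1 - G, 0, 0), (1 - G, 1 - G, 0, 2 * G - 1), (0, 0, 1 - G, G)],
        [(G, 1 - G, 0, 0), (1 - G, 1 - G, 2 * G - 1, 0), (G, 1 - G, 0, 0), (0, 0, G, 1 - G)],
        [(1 - G, 1 - G, 2 * G - 1, 0), (G, 1 - G, 0, 0), (1 - G, G, 0, 0), (0, 0, 1 - G, G)],
    ]

def general_model(G, P):
    """Table 1: per lambda, the input weights p_I(A_j, B_k | lambda) and the output tables."""
    q = 1 - 3 * P
    weights = [(P, P, P, q), (P, P, q, P), (P, q, P, P), (q, P, P, P)]
    return list(zip(weights, _output_tables(G)))

def factorizable_model(G, P):
    """Appendix variant for P <= 1/2: input weights that are products of local distributions."""
    r = F(1, 2) - P
    weights = [(P, P, r, r), (r, P, r, P), (P, r, P, r), (r, r, P, P)]
    return list(zip(weights, _output_tables(G)))

def _marginals(outs):
    """(p(a=0), p(b=0)) of one conditional output distribution."""
    p = dict(zip(OUTPUTS, outs))
    return p[(0, 0)] + p[(0, 1)], p[(0, 0)] + p[(1, 0)]

def input_marginals(model):
    """p_I(A_j, B_k) = sum_lambda rho(lambda) p_I(A_j, B_k | lambda); must be 1/4 throughout."""
    return {jk: sum(PRIOR * w[i] for w, _ in model) for i, jk in enumerate(INPUTS)}

def free_will_parameter(model):
    """Eq. (3): P = max over j, k and lambda of p_I(A_j, B_k | lambda)."""
    return max(max(w) for w, _ in model)

def is_no_signalling(model):
    """Alice's marginal must not depend on k and Bob's not on j, for every lambda."""
    for _, outs in model:
        by_input = dict(zip(INPUTS, outs))
        for j in (0, 1):
            if len({_marginals(by_input[(j, k)])[0] for k in (0, 1)}) != 1:
                return False
        for k in (0, 1):
            if len({_marginals(by_input[(jj, k)])[1] for jj in (0, 1)}) != 1:
                return False
    return True

def guessing_probability(model):
    """Eq. (2): average over lambda of G(lambda), the largest one-party marginal."""
    total = F(0)
    for _, outs in model:
        candidates = []
        for o in outs:
            pa, pb = _marginals(o)
            candidates += [pa, 1 - pa, pb, 1 - pb]
        total += PRIOR * max(candidates)
    return total

def chsh(model):
    """Eq. (1) on p_O(a,b|A_j,B_k) = sum_lambda rho(lambda|A_j,B_k) p(a,b|A_j,B_k,lambda), with
    rho(lambda|A_j,B_k) = p_I(A_j,B_k|lambda) rho(lambda) / p_I(A_j,B_k) by Bayes' theorem."""
    p_in = input_marginals(model)
    E = F(0)
    for i, (j, k) in enumerate(INPUTS):
        for a, b in OUTPUTS:
            p_obs = sum(PRIOR * w[i] / p_in[(j, k)] * dict(zip(OUTPUTS, outs[i]))[(a, b)]
                        for w, outs in model)
            E += (-1) ** (a + b + j * k) * p_obs
    return E

if __name__ == "__main__":
    G, P = F(4, 5), F(3, 10)
    for name, m, s in (("general", general_model(G, P), s_general(G, P)),
                       ("factorizable", factorizable_model(G, P), s_factorizable(G, P))):
        print(name, "no-signalling:", is_no_signalling(m), "G:", guessing_probability(m),
              "P:", free_will_parameter(m), "CHSH:", chsh(m), "closed form:", s)
```

Running it with $G = 4/5$ and $P = 3/10$ gives a CHSH value of $88/25 = 3.52$ for the general model and $76/25 = 3.04$ for the factorizable one, both equal to the closed forms; feeding those values to `g_bound` returns $4/5$ again. Setting $P = 1/3$ with $G = 1$ makes the general construction reach $S = 4$ deterministically, the point at which Eq. (5) stops certifying anything, while the factorizable construction at the same $P$ only reaches $8/3$.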

References
1. Pironio, S., et al.: Nature 464, 1021 (2010)
2. Bell, J.S.: Physics 1, 195 (1964)
3. Hall, M.J.W.: Phys. Rev. Lett. 105, 250404 (2010)
4. Barrett, J., Gisin, N.: arXiv:1008.3612v2 (2011)
5. Colbeck, R., Renner, R.: arXiv:1105.3195v2 (2011)
6. Kofler, J., Paterek, T., Brukner, C.: Phys. Rev. A 73, 022104 (2006)
7. Hall, M.J.W.: Phys. Rev. A 84, 022102 (2011)
8. Clauser, J.F., et al.: Phys. Rev. Lett. 23, 880 (1969)
9. Masanes, L., Pironio, S., Acin, A.: Nature Commun. 2, 238 (2011)
10. Brans, C.: Int. J. Theoret. Phys. 27, 219 (1988)
11. Popescu, S., Rohrlich, D.: Found. Phys. 24, 379 (1994)
12. Ekert, A.: Phys. Rev. Lett. 67, 661 (1991)
Semi-device-independent QKD Based on BB84 and a CHSH-Type Estimation

Erik Woodhead (1), Charles Ci Wen Lim (2), and Stefano Pironio (1)

(1) Laboratoire d'Information Quantique, CP 225, Université Libre de Bruxelles, Boulevard du Triomphe, B-1050 Brussels, Belgium
(2) Group of Applied Physics, University of Geneva, 1211 Geneva, Switzerland

Abstract. Device-independent quantum key distribution (QKD) aims to certify the security of a cryptographic key generated between two parties based only on the violation of a Bell inequality. This strongest possible form of QKD requires the manipulation of entanglement, and is thus impossible to implement in a one-way ("prepare and measure") scheme. Here, we introduce a semi-device-independent QKD scheme in the prepare-and-measure configuration where the only assumption is a bound on the dimension of the Hilbert space, and prove its security against collective attacks. Our scheme can be understood as a modification of the original BB84 protocol where an extra CHSH-type estimation is carried out by Bob on the qubits sent by Alice.

1 Introduction

Quantum key distribution (QKD) is a family of cryptographic protocols, the first of which was proposed by Bennett and Brassard in 1984 [1], where the aim is to certify the secure generation of a cryptographic key between two distant parties based on fundamental limits imposed by quantum mechanics, rather than assumptions about a potential eavesdropper's computational power.

To date however, standard security proofs of QKD protocols require unrealistic assumptions to be made about their real world implementation, in particular that the devices employed prepare precisely the states and/or perform precisely the measurements that the protocols require. In practice, however, any real world implementation of a QKD scheme will inevitably deviate from the ideal theoretical description. While it may in principle be possible to adapt existing security proofs to the implementation imperfections, the analysis is likely to be highly non-trivial. In recent years, a more elegant approach to this problem has appeared, where the security of new QKD schemes is proved based on fewer assumptions regarding the functioning of the devices employed. The ultimate goal in this direction is so-called device-independent quantum key distribution (DIQKD), where the security of a QKD scheme is certified based only on the violation of a Bell inequality, requiring no assumptions to be made about the internal working of the devices [2–8]. While this approach obviously overcomes the practical problem of implementation imperfections, it is also interesting from a conceptual point of view, as it bases the security of QKD on a minimal set of assumptions.

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 107–115, 2013.
© Springer-Verlag Berlin Heidelberg 2013
As the security of DIQKD is based on quantum nonlocality, fully device-
independent QKD requires the manipulation of shared entanglement. It is there-
fore impossible to devise a fully device-independent prepare-and-measure QKD
scheme (in which one party, Alice, sends quantum states and the other party,
Bob, performs measurements on them). Any prepare-and-measure QKD scheme
will therefore require at least some additional assumptions to be made about
the devices in Alice’s and Bob’s possession. In this work, we analyse an in-
termediate case between conventional QKD and fully device-independent QKD,
called semi-device-independent QKD, consisting of a prepare-and-measure QKD
scheme whose security depends only on the assumption that all the states emit-
ted by Alice’s device at each iteration of the protocol are contained in a two
dimensional Hilbert space. Our scheme can be understood as a variant of the
original BB84 protocol, but where Bob’s device may perform two additional mea-
surements, intended to permit a characterization of Alice’s device via a CHSH-
inspired test. We prove the security of our scheme against collective attacks.
Conceptually, our security analysis can be divided into two parts:

1. State characterization, where the value of a CHSH-inspired correlator, adapted to the prepare-and-measure scenario, is used to place a lower bound on the angle between Alice's "bases", in a sense that will be explained in more detail later, and
2. The security proof proper, where information from the state characterization and the measured quantum bit error rates (QBERs) are used to derive a lower bound on the secure keyrate.
These steps are described in subsequent sections, following a brief description of


the QKD scheme in the notation we will use throughout the remainder of this
paper.
Note that a similar scheme has already been proposed by Pawlowski and
Brunner, who proved its security against individual attacks [9].

2 Semi-device-independent QKD Protocol

We assume Alice can send one of four density matrices $\rho_a^{(x)}$, all contained in some two-dimensional Hilbert space, where $a\in\{0,1\}$ represents a bit and we loosely think of $x\in\{0,1\}$ as a choice of basis. In an ideal implementation the $\rho_a^{(x)}$ would be BB84 states, with $\{\rho_0^{(0)}, \rho_1^{(0)}\}$ corresponding to e.g. the $\sigma_z$ basis and $\{\rho_0^{(1)}, \rho_1^{(1)}\}$ to the $\sigma_x$ basis, though we do not assume they necessarily are, or even that pairs of states forming a "basis" are really orthogonal. Bob receives these states and randomly performs one of four two-outcome measurements on each one, indexed by $y\in\{0,1,2,3\}$. We note the corresponding POVM elements $M_b^{(y)}$, where $b\in\{0,1\}$ are the possible outcomes. Measurements $y = 2$ and $y = 3$ are intended for key generation and should ideally be aligned with the bases $x = 0$ and $x = 1$ respectively, while measurements $y = 0$ and $y = 1$ are intended for state characterization and should ideally be performed in the intermediate bases $(\sigma_z \pm \sigma_x)/\sqrt2$, though again we do not assume this for the purpose of our security analysis. By sacrificing a subset of their results, Alice and Bob estimate the table of conditional probabilities $P(b\,|\,axy) = \mathrm{Tr}\big[\rho_a^{(x)} M_b^{(y)}\big]$. Note that for collective attacks any adversary's interaction with the quantum communication between Alice and Bob may be absorbed into Bob's POVM elements.
Of the cases where Bob performed measurement $y = 2$ or $y = 3$, those where $x + 2 \ne y$ (mismatched bases) are discarded. The remaining results are used to estimate a quantum bit error rate (QBER) $Q(x)$ in each "basis" $x = y - 2$. The results not used to estimate the QBERs are used to generate the raw key, to which error correction and privacy amplification will ultimately be applied.

The cases where Bob performed measurement $y = 0$ or $y = 1$ are used to estimate the value of the (CHSH-inspired) correlator

$$S = \frac12 \sum_{abxy} (-1)^{a+b+xy}\, P(b\,|\,axy). \qquad (1)$$

(As this is the only use of these cases, all results where measurement $y = 0$ or $y = 1$ are performed should be used to estimate this correlator.)

We now proceed to describe how a characterization of Alice's states can be extracted from the correlator $S$, before deriving a lower bound on the secure keyrate.

3 State Characterization

Using the identity

$$\mathrm{Tr}[AB] = 2\,\langle\Phi^+|\, A\otimes B^T\, |\Phi^+\rangle, \qquad (2)$$

we can rewrite the observed probabilities as the averages of operators in the $|\Phi^+\rangle$ state:

$$P(b\,|\,axy) = 2\,\big\langle \rho_a^{(x)} \otimes M_b^{(y)T} \big\rangle_{\Phi^+}. \qquad (3)$$

Substituting (3) into (1), we find that we may express the correlator as

$$S = \big\langle A_0\otimes B_0^T + A_0\otimes B_1^T + A_1\otimes B_0^T - A_1\otimes B_1^T \big\rangle_{\Phi^+}, \qquad (4)$$

where

$$A_x = \rho_0^{(x)} - \rho_1^{(x)}, \qquad (5)$$
$$B_y = M_0^{(y)} - M_1^{(y)}. \qquad (6)$$

Note that $-\mathbb{1} \le A_x, B_y \le \mathbb{1}$. Proceeding in a manner analogous to the derivation of the Tsirelson bound, we find

$$S^2 \le \langle O\rangle_{\Phi^+} + \big\langle [A_0, A_1]\otimes [B_0, B_1]^T \big\rangle_{\Phi^+}, \qquad (7)$$
where

$$O = \big(A_0^2 + A_1^2\big)\otimes\big((B_0^T)^2 + (B_1^T)^2\big) + \big(A_0^2 - A_1^2\big)\otimes\{B_0, B_1\}^T + \{A_0, A_1\}\otimes\big((B_0^T)^2 - (B_1^T)^2\big). \qquad (8)$$

In order to place an upper bound on $\langle O\rangle_{\Phi^+}$, note that $\langle O\rangle_{\Phi^+} \le \max_\rho \langle O\rangle_\rho$. Rearranging the terms in (8),

$$\begin{aligned}
O &= (A_0 + A_1)^2\otimes(B_0^T)^2 + (A_0 - A_1)^2\otimes(B_1^T)^2 + \big(A_0^2 - A_1^2\big)\otimes\{B_0, B_1\}^T \\
  &\le (A_0 + A_1)^2\otimes\mathbb{1} + (A_0 - A_1)^2\otimes\mathbb{1} + \big|A_0^2 - A_1^2\big|\otimes 2\cdot\mathbb{1} \\
  &= 2\big(A_0^2 + A_1^2 + \big|A_0^2 - A_1^2\big|\big)\otimes\mathbb{1}. \qquad (9)
\end{aligned}$$

Because the operators $A_0$ and $A_1$ are traceless, we can express them as linear combinations of the Pauli operators:

$$A_0 = \bar p\cdot\bar\sigma, \qquad (10)$$
$$A_1 = \bar q\cdot\bar\sigma, \qquad (11)$$

for vectors $\bar p$ and $\bar q$ with $|\bar p|, |\bar q| \le 1$. Then,

$$A_0^2 + A_1^2 + \big|A_0^2 - A_1^2\big| = \big(|\bar p|^2 + |\bar q|^2 + \big|\,|\bar p|^2 - |\bar q|^2\,\big|\big)\,\mathbb{1} \le 2\cdot\mathbb{1}. \qquad (12)$$

Using this in (9), we see that $\langle O\rangle_{\Phi^+} \le 4$. Therefore,

$$\big\langle [A_0, A_1]\otimes[B_0, B_1]^T\big\rangle_{\Phi^+} \ge S^2 - 4. \qquad (13)$$

We now reapply (2) to the left hand side of (13), obtaining


) *
2 Tr [A0 , A1 ][B0 , B1 ] ≥ S − 4 .
1 2
(14)

Since ) [A0*, A1 ] , )
[B0 , B1 ] ≤ 21, and using that for arbitrary operators A and
* 
B, Tr AB ≤ Tr A B ∞ , we obtain separate constraints for the As and Bs:
) *
Tr [A0 , A1 ] ≥ S 2 − 4 , (15)
) *

Tr [B0 , B1 ] ≥ S − 4 .
2
(16)

Finally, setting [A0 , A1 ] = 2i(p̄ × q̄) · σ̄, we have

p̄ × q̄ ≥ S 2 /4 − 1 . (17)



Note that in the ideal case where S = 2 2, this implies p̄ = q̄ = 1 and
p̄ · q̄ = 0, in which case we certify that Alice was emitting (pure) BB84 states.
In general, we extract a lower bound on the angle between the two bases:

|sin(θ)| ≥ S 2 /4 − 1 . (18)
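The following Python block is an added worked example, not code from Woodhead, Lim and Pironio. It assumes pure qubit states for Alice and projective measurements for Bob, written as Bloch vectors (the preparation `alice_states`, the constant `BOB_IDEAL` and the helper names are this example's own), evaluates the correlator $S$ of Eq. (1) for Bob's ideal intermediate bases, and compares $|\bar p\times\bar q|$ and $|\sin\theta|$ with the bound $S^2/4 - 1$ of Eqs. (17) and (18) as Alice's second basis is rotated away from the BB84 configuration. The paper's bound itself needs neither assumption.

```python
"""Bloch-vector check of the state characterization, Eqs. (1), (17) and (18).
Added example, not code from the paper. It assumes pure qubit states for Alice and
sharp (projective) qubit measurements for Bob, so every probability reduces to a dot
product of Bloch vectors; the paper's bound needs neither assumption."""
import math

BB84_PHI = math.pi / 2   # angle between Alice's two bases in the ideal (BB84) case

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def norm(u):
    return math.sqrt(dot(u, u))

def cross(u, v):
    return (u[1] * v[2] - u[2] * v[1], u[2] * v[0] - u[0] * v[2], u[0] * v[1] - u[1] * v[0])

def prob(r, m, b):
    """P(b | state, measurement) = Tr[rho M_b] for rho = (1 + r.sigma)/2 and
    M_b = (1 + (-1)^b m.sigma)/2, which evaluates to (1 + (-1)^b r.m)/2."""
    return (1 + (-1) ** b * dot(r, m)) / 2

def correlator(states, meas):
    """Eq. (1): S = 1/2 sum_{a,b,x,y} (-1)^{a+b+xy} P(b | a x y).
    states[x][a] is the Bloch vector of rho_a^(x); meas[y] that of M_0^(y), y = 0, 1."""
    total = 0.0
    for x in (0, 1):
        for a in (0, 1):
            for y in (0, 1):
                for b in (0, 1):
                    total += (-1) ** (a + b + x * y) * prob(states[x][a], meas[y], b)
    return total / 2

def basis_vectors(states):
    """Bloch vectors p, q of A_x = rho_0^(x) - rho_1^(x) = ((r_0 - r_1)/2).sigma (Eqs. (5), (10), (11))."""
    return [tuple((r0 - r1) / 2 for r0, r1 in zip(*states[x])) for x in (0, 1)]

def cross_norm(states):
    """|p x q|, the left-hand side of Eq. (17)."""
    p, q = basis_vectors(states)
    return norm(cross(p, q))

def sin_angle(states):
    """|sin(theta)| for the angle theta between p and q, the left-hand side of Eq. (18)."""
    p, q = basis_vectors(states)
    return norm(cross(p, q)) / (norm(p) * norm(q))

def characterization_bound(S):
    """Right-hand side of Eqs. (17)/(18): S^2/4 - 1 (vacuous below S = 2, where it is negative)."""
    return S * S / 4 - 1

def alice_states(phi):
    """Assumed preparation (this example's own): basis x = 0 along z, basis x = 1 rotated
    by phi from z in the x-z plane (phi = pi/2 gives BB84). A pure state r has partner -r."""
    z = (0.0, 0.0, 1.0)
    v = (math.sin(phi), 0.0, math.cos(phi))
    return [[z, tuple(-c for c in z)], [v, tuple(-c for c in v)]]

# Bob's ideal characterization measurements y = 0, 1: (sigma_z + sigma_x)/sqrt2 and (sigma_z - sigma_x)/sqrt2.
BOB_IDEAL = [(1 / math.sqrt(2), 0.0, 1 / math.sqrt(2)), (-1 / math.sqrt(2), 0.0, 1 / math.sqrt(2))]

def certify(phi, meas=BOB_IDEAL):
    """Return (S, S^2/4 - 1, |sin theta|) for Alice's assumed states at basis angle phi.
    Eq. (18) guarantees the middle value never exceeds the last one."""
    st = alice_states(phi)
    S = correlator(st, meas)
    return S, characterization_bound(S), sin_angle(st)

if __name__ == "__main__":
    for phi in (BB84_PHI, 2 * BB84_PHI / 3, BB84_PHI / 3):
        S, bound, s = certify(phi)
        print(f"phi={phi:.3f}  S={S:.4f}  S^2/4-1={bound:.4f}  |sin theta|={s:.4f}")
```

At $\phi = \pi/2$ the correlator reaches $2\sqrt2$ and the bound is saturated ($|\bar p\times\bar q| = 1$); at $\phi = \pi/3$ it gives $S \approx 2.64$, so $|\sin\theta| \ge 0.74$ while the true value is $0.87$, and at $\phi = \pi/6$ the bound drops to $0.125$ against a true $0.5$. The bound is therefore a valid lower bound on the basis angle but is not tight away from the ideal preparation.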
4 Approach to Bounding the Keyrate

Assuming one-way postprocessing from Alice to Bob, a lower bound on the asymptotic secure keyrate against collective attacks is given by the Devetak-Winter bound [10]

$$r \ge H(A|E) - H(A|B). \qquad (19)$$

Here, $H(A|B)$ is the conditional Shannon entropy, defined entirely in terms of the probability distribution observed between Alice and Bob. $H(A|E)$ is the conditional von Neumann entropy in a given "basis" $x$, calculated on the classical-quantum state

$$\rho_{ABE}^{(x)} = \tfrac12\big(|0\rangle\langle0|\otimes\rho_0^{(x)} + |1\rangle\langle1|\otimes\rho_1^{(x)}\big), \qquad (20)$$

where the states $\rho_a^{(x)}$ are shared by Bob and Eve and obey the same commutation relations as those in (15).

4.1 Useful Intermediate Results


A simple way to obtain a lower bound on H(A|E) – though not a tight one –
is to use that the Shannon entropy is lower bounded by the min-entropy, which
has a simple expression in terms of the trace distance:
Lemma 1. Let $\rho_{AB}$ be a classical quantum state of the form
\[
\rho_{AB} = \tfrac12 \Big[ |0\rangle\langle 0| \otimes \rho + |1\rangle\langle 1| \otimes \tau \Big] . \tag{21}
\]
Then,
\[
H_{\min}(A|B) = 1 - \log\big(1 + \delta(\rho, \tau)\big) , \tag{22}
\]
where $\delta(\rho, \tau) = \tfrac12 \|\rho - \tau\|_1 = \tfrac12 \operatorname{Tr}|\rho - \tau|$ is the trace distance between $\rho$ and $\tau$
(and $\log \equiv \log_2$ throughout this paper).


This result can be derived from the known relation between the min-entropy
and guessing probability [11] and the Helstrom bound [12], though we also give
our own proof here.
Proof. By definition, the conditional min-entropy of this state is
\[
H_{\min}(A|B) = \max_{\sigma_B} \sup\left\{ \lambda \in \mathbb{R} : 2^{-\lambda} \mathbb{1}_A \otimes \sigma_B \geq \rho_{AB} \right\} . \tag{23}
\]
The part we need to bound is
\[
2^{-\lambda}\mathbb{1}_A \otimes \sigma_B - \rho_{AB}
= |0\rangle\langle 0| \otimes \Big(2^{-\lambda}\sigma_B - \tfrac12\rho\Big) + |1\rangle\langle 1| \otimes \Big(2^{-\lambda}\sigma_B - \tfrac12\tau\Big) \geq 0 . \tag{24}
\]
This implies both $2^{1-\lambda}\sigma_B \geq \rho$ and $2^{1-\lambda}\sigma_B \geq \tau$. The tightest fit is obtained by
setting
\[
2^{1-\lambda}\sigma_B = \tfrac12(\rho + \tau) + \tfrac12|\rho - \tau| . \tag{25}
\]
We determine $\lambda$ by taking the trace of both sides, which concludes the proof of
(22). ∎

Thus, we obtain a lower bound on $H(A|E)$ in a particular basis $x$ if we determine
an upper bound on the trace distance $\tfrac12\|A_{x,E}\|_1 = \delta\big(\rho^{(x)}_{0,E}, \rho^{(x)}_{1,E}\big)$, where $\rho^{(x)}_{a,E} = \operatorname{Tr}_B[\rho^{(x)}_a]$ is the part of $\rho^{(x)}_a$ accessible to Eve.
While the $\tfrac12\|A_{x,E}\|_1$ are not directly accessible to Alice and Bob, the
$\tfrac12\|A_{x,B}\|_1 = \delta\big(\rho^{(x)}_{0,B}, \rho^{(x)}_{1,B}\big)$ are directly related to the quantum bit error rates
$Q^{(x)}$. From the Helstrom bound [12],

\[ \tfrac12 \|A_{x,B}\|_1 \geq |1 - 2Q^{(x)}| . \tag{26} \]

The following lemma will allow us to put an upper bound on the $\tfrac12\|A_{E,x}\|_1$ given
lower bounds on the $\tfrac12\|A_{B,x}\|_1$, which will produce a lower bound on $H_{\min}(A|E)$.
Lemma 2. Let X = x̄ · σ̄ and Z = z̄ · σ̄ be two Pauli-type operators contained
in the same two dimensional Hilbert space H2 , with H2 ⊂ HA ⊗ HB , where HA
and HB are two arbitrary Hilbert spaces whose tensor product is of dimension at
least two. In the case where x̄ and z̄ are unit vectors,

\[ \tfrac14\|X_A\|_1^2 + \tfrac14\|Z_B\|_1^2 \leq 1 + |\cos(\theta)| , \tag{27} \]

where $X_A = \operatorname{Tr}_B[X]$, $Z_B = \operatorname{Tr}_A[Z]$, and $\theta$ is the angle between $X$ and $Z$, such
that $\bar x \cdot \bar z = \cos(\theta)$.
Proof. Let $P \in \mathcal{H}_A$ and $Q \in \mathcal{H}_B$ be projective operators such that $\tfrac12\|X_A\|_1 = \operatorname{Tr}[P X_A]$ and $\tfrac12\|Z_B\|_1 = \operatorname{Tr}[Q Z_B]$. We also define $P_\perp = \mathbb{1}_A - P$ and $Q_\perp = \mathbb{1}_B - Q$,
with $\mathbb{1}_A$ and $\mathbb{1}_B$ the identity operators respectively in $\mathcal{H}_A$ and $\mathcal{H}_B$. Then,

\[ \tfrac12\|X_A\|_1 = \operatorname{Tr}[P \otimes \mathbb{1}_B\, X] = -\operatorname{Tr}[P_\perp \otimes \mathbb{1}_B\, X] , \tag{28} \]
\[ \tfrac12\|Z_B\|_1 = \operatorname{Tr}[\mathbb{1}_A \otimes Q\, Z] = -\operatorname{Tr}[\mathbb{1}_A \otimes Q_\perp\, Z] . \tag{29} \]

Because $X$ and $Z$ are traceless and have their support entirely in $\mathcal{H}_2$, clearly
only the traceless part of the projections of $P \otimes \mathbb{1}_B$, $P_\perp \otimes \mathbb{1}_B$, $\mathbb{1}_A \otimes Q$, and
$\mathbb{1}_A \otimes Q_\perp$ into $\mathcal{H}_2$ matter, which means that we can reduce the LHS of (27) to

\[ \tfrac14\|X_A\|_1^2 + \tfrac14\|Z_B\|_1^2 = (\bar p \cdot \bar x)^2 + (\bar q \cdot \bar z)^2 , \tag{30} \]

with a yet-to-be-determined constraint on the vectors $\bar p$ and $\bar q$.
We will now determine the constraint in question. The derivation that follows
is largely inspired by the proof of result (23) of [13]. We choose two orthogonal
but otherwise arbitrary unit vectors $\bar u$ and $\bar v$, and an orthonormal basis $\{|0\rangle, |1\rangle\}$
of $\mathcal{H}_2$ such that
\[ \bar p \cdot \bar u = \operatorname{Tr}[P \otimes \mathbb{1}_B\, \sigma_z] = -\operatorname{Tr}[P_\perp \otimes \mathbb{1}_B\, \sigma_z] , \tag{31} \]
\[ \bar q \cdot \bar v = \operatorname{Tr}[\mathbb{1}_A \otimes Q\, \sigma_x] = -\operatorname{Tr}[\mathbb{1}_A \otimes Q_\perp\, \sigma_x] . \tag{32} \]
Then,

\[
\begin{aligned}
|\bar q \cdot \bar v| &= 2\,\mathrm{Re}\big[\langle 0| \mathbb{1}_A \otimes Q |1\rangle\big] \\
&= 2\,\mathrm{Re}\big[\langle 0| P \otimes Q |1\rangle\big] + 2\,\mathrm{Re}\big[\langle 0| P_\perp \otimes Q |1\rangle\big] \\
&\leq 2\big|\langle 0| P \otimes Q |1\rangle\big| + 2\big|\langle 0| P_\perp \otimes Q |1\rangle\big| \\
&\leq 2\sqrt{\langle P \otimes Q\rangle_0 \langle P \otimes Q\rangle_1} + 2\sqrt{\langle P_\perp \otimes Q\rangle_0 \langle P_\perp \otimes Q\rangle_1} ,
\end{aligned} \tag{33}
\]

where we use the notation $\langle O \rangle_k = \langle k|O|k\rangle$. Now, for any positive $x, y, z, w \in \mathbb{R}$, the Cauchy-Schwarz inequality implies $\sqrt{x}\sqrt{y} + \sqrt{z}\sqrt{w} \leq \sqrt{x+z}\,\sqrt{y+w}$.
Applying this to the last line of (33) yields

\[
|\bar q \cdot \bar v| \leq 2\sqrt{\langle P \otimes Q\rangle_0 + \langle P_\perp \otimes Q\rangle_1}\;\sqrt{\langle P_\perp \otimes Q\rangle_0 + \langle P \otimes Q\rangle_1} . \tag{34}
\]

Similarly, starting from $|\bar q \cdot \bar v| = \big|\operatorname{Tr}[\mathbb{1}_A \otimes Q_\perp\, \sigma_x]\big|$ and repeating the above steps,
we obtain

\[
|\bar q \cdot \bar v| \leq 2\sqrt{\langle P \otimes Q_\perp\rangle_0 + \langle P_\perp \otimes Q_\perp\rangle_1}\;\sqrt{\langle P_\perp \otimes Q_\perp\rangle_0 + \langle P \otimes Q_\perp\rangle_1} . \tag{35}
\]

Adding these and applying the Cauchy-Schwarz inequality in the same manner
as before we finally obtain

\[
\begin{aligned}
|\bar q \cdot \bar v| &\leq \sqrt{\langle P \otimes \mathbb{1}_B\rangle_0 + \langle P_\perp \otimes \mathbb{1}_B\rangle_1}\;\sqrt{\langle P_\perp \otimes \mathbb{1}_B\rangle_0 + \langle P \otimes \mathbb{1}_B\rangle_1} \\
&= \sqrt{(1 + \bar p \cdot \bar u)(1 - \bar p \cdot \bar u)} \\
&= \sqrt{1 - (\bar p \cdot \bar u)^2} ,
\end{aligned} \tag{36}
\]

or
\[ (\bar p \cdot \bar u)^2 + (\bar q \cdot \bar v)^2 \leq 1 . \tag{37} \]
This bound holds for all pairs $\bar u, \bar v$ of orthogonal unit vectors.
It is worth pointing out at this stage that, by identifying $X = \sigma_z$ and $Z = \sigma_x$
in the derivation of (37), we have already demonstrated the special case of (27)
where $\cos(\theta) = 0$:
\[ \tfrac14\|X_A\|_1^2 + \tfrac14\|Z_B\|_1^2 \leq 1 . \tag{38} \]
Note that the content of (38) is identical to that of results (23) and (24) of
[13]. Indeed, it is easy to see that the information gain $G$ defined by (9) therein
is bounded by the trace distance between the states received by Eve. We may
express this as $G \leq \tfrac12\|X_E\|_1$. Using this and the bound $|1 - 2Q| \leq \tfrac12\|Z_B\|_1$ on
the QBER in the $Z$ basis, we have

\[ G^2 + (1 - 2Q)^2 \leq 1 , \tag{39} \]

or
\[ G \leq 2\sqrt{Q(1 - Q)} . \tag{40} \]
Conversely, (40) is satisfied for all POVMs Bob and Eve could perform, including
those which saturate the bounds on $Q$ and $G$.
We now show that the left hand side of (30) is bounded by 1 + |cos(θ)|. This
is accomplished by choosing two orthogonal unit vectors ū and v̄, such that

x̄ = λū + μv̄ , (41)


z̄ = μū + λv̄ , (42)

with
\[ \lambda = \tfrac12\Big[\sqrt{1 + \cos(\theta)} + \sqrt{1 - \cos(\theta)}\Big] , \tag{43} \]
\[ \mu = \tfrac12\Big[\sqrt{1 + \cos(\theta)} - \sqrt{1 - \cos(\theta)}\Big] . \tag{44} \]

With these definitions one may verify that $|\bar x| = |\bar z| = 1$ and $\bar x \cdot \bar z = \cos(\theta)$, as
required. Then,
\[
\begin{aligned}
(\bar p \cdot \bar x)^2 + (\bar q \cdot \bar z)^2 &= \lambda^2\big[(\bar p \cdot \bar u)^2 + (\bar q \cdot \bar v)^2\big] + \mu^2\big[(\bar q \cdot \bar u)^2 + (\bar p \cdot \bar v)^2\big] \\
&\quad + 2\lambda\mu\big[(\bar p \cdot \bar u)(\bar p \cdot \bar v) + (\bar q \cdot \bar u)(\bar q \cdot \bar v)\big] \\
&\leq \lambda^2 + \mu^2 + 2|\lambda\mu| \\
&= (\lambda + |\mu|)^2 \\
&= 1 + |\cos(\theta)| .
\end{aligned} \tag{45}
\]

Applying this result yields, for example,

\[ \tfrac12\|A_{0,E}\|_1 \leq \sqrt{|\cos(\theta)| + 4Q^{(1)}(1 - Q^{(1)})} . \tag{46} \]

4.2 Result
We now have all the ingredients necessary to put a lower bound on the keyrate.
Combining the results of the previous subsection, and considering the keyrate
generated just from the basis $x = 0$ as an example, we obtain the bound
\[
r^{(0)} \geq 1 - \log\Big[1 + \sqrt{|\cos(\theta)| + 4Q^{(1)}(1 - Q^{(1)})}\Big] - h(Q^{(0)}) , \tag{47}
\]

where an upper bound on $|\cos(\theta)|$ is obtained via (18), $h(x)$ denotes the binary
entropy, and we have used that $H(A|B) \leq h(Q^{(0)})$.
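As an added worked example (my own code, not the authors'), the following Python evaluates the keyrate bound (47) together with the $|\cos\theta|$ bound implied by (18) and the binary entropy, and finds by bisection the largest symmetric QBER $Q^{(0)} = Q^{(1)}$ for which the bound stays positive; the function names and sample values are my own choices.

```python
import math


def binary_entropy(q: float) -> float:
    """h(q) in bits (log = log2 as in the paper), with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def sin_lower_bound(S: float) -> float:
    """Eq. (18): |sin(theta)| >= S^2/4 - 1, clipped to [0, 1].

    Below S = 2 the bound is vacuous (0); S = 2*sqrt(2) gives |sin(theta)| = 1.
    """
    return min(max(S * S / 4.0 - 1.0, 0.0), 1.0)


def cos_upper_bound(S: float) -> float:
    """Upper bound on |cos(theta)| that (18) implies: sqrt(1 - sin_lb^2)."""
    s = sin_lower_bound(S)
    return math.sqrt(max(1.0 - s * s, 0.0))


def eve_distance_bound(S: float, Q1: float) -> float:
    """Right-hand side of (46): bound on (1/2)||A_{0,E}||_1 from the QBER Q^(1)."""
    return math.sqrt(cos_upper_bound(S) + 4.0 * Q1 * (1.0 - Q1))


def keyrate_lower_bound(S: float, Q0: float, Q1: float) -> float:
    """Eq. (47): r^(0) >= 1 - log2(1 + delta_E) - h(Q^(0))."""
    return 1.0 - math.log2(1.0 + eve_distance_bound(S, Q1)) - binary_entropy(Q0)


def tolerable_qber(S: float, tol: float = 1e-9) -> float:
    """Largest Q = Q^(0) = Q^(1) in [0, 1/2] with keyrate_lower_bound(S, Q, Q) > 0.

    Both 4Q(1-Q) and h(Q) increase on [0, 1/2], so the bound decreases there
    and bisection is valid. Returns 0 when even error-free data gives no key.
    """
    if keyrate_lower_bound(S, 0.0, 0.0) <= 0.0:
        return 0.0
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if keyrate_lower_bound(S, mid, mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed sample values: maximal CHSH violation, two partial ones, none.
    for S in (2.0 * math.sqrt(2.0), 2.6, 2.4, 2.0):
        print(f"S={S:.3f}  |cos(theta)| <= {cos_upper_bound(S):.3f}  "
              f"r(Q=0) >= {keyrate_lower_bound(S, 0.0, 0.0):.3f}  "
              f"max symmetric QBER = {tolerable_qber(S):.4f}")
```

With no CHSH violation ($S = 2$) the bound is zero even at zero error, which is the point of the test: the certification of Alice's states comes entirely from $S > 2$.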
It should be noted that the asymptotic keyrate derived here is far from opti-
mal. The main reason for this is that we have opted to bound the min-entropy,
due to its simple expression (22) in terms of the trace distance between the
states it is defined on. Another limitation is that (27) is not a tight inequality,
except in the case where $\tfrac12\|X_A\|_1 = \tfrac12\|Z_B\|_1$. We believe it is possible to derive
significantly better bounds, more in line with those known for BB84 or based on
entropic uncertainty relations. This will form the subject of future work.

Acknowledgements. We acknowledge support from the National Centre of
Competence in Research QSIT, the Swiss NanoTera project QCRYPT, the FP7
Marie-Curie IAAP QCERT project, the European EU FP7 QCS project, the
CHIST-ERA DIQIP project, the Interuniversity Attraction Poles Photonics@be
Programme (Belgian Science Policy). E. W. acknowledges support from the
Fonds pour la formation à la Recherche dans l’Industrie et dans l’Agriculture
(F.R.I.A.). S. P. acknowledges the Brussels-Capital Region for a BB2B grant.

References
1. Bennett, C.H., Brassard, G.: Quantum cryptography: Public key distribution and
coin tossing. In: Proceedings of IEEE International Conference on Computers,
Systems and Signal Processing, Bangalore, India, vol. 11, pp. 175–179 (1984)
2. Ekert, A.K.: Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67,
661–663 (1991)
3. Mayers, D., Yao, A.: Self testing quantum apparatus. Quantum Info. Comput. 4,
273–286 (2004)
4. Barrett, J., Hardy, L., Kent, A.: No signaling and quantum key distribution. Phys.
Rev. Lett. 95, 010503 (2005)
5. Acín, A., Brunner, N., Gisin, N., Massar, S., Pironio, S., Scarani, V.: Device-
independent security of quantum cryptography against collective attacks. Phys.
Rev. Lett. 98, 230501 (2007)
6. Pironio, S., Acín, A., Brunner, N., Gisin, N., Massar, S., Scarani, V.: Device-
independent quantum key distribution secure against collective attacks. New Jour-
nal of Physics 11(4), 045021 (2009)
7. Masanes, L., Pironio, S., Acín, A.: Secure device-independent quantum key distri-
bution with causally independent measurement devices. Nature Communications 2,
283 (2011)
8. Hänggi, E., Renner, R.: Device-independent quantum key distribution with com-
muting measurements (September 2010)
9. Pawlowski, M., Brunner, N.: Semi-device-independent security of one-way quantum
key distribution. Phys. Rev. A 84, 010302 (2011)
10. Devetak, I., Winter, A.: Distillation of secret key and entanglement from quantum
states. Proceedings of the Royal Society A: Mathematical, Physical and Engineer-
ing Science 461(2053), 207–235 (2005)
11. König, R., Renner, R., Schaffner, C.: The operational meaning of min- and max-
entropy. IEEE Transactions on Information Theory 55(9), 4337–4347 (2009)
12. Helstrom, C.W.: Quantum Detection and Estimation Theory. Academic Press,
New York (1976)
13. Fuchs, C.A., Gisin, N., Griffiths, R.B., Niu, C.S., Peres, A.: Optimal eavesdropping
in quantum cryptography. I. Information bound and optimal strategy. Phys. Rev.
A 56(2), 1163–1172 (1997)
On Some Special Cases
of the Entropy Photon-Number Inequality

Smarajit Das¹, Naresh Sharma¹, and Siddharth Muthukrishnan²

¹ School of Technology and Computer Science,
Tata Institute of Fundamental Research, Mumbai 400 005
² Department of Physics and Astronomy, University of Southern California,
Los Angeles, CA 90089 USA
{smarajit,nsharma}@tifr.res.in, muthukri@usc.edu

Abstract. We show that the Entropy Photon-Number Inequality (EPnI) holds
where one of the input states is the vacuum state and for several candidates of
the other input state, including the cases where the state has the number states as
its eigenvectors and either has only two non-zero eigenvalues or has an arbitrary
number of non-zero eigenvalues but is a high-entropy state. We also discuss the
conditions which, if satisfied, would lead to an extension of these results.

Keywords: entropy photon number inequality, bosonic channels.

1 Introduction

The Entropy Photon Number Inequality (EPnI) was conjectured by Guha et al. [1].
EPnI has a classical analogue called Entropy power inequality which is stated as fol-
lows. Let X and Y be independent random variables with densities and h(X) be the
differential entropy of X, then

e2h(X+Y ) ≥ e2h(X) + e2h(Y ) (1)

holds. It was first stated by Shannon in Ref. [2] and the proof was given by Stam and
Blachman [3,4].
The EPnI has some important consequences in quantum information theory. In par-
ticular, if this conjecture is true, then one would be able to establish the classical ca-
pacity of certain bosonic channels [1,5]. EPnI is shown to imply two minimum output
entropy conjectures, which would suffice to prove the capacity of several other channels
such as the thermal noise channel [5] and the bosonic broadcast channel [6,7].
The statement of the inequality is as follows. Let a and b be the photon annihilation
operators and let the joint state of the modes associated with a and b be the product state,
i.e., ρAB = ρA ⊗ ρB , where ρA and ρB are the density operators associated with the
a and b modes respectively. For the beam-splitter with inputs a and b and output c with
transmissivity η and reflectivity 1 − η respectively, the annihilation operator evolution
is given by

\[ c = \sqrt{\eta}\, a + \sqrt{1 - \eta}\, b , \tag{2} \]

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 116–127, 2013.

© Springer-Verlag Berlin Heidelberg 2013
On Some Special Cases of the Entropy Photon-Number Inequality 117

The EPnI is now stated as

g −1 [S(ρC )] ≥ ηg −1 [S(ρA )] + (1 − η)g −1 [S(ρB )] , (3)

where
g(x) = (x + 1) log(x + 1) − x log(x) (4)
is the von Neumann entropy of the thermal state with mean photon-number x, and
S(ρ) = −Tr(ρ log ρ) is the von Neumann entropy.
In this paper, we prove the EPnI for the case where ρB is the vacuum state and ρA has
the number states as its eigenvectors and either has two nonzero eigenvalues or has high
von Neumann entropy with an arbitrary number of eigenvalues. There are other candidates
as well for which special cases of the EPnI hold, and these are mentioned later.

2 The Beam-Splitter Transformation


We obtain the output density matrix ρC from the beam-splitter transformations. The
annihilation operators for the two outputs are

\[ c = \sqrt{\eta}\, a + \sqrt{1 - \eta}\, b , \tag{5} \]
\[ d = e^{\iota\phi}\big(\sqrt{1 - \eta}\, a - \sqrt{\eta}\, b\big) , \tag{6} \]

where [a, a† ] = [b, b† ] = [c, c† ] = [d, d† ] = I and [a, b] = [a, c] = [a, d] = 0 and so on.
We assume that the input density operators are diagonal in the number state basis and
hence,
\[
\rho_{AB} = \sum_{i=0}^{\infty}\sum_{j=0}^{\infty} x_i y_j\, |i\rangle_A |j\rangle_B \langle i|_A \langle j|_B , \tag{7}
\]
where $x_i$ and $y_j$ are the $i$th and $j$th eigenvalues of A and B respectively, and $|i\rangle_A$ and $|j\rangle_B$
are the Fock number states for the systems A and B respectively. Any state $|i\rangle_A |j\rangle_B$
can be written as (see Ref. [8] for example)
\[
|i\rangle_A |j\rangle_B = \frac{(a^\dagger)^i (b^\dagger)^j}{\sqrt{i!}\,\sqrt{j!}}\, |0\rangle_A |0\rangle_B . \tag{8}
\]
From (5) and (6), we get $a^\dagger = \sqrt{\eta}\, c^\dagger + \sqrt{1-\eta}\, e^{\iota\phi} d^\dagger$ and $b^\dagger = \sqrt{1-\eta}\, c^\dagger - \sqrt{\eta}\, e^{\iota\phi} d^\dagger$.
Using these with (8), we get the transformation
\[
|i\rangle_A |j\rangle_B \xrightarrow{\text{B.S.}} \frac{\big(\sqrt{\eta}\, c^\dagger + \sqrt{1-\eta}\, e^{\iota\phi} d^\dagger\big)^i \big(\sqrt{1-\eta}\, c^\dagger - \sqrt{\eta}\, e^{\iota\phi} d^\dagger\big)^j}{\sqrt{i!}\,\sqrt{j!}}\, |0\rangle_C |0\rangle_D , \tag{9}
\]
where B.S. indicates the action of the beam splitter. Using the fact that the operators $c^\dagger$
and $d^\dagger$ commute and the binomial expansion, we get
\[
|i\rangle_A |j\rangle_B \xrightarrow{\text{B.S.}} \frac{1}{\sqrt{i!}\,\sqrt{j!}} \sum_{k=0}^{i}\sum_{l=0}^{j} \binom{i}{k}\binom{j}{l}\, e^{\iota(k+l)\phi} (-1)^l\, \eta^{\frac{i-k+l}{2}} (1-\eta)^{\frac{j-l+k}{2}}\, (c^\dagger)^{(i+j)-(k+l)} (d^\dagger)^{k+l}\, |0\rangle_C |0\rangle_D . \tag{10}
\]

Incorporating the action of $c^\dagger$ and $d^\dagger$ on the vacuum states of C and D, we get
\[
|i\rangle_A |j\rangle_B \xrightarrow{\text{B.S.}} \frac{1}{\sqrt{i!}\,\sqrt{j!}} \sum_{k=0}^{i}\sum_{l=0}^{j} \binom{i}{k}\binom{j}{l}\, e^{\iota(k+l)\phi} (-1)^l\, \eta^{\frac{i-k+l}{2}} (1-\eta)^{\frac{j-l+k}{2}}\, \sqrt{[(i+j)-(k+l)]!\,(k+l)!}\; |(i+j)-(k+l)\rangle_C\, |k+l\rangle_D . \tag{11}
\]

Hence, we arrive at the expression for ρCD as
\[
\begin{aligned}
\rho_{CD} = \sum_{i=0}^{\infty}\sum_{j=0}^{\infty} \frac{x_i y_j}{i!\,j!} \sum_{k=0}^{i}\sum_{l=0}^{j}\sum_{k'=0}^{i}\sum_{l'=0}^{j} &\; e^{\iota[(k+l)-(k'+l')]\phi}\, (-1)^{l+l'} \binom{i}{k}\binom{j}{l}\binom{i}{k'}\binom{j}{l'} \\
&\; \eta^{\,i - \frac{k+k'}{2} + \frac{l+l'}{2}}\, (1-\eta)^{\,j - \frac{l+l'}{2} + \frac{k+k'}{2}} \\
&\; \sqrt{[(i+j)-(k+l)]!\,(k+l)!}\;\sqrt{[(i+j)-(k'+l')]!\,(k'+l')!} \\
&\; |(i+j)-(k+l)\rangle_C\, |k+l\rangle_D\, \langle (i+j)-(k'+l')|_C\, \langle k'+l'|_D .
\end{aligned} \tag{12}
\]

Now, tracing out system D, we get
\[
\begin{aligned}
\rho_C = \sum_{i=0}^{\infty}\sum_{j=0}^{\infty} \frac{x_i y_j}{i!\,j!} \sum_{k=0}^{i}\sum_{l=0}^{j}\sum_{k'=0}^{i}\sum_{l'=0}^{j} &\; (-1)^{l+l'} \binom{i}{k}\binom{j}{l}\binom{i}{k'}\binom{j}{l'}\, \eta^{\,i - \frac{k+k'}{2} + \frac{l+l'}{2}}\, (1-\eta)^{\,j - \frac{l+l'}{2} + \frac{k+k'}{2}} \\
&\; [(i+j)-(k+l)]!\,(k+l)!\; |(i+j)-(k+l)\rangle\langle (i+j)-(k+l)|\; \delta_{k+l,\,k'+l'} .
\end{aligned} \tag{13}
\]

We now consider the special case when ρB is a vacuum state. Let the set of all prob-
ability vectors (with infinite length) be denoted by $\mathcal{P}$; if $\mathbf{x} \in \mathcal{P}$, then $\sum_{i=0}^{\infty} x_i = 1$
and $x_i \geq 0\ \forall\, i \geq 0$. Then (13) reduces to

\[ \rho_C = \sum_{i=0}^{\infty} z_i\, |i\rangle_C \langle i|_C , \tag{14} \]

where $\mathbf{z} = M_\eta(\mathbf{x}) \triangleq M(\eta, \mathbf{x})$, $M : [0,1] \times \mathcal{P} \to \mathcal{P}$ is a transformation given by

\[ z_i = \sum_{k=i}^{\infty} \binom{k}{i} \eta^i (1-\eta)^{k-i} x_k . \tag{15} \]

Hence, (3) reduces to

\[ g^{-1}\{H[M_\eta(\mathbf{x})]\} \geq \eta\, g^{-1}[H(\mathbf{x})] . \tag{16} \]

Note that this equation is expected to hold for all $\mathbf{x} \in \mathcal{P}$ and $\eta \in [0,1]$. The inequality
is trivially true for $\eta = 0$ since $M_0(\mathbf{x}) = [1, 0, \ldots]$ implying $H[M_0(\mathbf{x})] = 0$, and for
$\eta = 1$ since $M_1(\mathbf{x}) = \mathbf{x}$.

3 ρA Is Two-Dimensional in the Number State Basis and ρB Is the Vacuum State

Let
\[ H_b(p) \triangleq -p\log(p) - (1-p)\log(1-p) \tag{17} \]

be the binary entropy of a two-point probability distribution [p, 1 − p] with 0 ≤
p ≤ 1. Let the eigenvalues of ρA be given by the probability vector $\mathbf{x} = [1-\alpha, \alpha, 0, \ldots]$.
Therefore, $H(\mathbf{x}) = H_b(\alpha)$ and $H[M_\eta(\mathbf{x})] = H_b(\eta\alpha)$. We now prove (16) for the above
case.

Lemma 1. For all η ∈ [0, 1] and α ∈ [0, 1], we have

\[ g^{-1}[H_b(\eta\alpha)] \geq \eta\, g^{-1}[H_b(\alpha)] , \tag{18} \]

with equality if and only if η ∈ {0, 1} or α = 0.

Proof. One can see that $g^{-1}[H_b(\eta\alpha)] = \eta\, g^{-1}[H_b(\alpha)]$ if η ∈ {0, 1} or α = 0. In all
other cases, we show that

\[ g^{-1}[H_b(\eta\alpha)] > \eta\, g^{-1}[H_b(\alpha)] . \tag{19} \]

Let $f(\beta) \triangleq g^{-1}[H_b(\beta)]$. The Lemma is equivalent to showing that $f(\beta)/\beta$ is
a strictly decreasing function in $0 < \beta \leq 1$. Note that since $g(\beta) = H_b(\beta) +
2[\log(2) - H_b(1/2 + \beta/2)]$ and $\log(2) > H_b(1/2 + \beta/2)$ for all $\beta \in (0,1)$, hence
$g(\beta) > H_b(\beta)$ for all $0 < \beta < 1$. Since $g$ is one-to-one and increasing, we have
$g^{-1}[H_b(\beta)] < \beta$ for all $0 < \beta < 1$, or $f(\beta) < \beta$ for all $0 < \beta < 1$.
It is not difficult to see that

\[
\frac{d}{d\beta}\,\frac{f(\beta)}{\beta} = \frac{\log\{(1-\beta)[1+f(\beta)]\}}{\beta^2 \log\frac{1+f(\beta)}{f(\beta)}} , \tag{20}
\]

and since, using $f(\beta) < \beta$ for all $0 < \beta < 1$, it follows that $(1-\beta)[1+f(\beta)] < 1$ for
all $0 < \beta < 1$, hence $f(\beta)/\beta$ is a strictly decreasing function in $0 < \beta \leq 1$.

Recall that if the distribution of a random variable X is Binomial, denoted by
$\mathrm{Bin}(L,\eta) \in \mathcal{P}$, then $\mathrm{Bin}(L,\eta,k) \triangleq \Pr\{X = k\} = \binom{L}{k}\eta^k(1-\eta)^{L-k}$ if $k \in
\{0, 1, \ldots, L\}$ and is zero otherwise.
Let the two non-zero entries of the probability vector $\mathbf{x}^{N,P}$ be at the N-th and P-th
position, i.e., $x_N = 1-\alpha$, $x_P = \alpha$, and let $\mathbf{z}^{N,P} = M_\eta(\mathbf{x}^{N,P})$.

Lemma 2. For all η ∈ [0, 1], α ∈ [0, 1] and L ≥ 1, we have
\[ g^{-1}\big[H(\mathbf{z}^{N,P})\big] \geq \eta\, g^{-1}\big[H(\mathbf{x}^{N,P})\big] . \]

Proof. The proof can be found in Appendix A.



4 ρA Has Number States as Eigenvectors and ρB Is the Vacuum State

We have observed that the EPnI holds when ρA has two non-zero eigenvalues with
eigenvectors as the number states and ρB is a vacuum state. We now consider the case
when ρA has number states as the eigenvectors and could have an arbitrary number of
nonzero eigenvalues and ρB is the vacuum state. We derive some necessary and suffi-
cient conditions for this inequality to hold.
We first note that $M_\eta[M_{\eta'}(\mathbf{x})] = M_{\eta\eta'}(\mathbf{x})\ \forall\, \eta, \eta' \in [0,1]$ and $\mathbf{x} \in \mathcal{P}$. To prove this,
let $\mathbf{y} = M_{\eta'}(\mathbf{x})$, $\mathbf{z} = M_\eta(\mathbf{y})$ and note that
\begin{align}
z_i &= \sum_{k=i}^{\infty} \binom{k}{i} \eta^i (1-\eta)^{k-i} y_k \tag{21} \\
&= \sum_{k=i}^{\infty} \binom{k}{i} \eta^i (1-\eta)^{k-i} \sum_{j=k}^{\infty} \binom{j}{k} (\eta')^k (1-\eta')^{j-k} x_j \tag{22} \\
&= \sum_{j=i}^{\infty} \binom{j}{i} (\eta\eta')^i \sum_{k-i=0}^{j-i} \binom{j-i}{k-i} (\eta' - \eta\eta')^{k-i} (1-\eta')^{j-k} x_j \tag{23} \\
&= \sum_{j=i}^{\infty} \binom{j}{i} (\eta\eta')^i (1-\eta\eta')^{j-i} x_j . \tag{24}
\end{align}

To simplify the notation, let us define

\[ H(\eta, \mathbf{x}) \triangleq H(M_\eta \mathbf{x}) , \tag{25} \]
\[ h(\eta, \mathbf{x}) \triangleq g^{-1}[H(\eta, \mathbf{x})] . \tag{26} \]

As $M_1$ is an identity transformation, we sometimes write $H(\mathbf{x})$ for $H(1, \mathbf{x})$ and $h(\mathbf{x})$
for $h(1, \mathbf{x})$. Note that $h(1, \mathbf{x}) = g^{-1}[H(\mathbf{x})]$ and therefore, (16) can be rephrased as
\[ \frac{h(\eta, \mathbf{x})}{\eta} \geq h(1, \mathbf{x}) . \tag{27} \]
It is not difficult to see that if (16) holds, then $h(\eta, \mathbf{x})/\eta$ is a decreasing function in η.
To see this, let $\eta' \leq \eta$ and $\delta = \eta'/\eta$ where $0 \leq \delta \leq 1$. Then
\begin{align}
\frac{h(\eta', \mathbf{x})}{\eta'} &= \frac{h[\delta, M_\eta(\mathbf{x})]}{\delta}\,\frac{1}{\eta} \tag{28} \\
&\geq \frac{h[1, M_\eta(\mathbf{x})]}{\eta} \tag{29} \\
&= \frac{h(\eta, \mathbf{x})}{\eta} . \tag{30}
\end{align}
As $h(\eta, \mathbf{x})/\eta$ is differentiable, we have
\[
\frac{d}{d\eta}\,\frac{h(\eta, \mathbf{x})}{\eta} = \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} - H(\eta, \mathbf{x}) + \log[1 + h(\eta, \mathbf{x})] . \tag{31}
\]

Lemma 3. Let $M_\eta : [0,1] \times \mathcal{P} \to \mathcal{P}$ be the transformation given by (15). The following
are equivalent:

\begin{align}
&\text{(i)}\quad h(\eta, \mathbf{x}) \geq \eta\, h(1, \mathbf{x}) \quad \forall\, \mathbf{x} \in \mathcal{P},\ \forall\, \eta \in (0,1], \tag{32} \\
&\text{(ii)}\quad \frac{d}{d\eta}\,\frac{h(\eta, \mathbf{x})}{\eta} \leq 0 \quad \forall\, \mathbf{x} \in \mathcal{P},\ \forall\, \eta \in (0,1], \tag{33} \\
&\text{(iii)}\quad \left.\frac{d}{d\eta}\,\frac{h(\eta, \mathbf{x})}{\eta}\right|_{\eta=1} \leq 0 \quad \forall\, \mathbf{x} \in \mathcal{P}. \tag{34}
\end{align}

Proof. It is clear from (30) that (i) and (ii) are equivalent. Furthermore, (ii) implies
(iii) since (iii) is a special case of (ii). We prove that (iii) implies (ii). Note that

\begin{align}
\left.\frac{d}{d\beta}\,\frac{h[\beta, M_\eta(\mathbf{x})]}{\beta}\right|_{\beta=1} &= \left.\frac{d}{d\beta}\,\frac{h(\eta\beta, \mathbf{x})}{\beta}\right|_{\beta=1} \tag{35} \\
&= \eta^2 \left.\frac{d}{d\theta}\,\frac{h(\theta, \mathbf{x})}{\theta}\right|_{\theta=\eta} . \tag{36}
\end{align}

Now (iii) implies that

\[ \left.\frac{d}{d\theta}\,\frac{h(\theta, \mathbf{x})}{\theta}\right|_{\theta=\eta} \leq 0 \tag{37} \]

and hence, (ii) follows using (36).

We now state EPnI in (16) in the form of an entropic inequality, i.e., an inequality
involving the Shannon entropy of discrete probability distributions. By Lemma 3, (16) is
equivalent to

\[ \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} - H(\eta, \mathbf{x}) + \log[1 + h(\eta, \mathbf{x})] \leq 0 . \tag{38} \]

The above can be expressed as

\[ g\Big[e^{H(\eta,\mathbf{x}) - \eta \frac{dH(\eta,\mathbf{x})}{d\eta}} - 1\Big] \geq H(\eta, \mathbf{x}) . \tag{39} \]

Note that $g(1/\beta - 1) = H_b(\beta)/\beta\ \forall\, \beta \in [0,1]$ and hence, (16) is equivalent to showing
that
\[
H(\eta, \mathbf{x}) \leq \frac{H_b\Big[e^{-H(\eta,\mathbf{x}) + \eta \frac{dH(\eta,\mathbf{x})}{d\eta}}\Big]}{e^{-H(\eta,\mathbf{x}) + \eta \frac{dH(\eta,\mathbf{x})}{d\eta}}} . \tag{40}
\]
For the two dimensional case with $\eta = 1$, $\mathbf{x} = [\alpha, 1-\alpha, 0, \ldots]$, $\alpha \in [0,1]$, $H(\eta, \mathbf{x}) -
\eta\, dH(\eta, \mathbf{x})/d\eta = -\log(\alpha)$, $H(\mathbf{x}) = H_b(\alpha)$, and substituting this in (40), we get

\[ H_b(\alpha) \leq \frac{H_b(\alpha)}{\alpha} , \tag{41} \]

which is true. This gives a short proof of (16) for this special case. Evaluating (40)
at η = 1 gives an interesting expression that depends only on the distribution $\mathbf{x}$. It is
shown in (16) that
\[
\Theta(\mathbf{x}) \triangleq \left.\frac{dH(\eta, \mathbf{x})}{d\eta}\right|_{\eta=1} = -\sum_{i=1}^{\infty} i\, x_i \log\frac{x_i}{x_{i-1}} , \tag{42}
\]

and hence, (40) reduces to

\[
H(\mathbf{x}) \leq \frac{H_b\big[e^{-H(\mathbf{x}) + \Theta(\mathbf{x})}\big]}{e^{-H(\mathbf{x}) + \Theta(\mathbf{x})}} . \tag{43}
\]
The above inequality involves only entropies and another function Θ of the distribution
but, to the best of our knowledge, has never been studied before in the literature.
We now show that if (16) is true, then it implies that

\[ \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} \leq 1 , \tag{44} \]
\[ \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} \leq H(\eta, \mathbf{x}) . \tag{45} \]

If (16) holds, then using Lemma 3, we have

\[ H(\eta, \mathbf{x}) - \eta\, dH(\eta, \mathbf{x})/d\eta \geq \log[1 + h(\eta, \mathbf{x})] . \]

As $\log[1 + h(\eta, \mathbf{x})] \geq 0$, we have $H(\eta, \mathbf{x}) - \eta\, dH(\eta, \mathbf{x})/d\eta \geq 0$, which proves (45).

Using Lemma 3 again, we have

\[ \eta\, dH(\eta, \mathbf{x})/d\eta - H(\eta, \mathbf{x}) + \log[1 + h(\eta, \mathbf{x})] \leq 0 . \]

It is enough to prove that $H(\eta, \mathbf{x}) - \log[1 + h(\eta, \mathbf{x})] \leq 1$, i.e.,

\[ 1 + g^{-1}[H(\eta, \mathbf{x})] \geq e^{H(\eta, \mathbf{x}) - 1} . \tag{46} \]

We first consider the case when $0 \leq H(\eta, \mathbf{x}) \leq 1$. Then $e^{H(\eta, \mathbf{x}) - 1} \leq 1$. Therefore,
$1 + g^{-1}[H(\eta, \mathbf{x})] \geq e^{H(\eta, \mathbf{x}) - 1}$ and (44) holds.
Now consider $H(\eta, \mathbf{x}) \geq 1$. Hence, it is enough to prove that $1 + g^{-1}(x) \geq e^{x-1}\ \forall\,
x \geq 1$, or, $x + 1 \geq g(e^x - 1)\ \forall\, x \geq 0$. Simplifying, we can show that this is equivalent
to showing that $r(e^{-x}) \geq 0$, where $r : [0,1] \to \mathbb{R}$ and

\[ r(x) = x + (1-x)\log(1-x) . \tag{47} \]

Note that $r(0) = 0$ and $dr(x)/dx = -\log(1-x) \geq 0\ \forall\, x \in [0,1]$. Therefore, $r(x) \geq 0$
$\forall\, x \in [0,1]$ and (44) follows.
(44) and (45) are the necessary conditions for (16) to hold. We now show that they
both hold under general conditions.

Lemma 4. For all η ∈ [0, 1] and $\mathbf{x} \in \mathcal{P}$, the following hold:

\[ \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} < 1 , \tag{48} \]
\[ \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} \leq H(\eta, \mathbf{x}) \tag{49} \]

with equality if and only if $M_\eta(\mathbf{x}) = [1, 0, \ldots]$.

Proof. The proof can be found in Appendix B.

We now show that (16) holds if $H(\mathbf{x})$ is sufficiently large.

Lemma 5. For a given η ∈ (0, 1), $\mathbf{x} \in \mathcal{P}$, (16) holds if $H(\mathbf{x})$ is large enough.

Proof. Using (39), we need to show that

\[ g\Big[e^{H(\eta,\mathbf{x}) - \eta\, dH(\eta,\mathbf{x})/d\eta} - 1\Big] \geq H(\eta, \mathbf{x}) . \tag{50} \]

We have
\begin{align}
g\Big[e^{H(\eta,\mathbf{x}) - \eta\, dH(\eta,\mathbf{x})/d\eta} - 1\Big] &\overset{a}{>} H(\eta, \mathbf{x}) + \delta - e^{-H(\eta,\mathbf{x}) + \eta\, dH(\eta,\mathbf{x})/d\eta} \tag{51} \\
&\overset{b}{>} H(\eta, \mathbf{x}) + \delta - e^{-H(\eta,\mathbf{x}) + 1} \geq H(\eta, \mathbf{x}) \tag{52}
\end{align}

where in a, we use the inequality that $g(e^x - 1) \geq x + 1 - e^{-x}$ and we use Lemma 4
to get $\eta\, dH(\eta, \mathbf{x})/d\eta < 1 - \delta$ for some $\delta > 0$; in b, we use $\eta\, dH(\eta, \mathbf{x})/d\eta < 1$; and the
last inequality would hold if $H(\eta, \mathbf{x}) \geq 1 - \log(\delta)$, or if $H(\eta, \mathbf{x})$ is large enough.
We now show that if $H(\mathbf{x})$ is large, then so is $H(\eta, \mathbf{x})$ for η ∈ (0, 1). Define

\[ q(\eta, \mathbf{x}) \triangleq \frac{H(\eta, \mathbf{x})}{\eta} . \tag{53} \]

Differentiating w.r.t. η, we get using (49),

\[
\frac{dq(\eta, \mathbf{x})}{d\eta} = \frac{1}{\eta^2}\left[\eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} - H(\eta, \mathbf{x})\right] \leq 0 . \tag{54}
\]

Hence, $q(\eta, \mathbf{x})$ is a decreasing function of η and $H(\eta, \mathbf{x}) \geq \eta H(\mathbf{x})$. Similarly, using
(48), we get
\begin{align}
\int_\eta^1 dH(\beta, \mathbf{x}) &< \int_\eta^1 \frac{d\beta}{\beta} \tag{55} \\
H(\eta, \mathbf{x}) &> H(\mathbf{x}) + \log(\eta) . \tag{56}
\end{align}

Hence, $H(\eta, \mathbf{x}) \geq \max\{\eta H(\mathbf{x}),\, H(\mathbf{x}) + \log(\eta)\}$. This shows that if $H(\mathbf{x})$ is large,
then so is $H(\eta, \mathbf{x})$ and hence, (16) would hold for any η ∈ (0, 1] for large $H(\mathbf{x})$.
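As an added numerical check (my own code, not the authors'), the following Python implements the map $M_\eta$ of (15) on truncated probability vectors, computes $g^{-1}$ by bisection, and evaluates the EPnI gap of (16), the composition rule $M_\eta[M_{\eta'}(\mathbf{x})] = M_{\eta\eta'}(\mathbf{x})$ of (21)-(24), and the entropic form (42)-(43); entropies are in nats, which is harmless since the same logarithm is used inside $g$. It goes beyond the page in one respect: a thermal (geometric) input of mean $\bar n$ is mapped by $M_\eta$ to a thermal distribution of mean $\eta\bar n$, so (16) then holds with equality, and the code verifies this as well.

```python
import math
from typing import List


def g(x: float) -> float:
    """Eq. (4): entropy (nats) of a thermal state with mean photon number x."""
    if x <= 0.0:
        return 0.0
    return (x + 1.0) * math.log(x + 1.0) - x * math.log(x)


def g_inv(y: float, tol: float = 1e-12) -> float:
    """Inverse of g on [0, inf) by bisection (g is strictly increasing)."""
    if y <= 0.0:
        return 0.0
    lo, hi = 0.0, 1.0
    while g(hi) < y:
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) < y:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def entropy(p: List[float]) -> float:
    """Shannon entropy H(p) in nats, with 0 log 0 = 0."""
    return -sum(v * math.log(v) for v in p if v > 0.0)


def binary_entropy(p: float) -> float:
    """H_b(p) of (17)."""
    return entropy([p, 1.0 - p])


def beam_splitter(x: List[float], eta: float) -> List[float]:
    """Eq. (15): z_i = sum_{k>=i} C(k,i) eta^i (1-eta)^(k-i) x_k on a truncated vector.

    The truncation is exact when x has no support beyond its last entry.
    """
    n = len(x)
    return [
        sum(math.comb(k, i) * eta ** i * (1.0 - eta) ** (k - i) * x[k] for k in range(i, n))
        for i in range(n)
    ]


def epni_gap(x: List[float], eta: float) -> float:
    """LHS minus RHS of (16): g^{-1}(H(M_eta x)) - eta g^{-1}(H(x)); >= 0 means EPnI holds."""
    return g_inv(entropy(beam_splitter(x, eta))) - eta * g_inv(entropy(x))


def theta(x: List[float]) -> float:
    """Eq. (42): Theta(x) = -sum_{i>=1} i x_i log(x_i/x_{i-1}) = dH(eta,x)/deta at eta=1.

    Assumes x_{i-1} > 0 whenever x_i > 0 (true for every input used here).
    """
    return -sum(i * x[i] * math.log(x[i] / x[i - 1]) for i in range(1, len(x)) if x[i] > 0.0)


def entropic_form_gap(x: List[float]) -> float:
    """RHS minus LHS of (43): H_b(b)/b - H(x) with b = exp(-H(x) + Theta(x))."""
    b = math.exp(-entropy(x) + theta(x))
    return binary_entropy(b) / b - entropy(x)


def thermal(nbar: float, n_terms: int = 80) -> List[float]:
    """Truncated geometric (thermal) distribution of mean nbar; the tail is negligible."""
    return [nbar ** k / (nbar + 1.0) ** (k + 1) for k in range(n_terms)]


if __name__ == "__main__":
    # Constructed sample inputs: the two-point case of Section 3 and a thermal input.
    print("two-point x=[0.7,0.3], eta=0.5: gap =", epni_gap([0.7, 0.3], 0.5))   # > 0 (Lemma 1)
    print("thermal nbar=1, eta=0.5: gap =", epni_gap(thermal(1.0), 0.5))         # ~ 0 (equality)
    x = [0.5, 0.3, 0.2]
    print("Theta(x) =", theta(x), " H(x) =", entropy(x), " (43) slack =", entropic_form_gap(x))
```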

5 Discussion
The Entropy Photon-Number Inequality (EPnI) conjecture has been settled in the affirmative
when one of the input states is the vacuum state and for several candidates of the other
input state, including the cases where the state has the number states as its eigenvectors
and either has only two non-zero eigenvalues or has an arbitrary number of non-zero
eigenvalues but is a high-entropy state. Using Fannes’ inequality [9,10], one can easily
check that the EPnI continues to hold even if the two input states, one being the vacuum state
and the other having two non-zero eigenvalues in the number state basis, are perturbed by
a small amount, as long as the dimension of the new states after perturbation remains
finite.

References
1. Guha, S., Erkmen, B.I., Shapiro, J.H.: The Entropy Photon-Number Inequality and its Con-
sequences. Open Problems Session, ITA, UCSD (2008)
2. Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27, 379–423,
623–655 (1948)
3. Stam, A.J.: Some inequalities satisfied by the quantities of information of Fisher and Shan-
non. Inf. Contr. 2, 101–112 (1959)
4. Blachman, N.M.: The convolution inequality for entropy powers. IEEE Trans. Inf. Theory 11,
267–271 (1965)
5. Giovannetti, V., Guha, S., Lloyd, S., Maccone, L., Shapiro, J.H., Yuen, H.P.: Classical capac-
ity of the lossy bosonic channel: The exact solution. Phys. Rev. Lett. 92, 027902 (2004)
6. Guha, S., Shapiro, J.H., Erkmen, B.I.: Classical capacity of bosonic broadcast communica-
tion and a minimum output entropy conjecture. Phys. Rev. A 76, 032303 (2007)
7. Guha, S., Shapiro, J.H., Erkmen, B.I.: Capacity of the bosonic wiretap channel and the en-
tropy photon-number inequality. In: Proceedings of IEEE International Symposium on In-
formation Theory, pp. 91–95 (2008)
8. Gerry, C., Knight, P.: Introductory Quantum Optics. Cambridge University Press (2004)
9. Fannes, M.: A continuity property of the entropy density for spin lattice systems. Commun.
Math. Phys. 31, 291–294 (1973)
10. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge
University Press (2000)

A Appendix: Proof of Lemma 2

Proof. By Lemma 1, we have

\[ g^{-1}[H_b(\eta\alpha)] \geq \eta\, g^{-1}[H_b(\alpha)] . \tag{57} \]

Note that $g$ is one-to-one and strictly increasing, therefore $g^{-1}$ is also strictly increas-
ing. Therefore, it is enough to prove that

\[ H(\mathbf{z}^{N,P}) \geq H(\mathbf{z}^{0,1}) , \tag{58} \]

as $H(\mathbf{z}^{0,1}) = H_b(\eta\alpha)$ and $H(\mathbf{x}^{N,P}) = H_b(\alpha)$. We first show that

\[ H(\mathbf{z}^{0,P}) \geq H(\mathbf{z}^{0,1}) . \tag{59} \]


Note that
\[ H(\mathbf{z}^{0,P}) = f\big[\alpha, (1-\eta)^P\big] + \alpha H[\mathrm{Bin}(P, \eta)] , \tag{60} \]
where
\[ f(\alpha, x) = -[(1-\alpha) + \alpha x]\log[(1-\alpha) + \alpha x] - (1-x)\,\alpha\log(\alpha) + x\log(x)\,\alpha . \tag{61} \]
It is not difficult to show that $f(\alpha, x)$ is a decreasing function of $x$. Note that $H[\mathrm{Bin}(P,\eta)]$
increases with $P$. Since $H(\mathbf{z}^{0,P})$ is a sum of two functions each of which increases with
$P$, (59) follows.
Next, we show that for all $N, P \geq 0$, we have
\[ H(\mathbf{z}^{N+1,P+1}) \geq H(\mathbf{z}^{N,P}) . \tag{62} \]
Note first that $\mathrm{Bin}(N+1, \eta) = (1-\eta)\,\mathrm{Bin}(N, \eta) + \eta\,\mathrm{Bin}_{+1}(N, \eta)$, where if $X$ has
distribution $\mathrm{Bin}_{+1}(N, \eta)$, then $\Pr\{X = k+1\} = \mathrm{Bin}(N, \eta, k)\ \forall\, k$. This implies that

\[ \mathbf{z}^{N+1,P+1} = (1-\eta)\,\mathbf{z}^{N,P} + \eta\,\mathbf{z}^{N,P}_{+1} , \tag{63} \]

where we define $\mathbf{z}^{N,P}_{+1}$ similarly. Using $H(\mathbf{z}^{N,P}) = H(\mathbf{z}^{N,P}_{+1})$, it is not difficult to show
that
\[
H(\mathbf{z}^{N+1,P+1}) = H(\mathbf{z}^{N,P}) + (1-\eta)\, D\big(\mathbf{z}^{N,P} \,\|\, \mathbf{z}^{N+1,P+1}\big) + \eta\, D\big(\mathbf{z}^{N,P}_{+1} \,\|\, \mathbf{z}^{N+1,P+1}\big) , \tag{64}
\]
where $D(\cdot\|\cdot)$ is the relative entropy that is always non-negative and hence, (62) follows.
Assume w.l.o.g. that $P > N$. Applying (59) repeatedly followed by (62), we get
\[ H(\mathbf{z}^{N,P}) \geq H(\mathbf{z}^{0,P-N}) \geq H(\mathbf{z}^{0,1}) . \tag{65} \]
The result follows.

B Appendix: Proof of Lemma 4

Proof. Let $\mathbf{z} = M_\eta(\mathbf{x})$ and using
\[ \eta\,\frac{dz_i}{d\eta} = i z_i - (i+1) z_{i+1} , \tag{66} \]

we get
\begin{align}
-\eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} &= \eta \sum_{i=0}^{\infty} \frac{dz_i}{d\eta}\,[1 + \log(z_i)] \tag{67} \\
&= \sum_{i=1}^{\infty} i z_i \log\frac{z_i}{z_{i-1}} \tag{68} \\
&\overset{a}{\geq} \sum_{i=1}^{\infty} i z_i \left(1 - \frac{z_{i-1}}{z_i}\right) \tag{69} \\
&= -1 , \tag{70}
\end{align}

where in a, we have used the inequality that $\log(x) \geq 1 - 1/x$ for all $x \geq 0$ with
equality if and only if $x = 1$. If $\mathbf{z}$ is such that $z_i \neq 0\ \forall\, i$, then it is impossible to have
an equality in a since equality would imply $z_{i-1} = z_i\ \forall\, i$ and this would imply that
$\sum_{i=0}^{\infty} z_i$ is unbounded.
If $\mathbf{z}$ has a finite number of nonzero values, say $\mathbf{z} = [z_0, z_1, \ldots, z_{L-1}, 0, \ldots]$, then (70)
can be further tightened as

\[ \eta\,\frac{dH(\eta, \mathbf{x})}{d\eta} \leq 1 - L z_{L-1} . \tag{71} \]

Hence, (44) holds.

We now prove (49) or equivalently

\[ \Theta(\mathbf{z}) = -\sum_{i=1}^{\infty} i z_i \log\frac{z_i}{z_{i-1}} \leq H(\mathbf{z}) . \tag{72} \]

Let us define a sequence of probability distributions $\{\mathbf{z}^{(L)}\}$, $L = 0, 1, \ldots$, where $\mathbf{z}^{(L)}$
has length $L+1$ and $\mathbf{z}^{(L)} = [(1-z_L)\,\mathbf{z}^{(L-1)}, z_L]$ and $\mathbf{z}^{(0)} = [1]$. It is easy to see that
the following recurrence relations hold
\[ \Theta(\mathbf{z}^{(L)}) = (1-z_L)\,\Theta(\mathbf{z}^{(L-1)}) + L z_L \log\left(\frac{1-z_L}{z_L}\, z_{L-1}\right) \tag{73} \]
\[ H(\mathbf{z}^{(L)}) = (1-z_L)\,H(\mathbf{z}^{(L-1)}) + H_b(z_L) . \tag{74} \]

Define
\[ \Xi(\mathbf{z}^{(L)}) \triangleq \Theta(\mathbf{z}^{(L)}) - H(\mathbf{z}^{(L)}) . \tag{75} \]
Using the recurrence relations in (73) and (74), we get
\[ \Xi(\mathbf{z}^{(L)}) = (1-z_L)\,\Xi(\mathbf{z}^{(L-1)}) + L z_L \log\left(\frac{1-z_L}{z_L}\, z_{L-1}\right) - H_b(z_L) . \tag{76} \]

We now claim that

\[ \Xi(\mathbf{z}^{(L)}) \leq L\log(1-z_L) . \tag{77} \]
We prove this by induction. It is easy to check that $\Xi(\mathbf{z}^{(1)}) = \log(1-z_1)$. Let (77)
hold for $L-1$, $L > 1$. Then we have
\begin{align}
\Xi(\mathbf{z}^{(L)}) &= (1-z_L)\,\Xi(\mathbf{z}^{(L-1)}) + L z_L \log\left(\frac{1-z_L}{z_L}\, z_{L-1}\right) - H_b(z_L) \tag{78} \\
&\overset{a}{\leq} (L-1)(1-z_L)\log(1-z_{L-1}) + (L-1)\, z_L \log(z_{L-1}) + L z_L \log\left(\frac{1-z_L}{z_L}\right) - H_b(z_L) \tag{79} \\
&\overset{b}{=} -(L-1)\, d(z_L, z_{L-1}) + L\log(1-z_L) \tag{80} \\
&\leq L\log(1-z_L) , \tag{81}
\end{align}

where in a, we have used the induction hypothesis and the fact that
$z_L \log(z_{L-1}) \leq 0$; in b,
\[ d(x, y) = x\log\frac{x}{y} + (1-x)\log\frac{1-x}{1-y} \tag{82} \]

is the relative entropy between $[x, 1-x]$ and $[y, 1-y]$ and is always nonnegative.
(49) now follows from (77) since $\log(1-z_L) \leq 0$. The equality condition follows
straightforwardly.
Quantum Security Analysis
via Smoothing of Renyi Entropy of Order 2

Masahito Hayashi^{1,2}
¹ Graduate School of Mathematics, Nagoya University
² Centre for Quantum Technologies, National University of Singapore
masahito@math.nagoya-u.ac.jp
http://www.math.nagoya-u.ac.jp/~masahito/index_e.html

Abstract. It is known that the security evaluation can be done by
smoothing of the Rényi entropy of order 2 in the quantum setting when
we apply universal₂ hash functions. This fact can be extended to the
case when we apply ε-almost dual universal₂ hash functions, which is
a generalized concept of universal₂ hash functions. Demonstrating the
smoothing of the Rényi entropy of order 2, we derive security bounds for
the universal composability and mutual information criteria under this con-
dition in the quantum setting.

1 Introduction
Evaluation of secrecy is one of the important topics in classical and quantum in-
formation theory. In order to increase the secrecy, we apply a hash function.
Bennett et al. [4] and Håstad et al. [14] proposed to use universal₂ hash func-
tions for privacy amplification and derived the two universal hashing lemma, which
provides an upper bound for the universal composability based on the Rényi entropy
of order 2. Renner [6] extended their idea to the quantum case and evaluated the
secrecy with universal₂ hash functions based on a quantum version of the conditional
Rényi entropy of order 2.
In order to apply Renner’s two universal hashing lemma to a realistic setting,
Renner [6] attached the smoothing to the min entropy, which is smaller than the
above quantum version of the conditional Rényi entropy of order 2 in the classical
case. That is, he proposed the application of the universal hashing lemma to a state
approximating the true state. In this method, it is not easy to find a suitable
approximating state. Hayashi [11] found such a suitable approximating state in
the sense of the Rényi entropy of order 2. That is, he applied the smoothing to the Rényi
entropy of order 2. Then, he evaluated the universal composability criterion after
universal₂ hash functions based on the Rényi entropy of order 1+s. Since the Rényi entropy
of order 2 gives a tighter security bound than the min entropy, the smoothing for the
Rényi entropy of order 2 yields a better security bound than the min entropy.
Indeed, it has been shown that the method of [11] yields the optimal exponential
decreasing rate in the n-fold independent and identical case.
However, in other cases (the quantum case and the classical case with the mutual
information criterion), no study attached the smoothing to the quantum version

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 128–140, 2013.

© Springer-Verlag Berlin Heidelberg 2013
Quantum Security Analysis via Smoothing of Renyi Entropy of Order 2 129

of conditional Rényi entropy order 2. The purpose of this paper is to attach


the smoothing to the quantum version of conditional Rényi entropy order 2.
and to obtain an evaluation for secret key generation from correlated random
number in two kinds of criteria (universal composability and the modified mutual
information) in the quantum settings. As our result, first, we obtain a lower
bound of the exponential decreasing rate with the quantum i.i.d. settings for
secret key generation when Alice and Bob share the same random number and
Eve has a correlated random number, i.e., the secret key generation without
error correction.
Indeed, the obtained evaluation can be applied to a more general case. Recently,
Tsurumaru et al. [13] proposed the concept of “ε-almost dual universal hash
functions” as a generalization of linear universal hash functions. This concept is
defined for a family of hash functions. On the other hand, Dodis and Smith [7]
proposed the concept of a “δ-biased family” for a family of random variables. The
concept “ε-almost dual universal hash functions” can be converted to a part
of a “δ-biased family” [7,13]. Indeed, Dodis et al. [7] and Fehr et al. [8] showed a
security lemma (Lemma 9 below). Employing this conversion and the above security lemma,
Tsurumaru et al. [13] obtained a variant of the two universal hashing lemma for “ε-
almost dual universal hash functions”. This lemma can be regarded as a kind of
generalization of the two universal hashing lemma by Renner [6]. Therefore, our
evaluation can be applied to the class of “ε-almost dual universal hash functions”,
which is a wider class of hash functions.
The remainder of this paper is organized as follows. In Section 2, we introduce
the information quantities used to evaluate the security and derive several useful
inequalities. We also give a precise definition of the security criteria. In Section 3,
following Tsurumaru et al. [13], we introduce several classes of hash functions
(universal2 hash functions and ε-almost dual universal2 hash functions). We
clarify the relation between ε-almost dual universal2 hash functions and δ-biased
families. We also explain an ε-almost dual universal2 version of Renner’s two
universal hashing lemma [6, Lemma 5.4.3] (Lemma 10) based on the lemma for δ-
biased families given by Dodis et al. [7] and Fehr et al. [8].
In Section 4, we attach the smoothing to the obtained upper bound and obtain
a security upper bound under the universal composability criterion, which is the
main result of this paper. In Section 5, we derive an exponential decreasing rate
when we simply apply hash functions and there is no error between Alice and
Bob. All proofs are omitted and are given in [16]. Further analysis is also
presented in [16].

2 Preparation
2.1 Information Quantities for Single System
In order to discuss the quantum case, we prepare several useful properties of
information quantities in a single quantum system. First, we define the following
quantities:
130 M. Hayashi

$D(\rho\|\sigma) := \mathrm{Tr}\,\rho(\log\rho - \log\sigma)$ (1)

$\psi(s|\rho\|\sigma) := \log \mathrm{Tr}\,\rho^{1+s}\sigma^{-s}$ (2)

$\tilde{\psi}(s|\rho\|\sigma) := \log \mathrm{Tr}\,\rho^{\frac{1+s}{2}}\sigma^{-s/2}\rho^{\frac{1+s}{2}}\sigma^{-s/2}$ (3)

with $s \in \mathbb{R}$. Then, we obtain the following lemma:

Lemma 1. The functions $s \mapsto \psi(s|\rho\|\sigma)$ and $s \mapsto \tilde{\psi}(s|\rho\|\sigma)$ are convex.

For a proof for $\psi(s|\rho\|\sigma)$, see Hayashi [9, Exercise 2.24]. For $\tilde{\psi}(s|\rho\|\sigma)$, see
Hayashi [16].
Since $\lim_{s\to 0} \frac{1}{s}\psi(s|\rho\|\sigma) = D(\rho\|\sigma)$ and $\lim_{s\to 0} \frac{1}{s}\tilde{\psi}(s|\rho\|\sigma) = D(\rho\|\sigma)$, we
obtain the following lemma.

Lemma 2. $\frac{\psi(s|\rho\|\sigma)}{s}$ and $\frac{\tilde{\psi}(s|\rho\|\sigma)}{s}$ are monotone increasing in $s \in \mathbb{R}$. In
particular,

$sD(\rho\|\sigma) \le \psi(s|\rho\|\sigma)$ (4)

$sD(\rho\|\sigma) \le \tilde{\psi}(s|\rho\|\sigma)$ (5)

for $s > 0$.
For any quantum operation $\Lambda$, the information processing inequalities

$D(\Lambda(\rho)\|\Lambda(\sigma)) \le D(\rho\|\sigma), \quad \psi(s|\Lambda(\rho)\|\Lambda(\sigma)) \le \psi(s|\rho\|\sigma)$ (6)

hold for $s \in (0, 1]$ [9, (5.30), (5.41)]. However, this kind of inequality does not hold
for $\tilde{\psi}(s|\rho\|\sigma)$ in general.

2.2 Information Quantities in Composite System

Next, we prepare several information quantities in a composite system $\mathcal{H}_A \otimes \mathcal{H}_E$,
in which $\mathcal{H}_A$ is a classical system spanned by the basis $\{|a\rangle\}$. In the following,
a sub-state $\rho$ is not necessarily normalized and is assumed to satisfy $\mathrm{Tr}\,\rho \le 1$. A
composite sub-state $\rho$ is called a c-q state when it has the form
$\rho = \rho^{A,E} = \sum_a P^A(a)\,|a\rangle\langle a| \otimes \rho^E_a$ with $P^A(a) \ge 0$, in which the conditional state $\rho^E_a$ is
normalized. Then, the von Neumann entropies and Rényi entropies are given as

$H(A, E|\rho^{A,E}) := -\mathrm{Tr}\,\rho^{A,E}\log\rho^{A,E}$

$H(E|\rho^E) := -\mathrm{Tr}\,\rho^E\log\rho^E$

$H_{1+s}(A, E|\rho^{A,E}) := \frac{-1}{s}\log \mathrm{Tr}\,(\rho^{A,E})^{1+s}$

$H_{1+s}(E|\rho^E) := \frac{-1}{s}\log \mathrm{Tr}\,(\rho^E)^{1+s}$

with $s \in \mathbb{R}$. When we focus on the total system of a given density $\rho^{A,E}$ and
the density matrix $\rho$ describes the state on the composite system $\mathcal{H}_A \otimes \mathcal{H}_E$,
$H(A, E|\rho^{A,E})$ and $H_{1+s}(A, E|\rho)$ are simplified to $H(\rho)$ and $H_{1+s}(\rho)$.
A quantum version of the conditional entropy and two kinds of quantum
versions of the conditional Rényi entropy are given for $s \in \mathbb{R}$:

$H(A|E|\rho) := H(A, E|\rho) - H(E|\rho^E)$

$H_{1+s}(A|E|\rho) := \frac{-1}{s}\log \mathrm{Tr}\,\rho^{1+s}\bigl(I_A \otimes (\rho^E)^{-s}\bigr)$

$\tilde{H}_{1+s}(A|E|\rho) := \frac{-1}{s}\log \mathrm{Tr}\,\rho^{\frac{1+s}{2}}\bigl(I_A \otimes (\rho^E)^{-s/2}\bigr)\rho^{\frac{1+s}{2}}\bigl(I_A \otimes (\rho^E)^{-s/2}\bigr).$
s
These quantities can be written in the following way:

$H(A|E|\rho) = \log|A| - D(\rho\|\rho^A_{\mathrm{mix}} \otimes \rho^E)$ (7)

$H_{1+s}(A|E|\rho) = \log|A| - \frac{1}{s}\psi(s|\rho\|\rho^A_{\mathrm{mix}} \otimes \rho^E)$ (8)

$\tilde{H}_{1+s}(A|E|\rho) = \log|A| - \frac{1}{s}\tilde{\psi}(s|\rho\|\rho^A_{\mathrm{mix}} \otimes \rho^E).$ (9)

When we replace $\rho^E$ by another normalized state $\sigma^E$ on $\mathcal{H}_E$, we obtain the
following generalizations:

$H(A|E|\rho\|\sigma^E) := \log|A| - D(\rho\|\rho^A_{\mathrm{mix}} \otimes \sigma^E)$

$H_{1+s}(A|E|\rho\|\sigma^E) := \log|A| - \frac{1}{s}\psi(s|\rho\|\rho^A_{\mathrm{mix}} \otimes \sigma^E)$

$\tilde{H}_{1+s}(A|E|\rho\|\sigma^E) := \log|A| - \frac{1}{s}\tilde{\psi}(s|\rho\|\rho^A_{\mathrm{mix}} \otimes \sigma^E).$

Then, we obtain

$H(A|E|\rho\|\sigma^E) = H(A|E|\rho) + D(\rho^E\|\sigma^E) \ge H(A|E|\rho).$ (10)

Using Lemma 2, we obtain the following lemma.

Lemma 3. $H_{1+s}(A|E|\rho\|\sigma^E)$ and $\tilde{H}_{1+s}(A|E|\rho\|\sigma^E)$ are monotone decreasing
in $s \in \mathbb{R}$. In particular,

$H(A|E|\rho\|\sigma^E) \ge H_{1+s}(A|E|\rho\|\sigma^E),$ (11)

$H(A|E|\rho\|\sigma^E) \ge \tilde{H}_{1+s}(A|E|\rho\|\sigma^E)$ (12)

and

$H_{1+s}(A|E|\rho\|\sigma^E) \le \tilde{H}_{1+s}(A|E|\rho\|\sigma^E)$ (13)

for $s > 0$.

When we apply a quantum operation $\Lambda$ on $\mathcal{H}_E$, since it does not act on the
classical system $A$, (6) implies that

$H(A|E|\Lambda(\rho)\|\Lambda(\sigma^E)) \ge H(A|E|\rho\|\sigma^E)$ (14)

$H_{1+s}(A|E|\Lambda(\rho)\|\Lambda(\sigma^E)) \ge H_{1+s}(A|E|\rho\|\sigma^E).$ (15)

When we apply a function $f$ to the classical random number $a \in A$,
$H(f(A), E|\rho) \le H(A, E|\rho)$, i.e.,

$H(f(A)|E|\rho) \le H(A|E|\rho).$ (16)

For a deeper analysis, we introduce another information quantity $\phi(s|A|E|\rho^{A,E})$:

$\phi(s|A|E|\rho^{A,E}) := \log \mathrm{Tr}_E\,\bigl(\mathrm{Tr}_A\,(\rho^{A,E})^{1/(1-s)}\bigr)^{1-s} = \log \mathrm{Tr}_E\,\Bigl(\sum_a P^A(a)^{1/(1-s)}\,(\rho_a)^{1/(1-s)}\Bigr)^{1-s}.$ (17)

Taking the limit $s \to 0$, we obtain

$\frac{d\phi(s|A|E|\rho^{A,E})}{ds}\Big|_{s=0} = \lim_{s\to 0}\frac{\phi(s|A|E|\rho^{A,E})}{s} = -\bigl(H(E|A|\rho^{A,E}) - H(E|\rho^{A,E}) + H(A|\rho^{A,E})\bigr) = -H(A|E|\rho^{A,E}).$ (18)

Then, we obtain the following lemma:

Lemma 4. The relation

$\max_{\sigma}\, sH_{1+s}(A|E|\rho^{A,E}\|\sigma^E) = -(1+s)\,\phi\bigl(\tfrac{s}{1+s}\big|A|E|\rho^{A,E}\bigr)$ (19)

holds for $s \in (0, \infty)$. The maximum is attained when
$\sigma^E = \bigl(\mathrm{Tr}_A\,(\rho^{A,E})^{1+s}\bigr)^{1/(1+s)} \big/ \mathrm{Tr}_E\,\bigl(\mathrm{Tr}_A\,(\rho^{A,E})^{1+s}\bigr)^{1/(1+s)}$.
For a proof, see Hayashi [16].

2.3 Criteria for Secret Random Numbers


Next, we introduce criteria for quantifying the information leaked to the system $\mathcal{H}_E$.
Using the trace norm, we can evaluate the secrecy of the state $\rho^{A,E}$ as follows:

$d_1(A : E|\rho^{A,E}) := \|\rho^{A,E} - \rho^A \otimes \rho^E\|_1.$ (20)

Taking into account the randomness, Renner [6] defined the following criterion
for the security of a secret random number:

$d_1(A|E|\rho^{A,E}) := \|\rho^{A,E} - \rho^A_{\mathrm{mix}} \otimes \rho^E\|_1,$ (21)

which is called the universal composability.



Renner [6] defined the conditional $L_2$-distance from uniform of $\rho$ relative to a
state $\sigma$ on $\mathcal{H}_E$:

$d_2(A : E|\rho\|\sigma) := \mathrm{Tr}\,\bigl((I \otimes \sigma^{-1/4})(\rho - \rho^A_{\mathrm{mix}} \otimes \rho^E)(I \otimes \sigma^{-1/4})\bigr)^2$

$= \mathrm{Tr}\,\bigl((I \otimes \sigma^{-1/4})\rho(I \otimes \sigma^{-1/4})\bigr)^2 - \frac{1}{|A|}\mathrm{Tr}\,(\sigma^{-1/4}\rho^E\sigma^{-1/4})^2$

$= e^{-\tilde{H}_2(A|E|\rho\|\sigma)} - \frac{1}{|A|}\mathrm{Tr}\,(\sigma^{-1/4}\rho^E\sigma^{-1/4})^2.$

Using this value, we can evaluate $d_1(A : E|\rho)$ as follows [6, Lemma 5.2.3] when
the state $\sigma$ is a normalized state on $\mathcal{H}_E$:

$d_1(A : E|\rho) \le \sqrt{|A|}\,\sqrt{d_2(A : E|\rho\|\sigma)}.$ (22)

3 Ensemble of Hash Functions


3.1 Ensemble of General Hash Functions
In this section, we focus on an ensemble $\{f_X\}$ of hash functions $f_X$ from $A$ to $B$,
where $X$ is a random variable identifying the function $f_X$. In this case, the total
information of Eve's system is written as $(E, X)$. Then, by using
$\rho^{f_X(A),E,X} := \sum_{b,x}\sum_{a \in f_x^{-1}(b)} P^X(x)P^A(a)\,|b\rangle\langle b| \otimes \rho^E_a \otimes |x\rangle\langle x|$,
the universal composability is written as

$d_1(f_X(A)|E, X|\rho^{f_X(A),E,X}) = \|\rho^{f_X(A),E,X} - \rho^B_{\mathrm{mix}} \otimes \rho^{E,X}\|_1$

$= \sum_x P^X(x)\,\|\rho^{f_{X=x}(A),E} - \rho^B_{\mathrm{mix}} \otimes \rho^E\|_1$

$= \mathrm{E}_X\,\|\rho^{f_X(A),E} - \rho^B_{\mathrm{mix}} \otimes \rho^E\|_1.$ (23)

We say that a function ensemble $\mathcal{F}$ is ε-almost universal2 [1,2,13] if, for any
pair of different inputs $a_1, a_2$, the collision probability of their outputs is upper
bounded as

$\Pr[f_X(a_1) = f_X(a_2)] \le \frac{\varepsilon}{|B|}.$ (24)

The parameter $\varepsilon$ appearing in (24) is shown to be confined to the region

$\varepsilon \ge \frac{|A| - |B|}{|A| - 1},$ (25)

and in particular, an ensemble $\{f_X\}$ with $\varepsilon = 1$ is simply called a universal2
function ensemble.
Two important examples of universal2 hash function ensembles are the
Toeplitz matrices (see, e.g., [3]), and multiplications over a finite field (see, e.g.,
[1,4]). A modified form of the Toeplitz matrices is also shown to be universal2 ,
which is given by a concatenation (X, I) of the Toeplitz matrix X and the iden-
tity matrix I [12]. The (modified) Toeplitz matrices are particularly useful in

practice, because there exists an efficient multiplication algorithm using the fast
Fourier transform algorithm with complexity O(n log n) (see, e.g., [5]).
The following lemma holds for any universal2 function ensemble.

Lemma 5 (Renner [6, Lemma 5.4.3]). Given any composite c-q sub-state
$\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and any normalized state $\sigma^E$ on $\mathcal{H}_E$, any universal2 ensemble
of hash functions $f_X$ from $A$ to $\{1, \ldots, M\}$ satisfies

$\mathrm{E}_X\, d_2(f_X(A) : E|\rho^{A,E}\|\sigma^E) \le e^{-\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)}.$ (26)

More precisely, the inequality

$\mathrm{E}_X\, e^{-\tilde{H}_2(f_{C_X}(A)|E|\rho^{A,E}\|\sigma^E)} \le \Bigl(1 - \frac{1}{M}\Bigr)e^{-\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)} + \frac{1}{M}\,e^{\tilde{\psi}(1|\rho^{A,E}\|\sigma^E)}$ (27)

holds.

3.2 Ensemble of Linear Hash Functions


Tsurumaru and Hayashi [13] focused on linear functions over the finite field $\mathbb{F}_2$.
Now, we treat the case of linear functions over a finite field $\mathbb{F}_q$, where $q$ is a
power of a prime number $p$. We assume that the sets $A, B$ are $\mathbb{F}_q^n, \mathbb{F}_q^m$ respectively
with $n \ge m$, and that the $f$ are linear functions over $\mathbb{F}_q$. Note that, in this case, there is
a kernel $C$ corresponding to a given linear function $f$, which is a vector space of
$n - m$ dimensions or more. Conversely, when given a vector subspace $C \subset \mathbb{F}_q^n$ of
$n - m$ dimensions or more, we can always construct a linear function

$f_C : \mathbb{F}_q^n \to \mathbb{F}_q^n / C \cong \mathbb{F}_q^l, \quad l \le m.$ (28)

That is, we can always identify a linear hash function $f_C$ with a code $C$.
When $C_X = \mathrm{Ker}\, f_X$, the definition (24) of an ε-almost universal2 function ensemble
takes the form

$\forall x \in \mathbb{F}_q^n \setminus \{0\}, \quad \Pr[f_X(x) = 0] \le q^{-m}\varepsilon,$ (29)

which is equivalent to

$\forall x \in \mathbb{F}_q^n \setminus \{0\}, \quad \Pr[x \in C_X] \le q^{-m}\varepsilon.$ (30)

This shows that the ensemble of kernels $\{C_X\}$ contains sufficient information for
determining whether a function ensemble $\{f_X\}$ is ε-almost universal2 or not.
For a given ensemble of codes $\{C_X\}$, we define its minimum (respectively, maximum)
dimension as $t_{\min} := \min_X \dim C_X$ (respectively, $t_{\max} := \max_X \dim C_X$).
Then, we say that a linear code ensemble $\{C_X\}$ of minimum (or maximum) dimension
$t$ is an ε-almost universal2 code ensemble if the following condition is
satisfied:

$\forall x \in \mathbb{F}_q^n \setminus \{0\}, \quad \Pr[x \in C_X] \le q^{t-n}\varepsilon.$ (31)

In particular, if $\varepsilon = 1$, we call $\{C_X\}$ a universal2 code ensemble.

3.3 Dual Universality of a Code Ensemble


Based on Tsurumaru and Hayashi[13], we define several variations of the uni-
versality of an ensemble of error-correcting codes and the linear functions as
follows.
First, we define the dual code ensemble $\{C_X\}^\perp$ of a given linear code ensemble
$\{C_X\}$ as the set of all dual codes of $C_X$. That is, $\{C_X\}^\perp = \{C_X^\perp\}$. We also
introduce the notion of dual universality as follows. We say that a code ensemble
$\{C_X\}$ is ε-almost dual universal2 if the dual ensemble $\{C_X\}^\perp$ is ε-almost universal2.
Hence, a linear function ensemble $\{f_X\}$ is ε-almost dual universal2 if the kernels
$C_X$ of $f_X$ form an ε-almost dual universal2 code ensemble.
An explicit example of a dual universal2 function ensemble (with ε = 1)
can be given by the modified Toeplitz matrices mentioned earlier [10], i.e., a
concatenation (X, I) of the Toeplitz matrix X and the identity matrix I. This
example is particularly useful in practice because it is both universal2 and dual
universal2 , and also because there exists an efficient algorithm with complexity
O(n log n).
With these preliminaries, we can present the following theorem as an extension
of [13, Theorem 2] to the case of the finite field Fq :
Theorem 1. Any universal2 linear function ensemble $\{f_X\}$ over the finite field
$\mathbb{F}_q$ is a q-almost dual universal2 function ensemble.
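To make the definitions of Sections 3.1 to 3.3 concrete, the following is an added example (my own Python code, not code from the paper). It enumerates the modified Toeplitz ensemble $(X, I)$ over $\mathbb{F}_2$ that the text names as both universal2 and dual universal2, checks the collision condition (24) with $\varepsilon = 1$ over every pair of distinct inputs, and then checks dual universality by testing, for each nonzero $x$, the probability that $x$ lies in $C_X^\perp$, the row space of $(X, I)$, against the bound $q^{t-n}$ of (31) applied to the dual ensemble (with $t = m$). The toy sizes $n = 5$, $m = 2$ are assumed for illustration; exact rational arithmetic keeps the comparison with the bounds sharp.

```python
from fractions import Fraction
from itertools import product


def toeplitz_matrices(m, k):
    """Yield every m-by-k binary Toeplitz matrix.

    A Toeplitz matrix is constant along each diagonal, so it is fixed by the
    m + k - 1 bits d[0..m+k-2]; entry (i, j) is d[i - j + k - 1].
    """
    for d in product((0, 1), repeat=m + k - 1):
        yield tuple(tuple(d[i - j + k - 1] for j in range(k)) for i in range(m))


def modified_toeplitz(x, m):
    """The concatenation (X, I): an m-by-(k+m) matrix over F_2."""
    return tuple(row + tuple(int(i == j) for j in range(m)) for i, row in enumerate(x))


def modified_toeplitz_ensemble(n, m):
    """All hash functions f_X(a) = (X, I) a from F_2^n to F_2^m, X an m-by-(n-m) Toeplitz matrix."""
    return [modified_toeplitz(x, m) for x in toeplitz_matrices(m, n - m)]


def hash_vector(mat, a):
    """Matrix-vector product over F_2 (addition is XOR)."""
    return tuple(sum(r * v for r, v in zip(row, a)) % 2 for row in mat)


def row_space(mat, n):
    """All F_2-combinations of the rows: the dual code C_X^perp of the kernel C_X = Ker f_X."""
    m = len(mat)
    return {tuple(sum(y[i] * mat[i][j] for i in range(m)) % 2 for j in range(n))
            for y in product((0, 1), repeat=m)}


def max_collision_probability(n, m):
    """Largest Pr[f_X(a1) = f_X(a2)] over all pairs a1 != a2, the quantity bounded in (24)."""
    family = modified_toeplitz_ensemble(n, m)
    vectors = list(product((0, 1), repeat=n))
    worst = Fraction(0)
    for i, a1 in enumerate(vectors):
        for a2 in vectors[i + 1:]:
            hits = sum(hash_vector(f, a1) == hash_vector(f, a2) for f in family)
            worst = max(worst, Fraction(hits, len(family)))
    return worst


def max_dual_membership_probability(n, m):
    """Largest Pr[x in C_X^perp] over nonzero x: condition (31) for the dual ensemble (t = m)."""
    duals = [row_space(f, n) for f in modified_toeplitz_ensemble(n, m)]
    worst = Fraction(0)
    for x in product((0, 1), repeat=n):
        if any(x):
            worst = max(worst, Fraction(sum(x in c for c in duals), len(duals)))
    return worst


if __name__ == "__main__":
    n, m = 5, 2  # assumed toy sizes: 16 Toeplitz matrices, 32 inputs
    print("max collision probability:", max_collision_probability(n, m),
          "bound eps/|B| with eps = 1:", Fraction(1, 2 ** m))
    print("max Pr[x in C_X^perp]:", max_dual_membership_probability(n, m),
          "bound q^(m-n):", Fraction(1, 2 ** (n - m)))
```

Both maxima land exactly on their bounds, which is what universality with $\varepsilon = 1$ means for this ensemble; a kernel-side check of (30) would be the same computation with the null space of $(X, I)$ in place of its row space.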

3.4 Permuted Code Ensemble


In order to treat an example of ε-almost universal2 functions, we consider the
case when the distribution is invariant under permutations of the coordinates of $\mathbb{F}_q^n$.
Now, $S_n$ denotes the symmetric group of degree $n$, and $\sigma(i) = j$ means that
$\sigma \in S_n$ maps $i$ to $j$, where $i, j \in \{1, \ldots, n\}$. The code $\sigma(C)$ is defined by
$\{x_\sigma := (x_{\sigma(1)}, \ldots, x_{\sigma(n)}) \mid x = (x_1, \ldots, x_n) \in C\}$. Then, we introduce the
permuted code ensemble $\{\sigma(C)\}_{\sigma \in S_n}$ of a code $C$. In this ensemble, $\sigma$ obeys the
uniform distribution on $S_n$.
For an element $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$, we can define the empirical distribution
$p_x$ on $\mathbb{F}_q$ as $p_x(a) := \#\{i \mid x_i = a\}/n$. We denote the set of empirical
distributions on $\mathbb{F}_q^n$ by $T_{q,n}$. The cardinality $|T_{q,n}|$ is bounded by $(n+1)^{q-1}$.
Similarly, we define $T_{q,n}^+ := T_{q,n} \setminus \{1_0\}$, where $1_0$ is the deterministic distribution
on $0 \in \mathbb{F}_q$. For a given code $C \subset \mathbb{F}_q^n$, we define

$\varepsilon_p(C) := \frac{q^n\,\#\{x \in C \mid p_x = p\}}{|C|\,\#\{x \in \mathbb{F}_q^n \mid p_x = p\}}$ (32)

and

$\varepsilon(C) := \max_{p \in T_{q,n}^+} \varepsilon_p(C).$ (33)

Then, we obtain the following lemmas, which are generalizations of the lemmas in
[13] to the case of the finite field $\mathbb{F}_q$.

Lemma 6. The permuted code ensemble $\{\sigma(C)\}_{\sigma \in S_n}$ of a code $C$ is $\varepsilon(C)$-almost
universal2.

Proof. For any non-zero element $x \in \mathbb{F}_q^n$, we fix the empirical distribution $p := p_x$.
Then, $x$ belongs to $\sigma(C)$ with probability $\frac{\#\{x \in C \mid p_x = p\}}{\#\{x \in \mathbb{F}_q^n \mid p_x = p\}}$. That is, the
probability that $x$ belongs to $\sigma(C)$ is bounded by $\frac{\varepsilon(C)|C|}{q^n}$.

Lemma 7. For any $t \le n$, there exists a $t$-dimensional code $C \subset \mathbb{F}_q^n$ such that

$\varepsilon(C) < (n+1)^{q-1}.$ (34)

Proof. Let $\{C_X\}_X$ be a universal2 code ensemble. Then, any $p \in T_{q,n}^+$ satisfies
$\mathrm{E}_X\,\varepsilon_p(C_X) \le 1$. The Markov inequality yields

$\Pr\{\varepsilon_p(C_X) \ge |T_{q,n}|\} \le \frac{1}{|T_{q,n}|}$ (35)

and thus

$\Pr\{\exists p \in T_{q,n}^+,\ \varepsilon_p(C_X) \ge |T_{q,n}|\} \le \frac{|T_{q,n}| - 1}{|T_{q,n}|}.$ (36)

Hence,

$\Pr\{\forall p \in T_{q,n}^+,\ \varepsilon_p(C_X) < |T_{q,n}|\} \ge \frac{1}{|T_{q,n}|}.$ (37)

Therefore, there exists a code $C$ satisfying the desired condition (34).
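As an added example for Section 3.4 (my own Python code, not from the paper), the following computes $\varepsilon_p(C)$ and $\varepsilon(C)$ of (32) and (33) for a constructed binary code $C \subset \mathbb{F}_2^4$, enumerates the permuted code ensemble $\{\sigma(C)\}_{\sigma \in S_4}$ exhaustively, and checks the bound of Lemma 6, $\Pr[x \in \sigma(C)] \le \varepsilon(C)|C|/q^n$, against the exact membership probabilities, as well as the inequality (34) for this particular code. The code $C = \mathrm{span}\{(1,1,1,0), (0,1,1,1)\}$ is an assumed toy choice; the functions take $q$ as a parameter but the worked instance is over $\mathbb{F}_2$.

```python
from fractions import Fraction
from itertools import permutations, product

Q = 2  # field size used in the worked instance (q must be prime for the arithmetic below)


def span(generators, n, q=Q):
    """The linear code C generated over F_q by the given vectors."""
    words = {tuple([0] * n)}
    for g in generators:
        words = {tuple((w[i] + c * g[i]) % q for i in range(n)) for w in words for c in range(q)}
    return frozenset(words)


def empirical_type(x, q=Q):
    """The empirical distribution p_x of x, recorded as symbol counts (n * p_x(a) for each a)."""
    return tuple(x.count(a) for a in range(q))


def epsilon_p(code, p, n, q=Q):
    """ε_p(C) of (32): q^n #{x in C | p_x = p} / (|C| #{x in F_q^n | p_x = p})."""
    in_code = sum(1 for c in code if empirical_type(c, q) == p)
    in_space = sum(1 for x in product(range(q), repeat=n) if empirical_type(x, q) == p)
    return Fraction(q ** n * in_code, len(code) * in_space)


def epsilon(code, n, q=Q):
    """ε(C) of (33): the maximum of ε_p(C) over the non-zero types T^+_{q,n}."""
    zero_type = empirical_type((0,) * n, q)
    types = {empirical_type(x, q) for x in product(range(q), repeat=n)} - {zero_type}
    return max(epsilon_p(code, p, n, q) for p in types)


def permuted_ensemble(code, n):
    """{σ(C)}_{σ in S_n}: every coordinate permutation of the code, σ uniform."""
    return [frozenset(tuple(c[s[i]] for i in range(n)) for c in code)
            for s in permutations(range(n))]


def max_membership_probability(code, n, q=Q):
    """Largest Pr[x in σ(C)] over nonzero x, with σ uniform on S_n."""
    ensemble = permuted_ensemble(code, n)
    worst = Fraction(0)
    for x in product(range(q), repeat=n):
        if any(x):
            worst = max(worst, Fraction(sum(x in c for c in ensemble), len(ensemble)))
    return worst


def lemma6_holds(code, n, q=Q):
    """Lemma 6: the permuted ensemble is ε(C)-almost universal2, i.e. Pr[x in σ(C)] <= ε(C)|C|/q^n."""
    return max_membership_probability(code, n, q) <= epsilon(code, n, q) * len(code) / q ** n


# Constructed toy code in F_2^4 (assumed for illustration): {0000, 1110, 0111, 1001}.
EXAMPLE_CODE = span([(1, 1, 1, 0), (0, 1, 1, 1)], 4)

if __name__ == "__main__":
    print("epsilon(C) =", epsilon(EXAMPLE_CODE, 4))
    print("max Pr[x in sigma(C)] =", max_membership_probability(EXAMPLE_CODE, 4))
    print("Lemma 6 bound holds:", lemma6_holds(EXAMPLE_CODE, 4))
    print("(34) holds for this C:", epsilon(EXAMPLE_CODE, 4) < (4 + 1) ** (Q - 1))
```

For this code the worst type is the weight-3 class (two of the four weight-3 words are codewords), giving $\varepsilon(C) = 2$ and a membership probability of exactly $\varepsilon(C)|C|/q^n = 1/2$ for weight-3 $x$, so Lemma 6 is tight here; the proof's observation that $\Pr[x \in \sigma(C)]$ depends on $x$ only through its type is what the enumeration reproduces.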

3.5 δ-Biased Ensemble: Classical Case


Although the contents of this section overlap with Tsurumaru and
Hayashi [13], we explain the relation with the δ-biased ensemble of random variables
$\{W_X\}$, which was introduced by Dodis and Smith [7], because the relation
is rather complicated. For a given $\delta > 0$, an ensemble of random variables $\{W_X\}$
on $\mathbb{F}_q^n$ is called δ-biased when the inequality

$\mathrm{E}_X\bigl(\mathrm{E}_{W_X}(-1)^{x \cdot W_X}\bigr)^2 \le \delta^2$ (38)

holds for any $x \in \mathbb{F}_q^n$.

We denote the random variable subject to the uniform distribution on a code
$C \subset \mathbb{F}_q^n$ by $W_C$. Then,

$\mathrm{E}_{W_C}(-1)^{x \cdot W_C} = \begin{cases} 0 & \text{if } x \notin C^\perp \\ 1 & \text{if } x \in C^\perp. \end{cases}$ (39)

Using the above relation, as is suggested in [7, Case 2], we obtain the following
lemma.

Lemma 8. When the $l$-dimensional code ensemble $\{C_X\}$ is ε-almost dual universal,
the ensemble of random variables $\{W_{C_X}\}$ on $\mathbb{F}_q^n$ is $\sqrt{\varepsilon q^{-m}}$-biased.

In the following, we treat the case of $A = \mathbb{F}_q^n$. Given a composite state $\rho^{A,E}$
on $\mathcal{H}_A \otimes \mathcal{H}_E$ and a distribution $P^W$ on $A$, we define another composite state
$\rho^{A,E} * P^W := \sum_w P^W(w)\sum_a P^A(a)\,|a+w\rangle\langle a+w| \otimes \rho^E_a$. Then, we obtain the
following.

Lemma 9 ([8, Theorem 3.2]). For any c-q sub-state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and
any normalized state $\sigma^E$ on $\mathcal{H}_E$, a δ-biased ensemble of random variables $\{W_X\}$
on $A$ satisfies

$\mathrm{E}_X\, d_2(A : E|\rho^{A,E} * P^{W_X}\|\sigma^E) \le \delta^2 e^{-\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)}.$ (40)

More precisely,

$\mathrm{E}_X\, d_2(A : E|\rho^{A,E} * P^{W_X}\|\sigma^E) \le \delta^2\Bigl(1 - \frac{1}{M}\Bigr)e^{-\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)}.$ (41)

Indeed, applying Lemma 9 to the concept of “ε-almost dual universal”, we obtain
the following lemma.

Lemma 10. Given a c-q sub-state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and a normalized state
$\sigma^E$ on $\mathcal{H}_E$. When $\{C_X\}$ is an $m$-dimensional and ε-almost dual universal2 code
ensemble, the ensemble of hash functions $\{f_{C_X}\}_X$ satisfies

$\mathrm{E}_X\, d_2(f_{C_X}(A) : E|\rho^{A,E}\|\sigma^E) \le \varepsilon\, e^{-\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)}.$ (42)

More precisely,

$\mathrm{E}_X\, e^{-\tilde{H}_2(f_{C_X}(A)|E|\rho^{A,E}\|\sigma^E)} \le \varepsilon\Bigl(1 - \frac{1}{M}\Bigr)e^{-\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)} + \frac{1}{M}\,e^{\tilde{\psi}(1|\rho^{A,E}\|\sigma^E)}.$ (43)

For a proof for the binary case, see Tsurumaru and Hayashi [13], and for the
general case, see Hayashi [16].
Lemma 10 essentially coincides with Lemma 9. However, the concept “δ-
biased” does not concern a family of linear hash functions, whereas the concept
“ε-almost dual universal2” does, because the former is defined for a family of
random variables. That is, the latter is a generalization of universal2 linear hash
functions while the former is not. Hence, Lemma 9 cannot directly provide the
performance of linear hash functions. Lemma 10 gives how small the leaked in-
formation is after privacy amplification by linear hash functions. Therefore,
in the following section, using Lemma 10, we treat the exponential decreasing
rate when we apply privacy amplification by ε-almost dual universal2 linear
hash functions.

4 Security Bounds with Rényi Entropy


Similarly to Renner [6], combining (22) and Lemma 10, we obtain the following
security bound based on the Rényi entropy of order 2. Indeed, Renner [6] showed
the following inequality with ε = 1 when the ensemble of linear hash functions
$\{f_X\}_X$ is universal2.

Lemma 11. Given a normalized state $\sigma$ on $\mathcal{H}_E$ and c-q sub-states $\rho^{A,E}$ and
$\rho'^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$. When an ensemble of linear hash functions $\{f_X\}_X$ from $A$
to $\{1, \ldots, M\}$ is ε-almost dual universal2, we obtain

$\mathrm{E}_X\, d_1(f_X(A) : E|\rho^{A,E}) \le \sqrt{\varepsilon}\,M^{\frac{1}{2}}\,e^{-\frac{1}{2}\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)}$ (44)

$\mathrm{E}_X\, d_1(f_X(A) : E|\rho^{A,E}) \le 2\|\rho^{A,E} - \rho'^{A,E}\|_1 + \sqrt{\varepsilon}\,M^{\frac{1}{2}}\,e^{-\frac{1}{2}\tilde{H}_2(A|E|\rho'^{A,E}\|\sigma^E)}.$ (45)

For a proof, see Hayashi [16].
In order to obtain a better upper bound for $\mathrm{E}_X\, d_1(f_X(A) : E|\rho^{A,E})$, we
have to choose a suitable $\rho'$ in (45). Choosing a suitable state $\rho'$ with the
condition $\|\rho - \rho'\|_1 \le c$ is called smoothing. Renner [6] applies smoothing to the
min-entropy $H_{\min}(A|E|\rho^{A,E}\|\sigma^E) := -\log\bigl\|(I_A \otimes \sigma^E)^{-1/2}\rho^{A,E}(I_A \otimes \sigma^E)^{-1/2}\bigr\|$.
However, $\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)$ is larger than $H_{\min}(A|E|\rho^{A,E}\|\sigma^E)$. Hence, the
smoothing for $\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)$ yields a better bound for $\mathrm{E}_X\, d_1(f_X(A) : E|\rho^{A,E})$
than the smooth min-entropy. In fact, Hayashi [11] applied the smoothing
to $\tilde{H}_2(A|E|\rho^{A,E}\|\sigma^E)$ in the classical case. In the following, applying the
same kind of smoothing to the quantum case, we obtain the following lemma.

Lemma 12. Given any c-q sub-state $\rho^{A,E}$ on $\mathcal{H}_A \otimes \mathcal{H}_E$ and any normalized
state $\sigma^E$ on $\mathcal{H}_E$. When an ensemble of linear hash functions $\{f_X\}_X$ from $A$ to
$\{1, \ldots, M\}$ is ε-almost dual universal2, we obtain

$\mathrm{E}_X\, d_1(f_X(A) : E|\rho^{A,E}) \le (4 + \sqrt{v}\sqrt{\varepsilon})\,M^{s/2}\,e^{-\frac{s}{2}H_{1+s}(A|E|\rho^{A,E}\|\sigma^E)},$ (46)

for $s \in (0, 1]$, where $v$ is the number of eigenvalues of $\sigma$.
Further, the inequalities with ε = 1 hold when the ensemble of linear hash
functions $\{f_X\}_X$ is universal2.
The next step is the choice of a suitable $\sigma^E$. The optimal $\sigma^E$ is given in Lemma
4. Hence, the combination of Lemmas 4 and 12 yields the following lemma.

Lemma 13. Further, when $\rho^{A,E}$ is normalized,

$\mathrm{E}_X\, d_1(f_X(A) : E|\rho^{A,E}) \le (4 + \sqrt{v'}\sqrt{\varepsilon})\,M^{s/2}\,e^{\frac{1+s}{2}\phi\left(\frac{s}{1+s}\middle|A|E|\rho^{A,E}\right)}$ (47)

for $s \in (0, 1]$, where $v'$ is the number of eigenvalues of $\mathrm{Tr}_A\,\rho^{1+s}$.

5 Asymptotic Evaluation
Next, we consider the case when our state is given by the $n$-fold independent
and identical state of $\rho$, i.e., $\rho^{\otimes n}$. In this case, we focus on the optimal generation
rate

$G(\rho^{A,E}) := \sup_{\{(f_n, M_n)\}}\Bigl\{\lim_{n\to\infty}\frac{\log M_n}{n}\ \Big|\ \lim_{n\to\infty} d_1(f_n(A_n) : E_n|(\rho^{A,E})^{\otimes n}) = 0\Bigr\}.$

As is shown in [15,6], this quantity is given by

$G(\rho) = H(A|E|\rho).$ (48)

In order to treat the speed of this convergence, we focus on the exponential
decreasing rate (exponent) of $d_1(f_n(A) : E|\rho^{\otimes n})$ for a given $R$. Due to Lemma
12, when a function ensemble $f_{X_n}$ from $A_n$ to $\{1, \ldots, (e^{nR})\}$ is $\varepsilon(n)$-almost
universal2 and $\varepsilon(n)$ increases at most polynomially,

$\liminf_{n\to\infty}\frac{-1}{n}\log \mathrm{E}_{X_n}\, d_1(f_{X_n}(A_n) : E_n|(\rho^{A,E})^{\otimes n}) \ge e_{\phi,q}(\rho^{A,E}|R),$ (49)

where

$e_{\phi,q}(\rho^{A,E}|R) := \max_{0 \le s \le 1} -\frac{1+s}{2}\,\phi\bigl(\tfrac{s}{1+s}\big|\rho^{A,E}\bigr) - \frac{s}{2}R = \max_{0 \le t \le \frac{1}{2}} -\frac{1}{2(1-t)}\,\phi(t|\rho^{A,E}) - \frac{t}{2(1-t)}R.$

6 Conclusion

We have derived an upper bound of the exponential decreasing rate for the leaked
information under the mutual information criterion and the universal composability
criterion in the quantum case when we apply a family of ε-almost dual universal2 hash
functions for privacy amplification. Although the class of families of ε-almost
dual universal2 hash functions is larger than the class of families of universal2
linear hash functions, our bound is quite similar to the known bounds [11,12].
Hence, the obtained result suggests the possibility of an effective
privacy amplification protocol with smaller complexity than known privacy
amplification protocols.

Acknowledgments. The author is grateful to Dr. Toyohiro Tsurumaru for
helpful comments. He is also grateful to the referee of the first version of [13] for
pointing out the references [7,8]. He is also partially supported by a MEXT Grant-
in-Aid for Young Scientists (A) No. 20686026 and a Grant-in-Aid for Scientific
Research (A) No. 23246071. He is partially supported by the National Institute
of Information and Communication Technology (NICT), Japan. The Centre for
Quantum Technologies is funded by the Singapore Ministry of Education and
the National Research Foundation as part of the Research Centres of Excellence
programme.

References
1. Carter, J.L., Wegman, M.N.: Universal Classes of Hash Functions. J. Comput.
System Sci. 18, 143–154 (1979)
2. Wegman, M.N., Carter, J.L.: New Hash Functions and Their Use in Authentication
and Set Inequality. J. Comput. System Sci. 22, 265–279 (1981)
3. Mansour, Y., Nisan, N., Tiwari, P.: The Computational Complexity of Universal
Hashing. In: STOC 1990, Proceedings of the Twenty-second Annual ACM Sympo-
sium on Theory of Computing, pp. 235–243 (1990)
4. Bennett, C.H., Brassard, G., Crépeau, C., Maurer, U.M.: Generalized privacy am-
plification. IEEE Transactions on Information Theory 41, 1915–1923 (1995)
5. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The Johns Hopkins
University Press (1996)
6. Renner, R.: Security of Quantum Key Distribution. PhD thesis, Dipl. Phys. ETH,
Switzerland, 2005; arXiv:quant-ph/0512258 (2005)
7. Dodis, Y., Smith, A.: Correcting Errors Without Leaking Partial Information. In:
STOC 2005, pp. 654–663 (2005)
8. Fehr, S., Schaffner, C.: Randomness Extraction Via δ-Biased Masking in the Pres-
ence of a Quantum Attacker. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948,
pp. 465–481. Springer, Heidelberg (2008)
9. Hayashi, M.: Quantum Information: An Introduction. Springer (2006)
10. Hayashi, M.: Upper bounds of eavesdropper’s performances in finite-length code
with the decoy method. Physical Review A 76, 012329 (2007); Physical Review A
79, 019901(E) (2009)
11. Hayashi, M.: Tight exponential evaluation for universal composablity with privacy
amplification and its applications. arXiv:1010.1358 (2010)
12. Hayashi, M.: Exponential decreasing rate of leaked information in universal random
privacy amplification. IEEE Transactions on Information Theory 57(6), 3989–4001
(2011)
13. Tsurumaru, T., Hayashi, M.: Dual universality of hash functions and its applica-
tions to quantum cryptography. arXiv:1101.0064 (2011)
14. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A Pseudorandom Generator
from any One-way Function. SIAM J. Comput. 28, 1364 (1999)
15. Devetak, I., Winter, A.: Distillation of secret key and entanglement from quantum
states. Proc. R. Soc. Lond. A, 461, 207–235 (2005)
16. Hayashi, M.: Classical and quantum security analysis via smoothing of Renyi en-
tropy of order 2. arXiv:1202.0322 (2012)
Applying a Generalization
of Schur-Weyl Duality to Problems
in Quantum Information and Estimation

Iman Marvian^{1,2} and Robert W. Spekkens^{1}

^{1} Perimeter Institute for Theoretical Physics, Waterloo, Ontario, Canada
^{2} Institute for Quantum Computing, University of Waterloo, Waterloo, Ontario,
Canada

Abstract. Schur-Weyl duality is a powerful tool in representation theory
which has many applications to quantum information theory. We
provide a generalization of this duality and demonstrate some of its ap-
plications. In particular, we use it to develop a general framework for the
study of a family of quantum estimation problems wherein one is given n
copies of an unknown quantum state according to some prior and the goal
is to estimate certain parameters of the given state. In particular, we are
interested to know whether collective measurements are useful and if so
to find an upper bound on the amount of entanglement which is required
to achieve the optimal estimation. In the case of pure states, we show
that commutativity of the set of observables that define the estimation
problem implies the sufficiency of unentangled measurements.

1 Introduction
Schur-Weyl duality is a very powerful tool in representation theory which has
many applications to quantum information and quantum algorithms (see [1]
and [2] for a review). Here, we present a novel generalization of Schur-Weyl
duality which has an interesting natural physical interpretation. Based on this
generalization, we develop a general framework for the study of a family of
quantum estimation problems. The proof of the results, more examples and
discussions of these results can be found in [3].

2 Preliminaries
Consider the following representation of the unitary group $U(d)$ on $(\mathbb{C}^d)^{\otimes n}$:

$\forall V \in U(d) : \quad Q(V)\,|i_1\rangle \otimes \cdots \otimes |i_n\rangle = V|i_1\rangle \otimes \cdots \otimes V|i_n\rangle$ (1)

For a subgroup $H$ of $U(d)$ we denote the group $\{Q(V) : V \in H\}$ by $Q(H)$
and we call it the collective action of $H$ on $(\mathbb{C}^d)^{\otimes n}$. Consider also the canonical
representation of the symmetric group of degree $n$, $S_n$, on $(\mathbb{C}^d)^{\otimes n}$:

$\forall s \in S_n : \quad P(s)\,|i_1\rangle \otimes \cdots \otimes |i_n\rangle = |i_{s^{-1}(1)}\rangle \otimes \cdots \otimes |i_{s^{-1}(n)}\rangle$ (2)

We denote the group $\{P(s) : s \in S_n\}$ by $P(S_n)$.

K. Iwama, Y. Kawano, and M. Murao (Eds.): TQC 2012, LNCS 7582, pp. 141–152, 2013.

© Springer-Verlag Berlin Heidelberg 2013
142 I. Marvian and R.W. Spekkens

Using these notations we can express Schur-Weyl duality in the following form

Theorem 1. (Schur-Weyl duality) The following two algebras are commutants
of one another in $\mathrm{End}((\mathbb{C}^d)^{\otimes n})$:
1. $\mathrm{Alg}\{Q(U(d))\}$, the complex algebra spanned by $Q(U(d))$.
2. $\mathrm{Alg}\{P(S_n)\}$, the complex algebra spanned by $P(S_n)$.
In other words, the subgroups Q(U(d)) and P(Sn ) are dual reductive pairs in
GL((Cd )⊗n ) [1].
This theorem implies that there is a one-to-one correspondence between the
irreps of the group U(d) which show up in representation Q(U(d)) and the
irreps of the group Sn which show up in representation P(Sn ). Furthermore,
the theorem implies that the action of Q(U(d)) × P(Sn ) is multiplicity-free on
(Cd )⊗n [1].

3 Generalization of Schur-Weyl Duality


For any subgroup $G$ of $U(d)$ let $G'$ denote the centralizer of $G$ in $U(d)$, i.e. the
set of all elements of $U(d)$ which commute with all elements of $G$. Also denote
the centralizer of the centralizer of $G$ by $G'' \equiv (G')'$. Then in general $G \subseteq G''$.
We call a unitary group $G$ a gauge group if $G = G''$.
Equivalently, one can think of a gauge group as the set of all unitaries in
End(Cd ) which commute with a set of operators in End(Cd ). For an algebra
A of operators in End(Cd ) we denote the gauge group formed by all unitaries
which commute with A by GA and call it the gauge group of A. Note that if A
is a finite dimensional von-Neumann algebra, i.e. it is closed under adjoint and
it includes the identity operator, then GA uniquely specifies A in the following
sense: A is exactly the set of all operators in End(Cd ) which commute with GA .
In [3] we present a simple characterization of gauge groups. For instance, in
the case of d = 2 it turns out that the set of all gauge groups can be classified in
the following three types: i) the group $\{e^{i\theta}I : \theta \in (0, 2\pi]\}$ where $I$ is the identity
operator, ii) the group $U(2)$, and iii) the group

$\{e^{i\theta_0}|0\rangle\langle 0| + e^{i\theta_1}|1\rangle\langle 1| : \theta_0, \theta_1 \in (0, 2\pi]\}$

for any arbitrary orthonormal basis $\{|0\rangle, |1\rangle\}$.


Now we present a generalization of Schur-Weyl duality for the case of gauge
groups. We use the following notation in the statement of the theorem: For a
subgroup $H$ of $U(d)$ we denote by $H^{\times n}$ the group $H^{\times n} \equiv \{U_1 \otimes \cdots \otimes U_n : U_i \in H\}$.
Also, let $\langle H^{\times n}, P(S_n)\rangle$ denote the group acting on $(\mathbb{C}^d)^{\otimes n}$ which is
generated by the two groups $H^{\times n}$ and $P(S_n) = \{P(s) : s \in S_n\}$.

Theorem 2. (Generalization of Schur-Weyl duality) Suppose $G$ and $G'$
are one another's centralizers in the group of unitaries $U(d)$. Then the following
two algebras are commutants of one another in $\mathrm{End}((\mathbb{C}^d)^{\otimes n})$:
Applying a Generalization of Schur-Weyl Duality 143

1. $\mathrm{Alg}\{Q(G)\}$, the complex algebra spanned by $Q(G)$.
2. $\mathrm{Alg}\{\langle (G')^{\times n}, P(S_n)\rangle\}$, the complex algebra spanned by $\langle (G')^{\times n}, P(S_n)\rangle$.

In other words, the subgroups $Q(G)$ and $\langle (G')^{\times n}, P(S_n)\rangle$ are dual reductive pairs
in $GL((\mathbb{C}^d)^{\otimes n})$.
This implies that there is a one-to-one correspondence between the irreps of the
group $G$ which show up in the representation $Q(G)$ on $(\mathbb{C}^d)^{\otimes n}$ and the irreps of the
group $\langle (G')^{\times n}, P(S_n)\rangle$ which show up in this space. Furthermore, the theorem
implies that the representation of $Q(G) \times \langle (G')^{\times n}, P(S_n)\rangle$ is multiplicity-free on
$(\mathbb{C}^d)^{\otimes n}$. Note that in the specific case of $G = U(d)$ this theorem reduces to the
standard form of Schur-Weyl duality, i.e. Theorem 1.

3.1 Duality within the Symmetric and Antisymmetric Subspaces


In the special case where the support of the operators is restricted to the symmetric
or antisymmetric subspace of $(\mathbb{C}^d)^{\otimes n}$, Theorem 2 has an interesting
corollary. Let $\Pi_\pm$ be the projector onto $((\mathbb{C}^d)^{\otimes n})_\pm$, the symmetric (respectively
antisymmetric) subspace of $(\mathbb{C}^d)^{\otimes n}$. Then one can prove that

Theorem 3. Suppose $G$ and $G'$ are one another's centralizers in the group of
unitaries $U(d)$. Then the following two algebras are the commutants of one another
in $\mathrm{End}(((\mathbb{C}^d)^{\otimes n})_\pm)$:

1. $\mathrm{Alg}\{\Pi_\pm Q(G)\Pi_\pm\}$, the complex algebra spanned by $\Pi_\pm Q(G)\Pi_\pm$.
2. $\mathrm{Alg}\{\Pi_\pm Q(G')\Pi_\pm\}$, the complex algebra spanned by $\Pi_\pm Q(G')\Pi_\pm$.

In other words, $\Pi_\pm Q(G)\Pi_\pm$ and $\Pi_\pm Q(G')\Pi_\pm$ are dual reductive pairs in
$GL(((\mathbb{C}^d)^{\otimes n})_\pm)$.
Applying theorem 3 for GA the gauge group of a von Neumann algebra A one
can show that for any given operator Π± M Π± which commutes with Q(GA )
there is an operator M̃± in the permutationally invariant subalgebra of A⊗n
such that
Π± M̃± Π± = Π± M Π± .
However, this argument is not constructive and for a given M it is not clear
how we can find such an operator M̃± with this property. In the following the-
orem, we introduce a completely positive unital super-operator which does this
transformation.
Theorem 4. Let $G_A \subseteq U(d)$ be the gauge group of a von Neumann algebra
$A \subseteq \mathrm{End}(\mathbb{C}^d)$. Then there exists a super-operator $L_\pm$ from $\mathrm{End}((\mathbb{C}^d)^{\otimes n})$ to itself
such that i) $L_\pm$ is unital and completely positive, ii) the image of $L_\pm$ is in the
permutationally invariant subalgebra of $A^{\otimes n}$ and iii) if $\Pi_\pm M\Pi_\pm$ commutes with
$Q(G_A)$ then $\Pi_\pm L_\pm(M)\Pi_\pm = \Pi_\pm M\Pi_\pm$. An instance of such a super-operator
is given by

$L_\pm(\cdot) \equiv \Phi_\pm(\cdot) + \mathrm{tr}(\cdot)\,\frac{I^{\otimes n} - \Phi_\pm(I^{\otimes n})}{d^n}$ (3)

with

$\Phi_\pm(\cdot) \equiv \sum_\mu p_{\mu,\pm}^{-1}\,P_\mu\bigl[T_{G_A}^{\otimes n}(\Pi_\pm(\cdot)\Pi_\pm)\bigr]P_\mu$ (4)

where $\mu$ labels all the irreps of $G_A$ which show up in the representation $Q(G_A)$,
$P_\mu$ is the projector onto the subspace of $(\mathbb{C}^d)^{\otimes n}$ associated to irrep $\mu$,
$p_{\mu,\pm} \equiv \mathrm{tr}\bigl(P_\mu T_{G_A}^{\otimes n}(\Pi_\pm)\bigr)$, and the summation in Eq. (4) is over all the irreps $\mu$ for which
$p_\mu$ is nonzero.

In the next section we present a very interesting consequence of this result.

4 Promoting Global Symmetry to a Local Symmetry

For an arbitrary operator $M \in \mathrm{End}((\mathbb{C}^d)^{\otimes n})$ we say that $M$ has global symmetry
with respect to the subgroup $H$ of $U(d)$ if it is invariant under the collective
action of $H$, i.e.,

$\forall V \in H : \quad V^{\otimes n} M\, V^{\dagger\,\otimes n} = M.$ (5)

In other words, $M$ has global symmetry with respect to $H$ iff $M \in \mathrm{Comm}\{Q(H)\}$.
Similarly, we say that $M$ has local symmetry with respect to $H$ if it is invariant
under the local action of $H$, i.e.,

$\forall V \in H \text{ and } \forall k : 0 \le k \le n-1, \quad (I^{\otimes k} \otimes V \otimes I^{\otimes(n-k-1)})\,M\,(I^{\otimes k} \otimes V^\dagger \otimes I^{\otimes(n-k-1)}) = M.$ (6)

In other words, $M$ has local symmetry with respect to $H$ iff $M \in \mathrm{Comm}(H^{\times n})$.


Note that any operator which has local symmetry with respect to H automat-
ically also has global symmetry with respect to H but the converse implication
does not necessarily hold. Indeed, generally the condition of local symmetry is
much stronger than that of global symmetry.
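As an added illustration (not part of the original paper) of the two claims in the paragraph above, written in terms of Eq. (5) and Eq. (6): the collective action factors into the local ones, which gives the implication, and the swap operator on two systems shows that the converse fails.

$$V^{\otimes n} \;=\; \prod_{k=0}^{n-1}\Big(I^{\otimes k}\otimes V\otimes I^{\otimes(n-k-1)}\Big),$$
so if $M$ satisfies Eq. (6) for every $k$, conjugating $M$ by these factors one at a time leaves it unchanged, and Eq. (5) follows: local symmetry implies global symmetry. For the converse, take $n = 2$, $H = U(d)$ and $M = \mathrm{SWAP}$, the operator with $\mathrm{SWAP}\,(A\otimes B) = (B\otimes A)\,\mathrm{SWAP}$ for all $A, B \in \mathrm{End}(\mathbb{C}^d)$. Then
$$(V\otimes V)\,\mathrm{SWAP}\,(V\otimes V)^\dagger \;=\; (V\otimes V)(V^\dagger\otimes V^\dagger)\,\mathrm{SWAP} \;=\; \mathrm{SWAP},$$
so $\mathrm{SWAP}\in\mathrm{Comm}\{Q(U(d))\}$ (this is the $n=2$ instance of $P(S_n)\subseteq\mathrm{Comm}\{Q(U(d))\}$ used in Section 6), whereas for $k=0$ in Eq. (6)
$$(V\otimes I)\,\mathrm{SWAP}\,(V^\dagger\otimes I) \;=\; (V\otimes I)(I\otimes V^\dagger)\,\mathrm{SWAP} \;=\; (V\otimes V^\dagger)\,\mathrm{SWAP},$$
which equals $\mathrm{SWAP}$ only if $V\otimes V^\dagger = I\otimes I$, i.e. $V\propto I$. Hence $\mathrm{SWAP}\notin\mathrm{Comm}(U(d)^{\times 2})$: it has global but not local symmetry.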
The most general type of measurement that can be performed on a quantum system can be described by a POVM (positive operator-valued measure) (see e.g. [5,6]). Consider a POVM $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$. Here, $\Omega$ denotes the space of outcomes of the measurement. This is a measure space equipped with a $\sigma$-algebra of subsets, denoted by $\sigma(\Omega)$. The elements of the $\sigma$-algebra are subsets of $\Omega$, where $B \subseteq \Omega$ corresponds to the event that the outcome of the measurement is an element of $B$.
We say a POVM M : σ(Ω) → End (Cd )⊗n has global/local symmetry
with respect to the group H ⊆ U(d) if for any B ∈ σ(Ω), the operator M (B)
has global/local symmetry with respect to H, i.e. it satisfies Eq.(5) or Eq.(6)
respectively. Again, typically the local symmetry condition on a measurement
is a much more restrictive condition. In particular, it turns out that the local
symmetry of a measurement with respect to a non-trivial group can put an
upper bound on the amount of entanglement or interactions which are required
to implement it (see [3]). In fact, one can show
Applying a Generalization of Schur-Weyl Duality 145

Proposition 1. (Commutative Algebras) Let $G_A$ be the gauge group of the commutative von Neumann algebra $A \subseteq \mathrm{End}(\mathbb{C}^d)$. Then any measurement on $(\mathbb{C}^d)^{\otimes n}$ which has local symmetry with respect to $G_A$ can be realized by measuring a set of observables which generate $A$ on each system individually followed by a classical processing of the outcomes.
Therefore to implement a measurement which has local symmetry with respect
to the gauge group GA of a commutative algebra A one does not need any
entanglement or adaptive measurement.
In the following corollary we see how in the case of gauge symmetries using
the generalization of Schur-Weyl duality and in particular theorem 4, one can
promote global symmetry of a measurement to a local symmetry (for states
whose support is restricted to the symmetric or anti-symmetric subspace).
Corollary 1. (Symmetry of Measurements) Let $G_A$ be the gauge group of a von Neumann algebra $A \subseteq \mathrm{End}(\mathbb{C}^d)$. Then for any POVM $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$ which has global symmetry with respect to $G_A$ there is a POVM with local symmetry with respect to $G_A$ (i.e. $\tilde{M} : \sigma(\Omega) \to A^{\otimes n}$) which has exactly the same statistics for all states whose supports are confined to the symmetric (anti-symmetric) subspace. In particular, one can choose $\tilde{M}_\pm = L_\pm(M)$ where $L_\pm$ is the super-operator defined in theorem 4.
In other words, if the assumptions of this theorem hold we can promote a global
symmetry of measurement to a local symmetry.
Since the locally symmetric measurements typically are a much smaller class of
measurements, this technique will be particularly useful in quantum estimation
problems where one seeks to find the measurement that optimizes some figure
of merit.
Note that for any given measurement with global symmetry $G_A$ there are many other measurements which will have exactly the same statistics on all states whose supports are restricted to the symmetric/anti-symmetric subspaces. These measurements may require different amounts of entanglement to be implemented. The advantage of finding a measurement with local symmetry with respect to $G_A$ in this set of equivalent measurements is that one can easily put an upper bound on the amount of entanglement which is required to implement it. In particular, note that the combination of proposition 1 and corollary 1 implies that if a measurement has global symmetry with respect to $G_A$, the gauge group of a commutative algebra $A$, then among all possible measurements which can simulate this measurement on states with support in the symmetric/anti-symmetric subspace there is one which does not need any entanglement to be realized.
In the next section we see how this result is particularly useful in the study
of multi-copy estimation problems.

5 Multi-copy Estimation Problems

We start with a simple example of a multi-copy estimation problem.

5.1 Example
A very simple example of a multi-copy estimation problem is the one considered
by Hayashi et al. [4]. A pure state in Cd is chosen uniformly according to the
Haar measure, and n copies of the state are prepared. The goal is to estimate the
expectation value of an observable A for the state. Hayashi et al. have shown
that for a squared-error figure of merit, the optimal estimation scheme is to
simply measure the observable A separately on each system and then perform a
classical processing on the data gathered in these measurements.
Our generalization of Schur-Weyl duality can be used to provide a very el-
ementary proof of this result. It can also be used to simplify the solution of
estimation problems that are much more complicated, as we shall show.

5.2 General Framework

We begin by setting up a general framework for such problems.
Suppose Alice randomly chooses a state $\rho$ from the density operators in $\mathrm{End}(\mathbb{C}^d)$ according to the probability density function $p$ and then prepares $n$ copies of this state and sends them to Bob through an ideal quantum channel.¹ Here, the density $p$ is defined relative to $d\rho$, a reference measure on the space of mixed states which is invariant under unitary transformations.² Bob's goal is to
estimate some parameter(s) of state ρ. So upon receiving n systems he performs
a measurement and generates some outcome in the outcome space Ω where Ω
is a measure space, i.e. a set equipped with a σ-algebra σ(Ω) of subsets. The
elements of the σ-algebra are subsets of Ω, where B ⊆ Ω corresponds to the
event that Bob’s measurement outcome is an element of B. The outcome space
Ω can be continuous (in the case of general estimation problems) or discrete (in
the case of decision problems).
In an arbitrary estimation strategy, Bob measures the n systems he has
received and possibly does some post-processing on the outcome, ultimately
generating an output in the set Ω. The entire strategy, which combines the mea-
surement and the data processing, can be described by a POVM M : σ(Ω) →
End((Cd )⊗n ).
Therefore, the most general figure of merit which evaluates the performance of different strategies in an estimation problem is a function which assigns real numbers to all POVMs $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$. Equivalently, in the case of the multi-copy estimation problems we are considering here, the most general figure of merit can be described as a real functional which acts on the two-variable function
$$q_M(B\,|\,\rho) = \mathrm{tr}\big(M(B)\,\rho^{\otimes n}\big),$$
the conditional probability that, using the strategy described by POVM $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$, the event $B \in \sigma(\Omega)$ happens given that Alice has chosen the state $\rho \in \mathrm{supp}(p)$ and has sent state $\rho^{\otimes n}$ to Bob (here, $\mathrm{supp}(p)$ denotes the support of the distribution $p$).

¹ In [3] we present a generalization of this scenario where the channel in the middle can be noisy.
² For example we can use the measure induced by the Hilbert-Schmidt inner product defined in [7].
This describes the most general figure of merit one can define for the multi-
copy estimation problems we are considering here. However, in the particular
cases where for example the goal is to estimate some parameter of ρ, say the
expectation value of some observable for state ρ, one might use a figure of merit
which only depends on the conditional probability of outcomes for different val-
ues of that parameter. Here, we think of the parameter as a random variable
defined as a function of the state Alice chooses each time (The state is random
and so any function of the state can be thought of as a random variable). Let
s : supp(p) → R be an arbitrary function from states in supp(p) to real numbers.
Then this function will map the random state ρ chosen by Alice to a random
real variable S = s(ρ). Then if Bob’s goal is to estimate the value of parameter
s(ρ) for the state ρ which Alice has chosen each time (or to make a decision
based on the value of this parameter) a reasonable family of figures of merit to
evaluate Bob’s performance can be expressed as functionals of
qM (B|S ∈ Δ),
where Δ is an interval of R. This is the conditional probability that, using the
strategy described by POVM M : σ(Ω) → End((Cd )⊗n ), event B happens given
that the value of the random variable S is in Δ.
On the other hand, one can imagine situations where, for example, the cost for wrong estimation of a parameter $S$ depends not only on the estimated value of $S$ and its actual value but also on the value of some other parameter, say $S'$, where $S'$ is the random variable induced by the function $s' : \mathrm{supp}(p) \to \mathbb{R}$ acting on the random state Alice chooses. For instance, one may imagine situations where the cost of wrong estimation of a parameter $S$ depends also on the energy of the state, $\mathrm{tr}(\rho H)$, where $H$ is the Hamiltonian. So in this case $s'(X) = \mathrm{tr}(XH)$ defines a relevant parameter to evaluate the performance of the estimation procedure.
In general, let $\vec{s}(\cdot) = \big(s^{(1)}(\cdot), \cdots, s^{(l)}(\cdot)\big)$ be a set of functions where each $s^{(i)}(\cdot)$ is a function from $\mathrm{supp}(p)$ to $\mathbb{R}$. Then based on the set of functions $\vec{s}(\cdot) = \big(s^{(1)}(\cdot), \cdots, s^{(l)}(\cdot)\big)$ we can define a set of random variables $\vec{S} = \big(S^{(1)}, \cdots, S^{(l)}\big)$ where the random variable $S^{(i)}$ is $s^{(i)}(\rho)$ where $\rho$ is the random state Alice has chosen at each round. So a general figure of merit can be expressed as a functional of
$$q_M\big(B\,\big|\,\vec{S} \in \vec{\Delta}\big),$$
where $\vec{\Delta}$ is an $l$-dimensional interval of $\mathbb{R}^l$. This is the conditional probability that with Bob's strategy described by POVM $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$ event $B$ happens given that the values of the random variables $\vec{S}$ are in $\vec{\Delta}$.

The other reason to consider $q_M(B\,|\,\vec{S} \in \vec{\Delta})$ for more than one parameter $S^{(i)}$ is to study the cases where Bob is interested in estimating more than one parameter of the state.
Note that by having a larger number of parameters $l$ we can describe more and more general types of figures of merit. In general, if $d$ is the dimension of $\mathbb{C}^d$ then the set of all (normalized) density operators can be specified by $d^2 - 1$ parameters. So having $l = d^2 - 1$ parameters is sufficient to specify the exact density operator Alice has chosen each time, and so $l = d^2 - 1$ parameters are sufficient to describe the most general form of figures of merit one can imagine for this problem (one can think of matrix elements of a density operator in a particular basis as different parameters). However, generally, having a figure of merit which can be defined using fewer than $d^2 - 1$ parameters makes it easier to find the optimal estimation procedure.

Fig. 1. The multi-copy estimation problem (see below)
To summarize, in the multi-copy estimation problem we are considering here, $q_M(B\,|\,\rho)$ has the maximal information required to evaluate the figure of merit of the strategy described by the POVM $M$. In other words, if for two different strategies described by POVMs $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$ and $M' : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$ it holds that
$$q_M(B\,|\,\rho) = q_{M'}(B\,|\,\rho) \qquad (7)$$
for all $B \in \sigma(\Omega)$ and $\rho \in \mathrm{supp}(p)$ then they will have exactly the same performance in the estimation problem with respect to any figure of merit. On the other hand, $q_M(B\,|\,\vec{S} \in \vec{\Delta})$ has generally less information, i.e. it can be obtained by a coarse-graining of $q_M(B\,|\,\rho)$ but not typically vice versa. However, for many reasonable figures of merit one does not need to specify $q_M(B\,|\,\rho)$ to specify the figure of merit of the measurement $M$; it is sufficient to specify $q_M(B\,|\,\vec{S} \in \vec{\Delta})$. If this is the case, then even if Eq. (7) doesn't hold, as long as the weaker constraint
$$q_M\big(B\,\big|\,\vec{S} \in \vec{\Delta}\big) = q_{M'}\big(B\,\big|\,\vec{S} \in \vec{\Delta}\big) \qquad (8)$$
holds for all $B \in \sigma(\Omega)$ and for all $l$-dimensional intervals $\vec{\Delta}$ which are assigned nonzero probability, then the two strategies yield the same performance for the figure of merit of interest (see Fig. 1). Eq. (8) states that learning the outcome of measurement $M$ is precisely as informative about the parameter $\vec{S}$ as learning the outcome of measurement $M'$.
We now present our main results (the proofs are presented in [3]).
Theorem 5. Let $A \subseteq \mathrm{End}(\mathbb{C}^d)$ be a von Neumann algebra, and let $G_A$ be the gauge group associated with it. Then assuming that:

1. The prior $p$ has support only on the pure states and
2. The prior $p$ and the vector of parameters $\vec{s}$ have the gauge group $G_A$ as a symmetry, i.e.
$$\forall \rho \in \mathrm{supp}(p),\ \forall V \in G_A:\quad p(\rho) = p\big(V\rho V^\dagger\big), \quad \text{and} \quad \vec{s}(\rho) = \vec{s}\big(V\rho V^\dagger\big),$$

then for any given measurement with POVM $M : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$, there is another measurement with POVM $M' : \sigma(\Omega) \to \mathrm{End}\big((\mathbb{C}^d)^{\otimes n}\big)$ whose image is entirely confined to $A^{\otimes n}$ (i.e., $M' : \sigma(\Omega) \to A^{\otimes n}$), such that $M'$ is as informative about $\vec{S}$ as $M$ is, i.e.,
$$q_M\big(B\,\big|\,\vec{S} \in \vec{\Delta}\big) = q_{M'}\big(B\,\big|\,\vec{S} \in \vec{\Delta}\big) \qquad (9)$$
for all $B \in \sigma(\Omega)$ and all $l$-dimensional intervals $\vec{\Delta}$ which are assigned nonzero probability.

An instance of the measurement described in theorem 5 is $M' \equiv L_+(M)$, where $L_+$ is the unital super-operator defined in theorem 4. In [3] we present a generalization of this result to a family of priors which are nonzero on mixed states.
We now make explicit what our main theorem implies for multi-copy estimation problems.

Corollary 2. If the figure of merit for a strategy $M$ in the $n$-copy estimation problem can be expressed as a functional of $q_M(B\,|\,\vec{S} \in \vec{\Delta})$ for some set of parameters $\vec{s}$, then if the assumptions of theorem 5 hold for an algebra $A$, it follows that the POVM elements of the optimal measurement can be chosen to be in $A^{\otimes n}$.

Corollary 2 implies that the optimal measurement has the gauge group GA as a
local symmetry. Then, in the special case wherein the algebra A is commutative,
by proposition 1, it follows that the optimal measurement can be implemented
by measuring a set of observables which generates A separately on each of the
n systems and then performing a classical processing on the outcomes.
This result can be applied to the example we considered in section 5.1: The
figure of merit of the problem, i.e. the mean squared error of the estimation of
the value of tr(ρA), can be expressed as a functional of q(B|tr(ρA)) (see [3] for
more discussion). So by defining the algebra A to be the algebra generated by the

identity and the operator $A$, we can easily see that the prior which is uniform according to the Haar measure and the parameter $s(\rho) \equiv \mathrm{tr}(\rho A)$ satisfy the conditions of theorem 5. Therefore, from the above result we can immediately infer that the optimal estimation can be achieved by measuring the operator $A$ individually on each system and then performing a classical processing on the outcomes of these measurements. But we also know that this is true under much more general conditions: the prior need not be the Haar measure and the figure of merit need not be the mean squared error, as long as they satisfy the conditions of theorem 5. For example, the figure of merit could be the mutual information between the estimated values of the parameter and its actual values, or it could be the expected cost for an arbitrary cost function that depends only on $A$ [3]. For all of these cases, the figure of merit for an estimation strategy $M$ is a functional of $q_M(B\,|\,S \in \Delta)$ and so from the above results we know that the optimal estimation can be realized by measuring the observable $A$ individually on each copy and then performing a classical processing on the outcomes of these measurements.
Given that the class of estimation problems for which our results apply is
very large, they represent a dramatic expansion, relative to previously known
results, in the scope of problems for which we can easily determine the optimal
measurement. Furthermore, in previous results where independent measurements
on each copy were shown to be optimal, such as Ref. [4], the reasoning was
rather ad hoc. It was not clear what feature of the estimation problem implied
the sufficiency of such measurements. By contrast, our approach follows a clear
methodology – we are determining the consequences of the gauge symmetries
of the estimation problem. Our results establish a sufficient condition for the optimality of independent measurements, i.e. the lack of any need for adaptive or entangled measurements. It is that the set of single-copy observables that are needed to define the estimation problem form a commutative set. In a slogan, the commutativity of the observables defining the estimation problem implies the adequacy of independent measurements.

5.3 Example: Decision Problem for a Single Qubit


Suppose we are given $n$ copies of a qubit state $\rho$, a density operator in $\mathrm{End}(\mathbb{C}^2)$. For $b \in \{0, 1\}$, define
$$|\psi(\theta, b)\rangle \equiv \cos\frac{\alpha_b}{2}\,|0\rangle + e^{i\theta}\sin\frac{\alpha_b}{2}\,|1\rangle$$
where $\alpha_0$ and $\alpha_1$ are distinct angles in the range $[0, \pi)$ and where $\theta \in [0, 2\pi)$.
Assume the single-copy prior p(ρ) is as follows: the state is drawn from the
set {|ψ(θ, b)} where θ is uniformly distributed over [0, 2π) and b has uniform
distribution over {0, 1}. The goal is to get information about the value of the bit
b using n copies of state given according to this single-copy prior (this example
is a decision problem). For instance, one might be interested to determine the
value of the bit b with minimum probability of error. In general, we assume the
goal is to generate an outcome in the outcome set Ω with σ-algebra σ(Ω) and

the performance of different strategies is evaluated by a figure of merit which can be expressed as a functional acting on $q(B\,|\,b = b_0)$, i.e., the probability of event $B \in \sigma(\Omega)$ while the value of $b$ is $b_0 \in \{0, 1\}$. In this case, the parameter to be estimated is defined by
$$s\big(|\psi(\theta, b)\rangle\langle\psi(\theta, b)|\big) = b.$$

Adopting the convention that $|0\rangle$ and $|1\rangle$ are eigenstates of the Pauli observable $\sigma_z$, it is clear that the prior $p$ and the parameter to be estimated, $s$, are both invariant under unitaries of the form $e^{i\phi} e^{i\phi'\sigma_z}$ where $\phi, \phi' \in [0, 2\pi)$, which describe phase shifts or rotations about the axis $\hat{z}$. As we have seen in section 3 this group is a gauge group. The algebra that corresponds to the commutant of this gauge group is $A = \mathrm{Alg}\{\sigma_z, I\}$. Finally, since the figure of merit depends only on $q(B\,|\,b = b_0)$ the assumptions of corollary 2 are satisfied (note that since $s(|\psi(\theta, b)\rangle\langle\psi(\theta, b)|) = b$, $b$ can be thought of as the random variable defined by the parameter $s$ acting on states). Therefore, we can infer that to achieve the optimal estimation, it suffices to consider POVMs inside the algebra $A^{\otimes n}$ and since $A$ is commutative, it suffices to measure $\sigma_z$ on each system individually. In other words, all the information we can get from the state $|\psi(\theta, b)\rangle^{\otimes n}$ about the value of $b$ we can also get from the mixed state $\big[\cos^2\tfrac{\alpha_b}{2}\,|0\rangle\langle 0| + \sin^2\tfrac{\alpha_b}{2}\,|1\rangle\langle 1|\big]^{\otimes n}$, the $\sigma_z$-dephased single-copy state raised to the $n$-th tensor power.
Note, however, that if one acquires some information about $\theta$, then this information can be useful for estimating $b$: in the extreme case where we know the exact value of $\theta$, we can perform the Helstrom measurement [11] for distinguishing the two pure states $|\psi(\theta, 0)\rangle^{\otimes n}$ and $|\psi(\theta, 1)\rangle^{\otimes n}$. So one estimation strategy is to use some of the qubits to estimate $\theta$ and then use this information to choose an optimal measurement for estimating $b$ using the rest of the qubits. But our result shows that by this strategy one cannot get more information than what one gets by ignoring $\theta$ and measuring $\sigma_z$ on individual systems. [Note that this result also implies that to get information about $\theta$ from each system we necessarily disturb its information about $b$. This can be interpreted as an example of an information-disturbance tradeoff.]
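The following numerical check is an added example and is not code from the paper or its authors. It builds, in pure Python, the n-copy states of this decision problem averaged over the unknown phase θ (which is what the figure of merit q(B|b = b_0) actually sees), verifies that for both values of b they are diagonal in the Dicke (Hamming-weight) basis with binomial weights Bin(k; n, sin²(α_b/2)), and from that computes the minimum error probability of the "measure σ_z on every copy and count" strategy alongside the Helstrom error one would obtain if θ were known exactly. The angles α_0 = π/3, α_1 = 2π/3 and n = 3 are constructed inputs, and all helper names are this example's own.

```python
"""Added example (not from the paper): numerical check of the Sec. 5.3 claim.

Constructed inputs alpha_0 = pi/3, alpha_1 = 2pi/3.  We build the theta-averaged
n-copy states rho_bar_b = (1/2pi) int dtheta (|psi(theta,b)><psi(theta,b)|)^{(x)n}
and show they are diagonal in the Dicke basis with binomial weights, so the
Helstrom measurement for b is the Hamming-weight measurement realized by
measuring sigma_z on each copy.
"""
import cmath
import math
from itertools import product

# Constructed inputs (assumption, not taken from the paper).
ALPHA0, ALPHA1 = math.pi / 3, 2 * math.pi / 3


def psi_amplitudes(theta, alpha, n):
    """Computational-basis amplitudes of |psi(theta,b)>^{(x)n} for angle alpha_b."""
    c, s = math.cos(alpha / 2), math.sin(alpha / 2)
    amps = []
    for bits in product((0, 1), repeat=n):
        k = sum(bits)  # Hamming weight of the basis string
        amps.append(c ** (n - k) * s ** k * cmath.exp(1j * theta * k))
    return amps


def averaged_state(alpha, n):
    """Theta average of |psi><psi|^{(x)n}.  Only phases exp(i theta m) with
    |m| <= n occur, so a uniform grid of n+1 points averages them exactly."""
    dim, grid = 2 ** n, n + 1
    rho = [[0j] * dim for _ in range(dim)]
    for j in range(grid):
        a = psi_amplitudes(2 * math.pi * j / grid, alpha, n)
        for x in range(dim):
            for y in range(dim):
                rho[x][y] += a[x] * a[y].conjugate() / grid
    return rho


def dicke_diagonal_state(alpha, n):
    """sum_k Bin(k; n, sin^2(alpha/2)) |D_k><D_k| in the computational basis:
    entry (x, y) is c^{2(n-k)} s^{2k} when |x| = |y| = k and 0 otherwise."""
    c2, s2 = math.cos(alpha / 2) ** 2, math.sin(alpha / 2) ** 2
    dim = 2 ** n
    rho = [[0j] * dim for _ in range(dim)]
    for x in range(dim):
        for y in range(dim):
            kx, ky = bin(x).count("1"), bin(y).count("1")
            if kx == ky:
                rho[x][y] = c2 ** (n - kx) * s2 ** kx
    return rho


def max_abs_diff(a, b):
    """Largest entrywise difference between two square matrices."""
    dim = len(a)
    return max(abs(a[x][y] - b[x][y]) for x in range(dim) for y in range(dim))


def sigma_z_strategy_error(alpha0, alpha1, n):
    """Minimum error probability (uniform prior on b) when sigma_z is measured on
    every copy and b is guessed by maximum likelihood from the number k of '1'
    outcomes.  Since rho_bar_0 and rho_bar_1 are both diagonal in the Dicke
    basis with these binomial weights, this is also their Helstrom error."""
    p0, p1 = math.sin(alpha0 / 2) ** 2, math.sin(alpha1 / 2) ** 2
    err = 0.0
    for k in range(n + 1):
        q0 = math.comb(n, k) * p0 ** k * (1 - p0) ** (n - k)
        q1 = math.comb(n, k) * p1 ** k * (1 - p1) ** (n - k)
        err += 0.5 * min(q0, q1)
    return err


def known_theta_helstrom_error(alpha0, alpha1, n):
    """Helstrom error for the pure states |psi(theta,0)>^{(x)n} and
    |psi(theta,1)>^{(x)n} when theta is known; their overlap
    cos((alpha0 - alpha1)/2) does not depend on theta."""
    overlap = math.cos((alpha0 - alpha1) / 2)
    return 0.5 * (1 - math.sqrt(1 - overlap ** (2 * n)))


def run_check(n=3):
    """Structural check plus both error probabilities for n copies."""
    deviation = max(max_abs_diff(averaged_state(a, n), dicke_diagonal_state(a, n))
                    for a in (ALPHA0, ALPHA1))
    return {
        "max_deviation_from_dicke_diagonal": deviation,
        "sigma_z_error": sigma_z_strategy_error(ALPHA0, ALPHA1, n),
        "known_theta_error": known_theta_helstrom_error(ALPHA0, ALPHA1, n),
    }


if __name__ == "__main__":
    print(run_check(3))
```

Because ρ̄_0 and ρ̄_1 commute (both are diagonal in the Dicke basis), the Helstrom measurement that distinguishes them is the Hamming-weight projective measurement, which counting σ_z outcomes on the n copies realizes without any entangling operation; the dephased product state [cos²(α_b/2)|0⟩⟨0| + sin²(α_b/2)|1⟩⟨1|]^{⊗n} induces the same weight distribution, which is the sense in which it carries all the information about b. The known-θ error is strictly smaller, matching the remark above that information about θ is useful only if one already has it.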

6 Other Applications
This generalization of Schur-Weyl duality can have other applications in quan-
tum information. Here, we just point out one of these applications in finding
noiseless subsystems.
Suppose one is going to send quantum information through a noisy qubit
channel, where the noise is described by a unitary that is sampled at random, but
wherein the same unitary acts on each qubit. This happens when, for example,
the noise varies slowly compared to the interval between the qubits as they
pass down the channel (or that it varies little on the distance scale between the
qubits in the case of a quantum memory), in which case one can assume that
the same random unitary is applied to all n qubits. Then it turns out that, due
to the symmetry of the noise, it is possible to encode classical and quantum
information in the n qubit system in such a way that it remains unaffected by

the noise [8,9,10]. To see this, note that under these assumptions, the noise is
described by the group Q(U(2)). Any state in the commutant of Q(U(2)) is
invariant under the noise. Furthermore, any state in the span of P(Sn ) has this
property as well. Now using Schur-Weyl duality one can conclude that the span
of P(Sn ) is equal to the commutant of Q(U(2)) and therefore every state which
is unaffected by this type of noise is in the span of P(Sn ).
In a more general model, the system sent through the channel may have other degrees of freedom which can potentially be used to send quantum information. In other words, the Hilbert space describing each particle sent through the channel is not $\mathbb{C}^2$ but $\mathbb{C}^2 \otimes \mathcal{H}$, where the finite dimensional Hilbert space $\mathcal{H}$ describes another degree of freedom which is invariant under the noise in the channel. Clearly, in this case, one cannot use the usual form of Schur-Weyl duality to find the noiseless subsystems. But, as we have explained in [3], our generalization of Schur-Weyl duality can be used to specify these subsystems.

References
1. Goodman, R., Wallach, N.R.: Representations and Invariants of the Classical Groups. Cambridge University Press (1998)
2. Harrow, A.: Applications of coherent classical communication and the Schur transform to quantum information theory. PhD thesis, MIT (2005), arXiv:quant-ph/0512255
3. Marvian, I., Spekkens, R.W.: A generalization of Schur-Weyl duality with applications in quantum estimation. arXiv:1112.0638
4. Hayashi, A., Horibe, M., Hashimoto, T.: Phys. Rev. A 73, 062322 (2006)
5. Holevo, A.: Probabilistic and Statistical Aspects of Quantum Theory. Scuola Normale Superiore, Monographs (2011)
6. Chiribella, G.: Optimal estimation of quantum signals in the presence of symmetry. PhD thesis, University of Pavia, Pavia, Italy (2006)
7. Zyczkowski, K., Sommers, H.J.: J. Phys. A 34, 7111–7125 (2001), arXiv:quant-ph/0012101
8. Zanardi, P., Rasetti, M.: Phys. Rev. Lett. 79, 3306 (1997); Zanardi, P.: Phys. Rev. A 63, 012301 (2000)
9. Knill, E., et al.: Phys. Rev. Lett. 84, 2525 (2000); Kempe, J., et al.: Phys. Rev. A 63, 042307 (2001)
10. Bartlett, S.D., Rudolph, T., Spekkens, R.W.: Phys. Rev. Lett. 91, 027901 (2003)
11. Helstrom, C.W.: Quantum Detection and Estimation Theory. Academic Press (1976)
Author Index

Ambainis, Andris 87
Bačkurs, Artūrs 87
Bouman, Niek J. 29
Brassard, Gilles 65
Das, Smarajit 116
Ekert, Artur 98
Fehr, Serge 29
González-Guillén, Carlos 29
Hall, Michael J.W. 98
Hayashi, Masahito 128
Javelle, Jérôme 1
Kaplan, Marc 65
Kay, Alastair 98
Kerenidis, Iordanis 13
Koh, Dax Enshan 98
Lim, Charles Ci Wen 107
Marvian, Iman 141
Mhalla, Mehdi 1
Molina, Abel 45
Muthukrishnan, Siddharth 116
Nahimovs, Nikolajs 87
Ozols, Raitis 87
Perdrix, Simon 1
Pironio, Stefano 107
Pope, James E. 98
Rivosh, Alexander 87
Rosgen, Bill 74
Scarani, Valerio 98
Schaffner, Christian 29
Setiawan 98
Sharma, Naresh 116
Spekkens, Robert W. 141
Vidick, Thomas 45
Watrous, John 45
Woodhead, Erik 107
Zhang, Shengyu 13