Embed Size (px)
Citation preview
Robust protocols for securely expanding randomness anddistributing keys using untrusted quantum devices
Carl A. Miller and Yaoyun Shi
Department of Electrical Engineering and Computer ScienceUniversity of Michigan, Ann Arbor, MI 48109, USA
carlmi,[email protected]
Abstract
Randomness is a vital resource for modern day information processing, especially for cryptog-raphy. A wide range of applications critically rely on abundant, high quality random numbersgenerated securely. Here we show how to expand a random seed at an exponential rate withouttrusting the underlying quantum devices. Our approach is secure against the most general ad-versaries, and has the following new features: cryptographic quality output security, toleratinga constant level of implementation imprecision, requiring only a unit size quantum memoryper device component for the honest implementation, and allowing a large natural class ofconstructions. In conjunct with a recent work by Chung, Shi and Wu (QIP 2014), it also leads torobust unbounded expansion using just 2 multi-part devices. When adapted for distributingcryptographic keys, our method achieves, for the first time, exponential expansion combinedwith cryptographic security and noise tolerance. The proof proceeds by showing that the Rényidivergence of the outputs of the protocol (for a specific bounding operator) decreases linearlyas the protocol iterates. At the heart of the proof are a new uncertainty principle on quantummeasurements, and a method for simulating trusted measurements with untrusted devices.
Contents
1 Background and Summary of Results 1
2 Central Concepts and Proofs 10
3 Further directions 15
A Organization of Appendix 17
B Notation and Definitions 17B.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17B.2 Untrusted Quantum Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18B.3 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
C Mathematical Preliminaries 20
D Quantum Rényi Entropies 21
E An Uncertainty Principle 24
F The Self-Testing Property of Binary Nonlocal XOR Games 27F.1 Definitions and Basic Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27F.2 Decomposition Theorems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
G Randomness Expansion with Partially Trusted Measurements 35G.1 Devices with Trusted Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35G.2 Devices with Partially Trusted Measurements . . . . . . . . . . . . . . . . . . . . . . . 35G.3 Entanglement with a Partially Trusted Measurement Device . . . . . . . . . . . . . . 36G.4 Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
H The Proof of Security for Partially Trusted Devices 39H.1 One-Shot Result: A Device with Known Failure Parameters . . . . . . . . . . . . . . 40H.2 One-Shot Result: Full Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43H.3 Multi-Shot Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43H.4 The Security of Protocol A’ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
I Randomness Expansion from an Untrusted Device 47I.1 The Trust Coefficient of a Strong Self-Test . . . . . . . . . . . . . . . . . . . . . . . . . 47I.2 The Security of Protocol R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48I.3 Example: The GHZ game . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
J Unbounded expansion 51
K Untrusted-device quantum key distribution 54K.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54K.2 The protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54K.3 Error rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55K.4 Efficient Information Reconciliation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58K.5 Proof for Corollary 1.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
1 Background and Summary of Results
The problem and its motivations. Randomness is an indispensable resource for modern dayinformation processing. Without randomness, there would be no fast randomized algorithms,accurate statistical scientific simulations, fair gaming, or secure cryptography. A wide range ofapplications rely on methods for generating randomness with high quality and in a large quantity.Consider, for example, all the computers and handheld devices that connect to the Internet usingpublic key cryptography like RSA and DSA for authentication and encryption, and that use secretkey cryptography for secure connections. It is probably conservative to estimate that the numberof random bits used each day for cryptography is in the order of trillions.
While randomness seems to be abundant in everyday life, its efficient and secure generationis a difficult problem. A typical random number generator such as the /dev/random/ generatorin Linux kernel, would start with random “seeds”, including the thermal noise of the hardware(e.g. from Intel’s Ivy Bridge processors), system boot time in nanoseconds, user inputs, etc., andapply a deterministic function to produce required random bits. Those methods suffer from atleast three fundamental vulnerabilities.
The first is due to the fact that no deterministic procedure can increase randomness. Thuswhen there is not enough randomness to start with, the output randomness is not sufficient toguarantee security. In particular, if the internal state of the pseudorandom generator is correctlyguessed or is exposed for other reasons, the output would become completely predictable to theadversary. The peril of the lack of entropy has been demonstrated repeatedly [28, 46, 29], moststrikingly by Heninger et al. [29]. They were able to break the DSA secret keys of over 1% of theSSH hosts that they scanned on the Internet, by exploiting the insufficient randomness used togenerate the keys.
The second vulnerability is that the security of current pseudorandom generators are notonly based on unproven assumptions, such as the hardness of factoring the product of two largeprimes, but also assume that their adversaries have limited computational capability. Therefore,they will fail necessarily if the hardness assumptions turn out to be completely false, or the ad-versaries gain dramatic increase in computational power, such as through developing quantumcomputers.
Finally, all those methods rely on trusting the correctness and truthfulness of the generator.The dynamics of market economy leads to a small number of vendors supplying the hardware forrandom number generation. The demand for platform compatibility results in a small number ofgenerating methods. Thus the risk of the generators containing exploitable vulnerabilities or secretbackdoors is necessarily significant. Recent evidence suggest that this is in fact the reality [40].Thus for users demanding highest level of security with the minimum amount of trust, no currentsolution is satisfactory.
Quantum mechanics postulates true randomness, thus provides a promising approach for mit-igating those drawbacks. Applying a sequence of quantum operations can increase entropy evenwhen the operations are applied deterministically, as some quantum operations are inherentlyunpredictable. Indeed, commercial random number generators based on quantum technologyhave started to emerge (e.g. by ID Quantique SA). Furthermore, the randomness produced can beunconditionally secure, i.e. without assumptions on the computational power of the adversary.
However, as classical beings, users of quantum random number generators can not be certainthat the quantum device — the quantum state inside and the quantum operations applied — isrunning according to the specification. How can a classical user ensure that a possibly maliciousquantum device is working properly?
Special relativity and non-local games provide such a possibility. Consider, for example, the
1
x y z
D1 D2 D3
a b c
Figure 1: A three-part device playing the GHZ game. Each part D1, D2, and D3, re-ceives a single bit and outputs a single bit. The input (x, y, z) is drawn uniformly from(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0). The device wins if a ⊕ b ⊕ c = x ∨ y ∨ z. No communica-tion among the parts is allowed when the game starts. An optimal classical strategy is for eachpart to output 1, winning with 3/4 probability. An optimal quantum strategy is for the three partsto share the GHZ state 1√
2(|000〉+ |111〉), and for each part to measure σx on input 0, and measure
σy on input 1. This strategy wins with certainty.
celebrated GHZ game [23] illustrated in Fig. (1). It is now known [34, 35] that any quantumstrategy achieving close to the optimal quantum winning probability must be very close to theoptimal strategy itself. Consequently, the output of each component is near perfectly random.Intuitively, one needs only to run the game multiple times (using some initial randomness tochoose the input string for each round) and if the observed winning average is close to the optimalquantum winning probability, then the output should be sufficiently random. Therefore, the truston the quantum device can now be replaced by the (classically verifiable) condition of spatialseparation of the different components. The security of the protocol would eventually rest onspecial relativity, in addition to quantum mechanics. Note that for any cryptographic protocol tobe secure, it is necessary to assume that the components involved cannot communicate with theadversary. Thus throughout the paper we make this assumption on the untrusted device(s) in use.Since intra-device communications involve different pairs of components, we treat its restrictiona separate item for enforcement or trust. Special relativity provides a classically verifiable methodfor enforcing such a restriction. It may not be necessary as there are potentially other alternativesfor achieving this goal, or may not be feasible if the duration of no-communication is too long forthe distance to be practical.
Colbeck and Kent [11, 12] formulated the above framework for untrusted-device randomnessexpansion. Turning the intuition into rigorous proofs turns out to be rather challenging. Classicalsecurity was proved in [41, 22, 42]. While useful, classical security does not guard against quan-tum adversaries, thus is inadequate as quantum computation is becoming a reality. Furthermore,an expansion protocol without quantum security cannot be safely composed with other quan-tum protocols. Vazirani and Vidick [54] were the first to prove quantum security. Furthermore,their protocol expands randomness exponentially. Coudron, Vidick, and Yuen [14] broadened theVazirani-Vidick protocol to allow much more flexibility for the underlying non-local game, butunfortunately they only proved classical security.
To put this in a larger context, the thread of untrusted-device randomness expansion is part ofthe broader area of untrusted-device, or “device-independent,” quantum cryptography. This areawas pioneered by Mayers and Yao [33]. It was also developed in parallel by other researchers,such as Barrett, Hardy and Kent [5], from the perspective of non-locality with inspirations fromEkert [21]. It has now become an important and intensively studied paradigm for understanding
2
the power and limitations of quantum cryptography when the underlying quantum devices areimperfect or even malicious. This area includes two tasks related to randomness expansion. Thefirst is randomness amplification [13], where one wants to obtain near-perfect randomness from aweak random source using untrusted quantum devices (and without any additional randomness).Whereas the current paper focuses on randomness expansion, a companion paper by Chung, Shi(one of us), and Wu studies the amplification problem [10]. The second related task is untrusted-device quantum key distribution (e.g. [53]), where two parties attempt to establish a secure secret keyusing untrusted devices and openly accessible classical communication.
Overview of our results. In this work, we analyze a simple exponentially expanding untrusted-device randomness expansion protocol (referred to as the one-shot protocol). We prove that itsoutput has exponentially (in the input length) small errors, and is secure against the most generalquantum adversaries. More importantly, the protocol accomplishes all of the following additionalfeatures, none of which has been accomplished by previous works.
The first is cryptographic security in the output.1 The error parameters are not only exponentiallysmall in the input length, but are also negligible (i.e. smaller than any inverse polynomial function)in the running time of the protocol (which is asymptotically the number of uses of the device.)This is precisely the condition that the output is suitable for cryptographic applications — thechance for an adversary to tell the difference of using the protocol output from using the idealuniform distribution is negligible as measured against the amount of resource used for runningthe protocol.
Secondly, the protocol is robust, i.e. tolerating a constant level of “noise”, or implementationimprecision. Thus any honest implementation that performs below the optimal level by a smallconstant amount on average will still pass our test with overwhelming probability. For example,we show that any device which wins the GHZ game with probability at least 0.985 will achieveexponential randomness expansion with probability approaching 1. We model noise as the aver-age deviation of a device interaction from an ideal implementation. This “black-box” noise modeldoes not refer to the inner-working of the devices thus is fairly general. This robustness featureenables simplest — e.g. without adding fault-tolerant overhead — practical implementation, thusis desirable especially at this moment of time when even small scale accurate quantum infor-mation processing is still being developed. When fault-tolerant quantum computing techniquesbecome mature, it is conceivable that non-robust protocols will become practical. However, whenthe number of use of a device is not pre-determined, such as in an unbounded expansion to bediscussed below, one cannot set the target error threshold for the fault-tolerant implementation.A robust protocol then remains indispensable.
Third, our protocol requires only a constant size quantum memory for an honest implementation.In between two rounds of interactions, the different components of the device are allowed tointeract arbitrarily. Thus an honest device could establish its entanglement on the fly, and needsonly to maintain the entanglement (with only a constant level of fidelity) for the duration of asingle game. Given the challenge of maintaining coherent quantum states, this feature greatlyreduces implementation complexity.2
Fourth, relying on a powerful observation of Chung, Shi and Wu [10], what they call the Equiv-alence Lemma, we show that one can sequentially compose instances of our one-shot protocol,alternating between two untrusted devices and achieve unbounded length expansion starting with
1We thank Kai-Min Chung and Xiaodi Wu for pointing out this feature of our result.2We note that the small quantum memory requirement can be alternatively achieved by introducing an additional
device component that is required to function as an entanglement creation and distribution component and cannotreceive information from other device components. This model would require a communication restriction throughoutthe protocol. Our protocol, in comparison, have much less, in fact minimal, requirement in communication restrictions.
3
a fixed length seed. The additively accumulating error parameters remain almost identical to theone-shot errors, since they decrease geometrically.
Finally, our protocol allows a large natural class of games to be used. The class consists of allbinary XOR games — games whose inputs and outputs are binary and whose scoring function de-pends on the inputs and the XOR of the outputs — that are strongly self-testing. The latter propertysays that any strategy that is ε-close to optimal in its winning probability must be O(
√ε) close
to a unique optimal strategy in its both its state and its measurements. (We call this “stronglyself-testing” because this error relationship is the best possible.) The class of strong self-tests in-cludes the CHSH game and the GHZ game, two commonly used games in quantum information.Broadening the class of usable games has the benefit of enabling greater design space, as differ-ent implementation technologies may favor different games. For example, the highly accuratetopological quantum computing approach using Majorana fermions is known not to be quantumuniversal [38]. In particular, Deng and Duan [19] showed that for randomness expansion usingMajorana fermions, three qubits are required. Our proof allows the use of Majorana fermions forrandomness expansion through the GHZ game.
We include two applications of our expansion protocols. Our one-shot protocol can be usedas a building block in the Chung-Shi-Wu protocol for randomness amplification. In addition,composing their amplification protocol and our concatenated expansion protocol gives a robust,untrusted-device quantum protocol that converts an arbitrary weak random source into near-perfect output randomness of an arbitrary large length. This composed protocol is rapid andsecure even against quantum attack. It opens the possibility for unconditionally secure cryptog-raphy with the minimum trust on the randomness source and the implementing device.
The second application is to adapt our protocol for untrusted-device quantum key distribu-tions, resulting in a robust and secure protocol that at the same time exponentially expands theinput randomness.
Related works. Prior to our work, the Vazirani-Vidick randomness expansion protocol [54] isthe first and only work achieving simultaneous exponential expansion and quantum security.However, as far as we know from their analysis, the protocol achieves only inverse polynomialsecurity, thus is not appropriate for cryptographic applications. It is not noise-tolerant, requiringthat as the number of games grows, each strategy played by an honest device must approachrapidly to the optimal quantum strategy. It also requires a growing amount of quantum memoryas the output length grows. Those drawbacks limit the practical feasibility of the protocol.
Parallel work on unbounded expansion was done in [15] by Coudron and Yuen3. While weindependently proved that robust unbounded expansion is possible with log∗(N) devices, [15]was the first to claim that (non-robust) unbounded expansion is possible with a constant numberof devices. When we heard of their result, we realized that we also had the means to do thesame, with fewer devices and also the added merit of robustness. (This was based on a resultfrom our independent work in [10], which implies general security for cross-feeding protocols.See Remark 1.8.)
The Vazirani-Vidick protocol for untrusted-device key distribution [53] can be used as a ran-domness expansion protocol with a linear rate of expansion. One could easily use ingredients fromthe same authors’ expansion protocol [54] to reduce the length of the initial randomness used. It isnot clear though if the analysis can be correspondingly strengthened to apply to such an extension.Similarly, as presented and analyzed the protocol does not allow inter-component communicationin-between rounds. It is not clear (when used as a linear expansion protocol) whether their analy-
3This work is not to be confused with the earlier paper by Coudron, Vidick, and Yuen [14] which dealt with classicalsecurity of randomness expansion.
4
sis can be strengthened to allow some in-between-round communications.Distributing cryptographic keys is a foundational primitive for modern day cryptography. Un-
conditional secure quantum protocols for key distributions [6, 21, 32, 31, 8, 47] are among themost powerful applications of quantum information processing. Untrusted-device quantum keydistribution was also the original motivating problem that ushered the area of untrusted-devicequantum cryptography [33, 5], and has been studied by many authors. Most results achieving fullsecurity require a linear number of (non-communicating) devices. Notable exceptions are [3, 44],which, however, suffer from the drawback of weak security parameters, efficiency, and not toler-ating noise. Vazrani and Vidick [53] resolved all those problems at once, achieving full security,robustness, and linear key rate (measured against the running time of the protocol), using one(two-part) untrusted devices (see [53] for a more comprehensive review of the literature.) Ourresult matches those features of [53] with the additional merit of starting with a short (e.g. poly-logarithmic) seed, and our security proof follows a fundamentally different approach.
In an earlier work [35], the present authors characterized the class of all binary XOR games thatare strong self-tests. The characterization is used critically in the current work. While the Vazirani-Vidick protocol for key distribution protocol uses a specific game, the analysis remains valid fora much broader class of games, such as those "randomness generating" games defined in [14], aspointed out to us by Vidick [55]. Since all strong self-testing binary XOR games are randomnessgenerating, the class of games allowed for untrusted-device key distribution is broader in [53]than ours. The class of games allowed in [54] require more special properties and the class ofgames allowed there appear to be incomparable with ours. Note that it is not clear if this lattercomparison is meaningful as our protocol achieves several additional features not in [54].
Noise model. We now move to more technical discussions, starting with the noise model. Differ-ent implementation approaches may have their own appropriate model of noise. In this work asin [10], we model noise in a “black-box” manner, quantifying noise in terms of deviations of theimplementation from an ideal implementation. More specifically, fix two implementations Π andΠ, run on the same input state ρ. Consider the two stochastic processes of input-output pairs
H := 〈(X0, Y0), (X1, Y1), · · · , (XT, YT)〉 and H := 〈(X0, Y0), (X1, Y1), · · · , (XT, YT)〉.
The deviation of Π from Π on ρ, ∆ρ(Π, Π), is a random variable defined on the sample space of H.For h = 〈(xi, yi)〉0≤i≤T, let hi = 〈(xj, yj)〉0≤j≤i. Define
∆ρ(Π, Π | h) = 1T + 1
T
∑i=0‖(Xi, Yi)|hi−1 − (Xi, Yi)|hi−1‖1.
Definition 1.1. Let η ∈ [0, 2]. An implementation Π of a untrusted device protocol is said to have a noiselevel η with respect to another implementation Π on an input set S if on any ρ ∈ S , ∆ρ(Π, Π) ≤ η.
Note that out model includes two types of (possibly adaptive) errors (and convex combinationsof them): that each non-local game is played with a (sufficiently small) constant below the optimalquantum winning probability and that a (sufficiently small) constant fraction of the games areplayed arbitrarily while others are played optimally. Our definition facilitates the application ofAzuma-Hoeffding inequality in establishing our noise-tolerance results.
The one-shot protocol and technical statements of results. Our main protocol (Figure 2) is essen-tially the same as the one used in the classical security results of Coudron, Vidick, and Yuen [14](which is in turn closely related to that of Vazirani-Vidick). The main differences in our versionof the protocol are the class of games used, and most importantly, the allowance of in-between-rounds quantum communications. The games we use involve n parties, with n ≥ 2. Such a game
5
is played by a single device, which consists of n components, where each component has a classicalinput/output interface.4 For any nonlocal game G, let wG denote the highest probability withwhich a quantum strategy can win the game, and let fG = 1−wG denote the smallest possiblefailure probability that can be achieved by a quantum strategy.
Arguments:N : a positive integer (the output length.)η : A real ∈ (0, 1
2 ). (The error tolerance.)q : A real ∈ (0, 1). (The test probability.)
G : An n-player nonlocal game that is astrong self-test [35].
D : An untrusted device (with n compo-nents) that can play G repeatedly andcannot receive any additional infor-mation. In a single use the differentcomponents cannot communicate; inbetween uses, there is no restriction.
D1 D2 Dn
g
result
A diagram of Protocol R. The dotted red lines de-note in-between-round communications.
Protocol R:
1. A bit g ∈ 0, 1 is chosen according to a biased (1− q, q) distribution.2. If g = 1 (“game round”), then an input string is chosen at random from 0, 1n (according
a probability distribution specified by G) and given to D. Depending on the outputs, a“P”(pass) or an “F” (fail) is recorded according to the rules of the game G.
3. If g = 0 (“generation round”), then the input string 00 . . . 0 is given to the device, and theoutput of the first component D1 is determined. If the output of the first component is 0, theevent H (“heads”) is recorded; otherwise the event T (“tails”) is recorded.
4. Steps 1− 3 are repeated N − 1 (more) times.5. If the total number of failures exceeds (1−wG + η) qN, the protocol aborts. Otherwise, the
protocol succeeds. If the protocol succeeds, the output consists of an N-length sequencefrom the alphabet P, F, H, T representing the outcomes of each round.
Figure 2: The Central Protocol R
To produce near perfect random output, we need to apply quantum-proof randomness extrac-tors to the outputs of protocol R. Those are deterministic functions Ext(X, S) on two arguments, Xbeing the source, which in this case is the output of the protocol, and S being the perfectly randomseed. It is known that there are quantum-proof randomness extractors Ext(X, S) that will convertany N bits X that have min-entropy Ω(N) to near perfect output randomness of length Θ(N).
Here are some quantities that describe important properties of a randomness expansion pro-tocol. Let y ≥ 0. We call a normalized classical-quantum state y-ideal if it has ≥ y conditionalmin-entropy. Let εs, εc, λ be reals in [0, 1]. A randomness expansion protocol is said to have a
4We note that the literature on this subject has some differences in terminology. Some authors would use the word“device” in the way that we have used the word “component.”
6
yield of y extractible bits with a soundness error εs if for any device D, the accepting portion of thefinal state is always within trace distance εs of a subnormalized y-ideal state. It is said to have acompleteness error εc if there exists an implementation, referred to as the “ideal” implementation,so that for any implementation within λ-deviation from the ideal, the probability of aborting is al-ways ≤ εc. If both the soundness and the completeness errors are ≤ ε, we simply say the protocolhas an error ε.
Our main result is the following.
Theorem 1.2 (Main Theorem). For any n-player strong self-test G, and any δ > 0, there exist positiveconstants q0, η0, K, b, such that the following hold when Protocol R is executed with parameters q ≤ q0,η ≤ η0.
1. (Soundness.) The yield is at least (1− δ)N extractable bits with a soundness error εs = K exp(−bqN).
2. (Completeness.) For any constant η′, 0 < η′ < η, the protocol tolerates η′/n noise level with acompleteness error εc = exp(−(η − η′)2qN/3).
The difficult part of this result is the soundness claim, which follows from the results ofsection I in the appendix (see Corollary I.6). The completeness claim follows from the Azuma-Hoeffding inequality, and is proved in Remark K.6.
Note that the bits g1, . . . , gN can be generated by O(Nh(q)) uniformly random bits with an er-ror exp(−Ω(qN)), where h denotes the Shannon entropy function. Therefore, when q is chosen tobe small, the protocol needs only ω(log N) initial bits and one device to achieve Ω(N) extractablebits with negligible error.
Corollary 1.3 (One-shot Min-entropy Expansion). For any real ω ∈ (0, 1), setting q = Θ(kω/2k1−ω)
in Theorem 1.2, Protocol R converts any k uniform bits to 2k1−ωextractable bits with exp(−Ω(kω)) sound-
ness and completeness errors.
To obtain near perfect random bits, we apply a quantum-proof strong randomness extractor,in particular one that extracts a source of a linear amount of conditional quantum min-entropy.The parameters of our protocols depend critically on the seed length of such extractors, thus weintroduce the following definition.
Definition 1.4 (Seed Length Index). We call a real ν a seed length index if there exists a quantum-proofstrong extractor extracting Θ(N) bits from a (N, Θ(N)) source with error parameter ε using log1/ν(N/ε)bits of seed. Denote by µ the supremum of all seed length indices.
Such extractors exist with ν ≥ 1/2, e.g., Trevisan’s extractors [52] shown to be quantum-proofby De et al. [17]. Thus µ ≥ 1/2. The definition of soundness error for producing y bits of perfectrandomness is the same for producing extractable random bits, except that the ideal C-Q stateconditioned on Success is the product state of y perfectly random bits and a quantum state. Thefollowing corollary follows directly by composing protocol R and an extractor with ν close to µ.
Corollary 1.5 (One-shot Randomness Expansion). For any ω ∈ (0, µ), setting q = Θ(kω/2kµ−ω) in
Theorem 1.2, Protocol R composed with an appropriate quantum-proof strong extractor converts k bits to2kµ−ω
almost uniform bits with soundness and completeness errors exp(−Ω(kω)).
The next corollary addresses cryptographic security. (Note: In measuring running time, oneround of interaction with the device is considered a unit time.)
7
Corollary 1.6 (Cryptographic Security). With the parameters in Corollary 1.5, the running time of theprotocol is T := Θ(2kµ−ω
). Thus for any λ > 1, setting ω = λ1+λ µ, the errors are exp(−Ω(logλ T)),
which are negligible in T. That is, the protocol with those parameters achieves cryptographic quality ofsecurity (while still exponentially expanding.)
Once we have near perfect randomness as output, we can use it as the input to another in-stance of the protocol, thus expanding further with an accumulating error parameter. As the errorparameters decrease at an exponential rate, they are dominated by the first set of errors.
Corollary 1.7 (Robust Unbounded Randomness Expansion). For all integers N and k, and any realω ∈ (0, µ), k uniformly random bits can be expanded to N output bits with exp(−Ω(kω)) error under aconstant level of noise. The procedure uses O(log∗ N) iterations of Protocol R using O(log∗ N) devices.
Remark 1.8. Fehr et al. [22] discussed the possibility of cross-feeding the outputs of two devices(i.e., giving the output of one device as the input to another, and then vice versa) so as to reducethe O(log∗ N) number of devices to a constant. There is an apparent obstacle for proving securityfor such an approach: once a device produces output, this output is now correlated with the deviceitself. When this output is fed to a second device to produce new output, one needs to show thatthe correlation with the first device does not persist. (If it did, then at the third iteration one wouldbe feeding the first device a seed that was correlated with the first device itself, thus causing aninsecurity.)
Coudron and Yuen [15] solved this composition problem by an improved analysis of theReichardt-Unger-Vazirani protocol [44]. Under this new analysis, the latter protocol turns a uniform-to-device input into a uniform-to-adversary output with sufficiently strong parameters. In combi-nation with the exponentially expanding Vazirani-Vidick protocol [54], this leads to (non-robust)unbounded expansion with 4 two-part devices.
We took a different path by noting that the composition problem can be solved without any ad-ditional processing, by an independent result of Chung, Shi and Wu [10]. Specifically, the Equiv-alence Lemma of [10] states that if a randomness expansion protocol is secure with a globallyrandom input, then it is also automatically secure with any uniform-to-device input. This meansthat the correlation of each device with its own output does not cause a problem. Consequently,unbounded expansion with 2 devices can be achieved by cross-feeding any secure randomnessexpansion protocol.
We therefore have the following corollary, which is a robust improvement of the main result of[15].
Corollary 1.9 (Robust Unbounded Randomness Expansion with 2 Devices). The number of (multi-part) devices used in Corollary 1.7 can be reduced to 2.
We comment on the additional importance of robustness for unbounded expansion. By thenature of unbounded expansion, the accuracy parameter of the devices used cannot be allowed todepend on the length of the output. Thus any imperfection of the device will impose a limit onthe output length, rendering unbounded expansion impossible. Thus robustness is essential forunbounded expansion to be practically useful.
The intuition for the proof of Corollary 1.9 is straightforward: we can cross-feed inputs andoutputs between two devices so that at any stage, a device accepts input that is uniform to itself,and (by the Equivalence Lemma) produces output that is uniform to the other device. The errorsthat occur in cross-feeding add up linearly (by the triangle inequality) and the sum of these errorsconverges. This argument is written out in detail in Appendix J.
8
Application: randomness amplification. To apply our protocol to randomness amplification,we choose q = Θ(1) for those uses of our protocol inside the Chung-Shi-Wu randomness amplifi-cation protocol, which converts a n-bit, min-entropy ≥ k weak source to a near perfectly randomoutput of Θ(k) bits. Then we apply Corollary 1.9 to expand to an arbitrarily long near perfectrandomness.
While the QKD protocol of Vazirani and Vidick [53] can also serve as a building block forthe Chung-Shi-Wu protocol, the use of our protocol has two advantages for in-between-roundscommunications and flexibility of the non-local game used.
Corollary 1.10 (of 1.5,1.9, and [10] — Randomness Amplification). Let ν ∈ [1/2, µ] be a seed lengthindex. For all sufficiently large integer k, any integer n = exp(O(kν2
)), any real ε = exp(−O(kν2)),
any (n, k) source can be converted to an arbitrarily long near perfect randomness with ε soundness andcompleteness errors under a (universal) constant level of noise. The number of devices used is 2O(log1/ν(n/ε)),which in particular does not depend on the output length.
We point out that the number of devices T = T(n, 1/ε) used as a function of the weak sourcelength n and the error parameter ε grows super-polynomially (if µ < 1) or polynomially (ifµ = 1). It remains a major open problem if T(n, 1/ε) can be substantially reduced or even bemade a universal constant. We stress, however, that the limitation imposed by this function isbetter interpreted as limiting the achievable error, instead of computational efficiency. This is be-cause, T could still scale efficiently as a function of the output length. For example, to output Nbits, as long as ε = exp(−O(logν N)), the number of devices is still polynomial in N. There-fore, the question of improving T is the question of broadening the application of the combinedamplification-expansion protocol to settings requiring inverse-polynomial or even cryptographicquality of error.
Application: exponentially expanding key distribution. Suppose that Alice and Bob wouldlike to establish a secrete string in an environment that trusted randomness is a scarce resource,and consequently their initial randomness is much shorter than the desired output length. Aswith other studies on quantum key distribution (QKD), we will sidestep the authentication issue,assuming that the man-in-the-middle attack is already dealt with. A straightforward adaptationof our randomness expansion protocol for untrusted device QKD is for Alice to expand her initialrandomness, then use the expanded, secure randomness to execute the untrusted device QKDprotocol of Vazirani and Vidick [53]. The end result is an exponentially expanding key distributionprotocol. An alternative approach, which is the focus of our new contribution, is to directly adaptour expansion protocol to achieve simultaneously randomness expansion and key distribution.The benefits of doing so is the reduction of the number of untrusted devices from 2 to 1.
We now describe in high level the adaption, the challenges, and our solution. To apply ProtocolR (Fig. 2) to untrusted-device QKD between two parties Alice and Bob, we have Alice interactwith the first component of the device, while Bob interacts with all the other components. Theyshare randomness for executing our protocol, as well as that for later classical post-processingstages. For those game rounds that the bit g is 1, Alice and Bob use the public channel to comparetheir device outputs. Once Protocol R succeeds, they apply an information reconciliation (IR)protocol for agreeing on a common string. To obtain the final key, they then apply the randomnessextraction on this common string. The full protocol Rqkd is provided in Section K. We separate therandomness extraction stage from our protocol as it is standard.
To make the above straightforward idea work, the first technical problem is to ensure thatthe measurement outcomes of Alice and Bob (under an appropriate interpretation) agree on a
9
large fraction (bounded away above 1/2). This is tackled through Azuma-Hoeffding Inequality.Secondly, we need to make sure that IR can be performed without exhausting the min-entropy(through too many bits of communication) or using too much randomness. While this objectivemay seem new in the literature of quantum key distribution, a protocol by Guruswami [24] for aclosely related problem can be adapted to accomplish our goal. In another related work, Smith [48]constructed computationally efficient IR protocols that achieve close to optimal communicationcost. He did not attempt to optimize his use of the randomness, which is too much for us butpossibly can be significantly reduced.
We present the details in Section K and state our main result on key distribution below. Thenotion of soundness and completeness errors are similarly defined: the soundness error is thedistance of the output distribution to a mixture of aborting and an output randomness of a de-sired smooth min-entropy, and the completeness error is the probability of aborting for an honest(possibly noisy) implementation.
Corollary 1.11 (Robust Untrusted-Device Quantum Key Distribution with Short Seed). For anystrong self-test G, there exists a positive constant s such that the following holds. For any δ > 0, thereare positive constants q0, η0, B0, b, c, such that the following assertions hold when Protocol Rqkd (Fig. 7) isexecuted with parameters q ≤ q0, η ≤ η0, and qN ≥ B0.
1. (Soundness.) The protocol obtains a key of (s− δ)N extractable bits with a soundness error εs =exp(−bqN).
2. (Completeness.) For any constant η′, 0 < η′ < η, the protocol tolerates η′ noise level with acompleteness error εc = exp(−c(η − η′)2qN).
The number of initial random bits is O(Nh(q)). In particular, for any ω ∈ (0, 1) and all sufficientlylarge k, 2k1−ω
extractible bits can be distributed using one (multi-part) untrusted quantum device startingwith a seed of k bits, with soundness and completeness errors exp(−Ω(kω)) and tolerating a constant levelof noise.
A final key of length Ω(N) can be obtained by applying a quantum-proof randomness extrac-tor with additional O(logω(N/ε)) bits as the seed for the extractor, where ω can be chosen ≤ 2,and ε is added to the soundness error.
2 Central Concepts and Proofs
While proving classical security of randomness expansion protocols is mainly appropriate ap-plications of Azuma-Hoeffiding inequality, proving quantum security is much more challenging.The proof for the Vazirani-Vidick protocol [54] relies on a characterization of quantum smoothmin-entropy based on the quantum-security of Trevisan’s extractors [17]. We take a completelydifferent approach, without any reference to extractors (for our min-entropy expansion.)
Achieving the results above required developing multiple new techniques. We are hopefulthat some of the ideas in this paper will also find applications elsewhere. We now sketch the maininsights and technical contributions from our proofs. (The proofs are written out in full detail inthe appendix.)
The application of quantum Rényi entropies. A critical challenge in constructing our proofs wasfinding the right measure of randomness. We use the quantum Rényi entropies which were first
10
defined in [30] and further studied in [36, 57]. For any α > 1, and any density matrix ρ and anypositive semidefinite operator σ, let
dα(ρ‖σ) = Tr[(
σ1−α2α ρσ
1−α2α
)α] 1α−1
. (2.1)
and let Dα(ρ‖σ) = log2 dα(ρ‖σ). (The quantity Dα(ρ‖σ) is called the Rényi divergence.) The α-Rényi entropy Hα(A|E) of a bipartite quantum system (A, E) is computed by the maximum of thevalue [−Dα(ρ‖σ)] over all operators σ that are of the form the form σ = IA⊗ σ′, where Tr(σ′) = 1.(See Definition D.2 in the appendix.) The quantum Rényi entropies have a number of interestingproperties (see [36]). For our purposes, they are interesting because if (A, E) is a classical quantumsystem, any lower bound on the Rényi entropy of (A, E) provides a lower bound on the numberof random bits than can be extracted from A. (See Corollary D.9.)
The use of quantum Rényi entropies is delicate because the parameter α must be chosen ap-propriately. If α is too large, the quantum Rényi entropy is not sensitive enough to detect the effectof the game rounds in Protocol R. On the other hand, if α is too close to 1, the bound on extractablebits obtained from Corollary D.9 is not useful. As we will discuss later in this section, it turns outthat it is ideal to choose α such that (α− 1) is proportional to the parameter q from Protocol R.
An uncertainty principle for Rényi entropy. Suppose that Q is a qubit, and E is a quantum systemthat is entangled with Q. Let ρ be a density operator which represents the state of E. Let ρ0, ρ1and ρ+, ρ− represent the states that arise when Q is measured along the 0, 1-basis and the+,−-basis. We prove the following. (See Theorem E.2.)
Theorem 2.1. There is a continuous function Π : (0, 1]× [0, 1]→ R satisfying
lim(x,y)→(0,0)
Π(x, y) = 1 (2.2)
such that the following holds. For any operators ρ0, ρ1, ρ+, ρ− representing states arising from anti-
commutative measurements, if δ =Tr(ρ1+ε
1 )
Tr(ρ1+ε), then
Tr(ρ1+ε+ + ρ1+ε
− )
Tr(ρ1+ε)≤ 2−εΠ(ε,δ). (2.3)
This theorem asserts that if the quantity δ determined by the 0, 1 measurement is small,then the outcome of the +,−-measurement must be uncertain (as measured by the (1 + ε)-Rényi divergence). This parallels other uncertainty principles that have been used in quantumcryptography [51].
Our proof of this result is based on a known matrix inequality for the (2 + 2ε)-Schatten norm.
Certifying randomness from a device with trusted measurements. Let us say that a device withtrusted measurements D is a single-part input-output device which receives a single bit as an input,and, depending on the value of the bit, performs one of two perfectly anti-commutative binarymeasurements on a quantum system. The measurements of the device are trusted, but the state isunknown.
Suppose that we make the following modifications to the procedure that defines Protocol R.
1. Instead of a multi-part binary device, we use a single-part binary device with trusted mea-surements.
11
2. Instead of playing a nonlocal game, at each round we simply use the bit g as input to thedevice and record the output.
Let us refer to this modified version as “Protocol A.” (See section G.1 for a full description.)Note that Protocols A and R both involve conditioning on a “success” event. One of the cen-
tral difficulties we have found in establish quantum security is in determining the impact thatthis conditioning has on the randomness of the device D. In the classical security context, onecan show that once we conditioning on the success event, “most” uses of the device D (in anappropriate sense) generate random outputs. By elementary arguments, the outputs therefore ac-cumulate min-entropy linearly over multiple iterations, and randomness expansion is achieved.Yet carrying this approach over to the quantum context—even with the assumption of trustedmeasurements—seemed to us to be quite difficult.
We have found a successful way to interpret the success/abort events in the quantum context.It involves two adjustments to the classical approach outlined above. First, we use the quantumRényi entropy in place of the smooth min-entropy. (The quantum Rényi entropies have elegantarithmetic properties which make them more amenable to induction.) Secondly, rather than di-rectly considering “success” and “abort” as discrete events, we consider a graded measurement ofperformance which interpolates between the two.
Suppose that E is a quantum system which is initially entangled with D. For the purposes ofthis discussion, let us assume that E and D are maximally entangled and the state ρ = ρE is totallymixed. Then, the state of E after one iteration can be expressed as
ρ := (1− q)ρ+ ⊕ (1− q)ρ− ⊕ qρ0 ⊕ qρ1. (2.4)
Suppose that we are measuring the randomness of this state with respect to a second party whoknows the value of the bit g. Then, an appropriate measure of randomness would be the Rényidivergence Dα(ρ‖σ) with respect to the operator σ := (1 − q)I ⊕ (1 − q)I ⊕ qI ⊕ qI. For theparameter α, it turns out that simply taking α = 1 + q is useful.
Then,
d1+q(ρ‖σ) = Tr[(1− q)ρ1+q
+ + (1− q)ρ1+q− + qρ
1+q0 + qρ
1+q1
]1/q. (2.5)
One could hope that this quantity is strictly smaller than dα(ρ‖I), but this is not always so (for ex-ample, for measurements on a maximally entangled Bell state). But consider instead the modifiedexpression
Tr[(1− q)ρ1+q
+ + (1− q)ρ1+q− + qρ
1+q0 +
(12
)qρ
1+q1
]1/q
. (2.6)
Theorem 2.1 implies that this quantity is always less than C−1d1+q(ρ‖I), where C > 1 is a fixedconstant. (Essentially, this is because if the quantity δ is large, then the introduction of the (1/2)coefficient lowers the value of the expression significantly, and if δ is small, then (2.3) implies thedesired bound.)
If we let
σ := (1− q)I⊕ (1− q)I⊕ qI⊕ 21/qqI, (2.7)
then d1+q(ρ‖σ) is equal to expression (2.6). One can think of the function d1+q(·‖σ) as an error-tolerant measure of performance. The presence of the coefficient 21/q compensates for the loss ofrandomness when the device-failure quantity Tr[ρ1+q
1 ] is large.
12
Now let B denote the output register of Protocol R, and let ΛBE denote the joint state of E andB at the conclusion of the protocol. Let Σ be an operator on BE defined by
Σ = ∑b∈H,T,P,FN
(1− q)(
# of gen.rounds
)q(
# of gamerounds
)2(1/q)·
(# of
failures
)|b〉 〈b| ⊗ I. (2.8)
An inductive argument proves that d1+q(Γ‖Σ) ≤ C−N . This inequality is sufficient to deduce thatthe Rényi entropy of the “success” state Γs grows linearly in N. One can therefore deduce that (forappropriate parameters) the outputs of Protocol A contain a linear number of extractable quantumproof bits.
The reasoning sketched above is given in full detail in Appendix H. In that section, we actuallyprove something stronger: if Protocol A is executed with a partially trusted measurement device(i.e., a measurement device whose measurements are anticommutative only with a certain positiveprobability) then it produces a linear amount of randomness. (See Theorem H.7.) This general-ization, as we will see, is what allows to carry over our results into the fully device-independentsetting.
Simulation results for partially trusted devices. The second central insight that enables ourresults is that nonlocal games simulate partially trusted devices. When certain nonlocal games areplayed–even with a device that is completely untrusted–their outcomes match the behavior of adevice that is partially trusted.
Let us begin by formalizing a class of devices. (Our formalism is a variation on that which hasappeared in other papers on untrusted devices, such as [44].)
Definition 2.2. Let n be a positive integer. A binary quantum device with n components D =(D1, . . . , Dn) consists of the following.
1. Quantum systems Q1, . . . , Qn, and a density operator Φ on Q1 ⊗ . . .⊗Qn which defines the intialstate of the systems.
2. For any k ≥ 0, and any “transcript” T (representing the collective previous inputs and outputsduring previous rounds) a unitary operator UT :
⊗iQi →
⊗iQi and a collection of Hermitian
operators M(b)T,j on Qj satisfying
∥∥∥M(b)T,j
∥∥∥ ≤ 1.
The behavior of the device D is as follows: at round i, the devices first collectively perform theunitary operation UT, and then, according to their inputs bi, each performs binary measurementspecified by the operators Mbi
T,j. (This is a device model that allows communication in betweenrounds.)
Now we define a somewhat more specific type of device. Suppose that E is a single-partbinary quantum device. Then let us say that E is a partially trusted device with parameters (v, h) ifthe measurement operators N(1)
T that E uses on input 1 decompose as
N(1)T = (v)PT + (1− v− h)QT, (2.9)
where PT is perfectly anti-commutative with the other measurement N(0)T , and QT satisfies ‖QT‖ ≤
1 (and is otherwise unspecified). Essentially, the device behaves as follows. On input 0, it per-forms a perfect measurement. On input 1, it does one of the following at random: it performsa perfectly anti-commuting measurement (probability = v), or it performs an unknown measure-ment (probability = 1− v− h), or it ignores its quantum system and merely outputs a perfect coin
13
flip (probability = h). (The second possibility is what we call a “dishonest mistake,” and the thirdis what we call an “honest mistake.”)
We wish to prove that untrusted devices can be simulated by partially trusted devices. Thisagain is an example of a task that is fairly easy in the classical security context but difficult in thequantum context. For example, if one knows that a quantum device performs at a superclassicallevel at a particular nonlocal game, then one knows that its outcomes are at least partly random,thus can be “simulated” by a biased coin flip (or a “partially trusted” coin flip). But to provequantum security one needs a stronger notion of simulation—one that allows for the possibilityquantum side information.
The basis for our simulation result is previous work by the present authors on quantum self-testing [35]. We consider games from the class of strong self-tests which we referred to in section 1.In [35] we proved a criterion for strong self-tests. This criterion is a building block in the followingtheorem.
Theorem 2.3. Let G be a strong self-test, and let D be an (untrusted) binary device with n components.Then, the behavior of D in Protocol R can be simulated by a partially trusted device.
This result is proved in the Appendix as Theorem G.4. We briefly sketch the proof. We canreduce to the case where dimQi = 2 and each measurement operator is projective. After anappropriate choice of basis, we have
M(0)j =
[0 11 0
]M(1)
j =
[0 αjαj 0
](2.10)
with∣∣αj∣∣ = 1. The output of D during a generation round is derived from the measurement
operator M(0)j ⊗ I⊗ . . . ⊗ I, which, under an appropriate basis, can be represented as the block
matrix[
0 I
I 0
]on C2n
. The behavior of D during a game round can be given represented by a
reverse diagonal Hermitian matrix M on C2nwith entries
P1(α1, . . . , αn), P2(α1, . . . , αn), P3(α1, . . . , αn), . . . , P2(α1, . . . , αn), P1(α1, . . . , αn), (2.11)
where Pi are rational functions depending on the game. Using the strong self-testing condition,we show the existence of another reverse diagonal matrix R with entries β1, . . . , β2n−1 , β2n−1 , . . . , β1
which anti-commutes with M(0)j and which satisfies ‖M− R‖+ ‖R‖ = ‖M‖. This implies that M
satisfies the decomposition (2.9) which defines a partially trusted device.Proving the existence of the sequence β1, . . . , β2n−1 is matter of manipulations of complex num-
bers. One surprising aspect of this proof is that depends critically on the fact that G is not only aself-test, but a strong self-test. (See Corollary F.9, which is used in the proof of Theorem F.11.)
The proof of security of Protocol R. We define a third protocol, Protocol A’ (Fig. 4), which is thesame as Protocol A except that a partially trusted measurement device is used. We show thatProtocol A’ produces a linear amount of entropy (Theorem H.7). Protocol R can be simulated byProtocol A’ for an appropriately chosen partially trusted device. This means not only that theprobability distributions of the outputs of the two protocols are exactly the same, but also thatthere is a simulation of the behavior of any external quantum environment that may be possessedby an adversary. Since Protocol A’ produces a linear amount of min-entropy, the same is true ofProtocol R. This completes the proof. (See Theorem I.2.)
14
Numerical bounds. The proof methods we have discussed are sufficient to give actual numericalbounds for the amount of randomness generated by Protocol R. In subsection I.3 we offer a pre-liminary result showing how this is done. Let Π be the actual function that is used in the proof ofTheorem 2.1 (see Theorem E.2). Then, the limiting function
π(y) := limx→0
Π(x, y) (2.12)
is given by the following expression:
π(y) = 1− 2y log y− 2(1− y) log(1− y). (2.13)
That is,
π(y) = 1− 2h(y), (2.14)
where h(y) denotes the Shannon entropy of the vector (y, 1− y).If G is a strong self-test, let vG denote the trust coefficient of G — that is, the largest real number
v such that G simulates a partially trusted device with parameters (v, h). Corollary I.4 asserts thatthe linear output of Protocol R is lower bounded by the quantity π(η/vG). In particular, a positiverate is achieved provided that π(η/vG) > 0. Using (2.13), a positive rate is therefore achieved ifη < 0.11 · vG.
In subsection I.3, we show that vGHZ ≥ 0.14. Therefore, the GHZ game achieves a positivelinear rate provided that η < 0.11 · 0.14 = 0.0154.
3 Further directions
A natural goal at this point is to improve the certified rate of Protocol R. This is important forthe practical realization of our protocols. By the discussion above, this reduces to two simplequestions. First, what techniques are there for computing the trust coefficient vG of a binary XORgame? Second, is it possible to reprove Theorem 2.1 in such a way that the limiting function (??)becomes larger? A related question is to improve the key rate of Protocol Rqkd. The “hybrid”technique of Vazirani and Vidick [53] for mixing the CHSH game with a trivial game with unitquantum winning strategy may extend to general binary XOR games.
It would also be interesting to explore whether Theorem 1.2 could be extended to nonlocalgames outside the class of strong self-tests. Such an extension will not only facilitate the realiza-tion of those protocols, but also will further identify the essential feature of quantum informationenabling those protocols. As the characterization of strong self-tests is critical for our proof, devel-oping a theory of robust self-testing beyond binary XOR games may be useful for our question. Itis also conceivable that there exist fairly broad conditions under which a classical security proof,which is typically much easier to establish, automatically imply quantum security. We consideridentifying such a whole-sale security lifting principle as a major open problem.
A different direction to extend our result is to prove security based on physical principles moregeneral than quantum mechanics, such as non-signaling principle, or information causality [39].
Our protocols require some initial perfect randomness to start with. The Chung-Shi-Wu pro-tocol [10] relaxes this requirement to an arbitrary min-entropy source and tolerates a universalconstant level of noise. However, those were achieved at a great cost on the number of non-communicating devices. A major open problem is if our protocol can be modified to handle non-uniform input.
15
Randomness expansion can be thought of as a “seeded” extractions of randomness from un-trusted quantum devices, as pointed out by Chung, Shi and Wu [10] in their “Physical Random-ness Extractors” framework. Our one-shot and unbounded expansion results demonstrate a trade-off between the seed length and the output length different from that in classical extractors. Recallthat a classical extractor with output length N and error parameter ε requires Ω(log N/ε) seedlength, while our unbounded expansion protocol can have a fixed seed length (which determinesthe error parameter). What is the maximum amount of randomness one can extract from a deviceof a given amount of entanglement (i.e. is the exponential rate optimal for one device)? Whatcan one say about the tradeoff between expansion rate and some proper quantity describing thecommunication restrictions? Answers to those questions will reveal fundamental features of un-trusted quantum devices as a source for randomness extraction, and will hopefully lead to anintuitive understanding of where the randomness come from.
Yet another important direction forward is to prove security in more complicated compositionscenarios than the cross-feeding protocol. As pointed out by Barrett, Colbeck and Kent [4], a de-vice reused may store previous runs’ information thus potentially may cause security problem insequentially composed QKD protocols. While such “memory attack” appears not to be a problemfor sequential compositions of our randomness expansion protocol, it may for other more com-plicated compositions. Thus it is desirable to design untrusted-device protocols and prove theirsecurity under broader classes of compositions.
Acknowledgments We are indebted to Anne Broadbent, Kai-Min Chung, Roger Colbeck, BrettHemenway, Adrian Kent, Thomas Vidick and Xiaodi Wu for useful discussions, to Michael Ben-Or, Qi Cheng, Venkatesan Guruswami, and Adam Smith for pointers to the literature on error-correcting codes and information reconciliation.
16
A Organization of Appendix
Section B defines some notation, establishes the model of quantum devices that we are using, andalso states the full version of the central protocol. Section C proves a few mathematical statements(pertaining to operators and real-valued functions) which are used in the later proofs.
Section D introduces the quantum Rényi entropies Hα(·‖·) and the Rényi divergences Dα(·‖·) [30,57, 36]. We give a definition of smooth min-entropy (see Definition D.3) which is the standard mea-surement of security in the quantum context. The importance of Rényi entropies for our purposesis illustrated by Corollary D.9, which asserts that any lower bound for Rényi entropy implies alower bound for smooth min-entropy. We prove Corollary D.9 by an easy derivative of a knownproof.
In Section E we prove the uncertainty principle (Theorem E.2). The proof is based on a matrixinequality for the Schatten norm. Subsection F reviews some theory for nonlocal games whichcomes from [56] and [35], and derives some new consequences. Section G formalizes the notionof partially trusted measurement devices, and proves (using theory from section F) that strong self-tests can be used to simulate the behavior of such devices.
Section H contains the most technical part of the security proof for randomness expansion.Section H proves that Protocol A’ (see Figure 4) is secure. The proof rests mainly on the uncertaintyprinciple (Theorem E.2). Section I uses the results of section H to deduce the security of ProtocolR (using simulation). Our central result for randomness expansion is stated as Theorem I.2.
Sections J and K provide the supporting proofs for the results on unbounded expansion, ran-domness amplification, and key distribution.
B Notation and Definitions
B.1 Notation
When a sequence is defined, we will use Roman font to refer to individual terms (e.g., h1, . . . , hn)and boldface font to refer to the sequence as a whole (e.g., h). For any bit b, let b = 1− b. For anysequence of bits b = (b1, . . . , bn), let b = (b1, . . . , bn).
We will use capital letters (e.g., X) to denote quantum systems. We use the same letter todenote both the system itself and the complex Hilbert space which represents it.
An n-player binary nonlocal XOR game G consists of a probability distribution
pi | i ∈ 0, 1n (B.1)
on the set 0, 1n, together with an indexed set
ηi ∈ −1, 1 | i ∈ 0, 1n. (B.2)
The quantities pi specify the probability distribution that is used to choose input strings for thegame. The set ηi specifies the score: if the output bits satisfy
⊕oi = 0, then a score of ηi is
awarded; otherwise a score of −ηi is awarded. (See the beginning of section F for a more detaileddiscussion of this definition.) When the score awarded is +1, we say that the players have passed.When the score is −1, we say that the players have failed.
We will write qG to denote the maximum (expected) score that can be achieved by quantumstrategies for the game G. Note that this is different from the maximum passing probability forquantum strategies, which we denote by wG. The two are related by wG =
(1+qG
2
). We will also
write fG for the minimum failing probability, which is given by fG = 1−wG.
17
We write the expression f (x)y (where f is a function) to mean ( f (x))y. Thus, for example, inthe expression
Tr[Z]1/q (B.3)
the (1/q)th power map is applied after the trace function, not before it.If ρ1 : X1 → Y1 and ρ2 : X2 → Y2 are two linear operators, then we denote by ρ1 ⊕ ρ2 the
operator from X1 ⊕ X2 to Y1 ⊕Y2 which maps (x1, x2) to (ρ1(x1), ρ2(x2)).If (B, E) is a bipartite system, and ρ is a density operator on B ⊗ E representing a classical-
quantum state, then we may express ρ as a diagonal-block operator
ρ =
ρ1
ρ2ρ3
. . .ρm
, (B.4)
where ρ1, . . . , ρm denote the subnormalized operators on E corresponding to the basis states of theclassical register B. Alternatively, we may express ρ as ρ = ρ1 ⊕ ρ2 ⊕ . . .⊕ ρm.
We write (log x) to denote the logarithm with base 2, and we write (ln x) to denote the loga-rithm with base e.
B.2 Untrusted Quantum Devices
Let us formalize some terminology and notation for describing quantum devices. (Our formalismis a variation on that which has appeared in other papers on untrusted devices, such as [44].)
Definition B.1. Let n be a positive integer. A binary quantum device with n components D =(D1, . . . , Dn) consists of the following.
1. Quantum systems Q1, . . . , Qn whose initial state is specified by a density operator,
Φ : (Q1 ⊗ . . .⊗Qn)→ (Q1 ⊗ . . .⊗Qn) (B.5)
2. For any k ≥ 0, and any function
T : 0, 1 × 1, 2, . . . , k × 1, 2, . . . , n → 0, 1 (B.6)
a unitary operator
UT : (Q1 ⊗ . . .⊗Qn)→ (Q1 ⊗ . . .⊗Qn) . (B.7)
and a collection of Hermitian operatorsM(b)
T,j : Qj → Qj
b∈0,11≤j≤n
(B.8)
satisfying∥∥∥M(b)
T,j
∥∥∥ ≤ 1.
18
The device D behaves as follows. Suppose that k iterations of the device have already takenplace, and suppose that T is such that T(0, i, j) ∈ 0, 1 and T(1, i, j) ∈ 0, 1 represent the inputbit and output bit, respectively, for the jth player on the ith round (i ≤ k). (T is the transcriptfunction.) Then,
1. The components D1, . . . , Dn collectively perform the unitary operation UT on Q1⊗ . . .⊗Qn.
2. Each component Dj receives its input bit bj, then applies the binary nondestructive measure-ment on Qi given by
X 7→
√√√√I + M
(bj)
T,j
2
X
√√√√I + M
(bj)
T,j
2
(B.9)
X 7→
√√√√I−M
(bj)
T,j
2
X
√√√√I−M
(bj)
T,j
2
, (B.10)
and then outputs the result.
B.3 Simulation
Let us say that one binary quantum device D′ simulates another binary quantum device D if, forany purifying systems E′ and E (for D and D′, respectively), and any input sequence i1, . . . , ik ∈0, 1n, the joint state of the outputs of D together with E is isomorphic to the joint state of theoutputs of D′ together with E′ on the same input sequence. Similarly, let us say that a protocol Xsimulates another protocol Y if, for any purifying systems E and E′ for the quantum devices usedby X and Y, respectively, the joint state of E together with the outputs of X is isomorphic to thejoint state of E’ together with the outputs of Y.
Definition B.2. Let us say that a binary quantum device D is in canonical form if each of its quantumsystems Qj is such that Qj = C2mj for some mj ≥ 1, and each measurement operator pair (M(0), M(1)) =
(M(0)T,j , M(1)
T,j ) has the following 2× 2 diagonal block form:
M(0) =
0 11 0
0 11 0
. . .0 11 0
M(1) =
0 ζ1ζ1 0
0 ζ2
ζ2 0. . .
0 ζmj
ζmj 0
,
19
where the complex numbers ζ` satisfy
|ζ`| = 1 and Im(ζ`) ≥ 0. (B.11)
(Note that the complex numbers ζ` may be different for each transcript H and each player j.)
When we discuss quantum devices that are in canonical form, we will frequently make use ofthe isomorphism C2m ∼= C2 ⊗Cm given by e2k−1 7→ e1 ⊗ ek, e2k 7→ e2 ⊗ ek. (Here, e1, . . . , er denotethe standard basis vectors for Cr.)
The following proposition is easy to prove. (See Lemma 3.4 in the supplementary informationof [35].)
Proposition B.3. Any binary quantum device can be simulated by a device that is in canonical form.
C Mathematical Preliminaries
In this section we state some purely mathematical results that will be used in later sections.
Proposition C.1. Let γ ∈ [0, 1], and let Z, W denote positive semidefinite operators on Cn.
(a) If Z ≤W, then Zγ ≤Wγ.
(b) If Z ≤W and X = W − Z, then
Tr(X1+γ) + Tr(Z1+γ) ≤ Tr(W1+γ). (C.1)
Proof. Part (a) is given by Theoprem 2.6 in [9]. Part (b) follows from part (a) by the followingreasoning:
Tr(W1+γ) = Tr(W ·Wγ) (C.2)= Tr(X ·Wγ) + Tr(Z ·Wγ) (C.3)≥ Tr(X · Xγ) + Tr(Z · Zγ) (C.4)= Tr(X1+γ) + Tr(Z1+γ). (C.5)
This completes the proof.
Proposition C.2. Let U ⊆ Rn, let z ∈ Rn be an element in the closure of U, and let f , g be continuousfunctions from U to R. Suppose that
limx→z
f (x) = 0 (C.6)
and
limx→z
f (x)g(x)
= c. (C.7)
Then,
limx→z
(1 + f (x))1/g(x) = ec. (C.8)
Proof. This can be proved easily by taking the natural logarithm of both sides of (C.8).
20
Proposition C.3. Let U ⊆ Rn and V ⊆ Rm, and assume that V is compact. Let f : U × V → R be acontinuous function. Let z ∈ Rn be an element in the closure of U, and assume that limx→z f (x, y) existsfor every y ∈ V. Then,
limx→z
miny∈V
f (x, y) = miny∈V
limx→z
f (x, y). (C.9)
Proof. Let f be the continuous extension of f to (U ∪ z)×V. Let h(x, y) = f (x, y)− f (z, y).Let δ > 0. For any y ∈ V, since h(z, y) = 0 and h is continuous at (z, y), we can find an εy > 0
such that the values of h on the cylinder(x, y′) | |x− z| < εy, |y′ − y| < εy
(C.10)
are confined to [−δ, δ]. Since V is compact, we can choose a finite set S ⊆ V such that thethe εy-cylinders for y ∈ S cover V. Letting ε = miny∈S εy, we find that the values of h onthe ε-neighborhood of V are confined to [−δ, δ]. Therefore, the minimum of f (x, y) on the ε-neighborhood of V is within δ of miny∈V f (z, y). The desired equality (C.9) follows.
D Quantum Rényi Entropies
We will use the notion of quantum Rényi divergence which is defined in [36].
Definition D.1 ([36]). Let ρ be a density matrix on Cn. Let σ be a positive semidefinite matrix on Cn
whose support contains the support of ρ. Let α > 1 be a real number. Then,
dα(ρ‖σ) = Tr[(
σ1−α2α ρσ
1−α2α
)α] 1α−1
. (D.1)
More generally, for any positive semidefinite matrix ρ′ whose support is contained in Supp σ, let
dα(ρ′‖σ) := Tr
[1
Tr[ρ′]
(σ
1−α2α ρ′σ
1−α2α
)α] 1
α−1
. (D.2)
Let
Dα(ρ′‖σ) = log dα(ρ
′‖σ). (D.3)
Definition D.2. Let AB be a classical-quantum system, and let ρAB be a density operator. Let α > 1 be areal number. Then,
Hα(A | B)ρ|σ := −Dα (ρAB‖IA ⊗ σ) . (D.4)
Equivalently,
Hα(A | B)ρ|σ = − 1α− 1
log
(∑
aTr[(
(σ)1−α2α (ρa
B)(σ)1−α2α
)α]). (D.5)
Define (as in [36]),
Hα(A | B)ρ = maxσ : B→B
σ≥0,Tr(σ)=1
Hα(A | B)ρ|σ. (D.6)
21
Additionally, we will need a definition of smooth min-entropy. There are multiple definitionsof smooth min-entropy that are essentially equivalent. The definition that we will use is not themost up-to-date (see [50]) but it is good for our purposes because it is simple.
Definition D.3. Let AB be a classical-quantumtum system, and let ρAB be a positive semidefinite operator.Let ε > 0 be a real number. Then,
Hεmin(A | B)ρAB = max
‖ρ′−ρ‖1≤ερ′≥0
maxσ : B→B
IA⊗σ≥ρ′
− log(Tr(B)), (D.7)
where the minimization is taken over positive semidefinite operators σ on B.
The smooth min-entropy measures the number of random bits that can be extracted from aclassical source in the presence of quantum information [45]. When it is convenient, we will usethe notation Hε
min(ρAB|B) instead of Hεmin(A|B)ρAB .
Following [16], let us define the relative smooth max-entropy of two operators.
Definition D.4. Let ρ, σ be positive semidefinite operators on Cn such that the support of σ contains thesupport of ρ. Then,
Dmax(ρ‖σ) = log minλ∈Rρ≤λσ
(λ). (D.8)
For any ε ≥ 0,
Dεmax(ρ‖σ) = inf
‖ρ′−ρ‖1≤ερ′≥0
Dmax(ρ′‖σ). (D.9)
The quantity Dεmax is convenient for computing lower bounds on Hε
min. Note that if ψ is anydensity matrix on B,
Hεmin(ρAB|B) ≥ −Dε
max(ρAB‖IA ⊗ ψ). (D.10)
Now we will prove some results about Rényi entropy and smooth min-entropy. (These areeasy derivatives of known results for α = 2 ([20], [49]).)
Proposition D.5. Let α ∈ (1, 2]. Let ρ, σ be positive semidefinite operators on a finite-dimensional Hilbertspace V such that Supp σ ⊇ Supp ρ. Then, there exists a positive semidefinite operator ρ′ such that ρ′ ≤ σand
log∥∥ρ− ρ′
∥∥1 ≤
α− 12· Dα(ρ‖σ) +
12
(D.11)
Proof. Our proof is based on the proof of Lemma 19 in [20] (which, in turn, is based on [49]).For any Hermitian operator H, let P+
H denote projection on the subspace spanned by the positiveeigenvectors of H, and let Tr+(H) = Tr(P+
H HP+H ). Let
δ = Tr+(ρ− σ). (D.12)
Note that, by the construction from the proof of Lemma 15 in [49], there must exist an operator ρ′
such that ρ′ ≤ σ and ‖ρ′ − ρ‖1 ≤√
2δ.
22
Let P = P+ρ−σ, and let P⊥ denote the complement of P. Note that by applying the data pro-
cessing inequality for Dα (see Theorem 5 in [36]) to the quantum operation X 7→ |0〉 〈0| ⊗ PXP +|1〉 〈1| ⊗ P⊥XP⊥, we have
Dα(ρ‖σ) ≥1
α− 1log(
Tr[(
(PσP)1−α2α (PρP)(PσP)
1−α2α
)α(D.13)
+((P⊥(σ)P⊥)
1−α2α (P⊥ρP⊥)(P⊥σP⊥)
1−α2α
)α])(D.14)
≥ 1α− 1
log(
Tr[(
(PσP)1−α2α (PρP)(PσP)
1−α2α
)α])(D.15)
Let σ = PσP and ρ = PρP. We have the following.
Dα(ρ‖σ) ≥1
α− 1log(
Tr[(
σ1−α2α ρσ
1−α2α
) (σ
1−α2α ρσ
1−α2α
)α−1])
(D.16)
Note that ρ ≥ σ by construction, and Z 7→ Zα−1 is a monotone function (see part (a) of Proposi-tion C.1). Therefore we have the following.
Dα(ρ‖σ) ≥1
α− 1log(
Tr[(
σ1−α2α ρσ
1−α2α
) (σ
1−α2α σσ
1−α2α
)α−1])
(D.17)
≥ 1α− 1
log(
Tr[(
σ1−α2α ρσ
1−α2α
)σ
α−1α
])(D.18)
≥ 1α− 1
log (Tr [ρ]) (D.19)
≥ 1α− 1
log δ (D.20)
where in the last line we used the fact that Tr(ρ) ≥ Tr(ρ− σ) = δ. Let ρ′ be a positive semidefiniteoperator satisfying ρ′ ≤ σ and ‖ρ′ − ρ‖1 ≤
√2δ. Then we have
Dα(ρ‖σ) ≥1
α− 1log(∥∥ρ′ − ρ
∥∥21 /2
), (D.21)
which implies the desired result.
Proposition D.6. Suppose that in Proposition D.5, V is the state space of a bipartite quantum system AB,and ρ, σ are classical-quantum operators.5 Then, there exists an operator ρ′ satisfying the conditions ofProposition D.5 such that ρ′ itself is a classical-quantum operator.
Proof. This is an easy consequence of the construction for ρ′ (from the proof of Lemma 15 in [49])which was used in the proof of Proposition D.5.
Corollary D.7. Let ρ, σ be as in Proposition D.5, and let ε > 0. Then,
Dεmax(ρ‖σ) ≤ Dα(ρ‖σ) +
2 log(1/ε) + 1α− 1
. (D.22)
Additionally, if ρ is a classical-quantum operator on a bipartite state, then there exists a classical-quantumoperator ρ′ with ‖ρ′ − ρ‖1 ≤ ε and ρ′ ≥ 0 such that Dmax(ρ′‖σ) satisfies the above bound.
5That is, A is a classical register and ρ, σ have the form ρ = ∑i |ai〉 〈ai| ⊗ ρi and σ = ∑i |ai〉 〈ai| ⊗ σi where a1, . . . , anis a standard basis for A.
23
Proof. Let λ be the quantity on the right side of inequality (D.22). We have
Dα(ρ‖2−λσ) =2 log ε− 1
α− 1. (D.23)
By Proposition D.5, we can find a positive semidefinite operator ρ′ ≤ 2−λσ such that∥∥ρ′ − ρ∥∥
1 ≤ ε. (D.24)
The result follows from the definition of Dεmax.
The next corollaries can be similarly proved.
Corollary D.8. Let AB be a classical-quantum bipartite system, and let ρAB be a density operator. Let σbe a density operator on B. Let ε > 0 and α ∈ (1, 2] be real numbers. Then, for any ε > 0,
Hεmin (A | B)ρ ≥ −Dα (ρ‖IA ⊗ σ)− 2 log(1/ε) + 1
α− 1. (D.25)
Corollary D.9. Let AB be a classical-quantum bipartite system, and let ρAB be a density operator. Letε > 0 and α ∈ (1, 2] be real numbers. Then, for any ε > 0,
Hεmin (A | B)ρ ≥ Hα (A | B)ρ −
2 log(1/ε) + 1α− 1
. (D.26)
E An Uncertainty Principle
In this section, we consider the behavior of the map ρ 7→ Tr[ρ1+ε] when measurements are appliedto a qubit and the operator ρ represents the state of a system that is entangled with the qubit.
For any linear operator A, and any p > 0, let ‖A‖p denote the Schatten p-norm, which isdefined by
‖A‖p = Tr[(A∗A)p/2
]1/p. (E.1)
We begin by quoting the following theorem, which appears as part of Theorem 5.1 in [43].
Theorem E.1. Let X, Y : Cm → Cn be linear operators. Let p ≥ 2 be a real number, and let p′ =1/(1− 1/p). Then,[
12
(‖X + Y‖p
p + ‖X−Y‖pp
)]1/p
≤(‖X‖p′
p + ‖Y‖p′p
)1/p′. (E.2)
Inequality (E.2) may alternatively be expressed as[∥∥∥∥X + Y√2
∥∥∥∥p
p+
∥∥∥∥X−Y√2
∥∥∥∥p
p
]1/p
≤ 21/p−1/2(‖X‖p′
p + ‖Y‖p′p
)1/p′(E.3)
or, ∥∥∥∥X + Y√2
∥∥∥∥p
p+
∥∥∥∥X−Y√2
∥∥∥∥p
p≤ 21−p/2
(‖X‖p′
p + ‖Y‖p′p
)p/p′. (E.4)
24
Let us use the following notation: if
Z : V →W ⊗C2, (E.5)
where V and W are finite dimensional C-vector spaces, and
ρ = Z∗Z, (E.6)
then for any unit vector v ∈ C2, let
ρv = Z∗(IW ⊗ vv∗)Z. (E.7)
We will apply this notation in particular using the vectors |0〉 , |1〉 , |+〉 , |−〉 ∈ C2.
Theorem E.2. There exists a continuous function Π : (0, 1]× [0, 1] → R such that the following condi-tions hold.
1. For any (ε, δ) ∈ (0, 1]× [0, 1], and any linear operators Z : V →W ⊗C2 and ρ = Z∗Z such that
Tr(ρ1+ε1 ) = δ · Tr(ρ1+ε), (E.8)
we must have
Tr(ρ1+ε+ + ρ1+ε
− )
Tr(ρ1+ε)≤
(12
)ε·Π(ε,δ)
. (E.9)
2. The function Π satisfies lim(x,y)→(0,0) Π(x, y) = 1.
3. The function π : [0, 1]→ R defined by
π(y) = limx→0
Π(x, y) (E.10)
is convex, differentiable on (0, 1), and strictly decreasing on (0, 1/2).
Remark E.3. Our proof will show that, in particular, we may assume that the function π is givenby
π(y) = 1− 2(1− y) log(
11− y
)− 2y log
(1y
)(E.11)
= 1− 2h(y), (E.12)
where h denotes the Shannon entropy of the vector (y, 1− y). (We are stating this fact separatelyin order to make Theorem E.2 more portable.)
Proof of Theorem E.2. We begin by constructing the function Π over the smaller domain (0, 1] ×[0, 1
2 ]. Suppose ε ∈ (0, 1] and δ ∈ [0, 12 ], and that Z and ρ are operators satisfying (E.8). Decompose
the operator Z as
Z = X⊗ |0〉+ Y⊗ |1〉 . (E.13)
25
where X, Y : V →W are linear operators. Then we have ρ0 = X∗X, ρ1 = Y∗Y, and
ρ+ =
(X + Y√
2
)∗ (X + Y√2
), (E.14)
ρ− =
(X−Y√
2
)∗ (X−Y√2
), (E.15)
Applying (E.4) with p = 2 + 2ε, and p′ = 1/(1− 1/p) we have the following:
Tr(ρ1+ε+ + ρ1+ε
− ) =
∥∥∥∥X + Y√2
∥∥∥∥2+2ε
2+2ε
+
∥∥∥∥X−Y√2
∥∥∥∥2+2ε
2+2ε
(E.16)
≤ 21−p/2(‖X‖p′
p + ‖Y‖p′p
)p/p′(E.17)
= 21−p/2[(‖X‖p
p
)p′/p+(‖Y‖p
p
)p′/p]p/p′
(E.18)
= 2−ε
[Tr(
ρ1+ε0
) 11+2ε
+ Tr(
ρ1+ε1
) 11+2ε
]1+2ε
(E.19)
Letting
t =Tr(ρ1+ε
0 )
Tr(ρ1+ε)and s =
Tr(ρ1+ε1 )
Tr(ρ1+ε), (E.20)
we have
Tr(ρ1+ε+ + ρ1+ε
− ) ≤ 2−ε[t
11+2ε + s
11+2ε
]1+2εTr(ρ1+ε). (E.21)
Since Tr(ρ1+ε0 ) + Tr(ρ1+ε
1 ) ≤ Tr(ρ1+ε), we have t + s ≤ 1, and therefore the above bound can bereplaced with the following.
Tr(ρ1+ε+ + ρ1+ε
− ) ≤ 2−ε[(1− s)
11+2ε + s
11+2ε
]1+2εTr(ρ1+ε). (E.22)
We have s ≤ δ ≤ 1/2 by assumption, and the function s 7→ (1− s)1
1+2ε + s1
1+2ε is increasing in sover the interval [0, 1/2], and thus we have
Tr(ρ1+ε+ + ρ1+ε
− ) ≤ 2−ε[(1− δ)
11+2ε + δ
11+2ε
]1+2εTr(ρ1+ε). (E.23)
Let Π : (0, 1]× [0, 12 ]→ R be the following function.
Π(ε, δ) = 1−(
1 + 2ε
ε
)log[(1− δ)
11+2ε + δ
11+2ε
](E.24)
Inequality (E.23) implies
Tr(ρ1+ε+ + ρ1+ε
− ) ≤ 2−εΠ(ε,δ)Tr[ρ1+ε], (E.25)
as desired.
26
Evaluating the limit of the function using L’Hospital’s rule yields
limx→0
Π(x, y) = 1 + 2(1− y) log(1− y) + 2y log y. (E.26)
for y ∈ (0, 12 ] (a function which is indeed differentiable and convex) and
lim(x,y)→(0,0)
Π(x, y) = 1. (E.27)
We have defined Π over the limited domain (0, 1]× [0, 12 ]. Extend Π to (0, 1]× [0, 1] by defining
Π(x, y) = Π(x, 1− y). The desired results follow by symmetry.
F The Self-Testing Property of Binary Nonlocal XOR Games
F.1 Definitions and Basic Results
Definition F.1. An n-player binary nonlocal XOR game consists of a probability distribution
pi | i ∈ 0, 1n (F.1)
on the set 0, 1n, together with an indexed set
ηi ∈ −1, 1 | i ∈ 0, 1n. (F.2)
Given any indexed sets pi and ηi satisfying the above conditions, we can conduct an n-player nonlocal game as follows.
1. A referee chooses a binary vector c ∈ 0, 1n according to the distribution pi. For each k,he gives the bit ck as input to the kth player.
2. Each player returns an output bit dk to the referee.
3. The referee calculates the bit
d1 ⊕ d2 ⊕ . . .⊕ dn ⊕(
1− ηc
2
). (F.3)
If this bit is equal to 0, a “pass” has occurred, and a score of +1 is awarded. If this bit is equalto 1, a “failure” has occurred, and a score of −1 is awarded.
We quote some definitions and results from [35] and [56].
Definition F.2. An mixed n-player quantum strategy is a pair(Ψ, M(0)
j , M(1)j
nj=1
)(F.4)
where Ψ is a density matrix on an n-tensor product space V1 ⊗ . . .⊗Vn and M(i)j denotes a linear operator
on Vj whose eigenvalues are contained in −1, 1. A pure n-player quantum strategy is a pair(ψ, M(0)
j , M(1)j
nj=1
)(F.5)
27
which satisfies the same conditions, except that ψ is merely a unit vector on V1 ⊗ . . . ⊗ Vn. A qubitstrategy is a pure quantum strategy in which the spaces Vi are equal to C2 and the operators M(i)
j are allnonscalar.
The score achieved by a quantum strategy at an n-player binary nonlocal XOR game G = (pi, ηi)is the expected score when the qubit strategy is used to play the game G. This quantity can be expressed asfollows. Let M denote the scoring operator for G, which is given by
M = ∑i∈0,1n
piηi M(i1)1 ⊗M(i2)
2 ⊗ · · · ⊗M(in)n . (F.6)
Then, the score for strategy (F.4) at game G is Tr(MΨ). The score for the pure strategy (F.5) is ψ∗Mψ.The optimal score for a nonlocal game is highest score that can be achieved at the game by qubit
strategies. We denote this quantity by qG. (As explained in [35], this is also the highest score that canbe achieved by arbitrary quantum strategies.) A game G is a self-test if there is only one qubit strategy(modulo local unitary operations on the n tensor components of
(C2)⊗n) which achieves the optimal score.
A game G is winnable if qG = 1.For any nonlocal game G = (pi, ηi), define PG : Cn → C by
PG(λ1, . . . , λn) = ∑i∈0,1n
piηiλi11 λi2
2 . . . λinn . (F.7)
Define ZG : Rn+1 → R by
ZG(θ0, θ1, . . . , θn) = ∑i∈0,1n
piηi cos
(θ0 +
n
∑k=1
ikθk
). (F.8)
The two quantities Z f and Pf are useful for expressing quantities related to binary XOR games.We note the following relationships.
ZG(θ0, . . . , θn) = Re[eiθ0 P(eiθ1 , eiθ2 , . . . , eiθn)
]. (F.9)
|PG(eiθ1 , . . . , eiθn)| = maxθ0∈[−π,π]
ZG(θ0, . . . , θn). (F.10)
The functions PG and ZG can be used to calculate qG. This was observed by Werner and Wolfin [56]. We sketch a proof here. (For a more detailed proof, see Proposition 1 in [35].)
Proposition F.3. For any nonlocal binary XOR game G, the following equalities hold.
qG = max|λ1|=...=|λn|=1
∣∣Pg(λ1, . . . , λn)∣∣ (F.11)
= maxθ0,...,θn∈R
Zg(θ0, . . . , θn). (F.12)
Proof sketch. Let (ψ, M(i)j ) be a qubit strategy for G. By an appropriate choice of basis, we may
assume that
M(0)j =
[0 11 0
]and M(1)
j =
[0 ζ jζ j 0
]. (F.13)
where ζ j are complex numbers of length 1. The scoring operator M can be expressed as a reversediagonal matrix whose entries are
PG(ζb11 , . . . , ζbn
n )(b1,...,bn)∈−1,1n
. (F.14)
28
The eigenvalues of a reverse diagonal Hermitian matrix whose reverse-diagonal entries are z1, z2, . . . , z2nis simply±|z1|,±|z2|, . . . ,±|zn|. Therefore the operator norm of M is the maximum absolute valuethat occurs in (F.14).
The value q f is the maximum of the operator norm that occurs among all the scoring operatorsarising from qubit strategies for G. The desired formulas follow.
Proposition F.4. Let G be a nonlocal binary XOR game. Then, G is a self-test if and only if the followingtwo conditions are satisfied.
(A) There is a maximum (α0, . . . , αn) for ZG such that none of α1, . . . , αn is a multiple of π.
(B) Every other maximum of ZG is congruent modulo 2π to either (α0, . . . , αn) or (−α0, . . . ,−αn).
Proof. See Proposition 2 in [35].
The following definition will be convenient in later proofs.
Proposition F.5. Let G be a nonlocal game which is a self-test. Then, G is positively aligned if a maxi-mum for ZG(θ0, . . . , θn) occurs in the region
(θ0, . . . , θn) | 0 < θi < π ∀i ≥ 1 . (F.15)
For any binary XOR self-test G = (pi, ηi), we can construct a positively aligned self-testG′ = (p′i, η′i) by choosing appropriate values b1, . . . , bn ∈ 0, 1,
p′i = pi (F.16)η′i = η(i+b) mod 2. (F.17)
It is easy to see that qG′ = qG.
Definition F.6. Let (ψ, M(i)j ) and (φ, N(i)
j ) be n-player qubit strategies. Then the distance betweenthese two strategies is the quantity
max(‖ψ− φ‖ ∪
∥∥∥M(i)j − N(i)
j
∥∥∥ | j ∈ 1, 2, . . . , n, i ∈ 0, 1)
. (F.18)
(In this formula, the first norm denotes Euclidean distance and second denotes operator norm.) Let G be aself-test. Then, G is a strong self-test if there exists a constant K such that any qubit strategy that achievesa score of qG − ε is within distance K
√ε from a qubit strategy that achieves the score qG.
For any twice differentiable m-variable function F : Rm → R, and any c = (c1, . . . , cm) ∈ Rm,we can define the Hessian matrix for F at c, which is the m× m matrix formed from the secondpartial derivatives
∂2F∂xi∂xj
(c1, . . . , cm) (F.19)
(for i, j ∈ 1, 2, . . . , m).
Proposition F.7. Let G be an n-player self-test. Then the following conditions are equivalent.
1. G is a strong self-test.
2. The function ZG has nonzero Hessian matrices at all of its maxima.
29
3. There exists a constant K > 0 such that any (β0, . . . , βn) ∈ Rn+1 which satisfies
ZG(β0, . . . , βn) ≥ qG − ε
(with ε ≥ 0) must be within distance K√
ε from a maximum of ZG.
Proof. See [35] (especially Proposition 6.1 in the supplementary information).
The following proposition asserts a consequence of the strong self-test condition which will beuseful in later proofs.
Proposition F.8. Let G be a positively-aligned strong self-test. Let H denote the semicircle eiβ | 0 ≤ β ≤π ⊆ C. Then, there exists α ∈ [−π, π] and c ≥ 0 such that the set
Pf (Hn) ⊆ C (F.20)
is bounded by the polar curve
f : [−π, π]→ C (F.21)f (θ) = (qG − c(θ − α)2)eiθ .
Proof. Since G is positively aligned, we may find a maximum (α0, . . . , αn) for ZG such that α1, . . . , αn ∈(0, π). Choose K according to condition (3) from Proposition F.7. Let c = 1/K2 and α = −α0.
Suppose, for the sake of contradiction, that there is a point in the set Pf (Hn) which lies outsideof (F.21). Then, there exists β1, . . . , βn ∈ [0, π] such that
Pf (eiβ1 , . . . , eiβn) = reiθ (F.22)
(with θ ∈ [−π, π]) and
r > qG − c(θ − α)2. (F.23)
Let ε = (1/K2)(θ − α)2. We have
ZG(−θ, β1, . . . , βn) = r > qG − c(θ − α)2 (F.24)= qG − ε, (F.25)
and the distance between (−θ, β1, . . . , βn) and (α0, . . . , αn) is at least |θ − α| = K√
ε. (And, it iseasy to see that (−θ, β1, . . . , βn) is not any closer to any of the other maxima of ZG than it is to(α0, . . . , αn).) This contradicts condition (3) of Proposition F.7.
Corollary F.9. Let G satisfy the assumptions of Proposition F.8. Then, there exists a complex numberγ 6= 0 such that for all ζ1, . . . , ζn ∈ H,
|PG(ζ1, . . . , ζn)− γ|+ |γ| ≤ qG. (F.26)
Proof. Let R ⊆ C be the region enclosed by the polar curve (F.21). Let S = z ∈ C | |z| = qG.We have S ∩ R = qG · eiα. Since the curvature of the curve (F.21) at eiα is strictly greater than1/qG, we can find a circle of radius less than qG which lies inside of S, which is tangent to S atqG · eiα, and which encloses the region R. Then, if we let γ be the center of this circle, we have|z− γ|+ |γ| ≤ qG for all z ∈ R. The desired inequality follows.
30
F.2 Decomposition Theorems
For any unit-length complex number ζ, let us write gζ for the following modified GHZ state:
gζ =1√2(|00 . . . 0〉+ ζ |11 . . . 1〉) . (F.27)
The next theorem uses the canonical form for binary measurements from subsection B.3. Notethat when a collection of four projections P(b,c) is in canonical form over a space C2m, we cannaturally express them as operators on C2 ⊗ Cm via the isomorphism C2m → C2 ⊗ Cm given bye2k−1 7→ e1 ⊗ ek, e2k 7→ e2 ⊗ ek.
Theorem F.10. Let G = (pi, ηi) be a winnable n-player self-test which is such that
1. G is positively aligned, and
2. p00...0 > 0 and η00...0 = 1.
Then, there exists a constant δG > 0 such that the following holds. Let (Φ, M(i)j ) be a quantum strategy
whose measurements are in canonical form with underlying space (C2 ⊗W1)⊗ . . .⊗ (C2 ⊗Wn). Thenthe scoring operator M can be decomposed as
M = δGM′ + (1− δG)M′′, (F.28)
where ‖M′′‖ ≤ 1, and
M′ = (g1g∗1 − g−1g∗−1)⊗ IW1⊗···⊗Wn . (F.29)
Proof. Let
T+ =(θ0, . . . , θn) ∈ Rn+1 | θi > 0 ∀i ≥ 1
, (F.30)
and
T− =(θ0, . . . , θn) ∈ Rn+1 | θi < 0 ∀i ≥ 1
, (F.31)
Let q′G be the maximum value of ZG that occurs on the set [−π, π]n+1 r (T+ ∪ T−). By the criteriafrom Proposition F.4, this set does not include any of the global maxima for the function ZG, andso q′G is strictly smaller than the overall maximum qG = 1. Let
δG = min
p00...0, qG − q′G
, (F.32)
where p00...0 denotes the probability which G associates to the input string 00 . . . 0.First let us address the case where dim Wj = 1 for all j. Then
M(0)j =
[0 11 0
], (F.33)
M(1)j =
[0 ζ jζ j 0
]. (F.34)
31
We can compute the scoring operator M using formula (F.6). When we write this operator asa matrix, using the computational basis for (C2)⊗n in lexicographical order, we obtain a reversediagonal matrix,
M =
a00...0
a00...1
. . .
a11...0a11...1
(F.35)
where
ab1,...,bn = PG(ζ(−1)b1
1 , ζ(−1)b2
2 , . . . , ζ(−1)bn
n ). (F.36)
By canonical form, we have ζ j = eiθj for some θj ∈ [0, π]. Note that can write
|ab1,...,bn | = maxθ0∈R
ZG(θ0, (−1)b1 θ1, (−1)b2 θ2, . . . , (−1)bn θn). (F.37)
By the definition of q′G, all of the values |ab| are bounded by q′G except possibly |a00...0| and |a11...1|,which are both bounded by qG = 1.
We claim that the matrix
N =
a00...0 − δG
a00...1
. . .
a11...0a11...1 − δG
(F.38)
which arises from subtracting δG from the two corner entries of M, has operator norm less thanor equal to 1− δG. Indeed, the operator norm of this Hermitian matrix is the maximum of theabsolute values of its entries, and we already know that all of its entries other than its cornerentries are bounded by q′G ≤ 1− δG. To show that that the absolute values of the corner entriesare bounded by 1− δG, it suffices to write them out in terms of the parameters of the game G: wehave
|a00...0 − δG| = |PG(ζ1, . . . , ζn)− δG| (F.39)
=
∣∣∣∣∣(
∑i∈0,1n
ηi piζi11 ζ i2
2 · . . . ζ inn
)− δG
∣∣∣∣∣ (F.40)
=
∣∣∣∣∣(p0 − δG) + ∑i 6=0
ηi piζi11 ζ i2
2 · . . . ζ inn
∣∣∣∣∣ (F.41)
≤ (p0 − δG) + ∑i 6=0
pi (F.42)
= 1− δG, (F.43)
and likewise for (a11...1 − δG). We conclude that N has operator norm less than or equal to 1− δG.Let M′ = N/(1− δG) and M′′ = (M−N′)/δG, and the desired conditions hold.
The proof for the case in which W1, . . . , Wn are of arbitrary dimension follows by similar rea-soning.
32
Theorem F.11. Let G = (pi , ηi) be a strong self-test which is positively aligned. Then, there existδG > 0 and α ∈ C with |α| = 1 such that the following holds. Let (Φ, M(i)
j ) be a quantum strategywhose measurements are in canonical form with underlying space (C2 ⊗W1)⊗ . . .⊗ (C2 ⊗Wn). Thenthe scoring operator M can be decomposed as
M = δGM′ + (qG − δG)M′′, (F.44)
where ‖M′′‖ ≤ 1, and
M′ = (gαg∗α − g−αg∗−α)⊗ IW1⊗···⊗Wn . (F.45)
Proof. We repeat elements of the proof of Theorem F.10. It suffices to prove our desired decompo-sition for the case in which dim Wi = 1 for all i. Let q′G be the maximum value of ZG that occurson the set [−π, π]n+1 r (T+ ∪ T−) (where T+ and T− are defined by (F.30) and (F.31)). Let γ 6= 0be the constant that is given by Corollary F.9, and let
δG = min|γ|, qG − q′G. (F.46)
We have
M =
a00...0
a00...1
. . .
a11...0a11...1
(F.47)
where
ab1,...,bn = PG(ζ(−1)b1
1 , ζ(−1)b2
2 , . . . , ζ(−1)bn
n ). (F.48)
for some ζ1, . . . , ζn ∈ C such that |ζi| = 1 and Im(ζi) ≥ 0. By Corollary F.9,
|PG(ζ1, . . . , ζn)− γ|+ |γ| ≤ qG, (F.49)
and it is easy to see (by the triangle inequality) that for any c ∈ [0, 1],
|PG(ζ1, . . . , ζn)− cγ|+ |cγ| ≤ qG. (F.50)
Let
N =
a00...0 − δG
|γ| · γa00...1
. . .
a11...0
a11...1 − δG|γ| · γ
(F.51)
The absolute values of the corner entries of this matrix are less than or equal to qG − δG, and theother entries have absolute values less than or equal to q′G ≤ qG − δG. Thus when we set
α = γ/|γ|, (F.52)M′ = (gαg∗α − g−αg∗−α)⊗ IW1⊗···⊗Wn , (F.53)M′′ = (M− δGM′)/(qG − δG), (F.54)
the desired result follows.
33
The operator (gαg∗α − g−αg∗−α) from the statement of Theorem F.11 does not describe a pro-jective measurement. It is convenient to have a decomposition theorem involving a projectivemeasurement. This motivates the next result.
We introduce some additional notation. Let
b : 0, 1, 2, . . . , 2n − 1 → 0, 1n (F.55)
be the function which maps k to its base-2 representation. For any ζ ∈ C with |ζ| = 1, and anyk ∈ 0, 1, 2, . . . , 2n − 1, let
gζ,k =1√2
(|b(k)〉 〈b(k)|+ ζ
∣∣∣b(k)⟩ ⟨b(k)∣∣∣) . (F.56)
Theorem F.12. Let G = (pi , ηi) be a strong self-test which is positively aligned. Then, there existδG > 0 and α ∈ C with |α| = 1 such that the following holds. Let (Φ, M(i)
j ) be a quantum strategywhose measurements are in canonical form with underlying space (C2 ⊗W1) ⊗ . . . ⊗ (C2 ⊗Wn). Letα0 = α and let α1, . . . , α2n−1−1 be any unit-length complex numbers. Then the scoring operator M can bedecomposed as
M = δGM′ + (qG − δG)M′′, (F.57)
where ‖M′′‖ ≤ 1, and
M′ =
[2n−1−1
∑k=0
(gαk ,kg∗αk ,k − g−αk ,kg∗−αk ,k)
]⊗ IW1⊗···⊗Wn . (F.58)
Proof. Again it suffices to prove this result for when dim Wi = 1 for all i. Let q′G be the maximumvalue of ZG that occurs on the set [−π, π]n+1 r (T+ ∪ T−), where T+ and T− are defined by (F.30)and (F.31). Let γ be the constant given by Corollary F.9, let α = γ/|γ|, and let
δG = min|γ| ,(qG − q′G
)/2. (F.59)
Write M as
M =
a00...0
a00...1
. . .
a11...0a11...1
(F.60)
Let
N = M− δG
α0α1
. . .
α2n−1−1α2n−1−1
. . .
α1α0
, (F.61)
34
The corner entries of N have absolute value ≤ qG − δG (by Corollary F.9) and the same holds forthe other anti-diagonal entries by the triangle inequality: for any n ∈ 1, 2, . . . , 2N−1 − 1,∣∣∣ab(n) − δGαn
∣∣∣ ≤ ∣∣∣ab(n)
∣∣∣+ δG ≤ q′G + (qG − q′G)/2 ≤ qG − δG. (F.62)
Thus we let M′′/(qG − δG) and the desired statements hold.
G Randomness Expansion with Partially Trusted Measurements
The goals of this section are to define randomness expansion protocols based on partially trusteddevices, and then to relate these new protocols to Protocol R.
G.1 Devices with Trusted Measurements
We begin by stating a simple protocol that involves a device with trusted measurements.
Definition G.1. A device with trusted measurements consists of the following data.
1. A single quantum system Q in an initial state Φ.
2. For every pair (i, o) of binary strings of equal length, two Hermitian operators M(0)i,o , M(1)
i,o repre-senting the measurements performed on Q when the input and output histories are i and o. Theseoperators are assumed to satisfy (
M(0)i,o
)2=(
M(1)i,o
)2= I (G.1)
and
M(0)i,o M(1)
i,o = −M(1)i,o M(0)
i,o . (G.2)
A protocol for trusted measurement devices is given in Figure 3. Essentially this protocol isthe same as Protocol R, except that we have skipped the process of generating random inputs forthe game rounds, and have instead simply used the biased coin flip g itself as input to the device.
G.2 Devices with Partially Trusted Measurements
Definition G.2. Let v ∈ (0, 1] and h ∈ [0, 1] be real numbers such that v + h ≤ 1. Then a partiallytrusted device with parameters (v, h) consists of the following data.
1. A single quantum system Q in an intial state Φ.
2. For every pair (i, o) of binary strings of equal length, two Hermitian operators M(0)i,o , M(1)
i,o on Q(representing measurements) satisfy the following conditions:
• There exist perfectly anti-commuting measurement pairs (T(0)i,o , T(1)
i,o ) such that M(0)i,o = T(0)
i,o forall i, o, and
• The operator M(1)i,o decomposes as
M(1)i,o = (v)T(1)
i,o + (1− v− h)Ni,o (G.3)
with ‖Ni,o‖ ≤ 1.
35
Protocol A:
Arguments:N = positive integerq ∈ (0, 1)η ∈ (0, 1/2)D = device with trusted measurements
1. A bit g ∈ 0, 1 is chosen according to a biased (1− q, q) distribution. The bit g isgiven to D as input, and an output bit o is recorded.
2. If g = 1 and the output given by D is 0, then the event P (“pass”) is recorded. If g = 1and the output is 1, the event F (“fail”) is recorded.
3. If g = 0 and the output given by D is 0, then the event H (“heads”) is recorded. Ifg = 0 and the output is 0, the event T (“tails”) is recorded.
4. Steps 1 − 3 are repeated N − 1 (more) times. Bit sequences g = (g1, . . . , gN) ando = (o1, . . . , oN) are obtained.
5. If the total number of failures is more than ηqN, the protocol aborts. Otherwise, theprotocol succeeds. If the protocol succeeds, it outputs the bit sequences g and o.
Figure 3: A randomness expansion protocol for a trusted measurement device.
The operators M(0)i,o , M(1)
i,o determine the measurements performed by the device on inputs 0and 1, respectively. Intuitively, a partially trusted device is a device D which always performs atrusted measurement T(0) on input 0, and on input 1, selects one of the three operators (T(1), N, 0)at random according to the probability distribution (v, 1− v− h, h).
We will call the parameter v the trust coefficient, and we will call h the coin flip coefficient.The parameter h measures the extent to which the output of D on input 1 is determined by a faircoin flip. Note that when the input to the device D is 1, then the probability that D gives an outputof 1 is necessarily between h/2 and (1− h/2).
Figure 4 gives a randomness expansion protocol for partially trusted devices. It is the same asProtocol A, except that the trusted device has been replaced by a partially trusted device.
G.3 Entanglement with a Partially Trusted Measurement Device
Suppose that D is a partially trusted measurement device (see Definition G.2) with parameters(v, h). Suppose that E is a quantum system that is entangled with D, and let ρ = ρE denote theinitial state of E. We will use the following notation: let ρ+ and ρ− denote the subnormalizedoperators which represent the states of E when the input bit is 0 and the output bit is 0 or 1,respectively. Let ρP and ρF denote the operators which represent an input of 1 and an output of 0or 1, respectively. Also (using notation from Definition G.2), let us write ρ0 and ρ1 denote the statesof E that would occur if the trusted measurement T(1) was applied to Q (instead of the partiallytrusted measurement M(1)). (Note that T(1) is perfectly anticommuting with M(0).)
The following proposition expresses the possible behavior of the system E.
36
Protocol A’:
Arguments:v = real number such that v ∈ (0, 1].h = real number such that h ∈ [0, 1− v].
N = positive integerq ∈ (0, 1)η ∈ (0, v/2)D = partially trusted device with parameters (v, h).
1. A bit g ∈ 0, 1 is chosen according to a biased (1− q, q) distribution. The bit g isgiven to D as input, and the output bit o is recorded.
2. If g = 1 and the output given by D is 0, then the event P (“pass”) is recorded. If g = 1and the output is 1, the event F (“fail”) is recorded.
3. If g = 0 and the output given by D is 0, then the event H (“heads”) is recorded. Ifg = 0 and the output is 0, the event T (“tails”) is recorded.
4. Steps 1 − 3 are repeated N − 1 (more) times. Bit sequences g = (g1, . . . , gN) ando = (o1, . . . , oN) are obtained.
5. If the total number of failures is greater than (h/2 + η)qN, then the protocol aborts.Otherwise, the protocol succeeds. If the protocol succeeds, it outputs the bit se-quences g and o.
Figure 4: A randomness expansion protocol for a partially trusted device.
Proposition G.3. Let v ∈ (0, 1] and h ∈ [0, 1] be such that v + h ≤ 1. Let D be a partially trusted devicewith parameters (v, h), let E be a quantum system that is entangled with D, and let ρ = ρE. Then,
(h/2)ρ + vρ0 ≤ ρP ≤ (1− h/2)ρ− vρ1 (G.4)
and
(h/2)ρ + vρ1 ≤ ρF ≤ (1− h/2)ρ− vρ0. (G.5)
Proof. Let N be the measurement operator from the decomposition of M(1) given in Definition G.2.Let ρ′ be the subnormalized operator on E which denotes the state that would be produced if Nwere applied to Q and the outcome were 0. Clearly, 0 ≤ ρ′ ≤ ρ. From the decomposition (G.3), ρPis a convex combination of the operators ρ0, ρ′ and (ρ/2):
ρP = vρ0 + (1− v− h)ρ′ + h(ρ/2). (G.6)
Since ρ′ ≤ ρ, we have
ρP ≤ vρ0 + (1− v− h)ρ + h(ρ/2) (G.7)= vρ0 + (1− v− h/2)ρ (G.8)= (1− h/2)ρ + v(ρ0 − ρ) (G.9)= (1− h/2)ρ− vρ1. (G.10)
The other inequalities follow similarly.
37
G.4 Simulation
To any binary XOR game G, we have associated three quantities: qG, wG, and fG. These are re-spectively the optimal quantum score, optimal quantum winning probability, and least quantumfailure probability for G. The quantities are related by wG = (1 + qG)/2 and fG = 1−wG.
Theorem G.4. For any n-player strong self-test G which is positively aligned, there exists δG > 0 suchthat the following holds. For any any n-part binary quantum device D, there exists a partially trusted deviceD′ with parameters qG, δG such that Protocol A’ (with arguments δG, 2fG, N, q, η, D′) simulates ProtocolR (with arguments N, η, q, G, D).
Proof. Choose δG according to Theorem F.12.Consider the behavior of the device D in the first round. We may assume that the measure-
ments performed by D1, . . . , Dn are in canonical form. Write the underlying space as (C2 ⊗W1)⊗· · · ⊗ (C2 ⊗Wn). If g = 0, the measurement performed by D1 is given by the operator
11
. . .1
11
. . .1
⊗ IW1⊗···⊗Wn (G.11)
(where the matrix on the left is an operator on(C2)⊗n, with the basis taken in lexiographic order
as usual).If g = 1 the measurement performed by D is given by the scoring operator M. Theorem F.12
guarantees that for some unit-length complex number α, and for any choices of unit-length com-plex numbers α1, . . . , α2n−1−1, there is a decomposition for M in the form M = δGM′+(qG− δG)M′′
with
M′ =
αα1
. . .
α2n−1−1α2n−1−1
. . .
α1α
⊗ IW1⊗···⊗Wn
and ‖M′′‖ ≤ 1. To simulate the behavior of D with a partially trusted device, we need only chooseα1, . . . , α2n−1−1 so that M′ is perfectly anti-commutative with the operator G.11. This can be done,for example, by setting α1, α2, . . . , α2n−2−1 to be equal to α, and α2n−2 , . . . , α2n−1+1 to be equal to −α.Thus the behavior of the device D in the first round of Protocol R can be simulated by a partiallytrusted device with parameters (δG, 1 − qG) = (δG, 2fG). Similar reasoning shows the desiredsimulation result across all rounds.
38
The following corollary is easy to prove.
Corollary G.5. Theorem G.4 holds true without the assumption that G is positively aligned.
Essentially, the above corollary implies that any security result for Protocol A’ can be convertedimmediately into an identical security result for Protocol R. This will be the basis for our eventualfull proof of randomness expansion.
H The Proof of Security for Partially Trusted Devices
In this section we provide the proof of security for Protocol A’. Our approach, broadly stated, is asfollows: we show the existence of a function T(v, h, η, q, κ) which provides a lower bound on thelinear rate of entropy of the protocol. The main point of our proofs is that, although T depends onseveral variables, it does not depend on the particular device used in Protocol A’. Thus, we have auniform security result.
In principle, our proofs could be used to compute an explicit formula for the function T, butwe have not attempted to do this because the formula might be very complicated. We will insteadobtain a simple compact formula for the limit function lim(q,κ)→(0,0) T(v, h, η, q, κ). This formula issufficient for calculating the asymptotic rate of Protocol A’ in any application where we can take qto be close to 0.
Our proof involves several parameters. For convenience, we include a table here which assignsa name to each parameter (Figure 5.)
N ∈ N number of roundsq ∈ (0, 1) test probabilityt ∈ [0, 1] failure parameterv ∈ (0, 1] trust coefficienth ∈ [0, 1− v] coin flip coefficientη ∈ (0, v/2) error toleranceκ ∈ (0, ∞) failure penaltyr ∈ (0, 1/(qκ)] multiplier for Rényi coefficientε ∈ (0,
√2] error parameter for smooth min-entropy
Figure 5: Variables used in Appendix H.
To avoid unnecessary repetition, we will use the following conventions in this section.
• Unless otherwise stated, we will assume that the variables from Figure 5 are always re-stricted to the domains given. (The reader can assume that all unquantified statements areprefaced by, “for all q ∈ (0, 1], all ε ∈ (0,
√2),” etc.) If we say “F(q, κ) is a real-valued func-
tion,” we mean that it is a real valued function on (0, 1) × (0, ∞). If we say “let x = κq,”we mean that x is a real valued function on (0, 1) × (0, ∞) defined by x(κ, q) = κq. If thedomain of one parameter of a function depends on another variable (as can occur, e.g., forthe variable h) we always include the other variable as a parameter of the function.
• When we discuss a single iteration of Protocol A’, will use notation from subsection G.3: If Dis a partially trusted measurement device, and E is a purifying system for D with initial stateρ = ρE, then ρ = ρH + ρT and ρ = ρP + ρF denote the decompositions that occur for a single
39
use of the device on input 0 and 1, respectively. We denote by ρ+, ρ−, ρ0, ρ1 the respectivestates that would occur if the corresponding fully trusted measurements were used instead.(Note that ρH = ρ+ and ρT = ρ−.) Let ρ denote the operator on E⊕ E⊕ E⊕ E given by
ρ = (1− q)ρH ⊕ (1− q)ρT ⊕ qρP ⊕ qρF. (H.1)
This operator represents the state of E taken together with the input bit and output bit fromthe first iteration of Protocol A’.
• When we discuss multiple iterations of Protocol A’, we will use the following notation: letG and O denote classical registers which consist of the bit sequences g = (g1, . . . , gN) ando = (o1, . . . , on), respectvely. We denote basis states for the joint system GO by |go〉. Wedenote the joint state of the system EGO at the conclusion of Protocol A’ by ΓEGO.
• If D is a partially trusted measurement device, E is a purifying system, and α > 0, then werefer to the quantity
Tr(ρα1)
Tr(ρα)∈ [0, 1] (H.2)
as the α-failure parameter of D. (Note that we used the operator ρ1 in the above expression,not the operator ρF. This parameter measures “honest” failures only.)
• Let Π(x, y) and π(y) denote the functions from Theorem E.2.
H.1 One-Shot Result: A Device with Known Failure Parameters
We begin by proving a one-shot security result under the assumption that some limited informa-tion about the device is available.
Let D be a partially trusted measurement device with parameters v, h, and let E be a purifyingsystem with initial state ρ. Let ρ be the operator on E⊕ E⊕ E⊕ E which represents the joint stateof E together with the input and output of a single iteration of Protocol A’:
ρ = (1− q)ρH ⊕ (1− q)ρT ⊕ qρP ⊕ qρF. (H.3)
We wish to show that the state ρ is more random than the original state ρ. Therefore, we wish toshow that the ratio
d1+γ(ρ‖σ)d1+γ(ρ‖σ)
, (H.4)
for some appropriate γ, σ, σ, is significantly smaller than 1. For simplicity, we will for the timebeing take σ = I for the initial bounding operator. (Later in this section we will generalize thischoice.)
A natural choice of bounding operator for ρ would be
(1− q)I⊕ (1− q)I⊕ qI⊕ qI. (H.5)
Computing d1+γ(ρ‖·) with this bounding operator would yield(1− q)Tr[ρ1+γ
+ ] + (1− q)Tr[ρ1+γ− ] + qTr[ρ1+γ
P ] + qTr[ρ1+γF ]
1/γ(H.6)
40
Computing this quantity would have the effect, roughly speaking, of measuring the randomnessof the output bit of Protocol A’ conditioned on E and on the input bit g. However this is notadequate for our purposes, since it treats “passing” rounds the same as “failing” rounds, and doesnot take into account that the device is only allowed a limited number of failures. (And indeed,this measurement of randomness does not work: if D performs anticommuting measurementson a half of a maximally entangled qubit pair, the divergence quantity d1+γ(ρ‖·) with boundingoperator (H.5) is the same as d1+γ(ρ‖I).)
We will use a slightly different expression to measure the output of Protocol A’. We introducea single cofficient 2−κ (with κ > 0) into the fourth term of the expression:
(1− q)Tr[ρ1+γ+ ] + (1− q)Tr[ρ1+γ
− ] + qTr[ρ1+γP ] + q2−κTr[ρ1+γ
F ]1/γ
(H.7)
The reason for the introduction of the coefficient 2−κ is this: in effect, if a game round occurs andthe device fails, we lower our expectation for the amount of randomness produced. The quantity(H.7) is equal to d1+γ(ρ‖σ) where
σ = (1− q)I⊕ (1− q)I⊕ qI⊕ q2κ/γI. (H.8)
Having chosen the bounding operator σ, we need only to choose the coefficient γ ∈ (0, 1]. Forheuristic reasons, we will take γ to be of the form γ = rqκ, where r ∈ (0, 1/(qκ)].6
Proposition H.1. There is a continuous real-valued function Λ(v, h, q, κ, r, t) such that the followingconditions hold.
1. Let D be a partially trusted measurement device with parameters (v, h), and let E be a purifyingsystem for D. Let γ = rqκ, and let
σ = (1− q)I⊕ (1− q)I⊕ qI⊕ q2κ/γI. (H.9)
Then,
d1+γ(ρ‖σ) ≤ 2−Λ(v,h,q,κ,r,t) · d1+γ(ρ‖I), (H.10)
where t = Tr(ρ1+γ1 )/Tr(ρ1+γ) denotes the (1 + γ)-failure parameter of D.
2. The following limit condition is satisfied:
lim(q,κ)→(0,0)
Λ(v, h, q, κ, r, t) = π(t) +h/2 + vt
r, (H.11)
where π is the function from Theorem E.2.
Proof. We have
d1+γ(ρ‖σ) =(1− q)Tr[ρ1+γ
+ ] + (1− q)Tr[ρ1+γ− ] + qTr[ρ1+γ
P ] + q2−κTr[ρ1+γF ]
1/γ(H.12)
We will compute a bound on this quantity by grouping the first and second summands together,and then by grouping the third and fourth summands together. Note that by Theorem E.2, wehave
Tr[ρ1+γ+ ] + Tr[ρ1+γ
− ] ≤ 2−γΠ(γ,t)Tr[ρ1+γ] (H.13)
6The reason for this choice of interval is that we need γ ≤ 1 for the application of results from section D.
41
Now consider the sum Tr[ρ1+γP ] + 2−κTr[ρ1+γ
F ]. By superaddivity (see Proposition C.1),
Tr[ρ1+γP ] + 2−κTr[ρ1+γ
F ] = Tr[2−κ(ρ1+γ
P + ρ1+γF ) + (1− 2−κ)ρ1+γ
P
](H.14)
≤ Tr[2−κρ1+γ + (1− 2−κ)ρ1+γ
P
]. (H.15)
By Proposition G.3,
Tr[ρ1+γP ] + 2−κTr[ρ1+γ
F ] ≤ Tr
2−κρ1+γ + (1− 2−κ)[ρ− (h/2)ρ− vρ1]1+γ
. (H.16)
Applying the rule (X − Y)1+γ ≤ X1+γ − Y1+γ, followed by the fact that Tr[ρ1+γ1 ] = tTr[ρ1+γ], we
have the following:
Tr[ρ1+γP ] + 2−κTr[ρ1+γ
F ] ≤ Tr
2−κρ1+γ + (1− 2−κ)[ρ1+γ − (h/2)1+γρ1+γ − v1+γρ1+γ1 ]
= Tr
2−κρ1+γ + (1− 2−κ)[ρ1+γ − (h/2)1+γρ1+γ − v1+γtρ1+γ]
=
2−κ + (1− 2−κ)[1− (h/2)1+γ − v1+γt]
Tr[ρ1+γ] (H.17)
=
1− (1− 2−κ)[(h/2)1+γ + v1+γt]
Tr[ρ1+γ]. (H.18)
Combining (H.12), (H.13), and (H.18), we find the following: if we set
λ(v, h, q, κ, r, t) =((1− q)2−γΠ(γ,t) + q
1− (1− 2−κ)[(h/2)1+γ + v1+γt]
)1/γ, (H.19)
then
d1+γ(ρ‖σ) ≤ λ(v, h, q, κ, r, t) · d1+γ(ρ‖I). (H.20)
Therefore setting Λ = − log λ yields (H.10).It remains for us to evaluate the limiting behavior of Λ as (q, κ) → (0, 0). We can rewrite the
formula for λ as
λ(v, h, q, κ, r, t) =(
1 +(1− q)(2−γΠ(γ,t) − 1) + q(2−κ − 1)[(h/2)1+γ + v1+γt]
)1/γ
Applying Proposition C.8 to this expression (with g = γ, and f equal to function enclosed bybraces), we have
ln[
lim(q,κ)→(0,0)
λ(v, h, q, κ, r, t)]
(H.21)
= lim(q,κ)→(0,0)
(1− q)
(2−γΠ(γ,t) − 1
γ
)+
(q(2−κ − 1)
γ
)[(h/2)1+γ + v1+γt] (H.22)
= (1)(− ln 2)π(t) + (− ln 2)(r−1)[(h/2) + vt], (H.23)
which implies (H.11) as desired.
42
H.2 One-Shot Result: Full Strength
Proposition H.1 is not sufficient for our ultimate proof of security because it assumes that addi-tional information (beyond the trust parameters v, h) is is known about the device D. The nextproposition avoids this limitation. (It makes no use of the failure parameters of the device.)
Proposition H.2. There is a continuous real-valued function ∆(v, h, q, κ, r) such that the following condi-tions hold.
1. Let D be a partially trusted measurement device with parameters (v, h), and let E be a purtifyingsystem for D. Let γ = rqκ, and let
σ = (1− q)I⊕ (1− q)I⊕ qI⊕ q2κ/γI. (H.24)
Then,
d1+γ(ρ‖σ) ≤ 2−∆(v,h,q,κ,r) · d1+γ(ρ‖I). (H.25)
2. The following limit condition is satisfied:
lim(q,κ)→(0,0)
∆(v, h, q, κ, r) = mins∈[0,1]
(π(s) +
h/2 + vsr
), (H.26)
where π is the function from Theorem E.2.
Proof. Let Λ be the function from Proposition H.1, and let
∆(v, h, q, κ, r) = mint∈[0,1]
Λ(v, h, q, κ, r, t). (H.27)
Clearly, (H.25) holds by Proposition H.1. Equality (H.26) follows via Proposition C.3.
H.3 Multi-Shot Results
The goal of this subsection is to deduce consequences of Proposition H.2 across multiple iterations.Let ΓEGO denote the joint state of the registers E, G, and O. (Note that Γ is a classical-quantum statewith respect to the partition (GO|E).)
The following proposition follows immediately from Proposition H.2 by induction.
Proposition H.3. Let D be a partially trusted measurement device with parameters (v, w), and let E be apurifying system for D. Let γ = rqκ, and let Φ be the operator on E⊗ G⊗O given by
Φ = IE ⊗
∑g,o∈0,1N
(1− q)∑i(1−gi)q∑i gi 2(∑i gioi)/(qr) |go〉 〈go|
. (H.28)
Then,
D1+γ (ΓEGO‖Φ) ≤ D1+γ (ΓE‖I)− N · ∆(v, h, q, κ, r), (H.29)
where ∆ denotes the function from Proposition H.2.
43
We note the significance of the exponents in (H.28): the quantity ∑Ni=1(1− gi) is the number of
generation rounds that occured in Protocol A’, the quantity ∑Ni=1 gi is the number of game rounds,
and the quantity ∑Ni=1 gioi is the number of times the “failure” event occurred during the protocol.
As stated, Proposition H.3 is not useful for bounding the randomness of ΓEGO because thequantity D1+γ(ΓE‖I) could be arbitrarily large. We therefore prove the following alternate versionof the proposition. The statement is the same, except that we replace IE in (H.28) with ΓE, and weremove the term D1+γ(ΓE‖I) from (H.29).
Proposition H.4. Let D be a partially trusted measurement device with parameters (v, w), and let E be apurifying system for D. Let γ = rqκ, and let Σ be the operator on E⊗ G⊗O given by
Σ = ΓE ⊗
∑g,o∈0,1N
(1− q)∑i(1−gi)q∑i gi 2(∑i gioi)/(qr) |go〉 〈go|
. (H.30)
Then,
D1+γ (ΓEGO‖Σ) ≤ −N · ∆(v, h, q, κ, r), (H.31)
where ∆ denotes the function from Proposition H.2.
Proof. Let Γ = ΓE. Let (D, E′) be the device-environment pair that arises from taking the pair(D, E) and applying the stochastic operation
X 7→ Γ−γ
2+2γ XΓ−γ
2+2γ (H.32)
to the system E. The state ΓE′ of the resulting system E′ satisfies
ΓE′ =Γ1/(1+γ)
K, (H.33)
where K = Tr(Γ1/(1+γ)).By directly applying the definition of Dα (see Definition D.1) we can see that certain diver-
gences of ΓEGO and ΓE′GO can be computed from one another:
D1+γ(ΓE′GO‖Φ) = −1 + γ
γ· log K + D1+γ(ΓEGO‖Σ) (H.34)
D1+γ(ΓE′‖I) = −1 + γ
γ· log K + D1+γ(ΓE‖Γ). (H.35)
Applying Proposition H.3 to (D, E′), we find that
D1+γ(ΓE′GO‖Φ)− D1+γ(ΓE′‖I) ≤ −N∆(v, h, q, κ, r). (H.36)
By (H.34)–(H.35), the same bound holds when E′, Φ, I are replaced E, Σ, Γ. Since D1+γ(ΓE‖Γ) = 0,the desired inequality is obtained.
The following corollary of Proposition H.4 provides final preparation for the proof of the mainresult.
44
Corollary H.5. Let ε > 0. Then, there exists a positive semidefinite operator ΓEGO which is classical withrespect to the systems E and G such that∥∥ΓEGO − ΓEGO
∥∥1 ≤ ε (H.37)
and
Dmax(ΓEGO‖Σ) ≤ −N · ∆(v, h, q, κ, r) +log(2/ε2)
qκr(H.38)
(where ∆ and Σ are as in Proposition H.2 and Proposition H.4, respectively).
Proof. This follows from Corollary D.7.
H.4 The Security of Protocol A’
Let s denote the event that Protocol A’ succeeds, and let ΓsEGO denote the corresponding (subnor-
malized) operator on E⊗ G⊗O.
Proposition H.6. There exists a continuous real-valued function R(v, h, η, q, κ, r) such that the followingholds.
1. Let ε > 0. If Protocol A’ is executed with parameters (v, h, N, q, η, D), then
Hεmin(Γ
sEGO | EG) ≥ N · R(v, h, η, q, κ, r)− log(2/ε2)
qκr. (H.39)
2. The following equality holds:
lim(q,κ)→(0,0)
R(v, h, η, q, κ, r) = mins∈[0,1]
[π(s) +
vs− η
r
](H.40)
Proof. The “success” event for Protocol A’ is defined by the inequality
∑i
gioi ≤ (h/2 + η)qN. (H.41)
Let S ⊆ G ⊗ O be the span of the vectors |go〉 where (g, o) varies over all pairs of sequencessatisfying (H.41). For any operator X on E ⊗ G ⊗O which is classical-quantum with respect to(GO|E), let Xs denote the restriction of X to E ⊗ S. Applying this construction to the operatorsΓEGO, ΓEGO and Σ from Corollary H.5, and using the fact that Dmax and ‖·‖1 are monotonicallydecreasing under restriction to S, we find that
Dεmax(Γ
sEGO‖Σs) ≤ −N · ∆(v, h, q, κ, r) +
log(2/ε2)
qκr. (H.42)
In order to give a lower bound on the smooth min-entropy of ΓsEGO, we need to compute its
divergence with respect to an operator on E ⊗ G ⊗ O that is of the form X ⊗ IO, where X is adensity matrix. Define a new operator Σ′ on E⊗ G⊗O by
Σ′ = ΓE ⊗(
∑(g,o)∈S
(1− q)∑i(1−gi)q∑i gi 2(h/2+η)N/r |go〉 〈go|)
(H.43)
45
(recalling that γ = qκr). Comparing this definition with (H.30) and using the success criterion(H.41), we find that Σ′ ≥ Σs. Therefore, the bound in (H.42) holds also when Σs is replaced by Σ′.
When we let Ψ be the operator on E⊗ G defined by
Ψ = ΓE ⊗ ∑g∈0,1N
(1− q)∑i(1−gi)q∑i gi |g〉 〈g| (H.44)
and rewrite Σ′ as
Σ′ = 2(h/2+η)N/r(Ψ⊗ IO), (H.45)
we find (using the rule Dεmax(X‖Y) = log c + Dε
max(X‖cY)) that
Dεmax(Γ
sEGO‖Ψ⊗ IO) ≤ (h/2 + η)N/r− N · ∆(v, h, q, κ, r)
+log(2/ε2)
qκr.
Since Ψ is a density matrix, we have
Hεmin(Γ
sEGO | EG) ≥ −Dε
max(ΓsEGO‖Ψ⊗ IO). (H.46)
Therefore if we let
R(v, h, η, q, κ, r) = −h/2 + η
r+ ∆(v, h, q, κ, r), (H.47)
condition 1 of the theorem is fulfilled. Condition 2 follows easily from the formula for the limit of∆ (H.26).
A final improvement can be made on the previous result by optimizing the coefficient r.
Theorem H.7. There exist continuous real-valued functions T(v, h, η, q, κ) and E(v, h, η, q, κ) such thatthe following holds.
1. If Protocol A’ is executed with parameters (v, h, N, q, η, D), then for any ε ∈ (0,√
2] and κ ∈ (0, ∞),
Hεmin(Γ
sEGO | EG) ≥ N · T(v, h, η, q, κ)−
(log(√
2/ε)
qκ
)E(v, h, η, q, κ). (H.48)
2. The following equalities hold, where π denotes the function from Theorem E.2.
lim(q,κ)→(0,0)
T(v, h, η, q, κ) = π(η/v), (H.49)
lim(q,κ)→(0,0)
E(v, h, η, q, κ) =−2π′(η/v)
v. (H.50)
Proof. Let
r0 = min
v−π′(η/v)
,1qκ
. (H.51)
Define the function T by
T(v, h, η, q, κ) = R(v, h, η, q, κ, r0). (H.52)
46
By substitution into Proposition H.6, the bound (H.48) will hold when we set E to be equal to2/(r0).
To prove (H.49), note that
lim(q,κ)→(0,0)
r0 =v
−π′(η/v)(H.53)
and therefore
lim(q,κ)→(0,0)
T(v, h, η, q, κ) = mins∈[0,1]
[π(s) + r−1
0 (vs− η)]
(H.54)
= mins∈[0,1]
[π(s)− π′(η/v)(s− η
v)]
(H.55)
The function enclosed by square brackets in (H.55) is a convex function of s (by Theorem E.2) andits derivative at s = η/v is zero. Therefore, a minimum is achieved at s = η/v, and the expressionin (H.55) thus evaluates simply to π(η/v).
Equality (H.50) is immediate. This completes the proof.
I Randomness Expansion from an Untrusted Device
In this section, we will combine the results of previous sections to prove that randomness expan-sion from an untrusted device is possible.
I.1 The Trust Coefficient of a Strong Self-Test
Corollary G.5 proves that if G is a strong self-test, then for some δG > 0, the behavior of anuntrusted device under G can be simulated by a partially trusted device with parameters (δG, 2fG).Let us say that the trust coefficient of G is the largest value of δG which makes such a simulationpossible.
As a consequence of the theory in section F, we have the following formal definition for thetrust coefficient of G.
Definition I.1. Suppose that G is an n-player binary XOR game. Then the trust coefficient of G, denotedvG, is the maximum value of c ≥ 0 such that there exists a Hermitian operator N on
(C2)⊗n satisfying the
following conditions.
1. The square of N is the identity operator on(C2)⊗n.
2. The operator N anticommutes with the operator[
0 11 0
]⊗ I⊗ . . .⊗ I.
3. For any complex numbers ζ1, . . . , ζn ∈ ζ | |ζ| = 1, Im(ζ) ≥ 0, the operator given by
M =
a00...0
a00...1
. . .
a11...0a11...1
, (I.1)
47
where
ab1,...,bn = PG(ζ(−1)b1
1 , ζ(−1)b2
2 , . . . , ζ(−1)bn
n ), (I.2)
satisfies
‖M− cN‖ ≤ qG − c. (I.3)
I.2 The Security of Protocol R
Combining Theorem H.7, Corollary G.5, and the definition from the previous subsection, we havethe following. As with Protocol A’, let us record the outputs of Protocol R as bit sequences G =(g1, . . . , gN) and O = (o1, . . . , oN), where oi = 0 if the outcome of the ith round is H or P, andoi = 1 otherwise. If E is a purifying system for the device D used in Protocol R, then we denote byΓEGO the state of E, G, and O, and by Γs
EGO the subnormalized state corresponding to the “success”event.
Theorem I.2. There exists continuous real-valued functions T(v, h, η, q, κ) and E(v, h, η, q, κ) (with thedomains specified in Figure 5) such that the following statements hold.
1. Let G be an n-player strong self-test. Let D be an untrusted device with n components, and let E bea purifying system for D. Suppose that Protocol R is executed with parameters N, η, q, G, D. Then,for any κ ∈ (0, ∞) and ε ∈ (0,
√2], the following bound holds.
Hεmin(Γ
sEGO | EG) ≥ N · T(vG, 2fG, η, q, κ)−
(log(√
2/ε)
qκ
)E(vG, 2fG, η, q, κ), (I.4)
2. The following limit conditions are satisfied, where π denotes the function from Theorem E.2.
lim(q,κ)→(0,0)
T(v, h, η, q, κ) = π(η/v), (I.5)
lim(q,κ)→(0,0)
E(v, h, η, q, κ) =−2π′(η/v)
v. (I.6)
The following corollary shows that the linear rate of Protocol R can be lower bounded by thefunction π from Theorem E.2.
Corollary I.3. Let η > 0 and δ > 0 be real numbers. Then, there exists positive reals b and q0 such thatthe following holds. If Protocol R is executed with parameters N, η, q, G, D, where q ≤ q0, then
Hεmin(Γ
sEGO | EG) ≥ N · (π(η/vG)− δ), (I.7)
where ε =√
2 · 2−bqN .
Proof. By the limit conditions for T and E, we can find q0, κ0 > 0 sufficiently small and M > 0sufficiently large so that for any q ∈ (0, q0] and κ ∈ (0, κ0],
T(vG, 2fG, η, q, κ) ≥ π(η/vG)− δ/2 (I.8)E(vG, 2fG, η, q, κ) ≤ M. (I.9)
48
Let b = δκ0/(2M), and let ε =√
2 · 2−bqN . Then, provided that q ≤ q0, the output of Protocol Rsatisfies
Hεmin(Γ
sEGO | EG) ≥ N · T(vG, 2fG, η, q, κ0)−
(log(√
2/ε)
qκ0
)E(vG, 2fG, η, q, κ0) (I.10)
≥ N(π(η/vG)− δ/2)−(
bqNqκ0
)M (I.11)
= N(π(η/vG)− δ/2)− (δ/2)N, (I.12)
which simplifies to the desired bound.
The corollary stated above is not quite at full strength. We wish to show that the output registerO has high min-entropy conditioned on any external information — including the original inputsto the device D. The above corollary takes into account the biased coin flips g1, . . . , gN used in theprotocol, but it does not take into account the inputs that are given to D during game rounds.
For each k ∈ 1, . . . , N, let Ik denote a classical register consisting of n bits which records theinput used at the kth rough. Let I be the collection of the all the registers I1, . . . , IN .
Corollary I.4. Let G be a strong self-test, and let η > 0 and δ > 0 be real numbers. Then, there exist posi-tive reals b, K, and q0 such that the following holds. If Protocol R is executed with parameters N, η, q, G, D,where q ≤ q0, then
Hεmin(Γ
sEGIO | EGI) ≥ N · (π(η/vG)− δ), (I.13)
where ε = K · 2−bqN .
Proof. Let δ′ = δ/2. By Corollary I.4, we can find b′ and q0 such that whenever Protocol R isexecuted with q ≤ q0,
Hε′min(Γ
sEGO | EG) ≥ N · (π(η/vG)− δ/2), (I.14)
where ε′ =√
2 · 2−b′qN . By decreasing q0 if necessary, we will assume that q0 < δ/(2n).For each k ∈ 1, 2, . . . , bNδ/(2n)c, let Ik denote the input string that was given to the device D
on the kth game round. If there were fewer than k game rounds, then simply let Ik be the sequence00 . . . 0. Let I denote the collection of the registers I1, . . . , IbNδ/(2n)c.
Let d denote the event that
∑ Gi ≤ Nδ/(2n). (I.15)
(That is, d denotes the event that the number of game rounds is not more than Nδ/2.) By theAzuma-Hoeffding inequality,
P(d) ≤ e−N[δ/(2n)−q0]2/2. (I.16)
Let ε be the sum of ε′ and the quantity on the right of (I.16), and let sd denote the intersection ofthe event d and the success event s. Observe the following sequence of inequalities, where we firstuse the fact that the operator Γsd
EGIO can be reconstructed from the operator ΓsdEGIO
, and then usethe fact that the register I consists of ≤ (Nδ/2) bits.
Hεmin(Γ
sEGIO | EGI) ≥ Hε′
min(ΓsdEGIO | EGI) (I.17)
= Hε′min(Γ
sdEGIO | EGI), (I.18)
≥ Hε′min(Γ
sdEGO | EG)− Nδ/2 (I.19)
≥ Hε′min(Γ
sEGO | EG)− Nδ/2 (I.20)
≥ N · (π(η/vG)− δ), (I.21)
49
as desired.We wish to show that ε is upper bounded by a decaying exponential function of qN (i.e., a
function of the form J · 2−cqN , where J and c are positive constants depending only on δ, η, andG). We already know that ε′ has such an upper bound. The expression on the right side of (I.16)also has such a bound — indeed, it has a bound of the form J · 2−cN , which is stronger. Thereforeε (which is the sum of the aforementioned quantities) is also bounded by a decaying exponentialfunction. This completes the proof.
Remark I.5. Corollary I.4 implies that if π(η/vG) > 0, then (provided q is sufficiently small) apositive linear rate of output entropy is achieved by Protocol R. Using the formula for π fromRemark E.3, this means that a positive linear rate is achieved if η < 0.11 · vG.
Recall that limy→0 π(y) = 1. The next corollary follows easily from Corollary I.4.
Corollary I.6. Let δ > 0 be a real number. Then, there exists positive reals K, b, q0, and η such that thefollowing holds. If Protocol R is executed with parameters N, η, q, G, D, where q ≤ q0, then
Hεmin(Γ
sEGIO | EGI) ≥ N · (1− δ), (I.22)
where ε = K · 2−bqN .
I.3 Example: The GHZ game
Let H denote the 3-player binary XOR game whose polynomial PH is given by
PH(ζ1, ζ2, ζ3) =14(1− ζ1ζ2 − ζ2ζ3 − ζ1ζ3) . (I.23)
This is the Greenberger-Horne-Zeilinger (GHZ) game.
Proposition I.7. The trust coefficient for the GHZ game H is at least 0.14.
For the proof of this result we will need the following lemma (which the current authors alsoused in [35]):
Lemma I.8. Let a, b, c be unit-length complex numbers such that Im(a) ≥ 0 and Im(b), Im(c) ≤ 0. Then,
|1− ab− bc− ca| ≤√
22
. (I.24)
Proof. We have
−1 + ab + bc + ca = (−1 + bc) + a(b + c). (I.25)
The complex number (b+ c) lies at an angle of π/2 (in the counterclockwise direction) from (−1+bc). Since a has nonnegative imaginary part, the angle formed by a(b + c) and (−1 + bc) must bean obtuse or a right angle. Therefore,
|(−1 + bc) + a(b + c)|2 ≤ |−1 + bc|2 + |a(b + c)|2 (I.26)≤ 4 + 4 (I.27)= 8. (I.28)
The desired result follows.
50
Proof of Proposition I.7. We proceed from Definition I.1. Let N be the reverse-diagonal matrix
N =
11
−1−1
−1−1
11
. (I.29)
Clearly, N anticommutes with σx ⊗ I⊗ . . .⊗ I.Let ζ1, ζ2, ζ3 be unit-length complex numbers with nonnegative imaginary part, and let M
be the operator given by (I.1)–(I.2). We wish to show that the operator norm of M − (0.14)N isbounded by qH − 0.14 = 0.86.
Note that∣∣∣∣14 (1− ζ1ζ2 − ζ2ζ3 − ζ1ζ3)− 0.14∣∣∣∣ =
∣∣∣∣0.11− 14(ζ1ζ2 + ζ2ζ3 + ζ1ζ3)
∣∣∣∣ (I.30)
≤ 0.11 + 0.75 (I.31)= 0.86. (I.32)
Also, by applying Lemma I.8,∣∣∣∣14 (1− ζ1ζ2 − ζ2ζ3 − ζ1ζ3)+ 0.14
∣∣∣∣ ≤ ∣∣∣∣14 (1− ζ1ζ2 − ζ2ζ3 − ζ1ζ3)∣∣∣∣+ 0.14 (I.33)
≤√
22
+ 0.14 (I.34)
≤ 0.86. (I.35)
Applying similar arguments shows that every reverse-diagonal entry of (M− 0.14 · N) has abso-lute value bounded by 0.86. This completes the proof.
Remark I.9. By the above result and Remark I.5, we have the following. If η is a positive realsmaller than 0.0154 (= 0.11 · 0.14) and if q > 0 is sufficiently small, then executing Protocol R withthe GHZ game yields a positive linear rate of entropy.
J Unbounded expansion
In this section, we prove a general result, the Composition Lemma (Lemma J.3 below), that im-plies Corollary 1.9 straightforwardly. This general result implies that previously known and ouruntrusted-device protocols for generating randomness using globally uniform inputs can be com-posed sequentially with additive errors, even if only two devices are used. The proof will be short,but it is important to define the error parameters appropriately. We follow [10] on the generalframework for rigorously reasoning about those protocols, but only sketch the necessary elementsand refer interested readers to [10] for a more comprehensive description.
Since we will use the accepted output of a device as the input for another device, we will usethe same syntax for input/output states. A protocol state spaceH is a three-part Hilbert space
H = HC ⊗HD ⊗HE, (J.1)
51
where C, D, E are referred to as the classical, device, and adversary subsystems, respectively. Wealso represent a protocol space by the triple (C, D, E).
We call a subnormalized classical-quantum-quantum state ρ overH a protocol state. Those statesare the accepting (or non-aborting) portion of the normalized states in our protocols. Denote byρ = ρ/Tr(ρ) the corresponding normalized state. Correspondingly, we allow quantum operationsto be trace-non-increasing with the understanding that the missing trace (from the unit) corre-sponds to rejecting (or aborting).
We call a protocol state ρCDE device-uniform, adversary-uniform, or global-uniform if in ρ, C is uni-form with respect to D, or E, or DE, respectively. For any ε ∈ [0, 2], ρ is said to be ε-device-uniform ifthere exists a subnormalized device-uniform state ρD within ε trace-distance to ρ. Similarly defineε-adversary-uniform and ε-global-uniform.
A strong untrusted-device (UD) extractor Π maps protocol states over the input protocol space(X, D, E) to those over the output protocol space (Y, D, XE). In addition, Π is a controlled-operation on DE, controlled by X, and the new adversary subsystem is XE. The device-subsystemD may be divided into multiple device components. The underlying device-adversary spaces arevariables, and the protocol is specified as the composition of a sequence of variable operations forclassically interacting with individual device components, intra-device operations, and device-adversary operations. An implementation specifies the device-adversary Hilbert spaces and assignsvalues to the variable operations. An ideal implementation specifies the device Hilbert spaces andassigns values to all the variable operations, including when the operation involving adversaryspace, the assigned operation is identity on the adversary space.
We call εs a soundness error of Π on a set S of protocol states if for any ρ ∈ S and any compatibleimplementation, Π(ρ) is εs-adversary uniform. We say that on S , Π has a adjustment completenesserror εc tolerating a noise level η, if there exists an ideal implementation, such that for all nor-malized states ρ ∈ S and all implementations within η-deviation from the ideal implementation,the protocol’s final state is within εc trace distance to a normalized adversary-uniform state. Thischange of completeness error is not substantial: εc ≤ 2(εc + εs), and εs ≤ εc.
The Equivalence Lemma of Chung, Shi and Wu [10] states the following.
Theorem J.1 (The Equivalence Lemma [10]). Let Π be a strong UD extractor that has no device-adversary interactions. Then on the set of global-uniform inputs and the set of device-uniform inputs,Π has the same soundness error, adjustment completeness error, and noise tolerating level.
We now formally define the composition of protocols using two devices. The first study ofsuch a composition appears to be in [22], though likely it has been a folklore.
Definition J.2. Let D0 and D1 be two untrusted quantum devices and T ≥ 1 be an integer. A cross-feeding protocol Σ using D0 and D1 consists of a sequence of strong UD extractors Σi, i = 0, 1, ..., T,such that Σi uses Di mod 2 and the output of Σi is used as the input to Σi+1. The input to Σ is the input toΣ0, and the output is that of ΣT.
Furthermore, Π is said to use restorable devices if, for each i, 1 ≤ i ≤ T, between Σi−1 and Σi+1, thereis a device-adversary variable operation Ai on XiDi+1 mod 2E, controlled by Xi.
A cross-feeding protocol is illustrated in Fig. (6). Allowing the device-adversary Ai operationsreduces the technical challenges for practical implementations, since in an honest implementation,Ai can be used to replenish the consumed entanglement. While our wording of “two” deviceswas inspired by a possible implementation of using two physical devices, the inactive devicecan certainly be replaced by a different physical device, since such replacement is one possibleAi operation. The essence of our two device protocol lies in how communication is restricted:
52
Σ0
A0
Σ1
A1
Σ2
A2
· · ·
· · ·
ΣT−1
AT−1
ΣT
AT
XD0
X1 X2 X3 XT−1 XT Y
XD1E
E1 E2 E3 ET−1 ET ET+1
X1D10
D11
X2D21
D20
X3D32
D31
XTDT1−b
DTb
DT+11−b
DT+1b
Figure 6: The tensor network representation of a cross-feeding protocol. Superscripts indicatethat a (device or adversary) subsystem may change after an operation. Each Et includes a copyof X0, ..., Xt−1 to be consistent with the definition of strong UD extractors. The subscript b = Tmod 2.
besides forbidding communication between an active device and its external world — which isalready required for a single-device protocol — the additional constraint is that after an activedevice finishes its work, no information is allowed to travel from the device to the inactive devicebefore the latter becomes active. A single device would not satisfy this latter requirement.
Lemma J.3 (Composition Lemma). Let Σ be a cross-feeding protocol defined above. Assume that foreach i, 0 ≤ i ≤ T, Σi has a soundness error εs,i, and an adjustment completeness error εc,i tolerating anoise level η (set to be the same for all Σi), with respect to device-uniform inputs. Let εs := ∑T
i=0 εs,i andεc := ∑T
i=0 εc,i. Then Σ on states uniform to D0 has a soundness error εs, and an adjustment completenesserror εc tolerating an η level of noise.
In particular, the above statement holds if each Σi has no device-adversary interaction and the parame-ters εs, εc, η are valid on global-uniform inputs.
The soundness proof uses the following two facts, both follow directly from the correspondingdefinitions.
Fact J.4. Let b ∈ 0, 1 and ρ = ρYDb(D1−bE) be adversary-uniform. Then ρ as ρYD1−b(DbE) is device-uniform for D1−b. This remains true for (I ⊗ ADbE)ρ for any operation ADbE on DbE.
Fact J.5. If Π is a strong UD extractor with an ε soundness error, and ρ is δ-device-uniform, Π(ρ) is(ε + δ)-adversary uniform.
Proof. The proof for the device-uniform case follows from a a straightforward inductive proof onthe follow two statements. Denote by εi
s := ∑ij=0 εs,j, and εi
c := ∑ij=0 εc,j.
• (Soundness) On any implementation and any initial input uniform to D0, for each i, 0 ≤ i ≤T, the output of Σi is εi
s-adversary-uniform.
• (Completeness) Fix an ideal implementation for each Σi to achieve the adjustment complete-ness error. For any η-deviated implementation, any normalized initial input uniform to D0,any i, 0 ≤ i ≤ T, the output of Σi is εi
c-close to a normalized adversary-uniform state.
More specifically, for the soundness argument, the base case holds by applying Fact J.5 to Σ0and the assumption that the input is uniform to D0. For the inductive step, by the inductivehypothesis (assuming it holds for i, 0 ≤ i ≤ T − 1) and Fact J.4, the input to Σi+1 is εi
s-device
53
uniform. By Fact J.5, the output is thus εi+1s -adversary uniform. The proof for the completeness
follows from the definition of completeness and triangle inequality.The global-uniform case follows by applying the Equivalence Lemma J.1.
Corollary 1.9 follows by using our robust protocol in Corollary 1.5.
K Untrusted-device quantum key distribution
In this section, we shall first formally define what we mean by a key distribution protocol usinguntrusted quantum devices. We then present Protocol Rkd, a natural adaption of Protocol R foruntrusted-device quantum key distribution, then we prove its correctness (Corollary 1.11.)
K.1 Definitions
A min-entropy untrusted-device key distribution (ME-UD-KD) protocol Πkd is a communication pro-tocol in the following form between two parties Alice and Bob who have access to distinct com-ponents of an untrusted quantum device. Before the protocol starts, they share a string that isuniformly random to the device. They communicate through a public, but authenticated, chan-nel. At each step, both the message they send and the new input to their device components are adeterministic function of the initial randomness, the messages received, and the previous outputof their device component. The protocol terminates with a public bit S, indicating if the protocolsucceeds or aborts, and Alice and Bob each has a private string SA and SB, respectively.
The protocol is said to have an yield N with a soundness error εs if both the following conditionshold.
(a) the joint state (S, SA, E) is εs-close to a state that is a mixture of Abort and one that has Nextractable bits, and
(b) the joint state (S, SA, SB) is εs-close to a state such that SA = SB.
The protocol is said to have a completeness error εc with respect to a non-empty class of un-trusted devices Uhonest, if for any device in this class, the protocol aborts with probability ≤ εc.
If in the above definition, Condition (a) has “N extractable bits" replaced by “N uniformlyrandom bits”, then we call the protocol simply an untrusted-device key distribution protocol withthose parameters.
K.2 The protocol
Protocol Rkd is described in Fig. 7. There are two main steps in the proof for Corollary 1.11. Thefirst is to show that for an appropriate range of the parameters, Protocol R has a soundness andcompleteness error of exp(−Ω(qN)) with the ideal state being that O and B differ in at most a(1/2 − λ) fraction, for a constant λ. The second step is to construct the Efficient InformationReconciliation Protocol that works on the ideal state and for Bob to correct the differences withsome small failure probability. We present those two steps in two separate subsections, which arefollowed by the proof for the Corollary.
54
D1 D2 Dn
Alice Bob
A diagram of Protocol Rkd.
Arguments:G : An n-player nonlocal game that is a
strong self-test [35].D : An untrusted device (with n compo-
nents) that can play G repeatedly andcannot receive any additional informa-tion. Alice interacts with the first com-ponent while Bob interacts the rest of thedevice. No communication is allowedamong the components during Step 1-4of the protocol. All random bits chosenby Alice and Bob together are assumed to be perfectly random to D.
N : a positive integer (the output length.)λ : A real ∈ (0, wG − 1/2). (1/2 − λ is the
key error fraction.)η : A real ∈ (0, 1
2 ). (The error tolerance.)q : A real ∈ (0, 1). (The test probability.)
Protocol:
1. Alice and Bob choose a bit g ∈ 0, 1 according to a biased (1− q, q) distribution.2. If g = 1 (“game round”), then Alice and Bob choose an input string at random from 0, 1n
according the probability distribution specified by G. They give their part(s) of D the cor-responding input bit, exchange their output bits and record a “P” (pass) or an “F” (fail)according to the rules of the game G.
3. If g = 0 (“generation round”), then the input string 00 . . . 0 is given to the device. Alicerecords the output of her device component in the O register for this round. Bob stores inthe B register for this round the unique bit that XOR’ing with the output bit(s) of his devicecomponenent(s) would constitute a win for the game. That is, their bits are the same if andonly if they win the game.
4. Steps 1− 3 are repeated N − 1 (more) times.5. If the total number of failures is more than (1−wG + η)qN, the protocol aborts.6. If not yet aborted, they run the Efficient Information Reconciliation (EIR) Protocol (Fig. 8)
on the registers O and B with the parameters λ and ε = exp(−qN). If the EIR Protocoldoes not abort, the register B is replaced with Bob’s guess B of O. The protocol terminatessuccessfully with Alice and Bob’s version of the key being their N-length sequence fromthe alphabet P, F, H, T representing the outcomes of each round (H and T for 0 and 1,respectively, stored in O and B).
Figure 7: Protocol Rkd
K.3 Error rate
The completeness error is straightforward, so our focus will be on the soundness error.Our result applies to a broader class of games than the strong self-tests.
55
Definition K.1. Let f : (0, 1) → (0, 1) be such that limθ→0 f (θ) = 0. A game G is said to be f -self-testing in probability if there exists an input x0 such that for any θ ∈ (0, 1) and any quantum strategythat wins with probability (1− θ)wG, the game wins on input x0 with probability ≥ (1− f (θ))wG.
The following theorem uses the notion of second-order robust self-test (which in this paper wecall strong self-test) from the paper [35] by Miller and Shi.
Theorem K.2. Let G be a strong self-test. Then there exists a constant C > 0 such that G is C√
θ-self-testing in probability.
Proof. Since G is strongly self-testing, there is a unique quantum strategy which achieves the opti-mal winning probability wG. Let x0 be an input string (which occurs with nonzero probability inG) such that, if the optimal strategy is applied on input x0, the winning probability is at least wG.
If a given quantum strategy for G achieves a score of (1− θ)wG, then by the strong self-testingproperty its probability distribution is C1
√θ-close to that of the optimal strategy, for some constant
C1. The result follows.
Consequently all strong self-tests are O(√
θ)-self-testing in probability.We now fix a game G that is f -self-testing in probability for some function f . Let wi and w0
i ,1 ≤ i ≤ N, denote the chances of winning the ith round game, if the game is played using fullinput distribution or the randomness generating input, respectively. Define the random variables
Wi :=
1 the output at round i is “P” or “H”,0 otherwise.
(K.1)
Theorem K.3. Let G be a game that is f -self-testing in probability for some f . Consider Protocol R (Fig. 2)using G and an arbitrary q ∈ (0, 1). For any λ′, 0 < λ′ < wG − 1/2, there exists η = η(λ′) > 0, suchthat
For any λ ∈ (0, λ′) and any η ∈ (0, η),
P
[ (∑
igi(1−Wi) ≤ (1−wG + η)N
)∧(
∑i
Wi ≤ (1/2 + λ)N
) ](K.2)
≤ exp(− (η − η)2
3qN)+ exp
(− (λ′ − λ)2
2N)
. (K.3)
We will make use of a refined Azuma-Hoeffding inequality [18].
Lemma K.4. Suppose that S1, S2, ..., SN is a Martingale with
|Si+1 − Si| ≤ 1,
andVar [Si+1 − Si | S1, ..., Si] ≤ w,
for all i, 1 ≤ i ≤ N − 1. Then for any ε > 0,
P [SN ≥ εwN] ≤ exp(−ε2 w
2N(
1− 1− w3
ε
)). (K.4)
In particular if ε ≤ 1, we have
P [SN ≥ εwN] ≤ exp(−ε2 w
3N)
. (K.5)
56
Consider
Ti :=i
∑j=1
(gi(1−Wi)− q(1− wi)) . (K.6)
Since E[gi(1−Wi)− q(1− wi) | T1, ..., Ti−1] = 0, and
Var [Ti − Ti−1 | T1, ..., Ti−1] = q(1− wi)[1− q(1− wi)] ≤ q, (K.7)
applying the above Lemma, we have
Corollary K.5. For any ε ∈ (0, 1),
P
[∑
igi(1−Wi)− q ∑
i(1− wi) ≥ εqN
]≤ exp
(−ε2 q
3N)
. (K.8)
Remark K.6 (Completeness error in Theorem 1.2). We take a digression now to show that the aboveCorollary implies the claim on the completeness error in Theorem 1.2. By definition, ProtocolR (Fig. 2) aborts when
∑i
gi(1−Wi) ≥ (1−wG + η)qN. (K.9)
Since winning or passing a game depends on the joint distribution of n interactions, by the defini-tion of the noise-level being η′/n,
∑i|wi −wG| ≤ η′N. (K.10)
Thus Event K.9 implies that
∑i
gi(1−Wi)− q ∑i(1− wi) ≥ ηqN − q ∑
i(wG − wi) ≥ (η − η′)qN. (K.11)
Thus by Corollary K.5, the probability of aborting is ≤ exp(−(η − η′)2qN/3).
Consider now
Si :=i
∑j=1
(Wi − (1− q)w0
i − qwi)
. (K.12)
Then Si is a Martingale with |Si − Si−1| < 1. Thus the following Corollary follows from thestandard Azuma-Hoeffding bound.
Corollary K.7. For any ε > 0,
P
[∑
i
(Wi − (1− q)w0
i − qwi)≤ −εN
]≤ exp
(−ε2
2N)
. (K.13)
We will make use of the following consequence of the f -self-testing property.
Proposition K.8. For any quantum strategy and any θ > 0,
1− w0/wG ≤ f (θ) +1θ(1− w/wG). (K.14)
Proof. If w0/wG ≥ 1− f (θ), LHS ≤ f (θ) ≤ RHS. Otherwise, by definition, w/wG < 1− θ. ThusLHS ≤ 1 ≤ RHS.
57
Proof of Theorem K.3. Fix arbitrary λ, λ′, δ, δ′, θ with 0 < λ < λ′ < wG − 1/2, 0 < δ < δ′, andθ ∈ (0, 1). For ε1, ε2 ∈ (0, 1) to be determined later, define the following two events
E1 := ∑i
gi(1−Wi) > q ∑i(1− wi)− ε1qN, (K.15)
E2 := ∑i(1− gi)W0
i > (1− q)∑i
w0i − ε2(1− q)N. (K.16)
Apply Corollaries (K.5) and (K.7) with ε = ε1 and ε = ε2, respectively, we have
P[E1] ≤ exp(−ε2
13
qN)
, (K.17)
P[E2] ≤ exp(−ε2
22
N)
. (K.18)
Denote the event in Eqn. (K.2) by E. Then
P[E] ≤ P[E1] + P[E2] + P[E ∧ E1 ∧ E2]. (K.19)
Denote by
w :=1N ∑
iwi/wG, and, w0 :=
1N ∑
iw0
i /wG. (K.20)
The event E ∧ E1 ∧ E2 implies
(1− w < (η + ε1)/wG) ∧((1− q)(1− w0) + q(1− w) >
wG − (1/2 + λ + ε2)
wG
). (K.21)
Together with Proposition (K.8), this implies,
(η + ε1) > wG ·[
wG − (1/2 + λ + ε2)
wG− (1− q) f (θ)
]/(1− q
θ+ q)
(K.22)
≥ wG · θ[
wG − (1/2 + λ + ε2)
wG− f (θ)
], (K.23)
for any θ ∈ (0, 1). For any λ, λ′, 0 < λ < λ′ < wG − 1/2, we set ε2 = λ′ − λ, denote by η = η(λ′)the supremum of the R.H.S. of (K.23) for θ ∈ (0, 1). Since f (θ) → 0 when θ → 0, we have η > 0.Thus for any η, if 0 < η < η, setting ε1 = η − η, Event (K.22) does not occur. In such a case, byEqn. (K.19) and Eqn. (K.17,K.18),
P[E] ≤ exp(− (η − η)2
3qN)+ exp
(− (λ′ − λ)2
2N)
. (K.24)
Thus the theorem holds.
K.4 Efficient Information Reconciliation
We now arrive at the problem of resolving differences between Alice and Bob’s keys under thepromise that the differences (referred to as errors) are strictly less than 1/2-fraction. We hope thatthe solution is efficient, not just in term of local computational complexity, but also, most critically,the bits communicated, as well as the number of shared random bits used. This is because any bitcommunicated in this stage will be subtracted from the min-entropy guarantee, and that our goal
58
is to achieve secure quantum key distribution with a short seed. To that end, we define a quantityto describe the limit of surviving fraction of min-entropy. We will relate our task to the previousworks after the definition, but we stress that the solution presented here uses standard methodsand can be seen as an adaptation of Guruswami’s protocol [24] for a closely related problem.
Definition K.9 (Efficient Information Reconciliation). Let λ ∈ (0, 1/2), ε ∈ (0, 1), N, R and Mbe integers, and T be a function on N, λ and ε. An information reconciliation protocol with thoseparameters is a communication protocol between two parties Alice and Bob with the following property. Onany N-bit strings A and B, known to Alice and Bob, respectively, and of Hamming distance |A ⊕ B| ≤(1/2− λ)N, for some λ ∈ (0, 1/2), they start the protocol with a shared R-bit string, communicate Mbits, output strings A′, B′ of N bits from Alice and Bob, respectively, such that A′ and B′ differ with ≤ εprobability. The computation complexity of the protocol is ≤ T.
The protocol is said to be efficient for a constant λ, if R = O(log(N/ε)), M = (1− c)N for someconstant c = c(λ), and T = poly(N, log(1/ε)).
For a fixed constant λ, the residual fraction is the supremum of c(λ) such that an efficient protocolexists.
Smith [48] studied computationally efficient IR with (close to) optimal communication cost((1− h(λ))N). While he did not optimize the length of the shared randomness, it is possible thathis approach can be modified to significantly reduce the stated randomness used. In an earlierwork, Guruswami [24] studied a closely related problem: Alice wants to send a message x throughan adversarial channel that flips at most a (1− λ) fraction of the bits, and the goal is for Bob torecover x with a probability at most a failure parameter ε, by allowing Alice to faithfully send Boban additional and short “side information.” His solution is asymptotically optimal in the lengthof the side information.
Guruswami’s protocol can be readily adapted for solving our problem, by adding to it theidea of Bennett et al. [7] for information reconciliation through one-way communication of theerror syndrome of an appropriately chosen error correcting code. The adapted protocol is notsimultaneously computationally efficient and optimal in communication cost (as it relies on ex-plicit list-decodable codes, which are yet to be made optimal), but is nevertheless asymptoticallyoptimal on the randomness used for one-way protocols. We do not know if optimality in bothcommunication cost and the shared randomness can be achieved through interactive protocolswithout requiring an improved construction of explicit list-decodable codes. For completeness,we describe an adapted instance of Guruswami’s protocol.
The error-correcting code approach of [7] can only deal with < 1/4 relative errors (i.e. λ >1/4). To correct ≥ 1/4 relative errors, we will have to resort to list-decodable binary linear codes.To pin down the actual error, we use an approximate universal hashing [37, 2] to exploit the factthat there is only a polynomial in N number of candidates to examine after list-decoding. We statesome of those results below.
Theorem K.10 (Guruswami [25]). There exists a constant c > 0 such that for any λ ∈ (0, 1/2), andfor an infinite number of integers N > 0, there exists a binary linear code of block length N, relative error1/2 − λ, rate R := Ω(λ3/ log(1/λ)), that can be list-decoded into a list of size exp(O(log 1/λ)) inO(Nc) encoding and decoding time.
There are other constructions (such as [27]) that have different parameters but are still goodfor our purpose.
Theorem K.11 ([37, 2]). For any natural number `, any real ε ∈ (0, 1/2) and all sufficiently large integerM, there exists a distribution on 0, 1M such that any ` bits are ε close to the uniform ` bits in variation
59
distance, and the distribution can be generated using
O(log log M + `+ log 1/ε)
number of random bits and constructed in polynomial in M and log 1/ε time.
Note that an ε-almost 2k-wise independent string of 2Nk bits form an ε-almost pairwise inde-pendent hash function family from 0, 1N to 0, 1k. Thus Theorem K.11 implies the followingcorollary with M = 2Nk and ` = 2k.
Corollary K.12 (of Theorem K.11). For any real ε ∈ (0, 1/2), any integer k ≥ 1 and all sufficientlylarge N, there exists a hash function family from 0, 1N to 0, 1k that is ε-close to a pairwise independenthash function family and uses
O(log N + k + log 1/ε)
number of random bits.
We are ready to present our protocol for Efficient Information Reconciliation and prove itscorrectness.
Arguments:λ : A real ∈ (0, 1/2].
X, Y : Binary strings of length N such that |X⊕Y| ≤ (1/2− λ)N.ε : A failure probability. Equals 0 for λ ∈ (1/4, 1/2].
A : The check matrix of an explicitly constructible (i.e. encoding and decoding in polynomialtime) binary linear error-correcting code C of length N, relative error 1/2− λ, and a linearrate R = R(λ). If λ ∈ (1/4, 1/2), C is uniquely decodable; otherwise C is efficiently list-decodable with a list size L = poly(N, log 1/ε). Such codes exist ([1, 26]).
H : If λ ≤ 1/4, H is an explicitly constructible ε/2-almost pairwise independent hash functionfamily from 0, 1N to 0, 1k, where k = dlog(2L/ε)e. The number of random bits used todraw a random h ∈ H is O(log N + k + log 1/ε). SuchH exists according to Corollary K.12.
Protocol:
1. Alice sends Bob AX ∈ 0, 1(1−R)N .2. If C is uniquely decodable, Bob computes the error syndrome AY + AX = A(X + Y), runs
the decoding algorithm to obtain the unique D with |D| ≤ (1/2−λ)N and AD = A(X +Y).The protocol terminates with Bob outputting Y + D.
3. Otherwise (C is list-decodable with list size L), Bob list-decodes from A(X + Y) to obtain alist ∆1, ∆2, · · · , ∆L, where by the property of C, X + Y = ∆i, for some i, 1 ≤ i ≤ L.
4. Alice and Bob draw a random h ∈ H, and Alice sends Bob h(X). Bob checks if there existsa unique ∆i such that h(Y + ∆i) = h(X). If no, aborts. Otherwise, the protocol terminateswith Bob outputting Y + ∆i.
Figure 8: An Efficient Information Reconciliation protocol
60
Theorem K.13. The Protocol in Fig. 8 is an efficient Information Reconciliation protocol (K.9). In par-ticular, if λ > 1/4, it succeeds with certainty without consuming any randomness. If λ ∈ (0, 1/4], thenumber of shared random bits is O(log N + log 1/ε).
Proof. The length of Alice’s message and the correctness of Bob’s output follow from the propertiesof C. For the case of λ ≤ 1/4, the length of the shared randomness follows from the property ofH.Furthermore, the chance of aborting is no more than the existence of i′ 6= i such that h(Y + Di) =h(Y + Di′). This probability is no more than
LM
+ ε/2 ≤ ε.
K.5 Proof for Corollary 1.11
PROOF OF COROLLARY 1.11. We set s = supλ′<wG−1/2 c(λ′), where c(·) is the residual fraction(Definition K.9), shown to be well-defined by Theorem (K.13). For an arbitrarily small δ > 0, wechoose arbitrary κ ∈ (0, δ). The choice of κ will affect our final error parameter, so for practicalapplications may be chosen to minimize the final error.
Applying Theorem 1.2 with the δ parameter there set to be δ1 := δ− κ, we get parameter upperbounds, q0 and η0, to ensure the soundness and completeness properties for Alice’s output A.
Let λ be such that c(λ) = s− κ. Choose an arbitrary λ′ ∈ (λ, wG − 1/2). Like κ, the choice ofλ′ affects final error parameters. Replace η0 by η(λ′) as determined in Theorem K.3 if the latter issmaller.
Fix arbitrary q, η, N with q ≤ q0 and η ≤ η0. Then the conclusions of both Theorem 1.2 and K.3hold. Therefore, Alice’s output O in Protocol Rkd before information reconciliation has (1− δ +κ)N extractable bits with εs1 = exp(−bqN) soundness error, for b determined in Theorem 1.2. Theinformation reconciliation protocol (8) consumes (1− c(λ))N bits, thus the remaining conditionalmin-entropy in O is
[(1− δ + κ)− (1− c(λ))] · N = [c(λ)− δ + κ] · N = (s− δ)N.
Thus after information reconciliation, Alice’s key has≥ (s− δ)N extractable bits with a soundnesserror εs1.
We now bound the probability of the event E6= that the protocol does not abort and Aliceand Bob’s keys disagree. Let D be the event that |O + B| ≤ (1/2− λ)N. Denote by E the event inEnq. (K.2), that is, the protocol before information reconciliation not aborting yet D is true. Denoteby EIR the event that the Efficient Information Reconciliation Protocol 8 does not abort yet B 6= O.Then
P[E6=] ≤ P[E] + P[EIR|D]. (K.25)
By Theorem K.3, P[E] ≤ the R.H.S. of (K.3), which can be made ≤ exp(−b′qN) for someappropriate constant b′ = b′(η, λ, λ′), possibly by lowering η0 so that it is bounded away from theabove by η. By Theorem K.13, P[EIR|D] ≤ exp(−qN). Thus replacing b by minb, 1, we havethe soundness error exp(−bqN + O(1)).
The completeness error follows from that for randomness expansion protocol, with an addi-tional probability of aborting in information reconciliation. The proof is a standard application ofAzuma-Hoeffding inequality thus we leave the proof for the interested reader.
The number of random bits used in the expansion protocol is O(Nh(q)). That used in theEfficient Information Reconciliation Protocol is either 0 or O(log N/ε), where ε = exp(−qN), thusO(Nh(q) + log N + qN), which is O(Nh(q) + log N) (and is O(Nh(q)) when qN = Ω(1)).
61
References
[1] N. Alon, J. Bruck, J. Naor, M. Naor, and R. M. Roth. Construction of asymptotically good low-rate error-correcting codes through pseudo-random graphs. IEEE Transactions on InformationTheory, 38(2):509–516, 1992.
[2] N. Alon, O. Goldreich, J. HÃestad, and R. Peralta. Simple constructions of almost k-wiseindependent random variables. Random Structures & Algorithms, 3(3):289–304, 1992.
[3] J. Barrett, R. Colbeck, and A. Kent. Unconditionally secure device-independent quantum keydistribution with only two devices. Phys. Rev. A, 86:062326, Dec 2012.
[4] J. Barrett, R. Colbeck, and A. Kent. Memory attacks on device-independent quantum cryp-tography. Phys. Rev. Lett., 110:010503, Jan 2013.
[5] J. Barrett, L. Hardy, and A. Kent. No signaling and quantum key distribution. Phys. Rev. Lett.,95:010503, Jun 2005.
[6] C. Bennett and G. Brassard. Quantum cryptography: public key distribution and coin toss-ing. Proceedings of the IEEE International Conference on Computers Systems and Signal Processing,11:175–179, 1984.
[7] C. H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska. Practical quantum obliv-ious transfer. In J. Feigenbaum, editor, Advances in Cryptology—CRYPTO ’91, volume 576 ofLecture Notes in Computer Science, pages 351–366. Springer-Verlag, 1992, 11–15 Aug. 1991.
[8] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. Roychowdhury. A proof of the security ofquantum key distribution. Journal of Cryptology: the journal of the International Association forCryptologic Research, 19(4):381–439, Oct. 2006.
[9] E. A. Carlen. Trace inequalities and quantum entropy: An introductory course. In R. Simsand D. Ueltschi, editors, Entropy and the Quantum, volume 529 of Contemporary Mathematics,pages 73–140, 2009.
[10] K.-M. Chung, X. Wu, and Y. Shi. Physical randomness extractors. arXiv:1402.4797, 2014.
[11] R. Colbeck. Quantum And Relativistic Protocols For Secure Multi-Party Computation. PhD thesis,University of Cambridge, 2006.
[12] R. Colbeck and A. Kent. Private randomness expansion with untrusted devices. Journal ofPhysics A: Mathematical and Theoretical, 44(9):095305, 2011.
[13] R. Colbeck and R. Renner. Free randomness can be amplified. Nature Physics, 8:450–454, 2012.
[14] M. Coudron, T. Vidick, and H. Yuen. Robust randomness amplifiers: Upper and lowerbounds. In P. Raghavendra, S. Raskhodnikova, K. Jansen, and J. D. P. Rolim, editors, Ap-proximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques - 16th In-ternational Workshop, APPROX 2013, and 17th International Workshop, RANDOM 2013, Berkeley,CA, USA, August 21-23, 2013. Proceedings, volume 8096 of Lecture Notes in Computer Science,pages 468–483. Springer, 2013.
[15] M. Coudron and H. Yuen. Infinite randomness expansion and amplification with a constantnumber of devices. arXiv:1310.6755.
62
[16] N. Datta. Min- and max- relative entropies and a new entanglement monotone. IEEE Trans-actions on Information Theory, 55(6):2816–2826, 2009.
[17] A. De, C. Portmann, T. Vidick, and R. Renner. Trevisan’s extractor in the presence of quantumside information. SIAM J. Comput, 41(4):915–940, 2012.
[18] A. Dembo and O. Zeitouni. Large Devitations Techniques and Applications. Springer, 2nd ed.edition, 1997.
[19] D.-L. Deng and L.-M. Duan. Fault-tolerant quantum random-number generator certified bymajorana fermions. Phys. Rev. A, 88:012323, Jul 2013.
[20] F. Dupuis, O. Fawzi, and S. Wehner. Entanglement sampling and applications, May 06 2013.arxiv:1305.1316.
[21] A. K. Ekert. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett., 67:661–663,Aug 1991.
[22] S. Fehr, R. Gelles, and C. Schaffner. Security and composability of randomness expansionfrom Bell inequalities. Phys. Rev. A, 87:012335, Jan 2013.
[23] D. Greenberger, M. Horne, and A. Zeilinger. Going beyond Bell’s theorem. In M. Kafatos,editor, Bell’s Theorem, Quantum Theory, and Conceptions of the Universe, pages 69 – 72. Kluwer,Dordrecht, 1989.
[24] V. Guruswami. List decoding with side information. In IEEE Conference on ComputationalComplexity, page 300. IEEE Computer Society, 2003.
[25] V. Guruswami. Algebraic-geometric generalizations of the Parvaresh-Vardy codes. ECCCReport TR05-132, 2005.
[26] V. Guruswami and P. Indyk. Linear-time encodable/decodable codes with near-optimal rate.IEEE Transactions on Information Theory, 51(10):3393–3400, 2005.
[27] V. Guruswami and A. Rudra. Explicit capacity-achieving list-decodable codes. In J. M. Klein-berg, editor, Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle,WA, USA, May 21-23, 2006, pages 1–10. ACM, 2006.
[28] Z. Gutterman, B. Pinkas, and T. Reinman. Analysis of the linux random number genera-tor. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP ’06, pages 371–385,Washington, DC, USA, 2006. IEEE Computer Society.
[29] N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your Ps and Qs:Detection of widespread weak keys in network devices. In Proceedings of the 21st USENIXSecurity Symposium, 2012.
[30] V. Jaksic, Y. Ogata, Y. Pautrat, and C.-A. Pillet. Entropic fluctuations in quantum statisticalmechanics. an introduction. Quantum Theory from Small to Large Scales: Lecture Notes of the LesHouches Summer School, 95, Aug. 2010.
[31] H.-K. Lo and H. F. Chau. Unconditional security of quantum key distribution over arbitrarilylong distances. Science, 283(5410):2050–2056, 1999.
[32] D. Mayers. Unconditional security in quantum cryptography. J. ACM, 48(3):351–406, 2001.
63
[33] D. Mayers and A. Yao. Quantum cryptography with imperfect apparatus. In Proc. 39th FOCS,pages 503–509, 1998.
[34] M. McKague. Self-testing graph states. arXiv:1010.1989, 2010.
[35] C. A. Miller and Y. Shi. Optimal robust self-testing by binary nonlocal XOR games. In S. Sev-erini and F. G. S. L. Brandão, editors, 8th Conference on the Theory of Quantum Computation,Communication and Cryptography, TQC 2013, May 21-23, 2013, Guelph, Canada, volume 22 ofLIPIcs, pages 254–262. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2013. Full ver-sion: arXiv:1207.1819.
[36] M. Müller-Lennert, F. Dupuis, O. Szehr, S. Fehr, and M. Tomamichel. On quantum Rényientropies: a new definition and some properties, June 26 2013. arXiv:1306.3142. Comment:several conjectures are resolved; see also arXiv:1306.5358 and arXiv:1306.5920.
[37] J. Naor and M. Naor. Small-bias probability spaces: Efficient constructions and applications.SIAM Journal on Computing, 22(4):838–856, 1993.
[38] C. Nayak, S. H. Simon, A. Stern, M. Freedman, and S. Das Sarma. Non-abelian anyons andtopological quantum computation. Rev. Mod. Phys., 80:1083–1159, Sep 2008.
[39] M. Pawłowski, T. Paterek, D. Kaszlikowski, V. Scarani, A. Winter, and M. Zukowski. Infor-mation causality as a physical principle. Nature, 461:1101–1104, 10 2009.
[40] N. Perlroth, J. Larson, and S. Shane. N.S.A. able to foil basic safeguards of privacy on web.The New York Times, September 5, 2013.
[41] S. Pironio, A. Acín, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich, P. Maunz, S. Olm-schenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe. Random numbers certified by Bell’stheorem. Nature, 464:1021–1024, 2010.
[42] S. Pironio and S. Massar. Security of practical private randomness generation. Phys. Rev. A,87:012336, Jan 2013.
[43] G. Pisier and Q. Xu. Non-commutative Lp-spaces. In Handbook of the geometry of Banach spaces,Vol. 2, pages 1459–1517. North-Holland, Amsterdam, 2003.
[44] B. W. Reichardt, F. Unger, and U. Vazirani. Classical command of quantum systems. Nature,496:456–460, April 2013.
[45] R. Renner. Security of Quantum Key Distribution. PhD thesis, ETH, 2005. arXiv:0512258.
[46] T. Ristenpart and S. Yilek. When good randomness goes bad: Virtual machine reset vulnera-bilities and hedging deployed cryptography. In NDSS. The Internet Society, 2010.
[47] P. W. Shor and J. Preskill. Simple proof of security of BB84 quantum key distribution protocol.Phys. Rev. Lett., 85:441–444, 2000.
[48] A. Smith. Scrambling adversarial errors using few random bits, optimal information recon-ciliation, and better private codes. In N. Bansal, K. Pruhs, and C. Stein, editors, Proceedings ofthe Eighteenth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2007, New Orleans,Louisiana, USA, January 7-9, 2007, pages 395–404. SIAM, 2007.
64
[49] M. Tomamichel, R. Colbeck, and R. Renner. A fully quantum asymptotic equipartition prop-erty. IEEE Transactions on Information Theory, 55(12):5840–5847, 2009.
[50] M. Tomamichel, R. Colbeck, and R. Renner. Duality between smooth min- and max-entropies.IEEE Transactions on Information Theory, 56:4674–4681, 2010.
[51] M. Tomamichel and R. Renner. Uncertainty relation for smooth entropies. Physical ReviewLetters, 106:110506, 2011.
[52] L. Trevisan. Extractors and pseudorandom generators. J. ACM, 48(4):860–879, July 2001.
[53] U. Vazirani and T. Vidick. Fully device independent quantum key distribution. In Proceedingsof The 5th Innovations in Theoretical Computer Science (ITCS), 2014. arXiv:1210.1810v2.
[54] U. V. Vazirani and T. Vidick. Certifiable quantum dice: or, true random number generationsecure against quantum adversaries. In H. J. Karloff and T. Pitassi, editors, Proceedings of the44th Symposium on Theory of Computing Conference, STOC 2012, New York, NY, USA, May 19 -22, 2012, pages 61–76. ACM, 2012.
[55] T. Vidick. Personal Communication, 2014.
[56] R. F. Werner and M. M. Wolf. All-multipartite Bell-correlation inequalities for two dichotomicobservables per site. Phys. Rev. A, 64(3):32112, September 2001.
[57] M. M. Wilde, A. Winter, and D. Yang. Strong converse for the classical capacity ofentanglement-breaking channels. arXiv:1306.1586, 2013.
65
![arXiv:1610.02431v1 [cs.CV] 7 Oct 2016homepages.inf.ed.ac.uk/hbilen/assets/pdf/Mahendran16.pdf · puter vision, the community faces the challenge of obtaining sufficiently large quantities](https://img.pdfslide.us/doc/110x75/5f075fbe7e708231d41caa5e/arxiv161002431v1-cscv-7-oct-puter-vision-the-community-faces-the-challenge.jpg)
![Modeling of Solidification of Metal-Matrix Particulate ...user.engineering.uiowa.edu/~becker/documents.dir/FellerCB.pdfHan and Hunt[9,10] found that for a sufficiently small spacing](https://img.pdfslide.us/doc/110x75/601397b12da80a5713504752/modeling-of-solidiication-of-metal-matrix-particulate-user-beckerdocumentsdirfellercbpdf.jpg)
