Local Randomness: Examples and Application

Abstract

When two players achieve a superclassical score at a nonlocal game, their outputs must contain intrinsic randomness. This fact has many useful implications for quantum cryptography. Recently it has been observed (C. Miller, Y. Shi, Quant. Inf. & Comp. 17, pp. 0595-0610, 2017) that such scores also imply the existence of local randomness — that is, randomness known to one player but not to the other. This has potential implications for cryptographic tasks between two cooperating but mistrustful players. In the current paper we bring this notion toward practical realization, by offering a near-optimal bound on local randomness for the CHSH game, and also proving the security of a cryptographic application of local randomness (single-bit certified deletion).

Device-independent quantum cryptography [8, 10] is based on the observation that any Bell inequality violation guarantees the existence of intrinsic randomness. In particular, the outputs of such an inequality are known to be unpredictable to an arbitrary adversary. Work in this field over more than a decade has culminated in recent proofs of security for quantum key distribution and randomness expansion that are immune to any errors in quantum hardware [22, 23, 11, 13, 7, 5].

It has more recently been observed [12] that when two spatially separated parties violate a Bell inequality, then the outputs of either player must contain some unpredictability to the other player. Whereas global randomness (randomness possessed by both parties) is useful in cryptographic tasks in which two players are cooperating, local randomness (randomness possessed by one party and unknown to the other) is potentially useful in cryptographic settings where the parties are interacting but do not trust one another. This invites an exploration of quantum cryptographic protocols that are immunized both against imperfections in the quantum hardware and (possibly coordinated) cheating by one of the players.

Suppose that a nonlocal game G with complete support¹ is played by two players, Alice and Bob, where Alice’s input and output alphabets are $\mathcal{A}$ and $\mathcal{X}$, respectively, and Bob’s input and output alphabets are $\mathcal{B}$ and $\mathcal{Y}$, respectively. A referee chooses an input pair (a, b) according to a fixed distribution and distributes a to Alice and b to Bob, who return x and y respectively. The results of [12] assert that if the expected score of Alice and Bob’s strategy exceeds the best possible classical score by, then Bob will not be able to guess Alice’s output with probability better than (1 − Ω_G(ε²)), even if he were given Alice’s input. In other words, the pair (a, x) is necessarily more random to Bob than the input letter a alone. This is an example of blind randomness expansion, where the word “blind” is used because one player is blind to the randomness generated by the other. (This can be compared to the notion of “bound randomness” in the three-party setting of [1].)

The results of [12] are highly general but numerically weak. The goals of the current paper are (1) to demonstrate techniques that prove numerically strong bounds on local randomness, and (2) to demonstrate the power of local randomness by proving security for a specific application (one-shot certified deletion). Our study is focused on two example games, the CHSH game and the Magic Square game.

Sections 1–3 review some necessary background and then outline the Navascues-Pironio-Acin (NPA) hierarchy [14], which has been previously used to prove lower bounds on global randomness [15]. The key difference in the case of local randomness is that we must bound the behavior of a party (Bob) who is making two sequential measurements on a single system, rather than a single measurements on two separated systems as in the case of global randomness. Fortunately, the NPA hierarchy can be adapted to handle sequential measurements, as observed in [6, 16]. Using such an adapted approach, we compute a function F such that any superclassical score of s at the CHSH game guarantees that Bob cannot recover Alice’s output with probability greater than F (s). The function F that we obtain is shown to be optimal within a margin of 0.02. (See Figure 1).

Figure 1.

Plot of the upper bound of P₂ against P₁ ∈ (0.75, 0.85).

A downside of the CHSH game is that, even when a perfectly optimal strategy is used by Alice and Bob, Bob still has approximately an 85% chance of guessing Alice’s output bit. For some cryptographic purposes it is more useful for the player to have a bit that approximates a perfect coin flip. In Section 4 we study the Magic Square game. This game is large enough that is computationally difficult to apply the methods from Sections 2–3, and so instead we apply the notion of quantum rigidity, which asserts that certain nonlocal games have unique winning strategies. It was recently shown that the Magic Square game [25] is rigid. We build off of the proof in [25] to show that in any strategy for Magic Square which achieves an expected score of 1 – ε, Alice obtains a bit that Bob cannot guess with probability greater than $1/2+O(\sqrt{\epsilon })$. (See Corollary 3.)

Lastly, in Section 5 we provide an initial application of device-independent local randomness by showing that it enables single-bit certified deletion. In this cryptographic problem, Bob possesses an encrypted bit $\boxed{m}$ which could be read with a key, k, possessed only by Alice, and the goal is for Alice and Bob to interact through classical communication only so that Bob can certifiably delete his copy of $\boxed{m}$. The resulting deleted state must be unreadable even if Bob were to later learn k. We prove that any multi-use device that performs well at the Magic Square game can be used for certified deletion. A formal statement is given in Theorem 4. Roughly, the probability that Bob can recover the bit m after deletion is shown to be no more than $\frac{1}{2}+O(\sqrt{\epsilon })$, where ε denotes the average probability that the device loses the Magic Square game, and the probability that Bob can recover m before deletion is 1 − O(ε).

Our result can be compared to other cryptographic tasks for mistrustful parties in the device-independent setting. Coin-flipping and bit commitment have been proven in the device-independent setting [19, 4, 3] with constant (rather than vanishing) bias. Also, strong cryptographic primitives have been proven under additional assumptions such as limited quantum storage [9, 18, 17] and relativistic assumptions [2]. Exploring the upper limits of device-independence in the mistrustful setting appears to be an interesting open problem.

1 Preliminaries

In this section, we introduce the concepts that formally define nonlocal games and related notations used through out this paper, starting with the definition of a 2-player correlation.

Our notation follows [12]. A 2-player (input-output) correlation is a vector (P (xy|ab)) of nonnegative reals, indexed by $a,b,x,y\in \mathcal{A}\times \mathcal{B}\times \mathcal{X}\times \mathcal{Y}$, satisfying ${\displaystyle {\sum }_{xy}P(xy|ab)=1}$ for all pairs (a, b). We denote by $\mathcal{A}$ the set of all inputs to Alice and by $\mathcal{B}$ the set of all inputs to Bob. The output sets are denoted by $\mathcal{X}$ and $\mathcal{Y}$ for Alice and Bob, respectively. The correlation should satisfy the no-signaling condition, which is that the quantities

$$P(x|a):={\displaystyle {\sum }_{y}P(xy|ab)},P(y|b):={\displaystyle {\sum }_{x}P(xy|ab)}$$ (1)

are independent of b and a, respectively.

A 2-player game is a pair (q, H) where

$$q:\mathcal{A}\times \mathcal{B}\to [0,1]$$ (2)

is a probability distribution and

$$H:\mathcal{A}\times \mathcal{B}\times \mathcal{X}\times \mathcal{Y}\to [0,1]$$ (3)

is a function. If q(a, b) ≠ 0 for all $a\in \mathcal{A}$ and $b\in \mathcal{B}$, the game is said to have a complete support. The expected score associated to such a game for a 2-player correlation (P(xy|ab)) is

$${\displaystyle \sum _{a,b,x,y}q(a,b)H(a,b,x,y)}P(xy|ab).$$ (4)

We extend the notation by writing $q(a)={\displaystyle {\sum }_{b}q(a,b),q(b)}={\displaystyle {\sum }_{a}q(a,b)}$.

A 2-player strategy is a 5-tuple

$$\mathrm{\Gamma }=(D,E,{\left\{{\left\{A_{ax}\right\}}_x\right\}}_a,{\left\{{\left\{B_{by}\right\}}_y\right\}}_b,\mathrm{\Psi })$$ (5)

such that D, E are finite dimensional Hilbert spaces, {{A_ax}_x}_a is a family of $\mathcal{X}$-valued positive operator valued measures (POVMs) on D (indexed by $\mathcal{A}$), {{B_by}_y}_b is a family of $\mathcal{Y}$-valued positive operator valued measures on E, and Ψ is a density operator on D ⊗ E. In this paper, we assume without loss of generality that Ψ is pure, written as Ψ = |ψ〉 〈ψ|, and that the operators A_ax and B_by are all projectors. We say that the strategy Γ achieves the 2-player correlation (P (xy|ab)) if P (xy|ab) = Tr[Ψ(A_ax ⊗ B_by)] for all a, b, x, y.

2 Navascues-Pironio-Acin hierarchy

The Navascues-Pironio-Acin hierarchy, or NPA hierarchy, was introduced to characterize quantum correlations. We briefly sketch the idea behind the hierarchy and refer the reader to [14] for the formal treatment. The NPA hierarchy is an infinite series of conditions which must be satisfied by any quantum correlation.

In the measurement scenario, we assume Alice and Bob share state |ψ〉 and will apply some measurements determined by the inputs. For compatibility with [14], we use a different notation in this section and assume that each output letter is associated to a unique input letter — i.e., each output letter $x\in \mathcal{X}$ is uniquely associated to a single input A(x). If Alice is given input a, then her only valid outputs are those for which A(x) = a.

A behavior P in this measurement scenario is a set of nonnegative values such that ${\displaystyle {\sum }_{x\in A^{-1}(a),y\in B^{-1}(b)}P(x,y)=1}$ for any $a\in \mathcal{A}$, $b\in \mathcal{B}$. (This is essentially the same as a correlation, but more simply expressed.) The definition of a quantum behavior is as follows.

Definition 1

A behavior P is a quantum behavior if there exists a pure state |ψ〉 in a Hilbert space $\mathcal{H}$, a set of measurement operators $\{E_x:x\in \mathcal{X}\}$ for Alice, and a set of measurement operators $\{E_y:y\in \mathcal{Y}\}$ for Bob, such that $\forall x\in \mathcal{X}$ and $\forall y\in \mathcal{Y}$

$$P(x,y)=\langle \psi \left|E_x{E}_y\right|\psi \rangle ,$$ (6)

with the measurement operators E satisfying

1. $E_x^{†}=E_x$ and $E_y^{†}=E_y$,

2. $E_x{E}_{\overline{x}}={\delta }_{x\overline{x}}{E}_{x}ifA(x)=A(\overline{x})$ and $E_y{E}_{\overline{y}}={\delta }_{y\overline{y}}{E}_{y}ifB(y)=B(\overline{y})$,

3. ${\displaystyle {\sum }_{x\in A^{-1}(a)}{E}_x=\mathbb{I}}$ and ${\displaystyle {\sum }_{y\in B^{-1}(b)}{E}_y=\mathbb{I}}$ for all a, and

4. [E_x, E_y] = 0.

The set of all the quantum behaviors is denoted by Q.

The first three properties ensure that the operators E_x and E_y are projectors and define proper measurements. The fourth property ensures that the measurements by Alice and Bob do not interfere with one another. This definition is similar to the definition of a quantum correlation, but is based on commutativity rather than bipartiteness. Under these definitions, every quantum correlation yields a quantum behavior (i.e., by setting $E_x=A_{ax}\otimes \mathbb{I}$, $E_y=\mathbb{I}\otimes B_{by}$) but not necessarily vice versa [20].

The idea of the hierarchy is that if we let $\mathcal{O}$ be any finite set of operators that can be expressed as finite products of elements of the set {E_x}_x ∪ {E_y}_y (for example, E_x or E_xE_y E_y′), then the matrix Γ given by

$${\mathrm{\Gamma }}_{ij}=\langle \psi \left|O_i^{†}{O}_j\right|\psi \rangle$$ (7)

where O_i, O_j vary over the elements of $\mathcal{O}$, must be positive semidefinite. Additionally, there are some independent equalities (which depend on the setting) which must be satisfied by the entries of Γ.

We define a sequence of such matrices (certificates) as follows. Since some of the O_i’s can be expressed in multiple ways as products of operators from {E_x}_x ∪ {E_y}_y, we define the length of the operator to be the minimum number of projectors needed to generate it. For any k ≥ 1, the kth certificate matrix Γ^(k) is the matrix associated to the set $\mathcal{O}$ of all operators of length at most k. The fact that Γ^(k) must be positive semidefinite constrains the possible entries in Γ^(k), and in particular constrains the values P (x, y) = 〈ψ | E_xE_y | ψ〉 which can occur in a quantum behavior. Thus we obtain a hierarchy of constraints on the set of all quantum behaviors.

Measuring the amount of local randomness after a nonlocal game is not as simple as constraining quantum behaviors (Definition 1) since in particular, measurements that Bob uses to guess Alice’s output may not commute with the the measurements he used to play the game. Fortunately, the NPA hierarchy can also be adapted to scenarios which involve sequential measurements [6, 16]. In the next section, we apply an adaptation of the NPA hierarchy to study local randomness for the CHSH game.

3 Local randomness from the NPA hierarchy

The goal of this section is to derive an upper bound on Bob’s probability of guessing Alice’s after playing the CHSH game with her. First, Alice gets input $a\in \mathcal{A}$ and outputs $x\in \mathcal{X}$. Bob gets input $b\in \mathcal{B}$ and outputs $y\in \mathcal{Y}$. Then, Bob gets Alice’s input a and outputs $x\in {\mathcal{X}}^{\prime }$.

As usual, we assume that Alice and Bob share some pure state |ψ〉. Alice’s projective measurement for input a and output x is A_ax. Similarly, the projective measurement operator for input b and output y is B_by.

The winning probability of the CHSH game is

$$\begin{gathered} P_1=1/4(Pr(00|00)+Pr(11|00)+Pr(00|01)+Pr(11|01) \\ +Pr(00|10)+Pr(11|10)+Pr(01|11)+Pr(10|11)), \end{gathered}$$ (8)

where Pr(xy|ab) = 〈ψ|A_axB_by|ψ〉. Since for any input a and b, $A_{a1}=\mathbb{I}-A_{a0}$ and $B_{a1}=\mathbb{I}-B_{b0}$, we can express P₁ in terms of the projectors as

$$P_1=\langle \psi |\left(\frac{3}{4}-\frac{1}{2}{A}_{00}-\frac{1}{2}{B}_{00}+\frac{1}{2}{A}_{00}{B}_{00}+\frac{1}{2}{A}_{00}{B}_{10}+\frac{1}{2}{A}_{10}{B}_{00}-\frac{1}{2}{A}_{10}{B}_{10}\right)|\psi \rangle .$$ (9)

When Bob wants to guess Alice’s output x given a and b, the probability that he can guess correctly is

$$\begin{gathered} P_2 \\ =1/4{\displaystyle \sum _{b,y}(\mathrm{Pr}(0y0|0b)+\mathrm{Pr}(1y1|0b)+\mathrm{Pr}(0y0|1b)+\mathrm{Pr}(1y1|1b))} \end{gathered}$$ (10)

where

$$\begin{gathered} Pr(xy{z}^{\prime }|ab)=\langle \psi |A_{ax}^{†}{B}_{by}^{†}{B^{\prime }}_{\mathit{abx}\prime }^{†}{B}_{\mathit{abx}\prime }^{\prime }{B}_{by}{A}_{ax}|\psi \rangle \\ =\langle \psi |A_{ax}^{†}{B}_{by}^{†}{B}_{\mathit{abx}\prime }^{\prime }{B}_{by}|\psi \rangle . \end{gathered}$$ (11)

The measurement ${\left\{{\left\{B_{\mathit{abx}}^{\prime }\right\}}_{x\prime }\right\}}_{ab}$ is a set of measurements indexed by $(a,b)\in \mathcal{A}\times \mathcal{B}$,² The two measurements {{B_by}_y}_b and ${\left\{{\left\{B_{\mathit{abx}\prime }^{\prime }\right\}}_{x\prime }\right\}}_{ab}$ commute with {{A_ax}_x}_a.

The probability P₂ can be expressed in terms of the projectors as

$$P_2=\frac{1}{4}\langle \psi |S|\psi \rangle$$ (12)

where

$$\begin{gathered} \frac{1}{4}S=\mathbb{I}-\frac{1}{2}(A_{00}+A_{10})-\frac{1}{4}(B_{000}^{\prime }+B_{010}^{\prime }+B_{100}^{\prime }+B_{110}^{\prime }) \\ +\frac{1}{2}(A_{00}{B}_{000}^{\prime }+A_{00}{B}_{010}^{\prime }+A_{10}{B}_{100}^{\prime }+A_{10}{B}_{110}^{\prime }) \\ +\frac{1}{4}(B_{00}{B}_{000}^{\prime }+B_{000}^{\prime }{B}_{00}+B_{10}{B}_{010}^{\prime }+B_{010}^{\prime }{B}_{10}+B_{00}{B}_{100}^{\prime }+B_{100}^{\prime }{B}_{00}+B_{10}{B}_{110}^{\prime }+B_{110}^{\prime }{B}_{10}) \\ -\frac{1}{2}(A_{00}{B}_{00}{B}_{000}^{\prime }+A_{00}{B}_{000}^{\prime }{B}_{00}+B_{00}{B}_{000}^{\prime }{B}_{00})-\frac{1}{2}(A_{00}{B}_{10}{B}_{010}^{\prime }+A_{00}{B}_{010}^{\prime }{B}_{10}+B_{10}{B}_{010}^{\prime }{B}_{10}) \\ -\frac{1}{2}(A_{10}{B}_{00}{B}_{100}^{\prime }+A_{10}{B}_{100}^{\prime }{B}_{00}+B_{00}{B}_{100}^{\prime }{B}_{00})-\frac{1}{2}(A_{10}{B}_{10}{B}_{110}^{\prime }+A_{10}{B}_{110}^{\prime }{B}_{10}+B_{10}{B}_{110}^{\prime }{B}_{10}) \\ +A_{00}{B}_{00}{B}_{000}^{\prime }{B}_{00}+A_{00}{B}_{10}{B}_{010}^{\prime }{B}_{10}+A_{10}{B}_{00}{B}_{100}^{\prime }{B}_{00}+A_{10}{B}_{10}{B}_{110}^{\prime }{B}_{10}. \end{gathered}$$ (13)

Here we use the relation $B_{ab1}^{\prime }=\mathbb{I}-B_{ab0}^{\prime }$ as well.

To derive the semidefinite programming instance, the constraints include the expression of P₁ and the commutation relations. We use the third-order certificate to maximize P₂ for a given P₁ and get the following plot.

The data points from left to right are 1.0115, 0.995645, 0.977018, 0.95783, 0.938371, 0.918742, 0.898992, 0.879149 and 0.859229. The plot above is an upper bound on Bob’s guessing probability. In order to determine how close it is to the actual guessing probability, we will next find a lower bound of the guessing probability.

First note that the optimal strategy for CHSH involves Alice and Bob sharing a Bell state $|{\Phi }^{+}\rangle =\frac{1}{\sqrt{2}}\left(|00\rangle +|11\rangle \right)$, and Alice performing the X or Z measurement when her input is 0 or 1, respectively, and Bob performing the $(X+Z)/\sqrt{2}$ or $(X-Z)/\sqrt{2}$ measurement when his input is 0 or 1, respectively. This strategy achieves a score of $\frac{1}{2}+\frac{\sqrt{2}}{4}$ at CHSH, and moreover Bob can guess Alice’s output given her input with probability $\frac{1}{2}+\frac{\sqrt{2}}{4}$, by simply guessing x ⊕ (a∧b).

Consider the scenario where Alice and Bob share a random coin R. With probability r or 1 − r, the coin R has value 0 or 1, respectively. If R = 0, then Alice and Bob always output 0, and if R = 1, then Alice and Bob play the optimal CHSH strategy. In the former case, Bob can perfectly guess Alice’s output, while in the latter case, he can guess her output with probability $\frac{1}{2}+\frac{\sqrt{2}}{4}$.

Therefore, the expressions of P₁ and P₂ in terms of r for this strategy are

$$P_1(r)=\frac{3}{4}r+\frac{2+\sqrt{2}}{4}(1-r)$$ (14)

and

$$P_2(r)=1\cdot r+\frac{2+\sqrt{2}}{4}(1-r).$$ (15)

Then the expression of P₂ in terms of P₁ is

$$P_2=1+\frac{3\sqrt{2}}{4}-\sqrt{2}{P}_1.$$ (16)

Combining the lower and upper bound, we get the plot in Figure 2.

Figure 2.

Plot of the lower and upper bounds of P₂ against P₁ ∈ (0.75, 0.85).

The optimal (blind) rate curve for CHSH must lie in between the red and blue curves in Figure 2.

4 Local randomness from rigidity

For games with larger alphabets than the CHSH game, using the above adaptation of the NPA hierarchy is more difficult because of the size of the certificates. In the current section we explore how techniques from quantum rigidity can be used to prove blind rate curves. The approach in the current section requires less computation than the NPA hierachy approach, and although the rate curve we achieve lacks the near-optimal properties of our rate curve for CHSH (Figure 1), it is still optimal as the score threshold approaches the optimal quantum score.

We study the Magic Square game, which, like CHSH, is a game with two players, Alice and Bob. The input alphabets for Alice and Bob are $\mathcal{A}=\mathcal{B}=\{0,1,2\}$, and the output alphabets are the sets of bit strings $\mathcal{X}=\{000,011,101,110\}$ for Alice and $\mathcal{Y}=\{100,010,001,111\}$ for Bob. The game is won if the inputs a, b and outputs x, y satisfy x_b = y_a, meaning that the b-th bit of x equals the a-th bit of y.

A strategy for the Magic Square game consists of a pure state $|\psi \rangle \in {\mathcal{H}}_A\otimes {\mathcal{H}}_B$, and projective measurement families {{A_ax}_x}_a on ${\mathcal{H}}_A$ and {{B_by}_y}_b on ${\mathcal{H}}_B$. Note that we can let

$$F_{ab}^z={\displaystyle \sum _{x_b=z}{A}_{ax}}$$ (17)

$$G_{ab}^z={\displaystyle \sum _{y_a=z}{B}_{by}}$$ (18)

$$F_{ab}=F_{ab}^0-F_{ab}^1$$ (19)

$$G_{ab}=G_{ab}^0-G_{ab}^1,$$ (20)

and then the measurements will satisfy Π_aF_ab = I, Π_aG_ab = −I, [F_ab, F_ab′] = 0, [G_ab, G_a′b′] = 0. The measurement operators A_ax and B_by can be recovered from {F_ab}, {G_ab}, and thus to specify a strategy it suffices to specify |ψ〉, {F_ab}, {G_ab}. We refer to the triple (|ψ〉, {F_ab}, {G_ab}) as a reflection strategy for the Magic Square game.

The next proposition asserts that in a high-performing strategy, if Alice measures with F_ab and Bob measures with G_a′b′, with a ≠ a′, b ≠ b′, then the outcome of Alice’s measurement is nearly undetectable to Bob. The proof builds on the recent rigidity proof for the Magic Square game [25].

Proposition 2

Let a, a′, b, b′ ∈ {0, 1, 2}, z ∈ {0, 1} be such that a ≠ a′, b ≠ b′. Let (|ψ〉, {F_ab}, {G_ab}) be a reflection strategy for the Magic Square game which achieves an expected score of 1 − δ. Then, the post-measurement states

$${\text{Tr}}_A\left[(F_{ab}^0\otimes G_{a^{\prime }{b}^{\prime }}^z)|\psi \rangle \langle \psi |(F_{ab}^0\otimes G_{a^{\prime }{b}^{\prime }}^z)\right]$$ (21)

and

$${\text{Tr}}_A\left[(F_{ab}^1\otimes G_{a^{\prime }{b}^{\prime }}^z)|\psi \rangle \langle \psi |(F_{ab}^1\otimes G_{a^{\prime }{b}^{\prime }}^z)\right]$$ (22)

are separated by trace distance at most $O(\sqrt{\delta })$.

Proof

By symmetry, it suffices to address the single case where a = b = 0, a′ = b′ = 1, z = 0, so we will assume those values from now on. From Appendix C in [25], we have the following inequalities:

$$\Vert F_{00}\otimes G_{00}|\psi \rangle -|\psi \rangle \Vert \le O(\sqrt{\delta })$$ (23)

$$\Vert F_{11}\otimes G_{11}|\psi \rangle -|\psi \rangle \Vert \le O(\sqrt{\delta })$$ (24)

$$\Vert F_{00}\otimes G_{11}|\psi \rangle +F_{11}\otimes G_{00}|\psi \rangle \Vert \le O(\sqrt{\delta })$$ (25)

Let $|\psi \rangle ={\displaystyle {\sum }_{ij}{\psi }_{ij}}|ij\rangle$ and let $R:{\mathcal{H}}_A\to {\mathcal{H}}_B$ be defined by $R={\displaystyle {\sum }_{ij}{\psi }_{ij}|j\rangle }\langle i|$. Our goal then translates into the following: we wish to show that

$${\Vert G_{11}^{0}R{F}_{00}^0{R}^{\ast }{G}_{11}^0-G_{11}^{0}R{F}_{00}^1{R}^{\ast }{G}_{11}^0\Vert }_1\le O(\sqrt{\delta }),$$ (26)

or equivalently,

$${\Vert \left(\frac{G_{11}+I}{2}\right)R{F}_{00}{R}^{\ast }\left(\frac{G_{11}+I}{2}\right)\Vert }_1\le O(\sqrt{\delta }),$$ (27)

Observe the following inequalities, where we use inequalities (23)–(25) and the Cauchy-Schwarz inequality ||BC||₁ ≤ ||B||₂ ||C||₂, combined with the fact that ||R||₂ = 1. Let the expression $S{=}_{O(\sqrt{\epsilon })}T$ denote $\left|\right|S-T|{|}_1\le O(\sqrt{\epsilon })$.

$$\begin{array}{c}\left(\frac{G_{11}+I}{2}\right)R{F}_{00}{R}^{\ast }\left(\frac{G_{11}+I}{2}\right)=\frac{1}{4}(G_{11}R{F}_{00}{R}^{\ast }{G}_{11}+G_{11}R{F}_{00}{R}^{\ast }+R{F}_{00}{R}^{\ast }{G}_{11}+R{F}_{00}{R}^{\ast })\\ =O\sqrt{\epsilon }\frac{1}{4}(G_{11}R{F}_{00}{R}^{\ast }{G}_{11}-G_{00}R{F}_{11}{R}^{\ast }-R{F}_{11}{R}^{\ast }{G}_{00}+R{F}_{00}{R}^{\ast })\\ =O\sqrt{\epsilon }\frac{1}{4}(G_{11}R{F}_{00}{R}^{\ast }{G}_{11}-G_{00}R{R}^{\ast }{G}_{11}-G_{11}R{R}^{\ast }{G}_{00}+R{F}_{00}{R}^{\ast })\\ =O\sqrt{\epsilon }\frac{1}{4}(G_{11}R{F}_{00}{R}^{\ast }{G}_{11}-R{F}_{00}{R}^{\ast }{G}_{11}-G_{11}R{F}_{00}{R}^{\ast }+R{F}_{00}{R}^{\ast })\\ =O\sqrt{\epsilon }\left(\frac{I-G_{11}}{2}\right)R{F}_{00}{R}^{\ast }\left(\frac{I-G_{11}}{2}\right).\end{array}$$

Since the operator in the first term in this chain of approximations has orthogonal support from the operator in the last chain, we therefore have

$${\Vert \left(\frac{G_{11}+I}{2}\right)R{F}_{00}{R}^{\ast }\left(\frac{G_{11}+I}{2}\right)\Vert }_1\le O(\sqrt{\epsilon }),$$ (28)

as desired. □

The next corollary follows easily.

Corollary 3

Let $\left(|\psi \rangle ,{\left\{{\left\{A_{ax}\right\}}_x\right\}}_a,{\left\{{\left\{B_{by}\right\}}_y\right\}}_b\right)$ be a strategy for the Magic Square game which achieves an expected score of 1 − δ. Let a, b, b′ ∈ {1, 2, 3} be such that b ≠ b′, and suppose that the strategy is executed on inputs a, b and outputs x, y are obtained. Then the probability that Bob can subsequently guess x_b′ given b′ is no more than $\frac{1}{2}+O(\sqrt{\delta })$.

5 The deletion certification protocol

We next focus on the problem of certified deletion, which we describe as follows. Alice wishes to interact with an untrusted device (D^a) and a second party (Bob) so as to prepare for herself a random bit m and a classical string k, such that after the interaction is complete the following conditions hold:

1. If Alice were to give k to Bob immediately, then Bob could recover the bit m.

2. There is a deletion procedure that Alice and Bob can carry out, involving classical communication only, such that after the protocol is over Bob will not be able to recover m even if he were given k.

Note that this procedure can be used as a form of encryption: if Alice has a predetermined secret message bit y ∈ {0, 1} which she wishes to encrypt, then she can execute the same preparation procedure and then transmit the XOR bit y ⊕ m to Bob. Recovering or deleting y is then equivalent to recovering or deleting m.

Variants of this problem have been studied in other settings (e.g., [21] in a computational setting, [18, 9] in a bounded storage model). Our setting is the device-independent setting, where the honest user Alice does not trust the quantum processes used in the protocol. Our protocol is based on the Magic Square game. We make the following assumptions:

1. Alice and Bob possess an untrusted 2-part device D = (D^a, D^b) which is compatible with the Magic Square game.

2. Alice has the ability to generate private (trusted) randomness.

3. Alice’s device D^a does not communicate information to Bob or to D^b once the protocol is underway.

4. Alice and Bob have the ability to communicate classically.

No assumptions are made about Bob’s behavior — in particular, he may perform arbitrary operations on any quantum information that is contained inside of the device D^b that he possesses.³

It is helpful to change notation from the previous section. The protocol will contain a sequence of inputs to the Magic Square game which will be denoted by $\mathit{v}=(v_1,v_2,\dots ,v_n)=(v_1^a,v_1^b,\dots ,v_n^a,v_n^b)$. The sequence of the outputs will be $\mathit{h}=(h_1,h_2,\dots ,h_n)=(h_1^a,h_1^b,\dots ,h_n^a,h_n^b)$. The initial preparation protocol is given Figure 3.

Figure 3.

The preparation protocol (PREP)

We wish to show first that it is possible for Bob to determine m if he were given k. This is straightforward: if the device D = (D^a, D^b) were such that it wins the Magic Square game with probability 1 at each use, then the protocol in Figure 4 successfully determines m with probability 1 – ε.

Figure 4.

The recovery protocol (REC)

Next we wish to show that there is a protocol which makes m unrecoverable for Bob (even while it allows Bob to know the key k after the protocol is completed, and allows him to have access to all remaining quantum information in the device D^b). We use the protocol DEL in Figure 5, which is also meant to follow the protocol PREP in Figure 3. The protocol has Bob play his side of the Magic Square game and then has Alice check the resulting score. Then at the conclusion of the protocol, Alice reveals the key k to Bob (which is merely a convenience for stating the security of the protocol).

Figure 5.

The deletion protocol (DEL)

Note that at step 4 in Figure 5, the interactions must be done in sequence (i.e., Alice waits to receive $h_i^b$ before revealing $v_{i+1}^b$). Bob can use his device D^b to obtain his outputs, but we do not require that.

The following theorem asserts the security of the deletion protocol DEL. Let SUCC denote the event that Alice “accepts” at step 5 in Figure 5.

Theorem 4

Assume that P (SUCC) > 0 in protocol DEL. Then, the probability that Bob can guess m at the conclusion of the protocol, conditioned on SUCC, is upper bounded by

$$\frac{1}{2}+O(\sqrt{\epsilon +N^{-1/4}})+\frac{e^{-\mathrm{\Omega }(\sqrt{N})}}{P(\mathit{SUCC})}.$$ (29)

For the proof of Theorem 4, we will need the following lemma.

Lemma 5

Let I_i denote indicator variable for the event that the ith round is won. Let

$$I_i^{\prime }=E(I_i|I_{i-1}{I}_{i-2}\cdots I_1),$$ (30)

and $\mathit{let}{\overline{I}}^{\prime }=({\displaystyle {\sum }_i{I}_i^{\prime }})/N$. Then for any μ > 0,

$$Pr(\mathit{SUCC}\wedge ({\overline{I}}^{\prime }<1-\epsilon -\mu ))\le e^{-\frac{N{\mu }^2}{2}}.$$ (31)

Proof

Let $\overline{I}=\left({\displaystyle {\sum }_i{I}_i}\right)/N$. Let

$$Z_i={\displaystyle \sum _{j=1}^i(I_j-I_j^{\prime })}.$$ (32)

Then {Z₀, Z₁, …, Z_N } is a martingale:

$$E(Z_{i+1}|Z_i,\dots ,Z_1)=Z_i+E(I_{i+1}|I_i\cdots I_1)-I_{i+1}^{\prime }=Z_i.$$ (33)

Therefore by Azuma’s inequality, the probability of the event ${\displaystyle {\sum }_i(Z_i)>\mu }$ is upper bounded by $e^{-\frac{N{\mu }^2}{2}}$. The event in inequality (31) implies ${\displaystyle {\sum }_i(Z_i)>\mu }$, and the desired result follows. □

Now we can prove the main theorem of this section.

Proof of Theorem 4

By Corollary 3, for any i and any $c\in \{0,1,2\}\backslash v_i^b$, the probability that Bob can guess the cth bit of $h_i^a$ is upper bounded by $\frac{1}{2}+O(\sqrt{1-I_i^{\prime }})$. Therefore, the probability that Bob can guess m at the conclusion of the protocol DEL is no more than

$$\left[{\displaystyle \sum _{i=1}^N\left(\frac{1}{2}+O(\sqrt{1-I_i^{\prime }})\right)}\right]/N,$$ (34)

which by the concavity of the square root function is upper bounded by

$$\frac{1}{2}+O(\sqrt{1-{\overline{I}}^{\prime }}),$$ (35)

For any μ > 0, we have by Lemma 5,

$$Pr[{\overline{I}}^{\prime }\ge 1-\epsilon -\mu |\mathit{SUCC}]\ge 1-\frac{e^{-N{\mu }^2/2}}{Pr(\mathit{SUCC})},$$ (36)

and therefore, conditioned on SUCC, Bob’s probability of guessing m is upper bounded by

$$\frac{1}{2}+O(\sqrt{\epsilon +\mu })+\frac{e^{-N{\mu }^2/2}}{Pr(\mathit{SUCC})}.$$ (37)

Setting μ = N^−1/4 yields the desired result.