Parallel Device-Independent Quantum Key Distribution

Abstract

A prominent application of quantum cryptography is the distribution of cryptographic keys that are provably secure. Recently, such security proofs were extended by Vazirani and Vidick (Physical Review Letters, 113, 140501, 2014) to the device-independent (DI) scenario, where the users do not need to trust the integrity of the underlying quantum devices. The protocols analyzed by them and by subsequent authors all require a sequential execution of N multiplayer games, where N is the security parameter. In this work, we prove unconditional security of a protocol where all games are executed in parallel. Besides decreasing the number of time-steps necessary for key generation, this result reduces the security requirements for DI-QKD by allowing arbitrary information leakage of each user’s inputs within his or her lab. To the best of our knowledge, this is the first parallel security proof for a fully device-independent QKD protocol. Our protocol tolerates a constant level of device imprecision and achieves a linear key rate.

1. Introduction

Key Distribution (KD) is a task where two parties establish a common secret by communicating through a public channel. It is a necessary step for symmetric key cryptography (i.e., for protocols that require a shared secret) in a setting where a secure communication channel is initially not available. Thus KD is a primitive foundational to information security.

Information theoretically secure KD is impossible for classical protocols (i.e., protocols that exchange bits). Thus all classical solutions must necessarily rely on computational assumptions. Widely used protocols, such as the Diffie-Hellman-Merkle key exchange protocol [11] and those making use of digital signatures (e.g., as in the implementation of Secure Sockets Layer) all rely on the computational security of public key cryptography. The hardness assumptions underlying all known public key cryptography are mathematically unproven. The practical security of these solutions are being challenged on the one hand by the rapidly increasing and widely available high performance computing power, and on the other hand, by new insights into the design flaws. For example, Adrian et al. [1] recently showed how Diffie-Hellman-Merkle could fail in practice. A further threat to all widely used public-key-based KD protocols is that they are not secure against quantum cryptanalysis. With universal quantum computer within sight [10] and quantum-resilient protocols yet to emerge, these challenges call for alternative and fundamentally more secure solutions for KD.

Quantum mechanics provides such a solution. The quantum key distribution (QKD) protocol of Bennett and Brassard [7] and its several subsequent variants have been proved to be unconditionally secure (i.e., against a computationally all-powerful adversary) [19, 18, 26, 25, 6]. Experimental networks implementing QKD have been developed and deployed with increasingly large scales. With the rapid advances of quantum information technologies, QKD protocols may be widely adopted in the near future.

A major challenge for QKD (and other quantum information tasks) is that quantum information is extremely fragile. How could a user of a QKD protocol be sure that the quantum devices are operating according to the specifications? This consideration motivates the field of device-independent (DI) quantum cryptography, pioneered by Ekert [13] and Mayers and Yao [20]. The goal of DI quantum cryptography is to develop protocols and prove security in a strictly black-box fashion, with the only trusted assumption being that quantum physics is correct and complete, and that the users have the ability to restrict information transmission. The field has seen enormous success in recent years, including the achievement of fully device-independent and robust security proofs for QKD [30, 21, 3, 12, 2].

All the known secure DI-QKD protocols are sequential in the following sense. Alice and Bob share a two-part quantum device $D=(D_1,D_2)$, each of which is treated as a black box which accepts classical inputs and returns classical outputs. Alice creates a random input $X_1$, gives it to her device $D_1$, and receives an output $A_1$. Meanwhile, Bob gives a random input $Y_1$ to his device $D_2$ and receives an output $B_1$. This process is repeated sequentially N times to obtain $X_1,\hspace{0.17em}\dots \hspace{0.17em},X_N$, $Y_1,\hspace{0.17em}\dots \hspace{0.17em},Y_N$, $A_1,\hspace{0.17em}\dots \hspace{0.17em},A_N$, $B_1,\hspace{0.17em}\dots \hspace{0.17em},B_N$. (These data are then used to determine whether a certain Bell inequality has been violated, and if so, these registers are then postprocessed using information reconciliation and privacy amplification to obtain the final shared key.) The sequential assumption means specifically that output A_i is recorded before the device gains knowledge of $X_{i+1}$.

The question addressed by the current paper is the following: is the sequential assumption in DI-QKD necessary? We show that, in fact, it can be removed: we prove robust DI-QKD in a more general model where there is no time-ordering assumption on the generation of the outputs $A=(A_1,\hspace{0.17em}\dots \hspace{0.17em},A_N)$ and $B=(B_1,\hspace{0.17em}\dots \hspace{0.17em},B_N)$. The devices may be treated as black boxes which receive their input sequences $X=(X_1,\hspace{0.17em}\dots \hspace{0.17em},X_N)$ and $Y=(Y_1,\hspace{0.17em}\dots \hspace{0.17em},Y_N)$ all at once and return output sequences $A_1,\hspace{0.17em}\dots \hspace{0.17em},A_N$ and $B_1,\hspace{0.17em}\dots \hspace{0.17em},B_N$ all at once (parallel repetition). In particular, we do not require the assumption that $A_i$ is independent of $X_{i+1}$. The only necessary assumption is that the inputs $X_1,\hspace{0.17em}\dots \hspace{0.17em},X_N$ are uniformly random conditioned on any information outside of Alice’s lab, and the inputs $Y_1,\hspace{0.17em}\dots \hspace{0.17em},Y_N$ are uniformly random conditioned on any information outside of Bob’s lab.

Broadening the model for device-independence allows for more flexible implementations of quantum key distribution — in particular, our result shows that before quantum key distribution takes place, arbitrary interaction can be allowed between each player’s input sequence and his or her device. (Indeed, the input sequences can even be re-used from previous experiments, provided that they are completely unknown to the other player and the adversary when the protocol begins.) Our model also allows for any of the Bell experiments in the DI-QKD procedure to be performed simultaneously, which may open the door to faster implementations.

Our work addresses a general theoretical question: what are the minimal assumptions necessary to generate a uniformly random secret between two players? The main result shows that, if we can assume perfect private randomness and trusted classical computation for each player, then Bell nonlocality itself is enough to generate shared keys of arbitrary length.

1.1. The protocol and technical statements

All DI protocols use nonlocal games as building blocks. For our protocol, we use the Magic Square game.

Definition 1.1. The Magic Square game (MSG) is a two-player game in which the input alphabet for both players is $\mathcal{X}=\mathcal{Y}=\{1,2,3\}$, the output alphabet for the first player is $\mathcal{A}=\{000,011,101,110\}$ (the set of all 3 bit strings of even parity), and the output alphabet for the second player is $\mathcal{B}=\{001,010,100,111\}$ (the set of all 3 bit strings of odd parity). The inputs are chosen according to a uniform distribution, and the game is won if the inputs x, y and the outputs a, b satisfy $a_y=b_x$.

The Magic Square game has optimal quantum winning probability 1 and optimal classical winning probability 8/9.

For our device model, we assume that Alice and Bob possess an untrusted two-part quantum device $D=(D_1,D_2)$. The device $D_1$ receives input from the set ${\mathcal{X}}^N$, where N is a positive integer, and gives an output in the set ${\mathcal{A}}^N$. The device $D_2$ receives input from the set ${\mathcal{Y}}^N$ and yields output in the set ${\mathcal{B}}^N$.

Our parallel DI-QKD protocol, MagicQKD, is given in Figure 1. Alice and Bob are the parties who wish to share a key, and Eve is an adversary. It is assumed that the untrusted devices $(D_1,D_2)$ are initially in a pure state with Eve’s side information E (which is the worst-case scenario) and that Eve has access to any communications between Alice and Bob during the protocol. The security parameter N is the number of instances of Magic Square played. The parameter $ϵ$ is a positive rational number. In our proof we show that there is some fixed positive value $ϵ:={ϵ}_0$ (not given explicitly) such that the protocol achieves a positive linear rate of key distribution as N tends to infinity.

Figure 1:

A protocol for key distribution.

Our security proof is based on the following assumptions for the protocol MagicQKD.

Assumption 1. The behavior of the devices $D_1$, $D_2$ and the system E is modeled by quantum physics.

Assumption 2. Alice and Bob have the ability to generate perfect private randomness at steps 1, 2, and 3.

Assumption 3. Any information broadcast by Alice is perfectly received by both Bob and Eve, and any information broadcast by Bob is perfectly received by both Alice and Eve.

Assumption 4. Aside from broadcasts by the players, no information is transmitted from Alice’s laboratory (which contains $D_1$, X, A, R) or from Bob’s laboratories (which contains $D_2$, Y, B, S) once the protocol has started.

Let AliceKey denote the raw key $R_1,\hspace{0.17em}\dots \hspace{0.17em},R_{ϵN}$ possessed by Alice at the end of the protocol MagicQKD, let BobKey denote the raw key $S_1,\hspace{0.17em}\dots \hspace{0.17em},S_{ϵN}$ possessed by Bob, and let Eve denote all information possessed by Eve at the conclusion of the protocol (including her side information E and any information obtained by eavesdropping). Let Γ denote the final state of MagicQKD, and let SUCC denote the event that the protocol succeeds. Then, the smooth min-entropy $H_{min}^{\delta }(AliceKey|Eve,SUCC)$ measures the number of uniformly random bits that can be extracted from AliceKey in Eve’s presence, while the smooth zero-entropy $H_0^{\delta }(AliceKey|BobKey,SUCC)$ measures the least number of bits that Alice needs to publicly reveal in order for Bob to perform information reconciliation and reconstruct AliceKey (see section 3 for details). Therefore, to show security for a quantum key distribution protocol, it suffices to show that the difference between the former quantity and the latter quantity is lower bounded by $\Omega (N)$, for some negligible error term $\delta :=\delta (N)$.

Our main result is the following.

Theorem 1.2. There exists a constant $ϵ:={ϵ}_0>0$ and functions $\delta :=\delta (N)\in 2^{-\Omega (N)}$ and $R(N)\in \Omega (N)$ such that the following always holds for protocol MagicQKD: either

$$\mathbf{P}(SUCC)<\delta$$ (1)

or

$$H_{min}^{\delta }(AliceKey|Eve,SUCC)-H_0^{\delta }(AliceKey|Bobkey,SUCC)\ge R(N).$$ (2)

The proof of this theorem is given in Subsection 5.2. This theorem establishes both robustness and a linear rate for MagicQKD. (The data ${ϵ}_0$, δ, R are are not given explicitly and are left for future work.)

We note that in the protocol we have assumed that all entanglement shared by the devices ($D_1$, $D_2$) is shared before the protocol begins. Practically this may be difficult, since it may require a quantum memory size that grows with N. A model which requires less quantum memory is shown in Figure 2, where the entanglement is periodically updated during step 1 of MagicQKD from an outside entanglement source. (The source and its channels are both untrusted, and the only assumption is that the communication is one-way.) Fortunately this case is also covered by our analysis: a device which behaves as in Figure 2 is equivalent to one in which all transmissions from the entanglement source are sent in advance, and are stored in the components $D_1$ and $D_2$. This illustrates the generality of the parallel model.

Figure 2:

A device model in which Alice’s and Bob’s device receive entanglement from an external source. The dashed arrows indicate public one-way communication.

If we measure time by the number of prepare-and-measure steps executed by the devices, then a speed-up over sequential DI-QKD occurs in Figure 2 if the devices are capable of winning multiple rounds of the Magic Square game at a single iteration. Quantifying how this speed-up affects the key rate (and also how it increases demands on the devices) is a topic for further research.

1.2. Security analysis and proof techniques

In order to achieve secure parallel DI-QKD, there are two challenges that must be met simultaneously. The first is that the parallel scenario opens up the possibility of correlated cheating strategies by the devices (with correlations going both “forward” and “backward” between rounds) and one must show a linear amount of entropy in the key bits despite such strategies. The second is that the linear rate of entropy in the raw key must not only be positive; it must be larger than the amount of entropy that is lost during information reconciliation.

To meet these challenges we made two specific choices in MagicQKD, which differentiate our protocol from protocols for sequential DI-QKD. The first is that we use the Magic Square game, which has special properties for parallel DI-QKD (discussed below). The second is that the raw keys are only computed from a randomly chosen subset of the rounds. This allows us to decrease the amount of information that is revealed to Eve during the protocol, and is a necessary assumption for our security proof.

The central challenge when moving from the sequential setting to the parallel setting is the possibility of new correlations in the behavior of $D_1$ and $D_2$ on separate games. These correlations can have counter-intuitive properties: for example, Fortnow gave an example of a two-player game G such that $w_c(G^2)>w_c{(G)}^2$, where w_c denotes the optimal score for classical players and $G^2$ denotes the game G repeated twice in parallel (see Appendix A in [15]). The same could not be true in the sequential setting – the optimal score for G repeated twice in sequence must be exactly $w_c{(G)}^2$. Thus the parallel assumption opens up new demands for cheating and requires new techniques.

A technique that has been highly successful for the parallel repetition problem is based on bounding the amount of information that players learn about one another’s inputs when we condition on events that depend on a limited number of other games [24]. This technique was brought into the quantum context in [8, 16, 9, 4], and allows the proofs of exponentially vanishing upper bounds for the quantum winning probability of $G^N$ for certain broad classes of games. A useful consequence of this technique, which is implicit in [8, 16, 9, 4], is that for some games G the behavior of parallel players on a randomly chosen subset of rounds cannot be much better than the behavior of sequential players.

We apply this technique for parallel repetition to prove security for MagicQKD. Specifically, we show that the collision entropy $H_2(AliceKey|Eve)$ (which, as a well known fact, provides a lower bound on $H_{min}^{ϵ}(AliceKey|Eve)$) can be expressed in terms of the winning probability of the “doubled” version of the Magic Square game (MGuess) shown in Figure 5. In this expanded game, players Alice, Bob, Alice′, and Bob′ try to win the Magic Square game while also trying to guess one another’s inputs and outputs. By the techniques of [8, 16, 9, 4], the probability of winning this doubled game on $ϵN$ randomly chosen rounds in an N-fold parallel repetition is not much more than the probability of winning $ϵN$ instances of the games independently. This fact is the basis for our security claim.

Figure 5:

A game with 6 players.

We also make use of a technique from sequential device-independent quantum cryptography [21, 12]: each time players who are generating random numbers fail at a single instance of a game, we introduce additional artificial randomness to compensate for the failure (here represented by the register T in Figure 6). This artificial randomness (which is useful for induction) is used only for intermediate steps in the proof and is removed before the final security claim. This aspect of the proof is important for proving noise tolerance in MagicQKD.

Figure 6:

A protocol for generating a shared key.

We note that our proof makes use of all of the following properties of the Magic Square game: (1) it is perfectly winnable by a quantum strategy, (2) its input distribution is uniform, and (3) an optimal strategy yields perfectly correlated random bits between Alice and Bob. (As a consequence of (3), there is a positive rate of min-entropy in the raw key bits in MagicQKD, while the communication cost for information reconciliation tends to 0 when the noise tolerance is lowered, thus enabling a positive key rate.) The Magic Square game is the simplest game that we know of which satisfies all of these properties. A natural next step is to study which other games can be used for parallel DI-QKD.

After our result was publicized, Thomas Vidick [31] sketched an alternate proof of DI-QKD, using a strengthened parallel repetition result that appeared after our result [5]. Vidick’s approach uses the class of “anchored” games introduced in 2015 [4]. With this approach one can replace Alice′ and Bob′ in MGuess with a single party, and a lower bound on $H_{min}$ (rather than $H_2$) follows via parallel repetition. The protocol in [31] is a version of our protocol which retains the crucial features discussed above. A comparison between the rates achieved by these two approaches is a topic for further research.

Organization.

Section 2 establishes notation for our proofs. Section 3 provides the basis for our interpretation of collision entropy as the winning probability of a “doubled” game. Section 4 defines the doubled Magic Square game and proves an upper bound on its winning probability. Section 5 gives the proof of the central security claims. The appendix proves supporting propositions, including the parallel repetition result derived from [8, 16, 9, 4].

2. Notation and Preliminaries

Some of the notation in this section is based on [27]. If T is a finite set, let Perm(T) denote the set of permutations of T. If $t\in T$, then we write can $T\backslash \left\{t\right\}$ to denote the complement of t, or if the set T is understood from the context, we simply write t for $T\backslash \left\{t\right\}$.

Let $\mathcal{D}(T)$ denote the set of probability distributions on the finite set T, and let $\mathcal{S}(T)$ denote the set of subnormalized probability distributions. If p, $q\in \mathcal{S}(T)$ are subnormalized distributions let

$$\Delta (p,q)=\frac{1}{2}\left(\sum _{t\in T}|p(t)-q(t)|+|x-y|\right)$$ (3)

where $x:={\sum }_{t\in T}p(t)$ and $y:={\sum }_{t\in T}q(t)$ respectively. The function ∆ is a metric on $\mathcal{S}(T)$.

If $x_1,\hspace{0.17em}\dots \hspace{0.17em},x_N$ and $y_1,\hspace{0.17em}\dots \hspace{0.17em},y_N$ are binary sequences, let Ham(x, y) denote the Hamming distance between x and y. The following lemma will be useful in a later proof. For any $t\in [0,1]$, let H(t) denote the Shannon entropy quantity: $H(t)=-t\log t-(1-t)\log (1-t)$.

Proposition 2.1. For any $c\in [0,1/2]$ and any positive integer N, let $L_{c,N}$ denote the number of N-length binary strings whose sum is less than or equal to cN. Then, $L_{c,N}\le 2^{NH(c)}$.

Proof. We have $L_{c,N}={\sum }_{0\le i\le cN}{(}_i^N)$. The desired inequality is given in Theorem 1.4.5 in [29].

2.1. Quantum states and operations

A quantum register (or simply register ) is a finite-dimensional complex Hilbert space with a fixed orthonormal basis. We use Roman letters (e.g., B) to denote quantum registers. Given two quantum registers Q, Q′, we will sometimes write QQ′ for the tensor product $Q\otimes Q\prime$.

If $\mathcal{S}$ is a finite set, an $\mathcal{S}$-valued quantum register is quantum register that has a fixed isomorphism with ${ℂ}^{\mathcal{S}}$. If Q is a quantum register, let $\mathcal{L}(Q)$, $\mathcal{H}(Q)$, $\mathcal{P}(Q)$, $\mathcal{S}(Q)$, and $\mathcal{D}(Q)$, denote, respectively, the sets of linear, Hermitian, positive semidefinite, subnormalized positive semidefinite (trace ≤ 1) and normalized positive semidefinite operators on Q. A state of Q is an element of $\mathcal{D}(Q)$. Elements of $\mathcal{S}(Q)$ are referred to as subnormalized states of Q. A reflection is a Hermitian operator whose eigenvalues are contained in $\{-1,1\}$.

For any quantum register Q, the symbol $I^Q$ denotes the identity operator on I, and $U^Q$ denotes the completely mixed state $I^Q/(\dim (Q))$.

If Q, Q′ are quantum registers, the set $\mathcal{L}(Q)$ has a natural embedding into $\mathcal{L}(Q\otimes Q\prime )$ by tensoring with $I_{Q\prime }$. We use this embedding implicitly: if $T\in \mathcal{L}(Q)$ and $\Phi \in \mathcal{D}(Q\otimes Q\prime )$, then $T(\Phi )$ denotes $(T\otimes I_{Q\prime })\Phi$.

Note that if Q is a $\mathcal{Q}$-valued register and R is an $\mathcal{R}$-valued register, then any function $f:\mathcal{Q}\to \mathcal{R}$ determines a process from Q to R via

$$Z\leftrightarrow \sum _{r\in \mathcal{R}}|r\rangle \langle r|\cdot \langle q\left|Z\right|q\rangle .$$ (4)

We may denote this process by the same letter, f.

A copy of a register Q is a register Q′ with the same dimension with a fixed isomorphism $Q\prime \cong Q$. If $\Gamma \in \mathcal{P}(\Gamma )$ is a state, then the canonical purification of $\Gamma$ is the projector $\Phi$ on $Q\otimes Q\prime$ onto the one-dimensional space spanned by $\left(\sqrt{\Gamma }\otimes I_{Q\prime }\right)({\sum }_i{e}_i\otimes e_i)\in Q\otimes Q\prime$, where the sum is taken over all standard basis elements $e_i$. We then have ${\Phi }^Q=\Gamma$ and ${\Phi }^{Q\prime }={\Gamma }^{\top }=\overline{\Gamma }$ under the fixed isomorphism $Q\cong Q\prime$.

A measurement on a register Q is an indexed set ${\left\{M_i\right\}}_{i\in \mathcal{I}}\subseteq \mathcal{P}(Q)$ which sums to the identity. A measurement strategy on Q is a collection of measurements on Q that all have the same index set.

We will use lower case Greek letters (e.g., γ) to denote complex vectors, and either uppercase Greek letters (e.g., $\Gamma$) or Roman letters to denote Hermitian operators on finite-dimensional Hilbert spaces. If $\Gamma$ is a Hermitian operator on a tensor product space $W\otimes V$, then ${\Gamma }^V$ denotes the operator

$${\Gamma }^V:={\text{Tr}}_W\Gamma .$$ (5)

Alternatively we may write ${\Gamma }^{\widehat{W}}$ for ${\text{Tr}}_W\Gamma$. If T is a projector on W, let

$${\Gamma }_T=(I\otimes T)\Gamma (I\otimes T)$$ (6)

and if $\text{Tr}({\Gamma }_T)\ne 0$, let ${\Gamma }_{|T}={\Gamma }_T/\text{Tr}({\Gamma }_T)$.

If R is a register whose values are real numbers, and ψ is a classical state of R, then ${\mathbb{E}}_{\psi }[R]$ denotes the expected value of R. If µ is a probability distribution on a finite set $\mathbb{Z}$, and $f:\mathbb{Z}\to ℝ$ is a function, then ${\mathbb{E}}_{z\leftarrow \mu }[f(z)]$ denotes the expected value of $f(z)$ under µ.

If $\Phi$ is a positive semidefinite operator, then ${\Phi }^r$ denotes the operator that arises from applying the function

$$f(x)=\{\begin{array}{rr}\hfill x^r& \hfill \text{if}\hspace{0.17em}x>0\\ \hfill 0& \hfill \text{if}\hspace{0.17em}x=0.\end{array}$$ (7)

to the eigenvalues of $\Phi$.

We make free use of the following shorthands. If $x_1,\hspace{0.17em}\dots \hspace{0.17em},x_N$ is a sequence, then the boldface letter x denotes ($x_1,\hspace{0.17em}\dots \hspace{0.17em},x_N$). If $X_1,\hspace{0.17em}\dots \hspace{0.17em},X_N$ are quantum registers, then X denotes $X_1{X}_2\hspace{0.17em}\dots \hspace{0.17em}{X}_N$. We write $X_{i\dots j}$ for the registers $X_i{X}_{i+1}\cdots X_j$. If $\left\{Y_i^j\right\}$ is an array of registers, then $Y_i={\left\{Y_i^j\right\}}_i$ and $Y^j={\left\{Y_i^j\right\}}_i$. The expression $X_{\widehat{i}}$ denotes the set ${\left\{X_k\right\}}_{k\ne i}$.

2.2. Distance measures

If ${\Gamma }_1$, ${\Gamma }_2\in \mathcal{D}(Q)$ for some quantum register Q, let

$$\Delta ({\Gamma }_1,{\Gamma }_2)=\frac{1}{2}{\Vert {\Gamma }_1-{\Gamma }_2\Vert }_1$$ (8)

$$F({\Gamma }_1,{\Gamma }_2)={\Vert \sqrt{{\Gamma }_1}\sqrt{{\Gamma }_2}\Vert }_1$$ (9)

$$P({\Gamma }_1,{\Gamma }_2)=\sqrt{1-F{({\Gamma }_1,{\Gamma }_2)}^2}.$$ (10)

For ${\Lambda }_1$, ${\Lambda }_2\in \mathcal{S}(Q)$, let $[{\Lambda }_i]$ denote the density operator¹ ${\Lambda }_i\oplus (1-\text{Tr}({\Lambda }_i))$. Let

$$\Delta ({\Lambda }_1,{\Lambda }_2)=\Delta ([{\Lambda }_1],[{\Lambda }_2])$$ (11)

$$F({\Lambda }_1,{\Lambda }_2)=F([{\Lambda }_1],[{\Lambda }_2])$$ (12)

$$P({\Lambda }_1,{\Lambda }_2)=P([{\Lambda }_1],[{\Lambda }_2])$$ (13)

The functions P (purified distance) and ∆ (generalized trace distance) are metrics on $\mathcal{S}(Q)$, and $\Delta \le P\le \sqrt{2\Delta }$. If ${\Lambda }_1$ and ${\Lambda }_2$ are both pure, then $P=\Delta$. Both quantities P and ∆ satisfy data processing inequalities. (See Chapter 3 in [27]).

2.3. Games

An n-player nonlocal game G with input alphabets ${\mathcal{X}}^1,\hspace{0.17em}\dots \hspace{0.17em},{\mathcal{X}}^n$ and output alphabets ${\mathcal{A}}^1,\hspace{0.17em}\dots \hspace{0.17em},{\mathcal{A}}^n$ is a probability distribution

$$p:\prod _i{\mathcal{X}}^i\to [0,1]$$ (14)

together with a predicate

$$L:\prod _i{\mathcal{X}}^i\times \prod _i{\mathcal{A}}^i\to \{0,1\}.$$ (15)

Such a game is free if p is a uniform distribution. Let $G^N$ denote the N-fold parallel repetition of G (i.e., the game with input alphabets ${({\mathcal{X}}^i)}^N$, output alphabets ${({\mathcal{A}}^i)}^N$, probability distribution $p(\mathbf{x})=p({\mathbf{x}}_1)\cdot \dots \cdot p({\mathbf{x}}_n)$, and predicate $L(\mathbf{x},\mathbf{a})={\wedge }_{i=1}^{N}L({\mathbf{x}}_i,{\mathbf{a}}_i)$.

A measurement strategy for a game G is a family ${\left\{{\left\{M_{\mathbf{a}|\mathbf{x}}\right\}}_{\mathbf{a}}\right\}}_{\mathbf{x}}$ of $\mathcal{A}$-valued measurements, indexed by $\mathcal{X}$, on a quantum register $Q=Q_1\otimes \cdots \otimes Q_n$, where each measurement operator $M_{\text{a}|\text{x}}$ is given by

$$M_{\text{a}|\text{x}}=M_{a^1|x^1}^1\otimes \dots \otimes M_{a^n|x^n}^n$$ (16)

where ${\left\{M_{a^i|x^i}^i\right\}}_{a^i}$ is a measurement on $Q^i$.

It is helpful to describe a parallel repeated game as a process. In Figure 3, we introduce the parallel repetition process $\text{Par(}N,G,\mathbf{M},\Phi )$ associated to a game G. The process Par includes a final step which shuffles the different instances of the game according to a randomly chosen permutation.

Figure 3:

A process defining the parallel repetition of a game.

For any G, let $w(G)$ denote the supremum quantum score of G (i.e., the supremum of $\mathbf{P}(W_1=1)$ in $\text{Par}(1,G,\mathbf{M},\Phi )$ taken over all initial states $\Phi \in \mathcal{D}(C)$ and all measurements strategies M).

We will typically refer to states arising from processes as follows: the initial state will be denoted by ${\Gamma }^0$, and ${\Gamma }^i$ will refer to the state that occurs after step i. The symbol $\Gamma$ will denote the final state.

The following proposition asserts that if G is a free game, then the winning probability in a small number of rounds in Par is not much better than that which could be achieved by sequential players. This fact is implicit in the entropy approach to parallel repetition given in [8, 16, 9, 4]. Since we are not aware of a statement in the literature in the form that we will need, we have given a proof in Appendix C (see Theorem C.6).

Proposition 2.2. Suppose that G is a free nonlocal game. Then, the registers $W_1,\hspace{0.17em}\dots \hspace{0.17em},W_N$ at the conclusion of process Par satisfy

$$\mathbf{P}(W_1=W_2=\dots =W_k=1)\le {\left[w(G)+O_G(\sqrt{k/N})\right]}^k.$$ (17)

for any $k\in \{1,2,\hspace{0.17em}\dots \hspace{0.17em},N\}$.

For our purposes, it is crucial not only that the bound in (17) is an exponential function, but also that its base approaches w(G) as $k/N$ approaches zero.

3. Entropy quantities

Definition 3.1. Let QR be a bipartite quantum register, and let $\Gamma$ be a subnormalized state of QR. Then,

$$h_{min}{(Q|R)}_{\Gamma }=\underset{\begin{array}{l}\sigma \in \mathcal{S}(R)\\ I_Q\otimes \sigma \ge \Gamma \end{array}}{\min }\text{Tr(}\sigma \text{)}$$ (18)

$$h_2{(Q|R)}_{\Gamma }=\text{Tr}[\Gamma {({\Gamma }^R)}^{-1/2}\Gamma {({\Gamma }^R)}^{-1/2}].$$ (19)

Let

$$h_{min}^{\delta }{(Q|R)}_{\Gamma }=\underset{\Gamma \prime }{\min }{h}_{\min }{(Q|R)}_{\Gamma \prime }$$ (20)

where $\Gamma \prime$ varies over all subnormalized states of QR that are within distance $\delta$ from $\Gamma$ under the purified distance metric P.

Note that we can equivalently let the minimization in (20) be taken only over the the states of QR that have trace no larger than $\text{Tr}(\Gamma )$, since if $\text{Tr}(\Gamma \prime )$ were larger than $\text{Tr}(\Gamma )$, then the scalar multiple $[\text{Tr}(\Gamma )/\text{Tr}(\Gamma \prime )]\Gamma \prime$ would be at least as close to $\Gamma$ as was the original state $\Gamma \prime$ (see Lemma A.1).

Definition 3.2. For any subnormalized state $\Lambda$ of a quantum register T, let

$$h{(T)}_{\Lambda }=2^{\text{Tr[}\Lambda \log \Lambda \text{]}}.$$ (21)

and let

$$h(Q|R)=\frac{h(QR)}{h(R)}.$$ (22)

Additionally, we define some entropy quantities for probability distributions.

Definition 3.3. If p is a probability distribution on a set S, let

$$h{(S)}_p=\prod _{s\in S}p{(s)}^{p(s)}.$$ (23)

If q is a subnormalized probability distribution on a set $S\times T$, let

$$h_0{(S|T)}_q={\left(\underset{t}{\max }\left|\right\{s\in S|q(s,t)>0\}|\right)}^{-1}.$$ (24)

Let

$$h_0^{\delta }{(S|T)}_q=\underset{q\prime }{\max }{h}_0{(S|T)}_{q\prime },$$ (25)

where $q\prime$ varies over all subnormalized probability distributions on $S\times T$ such that $\Delta (q,q\prime )\le \delta$.

Similar to the definition of smooth min-entropy, in (25), we can equivalently assume that the minimization is taken over distributions that are dominated by q (i.e., $q\prime \le q$). For all the entropy quantities specified so far in this subsection, we let $H_{*}^{*}(\cdot |\cdot )=-\log h_{*}^{*}(\cdot |\cdot )$. (Thus, for example, $H_{min}^{\delta }(Z|Y)=-\log h_{min}^{\delta }(Z|Y)$.)

If $\Gamma$ is a classical-quantum state of a bipartite register $ZQ$, and B is a subset of the range $\mathcal{Z}$ of Z, then ${\Gamma }_B:={\Gamma }_{P_B}$, where $P:{ℂ}^{\mathcal{Z}}\to {ℂ}^{\mathcal{Z}}$ denotes the projector onto the subspace spanned by B, and let ${\Gamma }_{|B}={\Gamma }_{{|P}_B}$. When the state is implicit from the context, we may write

$$H_{min}{(Z|Q)}_B\hspace{1em}\text{and}\hspace{1em}{H}_{min}(Z|Q,B)$$ (26)

to denote, respectively,

$$H_{min}{(Z|Q)}_{{\Gamma }_B}\hspace{1em}\text{and}\hspace{1em}{H}_{min}{(Z|Q)}_{{\Gamma }_{|B}},$$ (27)

and we can use similar notation for the other conditional entropies defined above.

Some of the applications of these quantities are as follows. Assume that Z is a classical register. The quantity $H_{min}(Z|Y)$ (quantum conditional min-entropy) is a measure of the number of bits that can be extracted from Z in the presence of an adversary who possesses Y (see, e.g., [28]). The quantity $H(Z|Y)$ (von Neumann entropy) measures the number of bits that can be extracted in the case in which multiple copies of the state ZY are available (see Chapter 11 in [23]). The quantity $H_2(Z|Y)$ is the conditional collision entropy. In the case where Y is a trivial register, the quantity $H_2(Z|Y)$ is the negative logarithm of the probability that two independent samples of Z will agree. An interpretation of the case where Y is nontrivial will be explained in the next subsection.

If Z, Y are classical registers with a joint distribution q, then the quantity $H_0(Z|Y)$ is a measure of the minimum number of bits needed to reconstruct the state Y from Z. This can be understood as follows: let $M>H_0(Z|Y)$, and let $R=\{r:\mathcal{Z}\to {({\mathbb{Z}}_2)}^M\}$ be a 2-universal hash function family.² Suppose that Alice possesses Z = z and Bob possesses Y = y, and Alice chooses $r\in R$ uniformly at random and reveals r and r(z) to Bob. Then, except with probability at most $2^{M-H_0(Z|Y)}$, there will be only one value in the set $\{z|q(z,y)>0\}$ which maps to r(z) under r, and thus Bob can uniquely determine z.

Collision entropy and min-entropy are related by the following proposition (see subsection 6.4.1 in [27]):

Proposition 3.4. For any quantum registers RS, any normalized classical-quantum state $\Gamma$ of RS, and any $\delta >0$,

$$H_{min}^{\delta }{(R|S)}_{\Gamma }\ge H_2{(R|S)}_{\Gamma }-\log (2/{\delta }^2).$$ (28)

3.1. An operational interpretation of collision entropy for measurements on a pure entangled state

If $\Gamma$ is a classical-quantum state of a register $ZY$, then a common way to describe $h_2{(Z|Y)}_{\Gamma }$ is that it is the likelihood that an adversary who possesses Y can guess Z via the pretty good measurement ${\left\{{({\Gamma }^Y)}^{-1/2}{\Gamma }_Z{\hspace{0.17em}}_{=z}{({\Gamma }^Y)}^{-1/2}\right\}}_z$. We present an alternative interpretation which is useful for measuring the randomness obtained from measurements on an entangled state. The following proposition refers to the process Guess shown in Figure 4.

Figure 4:

A process for guessing measurement outcomes via a purification

Proposition 3.5. Let ${\Gamma }^1$, ${\Gamma }^2$, ${\Gamma }^3$ denote the states that occur after steps 1, 2, and 3, respectively, in the process $Guess({\Phi }_i,{\left\{P_j\right\}}_j)$. Then,

$${\mathbf{P}}_{{\Gamma }^3}(J=J\prime )=h^2{(J|V\prime )}_{{\Gamma }^2}.$$ (29)

Proof. The states ${({\Gamma }^2)}^{JV\prime }$ and ${({\Gamma }^3)}^{JJ\prime }$ are given by

$${({\Gamma }^2)}^{JV\prime }=\sum _j|j\rangle \langle j|\otimes \overline{\sqrt{\Phi }{P}_j\sqrt{\Phi }}$$ (30)

$${({\Gamma }^3)}^{JJ\prime }=\sum _{j,j\prime }|jj\prime \rangle \langle jj\prime |\text{Tr}\overline{[\sqrt{\Phi }{P}_j\sqrt{\Phi }{P}_{j\prime }]}$$ (31)

and thus

$$h_2{(J|V\prime )}_{{\Gamma }^2}=\sum _j\text{Tr}[\overline{\sqrt{\Phi }{P}_j\sqrt{\Phi }{\Phi }^{-1/2}\sqrt{\Phi }{P}_j\sqrt{\Phi }{\Phi }^{-1/2}}]$$ (32)

$$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}=\sum _j\text{Tr}[\overline{\sqrt{\Phi }{P}_j\sqrt{\Phi }{P}_j}]$$ (33)

$$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}={\mathbf{P}}_{{\Gamma }^3}[J=J\prime ],$$ (34)

as desired.

4. The Magic Square Guessing Game

In this section we consider the 6-player game described in Figure 5. In this game, two pairs of players (Alice and Bob, and $\text{Alice}\prime$ and $\text{Bob}\prime$) each play the Magic Square game and their inputs and outputs are compared. There are also additional players Charlie and $\text{Charlie}\prime$ who receive a random bit and always produce the same output letter. (Note that none of the outputs $\text{Bob}\prime$, Charlie, and $\text{Charlie}\prime$ are used in the scoring rule — these players are present merely because their inputs are used in the scoring rule.)

In the game, Alice and Bob are attempting to win the Magic Square game, while $\text{Alice}\prime$ and $\text{Bob}\prime$ are simultaneously attempting to guess Alice’s input, Bob’s input, and Alice’s key bit. However, a failure by Alice and Bob at winning the Magic Square game is forgiven if it happens that Charlie and $\text{Charlie}\prime$ have the same output. (This last rule has the effect of making the game easier to win. It underlies the robustness property of our security proof for MagicQKD.)

It is obvious that $w(\text{MGuess})\le 1/9$, since the probability that Alice’s and Bob’s inputs match those of $\text{Alice}\prime$ and $\text{Bob}\prime$ is $1/9$. We will prove that in fact w(MGuess) is less than $1/9$ minus a positive constant. This will be crucial for establishing a nonzero key rate for MagicQKD.

The proof of the next proposition is given in the appendix. Roughly speaking, the proposition holds because rigidity for the Magic Square game [32] implies that any near-optimal strategy by Alice and Bob involves Alice and Bob performing approximate Pauli measurements on two approximate EPR pairs shared between them. The outcomes of such measurements are not guessable by an outside party (even with entanglement). Therefore it is impossible for Alice and Bob to achieve a near-perfect score at the Magic Square game while at the same time allowing $\text{Alice}\prime$ to guess Alice’s outcomes.

Proposition 4.1. Let MGuess denote the game in Figure 5. Then,

$$w(MGuess)\le (1/9)-\mathrm{0.00035.}$$ (35)

Proof. See Appendix B.

5. Security Proof

In the current section we give the proof of Theorem 1.2. Our approach can be roughly understood as follows: our upper bound on the winning probability of MGuess implies, using parallel repetition, that the collision entropy of Alice’s and Bob’s inputs $X_{1\dots ϵN}{Y}_{1\dots ϵN}$ together with Alice’s key bits $R_{1\dots ϵN}$ is substantially more than that of Alice’s and Bob’s inputs alone (for small $ϵ$). It follows that, even when we condition on $X_{1\dots ϵN}{Y}_{1\dots ϵN}$ and all of the adversary’s other information, an amount of entropy that is linear in N remains in $R_{1\dots ϵN}$ (Proposition 5.5). On the other hand, a classical statistical argument shows that the rate of noise between Alice’s key bits $R_{1\dots ϵN}$ and Bob’s key bits $S_{1\dots ϵN}$ vanishes as $ϵ\to 0$ (Proposition 5.6). Combining these facts allows us to deduce inequality (2).

5.1. An Intermediate Protocol

In order to show that Alice’s raw key in MagicQKD is sufficiently random, we begin by analyzing the entropy produced by the related protocol MagicKey in Figure 6. In MagicKey, we use an idea from our previous work on randomness expansion [21, 22]: when Alice and Bob fail to win the Magic Square game, we compensate by artificially introducing randomness. In [12], this artificial randomness is represented by additional registers that have some prescribed entropy, and we adopt the same style here (by including the registers $T_1,\hspace{0.17em}\dots \hspace{0.17em},T_N$). We use these auxilliary registers to establish a lower bound on collision entropy, and the registers will subsequently be dropped.

We begin with the following proposition, which addresses the amount of collision entropy that is collectively contained in Alice’s and Bob’s inputs, Alice’s key register, and the auxiliary registers $T_i$.

Theorem 5.1. Let $\Gamma$ be the final state of MagicKey. Then,

$$h_2{(X_{1\dots ϵN}{Y}_{1\dots ϵN}{R}_{1\dots ϵN}{T}_{1\dots ϵN}|EF)}_{\Gamma }\le {(w(MGuess)+O(\sqrt{ϵ}))}^{ϵN}.$$ (36)

Note that in the above statement, we are conditioning not only on the register $E$ but also on the permutation register $F$.

Proof. We prove this result via an application of Proposition 3.5. Upon an appropriate unitary embedding, we may also assume $E=C\prime D\prime$, where $C\prime$, $D\prime$ are copies of C, D, and that $\Phi$ is the canonical purification of ${\Phi }^{CD}$. Suppose that the process Par(N, MGuess, M, $\Phi$) is executed with the measurement strategy³

$$\mathbf{M}=\{P_{\mathbf{a}}^{\mathbf{x}}\otimes Q_{\mathbf{b}}^{\mathbf{y}}\otimes I\otimes \overline{P_{\mathbf{a}\prime }^{\mathbf{x}\prime }}\otimes \overline{Q_{\mathbf{b}\prime }^{\mathbf{y}\prime }}\otimes I\},$$ (37)

For any m-subset Z of $\{1,2,\hspace{0.17em}\dots \hspace{0.17em},N\}$, the probability that ${\wedge }_{i\in Z}{W}_i=1$ after step 4 in the process Par(N, MGuess, M, $\Phi$) is the same as the value of

$$h_2(\{X_i{Y}_i{R}_i{T}_i|i\in Z\}|E)$$ (38)

after step 6 in MagicKey. The average of the former quantity over all $(ϵN)$-subsets is equal to the value of $\mathbf{P}(W_1\wedge W_2\wedge \cdots \wedge W_{ϵN})$ at the conclusion of Par(N, MGuess, M, $\Phi$), while the average of the latter quantity is equal to the expression on the lefthand side of (36). The desired result follows from Theorem 2.2.

Next we deduce an upper bound on smooth min-entropy, focusing just on the registers $R_{1\dots ϵN}{T}_{1\dots ϵN}$. For compatibility with later derivations, we will take the error parameter to be $2\exp (-{ϵ}^{4}N)$.

Corollary 5.2. The following inequality holds:

$$H_{min}^{2\exp (-{ϵ}^{4}N)}{(R_{1\dots ϵN}{T}_{1\dots ϵN}|X_{1\dots ϵN}{Y}_{1\dots ϵN}EF)}_{\Gamma }\ge \Omega (ϵ)N.$$ (39)

Proof. By Proposition 3.4, we have

$$H_{min}^{2\exp (-{ϵ}^{4}N)}{(X_{1\dots ϵN}{Y}_{1\dots ϵN}{R}_{1\dots ϵN}{T}_{1\dots ϵN}|EF)}_{\Gamma }\ge ϵN[\log \frac{1}{w(\text{MGuess})}-O(\sqrt{ϵ})]-2(\log e){ϵ}^{4}N$$

By Proposition 4.1, $\log [1/w(\text{MGuess})]>\log (1/9)$, and this bound can be simplified to

$$H_{min}^{2\exp (-{ϵ}^{4}N)}{(X_{1\dots ϵN}{Y}_{1\dots ϵN}{R}_{1\dots ϵN}{T}_{1\dots ϵN}|EF)}_{\Gamma }\ge N[(\log 9)ϵ+\Omega (ϵ)].$$

When we condition on the registers $X_{1\dots ϵN}{Y}_{1\dots ϵ}$, whose support has size $9^{ϵN}=2^{Nϵ\log 9}$, we obtain the bound (39).

In the next subsection, we will address conditioning on the event SUCC. For the time being it is helpful to condition on a related event. For any $\delta >0$, let WIN (δ) denote the event that the bit strings $R_{1\dots ϵN}$ and $S_{1\dots ϵN}$ differ in at most $\delta (ϵN)$ places. (That is, $WIN(\delta )$ denotes the event that the proportion of wins among the first $ϵN$ rounds is at least $1-\delta$.) Consider the event WIN(2ϵ). We have

$$H_{min}^{2\exp (-{ϵ}^{4}N)}{(R_{1\dots ϵN}{T}_{1\dots ϵN}|X_{1\dots ϵN}{Y}_{1\dots ϵN}EF)}_{{\Gamma }_{WIN(2ϵ)}}\ge \Omega (ϵ)N.$$ (40)

We assert that a lower bound in the same form holds when the registers $T_{1\dots ϵN}$ are omitted.

Corollary 5.3. The subnormalized state ${\Gamma }_{WIN(2ϵ)}$ satisfies

$$H_{min}^{2\exp (-{ϵ}^{4}N)}(R_{1\dots ϵN}|X_{1\dots ϵN}{Y}_{1\dots ϵN}EF)\ge \Omega (ϵ)N.$$ (41)

Proof. The distribution of the registers $T_{1\dots ϵN}$ under the subnormalized state ${\Gamma }_{WIN2(ϵ)}$ is supported only on binary strings of Hamming weight less than $2{ϵ}^{2}N$. Thus, by Proposition 2.1, these registers are supported on a set of size less than or equal to $2^{H(2ϵ)ϵN}$. Therefore we can drop the registers $T_{1\dots ϵN}$ from the lefthand side of (40) and and deduct $H(2ϵ)ϵN$ from its righthand side, and the inequality is preserved. Since the term $H(2ϵ)ϵN$ is dominated by $\Omega (ϵ)N$, it may be ignored and the desired result follows.

5.2. Device-Independent Quantum Key Distribution

We now turn our attention toward the protocol MagicQKD (Figure 1). We will prove that MagicQKD generates a positive key rate. Our final statement will use the registers

$$AliceKey:=R_{1\dots ϵN}$$ (42)

$$\hspace{0.17em}BobKey:=S_{1\dots ϵN}$$ (43)

$$\hspace{1em}\hspace{0.17em}\hspace{0.17em}Eve:=X_{1\dots ϵN}{Y}_{1\dots ϵN}{R}_{1\dots {ϵ}^{2}N}{S}_{1\dots {ϵ}^{2}N}EF.$$ (44)

The registers Eve denote the information possessed by Eve at the conclusion of MagicQKD.

We begin by translating Corollary 5.3 into a statement about the success event for MagicQKD. Let SUCC denote the event that MagicQKD succeeds, and let $SUCC\prime$ denote the event that MagicQKD succeeds and the event $WIN(2ϵ)$ occurs.

Lemma 5.4. The events $SUCC\prime$ and SUCC satisfy

$$\mathbf{P}(SUCC\wedge \neg SUCC\prime )\le e^{-2{ϵ}^{4}N}.$$ (45)

Proof. We assume $\mathbf{P}(\neg WIN(2ϵ))>0$ (since otherwise the desired assertion is obvious). We have

$$\mathbf{P}(SUCC\wedge \neg SUCC\prime )=\mathbf{P}(SUCC\wedge \neg WIN(2ϵ))$$ (46)

$$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{0.17em}\hspace{1em}\hspace{1em}\hspace{1em}=\mathbf{P}(\neg WIN(2ϵ))\cdot \mathbf{P}(SUCC|\neg WIN(2ϵ))$$ (47)

We consider the second factor in (47). Let $W_i$ denote the indicator variable for the event that the ith game is won. After conditioning on $\neg WIN(2ϵ)$, the only way that SUCC can occur is if the average of the variables $W_1,\hspace{0.17em}\dots \hspace{0.17em},W_{{ϵ}^{2}N}$ exceeds that of $W_1,\hspace{0.17em}\dots \hspace{0.17em},W_{ϵN}$ by at least $ϵ$. By ([14], Theorem 1 and Section 6), if an ${ϵ}^{2}N$-subset S is chosen at random from a set of Boolean values T of size $ϵN$, then the probability that the average of S will exceed that of T by more than $ϵ$ is at most $e^{-2{ϵ}^2({ϵ}^{2}N)}$. This yields the desired bound.

As a consequence of Lemma 5.4, we have $\Delta ({\Gamma }_{SUCC},{\Gamma }_{SUCC\prime })\le 2\exp (-2{ϵ}^{4}N)$, and therefore $P({\Gamma }_{SUCC},{\Gamma }_{SUCC\prime })\le \sqrt{4\exp (-2{ϵ}^{4}N)}=2\exp (-{ϵ}^{4}N)$. Since $SUCC\prime \Rightarrow WIN(2ϵ)$, ${\Gamma }_{SUCC\prime }$ also satisfies inequality (41) from Corollary 5.3. We therefore have by the triangle inequality that the state ${\Gamma }_{SUCC}$ satisfies

$$H_{min}^{4\exp (-{ϵ}^{4}N)}(R_{1\dots ϵN}|X_{1\dots ϵN}{Y}_{1\dots ϵN}EF)\ge \Omega (ϵ)N.$$ (48)

Conditioning also on the registers $R_{1\dots {ϵ}^{2}N}{S}_{1\dots {ϵ}^{2}N}$ decreases the quantity on the lefthand side of (48) by at most $2{ϵ}^{2}N\le o(ϵ)N$, and thus we obtain the following result.

Proposition 5.5. The state ${\Gamma }_{SUCC}$ at the conclusion of MagicQKD satisfies

$$H_{min}^{4\exp (-{ϵ}^{4}N)}(AliceKey|Eve)\ge \Omega (ϵ)N.$$ (49)

Meanwhile, by definition, the registers AliceKey and BobKey in the state ${\Gamma }_{SUCC\prime }$ differ in at most $2{ϵ}^{2}N$ places, and thus by Proposition 2.1, we have

$$H_0{(AliceKey|BobKey)}_{SUCC\prime }\le NϵH(2ϵ)$$ (50)

$$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{0.17em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\le No(ϵ)$$ (51)

Applying Lemma 5.4 yields the following.

Proposition 5.6. The state ${\Gamma }_{SUCC}$ at the conclusion of MagicQKD satisfies

$$H_0^{2\exp (-2{ϵ}^{4}N)}(AliceKey|BobKey)\le o(ϵ)N.$$ (52)

We can now prove our main result.

Proof of Theorem 1.2. Let

$$\delta =2e^{-{ϵ}^{4}N/3}.$$ (53)

If $P(SUCC)\ge \delta$, then, by Propositions A.3 and A.4 in the appendix,

$$H_{min}^{\delta }(AliceKey|Eve,SUCC)-H_0^{\delta }(AliceKey|BobKey,SUCC)$$ (54)

$$\ge H_{min}^{{\delta }^3/2}{(AliceKey|Eve)}_{SUCC}-H_0^{{\delta }^2}{(AliceKey|BobKey)}_{SUCC}-\log (1/\delta )$$ (55)

$$\ge N\Omega (ϵ)-No(ϵ)-[(\log e){ϵ}^{4}N/3+1]$$ (56)

$$\ge N\Omega (ϵ).$$ (57)

where in lines (55)–(56), we used the fact that the terms ${\delta }^3/2$ and ${\delta }^2$ are at least as large as the respective error terms in Propositions 5.5 and 5.6. We now simply fix $ϵ:={ϵ}_0>0$ to be sufficiently small that the function denoted by $\Omega (ϵ)$ in (57) is positive, and the proof is complete.

A. Supporting Proofs for Entropy Measures

The following two lemmas bound the amount that the purified distance $P(\sigma ,\lambda )$ can increase under scalar multiplication of the two states $\sigma ,\lambda$. We address a case where the scalar multiplication makes the trace of the two states equal, and also a case where scalar multiplication normalizes the larger of the two states.

Lemma A.1. Let Q be a quantum register, let λ, $\sigma \in \mathcal{S}(Q)$, and let $r=\text{Tr}(\lambda )$, $s=\text{Tr}(\sigma )$. Suppose that $s\ge r>0$. Then,

$$P((r/s)\sigma ,\lambda )\le P(\sigma ,\lambda ).$$ (58)

Proof. Let $\Lambda$, $\Sigma$ be the normalizations of $\lambda ,\sigma$. Using the Cauchy-Schwartz inequality, we have the following.

$$F(\sigma ,\lambda )=\sqrt{(1-r)(1-s)}+\sqrt{rs}{\Vert \sqrt{\Lambda }\sqrt{\Sigma }\Vert }_1$$ (59)

$$=\sqrt{(1-r)+r{\Vert \sqrt{\Lambda }{\sqrt{\Sigma }}_1\Vert }_1}\sqrt{(1-s)+s{\Vert \sqrt{\Lambda }{\sqrt{\Sigma }}_1\Vert }_1}$$ (60)

$$\le \sqrt{(1-r)+r{\Vert \sqrt{\Lambda }{\sqrt{\Sigma }}_1\Vert }_1}\sqrt{(1-r)+r{\Vert \sqrt{\Lambda }{\sqrt{\Sigma }}_1\Vert }_1}$$ (61)

$$=F((r/s)\sigma ,\lambda ),$$ (62)

Inequality (58) follows.

Lemma A.2. Under the assumptions of Lemma A.1, the following inequality also holds.

$$P(\sigma /s,\lambda /s)\le \sqrt{(2/s)P(\sigma ,\lambda )}.$$ (63)

Proof. Note that the quantity

$$\Delta (c\sigma ,c\lambda )=c{\Vert \sigma -\lambda \Vert }_1+c\left|\text{Tr}\sigma \text{-Tr}\lambda \right|$$ (64)

is linear in c. We have

$$P(\sigma /s,\lambda /s)\le \sqrt{2\Delta (\sigma /s,\lambda /s)}\le \sqrt{(2/s)\Delta (\sigma ,\lambda )}\le \sqrt{(2/s)P(\sigma ,\lambda )},$$ (65)

as desired.

Now we use Lemma A.2 to address how smooth min-entropy behaves under normalization.

Proposition A.3. Let $\sigma \in \mathcal{S}(QR)$ be a nonzero state, let $\Sigma$ be its normalization, and let $\delta >0$. Then,

$$H_{min}^{\delta }{(Q|R)}_{\Sigma }\ge H_{min}^{{\delta }^2\text{Tr}(\sigma )/2}{(Q|R)}_{\sigma }-\text{log}(1/\text{Tr}(\sigma )).$$ (66)

Proof. Let $s=\text{Tr}(\sigma )$. Find a state $\sigma \prime$ satisfying satisfying $\text{Tr}(\sigma \prime )\le s$ and $P(\sigma \prime ,\sigma )\le {\delta }^{2}s/2$ such that

$$H_{min}{(Q|R)}_{\sigma \prime }=H_{min}^{{\delta }^{2}s/2}{(Q|R)}_{\sigma }.$$ (67)

(See the discussion following Definition 3.1.) The conditional min-entropy of $\sigma \prime /s$ is then given by the expression on the righthand side of (66), and by Lemma A.2,

$$P(\sigma \prime /s,\sigma /s)\le \sqrt{2P(\sigma \prime ,\sigma )/s}\le \delta .$$ (68)

Inequality (66) follows.

The next proposition similarly addresses how $H_0^{\delta }$ behaves under normalization.

Proposition A.4. Let q be a nonzero subnormalized probability distribution on $S\times T$, where S, T are finite sets, and let s be the norm of q. Let $\delta >0$. Then,

$$H_0^{\delta }{(S|T)}_{q/s}=H_0^{s\delta }{(S|T)}_q.$$ (69)

Proof. This is immediate from the linearity of the distance function ∆.

B. Proof of Proposition 4.1

Our proof builds off of steps from the proof of rigidity for the Magic Square game [32]. We will reproduce the fact that any near-optimal strategy for the Magic Square must involve approximately anti-commuting measurements, and use that fact to deduce inequality (35).

Let $\left\{F_x^a\right\}$, $\left\{G_y^b\right\}$, $\left\{F{\prime }_x^a\right\}$ be the measurements used by Alice, Bob, and $\text{Alice}\prime$, respectively, which we will assume (without loss of generality) to be projective, and let $\Phi$ denote their shared state, which we will assume to be pure: $\Phi =\varphi {\varphi }^{\ast }$. For i, $j\in \{1,2,3\}$, let $F_{ij}$ denote the reflection operator

$$F_{ij}=\sum _{\begin{array}{l}a\in \mathcal{X}\\ a_j=0\end{array}}{F}_i^a-\sum _{\begin{array}{l}a\in \mathcal{X}\\ a_j=1\end{array}}{F}_i^a,$$ (70)

define $F_{ij}^{\prime }$ similarly in terms of $\left\{F{\prime }_x^a\right\}$, and let

$$G_{ij}=\sum _{\begin{array}{l}b\in \mathcal{X}\\ b_i=0\end{array}}{G}_j^b-\sum _{\begin{array}{l}b\in \mathcal{Y}\\ b_i=1\end{array}}{G}_j^b.$$ (71)

Note that $F_{ij}$ and $F_{ik}$ always commute and $F_{i1}{F}_{i2}{F}_{i3}=I$, that $G_{ij}$ and $G_{kj}$ always commute and $G_{1j}{G}_{2j}{G}_{3j}=-I$, and similar relationships hold for $F_{ij}^{\prime }$.

Let

$$\delta =\mathbf{P}(A_Y\ne B_X)$$ (72)

$${\delta }_{ij}=\mathbf{P}(A_Y\ne B_X|X=i,Y=j)$$ (73)

and

$$ϵ=\mathbf{P}(A_Y\ne A{\prime }_{Y\prime }|X=X\prime ,Y=Y\prime ),$$ (74)

$${ϵ}_{ij}=\mathbf{P}(A_Y\ne A{\prime }_{Y\prime }|X=X\prime =i,Y=Y\prime =j).$$ (75)

Note that

$$\mathbf{P}(L=1)\le \mathbf{P}(X=X\prime ,Y=Y\prime )\mathbf{P}(Z=Z\prime \vee A_Y=B_X|X=X\prime ,Y=Y\prime )$$ (76)

$$=(1/9)(1-\delta /2),$$ (77)

and also

$$\mathbf{P}(L=1)\le \mathbf{P}(X=X\prime ,Y=Y\prime )\mathbf{P}(A_Y=A{\prime }_{Y\prime }|X=X\prime ,Y=Y\prime )$$ (78)

$$=(1/9)(1-ϵ).$$ (79)

Thus,

$$\mathbf{P}(L=1)\hspace{1em}\le \hspace{1em}(1/9)-(1/9)\text{max}\{ϵ,\delta /2\},$$ (80)

and to complete the proof it suffices to find a general lower bound for max $\{ϵ,\delta /2\}$.

Note that for any i, $j\in \{1,2,3\}$,

$$\mathbf{P}(A_Y\ne B_X|X=i,Y=j)=(1-{\varphi }^{*}{F}_{ij}\otimes G_{ij}\varphi )/2$$ (81)

$$={\Vert \varphi -(F_{ij}\otimes G_{ij})\varphi \Vert }^2/4,$$ (82)

and thus

$$\Vert \varphi -(F_{ij}\otimes G_{ij})\varphi )\Vert =2\sqrt{{\delta }_{ij}}.$$ (83)

By similar reasoning,

$$\Vert \varphi -(F_{ij}\otimes F_{ij}^{\prime })\varphi )\Vert =2\sqrt{{ϵ}_{ij}}.$$ (84)

We exploit the approximate anti-commutativity relations for $\left\{F_{ij}\right\}$ which are proven in [32]. We have the following.

$$\Vert (F_{11}{F}_{22})\varphi -(F_{11}\otimes G_{22})\varphi \Vert \le 2\sqrt{{\delta }_{22}}$$

$$\Vert (F_{11}{F}_{22})\varphi -(G_{22}{G}_{11})\varphi \Vert \le 2(\sqrt{{\delta }_{22}}+\sqrt{{\delta }_{11}})$$

$$\Vert (F_{11}{F}_{22})\varphi -(G_{12}{G}_{32}{G}_{31}{G}_{21})\varphi \Vert \le 2(\sqrt{{\delta }_{22}}+\sqrt{{\delta }_{11}})$$

$$\Vert (F_{11}{F}_{22})\varphi -(F_{21}{F}_{31}{F}_{32}\otimes G_{12})\varphi \Vert \le 2(\sqrt{{\delta }_{22}}+\sqrt{{\delta }_{11}}+\sqrt{{\delta }_{32}}+\sqrt{{\delta }_{31}}+\sqrt{{\delta }_{21}})$$

$$\Vert (F_{11}{F}_{22})\varphi -(F_{21}{F}_{33}\otimes G_{12})\varphi \Vert \le 2(\sqrt{{\delta }_{22}}+\sqrt{{\delta }_{11}}+\sqrt{{\delta }_{32}}+\sqrt{{\delta }_{31}}+\sqrt{{\delta }_{21}})$$

$$\Vert (F_{11}{F}_{22})\varphi -(F_{21}\otimes G_{12}{G}_{33})\varphi \Vert \le 2(\sqrt{{\delta }_{22}}+\sqrt{{\delta }_{11}}+\sqrt{{\delta }_{32}}+\sqrt{{\delta }_{31}}+\sqrt{{\delta }_{21}}+\sqrt{{\delta }_{33}})$$

$$\Vert (F_{11}{F}_{22})\varphi -(-F_{21}\otimes G_{12}{G}_{13}{G}_{23})\varphi \Vert \le 2(\sqrt{{\delta }_{22}}+\sqrt{{\delta }_{11}}+\sqrt{{\delta }_{32}}+\sqrt{{\delta }_{31}}+\sqrt{{\delta }_{21}}+\sqrt{{\delta }_{33}})$$

$$\Vert (F_{11}{F}_{22})\varphi -(-F_{21}{F}_{23}{F}_{13}{F}_{12})\varphi \Vert \le 2\sum _{ij}\sqrt{{\delta }_{ij}}$$

$$\Vert (F_{11}{F}_{22})\varphi -(-F_{22}{F}_{11})\varphi \Vert \le 2\sum _{ij}\sqrt{{\delta }_{ij}}$$

$$\Vert (F_{11}{F}_{22})\varphi +(F_{22}{F}_{11})\varphi \Vert \le 2\sum _{ij}\sqrt{{\delta }_{ij}}.$$

By the concavity of the square root function, this yields

$$\Vert (F_{11}{F}_{22})\varphi +(F_{22}{F}_{11})\varphi \Vert \le 18\sum _{ij}\sqrt{{\delta }_{ij}}/9.$$

$$\le 18\sqrt{\sum _{ij}{\delta }_{ij}/9}$$

$$=18\sqrt{\delta }.$$ (85)

We also have the following, in which we make use of the approximate compatibility of the measurements $\left\{F_{ij}\right\}$ and the measurements $\left\{F_{ij}^{\prime }\right\}$.

$$\Vert (F_{11}{F}_{22}\otimes I)\varphi -(F_{11}\otimes F_{22}^{\prime }\otimes I)\varphi \Vert \le 2\sqrt{{ϵ}_{11}}$$ (86)

$$\Vert (F_{11}{F}_{22}\otimes I)\varphi -(G_{11}\otimes F_{22}^{\prime }\otimes I)\varphi \Vert \le 2\sqrt{{ϵ}_{11}}+2\sqrt{{\delta }_{22}}$$ (87)

$$\Vert (F_{11}{F}_{22}\otimes I)\varphi -(G_{11}\otimes F_{22}\otimes I)\varphi \Vert \le 4\sqrt{{ϵ}_{11}}+2\sqrt{{\delta }_{22}}$$ (88)

$$\Vert (F_{11}{F}_{22}\otimes I)\varphi -(F_{22}{F}_{11}\otimes I)\varphi \Vert \le 4\sqrt{{ϵ}_{11}}+4\sqrt{{\delta }_{22}},$$ (89)

Combining (89) via the triangle inequality with (85) (and using the fact that $(F_{22}{F}_{11}\otimes I)\varphi$ is a unit vector) yields

$$2\le 18\sqrt{\delta }+4\sqrt{{ϵ}_{11}}+4\sqrt{{\delta }_{22}}$$ (90)

By symmetry, we likewise have the following for any i, j, $i\prime$, $j\prime \in \{1,2,3\}$ with $i\ne i\prime$, $j\ne j\prime$:

$$2\le 18\sqrt{\delta }+4\sqrt{{ϵ}_{ij}}+4\sqrt{{\delta }_{i\prime j\prime }}$$ (91)

Averaging all such inequalities and exploiting the concavity of the square root function, we obtain

$$2\le 18\sqrt{\delta }+4\sqrt{ϵ}+4\sqrt{\delta },$$ (92)

which implies

$$1\le 11\sqrt{\delta }+2\sqrt{ϵ}.$$ (93)

From (93), we can compute a lower bound on $\text{max}\{ϵ,\delta /2\}$. If $ϵ\le \delta /2$, then,

$$1\le 11\sqrt{\delta }+\sqrt{2\delta }$$ (94)

which yields

$$\delta /2\ge (1/2)\cdot {(11+\sqrt{2})}^{-2},$$ (95)

while if $ϵ\ge \delta /2$, similar reasoning yields

$$ϵ\ge (1/2)\cdot {(11+\sqrt{2})}^{-2}.$$ (96)

Therefore,

$$\text{max}\{ϵ,\delta /2\}\ge (1/2)\cdot {(11+\sqrt{2})}^{-2}.$$ (97)

Substituting this value into (80), we find

$$\mathbf{P}(L=1)\le (1/9)-(1/18)\cdot {(11+\sqrt{2})}^{-2}$$ (98)

$$\le (1/9)-0.00035,$$ (99)

as desired.

C. Randomly chosen rounds in parallel repetition of a free game

In this appendix, we prove that in a parallel repetition of a free game, the performance of the players on a small number of randomly chosen rounds is not much better than their performance would have been in a sequential scenario. Our proof is a rearrangement of elements from [8, 16, 9, 4].

For any state ρ of a bipartite system QR, the mutual information between Q and R and is given by

$$I{(Q:R)}_{\rho }=H(QR)-H(Q)-H(R).$$ (100)

Let $S(\rho ||\sigma )=\text{Tr}[\rho \text{log}\rho ]-\text{Tr[}\rho \text{log}\sigma ]$ denote the relative entropy function. The following relationship holds:

$$I{(Q:R)}_{\rho }=S(\rho ||{\rho }^A\otimes {\rho }^B)$$ (101) (102)

Also, the relative entropy function is related to the purified distance as follows: if α, β are density operators, then

$$P(\alpha ,\beta )\le \sqrt{S(\alpha ||\beta )}.$$ (103)

(This follows from, e.g., Lemma 5 in [17].)

Throughout this section, we assume that a free game $G=(\mathcal{X},\mathcal{A},p,L)$, with $w(G)>0$, has been fixed. (Thus we avoid any need to note the influence of G on error terms.)

C.1. Preliminaries

Our first result asserts (roughly) that if a state γ of a bipartite system TQ is dominated by a small scalar multiple of a state that is uniform on T, then $H{(T|Q)}_{\gamma }$ must be close to $\text{log}|T|$.

Lemma C.1. Let γ be a classical-quantum state of a bipartite system TQ such that

$$\gamma \le \lambda (U_T\otimes {\gamma }^Q),$$ (104)

where λ denotes a real number. Then,

$$H{(T|Q)}_{\gamma }\ge \text{log}\left|T\right|-2\text{log}(1/\lambda )$$ (105)

Proof. We have $H{(T|Q)}_{\gamma }=H{(T)}_{\gamma }-I{(T:Q)}_{\gamma }$. It is obvious that the quantity $H{(T)}_{\gamma }$ is at least $\text{log}|T|-\text{log}(1/\lambda )$ since the eigenvalues of γ^T do not exceed $\lambda /|T|$. Thus we need only prove that $I{(T:Q)}_{\gamma }\le \text{log}(1/\lambda )$.

We can write

$$I(T:Q)=S(\gamma ||{\gamma }^T\otimes {\gamma }^Q).$$ (106)

Note that the quantity

$$S(\gamma ||U_T\otimes {\gamma }^Q)-S(\gamma ||{\gamma }^T\otimes {\gamma }^Q)$$ (107)

is equal to $S(U_T||{\gamma }^T)$, which is nonnegative, and therefore

$$I(T:Q)\le S(\gamma ||U_T\otimes {\gamma }^Q).$$ (108)

We therefore have the following, using the fact that the logarithm function is operator monotone:

$$I(T:Q)\le S(\gamma ||U_T\otimes {\gamma }^Q)$$ (109)

$$=\text{Tr}[\gamma \text{log}\gamma ]-\text{Tr}[\gamma \text{log}(U_T\otimes {\gamma }^Q)]$$ (110)

$$\le \text{Tr}[\gamma \text{log}\gamma ]-\text{Tr}[\gamma \text{log}(\gamma /\lambda )]$$ (111)

$$=\text{log}(1/\lambda ),$$ (112)

as desired.

By definition, if two pure bipartite states ψ, $\varphi \mathcal{D}(Q\otimes R)$are such that $P({\psi }^Q,{\phi }^Q)=\delta$, then there is a unitary automorphism of R which maps φ to a state that is within ∆-distance δ from ψ. The next lemma asserts that if these bipartite states have some additional structure, then we can find such a unitary automorphism that is similarly structured.

Lemma C.2. Suppose that S, $S\prime$, Q, R are registers, where S is a copy of $S\prime$, and that ψ, φ are pure states on $SS\prime QR$ that are supported on $\text{Span}\{e\otimes e\}\otimes Q\otimes R$, where e varies over the standard basis elements of S,$S\prime$. Let $\delta =P({\psi }^{SQ},{\varphi }^{SQ})$. Then, there exists an $S\prime$-controlled unitary operator U on $S\prime \otimes R$ such that $\Delta (U\psi ,\varphi )=\delta$.

Proof. Write $\psi =u{u}^{\ast }$, $\varphi =v{v}^{\ast }$ with

$$u=\sum _{e,f,g}(m_{fg}^e)e\otimes e\otimes f\otimes g$$ (113)

$$v=\sum _{e,f,g}(n_{fg}^e)e\otimes e\otimes f\otimes g,$$ (114)

where e, f, g vary over the standard basis elements of S, Q, R, respectively. The fidelity $F({\psi }^{SQ},{\varphi }^{SQ})$ is then given by the expression

$$\sum _e{\Vert (M^e)*(N^e)\Vert }_1,$$ (115)

where $M^e={[m_{fg}^e]}_{fg}$ and $N^e={[n_{fg}^e]}_{fg}$ denote linear operators from R to Q. Find unitary operators $U^e:R\to R$ such that

$$\text{Tr}[U^e(M^e)*(N^e)]={\Vert (M^e)*(N^e)\Vert }_1.$$ (116)

Then, the controlled operator ${\sum }_{e}e{e}^{\ast }\otimes U^e$ on $S\prime \otimes R$ satisfies the desired condition.

Now we prove a proposition about states that approximate the behavior of players in a free nonlocal game. (The statement of this proposition is based in particular on the statement of Lemma 4.3 in [9].)

Proposition C.3. Let X, $X\prime$ denote $\mathcal{X}$-valued registers, let A denote an $\mathcal{A}$-valued register, and let $Q=Q^1{Q}^2\cdots Q^n$ denote a n-partite register. Let ψ be a pure state of $XX\prime QA$ given by $\psi =u{u}^{\ast }$,

$$u=\sum _{x\in \mathcal{X}}\sqrt{\mu (x)}|xx\rangle \otimes u_x,$$ (117)

where µ is a probability distribution on $\mathcal{X}$ and each u_x is a unit vector in QA, and suppose that

$$H{(X^k|X^{\widehat{k}}X{\prime }^{\widehat{k}}{Q}^{\widehat{k}}{A}^{\widehat{k}})}_{\psi }\ge \text{log}\left|{\mathcal{X}}^k\right|-\delta$$ (118)

for all k ∈ {1, 2, …, n}. Then,

$${\mathbb{E}}_{\psi }[L(X,A)]\le w(G)+O(\sqrt{\delta }).$$ (119)

Proof. Case 1: Assume that δ = 0.

Then, the state of $X^k{(XX\prime QA)}^{\widehat{k}}$ is uniform on $X^k$. Making use of Lemma C.2, we can find unitary automorphisms $U_{x^k\to y^k}^k$ on $Q^k{A}^k$ for any $x^k$, $y^k\in {\mathcal{X}}^k$ such that

$$U_{x^k\to y^k}^k{u}_{x^1{x}^2\cdots x^k\cdots x^n}=u_{x^1{x}^2\cdots y^k\cdots x^n}.$$ (120)

The expected score ${\mathbb{E}}_{\psi }[L(X,A)]$ can be achieved at the game G by having the n-players share some state of the form $u_x{u}_x^{*}$ with $x\in \mathcal{X}$, receiving an input sequence $y^1\dots y^n\in \mathcal{X}$, each applying the unitary $U_{x^k\to y^k}^k$ to their subsystem, and then measuring $A^k$ to determine their output. This is a valid quantum strategy, and so ${\mathbb{E}}_{\psi }[L(X,A)]$ cannot exceed w(G).

Case 2: General case.

Note that

$$I{(X^k:{(XX\prime QA)}^{\widehat{k}})}_{\psi }\le \delta ,$$ (121)

or equivalently,

$$S({\psi }^{X^k{(XX\prime QA)}^{\widehat{k}}}\Vert {\psi }^{X^k}\otimes {\psi }^{{(XX\prime QA)}^{\widehat{k}}})\le \delta .$$ (122)

Therefore

$$P({\psi }^{X^k{(XX\prime QA)}^{\widehat{k}}},{\psi }^{X^k}\otimes {\psi }^{{(XX\prime QA)}^{\widehat{k}}})\le O(\sqrt{\delta }).$$ (123)

Also, since $H{(X^k)}_{\psi }\ge \text{log}|{\mathcal{X}}^k|-\delta$ and $I(X^k:X^{1\dots (k-1)})\le \delta$, the chain rule implies $H{(X)}_{\psi }\ge \text{log}|\mathcal{X}|-O(\delta )$, and therefore the distribution of µ is within purified distance $O(\sqrt{\delta })$ from a uniform distribution. Thus,

$$P({\psi }^{X^k{(XX\prime QA)}^{\widehat{k}}},U_{X^k}\otimes {\psi }^{{(XX\prime QA)}^{\widehat{k}}})\le O(\sqrt{\delta }).$$ (124)

We will reduce to Case 1 via the use of a “decoupling” procedure. Let Y, $Y\prime$ denote $\mathcal{X}$-valued registers. Let Ψ be the state of $XX\prime YY\prime AQ$ such that $XX\prime AQ$ are in state ψ and each register $Y^{k}Y{\prime }^k$ is in a Bell state. Consider the following two-step process carried out on the state Ψ by player k. For simplicity, let $Playe{r}^k={(XX\prime YY\prime AQ)}^k$.

1. (Swap.) Swap the state of the registers $X^{k}X{\prime }^k$ with the state of the registers $Y^{k}Y{\prime }^k$.

2. (Recover.) The state of the registers $X^{k}Playe{r}^{\widehat{k}}$ is now

   $$(U_{X^k})\otimes \left({\Psi }^{Playe{r}^{\widehat{k}}}\right).$$ (125)

   Using inequality (124) and Lemma C.2, apply an ${X\prime }^k$-controlled unitary operator $V^k$ to the register ${(X\prime YY\prime AQ)}^k$ to bring the registers $Playe{r}^{1\dots n}$ to a state that is within purified distance $O(\sqrt{\delta })$ from state Ψ.

Denote this process (which takes place on the registers Player^k) by the symbol ${\mathcal{U}}^k$. The state ${\mathcal{U}}^k(\Psi )$ is within purified distance $O(\sqrt{\delta })$ from Ψ. At the same time — since the registers $X^{k}Playe{r}^{\widehat{k}}$ are not used in step 2 — we have $H(X^k|Playe{r}^{\widehat{k}})=\text{log}|\mathcal{X}|$ under the state ${\mathcal{U}}^k(\Psi )$.

Applying the data processing inequality and the triangle inequality, the state

$${\mathcal{U}}^1\circ {\mathcal{U}}^2\circ \cdots \circ {\mathcal{U}}^n(\Psi ).$$ (126)

is within ∆-distance $O(\sqrt{\delta })$ from Ψ, and it also satisfies

$$H(X^k:Playe{r}^{\widehat{k}})=\text{log}\left|\mathcal{X}\right|$$ (127)

for all k. The desired result therefore follows from Case 1.

C.2. The Pure Parallel Repetition Process

We study the parallel repetition process given in Figure 7 (PureParallel). This PureParallel process is similar to the process Par in Figure 3, except that it assumes the strategy used by the players involves a pure state and projective measurements, and that they obtain their input symbols from a maximally entangled state.

Figure 7:

A parallel repetition process with entangled inputs and a pure initial state.

For each $i\in \{1,2,\hspace{0.17em}\dots \hspace{0.17em},n\}$ and $t\in \{1,2,\hspace{0.17em}\dots \hspace{0.17em},N\}$, let $Playe{r}_t^i$ denote the registers of which player i has knowledge at the conclusion of step (t + 4):

$$Playe{r}_t^i=X^{i}X{\prime }^i{A}^i{C}^i{X}_{i\dots t}^{\widehat{i}}{A}_{i\dots t}^{\widehat{i}}P.$$ (128)

Then, following our convention, $Playe{r}_t^{\widehat{i}}$ denotes the registers of which players 1, 2, …, i − 1, i + 1, …, n have knowledge at conclusion of step (t + 4):

$$Playe{r}_t^{\widehat{i}}=X^{\widehat{i}}X{\prime }^{\widehat{i}}{A}^{\widehat{i}}{C}^{\widehat{i}}{X}_{i\dots t}^i{A}_{i\dots t}^{i}P.$$ (129)

The next proposition asserts that, if the probability of winning the first t rounds is not too unlikely, then these players possess only a limited amount of information about player i’s input on the (t + 1)st round. The lower bound that we choose for the winning probability in the first t rounds can be somewhat arbitrary; we will take it to be w(G)^2t.

Proposition C.4. Suppose that $\mathbf{P}(W_{1\dots t}=\mathbf{1})\ge w{(G)}^{2t}$ in PureParallel. Then, for any $i\in \{\mathbf{1},2,\hspace{0.17em}\dots \hspace{0.17em},n\}$, the state ${\Gamma }^{t+4}$ that occurs after step t + 4 satisfies

$$H(X_{t+1}^i|Playe{r}_t^{\widehat{i}},W_{1\dots t}=\mathbf{1})\ge \text{log}|{\mathcal{X}}^i|-O(t/N).$$ (130)

Proof. Note that in the state ${\Gamma }^{t+4}$ , the registers $X^i$ are uniformly distributed relative to $X^{\widehat{i}}$ $X{\prime }^{\widehat{i}}$ $A^{\widehat{i}}$ $C^{\widehat{i}}$P. Since the conditional state ${\Gamma }_{|W_{1\dots t}=1}^{t+4}$ satisfies

$${(w(G))}^{2t}\cdot {\Gamma }_{|W_{1\dots t}=1}^{t+4}\le {\Gamma }^{t+4},$$ (131)

we have by Lemma C.1 that

$$H(X^i|X^{\widehat{i}}X{\prime }^{\widehat{i}}{A}^{\widehat{i}}{C}^{\widehat{i}}P,W_{1\dots t}=\mathbf{1})\ge N\text{log}|{\mathcal{X}}^i|-O(t).$$ (132)

The registers $X_{1\dots t}^i{A}_{1\dots t}^i$ have a range of size 2^O(t), and so when we additionally condition on them we obtain

$$H(X_{(t+1)\dots N}^i|Playe{r}_t^{\widehat{i}},W_{1\dots t}=\mathbf{1})\ge N\text{log}|{\mathcal{X}}^i|-O(t),$$ (133)

which implies

$$\sum _{j=t+1}^{N}H(X_j^i|Playe{r}_t^{\widehat{i}},W_{1\dots t}=\mathbf{1})\ge N\text{log}|{\mathcal{X}}^i|-O(t).$$ (134)

By permutation symmetry, the value of every term in the summation in (134) is the same.⁴ Therefore,

$$H(X_{t+1}^i|Playe{r}_t^{\widehat{i}},W_{1\dots t}=\mathbf{1})\ge [N\text{log}|{\mathcal{X}}^i|-O(t)]/(N-t)$$ (135)

$$\ge \text{log}|{\mathcal{X}}^i|-O(t/N),$$ (136)

as desired.

We will use the previous proposition to prove by induction an upper bound on the probability that $W_{1\dots t}=\mathbf{1}$.

Proposition C.5. Suppose that $\mathbf{P}(WIN(t))\ge w{(G)}^{2t}$. Then,

$$\mathbf{P}(W_{1\dots (t+1)}=\mathbf{1})\le \mathbf{P}(W_{1\dots (t+1)}=\mathbf{1})\cdot (w(G)+O(\sqrt{t/N})).$$ (137)

Proof. Consider the state of the PureParallel protocol after step t + 4. By Proposition C.4, the expected value of the quantity

$$H(X_{t+1}^i|Playe{r}_t^{\widehat{i}}{X}_{1\dots t}=x_{1\dots t},A_{1\dots t}=a_{1\dots t},P=\sigma ,W_{1\dots t}=\mathbf{1}),$$ (138)

when $x_{1\dots t}$, $a_{1\dots t}$, σ vary according to the distribution given by the state ${\Gamma }_{|W_{1\dots t}=1}^{t+4}$, is lower bounded by $\text{log}|{\mathcal{X}}^i|-O(t/N)$. Additionally, the state of the registers $Playe{r}_t^{1\dots n}$ when conditioned on any such values $X_{1\dots t}=x_{1\dots t}$, $A_{1\dots t}=a_{1\dots t}$, P = σ, is a pure state. By Proposition C.3 and the concavity of the square root function, the probability of the players winning the (t + 1)st game under the distribution ${\Gamma }_{|W_{1\dots t}=1}^{t+4}$ is no more than $w(G)+O(\sqrt{t/N})$, as desired.

Theorem C.6. For any $t\in \{1,2,\hspace{0.17em}\dots \hspace{0.17em},N\}$,

$$\mathbf{P}(W_{1\dots t}=1)\le {(w(G)+O(\sqrt{t/N}))}^t.$$ (139)

Proof. Let E denote the function represented by O on the righthand side of inequality (137). We apply induction on t. The base case is obvious. For the inductive step, assume that

$$\mathbf{P}(W_{1\dots t}=\mathbf{1})\hspace{1em}\le \hspace{1em}{(w(G)+E(\sqrt{t/N}))}^t$$ (140)

holds for a given value of $t\in \{1,2,\hspace{0.17em}\dots \hspace{0.17em},N-1\}$. If $\mathbf{P}(W_{1\dots t}=\mathbf{1})\ge {(w(G))}^{2t}$, then

$$\mathbf{P}(W_{1\dots t}=\mathbf{1})<{(w(G))}^{2t}$$ (141)

$$\le {(w(G))}^{t+1},$$ (142)

and there is nothing to prove. If $\mathbf{P}(W_{1\dots t}=\mathbf{1})\ge {(w(G))}^{2t}$, then by Proposition C.5,

$$\mathbf{P}(W_{1\dots t}=\mathbf{1})\le {(w(G)+E(\sqrt{t/N}))}^{t+1},$$ (143)

which completes the proof.