Quantum verifiable protocol for secure modulo zero-sum randomness

Abstract

We propose a new cryptographic resource, secure modulo zero-sum randomness, as a resource to implement a task of secure modulo summation, and its quantum protocol. Secure modulo summation is the calculation of modulo summation \(Y_1+\cdots + Y_m\) when m players have their individual variables \(Y_1,\ldots , Y_m\) with keeping the secrecy of the individual variables. Secure modulo zero-sum randomness is a set of m variables \(X_1, \ldots , X_m\) held by m players that satisfy the zero sum condition \(X_1+\cdots + X_m=0\) with a certain security condition. This paper explains the relation between these two concepts and proposes a quantum verifiable protocol for secure modulo summation. The advantage for quantum protocol is the verifiability based on self-testing, which does not need to trust measurement devices and can be realized by using a statistical concept, significance level, while any classical method needs to trust several components of the protocol. Then, we propose various cryptographic applications for secure modulo zero-sum randomness. We also compare our quantum verifiable protocol with the conventional method for secure modulo summation.

Appendices

Appendix A Summary of Appendix

The first aim of this appendix is providing the security proof for our quantum verifiable protocol to generate secure modulo zero-sum randomness. The second aim of this appendix is providing a quantum verifiable protocol to generate secure modulo zero-sum randomness with general dimension when the measurement device is trusted.

The appendix is organized as follows. First, as the preparation of the first aim, Appendix 1 evaluates the performance of the classical random sampling. Then, Appendix 1 reviews the existing result of self-testing of Bell state. By using these discussions, Appendix 1 shows the security of our quantum verifiable protocol to generate secure modulo zero-sum randomness, which is presented in Sect. 7. That is, we show Theorems 11 and 12 of the mainbody. Then, Appendix 1 presents a quantum verifiable protocol to generate secure modulo zero-sum randomness with general dimension when the measurement device is trusted.

Appendix B Classical random sampling

Proof

We consider \(n+1\) binary random variables \(X_1, \ldots , X_{n+1}\) taking values in \(\{0,1\}\). We randomly choose n variables among \(X_1, \ldots , X_{n+1}\) and observe them. We denote the remaining variable by Y. Let Z be the number of 1 among observed variables. \(\square \)

Lemma 3 of [26, Appendix C] is rewritten as follows.

Proposition 14

With significance level \(\alpha \), we have For any constants \(c_1\), \(p*\) and \(\alpha \), there exists a constant \(c_2\) such that with significance level \(\alpha \), we have

$$\begin{aligned} \begin{aligned} p_* - \frac{c_2}{\sqrt{n}} \le&Pr\Big ( Y =1 \Big \vert p_* - \frac{c_1}{\sqrt{n}} \le \frac{Z}{n}\le p_* + \frac{c_1}{\sqrt{n}}\Big ) \\ \le&p_* + \frac{c_2}{\sqrt{n}} \end{aligned} \end{aligned}$$

(B1)

In other words, the probability \(Pr\Big ( p_* - \frac{c_1}{\sqrt{n}} \le \frac{Z}{n}\le p_* + \frac{c_1}{\sqrt{n}}\Big ) \) is greater than \(\alpha \); condition (B1) holds.

When \(p_*\) is zero, we prepare a different type of evaluation as follows.

Proposition 15

With significance level \(\alpha \ge \frac{k+1}{n+1}\), we have

$$\begin{aligned} Pr( Y =1\vert Z\le k) \le \frac{k}{ \alpha (n+1)}+\frac{1 -\alpha }{ \alpha (n -k)}. \end{aligned}$$

(B2)

That is, for any constants \(c_1\) and \(\alpha \), there exists a constant \(c_2\) such that with significance level \(\alpha \), we have

$$\begin{aligned} Pr \Big ( Y =1 \Big \vert \frac{Z}{n}\le \frac{c_1}{n} \Big )\le \frac{c_2}{n}. \end{aligned}$$

(B3)

In other words, the probability \(Pr\Big ( \frac{Z}{n}\le \frac{c_1}{n}\Big ) \) is greater than \(\alpha \), condition (B3) holds.

Proof

We denote the number of 1 among \(X_1, \ldots , X_{n+1}\) by the variable X. We assume that \(P(X=x)=P_x\). Then, we have

$$\begin{aligned} Pr(Z=z,Y=y) = P_{z+y} \frac{{n \atopwithdelims ()z}}{{n+1 \atopwithdelims ()z+y}}. \end{aligned}$$

(B4)

That is,

$$\begin{aligned} Pr(Z=z,Y=0)&=P_{z} \frac{n -z+1}{n+1 } \end{aligned}$$

(B5)

$$\begin{aligned} Pr(Z=z,Y=1)&=P_{z+1} \frac{z+1}{n+1}. \end{aligned}$$

(B6)

Thus, we have

$$\begin{aligned} Pr(Z=z) = P_{z}\frac{n -z+1}{n+1 } +P_{z+1} \frac{z+1}{n+1}. \end{aligned}$$

(B7)

Hence,

$$\begin{aligned}&Pr(Z \le k, Y=1) = \sum _{z=0}^k P_{z+1} \frac{z+1}{n+1}, \end{aligned}$$

(B8)

and

$$\begin{aligned} \frac{Pr(Z\le k,Y=1) }{Pr(Z\le k) }= \frac{\sum _{z=0}^k P_{z+1} \frac{z+1}{n+1}}{(\sum _{z=0}^k P_{z} ) +P_{k+1} \frac{k+1}{n+1}}. \end{aligned}$$

(B9)

Since \(\frac{1}{n+1}\le \cdots \le \frac{k}{n+1} \le \frac{k+1}{n+1}\) and \(1 \ge \frac{k+1}{n+1}\), we have

$$\begin{aligned}&\max _{(P_z)_{z=0}^{n+1}} \bigg \{ \frac{\sum _{z=0}^k P_{z+1} \frac{z+1}{n+1}}{(\sum _{z=0}^k P_{z} ) +P_{k+1} \frac{k+1}{n+1}} \bigg \vert (\sum _{z=0}^k P_{z} ) +P_{k+1} \frac{k+1}{n+1} \ge \alpha \bigg \} \nonumber \\&\quad =\max _{p} \bigg \{ \frac{(1-p) \frac{k}{n+1}+p \frac{k+1}{n+1}}{(1-p)+p \frac{k+1}{n+1}} \bigg \vert (1-p)+p \frac{k+1}{n+1} \ge \alpha \bigg \} \end{aligned}$$

(B10)

The condition \((1-p) +p \frac{k+1}{n+1} \ge \alpha \) is equivalent to the condition \( 1 -\alpha \ge p( 1- \frac{k+1}{n+1}) = p \frac{n -k}{n+1 }\), which is rewritten as \( (1 -\alpha )\frac{n+1 }{n -k} \ge p\). Under this condition, we have

$$\begin{aligned} \begin{aligned}&\frac{(1-p) \frac{k}{n+1}+p \frac{k+1}{n+1}}{(1-p)+p \frac{k+1}{n+1}} =\frac{\frac{k}{n+1}+p \frac{1}{n+1}}{(1-p)+p \frac{k+1}{n+1}}\\&\quad \le \frac{\frac{k}{n+1}+(1 -\alpha )\frac{n+1 }{n -k} \frac{1}{n+1}}{\alpha }\\&\quad = \frac{\frac{k}{n+1}+\frac{1 -\alpha }{n -k} }{\alpha } = \frac{k}{ \alpha (n+1)}+\frac{1 -\alpha }{ \alpha (n -k)}. \end{aligned} \end{aligned}$$

(B11)

Combining (B10) and (B11), we obtain the desired statement. \(\square \)

In this paper, we need to combine several statements with a certain significance level. The following lemma is useful for this aim.

Lemma 16

We assume the following. When the test \(A_i\) is passed, the property \(B_i\) holds with significance level \(\alpha \) for \(i=1,2\). Then, the properties \(B_1\) and \(B_2\) hold with significance level \(\alpha \) when the tests \(A_1\) and \(A_2\) are passed. In other words, if the probability to pass the tests \(A_1\) and \(A_2\) is greater than \(\alpha \), the resultant state passing the tests \(A_1\) and \(A_2\) satisfies the properties \(B_1\) and \(B_2\).

Proof

Lemma 16 is shown as follows. Let \(\{P_\theta \}_{\theta \in \Theta }\) be the set of possible distributions. In the quantum setting, when we fix the measurements, dependently of the measurements and input states, we have the distribution \(P_\theta \) over the measurement outcomes. Let \(\mathcal{A}_i\) be the set of events to satisfy \(A_i\) for \(i=1,2\). When the property \(B_i\) holds under the parameter \(\theta \), we write \(B_i(\theta )=1\). Otherwise, we write \(B_i(\theta )=0\).

The assumption implies that

$$\begin{aligned} \max \{ P_\theta ( \mathcal{A}_i)\vert B_i(\theta )=0 \} \le \alpha . \end{aligned}$$

(B12)

Hence,

$$\begin{aligned}&\max \{ P_\theta (\mathcal{A}_1 \cap \mathcal{A}_2)\vert B_1(\theta )=0 \hbox { or } B_2(\theta )=0\} \nonumber \\&\quad =\max (\max \{ P_\theta (\mathcal{A}_1 \cap \mathcal{A}_2)\vert B_1(\theta )=0 \} , (\max \{ P_\theta (\mathcal{A}_1 \cap \mathcal{A}_2)\vert B_2(\theta )=0\} ) \nonumber \\&\quad \le \max (\max \{ P_\theta (\mathcal{A}_1 )\vert B_1(\theta )=0 \} , \max \{ P_\theta (\mathcal{A}_2)\vert B_2(\theta )=0\} ) \nonumber \\&\quad \le \alpha , \end{aligned}$$

(B13)

which implies the desired statement. \(\square \)

Appendix C Self-testing of Bell sate

To discuss the verification of the GHZ state, we review the existing result for self-testing of the Bell state by [26]. To fit our use, we consider the case when the Bell state is given as \(\frac{1}{\sqrt{2}}(\vert 00\rangle _p+\vert 11\rangle _p)\).

We choose sufficiently large Hilbert spaces \(\mathcal{H}_1''\) and \(\mathcal{H}_2''\) so that the state on the composite system is the pure state \(\vert \psi ''\rangle \). Let \({\mathsf {X}}''_i\), \({\mathsf {Z}}''_i\), \({\mathsf {A}}(0)''_i\), \({\mathsf {A}}(1)''_i\) be operators on \(\mathcal{H}_i\) for \(i=1,2\).

Proposition 17

When

$$\begin{aligned}&\langle \psi ''\vert {\mathsf {X}}''_1 {\mathsf {X}}''_2\vert \psi ''\rangle \ge 1-\epsilon , \quad \langle \psi ''\vert -{\mathsf {Z}}''_1 {\mathsf {Z}}''_2 \vert \psi ''\rangle \ge 1-\epsilon , \end{aligned}$$

(C1)

$$\begin{aligned}&\langle \psi ''\vert {\mathsf {A}}(0)''_1({\mathsf {X}}''_2-{\mathsf {Z}}''_2)+{\mathsf {A}}(1)''_1({\mathsf {X}}''_2+{\mathsf {Z}}''_2) \vert \psi ''\rangle \ge 2\sqrt{2}- \epsilon , \end{aligned}$$

(C2)

there exist a constant \(c_3\) and isometries \(U_1:\mathcal{H}_1''\rightarrow \mathcal{H}_1\) and \(U_2:\mathcal{H}_2''\rightarrow \mathcal{H}_2\) such that the isometry \(U=U_1U_2\) satisfies

$$\begin{aligned} \Vert U {\mathsf {X}}''_1 U^\dagger - {\mathsf {X}}_1 \Vert&\le c_3 \epsilon ^{1/2}, ~ \Vert U {\mathsf {Z}}''_1 U^\dagger - {\mathsf {Z}}_1 \Vert \le c_3 \epsilon ^{1/2} \end{aligned}$$

(C3)

$$\begin{aligned} \Vert U {\mathsf {X}}''_2 U^\dagger - {\mathsf {X}}_2 \Vert&\le c_3 \epsilon ^{1/2}, ~ \Vert U {\mathsf {Z}}''_2 U^\dagger - {\mathsf {Z}}_2 \Vert \le c_3 \epsilon ^{1/2} . \end{aligned}$$

(C4)

Equation (C3) follows from Proposition 1 of [26]. While Eq. (C4) does not appear in Proposition 1 of [26], it can be shown by using (E40) and (E41) of Lemma 9.

Now, we apply Proposition 17 to the case when we prepare \(6m+1\) copies of the initial state and split them randomly into 6 groups and one final copy. The procedure is described as follows and is denoted by Protocol 11:

We apply Conditions (C5) and (C6) to Propositions 14 and 15 . Since \(\frac{c_2}{n}\le \frac{c_2}{\sqrt{n}}\), combining Proposition 17, we obtain the following proposition.

Proposition 18

For significance level \(\alpha \) and a constant \(c_1\), there exists a constant \(c_4\) to satisfy the following condition. When the test given in Protocol 11 is passed, we can guarantee, with significance level \(\alpha \), that there exist isometries \(U_1:\mathcal{H}_1''\rightarrow \mathcal{H}_1\) and \(U_2:\mathcal{H}_2''\rightarrow \mathcal{H}_2\) such that the isometry \(U=U_1U_2\) satisfies

$$\begin{aligned} \Vert U {\mathsf {X}}''_1 U^\dagger - {\mathsf {X}}_1 \Vert&\le \frac{c_4}{n^{1/4}}, ~ \Vert U {\mathsf {Z}}''_1 U^\dagger - {\mathsf {Z}}_1 \Vert \le \frac{c_4}{n^{1/4}} \end{aligned}$$

(C7)

$$\begin{aligned} \Vert U {\mathsf {X}}''_2 U^\dagger - {\mathsf {X}}_2 \Vert&\le \frac{c_4}{n^{1/4}}, ~ \Vert U {\mathsf {Z}}''_2 U^\dagger - {\mathsf {Z}}_2 \Vert \le \frac{c_4}{n^{1/4}}. \end{aligned}$$

(C8)

In other words, if the probability to pass Protocol 11 is greater than \(\alpha \), there exist isometries \(U_1:\mathcal{H}_1''\rightarrow \mathcal{H}_1\) and \(U_2:\mathcal{H}_2''\rightarrow \mathcal{H}_2\) such that resultant state passing Protocol 11 satisfies conditions (C7) and (C8).

Appendix D Security proof for quantum verifiable protocol to generate secure modulo zero-sum randomness

Proof of Theorem 11 of the mainbody

Now, we show Theorem 11 of the mainbody by using Lemma 16, Propositions 15, and 18 , which are shown in Appendices. Before, we need to be careful in handling several statements with a certain significance level. As shown in Lemma 16, when several statements hold with significance level \(\alpha \), we obtain all of them simultaneously with significance level \(\alpha \).

First, we find the following. Condition (11) of the mainbody implies that relation (14) of the mainbody holds with significance level \(\alpha \).

Assume that \(S_1\) is composed of \(j_1, \ldots , j_l\). We focus on the quantum system of Player j and the quantum system of group \(S_1\). The latter system is spanned by the basis

$$\begin{aligned} \vert x\rangle _{S_1}:= \frac{1}{2^{(l-1)/2}} \sum _{x_{j_1}, \ldots , x_{j_l}: x_{j_1}+ \cdots + x_{j_l}=x} \vert x_{j_1}\rangle _{j_1} \cdots \vert x_{j_l}\rangle _{j_l}. \end{aligned}$$

It is also spanned by \( \vert z\rangle _{S_1;p} := \vert z\rangle _{j_1;p} \cdots \vert z\rangle _{j_l;p} =\frac{1}{\sqrt{2}}(\vert 0\rangle _{S_2}+(-1)^z\vert 1\rangle _{S_1})\). We define \({\mathsf {Z}}_{S_1}:= \vert 0\rangle _{S_1}~_{S_1}\langle 0\vert -\vert 1\rangle _{S_1}~_{S_1}\langle 1\vert \) and \({\mathsf {X}}_{S_1}:= \vert 0\rangle _{S_1}~_{S_1}\langle 1\vert +\vert 0\rangle _{S_1}~_{S_1}\langle 1\vert \). Similarly, we define \({\mathsf {Z}}_{S_2}\) and \({\mathsf {X}}_{S_2}\). While the measurement \({\mathsf {Z}}_{S_1}\) can be done by the measurement \({\mathsf {Z}}_{j_1}, \ldots , {\mathsf {Z}}_{j_l}\), the measurement \({\mathsf {X}}_{S_1}\) can be done only by the measurement \({\mathsf {X}}_{k}\) for any \(k \in S_1\). The same observation holds for \({\mathsf {Z}}_{S_2}\) and \(\mathsf {X}_{S_2}\). Therefore, our GHZ \(\vert GHZ\rangle _p\) can be considered as \(\frac{1}{\sqrt{2}}( \sum _{z} \vert z\rangle _{p} \vert z\rangle _{S_1;p} \vert z\rangle _{S_2;p} )\).

When they measure \({\mathsf {Z}}_{S_2}\), they obtain the outcome z and apply the unitary \({\mathsf {X}}_j^{-z }\), the resultant state is the Bell state \(\frac{1}{\sqrt{2}}(\sum _{z} \vert z\rangle _{j;p} \vert z\rangle _{S_1;p} )\). When we measure \({\mathsf {X}}_{j}\) and \({\mathsf {X}}_{S_1}\) to the system in the state \(\frac{1}{\sqrt{2}}( \sum _{z} \vert z\rangle _{j;p} \vert z\rangle _{S_1;p} \vert z\rangle _{S_2;p} )\), the measurement outcome does not depend on the measurement outcome of \({\mathsf {Z}}_{S_2}\). Therefore, we can consider that the measurements on the \(j_1,j,m+j_1,m+j,2m+j_1,2m+j,3m+j_1,3m+j\)-th groups can be considered as the measurement required in Proposition 18. Now, we denote the real operator on the final group by using \(''\). The real quantum system of Player j, the groups \(S_1\) and \(S_2\) are denoted by \(\mathcal{H}_j\), \(\mathcal{H}_{S_1}\), and \(\mathcal{H}_{S_2}\).

Using Proposition 18, we can guarantee, with significance level \(\alpha \), that there exist a constant \(c_2\) and isometries \(U_j:\mathcal{H}_j''\rightarrow \mathcal{H}_j\) and \(U_{S_1}:\mathcal{H}_{S_1}''\rightarrow \mathcal{H}_{S_1}\) such that

$$\begin{aligned}&\Vert U_j {\mathsf {X}}''_j U_j^\dagger - {\mathsf {X}}_j \Vert \le c_2 n^{-1/4}, ~ \Vert U_j {\mathsf {Z}}''_j U_j^\dagger - {\mathsf {Z}}_j \Vert \le c_2 n^{-1/4}, \end{aligned}$$

(D1)

$$\begin{aligned}&\Vert U_{S_1} {\mathsf {X}}''_{S_1} U_{S_1}^\dagger - {\mathsf {X}}_{S_1} \Vert \le c_2 n^{-1/4}, \end{aligned}$$

(D2)

$$\begin{aligned}&\Vert U_{S_1} {\mathsf {Z}}''_{S_1} U_{S_1}^\dagger - {\mathsf {Z}}_{S_1} \Vert \le c_2n^{-1/4} . \end{aligned}$$

(D3)

We apply the same discussion to the case with switching \(S_1\) and \(S_2\). Then, we can guarantee, with significance level \(\alpha \), that there exists isometry \(U_{S_2}:\mathcal{H}_{S_2}''\rightarrow \mathcal{H}_{S_2}\) such that

$$\begin{aligned} \begin{aligned} \Vert U_{S_2} {\mathsf {X}}''_{S_2} U_{S_2}^\dagger - {\mathsf {X}}_{S_2} \Vert&\le c_4 \sqrt{c_1} n^{-1/4}, \\ \Vert U_{S_2} {\mathsf {Z}}''_{S_2} U_{S_2}^\dagger - {\mathsf {Z}}_{S_2} \Vert&\le c_4 \sqrt{c_1} n^{-1/4}. \end{aligned} \end{aligned}$$

(D4)

We define two projections

$$\begin{aligned} P_1&:=\sum _{*} \vert x_1\rangle _{j}\vert x_2\rangle _{S_1} \vert x_3\rangle _{S_2} ~_{j}\langle x_1 \vert ~_{S_1}\langle x_2 \vert ~_{S_2}\langle x_3 \vert \nonumber \\&=\frac{1}{2}(I+{\mathsf {Z}}_{j} {\mathsf {Z}}_{S_1} {\mathsf {Z}}_{S_2}) \end{aligned}$$

(D5)

$$\begin{aligned} P_2&:= \sum _{z}\vert z\rangle _{j;p}\vert z\rangle _{S_1;p} \vert z\rangle _{S_2;p} ~_{j;p}\langle z \vert ~_{S_1;p}\langle z \vert ~_{S_2;p}\langle z \vert \nonumber \\&=\frac{1}{4}(I+{\mathsf {X}}_{j} {\mathsf {X}}_{S_1})(I+ {\mathsf {X}}_{j}{\mathsf {Z}}_{S_2})\nonumber \\&=\frac{1}{4}(I+{\mathsf {X}}_{j} {\mathsf {X}}_{S_1}+ {\mathsf {X}}_{j}{\mathsf {Z}}_{S_2}+ {\mathsf {X}}_{S_1}{\mathsf {Z}}_{S_2}), \end{aligned}$$

(D6)

where \(*\) expresses the sum for \(x_1,x_2,x_3\) under the condition \(x_1+x_2+x_3=0\). Then, we have \(\vert GHZ\rangle _p~_p\langle GHZ\vert =P_1 P_2\). Hence, for \(U=U_{j}U_{S_1}U_{S_2}\), using (D5), we have

$$\begin{aligned}&\Vert U^\dagger P_1U -P_1'' \Vert =\Vert P_1-U P_1''U^\dagger \Vert \nonumber \\&\quad \le \frac{1}{2} \big (\Vert {\mathsf {Z}}_j-U_j {\mathsf {Z}}_j''U_j^\dagger \Vert +\Vert {\mathsf {Z}}_{S_1}-U_{S_1} {\mathsf {Z}}_{S_1}''U_{S_1}^\dagger +\Vert {\mathsf {Z}}_{S_2}-U_{S_2} {\mathsf {Z}}_{S_2}''U_{S_2}^\dagger \Vert \big ) \end{aligned}$$

(D7)

$$\begin{aligned}&\Vert U^\dagger P_2 U -P_2'' \Vert =\Vert P_2-U P_2''U^\dagger \Vert \nonumber \\&\quad \le \frac{1}{2} \big (\Vert {\mathsf {Z}}_j-U_j {\mathsf {Z}}_j''U_j^\dagger \Vert +\Vert {\mathsf {Z}}_{S_1}-U_{S_1} {\mathsf {Z}}_{S_1}''U_{S_1}^\dagger \Vert +\Vert {\mathsf {Z}}_{S_2}-U_{S_2} {\mathsf {Z}}_{S_2}''U_{S_2}^\dagger \Vert \big ) . \end{aligned}$$

(D8)

Applying Proposition 15 to \({P}''_1\) and \({P}''_2\), with significance level \(\alpha \) and a constant \(c_2'\), we have

$$\begin{aligned} \mathrm {Tr}\sigma (I-P''_i) \le \frac{c_2'}{n} \end{aligned}$$

(D9)

for \(i=1,2\). Due to Lemma 16, combining (D1),(D2), (D3), (D4), (D7), (D8), and (D9), with significance level \(\alpha \), we have

$$\begin{aligned}&\mathrm {Tr}\sigma U^\dagger (I-\vert GHZ\rangle _p~_p\langle GHZ\vert )U \nonumber \\&\quad \le \mathrm {Tr}\sigma U^\dagger ((I-P_1)+(I-P_2))U\nonumber \\&\quad \le \mathrm {Tr}\sigma ( U^\dagger (I-P_1)U+ U^\dagger (I-P_2)U ) \nonumber \\&\quad \le \mathrm {Tr}\sigma ( (I-P_1'')+ (I-P_2'') ) +\Vert U^\dagger P_1U -P_1'' \Vert +\Vert U^\dagger P_2U -P_2'' \Vert \nonumber \\&\quad \le \frac{2c_2'}{n}+3 c_2 n^{-1/4}. \end{aligned}$$

(D10)

Hence,

$$\begin{aligned} \Vert \sigma -U^\dagger \vert GHZ\rangle _p~_p\langle GHZ\vert U\Vert _1 \le \sqrt{\frac{2c_2'}{n}+3 c_2 n^{-1/4}}. \end{aligned}$$

(D11)

Let \({\tilde{P}}_{X_j,X_{S_1},X_{S_2},E}\) be the joint distribution when Players apply the ideal measurements \(U_j^\dagger {\mathsf {Z}}_jU_j\), \(U_{S_1}^\dagger {\mathsf {Z}}_{S_1}U_{S_1}\), and \(U_{S_2}^\dagger {\mathsf {Z}}_{S_2}U_{S_2}\). With significance level \(\alpha \), we have

$$\begin{aligned}&\Vert P_{X_j,E}-P_{X_j}P_{E}\Vert _1\nonumber \\&\quad \le \Vert {\tilde{P}}_{X_j,E}-{\tilde{P}}_{X_j}P_{E}\Vert _1 +\Vert {\tilde{P}}_{X_j,E}-P_{X_j,E}\Vert _1 +\Vert {\tilde{P}}_{X_j}-P_{X_j}\Vert _1 \nonumber \\&\quad \le \Vert \sigma -U^\dagger \vert GHZ\rangle _p~_p\langle GHZ\vert U\Vert _1 +2\Vert {\mathsf {Z}}_j-U_j {\mathsf {Z}}_j''U_j^\dagger \Vert \nonumber \\&\quad \le \sqrt{\frac{2c_2'}{n}+3 c_2 n^{-1/4}} +2c_2 n^{-1/4}. \end{aligned}$$

(D12)

Therefore, with significance level \(\alpha \), we have (D12). Hence, we obtain the desired statement. \(\square \)

Proof of Theorem 12 of the mainbody

Now, we show Theorem 11 of the mainbody by using Lemma 16, Propositions 15, and 18 , which are shown in Appendices. We apply Proposition 18 to the case with \({\mathsf {X}}_i\), \({\mathsf {X}}_j\), \({\mathsf {Z}}_i\), and \({\mathsf {Z}}_j\) for \(i \ne j\). With significance level \(\alpha \), we can guarantee that there exist a constant \(c_2\) and isometries \(U_i:\mathcal{H}_i''\rightarrow \mathcal{H}_i\) and \(U_j:\mathcal{H}_j''\rightarrow \mathcal{H}_i\) such that

$$\begin{aligned}&\Vert U_i {\mathsf {X}}''_i U_i^\dagger - {\mathsf {X}}_i \Vert \le c_2 n^{-1/4}, ~ \Vert U_j {\mathsf {X}}''_j U_j^\dagger - {\mathsf {X}}_j \Vert \le c_2 n^{-1/4} ,\nonumber \\&\Vert U_i {\mathsf {Z}}''_i U_i^\dagger - {\mathsf {Z}}_i \Vert \le c_2 n^{-1/4}, \Vert U_j {\mathsf {Z}}''_j U_j^\dagger - {\mathsf {Z}}_j \Vert \le c_2 n^{-1/4}. \end{aligned}$$

(D13)

With significant level \(\alpha \), we have (D13) with any \(i\ne j\). Then, using the projections \({\tilde{P}}_1\) and \({\tilde{P}}_2\) defined in (4) and (5), we have \(\vert GHZ\rangle _p~_p\langle GHZ\vert ={\tilde{P}}_1 {\tilde{P}}_2\). Hence, for \(U=U_{j}U_{S_1}U_{S_2}\), using (D5), we have

$$\begin{aligned}&\Vert U^\dagger {\tilde{P}}_1U -{\tilde{P}}_1'' \Vert =\Vert {\tilde{P}}_1-U {\tilde{P}}_1''U^\dagger \Vert \nonumber \\&\quad \le \frac{1}{2} \sum _{i=1}^m \Vert {\mathsf {Z}}_i-U_i {\mathsf {Z}}_i''U_i^\dagger \Vert , \end{aligned}$$

(D14)

$$\begin{aligned}&\Vert U^\dagger {\tilde{P}}_2 U -P{\tilde{P}}_2'' \Vert =\Vert {\tilde{P}}_2-U {\tilde{P}}_2''U^\dagger \Vert \nonumber \\&\quad \le \frac{1}{2} \sum _{i:i\ne j}(\Vert {\mathsf {Z}}_j-U_j {\mathsf {Z}}_j''U_j^\dagger \Vert +\Vert {\mathsf {Z}}_{i}-U_{i} {\mathsf {Z}}_{i}''U_{i}^\dagger \Vert ) \nonumber \\&\quad = \frac{m-1}{2}\left( \Vert {\mathsf {Z}}_j-U_j {\mathsf {Z}}_j''U_j^\dagger \Vert +\frac{1}{2} \sum _{i:i\ne j} \Vert {\mathsf {Z}}_{i}-U_{i} {\mathsf {Z}}_{i}''U_{i}^\dagger \Vert \right) . \end{aligned}$$

(D15)

Applying Proposition 15 to \({\tilde{P}}''_1\) and \({\tilde{P}}''_2\), with significance level \(\alpha \) and a constant \(c_2'\), we have

$$\begin{aligned} \mathrm {Tr}\sigma (I-{\tilde{P}}''_i) \le \frac{c_2'}{n} \end{aligned}$$

(D16)

for \(i=1,2\).

Due to Lemma 16, combining (D13), (D14), (D15), and (D16), with significance level \(\alpha \), we have

$$\begin{aligned}&\mathrm {Tr}\sigma U^\dagger (I-\vert GHZ\rangle _p~_p\langle GHZ\vert )U \nonumber \\&\quad \le \mathrm {Tr}\sigma U^\dagger ((I-{\tilde{P}}_1)+(I-{\tilde{P}}_2))U \nonumber \\&\quad \le \mathrm {Tr}\sigma ( U^\dagger (I-P_1)U+ U^\dagger (I-P_2)U ) \nonumber \\&\quad \le \mathrm {Tr}\sigma ( (I-{\tilde{P}}_1'')+ (I-{\tilde{P}}_2'') ) +\Vert U^\dagger {\tilde{P}}_1U -{\tilde{P}}_1'' \Vert +\Vert U^\dagger {\tilde{P}}_2U -{\tilde{P}}_2'' \Vert \nonumber \\&\quad \le \frac{2 c_2'}{n} +\frac{m+2(m-1)}{2} c_2 n^{-1/4}. \end{aligned}$$

(D17)

Hence,

$$\begin{aligned} \Vert \sigma -U^\dagger \vert GHZ\rangle _p~_p\langle GHZ\vert U\Vert _1 \le \sqrt{\frac{2 c_2'}{n} +\frac{3m-2}{2} c_2 n^{-1/4} }. \end{aligned}$$

(D18)

When we apply the measurement based on a POVM \(M=\{M_i\}\) to the system whose state is \(\rho \), we denote the output distribution by \(\mathcal{P}_\rho ^M\). For any POVM \(M=\{M_i\}\), we have

$$\begin{aligned}&\Vert \mathcal{P}_{\sigma }^{M}-\mathcal{P}_{\vert GHZ\rangle _p~_p\langle GHZ\vert }^{M} \Vert _1 \nonumber \\&\quad \le \sum _{i} \mathrm {Tr}M_i \vert \sigma - \vert GHZ\rangle _p~_p\langle GHZ\vert \vert \nonumber \\&\quad = \Vert \sigma - \vert GHZ\rangle _p~_p\langle GHZ\vert \Vert _1 \nonumber \\&\quad \le \sqrt{\frac{2 c_2'}{n} +\frac{3m-2}{2} c_2 n^{-1/4}} . \end{aligned}$$

(D19)

We denote the POVM corresponding to the ideal observables \({\mathsf {Z}}_1, \ldots , {\mathsf {Z}}_m\) (the real observables \({\mathsf {Z}}_1'', \ldots , {\mathsf {Z}}_m''\)) by \(M_{ideal}\) (\(M_{real}\)). When we apply the measurement based on the POVM \(M_{ideal}\) (\(M_{real}\)) to the system whose state is \(\sigma \), we denote the output distribution by \(P_{X_1,\ldots ,X_m}^{M_{ideal}}\) (\(P_{X_1,\ldots ,X_m}^{M_{real}}\)). Since

$$\begin{aligned} P_{X_1,\ldots , X_m}^{M_{real}} =P_{X_1}^{M_{real}} P_{X_2\vert X_1}^{M_{real}} \cdots P_{X_m\vert X_1,\ldots , X_{m-1}}^{M_{real}} -P_{X_1,\ldots , X_m}^{M_{ideal}} , \end{aligned}$$

(D20)

we have

$$\begin{aligned}&\Big \Vert \mathcal{P}_{\sigma }^{M_{real}}-\mathcal{P}_{\sigma }^{M_{ideal}} \Big \Vert _1 = \Big \Vert P_{X_1,\ldots , X_m}^{M_{real}}-P_{X_1,\ldots , X_m}^{M_{ideal}} \Big \Vert _1 \nonumber \\&\quad = \sum _{i=1}^m\Big \Vert P_{X_1}^{M_{real}} P_{X_2\vert X_1}^{M_{real}} \cdots P_{X_i\vert X_1,\ldots , X_{i-1}}^{M_{real}} \cdots P_{X_m\vert X_1,\ldots , X_{m-1}}^{M_{ideal}} \nonumber \\&-P_{X_1}^{M_{real}} P_{X_2\vert X_1}^{M_{real}} \cdots P_{X_i\vert X_1,\ldots , X_{i-1}}^{M_{ideal}} \cdots P_{X_m\vert X_1,\ldots , X_{m-1}}^{M_{ideal}}\Big \Vert _1 \nonumber \\&\quad = \sum _{i=1}^m\Big \Vert P_{X_1}^{M_{real}} P_{X_2\vert X_1}^{M_{real}} \cdots P_{X_i\vert X_1,\ldots , X_{i-1}}^{M_{real}}\nonumber \\&\quad - P_{X_1}^{M_{real}} P_{X_2\vert X_1}^{M_{real}} \cdots P_{X_i\vert X_1,\ldots , X_{i-1}}^{M_{ideal}} \Big \Vert _1 \nonumber \\&\quad = \sum _{i=1}^m \max _{x_1,\ldots ,x_{i-1}} \Big \Vert P_{X_i\vert X_1=x_1,\ldots , X_{i-1}=x_{i-1}}^{M_{real}} -P_{X_i\vert X_1=x_{1},\ldots , X_{i-1}=x_{i-1}}^{M_{ideal}} \Big \Vert _1 \nonumber \\&\quad = \sum _{i=1}^m \max _{x_1,\ldots ,x_{i-1}} \Vert U_j {\mathsf {Z}}''_j U_j^\dagger - {\mathsf {Z}}_j \Vert \le m c_2 n^{-1/4}. \end{aligned}$$

(D21)

Since (D13) and (D16) hold with significance level \(\alpha \), combining (D19) and (D21), we have

$$\begin{aligned}&\Vert P_{X_1,\ldots X_m}- P_{X_1,\ldots X_m\vert ideal} \Vert _1\nonumber \\&\quad \le \Vert \mathcal{P}_{\sigma }^{M_{real}} -\mathcal{P}_{\vert GHZ\rangle _p~_p\langle GHZ\vert }^{M_{ideal}} \Vert _1 \nonumber \\&\quad \le \Vert \mathcal{P}_{\sigma }^{M_{real}}-\mathcal{P}_{\sigma }^{M_{ideal}} \Vert _1 + \Vert \mathcal{P}_{\sigma }^{M_{ideal}} -\mathcal{P}_{\vert GHZ\rangle _p~_p\langle GHZ\vert }^{M_{ideal}} \Vert _1 \nonumber \\&\quad \le \sqrt{\frac{2 c_2'}{n} +\frac{3m-2}{2} c_2 n^{-1/4}} +m c_2 n^{-1/4}. \end{aligned}$$

(D22)

Thus, we obtain the desired statement. \(\square \)

Appendix E Extension of quantum protocol for secure modulo zero-sum randomness to case with \({\mathbb {F}}_q\)

Now, we extend our quantum protocol for secure modulo zero-sum randomness to the case with \({\mathbb {F}}_q\). The following discussion assumes trusted measurement devices. Our protocol with untrusted measurement devices cannot be extended to the case with \({\mathbb {F}}_q\).

When we employ a general finite field \({\mathbb {F}}_q\), the phase basis \(\{ \vert z\rangle _p \}_{z\in {\mathbb {F}}_q}\) is defined as [67, Section 8.1.2]

$$\begin{aligned} \vert z\rangle _p := \frac{1}{\sqrt{q}} \sum _{x\in {\mathbb {F}}_q} \omega ^{-\mathrm {tr}xz} \vert x\rangle , \end{aligned}$$

where \( \vert x\rangle \) expresses the computational basis, \(\omega := \exp {\frac{2\pi i}{p}}\) and \(\mathrm {tr}y\) for \(y\in {\mathbb {F}}_q\) is \(\mathrm {Tr}M_y\) where \(M_y\) denotes the multiplication map \(x \mapsto yx\) with the identification of the finite field \({\mathbb {F}}_q\) with the vector space \({\mathbb {F}}_p^t\).

Then, the phase GHZ state \( \vert GHZ\rangle _p:= \frac{1}{\sqrt{q}}\sum _{z \in {\mathbb {F}}_q} \vert z,\ldots , z \rangle _{p}\) is calculated as

$$\begin{aligned} \vert GHZ\rangle _p= \frac{1}{\sqrt{q^{m-1}}} \sum _{x_1,\ldots ,x_m\in {\mathbb {F}}_q: x_1+\cdots +x_m=0} \vert x_1,\ldots ,x_m \rangle . \end{aligned}$$

(D23)

When all the players apply measurement on the computational basis and the initial state is \(\vert GHZ\rangle _p\), the sum of m outcomes is zero and \(m-1\) outcomes are subject to the uniform distribution. Hence, these outcomes satisfy the conditions of secure modulo zero-sum randomness. That is, when the initial state is guaranteed to be \(\vert GHZ\rangle _p\), it is guaranteed that the outcomes are secure modulo zero-sum randomness.

When we trust measurement devices, we can employ the following protocol to verify the state \(\vert GHZ\rangle _p\).

Theorem 19

Assume that \(\alpha > \frac{1}{2n+1}\) in Protocol 12. If the test is passed, with significance level \(\alpha \), we can guarantee that the resultant state \(\sigma \) on each remaining system satisfies

$$\begin{aligned} \mathrm {Tr}\sigma \vert GHZ\rangle _p~_p \langle GHZ \vert \ge 1 -\frac{1}{\alpha (2n+1)}. \end{aligned}$$

(D24)

In other words, if the probability to pass the test is greater than \(\alpha \), the resultant state passing the test satisfies condition (D24).

In the above case, the significance level is the maximum passing probability when malicious Bob sends incorrect states so that the resultant state \(\alpha \) does not satisfy Eq. (D24).

The proof of the theorem is given below. From the theorem and the relation between the fidelity and trace norm [68, (6.106)], we can conclude the verifiability: if they passed the test, they can guarantee that

$$\begin{aligned} \Vert \sigma - \vert GHZ\rangle _p~_p \langle GHZ \vert \Vert _1 \le \frac{1}{\sqrt{\alpha (2n+1)}} \end{aligned}$$

(D25)

with significance level \(\alpha \). Therefore, when \(P_{ideal}\) is the ideal distribution of secure modulo zero-sum randomness and \(P_{real}\) is the real distribution obtained via the measurement with respect to the computation basis, we have

$$\begin{aligned} \Vert P_{real}-P_{ideal} \Vert _1 \le \frac{1}{\sqrt{\alpha (2n+1)}}. \end{aligned}$$

(D26)

Proof of Theorem 19

We choose a new coordinate \({\bar{x}}_1, \ldots , {\bar{x}}_m\) as \({\bar{x}}_1=x_1+\cdots +x_m\) and \({\bar{x}}_i=x_i\) for \(i=2, \ldots , m\). We denote the unitary corresponding to this coordinate conversion by U. When a matrix D is applied in the computation basis, the conversion on phase basis is given by \((D^{-1})^T\). Since

$$\begin{aligned} \left( \left( \begin{array}{ccccc} 1 &{} &{} &{} 0 \\ 1 &{} 1 &{} &{} \\ \vdots &{} \ddots &{} &{} \\ 1 &{} 0 &{} &{} 1 \end{array} \right) ^{-1} \right) ^{T} = \left( \begin{array}{ccccc} 1 &{} -1 &{}\cdots &{} -1 \\ &{} 1 &{} &{} 0 \\ &{} &{}\ddots &{} \\ 0&{} &{} &{} 1 \end{array} \right) , \end{aligned}$$

(D27)

we have

$$\begin{aligned} U\vert GHZ\rangle _p= \vert 0 \rangle \vert 0 , \ldots , 0\rangle _p. \end{aligned}$$

(D28)

We denote the projection to \(U^\dagger I\otimes \vert 0,\ldots ,0 \rangle _p~_p\langle 0,\ldots ,0\vert U\) and \(U^\dagger \vert 0 \rangle \langle 0\vert \otimes I^{\otimes m-1} U\) by \({\tilde{P}}_1\) and \({\tilde{P}}_2\), respectively. Then, we find that

$$\begin{aligned} {\tilde{P}}_1{\tilde{P}}_2= \vert GHZ\rangle _p~_p \langle GHZ \vert . \end{aligned}$$

(D29)

Also, we find that \({\tilde{P}}_1\) and \({\tilde{P}}_2\) are the projections to the subspaces accepting the phase basis check and the computational basis check, respectively.

We randomly choose one remaining system. Let A be the random permutation of \({\tilde{P}}_1^{\otimes n}\otimes {\tilde{P}}_2^{\otimes n} \otimes (I-\vert GHZ\rangle _p~_p \langle GHZ \vert )\), which expresses the event that they accept the test and the state on the remaining system is orthogonal to the state \(\vert GHZ\rangle _p~_p \langle GHZ \vert \). We define the projection \({\bar{P}}_i:={\tilde{P}}_i-{\bar{P}}_0\), where \({\bar{P}}_0:=\vert GHZ\rangle _p~_p \langle GHZ \vert \) for \(i=1,2\). Also, we define the projection \({\bar{P}}_3:= I- \vert GHZ\rangle _p~_p \langle GHZ \vert -{\bar{P}}_1-{\bar{P}}_2\). Then, we have 4 orthogonal projections \({\bar{P}}_0,{\bar{P}}_1,{\bar{P}}_2,{\bar{P}}_3\).

Then, we have

$$\begin{aligned} A= \sum _{v \in \{0,1,2,3\}^{2n_1+1}} \frac{\vert C_1(v)\vert }{\vert C_2(v)\vert } {\bar{P}}_{v}, \end{aligned}$$

(D30)

where \({\bar{P}}_{v}\), \(C_1(v)\), and \(C_2(v)\) are defined by using the number \(N_i(v)\) of i in v as

$$\begin{aligned} {\bar{P}}_{v}&:= {\bar{P}}_{v_1}\otimes \cdots \otimes {\bar{P}}_{v_{2n_1+1}} \end{aligned}$$

(D31)

$$\begin{aligned} C_2(v)&:= {2n_1+1 \atopwithdelims ()N_0(v)N_1(v)N_2(v)N_3(v)} \end{aligned}$$

(D32)

and

$$\begin{aligned} C_1(v) := \Bigg \{v' \Bigg \vert \begin{array}{ll} {\bar{P}}_{v'} \\ \le {\tilde{P}}_1^{\otimes n}\otimes {\tilde{P}}_2^{\otimes n} \otimes (I-\vert GHZ\rangle _p~_p \langle GHZ \vert ),\\ v' \hbox { is given as a permutation of }v \end{array} \Bigg \}. \end{aligned}$$

(D33)

Then, we find that the maximum eigenvalue of A is \(\frac{1}{2n+1}\).² Since we have \(\Vert A\Vert \le \frac{1}{2n+1}\), any initial state \(\rho \) satisfies \(\mathrm {Tr}\rho A \le \frac{1}{2n+1}\).

Now, we assume that the probability accepting the test is less than \(\alpha \). Then, under the condition that they accept the test, the probability of the event orthogonal to the state \(\vert GHZ\rangle _p~_p \langle GHZ \vert \) is upper bounded by \(\frac{1}{\alpha }\cdot \frac{1}{2n+1}\). Hence, we obtain the desired statement. \(\square \)