Abstract
We propose a new cryptographic resource, secure modulo zero-sum randomness, as a resource for implementing the task of secure modulo summation, together with a quantum protocol for it. Secure modulo summation is the calculation of the modulo sum \(Y_1+\cdots + Y_m\) when m players hold individual variables \(Y_1,\ldots , Y_m\), while keeping the individual variables secret. Secure modulo zero-sum randomness is a set of m variables \(X_1, \ldots , X_m\) held by m players that satisfy the zero-sum condition \(X_1+\cdots + X_m=0\) together with a certain security condition. This paper explains the relation between these two concepts and proposes a quantum verifiable protocol for secure modulo summation. The advantage of the quantum protocol is its verifiability based on self-testing, which does not need to trust measurement devices and can be realized by using a statistical concept, the significance level, whereas any classical method needs to trust several components of the protocol. We then propose various cryptographic applications of secure modulo zero-sum randomness. We also compare our quantum verifiable protocol with the conventional method for secure modulo summation.
Data availability
Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.
Code availability
The authors declare that there are no custom codes in the manuscript. The mathematical algorithms are included within the paper.
Notes
A similar discussion is given in [69, Appendix].
References
Chor, B., Kushilevitz, E.: A communication-privacy tradeoff for modular addition. Inf. Process. Lett. 45(4), 205–210 (1993)
Chor, B., Shani, N.: The privacy of dense symmetric functions. Comput. Complex. 5(1), 43–59 (1995)
Naor, M., Shamir, A.: Visual cryptography, advances in cryptology. Eurocrypt Proc. LNCS 950, 1–2 (1995)
Kafri, O., Keren, E.: Encryption of pictures and shapes by random grids. Opt. Lett. 12(6), 377–379 (1987)
Broadbent, A., Fitzsimons, J.F., Kashefi, E.: Universal blind quantum computation. In: Proceedings of the 50th Annual IEEE Symposium on Foundation of Computer Science, p. 517 (2009)
Morimae, T., Fujii, K.: Blind quantum computation for Alice who does only measurements. Phys. Rev. A 87, 050301(R) (2013)
Hayashi, M., Morimae, T.: Verifiable measurement-only blind quantum computing with stabilizer testing. Phys. Rev. Lett. 115, 220502 (2015)
Barz, S., Kashefi, E., Broadbent, A., Fitzsimons, J.F., Zeilinger, A., Walther, P.: Demonstration of blind quantum computing. Science 335, 303 (2012)
Barz, S., Fitzsimons, J.F., Kashefi, E., Walther, P.: Experimental verification of quantum computation. Nat. Phys. 9, 727 (2013)
Marshall, K., Jacobsen, C.S., Schäfermeier, C., Gehring, T., Weedbrook, C., Andersen, U.L.: Continuous-variable quantum computing on encrypted data. Nat. Commun. 7, 13795 (2016)
Huang, H.-L., Zhao, Q., Ma, X., Liu, C., Su, Z.-E., Wang, X.-L., Li, L., Liu, N.-L., Sanders, B.C., Lu, C.-Y., Pan, J.-W.: Experimental blind quantum computing for a classical client. Phys. Rev. Lett. 119(5), 050503 (2017)
Buhrman, H., Christandl, M., Schaffner, C.: Complete insecurity of quantum protocols for classical two-party computation. Phys. Rev. Lett. 109, 160501 (2012)
Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing, In: Proceedings IEEE International Conference on Computers, Systems and Signal Processing (Bangalore, India, 1984), pp. 175–179
Mayers, D., Yao, A.: in Foundations of Computer Science, 1998. Proceedings. 39th Annual Symposium on (IEEE, 1998) pp. 503–509
Mayers, D., Yao, A.: Quantum Inf. Comput. 4, 273 (2004)
Acín, A., Brunner, N., Gisin, N., Massar, S., Pironio, S., Scarani, V.: Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98, 230501 (2007)
Pironio, S., Acín, A., Brunner, N., Gisin, N., Massar, S., Scarani, V.: Device-independent quantum key distribution secure against collective attacks. New J. Phys. 11, 045021 (2009)
Shi, R.H., Mu, Y., Zhong, H., Cui, J., Zhang, S.: Secure multiparty quantum computation for summation and multiplication. Sci. Rep. 6, 19655 (2016)
Zhang, C., Situ, H., Huang, Q., Yang, P.: Multi-party quantum summation without a trusted third party based on single particles. Int. J. Quantum Inf. 15(2), 1750010 (2017)
Yang, H.Y., Ye, T.Y.: Secure multi-party quantum summation based on quantum Fourier transform. Quantum Inf. Process. 17(6), 129 (2018)
Zhang, C., Razavi, M., Sun, Z., Huang, Q., Situ, H.: Multi-party quantum summation based on quantum teleportation. Entropy 21, 719 (2019)
McKague, M.: In: Theory of Quantum Computation, Communication, and Cryptography: 6th Conference, TQC 2011, pp. 104–120. Springer, Berlin Heidelberg (2011)
McKague, M., Mosca, M.: In: Theory of Quantum Computation, Communication, and Cryptography: 5th Conference, TQC 2010 (Springer, 2010) pp. 113–130
McKague, M., Yang, T.H., Scarani, V.: J. Phys. A Math. Theor. 45, 455304 (2012)
Li, X., Wang, Y., Han, Y., Gao, F., Wen, Q.: Self-testing of symmetric three-qubit states, arXiv:1907.06397 (2019)
Hayashi, M., Hajdusek, M.: Self-guaranteed measurement-based blind quantum computation. Phys. Rev. A 97, 052308 (2018)
Šupić, I., Bowles, J.: Self-testing of quantum systems: a review. Quantum 4, 337 (2020)
Bancal, J.-D., Redeker, K., Sekatski, P., Rosenfeld, W., Sangouard, N.: Self-testing with finite statistics enabling the certification of a quantum network link, arXiv:1812.09117 (2018)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a complete theorem for protocols with honest majority. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computation (STOC’87), pp. 218–229 (1987)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Complete theorem for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the 20th Annual Symposium on Theory of Computation (STOC’88), pp. 1–10 (1988)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the 21st Annual ACM Symposium on Theory of computing (STOC 1989), pp. 73–85 (1989)
Ishai, Y., Ostrovsky, R., Seyalioglu, H.: Identifying cheaters without an honest majority. In: Proceedings of the 9th Theory of Cryptography Conference (TCC 2012), Lecture Notes in Computer Science 7194, pp. 21–38, Springer (2012)
Xu, R., Morozov, K., Takagi, T.: On cheater identifiable secret sharing schemes secure against rushing adversary. In: Proceedings of the 8th International Workshop on Security (IWSEC 2013), Lecture Notes in Computer Science 8231, pp. 258–271, Springer (2013)
Roy, P.S., Adhikari, A., Xu, R., Morozov, K., Sakurai, K.: An efficient \(t\)-cheater identifiable secret sharing scheme with optimal cheater resiliency, Cryptology Eprint Archive 2014/628 (2014)
Xu, R., Morozov, K., Takagi, T.: Cheater identifiable secret sharing schemes via multi-receiver authentication. In: Proceedings of the 9th International Workshop on Security (IWSEC 2014), Lecture Notes in Computer Science 8639, pp. 72–87, Springer (2014)
Adhikari, A., Morozov, K., Obana, S., Roy, P.S., Sakurai, K., Xu, R.: Efficient threshold secret sharing schemes secure against rushing cheaters. In: Proceedings of the 9th International Conference on Information Theoretic Security (ICITS 2016), Lecture Notes in Computer Science 10015, pp. 3–23, Springer (2016)
Hayashi, M., Koshiba, T.: Universal construction of cheater-identifiable secret sharing against rushing cheaters without honest majority, to appear in Proc. 2018 IEEE Symposium on Information Theory (ISIT 2018). Also available in arXiv:1701.04470 (2017)
Dolev, D., Dwork, C., Waarts, O., Yung, M.: Perfectly secure message transmission. J. ACM 40(1), 17–47 (1993)
Agarwal, S., Cramer, R., de Haan, R.: Asymptotically optimal two-round perfectly secure message transmission, Advances in Cryptology—CRYPTO 2006, Lecture Notes in Computer Science 4117, pp. 394–408, Springer (2006)
Kurosawa, K., Suzuki, K.: Truly efficient 2-round perfectly secure message transmission scheme. IEEE Trans. Inf. Theory 55(11), 5223–5232 (2009)
Spini, G., Zémor, G.: Perfectly secure message transmission in two rounds. In: Proceedings of the 14th Theory of Cryptography Conference (TCC2016-B), Lecture Notes in Computer Science 9985, pp. 286–304, Springer (2016)
Jaggi, S., Langberg, M., Katti, S., Ho, T., Katabi, D., Médard, M.: Resilient network coding in the presence of byzantine adversaries. In: Proceedings of the IEEE INFOCOM 2007, Anchorage, AK, pp. 616–624 (2007)
Jaggi, S., Langberg, M., Katti, S., Ho, T., Katabi, D., Medard, M., Effros, M.: Resilient network coding in the presence of byzantine adversaries. IEEE Trans. Inf. Theory 54(6), 2596–2603 (2008)
Jaggi, S., Langberg, M.: Resilient network coding in the presence of eavesdropping byzantine adversaries. In: Proceedings of 2007 IEEE International Symposium on Information Theory (ISIT 2007), Nice, France, pp. 541–545 (2007)
Yao, H., Silva, D., Jaggi, S., Langberg, M.: Network codes resilient to jamming and eavesdropping. IEEE/ACM Trans. Netw. 22(6), 1978–1987 (2014)
Hayashi, M., Cai, N.: Asymptotically secure network code for active attacks and its application to network quantum key distribution arXiv:2003.12225 (2020)
Franklin, M., Wright, R.N.: Secure communication in minimal connectivity models. J. Cryptol. 13(1), 9–30 (2000)
Shi, H., Jiang, S., Safavi-Naini, R., Tuhin, M.A.: On optimal secure message transmission by public discussion. IEEE Trans. Inf. Theory 57(1), 572–585 (2011)
Koshiba, T., Sawada, S.: Public discussion must be back and forth in secure message transmission. In: Proceedings of the 13th International Conference on Information Security and Cryptology (ICISC 2010), Lecture Notes in Computer Science 6829, pp. 325–337, Springer (2011)
Garay, J.A., Ostrovsky, R.: Almost-everywhere secure computation. Advances in Cryptology—EUROCRYPT 2008, Lecture Notes in Computer Science 4965, pp. 307–323, Springer (2008)
Gordon, S.D., Hazay, C., Katz, J., Lindell, Y.: Complete fairness in secure two-party computation. In: 40th STOC, pp. 413–422 (2008)
Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: CRYPTO’90 (LNCS 537), pp. 77–93, Springer (1990)
Gordon, S.D., Katz, J.: Partial fairness in secure two-party computation. In: EUROCRYPT’10, Springer (LNCS 6110) (2010)
Krawczyk, H.: New hash functions for message authentication, EUROCRYPT’95, Lecture Notes in Computer Science 921, pp. 301–310, Springer (1995)
Maurer, U.M.: A unified and generalized treatment of authentication theory. In: Proceedings of the 13th Annual Symposium on Theoretical Aspects of Computer Science (STACS’96), Lecture Notes in Computer Science 1046, pp. 387–398. Springer (1996)
Gray, R.M.: Toeplitz and circulant matrices: a review. Found. Trends Commun. Inf. Theory 2(3), 155–239 (2006)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, pp. 136–145 (2001)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols, Version of December 2018. Available at https://eprint.iacr.org/2000/067.pdf
Goldreich, O.: Foundations of Cryptography, Basic Applications, vol. 2. Cambridge University Press, Cambridge (2009)
Fujii, K., Hayashi, M.: Verifiable fault tolerance in measurement-based quantum computation. Phys. Rev. A Rapid Commun. 96, 030301(R) (2017)
Lehmann, E.L., Romano, J.P.: Testing Statistical Hypotheses. Springer, Berlin (2005)
Hayashi, M.: Secure modulo sum via multiple access channel. In: Proceedings of 2021 IEEE International Symposium on Information Theory (ISIT), Melbourne, Victoria, Australia, 12–20 July 2021, pp. 1397–1402; arXiv:1812.10862
Coladangelo, A., Goh, K.T., Scarani, V.: All pure bipartite entangled states can be self-tested. Nat. Commun. 8, 15485 (2017)
Kaniewski, J., Šupić, I., Tura, J., Baccari, F., Salavrakos, A., Augusiak, R.: Maximal nonlocality from maximal entanglement and mutually unbiased bases, and self-testing of two-qutrit quantum systems. Quantum 3, 198 (2019)
Sarkar, S., Saha, D., Kaniewski, J., Augusiak, R.: Self-testing quantum systems of arbitrary local dimension with minimal number of measurements, arXiv: 1909.12722
Hayashi, M.: Group Representation for Quantum Theory. Springer, Berlin (2017)
Hayashi, M., Ishizaka, S., Kawachi, A., Kimura, G., Ogawa, T.: Introduction to Quantum Information Science, Graduate Texts in Physics, Springer (2014). (Originally published from Kyoritsu Shuppan in 2012 with Japanese.)
Markham, D., Krause, A.: A simple protocol for certifying graph states and applications in quantum networks. Cryptography 4, 3 (2020)
Acknowledgements
MH is supported in part by the National Natural Science Foundation of China (Grant No. 62171212) and Guangdong Provincial Key Laboratory (Grant No. 2019B121203002), a JSPS Grant-in-Aids for Scientific Research (A) No. 17H01280 and for Scientific Research (B) No. 16KT0017, and Kayamori Foundation of Information Science Advancement No. K27-XX-467. TK is supported in part by a JSPS Grant-in-Aids for Scientific Research (A) No. 21H04879, and for Challenging Exploratory Research No. 19K22849 and MEXT Quantum Leap Flagship Program (MEXT Q-LEAP) Grant Nos. JPMXS0118067285 and JPMXS0120319794.
Author information
Contributions
All the authors contributed equally.
Appendices
Appendix A Summary of Appendix
The first aim of this appendix is to provide the security proof for our quantum verifiable protocol to generate secure modulo zero-sum randomness. The second aim is to provide a quantum verifiable protocol to generate secure modulo zero-sum randomness with general dimension when the measurement device is trusted.
The appendix is organized as follows. First, as preparation for the first aim, Appendix B evaluates the performance of classical random sampling. Then, Appendix C reviews the existing result on self-testing of the Bell state. By using these discussions, Appendix D shows the security of our quantum verifiable protocol to generate secure modulo zero-sum randomness, which is presented in Sect. 7. That is, we show Theorems 11 and 12 of the main body. Then, Appendix E presents a quantum verifiable protocol to generate secure modulo zero-sum randomness with general dimension when the measurement device is trusted.
Appendix B Classical random sampling
Proof
We consider \(n+1\) binary random variables \(X_1, \ldots , X_{n+1}\) taking values in \(\{0,1\}\). We randomly choose n variables among \(X_1, \ldots , X_{n+1}\) and observe them. We denote the remaining variable by Y. Let Z be the number of 1s among the observed variables. \(\square \)
Lemma 3 of [26, Appendix C] is rewritten as follows.
Proposition 14
With significance level \(\alpha \), we have
For any constants \(c_1\), \(p_*\) and \(\alpha \), there exists a constant \(c_2\) such that with significance level \(\alpha \), we have
In other words, the probability \(Pr\Big ( p_* - \frac{c_1}{\sqrt{n}} \le \frac{Z}{n}\le p_* + \frac{c_1}{\sqrt{n}}\Big ) \) is greater than \(\alpha \); condition (B1) holds.
When \(p_*\) is zero, we prepare a different type of evaluation as follows.
Proposition 15
With significance level \(\alpha \ge \frac{k+1}{n+1}\), we have
That is, for any constants \(c_1\) and \(\alpha \), there exists a constant \(c_2\) such that with significance level \(\alpha \), we have
In other words, the probability \(Pr\Big ( \frac{Z}{n}\le \frac{c_1}{n}\Big ) \) is greater than \(\alpha \), condition (B3) holds.
Proof
We denote the number of 1 among \(X_1, \ldots , X_{n+1}\) by the variable X. We assume that \(P(X=x)=P_x\). Then, we have
That is,
Thus, we have
Hence,
and
Since \(\frac{1}{n+1}\le \cdots \le \frac{k}{n+1} \le \frac{k+1}{n+1}\) and \(1 \ge \frac{k+1}{n+1}\), we have
The condition \((1-p) +p \frac{k+1}{n+1} \ge \alpha \) is equivalent to the condition \( 1 -\alpha \ge p( 1- \frac{k+1}{n+1}) = p \frac{n -k}{n+1 }\), which is rewritten as \( (1 -\alpha )\frac{n+1 }{n -k} \ge p\). Under this condition, we have
Combining (B10) and (B11), we obtain the desired statement. \(\square \)
In this paper, we need to combine several statements with a certain significance level. The following lemma is useful for this aim.
Lemma 16
We assume the following. When the test \(A_i\) is passed, the property \(B_i\) holds with significance level \(\alpha \) for \(i=1,2\). Then, the properties \(B_1\) and \(B_2\) hold with significance level \(\alpha \) when the tests \(A_1\) and \(A_2\) are passed. In other words, if the probability to pass the tests \(A_1\) and \(A_2\) is greater than \(\alpha \), the resultant state passing the tests \(A_1\) and \(A_2\) satisfies the properties \(B_1\) and \(B_2\).
Proof
Lemma 16 is shown as follows. Let \(\{P_\theta \}_{\theta \in \Theta }\) be the set of possible distributions. In the quantum setting, when we fix the measurements, we have the distribution \(P_\theta \) over the measurement outcomes, which depends on the measurements and the input states. Let \(\mathcal{A}_i\) be the set of events that satisfy \(A_i\) for \(i=1,2\). When the property \(B_i\) holds under the parameter \(\theta \), we write \(B_i(\theta )=1\). Otherwise, we write \(B_i(\theta )=0\).
The assumption implies that
Hence,
which implies the desired statement. \(\square \)
Appendix C Self-testing of Bell state
To discuss the verification of the GHZ state, we review the existing result for self-testing of the Bell state by [26]. To fit our use, we consider the case when the Bell state is given as \(\frac{1}{\sqrt{2}}(\vert 00\rangle _p+\vert 11\rangle _p)\).
We choose sufficiently large Hilbert spaces \(\mathcal{H}_1''\) and \(\mathcal{H}_2''\) so that the state on the composite system is the pure state \(\vert \psi ''\rangle \). Let \({\mathsf {X}}''_i\), \({\mathsf {Z}}''_i\), \({\mathsf {A}}(0)''_i\), \({\mathsf {A}}(1)''_i\) be operators on \(\mathcal{H}_i\) for \(i=1,2\).
Proposition 17
When
there exist a constant \(c_3\) and isometries \(U_1:\mathcal{H}_1''\rightarrow \mathcal{H}_1\) and \(U_2:\mathcal{H}_2''\rightarrow \mathcal{H}_2\) such that the isometry \(U=U_1U_2\) satisfies
Equation (C3) follows from Proposition 1 of [26]. While Eq. (C4) does not appear in Proposition 1 of [26], it can be shown by using (E40) and (E41) of Lemma 9.
Now, we apply Proposition 17 to the case when we prepare \(6m+1\) copies of the initial state and split them randomly into 6 groups and one final copy. The procedure is described as follows and is denoted by Protocol 11:
We apply Conditions (C5) and (C6) to Propositions 14 and 15. Since \(\frac{c_2}{n}\le \frac{c_2}{\sqrt{n}}\), combining Proposition 17, we obtain the following proposition.
Proposition 18
For significance level \(\alpha \) and a constant \(c_1\), there exists a constant \(c_4\) to satisfy the following condition. When the test given in Protocol 11 is passed, we can guarantee, with significance level \(\alpha \), that there exist isometries \(U_1:\mathcal{H}_1''\rightarrow \mathcal{H}_1\) and \(U_2:\mathcal{H}_2''\rightarrow \mathcal{H}_2\) such that the isometry \(U=U_1U_2\) satisfies
In other words, if the probability to pass Protocol 11 is greater than \(\alpha \), there exist isometries \(U_1:\mathcal{H}_1''\rightarrow \mathcal{H}_1\) and \(U_2:\mathcal{H}_2''\rightarrow \mathcal{H}_2\) such that the resultant state passing Protocol 11 satisfies conditions (C7) and (C8).
Appendix D Security proof for quantum verifiable protocol to generate secure modulo zero-sum randomness
Proof of Theorem 11 of the mainbody
Now, we show Theorem 11 of the main body by using Lemma 16 and Propositions 15 and 18, which are shown in the Appendices. Before that, we need to be careful in handling several statements with a certain significance level. As shown in Lemma 16, when several statements hold with significance level \(\alpha \), we obtain all of them simultaneously with significance level \(\alpha \).
First, we find the following. Condition (11) of the mainbody implies that relation (14) of the mainbody holds with significance level \(\alpha \).
Assume that \(S_1\) is composed of \(j_1, \ldots , j_l\). We focus on the quantum system of Player j and the quantum system of group \(S_1\). The latter system is spanned by the basis
It is also spanned by \( \vert z\rangle _{S_1;p} := \vert z\rangle _{j_1;p} \cdots \vert z\rangle _{j_l;p} =\frac{1}{\sqrt{2}}(\vert 0\rangle _{S_1}+(-1)^z\vert 1\rangle _{S_1})\). We define \({\mathsf {Z}}_{S_1}:= \vert 0\rangle _{S_1}~_{S_1}\langle 0\vert -\vert 1\rangle _{S_1}~_{S_1}\langle 1\vert \) and \({\mathsf {X}}_{S_1}:= \vert 0\rangle _{S_1}~_{S_1}\langle 1\vert +\vert 1\rangle _{S_1}~_{S_1}\langle 0\vert \). Similarly, we define \({\mathsf {Z}}_{S_2}\) and \({\mathsf {X}}_{S_2}\). While the measurement \({\mathsf {Z}}_{S_1}\) can be done by the measurement \({\mathsf {Z}}_{j_1}, \ldots , {\mathsf {Z}}_{j_l}\), the measurement \({\mathsf {X}}_{S_1}\) can be done only by the measurement \({\mathsf {X}}_{k}\) for any \(k \in S_1\). The same observation holds for \({\mathsf {Z}}_{S_2}\) and \(\mathsf {X}_{S_2}\). Therefore, our GHZ state \(\vert GHZ\rangle _p\) can be considered as \(\frac{1}{\sqrt{2}}( \sum _{z} \vert z\rangle _{p} \vert z\rangle _{S_1;p} \vert z\rangle _{S_2;p} )\).
When they measure \({\mathsf {Z}}_{S_2}\), obtain the outcome z, and apply the unitary \({\mathsf {X}}_j^{-z }\), the resultant state is the Bell state \(\frac{1}{\sqrt{2}}(\sum _{z} \vert z\rangle _{j;p} \vert z\rangle _{S_1;p} )\). When we measure \({\mathsf {X}}_{j}\) and \({\mathsf {X}}_{S_1}\) on the system in the state \(\frac{1}{\sqrt{2}}( \sum _{z} \vert z\rangle _{j;p} \vert z\rangle _{S_1;p} \vert z\rangle _{S_2;p} )\), the measurement outcome does not depend on the measurement outcome of \({\mathsf {Z}}_{S_2}\). Therefore, the measurements on the \(j_1,j,m+j_1,m+j,2m+j_1,2m+j,3m+j_1,3m+j\)-th groups can be considered as the measurements required in Proposition 18. Now, we denote the real operator on the final group by using \(''\). The real quantum systems of Player j and of the groups \(S_1\) and \(S_2\) are denoted by \(\mathcal{H}_j\), \(\mathcal{H}_{S_1}\), and \(\mathcal{H}_{S_2}\).
Using Proposition 18, we can guarantee, with significance level \(\alpha \), that there exist a constant \(c_2\) and isometries \(U_j:\mathcal{H}_j''\rightarrow \mathcal{H}_j\) and \(U_{S_1}:\mathcal{H}_{S_1}''\rightarrow \mathcal{H}_{S_1}\) such that
We apply the same discussion to the case with \(S_1\) and \(S_2\) switched. Then, we can guarantee, with significance level \(\alpha \), that there exists an isometry \(U_{S_2}:\mathcal{H}_{S_2}''\rightarrow \mathcal{H}_{S_2}\) such that
We define two projections
where \(*\) expresses the sum for \(x_1,x_2,x_3\) under the condition \(x_1+x_2+x_3=0\). Then, we have \(\vert GHZ\rangle _p~_p\langle GHZ\vert =P_1 P_2\). Hence, for \(U=U_{j}U_{S_1}U_{S_2}\), using (D5), we have
Applying Proposition 15 to \({P}''_1\) and \({P}''_2\), with significance level \(\alpha \) and a constant \(c_2'\), we have
for \(i=1,2\). Due to Lemma 16, combining (D1),(D2), (D3), (D4), (D7), (D8), and (D9), with significance level \(\alpha \), we have
Hence,
Let \({\tilde{P}}_{X_j,X_{S_1},X_{S_2},E}\) be the joint distribution when Players apply the ideal measurements \(U_j^\dagger {\mathsf {Z}}_jU_j\), \(U_{S_1}^\dagger {\mathsf {Z}}_{S_1}U_{S_1}\), and \(U_{S_2}^\dagger {\mathsf {Z}}_{S_2}U_{S_2}\). With significance level \(\alpha \), we have
Therefore, with significance level \(\alpha \), we have (D12). Hence, we obtain the desired statement. \(\square \)
Proof of Theorem 12 of the mainbody
Now, we show Theorem 11 of the main body by using Lemma 16 and Propositions 15 and 18, which are shown in the Appendices. We apply Proposition 18 to the case with \({\mathsf {X}}_i\), \({\mathsf {X}}_j\), \({\mathsf {Z}}_i\), and \({\mathsf {Z}}_j\) for \(i \ne j\). With significance level \(\alpha \), we can guarantee that there exist a constant \(c_2\) and isometries \(U_i:\mathcal{H}_i''\rightarrow \mathcal{H}_i\) and \(U_j:\mathcal{H}_j''\rightarrow \mathcal{H}_i\) such that
With significance level \(\alpha \), we have (D13) with any \(i\ne j\). Then, using the projections \({\tilde{P}}_1\) and \({\tilde{P}}_2\) defined in (4) and (5), we have \(\vert GHZ\rangle _p~_p\langle GHZ\vert ={\tilde{P}}_1 {\tilde{P}}_2\). Hence, for \(U=U_{j}U_{S_1}U_{S_2}\), using (D5), we have
Applying Proposition 15 to \({\tilde{P}}''_1\) and \({\tilde{P}}''_2\), with significance level \(\alpha \) and a constant \(c_2'\), we have
for \(i=1,2\).
Due to Lemma 16, combining (D13), (D14), (D15), and (D16), with significance level \(\alpha \), we have
Hence,
When we apply the measurement based on a POVM \(M=\{M_i\}\) to the system whose state is \(\rho \), we denote the output distribution by \(\mathcal{P}_\rho ^M\). For any POVM \(M=\{M_i\}\), we have
We denote the POVM corresponding to the ideal observables \({\mathsf {Z}}_1, \ldots , {\mathsf {Z}}_m\) (the real observables \({\mathsf {Z}}_1'', \ldots , {\mathsf {Z}}_m''\)) by \(M_{ideal}\) (\(M_{real}\)). When we apply the measurement based on the POVM \(M_{ideal}\) (\(M_{real}\)) to the system whose state is \(\sigma \), we denote the output distribution by \(P_{X_1,\ldots ,X_m}^{M_{ideal}}\) (\(P_{X_1,\ldots ,X_m}^{M_{real}}\)). Since
we have
Since (D13) and (D16) hold with significance level \(\alpha \), combining (D19) and (D21), we have
Thus, we obtain the desired statement. \(\square \)
Appendix E Extension of quantum protocol for secure modulo zero-sum randomness to case with \({\mathbb {F}}_q\)
Now, we extend our quantum protocol for secure modulo zero-sum randomness to the case with \({\mathbb {F}}_q\). The following discussion assumes trusted measurement devices. Our protocol with untrusted measurement devices cannot be extended to the case with \({\mathbb {F}}_q\).
When we employ a general finite field \({\mathbb {F}}_q\), the phase basis \(\{ \vert z\rangle _p \}_{z\in {\mathbb {F}}_q}\) is defined as [67, Section 8.1.2]
where \( \vert x\rangle \) expresses the computational basis, \(\omega := \exp {\frac{2\pi i}{p}}\) and \(\mathrm {tr}y\) for \(y\in {\mathbb {F}}_q\) is \(\mathrm {Tr}M_y\) where \(M_y\) denotes the multiplication map \(x \mapsto yx\) with the identification of the finite field \({\mathbb {F}}_q\) with the vector space \({\mathbb {F}}_p^t\).
Then, the phase GHZ state \( \vert GHZ\rangle _p:= \frac{1}{\sqrt{q}}\sum _{z \in {\mathbb {F}}_q} \vert z,\ldots , z \rangle _{p}\) is calculated as
When all the players apply measurement on the computational basis and the initial state is \(\vert GHZ\rangle _p\), the sum of m outcomes is zero and \(m-1\) outcomes are subject to the uniform distribution. Hence, these outcomes satisfy the conditions of secure modulo zero-sum randomness. That is, when the initial state is guaranteed to be \(\vert GHZ\rangle _p\), it is guaranteed that the outcomes are secure modulo zero-sum randomness.
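The property stated above can be checked numerically. The following is an added example, not code from the paper: it builds \(\vert GHZ\rangle _p\) for a prime field only (q = p, so the trace map is the identity), assumes the phase-basis convention written in the comments, and then uses the measured outcomes as masks for secure modulo summation in the usual way (each player publishes \(Y_i+X_i\)); all function names are hypothetical.

```python
import cmath
import itertools
import math
import random


def phase_ket(z, p):
    """Computational-basis amplitudes of the phase-basis state |z>_p, p prime.

    Assumed convention: |z>_p = p^(-1/2) * sum_x omega^(x*z) |x>,
    omega = exp(2*pi*i/p). The opposite sign in the exponent yields the
    same outcome distribution below.
    """
    omega = cmath.exp(2j * cmath.pi / p)
    return [omega ** ((x * z) % p) / math.sqrt(p) for x in range(p)]


def phase_ghz_distribution(m, p):
    """Outcome distribution when m players measure |GHZ>_p in the computational basis."""
    kets = [phase_ket(z, p) for z in range(p)]
    dist = {}
    for xs in itertools.product(range(p), repeat=m):
        amp = 0j
        for z in range(p):  # |GHZ>_p = p^(-1/2) * sum_z |z,...,z>_p
            term = 1 + 0j
            for x in xs:
                term *= kets[z][x]
            amp += term
        dist[xs] = abs(amp / math.sqrt(p)) ** 2
    return dist


def is_zero_sum_randomness(dist, m, p, tol=1e-9):
    """Check both stated properties: zero sum, and uniformity of any m-1 outcomes."""
    for xs, pr in dist.items():
        if pr > tol and sum(xs) % p != 0:
            return False  # an outcome tuple with non-zero sum can occur
    uniform = p ** -(m - 1)
    for drop in range(m):  # marginal distribution with player `drop` removed
        marginal = {}
        for xs, pr in dist.items():
            key = xs[:drop] + xs[drop + 1:]
            marginal[key] = marginal.get(key, 0.0) + pr
        if any(abs(v - uniform) > tol for v in marginal.values()):
            return False
    return True


def sample_masks(dist, rng, tol=1e-12):
    """Draw one measurement outcome (X_1, ..., X_m); rounding noise is zeroed."""
    outcomes = list(dist)
    weights = [dist[o] if dist[o] > tol else 0.0 for o in outcomes]
    return rng.choices(outcomes, weights=weights, k=1)[0]


def secure_modulo_sum(inputs, masks, p):
    """Assumed use of the resource: player i publishes (Y_i + X_i) mod p.

    Because the masks sum to zero, the published values sum to
    Y_1 + ... + Y_m mod p.
    """
    published = [(y + x) % p for y, x in zip(inputs, masks)]
    return published, sum(published) % p


if __name__ == "__main__":
    m, p = 3, 5
    dist = phase_ghz_distribution(m, p)
    print("zero-sum randomness:", is_zero_sum_randomness(dist, m, p))
    masks = sample_masks(dist, random.SystemRandom())
    secrets_y = [4, 2, 3]  # constructed sample inputs
    published, total = secure_modulo_sum(secrets_y, masks, p)
    print("masks:", masks, "published:", published, "sum mod p:", total)
```

A distribution that is uniform over all tuples fails the check, since its outcomes need not sum to zero; only the verified GHZ outcomes give masks that cancel in the published sum.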
When we trust measurement devices, we can employ the following protocol to verify the state \(\vert GHZ\rangle _p\).
Theorem 19
Assume that \(\alpha > \frac{1}{2n+1}\) in Protocol 12. If the test is passed, with significance level \(\alpha \), we can guarantee that the resultant state \(\sigma \) on each remaining system satisfies
In other words, if the probability to pass the test is greater than \(\alpha \), the resultant state passing the test satisfies condition (D24).
In the above case, the significance level is the maximum passing probability when malicious Bob sends incorrect states so that the resultant state \(\sigma \) does not satisfy Eq. (D24).
The proof of the theorem is given below. From the theorem and the relation between the fidelity and trace norm [68, (6.106)], we can conclude the verifiability: if they passed the test, they can guarantee that
with significance level \(\alpha \). Therefore, when \(P_{ideal}\) is the ideal distribution of secure modulo zero-sum randomness and \(P_{real}\) is the real distribution obtained via the measurement with respect to the computation basis, we have
Proof of Theorem 19
We choose a new coordinate \({\bar{x}}_1, \ldots , {\bar{x}}_m\) as \({\bar{x}}_1=x_1+\cdots +x_m\) and \({\bar{x}}_i=x_i\) for \(i=2, \ldots , m\). We denote the unitary corresponding to this coordinate conversion by U. When a matrix D is applied in the computation basis, the conversion on phase basis is given by \((D^{-1})^T\). Since
we have
We denote the projection to \(U^\dagger I\otimes \vert 0,\ldots ,0 \rangle _p~_p\langle 0,\ldots ,0\vert U\) and \(U^\dagger \vert 0 \rangle \langle 0\vert \otimes I^{\otimes m-1} U\) by \({\tilde{P}}_1\) and \({\tilde{P}}_2\), respectively. Then, we find that
Also, we find that \({\tilde{P}}_1\) and \({\tilde{P}}_2\) are the projections to the subspaces accepting the phase basis check and the computational basis check, respectively.
We randomly choose one remaining system. Let A be the random permutation of \({\tilde{P}}_1^{\otimes n}\otimes {\tilde{P}}_2^{\otimes n} \otimes (I-\vert GHZ\rangle _p~_p \langle GHZ \vert )\), which expresses the event that they accept the test and the state on the remaining system is orthogonal to the state \(\vert GHZ\rangle _p~_p \langle GHZ \vert \). We define the projection \({\bar{P}}_i:={\tilde{P}}_i-{\bar{P}}_0\), where \({\bar{P}}_0:=\vert GHZ\rangle _p~_p \langle GHZ \vert \) for \(i=1,2\). Also, we define the projection \({\bar{P}}_3:= I- \vert GHZ\rangle _p~_p \langle GHZ \vert -{\bar{P}}_1-{\bar{P}}_2\). Then, we have 4 orthogonal projections \({\bar{P}}_0,{\bar{P}}_1,{\bar{P}}_2,{\bar{P}}_3\).
Then, we have
where \({\bar{P}}_{v}\), \(C_1(v)\), and \(C_2(v)\) are defined by using the number \(N_i(v)\) of i in v as
and
Then, we find that the maximum eigenvalue of A is \(\frac{1}{2n+1}\) (see Notes). Since we have \(\Vert A\Vert \le \frac{1}{2n+1}\), any initial state \(\rho \) satisfies \(\mathrm {Tr}\rho A \le \frac{1}{2n+1}\).
Now, we assume that the probability of accepting the test is less than \(\alpha \). Then, under the condition that they accept the test, the probability of the event orthogonal to the state \(\vert GHZ\rangle _p~_p \langle GHZ \vert \) is upper bounded by \(\frac{1}{\alpha }\cdot \frac{1}{2n+1}\). Hence, we obtain the desired statement. \(\square \)
About this article
Cite this article
Hayashi, M., Koshiba, T. Quantum verifiable protocol for secure modulo zero-sum randomness. Quantum Inf Process 21, 291 (2022). https://doi.org/10.1007/s11128-022-03639-x
DOI: https://doi.org/10.1007/s11128-022-03639-x