Simple, Near-Optimal Quantum Protocols for Die-Rolling

Abstract

Die-rolling is the cryptographic task where two mistrustful, remote parties wish to generate a random D-sided die-roll over a communication channel. Optimal quantum protocols for this task have been given by Aharon and Silman (New Journal of Physics, 2010) but are based on optimal weak coin-flipping protocols that are currently very complicated and not very well understood. In this paper, we first present very simple classical protocols for die-rolling that have decent (and sometimes optimal) security, which is in stark contrast to coin-flipping, bit-commitment, oblivious transfer, and many other two-party cryptographic primitives. We also present quantum protocols based on the idea of integer-commitment, a generalization of bit-commitment, where one wishes to commit to an integer. We analyze these protocols using semidefinite programming and finally give protocols that are very close to Kitaev’s lower bound for any $D\ge 3$. Lastly, we briefly discuss an application of this work to the quantum state discrimination problem.

1. Introduction

Die-rolling is the two-party cryptographic primitive in which two spatially separated parties, Alice and Bob, wish to agree upon an integer $d\in \left[D\right]:=\{1,\dots ,D\}$, generated uniformly at random, over a communication channel. When designing die-rolling protocols, the security goals are:

• Completeness: If both parties are honest, then their outcomes are the same, uniformly random, and neither party aborts.
• Soundness against cheating Bob: If Alice is honest, then a dishonest (i.e., cheating) Bob cannot influence her protocol outcome away from uniform.
• Soundness against cheating Alice: If Bob is honest, then a dishonest (i.e., cheating) Alice cannot influence his protocol outcome away from uniform.

We note here that Alice and Bob start uncorrelated and unentangled. Otherwise, Alice and Bob could each start with half of the following maximally entangled state

$$\frac{1}{\sqrt{D}}\sum _{d\in \left[D\right]}{|d\rangle }_{\mathcal{A}}{|d\rangle }_{\mathcal{B}}$$

(1)

and measure in the computational basis to obtain a perfectly correlated, uniformly random die-roll. Thus, such a primitive would be trivial if they were allowed to start entangled.

Die-rolling is a generalization of a well-studied primitive known as coin-flipping [1], which is the special case of die-rolling when $D=2$. In this paper, we analyze die-rolling protocols in a similar fashion that is widely adopted for coin-flipping protocols [2,3,4,5,6,7,8]. That is, we assume perfect completeness and calculate the soundness in terms of the cheating probabilities, as defined by the symbols:

$P_{B,d}^{*}$:	The probability with which cheating Bob’s attempt to force honest Alice to accept the outcome $d\in \left[D\right]$ happens to succeed.
$P_{A,d}^{*}$:	The probability with which cheating Alice’s attempt to force honest Bob to accept the outcome $d\in \left[D\right]$ happens to succeed.

We are concerned with designing protocols that minimize the maximum of these 2D quantities since a protocol is only as good as its worst cheating probability. Coincidentally, all of the protocols we consider in this paper have the property that all of Alice’s cheating probabilities are equal and similar for a cheating Bob. Therefore, for brevity, we introduce the following shorthand notation:

$$P_A^{*}:=max\{P_{A,1}^{*},\dots ,P_{A,D}^{*}\}\mathrm{and}{P}_B^{*}:=max\{P_{B,1}^{*},\dots ,P_{B,D}^{*}\}.$$

(2)

When $D=2$, the security definition for die-rolling above aligns with that of strong coin-flipping. For strong coin-flipping, it was shown by Kitaev [9] that any quantum protocol satisfies $P_{A,1}^{*}{P}_{B,1}^{*}\ge 1/2$ and $P_{A,2}^{*}{P}_{B,2}^{*}\ge 1/2$, implying that at least one party can cheat with probability at least $1/\sqrt{2}$. It was later shown by Chailloux and Kerenidis [6] that all four cheating probabilities can be made arbitrarily close to $1/\sqrt{2}$ by using optimal quantum protocols for weak coin-flipping as discovered by Mochon [5].

As pointed out in [10], Kitaev’s proof for the lower bound on coin-flipping extends naturally to die-rolling; it can be shown that, for any quantum die-rolling protocol, we have

$$P_{A,d}^{*}{P}_{B,d}^{*}\ge \frac{1}{D}$$

(3)

for any $d\in \left[D\right]$. This implies the lower bound

$$max\{P_A^{*},P_B^{*}\}\ge 1/\sqrt{D}.$$

(4)

In fact, extending the optimal coin-flipping protocol construction in [6], it was shown by Aharon and Silman [10] that for $D>2$, it is possible to find quantum protocols where the maximum of the 2D probabilities is at most $1/\sqrt{D}+\delta$, for any $\delta >0$.

The optimal protocols in [6,10] are not explicit as they rely on using Mochon’s optimal weak coin-flipping protocols as subroutines. Moreover, Mochon’s protocols are very complicated and not given explicitly, although they have been simplified [11].

The best known explicit quantum protocol for die-rolling, of which we are aware is given in [10]. It uses three messages and has cheating probabilities

$$P_A^{*}:=\frac{D+1}{2D}\mathrm{and}{P}_B^{*}:=\frac{2D-1}{D^2}.$$

(5)

These probabilities have the attractive property of approximating Kitaev’s lower bound in the limit, but since $P_A^{*}\to 1/2$ as $D\to \infty$, the maximum cheating probability is quite large. (The protocols considered in this paper have a much different form than these protocols.)

This motivates the work in this paper, which is to find simple and explicit protocols for die-rolling that approximate Kitaev’s lower bound (4).

1.1. Simple Classical Protocols

We first show that simple classical protocols exist with decent security.

Protocol 1 (Classical protocol).

• Alice and Bob agree on a parameter $m\in \left[D\right]$. (In other words, the value m is fixed and known to both Alice and Bob.)
• Bob chooses a subset $S\subseteq \left[D\right]$ with $\left|S\right|=m$, uniformly at random, and sends S to Alice. If $\left|S\right|\ne m$, Alice aborts.
• Alice selects $d\in S$ uniformly at random and tells Bob her selection. If $d\notin S$, Bob aborts.
• Both parties output d.

We see that this is a valid die-rolling protocol as each party outputs the same value $d\in \left[D\right]$ and each value occurs with equal probability. As for the cheating probabilities, it is straightforward to see that

$$P_A^{*}=\frac{m}{D}\mathrm{and}{P}_B^{*}=\frac{1}{m}.$$

(6)

Besides being extremely simple, this protocol has the following interesting properties:

• The product $P_{A,d}^{*}{P}_{B,d}^{*}=1/D$, for any $d\in \left[D\right]$, saturates Kitaev’s lower bound for every $d\in \left[D\right]$.
• For D square and $m=\sqrt{D}$, we have $P_A^{*}=P_B^{*}=1/\sqrt{D}$, yielding an optimal protocol!
• If D is not square, then one party has a cheating advantage, i.e., $P_A^{*}\ne P_B^{*}$.

Note that to minimize $max\{P_A^{*},P_B^{*}\}$, it does not make sense to choose m greater than $\lceil \sqrt{D}\rceil$ or less than $\lfloor \sqrt{D}\rfloor$ (where we use the notation $\lfloor x\rfloor$ to denote the greatest integer y satisfying $y\le x$ and the notation $\lceil x\rceil$ to denote the least integer y satisfying $y\ge x$). We can see that for $D=3$, $D=7$, or $D=8$, for example, choosing the ceiling is better, while, for $D=5$ or $D=10$, choosing the floor is better. Thus, we keep both the cases and summarize the overall security of the above protocol in the following lemma.

Lemma 1.

For $D\ge 2$, there exists a classical die-rolling protocol satisfying

$${\displaystyle \frac{1}{\sqrt{D}}}\le max\{P_A^{*},P_B^{*}\}=min\left\{{\displaystyle \frac{\lceil \sqrt{D}\rceil }{D}},{\displaystyle \frac{1}{\lfloor \sqrt{D}\rfloor }}\right\},$$

(7)

which is optimal when D is square.

Note that the special case of $D=2$ has either Alice or Bob able to cheat perfectly, which is the case for all classical coin-flipping protocols. However, Kitaev’s bound on the product of cheating probabilities is still (trivially) satisfied. For $D=3$, we can choose $m=2$ to obtain $max\{P_A^{*},P_B^{*}\}=2/3$ proving that even classical protocols can have nontrivial security, which is vastly different than the $D=2$ case. The values of $max\{P_A^{*},P_B^{*}\}$ from Label (7) for $D\in \{2,\dots ,10\}$ are later presented in

Table 1. Values of our bounds (as truncated percentages) for various protocols and values of D. We see that the quantum protocol performs very well, even for D as small as 3.

D	2	3	4	5	6	7	8	9	10
Explicit Protocol in [10]	$75\%$	$66\%$	$62\%$	$60\%$	$58\%$	$57\%$	$56\%$	$55\%$	$55\%$
Our Classical Protocol	$100\%$	$66\%$	$50\%$	$50\%$	$50\%$	$42\%$	$37\%$	$33\%$	$33\%$
Our Quantum Protocol	$75\%$	$60\%$	$50\%$	$46\%$	$44\%$	$40\%$	$36\%$	$33\%$	$32\%$
Kitaev’s lower bound	$70\%$	$57\%$	$50\%$	$44\%$	$40\%$	$37\%$	$35\%$	$33\%$	$31\%$

.

We are not aware of other lower bounds for classical die-rolling protocols apart from those implied by Kitaev’s bounds above. We see that sometimes classical protocols can be optimal, for example when D is square. We now consider how to design (simple) quantum protocols and see what levels of security they can offer.

1.2. Simple Quantum Protocols

Many of the best known explicit protocols for strong coin-flipping are based on the idea of bit-commitment [4,8,12,13]. Optimal protocols are known for bit-commitment as well [14], but are again based on weak coin-flipping and are thus very complicated.

In this paper, we generalize the above simple, explicit protocols such that Alice commits to an integer instead of a bit. More precisely, our quantum protocols have the following form.

Protocol 2 (Quantum protocol). A quantum die-rolling protocol based on the idea of integer-commitment, denoted here as $\mathrm{DRIC}$, is defined as follows:

• Alice and Bob agree on a set of states $\{|{\psi }_1\rangle ,\dots ,|{\psi }_D\rangle \}\subset \mathcal{A}\otimes \mathcal{B}$. (In other words, the states are fixed and known to both Alice and Bob.)
• Alice chooses a random $a\in \left[D\right]$ and creates the state $|{\psi }_a\rangle \in \mathcal{A}\otimes \mathcal{B}$ and sends the subsystem $\mathcal{B}$ to Bob.
• Bob sends a uniformly random $b\in \left[D\right]$ to Alice.
• Alice reveals a to Bob and sends him the subsystem $\mathcal{A}$.
• Bob checks if $\mathcal{A}\otimes \mathcal{B}$ is in state $|{\psi }_a\rangle$ using the measurement $\{{\mathsf{\Pi }}_a:=|{\psi }_a\rangle \langle {\psi }_a|,{\mathsf{\Pi }}_{abort}:=I-{\mathsf{\Pi }}_a\}$. Bob accepts/rejects a based on his measurement outcome.
• If Bob does not abort, Alice and Bob output $d:=(a+b)\mathrm{mod}D+1\in \left[D\right]$.

The special case of $D=2$ yields the structure of the simple, explicit coin-flipping protocols mentioned above. Indeed, these protocols are very easy to describe. One needs only the knowledge of the D states $|{\psi }_a\rangle$ and, implicitly, the systems they act on, $\mathcal{A}$ and $\mathcal{B}$.

We start by formulating the cheating probabilities of a $\mathrm{DRIC}$-protocol using semidefinite programming. Once we have established the semidefinite programming cheating strategy formulations, we are able to analyze the security of $\mathrm{DRIC}$-protocols. Furthermore, we are able to analyze modifications to such protocols and the corresponding changes in security.

In this paper, we present a $\mathrm{DRIC}$-protocol with near-optimal security. We develop this protocol in several steps described below.

The first step is to start with a protocol with decent security. To do this, we show how to create a $\mathrm{DRIC}$-protocol with the same cheating probabilities as in Protocol 1.

Proposition 1.

There exists a $\mathrm{DRIC}$-protocol with the same cheating probabilities as in Protocol 1, namely

$$P_A^{*}=\frac{m}{D}\mathrm{and}{P}_B^{*}=\frac{1}{m},$$

(8)

recalling that $m\in \left[D\right]$ is a parameter fixed by the protocol.

The second step is to give a process that (approximately) balances the maximum cheating probabilities of Alice and Bob. We accomplish this by modifying the protocol in order to decrease the overall maximum cheating probability (while possibly increasing lesser cheating probabilities).

Proposition 2.

If there exists a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$, then there exists a $\mathrm{DRIC}$-protocol with maximum cheating probability

$$max\{P_A^{*},P_B^{*}\}\le \frac{Dmax\{\beta ,\alpha \}-min\{\beta ,\alpha \}}{D|\beta -\alpha |+D-1}\le max\{\beta ,\alpha \}.$$

(9)

Moreover, the last inequality is strict when $\alpha \ne \beta$ yielding a strictly better protocol.

By combining the above two propositions, we are able to obtain the main result of this paper.

Theorem 1.

For any $D\ge 2$, there exists a (quantum) $\mathrm{DRIC}$-protocol satisfying

$$\frac{1}{\sqrt{D}}\le max\{P_A^{*},P_B^{*}\}\le min\left\{{\displaystyle \frac{D+\lfloor \sqrt{D}\rfloor }{D(\lfloor \sqrt{D}\rfloor +1)}},{\displaystyle \frac{1+\lceil \sqrt{D}\rceil }{D+\lceil \sqrt{D}\rceil }}\right\},$$

(10)

which is strictly better than Protocol 1 when D is not square.

Since $min\left\{{\displaystyle \frac{D+\lfloor \sqrt{D}\rfloor }{D(\lfloor \sqrt{D}\rfloor +1)}},{\displaystyle \frac{1+\lceil \sqrt{D}\rceil }{D+\lceil \sqrt{D}\rceil }}\right\}\approx {\displaystyle \frac{1}{\sqrt{D}}}$ for large D, this bound is very close to optimal. To compare numbers, we list the values for $D\in \{2,\dots ,10\}$, below.

Related literature. Quantum protocols for a closely related cryptographic task known as string-commitment have been considered [15,16,17,18,19]. Technically, this is the case of integer-commitment when $D=2^n$ (if the string has n bits). It is worth noting that the quantum protocols considered in this paper are quite similar, but the security definitions are very different. Roughly speaking, the references above are concerned with quantum protocols where Alice is able to “cheat” on a bits and Bob is able to “learn” b bits of information about the n bit string. Multiple protocols and security trade-offs are given in the above references.

The use of semidefinite programming has been very valuable in the study of quantum cryptographic protocols (see, for example, [5,7,8,9,20,21]). Roughly speaking, if one is able to formulate cheating probabilities as semidefinite programs, then the problem of analyzing cryptographic security can be translated into a concrete mathematical problem. Moreover, one then has the entire theory of semidefinite programming at their disposal. This is the approach taken in this work, in order to shine new light on a cryptographic task using the lens of semidefinite programming.

Moreover, the techniques developed in this paper may find new applications in the study of other cryptographic primitives. For a simple example, if one changes the definition of the die-rolling primitive such that non-uniform honest outcome probabilities are allowed, then our approach can easily handle this modification. Future research involves studying how these techniques can be applied to other security definitions as well, such as bounding the total variation distance between a “dishonest” outcome distribution and the ”honest” uniform distribution.

1.3. Kitaev’s Lower Bound and the Quantum State Discrimination Problem

The security analysis of $\mathrm{DRIC}$-protocols has many similarities to the quantum state discrimination problem. Suppose you are given a quantum state $\rho \in \{{\rho }_1,\dots ,{\rho }_n\}$ with respective probabilities $p_1,\dots ,p_n$. The quantum state discrimination problem is to determine which state you have been given (by means of measuring it) with the maximum probability of being correct. We only briefly discuss this problem in this work; the interested reader is referred to the survey [22] and the references therein.

We give a very short proof of Kitaev’s lower bound for the special case of $\mathrm{DRIC}$-protocols. Afterwards, we show that it can be generalized to show the following bound for the quantum state discrimination problem.

Proposition 3.

If given a state from the set $\{{\rho }_1,\dots ,{\rho }_n\}$, with respective probabilities $\{p_1,\dots ,p_n\}$, then there exists a measurement to learn which state was given with success probability at least ${\lambda }_{min}\left({\left({\sum }_{i=1}^n{W}_i^{-1}\right)}^{-1}\right)$ for any positive definite Hermitian $\{W_1,\dots ,W_n\}$ satisfying $\langle W_i,{\rho }_i\rangle \le 1$, for all $i\in \left[n\right]$. Here, ${\lambda }_{min}$ denotes the smallest eigenvalue of a Hermitian matrix.

Note that the above proposition is indeed independent of the $p_i$s and could thus probably be strengthened. However, we use cryptographic reasoning to argue that this bound can be tight.

1.4. Paper Organization.

In Section 2, we develop the semidefinite programming cheating strategy formulations for Alice and Bob. In Section 3, we exhibit a $\mathrm{DRIC}$-protocol and then use the semidefinite programming formulations to prove Proposition 1, that the protocol has the same cheating probabilities as in Protocol 1. Section 4 shows how to balance the probabilities in a $\mathrm{DRIC}$-protocol by showing how to reduce Bob’s cheating and then how to reduce Alice’s. Combining these yields a proof of Proposition 2. Lastly, in Section 5, we give a short proof of Kitaev’s lower bound when applied to $\mathrm{DRIC}$-protocols and then generalize it to the quantum state discrimination problem to prove Proposition 3.

2. Semidefinite Programming Cheating Strategy Formulations

In this section, we use the theory of semidefinite programming to formulate Alice and Bob’s maximum cheating probabilities for a $\mathrm{DRIC}$-protocol. The formulations in this section are a generalization of those for bit-commitment (see [8] and the references therein for details about this special case).

2.1. Semidefinite Programming

Semidefinite programming is the theory of optimizing a linear function over a positive semidefinite matrix variable subject to finitely many affine constraints. A semidefinite program (SDP) can be written in the following form without loss of generality:

$$p^{*}:=\underset{X}{sup}\{\langle C,X\rangle :\mathsf{\Phi }\left(X\right)=B,X⪰0\},$$

(11)

where $\mathsf{\Phi }$ is a linear transformation, C and B are Hermitian, and $X⪰Y$ means that $X-Y$ is (Hermitian) positive semidefinite. Note that we are using the Hilbert–Schmidt inner product $\langle A,B\rangle =Tr\left(A^{*}B\right)$, where $A^{*}$ is the conjugate-transpose of A.

Associated with every SDP is a dual SDP:

$$d^{*}:=\underset{Y}{inf}\{\langle B,Y\rangle :{\mathsf{\Phi }}^{*}\left(Y\right)=C+S,S⪰0,Y\mathrm{is}\mathrm{Hermitian}\},$$

(12)

where ${\mathsf{\Phi }}^{*}$ is the adjoint of $\mathsf{\Phi }$.

We refer to the optimization problem (11) as the primal or primal SDP and to the optimization problem (12) as the dual or dual SDP. We say that the primal is feasible if there exists an X satisfying the (primal) constraints

$$\mathsf{\Phi }\left(X\right)=B\mathrm{and}X⪰0,$$

(13)

and we say the dual is feasible if there exists $(Y,S)$ satisfying the (dual) constraints

$${\mathsf{\Phi }}^{*}\left(Y\right)=C+S,S⪰0,\mathrm{and}Y\mathrm{is}\mathrm{Hermitian}.$$

(14)

Furthermore, if we have X positive definite, then the primal is said to be strictly feasible and if we have S positive definite, then the dual is said to be strictly feasible.

Semidefinite programming has a rich and powerful duality theory. In particular, we use the following:

Weak duality:	If the primal and dual are both feasible, then $p^{*}\le d^{*}$.
Strong duality:	If the primal and dual are both strictly feasible, then $p^{*}=d^{*}$ and both attain an optimal solution.

For more information about semidefinite programming and its duality theory, the reader is referred to [23].

2.2. Cheating Strategy Formulations

To study a fixed $\mathrm{DRIC}$-protocol, it is convenient to define the following reduced states

$${\rho }_a:={Tr}_{\mathcal{A}}\left(|{\psi }_a\rangle \langle {\psi }_a|\right)$$

(15)

for all $a\in \left[D\right]$. We show that they appear in both the case of cheating Alice and cheating Bob.

Cheating Bob. To see how Bob can cheat, notice that he only has one message that he sends to Alice. Thus, he must send $b\in \left[D\right]$ to force the outcome he wishes. For example, if he wishes to force the outcome d, he would send b such that $d=(a+b)\mathrm{mod}D+1$. Therefore, he must extract the value of a from $\mathcal{B}$ to accomplish this. Suppose that he measures $\mathcal{B}$ with the measurement

$$\{M_1,\dots ,M_D\},$$

(16)

where the outcome of the measurement corresponds to Bob’s guess for a. If Alice chose $a\in \left[D\right]$, he succeeds in cheating if his guess is correct, which happens with probability

$$\langle M_a,{\rho }_a\rangle .$$

(17)

Since the choice of Alice’s integer a is uniformly random, we can calculate Bob’s optimal cheating probability as

$$P_B^{*}=max\left\{\frac{1}{D}\sum _{a\in \left[D\right]}\langle M_a,{\rho }_a\rangle :\sum _{a\in \left[D\right]}{M}_a=I_{\mathcal{B}},M_a⪰0,\forall a\in \left[D\right]\right\},$$

(18)

noting that the variables being optimized over correspond to a POVM measurement. Note that the maximum is attained since the set of feasible $(M_1,\dots ,M_D)$ forms a compact set.

Now that Bob’s optimal cheating probability is stated in terms of an SDP, we can examine its dual as shown in the lemma below.

Lemma 2.

For any $\mathrm{DRIC}$-protocol, we have

$$P_B^{*}=min\left\{Tr\left(X\right):X⪰\frac{1}{D}{\rho }_a,\forall a\in \left[D\right]\right\}.$$

(19)

Proof. 

One can check using the definitions (11) and (12) that the optimization problem (19) is the dual of Label (18). Defining $M_a=\frac{1}{D}{I}_{\mathcal{B}}$, for all $a\in \left[D\right]$, yields a strictly feasible solution for the primal. In addition, $X=I_{\mathcal{B}}$ is a strictly feasible solution for the dual. Thus, by strong duality, both the primal and dual attain an optimal solution and their optimal values are the same.  ☐

We refer to the optimization problem (18) as Bob’s primal SDP and to the optimization problem (19) as Bob’s dual SDP. The utility of having dual SDP formulations is that any feasible solution yields an upper bound on the maximum cheating probability. Proving upper bounds on cheating probabilities would otherwise be a very hard task.

Cheating Alice. If Alice wishes to force Bob to accept outcome $d\in \left[D\right]$, she must convince him that the state in $\mathcal{A}\otimes \mathcal{B}$ is indeed $|{\psi }_a\rangle$, where a is such that $d=(a+b)\mathrm{mod}D+1$. Note that this choice of a is determined after learning b from Bob, which occurs with uniform probability.

To quantify the extent to which Alice can cheat, we examine the states Bob has during the protocol. We know that Bob measures and accepts a with the measurement operator ${\mathsf{\Pi }}_a:=|{\psi }_a\rangle \langle {\psi }_a|$. Let $(a,\mathcal{A})$ be Alice’s last message. Then, Bob’s state at the end of the protocol is given by a density operator ${\sigma }_a$ acting on $\mathcal{A}\otimes \mathcal{B}$, which is accepted with probability $\langle {\sigma }_a,|{\psi }_a\rangle \langle {\psi }_a|\rangle$. Note that Alice’s first message $\mathcal{B}$ is in state $\sigma :={Tr}_{\mathcal{A}}\left({\sigma }_a\right)$ which is independent of a (since Alice’s first message does not depend on a when she cheats). Thus, the states under Bob’s control are subject to the constraints

$${Tr}_{\mathcal{A}}\left({\sigma }_a\right)=\sigma ,\forall a\in \left[D\right],Tr\left(\sigma \right)=1,\sigma ,{\sigma }_1\dots ,{\sigma }_D⪰0.$$

(20)

(Note that $Tr\left({\sigma }_a\right)=1$, for all $a\in \left[D\right]$, is implied by the constraints above, and is thus omitted.) On the other hand, if Alice maintains a purification of the states above, then, using Uhlmann’s Theorem [24], she can prepare any set of states satisfying conditions (20).

Thus, we have

$$P_A^{*}=max\left\{\frac{1}{D}\sum _{a\in \left[D\right]}\langle {\sigma }_a,|{\psi }_a\rangle \langle {\psi }_a|\rangle :{Tr}_{\mathcal{A}}\left({\sigma }_a\right)=\sigma ,\forall a\in \left[D\right],Tr\left(\sigma \right)=1,\sigma ,{\sigma }_1\dots ,{\sigma }_D⪰0\right\}.$$

(21)

Again, since the set of feasible $(\sigma ,{\sigma }_1,\dots ,{\sigma }_D)$ is compact, the above SDP attains an optimal solution.

Similar to the case of cheating Bob, we can view the dual of Alice’s cheating SDP above as shown in the lemma below.

Lemma 3.

For any $\mathrm{DRIC}$-protocol, we have

$$P_A^{*}=min\left\{s:s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,I_{\mathcal{A}}\otimes Z_a⪰\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|,\forall a\in \left[D\right],Z_a\hspace{0.17em}\mathrm{is}\hspace{0.17em}\mathrm{Hermitian}\right\}.$$

(22)

Proof. 

It can be checked that Label (22) is in fact the dual of Label (21). By defining $\sigma$ and each ${\sigma }_1,\dots ,{\sigma }_D$ to be completely mixed states, we have that the primal is strictly feasible. By defining $s=D+1$ and each $Z_1,\dots ,Z_D$ to be equal to $I_{\mathcal{B}}$, we have that the dual is strictly feasible as well. The result now holds by applying strong duality. ☐

We refer to the optimization problem (21) as Alice’s primal SDP and the optimization problem (22) as Alice’s dual SDP.

Note that every solution feasible in Alice’s dual SDP has $Z_a$ being positive semidefinite, for all $a\in \left[D\right]$. We can further assume that each $Z_a$ is positive definite if we sacrifice the attainment of an optimal solution. This is because we can take an optimal solution $(s,Z_1,\dots ,Z_D)$ and consider $(s+\epsilon D,Z_1+\epsilon I_{\mathcal{B}},\dots ,Z_D+\epsilon I_{\mathcal{B}})$, which is also feasible for any $\epsilon >0$, and $s+\epsilon D$ approaches $s=P_A^{*}$ as $\epsilon$ decreases to 0.

Next, we use an analysis similar to one found in [20,25] to simplify the constraint $I_{\mathcal{A}}\otimes Z_a⪰|{\psi }_a\rangle \langle {\psi }_a|$ when $Z_a$ is positive definite. Since $X\to ZX{Z}^{-1}$ is an automorphism of the set of positive semidefinite matrices for any fixed positive definite Z, we have

$$I_{\mathcal{A}}\otimes Z_a⪰\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|\iff I_{\mathcal{A}\otimes \mathcal{B}}⪰(I_{\mathcal{A}}\otimes Z_a^{-1/2})\left(\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|\right)(I_{\mathcal{A}}\otimes Z_a^{-1/2}).$$

(23)

Note that since the quantity on the right is positive semidefinite with rank at most 1, its largest eigenvalue is equal to its trace, which is equal to

$$\frac{1}{D}\langle I_{\mathcal{A}}\otimes Z_a^{-1},|{\psi }_a\rangle \langle {\psi }_a|\rangle =\frac{1}{D}\langle Z_a^{-1},{Tr}_{\mathcal{A}}\left(|{\psi }_a\rangle \langle {\psi }_a|\right)\rangle =\frac{1}{D}\langle Z_a^{-1},{\rho }_a\rangle .$$

(24)

Thus, we can rewrite Label (23) as

$$I_{\mathcal{A}}\otimes Z_a⪰\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|\iff \frac{1}{D}\langle Z_a^{-1},{\rho }_a\rangle \le 1\iff \langle Z_a^{-1},{\rho }_a\rangle \le D.$$

(25)

Therefore, we have the following lemma.

Lemma 4.

For any $\mathrm{DRIC}$-protocol, we have

$$P_A^{*}=inf\left\{s:s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,\langle Z_a^{-1},{\rho }_a\rangle \le D,\forall a\in \left[D\right],Z_a\mathrm{is}\mathrm{positive}\mathrm{definite},\forall a\in \left[D\right]\right\}.$$

(26)

We also refer to the optimization problem (26) as Alice’s dual SDP and we distinguish them by equation number.

3. Finding a Decent DRIC-Protocol

In this section, we exhibit a $\mathrm{DRIC}$-protocol that has the same cheating probabilities as Protocol 1:

$$P_B^{*}=\frac{1}{m}\mathrm{and}{P}_A^{*}=\frac{m}{D}.$$

(27)

To do this, define $T_m$ to be the subsets of $\left[D\right]$ of cardinality m and note that $|T_m|=\left(\begin{array}{c}D\\ m\end{array}\right)$. Consider the following states

$${\displaystyle |{\psi }_a\rangle :={\displaystyle \frac{1}{\sqrt{\left(\begin{array}{c}D-1\\ m-1\end{array}\right)}}}\sum _{S\in T_m:a\in S}|S\rangle |S\rangle \in \mathcal{A}\otimes \mathcal{B},}$$

(28)

for $a\in \left[D\right]$, where $\mathcal{A}=\mathcal{B}={\mathbb{C}}^{|T_m|}$. Notice that

$${\rho }_a:={Tr}_{\mathcal{A}}\left(|{\psi }_a\rangle \langle {\psi }_a|\right)={\displaystyle \frac{1}{\left(\begin{array}{c}D-1\\ m-1\end{array}\right)}}\sum _{S\in T_m:a\in S}|S\rangle \langle S|.$$

(29)

We now use the cheating SDPs developed in the previous section to analyze the cheating probabilities of this protocol.

Cheating Bob. To prove that Bob can cheat with probability at least $1/m$, suppose he measures his message from Alice in the computational basis. He then obtains a random subset $S\in T_m$ such that $a\in S$. He then guesses which integer is a and responds with the appropriate choice for b to get his desired outcome. He succeeds if and only if his guess for a (from the m choices in S) is correct. This strategy succeeds with probability $1/m$. Thus, $P_B^{*}\ge 1/m$.

To prove Bob cannot cheat with probability greater than $1/m$, notice that $X={\displaystyle \frac{1}{D\left(\begin{array}{c}D-1\\ m-1\end{array}\right)}}{I}_{\mathcal{B}}$ satisfies

$$X⪰\frac{1}{D}{\rho }_a,\forall a\in \left[D\right],$$

(30)

and thus is feasible in Bob’s dual Label (19). Therefore, $P_B^{*}\le Tr\left(X\right)=1/m$, as desired.

Cheating Alice. Alice can cheat by creating the maximally entangled state

$$|T_m\rangle :=\frac{1}{\sqrt{|T_m|}}\sum _{S\in T_m}|S\rangle |S\rangle \in \mathcal{A}\otimes \mathcal{B}$$

(31)

and sending $\mathcal{B}$ to Bob. After learning b, she sends a such that $(a+b)\mathrm{mod}D+1$ is her desired outcome. She also sends $\mathcal{A}$ to Bob (without altering it in any way). Thus, her cheating probability is precisely the probability of her passing Bob’s cheat detection, which is

$$\langle {\mathsf{\Pi }}_a,|T_m\rangle \langle T_m|\rangle =\langle |{\psi }_a\rangle \langle {\psi }_a|,|T_m\rangle \langle T_m|\rangle ={\left|\langle T_m|{\psi }_a\rangle \right|}^2=\frac{m}{D}.$$

(32)

Therefore, this cheating strategy succeeds with probability $m/D$, proving $P_A^{*}\ge m/D$.

To prove this strategy is optimal, we use Alice’s dual SDP (26). Define

$$Z_a:={\displaystyle \frac{1}{D}}\sum _{S\in T_m:a\in S}|S\rangle \langle S|+\epsilon \sum _{S\in T_m:a\notin S}|S\rangle \langle S|,$$

(33)

where $\epsilon$ is a small positive constant. $Z_a$ is invertible and we can write

$$Z_a^{-1}:=D\sum _{S\in T_m:a\in S}|S\rangle \langle S|+{\displaystyle \frac{1}{\epsilon }}\sum _{S\in T_m:a\notin S}|S\rangle \langle S|.$$

(34)

We see that each $Z_a$ satisfies $\langle Z_a^{-1},{\rho }_a\rangle =D$, for all $a\in \left[D\right]$. In addition,

$$Z_a⪯{\displaystyle \frac{1}{D}}\sum _{S\in T_m:a\in S}|S\rangle \langle S|+\epsilon I_{\mathcal{B}},$$

(35)

thus

$$\sum _{a\in \left[D\right]}{Z}_a⪯{\displaystyle \frac{1}{D}}\sum _{a\in \left[D\right]}\sum _{S\in T_m:a\in S}|S\rangle \langle S|+\epsilon D{I}_{\mathcal{B}}=\left({\displaystyle \frac{m}{D}}+\epsilon D\right)I_{\mathcal{B}}.$$

(36)

Thus, $s={\displaystyle \frac{m}{D}}+\epsilon D$ satisfies

$$s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,$$

(37)

proving $P_A^{*}\le s={\displaystyle \frac{m}{D}}+\epsilon D$, for all $\epsilon >0$. Therefore, $P_A^{*}=m/D$, as desired.

4. Balancing Alice and Bob’s Cheating Probabilities

This section is comprised of two parts. We first focus on reducing Bob’s cheating probabilities, and then Alice’s.

4.1. Building New Protocols That Reduce Bob’s Cheating

We start with a lemma.

Lemma 5.

If there exists a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$, then there exists another $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}={\alpha }^{\prime }$ and $P_B^{*}={\beta }^{\prime }$, where

$${\beta }^{\prime }\le (1-t)\beta +\frac{t}{D}and{\alpha }^{\prime }\le (1-t)\alpha +t$$

(38)

for any $t\in (0,1)$.

Proof. 

To prove this lemma, fix a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$ defined by the states $|{\psi }_a\rangle \in \mathcal{A}\otimes \mathcal{B}$, for $a\in \left[D\right]$. Extend each of the Hilbert spaces $\mathcal{A}$ and $\mathcal{B}$ by another basis vector $|\perp \rangle$ and denote these Hilbert spaces by ${\mathcal{A}}^{\prime }$ and ${\mathcal{B}}^{\prime }$, respectively. In short, ${\mathcal{A}}^{\prime }:=\mathcal{A}\oplus \mathrm{span}\left\{|\perp \rangle \right\}$ and ${\mathcal{B}}^{\prime }:=\mathcal{B}\oplus \mathrm{span}\left\{|\perp \rangle \right\}$. Note that

$$\langle \perp ,\perp |{\psi }_a\rangle =0,\mathrm{for}\mathrm{all}a\in \left[D\right].$$

(39)

We now analyze the cheating probabilities of Alice and Bob in the new $\mathrm{DRIC}$-protocol defined by the states

$$|{\psi }_a^{\prime }\rangle :=\sqrt{1-t}|{\psi }_a\rangle +\sqrt{t}|\perp ,\perp \rangle \in {\mathcal{A}}^{\prime }\otimes {\mathcal{B}}^{\prime },\mathrm{for}\mathrm{all}a\in \left[D\right].$$

(40)

That is, for a fixed value $t\in (0,1)$, we compute the new cheating probabilities. For this, note that

$${\rho }_a^{\prime }:={Tr}_{\mathcal{A}}\left(|{\psi }_a^{\prime }\rangle \langle {\psi }_a^{\prime }|\right)=(1-t){\rho }_a+t|\perp \rangle \langle \perp |,$$

(41)

where ${\rho }_a:={Tr}_{\mathcal{A}}\left(|{\psi }_a\rangle \langle {\psi }_a|\right)$.

Intuitively, Alice can cheat more if the states ${\rho }_a$ are “close” to each other and Bob can cheat more if they are “far apart”. What this protocol modification does is make all the states closer together (by increasing the value of t), which increases Alice’s cheating probability, but, in doing so, decreases Bob’s. We show below how the cheating probabilities change and how to choose a good value for $t>0$.

Cheating Bob. Let X be an optimal solution to Bob’s dual Label (19) for the original protocol. Thus, $Tr\left(X\right)=\beta$ and $X⪰\frac{1}{D}{\rho }_a$, for all $a\in \left[D\right]$.

To upper bound Bob’s cheating probability in the new protocol, we show that

$$X^{\prime }:=(1-t)X+\frac{t}{D}|\perp \rangle \langle \perp |$$

(42)

is feasible for Bob’s dual for the new protocol. We have

$$X^{\prime }=(1-t)X+\frac{t}{D}|\perp \rangle \langle \perp |⪰\frac{1-t}{D}{\rho }_a+\frac{t}{D}|\perp \rangle \langle \perp |=\frac{1}{D}{\rho }_a^{\prime }$$

(43)

for all $a\in \left[D\right]$. Thus, $X^{\prime }$ is feasible, proving that $P_B^{*}\le Tr\left(X^{\prime }\right)=(1-t)\beta +t/D$ for the new protocol.

Cheating Alice. We now repeat the same process for Alice. Let $(s,Z_1,\dots ,Z_D)$ be a feasible solution for Alice’s dual SDP (26) for the original protocol. That is, $s{I}_{\mathcal{B}}⪰{\sum }_{a\in \left[D\right]}{Z}_a$ and each positive definite $Z_a$ satisfies $\langle Z_a^{-1},{\rho }_a\rangle \le D$, for each $a\in \left[D\right]$. Define

$$Z_a^{\prime }:=\delta Z_a+\epsilon |\perp \rangle \langle \perp |,$$

(44)

for $a\in \left[D\right]$, and for fixed $t\in (0,1)$,

$$\epsilon :={\displaystyle \frac{s(1-t)+t}{D}}>0\mathrm{and}\delta :=(1-t)+\frac{t}{s}>0.$$

(45)

Notice that

$${\left(Z_a^{\prime }\right)}^{-1}={\displaystyle \frac{1}{\delta }}{Z}_a^{-1}+{\displaystyle \frac{1}{\epsilon }}|\perp \rangle \langle \perp |.$$

(46)

To show the analogous constraints are satisfied with $Z_a^{\prime }$, recall that $\langle |\perp \rangle \langle \perp |,{\rho }_a\rangle =0$ for all $a\in \left[D\right]$. Using this, we have

$$\langle {\left(Z_a^{\prime }\right)}^{-1},{\rho }_a^{\prime }\rangle ={\displaystyle \frac{1}{\delta }}\langle Z_a^{-1},{\rho }_a^{\prime }\rangle +{\displaystyle \frac{1}{\epsilon }}\langle |\perp \rangle \langle \perp |,{\rho }_a^{\prime }\rangle \le {\displaystyle \frac{D(1-t)}{\delta }}+{\displaystyle \frac{t}{\epsilon }}=D.$$

(47)

To finish the proof of feasibility, note that

$$\sum _{a\in \left[D\right]}{Z}_a^{\prime }=\delta \sum _{a\in \left[D\right]}{Z}_a+\epsilon D|\perp \rangle \langle \perp |⪯\delta s{I}_{\mathcal{B}}+\epsilon D|\perp \rangle \langle \perp |⪯s^{\prime }{I}_{{\mathcal{B}}^{\prime }},$$

(48)

where $s^{\prime }:=s(1-t)+t$. Since s can be taken to be arbitrarily close to $\alpha$, we have

$$P_A^{*}\le (\alpha +{\epsilon }^{\prime })(1-t)+t$$

(49)

for all ${\epsilon }^{\prime }>0$, finishing the proof. ☐

Note that this lemma is useful when $\beta >\alpha$. In this case, one can choose

$$t={\displaystyle \frac{\beta -\alpha }{(1-1/D)+(\beta -\alpha )}}\in (0,1)$$

(50)

to equate the upper bounds. If $\alpha >\beta$, then no choice of $t\in (0,1)$ will make the two upper bounds in Lemma 5 equal. We summarize in the following corollary.

Corollary 1.

If there exists a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$, with $\beta >\alpha$, then there exists another $\mathrm{DRIC}$-protocol with maximum cheating probability

$$max\{P_A^{*},P_B^{*}\}\le \frac{D\beta -\alpha }{D\beta -D\alpha +D-1}<\beta .$$

(51)

4.2. Building New Protocols That Reduce Alice’s Cheating

In this subsection, we show how to reduce Alice’s cheating probabilities in a $\mathrm{DRIC}$-protocol.

Lemma 6.

If there exists a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$, then there exists another $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}={\alpha }^{\prime }$ and $P_B^{*}={\beta }^{\prime }$ where

$${\beta }^{\prime }\le (1-t)\beta +tand{\alpha }^{\prime }\le (1-t)\alpha +\frac{t}{D},$$

(52)

for any $t\in (0,1)$.

Proof. 

To prove this lemma, fix a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$ defined by the states $|{\psi }_a\rangle \in \mathcal{A}\otimes \mathcal{B}$, for $a\in \left[D\right]$. Extend each of the Hilbert spaces $\mathcal{A}$ and $\mathcal{B}$ by the set of orthogonal basis vectors $\{|{\perp }_a\rangle :a\in [D\left]\right\}$, and denote these new Hilbert spaces by ${\mathcal{A}}^{\prime }$ and ${\mathcal{B}}^{\prime }$, respectively. In other words,

$${\mathcal{A}}^{\prime }:=\mathcal{A}\oplus \mathrm{span}\{|{\perp }_1\rangle ,\dots ,|{\perp }_D\rangle \}\mathrm{and}{\mathcal{B}}^{\prime }:=\mathcal{B}\oplus \mathrm{span}\{|{\perp }_1\rangle ,\dots ,|{\perp }_D\rangle \}.$$

(53)

Note that

$$\langle {\perp }_{a^{\prime \prime }},{\perp }_{a^{\prime }}|{\psi }_a\rangle =0,\mathrm{for}\mathrm{all}a,a^{\prime },a^{\prime \prime }\in \left[D\right].$$

(54)

Again, we analyze the cheating probabilities of Alice and Bob in the new $\mathrm{DRIC}$-protocol defined by the states

$$|{\psi }_a^{\prime }\rangle :=\sqrt{1-t}|{\psi }_a\rangle +\sqrt{t}|{\perp }_a\rangle |{\perp }_a\rangle \in {\mathcal{A}}^{\prime }\otimes {\mathcal{B}}^{\prime }$$

(55)

for $a\in \left[D\right]$. The reduced states are

$${\rho }_a^{\prime }:=(1-t){\rho }_a+t|{\perp }_a\rangle \langle {\perp }_a|$$

(56)

for $a\in \left[D\right]$, recalling that ${\rho }_a:={Tr}_{\mathcal{A}}\left(|{\psi }_a\rangle \langle {\psi }_a|\right)$. We now analyze the cheating probabilities of this new protocol as a function of $t\in (0,1)$.

Intuitively, this protocol modification works in the opposite manner of the last. Here, we are making the states farther apart as to decrease Alice’s cheating at the expense of increasing Bob’s.

Cheating Bob. Let X be an optimal solution for Bob’s dual SDP (19) for the original protocol. Define

$$X^{\prime }:=(1-t)X+\frac{t}{D}\sum _{a\in \left[D\right]}|{\perp }_a\rangle \langle {\perp }_a|,$$

(57)

which can easily be seen to be feasible in the dual SDP for the new protocol. Thus, we have $P_B^{*}\le Tr\left(X^{\prime }\right)=(1-t)\beta +t$.

Cheating Alice. Let $(s,Z_1,\dots ,Z_D)$ be a feasible solution for Alice’s dual SDP (26) for the original protocol. That is, $s{I}_{\mathcal{B}}⪰{\sum }_{a\in \left[D\right]}{Z}_a$ and each positive definite $Z_a$ satisfies $\langle Z_a^{-1},{\rho }_a\rangle \le D$, for each $a\in \left[D\right]$.

Define

$$Z_a^{\prime }:=\delta Z_a+\epsilon |{\perp }_a\rangle \langle {\perp }_a|+\zeta \sum _{c\in \left[D\right],c\ne a}|{\perp }_c\rangle \langle {\perp }_c|$$

(58)

for positive constants $\delta ,\epsilon ,\zeta$ to be specified later. Note that $\langle {\sum }_{c\in \left[D\right],c\ne a}|{\perp }_c\rangle \langle {\perp }_c|,{\rho }_a^{\prime }\rangle =0$, for all $a\in \left[D\right]$.

We have $Z_a^{\prime }$ is invertible and we can write its inverse as

$${\left(Z_a^{\prime }\right)}^{-1}=\frac{1}{\delta }{Z}_a^{-1}+\frac{1}{\epsilon }|{\perp }_a\rangle \langle {\perp }_a|+\frac{1}{\zeta }\sum _{c\in \left[D\right],c\ne a}|{\perp }_c\rangle \langle {\perp }_c|,$$

(59)

which satisfies

$$\langle {\left(Z_a^{\prime }\right)}^{-1},{\rho }_a^{\prime }\rangle =\frac{1}{\delta }\langle Z_a^{-1},{\rho }_a^{\prime }\rangle +\frac{1}{\epsilon }\langle |{\perp }_a\rangle \langle {\perp }_a|,{\rho }_a^{\prime }\rangle \le \frac{D(1-t)}{\delta }+\frac{t}{\epsilon }.$$

(60)

Also note that

$$\begin{array}{ccc}\hfill \sum _{a\in \left[D\right]}{Z}_a^{\prime }& =& \delta \sum _{a\in \left[D\right]}{Z}_a+\epsilon \sum _{a\in \left[D\right]}|{\perp }_a\rangle \langle {\perp }_a|+\zeta \sum _{a\in \left[D\right]}\sum _{c\in \left[D\right],c\ne a}|{\perp }_c\rangle \langle {\perp }_c|\hfill \end{array}$$

(61)

$$\begin{array}{cc}⪯& \delta s{I}_{\mathcal{B}}+(\epsilon +\zeta (D-1))\sum _{a\in \left[D\right]}|{\perp }_a\rangle \langle {\perp }_a|\hfill \end{array}$$

(62)

$$\begin{array}{cc}⪯& s^{\prime }{I}_{{\mathcal{B}}^{\prime }},\hfill \end{array}$$

(63)

where $s^{\prime }:=max\{\delta s,\epsilon +\zeta (D-1)\}$. Setting

$$\epsilon =(1-t)s+\frac{t}{D}>0\mathrm{and}\delta =(1-t)+\frac{t}{Ds}>0,$$

(64)

we get $\langle {\left(Z_a^{\prime }\right)}^{-1},{\rho }_a^{\prime }\rangle \le D$ and $s^{\prime }=(1-t)s+t/D+\zeta (D-1)$. Since s can be taken to be arbitrarily close to $\alpha$, and $\zeta$ arbitrarily close to 0, we have $P_A^{*}\le (\alpha +{\epsilon }^{\prime })(1-t)+t/D+{\epsilon }^{\prime }(D-1)$ for all ${\epsilon }^{\prime }>0$, finishing the proof. ☐

As opposed to Lemma 5, the above lemma is useful when $\alpha >\beta$. Similarly, if $\beta >\alpha$, then no choice of $t\in (0,1)$ will make the two upper bounds in Lemma 6 equal.

By symmetry, we have the following corollary.

Corollary 2.

If there exists a $\mathrm{DRIC}$-protocol with cheating probabilities $P_A^{*}=\alpha$ and $P_B^{*}=\beta$, with $\alpha >\beta$, then there exists another $\mathrm{DRIC}$-protocol with maximum cheating probability

$$max\{P_A^{*},P_B^{*}\}\le \frac{D\alpha -\beta }{D\alpha -D\beta +D-1}<\alpha .$$

(65)

Note that if $\alpha =\beta$, the quantity $\frac{D\alpha -\beta }{D\alpha -D\beta +D-1}$ is equal to $\alpha (=\beta )$. Thus, we still have

$$max\{P_A^{*},P_B^{*}\}\le \frac{D\alpha -\beta }{D\alpha -D\beta +D-1}$$

(66)

holding, although no protocol modification is necessary. Therefore, Proposition 2 now follows from combining Corollaries 1 and 2 and the comment above.

5. Kitaev’s Lower Bound and Quantum State Discrimination

We start this section with a short proof of Kitaev’s lower bound for $\mathrm{DRIC}$-protocols.

5.1. Kitaev’s Lower Bound

Let $(s,Z_1,\dots ,Z_D)$ be an optimal solution for Alice’s dual SDP (22), i.e.,

$$P_A^{*}=s,s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,\mathrm{and}{I}_{\mathcal{A}}\otimes Z_a⪰\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|,\mathrm{for}\mathrm{all}a\in \left[D\right].$$

(67)

Note that from the last constraint in the SDP, we require that $Z_a$ is positive semidefinite for all $a\in \left[D\right]$. We may assume that $s{I}_{\mathcal{B}}={\sum }_{a=1}^D{Z}_a$, without loss of generality, since we can always increase $Z_1$ to make this the case. i.e., we can redefine $Z_1\to Z_1+\left(s{I}_{\mathcal{B}}-{\sum }_{a\in \left[D\right]}{Z}_a\right)$, which maintains the same value for s and still satisfies all of the constraints. Define the matrices $M_a:=\frac{1}{s}{Z}_a$ for all $a\in \left[D\right]$. We see that this is feasible for Bob’s cheating SDP (18). We thus have that

$$P_B^{*}\ge \frac{1}{D}{\sum }_{a=1}^D\langle {\rho }_a,M_a\rangle =\frac{1}{sD}{\sum }_{a=1}^D\langle {\rho }_a,Z_a\rangle =\frac{1}{sD}{\sum }_{a=1}^D\langle |{\psi }_a\rangle \langle {\psi }_a|,I_{\mathcal{A}}\otimes Z_a\rangle \ge \frac{1}{s{D}^2}{\sum }_{a=1}^D\langle |{\psi }_a\rangle \langle {\psi }_a|,|{\psi }_a\rangle \langle {\psi }_a|\rangle ,$$

(68)

implying that $P_A^{*}{P}_B^{*}\ge 1/D$, which is precisely Kitaev’s lower bound for die-rolling.

Remark 1.

This proof is slightly different than Kitaev’s original proof, which involves combining Bob’s and Alice’s optimal dual solutions. The above proof takes an optimal dual solution for Alice, and then creates a valid cheating strategy for Bob. This new perspective could shed light on the nature of dual solutions and their role in creating point games (which are still regarded as being quite mysterious). Point games are beyond the scope of this work; the interested reader is referred to [5,7,11] for further details.

5.2. Quantum State Discrimination

Consider now a $\mathrm{DRIC}$-protocol but Alice chooses $a\in \left[D\right]$ with probably $p_a$ (instead of uniformly at random). Then, the amount Bob can cheat in this modified protocol exactly corresponds to the success probability of a quantum state discrimination (QSD) problem.

We can easily modify the optimization problem (18) to see that the optimal success probability in the QSD problem is given by

$$\beta :=max\left\{\sum _{a\in \left[D\right]}{p}_a\langle M_a,{\rho }_a\rangle :\sum _{a\in \left[D\right]}{M}_a=I_{\mathcal{B}},M_a⪰0,\forall a\in \left[D\right]\right\},$$

(69)

where we denote the optimal value as $\beta$ (to distinguish its context from cryptographic security for the moment).

Consider again Alice’s dual SDP (22)

$$\alpha :=min\left\{s:s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,I_{\mathcal{A}}\otimes Z_a⪰\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|,\forall a\in \left[D\right],Z_a\mathrm{is}\mathrm{Hermitian}\right\}.$$

(70)

Then, repeating the proof of Kitaev’s lower bound above, we get that $\beta \alpha \ge 1/D$. We can bound $\beta$ by bounding $\alpha$:

$$\begin{array}{ccc}\hfill \alpha & =& min\left\{s:s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,I_{\mathcal{A}}\otimes Z_a⪰\frac{1}{D}|{\psi }_a\rangle \langle {\psi }_a|,\forall a\in \left[D\right],Z_a\mathrm{is}\mathrm{Hermitian}\right\}\hfill \end{array}$$

(71)

$$\begin{array}{cc}=& inf\left\{s:s{I}_{\mathcal{B}}⪰\sum _{a\in \left[D\right]}{Z}_a,\langle Z_a^{-1},{\rho }_a\rangle \le D,\forall a\in \left[D\right],Z_a\mathrm{is}\mathrm{positive}\mathrm{definite},\forall a\in \left[D\right]\right\}\hfill \end{array}$$

(72)

$$\begin{array}{cc}=& inf\left\{{\lambda }_{max}\left(\sum _{a\in \left[D\right]}{Z}_a\right):\langle Z_a^{-1},{\rho }_a\rangle \le D,\forall a\in \left[D\right],Z_a\mathrm{is}\mathrm{positive}\mathrm{definite},\forall a\in \left[D\right]\right\},\hfill \end{array}$$

(73)

where ${\lambda }_{max}$ denotes the largest eigenvalue of a Hermitian matrix. Since ${\lambda }_{max}\left(A\right)={\left({\lambda }_{min}\left(A^{-1}\right)\right)}^{-1}$ for A positive definite, we have

$$\alpha ={\left(sup\left\{{\lambda }_{min}\left({\left({\sum }_{a\in \left[D\right]}{Z}_a\right)}^{-1}\right):\langle Z_a^{-1},{\rho }_a\rangle \le D,\forall a\in \left[D\right],Z_a \mathrm{is} \mathrm{positive} \mathrm{definite},\forall a\in \left[D\right]\right\}\right)}^{-1},$$

(74)

which implies

$$\frac{1}{\alpha D}=sup\left\{{\lambda }_{min}\left({\left({\sum }_{a\in \left[D\right]}\left(D{Z}_a\right)\right)}^{-1}\right):\langle Z_a^{-1},{\rho }_a\rangle \le D,\forall a\in \left[D\right],Z_a \mathrm{is} \mathrm{positive} \mathrm{definite},\forall a\in \left[D\right]\right\}.$$

(75)

Proposition 3 now follows by defining $W_a:={\left(D{Z}_a\right)}^{-1}$ for all $a\in \left[D\right]$.

We briefly discuss how Proposition 3 can be tight. We see that, if we view the QSD problem from the perspective of a cheating Bob in a $\mathrm{DRIC}$-protocol, then the (non)tightness of Proposition 3 is exactly characterized by the (non)tightness of Kitaev’s lower bound above. Thus, the examples of $\mathrm{DRIC}$-protocols saturating Kitaev’s lower bound, i.e., $P_B^{*}{P}_A^{*}=1/D$, yield instances of the QSD problem where Proposition 3 is tight.

6. Conclusions

We have shown simple, near-optimal protocols exist for die-rolling. In contrast to many other cryptographic primitives, sometimes classical protocols are optimal. When the presented classical protocols are not optimal, we can find an improvement using quantum protocols.

Open problems include studying die-rolling under different security definitions. For example, one may wish to see how far from uniform the outcome probabilities can me made in total variation distance, or some other metric. Another option is to see how secure the protocols are against forcing subsets of integers. Indeed, the classical protocols presented in this work can allow a cheating party to force an integer from a chosen subset. This security notion is needed when each party has a number of desired outcomes. For an example, there are many desired outcomes when playing roulette online. Is there a simple modification that would provide security in this scenario?