Fidelity of quantum strategies with applications to cryptography

We introduce a definition of the fidelity function for multi-round quantum strategies, which we call the strategy fidelity, that is a generalization of the fidelity function for quantum states. We provide many properties of the strategy fidelity including a Fuchs-van de Graaf relationship with the strategy norm. We also provide a general monotinicity result for both the strategy fidelity and strategy norm under the actions of strategy-to-strategy linear maps. We illustrate an operational interpretation of the strategy fidelity in the spirit of Uhlmann's Theorem and discuss its application to the security analysis of quantum protocols for interactive cryptographic tasks such as bit-commitment and oblivious string transfer. Our analysis is general in the sense that the actions of the protocol need not be fully specified, which is in stark contrast to most other security proofs. Lastly, we provide a semidefinite programming formulation of the strategy fidelity.


Review of quantum strategies
In this paper we consider multiple-round interactions between two parties involving the exchange of quantum information. There is a natural asymmetry between the parties as only one of the parties can send the first message or receive the final message. Since we are not concerned about optimizing the number of messages exchanged, without loss of generality both of these tasks are done by the same party, which, for convenience, we call Bob. Let us call the other party Alice. The interaction between Alice and Bob decomposes naturally into a finite number r of rounds (see Figure 1). Such interactions are conveniently described by the formalism of quantum strategies introduced in Ref. [GW07]. We closely follow that formalism here with the exception that we consider two mathematically different objects: strategies and pure strategies. Pure strategies are implemented using linear isometries and preserve their final memory space, while strategies trace out the final memory space. The object we call a strategy is called a non-measuring strategy in Ref. [GW07]. For additional details on quantum strategies, one may refer to [GW07,CDP09,Gut09].
Definition 1 (Pure strategy and pure co-strategy). Let r ≥ 1 and let X 1 , . . . , X r , Y 1 , . . . , Y r , Z r , W r be complex Euclidean spaces and, for notational convenience, let X r+1 := C and Z 0 := C. An r-round pure strategyÃ having input spaces X 1 , . . . , X r , output spaces Y 1 , . . . , Y r , and final memory space Z r , consists of: 1. complex Euclidean spaces Z 1 , . . . , Z r−1 , called intermediate memory spaces, and 2. an r-tuple of linear isometries (A 1 , . . . , A r ) of the form A i : An r-round pure co-strategy having input spaces Y 1 , . . . , Y r , output spaces X 1 , . . . , X r , and final memory space W r , consists of: 1. complex Euclidean intermediate memory spaces W 0 , . . . , W r−1 , 2. a pure quantum state |β ∈ X 1 ⊗ W 0 , called the initial state, and 3. an r-tuple of linear isometries (B 1 , . . . , B r ) of the form B i : A pure strategy and a pure co-strategy are said to be compatible when the input spaces of one are the output spaces of the other, and vice versa. The final state of the interaction betweenÃ andB is denoted by |ψ(Ã,B) := (I Zr ⊗ B r )(A r ⊗ I W r−1 ) · · · (I Z 1 ⊗ B 1 )(A 1 ⊗ I W 0 )|β ∈ Z r ⊗ W r .
In order to extract classical information from the interaction it suffices to permit Alice and Bob to measure their respective parts of the final state |ψ(Ã,B) .

Co-Strategy
. . . . . . Figure 1: An r-round interaction between a pure strategy of Alice (the linear isometries above the dashed line) and a pure co-strategy of Bob (the linear isometries below the dashed line). Arrows crossing the dashed line represent messages exchanged between the parties, while horizontal arrows represent private memory.
A pure strategyÃ specified by linear isometries (A 1 , . . . , A r ) can be represented by a single isometrỹ where X i...j is short for X i ⊗ · · · ⊗ X j and Y i...j is short for Y i ⊗ · · · ⊗ Y j . We abuse the notation 1Ã here and elsewhere in the paper by using it to denote both a pure strategy and the linear isometry representing it, and we do the same for pure co-strategiesB, discussed next. A pure co-strategyB specified by the initial state |β and linear isometries (B 1 , . . . , B r ) can be represented by a single isometrỹ Note that two pure strategies that are represented by the same linear isometry are effectively indistinguishable, and the same holds true for pure co-strategies.
Any one party is not affected by what the other party does with their final memory space. Hence, from the point of view of that party, the other party can trace it out. In view of this, a strategy A is obtained from a pure strategyÃ by tracing out the final memory space Z r and a co-strategy B is obtained from a pure co-strategyB by tracing out the final memory space W r . Multiple pure strategies (co-strategies) can yield the same strategy (co-strategy), and we call any such pure strategy (co-strategy) a purification. We will use tildes to indicate purifications.
Just as a pure strategy and a pure co-strategy can be specified by linear isometriesÃ andB, respectively, their corresponding strategy A and co-strategy B can be specified by quantum channels In turn, both of these channels can be specified using their Choi-Jamiołkowski representations, but, due to the asymmetry between strategies and co-strategies, it is convenient to specify the latter one using the Choi-Jamiołkowski representation of its adjoint map. Thus, we can represent a strategy A by J(Φ A ) and a co-strategy B by J(Ψ * B ), both of which are positive semidefinite operators acting on Y 1...r ⊗ X 1...r . In a similar abuse of notation as mentioned before, we refer to J(Φ A ) as the strategy A and to J(Ψ * B ) as the co-strategy B.
For compatible pure strategyÃ and pure co-strategyB, let denote the reduced state of the final memory space W r ofB after the interaction betweenÃ andB. Since this state is the same for all purifications of A, we omit the tilde above A in this notation.

The definition of strategy fidelity
Recall that the fidelity F(P, Q) between two positive semidefinite operators P and Q is defined as When applied to density operators ρ, ξ, the fidelity function F(ρ, ξ) is a useful distance measure for quantum states. We would like to construct a generalization of the fidelity function that can serve as a useful distance measure for quantum strategies. Just as the trace norm ρ − ξ Tr quantifies the distinguishability of quantum states, the strategy norm S − T ⋄r studied in [Gut12] quantifies the distinguishability of quantum strategies S and T having the same input and output spaces. In other words, S − T ⋄r is proportional to the maximum bias with which an interacting pure co-strategyB can distinguish S from T . Another expression for this maximum bias can be derived as follows. Let W r be the final memory space ofB and let ρ S (B), ρ T (B) be the reduced states of this final memory space after an interaction betweenB and S, T , respectively, as defined in (1). It is clear that the maximum bias with which S can be distinguished from T is proportional to the maximum over all suchB with which the final state ρ S (B) can be distinguished from ρ T (B), which is precisely Remark 2. All purificationsB of B are equivalent up to a unitary acting on W r . Thus, unitarily invariant distance measures between ρ S (B) and ρ T (B) (including the trace distance and the fidelity) depend only upon B and not upon the specific purificationB.
The strategy norm is defined so that In light of this observation, we define the strategy fidelity by replacing the maximization of the trace distance between ρ S (B) and ρ T (B) with the minimization of the fidelity between ρ S (B) and ρ T (B).
Definition 3 (Strategy fidelity). For any r-round strategies S and T having the same input and output spaces, the strategy fidelity is defined as where the minimization is over all compatible co-strategies B and the states ρ S (B), ρ T (B) are as defined in (1).
In the following discussion, we argue that this definition is a meaningful one by proving analogues of the Fuchs-van de Graaf inequalities and Uhlmann's Theorem for the strategy fidelity, among many other properties.
Remark 4. The same definition of fidelity has been considered for the case of channels [BDR05]. In that setting, they establish several properties which we generalize to the strategy setting.
First, let us observe that the fidelity for quantum states is recovered as a special case of the strategy fidelity when S, T are one-round strategies with no input (that is, X 1 = C) and only one output message. To see this, observe that one-round strategies such as S, T are simply states ρ, ξ acting on Y 1 . Bob's most general pure co-strategy is an isometryB : Y 1 → W 1 . In this case the effect of Bob's purified strategyB is cancelled in the computation of F r (S, T ) so that

Basic properties of the strategy fidelity
We now list several other properties of the strategy fidelity, all of which immediately hold using the corresponding properties of the fidelity of quantum states.
• (Fuchs-van de Graaf inequalities for strategies) For any r-round strategies S and T , it holds that • (Symmetry) For any r-round strategies S and T , it holds that F r (S, T ) = F r (T, S).
• (Joint concavity) For any r-round strategies S 1 , . . . , S n and T 1 , . . . , T n , and nonnegative scalars λ 1 , . . . , λ n satisfying n i=1 λ i = 1, we have We later discuss that the strategy version of the Fuchs-van de Graaf inequalities is crucial to our cryptographic applications. This was also used implicitly in [CDP + 13].

Monotonicity of the strategy fidelity and the strategy norm
The fidelity for quantum states is known to be monotonic under channels, meaning that for any choice of states ρ, ξ and channel Φ [BCF + 96]. It was observed in Ref. [BDR05] that the fidelity function of quantum channels (that aligns with our definition of strategy fidelity for a 1-round interaction) is also monotonic under composition (both left and right) with another channel. That is, and for all channels Φ, Ψ : L(X ) → L(Y) and ∆ into L(X ) and ∆ ′ on L(Y). However, there are other physical maps on channels that cannot in general be written as a composition with another channel. Chiribella, D'Ariano, and Perinotti call such mappings supermaps and characterize them in Ref. [CDP08]. Thus, the natural generalization of monotonicity of the kind described above would be the analogous statement involving supermaps. We provide an even stronger result concerning monoticity of the strategy fidelity using the following definition.
Definition 6. A strategy supermap is a completely positive linear map (with respect to Choi-Jamiołkowski representations) that maps r-round strategies to r ′ -round strategies. It is understood that r-round strategies are for some choice of input spaces X 1 , . . . , X r and output spaces Y 1 , . . . , Y r and r ′ -round strategies are for some choice of input spaces X ′ 1 , . . . , X ′ r ′ and output spaces The definition of strategy supermaps are inspired by physically realizable maps from r-round strategies to r ′ -round strategies studied by Chiribella, D'Ariano, and Perinotti [CDP09]. Our result, however, is purely mathematical and does not require strategy supermaps to be physically realizable.
Theorem 7 (Monotonicity of the strategy fidelity). For all natural numbers r, r ′ , all r-round strategies S, T , and all strategy supermaps Υ from r-round strategies to r ′ -round strategies, it holds that We can also prove a similar monotonicity result for the strategy norm. By analogy with the fidelity, the trace norm is known to be monotonic under channels, meaning that Φ(X) Tr ≤ X Tr for all operators X and all channels Φ [Rus94]. Similarly, the diamond norm can be shown to be monotonic under composition (both left and right) with channels, meaning that for all linear maps Φ : L(X ) → L(Y) and all channels ∆ into L(X ) and ∆ ′ on L(Y). As with the fidelity function for quantum channels, defined in Ref. [BDR05], monotonicity of the diamond norm under arbitrary supermaps has not yet been observed, nor has monotonicity of the strategy norm under strategy supermaps. We now establish a monotonicity result for the strategy norm, defined below.
Definition 8 (Strategy norm [Gut12]). Consider X 1 , . . . , X r and Y 1 , . . . , Y r as input and output spaces of r-round strategies, respectively. The strategy norm of a Hermitian operator H acting on Y 1...r ⊗ X 1...r is defined as where the maximization is over all positive semidefinite operators B 0 , B 1 acting on Y 1...r ⊗ X 1...r such that B 0 + B 1 is an r-round co-strategy having input spaces Y 1 , . . . , Y r and output spaces X 1 , . . . , X r .
Given H as a difference of two r-round strategies S and T , Definition 8 implies Eqn. (2).
Theorem 9 (Monotonicity of the strategy norm). For all natural numbers r, r ′ , all Hermitian operators H acting on Y 1...r ⊗ X 1...r and strategy supermaps Υ from r-round strategies to r ′ -round strategies, it holds that

Operational interpretation (min-max properties)
Here we propose an operationally motivated generalization of Uhlmann's Theorem [Uhl76] to the strategy fidelity. In so doing we elucidate the need for a min-max theorem. Recall that Uhlmann's Theorem for quantum states asserts that the fidelity F(ρ, ξ) between any two quantum states ρ and ξ, acting on X , is given by where |φ , |ψ ∈ X ⊗ Y are any purifications of ρ, ξ and the maximization is over all unitaries U acting on Y alone. Intuitively, F r (S, T ) should quantify the extent to which any purificationsS,T of two strategies S, T can be made to look the same by acting only on the final memory space Z r . It follows immediately from the definition of the strategy fidelity and Uhlmann's Theorem that where, again, the maximization is over all unitaries U acting on Z r alone. Notice the order of minimization and maximization in (5). This could be viewed as a competitive game between Alice (who plays according to S or T ) and Bob (who plays according to any arbitrary co-strategy B) in which Bob is trying to distinguish S from T and Alice is trying to make S and T look the same. To these ends, Bob chooses his strategy B so as to minimize the overlap | ψ(S,B)|ψ(T ,B) |; given such a choice B for Bob, Alice's responds with a unitary U that maximizes this overlap.
The problem is that Alice's choice of U may depend upon Bob's co-strategy B. The task of distinguishing S from T should depend only upon S and T -Alice should not be granted the ability to tweak S or T after she has acquired knowledge of Bob's specific choice of distinguishing co-strategy B. From an operational perspective, it would be much more desirable if the order of minimization and maximization in (5) were reversed. Alice should select her unitary U so as to make S look as much as possible like T before Bob selects his distinguishing co-strategy B. Thus, we require a type of min-max theorem.
The set of all co-strategies B for Bob is compact and convex [GW07], but it is not at all clear that the objective function in (5) is convex in B; we show later (Lemma 16) that this is indeed the case. However, the set of all unitaries U for Alice is not a convex set. One might think that we could extend the domain of maximization to the convex hull of the unitaries in the hopes that there is a saddle point (U, B) with U unitary. Unfortunately, saddle points do not in general occur at extreme points of the domain, so we are not guaranteed that such a unitary saddle point exists. Thus, a min-max theorem for the strategy fidelity involving unitaries is not so easily forthcoming.
However, if we allow Alice to apply a general quantum channel, we are able to obtain a min-max result, as stated below.
where the minimum is over all r-round pure co-strategiesB and the maximum is over all quantum channels Ξ acting on Z r alone.
Note that similar min-max results are derived in [BDR05] and [CDP + 13]. It will be convenient to define the following quantum channel.
Definition 11. A strategy fidelity-achieving channel Ξ is a channel which attains the maximum in (6), above.

Semidefinite programming formulation of strategy fidelity
It was shown in [Gut12] that the strategy norm has a semidefinite programming formulation. Also, the fidelity of quantum states has semidefinite programming formulations, see [Wat09,Wat13] for examples. It is natural to ask whether the strategy fidelity has such a formulation. We answer this question in the affirmative, below.
Theorem 12 (Semidefinite programming formulation of strategy fidelity). Fix any purificationsS andT of r-round strategies S and T , respectively. Then F r (S, T ) 2 is equal to the optimal objective function value of the following semidefinite program: where the variables R j are Hermitian acting on Y 1...j ⊗ X 1...j for each j ∈ {1, . . . , r}, and h.c. denotes the Hermitian conjugate.

Applications to two-party quantum cryptography
Since the seminal work of Wiesner [Wie83] and Bennett and Brassard [BB84], there has been much interest in knowing the advantages, and limitations, of quantum protocols for cryptographic tasks. Due to the interactive setting of such protocols, the use of quantum strategy analysis has proven to be useful. In [GW07], it was shown how to rederive Kitaev's lower bound for coin-flipping [Kit02]. In [CDP + 13], it was shown how to find a simple proof of the impossibility of interactive bit-commitment. Here, we find a similar proof of this and extend the argument to oblivious string transfer.
In this paper, we present our ideas using the machinery we have developed for the strategy fidelity. In particular, we show that the strategy version of the Fuchs-van de Graaf inequalities (Eqn. (4)) are of central importance in providing security lower bounds. In fact, due to the nature of the strategy norm and strategy fidelity, we are able to bound the security without even specifying the entire protocol! This is in stark contrast to many other security proofs/models studied, for example in [Kit02, SR01, Amb01, NS03, ABDR04, KN04, GW07, CK09, CK11, CKS13, CKS14, NST15, NST16, CGS16,Sik16] where Alice and Bob's actions are assumed to be fully specified (and known to cheating parties). We note that our proposed security model is implicit in the bit-commitment security bounds in [CDP + 13] and in the channel setting in [BDR05].
In this paper, we show the impossibility of ideal quantum protocols for interactive bit-commitment and oblivious string transfer.

Interactive bit-commitment
In bit-commitment, we require Alice and Bob to interact over two communication stages: • Commit Phase: Alice chooses a uniformly random bit a and interacts with Bob using an r-round pure strategyÃ a .
• Reveal Phase: Alice sends a to Bob and continues her interaction with him (so that Bob can test if she has cheated).
• Cheat Detection: Bob, knowing which pure strategyB he has used, measures to check if the final state is consistent with Alice's pure strategyÃ a . He aborts the protocol if this measurement detects the final state is not consistent with Alice's pure strategyÃ a . If Alice is honest, he never aborts.
Protocols are designed with the intention to achieve the following two important properties of interest: • Binding: Alice cannot change her mind after the Commit Phase and reveal the other value of a (without being detected by Bob).
• Hiding: Bob cannot learn Alice's bit a before she reveals it during the Reveal Phase.
Finding a protocol with perfect binding and hiding properties is known to be impossible [May97, LC97, LC98]. However, these security proofs rely on an assumption that we do not make, that honest Bob's actions are specified beforehand (and thus known to Alice).
We define the cheating probabilities of Alice and Bob as follows: B BC : The maximum probability with which a dishonest Bob can learn an honest Alice's committed bit a ∈ {0, 1} after the Commit Phase. A BC : The maximum probability with which Alice can change her commitment from 0 to 1 (or from 1 to 0) before the Reveal Phase.

Remark 13. Note that in the definition of cheating Alice above, we do not assume Alice knows Bob's actions. It could even be the case that Bob's sole purpose is to choose a co-strategy such as to minimize A BC .
Cheating Bob wishes to distinguish between one of two uniformly randomly chosen strategies. We know from [Gut12] that In Section 5, we show that An interesting observation is that this only depends on Alice's honest strategies, not Bob's. Thus, by the Fuchs-van de Graaf inequalities for strategies (Proposition 5), we have the following tradeoff lower bound.

Moreover, we have that Alice or Bob can cheat with probability at least
Note that this is a similar bound to the one obtained in [CDP + 13] for the interactive setting and exactly the same as in [BDR05] in the channel setting.
We remark that, when Alice and Bob's actions are completely specified, optimal protocols are known [CK11].

1-out-of-2 interactive oblivious string transfer
This is an interactive cryptographic task between Alice and Bob where Bob has two bit-strings 2 (x 0 , x 1 ) and Alice wishes to learn one of the two in the following manner: • Alice chooses a uniformly random bit a which corresponds to her choice of which string she wishes to learn, and interacts with Bob via the r-round pure strategyÃ a .
• For every (x 0 , x 1 ), Bob uses a pure co-strategyB x 0 ,x 1 , such that Alice learns the string x a with certainty by measuring her private space Z r at the end of the protocol.
Note that we do not assume any structure on how Bob behaves other than the consistency condition above. For example, x 0 and x 1 may be the result of another protocol of which Alice is not part, and thus she does not even know the distribution from which they are drawn. Again, Bob's strategy may be such that, conditioned on the above requirements, he just wants to foil Alice's cheating, as defined below.
We define the cheating probabilities of Alice and Bob as follows: B OT : The maximum probability with which a dishonest Bob can learn an honest Alice's choice bit a. A OT : The maximum probability with which a dishonest Alice can learn x 0 after learning x 1 with certainty, or vice versa.
Cheating Bob behaves the exact same as in a bit-commitment protocol. Thus his cheating probability is again In Section 5, we show the following bound on cheating Alice: This yields the same bound as in bit-commitment, below.
Theorem 15. In any interactive quantum protocol for 1-out-of-2 oblivious string transfer, we have that Moreover, we have that Alice or Bob can cheat with probability at least 9− √ 17 8 ≈ 61%.
Note that in the case where Bob has two bits (i.e., the strings have bit-length 1), an optimal security trade-off between Alice and Bob is known [CGS16]: However, this assumes perfect knowledge of Alice and Bob's honest strategies. Thus, our bound for cheating Alice is a bit weaker, but has the added benefit of only depending on her honest strategies.

Technical lemmas and the strategy generalization of Uhlmann's Theorem
In this section we prove two lemmas that allow us to establish nontrivial properties of the strategy fidelity. These lemmas are used to prove the strategy generalization of Uhlmann's Theorem (Theorem 10) and to provide a semidefinite programming formulation of the strategy fidelity (Theorem 12).
Before we proceed, let us introduce some notation. Let Y i...j X i ′ ...j ′ be short for Y i...j ⊗ X i ′ ...j ′ . Let L(X ), U(X ), Her(X ), Pos(X ), and Dens(X ) be, respectively, the set of all linear, unitary, Hermitian, positive semidefinite, and density operators acting on X . Let K(X ) be the convex hull of U(X ), namely, the set of all operators K ∈ L(X ) such that K ≤ 1. Suppose X and Y are two complex Euclidean spaces with fixed standard basis. Given a linear operator A : X → Y written in the standard basis as Note that the inner product above depends on B but not on its purificationB. This exemplifies what we stated earlier as Remark 2.
Proof of Lemma 16. The proof mirrors that of Ref. [GW07,Theorem 5]. The main difference is that here we compute an inner product between two distinct vectors |ψ(S,B) , (K ⊗ I Wr )|ψ(T ,B) (both being normalized if K is unitary) arising from the distinct pure strategiesS,T for Alice, whereas the proof of Ref. [GW07,Theorem 5] computes a similar inner product between two identical, subnormalized vectors. Further clarification of that proof is given in Ref. [Gut09]; we draw upon both of the references [GW07,Gut09] for the present proof.

Lemma 17. Let S, T be r-round strategies and letS,T be any purifications of S, T . It holds that
where the minimum is over all compatible r-round co-strategies B for Bob and the maximum is over all K ∈ K(Z r ) acting on the final memory space Z r for Alice.
Proof. By applying Lemma 16 to Eqn. (5), we get where the maximum is over all U ∈ U(Z r ). The advantage of this identity is that the objective function is linear in U . Since linear functions are also convex and since the maximum of a convex function over a compact convex set is always achieved at an extreme point, the above quantity does not change if we replace the maximization over unitaries with the maximization over the convex hull of the unitaries. Namely, where the maximization is over all K ∈ K(Z r ). By a standard min-max theorem from convex analysis (see, for example, [Roc70]), we may reverse the order of optimization, concluding the proof. Now, with Lemmas 16 and 17 at our disposal, we proceed to prove the strategy generalization of Uhlmann's Theorem.
Proof of Theorem 10. From Lemma 17, it follows that We square this inequality and apply Lemma 16 to obtain Let us defineK = I Zr − K * K (noting that K * K I Zr ) and which is a quantum channel as its Kraus representation {K,K} satisfies K * K +K * K = I Zr . Since   due to Eqn. (5) and the fact that Uhlmann's Theorem also holds replacing unitaries with channels. Hence, the inequality (9) is in fact an equality due to the max-min inequality.

Monotonicity
Recall that strategy supermaps Υ map r-round strategies to r ′ -round strategies and they are linear and completely positive. For our results, we need certain properties of the adjoints of strategy supermaps. To this end, we first prove the following lemma.
Proof. If X 0 satisfies X, S = 1 for all strategies S, then X also satisfies X, S ′ ≤ 1 for all S ′ such that 0 S ′ S for some strategy S. Thus, from Ref. [GW07] 3 , we have that there exists a co-strategy B such that X B. For any pair of compatible strategy S and co-strategy B, we have B, S = 1 [GW07], therefore, we have X, S = B, S for all strategies S. Next, if we consider where dim(Y 1...r ) is the product of the dimensions of spaces Y 1 , . . . , Y r , then this is a valid strategy. Then we get that X and B have the same trace. Since 0 X B, we have that X = B, which completes the proof.
We can now provide an important property of the adjoint of strategy supermaps.
Lemma 19. If Υ is a strategy supermap from r-round strategies to r ′ -round strategies, then Υ * is a costrategy supermap 4 from r ′ -round co-strategies to r-round co-strategies.
Proof. Let B be an r ′ -round co-strategy. Then have have that Υ * (B), S = B, Υ(S) = 1 for all r-round strategies S. Since Υ is completely positive, so is Υ * , implying that Υ * (B) is positive semidefinite. From Lemma 18, we have that Υ * (B) is an r-round co-strategy, as required.

Monotonicity of the strategy fidelity
We now provide a proof of Theorem 7.
Proof of Theorem 7. Since Υ is completely positive, we can let where the minimum is over all r ′ -round co-strategies B ′ for Bob and the maximum is over all unitaries U ′ ∈ U(Z r M) on the final memory space Z r M for Alice. The quantity (10) can only decrease if we restrict the domain of maximization to unitaries of the form U ⊗ I M for some U ∈ U(Z r ), thus As the image under Υ * of the set of all r ′ -round co-strategies is a subset of the set of all r-round co-strategies (by Lemma 19), the quantity (11) can only decrease if we extend the domain of minimization to all r-round co-strategies B for Bob: as desired.

Monotonicity of the strategy norm
Proof of Theorem 9. By the definition of the strategy norm, Definition 8, we have Note that Υ * is both linear and completely positive. Thus, given B ′ 0 , B ′ 1 0 such that B ′ 0 + B ′ 1 is an r ′round co-strategy, we have that B 0 := Υ * (B ′ 0 ) 0 and B 1 := Υ * (B ′ 1 ) 0 and, by Lemma 19, B 0 + B 1 is an r-round co-strategy. But the image under Υ * of the set of all r ′ -round co-strategies may be a strict subset of the set of all r-round co-strategies, hence the inequality in the above expression.

Semidefinite programming formulation for strategy fidelity
In this section, we use Lemma 17 to prove Theorem 12. From Lemma 17, we have that |T , and B is Bob's co-strategy. By defining From [GW07, Corollary 7], we know that B must satisfy B = Q r ⊗ I Yr for some (Q 1 , . . . , Q r ) satisfying . . , r}. Thus, φ(K) can be formulated as a semidefinite program. Its dual can be written as α(K) := max t : tI X 1 Tr Y 1 (R 1 ), R j ⊗ I X j+1 Tr Y j+1 (R j+1 ), for j ∈ {1, . . . , r − 1}, R r C , where R j ∈ Her(Y 1...j ⊗ X 1...j ). Since this has a strictly feasible solution, as does the primal, we know α(K) = φ(K) by strong duality and α(K) attains an optimal solution. We now let M = I Zr K K * I Zr and set M 0 to get K ≤ 1. We can check that C is a linear function in M (since M is Hermitian). Thus, we have that the strategy fidelity can be written as in Theorem 12.

Alice's cheating in interactive bit-commitment and oblivious string transfer
In this section we show that Alice can cheat with probability F r (A 0 , A 1 ) 2 in either bit-commitment or oblivious string transfer. The cheating has the same flavour in both cases: Alice will follow the protocol honestly, then try to change her state as to make it look like she chose the other strategy from the beginning. Suppose Alice uses pure strategyÃ a and Bob uses pure co-strategyB. For brevity, define for each a ∈ {0, 1} the following states |ψ a := |ψ(Ã a ,B) and σ a := (Ξ a ⊗ I Wr )(|ψ a ψ a |) where Ξ a is the strategy fidelity-achieving channel (from Definition 11) such that ψā|σ a |ψā ≥ F r (A 0 , A 1 ) 2 .
Note that the aim of Ξ a is to get σ a as close as possible to |ψā ψā|.

Bit-commitment
When we study interactive bit-commitment, we are applying the strategy/co-strategy formalism to only the commit phase. From the above discussion, Alice can create the state σ a ∈ Dens(Z r ⊗ W r ) to try to change her commitment from a toā. Then Alice continues her actions to "reveal"ā in the Reveal Phase, as does Bob (even though Bob's actions are not specified to Alice). We just assume that this entire process is done by a unitary Uā acting on Z r ⊗ W r . Then, Bob has a projective measurement {Π accept , Π reject } which accepts Uā|ψā with certainty, thus leading to a non-destructive measurement. Thus, we have (I Zr ⊗ Π accept )Uā|ψā = Uā|ψā .
This implies that (I Zr ⊗ Π accept ) Uā|ψā ψā|U * a . However, Alice's actions have led to them sharing Uāσ a U * a at the end of the protocol. So, we have that Alice successfully revealsā with probability A BC ≥ I Zr ⊗ Π accept , Uāσ a U * a ≥ Uā|ψā ψā|U * a , Uāσ a U * a = |ψā ψā|, σ a ≥ F r (A 0 , A 1 ) 2 using Eqn. (13), as desired.

Oblivious string transfer
We can assume Alice uses a projective measurement {Π a z } to learn her desired string. Note that since x a is learned with certainty, this is a non-destructive measurement, as in the bit-commitment analysis above. That is, we have Π a xa ⊗ I Wr |ψ(Ã a ,B x 0 ,x 1 ) = |ψ(Ã a ,B x 0 ,x 1 ) for all a and (x 0 , x 1 ). Again, this implies Π a xa ⊗ I Wr |ψ(Ã a ,B x 0 ,x 1 ) ψ(Ã a ,B x 0 ,x 1 )|.
Thus, after learning x a , she can create the state σ a (defined above) to try to learn xā. (Here, theB in the definition of σ a isB x 0 ,x 1 .) Then she measures as if she had used pure strategyÃā (that is, using {Πā z }) to try to learn xā. Then, using (14) and the definitions in (12), we have A OT ≥ Πā xā ⊗ I Wr , σ a ≥ ψā|σ a |ψā ≥ F r (A 0 , A 1 ) 2 , as desired.