Graphical Methods in Device-Independent Quantum Cryptography

We introduce a framework for graphical security proofs in device-independent quantum cryptography using the methods of categorical quantum mechanics. We are optimistic that this approach will make some of the highly complex proofs in quantum cryptography more accessible, facilitate the discovery of new proofs, and enable automated proof verification. As an example of our framework, we reprove a recent result from device-independent quantum cryptography: any linear randomness expansion protocol can be converted into an unbounded randomness expansion protocol. We give a graphical exposition of a proof of this result and implement parts of it in the Globular proof assistant.


Introduction
Graphical methods have long been used in the study of physics and computation. In physics, this can be traced back at least as far as Penrose's use of diagrams [35]. During the last decade of the twentieth century, rigorous methods for graphical reasoning in monoidal categories were developed by Joyal, Street, and others [25,38]. When Abramsky and Coecke proposed monoidal categories as an alternative foundation for quantum physics [2], they were able to draw from these technical developments to introduce an elaborate graphical language for reasoning about quantum mechanical concepts. Since then, the use of rigorous graphical methods has been extended widely, ranging from foundations [2] to quantum algorithms [41], quantum error correction [7], and beyond [9,12]. The great success of graphical methods in the quantum sciences is largely due to their ability to deal with elaborate concepts in a simple way. This is especially true when compared to the standard methods involving linear operators acting on Hilbert space.
Quantum cryptography, the study of cryptographic protocols that are based on quantum mechanical principles, is an ideal candidate for graphical analysis. Indeed, proofs in quantum cryptography are often long and complicated even when the central idea of the proof is relatively clear. Pictures are regularly used as a conceptual aid in discussions of quantum cryptography, but it would be beneficial, both for accessibility and for mathematical rigor, if proofs themselves could be expressed as pictures. For this reason, the field of quantum cryptography can benefit from the abstract methods of categorical quantum mechanics [10,11].
To our knowledge the use of graphical methods to formalize quantum cryptography is fairly new, although the literature provides some useful beginnings. Graphical security proofs for quantum key distribution (one of the original problems in the field) have been presented in [13,14,24], although these are not yet at the level of security that has been proved through non-graphical means. Meanwhile, the literature has a number of formal treatments of cryptography that are not primarily based on graphical reasoning. (One important example is [8], which has a focus similar to the current paper. See also [23,28,34,39]).
One of the recent major achievements of quantum cryptography is the development of device-independent security proofs [29]. In such proofs, not only the adversary but also the quantum devices are untrusted, and allowed to exhibit uncharacterized behavior. Protocols in this field always include a classical test of the quantum devices which leads to a "succeed" or "abort" event at the end of the protocol, and we must prove that if the protocol "succeeds," then the desired cryptographic task has been securely carried out. Device-independence is a desirable level of security for quantum cryptography (in particular because it accounts for arbitrary noise or imperfection in the quantum hardware) and it will be our focus in this paper.
As a specific problem to study, we consider device-independent randomness expansion. Research over the last decade has led to a proof that random numbers can be generated with devices that are completely untrusted [3,5,15,17,18,20,30,31,36,37,40]. Precisely, two untrusted quantum devices, together with a perfectly random seed of length N, can be manipulated by a classical user to generate a perfectly random output of size f(N) > N with negligible error. See [1] for a gentle introduction to this topic and [32] for a discussion of a possible implementation.
Recent work [8,17,31] showed an extension: one can take two copies of such a randomness expansion protocol (using different pairs of devices for each copy) and cross-feed them to produce an arbitrarily large quantity of random bits from a fixed-length seed. Proving the security of this extension is not easy (indeed, the paper containing the first proof [16] was 36 pages long). Here, we give a proof of this extension (based on [8,31]) using a graphical language. Explicitly, we prove that any secure protocol for linear randomness expansion implies a secure protocol for unbounded randomness expansion. The proof is based on formal graphical reasoning and is fairly compact.
A great benefit of graphical proofs is they are also highly amenable to computer verification. The Globular proof assistant software [4] carries out category-theoretic proofs, using diagrams that are easily compatible with [10,11]. To further demonstrate the utility of our work we implemented the proof of unbounded randomness expansion in Globular. The proof is available as a video at [22]. This paper is organized as follows. In Section 2 we formalize a language for dealing with quantum processes, building on [10,11] and adding some new elements. Section 3 provides the formal basis for quantum cryptographic protocols that are based on untrusted devices. In Section 4 we give the proof that linear randomness expansion implies unbounded randomness expansion, and comment on our use of computer-assisted proof software. We conclude and discuss future work in Section 5.
We note that the recent preprint [26] also addresses graphical proofs of quantum cryptography with a different focus (device-dependent quantum key distribution). The graphical concepts in the present paper and in [26] were developed independently, and we expect that there will be a useful synergy between the two papers.

Our contributions
The picture-language in this paper is based primarily on [10,11]. We have added some new elements in order to enable quantum cryptographic proofs. Here are some of the additions:
1. Diagrams versus sets. Whereas a diagram in the language of [10,11] represents a quantum process, we have expanded this to allow diagrams with uncharacterized elements to represent sets of processes. This is especially useful in the device-independent context for expressing security statements (see Definition 2.2).
2. Approximation. We use the symbol = to denote that the state represented by one diagram is approximately equal to the state represented by another. This allows proofs via chains of approximations. (This feature was also independently used in [26].)
3. Duplication of states. We define the "duplication" of a classical-quantum state (see subsection 2.3), a convenient shorthand which encompasses both copying of classical states and purification of quantum states.
4. A graphical formalization of device-independence. We give a graphical formalization of what it means precisely for a protocol to be device-independent (subsection 3.2).

Fundamentals
In this section, we cover useful graphical techniques and concepts, building on [10,11]. First, we describe the graphical language of categorical quantum mechanics. Next, we introduce a notion of distance between diagrams. Finally, we define the process of duplicating states. For further details the reader is encouraged to consult [10,11] or the more recent [12] for categorical quantum mechanics, and [42] for notions of distance relevant to quantum information theory.

The graphical language of categorical quantum mechanics
Throughout, O denotes a collection of finite-dimensional Hilbert spaces, each with a fixed orthonormal basis. We assume that O is closed under tensor products (i.e., if V, W ∈ O then V ⊗ W ∈ O) and that O contains the space C^n for every non-negative integer n. We sometimes refer to the elements of O as types or registers.
We say that f is a process of type V → W if f is a linear operator whose domain is V and whose range is W . It is represented by a box labelled f whose input and output wires are labelled with the types V and W as follows.
Note that diagrams are read from bottom to top. The identity operator is a process represented by a box-less diagram (below, left). The composition and tensor product of processes are respectively represented by the vertical and horizontal composition of diagrams (below, center and right).
Note that two processes can be vertically composed only if their types are compatible. A process with no input wires is a state. A state v of type V should be interpreted as a vector in V and is represented by the first diagram below. The conjugate, transpose, and conjugate-transpose (i.e., adjoint) of v are also depicted below (second, third, and fourth diagram respectively).
A process with no output wires is called an effect. A process with no input and no output is a number, and is represented simply by a diamond with a label on it indicating its value. A spider is a process drawn as follows. The diagram (4) denotes the vector Σ_e e ⊗ e ⊗ e ∈ W ⊗ W ⊗ W, where the sum is taken over the standard basis of W. Because they will play an important role below, we will also introduce the uniform vector, which is denoted by a gray node. Thus, the diagram on the left side of (5) denotes the vector
To graphically distinguish them from their classical counterparts, quantum states, effects, and processes are drawn with thick lines as in the respective diagrams below.
mixed state is only required to satisfy Σ_i ‖v_i‖^2 ≤ 1. Unless otherwise specified, the word "state" refers to a normalized mixed state.
A linear map Q → C is a quantum effect if it maps all states to the interval [0, 1], that is, if whenever Ψ is a quantum state of Q,
(In the more conventional framework [42], effects correspond to positive semidefinite operators on Q with operator norm less than or equal to one.) The effect Q → C given by w ↦ ⟨w, Σ_i e_i ⊗ e_i⟩, where {e_i} denotes the standard basis of Q, is denoted by (9).
A causal quantum process Σ from a register Q to another register R is a linear homomorphism such that for any state Ψ of Q ⊗ Q, the diagram below represents a state. (In the conventional framework, causal quantum processes correspond to completely positive trace-preserving maps.) A stochastic quantum process is one that satisfies the same condition, with the weaker requirement that the diagram above is a subnormalized quantum state. Unless otherwise specified, the phrase "quantum process" refers to a stochastic quantum process. A pure process is a quantum process of the form shown in (11). Note that pure processes map pure subnormalized states to pure subnormalized states.
If Ψ is a state of QR, we denote the partial trace over R as follows: A diagram in which every element is specified as an explicit linear map is itself a linear map (obtained by composition and tensor product). A diagram in which some elements are unlabelled denotes a set of linear maps. For example, the diagram Q denotes the set of all (normalized mixed) states of Q. A single unlabelled wire denotes the set of all identity In general, a diagram denotes the set of all processes that can be expressed in the form shown in the diagram. We will use the picture element to denote an arbitrary element of [0, 1].

Approximations
In what follows, we will need to be able to discuss the distance between certain processes. We therefore define a relation between diagrams which captures the appropriate metric. (This metric is half of the diamond norm distance; see [42] for further details.)
Definition 2.1. If c, d, and are real numbers, we write c = d if |c − d| ≤ . Now let Σ and Σ be two processes of the same type. We write Σ = Σ if for all states Ψ and effects β,

Note that the above definition remains equivalent if the phrase "for all states Ψ" is replaced by "for all pure states Ψ." If we restrict the processes Σ and Σ to be states (i.e., to have no inputs) then Σ = Σ if Σ and Σ differ by no more than 2 in trace distance. It can be verified that the notion of approximation defined above satisfies the triangle inequality: if Σ = Σ and Σ = δ Σ, then Σ = +δ Σ.

Next we generalize the notion of distance between processes to a notion of distance between sets of processes. (A similar notion of approximation appears in the non-graphical formalism of [28].)

Definition 2.2. Let A and B be two sets of processes, all of which have the same type. We write

Note that the symbol = is used to denote a relation between numbers, a relation between processes, and a relation between sets of processes. However, it will always be clear from the context whether numbers, processes, or sets of processes are being compared, so that no ambiguity should arise from this slight abuse of notation.

Duplication
We now introduce the notion of duplicate states, which is closely related to the notion of purification of quantum states (see section 2.5 of [33]).
If Ψ is a subnormalized classical-quantum state of a quantum register CQ, then we can write Ψ = where P is the linear map defined by Then, the canonical duplicate state of Ψ is given by (See equation (48) in the appendix for an expression for this state in a more conventional form.) Note that
More generally, a state Ψ of CQQC is a duplicate state (or simply duplication) of Ψ if (18) holds (with Ψ replaced by Ψ) and Ψ has the form Ψ = Σ_i e_i ⊗ ψ_i ⊗ e_i, where each ψ_i is a pure subnormalized state of QQ.
Duplicate states have the following universality property: for any subnormalized classical-quantum state Φ of CQRD, where R is a quantum register and D is a classical register, such that there exists a causal process α from QC to RD satisfying The following proposition follows from standard techniques and is proved in Appendix A.
Let Ψ be a state on CQQC that is a duplicate of Ψ. Then, there exists a causal process α from QC to RD satisfying

Proof. By the universality property noted above, it suffices to prove this with Ψ replaced by the canonical duplicate state Ψ of Ψ. By Proposition 2.3, the canonical duplicate state Σ of the state on the left side of (21) satisfies Σ = 2 √ Ψ. There is a causal process α from QC to RD such that
Applying the same process to Ψ yields a state that is within distance √2 from Φ.

Untrusted quantum processes
An untrusted quantum process is represented by a diagram in which all of the quantum processes are unlabelled and all of the classical processes are labelled. We discuss an example of such processes and then give a definition of the more specific class of device-independent quantum protocols.

Example: Quantum strategies for nonlocal games
A nonlocal game is a game played by k ≥ 2 parties in which the players are given random inputs X_1, ..., X_k, respectively, according to some fixed joint probability distribution; they produce outputs A_1, ..., A_k, and these outputs are scored as L(X_1, ..., X_k, A_1, ..., A_k), where L is a deterministic function that maps to {0, 1}. An example (the Clauser-Horne-Shimony-Holt game) is given below. The registers X, A, B, Y are classical bit registers (each isomorphic to C^2).
The effect at the top denotes the map C^{{0,1}^4} → C given by (p_xaby) ↦ Σ_{a⊕b=x∧y} p_xaby, i.e., it sends the joint distribution over inputs and outputs to the probability that the game is won. This game is a common building block for device-independent protocols (including in particular the randomness expansion results that we will consider in section 4).
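As an added worked example (this is not code from the paper), the following Python program implements the CHSH scoring effect above as a function on a joint distribution p_xaby and plugs in two kinds of devices: the sixteen deterministic strategies that non-communicating classical devices can follow, whose best winning probability is 3/4, and the standard quantum strategy on a maximally entangled pair, which wins with probability cos²(π/8) ≈ 0.854. The gap between the two numbers is what makes the game usable as a test of untrusted devices: a classical user who observes a winning rate significantly above 3/4 has certified that the devices are not behaving classically, without trusting anything about their internals. The choice of observables (Pauli Z and X on one side, their ±45-degree rotations on the other) and all function names are my own assumptions, not notation from the paper.

```python
import math
from itertools import product

# --- The CHSH scoring effect from the diagram ----------------------------
def chsh_wins(x, y, a, b):
    """Winning predicate L(x, y, a, b) = 1 iff a XOR b == x AND y."""
    return (a ^ b) == (x & y)

def chsh_effect(p):
    """The effect C^{{0,1}^4} -> C: sum p_xaby over the winning tuples,
    i.e. the winning probability of the joint distribution p."""
    return sum(v for (x, a, b, y), v in p.items() if chsh_wins(x, y, a, b))

def joint_from_conditional(cond):
    """Build p_xaby from uniformly random inputs x, y and a conditional
    distribution cond(x, y, a, b) = p(a, b | x, y)."""
    return {(x, a, b, y): 0.25 * cond(x, y, a, b)
            for x, a, b, y in product((0, 1), repeat=4)}

# --- Classical devices: deterministic, non-communicating -----------------
def best_deterministic_win_probability():
    """Enumerate all 16 deterministic strategies a = f_A(x), b = f_B(y).
    Shared classical randomness is a mixture of these, so the maximum is
    the classical bound 3/4 that the device test relies on."""
    best = 0.0
    for fa0, fa1, fb0, fb1 in product((0, 1), repeat=4):
        def cond(x, y, a, b, fa=(fa0, fa1), fb=(fb0, fb1)):
            return 1.0 if (a == fa[x] and b == fb[y]) else 0.0
        best = max(best, chsh_effect(joint_from_conditional(cond)))
    return best

# --- Quantum devices sharing |Phi+> = (|00> + |11>) / sqrt(2) -------------
def mat_add(A, B):
    return [[A[i][j] + B[i][j] for j in range(2)] for i in range(2)]

def mat_scale(c, A):
    return [[c * A[i][j] for j in range(2)] for i in range(2)]

def kron(A, B):
    """Kronecker product of two 2x2 matrices (the tensor product of the page)."""
    return [[A[i // 2][j // 2] * B[i % 2][j % 2] for j in range(4)] for i in range(4)]

def quad_form(v, M):
    """<v| M |v> for a real 4-vector v and real 4x4 matrix M."""
    return sum(v[i] * M[i][j] * v[j] for i in range(4) for j in range(4))

I2 = [[1.0, 0.0], [0.0, 1.0]]
PAULI_Z = [[1.0, 0.0], [0.0, -1.0]]
PAULI_X = [[0.0, 1.0], [1.0, 0.0]]

def projector(obs, a):
    """Projector onto the (-1)^a eigenspace of a +/-1-valued observable."""
    sign = 1.0 if a == 0 else -1.0
    return mat_scale(0.5, mat_add(I2, mat_scale(sign, obs)))

def quantum_conditional(x, y, a, b):
    """p(a, b | x, y) for the assumed (Tsirelson) strategy: Alice measures
    Z or X, Bob measures (Z+X)/sqrt2 or (Z-X)/sqrt2, on |Phi+>."""
    alice = (PAULI_Z, PAULI_X)[x]
    bob = (mat_scale(1 / math.sqrt(2), mat_add(PAULI_Z, PAULI_X)),
           mat_scale(1 / math.sqrt(2), mat_add(PAULI_Z, mat_scale(-1.0, PAULI_X))))[y]
    phi_plus = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]
    return quad_form(phi_plus, kron(projector(alice, a), projector(bob, b)))

def quantum_win_probability():
    return chsh_effect(joint_from_conditional(quantum_conditional))

if __name__ == "__main__":
    print("classical bound     :", best_deterministic_win_probability())
    print("quantum strategy    :", quantum_win_probability())
    print("cos^2(pi/8) for ref :", math.cos(math.pi / 8) ** 2)
```

The joint distribution is built with uniformly random inputs, which is the input distribution the spot-checking protocols of section 4 use when they decide to play a game round; any other fixed input distribution can be substituted in `joint_from_conditional` without touching the effect.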

Device-independent quantum protocols
Now we are ready to formalize the notion of a protocol in the device-independent setting. Historically, a quantum protocol is device-independent if all of its quantum processes are untrusted and uncharacterized (whereas strictly "classical" aspects, such as timing, non-communication, and computation, are still trusted). This definition can be traced back to early papers such as Mayers and Yao [29] and Ekert [19]. There is some room for interpretation as to exactly which quantum processes are allowed in device-independence, and we offer a specific formalism here. (Our treatment can be compared to the non-graphical formalization of device-independent protocols in section 4 of [8].) For simplicity our definition is for a 2-device protocol, but it could easily be generalized to an N -device protocol.
Definition 3.1. A device-independent protocol with 2 quantum devices is a diagram of the form
where S is constructed from the following subdiagrams.
1. Communication between devices. An untrusted process transferring information (one way) from one of the two quantum registers to the other:

Note that every device-independent protocol has two representations: one is as a diagram (including some unlabelled elements) and the other is as a set of processes from CQ_1Q_2 to CQ_1Q_2. (We may use the label S to refer to either representation.) Device-independent protocols can be composed (e.g., the output quantum states of one protocol can be given as inputs to another, which corresponds to re-using the devices from the first protocol in the second).

Randomness expansion

Linear randomness expansion
We can now phrase security results on device-independent randomness expansion [15] in terms of diagrams. A device-independent randomness expansion protocol accepts a seed and returns a larger output. Security results for such protocols consist of asserting that if the seed is uniformly random, then except with negligible probability, the output is also uniformly random.
The protocols that we consider for randomness expansion consist of iterating 2 untrusted devices many times, and sometimes at random playing a nonlocal game (such as the CHSH game) to test that the devices are behaving properly (see Figure 2 in [31] for an example). For the purposes of our discussions here, we need only to assert that secure randomness expansion protocols exist.
A simple way to assert security for a 2-device randomness expansion protocol R is to say that replacing the output with a true uniformly random state has a negligible effect, i.e.,
(Here we have compressed the two device states of R into a single thick wire, and we are using the labels M and N as a shorthand for C^M and C^N.) But it is preferable to have a stronger assertion: we wish to know that the output of the protocol is also approximately uniform when conditioned on the seed and on any quantum information entangled with the devices. The following theorem captures this stronger assertion.
1. Soundness.
Proof. This is a special case of results from, e.g., section 2 of [31]. "Soundness" asserts that the protocols R(N) must either produce random numbers or fail. "Completeness" asserts that there exist processes which will make R(N) succeed with probability approaching 1.
The following corollary will be a key step in our proof of unbounded randomness expansion. Whereas Theorem 4.1 assumes that the state of the devices is destroyed, the next lemma addresses the case where the device-state is preserved. In any diagram, let C denote the set of all causal processes (with input and output types as implied by the diagram).

Footnote 2: ..., a protocol is presented which includes a parameter q > 0 such that the protocol obtains Ω(N) random bits from a seed of size O(N q log q + log 2 N), with error O(2^{−Ω(qN)}). By taking q to be some sufficiently small constant we obtain Theorem 4.1.
Proof. Let δ be as in Theorem 4.1, let N be a positive integer, and let r ∈ R(N ). We have for any pure state Γ. We construct a duplication of the state on the right side of the above equation. The effect r (34) can be written as denote the controlled pure process Then, is a duplication of the state Γ r Likewise, the state is a duplication of the state on the right side of (33). Therefore by Corollary 2.4, there is a causal process c such that The desired result follows (with = √ 2δ).
Additionally, we note the following alternative form of the completeness assertion for R(N). The next lemma asserts that the set of all possible classical outputs of the spot-checking protocol must contain a state that is close to the uniform state on C^{2N}. (This is similar to the use of "adjustment completeness error" in [31].)
Proof. Combining the soundness and completeness claims in Theorem 4.1, we have
The desired result follows, with ζ = 2δ.

Unbounded randomness expansion
Now we discuss a graphical proof of unbounded (rather than linear) randomness expansion. We begin with the following elementary remarks.

Remark 4.4 (Causality). A process T is causal if and only if the process of applying T and then discarding its output wires is equal to the process of merely discarding the input wires.

Remark 4.5 (Deleting copies of uniform states). Uniform states absorb terminations.
We would like to apply the spot-checking protocol and lemma repeatedly, in order to obtain unbounded randomness expansion. Naively stacking R(N) operations atop one another does not work, but [8,17,31] observed that we can still obtain unbounded randomness via spot-check by employing two pairs of devices and alternating which pair is employed in the protocol. (In effect, one proves that the second application of the protocol wipes out any correlation with the first device, which may then be used in the third step to erase correlation with the second, and so on.) We prove the following lemma (which will be a building block for a later induction proof). For the remainder of this section, let = (M) be the error function from Lemma 4.2.

There is a function λ = λ(N) ∈ 2^{−Ω(N)} such that for any N, k ≥ 1,

Proof. By Remark 4.5, we can add a terminated branch to the left-hand side of Equation (45) so that we can apply Lemma 4.8.
We next apply Remark 4.4 (causality) followed by Remark 4.5.
The set of processes described by the rightmost diagram consists of a uniform state of dimension 4^k N together with a subnormalized state of X, as desired. Let λ(N) be the sum, over i = 0, 1, 2, ..., of the error function from Lemma 4.2 evaluated at 2^i N; this upper bounds the error term γ(N, k). Note that for any nonnegative function f on the set {0, 1, 2, ...}
Thus λ ∈ 2^{−Ω(N)}. This completes the proof. Theorem 4.9 asserts soundness for S_k(N). Completeness for S_k(N) follows easily from Lemma 4.3 and fact (46) above.
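The error bookkeeping in this proof, and the triangle inequality for the approximation relation from Definition 2.1 that it rests on, as an added example that is not part of the paper: each alternating application of the linear protocol contributes one approximation step whose error is the Lemma 4.2 error function evaluated at 2^i N, the steps chain by the triangle inequality, and the infinite sum λ(N) is shown to remain exponentially small in N. The program names the lemma's error function `eps` and, to get concrete numbers, substitutes a constructed eps(M) = 2^{−cM}; the closed-form geometric bound is my own derivation from the inequality 2^i ≥ i + 1 and is not the paper's fact (46).

```python
def chained_error(errors):
    """Triangle inequality for the approximation relation: a chain of steps
    with errors e_1, ..., e_n is within e_1 + ... + e_n end to end."""
    return sum(errors)

def accumulated_error(eps, N, k):
    """gamma(N, k): the error after k alternating applications, where the
    i-th application runs on a seed of size 2^i N and contributes eps(2^i N).
    (eps stands for the error function of Lemma 4.2; naming is mine.)"""
    return chained_error(eps(2 ** i * N) for i in range(k))

def lambda_bound(eps, N, terms=64):
    """lambda(N) = sum_{i >= 0} eps(2^i N), truncated after `terms` summands.
    For an exponentially small eps the omitted tail underflows to zero."""
    return sum(eps(2 ** i * N) for i in range(terms))

def exponential_eps(c):
    """Constructed error function eps(M) = 2^{-cM}, i.e. one in 2^{-Omega(M)},
    standing in for the unspecified error function of the lemma."""
    return lambda M: 2.0 ** (-c * M)

def geometric_tail_bound(c, N):
    """Closed-form bound on lambda(N) for eps(M) = 2^{-cM}: since 2^i >= i + 1,
    eps(2^i N) <= 2^{-c (i+1) N}, so the sum is at most r / (1 - r) with
    r = 2^{-cN}.  For cN >= 1 this is <= 2 * 2^{-cN}, hence in 2^{-Omega(N)}."""
    r = 2.0 ** (-c * N)
    return r / (1 - r)

if __name__ == "__main__":
    eps = exponential_eps(1.0)
    for N in (1, 4, 16):
        print(N, accumulated_error(eps, N, 3), lambda_bound(eps, N),
              geometric_tail_bound(1.0, N))
```

Because every partial sum γ(N, k) is dominated by the same λ(N), the number of rounds k never enters the final error: that is why the seed size N alone controls the soundness error of the unbounded protocol.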

Formalization
In addition to their intuitive appeal, the graphical structures of categorical quantum mechanics are amenable to computer formalization. In the long term, this will be critically important for managing the complexity of medium and large scale security proofs. In this respect, computers can play a number of roles including validation and verification, copying and reuse, and proof search and discovery.
As part of our investigations, we have produced a (semi-)formal verification of our proof using the Globular proof assistant [4] for the case k = 2. The reader can find and explore the Globular proof at [21], and a video is available at [22]. The Globular proof assistant [4] provides a system for creating string diagrams proofs, based on the perspective of higher-dimensional re-writing. In this project we used the system to prototype our arguments, and found the tool quite useful despite a few rough edges.
In Globular, one begins by declaring generators, atomic components which can be joined together into more complex diagrams. These generators come in several dimensions: strings in dimension 1 (classical, quantum), processes in dimension 2 (e.g., the spot-check protocols), and equations in dimension 3 (e.g., the spot-check lemma, the causality principle). More general protocols are complex two-dimensional diagrams. Proofs become three-dimensional diagrams, though we often think of them as a "movie" of slices which traces through the diagrams of the proof.
In this case, we used Globular to prototype the proof of Theorem 4.9. In particular, we used it to prototype and validate the general strategy of our proof in the case k = 2. Figure 1 shows part of the sequence of Globular diagrams in our proof of Theorem 4.9 for k = 2; the entire proof involved 66 steps. We found several significant benefits to building proofs in Globular. As diagrams become more complex, our ability to manipulate them with pen and paper is limited. Globular automates the management of diagrams, allowing for easy reuse and undo.
The proof assistant also "type-checks" the user, admitting only valid constructions and proofs. This allows the user to explore the space of possible diagrams and proofs without accidentally introducing errors. This will be particularly important for learning because it permits a focus on concepts over calculation.
More generally, formalization serves to identify gaps in our reasoning. In this case, we first identified the graphical form of the spot-check lemma (Lemma 4.2) and the final form of Theorem 4.9. By trying to prove the theorem in Globular we first validated the back-and-forth approach described in the proof of our theorem, but also showed that it was insufficient to yield our desired result. This, in turn, helped to identify the role of causality in our argument.
Overall, we found the Globular proof assistant to be quite helpful in prototyping and managing our arguments, although some issues limit its practical application. For example, three steps are needed to pass from step 63 to step 66 (see above), despite the fact that the two diagrams are more-or-less identical. This problem compounds as diagrams become more complicated; in our proof, 24 steps of sliding operations were needed between the second and third applications of the spot-check protocol. Improvements to such tools, both in underlying computation and representation and in user interface, would be valuable areas for future research.

Conclusion
Our graphical proof of unbounded expansion was based on two central steps: one was the application of the spot-checking lemma (Lemma 4.2), and the other was the principle of causality. Causality is an elementary step in symbolic proofs for quantum information, but in the case of our graphical proof it is an important manipulation.
We have used the tools of categorical quantum mechanics to give a streamlined proof that unbounded randomness expansion can be obtained via the spot-checking protocol. We hope to have convinced the reader of the usefulness and potential of graphical methods in quantum cryptography for proof exposition. Also, when graphical proofs are appropriately created, they open the door to automated proof-checking. Our experience using the Globular proof assistant can be seen as an interesting case study in the usefulness of the software, and we hope that our experience can motivate future work.
Our goal for later work is to develop a language for quantum cryptography that allows a wide range of translation of old results and proofs of new results. Some proofs (including unbounded randomness expansion) seem easiest to understand in graphical form, while others (such as Proposition 2.3) may be most accessible as algebraic proofs. Thus an ideal framework would allow easy translation back and forth between algebraic and graphical expositions.
Appendix A

where {c_i} is the standard basis for C and M_i are positive semidefinite operators on Q_1, where Q = Q_1 ⊗ Q_1. Then, the duplicated state of Ψ is given by
where Vec(X) denotes the vector Σ_ij x_ij |q_i q_j⟩, where {q_i} denotes the standard basis for Q_1 and X = Σ_ij x_ij |q_i⟩⟨q_j|. If Φ is such that
and therefore if we let
we have
as desired.