Self-testing of a single quantum device under computational assumptions

Self-testing is a method to characterise an arbitrary quantum system based only on its classical input-output correlations, and plays an important role in device-independent quantum information processing as well as quantum complexity theory. Prior works on self-testing require the assumption that the system's state is shared among multiple parties that only perform local measurements and cannot communicate. Here, we replace the setting of multiple non-communicating parties, which is difficult to enforce in practice, by a single computationally bounded party. Specifically, we construct a protocol that allows a classical verifier to robustly certify that a single computationally bounded quantum device must have prepared a Bell pair and performed single-qubit measurements on it, up to a change of basis applied to both the device's state and measurements. This means that under computational assumptions, the verifier is able to certify the presence of entanglement, a property usually closely associated with two separated subsystems, inside a single quantum device. To achieve this, we build on techniques first introduced by Brakerski et al. (2018) and Mahadev (2018) which allow a classical verifier to constrain the actions of a quantum device assuming the device does not break post-quantum cryptography.

round interaction between a classical verifier and a quantum prover, at the end of which the verifier decides to either "accept" or "reject" the prover. Informally, the guarantee provided by the protocol is the following:
Theorem (Informal). A prover's strategy in the protocol is described by a quantum state and the measurements that the prover makes on the state to obtain the (classical) answers received by the verifier. If a computationally bounded prover is accepted by the verifier with probability $1 - \varepsilon$, then there exists an isometry $V$ such that for a universal constant $c > 0$ and under the isometry $V$: (i) the prover's state is $O(\varepsilon^c)$-close (in trace distance) to a Bell pair, (ii) (a subset of) the prover's measurements are $O(\varepsilon^c)$-close to single-qubit measurements in the computational or Hadamard basis, where the measurement bases are chosen by the verifier.
Here, "closeness" is measured in a distance measure suitable for measurements acting on a state.
We emphasize that the theorem not only guarantees the preparation of an entangled state by the prover, but also the implementation of specific measurements on it. As such, it provides a complete analogue of foundational self-testing results for the CHSH inequality [SW87, MYS12].
The proof of our main result builds on techniques introduced in recent works [Mah18, BCM+18, GV19] to allow a classical verifier to leverage post-quantum cryptography to control a computationally bounded quantum prover. Because they are relevant for understanding the proof of our results, we now give a brief overview of these works and explain their relation to self-testing.
In [Mah18], Mahadev gives the first protocol to classically verify a delegated quantum computation with a single untrusted quantum prover. The central ingredient in Mahadev's verification protocol is a "measurement protocol" that allows the verifier to force the prover to report classical outcomes obtained by performing certain measurements on a quantum state that the prover has "committed to" using classical information. The main guarantee of the measurement protocol is this: if the prover is accepted in the protocol, there exists a quantum state such that the distribution over the prover's answers could have been produced by performing the requested measurements on this state. In other words, all of the prover's answers must be self-consistent in the sense that they could have originated from performing different measurements on (copies of) the same quantum state.
To verify a quantum computation, the statement that the prover's answers are consistent with measurements on a quantum state is sufficient, as the existence of a quantum state with the right properties can certify the outcome of the quantum computation (this is due to Kitaev's "circuit-to-Hamiltonian" construction, which we do not explain here). However, in this work we seek to make a stronger statement: we want to certify that the prover actually constructed the desired quantum state and performed the desired measurements on it (up to an isometry). While the honest prover in Mahadev's protocol does indeed construct the desired quantum state, the protocol does not guarantee that an arbitrary prover must do so, too. Hence, our self-testing protocol is stronger in the sense that it allows for a more stringent characterisation of the prover's actions, namely its actual states and measurements. To emphasize the difference, we note that the guarantee of Mahadev's protocol does not directly imply that a successful prover must have performed any quantum computation; the guarantee is only that, if the correct state preparation and measurements were to be performed, the outcome would be as claimed by the prover.
Another closely related work is that of Brakerski et al. [BCM+18], who give a protocol between a classical verifier and a quantum prover that allows the verifier to generate certified information-theoretic randomness, again assuming that the prover does not break the LWE assumption; in other words, their protocol generates information-theoretic randomness from a computational assumption. For this, the authors show that two of the prover's measurements must be maximally incompatible, as defined by a quantity that they call the "overlap". Informally, one can think of two maximally incompatible measurements as being close to a computational and Hadamard basis measurement, up to some global change of basis. Hence, this result already resembles self-testing in the sense that the verifier can make a statement about the actual measurements used by the prover. In particular, it does serve as a "test of quantumness" for the prover.
Building on [BCM+18] and using techniques from [Mah18], Gheorghiu and Vidick construct a protocol for a task that they call verifiable remote state preparation (RSP) [GV19]. They consider a set of single-qubit pure states $\{|\psi_1\rangle, \ldots, |\psi_n\rangle\}$. Under the same LWE assumption as before, the protocol enables the verifier to certify that the prover has prepared one of these states, up to a global change of basis (i.e., some isometry $V$ that is applied to all $|\psi_i\rangle$). More precisely, the verifier cannot decide beforehand on a particular $|\psi_i\rangle$, but after executing the protocol, the verifier knows which $|\psi_i\rangle$ the prover has prepared, and the distribution over $i$ can be made uniform. The prover, on the other hand, does not know which $|\psi_i\rangle$ he has prepared.
This result resembles a self-testing statement even more than that of [BCM+18] because it explicitly characterises a family of single-qubit quantum states, one of which is certified to be present in the prover's space. However, it differs from a standard self-testing statement in that it is defined for a family of states, not an individual state: because the prover's isometry $V$ is arbitrary, any individual state $|\psi_i\rangle$ can be mapped to another arbitrary state. Hence, what is certified in RSP is not any individual state, but the relationships (e.g., orthogonality) between different states in some family. Alternatively, one can also take the view that RSP characterises the relationships between the prover's states and measurements. We return to this issue in more detail in Section 1.1. The idea of certifying a family of states has also been considered by Cojocaru et al. [CCKW19], who call this notion "blind self-testing". They analyze a different protocol under a restricted adversarial model and conjecture that their protocol yields similar guarantees as [GV19] for single-qubit states and tensor products of single-qubit states.
This lengthy overview of previous works makes explicit a progression towards the task that we tackle here, that of genuine self-testing of a single quantum device. We note that this presentation clearly benefits from hindsight, and that none of the cited works mentions any relation to self-testing; indeed, the results are too weak to be used in this setting. In particular, none of the previous works provides a sufficiently strong guarantee on the measurements performed by the quantum device and goes beyond the setting of a single qubit, which is arguably the main technical challenge. Indeed, moving from a single-qubit state to an entangled two-qubit state means that the verifier has to enforce a tensor product structure on the prover's space, which is one of the main difficulties in our soundness proof (Section 4). On a technical level, it requires the certification of compatibility relations between different measurements meant to act on different qubits. Additionally, having two qubits instead of one prevents us from using Jordan's lemma, a standard tool in self-testing also used in [GV19], to characterise the prover's measurements; in Section 4.7, we show how to characterise the prover's measurements using a different method starting with a partial characterisation of the prover's measurements, using that to partially characterise the prover's states, which in turn is used for a stronger partial characterisation of the measurements, etc., until we reach the full statement that shows that the prover makes single-qubit measurements on a Bell pair.

Self-testing in the multi- and single-prover settings
In this section, we give a brief overview of the standard multi-prover self-testing scenario, and explain how it can be extended to a single prover. For more details on the multi-prover scenario, see [ŠB19] or [Sca19, Chapter 7]. For simplicity, let us consider the case of two provers A and B, with Hilbert spaces $H_A$ and $H_B$, respectively. Hence, the total Hilbert space is $H_A \otimes H_B$. The verifier interacts with A and B by sending questions and receiving answers. The question-answer correlations can be described by a family of probability distributions $\{p(a, b|x, y)\}_{x,y}$, where for each choice of questions x and y sent to A and B, respectively, p(a, b|x, y) is a probability distribution over their answers a and b. We say that a quantum state $|\psi\rangle_{AB} \in H_A \otimes H_B$ is compatible with the correlations p(a, b|x, y) if there are local measurements {P
Definition 1.1 (Self-testing of states, informal). The correlations p(a, b|x, y) self-test a state $|\phi\rangle_{AB}$ if for any state $|\psi\rangle_{AB}$ compatible with these correlations, there exists a local isometry $V = V_A \otimes V_B$ (with $V_A$ only acting on $H_A$, and $V_B$ only acting on $H_B$) such that $V|\psi\rangle_{AB} = |\phi\rangle_{AB}|\mathrm{Aux}\rangle$ for some ancillary state $|\mathrm{Aux}\rangle$.
A more operational view of this statement is that it must be possible to "extract" the state $|\phi\rangle_{AB}$ from $|\psi\rangle_{AB}$ only by performing local operations. The condition that the isometry must be local is crucial: if we allowed a global isometry, we could map any state $|\psi\rangle_{AB}$ to the desired state $|\phi\rangle_{AB}$. In the two-prover case, the notion of a local isometry is natural, since the separation between the two provers induces a tensor product structure $H = H_A \otimes H_B$ on the global Hilbert space H. In contrast, for a single prover no such tensor product structure exists and we cannot define local isometries in a meaningful way.
In Definition 1.1, we only dealt with the provers' state, not their measurements. A stronger notion of self-testing is to characterise both the provers' state and measurements. This is the version of self-testing originally considered by Mayers and Yao [MY04], and we will see that it can be meaningfully extended to the single-prover setting.
Definition 1.2 (Self-testing of states and measurements, informal). The correlations p(a, b|x, y) self-test a state |φ AB and measurements {M y )|φ AB |Aux , for some ancillary state |Aux .
The first condition is the same as in Definition 1.1. The second condition roughly says that the "physical" measurements {P y } act on the desired state $|\phi\rangle_{AB}$. Self-testing of states and measurements still has meaning in the single-prover setting. In this setting, one can imagine that the verifier sends both questions x and y to the same prover, and the prover replies with two answers a and b. To compute his answers, the prover prepares a quantum state $|\psi\rangle$ and, on inputs x, y, performs a measurement $\{P^{(a,b)}_{x,y}\}_{a,b}$ to obtain answers a, b.
Definition 1.3 (Self-testing for a single prover, informal). The correlations p(a, b|x, y) self-test a state $|\phi\rangle$ and measurements $\{K^{(a,b)}_{x,y}\}_{a,b}$ if for any state $|\psi\rangle$ and measurements $\{P^{(a,b)}_{x,y}\}_{a,b}$ that realise the correlations p(a, b|x, y), there exists an isometry V such that x,y |φ |Aux , for some ancillary state |Aux ∈ H .
This definition is rather informal because whenever the number of possible questions and answers is fixed and independent of the security parameter (as is the case in this paper), single-round question-answer correlations p(a, b|x, y) alone cannot be sufficient: a prover can always succeed in the protocol simply by answering the verifier's questions according to a look-up table; such a prover is classical and does not actually perform any computation. Therefore, our protocol will have multiple rounds of interaction between the verifier and the prover: the questions and answers in the initial "setup rounds" will involve a public key that scales with the security parameter; then, in the last round, the verifier observes question-answer correlations p(a, b|x, y) similar to standard self-testing, i.e., with a fixed question and answer length. Instead of using multi-round interaction, one could also try to build a single-round protocol with questions that depend on the security parameter (e.g., the question would include a public key).
A number of recent works have shown that under the (quantum) random oracle assumption, the protocol for certifying the quantumness of a prover from [BCM+18] and the verification protocol from [Mah18] can be adapted to this single-round setting [ACGH19, CCY19, BKVV20]. We leave it for future work to investigate whether the interaction in our protocol can also be removed with the random oracle assumption.
To obtain a statement that is more similar to the two-prover scenario, we consider the stronger constraint that the desired measurements have a tensor product form K (a,b) y . In particular, this means that answer a only depends on question x and b only depends on y, and it enforces a natural tensor product structure on the prover's space. Specifically, we define Hilbert spaces $H_A$, $H_B$ and H and deduce the existence of an isometry V from the prover's physical space H to $H_A \otimes H_B \otimes$ H such that under the isometry, the measurement operators $P^{(a,b)}_{x,y}$ act on $|\psi\rangle$ in the same way that tensor product measurement operators of the form M (a) acts only on $H_B$, and $|\phi\rangle_{AB}$ is the state that we are self-testing for (e.g., a Bell state).
Definition 1.4 (Self-testing of tensor product strategies for a single prover, informal). The correlations p(a, b|x, y) self-test a state $|\phi\rangle_{AB}$ and measurements {M x,y } a,b on H that realise the correlations p(a, b|x, y), there exists an
Again, this definition is informal for the same reason as for Definition 1.3. A formal statement of such a single-prover self-testing result with a tensor product structure is given in Theorem 4.42, the main result of this paper.

Cryptographic primitives
The main cryptographic primitive underlying our self-testing protocol is a so-called extended noisy trapdoor claw-free function family (ENTCF family). ENTCF families were introduced by Mahadev in [Mah18], building on the construction of noisy trapdoor claw-free function families by Brakerski et al. in [BCM+18]. Here, we only give a brief informal description of the main properties of an ENTCF family (see Section 2.2 for references and details).
An ENTCF family consists of two families F and G of function pairs. A function pair $(f_{k,0}, f_{k,1}) \in F$ is called a claw-free pair and is indexed by a public key k. Similarly, an injective pair is a pair of functions $(f_{k,0}, f_{k,1}) \in G$, also indexed by a public key k. Informally, the most important properties are the following:
(i) For fixed $k \in K_F$, $f_{k,0}$ and $f_{k,1}$ are bijections with the same image, i.e., for every y in their image there exists a unique pair $(x_0, x_1)$, called a claw, such that $f_{k,0}(x_0) = f_{k,1}(x_1) = y$.
(ii) Given a key $k \in K_F$ for a claw-free pair, it is quantum-computationally intractable (without access to trapdoor information) to compute both a preimage $x_i$ and a single generalised bit of $x_0 \oplus x_1$ (i.e., $d \cdot (x_0 \oplus x_1)$ for any non-trivial bit string d), where $(x_0, x_1)$ forms a valid claw. This is called the adaptive hardcore bit property.
(iii) For fixed $k \in K_G$, $f_{k,0}$ and $f_{k,1}$ are injective functions with disjoint images.
(iv) Given a key $k \in K_F \cup K_G$, it is quantum-computationally hard (without access to trapdoor information) to determine the "function type", i.e., to decide whether k is a key for a claw-free or an injective pair. This is called injective invariance.
(v) For every key $k \in K_F \cup K_G$, there exists a trapdoor $t_k$, which can be sampled together with k and with which (ii) and (iv) are computationally easy.

Our self-testing protocol
We now give an informal description of our self-testing protocol with the honest prover behaviour and provide some intuition for its soundness. A full description of the protocol is given in Figure 1, and for a more detailed overview of the soundness proof, see the introduction to Section 4. On a very high level, one can view the protocol as first executing the RSP protocol from [GV19] twice in parallel to prepare two qubits in the prover's space. Then, the prover is asked to perform an entangling operation on these two qubits. Because the prover does not know which states the qubits are in, and the entangling operation acts differently on different states, to pass the checks in the protocol the prover has to apply the entangling operation honestly.
In more detail, the protocol begins with the verifier sampling two uniformly random bits $\theta_1, \theta_2$, each bit denoting a basis choice (either the computational or the Hadamard basis). The case where both bits denote the Hadamard basis will be the one where the prover prepares a Bell pair, whereas the other basis choices serve as tests that prevent the prover from cheating. Depending on these basis choices, the verifier then samples two key-trapdoor pairs $(k_1, t_{k_1})$ and $(k_2, t_{k_2})$ from the ENTCF family: for the computational basis, it samples an injective pair, and for the Hadamard basis a claw-free pair. The verifier sends the keys to the prover and keeps the trapdoors private.
The honest prover treats the two keys separately. For each key $k_i$, he prepares the state Here, X is the domain of the ENTCF family. Note that even though the prover does not know which kind of function (claw-free or injective) he is dealing with, the definition of ENTCF families still allows him to construct this state. The prover now measures both image registers (i.e., the registers storing "$f_{k_i,b}(x)$"), obtains images $y_1, y_2$, and sends these to the verifier. (In the terminology of [Mah18], this is called a "commitment".) Depending on the choice of function family by the verifier, the prover's post-measurement state has one of two forms: if the verifier sampled the key $k_i$ from the injective family, the post-measurement state is a computational basis state: where $x_b$ is the unique preimage of $y_i$. If the key $k_i$ belongs to a claw-free family, the post-measurement state is a superposition over a claw: where $(x_0, x_1)$ form a claw, i.e., $f_{k,0}(x_0) = f_{k,1}(x_1) = y$. At this point, the verifier selects a round type, either a "preimage round" or a "Hadamard round", uniformly at random and sends the round type to the prover. For a preimage round, the honest prover measures his entire state in the computational basis and returns the result; the verifier checks that the prover has indeed returned correct preimages for the submitted $y_1, y_2$. The preimage round is an additional test that is required for us to leverage the adaptive hardcore bit property, but we do not discuss this further in this overview.
For a Hadamard round, the honest prover measures both of his preimage registers (i.e., the registers containing "$x_b$") in the Hadamard basis, obtains two bit strings $d_1, d_2$, and sends these to the verifier. This results in the following states (using the notation from above): ) if $k_i$ belongs to a claw-free family. (1.4) Note that the phase in the second case is exactly the adaptive hardcore bit from the definition of ENTCF families. At this point, the verifier selects two additional bases $q_1, q_2$ uniformly at random (again from either the computational or Hadamard basis), and sends these to the prover. In analogy to self-testing, we call these bases "questions". The honest prover now applies a CZ gate (an entangling two-qubit gate that applies a $\sigma_Z$ operation to the second qubit if the first qubit is in state $|1\rangle$) to its state $|\psi_1\rangle|\psi_2\rangle$. In the case where both $\theta_1$ and $\theta_2$ specify the Hadamard basis, this results in a Bell state (rotated by a single-qubit Hadamard gate). The prover measures the individual qubits of the resulting state in the bases specified by $q_1, q_2$. The outcomes $v_1, v_2$ are returned to the verifier. The verifier can use the prover's answers $y_1, y_2, d_1, d_2$ and her trapdoor information $t_{k_1}, t_{k_2}$ to determine which state CZ$|\psi_1\rangle|\psi_2\rangle$ the prover should have prepared. The verifier accepts the prover if his answers $v_1, v_2$ are consistent with making the measurements specified by $q_1, q_2$ on the honest prover's state CZ$|\psi_1\rangle|\psi_2\rangle$.
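The following sketch is an added illustration, not code from the paper: it simulates one key of the commitment and Hadamard round for an honest prover and checks that the verifier, using only (y, d) and the trapdoor, predicts which of |0>, |1>, |+>, |-> the prover is left holding. The function tables are a constructed toy with the claw-free and injective shape but no hardness whatsoever (anyone can invert them); all names are hypothetical.

```python
import math
import random

N = 3                                   # toy preimage length; X = {0,1}^N
DOMAIN = range(2 ** N)
S = 1 / math.sqrt(2)
STATES = {"0": (1.0, 0.0), "1": (0.0, 1.0), "+": (S, S), "-": (S, -S)}


def parity(v):
    """Inner product d.x mod 2 when called on d & x."""
    return bin(v).count("1") & 1


def keygen(basis, rng):
    """Toy key generation (assumption: lookup tables stand in for an ENTCF).
    The key is the pair of tables (f0, f1); the trapdoor is their inverses."""
    images = rng.sample(range(2 ** (N + 1)), 2 ** (N + 1))
    f0 = images[: 2 ** N]
    if basis == "hadamard":             # claw-free shape: same image, f1(x) = f0(x ^ s)
        s = rng.randrange(1, 2 ** N)
        f1 = [f0[x ^ s] for x in DOMAIN]
    else:                               # injective shape: disjoint images
        f1 = images[2 ** N:]
    key = (f0, f1)
    trapdoor = tuple({y: x for x, y in enumerate(f)} for f in key)
    return key, trapdoor


def honest_prover(key, rng):
    """Commit to an image y, then measure the preimage register in the
    Hadamard basis. Returns (y, d, qubit) with qubit the normalised
    two-amplitude state of the remaining bit register."""
    b, x = rng.randrange(2), rng.randrange(2 ** N)
    y = key[b][x]                       # outcome of measuring the image register
    support = [(bb, xx) for bb in (0, 1) for xx in DOMAIN if key[bb][xx] == y]
    # Hadamard transform of the x register: |x> -> sum_d (-1)^(d.x) |d> (unnormalised)
    amp = {(bb, d): sum((-1) ** parity(d & xx) for b2, xx in support if b2 == bb)
           for bb in (0, 1) for d in DOMAIN}
    weights = [amp[(0, d)] ** 2 + amp[(1, d)] ** 2 for d in DOMAIN]
    d = rng.choices(list(DOMAIN), weights=weights)[0]
    norm = math.sqrt(weights[d])
    return y, d, (amp[(0, d)] / norm, amp[(1, d)] / norm)


def verifier_decode(trapdoor, y, d):
    """Use the trapdoor to name the state the honest prover now holds."""
    pre = {b: trapdoor[b][y] for b in (0, 1) if y in trapdoor[b]}
    if len(pre) == 2:                   # claw: the phase is the hardcore bit d.(x0 ^ x1)
        return "-" if parity(d & (pre[0] ^ pre[1])) else "+"
    (b,) = pre                          # injective key: unique preimage, state |b>
    return str(b)


def run_trials(basis, trials=200, seed=1):
    """Run the exchange repeatedly; raise if a prediction is ever wrong.
    Returns the set of state labels the verifier decoded."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        key, trapdoor = keygen(basis, rng)
        y, d, qubit = honest_prover(key, rng)
        label = verifier_decode(trapdoor, y, d)
        overlap = abs(sum(p * q for p, q in zip(qubit, STATES[label])))
        if abs(overlap - 1) > 1e-9:
            raise ValueError("verifier prediction does not match prover state")
        seen.add(label)
    return seen
```

The prover never learns the label: it sees only the key and its own outcomes y and d, while the decoding step needs the preimages that the trapdoor provides.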

Soundness proof
We now give a brief intuition for the soundness of the protocol; the actual soundness proof is given in Section 4. Let us first consider a version of the protocol where the prover is not supposed to perform a CZ operation. As noted before, this would be (a simplified version of) the RSP protocol [GV19], executed twice in parallel. For the purposes of this overview, let us assume that the only way for the prover to pass these two parallel executions of the RSP protocol is to treat each execution separately, i.e., use a tensor product Hilbert space $H_1 \otimes H_2$ and execute each instance of the RSP protocol on a different part of the space (enforcing such a tensor product structure is reminiscent of the classic question of parallel repetition [Raz98] and is actually one of the main difficulties in our soundness proof, but we leave the details of this for Section 4). It now follows from the security of the RSP protocol that the prover must have prepared one of $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ in each part of his space (up to a "local" change of basis for each space), but he does not know which one. Now consider how a CZ operation acts on these different states: if both states are Hadamard basis states (e.g., $|+\rangle|-\rangle$), the CZ operation will entangle them and produce a Bell state (rotated by a single-qubit Hadamard gate); in contrast, if at least one of the states is a computational basis state (e.g., $|1\rangle|-\rangle$), the resulting state will still be a product state of computational and Hadamard basis states (albeit a different one). This means that in the latter case, the CZ operation essentially only relabels the states. Therefore, if the verifier adapts her checks to account for the relabelling, in the latter case the guarantees from the RSP protocol still hold. Because the prover does not know which bases the verifier has selected, we can extend these guarantees to the case of two Hadamard basis states, too.
We stress that this only provides a rough intuition, and that the actual proof proceeds quite differently from this because we cannot just assume the existence of a tensor product structure on the prover's Hilbert space. Deducing this tensor product structure poses technical difficulties. In two-prover self-testing proofs, the first step is to show that the measurement operators used by each prover approximately satisfy certain relations, e.g. anti-commutation. Because the measurement operators of different provers act on different Hilbert spaces, they exactly commute. Combining the approximate relations from the first step with the exact commutation relations, one can show that the prover's measurement operators must be close to some desired operators, e.g. the Pauli operators. This last "rounding step" typically uses Jordan's lemma or a stability theorem for approximate group representations [GH17]. In our case, we cannot show exact commutation relations between operators: commutation can only be enforced via the protocol, which tolerates a small failure probability. Hence, we are only able to show approximate commutation relations, which prevents us from applying Jordan's lemma or the result of [GH17]. We therefore develop an alternative approach to "rounding" the prover's operators that only requires approximate commutation and leverages the cryptographic assumptions. This method might also be useful for other applications that require a very tight "cryptographic leash" on a quantum prover.
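The relabelling argument above can be checked exhaustively. The following added example (not part of the paper; function names are hypothetical) applies CZ to all sixteen pairs drawn from |0>, |1>, |+>, |->, reports for each pair either the product state it is relabelled to or that the output is entangled, and confirms that the entangled outputs are Bell states after a Hadamard on the second qubit.

```python
import itertools
import math

S = 1 / math.sqrt(2)
# The four single-qubit states that can sit in each half of the prover's space.
STATES = {"0": (1.0, 0.0), "1": (0.0, 1.0), "+": (S, S), "-": (S, -S)}


def kron(a, b):
    """Two-qubit product state, amplitudes ordered |00>, |01>, |10>, |11>."""
    return [x * y for x in a for y in b]


def apply_cz(state):
    """CZ flips the sign of the |11> amplitude and leaves the others alone."""
    return [state[0], state[1], state[2], -state[3]]


def concurrence(state):
    """2|ad - bc| for a|00> + b|01> + c|10> + d|11>:
    0 for a product state, 1 for a maximally entangled one."""
    a, b, c, d = state
    return 2 * abs(a * d - b * c)


def same_up_to_sign(u, v, tol=1e-9):
    """True if the real unit vectors u and v differ at most by a global sign."""
    return abs(abs(sum(x * y for x, y in zip(u, v))) - 1) < tol


def cz_relabelling(l1, l2):
    """Labels (m1, m2) with CZ|l1>|l2> = +-|m1>|m2>, or None if entangled."""
    out = apply_cz(kron(STATES[l1], STATES[l2]))
    if concurrence(out) > 1e-9:
        return None
    for m1, m2 in itertools.product(STATES, repeat=2):
        if same_up_to_sign(out, kron(STATES[m1], STATES[m2])):
            return (m1, m2)
    raise ValueError("product state outside the four-state family")


def cz_table():
    """Relabelling for every pair of input labels."""
    return {pair: cz_relabelling(*pair)
            for pair in itertools.product(STATES, repeat=2)}


def is_rotated_bell(l1, l2):
    """Check that (I x H) CZ |l1>|l2> is one of the four Bell states."""
    a, b, c, d = apply_cz(kron(STATES[l1], STATES[l2]))
    # Hadamard on the second qubit mixes each (|x0>, |x1>) amplitude pair.
    rotated = [S * (a + b), S * (a - b), S * (c + d), S * (c - d)]
    bells = [[S, 0, 0, S], [S, 0, 0, -S], [0, S, S, 0], [0, S, -S, 0]]
    return any(same_up_to_sign(rotated, bell) for bell in bells)


if __name__ == "__main__":
    for (l1, l2), image in cz_table().items():
        shown = "entangled" if image is None else "|%s>|%s>" % image
        print("CZ|%s>|%s> -> %s" % (l1, l2, shown))
```

In the product cases the Hadamard-basis label flips exactly when the other qubit is |1>, which is the relabelling the verifier has to account for in her checks.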

Discussion
Self-testing has developed into a versatile tool for quantum information processing and quantum complexity theory and presents one of the strongest possible black-box certification techniques of quantum devices. The standard self-testing setting involves multiple non-communicating quantum provers, which is difficult to enforce in practice. The main contribution of this paper is the construction of a self-testing protocol that allows a classical verifier to certify that a single computationally bounded quantum prover has prepared a Bell state and measured the individual qubits of the state in the computational or Hadamard basis, up to a global change of basis applied to both the state and measurements. This means that we are able to certify the existence of entanglement in a single quantum device. Due to the interactive nature of our protocol, this certification remains valid even if it turned out that any quantum computation is classically simulable, i.e., BQP = BPP. It therefore constitutes a "test of quantumness" in the sense of [BCM+18] and differs from proposals for testing quantum supremacy such as [BFNV19], which only certify the "quantumness" of a device under the assumption that BQP ≠ BPP.
Existing multi-prover self-testing protocols are typically based on non-local games, e.g., the CHSH game [MYS12]. Our self-testing protocol follows a more "custom" approach guided by the available cryptographic primitives. While this enables us to construct a single-prover self-test for single-qubit measurements on a Bell state, arguably the most important quantum state for many applications, it does not allow us to extend the result to other states for which multi-prover self-tests are known [CGS17]. To better make use of the extensive existing self-testing literature, it would be desirable to construct a procedure that allows for the "translation" of multi-prover non-local games to single-prover games with computational assumptions.
In classical cryptography, similar attempts have been made to construct single-prover argument systems from multi-prover proof systems using fully homomorphic encryption [ABOR00, KRR14, DHRW16].
Another approach to constructing single-prover self-tests for a larger class of states might be to strengthen Mahadev's measurement protocol [Mah18] from guaranteeing the existence of a state compatible with the measurement results to certifying that the prover actually has prepared this state. As a step in this direction, the second author and Zhang recently showed that Mahadev's protocol is a classical proof of quantum knowledge [VZ20]. The concept of a proof of quantum knowledge, first introduced in [BG20, CVZ20] for the setting of a quantum verifier and extended to the setting of a classical verifier in [VZ20], is still less stringent than a self-test and in particular lacks the strong characterisation of the prover's measurements that we obtain in self-testing.
Beyond the conceptual appeal of gaining more fine-grained control over untrusted quantum devices, our self-testing protocol presents a first step towards translating multi-prover protocols for applications such as delegated computation [RUV13, CGJV19], randomness expansion [Col06, VV12, MS17], or secure multiparty quantum computation [CGS02, BCG+06] to a single-prover setting. There are already computationally secure single-prover protocols for delegated quantum computation [Mah18] and randomness expansion [BCM+18]; however, establishing a more general link between self-testing-based multi-prover protocols and computationally secure single-prover protocols is still desirable: it might lead to conceptually simpler single-prover protocols and will be useful for constructing single-prover protocols for other applications without resorting to a low-level cryptographic analysis. For example, using our self-testing theorem in a black-box way, the first author and others have recently constructed a protocol for device-independent quantum key distribution (DIQKD) [MDCAF20]. In contrast to previous DIQKD protocols, which rely on a non-communication assumption similar to the one in standard self-testing, this new DIQKD protocol requires no non-communication assumption and more closely models how DIQKD protocols are expected to be implemented experimentally. Crucially, the security analysis of this DIQKD protocol can be reduced to our self-testing theorem without any intricate cryptographic analysis involving computational hardness assumptions.
We believe that, in a similar vein, our protocol will also serve as a useful building block for other future protocols for computationally bounded quantum devices, in the same way that self-testing for EPR pairs in the multi-prover scenario has proved to be a versatile tool in physics, cryptography, and complexity theory.
Organisation. The paper is organised as follows. In Section 2, we give preliminary definitions and technical lemmas, most importantly involving the state-dependent distance between operators. In Section 3, we describe our self-testing protocol and show that it has completeness negligibly close to 1, i.e., that there exists an honest prover that is accepted with all but negligible probability. In Section 4, we show that our protocol is sound, meaning that any prover that is accepted with high probability must use states and measurements close to the desired ones. The main result that formalises this statement is Theorem 4.42.

Preliminaries
This section establishes a number of definitions and technical lemmas that we will use in the soundness proof in Section 4. We assume basic familiarity with quantum mechanics and start with a description of the notation in this paper. On a first reading of this paper, we recommend skipping most of the preliminary section and only referring back to the relevant results when they are referenced in the soundness proof. The most relevant parts for a first reading are Section 2.2, Definition 2.10, Definition 2.14, Lemma 2.21, and Lemma 2.25.
We use H to denote an arbitrary finite-dimensional Hilbert space, and use indices to differentiate between distinct spaces. For A ∈ L(H) and p ∈ N, the Schatten p-norm is ). An observable on H is a Hermitian linear operator on H. A binary observable is an observable that only has eigenvalues in {−1, 1}. For a binary observable O and b ∈ {0, 1}, we denote by $O^{(b)}$ the projector onto the $(-1)^b$-eigenspace of O. For any procedure which takes a quantum state as input and produces a bit (or more generally an integer) as output, e.g., by measuring the input state, we denote the probability distribution over outputs b on input state ψ by Pr[b | ψ].
The self-testing protocol that we will introduce in Section 3 has a security parameter λ. The quantities in the rest of the paper are typically families indexed by this security parameter, but we leave this implicit most of the time.

Extended trapdoor claw-free functions
As mentioned in Section 1.2, we rely on a cryptographic primitive called extended noisy trapdoor claw-free function families (ENTCF families) [BCM+18, Mah18], a brief description of which was also given in Section 1.2. We refer the reader to [Mah18, section 4] for the formal definition of ENTCF families, and we will use the notation therein throughout the rest of this paper. For the construction of ENTCF families from the Learning with Errors problem [Reg09], see [BCM+18, section 4] and [Mah18, section 9]. These works also give the conditions which parameters in the construction need to satisfy. Security of our protocol holds under the same conditions. Since the conditions are quite involved, we do not reproduce them here. For convenience, we define the following maps that "decode" the output of an ENTCF.
(ii) For a key k ∈ K_G and a y ∈ Y, we define b̂(k, y) by the condition y ∈ ∪_x Supp(f_{k,b̂(k,y)}(x)). (This is well-defined because f_{k,1} and f_{k,2} form an injective pair.)
(iii) For a key k ∈ K_G ∪ K_F and a y ∈ Y, we define x̂_b(k, y) by the condition y ∈ Supp(f_{k,b}(x̂_b(k, y))), and ). For k ∈ K_G, we also use the shorthand x̂(k, y) = x̂_{b̂(k,y)}(k, y).

Efficiency and computational indistinguishability
In this section, we define what it means for actions performed by a quantum device, e.g., unitaries or measurements, to be efficient. We also define the notion of computational indistinguishability for quantum states. In these definitions, we make the dependence on the security parameter λ explicit for the sake of clarity.
(i) We call a family of unitaries {U_λ ∈ U(H_λ)}_{λ∈N} efficient if there exists a (classical) polynomial-time Turing machine M that, on input 1^λ, outputs a description of a circuit (with a fixed gate set) that implements the unitary.
(ii) We call a family of isometries {V λ : is efficient.
Lemma 2.4. Let A be an efficient binary observable. Then, the isometry
Proof. Let U be the unitary associated with A. We can construct the desired isometry as follows: first, we apply U to |ψ⟩. Then, we apply a CNOT gate with the first qubit of U|ψ⟩ being the control, and an ancillary qubit in state |0⟩ being the target. Finally, we apply U†. To see that this indeed implements the correct isometry, note that and that the CNOT gate can be written as
Lemma 2.5. Let A_1 and A_2 be efficient commuting binary observables. Then A_1 A_2 is also an efficient binary observable.
Proof. Let U_1, U_2 be the efficient unitaries such that We define the unitary U by the following circuit: Since we can write the binary observables Using this, the orthogonality of the projectors, and the anticommutation of σ_Z and σ_X, the lemma follows by a direct calculation.
Lemma 2.6. Let U_1, U_2 be efficient unitaries on H. Then, are observables and there exists an efficient procedure that, given a state ψ ∈ D(H), outputs a bit b with
Proof. The fact that both operators are observables, i.e., Hermitian, is immediate. We construct the following efficient procedure: given ψ, we (efficiently) prepare |ψ⟩ ∈ H ⊗ H′, a purification of ψ (this is only to simplify the calculation). Because U_1 and U_2 are efficient unitaries, so are controlled versions of U_1 and U_2. Therefore, using an ancilla in the state (|0⟩ + |1⟩)/√2 as the control qubit, we can efficiently prepare the state Measuring the last qubit in the Hadamard basis produces the desired distribution:
Proof. Since C and D are efficient binary observables, they are also efficient unitaries by definition. Hence, the result follows from Lemma 2.6 with U_1 = CD and U_2 = DC.

Definition 2.8. We call two (families of) states ψ, ψ′ ∈ D(H) computationally indistinguishable up to O(δ) if for any efficient procedure (called a distinguisher) that takes as input ψ or ψ′ and produces an output bit b, we have (2.12)
We use the notation ψ ≈^c_δ ψ′. (2.13)
The following lemma states the simple fact that for an efficient measurement, the post-measurement states of two indistinguishable states must also be indistinguishable. (2.14)
Proof. The proof is a simple reduction: given an efficient distinguisher D that distinguishes Σ_{a∈A} M^(a) ψ M^(a) and Σ_{a∈A} M^(a) ψ′ M^(a) with advantage δ, the following distinguisher D′ is efficient and distinguishes ψ and ψ′ with advantage δ: given ψ or ψ′, D′ applies the isometry associated with the measurement {M^(a)}_{a∈A}, traces out the pointer register to create Σ_{a∈A} M^(a) ψ M^(a) or Σ_{a∈A} M^(a) ψ′ M^(a), and runs the distinguisher D on this state.

Distance measures
In self-testing, the verifier wants to make statements about the states and measurements used by quantum provers. The verifier can never make an "absolute" statement about any of the prover's measurements (i.e., one that only depends on the prover's measurement operators, not the state), since the only information available to the verifier is the prover's classical output, which he generates by applying his measurement operators to his state. Therefore, to make statements about the prover's operators, it is helpful to define a state-dependent distance between operators. Informally, if the state-dependent distance between two operators is small, this means that the two operators act on the state in the same way. A more detailed motivation of the state-dependent distance can be found in [Vid11, section 4.1], and a useful collection of many of its properties is given in [NW19, section 4.5].
Definition 2.10 (State-dependent inner product and norm). Let H be a finite-dimensional Hilbert space and A, B ∈ L(H) be linear operators on H. Let ψ ∈ Pos(H). We define the state-dependent (semi) inner product of A and B w.r.t. ψ as This induces the state-dependent (semi) norm
Remark 2.11. The state-dependent (semi) norm can also be expressed as a Schatten 2-norm (commonly called the Hilbert-Schmidt norm): (2.17)
Lemma 2.12. The state-dependent semi inner product satisfies the properties of a semi inner product.
Proof. We check the required properties.
(i) Symmetry: (2.18)
(ii) Linearity in the second argument: follows directly from the linearity of the trace.
(iii) Positive semi-definite: Because ψ is positive, so is AψA†. Therefore,
Remark 2.13. The Cauchy-Schwarz inequality holds for semi inner products, so we have (2.20)
We will frequently make statements about two quantities (e.g., two linear operators) being approximately equal. The following definition introduces a short-hand notation for making such statements more compactly.
Definition 2.14 (Approximate equality). We overload the symbol "≈" in the following ways (leaving the dependence on the security parameter implicit in the quantities on the left): (2.21) (ii) Operators: For A, B ∈ L(H), we define: (2.22) (We will most frequently use this for (possibly subnormalised) quantum states A, B ∈ Pos(H).) (iii) Operators on a state: For A, B ∈ L(H) and ψ ∈ Pos(H), we define: If we write ≈ 0 , we mean that the quantities are negligibly close. All asymptotic statements are understood to be in the limits ε → 0 and λ → ∞.
Remark 2.15. Note that we use a mixed convention, where the difference for states and operators is squared, but the difference for complex numbers is not. This is so that we have with the same index on both sides.
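The state dependence motivated at the start of this section can be checked numerically. The following is an added example, not code from the paper: it assumes the inner product of Definition 2.10 has the form ⟨A, B⟩_ψ = Tr[A† B ψ] (the displayed formula is missing from this copy; the form is consistent with the positivity argument via AψA† in Lemma 2.12), and all function names and sample states are constructed for illustration.

```python
import math

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def dagger(a):
    n = len(a)
    return [[complex(a[j][i]).conjugate() for j in range(n)] for i in range(n)]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

def sub(a, b):
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def inner(a, b, psi):
    """Assumed form of Definition 2.10: <A, B>_psi = Tr[A^dagger B psi]."""
    return complex(trace(matmul(matmul(dagger(a), b), psi)))

def dist_sq(a, b, psi):
    """Squared state-dependent distance ||A - B||_psi^2 (the squared
    convention of Definition 2.14(iii) / Remark 2.15)."""
    d = sub(a, b)
    return inner(d, d, psi).real

# Constructed sample operators and states (single qubit).
I2 = [[1, 0], [0, 1]]
Z = [[1, 0], [0, -1]]
X = [[0, 1], [1, 0]]
PLUS = [[0.5, 0.5], [0.5, 0.5]]      # |+><+|
RHO = [[0.7, 0.2], [0.2, 0.3]]       # a generic mixed state

def tilted_state(eps):
    """State on which measuring Z yields outcome 0 with probability 1 - eps."""
    return [[1 - eps, 0], [0, eps]]

def certainty_identity(obs, psi):
    """For a binary observable O (O^2 = 1):
    ||O - 1||_psi^2 = 2 (Tr[psi] - Re Tr[O psi]).
    Returns both sides so they can be compared."""
    lhs = dist_sq(obs, I2, psi)
    rhs = 2 * (complex(trace(psi)).real
               - complex(trace(matmul(obs, psi))).real)
    return lhs, rhs

def replacement_bound(a, b, psi):
    """Cauchy-Schwarz with the identity as first argument:
    |Tr[A psi] - Tr[B psi]| <= sqrt(Tr[psi]) * ||A - B||_psi."""
    gap = abs(complex(trace(matmul(sub(a, b), psi))))
    bound = math.sqrt(complex(trace(psi)).real * dist_sq(a, b, psi))
    return gap, bound

if __name__ == "__main__":
    # Z and the identity differ by 2 in operator norm, yet are
    # indistinguishable on a state supported on |0> only.
    for eps in (0.0, 0.01, 0.1):
        print("eps =", eps, "||Z - 1||^2_psi =", dist_sq(Z, I2, tilted_state(eps)))
    print("on |+><+|:", dist_sq(Z, I2, PLUS))
    print("certainty identity for X on RHO:", certainty_identity(X, RHO))
    print("replacement gap and bound:", replacement_bound(Z, I2, tilted_state(0.01)))
```

On the tilted state the squared distance is 4ε, so an almost certain measurement outcome makes Z act like the identity on that state, while on |+⟩⟨+| the same two operators are far apart.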

Properties of the state-dependent distance
The following lemma will be useful for showing that two operators are close in the state-dependent distance, up to an isometry.
Lemma 2.16. Let H 1 , H 2 be Hilbert spaces with dim(H 1 ) ≤ dim(H 2 ) and V : H 1 → H 2 an isometry. Let A and B be binary observables on H 1 and H 2 , respectively, ψ 1 ∈ Pos(H 1 ), ψ 2 ∈ Pos(H 2 ), and ε ≥ 0. Then: Proof. We first show the first relation. By the definition of the state-dependent distance, we need to show that Expanding the left hand side yields: For the first term, note that V V † 2 = V V † , so V V † is a projector and in particular less than or equal to 1. Therefore, we have where we used B 2 = 1 and V † V = 1 in the last line. Note that since this also upper-bounds the absolute value. The second term equals Tr[ψ 1 ] because A 2 = 1. For the third and fourth terms, we can rewrite (2.34) Therefore, we can combine the third and fourth term and have , which completes the proof of the first relation. The second relation follows analogously from the expansion (2.39) Lemma 2.17 (Relation between state-dependent and operator norms). Let ψ ∈ Pos(H) with Tr[ψ] ≤ 1 and C ∈ L(H) a linear operator. Then we have: It is a standard result from linear algebra that for any Hermitian linear operator A: φ|A|φ . (2.42) Since C † C is Hermitian and |ψ i normalised, this implies The second inequality, C † C ∞ ≤ C ∞ , follows immediately from the standard properties AB ∞ ≤ A ∞ B ∞ and A † ∞ = A ∞ for any linear operators A, B ∈ L(H). We will require two further miscellaneous properties of the state-dependent distance.
(i) Since ψ is positive, we have ψ = ψ 1/2 ψ 1/2 . Therefore, we can use C † C ≤ 1 in the following bound: The implication from left to right in the lemma follows because each term in the sum is O(ε) by assumption and there are constantly many terms. The implication from right to left follows because each The following two lemmas state that if the outcome of measuring a binary observable on a state is almost certain, then the observable is close to identity on the state. Informally, this can be viewed as a variant of the gentle-measurement lemma (see e.g. [Wil11, lemma 9.4.1]) expressed in the formalism of the state-dependent distance.
Proof. Using the fact that O is a binary observable, we can expand Inserting the definition of O and using Tr M (a) ψ ≥ 0 for all a for the inequality, as well a M (a) = 1 for the last equality, we get (2.56) Inserting this and using the assumption Tr M (a ) ψ ≈ ε Tr[ψ]: (2.57) We will often use the previous lemma together with the following simple statement: Lemma 2.20. Let O be a binary observable on H and ψ ∈ Pos(H). Then: Proof. This follows immediately from the fact that since O is a binary observable, we have The main feature of the state-dependent distance is that if two operators are close in the state-dependent distance, we can replace one operator by the other acting on either side of the state. The following two lemmas formalise this replacement step. In addition to replacing operators with one another, we will also need to replace states, as shown in Lemma 2.21(ii).
(i) We show the first relation, the second one is analogous. We rewrite the expression as an inner product and apply the Cauchy-Schwarz inequality (Remark 2.13): In the last line, we used C † ψ ≤ C † ∞ = C ∞ from Lemma 2.17 and C ∞ = O(1) by assumption.
(ii) By Hölder's inequality:
Proof. We show the first relation, the second one is analogous. Suppose A ≈_{ε,ψ} B. By Hölder's inequality, we have
A self-testing statement always involves showing the existence of an isometry V from the prover's Hilbert space into some larger Hilbert space (see Section 1.1). The main technical difficulty that arises from this is that the application of V†, i.e., the mapping from the larger space to the smaller space, cannot be inverted in general: V V† ≠ 1. The following two lemmas deal with how the state-dependent distance behaves under the application of an isometry.
Lemma 2.23. Let H 1 , H 2 be Hilbert spaces with dim(H 1 ) ≤ dim(H 2 ), V : H 1 → H 2 an isometry, and A and B binary observables on H 1 and H 2 , respectively. Then, the following holds for any ψ ∈ Pos(H 1 ): Proof. We prove each relation in turn.

Proof of the first relation.
Using V † V = 1: Since ψ is positive, we have ψ = ψ 1/2 ψ 1/2 : is a projector and in particular less than or equal to 1. Since the expression has the form Tr M V V † M † , we can bound it as: Since we are assuming V AV † ≈ ε,V ψV † B: Proof of the second relation. By Lemma 2.16, we only need to show This follows immediately from the replacement (Lemma 2.21(i)), the assumption V † BV ≈ ε,ψ A, and the fact that A 2 = 1. Proof.

Proof of the first relation. For any binary observable
This means that

Proof of the second relation.
Similarly to the first case, we have The result then follows from 1 − V V † V ψV † = 0.

Lifting state-dependent operator relations using computational indistinguishability
The following lemma collects a number of statements that allow us to replace computationally indistinguishable states with one another in the state-dependent distance. This means that if two states are computationally indistinguishable and a state-dependent operator relation holds for one of the states, we can "lift" this relation to the other state, provided the operators are efficient. We will make use of this many times throughout the rest of the paper.
(i) Since A is efficient, the procedure that makes the measurement {A (0) , A (1) } and outputs the result is efficient. The probability of outputting 0 given state ρ is Tr A (0) ρ . Therefore, by the definition of computational indistinguishability (Definition 2.8), we have By Lemma 2.6 and Definition 2.8, we also have The result follows by the triangle inequality.
(v) We first remark that the result of (ii) does not directly apply here, since V † BV is in general not a binary observable. Let U ∈ U(H ) be an efficient unitary such that , which is without loss of generality since we can add extra dimensions to H if necessary). Then by Lemma 2.6 and because we can efficiently prepare the state |0 k 0 k |, there exists an efficient procedure that outputs a bit b with By the assumption ψ c ≈ δ ψ , we therefore have Since we are assuming A ≈ ε,ψ V † BV , it now suffices to show Multiplying out the expression on the left hand side and using that we can move |0 k and 0 k | past A ⊗ 1 k , we get Expanding the right hand side of Equation (2.96), one gets the same terms, except for Tr V † BV ψV † BV instead of 1. However, using the assumption A ≈ ε,ψ V † BV and the replacement lemma (Lemma 2.21) twice: The last equality is true because A squares to identity and ψ is normalised.
(vi) Let U be as in (v), again assuming without loss of generality that dim(H) divides dim(H ). By the same reasoning as in (v), we have As a first step, we show V V † ≈ ε 1/2 ,ψ 1. For this, observe that since V † V = 1: Using that B 2 = 1, V † V = 1, and ψ is normalised: For the other two traces, we can use the replacement lemma (Lemma 2.21) to replace V AV † with B: This allows us to show Equation (2.100) as follows. On the one hand we have from expanding as in Lemma 2.16: Using V V † ≈ ε 1/2 1 and the replacement lemma (Lemma 2.21): On the other hand, expanding in the same manner as in Equation (2.106): The result follows from the triangle inequality.

Self-testing protocol
In this section, we introduce the self-testing protocol and describe the behaviour of an honest prover that succeeds with probability negligibly close to 1. The protocol is described in detail in Figure 1, an informal description was already given in the introduction (Section 1.3).
Let λ be a security parameter and (F, G) an ENTCF family.
3. The verifier receives y 1 , y 2 ∈ Y from the prover.
4. The verifier selects a round type ∈ {preimage round, Hadamard round} uniformly at random and sends the round type to the prover.
(1, 1) Set flag ← fail Bell if one of the following is true:
Figure 1: The self-testing protocol. Some of the verifier's checks, such as that for (θ1, θ2) = (1, 0), û(k1, y1, d1) must equal v1 ⊕ b̂(k2, y2), not v1, might look counter-intuitive. They are defined this way because the verifier must effectively "decode" the CZ gate that the honest prover applies. For the honest prover behaviour, see the proof of Proposition 3.1.
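The caption's remark about "decoding" the CZ gate can be reproduced with a two-qubit simulation of the honest prover's last step. This is an added example, not code from the paper. It assumes the honest single-qubit states before the CZ gate are |b̂⟩ for an injective key (θ = 0) and (|0⟩ + (−1)^û |1⟩)/√2 for a claw-free key (θ = 1), and that in the test case each qubit is measured in the basis it was prepared in; the function names are hypothetical.

```python
import math
from itertools import product

S = 1 / math.sqrt(2)

def qubit(theta, value):
    """Assumed honest single-qubit state before the CZ gate.

    theta = 0 (injective key):  |value>, where value plays the role of b-hat.
    theta = 1 (claw-free key):  (|0> + (-1)^value |1>)/sqrt(2), value = u-hat.
    """
    if theta == 0:
        return [1.0, 0.0] if value == 0 else [0.0, 1.0]
    return [S, S if value == 0 else -S]

def tensor(a, b):
    """Two-qubit amplitudes, stored at index 2*i1 + i2."""
    return [x * y for x in a for y in b]

def cz(state):
    """Controlled-Z: flips the sign of the |11> amplitude."""
    return state[:3] + [-state[3]]

def hadamard_on(state, which):
    """Apply a Hadamard gate to qubit `which` (0 = first, 1 = second)."""
    out = [0.0] * 4
    for i1, i2 in product((0, 1), repeat=2):
        amp = state[2 * i1 + i2]
        old = (i1, i2)[which]
        for new in (0, 1):
            sign = -1.0 if (old and new) else 1.0
            j1, j2 = (new, i2) if which == 0 else (i1, new)
            out[2 * j1 + j2] += S * sign * amp
    return out

def answer_distribution(theta, values, q):
    """Distribution of (v1, v2) when the prover applies CZ and then measures
    qubit i in the computational (q_i = 0) or Hadamard (q_i = 1) basis."""
    state = cz(tensor(qubit(theta[0], values[0]), qubit(theta[1], values[1])))
    for i in (0, 1):
        if q[i] == 1:  # Hadamard-basis measurement = H, then computational
            state = hadamard_on(state, i)
    return {(v1, v2): round(state[2 * v1 + v2] ** 2, 9)
            for v1, v2 in product((0, 1), repeat=2)}

def certain_answer(dist):
    """Return the (v1, v2) that occurs with probability 1, or None."""
    for outcome, p in dist.items():
        if p == 1.0:
            return outcome
    return None

def xor_distribution(dist):
    """Distribution of the sum v1 XOR v2."""
    out = {0: 0.0, 1: 0.0}
    for (v1, v2), p in dist.items():
        out[v1 ^ v2] += p
    return {k: round(p, 9) for k, p in out.items()}

if __name__ == "__main__":
    # Test case (theta1, theta2) = (1, 0): the CZ gate turns u-hat into
    # u-hat XOR b-hat on the first qubit, so the verifier must compare
    # u-hat with v1 XOR b-hat rather than with v1.
    for u1, b2 in product((0, 1), repeat=2):
        v = certain_answer(answer_distribution((1, 0), (u1, b2), (1, 0)))
        print("u1 =", u1, "b2 =", b2, "-> (v1, v2) =", v)
    # Bell case (1, 1): individual answers are random, only the sum is fixed.
    for q in ((0, 1), (1, 0), (1, 1)):
        d = answer_distribution((1, 1), (0, 1), q)
        print("q =", q, "answers:", d, "sum:", xor_distribution(d))
```

Under these assumptions the Bell-case sum v1 ⊕ v2 is deterministic only for questions with q1 ≠ q2, which is why only the sum of the two answers can be checked there.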

Completeness of self-testing protocol
Proposition 3.1. There is an efficient quantum prover that is accepted in the self-testing protocol with probability negligibly close to 1 (as a function of the security parameter).
Proof. We describe the honest strategy. Given keys k_1, k_2, the prover initially treats each key separately (i.e., it prepares a product state). For each k_i, the prover prepares the state (1/√(2·|X|)) Σ_{b∈{0,1}} Σ_{x∈X, y∈Y} √(f_{k_i,b}(x)(y)) |b⟩|x⟩|y⟩. (3.1)
Preparing this state can be efficiently done (up to negligible error) using the Samp procedure from the definition of ENTCF families ([BCM+18, definition 3.1] and [Mah18, definition 4.2]). The prover then measures the two "image registers" (i.e., the ones where y is stored) to obtain images y_1, y_2 ∈ Y and sends these back to the verifier. The post-measurement for each i ∈ {1, 2} is
If the verifier selects a preimage round, the prover measures both registers in the computational basis and returns the result. From the states in Equation (3.2) it is clear that the prover succeeds with probability negligibly close to 1 in the preimage round.
If the verifier selects a Hadamard round, the prover measures both "x-registers" in the Hadamard basis to obtain strings d_1, d_2 and returns these to the verifier. We introduce the shorthand b_i = b̂(k_i, y_i) and
Now the prover applies a controlled-Z gate (CZ) between the two qubits (with i = 1 being the control and i = 2 being the target qubit). This results in the state (again up to global phases) with the (Hadamard-rotated) Bell states
When the prover receives questions q_1, q_2 ∈ {0, 1} from the verifier, he measures each qubit individually in the computational (if q_i = 0) or Hadamard (if q_i = 1) basis and returns the outcomes v_1, v_2. For the first three cases in Equation (3.4), it is easy to see that the prover will be accepted. For the last case, this follows from (3.7)
The goal of this section is to prove the soundness of the self-testing protocol in Figure 1, i.e., to show that any computationally bounded prover that succeeds in the protocol must have prepared a Bell state and measured the individual qubits in the computational or Hadamard basis, up to a global change of basis. This statement is made formal in Theorem 4.42. All statements in this section are under the assumption that no efficient quantum device can break the LWE assumption [Reg09] (for the same parameters as those used in [BCM+18] and [Mah18]). Informally, the main steps of the soundness proof are the following:
1. We first formalise the actions of a quantum prover as a device (Section 4.1). A device is essentially a collection of states and measurements used by the prover to compute his answers to the verifier. These states and measurements are the ones that the verifier can characterise with the self-testing protocol. We then express the success probability of a device in terms of its states and measurements in section 4.2.
2. In the self-testing protocol, the verifier chooses which type of function (claw-free or injective) to use. We show that because it is computationally hard to determine the function type given only the key, different states prepared by the prover for different key choices are computationally indistinguishable. This will allow us to use different key choices to characterise different aspects of the prover's behaviour, and "lift" these characterisations to another key choice using the lifting lemma (Lemma 2.25).
3. We show that different observables used by the prover either anti-commute (Section 4.5) or commute (Section 4.6) on the prover's state.
4. In the self-testing protocol, the prover gets two questions indicating the measurement bases for the first and second "qubit" (though at this point in the proof, we do not yet have a characterisation of the prover's states in terms of qubits). Depending on whether the bases for both "qubits" are the same or different, the prover's measurements are described by different observables, which we call "non-tilde observables" if the questions are the same, and "tilde observables" if they are different. To fully characterise the prover's measurements, we need to characterise both tilde and non-tilde observables. In particular, to analyse the "Bell case" in the protocol, the tilde observables are required. For technical reasons, characterising non-tilde observables is easier. Hence, the next step is to characterise the non-tilde observables as follows:
(i) We define an isometry V_S (Definition 4.27), which is a single-prover version of the two-prover "swap isometry" in [MYS12]. The isometry is defined in terms of the prover's non-tilde observables. This is the isometry for which we will show that it maps the prover's states and observables to the desired Bell states and two-qubit Pauli observables.
(ii) We show that under this isometry, the prover's observables on the first "qubit" are close to Pauli observables (Equation (4.88) and Lemma 4.30).
(iii) We use this characterisation of the observables to obtain a characterisation of the prover's first qubit in the "test case" of the self-testing protocol (Lemmas 4.31 and 4.32).
(iv) We use the characterisation of the prover's first qubit to show that the prover's observables on the second qubit are also approximately equal to Pauli observables (Lemma 4.33).
[Footnote 10] The main difficulty in dealing with observables on the second "qubit" is the following: the isometry V_S is defined in terms of the prover's non-tilde observables Z_1, X_1, Z_2, X_2. In the isometry, the observables Z_1 and X_1 are applied first, followed by the observables Z_2 and X_2 (in addition to other operations involving ancilla qubits). This means that the observables Z_2 and X_2 do not act directly on the prover's state |ψ⟩, but on a state of the form X_1 Z_1 |ψ⟩. This prevents us from using the commutation and anti-commutation relations derived in step 3 directly, since they are in the state-dependent distance with respect to |ψ⟩. Already having a characterisation of Z_1, X_1 and the prover's "first qubit" allows us to extend these commutation and anti-commutation relations to a state of the form X_1 Z_1 |ψ⟩.

5. We show that non-tilde observables and tilde observables are approximately equal on the state (Lemma 4.35), and hence tilde observables are also close to Pauli observables under the isometry V_S (Corollary 4.36).
6. We use the characterisation of the prover's observables to also characterise the prover's second "qubit" in the "test case" (Lemma 4.39). The computational indistinguishability of the verifier's basis choices allows us to extend this characterisation to the Bell case (Corollary 4.40).
7. The characterisation of both of the prover's "qubits" allows us to show that products of the prover's observables are close to tensor products of Pauli observables (Lemma 4.41).
8. Using this characterisation of products of observables, we can show that in the Bell case, the prover must have produced a Bell pair and measured its individual qubits in the computational or Hadamard basis (Theorem 4.42).

Devices
We model the actions of a general prover by a "device". This formalises all possible actions that can be taken by the prover to compute his answers y 1 , y 2 , d 1 , d 2 , and v 1 , v 2 to the verifier. By Naimark's theorem, up to adding dimensions to the prover's Hilbert space, we can assume without loss of generality that the prover only performs projective measurements (instead of more general POVMs).
In the context of the self-testing protocol, ψ (θ1,θ2) is the prover's state after returning y 1 , y 2 for the case where the verifier makes basis choices θ 1 , θ 2 . Each ψ (θ1,θ2) also implicitly depends on the specific keys chosen by the verifier (not just the key type); all the statements we make hold on average over key choices.
(ii) A projective measurement Π on H D ⊗ H Y : This is the measurement used by the prover to compute his answer (b 1 , x 1 ; b 2 , x 2 ) in the preimage challenge.
This is the measurement used by the prover to compute his answer (d_1, d_2) in the Hadamard challenge. We use an additional Hilbert space H_R to record the outcomes of measuring M and write the post-measurement state after applying M to ψ^(θ1,θ2) as . (4.5)
In the context of the self-testing protocol, given questions q_1, q_2, the prover will measure {P_{q1,q2}} and return the outcomes v_1, v_2 as his answer.

Marginal measurements
In the standard self-testing scenario for a single Bell pair (as in e.g. [MYS12]), each prover returns a single bit. Therefore, for a fixed question, the measurement performed by each prover can be described by a binary observable. In contrast, in the single-prover setting, the prover sees both questions at once. Hence, for fixed questions q_1, q_2, its measurements are described by the 4-outcome measurements {P^(v1,v2)_{q1,q2}}_{v1,v2}. We relate the single-prover scenario to the two-prover scenario by defining marginal observables. These intuitively correspond to the observables used by each prover in the two-prover setting. However, in the single-prover setting, the observable used to obtain the first answer bit v_1 can also depend on the second question bit q_2. Therefore, there are two different sets of marginal observables: the "non-tilde observables", which result from marginalising over projectors with q_1 = q_2; and the "tilde observables", which result from marginalising over projectors with q_1 ≠ q_2. A formal definition follows.
1,1 , Remark 4.5. By the same reasoning as in Lemma 2.3, all of the above are efficient binary observables.

Partial post-measurement states
In Equation (4.4), we defined the prover's post-measurement state as :=σ (θ 1 ,θ 2 ) y 1 ,y 2 ; d 1 ,d 2 ⊗|y 1 , y 2 ; d 1 , d 2 y 1 , y 2 ; d 1 , d 2 | R . (4.7) Depending on the values of y 1 , y 2 , d 1 , d 2 , the prover has to give different answers v 1 , v 2 to the verifier in order to be accepted in the self-testing protocol. For the analysis, it will be useful to split the state σ (θ1,θ2) according to these correct answers. A formal definition follows.
Here, σ (1,s1; 1,s2) is that part of the state for which s 1 is the accepted sum v 1 ⊕ v 2 on question (0, 1), and s 2 is the accepted sum on question (1, 0). In particular, for the honest prover, we have (after tracing out the classical registers Y and R): We now prove a simple technical lemma which we will frequently use in the soundness proof. Tr (4.13) Proof. Fix θ 1 , θ 2 , and i.
Proof. This follows immediately by combining Lemmas 2.19 and 4.8.

Success probabilities of a device
During the self-testing protocol, the verifier applies certain checks to the answers given by the prover. If the prover fails these checks, the verifier sets flag to fail Pre , fail Test , or fail Bell . Here, we relate the probabilities that the prover passes these checks to the states and measurements used in the definition of devices (Definition 4.1). .
(i) From the self-testing protocol, the definition of the Chk-procedure (Definition 2.1), and the fact that the verifier chooses bases θ 1 , θ 2 and questions q 1 , q 2 uniformly at random, it is clear that uniformly at random. Considering the self-testing protocol and the definition of σ (1,s1; 1,s2) , the result now follows as in (i).
Remark 4.11. Throughout the entire soundness proof, we will implicitly assume that for the device D under consideration, the quantities γ P (D), γ T (D), and γ B (D) are bounded away from 1 by a non-negligible amount. Indeed, in the case where one of these quantities is 1 − negl(λ), our soundness result (Theorem 4.42) trivially holds. To see this, note that in this case, for any constant c ≥ 0, Therefore, recalling that the definition of approximate equality (Definition 2.14) always includes a term negl(λ), we see that ρ ≈ γ P (D) c +γ T (D) c +γ B (D) c σ holds for any two (potentially subnormalised) quantum states ρ and σ, since the trace distance ρ − σ 1 is always at most 2 = O(1). Hence, the statements of Theorem 4.42 are trivially satisfied.

Reduction to perfect device
The purpose of this section is to show that for the rest of the soundness proof, we can restrict ourselves to devices that pass the preimage round of the protocol with probability 1 − negl(λ). This is primarily a technical convenience that simplifies the arguments in later parts of the proof.
The following lemma says that for any efficient device D, there exists another efficient perfect device D′, which uses the same measurements as D, and whose initial state is close to the initial state of D. Since we are ultimately interested in characterising the states and measurements of a device, this will allow us to first replace the arbitrary device by a perfect one, characterise the states and measurements of the perfect device, and finally argue that this characterisation also applies (up to some error) to the arbitrary device.
, which uses the same measurements Π, M, P and whose states S′ = ψ′^(θ1,θ2) satisfy for any θ_1, θ_2 ∈ {0, 1}: (4.28)
Proof. The idea of the proof is the same as in [Mah18, claim 7.2] and [GV19, Lemma 3.9]. We give a construction of D′ as follows: D′ first prepares the states ψ^(θ1,θ2) as D does. D′ then applies the efficient unitary U_Π associated with the measurement Π: Now D′ coherently evaluates the (efficient) Chk-function on the Y-register of Π^(b1,x1; b2,x2) ψ^(θ1,θ2) Π^(b1,x1; b2,x2) and the new register containing b_i, x_i. If Chk succeeds, D′ applies U† to the state, traces out the ancillary register R, and uses this as ψ′^(θ1,θ2). Otherwise, D′ repeats the process up to polynomially (in the security parameter) many times, and aborts if the Chk procedure never succeeds. Since γ_P(D) is defined as the maximum failure probability of the preimage check on one of the two qubits, and the Chk procedure fails if the preimage check fails on either qubit, the probability of the Chk procedure failing is at most 2γ_P(D) by a union bound. Hence, recalling Remark 4.11, the probability that Chk fails polynomially many times is negligible. (We remark that the prover described by D′ has to run this checking procedure before actually returning the images y, y to the verifier.) It is clear that D′ is efficient and perfect. Fix θ_1, θ_2. We need to show ‖ψ′^(θ1,θ2) − ψ^(θ1,θ2)‖_1 ≈_{γ_P(D)^{1/2}} 0.
Since the probability of the Chk to succeed is at least 1 − 2γ_P(D), by the gentle measurement lemma (see e.g. [Wil11, lemma 9.4.1]), the post-measurement state after Chk has succeeded is O(γ_P(D)^{1/2})-close in trace distance to U(|0^{2(1+|X|)}⟩⟨0^{2(1+|X|)}|_R ⊗ ψ^(θ1,θ2))U†. Because the trace distance is unitarily invariant, this implies that the state ψ′^(θ1,θ2) is also O(γ_P(D)^{1/2})-close in trace distance to ψ^(θ1,θ2).

Lifting relations from one basis choice to another
A lot of the leverage that the verifier has over the prover stems from the fact that the prover does not know the verifier's basis choices θ_1, θ_2. In particular, the prover does not know whether he is in the "Bell case" θ_1 = θ_2 = 1, where the honest prover prepares an entangled state, or in the "test case" θ_1 ≠ θ_2, where the honest prover prepares a product state. The test case is useful as a testing procedure because the two bits that the prover has to return as an answer in the Hadamard round are determined by the y_1, y_2 and d_1, d_2 that the prover returned in the previous rounds. Using the trapdoor, the verifier can check each answer individually. In contrast, in the Bell case, only the sum of both answers is checked by the verifier.
In the soundness proof, we often want to "lift" approximate-equality relations that we can certify for one of the test cases, e.g. θ 1 = 0, θ 2 = 1, to any other choices of θ 1 , θ 2 . Intuitively, this is possible because the prover does not know which case it is in, so it cannot adapt its behaviour accordingly. We have already shown in Lemma 2.25 that we can lift relations from one state to another if the states are computationally indistinguishable and the relation only involves efficient quantities. Therefore, we only need to show that the different σ (θ1,θ2) are computationally indistinguishable, which we do in the following simple lemma.
Proof. The values for θ_i directly indicate whether k_i ∈ K_G or k_i ∈ K_F. Therefore, a procedure that correctly guesses θ_1, θ_2 with probability non-negligibly larger than 1/4 would violate the injective invariance property of the ENTCF family [Mah18, definition 4.3]. The same reasoning applies for ψ^(θ1,θ2).

Uniform normalisation and answers
In Definition 4.6, we defined the partial post-measurement states $\sigma^{(\theta_1,v_1;\,\theta_2,v_2)}$. In this section we show that in the test case (i.e., $\theta_1 \neq \theta_2$), the normalisation of a certain marginalisation of these states is uniform, i.e., the same for both $v = 0$ and $v = 1$. This is a weaker statement than showing that the normalisation of $\sigma^{(\theta_1,v_1;\,\theta_2,v_2)}$ itself (without marginalising) is uniform, but it will be sufficient. The proof reduces the uniform normalisation to the adaptive hardcore bit property of the ENTCF family (informally, item (ii) in the list in Section 1.2).

Tr σ (0,v1; 1,1) . (4.29)

Proof. We show the first relation, the second one is analogous. Assume for the sake of contradiction that for some non-negligible positive $\mu(\lambda)$. Here, we assumed for concreteness that the left hand side is positive, but the proof is easily seen to also hold for the case where the left hand side is smaller than a non-negligible negative function by flipping the final bit in the output of the procedure A below. We want to show that this contradicts the adaptive hardcore bit property.

To this end, we define the following efficient procedure A: A is given a key $k_1 \in K_F$ and samples another key and a trapdoor $(k_2, t_{k_2}) \leftarrow \mathrm{Gen}_G(1^\lambda)$. A first prepares the state $\psi^{(\theta_1,\theta_2)}$ by performing the same operations as the device D, obtaining $y_1, y_2$ in the process; this is efficient because D is efficient. Then, A performs the preimage measurement $\Pi$, obtaining outcomes $(b_1, x_1)$ and $(b_2, x_2)$. Finally, it measures $M$, obtaining outcomes $d_1, d_2$. Again, these measurements are efficient because D is efficient. A outputs the tuple $(b_1, x_1, d_1, \hat{b}(k_2, y_2))$. Note that since A has access to $t_{k_2}$, computing $\hat{b}(k_2, y_2)$ is efficient.
We now argue that this indeed breaks the adaptive hardcore bit property. Because the device D is perfect, the preimage measurement yields a correct preimage with probability negligibly close to 1. Then, by the collapsing property [GV19, Lemma A.7], the states before and after the preimage measurement are computationally indistinguishable. Since $M$ is an efficient measurement, this means that the outcome distributions obtained by measuring $M$ directly on $\psi^{(\theta_1,\theta_2)}$ and measuring $M$ on the post-measurement state after having measured $\Pi$ must be negligibly close. Hence, $y_1, y_2, d_1, d_2$ obtained by A have the same distribution (up to negligible difference) as the images and equation strings obtained by the device D. Using the definition of $\sigma^{(1,v_1;\,0,v_2)}$, this means that on average over A's distribution over $k_i, y_i, d_i$:

$$\Pr\big[\hat{u}(k_1, y_1, d_1) = v_1 \oplus \hat{b}(k_2, y_2)\big] = \mathrm{Tr}\Big[\sum_{v_2} \sigma^{(1,v_1;\,0,v_2)}\Big]. \tag{4.31}$$

Combining this with the assumption in Equation (4.30), we see that A's output $(b_1, x_1, d_1, \hat{b}(k_2, y_2))$ is "correct" (i.e., in the set $H_{k_1}$ in [BCM+18, definition 3.1(iv)]) with non-negligible advantage.
As a corollary to the above lemma, we can also show that for a device that succeeds with high probability in the test case, the answers returned on question q = 1 (i.e., a Hadamard basis measurement) must be close to uniform.

Anti-commutation relations
The goal of this section is to prove the following proposition.
The proof is given at the end of this section. We first show a number of auxiliary lemmas.
Proof. To simplify the notation, we show this for i = 1; the proof for i = 2 is analogous. First note that because Z 1 is efficient, by Lemmas 2.4, 2.9, and 4.14, the states b Z are computationally indistinguishable for different θ 1 , θ 2 . Because X 1 is an efficient binary observable, by the lifting lemma (Lemma 2.25(i)) and the indistinguishability of σ (θ1,θ2) (Lemma 4.14), it suffices to show the lemma for a particular choice of θ 1 , θ 2 .
For the proof of Proposition 4.17, Lemma 4.18 will not be sufficient. We will need the stronger statement that e.g. b,v2 Tr is small for every v 1 , not just their sum. This is shown in Lemma 4.21. For the proof, we have to make use of the preimage test, which will enable us to relate the statement of Lemma 4.21 to the adaptive hardcore bit property. This is achieved with the following lemma.
Lemma 4.19. We define the following projectors, which project onto the correct preimage answer (for given keys k 1 , k 2 ):Π We denote their marginals bỹ Note that each term in the sum is positive, so the statement also holds for any sums over subsets of b, y i , d i .
Proof. We show this for i = 1, the proof for i = 2 is analogous. Inserting the definition of the state-dependent norm and multiplying out the terms, we find that the left hand side of Equation (4.45) equals b,d1,d2 where we definedΠ i,y1,y2 ⊗ |y 1 , y 2 y 1 , y 2 | . (4.47) We treat each term in turn: (4.49) Therefore, for a perfect device:Π We can therefore bound the third term as follows: Tr Z 1,d1,d2 is a projector (and therefore Z (b) 1,d1,d2 ≤ 1), and the M (d1,d2) are orthogonal projectors that sum to 1. Therefore, we can apply the replacement lemma (Lemma 2.21(i)) and use Equation (4.50) to find: For the last line, we used thatΠ is actually independent of b, so we can perform the sums b Z (b) d1,d2 = 1 for any d 1 , d 2 , and d1,d2 M (d1,d2) = 1, and finally use the cyclicity of the trace andΠ (0)Π(1) = 0.
Let us consider $(\theta_1, \theta_2) = (0, 1)$. Since D is a perfect device (i.e., fails the preimage test with negligible probability) andΠ (b) 1 projects onto the correct preimage answer with the first bit being $b$, it follows from Definition 4.6 that d1,d2 Therefore, from the definition of $\gamma_T$ (Equation (4.19)) we have that b,d1,d2 Tr Z

To conclude, we need to extend the statement to any choice of $\theta_1, \theta_2$. For this, we use the same reasoning as in the proof of the lifting lemma (Lemma 2.25). Specifically, we observe that there exists an efficient procedure A that, given a state $\psi$, estimates the l.h.s. of Equation (4.52): the procedure A first (efficiently) measures $\{\sum_{b_2,x_2} \Pi^{(b,x_1;\,b_2,x_2)}\}_{b,x_1}$, records the bit $b$, and discards $x_1$. Since we are dealing with a perfect device, this measurement returns a correct preimage $x_1 = \hat{x}_b(k_1, y_1)$ with overwhelming probability, and hence produces a post-measurement state negligibly close toΠ  M (d1,d2) . Finally, the procedure A measures $Z$ to obtain a bit $b'$ and outputs 1 if $b = b'$, and 0 otherwise. By construction, it is clear that this estimates the l.h.s. of Equation (4.52). Since the procedure A is efficient, its probability of returning 1 must be negligibly close for the computationally indistinguishable input states $\psi^{(\theta_1,\theta_2)}$, as otherwise A could be used to distinguish these states with non-negligible advantage. It follows that the l.h.s. of Equation (4.52) must be negligibly close for different $\psi^{(\theta_1,\theta_2)}$, so Equation (4.52) holds for all $\theta_1, \theta_2$.
The following is a purely technical lemma that will be required for the proof of Lemma 4.21.
Comparing the definition of γ P (Equation (4.17)) and the definition of Y b2 , the right hand side has to be negligibly close to 0 for a perfect device.
We are now in a position to show that the statement of Lemma 4.18 also holds if we do not sum over both v 1 and v 2 , but only over the v i associated with a computational basis measurement.
Proof. We show the first relation, the proof of the second is analogous. Define the shorthand (4.57) First note that by Lemma 4.18, we have $\chi^{(0)} + \chi^{(1)} \approx_{\gamma_T(D)^{1/2}} 0$. Therefore, to show this lemma, it suffices to show Inserting the definition of $\sigma^{(1,v_1;\,0,v_2)}$, we have We would now like to use Lemma 4.19 to replace terms of the form ZM by terms of the form M Π. More specifically, we need to show: . (4.60) Due to the sums in Lemma 4.19, we cannot apply the replacement lemma (Lemma 2.21) directly to show Equation (4.60). However, we can use the Cauchy-Schwarz inequality in a very similar manner as in the proof of Lemma 2.21. We give the full details in Lemma 4.22 afterwards. Expanding Π y1,y2 and using Lemma 4.20 with the replacement lemma (Lemma 2.21) to discard the cross-terms (footnote 11),

It now suffices to show $\xi^{(0)} \approx_0 \xi^{(1)}$. For the sake of contradiction, assume $\xi^{(0)} - \xi^{(1)} \geq \mu$ for a non-negligible positive $\mu$. As in the proof of Lemma 4.15, we assume that the left hand side is positive for concreteness; if $\xi^{(0)} - \xi^{(1)} \leq -\mu$, the proof also holds, but we have to flip the final bit in the output tuple of the procedure A below. We show that this enables us to construct an efficient procedure A that breaks the adaptive hardcore bit property [BCM+18, definition 3.1(4.)].
The procedure A takes as input a key $k \in K_F$. It sets $k_1 := k$ and samples $(k_2, t_{k_2}) \leftarrow \mathrm{Gen}_{K_G}(1^\lambda)$. It then uses $k_1, k_2$ to construct the state $\psi^{(1,0)}$ in the same way as the device D, which is efficient by assumption. In the process, it obtains images $y_1$ and $y_2$. It now performs the projective measurement $\{\Pi^{(b_1,x_1;\,b_2,x_2)}\}$, obtaining outcome $(b_1, x_1; b_2, x_2)$. Next, A performs the measurement $M$, obtaining outcomes $d_1, d_2$. Finally, A measures $X_1$ to get an outcome $u$. Since the device D is efficient, all measurements performed by A are efficient. Because A sampled $k_2$ itself, it has access to the trapdoor, so it can efficiently compute $\hat{b}(k_2, y_2)$. The output of A is the tuple $(b_1, x_1, d_1, u \oplus \hat{b}(k_2, y_2))$.
We prove the remaining step from the previous lemma.
11 To be precise, here one uses the fact that X is a binary observable and {M (d 1 ,d 2 ) } forms a measurement to derive the required operator norm upper bound for the replacement lemma. This proceeds exactly as in the derivation of Equation (4.51).

Lemma 4.22. With the notation from the previous lemma,
Proof. To simplify the notation, we use the shorthand y = (y 1 , y 2 ), d = (d 1 , d 2 ), and S y = {d 1 |û(k 1 , y 1 , d 1 ) = v 1 ⊕b(k 2 , y 2 )}. Then, we have (To see this, one can simply insert Definition 2.10 to write the r.h.s. in terms of traces, and cancel crossterms.) Applying the triangle inequality and the Cauchy-Schwarz inequality for the state-dependent inner product, we find Since each term in the sum is non-negative, we can extend the sum from d 1 ∈ S y to all d 1 . Applying the standard Cauchy-Schwarz inequality, we obtain: Using the fact that X 1,yd is a binary observable and therefore squares to identity, and that the projectors in a measurement sum to identity, it is easy to check that b,y1,y2,d1,d2 The remaining term is bounded by Lemma 4.19: This lemma enables us to prove the main result of this section, Proposition 4.17, which establishes the anti-commutation of X i and Z i .

Commutation relations
Having shown that operators on the same "qubit" (i.e., with the same i) anti-commute, we now turn to commutation relations. We have frequently referred to operators with different i as acting on different "qubits", but pointed out in the overview at the start of Section 4 that this intuition is not yet justified, since we do not yet have a characterisation of the prover's state in terms of qubits. In this section, we make an important step towards showing that the intuition of different i's corresponding to different qubits is indeed valid: we show that observables with different i (approximately) commute. This is clearly required if we want to think of the observables as acting on different qubits, since observables on different qubits necessarily commute.
Proof. For simplicity, we restrict ourselves to proving the first relation; the other one is analogous. Since Z i , X i are efficient, by the lifting lemma (Lemma 2.25(iii)) and the indistinguishability of σ (θ1,θ2) (Lemma 4.14), it suffices to show the statement for σ (0,1) . We will split this state as σ (0,1) = v1,v2 σ (0,v1; 1,v2) and apply Corollary 4.9 to each part, i.e., replace X i and Z i by ±1.
Remark 4.25. This proof relies on the fact that there is a basis choice for which there is only one accepted answer for both $Z_1$ and $X_2$ (or $Z_2$ and $X_1$). For the tilde observables, we would have to show approximate commutation of $\tilde{Z}_1, \tilde{Z}_2$, and $\tilde{X}_1, \tilde{X}_2$, since these cases are not covered in Lemma 4.23. However, there are no basis choices for which there is only one accepted answer for both $\tilde{X}_1$ and $\tilde{X}_2$, since for the honest prover, the basis choice (1, 1) results in an entangled state by application of a CZ gate. This prevents us from applying this proof to $[\tilde{X}_1, \tilde{X}_2]$. Instead, our strategy will be to first show that the non-tilde observables can be rounded to Pauli observables, and then show that tilde and non-tilde observables are approximately equal (on the device's state), implying that the tilde observables can also be rounded to Pauli observables.

Approximate equality of non-tilde observables and Pauli observables
The goal of this section is to show that on the states σ (θ1,θ2) , the non-tilde observables Z i , X i used by the prover are close to the respective Pauli matrices σ Z , σ X (under some isometry). The proof of this follows the steps outlined in item (4.) of the introduction to Section 4.
Definition 4.26. To simplify the notation, we write if there exists a constant c > 0 such that We also use this notation for the other approximate equalities in Definition 2.14.
The convenient feature of this notation is that when we use the replacement lemma (Lemma 2.21), we do not need to change the subscript.
The important results from the preceding sections are the commutation and anti-commutation relations for the non-tilde observables, which hold for any $\theta_1, \theta_2 \in \{0, 1\}$ and can be expressed with the shorthand notation as (Proposition 4.17)

We now define the "swap isometry". This is the isometry which will map the prover's states and observables to the desired Bell states and single-qubit Pauli observables.
Definition 4.27 (Swap isometry, [MYS12]). Given a device D = (S, Π, M, P ) with Hilbert space H, we define the swap isometry V S : H → C 4 ⊗ H as Proof. It can be verified by a simple calculation that the following circuit implements the swap isometry: We remark that this circuit is almost identical to that in [MYS12], but instead of applying Z i and X i to different parts of the state (which only makes sense if we have a Hilbert space with a tensor product structure), we apply all of them in sequence on the same Hilbert space. Also note that the swap isometry introduces an asymmetry between the observables Z 1 , X 1 , which are applied first, and the observables Z 2 , X 2 , which are applied afterwards.
Our goal is to show that under the swap isometry, the prover's observables $Z_i, X_i$ are mapped to single-qubit Pauli observables. The following lemma collects the results of conjugating single-qubit Pauli observables by the swap isometry. Informally, the remainder of this section shows that in the state-dependent distance, the right hand sides of the equalities in Lemma 4.29 are close to $Z_1$, $X_1$, $Z_2$, and $X_2$, respectively.
Having established a characterisation of the prover's operators Z 1 and X 1 , we now use this to partially characterise the prover's state. In particular, we will show that in the test case, the swap isometry maps the prover's state to a product state, where the first qubit is in the computational or Hadamard basis, depending on the verifier's basis choice (Lemma 4.31). We will then show that the auxiliary states that the prover holds in addition to the first qubit must be computationally indistinguishable to the prover (Lemma 4.32). This is similar to the result of [GV19] (but with fewer different single-qubit states).
Proof. We show the first relation. The second one is analogous (but simpler, because we have V † S (σ Z ⊗ 1 2 ⊗ 1)V S = Z 1 (Equation (4.88)), whereas the corresponding statement for X 1 only holds approximately (Lemma 4.30)).
By Lemmas 4.30 and 2.18(ii), we have (4.99) By Lemma 2.24, this implies Using this, the definition of γ T (Equation (4.19)), and the replacement lemma (Lemma 2.21(i)) we get v1,v2 Using (a simple extension of) Corollary 4.9 combined with Lemma 2.20, this means that Hence, by Lemma 2.22, we get yields the result.
Proof. We first prove the first relation, the proof of the second one is analogous and we briefly comment on it at the end.  where µ(λ) is non-negligible. Define
Proof of the second relation. The proof is analogous to that of the first relation. Assuming a measurement {Λ (0) , Λ (1) } for distinguishing { v2 α (0,v1; 0,v2) } v1 , one chooses and calculates the distinguishing advantage analogously to the first part.
At this point, we have established a characterisation of the prover's observables Z 1 and X 1 as well as of its state in the test case. As outlined in the introduction to Section 4, we will now use these results to show that the prover's observables Z 2 and X 2 are also close to Pauli observables (under the swap isometry V S ).
Proof of the first relation. By Lemmas 4.14 and 4.32, we have This implies since any distinguisher $D$ for the latter problem can be used to construct a distinguisher $D'$ for the former problem: given $V_S \sigma^{(\theta_1,\theta_2)} V_S^\dagger$ or $\tfrac{1}{2}\mathbb{1}_2 \otimes \alpha$, $D'$ first applies the inverse of the unitary extension of $V_S$. $D'$ then measures the ancillary registers used for the unitary extension: if the result is not the all-zero string, $D'$ guesses that it was given $\tfrac{1}{2}\mathbb{1}_2 \otimes \alpha$; if the result is the all-zero string, $D'$ runs $D$ on the post-measurement state. Then, the advantage of $D'$ in distinguishing the states in Equation (4.113) will be at least the advantage of $D$ in distinguishing the state in Equation (4.114) (footnote 12).

The binary observables $\mathbb{1}_2 \otimes \sigma_Z \otimes \mathbb{1}$ and $Z_2$ as well as the isometry $V_S$ are all efficient. Therefore, by Lemma 2.25(v) we can replace $\sigma^{(\theta_1,\theta_2)}$ by $V_S^\dagger\big(\tfrac{1}{2}\mathbb{1}_2 \otimes \alpha\big)V_S$ in the statement of this lemma (footnote 13), so we need to (4.115) By Lemma 2.16, it suffices to show Using the cyclicity of the trace, $V_S^\dagger V_S = \mathbb{1}$, and Equation (4.90) to expand $V_S^\dagger(\mathbb{1}_2 \otimes \sigma_Z \otimes \mathbb{1})V_S$, we get: At this point, we would like to replace the right-most operator $V_S(\mathbb{1} + (-1)^a Z_1)V_S^\dagger$ by $\mathbb{1} + (-1)^a \sigma_Z \otimes \mathbb{1}_2 \otimes \mathbb{1}$. For this, we need We delay the proof of this statement until Lemma 4.34 and continue with the main argument here. Because for any $a \in \{0, 1\}$, the operator norm of the other operators inside the trace is constant, we can use Equation (4.118) and the replacement lemma (Lemma 2.21(i)) to obtain:

12 To see why this is the case, first consider the case where $D'$'s measurement of the ancilla qubits for the unitary extension does not yield the all-zero string. In this case, $D'$ will always guess correctly, since applying the inverse of the unitary extension of $V_S$ to $V_S \sigma^{(\theta_1,\theta_2)} V_S^\dagger$ will result in the ancilla qubits being 0 with probability 1 by definition of the unitary extension. In the case where $D'$ does measure the all-zero string in the ancilla registers, the post-measurement state will be one of the two states in Equation (4.114), so running $D$ on the post-measurement state yields a non-negligible advantage by assumption.
13 Strictly speaking, Lemma 2.25(v) only applies to normalised states, whereas V † S 1 2 1 2 ⊗ α V S can be subnormalised. However, one can check that the proof of Lemma 2.25(v) goes through for subnormalised states, too. Alternatively, one can also renormalise V † S 1 2 1 2 ⊗ α V S , apply Lemma 2.25(v), and then note that dropping the normalisation factor (which is at least 1) can only decrease the state-dependent distance between any two operators with respect to that state.
The right-most operator only acts non-trivially on the first qubit, so we can commute it past the state and use the cyclicity of the trace. = 1 4 a∈{0,1} (4.119) Now we would like to commute the right-most X a 1 with Z 2 . We need the proof of which is given in Lemma 4.34. We therefore have (using Lemma 2.21 as above): (4.119) ≈ R 1 4 a∈{0,1} Using X 2 1 = 1, [Z 1 , Z 2 ] = 0, and Z 2 2 = 1: Using Equation (4.118) in the same manner as above: Tr (1 + (−1) a σ Z ⊗ 1 2 ⊗ 1) 2 1 2 1 2 ⊗ α (4.123) Using a (1 + (−1) a σ Z ⊗ 1 2 ⊗ 1) 2 = 4 · 1 and the normalisation of α: This proves the first relation in the lemma, Proof of the second relation. The proof is similar to the first case. As in the first case, the proof reduces to showing For the proof, we will need the relation which is analogous to Equation (4.118) and will be shown in Lemma 4.34. We proceed with proving Equation (4.125). Throughout the proof, we will always use the replacement lemma (Lemma 2.21(i)) to replace operators with one another. Expanding V † S (1 2 ⊗ σ X ⊗ 1)V S using Equation (4.91): Using Equation (4.118) to replace V S (1 + (−1) a Z 1 )V † S with (1 + (−1) a σ Z ⊗ 1 2 ⊗ 1) and commuting it past the state: Using Equation (4.126) to replace V S X 1 V † S with σ X ⊗ 1 2 ⊗ 1 and commuting it past the state: Anti-commuting Z 2 and X 2 (this can be shown analogously to Equation (4.120), making use of Proposition 4.17): Since Z 2 is a binary observable, b (1 + (−1) b Z 2 ) 2 = 4 · 1. Therefore, summing over b yields: Commuting X 2 and X a 1 , then replacing V S X a 1 V † S with σ a X ⊗ 1 2 ⊗ 1 using Equation (4.126) and commuting it past the state: We have σ 2 X = 1. We can also commute X 2 and Z 1 using the analogous statement of Equation (4.120) with reversed indices. Then we obtain (using X 2 2 = 1): This expression is identical to Equation (4.122), so the result follows.
The following lemma shows the steps that we skipped in the proof above.
Lemma 4.34. With the notation from the proof of Lemma 4.33, we show the following statements: (4.128) (iii) Equation (4.120): Proof.
(ii) First note that by the triangle inequality for the state-dependent norm, it suffices to show the following two relations individually: (4.133) The first relation follows from 1 by Equation (4.113) and the lifting lemma (Lemma 2.25(vi)). The second relation follows by the same reasoning used for (i), making use of Equation (4.88).

Approximate equality of tilde observables and Pauli observables
The preceding section establishes that on the states σ (θ1,θ2) , the non-tilde operators are approximately equal to the corresponding Pauli operators. However, to certify Bell states, we need the prover to perform measurements where its two "qubits" are measured in different bases, i.e., use measurement operators from P 0,1 and P 1,0 . The observables associated to these mixed-basis projectors are the tilde observables. Recall that for the tilde observables, we cannot get the required commutation relations, as explained in Section 4.6. This prevents us from using the argument that we used for the non-tilde observables. Instead, we will show that on the state, the tilde and non-tilde observables are approximately equal. Using the triangle inequality for the state-dependent distance, we can then conclude that the tilde observables are also close to Pauli observables (under the same isometry V S and in the state-dependent distance).

Products of observables
We have shown in Corollary 4.36 that on the state, the tilde observables are approximately equal to the corresponding Pauli matrices, under the isometry $V_S$. To certify that the prover has a Bell state, we want to show that the prover must possess, up to the isometry $V_S$, a joint eigenstate of $\sigma_Z \otimes \sigma_X$ and $\sigma_X \otimes \sigma_Z$, since the only such eigenstates are the Bell states (with the second qubit in the Hadamard basis). Therefore, we have to be able to "round" not just individual tilde observables to Pauli matrices, but also products of tilde observables. That is, we have to show that e.g. $\tilde{Z}_1 \tilde{X}_2$ is approximately equal to $\sigma_Z \otimes \sigma_X \otimes \mathbb{1}$ under the isometry $V_S$. Note that this does not directly follow from the above, since we can only round operators next to the state. For example, we know from the previous section (ignoring the isometry for this explanation) that $\tilde{Z}_1 \approx_{R,\sigma^{(\theta_1,\theta_2)}} \sigma_Z \otimes \mathbb{1}_2 \otimes \mathbb{1}$ and $\tilde{X}_2 \approx_{R,\sigma^{(\theta_1,\theta_2)}} \mathbb{1}_2 \otimes \sigma_X \otimes \mathbb{1}$. To deal with the product $\tilde{Z}_1 \tilde{X}_2$, we can use Lemma 2.18(i) to obtain $\tilde{Z}_1 \tilde{X}_2 \approx_{R,\sigma^{(\theta_1,\theta_2)}} \tilde{Z}_1 (\mathbb{1}_2 \otimes \sigma_X \otimes \mathbb{1})$.
However, now we cannot make use of Lemma 2.18(i) again, since the operator $\tilde{Z}_1$ that we wish to round is multiplied on the right by another operator $\mathbb{1}_2 \otimes \sigma_X \otimes \mathbb{1}$, which, if one writes out the definition of the state-dependent distance, effectively sits in between the state and $\tilde{Z}_1$. In other words, we would require a version of Lemma 2.18(i) where the operator C in that lemma is multiplied on the right of A and B, but this does not hold.
To overcome this problem, we rely on a characterisation of the states σ (θ1,θ2) that we can deduce from the relations for the non-tilde observables derived in the previous sections. The following lemmas, which are extensions of Lemmas 4.31 and 4.32, establish this characterisation. Proof. We give the proof for the first relation, the second one can be shown analogously. Most of the proof is analogous to that of Lemma 4.31, and we only sketch it here. Starting from Lemma 4.33, by the same steps as in Lemma 4.31 we get (4.143) By Lemma 4.31 and the replacement lemma (Lemma 2.21(ii); to see that this also allows us to replace the state in this case, it is enough to write out the definition of the state-dependent distance as a trace):  The analogous relation of course also holds for α (0,v1; 1,v2) andα (0,v1; 1,v2) : α (0,v1; 1,v2) ≈ R |(−) v2 (−) v2 | ⊗α (0,v1; 1,v2) . (4.149) The proof of the following lemma is very similar to that of Lemma 4.32, but we give the full proof for the sake of completeness.
We are now in a position to prove the statement about products of observables that we mentioned at the beginning of this section.
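The claim at the start of this section, that the only joint eigenstates of the two mixed-basis operators $\sigma_Z \otimes \sigma_X$ and $\sigma_X \otimes \sigma_Z$ are Bell states with the second qubit in the Hadamard basis, can be checked numerically. The following is an added example, not code from the paper: the function names are hypothetical, and taking $|+\rangle|+\rangle$ as the input to the CZ gate mentioned in Remark 4.25 is an assumption made for illustration.

```python
"""Added example: joint eigenstates of sigma_Z (x) sigma_X and sigma_X (x) sigma_Z."""
from itertools import product
from math import sqrt

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[1 / sqrt(2), 1 / sqrt(2)], [1 / sqrt(2), -1 / sqrt(2)]]
CZ = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, -1]]


def kron(a, b):
    """Kronecker product of two matrices given as nested lists."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def matmul(a, b):
    """Matrix product of nested-list matrices."""
    n = len(b)
    return [[sum(row[k] * b[k][j] for k in range(n)) for j in range(len(b[0]))]
            for row in a]


def apply(m, v):
    """Matrix-vector product."""
    return [sum(r[k] * v[k] for k in range(len(v))) for r in m]


def expectation(m, v):
    """<v| m |v> for a real state vector v."""
    return sum(x * y for x, y in zip(v, apply(m, v)))


ZX = kron(Z, X)  # first qubit in the computational basis, second in the Hadamard basis
XZ = kron(X, Z)  # the other mixed basis choice


def eigenspace_dims():
    """Dimension of each joint (s1, s2) eigenspace of ZX and XZ.

    The two operators commute, so (1 + s1*ZX)(1 + s2*XZ)/4 is the projector
    onto the joint eigenspace and its trace is the dimension.
    """
    id4 = kron(I2, I2)
    dims = {}
    for s1, s2 in product((1, -1), repeat=2):
        p1 = [[(id4[i][j] + s1 * ZX[i][j]) / 2 for j in range(4)] for i in range(4)]
        p2 = [[(id4[i][j] + s2 * XZ[i][j]) / 2 for j in range(4)] for i in range(4)]
        proj = matmul(p1, p2)
        dims[(s1, s2)] = round(sum(proj[i][i] for i in range(4)))
    return dims


def cz_plus_plus():
    """CZ|+>|+>: constructed stand-in for the honest state at basis choice (1, 1)."""
    return apply(CZ, [0.5, 0.5, 0.5, 0.5])


def rotated_bell_state():
    """(1 (x) H)|Phi+>: a Bell pair with the second qubit in the Hadamard basis."""
    phi_plus = [1 / sqrt(2), 0, 0, 1 / sqrt(2)]
    return apply(kron(I2, H), phi_plus)


def first_qubit_purity(v):
    """Tr(rho_1^2) of the first qubit: 1 for a product state, 1/2 if maximally entangled."""
    rho = [[sum(v[2 * a + b] * v[2 * c + b] for b in range(2)) for c in range(2)]
           for a in range(2)]
    return sum(rho[a][c] * rho[c][a] for a in range(2) for c in range(2))


if __name__ == "__main__":
    psi = cz_plus_plus()
    print("operators commute:", matmul(ZX, XZ) == matmul(XZ, ZX))
    print("joint eigenspace dimensions:", eigenspace_dims())
    print("<ZX>, <XZ>:", expectation(ZX, psi), expectation(XZ, psi))
    print("<Z(x)1>, <1(x)X>:", expectation(kron(Z, I2), psi), expectation(kron(I2, X), psi))
    print("first-qubit purity:", first_qubit_purity(psi))
```

Each of the four sign patterns has a one-dimensional joint eigenspace, so fixing both eigenvalues pins down the state. On the (+1, +1) eigenstate the single-qubit expectations vanish while both products equal 1, and the reduced state of the first qubit is maximally mixed.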