A monogamy-of-entanglement game for subspace coset states

We establish a strong monogamy-of-entanglement property for subspace coset states, which are uniform superpositions of vectors in a linear subspace of $\mathbb{F}_2^n$ to which has been applied a quantum one-time pad. This property was conjectured recently by [Coladangelo, Liu, Liu, and Zhandry, Crypto'21] and shown to have applications to unclonable decryption and copy-protection of pseudorandom functions. We present two proofs, one which directly follows the method of the original paper and the other which uses an observation from [Vidick and Zhang, Eurocrypt'20] to reduce the analysis to a simpler monogamy game based on BB'84 states. Both proofs ultimately rely on the same proof technique, introduced in [Tomamichel, Fehr, Kaniewski and Wehner, New Journal of Physics '13].


Introduction
Informally, a monogamy game is a game in which the maximum success probability is tied to the monogamy of entanglement, i.e. limitations on the strength of quantum multipartite correlations. The simplest such game goes as follows. Two players Bob and Charlie aim to prepare a tripartite state $\rho_{ABC}$, such that $A$ is a single qubit and $B$ and $C$ are arbitrary, and the following holds: given a measurement of $A$ in the standard or Hadamard basis yielding an outcome $x \in \{0, 1\}$ it is possible to predict $x$ both by making a measurement on $B$ only and on $C$ only, given the chosen basis as side information. Monogamy of entanglement expresses itself by the fact that while ignoring $C$ it is possible to win in this game with probability $1$ by choosing $\rho_{AB}$ to be an EPR pair, as soon as $C$ is present the maximum winning probability drops to $\frac{1}{2} + \frac{1}{2\sqrt{2}} \approx 0.854$. Monogamy games have played an important role in quantum cryptography since some of the first proofs of security of quantum key distribution, which make use of monogamy through uncertainty relations such as $H(Z|B) + H(X|C) \geq 1$, with $X$ and $Z$ classical random variables that denote the outcome of a measurement of $A$ in the standard and Hadamard bases respectively [Koa06, TL17].
In this note we study a monogamy game introduced recently in [CLLZ21] and called "strong monogamy game" therein. Informally, in the game two players Bob and Charlie cooperate in an attempt to create two copies of a coset subspace state where $A$ is a linear subspace of $\mathbb{F}_2^n$ and $s, s' \in \mathbb{F}_2^n$ are arbitrary, such that given the first copy and a description of $A$ it is possible to obtain a vector $u \in A + s = \{a + s \mid a \in A\}$, while given the other copy and the description of $A$ it is possible to obtain a vector $v \in A^\perp + s'$, with $A^\perp = \{w : w \cdot u = 0 \ \forall u \in A\}$. (We describe the game in detail in Section 2.)
In [CLLZ21] the authors show a sub-exponentially decaying bound on the players' maximum success probability in a variant of this game where from each copy a pair $(u, v) \in (A + s) \times (A^\perp + s')$ has to be returned. While the original subspace coset game is more useful for their cryptographic applications they are unable to analyze it. In this paper we show an exponentially decaying bound on the players' maximum success probability in the original game; as shown in [CLLZ21] this implies constructions for uncloneable decryption and copy-protection of pseudorandom functions based on post-quantum indistinguishability obfuscation and one-way functions only. (In contrast, in [CLLZ21] the same applications are obtained under the additional, strong assumption of extractable witness encryption. We refer to [CLLZ21] for additional discussion.)
Our main result is stated as Theorem 2.1 in Section 2. We first show the theorem directly by following the template introduced in [TFKW13] and adapting it to subspace coset states using some of the arguments from [CLLZ21] as well as some new steps. It is interesting to note that the direct proof does not make much use of the particular structure of the subspaces, rather just the fact that the states are constructed from cosets. As such, it might be possible to generalise this monogamy property to coset states for a much larger class of groups, such as those in [ACP20].
Next, we revisit our direct proof by making a simple but useful connection between subspace coset states and BB'84 states. (This connection was first used in [VZ21] to analyze a proof of quantum knowledge for subspace coset states.) To explain the connection, let $A$ be a subspace spanned by canonical vectors, where we write $|x\rangle_\theta = |x_1\rangle_{\theta_1} \cdots |x_n\rangle_{\theta_n}$ with $|x_i\rangle_{\theta_i} = H^{\theta_i}|x_i\rangle$, $H$ the Hadamard gate. Thus coset subspace states for "basis-aligned" subspaces are exactly BB'84 states.
This observation leads to a partition of subspace coset states such that subspace coset states in each element of the partition are in 1-to-1 correspondence with BB'84 states under a simple unitary permutation of the standard basis, see Claim 5.2 for a precise formulation. While this observation implicitly appears in some of the arguments from [CLLZ21], as well as in our direct proof of Theorem 2.1, making it explicit allows us to directly relate the strong monogamy game from [CLLZ21] (which we refer to as the "coset-monogamy game") to a simple variant of the monogamy game from [TFKW13] (which we refer to as the "basis-monogamy game") whose maximum success probability we bound using a similar technique to the one introduced in their paper. Ultimately this "proof by reduction" is very similar to the direct proof; we include it in the hope that the simple reduction pointed out here will find further uses in the analysis of monogamy games motivated by tasks in quantum cryptography.
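The basis-aligned case of this correspondence can be checked numerically for small $n$. The following is an added example, not code from the paper; it assumes the coset state is $X^s Z^{s'}|A\rangle$ with $|A\rangle$ the uniform superposition over $A$ (the one-time-padded form described in the abstract), and all function names are chosen here.

```python
import math
from itertools import combinations, product

def coset_state(n, theta, s, sp):
    """Amplitudes of X^s Z^{s'} |A> for A = span{e_i : theta_i = 1}.

    Assumed definition (not spelled out on the page): |A> is the uniform
    superposition over A, and the one-time pad applies Z^{s'} then X^s.
    """
    free = [i for i in range(n) if theta[i]]
    amp = 2 ** (-len(free) / 2)
    psi = {}
    for bits in product((0, 1), repeat=len(free)):
        a = [0] * n
        for i, b in zip(free, bits):
            a[i] = b
        sign = (-1) ** sum(ai * ti for ai, ti in zip(a, sp))  # Z^{s'}|a>
        shifted = tuple(ai ^ si for ai, si in zip(a, s))      # X^s|a> = |a+s>
        psi[shifted] = sign * amp
    return psi

def bb84_state(theta, x):
    """Amplitudes of |x>_theta = H^{theta_1}|x_1> ... H^{theta_n}|x_n>."""
    psi = {}
    for y in product((0, 1), repeat=len(x)):
        amp = 1.0
        for yi, xi, ti in zip(y, x, theta):
            if ti:
                amp *= (-1) ** (xi * yi) / math.sqrt(2)  # <y_i|H|x_i>
            elif yi != xi:
                amp = 0.0
        if amp:
            psi[y] = amp
    return psi

def inner(psi, phi):
    """Inner product of two real-amplitude states stored as dicts."""
    return sum(v * phi.get(k, 0.0) for k, v in psi.items())

def check_basis_aligned(n):
    """Compare every basis-aligned coset state with the matching BB'84 state.

    Returns the number of (theta, s, s') triples checked; raises on mismatch.
    """
    checked = 0
    for ones in combinations(range(n), n // 2):
        theta = tuple(int(i in ones) for i in range(n))
        for s in product((0, 1), repeat=n):
            for sp in product((0, 1), repeat=n):
                # Standard-basis positions read off s, Hadamard positions s'.
                x = tuple(sp[i] if theta[i] else s[i] for i in range(n))
                # Global sign picked up when X^s acts on the Hadamard positions.
                phase = (-1) ** sum(s[i] * sp[i] for i in ones)
                ov = inner(coset_state(n, theta, s, sp), bb84_state(theta, x))
                if abs(ov - phase) > 1e-9:
                    raise AssertionError((theta, s, sp, ov))
                checked += 1
    return checked

if __name__ == "__main__":
    print(check_basis_aligned(4), "basis-aligned coset states match BB'84 states")
```

The only discrepancy between the two families is a global sign, which disappears when $s$ and $s'$ are taken as coset representatives supported on complementary positions.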
In Section 2 we introduce the strong monogamy game (called coset-monogamy game here) and state our main result, Theorem 2.1. In Section 3 we prove our main result. In Section 4 we introduce and analyze our variant of the BB'84-based monogamy game from [TFKW13] (called basis-monogamy game here). Finally in Section 5 we show a reduction from the coset monogamy game to the basis monogamy game.

The coset-monogamy game
The following game is a monogamy game introduced in [CLLZ21], where it is called "strong monogamy game" (see Section 4.4 therein). For a linear subspace $A$ of $\mathbb{F}_2^n$ and $s, s' \in \{0, 1\}^n$ recall the notation where $X^s = X^{s_1} \otimes \cdots \otimes X^{s_n}$, $Z^{s'} = Z^{s'_1} \otimes \cdots \otimes Z^{s'_n}$ with $X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$ and $Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$.
We formulate the game exactly as in [CLLZ21, Section 4.4]. The only difference is that we rename $\mathcal{A}_0$ into "the adversary", $\mathcal{A}_1$ into "Bob" and $\mathcal{A}_2$ into "Charlie". Thus the game is played between a trusted "challenger" and two untrusted, cooperating players Bob and Charlie. The game is parametrized by an even integer $n \geq 2$.
1. Preparation: The challenger picks a uniformly random subspace $A \subseteq \mathbb{F}_2^n$ of dimension $\frac{n}{2}$ and two uniformly random elements $s, s' \in \mathbb{F}_2^n$. The challenger sends $|A_{s,s'}\rangle$ to the adversary.
4. Answer: Bob returns $s_1 \in \mathbb{F}_2^n$ and Charlie returns $s_2 \in \mathbb{F}_2^n$.
5. Winning condition: The adversary, Bob, and Charlie win if and only if $s_1 \in A + s$ and
Our main result is a bound on the maximum winning probability of the adversary, Bob, and Charlie in the coset-monogamy game.
Theorem 2.1. Let $n \geq 1$ be an even integer. Let $q_n$ be the adversary, Bob, and Charlie's maximum probability of winning in the coset-monogamy game. Then
Remark 2.2. We have that $\cos\frac{\pi}{8} \approx 0.924$, whereas in [TFKW13] the bound $(1/2 + 1/(2\sqrt{2}))^n \approx 0.854^n$ is obtained on the success probability for the variant of the game where Bob and Charlie both have to answer a complete string of measurement outcomes $y, z \in \{0, 1\}^n$. Since our version of the game is easier, the bound is slightly weaker. We did not attempt to check if the bound we obtain is optimal.
We give two proofs of the theorem. Ultimately, both proofs rely on the technique from [TFKW13], and lead to the same numerical bound on the success probability. The difference is that the first proof is direct, while the second proof proceeds by a reduction to a variant of the monogamy game from [TFKW13]. Since the reduction is intuitively clear, and the monogamy game we reduce to, being based on BB'84 states, is easier to analyze, the second proof is conceptually simpler and potentially more general. However, it is less direct.

Direct proof
We give a direct proof of Theorem 2.1. The proof proceeds in two steps. In the first step we reduce to the analysis of an extended nonlocal game of the form considered in [JMRW16]. This step is standard in the analysis of monogamy games, and also appears as [CLLZ21, Lemma C.6]. We formulate it in Lemma 3.1 below. In the second step we bound the maximum success probability in the extended nonlocal game. This step relies on a technique introduced in [TFKW13] to bound the operator norm of a tripartite operator introduced to model the players' actions in the game. We describe this step in Section 3.2.

Reduction to an extended nonlocal game
Write $G_{\frac{n}{2},n}$ for the set of linear subspaces of $\mathbb{F}_2^n$ of dimension $\frac{n}{2}$. For $A \in G_{\frac{n}{2},n}$ write $\mathrm{CS}(A)$ for a fixed set of representatives of the cosets of $A$. In particular, $|\mathrm{CS}(A)| = 2^{\frac{n}{2}}$.

Lemma 3.1. Fix a strategy for the coset-monogamy game, consisting of a channel Φ : H
for Charlie. Let $q_n$ be the probability that this strategy succeeds in the game. Then ) and all expectations are uniform averages.
While the first equality is by definition, the second equality is what we refer to as a "reduction to an extended nonlocal game." This is because the second line can be interpreted as the success probability in the following three-player game: (i) Bob and Charlie prepare a tripartite state $\rho_{ABC}$ such that $A$ is an $n$-qubit register. They give $A$ to Alice and keep $B$ and $C$ respectively. (ii) Alice selects a uniformly random subspace $A \in G_{\frac{n}{2},n}$ and gives $A$ to Bob and Charlie. She measures the register $A$ using the projective measurement $\{|A_{s,s'}\rangle\langle A_{s,s'}|\}$ with outcomes $(s, s') \in \mathrm{CS}(A) \times \mathrm{CS}(A^\perp)$. (iii) Bob and Charlie measure their registers using arbitrary POVM $\{B^A_s\}$ and $\{C^A_{s'}\}$ respectively. They win if and only if they obtain outcomes, $s$ for Bob and $s'$ for Charlie, that match Alice's.
Proof. To show the second equality we expand using the definition of ρ which gives the result.

Analysis of extended nonlocal game
We need two preliminary lemmas. The first bounds the overlap of operators constructed as sums of coset state projections. We use $\|\cdot\|$ to denote the operator norm, i.e. the largest singular value.

Lemma 3.2. For any
a projection onto the subspace spanned by the vectors given by the elements of the coset B + t.
which uses $\|\sum_s X_s\| \leq \max_s \|X_s\|$ for $X_i$ Hermitian with orthogonal range. Now, for any $s \in \mathrm{CS}(A)$, Plugging this back into (4) completes the proof.
The second lemma is a key bound used in [TFKW13].
We give the permutations we will use to apply Lemma 3.3. For $n \geq 2$ even let where for a string $\gamma$, $|\gamma|$ denotes its Hamming weight (number of nonzero entries).
Lemma 3.4. Let $n$ be an even integer. Then there are $N = \binom{n}{n/2}$ mutually orthogonal permutations $\pi_1, \ldots, \pi_N$ of $C_{n,n/2}$ such that the following holds. For each $k \in \{0, \ldots, \frac{n}{2}\}$ there are exactly $\binom{n/2}{k}^2$ permutations $\pi_j$ such that the number of positions at which $\gamma$ and $\pi_j(\gamma)$ are both $1$ is $\frac{n}{2} - k$.
Proof. Fix $n \geq 2$ an even integer, and let $k \in \{1, \ldots, \frac{n}{2}\}$. Let $G_{n,k}$ be the graph with vertex set $C_{n,n/2}$ and an edge between any $\gamma, \gamma' \in C_{n,n/2}$ such that the number of positions at which $\gamma$ and $\gamma'$ are both $1$ is exactly $\frac{n}{2} - k$. We claim that the minimum degree $d_k$ of $G_{n,k}$ is at least $\binom{n/2}{k}^2$. Indeed, for any $\gamma \in C_{n,n/2}$ we can define distinct $\gamma'$ that are connected to it in $G_{n,k}$ by choosing $k$ locations among the $\frac{n}{2}$ $1$-positions of $\gamma$, $k$ locations among the $\frac{n}{2}$ $0$-positions, and flipping those values. For each edge in $G_{n,k}$ create two directed edges to obtain a directed graph $\vec{G}_{n,k}$. In $\vec{G}_{n,k}$ each vertex has in-degree at least $d_k$, and out-degree at least $d_k$. Thus we can find $d_k$ non-overlapping oriented vertex cycle covers of $\vec{G}_{n,k}$, call them $c_{k,1}, \ldots, c_{k,d_k}$. [2] To each such oriented vertex cycle cover associate a permutation $\pi_{k,i}$ of $C_{n,n/2}$ in the natural way. By construction for any $i \neq i'$, $\pi_{k,i}$ and $\pi_{k,i'}$ are orthogonal.
For $k = 0$, set $\pi_{0,1}$ to be the identity permutation of $C_{n,n/2}$. We observe that for $k \neq k'$ and any $i, i'$ it must be that $\pi_{k,i}$ and $\pi_{k',i'}$ are orthogonal permutations. This is because two elements of $C_{n,n/2}$ can be connected by an edge in at most one $G_{n,k}$. To conclude, use that by the Vandermonde identity we have found a total of
Remark 3.5. For any set $X$ of cardinality $n$, we can consider the $\pi_j$ as permutations on the collection of subsets of size $\frac{n}{2}$, instead of permutations of $C_{n,n/2}$. We do this by fixing an ordering of the elements of $X$, and referring to the subsets by their indicator strings. The set of indicator strings is $C_{n,n/2}$, on which $\pi_j$ acts. Below, we apply this remark where the set $X$ in question is a basis of $\mathbb{F}_2^n$, and the subsets are bases of subspaces of dimension $\frac{n}{2}$.
We are ready to complete our proof of the upper bound on the winning probability of the coset-monogamy game.
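The construction in the proof of Lemma 3.4, including the repeated removal of cycle covers described in footnote 2, can be run for small $n$. This is an added example, not code from the paper: the function names are chosen here, each cycle cover is found with a standard bipartite matching routine, and the orthogonality check assumes the definition from [TFKW13] that $\pi_i(\gamma) \neq \pi_j(\gamma)$ for every $\gamma$ whenever $i \neq j$.

```python
from itertools import combinations
from math import comb

def half_weight_strings(n):
    """C_{n,n/2}, each string represented by the frozenset of its 1-positions."""
    return [frozenset(c) for c in combinations(range(n), n // 2)]

def cycle_cover(adj, verts):
    """One oriented vertex cycle cover of the directed graph `adj`, found as a
    perfect matching (Kuhn's augmenting paths) between out- and in-copies."""
    pred = {}  # head vertex -> tail vertex currently matched to it

    def augment(g, seen):
        for h in adj[g]:
            if h not in seen:
                seen.add(h)
                if h not in pred or augment(pred[h], seen):
                    pred[h] = g
                    return True
        return False

    for g in verts:
        if not augment(g, set()):
            raise ValueError("no cycle cover exists")
    return {g: h for h, g in pred.items()}

def orthogonal_permutations(n):
    """List of (k, pi): pi is a permutation of C_{n,n/2} (as a dict) under which
    gamma and pi(gamma) share exactly n/2 - k positions equal to 1."""
    verts = half_weight_strings(n)
    perms = [(0, {g: g for g in verts})]  # k = 0: the identity permutation
    for k in range(1, n // 2 + 1):
        # Directed version of G_{n,k}: both orientations of every edge.
        adj = {g: {h for h in verts if len(g & h) == n // 2 - k} for g in verts}
        d_k = min(len(out) for out in adj.values())
        for _ in range(d_k):
            pi = cycle_cover(adj, verts)
            for g, h in pi.items():
                adj[g].remove(h)  # footnote 2: delete the edges just used
            perms.append((k, pi))
    return perms

def count_by_k(perms):
    """Number of permutations produced for each value of k."""
    counts = {}
    for k, _ in perms:
        counts[k] = counts.get(k, 0) + 1
    return counts

def mutually_orthogonal(perms, verts):
    """Assumed definition from [TFKW13]: pi_i(g) != pi_j(g) for i != j, all g."""
    bijective = all(set(pi.values()) == set(verts) for _, pi in perms)
    distinct = all(len({pi[g] for _, pi in perms}) == len(perms) for g in verts)
    return bijective and distinct

if __name__ == "__main__":
    n = 6
    perms = orthogonal_permutations(n)
    print(count_by_k(perms), len(perms) == comb(n, n // 2))
```

For $n = 6$ the per-$k$ counts are $1, 9, 9, 1$, which sum to $\binom{6}{3} = 20$, the total that the Vandermonde identity gives in the proof.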
Proof of Theorem 2.1. Fix a strategy for the coset-monogamy game, consisting of a channel $\Phi : \mathcal{H}_A \to \mathcal{H}_B \otimes \mathcal{H}_C$ and, for each $A \in G_{\frac{n}{2},n}$, POVMs $\{B^A_s\}_{s \in \mathrm{CS}(A)}$ for Bob and $\{C^A_{s'}\}_{s' \in \mathrm{CS}(A^\perp)}$ for Charlie. Let $q_n$ be the probability that this strategy succeeds in the game. Using Naimark's theorem as in Lemma 9 of [TFKW13], we may assume that the POVMs are projective. Using Lemma 3.1, As in [CLLZ21] we decompose the average over the subspaces followed by an average over bases of $\mathbb{F}_2^n$, and then over subspaces that may be spanned by $\frac{n}{2}$ vectors from the basis. Using the triangle inequality we can bound the winning probability as We apply Lemma 3.3 using the permutations $\pi_1, \ldots, \pi_N$ from Lemma 3.4, where $N = \binom{n}{n/2}$. Applying the lemma, which satisfy $\Pi^A \leq P$ and $\Pi^B \leq Q$. Thus $\langle v|P|v\rangle = \|PQ\|^2$, (8) and using Lemma 3.2, By Lemma 3.4 for $k \in \{0, \ldots, \frac{n}{2}\}$ there are $\binom{n/2}{k}^2$ permutations $\pi_j$ such that the dimension of $\mathrm{span}(\gamma) \cap \mathrm{span}(\pi_j(\gamma))$ is $\frac{n}{2} - k$. Plugging (9) back into (6) we thus get The final bound is provided by Lemma 3.6 stated below.
[2] To show this, find a first cycle cover in an arbitrary way and remove all edges used. This reduces both the out- and in-degrees by exactly 1. Repeat until the minimum degree reaches zero.

The basis-monogamy game
In this section we introduce a monogamy game which we call the basis-monogamy game. While this game is conceptually simpler than the coset-monogamy game introduced in Section 2, in the next section we will show that the latter can be reduced to the former. Here we focus on the basis-monogamy game, which may be of independent interest, and its analysis.
We formulate the game directly as an extended nonlocal game, that can be seen as a variant of a game introduced in [TFKW13]. Informally, in the game from [TFKW13] two players Bob and Charlie are trying to both be maximally entangled with Alice: they are required to prepare a tripartite state $\rho_{ABC}$, where $A$ is an $n$-qubit register handed over to Alice, and $B$ and $C$ are arbitrary registers kept by Bob and Charlie respectively, such that when Alice measures her $n$ qubits in a randomly chosen basis $\theta \in \{0, 1\}^n$ (where as usual $\theta_i = 0$ denotes a measurement in the standard basis, and $\theta_i = 1$ a measurement in the Hadamard basis) to obtain a string of outcomes $x \in \{0, 1\}^n$, given $\theta$ as side information Bob and Charlie are able to return strings $y, z \in \{0, 1\}^n$ respectively such that $x = y = z$. Our variant of the game introduces two simple modifications: first, $n$ is even and $\theta$ is chosen such that $|\theta| = \frac{n}{2}$, and second, Bob and Charlie are only asked to predict measurement outcomes associated with the standard basis ($\theta_i = 0$) and Hadamard basis ($\theta_i = 1$), respectively. More formally, for $n$ an even integer the basis-monogamy game proceeds as follows.
1. Preparation: Bob and Charlie together prepare a state $\rho_{ABC}$ such that $A$ is an $n$-qubit register and $B$ and $C$ are arbitrary. They pass $A$ to Alice and keep registers $B$ and $C$ to themselves, respectively.
Naturally this game is slightly easier than the one considered in [TFKW13]. Nevertheless we can use the same proof technique to bound the maximum success probability and obtain the following result.
Proof. The proof follows very closely the proof of [TFKW13, Theorem 3]. Fix an arbitrary strategy for the game that succeeds with probability $p_n$. The strategy consists of a state $\rho_{ABC}$ and for each $\theta \in C_{n,n/2} = \{\gamma \in \{0, 1\}^n : |\gamma| = \frac{n}{2}\}$ two POVMs $\{B^\theta_y\}_{y \in \{0,1\}^T}$ and $\{C^\theta_z\}_{z \in \{0,1\}^T}$ respectively. Applying Naimark's dilation theorem if needed, assume without loss of generality that both families of measurements are projective. For any $\theta \in \{0, 1\}^n$ such that $|\theta| = \frac{n}{2}$ define Then $\Pi^\theta$ is a projector. Furthermore we can express the strategy's success probability as where the first inequality follows by linearity and the definition of the operator norm and the second inequality follows from Lemma 3.3. In the third line we set $N = \binom{n}{n/2}$ and $\pi_1, \ldots, \pi_N$ are the $N$ mutually orthogonal permutations promised by Lemma 3.4.
Note that at this stage we are in a situation that is very similar to the situation at Eq. (6) in the proof of Theorem 2.1. The only difference is that there is a single basis $\beta$, that is the standard basis of $\mathbb{F}_2^n$ (i.e. the coordinate vectors). We make the correspondence between the two situations more explicit in Section 5. Here, for clarity we complete the proof without at all resorting to the notation of subspaces.
Fix an arbitrary pair $(\theta, \theta')$ and let $R$ be the set of indices in which $\theta$ and $\theta'$ differ. Without loss of generality, assume that $\theta_R$ has Hamming weight at most $|R|/2$; if not we exchange the roles of $\theta$ and $\theta'$. Let $S = \{i \in R : \theta_i = 0\}$, so that $S \subseteq R$ and $|S| > |R|/2$. Let where $\mathrm{Id}_{\overline{S}}$ denotes the identity on qubits of register $A$ that do not lie in the set $S$. Similarly, let where $H_S$ denotes a Hadamard on each of the qubits in $S$. We compute where for the second line we used that $P^\theta_{x_T} P^\theta_{z_T} = \delta_{x_T,z_T} P^\theta_{x_T}$ and for the third line that $|\langle x_S|H_S|y_S\rangle|^2 = 2^{-|S|}$ for all $x$, $y$ and $y$ where the second inequality is because $|S| \geq |R|/2$. Hence for all $(\theta, \theta')$, where in the first equality we used that $\Pi^\theta$ is a projection, the first inequality uses $\Pi^\theta \leq P$ because $C^\theta_{x_T} \leq \mathrm{Id}$ for all $x_T$, the second equality uses that $P$ and $\Pi^\theta$ are projections and the last inequality that $\Pi^\theta \leq Q$. By Lemma 3.4 for any $k \in \{0, \ldots, \frac{n}{2}\}$ there are $\binom{n/2}{k}^2$ permutations $\pi_j$ such that $\theta$ and $\pi_j(\theta)$ differ in $2k$ positions, i.e. such that $|R| = 2k$. Returning to (10) and using (11) we obtain We conclude using Lemma 3.6.

Reduction to the coset-monogamy game
In this section we show a reduction from the coset-monogamy game to the basis-monogamy game. This gives a second proof of Theorem 2.1, by reduction to Theorem 4.1.
Proposition 5.1. Let $n \geq 2$ be an even integer. Let $p_n$ be the maximum probability of winning for Bob and Charlie in the basis-monogamy game. Let $q_n$ be the maximum probability of winning for the adversary, Bob and Charlie in the coset-monogamy game. Then
Proof. Let $n \geq 2$ be even. Fix a strategy for the adversary that succeeds with some probability $q'_n \leq q_n$ in the coset-monogamy game. This strategy is specified by a channel $\Phi$ and families of POVM $\{B^A_s\}_{s \in \mathbb{F}_2^n}$ and $\{C^A_s\}_{s \in \mathbb{F}_2^n}$ for Bob and Charlie respectively. Here, the POVMs are indexed by subspaces $A$ and return outcomes $s \in \mathbb{F}_2^n$. We define a strategy for Bob and Charlie in the basis-monogamy game that succeeds with probability $p'_n = q'_n$. The strategy is as follows:
1. Bob and Charlie prepare $n$ EPR pairs, $\rho_{AA'} = |\phi^+\rangle\langle\phi^+|^{\otimes n}$ where $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ and registers $A$ and $A'$ are $n$ qubits each, containing the $n$ first halves and the $n$ second halves of the EPR pairs respectively. They select a uniformly random basis $B = \{u_1, \ldots, u_n\}$ of $\mathbb{F}_2^n$ which they each keep a copy of. Let $U_B$ be the unitary of $(\mathbb{C}^2)^{\otimes n}$ which permutes standard basis vectors as They apply $U_B$ to register $A'$ and then compute where $\rho_{ABC}$ is the state defined in (14) and the expectation is over a uniformly random $\theta \in \{0, 1\}^n$ (as chosen by the challenger) and basis $B = \{u_1, \ldots, u_n\}$ for $\mathbb{F}_2^n$ (as chosen by Bob and Charlie). Using Claim 5.2, where $A$ is defined from $x$, $\theta$ and $B$ as in (15), $s = \sum_{i \in T} x_i u_i$ and $s' = \sum_{i \in T} x_i u_i$. Thus where the second equality is by definition of $B^{B,\theta}_{x_T}$ and $C^{(B,\theta)}_{x_T}$ in (16) and the expectation is over a uniformly random subspace $A \subseteq \mathbb{F}_2^n$ of dimension $\frac{n}{2}$. Here we used that choosing such an $A$ uniformly at random and returning $(A, A^\perp)$ yields the same distribution as choosing a basis $B = \{u_1, \ldots, u_n\}$ and $\theta \in \{0, 1\}^n$ such that $|\theta| = \frac{n}{2}$ uniformly at random and returning $(\mathrm{Span}\{u_i : \theta_i = 1\}, \mathrm{Span}\{u_i : \theta_i = 0\})$.
In the second line above, the expectation over $s, s'$ is uniform over $s \in A^\perp$ and $s' \in A$, and in the third line it is uniform over $s, s' \in \{0, 1\}^n$; equality between the second and third lines follows from the definition of $|A_{s,s'}\rangle$. The expression in (17) is precisely $q'_n$, hence we have shown that $p'_n = q'_n$. Taking the supremum over all strategies in the coset-monogamy game proves the lemma.
The following claim is used in the proof of Proposition 5.1.
Proof. First observe that Next we verify that for any $x, x' \in \{0, 1\}^n$, where $t = \sum_i x_i u_i$ and $t' = \sum_i x'_i u_i$. This completes the proof of the claim as where the first line is by (18), the second by (19), the third by definition of $|A\rangle$, $U_B$, and $|0\rangle_\theta = \sum_{b \in \{0,1\}^T} |\sum_i b_i e_i\rangle$, and the last is by definition of $|A_{s,s'}\rangle$. It remains to show (18). We show the first relation, the second is analogous. Writing $X^x = \sum_y |x + y\rangle\langle y|$ and using the definition of $U_B$ we get where we defined $y = \sum_i y_i u_i$ and used linearity. The right-hand side is precisely $X^x$.