A monogamy-of-entanglement game for subspace coset states

We establish a strong monogamy-of-entanglement property for subspace coset states, which are uniform superpositions of vectors in a linear subspace of 𝔽_2^n to which has been applied a quantum one-time pad. This property was conjectured recently by [Coladangelo, Liu, Liu, and Zhandry, Crypto'21] and shown to have applications to unclonable decryption and copy-protection of pseudorandom functions. We present two proofs, one which directly follows the method of the original paper and the other which uses an observation from [Vidick and Zhang, Eurocrypt'20] to reduce the analysis to a simpler monogamy game based on BB'84 states. Both proofs ultimately rely on the same proof technique, introduced in [Tomamichel, Fehr, Kaniewski and Wehner, New Journal of Physics '13].




1 Introduction

Informally, a monogamy game is a game in which the maximum success probability is tied to the monogamy of entanglement, i.e. limitations on the strength of quantum multipartite correlations. The simplest such game goes as follows. Two players Bob and Charlie aim to prepare a tripartite state , such that A is a single qubit and B and C are arbitrary, and the following holds: given a measurement of A in the standard or Hadamard basis yielding an outcome it is possible to predict both by making a measurement on B only and on C only, given the chosen basis as side information. Monogamy of entanglement expresses itself by the fact that while ignoring C it is possible to win in this game with probability by choosing to be an EPR pair, as soon as C is present the maximum winning probability drops to .

Monogamy games have played an important role in quantum cryptography since some of the first proofs of security of quantum key distribution, which make use of monogamy through uncertainty relations such as , with and classical random variables that denote the outcome of a measurement of A in the standard and Hadamard bases respectively [KOA06, TL17]. In this note we study a monogamy game introduced recently in [CLL+21] and called “strong monogamy game” therein. Informally, in the game two players Bob and Charlie cooperate in an attempt to create two copies of a coset subspace state where is a linear subspace of and are arbitrary, such that given the first copy and a description of it is possible to obtain a vector , while given the other copy and the description of it is possible to obtain a vector , with . [Footnote 1: Here it is crucial that is revealed only after the “copying” has taken place, as given and itself it is possible to recover and , .] (We describe the game in detail in Section 2.) In [CLL+21] the authors show a sub-exponentially decaying bound on the players’ maximum success probability in a variant of this game where from each copy a pair has to be returned. While the original subspace coset game is more useful for their cryptographic applications they are unable to analyze it. In this paper we show an exponentially decaying bound on the players’ maximum success probability in the original game; as shown in [CLL+21] this implies constructions for uncloneable decryption and copy-protection of pseudorandom functions based on post-quantum indistinguishability obfuscation and one-way functions only. (In contrast, in [CLL+21] the same applications are obtained under the additional, strong assumption of extractable witness encryption. We refer to [CLL+21] for additional discussion.)

Our main result is stated as Theorem 2.1 in Section 2. We first show the theorem directly by following the template introduced in [TFK+13] and adapting it to subspace coset states using some of the arguments from [CLL+21] as well as some new steps. Next, we revisit our proof by making a simple but useful connection between subspace coset states and BB’84 states. (This connection was first used in [VZ21] to analyze a proof of quantum knowledge for subspace coset states.) To explain the connection, let be a subspace spanned by canonical vectors, for some set with complement , and . Let be the indicator vector of , i.e.  if and only if . Let be such that whenever and whenever . Then it is easily verified that

where we write with , the Hadamard gate. Thus coset subspace states for “basis-aligned” subspaces are exactly BB’84 states. This observation leads to a partition of subspace coset states such that subspace coset states in each element of the partition are in -to- correspondence with BB’84 states under a simple unitary permutation of the standard basis, see Claim 5.2 for a precise formulation. While this observation implicitly appears in some of the arguments from [CLL+21], as well as in our direct proof of Theorem 2.1, making it explicit allows us to directly relate the strong monogamy game from [CLL+21] (which we refer to as the “coset-monogamy game”) to a simple variant of the monogamy game from [TFK+13] (which we refer to as the “basis-monogamy game”) whose maximum success probability we bound using a similar technique to the one introduced in their paper. Ultimately this “proof by reduction” is very similar to the direct proof; we include it in the hope that the simple reduction pointed out here will find further uses in the analysis of monogamy games motivated by tasks in quantum cryptography.
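The correspondence between basis-aligned coset states and BB'84 states described above can be checked exhaustively for small n. The following is an added example, not code from the paper: the function names are hypothetical, the coset state is assumed to be the one-time pad X^s Z^s' applied to the uniform superposition over A (amplitude (-1)^<a,s'> on |a+s>), and equality is tested up to a global sign. Amplitudes are kept unnormalised so the comparison is exact.

```python
from itertools import product

def coset_state(n, T, s, sp):
    """Unnormalised amplitudes of X^s Z^sp |A>, A = span{e_i : i in T}.

    Assumed convention: amplitude of |a + s> is (-1)^<a, sp> for a in A.
    The common factor 2^(-|T|/2) is dropped so arithmetic stays exact.
    """
    amp = [0] * (2 ** n)
    for bits in product((0, 1), repeat=len(T)):
        a = [0] * n
        for i, b in zip(T, bits):
            a[i] = b
        sign = (-1) ** sum(ai * spi for ai, spi in zip(a, sp))
        shifted = [ai ^ si for ai, si in zip(a, s)]
        amp[int("".join(map(str, shifted)), 2)] = sign
    return amp

def bb84_state(n, theta, x):
    """Unnormalised amplitudes of H^theta |x> (Hadamard where theta_i = 1)."""
    amp = []
    for y in product((0, 1), repeat=n):
        v = 1
        for yi, ti, xi in zip(y, theta, x):
            # theta_i = 0: standard basis, amplitude is delta(y_i, x_i)
            # theta_i = 1: Hadamard basis, amplitude is (-1)^(x_i * y_i)
            v *= (-1) ** (xi * yi) if ti else int(yi == xi)
        amp.append(v)
    return amp

def correspondence_holds(n, T):
    """Check coset state == BB'84 state (up to global sign) for all s, s'."""
    theta = [1 if i in T else 0 for i in range(n)]
    for s in product((0, 1), repeat=n):
        for sp in product((0, 1), repeat=n):
            # x takes s outside T and s' inside T, as in the text
            x = [sp[i] if i in T else s[i] for i in range(n)]
            c, b = coset_state(n, T, s, sp), bb84_state(n, theta, x)
            if c != b and c != [-v for v in b]:
                return False
    return True
```

Under the assumed convention the two vectors differ by the sign (-1)^<s,s'> restricted to T, which is why the check allows a global sign.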

In Section 2 we introduce the strong monogamy game (called coset-monogamy game here) and state our main result, Theorem 2.1. In Section 3 we prove our main result. In Section 4 we introduce and analyze our variant of the BB’84-based monogamy game from [TFK+13] (called basis-monogamy game here). Finally in Section 5 we show a reduction from the coset monogamy game to the basis monogamy game.


E.C. would like to thank Anne Broadbent. E.C.’s work is supported by a CGS M scholarship from Canada’s NSERC. T.V. is supported by NSF CAREER Grant CCF-1553477, AFOSR YIP award number FA9550-16-1-0495, MURI Grant FA9550-18-1-0161 and the IQIM, an NSF Physics Frontiers Center (NSF Grant PHY-1125565) with support of the Gordon and Betty Moore Foundation (GBMF-12500028).

2 The coset-monogamy game

The following game is a monogamy game introduced in [CLL+21], where it is called “strong monogamy game” (see Section 4.4 therein). For a linear subspace of and recall the notation

where , with and .

We formulate the game exactly as in [CLL+21, Section 4.4]. The only difference is that we rename into “the adversary”, into “Bob” and into “Charlie”. Thus the game is played between a trusted “challenger” and two untrusted, cooperating players Bob and Charlie. The game is parametrized by an even integer .

Coset-monogamy game.

  1. Preparation: The challenger picks a uniformly random subspace of dimension and two uniformly random elements . The challenger sends to the adversary.

  2. The adversary applies a quantum channel , where and , are arbitrary. The adversary computes . It sends registers B to Bob and C to Charlie, respectively.

  3. Question: The challenger sends the description of , in the form of a basis for it, to both Bob and Charlie.

  4. Answer: Bob returns and Charlie returns .

  5. Winning condition: The adversary, Bob and Charlie win if and only if and , where .

Our main result is a bound on the maximum winning probability of the adversary, Bob and Charlie in the coset-monogamy game.

Theorem 2.1.

Let be an even integer. Let be the adversary, Bob and Charlie’s maximum probability of winning in the coset-monogamy game. Then

We give two proofs of the theorem. Ultimately, both proofs rely on the technique from [TFK+13], and lead to the same numerical bound on the success probability. The difference is that the first proof is direct, while the second proof proceeds by a reduction to a variant of the monogamy game from [TFK+13]. Since the reduction is intuitively clear, and the monogamy game we reduce to, being based on BB’84 states, is easier to analyze, the second proof is conceptually simpler and potentially more general. However, it is less direct.

3 Direct proof

We give a direct proof of Theorem 2.1. The proof proceeds in two steps. In the first step we reduce to the analysis of an extended nonlocal game of the form considered in [JMR+16]. This step is standard in the analysis of monogamy games, and also appears as [CLL+21, Lemma C.6]. We formulate it in Lemma 3.1 below. In the second step we bound the maximum success probability in the extended nonlocal game. This step relies on a technique introduced in [TFK+13] to bound the operator norm of a tripartite operator introduced to model the players’ actions in the game. We describe this step in Section 3.2.

3.1 Reduction to an extended nonlocal game

Write for the set of linear subspaces of of dimension . For write for a fixed set of representatives of the cosets of . In particular, .

Lemma 3.1.

Fix a strategy for the coset-monogamy game, consisting of a channel and for each POVMs for Bob and for Charlie. Let be the probability that this strategy succeeds in the game. Then

where with the EPR pair, and all expectations are uniform averages.

While the first equality is by definition, the second equality is what we refer to as a “reduction to an extended nonlocal game.” This is because the second line can be interpreted as the success probability in the following three-player game: (i) Bob and Charlie prepare a tripartite state such that A is an -qubit register. They give A to Alice and keep B and C respectively. (ii) Alice selects a uniformly random subspace and gives to Bob and Charlie. She measures A using the projective measurement with outcomes . (iii) Bob and Charlie measure their registers using arbitrary POVM and respectively. They win if and only if they obtain outcomes, for Bob and for Charlie, that match Alice’s.


To show the second equality we expand using the definition of

which gives the result. ∎

3.2 Analysis of extended nonlocal game

We need two preliminary lemmas. The first bounds the overlap of operators constructed as sums of coset state projections. We use to denote the operator norm, i.e. the largest singular value.

Lemma 3.2.

For any , and we have that the overlap


First, note that


a projection onto the subspace spanned by the vectors given by the elements of the coset . Let . Then


where the second equality uses that are orthogonal projectors. Since we have that is a superposition of basis elements in , so is a superposition of basis elements in , giving that the set of over is orthogonal. Thus,


which uses for Hermitian with orthogonal range. Now, for any ,

Plugging this back into (4) completes the proof. ∎

The second lemma is a key bound used in [TFK+13].

Lemma 3.3 (Lemma 2 in [TFK+13]).

Let be positive semidefinite operators on a Hilbert space. Then

where is any set of mutually orthogonal permutations of , i.e. only has a fixed point if .

We give the permutations we will use to apply Lemma 3.3. For even let

where for a string , denotes its Hamming weight (number of nonzero entries).

Lemma 3.4.

Let be an even integer. Then there are mutually orthogonal permutations of such that the following holds. For each there are exactly permutations such that the number of positions at which and are both is .


We consider the following family. For any and any subsets such that we define as follows. Let . Let . Order the elements of as and those of as . Define to be the symmetric difference of with the set . Note that this corresponds to removing elements from and adding elements from , so . Define as the string that is at the positions given by and elsewhere. Thus, is a permutation of strings of Hamming weight . Moreover, it is direct to verify that if and only if and and by definition and share exactly locations where they are both . Finally, using the Vandermonde identity there are exactly

such permutations, as desired. ∎

Remark 3.5.

Instead of permutations of we can consider the as permutations on the set of subsets of size of a universe of size by fixing an ordering of the elements of the universe and, for any subset, considering the binary string to be the indicator function of the subset.

We are ready to complete our proof of the upper bound on the winning probability of the coset-monogamy game.

Proof of Theorem 2.1.

Fix a strategy for the coset-monogamy game, consisting of a channel and, for each , POVMs for Bob and for Charlie. Let be the probability that this strategy succeeds in the game. Without loss of generality, assume that the POVMs are projective. Using Lemma 3.1,


As in [CLL+21] we decompose the average over the subspaces followed by an average over bases of , and then over subspaces that may be spanned by vectors from the basis. Using the triangle inequality we can bound the winning probability as


We apply Lemma 3.3 using the permutations from Lemma 3.4, where . Applying the lemma,


For any subspaces define the projectors


which satisfy and . Thus


and using Lemma 3.2,


By Lemma 3.4 for there are permutations such that the dimension of is . Plugging (9) back into (6) we thus get

The final bound is provided by Lemma 3.6 stated below. ∎

Lemma 3.6.

For any even integer ,


We bound for any and

which gives

as claimed. ∎

4 The basis-monogamy game

In this section we introduce a monogamy game which we call the basis-monogamy game. While this game is conceptually simpler than the coset-monogamy game introduced in Section 2, in the next section we will show that the latter can be reduced to the former. In this section we focus on the basis-monogamy game, which may be of independent interest, and its analysis.

We formulate the game directly as an extended nonlocal game, that can be seen as a variant of a game introduced in [TFK+13]. Informally, in the game from [TFK+13] two players Bob and Charlie are trying to both be maximally entangled with Alice: they are required to prepare a tripartite state , where A is an -qubit register handed over to Alice and B and C are arbitrary registers kept by Bob and Charlie respectively, such that when Alice measures her qubits in a randomly chosen basis (where as usual denotes a measurement in the standard basis, and a measurement in the Hadamard basis) to obtain a string of outcomes , given as side information Bob and Charlie are able to return strings respectively such that . Our variant of the game introduces two simple modifications: first, is even and is chosen such that , and second, Bob and Charlie are only asked to predict measurement outcomes associated with the standard basis () and Hadamard basis (), respectively. More formally, for an even integer the basis-monogamy game proceeds as follows.

Basis-monogamy game.

  1. Preparation: Bob and Charlie together prepare a state such that A is an -qubit register and B and C are arbitrary. They pass A to Alice and keep registers B and C to themselves, respectively.

  2. Question: Alice chooses uniformly at random conditioned on . Alice measures each qubit of A in the basis indicated by to obtain a string of outcomes . She sends to Bob and Charlie. Let .

  3. Answer: Bob returns a string . Charlie returns a string .

  4. Winning condition: Bob and Charlie win if and only if and .

Naturally this game is slightly easier than the one considered in [TFK+13]. Nevertheless we can use the same proof technique to bound the maximum success probability and obtain the following result.

Theorem 4.1.

Let be an even integer. Let be Bob and Charlie’s maximum probability of winning in the basis-monogamy game. Then

Remark 4.2.

We have that , whereas in [TFK+13] the bound is obtained on the success probability for the variant of the game where Bob and Charlie both have to answer a complete string of measurement outcomes . Since our version of the game is easier, the bound is slightly weaker. We did not attempt to check if the bound we obtain is optimal.


The proof follows very closely the proof of [TFK+13, Theorem 3]. Fix an arbitrary strategy for the game that succeeds with probability . The strategy consists of a state and for each two POVM and respectively. Applying Naimark’s dilation theorem if needed, assume without loss of generality that both families of measurements are projective. For any such that define

Then is a projector. Furthermore we can express the strategy’s success probability as


where the first inequality follows by linearity and the definition of the operator norm and the second inequality follows from Lemma 3.3. In the third line we set and are the mutually orthogonal permutations promised by Lemma 3.4.

Note that at this stage we are in a situation that is very similar to the situation at Eq. (6) in the proof of Theorem 2.1. The only difference is that there is a single basis that is the standard basis of (i.e. the coordinate vectors). We make the correspondence between the two situations more explicit in Section 5. Here, for clarity we complete the proof without at all resorting to the notation of subspaces.

Fix an arbitrary pair and let be the set of indices in which and differ. Without loss of generality, assume that has Hamming weight at most ; if not we exchange the roles of and . Let , so that and . Let

so that . Let

where denotes the identity on qubits of register A that do not lie in the set . Similarly, let

where denotes a Hadamard on each of the qubits in . We compute

where for the second line we used that and for the third line that for all and for all . Using that it follows that

where the second inequality is because . Hence for all ,


where in the first equality we used that is a projection, the first inequality uses because for all