UNIVERSITY OF CALGARY. Point Games in Quantum Weak Coin Flipping Protocols. Edouard Pelchat A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES

Transcription

1 UNIVERSITY OF CALGARY Point Games in Quantum Weak Coin Flipping Protocols by Edouard Pelchat A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE CALGARY, ALBERTA AUGUST, c Edouard Pelchat

2 Abstract Two parties, wishing to establish a shared random bit at a distance, must solve a problem known as coin flipping. Classical two-party secure computations such as coin flipping are impossible in the information theoretic setting. However quantum information allows for the possibility of unconditional security. Mochon defines a model of secure two-party computations, point games, to show the existence of optimal quantum weak coin flipping protocols in [9]. His ground-breaking result is widely accepted, but its proof is very complicated, has never been validated, and remains poorly understood despite the efforts of several researchers [,, ]. In this thesis we use analytical and mathematical methods to study point games. We discover several new primitives, and construct new building blocks to define a new family of point games. We present a new truncation technique that is simpler, more efficient, is more intuitive, and achieves better results than the best previously known. We provide concrete examples of these point games. We analyze Mochon s optimal point games, and we identify the key elements of their construction that are not specified. We also provide a new recursion technique that achieves better results than the one proposed by Mochon. Furthermore, we construct simple and elegant point games using binomial coefficients. Our point games are simpler than Mochon s, since his point games are constructed using techniques in mathematical analysis. Studying point games with new techniques may lead to a simpler formalism of two-party secure computations, and to more efficient protocols. i

3 Acknowledgements First of all, I want to thank my supervisor, Peter Høyer, who introduced me to the field of quantum computing. During my stay at the University of Calgary, Peter taught me the importance of striving for simple and intuitive solutions to problems. I am very grateful for the productive discussions that we had and the guidance he provided me. I also thank my thesis committee Lisa Higham, and Gilad Gour for taking time out of their busy schedules to read my thesis and provide useful feedback. A special thanks to my colleagues Cătălin Dohotaru, for helping me familiarize myself with various subjects in quantum computing, and Jonathan Ghallagher, for his helpful discussions. Finally, I thank my family for their love and support. ii

4 Table of Contents Abstract i Acknowledgements ii Table of Contents iii List of Tables v List of Figures vi List of Symbols viii Introduction Coin Flipping Defined Quantum Information Basics The Qubit Multiple Qubits Measurement Matrix Properties Quantum Strategy Protocol Kitaev s Formalism Point Games Overview Previous Work Overview of Thesis Original Contributions Preliminaries Point Games Defined Components Transitive properties Visual Representation Coin Flipping Point Games Fundamental Transitions Simplified Inequalities Manipulating Transitions Combining Transitions Restricted Transitions Simple Point Games Point Game Analysis Point Games with Bias greater than Spekkens and Rudolph Protocol Symmetric Point Games Extended Symmetric Point Game Analysis of Transitions Tight Transitions Standard Transitions Optimal Transitions Construction iii

5 .. Binomials Point Games with Arbitrarily Small Bias Catalyst Points Ladders Defined Infinite Ladders The Single Ladder Binomial Ladders Finite Ladders Previously-known Ladders Single Ladder Binomial Ladders Recursion Conclusion Future Work Bibliography iv

6 List of Tables. A binomial transition of degree n is defined by the nth row of Pascal s triangle. 9. The axis point distribution s probabilities for a one-shot ladder v

7 List of Figures and Illustrations. Kitaev s weak coin flipping protocol A basic transition combined with its inverse (left) gives a binomial transition (right) The linear recursion (left) and our improved recursion (right) The optimal triple ladder How to truncate an optimal triple ladder [. A configuration containing a single point, ] [ The point, ] [ is raised to, ] in a single step A point distribution contained in the vertical line of coordinate A transition connecting two configurations A point game (right) that achieves the desired final configuration (center) from an initial configuration (left) A raise p [x, y] p [x, y] A split (p + p ) [x, y] p [x, y] + p [x, y] A merge p [x, y] + p [x, y] p + p [x, y] An extra raise may (right) or may not (left) alter a transition s significant operator monotone An equidistant split (p + p ) [x, y] p [x δ, y] + p [x + δ, y] An equidistant merge p [x δ, y] + p [x + δ, y] (p + p ) [x, y] An equal probability split [x, y] [x γ, y] + [y, x + δ] A trivial point game with endpoint [, ] Bob flips the coin (left) or Alice flips the coin (right) The Spekkens and Rudolph point game with undefined parameters The Spekkens and Rudolph balanced coin flipping point game A symmetric point game with a single split on an axis A raise and a perpendicular split are interchangeable The symmetric equivalent of the Spekkens and Rudolph point game A symmetric point game with three points on an axis A symmetric point game with n + points on an axis The weight curve of a valid merge The weight curve of a tight split A weight curve of a tight split shifted outwards (left) and shifted inwards (right).. A combination of weight curves with non-trivial validity The AIW of a merge combined with its inverse The AIW of a merge combined with its shifted inverse A standard transition (,,, ) The decomposition of a standard transition into standard merges and splits. 9. An example for a prefix sum of standard merges A valid combination of a merge and its shifted inverse A valid transition (red) with a negative prefix sum of standard merges.... vi

8 .9 An invalid transition (red) with a negative prefix sum of standard merges... The inverse of a valid merge (left) shifted outwards (right) A valid merge is also valid when shifted to its minimal set of coordinates.... A split is never valid when shifted to its minimal set of coordinates A standard raise (left) and a standard merge (right) A transition defined by (,, ) A transition defined by (,,, ) A loop of probability p A ladder composed of a combination of loops The invalid (red) and the valid (blue) hinge lines of a ladder We modify the symmetric extended point game to obtain a ladder The undefined single ladder A single ladder with dual-endpoints A single ladder with single endpoint A single ladder with added loops The optimal double ladder The double ladder contains a single ladder The optimal triple ladder A polynomial ladder where k =, j =, Γ =, and point probabilities are defined A polynomial ladder where k =, j =, Γ =, and all loop probabilities are defined Undefined loop probabilities of a polynomial ladder where k = and Γ approaches infinity An invalid one-shot ladder where k =, ɛ =, 8 z = ɛ, and Γ = An efficient single ladder where Γ = A truncated single polynomial ladder where Γ = A single ladder decomposed into blocks The combination of transitions in a block matrix A block defined by the binomial (,, ) The binomial block of degrees The binomial block of degrees The rung of an infinite double ladder achieved with binomial blocks The infinite double ladder is composed of two series of binomial blocks An efficient triple ladder defined by binomial blocks An efficient triple ladder with invalid (red) and valid (blue) hinge lines Mochon s proposed linear recursion achieves an endpoint of [ ] ɛ ɛ, ɛ +ɛ ɛ +ɛ The first linear recursive step of the optimal double ladder We expand an inner point game by a factor of A recursion with incremental values of λ vii

9 List of Symbols, Abbreviations and Nomenclature Symbol AIW GCD SDP SR Definition Average Increase in Weight Greatest Common Divisor Semidefinite Program Spekkens and Rudolph viii

10 Chapter Introduction This thesis deals with a model of secure two-party computations known as point games. Unconditionally secure two-party computations are impossible in the classical information theoretic setting [9]. The fact that quantum information allows for unconditionally secure cryptographic primitives [] is one of the more interesting results in cryptography from the last century. Mochon defines the point game model in [9] to prove the existence or quantum weak coin flipping protocols with arbitrarily small bias. This model is important for cryptography since it also provides the possibility of finding optimal protocols for other secure two-party computations. However, Mochon s paper is very complicated and the formalisms he defines to create the point game model have not yet been simplified, despite the efforts of several researchers [,, ]. Mochon posted his tour-de-force to arxiv and then got a job in the Finance industry. No one understands Mochon s paper and Mochon has disappeared. Chailloux and others are attempting to decypher it. I ve looked into it a bit and got nowhere. (Gus Gutoski [8]) The status of the paper by Mochon is quite peculiar. It is an 8- page long paper, extremely technical and never peer-reviewed. (Loïck Magnin []) Someone will simplify [Mochon s] paper. Someone else will simplify that paper. Then finally, it might be understandable. (André Chailloux [])

11 There have not been significant efforts to understand the point game model, since without a simpler formalism, point games may only lead to impractical protocols []. However, understanding point games may give us new insights on the formalism, which would allow us to simplify it. If a simple formalism is discovered, a comprehensive understanding of point games will be crucial to developing efficient, optimal protocols. In this thesis we use analytical and mathematical methods to define several primitives and building blocks that are useful for constructing point games. The original contributions of this thesis are the result of joint work with my supervisor, Peter Høyer. We provide an overview of our findings in Section.... Coin Flipping Defined Coin flipping is a cryptographic primitive where two parties establish a shared uniformly random bit [], using only a classical information channel. We imagine two people, Alice and Bob, flipping a coin over the phone. If the coin flip comes up heads, Alice wins. If it comes up tails, Bob wins. Unconditionally secure classical coin flipping is obviously impossible, since if Alice announces the outcome, then Bob must trust her honesty. Let the winning probability of two parties be P A and P B. The bias of a coin flip is given by max(p A, P B ). A coin flipping protocol is balanced if both parties share the same winning probability. Any attempt to alter the bias of a coin flip is considered cheating. Cryptographic one-way functions are used to enforce bit commitment, which prevents cheating. The security of these functions however, depends on the validity of computational assumptions such as Integer factorization cannot be done in polynomial time. Like other computational assumptions in cryptography, factorization is easy for a quantum party [], whom therefore could cheat against a classical party. A coin flipping protocol is quantum if both parties additionally have access to a quantum communication channel. Parties cannot share a predefined entangled state since coin

12 flipping would be trivial. Quantum coin flipping protocols are useful since their security is independent of computational assumptions. We define two types of quantum coin flipping protocols. Definition.. A quantum coin flipping protocol is strong if the desired outcome of both parties is unknown. Definition.. A quantum coin flipping protocol is weak if the desired outcome of both parties is known and each party is allowed to increase the winning probability of the other. For example, a strong coin flipping protocol might be used for a soccer game kickoff since each player may prefer to choose the starting half or may prefer to start with the ball. A weak coin flipping protocol might be used in a divorce settlement where each possession is split between Alice and Bob in a series of coin flips. Bob may want to keep his dog while Alice desperately wants to get rid of it. Strong coin flipping is at least as hard as weak coin flipping. In this thesis, we only explore weak coin flipping protocols. A quantum coin flipping protocol consists of a series of quantum messages ending in a single state. If both parties agree on the result, it is output. If not, the protocol is aborted. We only analyze protocols where at most one party is cheating since the protocol will always be aborted if both parties are cheating.. Quantum Information Basics In this section we present the fundamental properties of quantum information that are used in the thesis. In fact, the concepts presented here are only required to understand the protocol of Section.. The discussion of point games does not require an understanding of the material covered in this section. Comprehensive references on quantum information are [, ].

13 .. The Qubit A qubit is the quantum analogue of a classical bit. Just as a classical bit represents a classical mechanical state of either or, a qubit represents a quantum mechanical state, which is a two-dimensional complex vector state. We define the standard basis by two linearly ( ) ( ) independent column vectors and, which span the state space. These vectors are expressed in Dirac notation by and in order to simplify the expression of quantum states. A qubit may be in either a state,, or a superposition of both. In its most general form, a qubit is expressed as ψ = α + β for values α, β C such that α + β =. This constraint ensures that all qubits have a norm of. The norm of a qubit is given by ψ = ψ ψ, where the row vector ψ is the conjugate transpose of ψ. The values of α and β relate to the probabilistic nature of quantum information. When a qubit is measured in the standard basis {, }, the state is obtained with α probability, and the state is obtained with β probability... Multiple Qubits A combination of n classical bits expresses one of n possible states. Since a qubit is expressed by a vector in a two-dimensional complex Hilbert space, a collection of n qubits is expressed by a vector in a n dimensional complex Hilbert space and is given by ψ = ψ ψ... ψ n H H... H = H n. A collection of qubits combine through their tensor product, for example the qubits ψ = α + β and φ = δ + γ combine to form ψ ψ = αδ + αγ + βδ + βγ,

14 where is a simplified notation for and the values are normalized such that α + β + δ + γ =... Measurement Extracting information from a quantum state is probabilistic in nature. In the context of this thesis, it suffices to know that measuring a qubit ψ with the basis { φ, φ } results in the state φ i with probability ψ φ i... Matrix Properties In this subsection we present matrix properties that are used in Section... A comprehensive reference on matrices may be found in [9]. Definition.. A matrix M is unitary if M M = MM = I, where M is its conjugate transpose and I is the identity matrix. Definition.. A matrix is Hermitian if it is its own conjugate transpose. Definition.. A symmetric matrix M R n n is positive semidefinite if x M x is nonnegative for any vector x R n. A matrix is nonnegative if all of its elements are greater than or equal to zero. There are several methods to determine whether a matrix is positive semidefinite. For example, a matrix M is positive semidefinite if all of its eigenvalues are nonnegative, or if M = B T B for an invertible matrix B. We use the notation M to denote that M is a positive semidefinite matrix.. Quantum Strategy The quantum coin flipping protocol used in this thesis was first presented in [], and was then extended in [9]. In this section we present the protocol described in [9], we briefly

15 introduce the origin of the point game model, and we describe the kind of point games that are explored in this thesis. A more detailed presentation of the material contained in Sections.. and.. may also be found in [9]... Protocol In this subsection we summarize the coin flipping protocol, initially described by Kitaev in [], that is presented by Mochon in [9]. Mochon shows how to map a point game into a protocol of this form, and vice-versa. There is no clear relation between a point game and its equivalent protocol, but some intuition of point games is provided in Section.. Let A, B, and M be finite dimensional Hilbert spaces corresponding to the qubits of Alice and Bob, and of the message space shared between both parties. We assume that each player only has access to their own space and the shared message space. Since we are defining a weak coin flipping protocol, we say that Alice wins on output and Bob wins on output. The protocol consists of a series of n messages between both parties, where each message is created by a unitary, as illustrated in Figure.. The initial state of the protocol is defined by ψ = ψ A, ψ M, ψ B,, and each unitary is of the form U A,i I B U i = I A U B,i if i is odd, if i is even, where U A,i A M, U B,i M B, and < i n. The final state is given by ψ n = U n U n... U ψ. Alice performs a measurement on A with {Π A,, Π A, } and Bob performs a measurement on B with {Π B,, Π B, }. They each output or according to their measurement. The value becomes the output of the protocol if both results are equal, otherwise the protocol is aborted.

16 Alice (A) Message (M) Bob (B) ψ U ψ U ψ U ψ... ψ n ψ A,n ψ B,n Figure.: Kitaev s weak coin flipping protocol. 7

17 .. Kitaev s Formalism This thesis deals exclusively with the point game model defined in [9]. Mochon uses Kitaev s formalism from [] to define the bias of a protocol as a dual-sdp. He then defines certificates for protocols to simplify the optimization problem. The point game model is then derived using certain monotonicity requirements of positive semidefinite matrices. Mochon defines a mapping between the optimization problem and the point games, and also defines the inverse mapping. Several researchers, including [,, ], have attempted to validate and simplify Mochon s extended formalism and mappings with great difficulty. Moreover, although Mochon defines point games with arbitrarily small bias, he does not convert these into protocols since the inverse mapping is too complicated []. Kitaev s formalism and Mochon s construction of point games are outside of the scope of this thesis... Point Games Overview Several researchers, including [,, ], have analyzed Mochon s paper. The majority of their work relating to Mochon s paper has dealt with his formalisms and mappings rather than his model of point games, since Mochon s point games only serve as a proof that protocols with arbitrarily small bias exist. Although the inverse mapping from point games to protocols leads us to believe the resulting protocol would be impractical [], it is important to validate Mochon s claims of optimal point games. Furthermore, understanding point games may lead to a new understanding of the formalism that describes secure two-party computations. For example, we see evidence in this thesis that suggests point games may be solved using techniques in graph theory or combinatorics. If an efficient mapping to protocols is found, efficient point games will become crucial to constructing coin flipping protocols with arbitrarily small bias. In this subsection we present an overview of ideas presented in this thesis. The figures are too technical to understand at this point and should only give an idea of the results we obtain. 8

18 δ δ δ δ δ () () () () () () δ δ δ δ δ () () () () Figure.: A basic transition combined with its inverse (left) gives a binomial transition (right). The point game model consists of a set of points that are displaced with transitions, as defined in Section... Not all transitions are valid since a coin flipping protocol cannot decrease in bias after a round of communication. The validity requirements of transitions are given in Section... Point games are represented with simple, intuitive figures that are used throughout the thesis. We define new methods to analyze and compare the efficiency of transitions in Section... In order to find optimal transitions, we restrict the search space by defining the standard setting in Section... We define a family of transitions in Section. that are very useful when constructing point games. An example of such a transition is shown in Figure.. Infinite structures known as ladders are used to obtain better endpoints in point games. We show how to obtain optimal ladders in Section., and how make them finite and efficient in Section... We analyze Mochon s ladders and offer several new insights on their construction in Section... Furthermore, we argue that key elements in Mochon s construction of ladders are missing. We examine Mochon s proposed recursion and define a new recursion technique in Section. that achieves better results. A comparison of both recursion techniques is shown in Figure.. Using our new family of transitions, we define a family of optimal infinite ladders such as the one in Figure.. We define a simple and intuitive truncation technique, shown for the ladder of Figure. in Figure., that achieves 9

19 better results and allows us to easily think of infinite optimal ladders in a finite setting..... Figure.: The linear recursion (left) and our improved recursion (right) () () Figure.: The optimal triple ladder.

20 Figure.: How to truncate an optimal triple ladder.. Previous Work In this section we review some of the most important developments in the study of quantum coin flipping. The study of quantum cryptographic primitives originates from the knowledge that quantum information allows for secure communication within the information theoretic setting. The first major breakthrough in the field was the discovery of unconditionally secure quantum key distribution [, 8]. There were several attempts to discover secure bit commitment, which would have resulted in many two-party secure computation protocols [, ], but it was later proven that secure bit commitment [, ] and any two-party secure computation [, ] were impossible. Classical coin flipping was first presented in [] and was shown to be an important cryptographic primitive in [9]. However, classical coin flipping protocols cannot prevent cheating in the information theoretic setting, as shown in []. The first quantum protocol to prevent a cheating party from obtaining a winning probability of was presented in [] and had a bias of.. Another strong coin flipping protocol with a bias of was discovered

21 in []. Its bias was shown to be optimal for a certain family of protocols in the same paper. Several other strong coin flipping protocols were discovered in [, ], none of which could achieve a better bias. It was later proven in [] that strong coin flipping protocols could not achieve a lower bias than. Whether strong coin flipping protocols have a lower bound of bias between and to support both extremes. remains an open question and there is strong evidence Weak coin flipping was first presented in [7] with a protocol that achieved a bias of. This protocol coincidentally shared the lower bound of strong coin flipping proposed in [] and was generalized for a class of protocols in []. Another protocol was independently discovered in [] and achieved a bias of approximately.9. Weak coin flipping protocols with a bias of were later found in [7, 8]. It was also shown in [] that both weak and strong coin flipping protocols with bias ɛ required at least O ( log log ɛ ) rounds of communication. Although weak coin flipping cannot achieve zero bias with a finite number of messages, a constructive proof of weak coin flipping protocols with arbitrarily small bias was given in [9]. The proof used a new formalism of two-party adversarial games based on the theory of convex cones and operator monotone functions presented in []. This major breakthrough led to a flurry of research. Based on the ideas from [9], a strong coin flipping protocol using a weak coin flipping subroutine was shown to achieve a bias arbitrarily close to in [] and optimal quantum bit commitment with a bias arbitrarily close to.9 was shown in []. More practical loss-tolerant protocols with high biases were given in [, 7, ] and partially noise-tolerant protocols in [8]. Protocols were considered in [], taking into account every aspect of their physical implementation. General bounds on coin flipping protocols have been given in [9], with the aim of unifying weak, strong, and classical coin flipping protocols. Several PhD theses, including [,, ], have attempted to simplify the proofs from [9] and have attempted find more efficient protocols with arbitrarily small bias. However, their proofs remain overly complicated and

22 do not realize the potential of the point game model. To this day, the breakthrough results from [9] remain unpublished.. Overview of Thesis Chapter introduces the concepts that are used in the thesis by formally defining point games and their fundamental properties. In Chapter we define the limit of a family of point games, present analysis techniques, and introduce optimal constructions. In Chapter we present a family of optimal point games that contain infinite structures, we present methods to truncate these structures efficiently, and we show how to recurse finite point games to achieve an arbitrarily small bias. An overview of point games and the progression of topics contained in the thesis are presented in Section..... Original Contributions The original contributions of this thesis are the result of joint work between my supervisor, Peter Høyer, and I. The main original contributions are In Section. we prove that optimal standard transitions are defined by binomial coefficients. We provide a new method to determine the validity of a family of transition by solving a saturated set of equations in polynomial-time. In Section. we define a family of ladders that are optimal. We extend Mochon s work in [9] and use our optimal standard transitions to achieve this goal. We show that such ladders can achieve endpoints with an arbitrarily small increase in bias. In Sections.. and.. we show how to obtain optimally truncated ladders using sets of transitions defined by binomials. We prove that our truncated ladders are more efficient than the best previously known from [9].

23 In Section.. we argue that finite point games achieving an arbitrarily small bias have not yet been proven to exist. We analyze the point games presented in [9] and provide several new insights on their construction. In Section. we define a new recursion technique that is more efficient than the previous best from [9]. We attempted to find a way to determine the validity of an arbitrary transition based solely on certain binomial properties. Whether such a method exists is an open question, and is posed in Section.. If one does exist however, it would be possible to map the dual- SDP which finds protocols for secure two-party computations into a model defined only by binomials instead of polynomials. Such a result could pave the way for a new understanding of general SDPs.

24 Chapter Preliminaries In this chapter we formally define the concepts that are required in the study of weak coin flipping protocols of this thesis. We present the concept of point games which express secure two-party computations and we explain their monotonicity properties. Both the point games and their equivalent protocols are derived from Kitaev s formalisms [], briefly introduced in Section... Point Games Defined Point games are a discrete formulation of secure two-party computations based on Kitaev s formalisms. A point game is defined by an initial, a final and a sequence of intermediate configurations, each described by a set of points and connected by transitions. In this section we define each component of the point game, we formalize its validity requirements, we provide an illustrated analogue to the formal definitions, and we specify the characteristics of a coin flipping point game... Components In this subsection we formally define the components of point games and provide a simple example for each definition. The visual representation of point games is explored in greater detail in Section.., and an example of a simple point game is given in Figure.. Definition.. A point, denoted by p [x, y], is a positive probability p with an associated pair of nonnegative rational coordinates (x, y). Since a point is expressed by a pair of nonnegative rational coordinates, a point game s domain is represented by the quadrant of a two-dimensional Cartesian system. For example,

25 ( ) Figure.: A configuration containing a single point [, ]. ( ) ( ) ( 8) ( ) ( 8 8) ( 8) Figure.: The point 8 [, ] is raised to 8 [, ] in a single step. a point of probability and coordinates (, ) is represented in Figure.. We also note that a point s probability may be scaled by a positive factor. Therefore a probability may be greater than. Definition.. A configuration is the set of all points in the point game, at a given step. The sum of probabilities, for all points in a configuration, is the same for all configurations within a point game. For example, two configurations of a single point game, separated by a single step, are presented in Figure.. Definition.. A nonnegative one-dimensional space is a line if it only contains a set of points with a common coordinate.

26 ( 8) ( ) ( ) ) ( Figure.: A point distribution contained in the vertical line of coordinate. By definition, a line is either vertical or horizontal. A line is an axis if it contains the coordinate (, ). Definition.. A point distribution is a set of points contained in a line of a configuration. For example, a point distribution is given in Figure.. We use a measure to quantify the distribution of probability in a line. Definition.. Let f(x) be a monotonically increasing function. The weight is the summation over all points in a line weight = x line f(x)p x, where p x is a point s probability and x is a point s coordinate in the line. For example, the weight of the point distribution in Figure., for the monotonically increasing function f(x) = x, is given by ( ) ( ) ( ) ( ) xp x = + + x line Definition.. Let weight = x line xp x. ( ) ( ) ( + ) ( ) 8 =. The bias is the summation of weight for all parallel lines in a configuration bias = parallel lines config x line xp x. 7

27 The end bias of a point game is the bias of its final configuration. A bias is either vertical or horizontal, since the summation is over all parallel lines. For example, the vertical bias of the configuration in Figure. is equal to ( ) ( ) ( ) ( ) + + and its horizontal bias is given by ( ) ( ) + ( ) ( ) =. 8 Definition.. A transition designates an action performed on a point distribution which alters one or more of its points but preserves the overall probability so that A transition is valid if x before p x = x before f(x)p x x after p x. (.) x after f(x)p x, for all monotonically increasing functions f(x) which take a point s coordinate x as input. The validity requirements of a transition are explored in greater detail in Section... A transition from one point distribution to another is done in a single step. Multiple transitions may be performed in the same step, but any two configurations with distinct point distributions on the same line must be separated by at least a step. The set of all transitions contained in a line is often simply called a line. A transition is represented by an arrow. The transition that connects both configurations in Figure. is shown in Figure. and expressed as [, ] + [, ] [ +, ] [, ] + [, ] [ +, ]. 8 8 A set of transitions is connected if there exists a path from the starting point of one transition to the endpoint of all transitions in the set... Transitive properties Not all transitions are valid. The bias of a point game is nondecreasing for each step. We mention in Section. that our point games express dual-sdps, in which the semidefinite positive matrices are monotonically increasing. We therefore require that two successive matrices be monotonically increasing for all operator monotone functions. In this subsection 8

28 ( ) ( 8) ( 8) Figure.: A transition connecting two configurations. we present the characteristics of operator monotone functions that are relevant to our analysis of point games. We argue that transitions must satisfy certain monotonicity criteria to be valid components of point games. Definition.7. A function f(x) is operator monotone if f(b) f(a) is positive semidefinite for all Hermitian matrices A and B such that B A is positive semidefinite. Let f be a real function with domain S, let U be a unitary, and let D = diag(λ, λ,..., λ n ) be a diagonal matrix of rank n such that every eigenvalue of D is contained in S. We define f(d) = diag(f(λ ), f(λ ),..., f(λ n )) and f(uf(d)u ) = Uf(D)U. Given any Hermitian matrix A, there exists a unitary U such that A = UDU and f(a) = Uf(D)U [9]. We define two functions f(x) = and f(x) = x, which are trivially operator monotone. Lemma.. The function f(x) = x is operator monotone over the domain (, ). Proof. The proof is given in [9]. Let B A. We know that I B AB I B A B B A, which is true because of our assumption. 9

29 We shift the domain of this operator monotone, by adding a term λ strictly greater than, to obtain f(x) = x + λ, which operates on ( λ, ). We restrict the domain to [, ). Let the functions f(x) and g(x) be operator monotone. Any combination af(x) + bg(x) is also operator monotone if both a and b are greater or equal to. We combine the operator monotones f(x) = and f(x) = x+λ with the proper scalar values to obtain λ x + λ = x x + λ. Definition.8. A function f(x) is operator convex if for all Hermitian matrices A and B of same order, ( λ)f(a) + λf(b) f(( λ)a + λb) is positive semidefinite for all real values of λ such that λ [9]. The functions f(x) =, x, and x x+λ are important since they are also operator convex, and since any operator monotone is a linear combination of these three functions [9]. As shown in [9], any operator monotone is expressible under the integral form f(x) = α + βx + ( λ λ + ) du(λ), (.) λ + x where α is real, β is greater or equal to, and the integral is a positive value. A real-valued function f is monotonically increasing if f(x) f(y) whenever x y. All operator monotone functions are monotonically increasing. A transition acts as an increasing monotone function on a point distribution since the weight of the resulting point distribution must be at least equal to that of the original point distribution for all increasing monotone functions.

30 Definition.9. Let f(x) be a monotonically increasing function. The increase in weight of a transition from a point distribution A to B is the difference between the weight of B and the weight of A weight(f) = f(x)p x f(x)p x. (.) x A x B We conclude from Equation. that a transition is valid if and only if its increase in weight is nonnegative for f(x) =, f(x) = x, and f(x) = x+λ for all λ greater than. Therefore, a transition from a point distribution A to a point distribution B is valid if both A and B contain the same overall probability and the weight of B is greater or equal to that of A for all increasing monotone functions. Conserving the probability in a transition ensures that the operator monotone f(x) = is satisfied. The operator monotone f(x) = x is satisfied if and only if f(x) = x+λ is satisfied when λ approaches infinity. Therefore, we determine that a point game is valid if and only if every line in the point game preserves probability and satisfies for all λ greater than. x before p x x + λ x after p x x + λ (.) We see that every operator monotone is a combination of functions f(x) =, f(x) = x, and f(x) =, for λ greater than. Since the first two functions are derived from the x+λ later, it suffices to evaluate the increase in weight of a transition for f(x) = x+λ and for all λ greater than. Therefore, a transition is only valid if Equation. is satisfied for all λ greater than... Visual Representation Point games are a useful interpretation of secure two-party computations because they are expressed with simple illustrations. In this subsection we use the concepts introduced in Section.. to define a simple representation of point games. A point game has an initial configuration and a desired final configuration. Our goal is

31 ( ) ( ) () ( ) ( ) ( ) ( ) Figure.: A point game (right) that achieves the desired final configuration (center) from an initial configuration (left). to find a set of valid transitions that will achieve the desired final configuration. A point game is represented by this set of transitions, as shown for example in Figure.. We gain an intuitive understanding of the validity of point games with this simple representation. Transitions are represented by arrows that connect the point distributions in one configuration to the next. The start and endpoint of an arrow correspond to the points of two distinct configurations. We annotate arrows with the probability of both points, since a transition conserves probability. The set of points contained in the initial and final configuration are represented by a dot... Coin Flipping Point Games Since we are only interested in point games that correspond to coin flipping protocols, we must restrict the possible initial and final configurations. In this subsection we define the configurations that correspond to coin flipping point games and argue how transitions are assigned by both parties. The initial configuration contains only two points of probability, located at the co- ordinates (, ) and (, ). The final configuration contains a single point of probability, located at a pair of coordinates (x, y) where x and y. The initial and final configurations of our point games are chosen to satisfy the properties of coin flipping

32 protocols presented in Section.. We allow one player control of the vertical transitions, while the other has control of the horizontal transitions. This ensures both parties have equal input in the point game. Points of equal probability and symmetric coordinates are initially required to prevent either player from gaining an unfair advantage from the initial bias they control. The value of the probability is arbitrary and can be scaled to any positive value. The coordinates could also be changed, but their values are chosen to easily determine the coin flipping bias, since the coordinates of the final point are directly related to both players winning probability. Both parties begin with a winning probability P A = P B =, since the initial configuration is [, ] + [, ]. Therefore, the bias is initially zero and is increased by the subsequent transitions in the point game. We say that Alice performs all vertical transitions, while Bob performs all horizontal transitions. The endpoint of a coin flipping point game is expressed by [P A, P B ], where P A and P B are the winning probabilities of Alice and Bob as defined in Section... Fundamental Transitions We define point games in Section. and argue that any valid point game can be mapped into a protocol as defined in Section... The validity requirements presented in Section.. allow us to determine whether a point game is valid simply by examining its transitions. In this section we argue that any point game is composed of three fundamental transitions and that their validity depends on simplifier requirements. We show how to manipulate these transitions and how to combine them in order to gain insight on the validity of point games... Simplified Inequalities Since any operator monotone function is a combination of functions f(x) =, x, and x+λ, as shown in Section.., any transition is a combination of three fundamental transition derived from the same functions. In this subsection we present the fundamental transitions

33 y (p) x x Figure.: A raise p [x, y] p [x, y]. y (p ) (p ) x x x Figure.7: A split (p + p ) [x, y] p [x, y] + p [x, y]. of point games, first presented in [9], and argue that the validity of each transition is determined by a simple inequality. We show that each of these inequalities is also derived from the general inequality of Equation.. The raise p [x, y] p [x, y], shown in Figure., is valid if and only if its increase in weight is positive for f(x) =. Therefore, a raise increases the weight of a point distribution for all monotonically increasing functions and is valid for all values p, y, and x greater or equal to, such that x < x. Theorem.. The split (p + p ) [x, y] p [x, y] + p [x, y], such that x x as shown in Figure.7, is valid if and only if its increase in weight is nonnegative for f(x) = x, or equivalently p + p x p x + p x. (.) Proof. We know from Equation. that the split is valid if and only if the general inequality p + p x + λ p x + λ + p x + λ (.)

34 is satisfied for all λ greater than. Equation. implies Equation., since the inequality must be satisfied when λ approaches. We must also show that satisfying Equation. will satisfy Equation. for all λ greater than. We factor the terms in Equation. to obtain (x x + x λ + x λ + λ )(p + p ) (xx + xλ + x λ + λ )p + (xx + xλ + x λ + λ )p. Notice the term λ cancels itself. By factoring each side by xx x, and with some simplification, we obtain ( ) ( ) ( ) x + x x λ (p p ) + xx λ p + + x xλ p. x x Bringing the terms to one side ( p ) x x + ((xx ) (x x ))λ ( + p ) x x + ((x x) (x x ))λ, and with further simplification ( )) ( ( )) p ((x x ) x x + x λ + p (x x ) + x λ. xx We determine whether the function ( )) ( ( )) f(λ) = p ((x x ) x x + x λ + p (x x ) + x λ xx is increasing or decreasing by taking the first derivative of λ f (λ) = p (x x )x + p (x x )x = p x x + p x x (p + p )x x. Since we assume Equation. is satisfied, we know that f (λ) is less than or equal to. Therefore, f(λ) is non-increasing. By observation, the value of f(λ) is maximal when λ approaches. Therefore, Equation. implies Equation.. Theorem.. The merge p [x, y] + p [x, y] p + p [x, y], such that x x as shown in Figure.8, is valid if and only if its increase in weight is nonnegative for f(x) = x, or equivalently p x + p x p + p x. (.7)

35 y (p ) (p ) x x x Figure.8: A merge p [x, y] + p [x, y] p + p [x, y]. Proof. We know from Equation. that the merge is valid if and only if the general inequality p x + λ + p x + λ p + p x + λ (.8) is satisfied for all λ greater than. Equation.8 implies Equation.7, since the inequality must be satisfied when λ approaches infinity. We must also show that satisfying Equation.7 will satisfy Equation.8 for all λ greater than. We determine whether the function f(λ) = p x + λ + p x + λ p + p x + λ is increasing or decreasing by taking the first derivative of λ f (λ) = (p + p )x p x p x. Since we assume Equation.7 is satisfied, we know that f (λ) is greater or equal to. Therefore, f(λ) is non-decreasing. By observation, the value of f(λ) is minimal when λ approaches infinity. Therefore, Equation.7 implies Equation.8. Any transition is a combination of merges, splits, and raises since these transitions are derived from the functions f(x) =, f(x) = x, and f(x) = x+λ which span the space of all operator monotone functions, as shown in Section... Whenever a single transition type is contained in a line, we use the simplified inequalities of this subsection to determine the validity of the line.

36 .. Manipulating Transitions An arbitrary transition s validity is rarely obvious. Some manipulations of transitions have a known effect on their validity. By manipulating known transitions, such as those of Section.., we are able to create transitions with a known validity. In this subsection we present original concepts of inversion, compression, scaling, and shifting. We also present several constraints that valid transitions must satisfy. A transition is scaled by a real positive value c if every probability contained in a transition is multiplied by c. Scaling a transition does not affect its validity, which is trivially observed from x before cp x x + λ x after cp x x + λ = c ( x before p x x + λ x after p x x + λ A transition is shifted by a real value δ if the coordinate of every point contained in the transition is increased by δ and each coordinate remains nonnegative. An outwards shift refers to a positive δ, while an inwards shift refers to a negative δ. A shifted transition s validity is determined by x before for all λ greater than, or equivalently, by p x x + δ + λ x after x before p x x + λ x after p x x + δ + λ p x x + λ for all λ greater than δ. Shifting a raise does not affect its validity since it is always valid. Shifting a merge does not affect its validity either, since a merge is valid if and only if Equation. is satisfied when λ approaches infinity. Since a split s validity is determined ). when λ approaches, shifting an invalid split outwards might make it valid. Similarly, shifting a valid split inwards might make it invalid. A transition is compressed if its probabilities are not altered and the space between each point is reduced by a single factor greater than and smaller than. Similarly, we expand a transition by increasing the space between each point with a single factor greater than. 7

37 Definition.. Let T be a transition of the form x before p x [x, c] x after p x [x, c]. A transition is the shifted inverse of T if it is of the form x after p x [x + δ, c] x before p x [x + δ, c], and if every value of x + δ is greater or equal to. The inverse of a valid transition has a negative increase in weight for all monotonically increasing functions. The inverse of a raise is called a drop. A valid transition cannot contain more drops than raises. Lemma.. A transition is invalid if xp x > xp x. x before x after Proof. A valid transition must satisfy the inequality in Equation. for all λ greater than, and therefore ( ) p x xλ + p x y ( ) p x y + p x xλ x after x before y x x after y x x before must be valid when λ approaches infinity. We take the first derivative of λ to obtain xp x xp x. (.9) x before x after Therefore, a transition is invalid if more probability is dropped than raised. Lemma.. Let A be a point distribution such that every point in A has a positive coordinate. There does not exist a valid transition from A to a point distribution B which contains a point at coordinate. This lemma is true since Equation. cannot be solved if there exists an x after equal to. The concepts of inversion, scalability, and compressibility are used in our analysis of point games of Sections. and.. The lemmas presented in this subsection also allow us to easily recognize invalid transitions. 8