Improving device-independent weak coin flipping protocols

TL;DR

This work advances device-independent weak coin flipping by introducing self-testing of untrusted boxes and abort-phobic composition to reduce bias below the previous best $0.33664$, achieving $0.29104$ under two continuity conjectures. It leverages GHZ-based DI protocols, robust self-testing results, and SDP/linear programming to bound cheating probabilities and model abort-driven improvements via cheat vectors. A key technical contribution is a linear-programming method to bound the performance of a single remaining device after testing $n-1$ of $n$, underpinning the asymptotic security analyses. The work also shows how polarity-based compositions extend to other DI tasks, providing a framework for combining self-testing with novel composition rules to yield practical DI cryptographic primitives.

Abstract

Weak coin flipping is the cryptographic task where Alice and Bob remotely flip a coin but want opposite outcomes. This work studies this task in the device-independent regime where Alice and Bob neither trust each other, nor their quantum devices. The best protocol was devised over a decade ago by Silman, Chailloux, Aharon, Kerenidis, Pironio, and Massar with bias $\varepsilon \approx 0.33664$, where the bias is a commonly adopted security measure for coin flipping protocols. This work presents two techniques to lower the bias of such protocols, namely self-testing and abort-phobic compositions. We apply these techniques to the SCAKPM '11 protocol above and, assuming a continuity conjecture, lower the bias to $\varepsilon \approx 0.29104$. We believe that these techniques could be useful in the design of device-independent protocols for a variety of other tasks. Independently of weak coin flipping, en route to our results, we show how one can test $n-1$ out of $n$ devices, and estimate the performance of the remaining device, for later use in the protocol. The proof uses linear programming and, due to its generality, may find applications elsewhere.

Figures (7)

• Figure 1: Cheat vectors for \ref{['Alg:AliceSelfTests']} and \ref{['Alg:BobSelfTests']}. Observe how compared to \ref{['Fig:cheatVectors_ProtocolP']}, the abort probabilities in \ref{['Fig:cheatVectors_ProtocolQ']} are higher making it more suitable for abort-phobic compositions.
• Figure 2: Standard composition of weak coin flipping protocols. Subprotocols only have two outcomes depending on the coin flip. Coloured labels indicate probabilities of outcomes for cheating Alice (blue) and cheating Bob (red).
• Figure 3: Abort phobic composition for weak coin flipping protocols. Subprotocols have three possible outcomes including abort. Aborting in any subprotocol directly leads to aborting the whole protocol. Coloured labels indicate probabilities of outcomes for cheating Alice (blue) and cheating Bob (red). In the security analysis of cheating Bob, we need to optimise over the cheat vectors $(v_{A},v_{B},v_{\perp})\in\mathbb{C}_{B}$.
• Figure 4: \ref{['Alg:AliceSelfTests']} broken into two phases: the self-testing phase and the remaining protocol. Above, $\Omega$ denotes the outcome that the self-test phase succeeded and $\bar{\Omega}$ that it failed. ${\cal{P}}^{\epsilon}$ denotes continuation of the remaining protocol to output $A,B$ or $\perp$ (abort).
• Figure 5: Suppose for protocol ${\cal{Z}}$, one knows $p^*_A({\cal{Z}})=\alpha$ and $p^*_B({\cal{Z}})=\beta$ where $\alpha>\beta$.

Theorems & Definitions (29)

• Theorem 1
• Proposition 2: Informal. See AliceSelfTests for a formal statement
• Definition 4: $\mathbb{C}_A,\mathbb{C}_B$; Alice and Bob's cheat vectors
• Corollary 5
• Definition 6
• Claim 7
• Lemma 8
• proof
• Lemma 9: Security of SCF
• Proposition 10