Cheat-Penalised Quantum Weak Coin-Flipping

TL;DR

This work introduces cheat-penalised weak coin-flipping (penWCF) and shows that a small cheating penalty $\Lambda$ drastically improves efficiency. It develops an extended point-game framework, including time-dependent and time-independent variants, and provides a numerical algorithm to construct approximate penTIPGs that achieve very small biases with finite resources. By translating approximate penTIPGs into exact penTDPGs and then into penWCF protocols, the paper derives explicit trade-offs among bias, rounds, and qubit memory, with concrete examples such as $\Lambda=0.01$ yielding bias $\epsilon$ around $10^{-8}$ using $24$ qubits and $\mathsf{rc}\approx 10^{16}$. The approach also yields a family of low-space protocols (e.g., with $\mathsf{sc}=24$) and compares favorably to prior cheat-penalised and non-penWCF constructions, suggesting practical avenues for secure quantum multiparty computation. Overall, the work significantly advances the practicality of quantum two-party cryptography by combining a principled penalised model with constructive, numerically-assisted protocol design.

Abstract

Coin-flipping is a fundamental task in two-party cryptography where two remote mistrustful parties wish to generate a shared uniformly random bit. While quantum protocols promising near-perfect security exist for weak coin-flipping -- when the parties want opposing outcomes -- it has been shown that they must be inefficient in terms of their round complexity, and it is an open question of how space efficient they can be. In this work, we consider a variant called cheat-penalised weak coin-flipping in which if a party gets caught cheating, they lose $Λ$ points (compared to $0$ in the standard definition). We find that already for a small cheating penalty, the landscape of coin-flipping changes dramatically. For example, with $Λ=0.01$, we exhibit a protocol where neither Alice nor Bob can bias the result in their favour beyond $1/2 + 10^{-8}$, which uses $24$ qubits and $10^{16}$ rounds of communication (provably $10^{7}$ times better than any weak coin-flipping protocol with matching security). For the same space requirements, we demonstrate how one can choose between lowering how much a malicious party can bias the result (down to $1/2 + 10^{-10}$) and reducing the rounds of communication (down to $25,180$), depending on what is preferred. To find these protocols, we make two technical contributions. First, we extend the point game-protocol correspondence introduced by Kitaev and Mochon, to incorporate: (i) approximate point games, (ii) the cheat-penalised setting, and (iii) round and space complexity. Second, we give the first (to the best of our knowledge) numerical algorithm for constructing (approximate) point games that correspond to high security and low complexity. Our results open up the possibility of having secure and practical quantum protocols for multiparty computation.

Figures (11)

• Figure 1: Comparison of cheat-penalised weak coin flipping protocols in terms of the greatest expected reward, i.e. $\frac{1}{2} + \epsilon$, and the number of qubits used in the protocol. We compare our Protocols (i)--(iii) to that of Ambainis, Buhrman, Dodis and Roehrig ambainis2004multiparty, the Spekkens-Rudolph protocol SR02 (which we extend to the cheat-penalty setting), and Mochon's Dip-Dip-Boom cheat-penalised version Mochon07 (we rigorously derive and extend his heuristic bounds on the bias). Protocols (i)--(iii) are constructed using abstract objects we call cheat-penalised Time-Independent Point Games (penTIPGs). Protocols (i) and (ii) have $\mathsf{rc}=10^{16}$ and $\mathsf{rc}=10^{18}$ respectively and are based on penTIPG 3 which is illustrated in \ref{['Fig:TIPG4_plot']} (not to scale). Protocol (iii) has round complexity $\mathsf{rc}=25,180$ and is based on penTIPG 3. All these penTIPGs and related details appear in other_protocols.
• Figure 2: Graphical depiction (axes not to scale) of the parameters that entirely specify our bias $\epsilon=10^{-10}$ protocol---except for the parameter that controls the trade-off with the round complexity. More precisely, the graph shows the function $h$ of a time-independent point game $(h,v)$ with cheat penalty $\Lambda=0.01$ and approximation error $\varepsilon_{\mathsf{approx}}=10^{-18}$, referenced above as a $(\Lambda,\varepsilon_{\mathsf{approx}})$-penTIPG. The filled circles correspond to positive weights and unfilled circles to negative weights while the radius indicates the magnitude of the weight.
• Figure 3: An example of a horizontally valid transition. The red points along $y=y_1$ are merged into single point at the average $x$-coordinate of the initial two red points. Similarly, blue points along $y=y_2$ are merged into a single point at the average $x$-coordinate of the two initial blue points. Such merge operations are known to always satisfy the validity conditions in Equations \ref{['valid1']} and \ref{['valid2']}.
• Figure 4: The point game problems corresponding to ordinary weak coin-flipping (top) and $\Lambda$-penalty weak coin-flipping (bottom). The points in the initial configurations each have weight $1/2$, and the points in the final configurations each have weight $1$.
• Figure 5: Schematic of a cheat-penalised weak coin-flipping protocol.

Theorems & Definitions (57)

• Theorem 1: WCF protocol--TDPG equivalence (informal; Mochon07)
• Theorem 2: $\Lambda$-penTDPG $\implies$ $\Lambda$-penWCF protocol (\ref{['Thm:LambdaPenTDPG-implies-Lambda-penWCF']} simplified)
• Theorem 3: TDPG--TIPG equivalence (informal Mochon07ACG+14)
• Theorem 4: $\Lambda,\varepsilon_{\mathsf{approx}}$-pen TIPG $\implies$ $\Lambda$-pen TDPG (\ref{['Thm:LambdaPenTIPGtoLambdaPenTDPG']} reformulated)
• Definition 5
• Theorem 6: Existence of $(\Lambda,\varepsilon_{\mathsf{approx}})$-penTIPG (from list_TIPGs)
• Definition 7: $\Lambda$-penWCF protocol with bias $\epsilon$
• Remark 8: $P_{A}^{*},P_{B}^{*}$ can be viewed as probabilities
• Remark 9: $\Lambda$-penWCF without intermediate projectors
• Theorem 10: Primal SDP