Device Independent Quantum Private Query
Arpita Maitra, Goutam Paul and Sarbani Roy
Indian Institute of Management Calcutta, India. Indian Statistical Institute, Kolkata. Indian Institute of Technology Kharagpur, India.
In Quantum Private Query (QPQ), a client obtains values corresponding to his query only and nothing else from the server, and the server does not get any information about the queries. Giovannetti et al. (Phys. Rev. Lett., 2008) gave the first QPQ protocol and since then quite a few variants and extensions have been proposed. However, none of the existing protocols are device independent, i.e., all of them assume implicitly that the entangled states supplied to the client and the server are of a certain form. In this work, we exploit the idea of a local CHSH game and connect it with the scheme of Yang et al. (Quantum Inf. Process., 2014) to present the concept of a device independent QPQ protocol for the first time.
I. INTRODUCTION
During the last two decades, Quantum Key Distribution (QKD) has remained the main theme of quantum cryptography. In recent times, however, several other quantum cryptographic primitives are being explored and Quantum Private Query (QPQ) is one of them. In QPQ, a client issues queries to a database and obtains the real values without knowing anything else about the database, whereas the server should not gain any information about the queries. Here, we assume that Bob is the database holder or server and Alice is the client.

The first protocol in this domain was proposed by Giovannetti et al. [1], followed by [2] and [3]. However, those schemes are highly theoretical and difficult to implement. For implementation purposes, Jakobi et al. [4] came out with a QPQ protocol based on the SARG04 quantum key distribution protocol [5]. In 2012, Gao et al. [6] proposed a flexible generalization of [4]. Rao et al. [7] suggested two more efficient modifications of classical post-processing in the protocol of Jakobi et al. In 2013, Zhang et al. [8] proposed a QPQ protocol based on the counterfactual QKD scheme [9]. In 2014, Yang et al. came out with a flexible QPQ protocol [10] based on the B92 quantum key distribution scheme [11]. This domain is gradually improving, as is evident from the large number of papers [12–15] published in the recent two years.

The security of all those protocols is defined on the basis of the following facts.
(a) Bob knows the whole key which would be used for the encryption of the database.
(b) Alice knows a fraction of bits of the key.
(c) Bob does not get any information about the position of the bits which are known to Alice.

Thus, it is very natural that in a QPQ protocol there is no need for an outsider adversary. Unlike QKD, here one of the legitimate parties plays the role of an adversary.
Alice tries to extract more information about the raw key bits, whereas Bob tries to know the position of the bits known to Alice.

We identify that the security of all the existing protocols is based on the fact that Bob relies on his devices, i.e., the source which supplies the qubits and the detectors which measure the qubits. Thus, similar to the QKD protocols, trustworthiness of the devices is implicit in the security proofs of the protocols. In the current work, we try to understand what happens if we remove such trustworthiness from the devices, as in Device Independent QKD [16–20].

In DI-QKD, a statistical test known as the Bell test [21] or CHSH test [22] is performed to verify whether the entangled states shared between the legitimate parties are maximally entangled. If the states are maximally entangled, then the QKD protocol provides unconditional security. However, the test has to be performed non-locally. In other words, two distant parties (Alice and Bob) have to be involved in the CHSH test.

Very recently, Lim et al. [23] proposed a DI-QKD scheme where they exploit the idea of a local CHSH test. In a local CHSH test, the sender performs the CHSH test at his or her end in order to certify whether the states to be used for QKD are maximally entangled.

In the case of QPQ, we identify that if the states shared between Bob and Alice are not in a certain form, then Alice can always apply some strategies which help her to extract more information about the raw key bits than what is suggested by the protocol. Thus, it is necessary for Bob to certify whether the states are in the desired form. Motivated by the idea of the local CHSH test by Lim et al. [23], we propose here a protocol which provides this certification. The value obtained from the test will depend upon the predefined success probability of Alice about the raw key bits, in other words, on how much information about the key has to be allowed to Alice by the protocol.

Here, we work on the QPQ protocol presented by Yang et al. [10].
Note that this protocol [10] can be performed by a certain kind of mixed state also (namely, ( | , φ⟩⟨ , φ| + | , φ⟩⟨ , φ| ) /

II. REVISITING THE PROTOCOL OF [10]
In this section we revisit the protocol for quantum private query proposed in [10]. The protocol exploits the idea of the B92 quantum key distribution scheme. There are two phases in the protocol, namely, key generation and private query.

In the key generation phase, Bob and Alice share entangled states of the form √ ( | ⟩_B |φ⟩_A + | ⟩_B |φ⟩_A ), where |φ⟩_A = cos(θ) | ⟩ + sin(θ) | ⟩ and |φ⟩_A = cos(θ) | ⟩ − sin(θ) | ⟩. Here, subscript B stands for Bob and subscript A stands for Alice. θ may vary from 0 to π. After receiving the qubits from Bob, Alice announces the positions of the qubits that have actually reached her end. Bob discards the lost photons. After post-selection, Bob measures his qubits in the {| ⟩_B, | ⟩_B} basis, whereas Alice measures her qubits either in the {|φ⟩_A, |φ⊥⟩_A} basis or in the {|φ⟩_A, |φ⊥⟩_A} basis, chosen at random. If the measurement result of Alice gives |φ⊥⟩, she concludes that the raw key bit at Bob's end must be 1. If it is |φ⊥⟩, the raw key bit must be 0. Bob and Alice execute classical post-processing so that Alice's information on the key reduces to one bit or more. Bob knows the whole key, whereas Alice generally knows several bits of the key.

In the private query phase, if Alice knows the j-th bit of the key K and wants to know the i-th element of the database, she declares the integer s = j − i. Bob shifts K by s and hence gets a new key, say K. Bob encrypts his database by this new key K with one-time pad and sends the encrypted database to Alice. Alice decrypts the value with her j-th key bit and gets the required element of the database.

The security of the protocol comes from the fact that Alice knows the final key partially.
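The private query phase just described, as an added example rather than code from the paper or from [10]. It assumes one-bit database entries, a key as long as the database and a cyclic shift, which the text does not specify; all function names and the sample data are illustrative.

```python
def shift_key(key, s):
    """Bob's shift: position i of the shifted key holds key[(i + s) mod N]."""
    n = len(key)
    return [key[(i + s) % n] for i in range(n)]


def bob_encrypt(database, key, s):
    """One-time pad of the whole database under the shifted key."""
    if len(database) != len(key):
        raise ValueError("key and database must have the same length")
    return [d ^ k for d, k in zip(database, shift_key(key, s))]


def alice_shift(i, j, n):
    """Alice wants entry i and knows key bit j: she declares s = j - i."""
    return (j - i) % n


def alice_decrypt(cipher, known_bits, s):
    """Everything Alice can read: one entry per key position she knows.

    known_bits maps key position -> bit value. After Bob's shift, key bit j
    sits over database index (j - s) mod N.
    """
    n = len(cipher)
    return {(j - s) % n: cipher[(j - s) % n] ^ bit
            for j, bit in known_bits.items()}


def run_query(database, key, known_bits, i, j):
    """Full exchange; returns (s sent to Bob, entries Alice recovers)."""
    if j not in known_bits:
        raise ValueError("Alice must use a key position she actually knows")
    s = alice_shift(i, j, len(database))
    cipher = bob_encrypt(database, key, s)      # Bob learns only s
    return s, alice_decrypt(cipher, known_bits, s)


# Constructed sample data (not from the paper).
DATABASE = [1, 0, 1, 1, 0, 0, 1, 0]
KEY = [0, 1, 1, 0, 1, 0, 0, 1]

if __name__ == "__main__":
    # Alice as the protocol intends: she knows one key bit (position 5).
    s, got = run_query(DATABASE, KEY, {5: KEY[5]}, i=2, j=5)
    print("s =", s, "readable entries:", got)
    # Alice holding extra key bits (the outcome the biased-basis strategy of
    # Section III aims for): the same query now exposes more of the database.
    extra = {5: KEY[5], 0: KEY[0], 7: KEY[7]}
    s, got = run_query(DATABASE, KEY, extra, i=2, j=5)
    print("s =", s, "readable entries:", got)
```

The number of database entries Alice can read equals the number of key positions she knows, which is why any excess knowledge of the raw key translates directly into database leakage.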
Thus, even if she gets access to the whole encrypted database, she cannot obtain the full information about the database. Now, we will calculate the success probability of Alice to guess a bit in the raw key.

As Bob measures his qubits only in the {| ⟩_B, | ⟩_B} basis, he will get either | ⟩ with probability or | ⟩ with probability . When Bob gets | ⟩, Alice should get |φ⟩. If she chooses the {|φ⟩_A, |φ⊥⟩_A} basis, she will get |φ⟩ with probability 1 and never gets |φ⊥⟩. However, if she chooses the {|φ⟩_A, |φ⊥⟩_A} basis, she will get either |φ⟩ with probability cos θ or |φ⊥⟩ with probability sin θ. We formalize all the conditional probabilities in the following table.

Cond. Probability of Alice
         A = |φ⟩   A = |φ⊥⟩   A = |φ⟩   A = |φ⊥⟩
B = 0    . . . cos θ . sin θ
B = 1    . cos θ . sin θ . .

According to the protocol, when Alice gets |φ⊥⟩, she outputs 1. And when she gets |φ⊥⟩, she outputs 0. Thus, the success probability of Alice to guess a bit in the raw key can be written as

Pr(A = B)
= Pr(A = 0, B = 0) + Pr(A = 1, B = 1)
= Pr(B = 0) . Pr(A = 0 | B = 0) + Pr(B = 1) . Pr(A = 1 | B = 1)    (1)
= 1/2 . Pr(A = φ⊥ | B = 0) + 1/2 . Pr(A = φ⊥ | B = 1).

From the above table, we can see that the success probability of Alice becomes sin θ.

III. BIASED CHOICE OF ALICE'S BASIS
Suppose Bob trusts the source, i.e., he believes that the states shared between Alice and him are of the certain form [10]. Let the source supply some arbitrary entangled states ( α | ⟩_B |φ⟩_A + β | ⟩_B |φ⟩_A ), where |α| = ( + ε ) and |β| = ( − ε ), to Bob. Suppose Alice has this information and also the information about the values of α and β. In this case, she chooses the basis as follows.
• {|φ⟩_A, |φ⊥⟩_A} with probability − ε.
• {|φ⟩_A, |φ⊥⟩_A} with probability + ε.

Her success probability can be calculated from the following table.

Cond. Probability of Alice
         A = |φ⟩   A = |φ⊥⟩   A = |φ⟩   A = |φ⊥⟩
B = 0    1 . (1/2 − ε)   0   (cos²θ) · (1/2 + ε)   (sin²θ) · (1/2 + ε)
B = 1    (cos²θ) · ( − ε)   (sin²θ) · ( − ε)   · (1/2 + ε)

Following Eq. (1), it becomes ( + 2ε ) sin θ.

Thus, if Alice and Bob do not share entangled states of the certain kind, then Alice can always extract more information about the raw key bit by following the suggested strategy. The bias in Alice's choice of bases depends on the values of α and β. For example, if α = − ε and β = + ε, then Alice chooses {|φ⟩_A, |φ⊥⟩_A} with probability + ε and chooses {|φ⟩_A, |φ⊥⟩_A} with probability − ε.

To mitigate this problem, Bob has to remove his trust from the devices and has to perform some local test at his end to become sure that the states shared between them are of the specific form [10]. As we consider the entanglement version of the QPQ protocol, we suggest a local statistical test which is actually a CHSH test performed locally. The difference is that for this test, we do not require the perfect CHSH value. The value depends on the value of θ.

However, when the states are of the form given in [10], then the above strategy does not help Alice to extract more information about the raw key bit. Let Bob and Alice share the entangled states of the specific form and let Alice choose her measurement bases {|φ⟩_A, |φ⊥⟩_A} and {|φ⟩_A, |φ⊥⟩_A} with probability − ε and + ε respectively. In this case, following Eq. (1), the success probability becomes sin θ.

Thus, it will be necessary for Bob to certify that those shared states are of the certain form. In the following section we propose a protocol which certifies this. Thus, Bob is no longer required to put trust in the source or in the detectors. By performing a test which is almost like the CHSH test at his end, he first checks whether the states follow the desired property. Conditioning on the success of the test, Bob proceeds to QPQ. Here, we consider detectors with unit efficiency.
However, for practical implementation of the suggested protocol, one has to consider detectors with non-unit efficiency.

One may wonder why we have not chosen quantum state tomography to check whether the states are of the certain form. The reason is that tomography would require an infinite number of states to achieve perfect accuracy. On the other hand, choosing a different avenue of local CHSH game, we are able to analyse the security of our protocol for a finite number of states.

IV. OUR PROTOCOL AND LOCAL CHSH GAME
Before describing the proposed protocol, we first enumerate the assumptions required for the security of the protocol. Those are summarized as follows.
1. Devices are causally independent, i.e., each use of the device is independent of the previous use. This assumption implies that the devices are memoryless.
2. Alice and Bob's laboratories are perfectly secured, i.e., no information is leaked from their laboratories.
3. All the detectors at Bob's end have unit efficiency, i.e., he always gets conclusive outcomes.

Our protocol is described in Algorithm 1. For brevity, we write γn and (1 − γ)n instead of ⌈γn⌉ and ⌊(1 − γ)n⌋ respectively.
1. Bob starts with n number of entangled states.
2. Bob divides the given entangled pairs into two sets. One is Γ_CHSH and another is Γ_QPQ. The set Γ_CHSH contains γn number of entangled states, whereas Γ_QPQ contains (1 − γ)n number of the entangled states for 0 < γ <
i ∈ { , · · · , γn }
   (a) Bob chooses x_i ∈ {0, 1} and y_i ∈ {0, 1} uniformly at random.
   (b) If x_i = 0, he measures the first particle of the entangled state in the {| ⟩, | ⟩} basis and if x_i = 1, he measures it in the {|+⟩, |−⟩} basis.
   (c) Similarly, if y_i = 0, Bob measures the second particle of the entangled state in the {|ψ⟩, |ψ⊥⟩} basis and if y_i = 1, he measures it in the {|ψ⟩, |ψ⊥⟩} basis.
   (d) The output is recorded as a_i (b_i) ∈ {0, 1} for the first (second) particle. The encoding for a_i (b_i) is as follows.
       • For the first particle of each pair, a_i = 0 if the measurement result is | ⟩ or |+⟩; it is 1 if the result is | ⟩ or |−⟩.
       • For the second particle of each pair, b_i = 0 if the measurement result is |ψ⟩ or |ψ⟩; it is 1 if the measurement result is |ψ⊥⟩ or |ψ⊥⟩.
   (e) Testing: For the test round i ∈ Γ_CHSH, define Y_i = 1 if a_i ⊕ b_i = x_i ∧ y_i, and Y_i = 0 otherwise.
4. If γn Σ_i Y_i < (sin θ (sin ψ + sin ψ) + cos ψ − cos ψ) + , Bob aborts the protocol.
5. Conditioning on the event that the local CHSH test at Bob's end has been successful, Bob proceeds for the subset Γ_QPQ and sends one half of each of the remaining (1 − γ)n entangled pairs to Alice.
6. Alice performs the private query phase as in [10].
Algorithm 1: Our proposed protocol, Π

Note that we are dealing with several bases, namely, {φ, φ⊥}, {φ, φ⊥}, {ψ, ψ⊥} and {ψ, ψ⊥}. It should be clarified that while the {φ, φ⊥}, {φ, φ⊥} bases are chosen by Alice for the QPQ protocol, the {ψ, ψ⊥} and {ψ, ψ⊥} bases are chosen by Bob to perform the local CHSH test. Here, we consider |ψ⟩ = cos ψ | ⟩ + sin ψ | ⟩ and |ψ⟩ = cos ψ | ⟩ + sin ψ | ⟩.

In the QPQ protocol of [10], Bob measures his particles in the {| ⟩, | ⟩} basis only. Hence, the protocol can be performed by mixed states also. One may think that for the local CHSH game it is sufficient to measure the first particle of Bob in the {| ⟩, | ⟩} basis only, as Bob does not need to test coherence (purity) of the states. However, note that our proposal for the local CHSH game lies on top of the QPQ protocol presented by Yang et al. [10]. One can replace the QPQ part by any other entanglement based QPQ protocol which might not be performed by mixed states. Hence, it is necessary to use the {|+⟩, |−⟩} basis in the proposed CHSH test.

FIG. 1: The value of Pr(a_i ⊕ b_i = x_i ∧ y_i) with respect to θ

Next, we analyze the proposed CHSH-like test case by case. Let Bob obtain entangled states of the form √ ( | ⟩_B |φ⟩_A + | ⟩_B |φ⟩_A ). We calculate the conditional probabilities for each case and present those in a tabular form in Table I.

Since Pr(x_i, y_i) = for all x_i, y_i, multiplying each individual probability in Table I by gives the corresponding joint probabilities. We have

Pr(a_i ⊕ b_i = x_i ∧ y_i)
= Pr((x_i, y_i) = (0, 0) & ((a_i, b_i) = (0, 0) OR (1, 1)))
+ Pr((x_i, y_i) = (0, 1) & ((a_i, b_i) = (0, 0) OR (1, 1)))
+ Pr((x_i, y_i) = (1, 0) & ((a_i, b_i) = (0, 0) OR (1, 1)))
+ Pr((x_i, y_i) = (1, 1) & ((a_i, b_i) = (0, 1) OR (1, 0))).

Adding the joint probabilities for the corresponding rows, we find that the above quantity is equal to [sin θ (sin ψ + sin ψ) + (cos ψ − cos ψ)] + .

In Fig. 1, we plot the joint probability as a function of θ, for the angles (ψ, ψ) = {(π, π), (3π, π), (9π, π)}. A magnified view of the plot for the region from θ = π to θ = π appears on the right part of the figure. From the plot it is observed that when θ = π, the joint probability reaches the value equal to cos π.

V. SECURITY ANALYSIS
TABLE I: Conditional probability of (a_i, b_i) given (x_i, y_i)
(x_i, y_i)   (a_i, b_i)   Pr((a_i, b_i) | (x_i, y_i))
(0, 0)       (0, 0)       cos(θ − ψ)
             (0, 1)       sin(θ − ψ)
             (1, 0)       cos(θ + ψ)
             (1, 1)       sin(θ + ψ)
(0, 1)       (0, 0)       cos(θ − ψ)
             (0, 1)       sin(θ − ψ)
             (1, 0)       cos(θ + ψ)
             (1, 1)       sin(θ + ψ)
(1, 0)       (0, 0)       cos(θ) cos ψ
             (0, 1)       cos(θ) sin ψ
             (1, 0)       sin(θ) sin ψ
             (1, 1)       sin(θ) cos ψ
(1, 1)       (0, 0)       cos(θ) cos ψ
             (0, 1)       cos(θ) sin ψ
             (1, 0)       sin(θ) sin ψ
             (1, 1)       sin(θ) cos ψ

In this section, we prove the security of the proposed protocol. In the earlier section, we showed that if the shared entangled states are not in a certain form, then Alice may extract more information than what is suggested by the protocol. So, at the beginning of the protocol either Bob has to trust the devices blindly (the device dependent assumption on which the security of the existing protocols depends) or he needs to test some statistical property by measuring the given entangled states (the device independent assumption). The security of the proposed protocol comes from the following result.

Theorem 1. If for a random subset Γ_CHSH ⊂ { , · · · , n} of size γn, where γ > , the fraction of the inputs (x_i, y_i), i ∈ Γ_CHSH, which satisfy the CHSH condition, i.e., (a_i ⊕ b_i = x_i ∧ y_i), is equal to (sin θ (sin ψ + sin ψ) + cos ψ − cos ψ) + − δ, then for the remaining subset Γ_QPQ ⊂ { , · · · , n} of size (1 − γ)n, the fraction of inputs (x_i, y_i), i ∈ Γ_QPQ, which satisfy the CHSH condition is also equal to (sin θ (sin ψ + sin ψ) + cos ψ − cos ψ) + − δ with a negligible statistical deviation ν. Here, δ = √ γn ln ε_CHSH and ν = √ (γn + 1) 2γ(1 − γ)n ln ε_QPQ, and ε_CHSH and ε_QPQ are negligibly small values.
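An added sketch (not from the paper) of how Bob could size and evaluate the test set Γ_CHSH, using the standard Chernoff-Hoeffding form exp(−2δ²m) for m = γn test rounds. The honest success probability is passed in as `p_expected`; the acceptance threshold `p_expected − δ`, the function names and the sample values are assumptions.

```python
import math


def split_rounds(n, gamma):
    """Sizes of Gamma_CHSH and Gamma_QPQ: ceil(gamma*n) and the remainder."""
    if not 0 < gamma < 1:
        raise ValueError("gamma must lie strictly between 0 and 1")
    test = math.ceil(gamma * n)
    return test, n - test


def hoeffding_delta(m, eps_chsh):
    """Deviation delta solving exp(-2 * delta**2 * m) = eps_chsh."""
    return math.sqrt(math.log(1.0 / eps_chsh) / (2.0 * m))


def rounds_for_delta(delta, eps_chsh):
    """Fewest test rounds m for which the deviation is at most delta."""
    return math.ceil(math.log(1.0 / eps_chsh) / (2.0 * delta ** 2))


def local_chsh_verdict(y, p_expected, eps_chsh):
    """Bob's accept/abort decision on the recorded Y_i values.

    y          -- list of 0/1, Y_i = 1 when a_i XOR b_i == x_i AND y_i
    p_expected -- value the honest state should reach (supplied by caller)
    Returns (observed fraction, delta, accept?). Assumption: Bob tolerates
    a shortfall of at most delta below p_expected.
    """
    m = len(y)
    observed = sum(y) / m
    delta = hoeffding_delta(m, eps_chsh)
    return observed, delta, observed >= p_expected - delta


if __name__ == "__main__":
    # Constructed numbers, chosen only to show the scaling.
    P_EXPECTED, EPS = 0.85, 1e-6
    for ones in (840, 750):                    # 1000 test rounds each
        y = [1] * ones + [0] * (1000 - ones)
        print(ones, local_chsh_verdict(y, P_EXPECTED, EPS))
    # Resolving a 0.01 shortfall at eps = 1e-9 needs far more test rounds.
    print(rounds_for_delta(0.01, 1e-9))
```

With 1000 test rounds the tolerance is about 0.08, so a device whose success rate is only slightly below the honest value passes; tightening the tolerance to 0.01 takes on the order of 10^5 test rounds.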
In the second result, we show that when n is sufficiently large, then conditioned on the success of the above local CHSH test, one may proceed to the QPQ protocol proposed by Yang et al. [10] for the remaining subset Γ_QPQ.

Theorem 2. Conditioning on the event that the local CHSH test has been successful for the subset Γ_CHSH, Bob can proceed to the QPQ protocol for the remaining subset Γ_QPQ securely when n → ∞.

In [10], the authors consider the security issues for two cases: (a) dishonest Alice and honest Bob and (b) honest Alice and dishonest Bob. As the second phase of our protocol is the same as the QPQ protocol proposed by Yang et al. [10], the security issues for the second part of the current protocol remain the same.
VI. DISCUSSION AND CONCLUSION
In this draft, we propose a device independent scenario in quantum private query. Exploiting the idea of the local CHSH test, we show how Bob can remove his trust from devices. The proposed protocol is divided into two distinct parts. In the first part, Bob performs the local CHSH test at his end. Conditioning on the event that the local CHSH test has been successful, Bob proceeds to the QPQ protocol. We worked here on the QPQ protocol proposed by Yang et al. [10]. However, one can exploit any entanglement based QPQ protocol for the second phase of our proposed scheme. Here, we assume the detectors have unit efficiency. However, it remains open what would happen if the detectors are imperfect, i.e., have non-unit efficiency. To the best of our knowledge, the proposed protocol is the first device independent protocol in the domain of quantum private query.

[1] V. Giovannetti, S. Lloyd, L. Maccone, Phys. Rev. Lett., 230502, 2008.
[2] V. Giovannetti, S. Lloyd, L. Maccone, IEEE T. Inform. Theory, 3465, 2010.
[3] L. Olejnik, Phys. Rev. A, 022313, 2011.
[4] M. Jakobi, C. Simon, N. Gisin, J. D. Bancal, C. Branciard, N. Walenta, H. Zbinden, Phys. Rev. A, 022301, 2011.
[5] V. Scarani, A. Acín, G. Ribordy, N. Gisin, Phys. Rev. Lett., 057901, 2004.
[6] F. Gao, B. Liu, Q. Y. Wen, H. Chen, Opt. Express, 17411, 2012.
[7] M. V. Panduranga Rao, M. Jakobi, Phys. Rev. A, 012331, 2013.
[8] J. L. Zhang, F. Z. Guo, F. Gao, B. Liu, Q. Y. Wen, Phys. Rev. A, 022334, 2013.
[9] T. G. Noh, Phys. Rev. Lett., 23050, 2009.
[10] Y. G. Yang, S. J. Sun, P. Xu, J. Tiang, Quantum Inf. Process, 805–813, 2014.
[11] C. H. Bennett, Phys. Rev. Lett., 68 (21), 3121–3124, 1992.
[12] C. Y. Wei, F. Gao, Q. Y. Wen, T. Y. Wang, Sci. Rep., 7537, 2014.
[13] P. Chan, I. Lucio-Martinez, X. Mo, C. Simon, W. Tittel, Sci. Rep., 5233, 2014.
[14] F. Gao, B. Liu, W. Huang, Q. Y. Wen, IEEE. J. Sel. Top. Quant., 6600111, 2015.
[15] B. Liu, F. Gao, W. Huang, Sci. China-Phys. Mech. Astron., 100301, 2015.
[16] D. Mayers, A. C. C. Yao, In Proceedings of the 39th Annual Symposium on Foundations of Computer Science (FOCS98) (IEEE Computer Society, Washington, DC), 503, 1998.
[17] A. Acín, N. Gisin, L. Masanes. Phys. Rev. Lett. New J. of Phys. Phys. Rev. A, 042339, 2006.
[20] A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, V. Scarani, Phys. Rev. Lett., 230501, 2007.
[21] J. S. Bell, Physics, 195, 1964.
[22] J. F. Clauser, M. A. Horne, A. Shimony, R. A. Holt, Phys. Rev. Lett., 880, 1969.
[23] C. C. Wen Lim, C. Portmann, M. Tomamichel, R. Renner, N. Gisin, Phys. Rev. X, 031006, 2013.
[24] J. Silman, A. Chailloux, N. Aharon, I. Kerenidis, S. Pironio, S. Massar, Phys. Rev. Lett., 220501, 2011.
[25] N. Aharon, S. Massar, S. Pironio, J. Silman, New J. Phys., 025014, 2016.
[26] J. Kaniewski, S. Wehner, New J. Phys., 055004, 2016.
[27] J. Ribeiro, L. P. Thinh, J. Kaniewski, J. Helsen, S. Wehner, arXiv:1606.08750 [quant-ph], 2016.
[28] J. Ribeiro, G. Murta, S. Wehner, arXiv:1609.08487 [quant-ph], 2016.
[29] W. Hoeffding, J. Am. Stat. Assoc., 13, 1963.
[30] R. J. Serfling, Ann. Stat., 39, 1974.

VII. APPENDIX A: LEMMAS AND PROOFS
Lemma 1. (Chernoff-Hoeffding [29]) Let X = n Σ_i X_i be the average of n independent random variables X , X , · · · , X_n with values [0, , and let E[X] = n Σ_i E[X_i] be the expectation value of X, then for any δ > , we have Pr[ |X − E[X]| ≥ δ ] ≤ exp( −δ n ).

Lemma 2. (Serfling [30]) Let {x , x , · · · , x_n} be a list of values in [a, b] (not necessarily distinct). Let x = n Σ_i x_i be the average of these random variables. Let k be the number of random variables X , X , · · · , X_k chosen from the list without replacement. Then for any value of δ > , we have Pr[ |X − x| ≥ δ ] ≤ exp( −δ kn (n − k + 1)(b − a) ), where X = k Σ_i X_i.

Lemma 3. ([23], Corollary to Serfling Lemma) Let X = {x , x ... x_n} be a list of (not necessarily distinct) values in [0, with the average µ_X = n Σ_{i=1} x_i. Let T be a subset of X of size t with average µ_T = t Σ_{i∈T} x_i. Let K be the remaining subset of X with size k (i.e., t + k = n). If the average of the subset K is µ_K = n − t Σ_{i∈K} x_i, then for any value of ε > , we have Pr( |µ_K − µ_T| ≥ √ n(t + 1) 2t(n − t) ln ε ) ≤ ε.

Proof of Theorem 1:
Proof.
We define a random variable Y_i as follows: Y_i = 1 if a_i ⊕ b_i = x_i ∧ y_i; 0 otherwise. Now, we choose a random subset Γ_CHSH ⊂ { , · · · , n} of size γn for any γ > Y = γn Σ_{i∈Γ_CHSH} Y_i. Here, Y is called the observed average value. Let the expected value of Y for that subset be E(Y) = (sin θ (sin ψ + sin ψ) + cos ψ − cos ψ) + . Then applying the Chernoff bound (Lemma 1) we get Pr[ |Y − E(Y)| ≥ δ ] ≤ exp( −δ γn ). Let ε_CHSH be a negligibly small value. Equating exp( −δ γn ) with ε_CHSH we can find the value of δ = √ γn ln ε_CHSH.

Again, we consider the remaining subset Γ_QPQ ⊂ { , · · · , n} of size (1 − γ)n and define Y′ = − γ)n Σ_{i∈Γ_QPQ} Y_i. Now, from Lemma 3, it can be shown that Pr( |Y − Y′| ≥ ν ) ≤ exp( −γ ν (n − γn) n (γn + 1) n ). Let ε_QPQ be a negligibly small value. Then, equating the R.H.S. with ε_QPQ, we get ν.

Proof of Theorem 2:
Proof.
In the asymptotic limit, i.e., when n → ∞, the expressions for δ and ν tend to 0. This implies that in the asymptotic case, Y = Y′ = E(Y). Thus by calculating the value of Y for the subset Γ_CHSH, Bob can certify that entangled states for the subset Γ