Imperfect 1-out-of-2 quantum oblivious transfer: bounds, a protocol, and its experimental implementation

Oblivious transfer is an important primitive in modern cryptography. Applications include secure multiparty computation, oblivious sampling, e-voting, and signatures. Information-theoretically secure perfect 1-out-of-2 oblivious transfer is impossible to achieve. Imperfect variants, where both participants' ability to cheat is still limited, are possible using quantum means while remaining classically impossible. Precisely what security parameters are attainable remains unknown. We introduce a theoretical framework for studying semi-random quantum oblivious transfer, which is shown equivalent to regular oblivious transfer in terms of cheating probabilities. We then use it to derive bounds on cheating. We also present a protocol with lower cheating probabilities than previous schemes, together with its optical realisation.


I. INTRODUCTION
Following the discovery of quantum key distribution in 1984 [1], there arose a general optimism that quantum mechanics may provide a means to perform multiparty computations with information-theoretic security. Despite this early confidence, the history of secure two-party computations is characterised by mainly negative results. Mayers and Lo [2,3] proved that all one-sided two-party computations are insecure in the quantum setting, meaning that it is impossible to perform important protocols such as bit commitment and oblivious transfer (OT) with information-theoretic security. Nevertheless, imperfect variants of these protocols remain possible, and it has been an interesting and productive open question to determine the optimal security parameters achievable for some important two-party computations.
For many cryptographic primitives, this question has been definitively answered. For strong coin flipping, Kitaev [4] introduced the semi-definite programming formalism to show that the product of Alice's and Bob's cheating probabilities must be greater than 1/2, implying that the minimum cheating probability is at least $1/\sqrt{2}$. For weak coin flipping, Mochon [5] showed that the minimum cheating probability is at least 1/2 + for any > 0. In the same paper a protocol achieving this bound is presented, showing that the bound is tight. Chailloux and Kerenidis [6] used these results on weak coin flipping to generate a protocol for strong coin flipping achieving Kitaev's bound. Lastly, for quantum bit commitment, Chailloux and Kerenidis [7] proved that the minimum cheating probability is 0.739, and presented a protocol achieving this bias. Thus, for bit commitment, weak coin flipping, and strong coin flipping the achievability bounds are tight with the known protocols.
For OT on the other hand, the situation is not as clear. Classically, it is impossible to achieve even limited security for OT in the information-theoretic setting, since one party can always cheat with certainty. On the other hand, quantum mechanics allows for imperfect protocols, in which the participants are able to cheat but their abilities are limited.
OT is a fundamental primitive in cryptography. Its importance stems from the fact that it can be used as the foundation for secure two-party computations; with oblivious transfer, all secure two-party computations are possible [8,9]. OT exists in many different flavours, all with slightly different definitions and notions of security. It was first introduced informally in 1970 by Wiesner as "a means for transmitting two messages either but not both of which may be received" [10], and subsequently formalised as 1-out-of-2 oblivious transfer (1-2 OT) in [11]. In related work, Rabin [12] introduced a protocol (now called Rabin OT), which was later shown by Crépeau [13] to be classically equivalent to 1-2 OT, in the sense that if it is possible to do one, it is possible to use this to implement the other. Various "weaker" variants of OT have also been proposed, most notably Generalised OT, XOR OT and Universal OT [14], but all have been shown to be equivalent to 1-2 OT [15] in the classical setting. The equivalence is believed to also hold in the quantum setting, but the reduction proofs may need to be revised. There is also work by Damgård, Fehr, Salvail and Schaffner [16] who define OT in a slightly different way, and characterise security in terms of information leakage. With these definitions (and their quantum counterparts), the authors describe a 1-2 OT protocol which is secure in the bounded quantum storage model. Spacetime-constrained quantum OT protocols have also been proposed [17], requiring agents at different locations in spacetime, giving constraints on where in spacetime bit values can be obtained. Recently, a device-independent quantum XOR oblivious transfer protocol was proposed [18]. The protocol uses a shared entangled state to reveal cheating.
In this paper we consider stand-alone quantum protocols for 1-2 OT, including an experimental implementation of such a protocol, and are concerned only with information-theoretic security. As mentioned above, perfect security in this setting is impossible. The best known lower bound on the achievable bias in 1-2 OT protocols is due to Chailloux, Gutoski and Sikora [19], who show that the minimum cheating probability is at least 2/3 if participants are "semi-honest". With the definition of cheating used in [19], with "semi-honest" participants, this bound is tight. However, the best known OT protocol has a cheating probability of 0.75 if parties are not assumed to be semi-honest [20], meaning that there is a gap between what is known to be achievable, and what is known to be impossible. Narrowing this gap either way (obtaining higher and thus tighter lower bounds on cheating probabilities, or finding concrete protocols with smaller cheating probabilities, leading to lower upper bounds) is the main target of this paper. In order to obtain lower upper bounds, we consider general classes of protocols (either completely general or with some restrictions), but limit the capabilities of adversaries. This therefore provides only lower bounds on cheating probabilities, applicable to all protocols within the considered class. To obtain upper bounds on cheating probabilities, we give a specific protocol, and then consider the most general attacks. This therefore provides an upper bound on achievable cheating probabilities, in the sense that the best protocol can perform at least as well as the specific protocol we give. There is also a subtlety regarding the requirement of semi-honesty, and related to this, to what extent dishonest parties can always obtain the information they would have obtained if they had been honest, especially when considering variants of oblivious transfer that are not deterministic. We will return to this below.
Our paper contains four main contributions:
1. We introduce the concept of Semi-random OT and prove a functional equivalence with respect to the cheating probabilities between 1-2 OT and Semi-random OT. We further describe a general framework for Semi-random OT.
2. We use this framework to show that the minimum achievable bound on the cheating probability is 2/3. This agrees with the result in [19] for regular (deterministic) oblivious transfer, but in our case we do not assume that parties are semi-honest. We also increase the lower bound on the minimum achievable cheating probability for 1-2 quantum OT protocols to 0.749 if the states in the final round of the protocol when the parties are honest are pure and symmetric. We parametrise Alice's and Bob's ability to cheat in terms of a single variable $F$, related to the fidelity of the protocol output states. This parametrisation suggests how to construct schemes when either sender or receiver dishonesty is prioritized. That is, sender and receiver can have different cheating probabilities, and one can derive bounds for such situations. Such a scenario arises in the context of quantum signature schemes [21,22], and the derived bounds may prove useful for understanding the potential application of imperfect OT to signatures.
3. We illustrate our construction by giving an OT protocol relying on unambiguous state elimination (USE) measurements. The protocol improves on previous protocols in the sense that it decreases the cheating probability of the receiver and is easier to implement. It also highlights the connection between USE measurements and 1-2 OT, and provides a new application for this relatively seldom used type of measurement. The security parameters achieved are almost tight with the bounds for protocols using pure symmetric states proven in this paper. In this protocol, one party has a smaller cheating probability than the other. This is not captured by the overall cheating probability, defined as the maximum of the cheating probabilities of either party. Such protocols might however be used for applications where restricting cheating by one party is prioritised. Such a protocol can also be combined with a "trivial" protocol, to achieve a protocol with lower average cheating probability, where both sender and receiver can cheat with probability at most 0.74. This is lower than the bound for protocols using pure symmetric states and constitutes an improvement on previously known protocols.
4. Last, but not least, we present an optical realisation of the protocol we have given. Optimal cheating strategies for each of the parties were also implemented. Our protocol requires honest parties to use only the same experimental components as standard BB84 quantum key distribution. Our setup is slightly different, in order to enable realisation of also optimal cheating strategies, in particular for the sender. Cheating requires the sender to prepare an entangled state. The experimental results for both honest and cheating parties agree well with theoretical values, demonstrating that the protocol is feasible.
The paper is organised as follows. We begin in Section II by defining 1-2 OT and Semi-random OT, stating an equivalence between the cheating probabilities for each. In Section III we describe a general framework for Semi-random OT protocols and consider specific undetectable cheating strategies always available to Alice and Bob. We analyse these strategies to lower bound the achievable cheating probabilities for unbounded adversaries in 1-2 OT. In Section IV we first introduce unambiguous measurements, in particular unambiguous state elimination (USE) measurements, and motivate their use in cryptography. We describe a semi-random OT protocol which employs USE measurements and analyse its security in the asymptotic limit. In Section V, we present the experimental implementation of this protocol.

II. DEFINITIONS
Intuitively, 1-2 OT is a two-party protocol in which Alice chooses two input bits, $x_0$ and $x_1$, and Bob chooses a single input bit $b$. The protocol outputs $x_b$ to Bob with the guarantees that Alice does not know $b$, and that Bob does not know $x_{b\oplus 1}$. A cheating Alice aims to find the value of $b$, while a cheating Bob aims to correctly guess both $x_0$ and $x_1$.

Definition 1. [20] A 1-2 quantum OT protocol is a protocol between two parties, Alice and Bob, such that
• Alice has inputs $x_0, x_1 \in \{0, 1\}$ and Bob has input $b \in \{0, 1\}$. At the beginning of the protocol, Alice has no information about $b$ and Bob has no information about $(x_0, x_1)$.
• At the end of the protocol, Bob outputs $y$ or Abort and Alice can either Abort or not.
• If Alice and Bob are honest, they never Abort, $y = x_b$, Alice has no information about $b$ and Bob has no information about $x_{b\oplus 1}$.
The suprema are taken over all cheating strategies available to Alice and Bob. We note that there are also less common variants of the definition of $B_{OT}$, all with subtly different cheating implications. Ref. [24] defines cheating in terms of Bob being able to guess the XOR of Alice's bits, while Ref. [19] defines cheating in terms of Bob's ability to guess both bits, while also requiring that Bob can always retrieve a single bit with certainty. The choice of which definition is most appropriate will be largely application dependent.
We define $p_C := \max\{A_{OT}, B_{OT}\}$ to be the cheating probability of the protocol. The maximum cheating probability characterises the performance of an OT protocol since protocols with ($A_{OT} = 1$, $B_{OT} = 0.5$) are easy to construct. However, for certain applications, keeping track of cheating probabilities for both parties may be relevant. For example, it is conceivable that there are applications for which a protocol with cheating probabilities (0.76, 0.5) may be better than one with (0.75, 0.75), and that protocols with same maximum cheating probability could be ordered with respect to the smaller cheating probability. Note also that our definition of security, while commonly used, differs from that in some other works, for example [23], where security is characterised in terms of the information leakage, or in terms of Bob's ability to guess the output of some function $f(x_0, x_1)$. Nevertheless, our simpler definition makes sense if we are interested only in lower bounds on the cheating probability, since the ability to guess $(x_0, x_1)$ automatically implies the ability to guess $f(x_0, x_1)$ for any $f$.
In this paper we define a variant of OT, Semi-random OT, which differs from the above 1-2 OT in that Bob does not have any inputs and randomly obtains one of Alice's bit values. More concretely, Semi-random OT is defined below.
Definition 2. 1-2 quantum Semi-random OT, or simply Semi-random OT, is a protocol between two parties, Alice and Bob, such that
• Alice chooses two input bits $(x_0, x_1) \in \{0, 1\}$ or Abort.
• Bob outputs two bits $(c, y)$ or Abort.
• If Alice and Bob are honest, they never Abort, $y = x_c$, Alice has no information about $c$ and Bob has no information on $x_{c\oplus 1}$. Further, $x_0$, $x_1$ and $c$ are uniformly random bits¹.
• $A_{OT}$ := sup{Pr[Alice correctly guesses $c$ ∧ Bob does not Abort]} = 1/2 + A
• $B_{OT}$ := sup{Pr[Bob correctly guesses $(x_0, x_1)$ ∧ Alice does not Abort]} = 1/2 + B
The reason for introducing Semi-random OT is that we have found it simpler to work with than 1-2 OT, and the ability to perform Semi-random OT with cheating probabilities $A_{OT}$ and $B_{OT}$ implies being able to perform 1-2 quantum OT with the same cheating probabilities using additional classical communication and processing (see Appendix A). Moreover, in spite of the equivalence in the above sense, semi-random protocols where Bob does not choose which bit he obtains can be subtly different from protocols where Bob can choose his input, in the following sense. In a semi-random protocol, such as the example protocol we give in Section IV, Bob obtains Alice's 1st or 2nd bit at random². In other words, the protocol is not deterministic, even when parties honestly follow the protocol, and it generally involves a destructive quantum measurement. In order to obtain his "honest" output, Bob needs to irreversibly disturb the quantum state he possesses. In earlier papers [3,19] it is assumed, correctly for their framework, that Bob can always make a non-destructive measurement to obtain the bit of his choice. Bounds derived in this way then do not directly apply to Semi-random OT protocols, where such a measurement does not exist. Nevertheless, semi-random OT can be used to implement "regular" OT, using classical post-processing as described in Appendix A. There are subtle differences when considering how such post-processing affects lower and upper bounds on cheating. Here we directly obtain the same bound as in [19], but by considering semi-random protocols. Our new technique also enables us to both increase the lower bound for protocols which use symmetric pure states, and to lower the upper bound by constructing a protocol with smaller cheating probabilities averaged over both parties.

III. GENERIC PROTOCOL
In this section we introduce a general framework for Semi-random OT and use it to prove lower bounds on $p_C$. We present undetectable cheating strategies available to Alice and Bob and analyse them to lower bound their cheating probabilities $A_{OT}$ and $B_{OT}$ respectively. We show that for protocols within this framework, it holds that Further, if the states output to Bob by the protocol, when both parties are honest, are pure and symmetric, then We will prove this by bounding Alice's and Bob's cheating probabilities with respect to a single parameter, $F$, which is related to the fidelity of the output states of the protocol when it is honestly executed. (When either of the parties are dishonest, the output states may naturally be different.) From this we find that there is always a trade-off; as Alice's ability to cheat decreases, Bob's ability increases, and vice versa. For this special case of pure symmetric output states, our result can be improved, giving an increased lower bound on the cheating probabilities. For protocols with pure symmetric output states, this nearly closes the gap between the known lower bounds, and the upper bounds resulting from existing protocols. We note that all 1-2 OT protocols we have seen proposed have output states that are pure and symmetric. Although there is no reason why this must be the case in general, protocols would intuitively often have this property. As we will later show, however, there exist protocols with lower average cheating probabilities than what is possible for protocols where the output states are pure and symmetric.

A. Protocol Framework
We now describe the general framework for Semi-random OT protocols with $N$ rounds of communication between Alice and Bob. This framework is based on Kitaev's construction for strong coin flipping [4] and is useful for analysing the security of Semi-random OT. In Appendix A, we further motivate why this framework is general for Semi-random OT.
1. Bob starts with the state $\rho_{BM}$ and Alice starts with an auxiliary system $A$ initialised to $|0\rangle\langle 0|_A$. The overall state is $\rho_{BMA} := \rho_{BM} \otimes |0\rangle\langle 0|_A$. We further suppose that Alice and Bob share the counter variable $i$, initialised to 1, which tracks the round number of the protocol.
3. Bob sends system M to Alice.

4. Based on her choice in Step 2, Alice performs the unitary operation
5. Alice sends system M back to Bob.

6. Bob performs the unitary operation
7. The index $i$ is incremented by 1. If $i = N + 1$, the protocol proceeds to Step 8, otherwise it returns to Step 3.

8. The final output held by Bob is
where and we have used the convention $U \cdot \rho = U \rho U^\dagger$.
9. Bob performs a POVM with elements BM } to obtain the value of $c$ and $x_c$. The position of the star "$*$" determines the value of $c$, i.e. $c = 0$ for $0*$ and $1*$, while $c = 1$ for $*0$ and $*1$. The value of the "non-star" entry is the actual value of $x_c$. For example, the outcome $\Pi^{1*}_{BM}$ denotes that $c = 0$ and $x_0 = 1$.
The steps of the framework above describe the actions of Alice and Bob if they are honest, together with the associated outputs, assuming that all measurements are deferred to the end. Of course, Alice's and Bob's actual actions may deviate from the honest protocol description if they are dishonest, but we will see that to obtain our lower bound, this framework is useful.

B. Alice and Bob both honest
For the protocol to be correct if both Alice and Bob are honest, we require the following conditions to hold: For c = 1: These conditions imply that Bob receives either one of Alice's two chosen bits with equal probability, and that the bit received by Bob is correct.

C. Security against Bob
We assume that Bob acts honestly throughout the protocol, until Step 9, where he deviates in the final measurement. This is clearly not the most general way of cheating for Bob, but any cheating probability that Bob can achieve by cheating in this restricted way can also be achieved by an unrestricted Bob. We will therefore be able to derive a lower bound on Bob's general cheating probability. Bob, at the beginning of Step 9 (measurement), then holds either $\sigma^{00}_{BM}$, $\sigma^{01}_{BM}$, $\sigma^{11}_{BM}$, or $\sigma^{10}_{BM}$. In order to cheat, Bob wants to guess the exact value of $x_0$ and $x_1$. That is, he wants to know which of the four $\sigma$ states he holds. To do this, his optimal strategy would be to perform a minimum-error measurement. However, the minimum-error measurement will vary according to the states chosen by any specific implementation of Semi-random OT. Instead, to provide a lower bound on Bob's optimal cheating probability for all protocols described by the framework, we assume that Bob performs a Square Root Measurement (SRM) [25]. This may not be his optimal strategy, but it is a valid cheating strategy, and a strategy that Bob can employ without even being caught (since Alice has no way of knowing which measurement Bob performs). Bob's cheating probability is then at least as large as the success probability of the SRM, which is bounded as [26] p where $jk, lm \in \{00, 01, 11, 10\}$ and $F$ is the fidelity, defined as Eqs. (5) and (6) imply that $F(\sigma^{jk}_{BM}, \sigma^{j\oplus 1,k\oplus 1}_{BM}) = 0$ (since these states can be perfectly distinguished). Without loss of generality, suppose that $\sigma^{00}_{BM}$ and $\sigma^{01}_{BM}$ are the pair of states with the highest fidelity. Define Then it follows that This result is limited somewhat by the bound on the success probability of the SRM for general states given in Eq. (7). Placing restrictions on the output states of the protocol allows us to tighten this bound. In particular, if $\{\sigma^{00}_{BM}, \sigma^{01}_{BM}, \sigma^{11}_{BM}, \sigma^{10}_{BM}\}$ forms a symmetric set³ of pure states for which $0 \leq F \leq 1/2$, then Bob's SRM measurement is successful with probability [27] which gives the tighter bound $B^{\mathrm{pure}}_{OT} \geq p^{\mathrm{SRM}}_{\mathrm{succ}}$. (As we will see below, $F > 1/2$ would mean that Alice's cheating probability is greater than 3/4.) If Bob's ability to cheat does not depend on Alice's random choice of input, it seems likely that most protocols would output symmetric states, and this tighter bound would apply. However, the example protocol we present in Section IV, which uses symmetric pure states, can be combined with a trivial protocol, to obtain overall average cheating probabilities which are lower than the bound for protocols using symmetric pure states. This shows that, interestingly, protocols using symmetric pure states are not optimal for Semi-random OT in general.

D. Security against Alice
Suppose Alice is dishonest and aims to guess the value of $c$ output to Bob. In this section we present a cheating strategy that is always available to Alice, and which is always undetectable. We derive Alice's cheating probability given that she performs this specific strategy, and use this to obtain a lower bound for Alice's achievable cheating probability given that she performs some optimal strategy, in the same way we restricted Bob's attacks to obtain a lower bound for his cheating probability.
The strategy that Alice employs intuitively does the following. She chooses the two classical two-bit inputs that correspond to the pair of states among the $\sigma^{jk}_{BM}$ with the highest fidelity, which we called $F$ above. Then she performs the protocol operations corresponding to either classical input, conditioned on an ancillary qubit which is prepared in a superposition state, and which she keeps. In other words, the global state (before Bob's measurement) will be an entangled superposition, involving the pair of output states $\sigma^{jk}_{BM}$ with the highest fidelity on Bob's side. Bob then makes the measurement he makes if honest. Conditioned on his outcome, Alice's ancillary qubit is prepared in one of two states. Alice can distinguish between the two states with a success probability determined by the fidelity $F$ between the two states on Bob's side. (Her success probability is greater than 1/2, which would correspond to a random guess by Alice.) This leads us to a bound on Alice's cheating probability that involves the same quantity $F$ as our bound on Bob's cheating probability.
More specifically, Alice can proceed as follows. Let $|\Psi\rangle_{BMAE}$ be a purification of $\rho_{BMA}$, where $E$ denotes the environment. Alice also prepares an additional state √ 2 for use as a control qubit to perform her strategy. Since we consider information-theoretic security, Alice can do anything allowed within quantum mechanics, including this. The overall state is with Alice in complete control of systems $A$, $E$ and $D$.
Without loss of generality, we again assume that the two $\sigma$ states with the highest fidelity are $\sigma^{00}_{BM}$ and $\sigma^{01}_{BM}$. A valid cheating strategy available to Alice is as follows. In each Step 4 of the protocol, rather than performing a unitary $U^{x_0x_1,i}_{MA}$, Alice instead performs

Defining Alice's overall operations as BM U 00,1 BM U 01,1 M A , Alice's strategy leads to an output state This strategy is not detectable by Bob, since without access to system $D$ it is as if Alice has performed the honest operations for either $x = 00$ or $x = 01$, each with probability 1/2. The states $\psi^{jk}$ are purifications of $\sigma^{jk}_{BM}$, and all purifications are related by a unitary operation acting on the purifying system alone. Alice further performs the unitary operation where W AE and W (2 AE are chosen to transform $\psi^{00}$ and $\psi^{01}$ into $\phi^{00}$ and $\phi^{01}$, such that the latter two states are the purifications of $\sigma^{00}_{BM}$ and $\sigma^{01}_{BM}$ with the highest overlap. This operation is performed so that we can later use Uhlmann's theorem to express Alice's cheating probability in terms of $F$, as we shall see. The resulting state is In Step 8 of the protocol, Bob performs the POVM $\{\Pi^z_{BM}\}_z$ on $|\Phi\rangle$, where $z \in \{0*, 1*, *0, *1\}$. Our aim is to discover how well Alice can distinguish between the outcomes $c = 0$ and $c = 1$ using a measurement on her $D$ system. The state of system $D$ following Bob's POVM is where $i, j \in \{0, 1\}$, $z \in \{0*, 1*, *0, *1\}$. Eqs. (5) and (6) can be used to evaluate terms of the form $\langle\phi^{jk}|\Pi^z_{BM}|\phi^{jk}\rangle$, since The expression for $\mu_D$ can be further simplified using the following lemma.

E. Result
Previously, the best known lower bound for the cheating probabilities in 1-2 quantum OT was [19] $\max\{A_{OT}, B_{OT}\} \geq 2/3$. Our results in the previous section reproduce this bound since Our way to obtain this bound differs substantially from [19] in two ways, and this means (as we will show later) that when imposing further restrictions on the class of protocols, we can increase the lower bound.
If we consider protocols where the output states, during an honest execution, are pure and symmetric, then we obtain a tighter lower bound (which cannot be obtained using the technique in [19]). Specifically, we can use Eq. (11) to obtain the tighter bound min Protocols using symmetric states may be preferable due to theoretical or experimental simplicity, and intuitively, one might expect optimal protocols to employ symmetric states.
Finally, another important feature of our bounding method is that our construction quantifies the tradeoffs possible between $A_{OT}$ and $B_{OT}$, something of importance for applications where one is more interested in a smaller value for one of the two. This exact situation arises in the context of quantum signatures [22], where, in the distribution stage, signing keys are partially distributed in a manner reminiscent of 1-2 OT. In these protocols $A_{OT}$ is prioritised, and it is important that $A_{OT} \approx 0.5$ to protect against repudiation attempts. On the other hand, to protect against forging attempts is much simpler, and the requirements on $B_{OT}$ are less strict. The parametrisation of $A_{OT}$ in terms of $F$ suggests that in order to create an imperfect 1-2 OT scheme with a small A , it is necessary to have a protocol which, in the honest case, outputs states that are almost orthogonal. Unfortunately, given $A_{OT} \approx 0.5$, our results show that it is necessary to have $B_{OT} \approx 1$. This mirrors a similar result for two-party computation [34].

IV. A PROTOCOL FOR OBLIVIOUS TRANSFER
In this section we present a protocol for imperfect quantum oblivious transfer which achieves cheating probabilities of 3/4 and approximately 0.729 for sender and receiver respectively. The protocol uses unambiguous quantum state elimination.

A. Unambiguous Measurements
Suppose that a quantum system is prepared in one of the states $\rho_x$, where $x \in X$, with prior probabilities $p_x$. When retrieving the information stored in $\rho_x$ using an "optimal" measurement, what is "optimal" depends heavily on the application. For communication protocols, a minimum-error measurement (one which identifies the state with the smallest probability of error) is just one possibility. For cryptographic protocols, the optimal measurement is often one which returns the largest possible amount of information while simultaneously disturbing the system less than a threshold amount.
A particular class of measurements we are interested in is unambiguous measurements. These measurements give "perfect" information in the sense that, given a successful measurement outcome, one can be certain that the decoded classical information is correct. Unambiguous measurements come in two main flavours: unambiguous state discrimination (USD), and unambiguous state elimination (USE). A successful USD measurement on $\rho_x$ would identify $x$ with certainty, but the measurement is generally not successful with probability 1. When the measurement is unsuccessful it does not uniquely determine the state.
USE measurements [35][36][37][38][39][40][41][42][43] on the other hand can more often be successful with probability 1, but only guarantee that $x \notin Y \subset X$, i.e. the measurement rules out states rather than definitively identifying the state. Intuitively, it seems that unambiguous measurements are well suited to cryptographic applications: their ability to provide "perfect yet partial" information on the states being sent is often exactly what is needed. More concretely, USD can be seen as very similar to Rabin OT, in which it is desired that the receiver obtains the sender's message with probability 1/2, and otherwise receives nothing with probability 1/2. On the other hand, USE measurements seem closely related to the more common 1-2 OT, in which incomplete but correct information is gained with certainty. Since OT plays a central role in secure two-party computation, it seems likely that unambiguous measurements could also play a role in this developing field.

B. Semi-random OT using Unambiguous State Elimination
In this section, we present an application of USE measurements. We describe a protocol for implementing many runs of Semi-random OT and analyse its security in the asymptotic limit. We again work in the information-theoretic security setting but this time prove upper bounds on the cheating probabilities achievable for Alice and Bob. We show that our protocol performs better than previous protocols, and is almost optimal with respect to the bounds for symmetric pure states derived in the previous section. The protocol proceeds as follows:
2. Alice sends the $N$ two-qubit states to Bob.
3. Bob randomly selects $\sqrt{N}$ out of the $N$ states he has received and asks Alice to reveal their identity⁴. If Alice declares $|{+}{+}\rangle$ or $|{-}{-}\rangle$, then Bob measures both qubits in the X basis, otherwise he measures both qubits in the Z basis. The protocol aborts if any measurement result does not match Alice's declaration.

4. The $\sqrt{N}$ states used in the previous step are discarded.
5. For each of the $N - \sqrt{N}$ remaining states, Bob measures the first qubit in the Z basis and the second qubit in the X basis. These measurements constitute two USE measurements (for example, an outcome of $|0\rangle$ on the first qubit rules out $|11\rangle$). Following these measurements, Bob can with certainty rule out one element from the set $Y_0 = \{00, 11\}$, and one from the set $Y_1 = \{01, 10\}$. In this way, for each of the remaining states he can know with certainty exactly one of $x_0$ and $x_1$, but not both.
The result of this protocol is that Alice and Bob have performed $N - \sqrt{N}$ runs of Semi-random OT, each of which could be used to implement a single instance of 1-2 OT, as per the construction in Appendix A. Below we analyse the cheating probabilities achieved by each instance of Semi-random OT generated by this protocol.
Note that, from a security perspective, the scheme above can be set in the general framework considered in the previous section by defining $U = R \otimes R$, where Alice begins with the state $|00\rangle$ and applies either $1$, $U$, $U^2$ or $U^3$ to obtain either $|00\rangle$, $|{+}{+}\rangle$, $|11\rangle$ or $|{-}{-}\rangle$ respectively. The subsequent rounds simply consist of classical communication and measurements, the latter of which can be described as a unitary operation acting on a larger Hilbert space, with state collapse delayed until a protocol output is required. We show that this protocol can be made secure with $A_{OT} = 0.75$ and $B_{OT} \approx 0.729$.

C. Security against Bob
If Bob wants to cheat, then his aim is to correctly guess both $x_0$ and $x_1$ for each individual pair. In the asymptotic limit, the fraction of states discarded for testing in Step 3 tends to zero. Since the states are prepared independently, any strategy Bob performs (including general measurements correlated across all $N$ states) cannot have an average success probability (probability of correctly identifying both $x_0$ and $x_1$) which is greater than the minimum-error measurement on a single state. Therefore, in the asymptotic limit we can bound Bob's average cheating probability for each of the $N - \sqrt{N} \approx N$ runs by considering the minimum-error measurement on a single state. Since the set $S := \{|00\rangle, |++\rangle, |11\rangle, |--\rangle\}$ forms a set of symmetric pure states, the minimum-error measurement is the SRM [27]. Using this measurement Bob can guess both of Alice's input bits with probability In this case, Bob's optimal strategy is the exact strategy considered in the general scenario in Section III C. (If the tested fraction of states does not tend to zero as $N \to \infty$, then Bob's optimal measurement would be a maximum confidence measurement [32,44], with a success probability increasing with the fraction of tested states, reaching a maximum of 3/4 if at least 1/4 of the states are tested. Bob would then perform the relevant measurement with higher confidence in the result, and if the measurement fails, ask to "test" the state in that position.)

D. Security against Alice
If Alice wants to cheat, her aim is to correctly guess the value of $c$ such that Bob received $x_c$. To do this, she may send states other than the ones in $S$. In general, Alice will generate $\rho_{A B_{11} B_{12} B_{21} B_{22} \ldots B_{N1} B_{N2}}$ and send the $B$ systems to Bob, keeping the $A$ system for herself. In Step 3 of the protocol Bob then randomly selects a pair of the qubits he received, say $\rho_{B_{k1} B_{k2}}$, and asks Alice to declare the identity of the state. He does this for $\sqrt{N}$ of the $N$ pairs. Since we are looking for an upper bound on Alice's capabilities, we assume that she holds a purification Alice must declare a state to Bob that will agree with his measurement outcomes in Step 3. If she can do this with certainty, then the state $|\Psi\rangle_{B_{k1} B_{k2} A}$ must be of the form where If Alice does not send states in the above form, then she cannot guess Bob's measurement outcomes with certainty, and for asymptotically large $N$ it becomes virtually certain that the protocol will abort. We note that Alice also cannot improve her average cheating probability by using strategies where she uses entanglement not just between the system she keeps and Bob's individual qubit pairs, but where she also introduces entanglement between the different qubit pairs she sends to Bob. Any state for which Alice will deterministically pass a test on the qubits in position $B_{k1} B_{k2}$ can be written as where $\{|0\rangle_A, |1\rangle_A, |2\rangle_A, |3\rangle_A\}$ is an orthonormal basis which may include not just a system Alice holds, but Bob's qubits in other positions than $B_{k1} B_{k2}$. This state is evidently of the form in (31). That is, if Alice is able to deterministically pass a test done on a qubit pair, then this directly limits her average cheating probability for that qubit pair, and this is true for all qubit pairs also when Alice can entangle the qubits she sends to Bob in arbitrary ways.
Essentially, this means that Alice is restricted to the attacks considered in the general protocol analysis in Section III D: attacks that are superpositions of honest operations, and as such are always undetectable by Bob. In fact, it can be proven (see Appendix B) that an optimal strategy for Alice is to prepare which corresponds exactly to the operation given in Eq. (13). Since the overlap between all adjacent states in $S$ is 1/2, Eq. (25) implies that Alice can correctly guess the value of $c$ with probability 3/4. The analysis in Appendix B confirms that this is her cheating probability.

E. A combined protocol with lower average cheating probability
One can combine our example scheme, where $A_{OT} = 3/4$ and $B_{OT} = 0.729$, with a "trivial" scheme where $A_{OT} = 1/2$ and $B_{OT} = 1$, to achieve a scheme where both Alice's and Bob's average cheating probabilities are below 3/4. Note that this is possible because our protocol had different cheating probabilities for sender and receiver. This illustrates that the maximum of the two cheating probabilities does not fully characterise the performance of a protocol, since the smaller cheating probability can become relevant in such combined protocols. As in [19], Alice and Bob execute a weak coin flipping protocol to probabilistically choose between a protocol that is more favourable to Alice, and one that is more favourable to Bob. In [19], it is considered in some detail how to securely compose weak coin flipping and a subsequent OT protocol. In the trivial OT scheme we will use, Alice simply sends Bob both bits, and Bob reads the bit he wants and discards the other, giving $A_{OT} = 1/2$ and $B_{OT} = 1$. If our example scheme is chosen with probability $p$ and the trivial scheme chosen with probability $1 - p$, the average cheating probabilities become
$$\tilde{A}_{OT} = 3p/4 + (1 - p)/2, \qquad \tilde{B}_{OT} = 0.729p + (1 - p). \tag{34}$$
Choosing $p$ to set these equal results in a combined scheme where both Alice and Bob can cheat on average at most with probability $\tilde{A}_{OT} = \tilde{B}_{OT} = p_C \approx 0.74$. This is the smallest cheating probability that a concrete protocol can achieve to our knowledge. Interestingly, this is lower than 0.749 both for Alice and Bob, thus proving that protocols using symmetric pure states are not optimal for semi-random oblivious transfer in terms of average cheating probability.

V. EXPERIMENT
A major advantage of the above protocol is that it can be realized using a standard BB84 quantum key distribution setup. However, we have implemented the semi-random OT protocol slightly differently to also enable the realization of optimal cheating strategies. Namely, we created Alice's entangled state with the help of optical multi-qubit quantum logic gates. Still, one photon carrying a single qubit stays on Alice's side and the other photon, carrying two qubits, travels to Bob's side.

A. Experimental setup
Pairs of 810-nm time-correlated photons were generated using type-II spontaneous parametric downconversion in a β-barium-borate crystal. The photons were guided to the experimental setup depicted in Figure 1a. Primarily, the state of the first of the qubits B chosen by Alice was encoded by quarter- and half-wave plates (QWP, HWP) into the polarization of the signal photon. Then a calcite beam displacer (BD) spatially separated horizontally and vertically polarized components into two parallel beams with a lateral distance of 4 mm. This turns the encoding of the first qubit from polarization to spatial encoding. Wave plates acting on both parallel beams were then used to encode the state of the second qubit B into polarization. In this way, a single photon carried both qubits.
When the basic operation of the semi-random OT was tested, as well as when Bob's cheating strategy was implemented, we utilized the idler photon (the other photon in the pair) only to herald successful generation of the signal photon. When Alice's cheating strategy was studied, the state of Alice's qubit A was encoded into the polarization state of the idler photon. Linear-optical quantum logic gates, shown in Figure 1b, then entangled the input qubits to produce the required state (33).
The two-qubit controlled-phase gate ($U_{CP}$) operates on qubits B and introduces an arbitrary phase shift on state $|11\rangle$. The wave plates in the lower optical path perform the phase shift, the wave plates in the upper path only compensate for the path length difference. Another half-wave plate implements the Hadamard gate acting on the second one of qubits B (encoded in the polarization degree of freedom). The three-qubit controlled-controlled-phase gate ($U_{CCP}$) provides a way to entangle qubit A with qubits B. The beam displacer separates the path of the idler photon according to its polarization into two parallel beams with 6-mm spacing. This extends the Hilbert space, providing room for manipulation. Suitable polarization operations, two-photon interference, and consecutive coincident detection then constitute the $U_{CCP}$ operation. The two-photon interference takes place in the central block of three partially-polarizing beam splitters (PPBS), the central one with reflectances $R_H = 0$, $R_V = 2/3$, the other two with $R_H = 2/3$, $R_V = 0$. This is the core of the gate operation [45][46][47][48], which is explained in detail under Methods in our previous work [49]. The gate is probabilistic and succeeds with theoretical probability 1/9 for phase shifts 0 and $\pi$, which are used in the experiment.
Final projective measurements are realised by wave plates, polarizing beam splitters, and single-photon avalanche diodes (SPAD). This enables projection onto an arbitrary product state. Electric signals are processed by coincidence logic. The overall coincidence count rate was roughly 330 counts per second. The experimental integration time was 5 s for each projective-measurement setting.

B. Both parties are honest
To test the case when both parties are honest, we set the $U_{CP}$ and $U_{CCP}$ gates to zero phase shift and turned off the Hadamard operation $H$.
We sequentially prepared states $|00\rangle$, $|++\rangle$, $|--\rangle$, $|11\rangle$ and measured each of them in the ZX basis on Bob's side. The probability of Bob correctly receiving one of Alice's bits was estimated to be 0.9943 (9), where the number in the brackets represents one standard deviation at the final decimal place. It means that due to experimental imperfections, there is a small probability (about 0.6%) that Bob obtains an erroneous bit value. Complete experimental data are provided in Table IV of Appendix D. But in an experimental implementation imperfections may cause errors. In our experiment, the average error probability was 0.013 (1). All measured data are provided in Table V of Appendix D.

C. Bob is cheating
Bob's optimal cheating strategy is to perform a minimum-error measurement. In our case, this means measuring the first qubit in the basis and the other in the basis with $\alpha = \cos(\pi/8)$ and $\beta = \sin(\pi/8)$. Each combination of detector clicks gives Bob a guess of both of Alice's bits. The average experimental value of the cheating probability, i.e., the probability of a correct guess of both bits, was 0.718 (5), which is close to the theoretical value of 0.729. Recorded counts are provided in Table VI
In our experiment, Alice's probability of making a correct guess, 0.77, was higher than the theoretical limit 0.75. But there was also a relatively high probability of Bob discovering her cheating (0.059, which is higher than the probability of "false alarm", 0.013, if Alice was honest). These effects are likely caused by imperfect preparation of the state (33).

VI. DISCUSSION
In this paper we introduced Semi-random oblivious transfer (OT) and a general framework useful for its study. We explicitly constructed undetectable cheating strategies available to Alice and Bob and used them to lower-bound the cheating probability for any Semi-random OT protocol within our framework. The derived bounds are directly transferable to standard 1-2 quantum OT, allowing us to obtain the lower bound $p_C \geq 2/3$, but using different assumptions on cheating strategies than assuming semi-honest adversaries as done by Chailloux et al. [19]. Our technique, other than re-deriving the previous bound, allows us to (i) quantify the trade-off between cheating probabilities for different parties, which can be useful for applications where limiting cheating by one party is prioritised and (ii) obtain tighter bounds if we impose further restrictions. In particular, if the states used by honest parties are pure and symmetric, we obtain the bound $p_C \geq 0.749$, which was not obtained previously.
Our construction provides a simple quantitative relationship between Alice's and Bob's ability to cheat, and gives new bounds in biased settings. In applications more sensitive to sender dishonesty than receiver dishonesty (or vice versa), our parametrisation of $A_{OT}$ and $B_{OT}$ in terms of the fidelity shows explicitly how reductions in one party's ability to cheat will impact the other's cheating probability. To illustrate our construction we presented an OT protocol using unambiguous state elimination measurements to achieve cheating probabilities $A_{OT} = 3/4$, $B_{OT} \approx 0.729$ and therefore $p_C = 3/4$, together with its experimental realisation. The cheating probabilities compare favourably with the previously best known protocol given in Ref. [20] in which $A_{OT} = B_{OT} = 3/4$. Unlike for the qutrit protocol proposed in [20], in our example protocol, the bound on Alice's cheating probability concerns her average cheating probability. On the other hand, Bob's cheating probability is lower (0.729 against 0.75 in [20]), and above all, our protocol does not require entanglement and can be realised using the same experimental components as BB84 quantum key distribution. A minor modification could render our protocol even more practical. Bob could, before asking Alice to reveal any states, randomly select some qubit pairs and measure them in the same basis, either the X or the Z basis. He then asks Alice to reveal these states, but only after he has measured these qubit pairs. If Alice's declaration does not match his measurement results, he again aborts. Bob's test is then only useful if his selected basis matches the basis states used by Alice. Another variation would be for Bob to randomly select which qubit he measured in the X and which in the Z basis. This makes no difference if Alice is limited to using undetectable cheating strategies, but would lead to somewhat improved performance when loss and imperfections are present and in finite-size scenarios, where Alice may choose to employ a cheating strategy that could be detected by Bob with some probability.
Since our example protocol outputs symmetric pure states, the cheating probabilities achieved are almost tight with the bounds proven in this paper for this class of protocols. Combining the example protocol with a trivial protocol, however, an average cheating probability $p_C \approx 0.74$ for both Alice and Bob is possible. It follows that protocols with pure and symmetric output states are not optimal. There thus remains a gap between the known lower bounds on cheating probabilities for quantum oblivious transfer, and what the lowest achievable cheating probabilities are.
We further note that if two protocols are combined using weak coin flipping, then the parties know which protocol actually got implemented. The bounds on cheating probabilities in such combined protocols are therefore also only bounds on average cheating probabilities. For an individual round, the parties are aware that they have higher or lower cheating probabilities. Related to this, cheating probabilities do not fully capture how certain a cheating party can be that the extra information they have dishonestly obtained is correct. In our example protocol, Bob can never be certain that his dishonestly obtained information is correct. He only ever knows that his guess is correct with probability 0.729. Alice, however, can be certain of Bob's bit choice with probability 1/4, and she knows when this occurs. The rest of the time her guess is right with probability 2/3. This is a further advantage of our protocol, compared with the one in [20]. To elaborate, if one probabilistically chooses between a trivial protocol where Alice can cheat perfectly and Bob cannot cheat at all ($A_{OT} = 1$ and $B_{OT} = 1/2$) and a trivial protocol where Alice cannot cheat at all and Bob can cheat perfectly ($A_{OT} = 1/2$ and $B_{OT} = 1$), then the average cheating probabilities for either party are 3/4, but with probability 1/2, either party knows for sure that they can cheat perfectly. When executing the protocol in [20], Alice similarly knows for sure what Bob's bit choice was half the time, and the rest of the time she randomly guesses. In our protocol, Alice is only sure with probability 1/4. Bob, however, cheats with a minimum-error measurement both in our protocol and the one in [20], and is never sure that his guess is correct. Since the states Bob receives in both protocols are linearly dependent, he can never unambiguously determine both of Alice's bit values. We also presented an optical realisation of our protocol. The achieved experimental performance parameters agree well with the theoretical values, showing that the protocol is feasible.
Here we prove the following claim (stated below) contained in the main paper.
Proposition 1. The existence of a Semi-random OT protocol with cheating probabilities $A_{OT}$ and $B_{OT}$ is equivalent to the existence of a 1-2 quantum OT protocol with the same cheating probabilities.
To prove this, we begin by giving the definition of a related OT variant called Random OT (ROT), as follows.
Definition 3. Random OT is a protocol between two parties, Alice and Bob, such that
• Alice outputs two bits $(x_0, x_1) \in \{0, 1\}$ or Abort.
• Bob outputs two bits $(c, y)$ or Abort.
• If Alice and Bob are honest, they never Abort, $y = x_c$, Alice has no information about $c$ and Bob has no information about $x_{c \oplus 1}$. Further, $x_0$, $x_1$ and $c$ are uniformly random bits.
Ref. [20] proved that the existence of a ROT protocol with cheating probabilities $A_{OT}$ and $B_{OT}$ is equivalent to the existence of a 1-2 OT with the same cheating probabilities. Following very similar arguments, in the following subsections we will show that the existence of a Semi-random OT protocol with cheating probabilities $A_{OT}$ and $B_{OT}$ is equivalent to the existence of a ROT with the same cheating probabilities. This, combined with the results in Ref. [20], proves the proposition.

Semi-random OT from ROT
Let $P$ be a ROT protocol with cheating probabilities $A_{OT}(P)$ and $B_{OT}(P)$. We construct a Semi-random OT protocol $Q$ with the same cheating probabilities as follows:
1. Alice has inputs $(z_0, z_1)$.
2. Alice and Bob run protocol $P$ to output $(x_0, x_1)$ for Alice and $(c, y)$ for Bob.
3. Alice and Bob abort in $Q$ if and only if they abort in $P$. Otherwise, Alice sends $(z_0 \oplus x_0, z_1 \oplus x_1)$ to Bob.
We now show that $Q$ is a Semi-random OT protocol with cheating probabilities $A_{OT}(P)$ and $B_{OT}(P)$.
If Alice and Bob are honest, then by definition we have $y = x_c$ and so $y = z_c$. Alice has no information about $c$ and Bob has no information about $z_{c \oplus 1}$, as required.
If Alice is dishonest, she cannot guess $c$ except with probability $A_{OT}(P)$ since she only receives communications from Bob via protocol $P$. Therefore $A_{OT}(Q) = A_{OT}(P)$.
If Bob is dishonest, he holds $(z_0 \oplus x_0, z_1 \oplus x_1)$ and aims to guess $(z_0, z_1)$. This is equivalent to Bob guessing $(x_0, x_1)$, which he can do with probability $B_{OT}(P)$. Therefore $B_{OT}(Q) = B_{OT}(P)$.

ROT from Semi-random OT
Let $P$ be a Semi-random OT protocol with cheating probabilities $A_{OT}(P)$ and $B_{OT}(P)$. We construct a ROT protocol $Q$ with the same cheating probabilities as follows:
1. Alice picks $x_0, x_1 \in \{0, 1\}$ uniformly at random.
2. Alice and Bob perform the Semi-random OT protocol $P$ where Alice inputs $x_0, x_1$. Let $(c, y)$ be Bob's outputs.
3. Alice and Bob abort in $Q$ if and only if they abort in $P$. Otherwise, the outputs of protocol $Q$ are $(x_0, x_1)$ for Alice and $(c, y)$ for Bob.
The outputs of $Q$ are uniformly random bits (if both parties are honest) since Alice chooses her input at random. Note that, in the definition of ROT, the outputs are only required to be random in the honest case, and no assertions are made when one party acts dishonestly. Therefore $Q$ does indeed implement ROT. From the construction of $Q$ it is also clear that $A_{OT}(P) = A_{OT}(Q)$ and $B_{OT}(Q) = B_{OT}(P)$.
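The two classical reductions above can be checked exhaustively for honest parties. The following is an added example, not part of the paper: the underlying ROT is replaced by an idealised functionality driven by explicit random bits (an assumption; no quantum protocol is modelled), and all function names are hypothetical.

```python
from collections import Counter
from itertools import product


def rot(x0, x1, c):
    """Idealised ROT for given randomness: Alice gets (x0, x1), Bob gets (c, x_c)."""
    return (x0, x1), (c, (x0, x1)[c])


def srot_from_rot(z, x0, x1, c):
    """Protocol Q of 'Semi-random OT from ROT'.

    Returns (message Alice sends to Bob, Bob's final output (c, z_c)).
    """
    (a0, a1), (bob_c, y) = rot(x0, x1, c)       # step 2: run P
    msg = (z[0] ^ a0, z[1] ^ a1)                # step 3: Alice sends masked inputs
    return msg, (bob_c, y ^ msg[bob_c])         # Bob removes the one pad he knows


def rot_from_srot(x, r0, r1, c):
    """Protocol Q of 'ROT from Semi-random OT': Alice's uniformly random x
    is used as the input of the Semi-random OT (built here from the ideal ROT)."""
    _, bob = srot_from_rot(x, r0, r1, c)
    return x, bob


def honest_bob_views():
    """Map every honest-Bob view (c, y, msg) to a Counter of the bit z_{c xor 1}
    he is not supposed to learn, over all equally likely inputs and randomness."""
    views = {}
    for z0, z1, x0, x1, c in product((0, 1), repeat=5):
        msg, _ = srot_from_rot((z0, z1), x0, x1, c)
        view = (c, (x0, x1)[c], msg)
        views.setdefault(view, Counter())[(z0, z1)[c ^ 1]] += 1
    return views


def all_runs_correct():
    """Bob's output equals Alice's chosen-position bit in both constructions."""
    for z0, z1, x0, x1, c in product((0, 1), repeat=5):
        _, (bc, y) = srot_from_rot((z0, z1), x0, x1, c)
        alice, (rc, ry) = rot_from_srot((z0, z1), x0, x1, c)
        if y != (z0, z1)[bc] or ry != alice[rc] or bc != c:
            return False
    return True


if __name__ == "__main__":
    print("correct in all 32 runs:", all_runs_correct())
    balanced = all(cnt[0] == cnt[1] for cnt in honest_bob_views().values())
    print("hidden bit uniform given every Bob view:", balanced)
```

Each of the 16 possible views of an honest Bob is consistent with both values of the other bit equally often, which is the one-time-pad argument behind "Bob has no information about $z_{c \oplus 1}$".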

Semi-random OT from ROT in the general protocol framework
In order to fully motivate why the protocol framework in section III A is general for Semi-random OT, we here sketch how to recast Semi-random OT, realized by performing ROT together with the classical processing as detailed above in A 1, in the form of our general framework. ROT with classical processing is not immediately in the form of the general protocol framework for Semi-random OT, since in a quantum protocol for ROT, Alice has outputs which she would obtain through a measurement. In the general protocol framework in III A, however, Alice makes no measurements. We also show that the cheating probabilities do not change when the protocol is recast. Suppose therefore that Alice obtains her two output bits in ROT by measuring a part of a quantum system held by her at some point during the protocol. (If desired, this measurement may be deferred to the end of the protocol, using the standard technique for this, closely related to the procedure we will describe below.) Any POVM may be realized as a projective measurement in a suitably enlarged Hilbert space [51], with as many dimensions as outcomes. We will label this Hilbert space $C$.
Suppose therefore that in this possibly enlarged Hilbert space, Alice's four-outcome measurement has measurement operators $\Pi^{x_0,x_1}_C = |x_0, x_1\rangle_C \, {}_C\langle x_0, x_1|$, which are orthonormal projectors on four orthogonal basis states $|x_0, x_1\rangle_C$ for $x_0, x_1 \in \{0, 1\}$. (The construction below can easily be extended to the case where Alice's four measurement operators are orthogonal projectors onto more than one basis state, that is, have rank > 1.) Now, instead of measuring system $C$ to obtain $(x_0, x_1)$ and sending $(z_0 \oplus x_0, z_1 \oplus x_1)$ to Bob, where $(z_0, z_1)$ are Alice's inputs, Alice performs one of the four unitary transforms on system $C$ and an auxiliary system $D$, where $|\mathrm{aux}\rangle_D$ is a "blank" state that could e.g. be chosen as $|0, 0\rangle$. The states $|0, 0\rangle_D$, $|0, 1\rangle_D$, $|1, 0\rangle_D$, $|1, 1\rangle_D$ form an orthonormal basis for the four-dimensional $D$ system. She then sends system $D$ to Bob, who (if he is honest) can measure this system to obtain $(z_0 \oplus x_0, z_1 \oplus x_1)$.
This modified protocol for Semi-random OT is now in the form of the general framework. (If desired, Bob's measurements to obtain $(z_0 \oplus x_0, z_1 \oplus x_1)$ and $(c, y)$ can be combined into a single measurement by Bob that directly gives $(c, y)$.) By no-signalling [28][29][30][31][32], Bob cannot tell whether or not Alice has measured system $C$. Therefore, Bob's cheating probability remains the same as if an honest Alice simply had measured system $C$ and sent him the state $|z_0 \oplus x_0, z_1 \oplus x_1\rangle$. Equivalently, Bob's cheating probability is the same as if Alice had measured system $C$ and sent him the classical bits $(z_0 \oplus x_0, z_1 \oplus x_1)$. Since the recast Semi-random OT protocol is otherwise the same as the ROT protocol we started with, in particular, how Bob obtains $(c, y)$ remains the same, Alice's cheating probabilities are also equal in both versions of the Semi-random protocol. That is, cheating probabilities remain the same in the version that is in the form of the general framework, and in the version where Alice and Bob perform ROT with classical processing.
Appendix B: Alice's optimal cheating strategy in the example protocol
Alice, to pass a test by Bob with certainty, has to send a state of the form where $\{|1\rangle_A, |2\rangle_A, |3\rangle_A, |4\rangle_A\}$ is an orthonormal basis for a system $A$ she retains while sending Bob system $B$, and Bob measures the first $B$ qubit in the Z basis and the second $B$ qubit in the X basis. It holds that 0 These states are the unnormalised states conditionally prepared on Alice's side, given Bob's measurement outcome. The norm of each of the above states gives the probability for that outcome on Bob's side. That is, it is the probability with which the corresponding state is prepared.
To successfully cheat, Alice needs to determine whether Bob received the first or second bit. Bob obtains the first bit if he obtains $(0, +)$ or $(1, -)$, and the second bit if he obtains $(0, -)$ or $(1, +)$. It so happens that each of these outcome combinations occur with probability 1/2, irrespective of $a, b, c, d$. The two density matrices Alice needs to distinguish between are $\rho_0$ and $\rho_1$, with which in matrix form, with the basis states ordered Alice's optimal measurement is the Helstrom measurement, given by a projection in the eigenbasis of $\rho_0 - \rho_1$.
If Alice obtains an outcome corresponding to a positive eigenvalue, she guesses that Bob obtained the first bit, and if she obtains an outcome corresponding to a negative eigenvalue, then she guesses that Bob obtained the second bit. If Alice obtains an outcome corresponding to a zero eigenvalue, she can guess either the first or second bit, without altering her success probability (conditioned on such an outcome, Bob is equally likely to have obtained the first or second bit). Because the state space on Bob's side is three-dimensional, the situation is effectively three-dimensional on Alice's side too, but it is convenient to keep $\{|0\rangle_A, |1\rangle_A, |2\rangle_A, |3\rangle_A\}$ as a basis. We therefore need to find the eigenvalues of The eigenvalues are where we choose the + sign for $\lambda_3$. The success probability is therefore given by With probability 1/4, she will obtain the outcome "−", and is then sure that Bob obtained the second bit (outcomes $(0, -)$ or $(1, +)$ for Bob). With probability 3/4, she will obtain the outcome "+", and then she guesses that Bob obtained the first bit. Her guess is in this case however only correct with probability 2/3, giving an overall cheating probability of 3/4.
Choosing either $|a|$ or $|c|$ equal to $1/\sqrt{2}$ and the other one equal to zero, and either $|b|$ or $|d|$ equal to $1/\sqrt{2}$ and the other one equal to zero gives the same cheating probability. These optimal cheating strategies all require only a two-dimensional system on Alice's side. Choosing $|a| = |b| = |c| = |d| = 1/2$ also gives $p_{\mathrm{cheat}} = 3/4$; these are examples of cheating states with high symmetry. As an example of a suboptimal cheating strategy, choosing three of the parameters equal to $1/\sqrt{3}$ and the remaining one equal to zero gives $p_{\mathrm{cheat}} = \frac{1}{2}\left(1 + \sqrt{2}/3\right)$, which is less than 3/4.
First we performed the optimization with all parameters being free and with multiple random initial guesses. From the set of optima we arbitrarily picked the parameter-tuples with $\theta_1 \approx 120^\circ$, fixed $\theta_1 = 120^\circ$ and performed the optimization again. We repeated this procedure to gradually fix also $\varphi_1$, $\theta_2$, $\varphi_2$, $\beta$, and $\phi_3$, in this order. The parameters $\alpha$ and $\theta_3$ remained free in the last round of the optimization. The optimal parameters are listed in Tab. I. With these parameters, the complement of $E$ to one is sufficiently small, $1 - E \approx 8 \cdot 10^{-11}$.
Next, we initialized the circuit and the input state with the optimal parameters and performed tomography of the output quantum state. Employing the maximum-likelihood method [50] we reconstructed the density matrix $\rho_{\mathrm{exp},0}$ of the actually prepared quantum state. Then we numerically maximized the expectation value $\langle\Sigma|U_{LO}(u)\,\rho_{\mathrm{exp},0}\,U_{LO}^\dagger(u)|\Sigma\rangle$ to find the corrective local operations $U_{LO}$. The optimal $U_{LO}$ not only implements the required local operation to finish the preparation of $|\Sigma\rangle$, but also compensates for some systematic errors. The parameters of the optimal unitaries are listed in Tab. II. We parametrize $U_{LO} = U_1 \otimes U_2 \otimes U_3$ the same way as in the case of $V$, see Eq. (C1). Note that these parameters are not unique; multiple solutions exist (due to insensitivity to global phase and phase periodicity).
An arbitrary unitary operation acting on a single polarization qubit can be easily implemented by a sequence of a quarter-wave plate, half-wave plate, and another quarter-wave plate. However, we merged the unitary $U_{LO}$ into the final projective measurements. This can be done because the output state is projected at the end onto a state $|\pi\rangle$ and the projection $\langle\pi|U_i|\eta\rangle$ is equivalent to $\langle\pi'|\eta\rangle$ with $|\pi'\rangle = U_i^\dagger|\pi\rangle$. We found the corresponding wave-plate angles for six-state tomography by means of numerical minimization. They are listed in Tab. III. This optimization reduces the number of components in the experimental setup, reducing experimental imperfections and losses which accumulate with each added component.
In this appendix we present the full sets of experimental data. The tables contain measured counts $C$, relative frequencies (or estimated probabilities) $f$, and theoretically predicted probabilities $p_t$. Relative frequencies were calculated as a ratio of the number of respective counts to the total number of counts. Digits in parentheses represent one standard deviation at the final decimal place. The statistical errors were computed using error propagation and the fact that the count rates obey a Poisson distribution.
Table IV shows data for the case when both parties were honest. Alice sent states $|00\rangle$, $|++\rangle$, $|--\rangle$, $|11\rangle$ and Bob measured in the ZX basis. Table V shows data for Bob's test measurements when he measured the incoming states in the XX or ZZ basis.
Table VI summarizes results for the situation when Alice was honest but Bob was cheating. This means that Bob has been performing square-root measurements.
The situation when Bob was honest but Alice was cheating is recorded in the last two tables.
of Appendix D. measurement outcome did not match Alice's declaration divided by the total number of counts. The relevant data are presented in Table VIII of Appendix D.

TABLE III. Wave-plate angles for transformed projectors. All numbers are in degrees.

Table VII shows the relative frequencies of Alice's correct and incorrect estimates of the values of Bob's bit $c$. Table VIII shows relative frequencies of different results of Alice's and Bob's measurements in the test phase of the protocol. Theoretically, Bob should only detect $|++\rangle$ or $|00\rangle$.

TABLE IV. Measured counts $C$, relative frequencies $f$, and corresponding theoretical probabilities $p_t$ for the situation when both the parties were honest. $|\psi_B\rangle$ is a state which Alice sends to Bob. Bob measures projection onto $|\pi_B\rangle$. Here, $p_s$ is the probability of correct receipt, i.e. Bob gets an erroneous bit with probability $1 - p_s$.

TABLE V. Data for Bob's test measurements in the case when Alice was honest. Here, $p_{FA}$ is the probability of "false alarm", i.e. the probability that Bob aborts the protocol even if Alice is not cheating.

TABLE VI. Bob was cheating, Alice was honest. Here, $p_{CE}$ is the probability of Bob correctly estimating the incoming state.

TABLE VII. Alice was cheating, Bob was honest. The table shows the probabilities of Alice correctly/incorrectly guessing Bob's bit $c$.

TABLE VIII. Test measurements for an honest Bob when Alice was cheating. Alice measured her qubit in the Z basis and Bob measured his qubit in the ZZ or XX basis.