On the impossibility of coin-flipping in generalized probabilistic theories via discretizations of semi-infinite programs

Coin-flipping is a fundamental cryptographic task where a spatially separated Alice and Bob wish to generate a fair coin-flip over a communication channel. It is known that ideal coin-flipping is impossible in both classical and quantum theory. In this work, we give a short proof that it is also impossible in generalized probabilistic theories under the Generalized No-Restriction Hypothesis. Our proof relies crucially on a formulation of cheating strategies as semi-infinite programs, i.e., cone programs with infinitely many constraints. This introduces a new formalism which may be of independent interest to the quantum community.

In this paper we consider the possibility of cryptography in theories more general than quantum or classical theory. One may ask why this is a worthwhile endeavour, and for this we give several reasons. The first reason is to future-proof current results which is important in the context of cryptography. While developing quantum cryptography and computation, the community quickly came to realize that classical cryptography results need to be reevaluated for the new quantum era. Since results in quantum cryptography typically rely on the validity of quantum mechanics being a faithful description of nature, these too all have to reevaluated if quantum theory is one day superseded by a new theory, regardless of how minor or radical the departure from quantum mechanics is. Another reason is to gain a better understanding of results in quantum theory. For instance, it is insightful to sit back and think about what parts of quantum theory were needed to prove a result. Did we require entanglement? Were we just assuming these states are in superposition? Can we reprove this only assuming the No-Signalling Principle? By answering such questions, we gain a better understanding of quantum mechanics itself as well as the resources necessary for performing particular tasks.
In this and many other works in cryptography, optimization theory is a key ingredient in the analysis. On a high level, we want to maximize how much someone can "cheat" a protocol, whereby it is understood that the inability to cheat translates into security, and vice versa. The goal is often to design protocols which minimize cheating. We, however, take the opposite approach in this work and prove a limitation on designing any protocol for a particular task, namely coin-flipping, discussed below.
Coin-flipping-Coin-flipping is the cryptographic task where Alice and Bob generate a random bit b over a communication channel such that, when Alice and Bob are honest, both output the same bit b and this bit is uniformly random [11]. Coin-flipping is a primitive that is used mainly for building larger, more sophisticated cryptographic protocols in the two-party setting, and hence an understanding of its properties, along with its security limitations, is important.
More formally the coin-flipping task is as follows. Suppose Alice has a set of strategies (basically, a description of how she interacts with Bob) given by the set A and Bob has a set of strategies given by the set B. We do not just consider deterministic strategies but also those that occur as the result of some measurement procedure. We denote the probability of a pair of strategies occurring as Prob(A, B) which is between 0 and 1 for all A ∈ A and B ∈ B.
A coin-flipping protocol consists of the following: • A triple of strategies for Alice (A 0 , A 1 , A abort ) which correspond to the measurement outcomes of some deterministic strategy A det , • A triple of strategies for Bob (B 0 , B 1 , B abort ) which correspond to the measurement outcomes of some deterministic strategy B det , The conditions above ensure that the protocol behaves as expected, that the bit b is uniform and shared between Alice and Bob. Ideally, we wish that neither Alice nor Bob can cheat by digressing from protocol and disturbing the conditions given by (1). However, this may not be the case, and as such, we need to measure this disturbance. The security measure in coin-flipping is given by the amount a dishonest Alice or a dishonest Bob can bias the output distribution away from uniform. To make this formal, we define the symbols: • P * Alice,b : The maximum probability that dishonest Alice can force honest Bob to accept the outcome b.
• P * Bob,b : The maximum probability that dishonest Bob can force honest Alice to accept the outcome b.
• : The bias of the coin-flipping protocol defined as := max{P * Alice,0 , P * Alice,1 , P * Bob,0 , P * Bob,1 } − 1/2. (2) arXiv:1901.04876v1 [quant-ph] 15 Jan 2019 We wish to design protocols such as to minimize , with a perfect protocol having = 0. In classical and quantum theory, this is known to be impossible [23,32]. In this work, we show that under some assumptions on A and B, can be lower bounded by a positive constant, thus showing near-perfect coin-flipping is impossible in any theory satisfying those assumptions. To study the range of possible , we need to study the four quantities P * Alice,0 , P * Alice,1 , P * Bob,0 , and P * Bob,1 . Let us first consider P * Bob,0 . We can write this succinctly by the rudimentary optimization problem: This optimization problem exactly captures how much Bob can force Alice to output 0 maximized over all physical strategies he can perform. Before studying this problem using optimization theory, we require a mathematical structure on the quantities involved. We now discuss such a structure which is given by the study of Generalized Probabilistic Theories.
Generalized Probabilistic Theories (GPTs)-To study (3) more generally than quantum and classical theory we require a more general setting for physical theories. Here we work in the framework of generalized probabilistic theories which formalizes any physical theory with an operational description. There have been many approaches to GPTs, see, for example, [8,14,15,20,21,33,34,38,39] for introductions to these frameworks. GPTs have been successfully used for studying cryptography [5,7,8,10,25,40,42] and computation [6,9,17,24,[27][28][29][30][31] in theories more general than quantum theory. We, however, do not actually need to introduce the full framework of GPTs for the purposes of this work. Instead, we just consider the structure that any such theory would impose on the sets of strategies for Alice and Bob. As mentioned above, we do not just want to consider the strategies which occur deterministically, but those which may correspond to obtaining a particular outcome in some experiment. That is, given a strategy A ∈ A for Alice and a strategy B ∈ B for Bob we obtain a probability Prob(A, B) that these two strategies jointly occur. In particular there is always a 'zero-strategy' 0 ∈ A such that Prob(0, B) = 0 for all B ∈ B. Conceptually, one can think of this as Alice aborting the protocol, or simply not taking part in the first place.
First, we assume that these spaces of strategies are convex where we interpret convex combinations as probabilistic mixtures. That is, we assume that is in the set A and represents the strategy where with probability p Alice uses strategy A 1 and with probability 1 − p Alice uses strategy A 2 . Given this understanding of the convex structure, the calculated probabilities must satisfy and similarly for convex combinations of Bob's strategies. This means that a strategy for Alice induces a linear functional on the space of strategies for Bob (and vice versa).
Rather than working directly with the spaces of strategies A and B we work with operational equivalence classes of strategies. We say that two strategies A 1 and A 2 are operationally equivalent if and similarly for Bob's strategies. We denote these equivalence classes asÃ andB. Note that our earlier assumptions imply thatÃ and B are both convex sets in some vector space V which are bounded and have non-empty interior. Moreover, we assume that the vector space V is finite-dimensional. This assumption is typically made in the study of GPTs for technical convenience. It can however be motivated by the idea that in a tomographic characterization of the strategies of Alice, one can only, in practice, perform a finite number of different experiments and therefore we must characterize the strategies by a finite number of probabilities.
Following a standard argument on the representations of linear functionals on finite-dimensional vector spaces, one can show that we can always write probabilities as From now on we takeÃ as the set of Alice's strategies (similarlyB as the set of Bob's strategies) and hence drop the tildes for convenience as the strategy representation should be clear from context. We can now rewrite the optimization problem (3) in the form Due to the convex structure of the set B, this is a convex optimization problem. However, since we want to prove general bounds on cheating, we require more structure on the sets A and B for our analysis.
A physical assumption-Clearly some assumption on the sets A and B is required to prove anything meaningful. For example, consider any physical theory and restrict both Alice and Bob to a set of strategies that areclose to their honest strategies. This allows us to define a (rather boring) GPT in which ideal coin-flipping is possible up to some small error. To avoid GPTs with these unnecessary restrictions, we make the assumption that any mathematically feasible strategy for Bob can be physically realized.
To formally define this lack of restriction for Bob, we start with defining two important quantities studied in convex analysis. The polar set of the set C is given as and its dual cone is given as Notice we have B ⊆ A * ∩ A o and A ⊆ B * ∩ B o because every choice of strategies for Alice and Bob yields a proper probability.
We can now define our physical assumption. To support this assumption, one can argue that if Alice knows that her set of strategies is given as A then to be able to guarantee security against Bob she should not make any assumptions about what Bob can do. In other words, we also maximize over all physical theories, which in this case translates to allowing Bob to have the largest set of strategies as possible. This is closely related to the (standard) No-Restriction Hypothesis [14] which is a commonly used assumption in the study of GPTs that can be expressed as the idea that all mathematically possible measurements are physically allowed. Here we generalize this idea to the level of arbitrary strategies.
One could equally well consider Bob's perspective and assume the Generalized No-Restriction Hypothesis for Alice, i.e. A = B * ∩ B o . Surprisingly these two assumptions are not equivalent, see Fig. 1 for an example of this fact. However, for the purposes of this work we need to only assume it for one party. We henceforth assume it for Bob, but by symmetry the following arguments can be adapted to the case where it is assumed instead for Alice.
Optimization analysis-Under this assumption we can now clean up the optimization problem for Bob (8) as: This type of optimization problem is called a semiinfinite program since the variable B is finite-dimensional but there are infinitely many constraints. (Note that this class is not the same as the more popular class of optimization problems called semidefinite programs.) Semi-infinite programming has a rich theory, see for example [41], although it has yet to be used to study quantum theory or its generalizations, as far as we are aware. where we optimize instead using a discretization of the infinite set A. To this end, we define a mesh, denoted here as A δ , parameterized by a fineness measure δ > 0, such that it has the following properties: • A δ is finite, contains a basis for V , and is contained in A; • ∀A ∈ A, ∃X ∈ A δ such that X − A 2 ≤ δ.
Note that such a discretization always exists since A is bounded.
We now consider the discretized version of this optimization problem defined to optimize using A δ instead, as shown below First note that we have P * Bob,0 ≤ P δ Bob,0 since it relaxes (12) as A δ ⊆ A. Furthermore, since there are finitely many constraints, this is a (traditional) cone program making it easier to analyze. Recently there have been several applications of cone programming to the study of GPTs [3,16,22,25,40,42] and to quantum theory [4,18,26,36,43].
As expected, as one decreases δ (the fineness measure of the mesh), we have that A δ becomes a better approximation of the set A. In particular, we have the lemma below.
Proof. We first show that the feasible region of (13) is bounded. To this end, we define the function which is finite since A δ is finite. It can be easily checked that this is a norm (since A δ contains a basis) and is bounded for all B satisfying the constraints of (13).
Since all norms are equivalent in finite-dimensional vector spaces, we know there exists a τ > 0 such that B 2 ≤ τ for all B feasible in (13). Fix B feasible in (13) and A ∈ A. We now wish to scale B by some constant c > 0 to ensure A, cB ≤ 1 (and thus cB is feasible in (12)). Then for X ∈ A δ δ-close to A, we have Thus, 1 1 + τ δ B is feasible in (12). This implies that Taking limits finishes the proof.
We now prove a lower bound on the product of Alice's cheating probability and the relaxation of Bob's cheating probability. This is the key step in proving our main result which takes advantage of the simplified structure of the relaxed problem.
exists since B has nonempty interior by construction. Then B := 1 2 B satisfies B ∈ int(A * ) and B , X < 1 for all X ∈ A δ . This is known as a strictly feasible solution. Since P δ Bob,0 is bounded from above by Eq. (18), the strong duality theorem for cone programming (see, for example, [12]) states that P δ Bob,0 is equal to min y X ≥0 X∈A δ y X : and this problem attains an optimal solution {y X }. Thus, we have P δ Bob,0 = X∈A δ y X . Define (20) Notice that A ∈ A by convexity and A− 1 by the constraints in (19). Suppose Alice uses A as her strategy to force Bob to accept outcome 0. Then we have since B 0 ∈ B ⊆ A * and A 0 , B 0 = 1/2 from Eq. (1).
By combining the two lemmas, we have that P * Alice,0 · P * Bob,0 ≥ 1/2, and therefore the maximum of the two probabilities is at least 1/ √ 2. This gives the same lower bound on the bias Kitaev gave for the case of quantum theory [23] which was later reproved by Gutoski and Watrous using a representation of quantum strategies [19].
Theorem 4. Any coin-flipping protocol in a GPT satisfying the Generalized No-Restriction Hypothesis for Bob (and/or Alice) satisfies ≥ 1/ √ 2 − 1/2 ≈ 0.207. In particular, either Alice or Bob can force an outcome with probability at least 1/ √ 2.
Since quantum theory satisfies the Generalized No-Restriction Hypothesis for both Alice and Bob [19], we have another proof that coin-flipping is impossible in quantum theory.
Discussion-What is perhaps unusual about our main result is that we have found a numerical lower bound that holds for any GPT satisfying the Generalized No-Restriction Hypothesis for Alice and/or Bob. Typically results in the study of GPTs either show something is possible or impossible, or consider a specific GPT (whose structure can be exploited). This is relevant for cryptographic purposes as well. If our result was simply saying that perfect coin-flipping is impossible, then this does not rule out the existence of protocols with small bias, which would be enough for all intents and purposes. Theorem 4 says that near perfect protocols cannot exist either. Moreover, the constant lower bound shows that the security of coin-flipping protocols cannot be boosted in the sense that a protocol with bias < 1/2 cannot be used in a composition to reduce the bias arbitrarily close to 0.
The main technique in this work is our treatment of semi-infinite programs, in particular, how we discretized them into cone programs. We hope that our use of semiinfinite programs will raise awareness of this formalism for future uses in quantum theory and physics by breaking roadblocks when formulating difficult problems as optimization problems.
Future work-This bound on coin-flipping is (asymptotically) achievable in quantum theory using a protocol which is classical apart from quantum subroutines [13]. This quantum subroutine is a black-box implementation of quantum weak coin-flipping-a similarly defined task but with less stringent security requirements. The history of finding the best quantum weak coin-flipping protocol culminated in the work of Mochon [35]. This unpublished paper is 80 pages long and, even though it has been simplified [1] (see also [37]), is still not well understood. (Recent progress has been made however in the work [2].) Mochon's work relies on point games (developed by Kitaev), a notion which is dual, in a sense, to protocols (specified in this work as the pair of triples ((A 0 , A 1 , A abort ), (B 0 , B 1 , B abort )). Even though point games are mysterious in the context of quantum theory, perhaps our generalization to the framework of GPTs will shed light. In fact, there is one immediate similarity to this work. A major step in Mochon's proof is the reduction from time-dependent point games to timeindependent point games. This, in a nutshell, strips away all the 'time-dependent' information of the protocol. Our framework and proof, on the other hand, completely strips away all notion of time as it does not explicitly rely on the round-to-round strategy descriptions, and thus might make this point game reduction simpler, or even trivial.
In short, if one were to develop GPT weak coin-flipping protocols with small bias, then the lower bound presented in this work might be achievable by imitating the quantum protocol. It would be interesting to see which GPTs allow for secure weak coin-flipping, whether it is proved using point games, semi-infinite programming, or another yetto-be-discovered method.