Optimal bounds for parity-oblivious random access codes

We split our results into four sections. We first present the optimal bounds for parity-oblivious quantum ${\rm{RAC}}{\rm{s}}$ and even-parity-oblivious RACs. We then contrast this to the classical case (section 1.1.2), discuss a violation of a non-contextuality inequality (section 1.1.3), then discuss the security of our optimal quantum ${\rm{RAC}}{\rm{s}}$ in the device-independent model (section 1.1.4).

1.1.1. Quantum RACs and cryptographic security definitions

Formally, a quantum ${\rm{RAC}}$ of n classical bits is simply a set of quantum states $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$. We suppose Alice chooses $x\in \{0,1\}{}^{n}$ uniformly at random, prepares the state ${\rho }_{x}$, and sends ${\rho }_{x}$ to Bob who has a POVM $\{{M}_{0}^{t},{M}_{1}^{t}\}$, where the subscript b of ${M}_{b}^{t}$ serves as his guess for the tth bit of x, denoted x_t, for each index $t\in [n]:= \{1,\ldots ,n\}$. Suppose that x_t can be decoded with success probability $\tfrac{1}{2}(1+{\alpha }_{t})$. Then we say that the bias, or worst-case bias, of the ${\rm{RAC}}$ is

$$\begin{eqnarray*}&&\underset{t\in [n]}{\mathrm{min}}{\alpha }_{t}\end{eqnarray*}$$

and the average-case bias is

$$\begin{eqnarray*}&&\underset{t\sim \mu ([n])}{{\mathbb{E}}}{\alpha }_{t},\end{eqnarray*}$$

where μ is the uniform probability distribution.

We consider two cryptographic variants of quantum ${\rm{RAC}}{\rm{s}}$ in this paper. We are concerned with designing quantum ${\rm{RAC}}{\rm{s}}$ which hide some information about the encoded string x from a potentially cheating Bob. By information being hidden, we mean that there exists no measurement which yields a correct guess with probability greater than that of randomly guessing. In particular, we consider the case where Bob cannot learn the value of

$$\begin{eqnarray*}&&{x}_{S}:= \underset{i\in S}{\displaystyle \oplus }{x}_{i},\end{eqnarray*}$$

for certain choices of subset $S\subseteq [n]$, of Alice's encoded string x. We call the value x_S the S-parity of the string x.

(Parity-oblivious and even-parity-oblivious quantum RACs).

Definition 1 We say that a quantum ${\rm{RAC}}$ $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ is parity-oblivious, denoted PO-RACⁿ, if the receiver can infer no information about x_S for any subset $S\subseteq [n]$ of size 2 or greater, when x is chosen uniformly at random. In other words, for all $S\subseteq [n]$ of size 2 or greater, we have

$$\begin{eqnarray*}&&\displaystyle \frac{1}{{2}^{n-1}}\displaystyle \sum _{x\;:\;{x}_{S}=0}{\rho }_{x}=\displaystyle \frac{1}{{2}^{n-1}}\displaystyle \sum _{x\;:\;{x}_{S}=1}{\rho }_{x}.\end{eqnarray*}$$

We say that a quantum ${\rm{RAC}}$ is even-parity-oblivious, denoted EPO-RACⁿ, if the receiver can infer no information about x_S for any subset $S\subseteq [n]$ of even size, 2 or greater.

Note that the usual treatment of ${\rm{RAC}}{\rm{s}}$ is to analyze the relationships between the number of encoded bits n, the bias α, and the encoding dimension of ${\rho }_{x}$. Here, we are not concerned with the encoding dimension, but rather the ability to achieve cryptographic security in terms of parity-obliviousness.

In this paper, we present the optimal bias for a quantum PO-RACⁿ and show that they perform asymptotically better than the optimal classical version.

(Optimal quantum parity-oblivious random access codes).

Theorem 1 For any integer $n\geqslant 2$, a quantum parity-oblivious random access code of n bits has worst-case bias at most $1/\sqrt{n}$. Moreover, this bound can be achieved using $\lfloor n/2\rfloor$ qubits.

This is in contrast to the classical setting where the optimal average-case bias is provably $1/n$ [SBK⁺09] (discussed further in section 1.1.2).

The main idea of the proof of the upper bound is that quantum encodings can be studied through their close relationship to non-local games. Such connections were noted in [OW10] and in [CKS14] it was shown that certain non-local games are equivalent to quantum encodings in the sense that the optimal average decoding probability is equal to the success probability of the non-local game.

In a non-local game, two non-communicating parties, Alice and Bob, receive some inputs s and t, respectively, according to some probability distribution known to Alice and Bob, and must output a and b, respectively, such that $(s,t,a,b)$ satisfy some specific condition. For example, in the CHSH game [CHSH69], the condition is $a\oplus b=s\cdot t$. The goal is to find the optimal quantum (resp. classical) success probability of satisfying the condition when Alice and Bob are allowed to share some initial quantum state (resp. shared randomness).

We now define a very natural non-local game called the ${\rm{INDEX}}$ game which we use in the analysis in this paper.

Definition 2. [(INDEX game)] The INDEXⁿ game, parameterized by n, is the following non-local game:

• Alice's input: Alice receives a random s from the set $S:= \{0,1\}{}^{n}$.
• Bob's input: Bob receives a random index t from the set $T:= [n]$.
• Winning condition: they win if Alice's output bit a and Bob's output bit b satisfy $a\oplus b={s}_{t}$.

The choice of initial resource state and local measurement operators (that depend on the respective inputs) comprise a strategy. We say that a strategy for the ${{\rm{INDEX}}}^{n}$ game has bias α if

$$\begin{eqnarray*}&&\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\;\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{\rm{Alice\mbox{'}s}}\;{\rm{output}}\;{\rm{}}a{\rm{}}\;{\rm{and}}\;{\rm{Bob\mbox{'}s}}\;{\rm{output}}\;{\rm{}}b{\rm{}}\;{\rm{satisfy}}\;{\rm{}}a\oplus b={s}_{t}]=\displaystyle \frac{1}{2}(1+\alpha ).\end{eqnarray*}$$

We show that even-parity-oblivious ${\rm{RAC}}{\rm{s}}$ with average-case bias are equivalent to the ${\rm{INDEX}}$ game. In other words, any ${\rm{INDEX}}$ game strategy with bias α yields an even-parity-oblivious ${\rm{RAC}}$ with average-case bias α and vice versa.

(Equivalence).

Theorem 2 For any $n\in {\mathbb{N}}$, there exists a quantum even-parity-oblivious RAC of n bits with average-case bias $\alpha$ if and only if there exists a quantum INDEXⁿ strategy with bias $\alpha$.

Noting that the ${\rm{INDEX}}$ game is an XOR game, i.e., the winning condition depends only on the XOR of Alice and Bob's one-bit answers, we use a tight semidefinite programming characterization [CSUU08] to provide the exact optimal quantum bias.

(Optimal quantum INDEX game bias).

Theorem 3 For any $n\in {\mathbb{N}}$, the optimal quantum bias of an INDEXⁿ strategy is $1/\sqrt{n}$.

The above two theorems imply the optimal bounds for even-parity-oblivious RAC.

(Optimal quantum even-parity-oblivious random access codes).

Corollary 1 For any integer $n\geqslant 2$, a quantum even-parity-oblivious random access code of n bits has average-case bias at most $1/\sqrt{n}$. Moreover, this bound can be achieved using $\lfloor n/2\rfloor$ qubits.

Since the worst-case bias of a quantum PO-RAC is obviously upper bounded by the optimal average-case bias of a quantum ${\rm{RAC}}$ hiding only the even parities, theorems 1 and 2 show that every PO-RACⁿ has bias at most $1/\sqrt{n}$.

To prove this upper bound is tight, we give an explicit construction of a quantum PO-RAC of n bits with bias $1/\sqrt{n}$ that uses $\lfloor n/2\rfloor$ qubits and 1 classical bit. This ${\rm{RAC}}$ is based on the notion of hyperbits[PW12] and a proof of Tsirelson's theorem [Tsi87]. We then discuss how to remove the classical bit and make it device-independent (see section 1.1.4 for more details about the device-independent model).

We remark that parity-oblivious and even-parity-oblivious quantum RACs both share the same worst-case and average-case bias of $1/\sqrt{n}$. However, the same is not true if we consider odd-parity-oblivious${\rm{RAC}}{\rm{s}}$, where the parities are hidden for only odd-size subsets (greater or equal to 3). Consider encoding a six-bit string $({x}_{1},\ldots ,{x}_{6})$, where the first three bits are encoded using Chuang's PO-RAC and similarly for the last three bits. It is a straightforward exercise to verify that this is odd-parity-oblivious and that any bit can be decoded with bias $1/\sqrt{3}\gt 1/\sqrt{6}$. We leave finding the optimal bounds for odd-parity-oblivious ${\rm{RAC}}{\rm{s}}$ an open problem.

1.1.2. Parity-oblivious classical RACs

1.1.3. Large non-contextuality inequality violations

1.1.4. Device-independent quantum RACs

Until this point, we have discussed the bias and the parity-obliviousness of a quantum ${\rm{RAC}}$ which are functions of the encoding states $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ only. However, much of the cryptographic analysis in this paper is concerned with how the states ${\rho }_{x}$ are prepared. In this section, we discuss how the security of the ${\rm{RAC}}$ is affected if one cannot trust the quantum apparatus used in the preparation of ${\rho }_{x}$.

The device-independent model of cryptographic security deals with the setting when the devices used in the protocol are not trusted, or are even malicious, being created by the cheaters/eavesdroppers themselves. Many security proofs in this setting are based on quantum non-locality or the no-signalling principle, each having their own limitations which ultimately limits the cheating capabilities for anyone controlling the preparation and/or execution of the quantum devices in the protocol. Recall that the no-signalling principle, which is satisfied by the laws of quantum mechanics, roughly states that it is impossible to send information arbitrarily fast, in particular faster than the speed of light. For example, in a quantum setting, Alice cannot convey information to a distant Bob by simply measuring her half of a shared quantum state.

Obviously, if the preparation of the encoding ${\rho }_{x}$ is as simple as Alice having a quantum device which outputs ${\rho }_{x}$ on input x, then certainly device-independence is not feasible since Bob may control the quantum device and just have it prepare ${\rho }_{x}=| x\rangle \langle x|$ (or some other function of x according to what he wishes to learn). However, the preparation need not be so simple. We now sketch the preparation of the quantum ${\rm{RAC}}{\rm{s}}$ presented in this work to give an idea of how they can be device-independent.

First, Alice creates a bipartite quantum state $| \psi \rangle$ and sends a subsystem to Bob. Afterwards she chooses a string $s\in \{0,1\}{}^{n}$ uniformly at random and measures her half of the state to get an outcome $a\in \{0,1\}$. She then defines ${x}_{t}:= {s}_{t}\oplus a$, for all $t\in [n]$, and Bob's post-measured state is now his encoding of the string x. Since there is no communication from Alice to Bob after Alice chooses s, he must not be able to infer any information about s from his encoding of x. Thus, Bob has limited information of any function of x which contains information about s. For example, Bob cannot learn ${x}_{1}\oplus {x}_{2}$ since

$$\begin{eqnarray*}&&{x}_{1}\oplus {x}_{2}=({s}_{1}\oplus a)\oplus ({s}_{2}\oplus a)={s}_{1}\oplus {s}_{2},\end{eqnarray*}$$

which is hidden by the no-signalling principle. Therefore, even if Bob created the entire state which Alice shares at the beginning, and Alice's measurement, he cannot infer any information about ${x}_{1}\oplus {x}_{2}$, promised only by the no-signalling principle.

Theorem 6. There exists a preparation of an optimal PO-RACⁿ with bias $1/\sqrt{n}$ which is even-parity-oblivious in the device-independent model against a no-signalling Bob.

We prove the above theorem using a small modification of our optimal PO-RACⁿ in section 4. See section 4.3 for more details. Note also that the above theorem implies that there exist optimal even-parity-oblivious RAC which retain their cryptographic property in the device independent model.

In section 2, we prove the equivalence of even-parity-oblivious ${\rm{RAC}}{\rm{s}}$ and ${{\rm{INDEX}}}^{n}$ strategies. In section 3 we discuss the optimal quantum and classical bias of the ${{\rm{INDEX}}}^{n}$ game for any n. We conclude in section 4 by presenting an optimal parity-oblivious quantum ${\rm{RAC}}$ and prove the security for the even-parity-obliviousness in the device-independent model.

Let us fix an even-parity-oblivious ${\rm{RAC}}$ $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ with average-case bias α. Let ${ \mathcal B }$ be the Hilbert space used for the encoding. Our goal is to construct a strategy for ${{\rm{INDEX}}}^{n}$ with bias α. For each ${\rho }_{x}$, we fix a purification $| {\psi }_{x}\rangle$ of ${\rho }_{x}$ in the space ${ \mathcal A }\otimes { \mathcal B }$. For $a\in \{0,1\}$, let ${\boldsymbol{a}}$ be the n-bit string $(a,...,a)$ and $\bar{s}$ be the bit-wise complement of a string s. For $s\in {\{\mathrm{0,1}\}}^{n}$, define the following state

$$\begin{eqnarray*}&&| {{\rm{\Omega }}}_{s}\rangle := \displaystyle \frac{1}{\sqrt{2}}\displaystyle \sum _{a\in \{0,1\}}{| a\rangle }_{{ \mathcal O }}{| {\psi }_{s\oplus {\boldsymbol{a}}}\rangle }_{{ \mathcal A }{ \mathcal B }}=\displaystyle \frac{1}{\sqrt{2}}| 0\rangle | {\psi }_{s}\rangle +\displaystyle \frac{1}{\sqrt{2}}| 1\rangle | {\psi }_{\bar{s}}\rangle ,\end{eqnarray*}$$

where ${ \mathcal O }$ is a qubit register containing the value of a. We would like to show that if Bob has the register ${ \mathcal B }$ of the above state, then he has no information about s. Note that his reduced state is ${\sigma }_{s}:= \tfrac{1}{2}{\rho }_{s}+\tfrac{1}{2}{\rho }_{\bar{s}}$.

The first step is to see that Bob has no information about any parity of s (not even of the values of the singleton bits). Fix an arbitrary, non-empty subset S. For fixed $b\in \{0,1\}$, Bob's reduced state, averaged over all $s\in \{0,1\}{}^{n}$ such that ${s}_{S}=b$, is given by

$$\begin{eqnarray*}&&{\sigma }_{S}^{b}:= \displaystyle \frac{1}{{2}^{n-1}}\displaystyle \sum _{s:{s}_{S}=b}{\sigma }_{s}=\displaystyle \frac{1}{{2}^{n}}\left(\displaystyle \sum _{s:{s}_{S}=b}{\rho }_{s}+\displaystyle \sum _{s:{s}_{S}=b}{\rho }_{\bar{s}}\right).\end{eqnarray*}$$

Note that ${s}_{S}={\bar{s}}_{S}$ when $| S|$ is even and ${s}_{S}={\bar{s}}_{S}\oplus 1$ when $| S|$ is odd. Thus, by defining ${\rho }_{S}^{b}$ in the similar way

$$\begin{eqnarray*}&&{\rho }_{S}^{b}:= \displaystyle \frac{1}{{2}^{n-1}}\displaystyle \sum _{s:{s}_{S}=b}{\rho }_{s}\end{eqnarray*}$$

we can easily verify that ${\sigma }_{S}^{b}={\rho }_{S}^{b}$ when $| S|$ is even and ${\sigma }_{S}^{b}=\displaystyle \frac{1}{2}{\rho }_{S}^{0}+\displaystyle \frac{1}{2}{\rho }_{S}^{1}$ when $| S|$ is odd. Note that since $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ is an even-parity-oblivious ${\rm{RAC}}$, we have by definition that ${\rho }_{S}^{0}={\rho }_{S}^{1}$ for $| S|$ even (otherwise, Bob could measure to learn some information about the even parity). Thus, we have that ${\sigma }_{S}^{0}={\sigma }_{S}^{1}$ for all non-empty subsets S and therefore all the parities are hidden from Bob when given ${\sigma }_{s}$ (when s is chosen uniformly at random). This means that for any non-empty subset S and measurement M, Bob has a maximum probability of 1/2 of successfully guessing s_S from the ${\rm{RAC}}$ $\{{\sigma }_{s}\;:s\in \{0,1\}{}^{n}\}$.

In the following lemma, we prove that if an encoding reveals no information about the parity of any subset, then the encoding reveals no information about the string. This is intuitively an obvious statement that we rigorously prove below.

Lemma 1. If an encoding $\{{\sigma }_{s}\;:s\in \{0,1\}{}^{n}\}$ satisfies ${{\mathbb{E}}}_{s\sim \mu (\{\mathrm{0,1}\}{}^{n})}\mathrm{Pr}[{\rm{learn}}\;{\rm{}}{s}_{S}]=\displaystyle \frac{1}{2}$, for every subset $S\subseteq [n]\setminus \varnothing$, then ${\sigma }_{s}={\sigma }_{{s}^{\prime }}$ for all $s,{s}^{\prime }\in \{0,1\}{}^{n}$.

Proof. Suppose for a contradiction that there exists $s,{s}^{\prime }\in \{0,1\}{}^{n}$ such that ${\sigma }_{s}\ne {\sigma }_{s^{\prime} }$. Then there exists a subset $T\subseteq \{0,1\}{}^{n}$ of size ${2}^{n-1}$ such that ${\sigma }_{T}=\tfrac{1}{{2}^{n-1}}{\sum }_{s\in T}{\sigma }_{s}$ is not equal to ${\sigma }_{\bar{T}}=\tfrac{1}{{2}^{n-1}}{\sum }_{s\in \bar{T}}{\sigma }_{s}$, where $\bar{T}$ denotes the complement of the set T. To see this, take any subset $T\subseteq \{0,1\}{}^{n}$ of size ${2}^{n-1};$ if ${\sigma }_{T}={\sigma }_{\bar{T}}$, then we can find $s\in T$ and ${s}^{\prime }\in \bar{T}$ such that ${\sigma }_{s}\ne {\sigma }_{s^{\prime} }$, since all the ${\sigma }_{i}$ are not equal. We consider the subset ${T}^{\prime }$, where we add $\{{s}^{\prime }\}$ and remove $\{s\}$ from T to obtain ${\sigma }_{{T}^{\prime }}\ne {\sigma }_{\bar{{T}^{\prime }}}$.

This means that there exists a two-outcome measurement $\{{M}_{T},{M}_{\bar{T}}\}$ that outputs 1 if $s\in T$ and −1 otherwise, with positive bias. We now show for a contradiction that this measurement must also output a parity of some non-empty subset with positive bias. Define the function $f\;:\{0,1\}{}^{n}\to \{-1,+1\}$ as the indicator function of T and let b be the expectation over the measurement outcomes when measuring ${\sigma }_{s}$ with $\{{M}_{T},{M}_{\bar{T}}\}$, so $b(s):= \mathrm{Tr}({\sigma }_{s}{M}_{T})-\mathrm{Tr}({\sigma }_{s}{M}_{\bar{T}})$. Then

$$\begin{eqnarray*}&&\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}[b(s)\cdot f(s)]\gt 0.\end{eqnarray*}$$

By taking the Fourier representation of the function, we have

$$\begin{eqnarray*}\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}[b(s)\cdot f(s)] & = & \underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\left[b(s)\cdot \displaystyle \sum _{S\subseteq [n]}\hat{f}(S)\;{(-1)}^{{s}_{S}}\right]\\ & = & \displaystyle \sum _{S\subseteq [n]}\hat{f}(S)\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}[b(s)\cdot {(-1)}^{{s}_{S}}]\gt 0.\end{eqnarray*}$$

Note that $\hat{f}(\varnothing )={\mathbb{E}}[f(s)]=0$, because $| T| =| \bar{T}|$, implying that there exists a non-empty subset S for which

$$\begin{eqnarray*}&&\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}[b(s)\cdot {(-1)}^{{s}_{S}}]\ne 0,\end{eqnarray*}$$

which is a contradiction.□

The above statement means that for each s, we have ${\mathrm{Tr}}_{{ \mathcal O }{ \mathcal A }}| {{\rm{\Omega }}}_{s}\rangle \langle {{\rm{\Omega }}}_{s}| ={\mathrm{Tr}}_{{ \mathcal O }{ \mathcal A }}| {{\rm{\Omega }}}_{0}\rangle \langle {{\rm{\Omega }}}_{0}|$. In particular, for any $s\in \{0,1\}{}^{n}$ there exists a unitary U_s acting on ${ \mathcal O }{ \mathcal A }$ such that $({U}_{s}\otimes I)| {{\rm{\Omega }}}_{0}\rangle =| {{\rm{\Omega }}}_{s}\rangle$. We use the state $| {{\rm{\Omega }}}_{0}\rangle$ to define the ${{\rm{INDEX}}}^{n}$ strategy:

• Alice and Bob share the state $| {{\rm{\Omega }}}_{0}\rangle \in { \mathcal A }\otimes { \mathcal B }$.
• Upon receiving $s\in \{0,1\}{}^{n}$, Alice applies U_s on ${ \mathcal O }{ \mathcal A }$ such that Alice and Bob share $| {{\rm{\Omega }}}_{s}\rangle$. Alice measures register ${ \mathcal O }$ in the computational basis and outputs the measurement outcome a.
• For Alice's input s and output a, Bob has an encoding ${\rho }_{x}$ where $x:= s\oplus {\boldsymbol{a}}$ occurs uniformly at random. Upon receiving $t\in [n]$, Bob measures ${ \mathcal B }$ just as in the ${\rm{RAC}}$ to learn x_t. He outputs b equal to his guess.
• Alice and Bob win the game if $b={s}_{t}\oplus a={x}_{t}$ meaning that they win the game if and only if Bob correctly guesses x_t.

Since the ${\rm{RAC}}$ has average-case bias α, we see that with this ${{\rm{INDEX}}}^{n}$ strategy, they succeed with probability

$$\begin{eqnarray*} & & \underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{\rm{Alice\mbox{'}s}}\;{\rm{output}}\;{\rm{}}a{\rm{}}\;{\rm{and}}\;{\rm{Bob\mbox{'}s}}\;{\rm{output}}\;{\rm{}}b{\rm{}}\;{\rm{satisfy}}\;{\rm{}}a\oplus b={s}_{t}]\\ & = & \underset{x\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{\rm{Bob}}\;{\rm{correctly}}\;{\rm{outputs}}\;{\rm{}}{x}_{t}{\rm{}}\;{\rm{from}}\;{\rm{the}}\;{\rm{}}\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}{\rm{RAC}}]\\ & = & \displaystyle \frac{1}{2}(1+\alpha ),\end{eqnarray*}$$

as desired.

Suppose Alice and Bob have a strategy to win the ${{\rm{INDEX}}}^{n}$ game with bias α with starting state $| \psi \rangle \in { \mathcal A }\otimes { \mathcal B }$. On input $s\in \{0,1\}{}^{n}$, Alice performs on her side the corresponding measurement which generates her outcome a. We assume that a is uniformly random and independent of s (which can be guaranteed by taking the XOR with an independently and uniformly random bit that is shared with Bob). Let ${\rho }_{s,a}$ be the state that Bob has when Alice has input s and outputs a and define the ${\rm{RAC}}$ $\{{\sigma }_{x}\;:x\in \{0,1\}{}^{n}\}$, where ${\sigma }_{x}:= \tfrac{1}{2}{\rho }_{x,0}+\tfrac{1}{2}{\rho }_{\bar{x},1}$ for each $x\in \{0,1\}{}^{n}$. We now show that $\{{\sigma }_{x}\;:x\in \{0,1\}{}^{n}\}$ is an even-parity-oblivious ${\rm{RAC}}$ with average-case bias α. Note that $\tfrac{1}{2}{\rho }_{s,0}+\tfrac{1}{2}{\rho }_{s,1}$ is independent of s by the no-signalling principle. For convenience, define $\rho := \tfrac{1}{2}{\rho }_{s,0}+\tfrac{1}{2}{\rho }_{s,1}$ for any $s\in \{0,1\}{}^{n}$.

• (1)  
  It hides the even parities: let $S\subseteq \{0,1\}{}^{n}$ be a subset of even size and $b\in \{0,1\}$ be an arbitrary bit. Then we have ${x}_{S}={\bar{x}}_{S}$ for any $x\in \{0,1\}{}^{n}$, since $| S|$ is even. Bob's reduced state, averaged over all $x\in \{0,1\}{}^{n}$ such that ${x}_{S}=b$, is given by

  $$\begin{eqnarray*}&&\displaystyle \frac{1}{{2}^{n-1}}\displaystyle \sum _{x:{x}_{S}=b}{\sigma }_{x}=\displaystyle \frac{1}{{2}^{n}}\displaystyle \sum _{x:{x}_{S}=b}{\rho }_{x,0}+\displaystyle \frac{1}{{2}^{n}}\displaystyle \sum _{x:{x}_{S}=b}{\rho }_{\bar{x},1}=\displaystyle \frac{1}{{2}^{n}}\displaystyle \sum _{x:{x}_{S}=b}{\rho }_{x,0}+\displaystyle \frac{1}{{2}^{n}}\displaystyle \sum _{x:{x}_{S}=b}{\rho }_{x,1}=\rho ,\end{eqnarray*}$$

  which is independent of b, thus proving the ${\rm{RAC}}$ is even-parity-oblivious.
• (2)  
  Since Alice and Bob win the ${{\rm{INDEX}}}^{n}$ game with average-case bias α, we know that

  $$\begin{eqnarray*}&&\displaystyle \frac{1}{2}(1+\alpha )=\underset{a\sim \mu (\{0,1\})}{{\mathbb{E}}}\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{\rm{Bob}}\;{\rm{learns}}\;{\rm{}}{s}_{t}\oplus a{\rm{}}\;{\rm{from}}\;{\rm{}}{\rho }_{s,a}].\end{eqnarray*}$$

  By defining $x:= s\oplus {\boldsymbol{a}}$, we can write the above as

  $$\begin{eqnarray*}\displaystyle \frac{1}{2}(1+\alpha ) & = & \underset{a\sim \mu (\{0,1\})}{{\mathbb{E}}}\underset{x\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{\rm{Bob}}\;{\rm{learns}}\;{\rm{}}{x}_{t}{\rm{}}\;{\rm{from}}\;{\rm{}}{\rho }_{x\oplus {\boldsymbol{a}},a}]\\ & = & \underset{x\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{\rm{Bob}}\;{\rm{learns}}\;{\rm{}}{x}_{t}{\rm{}}\;{\rm{from}}\;{\rm{}}{\sigma }_{x}]\end{eqnarray*}$$

  as desired.

Note that in the proof above, we are treating x, the string Alice wishes to encode, as $s\oplus {\boldsymbol{a}}$. We now remark that some of the odd parities of x may not be hidden from Bob. For example, if in the ${\rm{INDEX}}$ game Alice simply outputs $a={s}_{1}\oplus {s}_{2}\oplus {s}_{3}\oplus d$, where d is the uniformly random bit Alice and Bob share to make a independent of s, then we have ${x}_{1}\oplus {x}_{2}\oplus {x}_{3}=d$ and Bob would know this odd parity exactly. However, the even parities of x are equal to those of s which are hidden by the no-signalling principle.

Remark 1. The above equivalence also holds in the classical setting.

The quantum bias of any XOR game can be found efficiently by solving a semidefinite program (SDP) [CSUU08]. The optimization takes place over a matrix indexed by $s\in S$ and $t\in T$ with each entry corresponding to the expectation of the measurement outcome of a fixed game strategy. Such a matrix of inner products can be written as a positive semidefinite matrix and the expectation (or bias) of the game strategy is then an inner product of this matrix and one containing the information of the XOR game.

Specifically, the quantum bias of the ${{\rm{INDEX}}}^{n}$ game can be calculated as the optimal value of either SDP below

$$\begin{eqnarray*}\quad \underline{\mathrm{Primal}\ \mathrm{problem}(P)} & \quad \underline{\mathrm{Dual}\ \mathrm{problem}(D)}\\ \mathrm{supremum}:\quad \langle B,X\rangle & \ {\rm{infimum:}}\quad \langle e,y\rangle \ \\ {\rm{subject}}\;{\rm{to:}}\quad \mathrm{diag}(X)=e\quad & {\rm{subject}}\;{\rm{to:}}\quad \mathrm{Diag}(y)\succcurlyeq B,\\ \qquad \quad X\succcurlyeq 0 & \end{eqnarray*}$$

where

• $\mathrm{diag}(X)$ is the vector on the diagonal of the square matrix X,
• e is the vector of all ones,
• $\mathrm{Diag}(y)$ is the diagonal matrix with the vector y on the diagonal,
• $B:= \displaystyle \frac{1}{2}\left[\begin{array}{cc}0 & A\\ {A}^{\top } & 0\end{array}\right]$, where ${A}_{s,t}:= \displaystyle \frac{{(-1)}^{{s}_{t}}}{n{2}^{n}}$.

For (P), consider the positive semidefinite matrix $X:= {{YY}}^{\top }$, where

$$\begin{eqnarray*}&&Y:= \left[\begin{array}{c}\sqrt{n}\;{2}^{n}A\\ {I}_{T}\end{array}\right].\end{eqnarray*}$$

To show X is feasible in (P), one can check that each diagonal entry of X is equal to 1 from the definition of A above. Note that $\langle B,X\rangle := \sqrt{n}\;{2}^{n}\langle A,A\rangle =1/\sqrt{n}$ proving that the quantum bias is at least $1/\sqrt{n}$ (since the quantum bias is the maximum of $\langle B,X\rangle$ over all feasible X).

For (D), let $y:= \left[\begin{array}{c}u\;{e}_{S}\\ v\;{e}_{T}\end{array}\right]$, where $u,v\gt 0$ (determined later) and e_S and e_T are the vectors of all ones indexed by entries in S and T, respectively. Then

$$\begin{eqnarray*}\mathrm{Diag}(y)\succcurlyeq B\ \Longleftrightarrow \ \left[\begin{array}{cc}{{uI}}_{S} & -\displaystyle \frac{1}{2}A\\ -\displaystyle \frac{1}{2}{A}^{\top } & {{vI}}_{T}\end{array}\right]\succcurlyeq 0\ \Longleftrightarrow \ {{uvI}}_{T}\succcurlyeq \displaystyle \frac{1}{4}{A}^{\top }A=\displaystyle \frac{1}{4{n}^{2}{2}^{n}}{I}_{T}\ \Longleftrightarrow \ {uv}\geqslant \displaystyle \frac{1}{4{n}^{2}{2}^{n}}.\end{eqnarray*}$$

From above, if we set $v:= \displaystyle \frac{1}{2n\sqrt{n}}$ and $u:= \displaystyle \frac{1}{2\sqrt{n}\;{2}^{n}}$, then $y$ is feasible in (D). Since

$$\begin{eqnarray*}&&\langle e,y\rangle ={2}^{n}u+{nv}=\displaystyle \frac{1}{\sqrt{n}},\end{eqnarray*}$$

we know the quantum bias is at most $1/\sqrt{n}$ (since the quantum bias is equal to the minimum of $\langle e,y\rangle$ over all feasible y). Therefore, the quantum bias is exactly $1/\sqrt{n}$, as required.

The ${\rm{INDEX}}$ game turns out to be equivalent to the retrieval game studied in [OW10] which is defined similarly except the first bit of Alice's input is always 0 and the other $n-1$ bits are chosen independently and uniformly at random. To see the equivalence, notice that in the ${\rm{INDEX}}$ game Alice can take her input $s\in \{0,1\}{}^{n}$, define ${s}^{\prime }={\boldsymbol{m}}\oplus s$, where m fixes the specific bit to a specific value, play the retrieval game strategy with input ${s}^{\prime }$ to generate ${a}^{\prime }$, and then output $a:= {a}^{\prime }\oplus m$ (Bob plays the same strategy). Thus, any strategy for the retrieval game with bias α yields a strategy for the ${\rm{INDEX}}$ game with bias α as well. We further remark that the quantum bias of the retrieval game is shown to be $1/\sqrt{n}$ in [OW10] through the use of uncertainty relations. Using this result, and the equivalence to the ${\rm{INDEX}}$ game, we have another proof that the quantum bias of the INDEX game is $1/\sqrt{n}$.

We can assume without loss of generality that Alice and Bob's strategies are deterministic. Define $b\in \{0,1\}{}^{n}$ as the string of potential answers Bob gives, where b_t is the bit that Bob outputs on input $t\in [n]$. Now let us examine Alice's strategy. For a fixed input s, if she outputs 1, they win the game with probability

$$\begin{eqnarray*}&&\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{b}_{t}\ne {s}_{t}]=\displaystyle \frac{1}{n}| b\oplus s{| }_{{\rm{H}}},\end{eqnarray*}$$

where $| x{| }_{{\rm{H}}}$ denotes the Hamming weight of a string $x\in \{0,1\}{}^{n}$. If she outputs 0, they win the game with probability

$$\begin{eqnarray*}&&\underset{t\sim \mu ([n])}{{\mathbb{E}}}\mathrm{Pr}[{b}_{t}={s}_{t}]=1-\displaystyle \frac{1}{n}| b\oplus s{| }_{{\rm{H}}}.\end{eqnarray*}$$

Since their strategies are deterministic, Alice should output the maximum of these two, so

$$\begin{eqnarray*}&&\mathrm{max}\left\{\displaystyle \frac{1}{n}| b\oplus s{| }_{{\rm{H}}},1-\displaystyle \frac{1}{n}| b\oplus s{| }_{{\rm{H}}}\right\}=\displaystyle \frac{1}{2}+\left|\displaystyle \frac{1}{2}-\displaystyle \frac{1}{n}| b\oplus s{| }_{{\rm{H}}}\right|=\displaystyle \frac{1}{2}+\displaystyle \frac{1}{2}\cdot \displaystyle \frac{2}{n}\left|\displaystyle \frac{n}{2}-| b\oplus s{| }_{{\rm{H}}}\right|.\end{eqnarray*}$$

Therefore, the classical bias is precisely$\tfrac{2}{n}{{\mathbb{E}}}_{s\sim \mu (\{\mathrm{0,1}\}{}^{n})}\left|\tfrac{n}{2}-| b\oplus s{| }_{{\rm{H}}}\right|$. Note that this quantity is independent of b, thus we could assume Bob always outputs 0 for every input. The quantity

$$\begin{eqnarray*}&&\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\left|\displaystyle \frac{n}{2}-| b\oplus s{| }_{{\rm{H}}}\right|\end{eqnarray*}$$

corresponds to the mean deviation of the uniform binomial distribution. This is a well studied quantity [Fra45] and we know that

$$\begin{eqnarray*}&&\underset{s\sim \mu (\{0,1\}{}^{n})}{{\mathbb{E}}}\left[\left|\displaystyle \frac{n}{2}-{| b\oplus s| }_{{\rm{H}}}\right|\right]=\sqrt{\displaystyle \frac{n}{2\pi }}\left(1+O\left(\displaystyle \frac{1}{n}\right)\right).\end{eqnarray*}$$

Therefore, the classical bias is $\tfrac{2}{n}\sqrt{\tfrac{n}{2\pi }}\left(1+O\left(\tfrac{1}{n}\right)\right)=\sqrt{\tfrac{2}{\pi n}}\left(1+O\left(\tfrac{1}{n}\right)\right)$, as desired.

Our construction is very similar to a proof of Tsirelson's theorem [Tsi87]. We start by recursively defining the observables ${G}_{n,1},\ldots ,{G}_{n,n}$, for $n\geqslant 2$, which are used to define the actions of Alice and Bob in the PO-RACⁿ. For n = 2 and n = 3, we define

$$\begin{eqnarray*}&&{G}_{\mathrm{2,1}}:= X,\quad {G}_{\mathrm{2,2}}:= Y\qquad {\rm{and}}\qquad {G}_{\mathrm{3,1}}:= X,\quad {G}_{\mathrm{3,2}}:= Y,\quad {G}_{\mathrm{3,3}}:= Z.\end{eqnarray*}$$

We use the n = 3 observables as a base case for a recursive formula:

$$\begin{eqnarray*}n{\rm{}}\;{\rm{even}}\;: & & \quad {G}_{n,i}:= {G}_{n-1,i}\otimes X,\ {\rm{}}\;{\rm{for}}\;{\rm{}}\ i\in \{1,\ldots ,n-1\},\quad {G}_{n,n}=I\otimes Y,\quad \quad \\ n{\rm{}}\;{\rm{odd}}\;: & & \quad {G}_{n,i}:= {G}_{n-2,i}\otimes X,\ {\rm{}}\;{\rm{for}}\;{\rm{}}\ i\in \{1,\ldots ,n-2\},\quad {G}_{n,n-1}=I\otimes Y,\quad {G}_{n,n}=I\otimes Z.\end{eqnarray*}$$

Note that these act on $\lfloor n/2\rfloor$ qubits⁷ , have eigenvalues ±1, and satisfy the anti-commutation relation

$$\begin{eqnarray*}&&\{{G}_{n,i},{G}_{n,j}\}=2{\delta }_{i,j}I.\end{eqnarray*}$$

Define the following operators for $x\in \{0,1\}{}^{n}$ and $t\in [n]$:

$$\begin{eqnarray*}&&{A}_{x}:= \displaystyle \frac{1}{\sqrt{n}}\displaystyle \sum _{i=1}^{n}{(-1)}^{{x}_{i}}{G}_{n,i}\quad {\rm{}}\;{\rm{and}}\;{\rm{}}\quad {B}_{t}:= {G}_{n,t}^{\top }.\end{eqnarray*}$$

Note that ${A}_{x}^{2}=I$, for all $x\in \{0,1\}{}^{n}$, and ${B}_{t}^{2}=I$, for all $t\in [n]$, so each have ±1 eigenvalues.

The PO-RACⁿ protocol is defined below.

• Encoding states: Alice chooses a uniformly random $x\in \{0,1\}{}^{n}$, creates $\lfloor n/2\rfloor$ EPR pairs, and measures the first 'halves' with the observable A_x to get an outcome $a\in \{-1,+1\}$. The second 'halves' now contain the post-measurement state ${\tau }_{x,a}$ and since $\mathrm{Tr}({A}_{x})=0$, each a occurs with 1/2 probability. She sends ${\tau }_{x,a}$ and a to Bob who now has the mixed state
  $$\begin{eqnarray*}&&{\rho }_{x}:= \displaystyle \frac{1}{2}\displaystyle \sum _{a}{\tau }_{x,a}\otimes | a\rangle \langle a| \end{eqnarray*}$$
  encoding the string x.
• Decoding procedure: if Bob wishes to learn x_t, he measures his EPR halves with the observable B_t to get an outcome $b\in \{-1,+1\}$ and also measures to learn a. He computes $c={ab}$ and outputs 0 if $c=+1$, and 1 otherwise.

In the next two lemmas, we show that the worst-case bias of this ${\rm{RAC}}$ is $\tfrac{1}{\sqrt{n}}$ and that it is parity-oblivious, thereby proving lemma 2.

Lemma 3. The quantum RAC $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ has worst-case bias at least $1/\sqrt{n}$.

Proof. We can assume at the beginning of the protocol, Alice and Bob share the maximally entangled state

$$\begin{eqnarray*}&&| \psi \rangle := \displaystyle \frac{1}{\sqrt{{2}^{\lfloor n/2\rfloor }}}\displaystyle \sum _{j=1}^{{2}^{\lfloor n/2\rfloor }}{| j\rangle }_{{ \mathcal A }}{| j\rangle }_{{ \mathcal B }}.\end{eqnarray*}$$

The expectation value of the observable $C={A}_{x}\otimes {B}_{t}$ in this state is given by:

$$\begin{eqnarray*}&&\langle C\rangle =\langle \psi | {A}_{x}\otimes {B}_{t}| \psi \rangle =\displaystyle \frac{1}{\sqrt{n}}\displaystyle \frac{1}{{2}^{\lfloor n/2\rfloor }}\displaystyle \sum _{i=1}^{n}{(-1)}^{{x}_{i}}\underset{={2}^{\lfloor \tfrac{n}{2}\rfloor }{\delta }_{i,t}}{\underbrace{\displaystyle \sum _{j,k=1}^{{2}^{\lfloor n/2\rfloor }}{\langle j| }_{{ \mathcal A }}{\langle j| }_{{ \mathcal B }}\;{G}_{n,i}\otimes {G}_{n,t}^{\top }\;{| k\rangle }_{{ \mathcal A }}{| k\rangle }_{{ \mathcal B }}}}=\displaystyle \frac{{(-1)}^{{x}_{t}}}{\sqrt{n}}\end{eqnarray*}$$

where the third equality is derived from the anti-commutation relation. We can write

$$\begin{eqnarray*}&&\langle C\rangle ={\rm{Pr}}[c=+1]-{\rm{Pr}}[c=-1]=\langle \psi | {A}_{x}\otimes {B}_{t}| \psi \rangle \end{eqnarray*}$$

implying

$$\begin{eqnarray*}&&\mathrm{Pr}[{\rm{Bob}}\;{\rm{outputs}}\;{\rm{0}}]=\mathrm{Pr}[c=+1]=\displaystyle \frac{1}{2}\left[1+\displaystyle \frac{{(-1)}^{{x}_{t}}}{\sqrt{n}}\right]\end{eqnarray*}$$

$$\begin{eqnarray*}&&\mathrm{Pr}[{\rm{Bob}}\;{\rm{outputs}}\;{\rm{1}}]=\mathrm{Pr}[c=-1]=\displaystyle \frac{1}{2}\left[1-\displaystyle \frac{{(-1)}^{{x}_{t}}}{\sqrt{n}}\right].\end{eqnarray*}$$

This proves that

$$\begin{eqnarray*}&&\mathrm{Pr}[{\rm{Bob}}\;{\rm{outputs}}\;{x}_{t}]=\displaystyle \frac{1}{2}\left(1+\displaystyle \frac{1}{\sqrt{n}}\right),\end{eqnarray*}$$

as desired. □

Lemma 4. The quantum RAC $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ is parity-oblivious.

Proof. Protocols involving shared entanglement and sending one classical bit have limited guessing probabilities for functions such as parity [PW12]. In particular, it can be shown that the biases ${\alpha }_{S}$ of learning x_S satisfy

$$\begin{eqnarray*}&&\displaystyle \sum _{S\subseteq \{0,1\}{}^{n}\setminus \varnothing }{\alpha }_{S}^{2}\leqslant 1.\end{eqnarray*}$$

In the ${\rm{RAC}}$ above, we have

$$\begin{eqnarray*}&&\displaystyle \sum _{S:| S| =1}{\alpha }_{S}^{2}\geqslant n\cdot {\left(\displaystyle \frac{1}{\sqrt{n}}\right)}^{2}=1\end{eqnarray*}$$

implying ${\alpha }_{S}=0$ for all S of size 2 or greater, implying it is parity-oblivious. □

This concludes a construction of a quantum PO-RACⁿ with optimal bias. However, we have not yet proved theorem 1 since the encoding dimension is too high. We now discuss a small modification to simultaneously reduce the dimension of the ${\rm{RAC}}$ and to increase its device-independence.

Reducing the dimension of the PO-RACⁿ$\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ is straightforward. First notice that Bob simply takes his measurement outcome and changes it if $a=-1$ to obtain his guess for x_t. We can remove the need for this message if Alice simply changes the value of x for which Bob has the encoding. In other words, instead of sending a to Bob, she just switches every bit of x if $a=-1$. Then Bob's guess b is just as accurate in guessing ${x}_{t}^{\prime }$ where ${x}_{t}^{\prime }={x}_{t}$, if $a=+1$, and $x{^{\prime} }_{t}=\bar{{x}_{t}}$, if $a=-1$. (Note that this is similar to what was done in section 2.2). Therefore, Bob now has an encoding of $x^{\prime}$, which we denote by $\{{\sigma }_{x^{\prime} }\;:x^{\prime} \in \{0,1\}{}^{n}\}$. Notice that ${\sigma }_{x^{\prime} }$ is a state on only $\lfloor n/2\rfloor$ qubits which coincides with the optimal PO-RACⁿ for n = 2 and n = 3 previously discussed.

It is easy to see that this new ${\rm{RAC}}$ has bias at least $1/\sqrt{n}$ by construction. We now argue that this quantum ${\rm{RAC}}$ is still parity-oblivious.

Lemma 5. The quantum RAC $\{{\sigma }_{{x}^{\prime }}\;:x\in \{0,1\}{}^{n}\}$ is parity-oblivious.

Proof. We prove that any S-parity hidden from Bob in the quantum ${\rm{RAC}}$ $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ is still hidden from Bob in the quantum ${\rm{RAC}}$ $\{{\sigma }_{{x}^{\prime }}:{x}^{\prime }\in \{0,1\}\}$. Let ${\tau }_{x,a}$ be Bob's post-measured state immediately after Alice used measurement A_x and received output a. We can write

$$\begin{eqnarray*}&&{\rho }_{x}:= \displaystyle \frac{{\tau }_{x,0}\otimes | 0\rangle \langle 0| }{2}+\displaystyle \frac{{\tau }_{x,1}\otimes | 1\rangle \langle 1| }{2}\quad {\rm{}}\;{\rm{and}}\;{\rm{}}\quad {\sigma }_{x}:= \displaystyle \frac{{\tau }_{x,0}+{\tau }_{\bar{x},1}}{2}.\end{eqnarray*}$$

Fix a subset $S\subseteq [n]$ of size at least 2. Since x_S is hidden from Bob in the ${\rm{RAC}}$ $\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$, we have ${\sum }_{x:{x}_{S}=0}{\rho }_{x}={\sum }_{x:{x}_{S}=1}{\rho }_{x}$. Thus,

$$\begin{eqnarray*}&&\left(\displaystyle \sum _{x:\;{x}_{S}=0}{\tau }_{x,0}\right)\otimes \displaystyle \frac{| 0\rangle \langle 0| }{2}+\left(\displaystyle \sum _{x:\;{x}_{S}=0}{\tau }_{x,1}\right)\otimes \displaystyle \frac{| 1\rangle \langle 1| }{2}\\ &&=\left(\displaystyle \sum _{x:\;{x}_{S}=1}{\tau }_{x,0}\right)\otimes \displaystyle \frac{| 0\rangle \langle 0| }{2}+\left(\displaystyle \sum _{x:\;{x}_{S}=1}{\tau }_{x,1}\right)\otimes \displaystyle \frac{| 1\rangle \langle 1| }{2}\end{eqnarray*}$$

implying that

$$\begin{eqnarray}&&\displaystyle \sum _{x:\;{x}_{S}=0}{\tau }_{x,0}=\displaystyle \sum _{x:\;{x}_{S}=1}{\tau }_{x,0}\quad {\rm{}}\;{\rm{and}}\;{\rm{}}\quad \displaystyle \sum _{x:\;{x}_{S}=0}{\tau }_{x,1}=\displaystyle \sum _{x:\;{x}_{S}=1}{\tau }_{x,1}.\end{eqnarray} \tag{ 1 }$$

Now we can write

$$\begin{eqnarray*}&&\displaystyle \sum _{x:\;{x}_{S}=0}{\sigma }_{x}=\displaystyle \sum _{x:\;{x}_{S}=0}{\tau }_{x,0}+\displaystyle \sum _{x:\;{x}_{S}=0}{\tau }_{\bar{x},1}=\displaystyle \sum _{x:\;{x}_{S}=1}{\tau }_{x,0}+\displaystyle \sum _{x:\;{x}_{S}=1}{\tau }_{\bar{x},1}=\displaystyle \sum _{x:\;{x}_{S}=1}{\sigma }_{x}\end{eqnarray*}$$

using equation (1) implying that the quantum ${\rm{RAC}}$ $\{{\sigma }_{x}\;:x\in \{0,1\}{}^{n}\}$ also hides x_S from Bob. □

Since the quantum PO-RACⁿ$\{{\sigma }_{x}\;:x\in \{0,1\}{}^{n}\}$ has optimal bias and uses only $\lfloor n/2\rfloor$ qubits, this concludes the proof of our main result, theorem 1.

We first point out that our preparation of the PO-RACⁿ$\{{\rho }_{x}\;:x\in \{0,1\}{}^{n}\}$ is not secure in the device-independent model for the following reason. Suppose the measurements are not trusted, in the sense that Bob controls them. Consider the case when Alice's measurement, which depends on x, simply outputs $a:= {x}_{1}\oplus {x}_{2}$. Then, when a is sent to Bob, he now knows some information about the parities of x.

Note that in the preparation of the ${\rm{RAC}}$ $\{{\sigma }_{x^{\prime} }\;:{x}^{\prime }\in \{0,1\}{}^{n}\}$ the even parities of $x^{\prime}$ are hidden from Bob by the no-signalling principle since they are equal to those for x and there is no communication from Alice to Bob in the preparation of ${\sigma }_{x^{\prime} }$ after Alice chooses x. This is the basis for our preparation of a quantum ${\rm{RAC}}$ secure in the device-independent security model.

There is one small caveat however that does not affect the security, but may change how $x^{\prime}$ is generated. That is, it may not be generated uniformly now. Consider the case when Bob controls the measurement and decides to set $a:= {x}_{1}$. Then, ${\sigma }_{x^{\prime} }$ will never be prepared if $x{^{\prime} }_{1}=1$. However, there is an easy fix at the price of adding one classical bit of communication.

Before sending Bob's part of the (supposed) maximally entangled state, Alice can choose a random bit d and send that to Bob as well. (We assume Alice can flip a random coin without being effected from a malicious Bob.) Then Alice takes the XOR of d with her measurement outcome, and proceeds as usual. Bob can easily adjust his guess for ${x}_{t}^{\prime }$ using the value of d.

It is easy to see that this preparation of the PO-RACⁿ$\{{\sigma }_{x^{\prime} }\;:x^{\prime} \in \{0,1\}{}^{n}\}$ hides the even parities, in the device-independent model, against any malicious Bob respecting the no-signalling principle, thus proving theorem 6.

It is not the case that the preparation of the PO-RACⁿ$\{{\sigma }_{x^{\prime} }:x^{\prime} \in \{0,1\}{}^{n}\}$ hides the odd parities as well in the device-independent model. For example, suppose Bob controls the measurement such that $a:= {x}_{1}\oplus {x}_{2}\oplus {x}_{3}$. Then

$$\begin{eqnarray*}&&{x}_{1}^{\prime }\oplus {x}_{2}^{\prime }\oplus {x}_{3}^{\prime }=({x}_{1}\oplus a\oplus d)\oplus ({x}_{2}\oplus a\oplus d)\oplus ({x}_{3}\oplus a\oplus d)=d\end{eqnarray*}$$

for any choice of x. Thus, if Bob controls the measurements, he can make it so that Alice's first three bits always have parity d, of which he knows the value!

We leave it as an open problem to see if there exists a preparation of an optimal PO-RACⁿ that is still parity-oblivious in the device-independent model against either no-signalling or quantum adversaries.