A monogamy-of-entanglement game with applications to device-independent quantum cryptography

We consider a game in which two separate laboratories collaborate to prepare a quantum system and are then asked to guess the outcome of a measurement performed by a third party in a random basis on that system. Intuitively, by the uncertainty principle and the monogamy of entanglement, the probability that both players simultaneously succeed in guessing the outcome correctly is bounded. We are interested in the question of how the success probability scales when many such games are performed in parallel. We show that any strategy that maximizes the probability to win every game individually is also optimal for the parallel repetition of the game. Our result implies that the optimal guessing probability can be achieved without the use of entanglement. We explore several applications of this result. Firstly, we show that it implies security for standard BB84 quantum key distribution when the receiving party uses fully untrusted measurement devices, i.e. we show that BB84 is one-sided device independent. Secondly, we show how our result can be used to prove security of a one-round position-verification scheme. Finally, we generalize a well-known uncertainty relation for the guessing probability to quantum side information.


I. INTRODUCTION
Apart from their obvious entertainment value, games among multiple (competing) players often provide an intuitive way to understand complex problems.For example, we may understand Bell inequalities in physics [4], or interactive proofs in computer science [5], as a game played by a referee against multiple provers [16,21].Here we investigate a simple quantum multiplayer game whose analysis enables us to tackle several open questions in quantum cryptography.

A. Monogamy Game
We consider a game played among three parties: Alice, Bob and Charlie (these players should be seen as operating in three different laboratories).In this game, Alice takes the role of a referee and is assumed to be honest whereas Bob and Charlie form a team determined to beat Alice.A monogamyof-entanglement game G consists of a list of measurements, M θ = {F θ x } x∈X , indexed by θ ∈ Θ, on a d-dimensional quantum system.
Preparation Phase: Bob and Charlie agree on a strategy and prepare an arbitrary quantum state ρ ABC , where ρ A has dimension d.They pass ρ A to Alice and hold on to ρ B and ρ C , respectively.After this phase, Bob and Charlie are no longer allowed to communicate.Question Phase: Alice chooses θ ∈ Θ uniformly at random and measures ρ A using M θ to obtain the measurement outcome, x ∈ X .She then announces θ to Bob and Charlie.Answer Phase: Bob and Charlie independently form a guess of x by performing a measurement (which may depend on θ) on their respective shares of the quantum state.Winning Condition: The game is won if both Bob and Charlie guess x correctly.
From the perspective of classical information processing, our game may appear somewhat trivialafter all, if Bob and Charlie were to provide some classical information k to Alice who would merely apply a random function f θ , they could predict the value of x = f θ (k) perfectly from k and θ.In quantum mechanics, however, the well-known uncertainty principle [25] places a limit on how well observers can predict the outcome x of incompatible measurements.
To exemplify this, we will in the following focus on the game G BB84 in which Alice measures a qubit in one of the two BB84 bases [7] to obtain a bit x ∈ {0, 1} and use p win (G BB84 ) to denote the probability that Bob and Charlie win, maximized over all strategies.(A strategy is comprised of a tripartite state ρ ABC , and, for each θ ∈ Θ, a measurement on B and a measurement on C.) Then, if Bob and Charlie are restricted to classical memory (i.e., they are not entangled with Alice), it is easy to see that they win the game with an (average) probability of at most 1/2 + 1/(2 √ 2) ≤ p win (G BB84 ). 1n a fully quantum world, however, uncertainty is not quite the end of the story as indeed Bob and Charlie are allowed to have a quantum memory.To illustrate the power of such a memory, consider the same game played just between Alice and Bob.As Einstein, Podolsky and Rosen famously observed [19]: If ρ AB is a maximally entangled state, then once Bob learns Alice's choice of measurement θ, he can perform an adequate measurement on his share of the state to obtain x himself.That is, there exists a strategy for Bob to guess x perfectly.Does this change when we add the extra player, Charlie?We can certainly be hopeful as it turns out that quantum entanglement is "monogamous" [56] in the sense that the more entangled Bob is with Alice, the less entangled Charlie can be.In the extreme case where ρ AB is maximally entangled, even if Bob can guess x perfectly every time, Charlie has to resort to making an uninformed random guess.As both of them have to be correct in order to win the game, this strategy turns out to be worse than optimal.
An analysis of this game thus requires a tightrope walk between uncertainty on the one hand, and the monogamy of entanglement on the other.The following result is a special case of our main result (which we explain further down); a slightly weaker bound had been derived in [14], and the exact value had first been proven by Christandl and Schuch [15]. 2 Result (informal): We find p win (G BB84 ) = 1/2 + 1/(2 √ 2) ≈ 0.85.Moreover, this value can be achieved when Bob and Charlie have a classical memory only.
Interestingly, we thus see that monogamy of entanglement wins out entirely, canceling the power of Bob and Charlie's quantum memory -the optimal winning probability can be achieved without any entanglement at all.In fact, this strategy results in a higher success probability than the one in which Bob is maximally entangled with Alice and Charlie is classical.In such a case the winning probability can be shown to be at most 1/2.In spirit, this result is similar to (but not implied by) recent results obtained in the study of non-local games where the addition of one or more extra parties cancels the advantage coming from the use of entanglement [29].
To employ the monogamy game for quantum cryptographic purposes, we need to understand what happens if we play the same game G n times in parallel.The resulting game, G ×n , requires both Bob and Charlie to guess the entire string x = x 1 . . .x n of measurement outcomes, where x j , j ∈ [n], is generated by measuring ρ Aj (ρ Aj is the quantum state provided by Bob and Charlie in the j-th round of the game) in the basis M θj , and θ j ∈ Θ is chosen uniformly at random.Strategies for Bob and Charlie are then determined by the state ρ A1...AnBC (with each A j being d-dimensional) as well as independent measurements on B and C that produce a guess of the string x, for each value of θ = θ 1 . . .θ n ∈ Θ n .In the following, we say that a game satisfies parallel repetition if p win (G ×n ) drops exponentially in n.Moreover, we say that it satisfies strong parallel repetition if this exponential drop is maximally fast, i.e. if p win (G ×n ) = p win (G) n .
Returning to our example, Bob and Charlie could repeat the strategy that is optimal for a single round n times to achieve a winning probability of p win (G BB84 ), but is this really the best they can do?Even classically, analyzing the n-fold parallel repetition of games or tasks is typically challenging.Examples include the parallel repetition of interactive proof systems (see e.g.[26,49]) or the analysis of communication complexity tasks (see e.g.[34]).In a quantum world, such an analysis is often exacerbated further by the presence of entanglement and the fact that quantum information cannot generally be copied.Famous examples include the analysis of the "parallel repetition" of channels in quantum information theory (where the problem is referred to as the additivity of capacities) (see e.g.[24,55]), entangled non-local games [30], or the question whether an eavesdropper's optimal strategy in quantum key distribution (QKD) is to perform the optimal strategy for each round.Fortunately, it turns out that strong parallel repetition does hold for our monogamy game.
2)) n .More generally, for all monogamy-of-entanglement games using incompatible measurements, we find that p win (G ×n ) decreases exponentially in n.This also holds in the approximate case where Bob and Charlie are allowed to make a small fraction of errors.
Our proofs are appealing in their simplicity and use only tools from linear algebra, inspired by techniques proposed by Kittaneh [33].Note that, in the more general case, we obtain parallel repetition, albeit not strong parallel repetition.

One-Sided Device Independent Quantum Key Distribution
Quantum key distribution (QKD) makes use of quantum mechanical effects to allow two parties, Alice and Bob, to exchange a secret key while being eavesdropped by an attacker Eve [7,20].In principle, the security of QKD can be rigorously proven based solely on the laws of quantum mechanics [46,51,54]; in particular, the security does not rely on the assumed hardness of some computational problem.However, these security proofs typically make stringent assumptions about the devices used by Alice and Bob to prepare and measure the quantum states that are communicated.These assumptions are not necessarily satisfied by real-world devices, leaving the implementations of QKD schemes open to hacking attacks [41].
One way to counter this problem is by protecting the devices in an ad-hoc manner against known attacks.This is somewhat unsatisfactory in that the implementation may still be vulnerable to unknown attacks, and the fact that the scheme is in principle provably secure loses a lot of its significance.
Another approach is to try to remove the assumptions on the devices necessary for the security proof; this leads to the notion of device-independent (DI) QKD.This line of research can be traced back to Mayers and Yao [47] (see also [1,2]).After some limited results (see, e.g., [23,45]), the possibility of DI QKD has recently been shown in the most general case by Reichhardt et al. in [50] and by Vazirani and Vidick in [62].In a typical DI QKD scheme, Alice and Bob check if the classical data obtained from the quantum communication violates a Bell inequality, which in turn ensures that there is some amount of fresh randomness in the data that cannot be known by Eve.This can then be transformed into a secret key using standard cryptographic techniques like information reconciliation and randomness extraction.
While this argument shows that DI QKD is theoretically possible, the disadvantage of such schemes is that they require a long-distance detection-loophole-free violation of a Bell inequality by Alice and Bob.This makes fully DI QKD schemes very hard to implement and very sensitive to any kind of noise and to inefficiencies of the physical devices: any deficiency will result in a lower observed (loophole free) Bell inequality violation, and currently conceivable experimental parameters are insufficient to provide provable security.Trying to find ways around this problem is an active line of research, see e.g.[10,22,38,40,48].
Here, we follow a somewhat different approach, not relying on Bell tests, but making use of the monogamy of entanglement.Informally, the latter states that if Alice's state is fully entangled with Bob's, then it cannot be entangled with Eve's, and vice versa.As a consequence, if Alice measures a quantum system by randomly choosing one of two incompatible measurements, it is impossible for Bob and Eve to both have low entropy about Alice's measurement outcome.Thus, if one can verify that Bob has low entropy about Alice's measurement during the run of the scheme, it is guaranteed that Eve's entropy is high, and thus that a secret key can be distilled.
Based on this idea, we show that the standard BB84 QKD scheme [7] is one-sided DI.This means that only Alice's quantum device has to be trusted, but no assumption about Bob's measurement device has to be made in order to prove security.Beyond that it does not communicate the measurement outcome to Eve, Bob's measurement device may be arbitrarily malicious.
• Application to QKD (informal): We show that the BB84 QKD scheme is secure in the setting of fully one-sided device independence and provide a complete security analysis for finite key lengths.
One-sided DI security of BB84 was first claimed in [61].However, a close inspection of their proof sketch, which is based on an entropic uncertainty relation with quantum side information, reveals that their arguments are insufficient to prove full one-sided DI security (as confirmed by the authors).It needs to be assumed that Bob's measurement device is memoryless.The same holds for the follow up work [9,59] of [61].
Despite the practical motivation, our result is at this point of theoretical nature.This is because, as in all contemporary fully DI schemes, our analysis here (implicitly) assumes that every qubit sent by Alice is indeed received by Bob, or, more generally, whether it is received or not does not depend on the basis it is to be measured in; this is not necessarily satisfied in practical implementations -and some recent attacks on QKD take advantage of exactly this effect by blinding the detectors whenever a measurement a For comparison, this proof achieves maximum noise tolerance and key rate for BB84.See also [9].b Combining our results with results on self-testing in [38,58], one can reduce the assumption to memoryless for Alice.c This loss of a factor 1 2 is due to sifting when moving from BBM92 to BB84. in a basis not to Eve's liking is attempted [41].We remark here that this unwanted assumption can be removed in principle by a refined analysis along the lines of Branciard et al. [9] 3 .While this leads to a significantly lower key rate, the analysis in [9] suggests that the loss tolerance for one-sided DI QKD is higher than for fully DI QKD.More precisely, while DI QKD requires a detection-loophole-free violation of a Bell inequality, for one-sided DI QKD a loophole-free violation of a steering inequality is sufficient, and such a violation has recently been shown [64].
Our analysis of BB84 QKD with one-sided DI security admits a noise level of up to 1.5%.This is significantly lower than the 11% tolerable for standard (i.e.not DI) security.We believe that this is not inherent to the scheme but an artifact of our analysis.Improving this bound by means of a better analysis is an open problem (it can be slightly improved by using a better scheme, e.g., the six-state scheme [11]).Nonetheless, one-sided DI QKD appears to be an attractive alternative to DI QKD in an asymmetric setting, when we can expect from one party, say, a server, to invest in a very carefully designed, constructed, and tested apparatus, but not the other party, the user, and/or in case of a star network with one designated link being connected with many other links.
A comparison to other recent results on device-independent QKD is given in Table I.The noise tolerance is determined using isotropic noise.

Position Verification
Our second application is to the task of position verification.Here, we consider a 1-dimensional setting where a prover wants to convince two verifiers that he controls a certain position, pos.The verifiers are located at known positions around pos, honest, and connected by secure communication channels.Moreover, all parties are assumed to have synchronized clocks, and the message delivery time between any two parties is assumed to be proportional to the distance between them.Finally, all local computations are assumed to be instantaneous.
Position verification and variants thereof (like distance bounding) is a rather well-studied problem in the field of wireless security (see e.g.[14]).It was shown in [14] that in the presence of colluding adversaries at different locations, position verification is impossible classically, even with computational hardness assumptions.That is, the prover can always trick the verifiers into believing that he controls a position.The fact that the classical attack requires the adversary to copy information, initially gave hope that we may circumvent the impossibility result using quantum communication [13,31,32,43,44].However, such schemes were subsequently broken [37] and indeed a general impossibility proof holds [12]: without any restriction on the adversaries, in particular on the amount of pre-shared entanglement they may hold, no quantum scheme for position verification can be secure.This impossibility proof was constructive but required the dishonest parties to share a number of EPR pairs that grows doubly-exponentially in the number of qubits the honest parties exchange.Using port-based teleportation, as introduced by Ishizaka and Hiroshima [27,28], this was reduced by Beigi and König [3] to a single exponential amount.On the other hand, there are schemes for position verification that are provably secure against adversaries that have no pre-shared entanglement, or only hold a couple of entangled qubits [3,12,13,37].
However, all known schemes that are provably secure with a negligible soundness error (the maximal probability that a coalition of adversaries can pass the position verification test for position pos without actually controlling that specific position) against adversaries with no or with bounded pre-shared entanglement are either multi-round schemes, or require the honest participants to manipulate large quantum states.
• Application to Position Verification (informal): We present the first provably secure oneround position verification scheme with negligible soundness error in which the honest parties are only required to perform single qubit operations.We prove its security against adversaries with an amount of pre-shared entanglement that is linear in the number of qubits transmitted by the honest parties.

Entropic Uncertainty Relation
The final application of our monogamy game is to entropic uncertainty relations with quantum side information [8].Our result is in the spirit of [17,61] which shows an uncertainty relation for a tripartite state ρ ABC for measurements on A, trading off the uncertainty between the two observers B and C as in our monogamy game.
• Application to Entropic Uncertainty Relations: For any two general (POVM) measurements, {N 0 x } x and {N 1 x } x , we find , where c = max x,z The entropies are evaluated for the post-measurement state ρ XBCΘ , where X is the outcome of the measurement {N θ x } x , where Θ ∈ {0, 1} is chosen uniformly at random.

C. Outline
The remainder of this manuscript is structured as follows.In Section II, we introduce the basic terminology and notation used throughout this work.In Section III, we discuss the monogamy game and prove a strong parallel repetition theorem.Here, we also generalize the game to include the case where Bob and Charlie are allowed to have some errors in their guess and show an upper bound on the winning probability for the generalized game.Sections IV, V and VI then apply these results to prove security for one-sided device independent QKD, a one-round position verification scheme and an entropic uncertainty relation.

II. TECHNICAL PRELIMINARIES A. Basic Notation and Terminology
Let H be an arbitrary, finite dimensional Hilbert space.L(H) and P(H) denote linear and positive semi-definite operators on H, respectively.Note that an operator A ∈ P(H) is in particular Hermitian, meaning that A † = A. The set of density operators on H, i.e., the set of operators in P(H) with unit trace, is denoted by S(H).For A, B ∈ L(H), we write A ≥ B to express that A − B ∈ P(H).When operators are compared with scalars, we implicitly assume that the scalars are multiplied by the identity operator, which we denote by 1 H , or 1 if H is clear from the context.A projector is an operator P ∈ P(H) that satisfies P 2 = P .A POVM (short for positive operator valued measure) is a set {N x } x of operators N x ∈ P(H) such that x N x = 1, and a POVM is called projective if all its elements N x are projectors.We use the trace distance as a metric on density operators ρ, σ ∈ S(H).

B. The Schatten ∞-Norm
For L ∈ L(H), we use the Schatten ∞-norm L := L ∞ = s 1 (L), which evaluates the largest singular value of L. It is easy to verify that this norm satisfies L 2 = L † L = LL † .Also, for A, B ∈ P(H), A coincides the largest eigenvalue of A, and A ≤ B implies A ≤ B .Finally, for block-diagonal operators we have A ⊕ B = max{ A , B }.We will also need the following norm inequality.
holds for an arbitrary linear operator L. By taking the norm we arrive at In particular, if A, A ′ , B, B ′ ∈ P(H) satisfy A ′ ≥ A and B ′ ≥ B then applying the lemma twice (to the square roots of these operators) gives For projectors the square roots can be omitted.
One of our main tools is the following Lemma 2, which bounds the Schatten norm of the sum of n positive semi-definite operators by means of their pairwise products.We derive the bound using a construction due to Kittaneh [33], which was also used by Schaffner [53] to derive a similar, but less general, result.
We call two permutations π : There always exists a set of N permutations of [N ] that are mutually orthogonal (for instance the N cyclic shifts).
Proof.We define X = [X ij ] as the N × N block-matrix with blocks given by X ij = δ j1 √ A i .Then, the matrices X † X and XX † are easy to evaluate, namely, (X † X) ij = δ i1 δ j1 i A i , as well as XX † and Next, we decompose XX † = D 1 + D 2 + . . .D N , where the matrices D k are defined by the permutations π k , respectively, as Note that the requirement that the permutations are mutually orthogonal ensures that XX † = k D k .Moreover, since the matrices D k are constructed such that they contain exactly one non-zero block in each row and column, they can be transformed into a block-diagonal matrix by a unitary rotation.Hence, using the triangle inequality and unitary invariance of the norm, we get A special case of the above lemma states that C. CQ-States, and Min-Entropy where {|x } x∈X is a fixed basis of H X , {p x } x∈X is a probability distribution, and ρ x B ∈ S(H B ).For such a state, X can be understood as a random variable that is correlated with (potentially quantum) side information B.
If λ : X → {0, 1} is a predicate on X , then we denote by Pr ρ [λ(X)] the probability of the event λ(X) under ρ; formally, Pr ρ [λ(X)] = x p x λ(x).We also define the state ρ XB|λ(X) , which is the state of the X and B conditioned on the event λ(X).Formally, For a CQ-state ρ XB ∈ S(H X ⊗ H B ), the min-entropy of X conditioned on B [51] can be expressed in terms of the maximum probability that a measurement on B yields the correct value of X, i.e. the guessing probability.Formally, we define [35] H min (X|B) ρ := − log p guess (X|B) ρ , where p guess (X|B) ρ := max Here, the optimization is taken over all POVMs {N x } x on B, and here and throughout this paper, log denotes the binary logarithm.
In case of a CQ-state ρ XBΘ with classical X, and with additional classical side information Θ, we can write ρ XBΘ = θ p θ |θ θ| ⊗ ρ θ XB for CQ states ρ θ XB .The min-entropy of X conditioned on B and Θ then evaluates to H min (X|BΘ) ρ = − log p guess (X|BΘ) ρ , where p guess (X|BΘ) ρ = θ p θ p guess (X|B) ρ θ . ( An intuitive explanation of the latter equality is that the optimal strategy to guess X simply chooses an optimal POVM on B depending on the value of Θ. An overview of the min-entropy and its properties can be found in [51,57]; we merely point out the chain rule here: for a CQ-state ρ XBΘ with classical X and Y , where Y is over an arbitrary set Y with cardinality |Y|, it holds that H min (X|BY ) ρ ≥ H min (X|B) ρ − log |Y|.

III. PARALLEL REPETITION OF MONOGAMY GAMES
In this section, we investigate and show strong parallel repetition for the game G BB84 .Then, we generalize our analysis to allow arbitrary measurements for Alice and consider the situation where Bob and Charlie are allowed to make some errors.But to start with, we need some formal definitions.Definition 1.A monogamy-of-entanglement game G consists of a finite dimensional Hilbert space H A and a list of measurements M θ = {F θ x } x∈X on a H A , indexed by θ ∈ Θ, where X and Θ are finite sets.We typically use less bulky terminology and simply call G a monogamy game.Note that for any positive integer n, the n-fold parallel repetition of G, denoted as G ×n and naturally specified by ..,xn for θ 1 , . . ., θ n ∈ Θ, is again a monogamy game.Definition 2. We define a strategy S for a monogamy game G as a list where If S is a strategy for game G, then the n-fold parallel repetition of S, which is naturally given, is a particular strategy for the parallel repetition G ×n ; however, it is important to realize that there exist strategies for G ×n that are not of this form.In general, a strategy S n for G ×n is given by an arbitrary state ρ A1...AnBC ∈ S(H ⊗n A ⊗ H B ⊗ H C ) (with arbitrary H B and H C ) and by arbitrary POVM elements on H B and H C , respectively, not necessarily in product form.
The winning probability for a game G and a fixed strategy S, denoted by p win (G, S), is defined as the probability that the measurement outcomes of Alice, Bob and Charlie agree when Alice measures in the basis determined by a randlomly chosen θ ∈ Θ and Bob and Charlie apply their respective POVMs {P θ x } x and {Q θ x } x .The optimal winning probability, p win (G), maximizes the winning probability over all strategies.The following makes this formal.Definition 3. The winning probability for a monogamy game G and a strategy S is defined as The optimal winning probability is where the supremum is taken over all strategies S for G.
In fact, due to a standard purification argument and Neumark's dilation theorem, we can restrict the supremum to pure strategies (cf.Lemma 9 in Appendix A).

A. Strong Parallel Repetition for GBB84
We are particularly interested in the game G BB84 and its parallel repetition G ×n BB84 .The latter is given by H A = (C 2 ) ⊗n and the projectors The following is our main result.Theorem 3.For any n ∈ N, n ≥ 1, we have Proof.We first show that this guessing probability can be achieved.For n = 1, consider the following strategy.Bob and Charlie prepare the state |φ := cos π 8 |0 + sin π 8 |1 and send it to Alice.Then, they guess that Alice measures outcome 0, independent of θ.Formally, this is the strategy The optimal winning probability is thus bounded by the winning probability of this strategy, and the lower bound on p win implied by Eq. ( 6) follows by repeating this simple strategy n times.
To show that this simple strategy is optimal, let us now fix an arbitrary, pure strategy S n = {ρ A1...AnBC , P θ x , Q θ x }.From the definition of the norm, we have tr(M ρ ABC ) ≤ M for any M ≥ 0. Using this and Lemma 2, we find where the optimal permutations π k are to be determined later.Hence, the problem is reduced to bounding the norms Π θ Π θ ′ , where θ ′ = π k (θ).The trivial upper bound on these norms, 1, leads to p win (G ×n BB84 , S n ) ≤ 1.However, most of these norms are actually very small as we see below.For fixed θ and k, we denote by T the set of indices where θ and θ ′ differ, by T c its complement, and by t the Hamming distance between θ and θ ′ (hence, t = |T |).We consider the projectors where |x θ T is |x θ restricted to the systems corresponding to rounds with index in T , and 1 T c is the identity on the remaining systems.
Since Π θ ≤ P and Π θ ′ ≤ Q, we can bound Π θ Π θ ′ 2 ≤ P Q 2 = P Q P using Lemma 1.Moreover, it turns out that the operator P Q P has a particularly simple form, namely where we used that P θ x P θ z = δ xz P θ x and | x θ T |y θ ′ T | 2 = 2 −t .The latter relation follows from the fact that the two bases are diagonal to each other on each qubit with index in T .From this follows directly that P Q P = 2 −t .Hence, we find Π θ Π θ ′ ≤ √ 2 −t .Note that this bound is independent of the strategy and only depends on the Hamming distance between θ and θ ′ .
To minimize the upper bound in (7), we should choose permutations π k that produce tuples (θ, θ ′ = π k (θ)) with the same Hamming distance as this means that the maximization is over a uniform set of elements.A complete mutually orthogonal set of permutations with this property is given by the bitwise XOR, π k (θ) = θ ⊕ k, where we interpret k as an element of {0, 1} n .Using this construction, we get exactly n t permutations that create pairs with Hamming distance t, and the bound in Eq. ( 7) evaluates to Since this bound applies to all pure strategies, Lemma 9 concludes the proof.

B. Arbitrary Games, and Imperfect Guessing
The above upper-bound techniques can be generalized to an arbitrary monogamy game, G, specified by an arbitrary finite dimensional Hilbert space H A and arbitrary measurements {F θ x } x∈X , indexed by θ ∈ Θ, and with arbitrary finite X and Θ.The only additional parameter relevant for the analysis is the maximal overlap of the measurements, . This is in accordance with the definition of the overlap as it appears in entropic uncertainty relations, e.g. in [36].Note also that in the case of G BB84 , we have c(G BB84 ) = 1 2 .In addition to considering arbitrary monogamy games, we also generalize Theorem 3 to the case where Bob and Charlie are not required to guess the outcomes perfectly but are allowed to make some errors.The maximal winning probability in this case is defined as follows, where we employ an argument analogous to Lemma 9 in order to restrict to pure strategies.Definition 4. Let Q = {(π q B , π q C )} q be a set of pairs of permutations of X , indexed by q, with the meaning that in order to win, Bob and Charlie's respective guesses for x must form a pair in {(π q B (x), π q C (x))} q .Then, the optimal winning probability of G with respect to Q is where the supremum is taken over all pure strategies S for G.
We find the following upper bound on the guessing probability, generalizing the upper bound on the optimal winning probability established in Theorem 3.
Theorem 4. For any positive n ∈ N, we have Recall that in case of G BB84 , we have |Q| = 1, |Θ| = 2, and c(G BB84 ) = 1 2 , leading to the bound stated in Theorem 3.
Proof.We closely follow the proof of the upper bound in Theorem 3.For any pure strategy S n = {ρ A1...AnBC , P θ x , Q θ x }, we bound where we introduce . We now fix θ and θ ′ and bound the norms A θ q A θ ′ q .Let T be the set of indices where θ and θ ′ differ.We choose which satisfy B ≥ A θ q and C ≥ A θ ′ q .Hence, from Lemma 1 we obtain x,y ℓ∈T x,y ℓ∈T It remains to find suitable permutations π k and substitute the above bound into (8).Again, we choose permutations with the property that the Hamming distance between θ and π k (θ) is the same for all θ ∈ Θ n .It is easy to verify that there are n t |Θ| − 1) t permutations for which the (θ-independent) Hamming distance between θ and π k (θ) is t.Hence, which concludes the proof.
One particularly interesting example of the above theorem considers binary measurements, i.e.X = {0, 1}, where Alice will accept Bob's and Charlie's answers if and only if they get less than a certain fraction of bits wrong.More precisely, she accepts if d(x, y) ≤ γ n and d(x, z) ≤ γ ′ n, where d(•, •) denotes the Hamming distance and y, z are Bob's and Charlie's guesses, respectively.In this case, we introduce the set Q n γ,γ ′ that contains all pairs of permutations (π q B , π q C ) on {0, 1} n of the form π q B (x) = x ⊕ k, π q C (x) = x ⊕ k ′ , where q = {k, k ′ }, and k, k ′ ∈ {0, 1} n have Hamming weight at most γn and γ ′ n, respectively.For γ, γ ′ ≤ 1/2, one can upper bound |Q n γ,γ ′ | ≤ 2 nh(γ)+nh(γ ′ ) , where h(•) denotes the binary entropy.We thus find Similarly, if we additionally require that Charlie guesses the same string as Bob, we analogously define the corresponding set Q n γ , with reduced cardinality, and

IV. APPLICATION: ONE-SIDED DEVICE-INDEPENDENT QKD
In the following, we assume some familiarity with quantum key distribution (QKD).For simplicity, we consider an entanglement-based [20] variant of the BB84 QKD scheme [7], where Bob waits with performing the measurement until Alice tells him the right bases.This protocol is impractical because it requires Bob to store qubits.However, it is well known that security of this impractical version implies security of the original, more practical BB84 QKD scheme [6].It is straightforward to verify that this implication also holds in the one-sided device-independent setting we consider here.
The entanglement-based QKD scheme, E-QKD, is described in Figure 1.It is (implicitly) parameterized by positive integers 0 < t, s, ℓ < n and a real number 0 ≤ γ < 1 2 .Here, n is the number of qubits exchanged between Alice and Bob, t is the size of the sample used for parameter estimation, s is the leakage (in bits) due to error correction, ℓ is the length (in bits) of the final key, and γ is the tolerated error in Bob's measurement results.Furthermore, the scheme makes use of a universal 2 family F of hash functions F : {0, 1} n−t → {0, 1} ℓ .
A QKD protocol is called perfectly secure if it either aborts and outputs an empty key, K = ⊥, or it produces a key that is uniformly random and independent of Eve's (quantum and classical) information E + gathered during the execution of the protocol.Formally, this means that the final state must be of the form , where µ K is a 2 ℓ -dimensional completely mixed state, and It is well known and has been proven in various ways that E-QKD is δ-secure (with small δ) with a suitable choice of parameters, assuming that all quantum operations are correctly performed by Alice and Bob.We now show that the protocol remains secure even if Bob's measurement device behaves arbitrarily and possibly maliciously.The only assumption is that Bob's device does not communicate with Eve after it received Alice's quantum signals.This restriction is clearly necessary as there would otherwise not be any asymmetry between Bob and Eve's information about Alice's key.Note that the scheme is well known to satisfy correctness and robustness; hence, we do not argue these here.
Theorem 5. Consider an execution of E-QKD, with an arbitrary measurement device for Bob.Then, for any ε > 0, protocol E-QKD is δ-secure with Note that with an optimal error correcting code, the size of the syndrome for large n approaches the Shannon limit s = nh(γ).The security error δ can then be made negligible in n with suitable choices of parameters if log(1/β • ) > 2h(γ), which roughly requires that γ ≤ 0.015.Hence, the scheme can tolerate a noise level up to 1.5% asymptotically. 4he formal proof is given below.The idea is rather simple: We consider a gedankenexperiment where Eve measures her system, using an arbitrary POVM, with the goal to guess X.The execution of E-QKD then pretty much coincides with G ×n BB84 , and we can conclude from our results that if Bob's measurement outcome Y is close to X, then Eve must have a hard time in guessing X.Since this holds for any measurement she may perform, this means her min-entropy on X is large and hence the extracted key K is secure.
be the state before Alice and Bob perform the measurements on A and B, respectively, where system E is held by the adversary Eve.Here, the random variable Θ contains the choice of basis for the measurement, whereas the random variable T contains the choice of subset on which the strings are compared (see the protocol description in Fig. 1.)Moreover, let ρ ΘT XY E be the state after Alice and Bob measured, where -for every possible value θ -Alice's measurement is given by the projectors {|x θ x θ |} x , and Bob's measurement by an arbitrary but fixed POVM {P θ x } x .As a gedankenexperiment, we consider the scenario where Eve wants to guess the value of Alice's raw key, X. Eve wants to do this during the parameter estimation step of the protocol, exactly after Alice broadcast T but before she broadcasts X T . 5For this purpose, we consider an arbitrary measurement strategy of Eve that aims to guess X.Such a strategy is given by -for every basis choice, θ, and every choice of sample, τ -a POVM {Q θ,τ x } x .The values of θ and τ have been broadcast over a public channel, and are hence known to Eve at this point of the protocol.She will thus choose a POVM depending on these values to measure E and use the measurement outcome as her guess.
For our gedankenexperiment, we will use the state, ρ ΘT XY Z , which is the (purely classical) state that results after Eve applied her measurement on E. Let ε > 0 be an arbitrary constant.By our results from Section III, it follows that for any choices of {P θ x } x and {Q θ,τ x } x , we have Pr , where d rel denotes the relative Hamming distance.This uses the fact that Alice's measurement outcome is independent of T , and T can in fact be seen as part of Eve's system for the purpose of the monogamy game.We now construct a state ρΘT XY E as follows. ρΘT where Ω denotes the event Ω = {d rel (X, Y ) ≤ d rel (X T , Y T ) + ε}, and we take σ T ΘXY E to be an arbitrary state with classical Θ, T , X and Y for which d rel (X, Y ) = 1, and hence d rel (X T , Y T ) = 1.Informally, the event Ω indicates that the relative Hamming distance of the sample strings X T and Y T determined by T was representative of the relative Hamming distance between the whole strings, X and Y , and the state ρΘT XY E is so that this is satisfied with certainty.By construction of ρΘT XY E , we have and by Hoeffding's inequality, Moreover, note that the event d rel (X T , Y T ) ≤ γ implies d rel (X, Y ) ≤ γ + ε under ρΘT XY E .Thus, for every choice of strategy {Q θ,τ x } x by the eavesdropper, the resulting state ρΘT XY Z , obtained by applying {Q θ,τ x } x to E, satisfies The second inequality follows from the definition of ρ, in particular the fact that Pr σ [d rel (X, Y ) ≤ γ +ε] = 0.
Next, we introduce the event Γ = {d rel (X T , Y T ) ≤ γ}, which corresponds to the event that Bob does not abort the protocol.Expanding the left hand side of (11) to Pr ρ[Γ] • Pr ρ[Z = X|Γ] and observing that Pr ρ[Γ] does not depend on the strategy {Q θ,τ x } x , we can conclude that where α ≥ 0 is determined by Pr ρ[Γ] = β αn .Therefore, by definition of the min-entropy, H min (X|ΘT E, Γ) ρ ≥ n(1−α) log(1/β).(This notation means that the min-entropy of X given Θ, T and E is evaluated for the state ρΘT XY E|Γ , conditioned on not aborting.)By the chain rule, it now follows that Here, the min-entropy is evaluated for the state ρXΘT XT SE that is constructed from ρXΘT E by calculating the error syndrome and copying X T from X as done in the prescription of the protocol.In particular, ∆(ρ XΘT XT SE , ρ XΘT XT SE ) ≤ e −2ε 2 t .Finally, privacy amplification with universal 2 hashing applied to the state ρXΘT XT SE ensures that the key K satisfies [51, Corollary 5.5.2] And, in particular, recalling that Pr ρ[Γ] = β αn , we have Using β = 2 h(γ+ε) β • and applying Lemma 10 in Appendix B concludes the proof.

V. APPLICATION II: A ONE-ROUND POSITION-VERIFICATION SCHEME
The scheme we consider is the parallel repetition of the simple single-qubit scheme that was analyzed in the setting of no pre-shared entanglement in [12].The analysis shows that the soundness error of the one-round single-qubit scheme is bounded by roughly 89%, and it is suggested to repeat the scheme sequentially in order to reduce this soundness error.We now show that also the parallel repetition has an exponentially small soundness error. 6Finally, we use a simple observation from [3] to argue that the scheme is also secure against adversaries with a linearly bounded amount of entanglement.
The scheme, parameterized by a positive integer n, consists of the following steps.
1. V 0 and V 1 agree on random x, θ ∈ {0, 1} n .V 0 prepares a quantum system Q of n qubits in the state ) ⊗n and sends it to P .V 1 sends θ to P , so that both arrive at P 's claimed position pos at the same time.
3. If V 0 and V 1 receive x ′ at the respective time consistent with pos, and if x ′ = x, then V 0 and V 1 accept; otherwise, they reject.
It is straightforward to verify that this protocol is correct, meaning that the verifiers accept honest P at position pos with certainty (assuming a perfect setting with no noise, etc.).
Proposition 6.The above position verification scheme is 2 ) n -sound against adversaries (E 0 , E 1 ) that hold no entangled state at the time they receive Q and θ, respectively.
We stress that a restriction on the entanglement is necessary, as with unbounded entanglement the general impossibility result from [12] applies.In fact, for the specific scheme considered here, already n shared EPR-pairs are sufficient to break it, as shown in [32].Below, we will extend the security of the scheme to a setting where the adversaries share at most αn entangled qubits, for any constant α 0.22.
We also point out that our adversary model (with linearly bounded entanglement) is stronger than the one considered by Beigi and König [3] for their schemes: their model not only prohibits quantum communication between the adversaries before they obtain the initial messages from the verifiers (in order to prevent the exchange of entangled states), but also afterwards.Here, we allow full quantum communication between the adversaries after they have received the initial respective messages Q and θ.
Proof (sketch).As the colluding dishonest parties E 0 and E 1 share no entanglement, the most general attack is of the following form, where we may assume E i to be located between V i and the position pos, for i ∈ {0, 1}.Upon receiving the n-qubit system Q (in state H θ |x ) from V 0 , the adversary E 0 applies an isometry H Q → H B ⊗ H C to Q in order to obtain a bipartite system B and C, and forwards C to E 1 .
Adversary E 1 , upon receiving θ from V 1 , simply forwards θ to E 0 . 7Then, when E 0 receives θ from E 1 , he measures B (using an arbitrary measurement that may depend on θ) and sends the measurement outcome x ′ 0 ∈ {0, 1} n to V 0 , and, similarly, when E 1 receives system C from E 0 , he measures C and sends the measurement outcome x ′ 1 ∈ {0, 1} n to V 1 .The probability ε that V 0 and V 1 accept is then given by the probability that x ′ 0 = x = x ′ 1 .From a standard purification argument it follows that the probability ε does not change if in the first step of the protocol, instead of sending Q in state H θ |x , V 0 prepares n EPR pairs, sends one half of each pair towards P and only at some later point in time measures the remaining n qubits in the basis {H θ |y } y∈{0,1} n to obtain x ∈ {0, 1} n .
Let us now consider the state |ψ ABC ∈ H A ⊗ H B ⊗ H C , consisting of system A with the n qubits that V 0 kept, and the systems B and C obtained by applying the isometry to the qubits E 0 received from V 0 .Since the isometry is independent of θ -E 0 needs to decide on it before he finds out what θ is -so is the state |ψ ABC .It is clear that in order to pass the position verification test the adversaries must win a restricted version of the game G ×n BB84 . 8Therefore, the probability ε that x ′ 0 = x = x ′ 1 is bounded by p win (G ×n BB84 ).Our Theorem 3 thus concludes the proof.The security of the position verification scheme can be immediately extended to adversaries that hold a linear amount of shared entanglement.
Corollary 7. The above position verification scheme is d 2 ) n -sound against adversaries (E 0 , E 1 ) that share an arbitrary (possibly entangled) state η E0E1 , such that dim η E0E1 = d, at the time they receive Q and θ, respectively.Thus, for any α strictly smaller than log( 12 + 1 2 √ 2 ), for instance for α = 0.2, the position verification scheme has exponentially small soundness error (in n) against adversaries that hold at most αn pre-shared entangled qubits.
Corollary 7 is an immediate consequence of Proposition 6 above and of Lemma V.3 of [3].The latter states that ε-soundness with no entanglement implies (d • ε)-soundness for adversaries that pre-share a d-dimensional state.This follows immediately from the fact that the pre-shared state can be extended to a basis of the d-dimensional state space, and the uniform mixture of all these basis states gives a non-entangled state (namely the completely mixed state).As a consequence, applying the attack, which is based on the entangled state, to the setting with no entanglement, reduces the success probability by at most a factor of d.
By the results on imperfect guessing (see Section III B), at the price of correspondingly weaker parameters, the above results extend to a noise-tolerant version of the scheme, where it is sufficient for x ′ to be close, rather than equal, to x for V 0 and V 1 to accept.

VI. APPLICATION III: ENTROPIC UNCERTAINTY RELATION
Let ρ be an arbitrary state of a qubit and Θ a uniformly random bit.Then, we may consider the min-entropy of X, where X is the outcome when ρ is measured in either one of two bases with overlap c, as determined by Θ.For this example, it is known that [18,53] A similar relation follows directly from results by Maassen and Uffink [42], namely where, H max denotes the Rényi entropy [52] of order 1 2 .Recently, entropic uncertainty relations have been generalized to the case where the party guessing X has access to quantum side information [8].However, note that a party that is maximally entangled with the state of the system to be measured can always guess the outcome of X by applying an appropriate 7 This is where the restriction of no entanglement comes into play.If the adversaries shared entanglement their most general strategy would be to perform some joint operation on the respective part of the entangled state and the data they have just received.The impossibility result states that in a scenario with an unlimited amount of entanglement no position verification scheme can be secure. 8The extra restriction comes from the fact that they have no access to the qubits kept by V 0 and so the reduced state on those must be fully mixed.It turns out that this restriction does not affect the optimal winning probability.
measurement (depending on Θ) on the entangled state.Thus, there cannot be any non-trivial stateindependent bound on the entropies above conditioned on quantum side information.Nonetheless, if two disjoint quantum memories are considered, the following generalization of ( 14) was shown.For an arbitrary tripartite state ρ ABC and X measured on A as prescribed above, one finds [61] H min (X|BΘ) ρ + H max (X|CΘ) ρ ≥ − log c .
In the following, we show a similar generalization of the uncertainty relation in (13) to quantum side information.
Theorem 8. Let ρ ABC be a quantum state and Θ a uniformly random bit.Given two POVMs {F 0 x } and {F 1 x } with overlap c := max x,z F 0 x F where the quantities are evaluated for the post-measurement state Proof.First, recall that the min-entropy is defined as (cf.Eq. ( 2)) 2 −Hmin(X|BΘ)ρ = p guess (X|BΘ) ρ = max {P θ x } x,θ p x,θ tr(ρ x,θ B P θ x ) = max where we used the fact that the post-measurement states given by ( 16) satisfy p x,θ ρ x,θ BC = 1 2 tr A F θ x ρ ABC .In the following argument, we restrict ourselves to the case where the optimal guessing strategies for the min-entropy, {P θ x } for Bob and {Q θ x } for Charlie, are projective.To see that this is sufficient, note that we can always embed the state ρ XBC into a larger system ρ XB ′ C ′ such that the optimal POVMs on B and C can be diluted into an equivalent projective measurement strategy on B ′ and C ′ , respectively.The data-processing inequality of the min-entropy then tells us that H min (X|BΘ) ≥ H min (X|B ′ Θ) and H min (X|CΘ) ≥ H min (X|C ′ Θ), i.e., it is sufficient to find a lower bound on the smaller quantities, for which the optimal strategy is projective.
Note that, for n measurements, each in a basis chosen uniformly at random, the above result still only guarantees one bit of uncertainty.In fact, an adaptation of the proof of Theorem 8 yields the bound This bound can be approximately achieved using a state that is maximally entangled between A and B with probability 1 2 and maximally entangled between A and C otherwise.This construction ensures that both conditional min-entropies are low and we thus cannot expect a stronger result.This is in stark contrast to the situation with classical side information in (13) and the alternative uncertainty relation (15), where the lower bound on the uncertainty can be shown to scale linearly in n (cf.[61,63]).Due to this restriction, we expect that the applicability of Theorem 8 to quantum cryptography is limited.

VII. CONCLUSION
We introduce the notion of a monogamy-of-entanglement game, and we show a general parallel repetition theorem.For a BB84-based example game, we actually show strong parallel repetition, and that a non-entangled strategy is sufficient to achieve the optimal winning probability.Our results have various applications to quantum cryptography.
It remains open to understand which monogamy-of-entanglement games satisfy strong parallel repetition.Another open question is whether (or in what cases) a concentration theorem holds, which states that with high probability the fraction of won executions in a parallel repetition cannot be much larger than the probability of winning a single execution.
With respect to our applications, an interesting open problem is to increase the noise level that can be tolerated for one-sided device-independent security of BB84.It is not clear at all that the rather low noise level of 1.5% we obtain in our analysis is inherent; this may very well be an artifact of our technique.Finally, it would be interesting to extend our analysis to incorporate channel losses following the work of Branciard et al. [9].As suggested there, we expect that such an analysis would reveal a higher tolerance for losses as compared to fully DI QKD.
Let H X be a Hilbert space of dimension |X | and with basis {|x } x , and let |ψ 0 be an arbitrary, fixed vector in H X .We now set | φ = |ϕ ⊗ |ψ 0 ∈ H A ⊗ H B ⊗ H C ⊗ H X as well as P θ

TABLE I .
Comparison of Recent Fully and Partially Device-Independent Security Proofs for QKD.
and H B and H C are arbitrary finite dimensional Hilbert spaces.Furthermore, for all θ ∈ Θ, {P θ x } x∈X and {Q θ x } x∈X are POVMs on H B and H C , respectively.A strategy is called pure if the state ρ ABC is pure and all the POVMs are projective.