On the impossibility of coin-flipping in generalized probabilistic theories via discretizations of semi-infinite programs
Jamie Sikora, John H. Selby

TL;DR
This paper proves that ideal coin-flipping is impossible in generalized probabilistic theories under the Generalized No-Restriction Hypothesis, using a novel semi-infinite programming approach to model cheating strategies.
Contribution
It introduces a new formalism of semi-infinite programs for analyzing cheating strategies in cryptographic tasks within generalized probabilistic theories.
Findings
Coin-flipping impossible in classical, quantum, and generalized probabilistic theories.
Semi-infinite programs effectively model cheating strategies.
New formalism may benefit future cryptographic and quantum information research.
Abstract
Coin-flipping is a fundamental cryptographic task where a spatially separated Alice and Bob wish to generate a fair coin-flip over a communication channel. It is known that ideal coin-flipping is impossible in both classical and quantum theory. In this work, we give a short proof that it is also impossible in generalized probabilistic theories under the Generalized No-Restriction Hypothesis. Our proof relies crucially on a formulation of cheating strategies as semi-infinite programs, i.e., cone programs with infinitely many constraints. This introduces a new formalism which may be of independent interest to the quantum community.
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3
Figure 4Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
On the impossibility of coin-flipping in generalized probabilistic theories
via discretizations of semi-infinite programs
Jamie Sikora
Perimeter Institute for Theoretical Physics, Waterloo, Ontario, Canada, N2L 2Y5
John H. Selby
Perimeter Institute for Theoretical Physics, Waterloo, Ontario, Canada, N2L 2Y5
Abstract
Coin-flipping is a fundamental cryptographic task where a spatially separated Alice and Bob wish to generate a fair coin-flip over a communication channel. It is known that ideal coin-flipping is impossible in both classical and quantum theory. In this work, we give a short proof that it is also impossible in generalized probabilistic theories under the Generalized No-Restriction Hypothesis. Our proof relies crucially on a formulation of cheating strategies as semi-infinite programs, i.e., cone programs with infinitely many constraints. This introduces a new formalism which may be of independent interest to the quantum community.
In this paper we consider the possibility of cryptography in theories more general than quantum or classical theory. One may ask why this is a worthwhile endeavour, and for this we give several reasons. The first reason is to future-proof current results which is important in the context of cryptography. While developing quantum cryptography and computation, the community quickly came to realize that classical cryptography results need to be reevaluated for the new quantum era. Since results in quantum cryptography typically rely on the validity of quantum mechanics being a faithful description of nature, these too all have to reevaluated if quantum theory is one day superseded by a new theory, regardless of how minor or radical the departure from quantum mechanics is. Another reason is to gain a better understanding of results in quantum theory. For instance, it is insightful to sit back and think about what parts of quantum theory were needed to prove a result. Did we require entanglement? Were we just assuming these states are in superposition? Can we reprove this only assuming the No-Signalling Principle? By answering such questions, we gain a better understanding of quantum mechanics itself as well as the resources necessary for performing particular tasks.
In this and many other works in cryptography, optimization theory is a key ingredient in the analysis. On a high level, we want to maximize how much someone can “cheat” a protocol, whereby it is understood that the inability to cheat translates into security, and vice versa. The goal is often to design protocols which minimize cheating. We, however, take the opposite approach in this work and prove a limitation on designing any protocol for a particular task, namely coin-flipping, discussed below.
Coin-flipping— Coin-flipping is the cryptographic task where Alice and Bob generate a random bit over a communication channel such that, when Alice and Bob are honest, both output the same bit and this bit is uniformly random Blu81 . Coin-flipping is a primitive that is used mainly for building larger, more sophisticated cryptographic protocols in the two-party setting, and hence an understanding of its properties, along with its security limitations, is important.
More formally the coin-flipping task is as follows. Suppose Alice has a set of strategies (basically, a description of how she interacts with Bob) given by the set and Bob has a set of strategies given by the set . We do not just consider deterministic strategies but also those that occur as the result of some measurement procedure. We denote the probability of a pair of strategies occurring as which is between [math] and for all and .
A coin-flipping protocol consists of the following:
- •
A triple of strategies for Alice which correspond to the measurement outcomes of some deterministic strategy ,
- •
A triple of strategies for Bob which correspond to the measurement outcomes of some deterministic strategy ,
satisfying
[TABLE]
The conditions above ensure that the protocol behaves as expected, that the bit is uniform and shared between Alice and Bob. Ideally, we wish that neither Alice nor Bob can cheat by digressing from protocol and disturbing the conditions given by (1). However, this may not be the case, and as such, we need to measure this disturbance. The security measure in coin-flipping is given by the amount a dishonest Alice or a dishonest Bob can bias the output distribution away from uniform. To make this formal, we define the symbols:
- •
: The maximum probability that dishonest Alice can force honest Bob to accept the outcome .
- •
: The maximum probability that dishonest Bob can force honest Alice to accept the outcome .
- •
: The bias of the coin-flipping protocol defined as
[TABLE]
We wish to design protocols such as to minimize , with a perfect protocol having . In classical and quantum theory, this is known to be impossible LC97a ; Kit03 . In this work, we show that under some assumptions on and , can be lower bounded by a positive constant, thus showing near-perfect coin-flipping is impossible in any theory satisfying those assumptions.
To study the range of possible , we need to study the four quantities , , , and . Let us first consider . We can write this succinctly by the rudimentary optimization problem:
[TABLE]
This optimization problem exactly captures how much Bob can force Alice to output [math] maximized over all physical strategies he can perform. Before studying this problem using optimization theory, we require a mathematical structure on the quantities involved. We now discuss such a structure which is given by the study of Generalized Probabilistic Theories.
Generalized Probabilistic Theories (GPTs)— To study (3) more generally than quantum and classical theory we require a more general setting for physical theories. Here we work in the framework of generalized probabilistic theories which formalizes any physical theory with an operational description. There have been many approaches to GPTs, see, for example, hardy2001quantum ; barrett2007information ; Ludwig ; davies1970operational ; randall1970approach ; Piron64 ; Mackey ; chiribella2010probabilistic ; hardy2011reformulating for introductions to these frameworks. GPTs have been successfully used for studying cryptography sikora2018simple ; selby2018make ; lami2018ultimate ; barnum2011information ; barnum2008nonclassicality ; barrett2007information ; barrett2005no and computation krumm2018quantum ; barnum2018oracles ; garner2018interferometric ; barrett2017computational ; lee2016deriving ; lee2016bounds ; lee2016generalised ; lee2015computation ; lee2017higher in theories more general than quantum theory. We, however, do not actually need to introduce the full framework of GPTs for the purposes of this work. Instead, we just consider the structure that any such theory would impose on the sets of strategies for Alice and Bob.
As mentioned above, we do not just want to consider the strategies which occur deterministically, but those which may correspond to obtaining a particular outcome in some experiment. That is, given a strategy for Alice and a strategy for Bob we obtain a probability that these two strategies jointly occur. In particular there is always a ‘zero-strategy’ such that for all . Conceptually, one can think of this as Alice aborting the protocol, or simply not taking part in the first place.
First, we assume that these spaces of strategies are convex where we interpret convex combinations as probabilistic mixtures. That is, we assume that
[TABLE]
is in the set and represents the strategy where with probability Alice uses strategy and with probability Alice uses strategy . Given this understanding of the convex structure, the calculated probabilities must satisfy
[TABLE]
and similarly for convex combinations of Bob’s strategies. This means that a strategy for Alice induces a linear functional on the space of strategies for Bob (and vice versa).
Rather than working directly with the spaces of strategies and we work with operational equivalence classes of strategies. We say that two strategies and are operationally equivalent if
[TABLE]
and similarly for Bob’s strategies. We denote these equivalence classes as and .
Note that our earlier assumptions imply that and are both convex sets in some vector space which are bounded and have non-empty interior. Moreover, we assume that the vector space is finite-dimensional. This assumption is typically made in the study of GPTs for technical convenience. It can however be motivated by the idea that in a tomographic characterization of the strategies of Alice, one can only, in practice, perform a finite number of different experiments and therefore we must characterize the strategies by a finite number of probabilities.
Following a standard argument on the representations of linear functionals on finite-dimensional vector spaces, one can show that we can always write probabilities as
[TABLE]
From now on we take as the set of Alice’s strategies (similarly as the set of Bob’s strategies) and hence drop the tildes for convenience as the strategy representation should be clear from context.
We can now rewrite the optimization problem (3) in the form
[TABLE]
Due to the convex structure of the set , this is a convex optimization problem. However, since we want to prove general bounds on cheating, we require more structure on the sets and for our analysis.
A physical assumption— Clearly some assumption on the sets and is required to prove anything meaningful. For example, consider any physical theory and restrict both Alice and Bob to a set of strategies that are -close to their honest strategies. This allows us to define a (rather boring) GPT in which ideal coin-flipping is possible up to some small error. To avoid GPTs with these unnecessary restrictions, we make the assumption that any mathematically feasible strategy for Bob can be physically realized.
To formally define this lack of restriction for Bob, we start with defining two important quantities studied in convex analysis. The polar set of the set is given as
[TABLE]
and its dual cone is given as
[TABLE]
Notice we have and because every choice of strategies for Alice and Bob yields a proper probability.
We can now define our physical assumption.
Definition 1. The Generalized No-Restriction Hypothesis for Bob states that .
To support this assumption, one can argue that if Alice knows that her set of strategies is given as then to be able to guarantee security against Bob she should not make any assumptions about what Bob can do. In other words, we also maximize over all physical theories, which in this case translates to allowing Bob to have the largest set of strategies as possible.
This is closely related to the (standard) No-Restriction Hypothesis chiribella2010probabilistic which is a commonly used assumption in the study of GPTs that can be expressed as the idea that all mathematically possible measurements are physically allowed. Here we generalize this idea to the level of arbitrary strategies.
One could equally well consider Bob’s perspective and assume the Generalized No-Restriction Hypothesis for Alice, i.e. . Surprisingly these two assumptions are not equivalent, see Fig. 1 for an example of this fact. However, for the purposes of this work we need to only assume it for one party. We henceforth assume it for Bob, but by symmetry the following arguments can be adapted to the case where it is assumed instead for Alice.
Optimization analysis— Under this assumption we can now clean up the optimization problem for Bob (8) as:
[TABLE]
This type of optimization problem is called a semi-infinite program since the variable is finite-dimensional but there are infinitely many constraints. (Note that this class is not the same as the more popular class of optimization problems called semidefinite programs.) Semi-infinite programming has a rich theory, see for example Shapiro2009 , although it has yet to be used to study quantum theory or its generalizations, as far as we are aware.
For our needs, it suffices to look at relaxations of where we optimize instead using a discretization of the infinite set . To this end, we define a mesh, denoted here as , parameterized by a fineness measure , such that it has the following properties:
- •
is finite, contains a basis for , and is contained in ;
- •
.
Note that such a discretization always exists since is bounded.
We now consider the discretized version of this optimization problem defined to optimize using instead, as shown below
[TABLE]
First note that we have since it relaxes (12) as . Furthermore, since there are finitely many constraints, this is a (traditional) cone program making it easier to analyze. Recently there have been several applications of cone programming to the study of GPTs selby2018make ; sikora2018simple ; fiorini2014generalized ; JP17 ; bae2016structure ; lami2018ultimate and to quantum theory GSU13 ; BCJRWY14 ; LP15 ; NST16 ; SW17 .
As expected, as one decreases (the fineness measure of the mesh), we have that becomes a better approximation of the set . In particular, we have the lemma below.
Lemma 2. .
Proof.
We first show that the feasible region of is bounded. To this end, we define the function
[TABLE]
which is finite since is finite. It can be easily checked that this is a norm (since contains a basis) and is bounded for all satisfying the constraints of (13). Since all norms are equivalent in finite-dimensional vector spaces, we know there exists a such that for all feasible in .
Fix feasible in and . We now wish to scale by some constant to ensure (and thus is feasible in ). Then for -close to , we have
[TABLE]
Thus, is feasible in (12). This implies that
[TABLE]
Taking limits finishes the proof. ∎
We now prove a lower bound on the product of Alice’s cheating probability and the relaxation of Bob’s cheating probability. This is the key step in proving our main result which takes advantage of the simplified structure of the relaxed problem.
Lemma 3. , for all .
Proof.
Let which exists since has nonempty interior by construction. Then satisfies and for all . This is known as a strictly feasible solution. Since is bounded from above by Eq. (18), the strong duality theorem for cone programming (see, for example, BV ) states that is equal to
[TABLE]
and this problem attains an optimal solution . Thus, we have . Define
[TABLE]
Notice that by convexity and by the constraints in (19). Suppose Alice uses as her strategy to force Bob to accept outcome [math]. Then we have
[TABLE]
since and from Eq. (1). ∎
By combining the two lemmas, we have that , and therefore the maximum of the two probabilities is at least . This gives the same lower bound on the bias Kitaev gave for the case of quantum theory Kit03 which was later reproved by Gutoski and Watrous using a representation of quantum strategies GW07 .
Theorem 4. Any coin-flipping protocol in a GPT satisfying the Generalized No-Restriction Hypothesis for Bob (and/or Alice) satisfies . In particular, either Alice or Bob can force an outcome with probability at least .
Since quantum theory satisfies the Generalized No-Restriction Hypothesis for both Alice and Bob GW07 , we have another proof that coin-flipping is impossible in quantum theory.
Discussion— What is perhaps unusual about our main result is that we have found a numerical lower bound that holds for any GPT satisfying the Generalized No-Restriction Hypothesis for Alice and/or Bob. Typically results in the study of GPTs either show something is possible or impossible, or consider a specific GPT (whose structure can be exploited). This is relevant for cryptographic purposes as well. If our result was simply saying that perfect coin-flipping is impossible, then this does not rule out the existence of protocols with small bias, which would be enough for all intents and purposes. Theorem 4 says that near perfect protocols cannot exist either. Moreover, the constant lower bound shows that the security of coin-flipping protocols cannot be boosted in the sense that a protocol with bias cannot be used in a composition to reduce the bias arbitrarily close to [math].
The main technique in this work is our treatment of semi-infinite programs, in particular, how we discretized them into cone programs. We hope that our use of semi-infinite programs will raise awareness of this formalism for future uses in quantum theory and physics by breaking roadblocks when formulating difficult problems as optimization problems.
Future work— This bound on coin-flipping is (asymptotically) achievable in quantum theory using a protocol which is classical apart from quantum subroutines CK09 . This quantum subroutine is a black-box implementation of quantum weak coin-flipping–a similarly defined task but with less stringent security requirements. The history of finding the best quantum weak coin-flipping protocol culminated in the work of Mochon Moc07 . This unpublished paper is pages long and, even though it has been simplified ACGKM15 (see also NST15 ), is still not well understood. (Recent progress has been made however in the work ARW18 .) Mochon’s work relies on point games (developed by Kitaev), a notion which is dual, in a sense, to protocols (specified in this work as the pair of triples . Even though point games are mysterious in the context of quantum theory, perhaps our generalization to the framework of GPTs will shed light. In fact, there is one immediate similarity to this work. A major step in Mochon’s proof is the reduction from time-dependent point games to time-independent point games. This, in a nutshell, strips away all the ‘time-dependent’ information of the protocol. Our framework and proof, on the other hand, completely strips away all notion of time as it does not explicitly rely on the round-to-round strategy descriptions, and thus might make this point game reduction simpler, or even trivial.
In short, if one were to develop GPT weak coin-flipping protocols with small bias, then the lower bound presented in this work might be achievable by imitating the quantum protocol. It would be interesting to see which GPTs allow for secure weak coin-flipping, whether it is proved using point games, semi-infinite programming, or another yet-to-be-discovered method.
Acknowledgements.
Acknowledgements– We thank Martin Plávala, Giulio Chiribella, and Howard Barnum for helpful discussions. This research was supported in part by Perimeter Institute for Theoretical Physics. Research at Perimeter Institute is supported by the Government of Canada through the Department of Innovation, Science and Economic Development Canada and by the Province of Ontario through the Ministry of Research, Innovation and Science.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Dorit Aharonov, André Chailloux, Maor Ganz, Iordanis Kerenidis, and Loïck Magnin. A simpler proof of existence of quantum weak coin flipping with arbitrarily small bias. SIAM Journal of Computing , 45(3):633–679.
- 2[2] Atul Singh Arora, Jérémie Roland, and Stephan Weis. Quantum weak coin flipping. ar Xiv preprint ar Xiv:1811.02984 , 2018.
- 3[3] Joonwoo Bae, Dai-Gyoung Kim, and Leong-Chuan Kwek. Structure of optimal state discrimination in generalized probabilistic theories. Entropy , 18(2):39, 2016.
- 4[4] Somshubhro Bandyopadhyay, Alessandro Cosentino, Nathaniel Johnston, Vincent Russo, John Watrous, and Nengkun Yu. Limitations on separable measurements by convex optimization. IEEE Transactions on Information Theory , 61(6):3593–3604, 2015.
- 5[5] Howard Barnum, Oscar CO Dahlsten, Matthew Leifer, and Ben Toner. Nonclassicality without entanglement enables bit commitment. In Information Theory Workshop, 2008. ITW’08. IEEE , pages 386–390. IEEE, 2008.
- 6[6] Howard Barnum, Ciarán M Lee, and John H Selby. Oracles and query lower bounds in generalised probabilistic theories. Foundations of physics , 48(8):954–981, 2018.
- 7[7] Howard Barnum and Alexander Wilce. Information processing in convex operational theories. Electronic Notes in Theoretical Computer Science , 270(1):3–15, 2011.
- 8[8] Jonathan Barrett. Information processing in generalized probabilistic theories. Physical Review A , 75(3):032304, 2007.
