UNIVERSITY OF CALGARY
Point Games in Quantum Weak Coin Flipping Protocols
by
Edouard Pelchat
A THESIS
SUBMITTED TO THE FACULTY OF GRADUATE STUDIES
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE
DEGREE OF MASTER OF SCIENCE
DEPARTMENT OF COMPUTER SCIENCE
CALGARY, ALBERTA
AUGUST, 2013
c Edouard Pelchat 2013
Abstract
Two parties, wishing to establish a shared random bit at a distance, must solve a problem known as coin flipping. Classical two-party secure computations such as coin flipping
are impossible in the information theoretic setting. However quantum information allows
for the possibility of unconditional security. Mochon defines a model of secure two-party
computations, point games, to show the existence of optimal quantum weak coin flipping
protocols in [29]. His ground-breaking result is widely accepted, but its proof is very complicated, has never been validated, and remains poorly understood despite the efforts of several
researchers [12, 25, 35].
In this thesis we use analytical and mathematical methods to study point games. We
discover several new primitives, and construct new building blocks to define a new family of
point games. We present a new truncation technique that is simpler, more efficient, is more
intuitive, and achieves better results than the best previously known. We provide concrete
examples of these point games. We analyze Mochon’s optimal point games, and we identify
the key elements of their construction that are not specified. We also provide a new recursion
technique that achieves better results than the one proposed by Mochon. Furthermore, we
construct simple and elegant point games using binomial coefficients. Our point games are
simpler than Mochon’s, since his point games are constructed using techniques in mathematical analysis. Studying point games with new techniques may lead to a simpler formalism of
two-party secure computations, and to more efficient protocols.
i
Acknowledgements
First of all, I want to thank my supervisor, Peter Høyer, who introduced me to the field of
quantum computing. During my stay at the University of Calgary, Peter taught me the importance of striving for simple and intuitive solutions to problems. I am very grateful for the
productive discussions that we had and the guidance he provided me. I also thank my thesis
committee — Lisa Higham, and Gilad Gour — for taking time out of their busy schedules
to read my thesis and provide useful feedback. A special thanks to my colleagues Cătălin
Dohotaru, for helping me familiarize myself with various subjects in quantum computing,
and Jonathan Ghallagher, for his helpful discussions. Finally, I thank my family for their
love and support.
ii
Table of Contents
Abstract . . . . . . . . . . . . . . . . . . . .
Acknowledgements . . . . . . . . . . . . . .
Table of Contents . . . . . . . . . . . . . . . .
List of Tables . . . . . . . . . . . . . . . . . .
List of Figures . . . . . . . . . . . . . . . . . .
List of Symbols . . . . . . . . . . . . . . . . .
1
Introduction . . . . . . . . . . . . . . . .
1.1 Coin Flipping Defined . . . . . . . . . .
1.2 Quantum Information Basics . . . . . . .
1.2.1 The Qubit . . . . . . . . . . . . .
1.2.2 Multiple Qubits . . . . . . . . . .
1.2.3 Measurement . . . . . . . . . . .
1.2.4 Matrix Properties . . . . . . . . .
1.3 Quantum Strategy . . . . . . . . . . . .
1.3.1 Protocol . . . . . . . . . . . . . .
1.3.2 Kitaev’s Formalism . . . . . . . .
1.3.3 Point Games Overview . . . . . .
1.4 Previous Work . . . . . . . . . . . . . .
1.5 Overview of Thesis . . . . . . . . . . . .
1.5.1 Original Contributions . . . . . .
2
Preliminaries . . . . . . . . . . . . . . .
2.1 Point Games Defined . . . . . . . . . . .
2.1.1 Components . . . . . . . . . . . .
2.1.2 Transitive properties . . . . . . .
2.1.3 Visual Representation . . . . . .
2.1.4 Coin Flipping Point Games . . .
2.2 Fundamental Transitions . . . . . . . . .
2.2.1 Simplified Inequalities . . . . . .
2.2.2 Manipulating Transitions . . . . .
2.2.3 Combining Transitions . . . . . .
2.2.4 Restricted Transitions . . . . . .
2.3 Simple Point Games . . . . . . . . . . .
3
Point Game Analysis . . . . . . . . . . .
3.1 Point Games with Bias greater than 23 .
3.1.1 Spekkens and Rudolph Protocol .
3.1.2 Symmetric Point Games . . . . .
3.1.3 Extended Symmetric Point Game
3.2 Analysis of Transitions . . . . . . . . . .
3.2.1 Tight Transitions . . . . . . . . .
3.2.2 Standard Transitions . . . . . . .
3.3 Optimal Transitions . . . . . . . . . . .
3.3.1 Construction . . . . . . . . . . .
iii
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
i
ii
iii
v
vi
viii
1
2
3
4
4
5
5
5
6
8
8
11
13
13
15
15
15
18
21
22
23
23
27
29
30
32
35
35
35
37
40
42
43
48
53
54
3.3.2 Binomials . . . . . . . . . .
4
Point Games with Arbitrarily Small
4.1 Catalyst Points . . . . . . . . . . .
4.2 Ladders Defined . . . . . . . . . . .
4.3 Infinite Ladders . . . . . . . . . . .
4.3.1 The Single Ladder . . . . .
4.3.2 Binomial Ladders . . . . . .
4.4 Finite Ladders . . . . . . . . . . . .
4.4.1 Previously-known Ladders .
4.4.2 Single Ladder . . . . . . . .
4.4.3 Binomial Ladders . . . . . .
4.5 Recursion . . . . . . . . . . . . . .
5
Conclusion . . . . . . . . . . . . . .
5.1 Future Work . . . . . . . . . . . . .
Bibliography . . . . . . . . . . . . . . .
. . .
Bias
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
iv
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 57
. 66
. 66
. 68
. 70
. 70
. 72
. 78
. 80
. 88
. 92
. 96
. 102
. 102
. 104
List of Tables
3.1
A binomial transition of degree n is defined by the nth row of Pascal’s triangle. 59
4.1
The axis point distribution’s probabilities for a one-shot ladder. . . . . . . .
v
88
List of Figures and Illustrations
1.1
1.2
2.10
2.11
2.12
2.13
2.14
Kitaev’s weak coin flipping protocol. . . . . . . . . . . . . . . . . . . . . . .
A basic transition combined with its inverse (left) gives a binomial transition
(right). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The linear recursion (left) and our improved recursion (right). . . . . . . . .
The optimal triple ladder. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
How to truncate an optimal triple ladder. . . . . . . . . . . . . . . . . . . . .
1 3 3
, . . . . . . . . . . . . . . . .
A configuration
containing
a single
point
2 4 4
The point 38 54 , 0 is raised to 83 45 , 1 in a single step. . . . . . . . . . . . . .
A point distribution contained in the vertical line of coordinate 1. . . . . . .
A transition connecting two configurations. . . . . . . . . . . . . . . . . . . .
A point game (right) that achieves the desired final configuration (center)
from an initial configuration (left). . . . . . . . . . . . . . . . . . . . . . . .
A raise p [x1 , y] → p [x2 , y]. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A split (p1 + p2 ) [x, y] → p1 [x1 , y] + p2 [x2 , y]. . . . . . . . . . . . . . . . . . .
A merge p1 [x1 , y] + p2 [x2 , y] → p1 + p2 [x, y]. . . . . . . . . . . . . . . . . . .
An extra raise may (right) or may not (left) alter a transition’s significant
operator monotone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
An equidistant split (p1 + p2 ) [x, y] → p1 [x − δ, y] + p2 [x + δ, y]. . . . . . . .
An equidistant merge p2 [x − δ, y] + p1 [x + δ, y] → (p1 + p2 ) [x, y]. . . . . . .
An equal probability split 2 [x, y] → 1 [x − γ, y] + 1 [y, x + δ]. . . . . . . . . .
A trivial point game with endpoint 1 [1, 1]. . . . . . . . . . . . . . . . . . . .
Bob flips the coin (left) or Alice flips the coin (right). . . . . . . . . . . . . .
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
The Spekkens and Rudolph point game with undefined parameters. . . . . .
The Spekkens and Rudolph balanced coin flipping point game. . . . . . . . .
A symmetric point game with a single split on an axis. . . . . . . . . . . . .
A raise and a perpendicular split are interchangeable. . . . . . . . . . . . . .
The symmetric equivalent of the Spekkens and Rudolph point game. . . . . .
A symmetric point game with three points on an axis. . . . . . . . . . . . . .
A symmetric point game with n + 1 points on an axis. . . . . . . . . . . . .
The weight curve of a valid merge. . . . . . . . . . . . . . . . . . . . . . . .
The weight curve of a tight split. . . . . . . . . . . . . . . . . . . . . . . . .
A weight curve of a tight split shifted outwards (left) and shifted inwards (right).
A combination of weight curves with non-trivial validity. . . . . . . . . . . .
The AIW of a merge combined with its inverse. . . . . . . . . . . . . . . . .
The AIW of a merge combined with its shifted inverse. . . . . . . . . . . . .
A standard transition (1, −3, 1, 2). . . . . . . . . . . . . . . . . . . . . . . . .
The decomposition of a standard transition into standard merges and splits.
An example for a prefix sum of standard merges. . . . . . . . . . . . . . . .
A valid combination of a merge and its shifted inverse. . . . . . . . . . . . .
A valid transition (red) with a negative prefix sum of standard merges. . . .
1.3
1.4
1.5
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
vi
7
9
10
10
11
16
16
17
19
22
24
24
26
30
31
31
32
32
33
36
37
38
39
41
41
42
44
45
45
46
47
47
48
49
51
53
54
3.19
3.20
3.21
3.22
3.23
3.24
3.25
An invalid transition (red) with a negative prefix sum of standard merges.
The inverse of a valid merge (left) shifted outwards (right). . . . . . . . . .
A valid merge is also valid when shifted to its minimal set of coordinates. .
A split is never valid when shifted to its minimal set of coordinates. . . . .
A standard raise (left) and a standard merge (right). . . . . . . . . . . . .
A transition defined by (1, −2, 1). . . . . . . . . . . . . . . . . . . . . . . .
A transition defined by (1, −3, 3, −1). . . . . . . . . . . . . . . . . . . . . .
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
A loop of probability p. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
A ladder composed of a combination of loops. . . . . . . . . . . . . . . . . . 69
The invalid (red) and the valid (blue) hinge lines of a ladder. . . . . . . . . . 70
We modify the symmetric extended point game to obtain a ladder . . . . . . 71
The undefined single ladder. . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
A single ladder with dual-endpoints. . . . . . . . . . . . . . . . . . . . . . . 73
A single ladder with single endpoint. . . . . . . . . . . . . . . . . . . . . . . 73
A single ladder with added loops. . . . . . . . . . . . . . . . . . . . . . . . . 75
The optimal double ladder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The double ladder contains a single ladder. . . . . . . . . . . . . . . . . . . . 78
The optimal triple ladder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
A polynomial ladder where k = 4, j0 = 4, Γ = 13, and point probabilities are
defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
A polynomial ladder where k = 4, j0 = 4, Γ = 13, and all loop probabilities
are defined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Undefined loop probabilities of a polynomial ladder where k = 4 and Γ approaches infinity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
An invalid one-shot ladder where k = 4, = 18 , z ∗ = 5, and Γ = 16. . . . . . 89
An efficient single ladder where Γ = 11
. . . . . . . . . . . . . . . . . . . . . . 90
2
. . . . . . . . . . . . . . . 91
A truncated single polynomial ladder where Γ = 11
2
A single ladder decomposed into blocks. . . . . . . . . . . . . . . . . . . . . 93
The combination of transitions in a block matrix. . . . . . . . . . . . . . . . 93
A block defined by the binomial (1, −2, 1). . . . . . . . . . . . . . . . . . . . 93
The binomial block of degrees 4. . . . . . . . . . . . . . . . . . . . . . . . . . 94
The binomial block of degrees 5. . . . . . . . . . . . . . . . . . . . . . . . . . 94
The rung of an infinite double ladder achieved with binomial blocks. . . . . . 95
The infinite double ladder is composed of two series of binomial blocks. . . . 95
An efficient triple ladder defined by binomial blocks. . . . . . . . . . . . . . . 96
An efficient triple ladder with invalid (red) and valid (blue) hinge
. . . 97
0 lines.
0
,
. 98
Mochon’s proposed linear recursion achieves an endpoint of 1 0 +
00 0 +00 .
The first linear recursive step of the optimal double ladder. . . . . . . . . . . 99
We expand an inner point game by a factor of 2. . . . . . . . . . . . . . . . . 100
A recursion with incremental values of λ0 . . . . . . . . . . . . . . . . . . . . 101
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.27
4.28
4.29
4.30
vii
.
.
.
.
.
.
.
55
55
56
56
58
59
59
List of Symbols, Abbreviations and Nomenclature
Symbol
Definition
AIW
Average Increase in Weight
GCD
Greatest Common Divisor
SDP
Semidefinite Program
SR
Spekkens and Rudolph
viii
Chapter 1
Introduction
This thesis deals with a model of secure two-party computations known as point games.
Unconditionally secure two-party computations are impossible in the classical information
theoretic setting [39]. The fact that quantum information allows for unconditionally secure
cryptographic primitives [6] is one of the more interesting results in cryptography from
the last century. Mochon defines the point game model in [29] to prove the existence or
quantum weak coin flipping protocols with arbitrarily small bias. This model is important for
cryptography since it also provides the possibility of finding optimal protocols for other secure
two-party computations. However, Mochon’s paper is very complicated and the formalisms
he defines to create the point game model have not yet been simplified, despite the efforts
of several researchers [12, 25, 35].
Mochon posted his tour-de-force to arxiv and then got a job in
the Finance industry. No one understands Mochon’s paper and
Mochon has disappeared. Chailloux and others are attempting
to decypher it. I’ve looked into it a bit and got nowhere.
(Gus Gutoski [18])
The status of the paper by Mochon is quite peculiar. It is an 80page long paper, extremely technical and never peer-reviewed.
(Loı̈ck Magnin [25])
Someone will simplify [Mochon’s] paper. Someone else will simplify that paper. Then finally, it might be understandable.
(André Chailloux [13])
1
There have not been significant efforts to understand the point game model, since without
a simpler formalism, point games may only lead to impractical protocols [25]. However,
understanding point games may give us new insights on the formalism, which would allow
us to simplify it. If a simple formalism is discovered, a comprehensive understanding of
point games will be crucial to developing efficient, optimal protocols. In this thesis we use
analytical and mathematical methods to define several primitives and building blocks that
are useful for constructing point games. The original contributions of this thesis are the
result of joint work with my supervisor, Peter Høyer. We provide an overview of our findings
in Section 1.3.3.
1.1 Coin Flipping Defined
Coin flipping is a cryptographic primitive where two parties establish a shared uniformly
random bit [10], using only a classical information channel. We imagine two people, Alice and
Bob, flipping a coin over the phone. If the coin flip comes up heads, Alice wins. If it comes up
tails, Bob wins. Unconditionally secure classical coin flipping is obviously impossible, since if
Alice announces the outcome, then Bob must trust her honesty. Let the winning probability
of two parties be PA and PB . The bias of a coin flip is given by max(PA , PB ) − 12 . A coin
flipping protocol is balanced if both parties share the same winning probability. Any attempt
to alter the bias of a coin flip is considered cheating. Cryptographic one-way functions are
used to enforce bit commitment, which prevents cheating. The security of these functions
however, depends on the validity of computational assumptions such as “Integer factorization
cannot be done in polynomial time.” Like other computational assumptions in cryptography,
factorization is easy for a quantum party [34], whom therefore could cheat against a classical
party.
A coin flipping protocol is quantum if both parties additionally have access to a quantum communication channel. Parties cannot share a predefined entangled state since coin
2
flipping would be trivial. Quantum coin flipping protocols are useful since their security is
independent of computational assumptions. We define two types of quantum coin flipping
protocols.
Definition 1.1. A quantum coin flipping protocol is strong if the desired outcome of both
parties is unknown.
Definition 1.2. A quantum coin flipping protocol is weak if the desired outcome of both
parties is known and each party is allowed to increase the winning probability of the other.
For example, a strong coin flipping protocol might be used for a soccer game kickoff since
each player may prefer to choose the starting half or may prefer to start with the ball. A
weak coin flipping protocol might be used in a divorce settlement where each possession is
split between Alice and Bob in a series of coin flips. Bob may want to keep his dog while
Alice desperately wants to get rid of it. Strong coin flipping is at least as hard as weak coin
flipping. In this thesis, we only explore weak coin flipping protocols.
A quantum coin flipping protocol consists of a series of quantum messages ending in a
single state. If both parties agree on the result, it is output. If not, the protocol is aborted.
We only analyze protocols where at most one party is cheating since the protocol will always
be aborted if both parties are cheating.
1.2 Quantum Information Basics
In this section we present the fundamental properties of quantum information that are used
in the thesis. In fact, the concepts presented here are only required to understand the
protocol of Section 1.3. The discussion of point games does not require an understanding
of the material covered in this section. Comprehensive references on quantum information
are [20, 31].
3
1.2.1 The Qubit
A qubit is the quantum analogue of a classical bit. Just as a classical bit represents a
classical mechanical state of either 0 or 1, a qubit represents a quantum mechanical state,
which is a two-dimensional complex vector state. We define the standard basis by two linearly
independent column vectors 10 and 01 , which span the state space. These vectors are
expressed in Dirac notation by |0i and |1i in order to simplify the expression of quantum
states. A qubit may be in either a state |0i, |1i, or a superposition of both. In its most
general form, a qubit is expressed as
|ψi = α|0i + β|1i
for values α, β ∈ C such that |α|2 + |β|2 = 1. This constraint ensures that all qubits have a
norm of 1. The norm of a qubit is given by
k|ψik =
p
hψ|ψi,
where the row vector hψ| is the conjugate transpose of |ψi. The values of α and β relate to
the probabilistic nature of quantum information. When a qubit is measured in the standard
basis {|0i, |1i}, the state |0i is obtained with |α|2 probability, and the state |1i is obtained
with |β|2 probability.
1.2.2 Multiple Qubits
A combination of n classical bits expresses one of 2n possible states. Since a qubit is expressed
by a vector in a two-dimensional complex Hilbert space, a collection of n qubits is expressed
by a vector in a 2n dimensional complex Hilbert space and is given by
|ψi = |ψ1 i ⊗ |ψ2 i ⊗ . . . ⊗ |ψn i ∈ H2 ⊗ H2 ⊗ . . . ⊗ H2 = H2n .
A collection of qubits combine through their tensor product, for example the qubits |ψi =
α|0i + β|1i and |φi = δ|0i + γ|1i combine to form
|ψi ⊗ |ψi = αδ|00i + αγ|01i + βδ|10i + βγ|11i,
4
where |00i is a simplified notation for |0i ⊗ |0i and the values are normalized such that
|α|2 + |β|2 + |δ|2 + |γ|2 = 1.
1.2.3 Measurement
Extracting information from a quantum state is probabilistic in nature. In the context of
this thesis, it suffices to know that measuring a qubit |ψi with the basis {|φ0 i, |φ1 i} results
in the state |φi i with probability |hψ|φi i|2 .
1.2.4 Matrix Properties
In this subsection we present matrix properties that are used in Section 2.1.2. A comprehensive reference on matrices may be found in [9].
Definition 1.3. A matrix M is unitary if M ∗ M = M M ∗ = I, where M ∗ is its conjugate
transpose and I is the identity matrix.
Definition 1.4. A matrix is Hermitian if it is its own conjugate transpose.
Definition 1.5. A symmetric matrix M ∈ Rn×n is positive semidefinite if hx|M |xi is nonnegative for any vector |xi ∈ Rn .
A matrix is nonnegative if all of its elements are greater than or equal to zero. There
are several methods to determine whether a matrix is positive semidefinite. For example, a
matrix M is positive semidefinite if all of its eigenvalues are nonnegative, or if M = B T B
for an invertible matrix B. We use the notation M 0 to denote that M is a positive
semidefinite matrix.
1.3 Quantum Strategy
The quantum coin flipping protocol used in this thesis was first presented in [22], and was
then extended in [29]. In this section we present the protocol described in [29], we briefly
5
introduce the origin of the point game model, and we describe the kind of point games
that are explored in this thesis. A more detailed presentation of the material contained in
Sections 1.3.1 and 1.3.2 may also be found in [29].
1.3.1 Protocol
In this subsection we summarize the coin flipping protocol, initially described by Kitaev
in [22], that is presented by Mochon in [29]. Mochon shows how to map a point game into
a protocol of this form, and vice-versa. There is no clear relation between a point game and
its equivalent protocol, but some intuition of point games is provided in Section 2.3.
Let A, B, and M be finite dimensional Hilbert spaces corresponding to the qubits of
Alice and Bob, and of the message space shared between both parties. We assume that
each player only has access to their own space and the shared message space. Since we are
defining a weak coin flipping protocol, we say that Alice wins on output 0 and Bob wins on
output 1. The protocol consists of a series of n messages between both parties, where each
message is created by a unitary, as illustrated in Figure 1.1. The initial state of the protocol
is defined by
|ψ0 i = |ψA,0 i ⊗ |ψM,0 i ⊗ |ψB,0 i,
and each unitary is of the form
Ui =



UA,i ⊗ IB
if i is odd,


IA ⊗ UB,i
if i is even,
where UA,i ∈ A ⊗ M, UB,i ∈ M ⊗ B, and 0 < i ≤ n. The final state is given by
|ψn i = Un Un−1 . . . U1 |ψ0 i.
Alice performs a measurement on A with {ΠA,0 , ΠA,1 } and Bob performs a measurement
on B with {ΠB,0 , ΠB,1 }. They each output 0 or 1 according to their measurement. The
value becomes the output of the protocol if both results are equal, otherwise the protocol is
aborted.
6
Alice (A) Message (M)
···
Bob (B)
···
|ψ0 i
···
U1
···
···
|ψ1 i
U2
···
|ψ2 i
···
U3
···
···
..
.
..
.
..
.
···
···
· · · |ψ i
n
|ψA,n i
|ψ3 i
|ψB,n i
Figure 1.1: Kitaev’s weak coin flipping protocol.
7
1.3.2 Kitaev’s Formalism
This thesis deals exclusively with the point game model defined in [29]. Mochon uses Kitaev’s
formalism from [22] to define the bias of a protocol as a dual-SDP. He then defines certificates
for protocols to simplify the optimization problem. The point game model is then derived
using certain monotonicity requirements of positive semidefinite matrices. Mochon defines
a mapping between the optimization problem and the point games, and also defines the
inverse mapping. Several researchers, including [12, 25, 35], have attempted to validate
and simplify Mochon’s extended formalism and mappings with great difficulty. Moreover,
although Mochon defines point games with arbitrarily small bias, he does not convert these
into protocols since the inverse mapping is too complicated [25]. Kitaev’s formalism and
Mochon’s construction of point games are outside of the scope of this thesis.
1.3.3 Point Games Overview
Several researchers, including [12, 25, 35], have analyzed Mochon’s paper. The majority of
their work relating to Mochon’s paper has dealt with his formalisms and mappings rather
than his model of point games, since Mochon’s point games only serve as a proof that
protocols with arbitrarily small bias exist. Although the inverse mapping from point games to
protocols leads us to believe the resulting protocol would be impractical [25], it is important
to validate Mochon’s claims of optimal point games. Furthermore, understanding point
games may lead to a new understanding of the formalism that describes secure two-party
computations. For example, we see evidence in this thesis that suggests point games may
be solved using techniques in graph theory or combinatorics. If an efficient mapping to
protocols is found, efficient point games will become crucial to constructing coin flipping
protocols with arbitrarily small bias. In this subsection we present an overview of ideas
presented in this thesis. The figures are too technical to understand at this point and should
only give an idea of the results we obtain.
8
5δ
5δ
(1)
(1)
4δ
4δ
(1)
(2)
(2)
(1)
(3)
3δ
3δ
(3)
2δ
2δ
(1)
(1)
δ
δ
Figure 1.2: A basic transition combined with its inverse (left) gives a binomial transition
(right).
The point game model consists of a set of points that are displaced with transitions, as
defined in Section 2.1.1. Not all transitions are valid since a coin flipping protocol cannot
decrease in bias after a round of communication. The validity requirements of transitions
are given in Section 2.1.2. Point games are represented with simple, intuitive figures that are
used throughout the thesis. We define new methods to analyze and compare the efficiency
of transitions in Section 3.2.1. In order to find optimal transitions, we restrict the search
space by defining the standard setting in Section 3.2.2. We define a family of transitions
in Section 3.3 that are very useful when constructing point games. An example of such a
transition is shown in Figure 1.2.
Infinite structures known as ladders are used to obtain better endpoints in point games.
We show how to obtain optimal ladders in Section 4.3, and how make them finite and
efficient in Section 4.4.3. We analyze Mochon’s ladders and offer several new insights on
their construction in Section 4.4.1. Furthermore, we argue that key elements in Mochon’s
construction of ladders are missing. We examine Mochon’s proposed recursion and define a
new recursion technique in Section 4.5 that achieves better results. A comparison of both
recursion techniques is shown in Figure 1.3. Using our new family of transitions, we define
a family of optimal infinite ladders such as the one in Figure 1.4. We define a simple and
intuitive truncation technique, shown for the ladder of Figure 1.4 in Figure 1.5, that achieves
9
better results and allows us to easily think of infinite optimal ladders in a finite setting.
6
6
1.0
5
6
4
6
3
6
0.5
2
6
1
6
1
6
2
6
3
6
4
6
5
6
6
6
0
0
0.5
1.0
Figure 1.3: The linear recursion (left) and our improved recursion (right).
12
4
11
4
10
4
9
4
8
4
7
4
6
4
5
4
4
4
3
4
2
4
1
4
..
225
.
120 −735
56 −384 721
21 −175 365
−64 160
3
−15 56
1
−365 384 −120
−160 175 −56
−56 64 −21
13
1
−721 735 −225
1
−13 15
−3
−1
(1)
−1
−1
(1)
1
4
2
4
3
4
4
4
5
4
6
4
7
4
8
4
9
4
10
4
11
4
Figure 1.4: The optimal triple ladder.
10
12
4
1
1
4
−2
1
∅
−2 1
1 −2
∅ −1
3
−2 3
−1
1
2
20
−2 1 1 ∅ −3
−2 1 1
−3 2
−1
1
∅
35
−2 3
−1−1 2
−2 3
−1−1 2
−1
1 −2
−3 2
1 1 ∅
−3 2
1
−2
∅ −1−1 2 −1
3
−1 2
−1
1
∅ −3 2
10
∅
−1
2
−1
Figure 1.5: How to truncate an optimal triple ladder.
1.4 Previous Work
In this section we review some of the most important developments in the study of quantum
coin flipping. The study of quantum cryptographic primitives originates from the knowledge
that quantum information allows for secure communication within the information theoretic
setting. The first major breakthrough in the field was the discovery of unconditionally
secure quantum key distribution [6, 38]. There were several attempts to discover secure bit
commitment, which would have resulted in many two-party secure computation protocols [5,
40], but it was later proven that secure bit commitment [24, 26] and any two-party secure
computation [16, 23] were impossible.
Classical coin flipping was first presented in [10] and was shown to be an important
cryptographic primitive in [39]. However, classical coin flipping protocols cannot prevent
cheating in the information theoretic setting, as shown in [10]. The first quantum protocol
to prevent a cheating party from obtaining a winning probability of 1 was presented in [2] and
had a bias of 0.4143. Another strong coin flipping protocol with a bias of
11
1
4
was discovered
in [3]. Its bias was shown to be optimal for a certain family of protocols in the same paper.
Several other strong coin flipping protocols were discovered in [30, 36], none of which could
achieve a better bias. It was later proven in [22] that strong coin flipping protocols could
not achieve a lower bias than
bound of bias between
1
4
and
√1
2
√1
2
− 12 . Whether strong coin flipping protocols have a lower
−
1
2
remains an open question and there is strong evidence
to support both extremes.
Weak coin flipping was first presented in [37] with a protocol that achieved a bias of
√1
2
− 12 . This protocol coincidentally shared the lower bound of strong coin flipping proposed
in [22] and was generalized for a class of protocols in [4]. Another protocol was independently
discovered in [21] and achieved a bias of approximately 0.239. Weak coin flipping protocols
with a bias of
1
6
were later found in [27, 28]. It was also shown in [3] that both weak and strong
coin flipping protocols with bias required at least O log log 1 rounds of communication.
Although weak coin flipping cannot achieve zero bias with a finite number of messages,
a constructive proof of weak coin flipping protocols with arbitrarily small bias was given
in [29]. The proof used a new formalism of two-party adversarial games based on the theory
of convex cones and operator monotone functions presented in [22].
This major breakthrough led to a flurry of research. Based on the ideas from [29], a
strong coin flipping protocol using a weak coin flipping subroutine was shown to achieve a
bias arbitrarily close to
√1
2
−
1
2
in [14] and optimal quantum bit commitment with a bias
arbitrarily close to 0.239 was shown in [15]. More practical loss-tolerant protocols with high
biases were given in [1, 7, 11] and partially noise-tolerant protocols in [8]. Protocols were
considered in [32], taking into account every aspect of their physical implementation. General
bounds on coin flipping protocols have been given in [19], with the aim of unifying weak,
strong, and classical coin flipping protocols. Several PhD theses, including [12, 25, 35],
have attempted to simplify the proofs from [29] and have attempted find more efficient
protocols with arbitrarily small bias. However, their proofs remain overly complicated and
12
do not realize the potential of the point game model. To this day, the breakthrough results
from [29] remain unpublished.
1.5 Overview of Thesis
Chapter 2 introduces the concepts that are used in the thesis by formally defining point
games and their fundamental properties. In Chapter 3 we define the limit of a family of
point games, present analysis techniques, and introduce optimal constructions. In Chapter 4
we present a family of optimal point games that contain infinite structures, we present
methods to truncate these structures efficiently, and we show how to recurse finite point
games to achieve an arbitrarily small bias. An overview of point games and the progression
of topics contained in the thesis are presented in Section 1.3.3.
1.5.1 Original Contributions
The original contributions of this thesis are the result of joint work between my supervisor,
Peter Høyer, and I. The main original contributions are
• In Section 3.3 we prove that optimal standard transitions are defined by binomial coefficients. We provide a new method to determine the validity of a
family of transition by solving a saturated set of equations in polynomial-time.
• In Section 4.3 we define a family of ladders that are optimal. We extend
Mochon’s work in [29] and use our optimal standard transitions to achieve
this goal. We show that such ladders can achieve endpoints with an arbitrarily
small increase in bias.
• In Sections 4.4.2 and 4.4.3 we show how to obtain optimally truncated ladders
using sets of transitions defined by binomials. We prove that our truncated
ladders are more efficient than the best previously known from [29].
13
• In Section 4.4.1 we argue that finite point games achieving an arbitrarily small
bias have not yet been proven to exist. We analyze the point games presented
in [29] and provide several new insights on their construction.
• In Section 4.5 we define a new recursion technique that is more efficient than
the previous best from [29].
We attempted to find a way to determine the validity of an arbitrary transition based
solely on certain binomial properties. Whether such a method exists is an open question,
and is posed in Section 5.1. If one does exist however, it would be possible to map the dualSDP which finds protocols for secure two-party computations into a model defined only by
binomials instead of polynomials. Such a result could pave the way for a new understanding
of general SDPs.
14
Chapter 2
Preliminaries
In this chapter we formally define the concepts that are required in the study of weak coin
flipping protocols of this thesis. We present the concept of point games which express secure
two-party computations and we explain their monotonicity properties. Both the point games
and their equivalent protocols are derived from Kitaev’s formalisms [22], briefly introduced
in Section 1.3.
2.1 Point Games Defined
Point games are a discrete formulation of secure two-party computations based on Kitaev’s
formalisms. A point game is defined by an initial, a final and a sequence of intermediate
configurations, each described by a set of points and connected by transitions. In this section
we define each component of the point game, we formalize its validity requirements, we
provide an illustrated analogue to the formal definitions, and we specify the characteristics
of a coin flipping point game.
2.1.1 Components
In this subsection we formally define the components of point games and provide a simple
example for each definition. The visual representation of point games is explored in greater
detail in Section 2.1.3, and an example of a simple point game is given in Figure 2.5.
Definition 2.1. A point, denoted by p [x, y], is a positive probability p with an associated
pair of nonnegative rational coordinates (x, y).
Since a point is expressed by a pair of nonnegative rational coordinates, a point game’s
domain is represented by the quadrant of a two-dimensional Cartesian system. For example,
15
5
4
4
4
1
2
3
4
2
4
1
4
1
4
2
4
3
4
4
4
5
4
Figure 2.1: A configuration containing a single point
5
4
4
4
1
2
5
4
4
4
3
4
3
4
2
4
2
4
1
4
1
8
1
4
2
4
3
4
3
8
4
4
Figure 2.2: The point
a point of probability
1
2
1
2
1
4
5
,
0
is raised to
4
and coordinates
3 3
,
4 4
,3
4 4
.
3
8
1
8
5
4
3
8
3
1
4
1
2
3
8
2
4
3
4
4
4
5
4
5
,
1
in a single step.
4
is represented in Figure 2.1. We also note
that a point’s probability may be scaled by a positive factor. Therefore a probability may
be greater than 1.
Definition 2.1. A configuration is the set of all points in the point game, at a given step.
The sum of probabilities, for all points in a configuration, is the same for all configurations
within a point game. For example, two configurations of a single point game, separated by
a single step, are presented in Figure 2.2.
Definition 2.2. A nonnegative one-dimensional space is a line if it only contains a set of
points with a common coordinate.
16
5
4
4
4
3
4
2
4
1
4
1
4
2
4
3
4
5
8
1
4
1
16
1
16
4
4
5
4
Figure 2.3: A point distribution contained in the vertical line of coordinate 1.
By definition, a line is either vertical or horizontal. A line is an axis if it contains the
coordinate (0, 0).
Definition 2.3. A point distribution is a set of points contained in a line of a configuration.
For example, a point distribution is given in Figure 2.3. We use a measure to quantify
the distribution of probability in a line.
Definition 2.4. Let f (x) be a monotonically increasing function. The weight is the summation over all points in a line
weight =
X
f (x)px ,
x∈line
where px is a point’s probability and x is a point’s coordinate in the line.
For example, the weight of the point distribution in Figure 2.3, for the monotonically
increasing function f (x) = x, is given by
X
1
1
3
1
5
53
1
+
+
+ 1
= .
xpx = 0
16
4
16
4
4
8
64
x∈line
P
Definition 2.5. Let weight =
x∈line xpx . The bias is the summation of weight for all
parallel lines in a configuration
bias =
X
1
xpx − .
2
x∈line
X
parallel lines∈config
17
The end bias of a point game is the bias of its final configuration. A bias is either vertical
or horizontal, since the summation is over all parallel lines. For example, the vertical bias of
the configuration in Figure 2.3 is equal to
1
16
53
64
and its horizontal bias is given by
1
1
5
1 +
1 +
1 +
1 = 1.
16
4
8
Definition 2.6. A transition designates an action performed on a point distribution which
alters one or more of its points but preserves the overall probability so that
X
px =
xbefore
X
px .
(2.1)
xafter
A transition is valid if
X
f (x)px ≤
X
f (x)px ,
xafter
xbefore
for all monotonically increasing functions f (x) which take a point’s coordinate x as input.
The validity requirements of a transition are explored in greater detail in Section 2.1.2. A
transition from one point distribution to another is done in a single step. Multiple transitions may be performed in the same step, but any two configurations with distinct point
distributions on the same line must be separated by at least a step. The set of all transitions
contained in a line is often simply called a line. A transition is represented by an arrow.
The transition that connects both configurations in Figure 2.2 is shown in Figure 2.4 and
expressed as 12 [0, 1] + 18 34 , 0 + 21 54 , 0 → 12 [0, 1] + 81 43 , 0 + 12 45 , 1 .
A set of transitions is connected if there exists a path from the starting point of one
transition to the endpoint of all transitions in the set.
2.1.2 Transitive properties
Not all transitions are valid. The bias of a point game is nondecreasing for each step. We
mention in Section 1.3 that our point games express dual-SDPs, in which the semidefinite
positive matrices are monotonically increasing. We therefore require that two successive
matrices be monotonically increasing for all operator monotone functions. In this subsection
18
5
4
4
4
1
2
3
4
2
4
3
8
1
4
1
8
1
4
2
4
3
4
4
4
5
4
Figure 2.4: A transition connecting two configurations.
we present the characteristics of operator monotone functions that are relevant to our analysis
of point games. We argue that transitions must satisfy certain monotonicity criteria to be
valid components of point games.
Definition 2.7. A function f (x) is operator monotone if f (B)−f (A) is positive semidefinite
for all Hermitian matrices A and B such that B − A is positive semidefinite.
Let f be a real function with domain S, let U be a unitary, and let D = diag(λ1 , λ2 , . . . , λn )
be a diagonal matrix of rank n such that every eigenvalue of D is contained in S. We define
f (D) = diag(f (λ1 ), f (λ2 ), . . . , f (λn )) and f (U f (D)U ∗ ) = U f (D)U ∗ . Given any Hermitian
matrix A, there exists a unitary U such that A = U DU ∗ and f (A) = U f (D)U ∗ [9]. We
define two functions f (x) = 1 and f (x) = x, which are trivially operator monotone.
Lemma 2.1. The function f (x) = − x1 is operator monotone over the domain (0, ∞).
Proof. The proof is given in [9]. Let B A 0. We know that
1
1
I B − 2 AB − 2
1
1
I B 2 A−1 B 2
B −1 A−1 ,
which is true because of our assumption.
19
We shift the domain of this operator monotone, by adding a term λ strictly greater than
0, to obtain
f (x) = −
1
,
x+λ
which operates on (−λ, ∞). We restrict the domain to [0, ∞). Let the functions f (x) and
g(x) be operator monotone. Any combination
af (x) + bg(x)
is also operator monotone if both a and b are greater or equal to 0. We combine the operator
1
with the proper scalar values to obtain
monotones f (x) = 1 and f (x) = − x+λ
1−
λ
x
=
.
x+λ
x+λ
Definition 2.8. A function f (x) is operator convex if for all Hermitian matrices A and B
of same order,
(1 − λ)f (A) + λf (B) − f ((1 − λ)A + λB)
is positive semidefinite for all real values of λ such that 0 ≤ λ ≤ 1 [9].
The functions f (x) = 1, x, and
x
x+λ
are important since they are also operator convex,
and since any operator monotone is a linear combination of these three functions [29]. As
shown in [9], any operator monotone is expressible under the integral form
Z
f (x) = α + βx +
0
∞
λ
1
−
2
λ +1 λ+x
du(λ),
(2.2)
where α is real, β is greater or equal to 0, and the integral is a positive value. A real-valued
function f is monotonically increasing if f (x) ≤ f (y) whenever x ≤ y. All operator monotone
functions are monotonically increasing. A transition acts as an increasing monotone function
on a point distribution since the weight of the resulting point distribution must be at least
equal to that of the original point distribution for all increasing monotone functions.
20
Definition 2.9. Let f (x) be a monotonically increasing function. The increase in weight of
a transition from a point distribution A to B is the difference between the weight of B and
the weight of A
∆weight(f ) =
X
f (x)px −
x∈A
X
f (x)px .
(2.3)
x∈B
We conclude from Equation 2.2 that a transition is valid if and only if its increase in
1
weight is nonnegative for f (x) = 1, f (x) = x, and f (x) = − x+λ
for all λ greater than 0.
Therefore, a transition from a point distribution A to a point distribution B is valid if both
A and B contain the same overall probability and the weight of B is greater or equal to
that of A for all increasing monotone functions. Conserving the probability in a transition
ensures that the operator monotone f (x) = 1 is satisfied. The operator monotone f (x) = x
1
is satisfied when λ approaches infinity. Therefore, we
is satisfied if and only if f (x) = − x+λ
determine that a point game is valid if and only if every line in the point game preserves
probability and satisfies
X
xbefore
X px
px
≥
x+λ x
x+λ
(2.4)
after
for all λ greater than 0.
We see that every operator monotone is a combination of functions f (x) = 1, f (x) = x,
1
and f (x) = − x+λ
, for λ greater than 0. Since the first two functions are derived from the
1
later, it suffices to evaluate the increase in weight of a transition for f (x) = − x+λ
and for
all λ greater than 0. Therefore, a transition is only valid if Equation 2.4 is satisfied for all λ
greater than 0.
2.1.3 Visual Representation
Point games are a useful interpretation of secure two-party computations because they are
expressed with simple illustrations. In this subsection we use the concepts introduced in
Section 2.1.1 to define a simple representation of point games.
A point game has an initial configuration and a desired final configuration. Our goal is
21
6
4
5
4
4
4
3
4
2
4
1
4
1
2
6
4
5
4
4
4
3
4
2
4
1
4
1
2
1
4
2
4
3
4
4
4
5
4
6
4
6
4
5
4
4
4
3
4
2
4
1
4
(1)
1
4
2
4
3
4
4
4
5
4
1
2
1
4
6
4
1
4
2
4
1
4
1
4
3
4
4
4
5
4
6
4
Figure 2.5: A point game (right) that achieves the desired final configuration (center) from
an initial configuration (left).
to find a set of valid transitions that will achieve the desired final configuration. A point
game is represented by this set of transitions, as shown for example in Figure 2.5. We gain
an intuitive understanding of the validity of point games with this simple representation.
Transitions are represented by arrows that connect the point distributions in one configuration to the next. The start and endpoint of an arrow correspond to the points of two
distinct configurations. We annotate arrows with the probability of both points, since a transition conserves probability. The set of points contained in the initial and final configuration
are represented by a dot.
2.1.4 Coin Flipping Point Games
Since we are only interested in point games that correspond to coin flipping protocols, we
must restrict the possible initial and final configurations. In this subsection we define the
configurations that correspond to coin flipping point games and argue how transitions are
assigned by both parties.
The initial configuration contains only two points of probability 21 , located at the coordinates (1, 0) and (0, 1). The final configuration contains a single point of probability 1,
located at a pair of coordinates (x, y) where
1
2
≤ x ≤ 1 and
1
2
≤ y ≤ 1. The initial and
final configurations of our point games are chosen to satisfy the properties of coin flipping
22
protocols presented in Section 1.1. We allow one player control of the vertical transitions,
while the other has control of the horizontal transitions. This ensures both parties have equal
input in the point game. Points of equal probability and symmetric coordinates are initially
required to prevent either player from gaining an unfair advantage from the initial bias they
control. The value of the probability is arbitrary and can be scaled to any positive value.
The coordinates could also be changed, but their values are chosen to easily determine the
coin flipping bias, since the coordinates of the final point are directly related to both players’
winning probability. Both parties begin with a winning probability PA = PB = 21 , since the
initial configuration is
1
2
[0, 1] + 12 [1, 0]. Therefore, the bias is initially zero and is increased
by the subsequent transitions in the point game. We say that Alice performs all vertical
transitions, while Bob performs all horizontal transitions. The endpoint of a coin flipping
point game is expressed by 1 [PA , PB ], where PA and PB are the winning probabilities of
Alice and Bob as defined in Section 1.1.
2.2 Fundamental Transitions
We define point games in Section 2.1 and argue that any valid point game can be mapped into
a protocol as defined in Section 1.3.1. The validity requirements presented in Section 2.1.2
allow us to determine whether a point game is valid simply by examining its transitions. In
this section we argue that any point game is composed of three fundamental transitions and
that their validity depends on simplifier requirements. We show how to manipulate these
transitions and how to combine them in order to gain insight on the validity of point games.
2.2.1 Simplified Inequalities
1
Since any operator monotone function is a combination of functions f (x) = 1, x, and − x+λ
,
as shown in Section 2.1.2, any transition is a combination of three fundamental transition
derived from the same functions. In this subsection we present the fundamental transitions
23
(p)
y
x1
x2
Figure 2.6: A raise p [x1 , y] → p [x2 , y].
(p1 )
y
x1
(p2 )
x
x2
Figure 2.7: A split (p1 + p2 ) [x, y] → p1 [x1 , y] + p2 [x2 , y].
of point games, first presented in [29], and argue that the validity of each transition is
determined by a simple inequality. We show that each of these inequalities is also derived
from the general inequality of Equation 2.4.
The raise p [x1 , y] → p [x2 , y], shown in Figure 2.6, is valid if and only if its increase in
weight is positive for f (x) = 1. Therefore, a raise increases the weight of a point distribution
for all monotonically increasing functions and is valid for all values p, y, and x1 greater or
equal to 0, such that x1 < x2 .
Theorem 2.1. The split (p1 + p2 ) [x, y] → p1 [x1 , y] + p2 [x2 , y], such that x1 ≤ x2 as shown
in Figure 2.7, is valid if and only if its increase in weight is nonnegative for f (x) = − x1 , or
equivalently
p1 + p2
p1
p2
≥
+ .
x
x1 x2
(2.5)
Proof. We know from Equation 2.4 that the split is valid if and only if the general inequality
p1
p2
p1 + p2
≥
+
x+λ
x1 + λ x2 + λ
24
(2.6)
is satisfied for all λ greater than 0. Equation 2.6 implies Equation 2.5, since the inequality
must be satisfied when λ approaches 0. We must also show that satisfying Equation 2.5 will
satisfy Equation 2.6 for all λ greater than 0. We factor the terms in Equation 2.6 to obtain
(x1 x2 + x1 λ + x2 λ + λ2 )(p1 + p2 ) ≥ (xx2 + xλ + x2 λ + λ2 )p1 + (xx1 + xλ + x1 λ + λ2 )p2 .
Notice the term λ2 cancels itself. By factoring each side by
1
,
xx1 x2
and with some simplifica-
tion, we obtain
1
1
1
+ x1 x2 λ (p1 p2 ) ≥
+ xx2 λ p1 +
+ x1 xλ p2 .
x
x1
x2
Bringing the terms to one side
1
1
1
1
0 ≥ p1
− + ((xx2 ) − (x1 x2 ))λ + p2
− + ((x1 x) − (x1 x2 ))λ ,
x1 x
x2 x
and with further simplification
1
1
0 ≥ p1 (x − x1 )
+ x2 λ
+ p2 (x − x2 )
+ x1 λ
.
x1 x
xx2
We determine whether the function
1
1
+ x1 λ
+ x2 λ
+ p2 (x − x2 )
f (λ) = p1 (x − x1 )
x1 x
xx2
is increasing or decreasing by taking the first derivative of λ
f 0 (λ) = p1 (x − x1 )x2 + p2 (x − x2 )x1 = p1 x2 x + p2 x1 x − (p1 + p2 )x1 x2 .
Since we assume Equation 2.5 is satisfied, we know that f 0 (λ) is less than or equal to 0.
Therefore, f (λ) is non-increasing. By observation, the value of f (λ) is maximal when λ
approaches 0. Therefore, Equation 2.5 implies Equation 2.6.
Theorem 2.2. The merge p1 [x1 , y] + p2 [x2 , y] → p1 + p2 [x, y], such that x1 ≤ x2 as shown
in Figure 2.8, is valid if and only if its increase in weight is nonnegative for f (x) = x, or
equivalently
p 1 x1 + p 2 x 2
≤ x.
p1 + p2
25
(2.7)
(p1 )
y
x1
(p2 )
x
x2
Figure 2.8: A merge p1 [x1 , y] + p2 [x2 , y] → p1 + p2 [x, y].
Proof. We know from Equation 2.4 that the merge is valid if and only if the general inequality
p1
p2
p1 + p2
+
≥
x1 + λ x2 + λ
x+λ
(2.8)
is satisfied for all λ greater than 0. Equation 2.8 implies Equation 2.7, since the inequality
must be satisfied when λ approaches infinity. We must also show that satisfying Equation 2.7
will satisfy Equation 2.8 for all λ greater than 0. We determine whether the function
f (λ) =
p1
p2
p1 + p2
+
−
x1 + λ x2 + λ
x+λ
is increasing or decreasing by taking the first derivative of λ
f 0 (λ) = (p1 + p2 )x − p1 x1 − p2 x2 .
Since we assume Equation 2.7 is satisfied, we know that f 0 (λ) is greater or equal to 0.
Therefore, f (λ) is non-decreasing. By observation, the value of f (λ) is minimal when λ
approaches infinity. Therefore, Equation 2.7 implies Equation 2.8.
Any transition is a combination of merges, splits, and raises since these transitions are
1
derived from the functions f (x) = 1, f (x) = x, and f (x) = − x+λ
which span the space of all
operator monotone functions, as shown in Section 2.1.2. Whenever a single transition type
is contained in a line, we use the simplified inequalities of this subsection to determine the
validity of the line.
26
2.2.2 Manipulating Transitions
An arbitrary transition’s validity is rarely obvious. Some manipulations of transitions have
a known effect on their validity. By manipulating known transitions, such as those of Section 2.2.1, we are able to create transitions with a known validity. In this subsection we
present original concepts of inversion, compression, scaling, and shifting. We also present
several constraints that valid transitions must satisfy.
A transition is scaled by a real positive value c if every probability contained in a transition
is multiplied by c. Scaling a transition does not affect its validity, which is trivially observed
from
X
xbefore
X cpx
cpx
−
=c
x+λ x
x+λ
after
X
xbefore
px
−
x+λ x
X
px
x+λ
!
.
after
A transition is shifted by a real value δ if the coordinate of every point contained in the
transition is increased by δ and each coordinate remains nonnegative. An outwards shift
refers to a positive δ, while an inwards shift refers to a negative δ. A shifted transition’s
validity is determined by
X
xbefore
X
px
px
≥
x+δ+λ x
x+δ+λ
after
for all λ greater than 0, or equivalently, by
X
xbefore
X px
px
≥
x+λ x
x+λ
after
for all λ greater than δ. Shifting a raise does not affect its validity since it is always valid.
Shifting a merge does not affect its validity either, since a merge is valid if and only if
Equation 2.4 is satisfied when λ approaches infinity. Since a split’s validity is determined
when λ approaches 0, shifting an invalid split outwards might make it valid. Similarly,
shifting a valid split inwards might make it invalid.
A transition is compressed if its probabilities are not altered and the space between each
point is reduced by a single factor greater than 0 and smaller than 1. Similarly, we expand
a transition by increasing the space between each point with a single factor greater than 1.
27
Definition 2.10. Let T be a transition of the form
P
sition is the shifted inverse of T if it is of the form
P
xbefore
xafter
px [x, c] →
P
xafter
px [x + δ, c] →
px [x, c]. A tran-
P
xbefore
px [x + δ, c],
and if every value of x + δ is greater or equal to 0.
The inverse of a valid transition has a negative increase in weight for all monotonically
increasing functions. The inverse of a raise is called a drop. A valid transition cannot contain
more drops than raises.
Lemma 2.2. A transition is invalid if
X
xpx >
xbefore
X
xpx .
xafter
Proof. A valid transition must satisfy the inequality in Equation 2.4 for all λ greater than
0, and therefore
!
X
px xλ +
xafter
X
xbefore
px
Y
y
!
≥
X
xafter
y6=x
Y
px
y6=x
y
+
X
px xλ
xbefore
must be valid when λ approaches infinity. We take the first derivative of λ to obtain
X
xpx ≤
X
xpx .
(2.9)
xafter
xbefore
Therefore, a transition is invalid if more probability is dropped than raised.
Lemma 2.3. Let A be a point distribution such that every point in A has a positive coordinate. There does not exist a valid transition from A to a point distribution B which contains
a point at coordinate 0.
This lemma is true since Equation 2.4 cannot be solved if there exists an xafter equal to 0.
The concepts of inversion, scalability, and compressibility are used in our analysis of point
games of Sections 3.2 and 3.3. The lemmas presented in this subsection also allow us to
easily recognize invalid transitions.
28
2.2.3 Combining Transitions
Transitions contained in a single line combine to form a single transition. In some cases
it is advantageous to think of transitions separately, and in other cases to consider their
combination. In this subsection we argue that each transition’s validity depends on a single
operator monotone function. We argue that a combination of transitions defined by the same
operator monotone function must satisfy the same simplified inequality.
A transition from any point distribution with two or more points to a point distribution
containing a single point is a combination of merges. It is therefore valid if and only if its
increase in weight is nonnegative for the operator monotone f (x) = x, or equivalently
X
px x ≤ pafter xafter .
xbefore
A transition from a single point to a point distribution with two or more points is a combination of splits. It is therefore valid if and only if its increase in weight is nonnegative for
the operator monotone f (x) = − x1 , or equivalently
X px
pbefore
≥
.
xbefore x
x
after
A transition is only valid if its increase in weight is positive for a specific operator monotone function. We call this function a transition’s significant operator monotone, and is
1
expressed as f (x) = − x+λ
for a nonnegative value of λ. In Section 2.1.2, we argue that a
1
transition’s validity is determined by evaluating its increase in weight for f (x) = − x+λ
, for
all possible values of λ. In Section 2.2.1, we present transitions with significant operator
monotones of f (x) = 1, f (x) = x, and f (x) = − x1 . There are ways of combining transitions
such that the significant operator monotone is known. For example, combining a raise with
a merge may create a merge or it may create a merge combined with a split, depending on
the raise’s coordinates, as shown in Figure 2.9.
We present combinations of transitions with known significant operator monotones in
Section 3.3. A simple method of determining an arbitrary transition’s significant operator
29
4δ
4δ
(1) (1)
3δ
3δ
(1)
(1)
+
2δ
(1)
=
(1) +
= (1)
2δ
(1) (2)
(1)
δ
(1)
=
1
2
+
(1)
1
2
(1)
δ
Figure 2.9: An extra raise may (right) or may not (left) alter a transition’s significant
operator monotone.
monotone remains an open question.
2.2.4 Restricted Transitions
Since any transition is a combination of merges, splits, and raises, understanding the individual limits of these transitions is useful. In this subsection we fix the coordinates and the
probabilities of splits and merges to determine the inequalities these restricted transitions
must satisfy.
An equidistant split (p1 + p2 ) [x, y] → p1 [x − δ, y] + p2 [x + δ, y], shown in Figure 2.10, is
valid if and only if
δ≤
(p2 − p1 )x
.
(p1 + p2 )
(2.10)
Equation 2.10 is derived from Equation 2.5. We notice the split’s validity depends on its
spacing δ and its coordinate x. Let the split’s probability p2 be greater than p1 . There exists
an outwards shift that makes the split valid for a fixed value of δ.
An equidistant merge p2 [x − δ, y] + p1 [x + δ, y] → (p1 + p2 ) [x, y], shown in Figure 2.11,
is valid if and only if p2 is greater or equal to p1 and x is greater or equal to δ. The validity
of an equidistant merge does not depend on its spacing δ or its coordinate x. The merge
may be shifted by any nonzero factor and will maintain its validity as long as its set of
coordinates remains nonnegative. An equal probability merge 1 [x − γ, y] → 1 [x + δ, y] +
2 [x, y] is therefore valid if and only if δ is greater or equal to γ.
30
y
(p1 )
(p2 )
x
x−δ
x+δ
Figure 2.10: An equidistant split (p1 + p2 ) [x, y] → p1 [x − δ, y] + p2 [x + δ, y].
y
(p1 )
(p2 )
x
x−δ
x+δ
Figure 2.11: An equidistant merge p2 [x − δ, y] + p1 [x + δ, y] → (p1 + p2 ) [x, y].
An equal probability split 2 [x, y] → 1 [x − γ, y]+1 [y, x + δ], shown in Figure 2.12, is valid
if and only if x is strictly greater than γ and
γ≤
xδ
.
x + 2δ
(2.11)
This transition must satisfy Equation 2.4, and therefore
2
1
1
δx − γx − 2δγ
−
−
=
≥ 0.
x x+δ x−γ
x(x + δ)(x − γ)
Since x(x + δ)(x − γ) is positive by definition, an equal probability split must satisfy Equation 2.11. We notice if δ approaches 0, the maximal value of γ approaches δ.
The equal probability and equal distance transitions described in this section are used in
our analysis of Section 3.2.2 and the point games of Chapter 4.
31
y
(1)
(1)
x
x−γ
x+δ
Figure 2.12: An equal probability split 2 [x, y] → 1 [x − γ, y] + 1 [y, x + δ].
1
1
2
1
2
1
Figure 2.13: A trivial point game with endpoint 1 [1, 1].
2.3 Simple Point Games
In this section we present simple coin flipping point games that contain only merges and
raises, and achieve trivial endpoints. We argue that transitions may be interpreted as actions
performed by parties and we determine that splits are required to achieve better endpoints.
We select a finite set of connected merges, splits, and raises such that each line may
contain at most one type of transition. The only valid point game achievable with raises
has an endpoint of 1 [1, 1], as shown in Figure 2.13. This point game is equivalent to the
protocol where no coin is flipped and either Alice or Bob chooses the outcome. Let Alice
choose the outcome. She may decide to make herself win with certainty, and therefore fix
PA to 1. Otherwise, she must decide to make herself lose and fix PB to 1.
Two additional point games with endpoints 1 1, 21 or 1 21 , 1 , shown in Figure 2.14,
are achievable with raises and merges. They are the optimal point games for this set of
32
1
1
2
1
2
1
1
2
1
2
1
2
1
2
1
2
1
2
1
1
Figure 2.14: Bob flips the coin (left) or Alice flips the coin (right).
transitions since a merge may only be performed on a point distribution containing two or
more points. One of the two initial points must therefore be raised until it reaches a line
that is shared with the other. The merge achieves the smallest end bias when the equality
of Equation 2.7 is satisfied. These point games are equivalent to the protocols where either
Alice or Bob flips a coin and announces the outcome to the other party. Let Alice flip the
coin and announce the outcome. She may chose to ignore the coin flip and succeed with
probability 1. Otherwise, she must be honest and announce the proper outcome of the coin
flip, in which case Bob has a winning probability of 12 .
We show in Section 2.1.4 that Alice performs all vertical transitions, while Bob performs
all horizontal transitions. We also argue that the endpoint of a valid point game is expressed
by 1 [PA , PB ]. The values of PA and PB are equal to the horizontal and vertical biases of the
final configuration when f (x) = x. Therefore, we must evaluate the increase in weight of a
transition for f (x) = x to determine its effect on the end bias. A merge does not increase
the vertical or the horizontal bias of a point game, but a raise does. Let Alice perform a
raise. The horizontal bias of the point game is increased, and therefore so is Bob’s winning
probability. A merge may be interpreted as a coin flip, and a raise may be interpreted as
trusting the outcome of a coin flip announced by another party. The merge itself has no
cheating power, only the raise diminishes a party’s winning probability. Sikora provides a
similar interpretation of transitions by defining “point raising as receiving a message, point
33
merging as generating a message, and point splitting as checking a message via quantum
measurement” [35].
To minimize the winning probability of both parties, we must minimize the increase in
bias created by raises. This is accomplished by allowing both parties to perform coin flips.
The split increases the bias by a smaller amount then the raise. It also creates a point
distribution from which both parties may perform merges and raises. Therefore, splits act as
the cheat detection mechanism for our point games. The endpoint 1 21 , 12 could be achieved
if a point game containing only merges were possible. This is provably impossible due to
the lower bound of quantum coin flipping presented in [23, 26]. Therefore, we must find a
combination of merges, splits, and raises which achieves an endpoint while minimizing the
increase in bias of these transitions.
34
Chapter 3
Point Game Analysis
In this chapter we start by presenting a family of point games that achieve a bias greater
than 32 . We then present new analysis techniques to measure both the validity and optimality
of transitions. We conclude by presenting a family of transitions that are optimal.
3.1 Point Games with Bias greater than
2
3
Section 2.3 shows that merges are preferable to splits, and that splits are preferable to raises
when constructing point games. The validity of a point game containing at most one type
of transition per line is easily determined, since fundamental transitions have a well-known
effect on the bias of a point game, as shown in Section 2.2. In this section we present a point
game that is equivalent to the protocol from [37], we introduce the concept of symmetric
point games and provide the optimal point game where splits are only contained in the axes.
3.1.1 Spekkens and Rudolph Protocol
The Spekkens and Rudolph protocol, defined in [37], is a quantum coin flipping protocol that
achieves winning probabilities (PA , PB ) such that PA PB = 21 . In this subsection we define a
point game that achieves the same winning probabilities.
We create a valid point game using a single split on one of the axes, as shown in Figure 3.1.
Since merges do not increase the bias for f (x) = x, we select a single raise to maximize the
number of merges.
35
1
1
2
(p2 )
p2 +
1
2
z
(p2 )
(p1 )
x
1
y
Figure 3.1: The Spekkens and Rudolph point game with undefined parameters.
We sequence the transitions in the order they are applied
1
[1, 0] → p1 [x, 0] + p2 [y, 0] ,
2
p2 [y, 0] → p2 [y, 1] ,
1
1
[0, 1] + p2 [y, 1] → p2 + [x, 1] ,
2
2
1
p2 + [x, 1] + p1 [x, 0] → 1 [x, z] .
2
Notice the bias is only increased by the first and second transitions. The initial split
must satisfy both the probability conservation of Equation 2.1 and the simplified inequality
of Equation 2.5. The raise is inherently valid and the two merges must both satisfy Equation 2.7. By establishing a set of equations from these constraints, and setting one of the
variables as an undefined constant, we determine any set of parameters which make this
point game valid. We define the set of equations
1
p 1 + p2 = ,
2
p1 p 2
1
+
≤ ,
x
y
2
1
p2 y ≤ (p2 + )x,
2
1
(p2 + ) ≤ z.
2
To determine the minimum end bias of this point game, we treat the inequalities as equalities
since any excess increase in weight from a transition will only increases the end bias. Solving
36
1
1
2
√
2−1
2
√ 2
2
√1
2
√
√
2+ 2
2
√1
2
1
1+
√
2−1
2
2
Figure 3.2: The Spekkens and Rudolph balanced coin flipping point game.
this system of equations for an indeterminate x gives
2x − 1
,
2x
1−x
p2 =
,
2x
x
y=
1 − x,
1
z=
.
2x
p1 =
Notice xz will always be equal to 21 . The point game is therefore equivalent to the SRprotocol. Since we are defining a balanced coin flipping protocol, we require that x be equal
to z and therefore
1
x= √ .
2
The resulting point game is given in Figure 3.2.
3.1.2 Symmetric Point Games
In this subsection we define a family of point games such that for each horizontal transition,
there is an identical a vertical transition. We show an example and argue that such point
games can achieve any endpoint obtained with a balanced coin flipping point game.
Definition 3.1. A point game is symmetric if for every point p [x, y] there is a point p [y, x].
37
y
(p2 )
(p2 )
1
x
(p2 )
(p1 )
(p1 )
(p2 )
x
1
y
Figure 3.3: A symmetric point game with a single split on an axis.
Visually, the point game is symmetric over the diagonal line x = y. We create a valid
symmetric point game containing a single split on each axis, as shown in Figure 3.3. It
suffices to solve all horizontal transitions, given by
1
p1 + p2 = ,
2
1
p 1 p2
+
≤ ,
x
y
2
x
p2 y ≤ .
2
We solve this set of equations by substituting the inequalities with equalities to obtain
√
1 ± 4x − 3
p2 =
,
√4
1 1 ± 4x − 3
(3.1)
p1 = −
,
2
4
x
.
y=
2p2
Due to the square root in Equation 3.1, x must be greater or equal to 34 . Setting x equal
to
3
4
results in a valid transition since y is greater than 1. Since the point game is symmetric,
the coordinate x is both the vertical and horizontal coordinate of the endpoint. Therefore,
the resulting endpoint is 1 34 , 34 . We note that the minimum end bias of this point game
coincides with the lower bound for strong coin flipping defined in [4].
38
6
4
6
4
5
4
1
2
4
4
5
4
4
4
3
4
1
2
3
4
2
4
1
4
1
4
1
4
2
4
3
4
1
4
4
4
5
4
2
4
1
4
6
4
1
4
1
4
2
4
3
4
1
4
4
4
5
4
6
4
Figure 3.4: A raise and a perpendicular split are interchangeable.
Lemma 3.1. A balanced coin flipping point game where each line contains at most a raise,
a merge, or a split achieves an end bias greater or equal to 34 .
Proof. Point games that do not contain splits are presented in Section 2.3 and only achieve
a balanced coin flipping point game bias of 1. A split may only occur in one of two places,
either before or after a raise. If the split occurs on the axis, the best point game is that
of Figure 3.3. A raise followed by a perpendicular split can be interchanged, as shown in
Figure 3.4. A split, which occurs after a merge in the same line, is useless since it either
cancels the merge or replaces it with a raise. Therefore, the best possible point game is that
of Figure 3.3.
It is possible that the point game of Figure 3.3 represents a strong coin flipping protocol.
Mochon states that point games follow a reverse time order, since the protocol begins with
the point game’s endpoint and works its way back to its initial configuration [29]. Sikora’s
interpretation of point games, presented in Section 2.3, states that “point raising [may be
thought of] as receiving a message, point merging as generating a message, and point splitting
as checking a message via quantum measurement” [35]. Therefore, the interpretation of the
point game from Figure 3.3 is very similar to the strong coin flipping protocol presented
in [3]. Whether there exists a family of point games that can be mapped into strong coin
39
flipping protocols, with lower bound of either
3
4
or
√1 ,
2
remains an open question.
Lemma 3.2. For every valid point game with endpoint 1 [x, x], there exists a valid symmetric
point game that achieves the same endpoint.
Proof. Given a valid point game with endpoint 1 [x, x], we obtain its reflection by reflecting
all points and transitions along the diagonal line y = x. We divide the probabilities of both
the original point game and its reflection by two. We combine both point games to obtain
a valid point game with endpoint 1 [x, x], since
1
2
[x, x] is its own reflection. For example, we
combine the SR point game with its reflection to obtain the point game of Figure 3.5.
Only symmetric point games are examined in this thesis, since they can achieve the end
bias of any balanced coin flipping protocol, and since they are easier to analyze. We examine
a point game with a point distribution of three points on the axis, shown in Figure 3.6, and
define its set of constraints
1
p1 + p2 + p3 = ,
2
p 1 p2 p 3
p 1 + p2 + p3 ≥
+
+ ,
x
y
z
p3 z ≤ (p2 + p3 )x,
(p2 + p3 )y ≤
x
.
2
Since we define a system of four equations and six variables, we are required to make assumptions to define the parameters. We use an optimization algorithm to determine that
the optimal point game is the symmetric equivalent of the SR point game seen in Figure 3.5.
3.1.3 Extended Symmetric Point Game
In this subsection we generalize the symmetric point game of Figure 3.6 for any number of
connected splits on the axis.
The point game of Figure 3.7 is defined by a set of constraints containing n + 1 equations and 2n variables. Since the optimization algorithm we use has a running time that is
40
√
1+
√
2−1
4
2
√
1
4
1
2−1
4
√
2−1
4
√ 2
4
√1
2
√
√ 2+ 2
4
1
4
1
√1
2
1+
√
2−1
4
2
Figure 3.5: The symmetric equivalent of the Spekkens and Rudolph point game.
(p3 )
z
y
(p2 )
(p3 )
(p3 )
(p2 )
1
x
(p2 )
(p3 )
(p1 )
(p1 )
(p2 )
x
1
y
z
Figure 3.6: A symmetric point game with three points on an axis.
41
in
in−1
in−2
i3
i2
i1
1
i0
i0
1 i1 i2 i3
in−2
in
Figure 3.7: A symmetric point game with n + 1 points on an axis.
exponential in the number of free variables, we require a different method to determine the
optimal endpoint of this point game. The optimal endpoint, when n approaches infinity, is
1 23 , 23 as shown in [29] for a similar point game. Mochon argues that the outermost point
has a probability approaching 0 and is raise to a pair of coordinates approaching (∞, ∞).
The point then progressively collects the probability contained in the axes until it reaches its
final location. The endpoint’s coordinates are determined by integrating the point’s increase
in probability over an infinite number of points.
3.2 Analysis of Transitions
The bias of a point game is determined by the set of transitions that defines it. Combinations
of transitions are only valid if their increase in weight is positive for a specific operator
monotone function, as shown in Section 2.2.3. This significant operator monotone is unknown
for arbitrary transitions other than those defined in Section 2.2.3. We require a better
understanding of combined transitions to search for near-optimal point games efficiently
since we cannot determine the validity of a transition with certainty without knowing its
significant operator monotone. In this section we define the set of transitions that increase
42
the bias of a point game by minimal amounts, we provide a novel method of analyzing
a transition based on its increase in weight for all significant operator monotones, and we
describe a new set of transitions that is used in the construction of near-optimal point games.
3.2.1 Tight Transitions
We minimize the bias of a point game by minimizing the increase in weight of its transitions.
In this subsection we present the concept of a weight curve, which visually depicts the increase
in weight of a transition for all significant operator monotones, we provide the characteristics
of weight curves for two classes of transitions, and we show how to use a transition’s weight
curve to evaluate its optimality. Although determining the weight curve of a transition is
equivalent to determining its significant operator monotone, we argue that the weight curves
resulting from certain manipulations of known transitions are predictable.
Definition 3.2. A transition is tight if it is valid and if there exists a monotonically increasing function f (x) such that
X
f (x)px =
xbefore
X
f (x)px .
(3.2)
xafter
A valid transition from a point distribution A to a point distribution B is tight if there
does not exist an attainable point distribution C that is identical to B for all points but
one which has a smaller coordinate. We say that a point distribution B is attainable from
a point distribution A if there exists a valid transition from A to B. Merges that satisfy
the equality of Equation 2.7 and splits that satisfy the equality of Equation 2.5 are tight
transitions. We indicate in Section 2.3 that tight transitions are preferable because any
excess increase in weight will also increase the end bias of the point game. A merge or a
split, that is not tight, is a tight transition combined with a raise. A raise increases the
weight of a point distribution for all monotonically increasing functions by definition, and
should always be avoided if possible. The point games we present in Section 3.1 require
43
∆weight(λ)
0.5
0
0
0.5
1.0
1.5
λ
Figure 3.8: The weight curve of a valid merge.
raises to create point distributions outside of the axes. In Section 4.3, we show how to create
point games containing only tight transitions.
A combination of different transition types is valid if and only if the increase in weight
is nonnegative for a significant operator monotone, as shown in Section 2.2.3. Such a transition is tight if and only if Equation 3.2 is satisfied for its significant operator monotone.
Determining whether an arbitrary transition is tight is therefore an optimization problem.
1
An arbitrary transition’s significant operator monotone is expressed as f (x) = − x+λ
, for an
unknown λ greater or equal to 0. It is therefore useful to consider a transition’s increase in
weight over all possible λ, when it is combined with other transitions.
The weight curve of a transition is defined by
∆weight(λ) =
X
xbefore
X px
px
−
x+λ x
x+λ
after
for all values of λ greater or equal to 0. A weight curve provides a visual representation
of a transition’s increase in weight over for all possible significant operator monotones. A
weight curve is valid if and only if the increase in weight is nonnegative for all values of λ.
Each transition has a unique weight curve, but transitions that share the same significant
operator monotone have similar weight curves. The visual representation of a valid merge’s
weight curve is given in Figure 3.8.
Both the merge and the raise have a weight curve that satisfies |∆weight(λ1 )| ≥ |∆weight(λ2 )|
for all values λ1 and λ2 such that 0 < λ1 ≤ λ2 . A split’s weight curve is different since its
44
∆weight(λ)
0.030
0.015
0
0
λ0
2
4
λ
6
Figure 3.9: The weight curve of a tight split.
∆weight(λ)
∆weight(λ)
0.030
0.030
0.015
0.015
0
0
2
4
6
λ
2
λ0 λ0
4
6
λ
λ0
−0.015
−0.015
Figure 3.10: A weight curve of a tight split shifted outwards (left) and shifted inwards (right).
increase in weight may approach 0 as λ approaches 0. A tight split’s weight curve is given in
Figure 3.9. Shifting a split changes its increase in weight when λ approaches 0. Shifting the
transition outwards or inwards will result in the weight curves from Figure 3.10. Therefore,
the split’s validity is dependent on its set of coordinates. A split has a value λ0 greater or
equal to 0, for which the absolute value of its increase in weight is maximized. We know that
|∆weight(λ1 )| ≥ |∆weight(λ2 )| whenever λ0 ≤ λ1 ≤ λ2 , and |∆weight(λ2 )| ≥ |∆weight(λ1 )|
whenever 0 < λ1 ≤ λ2 ≤ λ0 . Shifting a split also shifts the value of λ0 , as shown in
Figure 3.10.
45
∆weight(λ)
0.030
0.015
0
2
4
6
λ
−0.015
−0.030
Figure 3.11: A combination of weight curves with non-trivial validity.
Inverting a transition reflects its weight curve along the horizontal axis. Combining
transitions also combines their weight curves. It is sometimes difficult to determine if a
combination of weight curves is valid, since we must verify that the increase in weight is
nonnegative over an infinite number of points. It is even more difficult to determine if
a combination of weight curves is tight. For example, the validity of a combination of
transitions shown in Figure 3.11 is not obvious.
A transition’s weight curve may be used to determine its increase in weight, given a
specific value of λ. It may also be used to compare the optimality of transitions.
Definition 3.3. The average increase in weight of a transition is the area of its weight curve
divided by the total probability. It is used to measure the optimality of a valid transition and
is given by
P
AIW =
xafter
P
px ln |x| − xbefore px ln |x|
.
ptotal
(3.3)
Equation 3.3 is obtained by taking the integral of a weight curve, from λ approaching 0
46
∆weight(λ)
0.5
3
0
0.5
1.0
1.5
λ 2 (1)
(1)
1
−0.5
Figure 3.12: The AIW of a merge combined with its inverse.
∆weight(λ)
0.5
4
(1)
3
0
0.5
1.0
1.5
λ 2 (1)
1
−0.5
Figure 3.13: The AIW of a merge combined with its shifted inverse.
to λ approaching ∞,
1
=
1
ptotal
Z
∞
X px
px
−
dλ
ptotal 0+ x
x+λ x
x+λ
before
after
∞
X
X
px ln |x + λ| −
px ln |x + λ| .
X
xbefore
xafter
0+
A small AIW indicates that the transition will have little effect on the bias when combined
with an arbitrary transition. We note that the AIW approaches infinity if a point is contained
in the axis. It is therefore often useful to shift the transition, such that the minimum
coordinate is equal to 1, in order to obtain a more significant value. The AIW allows us to
compare the optimality of different transitions. We show how altering a transition affects
its AIW. A merge combined with its inverse is the identity operation and has a AIW of 0,
as shown in Figure 3.12. Shifting the split outwards results in a tight transition with an
increased AIW, as shown in Figure 3.13.
A valid point game, that achieves a nontrivial endpoint, contains transitions defined
47
5δ
(2)
4δ
(1)
3δ
(3)
2δ
(1)
δ
Figure 3.14: A standard transition (1, −3, 1, 2).
by different significant operator monotones. It is therefore useful to consider the AIW of
transitions when constructing point games. We show in Chapter 4 that known near-optimal
point games only contain transitions with small AIWs.
3.2.2 Standard Transitions
Section 3.2.1 provides a new method of analyzing and visualizing transitions, but does not
provide a way to determine their validity. In this subsection we present the standard model
which is used to restrict the solution space and construct the point games of Chapter 4.
We present several properties of valid standard transitions and prove that any transition is
standard for multiples of a specific spacing.
Definition 3.4. A point game, or a line, is standard if its points only have coordinates that
are multiples of a constant δ greater than 0.
A transition is standard if it is contained in a standard line. We use the standard notation
to express standard transitions, as shown for an example in Figure 3.14. This notation shows
the flow of probability in the segments of a line between points. A positive probability denotes
a raise and a negative probability denotes a drop.
Standard notation does not provide the set of coordinates of a transition, since we omit
the initial zeros and tailing zeros from the notation. We call multiples of (−1, 1) standard
48
6δ
6δ
(1)
5δ
5δ
4δ
(1)
(1)
4δ
(1)
3δ
3δ
(2)
(3)
2δ
2δ
(1)
(1)
δ
δ
Figure 3.15: The decomposition of a standard transition into standard merges and splits.
splits and multiples of (1, −1) standard merges. The degree of a standard transition is the
number of coefficients in its standard notation.
Since a point is defined by a pair of rational coordinates, it is possible to obtain the GCD
between the coordinates of any set of points. The GCD of points in a line is the spacing δ
of a standard line. Since every point is contained in the standard line, we decompose the
transition into a set of raises and drops with equal spacing δ. Any transition is therefore
expressible in standard notation. If Equation 2.9 is satisfied, we know that the number of
raises is at least equal to the number of drops. If their numbers are equal, it is possible to
decompose the transition into a set of standard merges and splits. The set of standard merges
and splits is obtained by replacing the raise, or drop, at either extremity of the transition
with a merge, or split, and subtracting its probability from the adjacent segment. This step
is repeated for the next raise or drop. We show an example of this process in Figure 3.15.
Lemma 3.3. A standard transition containing an equal number of raises and drops is invalid
if it is composed of more standard splits than standard merges.
Proof. A standard merge p [x, y] + p [x + 2δ, y] → 2p [x + δ, y] must satisfy
p
p
2p
+
−
≥0
x + λ x + 2δ + λ x + δ + λ
for all λ greater than 0. By simplifying this inequality we find that a standard merge is valid
49
if and only if
2pδ 2
≥ 0.
(x + λ)(x + δ + λ)(x + 2δ + λ)
By itself, a standard merge is always valid since 2δ 2 is greater than 0 by definition. A
standard split is invalid by itself since it must satisfy
−2pδ 2
≥0
(x + λ)(x + δ + λ)(x + 2δ + λ)
for all λ greater than 0. A combination of standard merges and splits must satisfy
X
xmerges
X
2pδ 2
2pδ 2
−
≥0
(x + λ)(x + δ + λ)(x + 2δ + λ) x
(x + λ)(x + δ + λ)(x + 2δ + λ)
(3.4)
splits
P
for all λ greater than 0. When λ approaches infinity, we require that xmerges p be greater
P
or equal to xsplits p. Therefore, the number of standard splits cannot be greater than the
number of standard merges. As λ increases, the difference between pairs of xmerges and xsplits
becomes increasingly insignificant. Visually, increasing the value of λ is equivalent to shifting
the standard splits and merges to converging coordinates. When λ approaches infinity, the
set of coordinates of every transition is identical.
We now define the concept of prefix sums which is used to determine the validity of standard transitions. A transition’s set of coordinates S is the union of the pairs of coordinates
from its initial point distribution and its final point distribution. We say that a positive
instance of a transition is the transition shifted by an interval. Similarly, a negative instance
of a transition is the transition’s inverse shifted by an interval. For example, all of the merges
and splits in Figure 3.16 share an identical set of coordinates, shifted by various spacings. We
say that any merge is a positive instance of the standard merge 1 [x, δ] + 1 [x, 3δ] → 2 [x, 2δ],
and any split is a negative instance of the same standard merge.
Let x1 , x2 , . . . , xn be the sequence of instances in a given line, ordered in increasing values
of S. Each xi is equal to the sum of positive instances minus the sum of negative instances
50
7δ
(2)
6δ
5δ
(3)
(1)
4δ
3δ
(2)
(1)
2δ
δ
Figure 3.16: An example for a prefix sum of standard merges.
for a specific S, while n is the number of unique S. In this example, we define
x1 = 1,
x2 = −2,
x3 = −1,
x4 = 3,
x5 = 2.
The prefix sum of a transition is the sequence y1 , y2 , . . . , yn , where yi is the sum of prefixes
of xi such that
y i = x1 + x2 + . . . + xi .
51
In this example, the prefix sum of standard merges is
y1 = 1,
y2 = 1 − 2 = −1,
y3 = 1 − 2 − 1 = −2,
y4 = 1 − 2 − 1 + 3 = 1,
y5 = 1 − 2 − 1 + 3 + 2 = 3.
We say that a prefix sum is positive if each yi , where 1 ≤ i ≤ n, is nonnegative. A prefix
sum is negative otherwise. In this example, the prefix sum of standard merges is negative
since both y2 and y3 are negative.
Lemma 3.4. A combination of standard merges and splits is valid if the prefix sum of
standard merges is positive.
Proof. We show in Lemma 3.3 that a standard split is invalid by itself and that a standard
merge is valid by itself. We also show that a combination of standard splits and merges must
satisfy Equation 3.4 for all λ greater than 0. The combination of a single merge 1 [x1 , y] +
1 [x1 + 2δ, y] → 2 [x1 + δ, y] with its shifted inverse 2 [x2 + δ, y] → 1 [x2 , y] + 1 [x2 + 2δ, y] is
valid if and only if
2δ 2
2δ 2
−
≥0
(x1 + λ)(x1 + δ + λ)(x1 + 2δ + λ) (x2 + λ)(x2 + δ + λ)(x + 2δ + λ)
is satisfied for all λ greater than 0. Therefore, the combination is only valid if x2 is greater
or equal to x1 and the prefix sum of standard merges is positive, as shown in Figure 3.17.
Combining additional standard merges does not make the transition invalid, and the
prefix sum of standard merges remains positive. Since a combination of standard merges
P
P
and splits is invalid if xsplits p is greater than xmerges p, as shown in Lemma 3.3, a valid
transition is composed of at least as many merges than splits. By induction, if we can pair
each standard split with a standard merge that has a smaller set of coordinates, then the
prefix sum of standard merges is positive and the transition is valid.
52
x2 + 2δ
x1 + 2δ
(1)
x2 + δ
x1 + δ
(1)
x2
x1
Figure 3.17: A valid combination of a merge and its shifted inverse.
3.3 Optimal Transitions
Finding transitions with small AIWs is equivalent to finding transitions that have little
impact on the bias of a point game, as shown in Section 3.2.1. In this section we construct
optimal transitions in a standard line, we show how to determine the validity of a standard
transition by solving a linear set of equations, and we present several new properties of valid
standard transitions.
We define a family of transitions which we call basic. These transitions are an important
original contribution since shifting, scaling, or compressing these transitions does not affect
their validity. Shifting a basic transition outwards decreases its increase in weight for all
λ. Since we show in Section 3.2.1 that inverting a transition reflects its weight curve along
the horizontal axis, combining a basic transition with its shifted inverse creates a new basic
transition with a smaller AIW. We show that basic transitions are optimal in a standard line
when their probabilities are defined by certain binomial coefficients. As the degree of these
transitions approaches infinity, their AIW approaches 0. The binomial transitions presented
in this section are used to construct the optimal ladders of Section 4.3.2. We also prove a
new method of determining the validity of a standard transition by solving a linear set of
equations.
53
∆weight(λ)
8
3
0.1
7
3
(1)
2 (1)
0
0.5
1.0
1.5
λ
5
3
4
3
(1)
1
−0.1
Figure 3.18: A valid transition (red) with a negative prefix sum of standard merges.
3.3.1 Construction
In this subsection, we show that valid transitions do not always give a positive prefix sum
of standard merges. We analyze a family of transitions with useful properties, and we show
how they are obtained.
We begin by analyzing a transition that does not give a positive prefix sum of standard
merges but is a valid transition nonetheless in Figure 3.18. Although the prefix sum is not
positive, the first merge’s weight curve compensates for the invalid combination of the second
merge and the split. If we increase the invalid combination’s probability by a large enough
factor, the first merge’s contribution to the combined weight curve becomes insignificant and
the resulting weight curve resembles that of a split combined with its inverse shifted to a
higher set of coordinates, as shown in Figure 3.19.
We show in Section 3.2.1 that a merge combined with its inverse is the identity operation
and that this transition has an AIW of 0. Shifting the inverse by a positive interval increases
the combined transition’s AIW by a proportional amount. As the shift’s interval approaches
0, so does the combined transition’s AIW.
The inverse of a valid merge has an identical weight curve to that of the merge, but
reflected along the horizontal axis. Therefore, the resulting split has a λ0 equal to 0 and
satisfies |∆weight(λ1 )| ≥ |∆weight(λ2 )| whenever 0 < λ1 ≤ λ2 . Shifting the split outwards
54
∆weight(λ)
8
3
0.2
7
3
(10)
2 (10)
0
0.5
1.0
λ
1.5
5
3
4
3
(1)
1
−0.2
Figure 3.19: An invalid transition (red) with a negative prefix sum of standard merges.
∆weight(λ)
∆weight(λ)
0.05
0.01
0
0
2
4
6
λ
2
−0.05
−0.01
−0.10
−0.02
4
6
λ
Figure 3.20: The inverse of a valid merge (left) shifted outwards (right).
does not alter the value of λ0 if λ0 is equal to 0, as shown in Figure 3.20.
Definition 3.5. A weight curve is monotone if |∆weight(λ1 )| is greater or equal to |∆weight(λ2 )|
for all values of λ1 and λ2 such that 0 < λ1 ≤ λ2 .
Definition 3.6. A transition is basic if its weight curve is monotone for all possible shifts.
A basic transition always begins with a raise since it must be valid when its coordinates are
shifted to their minimal nonnegative set. For example, a valid merge 1 [x, 1]+1 [x, 3] → 2 [x, 2]
is basic since its weight curve is valid and monotone when shifted to 1 [x, 0]+1 [x, 2] → 2 [x, 1],
as shown in Figure 3.21.
However, a valid split 2 [x, 6] → 1 [x, 5] + 1 [x, 8], which has a monotone weight curve, is
no longer valid when shifted to 2 [x, 1] → 1 [x, 0] + 1 [x, 3], as shown in Figure 3.22. Since
there exists an xafter equal to 0, Equation 2.4 is not satisfied when λ approaches 0.
55
∆weight(λ)
10
3
2
5
1
(1)
0
0
0.5
1.0
1.5
x
λ
Figure 3.21: A valid merge is also valid when shifted to its minimal set of coordinates.
∆weight(λ)
500
3
0
0.25
0.50
0.75
λ 2
(1000)
1
(1)
−500
x
Figure 3.22: A split is never valid when shifted to its minimal set of coordinates.
56
Theorem 3.1. The combination of a valid basic transition and its shifted inverse is valid if
and only if the sum of coordinates of the inverse is greater or equal to that of the original
transition.
Proof. This theorem is similar to Lemma 3.4, but is generalized for all basic transitions
instead of only standard transitions. A transition combined with its inverse, shifted by a
spacing δ, is valid if and only if
X
xbefore
X
X px
X
px
px
px
+
≥
+
x+λ x
x+δ+λ x
x+λ x
x+δ+λ
after
after
before
for all λ greater than 0, or equivalently
X
xbefore
X px
X
X
px
px
px
−
≥
−
x+λ x
x+λ x
x+δ+λ x
x+δ+λ
after
before
(3.5)
after
for all λ greater than 0. By observation, we conclude that Equation 3.5 is valid if and only
if δ is greater or equal to 0.
The inverse of a valid transition has a negative increase in weight for all values of λ
greater than 0, since inverting a transition reflects its weight curve along the horizontal
axis, as shown in Section 3.2.1. Combining a valid transition with its inverse, as shown in
Theorem 3.1, decreases the valid transition’s weight curve for all values of λ. The resulting
transition consequently has a smaller AIW than the original transition. The process of
combining a valid transition and its inverse is repeated to obtain near-optimal transitions,
as shown in Section 3.3.2.
3.3.2 Binomials
A basic transition is useful when constructing point games because its validity is independent
of its set of coordinates. The transition is therefore valid even when it is scaled, shifted,
or compressed to meet the needs of the point game. In this subsection we present basic
standard transitions derived from Theorem 3.1, we prove their optimality, and we present a
57
3δ
3δ
2δ
2δ
(1)
(1)
δ
δ
Figure 3.23: A standard raise (left) and a standard merge (right).
new method of determining the validity of an arbitrary transition by solving a linear set of
equations.
The simplest valid basic transition is the raise (1), and combining it with its inverse
shifted by a single spacing gives a merge (1, −1), as shown in Figure 3.23. Since the merge is
basic, combining it with its inverse results in a transition known to be valid from Lemma 3.4,
as shown in Figure 3.24. By repeating this process again, we obtain a transition that does
not give a positive prefix sum of standard merges, as shown in Figure 3.25, but is valid
nonetheless. We effectively predict the subsequent transitions obtained through this process,
since we are creating binomial coefficients of the form
(−1)
k+1
n
n!
= (−1)k+1
,
k
k!(n − k)!
where n is the degree of the transition and k is the coefficient’s position in the standard
notation. These transitions, in standard notation, are expressed by the lines of Pascal’s
triangle shown in Table 3.1. A comprehensive reference on binomial coefficients may be
found in [17].
These transitions are ideal for building near-optimal point games since they are basic and
their AIW decreases as n increases. They are in fact the optimal basic transitions of any
standard line. The inverse is shifted by the smallest possible interval and shifting it further
outwards would increase the transition’s AIW. We cannot decrease the transition’s AIW by
adding a split since Lemma 3.3 must be satisfied. Adding an invalid combination of merges
and splits may result in a valid transition with a smaller AIW, but the resulting transition
58
4δ
4δ
(1)
(1)
3δ
3δ
(2)
(1)
2δ
2δ
(1)
δ
δ
Figure 3.24: A transition defined by (1, −2, 1).
5δ
5δ
(1)
4δ
(1)
4δ
(1)
(2)
3δ
(3)
3δ
(2)
(1)
2δ
(3)
2δ
(1)
(1)
δ
δ
Figure 3.25: A transition defined by (1, −3, 3, −1).
n = 1:
n = 2:
1
1
n = 3:
1
n = 4:
1
n = 5:
n = 6:
1
1
-2
-3
-4
-5
-1
1
3
6
10
-1
-4
-10
1
5
-1
Table 3.1: A binomial transition of degree n is defined by the nth row of Pascal’s triangle.
59
would not be basic.
Definition 3.7. A transition is binomial if it is expressed in standard notation, as a sequence
of binomial coefficients with alternating sign of the form n1 , − n2 , n3 , . . . , (−1)n+1 nn .
The inverse of a binomial transition n1 , − n2 , n3 , . . . , (−1)n+1 nn is the transition
− n1 , n2 , − n3 , . . . , (−1)n nn . Any combination of binomial transitions is valid and basic,
since combining any number of basic transitions results in a weight curve that satisfies
|∆weight(λ1 )| ≥ |∆weight(λ2 )| whenever λ2 is greater or equal to λ1 .
Theorem 3.2. A standard transition of degree n is valid and basic if it is composed of at
least as many binomial transitions of degree i than its shifted inverse, for all i such that
0 < i ≤ n.
Proof. We show in Section 3.3.1 that a transition is basic if its weight curve satisfies
|∆weight(λ1 )| ≥ |∆weight(λ2 )|
for all values of λ1 and λ2 such that 0 < λ1 ≤ λ2 , and for all possible shifts. Basic transitions
are useful since they maintain their validity for any possible shift. In Section 3.2.2, we
show that any transition is contained in a standard line and is therefore composed of a set of
standard transitions. We show in Section 2.2.3, that any valid transition may be decomposed
into a set of merges, raises, and splits since their significant operator monotones span the
space of all operator monotone functions. We show in Section 3.3.1 that both the merge and
the raise are basic, and that the split is not. In this theorem, we show which combinations
of transitions containing splits are basic.
We show in Lemma 3.4 that a transition is invalid if it is composed of less standard
merges than its inverse. Similarly, we can prove that a transition is invalid if it is composed
of less valid transitions than their inverses. Therefore, we require at least as many binomial
transitions of degree i than its inverse, for all i such that 0 < i ≤ n.
60
A transition is only basic if it has a positive prefix sum of a basic transition, as shown in
Section 3.3.1. A transition has a positive prefix sum of a binomial transition if there are at
least as many binomial transitions of degree i than its inverse, for all i such that 0 < i ≤ n.
This is easily proven by recursion, since each binomial transition of degree i has a positive
prefix sum of binomial transitions of degree i − 1, as shown in Section 3.3.2.
We look at an example of a standard transition (a, b, c, d, e, f ) and show how to determine
its validity based on Theorem 3.2. To determine whether there are more raises than drops,
61
we subtract multiples of (1, −1) from the vector until we are left with a remainder.
    

a
a
0
    

    

 b  −a b + a
    

    

    

c  0   c 
 − =


    
d  0   d 
    

    

e  0   e 
    

    

f
0
f

 
 

0
0
0

 
 


 
 


b + a  b + a  
0

 
 


 
 


 
 

 c  −b − a c + b + a

−
=



 
 
 d   0  

d

 
 


 
 

 e   0  

e

 
 


 
 

f
0
f





..
.

0
0
0

 
 


 
 







0
0
0

 
 


 
 


 
 

0
0
0

 
 


=
−


 
 


 
 

0
0
0

 
 


 
 


e + d + c + b + a  e + d + c + b + a  
0

 
 


 

 
a+b+c+d+e+f
f
−e − d − c − b − a
Since we subtract an equal number of raises and drops from the transition, a positive
remainder indicates an excess of raises and a negative remainder indicates an excess of drops.
Therefore, a non-negative remainder indicates there are at least as many raises as drops. A
transition is composed of at least as many raises as splits if and only if
a + b + c + d + e + f ≥ 0.
62
(3.6)
The same process is applied to determine if there are at least as many merges as splits by
subtracting multiples of (1, −2, 1).

 
  
0
a
a

 
  

 
  
 b  −2a b + 2a

 
  

 
  

 
  
c  a   c − a 

=
 −

 
  
d  0   d 

 
  

 
  
e  0   e 

 
  

 
  
f
0
f

 
 

0
0
0

 
 


 
 


b + 2a  b + 2a  
0

 
 


 
 


 
 

 c − a  −2b − 4a c + 2b + 3a

=
−


 
 

 d   +b + 2a   d − b − 2a 

 
 


 
 




 e  
e
0

 
 


 
 

f
0
f

0



0

..
.

0

 
 


 
 







0
0
0

 
 


 
 


 
 

0
0
0

 
 


−
=


 
 

d + 2c + 3b + 4a  d + 2c + 3b + 4a  

0

 
 


 
 

 e − c − 2b − 3a  −2d + 4c + 6b + 8a e + 2d + 3c + 4b + 5a

 
 


 
 

f
d + 2c + 3b + 4a
f − d − 2c − 3b − 4a
At this point, we are left with a transition of degree 2, which is a valid merge if e+2d+3c+
4b + 5a ≥ f − d − 2c − 3b − 4a. This inequality is identical to Equation 3.6, since subtracting
multiples of (1, −2, 1) also subtracts multiples of (1, −1). Satisfying this inequality does not
guarantee that the transition is valid, since we do not know if we subtracted more positive
multiples than negative multiples of (1, −2, 1). We therefore subtract another multiple of
63
the binomial transition and ignore its last coefficient to obtain

 



0
0

 

0





 
 


 
0
0
 







0

 




 
0
0
 


 
=
.

−
0
 


 



0
0

 



e + 2d + 3c + 4b + 5a 
 


 



  e + 2d + 3c + 4b + 5a 
0
 





f − d − 2c − 3b − 4a
−2e − 4d − 6c − 8b − 10a
6a + 5b + 4c + 3d + 2e + f
A transition is composed of at least as many merges as splits if and only if
6a + 5b + 4c + 3d + 2e + f ≥ 0.
To determine whether there are more positive instances than negative instances of a
binomial transition, we subtract instances of a binomial transition of one degree higher since
a binomial transition of degree n greater than 1 is composed of exactly one positive instance
and one negative instance of the binomial transition of degree n − 1. The inequalities for all
binomial transitions are generalized in Equation 3.7.
Corollary 3.3. Let (c1 , c2 , . . . , cn ) be a standard transition of degree n. The transition is
valid and basic if c1 is greater than 0 and

n−1
n−2
...
 0
0

 n
n−1
...
 1
1

 ..
..
..
 .
.
.


2n−2
2n−1
...
n−1
n−1
   
  c1  0

  
 
1  
 c  0
1 
  2  
..   ..  ≥  ..  .
   
. 
  .  .
    
n−1
cn
0
n−1
0
0
(3.7)
The transition is guaranteed to start with a raise since we impose the constraint c1 > 0.
We show in Section 3.3.1 that this is a requirement of basic transitions. If Equation 3.7 is
satisfied, there is a positive prefix sum of binomial transitions of degree n − 1 since there are
at least as many binomial transitions of degree i than inverses, for 1 ≤ i ≤ n − 1. We show
in Section 3.3.2 that a binomial transition of degree n is composed of exactly one binomial
64
transition of degree n − 1 and one of its inverse. Since c1
2n−1
n−1
+ c2
2n−2
n−1
+ . . . + cn
n−1
n−1
≥0
is satisfied, we subtract at most one multiple of the inverse, after the same multiple of the
valid transition. Without this restriction, it is easy to show that this corollary is not valid.
For example the transition (−1, 3, −1) is not basic, yet

   
1 1 1 −1 0

   
3 2 1  3  ≥ 0

   

   
6 3 1
−1
0
is satisfied.
65
Chapter 4
Point Games with Arbitrarily Small Bias
In this chapter we use the analysis and construction techniques presented in the previous
chapter to give a detailed guide on how to obtain point games with an arbitrarily small
cheating bias. Since it is shown in [3] that a coin flipping protocol with zero bias would
require an infinite number of rounds of communication, a point game with zero bias would
require an infinite number of points. It is unclear what a point represents in an actual
protocol, but it is clear from Section 2.3 that the number of points in a point game is
proportional to the number of messages in its equivalent protocol. We analyze the point
games presented in [29] and argue that no finite point game with arbitrarily small cheating
bias has yet been proven to exist, since those presented in the paper require an infinite
number of points and such point games cannot be mapped into protocols. We provide a
detailed analysis of a structure, known as a ladder, that is used to minimize the bias of a
point game. We present a new family of optimal infinite ladders and provide a new method
to efficiently truncate these ladders. A new recursion method, more efficient than the one
presented in [29], is also provided.
4.1 Catalyst Points
We prove in Section 3.1.3 that a point game defined by a sequence of splits, followed by
raises and merges, can only achieve a bias greater than 23 . A smaller bias is only achievable
by eliminating the isolated raises from the point game, which is not possible with the initial
configuration defined in Section 2.1.4. In this section we define a new type of point that
allows us to create new point distributions which may lead to point games with a smaller
end bias. We also present a structure that contains such points.
66
Definition 4.1. A point is catalyst if it exists in both the initial and final configuration of
a point game.
Catalyst points are a valid component of point games since their presence does not
affect the difference in bias between the initial and final configurations. If a transition is
performed on a catalyst point in an intermediary step, than the inverse of that transition
must be performed by the final step. We know from Section 3.2.1, that a transition combined
with its inverse has an average increase in weight of 0. A balanced coin flipping point game
may only contain a symmetric set of catalyst points, since the vertical and horizontal biases
of the initial configuration must remain equal.
Catalyst points allow us to create new point distributions and perform transitions that
could not be performed in a point game otherwise. It is possible to achieve a smaller end
bias by performing transitions with smaller AIWs. A catalyst point is only useful if it is
displaced from its initial pair of coordinates in an intermediary step. We note that a catalyst
point must also have positive coordinates to be useful, since Lemma 2.3 shows that a catalyst
point cannot be displaced if it is contained in an axis. Because a catalyst point must return
to its initial pair of coordinates by the final step, we are able to identify a set of connected
transitions that conserves the catalyst point’s probability and forms a closed pattern. An
example of such a set of transitions is given in Figure 4.1 and is defined by
{(p [x, y] →
p [x, y + δ]),
(p [x, y + δ] → p [x + δ, y + δ]),
(4.1)
(p [x + δ, y + δ] →
p [x + δ, y]),
(p [x + δ, y] →
p [x, y])}.
Definition 4.2. A set of transitions is a loop if the incoming probability of each point is
equal to the outgoing probability.
A single loop is never valid by itself, but when combined with the proper set of loops and
transitions, it becomes a useful tool for constructing point games. In this chapter we only use
67
y+δ
p
y
x x+δ
Figure 4.1: A loop of probability p.
loops that are defined by Equation 4.1 for a real value p, a positive set of coordinates (x, y),
and a positive spacing δ since they are simple and easy to use. A positive probability in
this loop denotes a clockwise rotation and a negative probability denotes a counterclockwise
rotation of probability. Note that a negative probability in a transition from Equation 4.1
simply signifies that the direction of the arrow is reversed.
4.2 Ladders Defined
In this section we present a structure that combines loops, known as a ladder. We present
several properties of the ladder and introduce how to use such structures to reduce the bias
of a point game.
A ladder is a symmetric set of loops that allows us to achieve better endpoints. We
combine instances of the loop defined in Equation 4.1, so that the raise contained in one
loop compensates for the drop in another, as shown in Figure 4.2. An explicit example of a
ladder is provided in Figure 4.7. A ladder is not a valid structure by itself since it is entirely
composed of loops, which we know are invalid. Therefore, the invalid lines of a ladder require
an additional input.
Definition 4.3. A point contained in a ladder is called a hinge if it is the lowest point in
an invalid line.
68
7
3
−p7 p4
6
3
−p6 p3
5
3
−p4
−p5 p2
4
3
−p3 p7
p1
−p2 p6
3
3
−p1 p5
2
3
1
3
1
3
2
3
3
3
4
3
5
3
6
3
7
3
Figure 4.2: A ladder composed of a combination of loops.
By definition, the set of all hinges is symmetric. A line containing a hinge is called a
hinge line. By construction, there are as many valid as there are invalid hinge lines in a
ladder, as shown for example in Figure 4.3.
To simplify our analysis of ladders, the only lines of a ladder we combine with other
transitions are its hinge lines. In this chapter we define τ as the coordinate of the outwardmost hinge line. We must combine an invalid hinge line with a raise to make it valid.
The amount of probability raised is determined by the hinge line’s decrease in weight. The
decrease in weight is minimal if we make every line after coordinate τ tight. We say that a
ladder has a single-hinge if it only contains a single hinge line and its symmetric opposite.
Scaling every loop probability of a ladder by a common positive factor does not affect
the validity of its lines, which is obvious from our observations in Section 2.2.2. A ladder is
optimal if the set of invalid hinge lines it contains has the smallest AIW for all ladders with
identical hinge line coordinates. In other words, there does not exist a ladder with hinge
lines defined by an identical set of coordinates, such that the AIW of each line is smaller.
Necessarily, every line of an optimal ladder, that does not contain a hinge, must be tight.
69
−p7 p4
−p6 p3
−p5 p2
p1
−p4
−p3 p7
−p2 p6
τ
−p1 p5
τ
Figure 4.3: The invalid (red) and the valid (blue) hinge lines of a ladder.
4.3 Infinite Ladders
In this section we introduce ladders that contain an infinite number of loops and argue that
only such ladders may be optimal. We present a family of ladders that are optimal and are
constructed using binomial transitions.
4.3.1 The Single Ladder
The optimal point game of Section 3.1.3, shown in Figure 3.7, is impractical since its parameters are obtained from an under-defined set of equations. In this subsection we present
a single-hinge ladder that achieves the same endpoint and we define all of its parameters.
The point game of Section 3.1.3 is optimal when the number of points on the axis approaches infinity and the spacing between each point approaches 0. The point game is
therefore approximately standard for a δ approaching 0. We modify this point game, by
shifting some of its raises away from the axes, to obtain the pattern in Figure 4.4. We
restrict the parameters of this point game by forming a ladder with a set of loops, as shown
in Figure 4.5.
We say that a ladder, such as the one from Figure 4.5, is single if it is contained in
70
..
.
1
1
Figure 4.4: We modify the symmetric extended point game to obtain a ladder
5
2
p3
4
2
p2
3
2
2
2
1
2
..
−p3
p1
1
2
.
−p2
−p1
1
2
1
2
2
2
3
2
4
2
5
2
Figure 4.5: The undefined single ladder.
71
a standard point game of spacing δ greater than 0 and all of its loops contain a point at
coordinates (δx, δx), for integers x such that
τ
δ
≤ x. We define the loop probabilities of the
ladder in Figure 4.7 to determine the endpoint of the point game. The raise, combined with
the invalid hinge line at coordinate 1, is fixed by the probability of the initial configuration.
The set of probabilities {p1 , p2 } must therefore be defined to obtain a valid transition in the
line of coordinate 1. We maximize the value of p1 in order to minimize the pair of coordinates
of the endpoint, as shown previously in this section. We show in Section 4.4.2 that a single
ladder cannot be truncated if its loop probabilities increase along the diagonal. The value
of p2 must therefore be smaller or equal to that of p1 . We solve the set of equations
1
+ p2 − 2p1 ≥ 0,
2
p1 ≥ p2 ,
to obtain p1 = p2 = 21 , which is a valid solution since the prefix sum of standard merges in the
line is positive. We repeat the loop probabilities p1 and p2 for every loop along the diagonal
since transitions of the form (1, −1, 1, −1) are valid according to Lemma 3.4. We use the
valid hinge lines of the ladder to create a split and send probability inwards in order to obtain
the point game of Figure 4.6. This point game does not contain a valid final configuration
however, since it contains two endpoints. We present in Section 4.5 how to achieve a single
endpoint from a point game with two endpoints, by using recursion. Without recursion
however, we shift the ladder outwards, we compress its loops, and we scale its probabilities
to obtain the point game of Figure 4.7. Notice we achieve the optimal endpoint 1 23 , 32 from
Section 3.1.3 with our simplest ladder.
4.3.2 Binomial Ladders
It is difficult to find ladders, and transitions that connect to their hinges, which form optimal
point games. In this subsection we present a new optimization problem which consists of
finding an intermediate configuration containing a dual-endpoint. We define a new standard
72
6
2
5
2
1
2
4
2
1
2
− 21
1
2
1
2
.
− 12
1
2
3
2
2
2
..
1
2
− 12
− 12
1
2
1
2
2
2
3
2
4
2
5
2
6
2
Figure 4.6: A single ladder with dual-endpoints.
7
3
1
6
3
2
3
−1
1
4
3
−1
1
1
−1
2
1
3
1
2
1
3
.
−1
1
5
3
3
3
..
2
3
3
3
4
3
5
3
6
3
7
3
Figure 4.7: A single ladder with single endpoint.
73
ladder that achieves such a configuration, and we generalize this ladder for all standard
spacings
1
x
where x is an integer greater than 1. Furthermore, we define a method of solving
the parameters of such ladders using a linear set of equations defined by binomial coefficients.
We say that a configuration has a dual-endpoint if it only contains a set of two symmetric
points and a symmetric set of catalyst points. A valid point game cannot contain a dualendpoint configuration { 21 [x, y] , 12 [x, y]} where both x and y are smaller or equal to 12 , since
a final configuration of 1 21 , 12 would be achievable with recursion, as shown in Section 4.5.
Therefore, a valid point game may only contain a dual-endpoint configuration where x is
strictly greater than 1 − y, since x and y must be less than or equal to 1, and x + y ≥ 1. If
a dual-endpoint configuration is found such that x is arbitrarily close to 1 − y, then a point
game with arbitrarily small bias is achievable with recursion, as shown in Section 4.5.
We show in Section 4.3.1 that a single ladder’s valid hinge line is used to form an equal
probability split in Figure 4.6. We show in Section 2.2.4 that such a transition must satisfy
the inequality
γ≤
xδ
,
x + 2δ
for x equal to 1 and δ equal to 12 . We notice the difference between δ and γ approaches 0
as δ approaches 0. By reducing δ and maintaining the split at a distance δ from the axis,
we create a dual-endpoint configuration where x is closer to 1 − y. This is accomplished by
compressing the ladder, since δ is equal to the spacing of each loop, and using additional
loops to keep the split at a distance δ from the axis. For example, we divide δ by two and
obtain the ladder in Figure 4.8.
This set of transitions is not valid however since the line at coordinate 1 is composed
of more standard splits than merges, which is invalid according to Lemma 3.4. We must
therefore add a new set of loops to make this line valid. Increasing the probability of
the outwards most loop would make the line valid, but would require a single ladder with
increasing probabilities. Such a ladder cannot be truncated, as shown in Section 4.4.2.
74
7
3
2
6
3
−2
2
4
3
1
.
−2
2
5
3
3
3
..
−2
1
(1)
−1
2
3
−1
1
3
(1)
1
3
2
3
3
3
4
3
5
3
6
3
7
3
Figure 4.8: A single ladder with added loops.
Furthermore, the resulting line at coordinate 1 would not be tight. Instead of adding a raise
to the line, we add a merge to create a tight transition. We fix this merge’s probability in
order to create a positive prefix sum for a binomial transition. This probability is determined,
as shown in Corollary 3.3, by

1


 6



 21


 56


126


252
satisfying
1
1
1
1
5
4
3
2
15
10
6
3
35
20 10 4
70
35 15 5
126 56 21 6
 
0
1
1
  

  

  

1
  −1  0
  

  

1  −1  0
 ≥  .

  

 


1  −1 
 0
  

2 + p 0
1
  


  
0
−p
1


(4.2)
This inequality is satisfied when p is equal to 2 since the prefix sum of (1, −2, 1) is positive.
75
The loop probabilities are similarly defined for the line at coordinate 32 , by satisfying

1
1


 6
5



 21 15


 56 35


126 70


252 126
 
0

  

  

  
1
  1  0

  

  
1  −4  0

 ≥  ,

  
 −4  0
1

  

  


 
1 6 + p
 0

  
−p
0
1
1
1
1 1
4
3
2
10
6
3
20 10 4
35 15 5
56 21 6

1

(4.3)
such that p is equal to 5. We use Equation 3.7 to solve every subsequent line, in increasing
order of coordinates, and we obtain the ladder contained in Figure 4.9. We notice this ladder
contains a single ladder with an additional support, as shown in Figure 4.10. We determine
the optimal ladder, where δ is equal to 41 , using Equation 3.7 and obtain the ladder contained
in Figure 4.11.
Equation 3.7 allows us to determine the optimal ladder for any spacing x1 , where x is an
integer greater or equal to 2. We say that a single-hinge ladder is a k-ladder if it is symmetric
and each line of coordinate x, where x is a multiple of δ such that τ ≤ x ≤ Γ, contains k + 1
points located at coordinates (x, x + δ), (x, x + 2δ), . . . , (x, x + (k + 1)δ). We solve the loop
probabilities of a k-ladder by satisfying

2k+1
2k
 0
0

 2k+2 2k+1
 1
1

 ..
..
 .
.


3k−1
3k
k−1
k−1
...
...
..
.
...

 
  c1  0
  

  
1 
c


0
2 
1 
≥ 
..   ..   .. 

  
. 
  .  .


  
k−1
c
0
2k+2
k−1
0
0

(4.4)
for a k equal to 1δ −1 and the appropriate set of constants c1 , c2 , . . . , ck+1 . We define c1 equal to
1, and c2 , c3 , . . . , ck+1 = −1 for the line at coordinate 1. We solve the lines sequentially from
lowest to highest coordinate using Equation 4.4. The value of k determines the coordinates of
the dual-endpoint configuration since the final split is of equal probability. As k approaches
infinity, the coordinates of the dual-endpoint approach {(1 − k1 , k1 ), ( k1 , 1 − k1 )}.
76
12
3
..
−35
.
11
3
−27
64
10
3
−20
−64
49
35
9
3
−14
−49
36
27
8
3
−9
−36
25
20
7
3
−5
−25
16
14
6
3
−2
−16
9
9
5
3
−9
4
5
4
3
1
3
3
−4
1
(1)
2
−1
2
3
−1
1
3
(1)
1
3
2
3
3
3
4
3
5
3
6
3
7
3
8
3
9
3
10
3
Figure 4.9: The optimal double ladder.
77
11
3
12
3
7
3
−5
6
3
4
3
.
−7
−2 −2
−2
−7 5
−2
−2
−2 2
1
−2
5
3
3
3
..
1
(1)
−1
2
3
−1
1
3
(1)
1
3
2
3
3
3
4
3
5
3
6
3
7
3
Figure 4.10: The double ladder contains a single ladder.
4.4 Finite Ladders
Point games with infinite ladders cannot be mapped into protocols since we require point
games to be discrete. We must therefore cutoff a ladder at a certain distance Γ. In this
section we present the best previously-known ladders and provide several new insights on
their construction. We present a new efficient truncation for single ladders. We generalize
this truncation technique to achieve an efficient truncated ladder for any k-ladder and we
present several possibilities to achieve different sets of hinge lines.
We say that a ladder is truncated if it only contains a finite number of loops. A truncated
ladder is not optimal since we can always reduce the AIW of its invalid hinge lines by
increasing the value of Γ. We say that a truncated ladder is efficient if we cannot reduce
the AIW of its invalid hinge lines by modifying the ladder’s loop probabilities. An example
of an efficient ladder is given in Figure 4.16.
78
12
4
..
.
225
11
4
120 −735
10
4
56 −384 721
9
4
21 −175 365
−721 735 −225
8
4
−64 160
3
−365 384 −120
7
4
−15
−160 175 −56
56
6
4
13
−56
64
15
−3
−21
5
4
1
4
4
1
−13
1
(1)
−1
3
4
−1
2
4
−1
1
4
(1)
1
4
2
4
3
4
4
4
5
4
6
4
7
4
8
4
9
4
10
4
Figure 4.11: The optimal triple ladder.
79
11
4
12
4
4.4.1 Previously-known Ladders
Two constructions of truncated ladders are presented by Mochon in [29], which we call
polynomial ladders and one-shot ladders. Although the single-hinge ladders presented in
Section 4.3.2 share the same structure as the polynomial ladders, their loop probabilities
and their truncation share no resemblance. In this subsection we redefine the polynomial
ladders from [29] and present several new insights to argue that they are not efficient ladders.
We also redefine the one-shot ladders from the same paper and argue that, although they
provide a constructive proof for point games with arbitrarily small cheating bias, no finite
point game with arbitrarily small cheating bias has yet been proven to exist.
Mochon uses techniques in mathematical analysis to create his formalism of secure twoparty computations. Some of these techniques carry over to his description of point games,
such as his description of ladders as infinite series, the use of monotonic functions, and
the many integrations and differentiations in his proofs. A comprehensive reference on
mathematical analysis may be found in [33].
The polynomial ladder is contained in a standard point game of spacing and is defined
by a set of points with coordinates (x + i, x) and associated probability
Qk−2
k Qk
x
x
x
x
Γ+a− j0 − b − −C(−1)
a=1 Γ + a − − i
b=1 j0 − b − − i
, (4.5)
Qk
j=−k,j6=i,j6=0 (j − i)
where x is an integer such that
1
≤ x ≤ Γ, i is an integer such that −k ≤ x ≤ k but is
not equal to 0, k is an integer equal to −1 , j0 and Γ are integers greater than k, and C is a
constant greater than 0.
A positive value indicates an incoming probability, while a negative value indicates an
outgoing probability. Since the point game is symmetric, Equation 4.5 defines both the
points of the horizontal and vertical transitions of the point game. It is shown in [29] that
n
X
Q
i=1
f (xi )
= 0,
j6=i (xj − xi )
80
(4.6)
for a polynomial f (x) of degree k < n − 1, and that
X
Q
i
−f (xi )
[xi ]
j6=i (xj − xi )
(4.7)
gives a valid transition. Notice this summation gives a point distribution of points p [x, c],
where p may be positive or negative, and c is a constant. Equation 4.5 is obtained by
replacing the polynomial in Equation 4.7 with the terms
upper truncation
lower truncation
=
=
k Y
x
x
Γ+a− −i Γ+a−
,
(4.8)
x
x
− i j0 − b −
.
(4.9)
a=1
k−2
Y
j0 − b −
b=1
These terms ensure that the probability of points not contained in the ladder is equal to 0,
as shown in Figure 4.12. A valid ladder is obtained for any positive integer k and any integer
Γ, each of which must be greater than 1. For example, we set k equal to 4 and Γ equal to
14 to obtain the set of points in Figure 4.12. Notice the factors from the lower truncation
term of Equation 4.9 increase as the point moves further away from the coordinates (0, 0).
Similarly the factors from the upper truncation term of Equation 4.8 decrease as the point
moves further away from the coordinates (0, 0). The denominator of Equation 4.5 is the
same for all points in the same diagonal line of slope one. The legend in Figure 4.12 shows
how to increment, or decrement, the absolute values of factors when moving from one point
to the next.
We determine the set of transitions that defines the point game of Figure 4.12 by fixing
the loop probabilities. The sum of outgoing probabilities at each point must be equal to the
sum of incoming probabilities, both of which must be equal to the probability of the point
defined by Equation 4.5. The probability of a point that is only contained in a single loop
must necessarily be equal to the loop’s probability. We trivially assign the loop probabilities
in the outer layer of the ladder. We then proceed to assign the probabilities of loops that
share a point with loops that are already defined by solving a trivial sum of probabilities
with a single indeterminate. This process is repeated until all of the loops are defined, to
81
obtain the ladder of Figure 4.13. We notice the polynomial factors that define the point
probabilities are easily determined if at least one point is defined. The dividing term of the
polynomial is identical for all points in a diagonal line of slope one. The upper and lower
truncation terms are altered by incrementing or decrementing their absolute values, as shown
in the legend of Figure 4.12.
Notice that none of the lines in Figure 4.13 are tight, which indicates that the truncated
polynomial ladder is not optimal. There is no obvious method of altering the loop probabilities such that each transition is tight and the ladder remains valid. We analyze the ladder
when Γ approaches infinity by defining the loop probabilities shown in Figure 4.14 with
Q
k
x=1 (Γ + x − 4) (Γ + x − 4) (3 · 2)(−1 · −2)
,
p1 =
(1 · 2 · 3 · 5 · 6 · 7 · 8)
Q
k
(Γ
+
x
−
4)
(Γ
+
x
−
5)
(2 · 1)(−2 · −3)
x=1
p2 =
,
(1 · 2 · 3 · 5 · 6 · 7 · 8)
Q
k
(Γ
+
x
−
4)
(Γ
+
x
−
8)
(−1 · −2)(−5 · −6)
x=1
a =
,
(1 · 2 · 3 · 5 · 6 · 7 · 8)
Q
k
(Γ
+
x
−
4)
(Γ
+
x
−
7)
(−1 · −2)(−4 · −5)
−
x=1
− a,
b =
(−1 · 1 · 2 · 4 · 5 · 6 · 7)
Q
k
(Γ
+
x
−
4)
(Γ
+
x
−
6)
(−1 · −2)(−3 · −4)
x=1
c =
− b.
(−2 · −1 · 1 · 3 · 4 · 5 · 6)
When Γ approaches infinity, we notice that p1 is approximately equal to p2 since they
share the same lower truncation term and dividing factor. Since a ladder may be scaled by
any positive factor, we set p1 equal to 1 and approximate p2 to 1 as well. We must also scale
all other loop probabilities by the same positive factor. We obtain the value of a by dividing
Q
k
(Γ
+
x
−
4)
(Γ
+
x
−
8)
(−1 · −2)(−5 · −6)(1 · 2 · 3 · 5 · 6 · 7 · 8)
x=1
Q
a =
k
(1 · 2 · 3 · 5 · 6 · 7 · 8)
(Γ
+
x
−
4)
(Γ
+
x
−
8)
(3 · 2)(−1 · −2)
x=1
Q
k
x=1 (Γ + x − 4) (Γ + x − 8)
u 3.
= Q
k
x=1 (Γ + x − 4) (Γ + x − 4)
We apply the same method to obtain the other loop probabilities of the ladder and observe
82
(3 4 5 6)(1 2 3 4)(−8 −9)(−10 −11)
(−2 −1· 1 · 3 4 5 6)
(4 5 6 7)(1 2 3 4)(−7 −8)(−10 −11)
(2 3 5 6)(1 2 3 4)(−9 −10)(−10 −11)
13
4
(−3 −2 −1· · 2 3 4 5)
(5 6 7 8)(1 2 3 4)(−6 −7)(−10 −11)
(· 1 2 3 · 5 6 7 8)
(0 1 2 3)(2 3 4 5)(−11 −12)(−9 −10)
(−3 −2 −1· · 2 3 4 5)
(6 7 8 9)(2 3 4 5)(−5 −6)(−9 −10)
(· 1 2 3 · 5 6 7 8)
12
4
×
(7 8 9 10)(3 4 5 6)(−4 −5)(−8 −9)
(· 1 2 3 · 5 6 7 8)
11
4
(8 9 10 11)(4 5 6 7)(−3 −4)(−7 −8)
(· 1 2 3 · 5 6 7 8)
10
4
9
4
(−1 · 1 2 · 4 5 6 7)
(9 10 11 12)(5 6 7 8)(−2 −3)(−6 −7)
(· 1 2 3 · 5 6 7 8)
8
4
7
4
6
4
5
4
|0| |−| |0| |+|
4
4
3
4
|+| |0| |−| |0|
2
4
|−| |0| |+| |0|
|0| |+| |0| |−|
1
4
1
4
2
4
3
4
4
4
5
4
6
4
7
4
8
4
9
4
10
4
11
4
12
4
13
4
Figure 4.12: A polynomial ladder where k = 4, j0 = 4, Γ = 13, and point probabilities are
defined.
83
13
4
18480
−55440
−337920
293760
293760
12
4
97200
−293760
11
4
259200 −1043280 1061760
−293760
55440
10
4
443520 −2119680 2504880
−1061760 337920
−18480
9
4
498960 −3049200 4266000
−2504880 1043280
−97200
8
4
308880 −3041280 5385600
−4266000 2119680 −259200
7
4
−1750320 4878720
−5385600 3049200 −443520
6
4
−4878720 3041280 −498960
2779920
5
4
617760
4
4
617760
−2779920 1750320 −308880
617760
(1166880)
−617760
3
4
−617760
2
4
−617760
1
4
(1166880)
1
4
2
4
3
4
4
4
5
4
6
4
7
4
8
4
9
4
10
4
11
4
12
4
Figure 4.13: A polynomial ladder where k = 4, j0 = 4, Γ = 13, and all loop probabilities are
defined.
84
13
4
8
4
7
4
.
−b
6
4
c
5
4
4
4
..
a
p2
p2
p2
−c
(p1 )
−a
b
−p2
3
4
−p2
2
4
−p2
1
4
(p1 )
1
4
2
4
3
4
4
4
5
4
6
4
7
4
8
4
Figure 4.14: Undefined loop probabilities of a polynomial ladder where k = 4 and Γ approaches infinity.
that it is identical to our infinite binomial ladder of Figure 4.11. Notice the ratio between
the probability at (1, 0) and (1 + , ) approaches 1 as Γ approaches infinity, since the lower
truncation term of Equation 4.9 and the dividing factor of Equation 4.5 are identical for both
points, and the upper truncation term of Equation 4.8 is nearly identical for both points.
We note however, that the probability at (1, 0) is strictly greater than at (1 + , ). Since
the upper truncation term is approximately the same for every point on the hinge line when
Γ approaches infinity, we determine the ratio between the loop probabilities using the lower
truncation term and the dividing factor, which are independent of Γ.
We now look at the endpoints achievable with polynomial ladders. The dual-endpoint
configuration resulting from a polynomial ladder is determined by the split (p1 + p2 ) 1, 1 →
p1 1 − x, 1 + p2 1 + 1 , 1 , for probabilities p1 and p2 defined by Equation 4.5, and gener-
85
alized as
p1 =
p2 =
(Γ+k)! Γ!
(k
Γ! (Γ−k)!
− 1)!(k − 2)!(−1)k−2
(2k)!
k
(Γ+(k−1))! (Γ−1)!
(k −
(Γ−1)! (Γ−(k+1))!
(2k)!
k
,
1)!(k − 2)!(−1)k−2
.
We determine the values of p1 and p2 by generalizing the probability of points at coordinates
(0, 1) and (0 + , 1 + ). These probabilities are given by Equation 4.5 and depend only on
the values of k and Γ. The lower bound of x is obtained by substituting the values of p1 and
p2 into Equation 2.5, to obtain
x≥
(Γ + k)(k + 1)
.
(Γ + k)(k + 1) + (Γ − k)
The one-shot ladder combines the polynomial ladder with a point distribution on the
axes to achieve a dual-endpoint configuration. As the distance between points decreases,
and the width of the ladder increases, the endpoints approach a single pair of coordinates.
In a final step, both points are simply raised to a common point. This ladder is useful since
a single endpoint with arbitrarily small bias is provably achievable with only one instance of
a k-ladder. The point game containing a one-shot ladder is defined by a set of points on the
axes with coordinates (0, x) and associated probability
Q
Qk−1 z∗
k
x
−C(−1)k
(Γ
+
a)
Γ
+
a
−
−b
a=1
b=1
Qx+k
x
j=−x−k,j6=x (j)
z∗
−b−
and points with coordinates (x + i, x) and associated probability
Q
Qk−1 z∗
k
x
x
x
C(−1)k
Γ
+
a
−
−
i
Γ
+
a
−
−
b
−
−
i
a=1
b=1
Qx+k
x
(x + i) j=−x−k,j6=x,j6=x+i (j − (x + i))
where x is an integer such that
z∗
x
,
z∗
−b−
(4.10)
x
,
≤ x ≤ Γ, i is an integer such that −k ≤ x ≤ k but is not
equal to 0, k is a positive integer, −1 is an integer greater than 1, Γ is an integer greater
than −1 , z ∗ is an integer smaller than −1 , and C is a constant greater than 0. These points
follow the same convention as those from the polynomial ladders and their probabilities are
86
also similarly derived. Unlike the polynomial ladders however, not all sets of parameters
{z ∗ , k, Γ, } result in a valid point game. Visually, a one-shot ladder resembles the point
game of Figure 4.15. We notice the point game contains symmetric endpoints at coordinates
{(z ∗ − k, z ∗ ), (z ∗ , z ∗ − k)} and that
Qk−1
k Qk
z∗
z∗
Γ+a− C(−1)
b=1 (−b + k)(−b)
a=1 Γ + a − − k
Q
z∗
(z ∗ − k) x+k
j=−x−k,j6=x,j6=x+i (j − (x + i))
Q
Qk−1 z∗
z∗
k
x
x
Γ C(−1)k
(Γ
+
a)
Γ
+
a
−
−
b
−
b
−
X
a=1
b=1
,
=
Q
x+k
x
(j)
∗
j=−x−k,j6=x
x=z
is always satisfied, ensuring that the dual-endpoints contain the same amount of probability
as the probability contained in the axes. Both points are raised to (z ∗ , z ∗ ) in order for the
point game to contain a single endpoint. The point game is valid, given a value of k, when
Γ approaches infinity and approaches 0 for
z∗ ≥
k+1
,
2k + 1
as shown in [29]. Given Equation 4.10, we notice that the probability at a point (0, x1 ) is
strictly greater than the probability at a point (0, x2 ) for any integers x1 and x2 such that
z ∗ ≤ x1 < x2 ≤ Γ. Given an arbitrary set of values {z ∗ , k, Γ, }, the combination of point
splits on either axis is likely invalid since we require a sufficiently large Γ for the sum of
probabilities above the coordinate (0, 1) to be greater than the sum below and we require a
sufficiently small for the split to be valid, as shown in Section 2.2.4. For example, setting
{z ∗ = 58 , k = 4, Γ = 16, = 18 }, as shown in Figure 4.15, results in an axis containing the
points of Table 4.1. Furthermore, the point game of Figure 4.15 is invalid for any value of
Γ since the endpoints are below the line defined by x + y = 1, which is shown to be invalid
in Section 4.3.2. For a possibility of obtaining a valid one-shot ladder, we would either need
to increase the value of z ∗ or decrease the value of .
This point distribution is not attainable from the initial configuration since there is more
probability below (0, 8) than above. The difference in probability between successive points
87
coordinates
(0, 5)
(0, 6)
(0, 7)
(0, 8)
(0, 9)
(0, 10)
probability
1.5 · 106
4.4 · 105
1.4 · 105
5.0 · 104
1.8 · 104
6.5 · 103
coordinates
(0, 11)
(0, 12)
(0, 13)
(0, 14)
(0, 15)
(0, 16)
probability
2.3 · 103
8.1 · 102
2.6 · 102
7.5 · 10
1.7 · 10
2.4
Table 4.1: The axis point distribution’s probabilities for a one-shot ladder.
becomes less significant as Γ approaches infinity. Equation 4.7 guarantees that all lines in a
one-shot ladder, that are not axes, are valid. There might not be a valid truncated one-shot
ladder with arbitrarily small cheating bias, since no discrete solution of this point game is
given in [29].
4.4.2 Single Ladder
The single ladder, first presented in Section 4.3.1, is simple and easy to combine with other
transitions to form a valid point game. In this subsection we present an efficient truncated
single ladder for any Γ greater than 1. We argue that the polynomial single ladder is not
efficient and we compare the AIW of both ladders.
We truncate the single ladder of Figure 4.7 at a coordinate Γ, where
Γ
δ
is an integer strictly
greater than δ −1 . Since the line at coordinate Γ contains a single raise, it will be valid for
any positive probability. We set the probability of the outermost loop to an arbitrary value,
for example 1. A single probability remains undefined in the line of coordinate Γ − δ and its
transition, 1 [Γ, Γ − δ] + p [Γ − 3δ, Γ − δ] → (p + 1) [Γ − 2δ, Γ − δ], is tight when p is equal
to 2 since it satisfies the equality of Equation 2.7. A single probability is left undefined
in the line at coordinate Γ − 2δ and its transition, 3 [Γ − δ, Γ − 2δ] + p [Γ − 4δ, Γ − 2δ] →
(p + 2) [Γ − 3δ, Γ − 2δ] + 1 [Γ, Γ − 2δ], is tight when p is equal to 3 since the prefix sum of
standard merges is positive and there are as many standard merges as standard splits. We
fix the remaining undefined loop probabilities by satisfying a positive prefix sum of standard
merges for each line and obtain the ladder of Figure 4.16.
88
16
8
15
8
14
8
13
8
12
8
11
8
10
8
9
8
8
8
7
8
6
8
5
8
4
8
3
8
2
8
1
8
1
8
2
8
3
8
4
8
5
8
6
8
7
8
8
8
9
8
10
8
11
8
12
8
13
8
14
8
15
8
16
8
Figure 4.15: An invalid one-shot ladder where k = 4, = 18 , z ∗ = 5, and Γ = 16.
89
11
2
1
10
2
4
7
2
5
6
2
−6
7
4
2
−7
8
3
2
−3
.
..
−4
−5
6
5
2
1
2
−2
3
8
2
2
2
−1
2
9
2
−8
9
(10)
−9
(10)
1
2
2
2
3
2
4
2
5
2
6
2
7
2
8
2
9
2
10
2
Figure 4.16: An efficient single ladder where Γ =
90
11
2
11
.
2
11
2
2
10
2
−2
10
9
2
−10
30
8
2
70
7
2
140
6
2
−252
420
4
2
−420
660
3
2
2
2 (1430)
−660
990
1
2
−30
−140
252
5
2
.
..
−70
−990
(1430)
1
2
2
2
3
2
4
2
5
2
6
2
7
2
8
2
9
2
10
2
11
2
Figure 4.17: A truncated single polynomial ladder where Γ =
11
.
2
A constant incrementation of loop probabilities is the optimal solution for a truncated
single ladder since every valid line of the ladder, other than the line at coordinate Γ, is
tight. We also achieve the smallest AIW for the invalid hinge line, given a fixed value of Γ.
As Γ approaches infinity, the ladder becomes arbitrarily close to the infinite single ladder
of Figure 4.7. We compare our efficient truncated single ladder with the single polynomial
ladder defined in Section 4.4.1, and shown in Figure 4.17.
We argue that the polynomial ladder is not efficient since none of its lines are tight. We
show that our truncated single ladder achieves a smaller AIW for the line at coordinate
1. Since a point is contained on the axis, both point games have an AIW that approaches
infinity, as shown in Section 3.2.1. To differentiate between the two values, we shift both
transitions by a spacing of 1 to obtain an AIW, from Equation 3.3, of approximately 3.39·10−2
91
for our single ladder, which is better than the value of 6.31 · 10−2 obtained for the polynomial
ladder. Our truncation of single ladders requires considerably less loops to obtain a better
AIW. For example, when truncated at Γ equal to 52 , it achieves an AIW of approximately
6.28 · 10−2 when shifted by the same spacing.
4.4.3 Binomial Ladders
Truncating a binomial ladder is more difficult than truncating a single ladder, since there
are more loop probabilities to fix for the same number of constraints. We cannot truncate a
binomial ladder using the same method as in Section 4.4.2, since each line of a k-ladder is
defined by an equation of k variables. In this subsection we define a fundamental structure
contained in the ladders of Section 4.3.2 which we call the binomial block. We introduce
truncated ladders that are only composed of binomial blocks and present the decreasing
series of scalar values for an efficient k-ladder, and for any value of k. A clear method of
combining binomial blocks to obtain the same hinge lines as the ladders from Section 4.3.2
remains an open question.
We decompose the single ladder of Figure 4.7 into sets of loops, as shown in Figure 4.18.
Notice a single set of loops is repeated along the diagonal. Let us refer to one of these sets
as a block. We express the block by a matrix


1 −1 0

,
0 −1 1
where each column is a set of transitions contained in a line of the point game. We notice
the first row of the matrix is defined by a binomial transition of degree 2. Since a ladder is
symmetric, the second row is its inverse shifted by a single space. We define another block
using a binomial transition of degree 3 as


1 −2 1 0 

.
0 −1 2 −1
92
1
∅
1
∅
−1
1
∅
−1
∅
−1
Figure 4.18: A single ladder decomposed into blocks.
4δ
4δ
4δ
4δ
(2)
3δ
(1)
3δ
(2)
3δ
= (1)
+
2δ
(1)
= (1)
+
(1)
2δ
(1)
2δ
(2)
(1)
δ
3δ
2δ
(1)
(2)
δ
δ
δ
Figure 4.19: The combination of transitions in a block matrix.
Since we desire a square block however, we define the entries of the matrix as multiples of
a binomial transition of degree 2. By combining these transitions, as shown in Figure 4.19,
we obtain the block of Figure 4.20.
A block is binomial if it is defined by a matrix


 b1 b2 . . . b n 0 
,

0 b1 b2 . . . bn
where b1 , b2 , . . . , bn are the coefficients of a binomial transition of degree n and the entries
of the matrix are multiples of a binomial transition of degree n − 1. For example, binomial
blocks of degree 4 and 5 are given in Figures 4.21 and 4.22.
−1
1
∅
1
∅
−1
∅
−1
1
1 −2 1 0
0 −1 2 −1
Figure 4.20: A block defined by the binomial (1, −2, 1).
93
1
−2
1
∅
−2
3
∅
−1
1
∅
−3
2
∅
−1
2
−1
1 −3 3 −1 0
0 −1 3 −3 1
Figure 4.21: The binomial block of degrees 4.
−1
3
−3
1
∅
3
−8
6
∅
−1
−3
6
∅
−6
3
1
∅
−6
8
−3
∅
−1
3
−3
1
1 −4 6 −4 1 0
0 −1 4 −6 4 −1
Figure 4.22: The binomial block of degrees 5.
We notice the odd columns of the matrix represent valid lines, while the even columns
represent invalid lines. This is an important consideration when constructing truncated
ladders using binomial blocks. When combining binomial blocks, we assign scalar values to
all of the loop probabilities in a block. We show that it is possible to obtain any optimal
ladder of Section 4.3 using only such combinations. The first rung of the double ladder,
shown in Figure 4.9, is obtained with an increasing series of scalars, as shown in Figure 4.23.
Both ladders are not identical however. To obtain the same loop probabilities at the bottom
of the ladder, we define a combination of binomial blocks of degree 1 and of degree 2, as
shown in Figure 4.24.
The series of scalars used in Figures 4.23 and 4.24 are increasing, since the ladders
they define are infinite. Binomial blocks are useful for determining efficient truncations of
ladders. The decreasing series of binomial blocks that defines the truncated single ladder
from Section 4.4.2 is identical to the series presented in the same section. Binomial blocks are
particularly useful when defining efficient k-ladders where k is greater than 1. For example,
94
14
−1
10
−1
1
∅
14
1
∅ −1
−1
1
−1
1
∅
2
−1
1
−1
1
−1
1
∅ −1
1
−1
1
1
∅ −1
6
−1
∅
34
1
16
16
14
1
2
Figure 4.23: The rung of an infinite double ladder achieved with binomial blocks.
14
−1
9
−1
1
∅
∅ −1
−1
1
−1
1
∅
2
−1
1
−1
1
−1
1
∅ −1
1
−1
1
1
∅ −1
5
∅
−1
2
1
1
∅
1
∅
−1
1
∅
−1
1
∅
−1
∅
−1
2
1
1
2
2
Figure 4.24: The infinite double ladder is composed of two series of binomial blocks.
95
1
1
4
−2
1
∅
−2 1
1 −2
∅ −1
3
−2 3
−1
1
2
20
−2 1 1 ∅ −3
−2 1 1
−3 2
−1
1
∅
35
−2 3
−1−1 2
−2 3
−1−1 2
−1
1 −2
−3 2
1 1 ∅
−3 2
1
−2
∅ −1−1 2 −1
3
−1 2
−1
1
∅ −3 2
10
∅
−1
2
−1
Figure 4.25: An efficient triple ladder defined by binomial blocks.
an efficient truncated triple ladder is presented in Figure 4.25 and is obtained by defining
a decreasing series of binomial blocks of degree 3. By combining the loop probabilities, we
obtain the ladder of Figure 4.26. We notice that the rungs of the ladder are tight.
The decreasing series of binomial blocks, for an efficient k-ladder defined by n blocks of
degree k, is defined by the scalar values
k−1
k
k+1
k+n−1
,
,
,...,
.
k−1
k−1
k−1
k−1
Binomial blocks are a simple and elegant method to construct efficient truncated ladders.
We know that the optimal series of scalars is defined by binomial coefficients. However,
the set of hinges created by this truncation technique is new, and the best possible set of
transitions to attach to the ladder remains an open question.
4.5 Recursion
Mochon expresses the possibility of recursing a point game with dual-endpoints, such as his
polynomial ladders, but does not provide any proof or example of recursion. In this section,
we prove that it is possible to achieve a better endpoint than Mochon proposes, by using a
96
12
4
1
−2
4
−10
7
10
−28
23
−60
54
1
11
4
−1
10
4
−7
2
−23
10
−1
28
−4
9
4
20
8
4
−90 105
35
−54
7
4
−70 125
−105 60
−10
6
4
−125 90
35
−20
5
4
−35
−35
70
4
4
3
4
2
4
1
4
1
4
2
4
3
4
4
4
5
4
6
4
7
4
8
4
9
4
10
4
11
4
12
4
Figure 4.26: An efficient triple ladder with invalid (red) and valid (blue) hinge lines.
97
1.0
1 − ǫ′′
0.5
ǫ′
0
0
0.5
ǫ′
1 − ǫ′′ 1.0
Figure 4.27: Mochon’s proposed linear recursion achieves an endpoint of 1
0
0 +00
0
, 0 +
00 .
new recursion technique.
Given a polynomial ladder with endpoints { 12 [1 − 00 , 0 ] , 21 [0 , 1 − 00 ]}, where 0 < 00 <
0 < 1, Mochon claims that “the slope
0
00
of the step should converge to one as k approaches
infinity” [29]. Therefore, Mochon’s recursion would resemble Figure 4.27 and achieve an
0
0
endpoint of 1 0 +
00 , 0 +00 . This endpoint is the intersection between
y =1−
00
x
0
and
y=
0
(1 − x) .
00
We give an example of the first recursive step for the optimal double ladder of Figure 4.9
in Figure 4.28. We include the ladders’ endpoints, but we omit the actual ladders from the
figure to avoid confusion. The second point game is simply compressed by a factor of 12 . The
next recursive step will be
1
4
the size of the original point game. As the number of steps
98
6
6
5
6
4
6
3
6
2
6
1
6
1
6
2
6
3
6
4
6
5
6
6
6
Figure 4.28: The first linear recursive step of the optimal double ladder.
approaches infinity, the endpoint approaches 1
2
2
,
.
3 3
However, we can achieve better endpoints since Mochon compresses the inner point game
but does not take its position in the outer point game into account.
Lemma 4.1. The inequality
X
xbefore
X px
px
≥
x+λ x
x+λ
after
is satisfied for all values of λ greater than λ0 if and only if
X
xbefore
X px
px
≥
cx + λ x
cx + λ
after
is satisfied for all values of λ greater than cλ0 , where c > 0.
The proof of this lemma is trivial, since we simply factor the term c−1 into the inequality.
However, the lemma is very important for our recursion. The inner point game of Figure 4.28
is a compressed version of the outer point game. Since it is located within the outer point
game, it must satisfy the inequality
X
xbefore
X
px
px
≥
x+λ+δ x
x+λ+δ
after
99
6
12
6
6
5
12
λ0 =
1
3
5
6
4
12
4
6
3
12
3
6
2
12
2
6
1
12
1
6
1
12
2
12
3
12
4
12
5
12
λ0 =
6
12
1
6
2
6
3
6
4
6
2
3
5
6
6
6
Figure 4.29: We expand an inner point game by a factor of 2.
for all λ greater than 0, where δ is the spacing between the axis of the outer and inner point
games. Equivalently, the point game must satisfy
X
xbefore
X px
px
≥
x+λ x
x+λ
after
for all λ greater than δ. We may expand the inner point game of Figure 4.28, as shown
in Figure 4.29. According to Lemma 4.1, this point game must satisfy Equation 2.4 for all
values of λ greater than
2
3
instead of 13 . We show in Section 3.3.1 that the validity of basic
transitions only depends on Equation 2.4 being valid when λ approaches infinity. Therefore,
increasing the minimum value of λ does not affect the validity of basic transitions. However,
the validity of the final split in our ladders depends on Equation 2.4 being valid when λ
approaches its minimum value. Since we increase this value for each recursive step, our
recursion resembles Figure 4.30.
100
1.0
0.5
0
0
0.5
1.0
Figure 4.30: A recursion with incremental values of λ0 .
101
Chapter 5
Conclusion
In this thesis we analyzed the point game model of secure two-party computations. We
defined several new primitives and building blocks for constructing point games. We defined
a new family of optimal infinite ladders. We presented a simple, intuitive, and efficient
truncation technique that achieves better results than the best previously known. We showed
how to obtain near-optimal, finite point games using ladders from this family with a new
recursion technique that achieves better results. We discovered that point games may be
solved using binomials instead of polynomials. We analyzed Mochon’s optimal point games,
we provided several new insights on their construction, and we identified the key elements
that are not specified in their proofs.
5.1 Future Work
In this thesis we presented a collection of new and useful ideas. Some of these ideas require
additional exploration and we believe that solutions to the following problems would be very
useful to our understanding of the point game model.
• Given a truncated binomial ladder from Section 4.4.3, what is the best set of
transitions we could attach to its hinges?
• Which family of point games can be mapped into strong coin flipping protocols?
• It is unclear what the optimal sequence of steps is for the recursion of Section 4.5.
102
• Is there a way to determine the significant operator monotone for an arbitrary
transition?
103
Bibliography
[1] Nati Aharon, Serge Massar, and Jonathan Silman. Family of loss-tolerant quantum coinflipping protocols. Physical Review A, 82:052307 (7 pages), 2010. arXiv:1006.1121v1,
doi:10.1103/PhysRevA.82.052307.
[2] Dorit Aharonov, Amnon Ta-Shma, Umesh V. Vazirani, and Andrew C. Yao. Quantum
bit escrow. In Proceedings on 32nd Annual ACM Symposium on Theory of Computing
(STOC 2000), pages 705–714, 2000. arXiv:quant-ph/0004017, doi:10.1145/335305.
335404.
[3] Andris Ambainis. A new protocol and lower bounds for quantum coin flipping. In
Proceedings on 33rd Annual ACM Symposium on Theory of Computing (STOC 2001),
pages 134–142, 2001. arXiv:quant-ph/0204022, doi:10.1145/380752.380788.
[4] Andris Ambainis. Lower bound for a class of weak quantum coin flipping protocols.
2002. arXiv:quant-ph/0204063.
[5] Amos Beimel, Tal Malkin, and Silvio Micali.
party secure computation.
The all-or-nothing nature of two-
In Proceedings of the 19th Annual International Con-
ference on Cryptology (CRYPTO 1999), pages 80–97. Springer-Verlag, 1999. doi:
10.1007/3-540-48405-1_6.
[6] Charles Bennett and Gilles Brassard. Quantum cryptography: Public key encryption and coin tossing. In Proceedings on IEEE International Conference on Computer
Systems and Signal Processing, pages 175–179, 1984. URL: http://www.cs.ucsb.edu/
∼chong/290N-W06/BB84.pdf.
[7] Guido Berlı́n, Gilles Brassard, Félix Bussières, and Nicolas Godbout. Fair loss-tolerant
quantum coin flipping. Physical Review A, 80:062321 (11 pages), 2009. arXiv:0904.
104
3945v2, doi:10.1103/PhysRevA.80.062321.
[8] Guido Berlı́n, Gilles Brassard, Félix Bussières, Nicolas Godbout, Joshua A. Slater, and
Wolfgang Tittel. Experimental loss-tolerant quantum coin flipping. Nature Communications, 2:561 (7 pages), 2011. arXiv:0904.3946, doi:10.1038/ncomms1572.
[9] Rajendra Bhatia. Matrix Analysis, volume 169 of Graduate Texts in Mathematics.
Springer-Verlag, 1997.
[10] Manuel Blum. Coin flipping by telephone. In Allen Gersho, editor, Advances in cryptology: A report on CRYPTO ’81, pages 11–15. ECE Report No 82-04, University of
California, 1981. URL: http://www.cs.cmu.edu/∼mblum/research/pdf/coin/.
[11] André Chailloux. Improved loss-tolerant quantum coin flipping. In Proceedings of the
10th Asian Conference on Quantum Information Science (AQIS 2010), 2010. arXiv:
1009.0044v3.
[12] André Chailloux. Quantum coin flipping and bit commitment: Optimal bounds, practical
constructions and computational security. PhD thesis, LRI, Université Paris Sud and
LIAFA, Université Paris VII, 2011. URL: http://tel.archives-ouvertes.fr/tel-00607890.
[13] André Chailloux, 2012. Presentation given at the Fifteenth Annual Conference on
Quantum Information Processing (QIP 2012).
[14] André Chailloux and Iordanis Kerenidis. Optimal quantum strong coin flipping. In
Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science
(FOCS 2009), pages 527–533, 2009. arXiv:0904.1511v1, doi:10.1109/FOCS.2009.
71.
[15] André Chailloux and Iordanis Kerenidis. Optimal bounds for quantum bit commitment.
2011. arXiv:1102.1678.
105
[16] Giacomo M. D’Ariano, Dennis Kretschmann, Dirk Schlingemann, and Reinhard F.
Werner. Reexamination of quantum bit commitment: The possible and the impossible. Physical Review A, 76:032328 (27 pages), 2007. arXiv:quant-ph/0605224,
doi:10.1103/PhysRevA.76.032328.
[17] Ronald L. Graham, Donald E. Knuth, and Oren Patashnik. Concrete Mathematics: A
Foundation for Computer Science. Addison-Wesley, 2nd edition, 1994.
[18] Gus Gutoski, 2013. Lecture notes on Selected Advanced Topics in Quantum Information. URL: https://cs.uwaterloo.ca/∼gmgutosk/crypto-lec-1.pdf.
[19] Esther Hänggi and Jürg Wullschleger. Tight bounds for classical and quantum coin
flipping. In Yuval Ishai, editor, Proceedings of the 8th Conference on Theory of Cryptography (TCC 2011), volume 6597, pages 468–485. Springer, 2011. arXiv:1009.4741v2,
doi:10.1007/978-3-642-19571-6_28.
[20] Gregg Jaeger. Quantum Information: An Overview. Springer, 2007.
[21] Iordanis Kerenidis and Ashwin Nayak. Weak coin flipping with small bias. Information
Processing Letters, 89:131–135, 2004. arXiv:quant-ph/0206121, doi:10.1016/j.ipl.
2003.07.007.
[22] Alexei Kitaev, 2003. Presentation given at the Sixth Annual Conference on Quantum
Information Processing (QIP 2003). Slides and video available at Mathematical Sciences
Research Institute (MSRI). URL: http://www.msri.org/realvideo/ln/msri/2002/qip/
kitaev/1/index.html.
[23] Hoi-Kwong Lo.
Insecurity of quantum secure computations.
Physical Review A,
56:1154–1162, 1997. arXiv:quant-ph/9611031v2, doi:10.1103/PhysRevA.56.1154.
[24] Hoi-Kwong Lo and Hoi F. Chau. Why quantum bit commitment and ideal quantum coin
tossing are impossible. Physica D: Nonlinear Phenomena, 120:177–187, 1998. arXiv:
106
quant-ph/9711065, doi:10.1016/S0167-2789(98)00053-0.
[25] Loı̈ck Magnin. Two-player interaction in quantum computing: cryptographic primitives
and query complexity. PhD thesis, LRI, Université Paris Sud, 2011. URL: http://tel.
archives-ouvertes.fr/tel-00676922.
[26] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Physical Review Letters, 78:3414–3417, 1997. arXiv:quant-ph/9605044v2, doi:10.1103/
PhysRevLett.78.3414.
[27] Carlos Mochon. Quantum weak coin-flipping with bias of 0.192. In Proceedings of
the 45th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2004),
pages 2–11, 2004. arXiv:quant-ph/0403193v2, doi:10.1109/FOCS.2004.55.
[28] Carlos Mochon. Large family of quantum weak coin-flipping protocols. Physical Review
A, 72:022341 (16 pages), 2005. arXiv:quant-ph/0502068v2, doi:10.1103/PhysRevA.
72.022341.
[29] Carlos Mochon. Quantum weak coin flipping with arbitrarily small bias. 2007. arXiv:
0711.4114v1.
[30] Ashwin Nayak and Peter Shor. Bit-commitment-based quantum coin flipping. Physical Review A, 67:012304 (11 pages), 2003. arXiv:quant-ph/0206123, doi:10.1103/
PhysRevA.67.012304.
[31] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. Cambridge Series on Information and the Natural Sciences. Cambridge University
Press, 2000.
[32] Anna Pappa, André Chailloux, Eleni Diamanti, and Iordanis Kerenidis. Practical quantum coin flipping. Physical Review A, 84:052305 (5 pages), 2011. arXiv:1106.1099v2,
doi:10.1103/PhysRevA.84.052305.
107
[33] Walter Rudin. Principles of Mathematical Analysis. International Series in Pure and
Applied Mathematics. McGraw-Hill, 3rd edition, 1964.
[34] Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science (FOCS 1994), pages 124–134, 1994. arXiv:quant-ph/9508027, doi:
10.1109/SFCS.1994.365700.
[35] Jamie Sikora.
Analyzing quantum cryptographic protocols using optimization tech-
niques. PhD thesis, University of Waterloo, 2012. URL: http://uwspace.uwaterloo.
ca/bitstream/10012/6760/1/Sikora Jamie.pdf.
[36] Robert W. Spekkens and Terry Rudolph. Degrees of concealment and bindingness in
quantum bit commitment protocols. Physical Review A, 65:012310 (10 pages), 2001.
arXiv:quant-ph/0106019, doi:10.1103/PhysRevA.65.012310.
[37] Robert W. Spekkens and Terry Rudolph. Quantum protocol for cheat-sensitive weak
coin flipping. Physical Review Letters, 89:227901 (4 pages), 2002. arXiv:quant-ph/
0202118v2, doi:10.1103/PhysRevLett.89.227901.
[38] Stephen Wiesner. Conjugate coding. ACM SIGACT News, 15:78–88, 1983. doi:
10.1145/1008908.1008920.
[39] Andrew C. Yao. Protocols for secure computations. In Proceedings of the 23rd Annual
IEEE Symposium on Foundations of Computer Science (FOCS 1982), pages 160–164,
1982. doi:10.1109/SFCS.1982.88.
[40] Andrew C. Yao. Security of quantum protocols against coherent measurements. In
Proceedings on 27th Annual ACM Symposium on Theory of Computing (STOC 1995),
pages 67–75, 1995. doi:10.1145/225058.225085.
108