Graduate School of Engineering, Mie University, Japan and https://sites.google.com/site/akinorikawachi/ [email protected]://orcid.org/0000-0001-9218-9944JSPS Grant-in-Aid for Scientific Research (A) Nos. 16H01705, 21H04879, (B) No. 17H01695, JSPS Grant-in-Aid for Young Scientists (B) No. 17K12640, and MEXT Quantum Leap Flagship Program (MEXT Q-LEAP) Grant Number JPMXS0120319794.Graduate School of Informatics/Institute for Advanced Study, Nagoya University, [email protected]://orcid.org/0000-0002-2219-3320JSPS Grant-in-Aid for Scientific Research (A) Nos. 16H01705, 21H04879, (B) No. 19H04066, Grant-in-Aid for Transformative Research Areas No. 20H05966 and MEXT Quantum Leap Flagship Program (MEXT Q-LEAP) Grant Number JPMXS0120319794. \CopyrightAkinori Kawachi and Harumichi Nishimura \ccsdesc[500]Theory of computation Quantum computation theory \ccsdesc[500]Theory of computation Computational complexity and cryptography

Acknowledgements.

We thank the anonymous reviewers of ITC 2021 for helpful comments. \hideLIPIcs\EventEditorsStefano Tessaro \EventNoEds1 \EventLongTitle2nd Conference on Information-Theoretic Cryptography (ITC 2021) \EventShortTitleITC 2021 \EventAcronymITC \EventYear2021 \EventDateJuly 23–26, 2021 \EventLocationBertinoro, Italy (Virtual Conference) \EventLogo \SeriesVolume199 \ArticleNo20

Communication Complexity of Private Simultaneous Quantum Messages Protocols

Akinori Kawachi Harumichi Nishimura

Abstract

The private simultaneous messages (PSM) model is a non-interactive version of the multiparty secure computation (MPC), which has been intensively studied to examine the communication cost of the secure computation. We consider its quantum counterpart, the private simultaneous quantum messages (PSQM) model, and examine the advantages of quantum communication and prior entanglement of this model.

In the PSQM model, $k$ parties $P_{1},\ldots,P_{k}$ initially share a common random string (or entangled states in a stronger setting), and they have private classical inputs $x_{1},\ldots,x_{k}$ . Every $P_{i}$ generates a quantum message from the private input $x_{i}$ and the shared random string (entangled states), and then sends it to the referee $R$ . Receiving the messages from the $k$ parties, $R$ computes $F(x_{1},\ldots,x_{k})$ from the messages. Then, $R$ learns nothing except for $F(x_{1},\ldots,x_{k})$ as the privacy condition.

We obtain the following results for this PSQM model. ( $i$ ) We demonstrate that the privacy condition inevitably increases the communication cost in the two-party PSQM model as well as in the classical case presented by Applebaum, Holenstein, Mishra, and Shayevitz [Journal of Cryptology 33(3), 916–953 (2020)]. In particular, we prove a lower bound $(3-o(1))n$ of the communication complexity in PSQM protocols with a shared random string for random Boolean functions of $2n$ -bit input, which is larger than the trivial upper bound $2n$ of the communication complexity without the privacy condition. ( $ii$ ) We demonstrate a factor two gap between the communication complexity of PSQM protocols with shared entangled states and with shared random strings by designing a multiparty PSQM protocol with shared entangled states for a total function that extends the two-party equality function. ( $iii$ ) We demonstrate an exponential gap between the communication complexity of PSQM protocols with shared entangled states and with shared random strings for a two-party partial function.

keywords:

Communication complexity, private simultaneous messages, quantum protocols, secure multi-party computation

category:

\relatedversion

1 Introduction

Background. Communication complexity has been an important research area in theoretical computer science for more than four decades, aiming to understand the communication cost of computing functions in a distributed manner [31, 25]. Since the advent of quantum information science, quantum communication complexity has also been studied intensively to determine the advantage of quantum information processing over its classical counterparts. A number of studies have succeeded in demonstrating the quantum advantages from the early days of quantum complexity theory [7, 28, 8].

Recently, much attention has been given to studying the amount of communication overhead required to preserve privacy in the field of cryptography, particularly, multi-party secure computation (MPC), to explore the optimal communication cost for privacy from the viewpoint of communication complexity [13, 12]. MPC is commonly based on a general network model that has complex communication patterns (e.g., in which each of many parties can freely interact with the other parties bidirectionally) unlike standard models in communication complexity (e.g., in which two parties can exchange messages only with each other). Therefore, many studies have focused on a special class of MPC that has simpler communication patterns, such as private simultaneous messages (PSM) protocols [14, 21, 9, 2, 1].

The two-party version of the PSM model was first proposed by Feige, Kilian, and Naor [14], and was later extended by Ishai and Kushilevitz [21]. In the general setting of the PSM model, we consider $k$ parties $P_{1},\ldots,P_{k}$ and a unique referee $R$ . The party $P_{i}$ has its private input $x_{i}$ , and all parties share a common random string $r$ . Each $P_{i}$ generates message $m_{i}$ from $x_{i}$ and $r$ , and then, sends $m_{i}$ to the referee $R$ only once. Note that each party is not allowed to interact with other parties. The referee $R$ receives the messages $m_{1},\ldots,m_{k}$ , and computes an output value of a predetermined function $F$ . The protocol generally has two properties correctness and privacy: Correctness signifies that the referee can compute $F(x_{1},\ldots,x_{k})$ correctly from the messages $m_{1},\ldots,m_{k}$ , while privacy signifies that the referee $R$ learns nothing except for $F(x_{1},\ldots,x_{k})$ from the received messages $m_{1},\ldots,m_{k}$ in the information-theoretical sense.

In fact, the communication model of PSM protocols coincides with simultaneous message passing (SMP) protocols, which are known as traditional communication models in communication complexity [31, 25]. In the (number-in-hand) SMP model, $k$ parties $P_{1},\ldots,P_{k}$ that share a common random string $r$ (and sometimes entangled states), send their messages $m_{1},\ldots,m_{k}$ computed from individual inputs $x_{1},\ldots,x_{k}$ and the referee computes $F(x_{1},\ldots,x_{k})$ from $m_{1},\ldots,m_{k}$ , as performed in the PSM model. Note that the SMP model does not require the privacy condition unlike the PSM model. The communication complexity of SMP protocols has been widely studied from the viewpoint of classical/quantum information to demonstrate the power of quantum communication [8, 18, 16].

Two-party quantum SMP models were first studied by Buhrman, Cleve, Watrous, and de Wolf [8] in the setting that the two parties do not share any randomness or entanglement. In this model, they demonstrated that the quantum communication complexity of the equality function is exponentially smaller than in the classical case. This result has been strengthened in the literature [4, 15], and Gavinsky [16] demonstrated that there is a relational problem whose quantum communication complexity is exponentially smaller than that of the two-way classical communication model. However, the power of shared entanglement in the SMP model is unclear. In one of the few related studies, Gavinsky, Kempe, Regev, and de Wolf [18] demonstrated that there is a relational problem that has an exponential gap between quantum SMP models with shared entanglement and without shared entanglement. However, the known maximum gap between them for total functions is only a constant multiplicative factor of $2$ [20, 22].

Although various studies have examined quantum versions of MPC so far (e.g., [10, 29, 11]), to the best of the authors’ knowledge, there has been no attempt to analyze quantum communication complexity under the privacy condition in a cryptographic setting, and such analysis is important to understand the advantages of quantum communication in a cryptographic setting.

Contributions. In this paper, we examine the power of quantum communication and shared entanglement under the information-theoretical privacy condition based on a standard communication model, namely, the PSM (or, equivalently, SMP) model. In particular, we propose a quantum counterpart of the classical PSM model called private simultaneous quantum messages (PSQM) model. In the PSQM model, parties $P_{1},\ldots,P_{k}$ which have classical private inputs $x_{1},\ldots,x_{k}$ share a common random string or entangled states in advance, and can send quantum messages to a quantum referee, $R$ . Then, $R$ computes a classical output value $F(x_{1},\ldots,x_{k})$ for a given function $F$ .

In the PSM (and its related) model, there are few results on lower bounds of communication complexity [1, 13, 3]. As one of such results, Applebaum, Holenstein, Mishra, and Shayevitz [1] proved a lower bound $(3-o(1))n$ of the communication complexity for random functions $F_{n}:\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ in the PSM model. In contrast, every function has the trivial upper bound $2n$ in the SMP model (i.e., the PSM model without the privacy condition). This result implies that the privacy condition creates communication overhead in the PSM model for some functions. Our first result demonstrates that this communication overhead is inevitable even if the parties can send quantum messages as in the PSQM model.

Theorem 1.1.

For a $(1-o(1))$ fraction of functions $F_{n}:\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ , the communication complexity of two-party PSQM protocols with shared randomness for $F_{n}$ is at least $3n-2\log{n}-O(1)$ .

We also present a multiparty PSQM protocol for a total function that reduces the amount of quantum communication by half under the condition that the parties share entanglement compared to the case in which they do not share entanglement.

Theorem 1.2.

For any even $n$ and $k$ , there is a total function $F_{n}:(\{0,1\}^{n})^{k}\rightarrow\{0,1\}$ such that the communication complexity of the $k$ -party PSQM protocol with shared entanglement is at most $kn/2$ , while that without shared entanglement is $kn$ .

Actually, this function matches the equality function for the two-party case. It is known that for the equality function, the two-party quantum SMP model with shared entanglement reduces the amount of quantum communication by half compared to the corresponding model without shared entanglement (e.g. [20]). Our result implies that this reduction still holds even if the privacy condition is required.

Moreover, we present a two-party PSQM protocol with shared entanglement for a partial function that reduces the amount of quantum communication exponentially compared to the case in which the parties do not share entanglement.

Theorem 1.3.

There is a partial function $F_{n}:\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ such that the communication complexity of the PSQM protocol with shared entanglement is $O(\log n)$ while that without entanglement is $\Omega(n)$ .

Related Work. There have been several studies on quantum communication complexity with privacy conditions (e.g., [23, 17]), although they differed from a cryptographic setting. For example, Gavinsky and Ito [17] considered the SMP model with privacy; however it considered the information leakage of quantum messages when the input was randomly chosen, while in the cryptographic setting, privacy should be retained for any input.

In a study related to the PSQM model, Brakerski and Yuen [6] constructed a quantum version of decomposable randomized encoding schemes. In fact, decomposable randomized encoding is equivalent to the PSM model from a communication-complexity perspective. They demonstrated how to garble a general quantum circuit on quantum inputs in a decomposable manner via a constant-depth quantum circuit. In contrast, our study focuses on the communication complexity of computing several classical functions on classical inputs in the communication model.

More recently, Morimae [27] investigated relationships between quantum randomized encoding and other quantum protocols including quantum computing verification and blind quantum computing. For example, he proved that a randomized encoding scheme of the BB84 state generation implies a two-round verification scheme of quantum computing with a classical verifier that additionally performs the encoding operation, and that a quantum randomized encoding scheme with a classical encoding operation implies violation of the no-cloning theorem. His target of quantum randomized encoding schemes is similar to that of [6], that is, encoding for quantum circuits on quantum inputs rather than classical functions on classical inputs.

2 Preliminaries

Let $[n]:=\{1,2,\ldots,n\}$ . For any two $m$ -bit strings $x=x_{1}\cdots x_{m}$ and $y=y_{1}\cdots y_{m}$ , the product $x\cdot y$ denotes $\sum_{i\in[m]}x_{i}y_{i}\leavevmode\nobreak\ (\mbox{mod}\leavevmode\nobreak\ 2)$ , and $x\oplus y$ denotes the $m$ -bit string whose $i$ th bit is the XOR of $x_{i}$ and $y_{i}$ .

For any $m$ -bit string $x=x_{1}x_{2}\cdots x_{m}$ , let

{\sf p}(x)=x_{1}+x_{2}\alpha+\cdots+x_{m}\alpha^{m-1}\leavevmode\nobreak\ (\mbox{mod}\leavevmode\nobreak\ {\sf q}_{m})

(1)

be the corresponding polynomial over $\mathbb{F}_{2}$ , where ${\sf q}_{m}$ is some irreducible polynomial of degree $m$ over $\mathbb{F}_{2}$ . Note that ${\sf p}(x)$ is regarded as an element in $\mathbb{F}_{2^{m}}$ , and ${\sf p}$ is a one-to-one correspondence between $\{0,1\}^{m}\setminus\{0^{m}\}$ and the multiplicative group $\mathbb{F}^{*}_{2^{m}}$ .

We assume the reader is familiar with the basics of quantum information and computation such as quantum states and quantum operations (see, e.g, [19, 26]). According to the standard notations, Pauli gates $X$ , $Z$ , and the Hadamard gate $H$ denote

X=\left(\begin{matrix}0&1\\ 1&0\end{matrix}\right),\ \ Z=\left(\begin{matrix}1&0\\ 0&-1\end{matrix}\right),\ \ H=\frac{1}{\sqrt{2}}\left(\begin{matrix}1&1\\ 1&-1\end{matrix}\right),

respectively.

2.1 Private simultaneous quantum messages protocols

Private simultaneous quantum messages (PSQM) protocols are formally defined as follows.

Definition 2.1 (private simultaneous quantum messages (PSQM) protocols).

For positive integers $n,k>0$ , let $n$ be the size parameter and $k$ be the number of parties. Let $F_{n}:\prod_{i=1}^{k}\mathcal{X}_{n,i}\rightarrow\mathcal{Y}_{n}$ . We say that a $(k+1)$ -tuple $\Pi=(P_{1},\ldots,P_{k},R)$ of quantum algorithms is an $\varepsilon$ -error $k$ -party private simultaneous quantum messages (PSQM) protocol if the following holds: given an individual input $x_{i}\in\mathcal{X}_{n,i}$ and shared random string $r$ among $P_{1},\ldots,P_{k}$ , the $i$ th party $P_{i}$ prepares a quantum message, represented as $\rho_{i}=P_{i}(x_{i},r)$ , in a Hilbert space $\mathcal{M}_{n,i}$ called a quantum register, and sends $\mathcal{M}_{n,i}$ (or equivalently $\rho_{i}$ ) to the party $R$ , which is called the referee. Then, the following two properties hold:

1.

(Correctness) The referee $R$ outputs the classical value $F_{n}(x_{1},\ldots,x_{k})\in\mathcal{Y}_{n}$ using the received joint quantum register $\mathcal{M}_{n}:=\bigotimes_{i=1}^{k}\mathcal{M}_{n,i}$ with a probability of at least $1-\varepsilon$ .
2.

((Perfect) Privacy) There exists a quantum algorithm $S_{n}$ , which is called the simulator, such that the output quantum state $S_{n}(F_{n}(x_{1},\ldots,x_{k}))$ is identical to the quantum state in $\mathcal{M}_{n}$ (before $R$ ), namely, $\otimes_{i=1}^{k}\rho_{i}$ .

We say that the protocol is exact when $\varepsilon=0$ .

If the shared random string $r$ is replaced by a predetermined multipartite entangled quantum state $|\Phi\rangle$ among the $k$ parties, we say that $\Pi$ is a PSQM protocol with a shared entangled state $|\Phi\rangle$ , where the algorithms and the properties are similarly defined except that $P_{i}$ prepares the message using its own part of $|\Phi\rangle$ (instead of $r$ ), and that the quantum state in $\mathcal{M}_{n}$ is not a product state of the $k$ local states in $\mathcal{M}_{n,1},\ldots,\mathcal{M}_{n,k}$ any more.

The communication complexity of $\Pi$ is defined by the total length $\log{\dim(\mathcal{M}_{n}})$ of the messages.

Let $C^{psm}_{\varepsilon}(F_{n})$ (resp. $Q^{psm}_{\varepsilon}(F_{n})$ ) be the $\varepsilon$ -error classical (quantum) communication complexity of the problem $F_{n}$ in the PSM (PSQM) model with a shared random string. Let $C^{psm,*}_{\varepsilon}(F_{n})$ (resp. $Q^{psm,*}_{\varepsilon}(F_{n})$ ) be the $\varepsilon$ -error classical (quantum) communication complexity of $F_{n}$ in the PSM (PSQM) model with shared entangled states (the PSM model with shared entangled states is defined similarly to the PSQM model with shared entangled states except that the messages sent to the referee are restricted to classical strings).

3 Communication Lower Bounds of Two-Party PSQM Protocols

In this section, we present the communication lower bounds of random functions for two-party PSQM protocols (Theorem 1.1).

The proof strategy is based on that of the classical case presented by Applebaum et al. [1]. The proof for the classical case considers two independent executions of a PSM protocol. It then evaluated the upper bounds of the collision probability, that is, the probability that the message in the first execution coincides with the one in the second execution, between two independent random messages. Because the collision probability is lower-bounded by the inverse of the size of the message domain, we can obtain the communication lower bound from the upper bound of the collision probability. Note that this argument is not available for quantum messages since they vary infinitely even over a finite number of qubits.

In order to extend the above argument to the case of quantum messages, we use the purity, $\mathrm{tr}\rho^{2}$ , of a quantum message $\rho$ in a PSQM protocol instead of the collision probability. In accordance with its name, the purity is originally a measure of how pure a quantum state is. (For example, any pure state has a purity of $1$ , and the $d$ -dimensional maximally mixed state has $1/d$ .) It is easy to see that the purity of a quantum state $\rho$ is lower-bounded by $1/\dim(\rho)$ , and thus, we can obtain the communication lower bounds for a PSQM protocol by evaluating the upper bound of the purity of the quantum messages, similarly to the collision probability for a PSM protocol.

However, the purity of quantum messages is different from the collision probability between classical messages; thus, we must further adapt the proof technique in [1] to the purity. For example, while the collision probability is analyzed by combinatorial techniques in the proof of [1], we need to analyze the trace $\mathrm{tr}\rho^{2}$ combinatorially by extending the original proof (Claim 2). Also, the proof technique in [1] uses a unique collision (which is obtained from the property called non-degeneracy that random functions have with high probability) between two messages in two independent executions with any fixed shared random string. Instead of the unique collision, we consider weighted collisions defined from the inner product of two quantum messages and extend the original argument for the weighted collisions (Lemma 3.4).

Before discussing the details of the proof, we provide several technical definitions and notation required for the proof of the lower bounds. In this section, we denote ${\cal X}_{n,i}$ by ${\cal X}_{i}$ . We use $\rho(x_{1},x_{2};r)=\rho_{1}(x_{1};r)\otimes\rho_{2}(x_{2};r)$ to the entire quantum message sent from $P_{1}$ and $P_{2}$ on individual inputs $x_{1}\in{\cal X}_{1}$ and $x_{2}\in{\cal X}_{2}$ with a shared random string $r$ to $R$ , where $\rho_{1}(x_{1};r)$ denotes $P_{1}$ ’s message and $\rho_{2}(x_{2};r)$ denotes $P_{2}$ ’s message.

Let $\mu$ be a distribution over $\mathcal{X}_{1}\times\mathcal{X}_{2}$ with marginal distributions $\mu_{1}$ and $\mu_{2}$ . We define $\mathrm{Supp}(\mu)$ for a distribution $\mu$ as a set $\{x:$ . We say that function $F_{n}$ is non-degenerate under distribution $\mu$ if for every distinct $x_{1}\in\mathrm{Supp}(\mu_{1})$ and $x^{\prime}_{1}\in\mathrm{Supp}(\mu_{1})$ , there exists $x_{2}\in\mathrm{Supp}(\mu_{2})$ such that $F_{n}(x_{1},x_{2})\neq F_{n}(x^{\prime}_{1},x_{2})$ and for every distinct $x_{2}\in\mathrm{Supp}(\mu_{2})$ and $x^{\prime}_{2}\in\mathrm{Supp}(\mu_{2})$ there exists $x_{1}$ such that $F_{n}(x_{1},x_{2})\neq F_{n}(x_{1},x^{\prime}_{2})$ . We say that $F_{n}$ is non-degenerate if the above holds when replacing $\mathrm{Supp}(\mu_{1})$ and $\mathrm{Supp}(\mu_{2})$ by $\mathcal{X}_{1}$ and $\mathcal{X}_{2}$ , respectively.

A rectangle $\mathcal{R}$ of size $k\times\ell$ over $\mathcal{X}_{1}\times\mathcal{X}_{2}$ is defined as $((x_{1,1},\ldots,x_{1,k}),(x_{2,1},\ldots,x_{2,\ell}))$ , where $x_{1,i}\in\mathcal{X}_{1},x_{2,j}\in\mathcal{X}_{2}$ for every $i,j$ , $x_{1,i}\neq x_{1,i^{\prime}}$ for every distinct $i,i^{\prime}$ , and $x_{2,j}\neq x_{2,j^{\prime}}$ for every distinct $j,j^{\prime}$ . We say that two rectangles $\mathcal{R}=((x_{1,1},\ldots,x_{1,k}),(x_{2,1},\ldots,x_{2,\ell}))$ and $\mathcal{R}^{\prime}=((x^{\prime}_{1,1},\ldots,x^{\prime}_{1,k}),(x^{\prime}_{2,1},\ldots,x^{\prime}_{2,\ell}))$ are $\mathcal{X}_{1}$ -disjoint (resp. $\mathcal{X}_{2}$ -disjoint) if $x_{1,i}\neq x^{\prime}_{1,i}$ for every $i\in[k]$ (resp. if $x_{2,j}\neq x^{\prime}_{2,j}$ for every $j\in[\ell]$ ). In particular, we say that $\mathcal{R}$ and $\mathcal{R}^{\prime}$ are disjoint if they are either $\mathcal{X}_{1}$ -disjoint or $\mathcal{X}_{2}$ -disjoint.

For a rectangle $\mathcal{R}=((x_{1,1},\ldots,x_{1,k}),(x_{2,1},\ldots,x_{2,\ell}))$ , let $F_{n}[\mathcal{R}]$ be a matrix whose $(i,j)$ -entry is $F_{n}(x_{1,i},x_{2,j})$ , and let $\mu(\mathcal{R})=\sum_{i\in[k],j\in[\ell]}\mu(x_{1,i},x_{2,j})$ . We say that $\mathcal{R}$ is similar to $\mathcal{R}^{\prime}$ if $F_{n}[\mathcal{R}]=F_{n}[\mathcal{R}^{\prime}]$ . We define

\alpha(\mu):=\max_{(\mathcal{R}_{1},\mathcal{R}_{2})}\min\{\mu(\mathcal{R}_{1}),\mu(\mathcal{R}_{2})\},

where the maximum ranges over all pairs of similar disjoint rectangles $(\mathcal{R}_{1},\mathcal{R}_{2})$ . In addition,

\beta(\mu):=\min_{y}\Pr_{(X_{1},X_{2}),(X_{1}^{\prime},X_{2}^{\prime})\sim\mu}\left[\,(X_{1},X_{2})\neq(X_{1}^{\prime},X_{2}^{\prime})\,\middle|\,F_{n}(X_{1},X_{2})=F_{n}(X_{1}^{\prime},X_{2}^{\prime})=y\,\right],

where $(X_{1},X_{2})$ and $(X_{1}^{\prime},X_{2}^{\prime})$ are independent.

We can demonstrate the communication lower bound in Theorem 1.1 from the following main technical lemma combined with an appropriate function $F_{n}$ , which is provided in the study by Applebaum et al. [1].

Lemma 3.1.

For every non-degenerate function $F_{n}:{\cal X}_{1}\times{\cal X}_{2}\rightarrow\{0,1\}$ , we have

Q^{psm}_{0}(F_{n})\geq\max_{\mu}\left(\log(\alpha(\mu)^{-1})+H_{\infty}(\mu)-\log(\beta(\mu)^{-1})\right)-1,

where $\mu$ is taken over all distributions over $\mathcal{X}_{1}\times\mathcal{X}_{2}$ under which $F_{n}$ is non-degenerate, and $H_{\infty}(\mu)$ is the min-entropy of $\mu$ .

From the previous study [1], we can obtain the appropriate function by selecting a function at random, as illustrated in the following theorem.

Theorem 3.2 (Applebaum et al. [1]).

For a $(1-o(1))$ fraction of the functions $F_{n}:\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ , $F_{n}$ is non-degenerate and $\lvert{\mathcal{R}}\rvert\leq 2^{n}\cdot n^{2}$ holds for every pair $(\mathcal{R},\mathcal{R}^{\prime})$ of similar disjoint rectangles.

Considering the uniform distribution $U$ over $\{0,1\}^{n}\times\{0,1\}^{n}$ , the communication lower bound from Lemma 3.1 of PSQM protocols for $F_{n}:\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ is bounded by $\log(\alpha(U)^{-1})+H_{\infty}(U)-\log(\beta(U)^{-1})-1$ . By Theorem 3.2, we can easily see that this bound is $3n-2\log{n}-O(1)$ for a $(1-o(1))$ fraction of the functions $\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ , as given in Theorem 1.1.

Now, we provide the proof of the main technical lemma.

Proof 3.3 (Proof of Lemma 3.1).

From the correctness, the referee $R$ outputs $F_{n}(x_{1},x_{2})$ for the received quantum message $\rho(x_{1},x_{2};r)$ for every $x_{1},x_{2}$ and every $r$ . Without loss of generality, we can assume that $P_{1}$ and $P_{2}$ generate pure states $|\psi_{1}(x_{1};r)\rangle$ and $|\psi_{2}(x_{2};r)\rangle$ with a shared randomness $r$ , respectively.

This assumption is justified as follows. Suppose that $P_{1}$ and $P_{2}$ generate mixed states $\rho_{1}(x_{1};r)$ and $\rho_{2}(x_{2};r)$ as their messages on inputs $x_{1},x_{2}$ and a shared random string $r$ . By the spectral decomposition, we have $\rho_{1}(x_{1};r)=\sum_{i}p_{i}|\psi_{1}^{(i)}(x_{1};r)\rangle\langle\psi_{1}^{(i)}(x_{1};r)|$ and $\rho_{2}(x_{2};r)=\sum_{j}q_{j}|\psi_{2}^{(j)}(x_{2};r)\rangle\langle\psi_{2}^{(j)}(x_{2};r)|.$ The joint message state is

\rho(x_{1},x_{2};r):=\sum_{i,j}p_{i}q_{j}|\psi_{1}^{(i)}(x_{1};r),\psi_{2}^{(j)}(x_{2};r)\rangle\langle\psi_{1}^{(i)}(x_{1};r),\psi_{2}^{(j)}(x_{2};r)|

and its probabilistic mixture over the shared random string $r$ is

\rho(x_{1},x_{2}):=\sum_{r}\pi(r)\rho(x_{1},x_{2};r)=\sum_{i,j,r}p_{i}q_{j}\pi(r)|\psi_{1}^{(i)}(x_{1};r),\psi_{2}^{(j)}(x_{2};r)\rangle\langle\psi_{1}^{(i)}(x_{1};r),\psi_{2}^{(j)}(x_{2};r)|.

Rephrasing the probability distribution $\{\pi(r)p_{i}q_{j}\}_{i,j,r}$ and the pure message states $|\psi_{1}^{(i)}(x_{1};r)\rangle$ , $|\psi_{2}^{(j)}(x_{2};r)\rangle$ to $\{\pi(r)\}_{r}$ and $|\psi_{1}(x_{1};r)\rangle,|\psi_{2}(x_{2};r)\rangle$ respectively, we can assume that they generate pure states as their messages from the beginning.

We denote by $|\psi(x_{1},x_{2};r)\rangle$ their joint state $|\psi_{1}(x_{1};r)\rangle\otimes|\psi_{2}(x_{2};r)\rangle$ . Namely, we set

\rho(x_{1},x_{2};r):=|\psi(x_{1},x_{2};r)\rangle\langle\psi(x_{1},x_{2};r)|=|\psi_{1}(x_{1};r)\rangle\langle\psi_{1}(x_{1};r)|\otimes|\psi_{2}(x_{2};r)\rangle\langle\psi_{2}(x_{2};r)|.

(2)

In addition, we set

\rho(x_{1},x_{2}):=\sum_{r}\pi(r)\rho(x_{1},x_{2};r),

(3)

where $\pi(r)$ denotes the probability that $r$ is selected as a shared random string under the uniform distribution.

As mentioned above, we use the purity as a collision measure of quantum messages in order to obtain lower bounds of quantum message length from upper bounds of the purity. We set $\rho:=\sum_{x_{1},x_{2}}\mu(x_{1},x_{2})\rho(x_{1},x_{2})$ . We then have

	$\displaystyle\frac{1}{\dim(\mathcal{M})}$	$\displaystyle\leq\mathrm{tr}\rho^{2}=\mathrm{tr}\left(\sum_{x_{1},x_{2}}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\right)^{2}$
		$\displaystyle=\mathrm{tr}\sum_{x_{1},x_{2},x^{\prime}_{1},x^{\prime}_{2}}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2}).$		(4)

Then, the purity of $\rho$ is upper-bounded as follows.

Claim 2.

\displaystyle\mathrm{tr}\rho^{2}\leq\beta(\mu)^{-1}\mathrm{tr}\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2}).

The proof of this claim is done by a combinatorial analysis of the trace as a quantum counterpart of the analysis of the collision probability in [1]. The detailed proof will be given in Appendix A.

Next, we consider an upper bound of

\mathrm{tr}\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2}).

(5)

Actually, we show that for every $r$ and $r^{\prime}$ ,

\mathrm{tr}\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\rho(x_{1},x_{2};r)\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2};r^{\prime})

is at most $2\alpha(\mu)2^{-H_{\infty}(\mu)}$ as this implies that Eq. (5) is also at most $2\alpha(\mu)2^{-H_{\infty}(\mu)}$ (by Eq. (3)). This completes the proof of Lemma 3.1 by Claim 2 and Eq. (4).

Now we fix any $r$ and $r^{\prime}$ . From Eq. (2) and the union bound, we have

$\displaystyle\mathrm{tr}\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\rho(x_{1},x_{2};r)\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2};r^{\prime})$
	$\displaystyle=\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}\cdot\lvert\langle\psi_{2}(x_{2};r)\|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}.$
	$\displaystyle\leq\sum_{x_{1}\neq x^{\prime}_{1},x_{2},x^{\prime}_{2}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}\cdot\lvert\langle\psi_{2}(x_{2};r)\|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}.$
	$\displaystyle\ \ \ \ +\sum_{x_{1},x^{\prime}_{1},x_{2}\neq x^{\prime}_{2}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}\cdot\lvert\langle\psi_{2}(x_{2};r)\|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}.$	(6)

It suffices to show that the first term of the right-hand of Eq. (6) is at most $\alpha(\mu)2^{-H_{\infty}(\mu)}$ from the symmetry of $P_{1}$ and $P_{2}$ .

Note that we can regard the referee as a POVM $R=\{R_{y}\}_{y\in\{0,1\}}$ . The following claim demonstrates that the referee is projective in the two-party PSQM setting. (Its proof will be given in Appendix A.)

Claim 3.

The referee $R=\{R_{y}\}_{y\in\{0,1\}}$ is a PVM.

In the classical case of [1], Applebaum et al. used the fact that for every $x_{1}$ and every $r,r^{\prime}$ there exists at most one $z$ such that $|\psi_{1}(x_{1};r)\rangle=|\psi_{1}(z;r^{\prime})\rangle$ if $|\psi_{1}(x_{1};r)\rangle,|\psi_{1}(z;r^{\prime})\rangle$ are classical; that is, either $\langle\psi_{1}(x_{1};r)|\psi_{1}(z;r^{\prime})\rangle=0$ or $\langle\psi_{1}(x_{1};r)|\psi_{1}(z;r^{\prime})\rangle=1$ , which can be derived from the non-degeneracy of $F_{n}$ . However, we cannot demonstrate the same fact for quantum messages. Instead, we can prove the following relaxed version of the fact for quantum messages.

Lemma 3.4.

If $F_{n}$ is non-degenerate, we have

\sum_{z\neq x_{1}}\lvert\langle\psi_{1}(x_{1};r)|\psi_{1}(z;r^{\prime})\rangle\rvert^{2}\leq 1

for every $r,r^{\prime}$ and every $x_{1}$ . Similarly

\sum_{z}\lvert\langle\psi_{2}(x_{2};r)|\psi_{2}(z;r^{\prime})\rangle\rvert^{2}\leq 1

for every $r,r^{\prime}$ and every $x_{2}$ .

The proof of this lemma will be given in Appendix A.

Let $w_{1}(x_{1},x^{\prime}_{1}):=\lvert\langle\psi_{1}(x_{1};r)|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}$ and let $w_{2}(x_{2},x^{\prime}_{2}):=\lvert\langle\psi_{2}(x_{2};r)|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}$ . We say that $x_{1}$ collides with $x^{\prime}_{1}$ if $w_{1}(x_{1},x^{\prime}_{1})>0$ . Similarly, we say that $x_{2}$ collides with $x^{\prime}_{2}$ if $w_{2}(x_{2},x^{\prime}_{2})>0$ .

Now, our final goal is to upper-bound

\sum_{x_{1}\neq x^{\prime}_{1},x_{2},x^{\prime}_{2}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})w_{1}(x_{1},x^{\prime}_{1})w_{2}(x_{2},x^{\prime}_{2}).

(7)

Let $C(x_{1})$ be the set of the elements in $\mathcal{X}_{1}$ with which $x_{1}$ collides except for $x_{1}$ itself. Similarly, let $C(x_{2})$ be the set of the elements in $\mathcal{X}_{2}$ with which $x_{2}$ collides (note that $C(x_{2})$ may contain $x_{2}$ ).

Let $\mathbf{x_{1}}:=(x_{1}:C(x_{1})\neq\emptyset)$ with an arbitrary (e.g., lexicographical) order in $\mathcal{X}_{1}$ . We denote $\mathbf{x_{1}}=(u_{1},u_{2},\ldots,u_{k})$ . Then, we select any element $\mathbf{x_{1}}^{\prime}=(u^{\prime}_{1},u^{\prime}_{2},\ldots,u^{\prime}_{k})$ from $C(u_{1})\times\cdots\times C(u_{k})$ . Note that $u_{i}$ collides with $u^{\prime}_{i}$ and $u_{i}\neq u^{\prime}_{i}$ for every $i$ . Similarly, let $\mathbf{x_{2}}:=(x_{2}:C(x_{2})\neq\emptyset)=(v_{1},v_{2},\ldots,v_{\ell})$ with an arbitrary order in $\mathcal{X}_{2}$ , and we then select any element $\mathbf{x_{2}}^{\prime}=(v^{\prime}_{1},v^{\prime}_{2},\ldots,v^{\prime}_{\ell})$ from $C(v_{1})\times\cdots\times C(v_{\ell})$ .

Then, we can show that for every choice of $\mathbf{x_{1}}^{\prime}$ and $\mathbf{x_{2}}^{\prime}$ , we have

\sum_{i,j}\mu(u_{i},v_{j})\mu(u^{\prime}_{i},v^{\prime}_{j})\leq\alpha(\mu)2^{-H_{\infty}(\mu)}.

The reason is as follows. We consider two rectangles $\mathcal{R}:=(\mathbf{x_{1}},\mathbf{x_{2}})$ and $\mathcal{R}^{\prime}:=(\mathbf{x^{\prime}_{1}},\mathbf{x^{\prime}_{2}})$ . We observe that $R(|\psi_{1}(x_{1};r)\rangle|\psi_{2}(x_{2};r)\rangle)=R(|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle)$ (where $R(|\varphi\rangle)$ denotes the classical value that $R$ outputs on input $|\varphi\rangle$ ) if $x_{1}$ collides with $x^{\prime}_{1}$ and $x_{2}$ collides with $x^{\prime}_{2}$ from the perfect correctness. Therefore, $\mathcal{X}_{1}$ -disjoint rectangles $\mathcal{R}$ and $\mathcal{R}^{\prime}$ are similar; that is, $F_{n}[\mathcal{R}]=F_{n}[\mathcal{R}^{\prime}]$ . Without loss of generality, we can assume that $\mu(\mathcal{R})\leq\mu(\mathcal{R}^{\prime})$ . Hence, we have $\mu(\mathcal{R})\leq\alpha(\mu)$ . Thus, we can see that for random variables $X_{1},X_{2},X^{\prime}_{1},X^{\prime}_{2}$

	$\displaystyle\sum_{i,j}\mu(u_{i},v_{j})\mu(u^{\prime}_{i},v^{\prime}_{j})$	$\displaystyle=\sum_{i,j}\Pr\left[\,(X_{1},X_{2})=(u_{i},v_{j})\wedge(X^{\prime}_{1},X^{\prime}_{2})=(u^{\prime}_{i},v^{\prime}_{j})\,\right]$
		$\displaystyle\leq\max_{(x_{1},x_{2})}\mu(x_{1},x_{2})\sum_{i,j}\Pr\left[\,(X_{1},X_{2})=(u_{i},v_{j})\,\right]$
		$\displaystyle\leq 2^{-H_{\infty}(\mu)}\alpha(\mu).$

Furthermore, it holds for every $i,j$ that

	$\displaystyle\sum_{u^{\prime}_{i}\in C(u_{i}),v^{\prime}_{j}\in C(v_{j})}w_{1}(u_{i},u^{\prime}_{i})w_{2}(v_{j},v^{\prime}_{j})$	$\displaystyle=\sum_{u^{\prime}_{i}\in C(u_{i})}w_{1}(u_{i},u^{\prime}_{i})\left(\sum_{v^{\prime}_{j}\in C(v_{j})}w_{2}(v_{j},v^{\prime}_{j})\right)$
		$\displaystyle\leq\sum_{u^{\prime}_{i}\in C(u_{i})}w_{1}(u_{i},u^{\prime}_{i})\leq 1$

from Lemma 3.4. Thus, we have

	$\displaystyle\sum_{x_{1}\neq x^{\prime}_{1},x_{2},x^{\prime}_{2}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})w_{1}(x_{1},x^{\prime}_{1})w_{2}(x_{2},x^{\prime}_{2})$
		$\displaystyle=\sum_{i,j}\sum_{u^{\prime}_{i}\in C(u_{i}),v^{\prime}_{j}\in C(v_{j})}\mu(u_{i},v_{j})\mu(u^{\prime}_{i},v^{\prime}_{j})w_{1}(u_{i},u^{\prime}_{i})w_{2}(v_{j},v^{\prime}_{j})$
		$\displaystyle\leq\sum_{i,j}\mu(u_{i},v_{j})\mu(\hat{u}_{i},\hat{v}_{j})\sum_{u^{\prime}_{i}\in C(u_{i}),v^{\prime}_{j}\in C(v_{j})}w_{1}(u_{i},u^{\prime}_{i})w_{2}(v_{j},v^{\prime}_{j})$
		$\displaystyle\leq\sum_{i,j}\mu(u_{i},v_{j})\mu(\hat{u}_{i},\hat{v}_{j})$
		$\displaystyle\leq\alpha(\mu)2^{-H_{\infty}(\mu)},$

where $\mu(\hat{u}_{i},\hat{v}_{j})=\max_{u^{\prime}_{i}\in C(u_{i}),v^{\prime}_{j}\in C(v_{j})}\mu(u^{\prime}_{i},v^{\prime}_{j})$ . Eventually, an upper bound of Eq. (7) is $\alpha(\mu)2^{-H_{\infty}(\mu)}$ .

4 Power of Shared Entanglement for Total Functions

In this section, we prove Theorem 1.2, which implies a factor two gap between PSQMs with shared entanglement and without shared entanglement for a total function. The main part of Theorem 1.2 provides a $k$ -party PSQM protocol for a total function $GEQ_{2l}:(\{0,1\}^{2l})^{k}\rightarrow\{0,1\}$ defined by

GEQ_{2l}(x_{1},x_{2},\ldots,x_{k})=\left\{\begin{array}[]{ll}1&(\sum_{j=1}^{k}x_{j}^{1}=\sum_{j=1}^{k}x_{j}^{2}=\cdots=\sum_{j=1}^{k}x_{j}^{2l-1}=\sum_{j=1}^{k}x_{j}^{2l}=0),\\ 0&(\mbox{otherwise}),\end{array}\right.

where each $x_{j}=x_{j}^{1}x_{j}^{2}\cdots x_{j}^{2l-1}x_{j}^{2l}$ is an element of $\{0,1\}^{2l}$ , and the summation is taken over $\mathbb{F}_{2}$ . To reduce the communication complexity from the trivial $2kl$ qubits to $kl$ qubits, we encode half of the input bits by bit flipping of the shared state $\frac{1}{\sqrt{2}}(|0^{k}\rangle+|1^{k}\rangle)$ (called the $k$ -qubit GHZ state) among the $k$ parties, and the other half by phase flipping of the state, by a method similar to superdense coding (e.g., see [26]). More precisely, we exploit an encoding similar to two-party quantum SMP protocols with shared entangled states to compute the equality function [20]. However, this is not sufficient for PSQM protocols. To convert quantum SMP protocols into PSQM protocols, we further use shared randomness among the $k$ parties, and hide the input strings from the referee except for the output of the function $GEQ_{2l}$ . This hiding can be shown to be possible by multiplying a random element in $\mathbb{F}_{2^{2l}}^{*}$ by the element in $\mathbb{F}_{2^{2l}}^{*}$ that corresponds to the input $x_{j}$ .

For the proof of Theorem 1.2, we first consider a PSQM protocol for a finite function. Let $Sum_{2}:(\{0,1\}^{2})^{k}\rightarrow\{0,1\}^{2}$ be

Sum_{2}(x_{1},x_{2},\ldots,x_{k})=\left(\sum_{j=1}^{k}x_{j}^{1},\sum_{j=1}^{k}x_{j}^{2}\right),

where each $x_{j}=x_{j}^{1}x_{j}^{2}$ is an element of $\{0,1\}^{2}$ , and the summation is taken over $\mathbb{F}_{2}$ .

Lemma 4.1.

For any even (resp. odd) $k$ , $Q^{psm,*}_{0}(Sum_{2})\leq k$ (resp. $\leq k+1$ ).

Proof 4.2.

First, we consider the case in which $k$ is even. The quantum protocol is as follows.

Protocol ${\cal P}_{Sum_{2}}$ :

0. All the parties share the entangled state

\frac{1}{\sqrt{2}}\left(\bigotimes_{j=1}^{k}|0\rangle_{Q_{j}}+\bigotimes_{j=1}^{k}|1\rangle_{Q_{j}}\right),

where the single-qubit register $Q_{j}$ is owned by party $P_{j}$ . Moreover, the parties share a $k$ -bit string $r=r_{1}r_{2}\cdots r_{k}$ such that $\sum_{j=1}^{k}r_{j}=0$ .

1. Each party $P_{j}$ applies $Z$ on $Q_{j}$ if $x_{j}^{2}=1$ . The resulting state is

\frac{1}{\sqrt{2}}\left(\bigotimes_{j=1}^{k}|0\rangle_{Q_{j}}+\bigotimes_{j=1}^{k}(-1)^{\sum_{j=1}^{k}x_{j}^{2}}|1\rangle_{Q_{j}}\right).

2. Each party $P_{j}$ applies $X$ on $Q_{j}$ if $x_{j}^{1}\oplus r_{j}=1$ . The resulting state is

\frac{1}{\sqrt{2}}\left(\bigotimes_{j=1}^{k}|x_{j}^{1}\oplus r_{j}\rangle_{Q_{j}}+(-1)^{\sum_{j=1}^{k}x_{j}^{2}}\bigotimes_{j=1}^{k}|x_{j}^{1}\oplus r_{j}\oplus 1\rangle_{Q_{j}}\right).

(8)

3. Each party $P_{j}$ sends $Q_{j}$ to the referee $R$ .

4. $R$ measures quantum registers $Q_{1},Q_{2},\ldots,Q_{k}$ in the basis

\left\{|\Phi(y_{1},y_{2},\ldots,y_{k-1},z)\rangle:=\frac{1}{\sqrt{2}}\left(|y_{1},y_{2},\ldots,y_{k-1},0\rangle+(-1)^{z}|y_{1}\oplus 1,y_{2}\oplus 1,\ldots,y_{k-1}\oplus 1,1\rangle\right)\right\},

and let $y_{1}y_{2}\cdots y_{k-1}z$ be the measurement result.

5. $R$ outputs the two bits $\sum_{j=1}^{k-1}y_{j}$ and $z$ .

Correctness: The second bit of the output of $R$ is $z=\sum_{j=1}^{k}x_{j}^{2}$ , as desired. For the first bit, we consider two cases: (i) $x_{k}^{1}\oplus r_{k}=0$ and (ii) $x_{k}^{1}\oplus r_{k}=1$ . We first consider case (i). Then, $y_{j}=x_{j}^{1}\oplus r_{j}$ for $j=1,2,\ldots,k-1$ , and we thus obtain the desired output

\sum_{j=1}^{k-1}y_{j}=\sum_{j=1}^{k-1}x_{j}^{1}\oplus r_{j}=\sum_{j=1}^{k}x_{j}^{1}\oplus r_{j}=\sum_{j=1}^{k}x_{j}^{1},

where the second inequality originates from $x_{k}^{1}\oplus r_{k}=0$ , and the last equality originates from $\sum_{j=1}^{k}r_{k}=0$ . For case (ii), $y_{j}=x_{j}^{1}\oplus r_{j}\oplus 1$ for $j=1,2,\ldots,k-1$ , and we thus obtain the desired output

\sum_{j=1}^{k-1}y_{j}=\sum_{j=1}^{k-1}x_{j}^{1}\oplus r_{j}\oplus 1=\left(\sum_{j=1}^{k-1}x_{j}^{1}\oplus r_{j}\right)\oplus 1=\sum_{j=1}^{k}x_{j}^{1}\oplus r_{j}=\sum_{j=1}^{k}x_{j}^{1},

where the second equality originates from the fact that $k$ is even, the third equality originates from $x_{k}^{1}\oplus r_{k}=1$ , and the last equality originates from $\sum_{j=1}^{k}r_{k}=0$ .

Privacy: Let the output of $Sum_{2}$ be $(b_{1},b_{2})$ , where $b_{1}=\sum_{j=1}^{k}x_{j}^{1}$ and $b_{2}=\sum_{j=1}^{k}x_{j}^{2}$ . As $R$ has no knowledge about $r_{1},\ldots,r_{k}$ except that the sum is $0$ , we can observe that the quantum state that $R$ receives (represented by Eq. (8)) is taken from the set of $2^{k-2}$ orthogonal pure states

\left\{|\Phi(y_{1},\ldots,y_{k-1},b_{2})\rangle:\leavevmode\nobreak\ \sum_{j=1}^{k-1}y_{j}=b_{1}\right\}

(up to the total phase) uniformly at random. Thus, the simulator can simulate the distribution of the message given the output of $Sum_{2}$ .

In the case in which $k$ is odd, the last party $P_{k}$ prepares an extra two-bit string $x_{k+1}=00$ , and ${\cal P}_{Sum_{2}}$ is run for the $(k+1)$ -party case, where $P_{k}$ also plays the role of the party $P_{k+1}$ .

Next, we present the main lemma for Theorem 1.2.

Lemma 4.3.

For any even (resp. odd) $k$ , $Q^{psm,*}_{0}(GEQ_{2l})\leq kl$ (resp. $\leq(k+1)l$ ).

Proof 4.4.

We only demonstrate the case in which $k$ is even (as the odd case is considered similarly to the proof of Lemma 4.1). The quantum protocol is as follows.

Protocol ${\cal P}_{GEQ_{2l}}$ :

0. All parties share the entangled state

\bigotimes_{i=1}^{l}\left(\frac{1}{\sqrt{2}}\left(\bigotimes_{j=1}^{k}|0\rangle_{Q_{j}^{i}}+\bigotimes_{j=1}^{k}|1\rangle_{Q_{j}^{i}}\right)\right),

where the single-qubit registers $Q_{j}^{1},\ldots,Q_{j}^{l}$ are owned by party $P_{j}$ . Moreover, they share $l$ $k$ -bit strings $r^{i}:=r_{1}^{i}r_{2}^{i}\cdots r_{k}^{i}$ such that $\sum_{j=1}^{k}r_{j}^{i}=0$ ( $i=1,2,\ldots,l$ ), and a non-zero $2l$ -bit string $r^{\prime}=r^{\prime}_{1}r^{\prime}_{2}\cdots r^{\prime}_{2l-1}r^{\prime}_{2l}$ .

1. Each party $P_{j}$ computes the $2l$ -bit string $a_{j}=a_{j}^{1}a_{j}^{2}\cdots a_{j}^{2l}$ defined as ${\sf p}(a_{j})={\sf p}(r^{\prime}){\sf p}(x_{j})$ .

2. Each party $P_{j}$ applies $Z$ on $Q_{j}^{i}$ if $a_{j}^{2i}=1$ . The resulting state is

\bigotimes_{i=1}^{l}\left(\frac{1}{\sqrt{2}}\left(\bigotimes_{j=1}^{k}|0\rangle_{Q_{j}^{i}}+\bigotimes_{j=1}^{k}(-1)^{\sum_{j=1}^{k}a_{j}^{2i}}|1\rangle_{Q_{j}^{i}}\right)\right).

3. Each party $P_{j}$ applies $X$ on $Q_{j}^{i}$ if $a_{j}^{2i-1}\oplus r_{j}^{i}=1$ . The resulting state is

\bigotimes_{i=1}^{l}\left(\frac{1}{\sqrt{2}}\left(\bigotimes_{j=1}^{k}|a_{j}^{2i-1}\oplus r_{j}^{i}\rangle_{Q_{j}^{i}}+(-1)^{\sum_{j=1}^{k}a_{j}^{2i}}\bigotimes_{j=1}^{k}|a_{j}^{2i-1}\oplus r_{j}^{i}\oplus 1\rangle_{Q_{j}^{i}}\right)\right).

(9)

4. Each party $P_{j}$ sends $l$ quantum registers $Q_{j}^{1},\ldots,Q_{j}^{l}$ to $R$ .

5. $R$ measures $kl$ quantum registers $Q_{1}^{1},\ldots,Q_{k}^{1},\ldots,Q_{1}^{l},\ldots,Q_{k}^{l}$ in the basis

B:=\left\{\bigotimes_{j=1}^{l}|\Phi(y_{1}^{i},\ldots,y_{k-1}^{i},z^{i})\rangle:\leavevmode\nobreak\ y_{1}^{i}\cdots y_{k-1}^{i}z^{i}\in\{0,1\}^{k}\leavevmode\nobreak\ \mbox{for every}\leavevmode\nobreak\ i\in[l]\right\},

and let $y_{1}^{i}y_{2}^{i}\cdots y_{k-1}^{i}z^{i}$ ( $i=1,\cdots,l$ ) be the measurement results.

6. $R$ accepts if $\left(\sum_{j=1}^{k-1}y_{j}^{i}\right)=z^{i}=0$ for all $i=1,\cdots,l$ and rejects otherwise.

Correctness: Note that $(\sum_{j=1}^{k}x_{j}^{1},\ldots,\sum_{j=1}^{k}x_{j}^{2l})=(0,\ldots,0)$ if and only if $(\sum_{j=1}^{k}a_{j}^{1},\ldots,\sum_{j=1}^{k}a_{j}^{2l})=(0,\ldots,0)$ , since

{\sf p}\left((\sum_{j=1}^{k}a_{j}^{1},\ldots,\sum_{j=1}^{k}a_{j}^{2l})\right)={\sf p}(r^{\prime}){\sf p}\left((\sum_{j=1}^{k}x_{j}^{1},\ldots,\sum_{j=1}^{k}x_{j}^{2l})\right).

(10)

Now, the correctness of ${\cal P}_{Sum_{2}}$ in Lemma 4.1 also guarantees the correctness of ${\cal P}_{GEQ_{2l}}$ .

Privacy: First, we consider the case in which $GEQ_{2l}(x_{1},x_{2},\ldots,x_{k})=0$ : that is, $(\sum_{j=1}^{k}x_{j}^{1},\ldots,\sum_{j=1}^{k}x_{j}^{2l})=(0,\ldots,0)$ . Then, as demonstrated in Eq. (10), $(a_{1},a_{2},\ldots,a_{k})$ satisfies $(\sum_{j=1}^{k}a_{j}^{1},\ldots,\sum_{j=1}^{k}a_{j}^{2l})=(0,\ldots,0)$ . Moreover, $(a_{1}^{2i-1},a_{2}^{2i-1},\ldots,a_{k}^{2i-1})$ is uniformly randomized by $r^{i}$ in Step 3 under the restriction that the sum is $0$ . Thus, the quantum state that $R$ receives (represented by Eq. (9)) is taken from the set of $2^{(k-2)l}$ orthogonal pure states

\left\{\bigotimes_{i=1}^{l}|\Phi(y_{1}^{i},\ldots,y_{k-1}^{i},0)\rangle:\leavevmode\nobreak\ \sum_{j=1}^{k-1}y_{j}^{i}=0\leavevmode\nobreak\ \mbox{for every}\leavevmode\nobreak\ i\in[l]\right\}

(up to the total phase) uniformly at random. Second, we consider the case in which $GEQ_{2l}(x_{1},x_{2},\ldots,x_{k})=1$ , i.e., $(\sum_{j=1}^{k}x_{j}^{1},\ldots,\sum_{j=1}^{k}x_{j}^{2l})$ is in the set

S:=\{(b_{1},\ldots,b_{2l}):\leavevmode\nobreak\ b_{1}\cdots b_{2l}\in\{0,1\}^{2l}\}\setminus\{(0,\ldots,0)\}.

Then, by Eq. (10), $(a_{1},a_{2},\ldots,a_{k})$ is taken so that $(\sum_{j=1}^{k}a_{j}^{1},\ldots,\sum_{j=1}^{k}a_{j}^{2l})$ can be distributed from $S$ uniformly at random. Moreover, $(a_{1}^{2i-1},a_{2}^{2i-1},\ldots,a_{k}^{2i-1})$ is uniformly randomized by $r^{i}$ in Step 3 under the restriction that the sum remains the same (since $\sum_{j=1}^{k}r_{j}^{i}=0$ ). Thus, the quantum state that $R$ receives (represented by Eq. (9)) is taken from the set of $(2^{2l}-1)2^{(k-2)l}$ orthogonal pure states

B\setminus\left\{\bigotimes_{i=1}^{l}|\Phi(y_{1}^{i},\ldots,y_{k-1}^{i},0)\rangle:\leavevmode\nobreak\ \sum_{j=1}^{k-1}y_{j}^{i}=0\leavevmode\nobreak\ \mbox{for every}\leavevmode\nobreak\ i\in[l]\right\}

(up to the total phase) uniformly at random.

Now Lemma 4.3 provides the upper bound $kn/2$ of Theorem 1.2. The lower bound $kn$ of Theorem 1.2 originates from the lower bound $n$ of the exact (two-party) one-way quantum communication complexity with no shared entanglement of the $n$ -bit equality function (see, e.g., [24, Theorem 5.11]) as it implies that for any $j\in[k]$ , the $j$ th party must send $n$ qubits (considering the one-way communication setting from the $j$ th party with input $x\in\{0,1\}^{n}$ to the group of the referee and the other $k-1$ parties in which one party has input $y\in\{0,1\}^{n}$ and the $k-2$ remaining parties have input $0^{n}$ , the length of the message of the $j$ th party must be $n$ ). This completes the proof of Theorem 1.2.

Actually, the upper bound $kl$ of Lemma 4.3 for $GEQ_{2l}$ is tight when $k$ is even. The matching lower bound $kl$ originates from the lower bound $l$ of the exact one-way quantum communication complexity with shared entanglement of the $2l$ -bit equality function shown by Klauck [24, Theorem 5.12] as it implies that each party must send $l$ qubits.

5 Power of Shared Entanglement for Partial Functions

In this section, we prove Theorem 1.3. We consider the so-called distributed Deutsch-Jozsa problem $DJ_{n}$ introduced by Brassard, Cleve, and Tapp [5]. First we show that $C_{0}^{psm,*}(DJ_{n})=O(\log n)$ . Our PSM protocol is based on the protocol provided in [5], which we modify so that the privacy condition can be satisfied. Second we show $Q_{0}^{psm}(DJ_{n})=\Omega(n)$ by observing that the fact that the exact classical and quantum SMP communication complexities are the same for total functions can be extended to the case of partial functions.

Let $n$ be any power of $2$ . The distributed Deutsch-Jozsa problem $DJ_{n}:\{0,1\}^{n}\times\{0,1\}^{n}\rightarrow\{0,1\}$ , introduced in [5], is defined as

DJ_{n}(x,y)=\left\{\begin{array}[]{ll}1&\mbox{if}\leavevmode\nobreak\ \leavevmode\nobreak\ x=y\\ 0&\Delta(x,y)=n/2,\end{array}\right.

where $\Delta(x,y)$ denotes the Hamming distance between $x=x_{0}x_{1}\cdots x_{n-1}$ and $y=y_{0}y_{1}\cdots y_{n-1}$ .

Lemma 5.1.

There is a PSM protocol with shared entanglement that solves $DJ_{n}$ with probability $1$ , and the classical communication complexity is $2\log n$ .

Proof 5.2.

The PSM protocol is as follows.

Protocol ${\cal P}_{DJ}$ : Let $n=2^{m}$ .

0. $P_{1}$ and $P_{2}$ share the entangled state

\frac{1}{\sqrt{n}}\sum_{i\in\{0,1\}^{m}}|i\rangle_{A}|i\rangle_{B}

and the two prearranged random $m$ -bit strings $r\in\{0,1\}^{m}\setminus\{0^{m}\}$ and $r^{\prime}\in\{0,1\}^{m}$ .

1. $P_{1}$ (resp. $P_{2}$ ) adds phase $(-1)^{x_{i}}$ ( $(-1)^{y_{i}}$ ) to the $m$ -qubit register $A$ ( $B$ ) if the content of $A$ ( $B$ ) is $i$ (where $i\in\{0,1\}^{m}$ is identified as the corresponding non-negative integer). The resulting state is

\frac{1}{\sqrt{n}}\sum_{i\in\{0,1\}^{m}}(-1)^{x_{i}}|i\rangle_{A}(-1)^{y_{i}}|i\rangle_{B}.

2. $P_{1}$ and $P_{2}$ apply the Hadamard gate $H$ for each qubit of their registers $A$ and $B$ , respectively. The resulting state is

\frac{1}{n\sqrt{n}}\sum_{i\in\{0,1\}^{m}}\left((-1)^{x_{i}}\sum_{k\in\{0,1\}^{m}}(-1)^{i\cdot k}|k\rangle_{A}\right)\left((-1)^{y_{i}}\sum_{l\in\{0,1\}^{m}}(-1)^{i\cdot l}|l\rangle_{B}\right).

(11)

3. $P_{1}$ and $P_{2}$ measure $A$ and $B$ in the computational basis, respectively, and let $K$ and $L$ be the resulting bit strings in $\{0,1\}^{m}$ .

4. $P_{1}$ and $P_{2}$ send classical messages $m_{A}$ and $m_{B}$ defined as ${\sf p}(m_{A})={\sf p}(r){\sf p}(K)+{\sf p}(r^{\prime})$ and ${\sf p}(m_{B})={\sf p}(r){\sf p}(L)+{\sf p}(r^{\prime})$ to $R$ , respectively.

5. $R$ accepts if $m_{A}=m_{B}$ and rejects otherwise.

Correctness: Note that the amplitude of $|k\rangle_{A}|l\rangle_{B}$ in Eq. (11) is

\frac{1}{n^{3/2}}\sum_{i\in\{0,1\}^{m}}(-1)^{x_{i}\oplus y_{i}}(-1)^{i\cdot(k\oplus l)}.

(12)

When $x=y$ , Eq. (12) is $0$ if $K\neq L$ . Thus, the event $K=L$ occurs with probability $1$ ; therefore, $R$ always accepts. When $\Delta(x,y)=n/2$ , Eq. (12) is $0$ if $K=L$ . Thus, the event $K\neq L$ occurs with probability $1$ ; therefore, $R$ always rejects.

Privacy: Again, by Eq. (12), if $x=y$ , then $K=L=k$ is obtained with $1/n$ for each $k\in\{0,1\}^{m}$ . Thus, the simulator can simulate the messages by generating the same $m$ -bit string chosen uniformly at random as $P_{1}$ ’s and $P_{2}$ ’s messages. If $\Delta(x,y)=n/2$ , the element ${\sf p}(K)-{\sf p}(L)$ in $\mathbb{F}_{2^{m}}$ is nonzero; thus, the difference between ${\sf p}(r){\sf p}(K)+{\sf p}(r^{\prime})$ and ${\sf p}(r){\sf p}(L)+{\sf p}(r^{\prime})$ is distributed uniformly at random in $\mathbb{F}_{2^{m}}^{*}$ . Moreover, ${\sf p}(K)$ (and ${\sf p}(L)$ ) is distributed uniformly at random in $\mathbb{F}_{2^{m}}$ by multiplying ${\sf p}(r)$ and adding ${\sf p}(r^{\prime})$ . Thus, the simulator can simulate the messages by choosing two different $m$ -bit non-zero strings uniformly at random as $P_{1}$ ’s and $P_{2}$ ’s messages.

Using the result in [7] that $DJ_{n}$ has the exact classical communication complexity $\Omega(n)$ (even in the two-way communication model), we can show that $DJ_{n}$ provides the following exponential separation between exact PSMs with shared entanglement and exact PSQMs without shared entanglement. (Note that Theorem 5.3 implies Theorem 1.3, namely, an exponential gap between $Q^{psm,*}_{0}(DJ_{n})$ and $Q^{psm}_{0}(DJ_{n})$ , as well as between $C^{psm,*}_{0}(DJ_{n})$ and $C^{psm}_{0}(DJ_{n})$ .)

Theorem 5.3.

$C^{psm,*}_{0}(DJ_{n})=O(\log n)$ and $Q^{psm}_{0}(DJ_{n})=\Omega(n)$ .

Proof 5.4.

The upper bound $C^{psm,*}_{0}(DJ_{n})=O(\log n)$ is shown by Lemma 5.1.

The lower bound comes from the fact that both the exact quantum and classical SMP communication complexities of a total function $f$ over $X\times Y$ are equal to the sum of the number of the different row vectors of the communication matrix of $f$ , $M_{f}$ , and the number of the different column vectors of $M_{f}$ (this fact can be found in [30, p.142]). The proof idea is that any two (classical or quantum) messages $m_{x}$ and $m_{x^{\prime}}$ corresponding to different row vectors indexed with input $x$ and $x^{\prime}$ must be perfectly distinguished since there is some column input $y$ such that $M_{f}(x,y)\neq M_{f}(x^{\prime},y)$ (and a similar argument holds for different column vectors), and choosing different messages for such different row vectors or column vectors is sufficient for the referee to compute $f$ exactly. This proof idea also holds for a partial function by replacing the number of the different row (resp. column) vectors by the size of the maximum clique of the graph $G_{1}(M_{f})=(X,E_{1,f})$ (resp. $G_{2}(M_{f})=(Y,E_{2,f})$ ) defined as follows: two rows $x$ and $x^{\prime}$ (resp. columns $y$ and $y^{\prime}$ ) have an edge in $E_{1,f}$ (resp. $E_{2,f}$ ) if and only if there is a column $y$ (resp. row $x$ ) such that $(x,y)$ and $(x^{\prime},y)$ (resp. $(x,y)$ and $(x,y^{\prime})$ ) are in the domain of the partial function $f$ and $M_{f}(x,y)\neq M_{f}(x^{\prime},y)$ (resp. $M_{f}(x,y)\neq M_{f}(x,y^{\prime})$ ).

The above observation implies that the exact quantum and classical SMP communication complexities of the partial function $DJ_{n}$ are the same. By the result in [7], $DJ_{n}$ has the exact classical communication complexity $\Omega(n)$ . This concludes the desired lower bound $Q^{psm}_{0}(DJ_{n})=\Omega(n)$ .

Theorem 5.3 provides an exponential gap between PSMs with shared entanglement and PSQMs without shared entanglement for partial functions; however, it is obtained only in the exact setting, and we do not know whether this exponential gap can be obtained in the bounded-error setting for partial or total functions. However, we can observe that there is a relational problem that has an exponential gap between PSMs with shared entanglement and PSQMs without shared entanglement in the bounded-error setting from the result by Gavinsky et al. [18]. They demonstrated that the problem has an exponentially smaller communication complexity of a classical SMP protocol with shared entanglement than the communication complexity of quantum SMP protocols only with shared randomness, while it is easy to see that their protocol is in fact a PSQM.

6 Conclusion

This paper introduced a quantum analogue of the well-studied PSM model which was called the PSQM model, and provided several initial results in the exact setting. Here we list a number of open problems.

•

Can the lower bound of Theorem 1.1 be extended to the bounded-error setting or to the shared entanglement case?
•

Can any non-trivial communication complexity gap between the PSM model and the PSQM model for some function in the bounded-error setting? How about any non-trivial communication complexity gap between the PSQM model with shared entanglement and the PSQM model without it in the bounded-error setting?
•

The PSQM model in this paper was defined only for perfect privacy. What results are obtained for imperfect privacy? To extend the lower bound of Theorem 1.1 to imperfect privacy, a quantumly tailored modification of [1, Section 5] might be worth considering, while it seems much more complicated than the proof of Theorem 1.1.

References

[1] Benny Applebaum, Thomas Holenstein, Manoj Mishra, and Ofer Shayevitz. The communication complexity of private simultaneous messages, revisited. Journal of Cryptology 33(3), 916–953 (2020).
[2] Amos Beimel, Eyal Kushilevitz, and Pnina Nissim. The complexity of multiparty PSM protocols and related models. Proceedings of 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2018), Part II, 287–318 (2018).
[3] Marshall Ball, Justin Holmgren, Yuval Ishai, Tianren Liu and Tal Malkin. On the complexity of decomposable randomized encodings, or: how friendly can a garbling-friendly PRF be? Proceedings of the 11th Innovations in Theoretical Computer Science Conference (ITCS 2020), 86:1–86:22 (2020).
[4] Ziv Bar-Yossef, T. S. Jayram, and Iordanis Kerenidis. Exponential separation of quantum and classical one-way communication complexity. SIAM Journal on Computing 38(1), 366–384 (2008).
[5] Gilles Brassard, Richard Cleve, and Alain Tapp. Cost of exactly simulating quantum entanglement with classical communication. Physical Review Letters 83, 1874–1877 (1999).
[6] Zvika Brakerski and Henry Yuen. Quantum garbled circuits. arXiv:2006.01085 (2020).
[7] Harry Buhrman, Richard Cleve, and Avi Wigderson. Quantum vs. classical communication and computation. Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC 1998), 63–68 (1998).
[8] Harry Buhrman, Richard Cleve, John Watrous, and Ronald de Wolf. Quantum fingerprinting. Physical Review Letters 87, 167902 (2001).
[9] Amos Beimel, Yuval Ishai, Ranjit Kumaresan, and Eyal Kushilevitz. On the cryptographic complexity of the worst functions. Proceedings of the 11th IACR Theory of Cryptography Conference (TCC 2014), 317–342 (2014).
[10] Claude Crépeau, Daniel Gottesman, and Adam Smith. Secure multi-party quantum computation. Proceedings of the 34th Annual Symposium on Theory of Computing (STOC 2002), 643–652 (2002).
[11] Yfke Dulek, Alex B. Grilo, Stacey Jeffery, Christian Majenz, and Christian Schaffner. Secure multi-party quantum computation with a dishonest majority. Proceedings of the 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2020) Part III, 729–758 (2020).
[12] Ivan Damgård, Kasper Green Larsen, and Jesper Buus Nielsen. Communication lower bounds for statistically secure MPC, with or without preprocessing. Proceedings of the 39th Annual International Cryptology Conference (CRYPTO 2019) Part II, 61–84 (2019).
[13] Deepesh Data, Vinod M. Prabhakaran, and Manoj Prabhakaran. Communication and randomness lower bounds for secure computation. IEEE Transactions on Information Theory 62(7), 3901–3929 (2016).
[14] Uriel Feige, Joe Kilian, and Moni Naor. A minimal model for secure computation (extended abstract). Proceedings of the 26th Annual ACM Symposium on Theory of Computing (STOC 1994), 554–563 (1994).
[15] Dmitry Gavinsky. Quantum versus classical simultaneity in communication complexity. IEEE Transactions on Information Theory 65(10), 6466–6483 (2019).
[16] Dmitry Gavinsky. Bare quantum simultaneity versus classical interactivity in communication complexity. Proceedings of the 52nd Annual ACM Symposium on Theory of Computing (STOC 2020), 401–411 (2020).
[17] Dmitry Gavinsky and Tsuyoshi Ito. Quantum fingerprints that keep secrets. Quantum Information and Computation 13(7-8), 583–606 (2013).
[18] Dmitry Gavinsky, Julia Kempe, Oded Regev, and Ronald de Wolf. Bounded-error quantum state identification and exponential separations in communication complexity. SIAM Journal on Computing 39(1), 1–24 (2009).
[19] Masahito Hayashi, Satoshi Ishizuka, Akinori Kawachi, Gen Kimura, and Tomohiro Ogawa. Introduction to Quantum Information Science, Springer (2015).
[20] Rolf T. Horn, A. J. Scott, Jonathan Walgate, Richard Cleve, A. I. Lvovsky, and Barry C. Sanders. Classical and quantum fingerprinting with shared randomness and one-sided error. Quantum Information and Computation 5(3), 258–271 (2005).
[21] Yuval Ishai and Eyal Kushilevitz. Private simultaneous messages protocol with applications. Proceedings of the 5th Israel Symposium on Theory of Computing and Systems (ISTCS 1997), 174–183 (1997).
[22] Roy Kasher and Julia Kempe. Two-source extractors secure against quantum adversaries. Theory of Computing 8(1), 461–486 (2012).
[23] Hartmut Klauck. Quantum and approximate privacy. Theory of Computing Systems 37(1), 221–246 (2004).
[24] Hartmut Klauck. One-way communication complexity and the Nečiporuk lower bound on formula size. SIAM Journal on Computing 37(2), 552–583 (2007).
[25] Eyal Kushilevitz and Noam Nisan. Communication Complexity, Cambridge University Press (1997).
[26] Michael A. Nielsen and Isaac L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press (2000).
[27] Tomoyuki Morimae. Quantum randomized encoding, verification of quantum computing, no-cloning, and blind quantum computing. arXiv:2011.03141 (2020).
[28] Ran Raz. Exponential separation of quantum and classical communication complexity. Proceedings of the 31st Annual ACM Symposium on Theory of Computing (STOC 1999), 358–367 (1999).
[29] Dominique Unruh. Universally composable quantum multi-party computation. Proceedings of 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2010), 486–505 (2010).
[30] Ronald de Wolf. Quantum Computing and Communication Complexity, University of Amsterdam (2001).
[31] Andrew Chi-Chih Yao. Some complexity questions related to distributive computing (preliminary report). Proceedings of the 11th Annual ACM Symposium on Theory of Computing (STOC 1979), 209–213 (1979).

Appendix A Proofs of Claim 2, Claim 3, and Lemma 3.4

In this appendix, we give the detailed proofs of the technical claims and lemma used in the proof of Lemma 3.1.

Proof A.1 (Proof of Claim 2).

For any two quantum states $\rho,\sigma$ , the condition $\rho\sigma=0$ is necessary (and sufficient) for perfect discrimination of the two states (see, e.g., Proposition 5.13 in [19]). Since the referee $R$ perfectly discriminates $\rho(x_{1},x_{2})$ and $\rho(x^{\prime}_{1},x^{\prime}_{2})$ for which $F_{n}(x_{1},x_{2})\neq F_{n}(x^{\prime}_{1},x^{\prime}_{2})$ from the correctness, it must hold that $\rho(x_{1},x_{2})\rho(x^{\prime}_{1},x^{\prime}_{2})=0$ . Then, we have

	$\displaystyle\mathrm{tr}\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2})$
		$\displaystyle=\sum_{y}\mathrm{tr}\sum_{\begin{subarray}{c}(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})\\ F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y\end{subarray}}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2}).$

From the privacy, there exists a quantum state $\rho_{y}$ for each $y$ such that $\rho_{y}=\rho(x_{1},x_{2})$ for every $(x_{1},x_{2})$ for which $F_{n}(x_{1},x_{2})=y$ . Therefore,

	$\displaystyle\sum_{y}\mathrm{tr}\sum_{\begin{subarray}{c}(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})\\ F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y\end{subarray}}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2})$
	$\displaystyle=\sum_{y}\mathrm{tr}\rho_{y}^{2}\sum_{\begin{subarray}{c}(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})\\ F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y\end{subarray}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})$
	$\displaystyle=\sum_{y}\frac{\sum_{\begin{subarray}{c}(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})\\ F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y\end{subarray}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})}{\sum_{F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})}\mathrm{tr}\rho_{y}^{2}\!\!\sum_{F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y}\!\!\!\!\!\!\!\!\!\!\!\!\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})$
	$\displaystyle=\sum_{y}\Pr\left[\,(X_{1},X_{2})\neq(X^{\prime}_{1},X^{\prime}_{2})\,\middle\|\,F_{n}(X_{1},X_{2})=F_{n}(X^{\prime}_{1},X^{\prime}_{2})=y\,\right]\mathrm{tr}\rho_{y}^{2}$
	$\displaystyle\ \ \ \ \ \ \ \ \times\sum_{F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})$
	$\displaystyle\geq\beta(\mu)\sum_{y}\mathrm{tr}\rho_{y}^{2}\sum_{F_{n}(x_{1},x_{2})=F_{n}(x^{\prime}_{1},x^{\prime}_{2})=y}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})$
	$\displaystyle=\beta(\mu)\mathrm{tr}\sum_{x_{1},x_{2},x^{\prime}_{1},x^{\prime}_{2}}\mu(x_{1},x_{2})\rho(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2}).$

Proof A.2 (Proof of Claim 3).

From the privacy, there exists $\rho_{y}$ such that $\rho_{y}=\rho(x_{1},x_{2})$ for every $y\in\{0,1\}$ and every $(x_{1},x_{2})$ for which $F_{n}(x_{1},x_{2})=y$ . From the correctness and the necessary condition of the perfect quantum state discrimination, $\rho_{0}\rho_{1}=0$ must hold. From the spectral decomposition we have $\rho_{y}=\sum_{i}\lambda_{y,i}|\phi_{y,i}\rangle\langle\phi_{y,i}|$ for some orthonormal basis $\{|\phi_{y,i}\rangle\}_{i}$ ( $\lambda_{y,i}>0$ ). Then, we have $\langle\phi_{0,i}|\phi_{1,j}\rangle=0$ for every $i,j$ since $\rho_{0}\rho_{1}=0$ . Therefore, we can assume $R_{0}=\sum_{i}|\phi_{0,i}\rangle\langle\phi_{0,i}|$ and $R_{1}=I-R_{0}$ without loss of generality. This $R=\{R_{y}\}_{y\in\{0,1\}}$ is a PVM.

Proof A.3 (Proof of Lemma 3.4).

We demonstrate that $\lvert\langle\psi_{1}(z;r^{\prime})|\psi_{1}(z^{\prime};r^{\prime})\rangle\rvert^{2}=0$ for every distinct $z,z^{\prime}$ and every $r^{\prime}$ . Assuming this, we can decompose

|\psi_{1}(x_{1};r)\rangle=\sum_{z^{\prime}}\alpha_{z^{\prime}}|\psi_{1}(z^{\prime};r^{\prime})\rangle+\alpha^{\bot}|\psi_{1}^{\bot}\rangle

with orthonormal vectors $\{|\psi_{1}(z^{\prime};r^{\prime})\rangle\}_{z^{\prime}}\cup\{|\psi^{\bot}_{1}\rangle\}$ for some coefficients $\alpha_{z^{\prime}}$ and $\alpha^{\bot}$ . Then, it holds that

	$\displaystyle\sum_{z\neq x_{1}}\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(z;r^{\prime})\rangle\rvert^{2}$	$\displaystyle=\sum_{z\neq x_{1}}\left\lvert\sum_{z^{\prime}}\alpha_{z^{\prime}}^{}\langle\psi_{1}(z^{\prime};r^{\prime})\|\psi_{1}(z;r^{\prime})\rangle+\alpha^{\bot}\langle\psi^{\bot}_{1}\|\psi_{1}(z;r^{\prime})\rangle\right\rvert^{2}$
		$\displaystyle=\sum_{z\neq x_{1}}\lvert\alpha_{z}\rvert^{2}\leq 1.$

Therefore, it suffices to demonstrate $\lvert\langle\psi_{1}(z;r^{\prime})|\psi_{1}(z^{\prime};r^{\prime})\rangle\rvert^{2}=0$ for every distinct $z,z^{\prime}$ and every $r^{\prime}$ . For contradiction, assume that $\lvert\langle\psi_{1}(z;r^{\prime})|\psi_{1}(z^{\prime};r^{\prime})\rangle\rvert^{2}>0$ for some $z,z^{\prime}$ and some $r^{\prime}$ .

From this assumption, we have

|\psi_{1}(z^{\prime};r^{\prime})\rangle=\beta|\psi_{1}(z;r^{\prime})\rangle+\beta^{\bot}|\psi^{\bot}_{1}(z;r^{\prime})\rangle,

where $\beta\neq 0$ and $|\psi^{\bot}_{1}(z;r^{\prime})\rangle$ is orthogonal to $|\psi_{1}(z;r^{\prime})\rangle$ .

We fix $x_{2}$ arbitrarily. Then, we have

|\psi_{1}(z^{\prime};r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle=\beta|\psi_{1}(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle+\beta^{\bot}|\psi^{\bot}_{1}(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle.

Since $R$ is a PVM, we have

R_{F_{n}(z,x_{2})}|\psi_{1}(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle=|\psi_{1}(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle

from the correctness. We also have

|\psi^{\bot}_{1}(z;r^{\prime})\rangle=\gamma|\phi(z;r^{\prime})\rangle+\gamma^{\bot}|\phi^{\bot}(z;r^{\prime})\rangle,

where $|\psi_{1}(z;r^{\prime})\rangle,|\phi(z;r^{\prime})\rangle,|\phi^{\bot}(z;r^{\prime})\rangle$ are orthogonal to each other, and $R_{F_{n}(z,x_{2})}|\phi(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle=|\phi(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle$ , $R_{F_{n}(z,x_{2})}|\phi^{\bot}(z;r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle=0$ .

Therefore, it holds that

\left\lvert\langle\psi_{1}(z;r^{\prime})|\langle\psi_{2}(x_{2};r^{\prime})|R_{F_{n}(z,x_{2})}|\psi_{1}(z^{\prime};r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle\right\rvert^{2}=\lvert\beta\rvert^{2}+\lvert\gamma\rvert^{2}>0.

The value $\lvert\beta\rvert^{2}+\lvert\gamma\rvert^{2}>0$ must be $1$ from the correctness; therefore, $R(|\psi_{1}(z^{\prime};r^{\prime})\rangle|\psi_{2}(x_{2};r^{\prime})\rangle)$ $=F_{n}(z^{\prime},x_{2})$ for every $x_{2}$ and every $r^{\prime}$ . This implies that $F_{n}(z,x_{2})=F_{n}(z^{\prime},x_{2})$ holds for every $x_{2}$ , which contradicts the non-degeneracy of $F_{n}$ . The same argument also works for $x_{2}$ .

$\displaystyle\mathrm{tr}\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\rho(x_{1},x_{2};r)\mu(x^{\prime}_{1},x^{\prime}_{2})\rho(x^{\prime}_{1},x^{\prime}_{2};r^{\prime})$
	$\displaystyle=\sum_{(x_{1},x_{2})\neq(x^{\prime}_{1},x^{\prime}_{2})}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}\cdot\lvert\langle\psi_{2}(x_{2};r)\|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}.$
	$\displaystyle\leq\sum_{x_{1}\neq x^{\prime}_{1},x_{2},x^{\prime}_{2}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}\cdot\lvert\langle\psi_{2}(x_{2};r)\|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}.$
	$\displaystyle\ \ \ \ +\sum_{x_{1},x^{\prime}_{1},x_{2}\neq x^{\prime}_{2}}\mu(x_{1},x_{2})\mu(x^{\prime}_{1},x^{\prime}_{2})\lvert\langle\psi_{1}(x_{1};r)\|\psi_{1}(x^{\prime}_{1};r^{\prime})\rangle\rvert^{2}\cdot\lvert\langle\psi_{2}(x_{2};r)\|\psi_{2}(x^{\prime}_{2};r^{\prime})\rangle\rvert^{2}.$	(6)