Experimental Quantum Multiparty Communication Protocols

Massimiliano Smania, Ashraf M. Elhassan, Armin Tavakoli & Mohamed Bourennane

Physics department, Stockholm University, S-10691, Stockholm, Sweden

These authors contributed equally to this work

Quantum information science breaks limitations of conventional information transfer, cryptography and computation by using quantum superpositions or entanglement as resources for information processing. Here, we report on the experimental realization of three-party quantum communication protocols using single three-level quantum system (qutrit) communication: secret sharing, detectable Byzantine agreement, and communication complexity reduction for a three-valued function. We have implemented these three schemes using the same optical fiber interferometric setup. Our realization is easily scalable without sacrificing detection efficiency or generating extremely complex many-particle entangled states.

Introduction

Many tasks in communications, computation, and cryptography can be enhanced beyond classical limitations by using quantum resources. Such quantum technologies often rely on distributing strongly correlated data that cannot be reproduced with classical theory i.e. it violates a Bell inequality[1]. To violate a Bell inequality, the parties involved in the scheme must share an entangled quantum state on which they perform suitable local measurements returning outcomes that can be locally processed and communicated by classical means. Such entanglement-assisted schemes have been shown successful in a wide variety of information processing tasks, including secret sharing for which additional security features are enabled, detectable Byzantine Agreement for which a classically unsolvable task can be solved, and reduction of communication complexity for which optimal classical techniques are outperformed. Let us shortly introduce these three communication protocols.

Secret sharing is a cryptographic primitive that can conceptually be regarded as a generalization of quantum key distribution[2, 3]. Secret sharing schemes have wide applications in secure multiparty computation and management of keys in cryptography. In such schemes, a message (secret) is divided in shares distributed to recipient parties in such a way that some number of parties must collaborate in order to reconstruct the message. However, the security of classical secret sharing relies on limiting assumptions of the computation power available to an adversary. Quantum cryptography introduces the concept of unconditional security, and can improve security beyond classical constraints. Quantum secret sharing protocols have been proposed with parties sharing a multipartite qubit entangled state[4, 5] where their security is linked to Bell inequality violations.

A fundamental problem in fault-tolerant distributed computing is to achieve coordination between computer processes in spite of some processes randomly failing due to e.g. crashing, transmission failure or distribution of incorrect information in the network. For example, such coordination applies to the problem of synchronizing the clocks of individual processes in distributed networks, which is pivotal in many technologies including data transfer networks and telecommunication networks. A method to achieve synchronization is to use interactive consistency algorithms in which all nonfaulty processes reach a mutual agreement about all the clocks[6]. Interactive consistency is achieved through solving the problem of Byzantine agreement, which can be solved only if less than one-third of the processes are faulty[7]. However, for most applications, it is sufficient to consider a scenario called detectable Byzantine agreement (DBA), where the processes either achieve mutual agreement or jointly exit the protocol. Several quantum protocols based on multipartite entanglement have been proposed for achieving the DBA even in the presence of one-third or more faulty processes, thus breaking the classical limitation[8, 9, 10].

In communication complexity problems (CCPs), separated parties performing local computations exchange information in order to accomplish a globally defined task, which is impossible to solve single-handedly. Here, we consider the situation in which one would like to maximize the probability of successfully solving a task with a restricted amount of communication[11]. Such studies aim, for example, at speeding-up a distributed computation by increasing the communication efficiency, or at optimizing VLSI circuits and data structures[12]. Quantum protocols involving multipartite entangled states have been shown to be superior to classical protocols for a number of CCPs[13, 14].

Quantum multiparty communication protocols that require only sequential communication of single qubits and no shared multipartite entanglement have been proposed for secret sharing [15] and CCP [16], and CCP using the quantum Zeno effect [17]. Very recently generalizations to d-level quantum system (called a qudit) have been proposed. These protocols are multiparty quantum secret sharing[18] and a quantum solution to the DBA, which can then be used to achieve clock synchronization in the presence of an arbitrary number of faulty processes by efficient classical means of communications[19]. Beside experimentally realizing these protocols, we propose and demonstrate a new single qudit protocol for a multiparty CCP, that outperforms any classical counterpart.

Although the mentioned information processing tasks cover very different topics; cryptography, synchronization, and communication complexity, we will show that the quantum schemes that distribute these correlated data sets uphold strong similarities and the differences emerge from the classical processing of the correlated data required to execute these protocols.

Our single qudit communication protocols hold several experimental advantages in scalability over the corresponding entanglement-assisted schemes. While entanglement-assisted protocols typically require the preparation of a high fidelity -partite -level entangled quantum state, the single qudit protocols earn their name from requiring only the preparation of a single qudit independently of the number of parties, , involved in the protocol. Furthermore, in the likely case of parties using non-ideal detectors with efficiencies , entanglement-assisted protocols require detections and therefore succeed with an exponentially decreasing probability, approximately , while single qudit protocols only require a single detection which succeeds with probability , independently of .

Communication protocols

In this report, we will present for the first time the experimental realization of quantum communication protocols, secret sharing, DBA and clock synchronization, and reduction of communication complexity in a multipartite setting involving three parties, Alice, Bob and Charlie, communicating three-level quantum states (qutrits). We will now very briefly present these protocols.

Secret Sharing

Alice (a.k.a. the distributor) prepares the initial qutrit state and applies her action on the state according to her input data , where and are two pseudo-random independent numbers in the set , and operators and are given by

(1) | |||

(2) |

Then she sends the qutrit to Bob, who according to his input data acts on the qutrit with operator , and sends the state to Charlie who acts on the qutrit with operator , where are his input data. Finally, Charlie performs a measurement on the qutrit in the Fourier basis , obtaining a trit outcome (see Fig. 1). In random order, the parties then announce their data , and if condition is verified, the round is treated as valid and equation produces the shared secret. Otherwise if the qutrit is not in an eigenstate of the measurement operator at the time of measurement. Thus, the outcome is random and the run is discarded. At this point all users should publicly announce , and for a relevant number of runs and estimate the quantum trit error rate (QTER) defined as . Finally, to reconstruct the shared secret at least two users are required to collaborate [18].

Secret sharing schemes can be subjected not only to eavesdropping attacks but also to attacks from parties within the scheme. Examples are known in which such attacks can breach the security of secret sharing schemes [20]. In the supplementary material we outline a scheme enforcing security that can, at the cost of a lower efficiency, arbitrarily minimize the impact of such attacks. Furthermore, we mention that the full security can be obtained from device independent implementations of entanglement based quantum key distribution [21]. However, to our knowledge, there are no device-independent protocols for secret sharing. In our proposed protocol we assume that the users have control over the devices.

Detectable Byzantine Agreement

In order to solve the DBA problem, the three processes (i.e. parties) need to share data in the form of lists of numbers subject to specific correlations, and the distribution must be such that the list held by process is known only to where . Quantum mechanics provides methods to generate and securely distribute such data. In this case, Alice’s state preparation and each user’s action are the same as in the previous protocol, except for and being bits instead of trits. The difference is in the data processing part: if the measurement outcome is “0”, the parties reveal and if condition is satisfied, the round is treated as valid. It follows that they now hold one of the data sets from which the DBA can be solved[19].

Communication Complexity Reduction

In the single qutrit protocol for reducing communication complexity, the distributor supplies Alice, Bob and Charlie with two pseudo-random trits each, , and . Each party’s pair can be mapped into an integer by defining , with . The distributor promises the parties that and asks Charlie to guess the value of function given that only two (qu)trits may be communicated in total. After the state preparation, Alice acts with (with defined as in Eq. (1)) and sends the qutrit to Bob, who applies before forwarding it to Charlie. Finally, after applying , Charlie performs a measurement on the resulting state . This state is an element of the Fourier basis, so a measurement in this basis will output the correct value of function with (ideally) unit probability.

The CCP is to maximize the success probability of guessing correctly, with the given communication restrictions. We have just seen that this success probability, save for experimental errors, is with our quantum protocol. However, it can be shown (see supplementary material) that the optimal classical protocol achieves only a success probability of , which is clearly inferior to that of the quantum protocol.

Experimental Realization

We have realized the three above-mentioned communication protocols with the same optical setup reported in Fig. 2. The setup is based on a three-arm Mach-Zehnder-like interferometer built with optical fibers and a retro-reflective mirror (this configuration is a practical solution to the natural phase-drift problem which affects every Mach-Zehnder interferometer, further complicated here by the fact that we have three paths). The information transmitted between users is encoded in relative phase differences between the three states constituting the qutrit. The state preparation is carried out by sending light pulses from a nm diode laser (ID300 by ID Quantique) to the first 3x3 coupler of the Mach-Zehnder interferometer. The laser repetition rate is kHz. The outcome after the second coupler is a superposition of the three paths, so that the optical phase of each pulse of the qutrit can be individually modulated with commercial phase modulators (COVEGA Mach-10 Lithium Niobate Modulators). The delays in the interferometer are ns and ns. On the way to the mirror, users passively let pass the qutrit through while after the reflection Charlie, Bob and Alice sequentially act on the qutrit with a combination of operators and (see Eqs. (1) and (2)). After passing through the three arms on their way back, the three pulses recombine at the first coupler and depending on their relative phases, yield different interference counts at the single photon detectors (Princeton Lightwaves PGA600). These gated detectors provide quantum efficiency and approximately dark count probability. Importantly, in order to prevent possible eavesdropping attacks, each pulse is attenuated to single photon level by a digital variable attenuator (OZ Optics DA-100) at Charlie’s station output. We would like to emphasize that phase modulators are polarization sensitive, and for this reason they include a horizontal polarizer at the output port. Therefore, controlling polarization throughout the setup is crucial. We thus choose to use polarization maintaining fiber components for all three parties’ stations. However, in order to make the configuration more realistic, links between users are standard single mode fibers. Therefore, polarization controllers have been placed after these fiber links. Finally, the whole experiment was controlled by an FPGA card that worked both as master clock and trigger source, for the electronics driving laser and phase modulators, and for the single photon detectors.

For future and practical implementations of these communication protocols, one needs to use a bright true or heralded single photon source, integrated optics interferometer, and high quantum efficiency superconducting single photon detectors.

Results

Each protocol setting was run times per second (i.e. laser triggers) and the collected data was used to calculate the QTER. Due to the substantial loss from the setup itself (mainly in the phase modulators) and to the detection efficiency, the final amount of runs with detection was per setting. Our results for secret sharing and DBA experiments are reported in Tab. 1 and in Tab. 2 respectively. We can easily see that QTER for the secret sharing and DBA protocols are always below . Our results are better than other results obtained with entanglement-based two-party quantum key distribution protocols [23], and QTER clearly are below the security threshold of qutrit based quantum key distribution [22]. Therefore secure communication can be obtained with this configuration [18]. Consistently, CCP experimental results, of which a sample of obtained data is reported in Tab. 3, show success probabilities always above , therefore proving the superiority of the quantum protocol to any classical protocol (limited to % success probability).

The primary source of QTER is the so called “dark counts”. Our detectors’ average dark count probabilities, measured with runs, are , and per trigger for detectors 0, 1 and 2 respectively. Considering our measurements, these dark counts contribute up to half of the QTER. Other important systematic contributions to the QTER are due to the phase drift affecting the interferometer. This phase drift causes two problems: it slightly changes the relative phases from the desired settings and it forces a recalibration of the phases before each experiment. Both these contributions can be quantified, by propagating phase errors in interference equations (see supplementary material), to be approximately each to QTERs.

Alice | Bob | Charlie | Counts | QTER | ||||||

D | D | D | [%] | |||||||

0 | 0 | 0 | 0 | 2 | 0 | 2 | 7 | 5 | 210 | 5.41 |

1 | 0 | 0 | 0 | 1 | 0 | 2 | 7 | 6 | 261 | 4.74 |

2 | 0 | 2 | 1 | 2 | 2 | 0 | 375 | 15 | 26 | 9.86 |

0 | 1 | 2 | 2 | 1 | 0 | 0 | 391 | 10 | 29 | 9.07 |

1 | 1 | 0 | 1 | 2 | 1 | 0 | 336 | 7 | 23 | 8.20 |

2 | 1 | 1 | 1 | 1 | 1 | 1 | 7 | 373 | 22 | 7.21 |

0 | 2 | 2 | 0 | 0 | 1 | 2 | 16 | 13 | 313 | 8.48 |

1 | 2 | 2 | 2 | 2 | 2 | 2 | 19 | 8 | 248 | 9.82 |

2 | 2 | 1 | 0 | 1 | 1 | 1 | 9 | 284 | 22 | 9.84 |

1 | 0 | 0 | 2 | 2 | 0 | random | 102 | 98 | 94 | 65.31 |

2 | 2 | 0 | 0 | 0 | 0 | random | 89 | 75 | 71 | 62.13 |

Alice | Bob | Charlie | Counts | QTER | ||||||
---|---|---|---|---|---|---|---|---|---|---|

D | D | D | [%] | |||||||

0 | 0 | 1 | 0 | 1 | 0 | 2 | 16 | 11 | 337 | 7.42 |

1 | 0 | 0 | 0 | 0 | 0 | 1 | 16 | 320 | 19 | 9.86 |

2 | 0 | 1 | 0 | 0 | 0 | 0 | 347 | 13 | 20 | 8.68 |

0 | 1 | 0 | 1 | 0 | 1 | 0 | 363 | 13 | 20 | 8.33 |

1 | 1 | 1 | 1 | 0 | 1 | 2 | 11 | 17 | 333 | 7.76 |

2 | 1 | 0 | 1 | 1 | 1 | 0 | 309 | 9 | 13 | 6.65 |

0 | 2 | 1 | 1 | 0 | 0 | 1 | 7 | 277 | 19 | 8.58 |

1 | 2 | 0 | 2 | 1 | 2 | 2 | 9 | 18 | 274 | 8.97 |

2 | 2 | 1 | 2 | 0 | 2 | 0 | 300 | 7 | 26 | 9.91 |

Alice | Bob | Charlie | T | Counts | SP | ||
---|---|---|---|---|---|---|---|

D | D | D | [%] | ||||

0 | 1 | 8 | 0 | 350 | 7 | 28 | 90.91 |

0 | 2 | 1 | 1 | 8 | 284 | 23 | 92.53 |

1 | 5 | 0 | 2 | 14 | 14 | 255 | 90.11 |

1 | 6 | 2 | 0 | 337 | 5 | 29 | 90.84 |

2 | 7 | 3 | 1 | 13 | 268 | 16 | 90.24 |

2 | 0 | 4 | 2 | 10 | 2 | 204 | 94.44 |

3 | 2 | 4 | 0 | 302 | 8 | 22 | 90.96 |

3 | 1 | 8 | 1 | 8 | 358 | 22 | 92.27 |

4 | 8 | 3 | 2 | 10 | 13 | 269 | 92.12 |

4 | 5 | 0 | 0 | 332 | 12 | 21 | 90.96 |

5 | 6 | 1 | 1 | 21 | 370 | 19 | 90.24 |

5 | 4 | 6 | 2 | 14 | 18 | 297 | 90.27 |

6 | 2 | 1 | 0 | 298 | 3 | 28 | 90.30 |

6 | 8 | 7 | 1 | 6 | 297 | 18 | 92.52 |

7 | 3 | 5 | 2 | 6 | 13 | 232 | 92.43 |

7 | 0 | 2 | 0 | 264 | 12 | 12 | 91.67 |

8 | 2 | 2 | 1 | 7 | 385 | 31 | 90.40 |

8 | 8 | 8 | 2 | 13 | 11 | 229 | 90.51 |

Conclusion

We have experimentally realized three-party quantum communication protocols using single qutrit communication: secret sharing, detectable Byzantine agreement, and communication complexity reduction for a three-valued function. We have implemented for the fist time these three protocols using the same optical fiber interferometric setup. Our novel protocols are based on single quantum system communication rather than entanglement. Moreover, the number of detectors (detector noise) used in our schemes is independent of the number of parties participating in the protocol. Our realization is easily scalable without sacrificing detection efficiency or generating extremely complex many-particle entangled states. These breakthrough and advances make multiparty communication tasks feasible. They become technologically comparable to quantum key distribution, so far the only commercial application of quantum information. Finally, our methods and techniques can be generalized to other communication protocols. These protocols can also be easily adapted for other encodings and physical systems.

## References

- [1] Bell J.S. On the Einstein-Podolsky-Rosen paradox. Physics 1966; 1: 195–200.
- [2] Bennett C.H., Brassard G. Quantum cryptography: Public key distribution and coin tossing. Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing.(Bangalore, India 1984); 175–179.
- [3] Ekert A.K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 1991; 67: 661-663.
- [4] Żukowski M., Zeilinger A., Horne M. A., Weinfurter H. Quest for GHZ states. Acta Phys. Pol. 1998; 93: 187–195.
- [5] Hillery M., Buẑek V., Berthiaume A. Quantum secret sharing. Phys. Rev. A 1999; 59: 1829-1834.
- [6] Lamport L., Melliar-Smith M. Synchronizing clocks in the presence of faults. J. ACM 1985; 32: 52–78.
- [7] Lamport L., Shostak R., Pease M. The Byzantine generals problem. ACM Trans. Programming Languages and Syst. 1982;4: 382–401.
- [8] Fitzi M., Gisin N., Maurer U. A quantum solution to the Byzantine agreement problem. Phys. Rev. Lett.2001; 87: 217901–1.
- [9] Cabello A. Solving the liar detection problem using the four-qubit singlet state. Phys. Rev. A 2003; 68: 012304–1.
- [10] Gaertner S., Bourennane M., Kurtsiefer C., Cabello A., Weinfurter H. Experimental demonstration of a quantum protocol for Byzantine Agreement and Liar Detection. Phys. Rev. Lett.2008; 100: 070504–1.
- [11] Yao A. C.-C. Some Complexity Questions Related to Distributive Computing. Proceedings of the 11th Annual ACM Symposium on Theory of Computing, (Atlanta, USA 1979); 209–213
- [12] Kushilevitz E., Nisan N. Communication Complexity, (Cambridge University Press, New York, 1997).
- [13] Cleve R., Buhrman H. Substituting quantum entanglement for communication. Phys. Rev. A 1997; 56: 1201–1204.
- [14] Brukner Č., Żukowski M., Zeilinger A. Quantum Communication Complexity Protocol with Two Entangled Qutrits. Phys. Rev. Lett. 2002; 89: 197901-1.
- [15] Schmid C., Trojek P., Bourennane M., Kurtsiefer C., Żukowski M. Weinfurter H. Experimental Single Qubit Quantum Secret Sharing Phys. Rev. Lett. 2005; 95: 230505-1.
- [16] Trojek P., Schmid C., Bourennane M., Brukner C., Żukowski M., Weinfurter H. Experimental quantum communication complexity Phys. Rev. A 2005; 72: 050305–1.
- [17] Tavakoli A., Anwer H., Hameedi A., Bourennane M. Quantum communication complexity using the quantum Zeno effect. Phys. Rev. A 2015; 92: 012303–1.
- [18] Tavakoli A., Herbauts I., Zukowski M., Bourennane M. Quantum Secret Sharing with a Single d-level System. Phys. Rev. A 2015; 92: 030302–1.
- [19] Tavakoli A., Cabello A., Zukowski M., Bourennane M. Quantum Clock Synchronization with a Single Qudit. Sci. Rep. 2015; 5: 7982–1.
- [20] He G. P. Comment on âExperimental Single Qubit Quantum Secret Sharingâ. Phys. Rev. Lett. 2007; 98: 028901-1.
- [21] Acin A., Brunner N., Gisin N., Massar S., Pironio S, Scarani V. Device-Independent Security of Quantum Cryptography against Collective Attacks. Phys. Rev. Lett. 2007; 98: 230501-1.
- [22] Cerf N., Bourennane M., Karlsson A., Gisin N. Security of quantum key distribution using d-level systems. Phys. Rev. Lett.2002; 88: 127902–1.
- [23] Gröblacher S., Jennewein T., Vaziri A., Weihs G., Zeilinger A. Experimental quantum cryptography with qutrits. New Journal of Physics 2006; 8: 75–1.

Supplementary Information is linked to the online version of the paper at www.nature.com/nature.

Acknowledgements This work was supported by the Swedish Research Council.

Author contribution M.B. initiated and proposed the project. M.S .and A.M.E. design, performed the experiment, and analyzed the data. A.T. carried out the theoretical calculation for the CCP and scheme enforcing security of secret sharing protocols. All the authors discussed the results and wrote the manuscript.

Competing interests statement The authors declare that they
have no competing financial interests.

Correspondence and requests for materials should be addressed to M.B. (e-mail: boure@fysik.su.se).

Experimental Quantum Multiparty Communication Protocols

Supplementary Material

Massimiliano Smania, Ashraf M. Elhassan, Armin Tavakoli & Mohamed Bourennane

Physics department, Stockholm University, S-10691, Stockholm, Sweden

These authors contributed equally to this work

## Appendix A Scheme enforcing security

In secret sharing schemes one may face attacks from cheating parties within the scheme. Since in a three party scheme, it is not meaningful to have more than one cheater, let us assume that the cheating party is Bob who attempts to access Alice’s secret. Since Bob is involved in the scheme, he may employ a sophisticated strategy based on e.g. a quantum memory and an entangled ancilla state which can allow him to pass the standard security check undetected. The success of any such strategy must in some manner depend on Bob gaining information on some local data () of Alice and Charlie. However, as the three parties announce their data in random order Bob cannot always succeed with his cheating, and thus we can upper bound the probability of Bob successfully cheating in a single round by . Here, we will outline a privacy amplification scheme that allows Alice and Charlie to arbitrarily minimize Bob’s chances of inferring the secret.

The standard protocol is repeated many times and some rounds are used to estimate the QTER. Assuming the QTER does not imply any security breach, this leaves successful rounds. We let , , be the private data of Alice, Bob and Charlie respectively in the ’th such round, and we let be the measurement outcome of Charlie in the round. All parties then map their trits into a single trit by setting with . The new data now satisfies . Unless Bob successfully cheats in all rounds, which happens with a probability , he can infer no knowledge on the private data of Alice or Charlie. Thus, the number of rounds that warrants the cheating success probability to be no higher than is i.e. at the cost of repeating the protocol several times, the cheating probability can be arbitrarily minimized. If we consider an example of a known (G. P. He, Phys. Rev. Lett. 2007; 98: 028901-1.) such cheating attack in a three party secret sharing protocol in which Bob was found to have cheating success probability per round of , and we require that , then we find that we need rounds to achieve this level of security.

## Appendix B Communication Complexity Reduction: classical bound

The quantum protocol for communication complexity reduction presented in our paper uses a single qutrit and achieves the ideal success probability of . We will now prove that our quantum protocol is superior to any classical one.

To find the best classical protocol, we can without loss of generality consider only deterministic strategies and disregards mixtures of such. Alice has to send the value of some three-valued function to Bob, and similarly, Bob has to send the value of some three-valued function to Charlie, who outputs a final guess of determined by a three-valued function . All such functions take the form

(3) |

with suitable choices of coefficients . Therefore, we write

(4) |

where we have emphasized the dependence of the coefficients on the received data from subsequent parties. However, we must have since otherwise, the strategy is randomized. It is straightforward to find that this implies that only one of the coefficients can be non-zero, and that its value must be either or . Therefore, we find that

(5) |

for some set subject to . Evidently, we should choose such that the contribution from to the task function is correct. Then, since are uniformly distributed and we are promised that , there are nine different sets of which only sums to , only sums to and the remaining seven sets sum to . Therefore, let and which yields

(6) |

In conclusion, the optimal classical success probability is , which is clearly inferior to the unitary one for the quantum protocol.

## Appendix C Encoding Settings

In Tables S1 and S2, we report encoding settings used by Alice, Bob and Charlie for the three experiments. We write directly the angular phase shifts to be applied to the three state qutrits exchanged among the users.

Secret sharing & DBA | |||||||
---|---|---|---|---|---|---|---|

Settings | Alice | Bob & Charlie | |||||

0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

0 | 1 | 0 | 0 | ||||

0 | 2 | 0 | 0 | ||||

1 | 0 | 0 | 0 | 0 | |||

1 | 1 | 0 | 0 | 0 | 0 | ||

1 | 2 | 0 | 0 | 0 | |||

2 | 0 | 0 | 0 | 0 | |||

2 | 1 | 0 | 0 | 0 | |||

2 | 2 | 0 | 0 | 0 | 0 |

Table S1: Angular phase shifts for secret sharing and DBA experiments. Alice’s settings look different compared to Bob’s and Charlie’s, but they are actually just the same settings multiplied by a global phase. This is due to our particular setup configuration. All these settings belong to mutually unbiased bases for three dimensions.

Communication Complexity Reduction | ||||||
---|---|---|---|---|---|---|

Settings | Alice | Bob & Charlie | ||||

0 | 0 | 0 | 0 | 0 | 0 | 0 |

1 | 0 | 0 | ||||

2 | 0 | 0 | ||||

3 | 0 | 0 | ||||

4 | 0 | 0 | ||||

5 | 0 | 0 | ||||

6 | 0 | 0 | ||||

7 | 0 | 0 | ||||

8 | 0 | 0 |

Table S2: Angular phase shifts for the communication complexity reduction experiment. As in the previous table, Alice’s settings are the same as Bob’s and Charlie’s save for a global phase.

## Appendix D Three-arms Interferometer Output Probabilities

We write here the output probabilities for a three-arms interferometer.

(7) | ||||

(8) | ||||

(9) |

where and are phase differences relative to the reference arm.