Practical Quantum Retrieval Games
Abstract
Complex cryptographic protocols are often constructed from simpler buildingblocks. In order to advance quantum cryptography, it is important to study practical buildingblocks that can be used to develop new protocols. An example is quantum retrieval games (QRGs), which have broad applicability and have already been used to construct quantum money schemes. In this work, we introduce a general construction of quantum retrieval games based on the hidden matching problem and show how they can be implemented in practice using available technology. More precisely, we provide a general method to construct (1outofk) QRGs, proving that their cheating probabilities decrease exponentially in . In particular, we define new QRGs based on coherent states of light, which can be implemented even in the presence of experimental imperfections. Our results constitute a new tool in the arsenal of the practical quantum cryptographer.
In cryptography, the ability to transmit and process quantum information allows us to build cryptographic protocols with properties that are impossible to obtain in a classical setting Bennett and Brassard (1984); Wiesner (1983); Chailloux and Kerenidis (2009); Hillery et al. (1999). Although several such examples are known, exploring new quantum cryptographic protocols and developing the necessary tools to realize them in practice remains an important challenge Pappa et al. (2014); Donaldson et al. (2016); Lunghi et al. (2013); Tang et al. (2014); Erven et al. (2014); Bash et al. (2015).
Several quantum cryptography protocols, notably those for quantum key distribution Bennett and Brassard (1984), quantum signature schemes Wallden et al. (2015); Arrazola et al. (2015), oblivious transfer Erven et al. (2014), and positionbased cryptography Buhrman et al. (2014) , can be constructed from the same basic buildingblocks. For instance, it is remarkable that several of these quantum protocols require only that one party is capable of preparing and transmitting the qubit states and , while the receiving party measures them in the corresponding bases. Once this basic buildingblock is established, more complex protocols can be designed and established. These states, known as the BB84 states Bennett and Brassard (1984), play a central role in practical quantum cryptography, because preparing and measuring them is a task that can be done routinely in experiments.
In the effort to advance quantum cryptography and quantum communication, it is important to examine similar practical buildingblocks that can potentially be used to construct new protocols or even improve existing ones. One example is quantum retrieval games (QRGs), which were introduced in Ref. Gavinsky (2012) and have been used as buildingblocks for quantum money schemes Gavinsky (2012); Pastawski et al. (2012); Georgiou and Kerenidis (2015). QRGs are a generalization of quantum state discrimination, which is a fundamental problem in quantum information with many applications in cryptography. Therefore, just as with state discrimination, QRGs could potentially be useful in many contexts related to quantum cryptography and quantum communication. Nevertheless, in the general case, QRGs require that the parties prepare complex quantum states of large dimension and perform difficult operations on them, making their implementation challenging.
In this work, we focus on a particular class of QRGs that we call hidden matching QRGs, which were first introduced in Ref. Gavinsky (2012). We extend the results of Ref. Gavinsky (2012) by considering (1outofk) QRGs and providing a canonical construction for them. We also bound the cheating probability and show that it decays exponentially with . Inspired by this construction, we build a new set of QRGs based on coherent states of light, which can be implemented with available technology. We also examine the role of experimental imperfections such as limited visibility, dark counts and loss, showing that the desired properties of the QRGs can still be attained, especially in the case of large .
I Quantum retrieval games
In this section, we review definitions and known results from Refs. Gavinsky (2012); Georgiou and Kerenidis (2015); Pastawski et al. (2012) regarding quantum retrieval games that will be useful for the results presented in this work.
In a quantum retrieval game (QRG), Alice is given an bit string selected at random according to some probability distribution . She encodes into a quantum state and sends it to Bob. Bob’s goal is to measure in order to provide a correct answer to a given question about with the highest possible probability. Formally, a question about is modelled as a relation. For a set of inputs and a set of answers , a relation corresponds to a subset of . Consequently, for a given input and a relation , we say that an answer is correct if . This leads to the following definition of a quantum retrieval game.
Definition 1.
Let and be respectively the set of inputs and answers. Let also be a relation and be an ensemble of states and their a priori probabilities. Then the tuple is called a quantum retrieval game (QRG). For a given , an answer is correct if .
The basic setting of a QRG is illustrated in Figure 1. Notice that minimumerror state discrimination, i.e. the task of correctly identifying the value of from a measurement of with the smallest probability of error, corresponds to the particular case where . Therefore, QRGs can be seen as a generalization of state discrimination, but in the case of QRGs, the goal is to determine some information related to , though not necessarily itself.
In the most general case, Bob’s strategy is defined as a POVM with , , and where each element is uniquely identified with an answer . The problem of finding the maximum probability of giving a correct answer for a given QRG can be cast as a semidefinite program (SDP) given by
subject to  
The solution to this SDP, i.e. the maximum probability of giving a correct answer to the QRG, is called the physical value of the game Gavinsky (2012). Although the physical value of a QRG can always be calculated in principle, it is often preferable to work with a related quantity known as the selective value . It arises by relaxing the condition on the POVM elements to instead of , which can intuitively be understood as allowing postselection in the measurement. Formally, the selective value is defined as the solution of the optimization problem
subject to  
Notice that , so an upper bound on the selective value gives also an upper bound on the physical value of the game Pastawski et al. (2012). The following is a simple expression for directly calculating the selective value of a QRG.
Theorem 1.
In general, for a particular choice of the sets and , there are many possible relations . Thus, we can imagine a situation where Bob can choose among many different relations, but is limited in his ability to give a correct answer to all of them. This leads to a natural generalization of QRGs.
Definition 2.
Let be respectively the set of inputs and answers, and let be an ensemble of states. Let also be different relations and define the QRGs as before according to these relations. Finally, let be such that if and only if for all . Then the tuple is called a QRG. Additionally, is called a QRG if it holds that

for all

.
We refer to as the winning probability and to as the cheating probability.
We also refer to QRGs as (1outofk) QRGs. Notice that in (1outofk) QRGs it is possible for Bob to provide a correct answer for any relation with high probability, but it is hard for him to give correct answers to many relations simultaneously. This property makes them useful buildingblocks for cryptography.
i.1 Hidden matching QRGs
We now focus on a particular class of QRGs which we call hidden matching QRGs. A perfect matching on the set , with an even number, is a partitioning of into disjoint pairs of numbers. For instance, the three possible matchings for the case are , , and . A matching on can be represented as a graph with edges, where no two edges share a node in common. We call this the matching graph of . This is illustrated in Fig. 2.
In hidden matching QRGs, the set of possible inputs is the set of bit strings, i.e. , with an even number. Alice encodes her inputs into the pure states
(1) 
where is the th bit of the string and she prepares each state with probability .
The set of possible answers is the set of tuples , where and . Finally, the relation is defined as , where is a perfect matching of . In other words, Bob wins the game if he can correctly determine the parity of two bits of that are joined by an edge in the matching .
The hidden matching problem was first introduced in Ref. BarYossef et al. (2004) in the context of communication complexity. In that work, it was shown that for any matching there exists a measurement by Bob that can provide a correct answer with certainty. To do so, he measures the states in the basis
(2) 
with . Bob can always provide a correct value because the outcome only occurs if and similarly, only occurs if .
On the other hand, it was shown in Ref. Gavinsky (2012) that for the case , it is not possible to give a correct answer with certainty for two different matchings simultaneously. More precisely, it was shown that there exists a hidden matching QRG. Interestingly, another QRG was proposed in Ref. Pastawski et al. (2012) where Alice encodes her input into sequences of BB84 states.
Moreover, it was shown in Ref. Georgiou and Kerenidis (2015) that if the winning and cheating probabilities satisfy the condition
(3) 
then a QRG could be repeated times in order to construct a new QRG with winning probability exponentially close to 1 and cheating probability exponentially close to 0. Similarly, it is possible to build (1outofk) QRGs from (1outof2) QRGs by simply combining the smaller QRGs to form a larger one Georgiou and Kerenidis (2015).
However, the problem with this approach is that in a practical setting, due to experimental imperfections, the winning probability may decrease compared to the ideal case to the point that the QRG is no longer suitable in a cryptographic context. Moreover, the winning probability of a (1outofk) QRG constructed from (1outof2) QRGs will generally decrease with , making this approach less appealing for larger values of . Therefore, it is important to consider the direct construction of (1outofk) QRGs for which the winning probability remains high while the cheating probability decreases significantly in . In the following, we generalize the result of Ref. Gavinsky (2012) to the case of (1outofk) hidden matching QRGs and show that the probability of correctly answering all relations decreases exponentially in the number of relations , while the winning probability remains unchanged.
In order for these properties to hold, the matchings (and therefore the relations) that we choose to define the QRG must satisfy certain conditions. Consider again the case and suppose that we want to build a (1outof3) QRG from the three possible matchings. From Ref. Gavinsky (2012) we know that Bob can give a correct answer for two of the relations with probability at most . Would the probability of answering all three relations be even lower than this?
It turns out that this is not the case, since knowing a correct answer to any two relations allows Bob to give a correct answer for the third one with certainty. To see this, suppose for instance that Bob knows that and , i.e. he knows that and . From this he can compute , which allows him to give a correct answer for the remaining relation. It is easy to see that this is true for any two different relations and therefore adding a third relation in this case does not decrease Bob’s chances to answer all relations correctly.
We can understand this more easily by looking at the matching graphs. Suppose we have different matchings . As illustrated in Fig. 3, we can “join” the matching graphs by constructing a new graph that includes all edges from the original graphs. We call this the joint graph. We can make a connection between the existence of closed cycles in the joint graph and the possibility of constructing a (1outofk) QRG from these matchings.
Observation 1.
Let be different matchings of the set and let be the relations obtained from them in a hidden matching QRG. Let also be the joint graph obtained from the corresponding matching graphs. If there exists a cycle in the joint graph such that each edge in the cycle belonged to a different matching graph, then there exists a set of correct answers for relations that allows Bob to provide a correct answer for the th relation with certainty.
Proof: A cycle is a closed loop formed by traversing nodes connected by edges, starting and ending in the same node. Suppose that there exists a cycle in the joint graph formed by edges that originally belonged to different matching graphs. Furthermore, without loss of generality, assume that the cycle begins and ends in node and that the sequence of edges is .
Now suppose that Bob knows a correct answer to the relations formed from matchings that include the edges . This means that Bob also knows the values and by taking the modulo 2 sum of these, he obtains the value of . This allows him to provide a correct answer to the remaining relation, since . ∎
The above observation tells us that to construct (1outofk) QRGs, we must choose the matchings carefully in order avoid cycles in the joint graph. This leads us to the following definition.
Definition 3.
A set of matchings are called independent if their corresponding joint graph does not have any cycles whose edges correspond to different matchings.
We now show that the probability of giving correct answers to all relations in a (1outofk) hidden matching QRG decays exponentially in provided that the matchings used are independent.
Theorem 2.
Let be a (1outofk) hidden matching QRG, where the different matchings are independent. Then the winning probability and the cheating probability satisfy
(4)  
(5) 
Proof: Recall that the states used in a hidden matching QRG are
(6) 
with corresponding density matrices and each state is prepared with probability . As discussed before, for hidden matching QRGs, it is possible to give a correct answer for any given relation with certainty, so we have that .
We want to use the result of theorem 1 to calculate the selective value of the game. It holds that
(7) 
and
(8) 
The operators take the form
(9) 
and
(10) 
where is the entry of the th row and th column of the matrix representation of . In a (1outofk) hidden matching QRG, if and only if for all and if and only if and , where is the matching defining the relation . Each relation induces a constraint on the possible values of . Since the matchings are independent, each individual relation cuts down by half the number of strings that satisfy . Therefore, for every , the total number of strings satisfying is equal to .
From this we can easily calculate the diagonal elements of to be . Let and define the set . Then it holds that for all since we must have that . From an identical argument as in Observation 1, if the edges in can form a path that connects two nodes , this fixes the value of . Let be the set of all such edges . Finally, for any other edge that has no constraints, for half of the values of and for the other half. Thus, we can conclude that
(11) 
Each answer defines a graph of nodes with edges . This graph can be divided into subgraphs, where each subgraph is defined by all edges that form a connected path. By construction, these subgraphs are disconnected from each other. Thus, for any two nodes and that belong to different subgraphs, Eq. (11) implies that , which means that must be blockdiagonal in the subgraphs. Moreover, since is positive, each block must also be positive. The largest possible block has dimension and from Eq. (11), its trace is equal to , so its largest possible eigenvalue is . This is also the largest possible eigenvalue of , so we have that
(12) 
Since the physical value of the game is upper bounded by the selective value, we conclude that
(13) 
as desired. ∎
From this theorem, we know that we can construct (1outofk) QRGs as long as we can create hidden matching QRGs that have independent matchings. We now provide a method of constructing sets of independent matchings.
Suppose we start with a set of independent matchings on a graph with nodes. We can create a new set of independent matchings on a graph with nodes in the following way: Take the joint graph of the independent matchings and generate an isomorphic graph by simply relabelling all the nodes. For each node in the first graph, make a new edge by connecting it to a unique node in the second graph. This new collection of edges forms a new matching, so we have matchings in total on a larger graph with nodes.
To see that these matchings must be independent, notice that the new matching is built by connecting nodes from two separate graphs, each of which is the joint matching graph of independent matchings. By definition of independent matchings, there are no closed cycles in either of these two graphs, so we cannot create a closed cycle by adding an edge between them. Therefore, the matchings must be independent.
Using this method, we can provide explicit examples of independent matchings. If we start with the case and the two independent matchings and , we can apply the canonical construction to obtain independent matchings with . This is illustrated in Fig. 4. Every matching in this construction has the property that the distance between any two nodes connected by an edge is constant. More precisely, the edges in each matching are of the form with As we discuss in section II, this feature greatly helps in their implementation.
Alternatively, we can start with a set of 3 independent matchings for , namely , and . As seen in Fig. 5, using the method of the canonical construction we can obtain independent matchings for and .
In summary, we have outlined a method of constructing (1outofk) QRGs from the hidden matching problem and shown that their cheating probability decreases exponentially with . In order to achieve this, the matchings used must be independent and we provide a constructive method of generating independent matchings. In the next section, we study how these QRGs can be implemented in practice.
Ii Coherentstate QRGs
An implementation of (1outofk) hidden matching QRGs faces two main challenges: the high dimensionality of the quantum states and the complex measurement by Bob. For the constructions we have outlined in the previous section, the dimension of the states scales exponentially with , namely as for the canonical construction. On the other hand, Bob must be able to perform different measurements corresponding to each possible matching, each of which involves projections onto coherent superpositions of pairs of basis states. Given these obstacles, we propose new QRGs based on coherent states of light. These games use a signal structure developed in Ref. Arrazola and Lütkenhaus (2014) with a mapping of the qubit signals into the coherent state signals following the procedures of Ref. Arrazola and Lütkenhaus (2014).
In this construction, the states
are mapped to a sequence of coherent states
(14) 
where is the total mean photon number, which is a freely chosen parameter. We consider the modes to be separated in time on a single spatial mode, i.e. they are timebin modes. Notice that the bit values of are encoded in the phase of the corresponding coherent state and all coherent states have the same amplitude, namely .
The measurement by Bob is carried out by first applying a permutation of the optical modes. The purpose of this is to pair modes together according to the matching, which are later used as input to a balanced beam splitter. More precisely, for every , Bob pairs modes and that later interfere in a balanced beamsplitter. He then measures the output modes with two singlephoton threshold detectors, which are labelled and .
If the incoming states to the beam splitter are
(15) 
the output states are
(16) 
Therefore, for each possible value of , the output states are either a vacuum state (which never produces a click), or a weak coherent state with amplitude , which creates a click with nonzero probability. In the ideal case, only one detector can click if while only the other detector can click if . Thus, whenever there is a click, Bob can provide a correct answer to the relation corresponding to his chosen matching. In fact, it is possible to obtain many clicks corresponding to different elements of the matching, and they all correspond to a correct answer. The only issue that can arise is that no clicks occur, in which case Bob gets no information and has to guess the answer at random. The probability that at least one click occurs, i.e. the winning probability, can be calculated from the photon statistics of the states, leading to the expression
(17) 
In general, it is difficult to perform an arbitrary permutation of a large number of optical modes. However, in our case, if we focus on (1outofk) hidden matching QRGs built from the canonical construction, all relevant matchings have the property that the distance between nodes connected by an edge is constant. For example, for a (1outof3) QRG with , in the matching illustrated in Fig. 4, all nodes connected by an edge have distance 1. Similarly, for they have distance 2 and for they have distance 4. In general, the distance between all nodes connected by an edge in a matching is .
From an implementation’s point of view, this means that Bob only needs the ability to selectively displace incoming modes by a fixed amount of time. He can achieve this by using an active optical switch, which directs incoming pulses into either one of two arms of an interferometer. The path length of the long arm of the interferometer is set to differ from the short one in exactly the amount needed to displace the pulse in time, allowing him to interfere the intended pulses. If Bob wants an answer for a different relation, he only has to change the path length of the long arm of the interferometer. The setup is illustrated in Fig. 6.
Although the optical switch in Bob’s system is an active optical element that requires fast switching, it can be achieved using MachZehnder switching. Additionally, notice that in this setup, Alice has the ability to prepare states corresponding to very large values of , so the scalability of the system is mostly limited by the interferometer, where there will be a limit to the length of the long arm that can be achieved while maintaining stability. Despite this fact, this configuration can be used to implement (1outofk) QRGs for values of that exceed what could be feasibly done in a qubit implementation.
It must be noted that coherentstate QRGs are not identical to those studied in section I. Nevertheless, as shown in Ref. Arrazola and Lütkenhaus (2014), the coherentstate version of quantum communication protocols retain the essential properties of the original ones. We can show this explicitly by directly calculating the semidefinite program (SDP) corresponding to the coherentstate QRGs to obtain a value for the cheating probability. Recall that the cheating probability is the probability that Bob gives a correct answer to all relations. Thus, the SDP corresponds to the problem
subject to  
where the states are the same as in Eq. (16), and where if and only if for all . The value of this SDP can be calculated numerically, but for large values of it becomes computationally demanding since the dimension of the states and the number of variables of the SDP grow very quickly. For this reason, we have calculated values of the cheating probability for a (1outof2) QRG obtained from the canonical construction and a (1outof3) QRG for the case using the matchings of Fig. 5. These are shown respectively in Figs. 7 and 8.
As it can be seen in Figs. 7 and 8, by choosing the value of the parameter appropriately, it is possible to achieve large gaps between the winning and cheating probability of the QRG. For example, in the case of the (1outof2) QRG, the gap is large enough to satisfy the condition of Ref. Georgiou and Kerenidis (2015).
As mentioned in section I, experimental imperfections may not permit a large enough difference between the winning and error probabilities. In particular, in a cryptographic context, an adversary is limited only by quantum mechanics and can therefore always achieve the cheating probability, whereas the winning probability of an honest player may be limited by experimental imperfections. Thus, understanding the role of imperfections is crucial for practical applications of QRGs.
ii.1 Experimental imperfections
In the implementation of coherentstate QRGs there are two main sources of imperfections: the combined effect of transmission loss and detector efficiency, as well the limited visibility of the interferometer, to which we associate the parameters and respectively. Dark counts are not significant, since we are dealing with coherent states with parameter , while dark count probabilities of less than can be easily obtained.
The effect of loss and limited efficiency is to change the parameter of the states to , with . This leads to a reduction in the probability of observing at least one photon, which in turn reduces the winning probability. Additionally, if the visibility of the interferometer is limited, it is possible for the wrong detector to click at each time slot (leading to an incorrect answer) or for both to detectors click, in which case Bob has to guess the answer at random and can also make a mistake.
In the presence of these imperfections, we can write the output of the beamsplitter at each time slot as the state
(18) 
with and where we assume the first mode corresponds to the correct detector. Hence, large values of imply that the interference works properly and most of the photons go to the correct output mode. Notice that can be related to the usual visibility reported in experiments, which is given by .
The probability that there is a click in the correct detector is
(19) 
and the probability of obtaining a click in the wrong detector is
(20) 
Over the entire run of the experiment, Bob may give an incorrect value if no clicks occur. The probability that this happens is given by
(21) 
For simplicity, we consider the case where Bob selects at random between all slots where at least one click occurs, even if they were double clicks. When there are double clicks, Bob simply guesses an answer at random. Notice that this gives us a lower bound on the winning probability that would be obtained if Bob discards double clicks at one time slot if single clicks occurred at another time slot.
In this case, the probability of giving a wrong answer when there is at least one click is equal to the probability of giving a wrong answer for a single time slot given that there was a click in that slot, since these probabilities are equal for each slot. Thus, the probability of error given that there is at least one click is
(22) 
Combining these expressions we have that the winning probability is
(23) 
In Figs. 9, 10 and 11 we show the effect of loss and limited visibility on the winning probability of a (1outof2) QRG with and a (1outof3) QRG with . The curves for the winning probability apply to both and , since they are almost identical and indistinguishable in a single plot. As it can be seen from the figures, both limited visibility and efficiency decrease the winning probability, but even in the presence of realistic imperfections, it is possible to beat the bound of Ref. Georgiou and Kerenidis (2015) for the case and to achieve a significant gap compared to the cheating probability in the case . However, this is no longer true for larger values of the imperfections.
Thus, in order to experimentally demonstrate a QRG that can be used as a buildingblock in cryptographic applications, it will be necessary either to use very efficient detectors, low channel loss and high visibility interference, or to move to larger values of where the cheating probability decreases exponentially while the winning probability remains mostly unchanged. Moving to larger values of is something that can be done straightforwardly in our approach.
Iii Discussion
We have given a general method of constructing (1outofk) quantum retrieval games (QRGs) and we have shown that their cheating probability decreases exponentially in while the winning probability, in the ideal case, remains unchanged. Inspired by this, we have defined new QRGs based on coherent states of light. These QRGs can be implemented using only sequences of phasemodulated coherent states and linear optics with active switching. Such an implementation may be challenging, particularly in terms of achieving fast switching and an adjustable path difference in the interferometer, but it should be possible to realize with current technology, even for large values of .
While (1outofk) QRGs may be constructed from (1outof2) QRGs, this requires winning probabilities very close to 1 and small error probabilities, which may not be possible to achieve simultaneously in a practical setting. Similarly, using many (1outof2) QRGs to build (1outof2) QRGs with better parameters requires meeting conditions that may not be attainable in the presence of imperfections. Thus, our direct construction is probably a more desirable path as one can obtain large differences between the winning and error probabilities even in the presence of imperfections.
From the point of view of applications, QRGs have already been used as buildingblocks for quantum money schemes and therefore our results bring the experimental realization of such schemes closer to fruition. Additionally and perhaps most importantly, they constitute a new tool in the arsenal of the practical quantum cryptographer, which may prove useful in situations where we want participants to have access to certain information of their choice but not to all available information. Such situations arise for example in twoparty cryptography and quantum signature schemes, where our results may be useful to build new practical protocols.
J.M. Arrazola would like to thank A. Ignjatovic and I. Kerenidis for useful discussions. M. Karasamanis is thankful for the hospitality of the Institute for Quantum Computing during a summer research term, in the course of which this research was performed. We acknowledge support from the Mike and Ophelia Lazaridis Fellowship, IQC Summer URA, NSERC Discovery Grant, Industry Canada, Army Research Laboratory W911NF1520061, Singapore Ministry of Education (partly through the Academic Research Fund Tier 3 MOE2012T31009) and the National Research Foundation of Singapore, Prime Minister’s Office, under the Research Centres of Excellence programme.
References
 Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175–179.
 Wiesner (1983) S. Wiesner, Sigact News 15, 78 (1983).
 Chailloux and Kerenidis (2009) A. Chailloux and I. Kerenidis, in Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on (IEEE, 2009), pp. 527–533.
 Hillery et al. (1999) M. Hillery, V. Bužek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).
 Pappa et al. (2014) A. Pappa, P. Jouguet, T. Lawson, A. Chailloux, M. Legré, P. Trinkler, I. Kerenidis, and E. Diamanti, Nature Communications 5, 3717 (2014).
 Donaldson et al. (2016) R. J. Donaldson, R. J. Collins, K. Kleczkowska, R. Amiri, P. Wallden, V. Dunjko, J. Jeffers, E. Andersson, and G. S. Buller, Physical Review A 93, 012329 (2016).
 Lunghi et al. (2013) T. Lunghi, J. Kaniewski, F. Bussières, R. Houlmann, M. Tomamichel, A. Kent, N. Gisin, S. Wehner, and H. Zbinden, Phys. Rev. Lett. 111, 180504 (2013).
 Tang et al. (2014) Z. Tang, Z. Liao, F. Xu, B. Qi, L. Qian, and H.K. Lo, Phys. Rev. Lett. 112, 190503 (2014).
 Erven et al. (2014) C. Erven, N. Ng, N. Gigov, R. Laflamme, S. Wehner, and G. Weihs, Nature Communications 5 (2014).
 Bash et al. (2015) B. A. Bash, A. H. Gheorghe, M. Patel, J. L. Habif, D. Goeckel, D. Towsley, and S. Guha, Nature Communications 6 (2015).
 Wallden et al. (2015) P. Wallden, V. Dunjko, A. Kent, and E. Andersson, Phys. Rev. A 91, 042304 (2015).
 Arrazola et al. (2015) J. M. Arrazola, P. Wallden, and E. Andersson, arXiv preprint arXiv:1505.07509 (2015).
 Buhrman et al. (2014) H. Buhrman, N. Chandran, S. Fehr, R. Gelles, V. Goyal, R. Ostrovsky, and C. Schaffner, SIAM Journal on Computing 43, 150 (2014).
 Gavinsky (2012) D. Gavinsky, in Computational Complexity (CCC), 2012 IEEE 27th Annual Conference on (IEEE, 2012), pp. 42–52.
 Pastawski et al. (2012) F. Pastawski, N. Y. Yao, L. Jiang, M. D. Lukin, and J. I. Cirac, Proceedings of the National Academy of Sciences 109, 16079 (2012).
 Georgiou and Kerenidis (2015) M. Georgiou and I. Kerenidis, in LIPIcsLeibniz International Proceedings in Informatics (Schloss DagstuhlLeibnizZentrum fuer Informatik, 2015), vol. 44.
 BarYossef et al. (2004) Z. BarYossef, T. S. Jayram, and I. Kerenidis, in Proceedings of the ThirtySixth Annual ACM Symposium on Theory of Computing (2004), pp. 128–137.
 Arrazola and Lütkenhaus (2014) J. M. Arrazola and N. Lütkenhaus, Phys. Rev. A 89, 062305 (2014).
 Arrazola and Lütkenhaus (2014) J. M. Arrazola and N. Lütkenhaus, Phys. Rev. A 90, 042335 (2014).