
Unconditionally-Secure and Reusable Public-Key Authentication

  • Conference paper
Theory of Quantum Computation, Communication, and Cryptography (TQC 2011)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 6745)


Abstract

We present a quantum-public-key identification protocol and show that it is secure against a computationally-unbounded adversary. This demonstrates for the first time that unconditionally-secure and reusable public-key authentication is possible in principle with (pure-state) public keys.


Notes

  1.

    Other authors have defined the framework to include mixed public keys, and Ref. [4] proposes an encryption scheme with mixed public keys that is reusable and unconditionally secure [5].

  2.

    Note that it is not a user’s personal identification number (PIN) that functions as the prover’s private key; the PIN only serves to authenticate the user to the smart card (not the smart card to the card reader).

  3.

    Pseudo-signature schemes, such as the one in Ref. [8], are information-theoretically secure but assume broadcast channels.

  4.

    For password-based identification in a symmetric-key model, as in Ref. [10], where both Alice and Bob know something that Eve does not (i.e. the password), one can define a nontrivial “man-in-the-middle” attack, where Eve’s goal is to learn the password in order to impersonate Alice in a later instance of the protocol. However, in public-key identification, Eve’s goal of learning the private key may, without loss of generality, be accomplished by participating as a dishonest verifier and by obtaining copies of the public key, since Bob does not perform any action that Eve cannot perform herself given a copy of the public key.

  5.

    This requires the following two facts: (1) for any integer \(a\),

    $$\begin{aligned} \frac{1}{2\pi }\int _{0}^{2\pi } e^{i a \theta } d\theta = \left\{ \begin{array}{ll} 0 & \text{if } a\ne 0 , \\ 1 & \text{otherwise} ; \end{array} \right. \end{aligned}$$
    (21)

    and (2) for any integer \(p\ge 2\) and integer \(a\):

    $$\begin{aligned} \frac{1}{p}\sum _{k=1}^p e^{2 \pi i a k/p} =\left\{ \begin{array}{ll} 0 & \text{if } a \text{ is not a multiple of } p, \\ 1 & \text{otherwise} , \end{array} \right. \end{aligned}$$
    (22)

    where the second fact is applied at \(p=2r+1\).

  6.

    One way to interpret this result is that even if Alice encodes infinitely many bits into \(\phi \), it is no better than if she encoded \(\lceil \log _2(2r+1) \rceil \) bits. Note that if Eve performs an optimal phase estimation [16] in order to learn \(\phi \) and then cheat Bob, she can only learn at most \(\lfloor \log _2(2r-1)\rfloor \) bits of \(\phi \) (here, we assume Eve has \(2r-1\) copies of the public key, having left Bob one copy), whereas Alice actually encoded \(\lceil \log _2(2r+1) \rceil \) bits into \(\phi \).

References

  1. Menezes, A.J., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press LLC, Boca Raton (1996)

  2. Gottesman, D., Chuang, I.L.: Quantum Digital Signatures (2001). quant-ph/0105032

  3. Lamport, L.: Constructing digital signatures from a one-way function. CSL 98, SRI International (1979)

  4. Kawachi, A., Koshiba, T., Nishimura, H., Yamakami, T.: Computational indistinguishability between quantum states and its cryptographic application. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 268–284. Springer, Heidelberg (2005). http://arxiv.org/abs/quants-ph/0403069

  5. Hayashi, M., Kawachi, A., Kobayashi, H.: Quantum measurements for hidden subgroup problems with optimal sample complexity. Quantum Inf. Comput. 8, 0345–0358 (2008)

  6. Ioannou, L.M., Mosca, M.: Public-key cryptography based on bounded quantum reference frames. http://arxiv.org/abs/0903.5156

  7. Goldreich, O.: Foundations of Cryptography (Volume I): Basic Tools. Cambridge University Press, Cambridge (2001)

  8. Chaum, D., Roijakkers, S.: Unconditionally secure digital signatures. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 206–214. Springer, Heidelberg (1991)

  9. Gottesman, D.: Quantum public key cryptography with information-theoretic security. Workshop on classical and quantum information security, Caltech, 15–18 December 2005. http://www.cpi.caltech.edu/quantum-security/program.html; see also http://www.perimeterinstitute.ca/personal/dgottesman

  10. Damgaard, I., Fehr, S., Salvail, L., Schaffner, C.: Secure identification and QKD in the bounded-quantum-storage model. In: CRYPTO 2007. LNCS, vol. 4622, pp. 342–359 (2007)

  11. Bartlett, S.D., Rudolph, T., Spekkens, R.W., Turner, P.S.: Degradation of a quantum reference frame. New J. Phys. 8, 58 (2006)

  12. Gutoski, G.: Quantum strategies and local operations. Ph.D. thesis, University of Waterloo (2009)

  13. Mittal, R., Szegedy, M.: Product rules in semidefinite programming. In: Csuhaj-Varjú, E., Ésik, Z. (eds.) FCT 2007. LNCS, vol. 4639, pp. 435–445. Springer, Heidelberg (2007)

  14. van Dam, W., Mauro D’Ariano, G., Ekert, A., Macchiavello, C., Mosca, M.: Optimal quantum circuits for general phase estimation. Phys. Rev. Lett. 98(9), 090501 (2007)

  15. Beals, R., Buhrman, H., Cleve, R., Mosca, M., de Wolf, R.: Quantum lower bounds by polynomials. In: FOCS ’98: Proceedings of the 39th Annual Symposium on Foundations of Computer Science (1998)

  16. van Dam, W., Mauro D’Ariano, G., Ekert, A., Macchiavello, C., Mosca, M.: Optimal phase estimation in quantum networks. J. Phys. A: Math. Theor. 40, 7971–7984 (2007)

  17. Chiribella, G., D’Ariano, G.M., Sacchi, M.F.: Optimal estimation of group transformations using entanglement. Phys. Rev. A 72(4), 042338 (2005)

  18. Watrous, J.: Theory of quantum information. Lecture notes for course CS 789, University of Waterloo, http://www.cs.uwaterloo.ca/~watrous/ (2008)

  19. Cleve, R., Slofstra, W., Unger, F., Upadhyay, S.: Strong parallel repetition theorem for quantum XOR proof systems (2006). arXiv:quant-ph/0608146v1

  20. Kitaev, A., Watrous, J.: Parallelization, amplification, and exponential time simulation of quantum interactive proof systems. In: STOC ’00: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing (2000)


Author information

Correspondence to Lawrence M. Ioannou.

Appendices

1.1 Proof of Sufficiency of Individual Attacks

Consider the following non-cryptographic, \((t+1)\)-round interactive protocol (or game) between Evelyn and Bobby (neither of whom is considered adversarial, hence we distinguish these two players from Eve and Bob), denoted \(\mathcal {L} = \mathcal {L}(\varPhi )\), where

$$\begin{aligned} \varPhi = (\varPhi _1,\varPhi _2,\ldots ,\varPhi _{t+1}) \end{aligned}$$
(60)

and the \(\varPhi _i\) are quantum operations (super-operators) that specify Evelyn’s actions in the game (the quantities \(r\) and \(t\) are as defined previously):

  • \((1')\) Bobby chooses a uniformly random \(x\in \{1,2,\ldots ,2r+1\}\) and sends a qubit in the state \(| 0 \rangle \) to Evelyn (who can ignore this qubit—it carries no significant information).

  • \((2')\) For \(i = 1,2,\ldots , t\) \(\{\)

    • \(\diamond \) Evelyn performs the quantum operation \(\varPhi _i\) on her system, and then sends one qubit to Bobby.

    • \(\diamond \) Bobby performs the unitary gate \(u_{\phi _x}\) on the qubit received from Evelyn and sends it back to Evelyn.\(\}\)

  • \((3')\) Bobby chooses a uniformly random \(b \in \{0,1\}\) and sends a qubit in the state \(| 0 \rangle + (-1)^b e^{i \phi _x}| 1 \rangle \) to Evelyn.

  • \((4')\) Evelyn performs the quantum operation \(\varPhi _{t+1}\) on her system, and then sends one qubit to Bobby.

  • \((5')\) Bobby measures the received qubit in the computational basis \(\{| 0 \rangle , | 1 \rangle \}\), getting outcome 0 or 1 (corresponding to \(| 0 \rangle \) and \(| 1 \rangle \) respectively); he tests whether this outcome equals \(b\).
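The exchange in Steps (1')–(5') reduces, from Bobby's point of view, to a single-qubit interference test: the challenge carries the secret phase \(\phi_x\) and the bit \(b\) as a relative phase, and only a party who can strip \(\phi_x\) off can map it onto \(b\) in the computational basis. The following toy simulation is an added example, not code from the paper; it assumes (neither is stated on this page) that Bobby's black box is the phase gate \(u_\phi = \mathrm{diag}(1, e^{i\phi})\) and that the secret phases are \(\phi_x = 2\pi x/(2r+1)\). It computes the exact pass probability of Step (5') for an Evelyn whose final operation \(\varPhi_{t+1}\) undoes a phase estimate and applies a Hadamard, as a function of the estimate's error, and for an Evelyn who ignores the black boxes altogether.

```python
import cmath
import math

# Constructed toy model of the game L(Phi) in Steps (1')-(5'); added example,
# not code from the paper. Assumptions (not stated on this page): Bobby's
# black box is u_phi = diag(1, e^{i phi}) and phi_x = 2*pi*x/(2r+1), x = 1..2r+1.

INV_SQRT2 = 1 / math.sqrt(2)


def phase_gate(phi):
    """u_phi = diag(1, e^{i phi}) on a single qubit (assumed form of Bobby's gate)."""
    return [[1.0, 0.0], [0.0, cmath.exp(1j * phi)]]


def hadamard():
    """Hadamard gate: turns a relative phase of +/-1 into a basis outcome."""
    return [[INV_SQRT2, INV_SQRT2], [INV_SQRT2, -INV_SQRT2]]


def apply(gate, state):
    """Multiply a 2x2 gate into a 2-component state vector."""
    return [gate[0][0] * state[0] + gate[0][1] * state[1],
            gate[1][0] * state[0] + gate[1][1] * state[1]]


def challenge_state(phi, b):
    """Step (3'): Bobby's challenge (|0> + (-1)^b e^{i phi} |1>)/sqrt(2)."""
    return [INV_SQRT2, INV_SQRT2 * ((-1) ** b) * cmath.exp(1j * phi)]


def pass_probability(phi_x, b, evelyn_phase_estimate):
    """Probability that Bobby's test in Step (5') passes when Evelyn's Phi_{t+1}
    removes her estimate of the phase and applies a Hadamard before returning
    the qubit. With a perfect estimate the challenge becomes |b> exactly."""
    q = challenge_state(phi_x, b)
    q = apply(phase_gate(-evelyn_phase_estimate), q)  # (|0> + (-1)^b e^{-i delta}|1>)/sqrt2
    q = apply(hadamard(), q)                          # amplitude on |b> is (1 + e^{-i delta})/2
    return abs(q[b]) ** 2


def average_pass_probability(r, estimate_error):
    """Average over Bobby's uniform x and b when Evelyn's phase estimate is off
    by a fixed error delta = estimate_error. Closed form: cos^2(delta/2), so
    1 for delta = 0, 1/2 for delta = pi/2 and 0 for delta = pi."""
    n = 2 * r + 1
    total = 0.0
    for x in range(1, n + 1):
        phi_x = 2 * math.pi * x / n          # assumed phase assignment
        for b in (0, 1):
            total += pass_probability(phi_x, b, phi_x + estimate_error)
    return total / (2 * n)


def blind_pass_probability():
    """Evelyn ignores the black boxes and the challenge and returns |0>:
    Bobby's outcome matches b only when b = 0, i.e. with probability 1/2."""
    returned = [1.0, 0.0]
    return sum(abs(returned[b]) ** 2 for b in (0, 1)) / 2


if __name__ == "__main__":
    for delta in (0.0, math.pi / 4, math.pi / 2, math.pi):
        print(f"estimate error {delta:.3f} rad -> pass probability "
              f"{average_pass_probability(2, delta):.4f}")
    print("blind guess ->", blind_pass_probability())
```

The point of the simulation is the shape of the curve, \(\cos^2(\delta/2)\): Bobby's test is only as strong as the difficulty of estimating \(\phi_x\) from \(t\) black-box uses, which is exactly what Propositions 5 and 6 and the phase-estimation bound in Note 6 quantify.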

The following proposition is straightforward to prove:

Proposition 5

The probability that Eve, using \(t\) black boxes \(u_{\phi _{x_j}}\), causes Bob’s equality test to pass in a particular iteration \(j\) of the protocol in Sect. 2.1 is at most

$$\begin{aligned} \alpha {:}= \max _{\varPhi } {\mathrm {Pr}}[{\mathrm {Bobby's \ equality \ test \ passes \ in }}\, \mathcal {L}(\varPhi )], \end{aligned}$$
(61)

where \(\varPhi \) ranges over all \((t+1)\)-tuples of admissible quantum operations that Evelyn can apply in the game \(\mathcal {L}\).

Now consider the parallel \(s\)-fold repetition of \(\mathcal {L}\), which we denote \(\mathcal {L}^{\Vert s} = \mathcal {L}^{\Vert s} (\varPhi ')\), where now \(\varPhi '\) denotes Evelyn’s quantum operation in \(\mathcal {L}^{\Vert s}\). The following proposition is also straightforward to prove:

Proposition 6

The probability that Eve fools Bob on the first attempt using \(t\) black boxes per \(x\)-value in the protocol in Sect. 2.1 is at most

$$\begin{aligned} \alpha '{:}= \max _{\varPhi '} {\mathrm {Pr}}[{\mathrm {all \ of \ Bobby's \ equality \ tests \ pass \ in}} \ \mathcal {L}^{\Vert s}(\varPhi ')], \end{aligned}$$
(62)

where \(\varPhi '\) ranges over all \((t+1)\)-tuples of admissible quantum operations that Evelyn can apply in the game \(\mathcal {L}^{\Vert s}\).

Therefore, in order to prove that it is sufficient to consider individual (as opposed to coherent) attacks by Eve, it suffices to show that \(\alpha ' = \alpha ^s\).

In Ref. [12], the above game is viewed as an interaction between a \((t+1)\)-round (non-measuring) strategy and a (compatible) measuring co-strategy; Evelyn’s operations \(\varPhi \) form the non-measuring strategy and Bobby’s actions form the measuring co-strategy (technically, Steps \((1')\), \((3')\), and \((4')\) would have to be slightly modified in order to fit the co-strategy formalism: in Steps \((1')\) and \((3')\), Bobby should make his random choices in superposition and use the quantum registers storing these choices as a control register whenever requiring these random values subsequently; in Step \((4')\), Bobby should only make one final measurement whose outcome indicates whether the equality test passes; we assume that these modifications have been made).

For all \(i\), let \(\mathcal {X}_i\) and \(\mathcal {Y}_i\) be the input and output spaces, respectively, of Evelyn’s quantum operation \(\varPhi _i\) in \(\mathcal {L}\), i.e. \(\varPhi _i: \mathrm {L}\left( \mathcal {X}_i\right) \rightarrow \mathrm {L}\left( \mathcal {Y}_i\right) \), where \(\mathrm {L}\left( \mathcal {X}_i\right) \) is the space of all linear operators from the complex Euclidean space \(\mathcal {X}_i\) to itself (and likewise for \(\mathrm {L}\left( \mathcal {Y}_i\right) \)). Let \(\mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \) denote the set of all positive semidefinite operators in \(\mathrm {L}\left( \mathcal {Y}\otimes \mathcal {X}\right) \), where \(\mathcal {Y}= \mathcal {Y}_1 \otimes \mathcal {Y}_2 \otimes \cdots \otimes \mathcal {Y}_{t+1}\) (and similarly for \(\mathcal {X}\)). For any Euclidean space \(\mathcal {Z}\), let \(\mathbb {I}_{\mathcal {Z}}\) denote the identity operator on \(\mathcal {Z}\).

Reference [12] shows that Evelyn’s strategy can be equivalently expressed by a single positive semidefinite operator in \(\mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \) while Bobby’s measuring co-strategy can be expressed by the collection \(\{B_0, B_1\}\) of two positive semidefinite operators in \(\mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \), where, without loss of generality, we assume that \(B_0\) corresponds to the measurement outcome indicating that Bobby’s test for equality in Step \((5')\) passes. We briefly note that these positive semidefinite operators are the Choi-Jamiołkowski representations of quantum operations corresponding to the players’ actions. A more general version of the following theorem is proved in Ref. [12]:

Theorem 7

(Interaction output probabilities [12]). For any non-measuring strategy \(X\in \mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) \) of Evelyn, the probability that Bobby’s equality test passes is \(\text {Tr}(B_0^\dagger X)\).

Using Theorem 7, it is shown, in the proof of Theorem 3.3 of Ref. [12], that the maximal probability with which Bobby’s measuring co-strategy can be forced to output the outcome corresponding to \(B_0\) by some (compatible) strategy of Evelyn’s can be expressed as a semidefinite (optimization) program (see Ref. [18] for a relevant review of semidefinite programming). Thus \(\alpha \) and \(\alpha '\) can be expressed, respectively, as solutions to the following semidefinite programs \(\pi _{\alpha }\) and \(\pi _{\alpha '}\):

$$\begin{aligned} \begin{array}{cc} \underline{\pi _\alpha } &{} \underline{\pi _{\alpha '}} \\ \text {maximize:} \;\text {Tr}(B_0^\dagger X) &{} \text {maximize:} \;\text {Tr}((B_0^{\otimes s})^\dagger X)\\ \text {subject to:} \;\text {Tr}_{\mathcal {Y}} (X) = \mathbb {I}_{\mathcal {X}}, &{} \quad \text {subject to:} \;\text {Tr}_{\mathcal {Y}'} (X) = \mathbb {I}_{\mathcal {X}'},\\ X \in \mathrm {Pos}\left( \mathcal {Y}\otimes \mathcal {X}\right) &{} \qquad \quad \qquad X\in \mathrm {Pos}\left( \mathcal {Y}' \otimes \mathcal {X}'\right) , \end{array} \end{aligned}$$

where, for all \(i\), \(\mathcal {X}_i' = \mathcal {X}_i^{\otimes s}\) and \(\mathcal {X}' = \mathcal {X}_1' \otimes \mathcal {X}_2' \otimes \cdots \otimes \mathcal {X}_{t+1}'\) (and similarly for \(\mathcal {Y}_i'\) and \(\mathcal {Y}'\)). We note that the first constraint in each semidefinite program above codifies the property of trace-preservation for the quantum operation corresponding to \(X\), while the second constraint codifies the property of complete positivity (see Ref. [18] for details). Furthermore, it is shown in Ref. [12] that such semidefinite programs (arising from interactions between strategies and compatible co-strategies) satisfy the condition of strong duality, which means that the solution to each semidefinite program above coincides with that of its dual.

In Ref. [13], the following theorem is proven:

Theorem 8

(Condition for product rule for semidefinite programs [13]). Suppose that the following two semidefinite programs \(\pi _1\) and \(\pi _2\) satisfy strong duality:

$$\begin{aligned} \begin{array}{cc} \underline{\pi _1} &{} \underline{\pi _2}\\ \text {maximize:}\;\, {\mathrm {Tr}}(J_1^\dagger W) &{} \text {maximize:}\;\,{\mathrm {Tr}}(J_2^\dagger W) \\ \text {subject to:}\; \,\varPsi _1 (W) = C_1, &{} \qquad \text {subject to:}\; \,\varPsi _2 (W) = C_2,\\ W\in \mathrm {Pos}\left( \mathcal {W}_1\right) &{} \qquad W\in \mathrm {Pos}\left( \mathcal {W}_2\right) , \end{array} \end{aligned}$$

where \(\varPsi _1: \mathrm {L}\left( \mathcal {W}_1\right) \rightarrow \mathrm {L}\left( \mathcal {Z}_1\right) \) and \(\varPsi _2: \mathrm {L}\left( \mathcal {W}_2\right) \rightarrow \mathrm {L}\left( \mathcal {Z}_2\right) \), for complex Euclidean spaces \(\mathcal {W}_1, \mathcal {Z}_1, \mathcal {W}_2, \mathcal {Z}_2\), and \(J_1 \in \mathrm {L}\left( \mathcal {W}_1\right) \) and \(J_2\in \mathrm {L}\left( \mathcal {W}_2\right) \) are Hermitian. Let \(\alpha (\pi _1)\) and \(\alpha (\pi _2)\) denote the semidefinite programs’ solutions. If \(J_1\) and \(J_2\) are positive semidefinite, then the solution to the following semidefinite program, denoted \(\pi _1 \otimes \pi _2\), is \(\alpha (\pi _1 \otimes \pi _2) = \alpha (\pi _1) \alpha (\pi _2)\):

$$\begin{aligned} \begin{array}{ll} &{}\underline{\pi _1 \otimes \pi _2} \\ \text {maximize:} \;\, &{}{\mathrm {Tr}}( (J_1\otimes J_2)^\dagger W)\\ \text {subject to:}\; \, &{}\varPsi _{1} \otimes \varPsi _2 (W) = C_1 \otimes C_2,\\ &{}W\in \mathrm {Pos}\left( \mathcal {W}_1 \otimes \mathcal {W}_2\right) . \end{array} \end{aligned}$$

Since \(B_0\) is positive semidefinite and \(\pi _{\alpha '} = \pi _\alpha ^{\otimes s}\) (using the associativity of \(\otimes \)), Theorem 8 can be applied \((s-1)\) times in order to prove that \(\alpha ' = \alpha ^s\) as required. See Ref. [12] for a similar approach, based on ideas in Ref. [19]. The idea of expressing the acceptance probability of a quantum interactive proof system as a semidefinite program first appeared in Ref. [20].

Note that this argument, combined with the arguments in the main body of the paper, shows that both the serial and parallel versions of our identification protocol are secure.

1.2 Proof of Proposition 3

Two facts hold without loss of generality:

  • the POVMs \(\{E_{w,0}, E_{w,\pi }\}\), for all \(w\), may be assumed to be covariant, i.e. \(E_{w,\pi } = V_\pi E_{w,0} V_\pi ^\dagger \) (to see this, note that any not-necessarily-covariant POVM \(\{F_{w,0}, F_{w,\pi }\}\) gives the same average probability of successfully guessing \(\theta \), given \(w\), as the covariant POVM \(\{E_{w,0}, E_{w,\pi }\}\) defined by \(E_{w,0} = (F_{w,0} + V_\pi ^\dagger F_{w, \pi } V_\pi )/2\));

  • each \(E_{w,0}\) has support only on \(\text {sp}( \mathcal {O}_w)\) and thus \(E_{w,0} + E_{w,\pi } = I_{\text {sp}( \mathcal {O}_w)}\), where \(I_{\text {sp}( \mathcal {O}_w)}\) is the identity operator on \(\text {sp}( \mathcal {O}_w)\).

To compute a basis of \(\text {sp}( \mathcal {O}_w)\), we now further define the system \(R'\) in the proof of Lemma 1 to consist of exactly \(t+1\) qubits and the states \(| c_h \rangle \), \(h=0,1,\ldots ,t\), to be all those computational basis states whose labels have Hamming weight 1 (thus \(q = 2t+1\), which is larger than necessary, but simplifies the structure of the POVMs). The total subspace

$$\begin{aligned} S \equiv \text {sp}\left( \{|S^t_j\rangle \}_{j=0,\ldots ,t} \otimes \{|c_h\rangle \}_{h=0,1,\ldots ,t} \otimes \{| 0 \rangle , | 1 \rangle \}\right) \end{aligned}$$
(63)

supporting \(| \psi _{RS}(\phi ,\theta ) \rangle \) breaks up into mutually orthogonal subspaces \(S_w\) of weight \(w\), i.e., spanned by computational basis states whose labels have Hamming weight \(w\):

$$\begin{aligned} S_1&= \text {sp}\left( |S^t_0\rangle \otimes \{| c_h \rangle \}_h \otimes | 0 \rangle \right) \end{aligned}$$
(64)
$$\begin{aligned} S_k&= \text {sp}\left( |S^t_{k-1}\rangle \otimes \{| c_h \rangle \}_h \otimes | 0 \rangle , |S^t_{k-2}\rangle \otimes \{| c_h \rangle \}_h \otimes | 1 \rangle \right) , \end{aligned}$$
(65)
$$\begin{aligned} S_{t+2}&= \text {sp}\left( |S^t_t\rangle \otimes \{| c_h \rangle \}_h \otimes | 1 \rangle \right) , \end{aligned}$$
(66)

for \(k=2,3,\ldots , t+1\). Thus, for each \(w\), we will do the following:

  • write \(P_w\) in the basis in which \(S_w\) is expressed in Eqs. (64), (65), (66),

  • derive an expression for \(P_w |\psi _{RS}(0,0)\rangle \) (which is proportional to \(| \varPsi _w \rangle \)) in order to find a basis for \(\text {sp}( \mathcal {O}_w) = \text {sp}\{| \varPsi _w \rangle ,V_\pi | \varPsi _w \rangle \}\) (which fully supports \(E_{w,0}\)), and

  • derive the form of \(E_{w,0}\) and thus, by covariance, the form of the POVM \(\{E_{w,0},E_{w,\pi }\}\) in each subspace \(S_w\).

Recalling Eq. (40), it will be convenient to let \(\alpha _{j,h}\equiv b_j g_{j,h}\) and so

$$\begin{aligned} | \psi _R(0) \rangle = \sum _{j,h} \alpha _{j,h} |S^t_j\rangle |c_h\rangle . \end{aligned}$$
(67)

\(\underline{w=1:}\)

Writing

$$\begin{aligned}&\quad P_1 | \psi _{RS}(0,0) \rangle \end{aligned}$$
(68)
$$\begin{aligned}&= \left( \sum _{h} |S^t_0\rangle \langle S^t_0 |\otimes | c_h \rangle \langle c_h |\otimes | 0 \rangle \langle 0 |\right) | \psi _R(0) \rangle {(| 0 \rangle +| 1 \rangle )}/{\sqrt{2}} \end{aligned}$$
(69)
$$\begin{aligned}&=|S^t_0\rangle \left( \sum _h [(\langle S^t_0 |\langle c_h || \psi _R(0) \rangle )/\sqrt{2}]|c_h\rangle \right) | 0 \rangle \end{aligned}$$
(70)
$$\begin{aligned}&=|S^t_0\rangle \left( \sum _h [\alpha _{0,h}/\sqrt{2}]|c_h\rangle \right) | 0 \rangle , \end{aligned}$$
(71)

we see that \(V_{\pi }|\varPsi _1\rangle = |\varPsi _1\rangle \) so that \(E_{1,0} = E_{1,\pi } = |\varXi _{0}\rangle | 0 \rangle \langle \varXi _0 |{\langle 0 | }\), where \(|\varXi _{0}\rangle \) is a state such that

$$\begin{aligned} |\varXi _{0}\rangle \propto |S^t_0\rangle \sum _h [\alpha _{0,h}/\sqrt{2}]|c_h\rangle . \end{aligned}$$
(72)

We note that getting the outcome corresponding to this POVM element does not give any information about \(\theta \); we arbitrarily assign a guess of “\(\theta = 0\)” to this outcome, without affecting optimality (since \(\theta \) is a priori uniformly distributed).

\(\underline{w \in \{2,3,\ldots ,t+1\}:}\)

Similarly, we can write

$$\begin{aligned}&\quad P_w |\psi _{RS}(0,0)\rangle \end{aligned}$$
(73)
$$\begin{aligned}&=|S^t_{w-1}\rangle \left( \sum _h [\alpha _{w-1,h}/\sqrt{2}]|c_h\rangle \right) | 0 \rangle + \end{aligned}$$
(74)
$$\begin{aligned}&\quad |S^t_{w-2}\rangle \left( \sum _h [\alpha _{w-2,h}/\sqrt{2}]|c_h\rangle \right) | 1 \rangle . \end{aligned}$$
(75)

Chiribella et al. [17] show that \(E_{w,0}\) may be assumed to have rank 1 without loss of generality. Thus \(E_{w,0}\) may be written \(|\eta _w\rangle \langle \eta _w |\), where

$$\begin{aligned} | \eta _w \rangle&= a | \varXi _{w-1} \rangle | 0 \rangle + b | \varXi _{w-2} \rangle | 1 \rangle , \end{aligned}$$
(76)

for some complex coefficients \(a\) and \(b\), such that \(|a|^2 + |b|^2 = 1\), where \(|\varXi _{w-1}\rangle \) and \(|\varXi _{w-2}\rangle \) are states such that, for \(j=0,1,\ldots ,t\),

$$\begin{aligned} |\varXi _{j}\rangle \propto \sum _h \frac{\alpha _{j,h}}{\sqrt{2}}|S^t_j\rangle |c_h\rangle . \end{aligned}$$
(77)

We have (using covariance to get \(E_{w,\pi }\))

$$\begin{aligned}&\quad E_{w,0} + E_{w,\pi } \end{aligned}$$
(78)
$$\begin{aligned}&= 2(|a|^2| \varXi _{w-1} \rangle | 0 \rangle {\langle \varXi _{w-1} | }{\langle 0 | } + |b|^2| \varXi _{w-2} \rangle | 1 \rangle {\langle \varXi _{w-2} | }{\langle 1 | }). \end{aligned}$$
(79)

But

$$\begin{aligned}&\quad E_{w,0} + E_{w,\pi } \end{aligned}$$
(80)
$$\begin{aligned}&= I_{\text {sp}(\mathcal {O}_w)} \end{aligned}$$
(81)
$$\begin{aligned}&= | \varXi _{w-1} \rangle | 0 \rangle {\langle \varXi _{w-1} | }{\langle 0 | } + | \varXi _{w-2} \rangle | 1 \rangle {\langle \varXi _{w-2} | }{\langle 1 | }. \end{aligned}$$
(82)

Equating the two expressions implies that

$$\begin{aligned} | \eta _w \rangle = \frac{1}{\sqrt{2}} (| \varXi _{w-1} \rangle | 0 \rangle + e^{i \varphi _w}| \varXi _{w-2} \rangle | 1 \rangle ), \end{aligned}$$
(83)

for some phase \(\varphi _w\). But we must have \(\varphi _w = 0\) since \(E_{w,0}\) corresponds to the guess “\(\theta = 0\)”.

\(\underline{w=t+2:}\)

Similar to the case \(w=1\) and using the definition from Eq. (77), we have \(E_{t+2,0}=E_{t+2,\pi } = |\varXi _t\rangle | 1 \rangle \langle \varXi _t |{\langle 1 | }\). We assign the guess “\(\theta =\pi \)” to getting the outcome corresponding to this POVM element.

To summarize, the elements of the overall POVM \(\{E_0,E_\pi \}\) describing the measuring-and-guessing strategy may be expressed

$$\begin{aligned} E_0&= |\varXi _{0}\rangle | 0 \rangle \langle \varXi _0 |{\langle 0 | } +\sum _{w=2}^{t+1}| w,+ \rangle \langle w,+ | \end{aligned}$$
(84)
$$\begin{aligned} E_\pi&= \sum _{w=2}^{t+1}| w,- \rangle \langle w,- | +|\varXi _t\rangle | 1 \rangle \langle \varXi _t |{\langle 1 | }, \end{aligned}$$
(85)

where

$$\begin{aligned} |w,\pm \rangle \equiv \frac{1}{\sqrt{2}} (| \varXi _{w-1} \rangle | 0 \rangle \pm | \varXi _{w-2} \rangle | 1 \rangle ). \end{aligned}$$
(86)

1.3 Proof of Theorem 1, Assuming Eq. (15)

For security with error \(\epsilon \), we require

$$\begin{aligned} r(1 - c/(2r+1)^2)^s < \epsilon , \end{aligned}$$
(87)

which, by taking the logarithm of both sides, is equivalent to

$$\begin{aligned} s > \log (\epsilon /r)/\log (1 - c/(2r+1)^2). \end{aligned}$$
(88)

Using the series expansion \(\log (1 - x) = -(x + x^2/2 + x^3/3 + \cdots )\), the right-hand side of Eq. (88) is upper-bounded by

$$\begin{aligned} (2r+1)^2\log (r/\epsilon )/c, \end{aligned}$$
(89)

from which the theorem follows.
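The step from Eq. (88) to Eq. (89) replaces the exact threshold on \(s\) by a closed form that is always at least as large, because \(-\log(1-x) \ge x\) for \(0 < x < 1\). The script below is an added example, not code from the paper; it treats \(c\) (the constant from Eq. (15), which is not reproduced on this page) as a parameter and, for given \(r\), \(\epsilon\) and \(c\), computes the smallest \(s\) satisfying Eq. (87), the closed-form value of Eq. (89), and checks that the latter is sufficient.

```python
import math

# Added example, not code from the paper. The constant c comes from Eq. (15)
# of the paper and is passed in as a parameter here.


def decay_factor(r, c):
    """The per-round factor (1 - c/(2r+1)^2) that appears in Eq. (87)."""
    q = 1 - c / (2 * r + 1) ** 2
    if not 0 < q < 1:
        raise ValueError("need 0 < c < (2r+1)^2 for the cheating probability to decay")
    return q


def is_secure(r, epsilon, c, s):
    """Eq. (87): do s repetitions bring r(1 - c/(2r+1)^2)^s strictly below epsilon?"""
    return r * decay_factor(r, c) ** s < epsilon


def minimal_rounds(r, epsilon, c):
    """Smallest integer s satisfying Eq. (88): s > log(eps/r)/log(1 - c/(2r+1)^2).
    Both logarithms are negative for epsilon < r, so the quotient is positive."""
    threshold = math.log(epsilon / r) / math.log(decay_factor(r, c))
    return math.floor(threshold) + 1


def sufficient_rounds(r, epsilon, c):
    """Eq. (89): (2r+1)^2 log(r/eps)/c, rounded up. Since -log(1-x) >= x for
    x = c/(2r+1)^2, this is never smaller than minimal_rounds, so it is always
    a safe (if slightly generous) choice of s."""
    return math.ceil((2 * r + 1) ** 2 * math.log(r / epsilon) / c)


def bound_dominates(r, epsilon, c):
    """Check, for concrete parameters, the inequality the appendix relies on:
    the closed-form s is secure and the exact threshold is tight."""
    s_min = minimal_rounds(r, epsilon, c)
    s_suf = sufficient_rounds(r, epsilon, c)
    return (s_suf >= s_min
            and is_secure(r, epsilon, c, s_suf)
            and not is_secure(r, epsilon, c, s_min - 1))


if __name__ == "__main__":
    for r in (1, 2, 4, 8):
        print(f"r={r}: minimal s={minimal_rounds(r, 1e-3, 1.0)}, "
              f"Eq. (89) gives s={sufficient_rounds(r, 1e-3, 1.0)}")
```

The quadratic growth in \(r\) visible in the output is the price of the \((2r+1)^2\) factor in Eq. (89); the gap between the two columns is the slack introduced by truncating the series for \(\log(1-x)\) after its first term.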

1.4 Proof of Proposition 4

This maximization problem is very similar to that in Ref. [11], where it was required to maximize \(\langle \zeta |M'_t |\zeta \rangle \) over all states \(| \zeta \rangle \in \text {sp}\{| j \rangle :j=0,1,\ldots ,t \}\) for

$$\begin{aligned} M'_t = \sum _{j=0}^{t-1} |j+1\rangle \langle {j} | +|{j}\rangle \langle {j+1} |. \end{aligned}$$
(90)

In fact, in light of Eq. (40), the phase estimation problem in Ref. [11] may be viewed as the same as the one we consider, but where Eve does not have access to the register \(R'\). (Indeed, our optimal success probability cannot be less than that in Ref. [11], since at the very least Eve can forgo the use of the ancillary register \(R'\).) Finally, below, we show that our optimal success probability is exactly equal to that obtained in Ref. [11].

Let \(\alpha _{j,h}^\star \) denote the optimal values for our maximization problem, and let \(M_t^\star \), \(|\psi _R(0)^\star \rangle \), and \(|\varXi _{j}^\star \rangle \) denote the values of \(M_t\), \(|\psi _R(0)\rangle \), and \(|\varXi _{j}\rangle \) at those optimal values. Note that \(\{|\varXi _{j}\rangle : j=0,1,\ldots ,t\}\) is orthonormal for all values of \(\alpha _{j,h}\), thus \(\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) is orthonormal. Consider now optimizing \({\langle \psi | }M_t^\star | \psi \rangle \) over all unit vectors \(| \psi \rangle \in \text {sp}\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) for fixed \(M_t^\star \); denote the optimal \(| \psi \rangle \) as \(| \psi ^\star \rangle \). It must be that

$$\begin{aligned} {\langle \psi ^\star | }M_t^\star | \psi ^\star \rangle \ge {\langle \psi _R(0)^\star | }M_t^\star | \psi _R(0)^\star \rangle , \end{aligned}$$
(91)

since \(| \psi _R(0)^\star \rangle \in \text {sp}\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) by inspecting Eqs. (67) and (77). Now note that the coefficients of \(| \psi ^\star \rangle \) with respect to the basis \(\{|\varXi _{j}^\star \rangle : j=0,1,\ldots ,t\}\) must be precisely those coefficients of the optimal \(| \zeta \rangle \) with respect to the standard orthonormal basis \(\{| j \rangle :j=0,1,\ldots ,t \}\) found in Ref. [11]; otherwise, substituting the coefficients of \(| \psi ^\star \rangle \) would give a higher maximum than that in Ref. [11]. (The argument works because, in both cases, the orthonormal basis is fixed for the optimization.) Therefore, we have, as in Ref. [11],

$$\begin{aligned} | \psi ^\star \rangle \propto \sum _{j=0}^t \sin \left[ \frac{(j+1)\pi }{t+2}\right] |\varXi _j\rangle . \end{aligned}$$
(92)
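Eq. (92) states that the optimal coefficients with respect to a fixed orthonormal basis are \(\sin[(j+1)\pi/(t+2)]\); in other words, the optimum is the top eigenvector of the tridiagonal matrix \(M'_t\) of Eq. (90). The following is an added numerical check, not code from the paper: it builds \(M'_t\), evaluates \(\langle \zeta | M'_t | \zeta \rangle\) at the state of Eq. (92), compares it with the largest eigenvalue \(2\cos(\pi/(t+2))\) (a standard fact about the path graph, not stated on this page), and recovers the same vector independently by power iteration.

```python
import math

# Added example, not code from the paper: numerical check of Eqs. (90) and (92).


def path_matrix(t):
    """M'_t from Eq. (90): (t+1)x(t+1) matrix with ones on the first sub- and
    super-diagonal, i.e. the adjacency matrix of a path on t+1 vertices."""
    n = t + 1
    m = [[0.0] * n for _ in range(n)]
    for j in range(t):
        m[j + 1][j] = 1.0
        m[j][j + 1] = 1.0
    return m


def matvec(m, v):
    return [sum(row[k] * v[k] for k in range(len(v))) for row in m]


def normalised(v):
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]


def expectation(m, v):
    """<zeta|M|zeta> for the real unit vector zeta = v/|v| (the objective)."""
    u = normalised(v)
    return sum(a * b for a, b in zip(u, matvec(m, u)))


def optimal_zeta(t):
    """Eq. (92): zeta_j proportional to sin((j+1) pi/(t+2)), j = 0, ..., t."""
    return normalised([math.sin((j + 1) * math.pi / (t + 2)) for j in range(t + 1)])


def optimal_value(t):
    """2 cos(pi/(t+2)): the largest eigenvalue of M'_t (standard result for the
    path graph; not stated on this page)."""
    return 2.0 * math.cos(math.pi / (t + 2))


def power_iteration_zeta(t, iterations=5000):
    """Independent check: power iteration on M'_t + 2I. The shift is needed
    because the spectrum of M'_t is symmetric (+/- 2cos(k pi/(t+2))), so the
    eigenvalue of largest magnitude is not unique; after shifting, the top
    eigenvalue 2 + 2cos(pi/(t+2)) is strictly dominant."""
    n = t + 1
    m = path_matrix(t)
    for j in range(n):
        m[j][j] += 2.0
    v = normalised([1.0] * n)   # positive start vector overlaps the positive optimum
    for _ in range(iterations):
        v = normalised(matvec(m, v))
    return v


def max_abs_difference(u, v):
    return max(abs(a - b) for a, b in zip(u, v))


if __name__ == "__main__":
    t = 5
    m = path_matrix(t)
    print("objective at the state of Eq. (92):", expectation(m, optimal_zeta(t)))
    print("2 cos(pi/(t+2))                   :", optimal_value(t))
    print("distance to power-iteration vector:", max_abs_difference(optimal_zeta(t), power_iteration_zeta(t)))
    print("objective at uniform superposition:", expectation(m, [1.0] * (t + 1)))
```

Comparing the last two printed values shows why the sine profile matters: a flat superposition over the \(|\varXi_j\rangle\) does not reach the maximum, and the gap between \(2\cos(\pi/(t+2))\) and \(2\) is what limits Eve's success probability as a function of the number \(t\) of black-box uses.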


Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ioannou, L.M., Mosca, M. (2014). Unconditionally-Secure and Reusable Public-Key Authentication. In: Bacon, D., Martin-Delgado, M., Roetteler, M. (eds) Theory of Quantum Computation, Communication, and Cryptography. TQC 2011. Lecture Notes in Computer Science(), vol 6745. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54429-3_8


  • DOI: https://doi.org/10.1007/978-3-642-54429-3_8


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-54428-6

  • Online ISBN: 978-3-642-54429-3
