Semi device independence of the BB84 protocol

Erik Woodhead

doi:10.1088/1367-2630/18/5/055010

1. BB84 and device independence

Quantum key distribution (QKD) [1, 2] protocols allow cooperating users to generate cryptographic keys in such a way that unauthorised eavesdropping can be detected. This is achieved by exploiting features of quantum physics, such as the general inability to measure a quantum state without disturbing it, in a way that guarantees that any attempt at eavesdropping on the protocol will introduce detectable errors.

One of a QKD protocol's differentiating features is the degree to which it is device independent [3–5] i.e., the extent to which the protocol can be proved secure independently of assumptions about the internal functioning of the devices in the physical setup. This is of practical interest as device-independent protocols are intrinsically more robust, ensuring that both unintended and maliciously introduced implementation faults are detected automatically. Protocols can range from fully characterised (the exact quantum state preparations and/or measurements must be known) to fully device independent (security is established based only on the detection of Bell-nonlocal [6, 7] correlations, independently of the mechanism that produced them). Between these extremes, partially device-independent protocols have also been proposed in which only some of the devices are fully characterised [8–10] and in which only a Hilbert space dimension bound is assumed for the source of quantum states [11, 12].

The BB84 protocol [13] was originally introduced as a fully characterised protocol. A commonly considered prepare-and-measure version runs as follows. One user ('Alice') generates a string of random bits that she wishes to transmit to another distant user ('Bob'). Alice sequentially encodes each bit onto one of two corresponding orthogonal ${\sigma }_{{\rm{z}}}$ eigenstates $| 0\rangle$ and $| 1\rangle$ which she transmits to Bob. In order to be able to detect eavesdropping, Alice inserts instances of the ${\sigma }_{{\rm{x}}}$ eigenstates $| +\rangle$ and $| -\rangle$ , with $| \pm \rangle =(| 0\rangle \pm | 1\rangle )/\sqrt{2}$ , at some random locations in the sequence of quantum states to be transmitted to Bob. Bob measures most of the states he receives from Alice in the ${\sigma }_{{\rm{z}}}=| 0\rangle \langle 0| -| 1\rangle \langle 1|$ basis and the remaining minority of cases in the ${\sigma }_{{\rm{x}}}=| +\rangle \langle +| -| -\rangle \langle -|$ basis. Afterwards, the record of cases where Alice and Bob used mismatched bases (Alice prepared a ${\sigma }_{{\rm{z}}}$ state and Bob measured ${\sigma }_{{\rm{x}}}$ or vice versa) are discarded. The cases where Alice and Bob both used the ${\sigma }_{{\rm{x}}}$ basis and a randomly chosen subset of cases where they both used the ${\sigma }_{{\rm{z}}}$ basis are used to estimate the x- and z-basis error rates ${\delta }_{{\rm{x}}}$ and ${\delta }_{{\rm{z}}}$ and then likewise discarded. Finally, if the error rates are not too high, classical postprocessing allows a (generally shorter) secret key to be generated with the relative errors between Alice's and Bob's versions corrected and with any knowledge of the key by an adversary effectively erased.

There is also an entanglement-based version of BB84, in which a central source prepares and distributes entangled states which Alice, as well as Bob, measures in the ${\sigma }_{{\rm{z}}}$ and ${\sigma }_{{\rm{x}}}$ bases. In this case, the initial bitstring is obtained from the measurement results rather than from a separate randomness generation procedure. Since Alice's ${\sigma }_{{\rm{z}}}$ or ${\sigma }_{{\rm{x}}}$ measurement can be thought of as effectively preparing a state for Bob [14], there is some equivalence between the two versions of the protocol. In particular, in both versions, one-way classical postprocessing allows a secret key to be extracted at an asymptotic rate given by the Shor–Preskill key rate [15],

$\begin{eqnarray}&&r\geqslant 1-h({\delta }_{{\rm{x}}})-h({\delta }_{{\rm{z}}}),\end{eqnarray} \tag{ 1 }$

where $h(x)=-x\;{\mathrm{log}}_{2}(x)-(1-x){\mathrm{log}}_{2}(1-x)$ is the binary entropy function, depending on the error rates ${\delta }_{{\rm{x}}}$ and ${\delta }_{{\rm{z}}}$ .

Since its original proposal, it has become apparent that the BB84 protocol exhibits a significant degree of device independence. BB84 was first found to be one-sided device independent, i.e., the explicit characterisation of one of the devices can be dropped. This was already indicated by some early security results [16–18] for the prepare-and-measure version of BB84 which do not explicitly depend on Bob's measurements, and later analyses [19, 20] found that the Shor–Preskill key-rate bound (1) still holds at the one-sided-device-independent level if Alice's source prepares the ${\sigma }_{{\rm{z}}}$ and ${\sigma }_{{\rm{x}}}$ eigenstates (in the prepare-and-measure version) or just one of the users measures in the ${\sigma }_{{\rm{z}}}$ and ${\sigma }_{{\rm{x}}}$ bases (in the entanglement-based version).

Recent analyses have started to exploit results from the mismatched bases cases, which are usually discarded, in order to improve the security certification [21, 22], and some authors have further pointed out that this can reduce the level of characterisation required to just a dimension bound for one of the devices. In [23] it was first shown that the Shor–Preskill rate still holds if no correlations are observed in the mismatched bases cases assuming that Alice performs unknown projective qubit measurements. A similar result was recovered numerically in [24] for general qubit POVMs on Alice's side, assuming that Bob also performs qubit measurements. The prepare-and-measure version of BB84 was also studied numerically in [25] at a similar level of device independence, where Alice's source prepares unknown pure qubit states and Bob performs unknown projective qubit measurements.

Here, we study the BB84 protocol in this semi-device-independent scenario (borrowing the name from [11]), where we assume only that Alice's device acts on a two-dimensional Hilbert space. The main result will be an analytic lower bound on the asymptotic secret key rate for the entanglement-based version of BB84 where we allow Alice's measurements to be arbitrary qubit POVMs and Bob's measurements are left uncharacterised. The result holds against the class of collective attacks [17] (i.e., assuming that Alice's and Bob's measurements are always performed on the same entangled state), which is known to imply unconditional security at least if the measurements are memoryless and if the Hilbert-space dimension is bounded [26].

The qubit device assumption is taken here to mean that Alice's result depends only on the measurement of a qubit state. In particular, similar to [27, 28], we assume that Alice's measurement result does not depend on additional classical information that could also be available to Bob's device (so-called 'shared randomness' [11]). This is necessary as the ideal (entanglement-based) BB84 correlations can be simulated with two shared classical random bits—a special case of what an adversary could prepare with a shared classical bit and an entangled qubit which is completely insecure from a cryptographic perspective. A consequence is that, unusually for a QKD security result, any (nontrivial) lower bound on the key rate cannot be a convex function of the probabilities P(ab ∣ uv) at this level of device independence.

2. Scenario and main result

In the entanglement-based version of the BB84 protocol, Alice and Bob share a state ${\rho }_{\mathrm{AB}}$ on some Hilbert space ${{ \mathcal H }}_{{\rm{A}}}\otimes {{ \mathcal H }}_{{\rm{B}}}$ , on which they can perform POVMs $\{{M}_{0}^{(u)},{M}_{1}^{(u)}\}$ and $\{{N}_{0}^{(v)},{N}_{1}^{(v)}\}$ indexed by measurement choices $u,v\in \{{\rm{z}},{\rm{x}}\}$ and yielding results $a,b\in \{0,1\}$ with probability

$\begin{eqnarray}&&P({ab}| {uv})=\mathrm{Tr}[({M}_{a}^{(u)}\otimes {N}_{b}^{(v)}){\rho }_{\mathrm{AB}}].\end{eqnarray} \tag{ 2 }$

In the semi-device-independent level of security that we consider, we assume that $\mathrm{dim}{{ \mathcal H }}_{{\rm{A}}}=2$ . The state ${\rho }_{\mathrm{AB}}$ and measurements are otherwise treated as unknown. Setting ${\hat{A}}_{u}={M}_{0}^{(u)}-{M}_{1}^{(u)}$ and ${\hat{B}}_{v}={N}_{0}^{(v)}-{N}_{1}^{(v)}$ , a convenient summary of the probabilities $P({ab}| {uv})$ that we will use is given by the eight parameters

$\begin{eqnarray}&&{A}_{u}=\langle {\hat{A}}_{u}\otimes {{\mathbb{1}}}_{{\rm{B}}}\rangle ,\end{eqnarray} \tag{ 3 }$

$\begin{eqnarray}&&\quad {B}_{v}=\langle {{\mathbb{1}}}_{{\rm{A}}}\otimes {\hat{B}}_{v}\rangle ,\end{eqnarray} \tag{ 4 }$

$\begin{eqnarray}&&\quad {E}_{{uv}}=\langle {\hat{A}}_{u}\otimes {\hat{B}}_{v}\rangle ,\end{eqnarray} \tag{ 5 }$

with $\langle \ \cdot \ \rangle =\mathrm{Tr}[\ \cdot \ {\rho }_{\mathrm{AB}}]$ . Note that ${E}_{{\rm{zz}}}$ and ${E}_{{\rm{xx}}}$ here are related to the more conventional z- and x-basis error rates ${\delta }_{{\rm{z}}}$ and ${\delta }_{{\rm{x}}}$ by ${E}_{{uu}}=1-2{\delta }_{u}$ .

The full security analysis of the protocol will be undertaken in the next section, but it is worth already sketching a result for the special case where Alice performs rank-one projective measurements since one can be derived directly from the Shor–Preskill rate. In this scenario, where Alice's z and x measurements simply project into orthogonal bases $\{| {0}_{{\rm{z}}}\rangle ,| {1}_{{\rm{z}}}\rangle \}$ and $\{| {0}_{{\rm{x}}}\rangle ,| {1}_{{\rm{x}}}\rangle \}$ , essentially the only relevant parameter differentiating the measurements is the Bloch-sphere angle between them. For some suitable basis $\{| {0}_{{\rm{w}}}\rangle ,| {1}_{{\rm{w}}}\rangle \}$ conjugate to $\{| {0}_{{\rm{z}}}\rangle ,| {1}_{{\rm{z}}}\rangle \}$ , we may write

$\begin{eqnarray}&&{\hat{A}}_{{\rm{x}}}=\mathrm{cos}(\varphi ){\hat{A}}_{{\rm{z}}}+\mathrm{sin}(\varphi ){\hat{A}}_{{\rm{w}}},\end{eqnarray} \tag{ 6 }$

where ${\hat{A}}_{{\rm{w}}}=| {0}_{{\rm{w}}}\rangle \langle {0}_{{\rm{w}}}| -| {1}_{{\rm{w}}}\rangle \langle {1}_{{\rm{w}}}|$ and φ is the (unknown) Bloch-sphere angle between ${\hat{A}}_{{\rm{z}}}$ and ${\hat{A}}_{{\rm{x}}}$ . Setting ${E}_{{\rm{wx}}}=\langle {\hat{A}}_{{\rm{w}}}\otimes {\hat{B}}_{{\rm{x}}}\rangle$ , linearity of the quantum expectation value implies the relation

$\begin{eqnarray}&&{E}_{{\rm{xx}}}=\mathrm{cos}(\varphi ){E}_{{\rm{zx}}}+\mathrm{sin}(\varphi ){E}_{{\rm{wx}}}.\end{eqnarray} \tag{ 7 }$

The conjugate 'w basis' introduced here is useful because the (one-sided-device-independent) Shor–Preskill key rate applies to it. Introducing, for convenience, the function

$\begin{eqnarray}&&\phi (x)=1-\tfrac{1}{2}(1+x)\;{\mathrm{log}}_{2}(1+x)-\tfrac{1}{2}(1-x)\;{\mathrm{log}}_{2}(1-x)\end{eqnarray} \tag{ 8 }$

(related to the binary entropy by $\phi (x)=h\left(\tfrac{1}{2}\pm \tfrac{1}{2}x\right)$ ), the Shor–Preskill rate can be expressed as

$\begin{eqnarray}&&r\geqslant 1-\phi ({E}_{{\rm{wx}}})-\phi ({E}_{{\rm{zz}}}).\end{eqnarray} \tag{ 9 }$

From here, it is a simple matter to obtain a key-rate bound depending only on the observed correlations. From the relation (7) between the correlators, we obtain

$\begin{eqnarray}| {E}_{{\rm{xx}}}| & \leqslant & | \mathrm{cos}(\varphi )| | {E}_{{\rm{zx}}}| +| \mathrm{sin}(\varphi )| | {E}_{{\rm{wx}}}| \\ & \leqslant & \sqrt{{E}_{{\rm{zx}}}^{\phantom{{\rm{zx}}}2}+{E}_{{\rm{wx}}}^{\phantom{{wx}}2}},\end{eqnarray} \tag{ 10 }$

which rearranges to

$\begin{eqnarray}&&{E}_{{\rm{wx}}}^{\phantom{{wx}}2}\geqslant {E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{E}_{{\rm{zx}}}^{\phantom{{\rm{zx}}}2}.\end{eqnarray} \tag{ 11 }$

As long as $| {E}_{{\rm{xx}}}| \geqslant | {E}_{{\rm{zx}}}|$ , this implies the lower bound

$\begin{eqnarray}&&r\geqslant 1-\phi \left(\sqrt{{E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}-{E}_{{\rm{zx}}}^{\phantom{{zx}}2}}\right)-\phi ({E}_{{\rm{zz}}})\end{eqnarray} \tag{ 12 }$

for the key rate.

More generally, it is clear that the key-rate bound (12) cannot hold against arbitrary POVMs on Alice's side. A simple counterexample is that if we allow Alice to perform the degenerate projective measurement $\{{M}_{0}^{({\rm{z}})},{M}_{1}^{({\rm{z}})}\}=\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}$ , it is possible for Alice and Bob to obtain the result $a=b=0$ deterministically (which is completely insecure) while observing the correlations ${E}_{{\rm{xx}}}={E}_{{\rm{zz}}}=1$ and ${E}_{{\rm{zx}}}=0$ (for which (12) would imply r = 1). Of course, this particular pathological case is easily detected since Alice and Bob could notice that they keep getting the same measurement results. In terms of the parameterisation given above, we thus do not expect (12) to still apply if ${A}_{{\rm{z}}}=1$ .

There is a significant parameter range in which the rate (12) still holds, though. The main result of this article is that the asymptotic rate (12) still applies, at least against collective attacks, if the correlations satisfy $| {E}_{{\rm{xx}}}| \gt | {B}_{{\rm{x}}}|$ and

$\begin{eqnarray}&&{E}_{{\rm{xx}}}^{\phantom{{xx}}2}+{E}_{{\rm{zx}}}^{\phantom{{zx}}2}\leqslant 1-2| {A}_{{\rm{z}}}-{E}_{{\rm{zx}}}{B}_{{\rm{x}}}| +{A}_{{\rm{z}}}^{\phantom{z}2}.\end{eqnarray} \tag{ 13 }$

This is proved in the next section. As a special case, we recover the Shor–Preskill rate

$\begin{eqnarray}&&r\geqslant 1-\phi ({E}_{{\rm{xx}}})-\phi ({E}_{{\rm{zz}}})\end{eqnarray} \tag{ 14 }$

if there are no correlations in the mismatched bases cases (so that ${E}_{{\rm{zx}}}=0$ ) and if $| {B}_{{\rm{x}}}| \lt | {E}_{{\rm{xx}}}| \leqslant 1-| {A}_{{\rm{z}}}| ;$ the latter constraint reduces to $| {E}_{{\rm{xx}}}| \gt 0$ (which is necessary to certify a nonzero key rate anyway) if Alice's and Bob's marginal results are equiprobable (so that ${A}_{{\rm{z}}}={B}_{{\rm{x}}}=0$ ).

In principle, the derivation given in the next section could be pursued further in order to derive a lower bound for the key rate in the case that the condition (13) is not satisfied. There is an easier way of getting a result for this case, though. Since the condition (13) and key rate (12) are device independent on Bob's side, we can simply apply the result they would imply if Bob's measurement operator ${\hat{B}}_{{\rm{x}}}$ were scaled down to $\lambda {\hat{B}}_{{\rm{x}}}$ for some scaling factor 0 ≤λ ≤1. This way, we can use the modified bound

$\begin{eqnarray}&&r\geqslant 1-\phi \left(\lambda \sqrt{{E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{E}_{{\rm{zx}}}^{\phantom{{zx}}2}}\right)-\phi ({E}_{{\rm{zz}}}),\end{eqnarray} \tag{ 15 }$

taking for λ the highest number between zero and one satisfying

$\begin{eqnarray}&&{\lambda }^{2}({E}_{{\rm{xx}}}^{\phantom{{xx}}2}+{E}_{{\rm{zx}}}^{\phantom{{zx}}2})=1-2| {A}_{{\rm{z}}}-{\lambda }^{2}{E}_{{\rm{zx}}}{B}_{{\rm{x}}}| +{A}_{{\rm{z}}}^{\phantom{z}2}.\end{eqnarray} \tag{ 16 }$

3. Proof of main result

3.1. Problem definition

In the worst-case scenario, Alice, Bob, and the adversary Eve share a purification $| {\rm{\Psi }}\rangle \in {{ \mathcal H }}_{{\rm{A}}}\otimes {{ \mathcal H }}_{{\rm{B}}}\otimes {{ \mathcal H }}_{{\rm{E}}}$ , prepared by Eve, of the state ${\rho }_{\mathrm{AB}}$ responsible for the observed correlations according to (2). When Alice measures u=z, the system in ${{ \mathcal H }}_{{\rm{B}}}\otimes {{ \mathcal H }}_{{\rm{E}}}$ is projected to the (unnormalised) state

$\begin{eqnarray}&&\rho ={\mathrm{Tr}}_{{\rm{A}}}[({M}_{0}^{({\rm{z}})}\otimes {{\mathbb{1}}}_{\mathrm{BE}}){\rm{\Psi }}]\end{eqnarray} \tag{ 17 }$

or

$\begin{eqnarray}&&{\rho }^{\prime }={\mathrm{Tr}}_{{\rm{A}}}[({M}_{1}^{({\rm{z}})}\otimes {{\mathbb{1}}}_{\mathrm{BE}}){\rm{\Psi }}],\end{eqnarray} \tag{ 18 }$

depending, respectively, on whether Alice gets the result a = 0 or a = 1. (We will in general write, e.g., Ψ as a shorthand for the density operator $| {\rm{\Psi }}\rangle \langle {\rm{\Psi }}|$ associated to some pure state $| {\rm{\Psi }}\rangle$ .) The normalisations of these states are related to the probabilities with which they are prepared according to $\mathrm{Tr}[\rho ]={P}_{{\rm{A}}}(0| {\rm{z}})$ and $\mathrm{Tr}[{\rho }^{\prime }]={P}_{{\rm{A}}}(1| {\rm{z}})$ . The correlation between Alice's result a and the state available to Eve is summarised by the classical-quantum state

$\begin{eqnarray}&&{\tau }_{A{\rm{E}}}=| 0\rangle \langle 0| \otimes {\rho }_{{\rm{E}}}^{\phantom{^{\prime} }}+| 1\rangle \langle 1| \otimes {\rho }_{{\rm{E}}}^{\prime },\end{eqnarray} \tag{ 19 }$

in terms of Eve's parts ${\rho }_{{\rm{E}}}^{\phantom{^{\prime} }}={\mathrm{Tr}}_{{\rm{B}}}[\rho ]$ and ${\rho }_{{\rm{E}}}^{\prime }={\mathrm{Tr}}_{{\rm{B}}}[{\rho }^{\prime }]$ of the possible density operators ρ and ${\rho }^{\prime }$ .

We consider the case where the key is extracted from the $u=v={\rm{z}}$ measurement results. In this case, the one-way asymptotic key rate secure against collective attacks is lower bounded by the Devetak–Winter rate [29], which can be expressed as the difference of two entropies

$\begin{eqnarray}&&r=H(A| {\rm{E}})-H(A| B).\end{eqnarray} \tag{ 20 }$

In (20), $H(A| B)$ is the Shannon entropy of Alice's outcome conditioned on Bob's and can either be computed directly or approximated by $H(A| B)\leqslant h({\delta }_{{\rm{z}}})=\phi ({E}_{{\rm{zz}}})$ . The main problem, and the main goal of this section, is to derive a lower bound for the conditional von Neumann entropy $H(A| {\rm{E}})$ , which is given by

$\begin{eqnarray}H(A| {\rm{E}}) & = & S({\tau }_{A{\rm{E}}})-S({\tau }_{{\rm{E}}})\\ & = & S({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }})+S({\rho }_{{\rm{E}}}^{\prime })-S({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }}+{\rho }_{{\rm{E}}}^{\prime }),\end{eqnarray} \tag{ 21 }$

where $S(\rho )=-\mathrm{Tr}[\rho \;{\mathrm{log}}_{2}(\rho )]$ , when computed on the classical-quantum state (19).

The derivation followed in the remainder of this section uses a few mathematical tools (two of which are minor restatements of results in [30]) which are presented here as lemmas. Proofs for these are supplied as appendices to this article.

3.2. General proof outline

The starting point is the following relation for the conditional von Neumann entropy, which simplifies the problem to that of lower bounding the fidelity between the marginal states available to Eve.

Lemma 1. The conditional von Neumann entropy, computed on the classical-quantum state $| 0\rangle \langle 0| \otimes {\rho }_{{\rm{E}}}^{\phantom{^{\prime} }}+| 1\rangle \langle 1| \otimes {\rho }_{{\rm{E}}}^{\prime }$ , is lower bounded by

$\begin{eqnarray}&&H(A| {\rm{E}})\geqslant \phi ({A}_{{\rm{z}}})-\phi \left({\sqrt{{A}_{{\rm{z}}}^{\phantom{z}2}+4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}}}^{}\right)\end{eqnarray} \tag{ 22 }$

in terms of the fidelity $F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ between ${\rho }_{{\rm{E}}}^{\phantom{^{\prime} }}$ and ${\rho }_{{\rm{E}}}^{\prime }$ . Furthermore, for fixed $F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ , the right-hand side of (22) is convex in ${A}_{{\rm{z}}}$ and is minimised with ${A}_{{\rm{z}}}=0$ .

Here, we take the fidelity to be defined by $F(\rho ,\sigma )={\parallel \sqrt{\rho }\sqrt{\sigma }\parallel }_{1}$ , where ${\parallel A\parallel }_{1}=\mathrm{Tr}[| A| ]=\mathrm{Tr}[\sqrt{{A}^{\dagger }A}]$ denotes the trace norm of an operator A, for (generally unnormalised) density operators ρ and σ. Note that the minimisation of (22) at ${A}_{{\rm{z}}}=0$ allows the bound for the von Neumann entropy to be simplified to

$\begin{eqnarray}&&H(A| {\rm{E}})\geqslant 1-\phi (2F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })),\end{eqnarray} \tag{ 23 }$

though this step is optional, since ${A}_{{\rm{z}}}$ is an observed parameter.

The approach we follow involves reducing the problem to considering pure states. To this end, we introduce orthonormal bases $\{| {0}_{u}\rangle ,| {1}_{u}\rangle \}$ , $u\in \{{\rm{z}},{\rm{x}}\}$ , in which Alice's (qubit Hermitian) POVM elements ${M}_{a}^{(u)}$ are diagonal. In these bases, Alice's POVMs can be expressed as convex sums

$\begin{eqnarray}&&\{{M}_{0}^{(u)},{M}_{1}^{(u)}\}={m}_{1}^{(u)}\{{0}_{u},{1}_{u}\}+{m}_{2}^{(u)}\{{1}_{u},{0}_{u}\}+{m}_{3}^{(u)}\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}+{m}_{4}^{(u)}\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}\end{eqnarray} \tag{ 24 }$

of the four projective measurements $\{{0}_{u},{1}_{u}\}$ , $\{{1}_{u},{0}_{u}\}$ , $\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}$ , and $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ for convex coefficients satisfying ${m}_{i}^{(u)}\geqslant 0$ and ${\displaystyle \sum }_{i}{m}_{i}^{(u)}=1$ . (Here, ${0}_{u}$ and ${1}_{u}$ are shorthand for $| {0}_{u}\rangle \langle {0}_{u}|$ and $| {1}_{u}\rangle \langle {1}_{u}|$ , and ${{\mathbb{1}}}_{{\rm{A}}}$ and ${{\mathbb{0}}}_{{\rm{A}}}$ denote the identity and null operators on ${{ \mathcal H }}_{{\rm{A}}}$ .)

Concentrating on the z measurement, we can express the entangled state as

$\begin{eqnarray}&&| {\rm{\Psi }}\rangle =| {0}_{{\rm{z}}}\rangle | \alpha \rangle +| {1}_{{\rm{z}}}\rangle | {\alpha }^{\prime }\rangle \end{eqnarray} \tag{ 25 }$

for (unnormalised and not necessarily orthogonal) states $| \alpha \rangle ,| {\alpha }^{\prime }\rangle \in {{ \mathcal H }}_{{\rm{B}}}\otimes {{ \mathcal H }}_{{\rm{E}}}$ . The fidelity between Eve's parts ${\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }}$ and ${\alpha }_{{\rm{E}}}^{\prime }$ of the states $| \alpha \rangle$ and $| {\alpha }^{\prime }\rangle$ introduced this way can, according to the following relation, be bounded in terms of an operator ${W}_{{\rm{B}}}$ on Bob's Hilbert space.

Lemma 2. The fidelity between Eve's partial traces ${\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }}$ and ${\alpha }_{{\rm{E}}}^{\prime }$ of the pure states $| \alpha \rangle$ and $| {\alpha }^{\prime }\rangle$ satisfies

$\begin{eqnarray}&&2F({\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }},{\alpha }_{{\rm{E}}}^{\prime })\geqslant {\parallel {\text{}}{W}_{{\rm{B}}}\parallel }_{1},\end{eqnarray} \tag{ 26 }$

where ${W}_{{\rm{B}}}={\mathrm{Tr}}_{{\rm{E}}}[{\text{}}W]$ and $W=| \alpha \rangle \langle {\alpha }^{\prime }| +| {\alpha }^{\prime }\rangle \langle \alpha |$ .

We approach the problem of lower bounding ${\parallel {W}_{{\rm{B}}}\parallel }_{1}$ in the following way. Similar to (25), we express the entangled state as

$\begin{eqnarray}&&| {\rm{\Psi }}\rangle =| {0}_{{\rm{x}}}\rangle | \beta \rangle +| {1}_{{\rm{x}}}\rangle | {\beta }^{\prime }\rangle \end{eqnarray} \tag{ 27 }$

for the $u={\rm{x}}$ measurement. In an appropriate phase convention, the diagonalising bases are related by

$\begin{eqnarray}&&\quad | {0}_{{\rm{z}}}\rangle =\mathrm{cos}\left(\tfrac{\varphi }{2}\right)| {0}_{{\rm{x}}}\rangle -\mathrm{sin}\left(\tfrac{\varphi }{2}\right)| {1}_{{\rm{x}}}\rangle ,\end{eqnarray} \tag{ 28 }$

$\begin{eqnarray}&&| {1}_{{\rm{z}}}\rangle =\mathrm{sin}\left(\tfrac{\varphi }{2}\right)| {0}_{{\rm{x}}}\rangle +\mathrm{cos}\left(\tfrac{\varphi }{2}\right)| {1}_{{\rm{x}}}\rangle \end{eqnarray} \tag{ 29 }$

for some angle φ. From this and requiring that (25) and (27) are the same state, we extract

$\begin{eqnarray}&&| \beta \rangle =\mathrm{cos}\left(\tfrac{\varphi }{2}\right)| \alpha \rangle +\mathrm{sin}\left(\tfrac{\varphi }{2}\right)| \alpha ^{\prime} \rangle ,\end{eqnarray} \tag{ 30 }$

$\begin{eqnarray}&&\quad | \beta ^{\prime} \rangle =-\mathrm{sin}\left(\tfrac{\varphi }{2}\right)| \alpha \rangle +\mathrm{cos}\left(\tfrac{\varphi }{2}\right)| \alpha ^{\prime} \rangle .\end{eqnarray} \tag{ 31 }$

Introducing the correlators

$\begin{eqnarray}&&\quad {\bar{\bar{E}}}_{{\rm{zx}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}({\alpha }_{{\rm{B}}}^{\phantom{^{\prime} }}-{\alpha }_{{\rm{B}}}^{\prime })],\end{eqnarray} \tag{ 32 }$

$\begin{eqnarray}&&{\bar{\bar{E}}}_{{\rm{xx}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}({\beta }_{{\rm{B}}}^{\phantom{^{\prime} }}-{\beta }_{{\rm{B}}}^{\prime })]\end{eqnarray} \tag{ 33 }$

for the pure states and

$\begin{eqnarray}&&{\bar{\bar{E}}}_{{\rm{wx}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}{\text{}}{W}_{{\rm{B}}}]\end{eqnarray} \tag{ 34 }$

for the operator W appearing in lemma 2, the relations (30) and (31) imply

$\begin{eqnarray}&&{\bar{\bar{E}}}_{{\rm{xx}}}=\mathrm{cos}(\varphi ){\bar{\bar{E}}}_{{\rm{zx}}}+\mathrm{sin}(\varphi ){\bar{\bar{E}}}_{{\rm{wx}}},\end{eqnarray} \tag{ 35 }$

and applying the Cauchy–Schwarz inequality and rearranging, we obtain

$\begin{eqnarray}&&{\bar{\bar{E}}}_{{\rm{wx}}}^{\phantom{{wx}}2}\geqslant {\bar{\bar{E}}}_{{\rm{xx}}}^{\phantom{{xx}}2}-{\bar{\bar{E}}}_{{\rm{zx}}}^{\phantom{{zx}}2},\end{eqnarray} \tag{ 36 }$

similar the outline of the previous section. Finally, since ${\hat{B}}_{{\rm{x}}}$ is the difference of two POVM elements, it satisfies the operator inequalities $-{{\mathbb{1}}}_{{\rm{B}}}\leqslant {\hat{B}}_{{\rm{x}}}\leqslant {{\mathbb{1}}}_{{\rm{B}}};$ this allows ${\bar{\bar{E}}}_{{\rm{wx}}}$ to be used as a lower bound on the trace norm ${\parallel {W}_{{\rm{B}}}\parallel }_{1}$ of ${W}_{{\rm{B}}}$ :

$\begin{eqnarray}&&{\bar{\bar{E}}}_{{\rm{wx}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}{\text{}}{W}_{{\rm{B}}}]\leqslant {\parallel {\text{}}{W}_{{\rm{B}}}\parallel }_{1}{\parallel {\hat{B}}_{{\rm{x}}}\parallel }_{\infty }\leqslant {\parallel {\text{}}{W}_{{\rm{B}}}\parallel }_{1},\end{eqnarray} \tag{ 37 }$

from which we finally obtain

$\begin{eqnarray}&&4F{({\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }},{\alpha }_{{\rm{E}}}^{\prime })}^{2}\geqslant {\bar{\bar{E}}}_{{\rm{xx}}}^{\phantom{{xx}}2}-{\bar{\bar{E}}}_{{\rm{zx}}}^{\phantom{{zx}}2}.\end{eqnarray} \tag{ 38 }$

The remaining problem is to convert (38) into a lower bound on $F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ depending on the observed parameters A_u, B_v, and E_uv which can be used in lemma 1 (or (23)). Part of the problem is to relate these parameters to the pure-state versions ${\bar{\bar{E}}}_{{\rm{xx}}}$ and ${\bar{\bar{E}}}_{{\rm{zx}}}$ appearing in (38). From the POVM decomposition (24) we can deduce

$\begin{eqnarray}&&{E}_{{uv}}=({m}_{1}^{(u)}-{m}_{2}^{(u)}){\bar{\bar{E}}}_{{uv}}+({m}_{3}^{(u)}-{m}_{4}^{(u)}){B}_{v},\end{eqnarray} \tag{ 39 }$

which will allow the ${\bar{\bar{E}}}_{{uv}}{\rm{s}}$ to be related to the E_uvs and B_vs. For the z measurement, we will also need to be able to relate the fidelity $F({\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }},{\alpha }_{{\rm{E}}}^{\prime })$ in (38) to $F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ . For this, we will need the following general bound for the fidelity between mixtures of two states.

Lemma 3. Let $\rho$ , $\sigma$ , ${\tau }_{0}$ , and ${\tau }_{1}$ be (not necessarily normalised) density operators related by

$\begin{eqnarray}&&\quad \rho ={p}_{0}{\tau }_{0}+{p}_{1}{\tau }_{1},\end{eqnarray} \tag{ 40 }$

$\begin{eqnarray}&&\sigma ={q}_{0}{\tau }_{0}+{q}_{1}{\tau }_{1}\end{eqnarray} \tag{ 41 }$

for parameters ${p}_{0},{p}_{1},{q}_{0},{q}_{1}\geqslant 0$ . Then,

$\begin{eqnarray}&&F{(\rho ,\sigma )}^{2}\geqslant {\left(\sqrt{{p}_{0}{q}_{0}}{\parallel {\tau }_{0}\parallel }_{1}+\sqrt{{p}_{1}{q}_{1}}{\parallel {\tau }_{1}\parallel }_{1}\right)}^{2}+{\left(\sqrt{{p}_{0}{q}_{1}}-\sqrt{{p}_{1}{q}_{0}}\right)}^{2}F{({\tau }_{0},{\tau }_{1})}^{2}.\end{eqnarray} \tag{ 42 }$

3.3. Alice's ${\rm{x}}$ POVM

The $u={\rm{x}}$ measurement is the simplest to handle, since it is not used for key generation, so we deal with it first. Rewriting the decomposition (39) for ${E}_{{\rm{xx}}}$ as

$\begin{eqnarray}&&{E}_{{\rm{xx}}}=\lambda {\bar{\bar{E}}}_{{\rm{xx}}}+\mu {B}_{{\rm{x}}},\end{eqnarray} \tag{ 43 }$

with $\lambda ={m}_{1}^{({\rm{x}})}-{m}_{2}^{({\rm{x}})}$ and $\mu ={m}_{3}^{({\rm{x}})}-{m}_{4}^{({\rm{x}})}$ , the triangle inequality and the constraint $| \mu | \leqslant 1-| \lambda |$ together imply

$\begin{eqnarray}&&| {E}_{{\rm{xx}}}| \leqslant | \lambda | | {\bar{\bar{E}}}_{{\rm{xx}}}| +(1-| \lambda | )| {B}_{{\rm{x}}}| ,\end{eqnarray} \tag{ 44 }$

which rearranges to

$\begin{eqnarray}&&| \lambda | (| {\bar{\bar{E}}}_{{\rm{xx}}}| -| {E}_{{\rm{xx}}}| )\geqslant (1-| \lambda | )(| {E}_{{\rm{xx}}}| -| {B}_{{\rm{x}}}| ).\end{eqnarray} \tag{ 45 }$

If $| {E}_{{\rm{xx}}}| \gt | {B}_{{\rm{x}}}|$ then the only way that (45) can be satisfied is if $| \lambda | \gt 0$ and if $| {\bar{\bar{E}}}_{{\rm{xx}}}| \geqslant | {E}_{{\rm{xx}}}|$ . In this case ${E}_{{\rm{xx}}}$ can safely be substituted in place of ${\bar{\bar{E}}}_{{\rm{xx}}}$ in the pure-state fidelity bound (38). Otherwise, it is perfectly possible for the ${\rm{x}}$ measurement POVM decomposition (43) to be satisfied with ${\bar{\bar{E}}}_{{\rm{xx}}}=0$ . In the following, we will assume that $| {E}_{{\rm{xx}}}| \gt | {B}_{{\rm{x}}}|$ , since (38) becomes trivial otherwise.

3.4. Alice's ${\rm{z}}$ POVM

The POVM decomposition (24) implies that the states ρ and ${\rho }^{\prime }$ prepared on ${{ \mathcal H }}_{{\rm{B}}}\otimes {{ \mathcal H }}_{{\rm{E}}}$ are related to α and ${\alpha }^{\prime }$ by

$\begin{eqnarray}&&\;\rho ={m}_{1}^{({\rm{z}})}\alpha +{m}_{2}^{({\rm{z}})}\alpha ^{\prime} +{m}_{3}^{({\rm{z}})}(\alpha +\alpha ^{\prime} ),\end{eqnarray} \tag{ 46 }$

$\begin{eqnarray}&&\rho ^{\prime} ={m}_{1}^{({\rm{z}})}\alpha ^{\prime} +{m}_{2}^{({\rm{z}})}\alpha +{m}_{4}^{({\rm{z}})}(\alpha +\alpha ^{\prime} ).\end{eqnarray} \tag{ 47 }$

In general, the decomposition (24) for POVMs is not unique, so we have some freedom to choose a decomposition which will simplify the problem of turning the fidelity bound

$\begin{eqnarray}&&4F{({\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }},{\alpha }_{{\rm{E}}}^{\prime })}^{2}\geqslant {E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}-{\bar{\bar{E}}}_{{\rm{zx}}}^{\phantom{{zx}}2}\end{eqnarray} \tag{ 48 }$

into a lower bound for $F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ depending on observed parameters A_u, B_v, and E_uv. Specifically, the identity

$\begin{eqnarray}&&\{{0}_{{\rm{z}}},{1}_{{\rm{z}}}\}+\{{1}_{{\rm{z}}},{0}_{{\rm{z}}}\}=\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}+\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}\end{eqnarray} \tag{ 49 }$

implies that one of the POVMs $\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}$ or $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ can always be eliminated, meaning we can assume that one of ${m}_{3}^{{\rm{z}}}$ and ${m}_{4}^{{\rm{z}}}$ in (24) is zero without loss of generality.

We proceed in two steps, first considering mixtures of the measurements $\{{0}_{{\rm{z}}},{1}_{{\rm{z}}}\}$ and $\{{1}_{{\rm{z}}},{0}_{{\rm{z}}}\}$ , before accounting for a contribution from one of the measurements $\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}$ or $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ . In anticipation, and assuming a contribution from $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ for example, we re-express (46) and (47) as

$\begin{eqnarray}&&\rho =p(q\alpha +q^{\prime} \alpha ^{\prime} ),\end{eqnarray} \tag{ 50 }$

$\begin{eqnarray}&&\quad \rho ^{\prime} =p(q^{\prime} \alpha +q\alpha ^{\prime} )+p^{\prime} (\alpha +\alpha ^{\prime} ),\end{eqnarray} \tag{ 51 }$

where the nonnegative parameters p, ${p}^{\prime }$ , q, ${q}^{\prime }$ are related to the ${m}_{i}^{({\rm{z}})}{\rm{s}}$ by $p={m}_{1}^{({\rm{z}})}+{m}_{2}^{({\rm{z}})}$ , ${p}^{\prime }={m}_{4}^{({\rm{z}})}$ , ${pq}={m}_{1}^{({\rm{z}})}$ , and ${{pq}}^{\prime }={m}_{2}^{({\rm{z}})}$ and satisfy $p+{p}^{\prime }=q+{q}^{\prime }=1$ .

For the contribution from $\{{0}_{{\rm{z}}},{1}_{{\rm{z}}}\}$ and $\{{1}_{{\rm{z}}},{0}_{{\rm{z}}}\}$ , we set

$\begin{eqnarray}&&\quad \bar{\rho }=q\alpha +q^{\prime} \alpha ^{\prime} ,\end{eqnarray} \tag{ 52 }$

$\begin{eqnarray}&&\quad \bar{\rho }^{\prime} =q^{\prime} \alpha +q\alpha ^{\prime} ,\end{eqnarray} \tag{ 53 }$

and, applying lemma 3 and the pure-state fidelity bound (48), we have

$\begin{eqnarray}4F{({\bar{\rho }}_{{\rm{E}}}^{\phantom{^{\prime} }},{\bar{\rho }}_{{\rm{E}}}^{\prime })}^{2} & \geqslant & 4{qq}^{\prime} +{(q-q^{\prime} )}^{2}4F{({\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }},{\alpha }_{{\rm{E}}}^{\prime })}^{2}\\ & \geqslant & 4{qq}^{\prime} +{(q-q^{\prime} )}^{2}({E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}-{\bar{\bar{E}}}_{{\rm{zx}}}^{\phantom{{\rm{zx}}}2}).\end{eqnarray} \tag{ 54 }$

Introducing the correlator

$\begin{eqnarray}&&{\bar{E}}_{{\rm{zx}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}({\bar{\rho }}_{{\rm{B}}}^{\phantom{^{\prime} }}-{\bar{\rho }}_{{\rm{B}}}^{\prime })],\end{eqnarray} \tag{ 55 }$

related to ${\bar{\bar{E}}}_{{\rm{zx}}}$ by ${\bar{E}}_{{\rm{zx}}}=(q-{q}^{\prime }){\bar{\bar{E}}}_{{\rm{zx}}}$ , and using that $4{{qq}}^{\prime }\geqslant 4{{qq}}^{\prime }{E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}$ ,

$\begin{eqnarray}4F{({\bar{\rho }}_{{\rm{E}}}^{\phantom{^{\prime} }},{\bar{\rho }}_{{\rm{E}}}^{\prime })}^{2} & \geqslant & (4{qq}^{\prime} +{(q-q^{\prime} )}^{2}){E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{\bar{E}}_{{\rm{zx}}}^{\phantom{{zx}}2}\\ & = & {(q+q^{\prime} )}^{2}{E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{\bar{E}}_{{\rm{zx}}}^{\phantom{{\rm{zx}}}2}\end{eqnarray} \tag{ 56 }$

or

$\begin{eqnarray}&&4F{({\bar{\rho }}_{{\rm{E}}}^{\phantom{^{\prime} }},{\bar{\rho }}_{{\rm{E}}}^{\prime })}^{2}\geqslant {E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}-{\bar{E}}_{{\rm{zx}}}^{\phantom{{zx}}2},\end{eqnarray} \tag{ 57 }$

which shows that allowing mixtures of the measurements $\{{0}_{{\rm{z}}},{1}_{{\rm{z}}}\}$ and $\{{1}_{{\rm{z}}},{0}_{{\rm{z}}}\}$ alone will not affect the key-rate formula.

Finally, we account for the effect of a contribution from one of the degenerate measurements $\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}$ or $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ . Assuming first a contribution from $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ , according to (50) and (51) and using that $\bar{\rho }+{\bar{\rho }}^{\prime }=\alpha +{\alpha }^{\prime }$ , ρ and ${\rho }^{\prime }$ are related to the states $\bar{\rho }$ and ${\bar{\rho }}^{\prime }$ defined above by

$\begin{eqnarray}&&\rho =p\bar{\rho },\end{eqnarray} \tag{ 58 }$

$\begin{eqnarray}&&\quad \rho ^{\prime} =p^{\prime} \bar{\rho }+\bar{\rho }^{\prime} .\end{eqnarray} \tag{ 59 }$

Applying lemma 3 again,

$\begin{eqnarray}&&F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}\geqslant {{pp}}^{\prime }{\parallel \bar{\rho }\parallel }_{1}^{\phantom{1}2}+{pF}{({\bar{\rho }}_{{\rm{E}}}^{\phantom{^{\prime} }},{\bar{\rho }}_{{\rm{E}}}^{\prime })}^{2}.\end{eqnarray} \tag{ 60 }$

Inserting the lower bound (57) for $F({\bar{\rho }}_{{\rm{E}}}^{\phantom{^{\prime} }},{\bar{\rho }}_{{\rm{E}}}^{\prime })$ and recognising that

$\begin{eqnarray}&&p{\parallel \bar{\rho }\parallel }_{1}={\parallel \rho \parallel }_{1}={P}_{{\rm{A}}}(0| {\rm{z}})=(1+{A}_{{\rm{z}}})/2,\end{eqnarray} \tag{ 61 }$

the lower bound for $F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ becomes

$\begin{eqnarray}&&4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}\geqslant \left(\tfrac{1}{p}-1\right){(1+{A}_{{\rm{z}}})}^{2}+{{pE}}_{{\rm{xx}}}^{\phantom{{xx}}2}-p{\bar{E}}_{{\rm{zx}}}^{\phantom{{zx}}2}.\end{eqnarray} \tag{ 62 }$

The observed parameters

$\begin{eqnarray}&&{E}_{{\rm{zx}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}({\rho }_{{\rm{B}}}^{\phantom{^{\prime} }}-{\rho }_{{\rm{B}}}^{\prime })]\end{eqnarray} \tag{ 63 }$

and

$\begin{eqnarray}&&{B}_{{\rm{x}}}=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}({\rho }_{{\rm{B}}}^{\phantom{^{\prime} }}+{\rho }_{{\rm{B}}}^{\prime })]=\mathrm{Tr}[{\hat{B}}_{{\rm{x}}}({\bar{\rho }}_{{\rm{B}}}^{\phantom{^{\prime} }}+{\bar{\rho }}_{{\rm{B}}}^{\prime })]\end{eqnarray} \tag{ 64 }$

are related to ${\bar{E}}_{{\rm{zx}}}$ by

$\begin{eqnarray}&&{E}_{{\rm{zx}}}=p{\bar{E}}_{{\rm{zx}}}-{p}^{\prime }{B}_{{\rm{x}}}.\end{eqnarray} \tag{ 65 }$

Rearranging for ${\bar{E}}_{{\rm{zx}}}$ and inserting in (62), we obtain

$\begin{eqnarray}&&4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}\geqslant \left(\tfrac{1}{p}-1\right){(1+{A}_{{\rm{z}}})}^{2}+{{pE}}_{{\rm{xx}}}^{\phantom{{xx}}2}-p{\left(\tfrac{1}{p}{E}_{{\rm{zx}}}+\left(\tfrac{1}{p}-1\right){B}_{{\rm{x}}}\right)}^{2}\end{eqnarray} \tag{ 66 }$

or, subtracting ${E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}-{E}_{{\rm{zx}}}^{\phantom{{\rm{zx}}}2}$ from both sides,

$\begin{eqnarray}&&4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}-({E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{E}_{{\rm{zx}}}^{\phantom{{zx}}2})\geqslant \left(\tfrac{1}{p}-1\right)[{(1+{A}_{{\rm{z}}})}^{2}-p({E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{B}_{{\rm{x}}}^{\phantom{x}2})-{({E}_{{\rm{zx}}}+{B}_{{\rm{x}}})}^{2}].\end{eqnarray} \tag{ 67 }$

By following similar reasoning starting from the decomposition

$\begin{eqnarray}&&\quad \rho =\bar{\rho }+p^{\prime} \bar{\rho }^{\prime} ,\end{eqnarray} \tag{ 68 }$

$\begin{eqnarray}&&\rho ^{\prime} =p\bar{\rho }^{\prime} ,\end{eqnarray} \tag{ 69 }$

assuming a contribution from $\{{{\mathbb{1}}}_{{\rm{A}}},{{\mathbb{0}}}_{{\rm{A}}}\}$ instead of $\{{{\mathbb{0}}}_{{\rm{A}}},{{\mathbb{1}}}_{{\rm{A}}}\}$ , we obtain the same result as (67) except with the sign changes ${A}_{{\rm{z}}}\to -{A}_{{\rm{z}}}$ and ${B}_{{\rm{x}}}\to -{B}_{{\rm{x}}}$ . The worst of the two bounds obtained this way is

$\begin{eqnarray}&&4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}-({E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{E}_{{\rm{zx}}}^{\phantom{{zx}}2})\geqslant \left(\tfrac{1}{p}-1\right)[1-2| {A}_{{\rm{z}}}-{E}_{{\rm{zx}}}{B}_{{\rm{x}}}| +{A}_{z}^{\phantom{z}2}\\ &&\;p({E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{B}_{{\rm{x}}}^{\phantom{x}2})-({E}_{{\rm{zx}}}^{\phantom{{zx}}2}+{B}_{{\rm{x}}}^{\phantom{x}2})]\phantom{\rule{0ex}{2.16ex}}.\end{eqnarray} \tag{ 70 }$

The multiplicative factor $1/p-1$ is nonnegative, so the right-hand side of (70) is nonnegative if

$\begin{eqnarray}&&p({E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{B}_{{\rm{x}}}^{\phantom{x}2})+({E}_{{\rm{zx}}}^{\phantom{{zx}}2}+{B}_{{\rm{x}}}^{\phantom{x}2})\leqslant 1-2| {A}_{{\rm{z}}}-{E}_{{\rm{zx}}}{B}_{{\rm{x}}}| +{A}_{{\rm{z}}}^{\phantom{z}2}.\end{eqnarray} \tag{ 71 }$

Finally, since we are assuming $| {E}_{{\rm{xx}}}| \gt | {B}_{{\rm{x}}}|$ , the term $p({E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{B}_{{\rm{x}}}^{\phantom{x}2})$ is nonnegative and is maximised with p = 1. This implies that (71) is satisfied for all $p\leqslant 1$ if it is satisfied for p = 1, i.e., if

$\begin{eqnarray}&&{E}_{{\rm{xx}}}^{\phantom{{xx}}2}+{E}_{{\rm{zx}}}^{\phantom{{zx}}2}\leqslant 1-2| {A}_{{\rm{z}}}-{E}_{{\rm{zx}}}{B}_{{\rm{x}}}| +{A}_{{\rm{z}}}^{\phantom{z}2},\end{eqnarray} \tag{ 72 }$

which is the condition given in the previous section. If this condition is met then the lower bound

$\begin{eqnarray}&&4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}\geqslant {E}_{{\rm{xx}}}^{\phantom{{\rm{xx}}}2}-{E}_{{\rm{zx}}}^{\phantom{{zx}}2}\end{eqnarray} \tag{ 73 }$

can be used for the fidelity in lemma 1.

4. Conclusion

The preceding section proves that the key rate asymptotically secure against collective attacks for BB84 is lower bounded by

$\begin{eqnarray}&&r\geqslant \phi ({A}_{{\rm{z}}})-\phi \left(\sqrt{{A}_{{\rm{z}}}^{\phantom{z}2}+{E}_{{\rm{xx}}}^{\phantom{{xx}}2}-{E}_{{\rm{zx}}}^{\phantom{{zx}}2}}\right)-\phi ({E}_{{\rm{zz}}})\end{eqnarray} \tag{ 74 }$

if $| {E}_{{\rm{xx}}}| \gt | {B}_{{\rm{x}}}|$ and if the condition (72) is satisfied. This is never less than the simpler bound (12) claimed in section 2. If (72) is not satisfied, device independence on Bob's side still allows the main result to be used with the replacements ${E}_{{\rm{xx}}}\to \lambda {E}_{{\rm{xx}}}$ and ${E}_{{\rm{zx}}}\to \lambda {E}_{{\rm{zx}}}$ , with the scaling factor λ determined by (16) above. Together, these give a general semi-device-independent security result for the BB84 protocol against collective (and possibly [26] more general) attacks. The traditional set of assumptions used to prove the security of the BB84 protocol can thus be relaxed to a significant degree. It is still necessary to trust that one of the users' measurements are restricted to a two-dimensional Hilbert space, but exact knowledge of the measurements beyond this is not required.

In the scenario considered, aside from the qubit restriction on Alice's side, Alice's and Bob's measurements were allowed to be arbitrary POVMs. One could go further, similar to [27, 28], and imagine that Eve may have more detailed knowledge of the measurements. Specifically, the approach followed in this article could probably be modified to allow Eve to know the indices i and j in decompositions of the form ${M}_{a}^{(u)}={\sum }_{i}{p}_{i}{M}_{a;i}^{(u)}$ and ${N}_{a}^{(v)}={\sum }_{j}{q}_{j}{N}_{a;j}^{(v)}$ for the POVM elements, although the resulting key rate will probably not include the Shor–Preskill rate as a special case if the adversary is granted this extra power.

Finally, the main result was derived for the entanglement-based version of BB84. It is likely that a similar result should hold for the prepare-and-measure BB84 variant assuming a source which is restricted to emitting qubit states, which was tested in a recent implementation [31]. Adapting the approach followed here for the prepare-and-measure scenario is thus an obvious problem for future work.

Acknowledgments

Stefano Pironio suggested it would be interesting to study BB84 as a semi-device-independent protocol back in early 2013 and offered helpful criticism of a draft of this article. This work is supported by the Spanish MINECO (Severo Ochoa grant SEV-2015-0522 and FOQUS FIS2013-46768-P), the Generalitat de Catalunya (SGR 875), the Fundació Privada Cellex, and the EU project QITBOX.

Appendix

A.1. Proof of lemma 1

The conditional von Neumann entropy satisfies $H(A| {\rm{E}})\geqslant H(A| {\mathrm{EE}}^{\prime })$ for any extension ${{ \mathcal H }}_{{\rm{E}}}\otimes {{ \mathcal H }}_{{{\rm{E}}}^{\prime }}$ of Eve's Hilbert space ${{ \mathcal H }}_{{\rm{E}}}$ . We use this to replace the (unnormalised) density operators ${\rho }_{{\rm{E}}}^{\phantom{^{\prime} }}$ and ${\rho }_{{\rm{E}}}^{\prime }$ appearing in the classical-quantum state (19) with purifications $| \psi \rangle$ and $| {\psi }^{\prime }\rangle ;$ by Uhlmann's theorem (which still holds for unnormalised states), these can be chosen such that $\langle \psi | {\psi }^{\prime }\rangle =F({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })$ . We this way obtain

$\begin{eqnarray}H(A| {\rm{E}}) & \geqslant & S(\psi )+S(\psi ^{\prime} )-S(\psi +\psi ^{\prime} )\\ & = & h({P}_{{\rm{A}}}(0| {\rm{z}}))-h({\lambda }_{+}),\end{eqnarray} \tag{ 75 }$

where

$\begin{eqnarray}&&{\lambda }_{\pm }=\tfrac{1}{2}\pm \tfrac{1}{2}\sqrt{{({\parallel \psi \parallel }_{1}-{\parallel {\psi }^{\prime }\parallel }_{1})}^{2}+4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}}\end{eqnarray} \tag{ 76 }$

are the eigenvalues of $\psi +{\psi }^{\prime }$ . Recognising that

$\begin{eqnarray}{\parallel \psi \parallel }_{1}-{\parallel \psi ^{\prime} \parallel }_{1} & = & {\parallel \rho \parallel }_{1}-{\parallel \rho ^{\prime} \parallel }_{1}\\ & = & {P}_{{\rm{A}}}(0| {\rm{z}})-{P}_{{\rm{A}}}(1| {\rm{z}})\\ & = & {A}_{{\rm{z}}},\end{eqnarray} \tag{ 77 }$

we obtain

$\begin{eqnarray}&&H(A| {\rm{E}})\geqslant \phi ({A}_{{\rm{z}}})-\phi \left(\sqrt{{A}_{{\rm{z}}}^{\phantom{z}2}+4F{({\rho }_{{\rm{E}}}^{\phantom{^{\prime} }},{\rho }_{{\rm{E}}}^{\prime })}^{2}}\right),\end{eqnarray} \tag{ 78 }$

which is the lower bound claimed in the statement of lemma 1.

The right-hand side of (78) has the form

$\begin{eqnarray}&&f(x)=\phi (x)-\phi (\sqrt{{x}^{2}+{y}^{2}}),\end{eqnarray} \tag{ 79 }$

where we treat y as a fixed parameter and x should satisfy ${x}^{2}+{y}^{2}\leqslant 1$ . We show that this function is convex by lower bounding its second derivative. First, the first and second derivatives of ϕ are

$\begin{eqnarray}&&\quad {\phi }^{\prime }(x)=-\displaystyle \frac{1}{2}\;{\mathrm{log}}_{2}\;\left(\displaystyle \frac{1+x}{1-x}\right)\end{eqnarray} \tag{ 80 }$

and

$\begin{eqnarray}&&{\phi }^{\prime\prime }(x)=-\displaystyle \frac{1}{\mathrm{ln}(2)}\displaystyle \frac{1}{1-{x}^{2}}.\end{eqnarray} \tag{ 81 }$

Applying the product rule, the first and second derivatives of f are

$\begin{eqnarray}&&{f}^{\prime }(x)={\phi }^{\prime }(x)-{\phi }^{\prime }\left(\sqrt{{x}^{2}+{y}^{2}}\right)\displaystyle \frac{x}{\sqrt{{x}^{2}+{y}^{2}}}\end{eqnarray} \tag{ 82 }$

and

$\begin{eqnarray}&&{f}^{\prime\prime }(x)={\phi }^{\prime\prime }(x)-{\phi }^{\prime\prime }\left(\sqrt{{x}^{2}+{y}^{2}}\right)\displaystyle \frac{{x}^{2}}{{x}^{2}+{y}^{2}}-{\phi }^{\prime }\left(\sqrt{{x}^{2}+{y}^{2}}\right)\displaystyle \frac{{y}^{2}}{{({x}^{2}+{y}^{2})}^{3/2}}.\end{eqnarray} \tag{ 83 }$

Using that $\mathrm{ln}\left(\tfrac{1+| x| }{1-| x| }\right)\geqslant 2| x|$ , the last term can be replaced with

$\begin{eqnarray}&&-{\phi }^{\prime }\left(\sqrt{{x}^{2}+{y}^{2}}\right)\displaystyle \frac{{y}^{2}}{{({x}^{2}+{y}^{2})}^{3/2}}\geqslant \displaystyle \frac{1}{\mathrm{ln}(2)}\displaystyle \frac{{y}^{2}}{{x}^{2}+{y}^{2}},\end{eqnarray} \tag{ 84 }$

so that

$\begin{eqnarray}f^{\prime \prime} (x) & \geqslant & \displaystyle \frac{1}{\mathrm{ln}(2)}\left[-\displaystyle \frac{1}{1-{x}^{2}}+\displaystyle \frac{1}{1-{x}^{2}-{y}^{2}}\displaystyle \frac{{x}^{2}}{{x}^{2}+{y}^{2}}+\displaystyle \frac{{y}^{2}}{{x}^{2}+{y}^{2}}\right]\\ & = & \displaystyle \frac{1}{\mathrm{ln}(2)}\left[-\displaystyle \frac{1}{1-{x}^{2}}+\displaystyle \frac{1-{y}^{2}}{1-{x}^{2}-{y}^{2}}\right]\\ & = & \displaystyle \frac{1}{\mathrm{ln}(2)}\displaystyle \frac{{x}^{2}{y}^{2}}{(1-{x}^{2})(1-{x}^{2}-{y}^{2})}\\ & \geqslant & 0,\end{eqnarray} \tag{ 85 }$

which shows that f is convex. Noticing that ${f}^{\prime }(0)=0$ (or just that f is an even function) implies that x = 0 is the global minimum.

A.2. Proof of lemma 2

A basic property of the trace norm is that ${\parallel {W}_{{\rm{B}}}\parallel }_{1}=\mathrm{Tr}[{U}_{{\rm{B}}}{W}_{{\rm{B}}}]$ for some unitary operator ${U}_{{\rm{B}}}$ ; furthermore, since ${W}_{{\rm{B}}}$ is Hermitian, ${U}_{{\rm{B}}}$ can also be taken to be Hermitian. From here and using that $W=| \alpha \rangle \langle {\alpha }^{\prime }| +| {\alpha }^{\prime }\rangle \langle \alpha |$ ,

$\begin{eqnarray}\parallel {\text{}}{W}_{{\rm{B}}}{\parallel }_{1} & = & \mathrm{Tr}[{U}_{{\rm{B}}}{W}_{{\rm{B}}}]\\ & = & \mathrm{Tr}[({U}_{{\rm{B}}}\otimes {{\mathbb{1}}}_{{\rm{E}}})W]\\ & = & 2\mathrm{Re}[\langle \alpha | {U}_{{\rm{B}}}\otimes {{\mathbb{1}}}_{{\rm{E}}}| \alpha ^{\prime} \rangle ]\\ & \leqslant & 2| \langle \alpha | {U}_{{\rm{B}}}\otimes {{\mathbb{1}}}_{{\rm{E}}}| \alpha ^{\prime} \rangle | \\ & \leqslant & 2F({\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }},{\alpha }_{{\rm{E}}}^{\prime }).\end{eqnarray} \tag{ 86 }$

The final line follows, by Uhlmann's theorem, from noticing that $| \alpha \rangle$ and ${U}_{{\rm{B}}}\otimes {{\mathbb{1}}}_{{\rm{E}}}| {\alpha }^{\prime }\rangle$ are purifications of ${\alpha }_{{\rm{E}}}^{\phantom{^{\prime} }}$ and ${\alpha }_{{\rm{E}}}^{\prime }$ .

A.3. Proof of lemma 3

We introduce purifications $| {\chi }_{0}\rangle$ and $| {\chi }_{1}\rangle$ of ${\tau }_{0}$ and ${\tau }_{1}$ such that $F({\tau }_{0},{\tau }_{1})=\langle {\chi }_{0}| {\chi }_{1}\rangle$ . In terms of these, note that

$\begin{eqnarray}&&\quad | \psi \rangle =\sqrt{{p}_{0}}| {\chi }_{0}\rangle | {\gamma }_{0}\rangle +\sqrt{{p}_{1}}| {\chi }_{1}\rangle | {\gamma }_{1}\rangle ,\end{eqnarray} \tag{ 87 }$

$\begin{eqnarray}&&| \phi \rangle =\sqrt{{q}_{0}}| {\chi }_{0}\rangle | {\delta }_{0}\rangle +\sqrt{{q}_{1}}| {\chi }_{1}\rangle | {\delta }_{1}\rangle ,\end{eqnarray} \tag{ 88 }$

where $\{| {\gamma }_{0}\rangle ,| {\gamma }_{1}\rangle \}$ and $\{| {\delta }_{0}\rangle ,| {\delta }_{1}\rangle \}$ are orthonormal bases, are purifications of ρ and σ. Using Uhlmann's theorem and expanding, the fidelity between ρ and σ is lower bounded by

$\begin{eqnarray}F(\rho ,\sigma ) & \geqslant & | \langle \psi | \phi \rangle | \\ & = & \left|\displaystyle \sum _{{ij}}\sqrt{{p}_{i}{q}_{j}}\langle {\chi }_{i}| {\chi }_{j}\rangle \langle {\gamma }_{i}| {\delta }_{j}\rangle \right|\\ & = & \left|\displaystyle \sum _{{ij}}\sqrt{{p}_{i}{q}_{j}}F({\tau }_{i},{\tau }_{j}){U}_{{ji}}\right|\\ & = & | \mathrm{Tr}[{UT}]| ,\end{eqnarray} \tag{ 89 }$

where U and T are the matrices of elements ${U}_{{ji}}=\langle {\gamma }_{i}| {\delta }_{j}\rangle$ and ${T}_{{ij}}=\sqrt{{p}_{i}{q}_{j}}F({\tau }_{i},{\tau }_{j})$ . By exploiting the freedom to choose the bases $\{| {\gamma }_{0}\rangle ,| {\gamma }_{1}\rangle \}$ and $\{| {\delta }_{0}\rangle ,| {\delta }_{1}\rangle \}$ , U can be made to be any 2 × 2 unitary matrix. Maximising the right-hand side over U, we obtain

$\begin{eqnarray}&&F(\rho ,\sigma )\geqslant {\parallel T\parallel }_{1},\end{eqnarray} \tag{ 90 }$

with

$\begin{eqnarray}T=\left[\begin{array}{cc}\sqrt{{p}_{0}{q}_{0}}{\parallel {\tau }_{0}\parallel }_{1} & \sqrt{{p}_{0}{q}_{1}}F({\tau }_{0},{\tau }_{1})\\ \sqrt{{p}_{1}{q}_{0}}F({\tau }_{0},{\tau }_{1}) & \sqrt{{p}_{1}{q}_{1}}{\parallel {\tau }_{1}\parallel }_{1}\end{array}\right],\end{eqnarray} \tag{ 91 }$

in which we inserted that $F({\tau }_{i},{\tau }_{i})={\parallel {\tau }_{i}\parallel }_{1}$ .

In general, the trace norm of a 2 × 2 matrix $M=\left[\begin{array}{ll}\alpha & \beta \\ \gamma & \delta \end{array}\right]$ is given by

$\begin{eqnarray}&&{\parallel M\parallel }_{1}=\sqrt{T+2\sqrt{D}},\end{eqnarray} \tag{ 92 }$

where

$\begin{eqnarray}&&T=| \alpha {| }^{2}+| \beta {| }^{2}+| \gamma {| }^{2}+| \delta {| }^{2},\end{eqnarray} \tag{ 93 }$

$\begin{eqnarray}&&\sqrt{D}=| \alpha \delta -\beta \gamma | \end{eqnarray} \tag{ 94 }$

are respectively the trace of $| M{| }^{2}={M}^{\dagger }M$ and the root of its determinant. Applying this to obtain an explicit expression for the trace norm of (91) and using that $F({\tau }_{0},{\tau }_{1})\leqslant \sqrt{{\parallel {\tau }_{0}\parallel }_{1}}\sqrt{{\parallel {\tau }_{1}\parallel }_{1}}$ produces the result

$\begin{eqnarray}&&F{(\rho ,\sigma )}^{2}\geqslant {\left(\sqrt{{p}_{0}{q}_{0}}{\parallel {\tau }_{0}\parallel }_{1}+\sqrt{{p}_{1}{q}_{1}}{\parallel {\tau }_{1}\parallel }_{1}^{}\right)}^{2}+\left(\sqrt{{p}_{0}{q}_{1}}\right.-{\left.\sqrt{{p}_{1}{q}_{0}}\right)}^{2}F{({\tau }_{0},{\tau }_{1})}^{2}.\end{eqnarray} \tag{ 95 }$

Semi device independence of the BB84 protocol

Article metrics

Author e-mails

Author affiliations

Dates

Abstract

1. BB84 and device independence

2. Scenario and main result

3. Proof of main result

3.1. Problem definition

3.2. General proof outline

3.3. Alice's ${\rm{x}}$ POVM

3.4. Alice's ${\rm{z}}$ POVM

4. Conclusion

Acknowledgments

Appendix

A.1. Proof of lemma 1

A.2. Proof of lemma 2

A.3. Proof of lemma 3

Semi device independence of the BB84 protocol

Article metrics

Share this article

Author e-mails

Author affiliations

Dates

Abstract

1. BB84 and device independence

2. Scenario and main result

3. Proof of main result

3.1. Problem definition

3.2. General proof outline

3.3. Alice's {\rm{x}} POVM

3.4. Alice's {\rm{z}} POVM

4. Conclusion

Acknowledgments

Appendix

A.1. Proof of lemma 1

A.2. Proof of lemma 2

A.3. Proof of lemma 3

3.3. Alice's ${\rm{x}}$ POVM

3.4. Alice's ${\rm{z}}$ POVM