Monte Carlo approach to the evaluation of the security of device-independent quantum key distribution

We present a generic study on the information-theoretic security of multi-setting device-independent quantum key distribution (DIQKD) protocols, i.e. ones that involve more than two measurements (or inputs) for each party to perform, and yield dichotomic results (or outputs). The approach we develop, when applied in protocols with either symmetric or asymmetric Bell experiments, yields nontrivial upper bounds on the secure key rates, along with the detection efficiencies required upon the measuring devices. The results imply that increasing the number of measurements may lower the detection efficiency required by the security criterion. The improvement, however, depends on (i) the choice of multi-setting Bell inequalities chosen to be tested in a protocol, and (ii) either a symmetric or asymmetric Bell experiment is considered. Our results serve as an advance toward the quest for evaluating security and reducing efficiency requirement of applying DIQKD in scenarios without heralding.

where η A,B are efficiencies of Alice's and Bob's measuring devices, respectively.The symmetric case denotes equally non-ideal measurements by Alice and Bob when the information carriers are of the same type of particles (e.g., entangled photon pairs); the asymmetric case denotes ideal-versus-non-ideal measurements when they are not of the same type of particles (e.g., entangled atom-photon pairs [49][50][51] with which Alice measures the atoms and Bob measures the photons).In general, it is a simple way to come up with a DIQKD protocol out of the BT by adding to Bob one more measurement which coincides with one of Alice's measurements along, say, the ẑ-axis, and using this pair of measurements to generate keys.
In this paper, we develop a Monte Carlo approach to evaluating upper bounds on the secure key rates in multi-setting two-output DIQKD protocols against collective attacks.We consider both symmetric and asymmetric detection setups in BT and key generation.The threshold efficiency of the CHSH-based protocol is found to be approximately 85.8% in the asymmetric setup, less than the well-known 92.4% in the symmetric setup [7].The threshold efficiency of the I 3322 -based protocol is estimated to be approximately 83.6% in the asymmetric setup, as well as those of a large family of multi-setting-inequality-based protocols being estimated to be less than 92.4%, too.A remark here is that it is the modeling of undetected events presented in [7] that we take to use in this paper to evaluate the eavesdropping information.There have been literatures wherein different modelings are used (for instance, see [52][53][54][55][56] for recent methods to evaluating the eavesdropping).In general, taking account of more input-output statistics of undetected events, e.g., adding one more output to each party to register the undetected event, may yield slightly higher key rates.
The key rates can be further improved by considering partially entangled states and noisy-preprocessing techniques (see, e.g., [56]), thus the resulting threshold efficiencies may be improved as well.
The paper is structured as follows.We first describe the general setup for DIQKD protocols with undetected events taken into account.We then present the evaluation of key rates by developing a formalism in which the mutual information and eavesdropping information are put in a same index.It is followed by an explicit procedure of a Monte Carlo approach, along with case studies of the CHSH-and I 3322 -based [57] protocols and the BB84-type protocol [58].The efficiencies and critical error rates are estimated with Bell diagonal states.More protocols with other multi-setting Bell inequalities are also studied.We proceed beyond the 2 × 2-dimensional subspaces and generalize the Monte Carlo approach to arbitrarily high-dimensional systems.The paper ends with a summary and outlook.

A. General setup
Let us assume the measurements used in the security proof be projective ones.To justify the use, note that if one uses the positive-operator-valued measures (POVMs) to perform measurements, they can readily be transformed to projectors by the Naimark theorem.Obviously, projective measurements become POVMs when undetected events are taken into account (see, e.g., Eq. (4) below ).In general scenarios, the projectors are not necessary to be of rank one.By requiring that measurement must produce, for instance, two distinct outcomes, the projectors could be of rank two or higher (see, e.g., Eq. ( 23) below).
Consider bipartite Hilbert spaces of dimension d × d and a measurement set M = {1, 2, ..., m}.Given projectors respectively for Alice and Bob, the joint correlation is computed as P (a, b|i, j) = tr(p ui ⊗ p(b) vj ρ AB ) quantum mechanically, where Alice chooses her i-th measurement, getting result a, Bob chooses his j-th measurement, getting result b, ρ AB denotes the state shared by Alice and Bob, and u i , v j are unitary transformations in SU (d) group.Let us tacitly assume, when u i , v j take unit identity 1 1, that one can have p(a) An m-setting d-dimensional Bell inequality, denoted by I mmdd , can be expressed as with ω ab ij 's coefficients properly chosen to make the inequality nontrivial, i.e., violated in quantum mechanics.The inequality holds for all local-hidden variable models [34].Let us denote quantum violation as with respect to some ρ AB .It should be noted that a large family of Bell inequalities reach their maximum quantum violations under very particular sets of measurements (e.g., Bell multi-port measurements [59]) but for the sake of generality we maintain u i , v j as arbitrary unitary transformations.
To model undetected events in experiment outputting dichotomic results 0 and 1, let us assign the undetected with 0, and so with an η detection efficiency the projectors become non-ideal, reading actually p(0) with τ = u i , v j .The term (1 − η) is due to the undetected events 0 and 1, both of which happen with probability 1 − η and according to the model should then be assigned 0, contributing to the actual p(0) .Applying (4) to joint correlations P (a, b|i, j) of Alice and Bob yields (see also [60]) where δ denotes the Kronecker function, and P A,B are marginals.

B. Evaluation of key rates
We choose to take the information-theoretic key rate to analyze the security.One needs to first evaluate the eavesdropping information I E and the mutual information I AB , and then attain in the infinite-length limit the key rate R = I AB − I E [61].Let us stress, however, that the use of Bell diagonal states in what follows is a strong assumption on the security, and that in our approach finding optimal states that maximize Eve's information may not be guaranteed for more-than-two-input scenarios in general.Hence the R's evaluated below serves as upper bounds on the key rates.
To compute I E , one needs to optimize the Holevo quantity χ = S(ρ E ) − S(ρ E|0 ) + S(ρ E|1 ) 2, where S(ρ) is the von Neumann entropy, ρ E denotes Eve's reduced state, and ρ E|a denotes Eve's normalized conditional state upon Alice's measurement p(a) u .Since there exists an overall distilled pure state |ψ⟩ ABE from which ρ E and ρ AB can be attained in a reduction way, one has S(ρ E ) = S(ρ AB ).The fact that instead of all possible bipartite states it suffices to consider the Bell-diagonal state [6,7], reading , and i Λ i = 1, leads to S(ρ E|0 ) = S(ρ E|1 ).To get further simplification, note that ρ E|a is of rank two, with eigenvalues (which are derived in the xẑ-plane in [7]; see also [62]) with respect to Alice's measurements p(0,1) With all these combined, the Holevo quantity becomes χ = H( ⃗ Λ) − h(Λ ± ), with the classical Shannon entropy H(⃗ x) := − i x i log 2 x i and the binary entropy h(y Because the measurements may not be faithfully performed, the Holevo quantity should be presumed to be maximized, or equivalently, taking into account the monotonicity of h(y), the Λ − (or Λ + ) should be presume to be minimized (or maximized).Let and we find θ, φ ∈ {0, π/2, π}.
It follows that χ has three extrema: (1) Let B be the set of all parameters in Bell-diagonal states, and B Q ⊆ B be a subset that corresponds to some particular value of quantum violation Q.The eavesdropping information is found to be In other words, one can thus have a Q-dependent I E .
To compute I AB , one needs first to get the quantum bit error rate (QBER) ε := tr[(p with ε = Λ 2 + Λ 3 for the Bell-diagonal state.It is well acceptable that one can assume Λ 1 = Λ 2 due to the preparation of states in practice, getting the QBER equal in the ẑ-and x-axes.Hence one gets the mutual entropy Γ = 1 − h(ε).
Despite that the ε, or Γ, in general, is irrelevant to Q, it is vital in our approach that one must define a Q-dependent mutual information, in order to evaluate the key rate.
To the end, let B Γ be a subset that corresponds to some particular value of mutual entropy Γ.As such, the states in B Γ will yield a domain of quantum violation, namely, Then some Q Γ must exist in the domain such that I E reaches a local maximum: For all pairs (Q Γ , Γ), there must be a mapping, namely, which can thus be used as a Q-dependent I AB .
It is here remarked, for one thing, that in computing I AB , non-ideal efficiencies (i.e., undetected events) should be taken into account; but in computing I E the efficiencies should be presumed ideal, because Eve gets the most information when Alice faithfully performs measurements in order to try with Bob to generate keys.For another, as derived above, one can have both I E and I AB dependent on Q; however, the state ⃗ Λ ∈ B that yields I E (Q) is not required to be the same as the state ⃗ Λ ′ ∈ B that yields I AB (Q).If, instead, one requires the states that yield Q to be the same in computing I E (Q) and I AB (Q), as well as specifying Alice's measurements in evaluating Eve's conditional states (i.e., replacing the maximization (12) with a Holevo quantity that corresponds to that Alice always measuring along the ẑ-axis), then the protocol reduces to a BB84 protocol in which the device-independent feature is lost (see the example below; also [6,7]).

C. Procedure of the Monte Carlo approach
The procedure is summarized in Table .I. Once the key rate is attained, it is immediate to derive a number of critical values, e.g., the maximum QBER and the threshold efficiency for a selected protocol.

D. Case studies
We illustrate our approach in two examples, alongside a reduction to the BB84 protocol.Record the pair (Q, χ). 5 Repeat steps 1 through 4 sufficiently many times to collect the data of pairs (Q, χ), the upper bound of which corresponds then to the eavesdropping information IE(Q).6 Randomly generate a Bell-diagonal state ρ ′ AB and compute the QBER ε, from which to get the mutual entropy Γ. 7 Compute the quantum violation Q of the Bell inequality P with ρ ′ AB .8 Record the pair (Q, Γ). 9 Repeat steps 6 through 8 sufficiently many times to collect the data of pairs (Q, Γ), from which, together with the definition ( 16), one can determine the mutual information IAB(Q).10 Evaluate the key rate R = IAB(Q) − IE(Q) with respect to any Q.
Following the Monte Carlo procedure, we pin down I E (Q) and I AB (Q), as shown in Figs.1(a) through 1(d).The argument is as follows.First, it is immediate to see from the figure that for each Q there corresponds to non-unique χ, and the I E (Q) serves as the upper bound.Then, for each Γ there corresponds to non-unique Q and, according to the definition ( 16), the I AB (Q) should be taken at a value of Q at which I E (Q) reaches a local maximum.In the CHSH case, I E always decreases with the increase of Q, meaning that for each Γ, it is the Q min Γ that yields a maximum I E .The I AB (Q) is henceforth pinned down.
The critical QBER corresponds to the cross point from which we find ε cr ≃ 7.15%.The threshold efficiency can be attained when there is no legitimate data of I AB above the I E curve any more.Here, we find η min ≃ 92.4% and 85.8% for symmetric and asymmetric Bell experiments, respectively.
Obviously, the curves in Fig. 1 match the analytic results derived in [6,7]; namely, the eavesdropping information and, with the QBER associated with Q, the mutual information The critical QBER and threshold efficiency can then be verified by letting R = 0.As mentioned in Introduction, if one adds one more output to register the undetected events, the input-output statistics with maximally entangled states can yield a slightly lower threshold efficiency down to approximately 90.8% [53], and via the convex-combination method [56] an efficient upper bound on the key rate implies a threshold efficiency as approximately 89.2%.

The I3322-based protocol
For multi-input-two-output scenarios there is in general no nontrivial low-dimensional subspaces, the key rate evaluated with Bell-diagonal states is actually an estimated one.The I 3322 inequality reads P = P 11 + P 12 + P 13 + The red points represent the data of (Q, χ), the upper boundary of which pins down the IE(Q).The blue points represent the data of (Q, Γ), the upper boundary of which pins down the IAB(Q) (see the main text for the reason).For the CHSH-based protocol: in (a), (b), and (c), we take the symmetric setup with η = 100%, 96%, 92.4%, respectively; in (d), we take the asymmetric setup with η = 85.8%.For the I3322-based protocol: in (e), (f), and (g), we take the symmetric setup with η = 100%, 96%, 93.8%, respectively; in (h), we take the asymmetric setup with η = 83.6%.The dashed curves in the last four figures are analytic results of the CHSH-based protocol, plotted for the sake of comparison.A distinct feature appears in the I 3322 scenario, however.Note that the cross point (Q, I E ) = (Q, I AB ) varies with respect to efficiency.For instance, in the asymmetric setup, one can get (Q, I E ) = (Q, I AB ) ≃ (0.104, 0.678), (20) as η = 1, yielding ε cr ≃ 5.86%; and as η ≃ 83.6%, yielding ε cr ≃ 8.22%.Along with an advantage over the threshold efficiency, i.e., 83.6% here for the I 3322 case versus 85.8% for the CHSH case, it is shown that in DIQKD protocols the I 3322 inequality seems more suitable than the CHSH inequality in the asymmetric setup, just as it indeed is in asymmetric BT [48].It is henceforth implied that more measurements may indeed have distinct merits in asymmetric DIQKD.Shown in Table II are results with various other Bell inequalities.These inequalities reach quantum maxima with the maximally entangled state [30].The explicit expressions of the inequalities are shown in Table III.In [56], a couple of multi-setting protocols proposed in [60] are studied via the convex-combination method.Therein the threshold efficiencies are shown to be improved.Nevertheless, one protocol there involves a more-than-two-output Bell inequality and the other protocol there involves a Bell inequality whose violation requires high-dimensional quantum states.We have not studied the two protocols due to scope issues.

Reduction to the BB84 protocol
As the aforementioned, the DIQKD protocol will reduce to the BB84 protocol if one specifies Alice's measurements.In Fig. 2, it is shown that in each step one randomly selects a Bell-diagonal state from which to get the (Q, Γ) pair and the (Q, χ ′ ) pair, where χ ′ is attained by fixing Alice's measurements in evaluating ρ E|a along the ẑ-axis.The Monte Carlo procedure then yields the mutual and eavesdropping information as in the BB84 protocol.Note that the cross point (Q, I E ) = (Q, I AB ) ≃ (0.05, 0.50) leads to the well-known critical QBER ≃ 11%.

E. Beyond 2 × 2 subspaces
To have more precise estimates of the key rate, i.e., to lower the upper bounds obtained in 2 × 2 subspaces, one is required to consider arbitrarily high dimensional Hilbert spaces producing dichotomic outputs under unfaithful measurements with non-ideal efficiencies.It is then straightforward to generalize the Monte Carlo procedure in Table I to make it work for high dimensions.The steps are similar as those in Table I, except for a few quantities which must be adapted for high-dimensional states.The relevant equations are listed below.
p(0 ξ ) We would like to elaborate now.Some steps in Table I remain unchanged, except the following ones.For step 2, one needs to consider a high-dimensional state ρ AB = i,j,m,n C ij;mn |i⟩⟨j| A ⊗ |m⟩⟨n| B .The coefficients C ij;mn must satisfy constraints such that the generated key, obtained by measurements in the basis of key generation, is random.A possible example could be ρ Due to the two-output feature of the protocol, some measuring results for the key should be denoted as 0 and the others as 1 (indexed by ξ in (22); see the remarks below for detail).Other examples could be |ψ⟩ etc., or their convex combinations.The Holevo quantity can then be computed via (29).
For step 3, to compute Q of a two-output Bell inequality P, the projectors with respect to a certain ξ are constructed in (23).With the above high-dimensional ρ AB , one can have the quantum violation, i.e., (24).For step 5, the eavesdropping information is attained in (30) by numerating all possible q a 's.The constraints ξ−1 a=0 q a = d−1 a=ξ q a = 1/2 correspond to the requirement of randomness upon the key.
For steps 6 and 7, similarly, one considers a high-dimensional ρ ′ AB and compute the error rate in (25) from which to get the mutual entropy under non-ideal efficiencies, i.e., (27).The quantum violation is computed with ρ ′ AB .After collecting sufficient data, one can have the mutual information (31) in step 9.
Finally, for step 10, one have attained a set of key rates (32) with various ξ's and d's.An efficient upper bound of the key rate in the protocol is then taken as the minimum.
Further remarks are in order.First, equations ( 22)-( 23) are defined so because the dimensions of the systems used should be presumed unknown while in measurements dichotomic results ±1 should always be attained.One thus needs to numerate all possible divisions, here indicated by ξ's, each of which denotes that the first ξ dimensions yield result 0 and the remaining dimensions yield result 1 (or equivalently, through (23), the first ξ dimensions yield result +1 and the remaining dimensions yield result −1).The divisions have included all possible reordering of results ±1 since swap operations are among the unitary transformations.Bell inequalities of probabilistic form P, because of (23), can be equivalent to inequalities of correlation form in which measurements of each party produce ±1.For instance, the I violated with a 3 × 3-or 4 × 4-dimensional entangled state.Going beyond the 2 × 2-dimensional subspaces in the security analysis is henceforth very nontrivial (see also [60]).
Second, it is similar, as with the 2 × 2 subspaces, to model undetected events and to compute the error rates and mutual entropy, which are all associated with outputs ±1.In computing the Holevo quantity, however, it is essential to distinguish each dimension, in order to have the eavesdropping maximized whereby to pin down the I (ξ) AB Q (ξ) .In analogy to considering Bell-diagonal states B and B Q in the previous section, the S in (31) represents a set of high-dimensional states shared between Alice and Bob and the S Q ( ⃗ ζ) represents a subset of S that leads to some particular Q (ξ) in the BT, with ⃗ ζ the parameters in the state in analogy to ⃗ Λ in Bell-diagonal states.After pinning down a Q-dependent I (ξ) AB Q (ξ) in (31), which follows the definition (16), one can get a provisional upper bound on the key rate with respect to certain ξ and d.

III. SUMMARY AND OUTLOOK
We have presented a Monte Carlo approach to evaluating information-theoretic security of DIQKD protocols.We have been able to asymptotically compute the key rates with the eavesdropping information and mutual information in terms of a same index, i.e., the Q, via associating the QBER of the key with quantum violation of the Bell inequality.From the key rates, the critical QBERs and efficiencies of a family of protocols have been evaluated.The approach not only applies to scenarios with extremal efficiencies as in our case studies but also to those with general ones, and can subsequently be extended to multi-output protocols.Our results show that in either the symmetric or the asymmetric setup of the protocols not so many established multi-setting Bell inequalities, except for the I 3322 inequality so far among the family of inequalities we have considered, have better performance than the CHSH inequality.Hence it is a nontrivial task that one needs to select or build Bell inequalities for multi-setting protocols.The merits of the approach include: (i) the procedure is quite efficient, as it can reproduce the exact key rate in the CHSH-based protocol, while in general protocols it yields upper bounds on the key rates, and (ii) the asymmetric setups are closer to practical scenarios, since the nodes in a quantum network, for instance, usually have unequal detection efficiencies.
A couple of open questions remain.In our case studies, the eavesdropping information decreases as quantum violation increases; hence always the upper bound of mutual entropy should the mutual information correspond to.It remains an open question, then, of whether there are any counterexamples where I E (Q) takes reversed monotonicity; we conjecture there might be in protocols with more-than-two outputs.One more question is whether there are quantum algorithms to speed up the matrix diagonalization in evaluating the Holevo quantity for large d.

FIG. 1 .
FIG. 1. (Color online)The χ and Γ figures with respect to Q under various detection efficiencies in the CHSH-and I3322-based protocols.The red points represent the data of (Q, χ), the upper boundary of which pins down the IE(Q).The blue points represent the data of (Q, Γ), the upper boundary of which pins down the IAB(Q) (see the main text for the reason).For the CHSH-based protocol: in (a), (b), and (c), we take the symmetric setup with η = 100%, 96%, 92.4%, respectively; in (d), we take the asymmetric setup with η = 85.8%.For the I3322-based protocol: in (e), (f), and (g), we take the symmetric setup with η = 100%, 96%, 93.8%, respectively; in (h), we take the asymmetric setup with η = 83.6%.The dashed curves in the last four figures are analytic results of the CHSH-based protocol, plotted for the sake of comparison.

( 4 )FIG. 2 .
FIG. 2. (Color online) (a)The χ and Γ figures with respect to Q in the CHSH-based protocol with Alice's measurements specified.The red points represent the data of (Q, χ ′ ) (see the main text for the definition) from which to pin down the IE(Q).The blue points represent the data of (Q, Γ) from which to pin down the IAB(Q).The dashed curves are analytic results of the BB84 protocol, plotted for the sake of comparison.(b) The R figure with respect to ε.The yellow points represent the date of (ε, Γ − max{χ1, χ2, χ3}).The (black) lower boundary represents the key rate of the BB84 protocol.The (green) curve denotes the key rate of the CHSH-based protocol.

TABLE I .
Monte Carlo procedure to evaluating an upper bound on the secure key rate in the DIQKD protocol.DIQKD protocol in which the Bell test and key generation are specified.2 Randomly generate a Bell-diagonal state ρAB and compute the Holevo quantity χ = max{χ (k) |k = 1, 2, 3}. 3 Compute the quantum violation Q of the Bell inequality P with ρAB. 4

TABLE II .
[30]mated values of critical QBERs and efficiencies of protocols with various Bell inequalities in symmetric and asymmetric detection setups.The indices of the inequalities are similar to those in[30].