Continuous-variable measurement-device-independent quantum key distribution: Composable security against coherent attacks
Cosmo Lupo, Carlo Ottaviani, Panagiotis Papanastasiou, Stefano Pirandola

TL;DR
This paper provides a rigorous security analysis of continuous-variable measurement-device-independent quantum key distribution, demonstrating its potential for high-rate secure communication over metropolitan distances even against the most general attacks.
Contribution
It extends security proofs for CV MDI QKD to finite-size scenarios against coherent attacks, improving secret key rate estimates with new theoretical tools.
Findings
CV MDI QKD can achieve nonzero secret key rates after 10^7-10^9 signals
The protocol is secure against the most general coherent attacks in finite-size regimes
High key rates are feasible on metropolitan scales despite loss and noise
Abstract
We present a rigorous security analysis of Continuous-Variable Measurement-Device Independent Quantum Key Distribution (CV MDI QKD) in a finite size scenario. The security proof is obtained in two steps: by first assessing the security against collective Gaussian attacks, and then extending to the most general class of coherent attacks via the Gaussian de Finetti reduction. Our result combines recent state-of-the-art security proofs for CV QKD with new findings about min-entropy calculus and parameter estimation. In doing so, we improve the finite-size estimate of the secret key rate. Our conclusions confirm that CV MDI protocols allow for high rates on the metropolitan scale, and may achieve a nonzero secret key rate against the most general class of coherent attacks after 10^7-10^9 quantum signal transmissions, depending on loss and noise, and on the required level of security.
Continuous-variable measurement-device-independent quantum key distribution: Composable security against coherent attacks
Cosmo Lupo, Carlo Ottaviani, Panagiotis Papanastasiou, Stefano Pirandola
Department of Computer Science, University of York, York YO10 5GH, UK
I Introduction
Quantum communication technologies, and in particular quantum key-distribution (QKD), are rapidly progressing from research laboratories towards real-world implementations. The ultimate goal is building a network of quantum devices (quantum internet) enabling unconditionally secure communications on the global scale QI1 ; QI2 ; QI3 ; QI4 . To this end, QKD has been recently extended to a scenario where two honest users (Alice and Bob) exploit the mediation of an untrusted relay, operated by the eavesdropper (Eve), to establish a secure communication channel MDI ; CV-MDI . This remarkable feature is made possible by the working mechanism of the relay itself, which activates secret correlations on the users’ remote stations by performing Bell detection on the incoming signals and publicly announcing the results CV-MDI . This architecture has been called measurement-device independent (MDI) QKD because, as such, the security of the communication does not rely on the assumption that the measurement devices (which are more exposed to side-channel attacks than other devices) are trusted MDI ; CV-MDI .
Protocols exploiting quantum continuous variables (CV) have attracted considerable attention, for their potential of boosting the communication rate and for their employability across mid-range (metropolitan) distances CV-MDI ; Comm . The key rates achievable by CV QKD protocols are not far from the ultimate repeater-less bound for private communication, which, for a lossy line of transmissivity is bits per use PLOB . The security of CV QKD, which is very well established under Gaussian attacks and in the asymptotic regime RMP , has been recently generalized to the most general class of coherent attacks as well as to the finite-size setting Lev1 ; Lev2 ; FF1 ; FF2 ; FF3 . In this landscape, the problem of establishing the secret key rates achievable by CV MDI QKD in the finite-size setting has not yet been explicitly addressed.
In this paper we fill this gap and provide a rigorous composable-security proof of the CV MDI QKD protocol proposed in Ref. CV-MDI (this proof can then be extended to tripartite 3MDI and multipartite CV MDI protocols multik ). The security of CV MDI QKD against collective attacks can be obtained along the lines of Ref. Lev1 . Then, the extension to the most general class of coherent attacks can be obtained by exploiting the recently introduced Gaussian de Finetti reduction Lev2 . Here we apply to CV MDI QKD and improve the proof techniques of Ref. Lev1 :
1. We present a simpler analysis of parameter estimation that holds under general coherent attacks. Our analysis exploits the recently proven optimality of Gaussian attacks in the finite-size scenario Lev2 to simplify parameter estimation.
2. We show that in CV MDI protocols, the parameter estimation routine can be performed locally by the legitimate users with almost no public communication.
3. We improve the secret-key rate estimates of Ref. Lev1 by exploiting a new entropic inequality.
The paper develops as follows. We start in Section II by reviewing the CV MDI QKD protocol of Ref. CV-MDI . Section III is devoted to our new results about parameter estimation and its statistical analysis. In Section IV we present an improved estimation of the secret key rate obtained by applying a new entropic inequality. A comparison with previous works is presented in Section V. To make our results more concrete, numerical examples are presented in Section VI. We finally discuss the relation between security proof and experimental realization and possible improvements in Section VII. Finally, conclusions are presented in Section VIII.
II Description of the protocol
In this section, we review the CV MDI QKD protocol introduced in Ref. CV-MDI .
The protocol develops in five steps (see Fig. 1):
1. Coherent states preparation. Alice and Bob locally prepare coherent states, whose complex amplitudes and are drawn i.i.d. from circularly symmetric, zero-mean Gaussian distributions with variance and , respectively NOTAvacuum . The initial random variables of Alice and Bob are respectively denoted as , .
2. Operations of the relay. The coherent states are sent to the relay. For each pair of coherent states received the relay publicly announces a complex value .
3. Parameter estimation. Alice and Bob estimate the covariance matrix (CM) of the variables .
4. Conditional displacements. Alice and Bob define the displaced variables and such that
[TABLE]
where , for each , is an affine function of . As shown in Ref. io , the optimal choice is to define the functions as
[TABLE]
where NOTAmean
[TABLE]
We remark that the parameters , can be computed directly from the estimated CM.
5. Classical post-processing. The variables , represent the local raw keys of Alice and Bob, respectively. To conclude the protocol, the raw keys , are post-processed for error correction and privacy amplification. We assume without loss of generality that error reconciliation is on Alice’s raw key.
The CV MDI QKD protocol described above has two main characteristic features. The first is that Alice and Bob do not apply any measurement, as the only measurement is performed by the untrusted relay. This property defines the protocol as MDI MDI ; CV-MDI . The second feature is that the correlations between Alice and Bob are generated through the variable announced by the relay. As explained in detail in Ref. io , this property allows Alice and Bob to do parameter estimation with a negligible amount of public communication NOTApergliidioti . Therefore, they can exploit the whole raw key for both parameter estimation and secret key extraction.
Finally we remark that, although the variables and have in principle infinite cardinality, in practice they are always specified by a finite number of digits. Furthermore, for the finite-size analysis of the protocol (as well as for other practical issues), one needs to map the unbounded and continuous variables , to some discrete and bounded variables , . The mappings , can be realized by an Analog to Digital Conversion (ADC) algorithm. We therefore assume that and are discrete variables with cardinality (i.e., bits per quadrature).
III Parameter estimation
In this Section we discuss how Alice and Bob can estimate the CM of the variables . Without loss of generality we can assume that these variables have zero mean and the CM has the form
[TABLE]
where , and
[TABLE]
Clearly, the entries on the principal diagonal of (14) can be estimated locally by either Alice or Bob. It remains to estimate the off-diagonal term . This can be done in three different ways:
1. The traditional way is that Alice and Bob exchange part of the data via a public channel to estimate the correlation terms and . Clearly, in order to do so they have to disclose part of the raw key, thus reducing the final secret-key rate. Suppose that, over a total of signals exchanged, Alice and Bob use signals for parameter estimation, thus allowing an error in the estimation of the order of . Then only the remaining signals remain available for secret key extraction (i.e., error correction and privacy amplification).
2. As noted in Ref. Lev1 (see also Pacher ) a rough estimate of the signal-to-noise ratio is sufficient for Alice and Bob to run the error correction routine before performing parameter estimation. Then, a verification step is done to ensure that the initial estimate was accurate enough. In this way Alice and Bob can exploit virtually all the raw data for key generation.
3. For our MDI protocol Alice and Bob can exploit the relations (see Section II)
[TABLE]
to obtain
[TABLE]
where we have defined
[TABLE]
Since the variances , and the covariance can be locally computed by the users, this implies that Alice and Bob can do parameter estimation without publicly announcing their local data NOTApergliidioti . In conclusion, in this way Alice and Bob can exploit all their raw data for both parameter estimation and secret key extraction.
Here we follow the latter approach because, in contrast with the first approach and in analogy with the second one, it requires only a constant (and hence negligible) amount of public communication. Furthermore, the third approach exploits the very structure of the MDI protocol and therefore appears to be the most natural in this context.
III.1 Statistical analysis of parameter estimation
We are then left with the problem of estimating the confidence interval associated with the statistical estimation of the CM of . It is worth stressing that this is a remarkably complex problem in the case of general collective attacks (see Ref. Lev1 ). By contrast, this task becomes straightforward under the assumption of collective Gaussian attacks. Unlike other authors Lev2010 ; Jouguet2012 ; Usenko , our analysis of parameter estimation under collective Gaussian attacks does not rely on the central limit theorem and is therefore mathematically rigorous in the finite-size setting (see instead Ref. Panos ; China1 for a statistical analysis of parameter estimation in CV MDI QKD that exploits the central limit theorem).
Our analysis is based on the assumption that the are Gaussian variables. This assumption comes with no loss of generality because:
- The variables are Gaussian by definition of the protocol;
- The optimality of Gaussian attacks in the finite-size scenario has been established in Ref. Lev2 . This implies that the variables can be assumed to be Gaussian without loss of generality;
- In principle, the variables are not necessarily Gaussian. Notwithstanding, by inverting Eqs. (18)-(21) we can write as linear combinations of and . Since the latter are assumed to be Gaussian, and since a linear combination of Gaussian variables is also Gaussian, it follows that are Gaussian variables too.
First consider the estimation of, say, , whose estimator is the empirical variance . Given that are i.i.d. Gaussian variables NOTAadc , then the empirical variance is distributed (up to rescaling) according to a chi-squared distribution. Therefore, a confidence interval can be readily obtained applying the cumulative distribution function of the chi-squared distribution, or tail bounds for it.
Second, consider the estimation of the correlation . We apply the identity
[TABLE]
whose estimator
[TABLE]
is distributed as the sum of chi-squared variables. Therefore, for each chi-squared variable, we can compute a confidence interval, and then obtain a confidence interval for the quantities , , and in (14) by error propagation.
An explicit calculation of the confidence intervals is presented in Appendix C.
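The interval construction described in this section can be sketched as follows; this is an added example, not code or formulas from the paper. It assumes real, zero-mean Gaussian quadratures, uses the Laurent-Massart chi-squared tail bounds as a stand-in for the bounds of Appendix C, and assumes the polarization identity for the correlation term; all function names and the sample data are constructed for illustration.

```python
import math
import random


def chi2_ratio_bounds(k, eps):
    """Bounds (lo, hi) on X/k for X chi-squared with k degrees of freedom.

    Laurent-Massart tail bounds (assumed here, not the paper's own):
      P(X - k >= 2*sqrt(k*x) + 2*x) <= exp(-x)
      P(k - X >= 2*sqrt(k*x))       <= exp(-x)
    With x = ln(2/eps) each tail has weight eps/2, so lo <= X/k <= hi
    holds except with probability at most eps. No central limit theorem
    is used, so the statement is valid for every finite k.
    """
    x = math.log(2.0 / eps)
    root = 2.0 * math.sqrt(x / k)
    return 1.0 - root, 1.0 + root + 2.0 * x / k


def variance_interval(samples, eps):
    """Confidence interval for the variance of i.i.d. zero-mean Gaussians.

    n * S / sigma^2 is chi-squared with n degrees of freedom, where S is
    the empirical second moment, so sigma^2 lies in [S/hi, S/lo].
    If the block is too short (lo <= 0) no finite upper bound exists.
    """
    n = len(samples)
    s = sum(v * v for v in samples) / n
    lo, hi = chi2_ratio_bounds(n, eps)
    upper = s / lo if lo > 0 else math.inf
    return s / hi, upper


def covariance_interval(xs, ys, eps):
    """Confidence interval for <xy> by error propagation.

    Assumed identity: <xy> = (<(x+y)^2> - <(x-y)^2>) / 4.
    x+y and x-y are zero-mean Gaussian, so each second moment gets its own
    chi-squared interval with error eps/2; a union bound gives eps overall.
    """
    plus = [x + y for x, y in zip(xs, ys)]
    minus = [x - y for x, y in zip(xs, ys)]
    p_lo, p_hi = variance_interval(plus, eps / 2)
    m_lo, m_hi = variance_interval(minus, eps / 2)
    return (p_lo - m_hi) / 4, (p_hi - m_lo) / 4


def constructed_samples(n, var_x, var_y, cov, seed=1):
    """Constructed test data: n correlated zero-mean Gaussian pairs."""
    rng = random.Random(seed)
    rho = cov / math.sqrt(var_x * var_y)
    xs, ys = [], []
    for _ in range(n):
        g1, g2 = rng.gauss(0, 1), rng.gauss(0, 1)
        xs.append(math.sqrt(var_x) * g1)
        ys.append(math.sqrt(var_y) * (rho * g1 + math.sqrt(1 - rho * rho) * g2))
    return xs, ys


if __name__ == "__main__":
    xs, ys = constructed_samples(20000, var_x=4.0, var_y=9.0, cov=3.0)
    print("variance of x  :", variance_interval(xs, 1e-10))
    print("covariance x,y :", covariance_interval(xs, ys, 1e-10))
    # Relative width shrinks like sqrt(ln(1/eps)/n) as the block grows.
    for n in (10**4, 10**6, 10**8):
        print(n, chi2_ratio_bounds(n, 1e-10))
```

Both users can run this on locally available data, which is the point of the third estimation approach: the interval width depends only on the block size and the error probability.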
IV Improved rate estimation
The security proof against collective or Gaussian attacks can be obtained along the lines of Ref. Lev1 . Here we present an improved estimation of the conditional smooth min-entropy obtained by applying a new entropic inequality.
We assume without loss of generality that the reconciliation is on Bob’s variable . The number of (approximately) secret bits that can be extracted from the raw key is lower bounded by the smooth min-entropy of , conditioned on the quantum state of the eavesdropper as well as on the classical variable Renner :
[TABLE]
where we have also subtracted the information leakage due to error correction. The security parameter comprises three terms: comes from the leftover hash lemma, is the smoothing parameter entering the smooth conditional min-entropy, and is the error in the error correction routine. Since conditioning does not increase the entropy, for any purification of we have
[TABLE]
which implies
[TABLE]
A crucial point of the security proof is the estimation of the conditional smooth min-entropy . Here we present an approach that yields a bound on the min-entropy that is tighter than the one of Lev1 . For collective (or collective Gaussian) attacks, the state is a tensor-power, i.e., . On the other hand, the state that is actually used for key generation is the one conditioned upon error correction being successful. Because error correction has a non-zero failure probability, the conditional state is no longer guaranteed to be a tensor-power. Indeed, the conditioned state has the form
[TABLE]
where is a projector operator (projecting on the subspace in which error correction does not abort), and is the probability of successful error correction. Let us recall that the security parameter can be interpreted as the probability that the protocol is not secure (see Appendix A for a review). Therefore, the probability that the protocol is not secure, given that it does not abort, cannot be larger than . This suggests a relation of the form
[TABLE]
As a matter of fact we can prove the following
Theorem 1
Given two states and such that for some projector operator and , then
[TABLE]
The proof is presented in Appendix B.
Theorem 1 implies that the state can still be assumed to be a tensor-power upon replacing and shortening the secret key by bits, that is,
[TABLE]
The conditional smooth min-entropy of the tensor-power state can be estimated using the Asymptotic Equipartition Property (AEP), which yields a bound in terms of the von Neumann conditional entropy Tomamichel :
[TABLE]
where
[TABLE]
is also a function of the dimensionality parameter .
The next step in the security proof is to estimate the conditional entropy
[TABLE]
Let us first consider the estimation of the mutual information . We remark that the latter is upper bounded by the mutual information with the variable , i.e., , since the ADC algorithm cannot increase the mutual information. In turn, the property of extremality of Gaussian states Wolf ; Raul allows us to write the bound , where is a Gaussian state with same CM as .
To conclude, we notice that the quantity is the number of (not necessarily secret) bits of common information shared by Alice and Bob after the error correction routine. Ideally, in the limit of large block size, ADC with arbitrarily large precision, and perfect operations, this quantity is expected to be equal to , where is the mutual information between Alice and Bob. Therefore we can put
[TABLE]
where the efficiency parameter accounts for all the sources of non-ideality in the protocol. The inequality , where is the Gaussian state with same first and second moments, follows from Ref. Raul . Notice that is also a function of and .
In conclusion, the results presented in this section, combined with the security proof of Lev1 , yield the following lower bound on the secret key rate:
[TABLE]
where and are the empirical estimates for the mutual informations, and is the probability of error in parameter estimation.
V Comparison with previous security proof
Our expression for the rate in Eq. (39) can be compared to the analogous expression given in Theorem 1 of Ref. Lev1 . The first difference between the two expressions is in the term proportional to (that is the leading correction term in our finite-size analysis), which in Ref. Lev1 is replaced by NOTAtypo
[TABLE]
It is clear that , where for small values of and the difference is dominated by the term . We emphasize that the fact that with our approach we obtain a smaller finite-size correction follows from the application of the new min-entropy inequality of Theorem 1.
The expression for the rate in Ref. Lev1 also includes an additional error term , scaling as . In our formulation this term does not appear and has been somehow incorporated in the efficiency factor . We believe that our approach provides a better way to model what is done in experimental implementations of the protocol. We remark that is the leading finite-size correction term in the analysis of Ref. Lev1 .
Finally, we exploit the Gaussian assumption to compute the confidence intervals for parameter estimation. The result (see Appendix C) is that the elements of the CM can be estimated up to a relative error of the order of
[TABLE]
with a given overall probability of error smaller than . This result is comparable with that of Ref. Lev1 : the reason is that, although Ref. Lev1 considers general collective attacks, the analysis of the parameter estimation is effectively reduced to the Gaussian setting by applying a randomization technique. Although we obtain finite-size corrections related to parameter estimation that are quantitatively similar to Ref. Lev1 , our statistical analysis is much simpler. This is due to the fact that we exploit the assumption of a Gaussian attack which has been proven to come without loss of generality even in the finite-size setting Lev2 .
VI Numerical examples
The expression in Eq. (39), together with the parameter estimation analysis of Section III, allows us to compute the estimated secret-key directly from experimental data for any Gaussian attack (and then extend to general attacks using the results of Ref. Lev2 ). In this Section, as an example, we compute the rate as function of loss and block size for the case of an entangling cloner attack (depicted in Figure 2). We consider two settings:
1. symmetric attacks in which both communication lines from Alice to the relay and from Bob to the relay are wiretapped with a beam-splitter with equal transmissivity ;
2. asymmetric attacks where the relay is assumed very close to Alice's station, .
In both cases, following Ref. CV-MDI , the eavesdropper collects all the loss from the communication lines, and the variable is the outcome of a perfect Bell detection performed at the relay. These kinds of attacks have been characterized thoroughly in Ref. CV-MDI , where the asymptotic rate (in the limit of infinite block size) has been computed as:
[TABLE]
where the mutual informations are bounded by the results of parameter estimation. In our example we choose the conservative value Beta1 ; Beta2 ; Beta3 ; Beta4 . (Notice that in principle the factor is a function of and , but for the sake of illustration we assume it to be constant.)
Putting , we obtain
[TABLE]
and the covariances of mutually conjugate quadratures vanish. We also have and
[TABLE]
where , are the excess noise variances and are the thermal noise that Eve injects in the links respectively (see Eq. (1) of Ref. CV-MDI ). The only non-vanishing displacement coefficients are
[TABLE]
that imply
[TABLE]
and . Finally, applying Eq. (94) we obtain
[TABLE]
and similarly, from Eq. (93),
[TABLE]
with (see Appendix C).
For collective Gaussian attacks, Eq. (39) is rewritten as
[TABLE]
where . In Figs. 3, 4 this rate is plotted vs the block size , for different values of the transmissivities and excess noise for error correction efficiency of . The plots are obtained putting , , hence obtaining an overall security parameter . We also put : with this choice of the error in the Shannon entropy due to the ADC is less than . The rate is then obtained by maximizing over the value of modulation .
For coherent attacks, by applying the results of Ref. Lev2 we obtain
[TABLE]
where is the number of signals used for the energy test, and .
In Figs. 3, 4 this rate is plotted vs the block size , for different values of the transmissivities and excess noise, for error correction efficiency of . The plots are obtained for chosen in such a way to obtain . The rate is then obtained by maximizing over and the modulation and for .
VII Discussion
In the case of coherent attacks, the major bottleneck limiting the rate of secret bits generation per second comes from the classical post-processing, and in particular the active symmetrization routine, due to the typically large size of the data set. While it has been conjectured that such an active symmetrization might not be actually needed Lev2 , it remains an open theoretical problem to find a security proof that does not require performing such a computationally costly operation.
Here we present two arguments supporting the conjecture that the active symmetrization routine may not be actually performed in any experimental realization of the protocol:
1. The active symmetrization routine consists in Alice and Bob multiplying their local raw keys by a random matrix. Since the matrix is invertible and publicly known, such an operation cannot by any means increase the secret key length. Therefore, we deduce that the same secret key rate might be achieved even without performing the symmetrization routine;
2. The symmetrization routine is also instrumental for the energy test. After the symmetrization operation, Alice and Bob estimate the expectation value of the energy from only a relatively small part of the raw key. We notice that Alice and Bob can obtain an even better estimate of the mean energy from the whole raw key. This suggests that the symmetrization step might be avoided without affecting the energy test.
In summary, these two arguments suggest that the requirement of performing the symmetrization routine might be an artifact of the particular technique used to prove the security and therefore might not be strictly required in a practical realization of the protocol.
VIII Conclusions
We have presented a rigorous assessment of the security of CV MDI QKD in the finite-size regime. Our results are obtained by applying and modifying the results of Ref. Lev1 , also exploiting the Gaussian de Finetti reduction recently introduced in Ref. Lev2 , together with new results on parameter estimation and a new min-entropy inequality. Because of these improvements, our estimate on the secret-key rate is improved with respect to results of Lev1 ; Lev2 .
In doing this, we have shown that for our MDI protocol all the raw data can be used for both parameter estimation and secret key extraction. Such a unique feature is a consequence of the fact that correlations between Alice and Bob are encoded in the variable that is publicly announced by the relay — even though such a variable does not contain information about the secret key (see Ref. io ). It might be possible that for the same reason the security analysis of MDI QKD can be further simplified, in particular the energy test and active symmetrization routines. It is worth remarking that standard one-way protocols, in both direct and reverse reconciliation, can be simulated by an MDI one, simply by assigning the relay to either Alice or Bob CV-MDI . For this reason, this unique property of MDI QKD can be readily extended to the one-way setting io .
Our statistical analysis of parameter estimation is fully composable and does not rely on the central limit theorem (and therefore is mathematically rigorous in the finite-size setting). Notwithstanding, we do not expect that our approach gives tight bounds on the statistical error induced by parameter estimation. In fact, tighter bounds may be obtained following a different approach, for example by invoking the central limit theorem as in Ref. Panos ; China1 .
We have shown that it is in principle possible to generate secret key against the most general class of coherent attacks for block sizes of the order of 10^7-10^9, depending on loss and noise, and on the required level of security. Therefore, our results indicate that a field demonstration of CV MDI QKD might be feasible with currently available technologies. In particular, our composable security analysis confirms that CV MDI protocols allow for high QKD rates on the metropolitan scale, thus confirming the results of the asymptotic analysis first discussed in Ref. CV-MDI .
Note added: after the completion of this work, other authors have independently presented a security analysis of CV MDI QKD obtained by exploiting entropic uncertainty relations China2 . Although directly applicable to obtain security against coherent attacks, this approach is known to provide bounds on the secret key rate that in general are not tight.
Acknowledgements.
This work was supported by the Innovation Fund Denmark within the Quantum Innovation Center Qubiz and the EPSRC Quantum Communications hub (EP/M013472/1). C.L. acknowledges the valuable scientific support received from the Quantum Physics and Information Technology Group (QPIT) of the Technical University of Denmark (DTU), and is specially grateful to Anthony Leverrier for insightful comments and discussions.
Appendix A Operational interpretation of the security parameter
Ideally, in QKD one would like to obtain a shared key that is truly random and secret to the eavesdropper. The final state of a protocol that successfully distributes perfectly secret bits would be represented by a density operator of the form
[TABLE]
In reality, one can only hope to get as close as possible to such an ideal scenario. Let denote the final state of a given QKD protocol. The extent to which the state approximates the ideal one is often quantified in terms of the trace distance,
[TABLE]
The trace distance has several desirable properties for a good security quantifier TCC ; Renner ; Composable . In particular, here we discuss its interpretation in terms of the probability that the generated key is secret. It is well known that the operational meaning of the trace distance is related to the problem of quantum state discrimination Helstrom . Suppose one is given a black box containing either or , each with probability . Then any measurement strategy, compatible with the principles of quantum mechanics, allows one to distinguish between the two states up to an error probability NOTA-a
[TABLE]
Let us define a binary random variable with probability distribution . As a matter of fact characterizes the distinguishability of the states and , that is, between the output of the given QKD protocol and an ideal, perfectly secure one. For example, if the state happens to coincide with the ideal one, we have . On the other hand, if the state can be perfectly distinguished from the ideal one, .
Putting we can write
[TABLE]
Therefore, the probability distribution of the variable characterizing the output of the QKD protocol is the convex sum of the probability distribution associated to the ideal output state and the probability associated to a state that can be perfectly distinguished from the ideal one. In conclusion, such a convex sum decomposition of allows us to interpret as the probability that the output of the QKD protocol is indistinguishable from the ideal one, and thus, for all practical purposes is itself perfectly secure. In other words, the probability that the output of the protocol is not perfectly secure is smaller than . Assuming the worst case scenario, below we put equal to the probability that the key is not secret.
Abstracting from the state and focusing on the protocol itself, this same reasoning is extended to the direct comparison of two protocols and , formally represented as completely positive maps, via the diamond norm
[TABLE]
where the supremum is over all input states and the maps are extended to include an ancillary system.
Appendix B Some properties of smooth entropy
One of the main tools for quantifying the security of QKD is the conditional smooth min-entropy. In this Appendix we review some of the main definitions and properties (see Renner ; Tomamichel for the proofs) and derive a useful inequality in Proposition 6 that is applied for our security proof.
Definition 2
[Conditional min-entropy] The min-entropy of conditioned on of the bipartite state is
[TABLE]
where is the identity operator and is a subnormalized state.
Here we are interested in the conditional min-entropy of classical-quantum (CQ) states of the form . In this case the conditional min-entropy can be written in terms of the maximum guessing probability:
[TABLE]
where is a quantum channel.
The following holds:
Lemma 1
Let be a CQ state and a subset of . We define the projector operator , and the state , with . The following inequality holds:
[TABLE]
Proof: By applying the characterization of the min-entropy in terms of the guessing probability we obtain:
[TABLE]
The smooth conditional min-entropy of is defined as the maximum min-entropy in a neighborhood of :
Definition 3 (Smooth conditional min-entropy)
The smooth conditional min-entropy of conditioned on of the state is
[TABLE]
where is a "smoothing state" such that , with denoting the trace distance.
Remark 4
Here we have defined the entropy smoothing using the trace distance as in Ref. Renner instead of the purified distance as done in Ref. Tomamichel .
Remark 5
For a CQ state it is sufficient to consider smoothing states that are classical on the same support as Tomamichel . Therefore there exists a CQ state such that and
[TABLE]
Lemma 2
Let us consider two CQ states and such that , and a projector operator . Then where and .
Proof. First notice that the trace distance between the two CQ states reads
[TABLE]
and that implies
[TABLE]
We then have
[TABLE]
where in the first inequality we have applied the triangle inequality and in the last one we have applied Eqs. (70)–(71).
We are now ready to present a "smoothed" version of Lemma 1:
Proposition 6
Let be a CQ state and a subset of . We define the projector , and the (normalized) state , where . The following inequality relates the conditional smooth min-entropies of and :
[TABLE]
Proof. Let be a CQ state such that . Lemma 2 implies that . We then upper bound the conditional smooth min-entropy of as follows:
[TABLE]
where in the first inequality we have applied the fact that is -close to , in the second inequality we have applied Lemma 1, the first equality is obtained choosing a that verifies Eq. (69) with , and the last inequality is obtained from Eq. (71).
B.1 Dealing with the non-zero probability that the protocol aborts
The assumption that the state is a tensor product is justified for collective attacks. However, since error correction has non-zero probability of aborting, one should consider the conditional probability of obtaining a secret key given the protocol did not abort. Unfortunately, the state conditioned on the protocol not aborting is no longer guaranteed to have a tensor product structure.
The state , that describes the correlations between Bob’s output measurement and Eve, is a classical-quantum (CQ) state of the form:
[TABLE]
where is the probability of a sequence of symbols and is the corresponding conditional state of Eve. The protocol does not abort only on a given subset of the sequences , therefore the state for a non-aborting protocol reads
[TABLE]
where is a projector operator, and is the normalization factor.
Proposition 6 in Section B yields a simple relation between the conditional smooth min-entropies of and , namely
[TABLE]
where is interpreted as the probability that the protocol does not abort.
Appendix C Tail bounds
The cumulative distribution function of the chi-squared variable with degrees of freedom is , where is the Euler Gamma function, and is the lower incomplete Gamma function.
To bound the cumulative distribution function we can use, for example, the tail bounds:
[TABLE]
(These bounds are derived from the Chernoff bound using the fact that the distribution of is sub-exponential with parameters ).
A direct application of these bounds yields
[TABLE]
together with similar bounds for the quantities , , , .
We also obtain
[TABLE]
and analogously
[TABLE]
This implies
[TABLE]
with
[TABLE]
and
[TABLE]
where , and are defined in Eqs. (23)-(25).
For example, putting
[TABLE]
we finally obtain
[TABLE]
The reference list from the paper itself:
- (1) H. J. Kimble, Nature 453, 1023 (2008).
- (2) S. Pirandola and S. L. Braunstein, Nature 532, 169 (2016).
- (3) S. Pirandola et al., Nature Photon. 9, 641 (2015).
- (4) U. L. Andersen, J. S. Neergaard-Nielsen, P. van Loock, A. Furusawa, Nature Phys. 11, 713 (2015).
- (5) S. L. Braunstein, S. Pirandola, Phys. Rev. Lett. 108, 130502 (2012); H.-K. Lo, M. Curty, B. Qi, Phys. Rev. Lett. 108, 130503 (2012).
- (6) S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, U. L. Andersen, Nature Photon. 9, 397 (2015).
- (7) S. Pirandola, C. Ottaviani, C. S. Jacobsen, G. Spedalieri, S. L. Braunstein, S. Lloyd, T. Gehring, U. L. Andersen, Nature Photon. 9, 776 (2015).
- (8) S. Pirandola, R. Laurenza, C. Ottaviani, L. Banchi, Nature Commun. 8, 15043 (2017). See also arXiv:1510.08863 (2015).
