arXiv:2005.13511v3 [quant-ph] 26 Apr 2021

Upper bounds on device-independent quantum key distribution

Matthias Christandl

QMATH, Department of Mathematical Sciences, University of Copenhagen, Universitetsparken 5, 2100 Copenhagen Ø, Denmark

Roberto Ferrara

Lehr- und Forschungseinheit für Nachrichtentechnik, Technische Universität München, 80339 Munich, Germany

Karol Horodecki

Institute of Informatics, National Quantum Information Centre, Faculty of Mathematics, Physics and Informatics, University of Gdańsk, 80-308 Gdańsk, Poland and International Centre for Theory of Quantum Technologies, University of Gdańsk, 80-952 Gdańsk, Poland

(Dated: April 27, 2021)

Quantum key distribution (QKD) is a method that distributes a secret key to a sender and a receiver by the transmission of quantum particles (e.g. photons). Device-independent quantum key distribution (DIQKD) is a version of QKD with a stronger notion of security, in that the sender and receiver base their protocol only on the statistics of input and outputs of their devices as inspired by Bell’s theorem. We study the rate at which DIQKD can be carried out for a given bipartite quantum state distributed between the sender and receiver or a quantum channel connecting them. We provide upper bounds on the achievable rate going beyond upper bounds possible for QKD. In particular, we construct states and channels where the QKD rate is significant while the DIQKD rate is negligible. This gap is illustrated for a practical case arising when using standard post-processing techniques for entangled two-qubit states.

Introduction. Quantum key distribution (QKD) offers the possibility to distribute a perfectly secure key among two parties via quantum communication [1]. The parties can later use this key for perfectly secure communication. Whereas theoretically, the security of QKD is very well understood, the experimental implementations remain challenging. This is because it is difficult to verify that the theoretical models and the experimental implementations fit together. In practice, the exploitation of differences between model and implementation are known as side channels, and it is here that quantum communication opens a can of worms [2]. QKD is thus dependent on the exact known specifications of the devices used: it is device-dependent.

Ekert’s scheme for QKD merely verified by the violation of a Bell inequality opens up the possibility of device-independent QKD (DIQKD), as the violation of a Bell inequality can be argued by the obtained correlations alone (under the assumption of appropriate timing of the signals). In recent years, DIQKD has been put on a firm footing [3–12]. However, it should be said that a device purchased from an adversarial vendor emphasizes other types of loopholes, for instance, the hidden storage and later unwanted release of the bits generated [13–15].

Whereas security proofs for both QKD and DIQKD are involved, e.g., since channel noise needs to be estimated and the eavesdropper might carry out non-i.i.d. attacks, upper bounds on the optimal rate can be obtained with a Shannon-theoretic approach. In the case of QKD, the corresponding rates are the key rate $K(\rho)$ of a bipartite state $\rho$ shared among the communicating parties [16, 17] and the private capacity $P(\Lambda)$ of a quantum channel $\Lambda$ [18]. Interestingly, these rates can indeed be achieved in the actual QKD setting, e.g. by use of the post-selection technique [19]. For the first upper bounds on DIQKD rates see [20].

In this paper, we consider the natural DIQKD variants $K^{DI}(\rho)$ and $P^{DI}(\Lambda)$. Since DIQKD has a higher security demand than QKD, one has the trivial bounds $K^{DI}(\rho) \le K(\rho)$ and $P^{DI}(\Lambda) \le P(\Lambda)$.

Our main results are upper bounds on the DIQKD rates that go beyond the bounds implied by QKD, thereby pointing out a fundamental difference between standard and device-independent QKD. We illustrate the bounds with an example where the QKD rate is constant but, remarkably, the DIQKD rate is vanishingly low. We will also discuss a practical example with an explicit gap. In the following we introduce the setting before presenting and illustrating the main results.

Communication rates in quantum cryptography. Every QKD and DIQKD protocol consists of preparing, exchanging and measuring quantum particles, followed by the post-processing of the measurement data resulting in the final key. Note that these are not necessarily separate stages, but may be interwoven. Most QKD protocols, however, can be modeled as an establishment of $n$ independent copies of a bipartite quantum state $\rho$ between the communicating parties Alice and Bob, followed by a protocol consisting of local operations and public communication (LOPC). For simplicity, we will assume that all Hilbert spaces are finite-dimensional. This protocol results in a final key secret against an eavesdropper holding the purification of $\rho^{\otimes n}$ and a copy of all classical communication. When maximizing over possible LOPC protocols, one obtains the key rate $K(\rho)$.

If Alice and Bob have control over their measurement apparatuses, there exist effective methods to verify that they indeed have $n$ independent copies of $\rho$, even if the adversary interferes with the quantum communication. Thus $K(\rho)$ also has the practical relevance as a QKD rate and not only information-theoretic meaning [19].

Instead of modeling the distribution of the quantum particles by a density matrix $\rho$, one might also model it as arising from a quantum channel $\Lambda$, a completely-positive trace-preserving linear map. This scenario, which results in the private capacity $P(\Lambda)$, is more general but more cumbersome to treat. Therefore, we will focus on the density matrix paradigm, yet also state our results in the channel paradigm.

Note that in most practical protocols, in QKD but especially in DIQKD, measurements are performed on single copies of $\rho$ by POVMs $\{A^x_a\}_a$ and $\{B^y_b\}_b$. We denote the measurement choices by $x$ and $y$, respectively, and the outcomes by $a$ and $b$. If an eavesdropper does not interfere with the measurement, this results in $n$ independent and identical samples of the conditional probability distribution

$$p(a, b|x, y) := \mathrm{tr}[(A^x_a \otimes B^y_b)\rho].$$

Classical post-processing then leads to the final secret key against an eavesdropper who holds the purification of the state $\rho^{\otimes n}$ as well as a transcript of all public communication. We note that the distribution of the measurement choice $p(x, y) = p(x)p(y)$ is usually fixed (e.g. uniform) so that the samples are actually drawn from the distribution $p(a, b, x, y) = p(a, b|x, y)p(x, y)$, rather than from $p(a, b|x, y)$. The choice of measurements and their distribution is denoted by $\mathcal{M}$. We denote the corresponding QKD rate when maximizing over POVMs by $K^{(1)}(\rho)$, indicating that the measurement acts on one copy of the state. Note that

$$K^{(1)}(\rho) \le K(\rho).$$

In DIQKD, in contrast to QKD, Alice and Bob know neither the measurement operators performed by their apparatus nor the states measured. In particular, even though they can verify that they have $n$ independent copies of $p(a, b|x, y)$, it might not be possible to infer that the underlying quantum process respects the independent nature. Namely, it might not be possible to prove that the measurements $\{A^x_a\}_a$ and $\{B^y_b\}_b$ were indeed carried out independently on independent copies of $\rho$, rather than some more complicated procedure. Even assuming that the device indeed performed $n$ identical independent measurements on an identical quantum state, leading to what we call the DIQKD rate

$$K^{DI}(\rho)$$

leaves open the possibility for different measurements as we will explain in the following. We emphasize that it is possible, yet unproven, that this rate can be achieved in a realistic DIQKD setting, as recent research indicates [8, 21] (cf. research on quantum de Finetti theorems [22–24]). Since knowing less about the apparatus can only decrease the rate, we have

$$K^{DI}(\rho) \le K^{(1)}(\rho) \le K(\rho). \tag{1}$$

In the following, we will provide upper bounds that improve on this bound and exploit them to present a gap between $K^{DI}(\rho)$ and $K(\rho)$.

Upper bounds on DIQKD. Assume now that the POVMs $\{A^x_a\}_a$ and $\{B^y_b\}_b$ are optimal for $K^{DI}(\rho)$ (such POVMs exist by compactness, since the Hilbert spaces are finite-dimensional). Note that there might exist a different state $\rho'$ and different measurements $\{A'^x_a\}_a$ and $\{B'^y_b\}_b$ leading to the same distribution

$$p(a, b|x, y) := \mathrm{tr}[(A^x_a \otimes B^y_b)\rho] = \mathrm{tr}[(A'^x_a \otimes B'^y_b)\rho'].$$

In this case, we write $(\mathcal{M}, \rho) \equiv (\mathcal{M}', \rho')$. We thus see that the maximal achievable key rate for $\rho$ is also achievable for $\rho'$. We thus have

$$K^{DI}(\rho) \le K^{DI}(\rho').$$

Combining this bound with Eq. (1) we find that

$$K^{DI}(\rho) \le \sup_{\mathcal{M}} \inf_{(\mathcal{M}',\rho'):\,(\mathcal{M},\rho)\equiv(\mathcal{M}',\rho')} K(\rho'). \tag{2}$$

A proof based on the formal definitions of the involved rates is given in the Supplementary Material.

We will now give a construction of examples, where $(\mathcal{M}, \rho) \equiv (\mathcal{M}', \rho')$. For this, note that transposing Bob’s system does not change the probabilities

$$\mathrm{tr}[(A^x_a \otimes B^y_b)\rho] = \mathrm{tr}[(A^x_a \otimes (B^y_b)^T)\rho^\Gamma].$$

Here, $T$ denotes the transpose and $\Gamma$ the partial transpose. The density matrix $\rho$ can lose the property of being positive semi-definite after partial transposition. For the equation above to be valid, we thus require $\rho^\Gamma \ge 0$, in which case $\rho$ is said to be PPT (Positive under Partial Transposition). PPT states are the only known examples of bound-entangled states, that is, entangled states from which no pure entanglement can be extracted at a positive rate [25]. Still, they form a rich class of states, including states from which a secret key can be extracted at positive rates [17, 26] (similar results are known for channels [27–29]). There are even examples of PPT entangled states that violate Bell inequalities [30]. When restricting to PPT states $\rho$, we therefore find

$$K^{DI}(\rho) \le \min\{K(\rho^\Gamma), K(\rho)\}. \tag{3}$$


To see the significance of the above result, it is important to note that there are PPT states for which $K(\rho)$ is high, but $K(\rho^\Gamma)$ is low [17, 31]. This implies a gap via the above inequality and therefore a fundamental difference between device-dependent and device-independent secrecy.

We now provide an example of states exhibiting this gap. Aiming at constructions with relatively few qubits, we further develop the results of [31, 32] (see also the Supplementary Material). In general, this gap holds for all those examples of PPT states that are close to private bits, but that after partial transposition become close to separable states [17, 31–34].

Examples. We consider the $2d \times 2d$ dimensional states from [31] which are of the form

$$\rho_d := \frac{1}{2}\begin{pmatrix} (1-p)\sqrt{XX^\dagger} & 0 & 0 & (1-p)X \\ 0 & pY & 0 & 0 \\ 0 & 0 & pY & 0 \\ (1-p)X^\dagger & 0 & 0 & (1-p)\sqrt{X^\dagger X} \end{pmatrix},$$

with $X$ and $Y$ to be chosen later, satisfying $\|X\|_1 = \|Y\|_1 = 1$. The qubit systems are called the key systems and the qudits are called the shield systems. By the privacy-squeezing technique of [26], this state has at least as much key as the key obtained by measuring

$$\rho_{\mathrm{Bell}} := \frac{1}{2}\begin{pmatrix} (1-p) & 0 & 0 & (1-p) \\ 0 & p & 0 & 0 \\ 0 & 0 & p & 0 \\ (1-p) & 0 & 0 & (1-p) \end{pmatrix},$$

which is a Bell diagonal state. A lower bound on this key is given by the Devetak-Winter protocol [16], which was also derived in [35, Eq. (22)] and reads

$$K_D(\rho_{\mathrm{Bell}}) \ge 1 - H\left(\left(1-p, \frac{p}{2}, \frac{p}{2}\right)\right),$$

where $H$ is the Shannon entropy.

In order for $\rho_d$ to be PPT, we choose $Y = \frac{1}{d}\sum_{i=0}^{d-1} |ii\rangle\langle ii|$ and $X = \frac{1}{d\sqrt{d}}\sum_{i,j=0}^{d-1} u_{ij} |ij\rangle\langle ji|$, with $u_{ij}$ being complex numbers of modulus $\frac{1}{\sqrt{d}}$ such that $U = \sum_{ij} u_{ij} |i\rangle\langle j|$ is a unitary matrix [32]. In particular, one can take $U$ to be the Fourier transform or (if $d$ is a power of two) a tensor power of the Hadamard matrix. We also choose $p = \frac{1}{\sqrt{d}+1}$. To conclude, we derived the lower bound

$$K(\rho_d) \ge 1 - H\left(\left(\sqrt{d}, \tfrac{1}{2}, \tfrac{1}{2}\right)/(\sqrt{d}+1)\right),$$

while the upper bound $K(\rho_d^\Gamma) \le \frac{1}{\sqrt{d}+1}$ was computed as part of [36, Supplementary material, Corollary 40]. See also Theorem 2 in the Supplemental Material, where [37] is used.

A quick check reveals that $K(\rho_d) > K(\rho_d^\Gamma)$ for all $d \ge 24$, i.e. for all states $\rho_d$ with at least three qubits and a qutrit in the shield at each side. In particular, $\rho_{2^5}$ is thus a 12 qubit state, which proves the separation between the device-dependent and the device-independent key. For 20 qubits of shield per side, we arrive at a state which has $K(\rho_{2^{20}}) \ge 0.98$ and $K(\rho^\Gamma_{2^{20}}) \le 1/(2^{10}+1) \sim 10^{-3}$.

Remark. At first, this does not seem to be a practical example. Note, however, that using the common subroutine advantage distillation on $\rho_d^{\otimes n}$ yields the same lower and upper bounds as $\rho_{d^n}$. Our results thus directly concern the amount of key distilled after advantage distillation [38] on the key part of 20 copies of $\rho_2$ if we make sure that the other 20 qubits of shield do not get in the hands of the eavesdropper. In particular, we see that whereas in QKD, the obtained bit in this setting is secure, the upper bound tells us that this bit is not secure in a device-independent setting. Therefore the state, and particularly any of its parts, including the shield, cannot be tested independently of the device. The quantum operation of removing a system (in our case, the shield) from the reach of the eavesdropper is based on trust in the quantum memories and cannot be certified by classical correlations alone.
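The "quick check" and the 20-copy figures quoted above can be reproduced numerically. The following Python sketch is an added example, not code from the paper; its function names are illustrative, and it evaluates only the two closed-form bounds stated in the text with p = 1/(√d + 1), without constructing the state ρ_d itself.

```python
import math


def shannon_entropy(probs):
    """Shannon entropy H in bits; zero-probability outcomes contribute nothing."""
    return -sum(q * math.log2(q) for q in probs if q > 0.0)


def mixing_weight(d):
    """p = 1/(sqrt(d)+1), the value the text chooses for shield dimension d."""
    if d < 2:
        raise ValueError("shield dimension d must be at least 2")
    return 1.0 / (math.sqrt(d) + 1.0)


def key_lower_bound(d):
    """Lower bound on K(rho_d): 1 - H((1-p, p/2, p/2)).

    The value is negative (i.e. the bound is trivial) for small d.
    """
    p = mixing_weight(d)
    return 1.0 - shannon_entropy((1.0 - p, p / 2.0, p / 2.0))


def transposed_key_upper_bound(d):
    """Upper bound 1/(sqrt(d)+1) on K(rho_d^Gamma); by Eq. (3) it also bounds
    the device-independent rate of rho_d."""
    return mixing_weight(d)


def smallest_gap_dimension(d_max=4096):
    """Smallest d at which the lower bound on K(rho_d) exceeds the upper bound
    on K(rho_d^Gamma), or None if no such d <= d_max exists."""
    for d in range(2, d_max + 1):
        if key_lower_bound(d) > transposed_key_upper_bound(d):
            return d
    return None


def bounds_after_advantage_distillation(d, copies):
    """Per the Remark, n copies of rho_d yield the same bounds as rho_{d^n}."""
    dim = d ** copies
    return key_lower_bound(dim), transposed_key_upper_bound(dim)


if __name__ == "__main__":
    print("first d with a provable gap:", smallest_gap_dimension())
    for d in (2, 23, 24, 2 ** 5, 2 ** 20):
        lo, hi = key_lower_bound(d), transposed_key_upper_bound(d)
        print(f"d={d:>8}  K(rho_d) >= {lo:+.4f}   K(rho_d^Gamma) <= {hi:.6f}")
    print("20 copies of rho_2:", bounds_after_advantage_distillation(2, 20))
```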

Device-Independent Entanglement Measures. Implicit in the upper bound on $K(\rho^\Gamma)$ was the use of the relative entropy of entanglement $E_r$. In this context, it is therefore natural to introduce device-independent entanglement measures. In analogy to Eq. (2), for any entanglement measure $E$ we define

$$E^\downarrow(\rho) := \sup_{\mathcal{M}} \inf_{(\mathcal{N},\sigma)\equiv(\mathcal{M},\rho)} E(\sigma) \le E(\rho), \tag{4}$$

where we use the down arrow to indicate the optimization over Eve’s implementation of the device, in close analogy to the down arrow used in the intrinsic information [39], where also an optimization over Eve’s action is carried out. Notice that $E^\downarrow(|\psi\rangle\langle\psi|) = E(|\psi\rangle\langle\psi|)$ because all pure states are self-testable [40]. If $E$ is either the distillable key $K$ or an upper bound on it, it then follows that

$$K^{DI} \le K^\downarrow \le E^\downarrow \le E. \tag{5}$$

In particular, for $E$ being the squashed entanglement $E_{sq}$ or the relative entropy of entanglement $E_r$, we obtain

$$K^{DI} \le \min\{E^\downarrow_{sq}, E^\downarrow_r\}.$$

In the example above, the relative entropy bound was implicitly used together with $E^\downarrow_r(\rho) \le E_r(\rho^\Gamma)$ for PPT states $\rho$. Note that fixing a choice of $\mathcal{M}$ in $E^\downarrow$ also produces a device-independent entanglement measure of a distribution.

Device-Independent Private Capacity. The ideas presented so far can also be applied to the private capacity $P(\Lambda)$ of a channel $\Lambda$. They are thus useful in the most general setting, where, for instance, the optical fiber itself is modelled and not only the states produced when using the optical fiber.


There are different natural versions of the private capacity depending on whether assistance by public communication is restricted to being one-way ($P_1$) or whether general two-way communication is allowed ($P_2$). In the information-theoretic setting, the setting without public communication ($P_0$) is also meaningful. With increased power comes increased rate, and thus

$$P_0 \le P_1 \le P_2.$$

The device-independent private capacity also has three analogous versions $P^{DI}_i$, $i = 0, 1, 2$ corresponding to whether two-way, one-way or no public communication is given to Alice and Bob outside the devices. Additionally, there will be different classes of adversarial devices, depending on whether we consider adversaries that, besides the quantum channel, use two-, one- or no-way public communication inside the devices to produce the state to be measured. Arguably, allowing less classical communication in the device than the one used by Alice and Bob is physically unsound, but can be used as a mathematical tool to reach some upper bounds. Thus, we can restrict ourselves to adversarial devices that use no public communication, which can only make the rates larger. Similarly, we also consider i.i.d. devices that do not use memory between the input states of different channel uses. Again, these are not realistic implementations of a device delivered by an adversary but merely a tool to provide upper bounds. Indeed, in practical scenarios the provided devices will often be from a cooperating rather than an adversarial party. These devices will use quantum memories at Alice and Bob and even classical communication outside the classical input-output rounds where communication is allowed, to maximize the key. In the Supplementary Material, we explore the various rates obtained when considering different classes of devices allowed to the adversary and the different variants of public communications that are allowed to the intended parties.

We now introduce the class of i.i.d. devices that use neither public communication nor memory between channel uses. A device for a channel $\Lambda$ from Alice to Bob is given by a tuple $(\mathcal{M}, \rho, \Lambda)$ of measurements $\mathcal{M}$ on Alice and Bob’s side, a bipartite state $\rho$ (half of which is the input to the channel), and a channel $\Lambda$. The conditional probability distribution is then obtained, as shown in Fig. 1, via

$$p(ab|xy) = \mathrm{tr}[(\mathrm{id} \otimes \Lambda)(\rho) \cdot M^x_a \otimes M^y_b].$$

We again write $(\mathcal{N}, \sigma, \Lambda') \equiv (\mathcal{M}, \rho, \Lambda)$ for devices that produce the same distribution. As in the case of entanglement measures for states, we can use any channel entanglement measure $E(\Lambda)$ to define a device-independent version

$$E^\downarrow(\Lambda) \equiv E^\downarrow_0(\Lambda) := \sup_{\mathcal{M},\rho} \inf_{(\mathcal{N},\sigma,\Lambda')\equiv(\mathcal{M},\rho,\Lambda)} E(\Lambda') \tag{6}$$

(see [41, 42] for the channel generalizations of $E_{sq}$ and $E_r$ respectively, as well as [43] for the use of the latter). See also [44].

FIG. 1. An i.i.d. device with no public communication and no memory in channel-based DIQKD (left) and the introduction of the partial transpose (right). We introduce this class of devices as $\mathrm{IDI}_0$ in the Supplementary Material.

The above quantities give rise to quantities $P^\downarrow_i$ which will be upper bounds on the actual device-independent private capacities. When combining them with an upper bound $P_i \le E$ we obtain (here illustrated with $i = 2$):

$$P^{DI}_2(\Lambda) \le P^\downarrow_2(\Lambda) \le E^\downarrow(\Lambda). \tag{7}$$

Also here, we can now apply the partial transpose idea. In order to do so, we introduce the partial transpose map $\vartheta$ ($\vartheta(\rho) = \rho^T$). If a channel $\Lambda$ is such that $\vartheta \circ \Lambda$ is also a channel (i.e. $\Lambda$ completely positive and completely co-positive), then any device for $\Lambda$ can be transformed into a device for $\vartheta \circ \Lambda$ with the same statistics as shown in Figure 1. The consequence is analogous to Equation (3) (for $i = 2$):

$$P^{DI}_2(\Lambda) \le P_2(\vartheta \circ \Lambda) \le E(\vartheta \circ \Lambda). \tag{8}$$

This bound can be used to show that there is a gap between the private capacity and the device-independent private capacity, as there exist examples of channels for which $P_2(\Lambda)$ is large, but $P_2(\vartheta \circ \Lambda)$ small [43].

Discussion. We have derived general upper bounds on the generation of device-independent key. For the sake of completeness, we provide a detailed definition of device-independent key rates [8, 9] in the Supplemental Material. Using the upper bounds, we have shown that a gap can exist between the device-dependent (or standard) and device-independent distillable key. In fact, the gap can be shown to be maximally large, meaning that some states and channels support secret key generation, but at most a negligible amount of device-independent secret key. The construction has been obtained for a class of states and channels that have zero distillable entanglement or quantum capacity and that are known as PPT states or channels. We leave it as an interesting challenge to lower the dimension of such examples.

Notice that the partial transpose approach has previously led to upper bounds on Bell non-locality in terms of faithful measures of entanglement [34], taking inspiration on upper bounds on key repeater rates [31]. In [36], bounds on the key repeater rate were given beyond the use of the partial transpose idea, leading to a connection with distillable entanglement. We hope that a similar result can be obtained connecting the device-independent distillable key and private capacity to the distillable entanglement and the quantum capacity, respectively [36], potentially leading to bounds for non-PPT states and channels.

One may regard the gap $\Delta K(\rho, \mathcal{M}) := K(\rho) - K^{DI}(\rho, \mathcal{M})$ as a measure of trust towards a device $(\rho, \mathcal{M})$ (and analogously for quantum channels). For example, $\Delta K$ is zero for the singlet with CHSH testing, meaning that this device does not need to be trusted, and the same may hold for all pure states. However, this is not the case for some bound-entangled states for which our results prove that $\Delta K$ is non-zero. Obtaining similar results for the multipartite case of conference key agreement is an interesting open problem.

Note. After concluding the research on this article, we became aware of the independent but closely related work [45], where a conjecture is formulated that bound-entangled states have zero device-independent key against quantum adversary [45] (see in this context the related results in case of non-signaling adversaries [46]). Our work can be regarded as supporting evidence for this conjecture.

Acknowledgements. MC acknowledges financial support from the European Research Council (ERC Grant Agreement No. 337603 and 81876) and VILLUM FONDEN via the QMATH Centre of Excellence (Grant No. 10059). RF was supported by the Bundesministerium für Bildung und Forschung (BMBF) through Grant 16KIS0857 and thanks Jed Kaniewski for useful discussions. KH acknowledges the support of the National Science Centre grant Sonata Bis 5 UMO-2015/18/E/ST2/00327, and partial support by the Foundation for Polish Science through the IRAP project, co-financed by the EU within the Smart Growth Operational Programme (contract no. 2018/MAB/5).


[1] C. H. Bennett and G. Brassard, Theoretical Computer Science 560, 7–11 (2014).

[2] V. Makarov, New Journal of Physics 11, 065003 (2009).

[3] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).

[4] J. Barrett, L. Hardy, and A. Kent, Phys. Rev. Lett. 95, 010503 (2005), arXiv:quant-ph/0405101.

[5] A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, Phys. Rev. Lett. 98, 230501 (2007), arXiv:quant-ph/0702152.

[6] D. Mayers and A. Yao, in Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280) (IEEE, 1998) pp. 503–509.

[7] U. Vazirani and T. Vidick, Physical Review Letters 113, 140501 (2014), erratum: 116, 089910(E) (2016).

[8] R. Arnon-Friedman, F. Dupuis, O. Fawzi, R. Renner, and T. Vidick, Nature Communications 9, 459 (2018).

[9] G. Murta, S. B. van Dam, J. Ribeiro, R. Hanson, and S. Wehner, Quantum Science and Technology 4, 035011 (2019).

[10] B. Hensen, H. Bernien, A. E. Dréau, A. Reiserer, N. Kalb, M. S. Blok, J. Ruitenberg, R. F. L. Vermeulen, R. N. Schouten, C. Abellan, W. Amaya, V. Pruneri, M. W. Mitchell, M. Markham, D. J. Twitchen, D. Elkouss, S. Wehner, T. H. Taminiau, and R. Hanson, Nature 526, 682 (2015).

[11] M. Giustina, M. A. Versteegh, S. Wengerowsky, J. Handsteiner, A. Hochrainer, K. Phelan, F. Steinlechner, J. Kofler, J.-A. Larsson, C. Abellan, W. Amaya, V. Pruneri, M. W. Mitchell, J. Beyer, T. Gerrits, A. E. Lita, L. K. Shalm, S. W. Nam, T. Scheidl, R. Ursin, B. Wittmann, and A. Zeilinger, Physical Review Letters 115, 250401 (2015).

[12] L. K. Shalm, E. Meyer-Scott, B. G. Christensen, P. Bierhorst, M. A. Wayne, M. J. Stevens, T. Gerrits, S. Glancy, D. R. Hamel, M. S. Allman, K. J. Coakley, S. D. Dyer, C. Hodge, A. E. Lita, V. B. Verma, C. Lambrocco, E. Tortorici, A. L. Migdall, Y. Zhang, D. R. Kumor, W. H. Farr, F. Marsili, M. D. Shaw, J. A. Stern, C. Abellan, W. Amaya, V. Pruneri, T. Jennewein, M. W. Mitchell, P. G. Kwiat, J. C. Bienfang, R. P. Mirin, E. Knill, and S. W. Nam, Physical Review Letters 115, 250402 (2015).

[13] J. Barrett, R. Colbeck, and A. Kent, Phys. Rev. Lett. 110, 010503 (2013), arXiv:1201.4407.

[14] M. Curty and H.-K. Lo, npj Quantum Information 5, 1 (2019).

[15] C. H. Bennett, “private communication,” (2019).

[16] I. Devetak and A. Winter, Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 461, 207–235 (2005), quant-ph/0306078.

[17] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, Physical Review Letters 94, 160502 (2005), quant-ph/0309110.

[18] I. Devetak, IEEE Transactions on Information Theory 51, 44 (2005).

[19] M. Christandl, R. König, and R. Renner, Physical Review Letters 102, 020504 (2009).

[20] E. Kaur, M. Wilde, and A. Winter, New Journal of Physics 22, 023039 (2020).

[21] R. Arnon-Friedman, Reductions to IID in Device-independent Quantum Information Processing, Ph.D. thesis, ETH Zurich, Switzerland (2018), arXiv:1812.10922 [quant-ph].

[22] M. Christandl, R. König, G. Mitchison, and R. Renner, Communications in Mathematical Physics 273, 473 (2007).

[23] R. Renner, Security of Quantum Key Distribution, Ph.D. thesis, ETH Zurich (2005), arXiv:quant-ph/0512258 [quant-ph].

[24] R. Renner, Nature Physics 3, 645–649 (2007).

[25] M. Horodecki, P. Horodecki, and R. Horodecki, Physical Review Letters 80, 5239–5242 (1998), quant-ph/9801069.

[26] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, IEEE Transactions on Information Theory 55, 1898–1929 (2009), quant-ph/0506189.

[27] K. Horodecki, M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim, IEEE Transactions on Information Theory 54, 2604–2620 (2008), arXiv:quant-ph/0608195.

[28] K. Horodecki, M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim, Phys. Rev. Lett. 100, 110502 (2008), arXiv:quant-ph/0702077.

[29] K. Horodecki, D. Leung, H.-K. Lo, and J. Oppenheim, Phys. Rev. Lett. 96, 070501 (2006), arXiv:quant-ph/0510067.

[30] T. Vértesi and N. Brunner, Nature Communications 5 (2014), 10.1038/ncomms6297.

[31] S. Bäuml, M. Christandl, K. Horodecki, and A. Winter, Nature Communications 6, 6908 (2015), arXiv:1402.5927.

[32] K. Horodecki, Ł. Pankowski, M. Horodecki, and P. Horodecki, IEEE Transactions on Information Theory 54, 2621–2625 (2008), quant-ph/0506203.

[33] K. Horodecki, General paradigm for distilling classical key from quantum states - on quantum entanglement and security, Ph.D. thesis, University of Warsaw (2008).

[34] K. Horodecki and G. Murta, Physical Review A 92, 010301 (2015).

[35] A. Acín, J. Bae, E. Bagan, M. Baig, L. Masanes, and R. Muñoz-Tapia, Physical Review A 73, 012327 (2006).

[36] M. Christandl and R. Ferrara, Physical Review Letters 119, 220506 (2017).

[37] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, Physical Review Letters 94, 200501 (2005), quant-ph/0404096.

[38] U. M. Maurer, IEEE Transactions on Information Theory 39, 733 (1993).

[39] U. M. Maurer and S. Wolf, IEEE Transactions on Information Theory 45, 499 (1999).

[40] A. Coladangelo, K. T. Goh, and V. Scarani, Nature Communications 8, 15485 (2017).

[41] M. Takeoka, S. Guha, and M. M. Wilde, Nature Communications 5, 5235 (2014).

[42] S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, Nature Communications 8, 15043 (2017).

[43] M. Christandl and A. Müller-Hermes, Communications in Mathematical Physics 353, 821–852 (2017).

[44] G. Smith, J. M. Renes, and J. A. Smolin, Physical Review Letters 100, 170502 (2008).

[45] R. Arnon-Friedman and F. Leditzky, “Upper bounds on device-independent quantum key distribution rates and a revised Peres conjecture,” (2020), arXiv:2005.12325 [quant-ph].

[46] M. Winczewski, T. Das, and K. Horodecki, “Limitations on device independent secure key via squashed non-locality,” (2019), arXiv:1903.12154 [quant-ph].

[47] M. Christandl, R. König, and R. Renner, Physical Review Letters 102, 020504 (2009).

LOWER BOUNDS ON KEY

In this Section, we derive and discuss in more detail the previous results and the states that we use to derive our lower bounds on the distillable key, used in the example in the main text.

We parametrize Bell diagonal states as follows

$$\rho_{\mathrm{Bell}} := \frac{1}{2\alpha+2\beta}\begin{pmatrix} \alpha & 0 & 0 & \gamma \\ 0 & \beta & \delta & 0 \\ 0 & \delta & \beta & 0 \\ \gamma & 0 & 0 & \alpha \end{pmatrix}.$$

A lower bound on the distillable key obtained from measuring Bell diagonal states was derived in [35, Eq. (22)] using Maurer’s advantage distillation [38] and the Devetak-Winter [16] protocols. These states were considered in [35], where they were parametrized as $\lambda_1 = \alpha+\gamma$, $\lambda_2 = \alpha-\gamma$, $\lambda_3 = \beta+\delta$, $\lambda_4 = \beta-\delta$. The values $\lambda_1,\dots,\lambda_4$ are the actual eigenvalues of the state and the probabilities of the Bell states. The lower bound found in [35, Eq. (22)] is

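\begin{align}
K(\rho_{\mathrm{Bell}}^{\otimes m}) &\ge 1 - h(\varepsilon) - (1-\varepsilon)\,h\!\left(\frac{1-\lambda_{\mathrm{eq}}^m}{2}\right) - \varepsilon\,h\!\left(\frac{1-\lambda_{\mathrm{dif}}^m}{2}\right) \notag\\
&= 1 - h(\varepsilon) - (1-\varepsilon)\,h\!\left(\frac{\alpha^m-\gamma^m}{2\alpha^m}\right) - \varepsilon\,h\!\left(\frac{\beta^m-\delta^m}{2\beta^m}\right) \tag{9}\\
&=: K^m_{\mathrm{AD\text{-}DW}}(\rho_{\mathrm{Bell}}) \notag
\end{align}

where $h(x) = -x\log_2 x - (1-x)\log_2(1-x)$ is the binary entropy and

$$\varepsilon = \frac{(\lambda_3+\lambda_4)^m}{(\lambda_1+\lambda_2)^m + (\lambda_3+\lambda_4)^m} = \frac{\beta^m}{\alpha^m+\beta^m},$$

$$\lambda_{\mathrm{eq}} = \frac{|\lambda_1-\lambda_2|}{\lambda_1+\lambda_2} = \frac{\gamma}{\alpha}, \qquad \lambda_{\mathrm{dif}} = \frac{|\lambda_3-\lambda_4|}{\lambda_3+\lambda_4} = \frac{\delta}{\beta}.$$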

For convenience we named the achieved rate above $K^m_{\mathrm{AD\text{-}DW}}(\rho_{\mathrm{Bell}})$, where AD-DW stands for Advantage-Distillation Devetak-Winter. The bound can be simplified by recalling the following property of the entropy ($H((p_1,\dots,p_d)) = -\sum_i p_i \log_2 p_i$):

$$h(p) + p\,h(q) + (1-p)\,h(r) = H\big((pq,\ p(1-q),\ (1-p)r,\ (1-p)(1-r))\big)$$

for all $p, q, r \in [0,1]$ ($p$ is the probability of a control bit for another bit in either probability $q$ or $r$). We thus have that Eq. (9) can be rewritten to

$$K^m_{\mathrm{AD\text{-}DW}}(\rho_{\mathrm{Bell}}) = 1 - H\!\left(\frac{(\alpha^m+\gamma^m,\ \alpha^m-\gamma^m,\ \beta^m+\delta^m,\ \beta^m-\delta^m)}{2\alpha^m+2\beta^m}\right).$$

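Note that the bound is invariant under multiplication by a constant of $\alpha$, $\beta$, $\gamma$ and $\delta$. Also notice that this lower bound is the same as the single-copy lower bound of

$$\rho_{\mathrm{Bell},m} := \frac{1}{2\alpha^m+2\beta^m}\begin{pmatrix} \alpha^m & 0 & 0 & \gamma^m \\ 0 & \beta^m & \delta^m & 0 \\ 0 & \delta^m & \beta^m & 0 \\ \gamma^m & 0 & 0 & \alpha^m \end{pmatrix}. \tag{10}$$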


Namely, we have

$$K^m_{\mathrm{AD\text{-}DW}}(\rho_{\mathrm{Bell}}) = K^1_{\mathrm{AD\text{-}DW}}(\rho_{\mathrm{Bell},m}). \tag{11}$$

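Corollary 1. Consider the following $2d \times 2d$ “block Bell diagonal” state

$$\rho = \begin{pmatrix} A_1 & 0 & 0 & C \\ 0 & B_1 & D & 0 \\ 0 & D^\dagger & B_2 & 0 \\ C^\dagger & 0 & 0 & A_2 \end{pmatrix}, \tag{12}$$

such that $\|A_1\|_1 = \|A_2\|_1 =: \alpha$, $\|B_1\|_1 = \|B_2\|_1 =: \beta$, $2\alpha + 2\beta = 1$. Let $\gamma := \|C\|_1$, $\delta := \|D\|_1$, then for all integers $m$

$$K(\rho^{\otimes m}) \ge 1 - H\!\left(\frac{(\alpha^m+\gamma^m,\ \alpha^m-\gamma^m,\ \beta^m+\delta^m,\ \beta^m-\delta^m)}{2\alpha^m+2\beta^m}\right). \tag{13}$$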

Proof. Consider the classical-classical-quantum (ccq) state obtained by computing the purification (the state of the eavesdropper) of $\rho$, tracing the qudit part, and then measuring the qubit part in the standard basis. By the privacy-squeezing technique of [26], the ccq state of $\rho$ is the same as the ccq state of

$$\rho_{\mathrm{ps}} = \begin{pmatrix} \|A_1\|_1 & 0 & 0 & \|C\|_1 \\ 0 & \|B_1\|_1 & \|D\|_1 & 0 \\ 0 & \|D^\dagger\|_1 & \|B_2\|_1 & 0 \\ \|C^\dagger\|_1 & 0 & 0 & \|A_2\|_1 \end{pmatrix}. \tag{14}$$

Therefore any protocol that distills key only from the ccq state will produce the same amount of key for both states. The advantage distillation protocol [38] and the Devetak-Winter protocol [16] are among these protocols and, in particular, they are the protocols used in [35] to obtain the lower bound Eq. (13) on the key of $\rho_{\mathrm{ps}}$. Therefore Eq. (13) holds for $\rho$.

Alternatively, we would like to bring attention to the fact that advantage distillation can be performed before privacy squeezing, leading to the same result. Indeed, as shown in [17], using advantage distillation directly on the qubits of the states in Corollary 1 results in

$$\rho_m = \begin{pmatrix} A_1^{\otimes m} & 0 & 0 & C^{\otimes m} \\ 0 & B_1^{\otimes m} & D^{\otimes m} & 0 \\ 0 & D^{\dagger\otimes m} & B_2^{\otimes m} & 0 \\ C^{\dagger\otimes m} & 0 & 0 & A_2^{\otimes m} \end{pmatrix}. \tag{15}$$

Privacy-squeezing $\rho_m$ then results in $\rho_{\mathrm{Bell},m}$ from Eq. (10). Then Corollary 1 follows from Eq. (11). In this sense, privacy squeezing commutes with advantage distillation for these states.

UPPER BOUNDS ON PARTIAL-TRANSPOSE KEY

In this section, we derive and discuss in detail the upper bound on the distillable key of $\rho^\Gamma$ for a class of “block Bell diagonal” states (Corollary 1) that are PPT. We use this upper bound in the example shown in the main text.

Theorem 2. Let $\rho_{ABA'B'}$ be a PPT block Bell diagonal state of the form

$$\rho_{ABA'B'} = \begin{pmatrix} \alpha A_1 & 0 & 0 & C \\ 0 & \beta B_1 & 0 & 0 \\ 0 & 0 & \beta B_2 & 0 \\ C^\dagger & 0 & 0 & \alpha A_2 \end{pmatrix}, \tag{16}$$

with $A_1, A_2, B_1, B_2$ separable states and $2\alpha + 2\beta = 1$. Then

$$K(\rho^\Gamma) < 2\beta, \tag{17}$$

where $\rho^\Gamma = \mathrm{id}\otimes T(\rho)$ is the partial-transposed state.

Proof. We first observe that $\rho^\Gamma$ is a state, since $\rho \in \mathrm{PPT}$. Next, $\rho^\Gamma$ can be expressed as a convex combination of two states

$$\rho^\Gamma = 2\alpha\,\rho'_{\mathrm{corr}} + 2\beta\,\rho'_{\mathrm{acorr}}$$

where

$$\rho'_{\mathrm{corr}} = \frac{1}{2}|00\rangle\langle 00| \otimes A_1^\Gamma + \frac{1}{2}|11\rangle\langle 11| \otimes A_2^\Gamma$$

is a separable state, and

$$\rho'_{\mathrm{acorr}} = \frac{1}{2}\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & B_1^\Gamma & C^\Gamma & 0 \\ 0 & C^{\dagger\Gamma} & B_2^\Gamma & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}$$

is a state that becomes separable after dephasing either of the qubits. In particular, the relative entropy of entanglement for these states reads

$$E_r(\rho'_{\mathrm{corr}}) = 0,$$

because the state is separable, and

$$E_r(\rho'_{\mathrm{acorr}}) \le 1,$$

because the relative entropy is non-lockable [37] and dephasing a qubit can be done by applying a unitary, picked at random between the identity and the Pauli Z. The non-lockability property then assures that $E_r$ does not drop down under a von-Neumann measurement by more than the entropy of the random variable that samples the unitary transformation [26, Theorem 3]. Since the relative entropy after the random unitary is zero, it could not have been more than $h(\tfrac{1}{2}) = 1$ before it. We thus have that

$$K(\rho^\Gamma) \le E_r(\rho^\Gamma) \le 2\beta\,E_r(\rho'_{\mathrm{acorr}}) \le 2\beta,$$

where we used the facts that $K \le E_r$ [17, 26] and that $E_r$ is convex.


FIG. 2. The shaded region is the set of pairs $(a, \alpha) \in [0,1]\times[0.415, 0.5]$ leading to the gap between the device-independent key $K^{DI}$ and the device-dependent one $K$, for states of the form of Equation (18), according to the parametrization $\gamma = \alpha a$ and $\beta = \tfrac{1}{2} - \alpha$.

GAP EXAMPLE

Recall that from the main text it follows that a sufficient condition for a PPT state to exhibit a gap $K^{DI}(\rho) < K(\rho)$ is that $K(\rho^\Gamma) < K(\rho)$. We show below a sufficient condition for a wide class of states.

Theorem 3. Let $\rho_{ABA'B'}$ be a PPT block Bell diagonal state of the form

$$\rho_{ABA'B'} = \begin{pmatrix} \alpha A_1 & 0 & 0 & C \\ 0 & \beta B_1 & 0 & 0 \\ 0 & 0 & \beta B_2 & 0 \\ C^\dagger & 0 & 0 & \alpha A_2 \end{pmatrix}, \tag{18}$$

with $A_1, A_2, B_1, B_2$ separable states and $2\alpha + 2\beta = 1$. Let $\gamma = \|C\|$, then the condition

$$H(\alpha-\gamma,\ \alpha+\gamma,\ \beta,\ \beta) < 2\alpha \tag{19}$$

implies a gap $K^{DI}(\rho) < K_D(\rho)$.

Proof. The result directly follows from Corollary 1 (for $m = 1$) and Theorem 2 and from what is said above. The condition $1 - H(\alpha-\gamma, \alpha+\gamma, \beta, \beta) > 2\beta$ is equivalent to Equation (19) via $2\alpha + 2\beta = 1$.

FIG. 3. The strongest restriction on the devices of the adversary in the case of state-based device-independent QKD. This device is a special case of the most general device shown in Fig. 6, which covers both state- and channels-based settings. Each round is an i.i.d. copy of the same measurements $\mathcal{N} = \{A^x_a, B^y_b\}$ on the same state $\sigma$. A cLOPC protocol around this device as in Fig. 4 is a particular qLOPC protocol on $\sigma^{\otimes n}$.

The sufficient condition given in Equation (19) can be further expressed with 2 parameters only, utilizing the normalization condition $2\alpha + 2\beta = 1$. We therefore express $\gamma = \alpha a$ with $\alpha \in [0,1]$ and $\beta = (1-2\alpha)/2$, obtaining the equivalent condition as a function of $\alpha$ and $a$:

$$H\!\left((1+a)\alpha,\ (1-a)\alpha,\ \tfrac{1}{2}-\alpha,\ \tfrac{1}{2}-\alpha\right) < 2\alpha. \tag{20}$$

The allowed region of parameters $(a, \alpha)$ that satisfy the above condition is presented in Figure 2.
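The following Python sketch is an added example, not code from the paper. It evaluates the advantage-distillation lower bound in both forms (Eq. (9) and the four-outcome entropy form), checks condition (20), and locates by bisection the boundary of the shaded region of Figure 2. All function names are this example's own, and it checks only the entropy inequality, not the PPT and separability assumptions of Theorem 3.

```python
import math


def shannon(probs):
    """Shannon entropy H in bits, with the convention 0*log2(0) = 0."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def h(x):
    """Binary entropy h(x)."""
    return shannon((x, 1.0 - x))


def ad_dw_rate_eq9(alpha, beta, gamma, delta, m=1):
    """Lower bound in the form of Eq. (9); requires alpha, beta > 0."""
    am, bm, gm, dm = alpha**m, beta**m, gamma**m, delta**m
    eps = bm / (am + bm)
    return (1.0 - h(eps)
            - (1.0 - eps) * h((am - gm) / (2.0 * am))
            - eps * h((bm - dm) / (2.0 * bm)))


def ad_dw_rate(alpha, beta, gamma, delta, m=1):
    """Same bound written as one four-outcome entropy (rewritten Eq. (9))."""
    am, bm, gm, dm = alpha**m, beta**m, gamma**m, delta**m
    norm = 2.0 * am + 2.0 * bm
    return 1.0 - shannon(((am + gm) / norm, (am - gm) / norm,
                          (bm + dm) / norm, (bm - dm) / norm))


def gap_margin(a, alpha):
    """2*alpha - H((1+a)alpha, (1-a)alpha, 1/2-alpha, 1/2-alpha).

    Positive exactly when condition (20) holds. It equals the m = 1 lower
    bound on K(rho) (Corollary 1 with delta = 0) minus the upper bound
    2*beta on K(rho^Gamma) from Theorem 2.
    """
    beta = 0.5 - alpha
    return 2.0 * alpha - shannon(((1 + a) * alpha, (1 - a) * alpha, beta, beta))


def gap_condition(a, alpha):
    """True when the pair (a, alpha) satisfies condition (20)."""
    return gap_margin(a, alpha) > 0.0


def alpha_threshold(a, lo=0.25, hi=0.5, iters=60):
    """Value of alpha above which (20) holds for this a, or None if never.

    Bisection is valid because the margin is increasing in alpha
    on [1/4, 1/2] for every fixed a in [0, 1].
    """
    if gap_margin(a, hi) <= 0.0:
        return None
    if gap_margin(a, lo) > 0.0:
        return lo
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if gap_margin(a, mid) > 0.0:
            hi = mid
        else:
            lo = mid
    return hi


def boundary(a_values):
    """Boundary of the region of Figure 2 as a list of (a, alpha_threshold)."""
    return [(a, alpha_threshold(a)) for a in a_values]


if __name__ == "__main__":
    for a, t in boundary((0.25, 0.5, 0.75, 1.0)):
        print(f"a = {a:.2f}: condition (20) holds for alpha > {t:.4f}")
```

For $a = 1$ the boundary sits just below $\alpha = 0.415$, which matches the lower end of the $\alpha$ range in the caption of Figure 2; for $a = 0$ the condition is never satisfied.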

THE STATE DISTILLABLE KEY

The set of bipartite local measurements $\mathcal{M}$ of a device is a collection of POVMs for Alice and POVMs for Bob. Together with a quantum state $\rho$, the result of measuring such POVMs will be a conditional probability distribution with two inputs and two outputs, creating equivalence classes of devices that generate the same distribution. Recall that we denote this condition as $(\mathcal{M}, \rho) \equiv (\mathcal{N}, \sigma)$. Additionally, an $\varepsilon$ distance between conditional distributions will induce an $\varepsilon$ distance between devices, which we can denote with $(\mathcal{M}, \rho) \approx_\varepsilon (\mathcal{N}, \sigma)$. It is enough, for example, to consider the distance

$$d(p, p') = \sup_{x,y} \|p(\cdot|x,y) - p'(\cdot|x,y)\|_1 \le \varepsilon.$$

Informally, the device-independent distillable key of a state is a supremum over all possible measurements $\mathcal{M}$ over the finite key rates $\kappa$ achieved by the best protocol on any device compatible with $(\mathcal{M}, \rho)$, all in an appropriate asymptotic limit of blocklength and security/distance parameter. This process is sufficiently general to include the recently proposed protocols of [8] and realistic future protocols. However, for our purpose of upper bounding this quantity, considering all the compatible devices at every blocklength is exceedingly cumbersome. To simplify the treatment, as mentioned in the main text, we define, as a relaxation, the larger device-independent distillable key $K^{DI}$, where we limit to compatible i.i.d. devices. These are shown in Fig. 3.
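An added sketch (not code from the paper) of the device equivalence $\equiv$ and the distance $d$ defined above: it computes $p(ab|xy)$ for a two-qubit device and compares it with a device that holds the partial-transposed state, once with Bob's POVM elements transposed as well and once without. The noisy Bell state, the Pauli measurements, the transposed-measurement construction and all function names are assumptions constructed for this illustration.

```python
import itertools

# Pauli observables used as constructed sample measurements.
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]


def kron(a, b):
    """Kronecker product of square matrices stored as nested lists."""
    n, m = len(a), len(b)
    return [[a[i // m][j // m] * b[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]


def transpose(a):
    return [list(col) for col in zip(*a)]


def partial_transpose_bob(rho):
    """(id (x) T)(rho) for two qubits, basis index = 2*alice + bob."""
    out = [[0.0] * 4 for _ in range(4)]
    for i, j, k, l in itertools.product(range(2), repeat=4):
        out[2 * i + j][2 * k + l] = rho[2 * i + l][2 * k + j]
    return out


def projectors(pauli):
    """Two-outcome POVM {(I + P)/2, (I - P)/2} of a Pauli observable P."""
    return [[[((i == j) + s * pauli[i][j]) / 2 for j in range(2)]
             for i in range(2)] for s in (1, -1)]


def behaviour(rho, alice, bob):
    """p(ab|xy) = tr[rho (M^x_a (x) M^y_b)], keyed by the inputs (x, y)."""
    def prob(ma, mb):
        op = kron(ma, mb)
        return sum(rho[r][c] * op[c][r]
                   for r in range(4) for c in range(4)).real
    return {(x, y): [prob(ma, mb) for ma in alice[x] for mb in bob[y]]
            for x in range(len(alice)) for y in range(len(bob))}


def distance(p, q):
    """d(p, p') = sup over (x, y) of the 1-norm distance of the outputs."""
    return max(sum(abs(u - v) for u, v in zip(p[k], q[k])) for k in p)


def noisy_bell_state(v):
    """Constructed sample: v |Phi+><Phi+| + (1 - v) I/4, PPT for v <= 1/3."""
    return [[v * (0.5 if i in (0, 3) and j in (0, 3) else 0.0)
             + (1 - v) * (0.25 if i == j else 0.0) for j in range(4)]
            for i in range(4)]


def compare_devices(v=0.3):
    """Return (d to the transposed device, d when only the state is swapped)."""
    rho = noisy_bell_state(v)
    rho_gamma = partial_transpose_bob(rho)
    alice = [projectors(X), projectors(Y)]
    bob = [projectors(X), projectors(Y)]
    bob_t = [[transpose(m) for m in povm] for povm in bob]
    honest = behaviour(rho, alice, bob)
    d_equiv = distance(honest, behaviour(rho_gamma, alice, bob_t))
    d_naive = distance(honest, behaviour(rho_gamma, alice, bob))
    return d_equiv, d_naive


if __name__ == "__main__":
    print(compare_devices())
```

The first distance is zero, so the two devices fall in the same equivalence class and cannot be told apart from input-output statistics; the second is nonzero because the Y measurement changes sign under transposition.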


FIG. 4. A device-independent protocol will use cLOPC to generate the classical inputs $x^n$ and $y^n$ to $n$ copies of the device $(\mathcal{N} = \{A^x_a, B^y_b\}, \sigma)$, and process the outputs $a^n$ and $b^n$. The composition of the measurements and the cLOPC protocols is a qLOPC protocol acting on the state $\sigma$ as a device-dependent protocol.

Our definition follows the style of [17, 31, 33]. The key of a device is defined as:

$$K^{DI}(\mathcal{M}, \rho) := \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \kappa^{DI,\varepsilon}_n(\mathcal{M}, \rho) \tag{21}$$

where

$$\kappa^{DI,\varepsilon}_n(\mathcal{M}, \rho) := \sup_{\Pi}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n\big(\Pi((\mathcal{N},\sigma)^{\otimes n})\big) \tag{22}$$

is the maximal key rate achieved for any security parameter $\varepsilon$, blocklength or number of copies $n$, and measurement $\mathcal{M}$ chosen by Alice and Bob.

$\Pi$ is a protocol composed of classical local operations and public communication (cLOPC) acting on $n$ identical copies of the device $(\mathcal{N}, \sigma)$, which composed with the measurement, results in a protocol of quantum local operations and public communication (qLOPC), as displayed in Fig. 4. $\kappa^{\varepsilon}_n(\Pi, (\mathcal{N}, \sigma))$ is the amount of $\varepsilon$-perfect key rate achieved at the output; since our result does not depend on its expression, which also varies with the security criteria, for an explicit definition of $\kappa^{\varepsilon}_n$ we refer to [8, 17, 31, 33] and references therein. The key of a state is then the maximum over the choice of measurements

$$K^{DI}(\rho) := \sup_{\mathcal{M}} K^{DI}(\mathcal{M}, \rho). \tag{23}$$

$K^{DI}(\rho)$ is the largest operationally justified definition of the device-independent key. This definition assumes that Alice and Bob have determined the best measurement for the state $\rho$ and allows the attacker to optimize over all the classical information. At the same time, $K^{DI}(\rho)$ restricts the attacker to i.i.d. device attacks, corresponding to the so-called collective attack in the case of device-dependent quantum key distribution. Although there is currently no analog of the quantum de Finetti theorem for device-independent QKD [21–23], it is possible that general attacks and i.i.d. attacks are also equally powerful in the device-independent scenario. [8] shows that this is the case for the CHSH game.

To obtain our bounds, we relax into non-operational rates. We further weaken the adversary by taking away his knowledge about the public information, which is possible because the cLOPC protocol with the measurement forms a particular qLOPC protocol. Namely, we have that the finite rate of Eq. (22) satisfies for all devices $(\mathcal{N}, \sigma)$ and cLOPC protocols $\Pi$

$$\kappa^{\varepsilon}_n\big(\Pi((\mathcal{N},\sigma)^{\otimes n})\big) \le \sup_{\Pi'\in\mathrm{qLOPC}} \kappa^{\varepsilon}_n\big(\Pi'(\sigma^{\otimes n})\big) \tag{24}$$

where $\Pi'$ in the right-hand side are now qLOPC protocols independent of the measurement $\mathcal{N}$. Notice that

$$\kappa^{\varepsilon}_n(\sigma) := \sup_{\Pi'\in\mathrm{qLOPC}} \kappa^{\varepsilon}_n\big(\Pi'(\sigma^{\otimes n})\big) \tag{25}$$

is the best device-dependent finite rate which asymptotically leads to the device-dependent distillable key

$$K(\rho) := \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \kappa^{\varepsilon}_n(\rho) \tag{26}$$

in the style of [17, 31, 33]. By taking infimum over devices $(\mathcal{N}, \sigma)$ on both sides of Eq. (24) we obtain

$$\kappa^{DI,\varepsilon}_n(\mathcal{M}, \rho) \le \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n(\sigma).$$

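Taking further the infimum over $\varepsilon$ and the limit of large $n$, we obtain

$$K^{DI}(\mathcal{M}, \rho) \le \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n(\sigma). \tag{27}$$

We summarize the proof of the above inequality in Lemma 4 below. The main result which follows from the above inequality (see Theorem 6 below) reads

$$K^{DI}(\rho) \le K^{\downarrow}(\rho) := \sup_{\mathcal{M}}\ \inf_{(\mathcal{N},\sigma)\equiv(\mathcal{M},\rho)} K(\sigma). \tag{28}$$

Before we proceed with the proof of the above statement we prove Eq. (27).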

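Lemma 4.

$$K^{DI}(\mathcal{M}, \rho) \le \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n(\sigma) \tag{29}$$

where $\kappa^{\varepsilon}_n(\sigma)$ is the finite parameter device-dependent rate of Eq. (25).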

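Proof. By simple max-min inequality we can swap the order of the optimization to get an upper bound, and by then relaxing to all device-dependent protocols we have

\begin{align}
\kappa^{DI,\varepsilon}_n(\mathcal{M}, \rho) &:= \sup_{\Pi\in\mathrm{cLOPC}}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n\big(\Pi((\mathcal{N},\sigma)^{\otimes n})\big) \tag{30}\\
&\le \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)}\ \sup_{\Pi\in\mathrm{cLOPC}} \kappa^{\varepsilon}_n\big(\Pi((\mathcal{N},\sigma)^{\otimes n})\big) \notag\\
&\le \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)}\ \sup_{\Pi'\in\mathrm{qLOPC}} \kappa^{\varepsilon}_n\big(\Pi'(\sigma^{\otimes n})\big) \tag{31}\\
&= \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n(\sigma) \tag{32}
\end{align}

where the rates in Equations (31) and (32) are the same rates introduced in Equations (25) and (26). The relaxation of the protocols in Equation (31) is clear and displayed in Figure 4; the measurement $\mathcal{N}$ acts like a fixed pre-processing on the state, and thus for any protocol $\Pi$ acting on the devices, the composition of $\Pi$ with the $n$ measurements $\mathcal{N}$ is just a particular protocol acting on $n$ copies of the state $\sigma$. Removing this constraint can only increase the rate. Plugging in the definition at Eq. (21), we thus have

$$K^{DI}(\mathcal{M}, \rho) \le \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n(\sigma) \tag{33}$$

and the proof is concluded.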

Before proving the main result of this section we need a technical observation.

Observation 5. The max-min inequality is also valid as a limsup-inf inequality. Namely, for any sequence of functions $f_n(x)$, we have

$$\limsup_{n\to\infty}\ \inf_x f_n(x) \le \inf_x\ \limsup_{n\to\infty} f_n(x) \tag{34}$$

Indeed, we can rewrite the limit superior using infimum and supremum, and then use max-min inequality followed by the commutation of two infima:

\begin{align*}
\limsup_{n\to\infty}\ \inf_x f_n(x) &= \inf_{n\ge 0}\ \sup_{m\ge n}\ \inf_x f_m(x) \\
&\le \inf_{n\ge 0}\ \inf_x\ \sup_{m\ge n} f_m(x) \\
&= \inf_x\ \limsup_{n\to\infty} f_n(x).
\end{align*}

We are ready to prove the main result.

Theorem 6. For any bipartite state $\rho$ it holds

$$K^{DI}(\rho) \le K^{\downarrow}(\rho) := \sup_{\mathcal{M}}\ \inf_{(\mathcal{N},\sigma)\equiv(\mathcal{M},\rho)} K(\sigma). \tag{35}$$

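Proof. We use Lemma 4 as our starting point and use Observation 5

\begin{align}
K^{DI}(\mathcal{M}, \rho) &\le \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)} \kappa^{\varepsilon}_n(\sigma) \tag{36}\\
&\le \inf_{\varepsilon>0}\ \inf_{(\mathcal{N},\sigma)\approx_\varepsilon(\mathcal{M},\rho)}\ \lim_{n\to\infty} \kappa^{\varepsilon}_n(\sigma). \tag{37}
\end{align}

We can always restrict the infimum to devices that are exactly equal to the original box; this only reduces the set of devices

$$K^{DI}(\mathcal{M}, \rho) \le \inf_{\varepsilon>0}\ \inf_{(\mathcal{N},\sigma)\equiv(\mathcal{M},\rho)}\ \lim_{n\to\infty} \kappa^{\varepsilon}_n(\sigma). \tag{38}$$

Since the infimum over devices is now independent of the security parameter, we can now simply commute the two infima

\begin{align}
K^{DI}(\mathcal{M}, \rho) &\le \inf_{(\mathcal{N},\sigma)\equiv(\mathcal{M},\rho)}\ \inf_{\varepsilon>0}\ \lim_{n\to\infty} \kappa^{\varepsilon}_n(\sigma) \tag{39}\\
&= \inf_{(\mathcal{N},\sigma)\equiv(\mathcal{M},\rho)} K(\sigma) \tag{40}
\end{align}

reaching the claim.

FIG. 5. A general LOPC protocol for channel $\Lambda$. At the beginning and after each channel use, Alice and Bob are allowed to perform an LOPC operation to prepare the input for the next channel use. In device-independent QKD, the quantum parts of the LOPC protocols are hidden behind the devices, and only classical protocols can occur outside the devices.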

CHANNEL PRIVATE CAPACITY WITH TWO-WAY, ONE-WAY OR NO CLASSICAL COMMUNICATION

The same idea presented in this paper for states also works for the private (or secret) capacity $P(\Lambda)$ of a channel $\Lambda$, and thus for the most general setting for QKD, which includes, for example, modelling the optical fiber itself instead of the states produced across the optical fiber.

We mentioned that the private capacity has different versions, namely the two-way ($P_2$), one-way ($P_1$), or direct ($P_0$) private capacities depending on whether two-way ($\mathrm{LOPC}_2$) or one-way classical communication ($\mathrm{LOPC}_1$), or only local operations (“0-way” communication, $\mathrm{LOPC}_0 = \mathrm{LO}$) are allowed in the privacy protocol (practical protocols might still need communication for practical purposes, like testing, outside/around the privacy protocol). With increasing power comes increasing rates and thus $P_0 \le P_1 \le P_2$. These device-dependent private capacities are all defined as

$$P_i(\Lambda) := \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \pi^{\varepsilon}_{i,n}(\Lambda), \tag{41}$$

where $\pi^{\varepsilon}_{i,n}(\Lambda)$ is the largest $\varepsilon$-perfect key rate obtained by the best privacy protocol (with $i$-way communication) that uses $n$ identical copies of $\Lambda$. A general protocol around $n$ i.i.d. copies of $\Lambda$ is displayed in Figure 5.

In the device-independent channel setting, given a channel $\Lambda$ from Alice to Bob, we define an honest device for $\Lambda$ as a tuple $(\mathcal{M}, \rho, \Lambda)$, where $\rho$ is a bipartite state of Alice and the input to the channel, and $\mathcal{M}$ is a device measurement of Alice and Bob (the output of the channel). The conditional probability distribution is then obtained via

$$p_{(\mathcal{M},\rho,\Lambda)}(ab|xy) = \mathrm{tr}\big[(\mathrm{id}\otimes\Lambda)(\rho)\cdot M^x_a \otimes M^y_b\big],$$

and we have the same definitions of equality and distance for two devices. Again we define

$$(\mathcal{M},\rho,\Lambda) \equiv (\mathcal{M}',\rho',\Lambda'), \qquad (\mathcal{M},\rho,\Lambda) \approx_\varepsilon (\mathcal{M}',\rho',\Lambda')$$

as the conditions

$$p_{(\mathcal{M},\rho,\Lambda)} = p_{(\mathcal{M}',\rho',\Lambda')}, \qquad p_{(\mathcal{M},\rho,\Lambda)} \approx_\varepsilon p_{(\mathcal{M}',\rho',\Lambda')}.$$

FIG. 6. This device is the most general way an adversary could implement any device in DIQKD, whether the honest implementation is i.i.d., state-based, channel-based, or neither. Single lines are quantum systems; double lines are classical systems; $x_i$, $y_i$ are the inputs, and $a_i$, $b_i$ the outputs of the device. This device is almost the most general case allowed by the entropy-accumulation theorem (EAT) [8]. Indeed, an entropy-accumulation channel (EAC) [8] is obtained by joining such a device with the inputs generated by a Markov chain and copying the inputs as additional outputs.

At this point, recall that we can distinguish between the classical communication used by Alice and Bob outside the device in the classical distillation protocol and the communication used by Eve inside the device to produce the quantum states to be measured. We will thus define various classes of devices. Notice that all the classes of devices that we will define are a special case of the devices in Fig. 6 where the adversary is allowed to do anything in between the rounds and is only required to provide two pairs of classical input-outputs. We remark on this because the devices of Fig. 6 are part of the so-called entropy-accumulation channels for which the best information-theoretic tool currently available obtains the largest achieved device-independent key rates [8].

We denote by $\mathrm{DI}_0$, $\mathrm{DI}_1$ and $\mathrm{DI}_2$ the devices where the channel is i.i.d., memory is allowed, and respectively use none, one-way or two-way public communication between the input-output rounds. Notice that this communication does not happen between Alice and Bob giving their classical inputs and receiving their classical outputs (which would not allow for device independence), but either before the inputs are given or after the outputs are obtained. The largest of the classes, $\mathrm{DI}_2$, is displayed in Fig. 7. The $\mathrm{DI}_j$ devices can still share memory locally at Alice and Bob across each round. Thus we can further restrict the adversary as mentioned above and define the (i.i.d.-device independent) variants $\mathrm{IDI}_0$, $\mathrm{IDI}_1$, and $\mathrm{IDI}_2$, where the devices are i.i.d. and are not allowed memory or communication from one round to the next. Notice that the i.i.d. assumption in the case of channels is much stronger and is unnatural compared to the state case because even if the channel itself in the device is i.i.d., the device might be non-i.i.d. because of the input state. In general, even Alice and Bob need to use non-i.i.d. input states to achieve the private capacity [44]. In contrast, in the state case, the de Finetti reduction shows that we can assume i.i.d. input states without loss of generality [24, 47]. Therefore our use of $\mathrm{IDI}_0$ devices is purely technical. Figure 8 displays the class of devices $\mathrm{DI}_0$, and cutting the lines connecting the input-output measurement with the next round produces $\mathrm{IDI}_0$.

FIG. 7. A $\mathrm{DI}_2$ device, a channel device on i.i.d. copies of the channel $\Lambda$ that uses two-way public communication and memory between the rounds to generate the input state for the channel uses. To obtain the other $\mathrm{DI}_j$ devices, restrict the classical communication (double lines). To get the $\mathrm{IDI}_j$ devices, remove the memory (single lines) connecting the input/output rounds to the next channel input. The cLOPC protocols used by Alice and Bob to distill the key connect to the classical lines in this diagram, i.e., by connecting the cLOPC protocol to the input-output rounds as done in Fig. 4.

FIG. 8. A $\mathrm{DI}_0$ device, a restriction of $\mathrm{DI}_2$ devices where the adversary is not allowed to use classical communication between the two sides of the device in the preparation of the states with the i.i.d. channel $\Lambda$. Here the input state is generated at each round from a quantum memory, while in the main text, we are also restricted to single-copy i.i.d. states ($\mathrm{IDI}_0$ devices). Both lead to the same bound. A cLOPC protocol around this device is still a particular qLOPC protocol around $\Lambda^{\otimes n}$.

We can now define the corresponding device-independent private capacity for each choice of adversarial devices and each choice of available communication to Alice and Bob. In order to do that, we want to change $\pi^{\varepsilon}_{i,n}$, as for the state scenario, and define for $i, j = 0, 1, 2$

$$P^{\mathrm{DI}_j}_i(\mathcal{M}, \rho, \Lambda) := \inf_{\varepsilon>0}\ \lim_{n\to\infty}\ \pi^{\mathrm{DI}_j,\varepsilon}_{i,n}(\mathcal{M}, \rho, \Lambda), \tag{42}$$

where $\pi^{\mathrm{DI}_j,\varepsilon}_{i,n}$ will be the largest key rate optimized over privacy protocols, this time also including a minimization over the possible devices in $\mathrm{DI}_j$ that are compatible with the honest device. Again, the upper bounds that we are interested in are upper bounds for all these capacities, and thus for simplicity, it will suffice to focus on just the i.i.d. devices $\mathrm{IDI}_j$. This will allow us to define just $\pi^{\mathrm{IDI}_j,\varepsilon}_{i,n}$, which is less cumbersome than defining $\pi^{\mathrm{DI}_j,\varepsilon}_{i,n}$. The largest of these capacities is $P^{\mathrm{IDI}_0}_2$, since i.i.d. devices, larger $i$ and smaller $j$ make for larger rates. Private capacities with $j < i$ are arguably less meaningful because they allow less classical communication between the devices than is permitted to Alice and Bob. Therefore, they should be considered for completeness and more as mathematical tools.

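Each device-independent private capacity $P^{\mathrm{DI}_j}_i$ or $P^{\mathrm{IDI}_j}_i$ is upper bounded by a device-dependent capacity, as a consequence of defining and upper bounding the corresponding finite rates as follows. Each choice of $i$ and $j$ defines the finite key rates $\pi^{\mathrm{DI}_j,\varepsilon}_{i,n}$ and $\pi^{\mathrm{IDI}_j,\varepsilon}_{i,n}$, both bounded by a device-dependent finite key rate, by making the device-independent protocol, together with the state and measurement of the device, a specific device-dependent protocol:

\begin{align}
\pi^{\mathrm{DI}_j,\varepsilon}_{i,n}(\mathcal{M}, \rho, \Lambda) &\le \pi^{\mathrm{IDI}_j,\varepsilon}_{i,n}(\mathcal{M}, \rho, \Lambda) \tag{43}\\
&:= \sup_{\Pi\in\mathrm{cLOPC}_i}\ \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\approx_\varepsilon(\mathcal{M},\rho,\Lambda)}} \kappa^{\varepsilon}_n(\Pi, (\mathcal{N},\sigma,\Lambda')) \tag{44}\\
&\le \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\approx_\varepsilon(\mathcal{M},\rho,\Lambda)}}\ \sup_{\Pi\in\mathrm{cLOPC}_i} \kappa^{\varepsilon}_n(\Pi, (\mathcal{N},\sigma,\Lambda')) \tag{45}\\
&\le \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\approx_\varepsilon(\mathcal{M},\rho,\Lambda)}}\ \sup_{\Pi'\in\mathrm{qLOPC}_{\max\{i,j\}}} \kappa^{\varepsilon}_n(\Pi', \Lambda') \tag{46}\\
&= \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\approx_\varepsilon(\mathcal{M},\rho,\Lambda)}} \pi^{\varepsilon}_{\max\{i,j\},n}(\Lambda') \tag{47}\\
&\le \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\approx_\varepsilon(\mathcal{M},\rho,\Lambda)}} \pi^{\varepsilon}_{2,n}(\Lambda') \tag{48}
\end{align}

where $\kappa^{\varepsilon}_n$ is the rate of achieved $\varepsilon$-perfect key, while $\pi^{\varepsilon}_{\ell,n}$ is the device-dependent finite rate already optimized over $\ell$-way protocols acting on $n$ copies of $\Lambda'$. Taking the limits, and with the same arguments as Equation (28), gives upper bounds of the device-independent capacities $P^{\mathrm{DI}_j}_i$ in terms of optimized device-dependent capacities $P_{\max\{i,j\}}$:

$$P^{\mathrm{DI}_j}_i(\mathcal{M}, \rho, \Lambda) \le \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\equiv(\mathcal{M},\rho,\Lambda)}} P_{\max\{i,j\}}(\Lambda'), \tag{49}$$

and in particular, with $\ell := \max\{i,j\}$,

\begin{align}
P^{\mathrm{DI}_j}_i(\Lambda) &:= \sup_{\mathcal{M},\rho} P^{\mathrm{DI}_j}_i(\mathcal{M}, \rho, \Lambda) \tag{50}\\
&\le P^{\downarrow j}_{\ell}(\Lambda) := \sup_{\mathcal{M},\rho}\ \inf_{\substack{(\mathcal{N},\sigma,\Lambda')\in\mathrm{IDI}_j \\ (\mathcal{N},\sigma,\Lambda')\equiv(\mathcal{M},\rho,\Lambda)}} P_{\ell}(\Lambda') \tag{51}\\
&\le P^{\downarrow 0}_{2}(\Lambda) \tag{52}
\end{align}

FIG. 9. Relationship between the device-independent channel capacities.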

Remark. Notice that we did not prove that $P^{\mathrm{DI}_j}_i \le P^{\downarrow j}_i$, the crucial step being (46). Take the example of $i = 1$ and $j = 2$: Alice and Bob are allowed only one-way communication, whereas the devices could use two-way communication. The possibility of $P^{\mathrm{DI}_2}_1 > P^{\downarrow 2}_1$ means that the added power of two-way communication could allow the device to switch to a channel $\Lambda'$ with bad one-way private capacity, e.g., $P_1(\Lambda') = 0$. However, to mimic the statistics of the original channel, some key needs to be extracted using the two-way communication, increasing $P^{\mathrm{DI}_2}_1$ but not $P^{\downarrow 2}_1$. Still, this could be a better attack than simply finding the worst replacement using only one-way communication.

In other words, we could have the following situation. We could have $P^{\mathrm{DI}_2}_1(\Lambda) > 0$, in particular $P_1(\Lambda) > 0$, meaning that the channel has good and verifiable one-way private capacity. At the same time we could have a channel $\Lambda'$ with $P_1(\Lambda') = 0$ and $P_2(\Lambda') > 0$ that can simulate $\Lambda$ with two-way communication. This, in particular, would mean that in order to simulate $\Lambda$ with $\Lambda'$ some key must be distilled with two-way communication.

We can then define different variants of the device-independent entanglement measures of channels, namely for a measure $E(\Lambda)$ we can define different device-independent optimizations $E^{\downarrow 0}$, $E^{\downarrow 1}$ and $E^{\downarrow 2}$ depending on the communication allowed in the device. Since, as an argument to the entanglement measure, we are concerned with only one copy of the channel, the devices in the optimization in $E^{\downarrow j}$ are $\mathrm{IDI}_j$ devices. Then, any upper bound $P_{\max\{i,j\}} \le E$ leads to a device-independent upper bound $P^{\mathrm{DI}_j}_i \le E^{\downarrow j}$.

We can finally make the same use of the partial transpose map, which we denote with $\vartheta$ ($\vartheta(\rho) = \rho^T$). If a channel $\Lambda$ is such that $\vartheta\circ\Lambda$ is also a channel, then any device for $\Lambda$ can be transformed into a device for $\vartheta\circ\Lambda$ with the exact same statistics; the case of $\mathrm{IDI}_0$ is shown in Figure 1. The consequence is the analogue of Eq. (3):

$$P^{\mathrm{DI}_j}_i(\Lambda) \le P_{\max\{i,j\}}(\vartheta\circ\Lambda) \le P_2(\vartheta\circ\Lambda),\ E^{\downarrow j}(\vartheta\circ\Lambda), \tag{53}$$

which is the claim of the main text. We would like to recall the conclusion from the main text, that it is enough to consider fully i.i.d. devices because the transposition map itself is i.i.d., meaning that the $n$-fold transposition is a tensor product of single channel transpositions. Examples of channels for which $P_1(\Lambda)$ is large but $P_2(\vartheta\circ\Lambda)$ is small can be found in [43].