Analysis of a High-Dimensional Extended B92 Protocol

Hasan Iqbal¹¹1Email: [email protected] Department of Computer Science and Engineering
University of Connecticut
Storrs, CT 06269 USA Walter O. Krawec Department of Computer Science and Engineering
University of Connecticut
Storrs, CT 06269 USA

Abstract

Quantum key distribution (QKD) allows two parties to establish a shared secret key that is secure against all-powerful adversaries. One such protocol named B92 is quite appealing due to its simplicity but is highly sensitive to channel noise. In this work, we investigate a high-dimensional variant of an extended version of the B92 protocol and show that it can distill a key over high noise channels. The protocol we consider requires that Alice send only three high-dimensional states and Bob only perform partial measurements. We perform an information-theoretic security analysis of our protocol and compare its key rate to that of a high-dimensional BB84 protocol over depolarization and amplitude damping channels.

1 Introduction

The need for perfect security necessitated the development of cryptographic systems where there are no computational constraints on the capabilities of the adversary. Quantum key distribution (QKD) is one such system that is extensively studied and is increasingly maturing to the point of real-world adoption. In QKD, using quantum mechanical properties of communication resources, two parties Alice (A) and Bob (B), following a specified set of steps, generate a shared secret that is secure from an all-powerful adversary Eve (E).

Since the first QKD protocol by Bennett and Brassard in $1984$ (BB84) [1], there have been numerous advances in both theoretical and practical aspects [2, 3, 4]. However, because generating, maintaining, and manipulating quantum resources are exceptionally hard with current technologies, people have strived to create conceptually simpler protocols that also require less quantum resources. For instance, BB84 itself uses four quantum states and two measurement bases. In 1992, Bennett proposed an even simpler QKD protocol called B92, that uses only two non-orthogonal states and measurement bases [5].

The unconditional security of this protocol has been investigated by several authors [6, 7] with continually improving results (for instance, in [7], a noise tolerance of $6.5\%$ is reported). However, B92 is very noise sensitive compared to other protocols like BB84 as was already noted in the original paper [5]. Lucamarini et al. [8], proposed an extended version of B92 (Ext-B92) which added two additional non-informative states to better bound Eve’s information gain. Depending on the user-defined choice for key encoding states, the noise tolerance of that protocol can approach $11\%$ in the asymptotic scenario [8], similar to BB84, and at least $7\%$ in the finite key scenario [9].

These protocols mentioned above use qubits (dimension two systems) as the communication resource between Alice and Bob. However, higher dimensional quantum systems (see [10] for a brief survey) have been shown to have several advantages and interesting properties over qubit-based protocols. Some protocols have been shown to withstand a high channel noise level as the dimension of the system increases [11, 12, 13, 14]. Others exhibit interesting theoretical properties such as the so-called “Round Robin” protocol which can bound Eve’s information based only on the dimension of the system and not necessarily through observing channel noise [15]. In addition to several theoretical results that prove the unconditional security of HD-QKD protocols, the actual technology to implement high-dimensional systems is also becoming more mature with recent high-dimensional protocols proving to be feasible to implement [16, 17, 18, 19, 20]. Thus, it is worth studying protocols that are highly susceptible to noise, like B92 based variants (in our case the extended B92), to see if HD-systems give an advantage.

In this work, we propose a high-dimensional variant of the Ext-B92 protocol of [8]. Keeping in mind that certain high-dimensional states are difficult to create or distinguish, we make sure in our protocol to limit the required state preparations and measurement operations required. In particular, Alice need only be able to send three high dimensional states while Bob need only be able to perform a computational basis measurement (distinguishing any computational state $\{\ket{0},\ket{1},\cdots,\ket{D-1}\}$ ) or be able to perform a partial basis measurement in an alternative basis - this partial measurement need only distinguish a particular superposition state defined in the protocol and need not be capable of distinguishing all $D$ possible states. As far as we are aware, this is a novel high-dimensional QKD protocol.

Despite these limitations on Alice and Bob’s capabilities, we show that these higher dimensional states do help improve noise tolerance in this protocol as the dimension of the system increases which agrees with recent research on high-dimensional BB84. We perform an information-theoretic security analysis and show that it can maintain a positive key rate while withstanding noise levels of $5.35\%$ for qubits (dimension $2$ ) to $15.5\%$ for dimension $2^{14}$ in a depolarizing channel. Thus, we show that higher dimensions can aid in depolarization noise tolerance for a B92 style encoding scheme with (partial) extended test cases in the form of a third basis state being transmitted for testing the channel. Moreover, we consider an amplitude damping channel and show that choosing the distinguished superposition state carefully in a high-dimensional QKD protocol is of significant importance as different choices lead to different noise tolerances.

We make several contributions in this work. First, we describe and analyze a high-dimensional version of the Ext-B92 protocol originally introduced for qubits [8]. We perform an information theoretic security analysis against collective attacks (a powerful class of attacks against QKD protocols) to derive its key-rate in the asymptotic scenario for arbitrary dimensions and channel parameters. Our methods here may have a broader impact in other QKD protocol security analyses, especially for high-dimensional systems with only partial basis measurements or state preparations as with our protocol here. Finally, we evaluate our resulting key rate and compare it with a high-dimensional version of the BB84 protocol, showing how the choice of states to send can greatly affect the key-rate depending on the channel.

2 Notation

For a quantum system $A$ we will use $\rho_{A}$ to denote its density operator. Its von Neumann entropy will be denoted by $S(A)=S(\rho_{A})$ and is defined by $-\tr(\rho_{A}\log\rho_{A})$ . Given a bipartite quantum state $\rho_{AE}$ shared by two systems $A$ and $E$ , we will denote the conditional von Neumann entropy of $A$ given access to $E$ , by $S(A|E)_{\rho}$ . We will often forgo writing the subscript $\rho$ when the context is clear. This conditional entropy is defined as $S(AE)-S(E)$ . The Shannon entropy of $A$ will be denoted by $H(A)$ and the conditional Shannon entropy of two systems $A$ and $B$ , will be denoted by $H(A|B)$ . The binary entropy function will also be represented by $H(p)$ where $H(p)=-p\log(p)-(1-p)\log(1-p)$ for $p\in[0,1]$ . All logarithms presented in this work are base $2$ . For an arbitrary quantum state $\ket{\psi}$ , we use $P(\ket{\psi})$ to denote its projector $\outerproduct{\psi}{\psi}$ . Finally, given a vector $\ket{x}$ and a numerical value such as $\frac{1}{2}$ we sometimes write $\ket{\frac{1}{2}x}$ to mean $\frac{1}{2}\ket{x}$ .

Later, to compute the lower bound of the conditional von Neumann entropy of a classical-quantum state $\rho_{AE}$ , we make use of the following theorem:

Theorem 1.

(From [21]): Let $\mathcal{H}_{A}\otimes\mathcal{H}_{E}$ be a finite dimensional Hilbert space. Consider the following density operator.

\displaystyle\rho_{AE}=\frac{1}{N}\left(\outerproduct{0}{0}_{A}\otimes\sum_{i=1}^{\tau}\outerproduct{e_{i}^{0}}{e_{i}^{0}}+\outerproduct{1}{1}_{A}\otimes\sum_{i=1}^{\tau}\outerproduct{e_{i}^{1}}{e_{i}^{1}}\right),

where $N>0$ is a normalization term, $\tau<\infty$ , and each $\ket{e_{i}^{j}}\in\mathcal{H}_{E}$ (these are not necessarily normalized, nor orthogonal, states; also it might be that $\ket{e_{i}^{j}}\equiv 0$ for some $i$ and $j$ ). Let $n_{i}^{j}=\innerproduct{e_{i}^{j}}{e_{i}^{j}}\geq 0$ . Then:

\displaystyle S(A|E)_{\rho}\geq\sum_{i=1}^{\tau}\left(\frac{n_{i}^{0}+n_{i}^{1}}{N}\right)\cdot S_{i},

where:

\displaystyle S_{i}=\begin{cases}h\Big{(}\frac{n_{i}^{0}}{n_{i}^{0}+n_{i}^{1}}\Big{)}-h(\lambda_{i})&\quad\text{if }n_{i}^{0}>0\text{ and }n_{i}^{1}>0,\\ 0&\quad\text{otherwise.}\end{cases}

and:

\displaystyle\lambda_{i}=\frac{1}{2}+\frac{\sqrt{(n_{i}^{0}-n_{i}^{1})^{2}+4\real^{2}\innerproduct{e_{i}^{0}}{e_{i}^{1}}}}{2(n_{i}^{0}+n_{i}^{1})}.

3 The Protocol

The protocol we propose here is a high-dimensional variant of the Ext-B92 protocol originally described in [8]. In that protocol, two non-orthogonal states, similar to B92, are used for key encoding while two additional states are used for quantum tomography (these four states together come from two distinct bases). In the higher dimensional case we analyze here, we will use two non-orthogonal states for key encoding; for error testing, we adopt a simplification from [9] (done there for the qubit case) and not require users to be able to control two complete bases. More specifically, in our high-dimensional extended B92, Alice sends $\ket{i}$ and $\ket{\phi}=\frac{1}{\sqrt{2}}(\ket{i}+\ket{j})$ to encode classical key bits of $0$ and $1$ respectively, where $\ket{i},\ket{j}$ are fixed and chosen from the $D$ -dimensional computational basis states $\{\ket{0},...,\ket{D-1}\}$ . We ask that Alice send only $\ket{j}$ as the additional uninformative state. Thus, Alice need only be able to prepare and send three distinct quantum states. On Bob’s part, we require his ability to measure in two POVMs. These are $Z=\{\outerproduct{0}{0},...,\outerproduct{D-1}{D-1}\}$ (the complete computational basis) and $X=\{\outerproduct{\phi}{\phi},\mathbb{I}-\outerproduct{\phi}{\phi}\}$ where of course, the identity operator $\mathbb{I}$ is understood to be $D$ -dimensional. Hence, Bob would be able to detect any computational basis state but would only need to detect $\ket{\phi}$ . Our protocol, which we call here HD-Ext-B92, in detail appears in Protocol 1.

Protocol 1 High-dimensional Extended B92 (HD-Ext-B92)

Public Parameters: The dimension of a signal state $D\geq 2$ and the choice of distinct $i,j\in\{0,1,\cdots,D-1\}$ are arbitrary, but are fixed at the start of the protocol and known to all parties (including the adversary).
Quantum Communication Stage: The quantum communication stage of the protocol will repeat the following until a sufficiently large raw-key has been distilled:

1.

Alice chooses randomly whether this round will be a “key-round”, where a raw key bit will attempt to be established, or a “test” round, which will be used for error testing later. If this is a key-round, she will choose a random key bit and if this is $0$ , she will prepare and send the state $\ket{i}$ ; otherwise, she sends the state $\ket{\phi}$ . If this is a test round, she will prepare $\ket{i}$ , $\ket{j}$ , or $\ket{\phi}$ choosing uniformly at random.
2.

Bob measures in either the $Z$ basis or using POVM $X$ . In a key-round, if he uses $Z$ and observes any outcome other than $\ket{i}$ , then he sets his bit to be 1. Otherwise, if he uses POVM $X$ and observes $\mathbb{I}-\outerproduct{\phi}{\phi}$ , then he sets his bit to be 0. All other results are considered inconclusive.
3.

Alice informs Bob over the authenticated channel whether this was a test round or a key-round. If this is a key-round, Bob also tells Alice if his result was inconclusive (in which case both parties discard the iteration). On test-rounds, both parties disclose their choices and measurement outcomes to determine the error rate in the channel. In particular, they will observe those statistics enumerated in Table 1. Note that we will not discard mismatched basis events; i.e., events where Alice and Bob use different bases. Indeed, such events can greatly improve key generation rates [22, 23, 24, 25, 26] and so we use this technique here.

Classical Communication Stage: Alice and Bob will next run an error correction protocol and a privacy amplification protocol resulting in a secret key of size $\ell$ bits (possibly $\ell=0$ if it is determined that Eve has too much information, to be discussed later in this paper, and so parties abort the protocol).

Table 1: Definition of Alice and Bob’s directly observable parameters (

\ket{b}\in\{\ket{0},...,\ket{D-1}\}

)

Parameter	Description of Probability Value
$p_{ib}$	Bob observes $\ket{b}$ conditioned on Alice sending $\ket{i}$ and Bob choosing the $Z$ basis
$p_{jb}$	Bob observes $\ket{b}$ conditioned on Alice sending $\ket{j}$ and Bob choosing the $Z$ basis
$p_{\phi b}$	Bob observes $\ket{b}$ conditioned on Alice sending $\ket{\phi}$ and Bob choosing the $Z$ basis
$p_{i\phi}$	Bob observes $\ket{\phi}$ conditioned on Alice sending $\ket{i}$ and Bob choosing POVM $X$
$p_{j\phi}$	Bob observes $\ket{\phi}$ conditioned on Alice sending $\ket{j}$ and Bob choosing POVM $X$
$p_{\phi\phi}$	Bob observes $\ket{\phi}$ conditioned on Alice sending $\ket{\phi}$ and Bob choosing POVM $X$

4 Security Analysis

In the quantum communication stage of our protocol, Alice and Bob use the quantum channel to establish a raw-key. Because Eve has total control over this channel, she may attack the traveling signals arbitrarily while only respecting the laws of physics. In this paper, we consider collective attacks whereby Eve attacks each round of the protocol independently and identically, but may delay her measurements until the end of the protocol. These are a powerful class of attack which often imply security of general coherent attacks [27, 28], though we leave a complete proof of whether this applies to our protocol as future work.

The goal of our analysis is to obtain a lower bound on the conditional von Neumann entropy $S(A|E)$ , which represents how much entropy is left in Alice’s register $A$ , given Eve’s (quantum) memory $E$ . Then, we will find how much this quantity differs from the conditional Shannon entropy $H(A|B)$ , which represents how much entropy is left in Alice’s register given Bob’s memory $B$ . These two terms will ultimately let us calculate our quantity of interest from this protocol, which is, the key rate $r$ (namely, the number of secret key bits, denoted $\ell$ over the size of the produced raw key denoted $M$ ). To compute the key rate we use the Devetak Winter key-rate [29, 30], which states the key rate $r$ in the asymptotic setting is:

\displaystyle r=\underset{M\rightarrow\infty}{\lim}\frac{\ell}{M}=\inf[S(A|E)-H(A|B)],

(1)

where the infimum is over all collective attacks performed by Eve that fall within the range of observed noise statistics (in our case, those statistics shown in Table 1). Note that the above entropy functions are computed over a single key-round. However $S(A|E)$ is not straightforward to calculate, unlike $H(A|B)$ , because it involves Eve’s quantum memory on which we only have partial information. Nevertheless, we can obtain a lower bound on $S(A|E)$ which will be the main goal of our security analysis.

We begin by modeling the state of the joint quantum system held between Alice, Bob, and Eve at the end of one key-round of the protocol. That is, to compute Equation 1, we need the von Neumann entropy of the resulting density operator conditioned on a key bit being distilled and so we must model the joint quantum state, conditioning on the event that Alice and Bob establish a key bit.

At the beginning of the protocol, Alice decides on her classical bit and sends her qudit accordingly to Bob. If she wants to send classical bit $0$ , she sends a $\ket{i}$ and if she wants to send $1$ , she sends a $\ket{\phi}$ . So when she sends the qudits, her own classical register, denoted by $A$ and the transit register, denoted by $T$ (used to model the traveling qudit), is in the following state:

\displaystyle\rho^{(0)}_{AT}=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\outerproduct{i}{i}_{T}+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\outerproduct{\phi}{\phi}_{T}.

Eve attacks this traveling qudit with a unitary attack operator $U$ , which acts on Hilbert space $\mathcal{H}_{T}\otimes\mathcal{H}_{E}$ . Here, $\mathcal{H}_{E}$ models Eve’s memory space. Assuming her own memory is in an arbitrary but normalized state $\ket{\chi}_{E}$ that resides in $\mathcal{H}_{E}$ , we can describe $U$ ’s action on a basis state $\ket{a}$ as:

\displaystyle U\ket{a}_{T}\otimes\ket{\chi}_{E}=\sum_{b=0}^{D-1}\ket{b,e_{b}^{a}}_{TE},

where $D$ is the dimension of each qudit and each $\ket{e_{b}^{a}}$ is an arbitrary state in Eve’s ancilla. Because $U$ is unitary, we note that the following must hold: $\sum_{b=0}^{D-1}\innerproduct{e_{b}^{i}}{e_{b}^{i}}=1.$ Additionally, by linearity of $U$ we have:

$\displaystyle U\ket{\phi}_{T}$	$\displaystyle=U\frac{1}{\sqrt{2}}(\ket{i}_{T}+\ket{j}_{T})$
	$\displaystyle=\frac{1}{\sqrt{2}}\sum_{b=0}^{D-1}\ket{b}_{T}\otimes(\ket{e_{b}^{i}}_{E}+\ket{e_{b}^{j}}_{E})$
	$\displaystyle=\frac{1}{\sqrt{2}}\sum_{b=0}^{D-1}\ket{b}_{T}\otimes\ket{f_{b}}_{E},$	(2)

where, $\ket{f_{b}}_{E}:=\ket{e_{b}^{i}}_{E}+\ket{e_{b}^{j}}_{E}$ . So the result of Eve’s attack on $\rho^{(0)}_{AT}$ is the following:

	$\displaystyle\rho^{(1)}_{ATE}$	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes U\outerproduct{i}{i}_{T}U^{\dagger}+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes U\outerproduct{\phi}{\phi}_{T}U^{\dagger}$
		$\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes P\left(\sum_{b=0}^{D-1}\ket{b,e_{b}^{i}}_{TE}\right)+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes P\left(\frac{1}{\sqrt{2}}\sum_{b=0}^{D-1}\ket{b}_{T}\otimes\ket{f_{b}}_{E}\right),$

where, recall, $P(\ket{z})=\outerproduct{z}{z}$ is the projection operator. Henceforth, we will forgo writing the subscript for a register when the context is clear. Now, after the qudit arrives at Bob’s lab, he measures the transit register $T$ in either POVM $Z$ or $X$ with equal probability. Let’s consider the case when he uses $X$ and gets the outcome $\mathbb{I}-\outerproduct{\phi}{\phi}$ (we are conditioning on a successful key-round for this analysis). This is the case when Bob sets his key-bit to $0$ , because in a noiseless scenario, this outcome could only be obtained when Alice would have sent an $\ket{i}$ . Let’s define the measurement operator in this case as $M_{0}=\mathbb{I}_{A}\otimes(\mathbb{I}-\outerproduct{\phi}{\phi})\otimes\mathbb{I}_{E}$ . Then the un-normalized post-measurement state, conditioned on him observing $M_{0}$ (again, we are only interested, for the moment, in a successful key distillation round) is:

$\displaystyle\rho_{ATE}^{X}$	$\displaystyle=M_{0}\cdot\rho^{(1)}_{ATE}\cdot M_{0}^{\dagger}$
	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}\otimes P\Big{(}((\mathbb{I}-\outerproduct{\phi}{\phi})\otimes\mathbb{I})\sum_{b}\ket{b,e_{b}^{i}}\Big{)}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}\otimes P\Big{(}\frac{1}{\sqrt{2}}\big{(}(\mathbb{I}-\outerproduct{\phi}{\phi})\otimes\mathbb{I}\big{)}\sum_{b}\ket{b}\otimes\ket{f_{b}}\Big{)}$
	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}\otimes P\Big{(}\sum_{b}\ket{b,e_{b}^{i}}-\frac{1}{2}(\ket{i,e_{i}^{i}}+\ket{i,e_{j}^{i}}+\ket{j,e_{i}^{i}}+\ket{j,e_{j}^{i}})\Big{)}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}\otimes P\Big{(}\frac{1}{\sqrt{2}}\big{(}\sum_{b}\ket{b,f_{b}}-\frac{1}{2}(\ket{i,f_{i}}+\ket{i,f_{j}}+\ket{j,f_{i}}+\ket{j,f_{j}})\big{)}\Big{)}$
	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}\otimes P\Big{(}\sum_{b\neq i,b\neq j}\ket{b,e_{b}^{i}}+\frac{1}{2}(\ket{i}\otimes(\ket{e_{i}^{i}}-\ket{e_{j}^{i}}))-\frac{1}{2}(\ket{j}\otimes(\ket{e_{i}^{i}}-\ket{e_{j}^{i}}))\Big{)}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}\otimes P\Big{(}\frac{1}{\sqrt{2}}\big{(}\sum_{b\neq i,b\neq j}\ket{b,f_{b}}+\frac{1}{2}(\ket{i}\otimes(\ket{f_{i}}-\ket{f_{j}}))-\frac{1}{2}(\ket{j}\otimes(\ket{f_{i}}-\ket{f_{j}}))\big{)}\Big{)}$
	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}\otimes P\Big{(}\sum_{b\neq i,b\neq j}\ket{b,e_{b}^{i}}+\frac{1}{2}\ket{i,g}-\frac{1}{2}\ket{j,g}\Big{)}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}\otimes P\Big{(}\frac{1}{\sqrt{2}}\big{(}\sum_{b\neq i,b\neq j}\ket{b,f_{b}}+\frac{1}{2}\ket{i,h}-\frac{1}{2}\ket{j,h}\big{)}\Big{)},$	(3)

where in the last equality, we have defined $\ket{g}=\ket{e_{i}^{i}}-\ket{e_{j}^{i}}$ and $\ket{h}=\ket{f_{i}}-\ket{f_{j}}$ . Now that Bob has his $X$ basis measurement result at his hand, we can trace out the transit register $T$ and add Bob’s register $B$ to hold his measurement result. Then the resulting state is:

	$\displaystyle\rho_{AEB}^{X}$	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\Big{(}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\outerproduct{g}{g}\Big{)}\otimes\outerproduct{0}{0}_{B}$
		$\displaystyle+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\frac{1}{2}\Big{(}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{2}\outerproduct{h}{h}\Big{)}\otimes\outerproduct{0}{0}_{B}.$

Similarly, if he uses POVM $Z$ and gets outcome $\mathbb{I}-\outerproduct{i}{i}$ , he can be certain in a noiseless scenario that Alice has sent a $\ket{\phi}$ . With the measurement operator $M_{1}:=\mathbb{I}_{A}\otimes(\mathbb{I}-\outerproduct{i}{i})\otimes\mathbb{I}_{E}$ , in this case we get the following un-normalized post-measurement state:

	$\displaystyle\rho_{ATE}^{Z}$	$\displaystyle=M_{1}\cdot\rho^{(1)}_{ATE}\cdot M_{1}^{\dagger}$
		$\displaystyle=\frac{1}{2}\outerproduct{0}{0}\otimes P\Big{(}(\mathbb{I}-\outerproduct{i}{i})\sum_{b}\ket{b,e_{b}^{i}}\Big{)}+\frac{1}{2}\outerproduct{1}{1}\otimes P\Big{(}\frac{1}{\sqrt{2}}(\mathbb{I}-\outerproduct{i}{i})\sum_{b}\ket{b}\otimes\ket{f_{b}}\Big{)}$
		$\displaystyle=\frac{1}{2}\outerproduct{0}{0}\otimes P\Big{(}\sum_{b\neq i}\ket{b,e_{b}^{i}}\Big{)}+\frac{1}{2}\outerproduct{1}{1}\otimes P\Big{(}\frac{1}{\sqrt{2}}\sum_{b\neq i}\ket{b}\otimes\ket{f_{b}}\Big{)}.$

Following a similar procedure as before, we trace out the transit register $T$ and add Bob’s register holding his measurement result. The resulting density operator is:

\displaystyle\rho_{AEB}^{Z}

\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\sum_{b\neq i}\outerproduct{e_{b}^{i}}{e_{b}^{i}}\otimes\outerproduct{1}{1}_{B}+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\frac{1}{2}\sum_{b\neq i}\outerproduct{f_{b}}{f_{b}}\otimes\outerproduct{1}{1}_{B}.

Then the total (still non-normalized) density operator that represents a key-bit generation round, is the following:

$\displaystyle\rho_{AEB}$	$\displaystyle=\rho_{AEB}^{X}+\rho_{AEB}^{Z}$
	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\Big{(}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\outerproduct{g}{g}\Big{)}\otimes\outerproduct{0}{0}_{B}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\frac{1}{2}\Big{(}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{2}\outerproduct{h}{h}\Big{)}\otimes\outerproduct{0}{0}_{B}$
	$\displaystyle+\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\sum_{b\neq i}\outerproduct{e_{b}^{i}}{e_{b}^{i}}\otimes\outerproduct{1}{1}_{B}+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\frac{1}{2}\sum_{b\neq i}\outerproduct{f_{b}}{f_{b}}\otimes\outerproduct{1}{1}_{B}$
	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\Big{(}\big{(}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\outerproduct{g}{g}\big{)}\otimes\outerproduct{0}{0}_{B}+\sum_{b\neq i}\outerproduct{e_{b}^{i}}{e_{b}^{i}}\otimes\outerproduct{1}{1}_{B}\Big{)}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\Big{(}\frac{1}{2}\big{(}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{2}\outerproduct{h}{h}\big{)}\otimes\outerproduct{0}{0}_{B}+\frac{1}{2}\sum_{b\neq i}\outerproduct{f_{b}}{f_{b}}\otimes\outerproduct{1}{1}_{B}\Big{)}.$	(4)

Keeping in mind that, our ultimate goal is to bound Eve’s entropy about Alice’s register, i.e. $S(A|E)$ , in the case where Alice and Bob shares a key-bit, we trace out Bob’s register too, keeping only the registers of Alice and Eve. Thus, we calculate the final required density operator as:

$\displaystyle N\cdot\rho_{AE}$	$\displaystyle=\frac{1}{2}\outerproduct{0}{0}_{A}\otimes\Big{(}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\outerproduct{g}{g}+\sum_{b\neq i}\outerproduct{e_{b}^{i}}{e_{b}^{i}}\Big{)}$
	$\displaystyle+\frac{1}{2}\outerproduct{1}{1}_{A}\otimes\Big{(}\frac{1}{2}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{4}\outerproduct{h}{h}+\frac{1}{2}\sum_{b\neq i}\outerproduct{f_{b}}{f_{b}}\Big{)}$
	$\displaystyle=\outerproduct{0}{0}_{A}\otimes\Big{(}\frac{1}{2}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{4}\outerproduct{g}{g}+\frac{1}{2}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\outerproduct{e_{j}^{i}}{e_{j}^{i}}\Big{)}$
	$\displaystyle+\outerproduct{1}{1}_{A}\otimes\Big{(}\frac{1}{4}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{8}\outerproduct{h}{h}+\frac{1}{4}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{4}\outerproduct{f_{j}}{f_{j}}\Big{)}$
	$\displaystyle=\outerproduct{0}{0}\otimes\Big{(}\sum_{b\neq i,b\neq j}\outerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\outerproduct{e_{j}^{i}}{e_{j}^{i}}+\frac{1}{4}\outerproduct{g}{g}\Big{)}$
	$\displaystyle+\outerproduct{1}{1}\otimes\Big{(}\frac{1}{2}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{4}\outerproduct{f_{j}}{f_{j}}+\frac{1}{8}\outerproduct{h}{h}\Big{)},$	(5)

where the normalization term $N$ can be calculated as:

\displaystyle N

\displaystyle=\sum_{b\neq i,b\neq j}\innerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\innerproduct{e_{j}^{i}}{e_{j}^{i}}+\frac{1}{4}\innerproduct{g}{g}+\frac{1}{2}\sum_{b\neq i,b\neq j}\innerproduct{f_{b}}{f_{b}}+\frac{1}{4}\innerproduct{f_{j}}{f_{j}}+\frac{1}{8}\innerproduct{h}{h}

(6)

Now, using Theorem 1, we may compute the conditional entropy as:

\displaystyle S(A|E)\geq\sum_{b\neq i,b\neq j}\left(\frac{n_{b}^{0}+n_{b}^{1}}{N}\right)s_{b}+\left(\frac{n_{i}^{0}+n_{i}^{1}}{N}\right)s_{i}+(\frac{n_{j}^{0}+n_{j}^{1}}{N})s_{j},

(7)

where:

	$\displaystyle n_{b}^{0}:=\innerproduct{e_{b}^{i}}{e_{b}^{i}},\qquad n_{b}^{1}:=\frac{1}{2}\innerproduct{f_{b}}{f_{b}},\text{ for all $b\neq i,j$}$
	$\displaystyle n_{i}^{0}:=\frac{1}{2}\innerproduct{e_{j}^{i}}{e_{j}^{i}},\qquad n_{i}^{1}:=\frac{1}{8}\innerproduct{h}{h},$
	$\displaystyle n_{j}^{0}:=\frac{1}{4}\innerproduct{g}{g},\qquad n_{j}^{1}:=\frac{1}{4}\innerproduct{f_{j}}{f_{j}}.$

and:

	$\displaystyle s_{b}$	$\displaystyle=H_{2}\left(\frac{n_{b}^{0}}{n_{b}^{0}+n_{b}^{1}}\right)-H_{2}\left(\frac{1}{2}+\frac{\sqrt{(n_{b}^{0}-n_{b}^{1})^{2}+4\times\real^{2}\innerproduct{e_{b}^{i}}{\frac{1}{\sqrt{2}}f_{b}}}}{2(n_{b}^{0}+n_{b}^{1})}\right)$
	$\displaystyle s_{i}$	$\displaystyle=H_{2}\left(\frac{n_{i}^{0}}{n_{i}^{0}+n_{i}^{1}}\right)-H_{2}\left(\frac{1}{2}+\frac{\sqrt{(n_{i}^{0}-n_{i}^{1})^{2}+4\times\real^{2}\innerproduct{\frac{1}{2}e_{j}^{i}}{\frac{1}{2\sqrt{2}}h}}}{2(n_{i}^{0}+n_{i}^{1})}\right)$
	$\displaystyle s_{j}$	$\displaystyle=H_{2}\left(\frac{n_{j}^{0}}{n_{j}^{0}+n_{j}^{1}}\right)-H_{2}\left(\frac{1}{2}+\frac{\sqrt{(n_{j}^{0}-n_{j}^{1})^{2}+4\times\real^{2}\innerproduct{\frac{1}{2}g}{\frac{1}{2}f_{j}}}}{2(n_{j}^{0}+n_{j}^{1})}\right).$

Thus, to find a lower bound on $S(A|E)$ (thus giving us a lower bound on the protocol’s key-rate), we must determine bounds for the inner-products appearing in the above expressions. Of course, these inner products are functions of Eve’s quantum ancilla. We show how to determine suitable bounds on these systems based only on parameters that are directly observable in our protocol during test rounds (see Table 1).

4.1 Parameter Estimation

To calculate the conditional entropy of $\rho_{AE}$ , we need to estimate all the inner products appearing in equation (6). This can be done by connecting these inner products with observable noise statistics that arise from test rounds of Alice and Bob’s quantum communication. Let us see the statistics that can be observed directly in a test round. For example, in a round where Alice sends an $\ket{i}$ or a $\ket{j}$ , Eve attacks with $U$ , and Bob measures in $Z$ ; the probability that Bob gets a particular outcome $\outerproduct{b}{b}$ in $Z$ can be used to estimate partial $Z$ basis channel noise. In the following, by $p_{ib}$ and $p_{jb}$ , we denote the probability that, given that Alice prepares $\ket{i}$ or $\ket{j}$ and Bob measures the transit register in basis $Z$ then the outcome is $\outerproduct{b}{b}$ for a particular $b\in\{0,...,D-1\}$ . (See also Table 1.)

	$\displaystyle p_{ib}$	$\displaystyle=\bra{i}U^{\dagger}(\outerproduct{b}{b}\otimes\mathbb{I})U\ket{i}=\innerproduct{e_{b}^{i}}{e_{b}^{i}}$		(8)
	$\displaystyle p_{jb}$	$\displaystyle=\bra{j}U^{\dagger}(\outerproduct{b}{b}\otimes\mathbb{I})U\ket{j}=\innerproduct{e_{b}^{j}}{e_{b}^{j}}$		(9)

thus giving us $\{n_{b}^{0}\}$ as needed in the entropy equation. Now, we trace the evolution of the quantum system when Alice prepares $\ket{i}$ and Bob measures in POVM $X$ . For example, we can not observe the inner product $\innerproduct{e_{i}^{i}}{e_{j}^{i}}$ directly. But we consider the probability that Alice sends an $\ket{i}$ , Eve attacks with $U$ , and Bob measures in $X$ to find a $\ket{\phi}$ , denoted as $p_{i\phi}$ :

$\displaystyle p_{i\phi}$	$\displaystyle=\bra{i}U^{\dagger}(\outerproduct{\phi}{\phi}\otimes\mathbb{I})U\ket{i}$
	$\displaystyle=\sum_{b,c}\bra{b}\outerproduct{\phi}{\phi}\ket{c}\innerproduct{e_{b}^{i}}{e_{c}^{i}}$
	$\displaystyle=\frac{1}{2}\sum_{b,c}\bra{b}(\outerproduct{i}{i}+\outerproduct{i}{j}+\outerproduct{j}{i}+\outerproduct{j}{j})\ket{c}\innerproduct{e_{b}^{i}}{e_{c}^{i}}$
	$\displaystyle=\frac{1}{2}(\innerproduct{e_{i}^{i}}{e_{i}^{i}}+\innerproduct{e_{i}^{i}}{e_{j}^{i}}+\innerproduct{e_{j}^{i}}{e_{i}^{i}}+\innerproduct{e_{j}^{i}}{e_{j}^{i}})$
	$\displaystyle=\frac{1}{2}(p_{ii}+2\real\innerproduct{e_{i}^{i}}{e_{j}^{i}}+p_{ij}),$	(10)

where, we have used equation (8) for $p_{ii},p_{ij}$ and an elementary property of complex inner products. Notice that, even though we could not observe $\innerproduct{e_{i}^{i}}{e_{j}^{i}}$ , equation (10) will imply:

\displaystyle 2\real\innerproduct{e_{i}^{i}}{e_{j}^{i}}=2p_{i\phi}-p_{ii}-p_{ij}.

(11)

Using this estimation of $\real\innerproduct{e_{i}^{i}}{e_{j}^{i}}$ , we can now estimate the inner product $\innerproduct{g}{g}$ , which appears in the normalizer $N$ in equation (6). This is:

$\displaystyle\innerproduct{g}{g}$	$\displaystyle=(\bra{e_{i}^{i}}-\bra{e_{j}^{i}})(\ket{e_{i}^{i}}-\ket{e_{j}^{i}})$
	$\displaystyle=\innerproduct{e_{i}^{i}}{e_{i}^{i}}-\innerproduct{e_{i}^{i}}{e_{j}^{i}}-\innerproduct{e_{j}^{i}}{e_{i}^{i}}+\innerproduct{e_{j}^{i}}{e_{j}^{i}}$
	$\displaystyle=p_{ii}-2\real\innerproduct{e_{i}^{i}}{e_{j}^{i}}+p_{ij}$
	$\displaystyle=2p_{ii}+2p_{ij}-2p_{i\phi}.$	(12)

Now let’s focus on calculating $\innerproduct{f_{b}}{f_{b}}$ . Remembering that $\ket{f_{b}}=\ket{e_{b}^{i}}+\ket{e_{b}^{j}}$ (See equation (2)), we can easily derive the following:

$\displaystyle\innerproduct{f_{b}}{f_{b}}$	$\displaystyle=(\bra{e_{b}^{i}}+\bra{e_{b}^{j}})(\ket{e_{b}^{i}}+\ket{e_{b}^{j}})$
	$\displaystyle=\innerproduct{e_{b}^{i}}{e_{b}^{i}}+\innerproduct{e_{b}^{i}}{e_{b}^{j}}+\innerproduct{e_{b}^{j}}{e_{b}^{i}}+\innerproduct{e_{b}^{j}}{e_{b}^{j}}$
	$\displaystyle=p_{ib}+2\real\innerproduct{e_{b}^{i}}{e_{b}^{j}}+p_{jb},$	(13)

where we have used equation (8) and (9) for $p_{ib},p_{jb}$ . Now if we look closely at equation $\eqref{evephifbfb}$ , we see that $\innerproduct{f_{b}}{f_{b}}$ is actually directly observable. Because it is the probability that Alice sends a $\ket{\phi}$ , Eve attacks with $U$ , and conditioned on the case that Bob measures in $Z$ , gets an outcome $\ket{b}$ . We denote it by $p_{\phi b}$ and see that:

$\displaystyle p_{\phi b}$	$\displaystyle=\bra{\phi}U^{\dagger}(\outerproduct{b}{b}\otimes\mathbb{I})U\ket{\phi}$
	$\displaystyle=\Big{(}\frac{1}{\sqrt{2}}\sum_{c=0}^{D-1}\bra{c}\otimes\bra{f_{c}}\Big{)}(\outerproduct{b}{b}\otimes\mathbb{I})\Big{(}\frac{1}{\sqrt{2}}\sum_{d=0}^{D-1}\ket{d}\otimes\ket{f_{d}}\Big{)}$
	$\displaystyle=\frac{1}{2}\sum_{c,d=0}^{D-1}\bra{c}\outerproduct{b}{b}\ket{d}\innerproduct{f_{c}}{f_{d}}$
	$\displaystyle=\frac{1}{2}\innerproduct{f_{b}}{f_{b}},$	(14)

and consequently, $\innerproduct{f_{b}}{f_{b}}=2p_{\phi b}$ . So, from equations (13) and (14) we infer the following:

\displaystyle 2\real\innerproduct{e_{b}^{i}}{e_{b}^{j}}=2p_{\phi b}-p_{ib}-p_{jb}.

(15)

Notice that equation (13) and consequently (15), holds for all $b=0,...,D-1$ . So we immediately get $\innerproduct{f_{j}}{f_{j}}$ for normalizer $N$ . Now let’s calculate the last inner product in $N$ which is $\innerproduct{h}{h}$ . First let’s discover the constituent inner products for $\innerproduct{h}{h}$ . Then we will connect each of those to Alice and Bob’s observables.

$\displaystyle\innerproduct{h}{h}$	$\displaystyle=(\bra{f_{i}}-\bra{f_{j}})(\ket{f_{i}}-\ket{f_{j}})$
	$\displaystyle=\innerproduct{f_{i}}{f_{i}}-\innerproduct{f_{i}}{f_{j}}-\innerproduct{f_{j}}{f_{i}}+\innerproduct{f_{j}}{f_{j}}$
	$\displaystyle=\innerproduct{f_{i}}{f_{i}}-2\real\innerproduct{f_{i}}{f_{j}}+\innerproduct{f_{j}}{f_{j}}.$	(16)

Now, let us take advantage of another directly observable quantity. Which is the probability that Bob would measure a $\ket{\phi}$ in the $X$ basis if Alice indeed sent a $\ket{\phi}$ . We denote it as $p_{\phi\phi}$ and see that:

$\displaystyle p_{\phi\phi}$	$\displaystyle=\bra{\phi}U^{\dagger}(\outerproduct{\phi}{\phi}\otimes\mathbb{I})U\ket{\phi}$
	$\displaystyle=\frac{1}{\sqrt{2}}\Big{(}\sum_{b}\bra{b,f_{b}}\Big{)}\big{(}\outerproduct{\phi}{\phi}\otimes\mathbb{I}\big{)}\frac{1}{\sqrt{2}}\Big{(}\sum_{c}\ket{c,f_{c}}\Big{)}$
	$\displaystyle=\frac{1}{4}\Big{(}\sum_{b,c}\big{(}\bra{b}\outerproduct{i}{i}\ket{c}\otimes\innerproduct{f_{b}}{f_{c}}+\bra{b}\outerproduct{i}{j}\ket{c}\otimes\innerproduct{f_{b}}{f_{c}}$
	$\displaystyle+\bra{b}\outerproduct{j}{i}\ket{c}\otimes\innerproduct{f_{b}}{f_{c}}+\bra{b}\outerproduct{j}{j}\ket{c}\otimes\innerproduct{f_{b}}{f_{c}}\big{)}\Big{)}$
	$\displaystyle=\frac{1}{4}(\innerproduct{f_{i}}{f_{i}}+\innerproduct{f_{i}}{f_{j}}+\innerproduct{f_{j}}{f_{i}}+\innerproduct{f_{j}}{f_{j}})$
	$\displaystyle=\frac{1}{4}(\innerproduct{f_{i}}{f_{i}}+2\real\innerproduct{f_{i}}{f_{j}}+\innerproduct{f_{j}}{f_{j}})$
	$\displaystyle=\frac{1}{2}(p_{\phi i}+\real\innerproduct{f_{i}}{f_{j}}+p_{\phi j}).$	(17)

Equation (17) implies that:

\displaystyle\real\innerproduct{f_{i}}{f_{j}}=2p_{\phi\phi}-p_{\phi i}-p_{\phi j}.

(18)

Along with the fact that $\innerproduct{f_{i}}{f_{i}}=2p_{\phi i}$ and $\innerproduct{f_{j}}{f_{j}}=2p_{\phi j}$ from equation (14), we can say from equation (16) and (18) that:

\displaystyle\innerproduct{h}{h}

\displaystyle=4(p_{\phi i}+p_{\phi j}-p_{\phi\phi}).

This concludes the estimation of inner products appearing in the normalizer $N$ of $\rho_{AE}$ in (6). We need to estimate the real parts of three more classes of inner products to calculate each of the $\lambda$ -terms appearing in Theorem 1. These are $\{\real\innerproduct{e_{b}^{i}}{\frac{1}{\sqrt{2}}f_{b}}\}_{b},\real\innerproduct{\frac{1}{2}g}{\frac{1}{2}f_{j}},\real\innerproduct{\frac{1}{2}e_{j}^{i}}{\frac{1}{2\sqrt{2}}h}$ . In the following we connect these inner products to observable statistics. Let’s focus on the first one:

$\displaystyle\real\innerproduct{e_{b}^{i}}{\frac{1}{\sqrt{2}}f_{b}}$	$\displaystyle=\frac{1}{\sqrt{2}}\real(\bra{e_{b}^{i}})(\ket{e_{b}^{i}}+\ket{e_{b}^{j}})$
	$\displaystyle=\frac{1}{\sqrt{2}}\real(\innerproduct{e_{b}^{i}}{e_{b}^{i}}+\innerproduct{e_{b}^{i}}{e_{b}^{j}})$
	$\displaystyle=\frac{1}{\sqrt{2}}(p_{ib}+p_{\phi b}-\frac{p_{ib}}{2}-\frac{p_{jb}}{2}),$	(19)

where we have used the definition of $\ket{f_{b}}$ in the first equality and have used equation (8) and (15) to insert the value of $\real\innerproduct{e_{b}^{i}}{e_{b}^{i}},\real\innerproduct{e_{b}^{i}}{e_{b}^{j}}$ . Now let’s focus on the second inner product $\real\innerproduct{\frac{1}{2}g}{\frac{1}{2}f_{j}}$ :

$\displaystyle\real\innerproduct{\frac{1}{2}g}{\frac{1}{2}f_{j}}$	$\displaystyle=\frac{1}{4}\real(\bra{e_{i}^{i}}-\bra{e_{j}^{i}})(\ket{e_{j}^{i}}+\ket{e_{j}^{j}})$
	$\displaystyle=\frac{1}{4}\real(\innerproduct{e_{i}^{i}}{e_{j}^{i}}+\innerproduct{e_{i}^{i}}{e_{j}^{j}}-\innerproduct{e_{j}^{i}}{e_{j}^{i}}-\innerproduct{e_{j}^{i}}{e_{j}^{j}})$
	$\displaystyle=\frac{1}{4}(p_{i\phi}-\frac{p_{ii}}{2}+\real\innerproduct{e_{i}^{i}}{e_{j}^{j}}-p_{ij}-p_{\phi j}+\frac{p_{jj}}{2}).$	(20)

The value of $\real\innerproduct{e_{i}^{i}}{e_{j}^{i}}$ and $\real\innerproduct{e_{j}^{i}}{e_{j}^{j}}$ is found in $\eqref{eqreiieji}$ and (15) respectively. Furthermore, $\innerproduct{e_{j}^{i}}{e_{j}^{i}}$ is simply $p_{ij}$ because of equation (8). Noticeably, the term $\innerproduct{e_{i}^{i}}{e_{j}^{j}}$ is not observable. We will deal with this a bit later. Now we move on to the last of the necessary inner products for the theorem, $\real\innerproduct{\frac{1}{2}e_{j}^{i}}{\frac{1}{2\sqrt{2}}h}$ .

$\displaystyle\frac{1}{2}\times\frac{1}{2\sqrt{2}}\real\innerproduct{e_{j}^{i}}{h}$	$\displaystyle=\frac{1}{4}\real\bra{e_{j}^{i}}(\ket{f_{i}}-\ket{f_{j}})$
	$\displaystyle=\frac{1}{4}\real\bra{e_{j}^{i}}(\ket{e_{i}^{i}}+\ket{e_{i}^{j}}-\ket{e_{j}^{i}}-\ket{e_{j}^{j}})$
	$\displaystyle=\frac{1}{4}\real(\innerproduct{e_{j}^{i}}{e_{i}^{i}}+\innerproduct{e_{j}^{i}}{e_{i}^{j}}-\innerproduct{e_{j}^{i}}{e_{j}^{i}}-\innerproduct{e_{j}^{i}}{e_{j}^{j}})$
	$\displaystyle=\frac{1}{4}\left(p_{i\phi}-\frac{p_{ii}}{2}+\real\innerproduct{e_{j}^{i}}{e_{i}^{j}}-p_{ij}-p_{\phi j}+\frac{p_{jj}}{2}\right),$	(21)

where the unknown terms $\real\innerproduct{e_{j}^{i}}{e_{i}^{i}}=\real\innerproduct{e_{i}^{i}}{e_{j}^{i}},\real\innerproduct{e_{j}^{i}}{e_{j}^{j}}$ can be found in equations (11) and (15) respectively. In equation (21), we are again faced with a term $\real\innerproduct{e_{j}^{i}}{e_{i}^{j}}$ for which we do not have a direct observation. Now we deal with this term and the other unobservable term from equation (20), which is $\real\innerproduct{e_{i}^{i}}{e_{j}^{j}}$ . Although it is not hard to see, we need to take several steps to find an equation that relates these two inner products. Consider $\innerproduct{f_{i}}{f_{j}}$ which we may expand as:

\displaystyle 2\real\innerproduct{f_{i}}{f_{j}}

\displaystyle=2\real(\innerproduct{e_{i}^{i}}{e_{j}^{i}}+\innerproduct{e_{i}^{i}}{e_{j}^{j}}+\innerproduct{e_{i}^{j}}{e_{j}^{i}}+\innerproduct{e_{i}^{j}}{e_{j}^{j}})

(22)

First let’s deal with the unobservable term $\innerproduct{e_{i}^{j}}{e_{j}^{j}}$ . It is easy to see that, the probability of Alice sending a $\ket{j}$ , Eve attacking with $U$ and Bob measures in $X$ to find a $\ket{\phi}$ , denoted by $p_{j\phi}$ is:

$\displaystyle p_{j\phi}$	$\displaystyle=\bra{j}U^{\dagger}(\outerproduct{\phi}{\phi}\otimes\mathbb{I})U\ket{j}$
	$\displaystyle=\sum_{b,c}\bra{b}\outerproduct{\phi}{\phi}\ket{c}\innerproduct{e_{b}^{j}}{e_{c}^{j}}$
	$\displaystyle=\frac{1}{2}\sum_{b,c}\bra{b}(\outerproduct{i}{i}+\outerproduct{i}{j}+\outerproduct{j}{i}+\outerproduct{j}{j})\ket{c}\innerproduct{e_{b}^{j}}{e_{c}^{j}}$
	$\displaystyle=\frac{1}{2}(\innerproduct{e_{i}^{j}}{e_{i}^{j}}+\innerproduct{e_{i}^{j}}{e_{j}^{j}}+\innerproduct{e_{j}^{j}}{e_{i}^{j}}+\innerproduct{e_{j}^{j}}{e_{j}^{j}})$
	$\displaystyle=\frac{1}{2}(p_{ji}+2\real\innerproduct{e_{i}^{j}}{e_{j}^{j}}+p_{jj}).$	(23)

From equation (23), it is clear that:

\displaystyle 2\real\innerproduct{e_{i}^{j}}{e_{j}^{j}}=2p_{j\phi}-p_{ji}-p_{jj}.

(24)

The value of one of the other three unobservable terms appearing in equation (22), i.e., $\innerproduct{e_{i}^{i}}{e_{j}^{i}}$ can be found in equation (11). However, $\real\innerproduct{e_{i}^{i}}{e_{j}^{j}},\real\innerproduct{e_{i}^{j}}{e_{j}^{i}})$ are unobservable at this point. With the help of equations (11) and (24), we can rewrite equation (22) as:

\displaystyle 2\real\innerproduct{f_{i}}{f_{j}}

\displaystyle=2p_{i\phi}-p_{ii}-p_{ij}+2\real(\innerproduct{e_{i}^{i}}{e_{j}^{j}}+\innerproduct{e_{i}^{j}}{e_{j}^{i}})+2p_{j\phi}-p_{ji}-p_{jj},

(25)

We further notice from equation $\eqref{eq:rfifj}$ ,

\displaystyle 2\real\innerproduct{f_{i}}{f_{j}}=4p_{\phi\phi}-2p_{\phi i}-2p_{\phi j}.

(26)

Then, we equate the previous two equations (25), (26) to ultimately find:

$\displaystyle 4p_{\phi\phi}-2p_{\phi i}-2p_{\phi j}$	$\displaystyle=2p_{i\phi}-p_{ii}-p_{ij}+2\real(\innerproduct{e_{i}^{i}}{e_{j}^{j}}+\innerproduct{e_{i}^{j}}{e_{j}^{i}})+2p_{j\phi}-p_{ji}-p_{jj}$
$\displaystyle\implies 2\real(\innerproduct{e_{i}^{i}}{e_{j}^{j}}+\innerproduct{e_{i}^{j}}{e_{j}^{i}})$	$\displaystyle=4p_{\phi\phi}-2p_{\phi i}-2p_{\phi j}-2p_{i\phi}+p_{ii}+p_{ij}-2p_{j\phi}+p_{ji}+p_{jj}$
$\displaystyle\implies\real(\innerproduct{e_{i}^{i}}{e_{j}^{j}}+\innerproduct{e_{i}^{j}}{e_{j}^{i}})$	$\displaystyle=2p_{\phi\phi}-p_{\phi i}-p_{\phi j}-p_{i\phi}+\frac{p_{ii}}{2}+\frac{p_{ij}}{2}-p_{j\phi}+\frac{p_{ji}}{2}+\frac{p_{jj}}{2}.$	(27)

Let’s define the right-hand side of equation (27) to be $K$ , the value of which may be computed by Alice and Bob based only on observed statistics of the quantum channel. Now we have all the pieces necessary to compute the conditional entropy $S(A|E)$ according to Theorem 1. We minimize $S(A|E)$ given by Equation 7 over the two unobservable values. Note that we minimize over these unobservable quantities as we must assume that Eve choose the attack strategy that gives her the most information. However, her attack must be constrained by the above analysis. These unobservable inner-products are further constrained by Cauchy-Schwarz in that $-\sqrt{p_{ij}\cdot p_{ji}}\leq Re\innerproduct{e_{j}^{i}}{e_{i}^{j}}\leq\sqrt{p_{ij}\cdot p_{ji}}$ and similarly for the other inner product. The sum of these two values is further constrained by Equation 27 (the value $K$ ). With the bound on $S(A|E)$ calculated, we can focus on the Shannon entropy of Alice’s register given Bob’s register, i.e. $H(A|B)$ . To see it clearly, let us remember the density operator $\rho_{AEB}$ in equation (4), where Bob’s register was still in place. From that $\rho_{AEB}$ , we can see that the probability of Alice and Bob sharing different pairs of classical bits $0$ and $1$ is the following:

	$\displaystyle p_{00}$	$\displaystyle=\frac{1}{2N}\Big{(}\sum_{b\neq i,b\neq j}\innerproduct{e_{b}^{i}}{e_{b}^{i}}+\frac{1}{2}\innerproduct{g}{g}\Big{)}=\frac{1}{2N}\Big{(}\sum_{b\neq i,b\neq j}p_{ib}+p_{ii}+p_{ij}-p_{i\phi}\Big{)}$
	$\displaystyle p_{01}$	$\displaystyle=\frac{1}{2N}\sum_{b\neq i}\outerproduct{e_{b}^{i}}{e_{b}^{i}}=\frac{1}{2N}\Big{(}\sum_{b\neq i,b\neq j}p_{ib}+p_{ij}\Big{)}$
	$\displaystyle p_{10}$	$\displaystyle=\frac{1}{2N}\Big{(}\frac{1}{2}\sum_{b\neq i,b\neq j}\outerproduct{f_{b}}{f_{b}}+\frac{1}{4}\outerproduct{h}{h}\Big{)}=\frac{1}{2N}\Big{(}\sum_{b\neq i,b\neq j}p_{\phi b}+(p_{\phi i}+p_{\phi j}-p_{\phi\phi})\Big{)}$
	$\displaystyle p_{11}$	$\displaystyle=\frac{1}{4N}\sum_{b\neq i}\outerproduct{f_{b}}{f_{b}}=\frac{1}{2N}\Big{(}\sum_{b\neq i,b\neq j}p_{\phi b}+p_{\phi j}\Big{)}.$

From $p_{00},p_{01},p_{10},p_{11}$ , it is trivial to compute $H(A|B)$ . From all of this, we may easily compute a lower-bound on the min-entropy $S(A|E)$ and also directly compute $H(A|B)$ thus giving us a lower-bound on the key-rate of this protocol.

4.2 Evaluation

Note that the above security analysis and bound of $S(A|E)$ and $H(A|B)$ , would hold for an arbitrary quantum channel; one need only observe those values listed in Table 1 in order to minimize $S(A|E)$ as described in the previous section. As examples, and to compare with other protocols, we will evaluate our protocol in two different channels, commonly used in QKD protocol evaluation. These are the depolarizing channel and the amplitude damping channel. First, let’s consider the depolarization channel. Given a density operator $\sigma$ acting on a Hilbert space of dimension $D$ , the depolarization channel with parameter $Q$ , denoted here as $\mathcal{E}_{Q}$ acts as follows:

\mathcal{E}_{Q}(\sigma)=\left(1-\frac{D}{D-1}Q\right)\sigma+\frac{Q}{D-1}I.

(28)

To calculate the key rate of our protocol, we calculate the required observable statistics assuming the adversary uses this channel (in particular, the statistics indexed in Table 1). These are easily found to be:

	$\displaystyle p_{ii}$	$\displaystyle=p_{jj}=p_{\phi\phi}=1-Q$
	$\displaystyle p_{ib}$	$\displaystyle=p_{jb}=p_{\phi b}=\frac{Q}{D-1}$
	$\displaystyle p_{i\phi}=p_{j\phi}=p_{\phi i}$	$\displaystyle=p_{\phi j}=\frac{1}{2}\Big{(}1-\frac{DQ}{D-1}\Big{)}+\frac{Q}{D-1}.$

This is sufficient to evaluate the key-rate of our protocol as shown in Figure 1. Note that, as with other high-dimensional QKD protocols, as the dimension of the system increases, the tolerance to depolarization noise also increases. In our numerical evaluations, the noise tolerance approaches $15.5\%$ as the dimension increases thus showing that, as with other high-dimensional QKD protocols, the extended-B92 style scheme can also benefit from higher dimensional systems, at least against this particular channel type.

We also compare with the HD-BB84 protocol [31] which we now state for completeness. Similar to the qubit case, the qudit based HD-BB84 uses two bases, namely, the computational basis $Z=\{\ket{0},\ket{1},...,\ket{D-1}\}$ and another basis denoted by $X$ where $X=\{\ket{x_{0}},\ket{x_{1}},...,\ket{x_{f}}\}$ . We assume the two bases are mutually unbiased. Alice sends basis states from these two bases and Bob measures in $X$ or $Z$ . If both parties chose the $Z$ basis, the result is used for their raw key; otherwise, if both parties choose the $X$ basis, they use this to measure the noise in the quantum channel. The unconditional security of this protocol has been proven [32, 33]. An entropic uncertainty relation presented in [34] can be used to easily derive the following asymptotic key rate $r$ for HD-BB84 assuming a depolarization channel with a noise parameter $Q$ . The final equation reads:

\displaystyle r=\log D-2(H_{2}(Q)+Q\log(D-1)),

The result of this comparison is presented in Figure 2. As expected, BB84 outperforms our protocol. However, this is not surprising as BB84 at the qubit level also outperforms the B92 and Extended B92 protocol. Furthermore, our high-dimensional protocol is not even utilizing two complete bases as HD-BB84 does; instead, we are using a weak version where Alice need only send three states and Bob need only perform partial measurements in the second basis. Note also that we did not choose an optimal basis choice and, indeed, alternative encoding selections for the $X$ state may lead to higher key rates for our HD-Ext-B92 protocol as demonstrated at least for the qubit case [8, 21].

Refer to caption — Figure 1: The key-rate of the HD-Ext-B92 protocol for various dimensions $D$ assuming a depolarization channel. Here the dimension increases from left-to-right from $D=2^{1}$ to $D=2^{5}$ in powers of two. We observe numerically, as the dimension continues to increase, the noise tolerance for this channel tends towards $15.5\%$ .

Another channel of interest is the amplitude damping channel which can be described its Kraus operators:

E_{0}=\left(\begin{array}[]{ccccc}1&0&0&\cdots&0\\ 0&\sqrt{{1-p}}&0&\cdots&0\\ 0&0&\sqrt{{1-p}}&\cdots&0\\ \vdots&\vdots&\vdots&\ddots&\vdots\\ 0&0&0&\cdots&\sqrt{{1-p}}\end{array}\right)

(29)

and:

E_{1}=\left(\begin{array}[]{ccccc}0&\sqrt{{p}}&0&\cdots&0\\ 0&0&0&\cdots&0\\ 0&0&0&\cdots&0\\ \vdots&\vdots&\vdots&\ddots&\vdots\\ 0&0&0&\cdots&0\end{array}\right),\cdots,E_{D-1}=\left(\begin{array}[]{ccccc}0&0&0&\cdots&\sqrt{{p}}\\ 0&0&0&\cdots&0\\ 0&0&0&\cdots&0\\ \vdots&\vdots&\vdots&\ddots&\vdots\\ 0&0&0&\cdots&0\end{array}\right).

(30)

Table 2: Key rates for high-dimensional extended B92 protocol with

D=4

and different choices of

\ket{i}

and

\ket{j}

under an amplitude damping channel with parameter

p=.08

$\ket{\phi}=\frac{1}{\sqrt{2}}(\ket{i}+\ket{j})$	key rate
$\ket{i}=\ket{0},\ket{j}=\ket{1}$	.85
$\ket{i}=\ket{0},\ket{j}=\ket{2}$	.85
$\ket{i}=\ket{1},\ket{j}=\ket{2}$	.29
$\ket{i}=\ket{1},\ket{j}=\ket{3}$	.29

As before, we can compute those observable parameters in Table 1 under this channel and then use our analysis in the previous section to derive a lower-bound on the key-rate of our protocol. We can see that the key rate of our protocol can vary significantly with the choice of basis states, in particular the distinguished $\ket{i}$ and $\ket{j}$ as shown in Table 2. Since these are set by the users, they may choose basis states based on the channel properties to maximize the key rate.

5 Closing Remarks

In this work, we have presented the usage of high-dimensional quantum systems as communication resources between Alice and Bob in the extended B92 protocol, originally introduced in [8] for qubits. When extending that protocol to higher dimensions we took care to attempt to minimize the quantum resources used by parties. In particular, our protocol only requires Alice to send three different states while Bob need only perform partial measurements.

We performed an information theoretic security analysis against collective attacks and evaluated under two different channels, the depolarization channel and the amplitude damping channel. We showed that, as with other high-dimensional protocols, under a depolarization channel the noise tolerance tends to increase with the dimension of the system. For the HD-Ext-B92 protocol, this tolerance eventually converges to 15.5% (as observed by our numerical computations). Under an amplitude damping channel, we showed how the choice of basis states used can greatly affect the key rate of the overall protocol.

Perhaps the biggest open question at the moment is to determine the effects of alternative superposition states on the protocol. We only considered a state of the form $\frac{1}{\sqrt{2}}\ket{i}+\frac{1}{\sqrt{2}}\ket{j}$ . One obvious candidate to consider would be the effect of having Alice send an equal superposition state. Unfortunately, the security analysis of such a protocol proved to be highly difficult, especially when using the technique of mismatched measurements (as we used here). The analysis might be simplified by having Alice send complete basis states instead of only a small subset of basis states in which case alternative proof methods may be applied. We leave this interesting question as future work. We also only performed an asymptotic key rate analysis - performing a finite key analysis, taking into account also, perhaps, less ideal measurement devices, would also be interesting to consider.

References

[1] Charles H Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175. New York, 1984.
[2] Stefano Pirandola, Ulrik L Andersen, Leonardo Banchi, Mario Berta, Darius Bunandar, Roger Colbeck, Dirk Englund, Tobias Gehring, Cosmo Lupo, Carlo Ottaviani, et al. Advances in quantum cryptography. Advances in Optics and Photonics, 12(4):1012–1236, 2020.
[3] Valerio Scarani, Helle Bechmann-Pasquinucci, Nicolas J. Cerf, Miloslav Dušek, Norbert Lütkenhaus, and Momtchil Peev. The security of practical quantum key distribution. Rev. Mod. Phys., 81:1301–1350, Sep 2009.
[4] Akshata Shenoy-Hejamadi, Anirban Pathak, and Srikanth Radhakrishna. Quantum cryptography: Key distribution and beyond. Quanta, 6(1):1–47, 2017.
[5] Charles H Bennett. Quantum cryptography using any two nonorthogonal states. Physical review letters, 68(21):3121, 1992.
[6] Kiyoshi Tamaki, Masato Koashi, and Nobuyuki Imoto. Unconditionally secure key distribution based on two nonorthogonal states. Physical review letters, 90(16):167904, 2003.
[7] Ryutaroh Matsumoto. Improved asymptotic key rate of the b92 protocol. In 2013 IEEE International Symposium on Information Theory, pages 351–353. IEEE, 2013.
[8] Marco Lucamarini, Giovanni Di Giuseppe, and Kiyoshi Tamaki. Robust unconditionally secure quantum key distribution with two nonorthogonal and uninformative states. Physical Review A, 80(3):032327, 2009.
[9] Omar Amer and Walter O Krawec. Finite key analysis of the extended b92 protocol. In 2020 IEEE International Symposium on Information Theory (ISIT), pages 1944–1948. IEEE, 2020.
[10] Daniele Cozzolino, Beatrice Da Lio, Davide Bacco, and Leif Katsuo Oxenløwe. High-dimensional quantum communication: Benefits, progress, and future challenges. Advanced Quantum Technologies, 2(12):1900038, 2019.
[11] Helle Bechmann-Pasquinucci and Wolfgang Tittel. Quantum cryptography using larger alphabets. Physical Review A, 61(6):062308, 2000.
[12] Hoi Fung Chau. Unconditionally secure key distribution in higher dimensions by depolarization. IEEE Transactions on Information Theory, 51(4):1451–1468, 2005.
[13] Lana Sheridan and Valerio Scarani. Security proof for quantum key distribution using qudit systems. Physical Review A, 82(3):030301, 2010.
[14] Chrysoula Vlachou, Walter Krawec, Paulo Mateus, Nikola Paunković, and André Souto. Quantum key distribution with quantum walks. Quantum Information Processing, 17(11):1–37, 2018.
[15] Toshihiko Sasaki, Yoshihisa Yamamoto, and Masato Koashi. Practical quantum key distribution protocol without monitoring signal disturbance. Nature, 509(7501):475–478, 2014.
[16] Fumin Wang, Pei Zeng, Jiapeng Zhao, Boris Braverman, Yiyu Zhou, Mohammad Mirhosseini, Xiaoli Wang, Hong Gao, Fuli Li, Robert W Boyd, et al. High-dimensional quantum key distribution based on mutually partially unbiased bases. Physical Review A, 101(3):032340, 2020.
[17] Nurul T Islam, Charles Ci Wen Lim, Clinton Cahall, Jungsang Kim, and Daniel J Gauthier. Provably secure and high-rate quantum key distribution with time-bin qudits. Science advances, 3(11):e1701491, 2017.
[18] Jacob Mower, Zheshen Zhang, Pierre Desjardins, Catherine Lee, Jeffrey H Shapiro, and Dirk Englund. High-dimensional quantum key distribution using dispersive optics. Physical Review A, 87(6):062322, 2013.
[19] Beatrice Da Lio, Daniele Cozzolino, Nicola Biagi, Yunhong Ding, Karsten Rottwitt, Alessandro Zavatta, Davide Bacco, and Leif K Oxenløwe. Path-encoded high-dimensional quantum communication over a 2 km multicore fiber. arXiv preprint arXiv:2103.05992, 2021.
[20] Catherine Lee, Darius Bunandar, Zheshen Zhang, Gregory R Steinbrecher, P Ben Dixon, Franco NC Wong, Jeffrey H Shapiro, Scott A Hamilton, and Dirk Englund. Large-alphabet encoding for higher-rate quantum key distribution. Optics express, 27(13):17539–17549, 2019.
[21] Walter O. Krawec. Quantum key distribution with mismatched measurements over arbitrary channels. Quantum Information and Computation, 17(3 and 4):209–241, 2017.
[22] Stephen M Barnett, Bruno Huttner, and Simon JD Phoenix. Eavesdropping strategies and rejected-data protocols in quantum cryptography. Journal of Modern Optics, 40(12):2501–2513, 1993.
[23] Shun Watanabe, Ryutaroh Matsumoto, and Tomohiko Uyematsu. Tomography increases key rates of quantum-key-distribution protocols. Physical Review A, 78(4):042316, 2008.
[24] Ryutaroh Matsumoto and Shun Watanabe. Key rate available from mismatched measurements in the bb84 protocol and the uncertainty principle. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 91(10):2870–2873, 2008.
[25] Walter O Krawec. Asymptotic analysis of a three state quantum cryptographic protocol. In 2016 IEEE International Symposium on Information Theory (ISIT), pages 2489–2493. IEEE, 2016.
[26] Kiyoshi Tamaki, Marcos Curty, Go Kato, Hoi-Kwong Lo, and Koji Azuma. Loss-tolerant quantum cryptography with imperfect sources. Physical Review A, 90(5):052314, 2014.
[27] Robert König and Renato Renner. A de finetti representation for finite symmetric quantum states. Journal of Mathematical physics, 46(12):122108, 2005.
[28] Matthias Christandl, Robert König, and Renato Renner. Postselection technique for quantum channels with applications to quantum cryptography. Physical review letters, 102(2):020504, 2009.
[29] Igor Devetak and Andreas Winter. Distillation of secret key and entanglement from quantum states. Proceedings of the Royal Society A: Mathematical, Physical and Engineering Science, 461(2053):207–235, 2005.
[30] Renato Renner, Nicolas Gisin, and Barbara Kraus. Information-theoretic security proof for quantum-key-distribution protocols. Physical Review A, 72(1):012332, 2005.
[31] Nicolas J Cerf, Mohamed Bourennane, Anders Karlsson, and Nicolas Gisin. Security of quantum key distribution using d-level systems. Physical review letters, 88(12):127902, 2002.
[32] Peter W. Shor and John Preskill. Simple proof of security of the bb84 quantum key distribution protocol. Phys. Rev. Lett., 85:441–444, Jul 2000.
[33] Masato Koashi. Simple security proof of quantum key distribution based on complementarity. New Journal of Physics, 11(4):045018, 2009.
[34] Mario Berta, Matthias Christandl, Roger Colbeck, Joseph M Renes, and Renato Renner. The uncertainty principle in the presence of quantum memory. Nature Physics, 6(9):659–662, 2010.