The Quantum Chernoff Divergence in Advantage Distillation for QKD and DIQKD

Mikka Stasiuk Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, N2L3G1 Waterloo, Ontario, Canada Norbert Lütkenhaus Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, N2L3G1 Waterloo, Ontario, Canada Ernest Y.-Z. Tan Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, N2L3G1 Waterloo, Ontario, Canada

Abstract

Device-independent quantum key distribution (DIQKD) aims to mitigate adversarial exploitation of imperfections in quantum devices, by providing an approach for secret key distillation with modest security assumptions. Advantage distillation, a two-way communication procedure in error correction, has proven effective in raising noise tolerances in both device-dependent and device-independent QKD. Previously, device-independent security proofs against IID collective attacks were developed for an advantage distillation protocol known as the repetition-code protocol, based on security conditions involving the fidelity between some states in the protocol. However, there exists a gap between the sufficient and necessary security conditions, which hinders the calculation of tight noise-tolerance bounds based on the fidelity. We close this gap by presenting an alternative proof structure that replaces the fidelity with the quantum Chernoff divergence, a distinguishability measure that arises in symmetric hypothesis testing. Working in the IID collective attacks model, we derive matching sufficient and necessary conditions for the repetition-code protocol to be secure (up to a natural conjecture regarding the latter case) in terms of the quantum Chernoff divergence, hence indicating that this serves as the relevant quantity of interest for this protocol. Furthermore, using this security condition we obtain some improvements over previous results on the noise tolerance thresholds for DIQKD. Our results provide insight into a fundamental question in quantum information theory regarding the circumstances under which DIQKD is possible.

I Introduction

Quantum key distribution (QKD) [1, 2] is founded on the goal of extracting secret keys from measurement correlations between quantum systems. Much of QKD research is focused on “device-dependent” protocols, where it is assumed that devices execute quantum operations within specified tolerances. However, implementations of device-dependent QKD may suffer from attacks that leverage discrepancies between the physical devices and the models in the security proofs, undermining the security of such implementations [3, 4, 5]. Device-independent (DI) QKD [6, 7] is an alternative that seeks to surmount this weakness by deriving security proofs with only minimal assumptions on the devices involved. This is made possible by taking advantage of quantum correlations that violate a Bell inequality [8, 9], which can allow for the production of secret keys even without characterizing the measurements performed by the devices [6, 7]. In effect, DIQKD lacks various vulnerabilities of device-dependent QKD that arose from requiring detailed characterization of the device measurements.

However, the improved security prospects come at the cost of DIQKD having worse noise and loss tolerances than device-dependent QKD. Furthermore, there is a foundational question of more precisely characterizing the circumstances under which DIQKD is possible, as it has been shown for instance that not all correlations that violate Bell inequalities can be used for DIQKD [10]. Hence a direction of interest in current DIQKD research is to find methods that improve the noise tolerance beyond the values in existing protocols. Thus far, some methods that have been proposed include noisy pre-processing [11, 12, 13, 14, 15] (where trusted noise is added to the trusted parties’ raw measurement outputs), random key measurements [16, 14] (where random measurement choices are selected for key generation), random postselection [17] (where some rounds are randomly discarded based on the measurement outcomes), and advantage distillation [18, 19] (where a two-way communication procedure is substituted into the error correction step of the protocol). Some of these methods were also previously studied in the context of device-dependent QKD [20, 21, 22, 23, 24]. Our work focuses on enhanced performance of DIQKD by means of the last technique, i.e. advantage distillation.

Under the assumption of independent and identically distributed (IID) collective attacks, previous works [18, 19] have studied the noise tolerance of DIQKD when implementing an advantage distillation protocol known as the repetition-code protocol. In particular, in [18] a sufficient condition was derived for this protocol to be secure, based on the fidelity between some states that arise in the protocol. A conjectured fidelity-based necessary condition for security also exists [19], but it does not match the aforementioned sufficient condition. This gap between the sufficient and necessary conditions presents difficulties in characterizing the noise tolerance of the protocol — for instance, in [19] a semidefinite programming (SDP) algorithm was developed to compute arbitrarily tight bounds on the fidelity, but the resulting noise tolerance improvements were limited by the fact that these fidelity-based conditions do not provide an exact characterization of when the protocol is secure.

Hence in this work, we aim to address this issue by investigating relevant quantities that could replace the role of fidelity in those security proofs, ideally yielding matching sufficient and necessary conditions. Specifically, an interesting candidate is the quantum Chernoff divergence [25, 26, 27], defined for arbitrary quantum states $\rho$ and $\sigma$ as

\xi(\rho,\sigma)\coloneqq-\log\left(\inf_{0<s<1}\operatorname{Tr}\left(\rho^{s}\sigma^{1-s}\right)\right).

(1)

For easier comparison to the previous fidelity-based results, in this work we instead mainly present our results in terms of the argument of the logarithm in the above expression, which can be referred to as the non-logarithmic quantum Chernoff divergence (NQCD):

Q(\rho,\sigma)\coloneqq\inf_{0<s<1}\operatorname{Tr}\left(\rho^{s}\sigma^{1-s}\right).

(2)

The characteristic property of the quantum Chernoff divergence is that it describes the asymptotic behaviour of the trace distance (and hence distinguishing probability [28]) between many IID copies of the states $\rho,\sigma$ ; more precisely, the following relation holds (see Theorem 2.2 of [25] and Eq. (1) of [26]):

-\log Q(\rho,\sigma)=\lim_{k\rightarrow\infty}\left(-\frac{1}{k}\log\frac{1-d\left(\rho^{\otimes k},\sigma^{\otimes k}\right)}{2}\right).

(3)

Our main finding in this work is that by using this fundamental property of the NQCD, we can derive security conditions for the repetition-code protocol. Specifically, we obtain a sufficient condition (in terms of the NQCD) for device-independent security of the repetition-code protocol against IID collective attacks. Furthermore, we also derive a necessary condition for security of the protocol, which matches the sufficient condition up to a natural conjecture regarding the structure of Eve’s optimal attack. Hence our results indicate that the NQCD is the central quantity of interest for studying the security of this protocol. (We remark that while the focus of our work is on DIQKD, our results also serve to generalize the findings of [22] for device-dependent QKD to a broader class of device-dependent QKD protocols; we discuss this further in Sec. III.1.)

Using this condition, we obtain lower bounds on the noise tolerance of some DIQKD scenarios under the depolarizing-noise model, achieving improvements of up to $2.7\%$ compared to the fidelity-based condition [18, 19], and an improvement of $0.23\%$ compared to the best previous noise tolerances [29] (note that the protocol in that work only uses one-way error correction, but it implements both noisy pre-processing and random key measurements). While the latter improvement is fairly small, this arises mainly from the fact that the existing techniques to evaluate the NQCD in the device-independent setting do not yield very tight bounds. Since our work highlights the NQCD as the critical quantity that characterizes security of the repetition-code protocol (in the IID collective attacks setting, at least), future study of this protocol could be focused on developing better techniques to bound this quantity, which should improve the noise tolerances further.

II Protocol description

We outline a general DIQKD protocol between two trusted parties. These two parties, Alice and Bob, possess $M_{A}$ and $M_{B}$ possible measurement choices, indexed by $x\in\{0,...,M_{A}-1\},\;y\in\{0,...,M_{B}-1\}$ . We shall often refer to the labels $x,y$ as Alice and Bob’s inputs, in the sense that they can be viewed as classical inputs Alice and Bob supply to the devices in order to specify which measurement is performed. In each round, an untrusted source Eve sends Alice and Bob each a part of some entangled state, and retains some extension of the state for herself as side-information. Alice and Bob then choose some inputs $x,y$ to supply to their devices, which measure the state and provide some outputs, that are recorded in registers $\hat{A}_{x}$ and $\hat{B}_{y}$ for Alice and Bob respectively. Following the QKD protocol structure outlined in [21], after collecting outputs from sufficiently many rounds, Alice and Bob use some subset of their data to perform parameter estimation, in which they decide whether to accept or abort the protocol. If they accept, some or all of the remaining rounds are then used to generate the final key, using some classical post-processing steps we describe below. We shall focus only on protocols where all measurements are binary-outcome and there is only a single pair of measurements used for key generation, which we shall take to correspond to the labels $x=y=0$ .

We perform the security analysis in the IID collective attacks setting, where it is assumed that all states and measurements are IID. In this case, it is enough to consider Alice, Bob and Eve’s single round composite state, written as $\sigma_{ABE}$ , where $E$ denotes Eve’s purification of Alice and Bob’s states. Also, we shall denote the hermitian operators describing the measurements for inputs $x,y$ as $A_{x},B_{y}$ respectively (not to be confused with the registers $\hat{A}_{x},\hat{B}_{y}$ that store the outputs). When the key-generating measurements are performed, the resulting state produced between the three parties is a classical-classical-quantum state of the form

\sum_{ab}\operatorname{Pr}(\hat{A}_{0}=a,\hat{B}_{0}=b)\ket{ab}\!\bra{ab}_{\hat{A}_{0}\hat{B}_{0}}\otimes\sigma_{E|ab},

(4)

where $\sigma_{E|ab}$ is Eve’s single-round state conditioned on Alice and Bob performing the key-generating measurements and getting output values $\hat{A}_{0}=a,\hat{B}_{0}=b$ .

To simplify the security proof, we also impose a symmetrization step¹¹1For the protocol we consider, this symmetrization step can be omitted in practice without significantly affecting the sufficient conditions for security, but it may affect the necessary conditions — we elaborate on this point in Sec. IV., which involves Alice publicly communicating to Bob a uniformly random bit $T$ , followed by having each of them XOR their output value with $T$ . Let $\widetilde{A}_{x}$ and $\widetilde{B}_{y}$ . denote Alice and Bob’s registers respectively that store the symmetrized values (for inputs $x$ and $y$ ), i.e. so we have $\widetilde{A}_{x}=\hat{A}_{x}\oplus T$ and $\widetilde{B}_{y}=\hat{B}_{y}\oplus T$ . We shall use $\operatorname{Pr}(ab|xy)$ to denote the probability distribution on registers $\widetilde{A}_{x}\widetilde{B}_{y}$ , i.e. the distribution of output values after symmetrization, conditioned on the input pair $x,y$ being used.

With this notation, when the key-generating measurements are performed, the composite state between the three parties after symmetrization is

\sum_{ab}\operatorname{Pr}(ab|00)\ket{ab}\!\bra{ab}_{\widetilde{A}_{0}\widetilde{B}_{0}}\otimes\rho_{ET|ab},

(5)

where $\rho_{ET|ab}$ denotes Eve’s single-round state conditioned on $\widetilde{A}_{0}=a,\widetilde{B}_{0}=b$ , and is given by

\rho_{ET|ab}=\frac{1}{2}\sigma_{E|ab}\otimes\ket{0}\!\bra{0}_{T}+\frac{1}{2}\sigma_{E|\overline{a}\overline{b}}\otimes\ket{1}\!\bra{1}_{T},

(6)

where $\overline{a}$ denotes $a\oplus 1$ and similarly for $\overline{b}$ . The symmetrization step enables the outcome probabilities $\operatorname{Pr}(ab|00)$ for the key-generating measurements to be written in terms of a single parameter: the quantum bit error rate (QBER) $\epsilon$ , which we define in this context to be the probability that $\widetilde{A}_{0}\neq\widetilde{B}_{0}$ . Explicitly, we have $\text{Pr}(01|00)=\text{Pr}(10|00)=\frac{\epsilon}{2}$ and $\text{Pr}(00|00)=\text{Pr}(11|00)=\frac{1-\epsilon}{2}$ .

We focus on deriving the conditions for security in the asymptotic limit of infinitely many rounds. In this setting, we can make the simplifying assumption (see e.g. [21, 30] for further discussion) that the condition for the parameter-estimation step to accept is that the statistical estimates for the probability distribution $\operatorname{Pr}(ab|xy)$ exactly match the values for an honest implementation of the protocol. Under the IID assumption, these estimates are arbitrarily accurate given enough rounds, which implies (by the arguments in [21, 30]) that for the asymptotic analysis we can focus only on states producing the same distribution $\operatorname{Pr}(ab|xy)$ as in an honest implementation.

We now present the repetition-code protocol for advantage distillation, following the description in e.g. [21]. First, Alice and Bob gather the outputs from their devices over some number of key-generating rounds, which we shall denote as $N$ . They split the $N$ rounds into blocks of $k$ rounds and execute the following procedure on each individual block. Focusing on one block, let $\widetilde{\mathbf{A}}_{0}$ and $\widetilde{\mathbf{B}}_{0}$ denote Alice and Bob’s (symmetrized) values respectively for this block. For this block, Alice independently generates a uniform random bit $C\in\{0,1\}$ and sends $\mathbf{M}=\widetilde{\mathbf{A}}_{0}\oplus(C,...,C)$ to Bob, who computes $\widetilde{\mathbf{B}}_{0}\oplus\mathbf{M}$ . If $\widetilde{\mathbf{B}}_{0}\oplus\mathbf{M}=(C^{\prime},...,C^{\prime})$ for some bit $C^{\prime}\in\{0,1\}$ , then Bob accepts the block and sends a bit $D=1$ to Alice. Otherwise, he rejects the block and sends $D=0$ . (Note that this accept/reject value is for individual blocks, not the overall protocol.) After performing this procedure across all the blocks, Alice and Bob respectively keep the strings of $C$ and $C^{\prime}$ values from the accepted blocks. Alice and Bob then perform a one-way error-correction procedure on these strings, and implement privacy amplification to produce their final key (see [21] for details).

Let $\mathbf{ET}$ denote Eve’s side information (including the symmetrization bits) across all rounds of one block, and let $H(\cdot)$ denote the von Neumann entropy. It was shown in [21, 31] that if the values $C,C^{\prime}$ produced in each block satisfy the Devetak–Winter condition

H(C|\mathbf{ETM};D=1)-H(C|C^{\prime};D=1)>0,

(7)

then the above procedure achieves a positive secret key rate in the asymptotic limit of infinitely many rounds $N$ . Conversely, the results in [20] for binary symmetric channels imply (see also the discussion in [22]) that if in each block, Eve can use her registers $\mathbf{ETM}$ to construct a guess $C^{\prime\prime}$ for the bit $C$ that satisfies

\displaystyle\operatorname{Pr}(C\neq C^{\prime\prime}|D=1)\leq\operatorname{Pr}(C\neq C^{\prime}|D=1),

(8)

then the repetition-code protocol as described above²²2Note that in particular, this means Alice and Bob perform the one-way error-correction procedure on the strings of $C,C^{\prime}$ bits “directly”, without further processing them first. We leave for future work the question of whether such processing (for instance, possibly applying the block-processing procedure iteratively) could further improve the noise tolerance. cannot achieve a positive asymptotic secret key rate. Hence in our work, we shall focus on studying conditions under which (7) holds (implying positive asymptotic keyrate is achievable) or (8) holds (implying positive asymptotic keyrate is not achievable).

III Results

In this section, we first present the sufficient and necessary conditions for security as Theorems 1 and 2 respectively. After that, we compute the improvement in noise tolerance with these new findings, and compare our results to noise tolerances computed for one-way protocols as well as the previous fidelity-based security condition.

III.1 Security conditions

Our first result is a sufficient condition for the repetition-code protocol to be secure (the proof of this theorem is given in Appendix A, based on an approach similar to [22, 18]):

Theorem 1.

For the DIQKD repetition-code protocol described above, if Eve’s single-round conditional states as described in (5)–(6) satisfy

\displaystyle Q(\rho_{ET|00},\rho_{ET|11})>\frac{\epsilon}{1-\epsilon},

(9)

then there exists some value $k_{\mathrm{min}}$ such that protocol achieves positive asymptotic keyrate as long as the block size $k$ is at least $k_{\mathrm{min}}$ .

We note that there is a subtle limitation in the above statement. Specifically, with our proof approach, we currently do not have an explicit value for the minimum block size $k_{\mathrm{min}}$ in the theorem statement, unlike the previous fidelity-based results in [18]. This is because our proof relies on a particular function $g(k)$ (see Appendix A) which is known to converge to $0$ in the large- $k$ limit [25, 26, 27]; however, the current known convergence bounds [32] for this function have a dependence on the dimension and minimal nonzero eigenvalues of the states $\rho_{ET|00},\rho_{ET|11}$ . In the context of DIQKD, we do not know the dimensions or eigenvalues of these states, which prevents us from finding an explicit value for $k_{\mathrm{min}}$ . Doing so would require a modification of the bounds in [32] to remove their dependence on these parameters; we leave this for future work.

While the full proof of Theorem 1 is deferred to Appendix A, we present here an informal outline of the main ideas:

Informal proof outline:.

Observe that conditioned on $D=1$ and the public message taking some value $\mathbf{M}=\mathbf{m}$ , Eve’s side-information state for the four possible values $(0,0),\,(0,1),\,(1,0)$ and $(1,1)$ for $(C,C^{\prime})$ takes the form $\rho_{\mathbf{ET}|\mathbf{mm}},\,\rho_{\mathbf{ET}|\mathbf{m\overline{m}}},\,\rho_{\mathbf{ET}|\mathbf{\overline{m}m}}$ and $\rho_{\mathbf{ET}|\mathbf{\overline{m}\overline{m}}}$ respectively, where $\mathbf{\overline{m}}$ denotes the bitflip of $\mathbf{m}$ , and

\rho_{\mathbf{ET}|\mathbf{mm}}=\rho_{ET|m_{1}m_{1}}\otimes...\otimes\rho_{ET|m_{k}m_{k}},

(10)

where the states $\rho_{ET|m_{j}m_{j}}$ refer to the single-round states as defined in the formula (6).

We now need to quantify Eve’s uncertainty about the value $C$ , in the sense of lower-bounding $H(C|\mathbf{ETM};D=1)$ in the condition (7). To do so, we first informally note that the cases where $C\neq C^{\prime}$ are rare for large block sizes³³3The case where $C\neq C^{\prime}$ corresponds to scenarios where every round in Alice’s block is flipped during key distillation. For large block sizes, this happens far less often., which lets us remove them using a suitable continuity bound (in the full proof in Appendix A, this is formalized via the bound (27)). This allows us to focus mainly on Eve’s information when $C=C^{\prime}$ . Conditioned on this, the classical-quantum state (with Eve’s side-information) for each accepted block takes the following form:

\widetilde{\rho}_{C\mathbf{ET}}=\frac{1}{2}\ket{0}\!\bra{0}_{C}\otimes\rho_{\mathbf{ET}|\mathbf{mm}}+\frac{1}{2}\ket{1}\!\bra{1}_{C}\otimes\rho_{\mathbf{ET}|\mathbf{\overline{m}\overline{m}}}.

(11)

(Note that $\widetilde{\rho}_{C\mathbf{ET}}$ as defined above has a dependence on the message $\mathbf{m}$ , which we will not explicitly write in the notation for the state.) This is the state we focus on in the main part of the proof. Conveniently, it has the following property:

Lemma 1.

Consider the state $\widetilde{\rho}_{C\mathbf{ET}}$ as defined in (11), for some block size $k$ . Let us define the following state:

\overline{\rho}_{C\mathbf{ET}}=\frac{1}{2}\ket{0}\!\bra{0}_{C}\otimes\rho_{ET|00}^{\otimes k}+\frac{1}{2}\ket{1}\!\bra{1}_{C}\otimes\rho_{ET|11}^{\otimes k},

(12)

where $\rho_{ET|00},\rho_{ET|11}$ are Eve’s single-round conditional states as described in (5)–(6). Then

H(C|\mathbf{ET})_{\widetilde{\rho}}=H(C|\mathbf{ET})_{\overline{\rho}}.

(13)

The point of this lemma is that it allows us to focus on simplified states of the form in (12), since they have the same entropies $H(C|\mathbf{ET})$ as those of the form (11). In particular, observe that conditioned on each value of $C$ , the side-information registers $\mathbf{ET}$ have a convenient tensor-power form — this is what allows us to later reduce the analysis to the NQCD, by using the characteristic property (3). (As an alternative to this lemma, we remark that the state (12) could also be viewed as arising naturally in a modified version of the repetition-code protocol; we describe some details of this in Appendix C.) We prove Lemma 1 in Appendix B by exploiting the unitary invariance of the von Neumann entropy: basically, we observe that there is a unitary $U_{X}$ that transforms $\rho_{ET|ii}$ to $\rho_{ET|\overline{i}\overline{i}}$ . For a given message $\mathbf{m}$ , we can use this to construct a unitary acting on $\mathbf{ET}$ that transforms the state $\widetilde{\rho}_{C\mathbf{ET}}$ to $\overline{\rho}_{C\mathbf{ET}}$ , which gives the desired result.

The remaining task in the proof to essentially to find a lower bound on $H(C|\mathbf{ET})_{\overline{\rho}}$ , by using the specific structure of $\overline{\rho}_{C\mathbf{ET}}$ . The approach we use for this is similar to the proof in [18], but instead of using a fidelity-based lower bound on the conditional entropy $H(C|\mathbf{ET})_{\overline{\rho}}$ , we use one that involves the NQCD between $\rho_{ET|00}$ and $\rho_{ET|11}$ . This bound on $H(C|\mathbf{ET})_{\overline{\rho}}$ in terms of $Q(\rho_{ET|00},\rho_{ET|11})$ allows us to prove that whenever $Q(\rho_{ET|00},\rho_{ET|11})$ satisfies the theorem condition (9), the entropy $H(C|\mathbf{ETM};D=1)$ must be larger than $H(C|C^{\prime};D=1)$ at sufficiently large block size $k$ , hence implying positive asymptotic keyrate is achievable (by the condition (7)). ∎

We now turn to the necessary conditions for security, which we shall also present in terms of $Q(\rho_{ET|00},\rho_{ET|11})$ . Specifically, we prove the following almost-complementary result to Theorem 1 (with the proof given in Appendix D):

Theorem 2.

For the DIQKD repetition-code protocol described above, if Eve’s single-round conditional states as described in (5)–(6) satisfy $\rho_{ET|01}=\rho_{ET|10}$ and

Q(\rho_{ET|00},\rho_{ET|11})\leq\frac{\epsilon}{1-\epsilon},

(14)

then regardless of block size $k$ , the protocol does not achieve a positive asymptotic keyrate.

Observe that Theorems 1 and 2 yield almost complementary sufficient and necessary conditions for security of the repetition-code protocol, except for the extra condition $\rho_{ET|01}=\rho_{ET|10}$ in the latter. As a speculative consideration, if we were to conjecture that Eve’s states can be taken to satisfy this condition without loss of generality, then the conditions would indeed become exactly complementary. We remark that it does seem plausible to conjecture that Eve can indeed always perform an operation on her side-information such that this condition is fulfilled (while keeping the states $\rho_{ET|00},\rho_{ET|11}$ unchanged), because it essentially corresponds to having Eve “erase” her side-information whenever Alice and Bob did not get the same output value. In fact, this property indeed holds for the device-dependent QKD protocols considered in [22], and was used in their security proof. However, it does not straightforwardly generalize to DIQKD (as discussed in [19]), and hence proving this conjecture in this setting would require further work.

Again, while we defer the full proof of Theorem 2 to Appendix D, we informally outline some main ideas here:

Informal proof outline:.

Our approach is similar to the proof of Proposition 3 in [19], but again with the relevant quantity being the NQCD rather than the fidelity. We begin the same observations as in the Theorem 1 proof, considering the four possible values for $(C,C^{\prime})$ and the corresponding side-information states (10). However, one difficulty encountered here as compared to the Theorem 1 proof is that the continuity argument we previously used to remove the $C\neq C^{\prime}$ cases does not seem sharp enough to give a nontrivial result in this case. This is essentially the reason for the additional condition in Theorem 2 that Eve’s states satisfy $\rho_{ET|01}=\rho_{ET|10}$ ; this condition ends up allowing us to remove the $C\neq C^{\prime}$ cases from the analysis (the same approach was used in [19]).

With those cases removed, the proof again reduces to studying states of the form (11). By following a similar argument as in Lemma 1, we also reduce the analysis to states of the form (12). We then exploit the tensor-power structure of Eve’s side-information states in (12), to show that Eve can produce a guess $C^{\prime\prime}$ for $C$ such that the probability of her guess being wrong is upper bounded in terms of $Q(\rho_{ET|00},\rho_{ET|11})$ . With this, we show that whenever the condition (14) holds, the guess $C^{\prime\prime}$ satisfies the condition (8) (regardless of block size $k$ ), implying that positive asymptotic keyrate cannot be achieved. ∎

We highlight that while we have presented these theorems for the DI setting, they are in fact valid as security conditions for the repetition-code protocol in the device-dependent setting as well, because the proofs for these theorems by themselves do not make use of any properties specific to the DI setting. In particular, in that context our results can be viewed as an extension of the results in [22] for device-dependent qubit protocols — for such protocols, our above theorems in fact reduce to precisely the same security conditions as those derived in [22]. However, our results are more general in that they also apply for this repetition-code procedure performed using higher-dimensional qudits, as long as the measurements only have two outcomes. (While qudit protocols were also investigated in [22], a different form of advantage distillation procedure was considered for those protocols, hence those results are not directly comparable to ours.)

As a comparison, we now state the results derived in previous works (for the DI setting) that were instead based on the fidelity $F(\rho_{ET|00},\rho_{ET|11})$ . First, Theorem 1 of [18] states that a sufficient condition for the protocol to achieve positive asymptotic keyrate (for large enough $k$ ) is

\displaystyle F(\rho_{ET|00},\rho_{ET|11})^{2}>\frac{\epsilon}{1-\epsilon}.

(15)

Furthermore, Proposition 3 of [19] states⁴⁴4In fact, Proposition 3 of [19] also covers a variant of the fidelity known as the “pretty-good fidelity” [33, 34, 35], but our subsequent discussions regarding the condition (16) are also valid for the pretty-good fidelity, as it is also lower bounded by $Q(\rho_{ET|00},\rho_{ET|11})$ [34]. that if Eve’s conditional states satisfy $\rho_{ET|01}=\rho_{ET|10}$ and

F(\rho_{ET|00},\rho_{ET|11})\leq\frac{\epsilon}{1-\epsilon},

(16)

then the protocol cannot achieve positive asymptotic keyrate (for any $k$ ).

Note that unlike our result, these conditions are not perfectly “complementary” to each other, as the fidelity term is squared in one but not the other. Furthermore, note that whenever the fidelity-based sufficient condition (15) holds, our sufficient condition (9) automatically holds as well, due to the inequality $Q(\rho_{ET|00},\rho_{ET|11})\geq F(\rho_{ET|00},\rho_{ET|11})^{2}$ (Eq. (32) in [27]). Similarly, whenever the fidelity-based condition (16) holds, our condition (14) automatically holds as well, by the inequality $Q(\rho_{ET|00},\rho_{ET|11})\leq F(\rho_{ET|00},\rho_{ET|11})$ (Eq. (28) in [27]). Hence any conclusion that could have been drawn about the security of the repetition-code protocol using the conditions (15) and (16) could also have been drawn using our conditions (9) and (14), but not necessarily vice versa. In this sense, our results serve as an improvement over the fidelity-based conditions.

III.2 Resulting noise tolerances

We now use our results to compute the noise tolerances for 2-output distributions for a varying number of measurement settings, using the depolarizing noise model. Explicitly, this means that $\operatorname{Pr}(ab|xy)$ (recall that this denotes the distribution after symmetrization) is of the following form:

\operatorname{Pr}(ab|xy)=(1-2q)\operatorname{Pr}_{\mathrm{target}}(ab|xy)+\frac{q}{2},

(17)

where $q\in[0,\frac{1}{2}]$ is the depolarizing noise parameter, and $\Pr_{\mathrm{target}}$ is some target distribution (after symmetrization) described by the relevant measurement choice. We now present the three scenarios we consider: in all cases, the target distributions are generated by performing the specified measurements on the maximally entangled Bell state $\ket{\Phi^{+}}=\frac{1}{\sqrt{2}}(\ket{00}+\ket{11})$ (in the following, $X$ and $Z$ denote the Pauli $X$ and $Z$ observables respectively).

1.

Alice and Bob have two measurement settings each, described by

$\displaystyle A_{0}=Z,\;A_{1}=X,\;B_{0}=\frac{X+Z}{\sqrt{2}},\;B_{1}=\frac{X-Z}{\sqrt{2}}.$ (18)

This corresponds to choosing the measurements such that they maximize the violation of the CHSH inequality [8] on $\ket{\Phi^{+}}$ . These measurements have the drawback that even in the absence of noise, we have $\epsilon\neq 0$ because the key-generating measurements $A_{0},B_{0}$ do not produce perfectly correlated outputs.
2.

Alice and Bob have two and three measurement settings respectively, described by

$\begin{gathered}A_{0}=B_{0}=Z,\\ A_{1}=X,\;B_{1}=\frac{X+Z}{\sqrt{2}},\;B_{2}=\frac{X-Z}{\sqrt{2}}.\end{gathered}$ (19)

With this, the key-generating measurements $A_{0},B_{0}$ achieve $\epsilon=0$ in the absence of noise, while the measurements $A_{0},A_{1},B_{1},B_{2}$ are equivalent to case 1 up to relabelling. This scenario was studied in the basic DIQKD protocol proposed in [6], as well as many subsequent works [11, 12, 13, 36] (sometimes with slight modifications).
3.

Alice and Bob each have 4 measurement settings, described by

$\displaystyle A_{0}=Z,\;A_{1}=\frac{X+Z}{\sqrt{2}},\;A_{2}=X,\;A_{3}=\frac{X-Z}{\sqrt{2}},$ (20)

and $B_{j}=A_{j}$ for all $j\in\{0,1,2,3\}$ . This case can be viewed as a combination of the Mayers-Yao self-test [37] with the measurements in case 1. Alternatively, it can be viewed as having Alice and Bob both perform all the measurements listed in case 1.

To compute the maximum tolerable noise for the new security condition in Theorem 2, it is necessary to establish a lower bound on $Q(\rho_{ET|00},\rho_{ET|11})$ in terms of some quantity which we can bound in the device-independent context. One such convenient quantity is the trace distance $d(\rho_{ET|00},\rho_{ET|11})$ , which is related to $Q(\rho_{ET|00},\rho_{ET|11})$ by the following inequality (Eq. (9) in [26]), similar to the Fuchs–van de Graaf inequality:

Q(\rho_{ET|00},\rho_{ET|11})\geq 1-d(\rho_{ET|00},\rho_{ET|11}).

(21)

Importantly, as noted in [18], there exists a technique to compute upper bounds on $d(\rho_{ET|00},\rho_{ET|11})$ for DI protocols. Namely, by the operational interpretation of trace distance (see e.g. [28]), it can be written as $d(\rho_{ET|00},\rho_{ET|11})=2P_{g}(\rho_{ET|00},\rho_{ET|11})-1$ , where $P_{g}(\rho_{ET|00},\rho_{ET|11})$ is the distinguishing probability between the states $\rho_{ET|00},\rho_{ET|11}$ . This probability can equivalently be viewed as Eve’s probability of guessing Alice and Bob’s single-round measurement outcomes (using her side-information $ET$ ) conditioned on Alice and Bob getting the same outcomes, and an SDP technique for securely bounding such probabilities in device-independent protocols was developed in [38]. Hence to find the maximum noise value for which we can prove the protocol is secure, our approach is to apply the technique in [38] to bound the right-hand-side of (21) as a function of $q$ , and find the intersection of the resulting curve with the right-hand-side of (9).

With this, we obtained the noise tolerances shown below for the three scenarios. As some points of comparison, we also include some results obtained in previous works, which we describe in more detail below.

Case 1:	$7.71\%$
Case 2:	$8.18\%$
Case 3:	$9.56\%$
Basic one-way protocol in [6]:	$7.14\%$
Previous highest threshold [29]:	$9.33\%$
Upper bound from [10]:	$13.69\%$

From the above list, we see that case 3 gives the best noise tolerances out of the cases we have considered. Regarding the other results we presented for comparison, the value of $7.14\%$ is the noise tolerance of the basic one-way protocol proposed in an early DIQKD work [6]. As for the value of $9.33\%$ , this was the noise tolerance obtained in [29], which is the highest value achieved thus far amongst all previous works — we highlight that our best result (case 3) surpasses this value, albeit only by a small amount. Interestingly, the protocol studied in that work only involves one-way error correction, but it achieved high noise tolerances by using the noisy pre-processing and random key measurement techniques in tandem. Finally, the last value we listed above is an upper bound derived in [10] on the noise tolerances achievable by a wide family of DIQKD protocols, including the advantage distillation protocol we study here (for any of the three cases). We see that our results are still quite far from saturating this upper bound, so it remains unclear how tight this upper bound is.

To more specifically compare the three cases we considered to the works [6] and [29], we note that the analysis in the former was based on the same measurement settings as in case 2 here, and the latter is also based on a similar scenario, except with one additional measurement setting for Bob. Hence the scenario we considered here that is most similar to those works is essentially case 2, in which our result outperforms the noise tolerance obtained in [6] but not that in [29]. In principle, for a fairer comparison to our results, one could analyze the noise tolerances of the protocols in those works when considering the measurement settings in case 3 (which was the scenario giving the best noise tolerances in our work). However, this scenario was not analyzed in those works, because their proof approaches relied on a specialized reduction to qubit states that does not seem easy to apply for case 3. Hence this would not be a straightforward question to resolve, and we leave it for future work.

It may also be of interest to compare our results to the previous works [18, 19] based on the fidelity-based security condition (15), which did explore all three cases considered here. We first briefly review those previous approaches: the fidelity-based condition (15) was first presented in [18], where noise tolerances were computed using the Fuchs–van de Graaf inequality:

F(\rho_{ET|00},\rho_{ET|11})\geq 1-d(\rho_{ET|00},\rho_{ET|11}),

(22)

with $d(\rho_{ET|00},\rho_{ET|11})$ being bounded using the SDP technique in [38]. Subsequently, the work [19] improved on this approach by developing an SDP algorithm to directly compute arbitrarily tight lower bounds on $F(\rho_{ET|00},\rho_{ET|11})$ , resulting in increased noise tolerance as compared to using the indirect bound (22). We note, however, that for 2-input 2-output protocols in particular, a different sufficient security condition was also derived in [18] (see Corollary 1 in that work), based on the trace distance directly:

\displaystyle 1-d(\rho_{ET|00},\rho_{ET|11})>\frac{\epsilon}{1-\epsilon}.

(23)

For such protocols, the noise tolerances found in [18] via this condition (using the SDP technique of [38] to bound $d(\rho_{ET|00},\rho_{ET|11})$ ) turned out to be better than those obtained by applying the fidelity-based condition (15) with the SDP algorithm of [19].

In light of the above points, we see that for case 1 (which is a 2-input 2-output protocol), our approach here can only yield the same noise tolerance as that obtained in [18] using the condition (23). This is because we only used the bound (21) to check whether our sufficient security condition (9) is satisfied, in which case this becomes equivalent to checking the condition (23). Therefore, the noise tolerance value of $q\approx 7.71\%$ we obtained for this case is the same as that obtained in [18]. (Alternatively, if the measurement settings for this case are modified to optimize the noise tolerance instead of the CHSH value, the noise tolerance can be improved to $q\approx 9.1\%$ as noted in [18].)

In the remaining cases, however, we can anticipate an improvement in our results compared to [18], recalling that it only used the inequality (22) (which is of basically the same form as the inequality (21) we used here) to check whether the fidelity-based condition (15) is satisfied. On the other hand, the approach in [19] was to bound the fidelity directly and check whether the condition (15) is satisfied, and hence it is not a priori clear whether our approach would be able to outperform it, since we have only bounded $Q(\rho_{ET|00},\rho_{ET|11})$ indirectly using (21). Still, it turned out in the end that our results did indeed yield an improvement over the latter. Explicitly, for case 2 our noise tolerance value of $q\approx 8.18\%$ is an improvement of $2.1\%$ and $1.1\%$ over the results in [18] and [19], respectively. As for case 3, our noise tolerance value of $q\approx 9.56\%$ is an increase of $2.7\%$ and $1.3\%$ over the results in [18] and [19], respectively.

IV Discussion and conclusion

In this work, we have shown that the NQCD can be used to obtain a sufficient condition for security of the repetition-code advantage distillation protocol in DIQKD, for the scenario of IID collective attacks. Furthermore, it also gives a precisely complementary necessary condition for security, up to a conjecture regarding the structure of Eve’s attack. This strongly indicates that the NQCD should be the central quantity to consider in analyzing the security of this protocol, allowing us to focus our attention on this quantity in subsequent study of this topic. In particular, resolving that conjecture would imply that when considering the question of whether this protocol allows secret key generation (against IID collective attacks), it suffices to study the value of $Q(\rho_{ET|00},\rho_{ET|11})$ .

Regarding the explicit noise tolerance thresholds given by this security condition, in this work we did not find an approach to bound $Q(\rho_{ET|00},\rho_{ET|11})$ directly in the DI setting, and instead bounded it indirectly using the trace distance, which is not necessarily optimal. However, our results in Sec. III.2 show that even with this limitation, our approach already suffices to certify that advantage distillation can outperform one-way protocols (under the assumption of IID collective attacks), even when using the noisy pre-processing and random key measurement techniques.

Still, there is a significant gap between the results we obtained and the upper bounds on noise tolerance derived in [10], and hence there still remains potential for further improvement. In particular, if tighter lower bounds on $Q(\rho_{ET|00},\rho_{ET|11})$ were established, we would be able to further increase our noise tolerance thresholds. To this end, one could aim to develop a numerical algorithm that can compute arbitrarily tight lower bounds on $Q(\rho_{ET|00},\rho_{ET|11})$ in the DI setting, similar to the approach developed in [19] for bounding the fidelity. However, such an algorithm would face the difficulty that it is not currently known whether there exists a measurement on Eve’s registers that leaves $Q(\rho_{ET|00},\rho_{ET|11})$ invariant — this property, which does hold for the fidelity, was essential to the approach in [19]. Nevertheless, the development of a numerical algorithm that calculates the equivalent for $Q(\rho_{ET|00},\rho_{ET|11})$ remains an avenue for further study, which could potentially improve the noise tolerance thresholds.

A relevant consideration for further research is the minimum block size $k$ required to yield a positive key rate with our new security condition. One drawback of the proof approach in this work, as noted in Sec. III.1, is that it does not provide explicit bounds on this minimum block size. Resolving this issue would require finding a lower bound on the conditional entropy $H(C|\mathbf{ET})_{\overline{\rho}}$ in terms of $Q(\rho_{ET|00},\rho_{ET|11})$ only, without any dependence on the system dimensions. The lower bound we use in our security proof is reliant on a function $g(k)$ (see Appendix A) whose only known lower bound is dimension-dependent [32]. To explicitly compute the minimum required block sizes in the DI setting, one would need to find a dimension-independent lower bound on $g(k)$ (possibly at the cost of changing its asymptotic scaling behaviour with respect to $k$ , though such a change is not an issue for our proof), or possibly use an entirely different proof approach.

For the security conditions we derived in this work, the symmetrization bits $\mathbf{T}$ played an important role in reducing our analysis to states of the special form (12). However, we note that it has been shown that if the repetition-code protocol is secure with the symmetrization procedure, then it is still secure without the symmetrization procedure [18, 39]. In particular, this implies that our sufficient security condition is still valid even in the latter setting (more precisely: if the condition (9) holds for the protocol with symmetrization, then the protocol without symmetrization is secure). On the other hand, this does potentially affect the necessary security condition — in principle, it might be possible that there exists an attack for Eve when symmetrization is performed, but not when it is omitted. This would imply that our sufficient and necessary conditions no longer match exactly for the protocol without symmetrization. We leave for future work the question of whether this is indeed the case, as well as whether the conjecture regarding Eve’s states in the necessary condition can be resolved. (On the other hand, for the modified version of the repetition-code protocol that we describe in Appendix C, the symmetrization step indeed does not affect either the necessary or sufficient conditions, as we discuss in that appendix.)

In this work, we have focused on the repetition-code protocol because in the device-dependent case, it is the protocol that has achieved the highest noise tolerances thus far [40]. However, a possible direction to investigate in future work would be other advantage distillation protocols, for instance as described in [23, 24]. In such protocols, the NQCD might no longer be the main quantity of interest: for the repetition-code protocol, it has a structure that yields tensor-power states similar to those considered when studying the NQCD, but this may not be the case for other advantage distillation protocols.

Finally, it would be ideal if our results could be extended to the coherent attack setting. One difficulty faced in this setting is that by eliminating the IID assumption, the single-round probability distributions $\operatorname{Pr}(ab|xy)$ and conditional states $\sigma_{E|ab}$ (and consequently $\rho_{ET|ab}$ ) would no longer be well-defined without conditioning on all previous input and output values. Also, the tensor product structure of $\rho_{\mathbf{ET}|\mathbf{mm}}$ would no longer hold, in which case it unclear whether it would be possible to extend our analysis based on the NQCD (whose nature is ingrained in distinguishing tensor-power states) to this regime.

Acknowledgements.

We thank Joseph M. Renes and Marco Tomamichel for helpful discussions. Financial support for this work has been provided by the Natural Sciences and Engineering Research Council of Canada (NSERC) Alliance, and Huawei Technologies Canada Co., Ltd. Computations were performed with the NPAHierarchy function in QETLAB [41], using the CVX package [42, 43] with solver MOSEK [44].

References

Bennett and Brassard [1984] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proceedings of International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984 (IEEE Press, New York, 1984) p. 175.
Ekert [1991] A. K. Ekert, Quantum cryptography based on Bell’s theorem, Physical Review Letters 67, 661 (1991).
Fung et al. [2007] C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, Phase-remapping attack in practical quantum-key-distribution systems, Physical Review A 75, 032314 (2007).
Gerhardt et al. [2011] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, Full-field implementation of a perfect eavesdropper on a quantum cryptography system, Nature Communications 2, 349 (2011).
Jain et al. [2015] N. Jain, B. Stiller, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, Risk Analysis of Trojan-Horse Attacks on Practical Quantum Key Distribution Systems, IEEE Journal of Selected Topics in Quantum Electronics 21, 168 (2015).
Pironio et al. [2009] S. Pironio, A. Acín, N. Brunner, N. Gisin, S. Massar, and V. Scarani, Device-independent quantum key distribution secure against collective attacks, New Journal of Physics 11, 045021 (2009).
Scarani [2012] V. Scarani, The device-independent outlook on quantum physics (lecture notes on the power of Bell’s theorem), Acta Physica Slovaca 62, 347 (2012).
Clauser et al. [1969] J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt, Proposed Experiment to Test Local Hidden-Variable Theories, Physical Review Letters 23, 880 (1969).
Brunner et al. [2014] N. Brunner, D. Cavalcanti, S. Pironio, V. Scarani, and S. Wehner, Bell nonlocality, Reviews of Modern Physics 86, 419 (2014).
Farkas et al. [2021] M. Farkas, M. Balanzó-Juandó, K. Łukanowski, J. Kołodyński, and A. Acín, Bell Nonlocality Is Not Sufficient for the Security of Standard Device-Independent Quantum Key Distribution Protocols, Physical Review Letters 127, 050503 (2021).
Ho et al. [2020] M. Ho, P. Sekatski, E. Y.-Z. Tan, R. Renner, J.-D. Bancal, and N. Sangouard, Noisy Preprocessing Facilitates a Photonic Realization of Device-Independent Quantum Key Distribution, Physical Review Letters 124, 10.1103/physrevlett.124.230502 (2020).
Woodhead et al. [2021] E. Woodhead, A. Acín, and S. Pironio, Device-independent quantum key distribution with asymmetric CHSH inequalities, Quantum 5, 443 (2021).
Sekatski et al. [2021] P. Sekatski, J.-D. Bancal, X. Valcarce, E. Y.-Z. Tan, R. Renner, and N. Sangouard, Device-independent quantum key distribution from generalized CHSH inequalities, Quantum 5, 444 (2021).
Masini et al. [2022] M. Masini, S. Pironio, and E. Woodhead, Simple and practical DIQKD security analysis via BB84-type uncertainty relations and Pauli correlation constraints, Quantum 6, 843 (2022).
Brown et al. [2021] P. Brown, H. Fawzi, and O. Fawzi, Device-independent lower bounds on the conditional von Neumann entropy, arXiv:2106.13692 [quant-ph] (2021).
Schwonnek et al. [2021] R. Schwonnek, K. T. Goh, I. W. Primaatmaja, E. Y.-Z. Tan, R. Wolf, V. Scarani, and C. C.-W. Lim, Device-independent quantum key distribution with random key basis, Nature Communications 12, 10.1038/s41467-021-23147-3 (2021).
Xu et al. [2022] F. Xu, Y.-Z. Zhang, Q. Zhang, and J.-W. Pan, Device-Independent Quantum Key Distribution with Random Postselection, Physical Review Letters 128, 110506 (2022).
Tan et al. [2020a] E. Y.-Z. Tan, C. C.-W. Lim, and R. Renner, Advantage Distillation for Device-Independent Quantum Key Distribution, Physical Review Letters 124, 020502 (2020a).
Hahn and Tan [2021] T. Hahn and E. Y.-Z. Tan, Fidelity Bounds for Device-Independent Advantage Distillation, arXiv:2105.03213v1 [quant-ph] (2021).
Maurer [1993] U. M. Maurer, Secret key agreement by public discussion from common information, IEEE Transactions on Information Theory 39, 733 (1993).
Renner [2005] R. Renner, Security of Quantum Key Distribution, Ph.D. thesis, ETH Zürich (2005).
Bae and Acín [2007] J. Bae and A. Acín, Key distillation from quantum channels using two-way communication protocols, Physical Review A 75, 012334 (2007).
Myhr et al. [2009] G. O. Myhr, J. M. Renes, A. C. Doherty, and N. Lütkenhaus, Symmetric extension in two-way quantum key distribution, Physical Review A 79, 042329 (2009).
Myhr [2011] G. O. Myhr, Symmetric extension of bipartite quantum states and its use in quantum key distribution with two-way postprocessing, arXiv:1103.0766v1 [quant-ph] (2011).
Nussbaum and Szkoła [2009] M. Nussbaum and A. Szkoła, The Chernoff lower bound for symmetric quantum hypothesis testing, The Annals of Statistics 37, 1040 (2009).
Audenaert et al. [2007] K. M. R. Audenaert, J. Calsamiglia, R. Muñoz-Tapia, E. Bagan, L. Masanes, A. Acin, and F. Verstraete, Discriminating States: The Quantum Chernoff Bound, Physical Review Letters 98, 160501 (2007).
Audenaert et al. [2008] K. M. R. Audenaert, M. Nussbaum, A. Szkoła, and F. Verstraete, Asymptotic Error Rates in Quantum Hypothesis Testing, Communications in Mathematical Physics 279, 251 (2008).
Nielsen and Chuang [2010] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information (Cambridge University Press, New York, 2010).
Tan et al. [2020b] E. Y.-Z. Tan, P. Sekatski, J.-D. Bancal, R. Schwonnek, R. Renner, N. Sangouard, and C. C.-W. Lim, Improved DIQKD protocols with finite-size analysis, arXiv:2012.08714v2 [quant-ph] (2020b).
George et al. [2021] I. George, J. Lin, and N. Lütkenhaus, Numerical calculations of the finite key rate for general quantum key distribution protocols, Physical Review Research 3, 013274 (2021).
Devetak and Winter [2005] I. Devetak and A. Winter, Distillation of secret key and entanglement from quantum states, Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 461, 207 (2005).
Audenaert et al. [2012] K. M. R. Audenaert, M. Mosonyi, and F. Verstraete, Quantum state discrimination bounds for finite sample size, Journal of Mathematical Physics 53, 122205 (2012).
Luo and Zhang [2004] S. Luo and Q. Zhang, Informational distance on quantum-state space, Physical Review A 69, 032106 (2004).
Audenaert [2014] K. M. R. Audenaert, Comparisons between quantum state distinguishability measures, Quantum Information and Computation 14, 31 (2014).
Iten et al. [2017] R. Iten, J. M. Renes, and D. Sutter, Pretty Good Measures in Quantum Information Theory, IEEE Transactions on Information Theory 63, 1270 (2017).
Arnon-Friedman et al. [2018] R. Arnon-Friedman, F. Dupuis, O. Fawzi, R. Renner, and T. Vidick, Practical device-independent quantum cryptography via entropy accumulation, Nature Communications 9, 459 (2018).
Mayers and Yao [1998] D. Mayers and A. Yao, Quantum cryptography with imperfect apparatus, in Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280) (1998) pp. 503–509.
Thinh et al. [2016] L. P. Thinh, G. de la Torre, J.-D. Bancal, S. Pironio, and V. Scarani, Randomness in post-selected events, New Journal of Physics 18, 035007 (2016).
Scarani and Renner [2008] V. Scarani and R. Renner, Security Bounds for Quantum Cryptography with Finite Resources, in Theory of Quantum Computation, Communication, and Cryptography, edited by Y. Kawano and M. Mosca (Springer Berlin Heidelberg, Berlin, Heidelberg, 2008) pp. 83–95.
Khatri and Lütkenhaus [2017] S. Khatri and N. Lütkenhaus, Numerical evidence for bound secrecy from two-way postprocessing in quantum key distribution, Physical Review A 95, 042320 (2017).
Johnston [2016] N. Johnston, QETLAB: A MATLAB toolbox for quantum entanglement, version 0.9, http://qetlab.com (2016).
Grant and Boyd [2014] M. Grant and S. Boyd, CVX: Matlab Software for Disciplined Convex Programming, version 2.1, http://cvxr.com/cvx (2014).
Grant and Boyd [2008] M. Grant and S. Boyd, Graph implementations for nonsmooth convex programs, in Recent Advances in Learning and Control, Lecture Notes in Control and Information Sciences, edited by V. Blondel, S. Boyd, and H. Kimura (Springer-Verlag Berlin Heidelberg, 2008) pp. 95–110, https://web.stanford.edu/~boyd/papers/graph_dcp.html.
MOSEK ApS [2019] MOSEK ApS, The MOSEK optimization toolbox for MATLAB manual. Version 8.1. (2019).
Winter [2016] A. Winter, Tight Uniform Continuity Bounds for Quantum Entropies: Conditional Entropy, Relative Entropy Distance and Energy Constraints, Communications in Mathematical Physics 347, 291 (2016).
Briët and Harremoës [2009] J. Briët and P. Harremoës, Properties of classical and quantum Jensen-Shannon divergence, Physical Review A 79, 052311 (2009).

Appendix A Proof of Theorem 1

Proof.

We modify the proof of Theorem 1 in [18] to replace the fidelity with the NQCD. Our goal is to show that the Devetak–Winter condition (7) (i.e. $H(C|\mathbf{ETM};D=1)-H(C|C^{\prime};D=1)>0$ ) is satisfied. To begin, we first note that conditioned on the block being accepted ( $D=1$ ), the probability that $C\neq C^{\prime}$ is

\displaystyle\operatorname{Pr}(C\neq C^{\prime}|D=1)=\frac{\epsilon^{k}}{\epsilon^{k}+(1-\epsilon)^{k}}.

(24)

For ease of notation, let us use $\delta_{k}$ to denote the right-hand-side of the above expression, i.e.

\displaystyle\delta_{k}\coloneqq\frac{\epsilon^{k}}{\epsilon^{k}+(1-\epsilon)^{k}}.

(25)

(Note that $\delta_{k}\to 0$ as $k\to\infty$ .) With this notation, the term $H(C|C^{\prime};D=1)$ in the Devetak–Winter condition can be written as

\displaystyle H(C|C^{\prime};D=1)=h\left(\delta_{k}\right),

(26)

where $h$ is the binary entropy function.

Now turning to the $H(C|\mathbf{ETM};D=1)$ term in the Devetak–Winter condition, we note that since $H(C|\mathbf{ETM};D=1)=\sum_{\mathbf{m}}\operatorname{Pr}(\mathbf{M}=\mathbf{m}|D=1)H(C|\mathbf{ET};\mathbf{M}=\mathbf{m}\text{ and }D=1)$ , it suffices to lower-bound the entropies $H(C|\mathbf{ET};\mathbf{M}=\mathbf{m}\text{ and }D=1)$ conditioned on each value of $\mathbf{m}$ . It was shown in [18] (see Eq. (S5) of the Supplemental Material for that work) that by using a continuity bound (Lemma 2 of [45]) to bound the contributions from cases where $C\neq C^{\prime}$ , the following bound holds:

\displaystyle H(C|\mathbf{ET};\mathbf{M}=\mathbf{m}\text{ and }D=1)\geq H(C|\mathbf{ET})_{\widetilde{\rho}}-\delta_{k}-(1+\delta_{k})h\left(\frac{\delta_{k}}{1+\delta_{k}}\right),

(27)

where $\widetilde{\rho}_{C\mathbf{ET}}$ is the state defined in (11).

Next, we note that by applying Lemma 1 followed by a bound that relates conditional entropies to trace distance (Theorem 14 of [46]), we have

\displaystyle H(C|\mathbf{ET})_{\widetilde{\rho}}=H(C|\mathbf{ET})_{\overline{\rho}}\geq 1-d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right).

(28)

Hence it suffices to upper bound the trace distance in the last expression. This brings us to the core part of our proof: the characteristic property of the NQCD (as shown in Theorem 2.2 of [25] and Eq. (1) of [26]) is that it is related to the trace distance $d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)$ by

\ln Q\left(\rho_{ET|00},\rho_{ET|11}\right)=\lim_{k\rightarrow\infty}\left(\frac{1}{k}\ln\frac{1-d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)}{2}\right).

(29)

Let us define $g(k)$ to be the difference between the argument in the right-hand-side of the above expression and its limiting value (basically, $g(k)$ quantifies how fast the above limit converges):

g(k)\coloneqq\frac{1}{k}\ln\frac{1-d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)}{2}-\ln Q\left(\rho_{ET|00},\rho_{ET|11}\right),

(30)

in which case $\lim_{k\rightarrow\infty}g(k)=0$ due to (29). With this, we can write the trace distance in terms of $g(k)$ and $Q\left(\rho_{ET|00},\rho_{ET|11}\right)$ as $d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)=1-2e^{kg(k)}Q\left(\rho_{ET|00},\rho_{ET|11}\right)^{k}$ . It follows that $Q\left(\rho_{ET|00},\rho_{ET|11}\right)$ can be related to the conditional entropy of $\overline{\rho}_{C\mathbf{ET}}$ by

H\left(C|\mathbf{ET}\right)_{\overline{\rho}}\geq 2e^{kg(k)}Q\left(\rho_{ET|00},\rho_{ET|11}\right)^{k}.

(31)

Putting together the above inequalities and the formula (26), it follows that

\displaystyle\frac{H(C|\mathbf{ETM};D=1)}{H(C|C^{\prime};D=1)}\geq\frac{1}{h\left(\delta_{k}\right)}\left(2e^{kg(k)}Q\left(\rho_{ET|00},\rho_{ET|11}\right)^{k}-\delta_{k}-(1+\delta_{k})h\left(\frac{\delta_{k}}{1+\delta_{k}}\right)\right).

(32)

It was shown in [18] (see Eq. (S11) in the Supplemental Material of that work) that the term $\frac{1}{h(\delta_{k})}\left(-\delta_{k}-(1+\delta_{k})h\left(\frac{\delta_{k}}{1+\delta_{k}}\right)\right)$ approaches $-1$ as $k\rightarrow\infty$ . Therefore, it would be sufficient to show that the term $\frac{1}{h(\delta_{k})}e^{kg(k)}Q\left(\rho_{ET|00},\rho_{ET|11}\right)^{k}$ limits to some value strictly larger than $1$ as $k\to\infty$ , since this would mean we have $H(C|\mathbf{ETM};D=1)\geq H(C|C^{\prime};D=1)$ for sufficiently large $k$ .

Let $\beta=\frac{\epsilon}{1-\epsilon}\in[0,1)$ , so the theorem condition $Q(\rho_{ET|00},\rho_{ET|11})>\frac{\epsilon}{1-\epsilon}$ can be written as $Q\left(\rho_{ET|00},\rho_{ET|11}\right)>\beta$ . Recall that by construction $g(k)$ satisfies $\lim_{k\rightarrow\infty}g(k)=0$ , which means that for any strictly positive value $M$ , we will have $g(k)\geq-M$ for all sufficiently large $k$ . Specifically, if we pick $M=(\ln Q\left(\rho_{ET|00},\rho_{ET|11}\right)-\ln\beta)/2$ (which is strictly positive since $Q\left(\rho_{ET|00},\rho_{ET|11}\right)>\beta$ ), then there exists $N_{1}\in\mathbb{N}$ such that for all $k>N_{1}$ we have

g(k)\geq-\frac{\ln Q\left(\rho_{ET|00},\rho_{ET|11}\right)-\ln\beta}{2}.

(33)

Furthermore, notice that $\delta_{k}\leq\beta^{k}$ , and that there exists $N_{2}\in\mathbb{N}$ such that for all $k>N_{2}$ , we have $\beta^{k}<\frac{1}{2}$ . Hence for all $k>N_{2}$ , we can upper bound $h(\delta_{k})$ in terms of $\beta$ via $h(\delta_{k})\leq h\left(\beta^{k}\right)\leq 2\beta^{k}\log_{2}\left({1}/{\beta^{k}}\right)$ (that last inequality follows from the fact that $h(x)\leq 2x\log_{2}(1/x)$ for $x\in[0,1/2]$ ). Putting these together, we see that for all $k>\max\{N_{1},N_{2}\}$ we have

$\displaystyle\frac{e^{kg(k)}Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}}{h(\delta_{k})}$	$\displaystyle\geq\frac{e^{kg(k)}Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}}{2k\beta^{k}\log_{2}\left(\frac{1}{\beta}\right)}$	(34)
	$\displaystyle=\frac{e^{k\left(g(k)+\ln Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)-\ln\beta\right)}}{2k\log_{2}\left(\frac{1}{\beta}\right)}$	(35)
	$\displaystyle\geq\frac{e^{k\left({\ln Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)-\ln\beta}\right)/{2}}}{2k\log_{2}\left(\frac{1}{\beta}\right)}.$	(36)

Since as noted above we have $\ln Q\left(\rho_{ET|00},\rho_{ET|11}\right)-\ln\beta>0$ from the theorem condition $Q\left(\rho_{ET|00},\rho_{ET|11}\right)>\beta$ , it is clear that the lower bound becomes strictly larger than $1$ as $k\to\infty$ , which is the desired result. (In fact, the lower bound becomes arbitrarily large as $k$ increases. This reflects the fact that for the repetition-code protocol, informally speaking we can expect that the ratio between $H(C|\mathbf{ETM};D=1)$ and $H(C|C^{\prime};D=1)$ should become arbitrarily large as the block size $k$ increases, because at large block sizes the repetition-code protocol is more effective at “distilling” the Alice-Bob correlations over the Alice-Eve correlations.) ∎

Appendix B Proof of Lemma 1

Proof.

Let us define the unitary operator $U_{X}=\operatorname{id}_{E}\otimes X$ , where $X$ denotes the Pauli- $X$ operator. Importantly, observe that from the definition of the $\rho_{ET|ii}$ states, the unitary $U_{X}$ takes $\rho_{ET|ii}$ to $\rho_{ET|\overline{i}\overline{i}}$ . For any string $\mathbf{m}\in\mathbb{Z}_{2}^{k}$ , we define the unitary operator $U^{(\mathbf{m})}=\otimes_{i=1}^{k}U_{X}^{m_{i}}$ . Observe that for the states $\rho_{\mathbf{ET}|\mathbf{mm}}$ as defined in (10), the unitary $U^{(\mathbf{m})}$ takes $\rho_{\mathbf{ET}|\mathbf{mm}}$ to $\rho_{ET|00}^{\otimes k}$ and $\rho_{\mathbf{ET}|\mathbf{\overline{m}}\mathbf{\overline{m}}}$ to $\rho_{ET|11}^{\otimes k}$ .

Furthermore, note that for each $\mathbf{m}\in\mathbb{Z}_{2}^{k}$ , the unitary operator $\widetilde{U}^{(\mathbf{m})}=\operatorname{id}_{C}\otimes U^{(\mathbf{m})}$ transforms $\widetilde{\rho}_{C\mathbf{ET}}$ to $\overline{\rho}_{C\mathbf{ET}}$ (recall that the former state implicitly has a dependence on $\mathbf{m}$ ). Due to the unitary invariance of the von Neumann entropy, this means we have $H(C\mathbf{ET})_{\widetilde{\rho}}=H(C\mathbf{ET})_{\overline{\rho}}$ and $H(\mathbf{ET})_{\widetilde{\rho}}=H(\mathbf{ET})_{\overline{\rho}}$ . Applying the definition of conditional von Neumann entropy, we get

H(C|\mathbf{ET})_{\widetilde{\rho}}=H(C\mathbf{ET})_{\widetilde{\rho}}-H(\mathbf{ET})_{\widetilde{\rho}}=H(C\mathbf{ET})_{\overline{\rho}}-H(\mathbf{ET})_{\overline{\rho}}=H(C|\mathbf{ET})_{\overline{\rho}}.

(37)

This proves the claim. ∎

Appendix C Modified repetition-code protocol

We consider a modification of the repetition-code protocol where Alice and Bob perform the same operations as specified in the main text, but the condition for accepting a block is stricter: we require that Bob’s string satisfies $\widetilde{\mathbf{B}}_{0}\oplus\mathbf{M}=(C^{\prime},...,C^{\prime})$ for some $C^{\prime}\in\{0,1\}$ just as in the standard version, but also that Alice and Bob’s strings $\widetilde{\mathbf{A}}_{0},\widetilde{\mathbf{B}}_{0}$ are also both constant bit-strings (i.e. each of them is either an all- $0$ or all- $1$ string). This would require both Alice and Bob to make a public announcement: for instance, we can say that in each block Alice announces $D_{A}=1$ if and only if $\widetilde{\mathbf{A}}_{0}$ is a constant bit-string, while Bob announces $D_{B}=1$ if and only if $\widetilde{\mathbf{B}}_{0}\oplus\mathbf{M}=(C^{\prime},...,C^{\prime})$ for some $C^{\prime}\in\{0,1\}$ and $\widetilde{\mathbf{B}}_{0}$ is a constant bit-string. Alice and Bob can then set $D=1$ (i.e. accept the block) if and only if $D_{A}=D_{B}=1$ .

In the context of the security proofs, the condition for $D=1$ (i.e. accepting the block) is now stricter, which allows us to perform some simplifications in the proofs. We begin by noting that by the same arguments as in the starting parts of the proofs in Appendices A and D, it suffices to study the states conditioned $\mathbf{M}=\mathbf{m}$ for each possible value of $\mathbf{m}$ . However, with this modified condition for accepting the block, we see that there are only two possible values of $\mathbf{M}$ when $D=1$ , namely $\mathbf{M}=(0,\dots,0)$ and $\mathbf{M}=(1,\dots,1)$ . Focusing first on the former case, we list the scenarios corresponding to the four possible values of $(C,C^{\prime})$ , conditioned on $\mathbf{M}=(0,\dots,0)$ and $D=1$ (using the fact that the relation $\mathbf{M}=\widetilde{\mathbf{A}}_{0}\oplus(C,\dots,C)$ is equivalent to $\widetilde{\mathbf{A}}_{0}=\mathbf{M}\oplus(C,\dots,C)$ , and analogously for Bob with $\widetilde{\mathbf{B}}_{0}$ and $C^{\prime}$ ):

1.

Alice generated $C=0$ and Bob computed $C^{\prime}=0$ . In this case, since $\mathbf{M}=(0,\dots,0)$ , Alice’s string must be $\widetilde{\mathbf{A}}_{0}=\mathbf{M}\oplus(C,\dots,C)=(0,\dots,0)$ , and since $D=1$ , Bob’s string must be $\widetilde{\mathbf{B}}_{0}=\mathbf{M}\oplus(C^{\prime},\dots,C^{\prime})=(0,\dots,0)$ .
2.

Alice generated $C=0$ and Bob computed $C^{\prime}=1$ . In this case, since $\mathbf{M}=(0,\dots,0)$ , Alice’s string must be $\widetilde{\mathbf{A}}_{0}=\mathbf{M}\oplus(C,\dots,C)=(0,\dots,0)$ , and since $D=1$ , Bob’s string must be $\widetilde{\mathbf{B}}_{0}=\mathbf{M}\oplus(C^{\prime},\dots,C^{\prime})=(1,\dots,1)$ .
3.

Alice generated $C=1$ and Bob computed $C^{\prime}=0$ . In this case, since $\mathbf{M}=(0,\dots,0)$ , Alice’s string must be $\widetilde{\mathbf{A}}_{0}=\mathbf{M}\oplus(C,\dots,C)=(1,\dots,1)$ , and since $D=1$ , Bob’s string must be $\widetilde{\mathbf{B}}_{0}=\mathbf{M}\oplus(C^{\prime},\dots,C^{\prime})=(0,\dots,0)$ .
4.

Alice generated $C=1$ and Bob computed $C^{\prime}=1$ . In this case, since $\mathbf{M}=(0,\dots,0)$ , Alice’s string must be $\widetilde{\mathbf{A}}_{0}=\mathbf{M}\oplus(C,\dots,C)=(1,\dots,1)$ , and since $D=1$ , Bob’s string must be $\widetilde{\mathbf{B}}_{0}=\mathbf{M}\oplus(C^{\prime},\dots,C^{\prime})=(1,\dots,1)$ .

Now observe that scenarios 1–4 correspond to Eve holding conditional states $\rho_{ET|00}^{\otimes k},\rho_{ET|01}^{\otimes k},\rho_{ET|10}^{\otimes k}$ and $\rho_{ET|11}^{\otimes k}$ respectively, due to the values of Alice and Bob’s strings in each scenario. Recall we want to quantify Eve’s uncertainty about $C$ , in the form of a lower bound on $H(C|\mathbf{ET};\mathbf{M}=(0,\dots,0)\text{ and }D=1)$ . If we now informally ignore scenarios 2 and 3 as they occur with low probability for large $k$ (to see how to rigorously remove these cases, see the bound (27) in Appendix A, or the bound (38) in Appendix D based on the condition $\rho_{ET|01}=\rho_{ET|10}$ ), we see that the state across the registers $C\mathbf{ET}$ (conditioned on $\mathbf{M}=(0,\dots,0)\text{ and }D=1$ ) would be precisely of the form (12), as claimed. Hence informally speaking, Eve’s task is then reduced to distinguishing between the states $\rho_{ET|00}^{\otimes k}$ and $\rho_{ET|11}^{\otimes k}$ , which are $k$ copies of two different quantum states, a situation in which the NQCD naturally arises. The remainder of the analysis for this case proceeds the same way as in Appendices A or D, although here we already have that the state on $C\mathbf{ET}$ is of the form (12).

To finish the argument, we consider the other possible value of $\mathbf{M}$ when the block is accepted, i.e. $\mathbf{M}=(1,\dots,1)$ . Repeating the above analysis shows that the scenarios 1–4 instead correspond to Eve holding conditional states $\rho_{ET|11}^{\otimes k},\rho_{ET|10}^{\otimes k},\rho_{ET|01}^{\otimes k}$ and $\rho_{ET|00}^{\otimes k}$ respectively, in which case (again, after removing scenarios 2 and 3) the state across the registers $C\mathbf{ET}$ is again of the form (12) except for a bitflip on the $C$ register. Since that bitflip does not affect the conditional entropy (in the Appendix A proof) or the probability that Eve can guess $C$ (in the Appendix D proof), we see that the state (12) is again basically the relevant state to consider for this case.

One interesting aspect of this modified protocol is that we do not need to use Lemma 1 in its security analysis, since by the above arguments we can focus on the state (12) without invoking Lemma 1. Note that this lemma is essentially the only part of the proofs in Appendices A or D that relies on explicitly analyzing the symmetrization bits $\mathbf{T}$ , apart from the fact that they ensure the outcome distribution in each round has the form $\text{Pr}(01|00)=\text{Pr}(10|00)=\frac{\epsilon}{2}$ , $\text{Pr}(00|00)=\text{Pr}(11|00)=\frac{1-\epsilon}{2}$ . This implies that for this modified protocol, if it could be otherwise enforced that the outcome distribution takes that form without using symmetrization bits (e.g. by a suitable analysis of the parameter-estimation step in the IID asymptotic limit), then the symmetrization step could be omitted without affecting the sufficient or necessary security conditions, apart from the minor modification of phrasing them in terms of the states $\sigma_{E|ab}$ in (4) rather than the states $\rho_{E|ab}$ in (5)–(6).

Appendix D Proof of Theorem 2

Proof.

Our goal will be to show that the inequality (8) (i.e. $\operatorname{Pr}(C\neq C^{\prime\prime}|D=1)\leq\operatorname{Pr}(C\neq C^{\prime}|D=1)$ ) holds, in which case the asymptotic keyrate cannot be positive. First note that as observed in (24)–(25), we have $\operatorname{Pr}(C\neq C^{\prime}|D=1)=\delta_{k}$ . Next, we use a result from [19]: using the operational relation between trace distance and distinguishing probability, it was shown in that work (as Eq. (70)) that given the condition $\rho_{ET|01}=\rho_{ET|10}$ , for any message value $\mathbf{m}$ Eve can produce a bit $C^{\prime\prime}$ such that

\displaystyle\operatorname{Pr}(C\neq C^{\prime\prime}|D=1\text{ and }\mathbf{M}=\mathbf{m})\leq\frac{1}{2}\left(1-\left(1-\delta_{k}\right)d\left(\rho_{\mathbf{ET|mm}},\rho_{\mathbf{ET|\overline{m}\overline{m}}}\right)\right).

(38)

Due to the invariance of the trace distance under unitary transformations, the same argument as in the proof of Lemma 1 can be applied to see that $d\left(\rho_{\mathbf{ET|mm}},\rho_{\mathbf{ET|\overline{m}\overline{m}}}\right)=d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)$ . Furthermore, the “Fuchs–van de Graaf-type” inequality derived as Eq. (9) in [26] relates this to the NQCD via $d\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)\geq 1-Q\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)$ . Lastly, since $\rho_{ET|00}^{\otimes k}$ and $\rho_{ET|11}^{\otimes k}$ are both tensor-power states, it can be straightforwardly shown from the definition of the NQCD that $Q\left(\rho_{ET|00}^{\otimes k},\rho_{ET|11}^{\otimes k}\right)=Q\left(\rho_{ET|00},\rho_{ET|11}\right)^{k}$ (more generally, this is a property of the NQCD that holds for all tensor-power states, and was important in proving its relevance to the topic of symmetric quantum hypothesis testing [26, 27]). Putting together the above relations, we see that the inequality (38) implies

	$\displaystyle\operatorname{Pr}(C\neq C^{\prime\prime}\|D=1\text{ and }\mathbf{M}=\mathbf{m})$	$\displaystyle\leq\frac{1}{2}\left(1-\left(1-\delta_{k}\right)\left(1-Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}\right)\right)$		(39)
		$\displaystyle=\frac{1}{2}\left(\delta_{k}+\left(1-\delta_{k}\right)Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}\right).$		(40)

Since the above bound holds for every $\mathbf{m}$ , we have that $\operatorname{Pr}(C\neq C^{\prime\prime}|D=1)$ is also upper bounded by the expression (40). Together with (24)–(25), we hence see that Eve’s bit $C^{\prime\prime}$ satisfies the inequality $\operatorname{Pr}(C\neq C^{\prime\prime}|D=1)\leq\operatorname{Pr}(C\neq C^{\prime}|D=1)$ (and thus the asymptotic keyrate cannot be positive) whenever

\displaystyle\frac{1}{2}\left(\delta_{k}+(1-\delta_{k})Q\left(\rho_{ET|00},\rho_{ET|11}\right)^{k}\right)\leq\delta_{k}.

(41)

However, rearranging the above condition shows that it is in fact just equivalent to

\displaystyle Q\left(\rho_{ET|00},\rho_{ET|11}\right)\leq\left(\frac{\delta_{k}}{1-\delta_{k}}\right)^{\frac{1}{k}},

(42)

and since

\displaystyle\left(\frac{\delta_{k}}{1-\delta_{k}}\right)^{\frac{1}{k}}=\left(\frac{\epsilon^{k}}{(1-\epsilon)^{k}}\right)^{\frac{1}{k}}=\frac{\epsilon}{1-\epsilon},

(43)

this is the desired result. ∎

$\displaystyle\frac{e^{kg(k)}Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}}{h(\delta_{k})}$	$\displaystyle\geq\frac{e^{kg(k)}Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}}{2k\beta^{k}\log_{2}\left(\frac{1}{\beta}\right)}$	(34)
	$\displaystyle=\frac{e^{k\left(g(k)+\ln Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)-\ln\beta\right)}}{2k\log_{2}\left(\frac{1}{\beta}\right)}$	(35)
	$\displaystyle\geq\frac{e^{k\left({\ln Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)-\ln\beta}\right)/{2}}}{2k\log_{2}\left(\frac{1}{\beta}\right)}.$	(36)

	$\displaystyle\operatorname{Pr}(C\neq C^{\prime\prime}\|D=1\text{ and }\mathbf{M}=\mathbf{m})$	$\displaystyle\leq\frac{1}{2}\left(1-\left(1-\delta_{k}\right)\left(1-Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}\right)\right)$		(39)
		$\displaystyle=\frac{1}{2}\left(\delta_{k}+\left(1-\delta_{k}\right)Q\left(\rho_{ET\|00},\rho_{ET\|11}\right)^{k}\right).$		(40)