Simple security proof of quantum key distribution based on complementarity

We present an approach to the unconditional security of quantum key distribution protocols based on a complementarity argument. The approach is applicable to, but not limited to, every case that has been treated via the argument by Shor and Preskill based on entanglement distillation, with a benefit of decoupling of the error correction from the privacy amplification. It can also treat cases with uncharacterized apparatuses. We derive a secure key rate for the Bennett–Brassard-1984 protocol with an arbitrary source characterized only by a single parameter representing the basis dependence.


Introduction
The aim of quantum key distribution (QKD) is to distribute a secret key between two distant parties, Alice and Bob, under the intervention by a third party, Eve. For any protocol of QKD, it is vital to have a proof of the unconditional security, which is the robustness against any kind of attack allowed by the law of physics, since it is the main advantage of QKD over classical schemes aiming at the same task. One of the well-known strategies for the security proof is the argument [1] given by Shor and Preskill, in which a reduction to an entanglement distillation protocol (EDP) based on Calderbank-Shor-Steane (CSS) quantum error correcting codes (QECC) [2,3] is used to show that the information leak on the final key is negligible. This approach has turned out to be quite versatile due to the simplicity of the idea: for example, the original proof for the BB84 protocol [4] has been extended [5,6] to cover the B92 protocol [7]. On the other hand, invoking the CSS-QECC in the proof requires us to choose a method for error correction and a method for privacy amplification carefully such that they correspond to a quantum code, which sometimes causes complication [8]. Decoupling of the error correction and the privacy amplification can be made by encrypting the former [9], but only when it satisfies a constraint coming from the CSS-QECC.
If we look back to the first proof [10] of unconditional security by Mayers, we notice that it also has its own merits. One disadvantage, the complexity of the proof, was recently remedied by a simple proof [11] by Koashi and Preskill based on the same spirit, namely, reduction to a two-party protocol by omitting one of the legitimate users by a symmetry argument. In this line of approach, the error correction and the privacy amplification are decoupled from the beginning, and we can just use any conventional scheme for the error correction. The proof also has a peculiar and useful property, which allows the use of basis-independent uncharacterized sources or detectors. For example, if we use an ideal detector, the source can be anything as long as it does not reveal which basis is used in the BB84 protocol. We can still use the same formula for the key rate, indicating that any fault in the source can be automatically caught in the form of an increase in the observed bit error rates. Unfortunately, the argument of omitting one party relies heavily on the symmetry of the BB84 protocol, and it cannot be applied to the protocols with no such symmetry.
In this paper, we present a general approach to the unconditional security based on a complementarity argument, extending the spirit initiated in the first proof by Mayers and applying tools developed in the proof by Lo and Chau [12] and the one by Shor and Preskill [1]. The new approach has the same advantages as the Mayers-Koashi-Preskill argument, while retaining the versatility of the Shor-Preskill argument. In fact, in any protocol having a proof that relies on the Shor-Preskill argument, we can decouple the error correction and the privacy amplification just by encrypting the former, thereby relieving it from the constraint of CSS-QECC. The new approach allows us to solve security problems with imperfect devices that were beyond either of the previous arguments. As an example, we derive a key rate formula for the BB84 protocol with an arbitrary source, the properties of which are unknown except for a bound on the fidelity between the averaged states for the two bases. Our proof also provides an insight into the recently predicted phenomenon of secure key from bound entanglement [13].
This paper is organized as follows. In section 2, we describe our main result, a simple security proof based on complementarity. After the main idea is explained, we prove a security statement in terms of the fidelity and the trace distance to the ideal key. As an example of applications, we apply the proof to the BB84 protocol with uncharacterized sources in section 3. In section 4, we reproduce the key rate for the six-state protocol. Then we conclude this paper in section 5.

Description of the actual protocol
Most of the QKD protocols can be equivalently described by an entanglement-based protocol, in which Alice and Bob share a pair of quantum systems H A ⊗ H B after discarding other systems used for the parameter estimation via random sampling tests. (Here and henceforth, we refer to a quantum system by its Hilbert space.) The state ρ 0 of H A ⊗ H B at this point is not completely specified and may be highly correlated among subsystems due to Eve's intervention, but the results of the tests may give a set of promises on the possible state. For example, in the case of the Shor-Preskill proof (we call it the Shor-Preskill case below), H A ⊗ H B is composed of N pairs of shared qubits, and there is a promise that the following statements hold except for an exponentially small probability: suppose that each qubit is measured on z or x basis. Then the number n bit of qubits showing the bit error (σ z ⊗ σ z = −1) satisfies n bit /N δ bit , and the number n ph with the phase error (σ x ⊗ σ x = −1) satisfies n ph /N δ ph . Here, δ bit and δ ph are determined from the results of the test. Here we consider more general cases, in which the size of H A ⊗ H B is arbitrary. We give a proof for the unconditional security of the protocols having the following form: Actual protocol. Alice and Bob make measurements on H A and H B , respectively. Through an encrypted classical communication consuming r bits of secret key, they agree on an N -bit reconciled key κ rec , except for a small failure probability ζ . In the binary vector space on N bits, one party chooses a linearly independent set {V k } k=1,...,N −m of N -bit sequences randomly and announces it. The kth bit of the final key κ fin is defined as scalar product κ rec · V k .
The definition of κ rec should be chosen depending on how the error correction is done. For example, if Bob's N -bit sifted key κ Bsif is regarded as the correct one and Alice tries to correct the error in her key κ Asif relative to κ Bsif , we may simply define κ rec to be Bob's sifted key, κ rec = κ Bsif . In a more complicated case, κ rec may coincide neither with κ Asif nor κ Bsif . After the error correction, Alice and Bob will obtain N -bit reconciled keys κ Arec and κ Brec , respectively, where κ Arec = κ Brec = κ rec holds with probability no less than 1 − ζ . Then they proceed to the privacy amplification to shorten their key by m bits. In the actual protocol above, we adopt a protocol of privacy amplification based on announcing random bit sequences {V k } k=1,...,N −m , which is simple from a theoretical point of view. Alice calculates {κ Arec · V k } k=1,...,N −m to determine her (N − m)-bit final key κ A , and Bob calculates {κ Brec · V k } k=1,...,N −m to determine his final key κ B . Note that κ A = κ B = κ fin holds except for probability ζ . The net secret key gain of the actual protocol is G = N − r − m bits, since it produces (N − m) bits of new secret key by consuming r bits of secret key.
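The privacy amplification step of the actual protocol can be written out classically. The following Python sketch is an added example, not code from the paper: it draws a random linearly independent set {V k} over GF(2), forms the final key from the scalar products κ rec · V k, and shows by linearity how a residual reconciliation error propagates into the final key. The sizes N = 64, r = 20, m = 24, the seed and all function names are constructed for illustration.

```python
import random


def parity(x, v):
    """Scalar product x . v over GF(2); bit vectors are stored as Python ints."""
    return bin(x & v).count("1") & 1


def insert_into_basis(basis, v):
    """Reduce v against an XOR basis {pivot_bit: vector}; add it if independent."""
    while v:
        pivot = v.bit_length() - 1
        if pivot not in basis:
            basis[pivot] = v
            return True
        v ^= basis[pivot]
    return False  # v reduced to zero: linearly dependent on the basis


def gf2_rank(vectors):
    """Rank over GF(2) of a list of bit vectors."""
    basis = {}
    return sum(insert_into_basis(basis, v) for v in vectors)


def random_independent_set(n_bits, count, rng):
    """Draw `count` random n_bits-bit vectors that are linearly independent."""
    if not 0 <= count <= n_bits:
        raise ValueError("need 0 <= count <= n_bits")
    basis, chosen = {}, []
    while len(chosen) < count:
        v = rng.getrandbits(n_bits)
        if insert_into_basis(basis, v):  # rejects zero and dependent draws
            chosen.append(v)
    return chosen


def final_key(kappa_rec, vs):
    """k-th bit of the final key is kappa_rec . V_k."""
    return [parity(kappa_rec, v) for v in vs]


def net_key_gain(n_bits, r, m):
    """G = N - r - m: (N - m) new bits minus r bits spent on reconciliation."""
    return n_bits - r - m


def run_example(seed=2024):
    rng = random.Random(seed)
    n_bits, r, m = 64, 20, 24            # constructed sizes, not from the paper
    vs = random_independent_set(n_bits, n_bits - m, rng)
    kappa_rec = rng.getrandbits(n_bits)  # reconciled key held by both parties
    key_alice = final_key(kappa_rec, vs)
    key_bob = final_key(kappa_rec, vs)
    # Reconciliation failure (probability zeta): Bob's key differs by `error`.
    error = 1 << 5
    key_bob_bad = final_key(kappa_rec ^ error, vs)
    mismatch = [a ^ b for a, b in zip(key_alice, key_bob_bad)]
    return {"vs": vs, "key_alice": key_alice, "key_bob": key_bob,
            "error": error, "mismatch": mismatch,
            "gain": net_key_gain(n_bits, r, m)}


if __name__ == "__main__":
    result = run_example()
    print("final key length:", len(result["key_alice"]))
    print("keys agree:", result["key_alice"] == result["key_bob"])
    print("bits flipped by a 1-bit residual error:", sum(result["mismatch"]))
    print("net key gain G:", result["gain"])
```

Because the map κ rec → {κ rec · V k} is linear, the final keys differ exactly in the positions where the error pattern has odd overlap with V k, which is why agreement on κ rec must be reached before this step.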

Basic idea of the security proof
Here, we give an overview of our security proof, taking the Shor-Preskill case as an example. The core of our approach is to regard κ rec as the outcome of z-basis measurements on N virtual qubits K ⊗N . In the Shor-Preskill case, we may just identify H B with K ⊗N . Next, we ask how we could have predicted the N -bit outcome X if the N qubits had been measured in the x basis. In the Shor-Preskill case, we could have measured H A on the x basis to obtain an N -bit outcome µ. The random sampling tests assure that this outcome coincides with X within ∼ N δ ph -bit errors, namely, the conditional entropy is bounded as The fact that Alice can predict X well means that the z-basis outcome κ rec , which is an observable complementary to X, should be hard to predict due to the uncertainty principle.
If we were allowed to use the entropic uncertainty relation [15] here, we could say holds for the uncertainty of κ rec from Eve's point of view. Then, Eve will have negligible information on the final key κ fin after the privacy amplification with m = N [h(δ ph ) + ]. Since the error correction consumes r = N [h(δ bit ) + ] bits of secret key, we will arrive at the familiar asymptotic net key gain Of course, we cannot use the entropic uncertainty relation in the security proof, since it does not necessarily apply to every possible attack made by Eve. Instead, we use simple properties of the vector binary space to derive the same key rate in the security proof in section 2.4.

Main theorem
In this subsection, we state a general security statement applicable to the actual protocol. In order to include the cases other than the Shor-Preskill case, we generalize the meaning of the statement in section 2.2 that Alice has a good prediction of X, which is an observable complementary to κ rec . First, we choose a kind of squashing [16] operation, such as a quantum operation that converts state ρ on H A ⊗ H B to state (ρ) on H R ⊗ K ⊗N , where H R stands for a virtual ancillary system. Let X be the N -bit sequence obtained as the outcome of x-basis measurements on K ⊗N . We further consider a measurement M R on H R , and define µ to be its outcome. As we have seen, in the Shor-Preskill case we may choose to be a trivial operation 0 that just changes the definition as H A ∼ = H R and H B ∼ = K ⊗N , and take M R to be the x-basis measurement. But the security proof here allows almost free choices of and M R , except for the following requirement: Assumption 1. The application of followed by the standard z-basis measurement on K ⊗N is equivalent to the measurement of κ rec on H A ⊗ H B in the actual protocol.
Within this constraint, it is even allowed to take involving collective operations over H A and H B . That is to say, Alice is allowed to communicate with Bob freely over a quantum channel when we ask how well they can predict the value of X, as long as the observable X and the reconciled key κ rec in the actual protocol form a pair of complementary observables. The next step is to rephrase the condition H (X|µ) N ξ appearing in the rough sketch in section 2.2 into a more rigorous and flexible form: There exists a set T µ of N -bit sequences with cardinality |T µ | 2 N ξ for each µ, such that the pair of measurement outcomes (µ, X) satisfies X ∈ T µ except for an exponentially small probability η. Now, we can state the main theorem about the security of the actual protocol. Let p(κ) be the probability that the (N − m)-bit final key κ fin in the actual protocol takes a specific value κ, and ρ E (κ) be the quantum state of Eve's system when κ fin = κ. The property of the final key in relation to Eve is then completely described by the quantum state where we have assumed that the final key κ fin has been written on a quantum system with a Hilbert space of dimension 2 N −m with an orthonormal basis {|κ c } κ . The theorem will be stated on how this state is close to a quantum state for the ideal key in terms of fidelity [17,18]

Theorem. If assumptions 1 and 2 hold for m
If we can further assume that Eve only has a classical variable E, the mutual information The proof will be given in the next subsection, and here we make a few remarks. This theorem can be used as follows. First, we choose and M R under assumption 1. Next, combined with the promises obtained from the random sampling tests, we obtain a value of ξ with which assumption 2 holds. Then, the theorem assures that the secure key gain of at least G = N − r − N (ξ + ) is achievable. For a good key gain, and M R should be chosen such that ξ is as small as possible.
In our approach, the imperfection in the final key in the actual protocol is stated in terms of two parameters; ζ for the disagreement between Alice's and Bob's key, and η for the nonuniformity and the leak to Eve. Considering the feature of decoupling between the error correction and the privacy amplification, we believe it is best to leave as it is, but for convenience we also represent the imperfection in terms of a single parameter describing the closeness to an ideal (N − m)-bit secret key. Let |κ A a |κ B b |κ c be the state where the value of Alice's final key is κ A , Bob's is κ B , and κ is the value of κ fin = κ rec · V k on which Alice and Bob tried to agree with failure probability ζ . Then we can write the final state of the actual protocol as Let us define state τ as the one obtained after Alice's and Bob's keys in τ fin are replaced with κ From equation (8), we have On the other hand, since tr ab (τ ) = ρ fin by definition, we have Let τ ideal be a state for the ideal secret key defined by Obviously, we have Since the theorem gives tr|ρ fin − ρ ideal | 2 Combined with equation (10), we obtain

Proof of the main theorem
As an alternative to the actual protocol, let us introduce protocol 1 as follows: Protocol 1. Apply operation and discard H R . For the N qubits K ⊗N , measure each qubit on z basis to determine the N -bit key κ rec . Choose a linearly independent set {V k } k=1,...,N −m randomly, and announce it to Eve. Let κ rec · V k be the kth bit of the final key κ fin .
Thanks to assumption 1, Eve's knowledge on κ fin in the actual protocol is the same as that on κ fin obtained from protocol 1. That is to say, if we begin with the same initial state, both procedures end up in the same state ρ fin of equation (3).
In order to show that Eve has negligible information on κ fin , we consider yet another protocol, which carries out a phase error correction and will soon be shown to be equivalent to protocol 1. Define operator The new protocol is defined as follows: If we measured K ⊗N on the x-basis before step (c), the outcome X would be one of 2 N ξ candidates T µ except for probability η (assumption 2). Each measurement of x (W j ) in step (c) gives a random parity bit X · W j , which intuitively works as a syndrome bit in a code for correcting phase errors. For every wrong candidate of X, the probability of sharing the correct parity bit is exactly one half. As a result, one random parity bit almost halves the number of candidates. Hence, as in the hashing method of EDP [19], by knowing m = N (ξ + ) random parity bits we can derive an estimate X * of X with an exponentially small failure probability Pr (X * = X) η ≡ η + 2 −N . Then, if we measured K ⊗N on the x basis after the phase flip in step (d), the outcome would be X − X * , which is 0 except for probability η . This implies that the state σ of the qubits after step (d) is a nearly-pure state σ satisfying where |0 ⊗N x is the x-basis eigenstate for X = 0. The equivalence of the two protocols is easily seen. In protocol 2, the operators { z (V k )} commute with z (X * ) and with x (W j ) since V k · W j = 0. Hence, we can omit steps (c) and (d) and still obtain the same final key. We further notice that M R is now redundant, and the choosing method of {V k } can be simplified to a random selection. Noting that { z (V k )} can also be obtained through a z-basis measurement on each qubit, we are led to protocol 1.
Let σ qubits,E be the state of the qubits and Eve's system E after step (d). Since tr E (σ qubits,E ) = σ , we can pick a state ρ E of Eve's system such that holds. From equation (17), we have When we proceed to step (e) with state σ qubits,E , we should obtain state ρ fin due to the equivalence of the actual protocol, protocol 1 and protocol 2. Instead, if we apply step (e) to state |0 ⊗N x 0 ⊗N x | ⊗ ρ E , the final state is easily calculated to be ρ ideal . Since the fidelity never decreases in step (e), we have F(ρ fin , ρ ideal ) 1 − η . On the other hand, the statement on the mutual information in the theorem immediately follows from S(σ ) h(η ) + N η .
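The counting step used in the proof above, that each random parity bit removes about half of the wrong candidates so that m parity bits single out X from 2^(Nξ) candidates, can be checked numerically. The following Python simulation is an added example, not part of the paper: it treats the candidate set T µ as a classical list of N-bit strings and draws each W j uniformly at random (the orthogonality to {V k} plays no role in the counting). The values N = 24, ξ = 0.25, a slack of 0.25 and the seeds are constructed for illustration.

```python
import random


def parity(x, w):
    """Parity bit x . w over GF(2); bit vectors are stored as Python ints."""
    return bin(x & w).count("1") & 1


def surviving_candidates(candidates, true_x, ws):
    """Candidates whose parities X'.W_j all match the syndrome of the true X."""
    syndrome = [parity(true_x, w) for w in ws]
    return [c for c in candidates
            if all(parity(c, w) == s for w, s in zip(ws, syndrome))]


def union_bound(num_candidates, m):
    """Each wrong candidate survives m random parities with probability 2^-m."""
    return (num_candidates - 1) / 2 ** m


def halving_trace(n_bits, num_candidates, m, seed):
    """Number of surviving candidates after 0, 1, ..., m parity bits."""
    rng = random.Random(seed)
    candidates = rng.sample(range(2 ** n_bits), num_candidates)  # constructed T_mu
    true_x = candidates[0]
    ws = [rng.getrandbits(n_bits) for _ in range(m)]
    return [len(surviving_candidates(candidates, true_x, ws[:k]))
            for k in range(m + 1)]


def failure_rate(n_bits, xi, slack, trials, seed):
    """Empirical probability that the m parity bits do not single out X."""
    rng = random.Random(seed)
    num_candidates = round(2 ** (n_bits * xi))  # |T_mu| = 2^(N xi)
    m = round(n_bits * (xi + slack))            # m = N (xi + slack)
    failures = 0
    for _ in range(trials):
        candidates = rng.sample(range(2 ** n_bits), num_candidates)
        true_x = rng.choice(candidates)
        ws = [rng.getrandbits(n_bits) for _ in range(m)]
        if len(surviving_candidates(candidates, true_x, ws)) != 1:
            failures += 1
    return failures / trials, union_bound(num_candidates, m)


if __name__ == "__main__":
    print("survivors per parity bit:", halving_trace(24, 64, 12, seed=7))
    rate, bound = failure_rate(24, 0.25, 0.25, trials=1000, seed=7)
    print(f"empirical failure rate {rate:.4f}, union bound {bound:.4f}")
```

With these sizes the union bound is 63/4096, just below 2^(-N·slack) = 2^(-6), which is the second term of the failure probability quoted in the proof.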

Security of the BB84 protocol with uncharacterized sources
In this section, we discuss the security of the BB84 protocol when the light source is uncharacterized except for a few promises, as an application of the security proof.

BB84 with a basis-independent uncharacterized source
This is the case where Alice uses a basis-independent uncharacterized source and Bob uses an ideal detector in the BB84 protocol, which was analyzed in [11]. Let ρ ab acting on H Q be the state of Alice's source for the basis a = 0, 1 and the bit value b = 0, 1. Alice chooses basis a randomly, and then with probability p ab (note that p a0 + p a1 = 1), Alice sends out ρ ab to a quantum channel, which may be tampered with by Eve. Bob receives a qubit state on K B from the channel, on which he conducts the ideal z- or x-basis measurement depending on his random basis choice a = 0, 1, respectively. Subsequently, they make a and a public. After repeating this many times, they randomly sample events with a = a to determine the observed error rates δ a for a = 0, 1. Bob randomly picks N outcomes from the unsampled data with a = a = 0 to define κ rec . Alice obtains κ rec with the help of a secret communication from Bob consuming r = N [h(δ 0 ) + ] bits of secret key. (The portion with a = a = 1 can be handled similarly.) The basis-independent source satisfies ρ 0 = ρ 1 , where ρ a ≡ p a0 ρ a0 + p a1 ρ a1 . Then, we can find a state χ on H S ⊗ H Q and measurements M a on H S with positive operator valued measure (POVM) elements {F a0 , F a1 }, such that tr S [(F ab ⊗ 1 Q )χ] = p ab ρ ab . We are thus allowed to consider an equivalent protocol in which Alice prepares χ and conducts measurement M a on H S to determine her bit value b. This new protocol takes the form of the actual protocol by defining For the security proof, we choose = 0 , and assume M R to be M 1 applied on each H S . In order to establish a statement like assumption 2, we need to know the relation between the outcome of M 1 and the outcome of the x-basis measurement on K B . Fortunately, this is exactly the same pair of measurements used in determining the error rate δ 1 .
Hence, assumption 2 holds with ξ = h(δ 1 ) + , and we obtain the asymptotic net key gain Note that everything we need in the actual protocol is δ 0 and δ 1 . There is no need to know the identities of χ and M a , and hence no need to characterize the source to determine ρ ab , as long as it is guaranteed to be basis independent. We also note that a similar argument with the roles of Alice and Bob exchanged leads to a security proof with uncharacterized detectors with a basis-independent efficiency [20].

BB84 with an arbitrary source
The main theorem allows us to prove unconditional security in the general case of ρ 0 = ρ 1 . Of course, we need to know something about the source states since the protocol is entirely insecure if ρ 0 and ρ 1 are orthogonal. A natural choice is to assume that we know a single parameter , which determines a lower bound on the fidelity between the two states Note that for F < 1, we can still find two pure states |χ 0 and |χ 1 in H S ⊗ H Q satisfying χ 0 |χ 1 = 1 − 2 such that for each value of a, there is a POVM measurement M a = {F a0 , F a1 } on H S satisfying tr S [(F ab ⊗ 1 Q )|χ a χ a |] = p ab ρ ab . For a special case where H S includes a qubit as a subsystem and M 0 and M 1 are the standard x- and z-basis measurements on that qubit, Gottesman et al [16] derived a secure key rate along the line of the Shor-Preskill argument, which allows a positive key gain up to < 0.029. Here, we can derive a better key rate formula for arbitrary states {ρ ab }. Let us consider an equivalent protocol in which Alice chooses the basis a by measuring a 'quantum coin' [16] described by a qubit K C . If she prepares H S ⊗ H Q ⊗ K C in state | ≡ (|χ 0 |0 z C + |χ 1 |1 z C )/ √ 2 and measures K C on z basis, the outcome a is random and H S ⊗ H Q is prepared in state |χ a . Then she conducts measurement M a on H S to prepare ρ ab with probability p ab . In order to prove security, we follow the same argument as in the basis-independent case up to the point where we need to know the relation between the outcome of M 1 and that of x-basis measurement on K B . Unfortunately, we have no direct clue this time. The expected error rate δ ph in this fictitious set of measurements is no longer equal to δ 1 , since the former is taken for a = 0 and the latter is for a = 1.
In order to determine upper bounds on δ ph , let us consider the following scenario. Alice starts from | ⊗L , and she immediately sends the L copies of system H Q into the channel. After Eve's attack, Bob receives the qubits K ⊗L B . For every pair of systems H S ⊗ K B , Bob may choose a randomly, but regardless of its value, measurement M 1 and x-basis measurement are applied to determine whether there is an error (t = 1) or not (t = 0). Finally, Alice measures the coin K C on z basis to determine a. Let us denote the empirical probability for the L events by r (·). For example, r (t = 1|a = 0) is the number of events with (t = 1, a = 0) divided by that of events with a = 0.

The rate δ ph can be regarded as an error rate in a fair sampling from the events with a = a = 0. Since a has no effect in the above scenario, it can also be regarded as a fair sampling from the events with a = 0. We thus have δ ph ∼ = r (t = 1|a = 0). Similarly, δ 1 ∼ = r (t = 1|a = 1). Since r (a = 0) ∼ = 1/2, we have Now, we describe two methods of deriving bounds on δ ph . The first one is to apply the main theorem in section 2.3 formally to the coins, regarding K ⊗L C as K ⊗N in the theorem. Since C 1 x || 2 = , it is guaranteed that we can distill a secret key of length L(1 − h( ) − ) from the z-basis measurement results. This implies that even with the knowledge of each t, the entropy of the outcomes a should be larger than L(1 − h( ) − ). Hence, in the asymptotic limit we have which shows that δ ph = δ 1 for = 0 and δ ph becomes larger when > 0. If we write the maximum of δ ph under the above first inequality as f (δ 1 , ), the key gain is given by This key gain is positive only for < 0.056. The second method is more complicated, but gives a better rate. We assume that for each event, Alice draws a random binary variable s with a small probability of being s = 1. If s = 0, she just follows the above scenario, but if s = 1, she measures the coin K C in x basis instead of z basis. Let ā be the outcome of this x-basis measurement, and define r x, j ≡ r (ā = 1|s = 1, t = j) and r z, j ≡ r (a = 0|s = 0, t = j) for j = 0, 1. Since C 1 x || 2 = , we have Note that r x, j is determined from the outcomes of x-basis measurements applied to random samples from the qubits with t = j, and r z, j is from the z-basis outcomes for the rest of the qubits. This problem of random sampling was analyzed in [5], and it was shown that for all > 0, except for an exponentially small probability, there exists a qubit state ρ such that |r z, j − 0 z |ρ|0 z | < and |r x, j − 1 x |ρ|1 x | < .
We thus obtain the following relation in the asymptotic limit: Combining it with r (t = 1) ∼ = (δ 1 + δ ph )/2, r z,1 ∼ = δ ph /(δ 1 + δ ph ), r z,0 ∼ = (1 − δ ph )/(2 − δ 1 − δ ph ), and equation (27), we obtain We can now take f (δ 1 , ) to be the maximum of δ ph under equation (29), and obtain a better key rate with equation (26). Now the region of positive key gain extends to < 0.146, or F(ρ 0 , ρ 1 ) > 1/2. Since Alice and Bob do not use the outcome ā, this measurement can be omitted. Hence, in the actual BB84 protocol, they only have to discard a small portion of events. From Eve's point of view, Alice could have measured ā for the discarded events, and it is enough to apply the above security proof.

Security of the six-state protocol
In this section, we derive the well-known key rate for the six-state protocol [21,22] using our framework based on complementarity. The reason why we take up this example is the fact that the six-state protocol uses the correlation between the bit errors and the phase errors to improve the key rate. Since the complementarity argument treats the two kinds of errors separately, it may not be easy to see how it can incorporate such a correlation. The solution is, as we will see, to use the freedom of choosing a collective operation satisfying assumption 1.
In the six-state protocol, Alice and Bob can share N pairs of qubits with a promise that is stronger than the one in the BB84 protocol. Suppose that each qubit pair is measured on the Bell basis, which reveals the values of the pair of observables σ z ⊗ σ z and σ x ⊗ σ x at the same time. Let r jk be the fraction among the N pairs that has resulted in σ z ⊗ σ z = (−1) j and σ x ⊗ σ x = (−1) k . In the BB84 protocol, we only have good estimates for r bit ≡ r 10 + r 11 (the bit error rate) and r ph ≡ r 01 + r 11 (the phase error rate). In the six-state protocol, the additional set of measurements on the y basis further give a good estimate of r 00 + r 11 , and thus each of the four values {r jk } is estimated. The asymptotic key rate is then given [22] by which is larger than the rate G = N [1 − h(r bit ) − h(r ph )] of the BB84 protocol whenever r ph = r 11 /r bit , namely, when there is a correlation between the bit errors and the phase errors.
The key rate of equation (30) is derived using the argument in section 2 by choosing the operation and measurement M R as follows. For each qubit pair (let us call them K A and K B ), prepare an auxiliary qubit K C in state |0 C , and apply a controlled-NOT gate U CNOT between K B (control) and K C (target), which effectively copies the z-basis value of K B onto K C since (31) The operation is defined as this procedure followed by identifying K ⊗N Since the controlled-NOT gates do not affect the z-basis outcomes of qubits K ⊗N B , assumption 1 is obviously satisfied by choosing Bob's z-basis outcomes as κ rec . For measurement M R , we assume that each of the qubit pair K A ⊗ K C is measured on the Bell basis.
Let us see how the outcome of the Bell measurement on K A ⊗ K C is correlated to that of the x-basis measurement on K B . When the initial state of which means that the initial state | AB is faithfully transferred to the qubit pair K A ⊗ K C . When which means that the phase-flipped state (1 ⊗ σ z )| AB is faithfully transferred to the qubit pair K A ⊗ K C in this case. Hence, if the initial N pairs had no phase errors (r ph = 0), each measured value of σ x ⊗ σ x in the Bell measurement on K A ⊗ K C would have exactly told us the corresponding bit value in the sequence X, namely, σ x ⊗ σ x = 1 and −1 implies the bit values 0 and 1, respectively. But when we do have phase errors initially, for such Nr ph pairs the correspondence is reversed, namely, σ x ⊗ σ x = 1 and −1 implies the bit values 1 and 0, respectively. Since we do not exactly know which of the N pairs have phase errors initially, we have the candidates T µ for the sequence X as many as the number of the phase-error patterns. Here, the measured value of σ z ⊗ σ z in the Bell measurement on K A ⊗ K C helps us to narrow down the possible phase-error patterns, combined with the values of r 01 and r 11 that are estimated through the y-basis measurements in the six-state protocol. There must be Nr 11 pairs with phase errors among the Nr bit pairs that have resulted in σ z ⊗ σ z = −1, and the rest of the N (1 − r bit ) pairs should include Nr 01 phase-error pairs. Hence, the number of the phase-error patterns is approximately given by 2 N ξ with which reproduces the key rate of equation (30).
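The counting argument in the paragraph above can be carried through numerically. The following Python sketch is an added example, not part of the paper: it counts the phase-error patterns exactly as a product of two binomial coefficients, compares the exponent with the entropy expression ξ = r bit h(r 11 /r bit ) + (1 − r bit ) h(r 01 /(1 − r bit )) obtained from that count (an assumption about the formula that did not survive on this page), and evaluates G/N = 1 − h(r bit ) − ξ next to the BB84 rate quoted in the text. The error fractions used are constructed sample values.

```python
from math import comb, log2


def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1 - p) * log2(1 - p)


def xi_bb84(r00, r01, r10, r11):
    """Only r_ph is known: candidates are all patterns with N r_ph phase errors."""
    return h(r01 + r11)


def xi_six_state(r00, r01, r10, r11):
    """Phase-error patterns counted separately inside and outside the bit errors."""
    r_bit = r10 + r11
    xi = 0.0
    if r_bit > 0:
        xi += r_bit * h(r11 / r_bit)              # N r11 among N r_bit pairs
    if r_bit < 1:
        xi += (1 - r_bit) * h(r01 / (1 - r_bit))  # N r01 among the remaining pairs
    return xi


def exact_pattern_exponent(n, r00, r01, r10, r11):
    """log2(number of phase-error patterns) / N for a finite block of N pairs."""
    n_bit = round(n * (r10 + r11))
    n11 = round(n * r11)
    n01 = round(n * r01)
    return log2(comb(n_bit, n11) * comb(n - n_bit, n01)) / n


def key_rate(r, xi_function):
    """Asymptotic G/N = 1 - h(r_bit) - xi, from G = N - r - N(xi + slack)."""
    r00, r01, r10, r11 = r
    return 1 - h(r10 + r11) - xi_function(r00, r01, r10, r11)


# Constructed samples: depolarizing-type noise (correlated errors) and a
# product distribution in which bit and phase errors are independent.
CORRELATED = (0.85, 0.05, 0.05, 0.05)
UNCORRELATED = (0.81, 0.09, 0.09, 0.01)

if __name__ == "__main__":
    for name, r in (("correlated", CORRELATED), ("uncorrelated", UNCORRELATED)):
        print(name,
              "BB84 rate %.4f" % key_rate(r, xi_bb84),
              "six-state rate %.4f" % key_rate(r, xi_six_state))
    print("exact exponent, N = 10000: %.4f" % exact_pattern_exponent(10000, *CORRELATED),
          "entropy expression: %.4f" % xi_six_state(*CORRELATED))
```

For the correlated sample the six-state rate is about 0.152 against about 0.062 for BB84, while for the product distribution the two rates coincide, matching the statement that the gain comes from the correlation between bit and phase errors.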

Conclusion
We have described a method of proving unconditional security, which unifies two major previous approaches and retains the advantages of both of them. We have also shown that the new method can solve a problem which eluded the previous approaches. The proof relies on the observation that Alice can guess the z-basis outcomes of virtual N qubits with r -bit uncertainty in the actual protocol, and Alice and Bob can guess the x-basis outcomes with m-bit uncertainty in an equivalent protocol. The 'excess' over the uncertainty limit, N − r − m, amounts to the key gain. Note that if they share a maximally entangled state (MES), Alice alone can guess for both of the bases. The condition for the secrecy is weaker than that since it allows her to collaborate with Bob nonlocally for the x basis, through any operation satisfying assumption 1. This difference is considered to be a reason for the gap between distillable entanglement and secret key gain [13]. In fact, examples in [13] are constructed by applying a nonlocal 'twisting' operation to ρ AB ⊗ ρ A B , where ρ AB is an MES. Their twisting operations do not change the outcome of z-basis measurement on H B , which can be regarded as κ rec . Hence, we can define to be the reverse of the twisting followed by 0 , which satisfies assumption 1. This shows that the present method potentially gives a key rate exceeding the amount of distillable entanglement. The exact relation of the present method to the distillable entanglement and the distillable secret key is discussed elsewhere [23]. The relation of our approach to other security approaches [24]- [26] is also an interesting issue.