Demonstration of Free-space Reference Frame Independent Quantum Key Distribution

Quantum key distribution (QKD) is moving from research laboratories towards applications. As computing becomes more mobile, cashless as well as cardless payment solutions are introduced, and a need arises for incorporating QKD in a mobile device. Handheld devices present a particular challenge as the orientation and the phase of a qubit will depend on device motion. This problem is addressed by the reference frame independent (RFI) QKD scheme. The scheme tolerates an unknown phase between logical states that varies slowly compared to the rate of particle repetition. Here we experimentally demonstrate the feasibility of RFI QKD over a free-space link in a prepare and measure scheme using polarisation encoding. We extend the security analysis of the RFI QKD scheme to be able to deal with uncalibrated devices and a finite number of measurements. Together these advances are an important step towards mass production of handheld QKD devices.


Introduction
Quantum key distribution promises secure communications based not on the hardness of a mathematical problem but on the laws of physics [1,2,3]. The main effort in the development of QKD is directed towards long range communication, mostly fibre-based [4,5,6,7,8,9] as well as in free space [10,11,12,13]. A prospective new application of QKD is in securing short range line of sight communications between a terminal and a handheld device (see Fig 1a) [14,15]. Current mobile payment techniques, e.g. Near Field Communications, have a range of security challenges including eavesdropping. Similar considerations apply to securing Wi-Fi access points. We believe that future handheld QKD systems can address these security challenges and provide a high degree of wireless security.
One of the unique problems faced by handheld QKD is the fact that the relative orientation of the emitter and the receiver is variable. In previous works this problem has been addressed by using entanglement [16] or by encoding information on angular momenta [17], which are invariant under rotation. The Reference Frame Independent QKD scheme proposed in [18] does not require entanglement and allows the use of polarisation encoding without the need for alignment of the qubit reference frames. In this scheme the qubits are prepared and measured in three mutually unbiased bases. Only one of those bases, on which the key is encrypted, needs to be stable. The two other bases are allowed to drift slowly and are used to estimate the security parameters of the quantum channels. The requirement for one basis to be stable is met in most practical implementations. In the case of free-space polarisation-based encoding, the stable basis is the circular polarisation, which is rotation independent. Fig 1b shows the bases used by the emitter (Alice) X A , Y A , Z A and the receiver (Bob) X B , Y B , Z B for an undetermined relative orientation. The use of additional bases compared to e.g. BB84 enables the reference frame independence of the scheme.
In order to demonstrate the feasibility of such a protocol we implement a prepare and measure scheme based on faint pulses and analyse the security of the channel. In addition to the reference frame independence implied by the protocol, we develop a theoretical analysis that allows us to take into account deviations from the ideal perpendicular preparation and measurement bases. This is similar in spirit to device independent QKD (e.g. [19]). Although we cannot claim to achieve full device independence, which generally requires entanglement, we are able to deal with device imperfections and uncalibrated devices within our selected model. In any QKD scheme the number of measurements available for the parameter estimation step is finite. Parameters obtained from the measurements are estimates with a non-zero variance, which impacts the secure key fraction as discussed in [20,21,22]. In our security analysis we take this into account to derive a secret key fraction. In this article, section 2 describes the experimental setup we used to implement a RFI protocol, while in section 3 we analyse the security of the quantum channel including the influence of finite size effects, imperfectly calibrated devices and mismatched detector efficiencies. In section 4 we discuss our results.

Experimental setup
In the prepare and measure RFI protocol, Alice needs to be able to randomly pick a light polarisation state out of three different bases, i.e. horizontal/vertical, antidiagonal/diagonal, left circular/right circular, corresponding to X, Y and Z basis. This is implemented by activating one of six 850 nm VCSEL laser diodes. Their respective polarisations are separately engineered before their optical beams are combined in a common mode. They are electrically driven by a pattern generator with six individually controllable outputs. Each output generates 0.5 ns pulses and their amplitudes are adjusted so that the average photon number per pulse at Alice's output is the same for all the lasers. Random bit sequences allowing only one of the six lasers to be active every 4 ns (i.e., 250 × 10 6 pulses per second) are programmed in the pattern generator's memory. Engineering of the polarisations is performed by a set of polarising beam splitters (PBS), and waveplates (see Fig 2). At first the polarisation of the VCSELs is ill-defined but it is filtered by the polarisation beam splitters with an extinction ratio of about 13 dB. The outputs of the polarising beam splitters are polarised either horizontally or vertically depending on which laser is active. One of the PBS output's polarisation is left unchanged. The output of another PBS passes through a 22.5 • rotated λ /2 waveplate resulting in diagonal/antidiagonal polarisations. The output of the last PBS is directed towards a 45 • rotated λ /4 waveplate resulting in left/right circular polarisations. The waveplate used in this a) Figure 1: a) A mobile QKD terminal communicating with a stationary QKD terminal. The mobile terminal is free to rotate. b) Poincaré sphere representation of Alice and Bob's reference frames. The Z basis (circular polarisation), represented by black vectors, is shared by Alice and Bob and is used as the key basis. Alice's X and Y bases (horizontal/vertical and diagonal/antidiagonal), represented by red vectors, are aligned with the Poincaré sphere's axes. Bob's X and Y bases, represented in blue, are rotated with respect to Alice's. A rotation of the terminal by the angle φ results in a rotation on the Poincaré sphere by 2φ .  Figure 2: Experimental implementation of RFI QKD with the layout of the emitter (Alice's device) and the receiver (Bob's device). On Alice's side, unpolarised light is produced by six laser diodes directed towards the two inputs of three polarising beam splitters. The outputs of the polarising beam splitters are polarised either horizontally or vertically depending on which laser is active. One of the outputs passes through a 22.5 • rotated λ /2 waveplate resulting in diagonal/antidiagonal polarisations. Another PBS output is directed towards a 45 • rotated λ /4 waveplate resulting in left/right circular polarisations. The last polarising beam splitter output's polarisation is left unchanged. The three resulting beams are combined with two non-polarising beam splitters. The spatial profile of the combined beams is filtered with a 1 mm pinhole, while the direction profiles are filtered with a 5 µm pinhole between two lenses. Finally, light passes through a spectral filter and a neutral density filter reducing the intensity to single photon level. After the output of the emitter, a rotating λ /2 waveplate is used to simulate a rotation between the emitter and the receiver. The optical arrangement of the receiver is similar to the emitter except that optical fibres leading to the detectors are mounted instead of the lasers. Both Alice and Bob's device are mounted on a 10 cm by 10 cm metal plate and the distance between the two is slightly above 1 m. The compactness of our assembly can be seen in the insets.
experiment are achromatic but we estimate their retardance at 850 nm to be 0.535 and 0.265 (+/-0.05) for the half and quarter waveplates respectively. Those discrepancies together with the PBS extinction ratio are responsible for the biasing of the bases that are discussed in the theoretical section. After preparing the polarisations the three resulting beams are combined with two non-polarising beam splitters. The spatial profile of the combined beams is filtered with a 1 mm pinhole, while the direction profiles are filtered with a 5 µm pinhole between two lenses. Finally, light passes through a neutral density filter reducing the intensity down to below 0.05 photons per pulse. After the output of the emitter, a rotating λ /2 waveplate is used to simulate a rotation between the emitter and the receiver. The photons then travel through free space for slightly more than a meter to the measurement terminal. At the input of the measurement device, a spectral filter with 10 nm passband and 0.7 maximum transmission is used to reduce background noise. The optical arrangement of the receiver is similar to the emitter except that it is used in reverse. The common optical mode is divided in three beams by the non-polarising beam splitters and waveplates are used before the PBSs to allow measurements in the three bases. Thus, the measurement basis is passively selected by the path of the photon, making it perfectly random. The six PBS outputs are coupled with approximately 0.8 efficiency to multimode optical fibres leading to single photon detectors. The photo detectors are silicon avalanche photodiodes with 0.45 efficiency at 850 nm, 400 dark counts per second, a timing resolution of 600 ps and 50 ns dead time. Their firing times as well as a clock pulse coming from the pattern generator are continuously recorded by a counting card. In post processing, we eliminate all the counts that happened when another detector was still in its dead time, i.e. whenever two counts happen within 60 ns. Bitrates could possibly be increased by using detection events in other detectors during a given detector's deadtime, but the implications on security are unexplored. The remaining number of counts for a measurement duration of 1 s is approximately 2 × 10 6 out of the 250 × 10 6 weak pulses generated. The experiment is performed in the dark and owing to spectral filtering background noise is negligible compared to detector dark counts. Finally, by matching recorded detection times with the original random patterns we can construct a 6 x 6 matrix (see Fig 3a) corresponding to the number of times one of the six detectors fired when one of the six lasers was active. The number of counts is maximal if the emitting and receiving polarisations are the same, it is minimal if they are opposite and it is approximately half of the maximum for all the other polarisations. This matrix constitutes the raw data of the security analysis. The counts in this matrix will be used for two different purposes. Half of the counts when both the sending and the measurement basis were Z are set aside as the raw key. The remaining half with all other counts forms the basis of the parameter estimation. The raw key length for each 1 s interval is approximately 2 × 10 5 . In order to demonstrate the robustness of our QKD scheme against reference frame rotations, we insert a half wave plate on a rotating mount in the free space optical path between the two terminals. Varying the optic axis angle of the half wave plate simulates rotations of Alice's device. For each angle, a measurement is taken similar to that presented in Fig 3a. A comparison between measurement data and the 6 x 6 matrix predicted for ideal preparation and detection is shown in Fig 3b. The matching detector count patterns in Fig 3b already suggest that a quantum channel between the terminals is established, but in order to claim the possibility of quantum key distribution we need to analyse the results more rigorously.

Secure Key Fraction
The security of the RFI QKD protocol is discussed in [18]: Two parameters are estimated from the measurements: the quantum bit error rate Q and a rotation invariant quantity C (see Appendix B). While this analysis gives a good intuition why the scheme is reference frame independent, it does not take into account factors that can impact the key rate negatively in a real world setting, such as non-orthogonality of the measurement directions or finite size Figure 3: Results of the normalised detector count matrix for the implemented reference frame independent quantum key distribution protocol. Each matrix square represents the number of counts on the specified detector, when the specified polarisation was prepared. a) With the two reference frames aligned, corresponding preparation and measurement bases are almost completely correlated, with measurements between mutually unbiased bases showing almost no correlation. This indicates almost perfect transmission through the quantum channel. b) Comparison of ideal (I) and measured data (M) for six further reference frames, with angle of misalignment shown. While the counts contributing to the correlator C ZZ remain largely independent of the rotation angle, others contribute a periodic dependence to correlators C XX , C XY , C Y X and C YY . Counts contributing to the non-zero correlators C XZ , C Y Z , C ZX and C ZY indicate that the X, Y and Z directions are not perpendicular.
effects. In this section we derive the secure key fraction in the qubit subspace based on a model of the device including imperfect calibration of preparation and measurement bases, non uniform detector efficiencies and also the effect of a finite number of measurements.
In general the calculation of the secret key fraction can be posed as an inference problem: given the measurements and a device model what is the maximum amount of information an eavesdropper can possess about the distributed key? We first introduce a simplified expression for the secure key fraction, then consider a model of our QKD system and minimise the secure key fraction subject to constraints derived from the model and the measurements. The secure key fraction can be reduced from the ideal 100% due to leakage of information at two stages in the protocol [23]. During the quantum stage information can leak to an eavesdropper, while during error correction a certain minimum amount of information needs to be exchanged over a classical channel. The two terms of the following expression [24] for the secret key fraction reflect the impact of those two information leaks where S(·|·) denotes the conditional von Neumann entropy, H(·|·) the conditional Shannon entropy, χ A are the classical bit values at terminal A, χ B are the classical bit values at terminal B and ρ E denotes the density matrix of the eavesdropper. The first term describes the entropy of the key bits χ A given the eavesdropper's information, we will call this "usable entropy", S U . The second term is the minimum necessary information to successfully perform error correction at the Shannon limit. In any real world implementation this number has to be multiplied by a factor larger than one to account for non-ideal error correction schemes. The main objective of the parameter estimation step is to find the minimum usable entropy given the constraints set by the measurements. These constraints also take into account the uncertainties associated with a finite number of performed measurements. Additionally the parameter estimation step provides information about the bit error rate, which is needed for error correction and thus an estimate for the second term. In our analysis we assume that the measurement results are produced by a two qubit density matrix ρ AB shared between parties A and B. The usable entropy can be expressed as (see Appendix C) where S (A||B) denotes the relative entropy and the super-operator with the projector on the bit values at terminal A defined as To estimate the usable entropy we have to establish a model for our quantum key distribution system. This consists of a model of the quantum channel, embodied in the density matrix, along with a model of the terminal devices. The secret key fraction can be obtained as the minimum over all channel and device parameters that are consistent with the performed measurements. For a finite number of measurements the constraints will possess a statistical uncertainty that has to be taken into account in the minimisation procedure. As we are looking for an upper bound for the usable entropy it suffices to consider a simplified density matrix (see Appendix D), guaranteed to give a lower usable entropy than the full density matrix. The usable entropy for this density matrix becomes with the eigenvalues of the density matrix η 1 = η 2 = 1/4(1 − λ 1 ), η 3 = 1/4(1 + λ 1 − 2λ 2 ) and η 4 = 1/4(1 + λ 1 + 2λ 2 ) and h(x) = −x log 2 x − (1 − x) log 2 (1 − x). With perfectly calibrated and aligned devices no additional model parameters have to be taken into account. Imperfect measurement devices can lead to a large number of additional parameters, such as nonorthogonalities in the preparation and measurement bases and detector efficiencies, which can be collected into the vector α (for the details of the model see Appendix E). The usable entropy is obtained as the minimum over all parameters α, λ 1/2 The parameters have to obey the constraints imposed by the observations where m is a matrix containing all relevant detector counts, q is the corresponding probability of observing a detector count according to the device model (see Appendix E), the f i are the functions defining the different constraints, the δ f i are their corresponding variances and σ is chosen to give a certain probability that the estimated usable entropy is too high. In our parameter estimation step we use a set of 21 constraints (see Appendix F) consisting of 9 correlation functions C AB , A, B = X,Y, Z, the six probabilities that a photon was prepared in a certain polarisation direction P A± , A = X,Y, Z and the six probabilities to detect in a certain detector D B± , B = X,Y, Z. For each function f i we can give the standard deviation δ f i (see Appendix F). To obtain the secret key fraction we need to subtract the observed relative entropy in the key basis from the usable entropy The full set of measurements enables us to calculate a reference frame independent key rate.
From the detector counts we can construct 9 correlation functions where the m AB ±± are the four different detector counts given that the qubit was prepared in direction A± and detected in direction B±. In the case of orthonormal preparation and measurement bases these can be directly identified with the qubit correlation functions. A secret key fraction can be obtained as the minimum key rate over all density matrices consistent with the observed correlators. In the BB84 protocol [25,24] only two correlators, e.g. C XX and C ZZ , are used as constraints. When the reference frames are rotated C XX will drop and so will the secret key fraction. The RFI QKD scheme uses the four correlators C XX , C XY , C Y X , C YY as well as C ZZ . While each individual correlator may decrease under reference frame rotations, the combination C = C 2 XX +C 2 XY +C 2 Y X +C 2 YY ideally stays constant, enabling reference frame independent secret key fractions. In order to treat imperfect preparation and measurement we have to depart from the assumption of orthonormal bases and include a more detailed detector model. Each preparation and each detector are associated with a direction on the Poincaré sphere, given by a unit vector. Since we aim to use the z-basis for the key bits we can identify two preparation directions with the ±z direction on the Poincaré sphere, without overestimating the secret key fraction. Each direction is parametrised by two variables (e.g. azimuth and polar angle), resulting in a total of 20 free parameters (see Appendix E). Different absorption may occur in the preparation channels, and similarly detectors may have different efficiencies. With six possible preparation directions and six possible detection direction this adds another set of 12 parameters. The quantum channel can be represented by a two parameter two qubit density matrix in a simplification over the more commonly employed Bell diagonal density matrix (see Appendix D). This results in a model with 34 free parameters. The secret key fraction is then obtained as the minimum over all parameters that fulfil the constraints imposed by the measurements, e.g. from the correlators C AB ; in our case a set of 21 constraints. For the number of detector counts approaching infinity the constraints are equalities, but for a finite number of observations the value can lie within an interval determined by the number of counts and the desired uncertainty. A small number of counts will lead to larger uncertainty in the correlation function and therefore to lower results for the secret key fraction.

Results and Discussion
Our main result is that the secret key fraction remains above 0.2 for all rotation angles even in the presence of device imperfections, see U-RFI in  Figure 4: Keyrates as a function of the physical waveplate rotation angle for two reference frame independent and 4 different BB84 protocols. U-RFI labels the reference frame independent keyrate assuming uncalibrated devices. It is obtained from numerical minimisation over the full set of model parameters subject to constraints imposed by the measurements. The blue dots correspond to the minimised key rate neglecting the variance coming from the finite number of measurements. The blue bars indicate the result obtained by allowing for an uncertainty in the estimate of the constraints of three times the standard deviation. The remaining curves are obtained from the same data but with a simplified model, assuming orthogonality within bases and total perpendicularity between bases. RFI labels the keyrate for the reference frame independent protocol as outlined in [18]. XX, XY, YX and YY label the keyrates for the BB84 protocol using the respective correlator pairs C ZZ and C XX , C ZZ and C XY , and so on. keyrate we make a comparison with established protocols: the BB84 protocol and the RFI QKD protocol as proposed by Laing, Scarani, Rarity and O'Brien [18]. For the sake of comparison we assume that in these protocols both preparation bases and measurement bases are perfect, i.e. the measured correlation functions are indeed the qubit correlation functions of the underlying density matrix. A summary of the calculation of the BB84 and RFI QKD key rates can be found in Appendix A and Appendix B. We clearly see in Fig 4 that while the BB84 key rate drops to zero for certain angles the RFI QKD key rate remains non-zero for all rotation angles. The plot also shows that for certain angles the RFI secret key fraction estimate is too optimistic compared to the U-RFI rates. This happens due to non-orthogonal measurement directions, which are not taken into account in the RFI QKD security analysis. The distinct peaks in the secret key fraction coincide with the peaks visible in the secret key fraction calculated for the BB84 protocols, as outlined above. This can be understood in the following way: The secret key fraction we calculate depends on the correlators C AB , A, B = X,Y, Z. The correlator C ZZ is linked to the qubit error rate. The correlators C XX , C XY , C Y X , C YY are related to monitoring the eavesdropping. If the absolute value of one of these correlators is large then eavesdropping in the key basis is small, even if other correlators are relatively small. This also makes the secret key fraction larger then the RFI keyrate for some angles. In the region between the peaks no individual correlator is large and only their combination gives a positive secret key fraction. In the presence of alignment errors some of the contributing correlators may be small and as a result the secret key fraction drops.
During each transmission of one second we set aside approximately 2 × 10 5 raw key bits. After obtaining the correct secret key fraction from the parameter estimation step we can perform the privacy amplification step by applying the appropriate 2-universal hash function (e.g. a Toeplitz matrix [26]) to the raw key and obtain a secure key. With a secret key fraction of around 0.25 we arrive at an approximate key rate of 5 × 10 4 s −1 . In the current implementation of our scheme potential security loop holes exist due to side channels [27], the most obvious one coming from the use of six different lasers in the preparation stage. While this loophole can be plugged by using a single laser and a 1 x 6 optical switch further analysis of the impact of side channels on the key rate is required (e.g. the effect of photon number statistics [28] or detector characteristics [29] on our scheme).
Nevertheless we are able to give an estimate of the impact of photon number statistics on the key rate in our scheme. Without employing decoy states we have to assume that in pulses which contain more than one photon and which are contributing to the raw key all information is lost to the eavesdropper. Our photon source generates weak coherent pulses with a rate of 250 MHz and an average photon number of 0.05 per pulse. In order to assess the impact of a hypothetical photon number splitting attack we have to characterise the quantum channel. An important quantity is the accessible loss [30] in the quantum channel, i.e. the part of the loss that is, in principle, under the control of the eavesdropper. Due to the short range free space transmission no absorption occurs between Alice and Bob. A small amount of absorption (coupling efficiency≈ 0.8) can be attributed to the mode mismatch between sender and receiver and could be manipulated by an eavesdropper. All other losses occur in the Bob device and are inaccessible losses. Starting from a 250 MHz pulse rate and 0.05 photons per pulse we arrive at a raw single photon rate of 12.5 MHz. The recorded photon count rate is 2 MHz, giving a total absorption of η=0. 16. The accessible part of the absorption is η A = 0.8, while the inaccessible part, containing absorption in filters, losses in optical components and finite detector efficiency contributes η I = 0.2, so that η = η A η I . The rate of two photon pulses according to Poisson statistics is 0.3 MHz. The remaining single photons after a photon number splitting attack will still experience the inaccessible losses, so that the total number of recorded detector clicks associated with two photon pulses is 60 kHz. Of these photons only a fraction contributes to the raw key. For our setup that fraction is 0.1. For a key distribution lasting one second we estimate that an eavesdropper can at most have information about 6000 key bits out of 2 × 10 5 key bits, or the secure key fraction has to be reduced by approximately 0.03, due to the probabilistic nature of the photon source, only slightly modifying our secret key fraction.
In summary, we have shown the feasibility of reference frame independent key distribution using off the shelf bulk optical components in a compact assembly. Our setup uses passive components and can readily be transferred to a miniaturised version using integrated optics on a chip [31,32]. Our analysis employed in the parameter estimation step obviates the need for precise alignment of the preparation and measurement qubit bases. The achievable key rates are sufficient to distribute hundreds of 256 bit keys within 1 second. In order to realise a handheld QKD device additional functionality, like steering of the emitted photons towards a receiver needs to be implemented. Possible solutions include movable mirrors, movable lenses or phased arrays. Overall, the work presented here paves the way for massproduced handheld QKD devices.

Appendix A. Keyrate for BB84
For the calculation of the keyrate for the BB84 protocol we follow [24], with the difference that we use two parameters for the quantum channel, the correlation functions C XX and C ZZ . The secure key fraction for the BB84 protocol is given by under the constraints This can be solved analytically to give Alternatively other correlators than C XX can be used to obtain a keyrate. In the case of misaligned reference frames the correlators C XY or C Y X may give a more favourable keyrate.

Appendix B. RFI QKD
Reference frame independent quantum key distribution was introduced in [18]. The scheme solves the problem of aligning reference frames between two partners in a quantum key distribution protocol if one stable direction exists (e.g. in polarisation encoding physical rotation does not influence the circular polarisation direction). The stable direction is used for encoding the qubits, while perpendicular directions are used for parameter estimation. It is sufficient to consider two quantities constructed from the qubit correlation functions: the bit error rate and the quantity with the qubit correlation functions given by where ρ is the two qubit density matrix. Under rotations around the z axis the Pauli matrices transform σ x → σ x cos α + σ y sin α and σ y → σ y cos α − σ x sin α, with the rotation angle given by α. One can see that the quantity C stays invariant under these kind of rotations. The secret key fraction can be shown to be a function of C and Q. For Q 0.159 the secret key fraction becomes

Appendix C. Conditional Entropy decreases under Projective Measurement
A quantum communication channel between parties Alice (A) and Bob (B) can be described by the density matrix ρ AB . In general this density matrix will not be pure due to noise, errors and the action of an eavesdropper. In order to prove security of the communication channel we have to assume all deviations from the ideal case are due to an eavesdropper. The combined state of ρ AB and an eavesdropper can then be expressed as the pure state where the λ i are the eigenvalues of ρ AB , |Φ i > AB are the corresponding eigenfunctions and |ν i > are an orthogonal basis for the state of the eavesdropper. Note that the dimension of the Hilbert space of the eavesdropper equals the dimensions of ρ AB . The density matrices in the subspaces can then be obtained as and The reduced density matrix of the eavesdropper equals the reduced density matrix of Alice and Bob up to a unitary transformation Let us consider the entropy of the key bits χ A given that the eavesdropper knows the state of the system χ E , S(χ A |χ E ). We can rewrite the conditional entropy as With X being the classical value of Alice's qubit we can write If Alice prepares key bit 0 with probability p 0 and key bit one with probability p 1 we can write the corresponding density matrices E 0 , E 1 with the help of the projection operators as Since unitary transformations do not change the entropy we can replace ρ AB with ρ E in the calculation of entropies We can use where F is any function and we used We can therefore write Since the P x project onto orthogonal subspaces we can use (see Nielsen and Chuang, p.518 [33]) to write The equality holds if the projectors P x project onto orthogonal subspaces and acts as an upper bound on the usable entropy otherwise. The conditional entropy therefore becomes Introducing the projective measurement 16) we can write Since P is a projective measurement this simplifies further to the relative entropy We now want to investigate how a further projective measurement influences the relative entropy. Introducing with the projection operators L i . We consider the relative entropy before and after the projective measurement L For commuting operations PL = L P (C. 21) and using that the relative entropy of two density matrices decreases or stays the same under completely positive trace preserving maps [34] we obtain if the operations L and P commute.

Appendix D. Simplified density matrices for parameter estimation
We can use the inequality above to simplify the model density matrix for parameter estimation. Starting from the full two qubit density matrix with 15 free parameters we can apply a series of projective measurements, to arrive at a simpler density matrix with fewer parameters that is guaranteed to give a smaller value for the usable entropy. The individual projective measurement super-operators are and the corresponding Liouvillian If we use the z basis for the key bits then the measurement operator becomes with the projector on the bit values at terminal A defined as Demonstration of Free-space Reference Frame Independent Quantum Key Distribution 15 It can be shown that for all density matrices ρ. After applying all the projective measurements to a general density matrix the simplified density matrix takes the form This density matrix can now be used in models for parameter estimation.

Appendix E. Device model
We want to construct a model for the probability of registering a detector count in the detector measuring in basis B, direction V , provided the bit was prepared in basis A, direction U, p AB UV . The probability of observing a count in a detector given a certain preparation is proportional to where t 1 and t 2 account for the preparation and detection efficiencies. The projectorsP AU ,P BV are along a certain preparation or measurement direction, given by a unit vector n AX or r BŶ P AU = 1 2 (1 + n AU · σ A ) ,P BV = 1 2 (1 + r BV · σ B ) , Demonstration of Free-space Reference Frame Independent Quantum Key Distribution 16

Appendix F. Detector counts and correlation functions
The calculation of the secret key fraction is based on a minimisation subject to a number of constraints. In our implementation we use a total of 21 constraints. Each constraint and its corresponding standard deviation can be calculated from the raw detector counts obtained in the parameter estimation process. The first set of constraints is given by the 9 correlation functions This gives us a total of 21 constraints derived from the raw detector counts to be used in the calculation of the secret key fraction.