Multi-partite squash operation and its application to device-independent quantum key distribution

The squash operation, or the squashing model, is a useful mathematical tool for proving the security of quantum key distribution systems using practical (i.e., non-ideal) detectors. At present, however, this method can only be applied to a limited class of detectors, such as the threshold detector of the Bennett-Brassard 1984 type. In this paper we generalize this method to include multi-partite measurements, such that it can be applied to a wider class of detectors. We demonstrate the effectiveness of this generalization by applying it to the device-independent security proof of the Ekert 1991 protocol, and by improving the associated key generation rate. For proving this result we use two physical assumptions, namely, that quantum mechanics is valid, and that Alice's and Bob's detectors are memoryless.

The squash operation, or the squashing model, is a useful mathematical tool for proving the security of QKD systems using practical (i.e., non-ideal) detectors [11,12]. Once its existence is proved for a given practical detector, one can incorporate it into a conventional type of security proof where receivers have ideal qubit detectors, and automatically obtain a new proof that remains valid even if the practical detectors are used. The squash operation literally squashes an incoming state to a qubit, and also has the property that, when followed by qubit measurements, it acts in exactly the same way as the practical detector. In security proofs, there is no loss of generality in supposing that the squash operation is conducted by the attacker, and as a result, the security of a protocol using practical detectors is reduced to that of a protocol using ideal qubit detectors.
A type of squash operation was first assumed in the security proof by Gottesman et al. [13]; however, its existence was only conjectured, and no proof was given. The first proof was given by one of the present authors and Tamaki [11], for the case of the threshold detector of the BB84 type measurement. This result was also verified independently by Beaudry, Moroder, and Lütkenhaus [12]. There were also attempts toward constructing squash operations for a wider class of practical detectors. For example, Ref. [12] gave an explicit condition for the existence of a squash operation, and used it to show positive and negative results on the six-state protocol. In Ref. [14], one of the present authors discussed whether symmetries of a given detector can imply the existence of the squash operation corresponding to it, and also showed that the above result on the BB84 type measurement is valid even for multi-mode cases. However, for other types of detectors, e.g., homodyne measurements, the squash operation is not known to exist.
In this paper, we demonstrate that the situation changes drastically by considering a generalized case where multi-partite measurements are involved. That is, while all previous studies on the squash operation were concerned only with detectors used by a single player, we here consider a generalization including global measurements performed jointly by two players or more, such as the Clauser-Horne-Shimony-Holt (CHSH) measurement [15], used e.g. in the E91 protocol. This approach allows us to relax the mathematical conditions required for the existence of the squash operation, such that they can be fulfilled for a wider class of detectors. Perhaps this is most easily illustrated by considering the CHSH measurement as an example. If one regards the CHSH measurement as a mixture of local x, z-basis measurements performed by Alice and Bob, there are two bases for each player, which together yield four conditions that the squash operation has to satisfy. In contrast, if one regards the same measurement as one global measurement, there is no basis choice, and thus only one condition is required for the existence of the squash operation.
As evidence of the effectiveness of this generalization, we apply it to the E91 protocol using any detectors, and show that it achieves the same high key generation rate as the same protocol implemented with ideal qubit detectors. In other words, we show that the E91 protocol achieves device-independent security and, simultaneously, the high key generation rate $R$ of the ideal device-dependent implementation: $R = 1 - (1 + f_{\rm ec})h(p)$, with $p$ being the quantum error rate (QBER), $h(p)$ the binary entropy, and $f_{\rm ec}$ the efficiency of error correction. Hence when the optimal error correcting code with $f_{\rm ec} = 1$ is available, one can generate the secret key with QBER up to 11%. This key rate is higher than in any of the existing literature on device-independent QKD [16][17][18][19][20], and in fact the highest known for any QKD protocols with one-way post-processing, including device-dependent ones. For obtaining this result, we use two physical assumptions. Namely, we assume that quantum mechanics is valid, and that Alice's and Bob's detectors are memoryless, i.e., different detectors operate on different Hilbert spaces. In comparison with the existing literature, our assumptions are weaker than that of Ref. [16], where collective attacks are assumed, but stronger than in Refs. [18][19][20], where detectors are not necessarily memoryless, and also stronger than in Ref. [17], which does not assume quantum mechanics.
Our security proof of the E91 protocol proceeds as follows. In the first step, we convert the E91 protocol using arbitrary detectors into a simplified version where uncharacterized qubit detectors are used. For this purpose we borrow the technique used in Ref. [16], and the result is that, without loss of security, we may restrict ourselves to a protocol where Alice and Bob use qubit detectors, parameterized by complex numbers $\alpha, \beta$. In the next step, we eliminate the $\alpha, \beta$-dependence by applying a bipartite squash operation $F_{\alpha,\beta}$, which is designed such that the CHSH measurement, jointly performed by Alice and Bob, is transformed to the phase error measurement of the BB84 type, also jointly performed by the two players. $F_{\alpha,\beta}$ is also designed so that it leaves Alice's sifted-key measurement unchanged. As a consequence, the original E91 protocol is transformed to the BB84 protocol, which can readily be shown secure by referring to the existing literature, e.g., [8,21-23].
The crucial observation here is that the minimum entropy of Alice's sifted key depends only on the results of Alice's sifted-key measurement, and of the CHSH measurements on sample pulses. No other measurements affect the sifted key as they are performed locally and remotely from it. Hence for proving the security of the E91 protocol, it suffices to find a squash operation that properly transforms the CHSH and Alice's sifted-key measurement. While the previous formulation based on the one-partite squash operation demands four conditions, corresponding to Alice's and Bob's choices of x, z basis, which cannot be fulfilled in general, the bipartite generalization demands only two. This is why this new setting realizes the security proofs that were not possible previously.

II. REVIEW OF CONCEPTS REGARDING QUANTUM KEY DISTRIBUTION AND THE SECURITY
In this section, we clarify the notation and concepts to be used in this paper. In particular, we explain the security criteria of QKD protocols, and review the previous method of the squash operation, restricted to one-partite measurement.

A. ε-security and the smooth minimum entropy
For the sake of simplicity, we restrict ourselves to entanglement-based QKD protocols. Also for the sake of simplicity, we assume that the secret key length is constant; i.e., we only consider the type of protocols where Alice and Bob decide whether the protocol is aborted or not, by checking the measurement results of randomly chosen sample pulses, and when it continues, the generated secret key has a fixed bit length $l$. Such protocols can typically be described as follows.
By checking the measurement results of sample pulses $I_{\rm smp}$, they decide whether they continue or abort the protocol.
If they continue, Alice lets her measurement results of sifted key pulses $I_{\rm sif}$ be her sifted key $u$.
5. (Alice's privacy amplification) Alice randomly selects hash function $f_{\rm pa}$ and announces it to Bob. She then inputs her sifted key $u$ to $f_{\rm pa}$ and obtains her secret key $k = f_{\rm pa}(u)$ of $l$ bits, and stores it in $H_K$.
6. (Bob's post-processing) Alice calculates the syndrome of her sifted key $u$, and announces it to Bob. Bob lets his measurement results of sifted key pulses $I_{\rm sif}$ be his sifted key $u'$. He corrects errors in $u'$ using the syndrome, and by inputting the outcome to a hash function $f_{\rm pa}$, he obtains his secret key.
In what follows, we denote all data announced in the public channel by a random variable $V$, Alice's secret key by $K$, and the final state corresponding to the initial state by $\rho^{ABE}$. Eve eavesdrops information regarding the secret key $K$ by referring to $V$ and measuring her substate in $H_E$. The security against this attack is usually analyzed by defining the ideal state, and then evaluating how close it is to the actual state. It is customary to define the ideal state to be one where Alice's secret key $K$ seen from Eve is the perfectly uniform random source, i.e., $\rho^K_{\rm mix} \otimes \rho^{VE}$ with $\rho^K_{\rm mix} = 2^{-l}\sum_{k=0}^{2^l-1} |k\rangle\langle k|$. It is also customary to use the trace distance for evaluating the closeness to the actual state.

Definition 1
We say that a given QKD protocol is ε-secure if the following relation holds for an arbitrary attack by Eve: As shown in Ref. [24], this definition of security satisfies universal composability.
As emphasized by Renner [21], in evaluating the trace distance $d_1(\rho^{KVE}|VE)$, it is useful to consider the smooth minimum entropy $H^{\varepsilon'}_{\min}(\rho^{UVE}|VE)$ of sifted key $U$, because it allows the use of mathematical tools similar to those of the Shannon theory. This property is sufficient for bounding the trace distance from above, i.e.,

Lemma 1 If function $f_{{\rm pa},V}$ for privacy amplification is randomly chosen from a universal$_2$ function family [25], then for any (sub-normalized) sifted key state $\rho^{UVE}$,

Here we denoted hash function $f_{\rm pa}$ by $f_{{\rm pa},V}$ in order to emphasize that it is determined uniquely by the public communication $V$. We note that there is a useful generalization of this lemma using dual universal$_2$ functions [26,27], which allows the use of practically useful hash functions [28]. According to this lemma, once a lower bound on $H^{\varepsilon'}_{\min}(\rho^{UVE}|VE)$ is obtained for a given protocol, its security follows immediately. For example, if one can somehow prove that holds for an arbitrary attack by Eve, then Lemma 1 guarantees condition (1) of Definition 1, and thus the protocol is ε-secure.
As we restrict ourselves to entanglement-based protocols in this paper, once Eve fixes the initial state $\rho^{ABE}$, the state $\rho^{UVE}$ describing Alice's sifted key and Eve is uniquely determined, as well as $\rho^{KVE}$ describing Alice's sifted key and Eve. This fact can be used to simplify the notation to some extent. Define a (not necessarily trace preserving) completely positive map $\Pi_{\rm sif}$ for describing Alice's sifted key generation, $\Pi_{\rm pa}$ for her privacy amplification, and $\Pi_{\rm sec} = \Pi_{\rm pa} \circ \Pi_{\rm sif}$ for secret key generation. Then $\rho^{UVE}$ can be denoted as $\rho^{UVE} = \Pi_{\rm sif}(\rho^{ABE})$, $\rho^{KVE} = \Pi_{\rm sec}(\rho^{ABE})$. Here we use a convention that $\rho^{U,V=v',E} = \rho^{K,V=v',E} = 0$ when the protocol is aborted and no secret key is generated (i.e., $v'$ denotes a record of public communication that includes "abort"). We also use the notations $\rho^{KVE}_*$, $\rho^{UVE}_*$, $\Pi_{{\rm sec},*}$, $\Pi_{{\rm sif},*}$, with symbol $*$ specifying the protocol or game used. For example, $\rho^{KVE}_{\rm PR1}$ is the final state generated by Protocol 1 (PR1) from the initial state $\rho^{ABE}$, i.e., $\rho^{KVE}_{\rm PR1} = \Pi_{\rm PR1,sec}(\rho^{ABE})$. In these notations, condition (1) of Definition 1 can be rewritten as Similarly, eq. (3), which is a sufficient condition for (4), can be rewritten as

B. Previous method using squash operations
As mentioned in the Introduction, the squash operation is a mathematical tool that translates the security of a given QKD system using practical detectors into that of a qubit-based protocol. In this subsection we review this method, based on the results of Ref. [11]. For the sake of simplicity, we will continue to restrict ourselves to entanglement-based protocols, although the method presented below can also be applied to one-way protocols. Consider a QKD system where Alice's and Bob's detectors are not necessarily ideal qubit detectors, and denote the Hilbert space of their input by $H_M$. For instance, for the threshold detector (see, e.g., Ref. [11]), $H_M$ is the Fock space representing multi-photons.
For the sake of simplicity, we will further assume that measurement basis $c$ is chosen from $\{x, z\}$, and that the measurement outcome is $r \in \{\pm 1\}$. We denote the corresponding POVM in $H_M$ by $M(r|c)$. For later convenience, we also define operator $M(c) := M(+1|c) - M(-1|c)$. In this setting, the squash operation is defined as follows.
Definition 2 (1-partite squash operation) A squash operation is a quantum operation (i.e., a trace-preserving and completely positive (TPCP) map) $F : H_M \to H_2$, satisfying, where $X, Z$ denote the Pauli matrices of the x, z basis.
Here, $F^\dagger$ denotes the Hermitian conjugate of $F$, i.e., the operator satisfying ${\rm tr}(M F(\rho)) = {\rm tr}(F^\dagger(M)\rho)$ for arbitrary state $\rho$ and measurement $M$. Definition 2 demands that measuring any state with an arbitrary basis $c \in \{x, z\}$ using $M(c) = M(+1|c) - M(-1|c)$ is equivalent to performing squash operation $F$ on the state and then measuring the resulting qubit state with the Pauli operators $X, Z$. If such an operation $F$ exists, all measurements in Protocol 1 performed by Alice and Bob using $M(r|c)$ ($c \in \{X, Z\}$) can be decomposed into $F$ followed by the normal qubit measurements using $X, Z$. In security proofs, there is no loss of generality in supposing that $F$ is conducted by the attacker, so the security of Protocol 1 above can be reduced to that of the following protocol [11].
Same as Protocol 1 except 1. Eve generates quantum state $\rho^{\bar{A}BE}$, where $H_{\bar{A}}$ and $H_B$ consist of qubit spaces. Then she sends its sub-states in $H_{\bar{A}}$ and $H_B$ to Alice and Bob, respectively.

Alice (Bob) measures pulse i using the Pauli operators X
In terms of the trace distance and the smooth minimum entropy, we have the following relations.

Lemma 2 Let $\rho^{KVE}_{\rm PR1}$ and $\rho^{KVE}_{\rm PR2}$ be the final states generated as a result of Protocol 1 and 2, respectively, then we have Similarly, let $\rho^{UVE}_{\rm PR1}$ and $\rho^{UVE}_{\rm PR2}$ be the sifted-key states generated by Protocol 1 and 2, respectively, then

In Appendix A, we give a formal proof of this lemma. According to Lemma 2, once the squash operation $F$ is shown to exist for a given detector $M(r|c)$, any security proof of a qubit-based protocol remains valid even when the qubit detectors are replaced with $M(r|c)$. In other words, once $F$ is known to exist for a practical detector $M(r|c)$, it always suffices to consider the simplified case where the ideal qubit detectors are used; all analyses related to $M(r|c)$ become unnecessary. This is the advantage of considering the squash operation.

III. MULTI-PARTITE SQUASH OPERATIONS
As we have seen in the previous section, once the squash operation $F$ is shown to exist for a practical detector $M(r|c)$, it can serve as a very useful tool for analyzing protocols involving $M(r|c)$. At present, however, $F$ is shown to exist for a relatively limited class of detectors, e.g., the threshold detector of the BB84 type measurement [11,12,14], and of the six-state measurement with a passive basis choice [12]. There are even impossibility results: There is no $F$ for the six-state measurement with an active basis choice [12]. Macroscopic symmetry of a detector cannot by itself guarantee the existence of the corresponding $F$ [14].
In the rest of this paper, we show that this situation changes drastically by considering a generalized setting where multi-partite measurements are involved. That is, while all previous studies of the squash operation were concerned with a detector used by a single player, we here consider a generalization including measurements performed jointly by two players or more, such as the Bell and the CHSH measurements. This approach allows us to relax the mathematical conditions required for the existence of the squash operation, such that they can be fulfilled for a wider class of measurements.

A. Definition
We begin by writing down the definition for the multi-partite case. This is a simple generalization of the one-partite squash operation of the previous subsection. Consider a situation where $n$ players $P_1, \ldots, P_n$ agree on a basis choice $c$ and perform (possibly non-local) n-partite measurements in the Hilbert space $H_{P_1} \otimes \cdots \otimes H_{P_n}$ using operator $M(r|c)$ to obtain an outcome $r$. Here the basis choice $c$ can be a list $(c_1, \ldots, c_n)$ consisting of $P_i$'s choices $c_i$, but is not limited to this type. More generally, it may also specify non-local measurements, such as the CHSH measurement, denoted by $c = {\rm CHSH}$. We assume that $c$ is chosen from a predetermined set $C$. We also assume there are measurement operators $m(r|c)$ defined for the same variables $r, c$, which operate in n-qubit spaces $H_{P_1} \otimes \cdots \otimes H_{P_n}$. In this setting, the multi-partite squash operation is defined as follows.

Definition 3 (n-partite squash operation)
The squash operation for n-partite measurements $M(r|c)$ and $m(r|c)$ is a quantum operation $F : H_{P_1} \otimes \cdots \otimes H_{P_n} \to H_{P_1} \otimes \cdots \otimes H_{P_n}$ which satisfies for all basis choices $c \in C$.

In order to illustrate how this generalization allows us to relax the conditions imposed on the squash operation, we consider as an example the E91 protocol, where players A and B use uncharacterized qubit measurements with complex parameters $\alpha, \beta$ satisfying $|\alpha| = |\beta| = 1$. Before discussing these operators under the generalized scenario, it should be noted that, under the previous scenario of the one-partite squash operation, any attempt to reduce them to the normal qubit measurements (i.e., those with $\alpha = \beta = \sqrt{-1}$) fails. That is, one cannot construct $F_\alpha$ satisfying $F^\dagger_\alpha(Z) = Z$ and $F^\dagger_\alpha(X) = X_\alpha$ for an arbitrary value of $\alpha$. This can readily be shown, e.g., by using the method developed in [12].
Now, under the generalized scenario, we reinterpret the problem as follows. In the present E91 protocol, there are only two types of quantum measurements that affect $\rho^{UVE}$, namely, Alice's sifted-key measurement and the CHSH measurement (14) which is jointly performed by Alice and Bob. This is because the sifted key $U$ is the result of measurement $Z^A \otimes I^B$, conditioned on that of $M_{\alpha,\beta}({\rm CHSH})$. No other measurements affect $H_{\min}(\rho^{UVE}|VE)$ as they are performed locally and remotely from $Z^A \otimes I^B$ and $M_{\alpha,\beta}({\rm CHSH})$. Hence if we can somehow construct a squash operation $F^{AB}_{\alpha,\beta}$ that transforms $Z^A \otimes I^B$ and $M_{\alpha,\beta}({\rm CHSH})$ into simpler measurements, say $Z^A \otimes I^B$ and $m({\rm CHSH})$, then $H_{\min}(\rho^{UVE}|VE)$ can also be evaluated using a simpler protocol using $Z^A \otimes I^B$ and $m({\rm CHSH})$.
As we will prove in Theorem 2 of Section V D, this is indeed possible. There exists $F^{AB}_{\alpha,\beta}$ satisfying where $X^A$ and $X^B$ are the normal Pauli operators in the x basis: . This means that $F^{AB}_{\alpha,\beta}$ converts the CHSH measurement into the phase error measurement $X^A \otimes X^B$ of the BB84 type, and simultaneously preserves Alice's measurement $Z^A \otimes I^B$ of sifted key $U$. Hence as a result, the security of the E91 protocol using qubit measurements $Z^A, X^A_\alpha, Z^B, X^B_\beta$ is reduced to that of the BB84 protocol, which has been fully analyzed in the existing literature, e.g., [8,21-23]. This is the main idea of our security proof.
Before closing this argument, we remark that there are gaps in the treatment of measurement $M_{\alpha,\beta}({\rm CHSH})$ that have to be filled. In the above argument, we implicitly assumed that measurement $M_{\alpha,\beta}({\rm CHSH})$ was performed as a global measurement, i.e., as a projective measurement with respect to entangled eigenstates, similar to the Bell states, with eigenvalues in $\{-1/\sqrt{2}, 1/\sqrt{2}\}$. On the other hand, in the actual E91 protocol, the same measurement is implemented as an ensemble of zz, zx, xz, xx-basis measurements locally performed by Alice and Bob. This clearly differs from the global measurement above in that
i) The eigenvalues are restricted to ±1.
ii) The basis choice $c_{AB} \in \{zz, zx, xz, xx\}$ of Alice and Bob's local measurements is revealed to Eve.
The first gap can be closed by considering POVM

Next, in order to demonstrate the effectiveness of the multi-partite squash operation introduced in the previous section, we apply this method to the device-independent security proof of the E91 protocol. We show that the E91 protocol achieves device-independent security and, simultaneously, the high key generation rate $R$ of the ideal device-dependent implementation: $R = 1 - (1 + f_{\rm ec})h(p)$, with $p$ being the quantum error rate (QBER), $h(p)$ the binary entropy, and $f_{\rm ec}$ the efficiency of error correction.

A. Description of the Ekert 1991 protocol
The E91 protocol is described as follows.

Assumptions
We use two assumptions for the security proof in the subsequent sections. The first assumption is that quantum mechanics is valid. The second assumption concerns the detectors. Recall that we only consider the type of protocol where Eve prepares the initial state first, and Alice and Bob measure it using $N$ detectors respectively, with $N$ denoting the number of raw key bits. In this setting we assume that these $2N$ detectors are memoryless, or uncorrelated with each other.
The precise description of the second condition is as follows. Let us use variable $P \in \{A, B\}$ to denote players Alice and Bob. We assume that the Hilbert space representing player $P$'s incoming state is clustered as $H^P = H^P_1 \otimes \cdots \otimes H^P_N$, and that detector $i \in \{1, \ldots, N\}$ operates only in subspace $H^P_i$. In other words, we assume that the i-th detector of player $P$ takes the form where $c$ denotes the basis choice, $r \in \{\pm 1\}$ the output, and $I^P_i$ the identity operator of $H^P_i$. We emphasize here that $M^P_i$ with different $P$ or $i$ may be different from each other. In what follows we consider the situation where this condition is guaranteed somehow, e.g., by shielding or separating detectors from each other.
We also restrict ourselves to the case where each detector $M^P_i$ always outputs value $r \in \{\pm 1\}$, and there are no inconclusive events, i.e., Note this is not a new physical assumption, since any $M^P_i$ can be transformed to this type, e.g., by making it a rule that player $P$ assigns a random number ±1 to output c when detector $i$ says inconclusive.
where
iii. If $S$ is less than a given predetermined threshold $S_0$, Bob announces that the protocol is aborted.
(c) Generation of the sifted key: Alice lets her measurement results of sifted key pulses $I_{\rm sif}$ be sifted key $u$, and stores it in $H_U$.

(Alice's post-processing) Alice calculates syndrome $v_{\rm syn}$ of her sifted key for error correction, and announces it to Bob. We assume that the syndrome length $|v_{\rm syn}|$ satisfies $|v_{\rm syn}| \le l_{\rm syn}$. Alice also selects a universal hash function $f_{\rm cor}$ randomly with output length $|f_{\rm cor}(\cdot)| = \lceil \log(1/\varepsilon_{\rm cor}) \rceil$, and announces $f_{\rm cor}$ along with the hash value $f_{\rm cor}(u)$ of sifted key $u$. Alice selects another universal hash function $f_{\rm pa}$ with output length $l$ randomly, calculates secret key $k = f_{\rm pa}(u)$, and stores it in $H_K$.

(Bob's post-processing)
Bob measures his sifted key pulses in the $z'$ basis to obtain his sifted key, and obtains corrected key $u'$ by performing bit error correction using syndrome $v_{\rm syn}$. Then he verifies its correctness by checking if the hash value $f_{\rm cor}(u')$ of Bob's sifted key equals $f_{\rm cor}(u)$ sent from Alice. If they differ the protocol is aborted; otherwise he obtains a secret key of $l$ bits by applying privacy amplification to the sifted key.
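
The classical hashing in Alice's and Bob's post-processing steps above, as an added Python example (not code from the paper). The paper only requires universal hash functions; the Toeplitz-matrix family over GF(2), the base-2 logarithm for the tag length, and all function names are assumptions of this example, and syndrome-based error correction is left out (Bob's corrected key is passed in directly).

```python
import math
import secrets


def toeplitz_hash(seed, bits, n_out):
    """Multiply `bits` by an n_out x len(bits) Toeplitz matrix over GF(2).

    Entry (i, j) of the matrix is bit (i - j + len(bits) - 1) of `seed`,
    so the matrix is constant along diagonals and is fixed by
    len(bits) + n_out - 1 random bits.
    """
    n_in = len(bits)
    out = []
    for i in range(n_out):
        acc = 0
        for j, b in enumerate(bits):
            if b:
                acc ^= (seed >> (i - j + n_in - 1)) & 1
        out.append(acc)
    return out


def draw_seed(n_in, n_out, randbits=secrets.randbits):
    """Pick one member of the Toeplitz family uniformly at random."""
    return randbits(n_in + n_out - 1)


def verification_length(eps_cor):
    """Output length of f_cor: ceil(log2(1 / eps_cor)) bits (base 2 assumed)."""
    return math.ceil(math.log2(1 / eps_cor))


def alice_postprocess(u, eps_cor, l, randbits=secrets.randbits):
    """Return (public announcement, secret key k = f_pa(u)) for sifted key u."""
    t = verification_length(eps_cor)
    seed_cor = draw_seed(len(u), t, randbits)   # chooses f_cor
    seed_pa = draw_seed(len(u), l, randbits)    # chooses f_pa
    announcement = {
        "seed_cor": seed_cor,
        "tag": toeplitz_hash(seed_cor, u, t),   # f_cor(u)
        "seed_pa": seed_pa,
    }
    return announcement, toeplitz_hash(seed_pa, u, l)


def bob_postprocess(u_corrected, announcement, l):
    """Verify f_cor(u') == f_cor(u); return Bob's key, or None for abort."""
    t = len(announcement["tag"])
    if toeplitz_hash(announcement["seed_cor"], u_corrected, t) != announcement["tag"]:
        return None
    return toeplitz_hash(announcement["seed_pa"], u_corrected, l)


if __name__ == "__main__":
    # Constructed sample input: a random 256-bit sifted key.
    u = [secrets.randbits(1) for _ in range(256)]
    ann, k_alice = alice_postprocess(u, eps_cor=1e-10, l=64)

    # Case 1: error correction succeeded, Bob holds the same string.
    print("keys match:", bob_postprocess(list(u), ann, 64) == k_alice)

    # Case 2: one residual bit error survives error correction.
    u_bad = list(u)
    u_bad[17] ^= 1
    print("residual error -> abort:", bob_postprocess(u_bad, ann, 64) is None)
```

A residual error goes undetected only if the announced tag happens to collide, which for a universal family occurs with probability at most 2 to the power of minus the tag length.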

Remarks on the protocol besides security
In Steps 2 and 4(a), Alice and Bob choose sample and sifted key pulses randomly, and if they fail to assign enough numbers of pulses, the protocol is aborted. This abortion due to pulse selections occurs probabilistically and independently of Eve's choice of the initial state $\rho^{ABE}$. This probability can be bounded by using the Chernoff bound (see, e.g., [29], Theorem 4.5) as

Parameter $S$, calculated in Step 3 (b), corresponds to the average of outcomes of the CHSH measurements. That is, according to constructions of Step 2 and 3, obtaining $S$ is equivalent to measuring each sample pulse $i \in I_{\rm smp}$ using ) with the outcome $s_i$, and then calculating the average $S = (l_{\rm smp})^{-1} \sum_{i \in I_{\rm smp}} s_i$. In what follows, we will often call $S$ the CHSH parameter.

B. Security of the above protocol
Theorem 1 The E91 protocol above is ε-secure. That is, let $\rho^{KVE}_{\rm E91}$ be the final state generated by the E91 Protocol (or Game 0) on the input of initial state $\rho^{ABE}$, consisting of secret key $K$, public communication $V$, and Eve's substate in $H_E$. Then we have when the secret key length $l$ is chosen to be with $\mu'$ defined by and $h(p)$ being the binary entropy:

This theorem can be obtained by using the leftover hashing lemma (Lemma 1), and letting $\varepsilon' = \varepsilon/3$ in the following lemma.

Lemma 3 Let $\rho^{UVE}_{\rm E91}$ be the state generated as a result of Steps 1 through 4 of the E91 Protocol (or Game 0) on the input of initial state $\rho^{ABE}$, and $U$ be the random variable denoting the sifted key. Then $\rho^{UVE}_{\rm E91}$ satisfies, for an arbitrary value of $0 < \varepsilon' \le 1$, where

The proof of this lemma is given in the next section.

C. Key generation rate for the qubit-based implementation
In the ideal implementation of the Ekert 1991 protocol, the entanglement source always generates the Bell state, which is then sent to Alice and Bob, and measured using (presumably) single photon detectors. In this setting, it is customary to rotate Bob's x, z bases by 45 degrees with respect to those of Alice, such that $S$ attains its maximum value $2\sqrt{2}$ when channels are noiseless. It is also customary to choose Bob's $z'$ basis to be aligned with Alice's z basis, so that their sifted keys match for the noiseless case. When channels are noisy, e.g., the depolarizing channels with error rate $p$, the average of $S$ is and the bit error rate $p_{\rm sif}$ of sifted key equals $p$.
Corollary 1 In the above setting using single photon detectors, the asymptotic key generation rate $R := \lim_{n\to\infty} n/N$ satisfies where $f_{\rm ec}$ is the efficiency of error correction, i.e., asymptotic syndrome length is $l_{\rm syn} = f_{\rm ec} h(p)$. This value of $R$ equals the key rate of the qubit-based E91 protocol in depolarizing channels, and is the highest known for device-independent protocols at present.
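
An added numerical check of the ideal setting above (not code from the paper): it builds a noisy Bell state, evaluates the CHSH parameter with Bob's bases rotated by 45 degrees, the sifted-key error rate with Bob's z' aligned to Alice's z, and the rate R = 1 − (1 + f_ec)h(p) quoted in the Introduction, then finds by bisection the QBER at which R reaches zero. Modelling the depolarizing noise as a Werner state with visibility 1 − 2p, the sign convention of the CHSH combination, and the function names are assumptions of this example.

```python
import math

X = [[0.0, 1.0], [1.0, 0.0]]
Z = [[1.0, 0.0], [0.0, -1.0]]


def kron(a, b):
    """Kronecker product of two real matrices given as nested lists."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]


def expectation(rho, op):
    """tr(rho * op) for real square matrices of equal size."""
    n = len(rho)
    return sum(rho[i][k] * op[k][i] for i in range(n) for k in range(n))


def observable(theta):
    """Qubit observable cos(theta) Z + sin(theta) X in the x-z plane."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c * Z[i][j] + s * X[i][j] for j in range(2)] for i in range(2)]


def noisy_bell_state(p):
    """Assumed noise model: (1 - 2p)|Phi+><Phi+| + 2p * I/4."""
    phi = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]
    v = 1 - 2 * p
    return [[v * phi[i] * phi[j] + (2 * p / 4 if i == j else 0.0)
             for j in range(4)] for i in range(4)]


def chsh_parameter(p):
    """CHSH value with Alice measuring z, x and Bob measuring bases
    rotated by 45 degrees (assumed sign convention: minus on the z/x' term)."""
    rho = noisy_bell_state(p)
    a_z, a_x = observable(0.0), observable(math.pi / 2)
    b_z, b_x = observable(math.pi / 4), observable(3 * math.pi / 4)
    e = lambda a, b: expectation(rho, kron(a, b))
    return e(a_z, b_z) - e(a_z, b_x) + e(a_x, b_z) + e(a_x, b_x)


def sifted_error_rate(p):
    """Bit error rate when Alice and Bob both measure Z (Bob's z' basis)."""
    return (1 - expectation(noisy_bell_state(p), kron(Z, Z))) / 2


def binary_entropy(p):
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def key_rate(p, f_ec=1.0):
    """R = 1 - (1 + f_ec) h(p)."""
    return 1 - (1 + f_ec) * binary_entropy(p)


def qber_threshold(f_ec=1.0, tol=1e-12):
    """Largest p in [0, 1/2] with positive key rate, found by bisection
    (key_rate is decreasing in p on this interval)."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if key_rate(mid, f_ec) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print(" p      S       p_sif   R(f_ec=1)")
    for p in (0.0, 0.02, 0.05, 0.08, 0.11):
        print(f"{p:5.2f}  {chsh_parameter(p):6.4f}  "
              f"{sifted_error_rate(p):6.4f}  {key_rate(p):7.4f}")
    print("QBER threshold, f_ec = 1.0:", round(qber_threshold(1.0), 5))
    print("QBER threshold, f_ec = 1.2:", round(qber_threshold(1.2), 5))
```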

V. PROOF OF LEMMA 3
The rest of this paper is devoted to the proof of Lemma 3. Our goal is to obtain a lower bound of $H^{\varepsilon}_{\min}(\rho^{UVE}_{\rm E91}|VE)$, with $\rho^{UVE}$ a sifted key state generated by Alice and Bob in Protocol 1, the E91 protocol. As the direct analysis of such a practical system is usually cumbersome, we will use an indirect approach. We convert the protocol to simpler procedures called games, which are defined as quantum operations which output a final state $\rho^{UVE}$ on the input of initial state $\rho^{ABE}$. We use this terminology because some of the converted procedures can no longer be considered as a communication protocol; e.g., in Games 1, . . . , 4 below, a substitute player Charlie alone plays both Alice's and Bob's parts, and there is no communication.
In the proof below, we start from the E91 protocol, also called Game 0, and repeat converting it to Games 1, 2, . . . , until we reach Game n, which is simple enough to analyze directly. Game i will also be abbreviated as Gi in what follows. In order to be able to bound the minimum entropy $H^{\varepsilon'}_{\min}(\rho^{UVE}_{\rm E91}|VE)$ of Game 0 by those of other games, we design the conversions such that the minimum entropy of Game i is not larger than that of the preceding game, Game i − 1, possibly with a constant offset term $l_i \ge 0$.
That is, we design conversions from Game i − 1 to i such that is satisfied for all $1 \le i \le n$. Here $\rho^{UVE}_{{\rm G}i}$ denotes the sifted key state generated as the result of Game i, on the input of $\rho^{ABE}$, i.e., $\rho^{UVE}_{{\rm G}i} = \Pi_{{\rm G}i,{\rm sif}}(\rho^{ABE})$. In this setting, it is immediate that the minimum entropy of the original protocol is bounded by that of Game n as Hence if a lower bound is obtained for the final Game n, then that of the E91 protocol follows automatically. This type of situation is often described as 'the security of the original protocol is reduced to that of Game n'. We note that this approach using game transformations is not essentially new, and is implicit in the previous literature, such as [8,21]. In our proof below, Game 0 is the E91 protocol (Protocol 1), and we convert it to simpler Games i (i ≥ 1) satisfying relation (29), until we reach Game 4, a security game of the BB84 protocol.

A. Definition of the security game and the basic strategy of our proof
As the first step, we define the following game.

(CHSH test) Charlie measures sample pulses
. The results are recorded as $(r_{A,i}, r_{B,i}) \in \{\pm 1\}^2$. Then he calculates the CHSH parameter $S$ using (17) and (18), and if it is less than $S_0$, he announces to Eve that the protocol is aborted.
ii) For pulses that are neither samples nor sifted key, basis choices and measurement results are omitted.
iii) Charlie does not measure Bob's sifted key pulses.
iv) Charlie does not reveal basis choices of sample pulses, syndrome $v_{\rm syn}$ and hash value $f_{\rm cor}(u)$ to Eve, and keeps them secret.
It is straightforward to see that the first three modifications do not affect the output state $\rho^{UVE}$, nor the minimum entropy $H^{\varepsilon'}_{\min}(\rho^{UVE}|VE)$. On the other hand, the fourth modification can affect $\rho^{UVE}$, since it erases some information available to Eve through public communication $V$, which is related to sifted key $U$ as well as the basis choice of sample pulses. In order to properly compensate for the effect on $H^{\varepsilon'}_{\min}(\rho^{UVE}|VE)$ due to this lack of information, we borrow results of Ref. [21] and prove the following lemma.
Lemma 4 For an arbitrary initial state $\rho^{ABE}$, we have

Note that this is an example of inequality (29). The proof of this lemma is given in Appendix B.

B. Reduction to a qubit-based game
By borrowing the argument of Ref. [16], we may assume, without loss of generality, that input pulses of Alice and Bob are all qubits.
Lemma 5 (cf. Ref. [16], Lemma 1) It is not restrictive to suppose that Eve sends to Alice and Bob a mixture $\rho^{AB} = \sum_{\alpha,\beta} p_{\alpha,\beta}\, \rho_{\alpha,\beta}$ of two-qubit states, together with a classical ancilla (known to her) that carries the values $\alpha, \beta$, and determines which measurements $M^A_\alpha(c_A)$ and $M^B_\beta(c_B)$ are to be used on $\rho_{\alpha,\beta}$.
A proof sketch of this lemma is given in Appendix C. For the complete proof, we ask the reader to see Ref. [16], Section 2.4. This lemma states that there is no loss of security (i.e., $H_{\min}(\rho^{UVE}|VE)$ does not increase), even if we restrict ourselves to the case where Eve generates a two-qubit state, accompanied by random variables $\alpha, \beta$, which are then measured by Alice and Bob using operators given in Eqs. (11), (12), with $\alpha, \beta$ being complex numbers satisfying $|\alpha| = |\beta| = 1$. Thus the security of Game 1 can be reduced to that of the following game,

where parameters $\mu, \nu$ are defined by vectors $\{|\Psi_{\pm 1}\rangle, |\Phi_{\pm 1}\rangle\}$ are the Bell states defined by and $U_{\mu\nu}$ is a unitary transform, defined by

This form of $M_{\alpha,\beta}({\rm CHSH})$ shows that its measurement is equivalent to: i) applying unitary transform $U^{-1}_{\mu\nu}$, ii) next performing the Bell state measurement, and then iii) outputting $\pm|\mu|$ when $|\Psi_{\pm 1}\rangle$ are measured, and $\pm|\nu|$ when $|\Phi_{\pm 1}\rangle$. Note here that parameters $|\mu|, |\nu|$ satisfy and thus $|\mu|, |\nu| \le 1/\sqrt{2}$. Hence it follows that Game 2 is equivalent to Game 2' defined below. That is, on the input of an arbitrary initial state $\rho^{ABE}$, the outputs of Protocol 2 and 2' are the same:

2 (1 + ab|ν|). If the average $S = (l_{\rm smp})^{-1} \sum_{i \in I_{\rm smp}} s_i$ is below the threshold value $S_0$, he announces that the protocol is aborted.

D. Bipartite squash operation
The CHSH measurement $M_{\alpha,\beta}(\pm1|\mathrm{CHSH})$ of Game 2' still depends on parameters $\alpha$ and $\beta$, chosen arbitrarily by Eve. Our next step is to eliminate this $\alpha, \beta$ dependence by converting it to a measurement consisting of the normal Pauli operators. For this purpose, we introduce below a bipartite squash operation, $F_{\alpha,\beta}$, corresponding to $M_{\alpha,\beta}(\pm1|\mathrm{CHSH})$.
Theorem 2 For any $\alpha, \beta$ satisfying (41), there exists a squash operation $F_{\alpha,\beta}$ satisfying Hence where $m(\pm1|\mathrm{CHSH})$ is defined by and $m(\pm1|xx)$ are the projection operators for the $xx$-basis measurement:

The proof of this theorem is given in Appendix D. This theorem says that $M_{\alpha,\beta}(\pm1|\mathrm{CHSH})$ can be rewritten as the squash operation $F_{\alpha,\beta}$ followed by $m(\pm1|\mathrm{CHSH})$, and that $Z_A \otimes I_B$ is invariant under $F_{\alpha,\beta}$. Note that, by definition (45), $m(\pm1|\mathrm{CHSH})$ can be viewed as a weighted sum of the operator $m(\pm1|xx)$, which detects phase errors in the squashed qubit pair, and $I_A \otimes I_B$, which corresponds to noise generated by the receiver. By using this relation, Game 2' can be further rewritten as follows.

(c) Charlie applies $U^{-1}_{\mu_i\nu_i}$ and squash operations $F_{\alpha_i,\beta_i}$ to qubit pairs $i \in \{1, \dots, N\}$ given by Eve, where $\mu_i := \mu(\alpha_i, \beta_i)$, $\nu_i := \nu(\alpha_i, \beta_i)$.
3. (CHSH test) Charlie measures sample pulse $i \in I_{\mathrm{smp}}$ using POVM $m(\pm1|xx)$, and records the result as $p_i = \pm1$. If $p_i = a$, he lets $s_i = b$ with probability , where $a, b \in \{\pm1\}$. If the average $S = (l_{\mathrm{smp}})^{-1}\sum_{i\in I_{\mathrm{smp}}} s_i$ is below the threshold value $S_0$, he announces that the protocol is aborted.

Now the whole quantum operation performed by Charlie in Step 1 can be regarded as a bipartite squash operation. Thus we can apply the same argument as in Section II B, and reduce this game to the following one where there is no squash operation. Or in terms of the minimum entropy, we obtain the following lemma.
The inequality of the third line is due to the fact that the states after Step 1 of Game 2" are a subset of those of Game 3.

E. Reduction to the BB84 game
As mentioned above, the output of the POVM measurement $m(\pm1|\mathrm{CHSH})$ consists of two factors, namely, a phase error detection factor $\pm\frac{1}{\sqrt{2}}$ due to projection $\frac{1}{\sqrt{2}} m(\pm1|xx)$, and a noise factor ± 1 The noise factors of different pulses $i, j \in I_{\mathrm{smp}}$ are independent of each other, so their average over pulses $i \in I_{\mathrm{smp}}$ converges to zero for sufficiently large sample number $l_{\mathrm{smp}} = |I_{\mathrm{smp}}|$. Hence parameter $S$, or the average of measurement results of $m(\pm1|\mathrm{CHSH})$, also converges to that of measurement $\frac{1}{\sqrt{2}} m(\pm1|xx)$. To put it more precisely, we have the following lemma.
Proof: Define a random variable $t_i := s_i - \frac{1}{\sqrt{2}} p_i$. It is easy to see that their expected value is zero, $\langle t_i \rangle = 0$, for all $i \in I_{\mathrm{smp}}$. Also, it is straightforward to show that $t_i, t_j$ of different pulses $i, j$ are independent of each other, and that their differences satisfy $|t_i - t_{i-1}| \le 2(1 + \sqrt{2})$. Thus we can apply the Azuma-Hoeffding inequality to their average (see, e.g., Theorem 12.4, [29]), and obtain the lemma.
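The convergence argument above can be checked numerically; the following sketch is an added example, not part of the original paper. It assumes that the elided conditional probability is $\frac{1}{2}(1 + ab/\sqrt{2})$ (the value that makes $t_i$ zero-mean), that phase errors are i.i.d. with rate $Q$, and that the tail bound takes the standard Azuma-Hoeffding form with the constant $2(1+\sqrt{2})$ quoted in the proof; all function names and parameter values are hypothetical.

```python
import math
import random

SQRT2 = math.sqrt(2.0)


def run_chsh_test(l_smp, q_phase, rng):
    """Simulate the CHSH test on l_smp squashed sample pulses; return (S, S')."""
    sum_s = sum_p = 0
    for _ in range(l_smp):
        # p_i: xx-basis outcome; -1 models a phase error (assumed i.i.d., rate Q).
        p = -1 if rng.random() < q_phase else 1
        # s_i = +1 with probability (1 + p_i/sqrt(2))/2: assumed form, chosen so
        # that E[s_i | p_i] = p_i/sqrt(2), i.e. t_i = s_i - p_i/sqrt(2) has mean 0.
        s = 1 if rng.random() < 0.5 * (1 + p / SQRT2) else -1
        sum_s += s
        sum_p += p
    return sum_s / l_smp, sum_p / (SQRT2 * l_smp)


def azuma_hoeffding_tail(l_smp, delta, c=2 * (1 + SQRT2)):
    """Standard Azuma-Hoeffding bound on Pr[|S - S'| >= delta].

    S - S' is the average of the t_i; c bounds each martingale increment
    (default: the constant 2(1 + sqrt(2)) quoted in the proof).
    """
    return min(1.0, 2 * math.exp(-l_smp * delta ** 2 / (2 * c ** 2)))


def empirical_tail(l_smp, q_phase, delta, trials, seed=1):
    """Return (fraction of trials with |S - S'| >= delta, worst deviation seen)."""
    rng = random.Random(seed)
    devs = []
    for _ in range(trials):
        s, s_prime = run_chsh_test(l_smp, q_phase, rng)
        devs.append(abs(s - s_prime))
    return sum(d >= delta for d in devs) / trials, max(devs)


if __name__ == "__main__":
    l_smp, q, delta = 20000, 0.05, 0.1  # constructed parameters
    frac, worst = empirical_tail(l_smp, q, delta, trials=40)
    print("bound on Pr[|S - S'| >= delta]:", azuma_hoeffding_tail(l_smp, delta))
    print("empirical fraction:", frac, " worst |S - S'|:", worst)
```

Under these assumptions the observed deviation $|S - S'|$ stays far inside the bound, and $S'$ tracks $(1 - 2Q)/\sqrt{2}$, which is how the simulated phase error rate enters the statistic.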
Therefore, even when Charlie does the CHSH test by checking $S' := (\sqrt{2}\, l_{\mathrm{smp}})^{-1}\sum_{i\in I_{\mathrm{smp}}} p_i$ instead of $S$, the output state $\rho_{UVE}$ is approximately the same. In order to minimize the probability of the disastrous case where the approximation $S'$ becomes larger than $S$, we introduce a margin $\delta S$. Then the minimum entropy of Game 3 can be bounded by this new game: The proof of this lemma is given in Appendix E. By construction of POVM $m(\pm1|xx)$, parameter $S'$ evaluated in Game 4 is connected with the average phase error $Q$ of squashed qubits as , or otherwise generate the sifted key by measuring sifted key pulses. Hence by applying the existing security proofs of the BB84 protocol [8, 21-23], we can bound $H^{\varepsilon'/2}_{\min}(\rho^{\mathrm{G4}}_{UVE}|E)$ from below. For example, by using a simple formula derived in [23] for the finite length case, we obtain the following lemma.

Lemma 10 The output of Game 4, $\rho^{\mathrm{G4}}_{UVE}$, satisfies
Proof: We follow the gedankenexperiment approach used in the security proof of [23]. Suppose that Alice and Bob perform $x$ basis measurement on all the squashed qubits, and denote Alice's measurement result by $W$ and Bob's by $W'$. Then their maximum entropy is bounded by the threshold $Q_{\mathrm{tol}}$ of phase error rate of sample bits as with $\mu$ defined in (25). Combining this inequality with the uncertainty relation for smooth entropies derived in [30] H ε ′ /2 we obtain the lemma. Here we used the notation H

VI. CONCLUSION
We proposed a generalization of the squash operations involving multi-partite measurements, and demonstrated that it allows us to prove the security of a wider class of QKD systems than previously possible. In particular, we applied this method to prove the device-independent security of the Ekert 1991 protocol, and showed that it achieves the same high key generation rate as in the same protocol implemented with ideal qubit detectors.
Possible future directions will be to investigate whether the techniques developed here can be applied to the cases where detectors are not memoryless, and to the cases where two-way classical communications are used for post-processing.
parts; $V_1$ describing basis choice of sample bits, syndrome $v_{\mathrm{syn}}$ and hash value $f_{\mathrm{cor}}(u)$, and $V_2$ describing all the remaining part. Then by using Eq. (3.21) of Ref. [21], and noting that $V_1$ can be described in $2l_{\mathrm{smp}} + l_{\mathrm{syn}} + \log_2 \frac{1}{\varepsilon_{\mathrm{cor}}}$ bits, we have By noting that $F_2$ is a classical random variable, and by slightly modifying Lemma 3.1.9 of Ref. [21], we have From (B1) and (B2), we obtain the lemma.

Appendix C: Proof of Lemma 5
In this section we give a proof sketch of Lemma 5. For the complete proof, we ask the reader to see Section 2.4 of Ref. [16]. Also keep in mind that we here only discuss Alice's detector, because the proof for Bob's detector can be given in exactly the same way.
Hence Game 1 can be rewritten in the form where Charlie prepares ancillas $\xi$ for all detectors, and then measures the initial state $\rho_{ABE}$ together with $\xi$ using projections $P(r|c)$ satisfying (C3). We further modify this game such that $\xi$ is prepared by Eve, instead of Charlie, and call it Game 1'. In this case, the value of minimum entropy $\min_{\rho_{ABE}} H_{\min}(\rho_{UVE}|VE)$, realized in this modified game, is never larger than in Game 1, since Eve has a larger choice of $\rho_{ABE}$. Additionally, Game 1' can also be considered as a limited case of Game 1 where Charlie's measurements are $P(r|c)$. Thus, as long as our goal is to bound $\min_{\rho_{ABE}} H_{\min}(\rho_{UVE}|VE)$ from below, there is no loss of generality in assuming that Charlie's detectors are projections $P(r|c)$ satisfying (C3).
By introducing operators $A_c := P(+1|c) - P(-1|c)$ for $c = x, z$, this condition can be rewritten as $A_x^2 = A_z^2 = I_{MM'}$, for which the following lemma can be applied.
Lemma 12 (Ref. [16], Lemma 2) Let $A_x$ and $A_z$ be Hermitian operators with eigenvalues equal to $\pm1$ acting on a Hilbert space $\mathcal{H}$ of finite or countable infinite dimension. Then we can decompose the Hilbert space $\mathcal{H}$ as a direct sum such that $\dim(\mathcal{H}^2_\alpha) \le 2$ for all $\alpha$, and such that both $A_x$ and $A_z$ act within $\mathcal{H}^2_\alpha$, that is, if $|\psi\rangle \in \mathcal{H}^2_\alpha$, then $A_x|\psi\rangle \in \mathcal{H}^2_\alpha$ and $A_z|\psi\rangle \in \mathcal{H}^2_\alpha$.
Hence operators $A_c$, as well as $P(r|c)$, can all be block diagonalized to two-qubit subspaces labeled by $\alpha$. Hence $P(r|c)$ can be decomposed as a projective measurement that specifies subspace $\alpha$, followed by qubit measurements performed in $\mathcal{H}_\alpha$. This means that the index $\alpha$ may be considered as a classical variable conveyed from Eve to the legitimate player. This concludes the proof of Lemma 5.