Measurement-device-independent quantification of entanglement for given Hilbert space dimension

We address the question of how much entanglement can be certified from the observed correlations and the knowledge of the Hilbert space dimension of the measured systems. We focus on the case in which both systems are known to be qubits. For several correlations (though not for all), one can certify the same amount of entanglement as with state tomography, but with fewer assumptions, since nothing is assumed about the measurements. We also present security proofs of quantum key distribution without any assumption on the measurements. We discuss how both the amount of entanglement and the security of quantum key distribution (QKD) are affected by the inefficiency of detectors in this scenario.


Introduction
Entanglement is an essential resource in many quantum information processing and quantum communication applications. Therefore, the certification of entanglement plays an important role in the suite of tests that certify the serviceability of quantum devices.
Most entanglement witnesses discussed in the literature rely on the knowledge of both the Hilbert-space dimension of the systems under study and the measurements being performed. For instance, the criterion $\sigma_x \otimes \sigma_x + \sigma_z \otimes \sigma_z > 1$ is an entanglement witness provided the systems are indeed qubits and the measurements are exactly complementary; failure to comply with any of these assumptions may lead to false positives [1,2,3]. However, there exist "device-independent" (DI) entanglement witnesses: any violation of a Bell inequality [4,5], read in the context of quantum theory, certifies the presence of some entanglement under the sole assumption of no-signaling.
Thus, the certification of entanglement depends on the level of characterization of the devices. At one extreme, the DI level requires almost no characterization, but is restricted to correlations that violate a Bell inequality and is experimentally demanding since the Bell violation must be loophole-free. The other extreme level, which we call "tomographic" since it shares the same assumptions as state tomography, is much more versatile and has been routinely implemented for years, at the price of requiring more trust.
Between these two extremes, various semi-device-independent levels can be defined by relaxing some of the assumptions (Figure 1). This paper deals with one such relaxation: the dimensionality of the systems is trusted but the measurements are not. Entanglement certification with known dimension was first introduced by Moroder and Gittsovich [6], who discussed how to certify the presence of entanglement and derived analytical conditions for some cases. We describe certifiable lower bounds on the amount of entanglement. For the case of bipartite qubits, we show that in several relevant cases one certifies as much entanglement (in terms of concurrence) as with tomography, but with fewer assumptions.
In terms of entanglement being a resource for quantum key distribution (QKD), we derive security bounds for implementations of the BB84 and the six-state protocols that use entangled qubits. Similar work was done for the BB84 protocol in [7], as well as in the recent, independent work [8]. This work fits in the broad class of "measurement-device-independent" (MDI) approaches, in which the imperfections of the measurement devices and detectors don't need to be modelled. The most famous MDI scheme is one for QKD that does not require entanglement but rather post-selects it [9,10]. A different MDI scheme for entanglement certification [11,12] requires a modification of the usual setups [13]: measurement settings are not chosen with classical inputs but with local quantum states; the latter must then be well characterized.
We finally stress that our work is different from the series of works devoted to "dimension witnesses", where the main goal is to establish that some observed statistics cannot be obtained by measuring low-dimensional systems (whether entangled or not).
The dimension witnesses that are also Bell inequalities definitely certify entanglement, but as should be clear from the discussion above, this is not what we are aiming at. Rather, one of our goals is to certify entanglement with statistics that don't violate any Bell inequality, thanks to the additional dimensional constraints ‡.

In the semi-device-independent category one finds: (iv) the MDI Entanglement Witness of [11,12], that requires the use of known local quantum states instead of classical inputs; (iii) steering [15], in which Alice's box is tomographically known while Bob's box is fully unknown; (ii) the case of known dimensions considered here. Besides (ii), Ref. [6] introduced further layers of assumptions on the measurements leading all the way to tomography; Ref. [16] studied two black boxes with dimensions d×?.

General framework
We want to find how much entanglement (if any) is needed to reproduce a set of measurement statistics, p := p(ab|xy), under the constraint that $\rho \in \mathcal{L}(\mathcal{H}_d \otimes \mathcal{H}_{d'})$ for fixed d and d'. Local uncorrelated ancillas are free resources, i.e. the local measurements can be POVMs. However, classical shared randomness is not a free resource: all correlations must be accounted for by the allowed dimensions §.
In general, the amount of entanglement certifiable by observing measurement statistics p for a fixed dimension of the Hilbert space, denoted by e(p), is given by:
is an entanglement monotone of the bipartite state ρ, such as the negativity [19] for any arbitrary d and d' or the concurrence [20] for the case of d = d' = 2.
Here, the optimization runs over all states ρ and measurements $\Pi^a_x$ and $\Pi^b_y$ which are compatible with the statistics p(a, b|x, y).

‡ In particular, the recent work of Navascués and coworkers [14] fits in this category: in the examples where they claim to certify entanglement, it's because they are using a Bell inequality. That being said, it can't be excluded that some of the tools developed there could find a broader application.

§ If we were to fix the dimensions but leave classical shared randomness free, only statistics that violate Bell inequalities would certify entanglement, thus this level of characterisation would not detect entanglement where the fully DI level doesn't. Previous works have considered the question of quantifying entanglement in this context [17,18].
The structure of the problem resembles many optimisation problems encountered in this field. As it often happens, the number of parameters is large enough to make analytical solutions cumbersome: even for the simpler problem of certifying the existence of entanglement, without quantification, Moroder and Gittsovich could solve explicitly only few-parameter classes [6]. Moreover, since the set of quantum statistics for fixed dimension is not convex [21,22], the optimisation is not a semi-definite program.
Fortunately, heuristic numerical optimisations are reliable if the number of parameters is not too large. In the following section, we will show explicit solutions of this problem for d = d' = 2. Higher dimensional cases can be addressed similarly by solving (1) for the negativity.

Explicit examples on bipartite qubits states
For the rest of the paper, we focus on two-qubit states. We base our figure of merit on concurrence C(ρ) [20] which is defined by: where $e_1$, $e_2$, $e_3$ and $e_4$ are the eigenvalues of $\sqrt{\sqrt{\rho}\,\tilde{\rho}\,\sqrt{\rho}}$ such that $e_1 \geq e_2 \geq e_3 \geq e_4$ and $\tilde{\rho} = (\sigma_y \otimes \sigma_y)\rho^*(\sigma_y \otimes \sigma_y)$. It is well known that the concurrence is an entanglement monotone that satisfies 0 ≤ C(ρ) ≤ 1, C(ρ) = 0 iff ρ is separable, and C(ρ) = 1 iff ρ is maximally entangled. It is also related to the entanglement of formation by where h is binary entropy [20]. The task is now to solve the optimisation (1) for d = d' = 2 and E(ρ) = C(ρ). In the following sections, we describe the result of this optimization for several choices of statistics p.

Well-known correlations from dichotomic measurements
We consider first some statistics with binary outcomes a, b ∈ {−1, +1}. Specifically, we consider three families that can be obtained by suitable projective measurements on the two-qubit state unitarily equivalent to the Werner state ρ W = W |Φ These statistics are achievable from ρ W with Π a x=0 = 1 . These statistics violate the CHSH Bell-type inequality for $W > \frac{1}{\sqrt{2}}$: in that range, entanglement can be certified in a DI way.
• The BB84 family is defined as . These statistics can be obtained with shared randomness of dimension 4, therefore no DI certification of entanglement is possible.
Let us now see what can be said when these statistics are supplemented with the assumption that the measured state is a two-qubit state. Before turning to our approach, we check sufficient criteria for the existence of entanglement from Ref. [6]. Concretely, when there are two measurements per party and unbiased marginals, as in $p_{\mathrm{CHSH}}$ and $p_{\mathrm{BB84}}$, one can use item (4) in Proposition 2 of Ref. [6]: entanglement is certified if For both the CHSH and the BB84 family, this criterion certifies entanglement when $W > \frac{1}{2}$. For $p_{\text{six-states}}$, that has three measurements per party, one can use Eq. (46) of Ref. [6] for n = 3 and d = 2: for unbiased marginals, this criterion reads $|\det(D_3)| > \frac{1}{27}$ with $D_3$ the 3 × 3 correlations matrix again defined by $[D_3]_{xy} = \langle A_x B_y \rangle$. The result is that $p_{\text{six-states}}$ certifies qubit entanglement for $W > \frac{1}{3}$. Given that $\rho_W$ is separable for $W \leq \frac{1}{3}$, this is also a necessary condition: in other words, $p_{\text{six-states}}$ detects the whole range of Werner state entanglement without knowing the measurements.

We turn now to our approach, which not only certifies the existence of entanglement, but puts a lower bound on its amount. In Appendix A we describe the constraint that the relation $p(a, b|x, y) = \mathrm{Tr}[\rho \cdot \Pi^a_x \otimes \Pi^b_y]$ imposes on the two-qubit state ρ for $p_{\mathrm{BB84}}$ and $p_{\text{six-states}}$. The optimization (1) is then performed by minimizing C(ρ) numerically over the remaining free parameters. The result is plotted in Figure 2. We observe that $c(p_{\mathrm{CHSH}}) = c(p_{\mathrm{BB84}})$ over all the range of W: the fact of using a Bell inequality does not provide any advantage in this example. Also, we find that $c(p_{\text{six-states}}) = C(\rho_W)$: moving to the tomographic level would not improve the certification if the state was actually $\rho_W$.
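The following added example (not code from the paper) checks numerically that, for the Werner state, the three-setting determinant criterion with threshold 1/27 quoted above and a non-zero Wootters concurrence [20] switch on at the same value of W. It assumes $\rho_W = W|\Phi^+\rangle\langle\Phi^+| + (1-W)\mathbb{1}/4$ and the projective measurements σ_z, σ_x, σ_y on both sides; all function names are illustrative.

```python
import numpy as np

# Pauli matrices
SX = np.array([[0, 1], [1, 0]], dtype=complex)
SY = np.array([[0, -1j], [1j, 0]], dtype=complex)
SZ = np.array([[1, 0], [0, -1]], dtype=complex)


def werner_state(w):
    """Assumed form: rho_W = W |Phi+><Phi+| + (1 - W) * identity / 4."""
    phi_plus = np.array([1, 0, 0, 1], dtype=complex) / np.sqrt(2)
    return w * np.outer(phi_plus, phi_plus.conj()) + (1 - w) * np.eye(4) / 4


def concurrence(rho):
    """Wootters concurrence C = max(0, e1 - e2 - e3 - e4) of a two-qubit state."""
    yy = np.kron(SY, SY)
    rho_tilde = yy @ rho.conj() @ yy
    # The e_i are the square roots of the eigenvalues of rho @ rho_tilde
    # (the same numbers as the eigenvalues of sqrt(sqrt(rho) rho_tilde sqrt(rho))).
    eigenvalues = np.linalg.eigvals(rho @ rho_tilde).real
    e = np.sort(np.sqrt(np.clip(eigenvalues, 0.0, None)))[::-1]
    return max(0.0, float(e[0] - e[1] - e[2] - e[3]))


def correlation_matrix(rho, alice_obs, bob_obs):
    """[D]_xy = <A_x B_y> = Tr[rho (A_x tensor B_y)]."""
    return np.array([[np.trace(rho @ np.kron(a, b)).real for b in bob_obs]
                     for a in alice_obs])


def det_criterion(rho):
    """Three-setting criterion quoted from Ref. [6]: |det(D_3)| > 1/27."""
    settings = [SZ, SX, SY]  # same three Pauli measurements for Alice and Bob
    d3 = correlation_matrix(rho, settings, settings)
    return abs(np.linalg.det(d3)) > 1 / 27


def scan(ws):
    """Return (W, concurrence, criterion satisfied?) for each W."""
    return [(w, concurrence(werner_state(w)), bool(det_criterion(werner_state(w))))
            for w in ws]


if __name__ == "__main__":
    for w, c, detected in scan([0.2, 0.3, 0.34, 0.5, 0.8, 1.0]):
        print(f"W={w:.2f}  C(rho_W)={c:.3f}  |det D_3| > 1/27: {detected}")
```

The criterion uses only the correlation matrix, which is why it needs no knowledge of the measurements, whereas the concurrence is computed here from the full density matrix.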
A last remark on these three families: for W = 1, it is known that $p_{\mathrm{CHSH}}$ provides a DI self-testing of $|\Phi^+\rangle$ and the corresponding measurements [23]. The constraints we found readily imply that, if one adds the qubit assumption, also $p_{\mathrm{BB84}}$ and $p_{\text{six-states}}$ self-test $|\Phi^+\rangle$ and the corresponding measurements (see Appendix A for an explicit proof).
Having warmed up with what are arguably the most studied families of correlations, we turn to use our method on three other examples.

A slice in the CHSH polytope
The first example remains with two measurements and binary outcomes: in the 8-dimensional CHSH polytope, we consider the two-dimensional triangle bounded by the family $p_{\mathrm{CHSH}}$ and by a deterministic point (in particular then, all the probability points but the $p_{\mathrm{CHSH}}$ line have biased marginals). Other properties in this triangle were studied in Ref. [22]. Our result for the existence of entanglement (Figure 3) shows more clearly the difference with DI certification and the improvement over Eq. (46) of [6].

, bounds the set of quantum correlations that can be achieved with two qubits: this set is clearly not convex and even some classical correlations are excluded. Our calculation provides the blue solid line: points above that line certify entanglement if the system is two qubits. On the line joining $P_0$ and $P_1$, representing the family $p_{\mathrm{CHSH}}$, entanglement is certified for $W > \frac{1}{2}$, as proved already in Fig. 2. Eq. (46) of [6] certifies the existence of entanglement only for points above the green dashed curve if the system is two qubits.

A SIC-POVM
For the last example, we assume that both Alice and Bob perform a single measurement, that of a four-outcome symmetric, informationally complete, positive operator valued measure (SIC-POVM) [24]. Concretely, let us use the SIC-POVM defined by We consider the statistics $p_S(\theta) = \langle\psi(\theta)|\Sigma_a \otimes \Sigma_b|\psi(\theta)\rangle$ arising when both Alice and Bob measure the SIC-POVM on their half of a pure non-maximally entangled state of two qubits $|\psi(\theta)\rangle = \cos(\theta)|00\rangle + \sin(\theta)|11\rangle$, with θ ∈ [0, π/4]. On the one hand, by definition of a SIC-POVM, at the tomographic level these measurement statistics can be used to reconstruct the state exactly: thus, entanglement is certified for all θ > 0. On the other hand, since there is only one measurement per party, there is no hope of any DI certification of entanglement.
If we assume only the dimension, the statistics do certify entanglement for a large range of θ, but become achievable with a POVM on separable states for small values of θ (see Figure 4). Thus, the family $p_S(\theta)$ is such that tomography certifies more entanglement than the sole assumption of qubits, adding to similar examples in Section III E of Ref. [6].

Detection loophole for entanglement quantification
The last example of statistics that we study deals with the detection loophole. Typically mentioned in the context of DI Bell experiments, the loophole can appear at any level of characterization of the devices. Concretely, it was noticed in 2007 by Skwara and coworkers that it may actually apply to entanglement certification at the tomographic level [25]. In their study, they considered detecting entanglement by the optimal entanglement witness in the absence of losses; then added the conservative assumption that all the non-detection events were hiding actual outcomes that would have contributed negatively to the entanglement witnessing. In this framework, they found sufficient criteria to detect entanglement and conjectured that it would be impossible to certify entanglement if Alice's and Bob's detection efficiencies were A = B < 2/3. In our formalism, the study of the detection loophole for entanglement certification is much more direct: we simply treat the no-detection event as another outcome (as we'll highlight later, things are subtler for adversarial scenarios like cryptography).
We base our case study on the BB84 family $p_{\mathrm{BB84}}$, assuming that we would observe those statistics with perfect detectors. The third outcome 0 is assigned to the events in which neither detector clicked: now a, b ∈ {−1, +1, 0}. If now both Alice's detectors have efficiency A and both Bob's detectors efficiency B , and the firing of a detector is an uncorrelated process, the observed three-outcome statistics would be As before, we now assume that these statistics have actually been observed, without any characterisation of the detectors, nor any information about the physical process that generated them apart from the fact that it was a three-outcome POVM on qubits. The resulting lower bound on the concurrence c(p) is plotted in Fig. 2 for some choices of A = B . The result shows that the amount of entanglement that can be certified decreases with the efficiency, but the presence of entanglement is certified irrespective of the efficiency (numerically proved for ≥ 1/10 ) if the dimensionality is known.

Applications to quantum key distribution
The first unconditional security proofs of QKD protocols were obtained by modeling the signals as qubits and by assuming the best-suited measurements (for both BB84 and six-states, complementary bases). We work at this elementary level to show that very similar performances can be certified even if the knowledge about the measurements is removed. We are of course aware that practical security proofs have gone a long way towards a more realistic modeling of both the signals and the measurements [26,27]: as a future project, it will be interesting to see if the approach started here can also be used to remove assumptions from these more sophisticated descriptions.

Framework
In order to make this text readable, we need to explain quickly how the security bound is found (we work with the same tools as Appendix A of [26]). The goal of a security proof is to estimate the information that the eavesdropper may have. Asymptotically, Eve's information per qubit is given by $\chi(A:E) = S(\rho_E) - \sum_a p(a) S(\rho_E^a)$ where a are the outcomes of Alice's key measurement and S(·) denotes von Neumann entropy. This holds for the most powerful Eve, one that holds a purification of $\rho_{AB}$. Thus, given $\rho_{AB}$, one has to write down a purification $|\psi\rangle_{ABE}$, then trace Bob out and compute χ(A : E), this latter step requiring the knowledge of what Alice's key measurements are. The parameters of the protocol may not determine $\rho_{AB}$ fully: one may have to maximise Eve's information over all states compatible with the observation. Ultimately, the figure of merit is the secret key fraction $r = 1 - h(Q) - \chi(A:E)$ where h(Q) is binary entropy and Q is the Quantum Bit Error Rate (QBER) in the key bits.
If one knows only the dimension, the constraints on the state are given by p and we don't know anything about which measurement is actually performed to obtain the key. The certifiable secret key fraction is then given by the optimisation where $\lambda_j$ and $|\phi_j\rangle_{AB}$ denote the eigenvalues and eigenstates of $\rho_{AB}$ respectively. It is customary to assume that the key is obtained from the measurements $A_0$ and $B_0$, whence the QBER is given by Q = p(a ≠ b|0, 0).

Application to the BB84 and six-states protocols
At the tomographic level of characterization, the six-state protocol is tomographically complete, so one actually knows $\rho_{AB}$; in BB84, there remains one free parameter over which to optimize. If the error fractions are the same in all bases, for BB84 one obtains the well-known result while the six-state protocol has the slightly higher yield

Figure 5. Secret key fraction against Q. For both the BB84 and the six-states protocols, the results of optimisation (8) yield r BB84 = r six-states = r BB84 ; the slightly higher curve is the tomographic yield of the six-state protocol (10).

Figure 5 shows the results of optimisation (8) for the BB84 and six-states protocols, for the observed statistics $p_{\mathrm{BB84}}$ and $p_{\text{six-states}}$ respectively (see Appendix B for the constraints that they imply; notice that $Q = \frac{1-W}{2}$). We find r BB84 = r BB84 : the relaxation of assumption on measurement does not affect the secret key fraction in the BB84 protocol. This result had been obtained analytically thanks to the special properties of $p_{\mathrm{BB84}}$ [7] and has been recently re-derived in a parallel work [8]. These analytical derivations are possible thanks to the high symmetry of the BB84 protocol and can in fact be made by assuming only that Alice measures a qubit, while Bob's system has arbitrary dimension.
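The tomographic-level yields mentioned above follow from the framework's formula r = 1 − h(Q) − χ(A : E), including the maximisation of Eve's information over the one parameter that BB84 leaves free. The block below is an added example, not code from the paper; it assumes a Bell-diagonal $\rho_{AB}$ (eigenvalues ordered Φ+, Φ−, Ψ+, Ψ−), the key measurement σ_z on both sides and the same error rate Q in every measured basis, and its function names are illustrative. The optimisation with only the dimension known is not attempted here.

```python
import math


def shannon(probs):
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def h(q):
    """Binary entropy."""
    return shannon((q, 1 - q))


def key_fraction(lam):
    """r = 1 - h(Q) - chi(A:E) for a Bell-diagonal rho_AB.

    lam = eigenvalues on (Phi+, Phi-, Psi+, Psi-).  Eve holds the
    purification, so S(rho_E) = H(lam).  With Alice's key measurement
    sigma_z, each conditional state rho_E^a has eigenvalues
    (lam[0] + lam[1], lam[2] + lam[3]).
    """
    qber = lam[2] + lam[3]  # sigma_z outcomes differ on the Psi states
    chi = shannon(lam) - h(lam[0] + lam[1])
    return 1 - h(qber) - chi


def six_state_fraction(q):
    """Error rate q in all three bases fixes the state completely."""
    return key_fraction((1 - 1.5 * q, q / 2, q / 2, q / 2))


def bb84_fraction(q, iters=200):
    """Worst case over the one parameter left free by BB84.

    Error rate q in the sigma_z and sigma_x bases gives
    lam = (1 - 2q + t, q - t, q - t, t) with t in [0, q].  The rate is
    convex in t, so a ternary search finds Eve's optimum.
    Returns (rate, t).
    """
    def rate(t):
        return key_fraction((1 - 2 * q + t, q - t, q - t, t))

    lo, hi = 0.0, q
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if rate(m1) < rate(m2):
            hi = m2
        else:
            lo = m1
    t = (lo + hi) / 2
    return rate(t), t


def threshold(rate, lo=1e-6, hi=0.25, iters=60):
    """Largest QBER with a positive rate (bisection, rate decreasing in Q)."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if rate(mid) > 0 else (lo, mid)
    return lo


if __name__ == "__main__":
    for q in (0.02, 0.05, 0.10):
        r, t = bb84_fraction(q)
        print(f"Q={q:.2f}  BB84 r={r:.4f} (t={t:.4f})  "
              f"six-state r={six_state_fraction(q):.4f}")
    print("BB84 threshold     ", round(threshold(lambda q: bb84_fraction(q)[0]), 4))
    print("six-state threshold", round(threshold(six_state_fraction), 4))
```

The search lands on t = Q², where the BB84 rate equals 1 − 2h(Q); the six-state value is higher for every Q, which is the tomographic gap that, per the text, disappears once the assumption on the measurements is dropped.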
For the six-states protocol, the relaxation of the assumption on the measurements brings the secret key fraction down to match that of BB84: r six-states = r BB84 . In this case, inspection shows that the optimum is achieved by measuring the state and $B_0$ given by the two-outcome POVM $\Pi^{b=\pm 1}_{y=0} = \frac{\mathbb{1} \pm W\sigma_z}{2}$.

A thorough study of the effect of imperfect detection in QKD goes beyond the scope of this paper. Indeed, in the presence of losses in the channel, the signals can't be assumed to be qubits, as we are doing here: there should be at least a third state, representing the leakage. Besides, BB84 is by definition a protocol with binary output, so we can't use the three-outcomes $p^{\text{noisy}}_{\mathrm{BB84}}$ as such. One should either define a modified protocol, or process the data to obtain two outcomes in an optimal way. For a preliminary study, we consider the two-outcome statistics obtained from $p^{\text{noisy}}_{\mathrm{BB84}}$ upon sending all the '0' to '+1' (see Appendix B for details). The main result is that, for W = 1, r = 0 for 87%. Above this efficiency, for a given Q it is possible to find a key rate r slightly larger than r BB84 , an effect also seen in standard security proofs when local noise is added [28].

Conclusion
We study how much entanglement can be certified when knowing the statistics and the dimension of the Hilbert space of the measured systems, but nothing about the measurements. For the case of two qubits, the amount that can be certified is similar, and in several cases identical, to that which can be certified by tomography, but with fewer assumptions. We also showed how to apply the same level of characterisation in the simplest level of security proofs in quantum key distribution. In the case considered here, the detection inefficiency does not affect the certification of the presence of entanglement, but does affect the more quantitative certifications.

Appendix A. Supplementary Information: Constraints on the state imposed by $p_{\mathrm{BB84}}$ and $p_{\text{six-states}}$

Appendix A.1. General parametrisation
We consider measurements with settings x, y and binary outcomes a, b ∈ {−1, +1}.
From the knowledge that the measured systems are qubits, every measurement is a priori a POVM with elements $\Pi^a_x = \gamma^a_x \mathbb{1} + a\frac{\eta_{A_x}}{2}\sigma_{A_x}$ and $\Pi^b_y = \gamma^b_y \mathbb{1} + b\frac{\eta_{B_y}}{2}\sigma_{B_y}$ with $\gamma^+_{x/y} + \gamma^-_{x/y} = 1$ and $\sigma_{A_x/B_y} \equiv \hat{n}_{A_x/B_y} \cdot \vec{\sigma}$. Thus When the marginals are unbiased, i.e. $P(a|x) = P(b|y) = \frac{1}{2}$, we can work without loss of generality with states of the form and for the case of measurements with 3 settings, $m_A(y) = m_B(y) = 0$. Note that the choice of $\sigma_y$ is completely arbitrary and the reason why $m_{A/B}(y)$ are left free (instead of $m_{A/B}(x)$ or $m_{A/B}(z)$) is due to the parametrisation of the measurements in the following section. Now, given a state $\rho(\vec{m}_A, \vec{m}_B, T)$ with Bloch vectors $\vec{m}_{A/B}$ and correlation matrix T, it's immediate that $\rho(-\vec{m}_A, -\vec{m}_B, T)$ is also a valid state, and so is their equal weighted mixture $\rho(0, 0, T)$ which has the form: (of course, if the marginals were biased, such a state would not reproduce the observed statistics to start with). Indeed, the condition of unbiased marginals implies that all the observations are determined by the correlation matrix $T_{ij} = \mathrm{Tr}[\sigma_i \otimes \sigma_j\,\rho]$. Besides, if $\rho(\vec{m}_A, \vec{m}_B, T)$ is separable, then so are $\rho(-\vec{m}_A, -\vec{m}_B, T)$ and a fortiori $\rho(0, 0, T)$. Then, if all $\rho(0, 0, T)$ that reproduce the observed statistics must be entangled, there cannot be any $\rho(\vec{m}_A, \vec{m}_B, T)$ that reproduces the statistics and is separable. Conversely, if one separable $\rho(0, 0, T)$ does reproduce the observed statistics, then we know that the statistics can be reproduced by a separable state and there is no need to find others for our purpose.

Appendix A.2. Case 1: six-state statistics
The six-state statistics $p_{\text{six-states}}$ are given by with x, y ∈ {0, 1, 2}. This immediately constrains all the POVMs to have $\gamma^+_{x/y} = \gamma^-_{x/y} = \frac{1}{2}$. It would also constrain the state to be such that $\mathrm{Tr}[\rho\,\sigma_{A_x} \otimes \mathbb{1}] = \mathrm{Tr}[\rho\,\mathbb{1} \otimes \sigma_{B_y}] = 0$ for all the measurements, but we won't use this fact since we can directly use the form (A.3) of ρ due to the fact that the marginals are unbiased. Now we have to describe the constraints on the correlations $t_{A_x B_y}$. Since the state is left arbitrary, without loss of generality we can fix the measurement operators, $A_x := \sum_a a\,\Pi^a_x$ and $B_y := \sum_b b\,\Pi^b_y$, to be: Inserting the above expressions in (A.4), we can obtain $T_{ij} = \mathrm{Tr}[\rho\,\sigma_i \otimes \sigma_j]$ for all i, j ∈ {x, y, z}:
But $|T_{zz}| \leq 1$: this implies immediately $\eta_{A_0} = \eta_{B_0} = 1$ and $T_{zz} = 1$. In turn, this means that $T_{zx} = T_{xz} = T_{zy} = T_{yz} = 0$. Indeed, if $T_{zx} = \lambda$, then $\mathrm{Tr}[\rho\,\sigma_z \otimes (\cos\theta\,\sigma_z + \sin\theta\,\sigma_x)] = \cos\theta + \lambda\sin\theta$, which is always larger than 1 for θ small enough if λ ≠ 0.
In conclusion: under the knowledge that the systems are qubits, the ideal case W = 1 of both the BB84 and the six-state statistics provides a self-testing of the state $|\Phi^+\rangle$ and the projective measurements $A_0 = B_0 = \sigma_z$, $A_1 = B_1 = \sigma_x$, and for the six-state case $A_2 = B_2 = \sigma_y$.

Appendix B. Supplementary Information: BB84 protocol with imperfect detectors efficiency
We consider the BB84 protocol in the case where the detector efficiencies, A and B , are not perfect. Also, we study a possible strategy in which the outcomes, a and b, are printed as "+1" when the detector does not click. Moreover, for simplicity, we fix A = B . Hence, we arrive at the following observed correlations: Notice that the Quantum Bit Error Rate, Q, is given by: Also, in this case, the marginals are no longer unbiased and are given by P (a/b = +1|x/y) − P (a/b = −1|x/y) = 1 − . Hence, the parametrisation of the measurements and state in the previous sections is no longer valid. Here, we have to consider all possible bipartite qubit states given by: Since the state is left free, without loss of generality, we can consider measurements with POVM elements of the form: The only additional requirement to ensure the validity of the measurements is that each POVM element defined above must be constrained to be positive semi-definite.
With the state and the measurements well defined, we can now write down the constraints on the state given the observed correlations given in equations (B.1) to (B.4). Using the same method employed in the previous section, we arrive at the following constraints: Hence, we can perform the minimisation of the function 1 − h(Q) − χ(A : E) over the free parameters $\alpha_{1/2}$, $\beta_{1/2/3}$, $\gamma_{1/2}$, $\delta_{1/2/3}$, $m_{A/B}(y)$, $T_{xy}$, $T_{yy}$, $T_{zy}$, $T_{yx}$ and $T_{yz}$ such that the POVM elements and the state are positive semi-definite with different values of W and . The optimal result of the minimisation will give the secret key rate for any particular values of observed Q for a particular detectors efficiencies of the experimental setup, . Under such analysis, we assume that an eavesdropper Eve does not have the information of when the detectors fail to click and she is not allowed to cause loss in the quantum channel between Alice and Bob, i.e. Eve's only resource is the purification of the joint state between Alice and Bob. Even with such optimism, the result in FIG. B1 (right) shows that if the detectors have efficiencies, ≤ 0.87, no secret keys can be established between Alice and Bob via the BB84 protocol assuming the signal states are qubits.

Notice that in FIG. B1 (left), the results suggest that a higher secret key rate can be obtained with lower detector efficiency for a given value of Q. This is due to the assumption that Eve does not have the knowledge and control over the events of "no detection". This implies that a contribution of Q is purely due to these events of "no detection" which do not give Eve any information on Alice's keys. Taking this into account, for a given (or a lack of) attack by Eve, a higher value of gives a lower secret key rate, as shown in FIG. B1 (right).