Semi device independence of the BB84 protocol

The BB84 quantum key distribution protocol is semi device independent in the sense that it can be shown to be secure if just one of the users' devices is restricted to a qubit Hilbert space. Here, we derive an analytic lower bound on the asymptotic secret key rate for the entanglement-based version of BB84 assuming only that one of the users performs unknown qubit POVMs. The result holds against the class of collective attacks and reduces to the well known Shor-Preskill key rate for correlations corresponding to the ideal BB84 correlations mixed with any amount of random noise.

I. BB84 AND DEVICE INDEPENDENCE
Quantum key distribution (QKD) [1,2] protocols allow cooperating users to generate cryptographic keys in such a way that unauthorised eavesdropping can be detected. This is achieved by exploiting features of quantum physics, such as the general inability to measure a quantum state without disturbing it, in a way that guarantees that any attempt at eavesdropping on the protocol will introduce detectable errors.
One of a QKD protocol's differentiating features is the degree to which it is device independent [3][4][5], i.e., the extent to which the protocol can be proved secure independently of assumptions about the internal functioning of the devices in the physical setup. This is of practical interest as device-independent protocols are intrinsically more robust, ensuring that both unintended and maliciously introduced implementation faults are detected automatically. Protocols can range from fully characterised (the exact quantum state preparations and/or measurements must be known) to fully device independent (security is established based only on the detection of Bell-nonlocal [6,7] correlations, independently of the mechanism that produced them). Between these extremes, partially device-independent protocols have also been proposed in which only some of the devices are fully characterised [8][9][10] and in which only a Hilbert space dimension bound is assumed for the source of quantum states [11,12].
The BB84 protocol [13] was originally introduced as a fully characterised protocol. A commonly considered prepare-and-measure version runs as follows. One user ("Alice") generates a string of random bits that she wishes to transmit to another distant user ("Bob"). Alice sequentially encodes each bit onto one of two corresponding orthogonal σ_z eigenstates |0⟩ and |1⟩ which she transmits to Bob. In order to be able to detect eavesdropping, Alice inserts instances of the σ_x eigenstates |+⟩ and |−⟩, with |±⟩ = (|0⟩ ± |1⟩)/√2, at some random locations in the sequence of quantum states to be transmitted to Bob. Bob measures most of the states he receives from Alice in the σ_z = |0⟩⟨0| − |1⟩⟨1| basis and the remaining minority of cases in the σ_x = |+⟩⟨+| − |−⟩⟨−| basis. Afterwards, the record of cases where Alice and Bob used mismatched bases (Alice prepared a σ_z state and Bob measured σ_x or vice versa) is discarded. The cases where Alice and Bob both used the σ_x basis and a randomly chosen subset of cases where they both used the σ_z basis are used to estimate the x- and z-basis error rates δ_x and δ_z and are then likewise discarded. Finally, if the error rates are not too high, classical postprocessing allows a (generally shorter) secret key to be generated with the relative errors between Alice's and Bob's versions corrected and with any knowledge of the key by an adversary effectively erased.

* Erik.Woodhead@icfo.es
There is also an entanglement-based version of BB84, in which a central source prepares and distributes entangled states which Alice, as well as Bob, measures in the σ_z and σ_x bases. In this case, the initial bitstring is obtained from the measurement results rather than from a separate randomness generation procedure. Since Alice's σ_z or σ_x measurement can be thought of as effectively preparing a state for Bob [14], there is some equivalence between the two versions of the protocol. In particular, in both versions, one-way classical postprocessing allows a secret key to be extracted at an asymptotic rate given by the Shor-Preskill key rate [15], where is the binary entropy function, depending on the error rates δ_x and δ_z. Since its original proposal, it has become apparent that the BB84 protocol exhibits a significant degree of device independence. BB84 was first found to be one-sided device independent, i.e., the explicit characterisation of one of the devices can be dropped. This was already indicated by some early security results [16][17][18] for the prepare-and-measure version of BB84 which do not explicitly depend on Bob's measurements, and later analyses [19,20] found that the Shor-Preskill key-rate bound (1) still holds at the one-sided-device-independent level if Alice's source prepares the σ_z and σ_x eigenstates (in the prepare-and-measure version) or just one of the users measures in the σ_z and σ_x bases (in the entanglement-based version).
Recent analyses have started to exploit results from the mismatched bases cases, which are usually discarded, in order to improve the security certification [21,22], and some authors have further pointed out that this can reduce the level of characterisation required to just a dimension bound for one of the devices. In Ref. [23], it was first shown that the Shor-Preskill rate still holds if no correlations are observed in the mismatched bases cases assuming that Alice performs unknown projective qubit measurements. A similar result was recovered numerically in Ref. [24] for general qubit POVMs on Alice's side, assuming that Bob also performs qubit measurements. The prepare-and-measure version of BB84 was also studied numerically in [25] at a similar level of device independence, where Alice's source prepares unknown pure qubit states and Bob performs unknown projective qubit measurements.
Here, we study the BB84 protocol in this semi-device-independent scenario (borrowing the name from [11]), where we assume only that Alice's device acts on a two-dimensional Hilbert space. The main result will be an analytic lower bound on the asymptotic secret key rate for the entanglement-based version of BB84 where we allow Alice's measurements to be arbitrary qubit POVMs and Bob's measurements are left uncharacterised. The result holds against the class of collective attacks [17] (i.e., assuming that Alice's and Bob's measurements are always performed on the same entangled state), which is known to imply unconditional security at least if the measurements are memoryless and if the Hilbert-space dimension is bounded [26].
The qubit device assumption is taken here to mean that Alice's result depends only on the measurement of a qubit state. In particular, similar to [27,28], we assume that Alice's measurement result does not depend on additional classical information that could also be available to Bob's device (so-called "shared randomness" [11]). This is necessary as the ideal (entanglement-based) BB84 correlations can be simulated with two shared classical random bits, a special case of what an adversary could prepare with a shared classical bit and an entangled qubit which is completely insecure from a cryptographic perspective. A consequence is that, unusually for a QKD security result, any (nontrivial) lower bound on the key rate cannot be a convex function of the probabilities P(ab | uv) at this level of device independence.

II. SCENARIO AND MAIN RESULT
In the entanglement-based version of the BB84 protocol, Alice and Bob share a state ρ_AB on some Hilbert space H_A ⊗ H_B, on which they can perform POVMs {M In the semi-device-independent level of security that we consider, we assume that dim H_A = 2. The state ρ_AB and measurements are otherwise treated as unknown.
A convenient summary of the probabilities P(ab | uv) that we will use is given by the eight parameters with ⟨·⟩ = Tr[· ρ_AB]. Note that E_zz and E_xx here are related to the more conventional z- and x-basis error rates δ_z and δ_x by

The full security analysis of the protocol will be undertaken in the next section, but it is worth already sketching a result for the special case where Alice performs rank-one projective measurements since one can be derived directly from the Shor-Preskill rate. In this scenario, where Alice's z and x measurements simply project into orthogonal bases {|0_z⟩, |1_z⟩} and {|0_x⟩, |1_x⟩}, essentially the only relevant parameter differentiating the measurements is the Bloch-sphere angle between them. For some suitable basis where Â_w = |0_w⟩⟨0_w| − |1_w⟩⟨1_w| and ϕ is the (unknown) Bloch-sphere angle between Â_z and Â_x. Setting E_wx = ⟨Â_w ⊗ B̂_x⟩, linearity of the quantum expectation value implies the relation The conjugate "w basis" introduced here is useful because the (one-sided-device-independent) Shor-Preskill key rate applies to it. Introducing, for convenience, the function, the Shor-Preskill rate can be expressed as From here, it is a simple matter to obtain a key-rate bound depending only on the observed correlations. From the relation (7) between the correlators, we obtain which rearranges to As long as |E_xx| ≥ |E_zx|, this implies the lower bound for the key rate.

More generally, it is clear that the key-rate bound (12) cannot hold against arbitrary POVMs on Alice's side. A simple counterexample is that if we allow Alice to perform the degenerate projective measurement {M it is possible for Alice and Bob to obtain the result a = b = 0 deterministically (which is completely insecure) while observing the correlations E_xx = E_zz = 1 and E_zx = 0 (for which (12) would imply r = 1).
Of course, this particular pathological case is easily detected since Alice and Bob could notice that they keep getting the same measurement results. In terms of the parameterisation given above, we thus do not expect (12) to still apply if A_z = 1.
There is a significant parameter range in which the rate (12) still holds, though. The main result of this article is that the asymptotic rate (12) still applies, at least against collective attacks, if the correlations satisfy This is proved in the next section. As a special case, we recover the Shor-Preskill rate if there are no correlations in the mismatched bases cases (so that E_zx = 0) and if |B_x| < |E_xx| ≤ 1 − |A_z|; the latter constraint reduces to |E_xx| > 0 (which is necessary to certify a nonzero key rate anyway) if Alice's and Bob's marginal results are equiprobable (so that A_z = B_x = 0). In principle, the derivation given in the next section could be pursued further in order to derive a lower bound for the key rate in the case that the condition (13) is not satisfied. There is an easier way of getting a result for this case, though. Since the condition (13) and key rate (12) are device independent on Bob's side, we can simply apply the result they would imply if Bob's measurement operator B̂_x were scaled down to λB̂_x for some scaling factor 0 ≤ λ ≤ 1. This way, we can use the modified bound taking for λ the highest number between zero and one satisfying
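As an added worked example (Python written for this edit, not code from the paper), the following computes the eight parameters A_u, B_v, E_uv from a table of probabilities P(ab | uv), the Shor-Preskill rate r = 1 − h(δ_x) − h(δ_z), and the bound (12) in the form the Cauchy-Schwarz step of this section implies: the conjugate w-basis correlator satisfies E_wx² ≥ E_xx² − E_zx², so the x-basis error rate in the Shor-Preskill formula is replaced by (1 − √(E_xx² − E_zx²))/2. Because equations (1), (12) and (13) did not survive extraction, that reading of (12), the sign convention E_uv = Σ_ab (−1)^(a+b) P(ab | uv) and the relation δ = (1 − E)/2 are assumptions of this example, and only the E_zx = 0 special case of condition (13) spelled out above is checked. The two sample tables (ideal BB84 mixed with white noise, and the pathological a = b = 0 case of the previous paragraph) are constructed here.

```python
from math import log2, sqrt


def binary_entropy(p):
    """Binary entropy h(p) in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1.0 - p) * log2(1.0 - p)


def shor_preskill_rate(delta_x, delta_z):
    """Shor-Preskill asymptotic rate r = 1 - h(delta_x) - h(delta_z)."""
    return 1.0 - binary_entropy(delta_x) - binary_entropy(delta_z)


def correlators(P):
    """Eight parameters A_u, B_v, E_uv from P[(u, v)][(a, b)] = P(ab|uv).

    Assumed sign convention (not stated on the extracted page):
    A_u = sum_a (-1)^a P_A(a|u), B_v likewise, E_uv = sum_ab (-1)^(a+b) P(ab|uv).
    """
    params = {}
    for (u, v), table in P.items():
        params["E_" + u + v] = sum((-1) ** (a + b) * p for (a, b), p in table.items())
        params["A_" + u] = sum((-1) ** a * p for (a, b), p in table.items())
        params["B_" + v] = sum((-1) ** b * p for (a, b), p in table.items())
    return params


def semi_di_rate(params):
    """Bound (12) as reconstructed from the text: the w-basis correlator obeys
    E_wx^2 >= E_xx^2 - E_zx^2, and the Shor-Preskill rate is evaluated with
    delta_z = (1 - E_zz)/2 and delta_w = (1 - sqrt(E_xx^2 - E_zx^2))/2.
    Returns None when |E_xx| < |E_zx|, where the bound says nothing."""
    E_zz, E_xx, E_zx = params["E_zz"], params["E_xx"], params["E_zx"]
    if abs(E_xx) < abs(E_zx):
        return None
    E_wx = sqrt(E_xx ** 2 - E_zx ** 2)
    return shor_preskill_rate((1.0 - E_wx) / 2.0, (1.0 - E_zz) / 2.0)


def rate_certified_without_mismatch_correlations(params, tol=1e-12):
    """Special case of condition (13) spelled out in the text: with E_zx = 0,
    the rate (12) is certified if |B_x| < |E_xx| <= 1 - |A_z|.  The general
    form of (13) is not reproduced here."""
    if abs(params["E_zx"]) > tol:
        raise ValueError("only the E_zx = 0 special case is implemented")
    return abs(params["B_x"]) < abs(params["E_xx"]) <= 1.0 - abs(params["A_z"])


def noisy_bb84(v):
    """Constructed sample input: ideal entanglement-based BB84 statistics mixed
    with white noise.  Matched bases agree with probability (1 + v)/2,
    mismatched bases are uniformly random, so E_zz = E_xx = v and E_zx = 0."""
    matched = {(a, b): (1.0 + v) / 4.0 if a == b else (1.0 - v) / 4.0
               for a in (0, 1) for b in (0, 1)}
    uniform = {(a, b): 0.25 for a in (0, 1) for b in (0, 1)}
    return {("z", "z"): matched, ("x", "x"): matched,
            ("z", "x"): uniform, ("x", "z"): uniform}


# Constructed sample input for the pathological case of section II: Alice's z
# "measurement" always returns 0 and Bob's z result is also always 0, while the
# x-basis results are perfectly correlated.  This gives E_zz = E_xx = 1,
# E_zx = 0 and A_z = 1.
DETERMINISTIC = {
    ("z", "z"): {(0, 0): 1.0},
    ("x", "x"): {(0, 0): 0.5, (1, 1): 0.5},
    ("z", "x"): {(0, 0): 0.5, (0, 1): 0.5},
    ("x", "z"): {(0, 0): 0.5, (1, 0): 0.5},
}


if __name__ == "__main__":
    for name, table in (("noisy BB84, v = 0.9", noisy_bb84(0.9)),
                        ("deterministic", DETERMINISTIC)):
        p = correlators(table)
        print(name, "rate (12):", semi_di_rate(p),
              "certified (E_zx = 0 case):",
              rate_certified_without_mismatch_correlations(p))
```

Running the script shows the two behaviours the text describes: for the noisy table the bound (12) coincides with the Shor-Preskill rate at δ_x = δ_z = (1 − v)/2, while the deterministic table formally gives r = 1 under (12) but fails the |E_xx| ≤ 1 − |A_z| check because A_z = 1.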

Problem definition
In the worst-case scenario, Alice, Bob, and the adversary Eve share a purification |Ψ⟩ ∈ H_A ⊗ H_B ⊗ H_E, prepared by Eve, of the state ρ_AB responsible for the observed correlations according to (2). When Alice measures u = z, the system in depending, respectively, on whether Alice gets the result a = 0 or a = 1. (We will in general write, e.g., Ψ as a shorthand for the density operator |Ψ⟩⟨Ψ| associated to some pure state |Ψ⟩.) The normalisations of these states are related to the probabilities with which they are prepared according to Tr[ρ] = P_A(0 | z) and Tr[ρ′] = P_A(1 | z). The correlation between Alice's result a and the state available to Eve is summarised by the classical-quantum state in terms of Eve's parts ρ_E = Tr_B[ρ] and ρ′_E = Tr_B[ρ′] of the possible density operators ρ and ρ′. We consider the case where the key is extracted from the u = v = z measurement results. In this case, the one-way asymptotic key rate secure against collective attacks is lower bounded by the Devetak-Winter rate [29], which can be expressed as the difference of two entropies In (20) where S(ρ) = −Tr[ρ log_2(ρ)], when computed on the classical-quantum state (19). The derivation followed in the remainder of this section uses a few mathematical tools (two of which are minor restatements of results in [30]) which are presented here as lemmas. Proofs for these are supplied as appendices to this article.

General proof outline
The starting point is the following relation for the conditional von Neumann entropy, which simplifies the problem to that of lower bounding the fidelity between the marginal states available to Eve.

Lemma 1. The conditional von Neumann entropy, computed on the classical-quantum state |0⟩⟨0| ⊗ ρ_E + |1⟩⟨1| ⊗ ρ′_E, is lower bounded by in terms of the fidelity F(ρ_E, ρ′_E) between ρ_E and ρ′_E. Furthermore, for fixed F(ρ_E, ρ′_E), the right-hand side of (22) is convex in A_z and is minimised with A_z = 0.
Here, we take the fidelity to be defined by denotes the trace norm of an operator A, for (generally unnormalised) density operators ρ and σ. Note that the minimisation of (22) at A_z = 0 allows the bound for the von Neumann entropy to be simplified to though this step is optional, since A_z is an observed parameter.

The approach we follow involves reducing the problem to considering pure states. To this end, we introduce orthonormal bases {|0_u⟩, |1_u⟩}, u ∈ {z, x}, in which Alice's (qubit Hermitian) POVM elements M^(u)_a are diagonal. In these bases, Alice's POVMs can be expressed as convex sums Concentrating on the z measurement, we can express the entangled state as for (unnormalised and not necessarily orthogonal) states |α⟩, |α′⟩ ∈ H_B ⊗ H_E. The fidelity between Eve's parts α_E and α′_E of the states |α⟩ and |α′⟩ introduced this way can, according to the following relation, be bounded in terms of an operator W_B on Bob's Hilbert space.
We approach the problem of lower bounding ‖W_B‖_1 in the following way. Similar to (25), we express the entangled state as for the u = x measurement. In an appropriate phase convention, the diagonalising bases are related by for some angle ϕ. From this and requiring that (25) and (27) are the same state, we extract Introducing the correlators for the pure states and for the operator W appearing in Lemma 2, the relations (30) and (31) imply and applying the Cauchy-Schwarz inequality and rearranging, we obtain similar to the outline of the previous section. Finally, since B̂_x is the difference of two POVM elements, it satisfies the operator inequalities −1_B ≤ B̂_x ≤ 1_B; this allows Ē_wx to be used as a lower bound on the trace norm ‖W_B‖_1 of W_B: from which we finally obtain The remaining problem is to convert (38) into a lower bound on F(ρ_E, ρ′_E) depending on the observed parameters A_u, B_v, and E_uv which can be used in Lemma 1 (or (23)). Part of the problem is to relate these parameters to the pure-state versions Ē_xx and Ē_zx appearing in (38). From the POVM decomposition (24) we can deduce which will allow the Ē_uv's to be related to the E_uv's and B_v's. For the z measurement, we will also need to be able to relate the fidelity F(α_E, α′_E) in (38) to F(ρ_E, ρ′_E). For this, we will need the following general bound for the fidelity between mixtures of two states.

Lemma 3. Let ρ, σ, τ_0, and τ_1 be (not necessarily normalised) density operators related by for parameters p_0, p_1, q_0, q_1 ≥ 0. Then,

Alice's x POVM
The u = x measurement is the simplest to handle, since it is not used for key generation, so we deal with it first. Rewriting the decomposition (39) for E_xx as the triangle inequality and the constraint |µ| ≤ 1 − |λ| together imply which rearranges to If |E_xx| > |B_x| then the only way that (45) can be satisfied is if |λ| > 0 and if |Ē_xx| ≥ |E_xx|. In this case E_xx can safely be substituted in place of Ē_xx in the pure-state fidelity bound (38). Otherwise, it is perfectly possible for the x measurement POVM decomposition (43) to be satisfied with Ē_xx = 0. In the following, we will assume that |E_xx| > |B_x|, since (38) becomes trivial otherwise.

Alice's z POVM
The POVM decomposition (24) implies that the states ρ and ρ′ prepared on H_B ⊗ H_E are related to α and α′ by In general, the decomposition (24) for POVMs is not unique, so we have some freedom to choose a decomposition which will simplify the problem of turning the fidelity bound into a lower bound for F(ρ_E, ρ′_E) depending on observed parameters A_u, B_v, and E_uv. Specifically, the identity implies that one of the POVMs {1_A, 0_A} or {0_A, 1_A} can always be eliminated, meaning we can assume that one of the m's in (24) is zero without loss of generality. We proceed in two steps, first considering mixtures of the measurements {0_z, 1_z} and {1_z, 0_z}, before accounting for a contribution from one of the measurements {1_A, 0_A} or {0_A, 1_A}. In anticipation, and assuming a contribution from {0_A, 1_A} for example, we reexpress (46) and (47) as where the nonnegative parameters p, p′, q, q′ are related to the m For the contribution from {0_z, 1_z} and {1_z, 0_z}, we set and, applying Lemma 3 and the pure-state fidelity bound (48), we have Introducing the correlator related to Ē_zx by a factor (q − q′), and using that 4qq′ ≥ 4qq′E²_xx, which shows that allowing mixtures of the measurements {0_z, 1_z} and {1_z, 0_z} alone will not affect the key-rate formula.
Finally, we account for the effect of a contribution from one of the degenerate measurements Assuming first a contribution from {0_A, 1_A}, according to (50) and (51) and using that ρ̃ + ρ̃′ = α + α′, ρ and ρ′ are related to the states ρ̃ and ρ̃′ defined above by Applying Lemma 3 again, Inserting the lower bound (57) for F(ρ̃_E, ρ̃′_E) and recognising that the lower bound for F(ρ_E, ρ′_E) becomes The observed parameters and are related to Ē_zx by Rearranging for Ē_zx and inserting in (62), we obtain or, subtracting E²_xx − E²_zx from both sides, By following similar reasoning starting from the decomposition The multiplicative factor 1/p − 1 is nonnegative, so the right-hand side of (70) is nonnegative if Finally, since we are assuming |E_xx| > |B_x|, the term p(E²_xx − B²_x) is nonnegative and is maximised with p = 1. This implies that (71) is satisfied for all p ≤ 1 if it is satisfied for p = 1, i.e., if which is the condition given in the previous section. If this condition is met then the lower bound can be used for the fidelity in Lemma 1.

IV. CONCLUSION
The preceding section proves that the key rate asymptotically secure against collective attacks for BB84 is lower bounded by if |E_xx| > |B_x| and if the condition (72) is satisfied. This is never less than the simpler bound (12) claimed in section II. If (72) is not satisfied, device independence on Bob's side still allows the main result to be used with the replacements E_xx → λE_xx and E_zx → λE_zx, with the scaling factor λ determined by (16) above. Together, these give a general semi-device-independent security result for the BB84 protocol against collective (and possibly [26] more general) attacks. The traditional set of assumptions used to prove the security of the BB84 protocol can thus be relaxed to a significant degree. It is still necessary to trust that the measurements of one of the users are restricted to a two-dimensional Hilbert space, but exact knowledge of the measurements beyond this is not required.
In the scenario considered, aside from the qubit restriction on Alice's side, Alice's and Bob's measurements were allowed to be arbitrary POVMs. One could go further, similar to [27,28], and imagine that Eve may have more detailed knowledge of the measurements. Specifically, the approach followed in this article could probably be modified to allow Eve to know the indices i and j in decompositions of the form M b;j for the POVM elements, although the resulting key rate will probably not include the Shor-Preskill rate as a special case if the adversary is granted this extra power.
Finally, the main result was derived for the entanglement-based version of BB84. It is likely that a similar result should hold for the prepare-and-measure BB84 variant assuming a source which is restricted to emitting qubit states, which was tested in a recent implementation [31]. Adapting the approach followed here for the prepare-and-measure scenario is thus an obvious problem for future work.

Proof of Lemma 1
so that which shows that f is convex. Noticing that f′(0) = 0 (or just that f is an even function) implies that x = 0 is the global minimum.

Proof of Lemma 2
A basic property of the trace norm is that ‖W_B‖_1 = Tr[U_B W_B] for some unitary operator U_B; furthermore, since W_B is Hermitian, U_B can also be taken to be Hermitian. From here and using that W = |α⟩⟨α′| + |α′⟩⟨α|, The final line follows, by Uhlmann's theorem, from noticing that |α⟩ and U_B ⊗ 1_E |α′⟩ are purifications of α_E and α′_E.