Finite-key effects in multi-partite quantum key distribution protocols

We analyze the security of two multipartite quantum key distribution (QKD) protocols, specifically we introduce an $N$-partite version of the BB84 protocol and we discuss the $N$-partite six-state protocol proposed in arXiv:1612.05585v2. The security analysis proceeds from the generalization of known results in bipartite QKD to the multipartite scenario, and takes into account finite resources. In this context we derive a computable expression for the achievable key rate of both protocols by employing the best-known strategies: the uncertainty relation and the postselection technique. We compare the performances of the two protocols both for finite resources and infinitely many signals.

arXiv:1807.04472v3 [quant-ph] Sep 2018

Quantum Key Distribution (QKD) represents one of the primary applications of quantum information science. Since the proposal of the first QKD protocols [1,2], major advancements have been achieved both on the theoretical and experimental side [3,4]. A QKD protocol provides a systematic procedure through which two honest parties (Alice and Bob) generate a secret shared key, when connected by an insecure quantum channel and an authenticated insecure classical channel. Recently the generalization of such protocols to multipartite schemes has been investigated [5,6]. It has been shown that there are quantum-network configurations [5] or noise regimes [6] in which the execution of a multipartite scheme is advantageous with respect to establishing a multipartite secret key via many independent bipartite protocols. However, the analysis of multipartite QKD protocols has only been carried out in the unrealistic scenario of infinitely many signals exchanged through the quantum channel. We compare the performances of two multipartite QKD protocols, which constitute the $N$-partite versions of the asymmetric BB84 [1] and the asymmetric six-state protocol [7], and will be denoted as $N$-BB84 and $N$-six-state protocol. While the $N$-six-state protocol was first proposed in [5], the $N$-BB84 constitutes a novel multipartite QKD protocol. Our analysis is conducted in the practical case of a finite amount of resources (signals) at the $N$ parties' disposal. The action of a potential eavesdropper (Eve) on the insecure quantum channel is not restricted at all, as she is allowed to perform any kind of attack (coherent attacks) on the exchanged signals. What is assumed is that the parties have access to true randomness and that the devices performing measurements on the quantum systems work according to their ideal functionality.

The article is structured as follows. In Sec. 1 we extend notions and results of bipartite-QKD security analysis to the multipartite scenario. In Sec. 2 we review the $N$-six-state protocol and introduce the $N$-BB84 protocol. Then we obtain a computable expression for their secret key lengths in the case of finite resources. In Sec. 3 we compare the achievable key rates of the two NQKD protocols in the presence of finite and infinite resources. We conclude the article in Sec. 4.

Multipartite QKD: general framework and achievable key length
Throughout the article we refer to the parties involved in an N -partite QKD protocol (NQKD) in the following way: A for Alice, B for the set of N − 1 Bobs, B i for Bob in position i and E for the eavesdropper Eve. The definitions of distance and entropic quantities employed in this Section are given in Appendix A. The aim of an NQKD protocol is to establish a common secret key, sometimes also referred to as conference key, between all N (trusted) parties. We consider the following general NQKD protocol. Although the protocol is presented in an entanglement-based view for clarity, there exists an equivalent prepare-and-measure scheme which requires the adoption of multipartite entangled states only for a small fraction of rounds (see the protocols in Sec. 2). The protocol starts with the distribution of a finite number of signals -described by genuinely multipartite entangled states-over the insecure quantum channel. All parties perform local measurements on their respective quantum systems, collecting classical data. A short pre-shared random key indicates to the parties the type of measurement to be performed on each individual state they hold. In the parameter estimation (PE) step the parties reveal a random sample of the collected data, over the insecure classical channel. This allows them to estimate the noise occurring in the quantum channel and thus to determine the secret key length. At this point the raw keys held by the parties are partially correlated and partially secret. In order to correct the errors in the raw keys, A performs pairwise an information reconciliation procedure with every B i . The procedure consists in some classical communication occurring between A and B i , which allows B i to compute a guess of A's raw key. We will refer to this procedure as error correction (EC). At last the shared raw key is turned into a secret key with privacy amplification (PA). 
Each party applies the same randomly chosen hash function to his/her raw key, where the final length of the key depends on the error rates observed in PE and the desired level of security. Finally all parties share the same secret key. During the execution of the NQKD protocol, one or more of the described subprotocols might fail to produce the desired output, thus causing the abortion of the entire protocol. In the security analysis this is accounted for by the definition of robustness:

Definition 1 [8]. An NQKD protocol is $\varepsilon_{rob}$-robust on $\rho_{AB}$ if, for inputs defined by $\rho_{AB}$, the probability that the protocol aborts is at most $\varepsilon_{rob}$.
In order to study the effects of finite resources on an NQKD protocol, one needs to extend the concept of ε-security of a key [8] to the multi-partite scenario: Definition 2 [8], [9]. Let ρ ABE be a density operator. Any NQKD protocol, which is ε rob -robust on Tr E [ρ ABE ], is said to be ε tot -secure on ρ ABE if the following inequality holds: where ρ S A S B E is the density operator describing the final keys held by the N parties and Eve's enlarged subsystem H E (including the information of the classical channels), while ρ U is the uniform state on the key space of the N parties: with S the set of possible secret keys.
The total security parameter ε tot quantifies the deviation of the NQKD protocol from an ideal protocol, i.e. one that either outputs a set of perfectly-correlated and fullysecret keys or aborts. In other words, an NQKD protocol is ε tot -secure if it behaves like an ideal protocol except for probability ε tot . With this definition, the parameter that actually accounts for the correctness and secrecy of the protocol when it does not abort, is: ε tot /(1 − ε rob ). An NQKD protocol may deviate from an ideal one if, for instance, its EC procedure fails to correct all the errors between A and B's strings. In particular, if the probability that at least one B i holds a different string than A -after EC-is ε EC , then the NQKD protocol is ε tot -secure, with ε tot ≥ ε EC . Formally, the EC failure probability is defined as: Definition 3 [8]. Let P XK be a probability distribution. Any set of error correction , which is ε rob -robust on P XK , is said to be ε EC -secure on P XK if the following holds: where the guessk i is computed by B i according to protocol EC i , and the probability is computed for inputs (x, k) chosen according to P XK , conditioned on the fact that no EC i aborted.
is ε EC -secure for any probability distribution, it is ε EC -fully secure.
In this article we assume that the NQKD protocol may abort only during the EC procedure. Thus the abortion probability of the chosen set of EC procedures is also the abortion probability of the whole protocol §.

§ Note, however, that a higher global abortion probability for fixed security parameter $\varepsilon_{tot}$ may lead to higher key rates.

The classical communication occurring during EC contains some information about the key. The amount of information about the key that is leaked to E from the insecure classical channel is quantified by the leakage: be a set of EC protocols. The NQKD protocol adopting such a set of protocols for error correction has leakage: where $C_{1,\dots,N-1}$ is the set of $(N-1)$-tuples representing all possible communication transcripts allowed by the chosen EC protocols, i.e.:

5)
P C|X=x,K=k is the transcripts' distribution conditioned on A and B's raw keys and H min P C|X=x,K=k is the min-entropy defined on a probability distribution (A.10,A.11).
We now present our results on the achievable key length (Th. 1) and the minimum leakage (Th. 2) of a general ε tot -secure NQKD protocol, which constitute a generalization of analogous results [8, Lemmas 6.4.1 and 6.3.4] valid for bipartite QKD. The general structure of the proofs is derived from the bipartite case, but deals with the new definitions of security and leakage (Def. 2, 3, 4) for multipartite schemes. As in the bipartite case, the security of an NQKD protocol can be inferred by correctness and secrecy (Appendix B). While the correctness of a protocol is determined by its EC procedure, the secrecy is linked to the final-key length via the leftover hashing lemma [8, Corollary 5.6.1]. In fact, in PA the parties map their shared key to another key which is short enough to be secret (i.e. unknown to the eavesdropper Eve). In Th. 1 we present the achievable key length of an ε tot -secure NQKD protocol for a general two-way EC procedure, while typically only the special case of one-way EC is addressed. This is achieved thanks to the result on the information leakage with two-way EC presented in Appendix E [10]. A detailed version of the proofs of Th. 1 and Th. 2 is presented in Appendix B.
Theorem 1. Let: ε > 0, $\varepsilon_{EC} > 0$, $\varepsilon_{PA} > 0$, $\varepsilon_{rob} \geq 0$ and $\rho_{ABE}$ be a density operator. Let $\rho_{XKE}$ be the output (prior to EC and PA) of an NQKD protocol applied to $\rho_{ABE}$. If the two-way EC protocol is $\varepsilon_{EC}$-secure and $\varepsilon_{rob}$-robust on the distribution defined by $\rho_{XK}$, and if $PP_{\{EC_i\},F}$ is the post-processing protocol defined by the set of EC protocols and by the set of two-universal hash functions F with co-domain {0, 1} such that * the secret key length fulfills: then the NQKD protocol is $\varepsilon_{tot}$-secure on $\rho_{ABE}$, where $\varepsilon_{tot}$ is defined as: If one restricts to one-way EC, the same result holds but with the ε-environment of the min-entropy defined via the trace distance.
Theorem 2 Given a probability distribution P XK , there exists a 1-way EC protocol that is: ε EC -fully secure, 2(N − 1)ε -robust on P XK , and has leakage: The upper bound in Th. 2 is independent of the EC protocol, thus also bounds the leakage of an optimal 1-way EC protocol which is ε EC -fully secure and 2(N − 1)ε -robust on P XK .
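The one-way EC protocol behind Th. 2 is constructed in Appendix B: A sends (f, f(x)) to every Bob, and each $B_i$ searches the support set belonging to his key $k_i$ for strings with the same hash. The sketch below is an added example, not the authors' code. Its assumptions are: a constructed toy distribution in which each Bob's raw key differs from A's in at most `t` bits, the standard definition $H_0(P_{XY}|Y) = \log_2 \max_y |\mathrm{supp}(P^y_X)|$ from [8], random binary matrices as the two-universal family, and a Bob who aborts when no candidate matches. All function names are hypothetical.

```python
import math
import random
from itertools import combinations

def hamming_ball(center, n, t):
    """All n-bit integers within Hamming distance t of `center`.
    In the toy model this is Bob's candidate set supp(P_X^{i,k_i})."""
    ball = []
    for w in range(t + 1):
        for positions in combinations(range(n), w):
            x = center
            for p in positions:
                x ^= 1 << p
            ball.append(x)
    return ball

def tag_length(n, t, n_parties, eps_ec):
    """z_EC = max_i H_0(P_XK_i|K_i) + log2(N-1) + log2(1/eps_EC), rounded up.
    In the toy model every conditional support is a Hamming ball of radius t."""
    h0 = math.log2(sum(math.comb(n, w) for w in range(t + 1)))
    return math.ceil(h0 + math.log2(n_parties - 1) + math.log2(1 / eps_ec))

def sample_hash(n, z, rng):
    """Random z x n binary matrix (rows stored as n-bit integers).
    For x != x', Pr_f[f(x) = f(x')] = 2^-z, so the family is two-universal."""
    return [rng.getrandbits(n) for _ in range(z)]

def apply_hash(f, x):
    """Matrix-vector product over GF(2), returned as a z-bit integer."""
    out = 0
    for row in f:
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out

def bob_guess(k_i, message, n, t):
    """Bob i keeps the candidates in his support set whose hash equals z.
    Returns a guess of A's raw key, or None to signal abort (assumed rule)."""
    f, z = message
    candidates = [c for c in hamming_ball(k_i, n, t) if apply_hash(f, c) == z]
    return candidates[0] if candidates else None

def run_ec(x, bob_keys, n, t, eps_ec, rng):
    """One round of the one-way protocol: the same (f, z) goes to every Bob."""
    z_len = tag_length(n, t, len(bob_keys) + 1, eps_ec)
    f = sample_hash(n, z_len, rng)
    message = (f, apply_hash(f, x))
    return [bob_guess(k, message, n, t) for k in bob_keys]

if __name__ == "__main__":
    rng = random.Random(2018)          # constructed sample input
    n, t = 32, 2
    x = rng.getrandbits(n)             # A's raw key
    keys = [x ^ 0b11, x ^ (1 << 17)]   # two Bobs, at most t bit errors each
    print("tag length:", tag_length(n, t, 3, 2 ** -10))
    print("all Bobs correct:", run_ec(x, keys, n, t, 2 ** -10, rng) == [x, x])
```

Because A's key always lies in each honest Bob's candidate set, the protocol never aborts on inputs drawn from the toy distribution; a wrong guess needs a hash collision inside the candidate set, which the chosen tag length keeps below `eps_ec` by the union bound over Bobs.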

N -BB84 and N -six-state protocol
Here we present the two NQKD protocols whose performance will be investigated in Sec. 3. We introduce the $N$-BB84 protocol which is the $N$-partite version of the asymmetric BB84 protocol [1]:

(ii) In 1st-type rounds each party measures in the Z-basis; in 2nd-type rounds, which occur with probability p (p 1), each party measures in the X-basis. The total number of 2nd-type rounds is: m = Lp.

(iii) Parameter estimation: is averaged over m 1st-type rounds randomly chosen by Alice. In the ideal situation: where $X^{\otimes N}$ is averaged over the 2nd-type rounds. Note that in the ideal situation: $Q^m_X = 0$ [5].

(iv) The secret key is obtained from the remaining data of n = L − 2m 1st-type rounds.

(v) Classical post-processing:
(a) A sends the same EC information to every $B_i$.
(b) A and B apply the same two-universal hash function to their corrected data.

L · h(p) bits of preshared secure key are used to mark the 2nd-type rounds.
Remarks: Note that the frequencies Q m AB i and Q m X observed in the PE step are the fraction of discordant Z-outcomes between A and B i and the frequency of the outcome −1 when the parties measure the operator X ⊗N , respectively. In an equivalent prepare-and-measure scheme, Alice directly produces the (N − 1)-qubit projection of the GHZ state according to her fictitious random outcome and distributes it to the Bobs. In particular, she prepares product states if the Z-basis is chosen and multipartite entangled states when the X-basis is picked. Thus the production of multipartite entangled states is only required for Lp rounds, while in all other rounds product states are prepared [5].
We refer to [5] for a detailed description of the steps characterizing the N -six-state protocol. However, the only actual differences with respect to the N -BB84 protocol are that: in the 2nd-type rounds each party measures randomly in the X-or Y -basis and all parties jointly flip their Z-measurement outcomes with probability 1/2. The bits to be flipped can be announced by Alice after the distribution and measurement of the states. These operations enable the implementation of the extended depolarization procedure [5] on the classical data, without adding further quantum gates. The frequencies observed in the PE step of the N -six-state protocol are again Q m AB i and Q m X †, plus Q m Z , i.e. the fraction of rounds in which at least one Bob measured a different Z-outcome than A's. We will refer to the corresponding probabilities as: P AB i , P X and P Z .
The frequencies observed in the PE steps of both protocols enable to quantify the amount of noise occurring in the quantum channel. However, these statistics are collected on finite-size samples, thus they only represent an estimate of the channel's noise. In Appendix C we quantitatively describe how the finite statistics of PE characterize the quantum channel's noise, for both NQKD protocols.

Computable key length
In order to employ the results of Sec. 1 in a performance comparison of the two NQKD protocols one needs to characterize E's knowledge about the key. This is achieved by assigning the noise in the quantum channel to eavesdropping. This means, in practice, that one can bound the unknown entropies with quantities exclusively depending on the noise affecting the quantum channel. In turn, the channel's noise is characterized by the finite PE statistics, as explained above. As a result, we obtain a computable expression for the achievable key length of both protocols, that is an expression solely depending on the observed PE statistics, the desired level of security, and the total number of quantum signals.

The techniques we adopt to obtain a computable key length are the following. We employ the uncertainty relation (for smooth entropies) presented in [11] for the $N$-BB84 protocol, thus showing its first application to NQKD. For the $N$-six-state protocol we instead employ the Postselection technique (PS) [12] in combination with the Asymptotic Equipartition Property (AEP) [8], and we exploit the symmetries induced by the extended depolarization procedure. We arrive at the computable key lengths of the $N$-BB84 and $N$-six-state protocol:

† Since the value of $X^{\otimes N}$ must be registered only when an even number of parties measured in the Y basis, m = m/2. See [5] for further details.

Theorem 3 The $N$-BB84 protocol, with the optimal 1-way EC protocol (which is $\varepsilon_{EC}$-fully secure and $2(N-1)\varepsilon_{PE}$-robust) and where the secret key generated by two-universal

Theorem 4
The N -six-state protocol, with the optimal 1-way EC protocol (which is ε EC -fully secure and 2(N − 1)ε PE -robust) and where the secret key generated by twouniversal hashing has length where P X , P AB i and P Z are minimized over the set: For the derivation of Th. 3 and Th. 4, we refer to Appendix D.

Performance comparison
We compare the performances of the two NQKD protocols by studying their secret-key rates, i.e. the fraction of shared secret bits per transmitted quantum signal ( /L). For this purpose we investigate the computable key lengths (2.1) and (2.2) for a given number of parties $N$ and a fixed total security parameter $\varepsilon_{tot}$. In order to carry out a fair comparison, we assume that the PE statistics of both protocols are generated by the same error model.

Error model
We assume that in every distribution round white noise acted on the ideal state and that the action of the noise is the same in every round ‡. The total distributed state over all rounds is a product state: $\rho_{AB}^{\otimes L}$, where the single-round state is given by: where ν is the noise parameter and $|GHZ_N\rangle$ is the GHZ state of $N$ qubits: The state (3.1) can be seen as the result of the action of a depolarizing channel on the whole $N$-qubit system, such that it is diagonal in the GHZ basis [5] and the probabilities $P_{AB_i}$, $P_X$ and $P_Z$ are given by: For ease of notation we will drop the index i in the probabilities $P_{AB_i}$. We assume that the frequencies $Q^m_{AB_i}$, $Q^m_X$ and $Q^m_Z$ observed in the PE step of both protocols are linked by the same relations (3.4), (3.5) that hold for the corresponding probabilities.

[Figure caption fragment] Due to the symmetric action of the white noise on the quantum channel: $P_X = P_{AB}$. The $N$-BB84 asymptotic key rate presents only one curve since it is independent of $N$.
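The PE probabilities of this error model can be checked numerically, and compared with the independent-depolarization model discussed in the next subsection. This is an added example, not code from the paper. It assumes the white-noise state has the form $(1-\nu)|GHZ_N\rangle\langle GHZ_N| + \nu\,\mathbb{1}/2^N$ and that the single-qubit depolarizing map acts as $\rho \mapsto (1-\nu)\rho + \nu\,\mathrm{Tr}_k[\rho]\otimes\mathbb{1}/2$; both conventions and all function names are assumptions.

```python
from itertools import product

def ghz(n):
    """|GHZ_N><GHZ_N| stored sparsely as {(row_bits, col_bits): value}."""
    zeros, ones = (0,) * n, (1,) * n
    return {(r, c): 0.5 for r in (zeros, ones) for c in (zeros, ones)}

def _add(rho, key, val):
    rho[key] = rho.get(key, 0.0) + val

def white_noise(rho, n, nu):
    """Global white noise (assumed form): (1 - nu) * rho + nu * I / 2^N."""
    out = {key: (1 - nu) * v for key, v in rho.items()}
    for z in product((0, 1), repeat=n):
        _add(out, (z, z), nu / 2 ** n)
    return out

def depolarize_qubit(rho, k, nu):
    """Depolarizing map on qubit k (assumed convention):
    rho -> (1 - nu) * rho + nu * Tr_k[rho] (x) I/2."""
    out = {key: (1 - nu) * v for key, v in rho.items()}
    for (r, c), v in rho.items():
        if r[k] != c[k]:
            continue  # the partial trace over qubit k drops these elements
        for b in (0, 1):
            r2 = r[:k] + (b,) + r[k + 1:]
            c2 = c[:k] + (b,) + c[k + 1:]
            _add(out, (r2, c2), nu * v / 2)
    return out

def pe_probabilities(rho, n):
    """P_AB_i: Bob i's Z outcome differs from A's (qubit 0 is A).
    P_Z: at least one Bob differs.  P_X: outcome -1 for X^(x)N."""
    p_ab = [0.0] * (n - 1)
    p_z = 0.0
    x_corr = 0.0  # <X^(x)N> = sum_z rho[z, not z]
    for (r, c), v in rho.items():
        if r == c:
            differs = [r[i] != r[0] for i in range(1, n)]
            for i, d in enumerate(differs):
                if d:
                    p_ab[i] += v
            if any(differs):
                p_z += v
        elif all(a != b for a, b in zip(r, c)):
            x_corr += v
    return {"P_AB": p_ab, "P_X": (1 - x_corr) / 2, "P_Z": p_z}

def global_model(n, nu):
    """White noise acting on the whole N-qubit state."""
    return pe_probabilities(white_noise(ghz(n), n, nu), n)

def local_model(n, nu):
    """Independent depolarizing map on each Bob's qubit."""
    rho = ghz(n)
    for k in range(1, n):
        rho = depolarize_qubit(rho, k, nu)
    return pe_probabilities(rho, n)

if __name__ == "__main__":
    nu = 0.1  # constructed sample value
    for n in (2, 3, 4, 5):
        g, l = global_model(n, nu), local_model(n, nu)
        print(n, "global P_X=%.4f P_Z=%.4f" % (g["P_X"], g["P_Z"]),
              "| local P_X=%.4f P_Z=%.4f" % (l["P_X"], l["P_Z"]))
```

Under the global model $P_X = P_{AB} = \nu/2$ for every $N$, matching the relation stated in the text, while under the local model $P_X$ grows with the number of Bobs at fixed $P_{AB}$.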

Infinite resources
In the asymptotic limit of infinitely many rounds (L → ∞), all the correction terms due to finite statistics vanish, as well as all the correction terms due to the ε-security of the key. For instance, the PE frequencies coincide with their corresponding probabilities.
For the assumed error model, the asymptotic key rates of the N -six-state protocol (r 6-state ) and the N -BB84 protocol (r BB84 ) read: where P Z is fixed by (3.5) and the rates have been maximized over the probability p of performing 2nd-type rounds. For N = 2 the rate (3.6) reduces to the asymptotic rate of the bipartite six-state protocol [3], while (3.7) is independent of N -for fixed P AB -and coincides with the asymptotic bipartite BB84 rate [3]. The reason for which (3.7) does not depend on N is that the N -BB84 protocol -unlike the N -six-state-does not completely characterize the state shared by all the parties, thus its asymptotic rate only depends on P AB and P X . For the highly symmetric error model introduced in Subsec. 3.1, it holds: P X = P AB = ν/2 which is independent of the number of parties involved.
In figure 1 we plot the asymptotic rate of both protocols as a function of the probability of discordant raw key bits between A and $B_i$ ($P_{AB}$), for various numbers of parties $N$. By noting that the $N$-six-state protocol outperforms the $N$-BB84 for equal $P_{AB}$ and any number of parties $N$, we observe in the $N$-partite asymptotic scenario that a six-state-type protocol produces higher rates than a BB84 one, extending known results of the bipartite case [3]. Interestingly, the rate of both protocols does not decrease for an increasing number of parties and fixed $P_{AB}$. However, one should keep in mind that increasing $N$ for fixed $P_{AB}$ may not be physically reasonable. In fact, according to our error model, if $P_{AB}$ is fixed then also the noise parameter ν (quantifying the amount of depolarization on all $N$ qubits) is fixed, and increasing $N$ with a fixed noise parameter may not describe realistic quantum channels. Consider, for instance, the case in which part of the noise generating $P_{AB}$ is due to the failure of imperfect bipartite gates used for the distribution of the GHZ state. Then an increase of $N$, obtained by adding gates with the same failure probability, would lead to an increase of $P_{AB}$ [5].

Moreover, the adoption of other error models can lead to key rates decreasing in the number of parties, for fixed $P_{AB}$. For instance if the noise on the ideal distributed state is modeled as the independent action of the depolarizing map on each $B_i$, i.e. the single-round state reads: then the probabilities of interest are given by: where we dropped the index i in the probabilities $P_{AB_i}$. The asymptotic key rates of the $N$-BB84 and $N$-six-state protocol computed with the new probabilities (3.10), (3.11) and (

In figure 3 we compare the key rates of both NQKD protocols for a finite number of signals L transmitted through the quantum channel, with noise discussed in Subsec. 3.1.
The rates are numerically maximized over the parameters: p, ε, $\varepsilon_{PE}$, $\varepsilon_{EC}$, $\varepsilon_{PA}$, with the constraint given by the fixed value of the total security parameter: $\varepsilon_{tot} = 5 \cdot 10^{-9}$. We observe that, although for large L the $N$-six-state still performs better than the $N$-BB84 protocol, there exists a certain number of rounds, identified by the threshold function L($Q^m_{AB}$, $N$), below which the $N$-six-state protocol is outperformed by the $N$-BB84 protocol. The threshold function L is defined as: From figure 3a one deduces that the $N$-six-state protocol is much more sensitive than the $N$-BB84 if the number of parties is increased, displaying the opposite behavior with respect to the asymptotic case (figure 1). This causes the threshold function to increase with $N$ and fixed $Q^m_{AB}$ (figure 4a). On the other hand, the $N$-six-state protocol is more robust than the $N$-BB84 protocol when the quantum channels become noisier (figure 3b). As a result the threshold function decreases for increasing noise and fixed $N$ (figure 4b).
We point out that the function L may not be a physical threshold for the number of rounds above which the $N$-six-state protocol is more efficient than the $N$-BB84 protocol, as the achievable key rates depend on quantitatively different estimates. As a matter of fact, it is known [11] that the uncertainty relation employed for the $N$-BB84 protocol yields tighter bounds compared to the PS technique used for the $N$-six-state protocol, especially for low values of L. Instead, asymptotically the correction terms introduced by the PS technique and the uncertainty relation vanish †, allowing the $N$-six-state to outperform the $N$-BB84 protocol (figure 1). Therefore the crossover between the two key rates at L is mainly caused by the different tightness of the min-entropy bounds used in the two protocols. Moreover, the PS corrections become more pronounced for increasing number of parties, thus explaining the rise of the threshold function with $N$. Indeed, the reduction in the key length scales quadratically with the dimension d of the Hilbert space of a single-signal state shared by all $N$ parties. Since we assume that the quantum system held by each party is a qubit, $d = 2^N$, i.e. the reduction in the key length introduced by the PS technique scales exponentially in $N$.

† Recall that the correction terms due to PS allow to extend the security of the key against collective attacks to coherent attacks, however in the asymptotic limit these attacks are equivalent [13], thus the PS corrections vanish.

Why different strategies?
In Subsec. 3.3 we argued that the N -BB84 protocol outperforms the N -six-state protocol, at low values of L, due to the adoption of tighter bounds on the min-entropy.
One could wonder what would happen if the same strategy were used in obtaining the computable key length for both protocols. Unfortunately, this is not possible: the two strategies employed (uncertainty relation and PS technique) are suited to the particular protocol to which they are applied and they cannot be used in the other protocol. In principle the uncertainty relation may also be used to bound the min-entropy of the N -six-state protocol, but then the additional symmetries due to the extended depolarization procedure would be ignored, such that one ends with the same key length as for the N -BB84 protocol. Conversely, one could employ the PS technique in combination with the AEP to bound the min-entropy of the N -BB84 protocol. The problem in this case would be the lack of information provided by any symmetrization procedure performed on the shared signals. Indeed without any further symmetrization, the degrees of freedom of the shared signals ‡, reduced by the PE observations, would still be too many to find a computable bound to the min-entropy (i.e. a bound that only depends on the PE statistics and on the input parameters).

Conclusion and Outlook
In this paper we presented the first complete finite-key analysis of two N -partite QKD (NQKD) protocols, which can be regarded as the multipartite versions of the BB84 [1] and of the six-state [7] protocol. Although both protocols adopt genuinely multipartite entangled states as resources, these states are only required for a small number of rounds, while in the majority of the cases product states are distributed. In order to study finite-size effects in NQKD schemes, we extended the information theoretic security analysis [8] of bipartite QKD protocols to the multipartite case, taking into account both one-way and two-way error correction protocols. Then we employed the general results on the security of NQKD to investigate the N -six-state protocol [5] and the newly-defined N -BB84 protocol. In particular, we derived analytical formulas for the achievable secret key length of both protocols which only depend on the parameter estimation statistics and on the desired level of security. We achieved this by bounding the knowledge of the eavesdropper about the secret key by means of the best-known strategies adopted in bipartite QKD, namely the uncertainty relation for smooth entropies [11] and the postselection technique [12]. We compared the performance of the two NQKD protocols in the case of finite resources and in the asymptotic limit. We observed that, although the N -six-state protocol reaches higher rates asymptotically, there exists a threshold value for the number of signals below which it is outperformed by the N -BB84 protocol. We argued that this crossover between the rates of the two protocols is caused by the different strategies adopted in obtaining the computable key lengths, and we justified the choice of the strategy for each protocol.
In order to carry out a fairer comparison between the N -six-state protocol and the N -BB84 when the number of available resources is low, it would be desirable to implement tighter bounds for the min-entropy of the former protocol. In any case, the framework of NQKD ε-security developed in this paper may be used for the finitekey analysis of other multipartite QKD protocols. This work is based on the assumptions that the measurement devices are ideal and that the parties have access to true randomness. In order to address more realistic scenarios, one can consider the fact that the measurements in the Z and X bases are not necessarily projective measurements in diagonal bases, but rather generic positive operator-valued measurements. This fact could be easily implemented in our N -BB84 protocol, thanks to the properties of the uncertainty relation [14]. A more drastic approach is represented by device-independent QKD (DIQKD) [15,16], where no assumption is made on the devices except for spatial separation. In this context it is worth mentioning the recent security proof of a multipartite DIQKD protocol [6]. In that protocol security is guaranteed for every violation of a bipartite Bell inequality (CHSH inequality [17]) between one of the parties and the other N − 1. It is not yet known whether security can still be proven for violations of a multipartite Bell inequality (MABK inequality [18][19][20]) that do not necessarily imply CHSH violations.
• The norm · of an operator O is defined as: • P(H) is the set of positive-semidefinite operators on the Hilbert space H.
• The set of possible secret keys shared by the parties is S.
• The set of operators which are ε-close to a given density operator ρ is defined as: if the distance is computed with respect to the trace distance, or as: if the distance is given by the purified distance [21]: whereF (τ, ρ) is called generalized fidelity: Since the purified distance is an upper bound to the trace distance [21], it holds: • We say that ρ X is the operator representation of the probability distribution P X on the set X if: for some orthonormal basis {|x } x .
• We define the set of probability distributions which are ε-close to a given probability distribution P X as those distributions whose operator representation is ε-close to the operator representation of P X , according to (A.1) and (A.2).
• The Rényi zero-entropy H 0 (P XY |Y ) of the probability distribution P XY over the set X × Y is given by [8,22]: where P y X denotes the function P y X : x → P XY (x, y). This entropy was called "max-entropy" in [8].
• The ε-smooth Rényi zero-entropy H ε 0 (P XY |Y ) is defined as [8,23]: If the minimization is performed on B ε, P (P XY ) the corresponding Rényi zero-entropy is denoted as: H ε, P 0 (P XY |Y ). • The Rényi zero-entropy H 0 (ρ) of the density operator ρ is defined as [8]: • The min-entropy of the density operator ρ AB relative to σ B is [8,22]: Note that for H min (ρ AB |σ B ) to exist, a necessary condition is that: supp(ρ B ) ⊆ supp(σ B ). If H B is the trivial space C, then the min-entropy reduces to: where λ max (ρ A ) is the maximum eigenvalue of ρ A .
• The min-entropy of the probability distribution P XY relative to the distribution Q Y is [8]: where ρ XY and σ Y are the operators representations (A.5) of P XY and Q Y , respectively.
• The min-entropy of A conditioned on B of the density operator ρ AB is [8,22,24]: • The ε-smooth min-entropy of A conditioned on B of the state ρ AB is [8,22]: If the maximization is performed on B ε, P (ρ AB ) the corresponding min-entropy is denoted as: H ε, P min (ρ AB |B). • The max-entropy of A conditioned on B of the density operator ρ AB is [22]: where the min-entropy of the r.h.s. is evaluated for a purification ρ ABC of ρ AB .
• The ε-smooth max-entropy of A conditioned on B of the density operator ρ AB is [22]: If the minimization is performed on B ε, P (ρ AB ) the corresponding max-entropy is denoted as: H ε, P max (ρ AB |B).

Appendix B. Further NQKD definitions and theorems' proofs
In this appendix we prove the two results (Th. 1 and Th. 2) presented in Sec. 1. First we show that correctness and secrecy of a protocol are a sufficient condition for security (Def. 2), analogously to the bipartite case [8,9]: Definition 5 [6], [14]. Let ρ ABE be a density operator. Any NQKD protocol, which is ε rob -robust on Tr E [ρ ABE ], is said to be ε -correct on ρ ABE if: where (s A , s B ) are the secret keys generated by the NQKD protocol and the probability is conditioned on the fact that the protocol did not abort.
Note that the definition of robustness of an NQKD protocol is given in Def. 1.
Definition 6 [6], [14]. Let ρ ABE be a density operator. Any NQKD protocol, which is ε rob -robust on Tr E [ρ ABE ], is said to be ε -secret on ρ ABE if: where ρ U is the uniform state on A's key space.
The following lemma holds: Lemma 1 Given an NQKD protocol which is ε -correct and ε -secret, then it is also (ε + ε )-secure.
Proof. From the correctness hypothesis we have: From the secrecy hypothesis we have: Having obtained inequalities (B.3) and (B.4), we are ready to prove the thesis: We now prove the result on the achievable key length of a general NQKD protocol: Proof of Th. 1. In the post-processing protocol PP {EC i },F , the sub-protocol which transforms partially correlated key pairs into fully correlated ones is defined by the set 3) on the classical probability distribution defined by ρ XK , according to Def. 5 the whole NQKD protocol is ε EC -correct on ρ ABE . Thus by Lemma 1 we only need to show that the NQKD protocol is (2ε + ε PA )-secret in order to complete the proof, i.e. : We stress the fact that in Eve's subsystem E we included not only Eve's quantum degree of freedom H E , but also her knowledge about the classical communication H C occurring during error correction (defined by {EC i }) and the classical communication taking place in privacy amplification H F (defined by the set F).
In order to prove (B.6), we start from the result in [8, Corollary 5.6.1] stated in a slightly weaker form: valid ∀ε , where is the number of key bits after privacy amplification. The inequality (B.7) leads to a sufficient condition for (B.6) to be true, namely: therefore we will now focus on proving (B.8), having fixed:ε =ε. We first prove the result without assuming that the classical communication C is oneway, i.e. it may also depend on B's raw keys. Then we show how to achieve a slightly stronger result by assuming one-way classical communication.
(ii) By definition (A.9): H min (ρ XKC |ρ XK ) = − log 2 min λ, where λ is a real parameter satisfying: which yields: where in the last inequality we used the definition of min-entropy for probability distributions (A.11).
Substituting now in (B.10), recalling Def. 4 and using (B.9) yields: By using the assumption (1.6) in the last inequality concludes the proof: where the quantum state is, under the assumption of one-way EC protocols: where the hat· indicates normalized density operators and: which is equivalent to what was obtained in the two-way scenario (B.10) except for the ε-environment of the min-entropy, here defined via the trace distance. Analogous steps to those employed in the first part lead to the claim valid for one-way EC.
Finally, we show how to obtain an upper bound on the leakage of an optimal EC protocol. Parameters:

Proof of
•X : family of setsX i k i ⊆ X parametrized by the index i which identifies B i and by k i ∈ K.
• F: family of hash functions from X to Z.

Protocol:
(i) A receives as input the raw key x ∈ X , while B i receives the raw key k i ∈ K.
(ii) A chooses uniformly at random f ∈ R F and defines z ≡ f (x). Then, A sends the classical message (f, z) to B.
(iii) B i selects the setX i k i corresponding to the key k i he is holding, and defines:

PART 1: We first show that the above-defined ECX ,F , for an appropriate choice of the parametersX and F, is 0-robust on P XK , ε EC -fully secure (see Def. 3), and has leakage: Let $z_{EC} \equiv \max_i H_0(P_{XK_i}|K_i) + \log_2(N-1) + \log_2(1/\varepsilon_{EC})$ and let F be a two-universal family of hash functions from X to $Z = \{0,1\}^{z_{EC}}$. Moreover, letX = {X i k i } be the family of sets defined byX i k i ≡ supp(P i,k i X ), where supp(P i,k i X ) denotes the support of the function: P i,k i X : x → P XK i (x, k i ). From the choice of F we know that: and fixed elements x, x ∈ X . Note that the two parametersX , F defining the EC protocol are completely fixed by the marginal distributions P XK i of the given probability distribution P XK .

For any given set of raw keys (x, k 1 , . . . , k N −1 ) (not necessarily generated by P XK ), one can bound the probability that the protocol ECX ,F does not abort and outputs a wrong guess for at least one Bob, as: where the third inequality is due to the union bound and the fourth to the chosen set F. Finally, we can bound (B.21) by: which proves that ECX ,F is ε EC -fully secure according to Def. 3. Note that we used (A.6) for the equality and the definition of z EC in the last inequality.

If the set of keys (x, k 1 , . . . , k N −1 ) is now generated by the distribution P XK , then x ∈X i k i ∀i since P XK i (x, k i ) ≠ 0 ∀i (otherwise the pair (x, k i ) could not have been generated). Therefore, being f (x) = z true by definition, the setsD i are never empty, thus the EC protocol never aborts, i.e. it is 0-robust (Def. 1) on P XK .

Let us now consider the leakage of the protocol ECX ,F . Since it is a one-way EC protocol where the information sent to one Bob is then copied and then sent to all the other Bobs, the leakage reads (Def. 4): For this EC protocol, after having fixed A's key x, the classical communication (f, z) is simply depending on the random choice of f , therefore: P C|X=x = 1/|F|. Substituting in (B.22) yields: which concludes the first part of the proof (B.20).
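The one-way EC protocol of PART 1 can be run end to end on a toy instance. The following is an added example, not code from the paper. It assumes a constructed noise model (each Bob's key differs from A's in at most T bits, so each support set is a Hamming ball), uses uniformly random binary matrices over GF(2) as the two-universal family, and lets a Bob output the first consistent candidate; all parameter values are constructed.

```python
import itertools
import math
import random

N_BITS = 32      # raw-key length (constructed toy value)
T = 2            # assumed noise model: P_{XK_i}(x, k) > 0 iff x, k differ in <= T bits
N_PARTIES = 4    # A and N - 1 = 3 Bobs
EPS_EC = 2 ** -10

def support(k):
    """The set X^i_k = supp(P^{i,k}_X): every x within Hamming distance T of k."""
    out = []
    for w in range(T + 1):
        for pos in itertools.combinations(range(N_BITS), w):
            out.append(k ^ sum(1 << p for p in pos))
    return out

def hash_length():
    """z_EC = max_i H_0(P_XK_i|K_i) + log2(N-1) + log2(1/eps_EC), rounded up.
    H_0 is log2 of the largest support size (same ball for every Bob here)."""
    h0 = math.log2(sum(math.comb(N_BITS, w) for w in range(T + 1)))
    return math.ceil(h0 + math.log2(N_PARTIES - 1) + math.log2(1 / EPS_EC))

def apply_hash(rows, x):
    """f(x) = Mx over GF(2); a uniformly random matrix M is two-universal."""
    return tuple(bin(r & x).count("1") & 1 for r in rows)

def alice_message(x, rng):
    """Step (ii): choose f at random and send (f, z = f(x)) to all Bobs."""
    rows = [rng.getrandbits(N_BITS) for _ in range(hash_length())]
    return rows, apply_hash(rows, x)

def bob_candidates(k, rows, z):
    """Step (iii): elements of X^i_k whose hash matches z."""
    return [c for c in support(k) if apply_hash(rows, c) == z]

def bob_decode(k, rows, z):
    """Abort (None) if no candidate survives; otherwise output one.
    Picking the first candidate is an assumption of this sketch."""
    cands = bob_candidates(k, rows, z)
    return cands[0] if cands else None

def run(seed=1):
    rng = random.Random(seed)   # seeded only so the demo is reproducible
    x = rng.getrandbits(N_BITS)
    bobs = []
    for _ in range(N_PARTIES - 1):
        flips = rng.sample(range(N_BITS), rng.randint(0, T))
        bobs.append(x ^ sum(1 << p for p in flips))
    rows, z = alice_message(x, rng)
    return x, bobs, rows, z

if __name__ == "__main__":
    x, bobs, rows, z = run()
    print("hash bits sent:", len(z))
    print("guesses equal to x:", [bob_decode(k, rows, z) == x for k in bobs])
```

Because x always lies in each Bob's support set and f(x) = z holds by construction, the candidate sets are never empty for keys drawn from the assumed distribution, which is the 0-robustness argument above.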
where the distance between two probability distributions is defined as: We defineī ≡ arg max i H 0 (P XK i |K i ), then (B.23) implies: Let us now consider the protocol ECX ,F whereX and F are fixed by the above-defined . Then, by (B.20) we know that such an EC protocol is ε EC -fully secure and has leakage: where we used (B.24) in the second inequality.

The last thing to be shown is that such an EC protocol is also 2(N − 1)ε -robust on the distribution P XK : i.e. the probability that the protocol aborts when initiated with a set of keys (x, k) generated by the distribution P XK is lower than or equal to 2(N − 1)ε §. Let us compute the probability of ECX ,F to abort: One of the possibilities forD i not to be empty is x ∈D i ⇔ x ∈X i k i ⇔P XK i (x, k i ) = 0, which is not obvious since x was generated through the distribution P XK . Therefore: By employing the following inequality from probability theory (straightforward proof based on the union bound and De Morgan's law): where Pr(A i ) is the probability of event A i , we are able to recast the r.h.s. of (B.26) as: We now concentrate on computing Pr (x,k i ) P XK i (x, k i ) = 0 P , which is the probability that, having generated the couple (x, k i ) from distribution P XK i , it holds that P XK i (x, k i ) = 0. We employ the fact that by assumption (B.23) the distance between the two involved distributions is bounded by 2ε , which implies that, for instance: Let us focus on the probability of the complementary event: Pr (x,k i ) P XK i (x, k i ) = 0 P . Since this event is a sufficient condition for having P XK i (x, k i ) ≤ 2ε (because of (B.29)), this means that: but the l.h.s. of (B.30) can be bounded by: therefore we have: Substituting in (B.28) yields: (B.33)

§ Note that this EC protocol is defined by the distributionsP XKi which are one by one 2ε -close to the marginals of the distribution P XK defining the EC protocol of part 1, which was shown to be 0-robust on P XK . It is not straightforward to infer, unlike the bipartite case, that the new EC protocol is then (N − 1) · 2ε -robust on P XK .
With this result we can conclude that:

Appendix C. Quantifying the channel's noise

As anticipated in Sec. 2, one can bound E's knowledge about the secret key by quantifying the noise she introduced in the quantum channel. In this Section we show how the relevant noise parameters of both protocols can be estimated from the finite statistics collected in PE.
In the N -BB84 protocol, the important noise parameters that are subsequently used to characterize E's knowledge are Q n AB i and Q n X , i.e. the frequency of discordant Z-outcomes between A and B i and the frequency of the outcome X ⊗N = −1, respectively. Both frequencies refer to hypothetical measurements performed on the remaining n signals following PE. The goal is to characterize the noise parameters based on what is observed in PE (Q m AB i and Q m X ). This is easily achieved by means of the following Lemma as the relative Hamming weights of the two randomly chosen partitions of R, it holds: where: We denote by (R) m the m-bit string composed by the random variables R 1 , . . . , R m , while (R) n is the n-bit string composed by the remaining entries of R.
Proof. Let's first fix the random bit string R to a given and known string: R ≡ r; thus also its relative Hamming weight is fixed to some real value: Λ M ≡ λ M . Then it holds [25,Theorem 1]: By defining ν = m/M , it is immediate to show the following facts for every µ ∈ R: Now one can make use of (C.5) and (C.7) in the following calculation:

In order to make use of Lemma 2, we define the following random vectors containing the outcomes of A and B i 's Z-measurement rounds devoted to PE: Analogously, we define the random vectors containing the outcomes of A and B's X-measurement rounds: With these definitions, it holds: therefore it is immediate to verify that: (C.14) Since we were able to write the frequencies Q m AB i and Q m X as relative Hamming weights of random vectors, we can apply Lemma 2 and state that: where we used (B.27) and defined: leakage term with quantities depending on the channel's noise.
In this Section we show how to achieve this task for both protocols and how to further characterize the noise via the PE finite statistics, by using the results of Appendix C.
Concerning the notation, for the remainder of the Section we indicate with a superscript the number of signals described by the quantum state, and we denote by Z the classical system containing A's raw key bits (since in both protocols the raw keys are generated by Z-basis measurements). Thus the quantum state describing the parties' raw keys and E's degree of freedom is indicated as: ρ n ZKE .
Leakage. The leakage of an optimal 1-way EC protocol (1.7) is bounded by the smooth Rényi zero-entropy of the probability distribution of A and B i 's raw keys (A.7). Note that, thanks to (A.4), we can bound such an entropy by: In this way, one can follow the proof of [14,Lemma 3] and show that there exists a probability distribution R n ZK i ∈ B ε PE , P (P n ZK i ) such that the frequency of discordant bits (Q n AB i ) is less than or equal to Q m AB i + 2ξ(ε z , n, m), with certainty. Note that this is not true for the distribution P n ZK i , since condition (C.15) holds. This upper limit on the number of discordant bits between A and B i , when the keys are generated by R n ZK i , allows one to bound the Rényi zero-entropy of such a distribution by nh(Q m AB i + 2ξ(ε z , n, m)). Finally, since the smooth Rényi entropy of order zero is defined with a minimization over its ε-environment (A.7), one obtains: Combining (D.1) and (D.2) with Th. 2 leads to the desired result. The leakage occurring in the N -BB84 protocol, implemented with the optimal 1-way, ε EC -fully secure and 2(N − 1)ε PE -robust EC protocol, is:

Min-entropy. Let ρ n+2m ABE be the pure state describing the whole set of quantum signals and E's quantum system. The state ρ n ZE is then obtained by performing independent Z-measurements on A's subsystems and taking the partial trace over B's ones, after the PE procedure took place on 2m signals. If we now define ρ n XB as the state obtained by performing independent X-measurements on A's subsystems and then taking the partial trace over E, we can employ the uncertainty relation [11]: where q = − log 2 c, with: and P z 1 ⊗ . . . ⊗ P zn , P x 1 ⊗ . . . ⊗ P xn are the projectors implementing the Z- and X-measurements on A's subsystems, respectively. In particular, P z i ∈ {P |0 , P |1 } and P x i ∈ {P |+ , P |− }. Therefore one can easily compute the quality factor q in this specific case: q = n ‡.
We can now bound the max-entropy (A.15) of the classical-quantum states ρ n XB by performing the same projective measurement on all B's subsystems and by employing the data processing inequality [24, Theorem 6.2]: which inserted in (D.4) yields: Finally one can bound the max-entropy of the classical state ρ n XX , i.e. of the probability distribution P n XX , by means of [14, Lemma 3]. As a matter of fact, one can consider the whole set of B as one single Bob with the X-outcomes vector defined as: where the random vectors are defined in (C.12). Under this classical operation the data processing inequality holds: In this fashion, the PE parameter Q m X is exactly the frequency of discordant bits between X a and X (see its definition in (C.14)). Therefore one can apply [14,Lemma 3]: which combined with (D.9) yields: H ε PE , P max (ρ n XX |X) ≤ nh (Q m X + 2ξ(ε x , n, m)) . (D.11) Finally inserting (D.11) in (D.7) after having fixed:ε = ε PE , yields the desired result: (ε x , n, m))) . (D.12)
Computable key length. By employing the bounds on the leakage (D.3) and on the min-entropy (D.12) in Th. 1, one obtains the computable key length presented in Th. 3, which only depends on the PE statistics and on the security parameters.
‡ The norm ‖·‖∞ evaluates the largest singular value.

Appendix D.2. N -six-state protocol

As anticipated in Subsec. 2.1, the strategy adopted to achieve a computable expression of the N -six-state key length relies on the PS technique [12]. Such a technique allows one to prove a given property of a quantum channel, acting on a general multipartite state, by just proving it on inputs consisting of identical and independent copies of a state on a single subsystem. Therefore one can infer the security of a QKD protocol, viewed as a quantum channel, under coherent attacks (arbitrary input) from the security of the same protocol under collective attacks (product state input) [27]. For this reason in the following we restrict E's action to collective attacks, meaning that the quantum state describing the parties' raw keys and E's quantum system is a product state: ρ ⊗n ZKE , and the raw keys' probability distribution is a product distribution: (P ZK ) n .

Leakage. We start from the general upper bound stated in (1.7) and employ the finite version of the AEP for probability distributions [28, Theorem 1] to further bound the smooth Rényi zero-entropy (A.7):

$$H_0^{\varepsilon_{PE}}\big((P_{ZK_i})^n \,\big|\, K_i\big) \le n\left[H(Z|K_i) + \log_2(5)\sqrt{\frac{2\log_2(1/(2\varepsilon_{PE}))}{n}}\,\right] \qquad \text{(D.13)}$$

where we fixed ε = ε PE as defined in (C.18) and where H(Z|K i ) is the conditional Shannon entropy of P ZK i . Thanks to the symmetries introduced by the extended depolarization procedure [5] each raw key bit is uniform: H(Z) = H(K i ) = 1. These constraints on the probability distribution P ZK i imply that its conditional entropy H(Z|K i ) can be expressed as a function of the only parameter P AB i as follows: H(Z|K i ) = h(P AB i ). Finally, we characterize the probability P AB i through the observed frequency Q m AB i in PE (C.17). In particular, we exploit the composable-security property by adding ε PE to the total security parameter and by maximizing (D.13) over the allowed probabilities. Combining this with Th. 2 leads to the desired result. The leakage occurring in the N -six-state protocol, implemented with the optimal 1-way, ε EC -fully secure and 2(N − 1)ε PE -robust EC protocol, is:

$$\mathrm{leak}^{\mathrm{NQKD}}_{\mathrm{EC}} \le n\left[\max_i h\big(Q^m_{AB_i} + 2\eta(\varepsilon_z, 2, m)\big) + \log_2(5)\sqrt{\frac{2\log_2(1/(2\varepsilon_{PE}))}{n}}\,\right] + \log_2\frac{2(N-1)}{\varepsilon_{EC}} \qquad \text{(D.14)}$$

Min-entropy. We can bound the min-entropy of a product state via the finite version of the AEP for quantum states, reported in [29,Equation B7]:

$$H^{\bar\varepsilon}_{\min}\big(\rho^{\otimes n}_{ZE} \,\big|\, E\big) \ge n\left[S(\rho_{ZE}) - S(\rho_E) - 5\sqrt{\frac{\log_2(1/\bar\varepsilon)}{n}}\,\right] \qquad \text{(D.15)}$$

where S(ρ) is the Von Neumann entropy. The r.h.s. of (D.15) can be recast in terms of the probabilities P X and P Z , by following analogous steps in [5] and by exploiting the symmetries of the single-signal state due to the extended depolarization procedure. Finally, the probabilities P X and P Z are characterized by the PE measurements through (C.17). Thus we can minimize the min-entropy bound over the allowed probabilities while adding the PE failure probability ε PE to the total security parameter. These operations yield:

$$H^{\bar\varepsilon}_{\min}\big(\rho^{\otimes n}_{ZE} \,\big|\, E\big) \ge n\left[\inf_{\Gamma_{PE}}\left(\Big(1 - \frac{P_Z}{2} - P_X\Big)\log_2\Big(1 - \frac{P_Z}{2} - P_X\Big) + \Big(P_X - \frac{P_Z}{2}\Big)\log_2\Big(P_X - \frac{P_Z}{2}\Big) + (1 - P_Z)\big(1 - \log_2(1 - P_Z)\big)\right) - 5\sqrt{\frac{\log_2(1/\bar\varepsilon)}{n}}\,\right] \qquad \text{(D.16)}$$

where the set Γ PE is defined in (2.3).
Computable key length. By substituting the bounds (D.14) and (D.16) into Th. 1, one obtains the computable key length of the N -six-state protocol when performed under collective attacks. The PS technique [12] allows one to extend the security of a protocol against collective attacks to any kind of attack, by just shortening the key length and introducing a corrective factor on the total security parameter. Consider an NQKD protocol E acting on L-partite systems (the L shared signals), where each of the L constituents has dimension d (in our case each signal describes the state of N qubits, thus $d = 2^N$). If E is ε tot -secure against collective attacks, then the protocol E obtained from E by shortening the output of the hashing by $2(d^2 - 1)\log_2(L + 1)$ bits is $(L + 1)^{d^2 - 1}\,\varepsilon_{\mathrm{tot}}$-secure against coherent attacks. By applying the PS corrections to the N -six-state key valid for collective attacks, we extend its validity to coherent attacks, yielding the final result: Th. 4.
Thanks to the definition of purified distance we can find an extension of ρ XE , namely ρ XKE , such that it is still ε-close to ρ XKE = Tr C [ρ XKCE ] [30, Corollary 9]. We can assume, without loss of generality, that ρ XKE is classical on X and K and that ρ XK has support contained in the support of ρ XK §. Furthermore, let R XK→XKC be the CPTP recovery map that recovers C from (X, K), i.e.: ρ XKC = R XK→XKC (ρ XK ). Since X, K and C are classical, this map can be chosen to be of the form: x,k,c P C|XK (c|x, k) x| k|Q XK |x |k |x x| ⊗ |k k| ⊗ |c c| (E.4) where P C|XK is the conditional probability distribution defined by the EC protocol which led to the given state ρ XKCE . According to the definition of min-entropy (A.9), for any Q XK that is classical on X and K we have that: where λ is the minimum real number that satisfies the inequality: x,k,c P C|XK (c|x, k) x| k|Q XK |x |k |x x| ⊗ |k k| ⊗ |c c| ≥ 0 , or equivalently: Because ρ XKCE satisfies the Markov condition C ↔ (X, K) ↔ E, we have: Therefore, defining: and using the fact that CPTP maps cannot increase the distance between states, ρ XKCE is ε-close to ρ XKCE , so that: Furthermore, since supp(ρ XK ) ⊆ supp(ρ XK ), the action of the recovery map is such that supp(ρ C ) ⊆ supp(ρ C ), and hence by [8, Remark 3.1.3] it holds: (E.11)

§ It is always possible to turn subsystems into classical ones by applying a CPTP map that projects onto the elements of a fixed "classical" basis. Note that such a map cannot increase the distance between states.