Estimating the privacy of quantum-random numbers

We analyze the information an attacker can obtain on the numbers generated by a user by measurements on a subsystem of a system consisting of two entangled two-level systems. The attacker and the user make measurements on their respective subsystems, only. Already the knowledge of the density matrix of the subsystem of the user completely determines the upper bound on the information accessible to the attacker. We compare and contrast this information to the appropriate bounds provided by quantum state discrimination.


Introduction
Random numbers have wide applications [1], ranging from Monte Carlo simulations [2] via lotteries and gambling to classical and quantum cryptography protocols [3,4,5,6]. For most of these tasks, the privacy of the generated numbers, that is the condition that the random numbers are neither predictable by any model, nor that an attacker can obtain information that allows him to at least partially predict them, plays a crucial role.
A quantum random number generator (QRNG) offers, at least theoretically, the possibility to create such unpredictable random numbers [7,8], due to the physical nature of their generation process and the inherent indeterminism of quantum theory. Typical examples of QRNG implementations are photons on a beam splitter [9], homodyne measurements of the vacuum [10], or laser phase noise [11].
However, real-life implementations of QRNGs usually suffer from imperfections that open the door for an attacker to get at least partial information about the generated numbers. In this article, we employ an elementary two-qubit model for such a nonideal QRNG to determine how much information an attacker can maximally gain by exploiting the imperfections of a QRNG.
We emphasize that our model can be easily implemented experimentally. In order to implement our model experimentally, two conditions have to be fulfilled: (i) The control and entanglement of two qubit systems. (ii) The tomography of both qubits. Fortunately, both can be achieved readily. Over the past years, a wide range of experiments controlling and measuring two qubit systems have been demonstrated, ranging from superconducting qubits [12], over trapped ions [13,14] and Rydberg atoms [15], to entangled photons [16]. Tomography has also been demonstrated for different systems [17,18].

Formulation of problem
For this purpose, we consider the model of a QRNG depicted in Figure 1, which consists of a single qubit system A that is prepared in a quantum state ρ̂_A. The user performs projective measurements in the direction of the unit vector e_A on the Bloch sphere of the system A. To each of the two possible outcomes he assigns a bit value a, with a = 0 or a = 1. We denote the probability that the user obtains the bit value a for the measurement direction e_A by W_{e_A}(a).
Since the user wants to extract a maximum of entropy, his measurement is chosen in such a way that the measurement outcomes, and thus the assigned bit values, have equal probability. In the ideal case, the state ρ̂_A would be a pure state, but due to imperfections it is in general assumed to be a mixed state. By extending the system with a qubit environment B, we can purify ρ̂_A to a pure state |Ψ⟩ in the system A + B.
In the worst case, an attacker, who wants to gain as much knowledge about the generated random numbers as possible, knows or might even have prepared the complete state |Ψ⟩. The attacker is also aware of the user's measurement, and can perform a The question the user has to ask then is: How much information can the attacker gain from his own measurement result b about the user's random bit a?

Mutual information and entanglement
We quantify this information using the mutual information [4,19,20] that a measurement on the system B can provide about the measurement outcome in the system A, and vice versa. Here, W_{e_A,e_B}(a, b) is the joint probability of getting the measurement results a and b. We note that for a separable state |Ψ_s⟩, the measurement results in both subsystems are independent of each other, that is the joint probability is given by the product of the marginals for all combinations of measurement results a and b and the logarithm and hence the mutual information both vanish, that is In order to achieve a non-vanishing mutual information, the two subsystems A and B must be entangled. Indeed, we shall show that the entanglement between the two subsystems plays a crucial role for the mutual information.
We gain a deeper insight into the role of the entanglement, by noting from (1) that the mutual information depends only on the measurement probabilities, which result from the measurement operators of the user and the attacker as well as from the state of the complete system.
Since we want to model a quantum random number generator, the user chooses the measurement such that a uniform distribution arises. The user's measurement is therefore fixed with respect to the state of the subsystem of the user. The mutual information is then only dependent on the measurement of the attacker and the state of the complete system.
To obtain the maximal mutual information, the attacker has to choose his measurement accordingly. The requirements of a constant distribution for the user and the maximal mutual information for the attacker reduce the number of degrees of freedom and the mutual information can only depend on the entanglement of the two subsystems.

Discussion of the literature
The question raised in this article, of how private the random numbers generated in a non-ideal QRNG are, is of course not completely new. There already exist different approaches [21,22,23,24,25,26] that allow one to estimate the unpredictability of the "raw" random numbers generated in a non-ideal QRNG. All strategies have in common that one tries to find a lower bound to the min-entropy of a long sequence of raw random numbers. This quantity is then used by a randomness extractor to produce a shorter, but unpredictable sequence of "perfect" random numbers [27,28,29].
One approach is to model the setup and its imperfections, and then calculate the min-entropy from this model [21,22]. However, in many cases this is quite a difficult task, and one has to make sure that the model is a good description of the experimental implementation.
Semi-device independent QRNGs [23,24,25,26], in which states are prepared and measured in random bases in order to make Bell-like tests on the raw data, represent a different approach. Here, the violation of certain (in-)equalities, for example Bell inequalities [30], of these data then certifies the non-classicality of the physical process, and determines a lower bound on the min-entropy. This procedure has the advantage that one does not need a specific model of the QRNG, while only certain weaker assumptions on the preparation and/or the measurement devices have to be fulfilled.
Our approach is very much in the line of Ref. [21] but much more specific. In comparison to the latter paper, we discuss how much information an attacker can get, and how this information depends on the measured quantum state and the chosen measurements. This approach gives us the possibility to show how the attacker can gain information, and how the user of the QRNG can protect himself against it.
Another difference of our approach is that we use the mutual information as the quantity of interest instead of the min-entropy. However, our results could also be easily formulated in terms of the latter.

Outline
Our article is organized as follows: In Section 2, we consider the case of fixed projective measurement directions in both the system and the environment, and derive a general expression for the mutual information. We then focus in Section 3 on the case of a QRNG, where the user selects his measurement in such a way that the bit a is uniformly distributed, and obtain the maximal information any attacker can gain. Finally, in Section 4 we conclude by summarizing our results and providing a short outlook.
In order to keep our article self-contained while focused on the essential ideas we have included additional material and extensive calculations in three appendices. In Appendix A and Appendix B we evaluate explicitly the constraints on three parameters that fully define the mutual information. Moreover, we dedicate Appendix C to a detailed derivation of the maximal mutual information. Appendix D is devoted to extending the user's measurement strategy.

Mutual information for projective measurements
In this section we derive a general expression for the mutual information in our QRNG model for the case when only projective measurements are performed on both A and B. We discuss the dependence of the mutual information on the entanglement of the two qubit subsystems as well as on the measurement directions. The results provided in this section will serve as the foundation of our analysis of the worst case presented in Section 3.

States of system and subsystems
We start from the pure two-qubit state representing the state of the combined system of A and B by complex coefficients Ψ_ij, which can be interpreted as the elements of a 2 × 2 matrix Ψ. We quantify the entanglement between the two subsystems of the state |Ψ⟩ by the concurrence which can take values between zero, for |Ψ⟩ being a separable state, and one, when |Ψ⟩ is a maximally entangled state. When we trace out the subsystem B(A), we obtain the reduced density operator of the subsystem A(B), which can be written in the form Here, the vector a_{A(B)} denotes the Bloch vector of the reduced subsystem ρ̂_{A(B)}, and σ_{A(B)} is the vector of Pauli matrices. We note that for the two density operators ρ̂_A and ρ̂_B, which are derived from the same common pure state |Ψ⟩, the eigenvalues and thus the lengths of the respective Bloch vectors have to be the same [4], that is |a_A| = |a_B|. These lengths are furthermore related to the concurrence, (5), by Alternatively, we can relate these lengths to the purity of the density operator of the subsystem. From (8), we find the relation between the purity and the concurrence.

Projective measurements and probabilities
So far we have concentrated on the state of the combined system. We now analyze measurements on the subsystems.
For this purpose we assume that the user makes a projective measurement described by the projection operators while the attacker performs a projective measurement given by the operators with a = 0, 1 and b = 0, 1.
The probability W_{e_A}(a) to find the bit a given that the user measures in the direction e_A and the system is in the state |Ψ⟩ follows from the Born rule as Analogously, the probability W_{e_B}(b) to obtain b provided the attacker measures in the direction e_B takes the form By inserting (11) and (12) into (13) and (14) respectively, and exploiting (6) and (7), we find the marginal probabilities for the subsystem of the user, and for the subsystem of the attacker. The joint probability W_{e_A,e_B}(a, b) to find the values a and b, provided the measurements are in the directions e_A and e_B, is given by and with the definitions of the projection operators, (11) and (12), this probability takes the form where we have introduced the matrix accounting for the correlation between the two subsystems.

Bias and correlation
So far, we have defined the state and the measurement operators for our two-qubit model. We are now in the position to calculate the mutual information for a general pure two qubit state |Ψ⟩ and projective measurements in both subsystems.

Definitions
Inserting the probabilities, (15), (16) and (18), back into the definition of the mutual information, (1), we find where we have introduced the three parameters Here, α and β quantify the bias in the measurement outcome on the subsystem A and B, respectively, which can be seen by comparing the definition of these parameters with the marginal probabilities (15) and (16). Moreover, κ reflects the influence of the correlation between the two subsystems on the joint measurement. The three parameters are not independent of each other. The bias parameters α and β both depend on the density operators of their respective subsystem, which are in general not independent, since both derive from a common entangled pure state. The parameter κ also depends on this pure state, as well as on the measurement directions, which also enter in the bias parameters.
In the following we will derive a constraint on these three parameters. For this purpose, we first derive an explicit expression for K.

Constraints
A general state |Ψ⟩, given by (4), can always be written in the form due to the Schmidt decomposition [4], where we have introduced new basis sets {|↑⟩, |↓⟩} in both subsystems A and B. Note that in the state |↑⟩|↑⟩, in general the spins do not have to point into the same direction anymore.
In Appendix A, we derive the expression for the correlation matrix.
From the definition of the concurrence, (5), we obtain Together with (8) and the normalization condition λ_1 + λ_2 = 1, we arrive at and When we insert (25) and (26) into the correlation matrix, (19), we obtain Furthermore, by calculating the density matrices ρ̂_A and ρ̂_B with help of (6) and (22), and comparing the result with (7), we find a_{A(B)} = (0, 0, |a_A|), that is the Bloch vectors point along the z-axis of their respective subsystem.
We are now in the position to calculate the three parameters α, β and κ. From their definition, (21), we obtain for the correlation parameter, as well as and for the bias of the user and the attacker, respectively.
In Appendix B we prove that (28), (29) and (30) lead to the constraint For any fixed parameter α, that is for a fixed measurement direction of the user, the equality in (31) describes an ellipse in the κ-β-plane. All valid combinations of the parameters β and κ therefore have to lie inside or on the boundary of this ellipse.

Special cases
We conclude our discussion by considering the two extreme limits of the concurrence C: (i) a separable bipartite state, and (ii) a maximally entangled state.
For any separable state, that is C = 0, the constraint becomes which is only fulfilled for κ = αβ.
As a consequence, we find that the logarithm of (20) vanishes leading us to as one would expect.
In the other extreme, when the state |Ψ⟩ is maximally entangled, that is C = 1, the bias parameters vanish in both subsystems, that is α = β = 0, and the correlation is bounded by Inserting these values into (20), the mutual information takes the form which after performing the summation reads For κ = ±1, we get allowing the attacker to obtain complete information about the user's random bit, independent of the user's measurement choice. We emphasize that for a maximally entangled state the user cannot prevent the attacker from finding out his random bit.

Worst-case scenario
In the preceding section we have derived a general expression for the mutual information of a two-qubit system which depends on the concurrence and the measurements performed relatively to the reduced density matrices on both subsystems. We now discuss special measurement strategies of user and attacker and highlight the important role of entanglement in our scheme. Throughout this section we consider the worst case for the user, that is the attacker somehow knows the user's measurement directions, as well as the complete state |Ψ⟩.

User's choice of measurement direction
For a QRNG, a user would naturally maximize the entropy of the bits and therefore choose his measurements in such a way that he obtains uniformly distributed bits with According to (15) this requirement translates into condition for the user's measurement. Geometrically, this prescription means e_A ⊥ a_A, that is the measurement is perpendicular to the Bloch vector of ρ̂_A. There are infinitely many vectors e_A that fulfill this condition. Throughout this section, we consider this situation with a fixed e_A but generalize it slightly in Appendix D by allowing random measurements corresponding to two different e_A, which are both perpendicular to a_A.
When we substitute (38) into (20), we obtain the mutual information The parameters κ and β are not independent, but constrained by the equation corresponding to an ellipse with the semi-major and semi-minor axes coinciding with the κ and β axes, which follows directly from (31) for α = 0.

Maximum of mutual information
In order to guarantee the secrecy of his random bits, the user has to address the question: What is the maximal information following from (39) any attacker can obtain about the bit a for the given setting?

Exact expression
Since the mutual information is a convex function in the κβ-plane, its maximum has to lie on the boundary of the ellipse. In Figure 2 we show that the mutual information is maximized on the intersection of the ellipse given by the constraint, (40), and the κ-axis. These points lead to the two conditions
The condition on the attacker's bias, (41), means that the measurement direction of the attacker e_B is perpendicular to the Bloch vector a_B of his subsystem. Hence, the attacker will also obtain a uniform distribution of his bits. As for the user, there are infinitely many measurement directions which fulfill this condition.
The second condition, (42), together with (28), (29) and (38), poses the requirement e_{A,x} e_{B,x} − e_{A,y} e_{B,y} = ±1 (43) on the choice of the attacker's measurement, which restricts the attacker's measurement to two directions. He can either choose e_B = (e_{A,x}, −e_{A,y}, 0) or e_B = (−e_{A,x}, e_{A,y}, 0). As a result, by inserting (41) and (42) into (39), we find and after performing the summations the maximal mutual information an attacker can gain by performing a measurement on the environment reads This expression is the central result of our article. We note that we can also find this result analytically. This rather lengthy calculation is shown in detail in Appendix C.
It is interesting to note that a similar equation holds true if the user switches between different measurements. In Appendix D we discuss this scenario in detail.
Figure 3 shows the maximal mutual information, (45), in its dependence on both the concurrence and the purity. The more the two systems are entangled, that is the less pure the state of the user, the more information can be gained from one measurement result about the other.

Asymptotic expressions
If the complete state |Ψ⟩ is only weakly entangled, corresponding to C ≪ 1, we can perform a Taylor expansion of the logarithm to second order and thus approximate (45) by Hence, for small concurrences C the maximal mutual information only grows quadratically, and there is almost no mutual information. The additional information on the more probable bit is almost compensated by the reduced information about the less probable bit. Thus, for small concurrences C, the information an attacker can gain is almost negligible, providing a certain robustness of such a QRNG scheme against small entanglement between the QRNG's system and the environment.
From the viewpoint of the user, (47) means that the mutual information decreases linearly with the purity for P 1. Indeed, when we substitute the connection, (10), between P and C² into (47) we find On the other hand, for values of C 1 the mutual information grows rapidly with increasing C, since the positive term in (45) is weighted with a high probability, while the factor decreasing the mutual information is far less probable.
We finally remark that in our scheme the user needs to know the state ρ̂_A of his subsystem, which in general can be obtained by state tomography. The connection, (10), between the concurrence and the purity of the user's subsystem then allows the user to find an upper bound on the privacy of his data.

Binary entropy
We note that (45) enjoys an elementary interpretation, based on the binary entropy for a probability p. Indeed, (45) can be written as The first term on the right-hand side corresponds to the entropy of the user's random number without any correlation to another measurement result. This value is one, due to the fact that the user's bit is equally distributed.
The second term on the right-hand side, which subtracts from the user's entropy, is the conditional entropy of the user's bit, when the attacker's bit is known. This contribution corresponds to the entropy that remains, even when the attacker has made a measurement, and therefore reduces the information he can gain. Interestingly, this entropy corresponds to a binary entropy, with probabilities Hence, the concurrence C is a measure of the deviation from a uniform binary distribution. For a vanishing concurrence the user's bit is equally likely for any value of the attacker's bit, while with increasing concurrence the probability of having coincidental results between the user's and the attacker's outcome increases.

Privacy of the quantum random numbers and quantum state discrimination
We conclude our discussion of the worst-case scenario by taking a different point of view on the privacy of the random numbers generated by a QRNG. Indeed, the question of how much information an attacker can maximally gain can also be considered as a quantum state discrimination task [31,32,33]. By performing a measurement on the subsystem A, the state of the attacker in the subsystem B is a pure state, depending on the outcome a of the measurement performed on the subsystem A. The task of the attacker is to discriminate his two states.
When the two states are orthogonal, the attacker can always perform a measurement which allows him to discriminate between the two states with certainty. In general, however, the two states are not orthogonal and therefore there is no measurement that can decide unambiguously between the two cases.
It is well known that the maximal mutual information accessible in this case is bounded from above and below by the inequalities The upper bound is the well known Holevo bound [4] χ with ρ̂_{B|a} ≡ |ψ_a⟩_B⟨ψ_a| and the Shannon entropy where λ_k denote the eigenvalues of the density operator ρ̂. The lower bound for the maximal accessible information, proposed by Jozsa, Robb and Wootters [34], is given by with the subentropy We now consider the state discrimination task for our problem of the QRNG in the worst-case scenario. As a first step, we show that the states the attacker obtains are not orthogonal, as long as the combined state |Ψ⟩, defined in (4), is not maximally entangled.
For the measurement outcome a, the user finds the state with an arbitrary but fixed phase ϕ.
Therefore the state |ψ_a⟩_B in the subsystem B, conditioned on the measurement result a, reads where the probability W_{e_A}(a) = 1/2, given by (14), in the denominator ensures normalization.
We recall the state |Ψ⟩ in the Schmidt decomposition, (22), and find for the state in the subsystem B, conditioned that the user has measured the bit a.
For |a_A| > 0 the scalar product between the two states |ψ_0⟩_B and |ψ_1⟩_B, following from (59), does not vanish, and these two states are not orthogonal.
In the next step, we calculate the bounds given by (53) and (55). Since the entropy vanishes for a pure state, the Holevo bound is given by the Shannon entropy of the state ρ̂_B of the attacker S(ρ̂_B).
With the explicit formulas (25) and (26) for the eigenvalues λ_k and the definition of the Shannon entropy S(ρ̂), (54), we find for the Holevo bound. Since the subentropy also vanishes for pure states, the maximal accessible information is given by the subentropy Q(ρ̂_B) of the attacker's density matrix. By using the eigenvalues, (25) and (26), of this state, together with the definition of Q(ρ̂), (56), we obtain (62) for the maximal accessible information.
In Figure 4 we compare our result for the maximal mutual information, (45), with the Holevo bound, (61), and the minimal accessible information, (62). The result of our worst case considerations, (45), is thus between the two bounds as expected. However, our result is strictly lower than the Holevo bound except for the boundary values C = 0 and C = 1, and therefore an improvement for the user over just assuming the Holevo bound. This advantage originates from the fact that the Holevo bound depends only on the maximal information contained in the state ρ̂_B in the subsystem B, independent of the composition of this state, that is of the exact form of the states |ψ_0⟩_B and |ψ_1⟩_B. The Holevo bound is only tight if |ψ_0⟩_B and |ψ_1⟩_B are identical or orthogonal, which is only fulfilled if the pure state |Ψ⟩ of the combined system is either separable or maximally entangled. In all the cases in between the Holevo bound cannot be tight. Our result, (45), is exact, and therefore takes the measurement of the user and hence the exact form of |ψ_0⟩_B and |ψ_1⟩_B into account.
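The bound discussed above, as an added example that is not code from the article: it turns a tomography estimate of the user's state ρ̂_A into a concurrence, reports the attacker's maximal information next to the Holevo bound, and checks the value by brute force over attacker directions using only the Born rule. The closed forms in `concurrence_from_purity`, `i_max` and `holevo_bound` are the standard two-qubit expressions and are assumptions of this example, as are all function names and the constructed sample matrix.

```python
"""QRNG privacy estimate from the user's density matrix (added example, stdlib only)."""
import math
from itertools import product


def h2(p):
    """Binary entropy in bits, with h2(0) = h2(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def purity(rho):
    """P = Tr(rho^2) for a 2x2 density matrix given as nested lists."""
    return sum((rho[i][j] * rho[j][i]).real for i in range(2) for j in range(2))


def concurrence_from_purity(p):
    """Assumed relation P = 1 - C^2/2 for a qubit purified by a second qubit."""
    return math.sqrt(min(1.0, max(0.0, 2.0 * (1.0 - p))))


def i_max(c):
    """Assumed closed form: user's entropy (1 bit) minus the conditional entropy."""
    return 1.0 - h2((1.0 + c) / 2.0)


def holevo_bound(c):
    """Entropy of the attacker's state, eigenvalues (1 +- sqrt(1 - C^2)) / 2."""
    return h2((1.0 + math.sqrt(1.0 - c * c)) / 2.0)


def schmidt_state(c):
    """Coefficient matrix Psi_ij of sqrt(l1)|00> + sqrt(l2)|11> with concurrence c."""
    l1 = (1.0 + math.sqrt(1.0 - c * c)) / 2.0
    return [[math.sqrt(l1), 0.0], [0.0, math.sqrt(1.0 - l1)]]


def reduced_state_a(psi):
    """rho_A = Psi Psi^dagger, i.e. the partial trace over B."""
    return [[sum(psi[i][k] * complex(psi[j][k]).conjugate() for k in range(2))
             for j in range(2)] for i in range(2)]


def projector(e, bit):
    """(1 + (-1)^bit e.sigma) / 2 for a unit vector e = (x, y, z)."""
    s = 1 - 2 * bit
    x, y, z = e
    return [[(1 + s * z) / 2, s * (x - 1j * y) / 2],
            [s * (x + 1j * y) / 2, (1 - s * z) / 2]]


def joint_probabilities(psi, e_a, e_b):
    """Born rule: W[a][b] = <Psi| P_a (x) P_b |Psi>."""
    w = [[0.0, 0.0], [0.0, 0.0]]
    for a, b in product((0, 1), repeat=2):
        pa, pb = projector(e_a, a), projector(e_b, b)
        w[a][b] = sum(complex(psi[i][j]).conjugate() * pa[i][k] * pb[j][l] * psi[k][l]
                      for i, j, k, l in product(range(2), repeat=4)).real
    return w


def mutual_information(w):
    """Mutual information in bits between the user's bit a and the attacker's bit b."""
    wa = [w[a][0] + w[a][1] for a in (0, 1)]
    wb = [w[0][b] + w[1][b] for b in (0, 1)]
    return sum(w[a][b] * math.log2(w[a][b] / (wa[a] * wb[b]))
               for a, b in product((0, 1), repeat=2) if w[a][b] > 1e-15)


def scan_attacker(psi, e_a, n=24):
    """Largest mutual information over an n x n grid of attacker directions e_B."""
    best = 0.0
    for i in range(n + 1):
        theta = math.pi * i / n
        for j in range(n):
            phi = 2.0 * math.pi * j / n
            e_b = (math.sin(theta) * math.cos(phi),
                   math.sin(theta) * math.sin(phi), math.cos(theta))
            best = max(best, mutual_information(joint_probabilities(psi, e_a, e_b)))
    return best


if __name__ == "__main__":
    # Constructed tomography estimate of rho_A (not measured data).
    rho_a = [[0.5, 0.45], [0.45, 0.5]]
    c = concurrence_from_purity(purity(rho_a))
    print(f"purity P = {purity(rho_a):.4f}, concurrence C = {c:.4f}")
    print(f"attacker's maximal information : {i_max(c):.4f} bit per raw bit")
    print(f"Holevo bound                   : {holevo_bound(c):.4f} bit per raw bit")
    print(f"conditional entropy remaining  : {1.0 - i_max(c):.4f} bit per raw bit")
    # Brute-force check: user measures along x, perpendicular to the Bloch vector (z).
    print(f"grid search over e_B           : {scan_attacker(schmidt_state(c), (1.0, 0.0, 0.0)):.4f}")
```
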

Conclusions and Outlook
We are now in the position to summarize our results and provide a short outlook. Throughout this article we have discussed the privacy of random numbers created by a non-ideal QRNG represented by a single qubit system coupled to another qubit system that models the environment an attacker may have access to and which is due to the fact that the user cannot prepare a perfectly pure quantum state.
We have provided an upper bound, (45), on how much information the attacker can gain about the user's random bit. From this expression, we conclude that the limiting factor on this bound is the entanglement between the QRNG system and its environment, quantified by the concurrence. We emphasize that our upper bound holds without any further restrictions on the user's or attacker's measurement scheme.
Moreover, we have shown that our scheme can be interpreted in terms of quantum state discrimination. This point of view allows us to compare the result to the known bounds. Since our worst case analysis is exact, our result improves the well-known Holevo bound in this special case.
We emphasize that our results can directly be applied to different QRNG realizations. Furthermore, our analysis can be extended to generalized measurements, such as POVMs, and measurement strategies, which may lead to a further reduction of the maximal mutual information. This extension also allows us to include the effects of detector efficiencies into our existing model. With these modifications our model will constitute an elementary yet useful tool to estimate the maximal information the attacker can gain on the numbers created by QRNGs. We will also be able to extend our model to self-testing QRNG devices, by further including the state tomography directly into the measurement protocol. Finally we might improve existing lower bounds on the min-entropy. These topics, however, go beyond the scope of the present article and will be addressed in a future publication.
By introducing spherical coordinates in both subsystems A and B, that is the parameters of (B.1), (B.2) and (B.3) can be rewritten as by bringing the second term on the right hand side of (B.5) to the left hand side and squaring the resulting equation. Since we have cos x ≤ 1 for all x, we furthermore find which is equivalent to Solving (B.6) and (B.7) for cos θ_A and cos θ_B, respectively, and inserting these relations into (B.10) gives which can be rewritten as Note that for a fixed parameter α, this inequality describes the area enclosed by an ellipse in the κ-β-plane, where the shape and orientation of the ellipse are determined by α and the concurrence C.
we can simplify (C.4) and find According to the log sum inequality [20] we have Hence, we finally have proving the convexity of the mutual information.

Appendix C.2. Extrema
Due to the convexity of the mutual information, the maximum of the mutual information lies on the boundary of the ellipse. Hence, it is sufficient to restrict ourselves to the constraint κ C which is an equality instead of an inequality. We can parametrize the ellipse by an angle ϕ, such that we have We will now calculate the partial derivatives of the mutual information with respect to κ and β. For the derivative with respect to κ, we find This derivative has roots at β = 0 and κ = 0. Unfortunately, it is not obvious from an analytical point of view that those are the only two extrema. However, numerical simulations show that these are the only ones.
For κ = 0 it follows from (C.1), that the mutual information vanishes for every value of β.Since the mutual information cannot be negative, κ = 0 represents a minimum of the mutual information.

Appendix C.3. Maximum
We finally prove that β = 0 is indeed a maximum of the mutual entropy. In order to do so, we take a look at the second order derivative with equality if and only if C = 0. Thus, the extremum β = 0 corresponds to a maximum.

Figure 1. Model of a quantum random number generator based on two entangled qubit systems and viewed from the user a) and the attacker b). a) The user sees a mixed state ρ̂_A and makes a projective measurement yielding a random bit a. b) The attacker deals with the complete system A + B in which the mixed state ρ̂_A is purified to |Ψ⟩. The user still performs a measurement on ρ̂_A to obtain the bit a, while the attacker carries out a measurement on ρ̂_B to receive a bit b. The question is: How much information about a can the attacker obtain from his result b?

Figure 2. Geometric determination of the absolute maximum of the mutual information I according to (39) under the constraint (40). a) The mutual information (top) is shown in its dependence on the correlation κ of the two systems and the bias β in the measurement of the attacker. The ellipses in the κ-β-plane (bottom) enclose all the possible combinations of κ and β that can be achieved by any measurement direction e_B of the attacker. The eccentricities of these ellipses are determined solely by the concurrence C quantifying the degree of entanglement between the qubits of the user and the attacker. The green, black and red ellipses correspond to C = 0.3, C = 0.7 and C = 0.9, respectively. Due to the shape of the mutual information, its maximal value is found on the intersection between the ellipse and the κ-axis, independent of the concurrence. For increasing concurrences C the mutual information at this intersection increases. Thus, the maximal mutual information increases with increasing concurrence. b) Mutual information along the ellipses parameterized by an angle ϕ and corresponding to the same values of the concurrences C as in a). The angle ϕ is chosen such that ϕ = 0 corresponds to the intersection between the ellipse and the positive κ-axis. For symmetry reasons, we only parameterize the ellipse from ϕ = 0 to ϕ = π. The mutual information is maximal for the attacker choosing his measurement for the parameter ϕ = 0 or ϕ = π, that is at the intersections of the ellipse with the κ-axis, independent of the concurrence C.

Figure 3. Worst-case scenario for the user who chooses a measurement such that he obtains uniformly distributed bits. The attacker selects his measurements as to maximize the mutual information. The corresponding mutual information I_max increases for increasing values of the concurrence C (horizontal axis on the bottom) and decreases with increasing purity P of the state ρ̂_A of the user (horizontal axis on the top). Close to a pure state, that is P = 1, the decrease is linear.

Figure 4. Comparison between the maximal mutual information I_max, (45), the Holevo bound χ_H, (61), and the lower bound χ_JRW for the maximal mutual information accessible, (62). The maximal mutual information for a projective measurement lies between the Holevo bound and the lower bound for the maximal mutual information for all values of the concurrence except as one would expect. Except for the boundaries C = 0 and C = 1 the mutual information is strictly lower than the Holevo bound.

√(1 − C²) sin ϕ. (C.16) Inserting these two equations back into (C.1), the mutual information becomes a function only dependent on a single parameter ϕ. In order to maximize this function, we calculate the derivative with respect to ϕ: