Receiver-Device-Independent Quantum Key Distribution Protocols

We discuss quantum key distribution protocols and their security analysis, considering a receiver-device-independent (RDI) model. The sender's (Alice's) device is partially characterized, in the sense that we assume bounds on the overlaps of the prepared quantum states. The receiver's (Bob's) device requires no characterisation and can be represented as a black-box. Our protocols are therefore robust to any attack on Bob, such as blinding attacks. In particular, we show that a secret key can be established even when the quantum channel has arbitrarily low transmission by considering RDI protocols exploiting sufficiently many states. Finally, we discuss how the hypothesis of bounded overlaps can be naturally applied to practical devices.


I. INTRODUCTION
Quantum key distribution (QKD) [1,2] allows two users to establish a secret key via a quantum channel and an authenticated but public classical channel. QKD, together with the one time pad method, provides a secure method of communication with information-theoretical security [3]. Indeed, unlike classical schemes, the security of QKD protocols is physical: it only relies on some knowledge about the functioning of the devices controlled by the communicating parties and the general laws of quantum mechanics. Nevertheless, different approaches require different levels of detail in how the devices are modeled [4][5][6][7]. The "standard" approach presumes a full description of different elements in the setup. Such QKD systems are available commercially and can reach high rates over long distances.
However, relying on a detailed quantum model for characterizing the devices may open backdoors that quantum hackers can exploit. Indeed a mathematical model always represents (at best) an idealization of a practical device. For example, the well-known "blinding attacks" exploit the fact that standard models for describing photon detectors typically fail when the intensity of the incoming light falls outside their working range [8,9]. When a fair-sampling type assumption is used on top of this, the door is open to attacks where an eavesdropper Eve obtains full information about the key, without introducing any detectable level of errors (fair sampling assumes that the occurrence of no-detection events is independent of the choice of the measurement setting [10][11][12]).
This motivates the investigation of the stronger, device-independent (DI) approach. Here, devices are viewed as classically controlled black boxes, and the security of QKD protocols can be demonstrated [13][14][15][16] assuming only that (i) the devices can be described accurately within quantum mechanics, and (ii) no information about the secret key leaks out of the laboratories of Alice and Bob (the two communicating parties). While this approach represents, in principle, the perfect solution to counter any hacking attack, its practical implementa-tion is highly challenging, requiring the distribution of high-quality entanglement and notably high detection efficiencies (the best current protocol demands 68.5% [17]). First proof-of-principle experiments have recently been reported [17][18][19], but any practical implementation of DI QKD is arguably still far out of reach.
Beyond the standard (device-dependent) approach and the DI one, there exists a broad range of models that can be considered, where some of the devices are fully (or partially) characterized, while others are treated as black boxes. The most well-known is arguably the measurement-DI (MDI) approach [20,21], which has been extensively studied and realized experimentally achieving record distances (see, e.g., [22][23][24][25]).
In parallel, another approach has been investigated, considering an asymmetric scenario where one of the end parties is trusted, while the other one is fully untrusted. Referred to as "one-sided DI", this model was first proposed in Ref. [26]. Establishing a connection to quantum steering, Ref. [27] then investigated the practical limitations of such a protocol, in particular the resilience to noise and losses. Unfortunately, an implementation turns out to be challenging, as the requirements in terms of detection efficiencies (> 65.9%) are only slightly relaxed compared to the full DI model. Other works [28,29], following up on Ref. [26], discussed the implementation in a prepare-and-measure scenario. While considering the effect of noise and finite-size data, these works do however not take into account the effect of losses. Instead, a fair-sampling type assumption is made, which opens the door to blinding attacks, as in standard protocols; see, e.g., [30]. Hence these results cannot be applied to a practical QKD setup (where losses are unavoidable) without sacrificing the one-sided DI security. Finally, another approach, termed semi-DI [31][32][33], considered a prepareand-measure scenario assuming an upper bound on the dimension of the prepared quantum systems. Again, these protocols are unpractical, requiring detection efficiencies comparable to the full DI model [34].
In this work we present QKD protocols that achieve one-sided DI security and that are amenable to a practical prepare-and-measure implementation. We refer to arXiv:2111.04351v2 [quant-ph] 8 Jul 2022 these protocols as being "receiver-device-independent" (RDI). A specific example of such a protocol was recently presented, along with an experimental realisation, in the companion paper [35]. Here, we present a more general class of RDI-QKD protocols and provide a detailed theoretical analysis, investigating the possibilities and limits of QKD in RDI scenarios.
We thereby consider a prepare-and-measure scenario, where the sender (Alice) uses a partially characterized device, while the receiver (Bob) uses an untrusted device. The protocol being black-box on Bob's side, it is therefore inherently secure against attacks on the receiver, notably blinding attacks [8,9]. On Alice's side, the characterisation we require consists in providing bounds on the (complex) overlaps of the prepared states (given formally by a Gram matrix). We moreover discuss how this hypothesis can be naturally applied to practical devices.
In practice, the RDI scenario can be quite naturally motivated. Consider for instance a large company communicating with an end-user. The latter has essentially no means to test their cryptographic device, which is therefore conveniently treated as a black-box. On the other hand, the company has access to advanced technology and technical expertise, and can therefore regularly test and characterize their cryptographic device. We note that the MDI approach is not applicable to this scenario, as both Alice and Bob require a trusted device (while trust is then relaxed on an intermediate relay station).
The paper is organized as follows. In Section II we present the scenario of RDI QKD and discuss the key assumptions that are made, before outlining the RDI-QKD themselves in Section III. In Section IV we present a detailed security analysis. In the noiseless case we present an analytical security proof, showing that our protocols can achieve the maximal distance possible in an RDI scenario. Specifically, we show that it is possible to obtain a positive key rate for any transmission η > 1/n, where n denotes the states prepared by Alice, and corresponds also to the number of measurements performed by Bob. Our protocols can therefore accomodate any amount of losses in principle (by considering sufficiently many states), and are optimal in terms of robustness to losses, as no secret key can be obtained when η ≤ 1/n [30]. When noise is present, the security analysis relies on semidefinite programming, for which we adapt the method introduced in Ref. [36], providing lower bounds on the key rate. Then, in Section V, we discuss the practical relevance of our RDI approach, in particular how bounds on the overlaps (Gram matrix) can be estimated and justified in practice. Finally, in Section VI we discuss how our protocol compares to other QKD protocols and scenarios.

II. SCENARIO
We consider a prepare-and-measure scenario as shown in Fig. 1. Alice sends, over a public quantum channel, one state out of a set of n states {|ψ x } n−1 x=0 . Bob chooses among n measurements labelled by y = 0, . . . , n − 1. All measurements have binary outputs b = 0, 1. After many rounds, Alice and Bob can estimate the probability distribution p(b|x, y). Bob's measurement device is completely uncharacterized and can be seen as a black box with an input y and an output b. The black box feature is a requirement if we aim to design a protocol robust to attacks where Eve controls Bob's device. The key assumption we make on the setup is about Alice's preparations. Namely, we assume that all inner-products γ ij = ψ i |ψ j are bounded. These assumptions do not fix the total dimension of the Hilbert space and only partially characterize Alice's device.
The assumption that Alice prepares pure states with known inner-products γ ij simplifies the presentation and analysis of the protocol, but is evidently impossible to fulfil exactly in practice. In Sec. V we revisit this assumption on Alice's preparation device and show how the presence of noise, unavoidable in experiments, can also be analyzed within our framework in several ways. In particular, we show that the general situation where the preparation device is subject to fluctuating noise, which remains within a certain parameter window, can be analyzed by taking inequality constraints on (the real and imaginary parts of) the values γ ij .
Besides the assumption on Alice's preparation device, specific to our protocol, we also make the standard QKD assumptions, also made in the DI scenario: (i) Alice's input x and Bob's measurement setting y are completely uncorrelated from Eve; (ii) Eve only has access to the classical and quantum communication specified by the protocol, she cannot gather any additional information about x and y; (iii) We assume the validity of quantum physics. In the following, Eve is restricted to collective attacks. She interacts with each round independently and can store her system in a quantum memory.
As we will see, a lower bound on the raw secret key rate, can be computed solely from the observed statistics p(b|x, y), given that the setup satisfies the assumptions detailed above. For some ideal cases (no noise), we derive analytical bounds. More generally, e.g. in the presence of noise, we obtain bounds via semi-definite programming (SDP) adapting the methods introduced in Ref. [36].

III. PROTOCOLS
In this section we describe the general structure of the RDI-QKD protocols we consider and give a family of concrete examples.

A. General structure
We begin by presenting the general structure of our RDI-QKD protocols.
Consider a given ensemble of states {|ψ x } n−1 x=0 that Alice is able to prepare and binary measurements {B 0|y , B 1|y } n−1 y=0 that Bob can perform. We can now define protocols with a general structure as follows, where the steps 1 and 2 are repeated sufficiently many times in order to guarantee a final key of desired length.

RDI-protocol
Steps to generate a secret key between Alice and Bob.
Alice and Bob share an authenticated classical channel as well as a quantum channel. Steps 1 and 2 are repeated sufficiently many times, before proceeding to steps 3 and 4.

1.
Raw key generation 1: Alice randomly chooses a pair of integers r = (r0, r1) with 0 ≤ r0 < r1 ≤ n − 1 and a bit k = 0, 1. According to her choice she sends the state |ψx=r k over the quantum channel to Bob. 2: Bob randomly chooses an integer y with 0 ≤ y ≤ n − 1 and performs the binary measurement {B 0|y , B 1|y } on the state received from Alice.

Sifting
Alice and Bob use the classical channel to communicate. Bob tells Alice to discard the round. Bob asks Alice to reveal r.

5:
Alice reveals r. 6: if y = r0 or y = r1 then 7: Bob tells Alice the round is conclusive. Bob tells Alice to discard the round.

Error correction and privacy amplification
This structure defines a broad class of protocols specified by the choices of n, the states {|ψ x } n−1 x=0 , and the measurements {B 0|y , B 1|y } n−1 y=0 . In general, the idea is to choose states and measurements such that, in Step 2.7, Bob can readily infer from the observed outcome b what the key bit k of Alice is. Below we will describe in more detail some specific examples, which will clarify the principles behind the RDI protocols we describe.
Here, we are not going to describe the classical steps 3 and 4 in detail, as under the assumption of collective attacks these steps can be performed with standard techniques. In step 3 Alice and Bob reveal their registers for a subset of rounds chosen at random, allowing them to estimate the probability p(b|x, y). In step 4, Alice and Bob perform standard one-way error correction followed by privacy amplification protocols, enabling them to extract the final secret key from the raw key available after step 2. Detail of such protocols can be found in the reviews of Refs. [4,7]. For the security analysis presented in the next section we thus focus on the raw key, under the assumption of collective attacks and a known probability distribution p(b|x, y). The security analysis under coherent attacks is left for future work.

B. Ideal qubit protocol
We describe a class of protocols based on qubit states and measurements. As we will see later, these protocols can be considered ideal in the sense of being optimal from the point of view of robustness to loss. At this point, however, we present the protocol in the case of no loss and no noise.
Alice prepares states from a set of n single-qubit states for some given θ. Following the general protocol outlined above, to encode the raw key bit Alice chooses a pair of integers r = (r 0 , r 1 ) with 0 ≤ r 0 < r 1 ≤ n − 1, among n 2 possible pairs. For a key bit k, Alice sets x = r k . Note that every state x can encode the bit value 0 or 1. Alice sends |ψ x=r k via the quantum channel to Bob. Bob has y = 0, . . . , n−1 measurements and each measurement has a binary output b = 0, 1. The output b = 1 corresponds to a projection onto |ψ y while b = 0 corresponds to the projection on the orthogonal subspace 1 − |ψ y ψ y |. If Bob observes b = 0, he can with certainty exclude the state x = y. We refer to the rounds where b = 0 as conclusive rounds. If the round is conclusive, Bob asks Alice to reveal r. If y = r 0 or y = r 1 , Bob is able to infer the raw key bit and announces to Alice that the round is successful; otherwise he tells Alice to discard the round. The security analysis of this protocol in the presence of noise and loss, is described below in Section IV B. Moreover, in Section IV C we show that this protocol is optimal within RDI-QKD protocols in the sense that it yields a positive key rate for any η > 1 n , arbitrarily close to the threshold of 1/n beyond which no secret key can be established [30].

C. Towards practical protocols
While the above ideal qubit protocol is useful to test the limits of model, the RDI approach can also be used quite naturally, and give good protocols, in more realistic setups.
Firstly, the requirement that Alice prepares pure states is not necessary. Indeed, the case of mixed states can naturally be encompassed by considering purifications of the states Alice prepares. We discuss how to take into account the overlap assumption on Alice's device in this case in Section V A.
Secondly, the qubit protocol described above can be adapted quite naturally to an optical setup, where a dimension bound on the states Alice prepares is unrealistic. This is because only the overlaps of the prepared states is required (their Gram matrix), but not their Hilbert space dimension. One can therefore consider a protocol where polarized coherent states of light are prepared, as reported recently in the companion paper [35]. Therein a proof-of-principle implementation of such a protocol was reported, achieving finite-size key over a 4.8km optical fiber.

IV. SECURITY ANALYSIS
Eve's information about the secret bit k is bounded by assuming that the Gram matrix G of the set of encoding states is fully characterized and that the probabilities p(b|x, y) are perfectly estimated by Alice and Bob. The Gram matrix G is a Hermitian matrix whose entries are given by We do not bound the dimension of the Hilbert space associated to the system sent by Alice. However, under the assumption that Alice prepares pure states the rank of the Gram matrix equals the dimension of the subspace spanned by these states. Recall that this assumption is not indispensable for our analysis, and will be relaxed in Sec. V. Furthermore, no characterization of the exact encoding, transmission channel nor measurement device is needed. Eve can correlate herself to the states prepared by Alice, she can design Bob's measurement device by the means of an ancilla and a unitary operation, and she can use a quantum memory to keep her ancilla until the end of the classical post-processing (cf. Fig. 1). In fact, she can keep her ancilla until any later time and wait until the reconciliation between Alice and Bob is over in order to perform a measurement allowing her to extract as much information as possible about the secret bit k.
The asymptotic key rate (per round) is lower bounded by [37] [H(k|Eve, succ) − H(k|Bob, succ)] p(succ), where H(k|Eve(Bob), succ) is the entropy of k conditional on Eve(Bob) and the fact that a round is not discarded, and p(succ) is the probability that a round is not discarded. Bob's entropy can be upper-bounded as H(k|Bob, succ) ≤ h 2 (QBER), where h 2 (·) is the binary entropy and QBER is the quantum bit error rate. Eve's conditional entropy can be lower-bounded by the conditional min entropy which is in a one-to-one relation with the maximal probability p g (e = k|succ) that Eve guesses the bit k correctly [38] if the round was not discarded. Combing the two arguments, we can lower bound the key rate by the quantity The QBER and p(succ) are extracted from the observed statistics p(b|x, y) while the guessing probability p g (e = x|succ) needs to be upper bounded in order to give a lower bound on R. Note that p(succ) > 0: if p(succ) = 0 there is no raw key generation and hence nothing for Eve to guess. The guessing probability is given by where M b|y are Bob's measurement operators with b = 0, 1 and y = 0, . . . , n − 1, and E k|r are Eve's measurement operators with k = 0, 1 and r = 0, . . . , n 2 − 1.
p R (r), p Y (y) and p K (k) are the probabilities of choosing the inputs r, y and k. Hence, r p R (r) = k p K (k) = y p Y (y) = 1, p K (k) ≥ 0 ∀k, p Y (y) ≥ 0 ∀y and p R (r) ≥ 0 ∀r. Here we will always we take the input probabilities to be uniformly random over all inputs. As already mentioned, the dimension of the problem is not bounded, so without loss of generality we can, using Naimark's dilation theorem, assume that Bob's and Eve's measurements are projectors satisfying the following properties: The last property comes from the fact that Bob and Eve act on two different Hilbert spaces. Note that we do not perform any fair-sampling type assumption on Bob's measurement. The cases were no clicks are recorded at Bob will be included in one of the outputs b; see Section IV.B.

A. Semidefinite programming approach
Since p(succ) is extracted from the observed statistics, to upper bound p g (e = k|succ) we need just to upper bound p(e = k, succ). To do this, we will use the method presented in [36]. In particular, we use the approach described therein which provides a semidefinite programming (SDP) hierarchy giving increasingly tight outer approximations of the set of quantum correlations in discrete prepare-and-measure scenarios compatible with a given Gram matrix. The hierarchy is known to converge to the actual set of quantum correlations, whereas for a fixed level it provides a tractable method of bounding the guessing probability over correlations compatible with the observed statistics. This problem would, without the hierarchy, be computationally intractable since no bound on the Hilbert space dimension is assumed.
Let {S i } s−1 i=0 be a set of measurement operators and define the moment matrix Γ of size ns × ns as where {|ê x } n−1 x=0 is an orthonormal basis of R n and we recall that n is the number of states prepared by Alice. The sub-blocks Γ xx are defined as where { |ê i } s−1 i=0 is an orthonormal basis of R s . It is easily shown that the moment matrix Γ is positive semidefinite.
The elements of the set {S i } s−1 i=0 are monomials of the operators B b|y and E e|µ . This set of operators can be chosen arbitrarily but the aim is to have as many linearly independent operators as possible in the moment matrix. By taking all monomials of measurement operators up to a given order, we can define different levels of the hierarchy. The first two levels are given, e.g., by the two following sets of operators: and the levels S n for n > 2 can likewise be defined inductively. Ref. [36] proved that as n goes to infinity (i.e., in the infinite level limit), the hierarchy converges to the set of quantum correlations. For the sake of clarity, we define Γ ST xx := ψ x | S † T |ψ x with S, T ∈ S and x, x = 0, ..., n − 1. The SDP upper bounding p(e = x, succ) is given by The overlap constraint between the set of states is enforced by Eq. (10b). Eq. (10c) enforces the moment matrix Γ to be compatible with the observed correlations p(b|x, y). In Eq. (10d) F k are hermitian matrices and f k complex coefficients which are defined in order to encode the constraints on Bob's and Eve's operators given by Eq. (6), as well as the constraints between elements of Γ xx implied by the fact that Γ ST xx = Γ S T xx whenever S † T = S † T (cf. Prop. 4 of Ref. [39]).

B. Security analysis of the ideal qubit protocol
Here, we will analyze the security of the idealized qubit protocol presented in Section III B, including in the presence of loss and noise. We will model noise by the means of a depolarizing channel with parameter λ ∈ [0, 1], which replaces the transmitted state with a maximally mixed state with probability λ [40]. Loss is modeled by a binary erasure channel [40] with erasure probability (1−η), η ∈ [0, 1]. Such a model of loss assumes that loss is orthogonal with respect to the encoding, which is typically the case if one considers, e.g., the polarization of photons for the encoding of the secret bit.
The Gram matrix G corresponding to the set of states (1) prepared by Alice is given by FIG. 2. Raw key rate for our RDI-QKD protocol. The graph shows the lower bound on the raw key rate R as a function of the transmission for different number of states and QBER's. For n states, the noiseless protocol has a positive key rate down to η = 1/n, which is the minimal transmission for which this is possible in any prepare-and-measure scenario. The protocol is also tolerant to noise in state preparation.
with i, j = 1, ..., n. The probability distribution is then given by Given the Gram matrix G of (11) and the observed probability distribution one can upper bound the secret key rate as shown previously. Figure 2 shows the raw key rate as a function of the transmission η for different QBER's and values of n. For each η we numerically optimized over θ to obtain the optimal R. We notice that the lower-bound on the key rate goes asymptotically to zero as η → 1/n. This is optimal because at η = 1/n, Eve can break the security by intercepting the states sent by Alice and forcing Bob's detector according to her outcome and Bob's input (see Section IV C). Therefore, for any prepare-and-measure protocol, the key rate is null for η ≤ 1/n. Interestingly, B92 [41] is a special case of the proposed protocol with n = 2 and a fixed θ = π 4 . Under the same assumptions, our protocol outperforms B92 with respect to the transmission and the noise tolerance, see Fig. 3. Also, BB84 [42] under the same assumptions is outrun by our protocol with 3 states.

C. Analytical bounds
In this section we prove analytically that, if Alice prepares sufficiently many states, the protocol can in prin- ciple tolerate arbitrary small transmission η. First, with an explicit attack from Eve we lower bound the transmission η required to have R > 0. (Proposition 1). Secondly, we show that this bound is tight as long as G is chosen to obey an additional natural condition (Proposition 2). That is, for any transmission η exceeding the threshold, Eve is unable to guess the secret bit with certainty in all rounds, giving rise to a positive key rate.
Transmission loss in the line (scaling with distance) and finite detection efficiency are the bottlenecks in most QKD protocols. Both effects give rise to a loss channel and contribute to the total transmission η. In this section we assume that this loss is the only imperfection in the setup. This captures the main limiting factor of real QKD setups and allows us to derive relatively simple analytical bounds. We assume that loss is orthogonal with respect to the secret bit encoding, such that with probability η the system sent by Alice is lost and Bob observes a third outcome (e.g., a no-click event b = ∅). Bob then attributes it the value b = 1, such that the rounds where the system sent by Alice is lost are rejected in the protocol.
In this case any protocol with a Gram matrix G ij = ψ i |ψ j with i, j = 0, . . . , n − 1 and the honest measurements B 1|y = |ψ y ψ y | with B 0|y = 1 − B 1|y leads to measurement probabilities with x, y = 0, . . . , n − 1. One notes that with such probabilities p(0|x = y) = 0: Bob's bits are perfectly correlated to Alice's after the sifting, i.e. h 2 (QBER) = 0. For the following, we define λ min (G) as the minimal non-zero eigenvalue of the Gram matrix G. Proposition 1. Given a Gram matrix G ∈ C n×n and measurement probabilities of Eq. (13), a necessary condition for R > 0 is that η > 1 n−λmin(G) .
Proof. Let us assume that with probability q Eve intercepts the state sent by Alice and makes an unambiguous state exclusion measurement M i = µ(1 − |ψ i ψ i |) with i = 0, . . . , n − 1, µ ∈ [0, 1] and M n = 1 − n−1 i=0 M i . If Eve obtains an outcome i < n, she can exclude with certainty the state |ψ i , whereas if she gets the outcome n she cannot conclude anything. In order to have as many conclusive outcomes as possible Eve maximizes µ under the constraint M n ≥ 0: The first constraint in Eq. (14) is satisfied if the eigenvalues of n−1 i=0 |ψ i ψ i | are all larger than (nµ−1) µ . But the eigenvalues of i |ψ i ψ i | coincide with the nonzero eigenvalues of the Gram matrix G. Hence, the above maximization is satisfied if (nµ−1) µ ≤ λ min (G). This leads to an optimal µ * = 1 n−λmin(G) and p(i|x) = µ * (1−|G xi | 2 ). The result i of Eve's measurement is then sent to Bob's detector which only outputs b = 0 if y = i, i.e. p(b = 0|y, i) = δ y,i . The resulting probability observed by Bob is With probability (1 − q) Eve does not intercept the message, and Bob's detector is instructed to perform the ideal measurement p(b = 0|x, y) = (1 − |G xy | 2 ). Eve wants to remain undetected and hence needs to reproduce the expected statistics of Eq. (13). Her attack must thus satisfy the equality for all x, y. This implies that Eve can not intercept the message more often than in a fraction q = 1−η 1−µ * of rounds. In particular, if q = 1−η 1−µ * ≥ 1 or η ≤ 1 n−λmin(G) she can intercept the message in every round resulting in p(y = i|succ) = p g (e = k|succ) = 1 and R = 0.
More generally, this attack gives a lower bound on Eve's guessing probability as p g (e = k|succ) ≥ q + (1 − q) 1 2 with equality if p g (e = k|succ) = 1 2 for the honest implementation at η = 1.
For the considered family of protocols the proposed attack allows Eve to guess the secret bit k of Alice perfectly whenever one has η ≤ 1 n−λmin(G) . The converse question is whether, for any transmission exceeding this value, there exists a protocol (with a given n and λ min (G)) yielding a strictly positive key rate. We will now show that this is indeed the case by considering a qubit protocol with rank(G) = 2, as discussed in Sec. III B.
Proof. Since in our case h 2 (QBER) = 0, from Eq. (4) one sees that the condition R > 0 is equivalent to p g (e = k|succ) < 1, that is Eve can not always guess the secret bit with certainty. Thus, we want to prove p g (e = k|succ) < 1. To do so we will proceed by assuming p g (e = k|succ) = 1 and reach a contradiction.
To start, it is convenient to replace our prepare-andmeasure scenario by an equivalent entanglement-based scenario. Alice prepares an entangled state sends out A and measures A in the computational basis {|x x|} n−1 k=0 to obtain x. Since the states {|ψ x } x span a 2-dimensional space, by the Schmidt theorem the state |Φ AA ∈ C 2 ⊗ C 2 is a two qubit state.
Without loss of generality an attack performed by Eve starts with an isometry U mapping A onto systems B and E of arbitrary dimension In addition Eve chooses a set of binary measurements {B 0|y , B 1|y } acting on B. The combinations of the isometry and the measurements on B define the measurements on the system A via Furthermore these measurements are constrained to satisfy ψ x | M b|y |ψ x = p(b|x, y) by the probabilities observed by Alice and Bob in Eq. (13). From ψ y | M 0|y |ψ y = 0, one concludes that M 0|y ∝ 1 − |ψ x ψ x |.
Any of the remaining probabilities ψ x =y | M 0|y |ψ x =y implies This form of M 0|y is very restrictive for Eve. In particular, it projects |Φ AA into a product state with p(b = 0|y) = 1 n x p(b = 0|x, y). This identity can be put in the form (23) From here we can define the marginal state of Alice and Eve conditional to Bob measuring y and obtaining 0 ρ (0|y) Remarkably, Eve's state is no longer influenced by any manipulations done by Alice, and in particular by her measurement result x. That is, conditionally on y Eve's state is independent of x. This means that after the sifting Eve can only guess x perfectly (p g (e = k|succ) = 1), if she can guess y perfectly. Formally, ≥ 0. (28) By recursion we obtain the bound on the average probability of the b = 0 outcome. With the help of Eq. (13) this bound can be written as This bound is, however, worse that the one in the statement of the theorem. Let us now show how to match the two. For this we consider a thought experiment where Alice prepares some pure state As M 0|y = η ψ ⊥ y ψ ⊥ y is proportional to projector on a state, one has, analogously to Eqs. (22)-(23), with the same state Ψ (0|y) BE . Hence the marginal state ρ (0|y) E are also the same, and satisfy We can now repeat the arguments of Eqs. (28)- (29) to obtain the bound y p(0|y) ≤ 1, valid for the sum of probabilities coming from any state ρ A . Choosing the state which maximizes the bound max ρ A tr ρ A ( y M 0|y ) = y M 0|y , one obtains where we used the fact that G and y |ψ y ψ y | have the same eigenvalues. Hence, having p g (e = k|succ) = 1 and η > 1 n−λmin(G) is impossible, which concludes the proof.
Propositions 1 and 2 imply that, for any transmission η, there exists a RDI-QKD protocol involving n > 1 η different measurements performed by Bob which yields a positive key rate. In particular, as follows from the proof of Propostion 2, this is achieved by the ideal qubit protocol of Sec. III B by choosing λ min (G) < n − 1 η . Conversely, in the RDI setting where Bob can do n different measurements labeled by the settings y, Eve can always perform a "blinding" attack and obtain a perfect copy of Bob's registers. To do so she performs one of the possible measurements y at random, records the outcome e, and sends a copy of e and y to Bob's detector. When Bob performs his measurement with a setting y, the detector reveals b = e if y = y and pretends that the system was lost b = ∅ otherwise. Since p(y = y|y) = 1/n, for η < 1 n Eve is left with a perfect copy of Bob's registers (b, y) whenever the detection is successful b = ∅. D. Importance of the choice of the Gram matrix As we saw in the previous section, if one chooses the n states {|ψ x } x well then one can obtain R > 0, and thus a positive key rate, whenever η > 1/n. In this section, we show that it is indeed important to choose the Gram matrix constraining the preparations with some care. In particular, we show that for a seemingly natural choice of Gram matrix the critical transmission, below which no key can be obtained, is significantly worse: Alice and Bob will not be able to provide a nontrivial lower bound on the key rate if there is more than 50% loss, i.e. if η > 1/2.
We assume thus that Alice prepares a set of n quantum states compatible with the Gram matrix G xx = ψ x |ψ x = d with d ∈ (0, 1) for all x = x and that the observed statistics are given by Eq. (13). Since rank(G) = n, the states she prepares are necessarily linearly independent. As a result, there exists an unambiguous state discrimination (USD) measurement [43]. Because of the symmetry, we consider an equiprobable USD and the probability of a conclusive discrimination is given by the smallest eigenvalue of the Gram matrix which is in our case equal to 1 − d [44].
We assume that Eve performs an intercept-resend attack such that with a probability 0 ≤ q ≤ 1 she performs USD and forces Bob's detection, and with a probability 1 − q she leaves the state untouched and guesses at random. Given that x = y, if Eve attacks the USD is conclusive with a probability 1 − d and if she does not intercept the state Bob gets b = 0 with a probability η(1 − d 2 ). Eve wants her attack to remain unnoticed and this fixes the probability q of intercepting the state to The probability that Eve successfully guesses the secret bit is then given by Eve thus has entire knowledge of the secret bit string, i.e., p g (e = k|succ) = 1, for η = 1 1+d > 1 2 . Hence, considering identical real overlaps prevents Alice and Bob from obtaining a positive key rate for more than 50% loss.

V. BRIDGING THE GAP BETWEEN THE PROTOCOLS AND PRACTICAL IMPLEMENTATIONS
Our receiver-device independent setting assumes the characterization of Alice's state preparation device, given by the Gram matrix Alice G.
When Alice prepares pure states, as we have assumed so far, the Gram matrix gives an exhaustive description of the state preparation for our purpose. That is, in the considered RDI setting, additional information on the states does not help restricting Eve further. In particular, any common unitary transformation or isometry on the states can be cancelled by Eve and does not affect the attacks she can perform. In practice the pure state assumption is always an idealization. Here, we discuss how a more realistic model of Alice's setup can be analysed with our protocols.

A. Mixed state models
Here we consider the setting where Alice's preparation device sends out a mixed state ρ x for each possible value of x. That is the preparation box is modeled by a set of mixed states An ensemble of mixed states of a system A can be jointly purified onto a larger system A ⊗ A aux to obtain a set of pure states {|ψ x } n−1 x=0 with |ψ x ∈ H A ⊗ H Aaux and ρ x = tr Aaux |ψ x ψ x | ∀ x.
Because the system A aux remains inside Alice's lab by assumption, any security guarantee obtained for a Gram matrix G {|ψx } induced by the set of pure states {|ψ x } n−1 x=0 is valid for the original mixed states. In this case one is interested in finding the best-case purification maximizing the key rate. This gives a straightforward way to apply our protocols to noisy preparation devices modeled by Eq. (38). The resulting bounds are not necessarily tight, because in the analysis the purifying system A aux is given to the eavesdropper, but are secure.
An interesting open question is whether there exists a compressed representation of the mixed state ensemble {ρ x } n−1 x=0 , analogous to the Gram matrix, that specifies all the relations between the states useful for our purpose. Notably, in the case of two states the fidelity between them F (ρ 0 , ρ 1 ) precisely corresponds to the maximal fidelity between their purifications (see e.g. [45]). However, for larger ensembles the knowledge of pairwise fidelities is known to be insufficient to characterize the joint purification [46]. As a simple example note that even in the case of three pure states the pairwise fidelities disregard the complex phases of the Gram matrix entries, which can be crucial for the security analysis as we have seen in Section IV D.

B. Fully characterized correlated noise models
Next, let us consider the general situation where Alice's preparation device is well described by pure states that are however subject to noise, e.g., coming from drifts and fluctuations of some parameters (laser amplitude, phase noise etc). In such a case the preparation box is modelled by a parametric set of states where p(λ) is the distribution of the noise parameter λ.
In contrast to Eq. (38), this model allows for correlated noise affecting the preparation device for all measurement settings. Notably, the model in Eq. (39) reduces to Eq. (38) when the hidden variable λ = (λ 0 , . . . , λ n−1 ) is composed of random variables λ x that only influence the preparation for the respective setting x and are distributed independently. Each set of pure states labeled by λ corresponds to a Gram matrix G(λ). Here, it is important to realize that the correlations p(b|x, y) observed by Alice and Bob do not constrain each λ (unless the distribution p(b|x, y) is extremal) but are only respected on average, i.e. p(b|x, y) = dλ p(λ) p(b|x, y, λ) for some hidden p(b|x, y, λ). Hence, one cannot simply verify the security of the protocol for each G(λ). Instead, we recover a pure state situation by explicitly including the hidden noise parameter λ in the state. That is, we consider Alice preparing states of the form with the "label" states for the hidden noise parameter respecting λ|µ = δ(λ − µ). By doing so we give the noise label λ to Eve who can control it coherently but is bound to respect our noisy model of the device given by p(λ). It is straightforward to see that the resulting Gram matrix for the states {|ψ x } n−1 x=0 is simply the average Consequently, verifying the security of the protocol for G guarantees its security for the original model.

C. Partially characterized correlated noise models
In some situations the full model with the knowledge of the distribution p(λ) might not be appropriate, as it requires a complete, precise characterization of the noise mechanisms present. Instead one can only guarantee (with the desired level of confidence) that in each round the preparation device obeys to the model where Λ specifies the range of possible λ. From there we can recover the previous case by noting that any realization of such model corresponds to the states {|ψ x } n−1 x=0 in Eq. (41) for some probability density p(λ) on Λ. The resulting average Gram matrix then necessarily belongs to the set where the hat G Λ denotes the convex hull of the set G Λ . In principle, it remains to determine the worst case G inside the set, with respect to the key rate it implies, in order to guarantee the security for the noise model. Practically, this problem is however computationally hard. And instead of solving it directly it is convenient to further relax the constraints on G to a form that one can easily include in the security analysis described in Section IV. This can be done by constraining each entry of the Gram matrix G ij independently. Concretely, the set G Λ can be relaxed to a collection of constraints on the real and imaginary parts of each entry of the matrices G ∈ G Λ . Being linear these constraints remain valid for the convex hull set G Λ . Most importantly, they are very simple to include in the SDP. The equality constraint Γ 11 ij = G ij in Eq. (10b) translates in two inequalities on the real and imaginary part of Γ for i = j Through the SDP the Gram matrix is constraint to be positive semidefinite. Hence, the set of states described by the Gram matrix which maximizes p g (e = k|succ) remains physical.

VI. COMPARISON TO OTHER QKD MODELS
In this section we present a brief comparison of our RDI protocols with other models for partially DI QKD.
Let us start with the one-sided DI model first proposed in Ref. [26]. The model applies to a prepare-andmeasure scenario, where the receiver is untrusted (as in the RDI model), while the sender uses a fully characterized device. Ref. [26] demonstrates security with the help of generalized tripartite uncertainty relations, but no practical considerations are discussed. Subsequent works [28,29] discussed the practical requirements of such an approach, considering the effect of noise and finite-size data; see also Refs [47,48] for similar analysis based on different proof techniques. However, the effect of losses is either not discussed [26,47], or their analysis is based on a fair sampling type assumption [28,29,48], where the detection of the photon is assumed to be independent from the choice of measurement made by the receiver. Note that the fair sampling assumption allows one to attribute the non-detection events to a filter applied on the system before the measurement and essentially discard the no-click events in the security analysis [12]. In practice, however, such an assumption is hard to justify in adversarial scenarios like QKD, as it opens the door to blinding attacks exploiting the fact that Eve can steer Bob's detector to click or not depending on the measurement setting [8]. Therefore, the results of Ref. [28,29] (and also [47,48]) cannot be applied to a practical QKD setup without sacrificing the one-sided DI security. Another notable point is that the security analysis of [28,29] relies on an entropic uncertainty relation for a pair of measurements. In the prepare-and-measure setting this approach thus applies to protocols where Alice prepares four states (grouped in two pairs of orthogonal states), and Bob performs two measurements. It is unclear to us whether such an approach can tackle more general protocols [49], with more states and measurements. Indeed, these cases are important, as the number of measurements of Bob must become large in order to accommodate for low transmissions. Notably, the protocols that we analyze here using the overlap method, where Alice prepares an increasing number of qubit states, can allow for an arbitrarily low transmission.
The one-sided DI model can also be investigated in an entanglement-based scheme where one of the parties is trusted while the other is considered as a black-box [26]. This approach was discussed in Ref. [27], establishing a connection with the effect of quantum steering. Here, both noise and losses are taken into account. The requirements in terms of detection efficiency are high (η > 65.9%), hence providing only minor improvements over the DI model. In practice, entanglement-based onesided DI QKD has never been implemented.
Our RDI protocols therefore provide a number of improvements over previous works on the one-sided DI scenario. First, our protocols are shown to be secure in a prepare-and-measure scenario taking into account both noise and losses; note that the companion paper [35] considers also finite-size effect for the proof-of-principle experiment. In particular, RDI protocols can in principle allow for an arbitrarily low transmission, as we discussed. Compared to the approach of Ref. [27], the experimental realisation is greatly simplified, as no source of entanglement is necessary, and much lower detection efficiencies can be tolerated. Moreover, in our case, the characterized party (Alice) acts as a sender, while in the one-sided model Alice holds a measurement device. Having to trust a preparation device instead of a measurement device is arguably an advantage.
Another SDI approach presented in Ref. [31,32] shares more similarities with our approach. The authors consider prepare-and-measure scenario where Alice's device is assumed to prepare quantum states of bounded Hilbert space dimension (for instance qubits), while Bob's device is completely black-box. This represents a very different type of assumption on the preparations, which is however arguably difficult to justify in practice; indeed a photon is not a qubit, and has many other degrees of freedom than (say) polarisation [50]. In this sense, we believe that our RDI approach is more naturally tailored to experiments, as it can deal with systems of arbitrary (possibly infinite) dimension. Another important advantage in practice, is the robustness to losses. Indeed, dimension-based SDI protocols are also sensitive to detection-loophole-type attacks and thus require detection efficiencies comparable to Bell tests [34]. This renders their practical implementation challenging. To the best of our knowledge, no experiment has been reported so far. Another related approach was developed in Ref. [33], considering an entanglement-based QDK setup assuming only the dimension of the entangled state prepared by the source. Again, practical implementation is challenging due to high detection efficiency requirements.
Finally, we compare our RDI model to the MDI approach [20,21]. Both approaches aim at relaxing trust on the measurement device. While we do this in the prepare-and-measure scenario, the MDI model considers an additional party (Charlie), located in between Alice and Bob and who acts as a relay. Charlie's (measurement) device is then fully untrusted, while Alice's and Bob's (preparation) devices must be well characterized. In practice, a strong advantage of the MDI approach is its robustness to losses, leading to record-distance experiments [22][23][24][25]. In a scenario where both end parties, Alice and Bob, have means to characterize and test their devices (or good reasons to believe the devices function correctly), the MDI approach is a good choice. However, in a scenario where one of the parties does not have the resources (or the expertise) for testing and characterizing their device (or reasons not to trust their devices, for instance a possible malfunctioning due to ageing), the RDI approach provides a good solution. In contrast, the MDI approach cannot be used here, as Bob's (nor Alice's) device can be described by a black-box; some level of trust on both Alice and Bob will always be required in the MDI case.

VII. CONCLUSION
We have discussed QKD protocols considering a receiver-device-independent (RDI) model. We presented a security analysis and investigated limitations of these protocols. Notably, we showed that our protocols can in principle allow for an arbitrarily low transmission (detection efficiency). We also provided a detailed discussion concerning the relevance of our approach in a practical context, in particular discussing how the overlap assumption can be justified. These results complement a recent (companion) paper, where a proof-of-principle RDI QKD experiment has been reported [35].
To conclude, we discuss a number of open questions. A first interesting question is to derive stronger bounds on the secret key rate. This may be possible using techniques recently developed in Ref. [51] providing lower bounds on the conditional von Neumann entropy (in-stead of the conditional min-entropy, as we consider here) from observed data. Elements from the approach used in Ref. [52] might also be useful here.
Another question is to turn our asymptotic key rate into a finite key length when a finite number of systems are exchanges between Alice and Bob. A natural route towards this goal consists in using the entropy accumulation theorem [53], although it is still unclear whether this approach can be adapted to the prepare-and-measure scenario.
An important direction to pursue is to look for RDI protocols that can achieve long distance and are practical. Here we presented protocols that can tolerate the minimum possible transmission (depending on the number of measurements n made by Bob) in the RDI model. In practice, the drawback of our protocols is the sifting, which, for large n, renders the protocols inefficient. Developing more efficient protocols would represent sig-nificant progress.
Finally, we note our approach shares similarities with the recent work of Ref. [54], where the author investigates correlations in a prepare-and-measure scenario with bounded distrust in the preparations. Specifically, the fidelity of the prepared states with respect to some reference state is lower bounded. Hence the distance between the actual and ideal states is bounded. In our approach we bound the distance between the prepared states via their pairwise overlaps.