Upper bound on device-independent quantum key distribution with two way classical postprocessing under individual attack

Device-independent quantum key distribution (DI-QKD) can guarantee the security even with untrusted devices. Unfortunately, conventional DI-QKD protocols can tolerate low noises only and require high detection efficiencies to achieve positive key rates. To improve the noise robustness, one promising solution is implementing the two-way classical postprocessing, which has the advantage of reducing the bit errors. In this paper, we study the DI-QKD with B-step two-way classical postprocessing under individual attacks. We adopt the tool of convex combination attack, i.e. an optimal individual attack, to upper bound the Devetak-Winter key rate. We show that, by using the B-step procedure, our protocol can tolerate detection efficiencies as low as 81.0% and depolarising noise of 0.799, which is better than the thresholds for the protocol with one-way error correction. This result can serve as the lower bounds on the critical noise and detection efficiency for the scenarios under general attacks. Our work justifies the advantage of two-way classical postprocessing for DI-QKD, thus offering a step towards its applications.


Introduction
Quantum key distribution (QKD) promise information-theoretical security for communication based on the laws of quantum physics [28]. Device-independent QKD (DI-QKD) [1,10,18], the security of which is based on the violation of a Bell inequality [8], allows the users to realize QKD even without the trust on the quantum devices. Device-independent security relies on the fact that more a quantum state is nonlocal, less an eavesdropper can correlated with the state. In DI-QKD, no assumptions on the dimensions of quantum systems or the internal working of the quantum devices are made. The security assumption only requires a trusted random number generator and two secure physical locations for Alice and Bob to guarantee that no unwanted information can leak to the outside [22].
Several theoretical efforts have advanced the developments of DI-QKD for different scenarios [3,6,13,17,22,[24][25][26][27]29]. Benefited from the theoretical progresses in reducing the required efficiency and enhancing the tolerance on noise, three concurrent proof-of-concept DI-QKD experiments have been carried out, based on trapped ions [19], trapped atoms [30] and photonic setup [14], respectively. However, in practice, the realistic DI-QKD systems both suffer from the noise and require sufficiently large detection efficiency to achieve a positive key.
One possible solution to improve the noise robustness for experimental realisation is the two-way classical postprocessing [4,12,16]. In traditional QKD, the main advantage of the two-way classical postprocessing is reducing the bit error rates to a certain amount, e.g. less than a noise threshold, such that a secret key can be distilled asymptotically via a one-way classical postprocessing protocol. In the case of DI-QKD, the protocol with advantage distillation [26] has been shown to be particularly useful under the assumption of collective attacks.
In this paper, by using the convex combination (CC) attack [11] which is an optimal individual attack, we develop a technique for upper bounding the asymptotic Devetak-Winter key rate [9] of DI-QKD protocols with two-way classical postprocessing. Different from the advantage distillation [26], we consider the B-step protocol proposed in [12,16], where Alice and Bob perform the xor operation locally on their two bits and then retain one bit or discard both dependent on the xor result. We use a local deterministic model to characterize the local and non-local part of correlations in the CC attack, which quantifies Eve's ability to learn the output of Alice measurement. Applying the B-step procedure, we show that our protocol can potentially decrease the required minimal detection efficiency and the maximal allowed depolarising noise. Particularly, the key rate upper bound is positive if the detection efficiency is larger than 81.0% or if the depolarising noise coefficient is larger than 0.799, which outperforms the standard one-way classical postprocessing protocol [22].
Notice that since the probability of the local correlation being shared in the CC attack can be maximized by using a linear programming, it can provide a direct method to upper-bound the key rates and predict the zero-key regions of DI-QKD [15]. Therefore, our analysis can serve as the lower bounds on the critical noise and detection efficiency when considering the DI-QKD with B-step protocol under the cases of collective or coherent attacks. We expect that the CC attack [11] can be an efficient tool to bound the secret key rate for general DI-QKD protocols.

Protocol description
Formally, in a general DI-QKD protocol, two parties, Alice and Bob, have access to a bipartite quantum state ρ AB . The protocol consists of N rounds. In each round, Alice chooses a measurement labelled by x ∈ {1, 2} and Bob chooses a measurement labelled by y ∈ {1, 2, 3} to measure their own part of state ρ AB respectively. Without loss of generality, we assume that each of Alice's (Bob's) measurements has 2 possible outcomes a ∈ {0, 1} (b ∈ {0, 1}). Denoting the positive-operator-valued-measures associated with Alice's and Bob's measurements by A a|x and B b|y . Then, the joint distribution of Alice's and Bob's outputs with respective to measurement settings can be described by: The protocol we consider here requests that Alice and Bob use a fraction of rounds corresponding to the measurement bases (x,ȳ) = (2, 3) as the key generation rounds and the rest as the test rounds to test the non-local correlation. We also focus on cases where the key-generating measurements have symmetrised outcomes, in the sense that P AB (0, 1|x,ȳ) = P AB (1, 0|x,ȳ) = ξ/2 and P AB (0, 0|x,ȳ) = P AB (1, 1|x,ȳ)= (1 − ξ)/2 for some ξ ⩽ 1/2 (if ξ ⩾ 1/2, one can simply let Bob flip his bits). The symmetrised outcomes can always be achieved via a symmetrisation step, where Alice generates a uniformly random bit T in each round and publicly sends it to Bob, with both of them flipping their measurement outcome values if and only if T = 1.
Before distilling the key, our protocol will further introduce a B-step procedure [12,16]. In the traditional QKD, the B step has been found useful in increasing the tolerance to the quantum bit errors. Here, we discuss the application of this method in DI-QKD. Alice and Bob first randomly permute all their raw keys Ax and Bȳ. Then, Alice and Bob apply an XOR operation between two pair bits (a 1 , b 1 ) and (a 2 , b 2 ), and obtain the results µ A = a 1 ⊕ a 2 and µ B = b 1 ⊕ b 2 . They compare the results µ A , µ B via two-way classical communication. If µ A ̸ = µ B , Alice and Bob discard the two pairs (a 1 , b 1 ) and (a 2 , b 2 ); otherwise, they keep one pair bits.
After the two-way classical postprocessing, Alice and Bob have reached an agreement on the rounds which are accepted to generate raw keys. They then follow the standard one-way error-correction and privacy amplification procedure, which allows one to employ the Deveteck-Winter rate [9] to generate secure keys.
In order to upper-bound the key rate, we apply the CC attack [11] to the DI-QKD protocols introduced above. In CC attack, Eve knows the form of the state ρ AB and the measurements {A a|x }, {B b|y }, such that she can make use of these knowledge to distribute the quantum correlations to Alice and Bob in each round. In particular, Eve distributes local deterministic correlations p L AB (a, b|x, y) with overall probability q L , and she distributes a nonlocal quantum correlation p NL AB (a, b|x, y) with probability 1 − q L . Eventually, the observed correlation of Alice and Bob takes the form: Since Alice and Bob will announce their inputs (x, y) for every round, Eve knows the outcomes e = (a, b) in all rounds in which she distributes a local correlation p L AB (a, b|x, y). For the rounds where Eve distributes a nonlocal correlation, we suppose that Eve has no information about Alice's and Bob's outcomes, i.e. e =?. Finally, Alice, Bob and Eve share a distribution which reads: where δ is the Kronecker delta.

Local deterministic model of P L (a, b|x, y)
In this subsection, we are going to find the maximum of q L among all possible decompositions [5,23] of the form equation (2). This quantity, denoted q L max , defines the local content of the distribution P(a, b|x, y). The local model p L AB (a, b|x, y) is chosen as follows. Let λ = (a 1 , define an assignment: of outputs a x and b y for each of the inputs x = 1, 2 and y = 1, 2, 3. Let d λ denote the corresponding deterministic behavior [7]: There are 2 5 possible output assignments and therefore 2 5 such local deterministic behaviors. Then, a local behavior p L AB (a, b|x, y) can be written as a CC of these deterministic points, with q λ ⩾ 0 and λ q λ = 1. For the non-local model p NL AB (a, b|x, y), we restrict it to be quantum [7,20,21], To find the maximal q L max , let us define probabilities AB (a, b|x, y) and q λ = q L q λ . It can be verified that: Therefore, the linear program reads: s.t. p L AB (a, b|x, y) + p NL AB (a, b|x, y) = P AB (a, b|x, y) p NL AB (a, b|x, y) ∈ Q.
Using the Navascués-Pironio-Acín (NPA) hierarchy [7,20,21], we can obtain the local content of P AB (a, b|x, y) in a device-independent way. We denote the k th level by Q k . Since the NPA hierarchy forms a sequence of outer approximations to the set of quantum correlations, Q ⊆ Q 1 ⊆ · · · ⊆ Q k , the relaxed local part provides a upper bound on the true local part, i.e, q L max ⩽ q L max (k). As a quick example, we consider the local content q L max for different detection efficiency η ∈ [0, 1] of the following case: the source generates a maximally entangled state |ψ AB ⟩ = (|00⟩ + |11⟩)/ √ 2 and the measurements are such that the CHSH inequality is maximally violated. Note that for a loophole-free Bell test with inefficient detectors, one has to take into account all measurement outcomes produced by the devices to close the detection loopholes. A simple strategy is that Alice and Bob view their no-detection outcomes as a '1' outcome [1,22]. The result is shown in figure 1. Numerical bounds are computed at a NPA relaxation level k = 2, 3. It could be seen that, taking k = 2 is enough to tightly bound the quantum set [2,20,21]. When the detection efficiency is less than 0.828, the local content q L max is equal to 1, which means that the correlation P AB (a, b|x, y) between Alice and Bob is local such that Eve will learn all the information about the outcomes of Alice and Bob.

Key rate based on B-step
Let us note first that within the CC attack, in the non-local rounds which happen with probability q NL min = 1 − q L max , Eve distributes a non-local correlation with entries p NL ab , shared by Alice and Bob. In contrast, whenever she distributes a local correlation with probability equal to the local weight q L , she perfectly knows the outcome of Alice and Bob. Hence, denoting by p L ab the resulting correlation within the local rounds, the overall tripartite correlation (in the key generation rounds) reads: where the random variable of Eve, e, consists of two bits (one for Alice and one for Bob) and an extra outcome '?' represents her lack of knowledge. Now, we consider the above correlation after the B-step procedure. Let (a s , b s ) denote outcomes of the survived round and (a d , b d ) denote outcomes of the discarded round. It is obvious that if both of the two selected rounds come from the local part, Eve will learn all the information about the survived round. If the survived round is from the nonlocal part while the discarded part from the local part, or vice versa, Eve will learn that e = a d and a s = µ ⊕ e such that all the information about the survived round will be leaked. Therefore, the only secure situation is that both of the two selected rounds come from the non-local part. This makes Eve has no information about the survived round, i.e. a s = µ⊕? =?. Denote the case where the two selected rounds are form the non-local part as '??' . Then, the correlation after the B-step procedure conditioned on a non-local correlation, i.e. P AB (a, b|E =??, x, y) (un-normalized), can be written as: Here, ξ NL is the QBER for the non-local part and ξ NL = p NL 01 + p NL 10 . Tracing out Bob, we then obtain the desired marginal distribution P AE (a|E =??, x, y) (un-normalized) shared by Alice and Eve after the B-step: Hence, the desired entropy of Alice's outcomes conditioned on Eve, H(A|E =??, accept), is fully defined only by the case when Eve distributes a non-local correlation, and reads: Thus, the final bound on the Devetak-Winter key rate [9] is given by: where H(A|B, accept) is the cost of one-way error correction, and can be written as: where the term 1 2 [(1 − ξ) 2 + ξ 2 ] represents the fraction of rounds that are kept after post-selection. The advantage by applying B-step is the quantum bit error rate ξ can be significantly reduced, and a net increase in the key generation may occur. As a comparison, for the protocol without B-step, the final bound on the key rate can be obtained directly form equation (9). By tracing out Bob in equation (9), the correlation shared between Alice and Eve can be represented by: such that the conditional entropy H(A|E) is given by: and the final upper bounded key rate without B-step is:

Simulation
In the simulation, we first focus on the threshold efficiency of the detection devices. We here consider the state is a non-maximally entangled state |ψ(θ)⟩ = cos(θ)|00⟩ + sin(θ)|11⟩, where θ ∈ [0, π/2]. For simplicity, we restrict measurements to be projective within the x-z plane of the Bloch-sphere, i.e. measurements in the form of Π(ϕ) = cos (ϕ)σ z + sin (ϕ)σ x , where ϕ ∈ [−π, π], and denote Alice and Bob's measurements by: With the above notations, Alice and Bob's joint probability can be expressed as P AB (a, b|x, y) = We numerically compare the protocol with and without the B-steps and the results are shown in figure 2. In the simulation, the key rate upper bounds are computed with NPA level 2. We find that when using the protocol with B-step, a positive key rate upper bound is obtained when the detection efficiency is larger than 81%. In contrast, without the B-step, the key rate upper bound is positive only if detection efficiency is larger than η = 90.7%.
We also consider a depolarising noise model for the noisy qubit state: We find that the protocol with B-step could tolerate the depolarising noise of V ⩾ 0.799, while without B-step, the protocol only tolerates V ⩾ 0.83, as shown in figure 3.
In appendix, we consider another decomposition of the observed distribution P AB (a, b|x, y) where the nonlocal part p NL AB (a, b|x, y) is chosen by varying η → 1 and V → 1. This decomposition means that if the  devices are noiseless, Eve will not learn any information of the outcomes. By using this kind of decomposition, we find that the critical detection efficiency in this case is around 68.3% (see appendix for details).

Conclusion and discussion
In this paper, we have upper bounded the DI-QKD with two-way communication. We select the B-step protocol where the survived events have lower errors compared with the standard protocol. Our security analysis uses the framework of CC attack where Eve randomly distributes a local or nonlocal correlation to Alice and Bob. By using an alternative decomposition of the observed quantum correlation, one could directly restrict the conditional entropy H(A|E). Finally, a significant reduction of the threshold detection efficiency and depolarising noisy is achieved if we focus on the CC attack models, which implies the potential advantage of the B-step processing in DI-QKD. In general, one can apply the B-step procedure two or more times to obtain a better noise tolerance. Whether the advantage by applying more B steps such that the protocol tolerates the most noises remains to be explored. Moreover, as the B-step procedure costs half of the keys that Alice and Bob have had at hands, more B-step procedures will significantly lower the overall key rate. Finally, we remark that our techniques can be applied to other DI-QKD protocols, such as the protocols with noisy preprocessing [13] or random postselection [29], to find out the limited detection efficiency or depolarising noisy for positive keys. Note that the CC attack belongs to the class of individual attacks, thus it permits an upper bound on the key rate of the protocol under general attacks [15]. To obtain a tight lower bound, one needs to consider the collective attacks [26] and the coherent attacks. Particularly, in the general non-i.i.d. attacks, namely the coherent attacks [3,27], the raw keys, r n = r 1 , r 2 , . . . , r n , is produced by an non-i.i.d. process. Then, each r i may depend not only on i th round of the protocol but also on everything that happened in previous rounds. For the protocol with two way communication [12,16,26], Alice and Bob have to randomly keep one of the selected two pairs of outcomes. Consequently, Eve might potentially learn more information of the survived rounds from the discarded ones. It is foreseen that the security analysis against coherent attacks is more challenging. Nonetheless, we recently noticed that there had been important theory developments towards this direction [31].
Note added. A recent work that uses the CC attack to bound general DI-QKD protocols by Karol Łukanowski et al will appear soon [15].

Data availability statement
All data that support the findings of this study are included within the article (and any supplementary files). Figure A1. Upper bounded key rate as a function of detection efficiency η, where the blue solid curve stand for the decomposition used in the main text and the red solid curve is the protocol where the nonlocal part is chosen by varying η → 1.
In order to find the maximal q L max , we have the following linear program: where the first constraint is to enforce Eve to distribute on average the observed correlation P AB (a, b|x, y), while the other constraints ensure {q λ } to constitute a valid probability vector. As figure A1 shows, by optimizing all the parameters, we find that this new decomposition provides a critical detection efficiency of 68.3%. In fact, this improvement comes from relaxing the ability of Eve. Noted that when considering the non-maximally entangled state |ψ(θ)⟩ = cos(θ)|00⟩ + sin(θ)|11⟩, it was proven the local content of the non-maximally entangled state is [5,23] Therefore, in this new decomposition, Eve could still use some local correction to simulate the nonlocal part p NL AB (a, b|x, y).