Simple proof of confidentiality for private quantum channels in noisy environments

Complete security proofs for quantum communication protocols can be notoriously involved, which convolutes their verification, and obfuscates the key physical insights the security finally relies on. In such cases, for the majority of the community, the utility of such proofs may be restricted. Here, we provide a simple proof of confidentiality for parallel quantum channels established via entanglement distillation based on hashing, in the presence of noise, and a malicious eavesdropper who is restricted only by the laws of quantum mechanics. The direct contribution lies in improving the linear confidentiality levels of recurrence-type entanglement distillation protocols to exponential levels for hashing protocols. The proof directly exploits the security relevant physical properties: measurement-based quantum computation with resource states and the separation of Bell-pairs from an eavesdropper. The proof also holds for situations where Eve has full control over the input states, and obtains all information about the operations and noise applied by the parties. The resulting state after hashing is private, i.e. disentangled from the eavesdropper. Moreover, the noise regimes for entanglement distillation and confidentiality do not coincide: confidentiality can be guaranteed even in situations where entanglement distillation fails. We extend our results to multiparty situations which are of special interest for secure quantum networks.


I. INTRODUCTION
Secure and private quantum communication is a concept of fundamental importance for emerging quantum technologies.The secure generation of a secret key for the encryption of classical data has received enormous attention in recent years [1][2][3][4][5][6][7], and is believed to be one of the key applications of quantum information science.Security has been shown under ever more general assumptions, finally arriving at device-independent proofs where the devices for secret key expansion are not trustworthy [8][9][10].However, while establishing entanglement between two remote parties served as key ingredient in many security proofs of QKD, most existing proofs are not established by sharpening this intuition, i.e. they follow a more convoluted, tedious, and less straightforward route [2,[11][12][13].
Here we consider the problem of confidential or secure transmission of quantum information via quantum channels, equally important as QKD but far less studied.This task is closely related to the confidential generation of maximally entangled, distributed quantum states.Both are essential ingredients of quantum networks [14][15][16], quantum key agreement protocols [17][18][19], and distributed quantum computation [20].In an idealized, noiseless situation a secure quantum channel, studied in [21][22][23], may be established in terms of teleporation [24] using a perfect Bell-pair.The situation turns out to be far less straightforward in a noisy scenario.Nevertheless, it was shown that private entanglement is feasible when considering noisy channels and perfect operations [25,26], as well as noise in local operations for independent and identically distributed (i.i.d.) [27] and non i.i.d.[28] situations.The latter works consider the recurrencetype entanglement distillation protocols [25,26], which * These authors contributed equally probabilistically increase the fidelity and factor out any eavesdropper with a linear rate of convergence in terms of initial states.
Hashing protocols [29][30][31][32][33][34][35][36] are one-way entanglement distillation protocols (EDP) which overcome these limitations.They are deterministic and converge exponentially fast in terms of initial states towards several copies of a maximally entangled state.This enables for several confidential quantum channels in parallel, crucial for big quantum data transmission [37] and which is in contrast to recurrence-type entanglement distillation protocols.In this paper we provide a proof of confidentiality for hashing protocols in a noisy setting where the eavesdropper has full control over all the initial states.Since the confidentiality of recurrence-type entanglement distillation protocols [25,26] has been shown in similar scenarios [28], this alone is not too surprising, even though hashing enables for exponential confidentiality levels rather than linear ones.Nevertheless, due to the simplicity of the confidentiality proof we clearly identify the relevant elements of physical properties from which the formal claim follows: the purity of the target state for noiseless distillation protocols and the way one deals with noise in measurement-based quantum computation (MBQC) with resource states.We emphasize that both are not exploitable in a noisy gate-based implementation as we illustrate later.The interest of using such characteristics, arguably, goes beyond the direct cryptographic statement they are implying.What is more, we identify a regime of noise where privacy, or equivalently confidentiality, is feasible, whereas distillation is not.Furthermore we show that hashing establishes privacy even when the eavesdropper is provided with information regarding all noise processes occurring in Alice's and Bob's laboratory, which is one step towards device independence for protocols with a quantum output.Early security proofs for QKD [7] rely on fault-tolerant quantum computation to reduce the problem of proving security to a noiseless setting, and utilize quantum random hashing [29] to verify the successful generation of entanglement.In contrast, our approach eliminates the necessity of fault-tolerant quantum computation by exploiting physical properties of MBQC, and we use hashing as an active tool to establish high-fidelity entangled pairs via entanglement distillation rather than verifying them.Other works [1,4,6] also use the existence of (one-way) entanglement distillation protocols.However, earlier works [1,6,7] lack a full treatment of the finite size setting, crucial for realistic regimes [11].In contrast, here we analyse the finite size performance of hashing and explicitly provide confidentiality levels also in noni.i.d.scenarios.Entanglement distillation protocols aim at distilling entanglement from a noisy ensemble of bi-or multipartite quantum states via local operations and measurements.Hashing protocols [29][30][31][32][33][34][35][36] form a specific subset of those protocols, which rely on the concept of likely subspaces [38], used in information theory, and universal hash functions [39], typically applied in the context of privacy amplification.Their operation is usually described on a large, noisy ensemble (called initial states) and one distills in the asymptotic limit a fraction of systems in a maximally entangled state, see Appendix A for more details.However, it was shown that hashing via quantum gates fails in the presence of noise [40].This drawback is overcome by measurement-based quantum information processing [41].There, the desired quantum operation is realized via Bell-measurements between the input quantum state and the input qubits of a resource state, referred to as read-in measurements.Consequently the only source of noise within this computational approach is due to imperfect resource states and noisy Bell-measurements (which can be accounted for by an increased level of the noise acting on the resource state, see [40]).A measurement-based implementation of the hashing protocol, see Appendix A 2, is capable of distilling entanglement for local depolarizing noise (LDN) up to 7% acting on each qubit of the resource state [40].This is due to an observation made in [42]: LDN acting on the input qubits of the resource state can virtually be moved to the initial states.Furthermore, LDN noise acting on the output qubits of the resource state can be assumed to act afterwards, since it commutes with the read-in measurements.These observations provide insights how one deals with LDN in MBQC, a physical characteristic which is not directly usable in quantum circuits, see Appendix A 2. More precisely, for gate-based implementations the situation is more complex and difficult to formalize in a useful way, since noise introduced by quantum gates gets highly correlated on propagating noise through the entire circuit.In a multipartite setting, a measurement-based implementation of the hashing protocol might turn out to be very useful for large scale quantum network architectures which rely on e.g.GHZ states [43].In this paper we will use the terms confidential, secure, privacy, private states and private entanglement.Therefore we want to clarify their relationship and their distinction before using them.A communication channel, either classical or quantum, is referred to as confidential if an eavesdropper can not obtain any information regarding the data being transmitted.Nevertheless, the eavesdropper might change the data during transmission without being detected.Therefore we refer to privacy as the ability of two (or more) parties to establish a confidential communication channel.A communication channel is considered to be secure, if it is confidential and authenticated, where authenticated here means that the eavesdropper can not alter the data without being detected by the parties.In the quantum case we call a state private if it can be used to establish a confidential quantum channel, i.e., a state which is entangled between Alice and Bob but not entangled with the eavesdropper.The term private state was already introduced in the context of QKD for generating classical keys from states with bound entanglement [44] and computing secret key capacities of quantum channels [45].For that purpose [44,45] consider additional systems, known as shield systems, to decouple an eavesdropper from maximally entangled states to generate a secure key between two parties.However, privacy or private states as we consider here, refer to the ability of establishing a confidential quantum channel without the notion of shield systems.The entanglement of such a state is then referred to as private entanglement.For full formal definitions, proofs and supportive information we refer to the supplemental material.However, the confidentiality proof of hashing is self-contained in the main text.

II. RESULTS
We consider two categories of players: protocol participants and Eve, the eavesdropper, from which the participants request their initial states ρ (n) used for distillation.The former, connected via classical authenticated channels, wish to distill m copies of a certain state |ϕ .In the bipartite setting, the state |ϕ might correspond to a perfect Bell-pair [29] whereas in the mutlipartite setting to a specific multipartite state [30][31][32][33][34][35][36] .The latter distributes the initial states via noisy quantum channels and has full control over them.In particular, Eve might be fully entangled with all initial states, which corresponds to the most general scenario how initial states can be distributed.Hashing in its original form assumes initial states of tensor product form, i.e. ρ (n) = ρ ⊗n where ρ is a density operator of a multi-partite quantum state and n is asymptotically large.Furthermore, distillation will only be feasible if the entropy of the initial states is sufficiently low, see e.g.[29] for bipartite hashing.To accommodate these requirements, we propose the following protocol: First the participants agree on a number of desired output systems m and a confidentiality level ε.From these values they compute the number of systems n which are necessary to meet both conditions, assuming the worst case entropy for the initial states.Then, the participants request n + kn systems from Eve subject to distillation.They apply a local twirling operation which ensures that the systems are diagonal within the respective basis (for the bipartite protocol they twirl towards Werner form).Next, they sacrifice kn systems for parameter estimation in order to estimate the actual fi-delity F relative to |ϕ for each system.Depending on their estimate F , they either abort the protocol because the fidelity is outside [F min , F max ] or they continue with a measurement-based implementation of the hashing protocol.Finally they output m systems.When generalizing to arbitrary initial states the protocol will be prepended by a symmetrization step.To formalize our confidentiality criterion we recall some basic terminology introduced in [28].We define the noiseless ideal map F, which takes as input the initial states and outputs, depending on parameter estimation, either the asymptotic state of the hashing protocol, |ϕ ϕ| ⊗m , or some output state, σ ⊥ P E .For example, in a bipartite setting |ϕ ϕ| ⊗m = |B 00 B 00 | ⊗m where The ideal map F abstracts the distillation protocol for an initial state ρ as a process: internally it runs the real protocol for initial state ρ to its very end which succeeds with probability p ρ , and depending on parameter estimation, it either replaces the final state with its asymptotic state, or it outputs whatever state was reached by the protocol, σ ⊥ P E .This approach to define ideal functionality stems from well-established ideas in QKD [46].Formally we define where |ψ P E is a purification of the initial state ρ provided by Eve and p ρ denotes the probability of the protocol succeeding for initial state ρ.The system f distinguishes the accepting from the aborting branch.
To analyze confidentiality taking into account realistic noisy scenarios, we also define the noisy ideal map F α , where α characterizes the level of noise, as where N α denotes the noise process acting on the output qubits of the resource states of hashing.We first clarify the noise processes we assume to act on the resource states of the measurement-based implementation of hashing, which motivate our definition of the ideal noisy map.We observe that there are a number of dominating sources of noise: noise on the resource states, noise on the read-in Bell measurements, and noise on the initial states subject to distillation.
For the noise acting on the resource states we assume i.i.d.local depolarizing noise.This is physically reasonable due to the observations in [47], which shows that i.i.d.local depolarizing noise provides an accurate approximation of noise acting on resource states if these states get generated locally via entanglement distillation.The resource states for the measurement-based implementation of hashing consist only of input and output qubits, see Appendix A 2 for further details.We denote the noise acting on the input qubits and output qubits of the resource states by N in = n j=1 D j (α) and with α ∈ [0, 1] quantifies the level of noise and the subscript j denotes the qubit on which the Pauli operators act on.Furthermore, we can take into account for the noise which the read-in Bell measurements introduce by a lower value of α in N in , which we denote by β, see [40].Hence, we have N in = n j=1 D j (β).Because we can now mathematically shift the noise from the input qubits of the resource states to the initial states, we decompose the ideal noisy map F α as the concatenation of noise acting on the initial states followed by the noiseless ideal hashing protocol and noise acting on the output qubits of the hashing protocol, i.e.F α = N out • F • N in .Because we can take into account for N in in the parameter estimation step of the ideal map F we end up with F α = N α • F, where we have defined N α = N out .This enables us now to precisely define the term confidentiality.In particular, we call the hashing protocol E α ε-confidential, if where ∆ = sup k∈N ∆ ⊗ id k op,1 for a CPTP map ∆ with ∆ op,1 := sup ρ 1≤1 ∆(ρ) 1 and ρ 1 = tr ρρ † denotes the 1−norm of a density operator ρ, see also [48].
Observe that the state |ϕ ϕ| ⊗m in the accepting branch of F α , see (1), is private, i.e., a state which is disentangled from Eve.This motivates the term privacy distillation.We outline the remainder of this paper as follows: We start by estimating the rate of convergence of noiseless bipartite hashing for finitely many i.i.d.initial states.Next, we generalize this result to arbitrary initial states including the eavesdropper's system via the post-selection technique.This will finally imply the confidentiality guarantees for the noisy measurement-based implementation of hashing.The hashing protocol [29] deterministically converges exponentially fast towards several copies of |B 00 for i.i.d.initial states.In particular, we find for the modified (i.e., our proposed) hashing protocol E, taking n + kn initial states ρ, that where x 1 (δ) = 1/a max (g max + δ) log 1 + δ gmax − δ and a max , g max are constants depending on F min and F max .The parameter δ stems from the hashing protocol [29] and affects the number of output systems m = n(1 − S(ρ) − 2δ) where S(ρ) denotes the von Neumann entropy of ρ as well as the rate of convergence governed by (4).For our purposes we choose δ = n −1/5 , see Appendix C. In addition, the right-hand side of (4) approaches zero exponentially fast.Eq. ( 4) can be derived from the following observations, see also Appendix C: The 1−norm induced distance of E(ρ ⊗n+kn ) and F(ρ ⊗n+kn ) is equal to the distance within the ok−branch, because E and F agree on the f ail−branch.The protocol can fail due to three reasons where each type of failure occurs with a certain probability.The first one corresponds to the case that the ensemble of Bell pairs falls outside of the likely subspace and is given by 2 exp(−nx 1 (n −1/5 )).The second one bounds the probability of misidentifying the string by exp(−n 4/5 ln 2), and the third one bounds the failure probability of parameter estimation by 2 exp −(F max − F min ) 2 kn/16 .Nevertheless, (4) is insufficient to prove full cryptographic confidentiality, as it only concerns the systems of the participants and i.i.d.initial states.So the next step is to generalize (4) to arbitrary initial states including the system of Eve which is the topic of the next section.In order to provide an estimate of (3) for bi-and multipartite hashing protocols in terms of i.i.d.initial states, e.g. ( 4), we proceed similar to the approach of [28]: First we relate the distance of the real and ideal map including Eve's purifying system at the beginning of the protocol to the distance between the respective maps concerning the systems of the participants only.Second we use the post-selection technique [46], which implies that the distance between the real and ideal map for any purification of the initial states is bounded by a specific pure state, a purification of the so called de-Finetti Hilbert-Schmidt state.We eliminate the first issue by using an inherent characteristic of noiseless distillation protocols: the target state of such protocols shared between Alice and Bob is pure, provided the parameter estimation is passed.Therefore the state of Alice and Bob is independent of Eve, i.e. there is no residual entanglement to her.We formalize this intuition via the following observation, rigorously proven in Appendix D: If the output of the real and ideal map, i.e.E and F respectively, differ at most ε for a particular initial state ρ, then they differ at most 4 √ ε on any purification |ψ of ρ, i.e.
The next step is to relate non-i.i.d.initial states to i.i.d.initial states.Recall that the post-selection technique is applicable to permutation invariant maps only.Because hashing protocols are not permutation invariant maps, we have to prepend the overall protocol by a symmetrization step in order to apply the post-selection technique.This finally enables us to prove confidentiality of hashing protocols according to (3) via the following theorem.

Theorem 1 (Post-selection-based reduction technique).
Let E s be the real protocol and F s the ideal protocol prepended by a symmetrization step (s) taking n + kn initial states.Let E and F be the sub-protocols after symmetrization.Then we have where d denotes the dimension of an individual system and The parameter d in Theorem 1 corresponds to the dimension of each individual initial state, therefore it is constant for a specific protocol and we have for M participants that d = 2 M .We sketch the proof of Theorem 1 as follows: The postselection technique of [46] implies that bound by evaluating this expression for a particular state, a purification of the de-Finetti Hilbert-Schmidt state.Hence we apply our previous observation, i.e. (5), to that particular initial state which reduces the confidentiality proof to i.i.d.initial states.For the complete proof of Theorem 1 we refer to Appendix E. We now easily conclude confidentiality of the noiseless bipartite hashing protocol prepended by symmetrization by combining Theorem 1 for d = 4 and (4) which leads to Eq. ( 7) analytically proves that arbitrary confidentiality levels can be achieved via the hashing protocol [29] and finally enables us to show confidentiality for a noisy measurement-based implementation of the hashing protocol.
Recall that the resource states, necessary for a measurement-based implementation of the hashing protocol, are subject to LDN acting on all qubits, D(α) = n l=1 D l (α) where D l (α) is defined in Eq. ( 2) and that we include the noise of a noisy Bell-measurement at the read-in in the value of α in (2), see [40].For a more detailed discussion of this noise model we refer to [47] and Appendix A 2. The confidentiality proof for the noisy measurementbased implementation of hashing now concludes by using the following intuition from MBQC with resource states: the LDN on the input qubits can be moved, due to the symmetry of Bell-states, to the initial states whereas LDN acting on the output qubits can be assumed to act after the protocol.Therefore one is left with a noiseless hashing protocol generating pure states affected by LDN.We reiterate that such an approach is not directly applicable in the setting of gate-based implementations.We sharpen this observation as follows: The resource state of the protocol consists only of input and output qubits, see Appendix A 2 and , and according to [42] we can virtually move the noise acting on the input qubits to the initial states provided by Eve.Thus we deal with this part of the noise via a modification of parameter estimation, since the entropy of the initial states increases after virtually moving the noise.The noise acting on the output qubits of the resource states can be assumed to act after the protocol completes, as that noise commutes with the read-in Bell-measurements.This leaves us with a noiseless protocol followed by LDN acting on the output qubits, which just slightly depolarizes the pure Bell-pairs from noiseless hashing.Moreover, this noise stems from the apparatus so this does not jeopardize confidentiality.In particular, because LDN is a CPTP map, the contractivity of the 1−norm implies (see also Appendix F) that where E s,α and F s,α denote the real and the ideal noisy hashing protocol prepended by symmetrization, and noise of strength 1 − α of the form (2) acts on each qubit of the resource state independently and identically.Hence the noisy implementation offers the same confidentiality guarantees as the noiseless implementation, the protocol just simply aborts more often during parameter estimation.
We highlight that the proof of confidentiality for noisy hashing does not require any numeric evidence, whereas the proof in [28] for the distillation protocol [25] relies on numerical simulations.Furthermore the tolerable noise for post-selection is significantly higher, namely of the order of several percent per qubit compared to O(10 −20 ) in [28], although it should be mentioned that the noise models are different and cannot directly be compared.Furthermore we find that there exists a regime of noise for bipartite hashing where privacy, or equivalently confidentiality, is achievable even though distillation is not feasible.For this regime, the privacy regime, hashing decreases the fidelity of each output system relative to |B 00 , i.e., the protocol washes out entanglement rather than distilling it, but nevertheless, any eavesdropper factors out.In contrast, if the noise level is within the distillation regime the fidelity of each output system relative to |B 00 increases, and, as a consequence, any eavesdropper factors out.For private states in the context of QKD a similar observation was made in [44], where it was shown that even though entanglement distillation is not feasible yet secure keys can still be generated from private states with bound entanglement.
It is interesting to qualitatively compare these findings to earlier work: in [27,49] confidentiality aspects were studied in the framework of a gate-based implementation of the entanglement distillation protocol of [25].It was also found that the noise regimes for privacy and distillation do not coincide, but contrary to the results presented here, the privacy regime for the gate based implementation was found to be a subset of the distillation regime.
For more details on those noise regimes we refer to Appendix B.
We consider the scenario where the local apparatus leaks all the information about the noise processes realized (by the noisy resource states of the hashing protocol) to Eve as in [27,28].Theorem 7 of [28] states that if a real protocol E α is ε-confidential, then it is 2 √ ε-confidential if the noise transcripts leak to Eve.The resulting states remain private and enable for confidential quantum channels.The hashing protocol [29] can be generalized to multipartite quantum states [30][31][32][33][34][35][36], which is relevant for distributed quantum computation [20], quantum key agreement protocols [17][18][19] and quantum networks [14][15][16]43].Also for those protocols one shows their confidentiality by following the same line of argumentation, which can be found in Appendix G.

III. DISCUSSION
In summary we have analytically shown that noisy measurement-based implementations of bi-and multipartite hashing protocols establish exponential confidentiality levels.We directly exploited the properties of MBQC with resource states which leads, together with the purity of the asymptotic state of noiseless hashing and the post-selection technique, to a short, straightforward and transparent confidentiality proof.Furthermore, the privacy and distillation regimes do not coincide, similarly to private states with bound entanglement in the context of QKD.In particular, there exists a regime of local i.i.d.noise where privacy is achievable, but distillation is not.In this regime, any eavesdropper is factored out despite no entanglement being distilled.Nevertheless, in both regimes the final states are disentangled from any eavesdropper, which enables for secure quantum channels, if the information regarding the noise processes do not leak to the eavesdropper.If this information leaks to the eavesdropper, confidential quantum channels are still feasible as the resulting states remain private.

ACKNOWLEDGMENTS
This work was supported by the Austrian Science Fund (FWF): P28000-N27, P30937-N27 and SFB F40-FoQus F4012, by the Swiss National Science Foundation (SNSF) through Grant number PP00P2-150579, the Army Research Laboratory Center for Distributed Quantum Information via the project SciNet and the EU via the integrated project SIQS.
Appendix A: Bipartite hashing protocol and its measurement-based implementation In this section of the supplementary material we provide a short review of the biparite hashing protocol [29], we introduce the measurement-based implementation thereof [40] and discuss its advantages over a gate-based approach.
In the following we denote the four Bell-basis states by |B 00 where i ∈ {0, 1} is referred to as the phase bit, j ∈ {0, 1} is referred to as the amplitude bit of |B ij and |B 00 = (|00 + |11 )/ √ 2.

Entanglement distillation via hashing
Entanglement distillation protocols distill a maximally entangled state from several noisy copies provided the initial fidelity, defined as F (ρ, σ) = tr ρ 1/2 σρ 1/2 for density operators ρ and σ where σ = |ϕ ϕ| (the desired target state), is sufficiently high.Several protocols have been proposed for this task, which we divide into two categories depending on the number of systems they utilize within each basic distillation step.In the first group we have recurrence-type protocols [25,26] which work pair-wise, whereas in the second group we have so-called hashing-type protocols [29] that operate, in principle, on the entire ensemble.Common to both classes of protocols is that they utilize local operations, measurements and classical communication.
Recurrence-type protocols are robust against local noise in both the gate-based [50] and measurement-based implementations [42].In contrast, the gate-based implementations of hashing-type protocols are fragile with respect to noise of the local apparatus as we will discuss briefly.
The hashing protocol [29] is an entanglement distillation protocol which operates on a large ensemble of noisy initial states in an iterative manner.In its standard version, the participants assume to receive n copies of an initial state ρ, where ρ is a two qubit density operator diagonal in the Bell-basis.The hashing protocol outputs m = n(1 − S(ρ)) systems in the asymptotic limit where S(ρ) < 1 denotes the von-Neumann entropy of ρ.
At each basic distillation step, which we also refer to as a round, the participants apply local operations according to a string drawn uniformly at random and followed by a controlled NOT into one target state.More precisely, they accumulate the phase and/or amplitude bit i and Hashing protocols rely on two fundamental concepts related to classical coding theory: likely subspace encoding and universal hashing.The idea of likely subspace encoding for ensembles of quantum states was first mentioned, to our knowledge, in [38].There it was proven that an asymptotic ensemble of i.i.d.quantum states ρ ⊗n where ρ = i p i |v i v i | is a density operator which receives almost all its weight from a small subspace spanned by so-called likely sequences More precisely, the probability of finding a particular sequence (j 1 , ..., j n ) that is outside this likely subspace can be made arbitrarily small in terms of the number of copies n of ρ.In case of the hashing protocol the vectors |v i in ρ = i p i |v i v i | of the initial states ρ ⊗n correspond to individual Bell-states |B ij .The original proposal of the likely subspace in [38] relies on the weak law of large numbers, which is an asymptotic statement.Universal hashing [39] is a widely studied concept which turned out especially useful in privacy amplification [51], a critical part in quantum key distribution protocols.Privacy amplification minimizes the amount of information an eavesdropper has with respect to a generated key.For that purpose the participants use so-called universal 2 function families.A family of functions G = {g i : A → B} i∈I is said to be universal 2 if for any x = y ∈ A the probability that g i (x) = g i (y) is at most 1/|B| when g i is chosen uniformly at random from G. One basic distillation step of the hashing protocol comprises the following steps: one participant draws a string s ∈ {0, 1, 2, 3} n (which we also refer to as parity hash string) uniformly at random, corresponding to a universal hash function.Next, the participant classically communicates s to the other participant and both perform, according to s, local operations and bilateral controlled NOTs on their parts of the quantum states.Depending on s t ∈ {0, 1, 2, 3} they bypass (s t = 0) or they accumulate either the amplitude bit j (s t = 1), the phase bit i (s t = 2) or both, amplitude and phase bit i ⊕ j, (s t = 3) for the Bell-pair |B ij indexed by 1 ≤ t ≤ n into the first pair for which s t = 0 via a bilateral controlled NOT.Fi-nally, they measure both parts of this target system using the Z observable which reveals almost one bit of parity information about the remaining ensemble.This basic distillation step is iterated n−m times, thereby collecting sufficient amount of information regarding parities about the remaining quantum systems.The parity information is finally used to restore the systems to the |B 00 ⊗m state.For further detsails on the hashing protocol, we refer the reader to [29].If one considers instead of asymptotic ensembles an initial ensemble of finite size n, bipartite hashing can still be used to distill entanglement.For finitely many initial states slightly fewer systems with a finite infidelity (i.e.there is a non-zero deviation relative to the state |B 00 ⊗m ) will be distilled.More precisely, for finite size hashing the number of output systems is m = n(1 − S(ρ) − 2δ) where the tunable parameter δ characterizes the width of the likely subspace.The parameter δ turns out to be crucial when determining the rate of convergence towards |B 00 ⊗m and we will choose for our purposes δ = n −1/5 .There also exist extensions of the bipartite hashing protocol to a multipartite setting allowing the distillation of two colorable graph states [30], all graph states [31], GHZ states [32,33], CSS states [34] and stabilizer states [35,36].Conceptually those types of protocols rely on the same ideas as bipartite hashing.Again, local parity collecting operations are used to reveal information about the remaining ensemble.They are especially well-suited to distill resource states for measurement-based implementations of particular quantum tasks such as quantum error correction.In the main text we have shown the confidentiality of the hashing protocol for two colorable graph states [30] and we provide a detailed description thereof within this supplementary material.

Measurement-based implementation
One alternative to the gate-based implementation of a quantum circuit is measurement-based quantum computation [52,53].A quantum operation O can be implemented by coupling the input qubits via Bell measurements to a universal resource state, e.g. a 2D cluster state [54].For circuits which contain only gates from the Clifford group and Pauli measurements one can also use an optimized, special purpose resource state of minimal size [41].This resource state will consist of only n + m qubits for a circuit which maps n qubits to m qubits.Hashing protocols, like most other entanglement distillation protocols, belong to this class of circuits and thus allow for such a minimal size measurement-based implementation.The results of the Bell measurements at the read-in determine both the results of the parity measurements of the hashing protocol as well as the Pauli byproduct operators on the final output states.For more informations and examples see [28,55].The noiseless implementation of the hashing protocol produces asymptotically perfect Bell-pairs.Therefore any eavesdropper is factored out, in the limit, guaranteeing perfect confidentiality.But even if i.i.d.local depolarizing noise acts on the quantum gates, any gate-based ap-proach fails [40].This is due to the O(n) bilateral CNOTs within every distillation round, which washes out all information from the initial states.Hence the gate-based implementation of hashing is limited to the noiseless scenario only.This drawback is overcome by a measurement-based approach [40].A measurement-based implementation of the hashing protocol is rather straightforward: a sequence of parity hash strings is drawn uniformly at random by one participant and classically communicated to all other participants.They construct the corresponding resource state according to that particular sequence.This resource state is finally coupled to the initial states via Bell-measurements which implements the hashing protocol in a measurement-based fashion.Since all gates of the hashing protocol are elements of the Clifford group the resource states consist only of input and output qubits, see discussion above.This implies that the resource states are of minimal size and therefore optimal with respect to the number of qubits which need to be stored temporarily.
In [40] it was shown that a measurement-based implementation of the hashing protocol [29] is capable of distilling entanglement for imperfect resource states and imperfect in-coupling Bell-measurements.There the resource states are affected by i.i.d.local depolarizing noise (LDN) of the form D(α) = n l=1 D l (α) acting on all qubits of the resource states where and α characterizes the strength of the noise.In particular, the measurement-based implementation of hashing tolerates up to 7% of noise acting on each qubit of the resource state [40].In [56], it was shown that any local noise process can be brought into a local depolarizing form.This observation also motivated the noise model of local depolarizing noise chosen in [42] to study measurementbased recurrence-type distillation protocols.There it was shown that the measurement-based implementation of recurrence-type distillation protocols is capable of tolerating up to 24% of noise acting on each qubit of the resource state.Furthermore, as studied in [47] to a global phase where σ is a Pauli operator.This enables us to effectively move the noise acting on the input qubits of the resource states to the input state (as we couple the input state to the resource state via Bell-measurements).We emphasize that this holds for LDN of the form D(α) = n l=1 D l (α) and, more importantly, this can not be done within the circuit model even though the gate-based and measurement-based approach to quantum computation are computationally equivalent.In particular, computational equivalence does not necessarily imply equivalent robustness with respect to noise.This observation becomes more clear when one considers the noise processes as being part of the protocol.In the measurement-based scenario with resource states, the observation of [42] implies that the i.i.d.LDN acting on the input qubits of the resource state can effectively be moved to the initial states, see discussion above.The i.i.d.LDN acting on the output qubits can be applied afterwards, because the quantum computation at hand is performed in terms of Bell-measurements at the read-in.This leaves one with a perfect quantum operation on a modifed input state, where i.i.d.LDN is applied, followed by the noise process of the output qubits.In [57] this observation was applied to measurement-based quantum communication, where it was shown that very high error thresholds (of the order of 10 % per qubit) can be obtained.In contrast, in the gate-based approach noise accumulates through repeatedly applying quantum gates.Furthermore, on commuting noise through the gates of a quantum circuit towards the input, the noise processes might get correlated due to commutation relations, maybe ending up in correlated noise rather than i.i.d.LDN acting on the input state.So to summarize, this observation shows that at least for i.i.d.LDN the measurement-and gate-based approach are not equivalent.To summarize, the measurement-based approach permits a noisy implementation of the hashing protocol whereas a standard gate-based implementation fails in the presence of noise.

Appendix B: Noise regimes
In the main text we identified two different regimes of i.i.d.LDN of the form D(α) = n l=1 D l (α), where D l (α) is defined via (A1), acting on the resource states of the measurement-based implementation of hashing: privacy and purification regime.Within the first regime any eavesdropper factors out but no entanglement will be distilled.In particular, for bipartite hashing, the fidelity relative to |B 00 will decrease due to the protocol.In contrast, in the purification regime any eavesdropper is factored out and entanglement is distilled, i.e. the fidelity relative to the target state increases.To see this we recall the conditions on the noise parameters for purification and privacy.The noiseless hashing protocol distills perfect Bell pairs in the asymptotic limit of infinitely many initial states in Werner form as soon as their fidelity exceeds F crit = 0.8107, see [29].In this case the final Bell pairs are private (and thus confidentiality is guaranteed) and F crit can be translated to q crit = (4F crit − 1)/3 ≈ 0.7476.In the noisy case one has two conditions for the noise parameters α and q, which quantify the level of noise on the resource states and the fidelity of the initial states, respectively (see also [42]) for asymptotic ensemble sizes: and Here, (B1) guarantees that the fidelity of the initial states, after the noise from the resource state is mapped to the initial states, see the previous section and [42], exceeds the threshold value q crit .In this case the output pairs will be private.The second condition, (B2), ensures that the fidelity of the output pairs is larger than the fidelity of the input pairs.From this one sees that for privacy one only needs to fulfill (B1), whereas both (B1) and (B2) need to hold for purification.Observe that (B1) is a condition due to the noise acting on the input qubits (thereby increasing the required fidelity of the initial states to succeed hashing) whereas condition (B2) stems from the noise applied to the output qubits (which depolarizes the perfect Bell-pairs produced by noiseless hashing in the asymptotic limit).This means that the parameters α and q are more constrained if one aims for increasing entanglement, as compared to the case of privacy.We summarize these findings in Fig. 1.This observation provides a clear distinction between privacy and purification regime for asymptotic ensembles: Both regimes, purification and privacy, have in common that any eavesdropper factors out due to the protocol but they differ with respect to whether entanglement is distilled or not.This motivates the term quantum privacy distillation for the proposed overall protocol as there are noise regimes where the protocol offers privacy, or equivalently private entanglement, without achieving distillation.
A similar situation arises in the finite size case.Here, the modifications will be that q crit in (B1) is no longer directly related to F crit and that (B2) needs to be modified to Here, q out (n, F ) quantifies the level of noise on the output pairs of the hashing protocol for n initial states with fidelity F .It can be obtained from the bound on the fidelity of the output pairs.There will again be two different regimes, and the purification regime will be smaller than the privacy regime due to the fact that it is more constrained (there are two inequalities to be satisfied, whereas there is only one for confidentiality).
Appendix C: Rate of convergence of noiseless bipartite hashing for i.i.d.initial states Here we provide the proof of Eq. ( 4) of the main text for δ = n −1/5 summarized within the following Theorem.
Theorem 2 (Convergence for i.i.d.initial states).Let E be the real protocol and F the ideal protocol taking n + kn initial states.Furthermore, let x 1 (δ) = 1/a max (g max + δ) log 1 + δ gmax − δ where a max and g max are constants depending on F min and F max .Then Visualization of the different regimes in the α − q plane (only the upper right corner of the entire plane is shown).In the white area neither privacy nor purification is achieved.In the entire colored area privacy is guaranteed, but only in the blue area one has distillation.This means that there is a parameter regime (yellow area), where one has privacy despite the fact that the fidelity of the Bell pairs does not increase during the distillation.
we have for all initial states ρ that Furthermore, the right-hand side of Eq. ( 4) of the main text approaches exponentially fast zero.
Proof.Because the ideal and the real map are identical in the aborting branch, we find for the initial states ρ ⊗n+kn that where σ AB denotes the state of the hashing protocol after n − m rounds and p ρ the success probability for initial state ρ.Thus we need to estimate ε H .Because we twirl the initial states towards Werner form we assume from now on that they are of Werner form.The hashing protocol can fail due to two reasons, see [29]: the string corresponding to the initial states falls outside the likely subspace or, after n − m rounds two or even more configurations are compatible with the total parity information, i.e. they can not be distinguished from each other.
By denoting this failure probabilities by p 1 and p 2 and the corresponding states after the protocol by σ 1 and σ 2 respectively, we find that the total failure probability p f of the hashing protocol satisfies p f = p 1 + p 2 .We also observe that if the parameter estimation was accurate the state after the protocol completes, i.e. σ AB of (C2), is given by More precisely, with probability 1 − p f we are able to restore the output of the hashing protocol to m copies of |B 00 and we end up with probabilities p 1 and p 2 in the state σ 1 and σ 2 respectively.This implies for (C2) that via the triangle inequality for the case whenever parameter estimation is accurate.Additionally the overall protocol can fail due to the following observation: The parameter estimation provides an estimate F for the fidelity F which is accepted by the participants, but F is actually outside the agreed range [F min , F max ].In that case Alice and Bob run hashing even though the protocol will either fail (since the initial fidelity is too low) or the fidelity is too high to provide accurate confidentiality estimates [58].This observation in turn implies that the state after hashing within the ok-branch is maximum far from the asymptotic state of the hashing protocol, i.e.
Nevertheless, the probability of the protocol succeeding for initial state ρ also takes into account for parameter estimation succeeding, i.e. p ρ = p 3 • p where p 3 denotes the probability of parameter estimation succeeding for initial state ρ.Therefore, if Alice and Bob mistakenly run hashing even if they should have aborted we find via (C5) for (C2) that So to summarize we obtain for an arbitrary initial state ρ by combining (C4) and (C6) that Thus we are left to provide upper bounds for (the unknown) probabilities p 1 , p 2 and p 3 respectively, i.e. we need to find p 1 , p 2 and p 3 such that p i ≤ p i for 1 ≤ i ≤ 3 because this implies for (C7) that We derive a bound for the probability of falling outside the likely subspace p 1 via the Bennett inequality [59].
Bennett's inequality [59] states that we have for X 1 , .., X n independent random variables, where |X i | ≤ a almostsurely and the expected value of X i is zero w.l.o.g., that Pr where For the hashing protocol the random variables X i take the values X i (k, l) := − log 2 p kl − S(ρ) where ρ = The i.i.d.assumption implies that all X i are independent and identical distributed (therefore we will subsequently denote them by the random variable X), thus we find σ 2 = 1/n n i=1 VarX i = VarX =: V (F ).Hence we have We observe that the random variable X is bounded.
More precisely, we have 8107 (which is the minimum required fidelity for Werner states by the hashing protocol).The next step is to insert t = nδ, a = a(F ) and σ 2 = V (F ) in (C9) which yields by denoting the lefthand-side of (C9) by p 1 By defining g(F ) = V (F ) a(F ) we rewrite the previous inequality as We observe that (C12) depends on the fidelity F of the initial states which is inappropriate for confidentiality estimates.In order to obtain a bound which is independent of the fidelity of the initial states we use that Alice and Bob only run the hashing protocol if We observe that (C12) is maximized whenever − δ ≥ 0 which follows from log(1 + x) ≥ x x+1 , n > 0 and a(F ) > 0. For that purpose we show that the function y We obtain for the first derivative of y that since log(1+z) ≤ z.Thus (g(F ) + δ) log 1 + δ g(F ) −δ → min whenever g(F ) → max.FIG. 2. Plot of the function g(F ).Observe that g is strictly monotonic decreasing for F ∈ [0.82, 1).
In order to show that (C16) ensures an exponential convergence, as we claim, we need to provide an upper bound for the exponent of (C16), i.e., for the function where δ will be choosen later as n −1/5 as previously.By defining In the following we compute a lower bound y(n) for f (n), i.e. f (n) > y(n) for all n, which is in turn an upper bound for (C16), i.e. p 1 ≤ 2 exp(−f (n)/a max ) ≤ 2 exp(−y(n)/a max ).Using that log(1 + x) > x 1+x/2 for x > 0, see [62], we find from g max > 0 and δ > 0 that Furthermore we have that (g max +δ) log 1 + δ gmax −δ ≥ 0 which implies together with (C19) for (C18) which analytically proves the exponential scaling of the hashing protocol.Furthermore, following the approach of [29], we find that the probability of having two configurations which are compatible with the collected parity information, p 2 , is bounded by 2 −nδ .Thus, inserting δ = n −1/5 gives p 2 < 2 −n 4/5 .Finally we provide an estimate for the probability of accepting initial states from Eve in the case when Alice and Bob should abort the protocol after parameter estimation, i.e. the actual fidelity F is below the minimum required value F min but the estimate F is not, or the actual fidelity F is above F max but the estimate F is not, corresponding to the probability p 3 .For that purpose we perform two-qubit measurements of two Bell-pairs, the first w.r.t. the X ⊗ X and the second w.r.t. the Z ⊗ Z observable.One easily observes that |B 00 is the common +1 eigenstate of both operators.By referring to this measurements as M 1 and M 2 respectively and recalling that the parameter estimation utilizes kn systems we define the random variables F i associated with a pair of Bellpairs for 1 ≤ i ≤ kn/2 which is equal to 1 whenever M 1 and M 2 simultaneously reveal outcome 1 and 0 otherwise.
Recall that the Hoeffding inequality [63] states that we have for X 1 , .., X n i.i.d.random variables where holds for all t and where ∀i : c i ≤ C. Hoeffding's inequality (C23) implies now for the empirical mean holds for all η.More precisely, the probability of estimating an error larger than η via F to E[F ] is decaying exponential in n.So Alice and Bob choose F min and F max and they agree to continue with the hashing protocol whenever F ∈ [F PE − ∆/4, F PE + ∆/4] where In other words, (C25) means that the probability that Alice and Bob continue with the hashing protocol in case they should abort, i.e., the actual fidelity F is outside [F min , F max ], is exponentially small.For example, if the fidelity estimate F is F = F PE +∆/4 (which implies Alice and Bob will run hashing), then the probability that the actual fidelity F satisfies F > F PE + ∆/2 = F max is exponentially bounded.
To summarize, we find for (C2) that Notice that the right-hand side of (C26) is independent of ρ, which completes the proof.

Appendix D: Local closeness implies global closeness
In the main text we formulated the following claim: If the output of the real and ideal map differ at most ε for a particular initial state then they differ at most 4 √ ε for any purification of this initial state.We prove this statement within the following Lemma.Lemma 1.Let E be the real and F be the ideal protocol.Furthermore let ρ be a mixed state shared by the participants of the protocol.
Proof.We observe that The assumption and F(ρ) are equal on the fail branch.Thus we have σ AB − |ϕ ϕ| ⊗m AB 1 ≤ ε/p ρ .Furthermore we find for the application of the real and the ideal protocol to the purification |ψ ABE of ρ AB that This implies for the 1-norm that Employing (D7) in (D6) yields which completes the proof.
Appendix E: Proof of Theorem 1 Proof.Due to the symmetrization we find that E s and F s are permutation invariant maps.Hence applying the post-selection technique of [46] gives where d is determined by the number of participants (see discussion below) and |τ ABE is a purification of the de-Finetti Hilbert-Schmidt state, hence tr E [|τ τ | ABE ] = σ ⊗n+kn AB dµ(σ) =: τ where µ is the measure induced by the Hilbert-Schmidt metric on End(C d ).One easily observes that where E and F denote the subprotocols after symmetrization.As |τ ABE is a purification of τ we can apply Lemma 1 implying for (E1) that where the second inequality stems from Lemma 1 and the last inequality from (E2) which finally shows the claim.
Appendix F: Confidentiality of a noisy measurement-based implementation of the hashing protocol Within this section we prove Eq. ( 8) of the main text.In doing so, we formulate the following Theorem.
Theorem 3. Let E s,α and F s,α be the real and the ideal noisy hashing protocol prepended by symmetrization where noise of strength 1 − α of the form (A1) acts on each qubit of the resource state independent and identical.Then Proof.The resource state necessary for the measurementbased implementation of hashing is pure and minimal in the number of qubits and consists only of input and output qubits, because all quantum gates involved in the hashing protocol are elements of the Clifford group [41].
Hence there are only two different locations at which noise acts: input and output qubits.For the noise acting on the input qubits we use the observation made in [42], which enables us to virtually move the noise from the input qubits to the initial states, thereby increasing their entropy.For the noise acting on the output qubits, as described in the main text, we can safely assume that this noise will act after the protocol completes, leaving us with a noiseless hashing protocol (w.r.t. the output qubits).
We deal with the noise on the input qubits by a slight modification of the parameter estimation step.Recall that Alice and Bob fix F min and F max for parameter estimation and they continue with the hashing protocol whenever their fidelity estimate F is within the interval [F − , F + ] where F ± = F PE ± ∆/4 for F PE = (F max + F min )/2 and ∆ = F max − F min .The noise acting on the input qubits of the resource states increases the entropy of the initial states which forces Alice and Bob to accept less initial states from Eve.By describing the initial states in an i.i.d.setting after the twirl via i.i.d.LDN of the form (A1), i.e. ρ = D 1 (q) |B 00 B 00 |, the parameter estimation interval [F − , F + ] transforms to [q − , q + ] via q ± = (4F ± − 1)/3.According to the previous observation that we can virtually move the noise of level α on the input qubits of the resource states, D 1 (α) and D 2 (α) respectively, to the initial states we consequently describe the initial states as we need to have α 2 q ∈ [q − , q + ] to pass the parameter estimation and run the hashing protocol.Observe that α 2 q transforms to the fidelity F of the initial states, including the noise of the resource state, via α 2 q = (4F − 1)/3.Therefore we modify the parameter estimation to continue with the hashing protocol whenever the estimate of the fidelity F of the initial states satisfies mation according to condition (F2) by the maps E s,α−in and F s,α−in respectively.It follows immediately from the definition of the protocols that we achieve the same confidentiality level of Eq. ( 7) of the main text as for the noiseless protocols, Alice and Bob will just abort the protocol more often.Hence we easily deduce We now extend the confidentiality proof to a full noisy measurement-based implementation of the hashing protocol protocol as follows: Since we can effectively move noise of level α acting on the input qubits of the resource states to the to-be-purified ensemble, the modification (F2) of the parameter estimation extends the confidentiality proof via (F3) to noise acting on the input qubits of the resource state.For noise acting on the output qubits we use the following observation: Because the noise is assumed to be of the form (A1) it is also CPTP.By denoting the noise acting on the output qubits as N α = m j=1 D j;A (α)D j;B (α) where A and B denote Alice's and Bob's parts of the final Bell-pairs, the noisy real protocol and ideal protocol read as E s,α = N α • E s,α−in and F s,α = N α • F s,α−in respectively [64].Hence (F3) and the contractivity of the 1−norm for CPTP maps imply What remains to be dealt with are the Pauli byproduct operators due to the measurement outcomes at the inputs, but since LDN of the form (A1) commutes with the Pauli byproduct operators we do not have to worry about them in the proof of confidentiality, which completes the proof.
Appendix G: Confidentiality of multiparty hashing protocol for two-colorable graph states We start by recalling some basic notation, definitions and properties of graph states.We define the graph state basis |ψ κ1,...,κ N where κ 1 , . . ., κ N ∈ {0, 1} associated with a graph G = (V, E) where N = |V | as the common eigenstate of the correlation operators with eigenvalues (−1) κj for 1 ≤ j ≤ N where the superscript denote the qubit on which the Pauli operator is acting on.We refer to the state |ψ 0,...,0 also as the graph state associated with G = (V, E).Note that the states {|ψ κ1,...,κ N } 1 κ1,...,κ N =0 form a basis of the Hilbert-space (C 2 ) ⊗N .A special class of graph states are so-called twocolorable graph states which correspond to two-colorable graphs.A graph is said to be two-colorable if there exists a mapping f : V → {1, 2} such that for all vertices v ∈ V it holds that f (v) = f (w) for all neighbors w ∈ V of v.The most prominent example of two-colorable graph states are GHZ and cluster states [54].Suppose we want to distill a two-colorable graph state |ψ 0...0 corresponding to a graph G = (V, E) where V = V A ∪ V B , A and B denote the colors and The multipartite hashing protocol assumes asymptotically many i.i.d.initial states ρ diagonal in the graph state basis, i.e. ρ = µ,ν λ µ,ν |ψ µ,ν ψ µ,ν | where µ = (µ 1 , . . ., µ N A ) ∈ {0, 1} N A and ν = (ν 1 , . . ., ν N B ) ∈ {0, 1} N B are multiindices corresponding to color A and B respectively [65].For two-colorable graph states we define multilateral CNOTs on two copies ρ 1 and ρ 2 which enable us to transfer information between the initial states ρ 1 and ρ 2 .More precisely, by applying a CNOT to all particles in V A (V B ) where ρ 1 serves as target(source) and ρ 2 as source (target) a straightforward computation leads to (by denoting this unitary as U 1 ) By exchanging the roles of V A and V B one obtains (by denoting this unitary as U 2 ) Suppose we measure all qubits of the graph state |ψ µ1,...,µ N A ,ν1,...,ν N B belonging to the set V A with the X and all qubits of the set V B with the Z observable.By denoting the outcomes of the X measurements with ξ i ∈ {0, 1} and the outcomes of the Z measurements with ζ j ∈ {0, 1} one immediately finds via (G1) for all 1 ≤ i ≤ N A .In other words, we can use this measurement setting to reveal information about all κ i for 1 ≤ i ≤ N A simultaneously.We refer to this measurements with M 1 .Similarly, by exchanging the roles of V A and V B we obtain information about all ν i for 1 ≤ i ≤ N b .
In the following, we refer to this measurements with M 2 .
The multiparty hashing protocol is now defined as follows [30]: In order to reveal information about color A, i.e. µ, (which we denote as sub-protocol P 1 ) we apply U 1 to a random subset of the n initial states with common target system (thereby accumulating the values corresponding to color A) and perform measurement M 1 on this common system.Similarly, by applying U 2 to a random subset of the initial states with a common target system (thereby accumulating the values corresponding to color B) followed by M 2 on this common system one obtains information about color B, i.e. ν (which we denote as sub-protocol P 2 ).Repeating the sub-protocols P 1 and P 2 sufficiently many times leads to perfect knowledge about the remaining states, i.e. one ends up in a pure state (which we restore to the target state |ψ 0,...,0 ⊗m ).Recall that the overall protocol prepends the multiparty hashing protocol by a twirling and parameter estimation step.The twirling step ensures that the initial states are diagonal within the graph state basis, see [30], whereas the participants use parameter estimation to decide whether the multiparty hashing protocol will succeed or not.Formally, we define the probabilities For example, for a three-qubit state we have a Observe that the values S(a i ) and S(b j ) correspond to the entropies of µ i and ν j within the vectors µ and ν.As shown in [30], the protocol described above is in the asymptotic limit capable of distilling m = n(1 − max 1≤i≤N A S(a i ) − max 1≤j≤N B S(b j )) copies of the state |ψ 0,...,0 .Now we are ready to compute the distance of the real and ideal multiparty hashing protocol for i.i.d.initial states.Intuitively it follows from the same arguments as in the bipartite setting.Theorem 4. Let E be the real and F be the ideal multiparty hashing protocol.Furthermore let ρ be an initial state.Then where Proof.Recall that the multiparty hashing protocol aims to distill several copies of a two-colorable graph state via the sub-protocols P 1 for color A and P 2 for color B from n copies of the initial state ρ = µ,ν |ψ µ,ν ψ µ,ν | where the states |ψ µ,ν correspond to the graph state basis.The crucial observation is that we learn the values of µ and ν corresponding to the colors A and B within n copies of the initial state ρ = µ,ν |ψ µ,ν ψ µ,ν | via the sub-protocols P 1 and P 2 independently.In other words, µ and ν do not get correlated during the protocol execution, i.e. they remain independent.By taking a closer look at P 1 (P 2 ) we infer that also the individual components of µ (ν) remain independent.In particular, the components of µ = (µ 1 , . . ., µ N A ) (ν = (ν 1 , . . ., ν N B )) remain distinct during the protocol, i.e. for each i the value µ i is independent of µ k for all k = i (for each j the value ν j is independent of ν k for all k = j).This is due to the fact that U 1 (U 2 ) operates component-wise on µ (ν) [66].Keeping this observations in mind, it is straightforward to provide finite size estimates for the fidelity of the state after the protocol relative to |ψ 0,...,0 .Observe that the hashing protocol fails if either P 1 or P 2 fails which implies for the failure probability p f of the hashing protocol p f ≤ p P1 +p P2 where p P1 and p P2 denote the failure probabilities of sub-protocol P 1 and P 2 respectively.First we discuss the failure probability of sub-protocol P 1 .This sub-protocol can fail due to three reasons, similar as in the bipartite setting: the initial states do not belong to the likely subspace or, after the sub-protocol has finished, two or more configurations are compatible with the collected parity information, or the protocol is continued mistakenly after parameter estimation, i.e. the parties should have aborted but continued the multiparty hashing protocol to its very end.To provide an estimate for the probability that the initial states fall outside the likely subspace w.r.t.sub-protocol P 1 we define for color A the random variables X (i) (b) for 1 ≤ i ≤ N A which take the values with probability a (b) i .In order to learn µ, we observe that a specific µ = (µ 1 , . . ., µ N A ) belongs to the likely subspace L whenever each µ i belongs to its likely subspace L i , i.e.
Consequently Pr (µ / ∈ L) ≤ Pr (µ i / ∈ L i ) . (G10) We estimate Pr (µ i / ∈ L i ) via Hoeffding's inequality [63].In order to apply Hoeffding's inequality we need to make sure that λ µ,ν = 0 for all µ and ν after twirling, as the the random variables X (i) (b) of (G8) need to be bounded.We achieve this by mixing each individual initial state with a small, but defined, portion of the identity operator.From this we observe that the random variables X (i) have zero where C = max 1≤i≤N A C i .Note that (G12) is independent of i, which implies for (G10) that Observe that C = max 1≤i≤N A C i still depends on the initial states.Due to parameter estimation one finds another constant C > C independent of the initial states.The probability of not being able to distinguish between two or more configurations is, for a particular component of µ, again 2 −nδ , as for the bipartite case.Hence inserting δ = n −1/4 gives that the probability of misidentifying a specific µ i where 1 ≤ i ≤ N A is bounded by 2 −n 3/4 .Therefore the probability of misidentifying µ is bounded by N A 2 −n 3/4 .We point out that also in the multipartite setting a parameter estimation step is crucial in order to ensure distillation.For that purpose we find that the states after twirling and mixing are diagonal within the graph state basis, i.e. of the form where all λ µ,ν = 0.The goal of parameter estimation is to provide estimates a i and b j for the probability distributions a i and b j of (G5) and (G6) for all 1 ≤ i ≤ N A and 1 ≤ j ≤ N B .The concrete boundaries for which the participants continue with hashing depends on the target state of the protocol.However, it suffices to estimate λ µ,ν for all µ and ν which we denote by λ µ,ν .Observe that we have to determine in total 2 N coefficients, where N denotes the number of participants and is constant.This can be done via measurements on kn systems of ρ according to the observables of the correlation operators (G1).Indeed, the expected values of the correlation operators are sufficient to determine the coefficients λ µ,ν for all µ and ν within ρ = µ,ν λ µ,ν |ψ µ,ν ψ µ,ν |.Now one can apply Hoeffding's inequality to exponentially bound the probabilities that the estimates λ µ,ν of λ µ,ν have a distance larger than some fixed η > 0 (which corrsponds to the accuracy of our estimate λ µ,ν ) similar to the bipartite case.From this we deduce that the probability of continuing with the hashing protocol mistakenly is exponentially small in terms of the number n of initial states.
In summary, via the same argument as in the bipartite case (i.e. the previous estimates are upper bounds for the real failure probabilities, see (C3), (C4) and (C8)), the probability that sub-protocol P Observe that Eq. (G7) is restricted to i.i.d.initial states rather than arbitrary initial states and does not take into account Eve's purification of the initial states.But since Theorem 1 of the main text is also applicable to the multiparty hashing protocol, we eliminate these issues and immediately infer for the multiparty hashing protocol prepended by symmetrization by using (G7) that The proof of (G15) is simple: Theorem 1 of the main text applies to the multiparty hashing protocol with d = 2 M , where M denotes the number of participants.Hence (G7) implies (G15) via Theorem 1 of the main text.

FIG. 1 .
FIG. 1.Visualization of the different regimes in the α − q plane (only the upper right corner of the entire plane is shown).In the white area neither privacy nor purification is achieved.In the entire colored area privacy is guaranteed, but only in the blue area one has distillation.This means that there is a parameter regime (yellow area), where one has privacy despite the fact that the fidelity of the Bell pairs does not increase during the distillation.

Fig. 3 .FIG. 3 .
Fig.3.Observe that we have moved the noise from Bob's to Alice's side due to the symmetry of Bell-states.Thus
mean and that |X (i) | ≤ max b∈0,1 | log 2 a (b) i | + S(a i ) =: C i after mixing.Therefore the Hoeffding inequality implies Pr t where k denotes the index of the initial state within ρ ⊗n and i the i−th component of µ.Inserting t = nδ in (G11) together with δ = n −1/4 yields Pr (µ i / ∈ L i ) = Pr n k=1 each individual pair into one target system via several controlled NOTs.Recall that such a bilateral controlled NOT transforms a tensor product of two Bell-states |B i1j1 and |B i2j2 to the tensor-product state |B i1⊕i2j1 |B i1j1⊕j2 .Next, the parties measure the target Bell-pair which is determined by the string.This measurement reveals essentially one bit of parity information about the remaining ensemble, thereby purifying it (as the mixedness of a state can be interpreted as a lack of classical information).The basic distillation step is iterated several times and in the end a fraction of purified systems remains.