A largely self-contained and complete security proof for quantum key distribution

In this work we present a security analysis for quantum key distribution, establishing a rigorous tradeoff between various protocol and security parameters for a class of entanglement-based and prepare-and-measure protocols. The goal of this paper is twofold: 1) to review and clarify the state-of-the-art security analysis based on entropic uncertainty relations, and 2) to provide an accessible resource for researchers interested in a security analysis of quantum cryptographic protocols that takes into account finite resource effects. For this purpose we collect and clarify several arguments spread in the literature on the subject with the goal of making this treatment largely self-contained. More precisely, we focus on a class of prepare-and-measure protocols based on the Bennett-Brassard (BB84) protocol as well as a class of entanglement-based protocols similar to the Bennett-Brassard-Mermin (BBM92) protocol. We carefully formalize the different steps in these protocols, including randomization, measurement, parameter estimation, error correction and privacy amplification, allowing us to be mathematically precise throughout the security analysis. We start from an operational definition of what it means for a quantum key distribution protocol to be secure and derive simple conditions that serve as sufficient condition for secrecy and correctness. We then derive and eventually discuss tradeoff relations between the block length of the classical computation, the noise tolerance, the secret key length and the security parameters for our protocols. Our results significantly improve upon previously reported tradeoffs.


Introduction
Quantum key distribution (QKD) is a cryptographic task that allows two distant parties, Alice and Bob, to exchange secret keys and communicate securely over an untrusted quantum channel, provided they have access to an authenticated classical channel.The first QKD protocol, BB84, was proposed by Bennett and Brassard [1] more than three decades ago and the last 30 years have witnessed staggering experimental advances, making QKD the first quantum information technology.With the advent of quantum information theory, Ekert [2] offered a fruitful new perspective on quantum key distribution by casting it in terms of quantum entanglement and Bell nonlocality and it was quickly noted that the original BB84 protocol can be seen in this light as well [3].This new perspective was particularly useful for the development of formal security proofs of QKD.
Formalizing the intuitive security arguments accompanying the first protocols has proven to be challenging.Early proofs by Lo and Chau [4], Shor and Preskill [5], and Mayers [6] successfully attacked the problem in the asymptotic limit of infinitely many exchanged quantum signals (and unbounded classical computing power).A later work by Koashi [7] first brought to light that security can be certified using an entropic form [8] of Heisenberg's uncertainty principle [9].However, these works all lacked a convincing treatment of the security tradeoff in a more realistic regime where the number of exchanged signals and the classical computing power (i.e., the length of the bit strings computations are performed on) are necessarily finite, and the final secret key is thus also of finite length.As absolute security is no longer feasible, the first and most crucial question arising in this finite regime is how to properly define approximate security of a cryptographic protocol.Following developments in classical cryptography, Renner [10] extended the concept of composable security to quantum key distribution and established a first security proof for finite key lengths.This security analysis essentially established a tradeoff between different parameters of a quantum key distribution protocol: Robustness: According to the notion of security discussed above, a quantum key distribution protocol can be perfectly secure and completely useless because it always aborts.As an additional requirement we thus impose that the protocol succeeds with high probability when the quantum channel is subject to noise below a specific (and realistic) threshold.This describes the robustness of the protocol against noise, that is, the probability that the protocol returns a nontrivial key for a given noise level.The noise model used should capture the dynamics of the quantum channel in the expected field operation; however, the exact specification of the noise model -and whether the noise is caused by an eavesdropper or just by the undisturbed operation of the channel -is independent of any security considerations and can thus be treated independently.The robustness, and more specifically the values of the channel parameters for which the robustness goes to zero, is an important figure of merit to compare the expected performance of various protocols.
The tradeoffs between these parameters have been significantly improved since Renner's proof [10], in particular by Tomamichel et al. [13] and Hayashi and Tsurumaru [14], so that the proofs are now sufficiently tight to provide security for realistic implementations of quantum key distribution.The present analysis will mostly follow the approach in the former paper [13].
So what justifies us revisiting this problem here?Firstly, we believe that presenting a complete and rigorous security proof in a single article will make the topic of finite size security more accessible to researchers in quantum cryptography.Secondly, thanks to some improvements in the technical derivation and a steamlining of the analysis, our proof yields significantly stronger tradeoff relations between security and performance parameters.It is worth noting here that strengthening theoretical tradeoff relations of a QKD protocol has rather direct implications for practical implementations as it allows for the generation of more secure key at the same noise level without any changes to the hardware.Thirdly, although all the necessary technical ingredients and conceptual insights are present in the literature, we were not able to find a concise security proof for any QKD protocol that satisfies the following two stringent criteria: The second point may appear trivial -but we believe the absence of a complete formalization of all aspects of a protocol found in many research papers presents a major obstacle in verifying the proofs and learning about the security of quantum key distribution and quantum cryptography in general.It is in fact common in much of the present literature to fully formalize some aspects of a security proof while keeping other aspects vague and informal -and this has lead to various misconceptions.
Let us illuminate this issue with an example.It is often argued (e.g. in [15]) that collective attacks (where the eavesdropper attacks every quantum signal exchanged between Alice and Bob in the same way) are optimal for the eavesdropper using symmetry and de-Finetti arguments [16,17].To get such symmetry it is at some point or another used that measurements are performed in a random basis or that a random subset of raw key bits are used for parameter estimation.However, complete security proofs also must allow for the protocol to abort in case certain thresholds are not met, and one is then left to analyze the state of the system conditioned on the fact that the protocol does not abort.This conditioning will in general introduce correlations between the state held by Alice and Bob and the seeds used to choose the measurement bases and parameter estimation subset, violating the strict symmetry assumptions.Even if these correlations are weak in typical cases, they prove problematic since they allow the eavesdropper to slightly influence Alice and Bob's measurement devices 2 , something which is usually explicitly forbidden in security proofs for quantum key distribution with trusted devices.Hence, many simple arguments based on symmetry or independent randomness simply do not go through without modification when the security proof is put under a microscope.
As mentioned above, the early asymptotic proofs fail with Point 1.Moreover, while Renner's analysis [10] gives bounds for finite keys, these are not sufficient to pass Point 1 since the bounds are not strong enough for realistic key lengths. 3More recent security proofs by Tomamichel et al. [13] and Hayashi and Tsurumaru [14] satisfy Point 1, but they are not fully formalized and thus do not satisfy Point 2. 4 In fact, our requirements in Point 2 are very stringent and we are not aware of any security proof that has met this level of rigor, except arguably Renner's thesis [10].A recent security proof for the one-sided device-independent setting [20] satisfies Point 2 but provides a key rate that is not optimal asymptotically.

Results and Outline.
In the present paper, we give a rigorous and largely self-contained security proof for QKD that satisfies the two conditions above.The proof is based on the security analysis in [13] and uses an entropic uncertainty relation [21] as its main ingredient.A few additional technical results and modifications of previous results are needed.We hope that our proof is accessible to all researchers interested in the security of quantum cryptography.As such, our treatment does not require the reader to have prior knowledge of various tricks and security reductions in quantum cryptography, but presumes a solid understanding of the mathematical foundations of quantum information theory.
The remainder of this manuscript is structured as follows.First we introduce necessary notation and concepts in Section 2. In Part I we analyze a class of simple entanglement-based protocols reminiscent of the BBM92 protocol [3].Section 3 formally describes the class of protocols we are using (see also Table 2).Section 4 formally introduces our security definitions and claims.We discuss our results in Section 5 and provide a detailed security proof in Section 6.In Part II we move on to a prepare-and-measure protocol that is essentially equivalent to BB84.Section 7 formally introduces this class of protocols (see also Table 5) and Section 9.3 reduces their security to the security of the entanglement-based protocol.
Note added.After completion of this work a novel and intriguing proof technique (based on Rényi entropy accumulation) has been proposed by Dupuis et al. [22].This technique does not yet seem to yield tradeoffs between security and protocol parameters that match those found in [13] and [14], on which we improve upon here.However, the technique is more versatile and in particular allows to show security of device-independent protocols as demonstrated by Arnon-Friedman et al. [23].Device-independent protocols have the advantage that fewer assumptions on the physical devices used in the protocol are required, but are beyond the scope of this work.

Formalism and notation
We will summarize some concepts necessary for our formal security proofs here, assuming that the reader is familiar with the mathematical foundations of quantum information theory.We refer to [24] for a comprehensive introduction into this mathematical toolkit.Sections 2.1-2.4 are necessary for understanding our main exposition whereas the concepts introduced in Sections 2.5 will be employed only in the security proof.

Quantum systems, states and metrics
Individual quantum systems and the corresponding finite-dimensional Hilbert spaces are denoted by capital letters.The dimension of the system A is denoted by |A|.A joint quantum system AB is defined via the tensor product of the corresponding Hilbert spaces of A and B. We use [m] to denote the set {1, 2, . . ., m} and use A [m] to denote a joint quantum system comprised of quantum systems A 1 A 2 . . .A m .Similarly, if the subscript is a subset of [m], we just refer to the subsystems in the subset.Let us also introduce the notation We write S(A) to denote normalized states on A, i.e., positive semi-definite operators acting on the Hilbert space A with unit trace.A state is called pure if it the corresponding operator has rank 1.We will employ the trace distance between states, which is defined as where P ranges over projectors, i.e. positive semi-definite operators with eigenvalues in {0, 1}.In particular, we have ρ − σ tr = 1 2 ρ − σ 1 , where • 1 denotes the Schatten 1-norm.The trace distance has an immediate physical interpretation [25]: for two states with trace distance ε, the maximum probability of distinguishing them with a single measurement equals 1  2 (1 + ε).We also collect positive semi-definite operators with trace norm not exceeding 1 on A in the set S • (A), and call them sub-normalized states. 5Sub-normalized states will be very convenient for technical reasons as they allow us to represent the state of quantum systems and classical events simultaneously.The following metric is very useful when dealing with sub-normalized states: Definition 1 (Purified distance).For ρ A , σ A ∈ S • (A), we define the generalized fidelity, and the purified distance, The purified distance is a metric on sub-normalized states and satisfies [26, Lemma 2] for every completely positive (CP) trace non-increasing map F. This means in particular that the distance contracts when we apply a quantum channel to both states.An important property of the purified distance [24, Corollary 3.1] is that for any two states ρ A , σ A and any extension ρ AB of ρ A , there exists an extension σ AB with P (ρ AB , σ AB ) = P (ρ A , σ B ). (This property is not true in general for the trace distance.)Moreover, it is related to the trace distance as follows [26,Lemma 6]:

Classical registers and events
We model discrete random variables by finite-dimensional quantum systems, called registers, with a fixed orthonormal basis.For example, let X ∈ X be a random variable with probability law x → P X (x).Then we write the corresponding quantum state as where {|x } x∈X is an orthonormal basis of the space X.Conversely, we write Pr[X = x] ρ = P X (x).
More generally, the classical register might be correlated with a quantum system A, and this is modeled using classical-quantum (cq) states: where we use ρ A|X=x to denote the quantum state on A conditioned on the register X taking the value x.We also write Pr[X = x] ρ = tr{|x x| X ρ XA } = P X (x).This convention is extended to arbitrary events defined on a classical register X, i.e. if Ω : X → {0, 1} is an event, we write a state that is generally sub-normalized.We will also write ρ XA|Ω = Pr[Ω] −1 ρ ρ XA|Ω for the conditional state.For any event Ω : X → {0, 1} we denote its complement on X by ¬Ω.

Quantum channels and measurements
A quantum channel E : A → B is a completely positive trace-preserving (CPTP) map that maps operators on A to operators on B. Prime examples of quantum channels are the trace, denoted tr, and the partial trace over system A, denoted tr A .We will encounter the diamond distance between CPTP maps, which we here define as where the optimization goes over joint states on A and an auxiliary system C, and we can assume without loss of generality that |C| ≤ |A|.The diamond distance also inherits the physical interpretation of the trace distance: for two quantum channels with diamond distance ε, the maximum probability of distinguishing them by preparing a state on the input system and an ancilla system and then measuring the joint system after applying the channel equals where 1 A denotes the identity operator on A. A measurement on A can be represented as a CPTP map M A→X that maps states on a quantum system A to measurement outcomes stored in a register X.The measurement in (9) applied to a bipartite state ρ AB yields where σ XB is now a (normalized) classical-quantum state.Finally, let f : X → Y be a function acting on two sets X and Y.We denote by E f : X → XY the corresponding cptp map that acts on classical registers X and Y of a general cq state.Note that we defined the map such that the input register X is kept intact and the operation is deterministic and invertible.

Universal hash functions
Universal hashing is used (at least6 ) twice in the analysis of the quantum key distribution protocol: first in the error correction step to ensure the correctness of the protocol (Theorem 2), and then in the privacy amplification procedure to guarantee the secrecy of the final key.
Definition 2 (Universal 2 Hashing).Let H = {h} be a family of functions from X to Z.The family H is said to be universal |Z| for any pair of distinct elements x, x ∈ X , when H is chosen uniformly at random in H.
In this work we do not need to specify any particular family of hash functions, and it suffices to note that such families of functions always exist if |X | and |Z| are powers of 2. (See, e.g., [27,28].)

Conditional entropies
Conditional entropies measure the amount of uncertainty present in a random variable from the perspective of an observer with access to correlated side information.Here we are particularly interested in observers that have access to a quantum system that serves as side information, for example the eavesdropper's memory after interfering with the quantum communication during the run of a quantum key distribution protocol.The most common measure of entropy is the Shannon or von Neumann entropy, defined as H(X) ρ := − x∈X P X (x) log P X (x).However, while this entropy has various operational interpretations in the asymptotic limit of infinite repetitions of an information processing task, it is insufficient to describe finite size effects.On the other hand, smooth minand max-entropy allow us to capture such finite size effects and share many properties with the von Neumann entropy.We will not need the full generality of the smooth entropy formalism here and instead refer to [24] for a comprehensive introduction.
Min-and max-entropy are natural generalizations of conditional Rényi entropies [29] to the quantum setting and were first proposed by Renner [10] and König et al. [30].The conditional min-entropy captures how difficult it is for an observer with access to quantum side information to guess the content of a classical register.For a bipartite cq state ρ XB ∈ S(AB), we define where the optimization goes over all generalized measurements on B.
The conditional min-entropy for a cq state is then defined as H min (X|B) ρ := − log p guess (X|B) ρ .For later convenience we introduce the measure more generally for any bipartite, potentially sub-normalized, state: Definition 3 (Min-entropy).For any bipartite state ρ AB ∈ S • (AB), we define Showing equivalence between this definition and the special case of cq states in (12) involves semidefiniteprogramming duality [30] and is outside the scope of this work.We will also encounter the max-entropy, which is a natural dual of the min-entropy in the following sense: Definition 4 (Max-entropy).For any tripartite state ρ AB ∈ S • (AB), we define where ρ ABC is any pure state with tr C {ρ ABC } = ρ AB .
The max-entropy is a measure of the size of the support of X.In particular, we have the following ordering of unconditional entropies: which is a consequence of the monotonicity of the Rényi entropies [29] in the order parameter.Here and throughout this article log denotes the binary logarithm.We will need a slight generalization of the concepts of conditional min-and max-entropy, which takes into account a ball of states close to ρ AB in terms of the purified distance introduced in the previous section.
Definition 5 (Smooth Entropies).For ρ AB ∈ S • (AB) and ε ∈ 0, tr(ρ AB ) , we define In the above definitions we can replace the supremum and infimum with a maximum and minimum, respectively.Roughly speaking, the smooth conditional min-entropy of X given B approximates how much randomness that is uniform for an observer with access to B can be extracted from X. (This will be made formal when discussing the Leftover Hashing Lemma in Section 6.4.)The smooth entropies inherit the duality relation [26].For any pure state ρ ABC ∈ S • (ABC), we have The smooth entropies also satisfy a data-processing inequality (DPI) [26,Theorem 18].For any cq state ρ XB and any completely positive trace-preserving map E B→C , we have This expresses our intuition that performing any processing of the side information can at most increase our uncertainty about X.Moreover, we need a simple chain rule [31, Lemma 11], which states that where X is a (classical) register of dimension |X|.This corroborates our intuition that an additional bit of side information on X cannot decrease our uncertainty about X by more than one bit.
We have defined all these quantities for sub-normalized states so that we can easily treat restrictions to events.Let ρ AXBY ∈ S(ABXY ) be classical on X and Y and let Ω : X × Y → {0, 1} be an event.Then we denote by H(AX ∧ Ω|BY ) ρ the conditional entropy evaluated for the state ρ AXBY ∧Ω .Similarly, H(AX ∧ Ω|B) ρ denotes the smooth conditional min-entropy evaluated for the marginal ρ AXB∧Ω = tr Y {ρ AXBY ∧Ω }.These states are in general sub-normalized.The same notational convention is also used for (smooth) min-and max-entropy.

Entanglement-based protocol 3 Formal description of the entanglement-based protocol
We first focus on class of simple entanglement-based QKD protocols.We give an overview of the protocols in Table 2. Section 3.1 discusses the assumptions that go into our model, Section 3.2 presents the protocol parameters, and the detailed mathematical description of the individual steps follows in Section 3.3.
Let us emphasize that by simple protocols, we mean that we restrict our attention to protocols where the sifting procedure is essentially given for free, meaning that Alice and Bob are assumed to initially share a quantum state on which all the measurements are performed.Relatedly, we also do not allow for strategies where the measurement settings are biased towards a specific value. 7As discussed in Part II, the sifting procedure can be analyzed separately under certain assumptions.

Assumptions of our model
Every mathematical model of physical reality requires some assumptions, and in cryptography it is important to discuss these assumptions since if they are not met by an implementation then the security guarantees derived here are also not applicable to this implementation.

Finite-dimensional quantum systems:
We assume that Alice's and Bob's relevant quantum degrees of freedom can be effectively represented on a finite-dimensional Hilbert space.(This requirement is not strictly necessary to show security but allows us to circumvent some technical pitfalls.)

Sealed laboratories:
We assume that the laboratories of Alice and Bob are spatially separated.This allows us to model joint quantum systems AB shared between Alice and Bob as tensor products of respective local Hilbert spaces A and B.Moreover, an easily overlooked (an in practice hard to ensure) assumption we need is that we control exactly what information is released from Alice and Bob's laboratory.

Random seeds:
We assume that Alice has access to uniform randomness (uniformly random seeds).In practice, the seeds can be produced by a trusted quantum random number generator in Alice's lab.8

Authenticated communication channel:
We assume that Alice and Bob share an authenticated public (classical) communication channel.Everything that is communicated over this channel will be in the public domain and is thus treated as an output of the protocol.The authentication of the classical channel can be obtained with information-theoretic security by tagging every classical message [28].A more detailed discussion of authentication for QKD is beyond the scope of the present work, and the interested reader is referred to Portmann and Renner [34,  Seed for the choice of the measurement bases in the idealized protocol S Π Seed for the choice of the random subset π ∈ Π m,k used for parameter estimation S Ξ Seed for the choice of the measurement bases for the subsystems used for parameter estimation S Θ Seed for the choice of the measurement bases for the subsystems used for key distillation S Hec Seed for the choice of the hash function used in the error correction test S Hpa Seed for the choice of the hash function used in the privacy amplification step S Register corresponding to all the seeds, S = (S Φ , S Π , S Ξ , S Θ , S Hpe , S Hec , S Hpa ).

Deterministic detection:
We further assume that Alice and Bob's measurement devices always output a valid outcome, either 0 or 1.This is unrealistic in practice since it is often the case that detectors will not detect the quantum system (due to losses or imperfect detection efficiency).A simple fix is then to flip a coin and use the resulting bit as the measurement output.Unfortunately, this solution artificially decreases the robustness of the protocol beyond what is usually tolerable in a practical setting.Another much more practical solution consists in discarding these "no detection" events, but this should be done with care and requires extra-assumptions about the measurement devices to prevent various types of side-channel attacks such as that of Lydersen et al. [35].We will discuss this solution in more detail in Part II of this work.

Commuting measurements:
The block length is given by a protocol parameter, m, which will be discussed in Section 3.2.For Alice and Bob to run a protocol with block length m, we need to assume that both can perform up to m measurements (with either one of two possible settings) on their share of the quantum state in such a way that the order in which they do these measurements does not affect the resulting measurement outcome distribution.This is a standard assumption in the model of trusted measurement devices (by opposition to device-independent cryptography) and ensures that there are no memory effects in the measurement devices.More formally, we assume that Alice's and Bob's share of the quantum system can be decomposed into m individual quantum systems, . .B m and that the measurements can be represented as operators acting on the individual subsystems.We model Alice's i-th measurement with setting φ ∈ {0, 1} by a binary generalized measurement {M φ,x Ai } x∈{0,1} acting on subsystem A i .The index x ranges over the two possible outcomes of Alice's measurement.Analogously, Bob's i-th measurement with setting φ ∈ {0, 1} is a binary generalized measurement {M φ,y Bi } y∈{0,1} acting on subsystem B i .The index y ranges over the two possible outcomes of Bob's measurement.

Complementarity of Alice's measurements:
The exact description of the measurement devices will not be relevant for our derivations.However, we will need to assume that Alice's measurements are sufficiently complementary, a property that is encapsulated by the average overlap, c(m, n) that we introduce next.Let m be the block length and n the number of bits used for key extraction (see Section 3.2 for a discussion of the protocol parameters).Let us define and c In an ideal physical implementation of the protocol with complementary measurements (for example in the computational and Hadamard basis), we would have In realistic implementations, its value will be larger.We assume that there exists a reliable upper bound on c i .More precisely, we assume that We always have c i ∈ [0, 1] and the condition c < 1 is necessary to ensure secrecy.As long as the commuting measurement assumption holds, the parameter c can in principle be measured directly in an experiment -even if the operators {M φ,x Ai } φ,x are unknown.9For Bob we do not need to assume a bound on the complementarity parameter.(We only need to assume that the measurements commute, as described in the previous item.)

Protocol parameters and overview
From an information theoretic and mathematical point of view, an entanglement-based QKD protocol is simply a completely positive trace-preserving (CPTP) map composed of local operations and classical communication (LOCC) that takes a bipartite state ρ AB as an input and either aborts or returns two classical binary strings, the keys, which should ideally be identical and independent of the knowledge of any third party having access to a purifying system of ρ AB and to the transcript of the communication performed by the protocol.
We consider protocols qkd_eb m,pe,ec,pa that are parametrized by the block length, m, and the sub-protocols for parameter estimation, error correction and privacy amplification, respectively denoted by pe, ec, and pa.
• The block length, m ∈ N, determines the number of individual quantum systems that are shared between Alice and Bob, and thus available to them for parameter estimation and key extraction.
• Parameter estimation is characterized by a tuple pe = {k, δ}, where k ∈ N, k ≤ m determines the number of quantum systems used for parameter estimation and δ ∈ (0, 1 2 ) is the tolerated error rate.Let us for later convenience also define n := m−k to denote the number of quantum systems used for key generation.
• The error correcting scheme is described by a quintuple ec = {t, r, synd, corr, H ec }.Here, r ∈ N is the length (in bits) of the error correction syndrome.Moreover, synd and corr are functions of the form synd : {0, 1} n → {0, 1} r and corr : {0, 1} n × {0, 1} r → {0, 1} n used to compute the error syndrome and calculate the corrected string, respectively.We do not need to assume anything about the structure of this code.To fix ideas, let us just note that there exist good error correction codes with r ≈ nh(δ), where h is the binary entropy function and δ is the number of errors to be corrected. 10inally, t ∈ N is the length (in bits) of the hash used for verification and H ec := h ec : {0, 1} n → {0, 1} t is a universal 2 family of hash functions.We will see in Theorem 2 that the size t only depends logarithmically on the targeted correctness parameter.Randomization: They agree on a random string Φ ∈ {0, 1} m , a random subset Π ∈ Π m,k , and random hash functions H ec ∈ H ec as well as H pa ∈ H pa .The corresponding uniformly random seeds are denoted S = (S Φ , S Π , S Hec , S Hpa ).
Measurement: Alice and Bob measure the m quantum systems with the setting Φ.They store the binary measurement outcomes in two strings, the raw keys.These are denoted (X, V ) and (Y, W ) for Alice and Bob, respectively.Here V, W are of length k and correspond to the indices in Π, whereas X, Y of length n correspond to indices not in Π.
Parameter Estimation: Alice sends V to Bob, the transcript is denoted C V .Bob compares V and W .If the fraction of errors exceeds δ, Bob sets the flag F pe = ∅ and they abort.Otherwise he sets F pe = and they proceed.
Error Correction: Alice sends the syndrome Z = synd(X) to Bob, with transcript C Z .Bob computes X = corr(Y, Z).
To verify the success of the error correction step, Alice computes the hash T = H ec (X) of length t and sends it to Bob, with transcript C T .Bob computes H ec ( X).If it differs from T , he sets the flag F ec = ∅ and they abort the protocol.Otherwise he sets F ec = and they proceed.
Privacy Amplification: They compute keys K A = H pa (X) and K B = H pa ( X) of length .

Output:
The output of the protocol consists of the keys K A and K B , the seeds S = (S Φ , S Π , S Hec , S Hpa ), the transcript C = (C V , C Z , C T ) and the flags F = (F pe , F ec ).In case of abort, we assume that all registers are initialized to a predetermined value.
Table 2: Simple QKD Protocol.The precise mathematical model is to be found in Section 3.3.
• Privacy amplification is characterized by a tuple pa = { , H pa }, where ∈ N with ≤ n is the length (in bits) of the extracted key and H pa := h pa : {0, 1} n → {0, 1} is a universal 2 family of hash functions.
Note that , the length of the final key, is fixed.It is in principle possible to design adaptive protocols where the final key length is chosen after parameter estimation, but this is beyond the scope of this work.
This allows us to define a family of protocols qkd_eb m,pe,ec,pa in Table 2.Note that any such protocol is simply a completely positive trace-preserving map that maps bipartite quantum states shared between Alice and Bob onto probability distributions of the classical outputs, and we will define their exact operation in Section 3.3.

Exact mathematical model of the protocol
Here we describe in detail the mathematical model underlying the protocol in Table 2.It is worth emphasizing that the eavesdropper does not appear anywhere in this description, but will of course be required when assessing the security of the protocol as discussed in Section 4.

Input: Alice and Bob are given a state ρ AB , where
of m quantum systems of arbitrary, finite dimension.Note that apart from the above structure, the state ρ AB is fully general.The situation is depicted in Figure 1.

Alice public domain Bob
A B

Randomization:
We model the randomization by random seeds (uniform random variables), shared between Alice and Bob over the public authenticated channel.These random seeds are represented by a quantum state ρ S which is assumed to be maximally mixed and independent of ρ AB .The situation after randomization is depicted in Figure 2. Let us now detail the content of the system S.
The first random variable is a random basis choice for each quantum system.This is modeled as a register S Φ in the state where {|φ } φ∈{0,1} m is an orthonormal basis of the space S Φ and φ The total state at the beginning of the protocol is thus of the form ρ AB ⊗ ρ S Φ .
The seed for the choice of the random subset is denoted S Π and is initially in the state where {|π } π∈Π m,k is an orthonormal basis of the space S Π .For any π ∈ Π m,k , we denote its k elements by π i , for i ∈ [k] and we denote by π ∈ [m] the complement of π.
At this point we reorder the measurement settings in S Φ into two parts: the settings to be used for measuring quantum systems in π will be stored in a register S Ξ and the settings to be used for measuring the remaining n quantum systems in π will be stored in a register S Θ .Formally, we consider the function Since S Φ is uniformly random, the resulting state after applying this function and discarding S Φ is of the form where the registers containing S Ξ and S Θ are again uniformly random: The choice of the hash function in the family H ec = {h ec : {0, 1} n → {0, 1} t } and the choice of hash function in the family H pa = {h pa : {0, 1} n → {0, 1} t } are modeled via random seeds Measurement: We split the measurement process into two parts, measuring the systems in the set π and π separately.While this distinction is not relevant for the practical implementation of the protocol, the notation introduced here will be important for the security analysis later.The first measurement concerns the registers in π, which are used for parameter estimation.For any subset π ∈ Π m,k , we define a completely positive trace-preserving map models k binary classical registers storing the measurement outcomes.The map is given by where . This map measures the k subsystems determined by π using the (random) measurement settings stored in the register S Ξ .The results are stored in the classical register V , and the post-measurement state remains in the systems A π .Similarly, we define where . The two maps M π A→V |S Ξ and M π B→W |S Ξ commute since they act on different systems and we write their concatenation as . So far we have considered π to be fixed.The full measurement for parameter estimation instead consults the register S Π and is modeled as a map M AB→V W |S Π S Ξ : ABS Π S Ξ → ABV W S Π S Ξ given by The state of the total system after the measurement required for parameter estimation is thus given by The second measurement concerns the quantum systems used for extracting the secret key.The corresponding measurement maps are defined analogously to the measurements maps above, but now act on the systems determined by π, the complement of π in [m].We define as well as It is evident that all measurements M defined so far mutually commute because they act either on classical registers or on distinct quantum registers.Finally, we define the total measurement map as Of particular interest is the state of the system after measurement and after we discard the quantum systems.This is given by a classical state σ V W XY S Π S Ξ S Θ .This state is of the form where we write Aπ and analogously introduce M θ,x Aπ , M ξ,w Bπ and M θ,y Bπ .The situation after the complete measurement is depicted in Figure 3.
Parameter estimation: We model parameter estimation by a test function acting on the registers V and W and creating a binary flag F pe as follows: Alice public domain Bob  This test can be applied to the states τ ABV W S Π S Ξ S Θ or σ V W XY S Π S Ξ S Θ defined previously.This requires Alice to communicate V to Bob on the authenticated classical channel in order to evaluate the value of pe(v, w) and the transcript of this communication is stored in the variable C V = V .
We are specifically interested in the state τ ABV W S Π S Ξ S Θ F pe = E pe τ ABV W S Π S Ξ S Θ and the corresponding state conditioned on the outcome F pe = , given by We will see that this state is crucial for the security analysis in the next section.Finally, we note that M XY and E pe commute, and thus in particular we find that We then relabel V to C V and keep it around as part of the transcript, while we discard W after performing parameter estimation.The situation after parameter estimation is depicted in Figure 4.

Error correction:
The error correction part of the protocol is split into two parts.The first part consists of the actual error correction procedure, determined by two functions synd and corr that are executed by Alice and Bob, respectively.We do not assume anything about these functions, but rather check their success in the second part by evaluating hash functions.
First Alice computes a syndrome Z = synd(X) and sends it to Bob over the public channel.Bob then computes an estimate X = corr(Y, Z), discarding Y in the process.
Alice and Bob then need to check that the decoding procedure succeeded with high probability by comparing hashes of their respective strings X and X and abort the protocol if they differ.Alice computes a hash of size t (in bits) of X and sends it to Bob, who computes the corresponding hash for X.This test is summarized as a classical map ec acting on registers X, X and S Hec creating a transcript of the hash value C T and a binary flag F ec as follows: These classical functions are modeled using CPTP maps E synd , E corr and E ec , respectively.Applying them to the state where the transcript register C Z contains the value of the syndrome and C T the output of Alice's hash.This process is depicted in Figure 5.  Privacy amplification: Alice and Bob use the seed H pa to choose a hash function, which they then both apply on their raw key to compute K A = H pa (X) and K B = H pa ( X), their respective keys.Formally, the privacy amplification map is defined as:

Alice public domain Bob
Denoting by K A and K B the respective key spaces of Alice and Bob, the final quantum state is Finally, Bob reveals the status of his flag registers.This final step is depicted in Figure 6.

Security of the generated key
For a detailed discussion of the security of quantum key distribution, we refer the reader to Portmann and Renner [34].For our purposes here (consistent with [10] and [34]), we say that our protocol is ∆-secure if is ∆-close to an ideal protocol in terms of the diamond distance.Note in particular that an ideal protocol is allowed to abort, but it will always output a uniformly random shared key in case it does not.Table 3 gives such an ideal protocol, denoted qkd_ideal m,pe,ec,pa designed in such a way that it is close to the original qkd_eb m,pe,ec,pa protocol.
(K A , K B , S, C, F ) = qkd_ideal m,pe,ec,pa ρ AB : Output: If F pe = F ec = , then replace K A and K B by an independent and uniformly distributed random string K of length , i.e. set K A = K B = K.In order to show that the protocol is secure, it thus suffices to show that ∆ m,pe,ec,pa := qkd_eb m,pe,ec,pa − qkd_ideal m,pe,ec,pa (47) = sup is very small for certain choices of parameters k, n, δ, ec and pa.In the latter expression ρ ABE is an arbitrary extension of ρ AB to an auxiliary system E. Without loss of generality we may take |E| = |A||B|, which is sufficient to achieve the supremum.Physically the system E is held by a potential adversary, the eavesdropper.In particular, this assures that E can be assumed finite-dimensional.Hence, we need to show that the trace distance between the protocols' outputs is small for all possible input states ρ ABE .
Let us now fix ρ ABE for the moment.The trace distance in (48) can be simplified by noting that the output of qkd_ideal equals the output of qkd_eb if the protocol aborts.We find qkd_eb m,pe,ec,pa (ρ ABE ) − qkd_ideal m,pe,ec,pa (ρ ABE ) tr where we use ω K A K B SCF E = qkd_eb k,n,δ,ec,pa (ρ ABE ) and define a perfect key χ K A K B as follows: Recall that ω in (50) corresponds to a subnormalized state with trace equal to Pr[F = ( , )] ω .
Our goal in the following is to bound (50) or (49) uniformly in ρ ABE , which implies an upper bound on (48) as well.In order to do this we will employ the following lemma which allows us to split the norm into two terms corresponding to correctness and secrecy.This has been shown, e.g., in [34,Theorem 4.1], but we provide a proof here for completeness.Lemma 1.Let ε ec , ε pa ∈ [0, 1) be two constants.If, for every state ρ ABE ∈ S(ABE) and ω K A K B SCF E = qkd_eb m,pe,ec,pa (ρ ABE ), we have Then, ∆ m,pe,ec,pa ≤ ε ec + ε pa .
Proof.Let us introduce an auxiliary state η Then, applying the triangle inequality to the trace distance in (49) and simplifying the resulting terms, we find Multiplying this with Pr[F = ( , )] ω as in (49) yields the desired implication.
The first condition of the above Lemma 1 ensures that the protocol is ε ec -correct, and the second condition ensures that the protocol ε pa -secret.If both are satisfied, we say that the protocol is (ε ec + ε pa )-secure.In the security proof we can thus verify the two conditions separately.

Results and discussion
We will show the following theorems, which essentially give bounds on the security parameters in terms of the protocol parameters.The first theorem establishes correctness of the protocol.Correctness of the protocol is ensured in the error correction step using hash functions, and consequently correctness can be bounded in term of the length t of the hash that is used.The proof is given in Section 6.1.

Theorem 2.
Consider the protocol qkd_eb m,pe,ec,pa in Section 3 with ec = {t, . ..}.Then for every state ρ AB ∈ S(AB) and ω K A K B SCF = qkd_eb m,pe,ec,pa (ρ AB ) we have The second theorem asserts secrecy.Secrecy is ensured by a combination of the parameter estimation and privacy amplification steps of the protocol, which both introduce an error.There is a tradeoff between these two errors, parametrized by a scalar ν, which ought to be optimized numerically.The proof is given in Sections 6.2-6.4.Theorem 3. Consider the protocol qkd_eb m,pe,ec,pa in Section 3 with pe = {k, δ}, ec = {t, r, . ..} and pa = { , . ..}.Then, for every state ρ ABE and ω K A K B SCF E = qkd_eb k,n,δ,ec,pa (ρ ABE ), we have where the error functions are given as and h(x denotes the binary entropy. Combining Theorems 2 and 3 we see that total error is thus composed of three components, ε pe , ε ec , and ε pa .Let us take a close look at these errors for the case of large m.First, we note that ε ec vanishes asymptotically when we choose t = log(m), or any other slowly growing function of m.To make sure that ε pe vanishes we choose k = √ m and ν = log(m) −1 , for example.For a robust operation at noise level δ it is necessary (and in theory sufficient) that the error correction leakage satisfies r ≈ (m − k)h(δ).Since h(δ + ν) ≈ h(δ) by continuity, we find that ε pa vanishes as long as is positive and grows in m.Since k and log m become negligible compared to m as m gets large, our protocol thus achieves the asymptotically optimal rate by Devetak and Winter [38], with /m = log 1 c − 2h(δ).

Security proof
The purpose of this section is to prove Theorems 2 and 3.

Error correction: Proof of Theorem 2
We wish to upper bound the probability of the protocol not aborting and outputting distinct final keys for Alice and Bob.
Proof of Theorem 2. We consider the following chain of inequalities: The first inequality follows since we ignore the status of the flag F pe .The second inequality is a consequence of the fact X = X implies H pa (X) = H pa (X ).The third inequality follows since Pr[X = X ] σ ≤ 1 and the last one by definition of universal 2 hashing.

Measurements: Uncertainty tradeoff between smooth min-and max-entropy
The crucial bound on the smooth entropy of Alice's measurement outcomes follows by the entropic uncertainty relation, suitably applied.We state the uncertainty relation in a natural form [41,Corollary 7.4]..01,0.025, 0.05, 0.075}, optimized over all protocols.The protocols are required to be ε-secure with ε = 10 −10 and the device parameter is assumed to be c = 0.5.The error correction leakage is approximated to be r = 1.1(m − k)h(δ), see for instance [39].(A more detailed approximation that includes finite-size effects was recently given in [40].)All remaining parameters, i.e. ν, k and t, are optimized numerically to maximize (code available online).The dotted horizontal lines show the corresponding asymptotic limit of the key rate for each value of δ, given as 1 − 2h(δ).The markers indicate the points at which the key rate matches 50% of the asymptotic limit.Proposition 4. Let τ AP RS ∈ S • (AP RS) be an arbitrary state with P a classical register, and set t := tr{τ AP RS }.Furthermore, let ε ∈ [0, √ t) and let q be a bijective function on P that is a symmetry of τ ABCP in the sense that τ ARS,P =p = τ ARS,P =q(p) for all p ∈ P .Then, we have where c q = max p∈P max x,z∈X F Here, σ XP RS = M A→X|P (τ AP RS ) for the map and any set (indexed by p ∈ P ) of generalized measurements {F p,x A } x∈X .A variant of this uncertainty relation was first shown in [41], based on the techniques introduced in [21].We provide a full proof of the uncertainty relation in Appendix A for completeness.In the following corollary we apply it to the situation at hand during our protocol.

Corollary 5.
Consider the protocol qkd_eb m,pe,ec,pa in Section 3 with pe = {k, . ..} applied to a state ρ ABE ∈ S(ABE) and the state σ XY V W S Π S Ξ S Θ F pe E as in (42) that results after measurement and parameter estimation.Define c as in (21).Then, for ε ∈ 0, Pr[F pe = ] σ , we have Proof.Consider the state τ ABV W S Π S Ξ S Θ F pe E∧F pe = defined in (40) and note that it is of the form This is the state of the system after parameter estimation and after measuring V and W , but with the measurement of X and Y (in the basis determined by S Θ ) delayed.In particular we have used the fact that the register S Θ has not yet been touched in the protocol, and is thus independent and uniform and independent even after we consider the event F pe = .
Let us now apply Proposition 4 to this state.For this purpose we equate P = S Π S Ξ S Θ , R = V W E, and S = B.The symmetry is determined by the map q : θ → θ with θi = 1 − θ i , which only acts on S Θ and since this system is uniform and in product with the rest of the state trivially satisfies the symmetry condition of the theorem.The measurement map is then simply M A→X|S Π S Θ and we can calculate Proposition 4 applied to our setup thus yields Finally, the statement of the Proposition follows by applying the measurement map M B→Y |S Π S Θ (and discarding the seed registers) and noting that ) σ by the dataprocessing inequality.

Parameter estimation: Statistical bounds on smooth max-entropy
This section covers the necessary statistical analysis.This is essentially a variation of the analysis in [13], but requires a new tool, Lemma 7, presented in Section 2.2, as we are finding it clearer to do the analysis with sub-normalized states here.We use the following standard tail bound.

Lemma 6. Consider a set of binary random variables
k be an independent, uniformly distributed random variable.Then, Remarkably this bound is valid without any assumption on the distribution of Z.
Consider the following sequence of inequalities: Here, the first inequality holds since A =⇒ B implies Pr[A] ≤ Pr[B] for any events A and B. The first equality follows from the fact that Π is independent of Z.The last equality follows by substituting i∈Π z i = mµ(z) − i∈ Π z i and rearranging the terms appropriately.Now note that the random sums S n := i∈ Π z i can be seen as emanating from randomly sampling without replacement n balls labelled by z i ∈ {0, 1} from a population z with mean µ(z).Serfling's bound [42, Corollary 1.1] then tells us that where we substituted f * n = n−1 m .It is important to note that this bound is independent of µ(z).Thus, substituting this back into (75), we conclude the proof.
With this in hand, we wish to bound the smooth max-entropy of the state when passing the parameter estimation test.Proposition 8. Consider the protocol qkd_eb m,pe,ec,pa in Section 3 with pe = {k, δ} applied to a state ρ AB ∈ S(AB) and the state σ XY F pe in (42) that results after measurement and parameter estimation.For any ν ∈ (0, 1), we first define Then, for any ν ∈ (0, 1 2 − δ] such that ε(ν) 2 < Pr[F pe = ] σ , the following holds: Intuitively, this result is a consequence of the fact that when we pass the parameter estimation test, conditioned on any particular value of Y , the support of X is small as the number of errors (positions where x i = y i ) is bounded (with high probability).
Proof.We use the shorthand p = Pr[F pe = ] σ and n := m − k.Define the event event Ω := 1 i∈[n] 1{X i = Y i } ≥ n(δ + ν) .We show that the statement in (80) holds when p > ε 2 .Using Lemma 6, we find This gives an upper bound on the probability of the unlikely coincidence where the parameter estimation test passes with threshold δ but the fraction of errors between X and Y exceeds the threshold δ by a constant amount.We now want to remove the above unlikely events from our state σ XY F pe ∧F pe = by means of smoothing.Lemma 7 allows to do just that, and we introduce the state σXY F pe that is ε(ν)-close to σ XY F pe ∧F pe = in purified distance and satisfies Pr[Ω] σ = 0. From this we conclude that where the last equality is a consequence of the fact that σ is only supported on F pe = .

Privacy amplification: Proof of Theorem 3
The last main ingredient of our proof is a so-called Leftover Hashing Lemma.It ensures that if the smooth min-entropy of X given some side information B is large, then we can extract randomness from X that is independent of B. The Leftover Hashing Lemma is, up to a slight change of the definition of the smooth min-entropy, due to Renner [10, Corollary 5.6.1].The proof of this exact statement is provided in Appendix B for the convenience of the reader.Proposition 9. Let σ XD ∈ S • (XD) be a classical on X and let H be a universal 2 family of hash functions from X = {0, where χ K = 1 2 id K is the fully mixed state and ω KS H D = tr X E f (σ XD ⊗ρ S H ) for the function f : (x, h) → h(x) that acts on the registers X and S H .
The following technical lemma allows us to bound the smooth conditional min-entropy restricted to events in terms of the unrestricted entropy.Lemma 10.Let ρ ABXY ∈ S • (ABXY ) be classical on X and Y and let Ω : X × Y → {0, 1} be an event with Pr[Ω] ρ > 0.Then, for ε ∈ 0, Pr[Ω] ρ , we have As discussed previously, this implies in particular the existence of an extension ρABXY ∈ S • (ABXY ) that satisfies P (ρ ABXY , ρ ABXY ) ≤ ε.Without loss of generality we can assume that ρABXY is classical on X and Y .(To see this, note that pinching in the computational basis on Y would indeed only decrease the distance between the ρABXY and ρ ABXY , leaving the latter state invariant.)On the state ρABXY we can now define the restriction on the event Ω and find Finally, we proceed in the same fashion as for the first inequality to show that P (ρ ABX∧Ω , ρ ABX∧Ω ) ≤ ε and conclude the proof.
The next proposition builds on Corollary 5 and Proposition 8 and the above Leftover Hashing Lemma to establish the secrecy of the key.

Proposition 11. Let ρ ABE ∈ S(ABE).
Consider the protocol qkd_eb m,pe,ec,pa in Section 3 with pe = {k, δ}, ec = {t, r, . ..} and pa = { , . ..} and the state ω K A K B SCF E = qkd_eb m,pe,ec,pa (ρ ABE ).Define ε(ν) as in (79).Then, for any ν ∈ (0, 1  2 − δ] such that ε(ν) 2 < Pr[F = ( , )] σ , the following holds: where g(ν) )] σ ≤ Pr[F pe = ] σ the condition of Proposition 8 is satisfied and we find that (42) that results after measurement and parameter estimation.Combining this with Corollary 5 yields where we introduced the shorthand q = log 1 c − h(δ + ν).Our goal is to translate this in a condition on the state σ X XC V C Z C T S Π S Ξ S Θ S Hec F pe F ec E as in ( 44) that results after error correction.The following chain of inequalities holds: The first inequality follows by relabeling V to C V and discarding W , an instance of the data-processing inequality.The transcript register C Z contains the syndrome sent from Alice to Bob and the inequality (98) follows by the chain rule in (19), and the fact that log |C Z | = r.The register S Hec in the state ρ S Hec is independent of the other registers.The register C T contains the hash of the raw key X of size log |C T | = t leading to the penultimate inequality.In the last step we used Lemma 10.Summarizing S = (S Π , S Ξ , S Θ , S Hec ) as well as C = (C V , C Z , C T ), and F = (F pe , F ec ) as usual, we can thus more compactly write this as Proposition 9 applied with this bound then immediately yields the desired inequality.

Part II
Prepare-and-measure protocol 7 Formal description of the prepare-and-measure protocol Here we discuss a prepare-and-measure (PM) protocol for QKD, denoted qkd_pm M,m,pe,ec,pa , which is essentially equivalent to BB84 [1], and prove that its security follows from that of the entanglement-based protocol considered in Part I, provided that some additional assumptions are made.Seed for the choice of Alice's measurement bases in the prepare-and-measure protocol Seed for the choice of Bob's measurement bases in the prepare-and-measure protocol S Register corresponding to all the seeds that Alice communicates to Bob after state distribution S = (S Π , S Ξ , S Θ , S Hpe , S Hec ) F si Flag for the sifting procedure in the prepare-and-measure protocol Register corresponding to all the flags, Transcripts of the registers Ω and Σ sent during sifting C Register containing all the communication transcripts, Table 4: Additional nomenclature and notation used in Part II.See also Table 1 Section 7.2 provides the details of the protocol described in Table 5, for the steps where it differs from the entanglement-based protocol.We describe the additional assumptions on the preparation and measurement devices in 7.1 and present a mathematical model of the protocol in 7.3.

Additional assumptions on preparation and measurement devices
The physical equipment of Alice an Bob is modified compared to that of the entanglement-based protocol considered in Part I. Indeed, the main point of implementing a prepare-and-measure protocol is that it is no longer required for Alice and Bob to share an entangled state, a task that remains very challenging if the two parties are a few tens of kilometers apart, which is typical in realistic scenarios where one wants to distribute secret keys at the scale of a metropolitan area.In the prepare-and-measure setup Alice and Bob do not start with an entangled state but instead have access to a quantum channel from Alice to Bob.
The assumption on finite-dimensional quantum systems, sealed laboratories, random seeds and authenticated communication channel discussed in Section 3.1 still apply.The assumption of sealed laboratories in particular implies that the quantum channel between Alice and Bob models all quantum communication leaving Alice's lab.However, we will replace the assumption of commuting measurements, deterministic detection and the complementarity of Alice's measurements.

Alice's preparation:
In every round, indexed by i ∈ [M ], Alice's preparation device takes two bits as input: φ ∈ {0, 1} describing a basis choice and x ∈ {0, 1} describing the bit value within each basis.It produces a quantum state ρ φ,x Ai , ideally corresponding to one of the four BB84 states.The commuting measurement assumption for Alice is replaced with the requirement that these states do not depend on the preparations in previous or later rounds (which is already ensured by our notation).Our next assumption is that the state ρ φ,x Ai does not leak any information about the basis choice φ, i.e., we require that Moreover, instead of the complementarity assumption on the measurements, we require that the prepared states are sufficiently complementary.More precisely, let us define , for states satisfying In case X has not full support we take the generalized inverse (on its support) in the above definition.Our second assumption on Alice's preparation is that for all i ∈ [M ] and some constant c < 1.The constant c is closely related to the constant c that described the complementarity of Alice's measurement in the entanglement-based protocol, as we will see in Corollary 15.
In an ideal implementation of the BB84 protocol, the states ρ φ,r would be single-qubit states given by These states obviously satisfy the assumption in (104) and it is easy to verify that c = 1 2 is a valid bound.We should note that our first assumption is rather strong and for instance does not allow us to assess the security of popular implementations of the BB84 protocol relying on a weak-coherent-state encoding.Since single-photon sources remain expensive and imperfect today, it is indeed tempting to encode each qubit with two polarization modes and replace single-photons by phase-randomized weak-coherent states 11 .For such an implementation, the four BB84 states become linearly independent, and Eq.(104) cannot hold.It is well-known that such implementations are sensitive to "photon-number-splitting" attacks but that solutions exist to restore their security, for instance with the help of decoy states [44].While we believe that our framework could accommodate such modifications (see for instance [45,46]), we do not address this issue here.
Bob's measurement: As for the simple protocol of Part I, we require that Bob's quantum system can be decomposed as . .B M .Bob's measurement device is similar to that of the simple protocol of Part I, but the measurement operators now need to be specified for indices in [M ] and allow for an additional outcome, '∅', corresponding to an inconclusive result.Such an inconclusive result can for instance occur when no detector clicked (photon loss) or when more than 1 detector clicked (dark counts) 12 .
For any i ∈ [M ], we model Bob's measurement on subsystem B i with setting φ ∈ {0, 1} by a ternary generalized measurement {M φ,z Bi } z∈{0,1,∅} acting on B i .The index z ranges over the two conclusive outcomes, 0 and 1, of Bob's measurement as well as the inconclusive outcomes ∅.We require that meaning that the element corresponding to an inconclusive result coincides for both measurements.As will be formalized in Lemma 16, this implies that Bob's measurement map can be interpreted as a two-step process first deciding whether the result is conclusive or not, and then, in the former case, proceeding with the ideal measurement considered in Part I.While this assumption seems quite reasonable for photon detector working in the few photons regime, it usually fails to apply when avalanche photo diodes are accessed in the linear mode, and this was precisely the origin of the "blinding attack" of [35].
In any realistic implementation, Alice and Bob would need to be synchronized so that Bob can keep track of which system he is currently measuring.This is especially relevant in high-loss regimes where Bob's detectors would not click most of the time.Such a synchronization procedure can realized classically, provided that both players have access to an authenticated channel.For simplicity, we ignore this synchronization issue in our model.

Protocol parameters and overview
The protocol qkd_pm M,m,pe,ec,pa is parametrized as qkd_eb m,pe,ec,pa , but with one extra parameter: • The number of individual states prepared and sent through the quantum channel by Alice, M ∈ N. We require that M ≥ m and for optical implementations a typical value for M is 2m η where η is the overall transmittance of the optical channel between Alice and Bob.

Exact mathematical model of the protocol
Here we describe in detail the mathematical model corresponding to the protocol in Table 5, for the steps where it differs from the simple protocol of Part I. 11 If the single-photon polarization qubit states are given by (107), then the four encoded BB84 states are k! (ρ i,j ) ⊗k for i, j ∈ {0, 1}, where α > 0 is the amplitude of the coherent states. 12Indeed, in most experiments, the measurement device is usually implemented with the help of two single-photon detectors, and a conclusive measurement outcome, 0 or 1, will correspond to which detector clicked while inconclusive outcomes occur if none or both of the detectors clicked.Randomization: Alice and Bob respectively choose two random strings Φ A , Φ B ∈ {0, 1} M .Alice also chooses a random string R ∈ {0, 1} M .These private seeds are denoted S Φ A , S Φ B and R. Finally, similarly as in the simple protocol, Alice chooses a random subset Π ∈ Π m,k , and random hash functions H ec ∈ H ec as well as H pa ∈ H pa .These uniformly random seeds are denoted S = (S Π , S Hec , S Hpa ).Sifting: If it exists, Alice publicly announces a set Σ ⊆ Ω, with transcript C Σ of cardinality m, such that Φ A and Φ B coincide on Σ, and sets the flag F si = .Otherwise, she sets F si = ∅ and they abort.The respective binary substrings R and U of R and U restricted to Σ become the raw keys.As in the idealized protocol, they are then reordered and denoted (X, V ) and (Y, W ) for Alice and Bob, respectively.Here V, W are of length k and correspond to the indices in Π, whereas X, Y of length n correspond to indices not in Π.

State
Parameter Estimation: Alice sends V to Bob, the transcript is denoted C V .Bob compares V and W .If the fraction of errors exceeds δ, Bob sets the flag F pe = '∅' and they abort.Otherwise he sets F pe = ' ' and they proceed.
Error Correction: Alice sends the syndrome Z = synd(X) to Bob, with transcript C Z .Bob computes X = corr(Y, Z).
Alice computes the hash T = H ec (X) of length t and sends it to Bob, with transcript C T .Bob computes H ec ( X).If it differs from T , he sets the flag F ec = '∅' and they abort the protocol.Otherwise he sets F ec = ' ' and they proceed.
Privacy Amplification: They compute keys K A = H pa (X) and K B = H pa ( X) of length .

Output:
The output of the protocol consists of the keys K A and K B , the seeds (S Φ B , S Π , S Hec , S Hpa ), the transcript ) and the flags F = (F si , F pe , F ec ).In case of abort, we assume that all registers are initialized to a predetermined value.
Table 5: Realistic Prepare-and-Measure QKD Protocol qkd_pmM,m,pe,ec,pa.The precise mathematical model is described in Section 7.This protocol differs from the entanglement-based protocol in several points: in particular, the input now corresponds to the quantum channel N between Alice and Bob.

Input:
The realistic protocol qkd_pm M,m,pe,ec,pa we consider is a prepare-and-measure protocol, and the role of the input is now played by an (arbitrary) quantum channel N A→B between Alice and Bob.Here . This situation is depicted in Figure 8.
As before, we make the assumption that the input and output of the quantum channel are finite-dimensional.This arguably appears quite restrictive since any complete description of the optical channel would involve infinite-dimensional Fock spaces, with the idea that each of the M systems prepared by Alice corresponds to two polarization modes for instance.However, we point out that we do not require any explicit upper bound on the dimension of the Hilbert spaces occurring in the protocol, and that any physical state necessarily has a bounded energy, which means that it can be arbitrarily well approximated by a quantum state in a finitedimensional Hilbert space of sufficiently large dimension.

Randomization:
The random seeds are modeled similarly as for the idealized version of the protocol.Here, the seed S Φ corresponding to identical measurement settings is not provided directly.Instead, Alice and Bob initially choose independently two strings Φ A , Φ B ∈ {0, 1} M , and it will later be the role of the sifting procedure to produce a set of identical measurement settings Φ.The random choice of the strings Φ A , Φ B is modeled by two registers S Φ A , S Φ B in the state where {|φ A }, {|φ B } are orthonormal bases of S Φ A and S Φ B , respectively.Another difference with the simple protocol of Part I is that Alice also has access to a register R that she will use to choose which state to prepare.This register is modeled similarly as the other seeds as a maximally mixed state: where {|r } is an orthonormal basis of R. The other random seeds ρ S Π , ρ S Hec , ρ S Hpa are identical to the idealized version.This situation is depicted in Figure 9.

Alice public domain Bob
) Alice prepares a public seed S that will later be communicated to Bob through an authenticated classical channel.Alice and Bob also prepare private seeds: R, ΦA for Alice, ΦB for Bob.
Note that while in the simple protocol all the seeds are communicated publicly during a step of the protocol, it is crucially not the case here for the seed R, from which the final key could be immediately inferred.We will see that it is not necessary to communicate the seed S Φ A to Bob since the sifting procedure is performed by Alice.
In a practical implementation, the various random seeds, except for S Φ B would be initially prepared by Alice, and only communicated to Bob when needed (except for R and S Φ A ).In particular, one should wait until the state distribution is over before communicating the value of the chosen subset for parameter estimation or of the various hash functions.

State preparation:
Alice prepares a quantum state on n M systems A ≡ A [n] using the map where ρ r,φ A = M i=1 ρ ri,φi Ai .Applying this map to the seeds in registers R and S Φ A results in the state This situation is depicted in Figure 10.State distribution: Alice sends her register A to Bob through the quantum channel N : A → B. The state shared by Alice and Bob is given by:

Alice public domain Bob
where we defined ρ r,φ B = N ρ r,φ A .This situation is depicted in Figure 11.Measurement: Bob measures each of his M quantum systems in the basis corresponding to Φ B and stores his measurement outcomes, either 0, 1, or ∅ in the case of inconclusive outcomes, in a classical register U taking values in {0, 1, ∅} M .The measurement map M B→U Ω|S Φ B is defined as:

Alice public domain Bob
where ω = ω(u) is the subset of [M ] where u takes values in {0, 1}, namely The state of the total system after Bob's measurement is given by and the situation is depicted in Figure 12.

Alice public domain
Bob Randomness distribution: Bob publicly announces the content of the register S Φ B together with the description C Ω of the set ω of indices corresponding to conclusive measurement results.This situation is depicted in Figure 13.Alice publicly announces the value of the various seeds, S = (S Π , S Hec , S Hpa ).
Sifting: Alice applies the sifting map, a classical map 'sift' defined as follows where Σ is either the first subset of Ω of cardinality m in the lexicographic order where φ A and φ B coincide, if such a set exists, or else it is set to a dummy value, for instance [m].In the first case, the flag F si is set to , otherwise it is set to ∅ and the protocol aborts.The output of the sifting map immediately allows Alice and Bob to compute the value of the seed S Φ which is simply the restriction of either S Φ A or S Φ B to the indices in Σ.This classical map is lifted to give a CPTP map This situation is depicted in Figure 14.We then define a CPTP map E di that discards the systems in R, U and Φ A which do not correspond to the subset Σ and put the remaining systems in registers denoted R , U and Φ of size m, respectively.This situation is depicted in Figure 15.

Alice public domain Bob
Finally, similarly as in the simple protocol of Part I, Alice and Bob use the content of register Π to reorder their raw keys, which become (V, X) for Alice and (W, Y ) for Bob.The situation here is similar to that obtained after measurement in the simple protocol (compare Figures 16 and 3), with the addition of the registers C Σ , C Ω , S Φ B and F si now available in the public domain.

Remaining steps:
The remaining steps are as in the entanglement-based QKD protocol presented in Part I.

Results and Discussion
The security proof should establish that for any input channel N A→B given to qkd_pm M,m,pe,ec,pa , either the protocol outputs secret identical keys, or else it aborts.In the same spirit as the entanglement-based version of Part I, we define the security parameter ∆ M,si,pe,ec,pa := sup where again qkd_ideal M,k,n,δ,si,ec,pa is defined analogously to the entanglement-based case and simply replaces the output of qkd_pm M,m,pe,ec,pa (N A→BE ) with a perfect key in case the protocol does not abort.Here, the channels N A→BE have an additional output that goes to an eavesdropper, and it again suffices to consider maps where E is finite-dimensional.Establishing security thus boils down to showing that this trace distance is small for all such channels.Our strategy is to show that the realistic protocol is equivalent to applying the idealized QKD protocol on a virtual quantum state ρ AB independent from the uniformly distributed random seed S Φ for the measurement settings.If this holds, then the security proof of Part I for the simple protocol applies, and establishes the security of the prepare-and-measure protocol.For this, we need to make explicit assumptions about (i) the state preparation on Alice's side to make sure that no basis information is leaked and (ii) the measurement device on Bob's side to ensure that the invalid measurement results do not depend on the measurement basis.
Under the assumptions in Section 7.1, we show that the prepare-and-measure QKD protocol is secure.
Theorem 13.Let m, pe, ec, pa be such that the protocol qkd_eb m,pe,ec,pa in Section 3 is ε-secure with device parameter c = c .Then qkd_pm M,m,pe,ec,pa is also ε-secure.
As will be shown in Section 9, the security of the prepare-and-measure protocol is a consequence of that of the simple protocol studied in Part I, provided that some additional assumptions are made.
When assessing the performance of the protocol, however, two modifications appear.First, the device parameter (c instead of c) needs to be defined differently since it is no longer a function of the measurement device of Alice, but rather of her preparation device.In an ideal implementation, it is still expected to be equal to 1  2 , as was discussed in Section 7.1.The more important difference is due to the sifting procedure.Indeed, the definition of the secret key rate should now be modified to mean the ration between the key length and the number M of individual states prepared and sent by Alice (instead of the number m in the simple entanglementbased protocol).The means that the secret key rate achieved with the prepare-and-measure protocol is given by The sifting procedure that we have considered here (and described in Section 7.3) is not optimized to maximize the secret key rate (or equivalently the ratio m M ), but rather to simplify the analysis as much as possible.Better sifting procedures are discussed in [19] and could involve not fixing the value of M in advance for instance.
A typical experiment would be characterized by a given overall transmittance η of the optical channel, meaning that approximately ηM photons will be detected by Bob, or in other words, that the expected value of |Ω| is ηM .Given that Alice and Bob's measurement bases will coincide on expectation 50% of the time, we therefore expect that holds asymptotically.
In particular, the secret key rate of the prepare-and-measure protocol is then expected to be equal to η 2 times the secret key rate of the simple protocol displayed in Figure 7.

Security reduction
In Sections 9.1 and 9.2, we discuss some implications of the device assumptions made in Section 7.1.The security reduction to the simple protocol will be addressed in Section 9.3.

Preparation: Assumptions on Alice's device
Consider the four states {ρ x,φ Ai } x,φ∈{0,1} created by Alice in round i of the protocol for some i ∈ [M ].Since these states adhere to the assumptions stated in (104) and (106), the following lemma is applicable: Lemma 14.Let {ρ φ,x A } φ,x ⊂ S(A) where x and φ are taken from discrete sets.Moreover, let {p φ x } x be a probability distribution for each φ such that A for all φ and φ . ( Then there exists a state τ AA ∈ S(AA ) where A ≡ A and a generalized measurement {M φ,x A } x on A for each φ such that Proof.We will explicitly construct the state and measurement as follows.First, let us introduce τ A := x p φ x ρ φ,x A and choose τ AA as its purification on A .Now we choose where the transpose is taken with regards to the Schmidt basis of τ AA .Let us first verify that this constitutes a generalized measurement.Indeed, for every φ, we find Let us now verify the conditions in (124).Since where ρ φ,x AA = |ρ φ,x AA ρ φ,x AA | purifies ρ φ,x A .The first equality readily follows.The second equality can be confirmed by consulting the definitions of c and c in ( 20) and (105), respectively.
Proof.Since the measurement map M B→BΩ only acts on register B, independently of the value Φ B , we have where the state ρ A BEΩ = M B→BΩ (ρ A BE ) is a classical-quantum state: It is straightforward to check that the classical map 'sift' has the following property: for all strings φ A , φ B , θ ∈ {0, 1} M and any subset ω ⊆ [M ], if the sifting succeeds, then Indeed, this is true since the map 'sift' only examines whether Alice and Bob's measurement bases coincide or not, and not their actual value.In particular, if Φ A and Φ B are uniformly distributed, then Φ, the restriction of Φ A to the subset Σ returned by the sifting map when it succeeds, will also be uniformly distributed over the set of strings of length m.
Finally, the discard map E di examines register S Φ A and puts its content, restricted to the subset determined by the sifting map, into register S Φ , and traces over all the systems that do not belong to that subset.The above property of the sifting map ensures that the value of Φ does not depend on Ω.
This establishes that whenever the sifting test passes, the output state takes a tensor product form: This lemma shows in particular that it is legitimate to consider S Φ as a uniform seed, and not as a transcript, hence its notation S Φ instead of C Φ .

Security: reduction to the entanglement-based protocol
We are now ready to prove Theorem 13.
Proof.It is sufficient to consider the case where the sifting procedure succeeds, since otherwise the protocol aborts and its output is trivially secret.For this reason, let us define a slight variant qkd_modified m,pe,ec,pa of the entanglement-based protocol of Part I which differs by taking an additional input register F si ∈ { , ∅}.The variant starts by examining the content of this registers, and either aborts if the flag is set to ∅, or proceeds with the protocol qkd_eb m,pe,ec,pa if the flag is set to .A second difference between qkd_eb m,pe,ec,pa and qkd_modified m,pe,ec,pa is that the randomness for the measurement basis choice is explicitly given as an input.In particular, for any state ρ A BE , it holds that: From it definition, it is immediate that if qkd_eb m,pe,ec,pa is ε-secure, then so is qkd_modified m,pe,ec,pa .Indeed, the only quantitative difference between the two protocol is that the latter one is less robust since it will not output nontrivial keys as soon as the sifting flag is set to ∅.
Our goal is therefore to show that in that case, for any input channel N A→BE , there exists a state ρ A B E F si where A and B consist of m systems such that Let us therefore consider the application of the prepare-and-measure protocol qkd_pm M,m,pe,ec,pa to an arbitrary quantum channel N A→BE .According to the description of the protocol, the classical-quantum state shared by Alice, Bob and Eve after the distribution step is given by some ρ RBES Φ A S Φ B .The assumption made on Alice's preparation shows, as stated in Corollary 15, show that there exist a state τ AA and a measurement map where we defined ρ A BE = N A→BE (τ AA ).The last equality follows from the fact that the maps N A→BE and M A →R|S Φ A trivially commute since they act on distinct systems.After applying the measurement map M B→BΩ promised by Lemma 16, followed by the sifting and discard maps, we obtain where R and B are now restricted to the m indices corresponding to the set Σ provided by the sifting map.Indeed, recall that the discard map E di replaces the M -system registers R and B by m-system registers R and B obtained by tracing over the systems not corresponding to Σ. Since the measurement map M A →R|S Φ A of Alice's system A commutes with E si • M B→BΩ , we obtain: In the mathematical description of the protocol given in Section 7.3, the discard map was applied to registers R, B, but since it commutes with measurement maps on either Alice's or Bob's system, the map can be just as well applied to registers A and U , with outputs denoted A and U , respectively.We deduce that we can replace the map Lemma 17 now shows that which concludes the proof.

Conclusion
We provide a self-contained security proof of QKD detailing all the steps of the protocol and explicitly spelling out all the required assumptions for the security proof to go through.For simplicity, we focussed on a variant of the entanglement-based BBM92 protocol as well as the BB84 protocol and showed that practical secret key rates can be achieved, even for moderately large block size.These results, however, come at the price of several assumptions which are sometimes challenging to enforce in practice.This should not come as a surprise since many simplified implementations are known to be vulnerable to quantum hacking, illustrating that there exist necessary trade-offs between ease of implementation and security guarantees.We believe that there is room for improvement for these trade-offs and that further collaboration between theory and experiment will be essential for achieving this objective.In this context, it is crucial to model the protocols as thoroughly as possible in order to understand what level of security can be obtained, and under which assumptions.
Proof.The condition on ε ensures that all smooth entropies are well-defined.We first introduce the Stinespring dilation isometry of the measurement map M A→X|P .This is the isometry V : A → AXX |P given by V := The remainder of the proof will be concerned with showing the inequality in (158).For this purpose, let us consider the following unitary rotation: that exchanges p with its conjugate, q(p).It clearly acts as a permutation when acting on the classical register P and furthermore we have Q P (τ AP RS )Q † P = τ AP RS due to the symmetry condition that we imposed on q and τ P ARS in the statement of the proposition.Based on this we define the isometry that corresponds to a measurement in the basis determined by q(p) instead of p.We find which shows that the trace non-increasing map V V † (•)V V † coherently undoes the measurement in the basis determined by p and then instead measures in the basis determined by q(p).Now we have the tools at hand to prove the inequality in (158).By the definition of the smooth min-entropy, H ε min (X|P AX R) σ , there exists a state ω P AX R ∈ S(P AX R) and a state σP AXX R ∈ S • (P AXX R) that is ε-close to σ P AXX R in the sense that P (σ P AXX R , σP AXX R ) ≤ ε such that the following inequality holds: Next we consider the CP trace non-increasing map From (161) we learn that F σ P AXX R = σ P XR .Thus, using the fact that the purified distance contracts (3) when we apply F, we find that the state σP XR := F σP AXX R satisfies P (σ P XR , σ P XR ) ≤ P (σ P AXX R , σ P AXX R ) ≤ ε.
(164) Furthermore, applying F on both sides of (162) yields where ωP AX R = p∈P |p p| P ⊗ ωp AX R with ωp AX R = p| ω P AX R |p P .Let us now simplify the right-hand side of this inequality, hoping to capture the incompatibility of the measurements in the basis p versus the basis q(p).First, we note that |z x| X ⊗ |z x| X ⊗ q(p) p P ⊗ F q(p),z A and, hence, we can write To establish ( 168) and (169) we used the fact that L † L ≤ L † L ∞ id = L 2 ∞ id for every linear operator L by definition of the operator norm.The final equality (171) follows from the definition of c q .
Combining this bound with (165) yields Since p∈P tr(ω p R ) = 1 by construction and P (σ P XR , σ P XR ) ≤ ε due to (164), the definition of the smooth entropy implies that where χ K = 1 2 id K is the fully mixed state and ω KS H D = tr X E f (σ XD ⊗ρ S H ) for the function f : (x, h) → h(x) that acts on the registers X and S H .We provide a short proof for the convenience of the reader (see [24,Section 7.3.2]).
Proof.First, by definition of the min-entropy, there exists a state τ D ∈ S(D) such that σ XD ≤ 2 −Hmin(X|D)σ id X ⊗ τ D .Next, note that by definition of the trace distance, we have where where τ D is inverted on its support.We took advantage of the fact that χ K = 1 2 id K is proportional to the identity to simplify the above expression.Combining this with (175), Jensen's inequality thus ensures that Proof.Let σXD ∈ S • (XD) be a state such that H ε min (X|D) σ = H min (X|D) σ and P (σ XD , σ XD ) ≤ ε.Without loss of generality we can assume that σXD is classical on X.Now, the Lemma 18 yields the inequality where we constructed ωKS H D = tr X E f (σ XD ⊗ρ S H ) and bounded tr{σ XD } ≤ 1 to arrive at the second inequality.Using the monotonicity of the purified distance under CPTP maps we conclude that P (ω S H D , ω S H D ) ≤ P (ω KS H D , ω KS H D ) ≤ ε.Finally, exploiting the triangle inequality for the trace norm we find pe,ec,pa ρ AB : Input: Alice and Bob are given a state ρ AB , where A ≡ A [m] and B ≡ B [m] are comprised of m quantum systems each.

Figure 1 :Figure 2 :
Figure 1: State of the classical and quantum systems at the beginning of the protocol.The initial state is denoted ρAB.

Figure 3 :
Figure 3: State of the classical and quantum systems during and after measurement.The measurement can be summarized as a CPTP map ρAB ⊗ ρ S Φ ⊗ ρ S Π → σ V W XY ABS Φ S Π .

Figure 4 :
Figure 4: State of the classical and quantum systems during and after parameter estimation.Parameter estimation is summarized as a CPTP map σV W → σ C V F pe .

Figure 5 :
Figure 5: State of the classical and quantum systems during and after error correction.Error correction is summarized as a CPTP map σXY ⊗ ρ S Hec → σ X XC Z F ec .

Figure 6 :
Figure 6: State of the classical and quantum systems during and after privacy amplification.Privacy amplification is a CPTP map σ X X ⊗ ρ S Hpa → ωK A K B .The complete final state is denoted by ωK A K B SCF .

Figure 7 :
Figure7: This plot shows the maximal secret key rate /m as a function of m for different error thresholds δ ∈ {0.01, 0.025, 0.05, 0.075}, optimized over all protocols.The protocols are required to be ε-secure with ε = 10 −10 and the device parameter is assumed to be c = 0.5.The error correction leakage is approximated to be r = 1.1(m − k)h(δ), see for instance[39].(A more detailed approximation that includes finite-size effects was recently given in[40].)All remaining parameters, i.e. ν, k and t, are optimized numerically to maximize (code available online).The dotted horizontal lines show the corresponding asymptotic limit of the key rate for each value of δ, given as 1 − 2h(δ).The markers indicate the points at which the key rate matches 50% of the asymptotic limit.

(
K A , K B , S, C, F ) = qkd_pm M,m,pe,ec,pa N A→B : Input: Alice and Bob have access to a quantum channel N A→B : A → B where A ≡ A [M ] and B ≡ B [M ] are comprised of M quantum systems.
Preparation: Alice prepares a quantum state ρ R,Φ A A , encoding the string R in the measurement basis corresponding to φ A .State Distribution: Alice sends the state ρ R,Φ A A through the quantum channel N and Bob receives the output state ρ R,Φ A B = N (ρ R,Φ A A ). (In practice, Alice would send the systems one by one, and use the quantum channel M times.)Measurement: Bob measures the M quantum systems with the setting Φ B , and stores his ternary measurement outcomes in a string U ∈ {0, 1, ∅} M , where ∅ denotes an inconclusive measurement result.He also computes the set Ω ⊆ 2 [M ] of indices corresponding to conclusive measurements (In practice, Bob would start measuring the systems as soon as he receives them.)Randomness distribution: Bob publicly announces both the value of Φ B and Ω.The corresponding transcripts are denoted by C Φ B and C Ω , respectively.Alice sends the value of the seeds S = (S Π , S Hec , S Hpa ) to Bob through the authenticated public channel.

ENFigure 8 :
Figure 8: (Input.)Alice and Bob have access to a quantum channel: N : A → B.

Figure 10 :
Figure 10: (State Preparation.)Using her private seeds R and ΦA, Alice prepares system A.

Figure 11 :Figure 12 :
Figure 11: (State Distribution.)Alice sends the system A through the quantum channel N and Bob receives system B.

Figure 13 :
Figure 13: (Randomness distribution.)Bob communicates the both the value of ΦB and Ω to Alice with the authenticated classical channel.Alice publicly announces the value of the various seeds, S = (S Π , S Hec , S Hpa ).

Figure 14 :
Figure 14: (Sifting 1/2.)Using her private randomness ΦA together with the registers Ω and ΦB sent by Bob, Alice computes the set Σ when it exists and sets the value of the flag F si .Both values are then publicly announced.

Figure 15 :
Figure 15: (Sifting 2/2.)Using Σ, Alice (resp.Bob) discards the M − m irrelevant systems of R (resp.U ) and stores the m remaining ones in R (resp.U ).Both Alice and Bob further compute Φ from Σ and either ΦA or ΦB.

Figure 16 :
Figure 16: (Reordering.)Using the content of S Π , Alice reorder their raw keys, R and U , which become respectively (X, V ) and (Y, W ).

Lemma 18 .
) concluding the proof.B Proof of Leftover Hashing Lemma in Proposition 9Our proof of the leftover hashing lemma is based on the following result due to Renner [10, Corollary 5.5.2]:Let σ XD ∈ S • (XD) be a classical on X and let H be a universal 2 family of hash functions from X = {0, 1} n to K = {0, 1} .Moreover, let ρ S H = 1 |H| h∈H |h h| S H be fully mixed.Then,

Table 1 :
Overview of the nomenclature and notation used in Part I.

Table 3 :
An ideal QKD protocol that is close to qkd_ebm,pe,ec,pa.
ABXY , ρ ABXY ) ≤ ε by the monotonicity of the purified distance under trace non-increasing maps.The desired inequality then follows by definition of the smooth min-entropy evaluated for the state with the event Ω.The second inequality follows similarly.By definition of the smooth conditional min-entropy there exists a state ρABX ∈ S • (ABX) and a state σ B ∈ S(B) such that ρABX ≤ 2 −H ε min (AX|B)ρ id AX ⊗ σ B and P (ρ ABX , ρ ABX ) ≤ ε .( H ε min (AX|BY ) ρ and H ε min (AX ∧ Ω|B) ρ ≥ H ε min (AX|B) ρ (91) Proof.Let us start with the first inequality.By definition of the smooth conditional min-entropy there exists a state ρABXY ∈ S • (ABXY ) and a state σ BY ∈ S(BY ) such that ρABXY ≤ 2 −H ε min (AX|BY )ρ id AX ⊗ σ BY and P (ρ ABXY , ρ ABXY ) ≤ ε .(92) Without loss of generality [24, Lemma 6.6] we can assume that ρABXY is classical on X and Y .As such, we have ρABXY ∧Ω ≤ ρABXY and P (ρ ABXY ∧Ω , ρ ABXY ∧Ω ) ≤ P (ρ NA→B Quantum channel between Alice and Bob P ∅→A|RS Φ A Preparation map that returns a state in register A depending on the settings R, S Φ A M Number of states sent by Alice in the prepare-and-measure version Ω Subset of [M ] for which Bob obtains a conclusive measurement result Σ Subset of m indices where Alice and Bob's settings agree and Bob obtained a conclusive outcome ro Reordering map used in the sifting step.R Register for Alice's raw key in the prepare-and-measure protocol U Register for Bob's measurement results in the prepare-and-measure protocol S Φ A (18)|x X ⊗ |x X ⊗ |p p| P ⊗ F p,x A .(154)Now note that the measured state σ XP RS in (153) has a natural purification inσ P P AXX RSD = V τ P P ARSD V † , where(155)|τ P P ARSD = p∈P Pr[P = p] τ |p P ⊗ |p P ⊗ τ ARSD|P =p , (156)where P is isomorphic to P and τ ARSD|P =p is any purification of τ ARS|P =p on a sufficiently large auxiliary system D. (The choice |D| = |A||R||S| ensures that all purifications can be accommodated.)Thisnowallowsustorephraseourtarget inequality.Using the duality relation for smooth min-and max-entropy in(17)together with the fact that H ε min (X|P R) σ = H ε min (X|P R) σ since P is a copy of P , we find that (152) is equivalent toH ε min (X|P R) σ ≥ H ε min (X|P AX RD) σ + logMoreover, the data-processing inequality for the smooth min-entropy in(18)applied for the map tr D yields H ε min (X|P AX RD) σ ≤ H ε min (X|P AX R) σ and thus it in fact suffices to show that13 z∈X |x x| X ⊗ |q(p) q(p)| P ⊗ z| tr A F p∈P id X ⊗ |p p| P ⊗ ωp R .(171) • 1 denotes the Schatten 1-norm.Moreover, by construction of ω KS H D it is evident that ω D|S H =h = ω D = σ D for all h ∈ H. Due to Hölder's inequality for Schatten norms [47, Corollary IV.2.6], we have