1 Introduction

The aim of quantum key distribution is to establish a shared key between two parties, commonly called Alice and Bob, that is unknown to any third party, commonly called Eve. To achieve this goal, Alice and Bob can share an entangled quantum state and use the correlated outcomes of measurements on this state to generate a secure key pair via a postprocessing protocol. If Eve has tampered with the shared state, Alice and Bob either notice this and abort the protocol, or are able to generate a secure key pair anyway [1,2,3]. In device-independent quantum key distribution (DIQKD) we assume that Eve not only has control over the shared state, but is also able to manipulate the devices that Alice and Bob use to measure the state. As long as the devices are not manipulated in a way that sends information out of Alice’s and Bob’s laboratories through channels other than those controlled by Alice and Bob, there are still protocols that allow for the generation of a shared secret key [4,5,6,7,8].

In the device-independent context, the devices of Alice and Bob are treated as black boxes and modeled by a conditional probability distribution \(P_{AB|XY}\). Alice and Bob can give inputs x and y, respectively, to the box, and receive outputs a and b with probability \(P_{AB|XY}(ab|xy)\). We will often write P(ab|xy) instead of \(P_{AB|XY}(ab|xy)\) when the random variables A, B, X and Y are implicitly understood. In the device-dependent case, the inputs correspond to the choice of measurement basis and the outputs to the results of the measurement. We will denote the sets of possible inputs by \(\mathcal {X}\) and \(\mathcal {Y}\), and the sets of outputs by \(\mathcal {A}\) and \(\mathcal {B}\). If the inputs and outputs are strings of length n, i.e., they are of the form \(\mathcal {X}= \hat{\mathcal {X}}^n\) (where \(\hat{\mathcal {X}}\) denotes some set of possible single-round inputs) and analogously for \(\mathcal {Y}\), \(\mathcal {A}\) and \(\mathcal {B}\), we call \(P_{AB|XY}\) an n-round box. If \(Q_{\hat{A}\hat{B}|\hat{X}\hat{Y}}\) is a box with inputs and outputs in \(\hat{\mathcal {X}},\hat{\mathcal {Y}},\hat{\mathcal {A}},\hat{\mathcal {B}}\), we denote by \(Q^{\otimes n}_{AB|XY}\) the n-round iid box with

$$\begin{aligned} Q^{\otimes n}(ab|xy) = \prod _{i=1}^n Q(a_ib_i|x_iy_i). \end{aligned}$$
(1)

Not all boxes \(P_{AB|XY}\) describe processes that are physically possible if we assume that no information can leave the laboratories of Alice and Bob. All boxes must then be such that Bob gains no information about Alice’s input from his output, and vice versa. We refer to boxes satisfying this constraint as non-signaling:

Definition 1

A box \(P_{AB|XY}\) is non-signaling if

$$\begin{aligned} \forall b,y,x,x' \qquad \sum _a P(ab|xy)&= \sum _a P(ab|x'y) \end{aligned}$$
(2)
$$\begin{aligned} \forall a,x,y,y' \qquad \sum _b P(ab|xy)&= \sum _b P(ab|xy'). \end{aligned}$$
(3)

If we furthermore assume that the boxes are described by quantum theory, we can describe the distribution \(P_{AB|XY}\) by some quantum state shared between Alice and Bob and some POVMs describing their measurements.

Definition 2

A box \(P_{AB|XY}\) is quantum if there are Hilbert spaces \(\mathcal {H}_A\), \(\mathcal {H}_B\), a state \(\rho _{AB} \in \textrm{End}\left( \mathcal {H}_A \otimes \mathcal {H}_B\right) \), for each x a POVM \(\left\{ E^{a,x} | a \right\} \) on \(\mathcal {H}_A\) and for each y a POVM \(\left\{ F^{b,y} | b \right\} \) on \(H_B\) such that

$$\begin{aligned} P(ab|xy) = \textrm{tr}\left[ \rho _{AB} \left( E^{a,x} \otimes F^{b,y}\right) \right] . \end{aligned}$$
(4)

The set of quantum boxes is a proper subset of the set of non-signaling boxes. That both sets are not identical is demonstrated by the Popescu–Rohrlich box [9].

When constructing DIQKD security proofs, often the analysis would be simplified if there were some form of reduction from general box behavior to the iid case, as it is substantially easier to construct security proofs for the latter (as achieved in, e.g., [5, 6, 10]). To find such a reduction, so-called de Finetti theorems may be a promising tool, as they have previously been used to achieve this goal in the case of device-dependent QKD [3, 11]. De Finetti theorems allow us to relate the entries of an arbitrary permutation-invariant box to the entries of a de Finetti box (a convex combination of iid boxes). De Finetti theorems where originally developed for random variables [12] and then extended to quantum states [3, 13,14,15] and boxes [16, 17]. For example, in [16] it was shown that for each set of single-round inputs \(\hat{\mathcal {A}}\) and outputs \(\hat{\mathcal {X}}\) there exists a de Finetti box \(\tau _{A|X}\) such that for all permutation-invariant boxes \(P_{A|X}\) it holds that

$$\begin{aligned} \forall a\in \mathcal {A},\, x\in \mathcal {X}\qquad P(a|x) \le (n+1)^{|\hat{\mathcal {X}}|(|\hat{\mathcal {A}}|-1)} \tau (a|x). \end{aligned}$$
(5)

(Here we treat the inputs and outputs of Alice and Bob as lumped together to a single-round input and output.)

However, the de Finetti theorems for boxes derived in, e.g., [16, 17] have the drawback that the de Finetti boxes cannot be restricted to the quantum set even if the original permutation-invariant boxes are quantum. This creates an obstacle for applications, because many existing DIQKD security proofs under the iid assumption exploit the properties of the quantum set [5, 6, 10]. This implies that such proofs cannot be combined with the de Finetti theorems in [16, 17] to obtain security against non-iid attacks, as those de Finetti theorems involve boxes that are not in the quantum set. (It is true that one could aim to derive a security proof for all iid behaviors in the non-signaling rather than quantum set, then apply the de Finetti theorems of [16, 17] to obtain security against non-iid attacks. However, this would give lower asymptotic key rates and noise tolerance compared to security proofs against quantum attackers, because non-signaling behaviors yield a significantly larger class of possible attacks.) Ideally, we would like to find a de Finetti theorem that can extend the iid security proofs against quantum attackers in [5, 6, 10] to cover non-iid quantum attackers, while preserving the asymptotic key rates and noise tolerance from those proofs, similar to the situation for device-dependent QKD [11]. While we do not fully achieve this goal in this work, we do obtain a de Finetti theorem that allows a partial reduction to the iid case (in a sense described in Sect. 3), and we also highlight some concrete difficulties that may be faced when aiming for a full reduction.

Regarding other existing approaches for reductions to the iid case, we note that for DIQKD protocols that use only one-way communication for error correction [3], a proof technique known as the entropy accumulation theorem (EAT) [18] can be used to essentially reduce the analysis of non-iid (but time-ordered) boxes to the iid scenario [8]. Alternatively, the techniques in [19, 20] can be used to obtain security proofs for such protocols even when the boxes accept all inputs in parallel, though the resulting asymptotic key rates are lower than in the iid case. There are, however, protocols that don’t only use one-way error correction (broadly referred to as advantage distillation protocols [3, 10, 21,22,23,24], such as the Cascade protocol [25] or the repetition-code protocol [3, 21]), and these protocols do not admit a security proof via those approaches.Footnote 1 The significance of these protocols in DIQKD is that under an iid assumption, it has been shown [10] that they can achieve higher noise tolerances than one-way error correction (i.e., they can achieve positive key rates even when the key rate given by one-way error correction is zero), analogous to results for device-dependent QKD [3, 23, 24]. However, for device-dependent QKD these improved noise tolerances can be lifted to the non-iid case using de Finetti arguments as mentioned above, whereas in DIQKD such an argument is currently missing—in fact, there are currently no security proofs for DIQKD advantage distillation protocols against non-iid attacks. Finding a way to resolve this would be useful in, for instance, tackling a foundational question of characterizing which non-local box behaviors can be used for DIQKD [26] (analogous to the question of bound information in device-dependent QKD [27]), since advantage distillation can have higher noise tolerances than one-way error correction.

Our main result in this work consists of two de Finetti theorems for Clauser–Horne–Shimony–Holt (CHSH) symmetric quantum boxes (see Definition 4), such that the de Finetti box is quantum as well. We further show how the first de Finetti theorem could be used in the security proofs of DIQKD protocols, yielding a partial reduction to the iid case.

The rest of this paper is structured as follows: In Sect. 2.1, we show the first de Finetti theorem (Theorem 6). It is similar to Eq. (5) and shows that the entries of a CHSH symmetric quantum box are upper bounded, up to a factor polynomial in n, by the entries of a fixed quantum de Finetti box. In Sect. 2.2, we then show the second de Finetti theorem (Theorem 11), which is closer to the original de Finetti theorems for random variables and quantum states. It states that the marginal of the first k rounds of a n-round CHSH symmetric quantum box is close to (and not just upper bounded by) a quantum de Finetti box. Our results in this section rely on the existence of appropriate threshold theorems (see, e.g., Theorem 7). A natural question is whether it is possible to derive them without using the threshold theorems; however, we show in Appendix B that proving a de Finetti theorem of the first form is essentially equivalent to proving a threshold theorem; hence, it would be a result of comparable difficulty.

In light of this, our results cannot currently be used as an alternative method to prove threshold theorems. However, our focus is more on the application of these results for DIQKD security proofs. Hence, in Sect. 3, we present an application of the first de Finetti theorem to bound the diamond distance between two channels acting on boxes. The diamond distance measures how well these two channels can be distinguished by an attacker. Since the security of a DIQKD protocol is related to the diamond distance between the protocol and an ideal channel [28, 29], bounds on the diamond distance can be useful in DIQKD security proofs. We show that to prove security of a DIQKD protocol against arbitrary (so-called coherent [30]) quantum attacks it is sufficient to prove security against an adversary who holds an extension of a fixed quantum de Finetti box (Theorem 15). However, this extension may not be quantum itself and can only be restricted to the non-signaling set.

In Sect. 4, we show that the result from Sect. 3 cannot be strengthened to restrict the attacker further to collective attacks [30] (attacks where the black box can be described by an iid quantum state and iid measurements for Alice and Bob, see Definition 16). For this, we construct two channels that cannot be distinguished at all using boxes compatible with collective attacks, but can be distinguished if arbitrary quantum boxes are available (Theorem 17). This shows that the theorem from Sect. 3 cannot be immediately used to conclude security against coherent attacks from security against collective attacks.

2 De Finetti Theorems for Boxes with CHSH Symmetry

2.1 The First de Finetti Theorem

Let us first define de Finetti boxes and CHSH symmetry:

Definition 3

A n-round box \(\tau _{AB|XY}\) is called de Finetti if it is the convex combination of iid boxes.

Definition 4

An n-round box \(P_{AB|XY}\) with single-round inputs and outputs in \(\hat{\mathcal {A}}=\hat{\mathcal {B}}=\hat{\mathcal {X}}=\hat{\mathcal {Y}}=\{0,1\}\) is called CHSH symmetric if

$$\begin{aligned} P(ab|xy) = P(a'b'|x'y') \qquad \text { whenever }\left\Vert a\oplus b \oplus xy\right\Vert _0 = \left\Vert a'\oplus b' \oplus x'y'\right\Vert _0.\nonumber \\ \end{aligned}$$
(6)

Here \(\left\Vert x\right\Vert _0\) denotes the number of nonzero entries of a n-bit string x.

If for an index i we have \(a_i\oplus b_i = x_iy_i\), we say that the CHSH game is won in round i [31]. Thus, Definition 4 basically states that a box is CHSH symmetric if its entries P(ab|xy) only depends on how many indices the CHSH game was won. Our definition of CHSH symmetry differs slightly from the one in [16], where it is only required that \(P(ab|xy)=P(a'b'|x'y')\) whenever \(a\oplus b \oplus xy = a'\oplus b' \oplus x'y'\). Our definition agrees with the definition in [16] for permutation symmetric boxes—essentially, we have implicitly incorporated the constraint of permutation symmetry into Definition 4 itself.

Of course, an attacker can initially manipulate the boxes of Alice and Bob such that they do not possess CHSH symmetry. However, Alice and Bob can run the following procedure to enforce CHSH symmetry: First Alice chooses a random permutation \(\pi \) and transmits it to Bob over the authenticated channel; then, Alice and Bob permute their inputs and outputs according to \(\pi \). If we view the original box as a conditional probability distribution \(P_{ABE|XYZ}\) for Alice, Bob and Eve we can view \(\pi \) as additional knowledge \(E'\) of Eve and describe the box after \(\pi \) has been applied by \(\tilde{P}_{ABEE'|XYZ}\). Alice and Bob will not require \(\pi \) for the remainder of the protocol and can now discard it; therefore, in the rest of our discussion we do not include it in the marginal of the Alice–Bob boxes, whereas on Eve’s component we will simply absorb \(E'\) into E and no longer explicitly denote it. Then the marginal \(\tilde{P}_{AB|XY}\) has permutation symmetry. To go from permutation symmetry to CHSH symmetry Alice and Bob apply the depolarization protocol described in appendix A of [32] to each round. If the box in the honest implementation of the DIQKD protocol has CHSH symmetry, it is unchanged by this depolarization protocol. It is important to note that only the marginal box of Alice and Bob has CHSH symmetry after this protocol: From the perspective of Eve, who knows the permutation \(\pi \) and the random bits chosen in the depolarization protocol in [32], the box may not have CHSH symmetry. However, we highlight that in the case of device-dependent QKD, this did not prevent constructing a security proof via de Finetti arguments [11], and hence, there still remains the possibility of a similar result for DIQKD.

It was shown in [16] that a de Finetti theorem holds for CHSH symmetric boxes:

Theorem 5

(Corollary 6 in [16]). For each number n of rounds, there is an n-round CHSH symmetric de Finetti box \(\tau _{AB|XY}\) such that for all CHSH symmetric boxes \(P_{AB|XY}\) it holds that

$$\begin{aligned} P(ab|xy) \le (n+1)\tau (ab|xy). \end{aligned}$$
(7)

Theorem 5 was derived for all CHSH symmetric boxes \(P_{AB|XY}\), even if they are not quantum. However, the de Finetti box \(\tau _{AB|XY}\) constructed in the theorem is also not quantum. The main result we derive in this section is a de Finetti theorem for quantum CHSH symmetric boxes, hence resolving this issue:

Theorem 6

For each number n of rounds, there is an n-round CHSH symmetric quantum de Finetti box \(\tau _{AB|XY}\) such that for all CHSH symmetric quantum boxes \(P_{AB|XY}\) it holds that

$$\begin{aligned} P(ab|xy) \le (n+1)^2 \tau (ab|xy). \end{aligned}$$
(8)

The maximal probability with which any single-round quantum box can win the CHSH game is \(w = \frac{2+\sqrt{2}}{4}\) [33]. This value is called the quantum value of the CHSH game. To prove Theorem 6, we need the following specialization of a theorem from [34] to the CHSH case. It says that the probability that the fraction of won CHSH games is larger than a certain threshold (namely the value of the CHSH game) is exponentially small in n. Such theorems are commonly referred to as threshold theorems.Footnote 2

Theorem 7

(Theorem 5 in [34]). Let \(P_{AB|XY}\) be an n-round box with single-round inputs and outputs in \(\{0,1\}\). Let \(\mu \) be the uniform probability distribution on \(\{0,1\}^2\) and \(K = ||A\oplus B \oplus XY \oplus \textbf{1}||_0\) the number of won instances of the CHSH game. Let \(w = \frac{2+\sqrt{2}}{4}\) the quantum value of the CHSH game. Then for \(k > wn\)

$$\begin{aligned} \textrm{Pr}_{P_{AB|XY},\mu ^{\otimes n}}[K \ge k] \le e^{-nD(k/n,1-k/n||w,1-w)}, \end{aligned}$$
(9)

where \(\textrm{Pr}_{P_{AB|XY},\mu ^{\otimes n}}\) denotes the probability measure in which X and Y are sampled from \(\mu ^{\otimes n}\) and A and B are sampled using \(P_{AB|XY}\) and

$$\begin{aligned} D(p,1-p||q,1-q) = p \ln \left( \frac{p}{q}\right) + (1-p) \ln \left( \frac{1-p}{1-q}\right) \end{aligned}$$
(10)

denotes the relative entropy.

Note that the box \(P_{AB|XY}\) in Theorem 7 does not have to be CHSH symmetric. However, if \(P_{AB|XY}\) is CHSH symmetric then we can describe it completely by \(n+1\) parameters \(\{p_0,p_1,\dots ,p_n\}\), which we define as follows: For each \(k \in \{0,\ldots ,n\}\), take any \(a,b,x,y \in \{0,1\}^n\) such that \(k = ||a\oplus b \oplus xy \oplus \textbf{1}||_0\) (in other words, abxy win exactly k instances of the CHSH game). Then define

$$\begin{aligned} p_k = \left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n P(ab|xy). \end{aligned}$$
(11)

By CHSH symmetry, all combinations of abxy with the same value of k have the same value of P(ab|xy), so the expression (11) is indeed well defined. The normalization factor \(\left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n\) is chosen to give these parameters a simple interpretation: namely, \(p_k\) is in fact equal to the probability of winning exactly k CHSH games for the box P(ab|xy) (regardless of the input distribution). To see this, notice that for fixed x, y and k there are exactly \(\left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n\) pairs ab such that \(k = ||a\oplus b \oplus xy \oplus 1||_0\) [16]. Therefore, for any probability measure \(\mu \) on the n-round inputs x and y, we indeed have

$$\begin{aligned} \textrm{Pr}_{P_{AB|XY},\mu }[K=k]&= \sum _{\begin{array}{c} a,b,x,y \\ k = ||a\oplus b \oplus xy \oplus \textbf{1}||_0 \end{array}} P(ab|xy)\mu (xy) \nonumber \\&= \sum _{xy} \left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n \frac{p_k}{\left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n} \mu (xy)\\&= p_k\nonumber \end{aligned}$$
(12)

where in the second equality we used that the summand does not depend on a and b, and for a fixed x and y there are \(\left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n\) possible a and b with \(\left\Vert a\oplus b\oplus xy\oplus \textbf{1}\right\Vert _0=k\). Theorem 7 then implies

$$\begin{aligned} \sum _{l \ge k} p_l \le e^{-nD(k/n,1-k/n||w,1-w)}. \end{aligned}$$
(13)

To prove Theorem 6, we need one further ingredient:

Lemma 8

Let \(a,b \in \mathbb {R}\) with \(a < b\) and \(f:[a,b]\rightarrow \mathbb {R}^+_0\) be a concave function that attains its maximum at some \(x^* \in [a,b]\). Then \( \forall n \in \mathbb {N}\),

$$\begin{aligned} \frac{1}{n+1}(b-a)f(x^*)^n \le \int _a^b f(x)^n\textrm{d}x \le (b-a)f(x^*)^n \end{aligned}$$
(14)

The proof is given in Appendix . Now we are ready to prove Theorem 6:

Proof of Theorem 6

Let \(w = \frac{2+\sqrt{2}}{4}\) be the quantum value of the CHSH game and define for \(p\in [1-w,w]\) the single-round box \(Q(p)_{\hat{A}\hat{B}|\hat{X}\hat{Y}}\) as

$$\begin{aligned} Q(p)(ab|xy) = {\left\{ \begin{array}{ll} p/2 &{}\text { if } a\oplus b = xy \\ (1-p)/2 &{}\text { if } a\oplus b \ne xy \end{array}\right. } \end{aligned}$$
(15)

Now set

$$\begin{aligned} \tau _{AB|XY} = \frac{1}{2w-1}\int _{1-w}^w Q(p)_{AB|XY}^{\otimes n} \textrm{d}p. \end{aligned}$$
(16)

\(\tau _{AB|XY}\) is quantum because each \(p \in [1-w,w]\) \(Q(p)_{AB|XY}^{\otimes n}\) is quantum. Further \(\tau _{AB|XY}\) is de Finetti by construction. Let \(a,b,x,y \in \{0,1\}^n\) and let \(k=\left\Vert a\oplus b \oplus xy \oplus \textbf{1}\right\Vert _0\) be the number of won CHSH games of abxy. Let \(\alpha = k/n\) and set

$$\begin{aligned} f(p) = \frac{1}{2} p^\alpha (1-p)^{1-\alpha }. \end{aligned}$$
(17)

Then

$$\begin{aligned} \tau (ab|xy) = \frac{1}{2w-1} \int _{1-w}^w 2^{-n}p^k(1-p)^{n-k} \textrm{d}p = \frac{1}{2w-1}\int _{1-w}^w f(p)^n\textrm{d}p. \end{aligned}$$
(18)

Note that

$$\begin{aligned} f'(p) = \left( \frac{\alpha }{p}-\frac{1-\alpha }{1-p}\right) f(p) \end{aligned}$$
(19)

and

$$\begin{aligned} f''(p)&= \left[ \left( \frac{\alpha }{p}-\frac{1-\alpha }{1-p}\right) ^2-\frac{\alpha }{p^2}-\frac{1-\alpha }{(1-p)^2}\right] f(p) \nonumber \\&= -\frac{\alpha (1-\alpha )}{p^2(1-p)^2} f(p) < 0. \end{aligned}$$
(20)

Therefore, f is concave and its maximum on the interval [0, 1] occurs at \(p=\alpha \).

Since f is concave, we can apply Lemma 8 to Eq. (18) and get

$$\begin{aligned} \tau (ab|xy) \ge \frac{1}{n+1}\sup _{p\in [1-w,w]} f(p)^n. \end{aligned}$$
(21)

Now we turn to the box \(P_{AB|XY}\). Following the earlier notation, let \(p_k\) denote the probability of winning exactly k CHSH games with this distribution. We observe that

  • If \(\alpha > w\), then the threshold Theorem 7 implies

    $$\begin{aligned} p_k \le e^{-nD(\alpha ,1-\alpha ||w,1-w)}. \end{aligned}$$
    (22)

  • If \(\alpha < 1-w\), we can use the threshold theorem to get a bound on the minimal number of won games, because the CHSH game has the property that winning exactly k games is just as hard as losing exactly k games (and thus winning \(n-k\) games). Hence, we have

    $$\begin{aligned} p_k \le e^{-nD(\alpha ,1-\alpha ||1-w,w)}. \end{aligned}$$
    (23)

  • If \(\alpha \in [1-w,w]\), we can rewrite the trivial bound \(p_k \le 1\) in the form

    $$\begin{aligned} p_k \le 1 = e^{-nD(\alpha ,1-\alpha ||\alpha ,1-\alpha )}. \end{aligned}$$
    (24)

Hence, we can summarize the implications of the threshold theorem as

$$\begin{aligned} p_k \le \sup _{p \in [1-w,w]} e^{-nD(\alpha ,1-\alpha ||p,1-p)}. \end{aligned}$$
(25)

We can simplify the term in the supremum by inserting the definition of relative entropy:

$$\begin{aligned} e^{-nD(\alpha ,1-\alpha ||p,1-p)} = \left( \frac{p}{\alpha }\right) ^{\alpha n} \left( \frac{1-p}{1-\alpha }\right) ^{(1-\alpha ) n} = \frac{f(p)^n}{f(\alpha )^n}. \end{aligned}$$
(26)

Now recall that by Eq. (11), P(ab|xy) is related to \(p_k\) by

$$\begin{aligned} P(ab|xy) = \frac{p_k}{2^n\left( {\begin{array}{c}n\\ k\end{array}}\right) }. \end{aligned}$$
(27)

It is a well-known identity of the Beta function that

$$\begin{aligned} \left( {\begin{array}{c}n\\ k\end{array}}\right) ^{-1}= & {} (n+1)\int _0^1 t^k(1-t)^{n-k} \textrm{d}t = 2^n (n+1)\int _0^1 f(p)^n \textrm{d}p \nonumber \\\le & {} 2^n (n+1) f(\alpha )^n \end{aligned}$$
(28)

where for the last inequality we used Lemma 8 and the fact that the maximum of f on [0, 1] is \(f(\alpha )\). Inserting Eq. (28) followed by Eqs. (25)–(26) into Eq. (27) gives

$$\begin{aligned} P(ab|xy) \le (n+1)p_kf(\alpha )^n \le (n+1) \sup _{p \in [1-w,w]} f(p)^n. \end{aligned}$$
(29)

Combining Eqs. (21) and (29) yields \(P(ab|xy) \le (n+1)^2\tau (ab|xy)\), as desired.    \(\square \)

The arguments in the proof of Theorem 6 are not specific to CHSH symmetry. In fact, in Appendix B we show that we get such a de Finetti theorem whenever a threshold theorem analogous to Theorem 7 holds.

2.2 The Second de Finetti Theorem

The de Finetti theorem discussed in the previous section is similar to the de Finetti theorems for boxes shown in [16]; they show that the entries of some given box are upper bounded by the entries of a de Finetti box. The original de Finetti theorems for random variables and quantum states are of a different flavor: They show that the marginal on the first k rounds of an arbitrary n-round permutation-invariant state is close to a de Finetti state if \(k \ll n\). In this section, we show a theorem of this type for CHSH symmetric boxes. We use the following distance measure on the space of boxes:

Definition 9

Let \(P_{A|X}\) and \(Q_{A|X}\) be two boxes with the same input set \(\mathcal {X}\) and output set \(\mathcal {A}\). Their distance is

$$\begin{aligned} \left\Vert P_{A|X}-Q_{A|X}\right\Vert = \max _{x \in \mathcal {X}} \sum _{a \in \mathcal {A}} |P(a|x)-Q(a|x)|. \end{aligned}$$
(30)

This distance is just the \(\ell ^1\) distance of the probability distributions of a, maximized over the input x. To state the de Finetti theorem, we need to introduce the notion of the marginal of an n-round box. In general, this marginal may not be well defined without some kind of non-signaling condition across different rounds (since otherwise the output distribution of one round could potentially depend on the input in another round). However, it turns out that for CHSH symmetric boxes this is indeed well defined, as we now show.

Lemma 10

Let \(P_{AB|XY}\) be an n-round CHSH symmetric quantum box and let \(1 \le k \le n\) be an integer. Then the expression

$$\begin{aligned}{} & {} P^k(a_1\ldots a_k,b_1\ldots b_k|x_1\ldots x_k,y_1\ldots y_k)\nonumber \\{} & {} \quad :=\sum _{\begin{array}{c} a_{k+1}\ldots a_n\\ b_{k+1}\ldots b_n \end{array}}P(a_1\ldots a_n,b_1\ldots b_n|x_1\ldots x_n,y_1\ldots y_n) \end{aligned}$$
(31)

is independent of the choice of \(x_{k+1}\ldots x_{n}\) and \(y_{k+1}\ldots y_{n}\), and we shall refer to it as the marginal of the first k rounds. Furthermore, \(P^k_{AB|XY}\) is a CHSH symmetric quantum box (of k rounds).

Proof

We shall use the notation \(a=(a_1\ldots a_k)\) and \(a' = (a_{k+1}\ldots a_{n})\), and define \(b,b',x,x',y,y'\) analogously. To see that \(P^k_{AB|XY}\) is independent of the choice of \(x'\) and \(y'\), we calculate

$$\begin{aligned} P^k(ab|xy)&= \sum _{a'b'} P(aa',bb'|xx',yy') \nonumber \\&= \sum _{a'b'} P(aa',b(b'\oplus x'y')|x0,y0) \nonumber \\&= \sum _{a'b'} P(aa',bb'|x0,y0), \end{aligned}$$
(32)

where in the second equality we used the CHSH symmetry of \(P_{AB|XY}\) and in the third equality we shifted the summation variable \(b'\) by \(x'y'\).

To see the CHSH symmetry of \(P^k_{AB|XY}\), note that by CHSH symmetry of \(P_{AB|XY}\), \(P(aa',bb'|x0,y0)\) only depends on \(a\oplus b\oplus xy\) and \(a' \oplus b'\). Hence, \(P^k(ab|xy)\) only depends on \(a\oplus b\oplus xy\). Furthermore, the permutation invariance of \(P_{AB|XY}\) immediately implies that \(P^k_{AB|XY}\) is also permutation-invariant, and hence, we conclude that \(P^k_{AB|XY}\) is CHSH symmetric. Finally, the fact that \(P^k_{AB|XY}\) is a quantum box immediately follows from the fact that \(P_{AB|XY}\) is quantum. \(\square \)

Now we can state the de Finetti theorem:

Theorem 11

Let \(P_{AB|XY}\) be an n-round CHSH symmetric quantum box and let \(P^{k}_{AB|XY}\) be the marginal of the first k rounds as defined in Eq. (31). There is a k-round CHSH symmetric quantum de Finetti box \(\tau _{AB|XY}\) such that

$$\begin{aligned} \left\Vert P^k_{AB|XY}-\tau _{AB|XY}\right\Vert \le \left( C\sqrt{\ln (n/k)}+4\right) \sqrt{\frac{k}{n}} + \frac{4k}{n} = \mathcal {O}\left( \sqrt{\ln (n/k)\frac{k}{n}}\right) \nonumber \\ \end{aligned}$$
(33)

with \(C = \frac{2}{\sqrt{2-\sqrt{2}}}\approx 2.6\).

For the proof of Theorem 11, we first note that the distance between two CHSH symmetric boxes is just the \(\ell ^1\) distance between the distributions of the wins and losses of the CHSH game, which are independent from the input into the box.

Lemma 12

Let \(P_{AB|XY}\) and \(Q_{AB|XY}\) be CHSH symmetric n-round boxes and \(W = A\oplus B \oplus XY \oplus \textbf{1} \in \{0,1\}^n\) be the random variable that indicates in which rounds the CHSH game was won. Let \(P_W\) and \(Q_W\) the distribution of W. Then

$$\begin{aligned} \left\Vert P_{AB|XY}-Q_{AB|XY}\right\Vert = \left\Vert P_W-Q_W\right\Vert _1. \end{aligned}$$
(34)

Proof

For all xy

$$\begin{aligned} P(ab|xy) = 2^{-n}P_W(a\oplus b\oplus xy \oplus \textbf{1}) \end{aligned}$$
(35)

so

$$\begin{aligned} \sum _{a,b}|P(ab|xy)-Q(ab|xy)| = \sum _{a,w}2^{-n}|P_W(w)-Q_W(w)| = \left\Vert P_W-Q_W\right\Vert _1.\nonumber \\ \end{aligned}$$
(36)

\(\square \)

Another ingredient for the proof of Theorem 11 is a bound on the \(\ell ^1\)-distance between two binomial distributions:

Lemma 13

Let \(k \in \mathbb {N}\) and \(p,q \in (0,1)\). Denote by \(P=\textrm{Binom}(k,p)\) and \(Q = \textrm{Binom}(k,q)\) the binomial distributions with k trials and success probabilities p and q. Then

$$\begin{aligned} \left\Vert P-Q\right\Vert _1 \le 2\sqrt{\frac{n}{\min \{q,1-q\}}} |p-q|. \end{aligned}$$
(37)

Proof

Denote by \(P_0\) and \(Q_0\) the Bernoulli distributions with success probability p and q, respectively. We use Pinsker’s inequality and the reverse Pinsker’s inequality (Lemma 4.1 in [36]) to calculate

$$\begin{aligned} \left\Vert P-Q\right\Vert _1&\le \sqrt{2D(P||Q)}&\qquad \text { Pinsker's inequality}\nonumber \\&= \sqrt{2nD(P_0||Q_0)}&\qquad \text { additivity of relative entropy} \nonumber \\&\le \sqrt{\frac{n\left\Vert P_0-Q_0\right\Vert _1^2}{\min \{q,1-q\}}}&\qquad \text { reverse Pinsker's inequality}\nonumber \\&= 2\sqrt{\frac{n}{\min \{q,1-q\}}} |p-q|. \end{aligned}$$
(38)

\(\square \)

Now we are ready to prove the de Finetti theorem:

Proof of Theorem 11

Denote by \(p_N\) the probability that Alice and Bob win exactly N CHSH games on the box \(P_{AB|XY}\). Then \(W=A\oplus B \oplus XY \oplus \textbf{1}\) has a permutation-invariant distribution \(P_W\) with

$$\begin{aligned} \sum _{w: \sum _i w_i = N} P_W(w) = p_N. \end{aligned}$$
(39)

By the de Finetti theorem for random variables [12], we have

$$\begin{aligned} \left\Vert P^k_W - \sum _{N=0}^n p_N \textrm{Binom}\left( k,\frac{N}{n}\right) \right\Vert \le \frac{4k}{n}, \end{aligned}$$
(40)

where \(P^k_W\) denotes the distribution of the first k bits of W.

For \(p \in [0,1]\), denote by \(Q(p)_{\hat{A}\hat{B}|\hat{X}\hat{Y}}\) the single-round box with CHSH winning probability p. Then by Lemma 12 and Eq. (40),

$$\begin{aligned} \left\Vert P^k_{AB|XY} - \sum _{N=0}^n p_N Q\left( \frac{N}{n}\right) ^{\otimes k} \right\Vert \le \frac{4k}{n} \end{aligned}$$
(41)

The box \(\sum _{N=0}^n p_N Q\left( \frac{N}{n}\right) ^{\otimes k}\) is CHSH symmetric and de Finetti, but not quantum. The problems are the terms with \(N > nw\) and \(N < n(1-w)\), where \(w = \frac{2+\sqrt{2}}{4}\). We define a quantum CHSH symmetric de Finetti box as

$$\begin{aligned} \tau _{AB|XY} = \sum _{N=0}^n p_N {\left\{ \begin{array}{ll} Q(w)^{\otimes k} &{} \text { if } N > wn \\ Q\left( \frac{N}{n}\right) ^{\otimes k}&{} \text { if } N \in [(1-w)n, wn] \\ Q(1-w)^{\otimes k} &{} \text { if } N < (1-w) n\end{array}\right. }. \end{aligned}$$
(42)

We will show

$$\begin{aligned} \left\Vert \tau _{AB|XY} - \sum _{N=0}^n p_N Q\left( \frac{N}{n}\right) ^{\otimes k}\right\Vert \le \left( C\sqrt{\ln (n/k)}+4\right) \sqrt{\frac{k}{n}}. \end{aligned}$$
(43)

The statement of Theorem 11 then follows by combining this bound and the bound in Eq. (41) using the triangle inequality.

Let \(\delta >0\). We split the sum in the definition of \(\tau _{AB|XY}\) to obtain

$$\begin{aligned} \left\Vert \tau _{AB|XY} - \sum _{N=0}^n p_N Q\left( \frac{N}{n}\right) ^{\otimes k}\right\Vert&\le \sum _{N \in [wn,n]} p_N \left\Vert Q(w)^{\otimes k} - Q\left( \frac{N}{n}\right) ^{\otimes k}\right\Vert \nonumber \\&+ \sum _{N \in [0,(1-w)n]} p_N \left\Vert Q(1-w)^{\otimes k} - Q\left( \frac{N}{n}\right) ^{\otimes k}\right\Vert \nonumber \\&\le \sum _{N \in [wn, (w+\delta )n]} p_N \left\Vert Q(w)^{\otimes k} -Q(w+\delta )^{\otimes k}\right\Vert \nonumber \\&+ \sum _{N \in [(1-w-\delta )n, (1-w)n]} p_N \left\Vert Q(1-w)^{\otimes k} -Q(1-w-\delta )^{\otimes k}\right\Vert \nonumber \\&+2\sum _{N\in [0,(1-w-\delta )n]\cup [(w+\delta )n,n]} p_N \end{aligned}$$
(44)

where in the last line we used \(\left\Vert P_{AB|XY}-Q_{AB|XY}\right\Vert \le 2\) for all normalized boxes \(P_{AB|XY}\) and \(Q_{AB|XY}\). We start by bounding the terms with \(N \in [wn, (w+\delta )n]\) and \(N \in [(1-w-\delta )n, (1-w)n]\) using Lemma 13:

$$\begin{aligned}&\left\Vert Q(w)^{\otimes k} -Q(w+\delta )^{\otimes k}\right\Vert \le \frac{2}{\sqrt{1-w}}\sqrt{k}\delta = 2C\sqrt{k}\delta \end{aligned}$$
(45)

where we used \(\frac{2}{\sqrt{1-w}} = \frac{4}{\sqrt{2-\sqrt{2}}}=2C\). Analogously we find

$$\begin{aligned} \left\Vert Q(1-w)^{\otimes k} -Q(1-w-\delta )^{\otimes k}\right\Vert \le 2C\sqrt{k}\delta \end{aligned}$$
(46)

so that by \(\sum _N p_N =1\)

$$\begin{aligned}&\sum _{N \in [wn, (w+\delta )n]} p_N \left\Vert Q(w)^{\otimes k} -Q(w+\delta )^{\otimes k}\right\Vert \nonumber \\&\quad + \sum _{N \in [(1-w-\delta )n, (1-w)n]} p_N \left\Vert Q(1-w)^{\otimes k} -Q(1-w-\delta )^{\otimes k}\right\Vert \nonumber \\&\le 2C\sqrt{k}\delta . \end{aligned}$$
(47)

Now we turn to the terms with \(N>(w+\delta )n\) and \(N<(1-w-\delta )n\). By the threshold theorem for the CHSH game (Theorem 7), it holds that

$$\begin{aligned} \sum _{N > (w+\delta )n}p_N&\le e^{-nD(w+\delta , 1-w-\delta ||w,1-w)} \end{aligned}$$
(48)
$$\begin{aligned}&\le e^{-2n\delta ^2} \end{aligned}$$
(49)

where in the last step we used Pinsker’s inequality, i.e \(D(p,1-p||q,1-q) \ge 2 |p-q|^2\). Analogously also

$$\begin{aligned} \sum _{N<(1-w-\delta )n}p_N \le e^{-2n\delta ^2}. \end{aligned}$$
(50)

Putting together the bounds for \(N \in [wn, (w+\delta )n]\) and \(N>(w+\delta )n\), we find

$$\begin{aligned} \left\Vert \tau _{AB|XY} - \sum _{N=0}^n p_N Q\left( \frac{N}{n}\right) ^{\otimes k}\right\Vert&\le 2C\sqrt{k}\delta + 4e^{-2n\delta ^2}. \end{aligned}$$
(51)

Now we choose

$$\begin{aligned} \delta = \frac{1}{2}\sqrt{\frac{\ln (n/k)}{n}} \end{aligned}$$
(52)

and obtain

$$\begin{aligned} \left\Vert \tau _{AB|XY} - \sum _{N=0}^n p_N Q\left( \frac{N}{n}\right) ^{\otimes k}\right\Vert \le \left( C\sqrt{\ln (n/k)}+4\right) \sqrt{\frac{k}{n}}. \end{aligned}$$
(53)

This completes the proof. \(\square \)

The choice of \(\delta \) in Eq. (52) is not optimal, and it does not give the minimal possible error term in Theorem 11. However, the improvement that can be achieved by choosing \(\delta \) optimally does not change the \(\mathcal {O}\left( \sqrt{\ln (n/k) k/n}\right) \) behavior. To see this, choose

$$\begin{aligned} \delta = \frac{1/2\sqrt{\ln (n/k)}+\beta }{\sqrt{n}} \end{aligned}$$
(54)

for some \(\beta > -\sqrt{\ln (n/k)}/2\). Then the error term is given by

$$\begin{aligned} \epsilon :=2C\sqrt{k}\delta + 4e^{-2n\delta ^2} = \left( C\sqrt{\ln (n/k)} + 2C\beta +4e^{-2\beta ^2-2\beta \sqrt{\ln (n/k)}}\right) \sqrt{k/n}.\nonumber \\ \end{aligned}$$
(55)

The optimal \(\beta \) is such that \(C' = 2C\beta +4e^{-2\beta ^2-2\beta \sqrt{\ln (n/k)}}\) is minimized. A numerical optimization indicates that for \(\ln (n/k)=0\) the minimum of \(C'\) is achieved at \(\beta = 0\), so \(C'=4\). As \(\ln (n/k)\) increases the minimum of \(C'\) decreases slowly, at \(\ln (n/k) = 10\) it is given by \(C' \approx 2.03\), and at \(\ln (n/k)=100\) by \(C' \approx 0.96\). As \(\ln (n/k) \rightarrow \infty \), it converges \(C' \rightarrow 0\), which can be seen by choosing \(\beta = \left( \ln (n/k)\right) ^{-1/4}\). Regardless of the choice of \(\beta \), the error is always at least \(C\sqrt{\ln (n/k)k/n}\).

3 Applications

In this section, we show how our first de Finetti theorem (Theorem 6) has applications in DIQKD security proofs, by first using it to derive a bound on channel distinguishability, then discussing its implications for security proofs. This result and the proof of it are analogous to theorem 25 in [16], except that we use Theorem 6 as the de Finetti theorem, rather than the statement in Eq. (5). We remark that the works [19, 20] also used threshold theorems (of somewhat different forms) to obtain DIQKD security proofs. However, as discussed in Introduction, their proof techniques currently only apply to protocols using one-way error correction and yield lower asymptotic key rates compared to the iid case. In contrast, the results we derive here could be applied to all protocols having the appropriate symmetry properties. While they currently do not yield a full reduction to the iid case, our hope is that it would be possible to develop them further to obtain security proofs that are more generally applicable and yield higher asymptotic key rates compared to [19, 20], as was the case for de Finetti theorems in device-dependent QKD [11].

3.1 Bound on the Diamond Distance Between Channels

Here we consider channels on boxes of the following form: A channel \(\mathcal {E}\) that acts on boxes of the form \(P_{A|X}\) and outputs a random variable R as its result is described by a probability distribution \(P^\mathcal {E}_{X}\) on \(\mathcal {X}\) and a conditional probability distribution \(P^\mathcal {E}_{R|AX}\) which determines the result R given A and X. When acting on \(P_{A|X}\), the channel produces a distribution on R given by

$$\begin{aligned} \mathcal {E}(P_{A|X})(r) = \sum _{x,a} P^\mathcal {E}_{X}(x)P_{A|X}(a|x)P^\mathcal {E}_{R|AX}(r|ax). \end{aligned}$$
(56)

This definition is general enough to capture all protocols in a parallel DIQKD scenario, where all bits of the n-bit input \(\mathcal {X}\) are entered at the same time into the box. It does not cover all protocols that are possible in a sequential DIQKD scenario [8], where some of the input bits are only given to the box after some output bits have been received. In such a sequential scenario, it is in principle possible to construct channels where the input to the box in some round depends on the output of the box in previous rounds.

If we consider boxes \(P_{AE|XZ}\), where the additional EZ interface is held by Eve, we can also apply the channel \(\mathcal {E}\) only to the AX interface to obtain a box with input Z and outputs R and E. We will denote this box by \(\left( \mathcal {E}\otimes \textrm{id}\right) (P_{AE|XZ})_{RE|Z}\).

We define the distance between two channels \(\mathcal {E}\) and \(\mathcal {F}\) by how well Eve can distinguish the boxes \(\left( \mathcal {E}\otimes \textrm{id}\right) (P_{AE|XZ})_{RE|Z}\) and \(\left( \mathcal {F}\otimes \textrm{id}\right) (P_{AE|XZ})_{RE|Z}\) if she is also given access to R. Then she can choose her input Z dependent on R. This leads to the following definition [16, 37]:

Definition 14

Let \(\mathcal {E}\) and \(\mathcal {F}\) be two channels acting on boxes of the form \(P_{A|X}\). The distinguishability of \(\mathcal {E}\) and \(\mathcal {F}\) using the box \(P_{AE|XZ}\) is given by

$$\begin{aligned}&\left\Vert \left( \mathcal {E}-\mathcal {F}\right) \otimes \textrm{id}\left( P_{AE|XZ}\right) \right\Vert \nonumber \\&= \sum _{r}\max _z\sum _e \left| \sum _{a,x} P_{AE|XZ}(ae|xz) \left( P^\mathcal {E}_{X}(x)P^\mathcal {E}_{R|AX}(r|ax)-P^\mathcal {F}_{X}(x)P^\mathcal {F}_{R|AX}(r|ax) \right) \right| . \end{aligned}$$
(57)

We define the diamond distance between the channels with respect to some set \(\mathcal {P}\) of boxes to be the following:

$$\begin{aligned}&||\mathcal {E}-\mathcal {F}||_\Diamond ^\mathcal {P}= \sup _{P_{AE|XZ} \in \mathcal {P}} \left\Vert \left( \mathcal {E}-\mathcal {F}\right) \otimes \textrm{id}\left( P_{AE|XZ}\right) \right\Vert . \end{aligned}$$
(58)

Similarly to the usual diamond distance between quantum channels, the above definition of diamond distance with respect to some set \(\mathcal {P}\) is a measure of how distinguishable the channels are with respect to a distinguisher that can only use boxes from \(\mathcal {P}\). Simple choices of \(\mathcal {P}\) include, for instance, the sets of quantum or non-signaling boxes. For the following main theorem of this section we will, however, take \(\mathcal {P}\) to be the set of quantum boxes \(P_{ABE|XYZ}\) such that the marginal \(P_{AB|XY}\) has CHSH symmetry, and denote the diamond distance with respect to this \(\mathcal {P}\) as \(||\mathcal {E}-\mathcal {F}||_\Diamond ^{\textrm{quantum,CHSH}}\). Note that if the action of the channels \(\mathcal {E},\mathcal {F}\) can be described by Alice and Bob first performing the depolarizing procedure described above, this restriction causes no change in the diamond distance as compared to choosing \(\mathcal {P}\) to be the entire set of quantum boxes \(P_{ABE|XYZ}\).

Theorem 15

Let \(\mathcal {E}\) and \(\mathcal {F}\) two channels on n-round boxes of the form \(P_{AB|XY}\), and let \(\tau _{AB|XY}\) be the de Finetti box from Theorem 6. Then

$$\begin{aligned} ||\mathcal {E}-\mathcal {F}||_\Diamond ^{\textrm{quantum,CHSH}} \le (n+1)^2 \sup _{\tau _{ABE|XYZ}} \left\Vert (\mathcal {E}-\mathcal {F})\otimes \textrm{id}(\tau _{ABE|XYZ})\right\Vert \end{aligned}$$
(59)

where the supremum is taken over all non-signaling boxes that have the marginal \(\tau _{AB|XY}\).

Proof of Theorem 15

Let \(P_{ABE|XYZ}\) be a quantum box whose marginal \(P_{AB|XY}\) has CHSH symmetry. Let \(R_{AB|XY}\) be such that

$$\begin{aligned} \tau _{AB|XY} = \frac{1}{(n+1)^2}P_{AB|XY} + \left( 1-\frac{1}{(n+1)^2}\right) R_{AB|XY}. \end{aligned}$$
(60)

By Theorem 6 all entries of \(R_{AB|XY}\) are positive. Because the non-signaling condition is linear and \(\tau _{AB|XY}\) and \(P_{AB|XY}\) are non-signaling, \(R_{AB|XY}\) is also non-signaling. Now we define an extension \(\tau _{ABE|XYZ}\) of \(\tau _{AB|XY}\) as follows: The box has one more possible outcome for Eve then the box \(P_{ABE|XYZ}\). We will call this additional outcome \(e^*\). The box \(\tau _{ABE|XYZ}\) then works as follows: With probability \((n+1)^{-2}\), the box acts just like \(P_{ABE|XYZ}\), and with probability \(1-(n+1)^{-2}\), it always returns \(e^*\) to Eve and acts like \(R_{AB|XY}\) for Alice and Bob. Formally, this is given by

$$\begin{aligned} \tau (abe|xyz) = {\left\{ \begin{array}{ll} \frac{1}{(n+1)^2}P(abe|xyz) &{} \text { if } e \ne e^* \\ \left( 1-\frac{1}{(n+1)^2}\right) R(ab|xy) &{}\text { if } e =e^* \end{array}\right. }. \end{aligned}$$
(61)

Since \(\tau _{ABE|XYZ}\) is the linear combination of two non-signaling boxes, it is non-signaling itself. Furthermore, by Eq. (60) it is an extension of \(\tau _{AB|XY}\). Finally, it holds that

$$\begin{aligned}&||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(\tau _{ABE|XYZ})|| \nonumber \\&= \sum _r \max _z \sum _e \left| \sum _{a,b,x,y} \tau (abe|xyz) \left( P^\mathcal {E}(xy)P^\mathcal {E}(r|abxy) - P^\mathcal {F}(xy)P^\mathcal {F}(r|abxy)\right) \right| \nonumber \\&\ge \sum _r \max _z \sum _{e \ne e^*} \left| \sum _{a,b,x,y} \tau (abe|xyz) \left( P^\mathcal {E}(xy)P^\mathcal {E}(r|abxy) - P^\mathcal {F}(xy)P^\mathcal {F}(r|abxy)\right) \right| \nonumber \\&= (n+1)^{-2}\sum _r \max _z \sum _{e \ne e^*} \left| \sum _{a,b,x,y} P(abe|xyz) \left( P^\mathcal {E}(xy)P^\mathcal {E}(r|abxy) - P^\mathcal {F}(xy)P^\mathcal {F}(r|abxy)\right) \right| \nonumber \\&=(n+1)^{-2}||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(P_{ABE|XYZ})||. \end{aligned}$$
(62)

Hence, for all \(P_{ABE|XYZ}\)

$$\begin{aligned} ||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(P_{ABE|XYZ})|| \le (n+1)^2\sup _{\tau _{ABE|XYZ}} ||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(\tau _{ABE|XYZ})||.\nonumber \\ \end{aligned}$$
(63)

Taking the supremum over all \(P_{ABE|XYZ}\) with CHSH symmetric marginal \(P_{AB|XY}\) yields the claim. \(\square \)

3.2 Implications for DIQKD Security Proofs

Theorem 15 can be seen as a version of the postselection theorem for quantum channels [11]. It allows us to bound the distance between two channels by the distinguishability of the channels when Eve is restricted to extensions of a fixed de Finetti box. This could potentially be a useful tool in security proofs of DIQKD protocols, because a protocol can be defined to be secure if its diamond distance to an ideal protocol is small [28, 29]. In particular, Theorem 15 implies that to prove security against coherent quantum attacks, it is sufficient to prove security for the case where the marginal of Alice and Bob is given by \(\tau _{AB|XY}\), and Eve possesses a non-signaling extension of this box. This helps to simplify the task of a DIQKD security proof, because it means that it suffices to analyze (extensions of) the specific box \(\tau _{AB|XY}\), which has the convenient property of being a convex combination of iid quantum boxes.

However, there is a caveat: Although the box \(\tau _{AB|XY}\) is quantum, the extensions \(\tau _{ABE|XYZ}\) in the theorem statement here are allowed to be general non-signaling boxes. Furthermore, we will show in the next section that an adversary who has access to arbitrary non-signaling extensions of \(\tau _{AB|XY}\) can actually be strictly better at distinguishing channels than an adversary who has only access to collective attack boxes. Hence, Theorem 15 does not immediately yield security against coherent attacks from security against collective attacks —still, since it does allow a “partial” reduction to the latter (namely, allowing us to focus on extensions of a quantum de Finetti box \(\tau _{AB|XY}\)), it may still simplify DIQKD security proofs.

We also remark that for our second de Finetti theorem (Theorem 11), we currently do not have in mind an explicit application of it in DIQKD security proofs. Still, we presented it in this work in case it has applications in other contexts—for instance, it might be useful in proving properties that only depend on the box \(P_{AB|XY}\) itself, rather than involving its extensions as in DIQKD security proofs. It is also more similar to the original de Finetti theorem for classical random variables, or the early versions for quantum states developed in, e.g., [14].

4 Difficulties in Bounding the Diamond Distance by Restriction to Collective Attacks

Theorem 15 shows that to bound the diamond distance between two channels \(\mathcal {E}\) and \(\mathcal {F}\) it is sufficient to restrict the attacker to non-signaling extensions of a fixed de Finetti box. There are many desirable strengthenings of this result: For example, one could restrict the attacker only to quantum extensions of the de Finetti box. One could also further restrict the attacker to use only quantum extensions of iid boxes, instead of the fixed de Finetti box. Finally, one could also restrict the attacker to collective attack boxes (defined below), as would be desirable to conclude security against coherent attacks directly from security against collective attacks. In this section, we will see that a theorem like Theorem 15 does not hold for this strongest restriction; more precisely, we show that it is impossible for the bound (59) to hold if the supremum is instead restricted to collective attack boxes (which we define later below). It remains open whether such a theorem holds for one of the other strengthenings mentioned above, or whether a reduction to collective attacks in a somewhat different form is possible. (We note that the answers to these questions do not straightforwardly follow from existing no-go theorems on non-signaling privacy amplification [38, 39], since in our result \(\tau _{AB|XY}\) is restricted to a convex combination of quantum distributions rather than non-signaling distributions.)

We start by defining the boxes that an attacker is allowed to use in collective attacks. While there is potentially some flexibility in defining this, here we use a definition that essentially corresponds to the boxes considered in the security proofs of [5, 10], up to a collective measurement on Eve’s side information:

Definition 16

An n-round quantum box \(P_{ABE|XYZ}\) is a collective attack box if there are

  • single-round Hilbert spaces \(\mathcal {H}_A\) and \(\mathcal {H}_B\) for Alice and Bob and a Hilbert space \(\mathcal {H}_E\) for Eve and

  • a state \(\rho _{ABE} \in \textrm{End}\left( \mathcal {H}_A^{\otimes n} \otimes \mathcal {H}_B^{\otimes n} \otimes \mathcal {H}_E\right) \) such that the marginal \(\rho _{AB}\) is iid and

  • for each x a POVM \(\{E^{a,x} \in \textrm{End}(\mathcal {H}_A)|a\}\) on \(\mathcal {H}_A\), for each y a POVM \(\{F^{b,y} \in \textrm{End}(\mathcal {H}_B)|b\}\) on \(\mathcal {H}_B\) and for each z a POVM \(\{G^{e,z} \in \textrm{End}(\mathcal {H}_E)|e\}\) on \(\mathcal {H}_E\)

such that

$$\begin{aligned} P(abe|xyz) = \textrm{tr}\left[ \rho _{ABE} \left( E^{a_1,x_1} \otimes \ldots \otimes E^{a_n,x_n} \otimes F^{b_1,y_1} \otimes \ldots \otimes F^{b_n,y_n} \otimes G^{e,z} \right) \right] .\nonumber \\ \end{aligned}$$
(64)

We remark on two aspects of the above definition. Firstly, note that we assume the Hilbert spaces of Alice and Bob can be split into n rounds, but assume no internal structure of Eve’s Hilbert space. However, since the state \(\rho _{AB}\) is iid and thus has an iid purification, the state \(\rho _{ABE}\) is related by a local operation on Eve’s system to this iid purification. Since we assume nothing about \(G^{e,z}\) except that it is a valid POVM, we can absorb this local operation into \(G^{e,z}\) and thus describe any collective attack box also with a state \(\rho _{ABE}\) that is iid. Collective attack boxes can thus be seen as boxes that are essentially iid, up to Eve performing a local operation on her systems followed by a joint measurement. Secondly, the fact that the definition inherently incorporates this measurement means that Eve’s system is forced to be a box rather than a genuine quantum state. However, for the purposes of computing diamond distance, this in fact does not make a difference (as long as arbitrary POVMs \(G^{e,z}\) are allowed in the definition)—observe that the process of a distinguisher producing a guess for the channel can be described as it performing a POVM on its systems, and the optimal such POVM essentially induces a valid choice of \(G^{e,z}\) in the above definition.

A crucial observation on collective attack boxes is the following: Consider the box \(P^{e,z}_{AB|XY}\) which described the outcomes of Alice and Bob conditioned on Eve inputting z and getting outcome e. It is given by

$$\begin{aligned} P^{e,z}_{AB|XY}(ab|xy)&= \frac{P_{ABE|XYZ}(abe|xyz)}{P_{E|Z}(e|z)} \nonumber \\&= \textrm{tr}\left[ \rho ^{e,z}_{AB} \left( E^{a_1,x_1} \otimes \ldots \otimes E^{a_n,x_n} \otimes F^{b_1,y_1} \otimes \ldots \otimes F^{b_n,y_n} \right) \right] \end{aligned}$$
(65)

where \(\rho ^{e,z}_{AB}\) is a valid state,

$$\begin{aligned} \rho ^{e,z}_{AB} = \frac{\textrm{tr}_E\left[ \rho _{ABE}\left( \textrm{id}_A\otimes \textrm{id}_B\otimes G^{e,z}\right) \right] }{\textrm{tr}\left[ \rho _{ABE}\left( \textrm{id}_A\otimes \textrm{id}_B\otimes G^{e,z}\right) \right] }. \end{aligned}$$
(66)

Because \(\sum _a E^{a,x} = \sum _b F^{b,y} = \textrm{id}\), we see that \(P^{e,z}_{AB|XY}\) is not only non-signaling between Alice and Bob, but also between the individual rounds. This means that for example \(\sum _{a_1} P^{e,z}_{AB|XY}(a_1a_2\ldots a_nb|xy)\) does not depend on \(x_1\).

The following main result of this section exploits this insight:

Theorem 17

For each \(n>1\), there exist two channels \(\mathcal {E}\) and \(\mathcal {F}\) acting on n-round boxes of the form \(P_{AB|XY}\) such that \(||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(P_{ABE|XYZ})|| = 0\) for all collective attack boxes \(P_{ABE|XYZ}\), but \(||\mathcal {E}-\mathcal {F}||_\Diamond ^{\textrm{quantum,CHSH}} \ne 0\).

Theorem 17 shows that a statement like Theorem 15 cannot hold if we maximize only over collective attack boxes instead of all non-signaling extensions of the fixed de Finetti box (not even for, say, an exponential prefactor instead of \((n+1)^2\)). This shows that an attacker who has access to any non-signaling extension of the fixed de Finetti box is stronger than an attacker who has only access to collective attack boxes.

In the proof of Theorem 17, we will use that all collective attack boxes are non-signaling between the rounds of Alice and Bob, and that the non-signaling condition is linear. The following lemma will be crucial. It states that for each linear subspace of the probability distributions on some set, there are two channels (which act on probability distributions, not yet on boxes) that cannot be distinguished by any probability distribution in the linear subspace:

Lemma 18

Let \(\mathcal {X}\) be some finite set. We treat the unnormalized probability distributions on \(\mathcal {X}\) as an orthant of an \(|\mathcal {X}|\)-dimensional real vector space. Let \(\mathcal {P}\) be some linear subspace in this vector space, and \(Q = (Q(x))_{x\in \mathcal {X}} \not \in \mathcal {P}\). Then there are two conditional probability distributions \(P^\mathcal {E}_{R|X}\) and \(P^\mathcal {F}_{R|X}\) such that the following holds: Denote for a probability distribution P on \(\mathcal {X}\) by \(\mathcal {E}(P)\) and \(\mathcal {F}(P)\) the distributions on \(\mathcal {R}\) which are obtained by first sampling x using P and the sampling r using \(P^\mathcal {E}_{R|X}\) and \(P^\mathcal {F}_{R|X}\), i.e., \(\mathcal {E}(P)(r)=\sum _x P(x)P^\mathcal {E}(r|x)\). Then

$$\begin{aligned} \mathcal {E}(P)=\mathcal {F}(P) \end{aligned}$$
(67)

for all \(P \in \mathcal {P}\) and

$$\begin{aligned} \mathcal {E}(Q) \ne \mathcal {F}(Q). \end{aligned}$$
(68)

Proof

There exists a vector \(\Delta = (\Delta _x)_{x\in \mathcal {X}}\) with \(|\Delta _x| \le 1\) for all x and \(\Delta \cdot P = 0\) for all \(P \in \mathcal {P}\) and \(\Delta \cdot Q \ne 0\). Take \(\mathcal {R}= \{0,1\}\) and

$$\begin{aligned} P^\mathcal {E}(0|x)&= \frac{1+\Delta _x}{2} \end{aligned}$$
(69)
$$\begin{aligned} P^\mathcal {E}(1|x)&= \frac{1-\Delta _x}{2} \end{aligned}$$
(70)
$$\begin{aligned} P^\mathcal {F}(0|x)&= \frac{1-\Delta _x}{2} \end{aligned}$$
(71)
$$\begin{aligned} P^\mathcal {F}(1|x)&= \frac{1+\Delta _x}{2}. \end{aligned}$$
(72)

Then for P any probability distribution on \(\mathcal {X}\)

$$\begin{aligned} ||\mathcal {E}(P)-\mathcal {F}(P)||_1&= \sum _r \left| \sum _x P(x) (P^\mathcal {E}(r|x) - P^\mathcal {F}(r|x)) \right| \nonumber \\&= |P\cdot \Delta | + |P \cdot (-\Delta )|\nonumber \\&= 2|P\cdot \Delta |. \end{aligned}$$
(73)

Hence, for all \(P \in \mathcal {P}\)

$$\begin{aligned} ||\mathcal {E}(P)-\mathcal {F}(P)||_1=0 \end{aligned}$$
(74)

and

$$\begin{aligned} ||\mathcal {E}(Q)-\mathcal {F}(Q)||_1\ne 0. \end{aligned}$$
(75)

\(\square \)

We will now construct two channels \(\mathcal {E}\) and \(\mathcal {F}\) that act on boxes \(P_{A|X}\) (i.e., we consider only Alice) that cannot be distinguished by any collective attack box, but that can be distinguished by a certain quantum box that is not a collective attack box. We will then see how to modify this construction to include Bob and to ensure that the box used to distinguish both channels has CHSH symmetry on the marginal of Alice and Bob.

Lemma 19

For each \(n>1\), there are two channels \(\mathcal {E}\) and \(\mathcal {F}\) that act on n-round boxes \(P_{AE|XZ}\) such that \(||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(P_{AE|XZ})|| = 0\) for all collective attack boxes \(P_{AE|XZ}\), but \(||\mathcal {E}-\mathcal {F}||_\Diamond ^{\textrm{quantum,CHSH}} \ne 0\)

Proof

We first construct the channels \(\mathcal {E}\) and \(\mathcal {F}\), then show that Eve cannot distinguish them if she is restricted to collective attack boxes, and finally show that there is a quantum box (naturally not a collective attack box) that can be used to distinguish both channels. We construct the channels \(\mathcal {E}\) and \(\mathcal {F}\) as follows, depending on a parameter \(m>n/2\). For both channels, Alice does the following steps:

  1. 1.

    She enters uniformly random inputs \(x_1,\ldots ,x_n\) into the inputs of her box.

  2. 2.

    She collects the outputs \(a_1,\ldots ,a_n\).

  3. 3.

    She calculates

    $$\begin{aligned} t = \sum _{i=1}^m x_i \end{aligned}$$
    (76)

    and

    $$\begin{aligned} w = \sum _{i=m+1}^n a_i. \end{aligned}$$
    (77)

Now consider the linear subspace \(\mathcal {P}\) of probability distributions on the (wt) given by the linear constraints

$$\begin{aligned} \frac{P(w,t)}{2^{-m}\left( {\begin{array}{c}m\\ t\end{array}}\right) } = \frac{P(w,t')}{2^{-m}\left( {\begin{array}{c}m\\ t'\end{array}}\right) } \end{aligned}$$
(78)

for all \(w,t,t'\) and take a \(Q \not \in \mathcal {P}\) (a specific Q will be constructed below). Alice constructs the channels \(\mathcal {E}\) and \(\mathcal {F}\) by applying the conditional probability distributions \(P^\mathcal {E}_{R|WT}\) and \(P^\mathcal {F}_{R|WT}\) from Lemma 18 to her result (wt) from step 3.

Now we prove that Eve cannot distinguish \(\mathcal {E}\) and \(\mathcal {F}\) if she uses a collective attack box \(P_{AE|XZ}\). For this, we use that for all e and z \(P^{e,z}_{A|X}\) is non-signaling between the rounds of Alice. In particular, the outputs of the rounds \(m+1,\ldots n\) cannot depend on the inputs in the rounds \(1,\ldots ,m\), so W and T are independent when generated using \(P^{e,z}_{A|X}\). Hence,

$$\begin{aligned} \frac{P^{e,z}_{WT}(wt)}{{2^{-m}\left( {\begin{array}{c}m\\ t\end{array}}\right) } } = P^{e,z}_{W|T}(w|t) = P^{e,z}_{W|T}(w|t') = \frac{P^{e,z}_{WT}(wt')}{{2^{-m}\left( {\begin{array}{c}m\\ t'\end{array}}\right) } } \end{aligned}$$
(79)

The box \(P^{e,z}\) therefore satisfies Eq. (78), and hence, \(||(\mathcal {E}-\mathcal {F})(P^{e,z}_{A|X})||=0\) by Lemma 18. Since this holds for all e and z, we have also \(||(\mathcal {E}-\mathcal {F})\otimes \textrm{id}(P_{AE|XZ})|| = 0\).

Finally we construct a box \(Q_{A|X}\) that allows Eve to distinguish the channels \(\mathcal {E}\) and \(\mathcal {F}\) with a nonzero advantage over guessing. Notice that here Eve does not keep any system (neither quantum not classical) for herself and can distinguish the channels only from their result R. \(Q_{A|X}\) can then be an arbitrary conditional probability distribution. Take \(Q_{A|X}\) such that the result is surely \(a=(1,1,\ldots ,1)\) if \(\sum _{i} x_i > n/2\) and surely \(a=(0,0,\ldots ,0)\) otherwise. Then if \(t > n/2\),

$$\begin{aligned} \frac{Q_{WT}(n-m,t)}{2^{-m}\left( {\begin{array}{c}m\\ t\end{array}}\right) } = Q_{W|T}(n-m|t) = 1, \end{aligned}$$
(80)

and if \(t < m-n/2\),

$$\begin{aligned} \frac{Q_{WT}(n-m,t)}{2^{-m}\left( {\begin{array}{c}m\\ t\end{array}}\right) } = Q_{W|T}(n-m|t) = 0 \end{aligned}$$
(81)

so Eq. (78) does not hold. \(\square \)

Now we can adapt the statement of Lemma 19 to prove Theorem 17.

Proof of Theorem 17

First we generalize the construction in Lemma 19 to boxes for which also Bob has an input, i.e., boxes of the form \(P_{AB|XY}\). For this, we take the channels \(\mathcal {E}\) and \(\mathcal {F}\) such that they act like in Lemma 19 on Alice’s inputs and outputs, and give an arbitrary input Y and ignore the output B for Bob. Clearly, both channels still cannot be distinguished with collective attack boxes, but can be distinguished by a box \(Q_{AB|XY}\), which acts like the box \(Q_{A|X}\) from Lemma 19 on A and X and arbitrarily on B and Y. However, \(Q_{AB|XY}\) does not have CHSH symmetry. Using the depolarizing procedure in [32], we can construct a box \(\tilde{Q}_{ABE|XY}\) such that the marginal \(\tilde{Q}_{AB|XY}\) has CHSH symmetry and there is an output \(e^*\) for Eve (corresponding to the case in which the depolarizing protocol does nothing), such that \(\tilde{Q}^{e^*}_{AB|XY} = Q_{AB|XY}\). Then to distinguish \(\mathcal {E}\) and \(\mathcal {F}\) using \(\tilde{Q}_{ABE|XY}\) Eve first checks E. If \(E=e^*\), she distinguishes \(\mathcal {E}\) and \(\mathcal {F}\) as in Lemma 19; otherwise, she just guesses randomly. Because the probability that \(E=e^*\) is nonzero, we have \(\left\Vert (\mathcal {E}-\mathcal {F})\otimes \textrm{id}(\tilde{Q}_{ABE|XY})\right\Vert > 0\). \(\square \)

Several remarks are in order. Firstly, the diamond norm \(||\mathcal {E}-\mathcal {F}||_\Diamond ^{\textrm{quantum,CHSH}}\) between the channels \(\mathcal {E}\) and \(\mathcal {F}\) from Theorem 17 is exponentially small in n, because Eve only tries to distinguish \(\mathcal {E}\) and \(\mathcal {F}\) in the case when the depolarizing protocol does nothing. This means that while a theorem in the same form as Theorem 15 cannot hold for collective attack boxes, it is entirely possible that there is, for example, a theorem that yields a bound of the form

$$\begin{aligned} ||\mathcal {E}-\mathcal {F}||_\Diamond ^{\textrm{quantum,CHSH}} \le f(n) \sup _{P_{ABE|XYZ}} \left\Vert (\mathcal {E}-\mathcal {F})\otimes \textrm{id}(P_{ABE|XYZ})\right\Vert + g(n),\nonumber \\ \end{aligned}$$
(82)

where \(g(n)\rightarrow 0\) as \(n\rightarrow \infty \). Such a result could be sufficient to allow security proof reductions to collective attacks.

Secondly, the results of this section relied only on the fact that collective attack boxes are non-signaling between the rounds. This property arose entirely from the fact that Alice and Bob’s measurements act on different Hilbert spaces in different rounds, and hence also hold more generally, i.e., even if the measurements in each round are different, or the states are entangled across rounds. This seems to suggest that in DIQKD, imposing an assumption that different rounds have different Hilbert spaces may already be a fairly strong restriction by itself,Footnote 3 even if we allow many other non-iid behaviors across states in different rounds, such as classical correlations or even entanglement. (In fact, security proof reductions to the iid case under this assumption were indeed previously studied in [40, 41], though the latter was restricted to one-way protocols.) Whether this assumption seems reasonable may depend on the protocol—for instance, it seems unsatisfactory if each honest party has to use a single device for all inputs/outputs (as in [8], which used the EAT to avoid this assumption for one-way protocols), but if each honest party has access to n devices that are “well isolated” from each other, it might be more plausible.

Thirdly, we remark that all sequential DIQKD protocols naturally fulfill a certain form of non-signaling constraints between the individual rounds of Alice and Bob: Alice and Bob’s inputs in one round cannot influence the outputs in preceding rounds. Theorem 17 does not rule out that a result like Theorem 15 exists for channels with such a sequential structure. However, preserving such a sequential structure for the purposes of a security proof appears rather incompatible with permutation symmetry, so exploiting such sequential structures might require different techniques from those used in this paper.

5 Conclusion

In this paper, we proved two de Finetti theorems for quantum conditional probability distributions with CHSH symmetry. The advantage of these theorems over similar de Finetti theorems [16, 17] is that the de Finetti boxes are in the quantum set. The first de Finetti theorem states that the entries of a CHSH symmetric box are upper bounded, up to a polynomial factor in n, by the entries of a fixed de Finetti box. This theorem is actually not restricted to boxes with CHSH symmetry but can be applied to arbitrary symmetries if a corresponding threshold theorem is available. The second de Finetti theorem states that the marginal of the first k rounds of an n round CHSH symmetric box is close to (and not just upper bounded by) a de Finetti box.

We further showed that the first de Finetti theorem can be used to obtain a bound on the diamond distance between two channels acting on boxes. Specifically, an attacker who tries to distinguish two channels \(\mathcal {E}\) and \(\mathcal {F}\) can be restricted to non-signaling extensions of a fixed quantum de Finetti box without decreasing the distinguishability between both channels by more than a polynomial factor. Because the security of DIQKD protocols is defined in terms of the distance between the channel given by the protocol and an ideal channel, this statement might be useful in security proofs. However, our theorem does not immediately allow to conclude security against coherent attacks from security against collective attacks: A straightforward strengthening of it to bound the diamond distance between two channels by the distinguishability using collective attack boxes does not hold. Based on some insights in our proof approach, we speculate that in DIQKD, assuming that boxes in different rounds act on different Hilbert spaces may already be a fairly strong constraint, even if we allow correlations or entanglement between states in different rounds.