1 Introduction

1.1 Quantum key distribution and the RRDPS scheme

Quantum-physical information processing is different from classical information processing in several remarkable ways. Performing a measurement on an unknown quantum state typically destroys information; it is impossible to clone an unknown state by unitary evolution [1]; quantum entanglement is a form of correlation between subsystems that does not exist in classical physics. Numerous ways have been devised to exploit these quantum properties for security purposes [2]. By far, the most popular and well-studied type of protocol is quantum key distribution (QKD). QKD was first proposed in a famous paper by Bennett and Brassard [3]. Given that Alice and Bob have a way to authenticate classical messages to each other (typically a short key) and that there is a quantum channel from Alice to Bob, QKD allows them to create a random key of arbitrary length about which Eve knows practically nothing. BB84 works with two conjugate bases in a two-dimensional Hilbert space. Many QKD variants have since been described in the literature [4,5,6,7,8,9], using, e.g. different sets of qubit states, EPR pairs, qudits instead of qubits or continuous variables. Furthermore, various proof techniques have been developed [10,11,12,13].

In 2014, Sasaki et al. [14] introduced round-robin differential phase shift (RRDPS), a QKD scheme based on d-dimensional qudits. It has the advantage that it is very noise resilient while being easy to implement using photon pulse trains and interference measurements. One of the interesting aspects of RRDPS is that it is possible to omit the monitoring of signal disturbance. Even at high disturbance, Eve can obtain little information \(I_{\mathrm{AE}}\) about Alice’s secret bit. The value of \(I_{\mathrm{AE}}\) determines how much privacy amplification is needed. As a result of this, the maximum possible QKD rate (the number of actual key bits conveyed per quantum state) is \(1-h(\beta )-I_{\mathrm{AE}}\), where h is the binary entropy function and \(\beta \) the bit error rate.

1.2 Prior work on the security of RRDPS

The security of RRDPS has been discussed in a number of papers [14,15,16,17]. The original RRDPS paper gives an asymptotic upper bound for the privacy amplification,

$$\begin{aligned} I_{\mathrm{AE}}\le h\left( \frac{1}{d-1}\right) \end{aligned}$$
(1)

(Eq. 5 in [14] with photon number set to 1). The security analysis in [14] is based on the Shor–Preskill proof technique [11] and an estimate of the phase error. It is not known how tight the bound (1) is. Ref. [15] follows [14] and does a more accurate computation of the phase error rate, tightening the \(1/(d-1)\) in (1) to \(1/d\). In [16], Sasaki and Koashi add noise dependence to their analysis and claim a bound

$$\begin{aligned} I_{\mathrm{AE}}\le h\left( \frac{2\beta }{d-2}\right) \quad \quad \text{ for } \beta \le \frac{1}{2}\cdot \frac{d-2}{d-1} \end{aligned}$$
(2)

and \(I_{\mathrm{AE}}\le h({\textstyle \frac{1}{d-1}})\) for \(\beta \in [{\textstyle \frac{1}{2}}\cdot {\textstyle \frac{d-2}{d-1}},{\textstyle \frac{1}{2}}]\) (see Sect. 5). The analysis in [17] considers only intercept–resend attacks and hence puts a lower bound on Eve’s potential knowledge, \(I_{\mathrm{AE}}\ge 1-h({\textstyle \frac{1}{2}}+{\textstyle \frac{1}{d}})={{\mathcal {O}}}(1/d^2)\).

1.3 Contributions and outline

In this paper, we give a security proof of RRDPS. We give a bound on the required amount of privacy amplification. We use a proof technique inspired by [11, 13] and [10]. We consider the case where Alice and Bob do monitor the channel (i.e. they are able to tune the amount of privacy amplification (PA) as a function of the observed bit error rate) as well as the saturated regime where the leakage does not depend on the amount of noise.

  • We show that the RRDPS protocol is equivalent to a protocol that contains an additional randomization step by Alice and Bob. The randomization consists of phase flips and a permutation of the basis states. We construct an EPR variant of RRDPS with randomization; it is equivalent to RRDPS if Alice creates the EPR pair and immediately does her measurement. The effect of the randomization is that Alice and Bob’s entangled state after Eve’s attack on the EPR pair is symmetrized and can be described using just three real degrees of freedom.

  • We identify Eve’s optimal way of coupling an ancilla to an EPR qudit pair under the constraint that the bit error rate between Alice and Bob does not exceed some value \(\beta \).

  • We consider an attack where Eve applies the above coupling to each EPR qudit pair individually. We compute an upper bound on the statistical distance (after PA) of the full QKD key from uniformity, conditioned on Eve’s ancilla states. From this, we derive how much privacy amplification is needed. The result does not depend on the way in which Eve uses her ancillas, i.e. she may apply a postponed coherent measurement on the whole system of ancillas.

  • We go from qudit-wise attacks to general attacks by using the post-selection technique. This inflicts a penalty \((d^4-1)\log (n+1)\) on the amount of privacy amplification.

  • We compute the von Neumann mutual information between one ancilla state and Alice’s secret bit. This provides a bound on the PA in the asymptotic (long key) regime [12]. Our result is sharper than [14].

  • We provide a number of additional results by way of supplementary information. (i) We show that Eve’s ancilla coupling can be written as a unitary operation on the Bob–Eve system. This means that the attack can be executed even if Eve has no access to Alice’s qudit; this is important especially in the reduction from the EPR version to the original RRDPS. (ii) We compute the min-entropy of one secret bit given the corresponding ancilla. (iii) We compute the accessible information (mutual Shannon entropy) of one secret bit given the corresponding ancilla. These results give some insight into simple attacks that Eve can launch against individual qudits.

In Sect. 2, we introduce notation and post-selection. In Sect. 3, we briefly summarize the RRDPS scheme and discuss the attacker model. Section 4 states the main result: The amount of privacy amplification needed for RRDPS to be secure, (i) at finite key length and (ii) asymptotically. Section 5 compares our results to previous bounds. The remainder of the paper builds towards the proof of the main results. In Sect. 6, we show that the randomization step does not modify RRDPS and we introduce the EPR version of the protocol. In Sect. 7, we impose the constraint that Eve’s actions must not cause a bit error rate higher than \(\beta \), and determine which mixed states of the Alice–Bob system are still allowed. There are only two scalar degrees of freedom left, which we denote as \(\mu \) and V. In Sect. 8, we do the purification of the Alice–Bob mixed state, thus obtaining an expression for the state of Eve’s ancilla. Although the ancilla space has dimension \(d^2\), we show that only a four-dimensional subspace is relevant for the analysis. In Sect. 9, we prove the non-asymptotic main result by deriving an upper bound on the statistical distance between the distribution of the QKD key and the uniform distribution, conditioned on Eve’s ancillas. In Sect. 10, we prove the asymptotic result by computing Eve’s knowledge in terms of von Neumann entropy. “Appendix” provides supplementary information about the leakage in terms of min-entropy loss and accessible information.

2 Preliminaries

2.1 Notation and terminology

Classical random variables (RVs) are denoted with capital letters and their realizations with lowercase letters. The probability that a RV X takes value x is written as \(\mathrm{Pr}[X=x]\). The expectation with respect to RV X is denoted as \({{\mathbb {E}}}_x f(x)=\sum _{x\in {{\mathcal {X}}}}\mathrm{Pr}[X=x]f(x)\). The constrained sum \(\sum _{t,t':t\ne t'}\) is abbreviated as \(\sum _{[tt']}\) and \({{\mathbb {E}}}_{u,v:u\ne v}\) as \({{\mathbb {E}}}_{[uv]}\). The Shannon entropy of X is written as \(\mathsf{H}(X)\). Sets are denoted in calligraphic font. The notation ‘\(\log \)’ stands for the logarithm with base 2. The min-entropy of \(X\in {{\mathcal {X}}}\) is \(\mathsf{H}_{\mathrm{min}}(X)=-\log \max _{x\in {{\mathcal {X}}}}\mathrm{Pr}[X=x]\), and the conditional min-entropy is \(\mathsf{H}_{\mathrm{min}}(X|Y)=-\log {{\mathbb {E}}}_y \max _{x\in {{\mathcal {X}}}}\mathrm{Pr}[X=x|Y=y]\). The notation h stands for the binary entropy function \(h(p)=p\log {\textstyle \frac{1}{p}}+(1-p)\log {\textstyle \frac{1}{1-p}}\). Bitwise XOR of binary strings is written as ‘\(\oplus \)’. The Kronecker delta is denoted as \(\delta _{ab}\). For quantum states, we use Dirac notation. The notation ‘tr’ stands for trace. The Hermitian conjugate of an operator A is written as \(A^{\dag }\). When A is a complicated expression, we sometimes write \((A+\mathrm{h.c.})\) instead of \(A+A^{\dag }\). The complex conjugate of z is denoted as \(z^*\). We use the positive operator valued measure (POVM) formalism. A POVM \({{\mathcal {M}}}\) consists of positive semidefinite operators, \({{\mathcal {M}}}=(M_x)_{x\in {{\mathcal {X}}}}\), \(M_x\ge 0\), and satisfies the condition \(\sum _x M_x={\mathbb {1}}\). The trace norm of A is \(\Vert A\Vert _1=\mathrm{tr}\,\sqrt{A^{\dag }A}\). 
The trace distance between matrices \(\rho \) and \(\sigma \) is denoted as \(D(\rho ,\sigma )=\frac{1}{2} \left\| \rho -\sigma \right\| _1\); it is a generalization of the statistical distance and represents the maximum possible advantage one can have in distinguishing \(\rho \) from \(\sigma \). The von Neumann entropy of a mixed state \(\rho \) is denoted as \(S(\rho )\) and equals \(-\mathrm{tr}\,\rho \log \rho \).

Consider a bipartite system ‘XE’ where X is a uniform classical random variable and Eve’s part ‘E’ depends on X. The combined quantum-classical state is \(\rho ^{\mathrm{XE}}={{\mathbb {E}}}_x | x \rangle \langle x |\otimes \rho ^{\mathrm{E}}(x)\). The individual parts are in state \(\rho ^{\mathrm{X}}={{\mathbb {E}}}_x| x \rangle \langle x |\) and \(\rho ^{\mathrm{E}}={{\mathbb {E}}}_x\rho ^{\mathrm{E}}(x)\), respectively. The statistical distance between X and a uniform variable given \(\rho (X)\) is a measure of the security of X given \(\rho \). This distance is given by [18]

$$\begin{aligned} {{\mathcal {D}}}(X|\rho ^{\mathrm{E}}(X)){\mathop {=}\limits ^{\mathrm{def}}}D\big ( \rho ^{\mathrm{XE}},\; \rho ^{\mathrm{X}}\otimes \rho ^{\mathrm{E}} \big ) ={\textstyle \frac{1}{2}}\Vert \rho ^{\mathrm{XE}} - \rho ^{\mathrm{X}}\otimes \rho ^{\mathrm{E}}\Vert _1 , \end{aligned}$$
(3)

i.e. the distance between the true quantum-classical state and a state in which Eve’s part is decoupled from X. If the distance is \(\varepsilon \), then it is said that X is \(\varepsilon \)-secure. Statements like (3) that are stated in terms of statistical distance have the advantage of being universally composable [18]. The term privacy amplification is abbreviated as PA.

2.2 Post-selection

In a collective attack, Eve acts on individual qudits. This is not the most general attack. For protocols that obey permutation symmetry, a post-selection argument [19] can be used to show that \(\varepsilon \)-security against collective attacks implies \(\varepsilon '\)-security against general attacks, with \(\varepsilon '=\varepsilon (n+1)^{d^4-1}\), where d is the dimension of the qudit space. Hence, by paying a price in terms of privacy amplification, e.g. changing the usual privacy amplification term \(2\log {\textstyle \frac{1}{\varepsilon }}\) to \(2\log {\textstyle \frac{1}{\varepsilon }}+2(d^4-1)\log (n+1)\), one can ‘buy’ security against general attacks.

3 The RRDPS scheme

We briefly review the RRDPS scheme [14]. For proof-technical reasons, we explicitly include a channel monitoring procedure (step 4); our proof technique needs this step in the non-saturated regime. Step 4 can be omitted if Alice and Bob decide to perform privacy amplification as if Eve causes 50% noise in every qudit.

3.1 The RRDPS protocol

The dimension of the qudit space is d. The basis states are denoted as \(| t \rangle \), with time indices \(t\in \{0,\ldots ,d-1\}\). Whenever we use notation ‘\(t_1+t_2\)’, it should be understood that the addition of time indices is modulo d. The number of qudits is denoted as n. We introduce a system parameter L denoting a list length and system parameters \({\tilde{\beta }}\in [0,{\textstyle \frac{1}{2}}]\), \(\eta \ll 1\) related to the tolerated noise level. The RRDPS scheme consists of the following steps.

  1.

    Alice generates a random bitstring \(a\in \{0,1\} ^d\). She prepares the single-photon state

    $$\begin{aligned} | \mu _a \rangle {\mathop {=}\limits ^{\mathrm{def}}}\frac{1}{\sqrt{d}}\sum _{t=0}^{d-1}(-1)^{a_t}| t \rangle \end{aligned}$$
    (4)

    and sends it to Bob.

  2.

    Bob chooses a random integer \(r\in \{1,\ldots ,d-1\}\). Bob performs a POVM measurement \({{\mathcal {M}}}^{(r)}\) described by a set of 2d operators \((M^{(r)}_{ks})_{k\in \{0,\ldots ,d-1\},s\in \{0,1\} }\),

    $$\begin{aligned} M^{(r)}_{ks} = \frac{1}{2}| {\varPsi }^{(r)}_{ks} \rangle \langle {\varPsi }^{(r)}_{ks} |&\quad \quad \quad | {\varPsi }^{(r)}_{ks} \rangle = \frac{| k \rangle +(-1)^s| k+r \rangle }{\sqrt{2}}. \end{aligned}$$
    (5)

    The result of the measurement \({{\mathcal {M}}}^{(r)}\) on \(| \mu _a \rangle \) is an integer \(k\in \{0,\ldots ,d-1\}\) and a bit s which equals \(a_k\oplus a_{k+r}\) if there is no noise/interference.

  3.

    Bob announces k and r over a public but authenticated channel. Alice computes \(s'=a_k\oplus a_{k+r}\). Alice and Bob now have a shared secret bit s.

Steps 1–3 are repeated N times.

  4.

    Alice selects a random subset \({{\mathcal {L}}}\subset [N]\), with \(|{{\mathcal {L}}}|=L\). For the rounds indicated by \({{\mathcal {L}}}\), Alice and Bob publicly compare their values of \(s'\) and s. They continue the protocol only if the number of occurrences \(s\ne s'\) is smaller than \({\tilde{\beta }} L\).

  5.

    Finally, on the remaining \(n=N-L\) bits Alice and Bob carry out the standard procedures of information reconciliation and privacy amplification. After PA, the size of the key is \(\ell \) bits.

If step 4 is not performed, Alice and Bob have to assume that Eve learns as much as when causing bit error rate \({\textstyle \frac{1}{2}}\). This mode of operation (without monitoring) was proposed in the original RRDPS paper [14].

If Eve causes bit error probability exceeding \(\beta \) (with \(\beta >{\tilde{\beta }}\)), her probability of passing step 4 is exponentially small. Applying the Hoeffding inequality yields an upper bound on the probability of \(\exp [-2L(\beta -{\tilde{\beta }})^2]\). Let \(\eta \ll 1\) be a security parameter. By setting \({\tilde{\beta }}\le \beta -\sqrt{{\textstyle \frac{1}{2L}}\ln {\textstyle \frac{1}{\eta }}}\), we can make sure that an Eve who causes bit error probability exceeding \(\beta \) fails the test except with probability \(\eta \).

In order for \({{\mathcal {L}}}\) to be statistically representative, L needs to be at least of order \(\log \ell \) [20]. We will assume \(L> \log \ell \).

The security of RRDPS is intuitively understood as follows. A measurement in a d-dimensional space cannot extract more than \(\log d\) bits of information. The state \(| \mu _a \rangle \), however, contains \(d-1\) pieces of information, which is a lot more than \(\log d\). Eve can learn only a fraction of the string a embedded in the qudit. Furthermore, what information she has is of limited use, because she cannot force Bob to select specific phases. (i) She cannot force Bob to choose a specific r value. (ii) Even if she feeds Bob a state of the form \(| {\varPsi }^{(r)}_{\ell u} \rangle \), where r accidentally equals Bob’s r, then there is a 50% probability that Bob’s measurement \({{\mathcal {M}}}^{(r)}\) yields \(k\ne \ell \) with random s.
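The following added example (not code from the paper) simulates steps 1 and 2 with real amplitude vectors: it checks that \({{\mathcal {M}}}^{(r)}\) of Eq. (5) is a valid POVM, that without noise Bob's bit always equals \(a_k\oplus a_{k+r}\), and it reproduces point (ii) above for a state \(| {\varPsi }^{(r)}_{\ell u} \rangle \) fed in by Eve. The function names and the toy dimension d = 5 are assumptions made for the illustration.

```python
import itertools
import math

def mu_state(a):
    """Amplitudes of |mu_a> = d^(-1/2) sum_t (-1)^(a_t) |t>   (Eq. 4)."""
    d = len(a)
    return [(-1) ** bit / math.sqrt(d) for bit in a]

def psi(d, r, k, s):
    """Amplitudes of |Psi^(r)_ks> = (|k> + (-1)^s |k+r>) / sqrt(2)   (Eq. 5)."""
    v = [0.0] * d
    v[k] += 1 / math.sqrt(2)
    v[(k + r) % d] += (-1) ** s / math.sqrt(2)
    return v

def outcome_probs(state, r):
    """Pr[k, s] = <state| M^(r)_ks |state> = (1/2) <Psi^(r)_ks|state>^2.
    All amplitudes in this example are real, so no conjugation is needed."""
    d = len(state)
    probs = {}
    for k in range(d):
        for s in (0, 1):
            overlap = sum(x * y for x, y in zip(psi(d, r, k, s), state))
            probs[(k, s)] = 0.5 * overlap ** 2
    return probs

def povm_deviation(d, r):
    """Largest entry of |sum_{k,s} M^(r)_ks - identity|; 0 means a valid POVM."""
    total = [[0.0] * d for _ in range(d)]
    for k in range(d):
        for s in (0, 1):
            v = psi(d, r, k, s)
            for i in range(d):
                for j in range(d):
                    total[i][j] += 0.5 * v[i] * v[j]
    return max(abs(total[i][j] - (i == j)) for i in range(d) for j in range(d))

def bit_error_rate(state, a, r):
    """Probability that Bob's s differs from Alice's s' = a_k xor a_(k+r)."""
    d = len(a)
    return sum(p for (k, s), p in outcome_probs(state, r).items()
               if s != a[k] ^ a[(k + r) % d])

def max_noiseless_error(d):
    """Worst bit error rate over every a in {0,1}^d and every r, with no Eve."""
    return max(bit_error_rate(mu_state(a), a, r)
               for a in itertools.product((0, 1), repeat=d)
               for r in range(1, d))

if __name__ == "__main__":
    d = 5  # constructed toy dimension
    print("POVM deviation from identity:",
          max(povm_deviation(d, r) for r in range(1, d)))
    print("noiseless worst-case bit error rate:", max_noiseless_error(d))
    # Point (ii) of the text: Eve feeds |Psi^(r)_{l u}> and her r equals Bob's r.
    l, u, r = 1, 1, 2
    probs = outcome_probs(psi(d, r, l, u), r)
    print("Pr[k = l, s = u] =", round(probs[(l, u)], 6))
    print("Pr[k != l]       =",
          round(sum(p for (k, _), p in probs.items() if k != l), 6))
    for k in sorted({(l - r) % d, (l + r) % d}):
        print(f"  k = {k}: Pr[s=0] = {probs[(k, 0)]:.4f}, Pr[s=1] = {probs[(k, 1)]:.4f}")
```

With probability 1/2 Bob reports \(k=\ell \pm r\) instead of \(\ell \), and for those outcomes both values of s are equally likely.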

3.2 Attacker model

There is a quantum channel from Alice to Bob. There is an authenticated but non-confidential classical channel between Alice and Bob. We allow Eve to attack individual qudit positions in any way allowed by the laws of quantum physics, e.g. using unbounded quantum memory, entanglement, lossless operations, arbitrary POVMs, arbitrary unitary operators, etc. All bit errors observed by Alice and Bob are assumed to be caused by Eve. Eve cannot influence the random choices of Alice and Bob, nor the state of their (measurement) devices. There are no side channels. This is the standard attacker model for quantum cryptographic schemes.

We will first analyse attacks in which Eve couples an ancilla to each EPR pair individually. Then, we invoke the post-selection method [19] to cover general attacks.

We will see that the leakage becomes constant when \(\beta \) reaches a saturation point. If Alice and Bob are willing to tolerate such a noise level, then channel monitoring is no longer necessary for determining the leakage; they just assume that the maximum possible leakage occurs. (Monitoring is still necessary to determine which error-correcting code should be applied.)

4 Main results

4.1 Non-asymptotic result

Our first result is a non-asymptotic bound on the secrecy of the QKD key z.

Theorem 1

Let \(\mathbf{r}=(r_1,\ldots ,r_n)\) be the values of the parameter r in n rounds of RRDPS and similarly \(\mathbf{k}=(k_1,\ldots ,k_n)\). Let \(z\in \{0,1\} ^\ell \) be the QKD key derived from the n rounds. Let u be the (public) random seed used in the privacy amplification. Let \(\beta \in [0,{\textstyle \frac{1}{2}}]\). Consider a collective attack such that Eve’s probability of causing a bit flip, averaged per qudit, does not exceed \(\beta \). At given \(\mathbf{r},\mathbf{k}\) let \(\rho ^{\mathrm{ZUE}}(\mathbf{r},\mathbf{k})\) denote the quantum-classical state of the variables ZU and Eve’s subsystem ‘E’, which consists of all n ancillas. The security of Z given R, K, U and Eve’s quantum information can be expressed as

$$\begin{aligned} {\textstyle \frac{1}{2}}\big \Vert \rho ^{\mathrm{ZUE}}(\mathbf{r},\mathbf{k})-\rho ^{\mathrm{Z}}(\mathbf{r},\mathbf{k})\otimes \rho ^{\mathrm{UE}}(\mathbf{r},\mathbf{k}) \big \Vert _1 < {\textstyle \frac{1}{2}}\sqrt{2^{ \ell -n(1-2 \log T) }}, \end{aligned}$$
(6)

where T is given by

$$\begin{aligned}&\beta \le \beta _* : \quad T = 2\beta +\sqrt{1-2\beta }\Big [\sqrt{1-2\beta \frac{d-1}{d-2}}+\frac{\sqrt{2\beta }}{\sqrt{d-2}}\Big ] \end{aligned}$$
(7)
$$\begin{aligned}&\beta \ge \beta _* : \quad T=2\beta _*+\sqrt{1-2\beta _*}\Big [\sqrt{1-2\beta _*\frac{d-1}{d-2}}+\frac{\sqrt{2\beta _*}}{\sqrt{d-2}}\Big ] \end{aligned}$$
(8)

and \(\beta _*\) is a saturation value that depends on d as

$$\begin{aligned} \beta _* = \frac{x_d/2}{1+x_d}, \end{aligned}$$
(9)

where \(x_d\) is the solution on (0, 1) of the equation

$$\begin{aligned}&\left( 1-\frac{x}{d-2}\right) ^{\frac{1}{2}}+ \left( 1+\frac{1}{d-2}\right) \left( 1-\frac{x}{d-2}\right) ^{-\frac{1}{2}} \nonumber \\&\quad +\,\frac{1}{\sqrt{d-2}}\left( \sqrt{x}-\frac{1}{\sqrt{x}}\right) -2=0. \end{aligned}$$
(10)

The proof is given in Sect. 9, after several sections that prepare the ground. Theorem 1 holds for attacks in which Eve couples an ancilla to each individual EPR pair (though she may later act in any way whatsoever on the whole set of n ancillas). As explained in Sect. 2.2, by a post-selection argument security against qudit-wise attacks implies security against general attacks, but with a less favourable security parameter. In the case of general attacks, we have to multiply the right-hand side of (6) by \((n+1)^{d^4-1}\). Hence, in order to obtain \(\varepsilon \)-security we have to set \(\ell =n(1-2\log T)-(d^4-1)\log (n+1)-2\log {\textstyle \frac{1}{\varepsilon }}+2\).

Let Alice and Bob use an error-correcting code with codeword size n and syndrome size \(\sigma \). The information reconciliation leaks \(\sigma \) bits of information (or consumes \(\sigma \) bits of key material, depending on the information reconciliation procedure). It holds that \(\sigma > nh({\tilde{\beta }})\). Asymptotically \({\tilde{\beta }}\rightarrow \beta \) and \(\sigma \rightarrow nh(\beta )\). The QKD key generation rate is \((\ell -\sigma )/N\), where \(N=n+L\) (see Sect. 3.1), with L the number of qubits spent on channel monitoring (if monitoring is performed at all).

$$\begin{aligned} \text{ rate }= & {} \frac{n}{n+L}(1-2\log T)-\frac{\sigma }{n+L} -(d^4-1)\frac{\log (n+1)}{n+L} \nonumber \\&-\frac{2}{n+L}\log \frac{1}{\varepsilon }+\frac{2}{n+L} \end{aligned}$$
(11)
$$\begin{aligned}\ge & {} \left( 1-\frac{L}{n}\right) (1-2\log T)-\frac{\sigma }{n} -(d^4-1)\frac{\log (n+1)}{n}-\frac{2}{n}\log \frac{1}{\varepsilon }. \end{aligned}$$
(12)

The achieved security level is \(\max \{\varepsilon ,\eta \}\), where \(\eta \) is the probability that the number of bit errors is smaller than \({\tilde{\beta }} L\) when Eve causes bit error probability larger than \(\beta \) (see Sect. 3.1). It is advantageous to set \(\eta =\varepsilon \).

4.2 Asymptotic result

For asymptotically large n, it has been shown [21], using the properties of smooth Rényi entropies, that \( \Vert \rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} \Vert _1 \le \sqrt{2^{ \ell - n (1 - I_{\mathrm{AE}})}}, \) where \(I_{\mathrm{AE}}\) is the single-qudit von Neumann information leakage, \(I_{\mathrm{AE}}{\mathop {=}\limits ^{\mathrm{def}}}S(E)-S(E|S')\). Here, ‘E’ stands for Eve’s ancilla state and \(S'\) is Alice’s secret bit.

Our second result is a computation of the von Neumann leakage \(I_{\mathrm{AE}}\) for RRDPS.

Theorem 2

The information leakage about the secret bit \(S'\) given R, K and Eve’s quantum state, in terms of von Neumann entropy, is given by:

$$\begin{aligned}&\beta \le \beta _0 : \quad I_{\mathrm{AE}}= (1-2\beta )h\left( \frac{1}{d-2}\cdot \frac{2\beta }{1-2\beta }\right) \end{aligned}$$
(13)
$$\begin{aligned}&\quad \beta \ge \beta _0 : \quad I_{\mathrm{AE}}=(1-2\beta _0)h\left( \frac{1}{d-2}\cdot \frac{2\beta _0}{1-2\beta _0}\right) . \end{aligned}$$
(14)

Here, \(\beta _0\) is a saturation value (different from \(\beta _*\)) given by

$$\begin{aligned} \beta _0=\frac{1}{2}\Big [1+\frac{1}{(d-2)(1-y_d)}\Big ]^{-1}, \end{aligned}$$
(15)

where \(y_d\) is the unique positive root of the polynomial \(y^{d-1}+y-1\).

The proof is given in Sect. 10. The formulation of our main results in terms of statistical distance ensures that the results are universally composable. In Sect. 10, we will see that Theorem 2 is sharper than (2) and hence allows for a higher QKD key generation rate.

5 Comparison with previous analyses

5.1 Phase error

Sasaki and Koashi [16] provided an upper bound on the PA equal to \(h(e^{\mathrm{ph}})\), where \(e^{\mathrm{ph}}\) is the phase error rate. They derived a relation between the phase error rate and the bit error rate, \(e^{\mathrm{ph}}\le \inf _{\lambda \ge 0}[\lambda \beta +\max \{{\varOmega }_-(\nu ,\lambda ),{\varOmega }_+(\nu ,\lambda ) \}]\), where \(\nu \) is the photon number and \({\varOmega }_\pm \) are functions which for \(\nu =1\) reduce to \({\varOmega }_-(1,\lambda )=0\) and \({\varOmega }_+(1,\lambda )={\textstyle \frac{1}{d-1}}-\lambda {\textstyle \frac{d-2}{2(d-1)}}\). At \(\nu =1\) the optimal \(\lambda \) is \({\textstyle \frac{2}{d-2}}\), yielding \(e^{\mathrm{ph}}\le {\textstyle \frac{2\beta }{d-2}}\) and thus an upper bound of \(h({\textstyle \frac{2\beta }{d-2}})\) on the PA.

5.2 Comparison

We first compare our asymptotic result (Theorem 2) to the asymptotic \(h({\textstyle \frac{2\beta }{d-2}})\) of [16]. For all \(\beta \in [0,\beta _0]\) and \(d>2\), it holds that

$$\begin{aligned} (1-2\beta )h({\textstyle \frac{2\beta }{(d-2)(1-2\beta )}}) \le h\left( {\textstyle \frac{2\beta }{d-2}}\right) . \end{aligned}$$
(16)

This is verified as follows. Let \(p_0=2\beta \), \(p_1=1-2\beta \), \(x_0=0\), \(x_1={\textstyle \frac{2\beta }{(d-2)(1-2\beta )}}\). The left-hand side of (16) can be expressed as \(p_0 h(x_0)+p_1 h(x_1)\) and the right-hand side as \(h(p_0 x_0 + p_1 x_1)\). Because h is concave, we have \({{\mathbb {E}}}h(\cdots )\le h({{\mathbb {E}}}\cdots )\).

Fig. 1 Saturated PA per qudit as a function of d. Comparison of [14] and our results (Theorems 1 and 2). Our non-asymptotic result is shown for several values of n

Fig. 2 Amount of privacy amplification per qudit as a function of \(\beta \), for \(d=10\). Comparison of our Theorem 1 (\(n=10^7\)) and Theorem 2 versus the PA of [16], which equals \(h({\textstyle \frac{2\beta }{d-2}})\) below saturation and \(h(\frac{1}{d-1})\) above saturation

Thus, our von Neumann result is sharper than [16]. It is difficult to pinpoint what causes the difference in tightness.

Note too that our saturation occurs at lower \(\beta \) than in [16], especially for small d.

Our Theorem 1 is non-asymptotic; we cannot compare it to previous results since the previous results are for the asymptotic regime.

Figures 1 and 2 show plots of the PA per qudit. In Fig. 1, the post-selection ‘price’ proportional to \(d^4{\textstyle \frac{\log n}{n}}\) is clearly visible; for large d, the cost is prohibitive. Interestingly, at small d our non-asymptotic result for the saturated PA is sharper than the asymptotic \(h({\textstyle \frac{1}{d-1}})\) [14, 16].
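As an added numerical illustration (not code from the paper), the script below evaluates Theorems 1 and 2 and the comparison of this section: it solves Eq. (10) and the polynomial \(y^{d-1}+y-1\) by bisection, computes T, \(I_{\mathrm{AE}}\), the bound of [16], the key length \(\ell \) given after Theorem 1, and the monitoring threshold \({\tilde{\beta }}\) of Sect. 3.1. All function names and the sample parameters (d = 10, \(\varepsilon =10^{-10}\)) are assumptions chosen for the example.

```python
import math

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def bisect(f, lo, hi, iters=200):
    """Root of an increasing function f with f(lo) < 0 < f(hi)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if f(mid) < 0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def beta_star(d):
    """Saturation point of Theorem 1: Eq. (9), with x_d the root of Eq. (10)."""
    m = d - 2
    def eq10(x):
        u = 1 - x / m
        return (math.sqrt(u) + (1 + 1 / m) / math.sqrt(u)
                + (math.sqrt(x) - 1 / math.sqrt(x)) / math.sqrt(m) - 2)
    x_d = bisect(eq10, 1e-12, 1 - 1e-12)
    return (x_d / 2) / (1 + x_d)

def T_factor(d, beta):
    """T of Eqs. (7)-(8); constant for beta >= beta_star."""
    b = min(beta, beta_star(d))
    inner = max(0.0, 1 - 2 * b * (d - 1) / (d - 2))  # guard against rounding
    return 2 * b + math.sqrt(1 - 2 * b) * (
        math.sqrt(inner) + math.sqrt(2 * b) / math.sqrt(d - 2))

def beta_0(d):
    """Saturation point of Theorem 2: Eq. (15), y_d the root of y^(d-1) + y - 1."""
    y_d = bisect(lambda y: y ** (d - 1) + y - 1, 0.0, 1.0)
    return 0.5 / (1 + 1 / ((d - 2) * (1 - y_d)))

def leak_vn(d, beta):
    """Von Neumann leakage I_AE of Eqs. (13)-(14)."""
    b = min(beta, beta_0(d))
    return (1 - 2 * b) * h(2 * b / ((d - 2) * (1 - 2 * b)))

def prior_bound(d, beta):
    """Bound of [16]: Eq. (2) below its saturation point, h(1/(d-1)) above."""
    if beta <= 0.5 * (d - 2) / (d - 1):
        return h(2 * beta / (d - 2))
    return h(1 / (d - 1))

def key_length(d, n, beta, eps):
    """Key length l for eps-security against general attacks (text after Theorem 1):
    l = n(1 - 2 log T) - (d^4 - 1) log(n+1) - 2 log(1/eps) + 2, floored at 0."""
    l = (n * (1 - 2 * math.log2(T_factor(d, beta)))
         - (d ** 4 - 1) * math.log2(n + 1)
         - 2 * math.log2(1 / eps) + 2)
    return max(0, math.floor(l))

def monitoring_threshold(beta, L, eta):
    """Largest beta_tilde allowed by the Hoeffding bound of Sect. 3.1."""
    return beta - math.sqrt(math.log(1 / eta) / (2 * L))

if __name__ == "__main__":
    d, eps = 10, 1e-10  # constructed example parameters
    print(f"beta_* = {beta_star(d):.4f}   beta_0 = {beta_0(d):.4f}")
    for beta in (0.01, 0.05, 0.10, 0.50):
        print(f"beta = {beta:.2f}:  2 log T = {2 * math.log2(T_factor(d, beta)):.4f}"
              f"  I_AE = {leak_vn(d, beta):.4f}  bound of [16] = {prior_bound(d, beta):.4f}")
    for n in (10 ** 5, 10 ** 7):
        print(f"n = {n}: saturated key length l = {key_length(d, n, 0.5, eps)}")
    print("beta_tilde for beta = 0.1, L = 10000, eta = eps:",
          round(monitoring_threshold(0.1, 10_000, eps), 5))
```

For d = 10 the post-selection term exceeds \(n(1-2\log T)\) at \(n=10^5\), so no key can be extracted there, while at \(n=10^7\) it is a small correction.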

6 Symmetrized EPR version of the protocol

6.1 RRDPS is equivalent to RRDPS with random permutations

We show that inserting a symmetrization step into RRDPS does not affect the protocol. More specifically, the following protocol is equivalent to RRDPS steps 1 to 3. (For brevity, we do not explicitly write down the channel monitoring, information reconciliation and privacy amplification.)

S1 :

Alice picks a random \(a\in \{0,1\} ^d\) and a random permutation \(\pi \).

She prepares \(| \mu _a \rangle ={\textstyle \frac{1}{\sqrt{d}}}\sum _t (-1)^{a_t}| t \rangle \).

S2 :

Alice performs the permutation \(\pi \) on the state \(| \mu _a \rangle \). She sends the result to Bob. After pausing for a while, she sends \(\pi \) to Bob.

S3 :

Eve does something with the state, without knowing \(\pi \). Then, she sends the result to Bob.

S4 :

Bob receives a state and stores it until he receives \(\pi \). Bob applies \(\pi ^{-1}\) to the state.

S5 :

Bob picks a random \(r\in \{1,\ldots ,d-1\}\) and does the \({{\mathcal {M}}}^{(r)}\) POVM. The result is an index \(k\in \{0,\ldots ,d-1\}\) and a bit \(s=a_k\oplus a_{k+r}\). He computes \(\ell =k+r\;\mathrm{mod}\;d\). He announces \(k,\ell \).

S6 :

Alice computes \(s'=a_k\oplus a_\ell \).

The equivalence is shown as follows. After step S2, the state is \({\textstyle \frac{1}{\sqrt{d}}}\sum _t (-1)^{a_t}| \pi (t) \rangle ={\textstyle \frac{1}{\sqrt{d}}}\sum _\tau (-1)^{a_{\pi ^{-1}\tau }}| \tau \rangle \) \(=| \mu _{\pi ^{-1}(a)} \rangle \). Hence, Alice’s process {state preparation followed by \(\pi \)} can be replaced by {acting with \(\pi ^{-1}\) on a followed by state preparation}. Similarly, Bob’s process {apply \(\pi ^{-1}\) to state; pick random r; do \({{\mathcal {M}}}^{(r)}\); send \(k,\ell \)} has exactly the same effect as {pick random r; do \({{\mathcal {M}}}^{(r)}\); apply \(\pi \) to \(k,\ell \); send \(\pi (k),\pi (\ell )\)}. Next, Bob’s computation of \(\pi (k),\pi (\ell )\) can be moved to Alice. Then, Alice’s actions {pick random a; send \(\pi ^{-1}(a)\) to state preparation; send a to step S6} can be replaced by {pick random \(a'\); send \(a'\) to state preparation; send \(\pi (a)\) to step S6}. Finally, in step S6 we use \(\pi (a)_{\pi (k)}=a_k\) and \(\pi (a)_{\pi (\ell )}=a_\ell \).

Remark

In step S3, it is crucial that Eve does not know \(\pi \) at the moment of her manipulation of the state. This will allow us to derive a symmetrized form of the density matrix in Sect. 6.3.

6.2 RRDPS is equivalent to RRDPS with random phase flips

Analogously to Sect. 6.1, it can be seen that adding an extra phase-flipping step to RRDPS does not affect RRDPS. Consider the following protocol.

F1 :

Alice picks a random \(a\in \{0,1\} ^d\) and a random \(c\in \{0,1\} ^d\). She prepares \(| \mu _a \rangle ={\textstyle \frac{1}{\sqrt{d}}}\sum _t (-1)^{a_t}| t \rangle \).

F2 :

Alice performs the phase flips on the state \(| \mu _a \rangle \), according to the rule \(| t \rangle \rightarrow (-1)^{c_t}| t \rangle \) for basis states. She sends the result to Bob. After pausing for a while, she sends c to Bob.

F3 :

Eve does something with the state, without knowing c. Then, she sends the result to Bob.

F4 :

Bob receives a state and stores it until he receives c. Bob applies phase flips c to the state.

F5 :

Bob picks a random \(r\in \{1,\ldots ,d-1\}\) and does the \({{\mathcal {M}}}^{(r)}\) POVM. The result is an index \(k\in \{0,\ldots ,d-1\}\) and a bit \(s=a_k\oplus a_{k+r}\). He computes \(\ell =k+r\;\mathrm{mod}\;d\). He announces \(k,\ell \).

F6 :

Alice computes \(s'=a_k\oplus a_\ell \).

The equivalence to RRDPS is seen as follows. After step F2, the state is \(| \mu _{a\oplus c} \rangle \). Hence, Alice’s process {pick random a; prepare state; flip with c} is equivalent to {pick random a; flip with c; prepare state}. Similarly, Bob’s process {flip with c; pick random r; do \({{\mathcal {M}}}^{(r)}\)} is equivalent to {pick random r; do \({{\mathcal {M}}}^{(r)}\); change s to \(s\oplus c_k\oplus c_\ell \) }. This holds because in the first case Bob obtains \(s=(a\oplus c)_k\oplus (a\oplus c)_\ell =(a_k\oplus a_\ell )\oplus c_k\oplus c_\ell \). Furthermore, Alice’s steps {pick random a; send a to computation of \(s'\) and flipped a to state preparation} are equivalent to {pick random \(a'\); send flipped a to computation of \(s'\) and \(a'\) to state preparation}. The final effect of these transformations of the ‘F’ protocol is that (i) there is no physical phase flipping at all, (ii) Bob needs no quantum memory and (iii) Alice and Bob both obtain a secret bit \((a_k\oplus a_\ell )\oplus c_k\oplus c_\ell \); though not equal to \(a_k\oplus a_\ell \), it is statistically the same.

6.3 EPR version

We introduce a protocol based on EPR pairs that is equivalent to the combined ‘S’ and ‘F’ protocols and hence also equivalent to RRDPS.

E1 :

A maximally entangled two-qudit state is prepared.

$$\begin{aligned} | \alpha _0 \rangle {\mathop {=}\limits ^{\mathrm{def}}}\frac{1}{\sqrt{d}}\sum _{t=0}^{d-1}| tt \rangle . \end{aligned}$$
(17)

One qudit (‘A’) is intended for Alice and one (‘B’) for Bob.

E2 :

Eve does something with the EPR pair. Then, Alice and Bob each receive their own qudit.

E3 :

Alice and Bob pick a random permutation \(\pi \). They both apply \(\pi \) to their own qudit. Then, they forget \(\pi \).

E4 :

Alice and Bob pick a random string \(c\in \{0,1\} ^d\). They both apply phase flips \(| t \rangle \rightarrow (-1)^{c_t}| t \rangle \) to their own qudit. Then, they forget c.

E5 :

Alice performs a POVM \({{\mathcal {Q}}}=(Q_z)_{z\in \{0,1\} ^d}\) on her own qudit, where

$$\begin{aligned} Q_z=\frac{d}{2^d}| \mu _z \rangle \langle \mu _z |. \end{aligned}$$
(18)

This results in a measured string \(a\in \{0,1\} ^d\).

E6 :

Bob picks a random integer \(r\in \{1,\ldots ,d-1\}\) and performs the POVM measurement \({{\mathcal {M}}}^{(r)}\) on his qudit. The result of the measurement is an integer \(k\in \{0,\ldots ,d-1\}\) and a bit s. Bob computes \(\ell =k+r\;\mathrm{mod}\;d\). Bob announces \(k,\ell \).

E7 :

Alice computes \(s'=a_k\oplus a_\ell \).

The equivalence to the protocol in Sect. 6.1 is seen as follows. First, let Alice be the origin of the EPR pair, and let her perform \({{\mathcal {Q}}}\) as soon as she has created the EPR pair. This process is equivalent to preparing a qudit state \(| \mu _a \rangle \) with random a. The only difference is that the EPR protocol allows Eve to couple her ancilla to the AB system instead of only the B system. Hence, the EPR version overestimates Eve’s power. Security of the EPR version implies security of the original RRDPS. Furthermore, the permutations and phase flips in steps E3, E4 cancel out exactly like in protocols ‘S’ and ‘F’.

Remark

The protocol equivalences in Sects. 6.1–6.3 can be nicely visualized using diagrammatic techniques [22]. We do not show the protocol diagrams in this paper.

Lemma 1

The hermitian matrices \(Q_z\) as defined in (18) form a POVM, i.e. \(\sum _{z\in \{0,1\} ^d}Q_z={\mathbb {1}}\).

Proof

\(\sum _z| \mu _z \rangle \langle \mu _z |=\) \(\sum _z{\textstyle \frac{1}{d}}\sum _{t,t'=0}^{d-1}(-1)^{z_{t'}+z_{t}}| t \rangle \langle t' |={\textstyle \frac{1}{d}}\sum _{t,t'=0}^{d-1}| t \rangle \langle t' |\sum _z(-1)^{z_{t'}+z_t}\).

Using \(\sum _z(-1)^{z_{t'}+z_t}=2^d\delta _{tt'}\), we get \(\sum _z| \mu _z \rangle \langle \mu _z |={\textstyle \frac{2^d}{d}}\sum _t| t \rangle \langle t |={\textstyle \frac{2^d}{d}}{\mathbb {1}}\). \(\square \)

Alice and Bob’s measurements can be carried out in the opposite order. It is not important whether \({{\mathcal {Q}}}\) is practical or not; it is a theoretical construct which allows us to build an EPR version of RRDPS.

6.4 Effect of the random transforms: state symmetrization

Let \(\rho ^{\mathrm{AB}}=| \alpha _0 \rangle \langle \alpha _0 |\) denote the pure EPR state of Alice and Bob, and let \({\hat{\rho }}^\mathrm{AB}\) be the mixed state of the AB system after Eve’s manipulation in step E2. We write

$$\begin{aligned} {\hat{\rho }}^\mathrm{AB}=\sum _{t,t',\tau ,\tau '\in \{0,\ldots ,d-1\}}{\hat{\rho }}^{tt'}_{\tau \tau '}| t,t' \rangle \langle \tau ,\tau ' |, \end{aligned}$$
(19)

with \({\hat{\rho }}^{\tau \tau '}_{tt'}=({\hat{\rho }}^{tt'}_{\tau \tau '})^*\) and \(\sum _{tt'}{\hat{\rho }}^{tt'}_{tt'}=1\). The effect of step E3 is that the AB state gets averaged over all permutations, i.e. we get the following mapping

$$\begin{aligned}&{\hat{\rho }}^\mathrm{AB} \mapsto {\tilde{\rho }}^{\mathrm{AB}} {\mathop {=}\limits ^{\mathrm{def}}}\frac{1}{d!}\sum _\pi \sum _{t,t',\tau ,\tau '} {\hat{\rho }}^{\pi (t),\pi (t')}_{\pi (\tau ),\pi (\tau ')}| t,t' \rangle \langle \tau ,\tau ' |, \end{aligned}$$
(20)
$$\begin{aligned}&\quad {\mathop {=}\limits ^{\mathrm{def}}}\sum _{t,t',\tau ,\tau '}{\tilde{\rho }}^{tt'}_{\tau \tau '} | t,t' \rangle \langle \tau ,\tau ' |. \end{aligned}$$
(21)

Here, the parameters \({\tilde{\rho }}^{tt'}_{\tau \tau '}\) are invariant under simultaneous permutation of the four indices, i.e. \({\tilde{\rho }}^{\pi (t),\pi (t')}_{\pi (\tau ),\pi (\tau ')}={\tilde{\rho }}^{tt'}_{\tau \tau '}\) for all \(\pi \), \(t\), \(t'\), \(\tau \), \(\tau '\). The consequence is that \({\tilde{\rho }}^{\mathrm{AB}}\) contains only a few degrees of freedom, namely the constants \({\tilde{\rho }}^{ss}_{ss}\), \({\tilde{\rho }}^{ss}_{st}\), \({\tilde{\rho }}^{ss}_{ts}\), \({\tilde{\rho }}^{ss}_{tt}\), \({\tilde{\rho }}^{st}_{st}\), \({\tilde{\rho }}^{st}_{ts}\), \({\tilde{\rho }}^{ss}_{tu}\), \({\tilde{\rho }}^{st}_{su}\), \({\tilde{\rho }}^{ts}_{us}\), \({\tilde{\rho }}^{st}_{us}\), \({\tilde{\rho }}^{st}_{uv}\), where \(s,t,u,v\) are mutually distinct.

Next, the random phase flips reduce the degrees of freedom even further. Let \(F_c\) be the phase flip operator.

$$\begin{aligned} {\bar{\rho }}^{\mathrm{AB}}&{\mathop {=}\limits ^{\mathrm{def}}}&{{\mathbb {E}}}_{c\in \{0,1\} ^d} F_c{\tilde{\rho }}^{\mathrm{AB}}F_c^{\dag }\end{aligned}$$
(22)
$$\begin{aligned}= & {} {{\mathbb {E}}}_c \sum _{tt'\tau \tau '}{\tilde{\rho }}^{tt'}_{\tau \tau '} (-1)^{c_t+c_{t'}+c_\tau +c_{\tau '}} | t,t' \rangle \langle \tau ,\tau ' | \end{aligned}$$
(23)
$$\begin{aligned}= & {} \sum _{tt'\tau \tau '} | t,t' \rangle \langle \tau ,\tau ' | {\tilde{\rho }}^{tt'}_{\tau \tau '} {{\mathbb {E}}}_c (-1)^{c_t+c_{t'}+c_\tau +c_{\tau '}} \end{aligned}$$
(24)
$$\begin{aligned}&{\mathop {=}\limits ^{\mathrm{def}}}&\sum _{tt'\tau \tau '} | t,t' \rangle \langle \tau ,\tau ' |{\bar{\rho }}^{tt'}_{\tau \tau '}. \end{aligned}$$
(25)

From (24), we see that any time index that occurs an odd number of times will be wiped out, i.e. \({{\mathbb {E}}}_c (-1)^{c_t}=0\). The only surviving degrees of freedom are the four constants \({\bar{\rho }}^{\bullet \bullet }_{\bullet \bullet }\), \({\bar{\rho }}^{\bullet \bullet }_{\circ \circ }\), \({\bar{\rho }}^{\bullet \circ }_{\bullet \circ }\), \({\bar{\rho }}^{\bullet \circ }_{\circ \bullet }\), where \(\bullet \) and \(\circ \) denote distinct arbitrary indices. Note that these constants are real-valued. We can now write

$$\begin{aligned} {\bar{\rho }}^{\mathrm{AB}}= {\bar{\rho }}^{\bullet \bullet }_{\bullet \bullet }\sum _t | tt \rangle \langle tt | +{\bar{\rho }}^{\bullet \bullet }_{\circ \circ }\sum _{[t\tau ]}| tt \rangle \langle \tau \tau | +{\bar{\rho }}^{\bullet \circ }_{\bullet \circ }\sum _{[tt']}| tt' \rangle \langle tt' | +{\bar{\rho }}^{\bullet \circ }_{\circ \bullet }\sum _{[tt']}| tt' \rangle \langle t't |. \nonumber \\ \end{aligned}$$
(26)

Furthermore, the requirement \(\mathrm{tr}\,{\bar{\rho }}^{\mathrm{AB}}=1\) imposes the constraint \(d{\bar{\rho }}^{\bullet \bullet }_{\bullet \bullet }+d(d-1){\bar{\rho }}^{\bullet \circ }_{\bullet \circ }=1\), reducing the number of degrees of freedom to three.

7 Imposing the noise constraint

The channel monitoring restricts the ways in which Eve can alter the AB state. We will determine the most general allowed \({\bar{\rho }}^{\mathrm{AB}}\) that is compatible with bit error rate \(\beta \). (We will later see that it is optimal for Eve to cause the same bit error rate in all rounds. This is due to the concavity of the leakage as a function of the error rate.) We introduce the notation \(P_{aks|r}=\mathrm{Pr}[A=a,K=k,S=s|R=r]\).

Lemma 2

Let Alice and Bob’s bipartite state be \({\bar{\rho }}^{\mathrm{AB}}\), and let them perform the measurements \({{\mathcal {Q}}}\) and \({{\mathcal {M}}}^{(r)}\) respectively. At given \(r\), the joint probability of the outcomes \(a,k,s\) is given by

$$\begin{aligned} P_{aks|r}= \frac{1}{2d 2^d}+ \frac{1}{2\cdot 2^d}({\bar{\rho }}^{\bullet \bullet }_{\circ \circ }+{\bar{\rho }}^{\bullet \circ }_{\circ \bullet })(-1)^{s+a_k+a_{k+r}}. \end{aligned}$$
(27)

Proof

\(P_{aks|r}=\mathrm{tr}\,(Q_a\otimes M^{(r)}_{ks}){\bar{\rho }}^{\mathrm{AB}}=\mathrm{tr}\,({\textstyle \frac{1}{2^d}}\sum _{\ell \ell '}(-1)^{a_\ell +a_{\ell '}}| \ell \rangle \langle \ell ' |\otimes \frac{1}{2}\frac{| k \rangle +(-1)^s| k+r \rangle }{\sqrt{2}} \frac{\langle k |+(-1)^s\langle k+r |}{\sqrt{2}}) \sum _{tt'\tau \tau '}{\bar{\rho }}^{tt'}_{\tau \tau '}| t \rangle \langle \tau |\otimes | t' \rangle \langle \tau ' |=\frac{1}{2^d 4}\sum _{tt'\tau \tau '}{\bar{\rho }}^{tt'}_{\tau \tau '}(-1)^{a_t+a_\tau } [\delta _{t'k}+(-1)^s \delta _{t',k+r}] [\delta _{\tau 'k}+(-1)^s \delta _{\tau ',k+r}]=\frac{1}{2^d 4}\sum _{t\tau }(-1)^{a_t+a_\tau }[{\bar{\rho }}^{tk}_{\tau k}+{\bar{\rho }}^{t,k+r}_{\tau ,k+r} +(-1)^s {\bar{\rho }}^{tk}_{\tau ,k+r}+(-1)^s {\bar{\rho }}^{t,k+r}_{\tau k}]\). We use \({\bar{\rho }}^{t\ell }_{\tau \ell }=\delta _{t\ell }\delta _{\tau \ell }{\bar{\rho }}^{\bullet \bullet }_{\bullet \bullet }\) \(+\delta _{\tau t}(1-\delta _{t\ell }){\bar{\rho }}^{\bullet \circ }_{\bullet \circ }\) for the first two terms, setting \(\ell =k\) and \(\ell =k+r\). Since \(k+r\ne k\) we write \({\bar{\rho }}^{tk}_{\tau ,k+r}=\delta _{tk}\delta _{\tau ,k+r}{\bar{\rho }}^{\bullet \bullet }_{\circ \circ } +\delta _{t,k+r}\delta _{\tau k}{\bar{\rho }}^{\bullet \circ }_{\circ \bullet }\), and similarly for \({\bar{\rho }}^{t,k+r}_{\tau k}\). Finally, we use \({\bar{\rho }}^{\bullet \bullet }_{\bullet \bullet }+(d-1){\bar{\rho }}^{\bullet \circ }_{\bullet \circ }=1/d\). (See end of Sect. 6.4.) \(\square \)

We now impose the constraint that a bit error occurs with probability \(\beta \),

$$\begin{aligned} \mathrm{Pr}[S= A_K\oplus A_{K+R}]=1-\beta . \end{aligned}$$
(28)

Here, the random variables are A, R, K, and S.

Theorem 3

The constraint (28) can only be satisfied by a density function of the form

$$\begin{aligned} {\bar{\rho }}^{\mathrm{AB}}= & {} (1-2\beta -V)| \alpha _0 \rangle \langle \alpha _0 | +V\frac{1}{d}\sum _{tt'}| tt' \rangle \langle t' t | \nonumber \\&+\,(2\beta -\mu )\frac{{\mathbb {1}}}{d^2}+\mu \frac{1}{d}\sum _t| tt \rangle \langle tt | \end{aligned}$$
(29)

with \(\mu ,V\in {{\mathbb {R}}}\). Written componentwise,

$$\begin{aligned} {\bar{\rho }}_{\tau \tau '}^{tt'}=\frac{1-2\beta -V}{d}\delta _{t't}\delta _{\tau '\tau }+\frac{V}{d}\delta _{\tau t'}\delta _{\tau ' t} +\frac{2\beta -\mu }{d^2}\delta _{\tau t}\delta _{\tau ' t'} +\frac{\mu }{d}\delta _{t't}\delta _{\tau t}\delta _{\tau 't}. \end{aligned}$$
(30)

Proof

We write \(\mathrm{Pr}[S= A_K\oplus A_{K+R}]=\sum _{akrs}{\textstyle \frac{1}{d-1}}P_{aks|r}\delta _{s,a_k\oplus a_{k+r}}\) and use Lemma 2. This yields \(\mathrm{Pr}[S= A_K\oplus A_{K+R}]={\textstyle \frac{1}{2}}+{\textstyle \frac{d}{2}}({\bar{\rho }}^{\bullet \bullet }_{\circ \circ }+{\bar{\rho }}^{\bullet \circ }_{\circ \bullet })\). The constraint (28) can only be satisfied by setting \({\bar{\rho }}^{\bullet \bullet }_{\circ \circ }+{\bar{\rho }}^{\bullet \circ }_{\circ \bullet }={\textstyle \frac{1-2\beta }{d}}\). We choose \({\bar{\rho }}^{\bullet \bullet }_{\circ \circ }, {\bar{\rho }}^{\bullet \circ }_{\bullet \circ }\) as the two independent degrees of freedom and re-parametrize them as \({\bar{\rho }}^{\bullet \bullet }_{\circ \circ }=(1-2\beta -V)/d\) and \({\bar{\rho }}^{\bullet \circ }_{\bullet \circ }=(2\beta -\mu )/d^2\), where \(\mu ,V\in {{\mathbb {R}}}\) are the new independent degrees of freedom. Substitution into (26) yields (29). \(\square \)

Theorem 3 shows that (at fixed \(\beta \)) there are still two degrees of freedom, \(\mu \) and V, in Eve’s manipulation of the EPR pair. This differs from standard qubit-wise QKD, where the bit error probability completely fixes Eve’s ancilla state.

8 Purification

According to the attacker model, we have to assume that Eve has the purification of the state \({\bar{\rho }}^{\mathrm{AB}}\). The purification contains all information about s that exists outside the AB system.

8.1 The purified state and its properties

We introduce the following notation,

$$\begin{aligned} | \alpha _j \rangle&{\mathop {=}\limits ^{\mathrm{def}}}&\frac{1}{\sqrt{d}}\sum _t e^{i\frac{2\pi }{d} jt}| tt \rangle , \quad \quad j\in \{0,\ldots ,d-1\}, \end{aligned}$$
(31)
$$\begin{aligned} | D_{tt'}^\pm \rangle&{\mathop {=}\limits ^{\mathrm{def}}}&\frac{| tt' \rangle \pm | t't \rangle }{\sqrt{2}} \quad \quad t<t'. \end{aligned}$$
(32)

Lemma 3

The \({\bar{\rho }}^{\mathrm{AB}}\) given in (29) has the following orthonormal eigensystem,

$$\begin{aligned} | \alpha _0 \rangle&\text{ with } \text{ eigenvalue } \lambda _0{\mathop {=}\limits ^{\mathrm{def}}}\frac{2\beta -\mu }{d^2} +\frac{\mu +V}{d}+ 1-2\beta -V \nonumber \\ | \alpha _j \rangle \quad j\in \{1,\ldots ,d-1\}&\text{ with } \text{ eigenvalue } \lambda _1{\mathop {=}\limits ^{\mathrm{def}}}\frac{2\beta -\mu }{d^2}+\frac{\mu +V}{d}\nonumber \\ | D_{tt'}^\pm \rangle \quad (t<t')&\text{ with } \text{ eigenvalue } \lambda _\pm {\mathop {=}\limits ^{\mathrm{def}}}\frac{2\beta -\mu }{d^2}\pm \frac{V}{d}. \end{aligned}$$
(33)

Proof

The term proportional to \({\mathbb {1}}\) in (29) yields a contribution \((2\beta -\mu )/d^2\) to each eigenvalue. First, we look at \(| \alpha _j \rangle \). We have \(\langle \alpha _0 | \alpha _j \rangle =\delta _{j0}\). Furthermore, \(\langle t't | \alpha _j \rangle =\delta _{t't}e^{i\frac{2\pi }{d}jt}/\sqrt{d}\), which gives \((\sum _{tt'}| tt' \rangle \langle t't |)| \alpha _j \rangle =| \alpha _j \rangle \). Similarly we have \((\sum _{t}| tt \rangle \langle tt |)| \alpha _j \rangle =| \alpha _j \rangle \). Next we look at \(| D^\pm _{tt'} \rangle \). We have \(\langle \alpha _0 | D^\pm _{tt'} \rangle =0\) and \(\langle uu | D^\pm _{tt'} \rangle =0\). Hence, the \((1-2\beta -V)\)-term and the \(\mu \)-term in (29) yield zero when acting on \(| D^\pm _{tt'} \rangle \). Furthermore, \(\sum _{uu'}| uu' \rangle \langle u'u | D^+_{tt'} \rangle \) \(=\sum _{uu'}| uu' \rangle \frac{\delta _{ut}\delta _{u't'}+\delta _{ut'}\delta _{u't}}{\sqrt{2}}\) \(=| D^+_{tt'} \rangle \). Similarly, \(\sum _{uu'}| uu' \rangle \langle u'u | D^-_{tt'} \rangle \) \(=\sum _{uu'}| uu' \rangle \frac{\delta _{ut}\delta _{u't'}-\delta _{ut'}\delta _{u't}}{\sqrt{2}}\mathrm{sgn}(u-u')\) \(=-| D^-_{tt'} \rangle \). \(\square \)
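The following numerical check of Theorem 3 and Lemma 3 is an added example, not code from the paper. It builds \({\bar{\rho }}^{\mathrm{AB}}\) from the components (30), evaluates \(P_{aks|r}\) with the POVM elements used in the proof of Lemma 2, and confirms that the agreement probability (28) equals \(1-\beta \) for any \(\mu ,V\) while the eigenvalues (33) do depend on them. All function names are hypothetical, and the parameter values in the demo are constructed.

```python
import cmath
import itertools
import math

def rho_bar(d, beta, mu, V):
    """Components rho[t][t'][tau][tau'] of the symmetrized AB state, eq. (30)."""
    def comp(t, tp, tau, taup):
        return ((1 - 2 * beta - V) / d * (tp == t) * (taup == tau)
                + V / d * (tau == tp) * (taup == t)
                + (2 * beta - mu) / d**2 * (tau == t) * (taup == tp)
                + mu / d * (tp == t) * (tau == t) * (taup == t))
    R = range(d)
    return [[[[comp(t, tp, tau, taup) for taup in R] for tau in R]
             for tp in R] for t in R]

def trace(rho, d):
    """tr rho = sum of the diagonal components rho^{tt'}_{tt'}."""
    return sum(rho[t][tp][t][tp] for t in range(d) for tp in range(d))

def p_aks_given_r(rho, d, a, k, s, r):
    """P_{aks|r} = tr[(Q_a (x) M^(r)_ks) rho], as in the proof of Lemma 2.

    <tau|Q_a|t> = (-1)^(a_t + a_tau) / 2^d, and
    M^(r)_ks = 1/4 (|k> + (-1)^s |k+r>)(<k| + (-1)^s <k+r|).
    """
    ell = (k + r) % d
    bob = {k: 1, ell: (-1) ** s}  # amplitudes of |k> + (-1)^s |k+r>
    total = 0.0
    for t in range(d):
        for tau in range(d):
            sign_a = (-1) ** (a[t] + a[tau])
            for tp, c1 in bob.items():
                for taup, c2 in bob.items():
                    total += rho[t][tp][tau][taup] * sign_a * c1 * c2
    return total / (4 * 2**d)

def agreement_probability(d, beta, mu, V):
    """Left-hand side of (28): Pr[S = A_K xor A_{K+R}], R uniform on 1..d-1."""
    rho = rho_bar(d, beta, mu, V)
    total = 0.0
    for r in range(1, d):
        for a in itertools.product((0, 1), repeat=d):
            for k in range(d):
                s = a[k] ^ a[(k + r) % d]
                total += p_aks_given_r(rho, d, a, k, s, r) / (d - 1)
    return total

def eigen_residual(rho, d, psi, lam):
    """max |(rho psi - lam psi)_{tt'}| for psi given as {(t, t'): amplitude}."""
    worst = 0.0
    for t in range(d):
        for tp in range(d):
            image = sum(rho[t][tp][tau][taup] * amp
                        for (tau, taup), amp in psi.items())
            worst = max(worst, abs(image - lam * psi.get((t, tp), 0)))
    return worst

def lemma3_worst_residual(d, beta, mu, V):
    """Largest eigen-equation residual over the eigensystem (33)."""
    rho = rho_bar(d, beta, mu, V)
    base = (2 * beta - mu) / d**2
    lam1 = base + (mu + V) / d
    lam0 = lam1 + 1 - 2 * beta - V
    worst = 0.0
    for j_idx in range(d):  # |alpha_j>, eq. (31)
        alpha = {(t, t): cmath.exp(1j * 2 * math.pi * j_idx * t / d) / math.sqrt(d)
                 for t in range(d)}
        lam = lam0 if j_idx == 0 else lam1
        worst = max(worst, eigen_residual(rho, d, alpha, lam))
    for t in range(d):      # |D^pm_{tt'}>, eq. (32)
        for tp in range(t + 1, d):
            for sign in (+1, -1):
                D = {(t, tp): 1 / math.sqrt(2), (tp, t): sign / math.sqrt(2)}
                worst = max(worst, eigen_residual(rho, d, D, base + sign * V / d))
    return worst

if __name__ == "__main__":
    d, beta = 4, 0.1  # constructed demo values
    for mu, V in [(0.0, 0.0), (0.05, 0.02), (0.1, -0.01)]:
        print(mu, V, agreement_probability(d, beta, mu, V),
              lemma3_worst_residual(d, beta, mu, V))
```
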

In diagonalized form, the \({\bar{\rho }}^{\mathrm{AB}}\) is given by

$$\begin{aligned} {\bar{\rho }}^{\mathrm{AB}}= & {} \lambda _0| \alpha _0 \rangle \langle \alpha _0 |+\lambda _1\sum _{j=1}^{d-1}| \alpha _j \rangle \langle \alpha _j | +\lambda _+\sum _{tt':t<t'}| D_{tt'}^+ \rangle \langle D_{tt'}^+ | \nonumber \\&+\,\lambda _-\sum _{tt':t<t'}| D_{tt'}^- \rangle \langle D_{tt'}^- |. \end{aligned}$$
(34)

The purification is

$$\begin{aligned} | {\varPsi }^{\mathrm{ABE}} \rangle= & {} \sqrt{\lambda _0} | \alpha _0 \rangle \otimes | E_0 \rangle +\sqrt{\lambda _1}\sum _{j=1}^{d-1}| \alpha _j \rangle \otimes | E_j \rangle \nonumber \\&+\,\sqrt{\lambda _+}\sum _{tt':t<t'}| D_{tt'}^+ \rangle \otimes | E_{tt'}^+ \rangle +\sqrt{\lambda _-}\sum _{tt':t<t'}| D_{tt'}^- \rangle \otimes | E_{tt'}^- \rangle , \end{aligned}$$
(35)

where we have introduced orthonormal basis states \(| E_j \rangle \), \(| E_{tt'}^\pm \rangle \) in Eve’s Hilbert space. In “Appendix A”, we give more details on Eve’s unitary operation.

8.2 Eve’s state

Eve waits for Alice and Bob to perform their measurements and reveal k and r.

Lemma 4

After Alice has measured \(a\in \{0,1\} ^d\) and Bob has measured \(k\in \{0,\ldots ,d-1\}\), \(s\in \{0,1\} \), Eve’s state is given by

$$\begin{aligned} \sigma ^{rk}_{as}=\mathrm{tr}\,_\mathrm{AB} \Big [| {\varPsi }^{\mathrm{ABE}} \rangle \langle {\varPsi }^{\mathrm{ABE}} | \frac{Q_a\otimes M^{(r)}_{ks}\otimes {\mathbb {1}}}{P_{aks|r}} \Big ]. \end{aligned}$$
(36)

Proof

The POVM elements \(Q_a\) and \(M^{(r)}_{ks}\) are proportional to projection operators. Hence, the tripartite ABE pure state after the measurement is proportional to \((Q_a\otimes M^{(r)}_{ks}\otimes {\mathbb {1}})| {\varPsi }^{\mathrm{ABE}} \rangle \). It is easily verified that the normalization in (36) is correct: taking the trace in E-space yields \(\mathrm{tr}\,_\mathrm{AB}\mathrm{tr}\,_\mathrm{E}| {\varPsi }^{\mathrm{ABE}} \rangle \langle {\varPsi }^{\mathrm{ABE}} | Q_a\otimes M^{(r)}_{ks}\otimes {\mathbb {1}}\) \(=\mathrm{tr}\,_\mathrm{AB}\;{\bar{\rho }}^{\mathrm{AB}}Q_a\otimes M^{(r)}_{ks}\) \(=P_{aks|r}\). \(\square \)

Lemma 5

It holds that

$$\begin{aligned} \frac{d}{2^d} \sum _{{\mathop {\mathrm{without}\, a_k,a_{k+r}}\limits ^{a_0\cdots a_{d-1}}}} | \mu _a \rangle \langle \mu _a |= & {} \frac{1}{4}{\mathbb {1}}+\frac{1}{4}(-1)^{a_k+a_{k+r}}\Big (| k \rangle \langle k+r |+| k+r \rangle \langle k |\Big ) \end{aligned}$$
(37)
$$\begin{aligned}= & {} M^{(r)}_{k,a_k\oplus a_{k+r}} + \frac{1}{4}\sum _{t:\; t\ne k,k+r}| t \rangle \langle t |. \end{aligned}$$
(38)

Proof

We have \(| \mu _a \rangle \langle \mu _a |=\frac{1}{d}{\mathbb {1}}+\frac{1}{d}\sum _{[t\tau ]}| t \rangle \langle \tau |(-1)^{a_t+a_\tau }\). Summation of the \({\textstyle \frac{1}{d}}{\mathbb {1}}\) term is trivial and yields \(2^{d-2}\cdot \frac{1}{d}{\mathbb {1}}\). In the summation of the factor \((-1)^{a_t+a_\tau }\) in the second term, any summation \(\sum _{a_t}(-1)^{a_t}\) yields zero. The only nonzero contribution arises when \(t=k,\tau =k+r\) or \(t=k+r,\tau =k\); the a-summation then yields a factor \(2^{d-2}\). \(\square \)

Lemma 6

It holds that

$$\begin{aligned} {{\mathbb {E}}}_{a:a_k\oplus a_{k+r}=s'}| \mu _a \rangle \langle \mu _a |= \frac{{\mathbb {1}}}{d}+(-1)^{s'}\frac{| k \rangle \langle k+r |+| k+r \rangle \langle k |}{d}. \end{aligned}$$
(39)

Proof

We have \({{\mathbb {E}}}_{a:a_k\oplus a_{k+r}=s'}| \mu _a \rangle \langle \mu _a | =2^{-(d-1)}\sum _{a_k}\sum _{a_{k+r}}\delta _{a_k\oplus a_{k+r},s'}\cdot \sum _{a\,\mathrm{without}\,a_k,a_{k+r}}| \mu _a \rangle \langle \mu _a |\). For the rightmost summation, we use Lemma 5. Performing the \(\sum _{a_k}\) and \(\sum _{a_{k+r}}\) summations yields (39). \(\square \)

Eve’s task is to guess Alice’s bit \(s'=a_k\oplus a_{k+r}\) from the mixed state \(\sigma ^{rk}_{as}\), where Eve does not know a and s. We define

$$\begin{aligned} \sigma ^{rk}_{s'}={{\mathbb {E}}}_{s,a: a_k\oplus a_{k+r}=s'} [\sigma ^{rk}_{as}]. \end{aligned}$$
(40)

This represents Eve’s ancilla state given some value of Alice’s bit \(s'\). Next we introduce notations that are useful for understanding the structure of \(\sigma ^{rk}_{s'}\). We define, for \(t,t'\in \{0,\ldots ,d-1\}\), non-normalized vectors \(| w_{tt'} \rangle \) in Eve’s Hilbert space as

$$\begin{aligned} | w_{tt'} \rangle {\mathop {=}\limits ^{\mathrm{def}}}\langle tt' | {\varPsi }^{\mathrm{ABE}} \rangle . \end{aligned}$$
(41)

Furthermore, we define angles \(\alpha \) and \(\varphi \) as

$$\begin{aligned} \cos 2\alpha {\mathop {=}\limits ^{\mathrm{def}}}\frac{\langle w_{kk} | w_{k+r,k+r} \rangle }{\langle w_{kk} | w_{kk} \rangle } , \quad \cos 2\varphi {\mathop {=}\limits ^{\mathrm{def}}}\frac{\langle w_{k,k+r} | w_{k+r ,k} \rangle }{\langle w_{k,k+r} | w_{k,k+r} \rangle } \end{aligned}$$
(42)

and vectors \(| A \rangle , | B \rangle , | C \rangle , | D \rangle \)

$$\begin{aligned} \frac{| w_{kk} \rangle }{\sqrt{\langle w_{kk} | w_{kk} \rangle }}= & {} \cos \alpha | A \rangle +\sin \alpha | B \rangle \end{aligned}$$
(43)
$$\begin{aligned} \frac{| w_{k+r,k+r} \rangle }{\sqrt{\langle w_{k+r,k+r} | w_{k+r,k+r} \rangle }}= & {} \cos \alpha | A \rangle -\sin \alpha | B \rangle \end{aligned}$$
(44)
$$\begin{aligned} \frac{| w_{k,k+r} \rangle }{\sqrt{\langle w_{k,k+r} | w_{k,k+r} \rangle }}= & {} \cos \varphi | C \rangle +\sin \varphi | D \rangle \end{aligned}$$
(45)
$$\begin{aligned} \frac{| w_{k+r, k} \rangle }{\sqrt{\langle w_{k+r, k} | w_{k+r, k} \rangle }}= & {} \cos \varphi | C \rangle -\sin \varphi | D \rangle . \end{aligned}$$
(46)

The \(| A \rangle \), \(| B \rangle \), \(| C \rangle \), \(| D \rangle \) are mutually orthogonal and also orthogonal to any vector \(| w_{tt'} \rangle \) (\(t'\ne t\)) with \(\{t,t'\}\ne \{k,k+r\}\).

Theorem 4

The eigenvalues of \(\sigma ^{rk}_{s'}\) are given by

$$\begin{aligned} \xi _0&{\mathop {=}\limits ^{\mathrm{def}}}&\frac{d}{2}\cdot \frac{\lambda _+ + \lambda _-}{2} \end{aligned}$$
(47)
$$\begin{aligned} \xi _1&{\mathop {=}\limits ^{\mathrm{def}}}&{\textstyle \frac{d}{2}}(\lambda _1+\lambda _-) = \beta -{\textstyle \frac{d}{2}}({\textstyle \frac{d}{2}}-1)(\lambda _++\lambda _-) \end{aligned}$$
(48)
$$\begin{aligned} \xi _2&{\mathop {=}\limits ^{\mathrm{def}}}&{\textstyle \frac{d}{2}}\left( \lambda _1+2\frac{\lambda _0-\lambda _1}{d}+\lambda _+\right) =1-\beta - {\textstyle \frac{d}{2}}\left( {\textstyle \frac{d}{2}}-1\right) (\lambda _++\lambda _-), \end{aligned}$$
(49)

and the diagonal representation of \(\sigma ^{rk}_{s'}\) is

$$\begin{aligned} \sigma ^{rk}_{s'}= & {} \xi _0\sum _{\begin{array}{c} t\in \{0,\ldots ,d-1\}\\ t\ne k,t\ne k+r \end{array}} \Big ( \frac{| w_{tk} \rangle \langle w_{tk} |}{\langle w_{tk} | w_{tk} \rangle } + \frac{| w_{t,k+r} \rangle \langle w_{t,k+r} |}{\langle w_{t,k+r} | w_{t,k+r} \rangle } \Big ) \nonumber \\&+\,\xi _2 \frac{\left[ \sqrt{\xi _2-{\textstyle \frac{d}{2}}\lambda _+}| A \rangle +(-1)^{s'}\sqrt{{\textstyle \frac{d}{2}}\lambda _+}| C \rangle \right] [\cdots ]^{\dag }}{\xi _2} \nonumber \\&+\,\xi _1\frac{\left[ \sqrt{\xi _1-{\textstyle \frac{d}{2}}\lambda _-}| B \rangle -(-1)^{s'}\sqrt{{\textstyle \frac{d}{2}}\lambda _-}| D \rangle \right] [\cdots ]^{\dag }}{\xi _1}. \end{aligned}$$
(50)

Proof

We have

$$\begin{aligned} \sigma ^{rk}_{s'}= & {} \mathrm{tr}\,_\mathrm{AB}| {\varPsi }^{\mathrm{ABE}} \rangle \langle {\varPsi }^{\mathrm{ABE}} |{{\mathbb {E}}}_{a: a_k\oplus a_{k+r}=s'}Q_a\otimes {{\mathbb {E}}}_{s|s'}\frac{M^{(r)}_{ks}}{P_{aks|r}}\otimes {\mathbb {1}}\nonumber \\= & {} d 2^d\; \mathrm{tr}\,_\mathrm{AB}| {\varPsi }^{\mathrm{ABE}} \rangle \langle {\varPsi }^{\mathrm{ABE}} |[{{\mathbb {E}}}_{a: a_k\oplus a_{k+r}=s'}Q_a]\otimes \left[ \sum _s M^{(r)}_{ks}\right] \otimes {\mathbb {1}}. \end{aligned}$$
(51)

We use Lemma 6 to evaluate the \({{\mathbb {E}}}_a\) factor. We use \(\sum _s M^{(r)}_{ks}={\textstyle \frac{1}{2}}| k \rangle \langle k |+{\textstyle \frac{1}{2}}| k+r \rangle \langle k+r |\). This allows us to write everything in terms of \(| w_{tt'} \rangle \) states. For \(t=t'\), we have

$$\begin{aligned} | w_{tt} \rangle= & {} \sqrt{\lambda _0/d}| E_0 \rangle +\sqrt{\lambda _1/d} \sum _{j=1}^{d-1}(e^{i\frac{2\pi }{d}})^{jt}| E_j \rangle \end{aligned}$$
(52)
$$\begin{aligned} \langle w_{tt} | w_{tt} \rangle= & {} \lambda _1+\frac{\lambda _0-\lambda _1}{d}, \end{aligned}$$
(53)

and for \(t\ne t'\), we have

$$\begin{aligned} | w_{tt'} \rangle= & {} \sqrt{\lambda _+/2}| E^+_{(tt')} \rangle +\mathrm{sgn}(t'-t)\sqrt{\lambda _-/2}| E^-_{(tt')} \rangle \end{aligned}$$
(54)
$$\begin{aligned} \langle w_{tt'} | w_{tt'} \rangle= & {} (\lambda _+ + \lambda _-)/2. \end{aligned}$$
(55)

The following properties hold (\(t\ne t'\))

$$\begin{aligned}&\langle w_{tt} | w_{tt'} \rangle =0 ,\quad \langle w_{tt} | w_{t't} \rangle =0 \end{aligned}$$
(56)
$$\begin{aligned}&\quad \langle w_{tt} | w_{t't'} \rangle =\frac{\lambda _0-\lambda _1}{d} , \quad \langle w_{tt'} | w_{t't} \rangle =\frac{\lambda _+ - \lambda _-}{2}. \end{aligned}$$
(57)

We get

$$\begin{aligned} \cos 2\alpha = 1-\frac{d \lambda _1}{\lambda _0+(d-1)\lambda _1} , \quad \cos 2\varphi = 1-\frac{2\lambda _-}{\lambda _++\lambda _-} \end{aligned}$$
(58)

After some tedious algebra, the result (50) follows. \(\square \)

Note that the \(\sigma ^{rk}_0\) and \(\sigma ^{rk}_1\) have the same set of eigenvalues: \(2(d-2)\) times \(\xi _0\), and once \(\xi _1\) and \(\xi _2\).

Corollary 1

It holds that

$$\begin{aligned} \frac{\sigma ^{rk}_0+\sigma ^{rk}_1}{2}= & {} \sum _{\begin{array}{c} t\in \{0,\ldots ,d-1\}\\ t\ne k,t\ne k+r \end{array}} \xi _0\cdot \Big ( \frac{| w_{tk} \rangle \langle w_{tk} |}{\langle w_{tk} | w_{tk} \rangle } + \frac{| w_{t,k+r} \rangle \langle w_{t,k+r} |}{\langle w_{t,k+r} | w_{t,k+r} \rangle } \Big ) \\&+\,\left( \xi _2-{\textstyle \frac{d}{2}}\lambda _+\right) | A \rangle \langle A |+{\textstyle \frac{d}{2}}\lambda _+| C \rangle \langle C |\\&+(\xi _1-{\textstyle \frac{d}{2}}\lambda _-)| B \rangle \langle B |+ {\textstyle \frac{d}{2}}\lambda _-| D \rangle \langle D |. \end{aligned}$$

Proof

It follows directly from Theorem 4 by discarding the terms in (50) that contain \((-1)^{s'}\) (the AC and BD crossterms). \(\square \)

Corollary 2

The difference between \(\sigma ^{rk}_0\) and \(\sigma ^{rk}_1\) can be written as

$$\begin{aligned} \frac{\sigma ^{rk}_0-\sigma ^{rk}_1}{2}= & {} \frac{1}{2}\sqrt{d\lambda _+}\sqrt{d\lambda _- + 2(1-\beta ) -\frac{d^2}{2}(\lambda _++\lambda _-)}\Big (| A \rangle \langle C |+| C \rangle \langle A |\Big )\nonumber \\&-\, \frac{1}{2}\sqrt{d\lambda _-}\sqrt{d\lambda _++2\beta -\frac{d^2}{2}(\lambda _++\lambda _-)}\Big (| B \rangle \langle D |+| D \rangle \langle B |\Big ). \end{aligned}$$
(59)

Proof

Using Theorem 4, we see everything except the AC and BD crossterms cancel from (50). \(\square \)

9 Statistical distance; proof of Theorem 1

Now that we have described Eve’s most general allowed state and how it is connected to Alice’s secret bit \(s'\), it is finally time to prove Theorem 1.

Let \(r_i\) be the ‘r’-value in round i and similarly \(k_i\), \(s_i'\). We use the notation \(\mathbf{r}=(r_1,\ldots ,r_n)\), \(\mathbf{k}=(k_1,\ldots ,k_n)\). Let \(x=(s_1',\ldots ,s_n')\). Let \(z\in \{0,1\} ^\ell \) be the QKD key obtained by applying privacy amplification to x, i.e. \(z=\texttt {Ext}(x,u)\), where \(\texttt {Ext}\) is a universal hash function (UHF) and \(u\in {{\mathcal {U}}}\) is public randomness. We write \({{\mathbb {E}}}_u[\cdots ]={\textstyle \frac{1}{|{{\mathcal {U}}}|}}\sum _u(\cdots )\) and \({{\mathbb {E}}}_x[\cdots ]=2^{-n}\sum _{x\in \{0,1\} ^n}(\cdots )\). At given \((\mathbf{r},\mathbf{k})\), the quantum-classical state describing Z, U and Eve’s system ‘E’ is given by

$$\begin{aligned} \rho ^{\mathrm{ZUE}}(\mathbf r,\mathbf k)= & {} \sum _{z}{{\mathbb {E}}}_u| zu \rangle \langle zu |\otimes {{\mathbb {E}}}_x \delta _{z,\texttt {Ext}(u,x)}\bigotimes _{i=1}^n \sigma ^{r_ik_i}_{x_i}. \end{aligned}$$
(60)

The state of the ‘Z’ and ‘UE’ subsystems is

$$\begin{aligned} \rho ^{\mathrm{Z}}(\mathbf{r},\mathbf{k})= & {} \mathrm{tr}\,_{\mathrm{UE}}\rho ^{\mathrm{ZUE}}(\mathbf{r},\mathbf{k}) = 2^{-\ell }\sum _z| z \rangle \langle z | \end{aligned}$$
(61)
$$\begin{aligned} \rho ^{\mathrm{UE}}(\mathbf{r},\mathbf{k})= & {} \mathrm{tr}\,_{\mathrm{Z}}\rho ^{\mathrm{ZUE}}(\mathbf{r},\mathbf{k}) = {{\mathbb {E}}}_u | u \rangle \langle u |\otimes \omega _{\mathrm{av}}(\mathbf{r},\mathbf{k}) \end{aligned}$$
(62)
$$\begin{aligned} \omega _{\mathrm{av}}(\mathbf{r},\mathbf{k})&{\mathop {=}\limits ^{\mathrm{def}}}&\bigotimes _{i=1}^n \frac{\sigma ^{r_ik_i}_0+\sigma ^{r_ik_i}_1}{2}. \end{aligned}$$
(63)

Note that \(\omega _{\mathrm{av}}\) does not depend on \(u\). For notational brevity, we stop explicitly mentioning the \((\mathbf{r},\mathbf{k})\) dependence from this point on. From (60)–(62), we get

$$\begin{aligned}&\rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} = 2^{-\ell }\sum _z {{\mathbb {E}}}_u | zu \rangle \langle zu | \otimes \Big \{ 2^\ell {{\mathbb {E}}}_x\delta _{z,\texttt {Ext}(u,x)}\bigotimes _{i=1}^n \sigma ^{r_ik_i}_{x_i} -\omega _{\mathrm{av}} \Big \} \end{aligned}$$
(64)
$$\begin{aligned}&\quad {\mathop {=}\limits ^{\mathrm{def}}}2^{-\ell }\sum _z {{\mathbb {E}}}_u | zu \rangle \langle zu |\otimes {\varDelta }_{zu}. \end{aligned}$$
(65)

Because of the zu block structure, we have

$$\begin{aligned} \Vert \rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} \Vert _1 = 2^{-\ell }\sum _z {{\mathbb {E}}}_u \Vert {\varDelta }_{zu}\Vert _1. \end{aligned}$$
(66)

Lemma 7

It holds that

$$\begin{aligned} 2^{-\ell }\sum _z{{\mathbb {E}}}_{u}\Vert {\varDelta }_{zu} \Vert _1 \le \mathrm{tr}\,\sqrt{2^{-\ell }\sum _z{{\mathbb {E}}}_{u}{\varDelta }_{zu}^2}. \end{aligned}$$
(67)

Proof

\(2^{-\ell }\sum _z{{\mathbb {E}}}_{u}\Vert {\varDelta }_{zu} \Vert _1=2^{-\ell }\sum _z{{\mathbb {E}}}_{u}\mathrm{tr}\,\sqrt{{\varDelta }_{zu}^2}\) \(=\mathrm{tr}\,2^{-\ell }\sum _z{{\mathbb {E}}}_{u}\sqrt{{\varDelta }_{zu}^2}\). We apply Jensen’s inequality for operator concave functions. \(\square \)

Lemma 8

It holds that

$$\begin{aligned} 2^{-\ell }\sum _z{{\mathbb {E}}}_{u}{\varDelta }_{zu}^2 = \frac{2^\ell -1}{2^n}\bigotimes _{i=1}^n \frac{(\sigma ^{r_i k_i}_0)^2+(\sigma ^{r_i k_i}_1)^2}{2}. \end{aligned}$$
(68)

Proof

From the definition of \({\varDelta }_{zu}\) and \(\omega _{\mathrm{av}}\), we get

$$\begin{aligned} 2^{-\ell }\sum _z{{\mathbb {E}}}_{u}{\varDelta }_{zu}^2= & {} \frac{2^{\ell }}{2^{2n}}\sum _{xyz}{{\mathbb {E}}}_{u}\delta _{z,\texttt {Ext}(x,u)}\delta _{z,\texttt {Ext}(y,u)} \bigotimes _{i=1}^n \sigma ^{r_i k_i}_{x_i}\sigma ^{r_i k_i}_{y_i} +\omega _{\mathrm{av}}^2 \nonumber \\&-\,\omega _{\mathrm{av}}\frac{1}{2^n}\sum _{xz}{{\mathbb {E}}}_{u}\delta _{z,\texttt {Ext}(x,u)}\bigotimes _{i=1}^n\sigma ^{r_i k_i}_{x_i} \nonumber \\&-\,\Big (\frac{1}{2^n}\sum _{xz}{{\mathbb {E}}}_{u}\delta _{z,\texttt {Ext}(x,u)}\bigotimes _{i=1}^n\sigma ^{r_i k_i}_{x_i}\Big )\omega _{\mathrm{av}}. \end{aligned}$$
(69)

We split the \(\sum _{xy}\) sum into a sum with \(y=x\) and a sum with \(y\ne x\). Then we use \(\sum _z \delta _{z,\texttt {Ext}(x,u)}=1\) and \(\sum _z {{\mathbb {E}}}_u\delta _{z,\texttt {Ext}(x,u)}\delta _{z,\texttt {Ext}(y,u)}=2^{-\ell }\) for \(y\ne x\). The latter is the defining property of UHFs. Then, we rewrite \(\sum _{xy:\,y\ne x}\) as \(\sum _{xy}-\sum _{xy}\delta _{xy}\). Finally, after applying \(2^{-n}\sum _x\bigotimes _i \sigma ^{r_i k_i}_{x_i}=\omega _{\mathrm{av}}\), most of the terms cancel and (68) is what remains. \(\square \)

Lemma 9

It holds that

$$\begin{aligned} \frac{(\sigma ^{r k}_0)^2+(\sigma ^{r k}_1)^2}{2}= & {} \sum _{\begin{array}{c} t\in \{0,\ldots ,d-1\}\\ t\ne k,t\ne \ell \end{array}} \xi _0^2 \Big ( \frac{| w_{tk} \rangle \langle w_{tk} |}{\langle w_{tk} | w_{tk} \rangle } + \frac{| w_{t\ell } \rangle \langle w_{t\ell } |}{\langle w_{t\ell } | w_{t\ell } \rangle } \Big ) +\xi _1(\xi _1-{\textstyle \frac{d}{2}}\lambda _-) | B \rangle \langle B | \\&+\,\xi _1{\textstyle \frac{d}{2}} \lambda _-| D \rangle \langle D | +\xi _2(\xi _2-{\textstyle \frac{d}{2}}\lambda _+)| A \rangle \langle A | +\xi _2{\textstyle \frac{d}{2}} \lambda _+ | C \rangle \langle C | \end{aligned}$$

with \(\xi _0,\xi _1,\xi _2\) as defined in Theorem 4.

Proof

It follows directly from Theorem 4. \(\square \)

Lemma 10

The statistical distance between the real and decoupled state can be bounded as

$$\begin{aligned}&{\textstyle \frac{1}{2}}\Vert \rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} \Vert _1 < {\textstyle \frac{1}{2}}\sqrt{2^{\ell -n}}T^n \end{aligned}$$
(70)
$$\begin{aligned}&\quad T {\mathop {=}\limits ^{\mathrm{def}}}2(d-2)\xi _0+\sqrt{\xi _2\left( \xi _2-{\textstyle \frac{d}{2}}\lambda _+\right) }+\sqrt{\xi _2{\textstyle \frac{d}{2}}\lambda _+} \nonumber \\&\qquad +\,\sqrt{\xi _1\left( \xi _1-{\textstyle \frac{d}{2}}\lambda _-\right) }+\sqrt{\xi _1{\textstyle \frac{d}{2}}\lambda _-}. \end{aligned}$$
(71)

Proof

Substitution of Lemma 8 into Lemma 7 gives \(\Vert \rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} \Vert _1\) \(\le \sqrt{\frac{2^\ell -1}{2^n}}\prod _{i=1}^n \mathrm{tr}\,\sqrt{\frac{(\sigma ^{r_i k_i}_0)^2+(\sigma ^{r_i k_i}_1)^2}{2}}\). The trace does not depend on the actual value of \(r_i\) and \(k_i\). We define \(T=\mathrm{tr}\,\sqrt{(\sigma ^{r k}_0)^2+(\sigma ^{r k}_1)^2}/\sqrt{2}\) for arbitrary \(r,k\). From Lemma 9, we obtain (71). Finally, we use \(2^\ell -1<2^\ell \). \(\square \)

Remark

We are able to derive a tight bound because the expression \(\mathrm{tr}\,\sqrt{\sigma _0^2+\sigma _1^2}\) is easy to compute without applying any inequalities.

Since Eve is still free to choose the parameters \(\mu \) and V (or, equivalently, \(\lambda _+\) and \(\lambda _-\)), she can choose them such that the trace distance is maximized.

Theorem 5

Eve’s choice that maximizes \(\Vert \rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} \Vert _1\) is given by

$$\begin{aligned} \beta \le \beta _*&: \quad&T = 2\beta +\sqrt{1-2\beta }\Big [\sqrt{1-2\beta \frac{d-1}{d-2}}+\frac{\sqrt{2\beta }}{\sqrt{d-2}}\Big ] \end{aligned}$$
(72)
$$\begin{aligned}&\text{ at } \lambda _-=0, \quad \lambda _+=\frac{4\beta }{d(d-2)} \end{aligned}$$
(73)
$$\begin{aligned} \beta \ge \beta _*&:\quad&T=2\beta _*+\sqrt{1-2\beta _*}\Big [\sqrt{1-2\beta _*\frac{d-1}{d-2}}+\frac{\sqrt{2\beta _*}}{\sqrt{d-2}}\Big ] \end{aligned}$$
(74)
$$\begin{aligned}&\text{ at } \lambda _-=\frac{4\beta _*(\beta -\beta _*)}{d(d-2)(1-2\beta _*)},\;\;\; \lambda _+= \frac{4\beta _*(1-\beta -\beta _*)}{d(d-2)(1-2\beta _*)}. \end{aligned}$$
(75)

Here, \(\beta _*\) is a saturation value that depends on d as follows,

$$\begin{aligned} \beta _* = \frac{x_d/2}{1+x_d}, \end{aligned}$$
(76)

where \(x_d\) is the solution on (0, 1) of the equation

$$\begin{aligned} \left( 1-\frac{x}{d-2}\right) ^{\frac{1}{2}}+ \frac{d-1}{d-2}\left( 1-\frac{x}{d-2}\right) ^{-\frac{1}{2}} +\frac{1}{\sqrt{d-2}}\left( \sqrt{x}-\frac{1}{\sqrt{x}}\right) -2=0. \end{aligned}$$
(77)

Proof

We start from (71). At \(\beta ={\textstyle \frac{1}{2}}\), the expression for T is symmetric in \(\lambda _+\) and \(\lambda _-\). Hence, the overall maximum achievable at any \(\beta \) lies at \(\lambda _+=\lambda _-=\frac{q}{d(d-2)}\) for some as yet unknown q. We have

$$\begin{aligned} T^{\beta ={\textstyle \frac{1}{2}}}_{\mathrm{max}}= \zeta (q,d) {\mathop {=}\limits ^{\mathrm{def}}}q +\sqrt{1-q}\Big (\sqrt{1-\frac{d-1}{d-2}q}+\frac{\sqrt{q}}{\sqrt{d-2}}\Big ). \end{aligned}$$
(78)

On the other hand, we note that substitution of (73) into (71) yields (72), which is precisely of the form \(\zeta (q,d)\) if we identify \(2\beta \equiv q\). Hence, at some \(\beta <{\textstyle \frac{1}{2}}\) it is already possible to achieve \(T=T^{\beta =1/2}_{\mathrm{max}}\), i.e. we have saturation. We note that substitution of (75) into (71) yields (74). The saturation value \(\beta _*\) is found by solving \(\partial \zeta (2\beta ,d)/\partial \beta =0\); after some simplification, this equation can be rewritten as (77) by setting \(x=2\beta /(1-2\beta )\) (see Footnote 6). \(\square \)

The upper bound on the amount of information that Eve has about \(S'\) is \(2 \log T\). This is a concave function of \(\beta \) (see Fig. 3). Hence, there is no advantage for Eve to cause different error rates in different rounds. For Eve, it is optimal to cause error rate \(\beta \) in every round.

This concludes the proof of Theorem 1.

The optimal \(\lambda _+,\lambda _-\) are plotted in Fig. 5 (“Appendix B”). The expression \(2\log T\) is plotted in Fig. 3.

Fig. 3. Leakage \(2\log T\) as a function of the bit error rate for \(d=5\), \(d=10\) and \(d=15\). (This does not include the post-selection term.) A dot indicates the saturation point \(\beta _{*}\).

Lemma 11

The large-d asymptotics of the saturation value \(\beta _*\) is given by

$$\begin{aligned} \beta _* = \frac{1}{4}-\frac{1}{8\sqrt{d-2}}-{{\mathcal {O}}}\left( \frac{1}{(d-2)^{3/2}}\right) , \end{aligned}$$
(79)

which yields

$$\begin{aligned} T= & {} 1+ \frac{1}{2\sqrt{d-2}}-{{\mathcal {O}}}\left( \frac{1}{d-2}\right) \end{aligned}$$
(80)
$$\begin{aligned} \Vert \rho ^{\mathrm{ZUE}}-\rho ^{\mathrm{Z}}\otimes \rho ^{\mathrm{UE}} \Vert _1\le & {} 2^{-{\textstyle \frac{1}{2}}n[1-\frac{1}{\sqrt{d-2}\ln 2}+{{\mathcal {O}}}\left( \frac{1}{d-2}\right) -\frac{\ell }{n}]}. \end{aligned}$$
(81)

Proof

We set \(x_d=1-1/\sqrt{d-2}+a/(d-2)\), where a is supposedly of order 1, and substitute this into (77). This yields \(a={\textstyle \frac{1}{2}}+{{\mathcal {O}}}(1/\sqrt{d-2})\), which is indeed of order 1. Substitution of \(x_d\) into (76) gives (79), and substitution of \(\beta _*\) into (74) gives (80). Finally, substitution of (80) into Lemma 10 yields (81). \(\square \)

10 Von Neumann entropy; Proof of Theorem 2

Using smooth Rényi entropies, it was shown in [12] that, in the large n limit, the von Neumann leakage per qubit is the relevant quantity for determining the required amount of PA (Footnote 7). We denote the leakage from Alice to Eve, in terms of von Neumann entropy, as \(I_{\mathrm{AE}}\). It is given by

$$\begin{aligned} I_{\mathrm{AE}}= & {} S(\sigma ^{RK}_{S'}|RK)- S(\sigma ^{RK}_{S'}|RKS') \nonumber \\= & {} {{\mathbb {E}}}_{rk}[ S(\sigma ^{rk}_{S'})- S(\sigma ^{rk}_{S'}|S') ] \nonumber \\= & {} {{\mathbb {E}}}_{rk}\left[ S(\frac{\sigma ^{rk}_0+\sigma ^{rk}_1}{2})-\frac{S(\sigma ^{rk}_0)+S(\sigma ^{rk}_1)}{2} \right] \nonumber \\= & {} S\Big (\frac{\sigma ^{rk}_0+\sigma ^{rk}_1}{2}\Big )-\frac{S(\sigma ^{rk}_0)+S(\sigma ^{rk}_1)}{2} \quad r,k \text{ arbitrary }. \end{aligned}$$
(82)

In the last line, we used that the eigenvalues of \(\sigma ^{rk}_{s'}\) and \(\sigma ^{rk}_0+\sigma ^{rk}_1\) do not actually depend on r and k. Again \(\lambda _+\) and \(\lambda _-\) can be optimized to Eve’s advantage.

Theorem 6

Eve’s choice that maximizes the von Neumann leakage is given by

$$\begin{aligned} \beta \le \beta _0&:\quad&I_{\mathrm{AE}}= (1-2\beta )h(\frac{1}{d-2}\cdot \frac{2\beta }{1-2\beta }) \end{aligned}$$
(83)
$$\begin{aligned}&\mathrm{at}\;\; \lambda _-=0,\;\;\; \lambda _+=\frac{4\beta }{d(d-2)} \end{aligned}$$
(84)
$$\begin{aligned} \beta \ge \beta _0&: \quad&I_{\mathrm{AE}}=(1-2\beta _0)h(\frac{1}{d-2}\cdot \frac{2\beta _0}{1-2\beta _0}) \end{aligned}$$
(85)
$$\begin{aligned}&\mathrm{at}\;\; \lambda _-=\frac{4\beta _0(\beta -\beta _0)}{d(d-2)(1-2\beta _0)},\;\;\; \lambda _+= \frac{4\beta _0(1-\beta -\beta _0)}{d(d-2)(1-2\beta _0)}. \end{aligned}$$
(86)

Here, \(\beta _0\) is a saturation value that depends on d as follows,

$$\begin{aligned} \beta _0=\frac{1}{2}\Big [1+\frac{1}{(d-2)(1-y_d)}\Big ]^{-1}, \end{aligned}$$
(87)

where \(y_d\) is the unique positive root of the polynomial \(y^{d-1}+y-1\).

Proof

We start from (82). We note that the eigenvalue set of \((\sigma ^{rk}_0+\sigma ^{rk}_1)/2\) largely coincides with that of \(\sigma ^{rk}_0\) and \(\sigma ^{rk}_1\) (Theorem 4 and Corollary 1). What remains of (82) comes entirely from the \(| A \rangle ,| B \rangle ,| C \rangle ,| D \rangle \) subspace,

$$\begin{aligned} I_{\mathrm{AE}}= & {} \xi _1\log \xi _1 +\xi _2\log \xi _2 -\left( \xi _2-{\textstyle \frac{d}{2}}\lambda _+\right) \log \left( \xi _2-{\textstyle \frac{d}{2}}\lambda _+\right) -{\textstyle \frac{d}{2}}\lambda _+\log \left( {\textstyle \frac{d}{2}}\lambda _+\right) \nonumber \\&-\,\left( \xi _1-{\textstyle \frac{d}{2}}\lambda _-\right) \log \left( \xi _1-{\textstyle \frac{d}{2}}\lambda _-\right) -{\textstyle \frac{d}{2}}\lambda _-\log \left( {\textstyle \frac{d}{2}}\lambda _-\right) \nonumber \\= & {} \xi _1 h\left( \frac{d}{2}\cdot \frac{\lambda _-}{\xi _1}\right) + \xi _2 h\left( \frac{d}{2}\cdot \frac{\lambda _+}{\xi _2}\right) . \end{aligned}$$
(88)

We note that (88) is invariant under the transformation \((\beta \rightarrow 1-\beta ; \lambda _+\leftrightarrow \lambda _-)\). At \(\beta =1/2\), we must hence have \(\lambda _+=\lambda _-=\lambda \).

$$\begin{aligned} I_{\mathrm{AE}}^{\beta ={\textstyle \frac{1}{2}}}=g(d,\lambda ) {\mathop {=}\limits ^{\mathrm{def}}}[1-d(d-2)\lambda ]\cdot h\Big (\frac{d\lambda }{1-d(d-2)\lambda }\Big ). \end{aligned}$$
(89)

At \(\beta ={\textstyle \frac{1}{2}}\), the largest leakage that Eve can cause is \(\max _\lambda g(d,\lambda )=g(d,\lambda _*)\) (Footnote 8). Next we note that substitution of (86) into (88) yields (85); this has the same form as \(g(d,\lambda )\) (89) if we make the identification \(\lambda d(d-2)=2\beta _0\). Moreover, by setting \(\beta _0={\textstyle \frac{1}{2}} \lambda _* d(d-2)\), Eve achieves the overall maximum leakage \(g(d,\lambda _*)\) already at a value of \(\beta \) smaller than \({\textstyle \frac{1}{2}}\). Since the maximum leakage cannot decrease with \(\beta \), this implies that the maximum leakage saturates at \(\beta =\beta _0\) and stays constant at \(I_{\mathrm{AE}}^{\mathrm{max}}(\beta )=g(d,\lambda _*)\) on the interval \(\beta \in [\beta _0,{\textstyle \frac{1}{2}}]\). The value \(g(d,\lambda _*)\) precisely equals (85). Next we determine the value of \(\beta _0\). Demanding \(\partial g(d,\lambda )/\partial \lambda =0\) at \(\lambda =\lambda _*\) yields

$$\begin{aligned} \log \frac{[1-d(d-1)\lambda _*]^{d-1}}{[1-d(d-2)\lambda _*]^{d-2}\lambda _* d}=0. \end{aligned}$$
(90)

This is equivalent to the polynomial equation \(y^{d-1}+y-1=0\) with \(y\in [0,1]\) if we make the identification \(y=1-\frac{\lambda _* d}{1-\lambda _* d(d-2)}=\frac{1-\lambda _* d(d-1)}{1-\lambda _* d(d-2)}\). (It is readily seen that \(\lambda _*\in [0,{\textstyle \frac{1}{d(d-1)}}]\) implies \(y\in [0,1]\).) This precisely matches (87), because of the optimal choice \(\beta _0={\textstyle \frac{1}{2}} \lambda _* d(d-2)\). By Descartes’ rule of signs, the function \(y^{d-1}+y-1\) has exactly one positive root.

When \(\beta \) is decreased below \(\beta _0\), the location \((\lambda _-,\lambda _+)\) of the maximum of the stationary point of \(I_{\mathrm{AE}}\) leaves the ‘allowed’ triangular region; this happens at a corner of the triangle, \(\lambda _-=0\), \(\lambda _+=\frac{4\beta }{d(d-2)}\). For \(\beta <\beta _0\), this corner yields the highest achievable leakage. Substitution of (84) into (88) yields (83). \(\square \)

This concludes the proof of Theorem 2.

Note that the leakage \(I_{\mathrm{AE}}\) is a concave function of \(\beta \). Hence, it is optimal for Eve to cause error rate \(\beta \) in every round.

Remark

From \(y> 0\) and (87), it follows that \(\beta _0<\frac{1}{2}\cdot \frac{d-2}{d-1}\).

Figure 4 shows the von Neumann leakage for three values of d. The optimal \(\lambda _+\),\(\lambda _-\) are plotted in Fig. 5 (“Appendix B”).

Fig. 4. Leakage \(I_{\mathrm{AE}}\) in terms of von Neumann entropy (Theorem 2) as a function of the bit error rate, for \(d=5\), \(d=10\) and \(d=15\). A dot indicates the saturation point \(\beta _{0}\).

Lemma 12

The large-d asymptotics of \(I_{\mathrm{AE}}\) is given by

$$\begin{aligned}&\beta \le \beta _0 : I_{\mathrm{AE}}=\frac{2\beta }{d-2}\log \frac{(d-2)(1-2\beta )e}{2\beta }+{{\mathcal {O}}}(d^{-2}), \end{aligned}$$
(91)
$$\begin{aligned}&\quad \beta \ge \beta _0 : I_{\mathrm{AE}}=\frac{\log d}{d} +{{\mathcal {O}}}\left( \frac{\log \log d}{d}\right) . \end{aligned}$$
(92)

Proof

The result for \(\beta <\beta _0\) follows by doing a series expansion of (83) in the small parameter \(1/(d-2)\). For \(\beta >\beta _0\), we study the equation \(y^{d-1}=1-y\). Let us try a solution of the form \(y=1-\frac{\ln [(d-1)/\alpha ]}{d-1}\) for some unknown \(\alpha \). This yields \(\alpha \cdot \{(1-\frac{\ln [(d-1)/\alpha ]}{d-1})^{d-1}\frac{d-1}{\alpha }\}=\ln \frac{d-1}{\alpha }\). Using the fact that \(\lim _{n\rightarrow \infty }(1-x/n)^n=e^{-x}\), we see that the expression \(\{\cdots \}\) is close to 1 if it holds that \(\ln \frac{d-1}{\alpha }\ll d-1\), and that the equation is then satisfied by \(\alpha ={{\mathcal {O}}}(\ln d)\), which is indeed consistent with \(\ln \frac{d-1}{\alpha }\ll d-1\). Substituting \(\alpha ={{\mathcal {O}}}(\ln d)\) into the expression for y and then into (87) gives \(1-2\beta _0=\frac{1}{\ln d}+{{\mathcal {O}}}(\frac{\ln \ln d}{[\ln d]^2})\). Substituting this result for \(1-2\beta _0\) into (85) finally yields (92). \(\square \)
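The saturation points and leakage bounds above can be evaluated numerically when sizing privacy amplification. The following Python code is an added example, not code from the paper: it solves (77) and \(y^{d-1}+y-1=0\) by bisection, then evaluates (72)/(74), (83)/(85) and the rate \(1-h(\beta )-I_{\mathrm{AE}}\) quoted in the introduction. The function names, the bisection solver, base-2 logarithms (consistent with (81)) and the restriction \(d\ge 4\) are assumptions of this example.

```python
import math
# Assumptions of this added example: logs are base 2, d >= 4, 0 <= beta <= 1/2.

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    return 0.0 if p <= 0 or p >= 1 else -p*math.log2(p) - (1-p)*math.log2(1-p)

def bisect(f, lo, hi, iters=200):
    """Root of an increasing function f on [lo, hi] with f(lo) < 0 < f(hi)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if f(mid) < 0 else (lo, mid)
    return 0.5 * (lo + hi)

def beta_star(d):
    """Saturation point of T: solve (77) for x_d on (0, 1), then apply (76)."""
    m = d - 2
    f = lambda x: (math.sqrt(1 - x/m) + (d-1)/m / math.sqrt(1 - x/m)
                   + (math.sqrt(x) - 1/math.sqrt(x)) / math.sqrt(m) - 2)
    x_d = bisect(f, 1e-12, 1.0)
    return 0.5 * x_d / (1 + x_d)

def T(beta, d):
    """Eqs. (72)/(74): T grows with beta up to beta_*, then stays constant."""
    b = min(beta, beta_star(d))
    return 2*b + math.sqrt(1 - 2*b) * (math.sqrt(1 - 2*b*(d-1)/(d-2))
                                       + math.sqrt(2*b / (d-2)))

def beta_0(d):
    """Saturation point of I_AE: root y_d of y^(d-1) + y - 1, then (87)."""
    y_d = bisect(lambda y: y**(d-1) + y - 1, 0.0, 1.0)
    return 0.5 / (1 + 1 / ((d-2) * (1 - y_d)))

def I_AE(beta, d):
    """Eqs. (83)/(85): von Neumann leakage in bits, saturating at beta_0."""
    b = min(beta, beta_0(d))
    return (1 - 2*b) * h(2*b / ((d-2) * (1 - 2*b)))

def key_rate(beta, d):
    """Rate 1 - h(beta) - I_AE, as stated in the introduction."""
    return 1 - h(beta) - I_AE(beta, d)

if __name__ == "__main__":
    for d in (5, 10, 15):                # dimensions plotted in Figs. 3 and 4
        for beta in (0.02, 0.10, 0.30):  # constructed sample error rates
            print(d, beta, round(2*math.log2(T(beta, d)), 4),
                  round(I_AE(beta, d), 4), round(key_rate(beta, d), 4))
```

Because \(y_d^{d-1}=1-y_d\), combining (85) with (87) reduces the saturated leakage to \(-\log y_d\), which gives a quick consistency check on any implementation of Theorem 6.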

11 Discussion

We remark on the optimal attack. The \({\bar{\rho }}^{\mathrm{AB}}\) mixed state allowed by the noise constraint has two degrees of freedom, \(\mu \) and V. While this is more than the zero degrees of freedom in the case of qubit-based QKD [12], it is still a small number, given the dimension \(d^2\) of the Hilbert space.

Eve’s attack has an interesting structure. Eve entangles her ancilla with Bob’s qudit. Bob’s measurement affects Eve’s state. When Bob reveals rk, Eve knows which four-dimensional subspace is relevant. However, the basis state \(| k \rangle \) in Bob’s qudit is coupled to \(| A^a_k \rangle \) in Eve’s space (see “Appendix A”), which is spanned by \(d-1\) different basis vectors \(| E^+_{(kt')} \rangle \) (Eq. 96 with \(\lambda _1=0\), \(\lambda _-=0\)), each carrying different phase information \(a_k\oplus a_{t'}\). Only one out of \(d-1\) carries the information she needs, and she cannot select which one to read out. Eve’s problem is aggravated by the fact that the \(| A^a_t \rangle \) vectors are not orthogonal (except at \(\beta ={\textstyle \frac{1}{2}}\)). Note that this entanglement-based attack is far more powerful than the intercept–resend attack studied in [17].