Optimal attacks on qubit-based Quantum Key Recycling

Quantum Key Recycling (QKR) is a quantum-cryptographic primitive that allows one to re-use keys in an unconditionally secure way. By removing the need to repeatedly generate new keys it improves communication efficiency. Škorić and de Vries recently proposed a QKR scheme based on 8-state encoding (four bases). It does not require quantum computers for encryption/decryption but only single-qubit operations. We provide a missing ingredient in the security analysis of this scheme in the case of noisy channels: accurate bounds on the privacy amplification. We determine optimal attacks against the message and against the key, for 8-state encoding as well as 4-state and 6-state conjugate coding. We show that the Shannon entropy analysis for 8-state encoding reduces to the analysis of Quantum Key Distribution, whereas 4-state and 6-state suffer from additional leaks that make them less effective. We also provide results in terms of the min-entropy. Overall, 8-state encoding yields the highest capacity.


Quantum Key Recycling
Quantum communication differs significantly from classical communication. On a classical channel it is trivial to read and copy all messages. On a quantum channel, on the other hand, any form of eavesdropping is detectable. This fact has been exploited by cryptographers since the 1980s, most notably by the introduction of Quantum Key Distribution (QKD). However, even before the invention of BB84 another concept was studied: information-theoretically secure re-use of encryption keys. If Bob detects no disturbance on the quantum channel, it may be safe to reuse the encryption key, in stark contrast to e.g. One Time Pad (OTP) encryption on a classical channel. This idea was proposed in the paper "Quantum Cryptography II: How to re-use a one-time pad safely even if P = NP" [1] by Bennett, Brassard and Breidbart in 1982. However, after the discovery of QKD the idea of Quantum Key Recycling (QKR) received very little attention for several decades. The thread was picked up again in 2003 by Gottesman [2] and in 2005 by Damgård, Pedersen and Salvail [3,4]. Gottesman's Unclonable Encryption offers a limited reusability of key material. Damgård et al. introduced a full key re-use scheme based on mutually unbiased bases in high-dimensional Hilbert space. A drawback of their scheme is that it requires a quantum computer to perform encryption and decryption. In 2016 Fehr and Salvail [5] and Škorić and de Vries [6] returned to qubit-based schemes that do not require a quantum computer. Fehr and Salvail [5] used BB84 states and introduced a new proof technique. Their scheme is provably secure when there is very little channel noise. Škorić and de Vries [6] showed that it is advantageous to switch from 4-state conjugate coding to 8-state encoding, and that 8-state encoding is equivalent to applying the Quantum One Time Pad (QOTP) [7,8,9]. Their scheme is designed to work at similar noise levels as QKD.
The proof technique of [5] can be directly applied to it, but needs an accurate bound on the required amount of privacy amplification, which was provided only for the noiseless case. The long neglect of QKR is undeserved. In a QKD-equipped world, QKR has an important role to play. The process of repeatedly generating new QKD keys and then using them up with classical OTP encryption is very wasteful of bandwidth. One QKD instance followed by repeated QKR runs is more communication-efficient.

Contributions and outline
• We determine optimal attacks against individual qubits in qubit-based QKR, such that Eve introduces channel noise parametrised by the bit error rate β. We apply the standard Shor-Preskill technique [10] to reformulate state preparation as a measurement on an EPR state. We apply noise symmetrisation [11] to Alice and Bob's noisy EPR state, followed by purification to obtain a worst-case description of Eve's ancilla state. We find optimal POVM measurements by which Eve extracts from her ancilla information about the plaintext, as well as POVMs for attacking the key in the known-plaintext setting. We obtain POVMs for Shannon entropy as well as min-entropy.
• From the optimal POVMs we determine how much privacy amplification is needed: this is dictated by the most powerful attack. We find that it depends on β which attack 'wins'.
  – Shannon entropy. For 4-state and 6-state encoding, the winning attack at low β is Eve stealing all qubits and performing a measurement to estimate the plaintext. At larger β, Eve collects ancillas from many QKR rounds and then performs a measurement on all the ancillas that are protected by the same basis key; we show that this attack is (asymptotically) as powerful as the optimal qubit-wise attack on QKD [12]. For 8-state encoding, the QKD-like attack is always the winning one.
The QKR channel capacity of 4-state encoding is always below 6-state. 8 Overall, 8-state encoding requires the least privacy amplification.
• We notice a duality relation in the optimal POVMs for the known-plaintext attack on the key. It turns out that the POVMs which minimise Eve's Shannon entropy are in a sense 'dual' to the POVMs associated with the min-entropy: The min-entropy-POVM for plaintext x is the Shannon-entropy-POVM for plaintext 1 − x. It would be very useful if such dualities hold more generally. While there exists a simple test [13] to check if a POVM is optimal for min-entropy, there is no such test for Shannon entropy.
• As a byproduct of our analysis we find a particularly easy and insightful way to derive the QKD capacity in a scenario where Alice adds artificial preprocessing noise. By identifying conditional channels in Eve's mixed state we are able to simplify the results of [14]. The noise-adding trick can be applied in QKR in exactly the same way as in QKD.
In Section 2 we introduce notation, and briefly recap 8-state QKR. In Section 3 we go to the EPR version of the protocol, apply noise symmetrisation and obtain Eve's state by purification. Attacks on the plaintext are described in Section 4, and known-plaintext attacks on the key in Section 5. We aggregate all the results in Section 6 and we determine the QKR capacities. Insertion of artificial noise is discussed in Section 7.

Notation and terminology
Classical Random Variables (RVs) are denoted with capital letters, and their realisations with lowercase letters. The probability that a RV $X$ takes value $x$ is written as $\Pr[X = x]$. The expectation with respect to RV $X$ is denoted as $\mathbb{E}_x f(x) = \sum_{x\in\mathcal{X}} \Pr[X = x] f(x)$. The Shannon entropy of an RV $X$ is written as $H(X)$. Sets are denoted in calligraphic font. The notation 'log' stands for the logarithm with base 2. The min-entropy of $X \in \mathcal{X}$ is $H_{\min}(X) = -\log \max_{x\in\mathcal{X}} \Pr[X = x]$, and the conditional min-entropy is $H_{\min}(X|Y) = -\log \mathbb{E}_y \max_{x\in\mathcal{X}} \Pr[X = x|Y = y]$. The notation $h$ stands for the binary entropy function $h(p) = p \log\frac{1}{p} + (1-p)\log\frac{1}{1-p}$. Sometimes we will write $h(\{p_1,\ldots,p_n\})$ meaning $\sum_i p_i \log\frac{1}{p_i}$. Bitwise XOR of binary strings is written as '⊕'. The inverse of a bit $b \in \{0,1\}$ is written as $\bar b = 1 - b$.

For quantum states we use Dirac notation, with the standard qubit basis states $|0\rangle$ and $|1\rangle$ represented as $\binom{1}{0}$ and $\binom{0}{1}$ respectively. The Pauli matrices are denoted as $\sigma_x, \sigma_y, \sigma_z$, and we write $\boldsymbol{\sigma} = (\sigma_x, \sigma_y, \sigma_z)$. The standard basis is the eigenbasis of $\sigma_z$, with $|0\rangle$ in the positive z-direction. We write $\mathbb{1}$ for the identity matrix. The notation 'tr' stands for trace. The Hermitian conjugate of an operator $A$ is written as $A^\dagger$. When $A$ is a complicated expression, we sometimes write $(A + \mathrm{h.c.})$ instead of $A + A^\dagger$. The complex conjugate of $z$ is denoted as $z^*$.

We use the Positive Operator Valued Measure (POVM) formalism. A POVM $\mathcal{M}$ consists of positive semidefinite operators, $\mathcal{M} = (M_x)_{x\in\mathcal{X}}$, $M_x \geq 0$, and satisfies the condition $\sum_x M_x = \mathbb{1}$. The notation $\mathcal{M}(\rho)$ stands for the classical RV resulting when $\mathcal{M}$ is applied to mixed state $\rho$. Consider a bipartite system 'AB' where the 'A' part is classical, i.e. the state is of the form $\rho^{AB} = \mathbb{E}_{x\in\mathcal{X}} |x\rangle\langle x| \otimes \rho_x$ with the $|x\rangle$ forming an orthonormal basis. The min-entropy of the classical RV $X$ given part 'B' of the system is [15] Here $\mathcal{M}$ denotes a POVM. Let $\Lambda \stackrel{\rm def}{=} \sum_x \rho_x M_x$.
If a POVM can be found that satisfies the condition [13] $\forall_{x\in\mathcal{X}}$: then there can be no better POVM (but equally good ones may exist). For states that also depend on a classical RV $Y \in \mathcal{Y}$, the min-entropy of $X$ given the quantum state and $Y$ is A simple expression can be obtained when $X$ is a binary variable. Let $X \in \{0,1\}$. Then For the Shannon entropy of a classical RV given a quantum system we have If the ensemble $(\rho_x)_{x\in\mathcal{X}}$ has a symmetry, i.e. $\forall_{x\in\mathcal{X}, g\in G}$: $U_g \rho_x U_g^\dagger = \rho_{g(x)}$ for some group $G$ acting on $\mathcal{X}$, and unitary representation $U$ of $G$, then it suffices [13] to consider only POVMs that obey the same symmetry,

Eight-state Quantum Key Recycling
We briefly review the main properties of the 8-state QKR scheme ("scheme #2" in [6]). A classical bit $g \in \{0,1\}$ is encoded into a qubit state using one of four possible bases. The basis is labeled $b \in \{0,1,2,3\}$, and for convenience the notation $b = 2u + w$ is introduced, with $u, w \in \{0,1\}$. The labels $b$ and $(u,w)$ are used interchangeably. The encoding of $g$ in basis $(u,w)$ is expressed on the Bloch sphere as a unit vector i.e. the eight corner points of a cube. The corresponding states in Hilbert space are in the z-basis. The angle $\alpha$ is defined as $\cos\alpha = 1/\sqrt{3}$. The four states $|\psi_{uwg}\rangle$, for fixed $g$, are the Quantum One-Time Pad (QOTP) encryptions of $|\psi_{00g}\rangle$. The bit error rate (BER) on the quantum channel is denoted as $\beta \in [0, \frac{1}{2}]$.

The key recycling scheme makes use of a Secure Sketch $S: \{0,1\}^n \to \{0,1\}^a$, with $a > nh(\beta)$. (Asymptotically $a$ approaches $nh(\beta)$.) Furthermore the scheme uses an extractor Ext : {0, 1}^n → {0, 1} and a message-independent, key-private [5] MAC function that produces a tag of length $\lambda$. The message is µ ∈ {0, 1} . The key material shared between Alice and Bob consists of three parts: a basis sequence $b \in \{0,1,2,3\}^n$, a MAC key $K_M$ and a classical OTP $K_{SS} \in \{0,1\}^a$ for protecting the secure sketch.

Encryption. Alice performs the following steps. Generate random $g \in \{0,1\}^n$. Compute $s = K_{SS} \oplus S(g)$ and $z = \mathrm{Ext}\, g$. Compute the ciphertext $c = \mu \oplus z$ and authentication tag $T = M(K_M, g||c||s)$. Prepare the quantum state $|\Psi\rangle = \bigotimes_{i=1}^{n} |\psi_{b_i g_i}\rangle$. Send $|\Psi\rangle$, $s$, $c$, $T$.

Decryption (Bob gets |Ψ , s , c , T ). Bob performs the following steps. Measure |Ψ in the $b$-basis. This yields g ∈ {0, 1}^n. Recover $\hat g$ from g and K_SS ⊕ s (by the syndrome decoding procedure of the Secure Sketch primitive). Compute $\hat z = \mathrm{Ext}\, \hat g$ and $\hat\mu$ = c ⊕ $\hat z$. Accept the message $\hat\mu$ if the syndrome decoding succeeded and T = M(K_M, $\hat g$||c ||s ). Communicate Accept/Reject to Alice.

Key update. Alice and Bob perform the following actions. If Bob Accepts, replace $K_{SS}$. If Bob Rejects, replace $K_{SS}$ and compute the updated key b as a function of b and n fresh secret bits.

In case of Bob accepting the transmission, an -bit message has been communicated while only $a \approx nh(\beta)$ bits of key material have been spent. The aim of the current paper is to find out how large is allowed to be as a function of the noise parameter β.

EPR formulation, noise symmetrisation, and purification
Apart from QKR employing the 8-state (QOTP) encoding as described above, we also investigate 4-state (BB84) and 6-state conjugate coding. For the security analysis of qubit-based QKR we piggyback on (i) proof techniques [16] that use e.g. quantum de Finetti [17] to reduce the analysis to individual-qubit attacks; (ii) the proof technique for qubit-based QKR introduced in [5], which can directly be applied to the scheme of [6] provided that correct values are known for the required amount of privacy amplification as a function of the noise parameter β. We study optimal attacks against individual qubits, making use of the standard Shor-Preskill technique [10] and the noise symmetrisation technique introduced by [11].

EPR version of the QKR protocol
We follow the standard Shor-Preskill technique [10] and re-formulate the QKR protocol (Section 2.2) using EPR pairs. The step where Alice prepares the state $|\Psi\rangle$ and sends it to Bob is replaced by the following procedure. Alice prepares a two-qubit singlet state. She keeps one qubit ('A') and sends the other qubit ('B') to Bob. Eve is allowed to manipulate the whole 'AB' system in any way, including coupling to ancillas. Then Alice and Bob perform their projective measurements in the correct basis (basis $b_i$ for the $i$'th bit). Let the outcome of Alice's measurement be $x \in \{0,1\}$, and Bob's outcome $y \in \{0,1\}$. Alice sends $e = x \oplus g$ to Bob. Bob computes $\hat g = \bar y \oplus e$, which is guaranteed to equal $g$ if Eve has done nothing (β = 0). Security of this EPR-version of the protocol implies security of the original protocol.

Note that the above description is agnostic of the number of bases used in the encoding. We will use the notation $\mathcal{B}$ to denote the set of bases in an encoding scheme. For 4-state encoding we write $\mathcal{B} = \{0, 1\}$, and the states are the spin states $|\pm z\rangle$ (at $b = 0$) and $|\pm x\rangle$ (at $b = 1$). For 6-state we write $\mathcal{B} = \{1, 2, 3\}$, with spin states $|\pm x\rangle$ (at $b = 1$), $|\pm y\rangle$ (at $b = 2$) and $|\pm z\rangle$ (at $b = 3$). For 8-state we have $\mathcal{B} = \{00, 01, 10, 11\}$, and the states are defined in (7). The number of bases is $|\mathcal{B}|$.

Noise symmetrisation
After Eve's interference, the bipartite system held by Alice and Bob is no longer a pure singlet state but a general mixed state $\rho^{AB}$. As the singlet state is invariant under unitary transformations of the form $\rho^{AB} \to (U \otimes U)\, \rho^{AB}\, (U^\dagger \otimes U^\dagger)$ (where $U$ acts on a single qubit), Alice and Bob are 'allowed' to perform the following sequence of actions.

Preparation phase, before the protocol: Alice and Bob agree on a single basis $b^* \in \mathcal{B}$.

During the protocol: For each bit, just before they execute their measurement
• Alice and Bob publicly draw a random number $\gamma \in \{0, 1, 2, 3\}$.
• They both apply to their own qubit the Pauli operator $\sigma_\gamma$, defined with respect to the $b^*$ basis. Here $\sigma_0$ is the identity matrix.

These actions have no effect on the original state (the desired singlet) but they dramatically simplify the noise in $\rho^{AB}$. and $|\Phi^\pm\rangle = \frac{|00\rangle_* \pm |11\rangle_*}{\sqrt{2}}$ denote the Bell basis states with respect to the $b^*$ basis. Let Eve introduce a bit error rate of exactly β between Alice and Bob's measurement results. Then the mixed state of the 'AB' system after the above described symmetrisation procedure is given by

Proof: In [18] it was shown that the AB state reduces to the form ρ̃ 1}. For the 6-state case it was shown in [11] that these constraints yield (8). We next study the 8-state case. Taking $b = b^*$, the above constraints Without loss of generality we take $b^* = 00$. Then the $b = 01$ and $b = 11$ constraints each give, after some algebra, 1 18 Solving for the λ-parameters finally yields $\lambda_1 = \lambda_2 = \lambda_3 = \frac{\beta}{2}$.

Note that setting $b^* \in \mathcal{B}$ is important: if the Pauli operators $\sigma_\gamma \otimes \sigma_\gamma$ are chosen with respect to a different basis, then Lemma 3.1 does not necessarily hold. Also note that Lemma 3.1 usually does not hold for 4-state (BB84) conjugate coding. 4-state encoding has fewer noise-related constraints, and hence Eve has more freedom. However, one can imagine a protocol variant where Alice and Bob spend some extra key material in order to agree on qubit positions which they sacrifice for noise testing purposes. With Lemma 3.1 holding for 4-state too, we can now treat all three encoding methods on an equal footing. We will see in Section 6 that even with this advantage given to Alice and Bob for 4-state, the 4-state encoding still performs worst.

Purification
The $\tilde\rho^{AB}$ can be purified as follows, under the worst-case assumption that all noise is caused by Eve. Denoting Eve's four-dimensional subsystem as 'E', with orthonormal basis $|m_i\rangle$, we can write Alice and Bob know in which basis to measure. They both do a projective measurement on their own subsystem. They measure the spin component in the direction $v = (v_x, v_y, v_z) = (\sin\theta\cos\varphi, \sin\theta\sin\varphi, \cos\theta)$. The eigenstates of this measurement are $|v\rangle = e^{-i\varphi/2}\cos\frac{\theta}{2}|0\rangle + e^{i\varphi/2}\sin\frac{\theta}{2}|1\rangle$ (with eigenvalue '0') and $|\bar v\rangle = -e^{-i\varphi/2}\sin\frac{\theta}{2}|0\rangle + e^{i\varphi/2}\cos\frac{\theta}{2}|1\rangle$ (with eigenvalue '1'). We rewrite the state (9) using $|v\rangle$, $|\bar v\rangle$ as the basis of the A and B subsystem, A number of things are worth noting about this representation of the purification.
• With probability 1 − β, Alice and Bob's measurement outcomes are opposite. With probability β they are equal.
This structure makes it particularly easy to analyse QKD. See Section 4.4.1.
In the analysis of QKD schemes, it suffices to express (10) only for a single choice of v, because the basis is eventually revealed to Eve. In QKR the basis is not revealed. In our treatment of known plaintext attacks (Section 5) we will need to evaluate (10) for different bases.

Eve's mixed state
After Alice and Bob have performed their measurement, Eve possesses one of the $4|\mathcal{B}|$ pure states ρ coupled to the unknown (to her) classical random variables $B$, $X$, $Y$. The whole system of $B$, $X$, $Y$ and E can be represented as a four-part system in the following mixed state, At given $x$, the probability of $y = \bar x$ is $1 - \beta$. (Before the introduction of noise, the $x$ and $y$ were perfectly anti-correlated.) In Section 5 we will study known plaintext attacks, i.e. Eve knows $g$ and wants to learn the basis $b$.
If Eve knows that $x = 0$, then she has to distinguish between the following $|\mathcal{B}|$ states, The case $x = 1$ will not be treated separately as it is analogous to $x = 0$.

M2 Eve couples each qubit individually to an ancilla, and transfers information into the ancilla in such a way that the bit error rate is exactly β. She does this for $N$ transmissions ($N \gg 1$) before finally performing a measurement on her ancillas.
Attack M1 is the worst case scenario given that Bob does not accept. M2 is the worst case given that Bob accepts N times in a row. Attack M1 has no effect against 8-state encoding (since it is a QOTP), but is important in the case of 4-state and 6-state encoding. Below we briefly recap the results of [6]. In Section 4.4 we will see that the analysis of M2 reduces to the analysis of QKD.

Attack M1 on 4-state encoding
Eve intercepts the whole $n$-qubit state $|\Psi\rangle$ and immediately does a measurement. She subjects each qubit $i$ individually to the spin measurement $(\sigma_x + \sigma_z)/\sqrt{2}$. The probability distribution of $X_i$ given the outcome always consists of the numbers $\cos^2\frac{\pi}{8}$ and $\sin^2\frac{\pi}{8}$. In terms of Shannon entropy this corresponds to the following mutual information per qubit, The min-entropy loss per qubit is

Attack M1 on 6-state encoding
Eve's spin measurement is $(\sigma_x + \sigma_y + \sigma_z)/\sqrt{3}$. The probability distribution for $X_i$ given the outcome always consists of the numbers $\cos^2\frac{\alpha}{2}$ and $\sin^2\frac{\alpha}{2}$. This yields I M1,6state

Attack M2: All Your Basis Are Belong To Us
Attack M2 is effective because Eve is attacking $N$ qubits that are encrypted with the same key $b$. Eve collects $N$ ancillas containing partial information about the message bits; these message bits are protected by a total of $\log|\mathcal{B}|$ key bits. Hence, for large $N$ the key $b$ offers essentially no protection of the information drawn into the ancillas. (On the other hand, the key prevents Eve from absorbing full information into her ancillas. And the key itself does not become known to Eve.)

Proof: Let $\mathcal{M}$ denote a POVM. We have H( i ) for arbitrary $j$. For $N \gg 1$ the bound is tight. The left hand side of (18) is the leakage per qubit. The right hand side is precisely the quantity that determines the security of QKD: the uncertainty about $X$ given a noise-constrained ancilla and the basis $B$ revealed to Eve after she has created the ancilla states. Lemma 4.1 allows us to obtain a tight lower bound on the QKR capacity, namely the QKD capacity, whenever M2 is the dominant attack.

QKD, Shannon entropy
The computation of H(X|BE) for BB84 and 6-state (or more) QKD is well known. Here we combine the two standard approaches: (i) the simplest possible description of the noise, i.e. noise symmetrisation, (ii) specifying optimal measurements instead of bounds based on von Neumann entropy. The results are of course not new, but we present the matter in a particularly clean way which helps when protocol embellishments are considered (e.g. addition of artificial noise, see Section 7).

Informal treatment Eve knows v. Eve does a projective measurement |E
This measurement does not destroy any information. With probability β the outcome is '1'; next Eve can perfectly distinguish between the orthogonal states $|E^v_{00}\rangle$, $|E^v_{11}\rangle$ and hence learns $X$ with 100% accuracy. With probability $1 - \beta$ the outcome is '0'; now Eve has to handle the trickier task of distinguishing between the non-orthogonal $|E^v_{01}\rangle$ and $|E^v_{10}\rangle$, which have inner product $c \stackrel{\rm def}{=} \langle E^v_{01}|E^v_{10}\rangle = \frac{1-2\beta}{1-\beta}$. This is done optimally using a projective measurement in the following orthonormal basis, and has error probability The channel capacity from Alice to Eve is The secrecy capacity is

Formal treatment Eve has to guess $X$ from a state ρ v The optimal POVM is given by $Q_0 = |E^v_{00}\rangle\langle E^v_{00}| + |\mu_{01}\rangle\langle\mu_{01}|$, $Q_1 = |E^v_{11}\rangle\langle E^v_{11}| + |\mu_{10}\rangle\langle\mu_{10}|$. This is equivalent to the two-step procedure detailed in the informal treatment above, and yields Eve's knowledge about $X$ is $I_{AE} = H(X) - H(X|\rho^v_{XY})$, which precisely equals (21).

QKD, min-entropy
Expressed as min-entropy loss, Eve's knowledge is $H_{\min}(X) - H_{\min}(X|\rho^v_{X,X\oplus R})$ for known $v$ and unknown noise $R \in \{0,1\}$. We have

Security of the key

Known plaintext attacks on the key
We have to take into account the possibility that Eve knows the plaintext µ. Then $|\Psi\rangle$ may give Eve information on the (basis) key $b$. We focus on attacks that lead Bob to Accept. (A Reject causes Alice and Bob to refresh their keys.) We look at the two types of attack available to Eve,
K1 Eve intercepts a fraction 3β of the qubits, does a measurement on them, and sends the resulting states on to Bob.
K2 Eve lets every qubit individually interact with an ancilla. She forwards the qubits to Bob.
In attack K1 Eve receives a state $\omega_{Bx} = |\psi_{Bx}\rangle\langle\psi_{Bx}|$ for known $x$ and unknown $B$. For attack K2 Eve's view is the mixed state $\zeta_B$ as defined in (13), for unknown $B$.
Lemma 5.1 The Shannon entropy of $B$ given $\zeta_B$ can be written as where $\max_{\mathcal{M}}$ is maximisation over POVMs $(M_m)_{m\in\mathcal{B}}$. If we impose the symmetry relations $\forall_{b\in\mathcal{B}}$:

Attack K1, 4-state
Eve scrutinises $\omega_{Bx}$. If $x = 0$ then the state is either the $+x$ or $+z$ spin state. If $x = 1$ then the state is either $-x$ or $-z$. In both cases, the optimal way to distinguish between the states is to measure the spin $(\sigma_x - \sigma_z)/\sqrt{2}$. Given the measurement outcome, the probabilities for the two key values are $\cos^2\frac{\pi}{8}$ and $\sin^2\frac{\pi}{8}$. This holds for $x = 0$ as well as $x = 1$. Eve's knowledge about $B$ is The effect on the whole $n$-bit string is obtained by multiplying (29,30) times $3\beta n$.
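The intercept measurements quoted for attack M1 (4-state and 6-state) and attack K1 (4-state) can be checked numerically. The Python below is an added example, not code from the paper: it represents each state by its Bloch vector and uses the standard rule that a spin measurement along unit axis m on a pure state with Bloch vector n gives outcome ±1 with probability (1 ± n·m)/2. The function and constant names are chosen here for illustration.

```python
import math

def entropy(probs):
    """Shannon entropy in bits of a probability list."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def intercept_leakage(states, axis):
    """Leakage about a label from one spin measurement along `axis`.

    states: list of (label, bloch_vector), taken as equiprobable.
    Returns Eve's guessing probability and the Shannon / min-entropy
    leakage about the label, in bits per intercepted qubit.
    """
    n_states = len(states)
    labels = sorted({lab for lab, _ in states})
    prior = {lab: sum(1 for l, _ in states if l == lab) / n_states
             for lab in labels}
    # Joint distribution Pr[label, outcome]
    joint = {(lab, o): 0.0 for lab in labels for o in (+1, -1)}
    for lab, vec in states:
        dot = sum(a * b for a, b in zip(vec, axis))
        for o in (+1, -1):
            joint[(lab, o)] += (1 + o * dot) / 2 / n_states
    cond_entropy = 0.0   # H(label | outcome)
    p_guess = 0.0        # sum over outcomes of max_label Pr[label, outcome]
    for o in (+1, -1):
        p_o = sum(joint[(lab, o)] for lab in labels)
        if p_o > 0:
            cond_entropy += p_o * entropy([joint[(lab, o)] / p_o
                                           for lab in labels])
        p_guess += max(joint[(lab, o)] for lab in labels)
    return {
        "p_guess": p_guess,
        "shannon_leak": entropy(list(prior.values())) - cond_entropy,
        # H_min(L) - H_min(L | outcome)
        "min_entropy_leak": math.log2(p_guess) - math.log2(max(prior.values())),
    }

R2, R3 = 1 / math.sqrt(2), 1 / math.sqrt(3)

# Attack M1, 4-state: label is the bit x; bases z (b=0) and x (b=1).
M1_4STATE = [(0, (0, 0, 1)), (1, (0, 0, -1)), (0, (1, 0, 0)), (1, (-1, 0, 0))]
AXIS_XZ = (R2, 0, R2)            # (sigma_x + sigma_z)/sqrt(2)

# Attack M1, 6-state: label is the bit x; bases x, y, z.
M1_6STATE = [(0, (1, 0, 0)), (1, (-1, 0, 0)), (0, (0, 1, 0)),
             (1, (0, -1, 0)), (0, (0, 0, 1)), (1, (0, 0, -1))]
AXIS_XYZ = (R3, R3, R3)          # (sigma_x + sigma_y + sigma_z)/sqrt(3)

# Attack K1, 4-state, known x = 0: label is the basis b (0 = +z, 1 = +x).
K1_4STATE_X0 = [(0, (0, 0, 1)), (1, (1, 0, 0))]
AXIS_X_MINUS_Z = (R2, 0, -R2)    # (sigma_x - sigma_z)/sqrt(2)

if __name__ == "__main__":
    for name, st, ax in [("M1 4-state", M1_4STATE, AXIS_XZ),
                         ("M1 6-state", M1_6STATE, AXIS_XYZ),
                         ("K1 4-state", K1_4STATE_X0, AXIS_X_MINUS_Z)]:
        print(name, intercept_leakage(st, ax))
```

For K1 the per-qubit figures apply only to the intercepted fraction, which is why the text multiplies by $3\beta n$ for the whole string.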

Attack K1, 6-state
Consider $x = 0$. (The analysis for $x = 1$ is analogous). Eve has to distinguish between the spin states $+x$, $+y$, $+z$ using a POVM $\mathcal{M} = (M_b)_{b\in\{1,2,3\}}$. For the min-entropy the best POVM is given by It yields the following probability distribution for $B$: For the Shannon entropy the best POVM is of the same form as above but with The effect on the whole $n$-bit string is obtained by multiplying (31,32) times $3\beta n$.

Attack K2, 4-state
Eve has to distinguish between B = 0 (z-basis) and B = 1 (x-basis) by inspecting her ancilla state ζ B .
Theorem 5.2 In the case of 4-state encoding, the min-entropy of the basis B given the mixed state ζ B is The corresponding POVM M = (M b ) b∈{0,1} is given by Proof: The two expressions between square brackets act on orthogonal two-dimensional subspaces and both have the form of a Pauli operator. It directly follows that the eigenvalues are ± β(1 − 3 2 β) and ±β/ √ 2. Finally we apply (4) with p 0 = p 1 = 1 2 .

Theorem 5.3
In the case of 4-state encoding, the Shannon entropy of the basis B given the mixed state ζ B is Proof: For binary B, the POVM associated with the min-entropy maximises tr M 0 (ζ 0 − ζ 1 ) (see Section 2.1). If we impose the symmetry tr M 0 ζ 1 = tr M 1 ζ 0 then this expression becomes tr (Imposing this symmetry is allowed, see Section 2.1). Hence the optimisation in the min-entropy-POVM is the same as the optimisation in the Shannon-POVM, and we conclude that the POVM associated with the min-entropy also minimises the Shannon entropy. Applying the POVM from Theorem 5.2 to (28) yields (40).

Attack K2, 6-state
Eve has to distinguish between $B = 1$ (x-basis), $B = 2$ (y-basis), and $B = 3$ (z-basis). We define the permutation matrix $S$ as

Theorem 5.4 In the case of 6-state encoding, the min-entropy of the basis $B$ given the mixed state $\zeta_B$ is The associated POVM is and

Proof: For $b \in \{1, 2, 3\}$ we have where $b + 1$ should be read as $b + 1 \bmod 3 \in \{1, 2, 3\}$. The matrix $\Lambda$ as defined in Section 2.1 is given by With some effort it is verified that indeed $\Lambda - \zeta_b \geq 0$ for $b \in \{1, 2, 3\}$ and $\beta \in [0, \frac{1}{2}]$.

Conjecture 5.5 Consider 6-state encoding. In terms of Shannon entropy, Eve's optimal POVM $\mathcal{Q} = (Q_b)_{b\in\mathcal{B}}$ for learning as much as possible about $B$ from $\zeta_B$ is given by with $|r\rangle$ as defined by (45), and

Evidence: The POVM $\mathcal{Q}$ is the 'dual' of $\mathcal{M}$ in the sense that it has $v$ replaced by $-v$. (This fact is not immediately evident. One can also take $\mathcal{M}$ and apply it to the state $\zeta_B$ with $v \to -v$; this is equivalent). It was noticed in [6] that such a 'dual' is the optimal POVM in the case of the intercept attack K1. We have performed numerical POVM optimisations which find a local minimum of the Shannon entropy, starting from $3^{10}$ initial points in POVM space; all combinations of a positive/zero/negative value for each of the 10 degrees of freedom that are left in the POVM after imposing $S$-symmetry. Furthermore we did a Monte Carlo sampling of $10^{11}$ random POVMs. We did not find a single POVM that performs better than $\mathcal{Q}$. The numerical search did find $\mathcal{M}$ and $\mathcal{Q}$, as well as 200 POVMs with Shannon entropy between that of $\mathcal{Q}$ and $\mathcal{M}$.

Theorem 5.6 In case of the measurement $\mathcal{Q}$ specified in Conjecture 5.5, the entropy of $B$ is given by $H(B|\mathcal{Q}(\zeta_B)) = h(p_6) + 1 - p_6$ (51)

Proof: After some algebra it can be seen that $\mathrm{tr}\, \zeta_3 Q_3 = p_6$. We apply (28) from Lemma 5.1. Some remarks on the case $\beta \geq \frac{1}{3}$ can be found in the Appendix.

Evidence: Just as in the 6-state case, the POVM for the Shannon entropy is the 'dual' ($v \to -v$) of the POVM associated with the min-entropy. Numerical optimisations (from $3^{12}$ initial points) with imposed symmetry gave us no POVM that performs better than $\mathcal{R}$. The numerical search did find $\mathcal{R}$ and $\mathcal{M}$, as well as 168 POVMs with Shannon entropy between that of $\mathcal{R}$ and $\mathcal{M}$.

Theorem 5.9 In case of the measurement $\mathcal{R}$ specified in Conjecture 5.8, the entropy of $B$ is given by

Proof: A brief calculation gives $\mathrm{tr}\, \zeta_{uw} R_{uw} = p_8$ (for all $u, w$) with $p_8$ as defined in (61). Then we use (28). Some remarks on the case $\beta \geq \frac{1}{3}$ can be found in the Appendix.

Putting it all together
The amount of privacy amplification needed in the protocol (Section 2.2, Ext function) is determined by the strongest of the M1, M2, K1, K2 attacks. Below we combine all the results from Sections 4 and 5.

Table 1 shows an overview of the Shannon entropy losses in all the attacks. The individual M1, M2, K1, K2 leakages (and the maximum) are plotted as a function of β in Fig. 1. Fig. 2

Combined results for min-entropy
Table 2 shows an overview of the min-entropy losses in all the attacks. The individual M1, M2, K1, K2 leakages (and the maximum) are plotted as a function of β in Fig. 3. Fig. 4

Addition of artificial noise
The structure evident in the $|E^v_{xy}\rangle$ vectors (10) allows us to simplify the derivation of the capacity of 6-state/8-state QKD with added artificial noise. (This also applies to attack M2.) In [14] a derivation for 6-state QKD was given without noise symmetrisation, resulting in a lengthy analysis. Moreover, the end result was presented in a less than elegant way. Here we give a shorter derivation, and we present the end result in a very intuitive form.

Alice adds artificial noise to $X$. This is represented as a binary symmetric channel with bit error rate $\varepsilon$. Let $\varepsilon * \beta \stackrel{\rm def}{=} \varepsilon(1 - \beta) + (1 - \varepsilon)\beta$ be the bit error rate on the concatenated channel consisting of Alice's noise $\varepsilon$ followed by the physical noise β introduced by Eve. The channel capacity from Alice to Bob becomes $I_{AB}(\varepsilon, \beta) = 1 - h(\varepsilon * \beta)$. Eve's task of distinguishing between the various $|E^v\rangle$ states is not affected; the weights $\beta$ and $1 - \beta$ in (21) do not change. However, Eve's inference about $X$ from her measurement outcomes has additional noise $\varepsilon$: the bit error rate of the 'easy' channel changes from 0 to $\varepsilon * 0 = \varepsilon$, and the bit error rate of the 'difficult' channel changes from $p_\beta$ to $\varepsilon * p_\beta$. Thus the channel from Alice to Eve now has capacity with $p_\beta$ as defined in (20). The secrecy capacity is which is precisely the result of [14] but in simplified form. Fig. 5 shows the optimal noise $\varepsilon_{\rm opt}(\beta)$ as a function of β, and the resulting capacity $C_{\rm opt}(\beta) = C(\varepsilon_{\rm opt}(\beta), \beta)$. The original positive-capacity region β ≤ 0.156 is extended to β ≤ 0.162.
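The two-channel picture above (and in the informal QKD treatment earlier) is enough to reproduce the quoted thresholds numerically. The Python below is an added example, not code from the paper. Equation (20) for $p_\beta$ is not reproduced on this page, so the code assumes the standard minimum-error value $(1 - \sqrt{1 - c^2})/2$ for two equiprobable pure states with overlap $c = (1-2\beta)/(1-\beta)$; the Alice-to-Eve capacity is assembled from the 'easy' and 'difficult' channel description, and all function names are chosen here.

```python
import math

def h(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def conv(a, b):
    """Bit error rate of two concatenated binary symmetric channels."""
    return a * (1 - b) + (1 - a) * b

def p_beta(beta):
    """Assumed form of the error probability on the 'difficult' channel:
    optimal discrimination of two equiprobable pure states with overlap c."""
    c = (1 - 2 * beta) / (1 - beta)
    return 0.5 * (1 - math.sqrt(1 - c * c))

def capacity(eps, beta):
    """Secrecy capacity I_AB - I_AE with artificial noise eps."""
    i_ab = 1 - h(conv(eps, beta))
    # With weight beta Eve sees the 'easy' channel (BER eps), with weight
    # 1 - beta the 'difficult' channel (BER eps * p_beta).
    i_ae = (beta * (1 - h(eps))
            + (1 - beta) * (1 - h(conv(eps, p_beta(beta)))))
    return i_ab - i_ae

def best_noise(beta, step=0.005, eps_max=0.495):
    """Grid search for the artificial noise level maximising the capacity."""
    best_eps, best_cap = 0.0, capacity(0.0, beta)
    k = 1
    while k * step <= eps_max + 1e-12:
        cap = capacity(k * step, beta)
        if cap > best_cap:
            best_eps, best_cap = k * step, cap
        k += 1
    return best_eps, best_cap

def threshold(cap_of_beta, lo=0.10, hi=0.20, tol=1e-9, iters=60):
    """Largest beta with positive capacity, by bisection on [lo, hi]."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if cap_of_beta(mid) > tol:
            lo = mid
        else:
            hi = mid
    return lo

def threshold_without_noise():
    return threshold(lambda b: capacity(0.0, b))

def threshold_with_noise():
    return threshold(lambda b: best_noise(b)[1])

if __name__ == "__main__":
    print("threshold, eps = 0      :", round(threshold_without_noise(), 4))
    print("threshold, optimal eps  :", round(threshold_with_noise(), 4))
    for beta in (0.05, 0.10, 0.15, 0.16):
        eps, cap = best_noise(beta)
        print(f"beta={beta:.2f}  eps_opt={eps:.3f}  C_opt={cap:.5f}")
```

Near the upper threshold the optimal noise level approaches 1/2 and the capacity becomes very small, so the second threshold depends slightly on the grid resolution.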

Discussion
The fact that M1 is the dominant attack against 4-state and 6-state encoding at low bit error rate, and M2 at larger β, comes as no surprise. The vulnerability of the message is exactly the reason why 8-state encoding was introduced in [6]. And as 8-state protects the message better, it is also not surprising that an attack on the key dominates in the 8-state min-entropy analysis. What we did not know a priori is the relative strength of the β-dependent attacks, and their strength (at large β) compared to M1. Figs. 1 and 3 show complicated behaviour with various intersections of curves.
We were surprised to see M2 'winning' in the 8-state Shannon entropy analysis. With M2 being the relevant attack, a large part of the security analysis becomes identical, or at least very similar, to well known QKD analysis. Hence the trick with Alice's artificial noise is as relevant to QKR as it is to QKD. When the number of qubits (n) is very large, the relevant quantity to look at is Shannon entropy. For small n it is min-entropy. In intermediate cases it is something in between. From our results we conclude that 8-state encoding yields the highest QKR capacity under practically all circumstances.
As topics for future work we see (i) Adaptation of the protocol so that the $n$-qubit quantum state $|\Psi\rangle$ sent by Alice contains the message itself (in privacy-amplified form, as in [2]), instead of a random mask. This would further improve communication efficiency. (ii) Determine the effect of artificial noise on the min-entropy loss in the case of the K2 attack on 8-state encoding. (iii) Determine how tight the bound in Lemma 4.1 (M2 reduces to QKD analysis) is as a function of $N$.

Proof: On the whole range $\beta \in [\frac{1}{3}, \frac{1}{2}]$ the POVM $\mathcal{R}$ gives $H(B|\mathcal{R}(\zeta_B)) = \log 3$, which is the K1 result at $\beta = \frac{1}{3}$ and therefore the minimum possible value. Just as in the 6-state case and in the 8-state for $\beta \leq \frac{1}{3}$, the POVM $\mathcal{R}$ for the Shannon entropy is the 'dual' ($v \to -v$) of the POVM associated with the min-entropy. Note that at $\beta = \frac{1}{3}$ the POVMs for $\beta \leq \frac{1}{3}$ and $\beta \geq \frac{1}{3}$ match, as they should. The leakages for the K1 and K2 attacks up to $\beta = \frac{1}{2}$ are plotted in Figs. 6 and 7. For 4- and 6-state, K2 reaches its maximum at $\beta = \frac{1}{2}$, whereas in the 8-state case the maximum is reached already at $\beta = \frac{1}{3}$.