On the security of semi-device-independent QKD protocols

While fully device-independent security in (BB84-like) prepare-and-measure quantum key distribution (QKD) is impossible, it can be guaranteed against individual attacks in a semi-device-independent (SDI) scenario, wherein no assumptions are made on the characteristics of the hardware used except for an upper bound on the dimension of the communicated system. Studying security under such minimal assumptions is especially relevant in the context of the recent quantum hacking attacks wherein the eavesdroppers can not only construct the devices used by the communicating parties but are also able to remotely alter their behavior. In this work, we study the security of an SDIQKD protocol based on the prepare-and-measure quantum implementation of a well-known cryptographic primitive, the random access code (RAC). We consider imperfect detectors and establish the critical values of the security parameters (the observed success probability of the RAC and the detection efficiency) required for guaranteeing security against eavesdroppers with and without quantum memory. Furthermore, we suggest a minimal characterization of the preparation device in order to lower the requirements for establishing a secure key.


Introduction
In standard quantum key distribution (QKD) protocols, the security proofs assume that the parties have access to the correct and exact specifications of the devices used therein. This assumption is rather problematic. First, the principal problem lies at the heart of the quantum formalism. Generally, these devices are used for either state preparation or measurement. The quantum formalism provides mathematical abstractions for states and measurements but no direct way to infer anything about them individually. The only interface for any inference about the states and measurements is the Born rule, which combines states and measurements and yields the probability of outcomes, which is then compared to experimental results. So a full characterization of the devices is sufficient to warrant security, but it requires that each device and its components be individually tested several times to gather enough statistics to warrant trust. This is an extremely tedious task; instead, we end up trusting the manufacturer of the devices, which may not be the best idea. For instance, the supplier can install backdoors that enable him to compromise the security without being detected. Recently a lot of attention has been drawn to the NSA, which convinced RSA Security to set the Dual_EC_DRBG pseudo-random number generator as the default in their products; this generator is in turn known to have such a backdoor [1]. Moreover, even if the manufacturer is honest, recent advances in quantum hacking [2][3][4] show that the adversary can remotely influence the behavior of the devices during the protocol, effectively changing their characteristics and thereby hampering the security of the protocol. To cope with this issue, the device-independent (DI) approach has been introduced, wherein the key idea is that if the parties violate a Bell (or some Bell-like) inequality then, regardless of how their devices managed to do this, they can establish secure communication.
Although the term "DI" was first used in [5], the idea can be traced back all the way to Ekert's original paper [6]. Unfortunately, completely DI QKD is extremely arduous to realize in practice and so far no experimental group has been able to do this. The main reason for this is the so-called detection efficiency loophole [7], which states that if the probability of registering a particle by the detectors used in the experiment is below a certain (usually very high) critical value, then the results of the experiment are inconclusive; in other words, the possibility of a local-realistic description of its results cannot be ruled out. Ruling out the possibility of these descriptions is a necessary, although not always sufficient, condition for DI security. Another problem faced in this scenario is that it can be applied only to protocols based on entanglement, which are much more complicated than their prepare-and-measure counterparts like BB84 [8].
These two issues are addressed in the semi-device-independent (SDI) approach [9]. Here a prepare-and-measure scenario is considered and again no assumptions are made on the inner specifications and the working of the devices used. The prefix "semi" is warranted by the fact that an upper bound on the dimension of the communicated system is assumed. This bound is assumed to be well justified for both an honest and a dishonest manufacturer. In the latter case, the parties can study the devices delivered and, while it is almost impossible to fully characterize them, it is much easier to establish the effective dimension of the Hilbert space in which the states are being prepared. When the supplier is honest but the protocol is subject to a quantum hacking attack, the limitations on the technology available to the eavesdropper make the task of increasing the channel capacity extremely difficult. In fact, to our knowledge, all the quantum hacking attacks published so far did not increase this capacity. Also, because only one side employs the detectors, the requirements on their efficiency are lower than in the DI case. Another relaxation of the DI paradigm is the measurement-device-independent (MDI) scenario [10][11][12], wherein three devices are used: two communicating parties, with perfectly characterized hardware, send particles to a third device, which makes the measurements. No assumptions are made on the characteristics of the third device. The difference between the MDI and SDI scenarios is that the former is more complicated (i.e., requires more devices and more sophisticated measurements) and does not allow for any changes in the preparation devices (which is a big disadvantage, as even small changes can lead to the loss of security [13]). On the other hand, it was shown [10] that the MDI scenario thwarts quantum hacking attacks for any efficiency of the detectors.
The aim of this paper is to establish the security condition in the SDI case, i.e., to find the critical values of the security parameters required in order to establish a secure key. In the case of Bell inequalities, given an observed value of detection efficiency (greater than the critical detection efficiency), if the parties witness a Bell violation above a certain threshold, they are sure that the system they share must be non-local (or entangled if quantum theory is assumed). Similarly, we find the threshold above which the SDIQKD protocol is secure based on the threshold value of some observed parameter (for a given value of observed detection efficiency). We start by defining the classes of attacks against which we want to be secure. We consider individual attacks in which the eavesdropper may or may not have access to quantum memory. Then we take the most basic SDIQKD protocol, based on the (2 → 1) QRAC [9], and find the security conditions required against such attacks. Next we propose a modification of this protocol (basing it on the (3 → 1) QRAC instead) which substantially reduces these security requirements. Furthermore, we suggest a minimal characterization of the preparation device that substantially lowers the requirements on the security parameters.

Device controlling attacks
In [2][3][4][14], the authors gave a simple description of the device controlling attacks based on the detection efficiency loophole and demonstrated them experimentally. Assume that Eve has perfect detectors, while Bob's detectors have an average efficiency of 50%. Eve intercepts the signal sent from Alice to Bob as a part of the BB84 protocol and measures it. Eve then encodes her detection results into a specially tailored bright pulse of light and resends it to Bob. Because of the physical properties of the signal and the physical implementation of Bob's detectors, Bob obtains an outcome only if he measures in the same basis as Eve. This implies that Bob's detectors work perfectly (with 100% efficiency) conditioned on the event that Eve's and Bob's settings are the same, and do not work at all otherwise. On average Bob's detectors work with 50% efficiency, which does not raise any suspicions. After the raw key exchange, Bob and Eve have identical bit values and basis choices, which after sifting, error correction and privacy amplification made via classical communication allow Eve to get the same final key as Alice and Bob. In this way Eve, by active control of Bob's detectors, can secretly learn the exchanged key. More about this type of control can be found in [15].
In [13] a different approach is presented. Here Eve, apart from exploiting her possibility of interfering during the calibration of Alice's device, introduces a slight modification in it.
These examples highlight the need for more general security conditions where Eve is assumed to be substantially powerful, i.e., she can not only design all the devices used in the protocol but can also actively control them. However, there are natural limits to what she can do. Her modifications must not be significant, so as to avoid detection. Apart from this, we assume that Eve cannot make the preparation device use an additional degree of freedom of the communicated system to encode more information. Hence, in the SDI scenario we assume that the eavesdropper can mold the characteristics of the devices used as well as actively control them during the protocol, but cannot increase the dimension of the system sent by Alice.

SDIQKD protocol
The DIQKD protocol bases its security on the violation of a Bell inequality [16] associated with the scenario. The key rate, in this case, is maximized by reaching the quantum bound of this inequality. On the other hand, SDIQKD is a prepare-and-measure key distribution protocol wherein the dimension of the communicated system is upper bounded [9]. Specifically, this limitation applies only to the dimension of the signal emitted by Alice's device and does not hold for what Bob's device receives. This minimal restriction is tremendously advantageous for Eve, which in turn captures the fact that in device controlling attacks, the pulse sent by Eve to Bob's laboratory could carry substantially more information than just one bit. The SDIQKD scheme bases its security on beating the classical bound on the winning probability (efficiency) of a related communication complexity task. In [9] the task used was a (2 → 1) quantum random access code (QRAC) [17], a prepare-and-measure quantum implementation of a well-known cryptographic primitive, the random access code (RAC). In a (2 → 1) QRAC Alice encodes her two input bits $a_0, a_1 \in \{0, 1\}$ into a qubit $\rho_{a_0,a_1}$. Bob gets an input bit $b \in \{0, 1\}$ and chooses his projective measurement $M_b^B$ based on it, where $B \in \{0, 1\}$ is the outcome of his measurement. Bob's task is to return $B = a_b$, i.e., to guess the $b$th bit of Alice. The measure of success in this task is the probability with which Bob is able to guess correctly; we denote it by $P_B$.
The SDIQKD protocol introduced in [9] comprises many repetitions of the (2 → 1) QRAC. In each of them $a_0$, $a_1$ and $b$ are chosen randomly by Alice and Bob, respectively. After this Bob announces his choice of $b$ for each round. The bit $a_b$ forms the bit of key for that round. Alice knows it, since it is one of the bits she herself randomly generated. Bob has some information about $a_b$. Probability for Bob to obtain (for fixed settings $a_0$, are projective operators such that $\sum_{i\in\{0,1\}} M_b^{B=i} = I$. The primary security parameter is the average success probability for (2 → 1) QRAC, Parties randomly choose some of the rounds and announce $a_0$ and $a_1$ for those rounds in order to estimate $P_B$. Later the parties perform standard error correction and privacy amplification to obtain perfectly correlated, secure bit strings (see Fig. 1). $P_B$ is the only security parameter if we consider the ideal case with perfect detectors, i.e., all systems leaving Alice's laboratory are detected at Bob's end. In the case with losses, the average detection efficiency ($\eta_{\mathrm{avg}}$) of Bob's detectors forms the other security parameter. It is important to specify how the communicating parties deal with the rounds in which no particle is detected. Although there are other options, here we choose the simplest one: these rounds are discarded from the statistics. This choice enables the parties to have the estimated average success probability close to the optimal one ($\frac{2+\sqrt{2}}{4}$ in the perfect case for (2 → 1) QRAC).

Fig. 1 Here the larger boxes represent Alice's and Bob's laboratories, of which their preparation and measurement devices, respectively (represented by smaller boxes), are a part. The thinner lines represent classical communication channels, and thick lines represent quantum communication channels, which in this case have a bounded capacity. The SDIQKD protocol contains the (2 → 1) QRAC along with a classical communication channel carrying Bob's input $b$ and the classical post-processing at Alice's end (represented by a small disk) required to output $a_b$ using $a_0$, $a_1$, $b$ as inputs.

Assumptions and attacks
We make the following assumptions:
1. Eve cannot influence the dimension of the system leaving Alice's laboratory.
2. Eve performs individual attacks.
3. For each bit of the key, Eve's information about it is stored in a bit representing her best guess of this bit.
4. Alice's and Bob's devices are controlled by Eve. She can make detectors work with 100% efficiency if she chooses to. She also can send information to them by hidden side channels. This implies that the states leaving Alice's laboratory can depend on Eve's choice of measurement, while the measurement basis of Bob's device can depend on both Eve's choice of measurement and her outcome.
5. There is no information leakage from the devices. This implies that Eve cannot receive any useful information using hidden side channels.
6. Bob's observed detection efficiency is the same for each of his measurements.
In this part of the paper, we study the security of SDIQKD against two distinct classes of attacks, 1. Intercept/resend (without quantum memory), 2. Delayed measurement (with a qubit of quantum memory).

Intercept/Resend (IR)
Eve intercepts the signal transmitted from Alice to Bob and measures it in a basis chosen based on her input $e \in \{0, 1\}$ (see Fig. 2) [18,19]. Eve's input $e$ represents her guess of Bob's input $b$ for that particular round. It is crucial for the security of the protocol that $e$ and $b$ are uncorrelated, in other words that there is no information leaking from Bob's laboratory. However, Eve being able to choose different detection probabilities for rounds when $e = b$ and $e \neq b$ artificially introduces correlations between $e$ and $b$ at the level of post-selected rounds of the experiment. Eve uses the measurement $M_e^E$ and obtains an output bit $E \in \{0, 1\}$. At this stage, we can write Eve's outcome probabilities as where the first equality is because of the fact that Eve gets her outcome $E$ before Bob inputs $b$. Here, $M_e^{E=i}$ are projection operators such that $\sum_{i\in\{0,1\}} M_e^{E=i} = I$. It turns out that it is optimal for Eve to send the state $\rho_{a_0,a_1,e,E=i} = M_e^{E=i}$ to Bob, with probability $P(E = i|a_0, a_1, e)$, as it represents her best knowledge about Alice's input. In fact, it is the most general strategy. Since we assume that the eavesdropper has full control over Bob's measurements, any unitary transformation of the state can be replaced by a corresponding transformation of the measurement bases.

Fig. 2 Here again the thin lines represent classical communication channels, while the thick lines represent the quantum communication channel. The dotted lines represent the channel for Eve's active control of Alice's and Bob's devices or, equivalently, the channel for distribution of shared randomness. Notice that only the quantum channel leaving Alice's laboratory has an upper bound on capacity. Finally, as Eve does not have access to quantum memory, she has to output her guess of $a_b$ as soon as she intercepts Alice's communicated state. Therefore, classical communication carrying Bob's input $b$ is of no use to her except in classical post-processing

According to assumption 4 Eve, for an observed value of the average detection efficiency of Bob's detectors $\eta_{\mathrm{avg}}$, can design in advance all the states $\rho_{a_0,a_1}$ As Bob does not know Eve's output, we can obtain the outcome probabilities apparent to Bob by summing over the values of $E$, which yields Both Eve and Bob are interested in guessing $a_b$; therefore, we can write these probabilities using a simplified notation as $a_b|e, b, a_0, a_1)$.
Next we split Bob's detection efficiency $\eta_{\mathrm{avg}} = P(\mathrm{Click})$ into Here Click signifies the occurrence of the event in which Bob's detectors provide an outcome. The other, no-click, event could occur because of a malfunction in the setup (the devices or the channel) or a deliberate attempt at hacking the protocol by a malicious third party. Note that different values of $\eta$ and $\eta_{e=b}$, together with assumption 5, imply that the distribution of $e$ must be uniform. At this point Eve maximizes $\eta_{e=b}$, making it unity, as she wants Bob's device to return outcomes as often as possible when she has managed to guess Bob's input correctly. At the same time, she also tries to minimize $\eta$. The only thing limiting her in doing so is the observed detection efficiency, which can be easily verified by Bob. Since Eve has no control over Bob's settings, $P(b) = P(b = e) = \frac{1}{2}$. This leads to Here the observed success probabilities for Bob and Eve, post-selected to rounds when Bob's detector registered a particle, can be represented as weighted averages over inputs $e$ and $b$, The parties always abort the protocol if the average success probability $P_B$ is lower than the classical maximum winning probability of a (2 → 1) QRAC ($\frac{3}{4}$), as no security can be guaranteed in this case even for perfect detectors [9]. Assuming $P_B > \frac{3}{4}$ and $P_E > \frac{3}{4}$, the Shannon entropy function $h(\cdot)$ is monotonically decreasing in this region, which enables us to simplify $h(P_B) < h(P_E)$ to Therefore, whenever $P_B(\eta)$ is higher than the maximal success probability achievable by Eve, $P_E^{\max}(\eta)$, the protocol is secure. Alice and Bob can rest assured that the protocol is secure if the value of $P_B(\eta)$ is greater than the critical value $P_B^C(\eta) = \frac{1}{2} \max\{P_B(\eta) + P_E(\eta)\}$. Now as both $P_E(\eta)$ and $P_B(\eta)$ are simultaneously maximized, this boils down to finding with $P^{e}_{E_b} = \frac{1}{4} \sum_{a_0,a_1} \mathrm{Tr}(\rho_{a_0,a_1,e} M_e^{E=a_b})$, and the maximization is over all possible measurements of Eve and Bob as well as preparations of Alice.
Here we consider two cases:

- The general case. Assumption 4 implies that Eve could have access to shared randomness which allows her to control both the devices during the protocol. We assume that the shared randomness used by Eve in both Alice's and Bob's device is the same as her input $e$. In Alice's device this implies that there are eight possible preparations $\rho_{a_0,a_1,e}$ which depend on Alice's input $a_0, a_1$ as well as Eve's shared random bit $e$. The security condition here is The details of the physical implementation of the attack and the derivation of the condition can be found in "Appendix (i)".

- A minimal characterization of the preparation device. Because manipulations in Alice's laboratory are much more difficult for Eve than just taking control over Bob's laboratory by hijacking the signal, we start with an assumption that while Eve can choose Alice's preparations, she cannot modify them during the protocol. This assumption is justifiable, as the only reasonable strategy to actively control Alice's device is to use shared randomness (or some classical signal which can be modeled using shared randomness), and Alice can use some of her seed to exhaust correlation between her device and Eve's input (or, in the case of control via a classical signal, Alice could easily bar all input signals, as her device's only job is to send information). This lets us denote Alice's preparations as $\rho_{a_0,a_1}$, as now the state leaving Alice's device depends only on her inputs $a_0, a_1$ and not on Eve's input $e$ or shared randomness. Now as Eve wants to maximize her probability of guessing the $b$th bit of Alice, it is optimal for her to choose the preparations to be mutually unbiased bases (MUBs). This yields the following security condition The details of the implementation of the attack and the derivation of the security condition can be found in "Appendix (ii)".

Delayed measurement (DM)
Let us now consider a more general approach with a more powerful Eve who is equipped with a qubit of memory $\rho_o$ (per signal) [20,21]. Yet again we deal with two sub-cases where $\rho_{a_0,a_1,e}$ is a two-qubit state. Eve then forwards the first subsystem to Bob, while holding on to the second one. In this way, Eve delays her measurement until Bob publicly announces his setting $b$ (see Fig. 3). Bob's projective measurement $M_{b,e}^B$ and Eve's measurement $M_{e,b}^E$ are designed by Eve so as to maximize her success probabilities while keeping Bob's success probabilities at an observed value greater than the threshold classical value. Note that since Eve now measures after Bob does, Bob's measurement cannot depend on $E$. The joint probabilities can be written as Summing over Bob's outcome yields the probability of Eve's outcomes In this case, we get the same final security condition as (13), details of which are provided in "Appendix (iii)".

- A minimal characterization of the preparation device. The restriction that, while Eve can choose the states that leave Alice's laboratory, she cannot alter them during the protocol is still helpful. We find that the optimal states are still the MUBs (29) and the security condition we obtain here is the same as (14).

These results were verified using techniques such as the seesaw method-based semidefinite programming (SDP) [22][23][24] deploying generalized measurements (POVMs) and are plotted in Fig. 4. We conclude that neither quantum memory nor generalized measurements help the eavesdropper.

Fig. 4 (the thin dotted horizontal line) regardless of the value of $\eta_{\mathrm{avg}}$. The graphs represent the minimal value of observed success probability $P_B$ required in order to guarantee security against (a) Eve with an unrestricted active control of both Alice's preparation device and Bob's measurement and equipped with (DM) or without (IR) quantum memory and (b) Eve with no active control of Alice's preparation device and equipped with (DM) or without (IR) quantum memory. The plot allows one to infer the level of security provided by the devices. This can be done by comparing the observed operational parameters $P_B$, $\eta_{\mathrm{avg}}$ with $P_B^C(\eta)$. If for an observed $\eta_{\mathrm{avg}}$, $P_B > P_B^C(\eta)$, then the protocol is secure.

Modified SDI protocol
Here we present an SDI protocol based on the (3 → 1) QRAC, which is a straightforward generalization of the (2 → 1) QRAC, and study its security against both (IR and DM) attacks. In a (3 → 1) QRAC Alice is given three bits $a_0, a_1, a_2 \in \{0, 1\}$, depending on which she sends the state $\rho_{a_0,a_1,a_2}$, while Bob gets a classical trit $b \in \{0, 1, 2\}$ and is required to guess the value of $a_b$. Bob's final output is $B \in \{0, 1\}$ and the success probability is labeled by $P_B = P(B = a_b)$. The quantum maximum success probability is $\frac{3+\sqrt{3}}{6}$, whereas the classical maximum remains the same, $\frac{3}{4}$. Yet again, the bit $a_b$ forms the raw key bit and after classical post-processing yields the final key. Eve wants to learn $a_b$ in order to establish the same key with Alice as Bob. We keep the structure, the reasoning and the notation (IR and DM) the same as in the SDI protocol based on the (2 → 1) QRAC. In this case, the average detection efficiency of Bob's detector is given by Owing to the fact that $P(b = e) = P(b) = \frac{1}{3}$, Eve's success probability is given by

Again we branch into two cases (Fig. 5):

- The general case. Assumption 4 implies that Eve could have access to shared randomness which allows her to control both the devices during the protocol. We assume that the shared randomness used by Eve in both Alice's and Bob's device is the same as her input $e$. In Alice's device, this implies that there are eight possible preparations $\rho_{a_0,a_1,a_2,e}$ which depend on Alice's input $a_0, a_1, a_2$ as well as Eve's shared random bit $e$. Under both IR and DM attacks, we have the following security condition In a nutshell, the deviation from (13) could be attributed to the spread of $e, b \in \{0, 1, 2\}$. As both $e$ and $b$ are considered to be uniformly random, the chances of them being equal are lowered to $P(e = b) = \frac{1}{3}$. The details of the implementation and a brief proof sketch are provided in "Appendix (iv)".

- A minimal characterization of the preparation device. As manipulations in Alice's laboratory are much more difficult for Eve than just taking control over Bob's laboratory by hijacking the signal, we start with an assumption that while Eve can choose Alice's preparations, she cannot modify them during the protocol. This lets us denote Alice's preparations as $\rho_{a_0,a_1,a_2}$, as now the state leaving Alice's device depends only on her inputs $a_0, a_1, a_2$ and not on Eve's input $e$ or shared randomness. This yields the following security condition for both IR and DM attacks, which is as follows where $\phi(\eta) = \frac{1}{8}\left[4 + (1 + \cos\alpha_\eta)\cos\beta_\eta + \frac{2(1-\eta)}{1+2\eta}\sin\alpha_\eta \sin\beta_\eta\right]$, Unlike the previous case, if Eve wants to maximize her probability of guessing the $b$th bit of Alice, it is optimal for her to choose preparations that are not MUBs but converge to MUBs under a specific efficiency condition. The details are provided in "Appendix (v)".

Fig. 6 The graphs represent the minimal value of observed success probability $P_B$ required in order to guarantee security against (a) Eve with an unrestricted active control of both Alice's preparation device and Bob's measurement and equipped with (DM) or without (IR) quantum memory and (b) Eve with no active control of Alice's preparation device and equipped with (DM) or without (IR) quantum memory. The plot allows one to infer the level of security provided by the devices. This can be done by comparing the observed operational parameters $P_B$, $\eta_{\mathrm{avg}}$ with $P_B^C(\eta)$. If for an observed $\eta_{\mathrm{avg}}$, $P_B > P_B^C(\eta)$, then the protocol is secure. Notice the increased tolerance (possibility of a secure protocol) at lower values of detection efficiency ($\eta_{\mathrm{avg}}$) as compared to the security offered by the protocol based on the (2 → 1) QRAC (Fig. 4).
These results were verified using techniques such as the seesaw method-based semidefinite programming (SDP) deploying generalized measurements (POVMs) and are plotted in Fig. 6.
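The post-selection effect behind the IR analysis of both the (2 → 1) and (3 → 1) protocols can be worked through exactly; the following is an added example, not code from the paper. It assumes one simple strategy (Eve measures along her guess e of Bob's setting and resends the eigenstate, Bob's detector clicks with probability 1 when e = b and η otherwise, Alice is fixed to the standard QRAC states), which lower-bounds Eve and does not reproduce the optimal attacks or the critical curves of Figs. 4 and 6. All function names are illustrative.

```python
import itertools
import math

CLASSICAL_BOUND = 0.75  # classical maximum for both RACs, as stated in the text


def axis(n, k, bit):
    """Bloch vector of the projector for setting k and outcome `bit` (0 -> +axis)."""
    v = [0.0] * n
    v[k] = 1.0 if bit == 0 else -1.0
    return v


def alice_state(bits):
    """Standard (n -> 1) QRAC encoding: component (-1)^a_k / sqrt(n) on axis k."""
    n = len(bits)
    return [(-1) ** a / math.sqrt(n) for a in bits]


def born(state, proj):
    """Born rule for a qubit in Bloch form: P = (1 + r.m) / 2."""
    return (1.0 + sum(r * m for r, m in zip(state, proj))) / 2.0


def honest_success(n):
    """Average P_B with no eavesdropper and perfect detectors."""
    total = 0.0
    for bits in itertools.product((0, 1), repeat=n):
        for b in range(n):
            total += born(alice_state(bits), axis(n, b, bits[b]))
    return total / (2 ** n * n)


def ir_attack(n, eta):
    """Exact statistics of the assumed intercept/resend strategy.

    eta is the click probability in rounds with e != b (it is 1 when e == b).
    Returns (eta_avg, P_B, P_E), the last two post-selected on clicks,
    i.e. computed the way the protocol does after discarding no-click rounds.
    """
    clicks = bob_ok = eve_ok = 0.0
    for bits in itertools.product((0, 1), repeat=n):
        state = alice_state(bits)
        for e in range(n):              # Eve's guess of Bob's setting, uniform
            for b in range(n):          # Bob's actual setting, uniform
                p_click = 1.0 if e == b else eta
                for E in (0, 1):        # Eve's outcome, also her guess of a_b
                    resent = axis(n, e, E)          # eigenstate sent on to Bob
                    w = born(state, resent) * p_click
                    clicks += w
                    bob_ok += w * born(resent, axis(n, b, bits[b]))
                    eve_ok += w * (1.0 if E == bits[b] else 0.0)
    rounds = 2 ** n * n * n             # number of equally likely (bits, e, b)
    return clicks / rounds, bob_ok / clicks, eve_ok / clicks


def passes_abort_check(n, eta):
    """True if the post-selected P_B still beats the classical bound."""
    _, p_bob, _ = ir_attack(n, eta)
    return p_bob > CLASSICAL_BOUND


if __name__ == "__main__":
    for n in (2, 3):
        print(f"({n} -> 1) QRAC, honest P_B = {honest_success(n):.4f}")
        for eta in (0.0, 0.05, 0.2, 0.4, 1.0):
            eta_avg, p_bob, p_eve = ir_attack(n, eta)
            flag = "passes 3/4 check" if p_bob > CLASSICAL_BOUND else "abort"
            print(f"  eta_avg={eta_avg:.3f}  P_B={p_bob:.4f}  "
                  f"P_E={p_eve:.4f}  {flag}")
```

Under this strategy Eve's post-selected success always equals Bob's, so the only things that expose it are the two observed parameters together: at η_avg = 50% the (2 → 1) statistics are indistinguishable from an honest run, while for (3 → 1) that only happens at η_avg = 1/3.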

Conclusions
In this paper, we analyzed individual quantum hacking attacks on SDIQKD protocols based on QRACs where the eavesdropper can not only design but actively control all devices during the protocol. Looking at these types of attacks was motivated by their recent experimental realizations. We study security against two types of quantum eavesdroppers (with and without access to quantum memory) and for two distinct levels of characterization of the devices (with and without a minimal characterization of the preparation device). We found that access to a small quantum memory (a qubit) does not help the eavesdropper to attack the SDIQKD protocol and conjecture that the same holds for other protocols and unlimited memory. As QKD in general is gaining immense popularity [25][26][27][28] and entanglement-based QKD remains commercially nonviable, devices employing prepare-and-measure QKD schemes seem to be the natural way forward. Our analysis, other than being robust, deals with worst case scenarios and provides the everyday naive user with a hassle-free way to infer the security his devices offer. In particular, Figs. 4 and 6 provide a straightforward way to ensure security; namely, a user can crosscheck the operational security parameters $P_B$, $\eta_{\mathrm{avg}}$ against $P_B^C(\eta)$, and if he finds that $P_B > P_B^C(\eta)$, he can rest assured without going into further details. Our double-layered results enable such crosschecking for two layers of device specification and may be used according to varying degrees of trust in the provider.
We provide conditions for establishing a secure key for SDIQKD based on the (2 → 1) QRAC and the (3 → 1) QRAC against Eve who has full active control of their devices. Using SDIQKD based on the (3 → 1) QRAC lowers the key rate, but the security requirements are significantly lowered. Further, a minimal characterization for the preparation device is provided which lowers the critical detection efficiency all the way down to 50% for (2 → 1) QRAC and to 41.2% for (3 → 1) QRAC. We have listed the critical detection efficiencies for the various cases considered in Table 1. It is known that (2 → 1) RAC and (3 → 1) RAC can also be implemented using entanglement and classical communication, often called the (2 → 1) entanglement assisted RAC (EARAC). These implementations can also be seamlessly used for QKD using the aforementioned method. We conjecture based on numerical evidence that the results derived in this work still hold for (2 → 1) and (3 → 1) EARAC.
We would like to remark that the critical detection efficiency is the efficiency of the whole process, taking into account not only the losses in the device of the receiver but also those in the transmission. Therefore, in practice, they will increase with the distance between the parties, and the critical detection efficiency of a protocol puts a bound on how far apart the communicating parties can be. For the standard device-independent QKD, this distance is just a couple of kilometers [29]. Using the SDI protocols described here, it can be significantly extended. Our results suggest a connection between security and MUB-based encoding-decoding schemes, which deserves further exploration. While this work studied the security of SDIQKD protocols with constrained capacity (dimension) of the communication channel, security based on other SDI constraints has also shown potential, for instance the oblivious constraint as introduced in [

(i)
where Notice that (25) and (26) divide Alice's preparations into two mutually exclusive subsets. Alice's states that maximize $P_E^{a_0=a_1}$, namely $\rho_{0,0,0}$, $\rho_{0,0,1}$, $\rho_{1,1,0}$, $\rho_{1,1,1}$, remain the same irrespective of whether Eve was able to correctly guess Bob's input ($e = b$) or not ($e \neq b$), simply because both of Alice's inputs are the same. This allows Eve to set these states equal to the projectors $M_0^0$, $M_1^0$, $M_0^1$, $M_1^1$, respectively, which in turn allows one to rewrite (24) as Now in order to find the maximum value of (26), consider one of the terms involved Tr ρ 010 M 0 0 + ηM 1 where the equality stems from the fact that $M_0^0 = I - M_0^1$. The maximum for this term is reached by setting $\rho_{010} = M_0^0$, which yields the final security condition (13).

(ii)
W.l.o.g. she fixes Alice's preparations to be MUBs, which is an optimal set of states for the standard (2 → 1) QRAC. Next, w.l.o.g., we characterize Eve's projective measurement using vectors from the same plane as the states in (29), $|M_e^{E=0}\rangle = \cos\frac{\alpha_e}{2}|0\rangle + \sin\frac{\alpha_e}{2}|1\rangle$, and $M_e^E = |M_e^E\rangle\langle M_e^E|$. This allows us to partition (12) into two parts based on different values of $e$. These parts are independent and, due to symmetry, equal. Therefore, we may rewrite $P_E(\eta)$ as which is $\mathrm{Tr}\left[M_{e=0}^{E=0}(\rho_{00} + \rho_{01}) + M_{e=0}^{E=1}(\rho_{10} + \rho_{11})\right]$ $\mathrm{Tr}\left[M_{e=0}^{E=0}(\rho_{00} + \rho_{10}) + M_{e=0}^{E=1}(\rho_{01} + \rho_{11})\right]$.

(iii)
Here the success probability for Eve is Notice that this expression constitutes four independent elements for specific values of the pair $(i, j)$. In order to find $P_E^{\max}(\eta)$, we need only find the maximizing condition for one term. Let us consider a particular pair $(i, j)$; then the expression for $P_E^{\max}(\eta)$ simplifies to $P_E^{\max}(\eta) =$ i,1−i yielding the same security condition as (13).

(iv)
In the case when Eve does not have access to quantum memory (IR), we can rewrite (19) in a convenient way as where $P_E^{a_0=a_1=a_2}$ is Eve's success probability for the case when all three of the input bits of Alice are equal and $P_E^{\mathrm{NOT}\{a_0=a_1=a_2\}}$ is Eve's success probability for the case when the three inputs of Alice are not equal. As Alice's states and Bob's measurement that maximize $P_E^{a_0=a_1=a_2}$ remain the same irrespective of whether Eve was able to guess Bob's input correctly or not, we can further rewrite this as Following exactly the same steps as above, this yields the security condition (20).

(v)
We find that the optimal states are where $\alpha$ and $\beta$ are parameters controlled by Eve. In this case the optimal encoding for the standard (3 → 1) QRAC is reproduced for $\alpha = \arccos$ A straightforward maximization yields the security condition (21).