Security proof for round-robin differential phase shift QKD

We give a security proof of the ‘round-robin differential phase shift’ (RRDPS) quantum key distribution scheme, and we give a tight bound on the required amount of privacy amplification. Our proof consists of the following steps. We construct an EPR variant of the scheme. We show that the RRDPS protocol is equivalent to RRDPS with basis permutation and phase flips performed by Alice and Bob; this causes a symmetrization of Eve’s state. We identify Eve’s optimal way of coupling an ancilla to an EPR qudit pair under the constraint that the bit error rate between Alice and Bob should not exceed a value β. As a function of β, we derive, for non-asymptotic key size, the trace distance between the real state and a state in which no leakage exists. We invoke post-selection in order to go from qudit-wise attacks to general attacks. For asymptotic key size, we obtain a bound on the trace distance based on the von Neumann entropy. Our asymptotic result for the privacy amplification is sharper than existing bounds. At low qudit dimension, even our non-asymptotic result is sharper than existing asymptotic bounds.


Introduction
Quantum Key Distribution and the RRDPS scheme
Quantum-physical information processing is different from classical information processing in several remarkable ways. Performing a measurement on an unknown quantum state typically destroys information; it is impossible to clone an unknown state by unitary evolution [1]; quantum entanglement is a form of correlation between subsystems that does not exist in classical physics. Numerous ways have been devised to exploit these quantum properties for security purposes [2]. By far the most popular and well studied type of protocol is Quantum Key Distribution (QKD). QKD was first proposed in a famous paper by Bennett and Brassard in 1984 [3]. Given that Alice and Bob have a way to authenticate classical messages to each other (typically a short key), and that there is a quantum channel from Alice to Bob, QKD allows them to create a random key of arbitrary length about which Eve knows practically nothing. BB84 works with two conjugate bases in a two-dimensional Hilbert space. Many QKD variants have since been described in the literature [4,5,6,7,8,9], using e.g. different sets of qubit states, EPR pairs, qudits instead of qubits, or continuous variables. Furthermore, various proof techniques have been developed [10,11,12,13]. In 2014, Sasaki, Yamamoto and Koashi introduced Round-Robin Differential Phase-Shift (RRDPS) [14], a QKD scheme based on d-dimensional qudits. It has the advantage that it is very noise resilient while being easy to implement using photon pulse trains and interference measurements. One of the interesting aspects of RRDPS is that it is possible to omit the monitoring of signal disturbance. Even at high disturbance, Eve can obtain little information I_AE about Alice's secret bit. The value of I_AE determines how much privacy amplification is needed. As a result of this, the maximum possible QKD rate (the number of actual key bits conveyed per quantum state) is 1 − h(β) − I_AE, where h is the binary entropy function and β the bit error rate.

Prior work on the security of RRDPS
The security of RRDPS has been discussed in a number of papers [14,16,17,18]. The original RRDPS paper gives an upper bound for asymptotic key length, (Eq. 5 in [14] with photon number set to 1). The security analysis in [14] is based on an entropic inequality for non-commuting measurements. There are two issues with this analysis. First, the proof is not written out in detail. Second, it is not known how tight the bound is.
Ref. [16] follows [14] and does a more accurate computation of phase error rate, tightening the 1/(d − 1) in (1) to 1/d. In [17] Sasaki and Koashi add β-dependence to their analysis and claim a bound and 1  2 ]. The analysis in [18] considers only intercept-resend attacks, and hence puts a lower bound on Eve's potential knowledge,

Contributions and outline
In this paper we give a security proof of RRDPS in the case of coherent attacks. We give a bound on the required amount of privacy amplification. We adopt a proof technique inspired by [11], [13] and [10]. We consider the case where Alice and Bob do monitor the channel (i.e. they are able to tune the amount of privacy amplification (PA) as a function of the observed bit error rate) as well as the saturated regime where the leakage does not depend on the amount of noise.
- We show that the RRDPS protocol is equivalent to a protocol that contains an additional randomisation step by Alice and Bob. The randomisation consists of phase flips and a permutation of the basis states. We construct an EPR variant of RRDPS-with-randomisation; it is equivalent to RRDPS if Alice creates the EPR pair and immediately does her measurement. The effect of the randomisation is that Alice and Bob's entangled state after Eve's attack on the EPR pair is symmetrised and can be described using just four real degrees of freedom.
- We identify Eve's optimal way of coupling an ancilla to an EPR qudit pair under the constraint that the bit error rate between Alice and Bob does not exceed some value β.
- We consider an attack where Eve applies the above coupling to each EPR qudit-pair individually. We compute an upper bound on the statistical distance of the full QKD key (after PA) from uniformity, conditioned on Eve's ancilla states. From this we derive how much privacy amplification is needed. The result does not depend on the way in which Eve uses her ancillas, i.e. she may apply a postponed coherent measurement on the whole system of ancillas.
- We compute the von Neumann mutual information between one ancilla state and Alice's secret bit. This provides a bound on the leakage in the asymptotic (long key) regime [12]. Our result is sharper than [14].
- We provide a number of additional results by way of supplementary information. (i) We show that Eve's ancilla coupling can be written as a unitary operation on the Bob-Eve system. This means that the attack can be executed even if Eve has no access to Alice's qudit; this is important especially in the reduction from the EPR version to the original RRDPS. (ii) We compute the min-entropy of one secret bit given the corresponding ancilla. (iii) We compute the accessible information (mutual Shannon entropy) of one secret bit given the corresponding ancilla. The min-entropy and accessible-information results are relevant for collective attacks.
In Section 2 we introduce notation and briefly summarise the RRDPS scheme, the attacker model, and extraction of classical information from (mixed) quantum states. Section 3 states the main result: the amount of privacy amplification needed for RRDPS to be secure, (i) at finite key length and (ii) asymptotically. The remainder of the paper builds towards the proof of these results, and provides supplementary information about the leakage in terms of min-entropy loss and accessible (Shannon) information.
In Section 4 we show that the randomisation step does not modify RRDPS, and we introduce the EPR version of the protocol. In Section 5 we impose the constraint that Eve's actions must not cause a bit error rate higher than β, and determine which mixed states of the Alice-Bob system are still allowed. There are only two scalar degrees of freedom left, which we denote as µ and V.
In Section 6 we do the purification of the Alice-Bob mixed state, thus obtaining an expression for the state of Eve's ancilla. Although the ancilla space has dimension d^2, we show that only a four-dimensional subspace is relevant for the analysis. In Section 7 we prove the non-asymptotic main result by deriving an upper bound on the statistical distance between the distribution of the QKD key and the uniform distribution, conditioned on Eve's ancillas. In Section 8 we prove the asymptotic result by computing Eve's knowledge in terms of von Neumann entropy. In Section 9 we study collective attacks. Section 10 compares our results to previous bounds.

Notation and terminology
Classical Random Variables (RVs) are denoted with capital letters, and their realisations with lowercase letters. The probability that a RV X takes value x is written as Pr[X = x]. The expectation with respect to RV X is denoted as Bitwise XOR of binary strings is written as '⊕'. The Kronecker delta is denoted as δ_ab. For quantum states we use Dirac notation. The notation 'tr' stands for trace. The Hermitian conjugate of an operator A is written as A†. When A is a complicated expression, we sometimes write (A + h.c.) instead of A + A†. The complex conjugate of z is denoted as z*. We use the Positive Operator Valued Measure (POVM) formalism. A POVM M consists of positive semidefinite operators, M = (M_x)_{x∈X}, M_x ≥ 0, and satisfies the condition The trace distance between matrices ρ and σ is denoted as D(ρ, σ) = (1/2)‖ρ − σ‖_1; it is a generalisation of the statistical distance and represents the maximum possible advantage one can have in distinguishing ρ from σ. Consider a uniform classical variable X and a mixed state ρ(X) that depends on X. The combined quantum-classical state is E_x |x⟩⟨x| ⊗ ρ(x). The statistical distance between X and a uniform variable given ρ(X) is a measure of the security of X given ρ. This distance is given by [19] D(X|ρ(X)) i.e. the distance between the true quantum-classical state and a state in which the quantum state is decoupled from X. The term Privacy Amplification is abbreviated as PA.

(Min-)entropy of a classical variable given a quantum state
The notation M(ρ) stands for the classical RV resulting when M is applied to mixed state ρ. Consider a bipartite system 'AB' where the 'A' part is classical, i.e. the state is of the form ρ_AB = E_{x∈X} |x⟩⟨x| ⊗ ρ_x with the |x⟩ forming an orthonormal basis. The min-entropy of the classical RV X given part 'B' of the system is [20] H_min(X|ρ_X) = − log max Here If a POVM can be found that satisfies the condition [21] ∀ x∈X : then there can be no better POVM for guessing X (but equally good POVMs may exist). For states that also depend on a classical RV Y ∈ Y, the min-entropy of X given the quantum state and Y is A simpler expression is obtained when X is a binary variable. Let X ∈ {0, 1}. Then X ∼ (p_0, p_1) : This generalizes in a straightforward manner for states that depend on multiple classical RVs. The Shannon entropy of a classical variable given a measurement on a quantum state is given by The 'accessible information' is defined as the mutual information H(X) − H(X|ρ_X). In contrast to the min-entropy case, there is no simple test analogous to (5) which tells you whether a local minimum in (8) is a global minimum.

The RRDPS scheme in a nutshell
The dimension of the qudit space is d. The basis states are denoted as |t⟩, with time indices t ∈ {0, ..., d − 1}. Whenever we use notation "t_1 + t_2" it should be understood that the addition of time indices is modulo d. The RRDPS scheme consists of the following steps.
Alice and Bob now have a shared secret bit s.
This procedure is repeated multiple times.
To detect eavesdropping, Alice and Bob can compare a randomly selected fraction of their secret bits. If this comparison is not performed, Alice and Bob have to assume that Eve learns as much as when causing bit error rate β = 1/2. This mode of operation (without monitoring) was proposed in the original RRDPS paper [14]. Finally, on the remaining bits Alice and Bob carry out the standard procedures of information reconciliation and privacy amplification.
The security of RRDPS is intuitively understood as follows. A measurement in a d-dimensional space cannot extract more than log d bits of information. The state |µ_a⟩, however, contains d − 1 pieces of information, which is a lot more than log d. Eve can learn only a fraction of the string a embedded in the qudit. Furthermore, what information she has is of limited use, because she cannot force Bob to select specific phases. (i) She cannot force Bob to choose a specific r value. (ii) Even if she feeds Bob a state of the form |Ψ (r) u , where r accidentally equals Bob's r, then there is a 1/2 probability that Bob's measurement M^(r) yields k = with random s.

Attacker model; channel monitoring
There is a quantum channel from Alice to Bob. There is an authenticated but non-confidential classical channel between Alice and Bob. We allow Eve to attack individual qudit positions in any way allowed by the laws of quantum physics, e.g. using unbounded quantum memory, entanglement, lossless operations, arbitrary POVMs, arbitrary unitary operators etc. All bit errors observed by Alice and Bob are assumed to be caused by Eve. Eve cannot influence the random choices of Alice and Bob, nor the state of their (measurement) devices. There are no side channels. This is the standard attacker model for quantum-cryptographic schemes.
We consider the following channel monitoring technique. Alice and Bob test the bit error rate for each combination (a, k) separately, demanding that for each (a, k) the observed bit error rate does not exceed β < β. Furthermore they test if k is uniform for every a. Since Eve has no control over r, passing these tests implies that for all (a, k, r) the bit error probability does not exceed β with overwhelming probability. The number of 'sacrificed' qudits required to implement all the tests on the bit error rate is of order 2^d · d · log κ, where κ is the length of the final key [15]. We will assume that n is chosen sufficiently large to ensure d2 d log κ n.
We will analyze an attack in which Eve couples an ancilla to each EPR pair individually in the same way, i.e. causing the same bit error probability (β). This looks like a serious restriction on Eve. However, it will turn out (Section 7) that the leakage is a concave function of β, which means that it is sub-optimal for Eve to use different ways of coupling for different EPR pairs. We will see that the leakage becomes constant when β reaches a saturation point. If Alice and Bob are willing to tolerate such a noise level, then channel monitoring is no longer necessary for determining the leakage; they just assume that the maximum possible leakage occurs. (Monitoring is still necessary to determine which error-correcting code should be applied.) Note that for large d it becomes impractical to determine the bit error rate for each combination (a, k) individually due to the exponential factor 2^d; the saturation value of the leakage should be assumed.

Main results
Our first result is a non-asymptotic bound on the secrecy of the QKD key.
Theorem 1 Let r = (r_1, ..., r_n) be the values of the parameter r in n rounds of RRDPS, and similarly k = (k_1, ..., k_n). Let z ∈ {0, 1} be the QKD key derived from the n rounds. Let u be the (public) random seed used in the privacy amplification. Let ω(z, u, r, k) be the joint state of Eve's n ancillas. The distance of Z from uniformity, given all Eve's available information, classical and quantum, can be bounded as where T is given by and β* is a saturation value that depends on d as where x_d is the solution on (0, 1) of the equation
For asymptotically large n, it has been shown [19], using the properties of smooth Rényi entropies, that , where I_AE is the single-qudit von Neumann information leakage S(E) − S(E|S ). Here 'E' stands for Eve's ancilla state and S is Alice's secret bit. Our second result is a computation of the von Neumann leakage I_AE for RRDPS.

Theorem 2
The information leakage about the secret bit S' given R, K and Eve's quantum state, in terms of von Neumann entropy, is given by: Here β_0 is a saturation value (different from β*) given by where y_d is the unique positive root of the polynomial y^(d−1) + y − 1.
The theorems are proven in Sections 7 and 8. The formulation of the security in terms of statistical distance ensures that the results are Universally Composable. In Section 8 we will see that Theorem 2 is sharper than (2) and hence allows for a higher QKD rate /n.

RRDPS is equivalent to RRDPS with random permutations
We show that inserting a symmetrisation step into RRDPS does not affect the protocol. More specifically, the following protocol is equivalent to RRDPS. The equivalence is shown as follows. After step S2, the state is 1 . Hence Alice's process {state preparation followed by π} can be replaced by {acting with π^−1 on a followed by state preparation}. Similarly, Bob's process {apply π^−1 to state; pick random r; do M^(r); send k, } has exactly the same effect as {pick random r; do M^(r); apply π to k, l; send π(k), π( )}. Next, Bob's computation of π(k), π( ) can be moved to Alice. Then, Alice's actions {pick random a; send π^−1(a) to state preparation; send a to step S6} can be replaced by {pick random a ; send a to state preparation; send π(a) to step S6}. Finally, in step S6 we use π(a) π(k) = a k and π(a) π( ) = a .
Remark. In step S3 it is crucial that Eve does not know π at the moment of her manipulation of the state. This will allow us to derive a symmetrised form of the density matrix in Section 4.3.

RRDPS is equivalent to RRDPS with random phase flips
Analogous with Section 4.1, it can be seen that adding an extra phase-flipping step to RRDPS does not affect RRDPS. Consider the following protocol. The equivalence to RRDPS is seen as follows. After step F2 the state is |µ_{a⊕c}⟩. Hence Alice's process {pick random a; prepare state; flip with c} is equivalent to {pick random a; flip with c; prepare state}. Similarly, Bob's process {flip with c; pick random r; do M^(r)} is equivalent to {pick random r; do M^(r); change s to s ⊕ c k ⊕ c }. This holds because in the first case Bob obtains s = (a ⊕ c) k ⊕ (a ⊕ c) = (a k ⊕ a ) ⊕ c k ⊕ c . Furthermore, Alice's steps {pick random a; send a to computation of s and flipped a to state preparation} are equivalent to {pick random a ; send flipped a to computation of s and a to state preparation}. The final effect of these transformations of the 'F' protocol is that (i) there is no physical phase flipping at all, (ii) Bob needs no quantum memory, and (iii) Alice and Bob both obtain a secret bit (a k ⊕ a ) ⊕ c k ⊕ c ; though not equal to a k ⊕ a , it is statistically the same.
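The following simulation is an added example, not code from the paper: it runs a noiseless RRDPS round (Bob measures, announces k and k + r mod d, Alice combines the two corresponding bits of a) and checks the permutation and phase-flip equivalences argued in the two sections above. It assumes |µ_a⟩ = d^(−1/2) Σ_t (−1)^(a_t) |t⟩ and a rank-one POVM element M_ks = (1/2)|Ψ_ks⟩⟨Ψ_ks| with |Ψ_ks⟩ = (|k⟩ + (−1)^s |k+r⟩)/√2, chosen to agree with the sum over s quoted later in the text; all function names are hypothetical.

```python
import math
import random


def mu_state(a):
    """Amplitudes of |mu_a> = d^(-1/2) * sum_t (-1)^(a_t) |t> (assumed form)."""
    scale = 1.0 / math.sqrt(len(a))
    return [-scale if bit else scale for bit in a]


def bob_outcome_probs(psi, r):
    """Distribution of Bob's outcome (k, s) when he applies M^(r) to psi.

    Assumed POVM element: M_ks = 1/2 |Psi_ks><Psi_ks| with
    |Psi_ks> = (|k> + (-1)^s |k+r>) / sqrt(2), time indices mod d.
    """
    d = len(psi)
    probs = {}
    for k in range(d):
        for s in (0, 1):
            sign = -1.0 if s else 1.0
            overlap = (psi[k] + sign * psi[(k + r) % d]) / math.sqrt(2)
            probs[(k, s)] = 0.5 * overlap * overlap
    return probs


def povm_sum(d, r):
    """Sum of all M_ks as a d x d matrix; the identity for a valid POVM."""
    total = [[0.0] * d for _ in range(d)]
    for k in range(d):
        j = (k + r) % d
        for s in (0, 1):
            sign = -1.0 if s else 1.0
            total[k][k] += 0.25
            total[j][j] += 0.25
            total[k][j] += 0.25 * sign
            total[j][k] += 0.25 * sign
    return total


def sample_outcome(probs, rng):
    """Draw one (k, s) pair according to the outcome distribution."""
    outcomes = sorted(probs)
    return rng.choices(outcomes, weights=[probs[o] for o in outcomes])[0]


def rrdps_round(d, rng):
    """One noiseless round: returns (Bob's bit, Alice's bit, k, k+r mod d)."""
    a = [rng.randrange(2) for _ in range(d)]
    r = rng.randrange(1, d)
    k, s_bob = sample_outcome(bob_outcome_probs(mu_state(a), r), rng)
    partner = (k + r) % d            # the second index Bob announces
    s_alice = a[k] ^ a[partner]      # Alice's side of the sifted bit
    return s_bob, s_alice, k, partner


def permute_string(a, pi):
    """pi(a): the bit at time index t moves to time index pi[t]."""
    out = [0] * len(a)
    for t, bit in enumerate(a):
        out[pi[t]] = bit
    return out


def symmetrised_round_agrees(d, rng):
    """Check both equivalences on one random round.

    Phase flips: Bob measures |mu_{a xor c}> and corrects s with c_k xor c_partner.
    Permutation: pi(a) read at pi(k), pi(partner) gives the same bit as a at k, partner.
    """
    a = [rng.randrange(2) for _ in range(d)]
    c = [rng.randrange(2) for _ in range(d)]
    pi = list(range(d))
    rng.shuffle(pi)
    r = rng.randrange(1, d)
    flipped = [x ^ y for x, y in zip(a, c)]
    k, s = sample_outcome(bob_outcome_probs(mu_state(flipped), r), rng)
    partner = (k + r) % d
    reference = a[k] ^ a[partner]
    flip_ok = (s ^ c[k] ^ c[partner]) == reference
    pa = permute_string(a, pi)
    perm_ok = (pa[pi[k]] ^ pa[pi[partner]]) == reference
    return flip_ok and perm_ok


if __name__ == "__main__":
    rng = random.Random(1)
    rounds = [rrdps_round(8, rng) for _ in range(1000)]
    print("bit errors in 1000 noiseless rounds:",
          sum(sb != sa for sb, sa, _, _ in rounds))
    print("symmetrisation identities hold:",
          all(symmetrised_round_agrees(8, rng) for _ in range(1000)))
```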

EPR version
We introduce a protocol based on EPR pairs that is equivalent to the combined 'S' and 'F' protocols, and hence also equivalent to RRDPS.
E1 A maximally entangled two-qudit state is prepared. One qudit ('A') is intended for Alice, and one ('B') for Bob.
E2 Eve does something with the EPR pair. Then Alice and Bob each receive their own qudit.
E3 Alice and Bob pick a random permutation π. They both apply π to their own qudit. Then they forget π.
E4 Alice and Bob pick a random string c ∈ {0, 1}^d. They both apply phase flips |t⟩ → (−1)^(c_t) |t⟩ to their own qudit. Then they forget c.
E5 Alice performs a POVM Q = (Q_z)_{z∈{0,1}^d} on her own qudit, where This results in a measured string a ∈ {0, 1}^d.
E6 Bob picks a random integer r ∈ {1, ..., d − 1} and performs the POVM measurement M^(r) on his qudit. The result of the measurement is an integer k ∈ {0, ..., d − 1} and a bit s. Bob computes = k + r mod d. Bob announces k, .
E7 Alice computes s = a k ⊕ a .
The equivalence to the protocol in Section 4.1 is seen as follows. First, let Alice be the origin of the EPR pair, and let her perform Q as soon as she has created the EPR pair. This process is equivalent to preparing a qudit state |µ_a⟩ with random a. The only difference is that the EPR protocol allows Eve to couple her ancilla to the AB system instead of only the B system. Hence the EPR version overestimates Eve's power. Security of the EPR version implies security of the original RRDPS. Furthermore, the permutations and phase flips in steps E3, E4 cancel out exactly like in protocols 'S' and 'F'.
Remark: The protocol equivalences in Sections 4.1-4.3 can be nicely visualised using diagrammatic techniques [22]. We do not show the protocol diagrams in this paper.

Lemma 1
The hermitian matrices Q_z as defined in (20) form a POVM, i.e. Σ_{z∈{0,1}^d} Q_z = 1. Proof: Alice and Bob's measurements can be carried out in the opposite order. It is not important whether Q is practical or not; it is a theoretical construct which allows us to build an EPR version of RRDPS.

Effect of the random transforms: state symmetrisation
Let ρ AB denote the pure EPR state of Alice and Bob, and let ρAB be the mixed state of the AB system after Eve's manipulation in step E2. We write ρAB = t,t ,τ,τ ∈{0,...,d−1} with ρττ tt = (ρ tt τ τ ) * and tt ρtt tt = 1. The effect of step E3 is that the AB state gets averaged over all permutations, i.e. we get the following mapping Next, the random phase flips reduce the degrees of freedom even further. Let F_c be the phase flip operator.
From (26) we see that any time index that occurs an odd number of times will be wiped out, i.e. E_c (−1)^(c_t) = 0. The only surviving degrees of freedom are the constants ρss ss , ρss tt , ρst st and ρst ts (all with t = s and arbitrary s, t). Note that all four constants are real-valued.

Imposing the noise constraint
The channel monitoring restricts the ways in which Eve can alter the AB state without being detected. We will determine the most general allowed ρAB that is compatible with bit error rate β for all values of (a, k, r, s). (We will later see that it is optimal for Eve to cause the same bit error rate in all rounds. This is due to the concavity of the leakage as a function of the error rate.) We introduce the notation
Lemma 2 Let Alice and Bob's bipartite state be ρAB, and let them perform the measurements Q and M^(r) respectively. At given r, the joint probability of the outcomes a, k, s is given by Proof: ]. We now impose the constraint that the event s = s occurs with probability β for all combinations (a, k, r),
Theorem 3 The constraint (29) can only be satisfied by a density function of the form Proof: We rewrite the constraint (29) as Then we use the fact that ρAB depends only on four real-valued constants, which we write as = ρst ts (with s = t and arbitrary s, t). In terms of these constants, the probability (28) is expressed as
Theorem 3 shows that (at fixed β) there are only two degrees of freedom, µ and V, in Eve's manipulation of the EPR pair.

Purification
According to the attacker model we have to assume that Eve has the purification of the state ρAB .The purification contains all information that exists outside the AB system.

The purified state and its properties
We introduce the following notation,
Lemma 3 The ρAB given in (30) has the following orthonormal eigensystem, The term proportional to 1 in (30) yields a contribution (2β − µ)/d^2 to each eigenvalue.
First we look at |α_j⟩. We have ⟨α_0|α_j⟩ = δ_j0. Furthermore t t|α j = δ t t e i In diagonalised form the ρAB is given by The purification is where we have introduced orthonormal basis states |E j , |E ± tt in Eve's Hilbert space. In Appendix A we give more details on Eve's unitary operation.

Eve's state
Eve waits for Alice and Bob to perform their measurements and reveal k and r.
Proof: The POVM elements Q a and M In the summation of the factor (−1)^(a_t+a_τ) in the second term, any summation at (−1) at yields zero. The only nonzero contribution arises when t = k, τ = k + r or t = k + r, τ = k; the a-summation then yields a factor 2^(d−2).

Lemma 6 It holds that
and the diagonal representation of σ rk s is Proof: We have We use Lemma 6 to evaluate the E a factor. We use Σ_s M^(r)_ks = (1/2)|k⟩⟨k| + (1/2)|k + r⟩⟨k + r|. This allows us to write everything in terms of |w tt states. For t = t we have and for t = t we have The following properties hold (t = t ) w tt |w tt = 0 , w tt |w t t = 0 (60) We get After some tedious algebra the result (54) follows.
Corollary 1 It holds that Proof: Follows directly from Theorem 4 by discarding the terms in (54) that contain (−1) s (the AC and BD crossterms).

Corollary 2
The difference between σ rk 0 and σ rk 1 can be written as Proof: Using Theorem 4, we see everything except the AC and BD crossterms cancel from (54).

Statistical distance; proof of Theorem 1
Now that we have described Eve's most general allowed state, and how it is connected to Alice's secret bit s , it is time to prove Theorem 1. Let r_i be the 'r'-value in round i and similarly k_i, s_i. We use the notation r = (r_1, ..., r_n), k = (k_1, ..., k_n). Let x = (s_1, ..., s_n). Let z ∈ {0, 1} be the QKD key obtained by applying privacy amplification to x, i.e. z = Ext(x, u), where Ext is a universal hash function (UHF) and u ∈ U is public randomness. At given (r, k) the quantum-classical state describing the whole system is We take the z-average of ω, Note that ω_av does not depend on u. Furthermore we define the 'ideal' decoupled state as and we introduce the notation ∆(z, u, r, k) = ω(z, u, r, k) − ω_av(r, k).
We look at the security of Z given r, k, U and ω(Z, U, r, k). We follow definition (3) and write Z's distance from uniformity as Proof: This follows from the block structure of ρ − ρ_id. The list of eigenvalues of ρ − ρ_id is obtained by combining the individual eigenvalue lists of the ∆(z, u, r, k) for all combinations (z, u).
Lemma 8 It holds that Proof: We apply Jensen's inequality.
Lemma 9 It holds that Proof: From the definition of ω and ω av we get Proof: Follows directly from Theorem 4.

Lemma 11
The statistical distance between the real and ideal state can be bounded as Proof: Substitution of Lemma 9 into Lemma 8 into Lemma 7 gives ρ(r, k) . The trace does not depend on the actual value of r_i and k_i.
Corollary 3 Let ε be a small constant. The distance ‖ρ(r, k) − ρ_id(r, k)‖_1 can be made equal to ε by setting Remark. Corollary 3 provides a tighter bound on the QKD rate than similar statements based on Rényi-2 entropy. We are able to compute the square root in tr σ 2 0 + σ 2 1 , whereas in Rényi-2 entropy Jensen's inequality is used to bound the trace as Since Eve is still free to choose the parameters µ and V (or, equivalently, λ_+ and λ_−) she can choose them such that ‖ρ(r, k) − ρ_id(r, k)‖_1 is maximized.
Theorem 5 Eve's choice that maximises ‖ρ(r, k) − ρ_id(r, k)‖_1 is given by Here β* is a saturation value that depends on d as follows, where x_d is the solution on (0, 1) of the equation Proof: We start from (75). At β = 1/2 the expression for T is symmetric in λ_+ and λ_−. Hence the overall maximum achievable at any β lies at λ + = λ − = q d(d−2) for some as yet unknown q. We have On the other hand, we note that substitution of (77) into (75) yields (76), which is precisely of the form ζ(q, d) if we identify 2β ≡ q. Hence, at some β < 1/2 it is already possible to achieve T = T β=1/2 max , i.e. we have saturation. We note that substitution of (79) into (75) yields (78). The saturation value β* is found by solving ∂ζ(2β, d)/∂β = 0; after some simplification, this equation can be rewritten as (81) by setting x = 2β/(1 − 2β) (footnote 10).
The upper bound on the amount of information that Eve has about S is 2 log T. This is a concave function of β (see Fig. 1). Hence there is no advantage for Eve to cause different error rates in different rounds. For Eve it is optimal to cause error rate β in every round. This concludes the proof of Theorem 1.
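The privacy amplification step used in this proof, z = Ext(x, u) with a universal hash function and a public seed u, can be made concrete as follows; this is an added example, not code from the paper. The Toeplitz family is an assumed choice of UHF (the paper does not fix one), the output length uses the asymptotic rate 1 − h(β) − I_AE from the Introduction with I_AE supplied by the caller, and all function names are hypothetical.

```python
import itertools
import math


def binary_entropy(p):
    """Binary entropy h(p) in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def final_key_length(n_bits, beta, leak_per_bit):
    """Key bits left from n_bits sifted bits at rate 1 - h(beta) - I_AE.

    leak_per_bit is I_AE, taken as an input here; a non-positive rate
    means no key can be extracted.
    """
    rate = 1.0 - binary_entropy(beta) - leak_per_bit
    return max(0, math.floor(n_bits * rate))


def toeplitz_extract(x, u, out_len):
    """z = Ext(x, u): multiply x by an out_len x n Toeplitz matrix over GF(2).

    The matrix is T[i][j] = u[i - j + n - 1], so the public seed u needs
    n + out_len - 1 bits, far fewer than a fully random matrix.
    """
    n = len(x)
    if len(u) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    z = []
    for i in range(out_len):
        bit = 0
        for j in range(n):
            bit ^= u[i - j + n - 1] & x[j]
        z.append(bit)
    return z


def collision_count(x1, x2, out_len):
    """Number of seeds u for which x1 and x2 hash to the same z (exhaustive)."""
    n = len(x1)
    seeds = itertools.product((0, 1), repeat=n + out_len - 1)
    return sum(
        1 for u in seeds
        if toeplitz_extract(x1, u, out_len) == toeplitz_extract(x2, u, out_len)
    )


def is_universal(n, out_len):
    """Exhaustively verify Pr_u[Ext(x,u) = Ext(x',u)] = 2^(-out_len) for x != x'."""
    expected = 2 ** (n + out_len - 1) // 2 ** out_len
    inputs = list(itertools.product((0, 1), repeat=n))
    return all(
        collision_count(x1, x2, out_len) == expected
        for x1, x2 in itertools.combinations(inputs, 2)
    )


if __name__ == "__main__":
    # Constructed numbers, for illustration only.
    print("key bits from 10000 sifted bits:", final_key_length(10000, 0.05, 0.2))
    print("Toeplitz family universal for n=4, out_len=2:", is_universal(4, 2))
```

The exhaustive check is only feasible for toy sizes; it shows the collision probability 2^(−out_len) that the universal-hash assumption on Ext requires.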

Lemma 12
The large-d asymptotics of the saturation value β* is given by which yields Proof: We set , where a is supposedly of order 1, and substitute this into (81). This yields a , which is indeed of order 1. Substitution of x_d into (80) gives (83), and substitution of β* into (78) gives (84). Finally, substitution of (84) into Lemma 11 yields (85).

Von Neumann entropy
Here we prove Theorem 2. Using smooth Rényi entropies it was shown in [12] that, in the large n limit, the von Neumann leakage per qubit is the relevant quantity for determining the required amount of PA (footnote 11). We denote the leakage from Alice to Eve, in terms of von Neumann entropy, I_AE.
Footnote 10: After some rewriting it can be seen that (81) is equivalent to a complicated 6th order polynomial equation. We have not yet been able to prove that the solution on (0, 1) is unique. Our numerical solutions however indicate that this is the case.
Footnote 11: By applying Jensen's inequality once more to lemma 8, we can move the trace into the square root and get an expression which is equivalent to lemma 4.4 in [19]. After this point the proof structure from [19] can be followed. Thus the Von Neumann leakage is also an asymptotic case of our statistical distance result Theorem 1.

It is given by
In the last line we used that the eigenvalues of σ rk s and σ rk 0 + σ rk 1 do not actually depend on r and k. Again λ_+ and λ_− can be optimized to Eve's advantage.
Theorem 6 Eve's choice that maximizes the von Neumann leakage is given by Here β_0 is a saturation value that depends on d as follows, where y_d is the unique positive root of the polynomial y^(d−1) + y − 1.
Proof: We start from (86). We note that the eigenvalue set of (σ rk 0 + σ rk 1 )/2 largely coincides with that of σ rk 0 and σ rk 1 (Theorem 4 and Corollary 1). What remains of (86) comes entirely from the |A , |B , |C , |D subspace, We note that (92) is invariant under the transformation (β At β = 1/2, the largest leakage that Eve can cause is max λ g(d, λ) = g(d, λ*). Next we note that substitution of (90) into (92) yields (89); this has the same form as g(d, λ) (93) if we make the identification λd(d − 2) = 2β_0. Moreover, by setting β_0 = (1/2) λ* d(d − 2), Eve achieves the overall maximum leakage g(d, λ*) already at a value of β smaller than 1/2. Since the maximum leakage cannot decrease with β, this implies that the maximum leakage saturates at β = β_0 and stays ], which interval coincides with the region allowed by the constraints on µ, V. The function g has a single maximum at some point λ*.
This is equivalent to the polynomial equation ) This precisely matches (91), because of the optimal choice . By Descartes' rule of signs, the function y^(d−1) + y − 1 has exactly one positive root. When β is decreased below β_0, the location (λ_−, λ_+) of the maximum of the stationary point of I_AE leaves the 'allowed' triangular region; this happens at a corner of the triangle, λ_− = 0, . For β < β_0 this corner yields the highest achievable leakage. Substitution of (88) into (92) yields (87). This concludes the proof of theorem 2. Note that the leakage I_AE is a concave function of β. Hence it is optimal for Eve to cause error rate β in every round.

Collective attacks
By way of supplementary information we present a number of results about collective attacks. These are attacks on individual qudits, i.e. Eve performs the same measurement on every individual ancilla that she holds. First, this teaches us which kind of measurement is informative for Eve. Second, it quantifies the gap between what is provable for general attacks and what is provable for more restricted attacks. We compute leakage in terms of min-entropy loss and in terms of accessible (Shannon) information. Since min-entropy is a very conservative measure we will see that the min-entropy loss exceeds the leakage found in Theorems 1 and 2. The main interest is in Eve's measurement itself. The accessible information is the relevant quantity when Eve's quantum memory is short-lived, forcing her to perform a measurement on her ancillas before she has observed Alice and Bob's usage of the QKD key. As expected, the accessible information will turn out to be smaller than the leakage of Theorems 1 and 2.
Lemma 14 For all r, k the choice for λ + and λ − that maximizes the trace distance 1 2 σ rk 0 − σ rk which gives Proof: From Corollary 2 it is easy to see that In Appendix B we derive the λ + , λ − that maximize (101) while keeping all eigenvalues nonnegative.
Remark. The optimal choice for $\lambda_+, \lambda_-$ has the same form for all three optimizations that we have performed. The only difference is the saturation value. Although (99) is shown in a simplified form one can manipulate it to the same form as (79) and (90) with $\beta_{\rm sat}$ instead of $\beta_*$ or $\beta_0$.
Fig. 3 shows the optimal $\lambda_+$ and $\lambda_-$ together with the constraints on the λ parameters for all three optimizations. The lower dots in the figure correspond to $\beta = \tfrac{1}{2}$. For all three information measures the optimum moves towards the top corner of the triangle for decreasing β. For β values below the saturation point the optimum is the top corner, with $\lambda_- = 0$ and $\lambda_1 = 0$.
Knowing the optimal values for $\lambda_+$ and $\lambda_-$, we compute the min-entropy leakage. Theorem 7 The min-entropy of the bit S given R, K and the state $\sigma^{RK}_S$ is Proof: Eq. (7) with X uniform, X → S, Y → (R, K) becomes In the last step we omitted the expectation over r and k since the trace distance does not depend on r, k. Substitution of (100) into (104) gives the end result.
Corollary 4 Eve's optimal POVM $T^{rk} = (T^{rk}_0, T^{rk}_1)$ for maximising the min-entropy leakage is given by Proof: The trace distance in Lemma 14 is the sum of the positive eigenvalues of $\sigma^{rk}_0 - \sigma^{rk}_1$. In the space spanned by $|A\rangle, |B\rangle, |C\rangle, |D\rangle$, the optimal $T_0$ consists of the projection onto the space spanned by the eigenvectors corresponding to the positive eigenvalues. These eigenvectors are . The matrix that projects onto them is In order to satisfy the constraint $T_0 + T_1 = \mathbb{1}$ and symmetry, half the identity matrix in the remaining $d^2 - 4$ dimensions has to be added to $T_0$. We mention, without showing it, that (105) satisfies the test (5).
As expected, the min-entropy loss decreases as the dimension of the Hilbert space grows. We see that the entropy loss saturates at $\beta = \beta_{\rm sat}$; hence RRDPS is secure up to arbitrarily high noise levels. Fig. 4 shows the min-entropy leakage as a function of β.

Accessible Shannon information
Lemma 15 Let X ∈ X be a uniformly distributed random variable. Let Y ∈ Y be a random variable. Let $\rho_{xy}$ be a quantum state coupled to the classical x, y. The Shannon entropy of X given a state $\rho_{XY}$ that has to be measured (for unknown X and Y) is given by Proof: We have $H(X|\rho_{XY}) = \min_M H(X|Z)$, where Z is the outcome of the POVM measurement M. Z is a classical random variable that depends on X and Y. We can write H(X|Z) = H(X) − H(Z) + H(Z|X). Since X is uniform, and Z is an estimator for X, Z is uniform as well.
where in the last step we used the definition of $\sigma^{rk}_s$. Finally, the Shannon entropy of a binary variable is given by the binary entropy function h, where h(1 − p) = h(p). From Corollary 5 we see that the POVM $T^{rk}$ associated with the min-entropy also optimizes the Shannon entropy: maximizing the guessing probability $\mathrm{tr}\, G^{rk}_s \sigma^{rk}_s$ minimizes the Shannon entropy. Theorem 8 The Shannon entropy of Alice's bit S given the state σ RK AS , R and K is: Proof: The min-entropy result (102,103) can be written as $H_{\min}(S|RK\sigma^{RK}_S) = -\log \mathrm{tr}\, T^{rk}_s \sigma^{rk}_s$, so we already have an expression for $\mathrm{tr}\, T^{rk}_s \sigma^{rk}_s$. Substitution of $T^{rk}$ for $G^{rk}$ in (107) yields the result.
Since the optimal POVM for min- and Shannon entropy are the same, saturation occurs at the same point ($\beta = \beta_{\rm sat}$).

Comparison with previous analyses
Our Theorem 1 is non-asymptotic; we cannot compare it to previous results since the previous results are for the asymptotic regime. Figs. 6 and 7 show our results versus previous bounds on the leakage. It is clear that our von Neumann result is sharper than [17] for all β and d. Interestingly, our non-asymptotic result for the saturated leakage is sharper than the asymptotic [17] for d ≤ 22. Note too that saturation occurs at lower β (especially for small d) than reported in [17].
Proof: Follows directly from (113) by tracing out Eve's space and using the inner product $\langle A^a_\tau | A^a_t \rangle = (1 - 2\beta)$ for $\tau \neq t$. From Bob's point of view, what he receives is a mixture of the $|\mu_a\rangle$ state and the fully mixed state. The interpolation between these two is linear in β. Note that the parameters µ, V are not visible in $\rho^B_a$.

B Optimization for the min-entropy
Here we prove that (98,99) maximizes (101). We first show that (101) is concave and obtain the optimum for $\beta \ge \beta_{\rm sat}$. Then we take into account the constraints on the eigenvalues and derive the optimum for $\beta < \beta_{\rm sat}$. Unconstrained optimization. For notational convenience we define = dλ − w 1 + dλ + w 2 . (119) Next we compute the derivatives, Setting both these derivatives to zero yields a stationary point of the function. Setting In the steps above, we have multiplied our derivatives by $\lambda_+$, $\lambda_-$, $w_1$ and $w_2$; this has introduced spurious zeros that now need to be removed. From (120,121) it is easily seen that $\lambda_+ = 0$ and $\lambda_- = 0$ are never stationary points since the derivatives diverge near these values. Furthermore, we find that substitution of (127) into the derivatives does not yield two zeros. Expression (126) is the only stationary point. As the function value lies higher there than in other points, we conclude that $\|\sigma^{rk}_0 - \sigma^{rk}_1\|_1$ is concave. Constrained optimization. The optimization problem is constrained by the fact that the λ eigenvalues are nonnegative. For $\beta \ge \beta_{\rm sat}$ the stationary point satisfies the constraints and hence is the optimal choice for $\beta \ge \beta_{\rm sat}$. For $\beta < \beta_{\rm sat}$ the stationary point has $\lambda_- < 0$, i.e. it lies outside the allowed region. Because of the concavity the highest function value which satisfies the constraints occurs at $\lambda_0 = 0$, $\lambda_1 = 0$, $\lambda_+ = 0$ or $\lambda_- = 0$. It is easily seen that $\lambda_0 \ge 0$ implies $\lambda_+ \le$ Clearly (129) is the larger of the two and therefore the optimal choice.

S1 Alice picks a random $a \in \{0, 1\}^d$ and a random permutation π. She prepares $|\mu_a\rangle = \frac{1}{\sqrt{d}} \sum_t (-1)^{a_t} |t\rangle$.
S2 Alice performs the permutation π on the state $|\mu_a\rangle$. She sends the result to Bob. After pausing for a while, she sends π to Bob.
S3 Eve does something with the state, without knowing π. Then she sends the result to Bob.
S4 Bob receives a state and stores it until he receives π. Bob applies $\pi^{-1}$ to the state.
S5 Bob picks a random $r \in \{1, \ldots, d-1\}$ and does the $M^{(r)}$ POVM. The result is an index $k \in \{0, \ldots, d-1\}$ and a bit $s = a_k \oplus a_{k+r}$. He computes $\ell = k + r \bmod d$. He announces $k, \ell$.
S6 Alice computes $s = a_k \oplus a_\ell$.

F1 Alice picks a random $a \in \{0, 1\}^d$ and a random $c \in \{0, 1\}^d$. She prepares $|\mu_a\rangle = \frac{1}{\sqrt{d}} \sum_t (-1)^{a_t} |t\rangle$.
F2 Alice performs the phase flips on the state $|\mu_a\rangle$, according to the rule $|t\rangle \to (-1)^{c_t} |t\rangle$ for basis states. She sends the result to Bob. After pausing for a while, she sends c to Bob.
F3 Eve does something with the state, without knowing c. Then she sends the result to Bob.
F4 Bob receives a state and stores it until he receives c. Bob applies phase flips c to the state.
F5 Bob picks a random $r \in \{1, \ldots, d-1\}$ and does the $M^{(r)}$ POVM. The result is an index $k \in \{0, \ldots, d-1\}$ and a bit $s = a_k \oplus a_{k+r}$. He computes $\ell = k + r \bmod d$. He announces $k, \ell$.
F6 Alice computes $s = a_k \oplus a_\ell$.
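One round of steps F1 to F6 computed exactly, as an added example that is not code from the paper. It assumes Bob's POVM elements have the form $M^{(r)}_{ks} = \tfrac{1}{2}|\Psi\rangle\langle\Psi|$ with $|\Psi\rangle = (|k\rangle + (-1)^s |k+r\rangle)/\sqrt{2}$, and it replaces Eve's action in F3 by the mixture of $|\mu_a\rangle$ and the fully mixed state that the appendix proof describes for Bob's received state; all function names are hypothetical.

```python
import math

def mu_state(a):
    """Density matrix of |mu_a> = d^{-1/2} sum_t (-1)^{a_t} |t>  (step F1)."""
    d = len(a)
    v = [(-1) ** bit / math.sqrt(d) for bit in a]
    return [[v[t] * v[u] for u in range(d)] for t in range(d)]

def phase_flip(rho, c):
    """Conjugate rho by the flips |t> -> (-1)^{c_t} |t>  (steps F2 and F4)."""
    d = len(rho)
    return [[(-1) ** (c[t] + c[u]) * rho[t][u] for u in range(d)] for t in range(d)]

def noisy_channel(rho, beta):
    """Assumed channel model: (1 - 2*beta) * rho + 2*beta * identity/d."""
    d = len(rho)
    return [[(1 - 2 * beta) * rho[t][u] + (2 * beta / d if t == u else 0.0)
             for u in range(d)] for t in range(d)]

def outcome_prob(rho, r, k, s):
    """tr(rho M) for the assumed M = 1/2 |Psi><Psi| with outcome (k, s)."""
    l = (k + r) % len(rho)
    return 0.25 * (rho[k][k] + rho[l][l] + (-1) ** s * (rho[k][l] + rho[l][k]))

def run_round(a, c, beta, r):
    """Return (total outcome probability, bit error rate) for a fixed r."""
    d = len(a)
    sent = phase_flip(mu_state(a), c)                    # F1, F2
    received = phase_flip(noisy_channel(sent, beta), c)  # F3 (noise only), F4
    total = error = 0.0
    for k in range(d):                                   # F5: Bob's outcomes (k, s)
        alice_bit = a[k] ^ a[(k + r) % d]                # F6: Alice's bit
        for s in (0, 1):
            p = outcome_prob(received, r, k, s)
            total += p
            if s != alice_bit:
                error += p
    return total, error
```

Under these assumptions the outcome probabilities sum to 1 for every r, Bob's bit always matches Alice's at β = 0, and the bit error rate equals β for any flip string c.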

ks are proportional to projection operators. Hence the tripartite ABE pure state after the measurement is proportional to $(Q_a \otimes M^{(r)}_{ks} \otimes \mathbb{1})|\Psi^{ABE}\rangle$. It is easily verified that the normalisation in (40) is correct: taking the trace in E-space yields $\mathrm{tr}_{AB}\, \mathrm{tr}_E\, |\Psi^{ABE}\rangle\langle\Psi^{ABE}|\, Q_a \otimes M^{(r)}_{ks} \otimes \mathbb{1} = \mathrm{tr}_{AB}\, \rho^{AB}\, Q_a \otimes M^{(r)}_{ks} = P_{aks|r}$. Lemma 5 It holds that d 2 d a 0 •••a d−1 without a k ,a k+r |µ a µ a | = a k +a k+r |k k + r| + |k + r k| (We have |µ a µ a | = 1 d [tτ ] |t τ |(−1) at+aτ . Summation of the 1 d 1 term is trivial and yields 2 d−2 • 1 d 1.

We split the xy sum into a sum with y = x and a sum with y ≠ x. Then we use z δ z,Ext(x,u) = 1 and z E u δ z,Ext(x,u) δ z,Ext(y,u) = 2 − for y ≠ x. The latter is the defining property of UHFs. Then we rewrite xy: y ≠ x as xy − xy δ xy . Finally, after applying 2 −n x i σ riki xi = ω av , most of the terms cancel and (72) is what remains. Lemma 10 It holds that

Fig. 1 Upper bound on the information leakage as a function of the bit error rate for d = 5, d = 10 and d = 15 (Theorem 1). A dot indicates the saturation point $\beta_*$.

Fig. 2 Mutual information between Alice and Eve in terms of von Neumann entropy as a function of the bit error rate, for d = 5, d = 10 and d = 15 (Theorem 2). A dot indicates the saturation point $\beta_0$.

Fig. 3 Optimal choice of $\lambda_+$ and $\lambda_-$ at d = 10 for statistical distance (left line), min-entropy (middle line) and von Neumann entropy (right line). The dashed triangle represents the region for which the eigenvalues $\lambda_+$, $\lambda_-$ and $\lambda_1$ are non-negative. The black dots indicate the optimum at $\beta = \tfrac{1}{2}$ (dots inside the triangle) and $\beta \le \beta_*, \beta_{\rm sat}, \beta_0$ (upper corner of the triangle). Not shown in this plot is the $\lambda_0 \ge 0$ constraint which cuts off the upper left corner of the triangle for $\beta > 2\beta_{\rm sat}$.

Fig. 4 Min-entropy leakage as a function of the bit error rate for d = 5, d = 10 and d = 15. A dot indicates the saturation point $\beta_{\rm sat}$.

Fig. 5 Accessible Shannon entropy as a function of β for d = 5, d = 10 and d = 15. A dot indicates the saturation point $\beta_{\rm sat}$.