Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Quantum Key Distribution (QKD), and more generally Quantum Cryptography, implied a change of paradigm in security. Before the conception of QKD in 1984 [1], most cryptographic applications based their security on reasonable assumptions on the eavesdropper’s computational power plus unproven assumptions on the computational complexity of some problems. In QKD, however, security is mainly based on a physically motivated assumption: the honest parties, Alice and Bob, and the eavesdropper, Eve, are constrained by the laws of quantum physics. Still, this is not the only assumption needed for security proofs of QKD. First of all, the honest parties should have a good physical characterization and control of the devices used in the protocol. Moreover, the security proof also requires a pair of minimal assumptions essential to make the cryptographic scenario meaningful: no information leaks Alice and Bob’s laboratories, and the honest parties have a source of trusted randomness and trusted devices to process and store the information generated during the protocol execution.

The main goal of Device-Independent Quantum Key Distribution (DIQKD) [24] is to design protocols whose security proof requires no detailed knowledge of the physical devices used for generating correlations. That is, apart from unavoidable assumptions on the security of the honest parties’ locations and the reliability of the devices they use for information processing, which in a way are inherent to the very definition of the cryptographic scenario, only the general validity of quantum theory is needed for security. In this scenario, the only possible security certificate is the one proposed by Ekert [5], see also [2, 6]: the observation of a Bell inequality violation. There are three main motivations to consider the device-independent scenario. First, from a purely theoretical point of view, DIQKD involves fewer assumptions and, thus, implies a stronger security. More generally, identifying the minimal set of physical assumptions needed for secure key distribution is a fundamental problem in cryptography. Second, from an applied point of view, the implementation of DIQKD schemes is more robust to imperfections since their security proof is independent of the devices’ details. However, it requires a long-distance detection-loophole-free Bell inequality violation, which at present is an experimental challenge (see however [7]). Finally, DIQKD, as the works on self testing techniques [8, 9], opens Quantum Cryptography to the unreliable, yet non-adversarial, provider scenario, as any device compatible with the protocol requirements is secure.

In this work we discuss a general formalism to prove the security of DIQKD protocols [10] (see also [11]). The security proof is completely general and can be applied to any protocol associated to a Bell inequality. The key element in the construction is a bound on the min-entropy of the raw key from the estimated Bell inequality violation. Compared to previous approaches [12], the proof exploits the constraints imposed by quantum theory, which significantly increases the efficiency of the protocols. For instance, when applied to the protocol of Ref. [3], based on the Clauser-Horne-Shimony-Holt (CHSH) Bell inequality [13], security can be guaranteed up to a quantum-bit error rate (QBER) of approximately 5 %.

The security proof, however, needs a requirement which limits its applicability from a practical point of view: all the events generating the raw-key symbols must be causally disconnected. There are different possibilities to meet this requirement. First, one can relax the device-independent character of the protocol and assume that the measuring apparatuses have no internal memory. Of course, the no-memory assumption is present in any of the security proofs for standard QKD [1]. The requirement can also be fulfilled in a device-independent manner if the honest parties have access to separated devices. For instance, if all raw-key symbols are defined by space-like separated events, special relativity warrants their causal independence. However, space-like separation is not necessarily required for the generation of the raw-key symbols. It is sufficient that the parties are able to shield each of these devices and prevent any unwanted information exchange among them when generating the raw-key symbols. This assumption is similar to the one that the honest parties are capable of preventing information leakage from their laboratories, without which the the cryptographic scenario would not make sense.

2 Bell Inequalities and DIQKD Protocols

The class of protocols we consider are variations of Ekert’s QKD protocol [5, 14]. Alice and Bob share a quantum channel that distributes entangled states and they both have a quantum apparatus to measure their incoming particles. These apparatuses take an input (the measurement setting) and produce an output (the measurement outcome). We label the inputs and outputs \(x\) and \(a\) for Alice, and \(y\) and \(b\) for Bob, and assume that they take a finite set of possible values.

The first step of the protocol consists in measuring the pairs of quantum systems distributed to Alice and Bob. In most of the cases (say \(N\)), the inputs are set to fixed values \(x_i =x_\mathrm {raw}\) and \(y_i =y_\mathrm {raw}\) and the corresponding outputs \(\mathbf{a}= (a_1, \ldots a_N)\) and \(\mathbf{b}= (b_1, \ldots b_N)\) constitute the two versions of the raw key. In the remaining systems, which represent a small random subset of all measured pairs (of size say \(N_\mathrm {est}\approx \sqrt{N}\)), the inputs \(x,y\) are chosen uniformly at random. From these \(N_\mathrm {est}\) pairs, Alice and Bob determine the relative frequencies \(q(ab|xy)\) with which the outputs \(a\) and \(b\) are obtained when using inputs \(x\) and \(y\). These relative frequencies quantify the degree of non-local correlations between Alice and Bob’s system through the violation of the Bell inequality associated to the DIQKD protocol. This Bell inequality is defined by a linear function \(g\) of the input-output correlations \(q(ab|xy)\):

$$\begin{aligned} g = \sum _{a,b,x,y} g_{abxy} q(ab|xy) \le g_\mathrm {loc}, \end{aligned}$$
(1)

where \(g_{abxy}\) are the coefficients defining the Bell inequality and \(g_\mathrm{loc}\) is its local bound. A particular example of a Bell inequality is the CHSH inequality [13]

$$\begin{aligned} g_\mathrm {chsh} = \sum _{a,b,x,y} (-1)^{a+b+xy} q(ab|xy) \le 2, \end{aligned}$$
(2)

where \(a,b,x,y\in \{0,1\}\).

After this initial “measure and estimate” phase, the rest of the protocol is similar to any other QKD protocol. Alice publishes an \(N_\mathrm {pub}\)-bit message about \(\mathbf{a}\), which is used by Bob to correct his errors \(\mathbf{b \rightarrow b'}\), such that \(\mathbf{b' =a}\) with arbitrarily high probability. Alice and Bob then generate their final secret key \(\mathbf{k}\) by applying a 2-universal random function to \(\mathbf {a}\) and \(\mathbf {b'}\), respectively [15].

3 Generation of the Raw-Key Symbols

In the DIQDK approach, we do not assume that the devices behave according to predetermined specifications. Yet, we must first specify how we model the \(N\) pairs of systems used to generate the raw key. These \(N\) pairs are eventually all measured using the inputs \(x=x_\mathrm {raw}\) and \(y=y_\mathrm {raw}\), but since they where initially selected at random and each of them could have been part of the \(N_\mathrm {est}\) pairs used to estimate the Bell violation, we must also consider what would have happened for any other inputs \(x\) and \(y\). Let therefore \(P(\mathbf {ab}| \mathbf {xy})\) denote the prior probability to obtain outcomes \(\mathbf{a}\) and \(\mathbf{b}\) if measurements \(\mathbf{x}=(x_1, \ldots , x_N)\) and \(\mathbf{y}=(y_1, \ldots , y_N)\) are made on these \(N\) pairs. This unknown probability distribution characterizes the initial system at the beginning of the protocol.

In the theoretical model needed for the security proof of Ref. [10], the \(N\) bits of the raw key are viewed as arising from \(N\) commuting measurements on a joint quantum system \(\rho _{\mathcal{A}\mathcal{B}}\). That is, the probabilities \(P(\mathbf {ab}|\mathbf {xy})\) can be written as

$$\begin{aligned} P(\mathbf{ab }|\mathbf xy ) = \mathrm{tr }[\rho _{{\mathcal{A}\mathcal{B}}}\, \prod _{i=1}^N A_i(a_i|x_i) B_i(b_i|y_i)], \end{aligned}$$
(3)

where \(A_i(a_i|x_i)\) are operators describing the measurements performed by Alice on her \(i\)th system if she select input \(x_i\) (they thus satisfy \(A_i(a_i|x_i)\ge 0\) and \(\sum _{a_i} A_i(a_i|x_i)=1\!\!1\)), where, similarly, \(B_i(b_i|y_i)\) are operators describing the measurements by Bob, and where these measurement operators satisfy the commutation relations

$$\begin{aligned}{}[A_i(a|x),B_j(b|y)]=0 \end{aligned}$$
(4)

and

$$\begin{aligned}{}[A_i(a|x),A_j(a'|x')]=[B_i(b|y),B_j(b'|y')]=0 \end{aligned}$$
(5)

for all \(i,j\) and \(a,a',b,b',x,x'\). Apart from the conditions (4) and (5), the state \(\rho _{AB}\) and the operators \(A_i(a_i|x_i)\) and \(B_i(b_i|y_i)\) are arbitrary and unspecified. The only constraint on them is that they should return measurement probabilities (3) compatible with the statistics of the \(N_\mathrm {est}\) randomly selected pairs, characterized by the observed Bell-inequality violation \(g\).

In quantum theory, measurement operators that commute represent compatible measurements that do not influence each other and which can be performed independently of each other. The commutation relations (4) between the operators \(A_i(a_i|x_i)\) describing Alice’s measurement devices and the operators \(B_i(b_i|y_i)\) describing Bob’s measurement devices are thus a necessary part of any DIQDK model; security cannot be guaranteed without them.

The commutation relations (5) between the operators \(A_i(a_i|x_i)\) within Alice’s location, and the commutation relations between the operators \(B_i(b_i|y_i)\) within Bob’s location, represent, on the other hand, additional constraints specific to the model discussed here. As already mentioned these commutation relations are satisfied in an implementation in which the \(N\) bits of the raw key are generated by \(N\) separate and non-interacting pairs of devices used in parallel. Let’s elaborate more on this point.

In the extreme adversarial scenario where the provider of the devices is not trusted (e.g., if the provider is the eavesdropper itself), this independence condition can be guaranteed by shielding the \(N\) devices in such a way that no communication between them occurs during the measurement process. One could also consider a setup where the measurements performed by the \(N\) devices define space-like separated events. However, even in a space-like separated configuration, the ability to shield the devices is required if the provider of the devices is untrusted, as we cannot guarantee through other means that the devices do not send directly unwanted information to the adversary. But, then, the ability to shield the devices is already sufficient by itself to guarantee (5).

In a more practical implementation where the raw key is generated by repeatedly performing measurements in sequence on a single pair of devices, the commutation relation (5) expresses the condition that the functioning of the devices should not depend on any internal memory storing the quantum states and measurement results obtained in previous rounds. In the most general DIQKD model, the quantum devices could possess a quantum memory such that the state of the system after the \(i\)th measurement is passed to the successive round \(i+1\) (this state could also contain classical information about the measurement inputs and outputs of step \(i\)). If \(\rho ^i_{\mathcal{A}\mathcal{B}}\) denotes the state of the system before measurement \(i\), the unormalised state passed to round \(i+1\) in the event that Alice and Bob use inputs \(x_i\) and \(y_i\) and obtain outputs \(a_i\) and \(b_i\) would then be \(\tilde{A}^\dagger _i(a_i|x_i)\tilde{B}^\dagger _i(b_i|y_i)\rho _{\mathcal{A}\mathcal{B}}^i\tilde{A}_i(a_i|x_i)\tilde{B}_i(b_i|y_i)\) where \(\tilde{A}_i(a|x)\) and \(\tilde{B}_i(b_i|x_i)\) are generalized measurement operators describing Alice’s and Bob’s measurements and satisfying \(\sum _{a} \tilde{A}_i(a|x)\tilde{A}_i^\dagger (a|x)=\sum _{b} \tilde{B}_i(b|y)\tilde{B}_i^\dagger (b|y)=I\). In such a model, the probabilities \(P(\mathbf{ab }|\mathbf xy )\) are then given by

$$\begin{aligned} P(\mathbf{ab }|\mathbf xy ) = \mathrm{tr }[\prod _{i=N}^{1} \tilde{A}^\dagger _{i}(a_i|x_i) \tilde{B}^\dagger _{i}(b_i|y_i) \times \rho _{{\mathcal{A}\mathcal{B}}}\, \prod _{i=1}^N \tilde{A}_i(a_i|x_i) \tilde{B}_i(b_i|y_i)], \end{aligned}$$
(6)

where \(\rho _{\mathcal{A}\mathcal{B}}\) denotes the initial state at the beginning of the protocol, and the order in the products is relevant. Imposing commutation relations between all operators pertaining to different rounds corresponds to neglect the causal order in (6) due to memory effects. We then recover a model of the form (3) by defining \(A_i(a|x)=\tilde{A}_i(a|x)\tilde{A}_i^\dagger (a|x)\) and \(B_i(b|y)=\tilde{B}_i(b|y)\tilde{B}_i^\dagger (b|y)\).

4 Security Proof

We are now in position to review the bound on the secret key rate derived in [10]. This bound can be achieved against an unrestricted eavesdropper Eve for any QKD protocol satisfying the description (3), (4) and (5). The information available to Eve can be represented by a quantum system that is correlated with the Alice and Bob’s systems. We denote by \(\rho _{\mathcal{A}\mathcal{B}\mathcal{E}}\) the corresponding \((2N+1)\)-partite state, with \(\mathrm {tr}_\mathcal{E}\,\rho _{\mathcal{A}\mathcal{B}\mathcal{E}}=\rho _{\mathcal{A}\mathcal{B}}\). This state describes the \(2N+1\) systems at the beginning of the protocol. After the \(N\) systems of Alice have been measured, the joint state of Alice and Eve is described by the classical-quantum state

$$\begin{aligned} \rho _{{\mathcal{A}}{\mathcal{E}}}=\sum _{\mathbf {a}} P(\mathbf {a}|\mathbf {x}_\mathrm {raw}) |\mathbf {a}\rangle \!\langle \mathbf {a}|\otimes \rho _{\mathcal{E}|\mathbf {a}}, \end{aligned}$$
(7)

where \(\rho _{\mathcal{E}|\mathbf {a}}\) is the reduced state of Eve conditioned on Alice having observed the outcomes \(\mathbf {a}\).

The length of the secret key \(\mathbf{k}\) obtained by processing the raw key \(\mathbf{a}\) with an error correcting protocol and a 2-universal random function is, up to terms of order \(\sqrt{N}\), lower bounded by \(H_\mathrm {min}(\mathbf{a}|\mathcal{E}) - N_\mathrm {pub}\), where \(H_\mathrm {min}(\mathbf{a}|\mathcal{E})\) is the min-entropy of \(\mathbf a\) conditioned on Eve’s information for the state (7) and \(N_\mathrm {pub}\) is the length of the message published by Alice in the error-correcting phase. It is shown in [16] that the length of the public message necessary for correcting Bob’s errors is \(N_\mathrm {pub} = N H(a|b)\), up to terms of order \(\sqrt{N}\). The quantity \(H(a|b)\) is the conditional Shannon entropy [16], defined by

$$\begin{aligned} H(a|b) = \sum _{a,b} -P(a,b) \log _2 P(a|b), \end{aligned}$$
(8)

where \(P(a,b)=1/N \sum _{i=1}^N \sum _{a_i,b_i} P(a_i=a,b_i=b)\) is the average probability with witch the pair of outcomes \(a\) and \(b\) are observed. Computing the key rate of the DIQKD protocol, thus essentially amounts to determine the min-entropy \(H_\mathrm {min}(\mathbf{a}|E)\). A bound on this quantity can be derived as a function of the estimated Bell violation \(g\).

Consider first the simpler case of one pair of systems (\(N=1\)) uncorrelated to the adversary and characterized by the joint probabilities

$$\begin{aligned} P(ab|xy) = \mathrm{tr }[\rho \, A(a|x) B(b|y)]. \end{aligned}$$
(9)

If \(P(a|x_\mathrm {raw})<1\) for all \(a\), then the outcome of the measurement \(x_\mathrm {raw}\) cannot be perfectly predicted. The degree of unpredictability of \(a\) can be quantified by the probability to correctly guess \(a\) [17]. This guessing probability is equal to

$$\begin{aligned} P_\mathrm {guess} (a) =\max _a P(a|x_\mathrm {raw}), \end{aligned}$$
(10)

since the best guess that one can make about \(a\) is to output the most probable outcome. If \(P_\mathrm {guess} (a)=1\) then the outcome of the measurement \(x_\mathrm {raw}\) can be predicted with certainty, while lower values for \(P_\mathrm {guess} (a)\) imply less predictability.

Let \(g_\mathrm {exp}=\sum _{abxy}g_{abxy}P(ab|xy)=\mathrm{tr }[\rho \,G]\) denote the expected quantum violation of the Bell inequality (1) for the pair of systems described by (9), where

$$\begin{aligned} G= \sum _{a,b,x,y} g_{abxy} A(a|x) B(b|y), \end{aligned}$$
(11)

is the Bell operator associated to the inequality \(g\) and to the measurements \(A(a|x)\) and \(B(b|y)\). Independently of the precise form of the state \(\rho \) and of the measurement operators \(A(a|x)\) and \(B(b|y)\), the value of the Bell expectation \(g_\mathrm {exp}\) imposes a constraint on the guessing probability (10). Formally, this constraint can be expressed as a bound of the form

$$\begin{aligned} P_\mathrm {guess} (a) \le f(g_\mathrm {exp}), \end{aligned}$$
(12)

satisfied by all quantum distributions (9). The optimal point-wise values \(f(g_0)\) (for any \(g_0\)) correspond to the solution of the following maximization problem

$$\begin{aligned} \begin{array}{cl} \displaystyle \max _{\rho ,A,B} &{}\mathrm{tr }[\rho \, A(a|x_\mathrm {raw})]\\ \text {subject to}&{}\mathrm{tr }[\rho \, G]=g_0, \end{array} \end{aligned}$$
(13)

which can be solved (or upper-bounded) using the semidefinite programming (SDP) relaxations introduced in [18]. The resulting functions \(f\) (and in particular the optimal one) are then always concave and monotonically decreasing, as follows from the convex nature of the problem (13) and of its associated SDP relaxations. In the case of the CHSH inequality, the optimal function \(f\) is [10, 19]

$$\begin{aligned} f_\mathrm {chsh} (g)= \frac{1}{2} + \frac{1}{2}\sqrt{2 - \frac{g^2}{4} }, \end{aligned}$$
(14)

for any of the two possible values \(x_\mathrm {raw}=0\) or \(1\) entering in the CHSH definition (2).

As the function \(f\) is concave, it can be upper-bounded by its linearization around any point \(g_{0}\)

$$\begin{aligned} f(g) \le \mu (g_0) + \nu (g_0) g, \end{aligned}$$
(15)

where \(\mu (g_0)= f(g_0) -f'(g_0)g_0\), \(\nu (g_0)= f'(g_0)\). From concavity, it also follows that

$$\begin{aligned} f(g)= \min _{g_0} \left[ \mu (g_0) + \nu (g_0) g\right] . \end{aligned}$$
(16)

The bound (12) is thus equivalent to the family of inequalities \(P(a|x_\mathrm {raw}) \le \mu (g_0) + \nu (g_0), g_\mathrm {exp}\) for all \(a\) and \(g_0\). Since these inequalities are satisfied by any quantum distribution (9), and thus in particular by any state \(\rho \), they are equivalent to the operator inequalities

$$\begin{aligned} A(a|x_\mathrm {raw}) \le \mu (g_0)1\!\!1+ \nu (g_0) G, \end{aligned}$$
(17)

valid for all \(a\), \(g_0\), and any set of measurements \(A(a|x)\) and \(B(b|y)\).

Moving to the case of \(N\) pairs of systems described by (3) and (7), the probability with which Eve can correctly guess the raw key \(\mathbf {a}\) by measuring her side information \(\mathcal {E}\) can be computed as follows. Suppose thus that Eve performs some measurement \(z\) on her system \(\mathcal {E}\) and obtains an outcome \(e\). Let \(P(\mathbf {a}| \mathbf {x}_\mathrm {raw}, ez)\) denote the probability distribution of \(\mathbf a\) conditioned on Eve’s information. On average, her probability to correctly guess \(\mathbf a\) is given by \(\sum _eP(e|z)\max _\mathbf{a} P(\mathbf {a}|\mathbf {x}_\mathrm {raw},ez)\), and her optimal correct-guessing probability (optimized over all measurements \(z\)) is [17]:

$$\begin{aligned} P_\mathrm {guess} (\mathbf{a}|\mathcal {E}) = \max _z \sum _e P(e|z)\max _\mathbf{a} P(\mathbf{a}| \mathbf{x}_\mathrm {raw},ez). \end{aligned}$$
(18)

Denote by \(\rho _{\mathcal {AB}|ez}\) the \(2N\)-partite state prepared when Eve measures \(z\) and obtains the outcome \(e\) (with \(\rho _{\mathcal {AB}}=\sum _e P(e|z)\rho _{\mathcal {AB}|ez}\)), and write \(\mathbf {A}(\mathbf {a}|\mathbf {x}_\mathrm {raw})=\prod _{i=1}^N A_i(a_i|x_\mathrm {raw})\), so that

$$\begin{aligned} P(\mathbf{a}| \mathbf{x}_\mathrm {raw},ez)=\mathrm{tr }\left[ \rho _{\mathcal {AB}|ez} \mathbf {A}(\mathbf {a}|\mathbf {x}_\mathrm {raw})\right] . \end{aligned}$$
(19)

Consider the following \(N\)-partite Bell operator

$$\begin{aligned} \mathbf {G}(g_0)=\prod _{i=1}^N [ \mu (g_0) 1\!\!1+\nu (g_0) G_i], \end{aligned}$$
(20)

where \(G_i=\sum _{a,b,x,y} g_{abxy} A_i(a_i|x_i) B_i(b_i|y_i)\). The single-copy operator inequality (17) implies that for all \(\mathbf{a}\) and \(g_0\)

$$\begin{aligned} \mathbf {A}(\mathbf {a}|\mathbf {x}_\mathrm {raw})\le \mathbf {G}(g_0). \end{aligned}$$
(21)

To show this, write \(A'_i= A_i(a_i|x_\mathrm {raw})\) and \(G'_i= \mu (g_0) 1\!\!1+\nu (g_0) G_i\). We thus want to establish that \(\prod _{i=1}^N G'_i-\prod _{i=1}^N A'_i\ge 0\). Inequality (17) implies that for all \(i\), \(0\le A'_i\le G'_i\). Defining \(Z_i=G'_i-A'_i\ge 0\), note then that \(\prod _{i=1}^N G'_i-\prod _{i=1}^N A'_i=\prod _{i=1}^N (Z_i+A'_i)-\prod _{i=1}^N A'_i=\prod _{i=1}^N Z_i+Z_1\prod _{i=2}^N A'_i+\cdots +\prod _{i=1}^{N-1}A'_iZ_n\). Inequality (21) then follows from the fact that each term in this sum is positive since it is the product of operators that are positive and, according to (5), commuting.

Using inequality (21) in (18), we find

$$\begin{aligned} \nonumber P_\mathrm {guess} (\mathbf{a}|\mathcal{E})&= \max _z\sum _e P(e|z)\, \max _\mathbf{a}\mathrm{tr }\left[ \rho _{\mathcal {AB}|ez} A(\mathbf {a}|\mathbf {x}_\mathrm {raw})\right] \nonumber \\&\le \max _z \sum _e P(e|z)\, \min _{g_0} \mathrm{tr }\left[ \rho _{\mathcal {AB}|ez} \mathbf {G}(g_0)\right] , \nonumber \\&\le \min _{g_0}\, \mathrm{tr }\left[ \rho _{\mathcal{A}\mathcal{B}}\,\mathbf {G}(g_0)\right] \end{aligned}$$
(22)

where to deduce the first inequality we used, in addition to (21), the positivity of \(\rho _{\mathcal {AB}|ez}\).

Note now that the quantity \(\mathrm{tr }\left[ \rho _{\mathcal{A}\mathcal{B}},\mathbf {G}(g_0)\right] \) is a function of the marginal distributions \(P(\mathbf {ab}|\mathbf {xy})\) of Alice and Bob only and does not involve directly the system of Eve. It is shown in [17], that Alice and Bob can estimate (with high probability) this quantity from the Bell violation \(g\) observed on the randomly-chosen \(N_\mathrm {est}\) pairs. More precisely, Lemma 5 from reference [17] implies that the inequality

$$\begin{aligned} \mathrm{tr }\left[ \rho _{\mathcal{A}\mathcal{B}},\mathbf {G}(g_0)\right] \le \left[ \mu (g_0) + \nu (g_0) g_\mathrm {est} + N_\mathrm {est}^{-1/4} \right] ^N \end{aligned}$$
(23)

holds except with probability exponentially small in \(N_\mathrm {est}\). This, (22), and (16) imply that

$$\begin{aligned} P_\mathrm {guess}(\mathbf{a}|\mathcal{E}) \le \left[ f(g^\mathrm {est}) + N_\mathrm {est}^{-1/4} \right] ^N. \end{aligned}$$
(24)

Finally, it is shown in [17] that the (quantum) min-entropy \(H_\mathrm {min}(\mathbf{a}|\mathcal{E})\) of a state of the form (7) is given by

$$\begin{aligned} H_\mathrm {min}(\mathbf{a}|\mathcal{E}) = -\log _2\! {P_\mathrm {guess}(\mathbf{a}|\mathcal{E})}, \end{aligned}$$
(25)

which implies the asymptotic secret key rate

$$\begin{aligned} R\ge -\log _2\! {f(g_\mathrm {est})} - H(a|b). \end{aligned}$$
(26)

As announced, the bound applies to any Bell inequality and the corresponding DIQKD protocol.

5 Key Rates for the Chained Bell Inequality

As an illustration of the formalism, we explicitly compute the secret-key rates for the chained Bell inequalities of Ref. [20]. These inequalities were initially introduced in the scenario in which Alice and Bob perform \(M\) measurements of two outcomes. Later, they were generalized to an arbitrary number of outcomes [21], but we don’t consider this generalization here.

The chained inequalities for two measurement outcomes read as follows. The two outcomes of each measurement by Alice (Bob) are labeled by \(A_i=\pm 1\) (\(B_i=\pm 1\)), with \(i=1,\ldots ,M\). Then, for any local model one has

$$\begin{aligned} \sum _{i=1}^{M} \langle A_i B_i\rangle + \sum _{i=1}^{M-1}\langle B_i A_{i+1}\rangle - \langle B_M A_{1} \rangle \le 2(M-1), \end{aligned}$$
(27)

where \(\langle X\rangle \) stands for the expectation value of the random variable \(X\). The case \(M=2\) corresponds to the standard CHSH inequality.

Fig. 1.
figure 1

Key rates for the chained Bell inequalities for 2, 3 and 4 measurements. The critical visibility such that the lower bound on the key rate is zero is approximately of 0.9. Increasing the number of settings up to 4 worsens this critical visibility.

Full size image

In Fig. 2 we depict the lower bound on the secret-key rates (26) for DIQKD protocols based on the chained inequalities for \(M=2,3,4\). These rates have been computed for the probability distribution resulting from applying the optimal measurements for the maximal quantum violation of the chained inequality on a mixture of a two-qubit maximally entangled state \(|\Phi ^+\rangle \) and white noise, that is,

$$\begin{aligned} \rho _{AB}=v|\Phi ^+\rangle \!\langle \Phi ^+|+(1-v)1\!\!1/4 , \end{aligned}$$
(28)

where \(v\) is often known as the visibility. It is important to recall that, while the rate is computed for a concrete set of states and measurements, the security analysis is fully device independent (up to the requirement that measurement outcomes are causally disconnected). Each value of the visibility defines a value for the error rate between Alice and Bob, \(\epsilon _{AB}=(1+v)/2\), which specifies the amount of bits needed for error correction. The violation of the chained Bell inequality is just the maximal quantum violation multiplied by the visibility \(v\). Putting the two things together, one derives the rates given in Fig. 1. The obtained critical values of the visibility such that the key rate is provably strictly positive, are of approximately 0.9. They are then comparable to those of standard QKD, which are around 0.78.