Simple and Rigorous Proof Method for the Security of Practical Quantum Key Distribution in the Single-Qubit Regime Using Mismatched Basis Measurements

Abstract

Quantum key distribution (QKD) protocols aim at allowing two parties to generate a secret shared key. While many QKD protocols have been proven unconditionally secure in theory, practical security analyses of experimental QKD implementations typically do not take into account all possible loopholes, and practical devices are still not fully characterized for obtaining tight and realistic key rates. We present a simple method of computing secure key rates for any practical implementation of discrete-variable QKD (which can also apply to measurement-device-independent QKD), initially in the single-qubit lossless regime, and we rigorously prove its unconditional security against any possible attack. We hope our method becomes one of the standard tools used for analysing, benchmarking, and standardizing all practical realizations of QKD.

1. Introduction

The purpose of quantum key distribution (QKD) is to allow two legitimate parties, typically named Alice and Bob, to generate an information-theoretically secure key [1]. Most QKD protocols have been proven secure even if the adversary Eve is allowed to apply any theoretical attack allowed by the laws of quantum theory. However, despite enormous progress in recent years, unconditional security of practical implementations of QKD has remained elusive.

The difficulty of achieving practical security stems from the fact that practical implementations deviate from the theoretical protocols in many important aspects. The theoretical models of the preparation devices, the transmitted quantum systems, the quantum channels, and the measurement devices differ enormously from any experimental realization, and these differences open up loopholes and weaknesses that Eve may be able to exploit (see, e.g., [2,3]).

Most security weaknesses of the measurement devices can be closed using measurement-device-independent (MDI) QKD [4,5,6,7]. However, MDI QKD still requires us to trust the preparation devices of Alice and Bob, and deviations of the actually prepared quantum states from the theoretical states still pose a significant security threat. Alternatively, in (fully) device-independent (DI) QKD [8,9,10], Alice’s and Bob’s devices are completely uncharacterized, and violations of Bell’s inequality prove the secrecy of the final key. This method, while promising and theoretically solid, still achieves far worse secret key rates than standard QKD (including MDI QKD) in realistic experimental settings [11,12,13]; in addition, it still requires assumptions, including the assumption that Alice’s and Bob’s uncharacterized devices are never allowed to communicate with each other or with Eve. Therefore, while we believe that both DI QKD and standard (especially MDI) QKD are important directions that can lead to practical security (perhaps in different levels of security), in this paper, we focus on standard and MDI QKD protocols, where the most pressing practical security problem that has no fully available solution is imperfectly generated quantum states.

We suggest a simple and systematic method for analysing source imperfections and proving unconditional security of a large variety of QKD protocols. Our method (similarly to the “loss tolerant” QKD protocol [14,15,16,17]) assumes that the quantum source can only emit three possible quantum states (instead of the four states used by BB84), and it uses a mismatched-basis analysis (see, e.g., [18]) for deriving the key rate in the finite-key regime. Our analysis method is vastly simplified and rigorous, takes into account many subtle points that are often omitted in other security proofs, and gives an explicit key rate formula in the finite-key regime. We further suggest a practical step-by-step process for analysing experimental implementations of QKD, and we verify that the restriction to three states is indeed essential for practical security.

Our method currently applies only to the qubit regime (in the generalized sense: namely, we require the three emitted quantum states to be linearly dependent and, therefore, lie inside a two-dimensional Hilbert subspace), it does not support losses, and it does not support decoy states [19,20,21]. We believe that the analysis of losses and decoy states will work within our framework (see, e.g., [22,23,24]), but we leave their rigorous and precise analysis for future research. We also believe that our analysis can prove security for practical implementations of MDI QKD using the reduction techniques introduced by [4,6], but we leave a detailed analysis of this direction for future research.

In Section 2, we explain how the security of practical implementations of QKD should be rigorously analysed and proved. In Section 3, we fully define the analysed QKD protocol, and in Section 4, we prove its security; our final security result (the key rate) is presented as Corollary 3. In Section 5, we explain why four source states are likely too many (in the qubit and two-basis regime) and why we must restrict our protocol to three states.

2. Step-by-Step Analysis of Practical Implementations of QKD

Nowadays, despite the enormous progress made on practical security analysis, a comprehensive method for proving security is still lacking. In many descriptions of practical implementations of QKD, while the theoretical model suggested for analysis is close to the practical implementation, it is naturally not identical, and the reduction from the practical implementation to the theoretical protocol sometimes uses hand wavy arguments instead of fully rigorous mathematical modelling and analysis.

For rigorously proving the security of a practical implementation in the case of a measurement-device-independent (MDI) protocol, we suggest the following way:

• The implementation should be evaluated and tested. In particular, the emitted quantum states must be repeatedly measured in all aspects, including determining the modes—frequency spectrum (which includes wavelengths and their relative phases), polarization, timing and location of emission, direction of propagation (wave vector), and their degrees of mutual coherence—and performing a full tomography for each mode, thereby discovering the resulting quantum states. Each resulting quantum state (for each basis choice and data choice) must be reconstructed and explicitly written; this reconstruction is essential for the security analysis.
• The quantum states must be given as inputs to the security proof. The security proof then gives us a key rate formula and security parameters.
• The key rate and security parameters can now be compared to the security definition. The result of this comparison decides whether security of the practical implementation has been proved.

In particular, if this process requires any reduction between the practical implementation and the theoretical model, the reduction must be rigorous and precise, it must be included as a part of the proof, and it must be verified to work against any possible attack.

3. Definition of the QKD Protocol

The QKD protocol we analyse in this paper is a prepare-and-measure protocol, which is defined as follows:

• Alice and Bob publicly agree on the parameters of the protocol:
  • Three normalized quantum states $\{{|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}\}$ (identical between all rounds i) that can reside in any arbitrary Hilbert space but must be linearly dependent (and, therefore, must span a two-dimensional Hilbert subspace). Specifically, we denote

    $${|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}=a{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+b{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},$$

    (1)

    where $a,b\in \mathbb{C}$. We require ${\left|a\right|}^2+{\left|b\right|}^2>\frac{1}{2}$ or, equivalently, $\Re \left(a^{\star }b{\langle {\gamma }_0|{\gamma }_1\rangle }_{{\mathrm{B}}_i}\right)<\frac{1}{4}$.
  • Bob’s generalized measurement operators for each round i:

    (a)

    ${\left\{M_{{\mathrm{B}}_i}^{\mathrm{Z},t}\right\}}_{t\in \{0,1\}}$, which we name “measurement in the standard basis” or “measurement in the z basis”, and

    (b)

    ${\left\{M_{{\mathrm{B}}_i}^{\mathrm{X},t}\right\}}_{t\in \{0,1\}}$, which we name “measurement in the conjugate basis” or “measurement in the x basis”.

    which are defined similarly to [22]. We note that Bob’s measurement operators can be arbitrary and are not required to be perfectly implemented or perfectly known. However, they influence the measurement results and the error rate, which influence the protocol’s success probability and key rate.
  • The number m of all rounds (all quantum states sent by Alice to Bob).
  • The probabilities that Alice chooses each “preparation basis”: $p_z^{\mathrm{A}}$ represents the probability that Alice prepares either ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i}$ or ${|{\gamma }_1\rangle }_{{\mathrm{B}}_i}$ (each of which she chooses with an equal probability, $\frac{p_z^{\mathrm{A}}}{2}$), and $p_x^{\mathrm{A}}$ represents the probability that Alice prepares ${|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$. We require $p_z^{\mathrm{A}}+p_x^{\mathrm{A}}=1$.
  • The probabilities that Bob chooses to measure in each measurement basis: $p_z^{\mathrm{B}}$ (for choosing to measure in the “z basis”) and $p_x^{\mathrm{B}}$ (for choosing to measure in the “x basis”), respectively, such that $p_z^{\mathrm{B}}+p_x^{\mathrm{B}}=1$.
  • The numbers $k_1,k_2,k_3,k_4$ of TEST bits required for each pair of basis choices of Alice and Bob (Z-Z, Z-X, X-Z, and X-X, respectively, where the first letter (Z or X) represents Alice’s basis choice, and the second letter represents Bob’s basis choice) and the number $n_1$ of required INFO bits corresponding to basis choices of Z-Z. We require $n_1+k_1+k_2+k_3+k_4\le m$.
  • The error rate threshold $\delta$ (maximal allowed noise in TEST-Z-Z and TEST-X-X bits).
  • The zero rate threshold ${\delta }_{\mathrm{mismatch}}$ (maximal allowed rate of “+” or “0” results measured by Bob in TEST-Z-X and TEST-X-Z bits, respectively).
  • The error correction and privacy amplification parameters described in [22], including, in particular, the final key length ℓ.
• Alice randomly chooses a string ${\mathrm{\Phi }}_{\mathrm{A}}\in {\{0,1\}}^m$ of basis choices: she chooses each bit independently to have value 0 with probability $p_z^{\mathrm{A}}$ or value 1 with probability $p_x^{\mathrm{A}}$.
  Bob randomly chooses a string ${\mathrm{\Phi }}_{\mathrm{B}}\in {\{0,1\}}^m$ of basis choices: he chooses each bit independently to have value 0 with probability $p_z^{\mathrm{B}}$ or value 1 with probability $p_x^{\mathrm{B}}$.
  In addition, Alice chooses a uniformly random string $R\in {\{0,1\}}^m$ of the raw bits she prepares and sends (it is only used for rounds where Alice’s basis choice is 0).
  All strings are kept secret.
• For each round $i\in \{1,2,\dots ,m\}$ of the protocol, Alice prepares the state dictated by ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i$ and $R_i$—namely:
  • Alice prepares ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i}$ if ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0$ and $R_i=0$;
  • Alice prepares ${|{\gamma }_1\rangle }_{{\mathrm{B}}_i}$ if ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0$ and $R_i=1$;
  • Alice prepares ${|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$ if ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=1$ (independently of $R_i$).
  Alice sends the prepared state to Bob via the quantum channel. Bob measures each obtained state in the basis dictated by ${\left({\mathrm{\Phi }}_{\mathrm{B}}\right)}_i$ (the “z basis” if ${\left({\mathrm{\Phi }}_{\mathrm{B}}\right)}_i=0$, or the “x basis” if ${\left({\mathrm{\Phi }}_{\mathrm{B}}\right)}_i=1$) and puts the measurement result in the string $U\in {\{0,1\}}^m$, which is kept secret.
• Bob publicly sends to Alice his basis choice string ${\mathrm{\Phi }}_{\mathrm{B}}$.
• Alice verifies that the set $\mathrm{\Sigma }\triangleq \{1,2,\dots ,m\}$ includes at least $n_1+k_1$ rounds where Alice chose z and Bob chose z (named “Z-Z rounds”), at least $k_2$ “Z-X rounds”, at least $k_3$ “X-Z rounds”, and at least $k_4$ “X-X rounds”. If verified, Alice sets the flag $F^{\min }=✓$; otherwise, she sets the flag $F^{\min }=Ø$ and aborts the protocol.
• Alice randomly chooses four subsets ${\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4\subseteq \mathrm{\Sigma }$ of test rounds:
  • $|{\mathrm{\Pi }}_1|=k_1$ is randomly chosen out of all “Z-Z rounds” in $\mathrm{\Sigma }$, and it consists of $k_1$ rounds we define as the “TEST-Z-Z rounds”;
  • $|{\mathrm{\Pi }}_2|=k_2$ is randomly chosen out of all “Z-X rounds” in $\mathrm{\Sigma }$, and it consists of $k_2$ rounds we define as the “TEST-Z-X rounds”;
  • $|{\mathrm{\Pi }}_3|=k_3$ is randomly chosen out of all “X-Z rounds” in $\mathrm{\Sigma }$, and it consists of $k_3$ rounds we define as the “TEST-X-Z rounds”;
  • $|{\mathrm{\Pi }}_4|=k_4$ is randomly chosen out of all “X-X rounds” in $\mathrm{\Sigma }$, and it consists of $k_4$ rounds we define as the “TEST-X-X rounds”,
  and one subset ${\mathrm{\Sigma }}_1\subseteq \mathrm{\Sigma }$ of information rounds:
  • $|{\mathrm{\Sigma }}_1|=n_1$ is randomly chosen out of all “Z-Z rounds” in $\mathrm{\Sigma }\setminus {\mathrm{\Pi }}_1$, and it consists of $n_1$ rounds we define as the “INFO rounds”.
  She publicly sends the five disjoint sets ${\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4,{\mathrm{\Sigma }}_1$ to Bob.
• Each one of Alice and Bob produces five substrings of their respective bit strings $R,U$:
  • $V^1$ and $W^1$ are the substrings corresponding to ${\mathrm{\Pi }}_1$ (the TEST-Z-Z rounds) of Alice and Bob, respectively;
  • $V^2$ and $W^2$ are the substrings corresponding to ${\mathrm{\Pi }}_2$ (the TEST-Z-X rounds) of Alice and Bob, respectively;
  • $V^3$ and $W^3$ are the substrings corresponding to ${\mathrm{\Pi }}_3$ (the TEST-X-Z rounds) of Alice and Bob, respectively;
  • $V^4$ and $W^4$ are the substrings corresponding to ${\mathrm{\Pi }}_4$ (the TEST-X-X rounds) of Alice and Bob, respectively;
  • $X^1$ and $Y^1$ are the substrings corresponding to ${\mathrm{\Sigma }}_1$ (the INFO rounds) of Alice and Bob, respectively.
• Alice sends $V^1,V^4$ to Bob, and Bob compares them to his $W^1,W^4$ and computes the error rates. If the error rate in either the TEST-Z-Z rounds or the TEST-X-X rounds exceeds $\delta$, Bob sets $F^{\mathrm{pe}}=Ø$ and aborts the protocol.
  In addition, Bob evaluates his bit strings $W^2,W^3$ and computes their zero rates (namely, the percentages of his “+” or “0” measurement results, respectively). If the zero rate in either the TEST-Z-X rounds or the TEST-X-Z rounds exceeds ${\delta }_{\mathrm{mismatch}}$, Bob sets $F^{\mathrm{pe}}=Ø$ and aborts the protocol.
  If both tests pass, Bob sets $F^{\mathrm{pe}}=✓$, and the protocol proceeds.
• Alice and Bob perform error correction and privacy amplification to their secret INFO bits $X^1,Y^1$ in the standard way for BB84 protocols (described, e.g., in [22]) to obtain their final secret keys. We note that Alice and Bob generate another flag, $F^{\mathrm{ec}}$, and they abort the protocol if $F^{\mathrm{ec}}=Ø$ (see details in [22]); however, if $F^{\mathrm{ec}}=✓$, the protocol succeeds, and Alice’s and Bob’s final secret keys are denoted by $K_{\mathrm{A}},K_{\mathrm{B}}\in {\{0,1\}}^{\ell }$, respectively.

We point out that this is a very general protocol in the lossless qubit regime because Alice’s emitted states $\{{|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}\}$ can be any states (assuming they are linearly dependent and satisfy ${\left|a\right|}^2+{\left|b\right|}^2>\frac{1}{2}$), even if they lie inside a very general Hilbert space (which may be infinite-dimensional or even continuous). Thus, for this security proof to apply, Alice and Bob must first test their devices, perform a full quantum tomography of their emitted states, and input the resulting states ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$ to the security proof, as described in Section 2.

Using pure states ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$ does not hurt generality because if Alice sends a mixed state, we can always assume that she also sends the purifying system (which Eve intercepts and uses): this assumption is only beneficial to Eve, so it makes our security proof stronger.

4. Security Proof

Our security proof is a generalized version of the rigorous, mostly self-contained security proof presented by [22] for BB84-based protocols. That security proof uses entropic uncertainty relations to derive a key rate formula in the finite-key regime, showing a reduction from the prepare-and-measure protocol to an entanglement-based protocol. Here, we generalize this approach to apply to our practical protocol (in the qubit regime) described in Section 3.

4.1. Equivalent Modified Entanglement-Based Protocol

We begin our security proof by performing a reduction to the following modified entanglement-based protocol. We point out that this protocol does not strictly adhere to standard definitions of “entanglement-based” protocols because it requires Alice to prepare a specific entangled state, measure some portions of it, and send other portions to Bob (which Eve can attack). Therefore, it is similar to prepare-and-measure protocols. Nevertheless, this protocol is entanglement-based in the narrowest sense because it allows Alice to delay her measurements (on some portions of her state) and relies on the resulting entanglement for proving security.

Therefore, we call it a “modified entanglement-based protocol”, and it is defined as follows:

• Alice and Bob publicly agree on the parameters of the protocol:
  • Three normalized quantum states $\{{|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}\}$ (identical between all rounds i) that can reside in any arbitrary Hilbert space but must be linearly dependent (and, therefore, must span a two-dimensional Hilbert subspace). Specifically, we denote

    $${|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}=a{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+b{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},$$

    (2)

    where $a,b\in \mathbb{C}$. We require ${\left|a\right|}^2+{\left|b\right|}^2>\frac{1}{2}$ or, equivalently, $\Re \left(a^{\star }b{\langle {\gamma }_0|{\gamma }_1\rangle }_{{\mathrm{B}}_i}\right)<\frac{1}{4}$.
    We also denote the following parameter T:

    $$T\triangleq {\left|a\right|}^2+{\left|b\right|}^2$$

    (3)
    (so $T>\frac{1}{2}$, or $2T-1>0$), and a resulting fourth quantum state ${|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}$:

    $${|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}\triangleq \frac{b^{\star }{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}-a^{\star }{|{\gamma }_1\rangle }_{{\mathrm{B}}_i}}{\sqrt{2T-1}}.$$

    (4)

    Lemma 1.

    If ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$ are all normalized, then ${|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}$ is normalized, too.

    Proof. 

    $$\begin{array}{ccc}\hfill 1={\langle {\gamma }_{+}|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}& =& {\left|a\right|}^2{\langle {\gamma }_0|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+{\left|b\right|}^2{\langle {\gamma }_1|{\gamma }_1\rangle }_{{\mathrm{B}}_i}+2\Re \left(a^{\star }b{\langle {\gamma }_0|{\gamma }_1\rangle }_{{\mathrm{B}}_i}\right)\hfill \end{array}$$

    $$\begin{array}{ccc}& =& T+2\Re \left(a^{\star }b{\langle {\gamma }_0|{\gamma }_1\rangle }_{{\mathrm{B}}_i}\right),\hfill \\ \hfill {\langle {\gamma }_{-}|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}& =& \frac{{\left|b\right|}^2{\langle {\gamma }_0|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+{\left|a\right|}^2{\langle {\gamma }_1|{\gamma }_1\rangle }_{{\mathrm{B}}_i}-2\Re \left(b{a}^{\star }{\langle {\gamma }_0|{\gamma }_1\rangle }_{{\mathrm{B}}_i}\right)}{2T-1}\hfill \end{array}$$

    (5)

    $$\begin{array}{ccc}& =& \frac{T-2\Re \left(a^{\star }b{\langle {\gamma }_0|{\gamma }_1\rangle }_{{\mathrm{B}}_i}\right)}{2T-1}=\frac{T-(1-T)}{2T-1}=\frac{2T-1}{2T-1}=1\hfill \end{array}$$

    (6)

    □
  • Inside a separate qubit space ${\mathcal{H}}_{{\mathrm{A}}_i}\triangleq Span\{{|0\rangle }_{{\mathrm{A}}_i},{|1\rangle }_{{\mathrm{A}}_i}\}$, two orthonormal quantum states (using the same $a,b\in \mathbb{C}$ and T as above):

    $$\begin{array}{ccc}\hfill {|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}& \triangleq & \frac{a^{\star }{|0\rangle }_{{\mathrm{A}}_i}+b^{\star }{|1\rangle }_{{\mathrm{A}}_i}}{\sqrt{T}},\hfill \end{array}$$

    (7)

    $$\begin{array}{ccc}\hfill {|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}& \triangleq & \frac{b{|0\rangle }_{{\mathrm{A}}_i}-a{|1\rangle }_{{\mathrm{A}}_i}}{\sqrt{T}},\hfill \end{array}$$

    (8)

    leading to two orthonormal measurement bases (representing standard, projective quantum measurements) of Alice for each round i:

    (a)

    $\{{|0\rangle }_{{\mathrm{A}}_i},{|1\rangle }_{{\mathrm{A}}_i}\}$, which we name “the standard basis” or “the z basis”, and

    (b)

    $\{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i},{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\}$, which we name “the conjugate basis” or “the x basis”.

  • Bob’s generalized measurement operators for each round i:

    (a)

    ${\left\{M_{{\mathrm{B}}_i}^{\mathrm{Z},t}\right\}}_{t\in \{0,1\}}$, which we name “measurement in the standard basis” or “measurement in the z basis”, and

    (b)

    ${\left\{M_{{\mathrm{B}}_i}^{\mathrm{X},t}\right\}}_{t\in \{0,1\}}$, which we name “measurement in the conjugate basis” or “measurement in the x basis”.

    which are defined similarly to [22]. We note that Bob’s measurement operators can be arbitrary and are not required to be perfectly implemented or perfectly known. However, they influence the measurement results and the error rate, which influence the protocol’s success probability and key rate.
  • The number $M^{\prime }$ of all rounds (all quantum states sent by Alice to Bob).
  • The required number m of rounds where Alice does not tell Bob to discard (see Step 3).
  • The probabilities that Alice chooses to measure in each measurement basis: $p_z^{\prime \mathrm{A}}$ (for choosing to measure in the “z basis”) and $p_x^{\prime \mathrm{A}}$ (for choosing to measure in the “x basis”), respectively, such that $p_z^{\prime \mathrm{A}}+p_x^{\prime \mathrm{A}}=1$.
  • The probabilities that Bob chooses to measure in each measurement basis: $p_z^{\prime \mathrm{B}}$ (for choosing to measure in the “z basis”) and $p_x^{\prime \mathrm{B}}$ (for choosing to measure in the “x basis”), respectively, such that $p_z^{\prime \mathrm{B}}+p_x^{\prime \mathrm{B}}=1$.
  • The numbers $k_1,k_2,k_3,k_4$ of TEST bits required for each pair of basis choices of Alice and Bob (Z-Z, Z-X, X-Z, and X-X, respectively, where the first letter (Z or X) represents Alice’s basis choice, and the second letter represents Bob’s basis choice) and the number $n_1$ of required INFO bits corresponding to basis choices of Z-Z. We require $n_1+k_1+k_2+k_3+k_4\le m$.
  • The error rate threshold $\delta$ (maximal allowed noise in TEST-Z-Z and TEST-X-X bits).
  • The zero rate threshold ${\delta }_{\mathrm{mismatch}}$ (maximal allowed rate of “+” or “0” results measured by Bob in TEST-Z-X and TEST-X-Z bits, respectively).
  • The error correction and privacy amplification parameters described in [22], including, in particular, the final key length ℓ.
• Alice randomly chooses a string ${\mathrm{\Phi }}_{\mathrm{A}}\in {\{0,1\}}^{M^{\prime }}$ of basis choices: she chooses each bit independently to have value 0 with probability $p_z^{\prime \mathrm{A}}$ or value 1 with probability $p_x^{\prime \mathrm{A}}$.
  Bob randomly chooses a string ${\mathrm{\Phi }}_{\mathrm{B}}\in {\{0,1\}}^{M^{\prime }}$ of basis choices: he chooses each bit independently to have value 0 with probability $p_z^{\prime \mathrm{B}}$ or value 1 with probability $p_x^{\prime \mathrm{B}}$.
  Both strings are kept secret.
• For each round $i\in \{1,2,\dots ,M^{\prime }\}$ of the protocol, Alice generates the following entangled state:

  $${|\mathrm{\Psi }\rangle }_{{\mathrm{A}}_i{\mathrm{B}}_i}\triangleq \frac{{|0\rangle }_{{\mathrm{A}}_i}{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+{|1\rangle }_{{\mathrm{A}}_i}{|{\gamma }_1\rangle }_{{\mathrm{B}}_i}}{\sqrt{2}}=\frac{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}+\sqrt{2T-1}{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}}{\sqrt{2T}}$$

  (9)
  (this equality between its two representations can be proven algebraically). In other words, Alice generates the state

  $${\otimes }_{i=1}^{M^{\prime }}{|\mathrm{\Psi }\rangle }_{{\mathrm{A}}_i{\mathrm{B}}_i}$$

  (10)

  consisting of the $M^{\prime }$ quantum systems ${\mathrm{A}}_1,{\mathrm{A}}_2,\dots ,{\mathrm{A}}_{M^{\prime }}$ (one system for each round i).
  For each round i, if ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=1$ (namely, if Alice will have to measure this round in the “x basis”), Alice measures subsystem ${\mathrm{A}}_i$ in the “x basis” $\{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i},{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\}$. (If ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0$, she delays measurement to Step 8.) Alice then defines the following bit string $D\in {\{0,1\}}^{M^{\prime }}$:

  $$D_i\triangleq \left\{\begin{array}{cc}1\hfill & \mathrm{If}{\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=1\mathrm{and}\mathrm{Alice}\mathrm{measures}“{\xi }_{-}”\mathrm{in}\mathrm{round}i\hfill \\ 0\hfill & \mathrm{Otherwise},(\mathrm{either}{\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0,\mathrm{or}\mathrm{Alice}\mathrm{measures}“{\xi }_{+}”\mathrm{in}\mathrm{round}i)\hfill \end{array}\right.$$

  (11)
  Alice publicly sends to Bob the string D. This means that for each round i, Alice tells Bob (and Eve) whether she obtained the measurement result “${\xi }_{-}$”; however, if she did not obtain the measurement result “${\xi }_{-}$”, she does not expose the measurement result (if any) or the chosen basis.
  Alice and Bob discard and ignore all rounds where $D_i=1$, which we name the “discarded rounds”. However, for all the “non-discarded rounds” (rounds where $D_i=0$), Alice sends to Bob the subsystem ${\mathrm{B}}_i$ via the quantum channel, which can be attacked by Eve.
• Bob publicly sends to Alice his basis choice string ${\mathrm{\Phi }}_{\mathrm{B}}$.
• Alice denotes the set of rounds that were not discarded by her as $\mathrm{\Omega }\subseteq \{1,2,\dots ,M^{\prime }\}$ (namely, $\mathrm{\Omega }\triangleq \{1\le i\le M^{\prime }\mid D_i=0\}$). Alice verifies that at least m rounds appear in $\mathrm{\Omega }$, in which case she sets the flag $F^{\mathrm{sift}}\prime =$ and publishes the set $\mathrm{\Sigma }\subseteq \mathrm{\Omega }$ consisting of the first m rounds appearing in $\mathrm{\Omega }$ (which are the first m non-discarded rounds). Otherwise (if fewer than m rounds appear in $\mathrm{\Omega }$), Alice sets the flag $F^{\mathrm{sift}}\prime =Ø$ and aborts the protocol.
  The two next steps are completely identical to Steps 5 and 6 of the original prepare-and-measure protocol described in Section 3:
• Alice verifies that $\mathrm{\Sigma }$ includes at least $n_1+k_1$ rounds where Alice chose z and Bob chose z (named “Z-Z rounds”), at least $k_2$ “Z-X rounds”, at least $k_3$ “X-Z rounds”, and at least $k_4$ “X-X rounds”. If verified, Alice sets the flag $F^{\min }=✓$; otherwise, she sets the flag $F^{\min }=Ø$ and aborts the protocol.
• Alice randomly chooses four subsets ${\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4\subseteq \mathrm{\Sigma }$ of test rounds:
  • $|{\mathrm{\Pi }}_1|=k_1$ is randomly chosen out of all “Z-Z rounds” in $\mathrm{\Sigma }$, and it consists of $k_1$ rounds we define as the “TEST-Z-Z rounds”;
  • $|{\mathrm{\Pi }}_2|=k_2$ is randomly chosen out of all “Z-X rounds” in $\mathrm{\Sigma }$, and it consists of $k_2$ rounds we define as the “TEST-Z-X rounds”;
  • $|{\mathrm{\Pi }}_3|=k_3$ is randomly chosen out of all “X-Z rounds” in $\mathrm{\Sigma }$, and it consists of $k_3$ rounds we define as the “TEST-X-Z rounds”;
  • $|{\mathrm{\Pi }}_4|=k_4$ is randomly chosen out of all “X-X rounds” in $\mathrm{\Sigma }$, and it consists of $k_4$ rounds we define as the “TEST-X-X rounds”,
  and one subset ${\mathrm{\Sigma }}_1\subseteq \mathrm{\Sigma }$ of information rounds:
  • $|{\mathrm{\Sigma }}_1|=n_1$ is randomly chosen out of all “Z-Z rounds” in $\mathrm{\Sigma }\setminus {\mathrm{\Pi }}_1$, and it consists of $n_1$ rounds we define as the “INFO rounds”.
  She publicly sends the five disjoint sets ${\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4,{\mathrm{\Sigma }}_1$ to Bob.
• Alice measures all quantum systems ${\mathrm{A}}_i$ for which ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0$ in the “z basis” $\{{|0\rangle }_{{\mathrm{A}}_i},{|1\rangle }_{{\mathrm{A}}_i}\}$. She puts all her measurement results (from both this step and Step 3) in the string $R\in {\{0,1\}}^{M^{\prime }}$, which is kept secret.
• Bob measures all his non-discarded quantum systems in the bases dictated by ${\mathrm{\Phi }}_{\mathrm{B}}$ (the “z basis” if ${\left({\mathrm{\Phi }}_{\mathrm{B}}\right)}_i=0$, or the “x basis” if ${\left({\mathrm{\Phi }}_{\mathrm{B}}\right)}_i=1$) and puts his measurement results in the string $U\in {\{0,1\}}^{M^{\prime }}$, which is kept secret.
  The rest of the protocol is completely identical to the last steps of the original prepare-and-measure protocol described in Section 3 (in its Steps 7–9):
• Each one of Alice and Bob produces five substrings of their respective bit strings $R,U$:
  • $V^1$ and $W^1$ are the substrings corresponding to ${\mathrm{\Pi }}_1$ (the TEST-Z-Z rounds) of Alice and Bob, respectively;
  • $V^2$ and $W^2$ are the substrings corresponding to ${\mathrm{\Pi }}_2$ (the TEST-Z-X rounds) of Alice and Bob, respectively;
  • $V^3$ and $W^3$ are the substrings corresponding to ${\mathrm{\Pi }}_3$ (the TEST-X-Z rounds) of Alice and Bob, respectively;
  • $V^4$ and $W^4$ are the substrings corresponding to ${\mathrm{\Pi }}_4$ (the TEST-X-X rounds) of Alice and Bob, respectively;
  • $X^1$ and $Y^1$ are the substrings corresponding to ${\mathrm{\Sigma }}_1$ (the INFO rounds) of Alice and Bob, respectively.
• Alice sends $V^1,V^4$ to Bob, and Bob compares them to his $W^1,W^4$ and computes the error rates. If the error rate in either the TEST-Z-Z rounds or the TEST-X-X rounds exceeds $\delta$, Bob sets $F^{\mathrm{pe}}=Ø$ and aborts the protocol.
  In addition, Bob evaluates his bit strings $W^2,W^3$ and computes their zero rates (namely, the percentages of his “+” or “0” measurement results, respectively). If the zero rate in either the TEST-Z-X rounds or the TEST-X-Z rounds exceeds ${\delta }_{\mathrm{mismatch}}$, Bob sets $F^{\mathrm{pe}}=Ø$ and aborts the protocol.
  If both tests pass, Bob sets $F^{\mathrm{pe}}=✓$, and the protocol proceeds.
• Alice and Bob perform error correction and privacy amplification to their secret INFO bits $X^1,Y^1$ in the standard way for BB84 protocols (described, e.g., in [22]) to obtain their final secret keys. We note that Alice and Bob generate another flag, $F^{\mathrm{ec}}$, and they abort the protocol if $F^{\mathrm{ec}}=Ø$ (see details in [22]); however, if $F^{\mathrm{ec}}=✓$, the protocol succeeds, and Alice’s and Bob’s final secret keys are denoted by $K_{\mathrm{A}},K_{\mathrm{B}}\in {\{0,1\}}^{\ell }$, respectively.

In Section 4.2, we prove security of this protocol, and in Section 4.3, we prove the reduction to be correct—namely, we prove that security of the above protocol implies security of the original protocol.

4.2. Security Proof for the Modified Entanglement-Based Protocol

Our security proof is a generalization of Section 6 of [22] (which proves security of an entanglement-based version of BB84 [1,25,26]), requiring a few modifications of their proof.

The proof of [22] is based on an entropic uncertainty relation which, roughly speaking, links two quantities: the smooth min-entropy of Alice’s data conditioned on Eve’s data (denoted $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})$) and the smooth max-entropy of Alice’s data conditioned on Bob’s data (denoted $H_{\max }^{ϵ}\left(\mathrm{A}\right|\mathrm{B})$). Generally speaking, these entropies are measures of uncertainty: they capture the number of bits in Alice’s system $\mathrm{A}$ that are unknown to either Eve or Bob, respectively. Intuitively (and imprecisely), the smooth min-entropy $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})$ describes the number of secret bits that can be extracted from Alice’s system $\mathrm{A}$ and will be completely secret even from Eve (or from anyone that has Eve’s system $\mathrm{E}$), while the smooth max-entropy $H_{\max }^{ϵ}\left(\mathrm{A}\right|\mathrm{B})$ describes the number of extra information bits that Bob will have to receive from Alice if he wants to have full information on her system $\mathrm{A}$ (which is roughly equivalent to asking how much information Alice would need to send to Bob during the error correction procedure).

Roughly speaking, the entropic uncertainty relation used by [22] shows a lower bound on $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})+H_{\max }^{ϵ}\left(\mathrm{A}\right|\mathrm{B})$. Then, their proof upper-bounds $H_{\max }^{ϵ}\left(\mathrm{A}\right|\mathrm{B})$ by bounding the error rate between Alice and Bob using a law of large numbers, which shows it is unlikely that the error rate on TEST bits is less than $\delta$ while the error rate on INFO bits is more than $\delta +\nu$. (Intuitively, the smoothness parameter $ϵ$ means that we do not necessarily use the original quantum state given as an input to the entropy, but we may use any quantum state up to distance $ϵ$ from it. In our case, for example, ${ϵ}^2$ represents the maximal probability that the law of large numbers is violated—namely, the maximal probability that the true error rate in the INFO bits is much higher than the error rate observed in the TEST bits. Using the smooth min- and max-entropy allows us to upper-bound the impact of this unwanted possibility.) The combination of these two results implies a lower bound on $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})$, and this lower bound immediately gives us the protocol’s key rate using the Leftover Hashing Lemma [27] (which intuitively says that roughly $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})$ bits, known to Alice and completely secret from Eve, can be extracted from Alice’s system using a standard procedure of privacy amplification).

We mainly modify the first two parts of [22]’s proof: the entropic uncertainty relation and the use of the law of large numbers. In addition, we need to justify security of our sifting step.

4.2.1. The Sifting Step

The sifting step of our modified entanglement-based protocol does not appear in the entanglement-based protocol of [22]. Therefore, we must prove that it does not hurt security by showing that it keeps Alice’s and Bob’s basis choice strings ${\mathrm{\Phi }}_{\mathrm{A}},{\mathrm{\Phi }}_{\mathrm{B}}$ independent of the other systems.

Each bit of ${\mathrm{\Phi }}_{\mathrm{A}},{\mathrm{\Phi }}_{\mathrm{B}}$ is chosen independently (with probabilities $p_z^{\prime \mathrm{A}}$, $p_x^{\prime \mathrm{A}}$, $p_z^{\prime \mathrm{B}}$, and $p_x^{\prime \mathrm{B}}$, respectively). Moreover, the state that Alice generates for each round is as follows:

$${|\mathrm{\Psi }\rangle }_{{\mathrm{A}}_i{\mathrm{B}}_i}\triangleq \frac{{|0\rangle }_{{\mathrm{A}}_i}{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+{|1\rangle }_{{\mathrm{A}}_i}{|{\gamma }_1\rangle }_{{\mathrm{B}}_i}}{\sqrt{2}}=\frac{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}+\sqrt{2T-1}{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}}{\sqrt{2T}},$$

(12)

so we observe that if ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0$ (namely, if Alice chooses the “z basis”), Alice obtains the “0” and “1” results with equal conditional probabilities ($\frac{1}{2}$); and if ${\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=1$ (namely, if Alice chooses the “x basis”), Alice obtains the “${\xi }_{+}$” result with conditional probability $\frac{1}{2T}$ and obtains the “${\xi }_{-}$” result with conditional probability $\frac{2T-1}{2T}$. We conclude the following:

$$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left(0\right)={Pr}_{{\mathrm{A}}_i}\left(1\right)& =& p_z^{\prime \mathrm{A}}·\frac{1}{2}=\frac{p_z^{\prime \mathrm{A}}}{2},\hfill \end{array}$$

(13)

$$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left({\xi }_{+}\right)& =& p_x^{\prime \mathrm{A}}·\frac{1}{2T}=\frac{p_x^{\prime \mathrm{A}}}{2T},\hfill \end{array}$$

(14)

$$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left({\xi }_{-}\right)& =& p_x^{\prime \mathrm{A}}·\frac{2T-1}{2T}=\frac{p_x^{\prime \mathrm{A}}(2T-1)}{2T}.\hfill \end{array}$$

(15)

To justify the sifting step, we notice that this probabilistic process can equivalently be described as the following two-stage process:

• First, for each round i, Alice determines whether round i is discarded ($D_i=1$) or not ($D_i=0$). The round is discarded if and only if Alice measures “${\xi }_{-}$”; therefore,

  $$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}(D_i=1)& =& {Pr}_{{\mathrm{A}}_i}\left({\xi }_{-}\right)=\frac{p_x^{\prime \mathrm{A}}(2T-1)}{2T},\hfill \end{array}$$

  (16)

  $$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}(D_i=0)& =& {Pr}_{{\mathrm{A}}_i}\left(0\right)+{Pr}_{{\mathrm{A}}_i}\left(1\right)+{Pr}_{{\mathrm{A}}_i}\left({\xi }_{+}\right)=2·\frac{p_z^{\prime \mathrm{A}}}{2}+\frac{p_x^{\prime \mathrm{A}}}{2T}=p_z^{\prime \mathrm{A}}+\frac{p_x^{\prime \mathrm{A}}}{2T}.\hfill \end{array}$$

  (17)
  Remember that we define $\mathrm{\Omega }\triangleq \{1\le i\le M^{\prime }\mid D_i=0\}$ as the set of non-discarded rounds.
• Then, for each round i in $\mathrm{\Omega }$ (each non-discarded round), Alice determines the basis:

  $$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left[{\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=0\mid D_i=0\right]& =& \frac{{Pr}_{{\mathrm{A}}_i}\left(0\right)+{Pr}_{{\mathrm{A}}_i}\left(1\right)}{{Pr}_{{\mathrm{A}}_i}(D_i=0)}=\frac{2·\frac{p_z^{\prime \mathrm{A}}}{2}}{p_z^{\prime \mathrm{A}}+\frac{p_x^{\prime \mathrm{A}}}{2T}}=\frac{p_z^{\prime \mathrm{A}}}{p_z^{\prime \mathrm{A}}+\frac{p_x^{\prime \mathrm{A}}}{2T}},\hfill \end{array}$$

  (18)

  $$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left[{\left({\mathrm{\Phi }}_{\mathrm{A}}\right)}_i=1\mid D_i=0\right]& =& \frac{{Pr}_{{\mathrm{A}}_i}\left({\xi }_{+}\right)}{{Pr}_{{\mathrm{A}}_i}(D_i=0)}=\frac{\frac{p_x^{\prime \mathrm{A}}}{2T}}{p_z^{\prime \mathrm{A}}+\frac{p_x^{\prime \mathrm{A}}}{2T}}.\hfill \end{array}$$

  (19)
  These probabilities are independent between the rounds: namely, the basis is determined independently for each non-discarded round.

Note that this equivalence is only correct with respect to the probability distribution; the above process does not describe a physical process, but a virtual process that cannot be applied in practice and only gives the same probability distribution over ${\mathrm{\Phi }}_A$ and R. (This point can be counter-intuitive: from a quantum theory’s point of view, the choice of discarded and non-discarded rounds obviously depends on the basis chosen for measurement, yet from a probabilistic point of view, the process can be divided to the two above stages and still give us an identical probability distribution.)

We notice that both the flag $F^{\mathrm{sift}}\prime$ (which notes whether there are at least m rounds in $\mathrm{\Omega }$—namely, whether at least m rounds were not discarded) and the set $\mathrm{\Sigma }$ (which represents the first m rounds in $\mathrm{\Omega }$) only depend on stage 1: namely, from the probabilistic point of view, both the passing of the sifting test ($F^{\mathrm{sift}}\prime$) and the choice of the m relevant rounds ($\mathrm{\Sigma }$) depend only on the choice of discarded rounds in stage 1, and they are both completely independent of the bases ${\mathrm{\Phi }}_{\mathrm{A}}$ chosen for the non-discarded rounds in stage 2. The bases of the non-discarded rounds are chosen independently with the predetermined probabilities computed in Equations (18) and (19).

For this reason, in the rest of the analysis, we can treat ${\mathrm{\Phi }}_{\mathrm{A}}$ and ${\mathrm{\Phi }}_{\mathrm{B}}$ (more precisely, their restrictions to the m non-discarded rounds in $\mathrm{\Sigma }$) as completely independent of Eve’s attack. In other words, Eve’s attack is applied independently of Alice’s and Bob’s chosen bases (or their actually used bases) because Eve is only given access to the discarding string D which is completely independent of the bases in the non-discarded rounds. This result is crucial for the application of the law of large numbers to hypothetical protocols in Section 4.2.3.

Furthermore, we notice that our modified entanglement-based protocol actually acts in the following way regarding the choice of bases and TEST and INFO bits inside $\mathrm{\Sigma }$:

• In stage 2 (included in Step 2 of the protocol), Alice and Bob determine the bases of the m non-discarded rounds in $\mathrm{\Sigma }$, chosen randomly and independently for each round in $\mathrm{\Sigma }$.
• In Step 6 of the protocol, Alice verifies that $\mathrm{\Sigma }$ has sufficient numbers of rounds corresponding to each pair of bases (namely, at least $n_1+k_1$ “Z-Z rounds”, at least $k_2$ “Z-X rounds”, at least $k_3$ “X-Z rounds”, and at least $k_4$ “X-X rounds”). For simplicity, let us denote the “Z-Z rounds” by ${\mathrm{\Sigma }}_{\mathrm{Z},\mathrm{Z}}$, the “Z-X rounds” by ${\mathrm{\Sigma }}_{\mathrm{Z},\mathrm{X}}$, the “X-Z rounds” by ${\mathrm{\Sigma }}_{\mathrm{X},\mathrm{Z}}$, and the “X-X rounds” by ${\mathrm{\Sigma }}_{\mathrm{X},\mathrm{X}}$; here, Alice verifies that $|{\mathrm{\Sigma }}_{\mathrm{Z},\mathrm{Z}}|\ge n_1+k_1$, $|{\mathrm{\Sigma }}_{\mathrm{Z},\mathrm{X}}|\ge k_2$, $|{\mathrm{\Sigma }}_{\mathrm{X},\mathrm{Z}}|\ge k_3$, and $|{\mathrm{\Sigma }}_{\mathrm{X},\mathrm{X}}|\ge k_4$. We condition on passing this verification—namely, we evaluate the conditional probabilities on $F^{\min }=✓$.
• In Step 7 of the protocol, Alice uniformly and randomly chooses the corresponding disjoint subsets ${\mathrm{\Sigma }}_1,{\mathrm{\Pi }}_1\subseteq {\mathrm{\Sigma }}_{\mathrm{Z},\mathrm{Z}}$, ${\mathrm{\Pi }}_2\subseteq {\mathrm{\Sigma }}_{\mathrm{Z},\mathrm{X}}$, ${\mathrm{\Pi }}_3\subseteq {\mathrm{\Sigma }}_{\mathrm{X},\mathrm{Z}}$, and ${\mathrm{\Pi }}_4\subseteq {\mathrm{\Sigma }}_{\mathrm{X},\mathrm{X}}$ (of sizes $n_1$, $k_1$, $k_2$, $k_3$, and $k_4$, respectively). This effectively discards the other $m-n_1-k_1-k_2-k_3-k_4$ rounds in $\mathrm{\Sigma }\setminus ({\mathrm{\Sigma }}_1\cup {\mathrm{\Pi }}_1\cup {\mathrm{\Pi }}_2\cup {\mathrm{\Pi }}_3\cup {\mathrm{\Pi }}_4)$, because their basis choices and measurement results are completely ignored by the rest of the protocol.

Combining these three steps and conditioning on $F^{\min }=✓$ (namely, conditioning on passing the verification of the second step), this process is equivalent from the probabilistic point of view to uniformly and randomly choosing five disjoint subsets ${\mathrm{\Sigma }}_1,{\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4\subseteq \mathrm{\Sigma }$ of sizes $n_1$, $k_1$, $k_2$, $k_3$, and $k_4$, respectively (out of the m-sized set $\mathrm{\Sigma }$), and letting this uniform choice dictate the choice of measurement probabilities (Z-Z, Z-Z, Z-X, X-Z, and X-X, respectively). This equivalence results from the complete symmetry of the above three steps, which have no dependence whatsoever on the identifying number of each round inside $\mathrm{\Sigma }$. This observation, too, is crucial for the application of the law of large numbers in Section 4.2.3.

4.2.2. Entropic Uncertainty Relation

The security proof in [22] uses the uncertainty relation described in Proposition 4 of [22], which is equivalent to Corollary 7.4 of [28]. This uncertainty relation uses the symmetry of the BB84 protocol with respect to the chosen basis of the INFO bits: namely, it uses the property that each INFO bit in BB84 is measured in a uniformly random basis, independently of the TEST bits’ results and bases. Since a similar property does not apply to our protocol (because all our INFO bits are measured in the “z basis”), we must use a different uncertainty relation.

Adopting an approach similar to [29], we use Theorem 7.2 of [28] as the generalized entropic uncertainty relation (using slightly different notations compared to [28]):

Theorem 1.

(Theorem 7.2 of [28]) Given $ϵ\ge 0$ and a non-normalized state ${\rho }_{\mathrm{A}\mathrm{R}\mathrm{S}}$ over the Hilbert space ${\mathcal{H}}_{\mathrm{A}\mathrm{R}\mathrm{S}}$, and given two generalized measurement operators $M_1={\left\{M_1^x\right\}}_x,M_2={\left\{M_2^{x^{\prime }}\right\}}_{x^{\prime }}$ on ${\mathcal{H}}_{\mathrm{A}}$ and a projective measurement ${\left\{P^p\right\}}_p$ on ${\mathcal{H}}_{\mathrm{A}}$, the two post-measurement states

$$\begin{array}{ccc}\hfill {\sigma }_{\mathrm{X}\mathrm{P}\mathrm{R}}& =& \sum _{x,p}{|x\rangle }_{\mathrm{X}}{\langle x|}_{\mathrm{X}}\otimes {|p\rangle }_{\mathrm{P}}{\langle p|}_{\mathrm{P}}\otimes {tr}_{\mathrm{A}\mathrm{S}}\left(M_1^x{P}^p{\rho }_{\mathrm{A}\mathrm{R}\mathrm{S}}{P}^p{\left(M_1^x\right)}^{†}\right),\hfill \end{array}$$

(20)

$$\begin{array}{ccc}\hfill {\sigma }_{{\mathrm{X}}^{\prime }\mathrm{P}\mathrm{S}}^{\prime }& =& \sum _{x^{\prime },p}{|x^{\prime }\rangle }_{{\mathrm{X}}^{\prime }}{\langle x^{\prime }|}_{{\mathrm{X}}^{\prime }}\otimes {|p\rangle }_{\mathrm{P}}{\langle p|}_{\mathrm{P}}\otimes {tr}_{\mathrm{A}\mathrm{R}}\left(M_2^{x^{\prime }}{P}^p{\rho }_{\mathrm{A}\mathrm{R}\mathrm{S}}{P}^p{\left(M_2^{x^{\prime }}\right)}^{†}\right)\hfill \end{array}$$

(21)

satisfy the following inequality (uncertainty relation):

$$H_{\min }^{ϵ}{\left(\mathrm{X}\right|\mathrm{P}\mathrm{R})}_{\sigma }+H_{\max }^{ϵ}{\left({\mathrm{X}}^{\prime }\right|\mathrm{P}\mathrm{S})}_{{\sigma }^{\prime }}\ge {log}_2\left(\frac{1}{c_{\mathrm{P}}}\right),$$

(22)

where:

$$c_{\mathrm{P}}\triangleq \underset{p,x,x^{\prime }}{max}{\left|\left|M_1^x{P}^p{\left(M_2^{x^{\prime }}\right)}^{†}\right|\right|}_{\infty }^2.$$

(23)

Proof. 

Proved in Section 7.3.2 of [28] as Theorem 7.2. □

The next proposition will give us a similar result to Corollary 5 of [22] (namely, roughly speaking, a lower bound on the sum $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})+H_{\max }^{ϵ}\left(\mathrm{A}\right|\mathrm{B})$), with one important difference: the first term $H_{\min }^{ϵ}\left(\mathrm{A}\right|\mathrm{E})$ will still refer to the real QKD protocol (the modified entanglement-based protocol described in Section 4.1), but the second term $H_{\max }^{ϵ}\left(\mathrm{A}\right|\mathrm{B})$ will now refer to a hypothetical QKD protocol (still entanglement-based) where both Alice and Bob measure the INFO bits in the conjugate (“x”) basis. Formally:

Proposition 1.

For the modified entanglement-based protocol described in Section 4.1, for $ϵ\ge 0$, the state ${\sigma }_{{\mathrm{X}}^1{\mathrm{Y}}^1\mathrm{V}\mathrm{W}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}{\mathrm{F}}^{\mathrm{sift}}\prime {\mathrm{F}}^{\min }{\mathrm{F}}^{\mathrm{pe}}\mathrm{E}}$ held by Alice, Bob, and Eve after Step 11 of the real protocol, and the state ${\sigma }_{{\mathrm{X}}^{\prime 1}{\mathrm{Y}}^{\prime 1}\mathrm{V}\mathrm{W}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}{\mathrm{F}}^{\mathrm{sift}}\prime {\mathrm{F}}^{\min }{\mathrm{F}}^{\mathrm{pe}}\mathrm{E}}^{\prime }$ held by Alice, Bob, and Eve after Step 11 of the hypothetical protocol defined below, it holds that

$$\begin{array}{ccc}& & H_{\min }^{ϵ}{({\mathrm{X}}^1\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|\mathrm{V}\mathrm{W}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}\mathrm{E},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{\sigma }\hfill \\ & +& H_{\max }^{ϵ}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|{\mathrm{Y}}^{\prime 1},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }}\ge n_1{log}_2\left(\frac{1}{c}\right),\hfill \end{array}$$

(24)

where we define $\mathrm{V}\triangleq (V^1,V^2,V^3,V^4)$, $\mathrm{W}\triangleq (W^1,W^2,W^3,W^4)$, $\mathrm{\Pi }\triangleq ({\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4,{\mathrm{\Sigma }}_1,D,\mathrm{\Sigma })$, and $c\triangleq max\left(|{\langle 0|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 0|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 1|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,{\left|{\langle 1|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\right|}^2\right)$, using the protocol’s notations; subsystem $\mathrm{E}$ represents Eve’s ancilla (including her quantum data); and ${\mathrm{X}}^{\prime 1},{\mathrm{Y}}^{\prime 1}$ are the substrings corresponding to the $n_1$ INFO rounds (namely, the Z-Z rounds in ${\mathrm{\Sigma }}_1$) in the hypothetical protocol where both Alice and Bob measure the INFO bits in the conjugate (“x”) basis.

(The hypothetical protocol only changes the actual measurements performed by Alice and Bob in Steps 8 and 9 of the modified entanglement-based protocol. It does not change any other part of the protocol: in particular, Alice neither discards INFO rounds where she measured “${\xi }_{-}$” in the hypothetical protocol nor notifies Bob about them.)

Proof. 

This proof combines modified versions of the proofs of Corollary 7.4 in Section 7.4.2 of [28] and Corollary 5 in Section 6.2 of [22].

We choose the measurement operators $M_1=\left\{{|j\rangle }_{\mathrm{A}}{\langle j|}_{\mathrm{A}}\mid j\in {\{0,1\}}^{n_1}\right\}$ (i.e., the tensor product of $n_1$ copies of the “z basis”) and $M_2=\left\{{|j\rangle }_{\mathrm{A}}{\langle j|}_{\mathrm{A}}\mid j\in {\{{\xi }_{+},{\xi }_{-}\}}^{n_1}\right\}$ (i.e., the tensor product of $n_1$ copies of the “x basis”) and the projective measurement ${\left\{P^p\right\}}_p={\left\{|\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}\rangle \langle \mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}|\right\}}_{\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}}$. It is easy to verify (see, e.g., [28]) that $c_{\mathrm{P}}$ of Theorem 1 is equal to $c^{n_1}$, where c was defined in our proposition ($c\triangleq max\left(|{\langle 0|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 0|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 1|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,{\left|{\langle 1|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\right|}^2\right)$).

Then, we apply Theorem 1 to the state after Alice’s and Bob’s measurements of all TEST bits, before Alice’s and Bob’s measurements of the INFO bits (here, it is important that our modified entanglement-based protocol delays to its Step 8 all Alice’s measurements in the “z basis”, which include all measurements of the INFO bits), conditioned on the first two tests passing (${\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓$), and requiring the third test to pass (${\mathrm{F}}^{\mathrm{pe}}=✓$): (the difference between “conditioning” and “requiring” in this context is analogous to the difference between a “conditional probability” and a “joint probability”, respectively; see [22] for the precise definitions)

$${\rho }_{\mathrm{A}\mathrm{B}\mathrm{V}\mathrm{W}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}{\mathrm{F}}^{\mathrm{sift}}\prime {\mathrm{F}}^{\min }{\mathrm{F}}^{\mathrm{pe}}\mathrm{E}\wedge {\mathrm{F}}^{\mathrm{pe}}=✓\mid {\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓},$$

(25)

and by choosing the systems $\mathrm{P}=\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}},\mathrm{R}=\mathrm{V}\mathrm{W}\mathrm{E},\mathrm{S}=\mathrm{B}$ for Theorem 1, we obtain the following:

$$\begin{array}{ccc}& & H_{\min }^{ϵ}{({\mathrm{X}}^1\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|\mathrm{V}\mathrm{W}\mathrm{E}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{\sigma }\hfill \\ & +& H_{\max }^{ϵ}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|\mathrm{B}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }}\ge n_1{log}_2\left(\frac{1}{c}\right),\hfill \end{array}$$

(26)

where $X^1$ and $X^{\prime 1}$ represent the measurement results of Alice’s INFO bits in the “z basis” and in the “x basis”, respectively.

Performing a measurement of Bob’s INFO bits in subsystem $\mathrm{B}$ in the “x basis” (yielding the bit string ${\mathrm{Y}}^{\prime 1}$) and discarding the classical information systems, $\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}$ are two quantum operations (CPTP) operated exclusively on subsystems $\mathrm{B}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}$. According to the data processing inequality (see, e.g., [22,27]), such operations can only increase the max-entropy:

$$H_{\max }^{ϵ}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|\mathrm{B}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }}\le H_{\max }^{ϵ}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|{\mathrm{Y}}^{\prime 1},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }},$$

(27)

which gives us the desired result:

$$\begin{array}{ccc}& & H_{\min }^{ϵ}{({\mathrm{X}}^1\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|\mathrm{V}\mathrm{W}\mathrm{E}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{\sigma }\hfill \\ & +& H_{\max }^{ϵ}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=✓|{\mathrm{Y}}^{\prime 1},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }}\ge n_1{log}_2\left(\frac{1}{c}\right).\hfill \end{array}$$

(28)

□

4.2.3. The Law of Large Numbers

Intuitively, the proof of [22] uses a law of large numbers (Lemma 6 of [22]) to upper-bound the max-entropy $H_{\max }^{ϵ}\left(\mathrm{X}\right|\mathrm{Y})$—namely, the max-entropy of Alice’s raw key conditioned on Bob’s raw key in the real protocol. However, in our proof, we need to bound $H_{\max }^{ϵ}\left({\mathrm{X}}^{\prime 1}\right|{\mathrm{Y}}^{\prime 1})$—namely, the max-entropy of Alice’s raw key conditioned on Bob’s raw key in a hypothetical protocol where Alice and Bob measure the INFO bits in the conjugate (“x”) basis. For obtaining this bound, we need to apply the law of large numbers twice to two different hypothetical protocols:

• In the X-X hypothetical protocol (where both Alice and Bob measure the INFO bits in the “x basis”), we can compare the TEST-X-X bits (where the only non-discarded rounds are those where Alice measured “${\xi }_{+}$”) to the INFO bits. This way, we can discover the error rate on the “${\xi }_{+}$” bits.
• For finding the error rate on the “${\xi }_{-}$” bits, we use the Z-X hypothetical protocol, where Alice measures the INFO bits in the “z basis” while Bob measures them in the “x basis”. The following intuitive formula will give us the needed bound:

  $$Pr({\mathrm{A}}_i=-,{\mathrm{B}}_i=+)=Pr({\mathrm{A}}_i=0,{\mathrm{B}}_i=+)+Pr({\mathrm{A}}_i=1,{\mathrm{B}}_i=+)-Pr({\mathrm{A}}_i=+,{\mathrm{B}}_i=+).$$

  (29)
  This formula is intuitively trivial because it follows from the following formula:

  $$\begin{array}{ccc}& & Pr({\mathrm{A}}_i=-,{\mathrm{B}}_i=+)+Pr({\mathrm{A}}_i=+,{\mathrm{B}}_i=+)=Pr({\mathrm{B}}_i=+)\hfill \\ & =& Pr({\mathrm{A}}_i=0,{\mathrm{B}}_i=+)+Pr({\mathrm{A}}_i=1,{\mathrm{B}}_i=+).\hfill \end{array}$$

  (30)
  Formally, it follows from the independence of Alice’s and Bob’s operations, as elaborated in the “bounding the fourth probability” portion of the proof of Proposition 2 below.
  This idea can be compared with [30]’s analysis of the “loss tolerant” protocol (improving on the usual analysis which involves matrix computations [14,15,16,17]), but their analysis is more complicated and has several free parameters. Here, we present a full and precise analysis, leading to an explicit key rate formula in the single-qubit regime.

Formally, we use the following law of large numbers (Lemma 6 of [22]):

Lemma 2.

(Lemma 6 of [22]) Given a set of N random variables $Z=(Z_1,Z_2,\dots ,Z_N)$, where each $Z_i$ takes values in $\{0,1\}$ and $N=a+b$, and given an independent, a uniformly distributed subset $\mathrm{\Pi }\subseteq \{1,2,\dots ,N\}$ of size a, it holds that

$$Pr\left[\sum _{i\in \mathrm{\Pi }}{Z}_i\le a\delta \wedge \sum _{i\in \overline{\mathrm{\Pi }}}{Z}_i\ge b·(\delta +\nu )\right]\le e^{-\frac{2b{a}^2{\nu }^2}{(a+b)(a+1)}}.$$

(31)

Proof. 

Proved in Section 6.3 of [22] as Lemma 6. □

We also use another law of large numbers, proved in Section 2 of [31] as Theorem 1:

Lemma 3.

Let $Z_1,\dots ,Z_N$ be independent random variables with finite first and second moments, such that $0\le Z_i\le 1$ for all $1\le i\le N$. If $\overline{Z}\triangleq \frac{Z_1+...+Z_N}{N}$ is their average and $\mu \triangleq E\left[\overline{Z}\right]$ is the expected value of $\overline{Z}$, then for any $\nu >0$,

$$Pr\left[\overline{Z}-\mu \ge \nu \right]\le e^{-2N{\nu }^2}.$$

(32)

Using these Lemmas, we prove the following (a modified version of Proposition 8 of [22]):

Proposition 2.

For the modified entanglement-based protocol described in Section 4.1, for the state ${\sigma }_{{\mathrm{X}}^{\prime 1}{\mathrm{Y}}^{\prime 1}\mathrm{V}\mathrm{W}\mathrm{\Pi }{\mathrm{\Phi }}_{\mathrm{A}}{\mathrm{\Phi }}_{\mathrm{B}}{\mathrm{F}}^{\mathrm{sift}}\prime {\mathrm{F}}^{\min }{\mathrm{F}}^{\mathrm{pe}}\mathrm{E}}^{\prime }$ defined in Proposition 1, and for error rate threshold δ and zero rate threshold ${\delta }_{\mathrm{mismatch}}$, if we define for any $0<\nu \le \frac{1}{2}-\delta$:

$$\begin{array}{ccc}\hfill {\delta }^{\prime }\left(\nu \right)& \triangleq & {\delta }_{\mathrm{mismatch}}+\nu -\left(\frac{1}{2T}-\nu \right)·(1-2\delta -2\nu ),\hfill \end{array}$$

(33)

$$\begin{array}{ccc}\hfill ϵ\left(\nu \right)& \triangleq & \sqrt{e^{-2n_1{\nu }^2}+e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}}+e^{-\frac{2n_1{k}_2^2{\nu }^2}{(k_2+n_1)(k_2+1)}}},\hfill \end{array}$$

(34)

then, for any $0<\nu \le \frac{1}{2}-\delta$ satisfying $0<{\delta }^{\prime }\left(\nu \right)\le \frac{1}{2}$ and $ϵ{\left(\nu \right)}^2<Pr\left[F^{\mathrm{pe}}=\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]$, it holds that

$$H_{\max }^{ϵ\left(\nu \right)}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=\mid {\mathrm{Y}}^{\prime 1},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }}\le n_1·h_2\left({\delta }^{\prime }\left(\nu \right)\right),$$

(35)

where $h_2\left(x\right)\triangleq -x{log}_2\left(x\right)-(1-x){log}_2(1-x)$.

Proof. 

Let us define the following event:

$${\mathrm{\Omega }}_0\triangleq 1\left\{\sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\right\}.$$

(36)

We need to prove the following probability to be exponentially small:

$$\begin{array}{ccc}& & Pr\left[F^{\mathrm{pe}}=✓\wedge {\mathrm{\Omega }}_0\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\sum _{i=1}^{k_1}1\{V_i^1\ne W_i^1\}\le k_1\delta \wedge \sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\right.\hfill \\ & \wedge & \sum _{i=1}^{k_3}1\{W_i^3=0\}\le k_3{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right].\hfill \end{array}$$

(37)

Let us remember that $V^2$ and $W^2$ are Alice’s and Bob’s substrings corresponding to ${\mathrm{\Pi }}_2$ (the $k_2$ TEST-Z-X rounds); $V^4$ and $W^4$ are Alice’s and Bob’s substrings corresponding to ${\mathrm{\Pi }}_4$ (the $k_4$ TEST-X-X rounds); and $X^{\prime 1}$ and $Y^{\prime 1}$ are Alice’s and Bob’s substrings corresponding to ${\mathrm{\Sigma }}_1$ (the $n_1$ INFO rounds) in the X-X hypothetical protocol—namely, assuming that both Alice and Bob measured the INFO bits in the “x basis” in Steps 8 and 9 of the protocol, respectively.

Let us also denote Alice’s “${\xi }_{+}$ rate” (the percentage of INFO bits which Alice measures as “${\xi }_{+}$”) in the X-X hypothetical protocol by $R_{+}^{\prime }$—namely, $R_{+}^{\prime }\triangleq \frac{1}{n_1}{\sum }_{i=1}^{n_1}1\{X_i^{\prime 1}=0\}$. Thus, the probability $Pr\left[F^{\mathrm{pe}}=✓\wedge {\mathrm{\Omega }}_0\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]$ is bounded by the sum of four probabilities:

$$\begin{array}{ccc}& & Pr\left[F^{\mathrm{pe}}=✓\wedge {\mathrm{\Omega }}_0\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & Pr\left[R_{+}^{\prime }\le \frac{1}{2T}-\nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & +& Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & +& Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & +& Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\le n_1{R}_{+}^{\prime }·(\delta +\nu )\right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\le n_1·({\delta }_{\mathrm{mismatch}}+\nu )\wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right].\hfill \end{array}$$

(38)

 We now bound each of these four probabilities:

Bounding the first probability:

 We need to bound

$$Pr\left[R_{+}^{\prime }\le \frac{1}{2T}-\nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right],$$

(39)

where $R_{+}^{\prime }$ is the “${\xi }_{+}$” measurement rate of Alice among the INFO bits in the X-X hypothetical protocol. We notice that this rate is only dictated by identical quantum actions performed by Alice: because Alice measures all INFO bits in the “x basis” in the hypothetical protocol, her measurement results are obtained independently for all rounds and her probability of measuring “${\xi }_{+}$” is always $\frac{1}{2T}$. Namely, Alice’s measurement results are $n_1$ independent random variables ${\left\{Z_i\right\}}_{i=1}^{n_1}$ (with all probabilities conditioned on $F^{\mathrm{sift}}\prime =F^{\min }=✓$) such that for each i:

$$Pr(Z_i=0\mid F^{\mathrm{sift}}\prime =F^{\min }=✓)=\frac{1}{2T},Pr(Z_i=1\mid F^{\mathrm{sift}}\prime =F^{\min }=✓)=1-\frac{1}{2T}.$$

(40)

Therefore, the expected value of each $Z_i$ is $E\left[Z_i\right]=1-\frac{1}{2T}$.

We can thus apply Lemma 3 (which applies to N independent random variables) to the random variables ${\left\{Z_i\right\}}_{i=1}^{n_1}$ with parameters $N=n_1$ and $\mu =E\left[\overline{Z}\right]=1-\frac{1}{2T}$. We note that $\overline{Z}=1-R_{+}^{\prime }$. Therefore, we obtain the following result:

$$\begin{array}{ccc}\hfill Pr\left[R_{+}^{\prime }\le \frac{1}{2T}-\nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]& =& Pr\left[R_{+}^{\prime }-\frac{1}{2T}\le -\nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\frac{1}{2T}-R_{+}^{\prime }\ge \nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\left(1-R_{+}^{\prime }\right)-\left(1-\frac{1}{2T}\right)\ge \nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\overline{Z}-\mu \ge \nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\le e^{-2n_1{\nu }^2}.\hfill \end{array}$$

(41)

Bounding the second probability:

 We need to bound

$$\begin{array}{cc}\hfill Pr& \left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \right.\hfill \\ \hfill & \wedge \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right],\hfill \end{array}$$

(42)

where $V^4$ and $W^4$ are Alice’s and Bob’s substrings corresponding to ${\mathrm{\Pi }}_4$ (the $k_4$ TEST-X-X rounds); $X^{\prime 1}$ and $Y^{\prime 1}$ are Alice’s and Bob’s substrings corresponding to ${\mathrm{\Sigma }}_1$ (the $n_1$ INFO rounds) in the X-X hypothetical protocol; and $R_{+}^{\prime }$ is the “${\xi }_{+}$” measurement rate of Alice among the INFO bits in the X-X hypothetical protocol. We notice that the TEST-X-X rounds in ${\mathrm{\Pi }}_4$ consist only of rounds where Alice measured “${\xi }_{+}$” (the other rounds are discarded), so her recorded bit must be 0; therefore, the error event $V_i^4\ne W_i^4$ is actually equivalent to $V_i^4=0\wedge W_i^4=1$, and the probability is actually

$$\begin{array}{cc}\hfill =Pr& \left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ \hfill & \wedge \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right].\hfill \end{array}$$

(43)

We notice that all rates are evaluated in the X-X hypothetical protocol; that in all rounds, both Alice and Bob measure in the “x basis”; and that in all rounds taken into account, Alice obtains the “${\xi }_{+}$” result. We thus notice that the quantum behaviour of Alice, Bob, and Eve is identical on all these rounds in the X-X hypothetical protocol (in particular, $D_i=0$ for all these rounds, and while the timing of Alice’s measurements may differ between the rounds, this timing is meaningless from the quantum point of view).

Therefore, we can apply Lemma 2 using the following parameters: the random variables $Z=(Z_1,Z_2,\dots ,Z_N)$ represent the condition that Alice’s bit is 0 and Bob’s bit is 1 (namely, $Z_i$ represents the evaluation of the condition $V_i^4=0\wedge W_i^4=1$ or $X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1$, respectively); the sampled subset $\mathrm{\Pi }$ includes the $a=k_4$ TEST-X-X rounds in the ${\mathrm{\Pi }}_4$ subset chosen by the protocol, and the rest $\overline{\mathrm{\Pi }}$ includes the $b=n_1{R}_{+}^{\prime }$ INFO rounds in the ${\mathrm{\Sigma }}_1$ subset chosen by the protocol where Alice obtains the “${\xi }_{+}$” measurement result. The sampled susbet $\mathrm{\Pi }$ is completely independent of Bob’s measurement results (that are dictated solely by Eve’s transmitted states and Alice’s results in the “x basis”) because we showed in Section 4.2.1 that ${\mathrm{\Sigma }}_1$ and ${\mathrm{\Pi }}_4$ can be seen as uniformly and randomly chosen subsets of $\mathrm{\Sigma }$, conditioning on $F^{\mathrm{sift}}\prime =F^{\min }=✓$.

We remark that this is not a straightforward application of Lemma 2 because the number $b=n_1{R}_{+}^{\prime }$ of rounds in $\overline{\mathrm{\Pi }}$ is a random variable and not a parameter. Therefore, the computation is slightly more complicated because all possible values of $R_{+}^{\prime }=r_{+}^{\prime }$ need to be evaluated. Nevertheless, using the condition $R_{+}^{\prime }\ge \frac{1}{2T}-\nu$ and applying Lemma 2 for any possible value of $R_{+}^{\prime }$, we are able to bound this probability and prove it exponentially small.

Using the formulation of Lemma 2, we obtain

$$\begin{array}{ccc}& & Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& \sum _{j=⌈n_1·\left(\frac{1}{2T}-\nu \right)⌉}^{n_1}Pr\left[R_{+}^{\prime }=\frac{j}{n_1}\wedge \sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& \sum _{j=⌈n_1·\left(\frac{1}{2T}-\nu \right)⌉}^{n_1}Pr\left[R_{+}^{\prime }=\frac{j}{n_1}\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]·Pr\left[\sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid R_{+}^{\prime }=\frac{j}{n_1},F^{\mathrm{sift}}\prime =F^{\min }=✓\right].\hfill \end{array}$$

(44)

We can now bound this conditional probability, for each value of $j\in \left[n_1·\left(\frac{1}{2T}-\nu \right),n_1\right]$:

$$\begin{array}{ccc}& & Pr\left[\sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid R_{+}^{\prime }=\frac{j}{n_1},F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge j·(\delta +\nu )\mid R_{+}^{\prime }=\frac{j}{n_1},F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\sum _{i\in \mathrm{\Pi }}{Z}_i\le k_4\delta \wedge \sum _{i\in \overline{\mathrm{\Pi }}}{Z}_i\ge j·(\delta +\nu )\mid R_{+}^{\prime }=\frac{j}{n_1},F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & e^{-\frac{2j{k}_4^2{\nu }^2}{(k_4+j)(k_4+1)}}\le e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}},\hfill \end{array}$$

(45)

where the last inequality results from the fact that $j\ge n_1·\left(\frac{1}{2T}-\nu \right)$.

Substituting Equation (45) into Equation (44), we have

$$\begin{array}{ccc}& & Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& \sum _{j=⌈n_1·\left(\frac{1}{2T}-\nu \right)⌉}^{n_1}Pr\left[R_{+}^{\prime }=\frac{j}{n_1}\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]·Pr\left[\sum _{i=1}^{k_4}1\{V_i^4=0\wedge W_i^4=1\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid R_{+}^{\prime }=\frac{j}{n_1},F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & \sum _{j=⌈n_1·\left(\frac{1}{2T}-\nu \right)⌉}^{n_1}Pr\left[R_{+}^{\prime }=\frac{j}{n_1}\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]·e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}}\hfill \\ & \le & e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}}.\hfill \end{array}$$

(46)

Bounding the third probability:

 We need to bound

$$Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right],$$

(47)

where $W^2$ is Bob’s substring corresponding to ${\mathrm{\Pi }}_2$ (the $k_2$ TEST-Z-X rounds) and $Y^{\prime 1}$ is Bob’s substring corresponding to ${\mathrm{\Sigma }}_1$ (the $n_1$ INFO rounds) in the X-X hypothetical protocol. Let us now define $X^{″1}$ and $Y^{″1}$ as Alice’s and Bob’s substrings corresponding to ${\mathrm{\Sigma }}_1$ (the $n_1$ INFO rounds) in the Z-X hypothetical protocol—namely, assuming that Alice measured the INFO bits in the “z basis”, and Bob measured the INFO bits in the “x basis”. We can notice that $Y^{\prime 1}$ is completely identical to $Y^{″1}$, because Bob’s quantum operations (and Eve’s attack) are completely independent of Alice’s basis choice for the INFO bits (remembering that $D_i=0$ for all INFO bits—namely, they are never discarded). Therefore, $Y^{\prime 1}=Y^{″1}$, and the probability is

$$=Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{n_1}1\{Y_i^{″1}=0\}\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right].$$

(48)

We notice that all rates are evaluated in the Z-X hypothetical protocol; that in all rounds, Bob measures in the “x basis” (and Alice measures in the “z basis”); and that Alice’s measurement results are completely unconstrained (namely, no discarding is possible, because $D_i=0$ for all rounds where Alice measures in the “z basis”). We thus notice that the quantum behaviour of Alice, Bob, and Eve is identical on all these rounds in the Z-X hypothetical protocol.

Therefore, we can apply Lemma 2 using the following parameters: the random variables $Z=(Z_1,Z_2,\dots ,Z_N)$ represent the condition that Bob’s bit is 0 (namely, $Z_i$ is the value of $1-W_i^2$ or $1-Y_i^{″1}$, respectively); the sampled subset $\mathrm{\Pi }$ includes the $a=k_2$ TEST-Z-X rounds in the ${\mathrm{\Pi }}_2$ subset chosen by the protocol, and the rest $\overline{\mathrm{\Pi }}$ includes the $b=n_1$ INFO rounds in the ${\mathrm{\Sigma }}_1$ subset chosen by the protocol (note that Bob measures them in the “x basis”). The sampled susbet $\mathrm{\Pi }$ is completely independent of Bob’s measurement results (that are dictated solely by Eve’s transmitted states and Alice’s non-discarding of the rounds) because we showed in Section 4.2.1 that ${\mathrm{\Sigma }}_1$ and ${\mathrm{\Pi }}_2$ can be seen as uniformly and randomly chosen subsets of $\mathrm{\Sigma }$, conditioning on $F^{\mathrm{sift}}\prime =F^{\min }=✓$. Using the formulation of Lemma 2, we obtain the following:

$$\begin{array}{ccc}& & Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{n_1}1\{Y_i^{\prime \prime 1}=0\}\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & =& Pr\left[\sum _{i\in \mathrm{\Pi }}{Z}_i\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i\in \overline{\mathrm{\Pi }}}{Z}_i\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & e^{-\frac{2n_1{k}_2^2{\nu }^2}{(k_2+n_1)(k_2+1)}}.\hfill \end{array}$$

(49)

Bounding the fourth probability:

 We need to bound

$$\begin{array}{cc}\hfill Pr& \left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\le n_1{R}_{+}^{\prime }·(\delta +\nu )\right.\hfill \\ \hfill & \wedge \left.\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\le n_1·({\delta }_{\mathrm{mismatch}}+\nu )\wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right],\hfill \end{array}$$

(50)

where $X^{\prime 1}$ and $Y^{\prime 1}$ are Alice’s and Bob’s substrings corresponding to ${\mathrm{\Sigma }}_1$ (the $n_1$ INFO rounds) in the X-X hypothetical protocol, and $R_{+}^{\prime }$ is the “${\xi }_{+}$” measurement rate of Alice among the INFO bits in the X-X hypothetical protocol. We prove this probability to be zero; namely, we prove that these four conditions contradict each other and cannot be all true.

Indeed, assume by contradiction that all four conditions hold:

$$\begin{array}{ccc}& & R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\le n_1{R}_{+}^{\prime }·(\delta +\nu )\hfill \\ & \wedge & \sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\le n_1·({\delta }_{\mathrm{mismatch}}+\nu )\wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right).\hfill \end{array}$$

(51)

We can upper-bound ${\sum }_{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}$ (which represents the total error rate on the INFO bits in the X-X hypothetical protocol) using the first three conditions, as well as the two following definitions: ${\delta }^{\prime }\left(\nu \right)\triangleq {\delta }_{\mathrm{mismatch}}+\nu -\left(\frac{1}{2T}-\nu \right)·(1-2\delta -2\nu )$ and $R_{+}^{\prime }\triangleq \frac{1}{n_1}{\sum }_{i=1}^{n_1}1\{X_i^{\prime 1}=0\}$. So:

$$\begin{array}{ccc}\hfill \sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}& =& \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}+\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=1\wedge Y_i^{\prime 1}=0\}\hfill \\ & =& \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}+\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}-\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=0\}\hfill \\ & =& \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}+\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\hfill \\ & -& \left[\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\}-\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\right]\hfill \\ & =& 2\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}+\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}-\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\}\hfill \\ & =& 2\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}+\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}-n_1{R}_{+}^{\prime }\hfill \\ & \le & 2n_1{R}_{+}^{\prime }·(\delta +\nu )+n_1·({\delta }_{\mathrm{mismatch}}+\nu )-n_1{R}_{+}^{\prime }\hfill \\ & =& n_1·[2R_{+}^{\prime }·(\delta +\nu )+{\delta }_{\mathrm{mismatch}}+\nu -R_{+}^{\prime }]\hfill \\ & =& n_1·[{\delta }_{\mathrm{mismatch}}+\nu -R_{+}^{\prime }·(1-2\delta -2\nu )]\hfill \\ & \le & n_1·\left[{\delta }_{\mathrm{mismatch}}+\nu -\left(\frac{1}{2T}-\nu \right)·(1-2\delta -2\nu )\right]=n_1{\delta }^{\prime }\left(\nu \right),\hfill \end{array}$$

(52)

which strictly contradicts the fourth condition. (In the last inequality, we also used the condition $\nu \le \frac{1}{2}-\delta$, which means that $1-2\delta -2\nu \ge 0$.) Therefore, our probability is 0.

Summary of the proof:

 Combining our four bounds, we obtain the following inequality:

$$\begin{array}{ccc}& & Pr\left[F^{\mathrm{pe}}=✓\wedge {\mathrm{\Omega }}_0\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & Pr\left[R_{+}^{\prime }\le \frac{1}{2T}-\nu \mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & +& Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{k_4}1\{V_i^4\ne W_i^4\}\le k_4\delta \right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\ge n_1{R}_{+}^{\prime }·(\delta +\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & +& Pr\left[\sum _{i=1}^{k_2}1\{W_i^2=0\}\le k_2{\delta }_{\mathrm{mismatch}}\wedge \sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\ge n_1·({\delta }_{\mathrm{mismatch}}+\nu )\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & +& Pr\left[R_{+}^{\prime }\ge \frac{1}{2T}-\nu \wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}=0\wedge Y_i^{\prime 1}=1\}\le n_1{R}_{+}^{\prime }·(\delta +\nu )\right.\hfill \\ & \wedge & \left.\sum _{i=1}^{n_1}1\{Y_i^{\prime 1}=0\}\le n_1·({\delta }_{\mathrm{mismatch}}+\nu )\wedge \sum _{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\mid F^{\mathrm{sift}}\prime =F^{\min }=✓\right]\hfill \\ & \le & e^{-2n_1{\nu }^2}+e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}}+e^{-\frac{2n_1{k}_2^2{\nu }^2}{(k_2+n_1)(k_2+1)}}+0\hfill \\ & =& ϵ{\left(\nu \right)}^2.\hfill \end{array}$$

(53)

The rest of the proof is identical to the proof of Proposition 8 in Section 6.3 of [22], using our parameters $ϵ\left(\nu \right),X^{\prime 1},Y^{\prime 1},n_1,{\mathrm{\Omega }}_0,{\delta }^{\prime }\left(\nu \right)$ and conditioning all probabilities and entropies on $F^{\mathrm{sift}}\prime =F^{\min }=✓$. (A small algebraic difference is that our set ${\mathrm{\Omega }}_0$ requires the strong inequality $1\left\{{\sum }_{i=1}^{n_1}1\{X_i^{\prime 1}\ne Y_i^{\prime 1}\}>n_1{\delta }^{\prime }\left(\nu \right)\right\}$, while $\mathrm{\Omega }$’s definition in [22] only requires a weak inequality ($1\left\{{\sum }_{i=1}^{n}1\{X_i\ne Y_i\}\ge n·(\delta +\nu )\right\}$), but the proof still holds.) Therefore, we obtain the following:

$$H_{\max }^{ϵ\left(\nu \right)}{({\mathrm{X}}^{\prime 1}\wedge {\mathrm{F}}^{\mathrm{pe}}=\mid {\mathrm{Y}}^{\prime 1},{\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓)}_{{\sigma }^{\prime }}\le n_1·h_2\left({\delta }^{\prime }\left(\nu \right)\right),$$

(54)

as we wanted. □

4.2.4. Security Theorem for the Modified Entanglement-Based Protocol

Applying the entire proof described in Section 6 of [22] to our modified entanglement-based protocol described in Section 4.1, with the modifications described in Section 4.2.1, Section 4.2.2 and Section 4.2.3, yields the following security result:

Corollary 1.

For the modified entanglement-based protocol described in Section 4.1, we denote the final state as ${\omega }_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}}$, where ${\mathrm{K}}_{\mathrm{A}}$ is the final key generated by Alice and ${\mathrm{K}}_{\mathrm{B}}$ is the final key generated by Bob (both consisting of ℓ bits), $\mathrm{E}$ is Eve’s ancillary quantum system, and $\mathrm{S},\mathrm{C},\mathrm{F}$ consist of information published by Alice and Bob (where $H_{\mathrm{ec}},H_{\mathrm{pa}},Z,T,F^{\mathrm{ec}},r,t$ are used in the error correction and privacy amplification steps elaborated in [22]):

$$\begin{array}{ccc}\hfill \mathrm{S}& \triangleq & ({\mathrm{\Phi }}_{\mathrm{A}},{\mathrm{\Phi }}_{\mathrm{B}},{\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4,{\mathrm{\Sigma }}_1,H_{\mathrm{ec}},H_{\mathrm{pa}}),\hfill \end{array}$$

(55)

$$\begin{array}{ccc}\hfill \mathrm{C}& \triangleq & (D,\mathrm{\Sigma },V^1,V^2,V^3,V^4,Z,T),\hfill \end{array}$$

(56)

$$\begin{array}{ccc}\hfill \mathrm{F}& \triangleq & (F^{\mathrm{sift}}\prime ,F^{\min },F^{\mathrm{pe}},F^{\mathrm{ec}}).\hfill \end{array}$$

(57)

We also denote ${\omega }_{\mathrm{U}}\triangleq \frac{1}{2^{\ell }}{\sum }_{k\in {\{0,1\}}^{\ell }}{|k\rangle }_{{\mathrm{K}}_{\mathrm{A}}}{\langle k|}_{{\mathrm{K}}_{\mathrm{A}}}\otimes {|k\rangle }_{{\mathrm{K}}_{\mathrm{B}}}{\langle k|}_{{\mathrm{K}}_{\mathrm{B}}}$ (an ideal key: a uniformly random final key, identical for Alice and Bob) and ${\omega }_{\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}}\triangleq {tr}_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}}\left({\omega }_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}}\right)$. It then holds that

$$\begin{array}{ccc}& & \frac{1}{2}tr\left|{\omega }_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}\wedge {\mathrm{F}}^{\mathrm{pe}}={\mathrm{F}}^{\mathrm{ec}}=✓\mid {\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓}-{\omega }_{\mathrm{U}}\otimes {\omega }_{\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}\wedge {\mathrm{F}}^{\mathrm{pe}}={\mathrm{F}}^{\mathrm{ec}}=✓\mid {\mathrm{F}}^{\mathrm{sift}}\prime ={\mathrm{F}}^{\min }=✓}\right|\hfill \\ & \le & 2^{-t}+\underset{\nu \mid 0<\nu <\frac{1}{2}-\delta ,0<{\delta }^{\prime }\left(\nu \right)<\frac{1}{2}}{inf}({ϵ}_{\mathrm{pa}}\left(\nu \right)+{ϵ}_{\mathrm{pe}}\left(\nu \right)),\hfill \end{array}$$

(58)

for any possible attack by Eve, where we define

$$\begin{array}{ccc}\hfill {ϵ}_{\mathrm{pa}}\left(\nu \right)& \triangleq & \frac{1}{2}\sqrt{2^{-n_1·\left[{log}_2\left(\frac{1}{c}\right)-h_2\left({\delta }^{\prime }\left(\nu \right)\right)\right]+r+t+\ell }},\hfill \end{array}$$

(59)

$$\begin{array}{ccc}\hfill {ϵ}_{\mathrm{pe}}\left(\nu \right)& \triangleq & 2ϵ\left(\nu \right),\hfill \end{array}$$

(60)

$$\begin{array}{ccc}\hfill {\delta }^{\prime }\left(\nu \right)& \triangleq & {\delta }_{\mathrm{mismatch}}+\nu -\left(\frac{1}{2T}-\nu \right)·(1-2\delta -2\nu ),\hfill \end{array}$$

(61)

$$\begin{array}{ccc}\hfill c& \triangleq & max\left(|{\langle 0|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 0|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 1|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,{\left|{\langle 1|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\right|}^2\right),\hfill \end{array}$$

(62)

$$\begin{array}{ccc}\hfill ϵ\left(\nu \right)& \triangleq & \sqrt{e^{-2n_1{\nu }^2}+e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}}+e^{-\frac{2n_1{k}_2^2{\nu }^2}{(k_2+n_1)(k_2+1)}}},\hfill \end{array}$$

(63)

$$\begin{array}{ccc}\hfill h_2\left(x\right)& \triangleq & -x{log}_2\left(x\right)-(1-x){log}_2(1-x).\hfill \end{array}$$

(64)

This result is similar to Theorems 2–3 in Section 5 of [22] but has different parameters. According to standard definitions of composable security for QKD (e.g., [27]), this proves security of the modified entanglement-based protocol and gives a tight finite-key rate.

4.3. Reduction of the Original Protocol to the Modified Entanglement-Based Protocol

Intuitively, to prove security of our original prepare-and-measure protocol from Section 3, we perform a reduction to the entanglement-based protocol: namely, we show that the modified entanglement-based protocol includes the prepare-and-measure protocol as a special case. More precisely, for any possible attack of Eve on the prepare-and-measure protocol, we need to show that there exists an equivalent attack on the modified entanglement-based protocol leading to the same output for both protocols.

The proof intuitively works as follows: in the prepare-and-measure protocol, instead of generating one of the states $\{{|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}\}$, Alice can instead generate the following entangled state:

$${|\mathrm{\Psi }\rangle }_{{\mathrm{A}}_i{\mathrm{B}}_i}\triangleq \frac{{|0\rangle }_{{\mathrm{A}}_i}{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+{|1\rangle }_{{\mathrm{A}}_i}{|{\gamma }_1\rangle }_{{\mathrm{B}}_i}}{\sqrt{2}}=\frac{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}+\sqrt{2T-1}{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}}{\sqrt{2T}},$$

(65)

where the equality between the two expressions in Equation (65) can be shown algebraically using Equations (2)–(4) and (7)–(8). Then, Alice either measures her subsystem ${\mathrm{A}}_i$ in the standard (“z”) basis $\{{|0\rangle }_{{\mathrm{A}}_i},{|1\rangle }_{{\mathrm{A}}_i}\}$ with probability $p_z^{\prime \mathrm{A}}$, or measures it in the conjugate (“x”) basis $\{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i},{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\}$ with probability $p_x^{\prime \mathrm{A}}$. Either way, she sends the resulting state in subsystem ${\mathrm{B}}_i$ to Bob (immediately notifying Bob and cancelling the round if she measured “${\xi }_{-}$” in the “x basis”). This procedure is equivalent to our original prepare-and-measure protocol, but it works within the framework of the modified entanglement-based protocol (assuming Alice measures and discards the round before she sends Bob his part of the state), which proves the reduction.

Formally, we use an adapted version of the reduction in Section 9 of [22]. First, given the parameters of the original prepare-and-measure protocol (described in its Step 1), we must define all the parameters of the modified entanglement-based protocol (described in its Step 1), as follows:

• The parameters ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i},{\left\{M_{{\mathrm{B}}_i}^{\mathrm{Z},t}\right\}}_{t\in \{0,1\}},{\left\{M_{{\mathrm{B}}_i}^{\mathrm{X},t}\right\}}_{t\in \{0,1\}},m,k_1,k_2,k_3,k_4,n_1,\delta$, and ${\delta }_{\mathrm{mismatch}}$ are all identical for the two protocols. (From ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i},{|{\gamma }_1\rangle }_{{\mathrm{B}}_i},{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$ we can infer a, b, and $T\triangleq {\left|a\right|}^2+{\left|b\right|}^2$.) The error correction and privacy amplification parameters (from [22]) are also identical in both protocols.
• Given the parameters $m,T$, we choose the parameter $M^{\prime }$ of the modified entanglement-based protocol to be

  $$M^{\prime }=\frac{m}{\frac{1}{2T}-{\nu }_0},$$

  (66)

  where $0<{\nu }_0<\frac{1}{2T}$ is chosen freely, without any constraint, to reach the desired trade-off between performance (number of needed rounds) and robustness (success probability of the sifting procedure).
• Given the parameters $p_z^{\mathrm{A}},p_x^{\mathrm{A}}$ of the prepare-and-measure protocol and the parameter T, we choose the parameters $p_z^{\prime \mathrm{A}},p_x^{\prime \mathrm{A}}$ of the modified entanglement-based protocol to be

  $$p_z^{\prime \mathrm{A}}=\frac{p_z^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}},p_x^{\prime \mathrm{A}}=\frac{2T{p}_x^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}.$$

  (67)
• Given the parameters $p_z^{\mathrm{B}},p_x^{\mathrm{B}}$ of the prepare-and-measure protocol, we choose the parameters $p_z^{\prime \mathrm{B}},p_x^{\prime \mathrm{B}}$ of the modified entanglement-based protocol to be

  $$p_z^{\prime \mathrm{B}}=p_z^{\mathrm{B}},p_x^{\prime \mathrm{B}}=p_x^{\mathrm{B}}.$$

  (68)

Using these parameters, it is easy to verify that the output of the prepare-and-measure protocol (conditioned on $F^{\min }=✓$) is identical to the output of the modified entanglement-based protocol (conditioned on $F^{\mathrm{sift}}\prime =F^{\min }=✓$) if Eve performs the same attack on the first m non-discarded rounds in both protocols. Formally, the differences between the protocols are settled as follows:

• The modified entanglement-based protocol includes the possibility of discarded rounds (where Alice measures “${\xi }_{-}$”) which are immediately notified to Bob and Eve, while the prepare-and-measure protocol does not allow them. For this, we use the explanation in Section 4.2.1 to divide the process into two stages (again, this division works with respect to the probability distribution, not to the actual quantum operations): stage 1, where Alice determines which rounds are discarded; and stage 2, where Alice determines the basis for measuring all the non-discarded rounds. As explained in Section 4.2.1, stage 1 is in fact independent of the bases used for the non-discarded rounds; furthermore, the results of stage 1 are promptly communicated to Eve, who can devise her attack accordingly. Meanwhile, stage 2 is completely identical between the two protocols, as shown in the next item.
• Alice’s preparation is different between the two protocols:
  In the prepare-and-measure protocol, Alice randomly chooses ${\mathrm{\Phi }}_{\mathrm{A}}\in {\{0,1\}}^m$ (where each bit, independently, is 0 with probability $p_z^{\mathrm{A}}$ or 1 with probability $p_x^{\mathrm{A}}$) and chooses $R\in {\{0,1\}}^m$ uniformly at random, which lead to the preparation of ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i}$, ${|{\gamma }_1\rangle }_{{\mathrm{B}}_i}$, or ${|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$ with probabilities $\frac{p_z^{\mathrm{A}}}{2}$, $\frac{p_z^{\mathrm{A}}}{2}$, and $p_x^{\mathrm{A}}$, respectively. These probabilities are independent between the rounds.
  In the modified entanglement-based protocol, Alice generates the following state ${|\mathrm{\Psi }\rangle }_{{\mathrm{A}}_i{\mathrm{B}}_i}$ for each round i:

  $${|\mathrm{\Psi }\rangle }_{{\mathrm{A}}_i{\mathrm{B}}_i}\triangleq \frac{{|0\rangle }_{{\mathrm{A}}_i}{|{\gamma }_0\rangle }_{{\mathrm{B}}_i}+{|1\rangle }_{{\mathrm{A}}_i}{|{\gamma }_1\rangle }_{{\mathrm{B}}_i}}{\sqrt{2}}=\frac{{|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}+\sqrt{2T-1}{|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|{\gamma }_{-}\rangle }_{{\mathrm{B}}_i}}{\sqrt{2T}},$$

  (69)

  randomly chooses the measurement bases ${\mathrm{\Phi }}_{\mathrm{A}}\in {\{0,1\}}^{M^{\prime }}$ (where each bit, independently, is 0 with probability $p_z^{\prime \mathrm{A}}$ or 1 with probability $p_x^{\prime \mathrm{A}}$), performs the measurement, publicly discards the round if she obtains “${\xi }_{-}$”, and keeps the result secret otherwise. (In fact, Alice’s measurement is delayed to Step 8 if the chosen basis is the “z basis”, as described in Section 4.1.)
  As explained in Section 4.2.1 (Equations (18) and (19)), for each non-discarded round in the modified entanglement-based protocol, the probabilities that Alice measures “0”, “1”, or “${\xi }_{+}$” (leading to her sending to Bob ${|{\gamma }_0\rangle }_{{\mathrm{B}}_i}$, ${|{\gamma }_1\rangle }_{{\mathrm{B}}_i}$, or ${|{\gamma }_{+}\rangle }_{{\mathrm{B}}_i}$, respectively) are

  $${Pr}_{{\mathrm{A}}_i}\left(0\right)={Pr}_{{\mathrm{A}}_i}\left(1\right)=\frac{1}{2}·\frac{p_z^{\prime \mathrm{A}}}{p_z^{\prime \mathrm{A}}+\frac{p_x^{\prime \mathrm{A}}}{2T}},{Pr}_{{\mathrm{A}}_i}\left({\xi }_{+}\right)=\frac{1}{2T}·\frac{p_x^{\prime \mathrm{A}}}{p_z^{\prime \mathrm{A}}+\frac{p_x^{\prime \mathrm{A}}}{2T}}.$$

  (70)
  Substituting Equation (67) (and the fact $p_z^{\mathrm{A}}+p_x^{\mathrm{A}}=1$), we obtain the following probabilities:

  $$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left(0\right)={Pr}_{{\mathrm{A}}_i}\left(1\right)& =& \frac{1}{2}·\frac{\frac{p_z^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}}{\frac{p_z^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}+\frac{\frac{2T{p}_x^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}}{2T}}=\frac{1}{2}·\frac{p_z^{\mathrm{A}}}{p_z^{\mathrm{A}}+p_x^{\mathrm{A}}}=\frac{p_z^{\mathrm{A}}}{2},\hfill \end{array}$$

  (71)

  $$\begin{array}{ccc}\hfill {Pr}_{{\mathrm{A}}_i}\left({\xi }_{+}\right)& =& \frac{1}{2T}·\frac{\frac{2T{p}_x^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}}{\frac{p_z^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}+\frac{\frac{2T{p}_x^{\mathrm{A}}}{p_z^{\mathrm{A}}+2T{p}_x^{\mathrm{A}}}}{2T}}=\frac{1}{2T}·\frac{2T{p}_x^{\mathrm{A}}}{p_z^{\mathrm{A}}+p_x^{\mathrm{A}}}=p_x^{\mathrm{A}},\hfill \end{array}$$

  (72)

  which are independent between the rounds and identical to the prepare-and-measure probabilities found above. Therefore, Alice’s preparation results are identical on the (non-discarded) rounds of both protocols, even when conditioning on $F^{\mathrm{sift}}\prime =✓$ in the modified entanglement-based protocol.
• Eve’s attack is slightly different between the two protocols: on the prepare-and-measure protocol, it is applied to the m rounds which are all relevant, while on the modified entanglement-based protocol, it is applied to all $M^{\prime }$ rounds (including the discarded rounds) when Eve knows ahead of time which rounds are discarded.
  We need to prove that any attack that Eve applies to the m rounds of the prepare-and-measure protocol can also be applied to the relevant rounds of the modified entanglement-based (namely, to the m rounds in $\mathrm{\Sigma }$, which are the first m rounds not discarded by Alice). This is indeed true because in the modified entanglement-based protocol, Eve knows ahead of time (before she applies her attack) which rounds are discarded, and therefore, she knows exactly which rounds are included in $\mathrm{\Sigma }$ and can apply her attack only to them. This means that any attack by Eve on the m rounds of the prepare-and-measure protocol is a completely legitimate and valid attack on the m rounds in $\mathrm{\Sigma }$ of the modified entanglement-based protocol, and it gives the same outputs in both protocols.
• The rest of the steps in the prepare-and-measure protocol (Steps 5–9) are identical to the rest of the steps in the modified entanglement-based protocol (Steps 6–12), except the delayed measurement in Steps 8 and 9 of the modified entanglement-based protocol.

From the above, we can deduce that any attack by Eve on the prepare-and-measure protocol can also be applied to the modified entanglement-based protocol, giving exactly the same output. This conclusion only applies when we condition on $F^{\min }=✓$ (for the prepare-and-measure protocol) and $F^{\mathrm{sift}}\prime =F^{\min }=$ (for the modified entanglement-based protocol), which is indeed the case in our security proof in Section 4.2.

We therefore obtain the following result:

Corollary 2.

If the modified entanglement-based protocol is secure with a specific security parameter ϵ, the prepare-and-measure protocol is secure with the same security parameter.

Combining Corollaries 1 and 2, we obtain the final security result for the prepare-and-measure protocol:

Corollary 3.

For the prepare-and-measure protocol described in Section 3, we denote the final state as ${\omega }_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}}$, where ${\mathrm{K}}_{\mathrm{A}}$ is the final key generated by Alice and ${\mathrm{K}}_{\mathrm{B}}$ is the final key generated by Bob (both consisting of ℓ bits), $\mathrm{E}$ is Eve’s ancillary quantum system, and $\mathrm{S},\mathrm{C},\mathrm{F}$ consist of information published by Alice and Bob (where $H_{\mathrm{ec}},H_{\mathrm{pa}},Z,T,F^{\mathrm{ec}},r,t$ are used in the error correction and privacy amplification steps elaborated in [22]):

$$\begin{array}{ccc}\hfill \mathrm{S}& \triangleq & ({\mathrm{\Phi }}_{\mathrm{A}},{\mathrm{\Phi }}_{\mathrm{B}},{\mathrm{\Pi }}_1,{\mathrm{\Pi }}_2,{\mathrm{\Pi }}_3,{\mathrm{\Pi }}_4,{\mathrm{\Sigma }}_1,H_{\mathrm{ec}},H_{\mathrm{pa}}),\hfill \end{array}$$

(73)

$$\begin{array}{ccc}\hfill \mathrm{C}& \triangleq & (V^1,V^2,V^3,V^4,Z,T),\hfill \end{array}$$

(74)

$$\begin{array}{ccc}\hfill \mathrm{F}& \triangleq & (F^{\min },F^{\mathrm{pe}},F^{\mathrm{ec}}).\hfill \end{array}$$

(75)

We also denote ${\omega }_{\mathrm{U}}\triangleq \frac{1}{2^{\ell }}{\sum }_{k\in {\{0,1\}}^{\ell }}{|k\rangle }_{{\mathrm{K}}_{\mathrm{A}}}{\langle k|}_{{\mathrm{K}}_{\mathrm{A}}}\otimes {|k\rangle }_{{\mathrm{K}}_{\mathrm{B}}}{\langle k|}_{{\mathrm{K}}_{\mathrm{B}}}$ (an ideal key: a uniformly random final key, identical for Alice and Bob) and ${\omega }_{\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}}\triangleq {tr}_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}}\left({\omega }_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}}\right)$. It then holds that

$$\begin{array}{ccc}& & \frac{1}{2}tr\left|{\omega }_{{\mathrm{K}}_{\mathrm{A}}{\mathrm{K}}_{\mathrm{B}}\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}\wedge {\mathrm{F}}^{\mathrm{pe}}={\mathrm{F}}^{\mathrm{ec}}=✓\mid {\mathrm{F}}^{\min }=✓}-{\omega }_{\mathrm{U}}\otimes {\omega }_{\mathrm{S}\mathrm{C}\mathrm{F}\mathrm{E}\wedge {\mathrm{F}}^{\mathrm{pe}}={\mathrm{F}}^{\mathrm{ec}}=✓\mid {\mathrm{F}}^{\min }=✓}\right|\hfill \\ & \le & 2^{-t}+\underset{\nu \mid 0<\nu <\frac{1}{2}-\delta ,0<{\delta }^{\prime }\left(\nu \right)<\frac{1}{2}}{inf}({ϵ}_{\mathrm{pa}}\left(\nu \right)+{ϵ}_{\mathrm{pe}}\left(\nu \right)),\hfill \end{array}$$

(76)

for any possible attack by Eve, where we define

$$\begin{array}{ccc}\hfill {ϵ}_{\mathrm{pa}}\left(\nu \right)& \triangleq & \frac{1}{2}\sqrt{2^{-n_1·\left[{log}_2\left(\frac{1}{c}\right)-h_2\left({\delta }^{\prime }\left(\nu \right)\right)\right]+r+t+\ell }},\hfill \end{array}$$

(77)

$$\begin{array}{ccc}\hfill {ϵ}_{\mathrm{pe}}\left(\nu \right)& \triangleq & 2ϵ\left(\nu \right),\hfill \end{array}$$

(78)

$$\begin{array}{ccc}\hfill {\delta }^{\prime }\left(\nu \right)& \triangleq & {\delta }_{\mathrm{mismatch}}+\nu -\left(\frac{1}{2T}-\nu \right)·(1-2\delta -2\nu ),\hfill \end{array}$$

(79)

$$\begin{array}{ccc}\hfill c& \triangleq & max\left(|{\langle 0|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 0|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}{|}^2,|{\langle 1|{\xi }_{+}\rangle }_{{\mathrm{A}}_i}{|}^2,{\left|{\langle 1|{\xi }_{-}\rangle }_{{\mathrm{A}}_i}\right|}^2\right),\hfill \end{array}$$

(80)

$$\begin{array}{ccc}\hfill ϵ\left(\nu \right)& \triangleq & \sqrt{e^{-2n_1{\nu }^2}+e^{-\frac{2n_1·\left(\frac{1}{2T}-\nu \right)k_4^2{\nu }^2}{\left(k_4+n_1·\left(\frac{1}{2T}-\nu \right)\right)(k_4+1)}}+e^{-\frac{2n_1{k}_2^2{\nu }^2}{(k_2+n_1)(k_2+1)}}},\hfill \end{array}$$

(81)

$$\begin{array}{ccc}\hfill h_2\left(x\right)& \triangleq & -x{log}_2\left(x\right)-(1-x){log}_2(1-x).\hfill \end{array}$$

(82)

5. Necessity of the Restriction to Three Source States

In our protocol, similarly to the “loss tolerant” protocol [14,15,16,17], only three source states are used. This restriction is necessary in the imperfect-generation regime, as we briefly explain below.

Let us assume that our protocol emits four input states (similarly to BB84), denoted $|{\gamma }_0\rangle ,|{\gamma }_1\rangle ,|{\gamma }_{+}\rangle ,|{\gamma }_{-}\rangle$. For standard security analysis to work, the following conditions is required for some $0<p<1$ and $0<q<1$:

$$p|{\gamma }_0\rangle \langle {\gamma }_0|+(1-p)|{\gamma }_1\rangle \langle {\gamma }_1|=q|{\gamma }_{+}\rangle \langle {\gamma }_{+}|+(1-q)|{\gamma }_{-}\rangle \langle {\gamma }_{-}|,$$

(83)

which means that Alice sends to Bob identical mixed states in each round of the protocol, independently of the chosen basis. (Otherwise, Eve may gain information on the basis and attack differently on each basis, which refutes the crucial possibility of comparing her attack’s influence on different bases.)

For meeting the above condition, we obviously need $|{\gamma }_{+}\rangle$ and $|{\gamma }_{-}\rangle$ to be in the two-dimensional Hilbert subspace spanned by $|{\gamma }_0\rangle$ and $|{\gamma }_1\rangle$. Therefore, we require (for some $a,b,c,d\in \mathbb{C}$):

$$|{\gamma }_{+}\rangle =a|{\gamma }_0\rangle +b|{\gamma }_1\rangle ,|{\gamma }_{-}\rangle =c|{\gamma }_0\rangle +d|{\gamma }_1\rangle .$$

(84)

Substituting this into Equation (83), we obtain the following:

$$\begin{array}{ccc}\hfill q|{\gamma }_{+}\rangle \langle {\gamma }_{+}|+(1-q)|{\gamma }_{-}\rangle \langle {\gamma }_{-}|& =& q·[a|{\gamma }_0\rangle +b|{\gamma }_1\rangle ]·[a^{\star }\langle {\gamma }_0|+b^{\star }\langle {\gamma }_1|]\hfill \\ & +& (1-q)·[c|{\gamma }_0\rangle +d|{\gamma }_1\rangle ]·[c^{\star }\langle {\gamma }_0|+d^{\star }\langle {\gamma }_1|]\hfill \\ & =& {[q·|a|}^2+(1-q)·{\left|c\right|}^2]·|{\gamma }_0\rangle \langle {\gamma }_0|+[q·a{b}^{\star }+(1-q)·c{d}^{\star }]·|{\gamma }_0\rangle \langle {\gamma }_1|\hfill \\ & +& [q·a^{\star }b+(1-q)·c^{\star }d]·|{\gamma }_1\rangle \langle {\gamma }_0|{+[q·|b|}^2+(1-q)·{\left|d\right|}^2]·|{\gamma }_1\rangle \langle {\gamma }_1|.\hfill \end{array}$$

(85)

We thus obtain the following conditions for equality between Equations (83) and (85):

$$\begin{array}{ccc}\hfill q·{\left|a\right|}^2+(1-q)·{\left|c\right|}^2& =& p,\hfill \end{array}$$

(86)

$$\begin{array}{ccc}\hfill q·{\left|b\right|}^2+(1-q)·{\left|d\right|}^2& =& 1-p,\hfill \end{array}$$

(87)

$$\begin{array}{ccc}\hfill q·a{b}^{\star }+(1-q)·c{d}^{\star }& =& 0,\hfill \end{array}$$

(88)

$$\begin{array}{ccc}\hfill q·a^{\star }b+(1-q)·c^{\star }d& =& 0.\hfill \end{array}$$

(89)

The two last equations are the complex conjugates of one another, so one of them is sufficient.

Therefore, for standard security proofs to work, we require very stringent conditions on $a,b,c,d$. In particular, according to Equation (89), we require

$$q=-\frac{c^{\star }d}{a^{\star }b-c^{\star }d}=\frac{c^{\star }d}{c^{\star }d-a^{\star }b},$$

(90)

and for q to be real (and satisfy $0<q<1$), the complex phases of $c^{\star }d$ and $a^{\star }b$ must be opposite (namely, they must differ by $\pm \pi$, which is equivalent to having opposite signs).

This requirement seriously restricts the possible values on $|{\gamma }_0\rangle ,|{\gamma }_1\rangle ,|{\gamma }_{+}\rangle ,|{\gamma }_{-}\rangle$. In particular, if we assume (without loss of generality) that a and c are real and non-negative, it requires b and d to have opposite phases. Namely,

$$|{\gamma }_{+}\rangle =\left|a\right||{\gamma }_0\rangle +\left|b\right|e^{i\varphi }|{\gamma }_1\rangle ,|{\gamma }_{-}\rangle =\left|c\right||{\gamma }_0\rangle -\left|d\right|e^{i\varphi }|{\gamma }_1\rangle ,$$

(91)

where $\left|c\right|$ and $\left|d\right|$ are dictated by $\left|a\right|$ and $\left|b\right|$, respectively (see Equations (86) and (87)).

The above analysis means that $|{\gamma }_{-}\rangle$ is, in fact, completely determined by the choice of $|{\gamma }_0\rangle ,|{\gamma }_1\rangle ,|{\gamma }_{+}\rangle$ (because $\left|c\right|$, $\left|d\right|$, and $\varphi$ can all be inferred from $|{\gamma }_{+}\rangle$). From a realistic point of view, this means that a four-state protocol measured with two bases could be practically insecure whenever a slight deviation of $|{\gamma }_{-}\rangle$ (or of the states $|{\gamma }_0\rangle ,|{\gamma }_1\rangle ,|{\gamma }_{+}\rangle$ which determine it) causes the protocol to violate the conditions of Equations (86)–(89). Essentially, this means that in the presence of source imperfections, the use of at most three states (or, alternatively, measurements in three or more bases, which we do not explore here) is required for practical security, and the use of four states could lead to practical security issues.

6. Conclusions

To sum up, we have found a new way to analyse the security of practical QKD protocols by generalizing the results of [22] to more practical protocols (using a modified entropic uncertainty relation and a refined analysis of finite-key statistics). Our proof, compared with other proofs, is rigorous, careful, and simple, aiming to make it easy-to-use in the lossless qubit regime (its extension to losses and decoy states is left for future research because they present specific hurdles in this analysis regime: in particular, losses would need to be declared by Eve in the modified entanglement-based protocol, which could complicate the analysis). We believe that our suggested tools can contribute to benchmarking and certifying the security of practical implementations of QKD.