Tomography increases key rates of quantum-key-distribution protocols

We construct a practically implementable classical processing for the BB84 protocol and the six-state protocol that fully utilizes the accurate channel estimation method, which is also known as the quantum tomography. Our proposed processing yields at least as high key rate as the standard processing by Shor and Preskill. We show two examples of quantum channels over which the key rate of our proposed processing is strictly higher than the standard processing. In the second example, the BB84 protocol with our proposed processing yields a positive key rate even though the so-called error rate is higher than the 25% limit.


I. INTRODUCTION
Quantum key distribution (QKD) has attracted great attention as an unconditionally secure key distribution scheme. The fundamental feature of QKD protocols is that the amount of information gained by an eavesdropper, usually referred to as Eve, can be estimated from the channel between the legitimate sender and the receiver, usually referred to as Alice and Bob respectively. Such a task cannot be conducted in classical key distribution schemes. If the estimated amount is lower than a threshold, then Alice and Bob determine the length of a secret key from the estimated amount of Eve's information, and can share a secret key by performing the information reconciliation (error correction) [1,2] and the privacy amplification [2,3]. Since the key rate, which is the length of securely sharable key per channel use, is one of the most important criteria for the efficiency of QKD protocols, the estimation of the channel is of primary importance.
In this paper, we only treat the BB84 protocol [4] and the six-state protocol [5], and we mean the BB84 protocol and the six-state protocol by the QKD protocols throughout the paper. Furthermore, a classical processing consists of a procedure to determine a key rate from a channel estimate and a procedure for the information reconciliation and the privacy amplification.
Mathematically, quantum channels are described by trace preserving completely positive (TPCP) maps [6]. Conventionally in the QKD protocols, we only use the statistics of matched measurement outcomes, which are transmitted and received by the same basis, to estimate the TPCP map describing the quantum channel; mismatched measurement outcomes, which are transmitted * To be published in Physical Review A. † Electronic address: shun-wata@it.ss.titech.ac.jp ‡ Electronic address: ryutaroh@rmatsumoto.org; URL: http://www.rmatsumoto.org/research.html § Electronic address: uyematsu@ieee.org and received by different bases, are discarded in the conventionally used channel estimation methods. By using the statistics of mismatched measurement outcomes in addition to that of matched measurement outcomes, we can estimate the TPCP map more accurately than the conventional estimation method. Such an accurate channel estimation method is also known as the quantum tomography [7,8]. In early 90s, Barnett et al. [9] showed that the use of mismatched measurement outcomes enables Alice and Bob to detect the presence of Eve with higher probability for the so-called intercept and resend attack. Furthermore, some literatures use the accurate estimation method to ensure the channel to be a Pauli channel [10,11,12,13], where a Pauli channel is a channel over which four kinds of Pauli errors (including the identity) occur probabilistically. However the channel is not necessarily a Pauli channel.
The use of the accurate channel estimation method in a classical processing has a potential to improve the key rates of previously known classical processing. However, there is no proposed practically implementable classical processing that fully utilizes the accurate estimation method. Recently, Renner et al. [14,15,16] developed information theoretical techniques to prove the security of the QKD protocols. Their proof techniques can be used to prove the security of the QKD protocols with a classical processing that fully utilizes the accurate estimation method. However they only considered Pauli channels or partial twirled channels 1 . For Pauli channels, the accurate estimation method and the conventional estimation method make no difference.
In this paper, we construct a practically implementable classical processing that fully utilizes the accurate channel estimation method. More precisely, we present a procedure to determine a key rate based on the accurate channel estimate for the BB84 protocol and the six-state protocol respectively. Then we also present a practically implementable procedure for the information reconciliation and the privacy amplification in which we can share a secret key at the determined key rate. Note that we only change the classical processing of the QKD protocols, and the method of the transmission and reception of quantum systems in the QKD protocols remain unchanged.
Although it is straight forward to determine a key rate from the accurate channel estimate for the six-state protocol, it is subtle how to determine a key rate from the accurate channel estimate for the BB84 protocol. More specifically, we can obtain only partial parameters describing the channel, and there remain some free parameters. Thus we have to consider the worst case, i.e., the key rate that is minimized over the free parameters. We shall show an explicit procedure to determine the minimized key rate.
Our proposed processing yields at least as high key rate as the standard processing by Shor and Preskill [18]. As examples, we show that the key rate of our proposed classical processing is strictly higher than that of the standard processing for the amplitude damping channel and the rotation channel, which are unitary channel that rotate the Bloch sphere in the z-x plane. In the example of the amplitude damping channel, we show that the key rate of the so-called reverse reconciliation 2 , in which the key is generated based on Bob's bit sequence, is higher than the key rate of the direct reconciliation, in which the key is generated based on Alice's bit sequence 3 . In the example of the rotation channel, we solve a problem left open in [22, Section 5]-the problem whether it is possible to obtain positive key rates from both matched measurement outcomes and mismatched measurement outcomes for the BB84 protocol.
It is believed that we cannot share any secret key if the so-called error rate is higher than the 25% limit in the BB84 protocol [23]. However Curty et al. [24] suggested that, for some asymmetric error patterns, it might be possible to share a secret key even for the error rates above the 25% limit. In the example of the rotation channel, we show that we can actually obtain a positive key rate even though the error rate is higher than the 25% limit.
Devetak and Winter [25] also showed the key rate formula that coincide with the key rate formula shown by Renner et al. [14,15,16] if we know the channel exactly. By combining our proposed procedure to determine a key rate based on the accurate channel estimate and Devetak and Winter's procedure for the information reconcil-iation and the privacy amplification, we can obtain the same key rate as in this paper. However the procedure for the information reconciliation and the privacy amplification shown by Devetak and Winter is not practically implementable.
Our proposed information reconciliation can be implemented by any efficiently decodeable linear code for the Slepian-Wolf coding [26]. For example, we can use the low density parity check matrix (LDPC) code [27].
The rest of this paper is organized as follows: We first present a procedure for the information reconciliation and the privacy amplification in Section II. Then we present a procedure to determine a key rate from the estimate of the channel in Section III. We consider the amplitude damping channel, the unital channel, and the rotation channel as examples, and show that the key rate of our proposed processing is higher than the standard processing in Section IV. We state the conclusion in Section V.
In this paper, we mainly consider standard procedures for the information reconciliation and the privacy amplification with one-way classical communication, i.e., we do not treat, except in Remarks 9 and 10, the noisy preprocessing [14,16] nor a procedure with two-way classical communication [23,28]. However, our results in this paper can be easily extended to procedures with the noisy preprocessing and two-way classical communication (see Remark 11).

II. INFORMATION RECONCILIATION AND PRIVACY AMPLIFICATION
We construct practical procedure for the information reconciliation and the privacy amplification in this section. We first describe our proposed procedure with general linear codes and the maximum a posteriori probability (MAP) decoding. Then as an example of efficiently decodeable linear code, we show how to apply the sumproduct algorithm of the low density parity check matrix (LDPC) code 4 to our proposed procedure in Remark 5.
For the simplicity we assume that Eve's attack is the collective attack 5 , i.e., the channel connecting Alice and Bob is given by tensor products of a channel E B from a qubit density matrix to itself. As is usual in QKD literatures, we assume that Eve can access all the environment of channel E B ; the channel to the environment is denoted by E E .
In the six-state protocol, Alice randomly sends bit 0 or 1 to Bob by modulating it into a transmission basis that is randomly chosen from the z-basis {|0 z , |1 z }, the x-basis {|0 x , |1 x }, or the y-basis {|0 y , |1 y }, where |0 a , |1 a are eigenstates of the Pauli matrix σ a for a ∈ {x, y, z} respectively. Then Bob randomly chooses one of measurement observables σ x , σ y , and σ z , and converts a measurement result +1 or −1 into a bit 0 or 1 respectively. After a sufficient number of transmissions, Alice and Bob publicly announce their transmission bases and measurement observables. They also announce a part of their bit sequences for estimating channel E B . Note that Alice and Bob do not discard mismatched measurement outcomes, which are transmitted and received by different bases, to estimate the channel accurately.
In the BB84 protocol, Alice only uses z-basis and xbasis to transmit the bit sequence, and Bob only uses observable σ z and σ x to receive the bit sequence.
Henceforth, we only treat Alice's bit sequence x ∈ F n 2 that is transmitted in z-basis and corresponding Bob's bit sequence y ∈ F n 2 that is received in σ z -measurement, where F 2 is the finite field of order 2. Furthermore, we occasionally omit the subscripts {x, y, z} of bases, and the basis {|0 , |1 } is regarded as z-basis unless otherwise stated. Since the pair of sequences (x, y) is transmitted and received in z-basis, they are independently identically distributed according to Note that the distribution P XY can be estimated from the statistics of the sample bits that are transmitted by z-basis and received by σ z -observable. Before describing our proposed procedure, we should review the basic facts of linear codes. An [n, n − m] classical linear code C is an (n − m)-dimensional linear subspace of F n 2 , and its parity check matrix M is an m × n matrix of rank m with 0, 1 entries such that M c = 0 for any codeword c ∈ C. By using these preparations, our proposed procedure is described as follows.
(i) Alice calculates syndrome t := M x, and sends it to Bob over the public channel.
(ii) Bob decodes (y, t) into estimatex of x by using the maximum a posteriori probability (MAP) decoding. More precisely, Bob selectsx ∈ F n 2 such that Mx = t and a posteriori probability P n X|Y (x|y) is maximized (if there exist tied sequences, then he selects the smallest one with respect to the lexicographic order), where P n X|Y is the nth product distribution of P X|Y .
(iii) Alice randomly choose a hash function f : F n 2 → S n from a set of universal hash functions [31], and sends the choice to Bob over the public channel. Then Alice and Bob's final keys are s A := f (x) and s B := f (x) respectively.
If we set the rate of syndrome as then there exists a linear code in the LDPC codes such that Bob's decoding error probability is arbitrary small for sufficiently large n [32, Theorem 2], where H(X|Y ) is the conditional entropy with respect to the joint probability distribution P XY [33]. Note that the base of a logarithm and a (conditional) entropy are 2 throughout the paper.
The key rate, 1 n log |S n |, is determined according to the results of privacy amplification [ be the conditional von Neumann entropy with respect to density matrix ρ XE := x∈F2 is the von Neumann entropy for a density matrix ρ. If the key rate satisfies then the final key S A is secure in the sense of the trace distance 6 . More precisely, the density matrix, ρ SATF E n , which describes Alice's final key S A , the publicly transmitted syndrome T and hash function F , and the state in Eve's system E n , satisfies for arbitrary small ε and sufficiently large n, where ρ S := s∈Sn 1 |Sn| |s s| is the density matrix that describes the uniformly distributed key on S n . From Eqs. (2) and (3), we find that is a secure key rate. Note that the conditional von Neumann entropy H ρ (X|E) can be calculated from the channel E B as follows. Since system X is classical, we can rewrite ) for the maximally entangled state |ψ := x∈F2 1 √ 2 |x |x , Eve's ambiguity for Alice's bit, H ρ (X|E), can be calculated from the channel E B . How to determine Eve's ambiguity H ρ (X|E) from a estimate of the channel E B is discussed in the next section.
Remark 1 If we use the conventionally used method [18,34] for decodingx, the rate of syndrome m n cannot be as 6 The trace norm of a matrix A is defined by A := Tr √ A * A. Then the trace distance between two matrices A and B is defined small as the right hand side of Eq. (2). Thus, the key rate in Eq. (4) cannot be achieved. Define a probability distribution on F 2 as Then the error w := x + y between Alice and Bob's sequence is distributed according to P n W . In the conventional method, Bob calculates the difference of syndromes, t + M y, and selects the errorŵ such that Mŵ = t + M y and the likelihood of the error P n W (ŵ) is maximized. Then , the estimate for Alice's sequence iŝ x = y +ŵ. The rate of syndrome have to be larger than H(W ) for the decoding error probability to be small. By the log-sum inequality [33] and Eq. (5), we have Thus, the key rate in Eq. (4) cannot be achieved by the conventional decoding method unless P X|Y (w|0) equals P X|Y (1 + w|1) for any w ∈ F 2 .
Remark 2 By switching the role of Alice and Bob, we obtain a classical processing that achieves the key rate Such a procedure is usually called the reverse reconciliation. On the other hand the original procedure is usually called the direct reconciliation. The reverse reconciliation was originally proposed by Maurer in the classical key agreement context [19]. Note that we can calculate the conditional von Neu- In Section IV A, we shall show that the key rate of the reverse reconciliation can be higher than that of the direct reconciliation. The fact that the key rate of the direct reconciliation and the reverse reconciliation are different is already pointed out for QKD protocols with weak coherent states [20,21].

Remark 3
We used the MAP decoding instead of the maximum likelihood (ML) decoding in our procedure, because the MAP decoding minimizes the decoding error probability, and the MAP decoding is different from the ML decoding for the reverse reconciliation. In the ML decoding for the reverse reconciliation, Alice selectsŷ ∈ F n 2 such that Mŷ equals the syndrome t = M y, and that the likelihood P n X|Y (x|ŷ) is maximized. Since the prior probability of Bob's sequence y is not necessarily the uniform distribution, the ML decoding and the MAP decoding are not necessarily equivalent, i.e., argmax y:Mŷ=t does not hold in general.
Remark 4 By modifying our proposed procedure as follows, we obtain a procedure in which Alice and Bob can share a secret key from Alice's sequence x that is transmitted by z-basis and corresponding Bob's sequence y that is received by σ x -measurement. Since (x, y) are independently identically distributed according to we replace P n X|Y in Step (ii) with P n X|Y ′ . By a similar arguments as in the original procedure, the secure key rate of the modified procedure is given by In Section IV B, we shall show an example in which Alice and Bob can share secret keys both from matched measurement outcomes and mismatched measurement outcomes, i.e., both Eqs. (4) and (8) are positive.

Remark 5 The sum product algorithm can be used in
Step (ii) of our proposed procedure as follows. For a given sequence y ∈ F n 2 , and a syndrome t ∈ F m 2 , define a function (9) where N (k) := {j | M kj = 1} for the parity check matrix M , and 1[·] is the indicator function. The function P * (x) is the non-normalized a posteriori probability distribution on F n 2 given y and t. The sum-product algorithm is a method to (approximately) calculate the marginal a posteriori probability, i.e., The definition of a posteriori probability in Eq. (9) is the only difference between the decoding for the Slepian-Wolf source coding and that for the channel coding. More precisely, we replace [35,Eq. (47.6)] with Eq. (9), and use the algorithm in [35,Section 47.3]. The above procedure is a generalization of [36], and a special case of [37].
In QKD protocols we should minimize the block error probability rather than the bit error probability, because a bit error might propagate to other bits after the privacy amplification. Although the sum-product algorithm is designed to minimize the bit error probability, it is known by computer simulations that the algorithm makes the block error probability small [35].

III. PROCEDURE FOR CHANNEL ESTIMATION
In this section we show procedures to estimate Eve's ambiguity H ρ (X|E) for the six-state protocol and the BB84 protocol. We first present general preliminaries in Section III A. Then we show procedures for the sixstate protocol and the BB84 protocol in Sections III B and III C respectively. In Section III D, we clarify the relation between our proposed procedures for estimating H ρ (X|E) and the conventional ones.
Although we explain the procedures to estimate H ρ (X|E) for the direct reconciliation, the estimation of H ρ (Y |E) for the reverse reconciliation can be done in a similar manner.

A. Preliminaries
In the Stokes parameterization, the qubit channel E B can be described by the affine map parameterized by 12 real parameters [38,39]: where (θ z , θ x , θ y ) describes a vector in the Bloch sphere [6]. For the channel E B and each pair of bases (a, b) ∈ {z, x, y} 2 , define the biases of the outputs as Then, a straight forward calculation shows the relations The qubit channel E B can be also described by the Choi matrix ρ AB := (id ⊗ E B )(ψ) [40] for the maximally entangled state |ψ = 1 √ 2 (|0 |0 + |1 |1 ). By using the parameters in Eq. (10), we can write the Choi matrix ρ AB as where i is the imaginary unit.

B. Six-state protocol
An ad-hoc approach to estimate Eve's ambiguity in the six-state protocol is very simple, because all parameters can be estimated from the statistics of sampled bits [7,8].
(i) By using the statistics of sampled bits and the relation in Eq. (11), Alice and Bob calculate the estimate (R,t) for the parameters of the channel E B .
(ii) By using Eq. (12), Alice and Bob calculate the corresponding matrixρ AB . If the resulting matrix ρ AB is not a Choi matrix, Alice and Bob select a Choi matrixρ AB such that the Frobenius norm be-tweenρ AB andρ AB is minimized 7 .
The validity of this estimation procedure is shown as follows. Since the estimators in Step (i) converge to the true parameters in probability as the number of sampled bits goes to the infinity, the matrixρ AB also converges 8 to ρ AB . Then the Choi matrixρ AB also converges to the ρ AB . Since the conditional entropy is a continuous function, the estimator Hρ(X|E) in Step (iii) also converges to H ρ (X|E) in probability as the number of sampled bits goes to the infinity.

C. BB84 protocol
The estimation of H ρ (X|E) in the BB84 protocol is much more complicated.
When Alice and Bob only use z-basis and x-basis, the statistics of the input and the output are irrelevant to the parameters (R zy , R xy , R yz , R yx , R yy , t y ). Thus, we can only estimate the parameters ω = (R zz , R zx , R xz , R xx , t z , t x ), and we have to consider the worst case for the parameters ω, i.e., where P ′ (ω) is the set of all parameters τ = (R zy , R xy , R yz , R yx , R yy , t y ) such that the parameters ω and τ constitute a qubit channel, and ρ τ is the Choi matrix corresponding to the parameter τ 9 . By using the following proposition, which is proved in Appendix B, we can make the desired function F (ω) into a simpler form.

Proposition 1
The minimization in Eq. (13) is achieved when the parameters, R zy , R xy , R yz , R yx , and t y , are 0.
The number of free parameters has been reduced to 1 by Proposition 1. Thus the problem is rewritten as looking for an estimator of where P(ω) is the set of parameters R yy such that the parameters ω and R yy constitute a qubit channel when other parameters are all 0, and ρ Ryy is the Choi matrix corresponding to the parameter R yy . Since the range P(ω) of the remaining free parameter R yy is a closed interval and H ρ (X|E) is a convex function (see Lemma 2), the minimization in F (ω) is achieved at the boundary point of the range of R yy or at the zero point of the derivative of H ρ (X|E) with respect to R yy . An ad-hoc approach to find an estimator is as follows.
(i) By using the statistics of sampled bits and the relation in Eq. (11), Alice and Bob calculate the estimateω for the parameters ω.
(ii) If P(ω) is the empty set, then Alice and Bob find the pointω such thatω is closest (in Euclidean distance) toω and P(ω) is not an empty set 10 .
The validity of this estimation procedure can be shown as follows. The estimatorω converges to the true value ω in probability. The estimatorω also converges to ω, because ω −ω ≤ ω − ω , which implies ω − ω ≤ 2 ω − ω by the triangle inequality. Thus the following lemma, which is proved in Appendix C, guarantees that the estimator F (ω) converges to the desired quantity F (ω) in probability as the number of sampled bits goes to the infinity.

Lemma 1 The function F (ω) is a continuous function of ω.
Although we showed a procedure to exactly estimate Eve's worst case ambiguity so far, it is worthwhile to show a closed form lower bound on Eve's worst case ambiguity, which will be proved in Appendix D.

Proposition 2 Let d z and d x be the singular values of the matrix
Then, we have where h(·) is the binary entropy function. The equality holds if t z = t x = 0.

Remark 6
For the reverse reconciliation, the worst case of Eve's ambiguity H ρ (Y |E) is lower bounded by the right hand side of Eq. (16) in which R xz is replaced by R zx .

Remark 7
The right hand side of Eq. (16) is further lower bounded by 1 − h((1 − R xx )/2). Since (1 − R xx )/2 equals to the so-called phase error rate P x (see Eq. (17)), the right hand side of Eq. (16) is a lower bound on Eve's worst case ambiguity that is tighter than the well known bound 1 − h(P x ) [14].

Remark 8
We described estimation methods for Eve's ambiguity H ρ (X|E) based on the channel estimation method so-called linear inversion [45] in Section III B and in this section. It is well-known that the maximum likelihood (ML) channel estimator has smaller estimation error than the linear inversion [45]. An algorithm for ML channel estimation has been proposed [45,46,47], however, its convergence as a numerical algorithm has not been proved. The absence of a convergence proof prevents us from using that algorithm in the QKD protocols that require a rigorous proof of the convergence of an estimator. The computation of the ML channel estimate in the six-state protocol is a convex optimization problem. Because the set of Choi matrices is a closed convex set defined by equality constraints and generalized inequality constraints [41] and the log-likelihood function is a concave function of Choi matrices for given measurement outcomes. Therefore, the interior point method [41], for example, can compute the ML estimate with convergence guarantee. For the BB84 protocol, the domain of loglikelihood function is narrowed to real Choi matrices by Proposition 1 that is also a closed convex set, and the parameter R yy remains undetermined as well as the linear inversion because the log-likelihood function is independent of R yy . The rest of parameters can be computed by a convex optimization algorithm. If we are allowed to use enough computation time for sophisticated channel estimation procedures, then it may be better to use the ML channel estimation.

D. Relation to the conventional estimation procedure
In this section, we show the relation between Eve's ambiguity H ρ (X|E) that is estimated by our proposed procedures and that estimated by the conventional procedures.
In the conventional procedure to estimate H ρ (X|E) in the six-state protocol [14], we first estimate the so called the error rate for each basis: Then, we calculate the worst case of Eve's ambiguity min H ρ (X|E) in which the minimization is taken over the set of all channels that are compatible with the estimates of the error rates (P z , P x , P y ). Since we estimate the actual channel instead of the worst case, Eve's ambiguity estimated by our procedure is at least as large as that estimated by the conventional one.
In the conventional procedure to estimate H ρ (X|E) in the BB84 protocol, we first estimate P z and P x . Then we calculate the worst case of Eve's ambiguity min H ρ (X|E) in which the minimization is taken over the set of all channels that are compatible with the estimates of the error rates (P z , P x ). The minimum is given by the well known value 1 − h(P x ) [14]. Since the error rates (P z , P x ) are degraded version of the parameters ω, the range of minimization in the conventional procedure is larger than P(ω) in our proposed procedure. Thus, Eve's worst case ambiguity estimated by our proposed procedure is at least as large as that estimated by the conventional one.
For both the six-state protocol and the BB84 protocol, a sufficient condition such that Eve's worst case ambiguity estimated by our proposed procedure and that estimated by the conventional one coincide is that the channel E B is a Pauli channel. However, it is not clear whether the condition is also a necessary condition or not.
Combining the arguments in this section and Remark 1, we find that our proposed classical processing yields at least as high key rate as the standard processing by Shor and Preskill [18] for the QKD protocols.

IV. EXAMPLES
In this section, we calculate the key rates of the BB84 protocol and the six-state protocol with our proposed classical processing for the amplitude damping channel, the unital channel, and the rotation channel, and clarify that the key rate of our proposed classical processing is higher than previously known ones.

A. Amplitude damping channel
In the Stokes parameterization, the amplitude damping channel E p is given by the afine map parameterized by a real parameter 0 ≤ p ≤ 1. We first calculate the key rate for the BB84 protocol. In the BB84 protocol, we can estimate the parameters By the proposition 1, we can set R zy = R xy = R yz = R yx = t y = 0. Furthermore, by the condition on the TPCP map [39] ( we can decide the remaining parameter as R yy = √ 1 − p. Thus, Eve's (worst-case) ambiguity F (ω) for the BB84 protocol coincide with the true value H ρ (X|E), which means that the BB84 protocol can achieve the same key rate as the six-state protocol.  (18)). "Reverse" and "Direct" are the key rates when we use the reverse reconciliation and the direct reconciliation in our proposed classical processing respectively. "Conventional six-state" and "Conventional BB84" are the key rates of the six-state protocol and the BB84 protocol with the conventional classical processing. Note that the conventional classical processing involves the noisy preprocessing [14,16].
By straightforward calculations, the key rates of the direct reconciliation and reverse reconciliation are calculated as respectively. These key rates are plotted in Fig. 1. The Bell diagonal entries of the Choi matrix (id ⊗ E p )(ψ) are 1 4 The key rate of the six-state protocol and the BB84 protocol with the conventional processing can be calculated only from the Bell diagonal entries, and are also plotted in Fig. 1.
We find that the key rates of our proposed classical processing are higher than those of the conventional processing. Furthermore, we find that the key rate of the reverse reconciliation is higher than that of the direct reconciliation.

Remark 9
When the channel is degradable [48], i.e., there exists a channel D such that E E (ρ) = D • E B (ρ) for any input ρ, the quantum wiretap channel capacity [49] is known to be achievable without any auxiliary random variable [50].
For the one-way key agreement from a degradable (from Alice to Bob and Eve) {ccq}-state, which is a state ρ XY E = x,y P XY (x, y)|x x| ⊗ |y y| ⊗ ρ x,y E such that there exist states {ρ y E } y satisfying y P Y |X (y|x)ρ y E = ρ x E := y P Y |X (y|x)ρ x,y E , a similar statement also holds, namely the key rate in Eq. (4) cannot be improved with any auxiliary random variable. The use of auxiliary random variable for the key agreement corresponds to the noisy preprocessing [14,16].
The above statement is proved as follows. Since we are considering the information reconciliation and the privacy amplification with one-way classical communication, key rates only depend on distribution P XY and {cq}-state ρ XE . Thus the maximum key rate for ρ XY E is equals to that for degraded version of it,ρ XY E := x,y P XY (x, y)|x x| ⊗ |y y| ⊗ρ y E . On the other hand the (quantum) intrinsic information is an upper bound on the maximum key rate [51], where is the quantum conditional mutual information, and the infimum is taken over all {ccq}-states ρ XY E ′ = (id ⊗ N E→E ′ )(ρ XY E ) for CPTP maps N E→E ′ from system E to E ′ . Taking the identity map id E , the quantum conditional mutual information I ρ (X; Y |E) itself is an upper bound on the maximum key rate. Applying this fact for the degraded {ccq}-state,ρ XY E , the maximum key rate is upper bounded by which is the desired upper bound, and is equal to Eq. (4).
When Alice randomly sends {|0 z , |1 z } over the amplitude damping channel and Bob measures the received state by σ z observable, the resulting {ccq}-state is degradable 11 , which implies the key rate of direct reconciliation cannot be improved by the noisy preprocessing. It is not clear whether the {ccq}-state for the amplitude damping channel is degradable in reverse order; there exists a possibility to improve the key rate of reverse reconciliation by the noisy preprocessing.

B. Unital channel and rotation channel
A channel E B is called a unital channel if the vector (t z , t x , t y ) is the zero vector in the Stokes parameterization (see Eq. (10)), or equivalently if the channel E B maps the completely mixed state I/2 to itself. The unital channel has the following physical meaning in QKD protocols. When Eve conducts the Pauli cloning [53] with respect to an orthonormal basis that is a rotated version of {|0 z , |1 z }, the quantum channel from Alice to Bob is not a Pauli channel but a unital channel. It is natural to assume that Eve cannot determine the direction of the basis {|0 z , |1 z } accurately, and the unital channel deserve consideration in the QKD research as well as the Pauli channel.
By the singular value decomposition, we can decompose the matrix R in Eq. (10) as where O 1 and O 2 are some rotation matrices 12 , and |e z |, |e x |, and |e y | are the singular value of the matrix R 13 . Thus, we can consider the unital channel E B as the composition of the unitary channel E O1 , the Pauli channel ̺ → q i ̺ + q z σ z ̺σ z + q x σ x ̺σ x + q y σ y ̺σ y , and the unitary channel E O2 , where q y = 1 − e z − e x + e y 4 [54].
For the unital channel, we have H(X|Y ) = H(Y |X) = h((1 + R zz )/2). For the six-state protocol, we can calculate Eve's ambiguity H ρ (X|E) as because (q i , q z , q x , q y ) are the eigenvalues of the Choi matrix ρ AB . For the reverse reconciliation, Eve's ambiguity H ρ (Y |E) is given by Eq. (20) in which R xz and R yz are replaced by R zx and R zy respectively. Thus, R 2 xz + R 2 yz = R 2 zx + R 2 zy is the necessary and sufficient condition for H ρ (X|E) = H ρ (Y |E). For the BB84 protocol, we can calculate Eve's worst case ambiguity F (ω) by Proposition 2 because t z = t x = 0 for the unital channel. Note that the singular values (d z , d x ) in Proposition 2 are different from the singular values 12 The rotation matrix is the real orthogonal matrix with determinant 1. 13 The decomposition is not unique because we can change the order of (ez, ex, ey) or the sign of them by adjusting the rotation matrices O 1 and O 2 . However, the result in this paper does not depends on a choice of the decomposition.
(|e z |, |e x |) in general because there exist off-diagonal elements (R zy , R xy , R yz , R yx ). From Remark 6, R 2 xz = R 2 zx is the necessary and sufficient condition for that Eve's worst case ambiguity for the direct reconciliation and that for the reverse reconciliation coincide.
In the rest of this section, we analyze a special class of the unital channel, the rotation channel. We define the rotation channel from Alice to Bob as The rotation channels occur, for example, when the directions of the transmitter and the receiver are not properly aligned.
For the rotation channel, Eq. (16) gives F (ω) = 1, which implies that Eve gained no information. Thus, Eve's (worst-case) ambiguity for the BB84 protocol coincide with the true value H ρ (X|E), and the BB84 protocol with our proposed classical processing can achieve the same key rate as the six-state protocol.
There are two reasons why we show this example-the rotation channel. The first one is that we can obtain secret keys, in the BB84 protocol, both from matched measurement outcomes, which are transmitted and received by the same basis (say z-basis), and mismatched measurement outcomes, which are transmitted and received by different bases (say z-basis and x-basis respectively). The probability distributions of Alice and Bob's bit for each case are given by P X|Y (1|0) = P X|Y (0|1) = sin 2 (ϑ/2) and P X|Y ′ (1|0) = P X|Y ′ (0|1) = sin 2 (ϑ/2 − π/4) respectively (see Eqs. (1) and (7) for the definitions of P XY and P XY ′ ). If the channel is biased, i.e., ϑ = 0, π/2, π, 3π/2, then we can obtain secret keys with positive key rates both from matched measurement outcomes and mismatched measurement outcomes. This fact solves an open problem discussed in [22,Section 5].
The second reason is that we can obtain a secret key from matched measurement outcomes even though the so called error rate is higher than the 25% limit [23] in the BB84 protocol. The Bell diagonal entries of the Choi matrix ρ ϑ are cos 2 (ϑ/2), 0, 0, and sin 2 (ϑ/2). Thus the error rate is sin 2 (ϑ/2). For π/3 ≤ ϑ ≤ 5π/3, the error rate is higher than 25%, but we can obtain the positive key rate, 1 − h(sin 2 (ϑ/2)) except ϑ = π/2, 3π/2. Note that the key rate of the standard processing by Shor and Preskill [18] is 1 − 2h(sin 2 (ϑ/2)). This fact verifies Curty et al's suggestion [24] that key agreement might be possible even for the error rates higher than 25% limits.

Remark 10
If the {ccq}-state ρ XY E is degraded (from Alice to Bob and Eve), i.e., the {ccq}-state is of the form ρ XY E = x,y P XY (x, y)|x x| ⊗ |y y| ⊗ ρ y E , then we can prove that the key rate in Eq. (4) cannot be improved even if we use any noisy preprocessing or two-way processing. The reason is that the upper bound I ρ (X; Y |E) and the lower bound in Eq. (4) coincide for the degraded {ccq}-state in a similar manner to Remark 9.
For the rotation channel E ϑ , the resulting {ccq}-state is obviously degraded. Thus the key rate 1−h(sin 2 (ϑ/2)) cannot be improved any more.

V. CONCLUSION
In this paper, we constructed a practically implementable classical processing for the BB84 protocol and the six-state protocol that fully utilizes the accurate channel estimation method. A consequence of our result is that we should not discard mismatched measurement outcomes in the QKD protocols; those measurement outcomes can be used to estimate the channel accurately, and increase key rates.
There is a problem that was not treated in this paper. Although we only treated asymptotically secure key rate in this paper, the final goal is the non-asymptotic analysis of eavesdropper's information, i.e., evaluate eavesdropper's information as a function of the length of the raw key, the key rate, and the length of sample bits as in literatures [15,34,55,56,57,58,59,60]. This topic is a future research agenda.
we can obtain the inequality The modifications of the proof is to replace ψ r ABE and ψ ′ ABER with (ψ r ABE ) ⊗k and (ψ ′ ABER ) ⊗k in Eqs. (A1) and (A2), to replace the partial trace over Bob's system with Bob's measurement, to append a map N X k Y k →UV , and to replace the measurement on the system H R with the measurements on H ⊗k R .

APPENDIX B: PROOF OF PROPOSITION 1
The statement of the Proposition 1 easily follows from Lemma 2. For any channel E B , letĒ B be the channel whose Choi matrix is the complex conjugate of that for E B . Note that eigenvalues of density matrices are unchanged by the complex conjugate, and thus Eve's ambiguity Hρ(X|E) forĒ B equals to H ρ (X|E). By applying where ρ ′ AB = 1 2 ρ AB + 1 2ρ AB . Note that ρ ′ AB is a real density matrix whose entries are equal to the real components of ρ AB , which implies that the parameters R zy , R xy , R yz , R yx , and t y , are 0 by Eq. (12). Since the channel E B was arbitrary, we have the assertion of the proposition. Since the conditional entropy is a continuous function, the following statement is suffice for proving that F (ω) is continuous function at any ω 0 ∈ P, where P is the set of all ω such that P(ω) is not empty. For any ω ∈ P such that ω − ω 0 ≤ ε, there exist ε ′ , ε ′′ > 0 such that and ε ′ and ε ′′ converge to 0 as ε goes to 0, where B ε ′ (P(ω 0 )) is the ε ′ -neighbor of the set P(ω 0 ). Define the set Q := {(ω, R yy ) | ω ∈ P, R yy ∈ P(ω)}, which is a closed convex set. Define functions R yy as the upper surface and the lower surface of the set Q respectively. Then U (ω) and L(ω) are concave and convex functions respectively, because Q is a convex set. Thus U (ω) and L(ω) are continuous functions except the extreme points of P. For any extreme point ω ′ and for any interior point ω, we have U (ω) ≥ U (ω ′ ) and L(ω) ≤ L(ω ′ ), because Q is a convex set. Since Q is a closed set, we have lim ω→ω ′ U (ω) ∈ P(ω ′ ) and lim ω→ω ′ L(ω) ∈ P(ω ′ ), which implies that U (ω ′ ) = lim ω→ω ′ U (ω) and L(ω ′ ) = lim ω→ω ′ L(ω). Thus U (ω) and L(ω) are also continuous at the extreme points. Since P(ω) is a convex set, the continuity of U (ω) and L(ω) implies that Eqs. (C1) and (C2) hold for some ε ′ , ε ′′ > 0, and ε ′ and ε ′′ converge to 0 as ε goes to 0.

APPENDIX D: PROOF OF PROPOSITION 2
By Proposition 1, it suffice to consider the channel E B of the form Define the channel E − B (̺) := σ y (E B (σ y ̺σ y ))σ y and the mixed channel E ′ B := 1 2 E B + 1 2 E − B . Since the channel E − B is given by where (q i , q z , q x , q y ) are the eigenvalues of the Choi matrix ρ ′ AB . By noting that q i + q z = 1+dz 2 and q i + q x = 1+dx 2 (see Section IV B), we have assertion of the proposition.

APPENDIX E: CONVEX OPTIMIZATION
In this appendix, we briefly explain how to apply a convex optimization method, the interior-point method, to the channel estimation in the BB84 protocol. In a similar manner, we can apply the interior-point method to the channel estimation in the six-state protocol. For more detail, see the textbook [41,Section 11.6].
First, we define a generalized inequality. Since the set K ⊂ R 4×4 of (real) semi-definite matrices is a proper cone (see [41,Section 2.4.1] for the definition of the proper cone), we can define a generalized inequality K as For a given parameter (ω, R yy ) ∈ R 7 , we define the real matrix ρ(ω, R yy ) ∈ R 4×4 by using the relation in Eq. (12), where we set other parameters (R zy , R xy , R yz , R yx , t y ) to be all 0. Then, the function ρ : R 7 → R 4×4 is a Kconcave function (see [41,Section 3.6.2] for the definition of the K-concave function).
We can formulate our optimization problem as follows: minimize ω −ω 2 subject to ρ(ω, R yy ) K 0, Tr B [ρ(ω, R yy )] = I, where · 2 is the square Euclidean norm, which is a convex function, and I is the 2 × 2 identity matrix. This optimization problem can be solved by the interior-point method. Note that we can use log det ρ(ω, R yy ) as a logarithmic barrier function (see [41,Example 11.7]).